diff --git a/.github/workflows/test-go.yml b/.github/workflows/test-go.yml
index 2b498be4d011..62185d25b4d5 100644
--- a/.github/workflows/test-go.yml
+++ b/.github/workflows/test-go.yml
@@ -1,497 +1,4 @@
-on:
-  workflow_call:
-    inputs:
-      go-arch:
-        description: The execution architecture (arm, amd64, etc.)
-        required: true
-        type: string
-      enterprise:
-        description: A flag indicating if this workflow is executing for the enterprise repository.
-        required: true
-        type: string
-      total-runners:
-        description: Number of runners to use for executing non-binary tests.
-        required: true
-        type: string
-      binary-tests:
-        description: Whether to run the binary tests.
-        required: false
-        default: false
-        type: boolean
-      env-vars:
-        description: A map of environment variables as JSON.
-        required: false
-        type: string
-        default: '{}'
-      extra-flags:
-        description: A space-separated list of additional build flags.
-        required: false
-        type: string
-        default: ''
-      runs-on:
-        description: An expression indicating which kind of runners to use.
-        required: false
-        type: string
-        default: ubuntu-latest
-      go-tags:
-        description: A comma-separated list of additional build tags to consider satisfied during the build.
-        required: false
-        type: string
-      name:
-        description: A suffix to append to archived test results
-        required: false
-        default: ''
-        type: string
-      go-test-parallelism:
-        description: The parallelism parameter for Go tests
-        required: false
-        default: 20
-        type: number
-      timeout-minutes:
-        description: The maximum number of minutes that this workflow should run
-        required: false
-        default: 60
-        type: number
-      testonly:
-        description: Whether to run the tests tagged with testonly.
-        required: false
-        default: false
-        type: boolean
-      test-timing-cache-enabled:
-        description: Cache the gotestsum test timing data.
-        required: false
-        default: true
-        type: boolean
-      test-timing-cache-key:
-        description: The cache key to use for gotestsum test timing data.
-        required: false
-        default: go-test-reports
-        type: string
-      checkout-ref:
-        description: The ref to use for checkout.
-        required: false
-        default: ${{ github.ref }}
-        type: string
-
-env: ${{ fromJSON(inputs.env-vars) }}
-
-jobs:
-  test-matrix:
-    permissions:
-      id-token: write  # Note: this permission is explicitly required for Vault auth
-      contents: read
-    runs-on: ${{ fromJSON(inputs.runs-on) }}
-    steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
-        with:
-          ref: ${{ inputs.checkout-ref }}
-      - uses: ./.github/actions/set-up-go
-        with:
-          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
-      - name: Authenticate to Vault
-        id: vault-auth
-        if: github.repository == 'hashicorp/vault-enterprise'
-        run: vault-auth
-      - name: Fetch Secrets
-        id: secrets
-        if: github.repository == 'hashicorp/vault-enterprise'
-        uses: hashicorp/vault-action@130d1f5f4fe645bb6c83e4225c04d64cfb62de6e
-        with:
-          url: ${{ steps.vault-auth.outputs.addr }}
-          caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
-          token: ${{ steps.vault-auth.outputs.token }}
-          secrets: |
-            kv/data/github/${{ github.repository }}/datadog-ci DATADOG_API_KEY;
-            kv/data/github/${{ github.repository }}/github-token username-and-token | github-token;
-            kv/data/github/${{ github.repository }}/license license_1 | VAULT_LICENSE_CI;
-            kv/data/github/${{ github.repository }}/license license_2 | VAULT_LICENSE_2;
-            kv/data/github/${{ github.repository }}/hcp-link HCP_API_ADDRESS;
-            kv/data/github/${{ github.repository }}/hcp-link HCP_AUTH_URL;
-            kv/data/github/${{ github.repository }}/hcp-link HCP_CLIENT_ID;
-            kv/data/github/${{ github.repository }}/hcp-link HCP_CLIENT_SECRET;
-            kv/data/github/${{ github.repository }}/hcp-link HCP_RESOURCE_ID;
-      - id: setup-git-private
-        name: Setup Git configuration (private)
-        if: github.repository == 'hashicorp/vault-enterprise'
-        run: |
-          git config --global url."https://${{ steps.secrets.outputs.github-token }}@github.com".insteadOf https://github.com
-      - id: setup-git-public
-        name: Setup Git configuration (public)
-        if: github.repository != 'hashicorp/vault-enterprise'
-        run: |
-          git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN}}@github.com".insteadOf https://github.com
-      - uses: ./.github/actions/set-up-gotestsum
-      - run: mkdir -p test-results/go-test
-      - uses: actions/cache/restore@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
-        if: inputs.test-timing-cache-enabled
-        with:
-          path: test-results/go-test
-          key: ${{ inputs.test-timing-cache-key }}-${{ github.run_number }}
-          restore-keys: |
-            ${{ inputs.test-timing-cache-key }}-
-            go-test-reports-
-      - name: Sanitize timing files
-        id: sanitize-timing-files
-        run: |
-          # Prune invalid timing files
-          find test-results/go-test -mindepth 1 -type f -name "*.json" -exec sh -c '
-            file="$1";
-            jq . "$file" || rm "$file"
-          ' shell {} \; > /dev/null 2>&1
-      - name: Build matrix excluding binary, integration, and testonly tests
-        id: build-non-binary
-        if: ${{ !inputs.testonly }}
-        env:
-          GOPRIVATE: github.com/hashicorp/*
-        run: |
-          # testonly tests need additional build tag though let's exclude them anyway for clarity
-          (
-            go list ./... | grep -v "_binary" | grep -v "vault/integ" | grep -v "testonly" | gotestsum tool ci-matrix --debug \
-              --partitions "${{ inputs.total-runners }}" \
-              --timing-files 'test-results/go-test/*.json' > matrix.json
-          )
-      - name: Build matrix for tests tagged with testonly
-        if: ${{ inputs.testonly }}
-        env:
-          GOPRIVATE: github.com/hashicorp/*
-        run: |
-          set -exo pipefail
-          # enable glob expansion
-          shopt -s nullglob
-          # testonly tagged tests need an additional tag to be included
-          # also running some extra tests for sanity checking with the testonly build tag
-          (
-            go list -tags=testonly ./vault/external_tests/{kv,token,*replication-perf*,*testonly*} ./vault/ | gotestsum tool ci-matrix --debug \
-              --partitions "${{ inputs.total-runners }}" \
-              --timing-files 'test-results/go-test/*.json' > matrix.json
-          )
-          # disable glob expansion
-          shopt -u nullglob
-      - name: Capture list of binary tests
-        if: inputs.binary-tests
-        id: list-binary-tests
-        run: |
-          LIST="$(go list ./... | grep "_binary" | xargs)"
-          echo "list=$LIST" >> "$GITHUB_OUTPUT"
-      - name: Build complete matrix
-        id: build
-        run: |
-            set -exo pipefail
-            matrix_file="matrix.json"
-            if [ "${{ inputs.binary-tests}}" == "true" ] && [ -n "${{ steps.list-binary-tests.outputs.list }}" ]; then
-              export BINARY_TESTS="${{ steps.list-binary-tests.outputs.list }}"
-              jq --arg BINARY "${BINARY_TESTS}" --arg BINARY_INDEX "${{ inputs.total-runners }}" \
-                '.include += [{
-                  "id": $BINARY_INDEX,
-                  "estimatedRuntime": "N/A",
-                  "packages": $BINARY,
-                  "description": "partition $BINARY_INDEX - binary test packages"
-              }]' matrix.json > new-matrix.json
-              matrix_file="new-matrix.json"
-            fi
-            # convert the json to a map keyed by id
-            (
-              echo -n "matrix="
-                jq -c \
-                '.include | map( { (.id|tostring): . } ) | add' "$matrix_file"
-            ) >> "$GITHUB_OUTPUT"
-            # extract an array of ids from the json
-            (
-              echo -n "matrix_ids="
-              jq -c \
-                '[ .include[].id | tostring ]' "$matrix_file"
-            ) >> "$GITHUB_OUTPUT"
-    outputs:
-      matrix: ${{ steps.build.outputs.matrix }}
-      matrix_ids: ${{ steps.build.outputs.matrix_ids }}
-
-  test-go:
-    needs: test-matrix
-    permissions:
-      actions: read
-      contents: read
-      id-token: write  # Note: this permission is explicitly required for Vault auth
-    runs-on: ${{ fromJSON(inputs.runs-on) }}
-    strategy:
-      fail-fast: false
-      matrix:
-        id: ${{ fromJSON(needs.test-matrix.outputs.matrix_ids) }}
-    env:
-      GOPRIVATE: github.com/hashicorp/*
-      TIMEOUT_IN_MINUTES: ${{ inputs.timeout-minutes }}
-    steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
-        with:
-          ref: ${{ inputs.checkout-ref }}
-      - uses: ./.github/actions/set-up-go
-        with:
-          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
-      - name: Authenticate to Vault
-        id: vault-auth
-        if: github.repository == 'hashicorp/vault-enterprise'
-        run: vault-auth
-      - name: Fetch Secrets
-        id: secrets
-        if: github.repository == 'hashicorp/vault-enterprise'
-        uses: hashicorp/vault-action@130d1f5f4fe645bb6c83e4225c04d64cfb62de6e
-        with:
-          url: ${{ steps.vault-auth.outputs.addr }}
-          caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
-          token: ${{ steps.vault-auth.outputs.token }}
-          secrets: |
-            kv/data/github/${{ github.repository }}/datadog-ci DATADOG_API_KEY;
-            kv/data/github/${{ github.repository }}/github-token username-and-token | github-token;
-            kv/data/github/${{ github.repository }}/license license_1 | VAULT_LICENSE_CI;
-            kv/data/github/${{ github.repository }}/license license_2 | VAULT_LICENSE_2;
-            kv/data/github/${{ github.repository }}/hcp-link HCP_API_ADDRESS;
-            kv/data/github/${{ github.repository }}/hcp-link HCP_AUTH_URL;
-            kv/data/github/${{ github.repository }}/hcp-link HCP_CLIENT_ID;
-            kv/data/github/${{ github.repository }}/hcp-link HCP_CLIENT_SECRET;
-            kv/data/github/${{ github.repository }}/hcp-link HCP_RESOURCE_ID;
-      - id: setup-git-private
-        name: Setup Git configuration (private)
-        if: github.repository == 'hashicorp/vault-enterprise'
-        run: |
-          git config --global url."https://${{ steps.secrets.outputs.github-token }}@github.com".insteadOf https://github.com
-      - id: setup-git-public
-        name: Setup Git configuration (public)
-        if: github.repository != 'hashicorp/vault-enterprise'
-        run: |
-          git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN}}@github.com".insteadOf https://github.com
-      - id: build
-        if: inputs.binary-tests && matrix.id == inputs.total-runners
-        env:
-          GOPRIVATE: github.com/hashicorp/*
-        run: time make ci-bootstrap dev
-      - uses: ./.github/actions/set-up-gotestsum
-      - name: Install gVisor
-        # Enterprise repo runners do not allow sudo, so can't install gVisor there yet.
-        if: ${{ !inputs.enterprise }}
-        run: |
-          (
-            set -e
-            ARCH="$(uname -m)"
-            URL="https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}"
-            wget --quiet "${URL}/runsc" "${URL}/runsc.sha512" \
-              "${URL}/containerd-shim-runsc-v1" "${URL}/containerd-shim-runsc-v1.sha512"
-            sha512sum -c runsc.sha512 \
-              -c containerd-shim-runsc-v1.sha512
-            rm -f -- *.sha512
-            chmod a+rx runsc containerd-shim-runsc-v1
-            sudo mv runsc containerd-shim-runsc-v1 /usr/local/bin
-          )
-          sudo tee /etc/docker/daemon.json <<EOF
-          {
-            "runtimes": {
-              "runsc": {
-                "path": "/usr/local/bin/runsc",
-                "runtimeArgs": [
-                  "--host-uds=all",
-                  "--host-fifo=open"
-                ]
-              }
-            }
-          }
-          EOF
-          sudo systemctl reload docker
-      - id: run-go-tests
-        name: Run Go tests
-        timeout-minutes: ${{ fromJSON(env.TIMEOUT_IN_MINUTES) }}
-        env:
-          COMMIT_SHA: ${{ github.sha }}
-        run: |
-          set -exo pipefail
-
-          # Build the dynamically generated source files.
-          make prep
-
-          packages=$(echo "${{ toJSON(needs.test-matrix.outputs.matrix) }}" | jq -c -r --arg id "${{ matrix.id }}" '.[$id] | .packages')
-
-          if [ -z "$packages" ]; then
-            echo "no test packages to run"
-            exit 1
-          fi
-          # We don't want VAULT_LICENSE set when running Go tests, because that's
-          # not what developers have in their environments and it could break some
-          # tests; it would be like setting VAULT_TOKEN.  However some non-Go
-          # CI commands, like the UI tests, shouldn't have to worry about licensing.
-          # So we provide the tests which want an externally supplied license with licenses
-          # via the VAULT_LICENSE_CI and VAULT_LICENSE_2 environment variables, and here we unset it.
-          # shellcheck disable=SC2034
-          VAULT_LICENSE=
-
-          # Assign test licenses to relevant variables if they aren't already
-          if [[ ${{ github.repository }} == 'hashicorp/vault' ]]; then
-            export VAULT_LICENSE_CI=${{ secrets.ci_license }}
-            export VAULT_LICENSE_2=${{ secrets.ci_license_2 }}
-            export HCP_API_ADDRESS=${{ secrets.HCP_API_ADDRESS }}
-            export HCP_AUTH_URL=${{ secrets.HCP_AUTH_URL }}
-            export HCP_CLIENT_ID=${{ secrets.HCP_CLIENT_ID }}
-            export HCP_CLIENT_SECRET=${{ secrets.HCP_CLIENT_SECRET }}
-            export HCP_RESOURCE_ID=${{ secrets.HCP_RESOURCE_ID }}
-            # Temporarily removing this variable to cause HCP Link tests
-            # to be skipped.
-            #export HCP_SCADA_ADDRESS=${{ secrets.HCP_SCADA_ADDRESS }}
-          fi
-
-          # The docker/binary tests are more expensive, and we've had problems with timeouts when running at full
-          # parallelism.  The default if -p isn't specified is to use NumCPUs, which seems fine for regular tests.
-          package_parallelism=""
-          
-          if [ -f bin/vault ]; then
-            VAULT_BINARY="$(pwd)/bin/vault"
-            export VAULT_BINARY
-          
-            package_parallelism="-p 2"
-          fi
-
-          # On a release branch, add a flag to rerun failed tests
-          # shellcheck disable=SC2193 # can get false positive for this comparision
-          if [[  "${{ github.base_ref }}" == release/* ]] || [[  -z "${{ github.base_ref }}" && "${{ github.ref_name }}" == release/* ]]
-          then
-            # TODO remove this extra condition once 1.15 is about to released GA
-            if [[  "${{ github.base_ref }}" != release/1.15* ]] || [[  -z "${{ github.base_ref }}" && "${{ github.ref_name }}" != release/1.15* ]]
-            then
-              RERUN_FAILS="--rerun-fails"
-            fi
-          fi
-
-          export VAULT_TEST_LOG_DIR=$(pwd)/test-results/go-test/logs-${{ matrix.id }}
-          mkdir -p $VAULT_TEST_LOG_DIR
-          
-          
-          # shellcheck disable=SC2086 # can't quote RERUN_FAILS
-          GOARCH=${{ inputs.go-arch }} \
-            gotestsum --format=short-verbose \
-              --junitfile test-results/go-test/results-${{ matrix.id }}.xml \
-              --jsonfile test-results/go-test/results-${{ matrix.id }}.json \
-              --jsonfile-timing-events failure-summary-${{ matrix.id }}${{ inputs.name != '' && '-' || '' }}${{ inputs.name }}.json \
-              $RERUN_FAILS \
-              --packages "$packages" \
-              -- \
-              $package_parallelism \
-              -tags "${{ inputs.go-tags }}" \
-              -timeout=${{ env.TIMEOUT_IN_MINUTES }}m \
-              -parallel=${{ inputs.go-test-parallelism }} \
-              ${{ inputs.extra-flags }} \
-      - name: Prepare datadog-ci
-        if: github.repository == 'hashicorp/vault' && (success() || failure())
-        continue-on-error: true
-        run: |
-          curl -L --fail "https://github.com/DataDog/datadog-ci/releases/latest/download/datadog-ci_linux-x64" --output "/usr/local/bin/datadog-ci"
-          chmod +x /usr/local/bin/datadog-ci
-      - name: Upload test results to DataDog
-        continue-on-error: true
-        env:
-          DD_ENV: ci
-        run: |
-          if [[ ${{ github.repository }} == 'hashicorp/vault' ]]; then
-            export DATADOG_API_KEY=${{ secrets.DATADOG_API_KEY }}
-          fi
-          datadog-ci junit upload --service "$GITHUB_REPOSITORY" test-results/go-test/results-${{ matrix.id }}.xml
-        if: success() || failure()
-      - name: Archive test results
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
-        with:
-          name: test-results${{ inputs.name != '' && '-' || '' }}${{ inputs.name }}
-          path: test-results/go-test
-        if: success() || failure()
-      # GitHub Actions doesn't expose the job ID or the URL to the job execution,
-      # so we have to fetch it from the API
-      - name: Fetch job logs URL
-        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
-        if: success() || failure()
-        continue-on-error: true
-        with:
-          retries: 3
-          script: |
-            // We surround the whole script with a try-catch block, to avoid each of the matrix jobs
-            // displaying an error in the GHA workflow run annotations, which gets very noisy.
-            // If an error occurs, it will be logged so that we don't lose any information about the reason for failure.
-            try {
-              const fs = require("fs");
-              const result = await github.rest.actions.listJobsForWorkflowRun({
-                owner: context.repo.owner,
-                per_page: 100,
-                repo: context.repo.repo,
-                run_id: context.runId,
-              });
-
-              // Determine what job name to use for the query. These values are hardcoded, because GHA doesn't
-              // expose them in any of the contexts available within a workflow run.
-              let prefixToSearchFor;
-              switch ("${{ inputs.name }}") {
-                case "race":
-                  prefixToSearchFor = 'Run Go tests with data race detection / test-go (${{ matrix.id }})'
-                  break
-                case "fips":
-                  prefixToSearchFor = 'Run Go tests with FIPS configuration / test-go (${{ matrix.id }})'
-                  break
-                default:
-                  prefixToSearchFor = 'Run Go tests / test-go (${{ matrix.id }})'
-              }
-
-              const jobData = result.data.jobs.filter(
-                (job) => job.name.startsWith(prefixToSearchFor)
-              );
-              const url = jobData[0].html_url;
-              const envVarName = "GH_JOB_URL";
-              const envVar = envVarName + "=" + url;
-              const envFile = process.env.GITHUB_ENV;
-
-              fs.appendFile(envFile, envVar, (err) => {
-                if (err) throw err;
-                console.log("Successfully set " + envVarName + " to: " + url);
-              });
-            } catch (error) {
-              console.log("Error: " + error);
-              return
-            }
-      - name: Prepare failure summary
-        if: success() || failure()
-        continue-on-error: true
-        run: |
-          # This jq query filters out successful tests, leaving only the failures.
-          # Then, it formats the results into rows of a Markdown table.
-          # An example row will resemble this:
-          # | github.com/hashicorp/vault/package | TestName | fips | 0 | 2 | [view results](github.com/link-to-logs) |
-          jq -r -n 'inputs
-          | select(.Action == "fail")
-          | "| ${{inputs.name}} | \(.Package) | \(.Test // "-") | \(.Elapsed) | ${{ matrix.id }} | [view test results :scroll:](${{ env.GH_JOB_URL }}) |"' \
-          failure-summary-${{ matrix.id }}${{ inputs.name != '' && '-' || '' }}${{inputs.name}}.json \
-          >> failure-summary-${{ matrix.id }}${{ inputs.name != '' && '-' || '' }}${{inputs.name}}.md
-      - name: Upload failure summary
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
-        if: success() || failure()
-        with:
-          name: failure-summary
-          path: failure-summary-${{ matrix.id }}${{ inputs.name != '' && '-' || '' }}${{inputs.name}}.md
-
-  test-collect-reports:
-    if: ${{ ! cancelled() && needs.test-go.result == 'success' && inputs.test-timing-cache-enabled }}
-    needs: test-go
-    runs-on: ${{ fromJSON(inputs.runs-on) }}
-    steps:
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
-        with:
-          path: test-results/go-test
-          key: ${{ inputs.test-timing-cache-key }}-${{ github.run_number }}
-          restore-keys: |
-            ${{ inputs.test-timing-cache-key }}-
-            go-test-reports-
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
-        with:
-          name: test-results
-          path: test-results/go-test
-      - run: |
-          rm -rf test-results/go-test/logs
-          ls -lhR test-results/go-test
-          find test-results/go-test -mindepth 1 -mtime +3 -delete
-
-          # Prune invalid timing files
-          find test-results/go-test -mindepth 1 -type f -name "*.json" -exec sh -c '
-            file="$1";
-            jq . "$file" || rm "$file"
-          ' shell {} \; > /dev/null 2>&1
-
-          ls -lhR test-results/go-test
+```release-note:feature
+**Reload seal configuration on SIGHUP**: Seal configuration is reloaded on SIGHUP so that seal configuration can
+be changed without shutting down vault
+```
diff --git a/.hooks/pre-commit b/.hooks/pre-commit
index 0b4d6e0c94fa..aa72bc977912 100755
--- a/.hooks/pre-commit
+++ b/.hooks/pre-commit
@@ -1,151 +1,3 @@
-#!/usr/bin/env bash
-
-# READ THIS BEFORE MAKING CHANGES:
-#
-# If you want to add a new pre-commit check, here are the rules:
-#
-#   1. Create a bash function for your check (see e.g. ui_lint below).
-#      NOTE: Each function will be called in a sub-shell so you can freely
-#      change directory without worrying about interference.
-#   2. Add the name of the function to the CHECKS variable.
-#   3. If no changes relevant to your new check are staged, then
-#      do not output anything at all - this would be annoying noise.
-#      In this case, call 'return 0' from your check function to return
-#      early without blocking the commit.
-#   4. If any non-trivial check-specific thing has to be invoked,
-#      then output '==> [check description]' as the first line of
-#      output. Each sub-check should output '--> [subcheck description]'
-#      after it has run, indicating success or failure.
-#   5. Call 'block [reason]' to block the commit. This ensures the last
-#      line of output calls out that the commit was blocked - which may not
-#      be obvious from random error messages generated in 4.
-#
-# At the moment, there are no automated tests for this hook, so please run it
-# locally to check you have not broken anything - breaking this will interfere
-# with other peoples' workflows significantly, so be sure, check everything twice.
-
-set -euo pipefail
-
-# Call block to block the commit with a message.
-block() {
-  echo "$@"
-  echo "Commit blocked - see errors above."
-  exit 1
-}
-
-# Add all check functions to this space separated list.
-# They are executed in this order (see end of file).
-CHECKS="ui_lint ui_copywrite backend_lint"
-
-# Run ui linter if changes in that dir detected.
-ui_lint() {
-  local DIR=ui LINTER=node_modules/.bin/lint-staged
-
-  # Silently succeed if no changes staged for $DIR
-  if git diff --name-only --cached --exit-code -- $DIR/; then
-    return 0
-  fi
-
-  # Silently succeed if the linter has not been installed.
-  # We assume that if you're doing UI dev, you will have installed the linter
-  # by running yarn.
-  if [ ! -x $DIR/$LINTER ]; then
-    return 0
-  fi
-
-  echo "==> Changes detected in $DIR/: Running linter..."
-
-  # Run the linter from the UI dir.
-  cd $DIR
-  $LINTER || block "UI lint failed"
-}
-
-backend_lint() {
-  # Silently succeed if no changes staged for Go code files.
-  staged=$(git diff --name-only --cached --exit-code -- '*.go')
-  ret=$?
-  if [ $ret -eq 0 ]; then
-    return 0
-  fi
-
-  # Only run fmtcheck on staged files
-  ./scripts/gofmtcheck.sh "${staged}" || block "Backend linting failed; run 'make fmt' to fix."
-}
-
-ui_copywrite() {
-  DIR=ui
-  BINARY_DIR=$DIR/.copywrite
-  DOWNLOAD_ERR="==> Copywrite tool not found and failed to downloaded. Please download manually and extract to ui/.copywrite directory to utilize in pre-commit hook."
-
-  # silently succeed if no changes staged for $DIR
-  if git diff --name-only --cached --exit-code -- $DIR/; then
-    return 0
-  fi
-
-  echo "==> Changes detected in $DIR/: Checking copyright headers..."
-
-  # download latest version of hashicorp/copywrite if necessary 
-  if [ ! -x $BINARY_DIR/copywrite ]; then
-    local REPO_URL=https://github.com/hashicorp/copywrite
-    # get the latest version tag
-    local LATEST_RELEASE_JSON=$(curl -L -s -H 'Accept: application/json' $REPO_URL/releases/latest);
-    local LATEST_TAG=$(echo $LATEST_RELEASE_JSON | sed -e 's/.*"tag_name":"\([^"]*\)".*/\1/')
-
-    if [ ! $LATEST_TAG ]; then
-      echo $DOWNLOAD_ERR
-      return 0;
-    fi
-
-    # get the OS/Architecture specifics to build the filename
-    # eg. copywrite_0.16.6_darwin_x86_64.tar.gz
-    case "$OSTYPE" in
-      linux*) OS='linux' ;;
-      darwin*) OS='darwin' ;;
-      msys*) OS='windows';;
-    esac
-    local ARCH=$([ $(uname -m) == arm* ] && echo 'arm64' || echo 'x86_64')
-    local EXT=$([ $OSTYPE == "msys" ] && echo '.zip' || echo '.tar.gz')
-    local FILENAME=copywrite_"${LATEST_TAG:1}"_"$OS"_"$ARCH""$EXT"
-
-    mkdir -p $BINARY_DIR
-    echo "==> Copywrite tool not found, downloading version $LATEST_TAG from $REPO_URL..."
-    curl -L -s $REPO_URL/releases/download/$LATEST_TAG/$FILENAME | tar -xz - -C $BINARY_DIR || { echo $DOWNLOAD_ERR;  return 0; };
-  fi
-  
-  # run the copywrite tool
-  # if a --path option is added we could apply the headers to only the staged files much easier
-  # as of the latest version 0.16.6 there is only support for --dirPath
-  STAGED_FILES=($(git diff --name-only --cached))
-
-  rm -rf $BINARY_DIR/.staged
-  mkdir $BINARY_DIR/.staged
-  
-  # copy staged files to .staged directory
-  echo $STAGED_FILES;
-  for FILE_PATH in "${STAGED_FILES[@]}"; do
-    cp $FILE_PATH $BINARY_DIR/.staged
-  done
-
-  COPYWRITE_LOG_LEVEL=info
-  COPY_CMD="$BINARY_DIR/copywrite headers -d $BINARY_DIR/.staged --config $DIR/.copywrite.hcl"
-
-  # if staged files are missing header run the tool on .staged directory
-  VALIDATE=$(eval $COPY_CMD --plan) # assigning to var so output is suppressed since it is repeated during second run
-  if [ $(echo $?) == 1 ]; then
-    eval $COPY_CMD || { echo "==> Copyright check failed. Please review and add headers manually."; return 0; };
-
-    # copy files back to original locations and stage changes
-    local TMP_FILES=$(ls $BINARY_DIR/.staged)
-    i=0
-    for FILE in $TMP_FILES; do
-      cp $BINARY_DIR/.staged/$FILE "${STAGED_FILES[$i]}"
-      git add "${STAGED_FILES[$i]}"
-      i=$(( i + 1 ))
-    done
-  fi
-}
-
-for CHECK in $CHECKS; do
-  # Force each check into a subshell to avoid crosstalk.
-  ( $CHECK ) || exit $?
-done
+```release-note:improvement
+storage/raft: Upgrade to bbolt 1.3.8, along with an extra patch to reduce time scanning large freelist maps.
+```
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cc17febcfa35..bc33a184f988 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3292 +1,3 @@
-## Previous versions
-- [v1.0.0 - v1.9.10](CHANGELOG-pre-v1.10.md)
-- [v0.11.6 and earlier](CHANGELOG-v0.md)
-
-## 1.15.2
-### November 09, 2023
-
-SECURITY:
-* core: inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. This vulnerability, CVE-2023-5954, was introduced in Vault 1.15.0, 1.14.3, and 1.13.7, and is fixed in Vault 1.15.2, 1.14.6, and 1.13.10. [[HSEC-2023-33](https://discuss.hashicorp.com/t/hcsec-2023-33-vault-requests-triggering-policy-checks-may-lead-to-unbounded-memory-consumption/59926)]
-
-CHANGES:
-
-* auth/approle: Normalized error response messages when invalid credentials are provided [[GH-23786](https://github.com/hashicorp/vault/pull/23786)]
-* secrets/mongodbatlas: Update plugin to v0.10.2 [[GH-23849](https://github.com/hashicorp/vault/pull/23849)]
-
-FEATURES:
-
-* cli/snapshot: Add CLI tool to inspect Vault snapshots [[GH-23457](https://github.com/hashicorp/vault/pull/23457)]
-
-IMPROVEMENTS:
-
-* api (enterprise): Enable the sys/license/features from any namespace
-* storage/etcd: etcd should only return keys when calling List() [[GH-23872](https://github.com/hashicorp/vault/pull/23872)]
-* ui: Update flat, shell-quote and swagger-ui-dist packages. Remove swagger-ui styling overrides. [[GH-23700](https://github.com/hashicorp/vault/pull/23700)]
-* ui: Update sidebar Secrets engine to title case. [[GH-23964](https://github.com/hashicorp/vault/pull/23964)]
-
-BUG FIXES:
-
-* api/seal-status: Fix deadlock on calls to sys/seal-status with a namespace configured
-on the request. [[GH-23861](https://github.com/hashicorp/vault/pull/23861)]
-* core (enterprise): Do not return an internal error when token policy type lookup fails, log it instead and continue.
-* core/activity: Fixes segments fragment loss due to exceeding entry record size limit [[GH-23781](https://github.com/hashicorp/vault/pull/23781)]
-* core/mounts: Fix reading an "auth" mount using "sys/internal/ui/mounts/" when filter paths are enforced returns 500 error code from the secondary [[GH-23802](https://github.com/hashicorp/vault/pull/23802)]
-* core: Revert PR causing memory consumption bug [[GH-23986](https://github.com/hashicorp/vault/pull/23986)]
-* core: Skip unnecessary deriving of policies during Login MFA Check. [[GH-23894](https://github.com/hashicorp/vault/pull/23894)]
-* core: fix bug where deadlock detection was always on for expiration and quotas. 
-These can now be configured individually with `detect_deadlocks`. [[GH-23902](https://github.com/hashicorp/vault/pull/23902)]
-* core: fix policies with wildcards not matching list operations due to the policy path not having a trailing slash [[GH-23874](https://github.com/hashicorp/vault/pull/23874)]
-* expiration: Fix fatal error "concurrent map iteration and map write" when collecting metrics from leases. [[GH-24027](https://github.com/hashicorp/vault/pull/24027)]
-* ui: fix broken GUI when accessing from listener with chroot_namespace defined [[GH-23942](https://github.com/hashicorp/vault/pull/23942)]
-
-## 1.15.1
-### October 25, 2023
-
-CHANGES:
-
-* core: Bump Go version to 1.21.3.
-
-IMPROVEMENTS:
-
-* api/plugins: add `tls-server-name` arg for plugin registration [[GH-23549](https://github.com/hashicorp/vault/pull/23549)]
-* auto-auth/azure: Support setting the `authenticate_from_environment` variable to "true" and "false" string literals, too. [[GH-22996](https://github.com/hashicorp/vault/pull/22996)]
-* secrets-sync (enterprise): Added telemetry on number of destinations and associations per type.
-* ui: Adds a warning when whitespace is detected in a key of a KV secret [[GH-23702](https://github.com/hashicorp/vault/pull/23702)]
-* ui: Adds toggle to KV secrets engine value download modal to optionally stringify value in downloaded file [[GH-23747](https://github.com/hashicorp/vault/pull/23747)]
-* ui: Surface warning banner if UI has stopped auto-refreshing token [[GH-23143](https://github.com/hashicorp/vault/pull/23143)]
-* ui: show banner when resultant-acl check fails due to permissions or wrong namespace. [[GH-23503](https://github.com/hashicorp/vault/pull/23503)]
-
-BUG FIXES:
-
-* Seal HA (enterprise/beta): Fix rejection of a seal configuration change
-from two to one auto seal due to persistence of the previous seal type being
-"multiseal". [[GH-23573](https://github.com/hashicorp/vault/pull/23573)]
-* audit: Fix bug reopening 'file' audit devices on SIGHUP. [[GH-23598](https://github.com/hashicorp/vault/pull/23598)]
-* auth/aws: Fixes a panic that can occur in IAM-based login when a [client config](https://developer.hashicorp.com/vault/api-docs/auth/aws#configure-client) does not exist. [[GH-23555](https://github.com/hashicorp/vault/pull/23555)]
-* command/server: Fix bug with sigusr2 where pprof files were not closed correctly [[GH-23636](https://github.com/hashicorp/vault/pull/23636)]
-* events: Ignore sending context to give more time for events to send [[GH-23500](https://github.com/hashicorp/vault/pull/23500)]
-* expiration: Prevent large lease loads from delaying state changes, e.g. becoming active or standby. [[GH-23282](https://github.com/hashicorp/vault/pull/23282)]
-* kmip (enterprise): Improve handling of failures due to storage replication issues.
-* kmip (enterprise): Return a structure in the response for query function Query Server Information.
-* mongo-db: allow non-admin database for root credential rotation [[GH-23240](https://github.com/hashicorp/vault/pull/23240)]
-* replication (enterprise): Fix a bug where undo logs would only get enabled on the initial node in a cluster.
-* replication (enterprise): Fix a missing unlock when changing replication state
-* secrets-sync (enterprise): Fixed issue where we could sync a deleted secret
-* secrets/aws: update credential rotation deadline when static role rotation period is updated [[GH-23528](https://github.com/hashicorp/vault/pull/23528)]
-* secrets/consul: Fix revocations when Vault has an access token using specific namespace and admin partition policies [[GH-23010](https://github.com/hashicorp/vault/pull/23010)]
-* secrets/pki: Stop processing in-flight ACME verifications when an active node steps down [[GH-23278](https://github.com/hashicorp/vault/pull/23278)]
-* secrets/transit (enterprise): Address an issue using sign/verify operations with managed keys returning an error about it not containing a private key
-* secrets/transit (enterprise): Address panic when using GCP,AWS,Azure managed keys for encryption operations. At this time all encryption operations for the cloud providers have been disabled, only signing operations are supported.
-* secrets/transit (enterprise): Apply hashing arguments and defaults to managed key sign/verify operations
-* secrets/transit: Do not allow auto rotation on managed_key key types [[GH-23723](https://github.com/hashicorp/vault/pull/23723)]
-* storage/consul: fix a bug where an active node in a specific sort of network
-partition could continue to write data to Consul after a new leader is elected
-potentially causing data loss or corruption for keys with many concurrent
-writers. For Enterprise clusters this could cause corruption of the merkle trees
-leading to failure to complete merkle sync without a full re-index. [[GH-23013](https://github.com/hashicorp/vault/pull/23013)]
-* ui: Assumes version 1 for kv engines when options are null because no version is specified [[GH-23585](https://github.com/hashicorp/vault/pull/23585)]
-* ui: Decode the connection url for display on the connection details page [[GH-23695](https://github.com/hashicorp/vault/pull/23695)]
-* ui: Fix AWS secret engine to allow empty policy_document field. [[GH-23470](https://github.com/hashicorp/vault/pull/23470)]
-* ui: Fix bug where auth items were not listed when within a namespace. [[GH-23446](https://github.com/hashicorp/vault/pull/23446)]
-* ui: Fix regression that broke the oktaNumberChallenge on the ui. [[GH-23565](https://github.com/hashicorp/vault/pull/23565)]
-* ui: Fix the copy token button in the sidebar navigation window when in a collapsed state. [[GH-23331](https://github.com/hashicorp/vault/pull/23331)]
-* ui: Fixes issue where you could not share the list view URL from the KV v2 secrets engine. [[GH-23620](https://github.com/hashicorp/vault/pull/23620)]
-* ui: Fixes issue with sidebar navigation links disappearing when navigating to policies when a user is not authorized [[GH-23516](https://github.com/hashicorp/vault/pull/23516)]
-* ui: Fixes issues displaying accurate TLS state in dashboard configuration details [[GH-23726](https://github.com/hashicorp/vault/pull/23726)]
-
-## 1.15.0
-### September 27, 2023
-
-SECURITY:
-
-* secrets/transit: fix a regression that was honoring nonces provided in non-convergent modes during encryption. This vulnerability, CVE-2023-4680, is fixed in Vault 1.14.3, 1.13.7, and 1.12.11. [[GH-22852](https://github.com/hashicorp/vault/pull/22852), [HSEC-2023-28](https://discuss.hashicorp.com/t/hcsec-2023-28-vault-s-transit-secrets-engine-allowed-nonce-specified-without-convergent-encryption/58249)]
-* sentinel (enterprise): Sentinel RGP policies allowed for cross-namespace denial-of-service. This vulnerability, CVE-2023-3775, is fixed in Vault Enterprise 1.15.0, 1.14.4, and 1.13.8.[[HSEC-2023-29](https://discuss.hashicorp.com/t/hcsec-2023-29-vault-enterprise-s-sentinel-rgp-policies-allowed-for-cross-namespace-denial-of-service/58653)]
-
-CHANGES:
-
-* auth/alicloud: Update plugin to v0.16.0 [[GH-22646](https://github.com/hashicorp/vault/pull/22646)]
-* auth/azure: Update plugin to v0.16.0 [[GH-22277](https://github.com/hashicorp/vault/pull/22277)]
-* auth/azure: Update plugin to v0.16.1 [[GH-22795](https://github.com/hashicorp/vault/pull/22795)]
-* auth/azure: Update plugin to v0.16.2 [[GH-23060](https://github.com/hashicorp/vault/pull/23060)]
-* auth/cf: Update plugin to v0.15.1 [[GH-22758](https://github.com/hashicorp/vault/pull/22758)]
-* auth/gcp: Update plugin to v0.16.1 [[GH-22612](https://github.com/hashicorp/vault/pull/22612)]
-* auth/jwt: Update plugin to v0.17.0 [[GH-22678](https://github.com/hashicorp/vault/pull/22678)]
-* auth/kerberos: Update plugin to v0.10.1 [[GH-22797](https://github.com/hashicorp/vault/pull/22797)]
-* auth/kubernetes: Update plugin to v0.17.0 [[GH-22709](https://github.com/hashicorp/vault/pull/22709)]
-* auth/kubernetes: Update plugin to v0.17.1 [[GH-22879](https://github.com/hashicorp/vault/pull/22879)]
-* auth/ldap: Normalize HTTP response codes when invalid credentials are provided [[GH-21282](https://github.com/hashicorp/vault/pull/21282)]
-* auth/oci: Update plugin to v0.14.2 [[GH-22805](https://github.com/hashicorp/vault/pull/22805)]
-* core (enterprise): Ensure Role Governing Policies are only applied down the namespace hierarchy
-* core/namespace (enterprise): Introduce the concept of high-privilege namespace (administrative namespace),
-which will have access to some system backend paths that were previously only accessible in the root namespace. [[GH-21215](https://github.com/hashicorp/vault/pull/21215)]
-* core: Bump Go version to 1.21.1.
-* database/couchbase: Update plugin to v0.9.3 [[GH-22854](https://github.com/hashicorp/vault/pull/22854)]
-* database/couchbase: Update plugin to v0.9.4 [[GH-22871](https://github.com/hashicorp/vault/pull/22871)]
-* database/elasticsearch: Update plugin to v0.13.3 [[GH-22696](https://github.com/hashicorp/vault/pull/22696)]
-* database/mongodbatlas: Update plugin to v0.10.1 [[GH-22655](https://github.com/hashicorp/vault/pull/22655)]
-* database/redis-elasticache: Update plugin to v0.2.2 [[GH-22584](https://github.com/hashicorp/vault/pull/22584)]
-* database/redis-elasticache: Update plugin to v0.2.3 [[GH-22598](https://github.com/hashicorp/vault/pull/22598)]
-* database/redis: Update plugin to v0.2.2 [[GH-22654](https://github.com/hashicorp/vault/pull/22654)]
-* database/snowflake: Update plugin to v0.9.0 [[GH-22516](https://github.com/hashicorp/vault/pull/22516)]
-* events: Log level for processing an event dropped from info to debug. [[GH-22997](https://github.com/hashicorp/vault/pull/22997)]
-* events: `data_path` will include full data path of secret, including name. [[GH-22487](https://github.com/hashicorp/vault/pull/22487)]
-* replication (enterprise): Switch to non-deprecated gRPC field for resolver target host
-* sdk/logical/events: `EventSender` interface method is now `SendEvent` instead of `Send`. [[GH-22487](https://github.com/hashicorp/vault/pull/22487)]
-* secrets/ad: Update plugin to v0.16.1 [[GH-22856](https://github.com/hashicorp/vault/pull/22856)]
-* secrets/alicloud: Update plugin to v0.15.1 [[GH-22533](https://github.com/hashicorp/vault/pull/22533)]
-* secrets/azure: Update plugin to v0.16.2 [[GH-22799](https://github.com/hashicorp/vault/pull/22799)]
-* secrets/azure: Update plugin to v0.16.3 [[GH-22824](https://github.com/hashicorp/vault/pull/22824)]
-* secrets/gcp: Update plugin to v0.17.0 [[GH-22746](https://github.com/hashicorp/vault/pull/22746)]
-* secrets/gcpkms: Update plugin to v0.15.1 [[GH-22757](https://github.com/hashicorp/vault/pull/22757)]
-* secrets/keymgmt: Update plugin to v0.9.3
-* secrets/kubernetes: Update plugin to v0.6.0 [[GH-22823](https://github.com/hashicorp/vault/pull/22823)]
-* secrets/kv: Update plugin to v0.16.1 [[GH-22716](https://github.com/hashicorp/vault/pull/22716)]
-* secrets/mongodbatlas: Update plugin to v0.10.1 [[GH-22748](https://github.com/hashicorp/vault/pull/22748)]
-* secrets/openldap: Update plugin to v0.11.2 [[GH-22734](https://github.com/hashicorp/vault/pull/22734)]
-* secrets/terraform: Update plugin to v0.7.3 [[GH-22907](https://github.com/hashicorp/vault/pull/22907)]
-* secrets/transform (enterprise): Enforce a transformation role's max_ttl setting on encode requests, a warning will be returned if max_ttl was applied.
-* storage/aerospike: Aerospike storage shouldn't be used on 32-bit architectures and is now unsupported on them. [[GH-20825](https://github.com/hashicorp/vault/pull/20825)]
-* telemetry: Replace `vault.rollback.attempt.{MOUNT_POINT}` and `vault.route.rollback.{MOUNT_POINT}` metrics with `vault.rollback.attempt` and `vault.route.rollback metrics` by default. Added a telemetry configuration `add_mount_point_rollback_metrics` which, when set to true, causes vault to emit the metrics with mount points in their names. [[GH-22400](https://github.com/hashicorp/vault/pull/22400)]
-
-FEATURES:
-
-* **Certificate Issuance External Policy Service (CIEPS) (enterprise)**: Allow highly-customizable operator control of certificate validation and generation through the PKI Secrets Engine.
-* **Copyable KV v2 paths in UI**: KV v2 secret paths are copyable for use in CLI commands or API calls [[GH-22551](https://github.com/hashicorp/vault/pull/22551)]
-* **Dashboard UI**: Dashboard is now available in the UI as the new landing page. [[GH-21057](https://github.com/hashicorp/vault/pull/21057)]
-* **Database Static Role Advanced TTL Management**: Adds the ability to rotate
-* **Event System**: Add subscribe capability and subscribe_event_types to policies for events. [[GH-22474](https://github.com/hashicorp/vault/pull/22474)]
-static roles on a defined schedule. [[GH-22484](https://github.com/hashicorp/vault/pull/22484)]
-* **GCP IAM Support**: Adds support for IAM-based authentication to MySQL and PostgreSQL backends using Google Cloud SQL. [[GH-22445](https://github.com/hashicorp/vault/pull/22445)]
-* **Improved KV V2 UI**: Updated and restructured secret engine for KV (version 2 only) [[GH-22559](https://github.com/hashicorp/vault/pull/22559)]
-* **Merkle Tree Corruption Detection (enterprise)**: Add a new endpoint to check merkle tree corruption.
-* **Plugin Containers**: Vault supports registering, managing, and running plugins inside a container on Linux. [[GH-22712](https://github.com/hashicorp/vault/pull/22712)]
-* **SAML Auth Method (enterprise)**: Enable users to authenticate with Vault using their identity in a SAML Identity Provider.
-* **Seal High Availability Beta (enterprise)**: operators can try out configuring more than one automatic seal for resilience against seal provider outages.  Not for production use at this time.
-* **Secrets Sync (enterprise)**: Add the ability to synchronize KVv2 secret with external secrets manager solutions.
-* **UI LDAP secrets engine**: Add LDAP secrets engine to the UI. [[GH-20790](https://github.com/hashicorp/vault/pull/20790)]
-
-IMPROVEMENTS:
-
-* Bump github.com/hashicorp/go-plugin version v1.4.9 -> v1.4.10 [[GH-20966](https://github.com/hashicorp/vault/pull/20966)]
-* api: add support for cloning a Client's tls.Config. [[GH-21424](https://github.com/hashicorp/vault/pull/21424)]
-* api: adding a new api sys method for replication status [[GH-20995](https://github.com/hashicorp/vault/pull/20995)]
-* audit: add core audit events experiment [[GH-21628](https://github.com/hashicorp/vault/pull/21628)]
-* auth/aws: Added support for signed GET requests for authenticating to vault using the aws iam method. [[GH-10961](https://github.com/hashicorp/vault/pull/10961)]
-* auth/azure: Add support for azure workload identity authentication (see issue
-#18257). Update go-kms-wrapping dependency to include [PR
-#155](https://github.com/hashicorp/go-kms-wrapping/pull/155) [[GH-22994](https://github.com/hashicorp/vault/pull/22994)]
-* auth/azure: Added Azure API configurable retry options [[GH-23059](https://github.com/hashicorp/vault/pull/23059)]
-* auth/cert: Adds support for requiring hexadecimal-encoded non-string certificate extension values [[GH-21830](https://github.com/hashicorp/vault/pull/21830)]
-* auth/ldap: improved login speed by adding concurrency to LDAP token group searches [[GH-22659](https://github.com/hashicorp/vault/pull/22659)]
-* auto-auth/azure: Added Azure Workload Identity Federation support to auto-auth (for Vault Agent and Vault Proxy). [[GH-22264](https://github.com/hashicorp/vault/pull/22264)]
-* auto-auth: added support for LDAP auto-auth [[GH-21641](https://github.com/hashicorp/vault/pull/21641)]
-* aws/auth: Adds a new config field `use_sts_region_from_client` which allows for using dynamic regional sts endpoints based on Authorization header when using IAM-based authentication. [[GH-21960](https://github.com/hashicorp/vault/pull/21960)]
-* command/server: add `-dev-tls-san` flag to configure subject alternative names for the certificate generated when using `-dev-tls`. [[GH-22657](https://github.com/hashicorp/vault/pull/22657)]
-* core (ent) : Add field that allows lease-count namespace quotas to be inherited by child namespaces.
-* core : Add field that allows rate-limit namespace quotas to be inherited by child namespaces. [[GH-22452](https://github.com/hashicorp/vault/pull/22452)]
-* core/fips: Add RPM, DEB packages of FIPS 140-2 and HSM+FIPS 140-2 Vault Enterprise.
-* core/quotas: Add configuration to allow skipping of expensive role calculations [[GH-22651](https://github.com/hashicorp/vault/pull/22651)]
-* core: Add a new periodic metric to track the number of available policies, `vault.policy.configured.count`. [[GH-21010](https://github.com/hashicorp/vault/pull/21010)]
-* core: Fix OpenAPI representation and `-output-policy` recognition of some non-standard sudo paths [[GH-21772](https://github.com/hashicorp/vault/pull/21772)]
-* core: Fix regexes for `sys/raw/` and `sys/leases/lookup/` to match prevailing conventions [[GH-21760](https://github.com/hashicorp/vault/pull/21760)]
-* core: Log rollback manager failures during unmount, remount to prevent replication failures on secondary clusters. [[GH-22235](https://github.com/hashicorp/vault/pull/22235)]
-* core: Use a worker pool for the rollback manager. Add new metrics for the rollback manager to track the queued tasks. [[GH-22567](https://github.com/hashicorp/vault/pull/22567)]
-* core: add a listener configuration "chroot_namespace" that forces requests to use a namespace hierarchy [[GH-22304](https://github.com/hashicorp/vault/pull/22304)]
-* core: add a listener configuration "chroot_namespace" that forces requests to use a namespace hierarchy
-* core: remove unnecessary *BarrierView field from backendEntry struct [[GH-20933](https://github.com/hashicorp/vault/pull/20933)]
-* core: use Go stdlib functionalities instead of explicit byte/string conversions [[GH-21854](https://github.com/hashicorp/vault/pull/21854)]
-* eventbus: updated go-eventlogger library to allow removal of nodes referenced by pipelines (used for subscriptions) [[GH-21623](https://github.com/hashicorp/vault/pull/21623)]
-* events: Allow subscriptions to multiple namespaces [[GH-22540](https://github.com/hashicorp/vault/pull/22540)]
-* events: Enabled by default [[GH-22815](https://github.com/hashicorp/vault/pull/22815)]
-* events: WebSocket subscriptions add support for boolean filter expressions [[GH-22835](https://github.com/hashicorp/vault/pull/22835)]
-* framework: Make it an error for `CreateOperation` to be defined without an `ExistenceCheck`, thereby fixing misleading `x-vault-createSupported` in OpenAPI [[GH-18492](https://github.com/hashicorp/vault/pull/18492)]
-* kmip (enterprise): Add namespace lock and unlock support [[GH-21925](https://github.com/hashicorp/vault/pull/21925)]
-* openapi: Better mount points for kv-v1 and kv-v2 in openapi.json [[GH-21563](https://github.com/hashicorp/vault/pull/21563)]
-* openapi: Fix generated types for duration strings [[GH-20841](https://github.com/hashicorp/vault/pull/20841)]
-* openapi: Fix generation of correct fields in some rarer cases [[GH-21942](https://github.com/hashicorp/vault/pull/21942)]
-* openapi: Fix response definitions for list operations [[GH-21934](https://github.com/hashicorp/vault/pull/21934)]
-* openapi: List operations are now given first-class representation in the OpenAPI document, rather than sometimes being overlaid with a read operation at the same path [[GH-21723](https://github.com/hashicorp/vault/pull/21723)]
-* plugins: Containerized plugins can be configured to still work when running with systemd's PrivateTmp=true setting. [[GH-23215](https://github.com/hashicorp/vault/pull/23215)]
-* replication (enterprise): Avoid logging warning if request is forwarded from a performance standby and not a performance secondary
-* replication (enterprise): Make reindex less disruptive by allowing writes during the flush phase.
-* sdk/framework: Adds replication state helper for backends to check for read-only storage [[GH-21743](https://github.com/hashicorp/vault/pull/21743)]
-* secrets/database: Improves error logging for static role rotations by including the database and role names. [[GH-22253](https://github.com/hashicorp/vault/pull/22253)]
-* secrets/db: Remove the `service_account_json` parameter when reading DB connection details [[GH-23256](https://github.com/hashicorp/vault/pull/23256)]
-* secrets/pki: Add a parameter to allow ExtKeyUsage field usage from a role within ACME. [[GH-21702](https://github.com/hashicorp/vault/pull/21702)]
-* secrets/transform (enterprise): Switch to pgx PostgreSQL driver for better timeout handling
-* secrets/transit: Add support to create CSRs from keys in transit engine and import/export x509 certificates [[GH-21081](https://github.com/hashicorp/vault/pull/21081)]
-* storage/dynamodb: Added three permit pool metrics for the DynamoDB backend, `pending_permits`, `active_permits`, and `pool_size`. [[GH-21742](https://github.com/hashicorp/vault/pull/21742)]
-* storage/etcd: Make etcd parameter MaxCallSendMsgSize configurable [[GH-12666](https://github.com/hashicorp/vault/pull/12666)]
-* storage/raft: Cap the minimum dead_server_last_contact_threshold to 1m. [[GH-22040](https://github.com/hashicorp/vault/pull/22040)]
-* sys/metrics (enterprise): Adds a gauge metric that tracks whether enterprise builtin secret plugins are enabled. [[GH-21681](https://github.com/hashicorp/vault/pull/21681)]
-* ui: Add API Explorer link to Sidebar, under Tools. [[GH-21578](https://github.com/hashicorp/vault/pull/21578)]
-* ui: Add pagination to PKI roles, keys, issuers, and certificates list pages [[GH-23193](https://github.com/hashicorp/vault/pull/23193)]
-* ui: Added allowed_domains_template field for CA type role in SSH engine [[GH-23119](https://github.com/hashicorp/vault/pull/23119)]
-* ui: Adds mount configuration details to Kubernetes secrets engine configuration view [[GH-22926](https://github.com/hashicorp/vault/pull/22926)]
-* ui: Adds tidy_revoked_certs to PKI tidy status page [[GH-23232](https://github.com/hashicorp/vault/pull/23232)]
-* ui: Adds warning before downloading KV v2 secret values [[GH-23260](https://github.com/hashicorp/vault/pull/23260)]
-* ui: Display minus icon for empty MaskedInput value. Show MaskedInput for KV secrets without values [[GH-22039](https://github.com/hashicorp/vault/pull/22039)]
-* ui: JSON diff view available in "Create New Version" form for KV v2 [[GH-22593](https://github.com/hashicorp/vault/pull/22593)]
-* ui: KV View Secret card will link to list view if input ends in "/" [[GH-22502](https://github.com/hashicorp/vault/pull/22502)]
-* ui: Move access to  KV V2 version diff view to toolbar in Version History [[GH-23200](https://github.com/hashicorp/vault/pull/23200)]
-* ui: Update pki mount configuration details to match the new mount configuration details pattern [[GH-23166](https://github.com/hashicorp/vault/pull/23166)]
-* ui: add example modal to policy form [[GH-21583](https://github.com/hashicorp/vault/pull/21583)]
-* ui: adds allowed_user_ids field to create role form and user_ids to generate certificates form in pki [[GH-22191](https://github.com/hashicorp/vault/pull/22191)]
-* ui: display CertificateCard instead of MaskedInput for certificates in PKI [[GH-22160](https://github.com/hashicorp/vault/pull/22160)]
-* ui: enables create and update KV secret workflow when control group present [[GH-22471](https://github.com/hashicorp/vault/pull/22471)]
-* ui: implement hashicorp design system [alert](https://helios.hashicorp.design/components/alert) component [[GH-21375](https://github.com/hashicorp/vault/pull/21375)]
-* ui: update detail views that render ttl durations to display full unit instead of letter (i.e. 'days' instead of 'd') [[GH-20697](https://github.com/hashicorp/vault/pull/20697)]
-* ui: update unseal and DR operation token flow components [[GH-21871](https://github.com/hashicorp/vault/pull/21871)]
-* ui: upgrade Ember to 4.12 [[GH-22122](https://github.com/hashicorp/vault/pull/22122)]
-
-DEPRECATIONS:
-
-* auth/centrify: Centrify plugin is deprecated as of 1.15, slated for removal in 1.17 [[GH-23050](https://github.com/hashicorp/vault/pull/23050)]
-
-BUG FIXES:
-
-* activity (enterprise): Fix misattribution of entities to no or child namespace auth methods [[GH-18809](https://github.com/hashicorp/vault/pull/18809)]
-* agent: Environment variable VAULT_CACERT_BYTES now works for Vault Agent templates. [[GH-22322](https://github.com/hashicorp/vault/pull/22322)]
-* agent: Fix "generate-config" command documentation URL [[GH-21466](https://github.com/hashicorp/vault/pull/21466)]
-* api/client: Fix deadlock in client.CloneWithHeaders when used alongside other client methods. [[GH-22410](https://github.com/hashicorp/vault/pull/22410)]
-* api: Fix breakage with UNIX domain socket addresses introduced by newest Go versions as a security fix. [[GH-22523](https://github.com/hashicorp/vault/pull/22523)]
-* audit: Prevent panic due to nil pointer receiver for audit header formatting. [[GH-22694](https://github.com/hashicorp/vault/pull/22694)]
-* auth/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [[GH-21800](https://github.com/hashicorp/vault/pull/21800)]
-* auth/token, sys: Fix path-help being unavailable for some list-only endpoints [[GH-18571](https://github.com/hashicorp/vault/pull/18571)]
-* auth/token: Fix parsing of `auth/token/create` fields to avoid incorrect warnings about ignored parameters [[GH-18556](https://github.com/hashicorp/vault/pull/18556)]
-* awsutil: Update awsutil to v0.2.3 to fix a regression where Vault no longer
-respects `AWS_ROLE_ARN`, `AWS_WEB_IDENTITY_TOKEN_FILE`, and `AWS_ROLE_SESSION_NAME`. [[GH-21951](https://github.com/hashicorp/vault/pull/21951)]
-* cli: Avoid printing "Success" message when `-field` flag is provided during a `vault write`. [[GH-21546](https://github.com/hashicorp/vault/pull/21546)]
-* cli: Fix the CLI failing to return wrapping information for KV PUT and PATCH operations when format is set to `table`. [[GH-22818](https://github.com/hashicorp/vault/pull/22818)]
-* core (enterprise): Fix sentinel policy check logic so that sentinel
-policies are not used when Sentinel feature isn't licensed.
-* core (enterprise): Remove MFA Configuration for namespace when deleting namespace
-* core/managed-keys (enterprise): Allow certain symmetric PKCS#11 managed key mechanisms (AES CBC with and without padding) to operate without an HMAC.
-* core/metrics: vault.raft_storage.bolt.write.time should be a counter not a summary [[GH-22468](https://github.com/hashicorp/vault/pull/22468)]
-* core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context.
-Also fix a related potential deadlock. [[GH-21110](https://github.com/hashicorp/vault/pull/21110)]
-* core/quotas: Only perform ResolveRoleOperation for role-based quotas and lease creation. [[GH-22597](https://github.com/hashicorp/vault/pull/22597)]
-* core/quotas: Reduce overhead for role calculation when using cloud auth methods. [[GH-22583](https://github.com/hashicorp/vault/pull/22583)]
-* core:  Remove "expiration manager is nil on tokenstore" error log for unauth requests on DR secondary as they do not have expiration manager. [[GH-22137](https://github.com/hashicorp/vault/pull/22137)]
-* core: All subloggers now reflect configured log level on reload. [[GH-22038](https://github.com/hashicorp/vault/pull/22038)]
-* core: Fix bug where background thread to update locked user entries runs on DR secondaries. [[GH-22355](https://github.com/hashicorp/vault/pull/22355)]
-* core: Fix readonly errors that could occur while loading mounts/auths during unseal [[GH-22362](https://github.com/hashicorp/vault/pull/22362)]
-* core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [[GH-21470](https://github.com/hashicorp/vault/pull/21470)]
-* core: Fixed issue with some durations not being properly parsed to include days. [[GH-21357](https://github.com/hashicorp/vault/pull/21357)]
-* core: Fixes list password policy to include those with names containing / characters. [[GH-23155](https://github.com/hashicorp/vault/pull/23155)]
-* core: fix race when updating a mount's route entry tainted status and incoming requests [[GH-21640](https://github.com/hashicorp/vault/pull/21640)]
-* events: Ensure subscription resources are cleaned up on close. [[GH-23042](https://github.com/hashicorp/vault/pull/23042)]
-* expiration: Fix a deadlock that could occur when a revocation failure happens while restoring leases on startup. [[GH-22374](https://github.com/hashicorp/vault/pull/22374)]
-* identity/mfa: Fixes to OpenAPI representation and returned error codes for `identity/mfa/method/*` APIs [[GH-20879](https://github.com/hashicorp/vault/pull/20879)]
-* identity: Remove caseSensitivityKey to prevent errors while loading groups which could result in missing groups in memDB when duplicates are found. [[GH-20965](https://github.com/hashicorp/vault/pull/20965)]
-* license: Add autoloaded license path to the cache exempt list. This is to ensure the license changes on the active node is observed on the perfStandby node. [[GH-22363](https://github.com/hashicorp/vault/pull/22363)]
-* openapi: Fix response schema for PKI Issue requests [[GH-21449](https://github.com/hashicorp/vault/pull/21449)]
-* openapi: Fix schema definitions for PKI EAB APIs [[GH-21458](https://github.com/hashicorp/vault/pull/21458)]
-* plugins: Containerized plugins can be run with mlock enabled. [[GH-23215](https://github.com/hashicorp/vault/pull/23215)]
-* plugins: Fix instance where Vault could fail to kill broken/unresponsive plugins. [[GH-22914](https://github.com/hashicorp/vault/pull/22914)]
-* plugins: Fix instance where broken/unresponsive plugins could cause Vault to hang. [[GH-22914](https://github.com/hashicorp/vault/pull/22914)]
-* plugins: Runtime catalog returns 404 instead of 500 when reading a runtime that does not exist [[GH-23171](https://github.com/hashicorp/vault/pull/23171)]
-* plugins: `vault plugin runtime list` can successfully list plugin runtimes with GET [[GH-23171](https://github.com/hashicorp/vault/pull/23171)]
-* raft/autopilot: Add dr-token flag for raft autopilot cli commands [[GH-21165](https://github.com/hashicorp/vault/pull/21165)]
-* replication (enterprise): Fix bug sync invalidate CoreReplicatedClusterInfoPath
-* replication (enterprise): Fix discovery of bad primary cluster addresses to be more reliable
-* replication (enterprise): Fix panic when update-primary was called on demoted clusters using update_primary_addrs
-* replication (enterprise): Fixing a bug by which the atomicity of a merkle diff result could be affected. This means it could be a source of a merkle-diff & sync process failing to switch into stream-wal mode afterwards.
-* replication (enterprise): Sort cluster addresses returned by echo requests, so that primary-addrs only gets persisted when the
-set of addrs changes.
-* replication (enterprise): update primary cluster address after DR failover
-* sdk/ldaputil: Properly escape user filters when using UPN domains
-sdk/ldaputil: use EscapeLDAPValue implementation from cap/ldap [[GH-22249](https://github.com/hashicorp/vault/pull/22249)]
-* secrets/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [[GH-21631](https://github.com/hashicorp/vault/pull/21631)]
-* secrets/ldap: Fix bug causing schema and password_policy to be overwritten in config. [[GH-22330](https://github.com/hashicorp/vault/pull/22330)]
-* secrets/pki: Fix bug with ACME tidy, 'unable to determine acme base folder path'. [[GH-21870](https://github.com/hashicorp/vault/pull/21870)]
-* secrets/pki: Fix preserving acme_account_safety_buffer on config/auto-tidy. [[GH-21870](https://github.com/hashicorp/vault/pull/21870)]
-* secrets/pki: Fix removal of issuers to clean up unreferenced CRLs. [[GH-23007](https://github.com/hashicorp/vault/pull/23007)]
-* secrets/pki: Prevent deleted issuers from reappearing when migrating from a version 1 bundle to a version 2 bundle (versions including 1.13.0, 1.12.2, and 1.11.6); when managed keys were removed but referenced in the Vault 1.10 legacy CA bundle, this the error: `no managed key found with uuid`. [[GH-21316](https://github.com/hashicorp/vault/pull/21316)]
-* secrets/pki: allowed_domains are now compared in a case-insensitive manner if they use glob patterns [[GH-22126](https://github.com/hashicorp/vault/pull/22126)]
-* secrets/transform (enterprise): Batch items with repeated tokens in the tokenization decode api will now contain the decoded_value element
-* secrets/transform (enterprise): Fix nil panic when deleting a template with tokenization transformations present
-* secrets/transform (enterprise): Fix nil panic when encoding a tokenization transformation on a non-active node
-* secrets/transform (enterprise): Grab shared locks for various read operations, only escalating to write locks if work is required
-* secrets/transform (enterprise): Tidy operations will be re-scheduled at a minimum of every minute, not a maximum of every minute
-* secrets/transit: fix panic when providing non-PEM formatted public key for import [[GH-22753](https://github.com/hashicorp/vault/pull/22753)]
-* serviceregistration: Fix bug where multiple nodes in a secondary cluster could be labelled active after updating the cluster's primary [[GH-21642](https://github.com/hashicorp/vault/pull/21642)]
-* storage/consul: Consul service registration tags are now case-sensitive. [[GH-6483](https://github.com/hashicorp/vault/pull/6483)]
-* storage/raft: Fix race where new follower joining can get pruned by dead server cleanup. [[GH-20986](https://github.com/hashicorp/vault/pull/20986)]
-* ui (enterprise): Fix error message when generating SSH credential with control group [[GH-23025](https://github.com/hashicorp/vault/pull/23025)]
-* ui: Adds missing values to details view after generating PKI certificate [[GH-21635](https://github.com/hashicorp/vault/pull/21635)]
-* ui: Fix blank page or ghost secret when canceling KV secret create [[GH-22541](https://github.com/hashicorp/vault/pull/22541)]
-* ui: Fix display for "Last Vault Rotation" timestamp for static database roles which was not rendering or copyable [[GH-22519](https://github.com/hashicorp/vault/pull/22519)]
-* ui: Fix styling for username input when editing a user [[GH-21771](https://github.com/hashicorp/vault/pull/21771)]
-* ui: Fix styling for viewing certificate in kubernetes configuration [[GH-21968](https://github.com/hashicorp/vault/pull/21968)]
-* ui: Fix the issue where confirm delete dropdown is being cut off [[GH-23066](https://github.com/hashicorp/vault/pull/23066)]
-* ui: Fixed an issue where editing an SSH role would clear `default_critical_options` and `default_extension` if left unchanged. [[GH-21739](https://github.com/hashicorp/vault/pull/21739)]
-* ui: Fixed secrets, leases, and policies filter dropping focus after a single character [[GH-21767](https://github.com/hashicorp/vault/pull/21767)]
-* ui: Fixes filter and search bug in secrets engines [[GH-23123](https://github.com/hashicorp/vault/pull/23123)]
-* ui: Fixes form field label tooltip alignment [[GH-22832](https://github.com/hashicorp/vault/pull/22832)]
-* ui: Fixes issue with certain navigational links incorrectly displaying in child namespaces [[GH-21562](https://github.com/hashicorp/vault/pull/21562)]
-* ui: Fixes login screen display issue with Safari browser [[GH-21582](https://github.com/hashicorp/vault/pull/21582)]
-* ui: Fixes problem displaying certificates issued with unsupported signature algorithms (i.e. ed25519) [[GH-21926](https://github.com/hashicorp/vault/pull/21926)]
-* ui: Fixes styling of private key input when configuring an SSH key [[GH-21531](https://github.com/hashicorp/vault/pull/21531)]
-* ui: Surface DOMException error when browser settings prevent localStorage. [[GH-21503](https://github.com/hashicorp/vault/pull/21503)]
-* ui: correct doctype for index.html [[GH-22153](https://github.com/hashicorp/vault/pull/22153)]
-* ui: don't exclude features present on license [[GH-22855](https://github.com/hashicorp/vault/pull/22855)]
-* ui: fixes `max_versions` default for secret metadata unintentionally overriding kv engine defaults [[GH-22394](https://github.com/hashicorp/vault/pull/22394)]
-* ui: fixes long namespace names overflow in the sidebar
-* ui: fixes model defaults overwriting input value when user tries to clear form input [[GH-22458](https://github.com/hashicorp/vault/pull/22458)]
-* ui: fixes text readability issue in revoke token confirmation dialog [[GH-22390](https://github.com/hashicorp/vault/pull/22390)]
-
-## 1.14.6
-### November 09, 2023
-
-SECURITY:
-* core: inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. This vulnerability, CVE-2023-5954, was introduced in Vault 1.15.0, 1.14.3, and 1.13.7, and is fixed in Vault 1.15.2, 1.14.6, and 1.13.10. [[HSEC-2023-33](https://discuss.hashicorp.com/t/hcsec-2023-33-vault-requests-triggering-policy-checks-may-lead-to-unbounded-memory-consumption/59926)]
-
-CHANGES:
-
-* auth/approle: Normalized error response messages when invalid credentials are provided [[GH-23786](https://github.com/hashicorp/vault/pull/23786)]
-* secrets/mongodbatlas: Update plugin to v0.10.2 [[GH-23849](https://github.com/hashicorp/vault/pull/23849)]
-
-FEATURES:
-
-* cli/snapshot: Add CLI tool to inspect Vault snapshots [[GH-23457](https://github.com/hashicorp/vault/pull/23457)]
-
-IMPROVEMENTS:
-
-* storage/etcd: etcd should only return keys when calling List() [[GH-23872](https://github.com/hashicorp/vault/pull/23872)]
-
-BUG FIXES:
-
-* api/seal-status: Fix deadlock on calls to sys/seal-status with a namespace configured
-on the request. [[GH-23861](https://github.com/hashicorp/vault/pull/23861)]
-* core (enterprise): Do not return an internal error when token policy type lookup fails, log it instead and continue.
-* core/activity: Fixes segments fragment loss due to exceeding entry record size limit [[GH-23781](https://github.com/hashicorp/vault/pull/23781)]
-* core/mounts: Fix reading an "auth" mount using "sys/internal/ui/mounts/" when filter paths are enforced returns 500 error code from the secondary [[GH-23802](https://github.com/hashicorp/vault/pull/23802)]
-* core: Revert PR causing memory consumption bug [[GH-23986](https://github.com/hashicorp/vault/pull/23986)]
-* core: Skip unnecessary deriving of policies during Login MFA Check. [[GH-23894](https://github.com/hashicorp/vault/pull/23894)]
-* core: fix bug where deadlock detection was always on for expiration and quotas. 
-These can now be configured individually with `detect_deadlocks`. [[GH-23902](https://github.com/hashicorp/vault/pull/23902)]
-* core: fix policies with wildcards not matching list operations due to the policy path not having a trailing slash [[GH-23874](https://github.com/hashicorp/vault/pull/23874)]
-* expiration: Fix fatal error "concurrent map iteration and map write" when collecting metrics from leases. [[GH-24027](https://github.com/hashicorp/vault/pull/24027)]
-
-## 1.14.5
-### October 25, 2023
-
-CHANGES:
-
-* core: Bump Go version to 1.20.10.
-* replication (enterprise): Switch to non-deprecated gRPC field for resolver target host
-
-IMPROVEMENTS:
-
-* api/plugins: add `tls-server-name` arg for plugin registration [[GH-23549](https://github.com/hashicorp/vault/pull/23549)]
-* core: Use a worker pool for the rollback manager. Add new metrics for the rollback manager to track the queued tasks. [[GH-22567](https://github.com/hashicorp/vault/pull/22567)]
-* ui: Adds toggle to KV secrets engine value download modal to optionally stringify value in downloaded file [[GH-23747](https://github.com/hashicorp/vault/pull/23747)]
-
-BUG FIXES:
-
-* command/server: Fix bug with sigusr2 where pprof files were not closed correctly [[GH-23636](https://github.com/hashicorp/vault/pull/23636)]
-* events: Ignore sending context to give more time for events to send [[GH-23500](https://github.com/hashicorp/vault/pull/23500)]
-* expiration: Prevent large lease loads from delaying state changes, e.g. becoming active or standby. [[GH-23282](https://github.com/hashicorp/vault/pull/23282)]
-* kmip (enterprise): Improve handling of failures due to storage replication issues.
-* kmip (enterprise): Return a structure in the response for query function Query Server Information.
-* mongo-db: allow non-admin database for root credential rotation [[GH-23240](https://github.com/hashicorp/vault/pull/23240)]
-* replication (enterprise): Fix a bug where undo logs would only get enabled on the initial node in a cluster.
-* replication (enterprise): Fix a missing unlock when changing replication state
-* secrets/consul: Fix revocations when Vault has an access token using specific namespace and admin partition policies [[GH-23010](https://github.com/hashicorp/vault/pull/23010)]
-* secrets/pki: Stop processing in-flight ACME verifications when an active node steps down [[GH-23278](https://github.com/hashicorp/vault/pull/23278)]
-* secrets/transit (enterprise): Address an issue using sign/verify operations with managed keys returning an error about it not containing a private key
-* secrets/transit (enterprise): Address panic when using GCP,AWS,Azure managed keys for encryption operations. At this time all encryption operations for the cloud providers have been disabled, only signing operations are supported.
-* secrets/transit (enterprise): Apply hashing arguments and defaults to managed key sign/verify operations
-* secrets/transit: Do not allow auto rotation on managed_key key types [[GH-23723](https://github.com/hashicorp/vault/pull/23723)]
-* storage/consul: fix a bug where an active node in a specific sort of network
-partition could continue to write data to Consul after a new leader is elected
-potentially causing data loss or corruption for keys with many concurrent
-writers. For Enterprise clusters this could cause corruption of the merkle trees
-leading to failure to complete merkle sync without a full re-index. [[GH-23013](https://github.com/hashicorp/vault/pull/23013)]
-* ui: Decode the connection url for display on the connection details page [[GH-23695](https://github.com/hashicorp/vault/pull/23695)]
-* ui: Fix AWS secret engine to allow empty policy_document field. [[GH-23470](https://github.com/hashicorp/vault/pull/23470)]
-* ui: Fix the copy token button in the sidebar navigation window when in a collapsed state. [[GH-23331](https://github.com/hashicorp/vault/pull/23331)]
-* ui: Fixes issue with sidebar navigation links disappearing when navigating to policies when a user is not authorized [[GH-23516](https://github.com/hashicorp/vault/pull/23516)]
-
-## 1.14.4
-### September 27, 2023
-
-SECURITY:
-
-* sentinel (enterprise): Sentinel RGP policies allowed for cross-namespace denial-of-service. This vulnerability, CVE-2023-3775, is fixed in Vault Enterprise 1.15.0, 1.14.4, and 1.13.8. [[HSEC-2023-29](https://discuss.hashicorp.com/t/hcsec-2023-29-vault-enterprise-s-sentinel-rgp-policies-allowed-for-cross-namespace-denial-of-service/58653)]
-
-CHANGES:
-
-* core (enterprise): Ensure Role Governing Policies are only applied down the namespace hierarchy
-
-IMPROVEMENTS:
-
-* ui: Add pagination to PKI roles, keys, issuers, and certificates list pages [[GH-23193](https://github.com/hashicorp/vault/pull/23193)]
-* ui: Added allowed_domains_template field for CA type role in SSH engine [[GH-23119](https://github.com/hashicorp/vault/pull/23119)]
-* ui: Adds tidy_revoked_certs to PKI tidy status page [[GH-23232](https://github.com/hashicorp/vault/pull/23232)]
-* ui: Adds warning before downloading KV v2 secret values [[GH-23260](https://github.com/hashicorp/vault/pull/23260)]
-
-BUG FIXES:
-
-* core: Fixes list password policy to include those with names containing / characters. [[GH-23155](https://github.com/hashicorp/vault/pull/23155)]
-* secrets/pki: Fix removal of issuers to clean up unreferenced CRLs. [[GH-23007](https://github.com/hashicorp/vault/pull/23007)]
-* ui (enterprise): Fix error message when generating SSH credential with control group [[GH-23025](https://github.com/hashicorp/vault/pull/23025)]
-* ui: Fix the issue where confirm delete dropdown is being cut off [[GH-23066](https://github.com/hashicorp/vault/pull/23066)]
-* ui: Fixes filter and search bug in secrets engines [[GH-23123](https://github.com/hashicorp/vault/pull/23123)]
-* ui: don't exclude features present on license [[GH-22855](https://github.com/hashicorp/vault/pull/22855)]
-
-## 1.14.3
-### September 13, 2023
-
-SECURITY:
-
-* secrets/transit: fix a regression that was honoring nonces provided in non-convergent modes during encryption. This vulnerability, CVE-2023-4680, is fixed in Vault 1.14.3, 1.13.7, and 1.12.11. [[GH-22852](https://github.com/hashicorp/vault/pull/22852), [HSEC-2023-28](https://discuss.hashicorp.com/t/hcsec-2023-28-vault-s-transit-secrets-engine-allowed-nonce-specified-without-convergent-encryption/58249)]
-
-CHANGES:
-
-* core: Bump Go version to 1.20.8.
-
-FEATURES:
-
-* ** Merkle Tree Corruption Detection (enterprise) **: Add a new endpoint to check merkle tree corruption.
-
-IMPROVEMENTS:
-
-* auth/ldap: improved login speed by adding concurrency to LDAP token group searches [[GH-22659](https://github.com/hashicorp/vault/pull/22659)]
-* core/quotas: Add configuration to allow skipping of expensive role calculations [[GH-22651](https://github.com/hashicorp/vault/pull/22651)]
-* kmip (enterprise): reduce latency of KMIP operation handling
-
-BUG FIXES:
-
-* cli: Fix the CLI failing to return wrapping information for KV PUT and PATCH operations when format is set to `table`. [[GH-22818](https://github.com/hashicorp/vault/pull/22818)]
-* core/quotas: Only perform ResolveRoleOperation for role-based quotas and lease creation. [[GH-22597](https://github.com/hashicorp/vault/pull/22597)]
-* core/quotas: Reduce overhead for role calculation when using cloud auth methods. [[GH-22583](https://github.com/hashicorp/vault/pull/22583)]
-* core/seal: add a workaround for potential connection [[hangs](https://github.com/Azure/azure-sdk-for-go/issues/21346)] in Azure autoseals. [[GH-22760](https://github.com/hashicorp/vault/pull/22760)]
-* core: All subloggers now reflect configured log level on reload. [[GH-22038](https://github.com/hashicorp/vault/pull/22038)]
-* kmip (enterprise): fix date handling error with some re-key operations
-* raft/autopilot: Add dr-token flag for raft autopilot cli commands [[GH-21165](https://github.com/hashicorp/vault/pull/21165)]
-* replication (enterprise): Fix discovery of bad primary cluster addresses to be more reliable
-* secrets/transit: fix panic when providing non-PEM formatted public key for import [[GH-22753](https://github.com/hashicorp/vault/pull/22753)]
-* ui: fixes long namespace names overflow in the sidebar
-
-## 1.14.2
-### August 30, 2023
-
-CHANGES:
-
-* auth/azure: Update plugin to v0.16.0 [[GH-22277](https://github.com/hashicorp/vault/pull/22277)]
-* core: Bump Go version to 1.20.7.
-* database/snowflake: Update plugin to v0.9.0 [[GH-22516](https://github.com/hashicorp/vault/pull/22516)]
-
-IMPROVEMENTS:
-
-* auto-auth/azure: Added Azure Workload Identity Federation support to auto-auth (for Vault Agent and Vault Proxy). [[GH-22264](https://github.com/hashicorp/vault/pull/22264)]
-* core: Log rollback manager failures during unmount, remount to prevent replication failures on secondary clusters. [[GH-22235](https://github.com/hashicorp/vault/pull/22235)]
-* kmip (enterprise): Add namespace lock and unlock support [[GH-21925](https://github.com/hashicorp/vault/pull/21925)]
-* replication (enterprise): Make reindex less disruptive by allowing writes during the flush phase.
-* secrets/database: Improves error logging for static role rotations by including the database and role names. [[GH-22253](https://github.com/hashicorp/vault/pull/22253)]
-* storage/raft: Cap the minimum dead_server_last_contact_threshold to 1m. [[GH-22040](https://github.com/hashicorp/vault/pull/22040)]
-* ui: KV View Secret card will link to list view if input ends in "/" [[GH-22502](https://github.com/hashicorp/vault/pull/22502)]
-* ui: adds allowed_user_ids field to create role form and user_ids to generate certificates form in pki [[GH-22191](https://github.com/hashicorp/vault/pull/22191)]
-* ui: enables create and update KV secret workflow when control group present [[GH-22471](https://github.com/hashicorp/vault/pull/22471)]
-* website/docs: Fix link formatting in Vault lambda extension docs [[GH-22396](https://github.com/hashicorp/vault/pull/22396)]
-
-BUG FIXES:
-
-* activity (enterprise): Fix misattribution of entities to no or child namespace auth methods [[GH-18809](https://github.com/hashicorp/vault/pull/18809)]
-* agent: Environment variable VAULT_CACERT_BYTES now works for Vault Agent templates. [[GH-22322](https://github.com/hashicorp/vault/pull/22322)]
-* api: Fix breakage with UNIX domain socket addresses introduced by newest Go versions as a security fix. [[GH-22523](https://github.com/hashicorp/vault/pull/22523)]
-* core (enterprise): Remove MFA Configuration for namespace when deleting namespace
-* core/metrics: vault.raft_storage.bolt.write.time should be a counter not a summary [[GH-22468](https://github.com/hashicorp/vault/pull/22468)]
-* core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context.
-Also fix a related potential deadlock. [[GH-21110](https://github.com/hashicorp/vault/pull/21110)]
-* core:  Remove "expiration manager is nil on tokenstore" error log for unauth requests on DR secondary as they do not have expiration manager. [[GH-22137](https://github.com/hashicorp/vault/pull/22137)]
-* core: Fix bug where background thread to update locked user entries runs on DR secondaries. [[GH-22355](https://github.com/hashicorp/vault/pull/22355)]
-* core: Fix readonly errors that could occur while loading mounts/auths during unseal [[GH-22362](https://github.com/hashicorp/vault/pull/22362)]
-* core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [[GH-21470](https://github.com/hashicorp/vault/pull/21470)]
-* expiration: Fix a deadlock that could occur when a revocation failure happens while restoring leases on startup. [[GH-22374](https://github.com/hashicorp/vault/pull/22374)]
-* license: Add autoloaded license path to the cache exempt list. This is to ensure the license changes on the active node is observed on the perfStandby node. [[GH-22363](https://github.com/hashicorp/vault/pull/22363)]
-* replication (enterprise): Fix bug sync invalidate CoreReplicatedClusterInfoPath
-* replication (enterprise): Fix panic when update-primary was called on demoted clusters using update_primary_addrs
-* replication (enterprise): Fixing a bug by which the atomicity of a merkle diff result could be affected. This means it could be a source of a merkle-diff & sync process failing to switch into stream-wal mode afterwards.
-* sdk/ldaputil: Properly escape user filters when using UPN domains
-sdk/ldaputil: use EscapeLDAPValue implementation from cap/ldap [[GH-22249](https://github.com/hashicorp/vault/pull/22249)]
-* secrets/ldap: Fix bug causing schema and password_policy to be overwritten in config. [[GH-22330](https://github.com/hashicorp/vault/pull/22330)]
-* secrets/transform (enterprise): Batch items with repeated tokens in the tokenization decode api will now contain the decoded_value element
-* secrets/transform (enterprise): Fix nil panic when encoding a tokenization transformation on a non-active node
-* secrets/transform (enterprise): Tidy operations will be re-scheduled at a minimum of every minute, not a maximum of every minute
-* storage/raft: Fix race where new follower joining can get pruned by dead server cleanup. [[GH-20986](https://github.com/hashicorp/vault/pull/20986)]
-* ui: Fix blank page or ghost secret when canceling KV secret create [[GH-22541](https://github.com/hashicorp/vault/pull/22541)]
-* ui: fixes `max_versions` default for secret metadata unintentionally overriding kv engine defaults [[GH-22394](https://github.com/hashicorp/vault/pull/22394)]
-* ui: fixes model defaults overwriting input value when user tries to clear form input [[GH-22458](https://github.com/hashicorp/vault/pull/22458)]
-* ui: fixes text readability issue in revoke token confirmation dialog [[GH-22390](https://github.com/hashicorp/vault/pull/22390)]
-
-## 1.14.1
-### July 25, 2023
-
-SECURITY
-
-* auth/ldap: Normalize HTTP response codes when invalid credentials are provided to prevent user enumeration. This vulnerability, CVE-2023-3462, is fixed in Vault 1.14.1 and 1.13.5. [[GH-21282](https://github.com/hashicorp/vault/pull/21282), [HSEC-2023-24](https://discuss.hashicorp.com/t/hcsec-2023-24-vaults-ldap-auth-method-allows-for-user-enumeration/56714)]
-* core/namespace (enterprise): An unhandled error in Vault Enterprise’s namespace creation may cause the Vault process to crash, potentially resulting in denial of service. This vulnerability, CVE-2023-3774, is fixed in Vault Enterprise 1.14.1, 1.13.5, and 1.12.9. [[HSEC_2023-23](https://discuss.hashicorp.com/t/hcsec-2023-23-vault-enterprise-namespace-creation-may-lead-to-denial-of-service/56617)]
-
-CHANGES:
-
-* core/namespace (enterprise): Introduce the concept of high-privilege namespace (administrative namespace),
-which will have access to some system backend paths that were previously only accessible in the root namespace. [[GH-21215](https://github.com/hashicorp/vault/pull/21215)]
-* secrets/transform (enterprise): Enforce a transformation role's max_ttl setting on encode requests, a warning will be returned if max_ttl was applied.
-* storage/aerospike: Aerospike storage shouldn't be used on 32-bit architectures and is now unsupported on them. [[GH-20825](https://github.com/hashicorp/vault/pull/20825)]
-
-IMPROVEMENTS:
-
-* core/fips: Add RPM, DEB packages of FIPS 140-2 and HSM+FIPS 140-2 Vault Enterprise.
-* eventbus: updated go-eventlogger library to allow removal of nodes referenced by pipelines (used for subscriptions) [[GH-21623](https://github.com/hashicorp/vault/pull/21623)]
-* openapi: Better mount points for kv-v1 and kv-v2 in openapi.json [[GH-21563](https://github.com/hashicorp/vault/pull/21563)]
-* replication (enterprise): Avoid logging warning if request is forwarded from a performance standby and not a performance secondary
-* secrets/pki: Add a parameter to allow ExtKeyUsage field usage from a role within ACME. [[GH-21702](https://github.com/hashicorp/vault/pull/21702)]
-* secrets/transform (enterprise): Switch to pgx PostgreSQL driver for better timeout handling
-* sys/metrics (enterprise): Adds a gauge metric that tracks whether enterprise builtin secret plugins are enabled. [[GH-21681](https://github.com/hashicorp/vault/pull/21681)]
-
-BUG FIXES:
-
-* agent: Fix "generate-config" command documentation URL [[GH-21466](https://github.com/hashicorp/vault/pull/21466)]
-* auth/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [[GH-21800](https://github.com/hashicorp/vault/pull/21800)]
-* auth/token, sys: Fix path-help being unavailable for some list-only endpoints [[GH-18571](https://github.com/hashicorp/vault/pull/18571)]
-* auth/token: Fix parsing of `auth/token/create` fields to avoid incorrect warnings about ignored parameters [[GH-18556](https://github.com/hashicorp/vault/pull/18556)]
-* awsutil: Update awsutil to v0.2.3 to fix a regression where Vault no longer
-respects `AWS_ROLE_ARN`, `AWS_WEB_IDENTITY_TOKEN_FILE`, and `AWS_ROLE_SESSION_NAME`. [[GH-21951](https://github.com/hashicorp/vault/pull/21951)]
-* core/managed-keys (enterprise): Allow certain symmetric PKCS#11 managed key mechanisms (AES CBC with and without padding) to operate without an HMAC.
-* core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [[GH-24170](https://github.com/hashicorp/vault/pull/24170)]
-* core: Fixed issue with some durations not being properly parsed to include days. [[GH-21357](https://github.com/hashicorp/vault/pull/21357)]
-* identity: Remove caseSensitivityKey to prevent errors while loading groups which could result in missing groups in memDB when duplicates are found. [[GH-20965](https://github.com/hashicorp/vault/pull/20965)]
-* openapi: Fix response schema for PKI Issue requests [[GH-21449](https://github.com/hashicorp/vault/pull/21449)]
-* openapi: Fix schema definitions for PKI EAB APIs [[GH-21458](https://github.com/hashicorp/vault/pull/21458)]
-* replication (enterprise): update primary cluster address after DR failover
-* secrets/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [[GH-21631](https://github.com/hashicorp/vault/pull/21631)]
-* secrets/pki: Fix bug with ACME tidy, 'unable to determine acme base folder path'. [[GH-21870](https://github.com/hashicorp/vault/pull/21870)]
-* secrets/pki: Fix preserving acme_account_safety_buffer on config/auto-tidy. [[GH-21870](https://github.com/hashicorp/vault/pull/21870)]
-* secrets/pki: Prevent deleted issuers from reappearing when migrating from a version 1 bundle to a version 2 bundle (versions including 1.13.0, 1.12.2, and 1.11.6); when managed keys were removed but referenced in the Vault 1.10 legacy CA bundle, this the error: `no managed key found with uuid`. [[GH-21316](https://github.com/hashicorp/vault/pull/21316)]
-* secrets/transform (enterprise): Fix nil panic when deleting a template with tokenization transformations present
-* secrets/transform (enterprise): Grab shared locks for various read operations, only escalating to write locks if work is required
-* serviceregistration: Fix bug where multiple nodes in a secondary cluster could be labelled active after updating the cluster's primary [[GH-21642](https://github.com/hashicorp/vault/pull/21642)]
-* ui: Adds missing values to details view after generating PKI certificate [[GH-21635](https://github.com/hashicorp/vault/pull/21635)]
-* ui: Fixed an issue where editing an SSH role would clear `default_critical_options` and `default_extension` if left unchanged. [[GH-21739](https://github.com/hashicorp/vault/pull/21739)]
-* ui: Fixed secrets, leases, and policies filter dropping focus after a single character [[GH-21767](https://github.com/hashicorp/vault/pull/21767)]
-* ui: Fixes issue with certain navigational links incorrectly displaying in child namespaces [[GH-21562](https://github.com/hashicorp/vault/pull/21562)]
-* ui: Fixes login screen display issue with Safari browser [[GH-21582](https://github.com/hashicorp/vault/pull/21582)]
-* ui: Fixes problem displaying certificates issued with unsupported signature algorithms (i.e. ed25519) [[GH-21926](https://github.com/hashicorp/vault/pull/21926)]
-* ui: Fixes styling of private key input when configuring an SSH key [[GH-21531](https://github.com/hashicorp/vault/pull/21531)]
-* ui: Surface DOMException error when browser settings prevent localStorage. [[GH-21503](https://github.com/hashicorp/vault/pull/21503)]
-
-## 1.14.0
-### June 21, 2023
-
-SECURITY:
-
-* ui: key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11. [[HSEC-2023-17](https://discuss.hashicorp.com/t/hcsec-2023-17-vault-s-kv-diff-viewer-allowed-html-injection/54814)]
-
-BREAKING CHANGES:
-
-* secrets/pki: Maintaining running count of certificates will be turned off by default.
-To re-enable keeping these metrics available on the tidy status endpoint, enable
-maintain_stored_certificate_counts on tidy-config, to also publish them to the
-metrics consumer, enable publish_stored_certificate_count_metrics . [[GH-18186](https://github.com/hashicorp/vault/pull/18186)]
-
-CHANGES:
-
-* auth/alicloud: Updated plugin from v0.14.0 to v0.15.0 [[GH-20758](https://github.com/hashicorp/vault/pull/20758)]
-* auth/azure: Updated plugin from v0.13.0 to v0.15.0 [[GH-20816](https://github.com/hashicorp/vault/pull/20816)]
-* auth/centrify: Updated plugin from v0.14.0 to v0.15.1 [[GH-20745](https://github.com/hashicorp/vault/pull/20745)]
-* auth/gcp: Updated plugin from v0.15.0 to v0.16.0 [[GH-20725](https://github.com/hashicorp/vault/pull/20725)]
-* auth/jwt: Updated plugin from v0.15.0 to v0.16.0 [[GH-20799](https://github.com/hashicorp/vault/pull/20799)]
-* auth/kubernetes: Update plugin to v0.16.0 [[GH-20802](https://github.com/hashicorp/vault/pull/20802)]
-* core: Bump Go version to 1.20.5.
-* core: Remove feature toggle for SSCTs, i.e. the env var VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS. [[GH-20834](https://github.com/hashicorp/vault/pull/20834)]
-* core: Revert #19676 (VAULT_GRPC_MIN_CONNECT_TIMEOUT env var) as we decided it was unnecessary. [[GH-20826](https://github.com/hashicorp/vault/pull/20826)]
-* database/couchbase: Updated plugin from v0.9.0 to v0.9.2 [[GH-20764](https://github.com/hashicorp/vault/pull/20764)]
-* database/redis-elasticache: Updated plugin from v0.2.0 to v0.2.1 [[GH-20751](https://github.com/hashicorp/vault/pull/20751)]
-* replication (enterprise): Add a new parameter for the update-primary API call
-that allows for setting of the primary cluster addresses directly, instead of
-via a token.
-* secrets/ad: Updated plugin from v0.10.1-0.20230329210417-0b2cdb26cf5d to v0.16.0 [[GH-20750](https://github.com/hashicorp/vault/pull/20750)]
-* secrets/alicloud: Updated plugin from v0.5.4-beta1.0.20230330124709-3fcfc5914a22 to v0.15.0 [[GH-20787](https://github.com/hashicorp/vault/pull/20787)]
-* secrets/aure: Updated plugin from v0.15.0 to v0.16.0 [[GH-20777](https://github.com/hashicorp/vault/pull/20777)]
-* secrets/database/mongodbatlas: Updated plugin from v0.9.0 to v0.10.0 [[GH-20882](https://github.com/hashicorp/vault/pull/20882)]
-* secrets/database/snowflake: Updated plugin from v0.7.0 to v0.8.0 [[GH-20807](https://github.com/hashicorp/vault/pull/20807)]
-* secrets/gcp: Updated plugin from v0.15.0 to v0.16.0 [[GH-20818](https://github.com/hashicorp/vault/pull/20818)]
-* secrets/keymgmt: Updated plugin to v0.9.1
-* secrets/kubernetes: Update plugin to v0.5.0 [[GH-20802](https://github.com/hashicorp/vault/pull/20802)]
-* secrets/mongodbatlas: Updated plugin from v0.9.1 to v0.10.0 [[GH-20742](https://github.com/hashicorp/vault/pull/20742)]
-* secrets/pki: Allow issuance of root CAs without AIA, when templated AIA information includes issuer_id. [[GH-21209](https://github.com/hashicorp/vault/pull/21209)]
-* secrets/pki: Warning when issuing leafs from CSRs with basic constraints. In the future, issuance of non-CA leaf certs from CSRs with asserted IsCA Basic Constraints will be prohibited. [[GH-20654](https://github.com/hashicorp/vault/pull/20654)]
-
-FEATURES:
-
-* **AWS Static Roles**: The AWS Secrets Engine can manage static roles configured by users. [[GH-20536](https://github.com/hashicorp/vault/pull/20536)]
-* **Automated License Utilization Reporting**: Added automated license
-utilization reporting, which sends minimal product-license [metering
-data](https://developer.hashicorp.com/vault/docs/enterprise/license/utilization-reporting)
-to HashiCorp without requiring you to manually collect and report them.
-* **Environment Variables through Vault Agent**: Introducing a new process-supervisor mode for Vault Agent which allows injecting secrets as environment variables into a child process using a new `env_template` configuration stanza. The process-supervisor configuration can be generated with a new `vault agent generate-config` helper tool. [[GH-20530](https://github.com/hashicorp/vault/pull/20530)]
-* **MongoDB Atlas Database Secrets**: Adds support for client certificate credentials [[GH-20425](https://github.com/hashicorp/vault/pull/20425)]
-* **MongoDB Atlas Database Secrets**: Adds support for generating X.509 certificates on dynamic roles for user authentication [[GH-20882](https://github.com/hashicorp/vault/pull/20882)]
-* **NEW PKI Workflow in UI**: Completes generally available rollout of new PKI UI that provides smoother mount configuration and a more guided user experience [[GH-pki-ui-improvements](https://github.com/hashicorp/vault/pull/pki-ui-improvements)]
-* **Secrets/Auth Plugin Multiplexing**: The plugin will be multiplexed when run
-as an external plugin by vault versions that support secrets/auth plugin
-multiplexing (> 1.12) [[GH-19215](https://github.com/hashicorp/vault/pull/19215)]
-* **Sidebar Navigation in UI**: A new sidebar navigation panel has been added in the UI to replace the top navigation bar. [[GH-19296](https://github.com/hashicorp/vault/pull/19296)]
-* **Vault PKI ACME Server**: Support for the ACME certificate lifecycle management protocol has been added to the Vault PKI Plugin. This allows standard ACME clients, such as the EFF's certbot and the CNCF's k8s cert-manager, to request certificates from a Vault server with no knowledge of Vault APIs or authentication mechanisms. For public-facing Vault instances, we recommend requiring External Account Bindings (EAB) to limit the ability to request certificates to only authenticated clients. [[GH-20752](https://github.com/hashicorp/vault/pull/20752)]
-* **Vault Proxy**: Introduced Vault Proxy, a new subcommand of the Vault binary that can be invoked using `vault proxy -config=config.hcl`. It currently has the same feature set as Vault Agent's API proxy, but the two may diverge in the future. We plan to deprecate the API proxy functionality of Vault Agent in a future release. [[GH-20548](https://github.com/hashicorp/vault/pull/20548)]
-* **OCI Auto-Auth**: Add OCI (Oracle Cloud Infrastructure) auto-auth method [[GH-19260](https://github.com/hashicorp/vault/pull/19260)]
-
-IMPROVEMENTS:
-
-* * api: Add Config.TLSConfig method to fetch the TLS configuration from a client config. [[GH-20265](https://github.com/hashicorp/vault/pull/20265)]
-* * physical/etcd: Upgrade etcd3 client to v3.5.7 [[GH-20261](https://github.com/hashicorp/vault/pull/20261)]
-* activitylog: EntityRecord protobufs now contain a ClientType field for
-distinguishing client sources. [[GH-20626](https://github.com/hashicorp/vault/pull/20626)]
-* agent: Add integration tests for agent running in process supervisor mode [[GH-20741](https://github.com/hashicorp/vault/pull/20741)]
-* agent: Add logic to validate env_template entries in configuration [[GH-20569](https://github.com/hashicorp/vault/pull/20569)]
-* agent: Added `reload` option to cert auth configuration in case of external renewals of local x509 key-pairs. [[GH-19002](https://github.com/hashicorp/vault/pull/19002)]
-* agent: JWT auto-auth has a new config option, `remove_jwt_follows_symlinks` (default: false), that, if set to true will now remove the JWT, instead of the symlink to the JWT, if a symlink to a JWT has been provided in the `path` option, and the `remove_jwt_after_reading` config option is set to true (default). [[GH-18863](https://github.com/hashicorp/vault/pull/18863)]
-* agent: Vault Agent now reports its name and version as part of the User-Agent header in all requests issued. [[GH-19776](https://github.com/hashicorp/vault/pull/19776)]
-* agent: initial implementation of a process runner for injecting secrets via environment variables via vault agent [[GH-20628](https://github.com/hashicorp/vault/pull/20628)]
-* api: GET ... /sys/internal/counters/activity?current_billing_period=true now
-results in a response which contains the full billing period [[GH-20694](https://github.com/hashicorp/vault/pull/20694)]
-* api: `/sys/internal/counters/config` endpoint now contains read-only
-`minimum_retention_months`. [[GH-20150](https://github.com/hashicorp/vault/pull/20150)]
-* api: `/sys/internal/counters/config` endpoint now contains read-only
-`reporting_enabled` and `billing_start_timestamp` fields. [[GH-20086](https://github.com/hashicorp/vault/pull/20086)]
-* api: property based testing for LifetimeWatcher sleep duration calculation [[GH-17919](https://github.com/hashicorp/vault/pull/17919)]
-* audit: add plugin metadata, including plugin name, type, version, sha256, and whether plugin is external, to audit logging [[GH-19814](https://github.com/hashicorp/vault/pull/19814)]
-* audit: forwarded requests can now contain host metadata on the node it was sent 'from' or a flag to indicate that it was forwarded.
-* auth/cert: Better return OCSP validation errors during login to the caller. [[GH-20234](https://github.com/hashicorp/vault/pull/20234)]
-* auth/kerberos: Enable plugin multiplexing
-auth/kerberos: Upgrade plugin dependencies [[GH-20771](https://github.com/hashicorp/vault/pull/20771)]
-* auth/ldap: allow configuration of alias dereferencing in LDAP search [[GH-18230](https://github.com/hashicorp/vault/pull/18230)]
-* auth/ldap: allow providing the LDAP password via an env var when authenticating via the CLI [[GH-18225](https://github.com/hashicorp/vault/pull/18225)]
-* auth/oidc: Adds support for group membership parsing when using IBM ISAM as an OIDC provider. [[GH-19247](https://github.com/hashicorp/vault/pull/19247)]
-* build: Prefer GOBIN when set over GOPATH/bin when building the binary [[GH-19862](https://github.com/hashicorp/vault/pull/19862)]
-* cli: Add walkSecretsTree helper function, which recursively walks secrets rooted at the given path [[GH-20464](https://github.com/hashicorp/vault/pull/20464)]
-* cli: Improve addPrefixToKVPath helper [[GH-20488](https://github.com/hashicorp/vault/pull/20488)]
-* command/server (enterprise): -dev-three-node now creates perf standbys instead of regular standbys. [[GH-20629](https://github.com/hashicorp/vault/pull/20629)]
-* command/server: Add support for dumping pprof files to the filesystem via SIGUSR2 when
-`VAULT_PPROF_WRITE_TO_FILE=true` is set on the server. [[GH-20609](https://github.com/hashicorp/vault/pull/20609)]
-* command/server: New -dev-cluster-json writes a file describing the dev cluster in -dev and -dev-three-node modes, plus -dev-three-node now enables unauthenticated metrics and pprof requests. [[GH-20224](https://github.com/hashicorp/vault/pull/20224)]
-* core (enterprise): add configuration for license reporting [[GH-19891](https://github.com/hashicorp/vault/pull/19891)]
-* core (enterprise): license updates trigger a reload of reporting and the activity log [[GH-20680](https://github.com/hashicorp/vault/pull/20680)]
-* core (enterprise): support reloading configuration for automated reporting via SIGHUP [[GH-20680](https://github.com/hashicorp/vault/pull/20680)]
-* core (enterprise): vault server command now allows for opt-out of automated
-reporting via the `OPTOUT_LICENSE_REPORTING` environment variable. [[GH-3939](https://github.com/hashicorp/vault/pull/3939)]
-* core, secrets/pki, audit: Update dependency go-jose to v3 due to v2 deprecation. [[GH-20559](https://github.com/hashicorp/vault/pull/20559)]
-* core/activity: error when attempting to update retention configuration below the minimum [[GH-20078](https://github.com/hashicorp/vault/pull/20078)]
-* core/activity: refactor the activity log's generation of precomputed queries [[GH-20073](https://github.com/hashicorp/vault/pull/20073)]
-* core: Add possibility to decode a generated encoded root token via the rest API [[GH-20595](https://github.com/hashicorp/vault/pull/20595)]
-* core: include namespace path in granting_policies block of audit log
-* core: include reason for ErrReadOnly on PBPWF writing failures
-* core: report intermediate error messages during request forwarding [[GH-20643](https://github.com/hashicorp/vault/pull/20643)]
-* core:provide more descriptive error message when calling enterprise feature paths in open-source [[GH-18870](https://github.com/hashicorp/vault/pull/18870)]
-* database/elasticsearch: Upgrade plugin dependencies [[GH-20767](https://github.com/hashicorp/vault/pull/20767)]
-* database/mongodb: upgrade mongo driver to 1.11 [[GH-19954](https://github.com/hashicorp/vault/pull/19954)]
-* database/redis: Upgrade plugin dependencies [[GH-20763](https://github.com/hashicorp/vault/pull/20763)]
-* http: Support responding to HEAD operation from plugins [[GH-19520](https://github.com/hashicorp/vault/pull/19520)]
-* openapi: Add openapi response definitions to /sys defined endpoints. [[GH-18633](https://github.com/hashicorp/vault/pull/18633)]
-* openapi: Add openapi response definitions to pki/config_*.go [[GH-18376](https://github.com/hashicorp/vault/pull/18376)]
-* openapi: Add openapi response definitions to vault/logical_system_paths.go defined endpoints. [[GH-18515](https://github.com/hashicorp/vault/pull/18515)]
-* openapi: Consistently stop Vault server on exit in gen_openapi.sh [[GH-19252](https://github.com/hashicorp/vault/pull/19252)]
-* openapi: Improve operationId/request/response naming strategy [[GH-19319](https://github.com/hashicorp/vault/pull/19319)]
-* openapi: add openapi response definitions to /sys/internal endpoints [[GH-18542](https://github.com/hashicorp/vault/pull/18542)]
-* openapi: add openapi response definitions to /sys/rotate endpoints [[GH-18624](https://github.com/hashicorp/vault/pull/18624)]
-* openapi: add openapi response definitions to /sys/seal endpoints [[GH-18625](https://github.com/hashicorp/vault/pull/18625)]
-* openapi: add openapi response definitions to /sys/tool endpoints [[GH-18626](https://github.com/hashicorp/vault/pull/18626)]
-* openapi: add openapi response definitions to /sys/version-history, /sys/leader, /sys/ha-status, /sys/host-info, /sys/in-flight-req [[GH-18628](https://github.com/hashicorp/vault/pull/18628)]
-* openapi: add openapi response definitions to /sys/wrapping endpoints [[GH-18627](https://github.com/hashicorp/vault/pull/18627)]
-* openapi: add openapi response defintions to /sys/auth endpoints [[GH-18465](https://github.com/hashicorp/vault/pull/18465)]
-* openapi: add openapi response defintions to /sys/capabilities endpoints [[GH-18468](https://github.com/hashicorp/vault/pull/18468)]
-* openapi: add openapi response defintions to /sys/config and /sys/generate-root endpoints [[GH-18472](https://github.com/hashicorp/vault/pull/18472)]
-* openapi: added ability to validate response structures against openapi schema for test clusters [[GH-19043](https://github.com/hashicorp/vault/pull/19043)]
-* sdk/framework: Fix non-deterministic ordering of 'required' fields in OpenAPI spec [[GH-20881](https://github.com/hashicorp/vault/pull/20881)]
-* sdk: Add new docker-based cluster testing framework to the sdk. [[GH-20247](https://github.com/hashicorp/vault/pull/20247)]
-* secrets/ad: upgrades dependencies [[GH-19829](https://github.com/hashicorp/vault/pull/19829)]
-* secrets/alicloud: upgrades dependencies [[GH-19846](https://github.com/hashicorp/vault/pull/19846)]
-* secrets/consul: Improve error message when ACL bootstrapping fails. [[GH-20891](https://github.com/hashicorp/vault/pull/20891)]
-* secrets/database: Adds error message requiring password on root crednetial rotation. [[GH-19103](https://github.com/hashicorp/vault/pull/19103)]
-* secrets/gcpkms: Enable plugin multiplexing
-secrets/gcpkms: Upgrade plugin dependencies [[GH-20784](https://github.com/hashicorp/vault/pull/20784)]
-* secrets/mongodbatlas: upgrades dependencies [[GH-19861](https://github.com/hashicorp/vault/pull/19861)]
-* secrets/openldap: upgrades dependencies [[GH-19993](https://github.com/hashicorp/vault/pull/19993)]
-* secrets/pki: Add missing fields to tidy-status, include new last_auto_tidy_finished field. [[GH-20442](https://github.com/hashicorp/vault/pull/20442)]
-* secrets/pki: Add warning when issuer lacks KeyUsage during CRL rebuilds; expose in logs and on rotation. [[GH-20253](https://github.com/hashicorp/vault/pull/20253)]
-* secrets/pki: Allow determining existing issuers and keys on import. [[GH-20441](https://github.com/hashicorp/vault/pull/20441)]
-* secrets/pki: Include CA serial number, key UUID on issuers list endpoint. [[GH-20276](https://github.com/hashicorp/vault/pull/20276)]
-* secrets/pki: Limit ACME issued certificates NotAfter TTL to a maximum of 90 days [[GH-20981](https://github.com/hashicorp/vault/pull/20981)]
-* secrets/pki: Support TLS-ALPN-01 challenge type in ACME for DNS certificate identifiers. [[GH-20943](https://github.com/hashicorp/vault/pull/20943)]
-* secrets/pki: add subject key identifier to read key response [[GH-20642](https://github.com/hashicorp/vault/pull/20642)]
-* secrets/postgresql: Add configuration to scram-sha-256 encrypt passwords on Vault before sending them to PostgreSQL [[GH-19616](https://github.com/hashicorp/vault/pull/19616)]
-* secrets/terraform: upgrades dependencies [[GH-19798](https://github.com/hashicorp/vault/pull/19798)]
-* secrets/transit: Add support to import public keys in transit engine and allow encryption and verification of signed data [[GH-17934](https://github.com/hashicorp/vault/pull/17934)]
-* secrets/transit: Allow importing RSA-PSS OID (1.2.840.113549.1.1.10) private keys via BYOK. [[GH-19519](https://github.com/hashicorp/vault/pull/19519)]
-* secrets/transit: Respond to writes with updated key policy, cache configuration. [[GH-20652](https://github.com/hashicorp/vault/pull/20652)]
-* secrets/transit: Support BYOK-encrypted export of keys to securely allow synchronizing specific keys and version across clusters. [[GH-20736](https://github.com/hashicorp/vault/pull/20736)]
-* ui: Add download button for each secret value in KV v2 [[GH-20431](https://github.com/hashicorp/vault/pull/20431)]
-* ui: Add filtering by auth type and auth name to the Authentication Method list view. [[GH-20747](https://github.com/hashicorp/vault/pull/20747)]
-* ui: Add filtering by engine type and engine name to the Secret Engine list view. [[GH-20481](https://github.com/hashicorp/vault/pull/20481)]
-* ui: Adds whitespace warning to secrets engine and auth method path inputs [[GH-19913](https://github.com/hashicorp/vault/pull/19913)]
-* ui: Remove the Bulma CSS framework. [[GH-19878](https://github.com/hashicorp/vault/pull/19878)]
-* ui: Update Web CLI with examples and a new `kv-get` command for reading kv v2 data and metadata [[GH-20590](https://github.com/hashicorp/vault/pull/20590)]
-* ui: Updates UI javascript dependencies [[GH-19901](https://github.com/hashicorp/vault/pull/19901)]
-* ui: add allowed_managed_keys field to secret engine mount options [[GH-19791](https://github.com/hashicorp/vault/pull/19791)]
-* ui: adds warning for commas in stringArray inputs and updates tooltip help text to remove references to comma separation [[GH-20163](https://github.com/hashicorp/vault/pull/20163)]
-* ui: updates clients configuration edit form state based on census reporting configuration [[GH-20125](https://github.com/hashicorp/vault/pull/20125)]
-* website/docs: Add rotate root documentation for azure secrets engine [[GH-19187](https://github.com/hashicorp/vault/pull/19187)]
-* website/docs: fix database static-user sample payload [[GH-19170](https://github.com/hashicorp/vault/pull/19170)]
-
-BUG FIXES:
-
-* agent: Fix agent generate-config to accept -namespace, VAULT_NAMESPACE, and other client-modifying flags. [[GH-21297](https://github.com/hashicorp/vault/pull/21297)]
-* agent: Fix bug with 'cache' stanza validation [[GH-20934](https://github.com/hashicorp/vault/pull/20934)]
-* api: Addressed a couple of issues that arose as edge cases for the -output-policy flag. Specifically around properly handling list commands, distinguishing kv V1/V2, and correctly recognizing protected paths. [[GH-19160](https://github.com/hashicorp/vault/pull/19160)]
-* api: Properly Handle nil identity_policies in Secret Data [[GH-20636](https://github.com/hashicorp/vault/pull/20636)]
-* auth/ldap: Set default value for `max_page_size` properly [[GH-20453](https://github.com/hashicorp/vault/pull/20453)]
-* auth/token: Fix cubbyhole and revocation for legacy service tokens [[GH-19416](https://github.com/hashicorp/vault/pull/19416)]
-* cli/kv: add -mount flag to kv list [[GH-19378](https://github.com/hashicorp/vault/pull/19378)]
-* core (enterprise): Don't delete backend stored data that appears to be filterable
-on this secondary if we don't have a corresponding mount entry.
-* core (enterprise): Fix intermittent issue with token entries sometimes not being found when using a newly created token in a request to a secondary, even when SSCT `new_token` forwarding is set. When this occurred, this would result in the following error to the client: `error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue`.
-* core (enterprise): Fix log shipper buffer size overflow issue for 32 bit architecture.
-* core (enterprise): Fix logshipper buffer size to default to DefaultBufferSize only when reported system memory is zero.
-* core (enterprise): Fix panic when using invalid accessor for control-group request
-* core (enterprise): Fix perf standby WAL streaming silently failures when replication setup happens at a bad time.
-* core (enterprise): Fix read on perf standbys failing with 412 after leadership change, unseal, restores or restarts when no writes occur
-* core (enterprise): Remove MFA Enforcment configuration for namespace when deleting namespace
-* core/ssct (enterprise): Fixed race condition where a newly promoted DR may revert `sscGenCounter`
-resulting in 412 errors.
-* core: Change where we evaluate filtered paths as part of mount operations; this is part of an enterprise bugfix that will
-have its own changelog entry.  Fix wrong lock used in ListAuths link meta interface implementation. [[GH-21260](https://github.com/hashicorp/vault/pull/21260)]
-* core: Do not cache seal configuration to fix a bug that resulted in sporadic auto unseal failures. [[GH-21223](https://github.com/hashicorp/vault/pull/21223)]
-* core: Don't exit just because we think there's a potential deadlock. [[GH-21342](https://github.com/hashicorp/vault/pull/21342)]
-* core: Fix Forwarded Writer construction to correctly find active nodes, allowing PKI cross-cluster functionality to succeed on existing mounts.
-* core: Fix panic in sealed nodes using raft storage trying to emit raft metrics [[GH-21249](https://github.com/hashicorp/vault/pull/21249)]
-* core: Fix writes to readonly storage on performance standbys when user lockout feature is enabled. [[GH-20783](https://github.com/hashicorp/vault/pull/20783)]
-* identity: Fixes duplicate groups creation with the same name but unique IDs. [[GH-20964](https://github.com/hashicorp/vault/pull/20964)]
-* license (enterprise): Fix bug where license would update even if the license didn't change.
-* openapi: Small fixes for OpenAPI display attributes. Changed "log-in" to "login" [[GH-20285](https://github.com/hashicorp/vault/pull/20285)]
-* plugin/reload:  Fix a possible data race with rollback manager and plugin reload [[GH-19468](https://github.com/hashicorp/vault/pull/19468)]
-* replication (enterprise): Fix a caching issue when replicating filtered data to
-a performance secondary. This resulted in the data being set to nil in the cache
-and a "invalid value" error being returned from the API.
-* replication (enterprise): Fix a race condition with invalid tokens during WAL streaming that was causing Secondary clusters to be unable to connect to a Primary.
-* replication (enterprise): Fix a race condition with update-primary that could result in data loss after a DR failover
-* replication (enterprise): Fix bug where reloading external plugin on a secondary would
-break replication.
-* replication (enterprise): Fix path filters deleting data right after it's written by backend Initialize funcs
-* replication (enterprise): Fix regression causing token creation against a role
-with a new entity alias to be incorrectly forwarded from perf standbys. [[GH-21100](https://github.com/hashicorp/vault/pull/21100)]
-* replication (enterprise): Fix replication status for Primary clusters showing its primary cluster's information (in case of DR) in secondaries field when known_secondaries field is nil
-* replication (enterprise): fix bug where secondary grpc connections would timeout when connecting to a primary host that no longer exists.
-* sdk/backend: prevent panic when computing the zero value for a `TypeInt64` schema field. [[GH-18729](https://github.com/hashicorp/vault/pull/18729)]
-* secrets/pki: Support setting both maintain_stored_certificate_counts=false and publish_stored_certificate_count_metrics=false explicitly in tidy config. [[GH-20664](https://github.com/hashicorp/vault/pull/20664)]
-* secrets/transform (enterprise): Address SQL connection leak when cleaning expired tokens
-* secrets/transform (enterprise): Fix a caching bug affecting secondary nodes after a tokenization key rotation
-* secrets/transform (enterprise): Fix persistence problem with rotated tokenization key versions
-* secrets/transform: Added importing of keys and key versions into the Transform secrets engine using the command 'vault transform import' and 'vault transform import-version'. [[GH-20668](https://github.com/hashicorp/vault/pull/20668)]
-* secrets/transit: Fix export of HMAC-only key, correctly exporting the key used for sign operations. For consumers of the previously incorrect key, use the plaintext export to retrieve these incorrect keys and import them as new versions.
-* secrets/transit: Fix bug related to shorter dedicated HMAC key sizing.
-* sdk/helper/keysutil: New HMAC type policies will have HMACKey equal to Key and be copied over on import. [[GH-20864](https://github.com/hashicorp/vault/pull/20864)]
-* shamir: change mul and div implementations to be constant-time [[GH-19495](https://github.com/hashicorp/vault/pull/19495)]
-* ui (enterprise): Fix cancel button from transform engine role creation page [[GH-19135](https://github.com/hashicorp/vault/pull/19135)]
-* ui: Fix secret render when path includes %. Resolves #11616. [[GH-20430](https://github.com/hashicorp/vault/pull/20430)]
-* ui: Fixes issue unsealing cluster for seal types other than shamir [[GH-20897](https://github.com/hashicorp/vault/pull/20897)]
-* ui: fixes auto_rotate_period ttl input for transit keys [[GH-20731](https://github.com/hashicorp/vault/pull/20731)]
-* ui: fixes bug in kmip role form that caused `operation_all` to persist after deselecting all operation checkboxes [[GH-19139](https://github.com/hashicorp/vault/pull/19139)]
-* ui: fixes key_bits and signature_bits reverting to default values when editing a pki role [[GH-20907](https://github.com/hashicorp/vault/pull/20907)]
-* ui: wait for wanted message event during OIDC callback instead of using the first message event [[GH-18521](https://github.com/hashicorp/vault/pull/18521)]
-
-## 1.13.10
-### November 09, 2023
-
-SECURITY:
-* core: inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. This vulnerability, CVE-2023-5954, was introduced in Vault 1.15.0, 1.14.3, and 1.13.7, and is fixed in Vault 1.15.2, 1.14.6, and 1.13.10. [[HSEC-2023-33](https://discuss.hashicorp.com/t/hcsec-2023-33-vault-requests-triggering-policy-checks-may-lead-to-unbounded-memory-consumption/59926)]
-
-CHANGES:
-
-* auth/approle: Normalized error response messages when invalid credentials are provided [[GH-23786](https://github.com/hashicorp/vault/pull/23786)]
-* secrets/mongodbatlas: Update plugin to v0.9.2 [[GH-23849](https://github.com/hashicorp/vault/pull/23849)]
-
-FEATURES:
-
-* cli/snapshot: Add CLI tool to inspect Vault snapshots [[GH-23457](https://github.com/hashicorp/vault/pull/23457)]
-
-IMPROVEMENTS:
-
-* storage/etcd: etcd should only return keys when calling List() [[GH-23872](https://github.com/hashicorp/vault/pull/23872)]
-
-BUG FIXES:
-
-* api/seal-status: Fix deadlock on calls to sys/seal-status with a namespace configured
-on the request. [[GH-23861](https://github.com/hashicorp/vault/pull/23861)]
-* core (enterprise): Do not return an internal error when token policy type lookup fails, log it instead and continue.
-* core/activity: Fixes segments fragment loss due to exceeding entry record size limit [[GH-23781](https://github.com/hashicorp/vault/pull/23781)]
-* core/mounts: Fix reading an "auth" mount using "sys/internal/ui/mounts/" when filter paths are enforced returns 500 error code from the secondary [[GH-23802](https://github.com/hashicorp/vault/pull/23802)]
-* core: Revert PR causing memory consumption bug [[GH-23986](https://github.com/hashicorp/vault/pull/23986)]
-* core: Skip unnecessary deriving of policies during Login MFA Check. [[GH-23894](https://github.com/hashicorp/vault/pull/23894)]
-* core: fix bug where deadlock detection was always on for expiration and quotas. 
-These can now be configured individually with `detect_deadlocks`. [[GH-23902](https://github.com/hashicorp/vault/pull/23902)]
-* core: fix policies with wildcards not matching list operations due to the policy path not having a trailing slash [[GH-23874](https://github.com/hashicorp/vault/pull/23874)]
-* expiration: Fix fatal error "concurrent map iteration and map write" when collecting metrics from leases. [[GH-24027](https://github.com/hashicorp/vault/pull/24027)]
-
-## 1.13.9
-### October 25, 2023
-
-CHANGES:
-
-* core: Bump Go version to 1.20.10.
-* replication (enterprise): Switch to non-deprecated gRPC field for resolver target host
-
-IMPROVEMENTS:
-
-* api/plugins: add `tls-server-name` arg for plugin registration [[GH-23549](https://github.com/hashicorp/vault/pull/23549)]
-* core: Use a worker pool for the rollback manager. Add new metrics for the rollback manager to track the queued tasks. [[GH-22567](https://github.com/hashicorp/vault/pull/22567)]
-
-BUG FIXES:
-
-* command/server: Fix bug with sigusr2 where pprof files were not closed correctly [[GH-23636](https://github.com/hashicorp/vault/pull/23636)]
-* events: Ignore sending context to give more time for events to send [[GH-23500](https://github.com/hashicorp/vault/pull/23500)]
-* expiration: Prevent large lease loads from delaying state changes, e.g. becoming active or standby. [[GH-23282](https://github.com/hashicorp/vault/pull/23282)]
-* kmip (enterprise): Improve handling of failures due to storage replication issues.
-* kmip (enterprise): Return a structure in the response for query function Query Server Information.
-* mongo-db: allow non-admin database for root credential rotation [[GH-23240](https://github.com/hashicorp/vault/pull/23240)]
-* replication (enterprise): Fix a bug where undo logs would only get enabled on the initial node in a cluster.
-* replication (enterprise): Fix a missing unlock when changing replication state
-* secrets/transit (enterprise): Address an issue using sign/verify operations with managed keys returning an error about it not containing a private key
-* secrets/transit (enterprise): Address panic when using GCP,AWS,Azure managed keys for encryption operations. At this time all encryption operations for the cloud providers have been disabled, only signing operations are supported.
-* secrets/transit (enterprise): Apply hashing arguments and defaults to managed key sign/verify operations
-* secrets/transit: Do not allow auto rotation on managed_key key types [[GH-23723](https://github.com/hashicorp/vault/pull/23723)]
-
-## 1.13.6
-### August 30, 2023
-
-CHANGES:
-
-* core: Bump Go version to 1.20.7.
-
-IMPROVEMENTS:
-
-* core: Log rollback manager failures during unmount, remount to prevent replication failures on secondary clusters. [[GH-22235](https://github.com/hashicorp/vault/pull/22235)]
-* replication (enterprise): Make reindex less disruptive by allowing writes during the flush phase.
-* secrets/database: Improves error logging for static role rotations by including the database and role names. [[GH-22253](https://github.com/hashicorp/vault/pull/22253)]
-* storage/raft: Cap the minimum dead_server_last_contact_threshold to 1m. [[GH-22040](https://github.com/hashicorp/vault/pull/22040)]
-* ui: KV View Secret card will link to list view if input ends in "/" [[GH-22502](https://github.com/hashicorp/vault/pull/22502)]
-* ui: enables create and update KV secret workflow when control group present [[GH-22471](https://github.com/hashicorp/vault/pull/22471)]
-
-BUG FIXES:
-
-* activity (enterprise): Fix misattribution of entities to no or child namespace auth methods [[GH-18809](https://github.com/hashicorp/vault/pull/18809)]
-* api: Fix breakage with UNIX domain socket addresses introduced by newest Go versions as a security fix. [[GH-22523](https://github.com/hashicorp/vault/pull/22523)]
-* core (enterprise): Remove MFA Configuration for namespace when deleting namespace
-* core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context.
-Also fix a related potential deadlock. [[GH-21110](https://github.com/hashicorp/vault/pull/21110)]
-* core:  Remove "expiration manager is nil on tokenstore" error log for unauth requests on DR secondary as they do not have expiration manager. [[GH-22137](https://github.com/hashicorp/vault/pull/22137)]
-* core: Fix bug where background thread to update locked user entries runs on DR secondaries. [[GH-22355](https://github.com/hashicorp/vault/pull/22355)]
-* core: Fix readonly errors that could occur while loading mounts/auths during unseal [[GH-22362](https://github.com/hashicorp/vault/pull/22362)]
-* core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [[GH-21470](https://github.com/hashicorp/vault/pull/21470)]
-* expiration: Fix a deadlock that could occur when a revocation failure happens while restoring leases on startup. [[GH-22374](https://github.com/hashicorp/vault/pull/22374)]
-* license: Add autoloaded license path to the cache exempt list. This is to ensure the license changes on the active node is observed on the perfStandby node. [[GH-22363](https://github.com/hashicorp/vault/pull/22363)]
-* replication (enterprise): Fix bug sync invalidate CoreReplicatedClusterInfoPath
-* replication (enterprise): Fix panic when update-primary was called on demoted clusters using update_primary_addrs
-* replication (enterprise): Fixing a bug by which the atomicity of a merkle diff result could be affected. This means it could be a source of a merkle-diff & sync process failing to switch into stream-wal mode afterwards.
-* sdk/ldaputil: Properly escape user filters when using UPN domains
-sdk/ldaputil: use EscapeLDAPValue implementation from cap/ldap [[GH-22249](https://github.com/hashicorp/vault/pull/22249)]
-* secrets/ldap: Fix bug causing schema and password_policy to be overwritten in config. [[GH-22331](https://github.com/hashicorp/vault/pull/22331)]
-* secrets/transform (enterprise): Tidy operations will be re-scheduled at a minimum of every minute, not a maximum of every minute
-* ui: Fix blank page or ghost secret when canceling KV secret create [[GH-22541](https://github.com/hashicorp/vault/pull/22541)]
-* ui: fixes `max_versions` default for secret metadata unintentionally overriding kv engine defaults [[GH-22394](https://github.com/hashicorp/vault/pull/22394)]
-* ui: fixes model defaults overwriting input value when user tries to clear form input [[GH-22458](https://github.com/hashicorp/vault/pull/22458)]
-
-## 1.13.8
-### September 27, 2023
-
-SECURITY:
-
-* sentinel (enterprise): Sentinel RGP policies allowed for cross-namespace denial-of-service. This vulnerability, CVE-2023-3775, is fixed in Vault Enterprise 1.15.0, 1.14.4, and 1.13.8. [[HSEC-2023-29](https://discuss.hashicorp.com/t/hcsec-2023-29-vault-enterprise-s-sentinel-rgp-policies-allowed-for-cross-namespace-denial-of-service/58653)]
-
-CHANGES:
-
-* core (enterprise): Ensure Role Governing Policies are only applied down the namespace hierarchy
-
-IMPROVEMENTS:
-
-* ui: Added allowed_domains_template field for CA type role in SSH engine [[GH-23119](https://github.com/hashicorp/vault/pull/23119)]
-
-BUG FIXES:
-
-* core: Fixes list password policy to include those with names containing / characters. [[GH-23155](https://github.com/hashicorp/vault/pull/23155)]
-* secrets/pki: Fix removal of issuers to clean up unreferenced CRLs. [[GH-23007](https://github.com/hashicorp/vault/pull/23007)]
-* ui (enterprise): Fix error message when generating SSH credential with control group [[GH-23025](https://github.com/hashicorp/vault/pull/23025)]
-* ui: Fixes old pki's filter and search roles page bug [[GH-22810](https://github.com/hashicorp/vault/pull/22810)]
-* ui: don't exclude features present on license [[GH-22855](https://github.com/hashicorp/vault/pull/22855)]
-  
-## 1.13.7
-### September 13, 2023
-
-SECURITY:
-
-* secrets/transit: fix a regression that was honoring nonces provided in non-convergent modes during encryption. This vulnerability, CVE-2023-4680, is fixed in Vault 1.14.3, 1.13.7, and 1.12.11. [[GH-22852](https://github.com/hashicorp/vault/pull/22852), [HSEC-2023-28](https://discuss.hashicorp.com/t/hcsec-2023-28-vault-s-transit-secrets-engine-allowed-nonce-specified-without-convergent-encryption/58249)]
-
-CHANGES:
-
-* core: Bump Go version to 1.20.8.
-* database/snowflake: Update plugin to v0.7.3 [[GH-22591](https://github.com/hashicorp/vault/pull/22591)]
-
-FEATURES:
-
-* ** Merkle Tree Corruption Detection (enterprise) **: Add a new endpoint to check merkle tree corruption.
-
-IMPROVEMENTS:
-
-* auth/ldap: improved login speed by adding concurrency to LDAP token group searches [[GH-22659](https://github.com/hashicorp/vault/pull/22659)]
-* core/quotas: Add configuration to allow skipping of expensive role calculations [[GH-22651](https://github.com/hashicorp/vault/pull/22651)]
-* kmip (enterprise): reduce latency of KMIP operation handling
-
-BUG FIXES:
-
-* cli: Fix the CLI failing to return wrapping information for KV PUT and PATCH operations when format is set to `table`. [[GH-22818](https://github.com/hashicorp/vault/pull/22818)]
-* core/quotas: Only perform ResolveRoleOperation for role-based quotas and lease creation. [[GH-22597](https://github.com/hashicorp/vault/pull/22597)]
-* core/quotas: Reduce overhead for role calculation when using cloud auth methods. [[GH-22583](https://github.com/hashicorp/vault/pull/22583)]
-* core/seal: add a workaround for potential connection [[hangs](https://github.com/Azure/azure-sdk-for-go/issues/21346)] in Azure autoseals. [[GH-22760](https://github.com/hashicorp/vault/pull/22760)]
-* core: All subloggers now reflect configured log level on reload. [[GH-22038](https://github.com/hashicorp/vault/pull/22038)]
-* kmip (enterprise): fix date handling error with some re-key operations
-* raft/autopilot: Add dr-token flag for raft autopilot cli commands [[GH-21165](https://github.com/hashicorp/vault/pull/21165)]
-* replication (enterprise): Fix discovery of bad primary cluster addresses to be more reliable
-
-## 1.13.6
-### August 30, 2023
-
-CHANGES:
-
-* core: Bump Go version to 1.20.7.
-
-IMPROVEMENTS:
-
-* core: Log rollback manager failures during unmount, remount to prevent replication failures on secondary clusters. [[GH-22235](https://github.com/hashicorp/vault/pull/22235)]
-* replication (enterprise): Make reindex less disruptive by allowing writes during the flush phase.
-* secrets/database: Improves error logging for static role rotations by including the database and role names. [[GH-22253](https://github.com/hashicorp/vault/pull/22253)]
-* storage/raft: Cap the minimum dead_server_last_contact_threshold to 1m. [[GH-22040](https://github.com/hashicorp/vault/pull/22040)]
-* ui: KV View Secret card will link to list view if input ends in "/" [[GH-22502](https://github.com/hashicorp/vault/pull/22502)]
-* ui: enables create and update KV secret workflow when control group present [[GH-22471](https://github.com/hashicorp/vault/pull/22471)]
-
-BUG FIXES:
-
-* activity (enterprise): Fix misattribution of entities to no or child namespace auth methods [[GH-18809](https://github.com/hashicorp/vault/pull/18809)]
-* api: Fix breakage with UNIX domain socket addresses introduced by newest Go versions as a security fix. [[GH-22523](https://github.com/hashicorp/vault/pull/22523)]
-* core (enterprise): Remove MFA Configuration for namespace when deleting namespace
-* core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context.
-Also fix a related potential deadlock. [[GH-21110](https://github.com/hashicorp/vault/pull/21110)]
-* core:  Remove "expiration manager is nil on tokenstore" error log for unauth requests on DR secondary as they do not have expiration manager. [[GH-22137](https://github.com/hashicorp/vault/pull/22137)]
-* core: Fix bug where background thread to update locked user entries runs on DR secondaries. [[GH-22355](https://github.com/hashicorp/vault/pull/22355)]
-* core: Fix readonly errors that could occur while loading mounts/auths during unseal [[GH-22362](https://github.com/hashicorp/vault/pull/22362)]
-* core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [[GH-21470](https://github.com/hashicorp/vault/pull/21470)]
-* expiration: Fix a deadlock that could occur when a revocation failure happens while restoring leases on startup. [[GH-22374](https://github.com/hashicorp/vault/pull/22374)]
-* license: Add autoloaded license path to the cache exempt list. This is to ensure the license changes on the active node is observed on the perfStandby node. [[GH-22363](https://github.com/hashicorp/vault/pull/22363)]
-* replication (enterprise): Fix bug sync invalidate CoreReplicatedClusterInfoPath
-* replication (enterprise): Fix panic when update-primary was called on demoted clusters using update_primary_addrs
-* replication (enterprise): Fixing a bug by which the atomicity of a merkle diff result could be affected. This means it could be a source of a merkle-diff & sync process failing to switch into stream-wal mode afterwards.
-* sdk/ldaputil: Properly escape user filters when using UPN domains
-sdk/ldaputil: use EscapeLDAPValue implementation from cap/ldap [[GH-22249](https://github.com/hashicorp/vault/pull/22249)]
-* secrets/ldap: Fix bug causing schema and password_policy to be overwritten in config. [[GH-22331](https://github.com/hashicorp/vault/pull/22331)]
-* secrets/transform (enterprise): Tidy operations will be re-scheduled at a minimum of every minute, not a maximum of every minute
-* ui: Fix blank page or ghost secret when canceling KV secret create [[GH-22541](https://github.com/hashicorp/vault/pull/22541)]
-* ui: fixes `max_versions` default for secret metadata unintentionally overriding kv engine defaults [[GH-22394](https://github.com/hashicorp/vault/pull/22394)]
-* ui: fixes model defaults overwriting input value when user tries to clear form input [[GH-22458](https://github.com/hashicorp/vault/pull/22458)]
-
-## 1.13.5
-### July 25, 2023
-
-SECURITY:
-
-* auth/ldap: Normalize HTTP response codes when invalid credentials are provided to prevent user enumeration. This vulnerability, CVE-2023-3462, is fixed in Vault 1.14.1 and 1.13.5. [[GH-21282](https://github.com/hashicorp/vault/pull/21282), [HSEC-2023-24](https://discuss.hashicorp.com/t/hcsec-2023-24-vaults-ldap-auth-method-allows-for-user-enumeration/56714)]
-* core/namespace (enterprise): An unhandled error in Vault Enterprise’s namespace creation may cause the Vault process to crash, potentially resulting in denial of service. This vulnerability, CVE-2023-3774, is fixed in Vault Enterprise 1.14.1, 1.13.5, and 1.12.9. [[HSEC_2023-23](https://discuss.hashicorp.com/t/hcsec-2023-23-vault-enterprise-namespace-creation-may-lead-to-denial-of-service/56617)]
-
-CHANGES:
-
-* core/namespace (enterprise): Introduce the concept of high-privilege namespace (administrative namespace),
-which will have access to some system backend paths that were previously only accessible in the root namespace. [[GH-21215](https://github.com/hashicorp/vault/pull/21215)]
-* secrets/transform (enterprise): Enforce a transformation role's max_ttl setting on encode requests, a warning will be returned if max_ttl was applied.
-
-IMPROVEMENTS:
-
-* core/fips: Add RPM, DEB packages of FIPS 140-2 and HSM+FIPS 140-2 Vault Enterprise.
-* core: Add a new periodic metric to track the number of available policies, `vault.policy.configured.count`. [[GH-21010](https://github.com/hashicorp/vault/pull/21010)]
-* replication (enterprise): Avoid logging warning if request is forwarded from a performance standby and not a performance secondary
-* secrets/transform (enterprise): Switch to pgx PostgreSQL driver for better timeout handling
-* sys/metrics (enterprise): Adds a gauge metric that tracks whether enterprise builtin secret plugins are enabled. [[GH-21681](https://github.com/hashicorp/vault/pull/21681)]
-
-BUG FIXES:
-
-* auth/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [[GH-21799](https://github.com/hashicorp/vault/pull/21799)]
-* core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [[GH-24170](https://github.com/hashicorp/vault/pull/24170)]
-* identity: Remove caseSensitivityKey to prevent errors while loading groups which could result in missing groups in memDB when duplicates are found. [[GH-20965](https://github.com/hashicorp/vault/pull/20965)]
-* replication (enterprise): update primary cluster address after DR failover
-* secrets/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [[GH-21632](https://github.com/hashicorp/vault/pull/21632)]
-* secrets/pki: Prevent deleted issuers from reappearing when migrating from a version 1 bundle to a version 2 bundle (versions including 1.13.0, 1.12.2, and 1.11.6); when managed keys were removed but referenced in the Vault 1.10 legacy CA bundle, this the error: `no managed key found with uuid`. [[GH-21316](https://github.com/hashicorp/vault/pull/21316)]
-* secrets/pki: Support setting both maintain_stored_certificate_counts=false and publish_stored_certificate_count_metrics=false explicitly in tidy config. [[GH-20664](https://github.com/hashicorp/vault/pull/20664)]
-* secrets/transform (enterprise): Fix nil panic when deleting a template with tokenization transformations present
-* secrets/transform (enterprise): Grab shared locks for various read operations, only escalating to write locks if work is required
-* serviceregistration: Fix bug where multiple nodes in a secondary cluster could be labelled active after updating the cluster's primary [[GH-21642](https://github.com/hashicorp/vault/pull/21642)]
-* ui: Fixed an issue where editing an SSH role would clear `default_critical_options` and `default_extension` if left unchanged. [[GH-21739](https://github.com/hashicorp/vault/pull/21739)]
-* ui: Surface DOMException error when browser settings prevent localStorage. [[GH-21503](https://github.com/hashicorp/vault/pull/21503)]
-
-## 1.13.4
-### June 21, 2023
-BREAKING CHANGES:
-
-* secrets/pki: Maintaining running count of certificates will be turned off by default.
-To re-enable keeping these metrics available on the tidy status endpoint, enable
-maintain_stored_certificate_counts on tidy-config, to also publish them to the
-metrics consumer, enable publish_stored_certificate_count_metrics . [[GH-18186](https://github.com/hashicorp/vault/pull/18186)]
-
-CHANGES:
-
-* core: Bump Go version to 1.20.5.
-
-FEATURES:
-
-* **Automated License Utilization Reporting**: Added automated license
-utilization reporting, which sends minimal product-license [metering
-data](https://developer.hashicorp.com/vault/docs/enterprise/license/utilization-reporting)
-to HashiCorp without requiring you to manually collect and report them.
-* core (enterprise): Add background worker for automatic reporting of billing
-information. [[GH-19625](https://github.com/hashicorp/vault/pull/19625)]
-
-IMPROVEMENTS:
-
-* api: GET ... /sys/internal/counters/activity?current_billing_period=true now
-results in a response which contains the full billing period [[GH-20694](https://github.com/hashicorp/vault/pull/20694)]
-* api: `/sys/internal/counters/config` endpoint now contains read-only
-`minimum_retention_months`. [[GH-20150](https://github.com/hashicorp/vault/pull/20150)]
-* api: `/sys/internal/counters/config` endpoint now contains read-only
-`reporting_enabled` and `billing_start_timestamp` fields. [[GH-20086](https://github.com/hashicorp/vault/pull/20086)]
-* core (enterprise): add configuration for license reporting [[GH-19891](https://github.com/hashicorp/vault/pull/19891)]
-* core (enterprise): license updates trigger a reload of reporting and the activity log [[GH-20680](https://github.com/hashicorp/vault/pull/20680)]
-* core (enterprise): support reloading configuration for automated reporting via SIGHUP [[GH-20680](https://github.com/hashicorp/vault/pull/20680)]
-* core (enterprise): vault server command now allows for opt-out of automated
-reporting via the `OPTOUT_LICENSE_REPORTING` environment variable. [[GH-3939](https://github.com/hashicorp/vault/pull/3939)]
-* core/activity: error when attempting to update retention configuration below the minimum [[GH-20078](https://github.com/hashicorp/vault/pull/20078)]
-* core/activity: refactor the activity log's generation of precomputed queries [[GH-20073](https://github.com/hashicorp/vault/pull/20073)]
-* ui: updates clients configuration edit form state based on census reporting configuration [[GH-20125](https://github.com/hashicorp/vault/pull/20125)]
-
-BUG FIXES:
-
-* agent: Fix bug with 'cache' stanza validation [[GH-20934](https://github.com/hashicorp/vault/pull/20934)]
-* core (enterprise): Don't delete backend stored data that appears to be filterable
-on this secondary if we don't have a corresponding mount entry.
-* core: Change where we evaluate filtered paths as part of mount operations; this is part of an enterprise bugfix that will
-have its own changelog entry.  Fix wrong lock used in ListAuths link meta interface implementation. [[GH-21260](https://github.com/hashicorp/vault/pull/21260)]
-* core: Do not cache seal configuration to fix a bug that resulted in sporadic auto unseal failures. [[GH-21223](https://github.com/hashicorp/vault/pull/21223)]
-* core: Don't exit just because we think there's a potential deadlock. [[GH-21342](https://github.com/hashicorp/vault/pull/21342)]
-* core: Fix panic in sealed nodes using raft storage trying to emit raft metrics [[GH-21249](https://github.com/hashicorp/vault/pull/21249)]
-* identity: Fixes duplicate groups creation with the same name but unique IDs. [[GH-20964](https://github.com/hashicorp/vault/pull/20964)]
-* replication (enterprise): Fix a race condition with update-primary that could result in data loss after a DR failover
-* replication (enterprise): Fix path filters deleting data right after it's written by backend Initialize funcs
-* replication (enterprise): Fix regression causing token creation against a role
-with a new entity alias to be incorrectly forwarded from perf standbys. [[GH-21100](https://github.com/hashicorp/vault/pull/21100)]
-* storage/raft: Fix race where new follower joining can get pruned by dead server cleanup. [[GH-20986](https://github.com/hashicorp/vault/pull/20986)]
-
-## 1.13.3
-### June 08, 2023
-
-CHANGES:
-
-* core: Bump Go version to 1.20.4.
-* core: Revert #19676 (VAULT_GRPC_MIN_CONNECT_TIMEOUT env var) as we decided it was unnecessary. [[GH-20826](https://github.com/hashicorp/vault/pull/20826)]
-* replication (enterprise): Add a new parameter for the update-primary API call
-that allows for setting of the primary cluster addresses directly, instead of
-via a token.
-* storage/aerospike: Aerospike storage shouldn't be used on 32-bit architectures and is now unsupported on them. [[GH-20825](https://github.com/hashicorp/vault/pull/20825)]
-
-IMPROVEMENTS:
-
-* Add debug symbols back to builds to fix Dynatrace support [[GH-20519](https://github.com/hashicorp/vault/pull/20519)]
-* audit: add a `mount_point` field to audit requests and response entries [[GH-20411](https://github.com/hashicorp/vault/pull/20411)]
-* autopilot: Update version to v0.2.0 to add better support for respecting min quorum [[GH-19472](https://github.com/hashicorp/vault/pull/19472)]
-* command/server: Add support for dumping pprof files to the filesystem via SIGUSR2 when
-`VAULT_PPROF_WRITE_TO_FILE=true` is set on the server. [[GH-20609](https://github.com/hashicorp/vault/pull/20609)]
-* core: Add possibility to decode a generated encoded root token via the rest API [[GH-20595](https://github.com/hashicorp/vault/pull/20595)]
-* core: include namespace path in granting_policies block of audit log
-* core: report intermediate error messages during request forwarding [[GH-20643](https://github.com/hashicorp/vault/pull/20643)]
-* openapi: Fix generated types for duration strings [[GH-20841](https://github.com/hashicorp/vault/pull/20841)]
-* sdk/framework: Fix non-deterministic ordering of 'required' fields in OpenAPI spec [[GH-20881](https://github.com/hashicorp/vault/pull/20881)]
-* secrets/pki: add subject key identifier to read key response [[GH-20642](https://github.com/hashicorp/vault/pull/20642)]
-
-BUG FIXES:
-
-* api: Properly Handle nil identity_policies in Secret Data [[GH-20636](https://github.com/hashicorp/vault/pull/20636)]
-* auth/ldap: Set default value for `max_page_size` properly [[GH-20453](https://github.com/hashicorp/vault/pull/20453)]
-* cli: CLI should take days as a unit of time for ttl like flags [[GH-20477](https://github.com/hashicorp/vault/pull/20477)]
-* cli: disable printing flags warnings messages for the ssh command [[GH-20502](https://github.com/hashicorp/vault/pull/20502)]
-* command/server: fixes panic in Vault server command when running in recovery mode [[GH-20418](https://github.com/hashicorp/vault/pull/20418)]
-* core (enterprise): Fix log shipper buffer size overflow issue for 32 bit architecture.
-* core (enterprise): Fix logshipper buffer size to default to DefaultBufferSize only when reported system memory is zero.
-* core (enterprise): Remove MFA Enforcment configuration for namespace when deleting namespace
-* core/identity: Allow updates of only the custom-metadata for entity alias. [[GH-20368](https://github.com/hashicorp/vault/pull/20368)]
-* core: Fix Forwarded Writer construction to correctly find active nodes, allowing PKI cross-cluster functionality to succeed on existing mounts.
-* core: Fix writes to readonly storage on performance standbys when user lockout feature is enabled. [[GH-20783](https://github.com/hashicorp/vault/pull/20783)]
-* core: prevent panic on login after namespace is deleted that had mfa enforcement [[GH-20375](https://github.com/hashicorp/vault/pull/20375)]
-* replication (enterprise): Fix a race condition with invalid tokens during WAL streaming that was causing Secondary clusters to be unable to connect to a Primary.
-* replication (enterprise): fix bug where secondary grpc connections would timeout when connecting to a primary host that no longer exists.
-* secrets/pki: Include per-issuer enable_aia_url_templating in issuer read endpoint. [[GH-20354](https://github.com/hashicorp/vault/pull/20354)]
-* secrets/transform (enterprise): Fix a caching bug affecting secondary nodes after a tokenization key rotation
-* secrets/transform: Added importing of keys and key versions into the Transform secrets engine using the command 'vault transform import' and 'vault transform import-version'. [[GH-20668](https://github.com/hashicorp/vault/pull/20668)]
-* secrets/transit: Fix export of HMAC-only key, correctly exporting the key used for sign operations. For consumers of the previously incorrect key, use the plaintext export to retrieve these incorrect keys and import them as new versions.
-secrets/transit: Fix bug related to shorter dedicated HMAC key sizing.
-sdk/helper/keysutil: New HMAC type policies will have HMACKey equal to Key and be copied over on import. [[GH-20864](https://github.com/hashicorp/vault/pull/20864)]
-* ui: Fixes issue unsealing cluster for seal types other than shamir [[GH-20897](https://github.com/hashicorp/vault/pull/20897)]
-* ui: fixes issue creating mfa login enforcement from method enforcements tab [[GH-20603](https://github.com/hashicorp/vault/pull/20603)]
-* ui: fixes key_bits and signature_bits reverting to default values when editing a pki role [[GH-20907](https://github.com/hashicorp/vault/pull/20907)]
-
-## 1.13.2
-### April 26, 2023
-
-CHANGES:
-
-* core: Bump Go version to 1.20.3.
-
-SECURITY:
-
-* core/seal: Fix handling of HMACing of seal-wrapped storage entries from HSMs using CKM_AES_CBC or CKM_AES_CBC_PAD which may have allowed an attacker to conduct a padding oracle attack. This vulnerability, CVE-2023-2197, affects Vault from 1.13.0 up to 1.13.1 and was fixed in 1.13.2. [[HCSEC-2023-14](https://discuss.hashicorp.com/t/hcsec-2023-14-vault-enterprise-vulnerable-to-padding-oracle-attacks-when-using-a-cbc-based-encryption-mechanism-with-a-hsm/53322)]
-
-IMPROVEMENTS:
-
-* Add debug symbols back to builds to fix Dynatrace support [[GH-20294](https://github.com/hashicorp/vault/pull/20294)]
-* cli/namespace: Add detailed flag to output additional namespace information
-such as namespace IDs and custom metadata. [[GH-20243](https://github.com/hashicorp/vault/pull/20243)]
-* core/activity: add an endpoint to write test activity log data, guarded by a build flag [[GH-20019](https://github.com/hashicorp/vault/pull/20019)]
-* core: Add a `raft` sub-field to the `storage` and `ha_storage` details provided by the
-`/sys/config/state/sanitized` endpoint in order to include the `max_entry_size`. [[GH-20044](https://github.com/hashicorp/vault/pull/20044)]
-* core: include reason for ErrReadOnly on PBPWF writing failures
-* sdk/ldaputil: added `connection_timeout` to tune connection timeout duration
-for all LDAP plugins. [[GH-20144](https://github.com/hashicorp/vault/pull/20144)]
-* secrets/pki: Decrease size and improve compatibility of OCSP responses by removing issuer certificate. [[GH-20201](https://github.com/hashicorp/vault/pull/20201)]
-* sys/wrapping: Add example how to unwrap without authentication in Vault [[GH-20109](https://github.com/hashicorp/vault/pull/20109)]
-* ui: Allows license-banners to be dismissed. Saves preferences in localStorage. [[GH-19116](https://github.com/hashicorp/vault/pull/19116)]
-
-BUG FIXES:
-
-* auth/ldap: Add max_page_size configurable to LDAP configuration [[GH-19032](https://github.com/hashicorp/vault/pull/19032)]
-* command/server: Fix incorrect paths in generated config for `-dev-tls` flag on Windows [[GH-20257](https://github.com/hashicorp/vault/pull/20257)]
-* core (enterprise): Fix intermittent issue with token entries sometimes not being found when using a newly created token in a request to a secondary, even when SSCT `new_token` forwarding is set. When this occurred, this would result in the following error to the client: `error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue`.
-* core (enterprise): Fix read on perf standbys failing with 412 after leadership change, unseal, restores or restarts when no writes occur
-* core/ssct (enterprise): Fixed race condition where a newly promoted DR may revert `sscGenCounter`
-resulting in 412 errors.
-* core: Fix regression breaking non-raft clusters whose nodes share the same cluster_addr/api_addr. [[GH-19721](https://github.com/hashicorp/vault/pull/19721)]
-* helper/random: Fix race condition in string generator helper [[GH-19875](https://github.com/hashicorp/vault/pull/19875)]
-* kmip (enterprise): Fix a problem decrypting with keys that have no Process Start Date attribute.
-* pki: Fix automatically turning off CRL signing on upgrade to Vault >= 1.12, if CA Key Usage disallows it [[GH-20220](https://github.com/hashicorp/vault/pull/20220)]
-* replication (enterprise): Fix a caching issue when replicating filtered data to
-a performance secondary. This resulted in the data being set to nil in the cache
-and a "invalid value" error being returned from the API.
-* replication (enterprise): Fix replication status for Primary clusters showing its primary cluster's information (in case of DR) in secondaries field when known_secondaries field is nil
-* sdk/helper/ocsp: Workaround bug in Go's ocsp.ParseResponse(...), causing validation to fail with embedded CA certificates.
-auth/cert: Fix OCSP validation against Vault's PKI engine. [[GH-20181](https://github.com/hashicorp/vault/pull/20181)]
-* secrets/aws: Revert changes that removed the lease on STS credentials, while leaving the new ttl field in place. [[GH-20034](https://github.com/hashicorp/vault/pull/20034)]
-* secrets/pki: Ensure cross-cluster delta WAL write failure only logs to avoid unattended forwarding. [[GH-20057](https://github.com/hashicorp/vault/pull/20057)]
-* secrets/pki: Fix building of unified delta CRLs and recovery during unified delta WAL write failures. [[GH-20058](https://github.com/hashicorp/vault/pull/20058)]
-* secrets/pki: Fix patching of leaf_not_after_behavior on issuers. [[GH-20341](https://github.com/hashicorp/vault/pull/20341)]
-* secrets/transform (enterprise): Address SQL connection leak when cleaning expired tokens
-* ui: Fix OIDC provider logo showing when domain doesn't match [[GH-20263](https://github.com/hashicorp/vault/pull/20263)]
-* ui: Fix bad link to namespace when namespace name includes `.` [[GH-19799](https://github.com/hashicorp/vault/pull/19799)]
-* ui: fixes browser console formatting for help command output [[GH-20064](https://github.com/hashicorp/vault/pull/20064)]
-* ui: fixes remaining doc links to include /vault in path [[GH-20070](https://github.com/hashicorp/vault/pull/20070)]
-* ui: remove use of htmlSafe except when first sanitized [[GH-20235](https://github.com/hashicorp/vault/pull/20235)]
-* website/docs: Fix Kubernetes Auth Code Example to use the correct whitespace in import. [[GH-20216](https://github.com/hashicorp/vault/pull/20216)]
-
-## 1.13.1
-### March 29, 2023
-
-SECURITY:
-
-* storage/mssql: When using Vault’s community-supported Microsoft SQL (MSSQL) database storage backend, a privileged attacker with the ability to write arbitrary data to Vault’s configuration may be able to perform arbitrary SQL commands on the underlying database server through Vault. This vulnerability, CVE-2023-0620, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [[HCSEC-2023-12](https://discuss.hashicorp.com/t/hcsec-2023-12-vault-s-microsoft-sql-database-storage-backend-vulnerable-to-sql-injection-via-configuration-file/52080)]
-* secrets/pki: Vault’s PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate issuance. This vulnerability, CVE-2023-0665, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [[HCSEC-2023-11](https://discuss.hashicorp.com/t/hcsec-2023-11-vault-s-pki-issuer-endpoint-did-not-correctly-authorize-access-to-issuer-metadata/52079)]
-* core: HashiCorp Vault’s implementation of Shamir’s secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares. This vulnerability, CVE-2023-25000, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [[HCSEC-2023-10](https://discuss.hashicorp.com/t/hcsec-2023-10-vault-vulnerable-to-cache-timing-attacks-during-seal-and-unseal-operations/52078)]
-
-IMPROVEMENTS:
-
-* auth/github: Allow for an optional Github auth token environment variable to make authenticated requests when fetching org id
-website/docs: Add docs for `VAULT_AUTH_CONFIG_GITHUB_TOKEN` environment variable when writing Github config [[GH-19244](https://github.com/hashicorp/vault/pull/19244)]
-* core: Allow overriding gRPC connect timeout via VAULT_GRPC_MIN_CONNECT_TIMEOUT. This is an env var rather than a config setting because we don't expect this to ever be needed.  It's being added as a last-ditch
-option in case all else fails for some replication issues we may not have fully reproduced. [[GH-19676](https://github.com/hashicorp/vault/pull/19676)]
-* core: validate name identifiers in mssql physical storage backend prior use [[GH-19591](https://github.com/hashicorp/vault/pull/19591)]
-* database/elasticsearch: Update error messages resulting from Elasticsearch API errors [[GH-19545](https://github.com/hashicorp/vault/pull/19545)]
-* events: Suppress log warnings triggered when events are sent but the events system is not enabled. [[GH-19593](https://github.com/hashicorp/vault/pull/19593)]
-
-BUG FIXES:
-
-* agent: Fix panic when SIGHUP is issued to Agent while it has a non-TLS listener. [[GH-19483](https://github.com/hashicorp/vault/pull/19483)]
-* core (enterprise): Attempt to reconnect to a PKCS#11 HSM if we retrieve a CKR_FUNCTION_FAILED error.
-* core: Fixed issue with remounting mounts that have a non-trailing space in the 'to' or 'from' paths. [[GH-19585](https://github.com/hashicorp/vault/pull/19585)]
-* kmip (enterprise): Do not require attribute Cryptographic Usage Mask when registering Secret Data managed objects.
-* kmip (enterprise): Fix a problem forwarding some requests to the active node.
-* openapi: Fix logic for labeling unauthenticated/sudo paths. [[GH-19600](https://github.com/hashicorp/vault/pull/19600)]
-* secrets/ldap: Invalidates WAL entry for static role if `password_policy` has changed. [[GH-19640](https://github.com/hashicorp/vault/pull/19640)]
-* secrets/pki: Fix PKI revocation request forwarding from standby nodes due to an error wrapping bug [[GH-19624](https://github.com/hashicorp/vault/pull/19624)]
-* secrets/transform (enterprise): Fix persistence problem with rotated tokenization key versions
-* ui: Fixes crypto.randomUUID error in unsecure contexts from third party ember-data library [[GH-19428](https://github.com/hashicorp/vault/pull/19428)]
-* ui: fixes SSH engine config deletion [[GH-19448](https://github.com/hashicorp/vault/pull/19448)]
-* ui: fixes issue navigating back a level using the breadcrumb from secret metadata view [[GH-19703](https://github.com/hashicorp/vault/pull/19703)]
-* ui: fixes oidc tabs in auth form submitting with the root's default_role value after a namespace has been inputted [[GH-19541](https://github.com/hashicorp/vault/pull/19541)]
-* ui: pass encodeBase64 param to HMAC transit-key-actions. [[GH-19429](https://github.com/hashicorp/vault/pull/19429)]
-* ui: use URLSearchParams interface to capture namespace param from SSOs (ex. ADFS) with decoded state param in callback url [[GH-19460](https://github.com/hashicorp/vault/pull/19460)]
-
-## 1.13.0
-### March 01, 2023
-
-SECURITY:
-
-* secrets/ssh: removal of the deprecated dynamic keys mode. **When any remaining dynamic key leases expire**, an error stating `secret is unsupported by this backend` will be thrown by the lease manager. [[GH-18874](https://github.com/hashicorp/vault/pull/18874)]
-* auth/approle: When using the Vault and Vault Enterprise (Vault) approle auth method, any authenticated user with access to the /auth/approle/role/:role_name/secret-id-accessor/destroy endpoint can destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability, CVE-2023-24999 has been fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above. [[HSEC-2023-07](https://discuss.hashicorp.com/t/hcsec-2023-07-vault-fails-to-verify-if-approle-secretid-belongs-to-role-during-a-destroy-operation/51305)]
-
-CHANGES:
-
-* auth/alicloud: require the `role` field on login [[GH-19005](https://github.com/hashicorp/vault/pull/19005)]
-* auth/approle: Add maximum length of 4096 for approle role_names, as this value results in HMAC calculation [[GH-17768](https://github.com/hashicorp/vault/pull/17768)]
-* auth: Returns invalid credentials for ldap, userpass and approle when wrong credentials are provided for existent users.
-This will only be used internally for implementing user lockout. [[GH-17104](https://github.com/hashicorp/vault/pull/17104)]
-* core: Bump Go version to 1.20.1.
-* core: Vault version has been moved out of sdk and into main vault module.
-Plugins using sdk/useragent.String must instead use sdk/useragent.PluginString. [[GH-14229](https://github.com/hashicorp/vault/pull/14229)]
-* logging: Removed legacy environment variable for log format ('LOGXI_FORMAT'), should use 'VAULT_LOG_FORMAT' instead [[GH-17822](https://github.com/hashicorp/vault/pull/17822)]
-* plugins: Mounts can no longer be pinned to a specific _builtin_ version. Mounts previously pinned to a specific builtin version will now automatically upgrade to the latest builtin version, and may now be overridden if an unversioned plugin of the same name and type is registered. Mounts using plugin versions without `builtin` in their metadata remain unaffected. [[GH-18051](https://github.com/hashicorp/vault/pull/18051)]
-* plugins: `GET /database/config/:name` endpoint now returns an additional `plugin_version` field in the response data. [[GH-16982](https://github.com/hashicorp/vault/pull/16982)]
-* plugins: `GET /sys/auth/:path/tune` and `GET /sys/mounts/:path/tune` endpoints may now return an additional `plugin_version` field in the response data if set. [[GH-17167](https://github.com/hashicorp/vault/pull/17167)]
-* plugins: `GET` for `/sys/auth`, `/sys/auth/:path`, `/sys/mounts`, and `/sys/mounts/:path` paths now return additional `plugin_version`, `running_plugin_version` and `running_sha256` fields in the response data for each mount. [[GH-17167](https://github.com/hashicorp/vault/pull/17167)]
-* sdk: Remove version package, make useragent.String versionless. [[GH-19068](https://github.com/hashicorp/vault/pull/19068)]
-* secrets/aws: do not create leases for non-renewable/non-revocable STS credentials to reduce storage calls [[GH-15869](https://github.com/hashicorp/vault/pull/15869)]
-* secrets/gcpkms: Updated plugin from v0.13.0 to v0.14.0 [[GH-19063](https://github.com/hashicorp/vault/pull/19063)]
-* sys/internal/inspect: Turns of this endpoint by default. A SIGHUP can now be used to reload the configs and turns this endpoint on.
-* ui: Upgrade Ember to version 4.4.0 [[GH-17086](https://github.com/hashicorp/vault/pull/17086)]
-
-FEATURES:
-
-* **User lockout**: Ignore repeated bad credentials from the same user for a configured period of time. Enabled by default.
-* **Azure Auth Managed Identities**: Allow any Azure resource that supports managed identities to authenticate with Vault [[GH-19077](https://github.com/hashicorp/vault/pull/19077)]
-* **Azure Auth Rotate Root**: Add support for rotate root in Azure Auth engine [[GH-19077](https://github.com/hashicorp/vault/pull/19077)]
-* **Event System (Alpha)**: Vault has a new opt-in experimental event system. Not yet suitable for production use. Events are currently only generated on writes to the KV secrets engine, but external plugins can also be updated to start generating events. [[GH-19194](https://github.com/hashicorp/vault/pull/19194)]
-* **GCP Secrets Impersonated Account Support**: Add support for GCP service account impersonation, allowing callers to generate a GCP access token without requiring Vault to store or retrieve a GCP service account key for each role. [[GH-19018](https://github.com/hashicorp/vault/pull/19018)]
-* **Kubernetes Secrets Engine UI**: Kubernetes is now available in the UI as a supported secrets engine. [[GH-17893](https://github.com/hashicorp/vault/pull/17893)]
-* **New PKI UI**: Add beta support for new and improved PKI UI [[GH-18842](https://github.com/hashicorp/vault/pull/18842)]
-* **PKI Cross-Cluster Revocations**: Revocation information can now be
-synchronized across primary and performance replica clusters offering
-a unified CRL/OCSP view of revocations across cluster boundaries. [[GH-19196](https://github.com/hashicorp/vault/pull/19196)]
-* **Server UDS Listener**: Adding listener to Vault server to serve http request via unix domain socket [[GH-18227](https://github.com/hashicorp/vault/pull/18227)]
-* **Transit managed keys**: The transit secrets engine now supports configuring and using managed keys
-* **User Lockout**: Adds support to configure the user-lockout behaviour for failed logins to prevent
-brute force attacks for userpass, approle and ldap auth methods. [[GH-19230](https://github.com/hashicorp/vault/pull/19230)]
-* **VMSS Flex Authentication**: Adds support for Virtual Machine Scale Set Flex Authentication [[GH-19077](https://github.com/hashicorp/vault/pull/19077)]
-* **Namespaces (enterprise)**: Added the ability to allow access to secrets and more to be shared across namespaces that do not share a namespace hierarchy. Using the new `sys/config/group-policy-application` API, policies can be configured to apply outside of namespace hierarchy, allowing this kind of cross-namespace sharing.
-* **OpenAPI-based Go & .NET Client Libraries (Beta)**: We have now made available two new [[OpenAPI-based Go](https://github.com/hashicorp/vault-client-go/)] & [[OpenAPI-based .NET](https://github.com/hashicorp/vault-client-dotnet/)] Client libraries (beta). You can use them to perform various secret management operations easily from your applications.
-
-IMPROVEMENTS:
-
-* **Redis ElastiCache DB Engine**: Renamed configuration parameters for disambiguation; old parameters still supported for compatibility. [[GH-18752](https://github.com/hashicorp/vault/pull/18752)]
-* Bump github.com/hashicorp/go-plugin version from 1.4.5 to 1.4.8 [[GH-19100](https://github.com/hashicorp/vault/pull/19100)]
-* Reduced binary size [[GH-17678](https://github.com/hashicorp/vault/pull/17678)]
-* agent/config: Allow config directories to be specified with -config, and allow multiple -configs to be supplied. [[GH-18403](https://github.com/hashicorp/vault/pull/18403)]
-* agent: Add note in logs when starting Vault Agent indicating if the version differs to the Vault Server. [[GH-18684](https://github.com/hashicorp/vault/pull/18684)]
-* agent: Added `token_file` auto-auth configuration to allow using a pre-existing token for Vault Agent. [[GH-18740](https://github.com/hashicorp/vault/pull/18740)]
-* agent: Agent listeners can now be to be the `metrics_only` role, serving only metrics, as part of the listener's new top level `role` option. [[GH-18101](https://github.com/hashicorp/vault/pull/18101)]
-* agent: Configured Vault Agent listeners now listen without the need for caching to be configured. [[GH-18137](https://github.com/hashicorp/vault/pull/18137)]
-* agent: allows some parts of config to be reloaded without requiring a restart. [[GH-18638](https://github.com/hashicorp/vault/pull/18638)]
-* agent: fix incorrectly used loop variables in parallel tests and when finalizing seals [[GH-16872](https://github.com/hashicorp/vault/pull/16872)]
-* api: Remove dependency on sdk module. [[GH-18962](https://github.com/hashicorp/vault/pull/18962)]
-* api: Support VAULT_DISABLE_REDIRECTS environment variable (and --disable-redirects flag) to disable default client behavior and prevent the client following any redirection responses. [[GH-17352](https://github.com/hashicorp/vault/pull/17352)]
-* audit: Add `elide_list_responses` option, providing a countermeasure for a common source of oversized audit log entries [[GH-18128](https://github.com/hashicorp/vault/pull/18128)]
-* audit: Include stack trace when audit logging recovers from a panic. [[GH-18121](https://github.com/hashicorp/vault/pull/18121)]
-* auth/alicloud: upgrades dependencies [[GH-18021](https://github.com/hashicorp/vault/pull/18021)]
-* auth/azure: Adds support for authentication with Managed Service Identity (MSI) from a
-Virtual Machine Scale Set (VMSS) in flexible orchestration mode. [[GH-17540](https://github.com/hashicorp/vault/pull/17540)]
-* auth/azure: upgrades dependencies [[GH-17857](https://github.com/hashicorp/vault/pull/17857)]
-* auth/cert: Add configurable support for validating client certs with OCSP. [[GH-17093](https://github.com/hashicorp/vault/pull/17093)]
-* auth/cert: Support listing provisioned CRLs within the mount. [[GH-18043](https://github.com/hashicorp/vault/pull/18043)]
-* auth/cf: Remove incorrect usage of CreateOperation from path_config [[GH-19098](https://github.com/hashicorp/vault/pull/19098)]
-* auth/gcp: Upgrades dependencies [[GH-17858](https://github.com/hashicorp/vault/pull/17858)]
-* auth/oidc: Adds `abort_on_error` parameter to CLI login command to help in non-interactive contexts [[GH-19076](https://github.com/hashicorp/vault/pull/19076)]
-* auth/oidc: Adds ability to set Google Workspace domain for groups search [[GH-19076](https://github.com/hashicorp/vault/pull/19076)]
-* auth/token (enterprise): Allow batch token creation in perfStandby nodes
-* auth: Allow naming login MFA methods and using those names instead of IDs in satisfying MFA requirement for requests.
-Make passcode arguments consistent across login MFA method types. [[GH-18610](https://github.com/hashicorp/vault/pull/18610)]
-* auth: Provide an IP address of the requests from Vault to a Duo challenge after successful authentication. [[GH-18811](https://github.com/hashicorp/vault/pull/18811)]
-* autopilot: Update version to v.0.2.0 to add better support for respecting min quorum
-* cli/kv: improve kv CLI to remove data or custom metadata using kv patch [[GH-18067](https://github.com/hashicorp/vault/pull/18067)]
-* cli/pki: Add List-Intermediates functionality to pki client. [[GH-18463](https://github.com/hashicorp/vault/pull/18463)]
-* cli/pki: Add health-check subcommand to evaluate the health of a PKI instance. [[GH-17750](https://github.com/hashicorp/vault/pull/17750)]
-* cli/pki: Add pki issue command, which creates a CSR, has a vault mount sign it, then reimports it. [[GH-18467](https://github.com/hashicorp/vault/pull/18467)]
-* cli/pki: Added "Reissue" command which allows extracting fields from an existing certificate to create a new certificate. [[GH-18499](https://github.com/hashicorp/vault/pull/18499)]
-* cli/pki: Change the pki health-check --list default config output to JSON so it's a usable configuration file [[GH-19269](https://github.com/hashicorp/vault/pull/19269)]
-* cli: Add support for creating requests to existing non-KVv2 PATCH-capable endpoints. [[GH-17650](https://github.com/hashicorp/vault/pull/17650)]
-* cli: Add transit import key helper commands for BYOK to Transit/Transform. [[GH-18887](https://github.com/hashicorp/vault/pull/18887)]
-* cli: Support the -format=raw option, to read non-JSON Vault endpoints and original response bodies. [[GH-14945](https://github.com/hashicorp/vault/pull/14945)]
-* cli: updated `vault operator rekey` prompts to describe recovery keys when `-target=recovery` [[GH-18892](https://github.com/hashicorp/vault/pull/18892)]
-* client/pki: Add a new command verify-sign which checks the relationship between two certificates. [[GH-18437](https://github.com/hashicorp/vault/pull/18437)]
-* command/server: Environment variable keys are now logged at startup. [[GH-18125](https://github.com/hashicorp/vault/pull/18125)]
-* core/fips: use upstream toolchain for FIPS 140-2 compliance again; this will appear as X=boringcrypto on the Go version in Vault server logs.
-* core/identity: Add machine-readable output to body of response upon alias clash during entity merge [[GH-17459](https://github.com/hashicorp/vault/pull/17459)]
-* core/server: Added an environment variable to write goroutine stacktraces to a
-temporary file for SIGUSR2 signals. [[GH-17929](https://github.com/hashicorp/vault/pull/17929)]
-* core: Add RPCs to read and update userFailedLoginInfo map
-* core: Add experiments system and `events.alpha1` experiment. [[GH-18682](https://github.com/hashicorp/vault/pull/18682)]
-* core: Add read support to `sys/loggers` and `sys/loggers/:name` endpoints [[GH-17979](https://github.com/hashicorp/vault/pull/17979)]
-* core: Add user lockout field to config and configuring this for auth mount using auth tune to prevent brute forcing in auth methods [[GH-17338](https://github.com/hashicorp/vault/pull/17338)]
-* core: Add vault.core.locked_users telemetry metric to emit information about total number of locked users. [[GH-18718](https://github.com/hashicorp/vault/pull/18718)]
-* core: Added sys/locked-users endpoint to list locked users. Changed api endpoint from
-sys/lockedusers/[mount_accessor]/unlock/[alias_identifier] to sys/locked-users/[mount_accessor]/unlock/[alias_identifier]. [[GH-18675](https://github.com/hashicorp/vault/pull/18675)]
-* core: Added sys/lockedusers/[mount_accessor]/unlock/[alias_identifier] endpoint to unlock an user
-with given mount_accessor and alias_identifier if locked [[GH-18279](https://github.com/hashicorp/vault/pull/18279)]
-* core: Added warning to /sys/seal-status and vault status command if potentially dangerous behaviour overrides are being used. [[GH-17855](https://github.com/hashicorp/vault/pull/17855)]
-* core: Implemented background thread to update locked user entries every 15 minutes to prevent brute forcing in auth methods. [[GH-18673](https://github.com/hashicorp/vault/pull/18673)]
-* core: License location is no longer cache exempt, meaning sys/health will not contribute as greatly to storage load when using consul as a storage backend. [[GH-17265](https://github.com/hashicorp/vault/pull/17265)]
-* core: Update protoc from 3.21.5 to 3.21.7 [[GH-17499](https://github.com/hashicorp/vault/pull/17499)]
-* core: add `detect_deadlocks` config to optionally detect core state deadlocks [[GH-18604](https://github.com/hashicorp/vault/pull/18604)]
-* core: added changes for user lockout workflow. [[GH-17951](https://github.com/hashicorp/vault/pull/17951)]
-* core: parallelize backend initialization to improve startup time for large numbers of mounts. [[GH-18244](https://github.com/hashicorp/vault/pull/18244)]
-* database/postgres: Support multiline strings for revocation statements. [[GH-18632](https://github.com/hashicorp/vault/pull/18632)]
-* database/redis-elasticache: changed config argument names for disambiguation [[GH-19044](https://github.com/hashicorp/vault/pull/19044)]
-* database/snowflake: Allow parallel requests to Snowflake [[GH-17593](https://github.com/hashicorp/vault/pull/17593)]
-* hcp/connectivity: Add foundational OSS support for opt-in secure communication between self-managed Vault nodes and [HashiCorp Cloud Platform](https://cloud.hashicorp.com) [[GH-18228](https://github.com/hashicorp/vault/pull/18228)]
-* hcp/connectivity: Include HCP organization, project, and resource ID in server startup logs [[GH-18315](https://github.com/hashicorp/vault/pull/18315)]
-* hcp/connectivity: Only update SCADA session metadata if status changes [[GH-18585](https://github.com/hashicorp/vault/pull/18585)]
-* hcp/status: Add cluster-level status information [[GH-18351](https://github.com/hashicorp/vault/pull/18351)]
-* hcp/status: Expand node-level status information [[GH-18302](https://github.com/hashicorp/vault/pull/18302)]
-* logging: Vault Agent supports logging to a specified file path via environment variable, CLI or config [[GH-17841](https://github.com/hashicorp/vault/pull/17841)]
-* logging: Vault agent and server commands support log file and log rotation. [[GH-18031](https://github.com/hashicorp/vault/pull/18031)]
-* migration: allow parallelization of key migration for `vault operator migrate` in order to speed up a migration. [[GH-18817](https://github.com/hashicorp/vault/pull/18817)]
-* namespaces (enterprise): Add new API, `sys/config/group-policy-application`, to allow group policies to be configurable
-to apply to a group in `any` namespace. The default, `within_namespace_hierarchy`, is the current behaviour.
-* openapi: Add default values to thing_mount_path parameters [[GH-18935](https://github.com/hashicorp/vault/pull/18935)]
-* openapi: Add logic to generate openapi response structures [[GH-18192](https://github.com/hashicorp/vault/pull/18192)]
-* openapi: Add openapi response definitions to approle/path_login.go & approle/path_tidy_user_id.go [[GH-18772](https://github.com/hashicorp/vault/pull/18772)]
-* openapi: Add openapi response definitions to approle/path_role.go [[GH-18198](https://github.com/hashicorp/vault/pull/18198)]
-* openapi: Change gen_openapi.sh to generate schema with generic mount paths [[GH-18934](https://github.com/hashicorp/vault/pull/18934)]
-* openapi: Mark request body objects as required [[GH-17909](https://github.com/hashicorp/vault/pull/17909)]
-* openapi: add openapi response defintions to /sys/audit endpoints [[GH-18456](https://github.com/hashicorp/vault/pull/18456)]
-* openapi: generic_mount_paths: Move implementation fully into server, rather than partially in plugin framework; recognize all 4 singleton mounts (auth/token, cubbyhole, identity, system) rather than just 2; change parameter from `{mountPath}` to `{<type>_mount_path}` [[GH-18663](https://github.com/hashicorp/vault/pull/18663)]
-* plugins: Add plugin version information to key plugin lifecycle log lines. [[GH-17430](https://github.com/hashicorp/vault/pull/17430)]
-* plugins: Allow selecting builtin plugins by their reported semantic version of the form `vX.Y.Z+builtin` or `vX.Y.Z+builtin.vault`. [[GH-17289](https://github.com/hashicorp/vault/pull/17289)]
-* plugins: Let Vault unseal and mount deprecated builtin plugins in a
-deactivated state if this is not the first unseal after an upgrade. [[GH-17879](https://github.com/hashicorp/vault/pull/17879)]
-* plugins: Mark app-id auth method Removed and remove the plugin code. [[GH-18039](https://github.com/hashicorp/vault/pull/18039)]
-* plugins: Mark logical database plugins Removed and remove the plugin code. [[GH-18039](https://github.com/hashicorp/vault/pull/18039)]
-* sdk/ldap: Added support for paging when searching for groups using group filters [[GH-17640](https://github.com/hashicorp/vault/pull/17640)]
-* sdk: Add response schema validation method framework/FieldData.ValidateStrict and two test helpers (ValidateResponse, ValidateResponseData) [[GH-18635](https://github.com/hashicorp/vault/pull/18635)]
-* sdk: Adding FindResponseSchema test helper to assist with response schema validation in tests [[GH-18636](https://github.com/hashicorp/vault/pull/18636)]
-* secrets/aws: Update dependencies [[PR-17747](https://github.com/hashicorp/vault/pull/17747)] [[GH-17747](https://github.com/hashicorp/vault/pull/17747)]
-* secrets/azure: Adds ability to persist an application for the lifetime of a role. [[GH-19096](https://github.com/hashicorp/vault/pull/19096)]
-* secrets/azure: upgrades dependencies [[GH-17964](https://github.com/hashicorp/vault/pull/17964)]
-* secrets/db/mysql: Add `tls_server_name` and `tls_skip_verify` parameters [[GH-18799](https://github.com/hashicorp/vault/pull/18799)]
-* secrets/gcp: Upgrades dependencies [[GH-17871](https://github.com/hashicorp/vault/pull/17871)]
-* secrets/kubernetes: Add /check endpoint to determine if environment variables are set [[GH-18](https://github.com/hashicorp/vault-plugin-secrets-kubernetes/pull/18)] [[GH-18587](https://github.com/hashicorp/vault/pull/18587)]
-* secrets/kubernetes: add /check endpoint to determine if environment variables are set [[GH-19084](https://github.com/hashicorp/vault/pull/19084)]
-* secrets/kv: Emit events on write if events system enabled [[GH-19145](https://github.com/hashicorp/vault/pull/19145)]
-* secrets/kv: make upgrade synchronous when no keys to upgrade [[GH-19056](https://github.com/hashicorp/vault/pull/19056)]
-* secrets/kv: new KVv2 mounts and KVv1 mounts without any keys will upgrade synchronously, allowing for instant use [[GH-17406](https://github.com/hashicorp/vault/pull/17406)]
-* secrets/pki: Add a new API that returns the serial numbers of revoked certificates on the local cluster [[GH-17779](https://github.com/hashicorp/vault/pull/17779)]
-* secrets/pki: Add support to specify signature bits when generating CSRs through intermediate/generate apis [[GH-17388](https://github.com/hashicorp/vault/pull/17388)]
-* secrets/pki: Added a new API that allows external actors to craft a CRL through JSON parameters [[GH-18040](https://github.com/hashicorp/vault/pull/18040)]
-* secrets/pki: Allow UserID Field (https://www.rfc-editor.org/rfc/rfc1274#section-9.3.1) to be set on Certificates when
-allowed by role [[GH-18397](https://github.com/hashicorp/vault/pull/18397)]
-* secrets/pki: Allow issuer creation, import to change default issuer via `default_follows_latest_issuer`. [[GH-17824](https://github.com/hashicorp/vault/pull/17824)]
-* secrets/pki: Allow templating performance replication cluster- and issuer-specific AIA URLs. [[GH-18199](https://github.com/hashicorp/vault/pull/18199)]
-* secrets/pki: Allow tidying of expired issuer certificates. [[GH-17823](https://github.com/hashicorp/vault/pull/17823)]
-* secrets/pki: Allow tidying of the legacy ca_bundle, improving startup on post-migrated, seal-wrapped PKI mounts. [[GH-18645](https://github.com/hashicorp/vault/pull/18645)]
-* secrets/pki: Respond with written data to `config/auto-tidy`, `config/crl`, and `roles/:role`. [[GH-18222](https://github.com/hashicorp/vault/pull/18222)]
-* secrets/pki: Return issuer_id and issuer_name on /issuer/:issuer_ref/json endpoint. [[GH-18482](https://github.com/hashicorp/vault/pull/18482)]
-* secrets/pki: Return new fields revocation_time_rfc3339 and issuer_id to existing certificate serial lookup api if it is revoked [[GH-17774](https://github.com/hashicorp/vault/pull/17774)]
-* secrets/ssh: Allow removing SSH host keys from the dynamic keys feature. [[GH-18939](https://github.com/hashicorp/vault/pull/18939)]
-* secrets/ssh: Evaluate ssh validprincipals user template before splitting [[GH-16622](https://github.com/hashicorp/vault/pull/16622)]
-* secrets/transit: Add an optional reference field to batch operation items
-which is repeated on batch responses to help more easily correlate inputs with outputs. [[GH-18243](https://github.com/hashicorp/vault/pull/18243)]
-* secrets/transit: Add associated_data parameter for additional authenticated data in AEAD ciphers [[GH-17638](https://github.com/hashicorp/vault/pull/17638)]
-* secrets/transit: Add support for PKCSv1_5_NoOID RSA signatures [[GH-17636](https://github.com/hashicorp/vault/pull/17636)]
-* secrets/transit: Allow configuring whether upsert of keys is allowed. [[GH-18272](https://github.com/hashicorp/vault/pull/18272)]
-* storage/raft: Add `retry_join_as_non_voter` config option. [[GH-18030](https://github.com/hashicorp/vault/pull/18030)]
-* storage/raft: add additional raft metrics relating to applied index and heartbeating; also ensure OSS standbys emit periodic metrics. [[GH-12166](https://github.com/hashicorp/vault/pull/12166)]
-* sys/internal/inspect: Creates an endpoint to look to inspect internal subsystems. [[GH-17789](https://github.com/hashicorp/vault/pull/17789)]
-* sys/internal/inspect: Creates an endpoint to look to inspect internal subsystems.
-* ui: Add algorithm-signer as a SSH Secrets Engine UI field [[GH-10299](https://github.com/hashicorp/vault/pull/10299)]
-* ui: Add inline policy creation when creating an identity entity or group [[GH-17749](https://github.com/hashicorp/vault/pull/17749)]
-* ui: Added JWT authentication warning message about blocked pop-up windows and web browser settings. [[GH-18787](https://github.com/hashicorp/vault/pull/18787)]
-* ui: Enable typescript for future development [[GH-17927](https://github.com/hashicorp/vault/pull/17927)]
-* ui: Prepends "passcode=" if not provided in user input for duo totp mfa method authentication [[GH-18342](https://github.com/hashicorp/vault/pull/18342)]
-* ui: Update language on database role to "Connection name" [[GH-18261](https://github.com/hashicorp/vault/issues/18261)] [[GH-18350](https://github.com/hashicorp/vault/pull/18350)]
-* ui: adds allowed_response_headers as param for secret engine mount config [[GH-19216](https://github.com/hashicorp/vault/pull/19216)]
-* ui: consolidate all <a> tag usage [[GH-17866](https://github.com/hashicorp/vault/pull/17866)]
-* ui: mfa: use proper request id generation [[GH-17835](https://github.com/hashicorp/vault/pull/17835)]
-* ui: remove wizard [[GH-19220](https://github.com/hashicorp/vault/pull/19220)]
-* ui: update DocLink component to use new host url: developer.hashicorp.com [[GH-18374](https://github.com/hashicorp/vault/pull/18374)]
-* ui: update TTL picker for consistency [[GH-18114](https://github.com/hashicorp/vault/pull/18114)]
-* ui: use the combined activity log (partial + historic) API for client count dashboard and remove use of monthly endpoint [[GH-17575](https://github.com/hashicorp/vault/pull/17575)]
-* vault/diagnose: Upgrade `go.opentelemetry.io/otel`, `go.opentelemetry.io/otel/sdk`, `go.opentelemetry.io/otel/trace` to v1.11.2 [[GH-18589](https://github.com/hashicorp/vault/pull/18589)]
-
-DEPRECATIONS:
-
-* secrets/ad: Marks the Active Directory (AD) secrets engine as deprecated. [[GH-19334](https://github.com/hashicorp/vault/pull/19334)]
-
-BUG FIXES:
-
-* api: Remove timeout logic from ReadRaw functions and add ReadRawWithContext [[GH-18708](https://github.com/hashicorp/vault/pull/18708)]
-* auth/alicloud: fix regression in vault login command that caused login to fail [[GH-19005](https://github.com/hashicorp/vault/pull/19005)]
-* auth/approle: Add nil check for the secret ID entry when deleting via secret id accessor preventing cross role secret id deletion [[GH-19186](https://github.com/hashicorp/vault/pull/19186)]
-* auth/approle: Fix `token_bound_cidrs` validation when using /32 blocks for role and secret ID [[GH-18145](https://github.com/hashicorp/vault/pull/18145)]
-* auth/cert: Address a race condition accessing the loaded crls without a lock [[GH-18945](https://github.com/hashicorp/vault/pull/18945)]
-* auth/kubernetes: Ensure a consistent TLS configuration for all k8s API requests [[#173](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/173)] [[GH-18716](https://github.com/hashicorp/vault/pull/18716)]
-* auth/kubernetes: fixes and dep updates for the auth-kubernetes plugin (see plugin changelog for details) [[GH-19094](https://github.com/hashicorp/vault/pull/19094)]
-* auth/okta: fix a panic for AuthRenew in Okta [[GH-18011](https://github.com/hashicorp/vault/pull/18011)]
-* auth: Deduplicate policies prior to ACL generation [[GH-17914](https://github.com/hashicorp/vault/pull/17914)]
-* cli/kv: skip formatting of nil secrets for patch and put with field parameter set [[GH-18163](https://github.com/hashicorp/vault/pull/18163)]
-* cli/pki: Decode integer values properly in health-check configuration file [[GH-19265](https://github.com/hashicorp/vault/pull/19265)]
-* cli/pki: Fix path for role health-check warning messages [[GH-19274](https://github.com/hashicorp/vault/pull/19274)]
-* cli/pki: Properly report permission issues within health-check mount tune checks [[GH-19276](https://github.com/hashicorp/vault/pull/19276)]
-* cli/transit: Fix import, import-version command invocation [[GH-19373](https://github.com/hashicorp/vault/pull/19373)]
-* cli: Fix issue preventing kv commands from executing properly when the mount path provided by `-mount` flag and secret key path are the same. [[GH-17679](https://github.com/hashicorp/vault/pull/17679)]
-* cli: Fix vault read handling to return raw data as secret.Data when there is no top-level data object from api response. [[GH-17913](https://github.com/hashicorp/vault/pull/17913)]
-* cli: Remove empty table heading for `vault secrets list -detailed` output. [[GH-17577](https://github.com/hashicorp/vault/pull/17577)]
-* command/namespace: Fix vault cli namespace patch examples in help text. [[GH-18143](https://github.com/hashicorp/vault/pull/18143)]
-* core (enterprise): Fix missing quotation mark in error message
-* core (enterprise): Fix panic that could occur with SSCT alongside invoking external plugins for revocation.
-* core (enterprise): Fix panic when using invalid accessor for control-group request
-* core (enterprise): Fix perf standby WAL streaming silently failures when replication setup happens at a bad time.
-* core (enterprise): Supported storage check in `vault server` command will no longer prevent startup. Instead, a warning will be logged if configured to use storage backend other than `raft` or `consul`.
-* core/activity: add namespace breakdown for new clients when date range spans multiple months, including the current month. [[GH-18766](https://github.com/hashicorp/vault/pull/18766)]
-* core/activity: de-duplicate namespaces when historical and current month data are mixed [[GH-18452](https://github.com/hashicorp/vault/pull/18452)]
-* core/activity: fix the end_date returned from the activity log endpoint when partial counts are computed [[GH-17856](https://github.com/hashicorp/vault/pull/17856)]
-* core/activity: include mount counts when de-duplicating current and historical month data [[GH-18598](https://github.com/hashicorp/vault/pull/18598)]
-* core/activity: report mount paths (rather than mount accessors) in current month activity log counts and include deleted mount paths in precomputed queries. [[GH-18916](https://github.com/hashicorp/vault/pull/18916)]
-* core/activity: return partial month counts when querying a historical date range and no historical data exists. [[GH-17935](https://github.com/hashicorp/vault/pull/17935)]
-* core/auth: Return a 403 instead of a 500 for wrapping requests when token is not provided [[GH-18859](https://github.com/hashicorp/vault/pull/18859)]
-* core/managed-keys (enterprise): Limit verification checks to mounts in a key's namespace
-* core/managed-keys (enterprise): Return better error messages when encountering key creation failures
-* core/managed-keys (enterprise): Switch to using hash length as PSS Salt length within the test/sign api for better PKCS#11 compatibility
-* core/quotas (enterprise): Fix a lock contention issue that could occur and cause Vault to become unresponsive when creating, changing, or deleting lease count quotas.
-* core/quotas (enterprise): Fix a potential deadlock that could occur when using lease count quotas.
-* core/quotas: Fix issue with improper application of default rate limit quota exempt paths [[GH-18273](https://github.com/hashicorp/vault/pull/18273)]
-* core/seal: Fix regression handling of the key_id parameter in seal configuration HCL. [[GH-17612](https://github.com/hashicorp/vault/pull/17612)]
-* core: Fix panic caused in Vault Agent when rendering certificate templates [[GH-17419](https://github.com/hashicorp/vault/pull/17419)]
-* core: Fix potential deadlock if barrier ciphertext is less than 4 bytes. [[GH-17944](https://github.com/hashicorp/vault/pull/17944)]
-* core: Fix spurious `permission denied` for all HelpOperations on sudo-protected paths [[GH-18568](https://github.com/hashicorp/vault/pull/18568)]
-* core: Fix vault operator init command to show the right curl string with -output-curl-string and right policy hcl with -output-policy [[GH-17514](https://github.com/hashicorp/vault/pull/17514)]
-* core: Fixes spurious warnings being emitted relating to "unknown or unsupported fields" for JSON config [[GH-17660](https://github.com/hashicorp/vault/pull/17660)]
-* core: Linux packages now have vendor label and set the default label to HashiCorp.
-This fix is implemented for any future releases, but will not be updated for historical releases.
-* core: Prevent panics in `sys/leases/lookup`, `sys/leases/revoke`, and `sys/leases/renew` endpoints if provided `lease_id` is null [[GH-18951](https://github.com/hashicorp/vault/pull/18951)]
-* core: Refactor lock grabbing code to simplify stateLock deadlock investigations [[GH-17187](https://github.com/hashicorp/vault/pull/17187)]
-* core: fix GPG encryption to support subkeys. [[GH-16224](https://github.com/hashicorp/vault/pull/16224)]
-* core: fix a start up race condition where performance standbys could go into a
-mount loop if default policies are not yet synced from the active node. [[GH-17801](https://github.com/hashicorp/vault/pull/17801)]
-* core: fix bug where context cancellations weren't forwarded to active node from performance standbys.
-* core: fix race when using SystemView.ReplicationState outside of a request context [[GH-17186](https://github.com/hashicorp/vault/pull/17186)]
-* core: prevent memory leak when using control group factors in a policy [[GH-17532](https://github.com/hashicorp/vault/pull/17532)]
-* core: prevent panic during mfa after enforcement's namespace is deleted [[GH-17562](https://github.com/hashicorp/vault/pull/17562)]
-* core: prevent panic in login mfa enforcement delete after enforcement's namespace is deleted [[GH-18923](https://github.com/hashicorp/vault/pull/18923)]
-* core: trying to unseal with the wrong key now returns HTTP 400 [[GH-17836](https://github.com/hashicorp/vault/pull/17836)]
-* credential/cert: adds error message if no tls connection is found during the AliasLookahead operation [[GH-17904](https://github.com/hashicorp/vault/pull/17904)]
-* database/mongodb: Fix writeConcern set to be applied to any query made on the database [[GH-18546](https://github.com/hashicorp/vault/pull/18546)]
-* expiration: Prevent panics on perf standbys when an irrevocable lease gets deleted. [[GH-18401](https://github.com/hashicorp/vault/pull/18401)]
-* kmip (enterprise): Fix a problem with some multi-part MAC Verify operations.
-* kmip (enterprise): Only require data to be full blocks on encrypt/decrypt operations using CBC and ECB block cipher modes.
-* license (enterprise): Fix bug where license would update even if the license didn't change.
-* licensing (enterprise): update autoloaded license cache after reload
-* login: Store token in tokenhelper for interactive login MFA [[GH-17040](https://github.com/hashicorp/vault/pull/17040)]
-* openapi: Fix many incorrect details in generated API spec, by using better techniques to parse path regexps [[GH-18554](https://github.com/hashicorp/vault/pull/18554)]
-* openapi: fix gen_openapi.sh script to correctly load vault plugins [[GH-17752](https://github.com/hashicorp/vault/pull/17752)]
-* plugins/kv: KV v2 returns 404 instead of 500 for request paths that incorrectly include a trailing slash. [[GH-17339](https://github.com/hashicorp/vault/pull/17339)]
-* plugins: Allow running external plugins which override deprecated builtins. [[GH-17879](https://github.com/hashicorp/vault/pull/17879)]
-* plugins: Corrected the path to check permissions on when the registered plugin name does not match the plugin binary's filename. [[GH-17340](https://github.com/hashicorp/vault/pull/17340)]
-* plugins: Listing all plugins while audit logging is enabled will no longer result in an internal server error. [[GH-18173](https://github.com/hashicorp/vault/pull/18173)]
-* plugins: Only report deprecation status for builtin plugins. [[GH-17816](https://github.com/hashicorp/vault/pull/17816)]
-* plugins: Skip loading but still mount data associated with missing plugins on unseal. [[GH-18189](https://github.com/hashicorp/vault/pull/18189)]
-* plugins: Vault upgrades will no longer fail if a mount has been created using an explicit builtin plugin version. [[GH-18051](https://github.com/hashicorp/vault/pull/18051)]
-* replication (enterprise): Fix bug where reloading external plugin on a secondary would
-break replication.
-* sdk: Don't panic if system view or storage methods called during plugin setup. [[GH-18210](https://github.com/hashicorp/vault/pull/18210)]
-* secret/pki: fix bug with initial legacy bundle migration (from < 1.11 into 1.11+) and missing issuers from ca_chain [[GH-17772](https://github.com/hashicorp/vault/pull/17772)]
-* secrets/ad: Fix bug where updates to config would fail if password isn't provided [[GH-19061](https://github.com/hashicorp/vault/pull/19061)]
-* secrets/gcp: fix issue where IAM bindings were not preserved during policy update [[GH-19018](https://github.com/hashicorp/vault/pull/19018)]
-* secrets/mongodb-atlas: Fix a bug that did not allow WAL rollback to handle partial failures when creating API keys [[GH-19111](https://github.com/hashicorp/vault/pull/19111)]
-* secrets/pki: Address nil panic when an empty POST request is sent to the OCSP handler [[GH-18184](https://github.com/hashicorp/vault/pull/18184)]
-* secrets/pki: Allow patching issuer to set an empty issuer name. [[GH-18466](https://github.com/hashicorp/vault/pull/18466)]
-* secrets/pki: Do not read revoked certificates from backend when CRL is disabled [[GH-17385](https://github.com/hashicorp/vault/pull/17385)]
-* secrets/pki: Fix upgrade of missing expiry, delta_rebuild_interval by setting them to the default. [[GH-17693](https://github.com/hashicorp/vault/pull/17693)]
-* secrets/pki: Fixes duplicate otherName in certificates created by the sign-verbatim endpoint. [[GH-16700](https://github.com/hashicorp/vault/pull/16700)]
-* secrets/pki: OCSP GET request parameter was not being URL unescaped before processing. [[GH-18938](https://github.com/hashicorp/vault/pull/18938)]
-* secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [[GH-17497](https://github.com/hashicorp/vault/pull/17497)]
-* secrets/pki: Revert fix for PR [18938](https://github.com/hashicorp/vault/pull/18938) [[GH-19037](https://github.com/hashicorp/vault/pull/19037)]
-* secrets/pki: consistently use UTC for CA's notAfter exceeded error message [[GH-18984](https://github.com/hashicorp/vault/pull/18984)]
-* secrets/pki: fix race between tidy's cert counting and tidy status reporting. [[GH-18899](https://github.com/hashicorp/vault/pull/18899)]
-* secrets/transit: Do not warn about unrecognized parameter 'batch_input' [[GH-18299](https://github.com/hashicorp/vault/pull/18299)]
-* secrets/transit: Honor `partial_success_response_code` on decryption failures. [[GH-18310](https://github.com/hashicorp/vault/pull/18310)]
-* server/config:  Use file.Stat when checking file permissions when VAULT_ENABLE_FILE_PERMISSIONS_CHECK is enabled [[GH-19311](https://github.com/hashicorp/vault/pull/19311)]
-* storage/raft (enterprise): An already joined node can rejoin by wiping storage
-and re-issueing a join request, but in doing so could transiently become a
-non-voter.  In some scenarios this resulted in loss of quorum. [[GH-18263](https://github.com/hashicorp/vault/pull/18263)]
-* storage/raft: Don't panic on unknown raft ops [[GH-17732](https://github.com/hashicorp/vault/pull/17732)]
-* storage/raft: Fix race with follower heartbeat tracker during teardown. [[GH-18704](https://github.com/hashicorp/vault/pull/18704)]
-* ui/keymgmt: Sets the defaultValue for type when creating a key. [[GH-17407](https://github.com/hashicorp/vault/pull/17407)]
-* ui: Fix bug where logging in via OIDC fails if browser is in fullscreen mode [[GH-19071](https://github.com/hashicorp/vault/pull/19071)]
-* ui: Fixes issue with not being able to download raft snapshot via service worker [[GH-17769](https://github.com/hashicorp/vault/pull/17769)]
-* ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [[GH-17661](https://github.com/hashicorp/vault/pull/17661)]
-* ui: Remove `default` and add `default-service` and `default-batch` to UI token_type for auth mount and tuning. [[GH-19290](https://github.com/hashicorp/vault/pull/19290)]
-* ui: Remove default value of 30 to TtlPicker2 if no value is passed in. [[GH-17376](https://github.com/hashicorp/vault/pull/17376)]
-* ui: allow selection of "default" for ssh algorithm_signer in web interface [[GH-17894](https://github.com/hashicorp/vault/pull/17894)]
-* ui: cleanup unsaved auth method ember data record when navigating away from mount backend form [[GH-18651](https://github.com/hashicorp/vault/pull/18651)]
-* ui: fix entity policies list link to policy show page [[GH-17950](https://github.com/hashicorp/vault/pull/17950)]
-* ui: fixes query parameters not passed in api explorer test requests [[GH-18743](https://github.com/hashicorp/vault/pull/18743)]
-* ui: fixes reliance on secure context (https) by removing methods using the Crypto interface [[GH-19403](https://github.com/hashicorp/vault/pull/19403)]
-* ui: show Get credentials button for static roles detail page when a user has the proper permissions. [[GH-19190](https://github.com/hashicorp/vault/pull/19190)]
-
-## 1.12.11
-### September 13, 2023
-
-SECURITY:
-
-* secrets/transit: fix a regression that was honoring nonces provided in non-convergent modes during encryption. [[GH-22852](https://github.com/hashicorp/vault/pull/22852)]
-
-IMPROVEMENTS:
-
-* auth/ldap: improved login speed by adding concurrency to LDAP token group searches [[GH-22659](https://github.com/hashicorp/vault/pull/22659)]
-* kmip (enterprise): reduce latency of KMIP operation handling
-
-BUG FIXES:
-
-* cli: Fix the CLI failing to return wrapping information for KV PUT and PATCH operations when format is set to `table`. [[GH-22818](https://github.com/hashicorp/vault/pull/22818)]
-* core/quotas: Reduce overhead for role calculation when using cloud auth methods. [[GH-22583](https://github.com/hashicorp/vault/pull/22583)]
-* core/seal: add a workaround for potential connection [[hangs](https://github.com/Azure/azure-sdk-for-go/issues/21346)] in Azure autoseals. [[GH-22760](https://github.com/hashicorp/vault/pull/22760)]
-* raft/autopilot: Add dr-token flag for raft autopilot cli commands [[GH-21165](https://github.com/hashicorp/vault/pull/21165)]
-* replication (enterprise): Fix discovery of bad primary cluster addresses to be more reliable
-
-## 1.12.10
-### August 30, 2023
-
-CHANGES:
-
-* core: Bump Go version to 1.19.12.
-
-IMPROVEMENTS:
-
-* core: Log rollback manager failures during unmount, remount to prevent replication failures on secondary clusters. [[GH-22235](https://github.com/hashicorp/vault/pull/22235)]
-* replication (enterprise): Make reindex less disruptive by allowing writes during the flush phase.
-* storage/raft: Cap the minimum dead_server_last_contact_threshold to 1m. [[GH-22040](https://github.com/hashicorp/vault/pull/22040)]
-* ui: enables create and update KV secret workflow when control group present [[GH-22471](https://github.com/hashicorp/vault/pull/22471)]
-
-BUG FIXES:
-
-* api: Fix breakage with UNIX domain socket addresses introduced by newest Go versions as a security fix. [[GH-22523](https://github.com/hashicorp/vault/pull/22523)]
-* core (enterprise): Remove MFA Configuration for namespace when deleting namespace
-* core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context.
-Also fix a related potential deadlock. [[GH-21110](https://github.com/hashicorp/vault/pull/21110)]
-* core:  Remove "expiration manager is nil on tokenstore" error log for unauth requests on DR secondary as they do not have expiration manager. [[GH-22137](https://github.com/hashicorp/vault/pull/22137)]
-* core: Fix readonly errors that could occur while loading mounts/auths during unseal [[GH-22362](https://github.com/hashicorp/vault/pull/22362)]
-* core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [[GH-21470](https://github.com/hashicorp/vault/pull/21470)]
-* expiration: Fix a deadlock that could occur when a revocation failure happens while restoring leases on startup. [[GH-22374](https://github.com/hashicorp/vault/pull/22374)]
-* license: Add autoloaded license path to the cache exempt list. This is to ensure the license changes on the active node is observed on the perfStandby node. [[GH-22363](https://github.com/hashicorp/vault/pull/22363)]
-* replication (enterprise): Fix bug sync invalidate CoreReplicatedClusterInfoPath
-* replication (enterprise): Fixing a bug by which the atomicity of a merkle diff result could be affected. This means it could be a source of a merkle-diff & sync process failing to switch into stream-wal mode afterwards.
-* sdk/ldaputil: Properly escape user filters when using UPN domains
-sdk/ldaputil: use EscapeLDAPValue implementation from cap/ldap [[GH-22249](https://github.com/hashicorp/vault/pull/22249)]
-* secrets/ldap: Fix bug causing schema and password_policy to be overwritten in config. [[GH-22332](https://github.com/hashicorp/vault/pull/22332)]
-* secrets/transform (enterprise): Tidy operations will be re-scheduled at a minimum of every minute, not a maximum of every minute
-* ui: Fix blank page or ghost secret when canceling KV secret create [[GH-22541](https://github.com/hashicorp/vault/pull/22541)]
-* ui: fixes `max_versions` default for secret metadata unintentionally overriding kv engine defaults [[GH-22394](https://github.com/hashicorp/vault/pull/22394)]
-
-## 1.12.9
-### July 25, 2023
-
-SECURITY:
-
-* core/namespace (enterprise): An unhandled error in Vault Enterprise’s namespace creation may cause the Vault process to crash, potentially resulting in denial of service. This vulnerability, CVE-2023-3774, is fixed in Vault Enterprise 1.14.1, 1.13.5, and 1.12.9. [[HSEC_2023-23](https://discuss.hashicorp.com/t/hcsec-2023-23-vault-enterprise-namespace-creation-may-lead-to-denial-of-service/56617)]
-
-CHANGES:
-
-* secrets/transform (enterprise): Enforce a transformation role's max_ttl setting on encode requests, a warning will be returned if max_ttl was applied.
-
-IMPROVEMENTS:
-
-* core/fips: Add RPM, DEB packages of FIPS 140-2 and HSM+FIPS 140-2 Vault Enterprise.
-* replication (enterprise): Avoid logging warning if request is forwarded from a performance standby and not a performance secondary
-* secrets/transform (enterprise): Switch to pgx PostgreSQL driver for better timeout handling
-
-BUG FIXES:
-
-* core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [[GH-24170](https://github.com/hashicorp/vault/pull/24170)]
-* identity: Remove caseSensitivityKey to prevent errors while loading groups which could result in missing groups in memDB when duplicates are found. [[GH-20965](https://github.com/hashicorp/vault/pull/20965)]
-* replication (enterprise): update primary cluster address after DR failover
-* secrets/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [[GH-21633](https://github.com/hashicorp/vault/pull/21633)]
-* secrets/pki: Prevent deleted issuers from reappearing when migrating from a version 1 bundle to a version 2 bundle (versions including 1.13.0, 1.12.2, and 1.11.6); when managed keys were removed but referenced in the Vault 1.10 legacy CA bundle, this the error: `no managed key found with uuid`. [[GH-21316](https://github.com/hashicorp/vault/pull/21316)]
-* secrets/pki: Support setting both maintain_stored_certificate_counts=false and publish_stored_certificate_count_metrics=false explicitly in tidy config. [[GH-20664](https://github.com/hashicorp/vault/pull/20664)]
-* secrets/transform (enterprise): Fix nil panic when deleting a template with tokenization transformations present
-* secrets/transform (enterprise): Grab shared locks for various read operations, only escalating to write locks if work is required
-* serviceregistration: Fix bug where multiple nodes in a secondary cluster could be labelled active after updating the cluster's primary [[GH-21642](https://github.com/hashicorp/vault/pull/21642)]
-* ui: Fixed an issue where editing an SSH role would clear `default_critical_options` and `default_extension` if left unchanged. [[GH-21739](https://github.com/hashicorp/vault/pull/21739)]
-
-## 1.12.8
-### June 21, 2023
-BREAKING CHANGES:
-
-* secrets/pki: Maintaining running count of certificates will be turned off by default.
-To re-enable keeping these metrics available on the tidy status endpoint, enable
-maintain_stored_certificate_counts on tidy-config, to also publish them to the
-metrics consumer, enable publish_stored_certificate_count_metrics . [[GH-18186](https://github.com/hashicorp/vault/pull/18186)]
-
-CHANGES:
-
-* core: Bump Go version to 1.19.10.
-
-FEATURES:
-
-* **Automated License Utilization Reporting**: Added automated license
-utilization reporting, which sends minimal product-license [metering
-data](https://developer.hashicorp.com/vault/docs/enterprise/license/utilization-reporting)
-to HashiCorp without requiring you to manually collect and report them.
-* core (enterprise): Add background worker for automatic reporting of billing
-information. [[GH-19625](https://github.com/hashicorp/vault/pull/19625)]
-
-IMPROVEMENTS:
-
-* api: GET ... /sys/internal/counters/activity?current_billing_period=true now
-results in a response which contains the full billing period [[GH-20694](https://github.com/hashicorp/vault/pull/20694)]
-* api: `/sys/internal/counters/config` endpoint now contains read-only
-`minimum_retention_months`. [[GH-20150](https://github.com/hashicorp/vault/pull/20150)]
-* api: `/sys/internal/counters/config` endpoint now contains read-only
-`reporting_enabled` and `billing_start_timestamp` fields. [[GH-20086](https://github.com/hashicorp/vault/pull/20086)]
-* core (enterprise): add configuration for license reporting [[GH-19891](https://github.com/hashicorp/vault/pull/19891)]
-* core (enterprise): license updates trigger a reload of reporting and the activity log [[GH-20680](https://github.com/hashicorp/vault/pull/20680)]
-* core (enterprise): support reloading configuration for automated reporting via SIGHUP [[GH-20680](https://github.com/hashicorp/vault/pull/20680)]
-* core (enterprise): vault server command now allows for opt-out of automated
-reporting via the `OPTOUT_LICENSE_REPORTING` environment variable. [[GH-3939](https://github.com/hashicorp/vault/pull/3939)]
-* core/activity: error when attempting to update retention configuration below the minimum [[GH-20078](https://github.com/hashicorp/vault/pull/20078)]
-* core/activity: refactor the activity log's generation of precomputed queries [[GH-20073](https://github.com/hashicorp/vault/pull/20073)]
-* ui: updates clients configuration edit form state based on census reporting configuration [[GH-20125](https://github.com/hashicorp/vault/pull/20125)]
-
-BUG FIXES:
-
-* core (enterprise): Don't delete backend stored data that appears to be filterable
-on this secondary if we don't have a corresponding mount entry.
-* core/activity: add namespace breakdown for new clients when date range spans multiple months, including the current month. [[GH-18766](https://github.com/hashicorp/vault/pull/18766)]
-* core/activity: de-duplicate namespaces when historical and current month data are mixed [[GH-18452](https://github.com/hashicorp/vault/pull/18452)]
-* core/activity: fix the end_date returned from the activity log endpoint when partial counts are computed [[GH-17856](https://github.com/hashicorp/vault/pull/17856)]
-* core/activity: include mount counts when de-duplicating current and historical month data [[GH-18598](https://github.com/hashicorp/vault/pull/18598)]
-* core/activity: report mount paths (rather than mount accessors) in current month activity log counts and include deleted mount paths in precomputed queries. [[GH-18916](https://github.com/hashicorp/vault/pull/18916)]
-* core/activity: return partial month counts when querying a historical date range and no historical data exists. [[GH-17935](https://github.com/hashicorp/vault/pull/17935)]
-* core: Change where we evaluate filtered paths as part of mount operations; this is part of an enterprise bugfix that will
-have its own changelog entry.  Fix wrong lock used in ListAuths link meta interface implementation. [[GH-21260](https://github.com/hashicorp/vault/pull/21260)]
-* core: Do not cache seal configuration to fix a bug that resulted in sporadic auto unseal failures. [[GH-21223](https://github.com/hashicorp/vault/pull/21223)]
-* core: Don't exit just because we think there's a potential deadlock. [[GH-21342](https://github.com/hashicorp/vault/pull/21342)]
-* core: Fix panic in sealed nodes using raft storage trying to emit raft metrics [[GH-21249](https://github.com/hashicorp/vault/pull/21249)]
-* identity: Fixes duplicate groups creation with the same name but unique IDs. [[GH-20964](https://github.com/hashicorp/vault/pull/20964)]
-* replication (enterprise): Fix a race condition with update-primary that could result in data loss after a DR failover
-* replication (enterprise): Fix path filters deleting data right after it's written by backend Initialize funcs
-* storage/raft: Fix race where new follower joining can get pruned by dead server cleanup. [[GH-20986](https://github.com/hashicorp/vault/pull/20986)]
-
-## 1.12.7
-### June 08, 2023
-
-SECURITY:
-
-* ui: key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11. [[HSEC-2023-17](https://discuss.hashicorp.com/t/hcsec-2023-17-vault-s-kv-diff-viewer-allowed-html-injection/54814)]
-
-CHANGES:
-
-* core: Bump Go version to 1.19.9.
-* core: Revert #19676 (VAULT_GRPC_MIN_CONNECT_TIMEOUT env var) as we decided it was unnecessary. [[GH-20826](https://github.com/hashicorp/vault/pull/20826)]
-
-IMPROVEMENTS:
-
-* audit: add a `mount_point` field to audit requests and response entries [[GH-20411](https://github.com/hashicorp/vault/pull/20411)]
-* command/server: Add support for dumping pprof files to the filesystem via SIGUSR2 when
-`VAULT_PPROF_WRITE_TO_FILE=true` is set on the server. [[GH-20609](https://github.com/hashicorp/vault/pull/20609)]
-* core: include namespace path in granting_policies block of audit log
-* openapi: Fix generated types for duration strings [[GH-20841](https://github.com/hashicorp/vault/pull/20841)]
-* sdk/framework: Fix non-deterministic ordering of 'required' fields in OpenAPI spec [[GH-20881](https://github.com/hashicorp/vault/pull/20881)]
-* secrets/pki: add subject key identifier to read key response [[GH-20642](https://github.com/hashicorp/vault/pull/20642)]
-* ui: update TTL picker for consistency [[GH-18114](https://github.com/hashicorp/vault/pull/18114)]
-
-BUG FIXES:
-
-* api: Properly Handle nil identity_policies in Secret Data [[GH-20636](https://github.com/hashicorp/vault/pull/20636)]
-* auth/ldap: Set default value for `max_page_size` properly [[GH-20453](https://github.com/hashicorp/vault/pull/20453)]
-* cli: CLI should take days as a unit of time for ttl like flags [[GH-20477](https://github.com/hashicorp/vault/pull/20477)]
-* cli: disable printing flags warnings messages for the ssh command [[GH-20502](https://github.com/hashicorp/vault/pull/20502)]
-* core (enterprise): Fix log shipper buffer size overflow issue for 32 bit architecture.
-* core (enterprise): Fix logshipper buffer size to default to DefaultBufferSize only when reported system memory is zero.
-* core (enterprise): Remove MFA Enforcment configuration for namespace when deleting namespace
-* core: prevent panic on login after namespace is deleted that had mfa enforcement [[GH-20375](https://github.com/hashicorp/vault/pull/20375)]
-* replication (enterprise): Fix a race condition with invalid tokens during WAL streaming that was causing Secondary clusters to be unable to connect to a Primary.
-* replication (enterprise): fix bug where secondary grpc connections would timeout when connecting to a primary host that no longer exists.
-* secrets/transform (enterprise): Fix a caching bug affecting secondary nodes after a tokenization key rotation
-* secrets/transit: Fix export of HMAC-only key, correctly exporting the key used for sign operations. For consumers of the previously incorrect key, use the plaintext export to retrieve these incorrect keys and import them as new versions.
-secrets/transit: Fix bug related to shorter dedicated HMAC key sizing.
-sdk/helper/keysutil: New HMAC type policies will have HMACKey equal to Key and be copied over on import. [[GH-20864](https://github.com/hashicorp/vault/pull/20864)]
-* ui: Fixes issue unsealing cluster for seal types other than shamir [[GH-20897](https://github.com/hashicorp/vault/pull/20897)]
-
-## 1.12.6
-### April 26, 2023
-
-CHANGES:
-
-* core: Bump Go version to 1.19.8.
-
-IMPROVEMENTS:
-
-* cli/namespace: Add detailed flag to output additional namespace information
-such as namespace IDs and custom metadata. [[GH-20243](https://github.com/hashicorp/vault/pull/20243)]
-* core/activity: add an endpoint to write test activity log data, guarded by a build flag [[GH-20019](https://github.com/hashicorp/vault/pull/20019)]
-* core: Add a `raft` sub-field to the `storage` and `ha_storage` details provided by the
-`/sys/config/state/sanitized` endpoint in order to include the `max_entry_size`. [[GH-20044](https://github.com/hashicorp/vault/pull/20044)]
-* sdk/ldaputil: added `connection_timeout` to tune connection timeout duration
-for all LDAP plugins. [[GH-20144](https://github.com/hashicorp/vault/pull/20144)]
-* secrets/pki: Decrease size and improve compatibility of OCSP responses by removing issuer certificate. [[GH-20201](https://github.com/hashicorp/vault/pull/20201)]
-
-BUG FIXES:
-
-* auth/ldap: Add max_page_size configurable to LDAP configuration [[GH-19032](https://github.com/hashicorp/vault/pull/19032)]
-* command/server: Fix incorrect paths in generated config for `-dev-tls` flag on Windows [[GH-20257](https://github.com/hashicorp/vault/pull/20257)]
-* core (enterprise): Fix intermittent issue with token entries sometimes not being found when using a newly created token in a request to a secondary, even when SSCT `new_token` forwarding is set. When this occurred, this would result in the following error to the client: `error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue`.
-* core (enterprise): Fix read on perf standbys failing with 412 after leadership change, unseal, restores or restarts when no writes occur
-* core/ssct (enterprise): Fixed race condition where a newly promoted DR may revert `sscGenCounter`
-resulting in 412 errors.
-* core: Fix regression breaking non-raft clusters whose nodes share the same cluster_addr/api_addr. [[GH-19721](https://github.com/hashicorp/vault/pull/19721)]
-* helper/random: Fix race condition in string generator helper [[GH-19875](https://github.com/hashicorp/vault/pull/19875)]
-* kmip (enterprise): Fix a problem decrypting with keys that have no Process Start Date attribute.
-* openapi: Fix many incorrect details in generated API spec, by using better techniques to parse path regexps [[GH-18554](https://github.com/hashicorp/vault/pull/18554)]
-* pki: Fix automatically turning off CRL signing on upgrade to Vault >= 1.12, if CA Key Usage disallows it [[GH-20220](https://github.com/hashicorp/vault/pull/20220)]
-* replication (enterprise): Fix a caching issue when replicating filtered data to
-a performance secondary. This resulted in the data being set to nil in the cache
-and a "invalid value" error being returned from the API.
-* replication (enterprise): Fix replication status for Primary clusters showing its primary cluster's information (in case of DR) in secondaries field when known_secondaries field is nil
-* secrets/pki: Fix patching of leaf_not_after_behavior on issuers. [[GH-20341](https://github.com/hashicorp/vault/pull/20341)]
-* secrets/transform (enterprise): Address SQL connection leak when cleaning expired tokens
-* ui: Fix OIDC provider logo showing when domain doesn't match [[GH-20263](https://github.com/hashicorp/vault/pull/20263)]
-* ui: Fix bad link to namespace when namespace name includes `.` [[GH-19799](https://github.com/hashicorp/vault/pull/19799)]
-* ui: fixes browser console formatting for help command output [[GH-20064](https://github.com/hashicorp/vault/pull/20064)]
-* ui: remove use of htmlSafe except when first sanitized [[GH-20235](https://github.com/hashicorp/vault/pull/20235)]
-
-## 1.12.5
-### March 29, 2023
-
-SECURITY:
-
-* storage/mssql: When using Vault’s community-supported Microsoft SQL (MSSQL) database storage backend, a privileged attacker with the ability to write arbitrary data to Vault’s configuration may be able to perform arbitrary SQL commands on the underlying database server through Vault. This vulnerability, CVE-2023-0620, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [[HCSEC-2023-12](https://discuss.hashicorp.com/t/hcsec-2023-12-vault-s-microsoft-sql-database-storage-backend-vulnerable-to-sql-injection-via-configuration-file/52080)]
-* secrets/pki: Vault’s PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate issuance. This vulnerability, CVE-2023-0665, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [[HCSEC-2023-11](https://discuss.hashicorp.com/t/hcsec-2023-11-vault-s-pki-issuer-endpoint-did-not-correctly-authorize-access-to-issuer-metadata/52079)]
-* core: HashiCorp Vault’s implementation of Shamir’s secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares. This vulnerability, CVE-2023-25000, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [[HCSEC-2023-10](https://discuss.hashicorp.com/t/hcsec-2023-10-vault-vulnerable-to-cache-timing-attacks-during-seal-and-unseal-operations/52078)]
-
-IMPROVEMENTS:
-
-* auth/github: Allow for an optional Github auth token environment variable to make authenticated requests when fetching org id
-website/docs: Add docs for `VAULT_AUTH_CONFIG_GITHUB_TOKEN` environment variable when writing Github config [[GH-19244](https://github.com/hashicorp/vault/pull/19244)]
-* core: Allow overriding gRPC connect timeout via VAULT_GRPC_MIN_CONNECT_TIMEOUT. This is an env var rather than a config setting because we don't expect this to ever be needed.  It's being added as a last-ditch
-option in case all else fails for some replication issues we may not have fully reproduced. [[GH-19676](https://github.com/hashicorp/vault/pull/19676)]
-* core: validate name identifiers in mssql physical storage backend prior use [[GH-19591](https://github.com/hashicorp/vault/pull/19591)]
-
-BUG FIXES:
-
-* cli: Fix vault read handling to return raw data as secret.Data when there is no top-level data object from api response. [[GH-17913](https://github.com/hashicorp/vault/pull/17913)]
-* core (enterprise): Attempt to reconnect to a PKCS#11 HSM if we retrieve a CKR_FUNCTION_FAILED error.
-* core: Fixed issue with remounting mounts that have a non-trailing space in the 'to' or 'from' paths. [[GH-19585](https://github.com/hashicorp/vault/pull/19585)]
-* kmip (enterprise): Do not require attribute Cryptographic Usage Mask when registering Secret Data managed objects.
-* kmip (enterprise): Fix a problem forwarding some requests to the active node.
-* openapi: Fix logic for labeling unauthenticated/sudo paths. [[GH-19600](https://github.com/hashicorp/vault/pull/19600)]
-* secrets/ldap: Invalidates WAL entry for static role if `password_policy` has changed. [[GH-19641](https://github.com/hashicorp/vault/pull/19641)]
-* secrets/transform (enterprise): Fix persistence problem with rotated tokenization key versions
-* ui: fixes issue navigating back a level using the breadcrumb from secret metadata view [[GH-19703](https://github.com/hashicorp/vault/pull/19703)]
-* ui: pass encodeBase64 param to HMAC transit-key-actions. [[GH-19429](https://github.com/hashicorp/vault/pull/19429)]
-* ui: use URLSearchParams interface to capture namespace param from SSOs (ex. ADFS) with decoded state param in callback url [[GH-19460](https://github.com/hashicorp/vault/pull/19460)]
-
-## 1.12.4
-### March 01, 2023
-
-SECURITY:
-* auth/approle: When using the Vault and Vault Enterprise (Vault) approle auth method, any authenticated user with access to the /auth/approle/role/:role_name/secret-id-accessor/destroy endpoint can destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability, CVE-2023-24999 has been fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above. [[HSEC-2023-07](https://discuss.hashicorp.com/t/hcsec-2023-07-vault-fails-to-verify-if-approle-secretid-belongs-to-role-during-a-destroy-operation/51305)]
-
-CHANGES:
-
-* core: Bump Go version to 1.19.6.
-
-IMPROVEMENTS:
-
-* secrets/database: Adds error message requiring password on root crednetial rotation. [[GH-19103](https://github.com/hashicorp/vault/pull/19103)]
-* ui: remove wizard [[GH-19220](https://github.com/hashicorp/vault/pull/19220)]
-
-BUG FIXES:
-
-* auth/approle: Add nil check for the secret ID entry when deleting via secret id accessor preventing cross role secret id deletion [[GH-19186](https://github.com/hashicorp/vault/pull/19186)]
-* core (enterprise): Fix panic when using invalid accessor for control-group request
-* core (enterprise): Fix perf standby WAL streaming silently failures when replication setup happens at a bad time.
-* core: Prevent panics in `sys/leases/lookup`, `sys/leases/revoke`, and `sys/leases/renew` endpoints if provided `lease_id` is null [[GH-18951](https://github.com/hashicorp/vault/pull/18951)]
-* license (enterprise): Fix bug where license would update even if the license didn't change.
-* replication (enterprise): Fix bug where reloading external plugin on a secondary would
-break replication.
-* secrets/ad: Fix bug where config couldn't be updated unless binddn/bindpass were included in the update. [[GH-18207](https://github.com/hashicorp/vault/pull/18207)]
-* secrets/pki: Revert fix for PR [18938](https://github.com/hashicorp/vault/pull/18938) [[GH-19037](https://github.com/hashicorp/vault/pull/19037)]
-* server/config:  Use file.Stat when checking file permissions when VAULT_ENABLE_FILE_PERMISSIONS_CHECK is enabled [[GH-19311](https://github.com/hashicorp/vault/pull/19311)]
-* ui (enterprise): Fix cancel button from transform engine role creation page [[GH-19135](https://github.com/hashicorp/vault/pull/19135)]
-* ui: Fix bug where logging in via OIDC fails if browser is in fullscreen mode [[GH-19071](https://github.com/hashicorp/vault/pull/19071)]
-* ui: fixes reliance on secure context (https) by removing methods using the Crypto interface [[GH-19410](https://github.com/hashicorp/vault/pull/19410)]
-* ui: show Get credentials button for static roles detail page when a user has the proper permissions. [[GH-19190](https://github.com/hashicorp/vault/pull/19190)]
-
-## 1.12.3
-### February 6, 2023
-
-CHANGES:
-
-* core: Bump Go version to 1.19.4.
-
-IMPROVEMENTS:
-
-* audit: Include stack trace when audit logging recovers from a panic. [[GH-18121](https://github.com/hashicorp/vault/pull/18121)]
-* command/server: Environment variable keys are now logged at startup. [[GH-18125](https://github.com/hashicorp/vault/pull/18125)]
-* core/fips: use upstream toolchain for FIPS 140-2 compliance again; this will appear as X=boringcrypto on the Go version in Vault server logs.
-* core: Add read support to `sys/loggers` and `sys/loggers/:name` endpoints [[GH-17979](https://github.com/hashicorp/vault/pull/17979)]
-* plugins: Let Vault unseal and mount deprecated builtin plugins in a
-deactivated state if this is not the first unseal after an upgrade. [[GH-17879](https://github.com/hashicorp/vault/pull/17879)]
-* secrets/db/mysql: Add `tls_server_name` and `tls_skip_verify` parameters [[GH-18799](https://github.com/hashicorp/vault/pull/18799)]
-* secrets/kv: new KVv2 mounts and KVv1 mounts without any keys will upgrade synchronously, allowing for instant use [[GH-17406](https://github.com/hashicorp/vault/pull/17406)]
-* storage/raft: add additional raft metrics relating to applied index and heartbeating; also ensure OSS standbys emit periodic metrics. [[GH-12166](https://github.com/hashicorp/vault/pull/12166)]
-* ui: Added JWT authentication warning message about blocked pop-up windows and web browser settings. [[GH-18787](https://github.com/hashicorp/vault/pull/18787)]
-* ui: Prepends "passcode=" if not provided in user input for duo totp mfa method authentication [[GH-18342](https://github.com/hashicorp/vault/pull/18342)]
-* ui: Update language on database role to "Connection name" [[GH-18261](https://github.com/hashicorp/vault/issues/18261)] [[GH-18350](https://github.com/hashicorp/vault/pull/18350)]
-
-BUG FIXES:
-
-* auth/approle: Fix `token_bound_cidrs` validation when using /32 blocks for role and secret ID [[GH-18145](https://github.com/hashicorp/vault/pull/18145)]
-* auth/cert: Address a race condition accessing the loaded crls without a lock [[GH-18945](https://github.com/hashicorp/vault/pull/18945)]
-* auth/kubernetes: Ensure a consistent TLS configuration for all k8s API requests [[#173](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/173)] [[GH-18716](https://github.com/hashicorp/vault/pull/18716)]
-* cli/kv: skip formatting of nil secrets for patch and put with field parameter set [[GH-18163](https://github.com/hashicorp/vault/pull/18163)]
-* command/namespace: Fix vault cli namespace patch examples in help text. [[GH-18143](https://github.com/hashicorp/vault/pull/18143)]
-* core (enterprise): Fix a race condition resulting in login errors to PKCS#11 modules under high concurrency.
-* core/managed-keys (enterprise): Limit verification checks to mounts in a key's namespace
-* core/quotas (enterprise): Fix a potential deadlock that could occur when using lease count quotas.
-* core/quotas: Fix issue with improper application of default rate limit quota exempt paths [[GH-18273](https://github.com/hashicorp/vault/pull/18273)]
-* core/seal: Fix regression handling of the key_id parameter in seal configuration HCL. [[GH-17612](https://github.com/hashicorp/vault/pull/17612)]
-* core: fix bug where context cancellations weren't forwarded to active node from performance standbys.
-* core: prevent panic in login mfa enforcement delete after enforcement's namespace is deleted [[GH-18923](https://github.com/hashicorp/vault/pull/18923)]
-* database/mongodb: Fix writeConcern set to be applied to any query made on the database [[GH-18546](https://github.com/hashicorp/vault/pull/18546)]
-* expiration: Prevent panics on perf standbys when an irrevocable lease gets deleted. [[GH-18401](https://github.com/hashicorp/vault/pull/18401)]
-* kmip (enterprise): Fix Destroy operation response that omitted Unique Identifier on some batched responses.
-* kmip (enterprise): Fix Locate operation response incompatibility with clients using KMIP versions prior to 1.3.
-* kmip (enterprise): Fix Query operation response that omitted streaming capability and supported profiles.
-* licensing (enterprise): update autoloaded license cache after reload
-* plugins: Allow running external plugins which override deprecated builtins. [[GH-17879](https://github.com/hashicorp/vault/pull/17879)]
-* plugins: Listing all plugins while audit logging is enabled will no longer result in an internal server error. [[GH-18173](https://github.com/hashicorp/vault/pull/18173)]
-* plugins: Skip loading but still mount data associated with missing plugins on unseal. [[GH-18189](https://github.com/hashicorp/vault/pull/18189)]
-* sdk: Don't panic if system view or storage methods called during plugin setup. [[GH-18210](https://github.com/hashicorp/vault/pull/18210)]
-* secrets/pki: Address nil panic when an empty POST request is sent to the OCSP handler [[GH-18184](https://github.com/hashicorp/vault/pull/18184)]
-* secrets/pki: Allow patching issuer to set an empty issuer name. [[GH-18466](https://github.com/hashicorp/vault/pull/18466)]
-* secrets/pki: OCSP GET request parameter was not being URL unescaped before processing. [[GH-18938](https://github.com/hashicorp/vault/pull/18938)]
-* secrets/pki: fix race between tidy's cert counting and tidy status reporting. [[GH-18899](https://github.com/hashicorp/vault/pull/18899)]
-* secrets/transit: Do not warn about unrecognized parameter 'batch_input' [[GH-18299](https://github.com/hashicorp/vault/pull/18299)]
-* secrets/transit: Honor `partial_success_response_code` on decryption failures. [[GH-18310](https://github.com/hashicorp/vault/pull/18310)]
-* storage/raft (enterprise): An already joined node can rejoin by wiping storage
-and re-issueing a join request, but in doing so could transiently become a
-non-voter.  In some scenarios this resulted in loss of quorum. [[GH-18263](https://github.com/hashicorp/vault/pull/18263)]
-* storage/raft: Don't panic on unknown raft ops [[GH-17732](https://github.com/hashicorp/vault/pull/17732)]
-* ui: cleanup unsaved auth method ember data record when navigating away from mount backend form [[GH-18651](https://github.com/hashicorp/vault/pull/18651)]
-* ui: fixes query parameters not passed in api explorer test requests [[GH-18743](https://github.com/hashicorp/vault/pull/18743)]
-## 1.12.2
-### November 30, 2022
-
-CHANGES:
-
-* core: Bump Go version to 1.19.3.
-* plugins: Mounts can no longer be pinned to a specific _builtin_ version. Mounts previously pinned to a specific builtin version will now automatically upgrade to the latest builtin version, and may now be overridden if an unversioned plugin of the same name and type is registered. Mounts using plugin versions without `builtin` in their metadata remain unaffected. [[GH-18051](https://github.com/hashicorp/vault/pull/18051)]
-
-IMPROVEMENTS:
-
-* secrets/pki: Allow issuer creation, import to change default issuer via `default_follows_latest_issuer`. [[GH-17824](https://github.com/hashicorp/vault/pull/17824)]
-* storage/raft: Add `retry_join_as_non_voter` config option. [[GH-18030](https://github.com/hashicorp/vault/pull/18030)]
-
-BUG FIXES:
-
-* auth/okta: fix a panic for AuthRenew in Okta [[GH-18011](https://github.com/hashicorp/vault/pull/18011)]
-* auth: Deduplicate policies prior to ACL generation [[GH-17914](https://github.com/hashicorp/vault/pull/17914)]
-* cli: Fix issue preventing kv commands from executing properly when the mount path provided by `-mount` flag and secret key path are the same. [[GH-17679](https://github.com/hashicorp/vault/pull/17679)]
-* core (enterprise): Supported storage check in `vault server` command will no longer prevent startup. Instead, a warning will be logged if configured to use storage backend other than `raft` or `consul`.
-* core/quotas (enterprise): Fix a lock contention issue that could occur and cause Vault to become unresponsive when creating, changing, or deleting lease count quotas.
-* core: Fix potential deadlock if barrier ciphertext is less than 4 bytes. [[GH-17944](https://github.com/hashicorp/vault/pull/17944)]
-* core: fix a start up race condition where performance standbys could go into a
-  mount loop if default policies are not yet synced from the active node. [[GH-17801](https://github.com/hashicorp/vault/pull/17801)]
-* plugins: Only report deprecation status for builtin plugins. [[GH-17816](https://github.com/hashicorp/vault/pull/17816)]
-* plugins: Vault upgrades will no longer fail if a mount has been created using an explicit builtin plugin version. [[GH-18051](https://github.com/hashicorp/vault/pull/18051)]
-* secret/pki: fix bug with initial legacy bundle migration (from < 1.11 into 1.11+) and missing issuers from ca_chain [[GH-17772](https://github.com/hashicorp/vault/pull/17772)]
-* secrets/azure: add WAL to clean up role assignments if errors occur [[GH-18086](https://github.com/hashicorp/vault/pull/18086)]
-* secrets/gcp: Fixes duplicate service account key for rotate root on standby or secondary [[GH-18111](https://github.com/hashicorp/vault/pull/18111)]
-* secrets/pki: Fix upgrade of missing expiry, delta_rebuild_interval by setting them to the default. [[GH-17693](https://github.com/hashicorp/vault/pull/17693)]
-* ui: Fixes issue with not being able to download raft snapshot via service worker [[GH-17769](https://github.com/hashicorp/vault/pull/17769)]
-* ui: fix entity policies list link to policy show page [[GH-17950](https://github.com/hashicorp/vault/pull/17950)]
-
-## 1.12.1
-### November 2, 2022
-
-IMPROVEMENTS:
-
-* api: Support VAULT_DISABLE_REDIRECTS environment variable (and --disable-redirects flag) to disable default client behavior and prevent the client following any redirection responses. [[GH-17352](https://github.com/hashicorp/vault/pull/17352)]
-* database/snowflake: Allow parallel requests to Snowflake [[GH-17593](https://github.com/hashicorp/vault/pull/17593)]
-* plugins: Add plugin version information to key plugin lifecycle log lines. [[GH-17430](https://github.com/hashicorp/vault/pull/17430)]
-* sdk/ldap: Added support for paging when searching for groups using group filters [[GH-17640](https://github.com/hashicorp/vault/pull/17640)]
-
-BUG FIXES:
-
-* cli: Remove empty table heading for `vault secrets list -detailed` output. [[GH-17577](https://github.com/hashicorp/vault/pull/17577)]
-* core/managed-keys (enterprise): Return better error messages when encountering key creation failures
-* core/managed-keys (enterprise): Switch to using hash length as PSS Salt length within the test/sign api for better PKCS#11 compatibility
-* core: Fix panic caused in Vault Agent when rendering certificate templates [[GH-17419](https://github.com/hashicorp/vault/pull/17419)]
-* core: Fixes spurious warnings being emitted relating to "unknown or unsupported fields" for JSON config [[GH-17660](https://github.com/hashicorp/vault/pull/17660)]
-* core: prevent memory leak when using control group factors in a policy [[GH-17532](https://github.com/hashicorp/vault/pull/17532)]
-* core: prevent panic during mfa after enforcement's namespace is deleted [[GH-17562](https://github.com/hashicorp/vault/pull/17562)]
-* kmip (enterprise): Fix a problem in the handling of attributes that caused Import operations to fail.
-* kmip (enterprise): Fix selection of Cryptographic Parameters for Encrypt/Decrypt operations.
-* login: Store token in tokenhelper for interactive login MFA [[GH-17040](https://github.com/hashicorp/vault/pull/17040)]
-* secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [[GH-17497](https://github.com/hashicorp/vault/pull/17497)]
-* ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [[GH-17661](https://github.com/hashicorp/vault/pull/17661)]
-
-## 1.12.0
-### October 13, 2022
-
-SECURITY:
-
-* secrets/pki: Vault’s TLS certificate auth method did not initially load the optionally-configured CRL issued by the role’s CA into memory on startup, resulting in the revocation list not being checked, if the CRL has not yet been retrieved. This vulnerability, CVE-2022-41316, is fixed in Vault 1.12.0, 1.11.4, 1.10.7, and 1.9.10. [[HSEC-2022-24](https://discuss.hashicorp.com/t/hcsec-2022-24-vaults-tls-cert-auth-method-only-loaded-crl-after-first-request/45483)]
-
-CHANGES:
-
-* api: Exclusively use `GET /sys/plugins/catalog` endpoint for listing plugins, and add `details` field to list responses. [[GH-17347](https://github.com/hashicorp/vault/pull/17347)]
-* auth: `GET /sys/auth/:name` endpoint now returns an additional `deprecation_status` field in the response data for builtins. [[GH-16849](https://github.com/hashicorp/vault/pull/16849)]
-* auth: `GET /sys/auth` endpoint now returns an additional `deprecation_status` field in the response data for builtins. [[GH-16849](https://github.com/hashicorp/vault/pull/16849)]
-* auth: `POST /sys/auth/:type` endpoint response contains a warning for `Deprecated` auth methods. [[GH-17058](https://github.com/hashicorp/vault/pull/17058)]
-* auth: `auth enable` returns an error and `POST /sys/auth/:type` endpoint reports an error for `Pending Removal` auth methods. [[GH-17005](https://github.com/hashicorp/vault/pull/17005)]
-* core/entities: Fixed stranding of aliases upon entity merge, and require explicit selection of which aliases should be kept when some must be deleted [[GH-16539](https://github.com/hashicorp/vault/pull/16539)]
-* core: Bump Go version to 1.19.2.
-* core: Validate input parameters for vault operator init command. Vault 1.12 CLI version is needed to run operator init now. [[GH-16379](https://github.com/hashicorp/vault/pull/16379)]
-* identity: a request to `/identity/group` that includes `member_group_ids` that contains a cycle will now be responded to with a 400 rather than 500 [[GH-15912](https://github.com/hashicorp/vault/pull/15912)]
-* licensing (enterprise): Terminated licenses will no longer result in shutdown. Instead, upgrades will not be allowed if the license expiration time is before the build date of the binary.
-* plugins: Add plugin version to auth register, list, and mount table [[GH-16856](https://github.com/hashicorp/vault/pull/16856)]
-* plugins: `GET /sys/plugins/catalog/:type/:name` endpoint contains deprecation status for builtin plugins. [[GH-17077](https://github.com/hashicorp/vault/pull/17077)]
-* plugins: `GET /sys/plugins/catalog/:type/:name` endpoint now returns an additional `version` field in the response data. [[GH-16688](https://github.com/hashicorp/vault/pull/16688)]
-* plugins: `GET /sys/plugins/catalog/` endpoint contains deprecation status in `detailed` list. [[GH-17077](https://github.com/hashicorp/vault/pull/17077)]
-* plugins: `GET /sys/plugins/catalog` endpoint now returns an additional `detailed` field in the response data with a list of additional plugin metadata. [[GH-16688](https://github.com/hashicorp/vault/pull/16688)]
-* plugins: `plugin info` displays deprecation status for builtin plugins. [[GH-17077](https://github.com/hashicorp/vault/pull/17077)]
-* plugins: `plugin list` now accepts a `-detailed` flag, which display deprecation status and version info. [[GH-17077](https://github.com/hashicorp/vault/pull/17077)]
-* secrets/azure: Removed deprecated AAD graph API support from the secrets engine. [[GH-17180](https://github.com/hashicorp/vault/pull/17180)]
-* secrets: All database-specific (standalone DB) secrets engines are now marked `Pending Removal`. [[GH-17038](https://github.com/hashicorp/vault/pull/17038)]
-* secrets: `GET /sys/mounts/:name` endpoint now returns an additional `deprecation_status` field in the response data for builtins. [[GH-16849](https://github.com/hashicorp/vault/pull/16849)]
-* secrets: `GET /sys/mounts` endpoint now returns an additional `deprecation_status` field in the response data for builtins. [[GH-16849](https://github.com/hashicorp/vault/pull/16849)]
-* secrets: `POST /sys/mounts/:type` endpoint response contains a warning for `Deprecated` secrets engines. [[GH-17058](https://github.com/hashicorp/vault/pull/17058)]
-* secrets: `secrets enable` returns an error and `POST /sys/mount/:type` endpoint reports an error for `Pending Removal` secrets engines. [[GH-17005](https://github.com/hashicorp/vault/pull/17005)]
-
-FEATURES:
-
-* **GCP Cloud KMS support for managed keys**: Managed keys now support using GCP Cloud KMS keys
-* **LDAP Secrets Engine**: Adds the `ldap` secrets engine with service account check-out functionality for all supported schemas. [[GH-17152](https://github.com/hashicorp/vault/pull/17152)]
-* **OCSP Responder**: PKI mounts now have an OCSP responder that implements a subset of RFC6960, answering single serial number OCSP requests for a specific cluster's revoked certificates in a mount. [[GH-16723](https://github.com/hashicorp/vault/pull/16723)]
-* **Redis DB Engine**: Adding the new Redis database engine that supports the generation of static and dynamic user roles and root credential rotation on a stand alone Redis server. [[GH-17070](https://github.com/hashicorp/vault/pull/17070)]
-* **Redis ElastiCache DB Plugin**: Added Redis ElastiCache as a built-in plugin. [[GH-17075](https://github.com/hashicorp/vault/pull/17075)]
-* **Secrets/auth plugin multiplexing**: manage multiple plugin configurations with a single plugin process [[GH-14946](https://github.com/hashicorp/vault/pull/14946)]
-* **Transform Key Import (BYOK)**: The transform secrets engine now supports importing keys for tokenization and FPE transformations
-* HCP (enterprise): Adding foundational support for self-managed vault nodes to securely communicate with [HashiCorp Cloud Platform](https://cloud.hashicorp.com) as an opt-in feature
-* ui: UI support for Okta Number Challenge. [[GH-15998](https://github.com/hashicorp/vault/pull/15998)]
-* **Plugin Versioning**: Vault supports registering, managing, and running plugins with semantic versions specified.
-
-IMPROVEMENTS:
-
-* core/managed-keys (enterprise): Allow operators to specify PSS signatures and/or hash algorithm for the test/sign api
-* activity (enterprise): Added new clients unit tests to test accuracy of estimates
-* agent/auto-auth: Add `exit_on_err` which when set to true, will cause Agent to exit if any errors are encountered during authentication. [[GH-17091](https://github.com/hashicorp/vault/pull/17091)]
-* agent: Added `disable_idle_connections` configuration to disable leaving idle connections open in auto-auth, caching and templating. [[GH-15986](https://github.com/hashicorp/vault/pull/15986)]
-* agent: Added `disable_keep_alives` configuration to disable keep alives in auto-auth, caching and templating. [[GH-16479](https://github.com/hashicorp/vault/pull/16479)]
-* agent: JWT auto auth now supports a `remove_jwt_after_reading` config option which defaults to true. [[GH-11969](https://github.com/hashicorp/vault/pull/11969)]
-* agent: Send notifications to systemd on start and stop. [[GH-9802](https://github.com/hashicorp/vault/pull/9802)]
-* api/mfa: Add namespace path to the MFA read/list endpoint [[GH-16911](https://github.com/hashicorp/vault/pull/16911)]
-* api: Add a sentinel error for missing KV secrets [[GH-16699](https://github.com/hashicorp/vault/pull/16699)]
-* auth/alicloud: Enables AliCloud roles to be compatible with Vault's role based quotas. [[GH-17251](https://github.com/hashicorp/vault/pull/17251)]
-* auth/approle: SecretIDs can now be generated with an per-request specified TTL and num_uses.
-When either the ttl and num_uses fields are not specified, the role's configuration is used. [[GH-14474](https://github.com/hashicorp/vault/pull/14474)]
-* auth/aws: PKCS7 signatures will now use SHA256 by default in prep for Go 1.18 [[GH-16455](https://github.com/hashicorp/vault/pull/16455)]
-* auth/azure: Enables Azure roles to be compatible with Vault's role based quotas. [[GH-17194](https://github.com/hashicorp/vault/pull/17194)]
-* auth/cert: Add metadata to identity-alias [[GH-14751](https://github.com/hashicorp/vault/pull/14751)]
-* auth/cert: Operators can now specify a CRL distribution point URL, in which case the cert auth engine will fetch and use the CRL from that location rather than needing to push CRLs directly to auth/cert. [[GH-17136](https://github.com/hashicorp/vault/pull/17136)]
-* auth/cf: Enables CF roles to be compatible with Vault's role based quotas. [[GH-17196](https://github.com/hashicorp/vault/pull/17196)]
-* auth/gcp: Add support for GCE regional instance groups [[GH-16435](https://github.com/hashicorp/vault/pull/16435)]
-* auth/gcp: Updates dependencies: `google.golang.org/api@v0.83.0`, `github.com/hashicorp/go-gcp-common@v0.8.0`. [[GH-17160](https://github.com/hashicorp/vault/pull/17160)]
-* auth/jwt: Adds support for Microsoft US Gov L4 to the Azure provider for groups fetching. [[GH-16525](https://github.com/hashicorp/vault/pull/16525)]
-* auth/jwt: Improves detection of Windows Subsystem for Linux (WSL) for CLI-based logins. [[GH-16525](https://github.com/hashicorp/vault/pull/16525)]
-* auth/kerberos: add `add_group_aliases` config to include LDAP groups in Vault group aliases [[GH-16890](https://github.com/hashicorp/vault/pull/16890)]
-* auth/kerberos: add `remove_instance_name` parameter to the login CLI and the Kerberos config in Vault. This removes any instance names found in the keytab service principal name. [[GH-16594](https://github.com/hashicorp/vault/pull/16594)]
-* auth/kubernetes: Role resolution for K8S Auth [[GH-156](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/156)] [[GH-17161](https://github.com/hashicorp/vault/pull/17161)]
-* auth/oci: Add support for role resolution. [[GH-17212](https://github.com/hashicorp/vault/pull/17212)]
-* auth/oidc: Adds support for group membership parsing when using SecureAuth as an OIDC provider. [[GH-16274](https://github.com/hashicorp/vault/pull/16274)]
-* cli: CLI commands will print a warning if flags will be ignored because they are passed after positional arguments. [[GH-16441](https://github.com/hashicorp/vault/pull/16441)]
-* cli: `auth` and `secrets` list `-detailed` commands now show Deprecation Status for builtin plugins. [[GH-16849](https://github.com/hashicorp/vault/pull/16849)]
-* cli: `vault plugin list` now has a `details` field in JSON format, and version and type information in table format. [[GH-17347](https://github.com/hashicorp/vault/pull/17347)]
-* command/audit: Improve missing type error message [[GH-16409](https://github.com/hashicorp/vault/pull/16409)]
-* command/server: add `-dev-tls` and `-dev-tls-cert-dir` subcommands to create a Vault dev server with generated certificates and private key. [[GH-16421](https://github.com/hashicorp/vault/pull/16421)]
-* command: Fix shell completion for KV v2 mounts [[GH-16553](https://github.com/hashicorp/vault/pull/16553)]
-* core (enterprise): Add HTTP PATCH support for namespaces with an associated `namespace patch` CLI command
-* core (enterprise): Add check to `vault server` command to ensure configured storage backend is supported.
-* core (enterprise): Add custom metadata support for namespaces
-* core/activity: generate hyperloglogs containing clientIds for each month during precomputation [[GH-16146](https://github.com/hashicorp/vault/pull/16146)]
-* core/activity: refactor activity log api to reuse partial api functions in activity endpoint when current month is specified [[GH-16162](https://github.com/hashicorp/vault/pull/16162)]
-* core/activity: use monthly hyperloglogs to calculate new clients approximation for current month [[GH-16184](https://github.com/hashicorp/vault/pull/16184)]
-* core/quotas (enterprise): Added ability to add path suffixes for lease-count resource quotas
-* core/quotas (enterprise): Added ability to add role information for lease-count resource quotas, to limit login requests on auth mounts made using that role
-* core/quotas: Added ability to add path suffixes for rate-limit resource quotas [[GH-15989](https://github.com/hashicorp/vault/pull/15989)]
-* core/quotas: Added ability to add role information for rate-limit resource quotas, to limit login requests on auth mounts made using that role [[GH-16115](https://github.com/hashicorp/vault/pull/16115)]
-* core: Activity log goroutine management improvements to allow tests to be more deterministic. [[GH-17028](https://github.com/hashicorp/vault/pull/17028)]
-* core: Add `sys/loggers` and `sys/loggers/:name` endpoints to provide ability to modify logging verbosity [[GH-16111](https://github.com/hashicorp/vault/pull/16111)]
-* core: Handle and log deprecated builtin mounts. Introduces `VAULT_ALLOW_PENDING_REMOVAL_MOUNTS` to override shutdown and error when attempting to mount `Pending Removal` builtin plugins. [[GH-17005](https://github.com/hashicorp/vault/pull/17005)]
-* core: Limit activity log client count usage by namespaces [[GH-16000](https://github.com/hashicorp/vault/pull/16000)]
-* core: Upgrade github.com/hashicorp/raft [[GH-16609](https://github.com/hashicorp/vault/pull/16609)]
-* core: remove gox [[GH-16353](https://github.com/hashicorp/vault/pull/16353)]
-* docs: Clarify the behaviour of local mounts in the context of DR replication [[GH-16218](https://github.com/hashicorp/vault/pull/16218)]
-* identity/oidc: Adds support for detailed listing of clients and providers. [[GH-16567](https://github.com/hashicorp/vault/pull/16567)]
-* identity/oidc: Adds the `client_secret_post` token endpoint authentication method. [[GH-16598](https://github.com/hashicorp/vault/pull/16598)]
-* identity/oidc: allows filtering the list providers response by an allowed_client_id [[GH-16181](https://github.com/hashicorp/vault/pull/16181)]
-* identity: Prevent possibility of data races on entity creation. [[GH-16487](https://github.com/hashicorp/vault/pull/16487)]
-* physical/postgresql: pass context to queries to propagate timeouts and cancellations on requests. [[GH-15866](https://github.com/hashicorp/vault/pull/15866)]
-* plugins/multiplexing: Added multiplexing support to database plugins if run as external plugins [[GH-16995](https://github.com/hashicorp/vault/pull/16995)]
-* plugins: Add Deprecation Status method to builtinregistry. [[GH-16846](https://github.com/hashicorp/vault/pull/16846)]
-* plugins: Added environment variable flag to opt-out specific plugins from multiplexing [[GH-16972](https://github.com/hashicorp/vault/pull/16972)]
-* plugins: Adding version to plugin GRPC interface [[GH-17088](https://github.com/hashicorp/vault/pull/17088)]
-* plugins: Plugin catalog supports registering and managing plugins with semantic version information. [[GH-16688](https://github.com/hashicorp/vault/pull/16688)]
-* replication (enterprise): Fix race in merkle sync that can prevent streaming by returning key value matching provided hash if found in log shipper buffer.
-* secret/nomad: allow reading CA and client auth certificate from /nomad/config/access [[GH-15809](https://github.com/hashicorp/vault/pull/15809)]
-* secret/pki: Add RSA PSS signature support for issuing certificates, signing CRLs [[GH-16519](https://github.com/hashicorp/vault/pull/16519)]
-* secret/pki: Add signature_bits to sign-intermediate, sign-verbatim endpoints [[GH-16124](https://github.com/hashicorp/vault/pull/16124)]
-* secret/pki: Allow issuing certificates with non-domain, non-email Common Names from roles, sign-verbatim, and as issuers (`cn_validations`). [[GH-15996](https://github.com/hashicorp/vault/pull/15996)]
-* secret/pki: Allow specifying SKID for cross-signed issuance from older Vault versions. [[GH-16494](https://github.com/hashicorp/vault/pull/16494)]
-* secret/transit: Allow importing Ed25519 keys from PKCS#8 with inner RFC 5915 ECPrivateKey blobs (NSS-wrapped keys). [[GH-15742](https://github.com/hashicorp/vault/pull/15742)]
-* secrets/ad: set config default length only if password_policy is missing [[GH-16140](https://github.com/hashicorp/vault/pull/16140)]
-* secrets/azure: Adds option to permanently delete AzureAD objects created by Vault. [[GH-17045](https://github.com/hashicorp/vault/pull/17045)]
-* secrets/database/hana: Add ability to customize dynamic usernames [[GH-16631](https://github.com/hashicorp/vault/pull/16631)]
-* secrets/database/snowflake: Add multiplexing support [[GH-17159](https://github.com/hashicorp/vault/pull/17159)]
-* secrets/gcp: Updates dependencies: `google.golang.org/api@v0.83.0`, `github.com/hashicorp/go-gcp-common@v0.8.0`. [[GH-17174](https://github.com/hashicorp/vault/pull/17174)]
-* secrets/gcpkms: Update dependencies: google.golang.org/api@v0.83.0. [[GH-17199](https://github.com/hashicorp/vault/pull/17199)]
-* secrets/kubernetes: upgrade to v0.2.0 [[GH-17164](https://github.com/hashicorp/vault/pull/17164)]
-* secrets/pki/tidy: Add another pair of metrics counting certificates not deleted by the tidy operation. [[GH-16702](https://github.com/hashicorp/vault/pull/16702)]
-* secrets/pki: Add a new flag to issue/sign APIs which can filter out root CAs from the returned ca_chain field [[GH-16935](https://github.com/hashicorp/vault/pull/16935)]
-* secrets/pki: Add a warning to any successful response when the requested TTL is overwritten by MaxTTL [[GH-17073](https://github.com/hashicorp/vault/pull/17073)]
-* secrets/pki: Add ability to cancel tidy operations, control tidy resource usage. [[GH-16958](https://github.com/hashicorp/vault/pull/16958)]
-* secrets/pki: Add ability to periodically rebuild CRL before expiry [[GH-16762](https://github.com/hashicorp/vault/pull/16762)]
-* secrets/pki: Add ability to periodically run tidy operations to remove expired certificates. [[GH-16900](https://github.com/hashicorp/vault/pull/16900)]
-* secrets/pki: Add support for per-issuer Authority Information Access (AIA) URLs [[GH-16563](https://github.com/hashicorp/vault/pull/16563)]
-* secrets/pki: Add support to specify signature bits when generating CSRs through intermediate/generate apis [[GH-17388](https://github.com/hashicorp/vault/pull/17388)]
-* secrets/pki: Added gauge metrics "secrets.pki.total_revoked_certificates_stored" and "secrets.pki.total_certificates_stored" to track the number of certificates in storage. [[GH-16676](https://github.com/hashicorp/vault/pull/16676)]
-* secrets/pki: Allow revocation of certificates with explicitly provided certificate (bring your own certificate / BYOC). [[GH-16564](https://github.com/hashicorp/vault/pull/16564)]
-* secrets/pki: Allow revocation via proving possession of certificate's private key [[GH-16566](https://github.com/hashicorp/vault/pull/16566)]
-* secrets/pki: Allow tidy to associate revoked certs with their issuers for OCSP performance [[GH-16871](https://github.com/hashicorp/vault/pull/16871)]
-* secrets/pki: Honor If-Modified-Since header on CA, CRL fetch; requires passthrough_request_headers modification on the mount point. [[GH-16249](https://github.com/hashicorp/vault/pull/16249)]
-* secrets/pki: Improve stability of association of revoked cert with its parent issuer; when an issuer loses crl-signing usage, do not place certs on default issuer's CRL. [[GH-16874](https://github.com/hashicorp/vault/pull/16874)]
-* secrets/pki: Support generating delta CRLs for up-to-date CRLs when auto-building is enabled. [[GH-16773](https://github.com/hashicorp/vault/pull/16773)]
-* secrets/ssh: Add allowed_domains_template to allow templating of allowed_domains. [[GH-16056](https://github.com/hashicorp/vault/pull/16056)]
-* secrets/ssh: Allow additional text along with a template definition in defaultExtension value fields. [[GH-16018](https://github.com/hashicorp/vault/pull/16018)]
-* secrets/ssh: Allow the use of Identity templates in the `default_user` field [[GH-16351](https://github.com/hashicorp/vault/pull/16351)]
-* secrets/transit: Add a dedicated HMAC key type, which can be used with key import. [[GH-16668](https://github.com/hashicorp/vault/pull/16668)]
-* secrets/transit: Added a parameter to encrypt/decrypt batch operations to allow the caller to override the HTTP response code in case of partial user-input failures. [[GH-17118](https://github.com/hashicorp/vault/pull/17118)]
-* secrets/transit: Allow configuring the possible salt lengths for RSA PSS signatures. [[GH-16549](https://github.com/hashicorp/vault/pull/16549)]
-* ssh: Addition of an endpoint `ssh/issue/:role` to allow the creation of signed key pairs [[GH-15561](https://github.com/hashicorp/vault/pull/15561)]
-* storage/cassandra: tuning parameters for clustered environments `connection_timeout`, `initial_connection_timeout`, `simple_retry_policy_retries`. [[GH-10467](https://github.com/hashicorp/vault/pull/10467)]
-* storage/gcs: Add documentation explaining how to configure the gcs backend using environment variables instead of options in the configuration stanza [[GH-14455](https://github.com/hashicorp/vault/pull/14455)]
-* ui: Changed the tokenBoundCidrs tooltip content to clarify that comma separated values are not accepted in this field. [[GH-15852](https://github.com/hashicorp/vault/pull/15852)]
-* ui: Prevents requests to /sys/internal/ui/resultant-acl endpoint when unauthenticated [[GH-17139](https://github.com/hashicorp/vault/pull/17139)]
-* ui: Removed deprecated version of core-js 2.6.11 [[GH-15898](https://github.com/hashicorp/vault/pull/15898)]
-* ui: Renamed labels under Tools for wrap, lookup, rewrap and unwrap with description. [[GH-16489](https://github.com/hashicorp/vault/pull/16489)]
-* ui: Replaces non-inclusive terms [[GH-17116](https://github.com/hashicorp/vault/pull/17116)]
-* ui: redirect_to param forwards from auth route when authenticated [[GH-16821](https://github.com/hashicorp/vault/pull/16821)]
-* website/docs: API generate-recovery-token documentation. [[GH-16213](https://github.com/hashicorp/vault/pull/16213)]
-* website/docs: Add documentation around the expensiveness of making lots of lease count quotas in a short period [[GH-16950](https://github.com/hashicorp/vault/pull/16950)]
-* website/docs: Removes mentions of unauthenticated from internal ui resultant-acl doc [[GH-17139](https://github.com/hashicorp/vault/pull/17139)]
-* website/docs: Update replication docs to mention Integrated Storage [[GH-16063](https://github.com/hashicorp/vault/pull/16063)]
-* website/docs: changed to echo for all string examples instead of (<<<) here-string. [[GH-9081](https://github.com/hashicorp/vault/pull/9081)]
-
-BUG FIXES:
-
-* agent/template: Fix parsing error for the exec stanza [[GH-16231](https://github.com/hashicorp/vault/pull/16231)]
-* agent: Agent will now respect `max_retries` retry configuration even when caching is set. [[GH-16970](https://github.com/hashicorp/vault/pull/16970)]
-* agent: Update consul-template for pkiCert bug fixes [[GH-16087](https://github.com/hashicorp/vault/pull/16087)]
-* api/sys/internal/specs/openapi: support a new "dynamic" query parameter to generate generic mountpaths [[GH-15835](https://github.com/hashicorp/vault/pull/15835)]
-* api: Fixed erroneous warnings of unrecognized parameters when unwrapping data. [[GH-16794](https://github.com/hashicorp/vault/pull/16794)]
-* api: Fixed issue with internal/ui/mounts and internal/ui/mounts/(?P<path>.+) endpoints where it was not properly handling /auth/ [[GH-15552](https://github.com/hashicorp/vault/pull/15552)]
-* api: properly handle switching to/from unix domain socket when changing client address [[GH-11904](https://github.com/hashicorp/vault/pull/11904)]
-* auth/cert: Vault does not initially load the CRLs in cert auth unless the read/write CRL endpoint is hit. [[GH-17138](https://github.com/hashicorp/vault/pull/17138)]
-* auth/kerberos: Maintain headers set by the client [[GH-16636](https://github.com/hashicorp/vault/pull/16636)]
-* auth/kubernetes: Restore support for JWT signature algorithm ES384 [[GH-160](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/160)] [[GH-17161](https://github.com/hashicorp/vault/pull/17161)]
-* auth/token: Fix ignored parameter warnings for valid parameters on token create [[GH-16938](https://github.com/hashicorp/vault/pull/16938)]
-* command/debug: fix bug where monitor was not honoring configured duration [[GH-16834](https://github.com/hashicorp/vault/pull/16834)]
-* core (enterprise): Fix bug where wrapping token lookup does not work within namespaces. [[GH-15583](https://github.com/hashicorp/vault/pull/15583)]
-* core (enterprise): Fix creation of duplicate entities via alias metadata changes on local auth mounts.
-* core/auth: Return a 403 instead of a 500 for a malformed SSCT [[GH-16112](https://github.com/hashicorp/vault/pull/16112)]
-* core/identity: Replicate member_entity_ids and policies in identity/group across nodes identically [[GH-16088](https://github.com/hashicorp/vault/pull/16088)]
-* core/license (enterprise): Always remove stored license and allow unseal to complete when license cleanup fails
-* core/managed-keys (enterprise): fix panic when having `cache_disable` true
-* core/quotas (enterprise): Fixed issue with improper counting of leases if lease count quota created after leases
-* core/quotas: Added globbing functionality on the end of path suffix quota paths [[GH-16386](https://github.com/hashicorp/vault/pull/16386)]
-* core/quotas: Fix goroutine leak caused by the seal process not fully cleaning up Rate Limit Quotas. [[GH-17281](https://github.com/hashicorp/vault/pull/17281)]
-* core/replication (enterprise): Don't flush merkle tree pages to disk after losing active duty
-* core/seal: Fix possible keyring truncation when using the file backend. [[GH-15946](https://github.com/hashicorp/vault/pull/15946)]
-* core: Fix panic when the plugin catalog returns neither a plugin nor an error. [[GH-17204](https://github.com/hashicorp/vault/pull/17204)]
-* core: Fixes parsing boolean values for ha_storage backends in config [[GH-15900](https://github.com/hashicorp/vault/pull/15900)]
-* core: Increase the allowed concurrent gRPC streams over the cluster port. [[GH-16327](https://github.com/hashicorp/vault/pull/16327)]
-* core: Prevent two or more DR failovers from invalidating SSCT tokens generated on the previous primaries. [[GH-16956](https://github.com/hashicorp/vault/pull/16956)]
-* database: Invalidate queue should cancel context first to avoid deadlock [[GH-15933](https://github.com/hashicorp/vault/pull/15933)]
-* debug: Fix panic when capturing debug bundle on Windows [[GH-14399](https://github.com/hashicorp/vault/pull/14399)]
-* debug: Remove extra empty lines from vault.log when debug command is run [[GH-16714](https://github.com/hashicorp/vault/pull/16714)]
-* identity (enterprise): Fix a data race when creating an entity for a local alias.
-* identity/oidc: Adds `claims_supported` to discovery document. [[GH-16992](https://github.com/hashicorp/vault/pull/16992)]
-* identity/oidc: Change the `state` parameter of the Authorization Endpoint to optional. [[GH-16599](https://github.com/hashicorp/vault/pull/16599)]
-* identity/oidc: Detect invalid `redirect_uri` values sooner in validation of the Authorization Endpoint. [[GH-16601](https://github.com/hashicorp/vault/pull/16601)]
-* identity/oidc: Fixes validation of the `request` and `request_uri` parameters. [[GH-16600](https://github.com/hashicorp/vault/pull/16600)]
-* openapi: Fixed issue where information about /auth/token endpoints was not present with explicit policy permissions [[GH-15552](https://github.com/hashicorp/vault/pull/15552)]
-* plugin/multiplexing: Fix panic when id doesn't exist in connection map [[GH-16094](https://github.com/hashicorp/vault/pull/16094)]
-* plugin/secrets/auth: Fix a bug with aliased backends such as aws-ec2 or generic [[GH-16673](https://github.com/hashicorp/vault/pull/16673)]
-* plugins: Corrected the path to check permissions on when the registered plugin name does not match the plugin binary's filename. [[GH-17340](https://github.com/hashicorp/vault/pull/17340)]
-* quotas/lease-count: Fix lease-count quotas on mounts not properly being enforced when the lease generating request is a read [[GH-15735](https://github.com/hashicorp/vault/pull/15735)]
-* replication (enterprise): Fix data race in SaveCheckpoint()
-* replication (enterprise): Fix data race in saveCheckpoint.
-* replication (enterprise): Fix possible data race during merkle diff/sync
-* secret/pki: Do not fail validation with a legacy key_bits default value and key_type=any when signing CSRs [[GH-16246](https://github.com/hashicorp/vault/pull/16246)]
-* secrets/database: Fix a bug where the secret engine would queue up a lot of WAL deletes during startup. [[GH-16686](https://github.com/hashicorp/vault/pull/16686)]
-* secrets/gcp: Fixes duplicate static account key creation from performance secondary clusters. [[GH-16534](https://github.com/hashicorp/vault/pull/16534)]
-* secrets/kv: Fix `kv get` issue preventing the ability to read a secret when providing a leading slash [[GH-16443](https://github.com/hashicorp/vault/pull/16443)]
-* secrets/pki: Allow import of issuers without CRLSign KeyUsage; prohibit setting crl-signing usage on such issuers [[GH-16865](https://github.com/hashicorp/vault/pull/16865)]
-* secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key [[GH-17328](https://github.com/hashicorp/vault/pull/17328)]
-* secrets/pki: Do not read revoked certificates from backend when CRL is disabled [[GH-17385](https://github.com/hashicorp/vault/pull/17385)]
-* secrets/pki: Fix migration to properly handle mounts that contain only keys, no certificates [[GH-16813](https://github.com/hashicorp/vault/pull/16813)]
-* secrets/pki: Ignore EC PARAMETER PEM blocks during issuer import (/config/ca, /issuers/import/*, and /intermediate/set-signed) [[GH-16721](https://github.com/hashicorp/vault/pull/16721)]
-* secrets/pki: LIST issuers endpoint is now unauthenticated. [[GH-16830](https://github.com/hashicorp/vault/pull/16830)]
-* secrets/transform (enterprise): Fix an issue loading tokenization transform configuration after a specific sequence of reconfigurations.
-* secrets/transform (enterprise): Fix persistence problem with tokenization store credentials.
-* storage/raft (enterprise): Fix some storage-modifying RPCs used by perf standbys that weren't returning the resulting WAL state.
-* storage/raft (enterprise): Prevent unauthenticated voter status change with rejoin [[GH-16324](https://github.com/hashicorp/vault/pull/16324)]
-* storage/raft: Fix retry_join initialization failure [[GH-16550](https://github.com/hashicorp/vault/pull/16550)]
-* storage/raft: Nodes no longer get demoted to nonvoter if we don't know their version due to missing heartbeats. [[GH-17019](https://github.com/hashicorp/vault/pull/17019)]
-* ui/keymgmt: Sets the defaultValue for type when creating a key. [[GH-17407](https://github.com/hashicorp/vault/pull/17407)]
-* ui: Fix OIDC callback to accept namespace flag in different formats [[GH-16886](https://github.com/hashicorp/vault/pull/16886)]
-* ui: Fix info tooltip submitting form [[GH-16659](https://github.com/hashicorp/vault/pull/16659)]
-* ui: Fix issue logging in with JWT auth method [[GH-16466](https://github.com/hashicorp/vault/pull/16466)]
-* ui: Fix lease force revoke action [[GH-16930](https://github.com/hashicorp/vault/pull/16930)]
-* ui: Fix naming of permitted_dns_domains form parameter on CA creation (root generation and sign intermediate). [[GH-16739](https://github.com/hashicorp/vault/pull/16739)]
-* ui: Fixed bug where red spellcheck underline appears in sensitive/secret kv values when it should not appear [[GH-15681](https://github.com/hashicorp/vault/pull/15681)]
-* ui: Fixes secret version and status menu links transitioning to auth screen [[GH-16983](https://github.com/hashicorp/vault/pull/16983)]
-* ui: OIDC login type uses localStorage instead of sessionStorage [[GH-16170](https://github.com/hashicorp/vault/pull/16170)]
-* vault: Fix a bug where duplicate policies could be added to an identity group. [[GH-15638](https://github.com/hashicorp/vault/pull/15638)]
-
-## 1.11.12
-### June 21, 2023
-
-CHANGES:
-
-* core: Bump Go version to 1.19.10.
-* licensing (enterprise): Terminated licenses will no longer result in shutdown. Instead, upgrades
-will not be allowed if the license termination time is before the build date of the binary.
-
-FEATURES:
-
-* **Automated License Utilization Reporting**: Added automated license
-utilization reporting, which sends minimal product-license [metering
-data](https://developer.hashicorp.com/vault/docs/enterprise/license/utilization-reporting)
-to HashiCorp without requiring you to manually collect and report them.
-* core (enterprise): Add background worker for automatic reporting of billing
-information. [[GH-19625](https://github.com/hashicorp/vault/pull/19625)]
-
-IMPROVEMENTS:
-
-* api: GET ... /sys/internal/counters/activity?current_billing_period=true now
-results in a response which contains the full billing period [[GH-20694](https://github.com/hashicorp/vault/pull/20694)]
-* api: `/sys/internal/counters/config` endpoint now contains read-only
-`minimum_retention_months`. [[GH-20150](https://github.com/hashicorp/vault/pull/20150)]
-* api: `/sys/internal/counters/config` endpoint now contains read-only
-`reporting_enabled` and `billing_start_timestamp` fields. [[GH-20086](https://github.com/hashicorp/vault/pull/20086)]
-* core (enterprise): add configuration for license reporting [[GH-19891](https://github.com/hashicorp/vault/pull/19891)]
-* core (enterprise): license updates trigger a reload of reporting and the activity log [[GH-20680](https://github.com/hashicorp/vault/pull/20680)]
-* core (enterprise): support reloading configuration for automated reporting via SIGHUP [[GH-20680](https://github.com/hashicorp/vault/pull/20680)]
-* core (enterprise): vault server command now allows for opt-out of automated
-reporting via the `OPTOUT_LICENSE_REPORTING` environment variable. [[GH-3939](https://github.com/hashicorp/vault/pull/3939)]
-* core/activity: error when attempting to update retention configuration below the minimum [[GH-20078](https://github.com/hashicorp/vault/pull/20078)]
-* core/activity: generate hyperloglogs containing clientIds for each month during precomputation [[GH-16146](https://github.com/hashicorp/vault/pull/16146)]
-* core/activity: refactor activity log api to reuse partial api functions in activity endpoint when current month is specified [[GH-16162](https://github.com/hashicorp/vault/pull/16162)]
-* core/activity: refactor the activity log's generation of precomputed queries [[GH-20073](https://github.com/hashicorp/vault/pull/20073)]
-* core/activity: use monthly hyperloglogs to calculate new clients approximation for current month [[GH-16184](https://github.com/hashicorp/vault/pull/16184)]
-* core: Activity log goroutine management improvements to allow tests to be more deterministic. [[GH-17028](https://github.com/hashicorp/vault/pull/17028)]
-* core: Limit activity log client count usage by namespaces [[GH-16000](https://github.com/hashicorp/vault/pull/16000)]
-* storage/raft: add additional raft metrics relating to applied index and heartbeating; also ensure OSS standbys emit periodic metrics. [[GH-12166](https://github.com/hashicorp/vault/pull/12166)]
-* ui: updates clients configuration edit form state based on census reporting configuration [[GH-20125](https://github.com/hashicorp/vault/pull/20125)]
-
-BUG FIXES:
-
-* core/activity: add namespace breakdown for new clients when date range spans multiple months, including the current month. [[GH-18766](https://github.com/hashicorp/vault/pull/18766)]
-* core/activity: de-duplicate namespaces when historical and current month data are mixed [[GH-18452](https://github.com/hashicorp/vault/pull/18452)]
-* core/activity: fix the end_date returned from the activity log endpoint when partial counts are computed [[GH-17856](https://github.com/hashicorp/vault/pull/17856)]
-* core/activity: include mount counts when de-duplicating current and historical month data [[GH-18598](https://github.com/hashicorp/vault/pull/18598)]
-* core/activity: report mount paths (rather than mount accessors) in current month activity log counts and include deleted mount paths in precomputed queries. [[GH-18916](https://github.com/hashicorp/vault/pull/18916)]
-* core/activity: return partial month counts when querying a historical date range and no historical data exists. [[GH-17935](https://github.com/hashicorp/vault/pull/17935)]
-* core: Change where we evaluate filtered paths as part of mount operations; this is part of an enterprise bugfix that will
-have its own changelog entry. [[GH-21260](https://github.com/hashicorp/vault/pull/21260)]
-* core: Do not cache seal configuration to fix a bug that resulted in sporadic auto unseal failures. [[GH-21223](https://github.com/hashicorp/vault/pull/21223)]
-* core: Don't exit just because we think there's a potential deadlock. [[GH-21342](https://github.com/hashicorp/vault/pull/21342)]
-* core: Fix panic in sealed nodes using raft storage trying to emit raft metrics [[GH-21249](https://github.com/hashicorp/vault/pull/21249)]
-* identity: Fixes duplicate groups creation with the same name but unique IDs. [[GH-20964](https://github.com/hashicorp/vault/pull/20964)]
-* replication (enterprise): Fix a race condition with update-primary that could result in data loss after a DR failover
-* replication (enterprise): Fix path filters deleting data right after it's written by backend Initialize funcs
-
-## 1.11.11
-### June 08, 2023
-
-SECURITY:
-
-* ui: key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11. [[HSEC-2023-17](https://discuss.hashicorp.com/t/hcsec-2023-17-vault-s-kv-diff-viewer-allowed-html-injection/54814)]
-
-CHANGES:
-
-* core: Bump Go version to 1.19.9.
-* core: Revert #19676 (VAULT_GRPC_MIN_CONNECT_TIMEOUT env var) as we decided it was unnecessary. [[GH-20826](https://github.com/hashicorp/vault/pull/20826)]
-
-IMPROVEMENTS:
-
-* command/server: Add support for dumping pprof files to the filesystem via SIGUSR2 when
-`VAULT_PPROF_WRITE_TO_FILE=true` is set on the server. [[GH-20609](https://github.com/hashicorp/vault/pull/20609)]
-* secrets/pki: add subject key identifier to read key response [[GH-20642](https://github.com/hashicorp/vault/pull/20642)]
-* ui: update TTL picker for consistency [[GH-18114](https://github.com/hashicorp/vault/pull/18114)]
-
-BUG FIXES:
-
-* api: Properly Handle nil identity_policies in Secret Data [[GH-20636](https://github.com/hashicorp/vault/pull/20636)]
-* auth/ldap: Set default value for `max_page_size` properly [[GH-20453](https://github.com/hashicorp/vault/pull/20453)]
-* cli: CLI should take days as a unit of time for ttl like flags [[GH-20477](https://github.com/hashicorp/vault/pull/20477)]
-* core (enterprise): Fix log shipper buffer size overflow issue for 32 bit architecture.
-* core (enterprise): Fix logshipper buffer size to default to DefaultBufferSize only when reported system memory is zero.
-* core (enterprise): Remove MFA Enforcment configuration for namespace when deleting namespace
-* core: prevent panic on login after namespace is deleted that had mfa enforcement [[GH-20375](https://github.com/hashicorp/vault/pull/20375)]
-* replication (enterprise): Fix a race condition with invalid tokens during WAL streaming that was causing Secondary clusters to be unable to connect to a Primary.
-* replication (enterprise): fix bug where secondary grpc connections would timeout when connecting to a primary host that no longer exists.
-* secrets/transform (enterprise): Fix a caching bug affecting secondary nodes after a tokenization key rotation
-
-## 1.11.10
-### April 26, 2023
-
-CHANGES:
-
-* core: Bump Go version to 1.19.8.
-
-IMPROVEMENTS:
-
-* cli/namespace: Add detailed flag to output additional namespace information
-such as namespace IDs and custom metadata. [[GH-20243](https://github.com/hashicorp/vault/pull/20243)]
-* core/activity: add an endpoint to write test activity log data, guarded by a build flag [[GH-20019](https://github.com/hashicorp/vault/pull/20019)]
-* core: Add a `raft` sub-field to the `storage` and `ha_storage` details provided by the
-`/sys/config/state/sanitized` endpoint in order to include the `max_entry_size`. [[GH-20044](https://github.com/hashicorp/vault/pull/20044)]
-* sdk/ldaputil: added `connection_timeout` to tune connection timeout duration
-for all LDAP plugins. [[GH-20144](https://github.com/hashicorp/vault/pull/20144)]
-
-BUG FIXES:
-
-* auth/ldap: Add max_page_size configurable to LDAP configuration [[GH-19032](https://github.com/hashicorp/vault/pull/19032)]
-* core (enterprise): Fix intermittent issue with token entries sometimes not being found when using a newly created token in a request to a secondary, even when SSCT `new_token` forwarding is set. When this occurred, this would result in the following error to the client: `error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue`.
-* core (enterprise): Fix read on perf standbys failing with 412 after leadership change, unseal, restores or restarts when no writes occur
-* core/ssct (enterprise): Fixed race condition where a newly promoted DR may revert `sscGenCounter`
-resulting in 412 errors.
-* core: Fix regression breaking non-raft clusters whose nodes share the same cluster_addr/api_addr. [[GH-19721](https://github.com/hashicorp/vault/pull/19721)]
-* helper/random: Fix race condition in string generator helper [[GH-19875](https://github.com/hashicorp/vault/pull/19875)]
-* openapi: Fix many incorrect details in generated API spec, by using better techniques to parse path regexps [[GH-18554](https://github.com/hashicorp/vault/pull/18554)]
-* replication (enterprise): Fix replication status for Primary clusters showing its primary cluster's information (in case of DR) in secondaries field when known_secondaries field is nil
-* secrets/pki: Fix patching of leaf_not_after_behavior on issuers. [[GH-20341](https://github.com/hashicorp/vault/pull/20341)]
-* secrets/transform (enterprise): Address SQL connection leak when cleaning expired tokens
-* ui: Fix OIDC provider logo showing when domain doesn't match [[GH-20263](https://github.com/hashicorp/vault/pull/20263)]
-* ui: Fix bad link to namespace when namespace name includes `.` [[GH-19799](https://github.com/hashicorp/vault/pull/19799)]
-* ui: fixes browser console formatting for help command output [[GH-20064](https://github.com/hashicorp/vault/pull/20064)]
-* ui: remove use of htmlSafe except when first sanitized [[GH-20235](https://github.com/hashicorp/vault/pull/20235)]
-
-## 1.11.9
-### March 29, 2023
-
-SECURITY:
-
-* storage/mssql: When using Vault’s community-supported Microsoft SQL (MSSQL) database storage backend, a privileged attacker with the ability to write arbitrary data to Vault’s configuration may be able to perform arbitrary SQL commands on the underlying database server through Vault. This vulnerability, CVE-2023-0620, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [[HCSEC-2023-12](https://discuss.hashicorp.com/t/hcsec-2023-12-vault-s-microsoft-sql-database-storage-backend-vulnerable-to-sql-injection-via-configuration-file/52080)]
-* secrets/pki: Vault’s PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate issuance. This vulnerability, CVE-2023-0665, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [[HCSEC-2023-11](https://discuss.hashicorp.com/t/hcsec-2023-11-vault-s-pki-issuer-endpoint-did-not-correctly-authorize-access-to-issuer-metadata/52079)]
-* core: HashiCorp Vault’s implementation of Shamir’s secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares. This vulnerability, CVE-2023-25000, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [[HCSEC-2023-10](https://discuss.hashicorp.com/t/hcsec-2023-10-vault-vulnerable-to-cache-timing-attacks-during-seal-and-unseal-operations/52078)]
-
-IMPROVEMENTS:
-
-* auth/github: Allow for an optional Github auth token environment variable to make authenticated requests when fetching org id
-website/docs: Add docs for `VAULT_AUTH_CONFIG_GITHUB_TOKEN` environment variable when writing Github config [[GH-19244](https://github.com/hashicorp/vault/pull/19244)]
-* core: Allow overriding gRPC connect timeout via VAULT_GRPC_MIN_CONNECT_TIMEOUT. This is an env var rather than a config setting because we don't expect this to ever be needed.  It's being added as a last-ditch
-option in case all else fails for some replication issues we may not have fully reproduced. [[GH-19676](https://github.com/hashicorp/vault/pull/19676)]
-* core: validate name identifiers in mssql physical storage backend prior use [[GH-19591](https://github.com/hashicorp/vault/pull/19591)]
-
-BUG FIXES:
-
-* auth/kubernetes: Ensure a consistent TLS configuration for all k8s API requests [[#190](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/190)] [[GH-19720](https://github.com/hashicorp/vault/pull/19720)]
-* cli: Fix vault read handling to return raw data as secret.Data when there is no top-level data object from api response. [[GH-17913](https://github.com/hashicorp/vault/pull/17913)]
-* core (enterprise): Attempt to reconnect to a PKCS#11 HSM if we retrieve a CKR_FUNCTION_FAILED error.
-* core: Fixed issue with remounting mounts that have a non-trailing space in the 'to' or 'from' paths. [[GH-19585](https://github.com/hashicorp/vault/pull/19585)]
-* openapi: Fix logic for labeling unauthenticated/sudo paths. [[GH-19600](https://github.com/hashicorp/vault/pull/19600)]
-* secrets/transform (enterprise): Fix persistence problem with rotated tokenization key versions
-* ui: fixes issue navigating back a level using the breadcrumb from secret metadata view [[GH-19703](https://github.com/hashicorp/vault/pull/19703)]
-* ui: pass encodeBase64 param to HMAC transit-key-actions. [[GH-19429](https://github.com/hashicorp/vault/pull/19429)]
-* ui: use URLSearchParams interface to capture namespace param from SSOs (ex. ADFS) with decoded state param in callback url [[GH-19460](https://github.com/hashicorp/vault/pull/19460)]
-
-## 1.11.8
-### March 01, 2023
-
-SECURITY:
-
-* auth/approle: When using the Vault and Vault Enterprise (Vault) approle auth method, any authenticated user with access to the /auth/approle/role/:role_name/secret-id-accessor/destroy endpoint can destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability, CVE-2023-24999 has been fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above. [[HSEC-2023-07](https://discuss.hashicorp.com/t/hcsec-2023-07-vault-fails-to-verify-if-approle-secretid-belongs-to-role-during-a-destroy-operation/51305)]
-
-CHANGES:
-
-* core: Bump Go version to 1.19.6.
-
-IMPROVEMENTS:
-
-* secrets/database: Adds error message requiring password on root crednetial rotation. [[GH-19103](https://github.com/hashicorp/vault/pull/19103)]
-
-BUG FIXES:
-
-* auth/approle: Add nil check for the secret ID entry when deleting via secret id accessor preventing cross role secret id deletion [[GH-19186](https://github.com/hashicorp/vault/pull/19186)]
-* core (enterprise): Fix panic when using invalid accessor for control-group request
-* core (enterprise): Fix perf standby WAL streaming silently failures when replication setup happens at a bad time.
-* core: Prevent panics in `sys/leases/lookup`, `sys/leases/revoke`, and `sys/leases/renew` endpoints if provided `lease_id` is null [[GH-18951](https://github.com/hashicorp/vault/pull/18951)]
-* license (enterprise): Fix bug where license would update even if the license didn't change.
-* replication (enterprise): Fix bug where reloading external plugin on a secondary would
-break replication.
-* secrets/ad: Fix bug where config couldn't be updated unless binddn/bindpass were included in the update. [[GH-18208](https://github.com/hashicorp/vault/pull/18208)]
-* ui (enterprise): Fix cancel button from transform engine role creation page [[GH-19135](https://github.com/hashicorp/vault/pull/19135)]
-* ui: Fix bug where logging in via OIDC fails if browser is in fullscreen mode [[GH-19071](https://github.com/hashicorp/vault/pull/19071)]
-* ui: show Get credentials button for static roles detail page when a user has the proper permissions. [[GH-19190](https://github.com/hashicorp/vault/pull/19190)]
-
-## 1.11.7
-### February 6, 2023
-
-CHANGES:
-
-* core: Bump Go version to 1.19.4.
-
-IMPROVEMENTS:
-
-* command/server: Environment variable keys are now logged at startup. [[GH-18125](https://github.com/hashicorp/vault/pull/18125)]
-* core/fips: use upstream toolchain for FIPS 140-2 compliance again; this will appear as X=boringcrypto on the Go version in Vault server logs.
-* secrets/db/mysql: Add `tls_server_name` and `tls_skip_verify` parameters [[GH-18799](https://github.com/hashicorp/vault/pull/18799)]
-* ui: Prepends "passcode=" if not provided in user input for duo totp mfa method authentication [[GH-18342](https://github.com/hashicorp/vault/pull/18342)]
-* ui: Update language on database role to "Connection name" [[GH-18261](https://github.com/hashicorp/vault/issues/18261)] [[GH-18350](https://github.com/hashicorp/vault/pull/18350)]
-
-BUG FIXES:
-
-* auth/approle: Fix `token_bound_cidrs` validation when using /32 blocks for role and secret ID [[GH-18145](https://github.com/hashicorp/vault/pull/18145)]
-* cli/kv: skip formatting of nil secrets for patch and put with field parameter set [[GH-18163](https://github.com/hashicorp/vault/pull/18163)]
-* core (enterprise): Fix a race condition resulting in login errors to PKCS#11 modules under high concurrency.
-* core/managed-keys (enterprise): Limit verification checks to mounts in a key's namespace
-* core/quotas (enterprise): Fix a potential deadlock that could occur when using lease count quotas.
-* core/quotas: Fix issue with improper application of default rate limit quota exempt paths [[GH-18273](https://github.com/hashicorp/vault/pull/18273)]
-* core: fix bug where context cancellations weren't forwarded to active node from performance standbys.
-* core: prevent panic in login mfa enforcement delete after enforcement's namespace is deleted [[GH-18923](https://github.com/hashicorp/vault/pull/18923)]
-* database/mongodb: Fix writeConcern set to be applied to any query made on the database [[GH-18546](https://github.com/hashicorp/vault/pull/18546)]
-* identity (enterprise): Fix a data race when creating an entity for a local alias.
-* kmip (enterprise): Fix Destroy operation response that omitted Unique Identifier on some batched responses.
-* kmip (enterprise): Fix Locate operation response incompatibility with clients using KMIP versions prior to 1.3.
-* kmip (enterprise): Fix Query operation response that omitted streaming capability and supported profiles.
-* licensing (enterprise): update autoloaded license cache after reload
-* secrets/pki: Allow patching issuer to set an empty issuer name. [[GH-18466](https://github.com/hashicorp/vault/pull/18466)]
-* secrets/transit: Do not warn about unrecognized parameter 'batch_input' [[GH-18299](https://github.com/hashicorp/vault/pull/18299)]
-* storage/raft (enterprise): An already joined node can rejoin by wiping storage
-and re-issueing a join request, but in doing so could transiently become a
-non-voter.  In some scenarios this resulted in loss of quorum. [[GH-18263](https://github.com/hashicorp/vault/pull/18263)]
-* storage/raft (enterprise): Fix some storage-modifying RPCs used by perf standbys that weren't returning the resulting WAL state.
-* storage/raft: Don't panic on unknown raft ops [[GH-17732](https://github.com/hashicorp/vault/pull/17732)]
-* ui: fixes query parameters not passed in api explorer test requests [[GH-18743](https://github.com/hashicorp/vault/pull/18743)]
-
-## 1.11.6
-### November 30, 2022
-
-IMPROVEMENTS:
-
-* secrets/pki: Allow issuer creation, import to change default issuer via `default_follows_latest_issuer`. [[GH-17824](https://github.com/hashicorp/vault/pull/17824)]
-
-BUG FIXES:
-
-* auth/okta: fix a panic for AuthRenew in Okta [[GH-18011](https://github.com/hashicorp/vault/pull/18011)]
-* auth: Deduplicate policies prior to ACL generation [[GH-17914](https://github.com/hashicorp/vault/pull/17914)]
-* cli: Fix issue preventing kv commands from executing properly when the mount path provided by `-mount` flag and secret key path are the same. [[GH-17679](https://github.com/hashicorp/vault/pull/17679)]
-* core/quotas (enterprise): Fix a lock contention issue that could occur and cause Vault to become unresponsive when creating, changing, or deleting lease count quotas.
-* core: Fix potential deadlock if barrier ciphertext is less than 4 bytes. [[GH-17944](https://github.com/hashicorp/vault/pull/17944)]
-* core: fix a start up race condition where performance standbys could go into a
-  mount loop if default policies are not yet synced from the active node. [[GH-17801](https://github.com/hashicorp/vault/pull/17801)]
-* secret/pki: fix bug with initial legacy bundle migration (from < 1.11 into 1.11+) and missing issuers from ca_chain [[GH-17772](https://github.com/hashicorp/vault/pull/17772)]
-* secrets/azure: add WAL to clean up role assignments if errors occur [[GH-18085](https://github.com/hashicorp/vault/pull/18085)]
-* secrets/gcp: Fixes duplicate service account key for rotate root on standby or secondary [[GH-18110](https://github.com/hashicorp/vault/pull/18110)]
-* ui: Fixes issue with not being able to download raft snapshot via service worker [[GH-17769](https://github.com/hashicorp/vault/pull/17769)]
-* ui: fix entity policies list link to policy show page [[GH-17950](https://github.com/hashicorp/vault/pull/17950)]
-
-## 1.11.5
-### November 2, 2022
-
-IMPROVEMENTS:
-
-* database/snowflake: Allow parallel requests to Snowflake [[GH-17594](https://github.com/hashicorp/vault/pull/17594)]
-* sdk/ldap: Added support for paging when searching for groups using group filters [[GH-17640](https://github.com/hashicorp/vault/pull/17640)]
-
-BUG FIXES:
-
-* core/managed-keys (enterprise): Return better error messages when encountering key creation failures
-* core/managed-keys (enterprise): fix panic when having `cache_disable` true
-* core: prevent memory leak when using control group factors in a policy [[GH-17532](https://github.com/hashicorp/vault/pull/17532)]
-* core: prevent panic during mfa after enforcement's namespace is deleted [[GH-17562](https://github.com/hashicorp/vault/pull/17562)]
-* kmip (enterprise): Fix a problem in the handling of attributes that caused Import operations to fail.
-* login: Store token in tokenhelper for interactive login MFA [[GH-17040](https://github.com/hashicorp/vault/pull/17040)]
-* secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key [[GH-17328](https://github.com/hashicorp/vault/pull/17328)]
-* secrets/pki: Do not read revoked certificates from backend when CRL is disabled [[GH-17384](https://github.com/hashicorp/vault/pull/17384)]
-* secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [[GH-17497](https://github.com/hashicorp/vault/pull/17497)]
-* ui/keymgmt: Sets the defaultValue for type when creating a key. [[GH-17407](https://github.com/hashicorp/vault/pull/17407)]
-* ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [[GH-17661](https://github.com/hashicorp/vault/pull/17661)]
-
-## 1.11.4
-### September 30, 2022
-
-SECURITY:
-
-* secrets/pki: Vault’s TLS certificate auth method did not initially load the optionally-configured CRL issued by the role’s CA into memory on startup, resulting in the revocation list not being checked, if the CRL has not yet been retrieved. This vulnerability, CVE-2022-41316, is fixed in Vault 1.12.0, 1.11.4, 1.10.7, and 1.9.10. [[HSEC-2022-24](https://discuss.hashicorp.com/t/hcsec-2022-24-vaults-tls-cert-auth-method-only-loaded-crl-after-first-request/45483)]
-
-IMPROVEMENTS:
-
-* agent/auto-auth: Add `exit_on_err` which when set to true, will cause Agent to exit if any errors are encountered during authentication. [[GH-17091](https://github.com/hashicorp/vault/pull/17091)]
-* agent: Send notifications to systemd on start and stop. [[GH-9802](https://github.com/hashicorp/vault/pull/9802)]
-
-BUG FIXES:
-
-* auth/cert: Vault does not initially load the CRLs in cert auth unless the read/write CRL endpoint is hit. [[GH-17138](https://github.com/hashicorp/vault/pull/17138)]
-* auth/kubernetes: Restore support for JWT signature algorithm ES384 [[GH-160](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/160)] [[GH-17162](https://github.com/hashicorp/vault/pull/17162)]
-* auth/token: Fix ignored parameter warnings for valid parameters on token create [[GH-16938](https://github.com/hashicorp/vault/pull/16938)]
-* core/quotas: Fix goroutine leak caused by the seal process not fully cleaning up Rate Limit Quotas. [[GH-17281](https://github.com/hashicorp/vault/pull/17281)]
-* core: Prevent two or more DR failovers from invalidating SSCT tokens generated on the previous primaries. [[GH-16956](https://github.com/hashicorp/vault/pull/16956)]
-* identity/oidc: Adds `claims_supported` to discovery document. [[GH-16992](https://github.com/hashicorp/vault/pull/16992)]
-* replication (enterprise): Fix data race in SaveCheckpoint()
-* secrets/transform (enterprise): Fix an issue loading tokenization transform configuration after a specific sequence of reconfigurations.
-* secrets/transform (enterprise): Fix persistence problem with tokenization store credentials.
-* ui: Fixes secret version and status menu links transitioning to auth screen [[GH-16983](https://github.com/hashicorp/vault/pull/16983)]
-* ui: Fixes secret version and status menu links transitioning to auth screen [[GH-16983](https://github.com/hashicorp/vault/pull/16983)]
-
-## 1.11.3
-### August 31, 2022
-
-SECURITY:
-
-* core: When entity aliases mapped to a single entity share the same alias name, but have different mount accessors, Vault can leak metadata between the aliases. This metadata leak may result in unexpected access if templated policies are using alias metadata for path names. This vulnerability, CVE-2022-40186, is fixed in 1.11.3, 1.10.6, and 1.9.9. [[HSEC-2022-18](https://discuss.hashicorp.com/t/hcsec-2022-18-vault-entity-alias-metadata-may-leak-between-aliases-with-the-same-name-assigned-to-the-same-entity/44550)]
-
-CHANGES:
-
-* core: Bump Go version to 1.17.13.
-
-IMPROVEMENTS:
-
-* auth/kerberos: add `add_group_aliases` config to include LDAP groups in Vault group aliases [[GH-16890](https://github.com/hashicorp/vault/pull/16890)]
-* auth/kerberos: add `remove_instance_name` parameter to the login CLI and the
-Kerberos config in Vault. This removes any instance names found in the keytab
-service principal name. [[GH-16594](https://github.com/hashicorp/vault/pull/16594)]
-* identity/oidc: Adds the `client_secret_post` token endpoint authentication method. [[GH-16598](https://github.com/hashicorp/vault/pull/16598)]
-* storage/gcs: Add documentation explaining how to configure the gcs backend using environment variables instead of options in the configuration stanza [[GH-14455](https://github.com/hashicorp/vault/pull/14455)]
-
-BUG FIXES:
-
-* api: Fixed erroneous warnings of unrecognized parameters when unwrapping data. [[GH-16794](https://github.com/hashicorp/vault/pull/16794)]
-* auth/gcp: Fixes the ability to reset the configuration's credentials to use application default credentials. [[GH-16523](https://github.com/hashicorp/vault/pull/16523)]
-* auth/kerberos: Maintain headers set by the client [[GH-16636](https://github.com/hashicorp/vault/pull/16636)]
-* command/debug: fix bug where monitor was not honoring configured duration [[GH-16834](https://github.com/hashicorp/vault/pull/16834)]
-* core/license (enterprise): Always remove stored license and allow unseal to complete when license cleanup fails
-* database/elasticsearch: Fixes a bug in boolean parsing for initialize [[GH-16526](https://github.com/hashicorp/vault/pull/16526)]
-* identity/oidc: Change the `state` parameter of the Authorization Endpoint to optional. [[GH-16599](https://github.com/hashicorp/vault/pull/16599)]
-* identity/oidc: Detect invalid `redirect_uri` values sooner in validation of the
-Authorization Endpoint. [[GH-16601](https://github.com/hashicorp/vault/pull/16601)]
-* identity/oidc: Fixes validation of the `request` and `request_uri` parameters. [[GH-16600](https://github.com/hashicorp/vault/pull/16600)]
-* plugin/secrets/auth: Fix a bug with aliased backends such as aws-ec2 or generic [[GH-16673](https://github.com/hashicorp/vault/pull/16673)]
-* secrets/database: Fix a bug where the secret engine would queue up a lot of WAL deletes during startup. [[GH-16686](https://github.com/hashicorp/vault/pull/16686)]
-* secrets/gcp: Fixes duplicate static account key creation from performance secondary clusters. [[GH-16534](https://github.com/hashicorp/vault/pull/16534)]
-* secrets/pki: Fix migration to properly handle mounts that contain only keys, no certificates [[GH-16813](https://github.com/hashicorp/vault/pull/16813)]
-* secrets/pki: Ignore EC PARAMETER PEM blocks during issuer import (/config/ca, /issuers/import/*, and /intermediate/set-signed) [[GH-16721](https://github.com/hashicorp/vault/pull/16721)]
-* secrets/pki: LIST issuers endpoint is now unauthenticated. [[GH-16830](https://github.com/hashicorp/vault/pull/16830)]
-* storage/raft: Fix retry_join initialization failure [[GH-16550](https://github.com/hashicorp/vault/pull/16550)]
-* ui: Fix OIDC callback to accept namespace flag in different formats [[GH-16886](https://github.com/hashicorp/vault/pull/16886)]
-* ui: Fix info tooltip submitting form [[GH-16659](https://github.com/hashicorp/vault/pull/16659)]
-* ui: Fix naming of permitted_dns_domains form parameter on CA creation (root generation and sign intermediate). [[GH-16739](https://github.com/hashicorp/vault/pull/16739)]
-
-SECURITY:
-
-* identity/entity: When entity aliases mapped to a single entity share the same alias name, but have different mount accessors, Vault can leak metadata between the aliases. This metadata leak may result in unexpected access if templated policies are using alias metadata for path names. [[HCSEC-2022-18](https://discuss.hashicorp.com/t/hcsec-2022-18-vault-entity-alias-metadata-may-leak-between-aliases-with-the-same-name-assigned-to-the-same-entity/44550)]
-
-## 1.11.2
-### August 2, 2022
-
-IMPROVEMENTS:
-
-* agent: Added `disable_keep_alives` configuration to disable keep alives in auto-auth, caching and templating. [[GH-16479](https://github.com/hashicorp/vault/pull/16479)]
-
-BUG FIXES:
-
-* core/auth: Return a 403 instead of a 500 for a malformed SSCT [[GH-16112](https://github.com/hashicorp/vault/pull/16112)]
-* core: Increase the allowed concurrent gRPC streams over the cluster port. [[GH-16327](https://github.com/hashicorp/vault/pull/16327)]
-* secrets/kv: Fix `kv get` issue preventing the ability to read a secret when providing a leading slash [[GH-16443](https://github.com/hashicorp/vault/pull/16443)]
-* ui: Fix issue logging in with JWT auth method [[GH-16466](https://github.com/hashicorp/vault/pull/16466)]
-
-## 1.11.1
-### July 21, 2022
-
-SECURITY:
-
-* storage/raft: Vault Enterprise (“Vault”) clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure. This vulnerability, CVE-2022-36129, was fixed in Vault 1.9.8, 1.10.5, and 1.11.1. [[HSEC-2022-15](https://discuss.hashicorp.com/t/hcsec-2022-15-vault-enterprise-does-not-verify-existing-voter-status-when-joining-an-integrated-storage-ha-node/42420)]
-
-CHANGES:
-
-* core: Bump Go version to 1.17.12.
-
-IMPROVEMENTS:
-
-* agent: Added `disable_idle_connections` configuration to disable leaving idle connections open in auto-auth, caching and templating. [[GH-15986](https://github.com/hashicorp/vault/pull/15986)]
-* core: Add `sys/loggers` and `sys/loggers/:name` endpoints to provide ability to modify logging verbosity [[GH-16111](https://github.com/hashicorp/vault/pull/16111)]
-* secrets/ssh: Allow additional text along with a template definition in defaultExtension value fields. [[GH-16018](https://github.com/hashicorp/vault/pull/16018)]
-
-BUG FIXES:
-
-* agent/template: Fix parsing error for the exec stanza [[GH-16231](https://github.com/hashicorp/vault/pull/16231)]
-* agent: Update consul-template for pkiCert bug fixes [[GH-16087](https://github.com/hashicorp/vault/pull/16087)]
-* core/identity: Replicate member_entity_ids and policies in identity/group across nodes identically [[GH-16088](https://github.com/hashicorp/vault/pull/16088)]
-* core/replication (enterprise): Don't flush merkle tree pages to disk after losing active duty
-* core/seal: Fix possible keyring truncation when using the file backend. [[GH-15946](https://github.com/hashicorp/vault/pull/15946)]
-* kmip (enterprise): Return SecretData as supported Object Type.
-* plugin/multiplexing: Fix panic when id doesn't exist in connection map [[GH-16094](https://github.com/hashicorp/vault/pull/16094)]
-* secret/pki: Do not fail validation with a legacy key_bits default value and key_type=any when signing CSRs [[GH-16246](https://github.com/hashicorp/vault/pull/16246)]
-* storage/raft (enterprise): Prevent unauthenticated voter status change with rejoin [[GH-16324](https://github.com/hashicorp/vault/pull/16324)]
-* transform (enterprise): Fix a bug in the handling of nested or unmatched capture groups in FPE transformations.
-* ui: OIDC login type uses localStorage instead of sessionStorage [[GH-16170](https://github.com/hashicorp/vault/pull/16170)]
-
-SECURITY:
-
-* storage/raft (enterprise): Vault Enterprise (“Vault”) clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure. This vulnerability, CVE-2022-36129, was fixed in Vault 1.9.8, 1.10.5, and 1.11.1. [[HCSEC-2022-15](https://discuss.hashicorp.com/t/hcsec-2022-15-vault-enterprise-does-not-verify-existing-voter-status-when-joining-an-integrated-storage-ha-node/42420)]
-
-## 1.11.0
-### June 20, 2022
-
-CHANGES:
-
-* auth/aws: Add RoleSession to DisplayName when using assumeRole for authentication [[GH-14954](https://github.com/hashicorp/vault/pull/14954)]
-* auth/kubernetes: If `kubernetes_ca_cert` is unset, and there is no pod-local CA available, an error will be surfaced when writing config instead of waiting for login. [[GH-15584](https://github.com/hashicorp/vault/pull/15584)]
-* auth: Remove support for legacy MFA
-(https://www.vaultproject.io/docs/v1.10.x/auth/mfa) [[GH-14869](https://github.com/hashicorp/vault/pull/14869)]
-* core/fips: Disable and warn about entropy augmentation in FIPS 140-2 Inside mode [[GH-15858](https://github.com/hashicorp/vault/pull/15858)]
-* core: A request that fails path validation due to relative path check will now be responded to with a 400 rather than 500. [[GH-14328](https://github.com/hashicorp/vault/pull/14328)]
-* core: Bump Go version to 1.17.11. [[GH-go-ver-1110](https://github.com/hashicorp/vault/pull/go-ver-1110)]
-* database & storage: Change underlying driver library from [lib/pq](https://github.com/lib/pq) to [pgx](https://github.com/jackc/pgx). This change affects Redshift & Postgres database secrets engines, and CockroachDB & Postgres storage engines [[GH-15343](https://github.com/hashicorp/vault/pull/15343)]
-* licensing (enterprise): Remove support for stored licenses and associated `sys/license` and `sys/license/signed`
-endpoints in favor of [autoloaded licenses](https://www.vaultproject.io/docs/enterprise/license/autoloading).
-* replication (enterprise): The `/sys/replication/performance/primary/mount-filter` endpoint has been removed. Please use [Paths Filter](https://www.vaultproject.io/api-docs/system/replication/replication-performance#create-paths-filter) instead.
-* secret/pki: Remove unused signature_bits parameter from intermediate CSR generation; this parameter doesn't control the final certificate's signature algorithm selection as that is up to the signing CA [[GH-15478](https://github.com/hashicorp/vault/pull/15478)]
-* secrets/kubernetes: Split `additional_metadata` into `extra_annotations` and `extra_labels` parameters [[GH-15655](https://github.com/hashicorp/vault/pull/15655)]
-* secrets/pki: A new aliased api path (/pki/issuer/:issuer_ref/sign-self-issued)
-providing the same functionality as the existing API(/pki/root/sign-self-issued)
-does not require sudo capabilities but the latter still requires it in an
-effort to maintain backwards compatibility. [[GH-15211](https://github.com/hashicorp/vault/pull/15211)]
-* secrets/pki: Err on unknown role during sign-verbatim. [[GH-15543](https://github.com/hashicorp/vault/pull/15543)]
-* secrets/pki: Existing CRL API (/pki/crl) now returns an X.509 v2 CRL instead
-of a v1 CRL. [[GH-15100](https://github.com/hashicorp/vault/pull/15100)]
-* secrets/pki: The `ca_chain` response field within issuing (/pki/issue/:role)
-and signing APIs will now include the root CA certificate if the mount is
-aware of it. [[GH-15155](https://github.com/hashicorp/vault/pull/15155)]
-* secrets/pki: existing Delete Root API (pki/root) will now delete all issuers
-and keys within the mount path. [[GH-15004](https://github.com/hashicorp/vault/pull/15004)]
-* secrets/pki: existing Generate Root (pki/root/generate/:type),
-Set Signed Intermediate (/pki/intermediate/set-signed) APIs will
-add new issuers/keys to a mount instead of warning that an existing CA exists [[GH-14975](https://github.com/hashicorp/vault/pull/14975)]
-* secrets/pki: the signed CA certificate from the sign-intermediate api will now appear within the ca_chain
-response field along with the issuer's ca chain. [[GH-15524](https://github.com/hashicorp/vault/pull/15524)]
-* ui: Upgrade Ember to version 3.28 [[GH-14763](https://github.com/hashicorp/vault/pull/14763)]
-
-FEATURES:
-
-* **Autopilot Improvements (Enterprise)**: Autopilot on Vault Enterprise now supports automated upgrades and redundancy zones when using integrated storage.
-* **KeyMgmt UI**: Add UI support for managing the Key Management Secrets Engine [[GH-15523](https://github.com/hashicorp/vault/pull/15523)]
-* **Kubernetes Secrets Engine**: This new secrets engine generates Kubernetes service account tokens, service accounts, role bindings, and roles dynamically. [[GH-15551](https://github.com/hashicorp/vault/pull/15551)]
-* **Non-Disruptive Intermediate/Root Certificate Rotation**: This allows
-import, generation and configuration of any number of keys and/or issuers
-within a PKI mount, providing operators the ability to rotate certificates
-in place without affecting existing client configurations. [[GH-15277](https://github.com/hashicorp/vault/pull/15277)]
-* **Print minimum required policy for any command**: The global CLI flag `-output-policy` can now be used with any command to print out the minimum required policy HCL for that operation, including whether the given path requires the "sudo" capability. [[GH-14899](https://github.com/hashicorp/vault/pull/14899)]
-* **Snowflake Database Plugin**: Adds ability to manage RSA key pair credentials for dynamic and static Snowflake users. [[GH-15376](https://github.com/hashicorp/vault/pull/15376)]
-* **Transit BYOK**: Allow import of externally-generated keys into the Transit secrets engine. [[GH-15414](https://github.com/hashicorp/vault/pull/15414)]
-* nomad: Bootstrap Nomad ACL system if no token is provided [[GH-12451](https://github.com/hashicorp/vault/pull/12451)]
-* storage/dynamodb: Added `AWS_DYNAMODB_REGION` environment variable. [[GH-15054](https://github.com/hashicorp/vault/pull/15054)]
-
-IMPROVEMENTS:
-
-* activity: return nil response months in activity log API when no month data exists [[GH-15420](https://github.com/hashicorp/vault/pull/15420)]
-* agent/auto-auth: Add `min_backoff` to the method stanza for configuring initial backoff duration. [[GH-15204](https://github.com/hashicorp/vault/pull/15204)]
-* agent: Update consul-template to v0.29.0 [[GH-15293](https://github.com/hashicorp/vault/pull/15293)]
-* agent: Upgrade hashicorp/consul-template version for sprig template functions and improved writeTo function [[GH-15092](https://github.com/hashicorp/vault/pull/15092)]
-* api/monitor: Add log_format option to allow for logs to be emitted in JSON format [[GH-15536](https://github.com/hashicorp/vault/pull/15536)]
-* api: Add ability to pass certificate as PEM bytes to api.Client. [[GH-14753](https://github.com/hashicorp/vault/pull/14753)]
-* api: Add context-aware functions to vault/api for each API wrapper function. [[GH-14388](https://github.com/hashicorp/vault/pull/14388)]
-* api: Added MFALogin() for handling MFA flow when using login helpers. [[GH-14900](https://github.com/hashicorp/vault/pull/14900)]
-* api: If the parameters supplied over the API payload are ignored due to not
-being what the endpoints were expecting, or if the parameters supplied get
-replaced by the values in the endpoint's path itself, warnings will be added to
-the non-empty responses listing all the ignored and replaced parameters. [[GH-14962](https://github.com/hashicorp/vault/pull/14962)]
-* api: KV helper methods to simplify the common use case of reading and writing KV secrets [[GH-15305](https://github.com/hashicorp/vault/pull/15305)]
-* api: Provide a helper method WithNamespace to create a cloned client with a new NS [[GH-14963](https://github.com/hashicorp/vault/pull/14963)]
-* api: Support VAULT_PROXY_ADDR environment variable to allow overriding the Vault client's HTTP proxy. [[GH-15377](https://github.com/hashicorp/vault/pull/15377)]
-* api: Use the context passed to the api/auth Login helpers. [[GH-14775](https://github.com/hashicorp/vault/pull/14775)]
-* api: make ListPlugins parse only known plugin types [[GH-15434](https://github.com/hashicorp/vault/pull/15434)]
-* audit: Add a policy_results block into the audit log that contains the set of
-policies that granted this request access. [[GH-15457](https://github.com/hashicorp/vault/pull/15457)]
-* audit: Include mount_accessor in audit request and response logs [[GH-15342](https://github.com/hashicorp/vault/pull/15342)]
-* audit: added entity_created boolean to audit log, set when login operations create an entity [[GH-15487](https://github.com/hashicorp/vault/pull/15487)]
-* auth/aws: Add rsa2048 signature type to API [[GH-15719](https://github.com/hashicorp/vault/pull/15719)]
-* auth/gcp: Enable the Google service endpoints used by the underlying client to be customized [[GH-15592](https://github.com/hashicorp/vault/pull/15592)]
-* auth/gcp: Vault CLI now infers the service account email when running on Google Cloud [[GH-15592](https://github.com/hashicorp/vault/pull/15592)]
-* auth/jwt: Adds ability to use JSON pointer syntax for the `user_claim` value. [[GH-15593](https://github.com/hashicorp/vault/pull/15593)]
-* auth/okta: Add support for Google provider TOTP type in the Okta auth method [[GH-14985](https://github.com/hashicorp/vault/pull/14985)]
-* auth/okta: Add support for performing [the number
-challenge](https://help.okta.com/en-us/Content/Topics/Mobile/ov-admin-config.htm?cshid=csh-okta-verify-number-challenge-v1#enable-number-challenge)
-during an Okta Verify push challenge [[GH-15361](https://github.com/hashicorp/vault/pull/15361)]
-* auth: Globally scoped Login MFA method Get/List endpoints [[GH-15248](https://github.com/hashicorp/vault/pull/15248)]
-* auth: enforce a rate limit for TOTP passcode validation attempts [[GH-14864](https://github.com/hashicorp/vault/pull/14864)]
-* auth: forward cached MFA auth response to the leader using RPC instead of forwarding all login requests [[GH-15469](https://github.com/hashicorp/vault/pull/15469)]
-* cli/debug: added support for retrieving metrics from DR clusters if `unauthenticated_metrics_access` is enabled [[GH-15316](https://github.com/hashicorp/vault/pull/15316)]
-* cli/vault: warn when policy name contains upper-case letter [[GH-14670](https://github.com/hashicorp/vault/pull/14670)]
-* cli: Alternative flag-based syntax for KV to mitigate confusion from automatically appended /data [[GH-14807](https://github.com/hashicorp/vault/pull/14807)]
-* cockroachdb: add high-availability support [[GH-12965](https://github.com/hashicorp/vault/pull/12965)]
-* command/debug: Add log_format flag to allow for logs to be emitted in JSON format [[GH-15536](https://github.com/hashicorp/vault/pull/15536)]
-* command: Support optional '-log-level' flag to be passed to 'operator migrate' command (defaults to info). Also support VAULT_LOG_LEVEL env var. [[GH-15405](https://github.com/hashicorp/vault/pull/15405)]
-* command: Support the optional '-detailed' flag to be passed to 'vault list' command to show ListResponseWithInfo data. Also supports the VAULT_DETAILED env var. [[GH-15417](https://github.com/hashicorp/vault/pull/15417)]
-* core (enterprise): Include `termination_time` in `sys/license/status` response
-* core (enterprise): Include termination time in `license inspect` command output
-* core,transit: Allow callers to choose random byte source including entropy augmentation sources for the sys/tools/random and transit/random endpoints. [[GH-15213](https://github.com/hashicorp/vault/pull/15213)]
-* core/activity: Order month data in ascending order of timestamps [[GH-15259](https://github.com/hashicorp/vault/pull/15259)]
-* core/activity: allow client counts to be precomputed and queried on non-contiguous chunks of data [[GH-15352](https://github.com/hashicorp/vault/pull/15352)]
-* core/managed-keys (enterprise): Allow configuring the number of parallel operations to PKCS#11 managed keys.
-* core: Add an export API for historical activity log data [[GH-15586](https://github.com/hashicorp/vault/pull/15586)]
-* core: Add new DB methods that do not prepare statements. [[GH-15166](https://github.com/hashicorp/vault/pull/15166)]
-* core: check uid and permissions of config dir, config file, plugin dir and plugin binaries [[GH-14817](https://github.com/hashicorp/vault/pull/14817)]
-* core: Fix some identity data races found by Go race detector (no known impact yet). [[GH-15123](https://github.com/hashicorp/vault/pull/15123)]
-* core: Include build date in `sys/seal-status` and `sys/version-history` endpoints. [[GH-14957](https://github.com/hashicorp/vault/pull/14957)]
-* core: Upgrade github.org/x/crypto/ssh [[GH-15125](https://github.com/hashicorp/vault/pull/15125)]
-* kmip (enterprise): Implement operations Query, Import, Encrypt and Decrypt. Improve operations Locate, Add Attribute, Get Attributes and Get Attribute List to handle most supported attributes.
-* mfa/okta: migrate to use official Okta SDK [[GH-15355](https://github.com/hashicorp/vault/pull/15355)]
-* sdk: Change OpenAPI code generator to extract request objects into /components/schemas and reference them by name. [[GH-14217](https://github.com/hashicorp/vault/pull/14217)]
-* secrets/consul: Add support for Consul node-identities and service-identities [[GH-15295](https://github.com/hashicorp/vault/pull/15295)]
-* secrets/consul: Vault is now able to automatically bootstrap the Consul ACL system. [[GH-10751](https://github.com/hashicorp/vault/pull/10751)]
-* secrets/database/elasticsearch: Use the new /_security base API path instead of /_xpack/security when managing elasticsearch. [[GH-15614](https://github.com/hashicorp/vault/pull/15614)]
-* secrets/pki: Add not_before_duration to root CA generation, intermediate CA signing paths. [[GH-14178](https://github.com/hashicorp/vault/pull/14178)]
-* secrets/pki: Add support for CPS URLs and User Notice to Policy Information [[GH-15751](https://github.com/hashicorp/vault/pull/15751)]
-* secrets/pki: Allow operators to control the issuing certificate behavior when
-the requested TTL is beyond the NotAfter value of the signing certificate [[GH-15152](https://github.com/hashicorp/vault/pull/15152)]
-* secrets/pki: Always return CRLs, URLs configurations, even if using the default value. [[GH-15470](https://github.com/hashicorp/vault/pull/15470)]
-* secrets/pki: Enable Patch Functionality for Roles and Issuers (API only) [[GH-15510](https://github.com/hashicorp/vault/pull/15510)]
-* secrets/pki: Have pki/sign-verbatim use the not_before_duration field defined in the role [[GH-15429](https://github.com/hashicorp/vault/pull/15429)]
-* secrets/pki: Warn on empty Subject field during issuer generation (root/generate and root/sign-intermediate). [[GH-15494](https://github.com/hashicorp/vault/pull/15494)]
-* secrets/pki: Warn on missing AIA access information when generating issuers (config/urls). [[GH-15509](https://github.com/hashicorp/vault/pull/15509)]
-* secrets/pki: Warn when `generate_lease` and `no_store` are both set to `true` on requests. [[GH-14292](https://github.com/hashicorp/vault/pull/14292)]
-* secrets/ssh: Add connection timeout of 1 minute for outbound SSH connection in deprecated Dynamic SSH Keys mode. [[GH-15440](https://github.com/hashicorp/vault/pull/15440)]
-* secrets/ssh: Support for `add_before_duration` in SSH [[GH-15250](https://github.com/hashicorp/vault/pull/15250)]
-* sentinel (enterprise): Upgrade sentinel to [v0.18.5](https://docs.hashicorp.com/sentinel/changelog#0-18-5-january-14-2022) to avoid potential naming collisions in the remote installer
-* storage/raft: Use larger timeouts at startup to reduce likelihood of inducing elections. [[GH-15042](https://github.com/hashicorp/vault/pull/15042)]
-* ui: Allow namespace param to be parsed from state queryParam [[GH-15378](https://github.com/hashicorp/vault/pull/15378)]
-* ui: Default auto-rotation period in transit is 30 days [[GH-15474](https://github.com/hashicorp/vault/pull/15474)]
-* ui: Parse schema refs from OpenAPI [[GH-14508](https://github.com/hashicorp/vault/pull/14508)]
-* ui: Remove stored license references [[GH-15513](https://github.com/hashicorp/vault/pull/15513)]
-* ui: Remove storybook. [[GH-15074](https://github.com/hashicorp/vault/pull/15074)]
-* ui: Replaces the IvyCodemirror wrapper with a custom ember modifier. [[GH-14659](https://github.com/hashicorp/vault/pull/14659)]
-* website/docs: Add usage documentation for Kubernetes Secrets Engine [[GH-15527](https://github.com/hashicorp/vault/pull/15527)]
-* website/docs: added a link to an Enigma secret plugin. [[GH-14389](https://github.com/hashicorp/vault/pull/14389)]
-
-DEPRECATIONS:
-
-* docs: Document removal of X.509 certificates with signatures who use SHA-1 in Vault 1.12 [[GH-15581](https://github.com/hashicorp/vault/pull/15581)]
-* secrets/consul: Deprecate old parameters "token_type" and "policy" [[GH-15550](https://github.com/hashicorp/vault/pull/15550)]
-* secrets/consul: Deprecate parameter "policies" in favor of "consul_policies" for consistency [[GH-15400](https://github.com/hashicorp/vault/pull/15400)]
-
-BUG FIXES:
-
-* Fixed panic when adding or modifying a Duo MFA Method in Enterprise
-* agent: Fix log level mismatch between ERR and ERROR [[GH-14424](https://github.com/hashicorp/vault/pull/14424)]
-* agent: Redact auto auth token from renew endpoints [[GH-15380](https://github.com/hashicorp/vault/pull/15380)]
-* api/sys/raft: Update RaftSnapshotRestore to use net/http client allowing bodies larger than allocated memory to be streamed [[GH-14269](https://github.com/hashicorp/vault/pull/14269)]
-* api: Fixes bug where OutputCurlString field was unintentionally being copied over during client cloning [[GH-14968](https://github.com/hashicorp/vault/pull/14968)]
-* api: Respect increment value in grace period calculations in LifetimeWatcher [[GH-14836](https://github.com/hashicorp/vault/pull/14836)]
-* auth/approle: Add maximum length for input values that result in SHA56 HMAC calculation [[GH-14746](https://github.com/hashicorp/vault/pull/14746)]
-* auth/kubernetes: Fix error code when using the wrong service account [[GH-15584](https://github.com/hashicorp/vault/pull/15584)]
-* auth/ldap: The logic for setting the entity alias when `username_as_alias` is set
-has been fixed. The previous behavior would make a request to the LDAP server to
-get `user_attr` before discarding it and using the username instead. This would
-make it impossible for a user to connect if this attribute was missing or had
-multiple values, even though it would not be used anyway. This has been fixed
-and the username is now used without making superfluous LDAP searches. [[GH-15525](https://github.com/hashicorp/vault/pull/15525)]
-* auth: Fixed erroneous success message when using vault login in case of two-phase MFA [[GH-15428](https://github.com/hashicorp/vault/pull/15428)]
-* auth: Fixed erroneous token information being displayed when using vault login in case of two-phase MFA [[GH-15428](https://github.com/hashicorp/vault/pull/15428)]
-* auth: Fixed two-phase MFA information missing from table format when using vault login [[GH-15428](https://github.com/hashicorp/vault/pull/15428)]
-* auth: Prevent deleting a valid MFA method ID using the endpoint for a different MFA method type [[GH-15482](https://github.com/hashicorp/vault/pull/15482)]
-* auth: forward requests subject to login MFA from perfStandby to Active node [[GH-15009](https://github.com/hashicorp/vault/pull/15009)]
-* auth: load login MFA configuration upon restart [[GH-15261](https://github.com/hashicorp/vault/pull/15261)]
-* cassandra: Update gocql Cassandra client to fix "no hosts available in the pool" error [[GH-14973](https://github.com/hashicorp/vault/pull/14973)]
-* cli: Fix panic caused by parsing key=value fields whose value is a single backslash [[GH-14523](https://github.com/hashicorp/vault/pull/14523)]
-* cli: kv get command now honors trailing spaces to retrieve secrets [[GH-15188](https://github.com/hashicorp/vault/pull/15188)]
-* command: do not report listener and storage types as key not found warnings [[GH-15383](https://github.com/hashicorp/vault/pull/15383)]
-* core (enterprise): Allow local alias create RPCs to persist alias metadata
-* core (enterprise): Fix overcounting of lease count quota usage at startup.
-* core (enterprise): Fix some races in merkle index flushing code found in testing
-* core (enterprise): Handle additional edge cases reinitializing PKCS#11 libraries after login errors.
-* core/config: Only ask the system about network interfaces when address configs contain a template having the format: {{ ... }} [[GH-15224](https://github.com/hashicorp/vault/pull/15224)]
-* core/managed-keys (enterprise): Allow PKCS#11 managed keys to use 0 as a slot number
-* core/metrics: Fix incorrect table size metric for local mounts [[GH-14755](https://github.com/hashicorp/vault/pull/14755)]
-* core: Fix double counting for "route" metrics [[GH-12763](https://github.com/hashicorp/vault/pull/12763)]
-* core: Fix panic caused by parsing JSON integers for fields defined as comma-delimited integers [[GH-15072](https://github.com/hashicorp/vault/pull/15072)]
-* core: Fix panic caused by parsing JSON integers for fields defined as comma-delimited strings [[GH-14522](https://github.com/hashicorp/vault/pull/14522)]
-* core: Fix panic caused by parsing policies with empty slice values. [[GH-14501](https://github.com/hashicorp/vault/pull/14501)]
-* core: Fix panic for help request URL paths without /v1/ prefix [[GH-14704](https://github.com/hashicorp/vault/pull/14704)]
-* core: Limit SSCT WAL checks on perf standbys to raft backends only [[GH-15879](https://github.com/hashicorp/vault/pull/15879)]
-* core: Prevent changing file permissions of audit logs when mode 0000 is used. [[GH-15759](https://github.com/hashicorp/vault/pull/15759)]
-* core: Prevent metrics generation from causing deadlocks. [[GH-15693](https://github.com/hashicorp/vault/pull/15693)]
-* core: fixed systemd reloading notification [[GH-15041](https://github.com/hashicorp/vault/pull/15041)]
-* core: fixing excessive unix file permissions [[GH-14791](https://github.com/hashicorp/vault/pull/14791)]
-* core: fixing excessive unix file permissions on dir, files and archive created by vault debug command [[GH-14846](https://github.com/hashicorp/vault/pull/14846)]
-* core: pre-calculate namespace specific paths when tainting a route during postUnseal [[GH-15067](https://github.com/hashicorp/vault/pull/15067)]
-* core: renaming the environment variable VAULT_DISABLE_FILE_PERMISSIONS_CHECK to VAULT_ENABLE_FILE_PERMISSIONS_CHECK and adjusting the logic [[GH-15452](https://github.com/hashicorp/vault/pull/15452)]
-* core: report unused or redundant keys in server configuration [[GH-14752](https://github.com/hashicorp/vault/pull/14752)]
-* core: time.After() used in a select statement can lead to memory leak [[GH-14814](https://github.com/hashicorp/vault/pull/14814)]
-* identity: deduplicate policies when creating/updating identity groups [[GH-15055](https://github.com/hashicorp/vault/pull/15055)]
-* mfa/okta: disable client side rate limiting causing delays in push notifications [[GH-15369](https://github.com/hashicorp/vault/pull/15369)]
-* plugin: Fix a bug where plugin reload would falsely report success in certain scenarios. [[GH-15579](https://github.com/hashicorp/vault/pull/15579)]
-* raft: fix Raft TLS key rotation panic that occurs if active key is more than 24 hours old [[GH-15156](https://github.com/hashicorp/vault/pull/15156)]
-* raft: Ensure initialMmapSize is set to 0 on Windows [[GH-14977](https://github.com/hashicorp/vault/pull/14977)]
-* replication (enterprise): fix panic due to missing entity during invalidation of local aliases. [[GH-14622](https://github.com/hashicorp/vault/pull/14622)]
-* sdk/cidrutil: Only check if cidr contains remote address for IP addresses [[GH-14487](https://github.com/hashicorp/vault/pull/14487)]
-* sdk: Fix OpenApi spec generator to properly convert TypeInt64 to OAS supported int64 [[GH-15104](https://github.com/hashicorp/vault/pull/15104)]
-* sdk: Fix OpenApi spec generator to remove duplicate sha_256 parameter [[GH-15163](https://github.com/hashicorp/vault/pull/15163)]
-* secrets/database: Ensure that a `connection_url` password is redacted in all cases. [[GH-14744](https://github.com/hashicorp/vault/pull/14744)]
-* secrets/kv: Fix issue preventing the ability to reset the `delete_version_after` key metadata field to 0s via HTTP `PATCH`. [[GH-15792](https://github.com/hashicorp/vault/pull/15792)]
-* secrets/pki: CRLs on performance secondary clusters are now automatically
-rebuilt upon changes to the list of issuers. [[GH-15179](https://github.com/hashicorp/vault/pull/15179)]
-* secrets/pki: Fix handling of "any" key type with default zero signature bits value. [[GH-14875](https://github.com/hashicorp/vault/pull/14875)]
-* secrets/pki: Fixed bug where larger SHA-2 hashes were truncated with shorter ECDSA CA certificates [[GH-14943](https://github.com/hashicorp/vault/pull/14943)]
-* secrets/ssh: Convert role field not_before_duration to seconds before returning it [[GH-15559](https://github.com/hashicorp/vault/pull/15559)]
-* storage/raft (enterprise):  Auto-snapshot configuration now forbids slashes in file prefixes for all types, and "/" in path prefix for local storage type.  Strip leading prefix in path prefix for AWS.  Improve error handling/reporting.
-* storage/raft: Forward autopilot state requests on perf standbys to active node. [[GH-15493](https://github.com/hashicorp/vault/pull/15493)]
-* storage/raft: joining a node to a cluster now ignores any VAULT_NAMESPACE environment variable set on the server process [[GH-15519](https://github.com/hashicorp/vault/pull/15519)]
-* ui: Fix Generated Token's Policies helpText to clarify that comma separated values are not accepted in this field. [[GH-15046](https://github.com/hashicorp/vault/pull/15046)]
-* ui: Fix KV secret showing in the edit form after a user creates a new version but doesn't have read capabilities [[GH-14794](https://github.com/hashicorp/vault/pull/14794)]
-* ui: Fix inconsistent behavior in client count calendar widget [[GH-15789](https://github.com/hashicorp/vault/pull/15789)]
-* ui: Fix issue where metadata tab is hidden even though policy grants access [[GH-15824](https://github.com/hashicorp/vault/pull/15824)]
-* ui: Fix issue with KV not recomputing model when you changed versions. [[GH-14941](https://github.com/hashicorp/vault/pull/14941)]
-* ui: Fixed client count timezone for start and end months [[GH-15167](https://github.com/hashicorp/vault/pull/15167)]
-* ui: Fixed unsupported revocation statements field for DB roles [[GH-15573](https://github.com/hashicorp/vault/pull/15573)]
-* ui: Fixes edit auth method capabilities issue [[GH-14966](https://github.com/hashicorp/vault/pull/14966)]
-* ui: Fixes issue logging in with OIDC from a listed auth mounts tab [[GH-14916](https://github.com/hashicorp/vault/pull/14916)]
-* ui: Revert using localStorage in favor of sessionStorage [[GH-15769](https://github.com/hashicorp/vault/pull/15769)]
-* ui: Updated `leasId` to `leaseId` in the "Copy Credentials" section of "Generate AWS Credentials" [[GH-15685](https://github.com/hashicorp/vault/pull/15685)]
-* ui: fix firefox inability to recognize file format of client count csv export [[GH-15364](https://github.com/hashicorp/vault/pull/15364)]
-* ui: fix form validations ignoring default values and disabling submit button [[GH-15560](https://github.com/hashicorp/vault/pull/15560)]
-* ui: fix search-select component showing blank selections when editing group member entity [[GH-15058](https://github.com/hashicorp/vault/pull/15058)]
-* ui: masked values no longer give away length or location of special characters [[GH-15025](https://github.com/hashicorp/vault/pull/15025)]
-
-## 1.10.11
-### March 01, 2023
-
-SECURITY:
-
-* auth/approle: When using the Vault and Vault Enterprise (Vault) approle auth method, any authenticated user with access to the /auth/approle/role/:role_name/secret-id-accessor/destroy endpoint can destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability, CVE-2023-24999 has been fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above. [[HSEC-2023-07](https://discuss.hashicorp.com/t/hcsec-2023-07-vault-fails-to-verify-if-approle-secretid-belongs-to-role-during-a-destroy-operation/51305)]
-
-CHANGES:
-
-* core: Bump Go version to 1.19.6.
-
-IMPROVEMENTS:
-
-* secrets/database: Adds error message requiring password on root crednetial rotation. [[GH-19103](https://github.com/hashicorp/vault/pull/19103)]
-
-BUG FIXES:
-
-* auth/approle: Add nil check for the secret ID entry when deleting via secret id accessor preventing cross role secret id deletion [[GH-19186](https://github.com/hashicorp/vault/pull/19186)]
-* core (enterprise): Fix panic when using invalid accessor for control-group request
-* core: Prevent panics in `sys/leases/lookup`, `sys/leases/revoke`, and `sys/leases/renew` endpoints if provided `lease_id` is null [[GH-18951](https://github.com/hashicorp/vault/pull/18951)]
-* replication (enterprise): Fix bug where reloading external plugin on a secondary would
-break replication.
-* secrets/ad: Fix bug where config couldn't be updated unless binddn/bindpass were included in the update. [[GH-18209](https://github.com/hashicorp/vault/pull/18209)]
-* ui (enterprise): Fix cancel button from transform engine role creation page [[GH-19135](https://github.com/hashicorp/vault/pull/19135)]
-* ui: Fix bug where logging in via OIDC fails if browser is in fullscreen mode [[GH-19071](https://github.com/hashicorp/vault/pull/19071)]
-
-## 1.10.10
-### February 6, 2023
-
-CHANGES:
-
-* core: Bump Go version to 1.19.4.
-
-IMPROVEMENTS:
-
-* command/server: Environment variable keys are now logged at startup. [[GH-18125](https://github.com/hashicorp/vault/pull/18125)]
-* core/fips: use upstream toolchain for FIPS 140-2 compliance again; this will appear as X=boringcrypto on the Go version in Vault server logs.
-* secrets/db/mysql: Add `tls_server_name` and `tls_skip_verify` parameters [[GH-18799](https://github.com/hashicorp/vault/pull/18799)]
-* ui: Prepends "passcode=" if not provided in user input for duo totp mfa method authentication [[GH-18342](https://github.com/hashicorp/vault/pull/18342)]
-* ui: Update language on database role to "Connection name" [[GH-18261](https://github.com/hashicorp/vault/issues/18261)] [[GH-18350](https://github.com/hashicorp/vault/pull/18350)]
-
-BUG FIXES:
-
-* auth/approle: Fix `token_bound_cidrs` validation when using /32 blocks for role and secret ID [[GH-18145](https://github.com/hashicorp/vault/pull/18145)]
-* auth/token: Fix ignored parameter warnings for valid parameters on token create [[GH-16938](https://github.com/hashicorp/vault/pull/16938)]
-* cli/kv: skip formatting of nil secrets for patch and put with field parameter set [[GH-18163](https://github.com/hashicorp/vault/pull/18163)]
-* core (enterprise): Fix a race condition resulting in login errors to PKCS#11 modules under high concurrency.
-* core/managed-keys (enterprise): Limit verification checks to mounts in a key's namespace
-* core/quotas (enterprise): Fix a potential deadlock that could occur when using lease count quotas.
-* core/quotas: Fix issue with improper application of default rate limit quota exempt paths [[GH-18273](https://github.com/hashicorp/vault/pull/18273)]
-* core: fix bug where context cancellations weren't forwarded to active node from performance standbys.
-* core: prevent panic in login mfa enforcement delete after enforcement's namespace is deleted [[GH-18923](https://github.com/hashicorp/vault/pull/18923)]
-* database/mongodb: Fix writeConcern set to be applied to any query made on the database [[GH-18546](https://github.com/hashicorp/vault/pull/18546)]
-* identity (enterprise): Fix a data race when creating an entity for a local alias.
-* kmip (enterprise): Fix Destroy operation response that omitted Unique Identifier on some batched responses.
-* kmip (enterprise): Fix Locate operation response incompatibility with clients using KMIP versions prior to 1.3.
-* licensing (enterprise): update autoloaded license cache after reload
-* storage/raft (enterprise): Fix some storage-modifying RPCs used by perf standbys that weren't returning the resulting WAL state.
-* ui: fixes query parameters not passed in api explorer test requests [[GH-18743](https://github.com/hashicorp/vault/pull/18743)]
-
-## 1.10.9
-### November 30, 2022
-
-BUG FIXES:
-
-* auth: Deduplicate policies prior to ACL generation [[GH-17914](https://github.com/hashicorp/vault/pull/17914)]
-* core/quotas (enterprise): Fix a lock contention issue that could occur and cause Vault to become unresponsive when creating, changing, or deleting lease count quotas.
-* core: Fix potential deadlock if barrier ciphertext is less than 4 bytes. [[GH-17944](https://github.com/hashicorp/vault/pull/17944)]
-* core: fix a start up race condition where performance standbys could go into a
-  mount loop if default policies are not yet synced from the active node. [[GH-17801](https://github.com/hashicorp/vault/pull/17801)]
-* secrets/azure: add WAL to clean up role assignments if errors occur [[GH-18084](https://github.com/hashicorp/vault/pull/18084)]
-* secrets/gcp: Fixes duplicate service account key for rotate root on standby or secondary [[GH-18109](https://github.com/hashicorp/vault/pull/18109)]
-* ui: fix entity policies list link to policy show page [[GH-17950](https://github.com/hashicorp/vault/pull/17950)]
-
-## 1.10.8
-### November 2, 2022
-
-BUG FIXES:
-
-* core/managed-keys (enterprise): Return better error messages when encountering key creation failures
-* core/managed-keys (enterprise): fix panic when having `cache_disable` true
-* core: prevent memory leak when using control group factors in a policy [[GH-17532](https://github.com/hashicorp/vault/pull/17532)]
-* core: prevent panic during mfa after enforcement's namespace is deleted [[GH-17562](https://github.com/hashicorp/vault/pull/17562)]
-* login: Store token in tokenhelper for interactive login MFA [[GH-17040](https://github.com/hashicorp/vault/pull/17040)]
-* secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key [[GH-17328](https://github.com/hashicorp/vault/pull/17328)]
-* secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [[GH-17497](https://github.com/hashicorp/vault/pull/17497)]
-* ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [[GH-17661](https://github.com/hashicorp/vault/pull/17661)]
-
-## 1.10.7
-### September 30, 2022
-
-SECURITY:
-
-* secrets/pki: Vault’s TLS certificate auth method did not initially load the optionally-configured CRL issued by the role’s CA into memory on startup, resulting in the revocation list not being checked, if the CRL has not yet been retrieved. This vulnerability, CVE-2022-41316, is fixed in Vault 1.12.0, 1.11.4, 1.10.7, and 1.9.10. [[HSEC-2022-24](https://discuss.hashicorp.com/t/hcsec-2022-24-vaults-tls-cert-auth-method-only-loaded-crl-after-first-request/45483)]
-
-BUG FIXES:
-
-* auth/cert: Vault does not initially load the CRLs in cert auth unless the read/write CRL endpoint is hit. [[GH-17138](https://github.com/hashicorp/vault/pull/17138)]
-* core/quotas: Fix goroutine leak caused by the seal process not fully cleaning up Rate Limit Quotas. [[GH-17281](https://github.com/hashicorp/vault/pull/17281)]
-* core: Prevent two or more DR failovers from invalidating SSCT tokens generated on the previous primaries. [[GH-16956](https://github.com/hashicorp/vault/pull/16956)]
-* identity/oidc: Adds `claims_supported` to discovery document. [[GH-16992](https://github.com/hashicorp/vault/pull/16992)]
-* replication (enterprise): Fix data race in SaveCheckpoint()
-* secrets/transform (enterprise): Fix an issue loading tokenization transform configuration after a specific sequence of reconfigurations.
-* secrets/transform (enterprise): Fix persistence problem with tokenization store credentials.
-* ui: Fix lease force revoke action [[GH-16930](https://github.com/hashicorp/vault/pull/16930)]
-
-## 1.10.6
-### August 31, 2022
-
-SECURITY:
-
-* core: When entity aliases mapped to a single entity share the same alias name, but have different mount accessors, Vault can leak metadata between the aliases. This metadata leak may result in unexpected access if templated policies are using alias metadata for path names. This vulnerability, CVE-2022-40186, is fixed in 1.11.3, 1.10.6, and 1.9.9. [[HSEC-2022-18](https://discuss.hashicorp.com/t/hcsec-2022-18-vault-entity-alias-metadata-may-leak-between-aliases-with-the-same-name-assigned-to-the-same-entity/44550)]
-
-CHANGES:
-
-* core: Bump Go version to 1.17.13.
-
-IMPROVEMENTS:
-
-* identity/oidc: Adds the `client_secret_post` token endpoint authentication method. [[GH-16598](https://github.com/hashicorp/vault/pull/16598)]
-
-BUG FIXES:
-
-* auth/gcp: Fixes the ability to reset the configuration's credentials to use application default credentials. [[GH-16524](https://github.com/hashicorp/vault/pull/16524)]
-* command/debug: fix bug where monitor was not honoring configured duration [[GH-16834](https://github.com/hashicorp/vault/pull/16834)]
-* core/auth: Return a 403 instead of a 500 for a malformed SSCT [[GH-16112](https://github.com/hashicorp/vault/pull/16112)]
-* core: Increase the allowed concurrent gRPC streams over the cluster port. [[GH-16327](https://github.com/hashicorp/vault/pull/16327)]
-* database: Invalidate queue should cancel context first to avoid deadlock [[GH-15933](https://github.com/hashicorp/vault/pull/15933)]
-* identity/oidc: Change the `state` parameter of the Authorization Endpoint to optional. [[GH-16599](https://github.com/hashicorp/vault/pull/16599)]
-* identity/oidc: Detect invalid `redirect_uri` values sooner in validation of the
-Authorization Endpoint. [[GH-16601](https://github.com/hashicorp/vault/pull/16601)]
-* identity/oidc: Fixes validation of the `request` and `request_uri` parameters. [[GH-16600](https://github.com/hashicorp/vault/pull/16600)]
-* secrets/database: Fix a bug where the secret engine would queue up a lot of WAL deletes during startup. [[GH-16686](https://github.com/hashicorp/vault/pull/16686)]
-* secrets/gcp: Fixes duplicate static account key creation from performance secondary clusters. [[GH-16534](https://github.com/hashicorp/vault/pull/16534)]
-* storage/raft: Fix retry_join initialization failure [[GH-16550](https://github.com/hashicorp/vault/pull/16550)]
-* ui: Fix OIDC callback to accept namespace flag in different formats [[GH-16886](https://github.com/hashicorp/vault/pull/16886)]
-* ui: Fix issue logging in with JWT auth method [[GH-16466](https://github.com/hashicorp/vault/pull/16466)]
-* ui: Fix naming of permitted_dns_domains form parameter on CA creation (root generation and sign intermediate). [[GH-16739](https://github.com/hashicorp/vault/pull/16739)]
-
-SECURITY:
-
-* identity/entity: When entity aliases mapped to a single entity share the same alias name, but have different mount accessors, Vault can leak metadata between the aliases. This metadata leak may result in unexpected access if templated policies are using alias metadata for path names. [[HCSEC-2022-18](https://discuss.hashicorp.com/t/hcsec-2022-18-vault-entity-alias-metadata-may-leak-between-aliases-with-the-same-name-assigned-to-the-same-entity/44550)]
-
-## 1.10.5
-### July 21, 2022
-
-SECURITY:
-
-* storage/raft: Vault Enterprise (“Vault”) clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure. This vulnerability, CVE-2022-36129, was fixed in Vault 1.9.8, 1.10.5, and 1.11.1. [[HSEC-2022-15](https://discuss.hashicorp.com/t/hcsec-2022-15-vault-enterprise-does-not-verify-existing-voter-status-when-joining-an-integrated-storage-ha-node/42420)]
-
-CHANGES:
-
-* core/fips: Disable and warn about entropy augmentation in FIPS 140-2 Inside mode [[GH-15858](https://github.com/hashicorp/vault/pull/15858)]
-* core: Bump Go version to 1.17.12.
-
-IMPROVEMENTS:
-
-* core: Add `sys/loggers` and `sys/loggers/:name` endpoints to provide ability to modify logging verbosity [[GH-16111](https://github.com/hashicorp/vault/pull/16111)]
-* secrets/ssh: Allow additional text along with a template definition in defaultExtension value fields. [[GH-16018](https://github.com/hashicorp/vault/pull/16018)]
-
-BUG FIXES:
-
-* agent/template: Fix parsing error for the exec stanza [[GH-16231](https://github.com/hashicorp/vault/pull/16231)]
-* core/identity: Replicate member_entity_ids and policies in identity/group across nodes identically [[GH-16088](https://github.com/hashicorp/vault/pull/16088)]
-* core/replication (enterprise): Don't flush merkle tree pages to disk after losing active duty
-* core/seal: Fix possible keyring truncation when using the file backend. [[GH-15946](https://github.com/hashicorp/vault/pull/15946)]
-* core: Limit SSCT WAL checks on perf standbys to raft backends only [[GH-15879](https://github.com/hashicorp/vault/pull/15879)]
-* plugin/multiplexing: Fix panic when id doesn't exist in connection map [[GH-16094](https://github.com/hashicorp/vault/pull/16094)]
-* secret/pki: Do not fail validation with a legacy key_bits default value and key_type=any when signing CSRs [[GH-16246](https://github.com/hashicorp/vault/pull/16246)]
-* storage/raft (enterprise): Prevent unauthenticated voter status with rejoin [[GH-16324](https://github.com/hashicorp/vault/pull/16324)]
-* transform (enterprise): Fix a bug in the handling of nested or unmatched capture groups in FPE transformations.
-* ui: Fix issue where metadata tab is hidden even though policy grants access [[GH-15824](https://github.com/hashicorp/vault/pull/15824)]
-* ui: Revert using localStorage in favor of sessionStorage [[GH-16169](https://github.com/hashicorp/vault/pull/16169)]
-* ui: Updated `leasId` to `leaseId` in the "Copy Credentials" section of "Generate AWS Credentials" [[GH-15685](https://github.com/hashicorp/vault/pull/15685)]
-
-## 1.10.4
-### June 10, 2022
-
-CHANGES:
-
-* core: Bump Go version to 1.17.11. [[GH-go-ver-1104](https://github.com/hashicorp/vault/pull/go-ver-1104)]
-
-IMPROVEMENTS:
-
-* api/monitor: Add log_format option to allow for logs to be emitted in JSON format [[GH-15536](https://github.com/hashicorp/vault/pull/15536)]
-* auth: Globally scoped Login MFA method Get/List endpoints [[GH-15248](https://github.com/hashicorp/vault/pull/15248)]
-* auth: forward cached MFA auth response to the leader using RPC instead of forwarding all login requests [[GH-15469](https://github.com/hashicorp/vault/pull/15469)]
-* cli/debug: added support for retrieving metrics from DR clusters if `unauthenticated_metrics_access` is enabled [[GH-15316](https://github.com/hashicorp/vault/pull/15316)]
-* command/debug: Add log_format flag to allow for logs to be emitted in JSON format [[GH-15536](https://github.com/hashicorp/vault/pull/15536)]
-* core: Fix some identity data races found by Go race detector (no known impact yet). [[GH-15123](https://github.com/hashicorp/vault/pull/15123)]
-* storage/raft: Use larger timeouts at startup to reduce likelihood of inducing elections. [[GH-15042](https://github.com/hashicorp/vault/pull/15042)]
-* ui: Allow namespace param to be parsed from state queryParam [[GH-15378](https://github.com/hashicorp/vault/pull/15378)]
-
-BUG FIXES:
-
-* agent: Redact auto auth token from renew endpoints [[GH-15380](https://github.com/hashicorp/vault/pull/15380)]
-* auth/kubernetes: Fix error code when using the wrong service account [[GH-15585](https://github.com/hashicorp/vault/pull/15585)]
-* auth/ldap: The logic for setting the entity alias when `username_as_alias` is set
-has been fixed. The previous behavior would make a request to the LDAP server to
-get `user_attr` before discarding it and using the username instead. This would
-make it impossible for a user to connect if this attribute was missing or had
-multiple values, even though it would not be used anyway. This has been fixed
-and the username is now used without making superfluous LDAP searches. [[GH-15525](https://github.com/hashicorp/vault/pull/15525)]
-* auth: Fixed erroneous success message when using vault login in case of two-phase MFA [[GH-15428](https://github.com/hashicorp/vault/pull/15428)]
-* auth: Fixed erroneous token information being displayed when using vault login in case of two-phase MFA [[GH-15428](https://github.com/hashicorp/vault/pull/15428)]
-* auth: Fixed two-phase MFA information missing from table format when using vault login [[GH-15428](https://github.com/hashicorp/vault/pull/15428)]
-* auth: Prevent deleting a valid MFA method ID using the endpoint for a different MFA method type [[GH-15482](https://github.com/hashicorp/vault/pull/15482)]
-* core (enterprise): Fix overcounting of lease count quota usage at startup.
-* core: Prevent changing file permissions of audit logs when mode 0000 is used. [[GH-15759](https://github.com/hashicorp/vault/pull/15759)]
-* core: Prevent metrics generation from causing deadlocks. [[GH-15693](https://github.com/hashicorp/vault/pull/15693)]
-* core: fixed systemd reloading notification [[GH-15041](https://github.com/hashicorp/vault/pull/15041)]
-* mfa/okta: disable client side rate limiting causing delays in push notifications [[GH-15369](https://github.com/hashicorp/vault/pull/15369)]
-* storage/raft (enterprise):  Auto-snapshot configuration now forbids slashes in file prefixes for all types, and "/" in path prefix for local storage type.  Strip leading prefix in path prefix for AWS.  Improve error handling/reporting.
-* transform (enterprise): Fix non-overridable column default value causing tokenization tokens to expire prematurely when using the MySQL storage backend.
-* ui: Fix inconsistent behavior in client count calendar widget [[GH-15789](https://github.com/hashicorp/vault/pull/15789)]
-* ui: Fixed client count timezone for start and end months [[GH-15167](https://github.com/hashicorp/vault/pull/15167)]
-* ui: fix firefox inability to recognize file format of client count csv export [[GH-15364](https://github.com/hashicorp/vault/pull/15364)]
-
-## 1.10.3
-### May 11, 2022
-
-SECURITY:
-* auth: A vulnerability was identified in Vault and Vault Enterprise (“Vault”) from 1.10.0 to 1.10.2 where MFA may not be enforced on user logins after a server restart. This vulnerability, CVE-2022-30689, was fixed in Vault 1.10.3.
-
-BUG FIXES:
-
-* auth: load login MFA configuration upon restart [[GH-15261](https://github.com/hashicorp/vault/pull/15261)]
-* core/config: Only ask the system about network interfaces when address configs contain a template having the format: {{ ... }} [[GH-15224](https://github.com/hashicorp/vault/pull/15224)]
-* core: pre-calculate namespace specific paths when tainting a route during postUnseal [[GH-15067](https://github.com/hashicorp/vault/pull/15067)]
-
-## 1.10.2
-### April 29, 2022
-
-BUG FIXES:
-
-* raft: fix Raft TLS key rotation panic that occurs if active key is more than 24 hours old [[GH-15156](https://github.com/hashicorp/vault/pull/15156)]
-* sdk: Fix OpenApi spec generator to properly convert TypeInt64 to OAS supported int64 [[GH-15104](https://github.com/hashicorp/vault/pull/15104)]
-
-## 1.10.1
-### April 22, 2022
-
-CHANGES:
-
-* core: A request that fails path validation due to relative path check will now be responded to with a 400 rather than 500. [[GH-14328](https://github.com/hashicorp/vault/pull/14328)]
-* core: Bump Go version to 1.17.9. [[GH-15044](https://github.com/hashicorp/vault/pull/15044)]
-
-IMPROVEMENTS:
-
-* agent: Upgrade hashicorp/consul-template version for sprig template functions and improved writeTo function [[GH-15092](https://github.com/hashicorp/vault/pull/15092)]
-* auth: enforce a rate limit for TOTP passcode validation attempts [[GH-14864](https://github.com/hashicorp/vault/pull/14864)]
-* cli/vault: warn when policy name contains upper-case letter [[GH-14670](https://github.com/hashicorp/vault/pull/14670)]
-* cockroachdb: add high-availability support [[GH-12965](https://github.com/hashicorp/vault/pull/12965)]
-* sentinel (enterprise): Upgrade sentinel to [v0.18.5](https://docs.hashicorp.com/sentinel/changelog#0-18-5-january-14-2022) to avoid potential naming collisions in the remote installer
-
-BUG FIXES:
-
-* Fixed panic when adding or modifying a Duo MFA Method in Enterprise
-* agent: Fix log level mismatch between ERR and ERROR [[GH-14424](https://github.com/hashicorp/vault/pull/14424)]
-* api/sys/raft: Update RaftSnapshotRestore to use net/http client allowing bodies larger than allocated memory to be streamed [[GH-14269](https://github.com/hashicorp/vault/pull/14269)]
-* api: Respect increment value in grace period calculations in LifetimeWatcher [[GH-14836](https://github.com/hashicorp/vault/pull/14836)]
-* auth/approle: Add maximum length for input values that result in SHA56 HMAC calculation [[GH-14746](https://github.com/hashicorp/vault/pull/14746)]
-* auth: forward requests subject to login MFA from perfStandby to Active node [[GH-15009](https://github.com/hashicorp/vault/pull/15009)]
-* cassandra: Update gocql Cassandra client to fix "no hosts available in the pool" error [[GH-14973](https://github.com/hashicorp/vault/pull/14973)]
-* cli: Fix panic caused by parsing key=value fields whose value is a single backslash [[GH-14523](https://github.com/hashicorp/vault/pull/14523)]
-* core (enterprise): Allow local alias create RPCs to persist alias metadata [[GH-changelog:_2747](https://github.com/hashicorp/vault/pull/changelog:_2747)]
-* core/managed-keys (enterprise): Allow PKCS#11 managed keys to use 0 as a slot number
-* core/metrics: Fix incorrect table size metric for local mounts [[GH-14755](https://github.com/hashicorp/vault/pull/14755)]
-* core: Fix panic caused by parsing JSON integers for fields defined as comma-delimited integers [[GH-15072](https://github.com/hashicorp/vault/pull/15072)]
-* core: Fix panic caused by parsing JSON integers for fields defined as comma-delimited strings [[GH-14522](https://github.com/hashicorp/vault/pull/14522)]
-* core: Fix panic caused by parsing policies with empty slice values. [[GH-14501](https://github.com/hashicorp/vault/pull/14501)]
-* core: Fix panic for help request URL paths without /v1/ prefix [[GH-14704](https://github.com/hashicorp/vault/pull/14704)]
-* core: fixing excessive unix file permissions [[GH-14791](https://github.com/hashicorp/vault/pull/14791)]
-* core: fixing excessive unix file permissions on dir, files and archive created by vault debug command [[GH-14846](https://github.com/hashicorp/vault/pull/14846)]
-* core: report unused or redundant keys in server configuration [[GH-14752](https://github.com/hashicorp/vault/pull/14752)]
-* core: time.After() used in a select statement can lead to memory leak [[GH-14814](https://github.com/hashicorp/vault/pull/14814)]
-* raft: Ensure initialMmapSize is set to 0 on Windows [[GH-14977](https://github.com/hashicorp/vault/pull/14977)]
-* replication (enterprise): fix panic due to missing entity during invalidation of local aliases. [[GH-14622](https://github.com/hashicorp/vault/pull/14622)]
-* secrets/database: Ensure that a `connection_url` password is redacted in all cases. [[GH-14744](https://github.com/hashicorp/vault/pull/14744)]
-* secrets/pki: Fix handling of "any" key type with default zero signature bits value. [[GH-14875](https://github.com/hashicorp/vault/pull/14875)]
-* secrets/pki: Fixed bug where larger SHA-2 hashes were truncated with shorter ECDSA CA certificates [[GH-14943](https://github.com/hashicorp/vault/pull/14943)]
-* ui: Fix Generated Token's Policies helpText to clarify that comma separated values are not excepted in this field. [[GH-15046](https://github.com/hashicorp/vault/pull/15046)]
-* ui: Fixes edit auth method capabilities issue [[GH-14966](https://github.com/hashicorp/vault/pull/14966)]
-* ui: Fixes issue logging in with OIDC from a listed auth mounts tab [[GH-14916](https://github.com/hashicorp/vault/pull/14916)]
-* ui: fix search-select component showing blank selections when editing group member entity [[GH-15058](https://github.com/hashicorp/vault/pull/15058)]
-* ui: masked values no longer give away length or location of special characters [[GH-15025](https://github.com/hashicorp/vault/pull/15025)]
-
-## 1.10.0
-### March 23, 2022
-
-CHANGES:
-
-* core (enterprise): requests with newly generated tokens to perf standbys which are lagging behind the active node return http 412 instead of 400/403/50x.
-* core: Changes the unit of `default_lease_ttl` and `max_lease_ttl` values returned by
-the `/sys/config/state/sanitized` endpoint from nanoseconds to seconds. [[GH-14206](https://github.com/hashicorp/vault/pull/14206)]
-* core: Bump Go version to 1.17.7. [[GH-14232](https://github.com/hashicorp/vault/pull/14232)]
-* plugin/database: The return value from `POST /database/config/:name` has been updated to "204 No Content" [[GH-14033](https://github.com/hashicorp/vault/pull/14033)]
-* secrets/azure: Changes the configuration parameter `use_microsoft_graph_api` to use the Microsoft
-Graph API by default. [[GH-14130](https://github.com/hashicorp/vault/pull/14130)]
-* storage/etcd: Remove support for v2. [[GH-14193](https://github.com/hashicorp/vault/pull/14193)]
-* ui: Upgrade Ember to version 3.24 [[GH-13443](https://github.com/hashicorp/vault/pull/13443)]
-
-FEATURES:
-
-* **Database plugin multiplexing**: manage multiple database connections with a single plugin process [[GH-14033](https://github.com/hashicorp/vault/pull/14033)]
-* **Login MFA**: Single and two phase MFA is now available when authenticating to Vault. [[GH-14025](https://github.com/hashicorp/vault/pull/14025)]
-* **Mount Migration**: Vault supports moving secrets and auth mounts both within and across namespaces.
-* **Postgres in the UI**: Postgres DB is now supported by the UI [[GH-12945](https://github.com/hashicorp/vault/pull/12945)]
-* **Report in-flight requests**: Adding a trace capability to show in-flight requests, and a new gauge metric to show the total number of in-flight requests [[GH-13024](https://github.com/hashicorp/vault/pull/13024)]
-* **Server Side Consistent Tokens**: Service tokens have been updated to be longer (a minimum of 95 bytes) and token prefixes for all token types are updated from s., b., and r. to hvs., hvb., and hvr. for service, batch, and recovery tokens respectively. Vault clusters with integrated storage will now have read-after-write consistency by default. [[GH-14109](https://github.com/hashicorp/vault/pull/14109)]
-* **Transit SHA-3 Support**: Add support for SHA-3 in the Transit backend. [[GH-13367](https://github.com/hashicorp/vault/pull/13367)]
-* **Transit Time-Based Key Autorotation**: Add support for automatic, time-based key rotation to transit secrets engine, including in the UI. [[GH-13691](https://github.com/hashicorp/vault/pull/13691)]
-* **UI Client Count Improvements**: Restructures client count dashboard, making use of billing start date to improve accuracy. Adds mount-level distribution and filtering. [[GH-client-counts](https://github.com/hashicorp/vault/pull/client-counts)]
-* **Agent Telemetry**: The Vault Agent can now collect and return telemetry information at the `/agent/v1/metrics` endpoint.
-
-IMPROVEMENTS:
-
-* agent: Adds ability to configure specific user-assigned managed identities for Azure auto-auth. [[GH-14214](https://github.com/hashicorp/vault/pull/14214)]
-* agent: The `agent/v1/quit` endpoint can now be used to stop the Vault Agent remotely [[GH-14223](https://github.com/hashicorp/vault/pull/14223)]
-* api: Allow cloning `api.Client` tokens via `api.Config.CloneToken` or `api.Client.SetCloneToken()`. [[GH-13515](https://github.com/hashicorp/vault/pull/13515)]
-* api: Define constants for X-Vault-Forward and X-Vault-Inconsistent headers [[GH-14067](https://github.com/hashicorp/vault/pull/14067)]
-* api: Implements Login method in Go client libraries for GCP and Azure auth methods [[GH-13022](https://github.com/hashicorp/vault/pull/13022)]
-* api: Implements Login method in Go client libraries for LDAP auth methods [[GH-13841](https://github.com/hashicorp/vault/pull/13841)]
-* api: Trim newline character from wrapping token in logical.Unwrap from the api package [[GH-13044](https://github.com/hashicorp/vault/pull/13044)]
-* api: add api method for modifying raft autopilot configuration [[GH-12428](https://github.com/hashicorp/vault/pull/12428)]
-* api: respect WithWrappingToken() option during AppRole login authentication when used with secret ID specified from environment or from string [[GH-13241](https://github.com/hashicorp/vault/pull/13241)]
-* audit: The audit logs now contain the port used by the client [[GH-12790](https://github.com/hashicorp/vault/pull/12790)]
-* auth/aws: Enable region detection in the CLI by specifying the region as `auto` [[GH-14051](https://github.com/hashicorp/vault/pull/14051)]
-* auth/cert: Add certificate extensions as metadata [[GH-13348](https://github.com/hashicorp/vault/pull/13348)]
-* auth/jwt: The Authorization Code flow makes use of the Proof Key for Code Exchange (PKCE) extension. [[GH-13365](https://github.com/hashicorp/vault/pull/13365)]
-* auth/kubernetes: Added support for dynamically reloading short-lived tokens for better Kubernetes 1.21+ compatibility [[GH-13595](https://github.com/hashicorp/vault/pull/13595)]
-* auth/ldap: Add a response warning and server log whenever the config is accessed
-if `userfilter` doesn't consider `userattr` [[GH-14095](https://github.com/hashicorp/vault/pull/14095)]
-* auth/ldap: Add username to alias metadata [[GH-13669](https://github.com/hashicorp/vault/pull/13669)]
-* auth/ldap: Add username_as_alias configurable to change how aliases are named [[GH-14324](https://github.com/hashicorp/vault/pull/14324)]
-* auth/okta: Update [okta-sdk-golang](https://github.com/okta/okta-sdk-golang) dependency to version v2.9.1 for improved request backoff handling [[GH-13439](https://github.com/hashicorp/vault/pull/13439)]
-* auth/token: The `auth/token/revoke-accessor` endpoint is now idempotent and will
-not error out if the token has already been revoked. [[GH-13661](https://github.com/hashicorp/vault/pull/13661)]
-* auth: reading `sys/auth/:path` now returns the configuration for the auth engine mounted at the given path [[GH-12793](https://github.com/hashicorp/vault/pull/12793)]
-* cli: interactive CLI for login mfa [[GH-14131](https://github.com/hashicorp/vault/pull/14131)]
-* command (enterprise): "vault license get" now uses non-deprecated endpoint /sys/license/status
-* core/ha: Add new mechanism for keeping track of peers talking to active node, and new 'operator members' command to view them. [[GH-13292](https://github.com/hashicorp/vault/pull/13292)]
-* core/identity: Support updating an alias' `custom_metadata` to be empty. [[GH-13395](https://github.com/hashicorp/vault/pull/13395)]
-* core/pki: Support Y10K value in notAfter field to be compliant with IEEE 802.1AR-2018 standard [[GH-12795](https://github.com/hashicorp/vault/pull/12795)]
-* core/pki: Support Y10K value in notAfter field when signing non-CA certificates [[GH-13736](https://github.com/hashicorp/vault/pull/13736)]
-* core: Add duration and start_time to completed requests log entries [[GH-13682](https://github.com/hashicorp/vault/pull/13682)]
-* core: Add support to list password policies at `sys/policies/password` [[GH-12787](https://github.com/hashicorp/vault/pull/12787)]
-* core: Add support to list version history via API at `sys/version-history` and via CLI with `vault version-history` [[GH-13766](https://github.com/hashicorp/vault/pull/13766)]
-* core: Fixes code scanning alerts [[GH-13667](https://github.com/hashicorp/vault/pull/13667)]
-* core: Periodically test the health of connectivity to auto-seal backends [[GH-13078](https://github.com/hashicorp/vault/pull/13078)]
-* core: Reading `sys/mounts/:path` now returns the configuration for the secret engine at the given path [[GH-12792](https://github.com/hashicorp/vault/pull/12792)]
-* core: Replace "master key" terminology with "root key" [[GH-13324](https://github.com/hashicorp/vault/pull/13324)]
-* core: Small changes to ensure goroutines terminate in tests [[GH-14197](https://github.com/hashicorp/vault/pull/14197)]
-* core: Systemd unit file included with the Linux packages now sets the service type to notify. [[GH-14385](https://github.com/hashicorp/vault/pull/14385)]
-* core: Update github.com/prometheus/client_golang to fix security vulnerability CVE-2022-21698. [[GH-14190](https://github.com/hashicorp/vault/pull/14190)]
-* core: Vault now supports the PROXY protocol v2. Support for UNKNOWN connections
-has also been added to the PROXY protocol v1. [[GH-13540](https://github.com/hashicorp/vault/pull/13540)]
-* http (enterprise): Serve /sys/license/status endpoint within namespaces
-* identity/oidc: Adds a default OIDC provider [[GH-14119](https://github.com/hashicorp/vault/pull/14119)]
-* identity/oidc: Adds a default key for OIDC clients [[GH-14119](https://github.com/hashicorp/vault/pull/14119)]
-* identity/oidc: Adds an `allow_all` assignment that permits all entities to authenticate via an OIDC client [[GH-14119](https://github.com/hashicorp/vault/pull/14119)]
-* identity/oidc: Adds proof key for code exchange (PKCE) support to OIDC providers. [[GH-13917](https://github.com/hashicorp/vault/pull/13917)]
-* sdk: Add helper for decoding root tokens [[GH-10505](https://github.com/hashicorp/vault/pull/10505)]
-* secrets/azure: Adds support for rotate-root. [#70](https://github.com/hashicorp/vault-plugin-secrets-azure/pull/70) [[GH-13034](https://github.com/hashicorp/vault/pull/13034)]
-* secrets/consul: Add support for consul enterprise namespaces and admin partitions. [[GH-13850](https://github.com/hashicorp/vault/pull/13850)]
-* secrets/consul: Add support for consul roles. [[GH-14014](https://github.com/hashicorp/vault/pull/14014)]
-* secrets/database/influxdb: Switch/upgrade to the `influxdb1-client` module [[GH-12262](https://github.com/hashicorp/vault/pull/12262)]
-* secrets/database: Add database configuration parameter 'disable_escaping' for username and password when connecting to a database. [[GH-13414](https://github.com/hashicorp/vault/pull/13414)]
-* secrets/kv: add full secret path output to table-formatted responses [[GH-14301](https://github.com/hashicorp/vault/pull/14301)]
-* secrets/kv: add patch support for KVv2 key metadata [[GH-13215](https://github.com/hashicorp/vault/pull/13215)]
-* secrets/kv: add subkeys endpoint to retrieve a secret's stucture without its values [[GH-13893](https://github.com/hashicorp/vault/pull/13893)]
-* secrets/pki: Add ability to fetch individual certificate as DER or PEM [[GH-10948](https://github.com/hashicorp/vault/pull/10948)]
-* secrets/pki: Add count and duration metrics to PKI issue and revoke calls. [[GH-13889](https://github.com/hashicorp/vault/pull/13889)]
-* secrets/pki: Add error handling for error types other than UserError or InternalError [[GH-14195](https://github.com/hashicorp/vault/pull/14195)]
-* secrets/pki: Allow URI SAN templates in allowed_uri_sans when allowed_uri_sans_template is set to true. [[GH-10249](https://github.com/hashicorp/vault/pull/10249)]
-* secrets/pki: Allow other_sans in sign-intermediate and sign-verbatim [[GH-13958](https://github.com/hashicorp/vault/pull/13958)]
-* secrets/pki: Calculate the Subject Key Identifier as suggested in [RFC 5280, Section 4.2.1.2](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2). [[GH-11218](https://github.com/hashicorp/vault/pull/11218)]
-* secrets/pki: Restrict issuance of wildcard certificates via role parameter (`allow_wildcard_certificates`) [[GH-14238](https://github.com/hashicorp/vault/pull/14238)]
-* secrets/pki: Return complete chain (in `ca_chain` field) on calls to `pki/cert/ca_chain` [[GH-13935](https://github.com/hashicorp/vault/pull/13935)]
-* secrets/pki: Use application/pem-certificate-chain for PEM certificates, application/x-pem-file for PEM CRLs [[GH-13927](https://github.com/hashicorp/vault/pull/13927)]
-* secrets/pki: select appropriate signature algorithm for ECDSA signature on certificates. [[GH-11216](https://github.com/hashicorp/vault/pull/11216)]
-* secrets/ssh: Add support for generating non-RSA SSH CAs [[GH-14008](https://github.com/hashicorp/vault/pull/14008)]
-* secrets/ssh: Allow specifying multiple approved key lengths for a single algorithm [[GH-13991](https://github.com/hashicorp/vault/pull/13991)]
-* secrets/ssh: Use secure default for algorithm signer (rsa-sha2-256) with RSA SSH CA keys on new roles [[GH-14006](https://github.com/hashicorp/vault/pull/14006)]
-* secrets/transit: Don't abort transit encrypt or decrypt batches on single item failure. [[GH-13111](https://github.com/hashicorp/vault/pull/13111)]
-* storage/aerospike: Upgrade `aerospike-client-go` to v5.6.0. [[GH-12165](https://github.com/hashicorp/vault/pull/12165)]
-* storage/raft: Set InitialMmapSize to 100GB on 64bit architectures [[GH-13178](https://github.com/hashicorp/vault/pull/13178)]
-* storage/raft: When using retry_join stanzas, join against all of them in parallel. [[GH-13606](https://github.com/hashicorp/vault/pull/13606)]
-* sys/raw: Enhance sys/raw to read and write values that cannot be encoded in json. [[GH-13537](https://github.com/hashicorp/vault/pull/13537)]
-* ui: Add support for ECDSA and Ed25519 certificate views [[GH-13894](https://github.com/hashicorp/vault/pull/13894)]
-* ui: Add version diff view for KV V2 [[GH-13000](https://github.com/hashicorp/vault/pull/13000)]
-* ui: Added client side paging for namespace list view [[GH-13195](https://github.com/hashicorp/vault/pull/13195)]
-* ui: Adds flight icons to UI [[GH-12976](https://github.com/hashicorp/vault/pull/12976)]
-* ui: Adds multi-factor authentication support [[GH-14049](https://github.com/hashicorp/vault/pull/14049)]
-* ui: Allow static role credential rotation in Database secrets engines [[GH-14268](https://github.com/hashicorp/vault/pull/14268)]
-* ui: Display badge for all versions in secrets engine header [[GH-13015](https://github.com/hashicorp/vault/pull/13015)]
-* ui: Swap browser localStorage in favor of sessionStorage [[GH-14054](https://github.com/hashicorp/vault/pull/14054)]
-* ui: The integrated web terminal now accepts both `-f` and `--force` as aliases
-for `-force` for the `write` command. [[GH-13683](https://github.com/hashicorp/vault/pull/13683)]
-* ui: Transform advanced templating with encode/decode format support [[GH-13908](https://github.com/hashicorp/vault/pull/13908)]
-* ui: Updates ember blueprints to glimmer components [[GH-13149](https://github.com/hashicorp/vault/pull/13149)]
-* ui: customizes empty state messages for transit and transform [[GH-13090](https://github.com/hashicorp/vault/pull/13090)]
-
-BUG FIXES:
-
-* Fixed bug where auth method only considers system-identity when multiple identities are available. [#50](https://github.com/hashicorp/vault-plugin-auth-azure/pull/50) [[GH-14138](https://github.com/hashicorp/vault/pull/14138)]
-* activity log (enterprise): allow partial monthly client count to be accessed from namespaces [[GH-13086](https://github.com/hashicorp/vault/pull/13086)]
-* agent: Fixes bug where vault agent is unaware of the namespace in the config when wrapping token
-* api/client: Fixes an issue where the `replicateStateStore` was being set to `nil` upon consecutive calls to `client.SetReadYourWrites(true)`. [[GH-13486](https://github.com/hashicorp/vault/pull/13486)]
-* auth/approle: Fix regression where unset cidrlist is returned as nil instead of zero-length array. [[GH-13235](https://github.com/hashicorp/vault/pull/13235)]
-* auth/approle: Fix wrapping of nil errors in `login` endpoint [[GH-14107](https://github.com/hashicorp/vault/pull/14107)]
-* auth/github: Use the Organization ID instead of the Organization name to verify the org membership. [[GH-13332](https://github.com/hashicorp/vault/pull/13332)]
-* auth/kubernetes: Properly handle the migration of role storage entries containing an empty `alias_name_source` [[GH-13925](https://github.com/hashicorp/vault/pull/13925)]
-* auth/kubernetes: ensure valid entity alias names created for projected volume tokens [[GH-14144](https://github.com/hashicorp/vault/pull/14144)]
-* auth/oidc: Fixes OIDC auth from the Vault UI when using the implicit flow and `form_post` response mode. [[GH-13492](https://github.com/hashicorp/vault/pull/13492)]
-* cli: Fix using kv patch with older server versions that don't support HTTP PATCH. [[GH-13615](https://github.com/hashicorp/vault/pull/13615)]
-* core (enterprise): Fix a data race in logshipper.
-* core (enterprise): Workaround AWS CloudHSM v5 SDK issue not allowing read-only sessions
-* core/api: Fix overwriting of request headers when using JSONMergePatch. [[GH-14222](https://github.com/hashicorp/vault/pull/14222)]
-* core/identity: Address a data race condition between local updates to aliases and invalidations [[GH-13093](https://github.com/hashicorp/vault/pull/13093)]
-* core/identity: Address a data race condition between local updates to aliases and invalidations [[GH-13476](https://github.com/hashicorp/vault/pull/13476)]
-* core/token: Fix null token panic from 'v1/auth/token/' endpoints and return proper error response. [[GH-13233](https://github.com/hashicorp/vault/pull/13233)]
-* core/token: Fix null token_type panic resulting from 'v1/auth/token/roles/{role_name}' endpoint [[GH-13236](https://github.com/hashicorp/vault/pull/13236)]
-* core: Fix warnings logged on perf standbys re stored versions [[GH-13042](https://github.com/hashicorp/vault/pull/13042)]
-* core: `-output-curl-string` now properly sets cURL options for client and CA
-certificates. [[GH-13660](https://github.com/hashicorp/vault/pull/13660)]
-* core: add support for go-sockaddr templates in the top-level cluster_addr field [[GH-13678](https://github.com/hashicorp/vault/pull/13678)]
-* core: authentication to "login" endpoint for non-existent mount path returns permission denied with status code 403 [[GH-13162](https://github.com/hashicorp/vault/pull/13162)]
-* core: revert some unintentionally downgraded dependencies from 1.9.0-rc1 [[GH-13168](https://github.com/hashicorp/vault/pull/13168)]
-* ha (enterprise): Prevents performance standby nodes from serving and caching stale data immediately after performance standby election completes
-* http (enterprise): Always forward internal/counters endpoints from perf standbys to active node
-* http:Fix /sys/monitor endpoint returning streaming not supported [[GH-13200](https://github.com/hashicorp/vault/pull/13200)]
-* identity/oidc: Adds support for port-agnostic validation of loopback IP redirect URIs. [[GH-13871](https://github.com/hashicorp/vault/pull/13871)]
-* identity/oidc: Check for a nil signing key on rotation to prevent panics. [[GH-13716](https://github.com/hashicorp/vault/pull/13716)]
-* identity/oidc: Fixes inherited group membership when evaluating client assignments [[GH-14013](https://github.com/hashicorp/vault/pull/14013)]
-* identity/oidc: Fixes potential write to readonly storage on performance secondary clusters during key rotation [[GH-14426](https://github.com/hashicorp/vault/pull/14426)]
-* identity/oidc: Make the `nonce` parameter optional for the Authorization Endpoint of OIDC providers. [[GH-13231](https://github.com/hashicorp/vault/pull/13231)]
-* identity/token: Fixes a bug where duplicate public keys could appear in the .well-known JWKS [[GH-14543](https://github.com/hashicorp/vault/pull/14543)]
-* identity: Fix possible nil pointer dereference. [[GH-13318](https://github.com/hashicorp/vault/pull/13318)]
-* identity: Fix regression preventing startup when aliases were created pre-1.9. [[GH-13169](https://github.com/hashicorp/vault/pull/13169)]
-* identity: Fixes a panic in the OIDC key rotation due to a missing nil check. [[GH-13298](https://github.com/hashicorp/vault/pull/13298)]
-* kmip (enterprise): Fix locate by name operations fail to find key after a rekey operation.
-* licensing (enterprise): Revert accidental inclusion of the TDE feature from the `prem` build.
-* metrics/autosnapshots (enterprise) : Fix bug that could cause
-vault.autosnapshots.save.errors to not be incremented when there is an
-autosnapshot save error.
-* physical/mysql: Create table with wider `vault_key` column when initializing database tables. [[GH-14231](https://github.com/hashicorp/vault/pull/14231)]
-* plugin/couchbase: Fix an issue in which the locking patterns did not allow parallel requests. [[GH-13033](https://github.com/hashicorp/vault/pull/13033)]
-* replication (enterprise): When using encrypted secondary tokens, only clear the
-private key after a successful connection to the primary cluster
-* sdk/framework: Generate proper OpenAPI specs for path patterns that use an alternation as the root. [[GH-13487](https://github.com/hashicorp/vault/pull/13487)]
-* sdk/helper/ldaputil: properly escape a trailing escape character to prevent panics. [[GH-13452](https://github.com/hashicorp/vault/pull/13452)]
-* sdk/queue: move lock before length check to prevent panics. [[GH-13146](https://github.com/hashicorp/vault/pull/13146)]
-* sdk: Fixes OpenAPI to distinguish between paths that can do only List, or both List and Read. [[GH-13643](https://github.com/hashicorp/vault/pull/13643)]
-* secrets/azure: Fixed bug where Azure environment did not change Graph URL [[GH-13973](https://github.com/hashicorp/vault/pull/13973)]
-* secrets/azure: Fixes service principal generation when assigning roles that have [DataActions](https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions#dataactions). [[GH-13277](https://github.com/hashicorp/vault/pull/13277)]
-* secrets/azure: Fixes the [rotate root](https://www.vaultproject.io/api-docs/secret/azure#rotate-root)
-operation for upgraded configurations with a `root_password_ttl` of zero. [[GH-14130](https://github.com/hashicorp/vault/pull/14130)]
-* secrets/database/cassandra: change connect_timeout to 5s as documentation says [[GH-12443](https://github.com/hashicorp/vault/pull/12443)]
-* secrets/database/mssql: Accept a boolean for `contained_db`, rather than just a string. [[GH-13469](https://github.com/hashicorp/vault/pull/13469)]
-* secrets/gcp: Fixed bug where error was not reported for invalid bindings [[GH-13974](https://github.com/hashicorp/vault/pull/13974)]
-* secrets/gcp: Fixes role bindings for BigQuery dataset resources. [[GH-13548](https://github.com/hashicorp/vault/pull/13548)]
-* secrets/openldap: Fix panic from nil logger in backend [[GH-14171](https://github.com/hashicorp/vault/pull/14171)]
-* secrets/pki: Default value for key_bits changed to 0, enabling key_type=ec key generation with default value [[GH-13080](https://github.com/hashicorp/vault/pull/13080)]
-* secrets/pki: Fix issuance of wildcard certificates matching glob patterns [[GH-14235](https://github.com/hashicorp/vault/pull/14235)]
-* secrets/pki: Fix regression causing performance secondaries to forward certificate generation to the primary. [[GH-13759](https://github.com/hashicorp/vault/pull/13759)]
-* secrets/pki: Fix regression causing performance secondaries to forward certificate generation to the primary. [[GH-2456](https://github.com/hashicorp/vault/pull/2456)]
-* secrets/pki: Fixes around NIST P-curve signature hash length, default value for signature_bits changed to 0. [[GH-12872](https://github.com/hashicorp/vault/pull/12872)]
-* secrets/pki: Recognize ed25519 when requesting a response in PKCS8 format [[GH-13257](https://github.com/hashicorp/vault/pull/13257)]
-* secrets/pki: Skip signature bits validation for ed25519 curve key type [[GH-13254](https://github.com/hashicorp/vault/pull/13254)]
-* secrets/transit: Ensure that Vault does not panic for invalid nonce size when we aren't in convergent encryption mode. [[GH-13690](https://github.com/hashicorp/vault/pull/13690)]
-* secrets/transit: Return an error if any required parameter is missing. [[GH-14074](https://github.com/hashicorp/vault/pull/14074)]
-* storage/raft: Fix a panic when trying to store a key > 32KB in a transaction. [[GH-13286](https://github.com/hashicorp/vault/pull/13286)]
-* storage/raft: Fix a panic when trying to write a key > 32KB [[GH-13282](https://github.com/hashicorp/vault/pull/13282)]
-* storage/raft: Fix issues allowing invalid nodes to become leadership candidates. [[GH-13703](https://github.com/hashicorp/vault/pull/13703)]
-* storage/raft: Fix regression in 1.9.0-rc1 that changed how time is represented in Raft logs; this prevented using a raft db created pre-1.9. [[GH-13165](https://github.com/hashicorp/vault/pull/13165)]
-* storage/raft: On linux, use map_populate for bolt files to improve startup time. [[GH-13573](https://github.com/hashicorp/vault/pull/13573)]
-* storage/raft: Units for bolt metrics now given in milliseconds instead of nanoseconds [[GH-13749](https://github.com/hashicorp/vault/pull/13749)]
-* ui: Adds pagination to auth methods list view [[GH-13054](https://github.com/hashicorp/vault/pull/13054)]
-* ui: Do not show verify connection value on database connection config page [[GH-13152](https://github.com/hashicorp/vault/pull/13152)]
-* ui: Fix client count current month data not showing unless monthly history data exists [[GH-13396](https://github.com/hashicorp/vault/pull/13396)]
-* ui: Fix default TTL display and set on database role [[GH-14224](https://github.com/hashicorp/vault/pull/14224)]
-* ui: Fix incorrect validity message on transit secrets engine [[GH-14233](https://github.com/hashicorp/vault/pull/14233)]
-* ui: Fix issue where UI incorrectly handled API errors when mounting backends [[GH-14551](https://github.com/hashicorp/vault/pull/14551)]
-* ui: Fix kv engine access bug [[GH-13872](https://github.com/hashicorp/vault/pull/13872)]
-* ui: Fixes breadcrumb bug for secrets navigation [[GH-13604](https://github.com/hashicorp/vault/pull/13604)]
-* ui: Fixes caching issue on kv new version create [[GH-14489](https://github.com/hashicorp/vault/pull/14489)]
-* ui: Fixes displaying empty masked values in PKI engine [[GH-14400](https://github.com/hashicorp/vault/pull/14400)]
-* ui: Fixes horizontal bar chart hover issue when filtering namespaces and mounts [[GH-14493](https://github.com/hashicorp/vault/pull/14493)]
-* ui: Fixes issue logging out with wrapped token query parameter [[GH-14329](https://github.com/hashicorp/vault/pull/14329)]
-* ui: Fixes issue removing raft storage peer via cli not reflected in UI until refresh [[GH-13098](https://github.com/hashicorp/vault/pull/13098)]
-* ui: Fixes issue restoring raft storage snapshot [[GH-13107](https://github.com/hashicorp/vault/pull/13107)]
-* ui: Fixes issue saving KMIP role correctly [[GH-13585](https://github.com/hashicorp/vault/pull/13585)]
-* ui: Fixes issue with OIDC auth workflow when using MetaMask Chrome extension [[GH-13133](https://github.com/hashicorp/vault/pull/13133)]
-* ui: Fixes issue with SearchSelect component not holding focus [[GH-13590](https://github.com/hashicorp/vault/pull/13590)]
-* ui: Fixes issue with automate secret deletion value not displaying initially if set in secret metadata edit view [[GH-13177](https://github.com/hashicorp/vault/pull/13177)]
-* ui: Fixes issue with correct auth method not selected when logging out from OIDC or JWT methods [[GH-14545](https://github.com/hashicorp/vault/pull/14545)]
-* ui: Fixes issue with placeholder not displaying for automatically deleted secrets when deletion time has passed [[GH-13166](https://github.com/hashicorp/vault/pull/13166)]
-* ui: Fixes issue with the number of PGP Key inputs not matching the key shares number in the initialization form on change [[GH-13038](https://github.com/hashicorp/vault/pull/13038)]
-* ui: Fixes long secret key names overlapping masked values [[GH-13032](https://github.com/hashicorp/vault/pull/13032)]
-* ui: Fixes node-forge error when parsing EC (elliptical curve) certs [[GH-13238](https://github.com/hashicorp/vault/pull/13238)]
-* ui: Redirects to managed namespace if incorrect namespace in URL param [[GH-14422](https://github.com/hashicorp/vault/pull/14422)]
-* ui: Removes ability to tune token_type for token auth methods [[GH-12904](https://github.com/hashicorp/vault/pull/12904)]
-* ui: trigger token renewal if inactive and half of TTL has passed [[GH-13950](https://github.com/hashicorp/vault/pull/13950)]
+```release-note:feature
+**Rotate Root for LDAP auth**: Rotate root operations are now supported for the LDAP auth engine.
+```
diff --git a/CODEOWNERS b/CODEOWNERS
index 364e143c95d1..09f34ce8621c 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1,87 +1,3 @@
-# Each line is a file pattern followed by one or more owners. Being an owner
-# means those groups or individuals will be added as reviewers to PRs affecting
-# those areas of the code.
-#
-# More on CODEOWNERS files: https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners
-
-# Select Auth engines are owned by Ecosystem
-/builtin/credential/aws/      @hashicorp/vault-ecosystem-applications
-/builtin/credential/github/   @hashicorp/vault-ecosystem-applications
-/builtin/credential/ldap/     @hashicorp/vault-ecosystem-applications
-/builtin/credential/okta/     @hashicorp/vault-ecosystem-applications
-
-# Secrets engines (pki, ssh, totp and transit omitted)
-/builtin/logical/aws/         @hashicorp/vault-ecosystem-applications
-/builtin/logical/cassandra/   @hashicorp/vault-ecosystem-applications
-/builtin/logical/consul/      @hashicorp/vault-ecosystem-applications
-/builtin/logical/database/    @hashicorp/vault-ecosystem-applications
-/builtin/logical/mongodb/     @hashicorp/vault-ecosystem-applications
-/builtin/logical/mssql/       @hashicorp/vault-ecosystem-applications
-/builtin/logical/mysql/       @hashicorp/vault-ecosystem-applications
-/builtin/logical/nomad/       @hashicorp/vault-ecosystem-applications
-/builtin/logical/postgresql/  @hashicorp/vault-ecosystem-applications
-/builtin/logical/rabbitmq/    @hashicorp/vault-ecosystem-applications
-
-# Identity Integrations (OIDC, tokens)
-/vault/identity_store_oidc*   @hashicorp/vault-ecosystem-applications
-
-/plugins/                     @hashicorp/vault-ecosystem
-/vault/plugin_catalog.go      @hashicorp/vault-ecosystem
-
-/website/content/ @hashicorp/vault-education-approvers
-/website/content/docs/plugin-portal.mdx   @acahn @hashicorp/vault-education-approvers
-
-# Plugin docs
-/website/content/docs/plugins/              @hashicorp/vault-ecosystem @hashicorp/vault-education-approvers
-/website/content/docs/upgrading/plugins.mdx @hashicorp/vault-ecosystem @hashicorp/vault-education-approvers
-
-# UI code related to Vault's JWT/OIDC auth method and OIDC provider.
-# Changes to these files often require coordination with backend code,
-# so stewards of the backend code are added below for notification.
-/ui/app/components/auth-jwt.js         @hashicorp/vault-ecosystem-applications
-/ui/app/routes/vault/cluster/oidc-*.js @hashicorp/vault-ecosystem-applications
-
-# Release config; service account is required for automation tooling.
-/.release/                    @hashicorp/release-engineering @hashicorp/github-secure-vault-core @hashicorp/quality-team
-/.github/workflows/build.yml  @hashicorp/release-engineering @hashicorp/github-secure-vault-core @hashicorp/quality-team
-
-# Quality engineering
-/.github/  @hashicorp/quality-team
-/enos/     @hashicorp/quality-team
-
-# Cryptosec
-/builtin/logical/pki/                                @hashicorp/vault-crypto
-/builtin/logical/pkiext/                             @hashicorp/vault-crypto
-/website/content/docs/secrets/pki/                   @hashicorp/vault-crypto
-/website/content/api-docs/secret/pki.mdx             @hashicorp/vault-crypto
-/builtin/credential/cert/                            @hashicorp/vault-crypto
-/website/content/docs/auth/cert.mdx                  @hashicorp/vault-crypto
-/website/content/api-docs/auth/cert.mdx              @hashicorp/vault-crypto
-/builtin/logical/ssh/                                @hashicorp/vault-crypto
-/website/content/docs/secrets/ssh/                   @hashicorp/vault-crypto
-/website/content/api-docs/secret/ssh.mdx             @hashicorp/vault-crypto
-/builtin/logical/transit/                            @hashicorp/vault-crypto
-/website/content/docs/secrets/transit/               @hashicorp/vault-crypto
-/website/content/api-docs/secret/transit.mdx         @hashicorp/vault-crypto
-/helper/random/                                      @hashicorp/vault-crypto
-/sdk/helper/certutil/                                @hashicorp/vault-crypto
-/sdk/helper/cryptoutil/                              @hashicorp/vault-crypto
-/sdk/helper/kdf/                                     @hashicorp/vault-crypto
-/sdk/helper/keysutil/                                @hashicorp/vault-crypto
-/sdk/helper/ocsp/                                    @hashicorp/vault-crypto
-/sdk/helper/salt/                                    @hashicorp/vault-crypto
-/sdk/helper/tlsutil/                                 @hashicorp/vault-crypto
-/shamir/                                             @hashicorp/vault-crypto
-/vault/barrier*                                      @hashicorp/vault-crypto
-/vault/managed_key*                                  @hashicorp/vault-crypto
-/vault/seal*                                         @hashicorp/vault-crypto
-/vault/seal/                                         @hashicorp/vault-crypto
-/website/content/docs/configuration/seal/            @hashicorp/vault-crypto
-/website/content/docs/enterprise/sealwrap.mdx        @hashicorp/vault-crypto
-/website/content/api-docs/system/sealwrap-rewrap.mdx @hashicorp/vault-crypto
-/website/content/docs/secrets/transform/             @hashicorp/vault-crypto
-/website/content/api-docs/secret/transform.mdx       @hashicorp/vault-crypto
-/website/content/docs/secrets/kmip-profiles.mdx      @hashicorp/vault-crypto
-/website/content/docs/secrets/kmip.mdx               @hashicorp/vault-crypto
-/website/content/api-docs/secret/kmip.mdx            @hashicorp/vault-crypto
-/website/content/docs/enterprise/fips/               @hashicorp/vault-crypto
+```release-note:improvement
+ui: capabilities-self is always called in the user's root namespace
+```
\ No newline at end of file
diff --git a/LICENSE b/LICENSE
index ae14f271d418..2fe98e926d05 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,91 +1,3 @@
-License text copyright (c) 2020 MariaDB Corporation Ab, All Rights Reserved.
-“Business Source License” is a trademark of MariaDB Corporation Ab.
-
-Parameters
-
-Licensor:             HashiCorp, Inc.
-Licensed Work:        Vault 1.15.2. The Licensed Work is (c) 2023 HashiCorp, Inc.
-Additional Use Grant: You may make production use of the Licensed Work, provided
-                      Your use does not include offering the Licensed Work to third
-                      parties on a hosted or embedded basis in order to compete with 
-                      HashiCorp’s paid version(s) of the Licensed Work. For purposes 
-                      of this license:
-
-                      A “competitive offering” is a Product that is offered to third
-                      parties on a paid basis, including through paid support 
-                      arrangements, that significantly overlaps with the capabilities 
-                      of HashiCorp’s paid version(s) of the Licensed Work. If Your 
-                      Product is not a competitive offering when You first make it 
-                      generally available, it will not become a competitive offering
-                      later due to HashiCorp releasing a new version of the Licensed 
-                      Work with additional capabilities. In addition, Products that 
-                      are not provided on a paid basis are not competitive.
-
-                      “Product” means software that is offered to end users to manage 
-                      in their own environments or offered as a service on a hosted 
-                      basis.
-
-                      “Embedded” means including the source code or executable code 
-                      from the Licensed Work in a competitive offering. “Embedded” 
-                      also means packaging the competitive offering in such a way 
-                      that the Licensed Work must be accessed or downloaded for the 
-                      competitive offering to operate.
-
-                      Hosting or using the Licensed Work(s) for internal purposes 
-                      within an organization is not considered a competitive 
-                      offering. HashiCorp considers your organization to include all 
-                      of your affiliates under common control.
-
-                      For binding interpretive guidance on using HashiCorp products 
-                      under the Business Source License, please visit our FAQ. 
-                      (https://www.hashicorp.com/license-faq)
-Change Date:          Four years from the date the Licensed Work is published.
-Change License:       MPL 2.0
-
-For information about alternative licensing arrangements for the Licensed Work,
-please contact licensing@hashicorp.com.
-
-Notice
-
-Business Source License 1.1
-
-Terms
-
-The Licensor hereby grants you the right to copy, modify, create derivative
-works, redistribute, and make non-production use of the Licensed Work. The
-Licensor may make an Additional Use Grant, above, permitting limited production use.
-
-Effective on the Change Date, or the fourth anniversary of the first publicly
-available distribution of a specific version of the Licensed Work under this
-License, whichever comes first, the Licensor hereby grants you rights under
-the terms of the Change License, and the rights granted in the paragraph
-above terminate.
-
-If your use of the Licensed Work does not comply with the requirements
-currently in effect as described in this License, you must purchase a
-commercial license from the Licensor, its affiliated entities, or authorized
-resellers, or you must refrain from using the Licensed Work.
-
-All copies of the original and modified Licensed Work, and derivative works
-of the Licensed Work, are subject to this License. This License applies
-separately for each version of the Licensed Work and the Change Date may vary
-for each version of the Licensed Work released by Licensor.
-
-You must conspicuously display this License on each original or modified copy
-of the Licensed Work. If you receive the Licensed Work in original or
-modified form from a third party, the terms and conditions set forth in this
-License apply to your use of that work.
-
-Any use of the Licensed Work in violation of this License will automatically
-terminate your rights under this License for the current and all other
-versions of the Licensed Work.
-
-This License does not grant you any right in any trademark or logo of
-Licensor or its affiliates (provided that you may use a trademark or logo of
-Licensor as expressly required by this License).
-
-TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
-AN “AS IS” BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
-EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
-TITLE.
+```release-note:improvement
+ui: Implement Helios Design System footer component
+```
diff --git a/api/go.mod b/api/go.mod
index 20fb4617af23..97a26746bd0f 100644
--- a/api/go.mod
+++ b/api/go.mod
@@ -1,39 +1,3 @@
-module github.com/hashicorp/vault/api
-
-// The Go version directive for the api package should normally only be updated when
-// code in the api package requires a newer Go version to build.  It should not
-// automatically track the Go version used to build Vault itself.  Many projects import
-// the api module and we don't want to impose a newer version on them any more than we
-// have to.
-go 1.19
-
-require (
-	github.com/cenkalti/backoff/v3 v3.0.0
-	github.com/go-jose/go-jose/v3 v3.0.0
-	github.com/go-test/deep v1.0.2
-	github.com/hashicorp/errwrap v1.1.0
-	github.com/hashicorp/go-cleanhttp v0.5.2
-	github.com/hashicorp/go-hclog v0.16.2
-	github.com/hashicorp/go-multierror v1.1.1
-	github.com/hashicorp/go-retryablehttp v0.6.6
-	github.com/hashicorp/go-rootcerts v1.0.2
-	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6
-	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2
-	github.com/hashicorp/hcl v1.0.0
-	github.com/mitchellh/mapstructure v1.5.0
-	golang.org/x/net v0.7.0
-	golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1
-)
-
-require (
-	github.com/fatih/color v1.7.0 // indirect
-	github.com/google/go-cmp v0.5.7 // indirect
-	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
-	github.com/mattn/go-colorable v0.1.6 // indirect
-	github.com/mattn/go-isatty v0.0.12 // indirect
-	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/ryanuber/go-glob v1.0.0 // indirect
-	golang.org/x/crypto v0.6.0 // indirect
-	golang.org/x/sys v0.5.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
-)
+```release-note:bug
+secrets/pki: Do not set nextUpdate field in OCSP responses when ocsp_expiry is 0
+```
diff --git a/api/go.sum b/api/go.sum
index e8f5f1811f8f..67ea1d0ae974 100644
--- a/api/go.sum
+++ b/api/go.sum
@@ -1,93 +1,3 @@
-github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
-github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
-github.com/cenkalti/backoff/v3 v3.0.0 h1:ske+9nBpD9qZsTBoF41nW5L+AIuFBKMeze18XQ3eG1c=
-github.com/cenkalti/backoff/v3 v3.0.0/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
-github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
-github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo=
-github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
-github.com/go-test/deep v1.0.2 h1:onZX1rnHT3Wv6cqNgYyFOOlgVKJrksuCMCRvJStbMYw=
-github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
-github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o=
-github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
-github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
-github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
-github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
-github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
-github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
-github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
-github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
-github.com/hashicorp/go-hclog v0.16.2 h1:K4ev2ib4LdQETX5cSZBG0DVLk1jwGqSPXBjdah3veNs=
-github.com/hashicorp/go-hclog v0.16.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
-github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
-github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
-github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
-github.com/hashicorp/go-retryablehttp v0.6.6 h1:HJunrbHTDDbBb/ay4kxa1n+dLmttUlnP3V9oNE4hmsM=
-github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
-github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
-github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
-github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 h1:om4Al8Oy7kCm/B86rLCLah4Dt5Aa0Fr5rYBG60OzwHQ=
-github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8=
-github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U=
-github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts=
-github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4=
-github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc=
-github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A=
-github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
-github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
-github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
-github.com/mattn/go-colorable v0.1.6 h1:6Su7aK7lXmJ/U79bYtBjLNaha4Fs1Rg9plHpcH+vvnE=
-github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
-github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
-github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
-github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84=
-github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY=
-github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
-github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
-github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
-github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
-github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
-github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
-github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
-github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
-github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc=
-golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
-golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1 h1:NusfzzA6yGQ+ua51ck7E3omNUX/JuqbFSaRGqU8CcLI=
-golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+```release-note:bug
+auth/cert: Handle errors related to expired OCSP server responses
+```
diff --git a/api/replication_status.go b/api/replication_status.go
index 1668daf19c12..9253e44ab8c0 100644
--- a/api/replication_status.go
+++ b/api/replication_status.go
@@ -1,130 +1,3 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: MPL-2.0
-
-package api
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-
-	"github.com/mitchellh/mapstructure"
-)
-
-const (
-	apiRepPerformanceStatusPath = "/v1/sys/replication/performance/status"
-	apiRepDRStatusPath          = "/v1/sys/replication/dr/status"
-	apiRepStatusPath            = "/v1/sys/replication/status"
-)
-
-type ClusterInfo struct {
-	APIAddr          string `json:"api_address,omitempty" mapstructure:"api_address"`
-	ClusterAddress   string `json:"cluster_address,omitempty" mapstructure:"cluster_address"`
-	ConnectionStatus string `json:"connection_status,omitempty" mapstructure:"connection_status"`
-	LastHeartBeat    string `json:"last_heartbeat,omitempty" mapstructure:"last_heartbeat"`
-	NodeID           string `json:"node_id,omitempty" mapstructure:"node_id"`
-}
-
-type ReplicationStatusGenericResponse struct {
-	LastDRWAL             uint64 `json:"last_dr_wal,omitempty" mapstructure:"last_dr_wal"`
-	LastReindexEpoch      string `json:"last_reindex_epoch,omitempty" mapstructure:"last_reindex_epoch"`
-	ClusterID             string `json:"cluster_id,omitempty" mapstructure:"cluster_id"`
-	LastWAL               uint64 `json:"last_wal,omitempty" mapstructure:"last_wal"`
-	MerkleRoot            string `json:"merkle_root,omitempty" mapstructure:"merkle_root"`
-	Mode                  string `json:"mode,omitempty" mapstructure:"mode"`
-	PrimaryClusterAddr    string `json:"primary_cluster_addr,omitempty" mapstructure:"primary_cluster_addr"`
-	LastPerformanceWAL    uint64 `json:"last_performance_wal,omitempty" mapstructure:"last_performance_wal"`
-	State                 string `json:"state,omitempty" mapstructure:"state"`
-	LastRemoteWAL         uint64 `json:"last_remote_wal,omitempty" mapstructure:"last_remote_wal"`
-	SecondaryID           string `json:"secondary_id,omitempty" mapstructure:"secondary_id"`
-	SSCTGenerationCounter uint64 `json:"ssct_generation_counter,omitempty" mapstructure:"ssct_generation_counter"`
-
-	KnownSecondaries         []string      `json:"known_secondaries,omitempty" mapstructure:"known_secondaries"`
-	KnownPrimaryClusterAddrs []string      `json:"known_primary_cluster_addrs,omitempty" mapstructure:"known_primary_cluster_addrs"`
-	Primaries                []ClusterInfo `json:"primaries,omitempty" mapstructure:"primaries"`
-	Secondaries              []ClusterInfo `json:"secondaries,omitempty" mapstructure:"secondaries"`
-}
-
-type ReplicationStatusResponse struct {
-	DR          ReplicationStatusGenericResponse `json:"dr,omitempty" mapstructure:"dr"`
-	Performance ReplicationStatusGenericResponse `json:"performance,omitempty" mapstructure:"performance"`
-}
-
-func (c *Sys) ReplicationStatus() (*ReplicationStatusResponse, error) {
-	return c.ReplicationStatusWithContext(context.Background(), apiRepStatusPath)
-}
-
-func (c *Sys) ReplicationPerformanceStatusWithContext(ctx context.Context) (*ReplicationStatusGenericResponse, error) {
-	s, err := c.ReplicationStatusWithContext(ctx, apiRepPerformanceStatusPath)
-	if err != nil {
-		return nil, err
-	}
-
-	return &s.Performance, nil
-}
-
-func (c *Sys) ReplicationDRStatusWithContext(ctx context.Context) (*ReplicationStatusGenericResponse, error) {
-	s, err := c.ReplicationStatusWithContext(ctx, apiRepDRStatusPath)
-	if err != nil {
-		return nil, err
-	}
-
-	return &s.DR, nil
-}
-
-func (c *Sys) ReplicationStatusWithContext(ctx context.Context, path string) (*ReplicationStatusResponse, error) {
-	// default to replication/status
-	if path == "" {
-		path = apiRepStatusPath
-	}
-
-	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
-	defer cancelFunc()
-
-	r := c.c.NewRequest(http.MethodGet, path)
-
-	resp, err := c.c.rawRequestWithContext(ctx, r)
-	if err != nil {
-		return nil, err
-	}
-	defer func() { _ = resp.Body.Close() }()
-
-	// First decode response into a map[string]interface{}
-	data := make(map[string]interface{})
-	dec := json.NewDecoder(resp.Body)
-	dec.UseNumber()
-	if err := dec.Decode(&data); err != nil {
-		return nil, err
-	}
-
-	rawData, ok := data["data"]
-	if !ok {
-		return nil, fmt.Errorf("empty data in replication status response")
-	}
-
-	s := &ReplicationStatusResponse{}
-	g := &ReplicationStatusGenericResponse{}
-	switch {
-	case path == apiRepPerformanceStatusPath:
-		err = mapstructure.Decode(rawData, g)
-		if err != nil {
-			return nil, err
-		}
-		s.Performance = *g
-	case path == apiRepDRStatusPath:
-		err = mapstructure.Decode(rawData, g)
-		if err != nil {
-			return nil, err
-		}
-		s.DR = *g
-	default:
-		err = mapstructure.Decode(rawData, s)
-		if err != nil {
-			return nil, err
-		}
-		return s, err
-	}
-
-	return s, err
-}
+```release-note:change
+events: Source URL is now `vault://{vault node}`
+```
diff --git a/api/sys_hastatus.go b/api/sys_hastatus.go
index 2b2aa7c3e980..040b42d94da8 100644
--- a/api/sys_hastatus.go
+++ b/api/sys_hastatus.go
@@ -1,46 +1,3 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: MPL-2.0
-
-package api
-
-import (
-	"context"
-	"net/http"
-	"time"
-)
-
-func (c *Sys) HAStatus() (*HAStatusResponse, error) {
-	return c.HAStatusWithContext(context.Background())
-}
-
-func (c *Sys) HAStatusWithContext(ctx context.Context) (*HAStatusResponse, error) {
-	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
-	defer cancelFunc()
-
-	r := c.c.NewRequest(http.MethodGet, "/v1/sys/ha-status")
-
-	resp, err := c.c.rawRequestWithContext(ctx, r)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-
-	var result HAStatusResponse
-	err = resp.DecodeJSON(&result)
-	return &result, err
-}
-
-type HAStatusResponse struct {
-	Nodes []HANode
-}
-
-type HANode struct {
-	Hostname       string     `json:"hostname"`
-	APIAddress     string     `json:"api_address"`
-	ClusterAddress string     `json:"cluster_address"`
-	ActiveNode     bool       `json:"active_node"`
-	LastEcho       *time.Time `json:"last_echo"`
-	Version        string     `json:"version"`
-	UpgradeVersion string     `json:"upgrade_version,omitempty"`
-	RedundancyZone string     `json:"redundancy_zone,omitempty"`
-}
+```release-note:bug
+ui: Fix JSON editor in KV V2 unable to handle pasted values
+```
diff --git a/api/sys_health.go b/api/sys_health.go
index 13fd8d4d3743..215c7c6d8f11 100644
--- a/api/sys_health.go
+++ b/api/sys_health.go
@@ -1,52 +1,3 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: MPL-2.0
-
-package api
-
-import (
-	"context"
-	"net/http"
-)
-
-func (c *Sys) Health() (*HealthResponse, error) {
-	return c.HealthWithContext(context.Background())
-}
-
-func (c *Sys) HealthWithContext(ctx context.Context) (*HealthResponse, error) {
-	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
-	defer cancelFunc()
-
-	r := c.c.NewRequest(http.MethodGet, "/v1/sys/health")
-	// If the code is 400 or above it will automatically turn into an error,
-	// but the sys/health API defaults to returning 5xx when not sealed or
-	// inited, so we force this code to be something else so we parse correctly
-	r.Params.Add("uninitcode", "299")
-	r.Params.Add("sealedcode", "299")
-	r.Params.Add("standbycode", "299")
-	r.Params.Add("drsecondarycode", "299")
-	r.Params.Add("performancestandbycode", "299")
-
-	resp, err := c.c.rawRequestWithContext(ctx, r)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-
-	var result HealthResponse
-	err = resp.DecodeJSON(&result)
-	return &result, err
-}
-
-type HealthResponse struct {
-	Initialized                bool   `json:"initialized"`
-	Sealed                     bool   `json:"sealed"`
-	Standby                    bool   `json:"standby"`
-	PerformanceStandby         bool   `json:"performance_standby"`
-	ReplicationPerformanceMode string `json:"replication_performance_mode"`
-	ReplicationDRMode          string `json:"replication_dr_mode"`
-	ServerTimeUTC              int64  `json:"server_time_utc"`
-	Version                    string `json:"version"`
-	ClusterName                string `json:"cluster_name,omitempty"`
-	ClusterID                  string `json:"cluster_id,omitempty"`
-	LastWAL                    uint64 `json:"last_wal,omitempty"`
-}
+```release-note:improvement
+plugins: Containerized plugins can be run fully rootless with the runsc runtime.
+```
diff --git a/api/sys_mounts.go b/api/sys_mounts.go
index a6c2a0f5412e..207a61d60952 100644
--- a/api/sys_mounts.go
+++ b/api/sys_mounts.go
@@ -1,337 +1,3 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: MPL-2.0
-
-package api
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net/http"
-	"time"
-
-	"github.com/mitchellh/mapstructure"
-)
-
-func (c *Sys) ListMounts() (map[string]*MountOutput, error) {
-	return c.ListMountsWithContext(context.Background())
-}
-
-func (c *Sys) ListMountsWithContext(ctx context.Context) (map[string]*MountOutput, error) {
-	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
-	defer cancelFunc()
-
-	r := c.c.NewRequest(http.MethodGet, "/v1/sys/mounts")
-
-	resp, err := c.c.rawRequestWithContext(ctx, r)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-
-	secret, err := ParseSecret(resp.Body)
-	if err != nil {
-		return nil, err
-	}
-	if secret == nil || secret.Data == nil {
-		return nil, errors.New("data from server response is empty")
-	}
-
-	mounts := map[string]*MountOutput{}
-	err = mapstructure.Decode(secret.Data, &mounts)
-	if err != nil {
-		return nil, err
-	}
-
-	return mounts, nil
-}
-
-func (c *Sys) Mount(path string, mountInfo *MountInput) error {
-	return c.MountWithContext(context.Background(), path, mountInfo)
-}
-
-func (c *Sys) MountWithContext(ctx context.Context, path string, mountInfo *MountInput) error {
-	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
-	defer cancelFunc()
-
-	r := c.c.NewRequest(http.MethodPost, fmt.Sprintf("/v1/sys/mounts/%s", path))
-	if err := r.SetJSONBody(mountInfo); err != nil {
-		return err
-	}
-
-	resp, err := c.c.rawRequestWithContext(ctx, r)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-
-	return nil
-}
-
-func (c *Sys) Unmount(path string) error {
-	return c.UnmountWithContext(context.Background(), path)
-}
-
-func (c *Sys) UnmountWithContext(ctx context.Context, path string) error {
-	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
-	defer cancelFunc()
-
-	r := c.c.NewRequest(http.MethodDelete, fmt.Sprintf("/v1/sys/mounts/%s", path))
-
-	resp, err := c.c.rawRequestWithContext(ctx, r)
-	if err == nil {
-		defer resp.Body.Close()
-	}
-	return err
-}
-
-// Remount wraps RemountWithContext using context.Background.
-func (c *Sys) Remount(from, to string) error {
-	return c.RemountWithContext(context.Background(), from, to)
-}
-
-// RemountWithContext kicks off a remount operation, polls the status endpoint using
-// the migration ID till either success or failure state is observed
-func (c *Sys) RemountWithContext(ctx context.Context, from, to string) error {
-	remountResp, err := c.StartRemountWithContext(ctx, from, to)
-	if err != nil {
-		return err
-	}
-
-	for {
-		remountStatusResp, err := c.RemountStatusWithContext(ctx, remountResp.MigrationID)
-		if err != nil {
-			return err
-		}
-		if remountStatusResp.MigrationInfo.MigrationStatus == "success" {
-			return nil
-		}
-		if remountStatusResp.MigrationInfo.MigrationStatus == "failure" {
-			return fmt.Errorf("Failure! Error encountered moving mount %s to %s, with migration ID %s", from, to, remountResp.MigrationID)
-		}
-		time.Sleep(1 * time.Second)
-	}
-}
-
-// StartRemount wraps StartRemountWithContext using context.Background.
-func (c *Sys) StartRemount(from, to string) (*MountMigrationOutput, error) {
-	return c.StartRemountWithContext(context.Background(), from, to)
-}
-
-// StartRemountWithContext kicks off a mount migration and returns a response with the migration ID
-func (c *Sys) StartRemountWithContext(ctx context.Context, from, to string) (*MountMigrationOutput, error) {
-	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
-	defer cancelFunc()
-
-	body := map[string]interface{}{
-		"from": from,
-		"to":   to,
-	}
-
-	r := c.c.NewRequest(http.MethodPost, "/v1/sys/remount")
-	if err := r.SetJSONBody(body); err != nil {
-		return nil, err
-	}
-
-	resp, err := c.c.rawRequestWithContext(ctx, r)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-	secret, err := ParseSecret(resp.Body)
-	if err != nil {
-		return nil, err
-	}
-	if secret == nil || secret.Data == nil {
-		return nil, errors.New("data from server response is empty")
-	}
-
-	var result MountMigrationOutput
-	err = mapstructure.Decode(secret.Data, &result)
-	if err != nil {
-		return nil, err
-	}
-
-	return &result, err
-}
-
-// RemountStatus wraps RemountStatusWithContext using context.Background.
-func (c *Sys) RemountStatus(migrationID string) (*MountMigrationStatusOutput, error) {
-	return c.RemountStatusWithContext(context.Background(), migrationID)
-}
-
-// RemountStatusWithContext checks the status of a mount migration operation with the provided ID
-func (c *Sys) RemountStatusWithContext(ctx context.Context, migrationID string) (*MountMigrationStatusOutput, error) {
-	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
-	defer cancelFunc()
-
-	r := c.c.NewRequest(http.MethodGet, fmt.Sprintf("/v1/sys/remount/status/%s", migrationID))
-
-	resp, err := c.c.rawRequestWithContext(ctx, r)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-	secret, err := ParseSecret(resp.Body)
-	if err != nil {
-		return nil, err
-	}
-	if secret == nil || secret.Data == nil {
-		return nil, errors.New("data from server response is empty")
-	}
-
-	var result MountMigrationStatusOutput
-	err = mapstructure.Decode(secret.Data, &result)
-	if err != nil {
-		return nil, err
-	}
-
-	return &result, err
-}
-
-func (c *Sys) TuneMount(path string, config MountConfigInput) error {
-	return c.TuneMountWithContext(context.Background(), path, config)
-}
-
-func (c *Sys) TuneMountWithContext(ctx context.Context, path string, config MountConfigInput) error {
-	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
-	defer cancelFunc()
-
-	r := c.c.NewRequest(http.MethodPost, fmt.Sprintf("/v1/sys/mounts/%s/tune", path))
-	if err := r.SetJSONBody(config); err != nil {
-		return err
-	}
-
-	resp, err := c.c.rawRequestWithContext(ctx, r)
-	if err == nil {
-		defer resp.Body.Close()
-	}
-	return err
-}
-
-func (c *Sys) MountConfig(path string) (*MountConfigOutput, error) {
-	return c.MountConfigWithContext(context.Background(), path)
-}
-
-func (c *Sys) MountConfigWithContext(ctx context.Context, path string) (*MountConfigOutput, error) {
-	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
-	defer cancelFunc()
-
-	r := c.c.NewRequest(http.MethodGet, fmt.Sprintf("/v1/sys/mounts/%s/tune", path))
-
-	resp, err := c.c.rawRequestWithContext(ctx, r)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-
-	secret, err := ParseSecret(resp.Body)
-	if err != nil {
-		return nil, err
-	}
-	if secret == nil || secret.Data == nil {
-		return nil, errors.New("data from server response is empty")
-	}
-
-	var result MountConfigOutput
-	err = mapstructure.Decode(secret.Data, &result)
-	if err != nil {
-		return nil, err
-	}
-
-	return &result, err
-}
-
-type MountInput struct {
-	Type                  string            `json:"type"`
-	Description           string            `json:"description"`
-	Config                MountConfigInput  `json:"config"`
-	Local                 bool              `json:"local"`
-	SealWrap              bool              `json:"seal_wrap" mapstructure:"seal_wrap"`
-	ExternalEntropyAccess bool              `json:"external_entropy_access" mapstructure:"external_entropy_access"`
-	Options               map[string]string `json:"options"`
-
-	// Deprecated: Newer server responses should be returning this information in the
-	// Type field (json: "type") instead.
-	PluginName string `json:"plugin_name,omitempty"`
-}
-
-type MountConfigInput struct {
-	Options                   map[string]string       `json:"options" mapstructure:"options"`
-	DefaultLeaseTTL           string                  `json:"default_lease_ttl" mapstructure:"default_lease_ttl"`
-	Description               *string                 `json:"description,omitempty" mapstructure:"description"`
-	MaxLeaseTTL               string                  `json:"max_lease_ttl" mapstructure:"max_lease_ttl"`
-	ForceNoCache              bool                    `json:"force_no_cache" mapstructure:"force_no_cache"`
-	AuditNonHMACRequestKeys   []string                `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"`
-	AuditNonHMACResponseKeys  []string                `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"`
-	ListingVisibility         string                  `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"`
-	PassthroughRequestHeaders []string                `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"`
-	AllowedResponseHeaders    []string                `json:"allowed_response_headers,omitempty" mapstructure:"allowed_response_headers"`
-	TokenType                 string                  `json:"token_type,omitempty" mapstructure:"token_type"`
-	AllowedManagedKeys        []string                `json:"allowed_managed_keys,omitempty" mapstructure:"allowed_managed_keys"`
-	PluginVersion             string                  `json:"plugin_version,omitempty"`
-	UserLockoutConfig         *UserLockoutConfigInput `json:"user_lockout_config,omitempty"`
-	// Deprecated: This field will always be blank for newer server responses.
-	PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"`
-}
-
-type MountOutput struct {
-	UUID                  string            `json:"uuid"`
-	Type                  string            `json:"type"`
-	Description           string            `json:"description"`
-	Accessor              string            `json:"accessor"`
-	Config                MountConfigOutput `json:"config"`
-	Options               map[string]string `json:"options"`
-	Local                 bool              `json:"local"`
-	SealWrap              bool              `json:"seal_wrap" mapstructure:"seal_wrap"`
-	ExternalEntropyAccess bool              `json:"external_entropy_access" mapstructure:"external_entropy_access"`
-	PluginVersion         string            `json:"plugin_version" mapstructure:"plugin_version"`
-	RunningVersion        string            `json:"running_plugin_version" mapstructure:"running_plugin_version"`
-	RunningSha256         string            `json:"running_sha256" mapstructure:"running_sha256"`
-	DeprecationStatus     string            `json:"deprecation_status" mapstructure:"deprecation_status"`
-}
-
-type MountConfigOutput struct {
-	DefaultLeaseTTL           int                      `json:"default_lease_ttl" mapstructure:"default_lease_ttl"`
-	MaxLeaseTTL               int                      `json:"max_lease_ttl" mapstructure:"max_lease_ttl"`
-	ForceNoCache              bool                     `json:"force_no_cache" mapstructure:"force_no_cache"`
-	AuditNonHMACRequestKeys   []string                 `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"`
-	AuditNonHMACResponseKeys  []string                 `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"`
-	ListingVisibility         string                   `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"`
-	PassthroughRequestHeaders []string                 `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"`
-	AllowedResponseHeaders    []string                 `json:"allowed_response_headers,omitempty" mapstructure:"allowed_response_headers"`
-	TokenType                 string                   `json:"token_type,omitempty" mapstructure:"token_type"`
-	AllowedManagedKeys        []string                 `json:"allowed_managed_keys,omitempty" mapstructure:"allowed_managed_keys"`
-	UserLockoutConfig         *UserLockoutConfigOutput `json:"user_lockout_config,omitempty"`
-	// Deprecated: This field will always be blank for newer server responses.
-	PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"`
-}
-
-type UserLockoutConfigInput struct {
-	LockoutThreshold            string `json:"lockout_threshold,omitempty" structs:"lockout_threshold" mapstructure:"lockout_threshold"`
-	LockoutDuration             string `json:"lockout_duration,omitempty" structs:"lockout_duration" mapstructure:"lockout_duration"`
-	LockoutCounterResetDuration string `json:"lockout_counter_reset_duration,omitempty" structs:"lockout_counter_reset_duration" mapstructure:"lockout_counter_reset_duration"`
-	DisableLockout              *bool  `json:"lockout_disable,omitempty" structs:"lockout_disable" mapstructure:"lockout_disable"`
-}
-
-type UserLockoutConfigOutput struct {
-	LockoutThreshold    uint  `json:"lockout_threshold,omitempty" structs:"lockout_threshold" mapstructure:"lockout_threshold"`
-	LockoutDuration     int   `json:"lockout_duration,omitempty" structs:"lockout_duration" mapstructure:"lockout_duration"`
-	LockoutCounterReset int   `json:"lockout_counter_reset,omitempty" structs:"lockout_counter_reset" mapstructure:"lockout_counter_reset"`
-	DisableLockout      *bool `json:"disable_lockout,omitempty" structs:"disable_lockout" mapstructure:"disable_lockout"`
-}
-
-type MountMigrationOutput struct {
-	MigrationID string `mapstructure:"migration_id"`
-}
-
-type MountMigrationStatusOutput struct {
-	MigrationID   string                    `mapstructure:"migration_id"`
-	MigrationInfo *MountMigrationStatusInfo `mapstructure:"migration_info"`
-}
-
-type MountMigrationStatusInfo struct {
-	SourceMount     string `mapstructure:"source_mount"`
-	TargetMount     string `mapstructure:"target_mount"`
-	MigrationStatus string `mapstructure:"status"`
-}
+```release-note:bug
+core/audit: Audit logging a Vault response will now use a 5 second context timeout, separate from the original request.
+```
\ No newline at end of file
diff --git a/api/sys_plugins_runtimes.go b/api/sys_plugins_runtimes.go
index d88bca9b7269..424a006f2da3 100644
--- a/api/sys_plugins_runtimes.go
+++ b/api/sys_plugins_runtimes.go
@@ -1,189 +1,3 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: MPL-2.0
-
-package api
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net/http"
-
-	"github.com/mitchellh/mapstructure"
-)
-
-// GetPluginRuntimeInput is used as input to the GetPluginRuntime function.
-type GetPluginRuntimeInput struct {
-	Name string `json:"-"`
-
-	// Type of the plugin runtime. Required.
-	Type PluginRuntimeType `json:"type"`
-}
-
-// GetPluginRuntimeResponse is the response from the GetPluginRuntime call.
-type GetPluginRuntimeResponse struct {
-	Type         string `json:"type"`
-	Name         string `json:"name"`
-	OCIRuntime   string `json:"oci_runtime"`
-	CgroupParent string `json:"cgroup_parent"`
-	CPU          int64  `json:"cpu_nanos"`
-	Memory       int64  `json:"memory_bytes"`
-}
-
-// GetPluginRuntime retrieves information about the plugin.
-func (c *Sys) GetPluginRuntime(ctx context.Context, i *GetPluginRuntimeInput) (*GetPluginRuntimeResponse, error) {
-	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
-	defer cancelFunc()
-
-	path := pluginRuntimeCatalogPathByType(i.Type, i.Name)
-	req := c.c.NewRequest(http.MethodGet, path)
-
-	resp, err := c.c.rawRequestWithContext(ctx, req)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-
-	var result struct {
-		Data *GetPluginRuntimeResponse
-	}
-	err = resp.DecodeJSON(&result)
-	if err != nil {
-		return nil, err
-	}
-	return result.Data, err
-}
-
-// RegisterPluginRuntimeInput is used as input to the RegisterPluginRuntime function.
-type RegisterPluginRuntimeInput struct {
-	// Name is the name of the plugin. Required.
-	Name string `json:"-"`
-
-	// Type of the plugin. Required.
-	Type PluginRuntimeType `json:"type"`
-
-	OCIRuntime   string `json:"oci_runtime,omitempty"`
-	CgroupParent string `json:"cgroup_parent,omitempty"`
-	CPU          int64  `json:"cpu_nanos,omitempty"`
-	Memory       int64  `json:"memory_bytes,omitempty"`
-}
-
-// RegisterPluginRuntime registers the plugin with the given information.
-func (c *Sys) RegisterPluginRuntime(ctx context.Context, i *RegisterPluginRuntimeInput) error {
-	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
-	defer cancelFunc()
-
-	path := pluginRuntimeCatalogPathByType(i.Type, i.Name)
-	req := c.c.NewRequest(http.MethodPut, path)
-
-	if err := req.SetJSONBody(i); err != nil {
-		return err
-	}
-
-	resp, err := c.c.rawRequestWithContext(ctx, req)
-	if err == nil {
-		defer resp.Body.Close()
-	}
-	return err
-}
-
-// DeregisterPluginRuntimeInput is used as input to the DeregisterPluginRuntime function.
-type DeregisterPluginRuntimeInput struct {
-	// Name is the name of the plugin runtime. Required.
-	Name string `json:"-"`
-
-	// Type of the plugin. Required.
-	Type PluginRuntimeType `json:"type"`
-}
-
-// DeregisterPluginRuntime removes the plugin with the given name from the plugin
-// catalog.
-func (c *Sys) DeregisterPluginRuntime(ctx context.Context, i *DeregisterPluginRuntimeInput) error {
-	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
-	defer cancelFunc()
-
-	path := pluginRuntimeCatalogPathByType(i.Type, i.Name)
-	req := c.c.NewRequest(http.MethodDelete, path)
-	resp, err := c.c.rawRequestWithContext(ctx, req)
-	if err == nil {
-		defer resp.Body.Close()
-	}
-	return err
-}
-
-type PluginRuntimeDetails struct {
-	Type         string `json:"type" mapstructure:"type"`
-	Name         string `json:"name" mapstructure:"name"`
-	OCIRuntime   string `json:"oci_runtime" mapstructure:"oci_runtime"`
-	CgroupParent string `json:"cgroup_parent" mapstructure:"cgroup_parent"`
-	CPU          int64  `json:"cpu_nanos" mapstructure:"cpu_nanos"`
-	Memory       int64  `json:"memory_bytes" mapstructure:"memory_bytes"`
-}
-
-// ListPluginRuntimesInput is used as input to the ListPluginRuntimes function.
-type ListPluginRuntimesInput struct {
-	// Type of the plugin. Required.
-	Type PluginRuntimeType `json:"type"`
-}
-
-// ListPluginRuntimesResponse is the response from the ListPluginRuntimes call.
-type ListPluginRuntimesResponse struct {
-	// RuntimesByType is the list of plugin runtimes by type.
-	Runtimes []PluginRuntimeDetails `json:"runtimes"`
-}
-
-// ListPluginRuntimes lists all plugin runtimes in the catalog and returns their names as a
-// list of strings.
-func (c *Sys) ListPluginRuntimes(ctx context.Context, input *ListPluginRuntimesInput) (*ListPluginRuntimesResponse, error) {
-	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
-	defer cancelFunc()
-
-	if input != nil && input.Type == PluginRuntimeTypeUnsupported {
-		return nil, fmt.Errorf("%q is not a supported runtime type", input.Type.String())
-	}
-
-	resp, err := c.c.rawRequestWithContext(ctx, c.c.NewRequest(http.MethodGet, "/v1/sys/plugins/runtimes/catalog"))
-	if err != nil && resp == nil {
-		return nil, err
-	}
-	if resp == nil {
-		return nil, nil
-	}
-	defer resp.Body.Close()
-
-	secret, err := ParseSecret(resp.Body)
-	if err != nil {
-		return nil, err
-	}
-	if secret == nil || secret.Data == nil {
-		return nil, errors.New("data from server response is empty")
-	}
-	if _, ok := secret.Data["runtimes"]; !ok {
-		return nil, fmt.Errorf("data from server response does not contain runtimes")
-	}
-
-	var runtimes []PluginRuntimeDetails
-	if err = mapstructure.Decode(secret.Data["runtimes"], &runtimes); err != nil {
-		return nil, err
-	}
-
-	// return all runtimes in the catalog
-	if input == nil {
-		return &ListPluginRuntimesResponse{Runtimes: runtimes}, nil
-	}
-
-	result := &ListPluginRuntimesResponse{
-		Runtimes: []PluginRuntimeDetails{},
-	}
-	for _, runtime := range runtimes {
-		if runtime.Type == input.Type.String() {
-			result.Runtimes = append(result.Runtimes, runtime)
-		}
-	}
-	return result, nil
-}
-
-// pluginRuntimeCatalogPathByType is a helper to construct the proper API path by plugin type
-func pluginRuntimeCatalogPathByType(runtimeType PluginRuntimeType, name string) string {
-	return fmt.Sprintf("/v1/sys/plugins/runtimes/catalog/%s/%s", runtimeType, name)
-}
+```release-note:bug
+storage/raft: Fix a race whereby a new leader may present inconsistent node data to Autopilot.
+```
\ No newline at end of file
diff --git a/builtin/credential/aws/pkcs7/sign.go b/builtin/credential/aws/pkcs7/sign.go
index 72b99388548e..e6aca7096ac3 100644
--- a/builtin/credential/aws/pkcs7/sign.go
+++ b/builtin/credential/aws/pkcs7/sign.go
@@ -1,435 +1,6 @@
-package pkcs7
-
-import (
-	"bytes"
-	"crypto"
-	"crypto/dsa"
-	"crypto/rand"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/asn1"
-	"errors"
-	"fmt"
-	"math/big"
-	"time"
-
-	"github.com/hashicorp/vault/internal"
-)
-
-func init() {
-	internal.PatchSha1()
-}
-
-// SignedData is an opaque data structure for creating signed data payloads
-type SignedData struct {
-	sd                  signedData
-	certs               []*x509.Certificate
-	data, messageDigest []byte
-	digestOid           asn1.ObjectIdentifier
-	encryptionOid       asn1.ObjectIdentifier
-}
-
-// NewSignedData takes data and initializes a PKCS7 SignedData struct that is
-// ready to be signed via AddSigner. The digest algorithm is set to SHA-256 by default
-// and can be changed by calling SetDigestAlgorithm.
-func NewSignedData(data []byte) (*SignedData, error) {
-	content, err := asn1.Marshal(data)
-	if err != nil {
-		return nil, err
-	}
-	ci := contentInfo{
-		ContentType: OIDData,
-		Content:     asn1.RawValue{Class: 2, Tag: 0, Bytes: content, IsCompound: true},
-	}
-	sd := signedData{
-		ContentInfo: ci,
-		Version:     1,
-	}
-	return &SignedData{sd: sd, data: data, digestOid: OIDDigestAlgorithmSHA256}, nil
-}
-
-// SignerInfoConfig are optional values to include when adding a signer
-type SignerInfoConfig struct {
-	ExtraSignedAttributes   []Attribute
-	ExtraUnsignedAttributes []Attribute
-}
-
-type signedData struct {
-	Version                    int                        `asn1:"default:1"`
-	DigestAlgorithmIdentifiers []pkix.AlgorithmIdentifier `asn1:"set"`
-	ContentInfo                contentInfo
-	Certificates               rawCertificates        `asn1:"optional,tag:0"`
-	CRLs                       []pkix.CertificateList `asn1:"optional,tag:1"`
-	SignerInfos                []signerInfo           `asn1:"set"`
-}
-
-type signerInfo struct {
-	Version                   int `asn1:"default:1"`
-	IssuerAndSerialNumber     issuerAndSerial
-	DigestAlgorithm           pkix.AlgorithmIdentifier
-	AuthenticatedAttributes   []attribute `asn1:"optional,omitempty,tag:0"`
-	DigestEncryptionAlgorithm pkix.AlgorithmIdentifier
-	EncryptedDigest           []byte
-	UnauthenticatedAttributes []attribute `asn1:"optional,omitempty,tag:1"`
-}
-
-type attribute struct {
-	Type  asn1.ObjectIdentifier
-	Value asn1.RawValue `asn1:"set"`
-}
-
-func marshalAttributes(attrs []attribute) ([]byte, error) {
-	encodedAttributes, err := asn1.Marshal(struct {
-		A []attribute `asn1:"set"`
-	}{A: attrs})
-	if err != nil {
-		return nil, err
-	}
-
-	// Remove the leading sequence octets
-	var raw asn1.RawValue
-	asn1.Unmarshal(encodedAttributes, &raw)
-	return raw.Bytes, nil
-}
-
-type rawCertificates struct {
-	Raw asn1.RawContent
-}
-
-type issuerAndSerial struct {
-	IssuerName   asn1.RawValue
-	SerialNumber *big.Int
-}
-
-// SetDigestAlgorithm sets the digest algorithm to be used in the signing process.
-//
-// This should be called before adding signers
-func (sd *SignedData) SetDigestAlgorithm(d asn1.ObjectIdentifier) {
-	sd.digestOid = d
-}
-
-// SetEncryptionAlgorithm sets the encryption algorithm to be used in the signing process.
-//
-// This should be called before adding signers
-func (sd *SignedData) SetEncryptionAlgorithm(d asn1.ObjectIdentifier) {
-	sd.encryptionOid = d
-}
-
-// AddSigner is a wrapper around AddSignerChain() that adds a signer without any parent.
-func (sd *SignedData) AddSigner(ee *x509.Certificate, pkey crypto.PrivateKey, config SignerInfoConfig) error {
-	var parents []*x509.Certificate
-	return sd.AddSignerChain(ee, pkey, parents, config)
-}
-
-// AddSignerChain signs attributes about the content and adds certificates
-// and signers infos to the Signed Data. The certificate and private key
-// of the end-entity signer are used to issue the signature, and any
-// parent of that end-entity that need to be added to the list of
-// certifications can be specified in the parents slice.
-//
-// The signature algorithm used to hash the data is the one of the end-entity
-// certificate.
-func (sd *SignedData) AddSignerChain(ee *x509.Certificate, pkey crypto.PrivateKey, parents []*x509.Certificate, config SignerInfoConfig) error {
-	// Following RFC 2315, 9.2 SignerInfo type, the distinguished name of
-	// the issuer of the end-entity signer is stored in the issuerAndSerialNumber
-	// section of the SignedData.SignerInfo, alongside the serial number of
-	// the end-entity.
-	var ias issuerAndSerial
-	ias.SerialNumber = ee.SerialNumber
-	if len(parents) == 0 {
-		// no parent, the issuer is the end-entity cert itself
-		ias.IssuerName = asn1.RawValue{FullBytes: ee.RawIssuer}
-	} else {
-		err := verifyPartialChain(ee, parents)
-		if err != nil {
-			return err
-		}
-		// the first parent is the issuer
-		ias.IssuerName = asn1.RawValue{FullBytes: parents[0].RawSubject}
-	}
-	sd.sd.DigestAlgorithmIdentifiers = append(sd.sd.DigestAlgorithmIdentifiers,
-		pkix.AlgorithmIdentifier{Algorithm: sd.digestOid},
-	)
-	hash, err := getHashForOID(sd.digestOid)
-	if err != nil {
-		return err
-	}
-	h := hash.New()
-	h.Write(sd.data)
-	sd.messageDigest = h.Sum(nil)
-	encryptionOid, err := getOIDForEncryptionAlgorithm(pkey, sd.digestOid)
-	if err != nil {
-		return err
-	}
-	attrs := &attributes{}
-	attrs.Add(OIDAttributeContentType, sd.sd.ContentInfo.ContentType)
-	attrs.Add(OIDAttributeMessageDigest, sd.messageDigest)
-	attrs.Add(OIDAttributeSigningTime, time.Now().UTC())
-	for _, attr := range config.ExtraSignedAttributes {
-		attrs.Add(attr.Type, attr.Value)
-	}
-	finalAttrs, err := attrs.ForMarshalling()
-	if err != nil {
-		return err
-	}
-	unsignedAttrs := &attributes{}
-	for _, attr := range config.ExtraUnsignedAttributes {
-		unsignedAttrs.Add(attr.Type, attr.Value)
-	}
-	finalUnsignedAttrs, err := unsignedAttrs.ForMarshalling()
-	if err != nil {
-		return err
-	}
-	// create signature of signed attributes
-	signature, err := signAttributes(finalAttrs, pkey, hash)
-	if err != nil {
-		return err
-	}
-	signer := signerInfo{
-		AuthenticatedAttributes:   finalAttrs,
-		UnauthenticatedAttributes: finalUnsignedAttrs,
-		DigestAlgorithm:           pkix.AlgorithmIdentifier{Algorithm: sd.digestOid},
-		DigestEncryptionAlgorithm: pkix.AlgorithmIdentifier{Algorithm: encryptionOid},
-		IssuerAndSerialNumber:     ias,
-		EncryptedDigest:           signature,
-		Version:                   1,
-	}
-	sd.certs = append(sd.certs, ee)
-	if len(parents) > 0 {
-		sd.certs = append(sd.certs, parents...)
-	}
-	sd.sd.SignerInfos = append(sd.sd.SignerInfos, signer)
-	return nil
-}
-
-// SignWithoutAttr issues a signature on the content of the pkcs7 SignedData.
-// Unlike AddSigner/AddSignerChain, it calculates the digest on the data alone
-// and does not include any signed attributes like timestamp and so on.
-//
-// This function is needed to sign old Android APKs, something you probably
-// shouldn't do unless you're maintaining backward compatibility for old
-// applications.
-func (sd *SignedData) SignWithoutAttr(ee *x509.Certificate, pkey crypto.PrivateKey, config SignerInfoConfig) error {
-	var signature []byte
-	sd.sd.DigestAlgorithmIdentifiers = append(sd.sd.DigestAlgorithmIdentifiers, pkix.AlgorithmIdentifier{Algorithm: sd.digestOid})
-	hash, err := getHashForOID(sd.digestOid)
-	if err != nil {
-		return err
-	}
-	h := hash.New()
-	h.Write(sd.data)
-	sd.messageDigest = h.Sum(nil)
-	switch pkey := pkey.(type) {
-	case *dsa.PrivateKey:
-		// dsa doesn't implement crypto.Signer so we make a special case
-		// https://github.com/golang/go/issues/27889
-		r, s, err := dsa.Sign(rand.Reader, pkey, sd.messageDigest)
-		if err != nil {
-			return err
-		}
-		signature, err = asn1.Marshal(dsaSignature{r, s})
-		if err != nil {
-			return err
-		}
-	default:
-		key, ok := pkey.(crypto.Signer)
-		if !ok {
-			return errors.New("pkcs7: private key does not implement crypto.Signer")
-		}
-		signature, err = key.Sign(rand.Reader, sd.messageDigest, hash)
-		if err != nil {
-			return err
-		}
-	}
-	var ias issuerAndSerial
-	ias.SerialNumber = ee.SerialNumber
-	// no parent, the issue is the end-entity cert itself
-	ias.IssuerName = asn1.RawValue{FullBytes: ee.RawIssuer}
-	if sd.encryptionOid == nil {
-		// if the encryption algorithm wasn't set by SetEncryptionAlgorithm,
-		// infer it from the digest algorithm
-		sd.encryptionOid, err = getOIDForEncryptionAlgorithm(pkey, sd.digestOid)
-	}
-	if err != nil {
-		return err
-	}
-	signer := signerInfo{
-		DigestAlgorithm:           pkix.AlgorithmIdentifier{Algorithm: sd.digestOid},
-		DigestEncryptionAlgorithm: pkix.AlgorithmIdentifier{Algorithm: sd.encryptionOid},
-		IssuerAndSerialNumber:     ias,
-		EncryptedDigest:           signature,
-		Version:                   1,
-	}
-	// create signature of signed attributes
-	sd.certs = append(sd.certs, ee)
-	sd.sd.SignerInfos = append(sd.sd.SignerInfos, signer)
-	return nil
-}
-
-func (si *signerInfo) SetUnauthenticatedAttributes(extraUnsignedAttrs []Attribute) error {
-	unsignedAttrs := &attributes{}
-	for _, attr := range extraUnsignedAttrs {
-		unsignedAttrs.Add(attr.Type, attr.Value)
-	}
-	finalUnsignedAttrs, err := unsignedAttrs.ForMarshalling()
-	if err != nil {
-		return err
-	}
-
-	si.UnauthenticatedAttributes = finalUnsignedAttrs
-
-	return nil
-}
-
-// AddCertificate adds the certificate to the payload. Useful for parent certificates
-func (sd *SignedData) AddCertificate(cert *x509.Certificate) {
-	sd.certs = append(sd.certs, cert)
-}
-
-// Detach removes content from the signed data struct to make it a detached signature.
-// This must be called right before Finish()
-func (sd *SignedData) Detach() {
-	sd.sd.ContentInfo = contentInfo{ContentType: OIDData}
-}
-
-// GetSignedData returns the private Signed Data
-func (sd *SignedData) GetSignedData() *signedData {
-	return &sd.sd
-}
-
-// Finish marshals the content and its signers
-func (sd *SignedData) Finish() ([]byte, error) {
-	sd.sd.Certificates = marshalCertificates(sd.certs)
-	inner, err := asn1.Marshal(sd.sd)
-	if err != nil {
-		return nil, err
-	}
-	outer := contentInfo{
-		ContentType: OIDSignedData,
-		Content:     asn1.RawValue{Class: 2, Tag: 0, Bytes: inner, IsCompound: true},
-	}
-	return asn1.Marshal(outer)
-}
-
-// RemoveAuthenticatedAttributes removes authenticated attributes from signedData
-// similar to OpenSSL's PKCS7_NOATTR or -noattr flags
-func (sd *SignedData) RemoveAuthenticatedAttributes() {
-	for i := range sd.sd.SignerInfos {
-		sd.sd.SignerInfos[i].AuthenticatedAttributes = nil
-	}
-}
-
-// RemoveUnauthenticatedAttributes removes unauthenticated attributes from signedData
-func (sd *SignedData) RemoveUnauthenticatedAttributes() {
-	for i := range sd.sd.SignerInfos {
-		sd.sd.SignerInfos[i].UnauthenticatedAttributes = nil
-	}
-}
-
-// verifyPartialChain checks that a given cert is issued by the first parent in the list,
-// then continue down the path. It doesn't require the last parent to be a root CA,
-// or to be trusted in any truststore. It simply verifies that the chain provided, albeit
-// partial, makes sense.
-func verifyPartialChain(cert *x509.Certificate, parents []*x509.Certificate) error {
-	if len(parents) == 0 {
-		return fmt.Errorf("pkcs7: zero parents provided to verify the signature of certificate %q", cert.Subject.CommonName)
-	}
-	err := cert.CheckSignatureFrom(parents[0])
-	if err != nil {
-		return fmt.Errorf("pkcs7: certificate signature from parent is invalid: %v", err)
-	}
-	if len(parents) == 1 {
-		// there is no more parent to check, return
-		return nil
-	}
-	return verifyPartialChain(parents[0], parents[1:])
-}
-
-func cert2issuerAndSerial(cert *x509.Certificate) (issuerAndSerial, error) {
-	var ias issuerAndSerial
-	// The issuer RDNSequence has to match exactly the sequence in the certificate
-	// We cannot use cert.Issuer.ToRDNSequence() here since it mangles the sequence
-	ias.IssuerName = asn1.RawValue{FullBytes: cert.RawIssuer}
-	ias.SerialNumber = cert.SerialNumber
-
-	return ias, nil
-}
-
-// signs the DER encoded form of the attributes with the private key
-func signAttributes(attrs []attribute, pkey crypto.PrivateKey, digestAlg crypto.Hash) ([]byte, error) {
-	attrBytes, err := marshalAttributes(attrs)
-	if err != nil {
-		return nil, err
-	}
-	h := digestAlg.New()
-	h.Write(attrBytes)
-	hash := h.Sum(nil)
-
-	// dsa doesn't implement crypto.Signer so we make a special case
-	// https://github.com/golang/go/issues/27889
-	switch pkey := pkey.(type) {
-	case *dsa.PrivateKey:
-		r, s, err := dsa.Sign(rand.Reader, pkey, hash)
-		if err != nil {
-			return nil, err
-		}
-		return asn1.Marshal(dsaSignature{r, s})
-	}
-
-	key, ok := pkey.(crypto.Signer)
-	if !ok {
-		return nil, errors.New("pkcs7: private key does not implement crypto.Signer")
-	}
-	return key.Sign(rand.Reader, hash, digestAlg)
-}
-
-type dsaSignature struct {
-	R, S *big.Int
-}
-
-// concats and wraps the certificates in the RawValue structure
-func marshalCertificates(certs []*x509.Certificate) rawCertificates {
-	var buf bytes.Buffer
-	for _, cert := range certs {
-		buf.Write(cert.Raw)
-	}
-	rawCerts, _ := marshalCertificateBytes(buf.Bytes())
-	return rawCerts
-}
-
-// Even though, the tag & length are stripped out during marshalling the
-// RawContent, we have to encode it into the RawContent. If its missing,
-// then `asn1.Marshal()` will strip out the certificate wrapper instead.
-func marshalCertificateBytes(certs []byte) (rawCertificates, error) {
-	val := asn1.RawValue{Bytes: certs, Class: 2, Tag: 0, IsCompound: true}
-	b, err := asn1.Marshal(val)
-	if err != nil {
-		return rawCertificates{}, err
-	}
-	return rawCertificates{Raw: b}, nil
-}
-
-// DegenerateCertificate creates a signed data structure containing only the
-// provided certificate or certificate chain.
-func DegenerateCertificate(cert []byte) ([]byte, error) {
-	rawCert, err := marshalCertificateBytes(cert)
-	if err != nil {
-		return nil, err
-	}
-	emptyContent := contentInfo{ContentType: OIDData}
-	sd := signedData{
-		Version:      1,
-		ContentInfo:  emptyContent,
-		Certificates: rawCert,
-		CRLs:         []pkix.CertificateList{},
-	}
-	content, err := asn1.Marshal(sd)
-	if err != nil {
-		return nil, err
-	}
-	signedContent := contentInfo{
-		ContentType: OIDSignedData,
-		Content:     asn1.RawValue{Class: 2, Tag: 0, Bytes: content, IsCompound: true},
-	}
-	return asn1.Marshal(signedContent)
-}
+```release-note:change
+cli: `vault plugin info` and `vault plugin deregister` now require 2 positional arguments instead of accepting either 1 or 2.
+```
+```release-note:improvement
+cli: Improved error messages for `vault plugin` sub-commands.
+```
diff --git a/builtin/credential/ldap/backend.go b/builtin/credential/ldap/backend.go
index d938a4fea9f0..343811bfd050 100644
--- a/builtin/credential/ldap/backend.go
+++ b/builtin/credential/ldap/backend.go
@@ -1,174 +1,3 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package ldap
-
-import (
-	"context"
-	"fmt"
-	"strings"
-
-	"github.com/hashicorp/cap/ldap"
-	"github.com/hashicorp/go-secure-stdlib/strutil"
-
-	"github.com/hashicorp/vault/sdk/framework"
-	"github.com/hashicorp/vault/sdk/helper/ldaputil"
-	"github.com/hashicorp/vault/sdk/logical"
-)
-
-const (
-	operationPrefixLDAP = "ldap"
-	errUserBindFailed   = "ldap operation failed: failed to bind as user"
-)
-
-func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
-	b := Backend()
-	if err := b.Setup(ctx, conf); err != nil {
-		return nil, err
-	}
-	return b, nil
-}
-
-func Backend() *backend {
-	var b backend
-	b.Backend = &framework.Backend{
-		Help: backendHelp,
-
-		PathsSpecial: &logical.Paths{
-			Unauthenticated: []string{
-				"login/*",
-			},
-
-			SealWrapStorage: []string{
-				"config",
-			},
-		},
-
-		Paths: []*framework.Path{
-			pathConfig(&b),
-			pathGroups(&b),
-			pathGroupsList(&b),
-			pathUsers(&b),
-			pathUsersList(&b),
-			pathLogin(&b),
-		},
-
-		AuthRenew:   b.pathLoginRenew,
-		BackendType: logical.TypeCredential,
-	}
-
-	return &b
-}
-
-type backend struct {
-	*framework.Backend
-}
-
-func (b *backend) Login(ctx context.Context, req *logical.Request, username string, password string, usernameAsAlias bool) (string, []string, *logical.Response, []string, error) {
-	cfg, err := b.Config(ctx, req)
-	if err != nil {
-		return "", nil, nil, nil, err
-	}
-	if cfg == nil {
-		return "", nil, logical.ErrorResponse("ldap backend not configured"), nil, nil
-	}
-
-	if cfg.DenyNullBind && len(password) == 0 {
-		return "", nil, logical.ErrorResponse("password cannot be of zero length when passwordless binds are being denied"), nil, nil
-	}
-
-	ldapClient, err := ldap.NewClient(ctx, ldaputil.ConvertConfig(cfg.ConfigEntry))
-	if err != nil {
-		return "", nil, logical.ErrorResponse(err.Error()), nil, nil
-	}
-
-	// Clean connection
-	defer ldapClient.Close(ctx)
-
-	c, err := ldapClient.Authenticate(ctx, username, password, ldap.WithGroups(), ldap.WithUserAttributes())
-	if err != nil {
-		if strings.Contains(err.Error(), "discovery of user bind DN failed") ||
-			strings.Contains(err.Error(), "unable to bind user") {
-			return "", nil, logical.ErrorResponse(errUserBindFailed), nil, logical.ErrInvalidCredentials
-		}
-
-		return "", nil, logical.ErrorResponse(err.Error()), nil, nil
-	}
-
-	ldapGroups := c.Groups
-	ldapResponse := &logical.Response{
-		Data: map[string]interface{}{},
-	}
-	if len(ldapGroups) == 0 {
-		errString := fmt.Sprintf(
-			"no LDAP groups found in groupDN %q; only policies from locally-defined groups available",
-			cfg.GroupDN)
-		ldapResponse.AddWarning(errString)
-	}
-
-	for _, warning := range c.Warnings {
-		ldapResponse.AddWarning(string(warning))
-	}
-
-	var allGroups []string
-	canonicalUsername := username
-	cs := *cfg.CaseSensitiveNames
-	if !cs {
-		canonicalUsername = strings.ToLower(username)
-	}
-	// Import the custom added groups from ldap backend
-	user, err := b.User(ctx, req.Storage, canonicalUsername)
-	if err == nil && user != nil && user.Groups != nil {
-		if b.Logger().IsDebug() {
-			b.Logger().Debug("adding local groups", "num_local_groups", len(user.Groups), "local_groups", user.Groups)
-		}
-		allGroups = append(allGroups, user.Groups...)
-	}
-	// Merge local and LDAP groups
-	allGroups = append(allGroups, ldapGroups...)
-
-	canonicalGroups := allGroups
-	// If not case sensitive, lowercase all
-	if !cs {
-		canonicalGroups = make([]string, len(allGroups))
-		for i, v := range allGroups {
-			canonicalGroups[i] = strings.ToLower(v)
-		}
-	}
-
-	// Retrieve policies
-	var policies []string
-	for _, groupName := range canonicalGroups {
-		group, err := b.Group(ctx, req.Storage, groupName)
-		if err == nil && group != nil {
-			policies = append(policies, group.Policies...)
-		}
-	}
-	if user != nil && user.Policies != nil {
-		policies = append(policies, user.Policies...)
-	}
-	// Policies from each group may overlap
-	policies = strutil.RemoveDuplicates(policies, true)
-
-	if usernameAsAlias {
-		return username, policies, ldapResponse, allGroups, nil
-	}
-
-	userAttrValues := c.UserAttributes[cfg.UserAttr]
-	if len(userAttrValues) == 0 {
-		return "", nil, logical.ErrorResponse("missing entity alias attribute value"), nil, nil
-	}
-	entityAliasAttribute := userAttrValues[0]
-
-	return entityAliasAttribute, policies, ldapResponse, allGroups, nil
-}
-
-const backendHelp = `
-The "ldap" credential provider allows authentication querying
-a LDAP server, checking username and password, and associating groups
-to set of policies.
-
-Configuration of the server is done through the "config" and "groups"
-endpoints by a user with root access. Authentication is then done
-by supplying the two fields for "login".
-`
+```release-note:bug
+agent/logging: Agent should now honor correct -log-format and -log-file settings in logs generated by the consul-template library.
+```
\ No newline at end of file
diff --git a/builtin/credential/ldap/path_config.go b/builtin/credential/ldap/path_config.go
index f6e7a152dfa4..74124710b8a8 100644
--- a/builtin/credential/ldap/path_config.go
+++ b/builtin/credential/ldap/path_config.go
@@ -1,271 +1,4 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package ldap
-
-import (
-	"context"
-	"strings"
-
-	"github.com/hashicorp/vault/sdk/framework"
-	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/hashicorp/vault/sdk/helper/ldaputil"
-	"github.com/hashicorp/vault/sdk/helper/tokenutil"
-	"github.com/hashicorp/vault/sdk/logical"
-)
-
-const userFilterWarning = "userfilter configured does not consider userattr and may result in colliding entity aliases on logins"
-
-func pathConfig(b *backend) *framework.Path {
-	p := &framework.Path{
-		Pattern: `config`,
-
-		DisplayAttrs: &framework.DisplayAttributes{
-			OperationPrefix: operationPrefixLDAP,
-			Action:          "Configure",
-		},
-
-		Fields: ldaputil.ConfigFields(),
-
-		Operations: map[logical.Operation]framework.OperationHandler{
-			logical.ReadOperation: &framework.PathOperation{
-				Callback: b.pathConfigRead,
-				DisplayAttrs: &framework.DisplayAttributes{
-					OperationSuffix: "auth-configuration",
-				},
-			},
-			logical.UpdateOperation: &framework.PathOperation{
-				Callback: b.pathConfigWrite,
-				DisplayAttrs: &framework.DisplayAttributes{
-					OperationVerb: "configure-auth",
-				},
-			},
-		},
-
-		HelpSynopsis:    pathConfigHelpSyn,
-		HelpDescription: pathConfigHelpDesc,
-	}
-
-	tokenutil.AddTokenFields(p.Fields)
-	p.Fields["token_policies"].Description += ". This will apply to all tokens generated by this auth method, in addition to any configured for specific users/groups."
-	return p
-}
-
-/*
- * Construct ConfigEntry struct using stored configuration.
- */
-func (b *backend) Config(ctx context.Context, req *logical.Request) (*ldapConfigEntry, error) {
-	storedConfig, err := req.Storage.Get(ctx, "config")
-	if err != nil {
-		return nil, err
-	}
-
-	if storedConfig == nil {
-		// Create a new ConfigEntry, filling in defaults where appropriate
-		fd, err := b.getConfigFieldData()
-		if err != nil {
-			return nil, err
-		}
-
-		result, err := ldaputil.NewConfigEntry(nil, fd)
-		if err != nil {
-			return nil, err
-		}
-
-		// No user overrides, return default configuration
-		result.CaseSensitiveNames = new(bool)
-		*result.CaseSensitiveNames = false
-
-		result.UsePre111GroupCNBehavior = new(bool)
-		*result.UsePre111GroupCNBehavior = false
-
-		return &ldapConfigEntry{ConfigEntry: result}, nil
-	}
-
-	// Deserialize stored configuration.
-	// Fields not specified in storedConfig will retain their defaults.
-	result := new(ldapConfigEntry)
-	result.ConfigEntry = new(ldaputil.ConfigEntry)
-	if err := storedConfig.DecodeJSON(result); err != nil {
-		return nil, err
-	}
-
-	var persistNeeded bool
-	if result.CaseSensitiveNames == nil {
-		// Upgrade from before switching to case-insensitive
-		result.CaseSensitiveNames = new(bool)
-		*result.CaseSensitiveNames = true
-		persistNeeded = true
-	}
-
-	if result.UsePre111GroupCNBehavior == nil {
-		result.UsePre111GroupCNBehavior = new(bool)
-		*result.UsePre111GroupCNBehavior = true
-		persistNeeded = true
-	}
-
-	if persistNeeded && (b.System().LocalMount() || !b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary|consts.ReplicationPerformanceStandby)) {
-		entry, err := logical.StorageEntryJSON("config", result)
-		if err != nil {
-			return nil, err
-		}
-		if err := req.Storage.Put(ctx, entry); err != nil {
-			return nil, err
-		}
-	}
-
-	return result, nil
-}
-
-func (b *backend) pathConfigRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
-	cfg, err := b.Config(ctx, req)
-	if err != nil {
-		return nil, err
-	}
-	if cfg == nil {
-		return nil, nil
-	}
-
-	data := cfg.PasswordlessMap()
-	cfg.PopulateTokenData(data)
-
-	resp := &logical.Response{
-		Data: data,
-	}
-
-	if warnings := b.checkConfigUserFilter(cfg); len(warnings) > 0 {
-		resp.Warnings = warnings
-	}
-
-	return resp, nil
-}
-
-// checkConfigUserFilter performs a best-effort check the config's userfilter.
-// It will checked whether the templated or literal userattr value is present,
-// and if not return a warning.
-func (b *backend) checkConfigUserFilter(cfg *ldapConfigEntry) []string {
-	if cfg == nil || cfg.UserFilter == "" {
-		return nil
-	}
-
-	var warnings []string
-
-	switch {
-	case strings.Contains(cfg.UserFilter, "{{.UserAttr}}"):
-		// Case where the templated userattr value is provided
-	case strings.Contains(cfg.UserFilter, cfg.UserAttr):
-		// Case where the literal userattr value is provided
-	default:
-		b.Logger().Debug(userFilterWarning, "userfilter", cfg.UserFilter, "userattr", cfg.UserAttr)
-		warnings = append(warnings, userFilterWarning)
-	}
-
-	return warnings
-}
-
-func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
-	cfg, err := b.Config(ctx, req)
-	if err != nil {
-		return nil, err
-	}
-	if cfg == nil {
-		return nil, nil
-	}
-
-	// Build a ConfigEntry struct out of the supplied FieldData
-	cfg.ConfigEntry, err = ldaputil.NewConfigEntry(cfg.ConfigEntry, d)
-	if err != nil {
-		return logical.ErrorResponse(err.Error()), nil
-	}
-
-	// On write, if not specified, use false. We do this here so upgrade logic
-	// works since it calls the same newConfigEntry function
-	if cfg.CaseSensitiveNames == nil {
-		cfg.CaseSensitiveNames = new(bool)
-		*cfg.CaseSensitiveNames = false
-	}
-
-	if cfg.UsePre111GroupCNBehavior == nil {
-		cfg.UsePre111GroupCNBehavior = new(bool)
-		*cfg.UsePre111GroupCNBehavior = false
-	}
-
-	if err := cfg.ParseTokenFields(req, d); err != nil {
-		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
-	}
-
-	entry, err := logical.StorageEntryJSON("config", cfg)
-	if err != nil {
-		return nil, err
-	}
-	if err := req.Storage.Put(ctx, entry); err != nil {
-		return nil, err
-	}
-
-	if warnings := b.checkConfigUserFilter(cfg); len(warnings) > 0 {
-		return &logical.Response{
-			Warnings: warnings,
-		}, nil
-	}
-
-	return nil, nil
-}
-
-/*
- * Returns FieldData describing our ConfigEntry struct schema
- */
-func (b *backend) getConfigFieldData() (*framework.FieldData, error) {
-	configPath := b.Route("config")
-
-	if configPath == nil {
-		return nil, logical.ErrUnsupportedPath
-	}
-
-	raw := make(map[string]interface{}, len(configPath.Fields))
-
-	fd := framework.FieldData{
-		Raw:    raw,
-		Schema: configPath.Fields,
-	}
-
-	return &fd, nil
-}
-
-type ldapConfigEntry struct {
-	tokenutil.TokenParams
-	*ldaputil.ConfigEntry
-}
-
-const pathConfigHelpSyn = `
-Configure the LDAP server to connect to, along with its options.
-`
-
-const pathConfigHelpDesc = `
-This endpoint allows you to configure the LDAP server to connect to and its
-configuration options.
-
-The LDAP URL can use either the "ldap://" or "ldaps://" schema. In the former
-case, an unencrypted connection will be made with a default port of 389, unless
-the "starttls" parameter is set to true, in which case TLS will be used. In the
-latter case, a SSL connection will be established with a default port of 636.
-
-## A NOTE ON ESCAPING
-
-It is up to the administrator to provide properly escaped DNs. This includes
-the user DN, bind DN for search, and so on.
-
-The only DN escaping performed by this backend is on usernames given at login
-time when they are inserted into the final bind DN, and uses escaping rules
-defined in RFC 4514.
-
-Additionally, Active Directory has escaping rules that differ slightly from the
-RFC; in particular it requires escaping of '#' regardless of position in the DN
-(the RFC only requires it to be escaped when it is the first character), and
-'=', which the RFC indicates can be escaped with a backslash, but does not
-contain in its set of required escapes. If you are using Active Directory and
-these appear in your usernames, please ensure that they are escaped, in
-addition to being properly escaped in your configured DNs.
-
-For reference, see https://www.ietf.org/rfc/rfc4514.txt and
-http://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
-`
+```release-note:bug
+api: Fix deadlock on calls to sys/leader with a namespace configured
+on the request.
+```
diff --git a/builtin/credential/ldap/path_config_rotate_root.go b/builtin/credential/ldap/path_config_rotate_root.go
new file mode 100644
index 000000000000..eb8e4c04fb7c
--- /dev/null
+++ b/builtin/credential/ldap/path_config_rotate_root.go
@@ -0,0 +1,3 @@
+```release-note:change
+api: add the `enterprise` parameter to the `/sys/health` endpoint
+```
diff --git a/builtin/credential/ldap/path_config_rotate_root_test.go b/builtin/credential/ldap/path_config_rotate_root_test.go
new file mode 100644
index 000000000000..7d24c296a1f2
--- /dev/null
+++ b/builtin/credential/ldap/path_config_rotate_root_test.go
@@ -0,0 +1,3 @@
+```release-note:bug
+ui: Correctly handle directory redirects from pre 1.15.0 Kv v2 list view urls.
+```
diff --git a/builtin/logical/pki/acme_challenges.go b/builtin/logical/pki/acme_challenges.go
index 290c8ec78c7f..f8f885f3e11e 100644
--- a/builtin/logical/pki/acme_challenges.go
+++ b/builtin/logical/pki/acme_challenges.go
@@ -1,502 +1,3 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package pki
-
-import (
-	"bytes"
-	"context"
-	"crypto/sha256"
-	"crypto/subtle"
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/asn1"
-	"encoding/base64"
-	"fmt"
-	"io"
-	"net"
-	"net/http"
-	"strings"
-	"time"
-)
-
-const (
-	DNSChallengePrefix = "_acme-challenge."
-	ALPNProtocol       = "acme-tls/1"
-)
-
-// While this should be a constant, there's no way to do a low-level test of
-// ValidateTLSALPN01Challenge without spinning up a complicated Docker
-// instance to build a custom responder. Because we already have a local
-// toolchain, it is far easier to drive this through Go tests with a custom
-// (high) port, rather than requiring permission to bind to port 443 (root-run
-// tests are even worse).
-var ALPNPort = "443"
-
-// OID of the acmeIdentifier X.509 Certificate Extension.
-var OIDACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}
-
-// ValidateKeyAuthorization validates that the given keyAuthz from a challenge
-// matches our expectation, returning (true, nil) if so, or (false, err) if
-// not.
-func ValidateKeyAuthorization(keyAuthz string, token string, thumbprint string) (bool, error) {
-	parts := strings.Split(keyAuthz, ".")
-	if len(parts) != 2 {
-		return false, fmt.Errorf("invalid authorization: got %v parts, expected 2", len(parts))
-	}
-
-	tokenPart := parts[0]
-	thumbprintPart := parts[1]
-
-	if token != tokenPart || thumbprint != thumbprintPart {
-		return false, fmt.Errorf("key authorization was invalid")
-	}
-
-	return true, nil
-}
-
-// ValidateSHA256KeyAuthorization validates that the given keyAuthz from a
-// challenge matches our expectation, returning (true, nil) if so, or
-// (false, err) if not.
-//
-// This is for use with DNS challenges, which require base64 encoding.
-func ValidateSHA256KeyAuthorization(keyAuthz string, token string, thumbprint string) (bool, error) {
-	authzContents := token + "." + thumbprint
-	checksum := sha256.Sum256([]byte(authzContents))
-	expectedAuthz := base64.RawURLEncoding.EncodeToString(checksum[:])
-
-	if keyAuthz != expectedAuthz {
-		return false, fmt.Errorf("sha256 key authorization was invalid")
-	}
-
-	return true, nil
-}
-
-// ValidateRawSHA256KeyAuthorization validates that the given keyAuthz from a
-// challenge matches our expectation, returning (true, nil) if so, or
-// (false, err) if not.
-//
-// This is for use with TLS challenges, which require the raw hash output.
-func ValidateRawSHA256KeyAuthorization(keyAuthz []byte, token string, thumbprint string) (bool, error) {
-	authzContents := token + "." + thumbprint
-	expectedAuthz := sha256.Sum256([]byte(authzContents))
-
-	if len(keyAuthz) != len(expectedAuthz) || subtle.ConstantTimeCompare(expectedAuthz[:], keyAuthz) != 1 {
-		return false, fmt.Errorf("sha256 key authorization was invalid")
-	}
-
-	return true, nil
-}
-
-func buildResolver(config *acmeConfigEntry) (*net.Resolver, error) {
-	if len(config.DNSResolver) == 0 {
-		return net.DefaultResolver, nil
-	}
-
-	return &net.Resolver{
-		PreferGo:     true,
-		StrictErrors: false,
-		Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
-			d := net.Dialer{
-				Timeout: 10 * time.Second,
-			}
-			return d.DialContext(ctx, network, config.DNSResolver)
-		},
-	}, nil
-}
-
-func buildDialerConfig(config *acmeConfigEntry) (*net.Dialer, error) {
-	resolver, err := buildResolver(config)
-	if err != nil {
-		return nil, fmt.Errorf("failed to build resolver: %w", err)
-	}
-
-	return &net.Dialer{
-		Timeout:   10 * time.Second,
-		KeepAlive: -1 * time.Second,
-		Resolver:  resolver,
-	}, nil
-}
-
-// Validates a given ACME http-01 challenge against the specified domain,
-// per RFC 8555.
-//
-// We attempt to be defensive here against timeouts, extra redirects, &c.
-func ValidateHTTP01Challenge(domain string, token string, thumbprint string, config *acmeConfigEntry) (bool, error) {
-	path := "http://" + domain + "/.well-known/acme-challenge/" + token
-	dialer, err := buildDialerConfig(config)
-	if err != nil {
-		return false, fmt.Errorf("failed to build dialer: %w", err)
-	}
-
-	transport := &http.Transport{
-		// Only a single request is sent to this server as we do not do any
-		// batching of validation attempts. There is no need to do an HTTP
-		// KeepAlive as a result.
-		DisableKeepAlives:   true,
-		MaxIdleConns:        1,
-		MaxIdleConnsPerHost: 1,
-		MaxConnsPerHost:     1,
-		IdleConnTimeout:     1 * time.Second,
-		TLSClientConfig:     &tls.Config{InsecureSkipVerify: true},
-
-		// We'd rather timeout and re-attempt validation later than hang
-		// too many validators waiting for slow hosts.
-		DialContext:           dialer.DialContext,
-		ResponseHeaderTimeout: 10 * time.Second,
-	}
-
-	maxRedirects := 10
-	urlLength := 2000
-
-	client := &http.Client{
-		Transport: transport,
-		CheckRedirect: func(req *http.Request, via []*http.Request) error {
-			if len(via)+1 >= maxRedirects {
-				return fmt.Errorf("http-01: too many redirects: %v", len(via)+1)
-			}
-
-			reqUrlLen := len(req.URL.String())
-			if reqUrlLen > urlLength {
-				return fmt.Errorf("http-01: redirect url length too long: %v", reqUrlLen)
-			}
-
-			return nil
-		},
-	}
-
-	resp, err := client.Get(path)
-	if err != nil {
-		return false, fmt.Errorf("http-01: failed to fetch path %v: %w", path, err)
-	}
-
-	// We provision a buffer which allows for a variable size challenge, some
-	// whitespace, and a detection gap for too long of a message.
-	minExpected := len(token) + 1 + len(thumbprint)
-	maxExpected := 512
-
-	defer resp.Body.Close()
-
-	// Attempt to read the body, but don't do so infinitely.
-	body, err := io.ReadAll(io.LimitReader(resp.Body, int64(maxExpected+1)))
-	if err != nil {
-		return false, fmt.Errorf("http-01: unexpected error while reading body: %w", err)
-	}
-
-	if len(body) > maxExpected {
-		return false, fmt.Errorf("http-01: response too large: received %v > %v bytes", len(body), maxExpected)
-	}
-
-	if len(body) < minExpected {
-		return false, fmt.Errorf("http-01: response too small: received %v < %v bytes", len(body), minExpected)
-	}
-
-	// Per RFC 8555 Section 8.3. HTTP Challenge:
-	//
-	// > The server SHOULD ignore whitespace characters at the end of the body.
-	keyAuthz := string(body)
-	keyAuthz = strings.TrimSpace(keyAuthz)
-
-	// If we got here, we got no non-EOF error while reading. Try to validate
-	// the token because we're bounded by a reasonable amount of length.
-	return ValidateKeyAuthorization(keyAuthz, token, thumbprint)
-}
-
-func ValidateDNS01Challenge(domain string, token string, thumbprint string, config *acmeConfigEntry) (bool, error) {
-	// Here, domain is the value from the post-wildcard-processed identifier.
-	// Per RFC 8555, no difference in validation occurs if a wildcard entry
-	// is requested or if a non-wildcard entry is requested.
-	//
-	// XXX: In this case the DNS server is operator controlled and is assumed
-	// to be less malicious so the default resolver is used. In the future,
-	// we'll want to use net.Resolver for two reasons:
-	//
-	// 1. To control the actual resolver via ACME configuration,
-	// 2. To use a context to set stricter timeout limits.
-	resolver, err := buildResolver(config)
-	if err != nil {
-		return false, fmt.Errorf("failed to build resolver: %w", err)
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-	defer cancel()
-
-	name := DNSChallengePrefix + domain
-	results, err := resolver.LookupTXT(ctx, name)
-	if err != nil {
-		return false, fmt.Errorf("dns-01: failed to lookup TXT records for domain (%v) via resolver %v: %w", name, config.DNSResolver, err)
-	}
-
-	for _, keyAuthz := range results {
-		ok, _ := ValidateSHA256KeyAuthorization(keyAuthz, token, thumbprint)
-		if ok {
-			return true, nil
-		}
-	}
-
-	return false, fmt.Errorf("dns-01: challenge failed against %v records", len(results))
-}
-
-func ValidateTLSALPN01Challenge(domain string, token string, thumbprint string, config *acmeConfigEntry) (bool, error) {
-	// This RFC is defined in RFC 8737 Automated Certificate Management
-	// Environment (ACME) TLS Application‑Layer Protocol Negotiation
-	// (ALPN) Challenge Extension.
-	//
-	// This is conceptually similar to ValidateHTTP01Challenge, but
-	// uses a TLS connection on port 443 with the specified ALPN
-	// protocol.
-
-	cfg := &tls.Config{
-		// Per RFC 8737 Section 3. TLS with Application-Layer Protocol
-		// Negotiation (TLS ALPN) Challenge, the name of the negotiated
-		// protocol is "acme-tls/1".
-		NextProtos: []string{ALPNProtocol},
-
-		// Per RFC 8737 Section 3. TLS with Application-Layer Protocol
-		// Negotiation (TLS ALPN) Challenge:
-		//
-		// > ... and an SNI extension containing only the domain name
-		// > being validated during the TLS handshake.
-		//
-		// According to the Go docs, setting this option (even though
-		// InsecureSkipVerify=true is also specified), allows us to
-		// set the SNI extension to this value.
-		ServerName: domain,
-
-		VerifyConnection: func(connState tls.ConnectionState) error {
-			// We initiated a fresh connection with no session tickets;
-			// even if we did have a session ticket, we do not wish to
-			// use it. Verify that the server has not inadvertently
-			// reused connections between validation attempts or something.
-			if connState.DidResume {
-				return fmt.Errorf("server under test incorrectly reported that handshake was resumed when no session cache was provided; refusing to continue")
-			}
-
-			// Per RFC 8737 Section 3. TLS with Application-Layer Protocol
-			// Negotiation (TLS ALPN) Challenge:
-			//
-			// > The ACME server verifies that during the TLS handshake the
-			// > application-layer protocol "acme-tls/1" was successfully
-			// > negotiated (and that the ALPN extension contained only the
-			// > value "acme-tls/1").
-			if connState.NegotiatedProtocol != ALPNProtocol {
-				return fmt.Errorf("server under test negotiated unexpected ALPN protocol %v", connState.NegotiatedProtocol)
-			}
-
-			// Per RFC 8737 Section 3. TLS with Application-Layer Protocol
-			// Negotiation (TLS ALPN) Challenge:
-			//
-			// > and that the certificate returned
-			//
-			// Because this certificate MUST be self-signed (per earlier
-			// statement in RFC 8737 Section 3), there is no point in sending
-			// more than one certificate, and so we will err early here if
-			// we got more than one.
-			if len(connState.PeerCertificates) > 1 {
-				return fmt.Errorf("server under test returned multiple (%v) certificates when we expected only one", len(connState.PeerCertificates))
-			}
-			cert := connState.PeerCertificates[0]
-
-			// Per RFC 8737 Section 3. TLS with Application-Layer Protocol
-			// Negotiation (TLS ALPN) Challenge:
-			//
-			// > The client prepares for validation by constructing a
-			// > self-signed certificate that MUST contain an acmeIdentifier
-			// > extension and a subjectAlternativeName extension [RFC5280].
-			//
-			// Verify that this is a self-signed certificate that isn't signed
-			// by another certificate (i.e., with the same key material but
-			// different issuer).
-			// NOTE: Do not use cert.CheckSignatureFrom(cert) as we need to bypass the
-			//       checks for the parent certificate having the IsCA basic constraint set.
-			err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature)
-			if err != nil {
-				return fmt.Errorf("server under test returned a non-self-signed certificate: %v", err)
-			}
-
-			if !bytes.Equal(cert.RawSubject, cert.RawIssuer) {
-				return fmt.Errorf("server under test returned a non-self-signed certificate: invalid subject (%v) <-> issuer (%v) match", cert.Subject.String(), cert.Issuer.String())
-			}
-
-			// Per RFC 8737 Section 3. TLS with Application-Layer Protocol
-			// Negotiation (TLS ALPN) Challenge:
-			//
-			// > The subjectAlternativeName extension MUST contain a single
-			// > dNSName entry where the value is the domain name being
-			// > validated.
-			//
-			// TODO: this does not validate that there are not other SANs
-			// with unknown (to Go) OIDs.
-			if len(cert.DNSNames) != 1 || len(cert.EmailAddresses) > 0 || len(cert.IPAddresses) > 0 || len(cert.URIs) > 0 {
-				return fmt.Errorf("server under test returned a certificate with incorrect SANs")
-			}
-
-			// Per RFC 8737 Section 3. TLS with Application-Layer Protocol
-			// Negotiation (TLS ALPN) Challenge:
-			//
-			// > The comparison of dNSNames MUST be case insensitive
-			// > [RFC4343]. Note that as ACME doesn't support Unicode
-			// > identifiers, all dNSNames MUST be encoded using the rules
-			// > of [RFC3492].
-			if !strings.EqualFold(cert.DNSNames[0], domain) {
-				return fmt.Errorf("server under test returned a certificate with unexpected identifier: %v", cert.DNSNames[0])
-			}
-
-			// Per above, verify that the acmeIdentifier extension is present
-			// exactly once and has the correct value.
-			var foundACMEId bool
-			for _, ext := range cert.Extensions {
-				if !ext.Id.Equal(OIDACMEIdentifier) {
-					continue
-				}
-
-				// There must be only a single ACME extension.
-				if foundACMEId {
-					return fmt.Errorf("server under test returned a certificate with multiple acmeIdentifier extensions")
-				}
-				foundACMEId = true
-
-				// Per RFC 8737 Section 3. TLS with Application-Layer Protocol
-				// Negotiation (TLS ALPN) Challenge:
-				//
-				// > a critical acmeIdentifier extension
-				if !ext.Critical {
-					return fmt.Errorf("server under test returned a certificate with an acmeIdentifier extension marked non-Critical")
-				}
-
-				var keyAuthz []byte
-				remainder, err := asn1.Unmarshal(ext.Value, &keyAuthz)
-				if err != nil {
-					return fmt.Errorf("server under test returned a certificate with invalid acmeIdentifier extension value: %w", err)
-				}
-				if len(remainder) > 0 {
-					return fmt.Errorf("server under test returned a certificate with invalid acmeIdentifier extension value with additional trailing data")
-				}
-
-				ok, err := ValidateRawSHA256KeyAuthorization(keyAuthz, token, thumbprint)
-				if !ok || err != nil {
-					return fmt.Errorf("server under test returned a certificate with an invalid key authorization (%w)", err)
-				}
-			}
-
-			// Per RFC 8737 Section 3. TLS with Application-Layer Protocol
-			// Negotiation (TLS ALPN) Challenge:
-			//
-			// > The ACME server verifies that ... the certificate returned
-			// > contains: ... a critical acmeIdentifier extension containing
-			// > the expected SHA-256 digest computed in step 1.
-			if !foundACMEId {
-				return fmt.Errorf("server under test returned a certificate without the required acmeIdentifier extension")
-			}
-
-			// Remove the handled critical extension and validate that we
-			// have no additional critical extensions left unhandled.
-			var index int = -1
-			for oidIndex, oid := range cert.UnhandledCriticalExtensions {
-				if oid.Equal(OIDACMEIdentifier) {
-					index = oidIndex
-					break
-				}
-			}
-			if index != -1 {
-				// Unlike the foundACMEId case, this is not a failure; if Go
-				// updates to "understand" this critical extension, we do not
-				// wish to fail.
-				cert.UnhandledCriticalExtensions = append(cert.UnhandledCriticalExtensions[0:index], cert.UnhandledCriticalExtensions[index+1:]...)
-			}
-			if len(cert.UnhandledCriticalExtensions) > 0 {
-				return fmt.Errorf("server under test returned a certificate with additional unknown critical extensions (%v)", cert.UnhandledCriticalExtensions)
-			}
-
-			// All good!
-			return nil
-		},
-
-		// We never want to resume a connection; do not provide session
-		// cache storage.
-		ClientSessionCache: nil,
-
-		// Do not trust any system trusted certificates; we're going to be
-		// manually validating the chain, so specifying a non-empty pool
-		// here could only cause additional, unnecessary work.
-		RootCAs: x509.NewCertPool(),
-
-		// Do not bother validating the client's chain; we know it should be
-		// self-signed. This also disables hostname verification, but we do
-		// this verification as part of VerifyConnection(...) ourselves.
-		//
-		// Per Go docs, this option is only safe in conjunction with
-		// VerifyConnection which we define above.
-		InsecureSkipVerify: true,
-
-		// RFC 8737 Section 4. acme-tls/1 Protocol Definition:
-		//
-		// > ACME servers that implement "acme-tls/1" MUST only negotiate
-		// > TLS 1.2 [RFC5246] or higher when connecting to clients for
-		// > validation.
-		MinVersion: tls.VersionTLS12,
-
-		// While RFC 8737 does not place restrictions around allowed cipher
-		// suites, we wish to restrict ourselves to secure defaults. Specify
-		// the Intermediate guideline from Mozilla's TLS config generator to
-		// disable obviously weak ciphers.
-		//
-		// See also: https://ssl-config.mozilla.org/#server=go&version=1.14.4&config=intermediate&guideline=5.7
-		CipherSuites: []uint16{
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-		},
-	}
-
-	// Build a dialer using our custom DNS resolver, to ensure domains get
-	// resolved according to configuration.
-	dialer, err := buildDialerConfig(config)
-	if err != nil {
-		return false, fmt.Errorf("failed to build dialer: %w", err)
-	}
-
-	// Per RFC 8737 Section 3. TLS with Application-Layer Protocol
-	// Negotiation (TLS ALPN) Challenge:
-	//
-	// > 2. The ACME server resolves the domain name being validated and
-	// >    chooses one of the IP addresses returned for validation (the
-	// >    server MAY validate against multiple addresses if more than
-	// >    one is returned).
-	// > 3. The ACME server initiates a TLS connection to the chosen IP
-	// >    address. This connection MUST use TCP port 443.
-	address := fmt.Sprintf("%v:"+ALPNPort, domain)
-	conn, err := dialer.Dial("tcp", address)
-	if err != nil {
-		return false, fmt.Errorf("tls-alpn-01: failed to dial host: %w", err)
-	}
-
-	// Initiate the connection to the remote peer.
-	client := tls.Client(conn, cfg)
-
-	// We intentionally swallow this error as it isn't useful to the
-	// underlying protocol we perform here. Notably, per RFC 8737
-	// Section 4. acme-tls/1 Protocol Definition:
-	//
-	// > Once the handshake is completed, the client MUST NOT exchange
-	// > any further data with the server and MUST immediately close the
-	// > connection. ... Because of this, an ACME server MAY choose to
-	// > withhold authorization if either the certificate signature is
-	// > invalid or the handshake doesn't fully complete.
-	defer client.Close()
-
-	// We wish to put time bounds on the total time the handshake can
-	// stall for, so build a connection context here.
-	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-	defer cancel()
-
-	// See note above about why we can allow Handshake to complete
-	// successfully.
-	if err := client.HandshakeContext(ctx); err != nil {
-		return false, fmt.Errorf("tls-alpn-01: failed to perform handshake: %w", err)
-	}
-	return true, nil
-}
+```release-note:change
+ui: add subnav for replication items
+```
diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go
index 824d3cf8110d..3533146b7d23 100644
--- a/builtin/logical/pki/backend_test.go
+++ b/builtin/logical/pki/backend_test.go
@@ -1,7149 +1,3 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package pki
-
-import (
-	"bytes"
-	"context"
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/ed25519"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/base64"
-	"encoding/hex"
-	"encoding/json"
-	"encoding/pem"
-	"fmt"
-	"math"
-	"math/big"
-	mathrand "math/rand"
-	"net"
-	"net/url"
-	"os"
-	"reflect"
-	"sort"
-	"strconv"
-	"strings"
-	"sync"
-	"testing"
-	"time"
-
-	"github.com/hashicorp/vault/helper/testhelpers/teststorage"
-	"golang.org/x/exp/maps"
-
-	"github.com/hashicorp/vault/helper/testhelpers"
-
-	"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/armon/go-metrics"
-	"github.com/fatih/structs"
-	"github.com/go-test/deep"
-	"github.com/hashicorp/go-secure-stdlib/strutil"
-	"github.com/hashicorp/vault/api"
-	auth "github.com/hashicorp/vault/api/auth/userpass"
-	"github.com/hashicorp/vault/builtin/credential/userpass"
-	logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical"
-	vaulthttp "github.com/hashicorp/vault/http"
-	"github.com/hashicorp/vault/sdk/helper/certutil"
-	"github.com/hashicorp/vault/sdk/logical"
-	"github.com/hashicorp/vault/vault"
-	"github.com/mitchellh/mapstructure"
-	"golang.org/x/net/idna"
-)
-
-var stepCount = 0
-
-// From builtin/credential/cert/test-fixtures/root/rootcacert.pem
-const (
-	rootCACertPEM = `-----BEGIN CERTIFICATE-----
-MIIDPDCCAiSgAwIBAgIUb5id+GcaMeMnYBv3MvdTGWigyJ0wDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTYwMjI5MDIyNzI5WhcNMjYw
-MjI2MDIyNzU5WjAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAOxTMvhTuIRc2YhxZpmPwegP86cgnqfT1mXxi1A7
-Q7qax24Nqbf00I3oDMQtAJlj2RB3hvRSCb0/lkF7i1Bub+TGxuM7NtZqp2F8FgG0
-z2md+W6adwW26rlxbQKjmRvMn66G9YPTkoJmPmxt2Tccb9+apmwW7lslL5j8H48x
-AHJTMb+PMP9kbOHV5Abr3PT4jXUPUr/mWBvBiKiHG0Xd/HEmlyOEPeAThxK+I5tb
-6m+eB+7cL9BsvQpy135+2bRAxUphvFi5NhryJ2vlAvoJ8UqigsNK3E28ut60FAoH
-SWRfFUFFYtfPgTDS1yOKU/z/XMU2giQv2HrleWt0mp4jqBUCAwEAAaOBgTB/MA4G
-A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSdxLNP/ocx
-7HK6JT3/sSAe76iTmzAfBgNVHSMEGDAWgBSdxLNP/ocx7HK6JT3/sSAe76iTmzAc
-BgNVHREEFTATggtleGFtcGxlLmNvbYcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA
-wHThDRsXJunKbAapxmQ6bDxSvTvkLA6m97TXlsFgL+Q3Jrg9HoJCNowJ0pUTwhP2
-U946dCnSCkZck0fqkwVi4vJ5EQnkvyEbfN4W5qVsQKOFaFVzep6Qid4rZT6owWPa
-cNNzNcXAee3/j6hgr6OQ/i3J6fYR4YouYxYkjojYyg+CMdn6q8BoV0BTsHdnw1/N
-ScbnBHQIvIZMBDAmQueQZolgJcdOuBLYHe/kRy167z8nGg+PUFKIYOL8NaOU1+CJ
-t2YaEibVq5MRqCbRgnd9a2vG0jr5a3Mn4CUUYv+5qIjP3hUusYenW1/EWtn1s/gk
-zehNe5dFTjFpylg1o6b8Ow==
------END CERTIFICATE-----`
-	rootCAKeyPEM = `-----BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA7FMy+FO4hFzZiHFmmY/B6A/zpyCep9PWZfGLUDtDuprHbg2p
-t/TQjegMxC0AmWPZEHeG9FIJvT+WQXuLUG5v5MbG4zs21mqnYXwWAbTPaZ35bpp3
-BbbquXFtAqOZG8yfrob1g9OSgmY+bG3ZNxxv35qmbBbuWyUvmPwfjzEAclMxv48w
-/2Rs4dXkBuvc9PiNdQ9Sv+ZYG8GIqIcbRd38cSaXI4Q94BOHEr4jm1vqb54H7twv
-0Gy9CnLXfn7ZtEDFSmG8WLk2GvIna+UC+gnxSqKCw0rcTby63rQUCgdJZF8VQUVi
-18+BMNLXI4pT/P9cxTaCJC/YeuV5a3SaniOoFQIDAQABAoIBAQCoGZJC84JnnIgb
-ttZNWuWKBXbCJcDVDikOQJ9hBZbqsFg1X0CfGmQS3MHf9Ubc1Ro8zVjQh15oIEfn
-8lIpdzTeXcpxLdiW8ix3ekVJF20F6pnXY8ZP6UnTeOwamXY6QPZAtb0D9UXcvY+f
-nw+IVRD6082XS0Rmzu+peYWVXDy+FDN+HJRANBcdJZz8gOmNBIe0qDWx1b85d/s8
-2Kk1Wwdss1IwAGeSddTSwzBNaaHdItZaMZOqPW1gRyBfVSkcUQIE6zn2RKw2b70t
-grkIvyRcTdfmiKbqkkJ+eR+ITOUt0cBZSH4cDjlQA+r7hulvoBpQBRj068Toxkcc
-bTagHaPBAoGBAPWPGVkHqhTbJ/DjmqDIStxby2M1fhhHt4xUGHinhUYjQjGOtDQ9
-0mfaB7HObudRiSLydRAVGAHGyNJdQcTeFxeQbovwGiYKfZSA1IGpea7dTxPpGEdN
-ksA0pzSp9MfKzX/MdLuAkEtO58aAg5YzsgX9hDNxo4MhH/gremZhEGZlAoGBAPZf
-lqdYvAL0fjHGJ1FUEalhzGCGE9PH2iOqsxqLCXK7bDbzYSjvuiHkhYJHAOgVdiW1
-lB34UHHYAqZ1VVoFqJ05gax6DE2+r7K5VV3FUCaC0Zm3pavxchU9R/TKP82xRrBj
-AFWwdgDTxUyvQEmgPR9sqorftO71Iz2tiwyTpIfxAoGBAIhEMLzHFAse0rtKkrRG
-ccR27BbRyHeQ1Lp6sFnEHKEfT8xQdI/I/snCpCJ3e/PBu2g5Q9z416mktiyGs8ib
-thTNgYsGYnxZtfaCx2pssanoBcn2wBJRae5fSapf5gY49HDG9MBYR7qCvvvYtSzU
-4yWP2ZzyotpRt3vwJKxLkN5BAoGAORHpZvhiDNkvxj3da7Rqpu7VleJZA2y+9hYb
-iOF+HcqWhaAY+I+XcTRrTMM/zYLzLEcEeXDEyao86uwxCjpXVZw1kotvAC9UqbTO
-tnr3VwRkoxPsV4kFYTAh0+1pnC8dbcxxDmhi3Uww3tOVs7hfkEDuvF6XnebA9A+Y
-LyCgMzECgYEA6cCU8QODOivIKWFRXucvWckgE6MYDBaAwe6qcLsd1Q/gpE2e3yQc
-4RB3bcyiPROLzMLlXFxf1vSNJQdIaVfrRv+zJeGIiivLPU8+Eq4Lrb+tl1LepcOX
-OzQeADTSCn5VidOfjDkIst9UXjMlrFfV9/oJEw5Eiqa6lkNPCGDhfA8=
------END RSA PRIVATE KEY-----`
-)
-
-func TestPKI_RequireCN(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-
-	resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
-		"common_name": "myvault.com",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp == nil {
-		t.Fatal("expected ca info")
-	}
-
-	// Create a role which does require CN (default)
-	_, err = CBWrite(b, s, "roles/example", map[string]interface{}{
-		"allowed_domains":    "foobar.com,zipzap.com,abc.com,xyz.com",
-		"allow_bare_domains": true,
-		"allow_subdomains":   true,
-		"max_ttl":            "2h",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Issue a cert with require_cn set to true and with common name supplied.
-	// It should succeed.
-	resp, err = CBWrite(b, s, "issue/example", map[string]interface{}{
-		"common_name": "foobar.com",
-	})
-	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("issue/example"), logical.UpdateOperation), resp, true)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Issue a cert with require_cn set to true and with out supplying the
-	// common name. It should error out.
-	_, err = CBWrite(b, s, "issue/example", map[string]interface{}{})
-	if err == nil {
-		t.Fatalf("expected an error due to missing common_name")
-	}
-
-	// Modify the role to make the common name optional
-	_, err = CBWrite(b, s, "roles/example", map[string]interface{}{
-		"allowed_domains":    "foobar.com,zipzap.com,abc.com,xyz.com",
-		"allow_bare_domains": true,
-		"allow_subdomains":   true,
-		"max_ttl":            "2h",
-		"require_cn":         false,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Issue a cert with require_cn set to false and without supplying the
-	// common name. It should succeed.
-	resp, err = CBWrite(b, s, "issue/example", map[string]interface{}{})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if resp.Data["certificate"] == "" {
-		t.Fatalf("expected a cert to be generated")
-	}
-
-	// Issue a cert with require_cn set to false and with a common name. It
-	// should succeed.
-	resp, err = CBWrite(b, s, "issue/example", map[string]interface{}{})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if resp.Data["certificate"] == "" {
-		t.Fatalf("expected a cert to be generated")
-	}
-}
-
-func TestPKI_DeviceCert(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-
-	resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
-		"common_name":         "myvault.com",
-		"not_after":           "9999-12-31T23:59:59Z",
-		"not_before_duration": "2h",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp == nil {
-		t.Fatal("expected ca info")
-	}
-	var certBundle certutil.CertBundle
-	err = mapstructure.Decode(resp.Data, &certBundle)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	parsedCertBundle, err := certBundle.ToParsedCertBundle()
-	if err != nil {
-		t.Fatal(err)
-	}
-	cert := parsedCertBundle.Certificate
-	notAfter := cert.NotAfter.Format(time.RFC3339)
-	if notAfter != "9999-12-31T23:59:59Z" {
-		t.Fatalf("not after from certificate: %v is not matching with input parameter: %v", cert.NotAfter, "9999-12-31T23:59:59Z")
-	}
-	if math.Abs(float64(time.Now().Add(-2*time.Hour).Unix()-cert.NotBefore.Unix())) > 10 {
-		t.Fatalf("root/generate/internal did not properly set validity period (notBefore): was %v vs expected %v", cert.NotBefore, time.Now().Add(-2*time.Hour))
-	}
-
-	// Create a role which does require CN (default)
-	_, err = CBWrite(b, s, "roles/example", map[string]interface{}{
-		"allowed_domains":    "foobar.com,zipzap.com,abc.com,xyz.com",
-		"allow_bare_domains": true,
-		"allow_subdomains":   true,
-		"not_after":          "9999-12-31T23:59:59Z",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Issue a cert with require_cn set to true and with common name supplied.
-	// It should succeed.
-	resp, err = CBWrite(b, s, "issue/example", map[string]interface{}{
-		"common_name": "foobar.com",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	err = mapstructure.Decode(resp.Data, &certBundle)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	parsedCertBundle, err = certBundle.ToParsedCertBundle()
-	if err != nil {
-		t.Fatal(err)
-	}
-	cert = parsedCertBundle.Certificate
-	notAfter = cert.NotAfter.Format(time.RFC3339)
-	if notAfter != "9999-12-31T23:59:59Z" {
-		t.Fatal(fmt.Errorf("not after from certificate  is not matching with input parameter"))
-	}
-}
-
-func TestBackend_InvalidParameter(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-
-	_, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
-		"common_name": "myvault.com",
-		"not_after":   "9999-12-31T23:59:59Z",
-		"ttl":         "25h",
-	})
-	if err == nil {
-		t.Fatal(err)
-	}
-
-	_, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
-		"common_name": "myvault.com",
-		"not_after":   "9999-12-31T23:59:59",
-	})
-	if err == nil {
-		t.Fatal(err)
-	}
-}
-
-func TestBackend_CSRValues(t *testing.T) {
-	t.Parallel()
-	initTest.Do(setCerts)
-	b, _ := CreateBackendWithStorage(t)
-
-	testCase := logicaltest.TestCase{
-		LogicalBackend: b,
-		Steps:          []logicaltest.TestStep{},
-	}
-
-	intdata := map[string]interface{}{}
-	reqdata := map[string]interface{}{}
-	testCase.Steps = append(testCase.Steps, generateCSRSteps(t, ecCACert, ecCAKey, intdata, reqdata)...)
-
-	logicaltest.Test(t, testCase)
-}
-
-func TestBackend_URLsCRUD(t *testing.T) {
-	t.Parallel()
-	initTest.Do(setCerts)
-	b, _ := CreateBackendWithStorage(t)
-
-	testCase := logicaltest.TestCase{
-		LogicalBackend: b,
-		Steps:          []logicaltest.TestStep{},
-	}
-
-	intdata := map[string]interface{}{}
-	reqdata := map[string]interface{}{}
-	testCase.Steps = append(testCase.Steps, generateURLSteps(t, ecCACert, ecCAKey, intdata, reqdata)...)
-
-	logicaltest.Test(t, testCase)
-}
-
-// Generates and tests steps that walk through the various possibilities
-// of role flags to ensure that they are properly restricted
-func TestBackend_Roles(t *testing.T) {
-	t.Parallel()
-	cases := []struct {
-		name      string
-		key, cert *string
-		useCSR    bool
-	}{
-		{"RSA", &rsaCAKey, &rsaCACert, false},
-		{"RSACSR", &rsaCAKey, &rsaCACert, true},
-		{"EC", &ecCAKey, &ecCACert, false},
-		{"ECCSR", &ecCAKey, &ecCACert, true},
-		{"ED", &edCAKey, &edCACert, false},
-		{"EDCSR", &edCAKey, &edCACert, true},
-	}
-
-	for _, tc := range cases {
-		tc := tc
-
-		t.Run(tc.name, func(t *testing.T) {
-			initTest.Do(setCerts)
-			b, _ := CreateBackendWithStorage(t)
-
-			testCase := logicaltest.TestCase{
-				LogicalBackend: b,
-				Steps: []logicaltest.TestStep{
-					{
-						Operation: logical.UpdateOperation,
-						Path:      "config/ca",
-						Data: map[string]interface{}{
-							"pem_bundle": *tc.key + "\n" + *tc.cert,
-						},
-					},
-				},
-			}
-
-			testCase.Steps = append(testCase.Steps, generateRoleSteps(t, tc.useCSR)...)
-			if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
-				for i, v := range testCase.Steps {
-					data := map[string]interface{}{}
-					var keys []string
-					for k := range v.Data {
-						keys = append(keys, k)
-					}
-					sort.Strings(keys)
-					for _, k := range keys {
-						interf := v.Data[k]
-						switch v := interf.(type) {
-						case bool:
-							if !v {
-								continue
-							}
-						case int:
-							if v == 0 {
-								continue
-							}
-						case []string:
-							if len(v) == 0 {
-								continue
-							}
-						case string:
-							if v == "" {
-								continue
-							}
-							lines := strings.Split(v, "\n")
-							if len(lines) > 1 {
-								data[k] = lines[0] + " ... (truncated)"
-								continue
-							}
-						}
-						data[k] = interf
-
-					}
-					t.Logf("Step %d:\n%s %s err=%v %+v\n\n", i+1, v.Operation, v.Path, v.ErrorOk, data)
-				}
-			}
-
-			logicaltest.Test(t, testCase)
-		})
-	}
-}
-
-// Performs some validity checking on the returned bundles
-func checkCertsAndPrivateKey(keyType string, key crypto.Signer, usage x509.KeyUsage, extUsage x509.ExtKeyUsage, validity time.Duration, certBundle *certutil.CertBundle) (*certutil.ParsedCertBundle, error) {
-	parsedCertBundle, err := certBundle.ToParsedCertBundle()
-	if err != nil {
-		return nil, fmt.Errorf("error parsing cert bundle: %s", err)
-	}
-
-	if key != nil {
-		switch keyType {
-		case "rsa":
-			parsedCertBundle.PrivateKeyType = certutil.RSAPrivateKey
-			parsedCertBundle.PrivateKey = key
-			parsedCertBundle.PrivateKeyBytes = x509.MarshalPKCS1PrivateKey(key.(*rsa.PrivateKey))
-		case "ec":
-			parsedCertBundle.PrivateKeyType = certutil.ECPrivateKey
-			parsedCertBundle.PrivateKey = key
-			parsedCertBundle.PrivateKeyBytes, err = x509.MarshalECPrivateKey(key.(*ecdsa.PrivateKey))
-			if err != nil {
-				return nil, fmt.Errorf("error parsing EC key: %s", err)
-			}
-		case "ed25519":
-			parsedCertBundle.PrivateKeyType = certutil.Ed25519PrivateKey
-			parsedCertBundle.PrivateKey = key
-			parsedCertBundle.PrivateKeyBytes, err = x509.MarshalPKCS8PrivateKey(key.(ed25519.PrivateKey))
-			if err != nil {
-				return nil, fmt.Errorf("error parsing Ed25519 key: %s", err)
-			}
-		}
-	}
-
-	switch {
-	case parsedCertBundle.Certificate == nil:
-		return nil, fmt.Errorf("did not find a certificate in the cert bundle")
-	case len(parsedCertBundle.CAChain) == 0 || parsedCertBundle.CAChain[0].Certificate == nil:
-		return nil, fmt.Errorf("did not find a CA in the cert bundle")
-	case parsedCertBundle.PrivateKey == nil:
-		return nil, fmt.Errorf("did not find a private key in the cert bundle")
-	case parsedCertBundle.PrivateKeyType == certutil.UnknownPrivateKey:
-		return nil, fmt.Errorf("could not figure out type of private key")
-	}
-
-	switch {
-	case parsedCertBundle.PrivateKeyType == certutil.Ed25519PrivateKey && keyType != "ed25519":
-		fallthrough
-	case parsedCertBundle.PrivateKeyType == certutil.RSAPrivateKey && keyType != "rsa":
-		fallthrough
-	case parsedCertBundle.PrivateKeyType == certutil.ECPrivateKey && keyType != "ec":
-		return nil, fmt.Errorf("given key type does not match type found in bundle")
-	}
-
-	cert := parsedCertBundle.Certificate
-
-	if usage != cert.KeyUsage {
-		return nil, fmt.Errorf("expected usage of %#v, got %#v; ext usage is %#v", usage, cert.KeyUsage, cert.ExtKeyUsage)
-	}
-
-	// There should only be one ext usage type, because only one is requested
-	// in the tests
-	if len(cert.ExtKeyUsage) != 1 {
-		return nil, fmt.Errorf("got wrong size key usage in generated cert; expected 1, values are %#v", cert.ExtKeyUsage)
-	}
-	switch extUsage {
-	case x509.ExtKeyUsageEmailProtection:
-		if cert.ExtKeyUsage[0] != x509.ExtKeyUsageEmailProtection {
-			return nil, fmt.Errorf("bad extended key usage")
-		}
-	case x509.ExtKeyUsageServerAuth:
-		if cert.ExtKeyUsage[0] != x509.ExtKeyUsageServerAuth {
-			return nil, fmt.Errorf("bad extended key usage")
-		}
-	case x509.ExtKeyUsageClientAuth:
-		if cert.ExtKeyUsage[0] != x509.ExtKeyUsageClientAuth {
-			return nil, fmt.Errorf("bad extended key usage")
-		}
-	case x509.ExtKeyUsageCodeSigning:
-		if cert.ExtKeyUsage[0] != x509.ExtKeyUsageCodeSigning {
-			return nil, fmt.Errorf("bad extended key usage")
-		}
-	}
-
-	// TODO: We incremented 20->25 due to CircleCI execution
-	// being slow and pausing this test. We might consider recording the
-	// actual issuance time of the cert and calculating the expected
-	// validity period +/- fuzz, but that'd require recording and passing
-	// through more information.
-	if math.Abs(float64(time.Now().Add(validity).Unix()-cert.NotAfter.Unix())) > 25 {
-		return nil, fmt.Errorf("certificate validity end: %s; expected within 25 seconds of %s", cert.NotAfter.Format(time.RFC3339), time.Now().Add(validity).Format(time.RFC3339))
-	}
-
-	return parsedCertBundle, nil
-}
-
-func generateURLSteps(t *testing.T, caCert, caKey string, intdata, reqdata map[string]interface{}) []logicaltest.TestStep {
-	expected := certutil.URLEntries{
-		IssuingCertificates: []string{
-			"http://example.com/ca1",
-			"http://example.com/ca2",
-		},
-		CRLDistributionPoints: []string{
-			"http://example.com/crl1",
-			"http://example.com/crl2",
-		},
-		OCSPServers: []string{
-			"http://example.com/ocsp1",
-			"http://example.com/ocsp2",
-		},
-	}
-	csrTemplate := x509.CertificateRequest{
-		Subject: pkix.Name{
-			CommonName: "my@example.com",
-		},
-	}
-
-	priv1024, _ := rsa.GenerateKey(rand.Reader, 1024)
-	csr1024, _ := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, priv1024)
-	csrPem1024 := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{
-		Type:  "CERTIFICATE REQUEST",
-		Bytes: csr1024,
-	})))
-
-	priv2048, _ := rsa.GenerateKey(rand.Reader, 2048)
-	csr2048, _ := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, priv2048)
-	csrPem2048 := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{
-		Type:  "CERTIFICATE REQUEST",
-		Bytes: csr2048,
-	})))
-
-	ret := []logicaltest.TestStep{
-		{
-			Operation: logical.UpdateOperation,
-			Path:      "root/generate/exported",
-			Data: map[string]interface{}{
-				"common_name": "Root Cert",
-				"ttl":         "180h",
-			},
-			Check: func(resp *logical.Response) error {
-				if resp.Secret != nil && resp.Secret.LeaseID != "" {
-					return fmt.Errorf("root returned with a lease")
-				}
-				return nil
-			},
-		},
-
-		{
-			Operation: logical.UpdateOperation,
-			Path:      "config/urls",
-			Data: map[string]interface{}{
-				"issuing_certificates":    strings.Join(expected.IssuingCertificates, ","),
-				"crl_distribution_points": strings.Join(expected.CRLDistributionPoints, ","),
-				"ocsp_servers":            strings.Join(expected.OCSPServers, ","),
-			},
-		},
-
-		{
-			Operation: logical.ReadOperation,
-			Path:      "config/urls",
-			Check: func(resp *logical.Response) error {
-				if resp.Data == nil {
-					return fmt.Errorf("no data returned")
-				}
-				var entries certutil.URLEntries
-				err := mapstructure.Decode(resp.Data, &entries)
-				if err != nil {
-					return err
-				}
-				if !reflect.DeepEqual(entries, expected) {
-					return fmt.Errorf("expected urls\n%#v\ndoes not match provided\n%#v\n", expected, entries)
-				}
-
-				return nil
-			},
-		},
-
-		{
-			Operation: logical.UpdateOperation,
-			Path:      "root/sign-intermediate",
-			Data: map[string]interface{}{
-				"common_name": "intermediate.cert.com",
-				"csr":         csrPem1024,
-				"format":      "der",
-			},
-			ErrorOk: true,
-			Check: func(resp *logical.Response) error {
-				if !resp.IsError() {
-					return fmt.Errorf("expected an error response but did not get one")
-				}
-				if !strings.Contains(resp.Data["error"].(string), "2048") {
-					return fmt.Errorf("received an error but not about a 1024-bit key, error was: %s", resp.Data["error"].(string))
-				}
-
-				return nil
-			},
-		},
-
-		{
-			Operation: logical.UpdateOperation,
-			Path:      "root/sign-intermediate",
-			Data: map[string]interface{}{
-				"common_name":         "intermediate.cert.com",
-				"csr":                 csrPem2048,
-				"signature_bits":      512,
-				"format":              "der",
-				"not_before_duration": "2h",
-				// Let's Encrypt -- R3 SKID
-				"skid": "14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6",
-			},
-			Check: func(resp *logical.Response) error {
-				certString := resp.Data["certificate"].(string)
-				if certString == "" {
-					return fmt.Errorf("no certificate returned")
-				}
-				if resp.Secret != nil && resp.Secret.LeaseID != "" {
-					return fmt.Errorf("signed intermediate returned with a lease")
-				}
-				certBytes, _ := base64.StdEncoding.DecodeString(certString)
-				certs, err := x509.ParseCertificates(certBytes)
-				if err != nil {
-					return fmt.Errorf("returned cert cannot be parsed: %w", err)
-				}
-				if len(certs) != 1 {
-					return fmt.Errorf("unexpected returned length of certificates: %d", len(certs))
-				}
-				cert := certs[0]
-
-				skid, _ := hex.DecodeString("142EB317B75856CBAE500940E61FAF9D8B14C2C6")
-
-				switch {
-				case !reflect.DeepEqual(expected.IssuingCertificates, cert.IssuingCertificateURL):
-					return fmt.Errorf("IssuingCertificateURL:\nexpected\n%#v\ngot\n%#v\n", expected.IssuingCertificates, cert.IssuingCertificateURL)
-				case !reflect.DeepEqual(expected.CRLDistributionPoints, cert.CRLDistributionPoints):
-					return fmt.Errorf("CRLDistributionPoints:\nexpected\n%#v\ngot\n%#v\n", expected.CRLDistributionPoints, cert.CRLDistributionPoints)
-				case !reflect.DeepEqual(expected.OCSPServers, cert.OCSPServer):
-					return fmt.Errorf("OCSPServer:\nexpected\n%#v\ngot\n%#v\n", expected.OCSPServers, cert.OCSPServer)
-				case !reflect.DeepEqual([]string{"intermediate.cert.com"}, cert.DNSNames):
-					return fmt.Errorf("DNSNames\nexpected\n%#v\ngot\n%#v\n", []string{"intermediate.cert.com"}, cert.DNSNames)
-				case !reflect.DeepEqual(x509.SHA512WithRSA, cert.SignatureAlgorithm):
-					return fmt.Errorf("Signature Algorithm:\nexpected\n%#v\ngot\n%#v\n", x509.SHA512WithRSA, cert.SignatureAlgorithm)
-				case !reflect.DeepEqual(skid, cert.SubjectKeyId):
-					return fmt.Errorf("SKID:\nexpected\n%#v\ngot\n%#v\n", skid, cert.SubjectKeyId)
-				}
-
-				if math.Abs(float64(time.Now().Add(-2*time.Hour).Unix()-cert.NotBefore.Unix())) > 10 {
-					t.Fatalf("root/sign-intermediate did not properly set validity period (notBefore): was %v vs expected %v", cert.NotBefore, time.Now().Add(-2*time.Hour))
-				}
-
-				return nil
-			},
-		},
-
-		// Same as above but exclude adding to sans
-		{
-			Operation: logical.UpdateOperation,
-			Path:      "root/sign-intermediate",
-			Data: map[string]interface{}{
-				"common_name":          "intermediate.cert.com",
-				"csr":                  csrPem2048,
-				"format":               "der",
-				"exclude_cn_from_sans": true,
-			},
-			Check: func(resp *logical.Response) error {
-				certString := resp.Data["certificate"].(string)
-				if certString == "" {
-					return fmt.Errorf("no certificate returned")
-				}
-				if resp.Secret != nil && resp.Secret.LeaseID != "" {
-					return fmt.Errorf("signed intermediate returned with a lease")
-				}
-				certBytes, _ := base64.StdEncoding.DecodeString(certString)
-				certs, err := x509.ParseCertificates(certBytes)
-				if err != nil {
-					return fmt.Errorf("returned cert cannot be parsed: %w", err)
-				}
-				if len(certs) != 1 {
-					return fmt.Errorf("unexpected returned length of certificates: %d", len(certs))
-				}
-				cert := certs[0]
-
-				switch {
-				case !reflect.DeepEqual(expected.IssuingCertificates, cert.IssuingCertificateURL):
-					return fmt.Errorf("expected\n%#v\ngot\n%#v\n", expected.IssuingCertificates, cert.IssuingCertificateURL)
-				case !reflect.DeepEqual(expected.CRLDistributionPoints, cert.CRLDistributionPoints):
-					return fmt.Errorf("expected\n%#v\ngot\n%#v\n", expected.CRLDistributionPoints, cert.CRLDistributionPoints)
-				case !reflect.DeepEqual(expected.OCSPServers, cert.OCSPServer):
-					return fmt.Errorf("expected\n%#v\ngot\n%#v\n", expected.OCSPServers, cert.OCSPServer)
-				case !reflect.DeepEqual([]string(nil), cert.DNSNames):
-					return fmt.Errorf("expected\n%#v\ngot\n%#v\n", []string(nil), cert.DNSNames)
-				}
-
-				return nil
-			},
-		},
-	}
-	return ret
-}
-
-func generateCSR(t *testing.T, csrTemplate *x509.CertificateRequest, keyType string, keyBits int) (interface{}, []byte, string) {
-	t.Helper()
-
-	var priv interface{}
-	var err error
-	switch keyType {
-	case "rsa":
-		priv, err = rsa.GenerateKey(rand.Reader, keyBits)
-	case "ec":
-		switch keyBits {
-		case 224:
-			priv, err = ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
-		case 256:
-			priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-		case 384:
-			priv, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
-		case 521:
-			priv, err = ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
-		default:
-			t.Fatalf("Got unknown ec< key bits: %v", keyBits)
-		}
-	case "ed25519":
-		_, priv, err = ed25519.GenerateKey(rand.Reader)
-	}
-
-	if err != nil {
-		t.Fatalf("Got error generating private key for CSR: %v", err)
-	}
-
-	csr, err := x509.CreateCertificateRequest(rand.Reader, csrTemplate, priv)
-	if err != nil {
-		t.Fatalf("Got error generating CSR: %v", err)
-	}
-
-	csrPem := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{
-		Type:  "CERTIFICATE REQUEST",
-		Bytes: csr,
-	})))
-
-	return priv, csr, csrPem
-}
-
-func generateCSRSteps(t *testing.T, caCert, caKey string, intdata, reqdata map[string]interface{}) []logicaltest.TestStep {
-	csrTemplate, csrPem := generateTestCsr(t, certutil.RSAPrivateKey, 2048)
-
-	ret := []logicaltest.TestStep{
-		{
-			Operation: logical.UpdateOperation,
-			Path:      "root/generate/exported",
-			Data: map[string]interface{}{
-				"common_name":     "Root Cert",
-				"ttl":             "180h",
-				"max_path_length": 0,
-			},
-		},
-
-		{
-			Operation: logical.UpdateOperation,
-			Path:      "root/sign-intermediate",
-			Data: map[string]interface{}{
-				"use_csr_values": true,
-				"csr":            csrPem,
-				"format":         "der",
-			},
-			ErrorOk: true,
-		},
-
-		{
-			Operation: logical.DeleteOperation,
-			Path:      "root",
-		},
-
-		{
-			Operation: logical.UpdateOperation,
-			Path:      "root/generate/exported",
-			Data: map[string]interface{}{
-				"common_name":     "Root Cert",
-				"ttl":             "180h",
-				"max_path_length": 1,
-			},
-		},
-
-		{
-			Operation: logical.UpdateOperation,
-			Path:      "root/sign-intermediate",
-			Data: map[string]interface{}{
-				"use_csr_values": true,
-				"csr":            csrPem,
-				"format":         "der",
-			},
-			Check: func(resp *logical.Response) error {
-				certString := resp.Data["certificate"].(string)
-				if certString == "" {
-					return fmt.Errorf("no certificate returned")
-				}
-				certBytes, _ := base64.StdEncoding.DecodeString(certString)
-				certs, err := x509.ParseCertificates(certBytes)
-				if err != nil {
-					return fmt.Errorf("returned cert cannot be parsed: %w", err)
-				}
-				if len(certs) != 1 {
-					return fmt.Errorf("unexpected returned length of certificates: %d", len(certs))
-				}
-				cert := certs[0]
-
-				if cert.MaxPathLen != 0 {
-					return fmt.Errorf("max path length of %d does not match the requested of 3", cert.MaxPathLen)
-				}
-				if !cert.MaxPathLenZero {
-					return fmt.Errorf("max path length zero is not set")
-				}
-
-				// We need to set these as they are filled in with unparsed values in the final cert
-				csrTemplate.Subject.Names = cert.Subject.Names
-				csrTemplate.Subject.ExtraNames = cert.Subject.ExtraNames
-
-				switch {
-				case !reflect.DeepEqual(cert.Subject, csrTemplate.Subject):
-					return fmt.Errorf("cert subject\n%#v\ndoes not match csr subject\n%#v\n", cert.Subject, csrTemplate.Subject)
-				case !reflect.DeepEqual(cert.DNSNames, csrTemplate.DNSNames):
-					return fmt.Errorf("cert dns names\n%#v\ndoes not match csr dns names\n%#v\n", cert.DNSNames, csrTemplate.DNSNames)
-				case !reflect.DeepEqual(cert.EmailAddresses, csrTemplate.EmailAddresses):
-					return fmt.Errorf("cert email addresses\n%#v\ndoes not match csr email addresses\n%#v\n", cert.EmailAddresses, csrTemplate.EmailAddresses)
-				case !reflect.DeepEqual(cert.IPAddresses, csrTemplate.IPAddresses):
-					return fmt.Errorf("cert ip addresses\n%#v\ndoes not match csr ip addresses\n%#v\n", cert.IPAddresses, csrTemplate.IPAddresses)
-				}
-				return nil
-			},
-		},
-	}
-	return ret
-}
-
-func generateTestCsr(t *testing.T, keyType certutil.PrivateKeyType, keyBits int) (x509.CertificateRequest, string) {
-	t.Helper()
-
-	csrTemplate := x509.CertificateRequest{
-		Subject: pkix.Name{
-			Country:      []string{"MyCountry"},
-			PostalCode:   []string{"MyPostalCode"},
-			SerialNumber: "MySerialNumber",
-			CommonName:   "my@example.com",
-		},
-		DNSNames: []string{
-			"name1.example.com",
-			"name2.example.com",
-			"name3.example.com",
-		},
-		EmailAddresses: []string{
-			"name1@example.com",
-			"name2@example.com",
-			"name3@example.com",
-		},
-		IPAddresses: []net.IP{
-			net.ParseIP("::ff:1:2:3:4"),
-			net.ParseIP("::ff:5:6:7:8"),
-		},
-	}
-
-	_, _, csrPem := generateCSR(t, &csrTemplate, string(keyType), keyBits)
-	return csrTemplate, csrPem
-}
-
-// Generates steps to test out various role permutations
-func generateRoleSteps(t *testing.T, useCSRs bool) []logicaltest.TestStep {
-	roleVals := roleEntry{
-		MaxTTL:                    12 * time.Hour,
-		KeyType:                   "rsa",
-		KeyBits:                   2048,
-		RequireCN:                 true,
-		AllowWildcardCertificates: new(bool),
-	}
-	*roleVals.AllowWildcardCertificates = true
-
-	issueVals := certutil.IssueData{}
-	ret := []logicaltest.TestStep{}
-
-	roleTestStep := logicaltest.TestStep{
-		Operation: logical.UpdateOperation,
-		Path:      "roles/test",
-	}
-	var issueTestStep logicaltest.TestStep
-	if useCSRs {
-		issueTestStep = logicaltest.TestStep{
-			Operation: logical.UpdateOperation,
-			Path:      "sign/test",
-		}
-	} else {
-		issueTestStep = logicaltest.TestStep{
-			Operation: logical.UpdateOperation,
-			Path:      "issue/test",
-		}
-	}
-
-	generatedRSAKeys := map[int]crypto.Signer{}
-	generatedECKeys := map[int]crypto.Signer{}
-	generatedEdKeys := map[int]crypto.Signer{}
-	/*
-		// For the number of tests being run, a seed of 1 has been tested
-		// to hit all of the various values below. However, for normal
-		// testing we use a randomized time for maximum fuzziness.
-	*/
-	var seed int64 = 1
-	fixedSeed := os.Getenv("VAULT_PKITESTS_FIXED_SEED")
-	if len(fixedSeed) == 0 {
-		seed = time.Now().UnixNano()
-	} else {
-		var err error
-		seed, err = strconv.ParseInt(fixedSeed, 10, 64)
-		if err != nil {
-			t.Fatalf("error parsing fixed seed of %s: %v", fixedSeed, err)
-		}
-	}
-	mathRand := mathrand.New(mathrand.NewSource(seed))
-	// t.Logf("seed under test: %v", seed)
-
-	// Used by tests not toggling common names to turn off the behavior of random key bit fuzziness
-	keybitSizeRandOff := false
-
-	genericErrorOkCheck := func(resp *logical.Response) error {
-		if resp.IsError() {
-			return nil
-		}
-		return fmt.Errorf("expected an error, but did not seem to get one")
-	}
-
-	// Adds tests with the currently configured issue/role information
-	addTests := func(testCheck logicaltest.TestCheckFunc) {
-		stepCount++
-		// t.Logf("test step %d\nrole vals: %#v\n", stepCount, roleVals)
-		stepCount++
-		// t.Logf("test step %d\nissue vals: %#v\n", stepCount, issueTestStep)
-		roleTestStep.Data = roleVals.ToResponseData()
-		roleTestStep.Data["generate_lease"] = false
-		ret = append(ret, roleTestStep)
-		issueTestStep.Data = structs.New(issueVals).Map()
-		switch {
-		case issueTestStep.ErrorOk:
-			issueTestStep.Check = genericErrorOkCheck
-		case testCheck != nil:
-			issueTestStep.Check = testCheck
-		default:
-			issueTestStep.Check = nil
-		}
-		ret = append(ret, issueTestStep)
-	}
-
-	getCountryCheck := func(role roleEntry) logicaltest.TestCheckFunc {
-		var certBundle certutil.CertBundle
-		return func(resp *logical.Response) error {
-			err := mapstructure.Decode(resp.Data, &certBundle)
-			if err != nil {
-				return err
-			}
-			parsedCertBundle, err := certBundle.ToParsedCertBundle()
-			if err != nil {
-				return fmt.Errorf("error checking generated certificate: %s", err)
-			}
-			cert := parsedCertBundle.Certificate
-
-			expected := strutil.RemoveDuplicates(role.Country, true)
-			if !reflect.DeepEqual(cert.Subject.Country, expected) {
-				return fmt.Errorf("error: returned certificate has Country of %s but %s was specified in the role", cert.Subject.Country, expected)
-			}
-			return nil
-		}
-	}
-
-	getOuCheck := func(role roleEntry) logicaltest.TestCheckFunc {
-		var certBundle certutil.CertBundle
-		return func(resp *logical.Response) error {
-			err := mapstructure.Decode(resp.Data, &certBundle)
-			if err != nil {
-				return err
-			}
-			parsedCertBundle, err := certBundle.ToParsedCertBundle()
-			if err != nil {
-				return fmt.Errorf("error checking generated certificate: %s", err)
-			}
-			cert := parsedCertBundle.Certificate
-
-			expected := strutil.RemoveDuplicatesStable(role.OU, true)
-			if !reflect.DeepEqual(cert.Subject.OrganizationalUnit, expected) {
-				return fmt.Errorf("error: returned certificate has OU of %s but %s was specified in the role", cert.Subject.OrganizationalUnit, expected)
-			}
-			return nil
-		}
-	}
-
-	getOrganizationCheck := func(role roleEntry) logicaltest.TestCheckFunc {
-		var certBundle certutil.CertBundle
-		return func(resp *logical.Response) error {
-			err := mapstructure.Decode(resp.Data, &certBundle)
-			if err != nil {
-				return err
-			}
-			parsedCertBundle, err := certBundle.ToParsedCertBundle()
-			if err != nil {
-				return fmt.Errorf("error checking generated certificate: %s", err)
-			}
-			cert := parsedCertBundle.Certificate
-
-			expected := strutil.RemoveDuplicates(role.Organization, true)
-			if !reflect.DeepEqual(cert.Subject.Organization, expected) {
-				return fmt.Errorf("error: returned certificate has Organization of %s but %s was specified in the role", cert.Subject.Organization, expected)
-			}
-			return nil
-		}
-	}
-
-	getLocalityCheck := func(role roleEntry) logicaltest.TestCheckFunc {
-		var certBundle certutil.CertBundle
-		return func(resp *logical.Response) error {
-			err := mapstructure.Decode(resp.Data, &certBundle)
-			if err != nil {
-				return err
-			}
-			parsedCertBundle, err := certBundle.ToParsedCertBundle()
-			if err != nil {
-				return fmt.Errorf("error checking generated certificate: %s", err)
-			}
-			cert := parsedCertBundle.Certificate
-
-			expected := strutil.RemoveDuplicates(role.Locality, true)
-			if !reflect.DeepEqual(cert.Subject.Locality, expected) {
-				return fmt.Errorf("error: returned certificate has Locality of %s but %s was specified in the role", cert.Subject.Locality, expected)
-			}
-			return nil
-		}
-	}
-
-	getProvinceCheck := func(role roleEntry) logicaltest.TestCheckFunc {
-		var certBundle certutil.CertBundle
-		return func(resp *logical.Response) error {
-			err := mapstructure.Decode(resp.Data, &certBundle)
-			if err != nil {
-				return err
-			}
-			parsedCertBundle, err := certBundle.ToParsedCertBundle()
-			if err != nil {
-				return fmt.Errorf("error checking generated certificate: %s", err)
-			}
-			cert := parsedCertBundle.Certificate
-
-			expected := strutil.RemoveDuplicates(role.Province, true)
-			if !reflect.DeepEqual(cert.Subject.Province, expected) {
-				return fmt.Errorf("error: returned certificate has Province of %s but %s was specified in the role", cert.Subject.Province, expected)
-			}
-			return nil
-		}
-	}
-
-	getStreetAddressCheck := func(role roleEntry) logicaltest.TestCheckFunc {
-		var certBundle certutil.CertBundle
-		return func(resp *logical.Response) error {
-			err := mapstructure.Decode(resp.Data, &certBundle)
-			if err != nil {
-				return err
-			}
-			parsedCertBundle, err := certBundle.ToParsedCertBundle()
-			if err != nil {
-				return fmt.Errorf("error checking generated certificate: %s", err)
-			}
-			cert := parsedCertBundle.Certificate
-
-			expected := strutil.RemoveDuplicates(role.StreetAddress, true)
-			if !reflect.DeepEqual(cert.Subject.StreetAddress, expected) {
-				return fmt.Errorf("error: returned certificate has StreetAddress of %s but %s was specified in the role", cert.Subject.StreetAddress, expected)
-			}
-			return nil
-		}
-	}
-
-	getPostalCodeCheck := func(role roleEntry) logicaltest.TestCheckFunc {
-		var certBundle certutil.CertBundle
-		return func(resp *logical.Response) error {
-			err := mapstructure.Decode(resp.Data, &certBundle)
-			if err != nil {
-				return err
-			}
-			parsedCertBundle, err := certBundle.ToParsedCertBundle()
-			if err != nil {
-				return fmt.Errorf("error checking generated certificate: %s", err)
-			}
-			cert := parsedCertBundle.Certificate
-
-			expected := strutil.RemoveDuplicates(role.PostalCode, true)
-			if !reflect.DeepEqual(cert.Subject.PostalCode, expected) {
-				return fmt.Errorf("error: returned certificate has PostalCode of %s but %s was specified in the role", cert.Subject.PostalCode, expected)
-			}
-			return nil
-		}
-	}
-
-	getNotBeforeCheck := func(role roleEntry) logicaltest.TestCheckFunc {
-		var certBundle certutil.CertBundle
-		return func(resp *logical.Response) error {
-			err := mapstructure.Decode(resp.Data, &certBundle)
-			if err != nil {
-				return err
-			}
-			parsedCertBundle, err := certBundle.ToParsedCertBundle()
-			if err != nil {
-				return fmt.Errorf("error checking generated certificate: %s", err)
-			}
-			cert := parsedCertBundle.Certificate
-
-			actualDiff := time.Since(cert.NotBefore)
-			certRoleDiff := (role.NotBeforeDuration - actualDiff).Truncate(time.Second)
-			// These times get truncated, so give a 1 second buffer on each side
-			if certRoleDiff >= -1*time.Second && certRoleDiff <= 1*time.Second {
-				return nil
-			}
-			return fmt.Errorf("validity period out of range diff: %v", certRoleDiff)
-		}
-	}
-
-	// Returns a TestCheckFunc that performs various validity checks on the
-	// returned certificate information, mostly within checkCertsAndPrivateKey
-	getCnCheck := func(name string, role roleEntry, key crypto.Signer, usage x509.KeyUsage, extUsage x509.ExtKeyUsage, validity time.Duration) logicaltest.TestCheckFunc {
-		var certBundle certutil.CertBundle
-		return func(resp *logical.Response) error {
-			err := mapstructure.Decode(resp.Data, &certBundle)
-			if err != nil {
-				return err
-			}
-			parsedCertBundle, err := checkCertsAndPrivateKey(role.KeyType, key, usage, extUsage, validity, &certBundle)
-			if err != nil {
-				return fmt.Errorf("error checking generated certificate: %s", err)
-			}
-			cert := parsedCertBundle.Certificate
-			if cert.Subject.CommonName != name {
-				return fmt.Errorf("error: returned certificate has CN of %s but %s was requested", cert.Subject.CommonName, name)
-			}
-			if strings.Contains(cert.Subject.CommonName, "@") {
-				if len(cert.DNSNames) != 0 || len(cert.EmailAddresses) != 1 {
-					return fmt.Errorf("error: found more than one DNS SAN or not one Email SAN but only one was requested, cert.DNSNames = %#v, cert.EmailAddresses = %#v", cert.DNSNames, cert.EmailAddresses)
-				}
-			} else {
-				if len(cert.DNSNames) != 1 || len(cert.EmailAddresses) != 0 {
-					return fmt.Errorf("error: found more than one Email SAN or not one DNS SAN but only one was requested, cert.DNSNames = %#v, cert.EmailAddresses = %#v", cert.DNSNames, cert.EmailAddresses)
-				}
-			}
-			var retName string
-			if len(cert.DNSNames) > 0 {
-				retName = cert.DNSNames[0]
-			}
-			if len(cert.EmailAddresses) > 0 {
-				retName = cert.EmailAddresses[0]
-			}
-			if retName != name {
-				// Check IDNA
-				p := idna.New(
-					idna.StrictDomainName(true),
-					idna.VerifyDNSLength(true),
-				)
-				converted, err := p.ToUnicode(retName)
-				if err != nil {
-					t.Fatal(err)
-				}
-				if converted != name {
-					return fmt.Errorf("error: returned certificate has a DNS SAN of %s (from idna: %s) but %s was requested", retName, converted, name)
-				}
-			}
-			return nil
-		}
-	}
-
-	type csrPlan struct {
-		errorOk     bool
-		roleKeyBits int
-		cert        string
-		privKey     crypto.Signer
-	}
-
-	getCsr := func(keyType string, keyBits int, csrTemplate *x509.CertificateRequest) (*pem.Block, crypto.Signer) {
-		var privKey crypto.Signer
-		var ok bool
-		switch keyType {
-		case "rsa":
-			privKey, ok = generatedRSAKeys[keyBits]
-			if !ok {
-				privKey, _ = rsa.GenerateKey(rand.Reader, keyBits)
-				generatedRSAKeys[keyBits] = privKey
-			}
-
-		case "ec":
-			var curve elliptic.Curve
-
-			switch keyBits {
-			case 224:
-				curve = elliptic.P224()
-			case 256:
-				curve = elliptic.P256()
-			case 384:
-				curve = elliptic.P384()
-			case 521:
-				curve = elliptic.P521()
-			}
-
-			privKey, ok = generatedECKeys[keyBits]
-			if !ok {
-				privKey, _ = ecdsa.GenerateKey(curve, rand.Reader)
-				generatedECKeys[keyBits] = privKey
-			}
-
-		case "ed25519":
-			privKey, ok = generatedEdKeys[keyBits]
-			if !ok {
-				_, privKey, _ = ed25519.GenerateKey(rand.Reader)
-				generatedEdKeys[keyBits] = privKey
-			}
-
-		default:
-			panic("invalid key type: " + keyType)
-		}
-
-		csr, err := x509.CreateCertificateRequest(rand.Reader, csrTemplate, privKey)
-		if err != nil {
-			t.Fatalf("Error creating certificate request: %s", err)
-		}
-		block := pem.Block{
-			Type:  "CERTIFICATE REQUEST",
-			Bytes: csr,
-		}
-		return &block, privKey
-	}
-
-	getRandCsr := func(keyType string, errorOk bool, csrTemplate *x509.CertificateRequest) csrPlan {
-		rsaKeyBits := []int{2048, 3072, 4096}
-		ecKeyBits := []int{224, 256, 384, 521}
-		plan := csrPlan{errorOk: errorOk}
-
-		var testBitSize int
-		switch keyType {
-		case "rsa":
-			plan.roleKeyBits = rsaKeyBits[mathRand.Int()%len(rsaKeyBits)]
-			testBitSize = plan.roleKeyBits
-
-			// If we don't expect an error already, randomly choose a
-			// key size and expect an error if it's less than the role
-			// setting
-			if !keybitSizeRandOff && !errorOk {
-				testBitSize = rsaKeyBits[mathRand.Int()%len(rsaKeyBits)]
-			}
-
-			if testBitSize < plan.roleKeyBits {
-				plan.errorOk = true
-			}
-
-		case "ec":
-			plan.roleKeyBits = ecKeyBits[mathRand.Int()%len(ecKeyBits)]
-			testBitSize = plan.roleKeyBits
-
-			// If we don't expect an error already, randomly choose a
-			// key size and expect an error if it's less than the role
-			// setting
-			if !keybitSizeRandOff && !errorOk {
-				testBitSize = ecKeyBits[mathRand.Int()%len(ecKeyBits)]
-			}
-
-			if testBitSize < plan.roleKeyBits {
-				plan.errorOk = true
-			}
-
-		default:
-			panic("invalid key type: " + keyType)
-		}
-		if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
-			t.Logf("roleKeyBits=%d testBitSize=%d errorOk=%v", plan.roleKeyBits, testBitSize, plan.errorOk)
-		}
-
-		block, privKey := getCsr(keyType, testBitSize, csrTemplate)
-		plan.cert = strings.TrimSpace(string(pem.EncodeToMemory(block)))
-		plan.privKey = privKey
-		return plan
-	}
-
-	// Common names to test with the various role flags toggled
-	var commonNames struct {
-		Localhost            bool `structs:"localhost"`
-		BareDomain           bool `structs:"example.com"`
-		SecondDomain         bool `structs:"foobar.com"`
-		SubDomain            bool `structs:"foo.example.com"`
-		Wildcard             bool `structs:"*.example.com"`
-		SubSubdomain         bool `structs:"foo.bar.example.com"`
-		SubSubdomainWildcard bool `structs:"*.bar.example.com"`
-		GlobDomain           bool `structs:"fooexample.com"`
-		IDN                  bool `structs:"daɪˈɛrɨsɨs"`
-		AnyHost              bool `structs:"porkslap.beer"`
-	}
-
-	// Adds a series of tests based on the current selection of
-	// allowed common names; contains some (seeded) randomness
-	//
-	// This allows for a variety of common names to be tested in various
-	// combinations with allowed toggles of the role
-	addCnTests := func() {
-		cnMap := structs.New(commonNames).Map()
-		for name, allowedInt := range cnMap {
-			roleVals.KeyType = "rsa"
-			roleVals.KeyBits = 2048
-			if mathRand.Int()%3 == 1 {
-				roleVals.KeyType = "ec"
-				roleVals.KeyBits = 224
-			}
-
-			roleVals.ServerFlag = false
-			roleVals.ClientFlag = false
-			roleVals.CodeSigningFlag = false
-			roleVals.EmailProtectionFlag = false
-
-			var usage []string
-			if mathRand.Int()%2 == 1 {
-				usage = append(usage, "DigitalSignature")
-			}
-			if mathRand.Int()%2 == 1 {
-				usage = append(usage, "ContentCoMmitment")
-			}
-			if mathRand.Int()%2 == 1 {
-				usage = append(usage, "KeyEncipherment")
-			}
-			if mathRand.Int()%2 == 1 {
-				usage = append(usage, "DataEncipherment")
-			}
-			if mathRand.Int()%2 == 1 {
-				usage = append(usage, "KeyAgreemEnt")
-			}
-			if mathRand.Int()%2 == 1 {
-				usage = append(usage, "CertSign")
-			}
-			if mathRand.Int()%2 == 1 {
-				usage = append(usage, "CRLSign")
-			}
-			if mathRand.Int()%2 == 1 {
-				usage = append(usage, "EncipherOnly")
-			}
-			if mathRand.Int()%2 == 1 {
-				usage = append(usage, "DecipherOnly")
-			}
-
-			roleVals.KeyUsage = usage
-			parsedKeyUsage := parseKeyUsages(roleVals.KeyUsage)
-			if parsedKeyUsage == 0 && len(usage) != 0 {
-				panic("parsed key usages was zero")
-			}
-
-			var extUsage x509.ExtKeyUsage
-			i := mathRand.Int() % 4
-			switch {
-			case i == 0:
-				// Punt on this for now since I'm not clear the actual proper
-				// way to format these
-				if name != "daɪˈɛrɨsɨs" {
-					extUsage = x509.ExtKeyUsageEmailProtection
-					roleVals.EmailProtectionFlag = true
-					break
-				}
-				fallthrough
-			case i == 1:
-				extUsage = x509.ExtKeyUsageServerAuth
-				roleVals.ServerFlag = true
-			case i == 2:
-				extUsage = x509.ExtKeyUsageClientAuth
-				roleVals.ClientFlag = true
-			default:
-				extUsage = x509.ExtKeyUsageCodeSigning
-				roleVals.CodeSigningFlag = true
-			}
-
-			allowed := allowedInt.(bool)
-			issueVals.CommonName = name
-			if roleVals.EmailProtectionFlag {
-				if !strings.HasPrefix(name, "*") {
-					issueVals.CommonName = "user@" + issueVals.CommonName
-				}
-			}
-
-			issueTestStep.ErrorOk = !allowed
-
-			validity := roleVals.MaxTTL
-
-			if useCSRs {
-				templ := &x509.CertificateRequest{
-					Subject: pkix.Name{
-						CommonName: issueVals.CommonName,
-					},
-				}
-				plan := getRandCsr(roleVals.KeyType, issueTestStep.ErrorOk, templ)
-				issueVals.CSR = plan.cert
-				roleVals.KeyBits = plan.roleKeyBits
-				issueTestStep.ErrorOk = plan.errorOk
-
-				addTests(getCnCheck(issueVals.CommonName, roleVals, plan.privKey, x509.KeyUsage(parsedKeyUsage), extUsage, validity))
-			} else {
-				addTests(getCnCheck(issueVals.CommonName, roleVals, nil, x509.KeyUsage(parsedKeyUsage), extUsage, validity))
-			}
-		}
-	}
-
-	funcs := []interface{}{
-		addCnTests, getCnCheck, getCountryCheck, getLocalityCheck, getNotBeforeCheck,
-		getOrganizationCheck, getOuCheck, getPostalCodeCheck, getRandCsr, getStreetAddressCheck,
-		getProvinceCheck,
-	}
-	if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
-		t.Logf("funcs=%d", len(funcs))
-	}
-
-	// Common Name tests
-	{
-		// common_name not provided
-		issueVals.CommonName = ""
-		issueTestStep.ErrorOk = true
-		addTests(nil)
-
-		// Nothing is allowed
-		addCnTests()
-
-		roleVals.AllowLocalhost = true
-		commonNames.Localhost = true
-		addCnTests()
-
-		roleVals.AllowedDomains = []string{"foobar.com"}
-		addCnTests()
-
-		roleVals.AllowedDomains = []string{"example.com"}
-		roleVals.AllowSubdomains = true
-		commonNames.SubDomain = true
-		commonNames.Wildcard = true
-		commonNames.SubSubdomain = true
-		commonNames.SubSubdomainWildcard = true
-		addCnTests()
-
-		roleVals.AllowedDomains = []string{"foobar.com", "example.com"}
-		commonNames.SecondDomain = true
-		roleVals.AllowBareDomains = true
-		commonNames.BareDomain = true
-		addCnTests()
-
-		roleVals.AllowedDomains = []string{"foobar.com", "*example.com"}
-		roleVals.AllowGlobDomains = true
-		commonNames.GlobDomain = true
-		addCnTests()
-
-		roleVals.AllowAnyName = true
-		roleVals.EnforceHostnames = true
-		commonNames.AnyHost = true
-		commonNames.IDN = true
-		addCnTests()
-
-		roleVals.EnforceHostnames = false
-		addCnTests()
-
-		// Ensure that we end up with acceptable key sizes since they won't be
-		// toggled any longer
-		keybitSizeRandOff = true
-		addCnTests()
-	}
-	// Country tests
-	{
-		roleVals.Country = []string{"foo"}
-		addTests(getCountryCheck(roleVals))
-
-		roleVals.Country = []string{"foo", "bar"}
-		addTests(getCountryCheck(roleVals))
-	}
-	// OU tests
-	{
-		roleVals.OU = []string{"foo"}
-		addTests(getOuCheck(roleVals))
-
-		roleVals.OU = []string{"bar", "foo"}
-		addTests(getOuCheck(roleVals))
-	}
-	// Organization tests
-	{
-		roleVals.Organization = []string{"system:masters"}
-		addTests(getOrganizationCheck(roleVals))
-
-		roleVals.Organization = []string{"foo", "bar"}
-		addTests(getOrganizationCheck(roleVals))
-	}
-	// Locality tests
-	{
-		roleVals.Locality = []string{"foo"}
-		addTests(getLocalityCheck(roleVals))
-
-		roleVals.Locality = []string{"foo", "bar"}
-		addTests(getLocalityCheck(roleVals))
-	}
-	// Province tests
-	{
-		roleVals.Province = []string{"foo"}
-		addTests(getProvinceCheck(roleVals))
-
-		roleVals.Province = []string{"foo", "bar"}
-		addTests(getProvinceCheck(roleVals))
-	}
-	// StreetAddress tests
-	{
-		roleVals.StreetAddress = []string{"123 foo street"}
-		addTests(getStreetAddressCheck(roleVals))
-
-		roleVals.StreetAddress = []string{"123 foo street", "456 bar avenue"}
-		addTests(getStreetAddressCheck(roleVals))
-	}
-	// PostalCode tests
-	{
-		roleVals.PostalCode = []string{"f00"}
-		addTests(getPostalCodeCheck(roleVals))
-
-		roleVals.PostalCode = []string{"f00", "b4r"}
-		addTests(getPostalCodeCheck(roleVals))
-	}
-	// NotBefore tests
-	{
-		roleVals.NotBeforeDuration = 10 * time.Second
-		addTests(getNotBeforeCheck(roleVals))
-
-		roleVals.NotBeforeDuration = 30 * time.Second
-		addTests(getNotBeforeCheck(roleVals))
-
-		roleVals.NotBeforeDuration = 0
-	}
-
-	// IP SAN tests
-	{
-		getIpCheck := func(expectedIp ...net.IP) logicaltest.TestCheckFunc {
-			return func(resp *logical.Response) error {
-				var certBundle certutil.CertBundle
-				err := mapstructure.Decode(resp.Data, &certBundle)
-				if err != nil {
-					return err
-				}
-				parsedCertBundle, err := certBundle.ToParsedCertBundle()
-				if err != nil {
-					return fmt.Errorf("error parsing cert bundle: %s", err)
-				}
-				cert := parsedCertBundle.Certificate
-				var expected []net.IP
-				expected = append(expected, expectedIp...)
-				if diff := deep.Equal(cert.IPAddresses, expected); len(diff) > 0 {
-					return fmt.Errorf("wrong SAN IPs, diff: %v", diff)
-				}
-				return nil
-			}
-		}
-		addIPSANTests := func(useCSRs, useCSRSANs, allowIPSANs, errorOk bool, ipSANs string, csrIPSANs []net.IP, check logicaltest.TestCheckFunc) {
-			if useCSRs {
-				csrTemplate := &x509.CertificateRequest{
-					Subject: pkix.Name{
-						CommonName: issueVals.CommonName,
-					},
-					IPAddresses: csrIPSANs,
-				}
-				block, _ := getCsr(roleVals.KeyType, roleVals.KeyBits, csrTemplate)
-				issueVals.CSR = strings.TrimSpace(string(pem.EncodeToMemory(block)))
-			}
-			oldRoleVals, oldIssueVals, oldIssueTestStep := roleVals, issueVals, issueTestStep
-			roleVals.UseCSRSANs = useCSRSANs
-			roleVals.AllowIPSANs = allowIPSANs
-			issueVals.CommonName = "someone@example.com"
-			issueVals.IPSANs = ipSANs
-			issueTestStep.ErrorOk = errorOk
-			addTests(check)
-			roleVals, issueVals, issueTestStep = oldRoleVals, oldIssueVals, oldIssueTestStep
-		}
-		roleVals.AllowAnyName = true
-		roleVals.EnforceHostnames = true
-		roleVals.AllowLocalhost = true
-		roleVals.UseCSRCommonName = true
-		commonNames.Localhost = true
-
-		netip1, netip2 := net.IP{127, 0, 0, 1}, net.IP{170, 171, 172, 173}
-		textip1, textip3 := "127.0.0.1", "::1"
-
-		// IPSANs not allowed and not provided, should not be an error.
-		addIPSANTests(useCSRs, false, false, false, "", nil, getIpCheck())
-
-		// IPSANs not allowed, valid IPSANs provided, should be an error.
-		addIPSANTests(useCSRs, false, false, true, textip1+","+textip3, nil, nil)
-
-		// IPSANs allowed, bogus IPSANs provided, should be an error.
-		addIPSANTests(useCSRs, false, true, true, "foobar", nil, nil)
-
-		// Given IPSANs as API argument and useCSRSANs false, CSR arg ignored.
-		addIPSANTests(useCSRs, false, true, false, textip1,
-			[]net.IP{netip2}, getIpCheck(netip1))
-
-		if useCSRs {
-			// IPSANs not allowed, valid IPSANs provided via CSR, should be an error.
-			addIPSANTests(useCSRs, true, false, true, "", []net.IP{netip1}, nil)
-
-			// Given IPSANs as both API and CSR arguments and useCSRSANs=true, API arg ignored.
-			addIPSANTests(useCSRs, true, true, false, textip3,
-				[]net.IP{netip1, netip2}, getIpCheck(netip1, netip2))
-		}
-	}
-
-	{
-		getOtherCheck := func(expectedOthers ...otherNameUtf8) logicaltest.TestCheckFunc {
-			return func(resp *logical.Response) error {
-				var certBundle certutil.CertBundle
-				err := mapstructure.Decode(resp.Data, &certBundle)
-				if err != nil {
-					return err
-				}
-				parsedCertBundle, err := certBundle.ToParsedCertBundle()
-				if err != nil {
-					return fmt.Errorf("error parsing cert bundle: %s", err)
-				}
-				cert := parsedCertBundle.Certificate
-				foundOthers, err := getOtherSANsFromX509Extensions(cert.Extensions)
-				if err != nil {
-					return err
-				}
-				var expected []otherNameUtf8
-				expected = append(expected, expectedOthers...)
-				if diff := deep.Equal(foundOthers, expected); len(diff) > 0 {
-					return fmt.Errorf("wrong SAN IPs, diff: %v", diff)
-				}
-				return nil
-			}
-		}
-
-		addOtherSANTests := func(useCSRs, useCSRSANs bool, allowedOtherSANs []string, errorOk bool, otherSANs []string, csrOtherSANs []otherNameUtf8, check logicaltest.TestCheckFunc) {
-			otherSansMap := func(os []otherNameUtf8) map[string][]string {
-				ret := make(map[string][]string)
-				for _, o := range os {
-					ret[o.oid] = append(ret[o.oid], o.value)
-				}
-				return ret
-			}
-			if useCSRs {
-				csrTemplate := &x509.CertificateRequest{
-					Subject: pkix.Name{
-						CommonName: issueVals.CommonName,
-					},
-				}
-				if err := handleOtherCSRSANs(csrTemplate, otherSansMap(csrOtherSANs)); err != nil {
-					t.Fatal(err)
-				}
-				block, _ := getCsr(roleVals.KeyType, roleVals.KeyBits, csrTemplate)
-				issueVals.CSR = strings.TrimSpace(string(pem.EncodeToMemory(block)))
-			}
-			oldRoleVals, oldIssueVals, oldIssueTestStep := roleVals, issueVals, issueTestStep
-			roleVals.UseCSRSANs = useCSRSANs
-			roleVals.AllowedOtherSANs = allowedOtherSANs
-			issueVals.CommonName = "someone@example.com"
-			issueVals.OtherSANs = strings.Join(otherSANs, ",")
-			issueTestStep.ErrorOk = errorOk
-			addTests(check)
-			roleVals, issueVals, issueTestStep = oldRoleVals, oldIssueVals, oldIssueTestStep
-		}
-		roleVals.AllowAnyName = true
-		roleVals.EnforceHostnames = true
-		roleVals.AllowLocalhost = true
-		roleVals.UseCSRCommonName = true
-		commonNames.Localhost = true
-
-		newOtherNameUtf8 := func(s string) (ret otherNameUtf8) {
-			pieces := strings.Split(s, ";")
-			if len(pieces) == 2 {
-				piecesRest := strings.Split(pieces[1], ":")
-				if len(piecesRest) == 2 {
-					switch strings.ToUpper(piecesRest[0]) {
-					case "UTF-8", "UTF8":
-						return otherNameUtf8{oid: pieces[0], value: piecesRest[1]}
-					}
-				}
-			}
-			t.Fatalf("error parsing otherName: %q", s)
-			return
-		}
-		oid1 := "1.3.6.1.4.1.311.20.2.3"
-		oth1str := oid1 + ";utf8:devops@nope.com"
-		oth1 := newOtherNameUtf8(oth1str)
-		oth2 := otherNameUtf8{oid1, "me@example.com"}
-		// allowNone, allowAll := []string{}, []string{oid1 + ";UTF-8:*"}
-		allowNone, allowAll := []string{}, []string{"*"}
-
-		// OtherSANs not allowed and not provided, should not be an error.
-		addOtherSANTests(useCSRs, false, allowNone, false, nil, nil, getOtherCheck())
-
-		// OtherSANs not allowed, valid OtherSANs provided, should be an error.
-		addOtherSANTests(useCSRs, false, allowNone, true, []string{oth1str}, nil, nil)
-
-		// OtherSANs allowed, bogus OtherSANs provided, should be an error.
-		addOtherSANTests(useCSRs, false, allowAll, true, []string{"foobar"}, nil, nil)
-
-		// Given OtherSANs as API argument and useCSRSANs false, CSR arg ignored.
-		addOtherSANTests(useCSRs, false, allowAll, false, []string{oth1str},
-			[]otherNameUtf8{oth2}, getOtherCheck(oth1))
-
-		if useCSRs {
-			// OtherSANs not allowed, valid OtherSANs provided via CSR, should be an error.
-			addOtherSANTests(useCSRs, true, allowNone, true, nil, []otherNameUtf8{oth1}, nil)
-
-			// Given OtherSANs as both API and CSR arguments and useCSRSANs=true, API arg ignored.
-			addOtherSANTests(useCSRs, false, allowAll, false, []string{oth2.String()},
-				[]otherNameUtf8{oth1}, getOtherCheck(oth2))
-		}
-	}
-
-	// Lease tests
-	{
-		roleTestStep.ErrorOk = true
-		roleVals.Lease = ""
-		roleVals.MaxTTL = 0
-		addTests(nil)
-
-		roleVals.Lease = "12h"
-		roleVals.MaxTTL = 6 * time.Hour
-		addTests(nil)
-
-		roleTestStep.ErrorOk = false
-		roleVals.TTL = 0
-		roleVals.MaxTTL = 12 * time.Hour
-	}
-
-	// Listing test
-	ret = append(ret, logicaltest.TestStep{
-		Operation: logical.ListOperation,
-		Path:      "roles/",
-		Check: func(resp *logical.Response) error {
-			if resp.Data == nil {
-				return fmt.Errorf("nil data")
-			}
-
-			keysRaw, ok := resp.Data["keys"]
-			if !ok {
-				return fmt.Errorf("no keys found")
-			}
-
-			keys, ok := keysRaw.([]string)
-			if !ok {
-				return fmt.Errorf("could not convert keys to a string list")
-			}
-
-			if len(keys) != 1 {
-				return fmt.Errorf("unexpected keys length of %d", len(keys))
-			}
-
-			if keys[0] != "test" {
-				return fmt.Errorf("unexpected key value of %s", keys[0])
-			}
-
-			return nil
-		},
-	})
-
-	return ret
-}
-
-func TestRolesAltIssuer(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-
-	// Create two issuers.
-	resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
-		"common_name": "root a - example.com",
-		"issuer_name": "root-a",
-		"key_type":    "ec",
-	})
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-	rootAPem := resp.Data["certificate"].(string)
-	rootACert := parseCert(t, rootAPem)
-
-	resp, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
-		"common_name": "root b - example.com",
-		"issuer_name": "root-b",
-		"key_type":    "ec",
-	})
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-	rootBPem := resp.Data["certificate"].(string)
-	rootBCert := parseCert(t, rootBPem)
-
-	// Create three roles: one with no assignment, one with explicit root-a,
-	// one with explicit root-b.
-	_, err = CBWrite(b, s, "roles/use-default", map[string]interface{}{
-		"allow_any_name":    true,
-		"enforce_hostnames": false,
-		"key_type":          "ec",
-	})
-	require.NoError(t, err)
-
-	_, err = CBWrite(b, s, "roles/use-root-a", map[string]interface{}{
-		"allow_any_name":    true,
-		"enforce_hostnames": false,
-		"key_type":          "ec",
-		"issuer_ref":        "root-a",
-	})
-	require.NoError(t, err)
-
-	_, err = CBWrite(b, s, "roles/use-root-b", map[string]interface{}{
-		"allow_any_name":    true,
-		"enforce_hostnames": false,
-		"issuer_ref":        "root-b",
-	})
-	require.NoError(t, err)
-
-	// Now issue certs against these roles.
-	resp, err = CBWrite(b, s, "issue/use-default", map[string]interface{}{
-		"common_name": "testing",
-		"ttl":         "5s",
-	})
-	require.NoError(t, err)
-	leafPem := resp.Data["certificate"].(string)
-	leafCert := parseCert(t, leafPem)
-	err = leafCert.CheckSignatureFrom(rootACert)
-	require.NoError(t, err, "should be signed by root-a but wasn't")
-
-	resp, err = CBWrite(b, s, "issue/use-root-a", map[string]interface{}{
-		"common_name": "testing",
-		"ttl":         "5s",
-	})
-	require.NoError(t, err)
-	leafPem = resp.Data["certificate"].(string)
-	leafCert = parseCert(t, leafPem)
-	err = leafCert.CheckSignatureFrom(rootACert)
-	require.NoError(t, err, "should be signed by root-a but wasn't")
-
-	resp, err = CBWrite(b, s, "issue/use-root-b", map[string]interface{}{
-		"common_name": "testing",
-		"ttl":         "5s",
-	})
-	require.NoError(t, err)
-	leafPem = resp.Data["certificate"].(string)
-	leafCert = parseCert(t, leafPem)
-	err = leafCert.CheckSignatureFrom(rootBCert)
-	require.NoError(t, err, "should be signed by root-b but wasn't")
-
-	// Update the default issuer to be root B and make sure that the
-	// use-default role updates.
-	_, err = CBWrite(b, s, "config/issuers", map[string]interface{}{
-		"default": "root-b",
-	})
-	require.NoError(t, err)
-
-	resp, err = CBWrite(b, s, "issue/use-default", map[string]interface{}{
-		"common_name": "testing",
-		"ttl":         "5s",
-	})
-	require.NoError(t, err)
-	leafPem = resp.Data["certificate"].(string)
-	leafCert = parseCert(t, leafPem)
-	err = leafCert.CheckSignatureFrom(rootBCert)
-	require.NoError(t, err, "should be signed by root-b but wasn't")
-}
-
-func TestBackend_PathFetchValidRaw(t *testing.T) {
-	t.Parallel()
-	b, storage := CreateBackendWithStorage(t)
-
-	resp, err := b.HandleRequest(context.Background(), &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "root/generate/internal",
-		Storage:   storage,
-		Data: map[string]interface{}{
-			"common_name": "test.com",
-			"ttl":         "6h",
-		},
-		MountPoint: "pki/",
-	})
-	require.NoError(t, err)
-	if resp != nil && resp.IsError() {
-		t.Fatalf("failed to generate root, %#v", resp)
-	}
-	rootCaAsPem := resp.Data["certificate"].(string)
-
-	// Chain should contain the root.
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  logical.ReadOperation,
-		Path:       "ca_chain",
-		Storage:    storage,
-		Data:       map[string]interface{}{},
-		MountPoint: "pki/",
-	})
-	require.NoError(t, err)
-	if resp != nil && resp.IsError() {
-		t.Fatalf("failed read ca_chain, %#v", resp)
-	}
-	if strings.Count(string(resp.Data[logical.HTTPRawBody].([]byte)), rootCaAsPem) != 1 {
-		t.Fatalf("expected raw chain to contain the root cert")
-	}
-
-	// The ca/pem should return us the actual CA...
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  logical.ReadOperation,
-		Path:       "ca/pem",
-		Storage:    storage,
-		Data:       map[string]interface{}{},
-		MountPoint: "pki/",
-	})
-	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("ca/pem"), logical.ReadOperation), resp, true)
-	require.NoError(t, err)
-	if resp != nil && resp.IsError() {
-		t.Fatalf("failed read ca/pem, %#v", resp)
-	}
-	// check the raw cert matches the response body
-	if !bytes.Equal(resp.Data[logical.HTTPRawBody].([]byte), []byte(rootCaAsPem)) {
-		t.Fatalf("failed to get raw cert")
-	}
-
-	_, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "roles/example",
-		Storage:   storage,
-		Data: map[string]interface{}{
-			"allowed_domains":  "example.com",
-			"allow_subdomains": "true",
-			"max_ttl":          "1h",
-			"no_store":         "false",
-		},
-		MountPoint: "pki/",
-	})
-	require.NoError(t, err, "error setting up pki role: %v", err)
-
-	// Now issue a short-lived certificate from our pki-external.
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "issue/example",
-		Storage:   storage,
-		Data: map[string]interface{}{
-			"common_name": "test.example.com",
-			"ttl":         "5m",
-		},
-		MountPoint: "pki/",
-	})
-	require.NoError(t, err, "error issuing certificate: %v", err)
-	require.NotNil(t, resp, "got nil response from issuing request")
-
-	issueCrtAsPem := resp.Data["certificate"].(string)
-	issuedCrt := parseCert(t, issueCrtAsPem)
-	expectedSerial := serialFromCert(issuedCrt)
-	expectedCert := []byte(issueCrtAsPem)
-
-	// get der cert
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation: logical.ReadOperation,
-		Path:      fmt.Sprintf("cert/%s/raw", expectedSerial),
-		Storage:   storage,
-	})
-	if resp != nil && resp.IsError() {
-		t.Fatalf("failed to get raw cert, %#v", resp)
-	}
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// check the raw cert matches the response body
-	rawBody := resp.Data[logical.HTTPRawBody].([]byte)
-	bodyAsPem := []byte(strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rawBody}))))
-	if !bytes.Equal(bodyAsPem, expectedCert) {
-		t.Fatalf("failed to get raw cert for serial number: %s", expectedSerial)
-	}
-	if resp.Data[logical.HTTPContentType] != "application/pkix-cert" {
-		t.Fatalf("failed to get raw cert content-type")
-	}
-
-	// get pem
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation: logical.ReadOperation,
-		Path:      fmt.Sprintf("cert/%s/raw/pem", expectedSerial),
-		Storage:   storage,
-	})
-	if resp != nil && resp.IsError() {
-		t.Fatalf("failed to get raw, %#v", resp)
-	}
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// check the pem cert matches the response body
-	if !bytes.Equal(resp.Data[logical.HTTPRawBody].([]byte), expectedCert) {
-		t.Fatalf("failed to get pem cert")
-	}
-	if resp.Data[logical.HTTPContentType] != "application/pem-certificate-chain" {
-		t.Fatalf("failed to get raw cert content-type")
-	}
-}
-
-func TestBackend_PathFetchCertList(t *testing.T) {
-	t.Parallel()
-	// create the backend
-	b, storage := CreateBackendWithStorage(t)
-
-	// generate root
-	rootData := map[string]interface{}{
-		"common_name": "test.com",
-		"ttl":         "6h",
-	}
-
-	resp, err := b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  logical.UpdateOperation,
-		Path:       "root/generate/internal",
-		Storage:    storage,
-		Data:       rootData,
-		MountPoint: "pki/",
-	})
-
-	if resp != nil && resp.IsError() {
-		t.Fatalf("failed to generate root, %#v", resp)
-	}
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// config urls
-	urlsData := map[string]interface{}{
-		"issuing_certificates":    "http://127.0.0.1:8200/v1/pki/ca",
-		"crl_distribution_points": "http://127.0.0.1:8200/v1/pki/crl",
-	}
-
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  logical.UpdateOperation,
-		Path:       "config/urls",
-		Storage:    storage,
-		Data:       urlsData,
-		MountPoint: "pki/",
-	})
-	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("config/urls"), logical.UpdateOperation), resp, true)
-
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  logical.ReadOperation,
-		Path:       "config/urls",
-		Storage:    storage,
-		MountPoint: "pki/",
-	})
-	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("config/urls"), logical.ReadOperation), resp, true)
-
-	if resp != nil && resp.IsError() {
-		t.Fatalf("failed to config urls, %#v", resp)
-	}
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// create a role entry
-	roleData := map[string]interface{}{
-		"allowed_domains":  "test.com",
-		"allow_subdomains": "true",
-		"max_ttl":          "4h",
-	}
-
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  logical.UpdateOperation,
-		Path:       "roles/test-example",
-		Storage:    storage,
-		Data:       roleData,
-		MountPoint: "pki/",
-	})
-	if resp != nil && resp.IsError() {
-		t.Fatalf("failed to create a role, %#v", resp)
-	}
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// issue some certs
-	i := 1
-	for i < 10 {
-		certData := map[string]interface{}{
-			"common_name": "example.test.com",
-		}
-		resp, err = b.HandleRequest(context.Background(), &logical.Request{
-			Operation:  logical.UpdateOperation,
-			Path:       "issue/test-example",
-			Storage:    storage,
-			Data:       certData,
-			MountPoint: "pki/",
-		})
-		if resp != nil && resp.IsError() {
-			t.Fatalf("failed to issue a cert, %#v", resp)
-		}
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		i = i + 1
-	}
-
-	// list certs
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  logical.ListOperation,
-		Path:       "certs",
-		Storage:    storage,
-		MountPoint: "pki/",
-	})
-	if resp != nil && resp.IsError() {
-		t.Fatalf("failed to list certs, %#v", resp)
-	}
-	if err != nil {
-		t.Fatal(err)
-	}
-	// check that the root and 9 additional certs are all listed
-	if len(resp.Data["keys"].([]string)) != 10 {
-		t.Fatalf("failed to list all 10 certs")
-	}
-
-	// list certs/
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  logical.ListOperation,
-		Path:       "certs/",
-		Storage:    storage,
-		MountPoint: "pki/",
-	})
-	if resp != nil && resp.IsError() {
-		t.Fatalf("failed to list certs, %#v", resp)
-	}
-	if err != nil {
-		t.Fatal(err)
-	}
-	// check that the root and 9 additional certs are all listed
-	if len(resp.Data["keys"].([]string)) != 10 {
-		t.Fatalf("failed to list all 10 certs")
-	}
-}
-
-func TestBackend_SignVerbatim(t *testing.T) {
-	t.Parallel()
-	testCases := []struct {
-		testName string
-		keyType  string
-	}{
-		{testName: "RSA", keyType: "rsa"},
-		{testName: "ED25519", keyType: "ed25519"},
-		{testName: "EC", keyType: "ec"},
-		{testName: "Any", keyType: "any"},
-	}
-	for _, tc := range testCases {
-		tc := tc
-		t.Run(tc.testName, func(t *testing.T) {
-			runTestSignVerbatim(t, tc.keyType)
-		})
-	}
-}
-
-func runTestSignVerbatim(t *testing.T, keyType string) {
-	// create the backend
-	b, storage := CreateBackendWithStorage(t)
-
-	// generate root
-	rootData := map[string]interface{}{
-		"common_name": "test.com",
-		"not_after":   "9999-12-31T23:59:59Z",
-	}
-
-	resp, err := b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  logical.UpdateOperation,
-		Path:       "root/generate/internal",
-		Storage:    storage,
-		Data:       rootData,
-		MountPoint: "pki/",
-	})
-	if resp != nil && resp.IsError() {
-		t.Fatalf("failed to generate root, %#v", *resp)
-	}
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// create a CSR and key
-	key, err := rsa.GenerateKey(rand.Reader, 2048)
-	if err != nil {
-		t.Fatal(err)
-	}
-	csrReq := &x509.CertificateRequest{
-		Subject: pkix.Name{
-			CommonName: "foo.bar.com",
-		},
-		// Check that otherName extensions are not duplicated (see hashicorp/vault#16700).
-		// If these extensions are duplicated, sign-verbatim will fail when parsing the signed certificate on Go 1.19+ (see golang/go#50988).
-		// On older versions of Go this test will fail due to an explicit check for duplicate otherNames later in this test.
-		ExtraExtensions: []pkix.Extension{
-			{
-				Id:       oidExtensionSubjectAltName,
-				Critical: false,
-				Value:    []byte{0x30, 0x26, 0xA0, 0x24, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03, 0xA0, 0x16, 0x0C, 0x14, 0x75, 0x73, 0x65, 0x72, 0x6E, 0x61, 0x6D, 0x65, 0x40, 0x65, 0x78, 0x61, 0x6D, 0x70, 0x6C, 0x65, 0x2E, 0x63, 0x6F, 0x6D},
-			},
-		},
-	}
-	csr, err := x509.CreateCertificateRequest(rand.Reader, csrReq, key)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if len(csr) == 0 {
-		t.Fatal("generated csr is empty")
-	}
-	pemCSR := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{
-		Type:  "CERTIFICATE REQUEST",
-		Bytes: csr,
-	})))
-	if len(pemCSR) == 0 {
-		t.Fatal("pem csr is empty")
-	}
-
-	signVerbatimData := map[string]interface{}{
-		"csr": pemCSR,
-	}
-	if keyType == "rsa" {
-		signVerbatimData["signature_bits"] = 512
-	}
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  logical.UpdateOperation,
-		Path:       "sign-verbatim",
-		Storage:    storage,
-		Data:       signVerbatimData,
-		MountPoint: "pki/",
-	})
-	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("sign-verbatim"), logical.UpdateOperation), resp, true)
-
-	if resp != nil && resp.IsError() {
-		t.Fatalf("failed to sign-verbatim basic CSR: %#v", *resp)
-	}
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp.Secret != nil {
-		t.Fatal("secret is not nil")
-	}
-
-	// create a role entry; we use this to check that sign-verbatim when used with a role is still honoring TTLs
-	roleData := map[string]interface{}{
-		"ttl":                 "4h",
-		"max_ttl":             "8h",
-		"key_type":            keyType,
-		"not_before_duration": "2h",
-	}
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  logical.UpdateOperation,
-		Path:       "roles/test",
-		Storage:    storage,
-		Data:       roleData,
-		MountPoint: "pki/",
-	})
-	if resp != nil && resp.IsError() {
-		t.Fatalf("failed to create a role, %#v", *resp)
-	}
-	if err != nil {
-		t.Fatal(err)
-	}
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "sign-verbatim/test",
-		Storage:   storage,
-		Data: map[string]interface{}{
-			"csr": pemCSR,
-			"ttl": "5h",
-		},
-		MountPoint: "pki/",
-	})
-	if resp != nil && resp.IsError() {
-		t.Fatalf("failed to sign-verbatim ttl'd CSR: %#v", *resp)
-	}
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp.Secret != nil {
-		t.Fatal("got a lease when we should not have")
-	}
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "sign-verbatim/test",
-		Storage:   storage,
-		Data: map[string]interface{}{
-			"csr": pemCSR,
-			"ttl": "12h",
-		},
-		MountPoint: "pki/",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp != nil && resp.IsError() {
-		t.Fatalf(resp.Error().Error())
-	}
-	if resp.Data == nil || resp.Data["certificate"] == nil {
-		t.Fatal("did not get expected data")
-	}
-	certString := resp.Data["certificate"].(string)
-	block, _ := pem.Decode([]byte(certString))
-	if block == nil {
-		t.Fatal("nil pem block")
-	}
-	certs, err := x509.ParseCertificates(block.Bytes)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if len(certs) != 1 {
-		t.Fatalf("expected a single cert, got %d", len(certs))
-	}
-	cert := certs[0]
-	if math.Abs(float64(time.Now().Add(12*time.Hour).Unix()-cert.NotAfter.Unix())) < 10 {
-		t.Fatalf("sign-verbatim did not properly cap validity period (notAfter) on signed CSR: was %v vs requested %v but should've been %v", cert.NotAfter, time.Now().Add(12*time.Hour), time.Now().Add(8*time.Hour))
-	}
-	if math.Abs(float64(time.Now().Add(-2*time.Hour).Unix()-cert.NotBefore.Unix())) > 10 {
-		t.Fatalf("sign-verbatim did not properly cap validity period (notBefore) on signed CSR: was %v vs expected %v", cert.NotBefore, time.Now().Add(-2*time.Hour))
-	}
-
-	// Now check signing a certificate using the not_after input using the Y10K value
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "sign-verbatim/test",
-		Storage:   storage,
-		Data: map[string]interface{}{
-			"csr":       pemCSR,
-			"not_after": "9999-12-31T23:59:59Z",
-		},
-		MountPoint: "pki/",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp != nil && resp.IsError() {
-		t.Fatalf(resp.Error().Error())
-	}
-	if resp.Data == nil || resp.Data["certificate"] == nil {
-		t.Fatal("did not get expected data")
-	}
-	certString = resp.Data["certificate"].(string)
-	block, _ = pem.Decode([]byte(certString))
-	if block == nil {
-		t.Fatal("nil pem block")
-	}
-	certs, err = x509.ParseCertificates(block.Bytes)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if len(certs) != 1 {
-		t.Fatalf("expected a single cert, got %d", len(certs))
-	}
-	cert = certs[0]
-
-	// Fallback check for duplicate otherName, necessary on Go versions before 1.19.
-	// We assume that there is only one SAN in the original CSR and that it is an otherName.
-	san_count := 0
-	for _, ext := range cert.Extensions {
-		if ext.Id.Equal(oidExtensionSubjectAltName) {
-			san_count += 1
-		}
-	}
-	if san_count != 1 {
-		t.Fatalf("expected one SAN extension, got %d", san_count)
-	}
-
-	notAfter := cert.NotAfter.Format(time.RFC3339)
-	if notAfter != "9999-12-31T23:59:59Z" {
-		t.Fatal(fmt.Errorf("not after from certificate is not matching with input parameter"))
-	}
-
-	// now check that if we set generate-lease it takes it from the role and the TTLs match
-	roleData = map[string]interface{}{
-		"ttl":            "4h",
-		"max_ttl":        "8h",
-		"generate_lease": true,
-		"key_type":       keyType,
-	}
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  logical.UpdateOperation,
-		Path:       "roles/test",
-		Storage:    storage,
-		Data:       roleData,
-		MountPoint: "pki/",
-	})
-	if resp != nil && resp.IsError() {
-		t.Fatalf("failed to create a role, %#v", *resp)
-	}
-	if err != nil {
-		t.Fatal(err)
-	}
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "sign-verbatim/test",
-		Storage:   storage,
-		Data: map[string]interface{}{
-			"csr": pemCSR,
-			"ttl": "5h",
-		},
-		MountPoint: "pki/",
-	})
-	if resp != nil && resp.IsError() {
-		t.Fatalf("failed to sign-verbatim role-leased CSR: %#v", *resp)
-	}
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp.Secret == nil {
-		t.Fatalf("secret is nil, response is %#v", *resp)
-	}
-	if math.Abs(float64(resp.Secret.TTL-(5*time.Hour))) > float64(5*time.Hour) {
-		t.Fatalf("ttl not default; wanted %v, got %v", b.System().DefaultLeaseTTL(), resp.Secret.TTL)
-	}
-}
-
-func TestBackend_Root_Idempotency(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-
-	// This is a change within 1.11, we are no longer idempotent across generate/internal calls.
-	resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
-		"common_name": "myvault.com",
-	})
-	require.NoError(t, err)
-	require.NotNil(t, resp, "expected ca info")
-	keyId1 := resp.Data["key_id"]
-	issuerId1 := resp.Data["issuer_id"]
-	cert := parseCert(t, resp.Data["certificate"].(string))
-	certSkid := certutil.GetHexFormatted(cert.SubjectKeyId, ":")
-
-	//  -> Validate the SKID matches between the root cert and the key
-	resp, err = CBRead(b, s, "key/"+keyId1.(keyID).String())
-	require.NoError(t, err)
-	require.NotNil(t, resp, "expected a response")
-	require.Equal(t, resp.Data["subject_key_id"], certSkid)
-
-	resp, err = CBRead(b, s, "cert/ca_chain")
-	require.NoError(t, err, "error reading ca_chain: %v", err)
-
-	r1Data := resp.Data
-
-	// Calling generate/internal should generate a new CA as well.
-	resp, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
-		"common_name": "myvault.com",
-	})
-	require.NoError(t, err)
-	require.NotNil(t, resp, "expected ca info")
-	keyId2 := resp.Data["key_id"]
-	issuerId2 := resp.Data["issuer_id"]
-	cert = parseCert(t, resp.Data["certificate"].(string))
-	certSkid = certutil.GetHexFormatted(cert.SubjectKeyId, ":")
-
-	//  -> Validate the SKID matches between the root cert and the key
-	resp, err = CBRead(b, s, "key/"+keyId2.(keyID).String())
-	require.NoError(t, err)
-	require.NotNil(t, resp, "expected a response")
-	require.Equal(t, resp.Data["subject_key_id"], certSkid)
-
-	// Make sure that we actually generated different issuer and key values
-	require.NotEqual(t, keyId1, keyId2)
-	require.NotEqual(t, issuerId1, issuerId2)
-
-	// Now because the issued CA's have no links, the call to ca_chain should return the same data (ca chain from default)
-	resp, err = CBRead(b, s, "cert/ca_chain")
-	require.NoError(t, err, "error reading ca_chain: %v", err)
-	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("cert/ca_chain"), logical.ReadOperation), resp, true)
-
-	r2Data := resp.Data
-	if !reflect.DeepEqual(r1Data, r2Data) {
-		t.Fatal("got different ca certs")
-	}
-
-	// Now let's validate that the import bundle is idempotent.
-	pemBundleRootCA := rootCACertPEM + "\n" + rootCAKeyPEM
-	resp, err = CBWrite(b, s, "config/ca", map[string]interface{}{
-		"pem_bundle": pemBundleRootCA,
-	})
-	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("config/ca"), logical.UpdateOperation), resp, true)
-
-	require.NoError(t, err)
-	require.NotNil(t, resp, "expected ca info")
-	firstMapping := resp.Data["mapping"].(map[string]string)
-	firstImportedKeys := resp.Data["imported_keys"].([]string)
-	firstImportedIssuers := resp.Data["imported_issuers"].([]string)
-	firstExistingKeys := resp.Data["existing_keys"].([]string)
-	firstExistingIssuers := resp.Data["existing_issuers"].([]string)
-
-	require.NotContains(t, firstImportedKeys, keyId1)
-	require.NotContains(t, firstImportedKeys, keyId2)
-	require.NotContains(t, firstImportedIssuers, issuerId1)
-	require.NotContains(t, firstImportedIssuers, issuerId2)
-	require.Empty(t, firstExistingKeys)
-	require.Empty(t, firstExistingIssuers)
-	require.NotEmpty(t, firstMapping)
-	require.Equal(t, 1, len(firstMapping))
-
-	var issuerId3 string
-	var keyId3 string
-	for i, k := range firstMapping {
-		issuerId3 = i
-		keyId3 = k
-	}
-
-	// Performing this again should result in no key/issuer ids being imported/generated.
-	resp, err = CBWrite(b, s, "config/ca", map[string]interface{}{
-		"pem_bundle": pemBundleRootCA,
-	})
-	require.NoError(t, err)
-	require.NotNil(t, resp, "expected ca info")
-	secondMapping := resp.Data["mapping"].(map[string]string)
-	secondImportedKeys := resp.Data["imported_keys"]
-	secondImportedIssuers := resp.Data["imported_issuers"]
-	secondExistingKeys := resp.Data["existing_keys"]
-	secondExistingIssuers := resp.Data["existing_issuers"]
-
-	require.Empty(t, secondImportedKeys)
-	require.Empty(t, secondImportedIssuers)
-	require.Contains(t, secondExistingKeys, keyId3)
-	require.Contains(t, secondExistingIssuers, issuerId3)
-	require.Equal(t, 1, len(secondMapping))
-
-	resp, err = CBDelete(b, s, "root")
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-	require.Equal(t, 1, len(resp.Warnings))
-
-	// Make sure we can delete twice...
-	resp, err = CBDelete(b, s, "root")
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-	require.Equal(t, 1, len(resp.Warnings))
-
-	_, err = CBRead(b, s, "cert/ca_chain")
-	require.Error(t, err, "expected an error fetching deleted ca_chain")
-
-	// We should be able to import the same ca bundle as before and get a different key/issuer ids
-	resp, err = CBWrite(b, s, "config/ca", map[string]interface{}{
-		"pem_bundle": pemBundleRootCA,
-	})
-	require.NoError(t, err)
-	require.NotNil(t, resp, "expected ca info")
-	postDeleteImportedKeys := resp.Data["imported_keys"]
-	postDeleteImportedIssuers := resp.Data["imported_issuers"]
-
-	// Make sure that we actually generated different issuer and key values, then the previous import
-	require.NotNil(t, postDeleteImportedKeys)
-	require.NotNil(t, postDeleteImportedIssuers)
-	require.NotEqual(t, postDeleteImportedKeys, firstImportedKeys)
-	require.NotEqual(t, postDeleteImportedIssuers, firstImportedIssuers)
-
-	resp, err = CBRead(b, s, "cert/ca_chain")
-	require.NoError(t, err)
-
-	caChainPostDelete := resp.Data
-	if reflect.DeepEqual(r1Data, caChainPostDelete) {
-		t.Fatal("ca certs from ca_chain were the same post delete, should have changed.")
-	}
-}
-
-func TestBackend_SignIntermediate_AllowedPastCAValidity(t *testing.T) {
-	t.Parallel()
-	b_root, s_root := CreateBackendWithStorage(t)
-	b_int, s_int := CreateBackendWithStorage(t)
-	var err error
-
-	// Direct issuing from root
-	_, err = CBWrite(b_root, s_root, "root/generate/internal", map[string]interface{}{
-		"ttl":         "40h",
-		"common_name": "myvault.com",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = CBWrite(b_root, s_root, "roles/test", map[string]interface{}{
-		"allow_bare_domains": true,
-		"allow_subdomains":   true,
-		"allow_any_name":     true,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	resp, err := CBWrite(b_int, s_int, "intermediate/generate/internal", map[string]interface{}{
-		"common_name": "myint.com",
-	})
-	schema.ValidateResponse(t, schema.GetResponseSchema(t, b_root.Route("intermediate/generate/internal"), logical.UpdateOperation), resp, true)
-	require.Contains(t, resp.Data, "key_id")
-	intKeyId := resp.Data["key_id"].(keyID)
-	csr := resp.Data["csr"]
-
-	resp, err = CBRead(b_int, s_int, "key/"+intKeyId.String())
-	require.NoError(t, err)
-	require.NotNil(t, resp, "expected a response")
-	intSkid := resp.Data["subject_key_id"].(string)
-
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = CBWrite(b_root, s_root, "sign/test", map[string]interface{}{
-		"common_name": "myint.com",
-		"csr":         csr,
-		"ttl":         "60h",
-	})
-	require.ErrorContains(t, err, "that is beyond the expiration of the CA certificate")
-
-	_, err = CBWrite(b_root, s_root, "sign-verbatim/test", map[string]interface{}{
-		"common_name": "myint.com",
-		"other_sans":  "1.3.6.1.4.1.311.20.2.3;utf8:caadmin@example.com",
-		"csr":         csr,
-		"ttl":         "60h",
-	})
-	require.ErrorContains(t, err, "that is beyond the expiration of the CA certificate")
-
-	resp, err = CBWrite(b_root, s_root, "root/sign-intermediate", map[string]interface{}{
-		"common_name": "myint.com",
-		"other_sans":  "1.3.6.1.4.1.311.20.2.3;utf8:caadmin@example.com",
-		"csr":         csr,
-		"ttl":         "60h",
-	})
-	if err != nil {
-		t.Fatalf("got error: %v", err)
-	}
-	if resp == nil {
-		t.Fatal("got nil response")
-	}
-	if len(resp.Warnings) == 0 {
-		t.Fatalf("expected warnings, got %#v", *resp)
-	}
-
-	cert := parseCert(t, resp.Data["certificate"].(string))
-	certSkid := certutil.GetHexFormatted(cert.SubjectKeyId, ":")
-	require.Equal(t, intSkid, certSkid)
-}
-
-func TestBackend_ConsulSignLeafWithLegacyRole(t *testing.T) {
-	t.Parallel()
-	// create the backend
-	b, s := CreateBackendWithStorage(t)
-
-	// generate root
-	data, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
-		"ttl":         "40h",
-		"common_name": "myvault.com",
-	})
-	require.NoError(t, err, "failed generating internal root cert")
-	rootCaPem := data.Data["certificate"].(string)
-
-	// Create a signing role like Consul did with the default args prior to Vault 1.10
-	_, err = CBWrite(b, s, "roles/test", map[string]interface{}{
-		"allow_any_name":         true,
-		"allowed_serial_numbers": []string{"MySerialNumber"},
-		"key_type":               "any",
-		"key_bits":               "2048",
-		"signature_bits":         "256",
-	})
-	require.NoError(t, err, "failed creating legacy role")
-
-	_, csrPem := generateTestCsr(t, certutil.ECPrivateKey, 256)
-	data, err = CBWrite(b, s, "sign/test", map[string]interface{}{
-		"csr": csrPem,
-	})
-	require.NoError(t, err, "failed signing csr")
-	certAsPem := data.Data["certificate"].(string)
-
-	signedCert := parseCert(t, certAsPem)
-	rootCert := parseCert(t, rootCaPem)
-	requireSignedBy(t, signedCert, rootCert)
-}
-
-func TestBackend_SignSelfIssued(t *testing.T) {
-	t.Parallel()
-	// create the backend
-	b, storage := CreateBackendWithStorage(t)
-
-	// generate root
-	rootData := map[string]interface{}{
-		"common_name": "test.com",
-		"ttl":         "172800",
-	}
-
-	resp, err := b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  logical.UpdateOperation,
-		Path:       "root/generate/internal",
-		Storage:    storage,
-		Data:       rootData,
-		MountPoint: "pki/",
-	})
-	if resp != nil && resp.IsError() {
-		t.Fatalf("failed to generate root, %#v", *resp)
-	}
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	key, err := rsa.GenerateKey(rand.Reader, 2048)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	template := &x509.Certificate{
-		Subject: pkix.Name{
-			CommonName: "foo.bar.com",
-		},
-		SerialNumber:          big.NewInt(1234),
-		IsCA:                  false,
-		BasicConstraintsValid: true,
-	}
-
-	ss, _ := getSelfSigned(t, template, template, key)
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "root/sign-self-issued",
-		Storage:   storage,
-		Data: map[string]interface{}{
-			"certificate": ss,
-		},
-		MountPoint: "pki/",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp == nil {
-		t.Fatal("got nil response")
-	}
-	if !resp.IsError() {
-		t.Fatalf("expected error due to non-CA; got: %#v", *resp)
-	}
-
-	// Set CA to true, but leave issuer alone
-	template.IsCA = true
-
-	issuer := &x509.Certificate{
-		Subject: pkix.Name{
-			CommonName: "bar.foo.com",
-		},
-		SerialNumber:          big.NewInt(2345),
-		IsCA:                  true,
-		BasicConstraintsValid: true,
-	}
-	ss, ssCert := getSelfSigned(t, template, issuer, key)
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "root/sign-self-issued",
-		Storage:   storage,
-		Data: map[string]interface{}{
-			"certificate": ss,
-		},
-		MountPoint: "pki/",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp == nil {
-		t.Fatal("got nil response")
-	}
-	if !resp.IsError() {
-		t.Fatalf("expected error due to different issuer; cert info is\nIssuer\n%#v\nSubject\n%#v\n", ssCert.Issuer, ssCert.Subject)
-	}
-
-	ss, _ = getSelfSigned(t, template, template, key)
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "root/sign-self-issued",
-		Storage:   storage,
-		Data: map[string]interface{}{
-			"certificate": ss,
-		},
-		MountPoint: "pki/",
-	})
-	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("root/sign-self-issued"), logical.UpdateOperation), resp, true)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp == nil {
-		t.Fatal("got nil response")
-	}
-	if resp.IsError() {
-		t.Fatalf("error in response: %s", resp.Error().Error())
-	}
-
-	newCertString := resp.Data["certificate"].(string)
-	block, _ := pem.Decode([]byte(newCertString))
-	newCert, err := x509.ParseCertificate(block.Bytes)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	sc := b.makeStorageContext(context.Background(), storage)
-	signingBundle, err := sc.fetchCAInfo(defaultRef, ReadOnlyUsage)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if reflect.DeepEqual(newCert.Subject, newCert.Issuer) {
-		t.Fatal("expected different subject/issuer")
-	}
-	if !reflect.DeepEqual(newCert.Issuer, signingBundle.Certificate.Subject) {
-		t.Fatalf("expected matching issuer/CA subject\n\nIssuer:\n%#v\nSubject:\n%#v\n", newCert.Issuer, signingBundle.Certificate.Subject)
-	}
-	if bytes.Equal(newCert.AuthorityKeyId, newCert.SubjectKeyId) {
-		t.Fatal("expected different authority/subject")
-	}
-	if !bytes.Equal(newCert.AuthorityKeyId, signingBundle.Certificate.SubjectKeyId) {
-		t.Fatal("expected authority on new cert to be same as signing subject")
-	}
-	if newCert.Subject.CommonName != "foo.bar.com" {
-		t.Fatalf("unexpected common name on new cert: %s", newCert.Subject.CommonName)
-	}
-}
-
-// TestBackend_SignSelfIssued_DifferentTypes tests the functionality of the
-// require_matching_certificate_algorithms flag.
-func TestBackend_SignSelfIssued_DifferentTypes(t *testing.T) {
-	t.Parallel()
-	// create the backend
-	b, storage := CreateBackendWithStorage(t)
-
-	// generate root
-	rootData := map[string]interface{}{
-		"common_name": "test.com",
-		"ttl":         "172800",
-		"key_type":    "ec",
-		"key_bits":    "521",
-	}
-
-	resp, err := b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  logical.UpdateOperation,
-		Path:       "root/generate/internal",
-		Storage:    storage,
-		Data:       rootData,
-		MountPoint: "pki/",
-	})
-	if resp != nil && resp.IsError() {
-		t.Fatalf("failed to generate root, %#v", *resp)
-	}
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	key, err := rsa.GenerateKey(rand.Reader, 2048)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	template := &x509.Certificate{
-		Subject: pkix.Name{
-			CommonName: "foo.bar.com",
-		},
-		SerialNumber:          big.NewInt(1234),
-		IsCA:                  true,
-		BasicConstraintsValid: true,
-	}
-
-	// Tests absent the flag
-	ss, _ := getSelfSigned(t, template, template, key)
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "root/sign-self-issued",
-		Storage:   storage,
-		Data: map[string]interface{}{
-			"certificate": ss,
-		},
-		MountPoint: "pki/",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp == nil {
-		t.Fatal("got nil response")
-	}
-
-	// Set CA to true, but leave issuer alone
-	template.IsCA = true
-
-	// Tests with flag present but false
-	ss, _ = getSelfSigned(t, template, template, key)
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "root/sign-self-issued",
-		Storage:   storage,
-		Data: map[string]interface{}{
-			"certificate": ss,
-			"require_matching_certificate_algorithms": false,
-		},
-		MountPoint: "pki/",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp == nil {
-		t.Fatal("got nil response")
-	}
-
-	// Test with flag present and true
-	ss, _ = getSelfSigned(t, template, template, key)
-	_, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "root/sign-self-issued",
-		Storage:   storage,
-		Data: map[string]interface{}{
-			"certificate": ss,
-			"require_matching_certificate_algorithms": true,
-		},
-		MountPoint: "pki/",
-	})
-	if err == nil {
-		t.Fatal("expected error due to mismatched algorithms")
-	}
-}
-
-// This is a really tricky test because the Go stdlib asn1 package is incapable
-// of doing the right thing with custom OID SANs (see comments in the package,
-// it's readily admitted that it's too magic) but that means that any
-// validation logic written for this test isn't being independently verified,
-// as in, if cryptobytes is used to decode it to make the test work, that
-// doesn't mean we're encoding and decoding correctly, only that we made the
-// test pass. Instead, when run verbosely it will first perform a bunch of
-// checks to verify that the OID SAN logic doesn't screw up other SANs, then
-// will spit out the PEM. This can be validated independently.
-//
-// You want the hex dump of the octet string corresponding to the X509v3
-// Subject Alternative Name. There's a nice online utility at
-// https://lapo.it/asn1js that can be used to view the structure of an
-// openssl-generated other SAN at
-// https://lapo.it/asn1js/#3022A020060A2B060104018237140203A0120C106465766F7073406C6F63616C686F7374
-// (openssl asn1parse can also be used with -strparse using an offset of the
-// hex blob for the subject alternative names extension).
-//
-// The structure output from here should match that precisely (even if the OID
-// itself doesn't) in the second test.
-//
-// The test that encodes two should have them be in separate elements in the
-// top-level sequence; see
-// https://lapo.it/asn1js/#3046A020060A2B060104018237140203A0120C106465766F7073406C6F63616C686F7374A022060A2B060104018237140204A0140C12322D6465766F7073406C6F63616C686F7374 for an openssl-generated example.
-//
-// The good news is that it's valid to simply copy and paste the PEM output from
-// here into the form at that site as it will do the right thing so it's pretty
-// easy to validate.
-func TestBackend_OID_SANs(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-
-	var err error
-	var resp *logical.Response
-	var certStr string
-	var block *pem.Block
-	var cert *x509.Certificate
-
-	_, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
-		"ttl":         "40h",
-		"common_name": "myvault.com",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = CBWrite(b, s, "roles/test", map[string]interface{}{
-		"allowed_domains":    []string{"foobar.com", "zipzap.com"},
-		"allow_bare_domains": true,
-		"allow_subdomains":   true,
-		"allow_ip_sans":      true,
-		"allowed_other_sans": "1.3.6.1.4.1.311.20.2.3;UTF8:devops@*,1.3.6.1.4.1.311.20.2.4;utf8:d*e@foobar.com",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Get a baseline before adding OID SANs. In the next sections we'll verify
-	// that the SANs are all added even as the OID SAN inclusion forces other
-	// adding logic (custom rather than built-in Golang logic)
-	resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
-		"common_name": "foobar.com",
-		"ip_sans":     "1.2.3.4",
-		"alt_names":   "foobar.com,foo.foobar.com,bar.foobar.com",
-		"ttl":         "1h",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	certStr = resp.Data["certificate"].(string)
-	block, _ = pem.Decode([]byte(certStr))
-	cert, err = x509.ParseCertificate(block.Bytes)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if cert.IPAddresses[0].String() != "1.2.3.4" {
-		t.Fatalf("unexpected IP SAN %q", cert.IPAddresses[0].String())
-	}
-	if len(cert.DNSNames) != 3 ||
-		cert.DNSNames[0] != "bar.foobar.com" ||
-		cert.DNSNames[1] != "foo.foobar.com" ||
-		cert.DNSNames[2] != "foobar.com" {
-		t.Fatalf("unexpected DNS SANs %v", cert.DNSNames)
-	}
-
-	// First test some bad stuff that shouldn't work
-	_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
-		"common_name": "foobar.com",
-		"ip_sans":     "1.2.3.4",
-		"alt_names":   "foo.foobar.com,bar.foobar.com",
-		"ttl":         "1h",
-		// Not a valid value for the first possibility
-		"other_sans": "1.3.6.1.4.1.311.20.2.3;UTF8:devop@nope.com",
-	})
-	if err == nil {
-		t.Fatal("expected error")
-	}
-
-	_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
-		"common_name": "foobar.com",
-		"ip_sans":     "1.2.3.4",
-		"alt_names":   "foo.foobar.com,bar.foobar.com",
-		"ttl":         "1h",
-		// Not a valid OID for the first possibility
-		"other_sans": "1.3.6.1.4.1.311.20.2.5;UTF8:devops@nope.com",
-	})
-	if err == nil {
-		t.Fatal("expected error")
-	}
-
-	_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
-		"common_name": "foobar.com",
-		"ip_sans":     "1.2.3.4",
-		"alt_names":   "foo.foobar.com,bar.foobar.com",
-		"ttl":         "1h",
-		// Not a valid name for the second possibility
-		"other_sans": "1.3.6.1.4.1.311.20.2.4;UTF8:d34g@foobar.com",
-	})
-	if err == nil {
-		t.Fatal("expected error")
-	}
-
-	_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
-		"common_name": "foobar.com",
-		"ip_sans":     "1.2.3.4",
-		"alt_names":   "foo.foobar.com,bar.foobar.com",
-		"ttl":         "1h",
-		// Not a valid OID for the second possibility
-		"other_sans": "1.3.6.1.4.1.311.20.2.5;UTF8:d34e@foobar.com",
-	})
-	if err == nil {
-		t.Fatal("expected error")
-	}
-
-	_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
-		"common_name": "foobar.com",
-		"ip_sans":     "1.2.3.4",
-		"alt_names":   "foo.foobar.com,bar.foobar.com",
-		"ttl":         "1h",
-		// Not a valid type
-		"other_sans": "1.3.6.1.4.1.311.20.2.5;UTF2:d34e@foobar.com",
-	})
-	if err == nil {
-		t.Fatal("expected error")
-	}
-
-	// Valid for first possibility
-	resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
-		"common_name": "foobar.com",
-		"ip_sans":     "1.2.3.4",
-		"alt_names":   "foo.foobar.com,bar.foobar.com",
-		"ttl":         "1h",
-		"other_sans":  "1.3.6.1.4.1.311.20.2.3;utf8:devops@nope.com",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	certStr = resp.Data["certificate"].(string)
-	block, _ = pem.Decode([]byte(certStr))
-	cert, err = x509.ParseCertificate(block.Bytes)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if cert.IPAddresses[0].String() != "1.2.3.4" {
-		t.Fatalf("unexpected IP SAN %q", cert.IPAddresses[0].String())
-	}
-	if len(cert.DNSNames) != 3 ||
-		cert.DNSNames[0] != "bar.foobar.com" ||
-		cert.DNSNames[1] != "foo.foobar.com" ||
-		cert.DNSNames[2] != "foobar.com" {
-		t.Fatalf("unexpected DNS SANs %v", cert.DNSNames)
-	}
-	if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
-		t.Logf("certificate 1 to check:\n%s", certStr)
-	}
-
-	// Valid for second possibility
-	resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
-		"common_name": "foobar.com",
-		"ip_sans":     "1.2.3.4",
-		"alt_names":   "foo.foobar.com,bar.foobar.com",
-		"ttl":         "1h",
-		"other_sans":  "1.3.6.1.4.1.311.20.2.4;UTF8:d234e@foobar.com",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	certStr = resp.Data["certificate"].(string)
-	block, _ = pem.Decode([]byte(certStr))
-	cert, err = x509.ParseCertificate(block.Bytes)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if cert.IPAddresses[0].String() != "1.2.3.4" {
-		t.Fatalf("unexpected IP SAN %q", cert.IPAddresses[0].String())
-	}
-	if len(cert.DNSNames) != 3 ||
-		cert.DNSNames[0] != "bar.foobar.com" ||
-		cert.DNSNames[1] != "foo.foobar.com" ||
-		cert.DNSNames[2] != "foobar.com" {
-		t.Fatalf("unexpected DNS SANs %v", cert.DNSNames)
-	}
-	if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
-		t.Logf("certificate 2 to check:\n%s", certStr)
-	}
-
-	// Valid for both
-	oid1, type1, val1 := "1.3.6.1.4.1.311.20.2.3", "utf8", "devops@nope.com"
-	oid2, type2, val2 := "1.3.6.1.4.1.311.20.2.4", "utf-8", "d234e@foobar.com"
-	otherNames := []string{
-		fmt.Sprintf("%s;%s:%s", oid1, type1, val1),
-		fmt.Sprintf("%s;%s:%s", oid2, type2, val2),
-	}
-	resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
-		"common_name": "foobar.com",
-		"ip_sans":     "1.2.3.4",
-		"alt_names":   "foo.foobar.com,bar.foobar.com",
-		"ttl":         "1h",
-		"other_sans":  strings.Join(otherNames, ","),
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	certStr = resp.Data["certificate"].(string)
-	block, _ = pem.Decode([]byte(certStr))
-	cert, err = x509.ParseCertificate(block.Bytes)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if cert.IPAddresses[0].String() != "1.2.3.4" {
-		t.Fatalf("unexpected IP SAN %q", cert.IPAddresses[0].String())
-	}
-	if len(cert.DNSNames) != 3 ||
-		cert.DNSNames[0] != "bar.foobar.com" ||
-		cert.DNSNames[1] != "foo.foobar.com" ||
-		cert.DNSNames[2] != "foobar.com" {
-		t.Fatalf("unexpected DNS SANs %v", cert.DNSNames)
-	}
-	expectedOtherNames := []otherNameUtf8{{oid1, val1}, {oid2, val2}}
-	foundOtherNames, err := getOtherSANsFromX509Extensions(cert.Extensions)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if diff := deep.Equal(expectedOtherNames, foundOtherNames); len(diff) != 0 {
-		t.Errorf("unexpected otherNames: %v", diff)
-	}
-	if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
-		t.Logf("certificate 3 to check:\n%s", certStr)
-	}
-}
-
-func TestBackend_AllowedSerialNumbers(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-
-	var err error
-	var resp *logical.Response
-	var certStr string
-	var block *pem.Block
-	var cert *x509.Certificate
-
-	_, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
-		"ttl":         "40h",
-		"common_name": "myvault.com",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// First test that Serial Numbers are not allowed
-	_, err = CBWrite(b, s, "roles/test", map[string]interface{}{
-		"allow_any_name":    true,
-		"enforce_hostnames": false,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
-		"common_name": "foobar",
-		"ttl":         "1h",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
-		"common_name":   "foobar",
-		"ttl":           "1h",
-		"serial_number": "foobar",
-	})
-	if err == nil {
-		t.Fatal("expected error")
-	}
-
-	// Update the role to allow serial numbers
-	_, err = CBWrite(b, s, "roles/test", map[string]interface{}{
-		"allow_any_name":         true,
-		"enforce_hostnames":      false,
-		"allowed_serial_numbers": "f00*,b4r*",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
-		"common_name": "foobar",
-		"ttl":         "1h",
-		// Not a valid serial number
-		"serial_number": "foobar",
-	})
-	if err == nil {
-		t.Fatal("expected error")
-	}
-
-	// Valid for first possibility
-	resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
-		"common_name":   "foobar",
-		"serial_number": "f00bar",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	certStr = resp.Data["certificate"].(string)
-	block, _ = pem.Decode([]byte(certStr))
-	cert, err = x509.ParseCertificate(block.Bytes)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if cert.Subject.SerialNumber != "f00bar" {
-		t.Fatalf("unexpected Subject SerialNumber %s", cert.Subject.SerialNumber)
-	}
-	if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
-		t.Logf("certificate 1 to check:\n%s", certStr)
-	}
-
-	// Valid for second possibility
-	resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
-		"common_name":   "foobar",
-		"serial_number": "b4rf00",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	certStr = resp.Data["certificate"].(string)
-	block, _ = pem.Decode([]byte(certStr))
-	cert, err = x509.ParseCertificate(block.Bytes)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if cert.Subject.SerialNumber != "b4rf00" {
-		t.Fatalf("unexpected Subject SerialNumber %s", cert.Subject.SerialNumber)
-	}
-	if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
-		t.Logf("certificate 2 to check:\n%s", certStr)
-	}
-}
-
-func TestBackend_URI_SANs(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-
-	var err error
-
-	_, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
-		"ttl":         "40h",
-		"common_name": "myvault.com",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = CBWrite(b, s, "roles/test", map[string]interface{}{
-		"allowed_domains":    []string{"foobar.com", "zipzap.com"},
-		"allow_bare_domains": true,
-		"allow_subdomains":   true,
-		"allow_ip_sans":      true,
-		"allowed_uri_sans":   []string{"http://someuri/abc", "spiffe://host.com/*"},
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// First test some bad stuff that shouldn't work
-	_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
-		"common_name": "foobar.com",
-		"ip_sans":     "1.2.3.4",
-		"alt_names":   "foo.foobar.com,bar.foobar.com",
-		"ttl":         "1h",
-		"uri_sans":    "http://www.mydomain.com/zxf",
-	})
-	if err == nil {
-		t.Fatal("expected error")
-	}
-
-	// Test valid single entry
-	_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
-		"common_name": "foobar.com",
-		"ip_sans":     "1.2.3.4",
-		"alt_names":   "foo.foobar.com,bar.foobar.com",
-		"ttl":         "1h",
-		"uri_sans":    "http://someuri/abc",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Test globed entry
-	_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
-		"common_name": "foobar.com",
-		"ip_sans":     "1.2.3.4",
-		"alt_names":   "foo.foobar.com,bar.foobar.com",
-		"ttl":         "1h",
-		"uri_sans":    "spiffe://host.com/something",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Test multiple entries
-	resp, err := CBWrite(b, s, "issue/test", map[string]interface{}{
-		"common_name": "foobar.com",
-		"ip_sans":     "1.2.3.4",
-		"alt_names":   "foo.foobar.com,bar.foobar.com",
-		"ttl":         "1h",
-		"uri_sans":    "spiffe://host.com/something,http://someuri/abc",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	certStr := resp.Data["certificate"].(string)
-	block, _ := pem.Decode([]byte(certStr))
-	cert, err := x509.ParseCertificate(block.Bytes)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	URI0, _ := url.Parse("spiffe://host.com/something")
-	URI1, _ := url.Parse("http://someuri/abc")
-
-	if len(cert.URIs) != 2 {
-		t.Fatalf("expected 2 valid URIs SANs %v", cert.URIs)
-	}
-
-	if cert.URIs[0].String() != URI0.String() || cert.URIs[1].String() != URI1.String() {
-		t.Fatalf(
-			"expected URIs SANs %v to equal provided values spiffe://host.com/something, http://someuri/abc",
-			cert.URIs)
-	}
-}
-
-func TestBackend_AllowedURISANsTemplate(t *testing.T) {
-	t.Parallel()
-	coreConfig := &vault.CoreConfig{
-		CredentialBackends: map[string]logical.Factory{
-			"userpass": userpass.Factory,
-		},
-		LogicalBackends: map[string]logical.Factory{
-			"pki": Factory,
-		},
-	}
-	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
-		HandlerFunc: vaulthttp.Handler,
-	})
-	cluster.Start()
-	defer cluster.Cleanup()
-	client := cluster.Cores[0].Client
-
-	// Write test policy for userpass auth method.
-	err := client.Sys().PutPolicy("test", `
-   path "pki/*" {
-     capabilities = ["update"]
-   }`)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Enable userpass auth method.
-	if err := client.Sys().EnableAuth("userpass", "userpass", ""); err != nil {
-		t.Fatal(err)
-	}
-
-	// Configure test role for userpass.
-	if _, err := client.Logical().Write("auth/userpass/users/userpassname", map[string]interface{}{
-		"password": "test",
-		"policies": "test",
-	}); err != nil {
-		t.Fatal(err)
-	}
-
-	// Login userpass for test role and keep client token.
-	secret, err := client.Logical().Write("auth/userpass/login/userpassname", map[string]interface{}{
-		"password": "test",
-	})
-	if err != nil || secret == nil {
-		t.Fatal(err)
-	}
-	userpassToken := secret.Auth.ClientToken
-
-	// Get auth accessor for identity template.
-	auths, err := client.Sys().ListAuth()
-	if err != nil {
-		t.Fatal(err)
-	}
-	userpassAccessor := auths["userpass/"].Accessor
-
-	// Mount PKI.
-	err = client.Sys().Mount("pki", &api.MountInput{
-		Type: "pki",
-		Config: api.MountConfigInput{
-			DefaultLeaseTTL: "16h",
-			MaxLeaseTTL:     "60h",
-		},
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Generate internal CA.
-	_, err = client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
-		"ttl":         "40h",
-		"common_name": "myvault.com",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Write role PKI.
-	_, err = client.Logical().Write("pki/roles/test", map[string]interface{}{
-		"allowed_uri_sans": []string{
-			"spiffe://domain/{{identity.entity.aliases." + userpassAccessor + ".name}}",
-			"spiffe://domain/{{identity.entity.aliases." + userpassAccessor + ".name}}/*", "spiffe://domain/foo",
-		},
-		"allowed_uri_sans_template": true,
-		"require_cn":                false,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Issue certificate with identity templating
-	client.SetToken(userpassToken)
-	_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"uri_sans": "spiffe://domain/userpassname, spiffe://domain/foo"})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Issue certificate with identity templating and glob
-	client.SetToken(userpassToken)
-	_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"uri_sans": "spiffe://domain/userpassname/bar"})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Issue certificate with non-matching identity template parameter
-	client.SetToken(userpassToken)
-	_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"uri_sans": "spiffe://domain/unknownuser"})
-	if err == nil {
-		t.Fatal(err)
-	}
-
-	// Set allowed_uri_sans_template to false.
-	_, err = client.Logical().Write("pki/roles/test", map[string]interface{}{
-		"allowed_uri_sans_template": false,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Issue certificate with userpassToken.
-	_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"uri_sans": "spiffe://domain/users/userpassname"})
-	if err == nil {
-		t.Fatal("expected error")
-	}
-}
-
-func TestBackend_AllowedDomainsTemplate(t *testing.T) {
-	t.Parallel()
-	coreConfig := &vault.CoreConfig{
-		CredentialBackends: map[string]logical.Factory{
-			"userpass": userpass.Factory,
-		},
-		LogicalBackends: map[string]logical.Factory{
-			"pki": Factory,
-		},
-	}
-	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
-		HandlerFunc: vaulthttp.Handler,
-	})
-	cluster.Start()
-	defer cluster.Cleanup()
-	client := cluster.Cores[0].Client
-
-	// Write test policy for userpass auth method.
-	err := client.Sys().PutPolicy("test", `
-   path "pki/*" {  
-     capabilities = ["update"]
-   }`)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Enable userpass auth method.
-	if err := client.Sys().EnableAuth("userpass", "userpass", ""); err != nil {
-		t.Fatal(err)
-	}
-
-	// Configure test role for userpass.
-	if _, err := client.Logical().Write("auth/userpass/users/userpassname", map[string]interface{}{
-		"password": "test",
-		"policies": "test",
-	}); err != nil {
-		t.Fatal(err)
-	}
-
-	// Login userpass for test role and set client token
-	userpassAuth, err := auth.NewUserpassAuth("userpassname", &auth.Password{FromString: "test"})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Get auth accessor for identity template.
-	auths, err := client.Sys().ListAuth()
-	if err != nil {
-		t.Fatal(err)
-	}
-	userpassAccessor := auths["userpass/"].Accessor
-
-	// Mount PKI.
-	err = client.Sys().Mount("pki", &api.MountInput{
-		Type: "pki",
-		Config: api.MountConfigInput{
-			DefaultLeaseTTL: "16h",
-			MaxLeaseTTL:     "60h",
-		},
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Generate internal CA.
-	_, err = client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
-		"ttl":         "40h",
-		"common_name": "myvault.com",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Write role PKI.
-	_, err = client.Logical().Write("pki/roles/test", map[string]interface{}{
-		"allowed_domains": []string{
-			"foobar.com", "zipzap.com", "{{identity.entity.aliases." + userpassAccessor + ".name}}",
-			"foo.{{identity.entity.aliases." + userpassAccessor + ".name}}.example.com",
-		},
-		"allowed_domains_template": true,
-		"allow_bare_domains":       true,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Issue certificate with userpassToken.
-	secret, err := client.Auth().Login(context.TODO(), userpassAuth)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if err != nil || secret == nil {
-		t.Fatal(err)
-	}
-	_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"common_name": "userpassname"})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Issue certificate for foobar.com to verify allowed_domain_template doesn't break plain domains.
-	_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"common_name": "foobar.com"})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Issue certificate for unknown userpassname.
-	_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"common_name": "unknownuserpassname"})
-	if err == nil {
-		t.Fatal("expected error")
-	}
-
-	// Issue certificate for foo.userpassname.domain.
-	_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"common_name": "foo.userpassname.example.com"})
-	if err != nil {
-		t.Fatal("expected error")
-	}
-
-	// Set allowed_domains_template to false.
-	_, err = client.Logical().Write("pki/roles/test", map[string]interface{}{
-		"allowed_domains_template": false,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Issue certificate with userpassToken.
-	_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"common_name": "userpassname"})
-	if err == nil {
-		t.Fatal("expected error")
-	}
-}
-
-func TestReadWriteDeleteRoles(t *testing.T) {
-	t.Parallel()
-	ctx := context.Background()
-	coreConfig := &vault.CoreConfig{
-		CredentialBackends: map[string]logical.Factory{
-			"userpass": userpass.Factory,
-		},
-		LogicalBackends: map[string]logical.Factory{
-			"pki": Factory,
-		},
-	}
-	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
-		HandlerFunc: vaulthttp.Handler,
-	})
-	cluster.Start()
-	defer cluster.Cleanup()
-	client := cluster.Cores[0].Client
-
-	// Mount PKI.
-	err := client.Sys().MountWithContext(ctx, "pki", &api.MountInput{
-		Type: "pki",
-		Config: api.MountConfigInput{
-			DefaultLeaseTTL: "16h",
-			MaxLeaseTTL:     "60h",
-		},
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	resp, err := client.Logical().ReadWithContext(ctx, "pki/roles/test")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if resp != nil {
-		t.Fatalf("response should have been emtpy but was:\n%#v", resp)
-	}
-
-	// Write role PKI.
-	_, err = client.Logical().WriteWithContext(ctx, "pki/roles/test", map[string]interface{}{})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Read the role.
-	resp, err = client.Logical().ReadWithContext(ctx, "pki/roles/test")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if resp.Data == nil {
-		t.Fatal("default data within response was nil when it should have contained data")
-	}
-
-	// Validate that we have not changed any defaults unknowingly
-	expectedData := map[string]interface{}{
-		"key_type":                           "rsa",
-		"use_csr_sans":                       true,
-		"client_flag":                        true,
-		"allowed_serial_numbers":             []interface{}{},
-		"generate_lease":                     false,
-		"signature_bits":                     json.Number("256"),
-		"use_pss":                            false,
-		"allowed_domains":                    []interface{}{},
-		"allowed_uri_sans_template":          false,
-		"enforce_hostnames":                  true,
-		"policy_identifiers":                 []interface{}{},
-		"require_cn":                         true,
-		"allowed_domains_template":           false,
-		"allow_token_displayname":            false,
-		"country":                            []interface{}{},
-		"not_after":                          "",
-		"postal_code":                        []interface{}{},
-		"use_csr_common_name":                true,
-		"allow_localhost":                    true,
-		"allow_subdomains":                   false,
-		"allow_wildcard_certificates":        true,
-		"allowed_other_sans":                 []interface{}{},
-		"allowed_uri_sans":                   []interface{}{},
-		"basic_constraints_valid_for_non_ca": false,
-		"key_usage":                          []interface{}{"DigitalSignature", "KeyAgreement", "KeyEncipherment"},
-		"not_before_duration":                json.Number("30"),
-		"allow_glob_domains":                 false,
-		"ttl":                                json.Number("0"),
-		"ou":                                 []interface{}{},
-		"email_protection_flag":              false,
-		"locality":                           []interface{}{},
-		"server_flag":                        true,
-		"allow_bare_domains":                 false,
-		"allow_ip_sans":                      true,
-		"ext_key_usage_oids":                 []interface{}{},
-		"allow_any_name":                     false,
-		"ext_key_usage":                      []interface{}{},
-		"key_bits":                           json.Number("2048"),
-		"max_ttl":                            json.Number("0"),
-		"no_store":                           false,
-		"organization":                       []interface{}{},
-		"province":                           []interface{}{},
-		"street_address":                     []interface{}{},
-		"code_signing_flag":                  false,
-		"issuer_ref":                         "default",
-		"cn_validations":                     []interface{}{"email", "hostname"},
-		"allowed_user_ids":                   []interface{}{},
-	}
-
-	if diff := deep.Equal(expectedData, resp.Data); len(diff) > 0 {
-		t.Fatalf("pki role default values have changed, diff: %v", diff)
-	}
-
-	_, err = client.Logical().DeleteWithContext(ctx, "pki/roles/test")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	resp, err = client.Logical().ReadWithContext(ctx, "pki/roles/test")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if resp != nil {
-		t.Fatalf("response should have been empty but was:\n%#v", resp)
-	}
-}
-
-func setCerts() {
-	cak, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		panic(err)
-	}
-	marshaledKey, err := x509.MarshalECPrivateKey(cak)
-	if err != nil {
-		panic(err)
-	}
-	keyPEMBlock := &pem.Block{
-		Type:  "EC PRIVATE KEY",
-		Bytes: marshaledKey,
-	}
-	ecCAKey = strings.TrimSpace(string(pem.EncodeToMemory(keyPEMBlock)))
-	if err != nil {
-		panic(err)
-	}
-	subjKeyID, err := certutil.GetSubjKeyID(cak)
-	if err != nil {
-		panic(err)
-	}
-	caCertTemplate := &x509.Certificate{
-		Subject: pkix.Name{
-			CommonName: "root.localhost",
-		},
-		SubjectKeyId:          subjKeyID,
-		DNSNames:              []string{"root.localhost"},
-		KeyUsage:              x509.KeyUsage(x509.KeyUsageCertSign | x509.KeyUsageCRLSign),
-		SerialNumber:          big.NewInt(mathrand.Int63()),
-		NotAfter:              time.Now().Add(262980 * time.Hour),
-		BasicConstraintsValid: true,
-		IsCA:                  true,
-	}
-	caBytes, err := x509.CreateCertificate(rand.Reader, caCertTemplate, caCertTemplate, cak.Public(), cak)
-	if err != nil {
-		panic(err)
-	}
-	caCertPEMBlock := &pem.Block{
-		Type:  "CERTIFICATE",
-		Bytes: caBytes,
-	}
-	ecCACert = strings.TrimSpace(string(pem.EncodeToMemory(caCertPEMBlock)))
-
-	rak, err := rsa.GenerateKey(rand.Reader, 2048)
-	if err != nil {
-		panic(err)
-	}
-	marshaledKey = x509.MarshalPKCS1PrivateKey(rak)
-	keyPEMBlock = &pem.Block{
-		Type:  "RSA PRIVATE KEY",
-		Bytes: marshaledKey,
-	}
-	rsaCAKey = strings.TrimSpace(string(pem.EncodeToMemory(keyPEMBlock)))
-	if err != nil {
-		panic(err)
-	}
-	_, err = certutil.GetSubjKeyID(rak)
-	if err != nil {
-		panic(err)
-	}
-	caBytes, err = x509.CreateCertificate(rand.Reader, caCertTemplate, caCertTemplate, rak.Public(), rak)
-	if err != nil {
-		panic(err)
-	}
-	caCertPEMBlock = &pem.Block{
-		Type:  "CERTIFICATE",
-		Bytes: caBytes,
-	}
-	rsaCACert = strings.TrimSpace(string(pem.EncodeToMemory(caCertPEMBlock)))
-
-	_, edk, err := ed25519.GenerateKey(rand.Reader)
-	if err != nil {
-		panic(err)
-	}
-	marshaledKey, err = x509.MarshalPKCS8PrivateKey(edk)
-	if err != nil {
-		panic(err)
-	}
-	keyPEMBlock = &pem.Block{
-		Type:  "PRIVATE KEY",
-		Bytes: marshaledKey,
-	}
-	edCAKey = strings.TrimSpace(string(pem.EncodeToMemory(keyPEMBlock)))
-	if err != nil {
-		panic(err)
-	}
-	_, err = certutil.GetSubjKeyID(edk)
-	if err != nil {
-		panic(err)
-	}
-	caBytes, err = x509.CreateCertificate(rand.Reader, caCertTemplate, caCertTemplate, edk.Public(), edk)
-	if err != nil {
-		panic(err)
-	}
-	caCertPEMBlock = &pem.Block{
-		Type:  "CERTIFICATE",
-		Bytes: caBytes,
-	}
-	edCACert = strings.TrimSpace(string(pem.EncodeToMemory(caCertPEMBlock)))
-}
-
-func TestBackend_RevokePlusTidy_Intermediate(t *testing.T) {
-	// Use a ridiculously long time to minimize the chance
-	// that we have to deal with more than one interval.
-	// InMemSink rounds down to an interval boundary rather than
-	// starting one at the time of initialization.
-	//
-	// This test is not parallelizable.
-	inmemSink := metrics.NewInmemSink(
-		1000000*time.Hour,
-		2000000*time.Hour)
-
-	metricsConf := metrics.DefaultConfig("")
-	metricsConf.EnableHostname = false
-	metricsConf.EnableHostnameLabel = false
-	metricsConf.EnableServiceLabel = false
-	metricsConf.EnableTypePrefix = false
-
-	_, err := metrics.NewGlobal(metricsConf, inmemSink)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Enable PKI secret engine
-	coreConfig := &vault.CoreConfig{
-		LogicalBackends: map[string]logical.Factory{
-			"pki": Factory,
-		},
-	}
-	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
-		HandlerFunc: vaulthttp.Handler,
-	})
-	cluster.Start()
-	defer cluster.Cleanup()
-	cores := cluster.Cores
-	vault.TestWaitActive(t, cores[0].Core)
-	client := cores[0].Client
-
-	// Mount /pki as a root CA
-	err = client.Sys().Mount("pki", &api.MountInput{
-		Type: "pki",
-		Config: api.MountConfigInput{
-			DefaultLeaseTTL: "16h",
-			MaxLeaseTTL:     "32h",
-		},
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Set up Metric Configuration, then restart to enable it
-	_, err = client.Logical().Write("pki/config/auto-tidy", map[string]interface{}{
-		"maintain_stored_certificate_counts":       true,
-		"publish_stored_certificate_count_metrics": true,
-	})
-	_, err = client.Logical().Write("/sys/plugins/reload/backend", map[string]interface{}{
-		"mounts": "pki/",
-	})
-
-	// Check the metrics initialized in order to calculate backendUUID for /pki
-	// BackendUUID not consistent during tests with UUID from /sys/mounts/pki
-	metricsSuffix := "total_certificates_stored"
-	backendUUID := ""
-	mostRecentInterval := inmemSink.Data()[len(inmemSink.Data())-1]
-	for _, existingGauge := range mostRecentInterval.Gauges {
-		if strings.HasSuffix(existingGauge.Name, metricsSuffix) {
-			expandedGaugeName := existingGauge.Name
-			backendUUID = strings.Split(expandedGaugeName, ".")[2]
-			break
-		}
-	}
-	if backendUUID == "" {
-		t.Fatalf("No Gauge Found ending with %s", metricsSuffix)
-	}
-
-	// Set the cluster's certificate as the root CA in /pki
-	pemBundleRootCA := string(cluster.CACertPEM) + string(cluster.CAKeyPEM)
-	_, err = client.Logical().Write("pki/config/ca", map[string]interface{}{
-		"pem_bundle": pemBundleRootCA,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Mount /pki2 to operate as an intermediate CA
-	err = client.Sys().Mount("pki2", &api.MountInput{
-		Type: "pki",
-		Config: api.MountConfigInput{
-			DefaultLeaseTTL: "16h",
-			MaxLeaseTTL:     "32h",
-		},
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	// Set up Metric Configuration, then restart to enable it
-	_, err = client.Logical().Write("pki2/config/auto-tidy", map[string]interface{}{
-		"maintain_stored_certificate_counts":       true,
-		"publish_stored_certificate_count_metrics": true,
-	})
-	_, err = client.Logical().Write("/sys/plugins/reload/backend", map[string]interface{}{
-		"mounts": "pki2/",
-	})
-
-	// Create a CSR for the intermediate CA
-	secret, err := client.Logical().Write("pki2/intermediate/generate/internal", nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	intermediateCSR := secret.Data["csr"].(string)
-
-	// Sign the intermediate CSR using /pki
-	secret, err = client.Logical().Write("pki/root/sign-intermediate", map[string]interface{}{
-		"permitted_dns_domains": ".myvault.com",
-		"csr":                   intermediateCSR,
-		"ttl":                   "10s",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	intermediateCertSerial := secret.Data["serial_number"].(string)
-	intermediateCASerialColon := strings.ReplaceAll(strings.ToLower(intermediateCertSerial), ":", "-")
-
-	// Get the intermediate cert after signing
-	secret, err = client.Logical().Read("pki/cert/" + intermediateCASerialColon)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if secret == nil || len(secret.Data) == 0 || len(secret.Data["certificate"].(string)) == 0 {
-		t.Fatal("expected certificate information from read operation")
-	}
-
-	// Issue a revoke on on /pki
-	_, err = client.Logical().Write("pki/revoke", map[string]interface{}{
-		"serial_number": intermediateCertSerial,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Check the cert-count metrics
-	expectedCertCountGaugeMetrics := map[string]float32{
-		"secrets.pki." + backendUUID + ".total_revoked_certificates_stored": 1,
-		"secrets.pki." + backendUUID + ".total_certificates_stored":         1,
-	}
-	mostRecentInterval = inmemSink.Data()[len(inmemSink.Data())-1]
-	for gauge, value := range expectedCertCountGaugeMetrics {
-		if _, ok := mostRecentInterval.Gauges[gauge]; !ok {
-			t.Fatalf("Expected metrics to include a value for gauge %s", gauge)
-		}
-		if value != mostRecentInterval.Gauges[gauge].Value {
-			t.Fatalf("Expected value metric %s to be %f but got %f", gauge, value, mostRecentInterval.Gauges[gauge].Value)
-		}
-	}
-
-	// Revoke adds a fixed 2s buffer, so we sleep for a bit longer to ensure
-	// the revocation time is past the current time.
-	time.Sleep(3 * time.Second)
-
-	// Issue a tidy on /pki
-	_, err = client.Logical().Write("pki/tidy", map[string]interface{}{
-		"tidy_cert_store":    true,
-		"tidy_revoked_certs": true,
-		"safety_buffer":      "1s",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Sleep a bit to make sure we're past the safety buffer
-	time.Sleep(2 * time.Second)
-
-	// Get CRL and ensure the tidied cert is still in the list after the tidy
-	// operation since it's not past the NotAfter (ttl) value yet.
-	crl := getParsedCrl(t, client, "pki")
-
-	revokedCerts := crl.TBSCertList.RevokedCertificates
-	if len(revokedCerts) == 0 {
-		t.Fatal("expected CRL to be non-empty")
-	}
-
-	sn := certutil.GetHexFormatted(revokedCerts[0].SerialNumber.Bytes(), ":")
-	if sn != intermediateCertSerial {
-		t.Fatalf("expected: %v, got: %v", intermediateCertSerial, sn)
-	}
-
-	// Wait for cert to expire
-	time.Sleep(10 * time.Second)
-
-	// Issue a tidy on /pki
-	_, err = client.Logical().Write("pki/tidy", map[string]interface{}{
-		"tidy_cert_store":    true,
-		"tidy_revoked_certs": true,
-		"safety_buffer":      "1s",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Sleep a bit to make sure we're past the safety buffer
-	time.Sleep(2 * time.Second)
-
-	// Issue a tidy-status on /pki
-	{
-		tidyStatus, err := client.Logical().Read("pki/tidy-status")
-		if err != nil {
-			t.Fatal(err)
-		}
-		expectedData := map[string]interface{}{
-			"safety_buffer":                         json.Number("1"),
-			"issuer_safety_buffer":                  json.Number("31536000"),
-			"revocation_queue_safety_buffer":        json.Number("172800"),
-			"tidy_cert_store":                       true,
-			"tidy_revoked_certs":                    true,
-			"tidy_revoked_cert_issuer_associations": false,
-			"tidy_expired_issuers":                  false,
-			"tidy_move_legacy_ca_bundle":            false,
-			"tidy_revocation_queue":                 false,
-			"tidy_cross_cluster_revoked_certs":      false,
-			"pause_duration":                        "0s",
-			"state":                                 "Finished",
-			"error":                                 nil,
-			"time_started":                          nil,
-			"time_finished":                         nil,
-			"last_auto_tidy_finished":               nil,
-			"message":                               nil,
-			"cert_store_deleted_count":              json.Number("1"),
-			"revoked_cert_deleted_count":            json.Number("1"),
-			"missing_issuer_cert_count":             json.Number("0"),
-			"current_cert_store_count":              json.Number("0"),
-			"current_revoked_cert_count":            json.Number("0"),
-			"revocation_queue_deleted_count":        json.Number("0"),
-			"cross_revoked_cert_deleted_count":      json.Number("0"),
-			"internal_backend_uuid":                 backendUUID,
-			"tidy_acme":                             false,
-			"acme_account_safety_buffer":            json.Number("2592000"),
-			"acme_orders_deleted_count":             json.Number("0"),
-			"acme_account_revoked_count":            json.Number("0"),
-			"acme_account_deleted_count":            json.Number("0"),
-			"total_acme_account_count":              json.Number("0"),
-		}
-		// Let's copy the times from the response so that we can use deep.Equal()
-		timeStarted, ok := tidyStatus.Data["time_started"]
-		if !ok || timeStarted == "" {
-			t.Fatal("Expected tidy status response to include a value for time_started")
-		}
-		expectedData["time_started"] = timeStarted
-		timeFinished, ok := tidyStatus.Data["time_finished"]
-		if !ok || timeFinished == "" {
-			t.Fatal("Expected tidy status response to include a value for time_finished")
-		}
-		expectedData["time_finished"] = timeFinished
-		expectedData["last_auto_tidy_finished"] = tidyStatus.Data["last_auto_tidy_finished"]
-
-		if diff := deep.Equal(expectedData, tidyStatus.Data); diff != nil {
-			t.Fatal(diff)
-		}
-	}
-	// Check the tidy metrics
-	{
-		// Map of gauges to expected value
-		expectedGauges := map[string]float32{
-			"secrets.pki.tidy.cert_store_current_entry":                         0,
-			"secrets.pki.tidy.cert_store_total_entries":                         1,
-			"secrets.pki.tidy.revoked_cert_current_entry":                       0,
-			"secrets.pki.tidy.revoked_cert_total_entries":                       1,
-			"secrets.pki.tidy.start_time_epoch":                                 0,
-			"secrets.pki." + backendUUID + ".total_certificates_stored":         0,
-			"secrets.pki." + backendUUID + ".total_revoked_certificates_stored": 0,
-			"secrets.pki.tidy.cert_store_total_entries_remaining":               0,
-			"secrets.pki.tidy.revoked_cert_total_entries_remaining":             0,
-		}
-		// Map of counters to the sum of the metrics for that counter
-		expectedCounters := map[string]float64{
-			"secrets.pki.tidy.cert_store_deleted_count":   1,
-			"secrets.pki.tidy.revoked_cert_deleted_count": 1,
-			"secrets.pki.tidy.success":                    2,
-			// Note that "secrets.pki.tidy.failure" won't be in the captured metrics
-		}
-
-		// If the metrics span more than one interval, skip the checks
-		intervals := inmemSink.Data()
-		if len(intervals) == 1 {
-			interval := inmemSink.Data()[0]
-
-			for gauge, value := range expectedGauges {
-				if _, ok := interval.Gauges[gauge]; !ok {
-					t.Fatalf("Expected metrics to include a value for gauge %s", gauge)
-				}
-				if value != interval.Gauges[gauge].Value {
-					t.Fatalf("Expected value metric %s to be %f but got %f", gauge, value, interval.Gauges[gauge].Value)
-				}
-
-			}
-			for counter, value := range expectedCounters {
-				if _, ok := interval.Counters[counter]; !ok {
-					t.Fatalf("Expected metrics to include a value for couter %s", counter)
-				}
-				if value != interval.Counters[counter].Sum {
-					t.Fatalf("Expected the sum of metric %s to be %f but got %f", counter, value, interval.Counters[counter].Sum)
-				}
-			}
-
-			tidyDuration, ok := interval.Samples["secrets.pki.tidy.duration"]
-			if !ok {
-				t.Fatal("Expected metrics to include a value for sample secrets.pki.tidy.duration")
-			}
-			if tidyDuration.Count <= 0 {
-				t.Fatalf("Expected metrics to have count > 0 for sample secrets.pki.tidy.duration, but got %d", tidyDuration.Count)
-			}
-		}
-	}
-
-	crl = getParsedCrl(t, client, "pki")
-
-	revokedCerts = crl.TBSCertList.RevokedCertificates
-	if len(revokedCerts) != 0 {
-		t.Fatal("expected CRL to be empty")
-	}
-}
-
-func TestBackend_Root_FullCAChain(t *testing.T) {
-	t.Parallel()
-	testCases := []struct {
-		testName string
-		keyType  string
-	}{
-		{testName: "RSA", keyType: "rsa"},
-		{testName: "ED25519", keyType: "ed25519"},
-		{testName: "EC", keyType: "ec"},
-	}
-	for _, tc := range testCases {
-		tc := tc
-		t.Run(tc.testName, func(t *testing.T) {
-			runFullCAChainTest(t, tc.keyType)
-		})
-	}
-}
-
-func runFullCAChainTest(t *testing.T, keyType string) {
-	// Generate a root CA at /pki-root
-	b_root, s_root := CreateBackendWithStorage(t)
-
-	var err error
-
-	resp, err := CBWrite(b_root, s_root, "root/generate/exported", map[string]interface{}{
-		"common_name": "root myvault.com",
-		"key_type":    keyType,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp == nil {
-		t.Fatal("expected ca info")
-	}
-	rootData := resp.Data
-	rootCert := rootData["certificate"].(string)
-
-	// Validate that root's /cert/ca-chain now contains the certificate.
-	resp, err = CBRead(b_root, s_root, "cert/ca_chain")
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp == nil {
-		t.Fatal("expected intermediate chain information")
-	}
-
-	fullChain := resp.Data["ca_chain"].(string)
-	requireCertInCaChainString(t, fullChain, rootCert, "expected root cert within root cert/ca_chain")
-
-	// Make sure when we issue a leaf certificate we get the full chain back.
-	_, err = CBWrite(b_root, s_root, "roles/example", map[string]interface{}{
-		"allowed_domains":  "example.com",
-		"allow_subdomains": "true",
-		"max_ttl":          "1h",
-	})
-	require.NoError(t, err, "error setting up pki root role: %v", err)
-
-	resp, err = CBWrite(b_root, s_root, "issue/example", map[string]interface{}{
-		"common_name": "test.example.com",
-		"ttl":         "5m",
-	})
-	require.NoError(t, err, "error issuing certificate from pki root: %v", err)
-	fullChainArray := resp.Data["ca_chain"].([]string)
-	requireCertInCaChainArray(t, fullChainArray, rootCert, "expected root cert within root issuance pki-root/issue/example")
-
-	// Now generate an intermediate at /pki-intermediate, signed by the root.
-	b_int, s_int := CreateBackendWithStorage(t)
-
-	resp, err = CBWrite(b_int, s_int, "intermediate/generate/exported", map[string]interface{}{
-		"common_name": "intermediate myvault.com",
-		"key_type":    keyType,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp == nil {
-		t.Fatal("expected intermediate CSR info")
-	}
-	intermediateData := resp.Data
-	intermediateKey := intermediateData["private_key"].(string)
-
-	resp, err = CBWrite(b_root, s_root, "root/sign-intermediate", map[string]interface{}{
-		"csr":    intermediateData["csr"],
-		"format": "pem",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp == nil {
-		t.Fatal("expected signed intermediate info")
-	}
-	intermediateSignedData := resp.Data
-	intermediateCert := intermediateSignedData["certificate"].(string)
-
-	rootCaCert := parseCert(t, rootCert)
-	intermediaryCaCert := parseCert(t, intermediateCert)
-	requireSignedBy(t, intermediaryCaCert, rootCaCert)
-	intermediateCaChain := intermediateSignedData["ca_chain"].([]string)
-
-	require.Equal(t, parseCert(t, intermediateCaChain[0]), intermediaryCaCert, "intermediate signed cert should have been part of ca_chain")
-	require.Equal(t, parseCert(t, intermediateCaChain[1]), rootCaCert, "root cert should have been part of ca_chain")
-
-	_, err = CBWrite(b_int, s_int, "intermediate/set-signed", map[string]interface{}{
-		"certificate": intermediateCert + "\n" + rootCert + "\n",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Validate that intermediate's ca_chain field now includes the full
-	// chain.
-	resp, err = CBRead(b_int, s_int, "cert/ca_chain")
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp == nil {
-		t.Fatal("expected intermediate chain information")
-	}
-
-	// Verify we have a proper CRL now
-	crl := getParsedCrlFromBackend(t, b_int, s_int, "crl")
-	require.Equal(t, 0, len(crl.TBSCertList.RevokedCertificates))
-
-	fullChain = resp.Data["ca_chain"].(string)
-	requireCertInCaChainString(t, fullChain, intermediateCert, "expected full chain to contain intermediate certificate from pki-intermediate/cert/ca_chain")
-	requireCertInCaChainString(t, fullChain, rootCert, "expected full chain to contain root certificate from pki-intermediate/cert/ca_chain")
-
-	// Make sure when we issue a leaf certificate we get the full chain back.
-	_, err = CBWrite(b_int, s_int, "roles/example", map[string]interface{}{
-		"allowed_domains":  "example.com",
-		"allow_subdomains": "true",
-		"max_ttl":          "1h",
-	})
-	require.NoError(t, err, "error setting up pki intermediate role: %v", err)
-
-	resp, err = CBWrite(b_int, s_int, "issue/example", map[string]interface{}{
-		"common_name": "test.example.com",
-		"ttl":         "5m",
-	})
-	require.NoError(t, err, "error issuing certificate from pki intermediate: %v", err)
-	fullChainArray = resp.Data["ca_chain"].([]string)
-	requireCertInCaChainArray(t, fullChainArray, intermediateCert, "expected full chain to contain intermediate certificate from pki-intermediate/issue/example")
-	requireCertInCaChainArray(t, fullChainArray, rootCert, "expected full chain to contain root certificate from pki-intermediate/issue/example")
-
-	// Finally, import this signing cert chain into a new mount to ensure
-	// "external" CAs behave as expected.
-	b_ext, s_ext := CreateBackendWithStorage(t)
-
-	_, err = CBWrite(b_ext, s_ext, "config/ca", map[string]interface{}{
-		"pem_bundle": intermediateKey + "\n" + intermediateCert + "\n" + rootCert + "\n",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Validate the external chain information was loaded correctly.
-	resp, err = CBRead(b_ext, s_ext, "cert/ca_chain")
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp == nil {
-		t.Fatal("expected intermediate chain information")
-	}
-
-	fullChain = resp.Data["ca_chain"].(string)
-	if strings.Count(fullChain, intermediateCert) != 1 {
-		t.Fatalf("expected full chain to contain intermediate certificate; got %v occurrences", strings.Count(fullChain, intermediateCert))
-	}
-	if strings.Count(fullChain, rootCert) != 1 {
-		t.Fatalf("expected full chain to contain root certificate; got %v occurrences", strings.Count(fullChain, rootCert))
-	}
-
-	// Now issue a short-lived certificate from our pki-external.
-	_, err = CBWrite(b_ext, s_ext, "roles/example", map[string]interface{}{
-		"allowed_domains":  "example.com",
-		"allow_subdomains": "true",
-		"max_ttl":          "1h",
-	})
-	require.NoError(t, err, "error setting up pki role: %v", err)
-
-	resp, err = CBWrite(b_ext, s_ext, "issue/example", map[string]interface{}{
-		"common_name": "test.example.com",
-		"ttl":         "5m",
-	})
-	require.NoError(t, err, "error issuing certificate: %v", err)
-	require.NotNil(t, resp, "got nil response from issuing request")
-	issueCrtAsPem := resp.Data["certificate"].(string)
-	issuedCrt := parseCert(t, issueCrtAsPem)
-
-	// Verify that the certificates are signed by the intermediary CA key...
-	requireSignedBy(t, issuedCrt, intermediaryCaCert)
-
-	// Test that we can request that the root ca certificate not appear in the ca_chain field
-	resp, err = CBWrite(b_ext, s_ext, "issue/example", map[string]interface{}{
-		"common_name":             "test.example.com",
-		"ttl":                     "5m",
-		"remove_roots_from_chain": "true",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "error issuing certificate when removing self signed")
-	fullChain = strings.Join(resp.Data["ca_chain"].([]string), "\n")
-	if strings.Count(fullChain, intermediateCert) != 1 {
-		t.Fatalf("expected full chain to contain intermediate certificate; got %v occurrences", strings.Count(fullChain, intermediateCert))
-	}
-	if strings.Count(fullChain, rootCert) != 0 {
-		t.Fatalf("expected full chain to NOT contain root certificate; got %v occurrences", strings.Count(fullChain, rootCert))
-	}
-}
-
-func requireCertInCaChainArray(t *testing.T, chain []string, cert string, msgAndArgs ...interface{}) {
-	var fullChain string
-	for _, caCert := range chain {
-		fullChain = fullChain + "\n" + caCert
-	}
-
-	requireCertInCaChainString(t, fullChain, cert, msgAndArgs)
-}
-
-func requireCertInCaChainString(t *testing.T, chain string, cert string, msgAndArgs ...interface{}) {
-	count := strings.Count(chain, cert)
-	if count != 1 {
-		failMsg := fmt.Sprintf("Found %d occurrances of the cert in the provided chain", count)
-		require.FailNow(t, failMsg, msgAndArgs...)
-	}
-}
-
-type MultiBool int
-
-const (
-	MFalse MultiBool = iota
-	MTrue  MultiBool = iota
-	MAny   MultiBool = iota
-)
-
-func (o MultiBool) ToValues() []bool {
-	if o == MTrue {
-		return []bool{true}
-	}
-
-	if o == MFalse {
-		return []bool{false}
-	}
-
-	if o == MAny {
-		return []bool{true, false}
-	}
-
-	return []bool{}
-}
-
-type IssuanceRegression struct {
-	AllowedDomains            []string
-	AllowBareDomains          MultiBool
-	AllowGlobDomains          MultiBool
-	AllowSubdomains           MultiBool
-	AllowLocalhost            MultiBool
-	AllowWildcardCertificates MultiBool
-	CNValidations             []string
-	CommonName                string
-	Issued                    bool
-}
-
-func RoleIssuanceRegressionHelper(t *testing.T, b *backend, s logical.Storage, index int, test IssuanceRegression) int {
-	tested := 0
-	for _, AllowBareDomains := range test.AllowBareDomains.ToValues() {
-		for _, AllowGlobDomains := range test.AllowGlobDomains.ToValues() {
-			for _, AllowSubdomains := range test.AllowSubdomains.ToValues() {
-				for _, AllowLocalhost := range test.AllowLocalhost.ToValues() {
-					for _, AllowWildcardCertificates := range test.AllowWildcardCertificates.ToValues() {
-						role := fmt.Sprintf("issuance-regression-%d-bare-%v-glob-%v-subdomains-%v-localhost-%v-wildcard-%v", index, AllowBareDomains, AllowGlobDomains, AllowSubdomains, AllowLocalhost, AllowWildcardCertificates)
-						_, err := CBWrite(b, s, "roles/"+role, map[string]interface{}{
-							"allowed_domains":             test.AllowedDomains,
-							"allow_bare_domains":          AllowBareDomains,
-							"allow_glob_domains":          AllowGlobDomains,
-							"allow_subdomains":            AllowSubdomains,
-							"allow_localhost":             AllowLocalhost,
-							"allow_wildcard_certificates": AllowWildcardCertificates,
-							"cn_validations":              test.CNValidations,
-							// TODO: test across this vector as well. Currently certain wildcard
-							// matching is broken with it enabled (such as x*x.foo).
-							"enforce_hostnames": false,
-							"key_type":          "ec",
-							"key_bits":          256,
-							"no_store":          true,
-							// With the CN Validations field, ensure we prevent CN from appearing
-							// in SANs.
-						})
-						if err != nil {
-							t.Fatal(err)
-						}
-
-						resp, err := CBWrite(b, s, "issue/"+role, map[string]interface{}{
-							"common_name":          test.CommonName,
-							"exclude_cn_from_sans": true,
-						})
-
-						haveErr := err != nil || resp == nil
-						expectErr := !test.Issued
-
-						if haveErr != expectErr {
-							t.Fatalf("issuance regression test [%d] failed: haveErr: %v, expectErr: %v, err: %v, resp: %v, test case: %v, role: %v", index, haveErr, expectErr, err, resp, test, role)
-						}
-
-						tested += 1
-					}
-				}
-			}
-		}
-	}
-
-	return tested
-}
-
-func TestBackend_Roles_IssuanceRegression(t *testing.T) {
-	t.Parallel()
-	// Regression testing of role's issuance policy.
-	testCases := []IssuanceRegression{
-		// allowed, bare, glob, subdomains, localhost, wildcards, cn, issued
-
-		// === Globs not allowed but used === //
-		// Allowed contains globs, but globbing not allowed, resulting in all
-		// issuances failing. Note that tests against issuing a wildcard with
-		// a bare domain will be covered later.
-		/*  0 */ {[]string{"*.*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "baz.fud.bar.foo", false},
-		/*  1 */ {[]string{"*.*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "*.fud.bar.foo", false},
-		/*  2 */ {[]string{"*.*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "fud.bar.foo", false},
-		/*  3 */ {[]string{"*.*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "*.bar.foo", false},
-		/*  4 */ {[]string{"*.*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "bar.foo", false},
-		/*  5 */ {[]string{"*.*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "*.foo", false},
-		/*  6 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "foo", false},
-		/*  7 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "baz.fud.bar.foo", false},
-		/*  8 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "*.fud.bar.foo", false},
-		/*  9 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "fud.bar.foo", false},
-		/* 10 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "*.bar.foo", false},
-		/* 11 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "bar.foo", false},
-		/* 12 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "foo", false},
-
-		// === Localhost sanity === //
-		// Localhost forbidden, not matching allowed domains -> not issued
-		/* 13 */ {[]string{"*.*.foo"}, MAny, MAny, MAny, MFalse, MAny, nil, "localhost", false},
-		// Localhost allowed, not matching allowed domains -> issued
-		/* 14 */ {[]string{"*.*.foo"}, MAny, MAny, MAny, MTrue, MAny, nil, "localhost", true},
-		// Localhost allowed via allowed domains (and bare allowed), not by AllowLocalhost -> issued
-		/* 15 */ {[]string{"localhost"}, MTrue, MAny, MAny, MFalse, MAny, nil, "localhost", true},
-		// Localhost allowed via allowed domains (and bare not allowed), not by AllowLocalhost -> not issued
-		/* 16 */ {[]string{"localhost"}, MFalse, MAny, MAny, MFalse, MAny, nil, "localhost", false},
-		// Localhost allowed via allowed domains (but bare not allowed), and by AllowLocalhost -> issued
-		/* 17 */ {[]string{"localhost"}, MFalse, MAny, MAny, MTrue, MAny, nil, "localhost", true},
-
-		// === Bare wildcard issuance == //
-		// allowed_domains contains one or more wildcards and bare domains allowed,
-		// resulting in the cert being issued.
-		/* 18 */ {[]string{"*.foo"}, MTrue, MAny, MAny, MAny, MTrue, nil, "*.foo", true},
-		/* 19 */ {[]string{"*.*.foo"}, MTrue, MAny, MAny, MAny, MAny, nil, "*.*.foo", false}, // Does not conform to RFC 6125
-
-		// === Double Leading Glob Testing === //
-		// Allowed contains globs, but glob allowed so certain matches work.
-		// The value of bare and localhost does not impact these results.
-		/* 20 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "baz.fud.bar.foo", true}, // glob domains allow infinite subdomains
-		/* 21 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MTrue, nil, "*.fud.bar.foo", true}, // glob domain allows wildcard of subdomains
-		/* 22 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "fud.bar.foo", true},
-		/* 23 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MTrue, nil, "*.bar.foo", true}, // Regression fix: Vault#13530
-		/* 24 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "bar.foo", false},
-		/* 25 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "*.foo", false},
-		/* 26 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "foo", false},
-
-		// Allowed contains globs, but glob and subdomain both work, so we expect
-		// wildcard issuance to work as well. The value of bare and localhost does
-		// not impact these results.
-		/* 27 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "baz.fud.bar.foo", true},
-		/* 28 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MTrue, nil, "*.fud.bar.foo", true},
-		/* 29 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "fud.bar.foo", true},
-		/* 30 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MTrue, nil, "*.bar.foo", true}, // Regression fix: Vault#13530
-		/* 31 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "bar.foo", false},
-		/* 32 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "*.foo", false},
-		/* 33 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "foo", false},
-
-		// === Single Leading Glob Testing === //
-		// Allowed contains globs, but glob allowed so certain matches work.
-		// The value of bare and localhost does not impact these results.
-		/* 34 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "baz.fud.bar.foo", true}, // glob domains allow infinite subdomains
-		/* 35 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MTrue, nil, "*.fud.bar.foo", true}, // glob domain allows wildcard of subdomains
-		/* 36 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "fud.bar.foo", true}, // glob domains allow infinite subdomains
-		/* 37 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MTrue, nil, "*.bar.foo", true}, // glob domain allows wildcards of subdomains
-		/* 38 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "bar.foo", true},
-		/* 39 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "foo", false},
-
-		// Allowed contains globs, but glob and subdomain both work, so we expect
-		// wildcard issuance to work as well. The value of bare and localhost does
-		// not impact these results.
-		/* 40 */ {[]string{"*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "baz.fud.bar.foo", true},
-		/* 41 */ {[]string{"*.foo"}, MAny, MTrue, MTrue, MAny, MTrue, nil, "*.fud.bar.foo", true},
-		/* 42 */ {[]string{"*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "fud.bar.foo", true},
-		/* 43 */ {[]string{"*.foo"}, MAny, MTrue, MTrue, MAny, MTrue, nil, "*.bar.foo", true},
-		/* 44 */ {[]string{"*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "bar.foo", true},
-		/* 45 */ {[]string{"*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "foo", false},
-
-		// === Only base domain name === //
-		// Allowed contains only domain components, but subdomains not allowed. This
-		// results in most issuances failing unless we allow bare domains, in which
-		// case only the final issuance for "foo" will succeed.
-		/* 46 */ {[]string{"foo"}, MAny, MAny, MFalse, MAny, MAny, nil, "baz.fud.bar.foo", false},
-		/* 47 */ {[]string{"foo"}, MAny, MAny, MFalse, MAny, MAny, nil, "*.fud.bar.foo", false},
-		/* 48 */ {[]string{"foo"}, MAny, MAny, MFalse, MAny, MAny, nil, "fud.bar.foo", false},
-		/* 49 */ {[]string{"foo"}, MAny, MAny, MFalse, MAny, MAny, nil, "*.bar.foo", false},
-		/* 50 */ {[]string{"foo"}, MAny, MAny, MFalse, MAny, MAny, nil, "bar.foo", false},
-		/* 51 */ {[]string{"foo"}, MAny, MAny, MFalse, MAny, MAny, nil, "*.foo", false},
-		/* 52 */ {[]string{"foo"}, MFalse, MAny, MFalse, MAny, MAny, nil, "foo", false},
-		/* 53 */ {[]string{"foo"}, MTrue, MAny, MFalse, MAny, MAny, nil, "foo", true},
-
-		// Allowed contains only domain components, and subdomains are now allowed.
-		// This results in most issuances succeeding, with the exception of the
-		// base foo, which is still governed by base's value.
-		/* 54 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MAny, nil, "baz.fud.bar.foo", true},
-		/* 55 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MTrue, nil, "*.fud.bar.foo", true},
-		/* 56 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MAny, nil, "fud.bar.foo", true},
-		/* 57 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MTrue, nil, "*.bar.foo", true},
-		/* 58 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MAny, nil, "bar.foo", true},
-		/* 59 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MTrue, nil, "*.foo", true},
-		/* 60 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MTrue, nil, "x*x.foo", true}, // internal wildcards should be allowed per RFC 6125/6.4.3
-		/* 61 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MTrue, nil, "*x.foo", true}, // prefix wildcards should be allowed per RFC 6125/6.4.3
-		/* 62 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MTrue, nil, "x*.foo", true}, // suffix wildcards should be allowed per RFC 6125/6.4.3
-		/* 63 */ {[]string{"foo"}, MFalse, MAny, MTrue, MAny, MAny, nil, "foo", false},
-		/* 64 */ {[]string{"foo"}, MTrue, MAny, MTrue, MAny, MAny, nil, "foo", true},
-
-		// === Internal Glob Matching === //
-		// Basic glob matching requirements
-		/* 65 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "xerox.foo", true},
-		/* 66 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "xylophone.files.pyrex.foo", true}, // globs can match across subdomains
-		/* 67 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "xercex.bar.foo", false}, // x.foo isn't matched
-		/* 68 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "bar.foo", false}, // x*x isn't matched.
-		/* 69 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "*.foo", false}, // unrelated wildcard
-		/* 70 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "*.x*x.foo", false}, // Does not conform to RFC 6125
-		/* 71 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "*.xyx.foo", false}, // Globs and Subdomains do not layer per docs.
-
-		// Various requirements around x*x.foo wildcard matching.
-		/* 72 */ {[]string{"x*x.foo"}, MFalse, MFalse, MAny, MAny, MAny, nil, "x*x.foo", false}, // base disabled, shouldn't match wildcard
-		/* 73 */ {[]string{"x*x.foo"}, MFalse, MTrue, MAny, MAny, MTrue, nil, "x*x.foo", true}, // base disallowed, but globbing allowed and should match
-		/* 74 */ {[]string{"x*x.foo"}, MTrue, MAny, MAny, MAny, MTrue, nil, "x*x.foo", true}, // base allowed, should match wildcard
-
-		// Basic glob matching requirements with internal dots.
-		/* 75 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "xerox.foo", false}, // missing dots
-		/* 76 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "x.ero.x.foo", true},
-		/* 77 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "xylophone.files.pyrex.foo", false}, // missing dots
-		/* 78 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "x.ylophone.files.pyre.x.foo", true}, // globs can match across subdomains
-		/* 79 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "xercex.bar.foo", false}, // x.foo isn't matched
-		/* 80 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "bar.foo", false}, // x.*.x isn't matched.
-		/* 81 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "*.foo", false}, // unrelated wildcard
-		/* 82 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "*.x.*.x.foo", false}, // Does not conform to RFC 6125
-		/* 83 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "*.x.y.x.foo", false}, // Globs and Subdomains do not layer per docs.
-
-		// === Wildcard restriction testing === //
-		/* 84 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MFalse, nil, "*.fud.bar.foo", false}, // glob domain allows wildcard of subdomains
-		/* 85 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MFalse, nil, "*.bar.foo", false}, // glob domain allows wildcards of subdomains
-		/* 86 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MFalse, nil, "*.fud.bar.foo", false},
-		/* 87 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MFalse, nil, "*.bar.foo", false},
-		/* 88 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MFalse, nil, "*.foo", false},
-		/* 89 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MFalse, nil, "x*x.foo", false},
-		/* 90 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MFalse, nil, "*x.foo", false},
-		/* 91 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MFalse, nil, "x*.foo", false},
-		/* 92 */ {[]string{"x*x.foo"}, MTrue, MAny, MAny, MAny, MFalse, nil, "x*x.foo", false},
-		/* 93 */ {[]string{"*.foo"}, MFalse, MFalse, MAny, MAny, MAny, nil, "*.foo", false}, // Bare and globs forbidden despite (potentially) allowing wildcards.
-		/* 94 */ {[]string{"x.*.x.foo"}, MAny, MAny, MAny, MAny, MAny, nil, "x.*.x.foo", false}, // Does not conform to RFC 6125
-
-		// === CN validation allowances === //
-		/*  95 */ {[]string{"foo"}, MAny, MAny, MAny, MAny, MAny, []string{"disabled"}, "*.fud.bar.foo", true},
-		/*  96 */ {[]string{"foo"}, MAny, MAny, MAny, MAny, MAny, []string{"disabled"}, "*.fud.*.foo", true},
-		/*  97 */ {[]string{"foo"}, MAny, MAny, MAny, MAny, MAny, []string{"disabled"}, "*.bar.*.bar", true},
-		/*  98 */ {[]string{"foo"}, MAny, MAny, MAny, MAny, MAny, []string{"disabled"}, "foo@foo", true},
-		/*  99 */ {[]string{"foo"}, MAny, MAny, MAny, MAny, MAny, []string{"disabled"}, "foo@foo@foo", true},
-		/* 100 */ {[]string{"foo"}, MAny, MAny, MAny, MAny, MAny, []string{"disabled"}, "bar@bar@bar", true},
-		/* 101 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"email"}, "bar@bar@bar", false},
-		/* 102 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"email"}, "bar@bar", false},
-		/* 103 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"email"}, "bar@foo", true},
-		/* 104 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"hostname"}, "bar@foo", false},
-		/* 105 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"hostname"}, "bar@bar", false},
-		/* 106 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"hostname"}, "bar.foo", true},
-		/* 107 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"hostname"}, "bar.bar", false},
-		/* 108 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"email"}, "bar.foo", false},
-		/* 109 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"email"}, "bar.bar", false},
-	}
-
-	if len(testCases) != 110 {
-		t.Fatalf("misnumbered test case entries will make it hard to find bugs: %v", len(testCases))
-	}
-
-	b, s := CreateBackendWithStorage(t)
-
-	// We need a RSA key so all signature sizes are valid with it.
-	resp, err := CBWrite(b, s, "root/generate/exported", map[string]interface{}{
-		"common_name": "myvault.com",
-		"ttl":         "128h",
-		"key_type":    "rsa",
-		"key_bits":    2048,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp == nil {
-		t.Fatal("expected ca info")
-	}
-
-	tested := 0
-	for index, test := range testCases {
-		tested += RoleIssuanceRegressionHelper(t, b, s, index, test)
-	}
-
-	t.Logf("Issuance regression expanded matrix test scenarios: %d", tested)
-}
-
-type KeySizeRegression struct {
-	// Values reused for both Role and CA configuration.
-	RoleKeyType string
-	RoleKeyBits []int
-
-	// Signature Bits presently is only specified on the role.
-	RoleSignatureBits []int
-	RoleUsePSS        bool
-
-	// These are tuples; must be of the same length.
-	TestKeyTypes []string
-	TestKeyBits  []int
-
-	// All of the above key types/sizes must pass or fail together.
-	ExpectError bool
-}
-
-func (k KeySizeRegression) KeyTypeValues() []string {
-	if k.RoleKeyType == "any" {
-		return []string{"rsa", "ec", "ed25519"}
-	}
-
-	return []string{k.RoleKeyType}
-}
-
-func RoleKeySizeRegressionHelper(t *testing.T, b *backend, s logical.Storage, index int, test KeySizeRegression) int {
-	tested := 0
-
-	for _, caKeyType := range test.KeyTypeValues() {
-		for _, caKeyBits := range test.RoleKeyBits {
-			// Generate a new CA key.
-			resp, err := CBWrite(b, s, "root/generate/exported", map[string]interface{}{
-				"common_name": "myvault.com",
-				"ttl":         "128h",
-				"key_type":    caKeyType,
-				"key_bits":    caKeyBits,
-			})
-			if err != nil {
-				t.Fatal(err)
-			}
-			if resp == nil {
-				t.Fatal("expected ca info")
-			}
-
-			for _, roleKeyBits := range test.RoleKeyBits {
-				for _, roleSignatureBits := range test.RoleSignatureBits {
-					role := fmt.Sprintf("key-size-regression-%d-keytype-%v-keybits-%d-signature-bits-%d", index, test.RoleKeyType, roleKeyBits, roleSignatureBits)
-					_, err := CBWrite(b, s, "roles/"+role, map[string]interface{}{
-						"key_type":       test.RoleKeyType,
-						"key_bits":       roleKeyBits,
-						"signature_bits": roleSignatureBits,
-						"use_pss":        test.RoleUsePSS,
-					})
-					if err != nil {
-						t.Fatal(err)
-					}
-
-					for index, keyType := range test.TestKeyTypes {
-						keyBits := test.TestKeyBits[index]
-
-						_, _, csrPem := generateCSR(t, &x509.CertificateRequest{
-							Subject: pkix.Name{
-								CommonName: "localhost",
-							},
-						}, keyType, keyBits)
-
-						resp, err = CBWrite(b, s, "sign/"+role, map[string]interface{}{
-							"common_name": "localhost",
-							"csr":         csrPem,
-						})
-
-						haveErr := err != nil || resp == nil
-
-						if haveErr != test.ExpectError {
-							t.Fatalf("key size regression test [%d] failed: haveErr: %v, expectErr: %v, err: %v, resp: %v, test case: %v, caKeyType: %v, caKeyBits: %v, role: %v, keyType: %v, keyBits: %v", index, haveErr, test.ExpectError, err, resp, test, caKeyType, caKeyBits, role, keyType, keyBits)
-						}
-
-						if resp != nil && test.RoleUsePSS && caKeyType == "rsa" {
-							leafCert := parseCert(t, resp.Data["certificate"].(string))
-							switch leafCert.SignatureAlgorithm {
-							case x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS:
-							default:
-								t.Fatalf("key size regression test [%d] failed on role %v: unexpected signature algorithm; expected RSA-type CA to sign a leaf cert with PSS algorithm; got %v", index, role, leafCert.SignatureAlgorithm.String())
-							}
-						}
-
-						tested += 1
-					}
-				}
-			}
-
-			_, err = CBDelete(b, s, "root")
-			if err != nil {
-				t.Fatal(err)
-			}
-		}
-	}
-
-	return tested
-}
-
-func TestBackend_Roles_KeySizeRegression(t *testing.T) {
-	t.Parallel()
-	// Regression testing of role's issuance policy.
-	testCases := []KeySizeRegression{
-		// RSA with default parameters should fail to issue smaller RSA keys
-		// and any size ECDSA/Ed25519 keys.
-		/*  0 */ {"rsa", []int{0, 2048}, []int{0, 256, 384, 512}, false, []string{"rsa", "ec", "ec", "ec", "ec", "ed25519"}, []int{1024, 224, 256, 384, 521, 0}, true},
-		// But it should work to issue larger RSA keys.
-		/*  1 */ {"rsa", []int{0, 2048}, []int{0, 256, 384, 512}, false, []string{"rsa", "rsa"}, []int{2048, 3072}, false},
-
-		// EC with default parameters should fail to issue smaller EC keys
-		// and any size RSA/Ed25519 keys.
-		/*  2 */ {"ec", []int{0}, []int{0}, false, []string{"rsa", "ec", "ed25519"}, []int{2048, 224, 0}, true},
-		// But it should work to issue larger EC keys. Note that we should be
-		// independent of signature bits as that's computed from the issuer
-		// type (for EC based issuers).
-		/*  3 */ {"ec", []int{224}, []int{0, 256, 384, 521}, false, []string{"ec", "ec", "ec", "ec"}, []int{224, 256, 384, 521}, false},
-		/*  4 */ {"ec", []int{0, 256}, []int{0, 256, 384, 521}, false, []string{"ec", "ec", "ec"}, []int{256, 384, 521}, false},
-		/*  5 */ {"ec", []int{384}, []int{0, 256, 384, 521}, false, []string{"ec", "ec"}, []int{384, 521}, false},
-		/*  6 */ {"ec", []int{521}, []int{0, 256, 384, 512}, false, []string{"ec"}, []int{521}, false},
-
-		// Ed25519 should reject RSA and EC keys.
-		/*  7 */ {"ed25519", []int{0}, []int{0}, false, []string{"rsa", "ec", "ec"}, []int{2048, 256, 521}, true},
-		// But it should work to issue Ed25519 keys.
-		/*  8 */ {"ed25519", []int{0}, []int{0}, false, []string{"ed25519"}, []int{0}, false},
-
-		// Any key type should reject insecure RSA key sizes.
-		/*  9 */ {"any", []int{0}, []int{0, 256, 384, 512}, false, []string{"rsa", "rsa"}, []int{512, 1024}, true},
-		// But work for everything else.
-		/* 10 */ {"any", []int{0}, []int{0, 256, 384, 512}, false, []string{"rsa", "rsa", "ec", "ec", "ec", "ec", "ed25519"}, []int{2048, 3072, 224, 256, 384, 521, 0}, false},
-
-		// RSA with larger than default key size should reject smaller ones.
-		/* 11 */ {"rsa", []int{3072}, []int{0, 256, 384, 512}, false, []string{"rsa"}, []int{2048}, true},
-
-		// We should be able to sign with PSS with any CA key type.
-		/* 12 */ {"rsa", []int{0}, []int{0, 256, 384, 512}, true, []string{"rsa"}, []int{2048}, false},
-		/* 13 */ {"ec", []int{0}, []int{0}, true, []string{"ec"}, []int{256}, false},
-		/* 14 */ {"ed25519", []int{0}, []int{0}, true, []string{"ed25519"}, []int{0}, false},
-	}
-
-	if len(testCases) != 15 {
-		t.Fatalf("misnumbered test case entries will make it hard to find bugs: %v", len(testCases))
-	}
-
-	b, s := CreateBackendWithStorage(t)
-
-	tested := 0
-	for index, test := range testCases {
-		tested += RoleKeySizeRegressionHelper(t, b, s, index, test)
-	}
-
-	t.Logf("Key size regression expanded matrix test scenarios: %d", tested)
-}
-
-func TestRootWithExistingKey(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-	var err error
-
-	// Fail requests if type is existing, and we specify the key_type param
-	_, err = CBWrite(b, s, "root/generate/existing", map[string]interface{}{
-		"common_name": "root myvault.com",
-		"key_type":    "rsa",
-	})
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "key_type nor key_bits arguments can be set in this mode")
-
-	// Fail requests if type is existing, and we specify the key_bits param
-	_, err = CBWrite(b, s, "root/generate/existing", map[string]interface{}{
-		"common_name": "root myvault.com",
-		"key_bits":    "2048",
-	})
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "key_type nor key_bits arguments can be set in this mode")
-
-	// Fail if the specified key does not exist.
-	_, err = CBWrite(b, s, "issuers/generate/root/existing", map[string]interface{}{
-		"common_name": "root myvault.com",
-		"issuer_name": "my-issuer1",
-		"key_ref":     "my-key1",
-	})
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "unable to find PKI key for reference: my-key1")
-
-	// Fail if the specified key name is default.
-	_, err = CBWrite(b, s, "issuers/generate/root/internal", map[string]interface{}{
-		"common_name": "root myvault.com",
-		"issuer_name": "my-issuer1",
-		"key_name":    "Default",
-	})
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "reserved keyword 'default' can not be used as key name")
-
-	// Fail if the specified issuer name is default.
-	_, err = CBWrite(b, s, "issuers/generate/root/internal", map[string]interface{}{
-		"common_name": "root myvault.com",
-		"issuer_name": "DEFAULT",
-	})
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "reserved keyword 'default' can not be used as issuer name")
-
-	// Create the first CA
-	resp, err := CBWrite(b, s, "issuers/generate/root/internal", map[string]interface{}{
-		"common_name": "root myvault.com",
-		"key_type":    "rsa",
-		"issuer_name": "my-issuer1",
-	})
-	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("issuers/generate/root/internal"), logical.UpdateOperation), resp, true)
-	require.NoError(t, err)
-	require.NotNil(t, resp.Data["certificate"])
-	myIssuerId1 := resp.Data["issuer_id"]
-	myKeyId1 := resp.Data["key_id"]
-	require.NotEmpty(t, myIssuerId1)
-	require.NotEmpty(t, myKeyId1)
-
-	// Fetch the parsed CRL; it should be empty as we've not revoked anything
-	parsedCrl := getParsedCrlFromBackend(t, b, s, "issuer/my-issuer1/crl/der")
-	require.Equal(t, len(parsedCrl.TBSCertList.RevokedCertificates), 0, "should have no revoked certificates")
-
-	// Fail if the specified issuer name is re-used.
-	_, err = CBWrite(b, s, "issuers/generate/root/internal", map[string]interface{}{
-		"common_name": "root myvault.com",
-		"issuer_name": "my-issuer1",
-	})
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "issuer name already in use")
-
-	// Create the second CA
-	resp, err = CBWrite(b, s, "issuers/generate/root/internal", map[string]interface{}{
-		"common_name": "root myvault.com",
-		"key_type":    "rsa",
-		"issuer_name": "my-issuer2",
-		"key_name":    "root-key2",
-	})
-	require.NoError(t, err)
-	require.NotNil(t, resp.Data["certificate"])
-	myIssuerId2 := resp.Data["issuer_id"]
-	myKeyId2 := resp.Data["key_id"]
-	require.NotEmpty(t, myIssuerId2)
-	require.NotEmpty(t, myKeyId2)
-
-	// Fetch the parsed CRL; it should be empty as we've not revoked anything
-	parsedCrl = getParsedCrlFromBackend(t, b, s, "issuer/my-issuer2/crl/der")
-	require.Equal(t, len(parsedCrl.TBSCertList.RevokedCertificates), 0, "should have no revoked certificates")
-
-	// Fail if the specified key name is re-used.
-	_, err = CBWrite(b, s, "issuers/generate/root/internal", map[string]interface{}{
-		"common_name": "root myvault.com",
-		"issuer_name": "my-issuer3",
-		"key_name":    "root-key2",
-	})
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "key name already in use")
-
-	// Create a third CA re-using key from CA 1
-	resp, err = CBWrite(b, s, "issuers/generate/root/existing", map[string]interface{}{
-		"common_name": "root myvault.com",
-		"issuer_name": "my-issuer3",
-		"key_ref":     myKeyId1,
-	})
-	require.NoError(t, err)
-	require.NotNil(t, resp.Data["certificate"])
-	myIssuerId3 := resp.Data["issuer_id"]
-	myKeyId3 := resp.Data["key_id"]
-	require.NotEmpty(t, myIssuerId3)
-	require.NotEmpty(t, myKeyId3)
-
-	// Fetch the parsed CRL; it should be empty as we've not revoking anything.
-	parsedCrl = getParsedCrlFromBackend(t, b, s, "issuer/my-issuer3/crl/der")
-	require.Equal(t, len(parsedCrl.TBSCertList.RevokedCertificates), 0, "should have no revoked certificates")
-	// Signatures should be the same since this is just a reissued cert. We
-	// use signature as a proxy for "these two CRLs are equal".
-	firstCrl := getParsedCrlFromBackend(t, b, s, "issuer/my-issuer1/crl/der")
-	require.Equal(t, parsedCrl.SignatureValue, firstCrl.SignatureValue)
-
-	require.NotEqual(t, myIssuerId1, myIssuerId2)
-	require.NotEqual(t, myIssuerId1, myIssuerId3)
-	require.NotEqual(t, myKeyId1, myKeyId2)
-	require.Equal(t, myKeyId1, myKeyId3)
-
-	resp, err = CBList(b, s, "issuers")
-	require.NoError(t, err)
-	require.Equal(t, 3, len(resp.Data["keys"].([]string)))
-	require.Contains(t, resp.Data["keys"], string(myIssuerId1.(issuerID)))
-	require.Contains(t, resp.Data["keys"], string(myIssuerId2.(issuerID)))
-	require.Contains(t, resp.Data["keys"], string(myIssuerId3.(issuerID)))
-}
-
-func TestIntermediateWithExistingKey(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-
-	var err error
-
-	// Fail requests if type is existing, and we specify the key_type param
-	_, err = CBWrite(b, s, "intermediate/generate/existing", map[string]interface{}{
-		"common_name": "root myvault.com",
-		"key_type":    "rsa",
-	})
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "key_type nor key_bits arguments can be set in this mode")
-
-	// Fail requests if type is existing, and we specify the key_bits param
-	_, err = CBWrite(b, s, "intermediate/generate/existing", map[string]interface{}{
-		"common_name": "root myvault.com",
-		"key_bits":    "2048",
-	})
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "key_type nor key_bits arguments can be set in this mode")
-
-	// Fail if the specified key does not exist.
-	_, err = CBWrite(b, s, "issuers/generate/intermediate/existing", map[string]interface{}{
-		"common_name": "root myvault.com",
-		"key_ref":     "my-key1",
-	})
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "unable to find PKI key for reference: my-key1")
-
-	// Create the first intermediate CA
-	resp, err := CBWrite(b, s, "issuers/generate/intermediate/internal", map[string]interface{}{
-		"common_name": "root myvault.com",
-		"key_type":    "rsa",
-	})
-	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("issuers/generate/intermediate/internal"), logical.UpdateOperation), resp, true)
-	require.NoError(t, err)
-	// csr1 := resp.Data["csr"]
-	myKeyId1 := resp.Data["key_id"]
-	require.NotEmpty(t, myKeyId1)
-
-	// Create the second intermediate CA
-	resp, err = CBWrite(b, s, "issuers/generate/intermediate/internal", map[string]interface{}{
-		"common_name": "root myvault.com",
-		"key_type":    "rsa",
-		"key_name":    "interkey1",
-	})
-	require.NoError(t, err)
-	// csr2 := resp.Data["csr"]
-	myKeyId2 := resp.Data["key_id"]
-	require.NotEmpty(t, myKeyId2)
-
-	// Create a third intermediate CA re-using key from intermediate CA 1
-	resp, err = CBWrite(b, s, "issuers/generate/intermediate/existing", map[string]interface{}{
-		"common_name": "root myvault.com",
-		"key_ref":     myKeyId1,
-	})
-	require.NoError(t, err)
-	// csr3 := resp.Data["csr"]
-	myKeyId3 := resp.Data["key_id"]
-	require.NotEmpty(t, myKeyId3)
-
-	require.NotEqual(t, myKeyId1, myKeyId2)
-	require.Equal(t, myKeyId1, myKeyId3, "our new ca did not seem to reuse the key as we expected.")
-}
-
-func TestIssuanceTTLs(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-
-	resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
-		"common_name": "root example.com",
-		"issuer_name": "root",
-		"ttl":         "10s",
-		"key_type":    "ec",
-	})
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-	rootCert := parseCert(t, resp.Data["certificate"].(string))
-
-	_, err = CBWrite(b, s, "roles/local-testing", map[string]interface{}{
-		"allow_any_name":    true,
-		"enforce_hostnames": false,
-		"key_type":          "ec",
-	})
-	require.NoError(t, err)
-
-	_, err = CBWrite(b, s, "issue/local-testing", map[string]interface{}{
-		"common_name": "testing",
-		"ttl":         "1s",
-	})
-	require.NoError(t, err, "expected issuance to succeed due to shorter ttl than cert ttl")
-
-	_, err = CBWrite(b, s, "issue/local-testing", map[string]interface{}{
-		"common_name": "testing",
-	})
-	require.Error(t, err, "expected issuance to fail due to longer default ttl than cert ttl")
-
-	resp, err = CBPatch(b, s, "issuer/root", map[string]interface{}{
-		"leaf_not_after_behavior": "permit",
-	})
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-	require.NotNil(t, resp.Data)
-	require.Equal(t, resp.Data["leaf_not_after_behavior"], "permit")
-
-	_, err = CBWrite(b, s, "issue/local-testing", map[string]interface{}{
-		"common_name": "testing",
-	})
-	require.NoError(t, err, "expected issuance to succeed due to permitted longer TTL")
-
-	resp, err = CBWrite(b, s, "issuer/root", map[string]interface{}{
-		"issuer_name":             "root",
-		"leaf_not_after_behavior": "truncate",
-	})
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-	require.NotNil(t, resp.Data)
-	require.Equal(t, resp.Data["leaf_not_after_behavior"], "truncate")
-
-	_, err = CBWrite(b, s, "issue/local-testing", map[string]interface{}{
-		"common_name": "testing",
-	})
-	require.NoError(t, err, "expected issuance to succeed due to truncated ttl")
-
-	// Sleep until the parent cert expires and the clock rolls over
-	// to the next second.
-	time.Sleep(time.Until(rootCert.NotAfter) + (1500 * time.Millisecond))
-
-	resp, err = CBWrite(b, s, "issuer/root", map[string]interface{}{
-		"issuer_name":             "root",
-		"leaf_not_after_behavior": "err",
-	})
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-
-	// Even 1s ttl should now fail.
-	_, err = CBWrite(b, s, "issue/local-testing", map[string]interface{}{
-		"common_name": "testing",
-		"ttl":         "1s",
-	})
-	require.Error(t, err, "expected issuance to fail due to longer default ttl than cert ttl")
-}
-
-func TestSealWrappedStorageConfigured(t *testing.T) {
-	t.Parallel()
-	b, _ := CreateBackendWithStorage(t)
-	wrappedEntries := b.Backend.PathsSpecial.SealWrapStorage
-
-	// Make sure our legacy bundle is within the list
-	// NOTE: do not convert these test values to constants, we should always have these paths within seal wrap config
-	require.Contains(t, wrappedEntries, "config/ca_bundle", "Legacy bundle missing from seal wrap")
-	// The trailing / is important as it treats the entire folder requiring seal wrapping, not just config/key
-	require.Contains(t, wrappedEntries, "config/key/", "key prefix with trailing / missing from seal wrap.")
-}
-
-func TestBackend_ConfigCA_WithECParams(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-
-	// Generated key with OpenSSL:
-	// $ openssl ecparam -out p256.key -name prime256v1 -genkey
-	//
-	// Regression test for https://github.com/hashicorp/vault/issues/16667
-	resp, err := CBWrite(b, s, "config/ca", map[string]interface{}{
-		"pem_bundle": `
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEINzXthCZdhyV7+wIEBl/ty+ctNsUS99ykTeax6EbYZtvoAoGCCqGSM49
-AwEHoUQDQgAE57NX8bR/nDoW8yRgLswoXBQcjHrdyfuHS0gPwki6BNnfunUzryVb
-8f22/JWj6fsEF6AOADZlrswKIbR2Es9e/w==
------END EC PRIVATE KEY-----
-		`,
-	})
-	require.NoError(t, err)
-	require.NotNil(t, resp, "expected ca info")
-	importedKeys := resp.Data["imported_keys"].([]string)
-	importedIssuers := resp.Data["imported_issuers"].([]string)
-
-	require.Equal(t, len(importedKeys), 1)
-	require.Equal(t, len(importedIssuers), 0)
-}
-
-func TestPerIssuerAIA(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-
-	// Generating a root without anything should not have AIAs.
-	resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
-		"common_name": "root example.com",
-		"issuer_name": "root",
-		"key_type":    "ec",
-	})
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-	rootCert := parseCert(t, resp.Data["certificate"].(string))
-	require.Empty(t, rootCert.OCSPServer)
-	require.Empty(t, rootCert.IssuingCertificateURL)
-	require.Empty(t, rootCert.CRLDistributionPoints)
-
-	// Set some local URLs on the issuer.
-	resp, err = CBWrite(b, s, "issuer/default", map[string]interface{}{
-		"issuing_certificates": []string{"https://google.com"},
-	})
-	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("issuer/default"), logical.UpdateOperation), resp, true)
-
-	require.NoError(t, err)
-
-	_, err = CBWrite(b, s, "roles/testing", map[string]interface{}{
-		"allow_any_name": true,
-		"ttl":            "85s",
-		"key_type":       "ec",
-	})
-	require.NoError(t, err)
-
-	// Issue something with this re-configured issuer.
-	resp, err = CBWrite(b, s, "issuer/default/issue/testing", map[string]interface{}{
-		"common_name": "localhost.com",
-	})
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-	leafCert := parseCert(t, resp.Data["certificate"].(string))
-	require.Empty(t, leafCert.OCSPServer)
-	require.Equal(t, leafCert.IssuingCertificateURL, []string{"https://google.com"})
-	require.Empty(t, leafCert.CRLDistributionPoints)
-
-	// Set global URLs and ensure they don't appear on this issuer's leaf.
-	_, err = CBWrite(b, s, "config/urls", map[string]interface{}{
-		"issuing_certificates":    []string{"https://example.com/ca", "https://backup.example.com/ca"},
-		"crl_distribution_points": []string{"https://example.com/crl", "https://backup.example.com/crl"},
-		"ocsp_servers":            []string{"https://example.com/ocsp", "https://backup.example.com/ocsp"},
-	})
-	require.NoError(t, err)
-	resp, err = CBWrite(b, s, "issuer/default/issue/testing", map[string]interface{}{
-		"common_name": "localhost.com",
-	})
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-	leafCert = parseCert(t, resp.Data["certificate"].(string))
-	require.Empty(t, leafCert.OCSPServer)
-	require.Equal(t, leafCert.IssuingCertificateURL, []string{"https://google.com"})
-	require.Empty(t, leafCert.CRLDistributionPoints)
-
-	// Now come back and remove the local modifications and ensure we get
-	// the defaults again.
-	_, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
-		"issuing_certificates": []string{},
-	})
-	require.NoError(t, err)
-	resp, err = CBWrite(b, s, "issuer/default/issue/testing", map[string]interface{}{
-		"common_name": "localhost.com",
-	})
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-	leafCert = parseCert(t, resp.Data["certificate"].(string))
-	require.Equal(t, leafCert.IssuingCertificateURL, []string{"https://example.com/ca", "https://backup.example.com/ca"})
-	require.Equal(t, leafCert.OCSPServer, []string{"https://example.com/ocsp", "https://backup.example.com/ocsp"})
-	require.Equal(t, leafCert.CRLDistributionPoints, []string{"https://example.com/crl", "https://backup.example.com/crl"})
-
-	// Validate that we can set an issuer name and remove it.
-	_, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
-		"issuer_name": "my-issuer",
-	})
-	require.NoError(t, err)
-	_, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
-		"issuer_name": "",
-	})
-	require.NoError(t, err)
-}
-
-func TestIssuersWithoutCRLBits(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-
-	// Importing a root without CRL signing bits should work fine.
-	customBundleWithoutCRLBits := `
------BEGIN CERTIFICATE-----
-MIIDGTCCAgGgAwIBAgIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhyb290
-LW5ldzAeFw0yMjA4MjQxMjEzNTVaFw0yMzA5MDMxMjEzNTVaMBMxETAPBgNVBAMM
-CHJvb3QtbmV3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAojTA/Mx7
-LVW/Zgn/N4BqZbaF82MrTIBFug3ob7mqycNRlWp4/PH8v37+jYn8e691HUsKjden
-rDTrO06kiQKiJinAzmlLJvgcazE3aXoh7wSzVG9lFHYvljEmVj+yDbkeaqaCktup
-skuNjxCoN9BLmKzZIwVCHn92ZHlhN6LI7CNaU3SDJdu7VftWF9Ugzt9FIvI+6Gcn
-/WNE9FWvZ9o7035rZ+1vvTn7/tgxrj2k3XvD51Kq4tsSbqjnSf3QieXT6E6uvtUE
-TbPp3xjBElgBCKmeogR1l28rs1aujqqwzZ0B/zOeF8ptaH0aZOIBsVDJR8yTwHzq
-s34hNdNfKLHzOwIDAQABo3gwdjAdBgNVHQ4EFgQUF4djNmx+1+uJINhZ82pN+7jz
-H8EwHwYDVR0jBBgwFoAUF4djNmx+1+uJINhZ82pN+7jzH8EwDwYDVR0TAQH/BAUw
-AwEB/zAOBgNVHQ8BAf8EBAMCAoQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZI
-hvcNAQELBQADggEBAICQovBz4KLWlLmXeZ2Vf6WfQYyGNgGyJa10XNXtWQ5dM2NU
-OLAit4x1c2dz+aFocc8ZsX/ikYi/bruT2rsGWqMAGC4at3U4GuaYGO5a6XzMKIDC
-nxIlbiO+Pn6Xum7fAqUri7+ZNf/Cygmc5sByi3MAAIkszeObUDZFTJL7gEOuXIMT
-rKIXCINq/U+qc7m9AQ8vKhF1Ddj+dLGLzNQ5j3cKfilPs/wRaYqbMQvnmarX+5Cs
-k1UL6kWSQsiP3+UWaBlcWkmD6oZ3fIG7c0aMxf7RISq1eTAM9XjH3vMxWQJlS5q3
-2weJ2LYoPe/DwX5CijR0IezapBCrin1BscJMLFQ=
------END CERTIFICATE-----
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCiNMD8zHstVb9m
-Cf83gGpltoXzYytMgEW6DehvuarJw1GVanj88fy/fv6Nifx7r3UdSwqN16esNOs7
-TqSJAqImKcDOaUsm+BxrMTdpeiHvBLNUb2UUdi+WMSZWP7INuR5qpoKS26myS42P
-EKg30EuYrNkjBUIef3ZkeWE3osjsI1pTdIMl27tV+1YX1SDO30Ui8j7oZyf9Y0T0
-Va9n2jvTfmtn7W+9Ofv+2DGuPaTde8PnUqri2xJuqOdJ/dCJ5dPoTq6+1QRNs+nf
-GMESWAEIqZ6iBHWXbyuzVq6OqrDNnQH/M54Xym1ofRpk4gGxUMlHzJPAfOqzfiE1
-018osfM7AgMBAAECggEAAVd6kZZaN69IZITIc1vHRYa2rlZpKS2JP7c8Vd3Z/4Fz
-ZZvnJ7LgVAmUYg5WPZ2sOqBNLfKVN/oke5Q0dALgdxYl7dWQIhPjHeRFbZFtjqEV
-OXZGBniamMO/HSKGWGrqFf7BM/H7AhClUwQgjnzVSz+B+LJJidM+SVys3n1xuDmC
-EP+iOda+bAHqHv/7oCELQKhLmCvPc9v2fDy+180ttdo8EHuxwVnKiyR/ryKFhSyx
-K1wgAPQ9jO+V+GESL90rqpX/r501REsIOOpm4orueelHTD4+dnHxvUPqJ++9aYGX
-79qBNPPUhxrQI1yoHxwW0cTxW5EqkZ9bT2lSd5rjcQKBgQDNyPBpidkHPrYemQDT
-RldtS6FiW/jc1It/CRbjU4A6Gi7s3Cda43pEUObKNLeXMyLQaMf4GbDPDX+eh7B8
-RkUq0Q/N0H4bn1hbxYSUdgv0j/6czpMo6rLcJHGwOTSpHGsNsxSLL7xlpgzuzqrG
-FzEgjMA1aD3w8B9+/77AoSLoMQKBgQDJyYMw82+euLYRbR5Wc/SbrWfh2n1Mr2BG
-pp1ZNYorXE5CL4ScdLcgH1q/b8r5XGwmhMcpeA+geAAaKmk1CGG+gPLoq20c9Q1Y
-Ykq9tUVJasIkelvbb/SPxyjkJdBwylzcPP14IJBsqQM0be+yVqLJJVHSaoKhXZcl
-IW2xgCpjKwKBgFpeX5U5P+F6nKebMU2WmlYY3GpBUWxIummzKCX0SV86mFjT5UR4
-mPzfOjqaI/V2M1eqbAZ74bVLjDumAs7QXReMb5BGetrOgxLqDmrT3DQt9/YMkXtq
-ddlO984XkRSisjB18BOfhvBsl0lX4I7VKHHO3amWeX0RNgOjc7VMDfRBAoGAWAQH
-r1BfvZHACLXZ58fISCdJCqCsysgsbGS8eW77B5LJp+DmLQBT6DUE9j+i/0Wq/ton
-rRTrbAkrsj4RicpQKDJCwe4UN+9DlOu6wijRQgbJC/Q7IOoieJxcX7eGxcve2UnZ
-HY7GsD7AYRwa02UquCYJHIjM1enmxZFhMW1AD+UCgYEAm4jdNz5e4QjA4AkNF+cB
-ZenrAZ0q3NbTyiSsJEAtRe/c5fNFpmXo3mqgCannarREQYYDF0+jpSoTUY8XAc4q
-wL7EZNzwxITLqBnnHQbdLdAvYxB43kvWTy+JRK8qY9LAMCCFeDoYwXkWV4Wkx/b0
-TgM7RZnmEjNdeaa4M52o7VY=
------END PRIVATE KEY-----
-	`
-	resp, err := CBWrite(b, s, "issuers/import/bundle", map[string]interface{}{
-		"pem_bundle": customBundleWithoutCRLBits,
-	})
-	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("issuers/import/bundle"), logical.UpdateOperation), resp, true)
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-	require.NotEmpty(t, resp.Data)
-	require.NotEmpty(t, resp.Data["imported_issuers"])
-	require.NotEmpty(t, resp.Data["imported_keys"])
-	require.NotEmpty(t, resp.Data["mapping"])
-
-	// Shouldn't have crl-signing on the newly imported issuer's usage.
-	resp, err = CBRead(b, s, "issuer/default")
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-	require.NotEmpty(t, resp.Data)
-	require.NotEmpty(t, resp.Data["usage"])
-	require.NotContains(t, resp.Data["usage"], "crl-signing")
-
-	// Modifying to set CRL should fail.
-	resp, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
-		"usage": "issuing-certificates,crl-signing",
-	})
-	require.Error(t, err)
-	require.True(t, resp.IsError())
-
-	// Modifying to set issuing-certificates and ocsp-signing should succeed.
-	resp, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
-		"usage": "issuing-certificates,ocsp-signing",
-	})
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-	require.NotEmpty(t, resp.Data)
-	require.NotEmpty(t, resp.Data["usage"])
-	require.NotContains(t, resp.Data["usage"], "crl-signing")
-}
-
-func TestBackend_IfModifiedSinceHeaders(t *testing.T) {
-	t.Parallel()
-	coreConfig := &vault.CoreConfig{
-		LogicalBackends: map[string]logical.Factory{
-			"pki": Factory,
-		},
-	}
-	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
-		HandlerFunc:             vaulthttp.Handler,
-		RequestResponseCallback: schema.ResponseValidatingCallback(t),
-	})
-	cluster.Start()
-	defer cluster.Cleanup()
-	client := cluster.Cores[0].Client
-
-	// Mount PKI.
-	err := client.Sys().Mount("pki", &api.MountInput{
-		Type: "pki",
-		Config: api.MountConfigInput{
-			DefaultLeaseTTL: "16h",
-			MaxLeaseTTL:     "60h",
-			// Required to allow the header to be passed through.
-			PassthroughRequestHeaders: []string{"if-modified-since"},
-			AllowedResponseHeaders:    []string{"Last-Modified"},
-		},
-	})
-	require.NoError(t, err)
-
-	// Get a time before CA generation. Subtract two seconds to ensure
-	// the value in the seconds field is different than the time the CA
-	// is actually generated at.
-	beforeOldCAGeneration := time.Now().Add(-2 * time.Second)
-
-	// Generate an internal CA. This one is the default.
-	resp, err := client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
-		"ttl":         "40h",
-		"common_name": "Root X1",
-		"key_type":    "ec",
-		"issuer_name": "old-root",
-	})
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-	require.NotNil(t, resp.Data)
-	require.NotEmpty(t, resp.Data["certificate"])
-
-	// CA is generated, but give a grace window.
-	afterOldCAGeneration := time.Now().Add(2 * time.Second)
-
-	// When you _save_ headers, client returns a copy. But when you go to
-	// reset them, it doesn't create a new copy (and instead directly
-	// assigns). This means we have to continually refresh our view of the
-	// last headers, otherwise the headers added after the last set operation
-	// leak into this copy... Yuck!
-	lastHeaders := client.Headers()
-	for _, path := range []string{"pki/cert/ca", "pki/cert/crl", "pki/issuer/default/json", "pki/issuer/old-root/json", "pki/issuer/old-root/crl", "pki/cert/delta-crl", "pki/issuer/old-root/crl/delta"} {
-		t.Logf("path: %v", path)
-		field := "certificate"
-		if strings.HasPrefix(path, "pki/issuer") && strings.Contains(path, "/crl") {
-			field = "crl"
-		}
-
-		// Reading the CA should work, without a header.
-		resp, err := client.Logical().Read(path)
-		require.NoError(t, err)
-		require.NotNil(t, resp)
-		require.NotNil(t, resp.Data)
-		require.NotEmpty(t, resp.Data[field])
-
-		// Ensure that the CA is returned correctly if we give it the old time.
-		client.AddHeader("If-Modified-Since", beforeOldCAGeneration.Format(time.RFC1123))
-		resp, err = client.Logical().Read(path)
-		require.NoError(t, err)
-		require.NotNil(t, resp)
-		require.NotNil(t, resp.Data)
-		require.NotEmpty(t, resp.Data[field])
-		client.SetHeaders(lastHeaders)
-		lastHeaders = client.Headers()
-
-		// Ensure that the CA is elided if we give it the present time (plus a
-		// grace window).
-		client.AddHeader("If-Modified-Since", afterOldCAGeneration.Format(time.RFC1123))
-		t.Logf("headers: %v", client.Headers())
-		resp, err = client.Logical().Read(path)
-		require.NoError(t, err)
-		require.Nil(t, resp)
-		client.SetHeaders(lastHeaders)
-		lastHeaders = client.Headers()
-	}
-
-	// Wait three seconds. This ensures we have adequate grace period
-	// to distinguish the two cases, even with grace periods.
-	time.Sleep(3 * time.Second)
-
-	// Generating a second root. This one isn't the default.
-	beforeNewCAGeneration := time.Now().Add(-2 * time.Second)
-
-	// Generate an internal CA. This one is the default.
-	_, err = client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
-		"ttl":         "40h",
-		"common_name": "Root X1",
-		"key_type":    "ec",
-		"issuer_name": "new-root",
-	})
-	require.NoError(t, err)
-
-	// As above.
-	afterNewCAGeneration := time.Now().Add(2 * time.Second)
-
-	// New root isn't the default, so it has fewer paths.
-	for _, path := range []string{"pki/issuer/new-root/json", "pki/issuer/new-root/crl", "pki/issuer/new-root/crl/delta"} {
-		t.Logf("path: %v", path)
-		field := "certificate"
-		if strings.HasPrefix(path, "pki/issuer") && strings.Contains(path, "/crl") {
-			field = "crl"
-		}
-
-		// Reading the CA should work, without a header.
-		resp, err := client.Logical().Read(path)
-		require.NoError(t, err)
-		require.NotNil(t, resp)
-		require.NotNil(t, resp.Data)
-		require.NotEmpty(t, resp.Data[field])
-
-		// Ensure that the CA is returned correctly if we give it the old time.
-		client.AddHeader("If-Modified-Since", beforeNewCAGeneration.Format(time.RFC1123))
-		resp, err = client.Logical().Read(path)
-		require.NoError(t, err)
-		require.NotNil(t, resp)
-		require.NotNil(t, resp.Data)
-		require.NotEmpty(t, resp.Data[field])
-		client.SetHeaders(lastHeaders)
-		lastHeaders = client.Headers()
-
-		// Ensure that the CA is elided if we give it the present time (plus a
-		// grace window).
-		client.AddHeader("If-Modified-Since", afterNewCAGeneration.Format(time.RFC1123))
-		t.Logf("headers: %v", client.Headers())
-		resp, err = client.Logical().Read(path)
-		require.NoError(t, err)
-		require.Nil(t, resp)
-		client.SetHeaders(lastHeaders)
-		lastHeaders = client.Headers()
-	}
-
-	// Wait three seconds. This ensures we have adequate grace period
-	// to distinguish the two cases, even with grace periods.
-	time.Sleep(3 * time.Second)
-
-	// Now swap the default issuers around.
-	_, err = client.Logical().Write("pki/config/issuers", map[string]interface{}{
-		"default": "new-root",
-	})
-	require.NoError(t, err)
-
-	// Reading both with the last modified date should return new values.
-	for _, path := range []string{"pki/cert/ca", "pki/cert/crl", "pki/issuer/default/json", "pki/issuer/old-root/json", "pki/issuer/new-root/json", "pki/issuer/old-root/crl", "pki/issuer/new-root/crl", "pki/cert/delta-crl", "pki/issuer/old-root/crl/delta", "pki/issuer/new-root/crl/delta"} {
-		t.Logf("path: %v", path)
-		field := "certificate"
-		if strings.HasPrefix(path, "pki/issuer") && strings.Contains(path, "/crl") {
-			field = "crl"
-		}
-
-		// Ensure that the CA is returned correctly if we give it the old time.
-		client.AddHeader("If-Modified-Since", afterOldCAGeneration.Format(time.RFC1123))
-		resp, err = client.Logical().Read(path)
-		require.NoError(t, err)
-		require.NotNil(t, resp)
-		require.NotNil(t, resp.Data)
-		require.NotEmpty(t, resp.Data[field])
-		client.SetHeaders(lastHeaders)
-		lastHeaders = client.Headers()
-
-		// Ensure that the CA is returned correctly if we give it the old time.
-		client.AddHeader("If-Modified-Since", afterNewCAGeneration.Format(time.RFC1123))
-		resp, err = client.Logical().Read(path)
-		require.NoError(t, err)
-		require.NotNil(t, resp)
-		require.NotNil(t, resp.Data)
-		require.NotEmpty(t, resp.Data[field])
-		client.SetHeaders(lastHeaders)
-		lastHeaders = client.Headers()
-	}
-
-	// Wait for things to settle, record the present time, and wait for the
-	// clock to definitely tick over again.
-	time.Sleep(2 * time.Second)
-	preRevocationTimestamp := time.Now()
-	time.Sleep(2 * time.Second)
-
-	// The above tests should say everything is cached.
-	for _, path := range []string{"pki/cert/ca", "pki/cert/crl", "pki/issuer/default/json", "pki/issuer/old-root/json", "pki/issuer/new-root/json", "pki/issuer/old-root/crl", "pki/issuer/new-root/crl", "pki/cert/delta-crl", "pki/issuer/old-root/crl/delta", "pki/issuer/new-root/crl/delta"} {
-		t.Logf("path: %v", path)
-
-		// Ensure that the CA is returned correctly if we give it the new time.
-		client.AddHeader("If-Modified-Since", preRevocationTimestamp.Format(time.RFC1123))
-		resp, err = client.Logical().Read(path)
-		require.NoError(t, err)
-		require.Nil(t, resp)
-		client.SetHeaders(lastHeaders)
-		lastHeaders = client.Headers()
-	}
-
-	// We could generate some leaves and verify the revocation updates the
-	// CRL. But, revoking the issuer behaves the same, so let's do that
-	// instead.
-	_, err = client.Logical().Write("pki/issuer/old-root/revoke", map[string]interface{}{})
-	require.NoError(t, err)
-
-	// CA should still be valid.
-	for _, path := range []string{"pki/cert/ca", "pki/issuer/default/json", "pki/issuer/old-root/json", "pki/issuer/new-root/json"} {
-		t.Logf("path: %v", path)
-
-		// Ensure that the CA is returned correctly if we give it the old time.
-		client.AddHeader("If-Modified-Since", preRevocationTimestamp.Format(time.RFC1123))
-		resp, err = client.Logical().Read(path)
-		require.NoError(t, err)
-		require.Nil(t, resp)
-		client.SetHeaders(lastHeaders)
-		lastHeaders = client.Headers()
-	}
-
-	// CRL should be invalidated
-	for _, path := range []string{"pki/cert/crl", "pki/issuer/old-root/crl", "pki/issuer/new-root/crl", "pki/cert/delta-crl", "pki/issuer/old-root/crl/delta", "pki/issuer/new-root/crl/delta"} {
-		t.Logf("path: %v", path)
-		field := "certificate"
-		if strings.HasPrefix(path, "pki/issuer") && strings.Contains(path, "/crl") {
-			field = "crl"
-		}
-
-		client.AddHeader("If-Modified-Since", preRevocationTimestamp.Format(time.RFC1123))
-		resp, err = client.Logical().Read(path)
-		require.NoError(t, err)
-		require.NotNil(t, resp)
-		require.NotNil(t, resp.Data)
-		require.NotEmpty(t, resp.Data[field])
-		client.SetHeaders(lastHeaders)
-		lastHeaders = client.Headers()
-	}
-
-	// If we send some time in the future, everything should be cached again!
-	futureTime := time.Now().Add(30 * time.Second)
-	for _, path := range []string{"pki/cert/ca", "pki/cert/crl", "pki/issuer/default/json", "pki/issuer/old-root/json", "pki/issuer/new-root/json", "pki/issuer/old-root/crl", "pki/issuer/new-root/crl", "pki/cert/delta-crl", "pki/issuer/old-root/crl/delta", "pki/issuer/new-root/crl/delta"} {
-		t.Logf("path: %v", path)
-
-		// Ensure that the CA is returned correctly if we give it the new time.
-		client.AddHeader("If-Modified-Since", futureTime.Format(time.RFC1123))
-		resp, err = client.Logical().Read(path)
-		require.NoError(t, err)
-		require.Nil(t, resp)
-		client.SetHeaders(lastHeaders)
-		lastHeaders = client.Headers()
-	}
-
-	beforeThreeWaySwap := time.Now().Add(-2 * time.Second)
-
-	// Now, do a three-way swap of names (old->tmp; new->old; tmp->new). This
-	// should result in all names/CRLs being invalidated.
-	_, err = client.Logical().JSONMergePatch(ctx, "pki/issuer/old-root", map[string]interface{}{
-		"issuer_name": "tmp-root",
-	})
-	require.NoError(t, err)
-	_, err = client.Logical().JSONMergePatch(ctx, "pki/issuer/new-root", map[string]interface{}{
-		"issuer_name": "old-root",
-	})
-	require.NoError(t, err)
-	_, err = client.Logical().JSONMergePatch(ctx, "pki/issuer/tmp-root", map[string]interface{}{
-		"issuer_name": "new-root",
-	})
-	require.NoError(t, err)
-
-	afterThreeWaySwap := time.Now().Add(2 * time.Second)
-
-	for _, path := range []string{"pki/cert/ca", "pki/cert/crl", "pki/issuer/default/json", "pki/issuer/old-root/json", "pki/issuer/new-root/json", "pki/issuer/old-root/crl", "pki/issuer/new-root/crl", "pki/cert/delta-crl", "pki/issuer/old-root/crl/delta", "pki/issuer/new-root/crl/delta"} {
-		t.Logf("path: %v", path)
-		field := "certificate"
-		if strings.HasPrefix(path, "pki/issuer") && strings.Contains(path, "/crl") {
-			field = "crl"
-		}
-
-		// Ensure that the CA is returned if we give it the pre-update time.
-		client.AddHeader("If-Modified-Since", beforeThreeWaySwap.Format(time.RFC1123))
-		resp, err = client.Logical().Read(path)
-		require.NoError(t, err)
-		require.NotNil(t, resp)
-		require.NotNil(t, resp.Data)
-		require.NotEmpty(t, resp.Data[field])
-		client.SetHeaders(lastHeaders)
-		lastHeaders = client.Headers()
-
-		// Ensure that the CA is elided correctly if we give it the after time.
-		client.AddHeader("If-Modified-Since", afterThreeWaySwap.Format(time.RFC1123))
-		resp, err = client.Logical().Read(path)
-		require.NoError(t, err)
-		require.Nil(t, resp)
-		client.SetHeaders(lastHeaders)
-		lastHeaders = client.Headers()
-	}
-
-	// Finally, rebuild the delta CRL and ensure that only that is
-	// invalidated. We first need to enable it though, and wait for
-	// all CRLs to rebuild.
-	_, err = client.Logical().Write("pki/config/crl", map[string]interface{}{
-		"auto_rebuild": true,
-		"enable_delta": true,
-	})
-	require.NoError(t, err)
-	time.Sleep(4 * time.Second)
-	beforeDeltaRotation := time.Now().Add(-2 * time.Second)
-
-	resp, err = client.Logical().Read("pki/crl/rotate-delta")
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-	require.NotNil(t, resp.Data)
-	require.Equal(t, resp.Data["success"], true)
-
-	afterDeltaRotation := time.Now().Add(2 * time.Second)
-
-	for _, path := range []string{"pki/cert/ca", "pki/cert/crl", "pki/issuer/default/json", "pki/issuer/old-root/json", "pki/issuer/new-root/json", "pki/issuer/old-root/crl", "pki/issuer/new-root/crl"} {
-		t.Logf("path: %v", path)
-
-		for _, when := range []time.Time{beforeDeltaRotation, afterDeltaRotation} {
-			client.AddHeader("If-Modified-Since", when.Format(time.RFC1123))
-			resp, err = client.Logical().Read(path)
-			require.NoError(t, err)
-			require.Nil(t, resp)
-			client.SetHeaders(lastHeaders)
-			lastHeaders = client.Headers()
-		}
-	}
-
-	for _, path := range []string{"pki/cert/delta-crl", "pki/issuer/old-root/crl/delta", "pki/issuer/new-root/crl/delta"} {
-		t.Logf("path: %v", path)
-		field := "certificate"
-		if strings.HasPrefix(path, "pki/issuer") && strings.Contains(path, "/crl") {
-			field = "crl"
-		}
-
-		// Ensure that the CRL is present if we give it the pre-update time.
-		client.AddHeader("If-Modified-Since", beforeDeltaRotation.Format(time.RFC1123))
-		resp, err = client.Logical().Read(path)
-		require.NoError(t, err)
-		require.NotNil(t, resp)
-		require.NotNil(t, resp.Data)
-		require.NotEmpty(t, resp.Data[field])
-		client.SetHeaders(lastHeaders)
-		lastHeaders = client.Headers()
-
-		client.AddHeader("If-Modified-Since", afterDeltaRotation.Format(time.RFC1123))
-		resp, err = client.Logical().Read(path)
-		require.NoError(t, err)
-		require.Nil(t, resp)
-		client.SetHeaders(lastHeaders)
-		lastHeaders = client.Headers()
-	}
-}
-
-func TestBackend_InitializeCertificateCounts(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-	ctx := context.Background()
-
-	// Set up an Issuer and Role
-	// We need a root certificate to write/revoke certificates with
-	resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
-		"common_name": "myvault.com",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp == nil {
-		t.Fatal("expected ca info")
-	}
-
-	// Create a role
-	_, err = CBWrite(b, s, "roles/example", map[string]interface{}{
-		"allowed_domains":    "myvault.com",
-		"allow_bare_domains": true,
-		"allow_subdomains":   true,
-		"max_ttl":            "2h",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Put certificates A, B, C, D, E in backend
-	var certificates []string = []string{"a", "b", "c", "d", "e"}
-	serials := make([]string, 5)
-	for i, cn := range certificates {
-		resp, err = CBWrite(b, s, "issue/example", map[string]interface{}{
-			"common_name": cn + ".myvault.com",
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-		serials[i] = resp.Data["serial_number"].(string)
-	}
-
-	// Turn on certificate counting:
-	CBWrite(b, s, "config/auto-tidy", map[string]interface{}{
-		"maintain_stored_certificate_counts":       true,
-		"publish_stored_certificate_count_metrics": false,
-	})
-	// Assert initialize from clean is correct:
-	b.initializeStoredCertificateCounts(ctx)
-
-	// Revoke certificates A + B
-	revocations := serials[0:2]
-	for _, key := range revocations {
-		resp, err = CBWrite(b, s, "revoke", map[string]interface{}{
-			"serial_number": key,
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-	}
-
-	if b.certCount.Load() != 6 {
-		t.Fatalf("Failed to count six certificates root,A,B,C,D,E, instead counted %d certs", b.certCount.Load())
-	}
-	if b.revokedCertCount.Load() != 2 {
-		t.Fatalf("Failed to count two revoked certificates A+B, instead counted %d certs", b.revokedCertCount.Load())
-	}
-
-	// Simulates listing while initialize in progress, by "restarting it"
-	b.certCount.Store(0)
-	b.revokedCertCount.Store(0)
-	b.certsCounted.Store(false)
-
-	// Revoke certificates C, D
-	dirtyRevocations := serials[2:4]
-	for _, key := range dirtyRevocations {
-		resp, err = CBWrite(b, s, "revoke", map[string]interface{}{
-			"serial_number": key,
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-	}
-
-	// Put certificates F, G in the backend
-	dirtyCertificates := []string{"f", "g"}
-	for _, cn := range dirtyCertificates {
-		resp, err = CBWrite(b, s, "issue/example", map[string]interface{}{
-			"common_name": cn + ".myvault.com",
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-	}
-
-	// Run initialize
-	b.initializeStoredCertificateCounts(ctx)
-
-	// Test certificate count
-	if b.certCount.Load() != 8 {
-		t.Fatalf("Failed to initialize count of certificates root, A,B,C,D,E,F,G counted %d certs", b.certCount.Load())
-	}
-
-	if b.revokedCertCount.Load() != 4 {
-		t.Fatalf("Failed to count revoked certificates A,B,C,D counted %d certs", b.revokedCertCount.Load())
-	}
-
-	return
-}
-
-// Verify that our default values are consistent when creating an issuer and when we do an
-// empty POST update to it. This will hopefully identify if we have different default values
-// for fields across the two APIs.
-func TestBackend_VerifyIssuerUpdateDefaultsMatchCreation(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-
-	resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
-		"common_name": "myvault.com",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed generating root issuer")
-
-	resp, err = CBRead(b, s, "issuer/default")
-	requireSuccessNonNilResponse(t, resp, err, "failed reading default issuer")
-	preUpdateValues := resp.Data
-
-	// This field gets reset during issuer update to the empty string
-	// (meaning Go will auto-detect the rev-sig-algo).
-	preUpdateValues["revocation_signature_algorithm"] = ""
-
-	resp, err = CBWrite(b, s, "issuer/default", map[string]interface{}{})
-	requireSuccessNonNilResponse(t, resp, err, "failed updating default issuer with no values")
-
-	resp, err = CBRead(b, s, "issuer/default")
-	requireSuccessNonNilResponse(t, resp, err, "failed reading default issuer")
-	postUpdateValues := resp.Data
-
-	require.Equal(t, preUpdateValues, postUpdateValues,
-		"A value was updated based on the empty update of an issuer, "+
-			"most likely we have a different set of field parameters across create and update of issuers.")
-}
-
-func TestBackend_VerifyPSSKeysIssuersFailImport(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-
-	// PKCS8 parsing fails on this key due to rsaPSS OID
-	rsaOIDKey := `
------BEGIN PRIVATE KEY-----
-MIIEugIBADALBgkqhkiG9w0BAQoEggSmMIIEogIBAAKCAQEAtN0/NPuJHLuyEdBr
-tUikXoXOV741XZcNvLAIVBIqDA0ege2gXt9A15FGUI4X3u6kT16Fl6MRdtUZ/qNS
-Vs15nK9A1PI/AVekMgTVFTnoCzs550CKN8iRk9Om+lwHimpyXxKkFW69v8fsXwKE
-Bsz69jjT7HV9VZQ7fQhmE79brAMuwKP1fUQKdHq5OBKtQ7Cl3Gmipp0izCsVuQIE
-kBHvT3UUgyaSp2n+FONpOiyuBoYUH5tVEv9sZzBqSsrYBJYF+GvfnFy9AcTdqRe2
-VX2SjjWjDF84T30OBA798gIFIPwu9R4OjWOlPeh2bo2kGeo3AITjwFZ28m7kS7kc
-OtvHpwIDAQABAoIBAFQxmjbj0RQbG+3HBBzD0CBgUYnu9ZC3vKFVoMriGci6YrVB
-FSKU8u5mpkDhpKMWnE6GRdItCvgyg4NSLAZUaIRT4O5ARqwtTDYsobTb2/U+gNnx
-5WXKbFpQcK6jIK+ClfNEDjYb8yDPxG0GEsfHrBvqoFy25L1t37N4sWwH7HjJyZIe
-Hbqx4NVDur9qgqaUwkfSeufn4ycHqFtkzKNzCUarDkST9cxE6/1AKfhl09PPuMEa
-lAY2JLiEplQL5sh9cxG5FObJbutJo5EIhR2OdM0VcPf0MTD9LXKRoGR3SNlG7IlS
-llJzBjlh4J1ByMX32btKMHzEvlhyrMI90E1SEGECgYEAx1yDQWe4/b1MBqCxA3d0
-20dDmUHSRQFhkd/Mzkl5dPzRkG42W3ryNbMKdeuL0ZgK9AhfaLCjcj1i+44O7dHb
-qBTVwfRrer2uoQVCqqJ6z8PGxPJJxTaqh9QuJxkoQ0i43ZNPcjc2M2sWLn+lkkdE
-MaGMiyrmjIQEC6tmgCtZ1VUCgYEA6D9xoT9VuAnQjDvW2tO5N2U2H/8ZyRd1pC3z
-H1CzjwShhxsP4YOUaVdw59K95JL4SMxSmpRrhthlW3cRaiT/exBcXLEvz0Qu0OhW
-a6155ZFjK3UaLDKlwvmtuoAsuAFqX084LO0B1oxvUJESgyPncQ36fv2lZGV7A66z
-Uo+BKQsCgYB2yGBMMAjA5nDN4iCV+C7gF+3m+pjWFKSVzcqxfoWndptGeuRYTUDT
-TgIFkHqWPwkHrZVrQxOflYPMbi/m8wr1crSKA5+mWi4aMpAuKvERqYxc/B+IKbIh
-jAKTuSGMNWAwZP0JCGx65mso+VUleuDe0Wpz4PPM9TuT2GQSKcI0oQKBgHAHcouC
-npmo+lU65DgoWzaydrpWdpy+2Tt6AsW/Su4ZIMWoMy/oJaXuzQK2cG0ay/NpxArW
-v0uLhNDrDZZzBF3blYIM4nALhr205UMJqjwntnuXACoDwFvdzoShIXEdFa+l6gYZ
-yYIxudxWLmTd491wDb5GIgrcvMsY8V1I5dfjAoGAM9g2LtdqgPgK33dCDtZpBm8m
-y4ri9PqHxnpps9WJ1dO6MW/YbW+a7vbsmNczdJ6XNLEfy2NWho1dw3xe7ztFVDjF
-cWNUzs1+/6aFsi41UX7EFn3zAFhQUPxT59hXspuWuKbRAWc5fMnxbCfI/Cr8wTLJ
-E/0kiZ4swUMyI4tYSbM=
------END PRIVATE KEY-----
-`
-	_, err := CBWrite(b, s, "issuers/import/bundle", map[string]interface{}{
-		"pem_bundle": rsaOIDKey,
-	})
-	require.Error(t, err, "expected error importing PKCS8 rsaPSS OID key")
-
-	_, err = CBWrite(b, s, "keys/import", map[string]interface{}{
-		"key": rsaOIDKey,
-	})
-	require.Error(t, err, "expected error importing PKCS8 rsaPSS OID key")
-
-	// Importing a cert with rsaPSS OID should also fail
-	rsaOIDCert := `
------BEGIN CERTIFICATE-----
-MIIDfjCCAjGgAwIBAgIBATBCBgkqhkiG9w0BAQowNaAPMA0GCWCGSAFlAwQCAQUA
-oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogQCAgDeMBMxETAPBgNVBAMM
-CHJvb3Qtb2xkMB4XDTIyMDkxNjE0MDEwM1oXDTIzMDkyNjE0MDEwM1owEzERMA8G
-A1UEAwwIcm9vdC1vbGQwggEgMAsGCSqGSIb3DQEBCgOCAQ8AMIIBCgKCAQEAtN0/
-NPuJHLuyEdBrtUikXoXOV741XZcNvLAIVBIqDA0ege2gXt9A15FGUI4X3u6kT16F
-l6MRdtUZ/qNSVs15nK9A1PI/AVekMgTVFTnoCzs550CKN8iRk9Om+lwHimpyXxKk
-FW69v8fsXwKEBsz69jjT7HV9VZQ7fQhmE79brAMuwKP1fUQKdHq5OBKtQ7Cl3Gmi
-pp0izCsVuQIEkBHvT3UUgyaSp2n+FONpOiyuBoYUH5tVEv9sZzBqSsrYBJYF+Gvf
-nFy9AcTdqRe2VX2SjjWjDF84T30OBA798gIFIPwu9R4OjWOlPeh2bo2kGeo3AITj
-wFZ28m7kS7kcOtvHpwIDAQABo3UwczAdBgNVHQ4EFgQUVGkTAUJ8inxIVGBlfxf4
-cDhRSnowHwYDVR0jBBgwFoAUVGkTAUJ8inxIVGBlfxf4cDhRSnowDAYDVR0TBAUw
-AwEB/zAOBgNVHQ8BAf8EBAMCAYYwEwYDVR0lBAwwCgYIKwYBBQUHAwEwQgYJKoZI
-hvcNAQEKMDWgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgB
-ZQMEAgEFAKIEAgIA3gOCAQEAQZ3iQ3NjvS4FYJ5WG41huZI0dkvNFNan+ZYWlYHJ
-MIQhbFogb/UQB0rlsuldG0+HF1RDXoYNuThfzt5hiBWYEtMBNurezvnOn4DF0hrl
-Uk3sBVnvTalVXg+UVjqh9hBGB75JYJl6a5Oa2Zrq++4qGNwjd0FqgnoXzqS5UGuB
-TJL8nlnXPuOIK3VHoXEy7l9GtvEzKcys0xa7g1PYpaJ5D2kpbBJmuQGmU6CDcbP+
-m0hI4QDfVfHtnBp2VMCvhj0yzowtwF4BFIhv4EXZBU10mzxVj0zyKKft9++X8auH
-nebuK22ZwzbPe4NhOvAdfNDElkrrtGvTnzkDB7ezPYjelA==
------END CERTIFICATE-----
-`
-	_, err = CBWrite(b, s, "issuers/import/bundle", map[string]interface{}{
-		"pem_bundle": rsaOIDCert,
-	})
-	require.Error(t, err, "expected error importing PKCS8 rsaPSS OID cert")
-
-	_, err = CBWrite(b, s, "issuers/import/bundle", map[string]interface{}{
-		"pem_bundle": rsaOIDKey + "\n" + rsaOIDCert,
-	})
-	require.Error(t, err, "expected error importing PKCS8 rsaPSS OID key+cert")
-
-	_, err = CBWrite(b, s, "issuers/import/bundle", map[string]interface{}{
-		"pem_bundle": rsaOIDCert + "\n" + rsaOIDKey,
-	})
-	require.Error(t, err, "expected error importing PKCS8 rsaPSS OID cert+key")
-
-	// After all these errors, we should have zero issuers and keys.
-	resp, err := CBList(b, s, "issuers")
-	require.NoError(t, err)
-	require.Equal(t, nil, resp.Data["keys"])
-
-	resp, err = CBList(b, s, "keys")
-	require.NoError(t, err)
-	require.Equal(t, nil, resp.Data["keys"])
-
-	// If we create a new PSS root, we should be able to issue an intermediate
-	// under it.
-	resp, err = CBWrite(b, s, "root/generate/exported", map[string]interface{}{
-		"use_pss":     "true",
-		"common_name": "root x1 - pss",
-		"key_type":    "ec",
-	})
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-	require.NotNil(t, resp.Data)
-	require.NotEmpty(t, resp.Data["certificate"])
-	require.NotEmpty(t, resp.Data["private_key"])
-
-	resp, err = CBWrite(b, s, "intermediate/generate/exported", map[string]interface{}{
-		"use_pss":     "true",
-		"common_name": "int x1 - pss",
-		"key_type":    "ec",
-	})
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-	require.NotNil(t, resp.Data)
-	require.NotEmpty(t, resp.Data["csr"])
-	require.NotEmpty(t, resp.Data["private_key"])
-
-	resp, err = CBWrite(b, s, "issuer/default/sign-intermediate", map[string]interface{}{
-		"use_pss":     "true",
-		"common_name": "int x1 - pss",
-		"csr":         resp.Data["csr"].(string),
-	})
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-	require.NotNil(t, resp.Data)
-	require.NotEmpty(t, resp.Data["certificate"])
-
-	resp, err = CBWrite(b, s, "issuers/import/bundle", map[string]interface{}{
-		"pem_bundle": resp.Data["certificate"].(string),
-	})
-	require.NoError(t, err)
-
-	// Finally, if we were to take an rsaPSS OID'd CSR and use it against this
-	// mount, it will fail.
-	_, err = CBWrite(b, s, "roles/testing", map[string]interface{}{
-		"allow_any_name": true,
-		"ttl":            "85s",
-		"key_type":       "any",
-	})
-	require.NoError(t, err)
-
-	// Issuing a leaf from a CSR with rsaPSS OID should fail...
-	rsaOIDCSR := `-----BEGIN CERTIFICATE REQUEST-----
-MIICkTCCAUQCAQAwGTEXMBUGA1UEAwwOcmFuY2hlci5teS5vcmcwggEgMAsGCSqG
-SIb3DQEBCgOCAQ8AMIIBCgKCAQEAtzHuGEUK55lXI08yp9DXoye9yCZbkJZO+Hej
-1TWGEkbX4hzauRJeNp2+wn8xU5y8ITjWSIXEVDHeezosLCSy0Y2QT7/V45zWPUYY
-ld0oUnPiwsb9CPFlBRFnX3dO9SS5MONIrNCJGKXmLdF3lgSl8zPT6J/hWM+JBjHO
-hBzK6L8IYwmcEujrQfnOnOztzgMEBJtWG8rnI8roz1adpczTddDKGymh2QevjhlL
-X9CLeYSSQZInOMsgaDYl98Hn00K5x0CBp8ADzzXtaPSQ9nsnihN8VvZ/wHw6YbBS
-BSHa6OD+MrYnw3Sao6/YgBRNT2glIX85uro4ARW9zGB9/748dwIDAQABoAAwQgYJ
-KoZIhvcNAQEKMDWgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglg
-hkgBZQMEAgEFAKIEAgIA3gOCAQEARGAa0HiwzWCpvAdLOVc4/srEyOYFZPLbtv+Y
-ezZIaUBNaWhOvkunqpa48avmcbGlji7r6fxJ5sT28lHt7ODWcJfn1XPAnqesXErm
-EBuOIhCv6WiwVyGeTVynuHYkHyw3rIL/zU7N8+zIFV2G2M1UAv5D/eyh/74cr9Of
-+nvm9jAbkHix8UwOBCFY2LLNl6bXvbIeJEdDOEtA9UmDXs8QGBg4lngyqcE2Z7rz
-+5N/x4guMk2FqblbFGiCc5fLB0Gp6lFFOqhX9Q8nLJ6HteV42xGJUUtsFpppNCRm
-82dGIH2PTbXZ0k7iAAwLaPjzOv1v58Wq90o35d4iEsOfJ8v98Q==
------END CERTIFICATE REQUEST-----`
-
-	_, err = CBWrite(b, s, "issuer/default/sign/testing", map[string]interface{}{
-		"common_name": "example.com",
-		"csr":         rsaOIDCSR,
-	})
-	require.Error(t, err)
-
-	_, err = CBWrite(b, s, "issuer/default/sign-verbatim", map[string]interface{}{
-		"common_name": "example.com",
-		"use_pss":     true,
-		"csr":         rsaOIDCSR,
-	})
-	require.Error(t, err)
-
-	_, err = CBWrite(b, s, "issuer/default/sign-intermediate", map[string]interface{}{
-		"common_name": "faulty x1 - pss",
-		"use_pss":     true,
-		"csr":         rsaOIDCSR,
-	})
-	require.Error(t, err)
-
-	// Vault has a weird API for signing self-signed certificates. Ensure
-	// that doesn't accept rsaPSS OID'd certificates either.
-	_, err = CBWrite(b, s, "issuer/default/sign-self-issued", map[string]interface{}{
-		"use_pss":     true,
-		"certificate": rsaOIDCert,
-	})
-	require.Error(t, err)
-
-	// Issuing a regular leaf should succeed.
-	_, err = CBWrite(b, s, "roles/testing", map[string]interface{}{
-		"allow_any_name": true,
-		"ttl":            "85s",
-		"key_type":       "rsa",
-		"use_pss":        "true",
-	})
-	require.NoError(t, err)
-
-	resp, err = CBWrite(b, s, "issuer/default/issue/testing", map[string]interface{}{
-		"common_name": "example.com",
-		"use_pss":     "true",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed to issue PSS leaf")
-}
-
-func TestPKI_EmptyCRLConfigUpgraded(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-
-	// Write an empty CRLConfig into storage.
-	crlConfigEntry, err := logical.StorageEntryJSON("config/crl", &crlConfig{})
-	require.NoError(t, err)
-	err = s.Put(ctx, crlConfigEntry)
-	require.NoError(t, err)
-
-	resp, err := CBRead(b, s, "config/crl")
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-	require.NotNil(t, resp.Data)
-	require.Equal(t, resp.Data["expiry"], defaultCrlConfig.Expiry)
-	require.Equal(t, resp.Data["disable"], defaultCrlConfig.Disable)
-	require.Equal(t, resp.Data["ocsp_disable"], defaultCrlConfig.OcspDisable)
-	require.Equal(t, resp.Data["auto_rebuild"], defaultCrlConfig.AutoRebuild)
-	require.Equal(t, resp.Data["auto_rebuild_grace_period"], defaultCrlConfig.AutoRebuildGracePeriod)
-	require.Equal(t, resp.Data["enable_delta"], defaultCrlConfig.EnableDelta)
-	require.Equal(t, resp.Data["delta_rebuild_interval"], defaultCrlConfig.DeltaRebuildInterval)
-}
-
-func TestPKI_ListRevokedCerts(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-
-	// Test empty cluster
-	resp, err := CBList(b, s, "certs/revoked")
-	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("certs/revoked"), logical.ListOperation), resp, true)
-	requireSuccessNonNilResponse(t, resp, err, "failed listing empty cluster")
-	require.Empty(t, resp.Data, "response map contained data that we did not expect")
-
-	// Set up a mount that we can revoke under (We will create 3 leaf certs, 2 of which will be revoked)
-	resp, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
-		"common_name": "test.com",
-		"key_type":    "ec",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "error generating root CA")
-	requireFieldsSetInResp(t, resp, "serial_number")
-	issuerSerial := resp.Data["serial_number"]
-
-	resp, err = CBWrite(b, s, "roles/test", map[string]interface{}{
-		"allowed_domains":  "test.com",
-		"allow_subdomains": "true",
-		"max_ttl":          "1h",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "error setting up pki role")
-
-	resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
-		"common_name": "test1.test.com",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "error issuing cert 1")
-	requireFieldsSetInResp(t, resp, "serial_number")
-	serial1 := resp.Data["serial_number"]
-
-	resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
-		"common_name": "test2.test.com",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "error issuing cert 2")
-	requireFieldsSetInResp(t, resp, "serial_number")
-	serial2 := resp.Data["serial_number"]
-
-	resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
-		"common_name": "test3.test.com",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "error issuing cert 2")
-	requireFieldsSetInResp(t, resp, "serial_number")
-	serial3 := resp.Data["serial_number"]
-
-	resp, err = CBWrite(b, s, "revoke", map[string]interface{}{"serial_number": serial1})
-	requireSuccessNonNilResponse(t, resp, err, "error revoking cert 1")
-
-	resp, err = CBWrite(b, s, "revoke", map[string]interface{}{"serial_number": serial2})
-	requireSuccessNonNilResponse(t, resp, err, "error revoking cert 2")
-
-	// Test that we get back the expected revoked serial numbers.
-	resp, err = CBList(b, s, "certs/revoked")
-	requireSuccessNonNilResponse(t, resp, err, "failed listing revoked certs")
-	requireFieldsSetInResp(t, resp, "keys")
-	revokedKeys := resp.Data["keys"].([]string)
-
-	require.Contains(t, revokedKeys, serial1)
-	require.Contains(t, revokedKeys, serial2)
-	require.Equal(t, 2, len(revokedKeys), "Expected 2 revoked entries got %d: %v", len(revokedKeys), revokedKeys)
-
-	// Test that listing our certs returns a different response
-	resp, err = CBList(b, s, "certs")
-	requireSuccessNonNilResponse(t, resp, err, "failed listing written certs")
-	requireFieldsSetInResp(t, resp, "keys")
-	certKeys := resp.Data["keys"].([]string)
-
-	require.Contains(t, certKeys, serial1)
-	require.Contains(t, certKeys, serial2)
-	require.Contains(t, certKeys, serial3)
-	require.Contains(t, certKeys, issuerSerial)
-	require.Equal(t, 4, len(certKeys), "Expected 4 cert entries got %d: %v", len(certKeys), certKeys)
-}
-
-func TestPKI_TemplatedAIAs(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-
-	// Setting templated AIAs should succeed.
-	resp, err := CBWrite(b, s, "config/cluster", map[string]interface{}{
-		"path":     "http://localhost:8200/v1/pki",
-		"aia_path": "http://localhost:8200/cdn/pki",
-	})
-	require.NoError(t, err)
-	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("config/cluster"), logical.UpdateOperation), resp, true)
-
-	resp, err = CBRead(b, s, "config/cluster")
-	require.NoError(t, err)
-	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("config/cluster"), logical.ReadOperation), resp, true)
-
-	aiaData := map[string]interface{}{
-		"crl_distribution_points": "{{cluster_path}}/issuer/{{issuer_id}}/crl/der",
-		"issuing_certificates":    "{{cluster_aia_path}}/issuer/{{issuer_id}}/der",
-		"ocsp_servers":            "{{cluster_path}}/ocsp",
-		"enable_templating":       true,
-	}
-	_, err = CBWrite(b, s, "config/urls", aiaData)
-	require.NoError(t, err)
-
-	// Root generation should succeed, but without AIA info.
-	rootData := map[string]interface{}{
-		"common_name": "Long-Lived Root X1",
-		"issuer_name": "long-root-x1",
-		"key_type":    "ec",
-	}
-	resp, err = CBWrite(b, s, "root/generate/internal", rootData)
-	require.NoError(t, err)
-	_, err = CBDelete(b, s, "root")
-	require.NoError(t, err)
-
-	// Clearing the config and regenerating the root should still succeed.
-	_, err = CBWrite(b, s, "config/urls", map[string]interface{}{
-		"crl_distribution_points": "{{cluster_path}}/issuer/my-root-id/crl/der",
-		"issuing_certificates":    "{{cluster_aia_path}}/issuer/my-root-id/der",
-		"ocsp_servers":            "{{cluster_path}}/ocsp",
-		"enable_templating":       true,
-	})
-	require.NoError(t, err)
-	resp, err = CBWrite(b, s, "root/generate/internal", rootData)
-	requireSuccessNonNilResponse(t, resp, err)
-	issuerId := string(resp.Data["issuer_id"].(issuerID))
-
-	// Now write the original AIA config and sign a leaf.
-	_, err = CBWrite(b, s, "config/urls", aiaData)
-	require.NoError(t, err)
-	_, err = CBWrite(b, s, "roles/testing", map[string]interface{}{
-		"allow_any_name": "true",
-		"key_type":       "ec",
-		"ttl":            "50m",
-	})
-	require.NoError(t, err)
-	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
-		"common_name": "example.com",
-	})
-	requireSuccessNonNilResponse(t, resp, err)
-
-	// Validate the AIA info is correctly templated.
-	cert := parseCert(t, resp.Data["certificate"].(string))
-	require.Equal(t, cert.OCSPServer, []string{"http://localhost:8200/v1/pki/ocsp"})
-	require.Equal(t, cert.IssuingCertificateURL, []string{"http://localhost:8200/cdn/pki/issuer/" + issuerId + "/der"})
-	require.Equal(t, cert.CRLDistributionPoints, []string{"http://localhost:8200/v1/pki/issuer/" + issuerId + "/crl/der"})
-
-	// Modify our issuer to set custom AIAs: these URLs are bad.
-	_, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
-		"enable_aia_url_templating": "false",
-		"crl_distribution_points":   "a",
-		"issuing_certificates":      "b",
-		"ocsp_servers":              "c",
-	})
-	require.Error(t, err)
-
-	// These URLs are good.
-	_, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
-		"enable_aia_url_templating": "false",
-		"crl_distribution_points":   "http://localhost/a",
-		"issuing_certificates":      "http://localhost/b",
-		"ocsp_servers":              "http://localhost/c",
-	})
-
-	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
-		"common_name": "example.com",
-	})
-	requireSuccessNonNilResponse(t, resp, err)
-
-	// Validate the AIA info is correctly templated.
-	cert = parseCert(t, resp.Data["certificate"].(string))
-	require.Equal(t, cert.OCSPServer, []string{"http://localhost/c"})
-	require.Equal(t, cert.IssuingCertificateURL, []string{"http://localhost/b"})
-	require.Equal(t, cert.CRLDistributionPoints, []string{"http://localhost/a"})
-
-	// These URLs are bad, but will fail at issuance time due to AIA templating.
-	resp, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
-		"enable_aia_url_templating": "true",
-		"crl_distribution_points":   "a",
-		"issuing_certificates":      "b",
-		"ocsp_servers":              "c",
-	})
-	requireSuccessNonNilResponse(t, resp, err)
-	require.NotEmpty(t, resp.Warnings)
-	_, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
-		"common_name": "example.com",
-	})
-	require.Error(t, err)
-}
-
-func requireSubjectUserIDAttr(t *testing.T, cert string, target string) {
-	xCert := parseCert(t, cert)
-
-	for _, attr := range xCert.Subject.Names {
-		var userID string
-		if attr.Type.Equal(certutil.SubjectPilotUserIDAttributeOID) {
-			if target == "" {
-				t.Fatalf("expected no UserID (OID: %v) subject attributes in cert:\n%v", certutil.SubjectPilotUserIDAttributeOID, cert)
-			}
-
-			switch aValue := attr.Value.(type) {
-			case string:
-				userID = aValue
-			case []byte:
-				userID = string(aValue)
-			default:
-				t.Fatalf("unknown type for UserID attribute: %v\nCert: %v", attr, cert)
-			}
-
-			if userID == target {
-				return
-			}
-		}
-	}
-
-	if target != "" {
-		t.Fatalf("failed to find UserID (OID: %v) matching %v in cert:\n%v", certutil.SubjectPilotUserIDAttributeOID, target, cert)
-	}
-}
-
-func TestUserIDsInLeafCerts(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-
-	// 1. Setup root issuer.
-	resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
-		"common_name": "Vault Root CA",
-		"key_type":    "ec",
-		"ttl":         "7200h",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed generating root issuer")
-
-	// 2. Allow no user IDs.
-	resp, err = CBWrite(b, s, "roles/testing", map[string]interface{}{
-		"allowed_user_ids": "",
-		"key_type":         "ec",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed setting up role")
-
-	// - Issue cert without user IDs should work.
-	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
-		"common_name": "localhost",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
-	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "")
-
-	// - Issue cert with user ID should fail.
-	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
-		"common_name": "localhost",
-		"user_ids":    "humanoid",
-	})
-	require.Error(t, err)
-	require.True(t, resp.IsError())
-
-	// 3. Allow any user IDs.
-	resp, err = CBWrite(b, s, "roles/testing", map[string]interface{}{
-		"allowed_user_ids": "*",
-		"key_type":         "ec",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed setting up role")
-
-	// - Issue cert without user IDs.
-	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
-		"common_name": "localhost",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
-	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "")
-
-	// - Issue cert with one user ID.
-	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
-		"common_name": "localhost",
-		"user_ids":    "humanoid",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
-	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "humanoid")
-
-	// - Issue cert with two user IDs.
-	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
-		"common_name": "localhost",
-		"user_ids":    "humanoid,robot",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
-	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "humanoid")
-	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "robot")
-
-	// 4. Allow one specific user ID.
-	resp, err = CBWrite(b, s, "roles/testing", map[string]interface{}{
-		"allowed_user_ids": "humanoid",
-		"key_type":         "ec",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed setting up role")
-
-	// - Issue cert without user IDs.
-	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
-		"common_name": "localhost",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
-	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "")
-
-	// - Issue cert with approved ID.
-	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
-		"common_name": "localhost",
-		"user_ids":    "humanoid",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
-	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "humanoid")
-
-	// - Issue cert with non-approved user ID should fail.
-	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
-		"common_name": "localhost",
-		"user_ids":    "robot",
-	})
-	require.Error(t, err)
-	require.True(t, resp.IsError())
-
-	// - Issue cert with one approved and one non-approved should also fail.
-	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
-		"common_name": "localhost",
-		"user_ids":    "humanoid,robot",
-	})
-	require.Error(t, err)
-	require.True(t, resp.IsError())
-
-	// 5. Allow two specific user IDs.
-	resp, err = CBWrite(b, s, "roles/testing", map[string]interface{}{
-		"allowed_user_ids": "humanoid,robot",
-		"key_type":         "ec",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed setting up role")
-
-	// - Issue cert without user IDs.
-	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
-		"common_name": "localhost",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
-	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "")
-
-	// - Issue cert with one approved ID.
-	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
-		"common_name": "localhost",
-		"user_ids":    "humanoid",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
-	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "humanoid")
-
-	// - Issue cert with other user ID.
-	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
-		"common_name": "localhost",
-		"user_ids":    "robot",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
-	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "robot")
-
-	// - Issue cert with unknown user ID will fail.
-	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
-		"common_name": "localhost",
-		"user_ids":    "robot2",
-	})
-	require.Error(t, err)
-	require.True(t, resp.IsError())
-
-	// - Issue cert with both should succeed.
-	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
-		"common_name": "localhost",
-		"user_ids":    "humanoid,robot",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
-	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "humanoid")
-	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "robot")
-
-	// 6. Use a glob.
-	resp, err = CBWrite(b, s, "roles/testing", map[string]interface{}{
-		"allowed_user_ids": "human*",
-		"key_type":         "ec",
-		"use_csr_sans":     true, // setup for further testing.
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed setting up role")
-
-	// - Issue cert without user IDs.
-	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
-		"common_name": "localhost",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
-	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "")
-
-	// - Issue cert with approved ID.
-	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
-		"common_name": "localhost",
-		"user_ids":    "humanoid",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
-	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "humanoid")
-
-	// - Issue cert with another approved ID.
-	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
-		"common_name": "localhost",
-		"user_ids":    "human",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
-	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "human")
-
-	// - Issue cert with literal glob.
-	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
-		"common_name": "localhost",
-		"user_ids":    "human*",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
-	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "human*")
-
-	// - Still no robotic certs are allowed; will fail.
-	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
-		"common_name": "localhost",
-		"user_ids":    "robot",
-	})
-	require.Error(t, err)
-	require.True(t, resp.IsError())
-
-	// Create a CSR and validate it works with both sign/ and sign-verbatim.
-	csrTemplate := x509.CertificateRequest{
-		Subject: pkix.Name{
-			CommonName: "localhost",
-			ExtraNames: []pkix.AttributeTypeAndValue{
-				{
-					Type:  certutil.SubjectPilotUserIDAttributeOID,
-					Value: "humanoid",
-				},
-			},
-		},
-	}
-	_, _, csrPem := generateCSR(t, &csrTemplate, "ec", 256)
-
-	// Should work with role-based signing.
-	resp, err = CBWrite(b, s, "sign/testing", map[string]interface{}{
-		"csr": csrPem,
-	})
-	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("sign/testing"), logical.UpdateOperation), resp, true)
-	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
-	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "humanoid")
-
-	// - Definitely will work with sign-verbatim.
-	resp, err = CBWrite(b, s, "sign-verbatim", map[string]interface{}{
-		"csr": csrPem,
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
-	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "humanoid")
-}
-
-// TestStandby_Operations test proper forwarding for PKI requests from a standby node to the
-// active node within a cluster.
-func TestStandby_Operations(t *testing.T) {
-	conf, opts := teststorage.ClusterSetup(&vault.CoreConfig{
-		LogicalBackends: map[string]logical.Factory{
-			"pki": Factory,
-		},
-	}, nil, teststorage.InmemBackendSetup)
-	cluster := vault.NewTestCluster(t, conf, opts)
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	testhelpers.WaitForActiveNodeAndStandbys(t, cluster)
-	standbyCores := testhelpers.DeriveStandbyCores(t, cluster)
-	require.Greater(t, len(standbyCores), 0, "Need at least one standby core.")
-	client := standbyCores[0].Client
-
-	mountPKIEndpoint(t, client, "pki")
-
-	_, err := client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
-		"key_type":    "ec",
-		"common_name": "root-ca.com",
-		"ttl":         "600h",
-	})
-	require.NoError(t, err, "error setting up pki role: %v", err)
-
-	_, err = client.Logical().Write("pki/roles/example", map[string]interface{}{
-		"allowed_domains":  "example.com",
-		"allow_subdomains": "true",
-		"no_store":         "false", // make sure we store this cert
-		"ttl":              "5h",
-		"key_type":         "ec",
-	})
-	require.NoError(t, err, "error setting up pki role: %v", err)
-
-	resp, err := client.Logical().Write("pki/issue/example", map[string]interface{}{
-		"common_name": "test.example.com",
-	})
-	require.NoError(t, err, "error issuing certificate: %v", err)
-	require.NotNil(t, resp, "got nil response from issuing request")
-	serialOfCert := resp.Data["serial_number"].(string)
-
-	resp, err = client.Logical().Write("pki/revoke", map[string]interface{}{
-		"serial_number": serialOfCert,
-	})
-	require.NoError(t, err, "error revoking certificate: %v", err)
-	require.NotNil(t, resp, "got nil response from revoke request")
-}
-
-type pathAuthCheckerFunc func(t *testing.T, client *api.Client, path string, token string)
-
-func isPermDenied(err error) bool {
-	return err != nil && strings.Contains(err.Error(), "permission denied")
-}
-
-func isUnsupportedPathOperation(err error) bool {
-	return err != nil && (strings.Contains(err.Error(), "unsupported path") || strings.Contains(err.Error(), "unsupported operation"))
-}
-
-func isDeniedOp(err error) bool {
-	return isPermDenied(err) || isUnsupportedPathOperation(err)
-}
-
-func pathShouldBeAuthed(t *testing.T, client *api.Client, path string, token string) {
-	client.SetToken("")
-	resp, err := client.Logical().ReadWithContext(ctx, path)
-	if err == nil || !isPermDenied(err) {
-		t.Fatalf("expected failure to read %v while unauthed: %v / %v", path, err, resp)
-	}
-	resp, err = client.Logical().ListWithContext(ctx, path)
-	if err == nil || !isPermDenied(err) {
-		t.Fatalf("expected failure to list %v while unauthed: %v / %v", path, err, resp)
-	}
-	resp, err = client.Logical().WriteWithContext(ctx, path, map[string]interface{}{})
-	if err == nil || !isPermDenied(err) {
-		t.Fatalf("expected failure to write %v while unauthed: %v / %v", path, err, resp)
-	}
-	resp, err = client.Logical().DeleteWithContext(ctx, path)
-	if err == nil || !isPermDenied(err) {
-		t.Fatalf("expected failure to delete %v while unauthed: %v / %v", path, err, resp)
-	}
-	resp, err = client.Logical().JSONMergePatch(ctx, path, map[string]interface{}{})
-	if err == nil || !isPermDenied(err) {
-		t.Fatalf("expected failure to patch %v while unauthed: %v / %v", path, err, resp)
-	}
-}
-
-func pathShouldBeUnauthedReadList(t *testing.T, client *api.Client, path string, token string) {
-	// Should be able to read both with and without a token.
-	client.SetToken("")
-	resp, err := client.Logical().ReadWithContext(ctx, path)
-	if err != nil && isPermDenied(err) {
-		// Read will sometimes return permission denied, when the handler
-		// does not support the given operation. Retry with the token.
-		client.SetToken(token)
-		resp2, err2 := client.Logical().ReadWithContext(ctx, path)
-		if err2 != nil && !isUnsupportedPathOperation(err2) {
-			t.Fatalf("unexpected failure to read %v while unauthed: %v / %v\nWhile authed: %v / %v", path, err, resp, err2, resp2)
-		}
-		client.SetToken("")
-	}
-	resp, err = client.Logical().ListWithContext(ctx, path)
-	if err != nil && isPermDenied(err) {
-		// List will sometimes return permission denied, when the handler
-		// does not support the given operation. Retry with the token.
-		client.SetToken(token)
-		resp2, err2 := client.Logical().ListWithContext(ctx, path)
-		if err2 != nil && !isUnsupportedPathOperation(err2) {
-			t.Fatalf("unexpected failure to list %v while unauthed: %v / %v\nWhile authed: %v / %v", path, err, resp, err2, resp2)
-		}
-		client.SetToken("")
-	}
-
-	// These should all be denied.
-	resp, err = client.Logical().WriteWithContext(ctx, path, map[string]interface{}{})
-	if err == nil || !isDeniedOp(err) {
-		if !strings.Contains(path, "ocsp") || !strings.Contains(err.Error(), "Code: 40") {
-			t.Fatalf("unexpected failure during write on read-only path %v while unauthed: %v / %v", path, err, resp)
-		}
-	}
-	resp, err = client.Logical().DeleteWithContext(ctx, path)
-	if err == nil || !isDeniedOp(err) {
-		t.Fatalf("unexpected failure during delete on read-only path %v while unauthed: %v / %v", path, err, resp)
-	}
-	resp, err = client.Logical().JSONMergePatch(ctx, path, map[string]interface{}{})
-	if err == nil || !isDeniedOp(err) {
-		t.Fatalf("unexpected failure during patch on read-only path %v while unauthed: %v / %v", path, err, resp)
-	}
-
-	// Retrying with token should allow read/list, but not modification still.
-	client.SetToken(token)
-	resp, err = client.Logical().ReadWithContext(ctx, path)
-	if err != nil && isPermDenied(err) {
-		t.Fatalf("unexpected failure to read %v while authed: %v / %v", path, err, resp)
-	}
-	resp, err = client.Logical().ListWithContext(ctx, path)
-	if err != nil && isPermDenied(err) {
-		t.Fatalf("unexpected failure to list %v while authed: %v / %v", path, err, resp)
-	}
-
-	// Should all be denied.
-	resp, err = client.Logical().WriteWithContext(ctx, path, map[string]interface{}{})
-	if err == nil || !isDeniedOp(err) {
-		if !strings.Contains(path, "ocsp") || !strings.Contains(err.Error(), "Code: 40") {
-			t.Fatalf("unexpected failure during write on read-only path %v while authed: %v / %v", path, err, resp)
-		}
-	}
-	resp, err = client.Logical().DeleteWithContext(ctx, path)
-	if err == nil || !isDeniedOp(err) {
-		t.Fatalf("unexpected failure during delete on read-only path %v while authed: %v / %v", path, err, resp)
-	}
-	resp, err = client.Logical().JSONMergePatch(ctx, path, map[string]interface{}{})
-	if err == nil || !isDeniedOp(err) {
-		t.Fatalf("unexpected failure during patch on read-only path %v while authed: %v / %v", path, err, resp)
-	}
-}
-
-func pathShouldBeUnauthedWriteOnly(t *testing.T, client *api.Client, path string, token string) {
-	client.SetToken("")
-	resp, err := client.Logical().WriteWithContext(ctx, path, map[string]interface{}{})
-	if err != nil && isPermDenied(err) {
-		t.Fatalf("unexpected failure to write %v while unauthed: %v / %v", path, err, resp)
-	}
-
-	// These should all be denied. However, on OSS, we might end up with
-	// a regular 404, which looks like err == resp == nil; hence we only
-	// fail when there's a non-nil response and/or a non-nil err.
-	resp, err = client.Logical().ReadWithContext(ctx, path)
-	if (err == nil && resp != nil) || (err != nil && !isDeniedOp(err)) {
-		t.Fatalf("unexpected failure during read on write-only path %v while unauthed: %v / %v", path, err, resp)
-	}
-	resp, err = client.Logical().ListWithContext(ctx, path)
-	if (err == nil && resp != nil) || (err != nil && !isDeniedOp(err)) {
-		t.Fatalf("unexpected failure during list on write-only path %v while unauthed: %v / %v", path, err, resp)
-	}
-	resp, err = client.Logical().DeleteWithContext(ctx, path)
-	if (err == nil && resp != nil) || (err != nil && !isDeniedOp(err)) {
-		t.Fatalf("unexpected failure during delete on write-only path %v while unauthed: %v / %v", path, err, resp)
-	}
-	resp, err = client.Logical().JSONMergePatch(ctx, path, map[string]interface{}{})
-	if (err == nil && resp != nil) || (err != nil && !isDeniedOp(err)) {
-		t.Fatalf("unexpected failure during patch on write-only path %v while unauthed: %v / %v", path, err, resp)
-	}
-
-	// Retrying with token should allow writing, but nothing else.
-	client.SetToken(token)
-	resp, err = client.Logical().WriteWithContext(ctx, path, map[string]interface{}{})
-	if err != nil && isPermDenied(err) {
-		t.Fatalf("unexpected failure to write %v while unauthed: %v / %v", path, err, resp)
-	}
-
-	// These should all be denied.
-	resp, err = client.Logical().ReadWithContext(ctx, path)
-	if (err == nil && resp != nil) || (err != nil && !isDeniedOp(err)) {
-		t.Fatalf("unexpected failure during read on write-only path %v while authed: %v / %v", path, err, resp)
-	}
-	resp, err = client.Logical().ListWithContext(ctx, path)
-	if (err == nil && resp != nil) || (err != nil && !isDeniedOp(err)) {
-		if resp != nil || err != nil {
-			t.Fatalf("unexpected failure during list on write-only path %v while authed: %v / %v", path, err, resp)
-		}
-	}
-	resp, err = client.Logical().DeleteWithContext(ctx, path)
-	if (err == nil && resp != nil) || (err != nil && !isDeniedOp(err)) {
-		t.Fatalf("unexpected failure during delete on write-only path %v while authed: %v / %v", path, err, resp)
-	}
-	resp, err = client.Logical().JSONMergePatch(ctx, path, map[string]interface{}{})
-	if (err == nil && resp != nil) || (err != nil && !isDeniedOp(err)) {
-		t.Fatalf("unexpected failure during patch on write-only path %v while authed: %v / %v", path, err, resp)
-	}
-}
-
-type pathAuthChecker int
-
-const (
-	shouldBeAuthed pathAuthChecker = iota
-	shouldBeUnauthedReadList
-	shouldBeUnauthedWriteOnly
-)
-
-var pathAuthChckerMap = map[pathAuthChecker]pathAuthCheckerFunc{
-	shouldBeAuthed:            pathShouldBeAuthed,
-	shouldBeUnauthedReadList:  pathShouldBeUnauthedReadList,
-	shouldBeUnauthedWriteOnly: pathShouldBeUnauthedWriteOnly,
-}
-
-func TestProperAuthing(t *testing.T) {
-	t.Parallel()
-	ctx := context.Background()
-	coreConfig := &vault.CoreConfig{
-		LogicalBackends: map[string]logical.Factory{
-			"pki": Factory,
-		},
-	}
-	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
-		HandlerFunc: vaulthttp.Handler,
-	})
-	cluster.Start()
-	defer cluster.Cleanup()
-	client := cluster.Cores[0].Client
-	token := client.Token()
-
-	// Mount PKI.
-	err := client.Sys().MountWithContext(ctx, "pki", &api.MountInput{
-		Type: "pki",
-		Config: api.MountConfigInput{
-			DefaultLeaseTTL: "16h",
-			MaxLeaseTTL:     "60h",
-		},
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Setup basic configuration.
-	_, err = client.Logical().WriteWithContext(ctx, "pki/root/generate/internal", map[string]interface{}{
-		"ttl":         "40h",
-		"common_name": "myvault.com",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = client.Logical().WriteWithContext(ctx, "pki/roles/test", map[string]interface{}{
-		"allow_localhost": true,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	resp, err := client.Logical().WriteWithContext(ctx, "pki/issue/test", map[string]interface{}{
-		"common_name": "localhost",
-	})
-	if err != nil || resp == nil {
-		t.Fatal(err)
-	}
-	serial := resp.Data["serial_number"].(string)
-	eabKid := "13b80844-e60d-42d2-b7e9-152a8e834b90"
-	paths := map[string]pathAuthChecker{
-		"ca_chain":                               shouldBeUnauthedReadList,
-		"cert/ca_chain":                          shouldBeUnauthedReadList,
-		"ca":                                     shouldBeUnauthedReadList,
-		"ca/pem":                                 shouldBeUnauthedReadList,
-		"cert/" + serial:                         shouldBeUnauthedReadList,
-		"cert/" + serial + "/raw":                shouldBeUnauthedReadList,
-		"cert/" + serial + "/raw/pem":            shouldBeUnauthedReadList,
-		"cert/crl":                               shouldBeUnauthedReadList,
-		"cert/crl/raw":                           shouldBeUnauthedReadList,
-		"cert/crl/raw/pem":                       shouldBeUnauthedReadList,
-		"cert/delta-crl":                         shouldBeUnauthedReadList,
-		"cert/delta-crl/raw":                     shouldBeUnauthedReadList,
-		"cert/delta-crl/raw/pem":                 shouldBeUnauthedReadList,
-		"cert/unified-crl":                       shouldBeUnauthedReadList,
-		"cert/unified-crl/raw":                   shouldBeUnauthedReadList,
-		"cert/unified-crl/raw/pem":               shouldBeUnauthedReadList,
-		"cert/unified-delta-crl":                 shouldBeUnauthedReadList,
-		"cert/unified-delta-crl/raw":             shouldBeUnauthedReadList,
-		"cert/unified-delta-crl/raw/pem":         shouldBeUnauthedReadList,
-		"certs/":                                 shouldBeAuthed,
-		"certs/revoked/":                         shouldBeAuthed,
-		"certs/revocation-queue/":                shouldBeAuthed,
-		"certs/unified-revoked/":                 shouldBeAuthed,
-		"config/acme":                            shouldBeAuthed,
-		"config/auto-tidy":                       shouldBeAuthed,
-		"config/ca":                              shouldBeAuthed,
-		"config/cluster":                         shouldBeAuthed,
-		"config/crl":                             shouldBeAuthed,
-		"config/issuers":                         shouldBeAuthed,
-		"config/keys":                            shouldBeAuthed,
-		"config/urls":                            shouldBeAuthed,
-		"crl":                                    shouldBeUnauthedReadList,
-		"crl/pem":                                shouldBeUnauthedReadList,
-		"crl/delta":                              shouldBeUnauthedReadList,
-		"crl/delta/pem":                          shouldBeUnauthedReadList,
-		"crl/rotate":                             shouldBeAuthed,
-		"crl/rotate-delta":                       shouldBeAuthed,
-		"intermediate/cross-sign":                shouldBeAuthed,
-		"intermediate/generate/exported":         shouldBeAuthed,
-		"intermediate/generate/internal":         shouldBeAuthed,
-		"intermediate/generate/existing":         shouldBeAuthed,
-		"intermediate/generate/kms":              shouldBeAuthed,
-		"intermediate/set-signed":                shouldBeAuthed,
-		"issue/test":                             shouldBeAuthed,
-		"issuer/default":                         shouldBeAuthed,
-		"issuer/default/der":                     shouldBeUnauthedReadList,
-		"issuer/default/json":                    shouldBeUnauthedReadList,
-		"issuer/default/pem":                     shouldBeUnauthedReadList,
-		"issuer/default/crl":                     shouldBeUnauthedReadList,
-		"issuer/default/crl/pem":                 shouldBeUnauthedReadList,
-		"issuer/default/crl/der":                 shouldBeUnauthedReadList,
-		"issuer/default/crl/delta":               shouldBeUnauthedReadList,
-		"issuer/default/crl/delta/der":           shouldBeUnauthedReadList,
-		"issuer/default/crl/delta/pem":           shouldBeUnauthedReadList,
-		"issuer/default/unified-crl":             shouldBeUnauthedReadList,
-		"issuer/default/unified-crl/pem":         shouldBeUnauthedReadList,
-		"issuer/default/unified-crl/der":         shouldBeUnauthedReadList,
-		"issuer/default/unified-crl/delta":       shouldBeUnauthedReadList,
-		"issuer/default/unified-crl/delta/der":   shouldBeUnauthedReadList,
-		"issuer/default/unified-crl/delta/pem":   shouldBeUnauthedReadList,
-		"issuer/default/issue/test":              shouldBeAuthed,
-		"issuer/default/resign-crls":             shouldBeAuthed,
-		"issuer/default/revoke":                  shouldBeAuthed,
-		"issuer/default/sign-intermediate":       shouldBeAuthed,
-		"issuer/default/sign-revocation-list":    shouldBeAuthed,
-		"issuer/default/sign-self-issued":        shouldBeAuthed,
-		"issuer/default/sign-verbatim":           shouldBeAuthed,
-		"issuer/default/sign-verbatim/test":      shouldBeAuthed,
-		"issuer/default/sign/test":               shouldBeAuthed,
-		"issuers/":                               shouldBeUnauthedReadList,
-		"issuers/generate/intermediate/exported": shouldBeAuthed,
-		"issuers/generate/intermediate/internal": shouldBeAuthed,
-		"issuers/generate/intermediate/existing": shouldBeAuthed,
-		"issuers/generate/intermediate/kms":      shouldBeAuthed,
-		"issuers/generate/root/exported":         shouldBeAuthed,
-		"issuers/generate/root/internal":         shouldBeAuthed,
-		"issuers/generate/root/existing":         shouldBeAuthed,
-		"issuers/generate/root/kms":              shouldBeAuthed,
-		"issuers/import/cert":                    shouldBeAuthed,
-		"issuers/import/bundle":                  shouldBeAuthed,
-		"key/default":                            shouldBeAuthed,
-		"keys/":                                  shouldBeAuthed,
-		"keys/generate/internal":                 shouldBeAuthed,
-		"keys/generate/exported":                 shouldBeAuthed,
-		"keys/generate/kms":                      shouldBeAuthed,
-		"keys/import":                            shouldBeAuthed,
-		"ocsp":                                   shouldBeUnauthedWriteOnly,
-		"ocsp/dGVzdAo=":                          shouldBeUnauthedReadList,
-		"revoke":                                 shouldBeAuthed,
-		"revoke-with-key":                        shouldBeAuthed,
-		"roles/test":                             shouldBeAuthed,
-		"roles/":                                 shouldBeAuthed,
-		"root":                                   shouldBeAuthed,
-		"root/generate/exported":                 shouldBeAuthed,
-		"root/generate/internal":                 shouldBeAuthed,
-		"root/generate/existing":                 shouldBeAuthed,
-		"root/generate/kms":                      shouldBeAuthed,
-		"root/replace":                           shouldBeAuthed,
-		"root/rotate/internal":                   shouldBeAuthed,
-		"root/rotate/exported":                   shouldBeAuthed,
-		"root/rotate/existing":                   shouldBeAuthed,
-		"root/rotate/kms":                        shouldBeAuthed,
-		"root/sign-intermediate":                 shouldBeAuthed,
-		"root/sign-self-issued":                  shouldBeAuthed,
-		"sign-verbatim":                          shouldBeAuthed,
-		"sign-verbatim/test":                     shouldBeAuthed,
-		"sign/test":                              shouldBeAuthed,
-		"tidy":                                   shouldBeAuthed,
-		"tidy-cancel":                            shouldBeAuthed,
-		"tidy-status":                            shouldBeAuthed,
-		"unified-crl":                            shouldBeUnauthedReadList,
-		"unified-crl/pem":                        shouldBeUnauthedReadList,
-		"unified-crl/delta":                      shouldBeUnauthedReadList,
-		"unified-crl/delta/pem":                  shouldBeUnauthedReadList,
-		"unified-ocsp":                           shouldBeUnauthedWriteOnly,
-		"unified-ocsp/dGVzdAo=":                  shouldBeUnauthedReadList,
-		"eab/":                                   shouldBeAuthed,
-		"eab/" + eabKid:                          shouldBeAuthed,
-	}
-
-	entPaths := getEntProperAuthingPaths(serial)
-	maps.Copy(paths, entPaths)
-
-	// Add ACME based paths to the test suite
-	ossAcmePrefixes := []string{"acme/", "issuer/default/acme/", "roles/test/acme/", "issuer/default/roles/test/acme/"}
-	entAcmePrefixes := getEntAcmePrefixes()
-	for _, acmePrefix := range append(ossAcmePrefixes, entAcmePrefixes...) {
-		paths[acmePrefix+"directory"] = shouldBeUnauthedReadList
-		paths[acmePrefix+"new-nonce"] = shouldBeUnauthedReadList
-		paths[acmePrefix+"new-account"] = shouldBeUnauthedWriteOnly
-		paths[acmePrefix+"revoke-cert"] = shouldBeUnauthedWriteOnly
-		paths[acmePrefix+"new-order"] = shouldBeUnauthedWriteOnly
-		paths[acmePrefix+"orders"] = shouldBeUnauthedWriteOnly
-		paths[acmePrefix+"account/hrKmDYTvicHoHGVN2-3uzZV_BPGdE0W_dNaqYTtYqeo="] = shouldBeUnauthedWriteOnly
-		paths[acmePrefix+"authorization/29da8c38-7a09-465e-b9a6-3d76802b1afd"] = shouldBeUnauthedWriteOnly
-		paths[acmePrefix+"challenge/29da8c38-7a09-465e-b9a6-3d76802b1afd/http-01"] = shouldBeUnauthedWriteOnly
-		paths[acmePrefix+"order/13b80844-e60d-42d2-b7e9-152a8e834b90"] = shouldBeUnauthedWriteOnly
-		paths[acmePrefix+"order/13b80844-e60d-42d2-b7e9-152a8e834b90/finalize"] = shouldBeUnauthedWriteOnly
-		paths[acmePrefix+"order/13b80844-e60d-42d2-b7e9-152a8e834b90/cert"] = shouldBeUnauthedWriteOnly
-
-		// Make sure this new-eab path is auth'd
-		paths[acmePrefix+"new-eab"] = shouldBeAuthed
-	}
-
-	for path, checkerType := range paths {
-		checker := pathAuthChckerMap[checkerType]
-		checker(t, client, "pki/"+path, token)
-	}
-
-	client.SetToken(token)
-	openAPIResp, err := client.Logical().ReadWithContext(ctx, "sys/internal/specs/openapi")
-	if err != nil {
-		t.Fatalf("failed to get openapi data: %v", err)
-	}
-
-	validatedPath := false
-	for openapi_path, raw_data := range openAPIResp.Data["paths"].(map[string]interface{}) {
-		if !strings.HasPrefix(openapi_path, "/pki/") {
-			t.Logf("Skipping path: %v", openapi_path)
-			continue
-		}
-
-		t.Logf("Validating path: %v", openapi_path)
-		validatedPath = true
-		// Substitute values in from our testing map.
-		raw_path := openapi_path[5:]
-		if strings.Contains(raw_path, "roles/") && strings.Contains(raw_path, "{name}") {
-			raw_path = strings.ReplaceAll(raw_path, "{name}", "test")
-		}
-		if strings.Contains(raw_path, "{role}") {
-			raw_path = strings.ReplaceAll(raw_path, "{role}", "test")
-		}
-		if strings.Contains(raw_path, "ocsp/") && strings.Contains(raw_path, "{req}") {
-			raw_path = strings.ReplaceAll(raw_path, "{req}", "dGVzdAo=")
-		}
-		if strings.Contains(raw_path, "{issuer_ref}") {
-			raw_path = strings.ReplaceAll(raw_path, "{issuer_ref}", "default")
-		}
-		if strings.Contains(raw_path, "{key_ref}") {
-			raw_path = strings.ReplaceAll(raw_path, "{key_ref}", "default")
-		}
-		if strings.Contains(raw_path, "{exported}") {
-			raw_path = strings.ReplaceAll(raw_path, "{exported}", "internal")
-		}
-		if strings.Contains(raw_path, "{serial}") {
-			raw_path = strings.ReplaceAll(raw_path, "{serial}", serial)
-		}
-		if strings.Contains(raw_path, "acme/account/") && strings.Contains(raw_path, "{kid}") {
-			raw_path = strings.ReplaceAll(raw_path, "{kid}", "hrKmDYTvicHoHGVN2-3uzZV_BPGdE0W_dNaqYTtYqeo=")
-		}
-		if strings.Contains(raw_path, "acme/") && strings.Contains(raw_path, "{auth_id}") {
-			raw_path = strings.ReplaceAll(raw_path, "{auth_id}", "29da8c38-7a09-465e-b9a6-3d76802b1afd")
-		}
-		if strings.Contains(raw_path, "acme/") && strings.Contains(raw_path, "{challenge_type}") {
-			raw_path = strings.ReplaceAll(raw_path, "{challenge_type}", "http-01")
-		}
-		if strings.Contains(raw_path, "acme/") && strings.Contains(raw_path, "{order_id}") {
-			raw_path = strings.ReplaceAll(raw_path, "{order_id}", "13b80844-e60d-42d2-b7e9-152a8e834b90")
-		}
-		if strings.Contains(raw_path, "eab") && strings.Contains(raw_path, "{key_id}") {
-			raw_path = strings.ReplaceAll(raw_path, "{key_id}", eabKid)
-		}
-		if strings.Contains(raw_path, "external-policy/") && strings.Contains(raw_path, "{policy}") {
-			raw_path = strings.ReplaceAll(raw_path, "{policy}", "a-policy")
-		}
-
-		raw_path = entProperAuthingPathReplacer(raw_path)
-
-		handler, present := paths[raw_path]
-		if !present {
-			t.Fatalf("OpenAPI reports PKI mount contains %v -> %v but was not tested to be authed or not authed.",
-				openapi_path, raw_path)
-		}
-
-		openapi_data := raw_data.(map[string]interface{})
-		hasList := false
-		rawGetData, hasGet := openapi_data["get"]
-		if hasGet {
-			getData := rawGetData.(map[string]interface{})
-			getParams, paramsPresent := getData["parameters"].(map[string]interface{})
-			if getParams != nil && paramsPresent {
-				if _, hasList = getParams["list"]; hasList {
-					// LIST is exclusive from GET on the same endpoint usually.
-					hasGet = false
-				}
-			}
-		}
-		_, hasPost := openapi_data["post"]
-		_, hasDelete := openapi_data["delete"]
-
-		if handler == shouldBeUnauthedReadList {
-			if hasPost || hasDelete {
-				t.Fatalf("Unauthed read-only endpoints should not have POST/DELETE capabilities: %v->%v", openapi_path, raw_path)
-			}
-		} else if handler == shouldBeUnauthedWriteOnly {
-			if hasGet || hasList {
-				t.Fatalf("Unauthed write-only endpoints should not have GET/LIST capabilities: %v->%v", openapi_path, raw_path)
-			}
-		}
-	}
-
-	if !validatedPath {
-		t.Fatalf("Expected to have validated at least one path.")
-	}
-}
-
-func TestPatchIssuer(t *testing.T) {
-	t.Parallel()
-
-	type TestCase struct {
-		Field   string
-		Before  interface{}
-		Patched interface{}
-	}
-	testCases := []TestCase{
-		{
-			Field:   "issuer_name",
-			Before:  "root",
-			Patched: "root-new",
-		},
-		{
-			Field:   "leaf_not_after_behavior",
-			Before:  "err",
-			Patched: "permit",
-		},
-		{
-			Field:   "usage",
-			Before:  "crl-signing,issuing-certificates,ocsp-signing,read-only",
-			Patched: "issuing-certificates,read-only",
-		},
-		{
-			Field:   "revocation_signature_algorithm",
-			Before:  "ECDSAWithSHA256",
-			Patched: "ECDSAWithSHA384",
-		},
-		{
-			Field:   "issuing_certificates",
-			Before:  []string{"http://localhost/v1/pki-1/ca"},
-			Patched: []string{"http://localhost/v1/pki/ca"},
-		},
-		{
-			Field:   "crl_distribution_points",
-			Before:  []string{"http://localhost/v1/pki-1/crl"},
-			Patched: []string{"http://localhost/v1/pki/crl"},
-		},
-		{
-			Field:   "ocsp_servers",
-			Before:  []string{"http://localhost/v1/pki-1/ocsp"},
-			Patched: []string{"http://localhost/v1/pki/ocsp"},
-		},
-		{
-			Field:   "enable_aia_url_templating",
-			Before:  false,
-			Patched: true,
-		},
-		{
-			Field:   "manual_chain",
-			Before:  []string(nil),
-			Patched: []string{"self"},
-		},
-	}
-
-	for index, testCase := range testCases {
-		t.Logf("index: %v / tc: %v", index, testCase)
-
-		b, s := CreateBackendWithStorage(t)
-
-		// 1. Setup root issuer.
-		resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
-			"common_name": "Vault Root CA",
-			"key_type":    "ec",
-			"ttl":         "7200h",
-			"issuer_name": "root",
-		})
-		requireSuccessNonNilResponse(t, resp, err, "failed generating root issuer")
-		id := string(resp.Data["issuer_id"].(issuerID))
-
-		// 2. Enable Cluster paths
-		resp, err = CBWrite(b, s, "config/urls", map[string]interface{}{
-			"path":     "https://localhost/v1/pki",
-			"aia_path": "http://localhost/v1/pki",
-		})
-		requireSuccessNonNilResponse(t, resp, err, "failed updating AIA config")
-
-		// 3. Add AIA information
-		resp, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
-			"issuing_certificates":    "http://localhost/v1/pki-1/ca",
-			"crl_distribution_points": "http://localhost/v1/pki-1/crl",
-			"ocsp_servers":            "http://localhost/v1/pki-1/ocsp",
-		})
-		requireSuccessNonNilResponse(t, resp, err, "failed setting up issuer")
-
-		// 4. Read the issuer before.
-		resp, err = CBRead(b, s, "issuer/default")
-		requireSuccessNonNilResponse(t, resp, err, "failed reading root issuer before")
-		require.Equal(t, testCase.Before, resp.Data[testCase.Field], "bad expectations")
-
-		// 5. Perform modification.
-		resp, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
-			testCase.Field: testCase.Patched,
-		})
-		requireSuccessNonNilResponse(t, resp, err, "failed patching root issuer")
-
-		if testCase.Field != "manual_chain" {
-			require.Equal(t, testCase.Patched, resp.Data[testCase.Field], "failed persisting value")
-		} else {
-			// self->id
-			require.Equal(t, []string{id}, resp.Data[testCase.Field], "failed persisting value")
-		}
-
-		// 6. Ensure it stuck
-		resp, err = CBRead(b, s, "issuer/default")
-		requireSuccessNonNilResponse(t, resp, err, "failed reading root issuer after")
-
-		if testCase.Field != "manual_chain" {
-			require.Equal(t, testCase.Patched, resp.Data[testCase.Field])
-		} else {
-			// self->id
-			require.Equal(t, []string{id}, resp.Data[testCase.Field], "failed persisting value")
-		}
-	}
-}
-
-func TestGenerateRootCAWithAIA(t *testing.T) {
-	// Generate a root CA at /pki-root
-	b_root, s_root := CreateBackendWithStorage(t)
-
-	// Setup templated AIA information
-	_, err := CBWrite(b_root, s_root, "config/cluster", map[string]interface{}{
-		"path":     "https://localhost:8200",
-		"aia_path": "https://localhost:8200",
-	})
-	require.NoError(t, err, "failed to write AIA settings")
-
-	_, err = CBWrite(b_root, s_root, "config/urls", map[string]interface{}{
-		"crl_distribution_points": "{{cluster_path}}/issuer/{{issuer_id}}/crl/der",
-		"issuing_certificates":    "{{cluster_aia_path}}/issuer/{{issuer_id}}/der",
-		"ocsp_servers":            "{{cluster_path}}/ocsp",
-		"enable_templating":       true,
-	})
-	require.NoError(t, err, "failed to write AIA settings")
-
-	// Write a root issuer, this should succeed.
-	resp, err := CBWrite(b_root, s_root, "root/generate/exported", map[string]interface{}{
-		"common_name": "root myvault.com",
-		"key_type":    "ec",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "expected root generation to succeed")
-}
-
-var (
-	initTest  sync.Once
-	rsaCAKey  string
-	rsaCACert string
-	ecCAKey   string
-	ecCACert  string
-	edCAKey   string
-	edCACert  string
-)
+```release-note:bug
+ui: When Kv v2 secret is an object, fix so details view defaults to readOnly JSON editor.
+```
\ No newline at end of file
diff --git a/builtin/logical/pki/fields.go b/builtin/logical/pki/fields.go
index e637ac27fa90..784e2e38f4c7 100644
--- a/builtin/logical/pki/fields.go
+++ b/builtin/logical/pki/fields.go
@@ -1,645 +1,3 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package pki
-
-import (
-	"time"
-
-	"github.com/hashicorp/vault/sdk/framework"
-)
-
-const (
-	issuerRefParam = "issuer_ref"
-	keyNameParam   = "key_name"
-	keyRefParam    = "key_ref"
-	keyIdParam     = "key_id"
-	keyTypeParam   = "key_type"
-	keyBitsParam   = "key_bits"
-	skidParam      = "subject_key_id"
-)
-
-// addIssueAndSignCommonFields adds fields common to both CA and non-CA issuing
-// and signing
-func addIssueAndSignCommonFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
-	fields["exclude_cn_from_sans"] = &framework.FieldSchema{
-		Type:    framework.TypeBool,
-		Default: false,
-		Description: `If true, the Common Name will not be
-included in DNS or Email Subject Alternate Names.
-Defaults to false (CN is included).`,
-		DisplayAttrs: &framework.DisplayAttributes{
-			Name: "Exclude Common Name from Subject Alternative Names (SANs)",
-		},
-	}
-
-	fields["format"] = &framework.FieldSchema{
-		Type:    framework.TypeString,
-		Default: "pem",
-		Description: `Format for returned data. Can be "pem", "der",
-or "pem_bundle". If "pem_bundle", any private
-key and issuing cert will be appended to the
-certificate pem. If "der", the value will be
-base64 encoded. Defaults to "pem".`,
-		AllowedValues: []interface{}{"pem", "der", "pem_bundle"},
-		DisplayAttrs: &framework.DisplayAttributes{
-			Value: "pem",
-		},
-	}
-
-	fields["private_key_format"] = &framework.FieldSchema{
-		Type:    framework.TypeString,
-		Default: "der",
-		Description: `Format for the returned private key.
-Generally the default will be controlled by the "format"
-parameter as either base64-encoded DER or PEM-encoded DER.
-However, this can be set to "pkcs8" to have the returned
-private key contain base64-encoded pkcs8 or PEM-encoded
-pkcs8 instead. Defaults to "der".`,
-		AllowedValues: []interface{}{"", "der", "pem", "pkcs8"},
-		DisplayAttrs: &framework.DisplayAttributes{
-			Value: "der",
-		},
-	}
-
-	fields["ip_sans"] = &framework.FieldSchema{
-		Type: framework.TypeCommaStringSlice,
-		Description: `The requested IP SANs, if any, in a
-comma-delimited list`,
-		DisplayAttrs: &framework.DisplayAttributes{
-			Name: "IP Subject Alternative Names (SANs)",
-		},
-	}
-
-	fields["uri_sans"] = &framework.FieldSchema{
-		Type: framework.TypeCommaStringSlice,
-		Description: `The requested URI SANs, if any, in a
-comma-delimited list.`,
-		DisplayAttrs: &framework.DisplayAttributes{
-			Name: "URI Subject Alternative Names (SANs)",
-		},
-	}
-
-	fields["other_sans"] = &framework.FieldSchema{
-		Type: framework.TypeCommaStringSlice,
-		Description: `Requested other SANs, in an array with the format
-<oid>;UTF8:<utf8 string value> for each entry.`,
-		DisplayAttrs: &framework.DisplayAttributes{
-			Name: "Other SANs",
-		},
-	}
-
-	return fields
-}
-
-// addNonCACommonFields adds fields with help text specific to non-CA
-// certificate issuing and signing
-func addNonCACommonFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
-	fields = addIssueAndSignCommonFields(fields)
-
-	fields["role"] = &framework.FieldSchema{
-		Type: framework.TypeString,
-		Description: `The desired role with configuration for this
-request`,
-	}
-
-	fields["common_name"] = &framework.FieldSchema{
-		Type: framework.TypeString,
-		Description: `The requested common name; if you want more than
-one, specify the alternative names in the
-alt_names map. If email protection is enabled
-in the role, this may be an email address.`,
-	}
-
-	fields["alt_names"] = &framework.FieldSchema{
-		Type: framework.TypeString,
-		Description: `The requested Subject Alternative Names, if any,
-in a comma-delimited list. If email protection
-is enabled for the role, this may contain
-email addresses.`,
-		DisplayAttrs: &framework.DisplayAttributes{
-			Name: "DNS/Email Subject Alternative Names (SANs)",
-		},
-	}
-
-	fields["serial_number"] = &framework.FieldSchema{
-		Type: framework.TypeString,
-		Description: `The Subject's requested serial number, if any.
-See RFC 4519 Section 2.31 'serialNumber' for a description of this field.
-If you want more than one, specify alternative names in the alt_names
-map using OID 2.5.4.5. This has no impact on the final certificate's
-Serial Number field.`,
-	}
-
-	fields["ttl"] = &framework.FieldSchema{
-		Type: framework.TypeDurationSecond,
-		Description: `The requested Time To Live for the certificate;
-sets the expiration date. If not specified
-the role default, backend default, or system
-default TTL is used, in that order. Cannot
-be larger than the role max TTL.`,
-		DisplayAttrs: &framework.DisplayAttributes{
-			Name: "TTL",
-		},
-	}
-
-	fields["not_after"] = &framework.FieldSchema{
-		Type: framework.TypeString,
-		Description: `Set the not after field of the certificate with specified date value.
-The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ`,
-	}
-
-	fields["remove_roots_from_chain"] = &framework.FieldSchema{
-		Type:    framework.TypeBool,
-		Default: false,
-		Description: `Whether or not to remove self-signed CA certificates in the output
-of the ca_chain field.`,
-	}
-
-	fields["user_ids"] = &framework.FieldSchema{
-		Type: framework.TypeCommaStringSlice,
-		Description: `The requested user_ids value to place in the subject,
-if any, in a comma-delimited list. Restricted by allowed_user_ids.
-Any values are added with OID 0.9.2342.19200300.100.1.1.`,
-		DisplayAttrs: &framework.DisplayAttributes{
-			Name: "User ID(s)",
-		},
-	}
-
-	fields = addIssuerRefField(fields)
-
-	return fields
-}
-
-// addCACommonFields adds fields with help text specific to CA
-// certificate issuing and signing
-func addCACommonFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
-	fields = addIssueAndSignCommonFields(fields)
-
-	fields["alt_names"] = &framework.FieldSchema{
-		Type: framework.TypeString,
-		Description: `The requested Subject Alternative Names, if any,
-in a comma-delimited list. May contain both
-DNS names and email addresses.`,
-		DisplayAttrs: &framework.DisplayAttributes{
-			Name: "DNS/Email Subject Alternative Names (SANs)",
-		},
-	}
-
-	fields["common_name"] = &framework.FieldSchema{
-		Type: framework.TypeString,
-		Description: `The requested common name; if you want more than
-one, specify the alternative names in the alt_names
-map. If not specified when signing, the common
-name will be taken from the CSR; other names
-must still be specified in alt_names or ip_sans.`,
-	}
-
-	fields["ttl"] = &framework.FieldSchema{
-		Type: framework.TypeDurationSecond,
-		Description: `The requested Time To Live for the certificate;
-sets the expiration date. If not specified
-the role default, backend default, or system
-default TTL is used, in that order. Cannot
-be larger than the mount max TTL. Note:
-this only has an effect when generating
-a CA cert or signing a CA cert, not when
-generating a CSR for an intermediate CA.`,
-		DisplayAttrs: &framework.DisplayAttributes{
-			Name: "TTL",
-		},
-	}
-
-	fields["ou"] = &framework.FieldSchema{
-		Type: framework.TypeCommaStringSlice,
-		Description: `If set, OU (OrganizationalUnit) will be set to
-this value.`,
-		DisplayAttrs: &framework.DisplayAttributes{
-			Name: "OU (Organizational Unit)",
-		},
-	}
-
-	fields["organization"] = &framework.FieldSchema{
-		Type: framework.TypeCommaStringSlice,
-		Description: `If set, O (Organization) will be set to
-this value.`,
-	}
-
-	fields["country"] = &framework.FieldSchema{
-		Type: framework.TypeCommaStringSlice,
-		Description: `If set, Country will be set to
-this value.`,
-	}
-
-	fields["locality"] = &framework.FieldSchema{
-		Type: framework.TypeCommaStringSlice,
-		Description: `If set, Locality will be set to
-this value.`,
-		DisplayAttrs: &framework.DisplayAttributes{
-			Name: "Locality/City",
-		},
-	}
-
-	fields["province"] = &framework.FieldSchema{
-		Type: framework.TypeCommaStringSlice,
-		Description: `If set, Province will be set to
-this value.`,
-		DisplayAttrs: &framework.DisplayAttributes{
-			Name: "Province/State",
-		},
-	}
-
-	fields["street_address"] = &framework.FieldSchema{
-		Type: framework.TypeCommaStringSlice,
-		Description: `If set, Street Address will be set to
-this value.`,
-		DisplayAttrs: &framework.DisplayAttributes{
-			Name: "Street Address",
-		},
-	}
-
-	fields["postal_code"] = &framework.FieldSchema{
-		Type: framework.TypeCommaStringSlice,
-		Description: `If set, Postal Code will be set to
-this value.`,
-		DisplayAttrs: &framework.DisplayAttributes{
-			Name: "Postal Code",
-		},
-	}
-
-	fields["serial_number"] = &framework.FieldSchema{
-		Type: framework.TypeString,
-		Description: `The Subject's requested serial number, if any.
-See RFC 4519 Section 2.31 'serialNumber' for a description of this field.
-If you want more than one, specify alternative names in the alt_names
-map using OID 2.5.4.5. This has no impact on the final certificate's
-Serial Number field.`,
-	}
-
-	fields["not_after"] = &framework.FieldSchema{
-		Type: framework.TypeString,
-		Description: `Set the not after field of the certificate with specified date value.
-The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ`,
-	}
-
-	fields["not_before_duration"] = &framework.FieldSchema{
-		Type:        framework.TypeDurationSecond,
-		Default:     30,
-		Description: `The duration before now which the certificate needs to be backdated by.`,
-		DisplayAttrs: &framework.DisplayAttributes{
-			Value: 30,
-		},
-	}
-
-	return fields
-}
-
-// addCAKeyGenerationFields adds fields with help text specific to CA key
-// generation and exporting
-func addCAKeyGenerationFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
-	fields["exported"] = &framework.FieldSchema{
-		Type: framework.TypeString,
-		Description: `Must be "internal", "exported" or "kms". If set to
-"exported", the generated private key will be
-returned. This is your *only* chance to retrieve
-the private key!`,
-		AllowedValues: []interface{}{"internal", "external", "kms"},
-	}
-
-	fields["managed_key_name"] = &framework.FieldSchema{
-		Type: framework.TypeString,
-		Description: `The name of the managed key to use when the exported
-type is kms. When kms type is the key type, this field or managed_key_id
-is required. Ignored for other types.`,
-	}
-
-	fields["managed_key_id"] = &framework.FieldSchema{
-		Type: framework.TypeString,
-		Description: `The name of the managed key to use when the exported
-type is kms. When kms type is the key type, this field or managed_key_name
-is required. Ignored for other types.`,
-	}
-
-	fields["key_bits"] = &framework.FieldSchema{
-		Type:    framework.TypeInt,
-		Default: 0,
-		Description: `The number of bits to use. Allowed values are
-0 (universal default); with rsa key_type: 2048 (default), 3072, or
-4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with
-ed25519.`,
-		DisplayAttrs: &framework.DisplayAttributes{
-			Value: 0,
-		},
-	}
-
-	fields["signature_bits"] = &framework.FieldSchema{
-		Type:    framework.TypeInt,
-		Default: 0,
-		Description: `The number of bits to use in the signature
-algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for
-SHA-2-512. Defaults to 0 to automatically detect based on key length
-(SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).`,
-		DisplayAttrs: &framework.DisplayAttributes{
-			Value: 0,
-		},
-	}
-
-	fields["use_pss"] = &framework.FieldSchema{
-		Type:    framework.TypeBool,
-		Default: false,
-		Description: `Whether or not to use PSS signatures when using a
-RSA key-type issuer. Defaults to false.`,
-	}
-
-	fields["key_type"] = &framework.FieldSchema{
-		Type:    framework.TypeString,
-		Default: "rsa",
-		Description: `The type of key to use; defaults to RSA. "rsa"
-"ec" and "ed25519" are the only valid values.`,
-		AllowedValues: []interface{}{"rsa", "ec", "ed25519"},
-		DisplayAttrs: &framework.DisplayAttributes{
-			Value: "rsa",
-		},
-	}
-
-	fields = addKeyRefNameFields(fields)
-
-	return fields
-}
-
-// addCAIssueFields adds fields common to CA issuing, e.g. when returning
-// an actual certificate
-func addCAIssueFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
-	fields["max_path_length"] = &framework.FieldSchema{
-		Type:        framework.TypeInt,
-		Default:     -1,
-		Description: "The maximum allowable path length",
-	}
-
-	fields["permitted_dns_domains"] = &framework.FieldSchema{
-		Type:        framework.TypeCommaStringSlice,
-		Description: `Domains for which this certificate is allowed to sign or issue child certificates. If set, all DNS names (subject and alt) on child certs must be exact matches or subsets of the given domains (see https://tools.ietf.org/html/rfc5280#section-4.2.1.10).`,
-		DisplayAttrs: &framework.DisplayAttributes{
-			Name: "Permitted DNS Domains",
-		},
-	}
-
-	fields = addIssuerNameField(fields)
-
-	return fields
-}
-
-func addIssuerRefNameFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
-	fields = addIssuerNameField(fields)
-	fields = addIssuerRefField(fields)
-	return fields
-}
-
-func addIssuerNameField(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
-	fields["issuer_name"] = &framework.FieldSchema{
-		Type: framework.TypeString,
-		Description: `Provide a name to the generated or existing issuer, the name
-must be unique across all issuers and not be the reserved value 'default'`,
-	}
-	return fields
-}
-
-func addIssuerRefField(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
-	fields[issuerRefParam] = &framework.FieldSchema{
-		Type: framework.TypeString,
-		Description: `Reference to a existing issuer; either "default"
-for the configured default issuer, an identifier or the name assigned
-to the issuer.`,
-		Default: defaultRef,
-	}
-	return fields
-}
-
-func addKeyRefNameFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
-	fields = addKeyNameField(fields)
-	fields = addKeyRefField(fields)
-	return fields
-}
-
-func addKeyNameField(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
-	fields[keyNameParam] = &framework.FieldSchema{
-		Type: framework.TypeString,
-		Description: `Provide a name to the generated or existing key, the name
-must be unique across all keys and not be the reserved value 'default'`,
-	}
-
-	return fields
-}
-
-func addKeyRefField(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
-	fields[keyRefParam] = &framework.FieldSchema{
-		Type: framework.TypeString,
-		Description: `Reference to a existing key; either "default"
-for the configured default key, an identifier or the name assigned
-to the key.`,
-		Default: defaultRef,
-	}
-	return fields
-}
-
-func addTidyFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
-	fields["tidy_cert_store"] = &framework.FieldSchema{
-		Type: framework.TypeBool,
-		Description: `Set to true to enable tidying up
-the certificate store`,
-	}
-
-	fields["tidy_revocation_list"] = &framework.FieldSchema{
-		Type:        framework.TypeBool,
-		Description: `Deprecated; synonym for 'tidy_revoked_certs`,
-	}
-
-	fields["tidy_revoked_certs"] = &framework.FieldSchema{
-		Type: framework.TypeBool,
-		Description: `Set to true to expire all revoked
-and expired certificates, removing them both from the CRL and from storage. The
-CRL will be rotated if this causes any values to be removed.`,
-	}
-
-	fields["tidy_revoked_cert_issuer_associations"] = &framework.FieldSchema{
-		Type: framework.TypeBool,
-		Description: `Set to true to validate issuer associations
-on revocation entries. This helps increase the performance of CRL building
-and OCSP responses.`,
-	}
-
-	fields["tidy_expired_issuers"] = &framework.FieldSchema{
-		Type: framework.TypeBool,
-		Description: `Set to true to automatically remove expired issuers
-past the issuer_safety_buffer. No keys will be removed as part of this
-operation.`,
-	}
-
-	fields["tidy_move_legacy_ca_bundle"] = &framework.FieldSchema{
-		Type: framework.TypeBool,
-		Description: `Set to true to move the legacy ca_bundle from
-/config/ca_bundle to /config/ca_bundle.bak. This prevents downgrades
-to pre-Vault 1.11 versions (as older PKI engines do not know about
-the new multi-issuer storage layout), but improves the performance
-on seal wrapped PKI mounts. This will only occur if at least
-issuer_safety_buffer time has occurred after the initial storage
-migration.
-
-This backup is saved in case of an issue in future migrations.
-Operators may consider removing it via sys/raw if they desire.
-The backup will be removed via a DELETE /root call, but note that
-this removes ALL issuers within the mount (and is thus not desirable
-in most operational scenarios).`,
-	}
-
-	fields["tidy_acme"] = &framework.FieldSchema{
-		Type: framework.TypeBool,
-		Description: `Set to true to enable tidying ACME accounts,
-orders and authorizations.  ACME orders are tidied (deleted) 
-safety_buffer after the certificate associated with them expires,
-or after the order and relevant authorizations have expired if no 
-certificate was produced.  Authorizations are tidied with the 
-corresponding order.
-
-When a valid ACME Account is at least acme_account_safety_buffer
-old, and has no remaining orders associated with it, the account is
-marked as revoked.  After another acme_account_safety_buffer has 
-passed from the revocation or deactivation date, a revoked or 
-deactivated ACME account is deleted.`,
-		Default: false,
-	}
-
-	fields["safety_buffer"] = &framework.FieldSchema{
-		Type: framework.TypeDurationSecond,
-		Description: `The amount of extra time that must have passed
-beyond certificate expiration before it is removed
-from the backend storage and/or revocation list.
-Defaults to 72 hours.`,
-		Default: int(defaultTidyConfig.SafetyBuffer / time.Second), // TypeDurationSecond currently requires defaults to be int
-	}
-
-	fields["issuer_safety_buffer"] = &framework.FieldSchema{
-		Type: framework.TypeDurationSecond,
-		Description: `The amount of extra time that must have passed
-beyond issuer's expiration before it is removed
-from the backend storage.
-Defaults to 8760 hours (1 year).`,
-		Default: int(defaultTidyConfig.IssuerSafetyBuffer / time.Second), // TypeDurationSecond currently requires defaults to be int
-	}
-
-	fields["acme_account_safety_buffer"] = &framework.FieldSchema{
-		Type: framework.TypeDurationSecond,
-		Description: `The amount of time that must pass after creation
-that an account with no orders is marked revoked, and the amount of time
-after being marked revoked or deactivated.`,
-		Default: int(defaultTidyConfig.AcmeAccountSafetyBuffer / time.Second), // TypeDurationSecond currently requires defaults to be int
-	}
-
-	fields["pause_duration"] = &framework.FieldSchema{
-		Type: framework.TypeString,
-		Description: `The amount of time to wait between processing
-certificates. This allows operators to change the execution profile
-of tidy to take consume less resources by slowing down how long it
-takes to run. Note that the entire list of certificates will be
-stored in memory during the entire tidy operation, but resources to
-read/process/update existing entries will be spread out over a
-greater period of time. By default this is zero seconds.`,
-		Default: "0s",
-	}
-
-	fields["tidy_revocation_queue"] = &framework.FieldSchema{
-		Type: framework.TypeBool,
-		Description: `Set to true to remove stale revocation queue entries
-that haven't been confirmed by any active cluster. Only runs on the
-active primary node`,
-		Default: defaultTidyConfig.RevocationQueue,
-	}
-
-	fields["revocation_queue_safety_buffer"] = &framework.FieldSchema{
-		Type: framework.TypeDurationSecond,
-		Description: `The amount of time that must pass from the
-cross-cluster revocation request being initiated to when it will be
-slated for removal. Setting this too low may remove valid revocation
-requests before the owning cluster has a chance to process them,
-especially if the cluster is offline.`,
-		Default: int(defaultTidyConfig.QueueSafetyBuffer / time.Second), // TypeDurationSecond currently requires defaults to be int
-	}
-
-	fields["tidy_cross_cluster_revoked_certs"] = &framework.FieldSchema{
-		Type: framework.TypeBool,
-		Description: `Set to true to enable tidying up
-the cross-cluster revoked certificate store. Only runs on the active
-primary node.`,
-	}
-
-	return fields
-}
-
-// generate the entire list of schema fields we need for CSR sign verbatim, this is also
-// leveraged by ACME internally.
-func getCsrSignVerbatimSchemaFields() map[string]*framework.FieldSchema {
-	fields := map[string]*framework.FieldSchema{}
-	fields = addNonCACommonFields(fields)
-	fields = addSignVerbatimRoleFields(fields)
-
-	fields["csr"] = &framework.FieldSchema{
-		Type:    framework.TypeString,
-		Default: "",
-		Description: `PEM-format CSR to be signed. Values will be
-taken verbatim from the CSR, except for
-basic constraints.`,
-	}
-
-	return fields
-}
-
-// addSignVerbatimRoleFields provides the fields and defaults to be used by anything that is building up the fields
-// and their corresponding default values when generating/using a sign-verbatim type role such as buildSignVerbatimRole.
-func addSignVerbatimRoleFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
-	fields["key_usage"] = &framework.FieldSchema{
-		Type:    framework.TypeCommaStringSlice,
-		Default: []string{"DigitalSignature", "KeyAgreement", "KeyEncipherment"},
-		Description: `A comma-separated string or list of key usages (not extended
-key usages). Valid values can be found at
-https://golang.org/pkg/crypto/x509/#KeyUsage
--- simply drop the "KeyUsage" part of the name.
-To remove all key usages from being set, set
-this value to an empty list.`,
-	}
-
-	fields["ext_key_usage"] = &framework.FieldSchema{
-		Type:    framework.TypeCommaStringSlice,
-		Default: []string{},
-		Description: `A comma-separated string or list of extended key usages. Valid values can be found at
-https://golang.org/pkg/crypto/x509/#ExtKeyUsage
--- simply drop the "ExtKeyUsage" part of the name.
-To remove all key usages from being set, set
-this value to an empty list.`,
-	}
-
-	fields["ext_key_usage_oids"] = &framework.FieldSchema{
-		Type:        framework.TypeCommaStringSlice,
-		Description: `A comma-separated string or list of extended key usage oids.`,
-	}
-
-	fields["signature_bits"] = &framework.FieldSchema{
-		Type:    framework.TypeInt,
-		Default: 0,
-		Description: `The number of bits to use in the signature
-algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for
-SHA-2-512. Defaults to 0 to automatically detect based on key length
-(SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).`,
-		DisplayAttrs: &framework.DisplayAttributes{
-			Value: 0,
-		},
-	}
-
-	fields["use_pss"] = &framework.FieldSchema{
-		Type:    framework.TypeBool,
-		Default: false,
-		Description: `Whether or not to use PSS signatures when using a
-RSA key-type issuer. Defaults to false.`,
-	}
-
-	return fields
-}
+```release-note:bug
+ui: Fix payload sent when disabling replication
+```
diff --git a/builtin/logical/pki/path_manage_keys.go b/builtin/logical/pki/path_manage_keys.go
index 63e8ac668a58..d1433cfcd1f9 100644
--- a/builtin/logical/pki/path_manage_keys.go
+++ b/builtin/logical/pki/path_manage_keys.go
@@ -1,320 +1,2 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package pki
-
-import (
-	"bytes"
-	"context"
-	"encoding/pem"
-	"net/http"
-	"strings"
-
-	"github.com/hashicorp/vault/sdk/framework"
-	"github.com/hashicorp/vault/sdk/helper/certutil"
-	"github.com/hashicorp/vault/sdk/logical"
-)
-
-func pathGenerateKey(b *backend) *framework.Path {
-	return &framework.Path{
-		Pattern: "keys/generate/(internal|exported|kms)",
-
-		DisplayAttrs: &framework.DisplayAttributes{
-			OperationPrefix: operationPrefixPKI,
-			OperationVerb:   "generate",
-			OperationSuffix: "internal-key|exported-key|kms-key",
-		},
-
-		Fields: map[string]*framework.FieldSchema{
-			keyNameParam: {
-				Type:        framework.TypeString,
-				Description: "Optional name to be used for this key",
-			},
-			keyTypeParam: {
-				Type:    framework.TypeString,
-				Default: "rsa",
-				Description: `The type of key to use; defaults to RSA. "rsa"
-"ec" and "ed25519" are the only valid values.`,
-				AllowedValues: []interface{}{"rsa", "ec", "ed25519"},
-				DisplayAttrs: &framework.DisplayAttributes{
-					Value: "rsa",
-				},
-			},
-			keyBitsParam: {
-				Type:    framework.TypeInt,
-				Default: 0,
-				Description: `The number of bits to use. Allowed values are
-0 (universal default); with rsa key_type: 2048 (default), 3072, or
-4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with
-ed25519.`,
-			},
-			"managed_key_name": {
-				Type: framework.TypeString,
-				Description: `The name of the managed key to use when the exported
-type is kms. When kms type is the key type, this field or managed_key_id
-is required. Ignored for other types.`,
-			},
-			"managed_key_id": {
-				Type: framework.TypeString,
-				Description: `The name of the managed key to use when the exported
-type is kms. When kms type is the key type, this field or managed_key_name
-is required. Ignored for other types.`,
-			},
-		},
-
-		Operations: map[logical.Operation]framework.OperationHandler{
-			logical.UpdateOperation: &framework.PathOperation{
-				Callback: b.pathGenerateKeyHandler,
-				Responses: map[int][]framework.Response{
-					http.StatusOK: {{
-						Description: "OK",
-						Fields: map[string]*framework.FieldSchema{
-							"key_id": {
-								Type:        framework.TypeString,
-								Description: `ID assigned to this key.`,
-								Required:    true,
-							},
-							"key_name": {
-								Type:        framework.TypeString,
-								Description: `Name assigned to this key.`,
-								Required:    true,
-							},
-							"key_type": {
-								Type: framework.TypeString,
-								Description: `The type of key to use; defaults to RSA. "rsa"
-								"ec" and "ed25519" are the only valid values.`,
-								Required: true,
-							},
-							"private_key": {
-								Type:        framework.TypeString,
-								Description: `The private key string`,
-								Required:    false,
-							},
-						},
-					}},
-				},
-
-				ForwardPerformanceStandby:   true,
-				ForwardPerformanceSecondary: true,
-			},
-		},
-
-		HelpSynopsis:    pathGenerateKeyHelpSyn,
-		HelpDescription: pathGenerateKeyHelpDesc,
-	}
-}
-
-const (
-	pathGenerateKeyHelpSyn  = `Generate a new private key used for signing.`
-	pathGenerateKeyHelpDesc = `This endpoint will generate a new key pair of the specified type (internal, exported, or kms).`
-)
-
-func (b *backend) pathGenerateKeyHandler(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-	// Since we're planning on updating issuers here, grab the lock so we've
-	// got a consistent view.
-	b.issuersLock.Lock()
-	defer b.issuersLock.Unlock()
-
-	if b.useLegacyBundleCaStorage() {
-		return logical.ErrorResponse("Can not generate keys until migration has completed"), nil
-	}
-
-	sc := b.makeStorageContext(ctx, req.Storage)
-	keyName, err := getKeyName(sc, data)
-	if err != nil { // Fail Immediately if Key Name is in Use, etc...
-		return logical.ErrorResponse(err.Error()), nil
-	}
-
-	exportPrivateKey := false
-	var keyBundle certutil.KeyBundle
-	var actualPrivateKeyType certutil.PrivateKeyType
-	switch {
-	case strings.HasSuffix(req.Path, "/exported"):
-		exportPrivateKey = true
-		fallthrough
-	case strings.HasSuffix(req.Path, "/internal"):
-		keyType := data.Get(keyTypeParam).(string)
-		keyBits := data.Get(keyBitsParam).(int)
-
-		keyBits, _, err := certutil.ValidateDefaultOrValueKeyTypeSignatureLength(keyType, keyBits, 0)
-		if err != nil {
-			return logical.ErrorResponse("Validation for key_type, key_bits failed: %s", err.Error()), nil
-		}
-
-		// Internal key generation, stored in storage
-		keyBundle, err = certutil.CreateKeyBundle(keyType, keyBits, b.GetRandomReader())
-		if err != nil {
-			return nil, err
-		}
-
-		actualPrivateKeyType = keyBundle.PrivateKeyType
-	case strings.HasSuffix(req.Path, "/kms"):
-		keyId, err := getManagedKeyId(data)
-		if err != nil {
-			return nil, err
-		}
-
-		keyBundle, actualPrivateKeyType, err = createKmsKeyBundle(ctx, b, keyId)
-		if err != nil {
-			return nil, err
-		}
-	default:
-		return logical.ErrorResponse("Unknown type of key to generate"), nil
-	}
-
-	privateKeyPemString, err := keyBundle.ToPrivateKeyPemString()
-	if err != nil {
-		return nil, err
-	}
-
-	key, _, err := sc.importKey(privateKeyPemString, keyName, keyBundle.PrivateKeyType)
-	if err != nil {
-		return nil, err
-	}
-	responseData := map[string]interface{}{
-		keyIdParam:   key.ID,
-		keyNameParam: key.Name,
-		keyTypeParam: string(actualPrivateKeyType),
-	}
-	if exportPrivateKey {
-		responseData["private_key"] = privateKeyPemString
-	}
-	return &logical.Response{
-		Data: responseData,
-	}, nil
-}
-
-func pathImportKey(b *backend) *framework.Path {
-	return &framework.Path{
-		Pattern: "keys/import",
-
-		DisplayAttrs: &framework.DisplayAttributes{
-			OperationPrefix: operationPrefixPKI,
-			OperationVerb:   "import",
-			OperationSuffix: "key",
-		},
-
-		Fields: map[string]*framework.FieldSchema{
-			keyNameParam: {
-				Type:        framework.TypeString,
-				Description: "Optional name to be used for this key",
-			},
-			"pem_bundle": {
-				Type:        framework.TypeString,
-				Description: `PEM-format, unencrypted secret key`,
-			},
-		},
-
-		Operations: map[logical.Operation]framework.OperationHandler{
-			logical.UpdateOperation: &framework.PathOperation{
-				Callback: b.pathImportKeyHandler,
-				Responses: map[int][]framework.Response{
-					http.StatusOK: {{
-						Description: "OK",
-						Fields: map[string]*framework.FieldSchema{
-							"key_id": {
-								Type:        framework.TypeString,
-								Description: `ID assigned to this key.`,
-								Required:    true,
-							},
-							"key_name": {
-								Type:        framework.TypeString,
-								Description: `Name assigned to this key.`,
-								Required:    true,
-							},
-							"key_type": {
-								Type: framework.TypeString,
-								Description: `The type of key to use; defaults to RSA. "rsa"
-								"ec" and "ed25519" are the only valid values.`,
-								Required: true,
-							},
-						},
-					}},
-				},
-				ForwardPerformanceStandby:   true,
-				ForwardPerformanceSecondary: true,
-			},
-		},
-
-		HelpSynopsis:    pathImportKeyHelpSyn,
-		HelpDescription: pathImportKeyHelpDesc,
-	}
-}
-
-const (
-	pathImportKeyHelpSyn  = `Import the specified key.`
-	pathImportKeyHelpDesc = `This endpoint allows importing a specified issuer key from a pem bundle.
-If key_name is set, that will be set on the key, assuming the key did not exist previously.`
-)
-
-func (b *backend) pathImportKeyHandler(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-	// Since we're planning on updating issuers here, grab the lock so we've
-	// got a consistent view.
-	b.issuersLock.Lock()
-	defer b.issuersLock.Unlock()
-
-	if b.useLegacyBundleCaStorage() {
-		return logical.ErrorResponse("Cannot import keys until migration has completed"), nil
-	}
-
-	sc := b.makeStorageContext(ctx, req.Storage)
-	pemBundle := data.Get("pem_bundle").(string)
-	keyName, err := getKeyName(sc, data)
-	if err != nil {
-		return logical.ErrorResponse(err.Error()), nil
-	}
-
-	if len(pemBundle) < 64 {
-		// It is almost nearly impossible to store a complete key in
-		// less than 64 bytes. It is definitely impossible to do so when PEM
-		// encoding has been applied. Detect this and give a better warning
-		// than "provided PEM block contained no data" in this case. This is
-		// because the PEM headers contain 5*4 + 6 + 4 + 2 + 2 = 34 characters
-		// minimum (five dashes, "BEGIN" + space + at least one character
-		// identifier, "END" + space + at least one character identifier, and
-		// a pair of new lines). That would leave 30 bytes for Base64 data,
-		// meaning at most a 22-byte DER key. Even with a 128-bit key, 6 bytes
-		// is not sufficient for the required ASN.1 structure and OID encoding.
-		//
-		// However, < 64 bytes is probably a good length for a file path so
-		// suggest that is the case.
-		return logical.ErrorResponse("provided data for import was too short; perhaps a path was passed to the API rather than the contents of a PEM file"), nil
-	}
-
-	pemBytes := []byte(pemBundle)
-	var pemBlock *pem.Block
-
-	var keys []string
-	for len(bytes.TrimSpace(pemBytes)) > 0 {
-		pemBlock, pemBytes = pem.Decode(pemBytes)
-		if pemBlock == nil {
-			return logical.ErrorResponse("provided PEM block contained no data"), nil
-		}
-
-		pemBlockString := string(pem.EncodeToMemory(pemBlock))
-		keys = append(keys, pemBlockString)
-	}
-
-	if len(keys) != 1 {
-		return logical.ErrorResponse("only a single key can be present within the pem_bundle for importing"), nil
-	}
-
-	key, existed, err := importKeyFromBytes(sc, keys[0], keyName)
-	if err != nil {
-		return logical.ErrorResponse(err.Error()), nil
-	}
-
-	resp := logical.Response{
-		Data: map[string]interface{}{
-			keyIdParam:   key.ID,
-			keyNameParam: key.Name,
-			keyTypeParam: key.PrivateKeyType,
-		},
-	}
-
-	if existed {
-		resp.AddWarning("Key already imported, use key/ endpoint to update name.")
-	}
-
-	return &resp, nil
-}
+```release-note:change
+logging: Vault server, Agent and Proxy now honor log file value and only add a timestamp on rotation.
\ No newline at end of file
diff --git a/builtin/logical/pki/path_manage_keys_test.go b/builtin/logical/pki/path_manage_keys_test.go
index 68d31ef862f2..1b295b985687 100644
--- a/builtin/logical/pki/path_manage_keys_test.go
+++ b/builtin/logical/pki/path_manage_keys_test.go
@@ -1,441 +1,3 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package pki
-
-import (
-	"context"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/x509"
-	"encoding/pem"
-	"fmt"
-	"testing"
-
-	"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"
-
-	"github.com/hashicorp/vault/sdk/helper/certutil"
-
-	"github.com/hashicorp/vault/sdk/logical"
-	"github.com/stretchr/testify/require"
-)
-
-func TestPKI_PathManageKeys_GenerateInternalKeys(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-
-	tests := []struct {
-		name           string
-		keyType        string
-		keyBits        []int
-		wantLogicalErr bool
-	}{
-		{"all-defaults", "", []int{0}, false},
-		{"rsa", "rsa", []int{0, 2048, 3072, 4096}, false},
-		{"ec", "ec", []int{0, 224, 256, 384, 521}, false},
-		{"ed25519", "ed25519", []int{0}, false},
-		{"error-rsa", "rsa", []int{-1, 343444}, true},
-		{"error-ec", "ec", []int{-1, 3434324}, true},
-		{"error-bad-type", "dskjfkdsfjdkf", []int{0}, true},
-	}
-	for _, tt := range tests {
-		tt := tt
-		for _, keyBitParam := range tt.keyBits {
-			keyName := fmt.Sprintf("%s-%d", tt.name, keyBitParam)
-			t.Run(keyName, func(t *testing.T) {
-				data := make(map[string]interface{})
-				if tt.keyType != "" {
-					data["key_type"] = tt.keyType
-				}
-				if keyBitParam != 0 {
-					data["key_bits"] = keyBitParam
-				}
-				keyName = genUuid() + "-" + tt.keyType + "-key-name"
-				data["key_name"] = keyName
-				resp, err := b.HandleRequest(context.Background(), &logical.Request{
-					Operation:  logical.UpdateOperation,
-					Path:       "keys/generate/internal",
-					Storage:    s,
-					Data:       data,
-					MountPoint: "pki/",
-				})
-				require.NoError(t, err,
-					"Failed generating key with values key_type:%s key_bits:%d key_name:%s", tt.keyType, keyBitParam, keyName)
-				require.NotNil(t, resp,
-					"Got nil response generating key with values key_type:%s key_bits:%d key_name:%s", tt.keyType, keyBitParam, keyName)
-				if tt.wantLogicalErr {
-					require.True(t, resp.IsError(), "expected logical error but the request passed:\n%#v", resp)
-				} else {
-					require.False(t, resp.IsError(),
-						"Got logical error response when not expecting one, "+
-							"generating key with values key_type:%s key_bits:%d key_name:%s\n%s", tt.keyType, keyBitParam, keyName, resp.Error())
-
-					// Special case our all-defaults
-					if tt.keyType == "" {
-						tt.keyType = "rsa"
-					}
-
-					require.Equal(t, tt.keyType, resp.Data["key_type"], "key_type field contained an invalid type")
-					require.NotEmpty(t, resp.Data["key_id"], "returned an empty key_id field, should never happen")
-					require.Equal(t, keyName, resp.Data["key_name"], "key name was not processed correctly")
-					require.Nil(t, resp.Data["private_key"], "private_key field should not appear in internal generation type.")
-				}
-			})
-		}
-	}
-}
-
-func TestPKI_PathManageKeys_GenerateExportedKeys(t *testing.T) {
-	t.Parallel()
-	// We tested a lot of the logic above within the internal test, so just make sure we honor the exported contract
-	b, s := CreateBackendWithStorage(t)
-
-	resp, err := b.HandleRequest(context.Background(), &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "keys/generate/exported",
-		Storage:   s,
-		Data: map[string]interface{}{
-			"key_type": "ec",
-			"key_bits": 224,
-		},
-		MountPoint: "pki/",
-	})
-	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("keys/generate/exported"), logical.UpdateOperation), resp, true)
-
-	require.NoError(t, err, "Failed generating exported key")
-	require.NotNil(t, resp, "Got nil response generating exported key")
-	require.Equal(t, "ec", resp.Data["key_type"], "key_type field contained an invalid type")
-	require.NotEmpty(t, resp.Data["key_id"], "returned an empty key_id field, should never happen")
-	require.Empty(t, resp.Data["key_name"], "key name should have been empty but was not")
-	require.NotEmpty(t, resp.Data["private_key"], "private_key field should not be empty in exported generation type.")
-
-	// Make sure we can decode our private key as expected
-	keyData := resp.Data["private_key"].(string)
-	block, rest := pem.Decode([]byte(keyData))
-	require.Empty(t, rest, "should not have had any trailing data")
-	require.NotEmpty(t, block, "failed decoding pem block")
-
-	key, err := x509.ParseECPrivateKey(block.Bytes)
-	require.NoError(t, err, "failed parsing pem block as ec private key")
-	require.Equal(t, elliptic.P224(), key.Curve, "got unexpected curve value in returned private key")
-}
-
-func TestPKI_PathManageKeys_ImportKeyBundle(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-
-	bundle1, err := certutil.CreateKeyBundle("ec", 224, rand.Reader)
-	require.NoError(t, err, "failed generating an ec key bundle")
-	bundle2, err := certutil.CreateKeyBundle("rsa", 2048, rand.Reader)
-	require.NoError(t, err, "failed generating an rsa key bundle")
-	pem1, err := bundle1.ToPrivateKeyPemString()
-	require.NoError(t, err, "failed converting ec key to pem")
-	pem2, err := bundle2.ToPrivateKeyPemString()
-	require.NoError(t, err, "failed converting rsa key to pem")
-
-	resp, err := b.HandleRequest(context.Background(), &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "keys/import",
-		Storage:   s,
-		Data: map[string]interface{}{
-			"key_name":   "my-ec-key",
-			"pem_bundle": pem1,
-		},
-		MountPoint: "pki/",
-	})
-
-	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("keys/import"), logical.UpdateOperation), resp, true)
-
-	require.NoError(t, err, "Failed importing ec key")
-	require.NotNil(t, resp, "Got nil response importing ec key")
-	require.False(t, resp.IsError(), "received an error response: %v", resp.Error())
-	require.NotEmpty(t, resp.Data["key_id"], "key id for ec import response was empty")
-	require.Equal(t, "my-ec-key", resp.Data["key_name"], "key_name was incorrect for ec key")
-	require.Equal(t, certutil.ECPrivateKey, resp.Data["key_type"])
-	keyId1 := resp.Data["key_id"].(keyID)
-
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "keys/import",
-		Storage:   s,
-		Data: map[string]interface{}{
-			"key_name":   "my-rsa-key",
-			"pem_bundle": pem2,
-		},
-		MountPoint: "pki/",
-	})
-	require.NoError(t, err, "Failed importing rsa key")
-	require.NotNil(t, resp, "Got nil response importing rsa key")
-	require.False(t, resp.IsError(), "received an error response: %v", resp.Error())
-	require.NotEmpty(t, resp.Data["key_id"], "key id for rsa import response was empty")
-	require.Equal(t, "my-rsa-key", resp.Data["key_name"], "key_name was incorrect for ec key")
-	require.Equal(t, certutil.RSAPrivateKey, resp.Data["key_type"])
-	keyId2 := resp.Data["key_id"].(keyID)
-
-	require.NotEqual(t, keyId1, keyId2)
-
-	// Attempt to reimport the same key with a different name.
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "keys/import",
-		Storage:   s,
-		Data: map[string]interface{}{
-			"key_name":   "my-new-ec-key",
-			"pem_bundle": pem1,
-		},
-		MountPoint: "pki/",
-	})
-	require.NoError(t, err, "Failed importing the same ec key")
-	require.NotNil(t, resp, "Got nil response importing the same ec key")
-	require.False(t, resp.IsError(), "received an error response: %v", resp.Error())
-	require.NotEmpty(t, resp.Data["key_id"], "key id for ec import response was empty")
-	// Note we should receive back the original name, not the new updated name.
-	require.Equal(t, "my-ec-key", resp.Data["key_name"], "key_name was incorrect for ec key")
-	require.Equal(t, certutil.ECPrivateKey, resp.Data["key_type"])
-	keyIdReimport := resp.Data["key_id"]
-	require.Equal(t, keyId1, keyIdReimport, "the re-imported key did not return the same key id")
-
-	// Make sure we can not reuse an existing name across different keys.
-	bundle3, err := certutil.CreateKeyBundle("ec", 224, rand.Reader)
-	require.NoError(t, err, "failed generating an ec key bundle")
-	pem3, err := bundle3.ToPrivateKeyPemString()
-	require.NoError(t, err, "failed converting rsa key to pem")
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "keys/import",
-		Storage:   s,
-		Data: map[string]interface{}{
-			"key_name":   "my-ec-key",
-			"pem_bundle": pem3,
-		},
-		MountPoint: "pki/",
-	})
-	require.NoError(t, err, "Failed importing the same ec key")
-	require.NotNil(t, resp, "Got nil response importing the same ec key")
-	require.True(t, resp.IsError(), "should have received an error response importing a key with a re-used name")
-
-	// Delete the key to make sure re-importing gets another ID
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  logical.DeleteOperation,
-		Path:       "key/" + keyId2.String(),
-		Storage:    s,
-		MountPoint: "pki/",
-	})
-	require.NoError(t, err, "failed deleting keyId 2")
-	require.Nil(t, resp, "Got non-nil response deleting the key: %#v", resp)
-
-	// Deleting a non-existent key should be okay...
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  logical.DeleteOperation,
-		Path:       "key/" + keyId2.String(),
-		Storage:    s,
-		MountPoint: "pki/",
-	})
-	require.NoError(t, err, "failed deleting keyId 2")
-	require.Nil(t, resp, "Got non-nil response deleting the key: %#v", resp)
-
-	// Let's reimport key 2 post-deletion to make sure we re-generate a new key id
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "keys/import",
-		Storage:   s,
-		Data: map[string]interface{}{
-			"key_name":   "my-rsa-key",
-			"pem_bundle": pem2,
-		},
-		MountPoint: "pki/",
-	})
-	require.NoError(t, err, "Failed importing rsa key")
-	require.NotNil(t, resp, "Got nil response importing rsa key")
-	require.False(t, resp.IsError(), "received an error response: %v", resp.Error())
-	require.NotEmpty(t, resp.Data["key_id"], "key id for rsa import response was empty")
-	require.Equal(t, "my-rsa-key", resp.Data["key_name"], "key_name was incorrect for ec key")
-	require.Equal(t, certutil.RSAPrivateKey, resp.Data["key_type"])
-	keyId2Reimport := resp.Data["key_id"].(keyID)
-
-	require.NotEqual(t, keyId2, keyId2Reimport, "re-importing key 2 did not generate a new key id")
-}
-
-func TestPKI_PathManageKeys_DeleteDefaultKeyWarns(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-
-	resp, err := b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  logical.UpdateOperation,
-		Path:       "keys/generate/internal",
-		Storage:    s,
-		Data:       map[string]interface{}{"key_type": "ec"},
-		MountPoint: "pki/",
-	})
-	require.NoError(t, err, "Failed generating key")
-	require.NotNil(t, resp, "Got nil response generating key")
-	require.False(t, resp.IsError(), "resp contained errors generating key: %#v", resp.Error())
-	keyId := resp.Data["key_id"].(keyID)
-
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  logical.DeleteOperation,
-		Path:       "key/" + keyId.String(),
-		Storage:    s,
-		MountPoint: "pki/",
-	})
-	require.NoError(t, err, "failed deleting default key")
-	require.NotNil(t, resp, "Got nil response deleting the default key")
-	require.False(t, resp.IsError(), "expected no errors deleting default key: %#v", resp.Error())
-	require.NotEmpty(t, resp.Warnings, "expected warnings to be populated on deleting default key")
-}
-
-func TestPKI_PathManageKeys_DeleteUsedKeyFails(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-
-	resp, err := b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  logical.UpdateOperation,
-		Path:       "issuers/generate/root/internal",
-		Storage:    s,
-		Data:       map[string]interface{}{"common_name": "test.com"},
-		MountPoint: "pki/",
-	})
-	require.NoError(t, err, "Failed generating issuer")
-	require.NotNil(t, resp, "Got nil response generating issuer")
-	require.False(t, resp.IsError(), "resp contained errors generating issuer: %#v", resp.Error())
-	keyId := resp.Data["key_id"].(keyID)
-
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  logical.DeleteOperation,
-		Path:       "key/" + keyId.String(),
-		Storage:    s,
-		MountPoint: "pki/",
-	})
-	require.NoError(t, err, "failed deleting key used by an issuer")
-	require.NotNil(t, resp, "Got nil response deleting key used by an issuer")
-	require.True(t, resp.IsError(), "expected an error deleting key used by an issuer")
-}
-
-func TestPKI_PathManageKeys_UpdateKeyDetails(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-
-	resp, err := b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  logical.UpdateOperation,
-		Path:       "keys/generate/internal",
-		Storage:    s,
-		Data:       map[string]interface{}{"key_type": "ec"},
-		MountPoint: "pki/",
-	})
-	require.NoError(t, err, "Failed generating key")
-	require.NotNil(t, resp, "Got nil response generating key")
-	require.False(t, resp.IsError(), "resp contained errors generating key: %#v", resp.Error())
-	keyId := resp.Data["key_id"].(keyID)
-
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  logical.UpdateOperation,
-		Path:       "key/" + keyId.String(),
-		Storage:    s,
-		Data:       map[string]interface{}{"key_name": "new-name"},
-		MountPoint: "pki/",
-	})
-	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("key/"+keyId.String()), logical.UpdateOperation), resp, true)
-
-	require.NoError(t, err, "failed updating key with new name")
-	require.NotNil(t, resp, "Got nil response updating key with new name")
-	require.False(t, resp.IsError(), "unexpected error updating key with new name: %#v", resp.Error())
-
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  logical.ReadOperation,
-		Path:       "key/" + keyId.String(),
-		Storage:    s,
-		MountPoint: "pki/",
-	})
-	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("key/"+keyId.String()), logical.ReadOperation), resp, true)
-
-	require.NoError(t, err, "failed reading key after name update")
-	require.NotNil(t, resp, "Got nil response reading key after name update")
-	require.False(t, resp.IsError(), "unexpected error reading key: %#v", resp.Error())
-	keyName := resp.Data["key_name"].(string)
-
-	require.Equal(t, "new-name", keyName, "failed to update key_name expected: new-name was: %s", keyName)
-
-	// Make sure we do not allow updates to invalid name values
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  logical.UpdateOperation,
-		Path:       "key/" + keyId.String(),
-		Storage:    s,
-		Data:       map[string]interface{}{"key_name": "a-bad\\-name"},
-		MountPoint: "pki/",
-	})
-	require.NoError(t, err, "failed updating key with a bad name")
-	require.NotNil(t, resp, "Got nil response updating key with a bad name")
-	require.True(t, resp.IsError(), "expected an error updating key with a bad name, but did not get one.")
-}
-
-func TestPKI_PathManageKeys_ImportKeyBundleBadData(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-
-	resp, err := b.HandleRequest(context.Background(), &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "keys/import",
-		Storage:   s,
-		Data: map[string]interface{}{
-			"key_name":   "my-ec-key",
-			"pem_bundle": "this-is-not-a-pem-bundle",
-		},
-		MountPoint: "pki/",
-	})
-	require.NoError(t, err, "got a 500 error type response from a bad pem bundle")
-	require.NotNil(t, resp, "Got nil response importing a bad pem bundle")
-	require.True(t, resp.IsError(), "should have received an error response importing a bad pem bundle")
-
-	// Make sure we also bomb on a proper certificate
-	bundle := genCertBundle(t, b, s)
-	resp, err = b.HandleRequest(context.Background(), &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "keys/import",
-		Storage:   s,
-		Data: map[string]interface{}{
-			"pem_bundle": bundle.Certificate,
-		},
-		MountPoint: "pki/",
-	})
-	require.NoError(t, err, "got a 500 error type response from a certificate pem bundle")
-	require.NotNil(t, resp, "Got nil response importing a certificate bundle")
-	require.True(t, resp.IsError(), "should have received an error response importing a certificate pem bundle")
-}
-
-func TestPKI_PathManageKeys_ImportKeyRejectsMultipleKeys(t *testing.T) {
-	t.Parallel()
-	b, s := CreateBackendWithStorage(t)
-
-	bundle1, err := certutil.CreateKeyBundle("ec", 224, rand.Reader)
-	require.NoError(t, err, "failed generating an ec key bundle")
-	bundle2, err := certutil.CreateKeyBundle("rsa", 2048, rand.Reader)
-	require.NoError(t, err, "failed generating an rsa key bundle")
-	pem1, err := bundle1.ToPrivateKeyPemString()
-	require.NoError(t, err, "failed converting ec key to pem")
-	pem2, err := bundle2.ToPrivateKeyPemString()
-	require.NoError(t, err, "failed converting rsa key to pem")
-
-	importPem := pem1 + "\n" + pem2
-
-	resp, err := b.HandleRequest(context.Background(), &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "keys/import",
-		Storage:   s,
-		Data: map[string]interface{}{
-			"key_name":   "my-ec-key",
-			"pem_bundle": importPem,
-		},
-		MountPoint: "pki/",
-	})
-	require.NoError(t, err, "got a 500 error type response from a bad pem bundle")
-	require.NotNil(t, resp, "Got nil response importing a bad pem bundle")
-	require.True(t, resp.IsError(), "should have received an error response importing a pem bundle with more than 1 key")
-
-	ctx := context.Background()
-	sc := b.makeStorageContext(ctx, s)
-	keys, _ := sc.listKeys()
-	for _, keyId := range keys {
-		id, _ := sc.fetchKeyById(keyId)
-		t.Logf("%s:%s", id.ID, id.Name)
-	}
-}
+```release-note:improvement
+ui: Update AlertInline component to use Helios Design System Alert component
+```
diff --git a/builtin/logical/pki/path_ocsp.go b/builtin/logical/pki/path_ocsp.go
index 98adcc5fe4f2..5fcde924fae2 100644
--- a/builtin/logical/pki/path_ocsp.go
+++ b/builtin/logical/pki/path_ocsp.go
@@ -1,532 +1,3 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package pki
-
-import (
-	"bytes"
-	"context"
-	"crypto"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/asn1"
-	"encoding/base64"
-	"errors"
-	"fmt"
-	"io"
-	"math/big"
-	"net/http"
-	"strings"
-	"time"
-
-	"github.com/hashicorp/go-secure-stdlib/parseutil"
-	"github.com/hashicorp/vault/sdk/framework"
-	"github.com/hashicorp/vault/sdk/helper/certutil"
-	"github.com/hashicorp/vault/sdk/helper/errutil"
-	"github.com/hashicorp/vault/sdk/logical"
-	"golang.org/x/crypto/ocsp"
-)
-
-const (
-	ocspReqParam            = "req"
-	ocspResponseContentType = "application/ocsp-response"
-	maximumRequestSize      = 2048 // A normal simple request is 87 bytes, so give us some buffer
-)
-
-type ocspRespInfo struct {
-	serialNumber      *big.Int
-	ocspStatus        int
-	revocationTimeUTC *time.Time
-	issuerID          issuerID
-}
-
-// These response variables should not be mutated, instead treat them as constants
-var (
-	OcspUnauthorizedResponse = &logical.Response{
-		Data: map[string]interface{}{
-			logical.HTTPContentType: ocspResponseContentType,
-			logical.HTTPStatusCode:  http.StatusUnauthorized,
-			logical.HTTPRawBody:     ocsp.UnauthorizedErrorResponse,
-		},
-	}
-	OcspMalformedResponse = &logical.Response{
-		Data: map[string]interface{}{
-			logical.HTTPContentType: ocspResponseContentType,
-			logical.HTTPStatusCode:  http.StatusBadRequest,
-			logical.HTTPRawBody:     ocsp.MalformedRequestErrorResponse,
-		},
-	}
-	OcspInternalErrorResponse = &logical.Response{
-		Data: map[string]interface{}{
-			logical.HTTPContentType: ocspResponseContentType,
-			logical.HTTPStatusCode:  http.StatusInternalServerError,
-			logical.HTTPRawBody:     ocsp.InternalErrorErrorResponse,
-		},
-	}
-
-	ErrMissingOcspUsage = errors.New("issuer entry did not have the OCSPSigning usage")
-	ErrIssuerHasNoKey   = errors.New("issuer has no key")
-	ErrUnknownIssuer    = errors.New("unknown issuer")
-)
-
-func buildPathOcspGet(b *backend) *framework.Path {
-	pattern := "ocsp/" + framework.MatchAllRegex(ocspReqParam)
-
-	displayAttrs := &framework.DisplayAttributes{
-		OperationPrefix: operationPrefixPKI,
-		OperationVerb:   "query",
-		OperationSuffix: "ocsp-with-get-req",
-	}
-
-	return buildOcspGetWithPath(b, pattern, displayAttrs)
-}
-
-func buildPathUnifiedOcspGet(b *backend) *framework.Path {
-	pattern := "unified-ocsp/" + framework.MatchAllRegex(ocspReqParam)
-
-	displayAttrs := &framework.DisplayAttributes{
-		OperationPrefix: operationPrefixPKI,
-		OperationVerb:   "query",
-		OperationSuffix: "unified-ocsp-with-get-req",
-	}
-
-	return buildOcspGetWithPath(b, pattern, displayAttrs)
-}
-
-func buildOcspGetWithPath(b *backend, pattern string, displayAttrs *framework.DisplayAttributes) *framework.Path {
-	return &framework.Path{
-		Pattern:      pattern,
-		DisplayAttrs: displayAttrs,
-		Fields: map[string]*framework.FieldSchema{
-			ocspReqParam: {
-				Type:        framework.TypeString,
-				Description: "base-64 encoded ocsp request",
-			},
-		},
-		Operations: map[logical.Operation]framework.OperationHandler{
-			logical.ReadOperation: &framework.PathOperation{
-				Callback: b.ocspHandler,
-			},
-		},
-
-		HelpSynopsis:    pathOcspHelpSyn,
-		HelpDescription: pathOcspHelpDesc,
-	}
-}
-
-func buildPathOcspPost(b *backend) *framework.Path {
-	pattern := "ocsp"
-
-	displayAttrs := &framework.DisplayAttributes{
-		OperationPrefix: operationPrefixPKI,
-		OperationVerb:   "query",
-		OperationSuffix: "ocsp",
-	}
-
-	return buildOcspPostWithPath(b, pattern, displayAttrs)
-}
-
-func buildPathUnifiedOcspPost(b *backend) *framework.Path {
-	pattern := "unified-ocsp"
-
-	displayAttrs := &framework.DisplayAttributes{
-		OperationPrefix: operationPrefixPKI,
-		OperationVerb:   "query",
-		OperationSuffix: "unified-ocsp",
-	}
-
-	return buildOcspPostWithPath(b, pattern, displayAttrs)
-}
-
-func buildOcspPostWithPath(b *backend, pattern string, displayAttrs *framework.DisplayAttributes) *framework.Path {
-	return &framework.Path{
-		Pattern:      pattern,
-		DisplayAttrs: displayAttrs,
-		Operations: map[logical.Operation]framework.OperationHandler{
-			logical.UpdateOperation: &framework.PathOperation{
-				Callback: b.ocspHandler,
-			},
-		},
-
-		HelpSynopsis:    pathOcspHelpSyn,
-		HelpDescription: pathOcspHelpDesc,
-	}
-}
-
-func (b *backend) ocspHandler(ctx context.Context, request *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-	sc := b.makeStorageContext(ctx, request.Storage)
-	cfg, err := b.crlBuilder.getConfigWithUpdate(sc)
-	if err != nil || cfg.OcspDisable || (isUnifiedOcspPath(request) && !cfg.UnifiedCRL) {
-		return OcspUnauthorizedResponse, nil
-	}
-
-	derReq, err := fetchDerEncodedRequest(request, data)
-	if err != nil {
-		return OcspMalformedResponse, nil
-	}
-
-	ocspReq, err := ocsp.ParseRequest(derReq)
-	if err != nil {
-		return OcspMalformedResponse, nil
-	}
-
-	useUnifiedStorage := canUseUnifiedStorage(request, cfg)
-
-	ocspStatus, err := getOcspStatus(sc, ocspReq, useUnifiedStorage)
-	if err != nil {
-		return logAndReturnInternalError(b, err), nil
-	}
-
-	caBundle, issuer, err := lookupOcspIssuer(sc, ocspReq, ocspStatus.issuerID)
-	if err != nil {
-		if errors.Is(err, ErrUnknownIssuer) {
-			// Since we were not able to find a matching issuer for the incoming request
-			// generate an Unknown OCSP response. This might turn into an Unauthorized if
-			// we find out that we don't have a default issuer or it's missing the proper Usage flags
-			return generateUnknownResponse(cfg, sc, ocspReq), nil
-		}
-		if errors.Is(err, ErrMissingOcspUsage) {
-			// If we did find a matching issuer but aren't allowed to sign, the spec says
-			// we should be responding with an Unauthorized response as we don't have the
-			// ability to sign the response.
-			// https://www.rfc-editor.org/rfc/rfc5019#section-2.2.3
-			return OcspUnauthorizedResponse, nil
-		}
-		return logAndReturnInternalError(b, err), nil
-	}
-
-	byteResp, err := genResponse(cfg, caBundle, ocspStatus, ocspReq.HashAlgorithm, issuer.RevocationSigAlg)
-	if err != nil {
-		return logAndReturnInternalError(b, err), nil
-	}
-
-	return &logical.Response{
-		Data: map[string]interface{}{
-			logical.HTTPContentType: ocspResponseContentType,
-			logical.HTTPStatusCode:  http.StatusOK,
-			logical.HTTPRawBody:     byteResp,
-		},
-	}, nil
-}
-
-func canUseUnifiedStorage(req *logical.Request, cfg *crlConfig) bool {
-	if isUnifiedOcspPath(req) {
-		return true
-	}
-
-	// We are operating on the existing /pki/ocsp path, both of these fields need to be enabled
-	// for us to use the unified path.
-	return shouldLocalPathsUseUnified(cfg)
-}
-
-func isUnifiedOcspPath(req *logical.Request) bool {
-	return strings.HasPrefix(req.Path, "unified-ocsp")
-}
-
-func generateUnknownResponse(cfg *crlConfig, sc *storageContext, ocspReq *ocsp.Request) *logical.Response {
-	// Generate an Unknown OCSP response, signing with the default issuer from the mount as we did
-	// not match the request's issuer. If no default issuer can be used, return with Unauthorized as there
-	// isn't much else we can do at this point.
-	config, err := sc.getIssuersConfig()
-	if err != nil {
-		return logAndReturnInternalError(sc.Backend, err)
-	}
-
-	if config.DefaultIssuerId == "" {
-		// If we don't have any issuers or default issuers set, no way to sign a response so Unauthorized it is.
-		return OcspUnauthorizedResponse
-	}
-
-	caBundle, issuer, err := getOcspIssuerParsedBundle(sc, config.DefaultIssuerId)
-	if err != nil {
-		if errors.Is(err, ErrUnknownIssuer) || errors.Is(err, ErrIssuerHasNoKey) {
-			// We must have raced on a delete/update of the default issuer, anyways
-			// no way to sign a response so Unauthorized it is.
-			return OcspUnauthorizedResponse
-		}
-		return logAndReturnInternalError(sc.Backend, err)
-	}
-
-	if !issuer.Usage.HasUsage(OCSPSigningUsage) {
-		// If we don't have any issuers or default issuers set, no way to sign a response so Unauthorized it is.
-		return OcspUnauthorizedResponse
-	}
-
-	info := &ocspRespInfo{
-		serialNumber: ocspReq.SerialNumber,
-		ocspStatus:   ocsp.Unknown,
-	}
-
-	byteResp, err := genResponse(cfg, caBundle, info, ocspReq.HashAlgorithm, issuer.RevocationSigAlg)
-	if err != nil {
-		return logAndReturnInternalError(sc.Backend, err)
-	}
-
-	return &logical.Response{
-		Data: map[string]interface{}{
-			logical.HTTPContentType: ocspResponseContentType,
-			logical.HTTPStatusCode:  http.StatusOK,
-			logical.HTTPRawBody:     byteResp,
-		},
-	}
-}
-
-func fetchDerEncodedRequest(request *logical.Request, data *framework.FieldData) ([]byte, error) {
-	switch request.Operation {
-	case logical.ReadOperation:
-		// The param within the GET request should have a base64 encoded version of a DER request.
-		base64Req := data.Get(ocspReqParam).(string)
-		if base64Req == "" {
-			return nil, errors.New("no base64 encoded ocsp request was found")
-		}
-
-		if len(base64Req) >= maximumRequestSize {
-			return nil, errors.New("request is too large")
-		}
-
-		return base64.StdEncoding.DecodeString(base64Req)
-	case logical.UpdateOperation:
-		// POST bodies should contain the binary form of the DER request.
-		// NOTE: Writing an empty update request to Vault causes a nil request.HTTPRequest, and that object
-		//       says that it is possible for its Body element to be nil as well, so check both just in case.
-		if request.HTTPRequest == nil {
-			return nil, errors.New("no data in request")
-		}
-		rawBody := request.HTTPRequest.Body
-		if rawBody == nil {
-			return nil, errors.New("no data in request body")
-		}
-		defer rawBody.Close()
-
-		requestBytes, err := io.ReadAll(io.LimitReader(rawBody, maximumRequestSize))
-		if err != nil {
-			return nil, err
-		}
-
-		if len(requestBytes) >= maximumRequestSize {
-			return nil, errors.New("request is too large")
-		}
-		return requestBytes, nil
-	default:
-		return nil, fmt.Errorf("unsupported request method: %s", request.Operation)
-	}
-}
-
-func logAndReturnInternalError(b *backend, err error) *logical.Response {
-	// Since OCSP might be a high traffic endpoint, we will log at debug level only
-	// any internal errors we do get. There is no way for us to return to the end-user
-	// errors, so we rely on the log statement to help in debugging possible
-	// issues in the field.
-	b.Logger().Debug("OCSP internal error", "error", err)
-	return OcspInternalErrorResponse
-}
-
-func getOcspStatus(sc *storageContext, ocspReq *ocsp.Request, useUnifiedStorage bool) (*ocspRespInfo, error) {
-	revEntryRaw, err := fetchCertBySerialBigInt(sc, revokedPath, ocspReq.SerialNumber)
-	if err != nil {
-		return nil, err
-	}
-
-	info := ocspRespInfo{
-		serialNumber: ocspReq.SerialNumber,
-		ocspStatus:   ocsp.Good,
-	}
-
-	if revEntryRaw != nil {
-		var revEntry revocationInfo
-		if err := revEntryRaw.DecodeJSON(&revEntry); err != nil {
-			return nil, err
-		}
-
-		info.ocspStatus = ocsp.Revoked
-		info.revocationTimeUTC = &revEntry.RevocationTimeUTC
-		info.issuerID = revEntry.CertificateIssuer // This might be empty if the CRL hasn't been rebuilt
-	} else if useUnifiedStorage {
-		dashSerial := normalizeSerialFromBigInt(ocspReq.SerialNumber)
-		unifiedEntry, err := getUnifiedRevocationBySerial(sc, dashSerial)
-		if err != nil {
-			return nil, err
-		}
-
-		if unifiedEntry != nil {
-			info.ocspStatus = ocsp.Revoked
-			info.revocationTimeUTC = &unifiedEntry.RevocationTimeUTC
-			info.issuerID = unifiedEntry.CertificateIssuer
-		}
-	}
-
-	return &info, nil
-}
-
-func lookupOcspIssuer(sc *storageContext, req *ocsp.Request, optRevokedIssuer issuerID) (*certutil.ParsedCertBundle, *issuerEntry, error) {
-	reqHash := req.HashAlgorithm
-	if !reqHash.Available() {
-		return nil, nil, x509.ErrUnsupportedAlgorithm
-	}
-
-	// This will prime up issuerIds, with either the optRevokedIssuer value if set
-	// or if we are operating in legacy storage mode, the shim bundle id or finally
-	// a list of all our issuers in this mount.
-	issuerIds, err := lookupIssuerIds(sc, optRevokedIssuer)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	matchedButNoUsage := false
-	for _, issuerId := range issuerIds {
-		parsedBundle, issuer, err := getOcspIssuerParsedBundle(sc, issuerId)
-		if err != nil {
-			// A bit touchy here as if we get an ErrUnknownIssuer for an issuer id that we picked up
-			// from a revocation entry, we still return an ErrUnknownOcspIssuer as we can't validate
-			// the end-user actually meant this specific issuer's cert with serial X.
-			if errors.Is(err, ErrUnknownIssuer) || errors.Is(err, ErrIssuerHasNoKey) {
-				// This skips either bad issuer ids, or root certs with no keys that we can't use.
-				continue
-			}
-			return nil, nil, err
-		}
-
-		// Make sure the client and Vault are talking about the same issuer, otherwise
-		// we might have a case of a matching serial number for a different issuer which
-		// we should not respond back in the affirmative about.
-		matches, err := doesRequestMatchIssuer(parsedBundle, req)
-		if err != nil {
-			return nil, nil, err
-		}
-
-		if matches {
-			if !issuer.Usage.HasUsage(OCSPSigningUsage) {
-				matchedButNoUsage = true
-				// We found a matching issuer, but it's not allowed to sign the
-				// response, there might be another issuer that we rotated
-				// that will match though, so keep iterating.
-				continue
-			}
-
-			return parsedBundle, issuer, nil
-		}
-	}
-
-	if matchedButNoUsage {
-		// We matched an issuer but it did not have an OCSP signing usage set so bail.
-		return nil, nil, ErrMissingOcspUsage
-	}
-
-	return nil, nil, ErrUnknownIssuer
-}
-
-func getOcspIssuerParsedBundle(sc *storageContext, issuerId issuerID) (*certutil.ParsedCertBundle, *issuerEntry, error) {
-	issuer, bundle, err := sc.fetchCertBundleByIssuerId(issuerId, true)
-	if err != nil {
-		switch err.(type) {
-		case errutil.UserError:
-			// Most likely the issuer id no longer exists skip it
-			return nil, nil, ErrUnknownIssuer
-		default:
-			return nil, nil, err
-		}
-	}
-
-	if issuer.KeyID == "" {
-		// No point if the key does not exist from the issuer to use as a signer.
-		return nil, nil, ErrIssuerHasNoKey
-	}
-
-	caBundle, err := parseCABundle(sc.Context, sc.Backend, bundle)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	return caBundle, issuer, nil
-}
-
-func lookupIssuerIds(sc *storageContext, optRevokedIssuer issuerID) ([]issuerID, error) {
-	if optRevokedIssuer != "" {
-		return []issuerID{optRevokedIssuer}, nil
-	}
-
-	if sc.Backend.useLegacyBundleCaStorage() {
-		return []issuerID{legacyBundleShimID}, nil
-	}
-
-	return sc.listIssuers()
-}
-
-func doesRequestMatchIssuer(parsedBundle *certutil.ParsedCertBundle, req *ocsp.Request) (bool, error) {
-	// issuer name hashing taken from golang.org/x/crypto/ocsp.
-	var pkInfo struct {
-		Algorithm pkix.AlgorithmIdentifier
-		PublicKey asn1.BitString
-	}
-	if _, err := asn1.Unmarshal(parsedBundle.Certificate.RawSubjectPublicKeyInfo, &pkInfo); err != nil {
-		return false, err
-	}
-
-	h := req.HashAlgorithm.New()
-	h.Write(pkInfo.PublicKey.RightAlign())
-	issuerKeyHash := h.Sum(nil)
-
-	h.Reset()
-	h.Write(parsedBundle.Certificate.RawSubject)
-	issuerNameHash := h.Sum(nil)
-
-	return bytes.Equal(req.IssuerKeyHash, issuerKeyHash) && bytes.Equal(req.IssuerNameHash, issuerNameHash), nil
-}
-
-func genResponse(cfg *crlConfig, caBundle *certutil.ParsedCertBundle, info *ocspRespInfo, reqHash crypto.Hash, revSigAlg x509.SignatureAlgorithm) ([]byte, error) {
-	curTime := time.Now()
-	duration, err := parseutil.ParseDurationSecond(cfg.OcspExpiry)
-	if err != nil {
-		return nil, err
-	}
-
-	// x/crypto/ocsp lives outside of the standard library's crypto/x509 and includes
-	// ripped-off variants of many internal structures and functions. These
-	// lack support for PSS signatures altogether, so if we have revSigAlg
-	// that uses PSS, downgrade it to PKCS#1v1.5. This fixes the lack of
-	// support in x/ocsp, at the risk of OCSP requests failing due to lack
-	// of PKCS#1v1.5 (in say, PKCS#11 HSMs or GCP).
-	//
-	// Other restrictions, such as hash function selection, will still work
-	// however.
-	switch revSigAlg {
-	case x509.SHA256WithRSAPSS:
-		revSigAlg = x509.SHA256WithRSA
-	case x509.SHA384WithRSAPSS:
-		revSigAlg = x509.SHA384WithRSA
-	case x509.SHA512WithRSAPSS:
-		revSigAlg = x509.SHA512WithRSA
-	}
-
-	// Due to a bug in Go's ocsp.ParseResponse(...), we do not provision
-	// Certificate any more on the response to help Go based OCSP clients.
-	// This was technically unnecessary, as the Certificate given here
-	// both signed the OCSP response and issued the leaf cert, and so
-	// should already be trusted by the client.
-	//
-	// See also: https://github.com/golang/go/issues/59641
-	template := ocsp.Response{
-		IssuerHash:         reqHash,
-		Status:             info.ocspStatus,
-		SerialNumber:       info.serialNumber,
-		ThisUpdate:         curTime,
-		NextUpdate:         curTime.Add(duration),
-		ExtraExtensions:    []pkix.Extension{},
-		SignatureAlgorithm: revSigAlg,
-	}
-
-	if info.ocspStatus == ocsp.Revoked {
-		template.RevokedAt = *info.revocationTimeUTC
-		template.RevocationReason = ocsp.Unspecified
-	}
-
-	return ocsp.CreateResponse(caBundle.Certificate, caBundle.Certificate, template, caBundle.PrivateKey)
-}
-
-const pathOcspHelpSyn = `
-Query a certificate's revocation status through OCSP'
-`
-
-const pathOcspHelpDesc = `
-This endpoint expects DER encoded OCSP requests and returns DER encoded OCSP responses
-`
+```release-note:bug
+eventlogger: Update library to v0.2.7 to address race condition
+```
diff --git a/builtin/logical/pki/path_ocsp_test.go b/builtin/logical/pki/path_ocsp_test.go
index b62e7d4b5a17..ab5ce613c404 100644
--- a/builtin/logical/pki/path_ocsp_test.go
+++ b/builtin/logical/pki/path_ocsp_test.go
@@ -1,710 +1,4 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package pki
-
-import (
-	"bytes"
-	"context"
-	"crypto"
-	"crypto/x509"
-	"encoding/base64"
-	"fmt"
-	"io"
-	"net/http"
-	"strconv"
-	"strings"
-	"testing"
-
-	"github.com/hashicorp/go-secure-stdlib/parseutil"
-	vaulthttp "github.com/hashicorp/vault/http"
-	"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"
-	"github.com/hashicorp/vault/sdk/logical"
-	"github.com/hashicorp/vault/vault"
-	"github.com/stretchr/testify/require"
-	"golang.org/x/crypto/ocsp"
-)
-
-// If the ocsp_disabled flag is set to true in the crl configuration make sure we always
-// return an Unauthorized error back as we assume an end-user disabling the feature does
-// not want us to act as the OCSP authority and the RFC specifies this is the appropriate response.
-func TestOcsp_Disabled(t *testing.T) {
-	t.Parallel()
-	type testArgs struct {
-		reqType string
-	}
-	var tests []testArgs
-	for _, reqType := range []string{"get", "post"} {
-		tests = append(tests, testArgs{
-			reqType: reqType,
-		})
-	}
-	for _, tt := range tests {
-		localTT := tt
-		t.Run(localTT.reqType, func(t *testing.T) {
-			b, s, testEnv := setupOcspEnv(t, "rsa")
-			resp, err := CBWrite(b, s, "config/crl", map[string]interface{}{
-				"ocsp_disable": "true",
-			})
-			requireSuccessNonNilResponse(t, resp, err)
-			resp, err = SendOcspRequest(t, b, s, localTT.reqType, testEnv.leafCertIssuer1, testEnv.issuer1, crypto.SHA1)
-			require.NoError(t, err)
-			requireFieldsSetInResp(t, resp, "http_content_type", "http_status_code", "http_raw_body")
-			require.Equal(t, 401, resp.Data["http_status_code"])
-			require.Equal(t, ocspResponseContentType, resp.Data["http_content_type"])
-			respDer := resp.Data["http_raw_body"].([]byte)
-
-			require.Equal(t, ocsp.UnauthorizedErrorResponse, respDer)
-		})
-	}
-}
-
-// If we can't find the issuer within the request and have no default issuer to sign an Unknown response
-// with return an UnauthorizedErrorResponse/according to/the RFC, similar to if we are disabled (lack of authority)
-// This behavior differs from CRLs when an issuer is removed from a mount.
-func TestOcsp_UnknownIssuerWithNoDefault(t *testing.T) {
-	t.Parallel()
-
-	_, _, testEnv := setupOcspEnv(t, "ec")
-	// Create another completely empty mount so the created issuer/certificate above is unknown
-	b, s := CreateBackendWithStorage(t)
-
-	resp, err := SendOcspRequest(t, b, s, "get", testEnv.leafCertIssuer1, testEnv.issuer1, crypto.SHA1)
-	require.NoError(t, err)
-	requireFieldsSetInResp(t, resp, "http_content_type", "http_status_code", "http_raw_body")
-	require.Equal(t, 401, resp.Data["http_status_code"])
-	require.Equal(t, ocspResponseContentType, resp.Data["http_content_type"])
-	respDer := resp.Data["http_raw_body"].([]byte)
-
-	require.Equal(t, ocsp.UnauthorizedErrorResponse, respDer)
-}
-
-// If the issuer in the request does exist, but the request coming in associates the serial with the
-// wrong issuer return an Unknown response back to the caller.
-func TestOcsp_WrongIssuerInRequest(t *testing.T) {
-	t.Parallel()
-
-	b, s, testEnv := setupOcspEnv(t, "ec")
-	serial := serialFromCert(testEnv.leafCertIssuer1)
-	resp, err := CBWrite(b, s, "revoke", map[string]interface{}{
-		"serial_number": serial,
-	})
-	requireSuccessNonNilResponse(t, resp, err, "revoke")
-
-	resp, err = SendOcspRequest(t, b, s, "get", testEnv.leafCertIssuer1, testEnv.issuer2, crypto.SHA1)
-	require.NoError(t, err)
-	requireFieldsSetInResp(t, resp, "http_content_type", "http_status_code", "http_raw_body")
-	require.Equal(t, 200, resp.Data["http_status_code"])
-	require.Equal(t, ocspResponseContentType, resp.Data["http_content_type"])
-	respDer := resp.Data["http_raw_body"].([]byte)
-
-	ocspResp, err := ocsp.ParseResponse(respDer, testEnv.issuer1)
-	require.NoError(t, err, "parsing ocsp get response")
-
-	require.Equal(t, ocsp.Unknown, ocspResp.Status)
-}
-
-// Verify that requests we can't properly decode result in the correct response of MalformedRequestError
-func TestOcsp_MalformedRequests(t *testing.T) {
-	t.Parallel()
-	type testArgs struct {
-		reqType string
-	}
-	var tests []testArgs
-	for _, reqType := range []string{"get", "post"} {
-		tests = append(tests, testArgs{
-			reqType: reqType,
-		})
-	}
-	for _, tt := range tests {
-		localTT := tt
-		t.Run(localTT.reqType, func(t *testing.T) {
-			b, s, _ := setupOcspEnv(t, "rsa")
-			badReq := []byte("this is a bad request")
-			var resp *logical.Response
-			var err error
-			switch localTT.reqType {
-			case "get":
-				resp, err = sendOcspGetRequest(b, s, badReq)
-			case "post":
-				resp, err = sendOcspPostRequest(b, s, badReq)
-			default:
-				t.Fatalf("bad request type")
-			}
-			require.NoError(t, err)
-			requireFieldsSetInResp(t, resp, "http_content_type", "http_status_code", "http_raw_body")
-			require.Equal(t, 400, resp.Data["http_status_code"])
-			require.Equal(t, ocspResponseContentType, resp.Data["http_content_type"])
-			respDer := resp.Data["http_raw_body"].([]byte)
-
-			require.Equal(t, ocsp.MalformedRequestErrorResponse, respDer)
-		})
-	}
-}
-
-// Validate that we properly handle a revocation entry that contains an issuer ID that no longer exists,
-// the best we can do in this use case is to respond back with the default issuer that we don't know
-// the issuer that they are requesting (we can't guarantee that the client is actually requesting a serial
-// from that issuer)
-func TestOcsp_InvalidIssuerIdInRevocationEntry(t *testing.T) {
-	t.Parallel()
-
-	b, s, testEnv := setupOcspEnv(t, "ec")
-	ctx := context.Background()
-
-	// Revoke the entry
-	serial := serialFromCert(testEnv.leafCertIssuer1)
-	resp, err := CBWrite(b, s, "revoke", map[string]interface{}{
-		"serial_number": serial,
-	})
-	requireSuccessNonNilResponse(t, resp, err, "revoke")
-
-	// Twiddle the entry so that the issuer id is no longer valid.
-	storagePath := revokedPath + normalizeSerial(serial)
-	var revInfo revocationInfo
-	revEntry, err := s.Get(ctx, storagePath)
-	require.NoError(t, err, "failed looking up storage path: %s", storagePath)
-	err = revEntry.DecodeJSON(&revInfo)
-	require.NoError(t, err, "failed decoding storage entry: %v", revEntry)
-	revInfo.CertificateIssuer = "00000000-0000-0000-0000-000000000000"
-	revEntry, err = logical.StorageEntryJSON(storagePath, revInfo)
-	require.NoError(t, err, "failed re-encoding revocation info: %v", revInfo)
-	err = s.Put(ctx, revEntry)
-	require.NoError(t, err, "failed writing out new revocation entry: %v", revEntry)
-
-	// Send the request
-	resp, err = SendOcspRequest(t, b, s, "get", testEnv.leafCertIssuer1, testEnv.issuer1, crypto.SHA1)
-	require.NoError(t, err)
-	requireFieldsSetInResp(t, resp, "http_content_type", "http_status_code", "http_raw_body")
-	require.Equal(t, 200, resp.Data["http_status_code"])
-	require.Equal(t, ocspResponseContentType, resp.Data["http_content_type"])
-	respDer := resp.Data["http_raw_body"].([]byte)
-
-	ocspResp, err := ocsp.ParseResponse(respDer, testEnv.issuer1)
-	require.NoError(t, err, "parsing ocsp get response")
-
-	require.Equal(t, ocsp.Unknown, ocspResp.Status)
-}
-
-// Validate that we properly handle an unknown issuer use-case but that the default issuer
-// does not have the OCSP usage flag set, we can't do much else other than reply with an
-// Unauthorized response.
-func TestOcsp_UnknownIssuerIdWithDefaultHavingOcspUsageRemoved(t *testing.T) {
-	t.Parallel()
-
-	b, s, testEnv := setupOcspEnv(t, "ec")
-	ctx := context.Background()
-
-	// Revoke the entry
-	serial := serialFromCert(testEnv.leafCertIssuer1)
-	resp, err := CBWrite(b, s, "revoke", map[string]interface{}{
-		"serial_number": serial,
-	})
-	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("revoke"), logical.UpdateOperation), resp, true)
-	requireSuccessNonNilResponse(t, resp, err, "revoke")
-
-	// Twiddle the entry so that the issuer id is no longer valid.
-	storagePath := revokedPath + normalizeSerial(serial)
-	var revInfo revocationInfo
-	revEntry, err := s.Get(ctx, storagePath)
-	require.NoError(t, err, "failed looking up storage path: %s", storagePath)
-	err = revEntry.DecodeJSON(&revInfo)
-	require.NoError(t, err, "failed decoding storage entry: %v", revEntry)
-	revInfo.CertificateIssuer = "00000000-0000-0000-0000-000000000000"
-	revEntry, err = logical.StorageEntryJSON(storagePath, revInfo)
-	require.NoError(t, err, "failed re-encoding revocation info: %v", revInfo)
-	err = s.Put(ctx, revEntry)
-	require.NoError(t, err, "failed writing out new revocation entry: %v", revEntry)
-
-	// Update our issuers to no longer have the OcspSigning usage
-	resp, err = CBPatch(b, s, "issuer/"+testEnv.issuerId1.String(), map[string]interface{}{
-		"usage": "read-only,issuing-certificates,crl-signing",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed resetting usage flags on issuer1")
-	resp, err = CBPatch(b, s, "issuer/"+testEnv.issuerId2.String(), map[string]interface{}{
-		"usage": "read-only,issuing-certificates,crl-signing",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed resetting usage flags on issuer2")
-
-	// Send the request
-	resp, err = SendOcspRequest(t, b, s, "get", testEnv.leafCertIssuer1, testEnv.issuer1, crypto.SHA1)
-	require.NoError(t, err)
-	requireFieldsSetInResp(t, resp, "http_content_type", "http_status_code", "http_raw_body")
-	require.Equal(t, 401, resp.Data["http_status_code"])
-	require.Equal(t, ocspResponseContentType, resp.Data["http_content_type"])
-	respDer := resp.Data["http_raw_body"].([]byte)
-
-	require.Equal(t, ocsp.UnauthorizedErrorResponse, respDer)
-}
-
-// Verify that if we do have a revoked certificate entry for the request, that matches an
-// issuer but that issuer does not have the OcspUsage flag set that we return an Unauthorized
-// response back to the caller
-func TestOcsp_RevokedCertHasIssuerWithoutOcspUsage(t *testing.T) {
-	b, s, testEnv := setupOcspEnv(t, "ec")
-
-	// Revoke our certificate
-	resp, err := CBWrite(b, s, "revoke", map[string]interface{}{
-		"serial_number": serialFromCert(testEnv.leafCertIssuer1),
-	})
-	requireSuccessNonNilResponse(t, resp, err, "revoke")
-
-	// Update our issuer to no longer have the OcspSigning usage
-	resp, err = CBPatch(b, s, "issuer/"+testEnv.issuerId1.String(), map[string]interface{}{
-		"usage": "read-only,issuing-certificates,crl-signing",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed resetting usage flags on issuer")
-	requireFieldsSetInResp(t, resp, "usage")
-
-	// Do not assume a specific ordering for usage...
-	usages, err := NewIssuerUsageFromNames(strings.Split(resp.Data["usage"].(string), ","))
-	require.NoError(t, err, "failed parsing usage return value")
-	require.True(t, usages.HasUsage(IssuanceUsage))
-	require.True(t, usages.HasUsage(CRLSigningUsage))
-	require.False(t, usages.HasUsage(OCSPSigningUsage))
-
-	// Request an OCSP request from it, we should get an Unauthorized response back
-	resp, err = SendOcspRequest(t, b, s, "get", testEnv.leafCertIssuer1, testEnv.issuer1, crypto.SHA1)
-	requireSuccessNonNilResponse(t, resp, err, "ocsp get request")
-	requireFieldsSetInResp(t, resp, "http_content_type", "http_status_code", "http_raw_body")
-	require.Equal(t, 401, resp.Data["http_status_code"])
-	require.Equal(t, ocspResponseContentType, resp.Data["http_content_type"])
-	respDer := resp.Data["http_raw_body"].([]byte)
-
-	require.Equal(t, ocsp.UnauthorizedErrorResponse, respDer)
-}
-
-// Verify if our matching issuer for a revocation entry has no key associated with it that
-// we bail with an Unauthorized response.
-func TestOcsp_RevokedCertHasIssuerWithoutAKey(t *testing.T) {
-	b, s, testEnv := setupOcspEnv(t, "ec")
-
-	// Revoke our certificate
-	resp, err := CBWrite(b, s, "revoke", map[string]interface{}{
-		"serial_number": serialFromCert(testEnv.leafCertIssuer1),
-	})
-	requireSuccessNonNilResponse(t, resp, err, "revoke")
-
-	// Delete the key associated with our issuer
-	resp, err = CBRead(b, s, "issuer/"+testEnv.issuerId1.String())
-	requireSuccessNonNilResponse(t, resp, err, "failed reading issuer")
-	requireFieldsSetInResp(t, resp, "key_id")
-	keyId := resp.Data["key_id"].(keyID)
-
-	// This is a bit naughty but allow me to delete the key...
-	sc := b.makeStorageContext(context.Background(), s)
-	issuer, err := sc.fetchIssuerById(testEnv.issuerId1)
-	require.NoError(t, err, "failed to get issuer from storage")
-	issuer.KeyID = ""
-	err = sc.writeIssuer(issuer)
-	require.NoError(t, err, "failed to write issuer update")
-
-	resp, err = CBDelete(b, s, "key/"+keyId.String())
-	requireSuccessNonNilResponse(t, resp, err, "failed deleting key")
-
-	// Request an OCSP request from it, we should get an Unauthorized response back
-	resp, err = SendOcspRequest(t, b, s, "get", testEnv.leafCertIssuer1, testEnv.issuer1, crypto.SHA1)
-	requireSuccessNonNilResponse(t, resp, err, "ocsp get request")
-	requireFieldsSetInResp(t, resp, "http_content_type", "http_status_code", "http_raw_body")
-	require.Equal(t, 401, resp.Data["http_status_code"])
-	require.Equal(t, ocspResponseContentType, resp.Data["http_content_type"])
-	respDer := resp.Data["http_raw_body"].([]byte)
-
-	require.Equal(t, ocsp.UnauthorizedErrorResponse, respDer)
-}
-
-// Verify if for some reason an end-user has rotated an existing certificate using the same
-// key so our algo matches multiple issuers and one has OCSP usage disabled. We expect that
-// even if a prior issuer issued the certificate, the new matching issuer can respond and sign
-// the response to the caller on its behalf.
-//
-// NOTE: This test is a bit at the mercy of iteration order of the issuer ids.
-//
-//	If it becomes flaky, most likely something is wrong in the code
-//	and not the test.
-func TestOcsp_MultipleMatchingIssuersOneWithoutSigningUsage(t *testing.T) {
-	b, s, testEnv := setupOcspEnv(t, "ec")
-
-	// Create a matching issuer as issuer1 with the same backing key
-	resp, err := CBWrite(b, s, "root/rotate/existing", map[string]interface{}{
-		"key_ref":     testEnv.keyId1,
-		"ttl":         "40h",
-		"common_name": "example-ocsp.com",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "rotate issuer failed")
-	requireFieldsSetInResp(t, resp, "issuer_id")
-	rotatedCert := parseCert(t, resp.Data["certificate"].(string))
-
-	// Remove ocsp signing from our issuer
-	resp, err = CBPatch(b, s, "issuer/"+testEnv.issuerId1.String(), map[string]interface{}{
-		"usage": "read-only,issuing-certificates,crl-signing",
-	})
-	requireSuccessNonNilResponse(t, resp, err, "failed resetting usage flags on issuer")
-	requireFieldsSetInResp(t, resp, "usage")
-	// Do not assume a specific ordering for usage...
-	usages, err := NewIssuerUsageFromNames(strings.Split(resp.Data["usage"].(string), ","))
-	require.NoError(t, err, "failed parsing usage return value")
-	require.True(t, usages.HasUsage(IssuanceUsage))
-	require.True(t, usages.HasUsage(CRLSigningUsage))
-	require.False(t, usages.HasUsage(OCSPSigningUsage))
-
-	// Request an OCSP request from it, we should get a Good response back, from the rotated cert
-	resp, err = SendOcspRequest(t, b, s, "get", testEnv.leafCertIssuer1, testEnv.issuer1, crypto.SHA1)
-	requireSuccessNonNilResponse(t, resp, err, "ocsp get request")
-	requireFieldsSetInResp(t, resp, "http_content_type", "http_status_code", "http_raw_body")
-	require.Equal(t, 200, resp.Data["http_status_code"])
-	require.Equal(t, ocspResponseContentType, resp.Data["http_content_type"])
-	respDer := resp.Data["http_raw_body"].([]byte)
-
-	ocspResp, err := ocsp.ParseResponse(respDer, testEnv.issuer1)
-	require.NoError(t, err, "parsing ocsp get response")
-
-	require.Equal(t, ocsp.Good, ocspResp.Status)
-	require.Equal(t, crypto.SHA1, ocspResp.IssuerHash)
-	require.Equal(t, 0, ocspResp.RevocationReason)
-	require.Equal(t, testEnv.leafCertIssuer1.SerialNumber, ocspResp.SerialNumber)
-
-	requireOcspSignatureAlgoForKey(t, rotatedCert.SignatureAlgorithm, ocspResp.SignatureAlgorithm)
-	requireOcspResponseSignedBy(t, ocspResp, rotatedCert)
-}
-
-// Make sure OCSP GET/POST requests work through the entire stack, and not just
-// through the quicker backend layer the other tests are doing.
-func TestOcsp_HigherLevel(t *testing.T) {
-	t.Parallel()
-	coreConfig := &vault.CoreConfig{
-		LogicalBackends: map[string]logical.Factory{
-			"pki": Factory,
-		},
-	}
-	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
-		HandlerFunc: vaulthttp.Handler,
-	})
-	cluster.Start()
-	defer cluster.Cleanup()
-	client := cluster.Cores[0].Client
-	mountPKIEndpoint(t, client, "pki")
-	resp, err := client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
-		"key_type":    "ec",
-		"common_name": "root-ca.com",
-		"ttl":         "600h",
-	})
-
-	require.NoError(t, err, "error generating root ca: %v", err)
-	require.NotNil(t, resp, "expected ca info from root")
-
-	issuerCert := parseCert(t, resp.Data["certificate"].(string))
-
-	resp, err = client.Logical().Write("pki/roles/example", map[string]interface{}{
-		"allowed_domains":  "example.com",
-		"allow_subdomains": "true",
-		"no_store":         "false", // make sure we store this cert
-		"max_ttl":          "1h",
-		"key_type":         "ec",
-	})
-	require.NoError(t, err, "error setting up pki role: %v", err)
-
-	resp, err = client.Logical().Write("pki/issue/example", map[string]interface{}{
-		"common_name": "test.example.com",
-		"ttl":         "15m",
-	})
-	require.NoError(t, err, "error issuing certificate: %v", err)
-	require.NotNil(t, resp, "got nil response from issuing request")
-	certToRevoke := parseCert(t, resp.Data["certificate"].(string))
-	serialNum := resp.Data["serial_number"].(string)
-
-	// Revoke the certificate
-	resp, err = client.Logical().Write("pki/revoke", map[string]interface{}{
-		"serial_number": serialNum,
-	})
-	require.NoError(t, err, "error revoking certificate: %v", err)
-	require.NotNil(t, resp, "got nil response from revoke")
-
-	// Make sure that OCSP handler responds properly
-	ocspReq := generateRequest(t, crypto.SHA256, certToRevoke, issuerCert)
-	ocspPostReq := client.NewRequest(http.MethodPost, "/v1/pki/ocsp")
-	ocspPostReq.Headers.Set("Content-Type", "application/ocsp-request")
-	ocspPostReq.BodyBytes = ocspReq
-	rawResp, err := client.RawRequest(ocspPostReq)
-	require.NoError(t, err, "failed sending ocsp post request")
-
-	require.Equal(t, 200, rawResp.StatusCode)
-	require.Equal(t, ocspResponseContentType, rawResp.Header.Get("Content-Type"))
-	bodyReader := rawResp.Body
-	respDer, err := io.ReadAll(bodyReader)
-	bodyReader.Close()
-	require.NoError(t, err, "failed reading response body")
-
-	ocspResp, err := ocsp.ParseResponse(respDer, issuerCert)
-	require.NoError(t, err, "parsing ocsp get response")
-
-	require.Equal(t, ocsp.Revoked, ocspResp.Status)
-	require.Equal(t, certToRevoke.SerialNumber, ocspResp.SerialNumber)
-
-	// Test OCSP Get request for ocsp
-	urlEncoded := base64.StdEncoding.EncodeToString(ocspReq)
-	if strings.Contains(urlEncoded, "//") {
-		// workaround known redirect bug that is difficult to fix
-		t.Skipf("VAULT-13630 - Skipping GET OCSP test with encoded issuer cert containing // triggering redirection bug")
-	}
-
-	ocspGetReq := client.NewRequest(http.MethodGet, "/v1/pki/ocsp/"+urlEncoded)
-	ocspGetReq.Headers.Set("Content-Type", "application/ocsp-request")
-	rawResp, err = client.RawRequest(ocspGetReq)
-	require.NoError(t, err, "failed sending ocsp get request")
-
-	require.Equal(t, 200, rawResp.StatusCode)
-	require.Equal(t, ocspResponseContentType, rawResp.Header.Get("Content-Type"))
-	bodyReader = rawResp.Body
-	respDer, err = io.ReadAll(bodyReader)
-	bodyReader.Close()
-	require.NoError(t, err, "failed reading response body")
-
-	ocspResp, err = ocsp.ParseResponse(respDer, issuerCert)
-	require.NoError(t, err, "parsing ocsp get response")
-
-	require.Equal(t, ocsp.Revoked, ocspResp.Status)
-	require.Equal(t, certToRevoke.SerialNumber, ocspResp.SerialNumber)
-}
-
-func TestOcsp_ValidRequests(t *testing.T) {
-	type caKeyConf struct {
-		keyType string
-		keyBits int
-		sigBits int
-	}
-	t.Parallel()
-	type testArgs struct {
-		reqType string
-		keyConf caKeyConf
-		reqHash crypto.Hash
-	}
-	var tests []testArgs
-	for _, reqType := range []string{"get", "post"} {
-		for _, keyConf := range []caKeyConf{
-			{"rsa", 0, 0},
-			{"rsa", 0, 384},
-			{"rsa", 0, 512},
-			{"ec", 0, 0},
-			{"ec", 521, 0},
-		} {
-			// "ed25519" is not supported at the moment in x/crypto/ocsp
-			for _, requestHash := range []crypto.Hash{crypto.SHA1, crypto.SHA256, crypto.SHA384, crypto.SHA512} {
-				tests = append(tests, testArgs{
-					reqType: reqType,
-					keyConf: keyConf,
-					reqHash: requestHash,
-				})
-			}
-		}
-	}
-	for _, tt := range tests {
-		localTT := tt
-		testName := fmt.Sprintf("%s-%s-keybits-%d-sigbits-%d-reqHash-%s", localTT.reqType, localTT.keyConf.keyType,
-			localTT.keyConf.keyBits,
-			localTT.keyConf.sigBits,
-			localTT.reqHash)
-		t.Run(testName, func(t *testing.T) {
-			runOcspRequestTest(t, localTT.reqType, localTT.keyConf.keyType, localTT.keyConf.keyBits,
-				localTT.keyConf.sigBits, localTT.reqHash)
-		})
-	}
-}
-
-func runOcspRequestTest(t *testing.T, requestType string, caKeyType string, caKeyBits int, caKeySigBits int, requestHash crypto.Hash) {
-	b, s, testEnv := setupOcspEnvWithCaKeyConfig(t, caKeyType, caKeyBits, caKeySigBits)
-
-	// Non-revoked cert
-	resp, err := SendOcspRequest(t, b, s, requestType, testEnv.leafCertIssuer1, testEnv.issuer1, requestHash)
-	requireSuccessNonNilResponse(t, resp, err, "ocsp get request")
-	requireFieldsSetInResp(t, resp, "http_content_type", "http_status_code", "http_raw_body")
-	require.Equal(t, 200, resp.Data["http_status_code"])
-	require.Equal(t, ocspResponseContentType, resp.Data["http_content_type"])
-	respDer := resp.Data["http_raw_body"].([]byte)
-
-	ocspResp, err := ocsp.ParseResponse(respDer, testEnv.issuer1)
-	require.NoError(t, err, "parsing ocsp get response")
-
-	require.Equal(t, ocsp.Good, ocspResp.Status)
-	require.Equal(t, requestHash, ocspResp.IssuerHash)
-	require.Equal(t, 0, ocspResp.RevocationReason)
-	require.Equal(t, testEnv.leafCertIssuer1.SerialNumber, ocspResp.SerialNumber)
-
-	requireOcspSignatureAlgoForKey(t, testEnv.issuer1.SignatureAlgorithm, ocspResp.SignatureAlgorithm)
-	requireOcspResponseSignedBy(t, ocspResp, testEnv.issuer1)
-
-	// Now revoke it
-	resp, err = CBWrite(b, s, "revoke", map[string]interface{}{
-		"serial_number": serialFromCert(testEnv.leafCertIssuer1),
-	})
-	requireSuccessNonNilResponse(t, resp, err, "revoke")
-
-	resp, err = SendOcspRequest(t, b, s, requestType, testEnv.leafCertIssuer1, testEnv.issuer1, requestHash)
-	requireSuccessNonNilResponse(t, resp, err, "ocsp get request with revoked")
-	requireFieldsSetInResp(t, resp, "http_content_type", "http_status_code", "http_raw_body")
-	require.Equal(t, 200, resp.Data["http_status_code"])
-	require.Equal(t, ocspResponseContentType, resp.Data["http_content_type"])
-	respDer = resp.Data["http_raw_body"].([]byte)
-
-	ocspResp, err = ocsp.ParseResponse(respDer, testEnv.issuer1)
-	require.NoError(t, err, "parsing ocsp get response with revoked")
-
-	require.Equal(t, ocsp.Revoked, ocspResp.Status)
-	require.Equal(t, requestHash, ocspResp.IssuerHash)
-	require.Equal(t, 0, ocspResp.RevocationReason)
-	require.Equal(t, testEnv.leafCertIssuer1.SerialNumber, ocspResp.SerialNumber)
-
-	requireOcspSignatureAlgoForKey(t, testEnv.issuer1.SignatureAlgorithm, ocspResp.SignatureAlgorithm)
-	requireOcspResponseSignedBy(t, ocspResp, testEnv.issuer1)
-
-	// Request status for our second issuer
-	resp, err = SendOcspRequest(t, b, s, requestType, testEnv.leafCertIssuer2, testEnv.issuer2, requestHash)
-	requireSuccessNonNilResponse(t, resp, err, "ocsp get request")
-	requireFieldsSetInResp(t, resp, "http_content_type", "http_status_code", "http_raw_body")
-	require.Equal(t, 200, resp.Data["http_status_code"])
-	require.Equal(t, ocspResponseContentType, resp.Data["http_content_type"])
-	respDer = resp.Data["http_raw_body"].([]byte)
-
-	ocspResp, err = ocsp.ParseResponse(respDer, testEnv.issuer2)
-	require.NoError(t, err, "parsing ocsp get response")
-
-	require.Equal(t, ocsp.Good, ocspResp.Status)
-	require.Equal(t, requestHash, ocspResp.IssuerHash)
-	require.Equal(t, 0, ocspResp.RevocationReason)
-	require.Equal(t, testEnv.leafCertIssuer2.SerialNumber, ocspResp.SerialNumber)
-
-	// Verify that our thisUpdate and nextUpdate fields are updated as expected
-	thisUpdate := ocspResp.ThisUpdate
-	nextUpdate := ocspResp.NextUpdate
-	require.True(t, thisUpdate.Before(nextUpdate),
-		fmt.Sprintf("thisUpdate %s, should have been before nextUpdate: %s", thisUpdate, nextUpdate))
-	nextUpdateDiff := nextUpdate.Sub(thisUpdate)
-	expectedDiff, err := parseutil.ParseDurationSecond(defaultCrlConfig.OcspExpiry)
-	require.NoError(t, err, "failed to parse default ocsp expiry value")
-	require.Equal(t, expectedDiff, nextUpdateDiff,
-		fmt.Sprintf("the delta between thisUpdate %s and nextUpdate: %s should have been around: %s but was %s",
-			thisUpdate, nextUpdate, defaultCrlConfig.OcspExpiry, nextUpdateDiff))
-
-	requireOcspSignatureAlgoForKey(t, testEnv.issuer2.SignatureAlgorithm, ocspResp.SignatureAlgorithm)
-	requireOcspResponseSignedBy(t, ocspResp, testEnv.issuer2)
-}
-
-func requireOcspSignatureAlgoForKey(t *testing.T, expected x509.SignatureAlgorithm, actual x509.SignatureAlgorithm) {
-	t.Helper()
-
-	require.Equal(t, expected.String(), actual.String())
-}
-
-type ocspTestEnv struct {
-	issuer1 *x509.Certificate
-	issuer2 *x509.Certificate
-
-	issuerId1 issuerID
-	issuerId2 issuerID
-
-	leafCertIssuer1 *x509.Certificate
-	leafCertIssuer2 *x509.Certificate
-
-	keyId1 keyID
-	keyId2 keyID
-}
-
-func setupOcspEnv(t *testing.T, keyType string) (*backend, logical.Storage, *ocspTestEnv) {
-	return setupOcspEnvWithCaKeyConfig(t, keyType, 0, 0)
-}
-
-func setupOcspEnvWithCaKeyConfig(t *testing.T, keyType string, caKeyBits int, caKeySigBits int) (*backend, logical.Storage, *ocspTestEnv) {
-	b, s := CreateBackendWithStorage(t)
-	var issuerCerts []*x509.Certificate
-	var leafCerts []*x509.Certificate
-	var issuerIds []issuerID
-	var keyIds []keyID
-
-	for i := 0; i < 2; i++ {
-		resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
-			"key_type":       keyType,
-			"key_bits":       caKeyBits,
-			"signature_bits": caKeySigBits,
-			"ttl":            "40h",
-			"common_name":    "example-ocsp.com",
-		})
-		requireSuccessNonNilResponse(t, resp, err, "root/generate/internal")
-		requireFieldsSetInResp(t, resp, "issuer_id", "key_id")
-		issuerId := resp.Data["issuer_id"].(issuerID)
-		keyId := resp.Data["key_id"].(keyID)
-
-		resp, err = CBWrite(b, s, "roles/test"+strconv.FormatInt(int64(i), 10), map[string]interface{}{
-			"allow_bare_domains": true,
-			"allow_subdomains":   true,
-			"allowed_domains":    "foobar.com",
-			"no_store":           false,
-			"generate_lease":     false,
-			"issuer_ref":         issuerId,
-			"key_type":           keyType,
-		})
-		requireSuccessNonNilResponse(t, resp, err, "roles/test"+strconv.FormatInt(int64(i), 10))
-
-		resp, err = CBWrite(b, s, "issue/test"+strconv.FormatInt(int64(i), 10), map[string]interface{}{
-			"common_name": "test.foobar.com",
-		})
-		requireSuccessNonNilResponse(t, resp, err, "roles/test"+strconv.FormatInt(int64(i), 10))
-		requireFieldsSetInResp(t, resp, "certificate", "issuing_ca", "serial_number")
-		leafCert := parseCert(t, resp.Data["certificate"].(string))
-		issuingCa := parseCert(t, resp.Data["issuing_ca"].(string))
-
-		issuerCerts = append(issuerCerts, issuingCa)
-		leafCerts = append(leafCerts, leafCert)
-		issuerIds = append(issuerIds, issuerId)
-		keyIds = append(keyIds, keyId)
-	}
-
-	testEnv := &ocspTestEnv{
-		issuerId1:       issuerIds[0],
-		issuer1:         issuerCerts[0],
-		leafCertIssuer1: leafCerts[0],
-		keyId1:          keyIds[0],
-
-		issuerId2:       issuerIds[1],
-		issuer2:         issuerCerts[1],
-		leafCertIssuer2: leafCerts[1],
-		keyId2:          keyIds[1],
-	}
-
-	return b, s, testEnv
-}
-
-func SendOcspRequest(t *testing.T, b *backend, s logical.Storage, getOrPost string, cert, issuer *x509.Certificate, requestHash crypto.Hash) (*logical.Response, error) {
-	t.Helper()
-
-	ocspRequest := generateRequest(t, requestHash, cert, issuer)
-
-	switch strings.ToLower(getOrPost) {
-	case "get":
-		return sendOcspGetRequest(b, s, ocspRequest)
-	case "post":
-		return sendOcspPostRequest(b, s, ocspRequest)
-	default:
-		t.Fatalf("unsupported value for SendOcspRequest getOrPost arg: %s", getOrPost)
-	}
-	return nil, nil
-}
-
-func sendOcspGetRequest(b *backend, s logical.Storage, ocspRequest []byte) (*logical.Response, error) {
-	urlEncoded := base64.StdEncoding.EncodeToString(ocspRequest)
-	return CBRead(b, s, "ocsp/"+urlEncoded)
-}
-
-func sendOcspPostRequest(b *backend, s logical.Storage, ocspRequest []byte) (*logical.Response, error) {
-	reader := io.NopCloser(bytes.NewReader(ocspRequest))
-	resp, err := b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  logical.UpdateOperation,
-		Path:       "ocsp",
-		Storage:    s,
-		MountPoint: "pki/",
-		HTTPRequest: &http.Request{
-			Body: reader,
-		},
-	})
-
-	return resp, err
-}
+```release-note:change
+identity (enterprise): POST requests to the `/identity/entity/merge` endpoint
+are now always forwarded from standbys to the active node.
+```
\ No newline at end of file
diff --git a/builtin/logical/pki/path_resign_crls.go b/builtin/logical/pki/path_resign_crls.go
index 6113010dc8c5..63594dc6cee0 100644
--- a/builtin/logical/pki/path_resign_crls.go
+++ b/builtin/logical/pki/path_resign_crls.go
@@ -1,675 +1,3 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package pki
-
-import (
-	"context"
-	"crypto/rand"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/asn1"
-	"encoding/base64"
-	"encoding/hex"
-	"encoding/pem"
-	"errors"
-	"fmt"
-	"math/big"
-	"net/http"
-	"strconv"
-	"strings"
-	"time"
-
-	"github.com/hashicorp/go-secure-stdlib/parseutil"
-	"github.com/hashicorp/vault/sdk/framework"
-	"github.com/hashicorp/vault/sdk/helper/certutil"
-	"github.com/hashicorp/vault/sdk/logical"
-)
-
-const (
-	crlNumberParam          = "crl_number"
-	deltaCrlBaseNumberParam = "delta_crl_base_number"
-	nextUpdateParam         = "next_update"
-	crlsParam               = "crls"
-	formatParam             = "format"
-)
-
-var (
-	akOid       = asn1.ObjectIdentifier{2, 5, 29, 35}
-	crlNumOid   = asn1.ObjectIdentifier{2, 5, 29, 20}
-	deltaCrlOid = asn1.ObjectIdentifier{2, 5, 29, 27}
-)
-
-func pathResignCrls(b *backend) *framework.Path {
-	return &framework.Path{
-		Pattern: "issuer/" + framework.GenericNameRegex(issuerRefParam) + "/resign-crls",
-
-		DisplayAttrs: &framework.DisplayAttributes{
-			OperationPrefix: operationPrefixPKIIssuer,
-			OperationVerb:   "resign",
-			OperationSuffix: "crls",
-		},
-
-		Fields: map[string]*framework.FieldSchema{
-			issuerRefParam: {
-				Type: framework.TypeString,
-				Description: `Reference to a existing issuer; either "default"
-for the configured default issuer, an identifier or the name assigned
-to the issuer.`,
-				Default: defaultRef,
-			},
-			crlNumberParam: {
-				Type:        framework.TypeInt,
-				Description: `The sequence number to be written within the CRL Number extension.`,
-			},
-			deltaCrlBaseNumberParam: {
-				Type: framework.TypeInt,
-				Description: `Using a zero or greater value specifies the base CRL revision number to encode within
- a Delta CRL indicator extension, otherwise the extension will not be added.`,
-				Default: -1,
-			},
-			nextUpdateParam: {
-				Type: framework.TypeString,
-				Description: `The amount of time the generated CRL should be
-valid; defaults to 72 hours.`,
-				Default: defaultCrlConfig.Expiry,
-			},
-			crlsParam: {
-				Type:        framework.TypeStringSlice,
-				Description: `A list of PEM encoded CRLs to combine, originally signed by the requested issuer.`,
-			},
-			formatParam: {
-				Type: framework.TypeString,
-				Description: `The format of the combined CRL, can be "pem" or "der". If "der", the value will be
-base64 encoded. Defaults to "pem".`,
-				Default: "pem",
-			},
-		},
-		Operations: map[logical.Operation]framework.OperationHandler{
-			logical.UpdateOperation: &framework.PathOperation{
-				Callback: b.pathUpdateResignCrlsHandler,
-				Responses: map[int][]framework.Response{
-					http.StatusOK: {{
-						Description: "OK",
-						Fields: map[string]*framework.FieldSchema{
-							"crl": {
-								Type:        framework.TypeString,
-								Description: `CRL`,
-								Required:    true,
-							},
-						},
-					}},
-				},
-			},
-		},
-
-		HelpSynopsis: `Combine and sign with the provided issuer different CRLs`,
-		HelpDescription: `Provide two or more PEM encoded CRLs signed by the issuer,
- normally from separate Vault clusters to be combined and signed.`,
-	}
-}
-
-func pathSignRevocationList(b *backend) *framework.Path {
-	return &framework.Path{
-		Pattern: "issuer/" + framework.GenericNameRegex(issuerRefParam) + "/sign-revocation-list",
-
-		DisplayAttrs: &framework.DisplayAttributes{
-			OperationPrefix: operationPrefixPKIIssuer,
-			OperationVerb:   "sign",
-			OperationSuffix: "revocation-list",
-		},
-
-		Fields: map[string]*framework.FieldSchema{
-			issuerRefParam: {
-				Type: framework.TypeString,
-				Description: `Reference to a existing issuer; either "default"
-for the configured default issuer, an identifier or the name assigned
-to the issuer.`,
-				Default: defaultRef,
-			},
-			crlNumberParam: {
-				Type:        framework.TypeInt,
-				Description: `The sequence number to be written within the CRL Number extension.`,
-			},
-			deltaCrlBaseNumberParam: {
-				Type: framework.TypeInt,
-				Description: `Using a zero or greater value specifies the base CRL revision number to encode within
- a Delta CRL indicator extension, otherwise the extension will not be added.`,
-				Default: -1,
-			},
-			nextUpdateParam: {
-				Type: framework.TypeString,
-				Description: `The amount of time the generated CRL should be
-valid; defaults to 72 hours.`,
-				Default: defaultCrlConfig.Expiry,
-			},
-			formatParam: {
-				Type: framework.TypeString,
-				Description: `The format of the combined CRL, can be "pem" or "der". If "der", the value will be
-base64 encoded. Defaults to "pem".`,
-				Default: "pem",
-			},
-			"revoked_certs": {
-				Type: framework.TypeSlice,
-				Description: `A list of maps containing the keys serial_number (string), revocation_time (string), 
-and extensions (map with keys id (string), critical (bool), value (string))`,
-			},
-			"extensions": {
-				Type: framework.TypeSlice,
-				Description: `A list of maps containing extensions with keys id (string), critical (bool), 
-value (string)`,
-			},
-		},
-		Operations: map[logical.Operation]framework.OperationHandler{
-			logical.UpdateOperation: &framework.PathOperation{
-				Callback: b.pathUpdateSignRevocationListHandler,
-				Responses: map[int][]framework.Response{
-					http.StatusOK: {{
-						Description: "OK",
-						Fields: map[string]*framework.FieldSchema{
-							"crl": {
-								Type:        framework.TypeString,
-								Description: `CRL`,
-								Required:    true,
-							},
-						},
-					}},
-				},
-			},
-		},
-
-		HelpSynopsis: `Generate and sign a CRL based on the provided parameters.`,
-		HelpDescription: `Given a list of revoked certificates and other parameters, 
-return a signed CRL based on the parameter values.`,
-	}
-}
-
-func (b *backend) pathUpdateResignCrlsHandler(ctx context.Context, request *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-	if b.useLegacyBundleCaStorage() {
-		return logical.ErrorResponse("This API cannot be used until the migration has completed"), nil
-	}
-
-	issuerRef := getIssuerRef(data)
-	crlNumber := data.Get(crlNumberParam).(int)
-	deltaCrlBaseNumber := data.Get(deltaCrlBaseNumberParam).(int)
-	nextUpdateStr := data.Get(nextUpdateParam).(string)
-	rawCrls := data.Get(crlsParam).([]string)
-
-	format, err := parseCrlFormat(data.Get(formatParam).(string))
-	if err != nil {
-		return logical.ErrorResponse(err.Error()), nil
-	}
-
-	nextUpdateOffset, err := parseutil.ParseDurationSecond(nextUpdateStr)
-	if err != nil {
-		return logical.ErrorResponse("invalid value for %s: %v", nextUpdateParam, err), nil
-	}
-
-	if nextUpdateOffset <= 0 {
-		return logical.ErrorResponse("%s parameter must be greater than 0", nextUpdateParam), nil
-	}
-
-	if crlNumber < 0 {
-		return logical.ErrorResponse("%s parameter must be 0 or greater", crlNumberParam), nil
-	}
-	if deltaCrlBaseNumber < -1 {
-		return logical.ErrorResponse("%s parameter must be -1 or greater", deltaCrlBaseNumberParam), nil
-	}
-
-	if issuerRef == "" {
-		return logical.ErrorResponse("%s parameter cannot be blank", issuerRefParam), nil
-	}
-
-	providedCrls, err := decodePemCrls(rawCrls)
-	if err != nil {
-		return logical.ErrorResponse(err.Error()), nil
-	}
-
-	sc := b.makeStorageContext(ctx, request.Storage)
-	caBundle, err := getCaBundle(sc, issuerRef)
-	if err != nil {
-		return logical.ErrorResponse(err.Error()), nil
-	}
-
-	if err := verifyCrlsAreFromIssuersKey(caBundle.Certificate, providedCrls); err != nil {
-		return logical.ErrorResponse(err.Error()), nil
-	}
-
-	revokedCerts, warnings, err := getAllRevokedCertsFromPem(providedCrls)
-	if err != nil {
-		return logical.ErrorResponse(err.Error()), nil
-	}
-
-	now := time.Now()
-	template := &x509.RevocationList{
-		SignatureAlgorithm:  caBundle.RevocationSigAlg,
-		RevokedCertificates: revokedCerts,
-		Number:              big.NewInt(int64(crlNumber)),
-		ThisUpdate:          now,
-		NextUpdate:          now.Add(nextUpdateOffset),
-	}
-
-	if deltaCrlBaseNumber > -1 {
-		ext, err := certutil.CreateDeltaCRLIndicatorExt(int64(deltaCrlBaseNumber))
-		if err != nil {
-			return nil, fmt.Errorf("could not create crl delta indicator extension: %v", err)
-		}
-		template.ExtraExtensions = []pkix.Extension{ext}
-	}
-
-	crlBytes, err := x509.CreateRevocationList(rand.Reader, template, caBundle.Certificate, caBundle.PrivateKey)
-	if err != nil {
-		return nil, fmt.Errorf("error creating new CRL: %w", err)
-	}
-
-	body := encodeResponse(crlBytes, format == "der")
-
-	return &logical.Response{
-		Warnings: warnings,
-		Data: map[string]interface{}{
-			"crl": body,
-		},
-	}, nil
-}
-
-func (b *backend) pathUpdateSignRevocationListHandler(ctx context.Context, request *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-	if b.useLegacyBundleCaStorage() {
-		return logical.ErrorResponse("This API cannot be used until the migration has completed"), nil
-	}
-
-	issuerRef := getIssuerRef(data)
-	crlNumber := data.Get(crlNumberParam).(int)
-	deltaCrlBaseNumber := data.Get(deltaCrlBaseNumberParam).(int)
-	nextUpdateStr := data.Get(nextUpdateParam).(string)
-	nextUpdateOffset, err := parseutil.ParseDurationSecond(nextUpdateStr)
-	if err != nil {
-		return logical.ErrorResponse("invalid value for %s: %v", nextUpdateParam, err), nil
-	}
-
-	if nextUpdateOffset <= 0 {
-		return logical.ErrorResponse("%s parameter must be greater than 0", nextUpdateParam), nil
-	}
-
-	if crlNumber < 0 {
-		return logical.ErrorResponse("%s parameter must be 0 or greater", crlNumberParam), nil
-	}
-	if deltaCrlBaseNumber < -1 {
-		return logical.ErrorResponse("%s parameter must be -1 or greater", deltaCrlBaseNumberParam), nil
-	}
-
-	if issuerRef == "" {
-		return logical.ErrorResponse("%s parameter cannot be blank", issuerRefParam), nil
-	}
-
-	format, err := parseCrlFormat(data.Get(formatParam).(string))
-	if err != nil {
-		return logical.ErrorResponse(err.Error()), nil
-	}
-
-	revokedCerts, err := parseRevokedCertsParam(data.Get("revoked_certs").([]interface{}))
-	if err != nil {
-		return logical.ErrorResponse(err.Error()), nil
-	}
-
-	crlExtensions, err := parseExtensionsParam(data.Get("extensions").([]interface{}))
-	if err != nil {
-		return logical.ErrorResponse(err.Error()), nil
-	}
-
-	sc := b.makeStorageContext(ctx, request.Storage)
-	caBundle, err := getCaBundle(sc, issuerRef)
-	if err != nil {
-		return logical.ErrorResponse(err.Error()), nil
-	}
-
-	if deltaCrlBaseNumber > -1 {
-		ext, err := certutil.CreateDeltaCRLIndicatorExt(int64(deltaCrlBaseNumber))
-		if err != nil {
-			return nil, fmt.Errorf("could not create crl delta indicator extension: %v", err)
-		}
-		crlExtensions = append(crlExtensions, ext)
-	}
-
-	now := time.Now()
-	template := &x509.RevocationList{
-		SignatureAlgorithm:  caBundle.RevocationSigAlg,
-		RevokedCertificates: revokedCerts,
-		Number:              big.NewInt(int64(crlNumber)),
-		ThisUpdate:          now,
-		NextUpdate:          now.Add(nextUpdateOffset),
-		ExtraExtensions:     crlExtensions,
-	}
-
-	crlBytes, err := x509.CreateRevocationList(rand.Reader, template, caBundle.Certificate, caBundle.PrivateKey)
-	if err != nil {
-		return nil, fmt.Errorf("error creating new CRL: %w", err)
-	}
-
-	body := encodeResponse(crlBytes, format == "der")
-
-	return &logical.Response{
-		Data: map[string]interface{}{
-			"crl": body,
-		},
-	}, nil
-}
-
-func parseRevokedCertsParam(revokedCerts []interface{}) ([]pkix.RevokedCertificate, error) {
-	var parsedCerts []pkix.RevokedCertificate
-	seenSerials := make(map[*big.Int]int)
-	for i, entry := range revokedCerts {
-		if revokedCert, ok := entry.(map[string]interface{}); ok {
-			serialNum, err := parseSerialNum(revokedCert)
-			if err != nil {
-				return nil, fmt.Errorf("failed parsing serial_number from entry %d: %w", i, err)
-			}
-
-			if origEntry, exists := seenSerials[serialNum]; exists {
-				serialNumStr := revokedCert["serial_number"]
-				return nil, fmt.Errorf("duplicate serial number: %s, original entry %d and %d", serialNumStr, origEntry, i)
-			}
-
-			seenSerials[serialNum] = i
-
-			revocationTime, err := parseRevocationTime(revokedCert)
-			if err != nil {
-				return nil, fmt.Errorf("failed parsing revocation_time from entry %d: %w", i, err)
-			}
-
-			extensions, err := parseCertExtensions(revokedCert)
-			if err != nil {
-				return nil, fmt.Errorf("failed parsing extensions from entry %d: %w", i, err)
-			}
-
-			parsedCerts = append(parsedCerts, pkix.RevokedCertificate{
-				SerialNumber:   serialNum,
-				RevocationTime: revocationTime,
-				Extensions:     extensions,
-			})
-		}
-	}
-
-	return parsedCerts, nil
-}
-
-func parseCertExtensions(cert map[string]interface{}) ([]pkix.Extension, error) {
-	extRaw, exists := cert["extensions"]
-	if !exists || extRaw == nil || extRaw == "" {
-		// We don't require extensions to be populated
-		return []pkix.Extension{}, nil
-	}
-
-	extListRaw, ok := extRaw.([]interface{})
-	if !ok {
-		return nil, errors.New("'extensions' field did not contain a slice")
-	}
-
-	return parseExtensionsParam(extListRaw)
-}
-
-func parseExtensionsParam(extRawList []interface{}) ([]pkix.Extension, error) {
-	var extensions []pkix.Extension
-	seenOid := make(map[string]struct{})
-	for i, entryRaw := range extRawList {
-		entry, ok := entryRaw.(map[string]interface{})
-		if !ok {
-			return nil, fmt.Errorf("extension entry %d not a map", i)
-		}
-		extension, err := parseExtension(entry)
-		if err != nil {
-			return nil, fmt.Errorf("failed parsing extension entry %d: %w", i, err)
-		}
-
-		parsedIdStr := extension.Id.String()
-		if _, exists := seenOid[parsedIdStr]; exists {
-			return nil, fmt.Errorf("duplicate extension id: %s", parsedIdStr)
-		}
-
-		seenOid[parsedIdStr] = struct{}{}
-
-		extensions = append(extensions, extension)
-	}
-
-	return extensions, nil
-}
-
-func parseExtension(entry map[string]interface{}) (pkix.Extension, error) {
-	asnObjectId, err := parseExtAsn1ObjectId(entry)
-	if err != nil {
-		return pkix.Extension{}, err
-	}
-
-	if asnObjectId.Equal(akOid) {
-		return pkix.Extension{}, fmt.Errorf("authority key object identifier (%s) is reserved", akOid.String())
-	}
-
-	if asnObjectId.Equal(crlNumOid) {
-		return pkix.Extension{}, fmt.Errorf("crl number object identifier (%s) is reserved", crlNumOid.String())
-	}
-
-	if asnObjectId.Equal(deltaCrlOid) {
-		return pkix.Extension{}, fmt.Errorf("delta crl object identifier (%s) is reserved", deltaCrlOid.String())
-	}
-
-	critical, err := parseExtCritical(entry)
-	if err != nil {
-		return pkix.Extension{}, err
-	}
-
-	extVal, err := parseExtValue(entry)
-	if err != nil {
-		return pkix.Extension{}, err
-	}
-
-	return pkix.Extension{
-		Id:       asnObjectId,
-		Critical: critical,
-		Value:    extVal,
-	}, nil
-}
-
-func parseExtValue(entry map[string]interface{}) ([]byte, error) {
-	valRaw, exists := entry["value"]
-	if !exists {
-		return nil, errors.New("missing 'value' field")
-	}
-
-	valStr, err := parseutil.ParseString(valRaw)
-	if err != nil {
-		return nil, fmt.Errorf("'value' field value was not a string: %w", err)
-	}
-
-	if len(valStr) == 0 {
-		return []byte{}, nil
-	}
-
-	decodeString, err := base64.StdEncoding.DecodeString(valStr)
-	if err != nil {
-		return nil, fmt.Errorf("failed base64 decoding 'value' field: %w", err)
-	}
-	return decodeString, nil
-}
-
-func parseExtCritical(entry map[string]interface{}) (bool, error) {
-	critRaw, exists := entry["critical"]
-	if !exists || critRaw == nil || critRaw == "" {
-		// Optional field, so just return as if they provided the value false.
-		return false, nil
-	}
-
-	myBool, err := parseutil.ParseBool(critRaw)
-	if err != nil {
-		return false, fmt.Errorf("critical field value failed to be parsed: %w", err)
-	}
-
-	return myBool, nil
-}
-
-func parseExtAsn1ObjectId(entry map[string]interface{}) (asn1.ObjectIdentifier, error) {
-	idRaw, idExists := entry["id"]
-	if !idExists {
-		return asn1.ObjectIdentifier{}, errors.New("missing id field")
-	}
-
-	oidStr, err := parseutil.ParseString(idRaw)
-	if err != nil {
-		return nil, fmt.Errorf("'id' field value was not a string: %w", err)
-	}
-
-	if len(oidStr) == 0 {
-		return asn1.ObjectIdentifier{}, errors.New("zero length object identifier")
-	}
-
-	// Parse out dot notation
-	oidParts := strings.Split(oidStr, ".")
-	oid := make(asn1.ObjectIdentifier, len(oidParts), len(oidParts))
-	for i := range oidParts {
-		oidIntVal, err := strconv.Atoi(oidParts[i])
-		if err != nil {
-			return nil, fmt.Errorf("failed parsing asn1 index element %d value %s: %w", i, oidParts[i], err)
-		}
-		oid[i] = oidIntVal
-	}
-	return oid, nil
-}
-
-func parseRevocationTime(cert map[string]interface{}) (time.Time, error) {
-	var revTime time.Time
-	revTimeRaw, exists := cert["revocation_time"]
-	if !exists {
-		return revTime, errors.New("missing 'revocation_time' field")
-	}
-	revTime, err := parseutil.ParseAbsoluteTime(revTimeRaw)
-	if err != nil {
-		return revTime, fmt.Errorf("failed parsing time %v: %w", revTimeRaw, err)
-	}
-	return revTime, nil
-}
-
-func parseSerialNum(cert map[string]interface{}) (*big.Int, error) {
-	serialNumRaw, serialExists := cert["serial_number"]
-	if !serialExists {
-		return nil, errors.New("missing 'serial_number' field")
-	}
-	serialNumStr, err := parseutil.ParseString(serialNumRaw)
-	if err != nil {
-		return nil, fmt.Errorf("'serial_number' field value was not a string: %w", err)
-	}
-	// Clean up any provided serials to decoder
-	for _, separator := range []string{":", ".", "-", " "} {
-		serialNumStr = strings.ReplaceAll(serialNumStr, separator, "")
-	}
-	// Prefer hex.DecodeString over certutil.ParseHexFormatted as we don't need a separator
-	serialBytes, err := hex.DecodeString(serialNumStr)
-	if err != nil {
-		return nil, fmt.Errorf("'serial_number' failed converting to bytes: %w", err)
-	}
-
-	bigIntSerial := big.Int{}
-	bigIntSerial.SetBytes(serialBytes)
-	return &bigIntSerial, nil
-}
-
-func parseCrlFormat(requestedValue string) (string, error) {
-	format := strings.ToLower(requestedValue)
-	switch format {
-	case "pem", "der":
-		return format, nil
-	default:
-		return "", fmt.Errorf("unknown format value of %s", requestedValue)
-	}
-}
-
-func verifyCrlsAreFromIssuersKey(caCert *x509.Certificate, crls []*x509.RevocationList) error {
-	for i, crl := range crls {
-		// At this point we assume if the issuer's key signed the CRL that is a good enough check
-		// to validate that we owned/generated the provided CRL.
-		if err := crl.CheckSignatureFrom(caCert); err != nil {
-			return fmt.Errorf("CRL index: %d was not signed by requested issuer", i)
-		}
-	}
-
-	return nil
-}
-
-func encodeResponse(crlBytes []byte, derFormatRequested bool) string {
-	if derFormatRequested {
-		return base64.StdEncoding.EncodeToString(crlBytes)
-	}
-
-	block := pem.Block{
-		Type:  "X509 CRL",
-		Bytes: crlBytes,
-	}
-	return string(pem.EncodeToMemory(&block))
-}
-
-func getAllRevokedCertsFromPem(crls []*x509.RevocationList) ([]pkix.RevokedCertificate, []string, error) {
-	uniqueCert := map[string]pkix.RevokedCertificate{}
-	var warnings []string
-	for _, crl := range crls {
-		for _, curCert := range crl.RevokedCertificates {
-			serial := serialFromBigInt(curCert.SerialNumber)
-			// Get rid of any extensions the existing certificate might have had.
-			curCert.Extensions = []pkix.Extension{}
-
-			existingCert, exists := uniqueCert[serial]
-			if !exists {
-				// First time we see the revoked cert
-				uniqueCert[serial] = curCert
-				continue
-			}
-
-			if existingCert.RevocationTime.Equal(curCert.RevocationTime) {
-				// Same revocation times, just skip it
-				continue
-			}
-
-			warn := fmt.Sprintf("Duplicate serial %s with different revocation "+
-				"times detected, using oldest revocation time", serial)
-			warnings = append(warnings, warn)
-
-			if existingCert.RevocationTime.After(curCert.RevocationTime) {
-				uniqueCert[serial] = curCert
-			}
-		}
-	}
-
-	var revokedCerts []pkix.RevokedCertificate
-	for _, cert := range uniqueCert {
-		revokedCerts = append(revokedCerts, cert)
-	}
-
-	return revokedCerts, warnings, nil
-}
-
-func getCaBundle(sc *storageContext, issuerRef string) (*certutil.CAInfoBundle, error) {
-	issuerId, err := sc.resolveIssuerReference(issuerRef)
-	if err != nil {
-		return nil, fmt.Errorf("failed to resolve issuer %s: %w", issuerRefParam, err)
-	}
-
-	return sc.fetchCAInfoByIssuerId(issuerId, CRLSigningUsage)
-}
-
-func decodePemCrls(rawCrls []string) ([]*x509.RevocationList, error) {
-	var crls []*x509.RevocationList
-	for i, rawCrl := range rawCrls {
-		crl, err := decodePemCrl(rawCrl)
-		if err != nil {
-			return nil, fmt.Errorf("failed decoding crl %d: %w", i, err)
-		}
-		crls = append(crls, crl)
-	}
-
-	return crls, nil
-}
-
-func decodePemCrl(crl string) (*x509.RevocationList, error) {
-	block, rest := pem.Decode([]byte(crl))
-	if len(rest) != 0 {
-		return nil, errors.New("invalid crl; should be one PEM block only")
-	}
-
-	return x509.ParseRevocationList(block.Bytes)
-}
+```release-note:bug
+core: Fix a timeout initializing Vault by only using a short timeout persisting barrier keyring encryption counts.
+```
diff --git a/builtin/logical/pki/test_helpers.go b/builtin/logical/pki/test_helpers.go
index 1cdc98795e71..b77b3afc1938 100644
--- a/builtin/logical/pki/test_helpers.go
+++ b/builtin/logical/pki/test_helpers.go
@@ -1,438 +1,5 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package pki
-
-import (
-	"context"
-	"crypto"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/asn1"
-	"encoding/pem"
-	"fmt"
-	"io"
-	"math"
-	"math/big"
-	http2 "net/http"
-	"strings"
-	"testing"
-	"time"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/sdk/helper/certutil"
-	"github.com/hashicorp/vault/sdk/logical"
-	"github.com/stretchr/testify/require"
-	"golang.org/x/crypto/ocsp"
-)
-
-// Setup helpers
-func CreateBackendWithStorage(t testing.TB) (*backend, logical.Storage) {
-	t.Helper()
-
-	config := logical.TestBackendConfig()
-	config.StorageView = &logical.InmemStorage{}
-
-	var err error
-	b := Backend(config)
-	err = b.Setup(context.Background(), config)
-	if err != nil {
-		t.Fatal(err)
-	}
-	// Assume for our tests we have performed the migration already.
-	b.pkiStorageVersion.Store(1)
-	return b, config.StorageView
-}
-
-func mountPKIEndpoint(t testing.TB, client *api.Client, path string) {
-	t.Helper()
-
-	err := client.Sys().Mount(path, &api.MountInput{
-		Type: "pki",
-		Config: api.MountConfigInput{
-			DefaultLeaseTTL: "16h",
-			MaxLeaseTTL:     "32h",
-		},
-	})
-	require.NoError(t, err, "failed mounting pki endpoint")
-}
-
-// Signing helpers
-func requireSignedBy(t *testing.T, cert *x509.Certificate, signingCert *x509.Certificate) {
-	t.Helper()
-
-	if err := cert.CheckSignatureFrom(signingCert); err != nil {
-		t.Fatalf("signature verification failed: %v", err)
-	}
-}
-
-func requireSignedByAtPath(t *testing.T, client *api.Client, leaf *x509.Certificate, path string) {
-	t.Helper()
-
-	resp, err := client.Logical().Read(path)
-	require.NoError(t, err, "got unexpected error fetching parent certificate")
-	require.NotNil(t, resp, "missing response when fetching parent certificate")
-	require.NotNil(t, resp.Data, "missing data from parent certificate response")
-	require.NotNil(t, resp.Data["certificate"], "missing certificate field on parent read response")
-
-	parentCert := resp.Data["certificate"].(string)
-	parent := parseCert(t, parentCert)
-
-	requireSignedBy(t, leaf, parent)
-}
-
-// Certificate helper
-func parseCert(t *testing.T, pemCert string) *x509.Certificate {
-	t.Helper()
-
-	block, _ := pem.Decode([]byte(pemCert))
-	require.NotNil(t, block, "failed to decode PEM block")
-
-	cert, err := x509.ParseCertificate(block.Bytes)
-	require.NoError(t, err)
-	return cert
-}
-
-func requireMatchingPublicKeys(t *testing.T, cert *x509.Certificate, key crypto.PublicKey) {
-	t.Helper()
-
-	certPubKey := cert.PublicKey
-	areEqual, err := certutil.ComparePublicKeysAndType(certPubKey, key)
-	require.NoError(t, err, "failed comparing public keys: %#v", err)
-	require.True(t, areEqual, "public keys mismatched: got: %v, expected: %v", certPubKey, key)
-}
-
-func getSelfSigned(t *testing.T, subject, issuer *x509.Certificate, key *rsa.PrivateKey) (string, *x509.Certificate) {
-	t.Helper()
-	selfSigned, err := x509.CreateCertificate(rand.Reader, subject, issuer, key.Public(), key)
-	if err != nil {
-		t.Fatal(err)
-	}
-	cert, err := x509.ParseCertificate(selfSigned)
-	if err != nil {
-		t.Fatal(err)
-	}
-	pemSS := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{
-		Type:  "CERTIFICATE",
-		Bytes: selfSigned,
-	})))
-	return pemSS, cert
-}
-
-// CRL related helpers
-func getCrlCertificateList(t *testing.T, client *api.Client, mountPoint string) pkix.TBSCertificateList {
-	t.Helper()
-
-	path := fmt.Sprintf("/v1/%s/crl", mountPoint)
-	return getParsedCrlAtPath(t, client, path).TBSCertList
-}
-
-func parseCrlPemBytes(t *testing.T, crlPem []byte) pkix.TBSCertificateList {
-	t.Helper()
-
-	certList, err := x509.ParseCRL(crlPem)
-	require.NoError(t, err)
-	return certList.TBSCertList
-}
-
-func requireSerialNumberInCRL(t *testing.T, revokeList pkix.TBSCertificateList, serialNum string) bool {
-	if t != nil {
-		t.Helper()
-	}
-
-	serialsInList := make([]string, 0, len(revokeList.RevokedCertificates))
-	for _, revokeEntry := range revokeList.RevokedCertificates {
-		formattedSerial := certutil.GetHexFormatted(revokeEntry.SerialNumber.Bytes(), ":")
-		serialsInList = append(serialsInList, formattedSerial)
-		if formattedSerial == serialNum {
-			return true
-		}
-	}
-
-	if t != nil {
-		t.Fatalf("the serial number %s, was not found in the CRL list containing: %v", serialNum, serialsInList)
-	}
-
-	return false
-}
-
-func getParsedCrl(t *testing.T, client *api.Client, mountPoint string) *pkix.CertificateList {
-	t.Helper()
-
-	path := fmt.Sprintf("/v1/%s/crl", mountPoint)
-	return getParsedCrlAtPath(t, client, path)
-}
-
-func getParsedCrlAtPath(t *testing.T, client *api.Client, path string) *pkix.CertificateList {
-	t.Helper()
-
-	req := client.NewRequest("GET", path)
-	resp, err := client.RawRequest(req)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer resp.Body.Close()
-
-	crlBytes, err := io.ReadAll(resp.Body)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-	if len(crlBytes) == 0 {
-		t.Fatalf("expected CRL in response body")
-	}
-
-	crl, err := x509.ParseDERCRL(crlBytes)
-	if err != nil {
-		t.Fatal(err)
-	}
-	return crl
-}
-
-func getParsedCrlFromBackend(t *testing.T, b *backend, s logical.Storage, path string) *pkix.CertificateList {
-	t.Helper()
-
-	resp, err := CBRead(b, s, path)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	crl, err := x509.ParseDERCRL(resp.Data[logical.HTTPRawBody].([]byte))
-	if err != nil {
-		t.Fatal(err)
-	}
-	return crl
-}
-
-// Direct storage backend helpers (b, s := createBackendWithStorage(t)) which
-// are mostly compatible with client.Logical() operations. The main difference
-// is that the JSON round-tripping hasn't occurred, so values are as the
-// backend returns them (e.g., []string instead of []interface{}).
-func CBReq(b *backend, s logical.Storage, operation logical.Operation, path string, data map[string]interface{}) (*logical.Response, error) {
-	resp, err := b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  operation,
-		Path:       path,
-		Data:       data,
-		Storage:    s,
-		MountPoint: "pki/",
-	})
-	if err != nil || resp == nil {
-		return resp, err
-	}
-
-	if msg, ok := resp.Data["error"]; ok && msg != nil && len(msg.(string)) > 0 {
-		return resp, fmt.Errorf("%s", msg)
-	}
-
-	return resp, nil
-}
-
-func CBHeader(b *backend, s logical.Storage, path string) (*logical.Response, error) {
-	return CBReq(b, s, logical.HeaderOperation, path, make(map[string]interface{}))
-}
-
-func CBRead(b *backend, s logical.Storage, path string) (*logical.Response, error) {
-	return CBReq(b, s, logical.ReadOperation, path, make(map[string]interface{}))
-}
-
-func CBWrite(b *backend, s logical.Storage, path string, data map[string]interface{}) (*logical.Response, error) {
-	return CBReq(b, s, logical.UpdateOperation, path, data)
-}
-
-func CBPatch(b *backend, s logical.Storage, path string, data map[string]interface{}) (*logical.Response, error) {
-	return CBReq(b, s, logical.PatchOperation, path, data)
-}
-
-func CBList(b *backend, s logical.Storage, path string) (*logical.Response, error) {
-	return CBReq(b, s, logical.ListOperation, path, make(map[string]interface{}))
-}
-
-func CBDelete(b *backend, s logical.Storage, path string) (*logical.Response, error) {
-	return CBReq(b, s, logical.DeleteOperation, path, make(map[string]interface{}))
-}
-
-func requireFieldsSetInResp(t *testing.T, resp *logical.Response, fields ...string) {
-	t.Helper()
-
-	var missingFields []string
-	for _, field := range fields {
-		value, ok := resp.Data[field]
-		if !ok || value == nil {
-			missingFields = append(missingFields, field)
-		}
-	}
-
-	require.Empty(t, missingFields, "The following fields were required but missing from response:\n%v", resp.Data)
-}
-
-func requireSuccessNonNilResponse(t *testing.T, resp *logical.Response, err error, msgAndArgs ...interface{}) {
-	t.Helper()
-
-	require.NoError(t, err, msgAndArgs...)
-	if resp.IsError() {
-		errContext := fmt.Sprintf("Expected successful response but got error: %v", resp.Error())
-		require.Falsef(t, resp.IsError(), errContext, msgAndArgs...)
-	}
-	require.NotNil(t, resp, msgAndArgs...)
-}
-
-func requireSuccessNilResponse(t *testing.T, resp *logical.Response, err error, msgAndArgs ...interface{}) {
-	t.Helper()
-
-	require.NoError(t, err, msgAndArgs...)
-	if resp.IsError() {
-		errContext := fmt.Sprintf("Expected successful response but got error: %v", resp.Error())
-		require.Falsef(t, resp.IsError(), errContext, msgAndArgs...)
-	}
-	if resp != nil {
-		msg := fmt.Sprintf("expected nil response but got: %v", resp)
-		require.Nilf(t, resp, msg, msgAndArgs...)
-	}
-}
-
-func getCRLNumber(t *testing.T, crl pkix.TBSCertificateList) int {
-	t.Helper()
-
-	for _, extension := range crl.Extensions {
-		if extension.Id.Equal(certutil.CRLNumberOID) {
-			bigInt := new(big.Int)
-			leftOver, err := asn1.Unmarshal(extension.Value, &bigInt)
-			require.NoError(t, err, "Failed unmarshalling crl number extension")
-			require.Empty(t, leftOver, "leftover bytes from unmarshalling crl number extension")
-			require.True(t, bigInt.IsInt64(), "parsed crl number integer is not an int64")
-			require.False(t, math.MaxInt <= bigInt.Int64(), "parsed crl number integer can not fit in an int")
-			return int(bigInt.Int64())
-		}
-	}
-
-	t.Fatalf("failed to find crl number extension")
-	return 0
-}
-
-func getCrlReferenceFromDelta(t *testing.T, crl pkix.TBSCertificateList) int {
-	t.Helper()
-
-	for _, extension := range crl.Extensions {
-		if extension.Id.Equal(certutil.DeltaCRLIndicatorOID) {
-			bigInt := new(big.Int)
-			leftOver, err := asn1.Unmarshal(extension.Value, &bigInt)
-			require.NoError(t, err, "Failed unmarshalling delta crl indicator extension")
-			require.Empty(t, leftOver, "leftover bytes from unmarshalling delta crl indicator extension")
-			require.True(t, bigInt.IsInt64(), "parsed delta crl integer is not an int64")
-			require.False(t, math.MaxInt <= bigInt.Int64(), "parsed delta crl integer can not fit in an int")
-			return int(bigInt.Int64())
-		}
-	}
-
-	t.Fatalf("failed to find delta crl indicator extension")
-	return 0
-}
-
-// waitForUpdatedCrl will wait until the CRL at the provided path has been reloaded
-// up for a maxWait duration and gives up if the timeout has been reached. If a negative
-// value for lastSeenCRLNumber is provided, the method will load the current CRL and wait
-// for a newer CRL be generated.
-func waitForUpdatedCrl(t *testing.T, client *api.Client, crlPath string, lastSeenCRLNumber int, maxWait time.Duration) pkix.TBSCertificateList {
-	t.Helper()
-
-	newCrl, didTimeOut := waitForUpdatedCrlUntil(t, client, crlPath, lastSeenCRLNumber, maxWait)
-	if didTimeOut {
-		t.Fatalf("Timed out waiting for new CRL rebuild on path %s", crlPath)
-	}
-	return newCrl.TBSCertList
-}
-
-// waitForUpdatedCrlUntil is a helper method that will wait for a CRL to be updated up until maxWait duration
-// or give up and return the last CRL it loaded. It will not fail, if it does not see a new CRL within the
-// max duration unlike waitForUpdatedCrl. Returns the last loaded CRL at the provided path and a boolean
-// indicating if we hit maxWait duration or not.
-func waitForUpdatedCrlUntil(t *testing.T, client *api.Client, crlPath string, lastSeenCrlNumber int, maxWait time.Duration) (*pkix.CertificateList, bool) {
-	t.Helper()
-
-	crl := getParsedCrlAtPath(t, client, crlPath)
-	initialCrlRevision := getCRLNumber(t, crl.TBSCertList)
-	newCrlRevision := initialCrlRevision
-
-	// Short circuit the fetches if we have a version of the CRL we want
-	if lastSeenCrlNumber > 0 && getCRLNumber(t, crl.TBSCertList) > lastSeenCrlNumber {
-		return crl, false
-	}
-
-	start := time.Now()
-	iteration := 0
-	for {
-		iteration++
-
-		if time.Since(start) > maxWait {
-			t.Logf("Timed out waiting for new CRL on path %s after iteration %d, delay: %v",
-				crlPath, iteration, time.Now().Sub(start))
-			return crl, true
-		}
-
-		crl = getParsedCrlAtPath(t, client, crlPath)
-		newCrlRevision = getCRLNumber(t, crl.TBSCertList)
-		if newCrlRevision > initialCrlRevision {
-			t.Logf("Got new revision of CRL %s from %d to %d after iteration %d, delay %v",
-				crlPath, initialCrlRevision, newCrlRevision, iteration, time.Now().Sub(start))
-			return crl, false
-		}
-
-		time.Sleep(100 * time.Millisecond)
-	}
-}
-
-// A quick CRL to string to provide better test error messages
-func summarizeCrl(t *testing.T, crl pkix.TBSCertificateList) string {
-	version := getCRLNumber(t, crl)
-	serials := []string{}
-	for _, cert := range crl.RevokedCertificates {
-		serials = append(serials, normalizeSerialFromBigInt(cert.SerialNumber))
-	}
-	return fmt.Sprintf("CRL Version: %d\n"+
-		"This Update: %s\n"+
-		"Next Update: %s\n"+
-		"Revoked Serial Count: %d\n"+
-		"Revoked Serials: %v", version, crl.ThisUpdate, crl.NextUpdate, len(serials), serials)
-}
-
-// OCSP helpers
-func generateRequest(t *testing.T, requestHash crypto.Hash, cert *x509.Certificate, issuer *x509.Certificate) []byte {
-	t.Helper()
-
-	opts := &ocsp.RequestOptions{Hash: requestHash}
-	ocspRequestDer, err := ocsp.CreateRequest(cert, issuer, opts)
-	require.NoError(t, err, "Failed generating OCSP request")
-	return ocspRequestDer
-}
-
-func requireOcspResponseSignedBy(t *testing.T, ocspResp *ocsp.Response, issuer *x509.Certificate) {
-	t.Helper()
-
-	err := ocspResp.CheckSignatureFrom(issuer)
-	require.NoError(t, err, "Failed signature verification of ocsp response: %w", err)
-}
-
-func performOcspPost(t *testing.T, cert *x509.Certificate, issuerCert *x509.Certificate, client *api.Client, ocspPath string) *ocsp.Response {
-	t.Helper()
-
-	baseClient := client.WithNamespace("")
-
-	ocspReq := generateRequest(t, crypto.SHA256, cert, issuerCert)
-	ocspPostReq := baseClient.NewRequest(http2.MethodPost, ocspPath)
-	ocspPostReq.Headers.Set("Content-Type", "application/ocsp-request")
-	ocspPostReq.BodyBytes = ocspReq
-	rawResp, err := baseClient.RawRequest(ocspPostReq)
-	require.NoError(t, err, "failed sending unified-ocsp post request")
-
-	require.Equal(t, 200, rawResp.StatusCode)
-	require.Equal(t, ocspResponseContentType, rawResp.Header.Get("Content-Type"))
-	bodyReader := rawResp.Body
-	respDer, err := io.ReadAll(bodyReader)
-	bodyReader.Close()
-	require.NoError(t, err, "failed reading response body")
-
-	ocspResp, err := ocsp.ParseResponse(respDer, issuerCert)
-	require.NoError(t, err, "parsing ocsp get response")
-	return ocspResp
-}
+```release-note:improvement
+api: sys/health and sys/ha-status now expose information about how long
+the last heartbeat took, and the estimated clock skew between standby and
+active node based on that heartbeat duration.
+```
\ No newline at end of file
diff --git a/changelog/23571.txt b/changelog/23571.txt
new file mode 100644
index 000000000000..2bccb7febdf4
--- /dev/null
+++ b/changelog/23571.txt
@@ -0,0 +1,3374 @@
+## Previous versions
+- [v1.0.0 - v1.9.10](CHANGELOG-pre-v1.10.md)
+- [v0.11.6 and earlier](CHANGELOG-v0.md)
+
+## 1.15.3
+### November 30, 2023
+
+CHANGES:
+
+* core: Bump Go version to 1.21.4.
+
+IMPROVEMENTS:
+
+* core (enterprise): Speed up unseal when using namespaces
+* core: update sys/seal-status (and CLI vault status) to report the type of
+the seal when unsealed, as well as the type of the recovery seal if an
+auto-seal. [[GH-23022](https://github.com/hashicorp/vault/pull/23022)]
+* secrets/pki: do not check TLS validity on ACME requests redirected to https [[GH-22521](https://github.com/hashicorp/vault/pull/22521)]
+* ui: Sort list view of entities and aliases alphabetically using the item name [[GH-24103](https://github.com/hashicorp/vault/pull/24103)]
+* ui: capabilities-self is always called in the user's root namespace [[GH-24168](https://github.com/hashicorp/vault/pull/24168)]
+
+BUG FIXES:
+
+* activity log (enterprise): De-duplicate client count estimates for license utilization reporting.
+* auth/cert: Handle errors related to expired OCSP server responses [[GH-24193](https://github.com/hashicorp/vault/pull/24193)]
+* core (Enterprise): Treat multiple disabled HA seals as a migration to Shamir.
+* core/audit: Audit logging a Vault response will now use a 5 second context timeout, separate from the original request. [[GH-24238](https://github.com/hashicorp/vault/pull/24238)]
+* core/config: Use correct HCL config value when configuring `log_requests_level`. [[GH-24059](https://github.com/hashicorp/vault/pull/24059)]
+* core/quotas: Close rate-limit blocked client purge goroutines when sealing [[GH-24108](https://github.com/hashicorp/vault/pull/24108)]
+* core: Fix an error that resulted in the wrong seal type being returned by sys/seal-status while
+Vault is in seal migration mode. [[GH-24165](https://github.com/hashicorp/vault/pull/24165)]
+* replication (enterprise): disallow configuring paths filter for a mount path that does not exist
+* secrets-sync (enterprise): Fix panic when setting usage_gauge_period to none
+* secrets/pki: Do not set nextUpdate field in OCSP responses when ocsp_expiry is 0 [[GH-24192](https://github.com/hashicorp/vault/pull/24192)]
+* secrets/transit: Fix a panic when attempting to export a public RSA key [[GH-24054](https://github.com/hashicorp/vault/pull/24054)]
+* ui: Fix JSON editor in KV V2 unable to handle pasted values [[GH-24224](https://github.com/hashicorp/vault/pull/24224)]
+* ui: Fix error when tuning token auth configuration within namespace [[GH-24147](https://github.com/hashicorp/vault/pull/24147)]
+* ui: show error from API when seal fails [[GH-23921](https://github.com/hashicorp/vault/pull/23921)]
+
+## 1.15.2
+### November 09, 2023
+
+SECURITY:
+* core: inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. This vulnerability, CVE-2023-5954, was introduced in Vault 1.15.0, 1.14.3, and 1.13.7, and is fixed in Vault 1.15.2, 1.14.6, and 1.13.10. [[HSEC-2023-33](https://discuss.hashicorp.com/t/hcsec-2023-33-vault-requests-triggering-policy-checks-may-lead-to-unbounded-memory-consumption/59926)]
+
+CHANGES:
+
+* auth/approle: Normalized error response messages when invalid credentials are provided [[GH-23786](https://github.com/hashicorp/vault/pull/23786)]
+* secrets/mongodbatlas: Update plugin to v0.10.2 [[GH-23849](https://github.com/hashicorp/vault/pull/23849)]
+
+FEATURES:
+
+* cli/snapshot: Add CLI tool to inspect Vault snapshots [[GH-23457](https://github.com/hashicorp/vault/pull/23457)]
+
+IMPROVEMENTS:
+
+* api (enterprise): Enable the sys/license/features from any namespace
+* storage/etcd: etcd should only return keys when calling List() [[GH-23872](https://github.com/hashicorp/vault/pull/23872)]
+* ui: Update flat, shell-quote and swagger-ui-dist packages. Remove swagger-ui styling overrides. [[GH-23700](https://github.com/hashicorp/vault/pull/23700)]
+* ui: Update sidebar Secrets engine to title case. [[GH-23964](https://github.com/hashicorp/vault/pull/23964)]
+
+BUG FIXES:
+
+* api/seal-status: Fix deadlock on calls to sys/seal-status with a namespace configured
+on the request. [[GH-23861](https://github.com/hashicorp/vault/pull/23861)]
+* core (enterprise): Do not return an internal error when token policy type lookup fails, log it instead and continue.
+* core/activity: Fixes segments fragment loss due to exceeding entry record size limit [[GH-23781](https://github.com/hashicorp/vault/pull/23781)]
+* core/mounts: Fix reading an "auth" mount using "sys/internal/ui/mounts/" when filter paths are enforced returns 500 error code from the secondary [[GH-23802](https://github.com/hashicorp/vault/pull/23802)]
+* core: Revert PR causing memory consumption bug [[GH-23986](https://github.com/hashicorp/vault/pull/23986)]
+* core: Skip unnecessary deriving of policies during Login MFA Check. [[GH-23894](https://github.com/hashicorp/vault/pull/23894)]
+* core: fix bug where deadlock detection was always on for expiration and quotas. 
+These can now be configured individually with `detect_deadlocks`. [[GH-23902](https://github.com/hashicorp/vault/pull/23902)]
+* core: fix policies with wildcards not matching list operations due to the policy path not having a trailing slash [[GH-23874](https://github.com/hashicorp/vault/pull/23874)]
+* expiration: Fix fatal error "concurrent map iteration and map write" when collecting metrics from leases. [[GH-24027](https://github.com/hashicorp/vault/pull/24027)]
+* ui: fix broken GUI when accessing from listener with chroot_namespace defined [[GH-23942](https://github.com/hashicorp/vault/pull/23942)]
+
+## 1.15.1
+### October 25, 2023
+
+CHANGES:
+
+* core: Bump Go version to 1.21.3.
+
+IMPROVEMENTS:
+
+* api/plugins: add `tls-server-name` arg for plugin registration [[GH-23549](https://github.com/hashicorp/vault/pull/23549)]
+* auto-auth/azure: Support setting the `authenticate_from_environment` variable to "true" and "false" string literals, too. [[GH-22996](https://github.com/hashicorp/vault/pull/22996)]
+* secrets-sync (enterprise): Added telemetry on number of destinations and associations per type.
+* ui: Adds a warning when whitespace is detected in a key of a KV secret [[GH-23702](https://github.com/hashicorp/vault/pull/23702)]
+* ui: Adds toggle to KV secrets engine value download modal to optionally stringify value in downloaded file [[GH-23747](https://github.com/hashicorp/vault/pull/23747)]
+* ui: Surface warning banner if UI has stopped auto-refreshing token [[GH-23143](https://github.com/hashicorp/vault/pull/23143)]
+* ui: show banner when resultant-acl check fails due to permissions or wrong namespace. [[GH-23503](https://github.com/hashicorp/vault/pull/23503)]
+
+BUG FIXES:
+
+* Seal HA (enterprise/beta): Fix rejection of a seal configuration change
+from two to one auto seal due to persistence of the previous seal type being
+"multiseal". [[GH-23573](https://github.com/hashicorp/vault/pull/23573)]
+* audit: Fix bug reopening 'file' audit devices on SIGHUP. [[GH-23598](https://github.com/hashicorp/vault/pull/23598)]
+* auth/aws: Fixes a panic that can occur in IAM-based login when a [client config](https://developer.hashicorp.com/vault/api-docs/auth/aws#configure-client) does not exist. [[GH-23555](https://github.com/hashicorp/vault/pull/23555)]
+* command/server: Fix bug with sigusr2 where pprof files were not closed correctly [[GH-23636](https://github.com/hashicorp/vault/pull/23636)]
+* events: Ignore sending context to give more time for events to send [[GH-23500](https://github.com/hashicorp/vault/pull/23500)]
+* expiration: Prevent large lease loads from delaying state changes, e.g. becoming active or standby. [[GH-23282](https://github.com/hashicorp/vault/pull/23282)]
+* kmip (enterprise): Improve handling of failures due to storage replication issues.
+* kmip (enterprise): Return a structure in the response for query function Query Server Information.
+* mongo-db: allow non-admin database for root credential rotation [[GH-23240](https://github.com/hashicorp/vault/pull/23240)]
+* replication (enterprise): Fix a bug where undo logs would only get enabled on the initial node in a cluster.
+* replication (enterprise): Fix a missing unlock when changing replication state
+* secrets-sync (enterprise): Fixed issue where we could sync a deleted secret
+* secrets/aws: update credential rotation deadline when static role rotation period is updated [[GH-23528](https://github.com/hashicorp/vault/pull/23528)]
+* secrets/consul: Fix revocations when Vault has an access token using specific namespace and admin partition policies [[GH-23010](https://github.com/hashicorp/vault/pull/23010)]
+* secrets/pki: Stop processing in-flight ACME verifications when an active node steps down [[GH-23278](https://github.com/hashicorp/vault/pull/23278)]
+* secrets/transit (enterprise): Address an issue using sign/verify operations with managed keys returning an error about it not containing a private key
+* secrets/transit (enterprise): Address panic when using GCP,AWS,Azure managed keys for encryption operations. At this time all encryption operations for the cloud providers have been disabled, only signing operations are supported.
+* secrets/transit (enterprise): Apply hashing arguments and defaults to managed key sign/verify operations
+* secrets/transit: Do not allow auto rotation on managed_key key types [[GH-23723](https://github.com/hashicorp/vault/pull/23723)]
+* storage/consul: fix a bug where an active node in a specific sort of network
+partition could continue to write data to Consul after a new leader is elected
+potentially causing data loss or corruption for keys with many concurrent
+writers. For Enterprise clusters this could cause corruption of the merkle trees
+leading to failure to complete merkle sync without a full re-index. [[GH-23013](https://github.com/hashicorp/vault/pull/23013)]
+* ui: Assumes version 1 for kv engines when options are null because no version is specified [[GH-23585](https://github.com/hashicorp/vault/pull/23585)]
+* ui: Decode the connection url for display on the connection details page [[GH-23695](https://github.com/hashicorp/vault/pull/23695)]
+* ui: Fix AWS secret engine to allow empty policy_document field. [[GH-23470](https://github.com/hashicorp/vault/pull/23470)]
+* ui: Fix bug where auth items were not listed when within a namespace. [[GH-23446](https://github.com/hashicorp/vault/pull/23446)]
+* ui: Fix regression that broke the oktaNumberChallenge on the ui. [[GH-23565](https://github.com/hashicorp/vault/pull/23565)]
+* ui: Fix the copy token button in the sidebar navigation window when in a collapsed state. [[GH-23331](https://github.com/hashicorp/vault/pull/23331)]
+* ui: Fixes issue where you could not share the list view URL from the KV v2 secrets engine. [[GH-23620](https://github.com/hashicorp/vault/pull/23620)]
+* ui: Fixes issue with sidebar navigation links disappearing when navigating to policies when a user is not authorized [[GH-23516](https://github.com/hashicorp/vault/pull/23516)]
+* ui: Fixes issues displaying accurate TLS state in dashboard configuration details [[GH-23726](https://github.com/hashicorp/vault/pull/23726)]
+
+## 1.15.0
+### September 27, 2023
+
+SECURITY:
+
+* secrets/transit: fix a regression that was honoring nonces provided in non-convergent modes during encryption. This vulnerability, CVE-2023-4680, is fixed in Vault 1.14.3, 1.13.7, and 1.12.11. [[GH-22852](https://github.com/hashicorp/vault/pull/22852), [HSEC-2023-28](https://discuss.hashicorp.com/t/hcsec-2023-28-vault-s-transit-secrets-engine-allowed-nonce-specified-without-convergent-encryption/58249)]
+* sentinel (enterprise): Sentinel RGP policies allowed for cross-namespace denial-of-service. This vulnerability, CVE-2023-3775, is fixed in Vault Enterprise 1.15.0, 1.14.4, and 1.13.8.[[HSEC-2023-29](https://discuss.hashicorp.com/t/hcsec-2023-29-vault-enterprise-s-sentinel-rgp-policies-allowed-for-cross-namespace-denial-of-service/58653)]
+
+CHANGES:
+
+* auth/alicloud: Update plugin to v0.16.0 [[GH-22646](https://github.com/hashicorp/vault/pull/22646)]
+* auth/azure: Update plugin to v0.16.0 [[GH-22277](https://github.com/hashicorp/vault/pull/22277)]
+* auth/azure: Update plugin to v0.16.1 [[GH-22795](https://github.com/hashicorp/vault/pull/22795)]
+* auth/azure: Update plugin to v0.16.2 [[GH-23060](https://github.com/hashicorp/vault/pull/23060)]
+* auth/cf: Update plugin to v0.15.1 [[GH-22758](https://github.com/hashicorp/vault/pull/22758)]
+* auth/gcp: Update plugin to v0.16.1 [[GH-22612](https://github.com/hashicorp/vault/pull/22612)]
+* auth/jwt: Update plugin to v0.17.0 [[GH-22678](https://github.com/hashicorp/vault/pull/22678)]
+* auth/kerberos: Update plugin to v0.10.1 [[GH-22797](https://github.com/hashicorp/vault/pull/22797)]
+* auth/kubernetes: Update plugin to v0.17.0 [[GH-22709](https://github.com/hashicorp/vault/pull/22709)]
+* auth/kubernetes: Update plugin to v0.17.1 [[GH-22879](https://github.com/hashicorp/vault/pull/22879)]
+* auth/ldap: Normalize HTTP response codes when invalid credentials are provided [[GH-21282](https://github.com/hashicorp/vault/pull/21282)]
+* auth/oci: Update plugin to v0.14.2 [[GH-22805](https://github.com/hashicorp/vault/pull/22805)]
+* core (enterprise): Ensure Role Governing Policies are only applied down the namespace hierarchy
+* core/namespace (enterprise): Introduce the concept of high-privilege namespace (administrative namespace),
+which will have access to some system backend paths that were previously only accessible in the root namespace. [[GH-21215](https://github.com/hashicorp/vault/pull/21215)]
+* core: Bump Go version to 1.21.1.
+* database/couchbase: Update plugin to v0.9.3 [[GH-22854](https://github.com/hashicorp/vault/pull/22854)]
+* database/couchbase: Update plugin to v0.9.4 [[GH-22871](https://github.com/hashicorp/vault/pull/22871)]
+* database/elasticsearch: Update plugin to v0.13.3 [[GH-22696](https://github.com/hashicorp/vault/pull/22696)]
+* database/mongodbatlas: Update plugin to v0.10.1 [[GH-22655](https://github.com/hashicorp/vault/pull/22655)]
+* database/redis-elasticache: Update plugin to v0.2.2 [[GH-22584](https://github.com/hashicorp/vault/pull/22584)]
+* database/redis-elasticache: Update plugin to v0.2.3 [[GH-22598](https://github.com/hashicorp/vault/pull/22598)]
+* database/redis: Update plugin to v0.2.2 [[GH-22654](https://github.com/hashicorp/vault/pull/22654)]
+* database/snowflake: Update plugin to v0.9.0 [[GH-22516](https://github.com/hashicorp/vault/pull/22516)]
+* events: Log level for processing an event dropped from info to debug. [[GH-22997](https://github.com/hashicorp/vault/pull/22997)]
+* events: `data_path` will include full data path of secret, including name. [[GH-22487](https://github.com/hashicorp/vault/pull/22487)]
+* replication (enterprise): Switch to non-deprecated gRPC field for resolver target host
+* sdk/logical/events: `EventSender` interface method is now `SendEvent` instead of `Send`. [[GH-22487](https://github.com/hashicorp/vault/pull/22487)]
+* secrets/ad: Update plugin to v0.16.1 [[GH-22856](https://github.com/hashicorp/vault/pull/22856)]
+* secrets/alicloud: Update plugin to v0.15.1 [[GH-22533](https://github.com/hashicorp/vault/pull/22533)]
+* secrets/azure: Update plugin to v0.16.2 [[GH-22799](https://github.com/hashicorp/vault/pull/22799)]
+* secrets/azure: Update plugin to v0.16.3 [[GH-22824](https://github.com/hashicorp/vault/pull/22824)]
+* secrets/gcp: Update plugin to v0.17.0 [[GH-22746](https://github.com/hashicorp/vault/pull/22746)]
+* secrets/gcpkms: Update plugin to v0.15.1 [[GH-22757](https://github.com/hashicorp/vault/pull/22757)]
+* secrets/keymgmt: Update plugin to v0.9.3
+* secrets/kubernetes: Update plugin to v0.6.0 [[GH-22823](https://github.com/hashicorp/vault/pull/22823)]
+* secrets/kv: Update plugin to v0.16.1 [[GH-22716](https://github.com/hashicorp/vault/pull/22716)]
+* secrets/mongodbatlas: Update plugin to v0.10.1 [[GH-22748](https://github.com/hashicorp/vault/pull/22748)]
+* secrets/openldap: Update plugin to v0.11.2 [[GH-22734](https://github.com/hashicorp/vault/pull/22734)]
+* secrets/terraform: Update plugin to v0.7.3 [[GH-22907](https://github.com/hashicorp/vault/pull/22907)]
+* secrets/transform (enterprise): Enforce a transformation role's max_ttl setting on encode requests, a warning will be returned if max_ttl was applied.
+* storage/aerospike: Aerospike storage shouldn't be used on 32-bit architectures and is now unsupported on them. [[GH-20825](https://github.com/hashicorp/vault/pull/20825)]
+* telemetry: Replace `vault.rollback.attempt.{MOUNT_POINT}` and `vault.route.rollback.{MOUNT_POINT}` metrics with `vault.rollback.attempt` and `vault.route.rollback metrics` by default. Added a telemetry configuration `add_mount_point_rollback_metrics` which, when set to true, causes vault to emit the metrics with mount points in their names. [[GH-22400](https://github.com/hashicorp/vault/pull/22400)]
+
+FEATURES:
+
+* **Certificate Issuance External Policy Service (CIEPS) (enterprise)**: Allow highly-customizable operator control of certificate validation and generation through the PKI Secrets Engine.
+* **Copyable KV v2 paths in UI**: KV v2 secret paths are copyable for use in CLI commands or API calls [[GH-22551](https://github.com/hashicorp/vault/pull/22551)]
+* **Dashboard UI**: Dashboard is now available in the UI as the new landing page. [[GH-21057](https://github.com/hashicorp/vault/pull/21057)]
+* **Database Static Role Advanced TTL Management**: Adds the ability to rotate
+* **Event System**: Add subscribe capability and subscribe_event_types to policies for events. [[GH-22474](https://github.com/hashicorp/vault/pull/22474)]
+static roles on a defined schedule. [[GH-22484](https://github.com/hashicorp/vault/pull/22484)]
+* **GCP IAM Support**: Adds support for IAM-based authentication to MySQL and PostgreSQL backends using Google Cloud SQL. [[GH-22445](https://github.com/hashicorp/vault/pull/22445)]
+* **Improved KV V2 UI**: Updated and restructured secret engine for KV (version 2 only) [[GH-22559](https://github.com/hashicorp/vault/pull/22559)]
+* **Merkle Tree Corruption Detection (enterprise)**: Add a new endpoint to check merkle tree corruption.
+* **Plugin Containers**: Vault supports registering, managing, and running plugins inside a container on Linux. [[GH-22712](https://github.com/hashicorp/vault/pull/22712)]
+* **SAML Auth Method (enterprise)**: Enable users to authenticate with Vault using their identity in a SAML Identity Provider.
+* **Seal High Availability Beta (enterprise)**: operators can try out configuring more than one automatic seal for resilience against seal provider outages.  Not for production use at this time.
+* **Secrets Sync (enterprise)**: Add the ability to synchronize KVv2 secret with external secrets manager solutions.
+* **UI LDAP secrets engine**: Add LDAP secrets engine to the UI. [[GH-20790](https://github.com/hashicorp/vault/pull/20790)]
+
+IMPROVEMENTS:
+
+* Bump github.com/hashicorp/go-plugin version v1.4.9 -> v1.4.10 [[GH-20966](https://github.com/hashicorp/vault/pull/20966)]
+* api: add support for cloning a Client's tls.Config. [[GH-21424](https://github.com/hashicorp/vault/pull/21424)]
+* api: adding a new api sys method for replication status [[GH-20995](https://github.com/hashicorp/vault/pull/20995)]
+* audit: add core audit events experiment [[GH-21628](https://github.com/hashicorp/vault/pull/21628)]
+* auth/aws: Added support for signed GET requests for authenticating to vault using the aws iam method. [[GH-10961](https://github.com/hashicorp/vault/pull/10961)]
+* auth/azure: Add support for azure workload identity authentication (see issue
+#18257). Update go-kms-wrapping dependency to include [PR
+#155](https://github.com/hashicorp/go-kms-wrapping/pull/155) [[GH-22994](https://github.com/hashicorp/vault/pull/22994)]
+* auth/azure: Added Azure API configurable retry options [[GH-23059](https://github.com/hashicorp/vault/pull/23059)]
+* auth/cert: Adds support for requiring hexadecimal-encoded non-string certificate extension values [[GH-21830](https://github.com/hashicorp/vault/pull/21830)]
+* auth/ldap: improved login speed by adding concurrency to LDAP token group searches [[GH-22659](https://github.com/hashicorp/vault/pull/22659)]
+* auto-auth/azure: Added Azure Workload Identity Federation support to auto-auth (for Vault Agent and Vault Proxy). [[GH-22264](https://github.com/hashicorp/vault/pull/22264)]
+* auto-auth: added support for LDAP auto-auth [[GH-21641](https://github.com/hashicorp/vault/pull/21641)]
+* aws/auth: Adds a new config field `use_sts_region_from_client` which allows for using dynamic regional sts endpoints based on Authorization header when using IAM-based authentication. [[GH-21960](https://github.com/hashicorp/vault/pull/21960)]
+* command/server: add `-dev-tls-san` flag to configure subject alternative names for the certificate generated when using `-dev-tls`. [[GH-22657](https://github.com/hashicorp/vault/pull/22657)]
+* core (ent) : Add field that allows lease-count namespace quotas to be inherited by child namespaces.
+* core : Add field that allows rate-limit namespace quotas to be inherited by child namespaces. [[GH-22452](https://github.com/hashicorp/vault/pull/22452)]
+* core/fips: Add RPM, DEB packages of FIPS 140-2 and HSM+FIPS 140-2 Vault Enterprise.
+* core/quotas: Add configuration to allow skipping of expensive role calculations [[GH-22651](https://github.com/hashicorp/vault/pull/22651)]
+* core: Add a new periodic metric to track the number of available policies, `vault.policy.configured.count`. [[GH-21010](https://github.com/hashicorp/vault/pull/21010)]
+* core: Fix OpenAPI representation and `-output-policy` recognition of some non-standard sudo paths [[GH-21772](https://github.com/hashicorp/vault/pull/21772)]
+* core: Fix regexes for `sys/raw/` and `sys/leases/lookup/` to match prevailing conventions [[GH-21760](https://github.com/hashicorp/vault/pull/21760)]
+* core: Log rollback manager failures during unmount, remount to prevent replication failures on secondary clusters. [[GH-22235](https://github.com/hashicorp/vault/pull/22235)]
+* core: Use a worker pool for the rollback manager. Add new metrics for the rollback manager to track the queued tasks. [[GH-22567](https://github.com/hashicorp/vault/pull/22567)]
+* core: add a listener configuration "chroot_namespace" that forces requests to use a namespace hierarchy [[GH-22304](https://github.com/hashicorp/vault/pull/22304)]
+* core: add a listener configuration "chroot_namespace" that forces requests to use a namespace hierarchy
+* core: remove unnecessary *BarrierView field from backendEntry struct [[GH-20933](https://github.com/hashicorp/vault/pull/20933)]
+* core: use Go stdlib functionalities instead of explicit byte/string conversions [[GH-21854](https://github.com/hashicorp/vault/pull/21854)]
+* eventbus: updated go-eventlogger library to allow removal of nodes referenced by pipelines (used for subscriptions) [[GH-21623](https://github.com/hashicorp/vault/pull/21623)]
+* events: Allow subscriptions to multiple namespaces [[GH-22540](https://github.com/hashicorp/vault/pull/22540)]
+* events: Enabled by default [[GH-22815](https://github.com/hashicorp/vault/pull/22815)]
+* events: WebSocket subscriptions add support for boolean filter expressions [[GH-22835](https://github.com/hashicorp/vault/pull/22835)]
+* framework: Make it an error for `CreateOperation` to be defined without an `ExistenceCheck`, thereby fixing misleading `x-vault-createSupported` in OpenAPI [[GH-18492](https://github.com/hashicorp/vault/pull/18492)]
+* kmip (enterprise): Add namespace lock and unlock support [[GH-21925](https://github.com/hashicorp/vault/pull/21925)]
+* openapi: Better mount points for kv-v1 and kv-v2 in openapi.json [[GH-21563](https://github.com/hashicorp/vault/pull/21563)]
+* openapi: Fix generated types for duration strings [[GH-20841](https://github.com/hashicorp/vault/pull/20841)]
+* openapi: Fix generation of correct fields in some rarer cases [[GH-21942](https://github.com/hashicorp/vault/pull/21942)]
+* openapi: Fix response definitions for list operations [[GH-21934](https://github.com/hashicorp/vault/pull/21934)]
+* openapi: List operations are now given first-class representation in the OpenAPI document, rather than sometimes being overlaid with a read operation at the same path [[GH-21723](https://github.com/hashicorp/vault/pull/21723)]
+* plugins: Containerized plugins can be configured to still work when running with systemd's PrivateTmp=true setting. [[GH-23215](https://github.com/hashicorp/vault/pull/23215)]
+* replication (enterprise): Avoid logging warning if request is forwarded from a performance standby and not a performance secondary
+* replication (enterprise): Make reindex less disruptive by allowing writes during the flush phase.
+* sdk/framework: Adds replication state helper for backends to check for read-only storage [[GH-21743](https://github.com/hashicorp/vault/pull/21743)]
+* secrets/database: Improves error logging for static role rotations by including the database and role names. [[GH-22253](https://github.com/hashicorp/vault/pull/22253)]
+* secrets/db: Remove the `service_account_json` parameter when reading DB connection details [[GH-23256](https://github.com/hashicorp/vault/pull/23256)]
+* secrets/pki: Add a parameter to allow ExtKeyUsage field usage from a role within ACME. [[GH-21702](https://github.com/hashicorp/vault/pull/21702)]
+* secrets/transform (enterprise): Switch to pgx PostgreSQL driver for better timeout handling
+* secrets/transit: Add support to create CSRs from keys in transit engine and import/export x509 certificates [[GH-21081](https://github.com/hashicorp/vault/pull/21081)]
+* storage/dynamodb: Added three permit pool metrics for the DynamoDB backend, `pending_permits`, `active_permits`, and `pool_size`. [[GH-21742](https://github.com/hashicorp/vault/pull/21742)]
+* storage/etcd: Make etcd parameter MaxCallSendMsgSize configurable [[GH-12666](https://github.com/hashicorp/vault/pull/12666)]
+* storage/raft: Cap the minimum dead_server_last_contact_threshold to 1m. [[GH-22040](https://github.com/hashicorp/vault/pull/22040)]
+* sys/metrics (enterprise): Adds a gauge metric that tracks whether enterprise builtin secret plugins are enabled. [[GH-21681](https://github.com/hashicorp/vault/pull/21681)]
+* ui: Add API Explorer link to Sidebar, under Tools. [[GH-21578](https://github.com/hashicorp/vault/pull/21578)]
+* ui: Add pagination to PKI roles, keys, issuers, and certificates list pages [[GH-23193](https://github.com/hashicorp/vault/pull/23193)]
+* ui: Added allowed_domains_template field for CA type role in SSH engine [[GH-23119](https://github.com/hashicorp/vault/pull/23119)]
+* ui: Adds mount configuration details to Kubernetes secrets engine configuration view [[GH-22926](https://github.com/hashicorp/vault/pull/22926)]
+* ui: Adds tidy_revoked_certs to PKI tidy status page [[GH-23232](https://github.com/hashicorp/vault/pull/23232)]
+* ui: Adds warning before downloading KV v2 secret values [[GH-23260](https://github.com/hashicorp/vault/pull/23260)]
+* ui: Display minus icon for empty MaskedInput value. Show MaskedInput for KV secrets without values [[GH-22039](https://github.com/hashicorp/vault/pull/22039)]
+* ui: JSON diff view available in "Create New Version" form for KV v2 [[GH-22593](https://github.com/hashicorp/vault/pull/22593)]
+* ui: KV View Secret card will link to list view if input ends in "/" [[GH-22502](https://github.com/hashicorp/vault/pull/22502)]
+* ui: Move access to  KV V2 version diff view to toolbar in Version History [[GH-23200](https://github.com/hashicorp/vault/pull/23200)]
+* ui: Update pki mount configuration details to match the new mount configuration details pattern [[GH-23166](https://github.com/hashicorp/vault/pull/23166)]
+* ui: add example modal to policy form [[GH-21583](https://github.com/hashicorp/vault/pull/21583)]
+* ui: adds allowed_user_ids field to create role form and user_ids to generate certificates form in pki [[GH-22191](https://github.com/hashicorp/vault/pull/22191)]
+* ui: display CertificateCard instead of MaskedInput for certificates in PKI [[GH-22160](https://github.com/hashicorp/vault/pull/22160)]
+* ui: enables create and update KV secret workflow when control group present [[GH-22471](https://github.com/hashicorp/vault/pull/22471)]
+* ui: implement hashicorp design system [alert](https://helios.hashicorp.design/components/alert) component [[GH-21375](https://github.com/hashicorp/vault/pull/21375)]
+* ui: update detail views that render ttl durations to display full unit instead of letter (i.e. 'days' instead of 'd') [[GH-20697](https://github.com/hashicorp/vault/pull/20697)]
+* ui: update unseal and DR operation token flow components [[GH-21871](https://github.com/hashicorp/vault/pull/21871)]
+* ui: upgrade Ember to 4.12 [[GH-22122](https://github.com/hashicorp/vault/pull/22122)]
+
+DEPRECATIONS:
+
+* auth/centrify: Centrify plugin is deprecated as of 1.15, slated for removal in 1.17 [[GH-23050](https://github.com/hashicorp/vault/pull/23050)]
+
+BUG FIXES:
+
+* activity (enterprise): Fix misattribution of entities to no or child namespace auth methods [[GH-18809](https://github.com/hashicorp/vault/pull/18809)]
+* agent: Environment variable VAULT_CACERT_BYTES now works for Vault Agent templates. [[GH-22322](https://github.com/hashicorp/vault/pull/22322)]
+* agent: Fix "generate-config" command documentation URL [[GH-21466](https://github.com/hashicorp/vault/pull/21466)]
+* api/client: Fix deadlock in client.CloneWithHeaders when used alongside other client methods. [[GH-22410](https://github.com/hashicorp/vault/pull/22410)]
+* api: Fix breakage with UNIX domain socket addresses introduced by newest Go versions as a security fix. [[GH-22523](https://github.com/hashicorp/vault/pull/22523)]
+* audit: Prevent panic due to nil pointer receiver for audit header formatting. [[GH-22694](https://github.com/hashicorp/vault/pull/22694)]
+* auth/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [[GH-21800](https://github.com/hashicorp/vault/pull/21800)]
+* auth/token, sys: Fix path-help being unavailable for some list-only endpoints [[GH-18571](https://github.com/hashicorp/vault/pull/18571)]
+* auth/token: Fix parsing of `auth/token/create` fields to avoid incorrect warnings about ignored parameters [[GH-18556](https://github.com/hashicorp/vault/pull/18556)]
+* awsutil: Update awsutil to v0.2.3 to fix a regression where Vault no longer
+respects `AWS_ROLE_ARN`, `AWS_WEB_IDENTITY_TOKEN_FILE`, and `AWS_ROLE_SESSION_NAME`. [[GH-21951](https://github.com/hashicorp/vault/pull/21951)]
+* cli: Avoid printing "Success" message when `-field` flag is provided during a `vault write`. [[GH-21546](https://github.com/hashicorp/vault/pull/21546)]
+* cli: Fix the CLI failing to return wrapping information for KV PUT and PATCH operations when format is set to `table`. [[GH-22818](https://github.com/hashicorp/vault/pull/22818)]
+* core (enterprise): Fix sentinel policy check logic so that sentinel
+policies are not used when Sentinel feature isn't licensed.
+* core (enterprise): Remove MFA Configuration for namespace when deleting namespace
+* core/managed-keys (enterprise): Allow certain symmetric PKCS#11 managed key mechanisms (AES CBC with and without padding) to operate without an HMAC.
+* core/metrics: vault.raft_storage.bolt.write.time should be a counter not a summary [[GH-22468](https://github.com/hashicorp/vault/pull/22468)]
+* core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context.
+Also fix a related potential deadlock. [[GH-21110](https://github.com/hashicorp/vault/pull/21110)]
+* core/quotas: Only perform ResolveRoleOperation for role-based quotas and lease creation. [[GH-22597](https://github.com/hashicorp/vault/pull/22597)]
+* core/quotas: Reduce overhead for role calculation when using cloud auth methods. [[GH-22583](https://github.com/hashicorp/vault/pull/22583)]
+* core:  Remove "expiration manager is nil on tokenstore" error log for unauth requests on DR secondary as they do not have expiration manager. [[GH-22137](https://github.com/hashicorp/vault/pull/22137)]
+* core: All subloggers now reflect configured log level on reload. [[GH-22038](https://github.com/hashicorp/vault/pull/22038)]
+* core: Fix bug where background thread to update locked user entries runs on DR secondaries. [[GH-22355](https://github.com/hashicorp/vault/pull/22355)]
+* core: Fix readonly errors that could occur while loading mounts/auths during unseal [[GH-22362](https://github.com/hashicorp/vault/pull/22362)]
+* core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [[GH-21470](https://github.com/hashicorp/vault/pull/21470)]
+* core: Fixed issue with some durations not being properly parsed to include days. [[GH-21357](https://github.com/hashicorp/vault/pull/21357)]
+* core: Fixes list password policy to include those with names containing / characters. [[GH-23155](https://github.com/hashicorp/vault/pull/23155)]
+* core: fix race when updating a mount's route entry tainted status and incoming requests [[GH-21640](https://github.com/hashicorp/vault/pull/21640)]
+* events: Ensure subscription resources are cleaned up on close. [[GH-23042](https://github.com/hashicorp/vault/pull/23042)]
+* expiration: Fix a deadlock that could occur when a revocation failure happens while restoring leases on startup. [[GH-22374](https://github.com/hashicorp/vault/pull/22374)]
+* identity/mfa: Fixes to OpenAPI representation and returned error codes for `identity/mfa/method/*` APIs [[GH-20879](https://github.com/hashicorp/vault/pull/20879)]
+* identity: Remove caseSensitivityKey to prevent errors while loading groups which could result in missing groups in memDB when duplicates are found. [[GH-20965](https://github.com/hashicorp/vault/pull/20965)]
+* license: Add autoloaded license path to the cache exempt list. This is to ensure the license changes on the active node is observed on the perfStandby node. [[GH-22363](https://github.com/hashicorp/vault/pull/22363)]
+* openapi: Fix response schema for PKI Issue requests [[GH-21449](https://github.com/hashicorp/vault/pull/21449)]
+* openapi: Fix schema definitions for PKI EAB APIs [[GH-21458](https://github.com/hashicorp/vault/pull/21458)]
+* plugins: Containerized plugins can be run with mlock enabled. [[GH-23215](https://github.com/hashicorp/vault/pull/23215)]
+* plugins: Fix instance where Vault could fail to kill broken/unresponsive plugins. [[GH-22914](https://github.com/hashicorp/vault/pull/22914)]
+* plugins: Fix instance where broken/unresponsive plugins could cause Vault to hang. [[GH-22914](https://github.com/hashicorp/vault/pull/22914)]
+* plugins: Runtime catalog returns 404 instead of 500 when reading a runtime that does not exist [[GH-23171](https://github.com/hashicorp/vault/pull/23171)]
+* plugins: `vault plugin runtime list` can successfully list plugin runtimes with GET [[GH-23171](https://github.com/hashicorp/vault/pull/23171)]
+* raft/autopilot: Add dr-token flag for raft autopilot cli commands [[GH-21165](https://github.com/hashicorp/vault/pull/21165)]
+* replication (enterprise): Fix bug sync invalidate CoreReplicatedClusterInfoPath
+* replication (enterprise): Fix discovery of bad primary cluster addresses to be more reliable
+* replication (enterprise): Fix panic when update-primary was called on demoted clusters using update_primary_addrs
+* replication (enterprise): Fixing a bug by which the atomicity of a merkle diff result could be affected. This means it could be a source of a merkle-diff & sync process failing to switch into stream-wal mode afterwards.
+* replication (enterprise): Sort cluster addresses returned by echo requests, so that primary-addrs only gets persisted when the
+set of addrs changes.
+* replication (enterprise): update primary cluster address after DR failover
+* sdk/ldaputil: Properly escape user filters when using UPN domains
+sdk/ldaputil: use EscapeLDAPValue implementation from cap/ldap [[GH-22249](https://github.com/hashicorp/vault/pull/22249)]
+* secrets/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [[GH-21631](https://github.com/hashicorp/vault/pull/21631)]
+* secrets/ldap: Fix bug causing schema and password_policy to be overwritten in config. [[GH-22330](https://github.com/hashicorp/vault/pull/22330)]
+* secrets/pki: Fix bug with ACME tidy, 'unable to determine acme base folder path'. [[GH-21870](https://github.com/hashicorp/vault/pull/21870)]
+* secrets/pki: Fix preserving acme_account_safety_buffer on config/auto-tidy. [[GH-21870](https://github.com/hashicorp/vault/pull/21870)]
+* secrets/pki: Fix removal of issuers to clean up unreferenced CRLs. [[GH-23007](https://github.com/hashicorp/vault/pull/23007)]
+* secrets/pki: Prevent deleted issuers from reappearing when migrating from a version 1 bundle to a version 2 bundle (versions including 1.13.0, 1.12.2, and 1.11.6); when managed keys were removed but referenced in the Vault 1.10 legacy CA bundle, this the error: `no managed key found with uuid`. [[GH-21316](https://github.com/hashicorp/vault/pull/21316)]
+* secrets/pki: allowed_domains are now compared in a case-insensitive manner if they use glob patterns [[GH-22126](https://github.com/hashicorp/vault/pull/22126)]
+* secrets/transform (enterprise): Batch items with repeated tokens in the tokenization decode api will now contain the decoded_value element
+* secrets/transform (enterprise): Fix nil panic when deleting a template with tokenization transformations present
+* secrets/transform (enterprise): Fix nil panic when encoding a tokenization transformation on a non-active node
+* secrets/transform (enterprise): Grab shared locks for various read operations, only escalating to write locks if work is required
+* secrets/transform (enterprise): Tidy operations will be re-scheduled at a minimum of every minute, not a maximum of every minute
+* secrets/transit: fix panic when providing non-PEM formatted public key for import [[GH-22753](https://github.com/hashicorp/vault/pull/22753)]
+* serviceregistration: Fix bug where multiple nodes in a secondary cluster could be labelled active after updating the cluster's primary [[GH-21642](https://github.com/hashicorp/vault/pull/21642)]
+* storage/consul: Consul service registration tags are now case-sensitive. [[GH-6483](https://github.com/hashicorp/vault/pull/6483)]
+* storage/raft: Fix race where new follower joining can get pruned by dead server cleanup. [[GH-20986](https://github.com/hashicorp/vault/pull/20986)]
+* ui (enterprise): Fix error message when generating SSH credential with control group [[GH-23025](https://github.com/hashicorp/vault/pull/23025)]
+* ui: Adds missing values to details view after generating PKI certificate [[GH-21635](https://github.com/hashicorp/vault/pull/21635)]
+* ui: Fix blank page or ghost secret when canceling KV secret create [[GH-22541](https://github.com/hashicorp/vault/pull/22541)]
+* ui: Fix display for "Last Vault Rotation" timestamp for static database roles which was not rendering or copyable [[GH-22519](https://github.com/hashicorp/vault/pull/22519)]
+* ui: Fix styling for username input when editing a user [[GH-21771](https://github.com/hashicorp/vault/pull/21771)]
+* ui: Fix styling for viewing certificate in kubernetes configuration [[GH-21968](https://github.com/hashicorp/vault/pull/21968)]
+* ui: Fix the issue where confirm delete dropdown is being cut off [[GH-23066](https://github.com/hashicorp/vault/pull/23066)]
+* ui: Fixed an issue where editing an SSH role would clear `default_critical_options` and `default_extension` if left unchanged. [[GH-21739](https://github.com/hashicorp/vault/pull/21739)]
+* ui: Fixed secrets, leases, and policies filter dropping focus after a single character [[GH-21767](https://github.com/hashicorp/vault/pull/21767)]
+* ui: Fixes filter and search bug in secrets engines [[GH-23123](https://github.com/hashicorp/vault/pull/23123)]
+* ui: Fixes form field label tooltip alignment [[GH-22832](https://github.com/hashicorp/vault/pull/22832)]
+* ui: Fixes issue with certain navigational links incorrectly displaying in child namespaces [[GH-21562](https://github.com/hashicorp/vault/pull/21562)]
+* ui: Fixes login screen display issue with Safari browser [[GH-21582](https://github.com/hashicorp/vault/pull/21582)]
+* ui: Fixes problem displaying certificates issued with unsupported signature algorithms (i.e. ed25519) [[GH-21926](https://github.com/hashicorp/vault/pull/21926)]
+* ui: Fixes styling of private key input when configuring an SSH key [[GH-21531](https://github.com/hashicorp/vault/pull/21531)]
+* ui: Surface DOMException error when browser settings prevent localStorage. [[GH-21503](https://github.com/hashicorp/vault/pull/21503)]
+* ui: correct doctype for index.html [[GH-22153](https://github.com/hashicorp/vault/pull/22153)]
+* ui: don't exclude features present on license [[GH-22855](https://github.com/hashicorp/vault/pull/22855)]
+* ui: fixes `max_versions` default for secret metadata unintentionally overriding kv engine defaults [[GH-22394](https://github.com/hashicorp/vault/pull/22394)]
+* ui: fixes long namespace names overflow in the sidebar
+* ui: fixes model defaults overwriting input value when user tries to clear form input [[GH-22458](https://github.com/hashicorp/vault/pull/22458)]
+* ui: fixes text readability issue in revoke token confirmation dialog [[GH-22390](https://github.com/hashicorp/vault/pull/22390)]
+
+## 1.14.7
+### November 30, 2023
+
+CHANGES:
+
+* core: Bump Go version to 1.20.11.
+
+IMPROVEMENTS:
+
+* core (enterprise): Speed up unseal when using namespaces
+* secrets/pki: do not check TLS validity on ACME requests redirected to https [[GH-22521](https://github.com/hashicorp/vault/pull/22521)]
+* ui: Sort list view of entities and aliases alphabetically using the item name [[GH-24103](https://github.com/hashicorp/vault/pull/24103)]
+* ui: Update flat, shell-quote and swagger-ui-dist packages. Remove swagger-ui styling overrides. [[GH-23700](https://github.com/hashicorp/vault/pull/23700)]
+
+BUG FIXES:
+
+* activity log (enterprise): De-duplicate client count estimates for license utilization reporting.
+* auth/cert: Handle errors related to expired OCSP server responses [[GH-24193](https://github.com/hashicorp/vault/pull/24193)]
+* core/config: Use correct HCL config value when configuring `log_requests_level`. [[GH-24058](https://github.com/hashicorp/vault/pull/24058)]
+* core/quotas: Close rate-limit blocked client purge goroutines when sealing [[GH-24108](https://github.com/hashicorp/vault/pull/24108)]
+* replication (enterprise): disallow configuring paths filter for a mount path that does not exist
+* secrets/pki: Do not set nextUpdate field in OCSP responses when ocsp_expiry is 0 [[GH-24192](https://github.com/hashicorp/vault/pull/24192)]
+* secrets/transit: Fix a panic when attempting to export a public RSA key [[GH-24054](https://github.com/hashicorp/vault/pull/24054)]
+* ui: Fix error when tuning token auth configuration within namespace [[GH-24147](https://github.com/hashicorp/vault/pull/24147)]
+
+## 1.14.6
+### November 09, 2023
+
+SECURITY:
+* core: inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. This vulnerability, CVE-2023-5954, was introduced in Vault 1.15.0, 1.14.3, and 1.13.7, and is fixed in Vault 1.15.2, 1.14.6, and 1.13.10. [[HSEC-2023-33](https://discuss.hashicorp.com/t/hcsec-2023-33-vault-requests-triggering-policy-checks-may-lead-to-unbounded-memory-consumption/59926)]
+
+CHANGES:
+
+* auth/approle: Normalized error response messages when invalid credentials are provided [[GH-23786](https://github.com/hashicorp/vault/pull/23786)]
+* secrets/mongodbatlas: Update plugin to v0.10.2 [[GH-23849](https://github.com/hashicorp/vault/pull/23849)]
+
+FEATURES:
+
+* cli/snapshot: Add CLI tool to inspect Vault snapshots [[GH-23457](https://github.com/hashicorp/vault/pull/23457)]
+
+IMPROVEMENTS:
+
+* storage/etcd: etcd should only return keys when calling List() [[GH-23872](https://github.com/hashicorp/vault/pull/23872)]
+
+BUG FIXES:
+
+* api/seal-status: Fix deadlock on calls to sys/seal-status with a namespace configured
+on the request. [[GH-23861](https://github.com/hashicorp/vault/pull/23861)]
+* core (enterprise): Do not return an internal error when token policy type lookup fails, log it instead and continue.
+* core/activity: Fixes segments fragment loss due to exceeding entry record size limit [[GH-23781](https://github.com/hashicorp/vault/pull/23781)]
+* core/mounts: Fix reading an "auth" mount using "sys/internal/ui/mounts/" when filter paths are enforced returns 500 error code from the secondary [[GH-23802](https://github.com/hashicorp/vault/pull/23802)]
+* core: Revert PR causing memory consumption bug [[GH-23986](https://github.com/hashicorp/vault/pull/23986)]
+* core: Skip unnecessary deriving of policies during Login MFA Check. [[GH-23894](https://github.com/hashicorp/vault/pull/23894)]
+* core: fix bug where deadlock detection was always on for expiration and quotas. 
+These can now be configured individually with `detect_deadlocks`. [[GH-23902](https://github.com/hashicorp/vault/pull/23902)]
+* core: fix policies with wildcards not matching list operations due to the policy path not having a trailing slash [[GH-23874](https://github.com/hashicorp/vault/pull/23874)]
+* expiration: Fix fatal error "concurrent map iteration and map write" when collecting metrics from leases. [[GH-24027](https://github.com/hashicorp/vault/pull/24027)]
+
+## 1.14.5
+### October 25, 2023
+
+CHANGES:
+
+* core: Bump Go version to 1.20.10.
+* replication (enterprise): Switch to non-deprecated gRPC field for resolver target host
+
+IMPROVEMENTS:
+
+* api/plugins: add `tls-server-name` arg for plugin registration [[GH-23549](https://github.com/hashicorp/vault/pull/23549)]
+* core: Use a worker pool for the rollback manager. Add new metrics for the rollback manager to track the queued tasks. [[GH-22567](https://github.com/hashicorp/vault/pull/22567)]
+* ui: Adds toggle to KV secrets engine value download modal to optionally stringify value in downloaded file [[GH-23747](https://github.com/hashicorp/vault/pull/23747)]
+
+BUG FIXES:
+
+* command/server: Fix bug with sigusr2 where pprof files were not closed correctly [[GH-23636](https://github.com/hashicorp/vault/pull/23636)]
+* events: Ignore sending context to give more time for events to send [[GH-23500](https://github.com/hashicorp/vault/pull/23500)]
+* expiration: Prevent large lease loads from delaying state changes, e.g. becoming active or standby. [[GH-23282](https://github.com/hashicorp/vault/pull/23282)]
+* kmip (enterprise): Improve handling of failures due to storage replication issues.
+* kmip (enterprise): Return a structure in the response for query function Query Server Information.
+* mongo-db: allow non-admin database for root credential rotation [[GH-23240](https://github.com/hashicorp/vault/pull/23240)]
+* replication (enterprise): Fix a bug where undo logs would only get enabled on the initial node in a cluster.
+* replication (enterprise): Fix a missing unlock when changing replication state
+* secrets/consul: Fix revocations when Vault has an access token using specific namespace and admin partition policies [[GH-23010](https://github.com/hashicorp/vault/pull/23010)]
+* secrets/pki: Stop processing in-flight ACME verifications when an active node steps down [[GH-23278](https://github.com/hashicorp/vault/pull/23278)]
+* secrets/transit (enterprise): Address an issue using sign/verify operations with managed keys returning an error about it not containing a private key
+* secrets/transit (enterprise): Address panic when using GCP,AWS,Azure managed keys for encryption operations. At this time all encryption operations for the cloud providers have been disabled, only signing operations are supported.
+* secrets/transit (enterprise): Apply hashing arguments and defaults to managed key sign/verify operations
+* secrets/transit: Do not allow auto rotation on managed_key key types [[GH-23723](https://github.com/hashicorp/vault/pull/23723)]
+* storage/consul: fix a bug where an active node in a specific sort of network
+partition could continue to write data to Consul after a new leader is elected
+potentially causing data loss or corruption for keys with many concurrent
+writers. For Enterprise clusters this could cause corruption of the merkle trees
+leading to failure to complete merkle sync without a full re-index. [[GH-23013](https://github.com/hashicorp/vault/pull/23013)]
+* ui: Decode the connection url for display on the connection details page [[GH-23695](https://github.com/hashicorp/vault/pull/23695)]
+* ui: Fix AWS secret engine to allow empty policy_document field. [[GH-23470](https://github.com/hashicorp/vault/pull/23470)]
+* ui: Fix the copy token button in the sidebar navigation window when in a collapsed state. [[GH-23331](https://github.com/hashicorp/vault/pull/23331)]
+* ui: Fixes issue with sidebar navigation links disappearing when navigating to policies when a user is not authorized [[GH-23516](https://github.com/hashicorp/vault/pull/23516)]
+
+## 1.14.4
+### September 27, 2023
+
+SECURITY:
+
+* sentinel (enterprise): Sentinel RGP policies allowed for cross-namespace denial-of-service. This vulnerability, CVE-2023-3775, is fixed in Vault Enterprise 1.15.0, 1.14.4, and 1.13.8. [[HSEC-2023-29](https://discuss.hashicorp.com/t/hcsec-2023-29-vault-enterprise-s-sentinel-rgp-policies-allowed-for-cross-namespace-denial-of-service/58653)]
+
+CHANGES:
+
+* core (enterprise): Ensure Role Governing Policies are only applied down the namespace hierarchy
+
+IMPROVEMENTS:
+
+* ui: Add pagination to PKI roles, keys, issuers, and certificates list pages [[GH-23193](https://github.com/hashicorp/vault/pull/23193)]
+* ui: Added allowed_domains_template field for CA type role in SSH engine [[GH-23119](https://github.com/hashicorp/vault/pull/23119)]
+* ui: Adds tidy_revoked_certs to PKI tidy status page [[GH-23232](https://github.com/hashicorp/vault/pull/23232)]
+* ui: Adds warning before downloading KV v2 secret values [[GH-23260](https://github.com/hashicorp/vault/pull/23260)]
+
+BUG FIXES:
+
+* core: Fixes list password policy to include those with names containing / characters. [[GH-23155](https://github.com/hashicorp/vault/pull/23155)]
+* secrets/pki: Fix removal of issuers to clean up unreferenced CRLs. [[GH-23007](https://github.com/hashicorp/vault/pull/23007)]
+* ui (enterprise): Fix error message when generating SSH credential with control group [[GH-23025](https://github.com/hashicorp/vault/pull/23025)]
+* ui: Fix the issue where confirm delete dropdown is being cut off [[GH-23066](https://github.com/hashicorp/vault/pull/23066)]
+* ui: Fixes filter and search bug in secrets engines [[GH-23123](https://github.com/hashicorp/vault/pull/23123)]
+* ui: don't exclude features present on license [[GH-22855](https://github.com/hashicorp/vault/pull/22855)]
+
+## 1.14.3
+### September 13, 2023
+
+SECURITY:
+
+* secrets/transit: fix a regression that was honoring nonces provided in non-convergent modes during encryption. This vulnerability, CVE-2023-4680, is fixed in Vault 1.14.3, 1.13.7, and 1.12.11. [[GH-22852](https://github.com/hashicorp/vault/pull/22852), [HSEC-2023-28](https://discuss.hashicorp.com/t/hcsec-2023-28-vault-s-transit-secrets-engine-allowed-nonce-specified-without-convergent-encryption/58249)]
+
+CHANGES:
+
+* core: Bump Go version to 1.20.8.
+
+FEATURES:
+
+* ** Merkle Tree Corruption Detection (enterprise) **: Add a new endpoint to check merkle tree corruption.
+
+IMPROVEMENTS:
+
+* auth/ldap: improved login speed by adding concurrency to LDAP token group searches [[GH-22659](https://github.com/hashicorp/vault/pull/22659)]
+* core/quotas: Add configuration to allow skipping of expensive role calculations [[GH-22651](https://github.com/hashicorp/vault/pull/22651)]
+* kmip (enterprise): reduce latency of KMIP operation handling
+
+BUG FIXES:
+
+* cli: Fix the CLI failing to return wrapping information for KV PUT and PATCH operations when format is set to `table`. [[GH-22818](https://github.com/hashicorp/vault/pull/22818)]
+* core/quotas: Only perform ResolveRoleOperation for role-based quotas and lease creation. [[GH-22597](https://github.com/hashicorp/vault/pull/22597)]
+* core/quotas: Reduce overhead for role calculation when using cloud auth methods. [[GH-22583](https://github.com/hashicorp/vault/pull/22583)]
+* core/seal: add a workaround for potential connection [[hangs](https://github.com/Azure/azure-sdk-for-go/issues/21346)] in Azure autoseals. [[GH-22760](https://github.com/hashicorp/vault/pull/22760)]
+* core: All subloggers now reflect configured log level on reload. [[GH-22038](https://github.com/hashicorp/vault/pull/22038)]
+* kmip (enterprise): fix date handling error with some re-key operations
+* raft/autopilot: Add dr-token flag for raft autopilot cli commands [[GH-21165](https://github.com/hashicorp/vault/pull/21165)]
+* replication (enterprise): Fix discovery of bad primary cluster addresses to be more reliable
+* secrets/transit: fix panic when providing non-PEM formatted public key for import [[GH-22753](https://github.com/hashicorp/vault/pull/22753)]
+* ui: fixes long namespace names overflow in the sidebar
+
+## 1.14.2
+### August 30, 2023
+
+CHANGES:
+
+* auth/azure: Update plugin to v0.16.0 [[GH-22277](https://github.com/hashicorp/vault/pull/22277)]
+* core: Bump Go version to 1.20.7.
+* database/snowflake: Update plugin to v0.9.0 [[GH-22516](https://github.com/hashicorp/vault/pull/22516)]
+
+IMPROVEMENTS:
+
+* auto-auth/azure: Added Azure Workload Identity Federation support to auto-auth (for Vault Agent and Vault Proxy). [[GH-22264](https://github.com/hashicorp/vault/pull/22264)]
+* core: Log rollback manager failures during unmount, remount to prevent replication failures on secondary clusters. [[GH-22235](https://github.com/hashicorp/vault/pull/22235)]
+* kmip (enterprise): Add namespace lock and unlock support [[GH-21925](https://github.com/hashicorp/vault/pull/21925)]
+* replication (enterprise): Make reindex less disruptive by allowing writes during the flush phase.
+* secrets/database: Improves error logging for static role rotations by including the database and role names. [[GH-22253](https://github.com/hashicorp/vault/pull/22253)]
+* storage/raft: Cap the minimum dead_server_last_contact_threshold to 1m. [[GH-22040](https://github.com/hashicorp/vault/pull/22040)]
+* ui: KV View Secret card will link to list view if input ends in "/" [[GH-22502](https://github.com/hashicorp/vault/pull/22502)]
+* ui: adds allowed_user_ids field to create role form and user_ids to generate certificates form in pki [[GH-22191](https://github.com/hashicorp/vault/pull/22191)]
+* ui: enables create and update KV secret workflow when control group present [[GH-22471](https://github.com/hashicorp/vault/pull/22471)]
+* website/docs: Fix link formatting in Vault lambda extension docs [[GH-22396](https://github.com/hashicorp/vault/pull/22396)]
+
+BUG FIXES:
+
+* activity (enterprise): Fix misattribution of entities to no or child namespace auth methods [[GH-18809](https://github.com/hashicorp/vault/pull/18809)]
+* agent: Environment variable VAULT_CACERT_BYTES now works for Vault Agent templates. [[GH-22322](https://github.com/hashicorp/vault/pull/22322)]
+* api: Fix breakage with UNIX domain socket addresses introduced by newest Go versions as a security fix. [[GH-22523](https://github.com/hashicorp/vault/pull/22523)]
+* core (enterprise): Remove MFA Configuration for namespace when deleting namespace
+* core/metrics: vault.raft_storage.bolt.write.time should be a counter not a summary [[GH-22468](https://github.com/hashicorp/vault/pull/22468)]
+* core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context.
+Also fix a related potential deadlock. [[GH-21110](https://github.com/hashicorp/vault/pull/21110)]
+* core:  Remove "expiration manager is nil on tokenstore" error log for unauth requests on DR secondary as they do not have expiration manager. [[GH-22137](https://github.com/hashicorp/vault/pull/22137)]
+* core: Fix bug where background thread to update locked user entries runs on DR secondaries. [[GH-22355](https://github.com/hashicorp/vault/pull/22355)]
+* core: Fix readonly errors that could occur while loading mounts/auths during unseal [[GH-22362](https://github.com/hashicorp/vault/pull/22362)]
+* core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [[GH-21470](https://github.com/hashicorp/vault/pull/21470)]
+* expiration: Fix a deadlock that could occur when a revocation failure happens while restoring leases on startup. [[GH-22374](https://github.com/hashicorp/vault/pull/22374)]
+* license: Add autoloaded license path to the cache exempt list. This is to ensure the license changes on the active node is observed on the perfStandby node. [[GH-22363](https://github.com/hashicorp/vault/pull/22363)]
+* replication (enterprise): Fix bug sync invalidate CoreReplicatedClusterInfoPath
+* replication (enterprise): Fix panic when update-primary was called on demoted clusters using update_primary_addrs
+* replication (enterprise): Fixing a bug by which the atomicity of a merkle diff result could be affected. This means it could be a source of a merkle-diff & sync process failing to switch into stream-wal mode afterwards.
+* sdk/ldaputil: Properly escape user filters when using UPN domains
+sdk/ldaputil: use EscapeLDAPValue implementation from cap/ldap [[GH-22249](https://github.com/hashicorp/vault/pull/22249)]
+* secrets/ldap: Fix bug causing schema and password_policy to be overwritten in config. [[GH-22330](https://github.com/hashicorp/vault/pull/22330)]
+* secrets/transform (enterprise): Batch items with repeated tokens in the tokenization decode api will now contain the decoded_value element
+* secrets/transform (enterprise): Fix nil panic when encoding a tokenization transformation on a non-active node
+* secrets/transform (enterprise): Tidy operations will be re-scheduled at a minimum of every minute, not a maximum of every minute
+* storage/raft: Fix race where new follower joining can get pruned by dead server cleanup. [[GH-20986](https://github.com/hashicorp/vault/pull/20986)]
+* ui: Fix blank page or ghost secret when canceling KV secret create [[GH-22541](https://github.com/hashicorp/vault/pull/22541)]
+* ui: fixes `max_versions` default for secret metadata unintentionally overriding kv engine defaults [[GH-22394](https://github.com/hashicorp/vault/pull/22394)]
+* ui: fixes model defaults overwriting input value when user tries to clear form input [[GH-22458](https://github.com/hashicorp/vault/pull/22458)]
+* ui: fixes text readability issue in revoke token confirmation dialog [[GH-22390](https://github.com/hashicorp/vault/pull/22390)]
+
+## 1.14.1
+### July 25, 2023
+
+SECURITY
+
+* auth/ldap: Normalize HTTP response codes when invalid credentials are provided to prevent user enumeration. This vulnerability, CVE-2023-3462, is fixed in Vault 1.14.1 and 1.13.5. [[GH-21282](https://github.com/hashicorp/vault/pull/21282), [HSEC-2023-24](https://discuss.hashicorp.com/t/hcsec-2023-24-vaults-ldap-auth-method-allows-for-user-enumeration/56714)]
+* core/namespace (enterprise): An unhandled error in Vault Enterprise’s namespace creation may cause the Vault process to crash, potentially resulting in denial of service. This vulnerability, CVE-2023-3774, is fixed in Vault Enterprise 1.14.1, 1.13.5, and 1.12.9. [[HSEC_2023-23](https://discuss.hashicorp.com/t/hcsec-2023-23-vault-enterprise-namespace-creation-may-lead-to-denial-of-service/56617)]
+
+CHANGES:
+
+* core/namespace (enterprise): Introduce the concept of high-privilege namespace (administrative namespace),
+which will have access to some system backend paths that were previously only accessible in the root namespace. [[GH-21215](https://github.com/hashicorp/vault/pull/21215)]
+* secrets/transform (enterprise): Enforce a transformation role's max_ttl setting on encode requests, a warning will be returned if max_ttl was applied.
+* storage/aerospike: Aerospike storage shouldn't be used on 32-bit architectures and is now unsupported on them. [[GH-20825](https://github.com/hashicorp/vault/pull/20825)]
+
+IMPROVEMENTS:
+
+* core/fips: Add RPM, DEB packages of FIPS 140-2 and HSM+FIPS 140-2 Vault Enterprise.
+* eventbus: updated go-eventlogger library to allow removal of nodes referenced by pipelines (used for subscriptions) [[GH-21623](https://github.com/hashicorp/vault/pull/21623)]
+* openapi: Better mount points for kv-v1 and kv-v2 in openapi.json [[GH-21563](https://github.com/hashicorp/vault/pull/21563)]
+* replication (enterprise): Avoid logging warning if request is forwarded from a performance standby and not a performance secondary
+* secrets/pki: Add a parameter to allow ExtKeyUsage field usage from a role within ACME. [[GH-21702](https://github.com/hashicorp/vault/pull/21702)]
+* secrets/transform (enterprise): Switch to pgx PostgreSQL driver for better timeout handling
+* sys/metrics (enterprise): Adds a gauge metric that tracks whether enterprise builtin secret plugins are enabled. [[GH-21681](https://github.com/hashicorp/vault/pull/21681)]
+
+BUG FIXES:
+
+* agent: Fix "generate-config" command documentation URL [[GH-21466](https://github.com/hashicorp/vault/pull/21466)]
+* auth/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [[GH-21800](https://github.com/hashicorp/vault/pull/21800)]
+* auth/token, sys: Fix path-help being unavailable for some list-only endpoints [[GH-18571](https://github.com/hashicorp/vault/pull/18571)]
+* auth/token: Fix parsing of `auth/token/create` fields to avoid incorrect warnings about ignored parameters [[GH-18556](https://github.com/hashicorp/vault/pull/18556)]
+* awsutil: Update awsutil to v0.2.3 to fix a regression where Vault no longer
+respects `AWS_ROLE_ARN`, `AWS_WEB_IDENTITY_TOKEN_FILE`, and `AWS_ROLE_SESSION_NAME`. [[GH-21951](https://github.com/hashicorp/vault/pull/21951)]
+* core/managed-keys (enterprise): Allow certain symmetric PKCS#11 managed key mechanisms (AES CBC with and without padding) to operate without an HMAC.
+* core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [[GH-24170](https://github.com/hashicorp/vault/pull/24170)]
+* core: Fixed issue with some durations not being properly parsed to include days. [[GH-21357](https://github.com/hashicorp/vault/pull/21357)]
+* identity: Remove caseSensitivityKey to prevent errors while loading groups which could result in missing groups in memDB when duplicates are found. [[GH-20965](https://github.com/hashicorp/vault/pull/20965)]
+* openapi: Fix response schema for PKI Issue requests [[GH-21449](https://github.com/hashicorp/vault/pull/21449)]
+* openapi: Fix schema definitions for PKI EAB APIs [[GH-21458](https://github.com/hashicorp/vault/pull/21458)]
+* replication (enterprise): update primary cluster address after DR failover
+* secrets/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [[GH-21631](https://github.com/hashicorp/vault/pull/21631)]
+* secrets/pki: Fix bug with ACME tidy, 'unable to determine acme base folder path'. [[GH-21870](https://github.com/hashicorp/vault/pull/21870)]
+* secrets/pki: Fix preserving acme_account_safety_buffer on config/auto-tidy. [[GH-21870](https://github.com/hashicorp/vault/pull/21870)]
+* secrets/pki: Prevent deleted issuers from reappearing when migrating from a version 1 bundle to a version 2 bundle (versions including 1.13.0, 1.12.2, and 1.11.6); when managed keys were removed but referenced in the Vault 1.10 legacy CA bundle, this the error: `no managed key found with uuid`. [[GH-21316](https://github.com/hashicorp/vault/pull/21316)]
+* secrets/transform (enterprise): Fix nil panic when deleting a template with tokenization transformations present
+* secrets/transform (enterprise): Grab shared locks for various read operations, only escalating to write locks if work is required
+* serviceregistration: Fix bug where multiple nodes in a secondary cluster could be labelled active after updating the cluster's primary [[GH-21642](https://github.com/hashicorp/vault/pull/21642)]
+* ui: Adds missing values to details view after generating PKI certificate [[GH-21635](https://github.com/hashicorp/vault/pull/21635)]
+* ui: Fixed an issue where editing an SSH role would clear `default_critical_options` and `default_extension` if left unchanged. [[GH-21739](https://github.com/hashicorp/vault/pull/21739)]
+* ui: Fixed secrets, leases, and policies filter dropping focus after a single character [[GH-21767](https://github.com/hashicorp/vault/pull/21767)]
+* ui: Fixes issue with certain navigational links incorrectly displaying in child namespaces [[GH-21562](https://github.com/hashicorp/vault/pull/21562)]
+* ui: Fixes login screen display issue with Safari browser [[GH-21582](https://github.com/hashicorp/vault/pull/21582)]
+* ui: Fixes problem displaying certificates issued with unsupported signature algorithms (i.e. ed25519) [[GH-21926](https://github.com/hashicorp/vault/pull/21926)]
+* ui: Fixes styling of private key input when configuring an SSH key [[GH-21531](https://github.com/hashicorp/vault/pull/21531)]
+* ui: Surface DOMException error when browser settings prevent localStorage. [[GH-21503](https://github.com/hashicorp/vault/pull/21503)]
+
+## 1.14.0
+### June 21, 2023
+
+SECURITY:
+
+* ui: key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11. [[HSEC-2023-17](https://discuss.hashicorp.com/t/hcsec-2023-17-vault-s-kv-diff-viewer-allowed-html-injection/54814)]
+
+BREAKING CHANGES:
+
+* secrets/pki: Maintaining running count of certificates will be turned off by default.
+To re-enable keeping these metrics available on the tidy status endpoint, enable
+maintain_stored_certificate_counts on tidy-config, to also publish them to the
+metrics consumer, enable publish_stored_certificate_count_metrics . [[GH-18186](https://github.com/hashicorp/vault/pull/18186)]
+
+CHANGES:
+
+* auth/alicloud: Updated plugin from v0.14.0 to v0.15.0 [[GH-20758](https://github.com/hashicorp/vault/pull/20758)]
+* auth/azure: Updated plugin from v0.13.0 to v0.15.0 [[GH-20816](https://github.com/hashicorp/vault/pull/20816)]
+* auth/centrify: Updated plugin from v0.14.0 to v0.15.1 [[GH-20745](https://github.com/hashicorp/vault/pull/20745)]
+* auth/gcp: Updated plugin from v0.15.0 to v0.16.0 [[GH-20725](https://github.com/hashicorp/vault/pull/20725)]
+* auth/jwt: Updated plugin from v0.15.0 to v0.16.0 [[GH-20799](https://github.com/hashicorp/vault/pull/20799)]
+* auth/kubernetes: Update plugin to v0.16.0 [[GH-20802](https://github.com/hashicorp/vault/pull/20802)]
+* core: Bump Go version to 1.20.5.
+* core: Remove feature toggle for SSCTs, i.e. the env var VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS. [[GH-20834](https://github.com/hashicorp/vault/pull/20834)]
+* core: Revert #19676 (VAULT_GRPC_MIN_CONNECT_TIMEOUT env var) as we decided it was unnecessary. [[GH-20826](https://github.com/hashicorp/vault/pull/20826)]
+* database/couchbase: Updated plugin from v0.9.0 to v0.9.2 [[GH-20764](https://github.com/hashicorp/vault/pull/20764)]
+* database/redis-elasticache: Updated plugin from v0.2.0 to v0.2.1 [[GH-20751](https://github.com/hashicorp/vault/pull/20751)]
+* replication (enterprise): Add a new parameter for the update-primary API call
+that allows for setting of the primary cluster addresses directly, instead of
+via a token.
+* secrets/ad: Updated plugin from v0.10.1-0.20230329210417-0b2cdb26cf5d to v0.16.0 [[GH-20750](https://github.com/hashicorp/vault/pull/20750)]
+* secrets/alicloud: Updated plugin from v0.5.4-beta1.0.20230330124709-3fcfc5914a22 to v0.15.0 [[GH-20787](https://github.com/hashicorp/vault/pull/20787)]
+* secrets/aure: Updated plugin from v0.15.0 to v0.16.0 [[GH-20777](https://github.com/hashicorp/vault/pull/20777)]
+* secrets/database/mongodbatlas: Updated plugin from v0.9.0 to v0.10.0 [[GH-20882](https://github.com/hashicorp/vault/pull/20882)]
+* secrets/database/snowflake: Updated plugin from v0.7.0 to v0.8.0 [[GH-20807](https://github.com/hashicorp/vault/pull/20807)]
+* secrets/gcp: Updated plugin from v0.15.0 to v0.16.0 [[GH-20818](https://github.com/hashicorp/vault/pull/20818)]
+* secrets/keymgmt: Updated plugin to v0.9.1
+* secrets/kubernetes: Update plugin to v0.5.0 [[GH-20802](https://github.com/hashicorp/vault/pull/20802)]
+* secrets/mongodbatlas: Updated plugin from v0.9.1 to v0.10.0 [[GH-20742](https://github.com/hashicorp/vault/pull/20742)]
+* secrets/pki: Allow issuance of root CAs without AIA, when templated AIA information includes issuer_id. [[GH-21209](https://github.com/hashicorp/vault/pull/21209)]
+* secrets/pki: Warning when issuing leafs from CSRs with basic constraints. In the future, issuance of non-CA leaf certs from CSRs with asserted IsCA Basic Constraints will be prohibited. [[GH-20654](https://github.com/hashicorp/vault/pull/20654)]
+
+FEATURES:
+
+* **AWS Static Roles**: The AWS Secrets Engine can manage static roles configured by users. [[GH-20536](https://github.com/hashicorp/vault/pull/20536)]
+* **Automated License Utilization Reporting**: Added automated license
+utilization reporting, which sends minimal product-license [metering
+data](https://developer.hashicorp.com/vault/docs/enterprise/license/utilization-reporting)
+to HashiCorp without requiring you to manually collect and report them.
+* **Environment Variables through Vault Agent**: Introducing a new process-supervisor mode for Vault Agent which allows injecting secrets as environment variables into a child process using a new `env_template` configuration stanza. The process-supervisor configuration can be generated with a new `vault agent generate-config` helper tool. [[GH-20530](https://github.com/hashicorp/vault/pull/20530)]
+* **MongoDB Atlas Database Secrets**: Adds support for client certificate credentials [[GH-20425](https://github.com/hashicorp/vault/pull/20425)]
+* **MongoDB Atlas Database Secrets**: Adds support for generating X.509 certificates on dynamic roles for user authentication [[GH-20882](https://github.com/hashicorp/vault/pull/20882)]
+* **NEW PKI Workflow in UI**: Completes generally available rollout of new PKI UI that provides smoother mount configuration and a more guided user experience [[GH-pki-ui-improvements](https://github.com/hashicorp/vault/pull/pki-ui-improvements)]
+* **Secrets/Auth Plugin Multiplexing**: The plugin will be multiplexed when run
+as an external plugin by vault versions that support secrets/auth plugin
+multiplexing (> 1.12) [[GH-19215](https://github.com/hashicorp/vault/pull/19215)]
+* **Sidebar Navigation in UI**: A new sidebar navigation panel has been added in the UI to replace the top navigation bar. [[GH-19296](https://github.com/hashicorp/vault/pull/19296)]
+* **Vault PKI ACME Server**: Support for the ACME certificate lifecycle management protocol has been added to the Vault PKI Plugin. This allows standard ACME clients, such as the EFF's certbot and the CNCF's k8s cert-manager, to request certificates from a Vault server with no knowledge of Vault APIs or authentication mechanisms. For public-facing Vault instances, we recommend requiring External Account Bindings (EAB) to limit the ability to request certificates to only authenticated clients. [[GH-20752](https://github.com/hashicorp/vault/pull/20752)]
+* **Vault Proxy**: Introduced Vault Proxy, a new subcommand of the Vault binary that can be invoked using `vault proxy -config=config.hcl`. It currently has the same feature set as Vault Agent's API proxy, but the two may diverge in the future. We plan to deprecate the API proxy functionality of Vault Agent in a future release. [[GH-20548](https://github.com/hashicorp/vault/pull/20548)]
+* **OCI Auto-Auth**: Add OCI (Oracle Cloud Infrastructure) auto-auth method [[GH-19260](https://github.com/hashicorp/vault/pull/19260)]
+
+IMPROVEMENTS:
+
+* * api: Add Config.TLSConfig method to fetch the TLS configuration from a client config. [[GH-20265](https://github.com/hashicorp/vault/pull/20265)]
+* * physical/etcd: Upgrade etcd3 client to v3.5.7 [[GH-20261](https://github.com/hashicorp/vault/pull/20261)]
+* activitylog: EntityRecord protobufs now contain a ClientType field for
+distinguishing client sources. [[GH-20626](https://github.com/hashicorp/vault/pull/20626)]
+* agent: Add integration tests for agent running in process supervisor mode [[GH-20741](https://github.com/hashicorp/vault/pull/20741)]
+* agent: Add logic to validate env_template entries in configuration [[GH-20569](https://github.com/hashicorp/vault/pull/20569)]
+* agent: Added `reload` option to cert auth configuration in case of external renewals of local x509 key-pairs. [[GH-19002](https://github.com/hashicorp/vault/pull/19002)]
+* agent: JWT auto-auth has a new config option, `remove_jwt_follows_symlinks` (default: false), that, if set to true will now remove the JWT, instead of the symlink to the JWT, if a symlink to a JWT has been provided in the `path` option, and the `remove_jwt_after_reading` config option is set to true (default). [[GH-18863](https://github.com/hashicorp/vault/pull/18863)]
+* agent: Vault Agent now reports its name and version as part of the User-Agent header in all requests issued. [[GH-19776](https://github.com/hashicorp/vault/pull/19776)]
+* agent: initial implementation of a process runner for injecting secrets via environment variables via vault agent [[GH-20628](https://github.com/hashicorp/vault/pull/20628)]
+* api: GET ... /sys/internal/counters/activity?current_billing_period=true now
+results in a response which contains the full billing period [[GH-20694](https://github.com/hashicorp/vault/pull/20694)]
+* api: `/sys/internal/counters/config` endpoint now contains read-only
+`minimum_retention_months`. [[GH-20150](https://github.com/hashicorp/vault/pull/20150)]
+* api: `/sys/internal/counters/config` endpoint now contains read-only
+`reporting_enabled` and `billing_start_timestamp` fields. [[GH-20086](https://github.com/hashicorp/vault/pull/20086)]
+* api: property based testing for LifetimeWatcher sleep duration calculation [[GH-17919](https://github.com/hashicorp/vault/pull/17919)]
+* audit: add plugin metadata, including plugin name, type, version, sha256, and whether plugin is external, to audit logging [[GH-19814](https://github.com/hashicorp/vault/pull/19814)]
+* audit: forwarded requests can now contain host metadata on the node it was sent 'from' or a flag to indicate that it was forwarded.
+* auth/cert: Better return OCSP validation errors during login to the caller. [[GH-20234](https://github.com/hashicorp/vault/pull/20234)]
+* auth/kerberos: Enable plugin multiplexing
+auth/kerberos: Upgrade plugin dependencies [[GH-20771](https://github.com/hashicorp/vault/pull/20771)]
+* auth/ldap: allow configuration of alias dereferencing in LDAP search [[GH-18230](https://github.com/hashicorp/vault/pull/18230)]
+* auth/ldap: allow providing the LDAP password via an env var when authenticating via the CLI [[GH-18225](https://github.com/hashicorp/vault/pull/18225)]
+* auth/oidc: Adds support for group membership parsing when using IBM ISAM as an OIDC provider. [[GH-19247](https://github.com/hashicorp/vault/pull/19247)]
+* build: Prefer GOBIN when set over GOPATH/bin when building the binary [[GH-19862](https://github.com/hashicorp/vault/pull/19862)]
+* cli: Add walkSecretsTree helper function, which recursively walks secrets rooted at the given path [[GH-20464](https://github.com/hashicorp/vault/pull/20464)]
+* cli: Improve addPrefixToKVPath helper [[GH-20488](https://github.com/hashicorp/vault/pull/20488)]
+* command/server (enterprise): -dev-three-node now creates perf standbys instead of regular standbys. [[GH-20629](https://github.com/hashicorp/vault/pull/20629)]
+* command/server: Add support for dumping pprof files to the filesystem via SIGUSR2 when
+`VAULT_PPROF_WRITE_TO_FILE=true` is set on the server. [[GH-20609](https://github.com/hashicorp/vault/pull/20609)]
+* command/server: New -dev-cluster-json writes a file describing the dev cluster in -dev and -dev-three-node modes, plus -dev-three-node now enables unauthenticated metrics and pprof requests. [[GH-20224](https://github.com/hashicorp/vault/pull/20224)]
+* core (enterprise): add configuration for license reporting [[GH-19891](https://github.com/hashicorp/vault/pull/19891)]
+* core (enterprise): license updates trigger a reload of reporting and the activity log [[GH-20680](https://github.com/hashicorp/vault/pull/20680)]
+* core (enterprise): support reloading configuration for automated reporting via SIGHUP [[GH-20680](https://github.com/hashicorp/vault/pull/20680)]
+* core (enterprise): vault server command now allows for opt-out of automated
+reporting via the `OPTOUT_LICENSE_REPORTING` environment variable. [[GH-3939](https://github.com/hashicorp/vault/pull/3939)]
+* core, secrets/pki, audit: Update dependency go-jose to v3 due to v2 deprecation. [[GH-20559](https://github.com/hashicorp/vault/pull/20559)]
+* core/activity: error when attempting to update retention configuration below the minimum [[GH-20078](https://github.com/hashicorp/vault/pull/20078)]
+* core/activity: refactor the activity log's generation of precomputed queries [[GH-20073](https://github.com/hashicorp/vault/pull/20073)]
+* core: Add possibility to decode a generated encoded root token via the rest API [[GH-20595](https://github.com/hashicorp/vault/pull/20595)]
+* core: include namespace path in granting_policies block of audit log
+* core: include reason for ErrReadOnly on PBPWF writing failures
+* core: report intermediate error messages during request forwarding [[GH-20643](https://github.com/hashicorp/vault/pull/20643)]
+* core:provide more descriptive error message when calling enterprise feature paths in open-source [[GH-18870](https://github.com/hashicorp/vault/pull/18870)]
+* database/elasticsearch: Upgrade plugin dependencies [[GH-20767](https://github.com/hashicorp/vault/pull/20767)]
+* database/mongodb: upgrade mongo driver to 1.11 [[GH-19954](https://github.com/hashicorp/vault/pull/19954)]
+* database/redis: Upgrade plugin dependencies [[GH-20763](https://github.com/hashicorp/vault/pull/20763)]
+* http: Support responding to HEAD operation from plugins [[GH-19520](https://github.com/hashicorp/vault/pull/19520)]
+* openapi: Add openapi response definitions to /sys defined endpoints. [[GH-18633](https://github.com/hashicorp/vault/pull/18633)]
+* openapi: Add openapi response definitions to pki/config_*.go [[GH-18376](https://github.com/hashicorp/vault/pull/18376)]
+* openapi: Add openapi response definitions to vault/logical_system_paths.go defined endpoints. [[GH-18515](https://github.com/hashicorp/vault/pull/18515)]
+* openapi: Consistently stop Vault server on exit in gen_openapi.sh [[GH-19252](https://github.com/hashicorp/vault/pull/19252)]
+* openapi: Improve operationId/request/response naming strategy [[GH-19319](https://github.com/hashicorp/vault/pull/19319)]
+* openapi: add openapi response definitions to /sys/internal endpoints [[GH-18542](https://github.com/hashicorp/vault/pull/18542)]
+* openapi: add openapi response definitions to /sys/rotate endpoints [[GH-18624](https://github.com/hashicorp/vault/pull/18624)]
+* openapi: add openapi response definitions to /sys/seal endpoints [[GH-18625](https://github.com/hashicorp/vault/pull/18625)]
+* openapi: add openapi response definitions to /sys/tool endpoints [[GH-18626](https://github.com/hashicorp/vault/pull/18626)]
+* openapi: add openapi response definitions to /sys/version-history, /sys/leader, /sys/ha-status, /sys/host-info, /sys/in-flight-req [[GH-18628](https://github.com/hashicorp/vault/pull/18628)]
+* openapi: add openapi response definitions to /sys/wrapping endpoints [[GH-18627](https://github.com/hashicorp/vault/pull/18627)]
+* openapi: add openapi response defintions to /sys/auth endpoints [[GH-18465](https://github.com/hashicorp/vault/pull/18465)]
+* openapi: add openapi response defintions to /sys/capabilities endpoints [[GH-18468](https://github.com/hashicorp/vault/pull/18468)]
+* openapi: add openapi response defintions to /sys/config and /sys/generate-root endpoints [[GH-18472](https://github.com/hashicorp/vault/pull/18472)]
+* openapi: added ability to validate response structures against openapi schema for test clusters [[GH-19043](https://github.com/hashicorp/vault/pull/19043)]
+* sdk/framework: Fix non-deterministic ordering of 'required' fields in OpenAPI spec [[GH-20881](https://github.com/hashicorp/vault/pull/20881)]
+* sdk: Add new docker-based cluster testing framework to the sdk. [[GH-20247](https://github.com/hashicorp/vault/pull/20247)]
+* secrets/ad: upgrades dependencies [[GH-19829](https://github.com/hashicorp/vault/pull/19829)]
+* secrets/alicloud: upgrades dependencies [[GH-19846](https://github.com/hashicorp/vault/pull/19846)]
+* secrets/consul: Improve error message when ACL bootstrapping fails. [[GH-20891](https://github.com/hashicorp/vault/pull/20891)]
+* secrets/database: Adds error message requiring password on root crednetial rotation. [[GH-19103](https://github.com/hashicorp/vault/pull/19103)]
+* secrets/gcpkms: Enable plugin multiplexing
+secrets/gcpkms: Upgrade plugin dependencies [[GH-20784](https://github.com/hashicorp/vault/pull/20784)]
+* secrets/mongodbatlas: upgrades dependencies [[GH-19861](https://github.com/hashicorp/vault/pull/19861)]
+* secrets/openldap: upgrades dependencies [[GH-19993](https://github.com/hashicorp/vault/pull/19993)]
+* secrets/pki: Add missing fields to tidy-status, include new last_auto_tidy_finished field. [[GH-20442](https://github.com/hashicorp/vault/pull/20442)]
+* secrets/pki: Add warning when issuer lacks KeyUsage during CRL rebuilds; expose in logs and on rotation. [[GH-20253](https://github.com/hashicorp/vault/pull/20253)]
+* secrets/pki: Allow determining existing issuers and keys on import. [[GH-20441](https://github.com/hashicorp/vault/pull/20441)]
+* secrets/pki: Include CA serial number, key UUID on issuers list endpoint. [[GH-20276](https://github.com/hashicorp/vault/pull/20276)]
+* secrets/pki: Limit ACME issued certificates NotAfter TTL to a maximum of 90 days [[GH-20981](https://github.com/hashicorp/vault/pull/20981)]
+* secrets/pki: Support TLS-ALPN-01 challenge type in ACME for DNS certificate identifiers. [[GH-20943](https://github.com/hashicorp/vault/pull/20943)]
+* secrets/pki: add subject key identifier to read key response [[GH-20642](https://github.com/hashicorp/vault/pull/20642)]
+* secrets/postgresql: Add configuration to scram-sha-256 encrypt passwords on Vault before sending them to PostgreSQL [[GH-19616](https://github.com/hashicorp/vault/pull/19616)]
+* secrets/terraform: upgrades dependencies [[GH-19798](https://github.com/hashicorp/vault/pull/19798)]
+* secrets/transit: Add support to import public keys in transit engine and allow encryption and verification of signed data [[GH-17934](https://github.com/hashicorp/vault/pull/17934)]
+* secrets/transit: Allow importing RSA-PSS OID (1.2.840.113549.1.1.10) private keys via BYOK. [[GH-19519](https://github.com/hashicorp/vault/pull/19519)]
+* secrets/transit: Respond to writes with updated key policy, cache configuration. [[GH-20652](https://github.com/hashicorp/vault/pull/20652)]
+* secrets/transit: Support BYOK-encrypted export of keys to securely allow synchronizing specific keys and version across clusters. [[GH-20736](https://github.com/hashicorp/vault/pull/20736)]
+* ui: Add download button for each secret value in KV v2 [[GH-20431](https://github.com/hashicorp/vault/pull/20431)]
+* ui: Add filtering by auth type and auth name to the Authentication Method list view. [[GH-20747](https://github.com/hashicorp/vault/pull/20747)]
+* ui: Add filtering by engine type and engine name to the Secret Engine list view. [[GH-20481](https://github.com/hashicorp/vault/pull/20481)]
+* ui: Adds whitespace warning to secrets engine and auth method path inputs [[GH-19913](https://github.com/hashicorp/vault/pull/19913)]
+* ui: Remove the Bulma CSS framework. [[GH-19878](https://github.com/hashicorp/vault/pull/19878)]
+* ui: Update Web CLI with examples and a new `kv-get` command for reading kv v2 data and metadata [[GH-20590](https://github.com/hashicorp/vault/pull/20590)]
+* ui: Updates UI javascript dependencies [[GH-19901](https://github.com/hashicorp/vault/pull/19901)]
+* ui: add allowed_managed_keys field to secret engine mount options [[GH-19791](https://github.com/hashicorp/vault/pull/19791)]
+* ui: adds warning for commas in stringArray inputs and updates tooltip help text to remove references to comma separation [[GH-20163](https://github.com/hashicorp/vault/pull/20163)]
+* ui: updates clients configuration edit form state based on census reporting configuration [[GH-20125](https://github.com/hashicorp/vault/pull/20125)]
+* website/docs: Add rotate root documentation for azure secrets engine [[GH-19187](https://github.com/hashicorp/vault/pull/19187)]
+* website/docs: fix database static-user sample payload [[GH-19170](https://github.com/hashicorp/vault/pull/19170)]
+
+BUG FIXES:
+
+* agent: Fix agent generate-config to accept -namespace, VAULT_NAMESPACE, and other client-modifying flags. [[GH-21297](https://github.com/hashicorp/vault/pull/21297)]
+* agent: Fix bug with 'cache' stanza validation [[GH-20934](https://github.com/hashicorp/vault/pull/20934)]
+* api: Addressed a couple of issues that arose as edge cases for the -output-policy flag. Specifically around properly handling list commands, distinguishing kv V1/V2, and correctly recognizing protected paths. [[GH-19160](https://github.com/hashicorp/vault/pull/19160)]
+* api: Properly Handle nil identity_policies in Secret Data [[GH-20636](https://github.com/hashicorp/vault/pull/20636)]
+* auth/ldap: Set default value for `max_page_size` properly [[GH-20453](https://github.com/hashicorp/vault/pull/20453)]
+* auth/token: Fix cubbyhole and revocation for legacy service tokens [[GH-19416](https://github.com/hashicorp/vault/pull/19416)]
+* cli/kv: add -mount flag to kv list [[GH-19378](https://github.com/hashicorp/vault/pull/19378)]
+* core (enterprise): Don't delete backend stored data that appears to be filterable
+on this secondary if we don't have a corresponding mount entry.
+* core (enterprise): Fix intermittent issue with token entries sometimes not being found when using a newly created token in a request to a secondary, even when SSCT `new_token` forwarding is set. When this occurred, this would result in the following error to the client: `error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue`.
+* core (enterprise): Fix log shipper buffer size overflow issue for 32 bit architecture.
+* core (enterprise): Fix logshipper buffer size to default to DefaultBufferSize only when reported system memory is zero.
+* core (enterprise): Fix panic when using invalid accessor for control-group request
+* core (enterprise): Fix perf standby WAL streaming silently failures when replication setup happens at a bad time.
+* core (enterprise): Fix read on perf standbys failing with 412 after leadership change, unseal, restores or restarts when no writes occur
+* core (enterprise): Remove MFA Enforcment configuration for namespace when deleting namespace
+* core/ssct (enterprise): Fixed race condition where a newly promoted DR may revert `sscGenCounter`
+resulting in 412 errors.
+* core: Change where we evaluate filtered paths as part of mount operations; this is part of an enterprise bugfix that will
+have its own changelog entry.  Fix wrong lock used in ListAuths link meta interface implementation. [[GH-21260](https://github.com/hashicorp/vault/pull/21260)]
+* core: Do not cache seal configuration to fix a bug that resulted in sporadic auto unseal failures. [[GH-21223](https://github.com/hashicorp/vault/pull/21223)]
+* core: Don't exit just because we think there's a potential deadlock. [[GH-21342](https://github.com/hashicorp/vault/pull/21342)]
+* core: Fix Forwarded Writer construction to correctly find active nodes, allowing PKI cross-cluster functionality to succeed on existing mounts.
+* core: Fix panic in sealed nodes using raft storage trying to emit raft metrics [[GH-21249](https://github.com/hashicorp/vault/pull/21249)]
+* core: Fix writes to readonly storage on performance standbys when user lockout feature is enabled. [[GH-20783](https://github.com/hashicorp/vault/pull/20783)]
+* identity: Fixes duplicate groups creation with the same name but unique IDs. [[GH-20964](https://github.com/hashicorp/vault/pull/20964)]
+* license (enterprise): Fix bug where license would update even if the license didn't change.
+* openapi: Small fixes for OpenAPI display attributes. Changed "log-in" to "login" [[GH-20285](https://github.com/hashicorp/vault/pull/20285)]
+* plugin/reload:  Fix a possible data race with rollback manager and plugin reload [[GH-19468](https://github.com/hashicorp/vault/pull/19468)]
+* replication (enterprise): Fix a caching issue when replicating filtered data to
+a performance secondary. This resulted in the data being set to nil in the cache
+and a "invalid value" error being returned from the API.
+* replication (enterprise): Fix a race condition with invalid tokens during WAL streaming that was causing Secondary clusters to be unable to connect to a Primary.
+* replication (enterprise): Fix a race condition with update-primary that could result in data loss after a DR failover
+* replication (enterprise): Fix bug where reloading external plugin on a secondary would
+break replication.
+* replication (enterprise): Fix path filters deleting data right after it's written by backend Initialize funcs
+* replication (enterprise): Fix regression causing token creation against a role
+with a new entity alias to be incorrectly forwarded from perf standbys. [[GH-21100](https://github.com/hashicorp/vault/pull/21100)]
+* replication (enterprise): Fix replication status for Primary clusters showing its primary cluster's information (in case of DR) in secondaries field when known_secondaries field is nil
+* replication (enterprise): fix bug where secondary grpc connections would timeout when connecting to a primary host that no longer exists.
+* sdk/backend: prevent panic when computing the zero value for a `TypeInt64` schema field. [[GH-18729](https://github.com/hashicorp/vault/pull/18729)]
+* secrets/pki: Support setting both maintain_stored_certificate_counts=false and publish_stored_certificate_count_metrics=false explicitly in tidy config. [[GH-20664](https://github.com/hashicorp/vault/pull/20664)]
+* secrets/transform (enterprise): Address SQL connection leak when cleaning expired tokens
+* secrets/transform (enterprise): Fix a caching bug affecting secondary nodes after a tokenization key rotation
+* secrets/transform (enterprise): Fix persistence problem with rotated tokenization key versions
+* secrets/transform: Added importing of keys and key versions into the Transform secrets engine using the command 'vault transform import' and 'vault transform import-version'. [[GH-20668](https://github.com/hashicorp/vault/pull/20668)]
+* secrets/transit: Fix export of HMAC-only key, correctly exporting the key used for sign operations. For consumers of the previously incorrect key, use the plaintext export to retrieve these incorrect keys and import them as new versions.
+* secrets/transit: Fix bug related to shorter dedicated HMAC key sizing.
+* sdk/helper/keysutil: New HMAC type policies will have HMACKey equal to Key and be copied over on import. [[GH-20864](https://github.com/hashicorp/vault/pull/20864)]
+* shamir: change mul and div implementations to be constant-time [[GH-19495](https://github.com/hashicorp/vault/pull/19495)]
+* ui (enterprise): Fix cancel button from transform engine role creation page [[GH-19135](https://github.com/hashicorp/vault/pull/19135)]
+* ui: Fix secret render when path includes %. Resolves #11616. [[GH-20430](https://github.com/hashicorp/vault/pull/20430)]
+* ui: Fixes issue unsealing cluster for seal types other than shamir [[GH-20897](https://github.com/hashicorp/vault/pull/20897)]
+* ui: fixes auto_rotate_period ttl input for transit keys [[GH-20731](https://github.com/hashicorp/vault/pull/20731)]
+* ui: fixes bug in kmip role form that caused `operation_all` to persist after deselecting all operation checkboxes [[GH-19139](https://github.com/hashicorp/vault/pull/19139)]
+* ui: fixes key_bits and signature_bits reverting to default values when editing a pki role [[GH-20907](https://github.com/hashicorp/vault/pull/20907)]
+* ui: wait for wanted message event during OIDC callback instead of using the first message event [[GH-18521](https://github.com/hashicorp/vault/pull/18521)]
+
+## 1.13.11
+### November 30, 2023
+
+CHANGES:
+
+* core: Bump Go version to 1.20.11.
+
+IMPROVEMENTS:
+
+* core (enterprise): Speed up unseal when using namespaces
+* ui: Sort list view of entities and aliases alphabetically using the item name [[GH-24103](https://github.com/hashicorp/vault/pull/24103)]
+
+BUG FIXES:
+
+* activity log (enterprise): De-duplicate client count estimates for license utilization reporting.
+* auth/cert: Handle errors related to expired OCSP server responses [[GH-24193](https://github.com/hashicorp/vault/pull/24193)]
+* core/config: Use correct HCL config value when configuring `log_requests_level`. [[GH-24057](https://github.com/hashicorp/vault/pull/24057)]
+* core/quotas: Close rate-limit blocked client purge goroutines when sealing [[GH-24108](https://github.com/hashicorp/vault/pull/24108)]
+* replication (enterprise): disallow configuring paths filter for a mount path that does not exist
+* secrets/pki: Do not set nextUpdate field in OCSP responses when ocsp_expiry is 0 [[GH-24192](https://github.com/hashicorp/vault/pull/24192)]
+* ui: Fix error when tuning token auth configuration within namespace [[GH-24147](https://github.com/hashicorp/vault/pull/24147)]
+
+## 1.13.10
+### November 09, 2023
+
+SECURITY:
+* core: inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. This vulnerability, CVE-2023-5954, was introduced in Vault 1.15.0, 1.14.3, and 1.13.7, and is fixed in Vault 1.15.2, 1.14.6, and 1.13.10. [[HSEC-2023-33](https://discuss.hashicorp.com/t/hcsec-2023-33-vault-requests-triggering-policy-checks-may-lead-to-unbounded-memory-consumption/59926)]
+
+CHANGES:
+
+* auth/approle: Normalized error response messages when invalid credentials are provided [[GH-23786](https://github.com/hashicorp/vault/pull/23786)]
+* secrets/mongodbatlas: Update plugin to v0.9.2 [[GH-23849](https://github.com/hashicorp/vault/pull/23849)]
+
+FEATURES:
+
+* cli/snapshot: Add CLI tool to inspect Vault snapshots [[GH-23457](https://github.com/hashicorp/vault/pull/23457)]
+
+IMPROVEMENTS:
+
+* storage/etcd: etcd should only return keys when calling List() [[GH-23872](https://github.com/hashicorp/vault/pull/23872)]
+
+BUG FIXES:
+
+* api/seal-status: Fix deadlock on calls to sys/seal-status with a namespace configured
+on the request. [[GH-23861](https://github.com/hashicorp/vault/pull/23861)]
+* core (enterprise): Do not return an internal error when token policy type lookup fails, log it instead and continue.
+* core/activity: Fixes segments fragment loss due to exceeding entry record size limit [[GH-23781](https://github.com/hashicorp/vault/pull/23781)]
+* core/mounts: Fix reading an "auth" mount using "sys/internal/ui/mounts/" when filter paths are enforced returns 500 error code from the secondary [[GH-23802](https://github.com/hashicorp/vault/pull/23802)]
+* core: Revert PR causing memory consumption bug [[GH-23986](https://github.com/hashicorp/vault/pull/23986)]
+* core: Skip unnecessary deriving of policies during Login MFA Check. [[GH-23894](https://github.com/hashicorp/vault/pull/23894)]
+* core: fix bug where deadlock detection was always on for expiration and quotas. 
+These can now be configured individually with `detect_deadlocks`. [[GH-23902](https://github.com/hashicorp/vault/pull/23902)]
+* core: fix policies with wildcards not matching list operations due to the policy path not having a trailing slash [[GH-23874](https://github.com/hashicorp/vault/pull/23874)]
+* expiration: Fix fatal error "concurrent map iteration and map write" when collecting metrics from leases. [[GH-24027](https://github.com/hashicorp/vault/pull/24027)]
+
+## 1.13.9
+### October 25, 2023
+
+CHANGES:
+
+* core: Bump Go version to 1.20.10.
+* replication (enterprise): Switch to non-deprecated gRPC field for resolver target host
+
+IMPROVEMENTS:
+
+* api/plugins: add `tls-server-name` arg for plugin registration [[GH-23549](https://github.com/hashicorp/vault/pull/23549)]
+* core: Use a worker pool for the rollback manager. Add new metrics for the rollback manager to track the queued tasks. [[GH-22567](https://github.com/hashicorp/vault/pull/22567)]
+
+BUG FIXES:
+
+* command/server: Fix bug with sigusr2 where pprof files were not closed correctly [[GH-23636](https://github.com/hashicorp/vault/pull/23636)]
+* events: Ignore sending context to give more time for events to send [[GH-23500](https://github.com/hashicorp/vault/pull/23500)]
+* expiration: Prevent large lease loads from delaying state changes, e.g. becoming active or standby. [[GH-23282](https://github.com/hashicorp/vault/pull/23282)]
+* kmip (enterprise): Improve handling of failures due to storage replication issues.
+* kmip (enterprise): Return a structure in the response for query function Query Server Information.
+* mongo-db: allow non-admin database for root credential rotation [[GH-23240](https://github.com/hashicorp/vault/pull/23240)]
+* replication (enterprise): Fix a bug where undo logs would only get enabled on the initial node in a cluster.
+* replication (enterprise): Fix a missing unlock when changing replication state
+* secrets/transit (enterprise): Address an issue using sign/verify operations with managed keys returning an error about it not containing a private key
+* secrets/transit (enterprise): Address panic when using GCP,AWS,Azure managed keys for encryption operations. At this time all encryption operations for the cloud providers have been disabled, only signing operations are supported.
+* secrets/transit (enterprise): Apply hashing arguments and defaults to managed key sign/verify operations
+* secrets/transit: Do not allow auto rotation on managed_key key types [[GH-23723](https://github.com/hashicorp/vault/pull/23723)]
+
+## 1.13.6
+### August 30, 2023
+
+CHANGES:
+
+* core: Bump Go version to 1.20.7.
+
+IMPROVEMENTS:
+
+* core: Log rollback manager failures during unmount, remount to prevent replication failures on secondary clusters. [[GH-22235](https://github.com/hashicorp/vault/pull/22235)]
+* replication (enterprise): Make reindex less disruptive by allowing writes during the flush phase.
+* secrets/database: Improves error logging for static role rotations by including the database and role names. [[GH-22253](https://github.com/hashicorp/vault/pull/22253)]
+* storage/raft: Cap the minimum dead_server_last_contact_threshold to 1m. [[GH-22040](https://github.com/hashicorp/vault/pull/22040)]
+* ui: KV View Secret card will link to list view if input ends in "/" [[GH-22502](https://github.com/hashicorp/vault/pull/22502)]
+* ui: enables create and update KV secret workflow when control group present [[GH-22471](https://github.com/hashicorp/vault/pull/22471)]
+
+BUG FIXES:
+
+* activity (enterprise): Fix misattribution of entities to no or child namespace auth methods [[GH-18809](https://github.com/hashicorp/vault/pull/18809)]
+* api: Fix breakage with UNIX domain socket addresses introduced by newest Go versions as a security fix. [[GH-22523](https://github.com/hashicorp/vault/pull/22523)]
+* core (enterprise): Remove MFA Configuration for namespace when deleting namespace
+* core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context.
+Also fix a related potential deadlock. [[GH-21110](https://github.com/hashicorp/vault/pull/21110)]
+* core:  Remove "expiration manager is nil on tokenstore" error log for unauth requests on DR secondary as they do not have expiration manager. [[GH-22137](https://github.com/hashicorp/vault/pull/22137)]
+* core: Fix bug where background thread to update locked user entries runs on DR secondaries. [[GH-22355](https://github.com/hashicorp/vault/pull/22355)]
+* core: Fix readonly errors that could occur while loading mounts/auths during unseal [[GH-22362](https://github.com/hashicorp/vault/pull/22362)]
+* core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [[GH-21470](https://github.com/hashicorp/vault/pull/21470)]
+* expiration: Fix a deadlock that could occur when a revocation failure happens while restoring leases on startup. [[GH-22374](https://github.com/hashicorp/vault/pull/22374)]
+* license: Add autoloaded license path to the cache exempt list. This is to ensure the license changes on the active node is observed on the perfStandby node. [[GH-22363](https://github.com/hashicorp/vault/pull/22363)]
+* replication (enterprise): Fix bug sync invalidate CoreReplicatedClusterInfoPath
+* replication (enterprise): Fix panic when update-primary was called on demoted clusters using update_primary_addrs
+* replication (enterprise): Fixing a bug by which the atomicity of a merkle diff result could be affected. This means it could be a source of a merkle-diff & sync process failing to switch into stream-wal mode afterwards.
+* sdk/ldaputil: Properly escape user filters when using UPN domains
+sdk/ldaputil: use EscapeLDAPValue implementation from cap/ldap [[GH-22249](https://github.com/hashicorp/vault/pull/22249)]
+* secrets/ldap: Fix bug causing schema and password_policy to be overwritten in config. [[GH-22331](https://github.com/hashicorp/vault/pull/22331)]
+* secrets/transform (enterprise): Tidy operations will be re-scheduled at a minimum of every minute, not a maximum of every minute
+* ui: Fix blank page or ghost secret when canceling KV secret create [[GH-22541](https://github.com/hashicorp/vault/pull/22541)]
+* ui: fixes `max_versions` default for secret metadata unintentionally overriding kv engine defaults [[GH-22394](https://github.com/hashicorp/vault/pull/22394)]
+* ui: fixes model defaults overwriting input value when user tries to clear form input [[GH-22458](https://github.com/hashicorp/vault/pull/22458)]
+
+## 1.13.8
+### September 27, 2023
+
+SECURITY:
+
+* sentinel (enterprise): Sentinel RGP policies allowed for cross-namespace denial-of-service. This vulnerability, CVE-2023-3775, is fixed in Vault Enterprise 1.15.0, 1.14.4, and 1.13.8. [[HSEC-2023-29](https://discuss.hashicorp.com/t/hcsec-2023-29-vault-enterprise-s-sentinel-rgp-policies-allowed-for-cross-namespace-denial-of-service/58653)]
+
+CHANGES:
+
+* core (enterprise): Ensure Role Governing Policies are only applied down the namespace hierarchy
+
+IMPROVEMENTS:
+
+* ui: Added allowed_domains_template field for CA type role in SSH engine [[GH-23119](https://github.com/hashicorp/vault/pull/23119)]
+
+BUG FIXES:
+
+* core: Fixes list password policy to include those with names containing / characters. [[GH-23155](https://github.com/hashicorp/vault/pull/23155)]
+* secrets/pki: Fix removal of issuers to clean up unreferenced CRLs. [[GH-23007](https://github.com/hashicorp/vault/pull/23007)]
+* ui (enterprise): Fix error message when generating SSH credential with control group [[GH-23025](https://github.com/hashicorp/vault/pull/23025)]
+* ui: Fixes old pki's filter and search roles page bug [[GH-22810](https://github.com/hashicorp/vault/pull/22810)]
+* ui: don't exclude features present on license [[GH-22855](https://github.com/hashicorp/vault/pull/22855)]
+  
+## 1.13.7
+### September 13, 2023
+
+SECURITY:
+
+* secrets/transit: fix a regression that was honoring nonces provided in non-convergent modes during encryption. This vulnerability, CVE-2023-4680, is fixed in Vault 1.14.3, 1.13.7, and 1.12.11. [[GH-22852](https://github.com/hashicorp/vault/pull/22852), [HSEC-2023-28](https://discuss.hashicorp.com/t/hcsec-2023-28-vault-s-transit-secrets-engine-allowed-nonce-specified-without-convergent-encryption/58249)]
+
+CHANGES:
+
+* core: Bump Go version to 1.20.8.
+* database/snowflake: Update plugin to v0.7.3 [[GH-22591](https://github.com/hashicorp/vault/pull/22591)]
+
+FEATURES:
+
+* ** Merkle Tree Corruption Detection (enterprise) **: Add a new endpoint to check merkle tree corruption.
+
+IMPROVEMENTS:
+
+* auth/ldap: improved login speed by adding concurrency to LDAP token group searches [[GH-22659](https://github.com/hashicorp/vault/pull/22659)]
+* core/quotas: Add configuration to allow skipping of expensive role calculations [[GH-22651](https://github.com/hashicorp/vault/pull/22651)]
+* kmip (enterprise): reduce latency of KMIP operation handling
+
+BUG FIXES:
+
+* cli: Fix the CLI failing to return wrapping information for KV PUT and PATCH operations when format is set to `table`. [[GH-22818](https://github.com/hashicorp/vault/pull/22818)]
+* core/quotas: Only perform ResolveRoleOperation for role-based quotas and lease creation. [[GH-22597](https://github.com/hashicorp/vault/pull/22597)]
+* core/quotas: Reduce overhead for role calculation when using cloud auth methods. [[GH-22583](https://github.com/hashicorp/vault/pull/22583)]
+* core/seal: add a workaround for potential connection [[hangs](https://github.com/Azure/azure-sdk-for-go/issues/21346)] in Azure autoseals. [[GH-22760](https://github.com/hashicorp/vault/pull/22760)]
+* core: All subloggers now reflect configured log level on reload. [[GH-22038](https://github.com/hashicorp/vault/pull/22038)]
+* kmip (enterprise): fix date handling error with some re-key operations
+* raft/autopilot: Add dr-token flag for raft autopilot cli commands [[GH-21165](https://github.com/hashicorp/vault/pull/21165)]
+* replication (enterprise): Fix discovery of bad primary cluster addresses to be more reliable
+
+## 1.13.6
+### August 30, 2023
+
+CHANGES:
+
+* core: Bump Go version to 1.20.7.
+
+IMPROVEMENTS:
+
+* core: Log rollback manager failures during unmount, remount to prevent replication failures on secondary clusters. [[GH-22235](https://github.com/hashicorp/vault/pull/22235)]
+* replication (enterprise): Make reindex less disruptive by allowing writes during the flush phase.
+* secrets/database: Improves error logging for static role rotations by including the database and role names. [[GH-22253](https://github.com/hashicorp/vault/pull/22253)]
+* storage/raft: Cap the minimum dead_server_last_contact_threshold to 1m. [[GH-22040](https://github.com/hashicorp/vault/pull/22040)]
+* ui: KV View Secret card will link to list view if input ends in "/" [[GH-22502](https://github.com/hashicorp/vault/pull/22502)]
+* ui: enables create and update KV secret workflow when control group present [[GH-22471](https://github.com/hashicorp/vault/pull/22471)]
+
+BUG FIXES:
+
+* activity (enterprise): Fix misattribution of entities to no or child namespace auth methods [[GH-18809](https://github.com/hashicorp/vault/pull/18809)]
+* api: Fix breakage with UNIX domain socket addresses introduced by newest Go versions as a security fix. [[GH-22523](https://github.com/hashicorp/vault/pull/22523)]
+* core (enterprise): Remove MFA Configuration for namespace when deleting namespace
+* core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context.
+Also fix a related potential deadlock. [[GH-21110](https://github.com/hashicorp/vault/pull/21110)]
+* core:  Remove "expiration manager is nil on tokenstore" error log for unauth requests on DR secondary as they do not have expiration manager. [[GH-22137](https://github.com/hashicorp/vault/pull/22137)]
+* core: Fix bug where background thread to update locked user entries runs on DR secondaries. [[GH-22355](https://github.com/hashicorp/vault/pull/22355)]
+* core: Fix readonly errors that could occur while loading mounts/auths during unseal [[GH-22362](https://github.com/hashicorp/vault/pull/22362)]
+* core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [[GH-21470](https://github.com/hashicorp/vault/pull/21470)]
+* expiration: Fix a deadlock that could occur when a revocation failure happens while restoring leases on startup. [[GH-22374](https://github.com/hashicorp/vault/pull/22374)]
+* license: Add autoloaded license path to the cache exempt list. This is to ensure the license changes on the active node is observed on the perfStandby node. [[GH-22363](https://github.com/hashicorp/vault/pull/22363)]
+* replication (enterprise): Fix bug sync invalidate CoreReplicatedClusterInfoPath
+* replication (enterprise): Fix panic when update-primary was called on demoted clusters using update_primary_addrs
+* replication (enterprise): Fixing a bug by which the atomicity of a merkle diff result could be affected. This means it could be a source of a merkle-diff & sync process failing to switch into stream-wal mode afterwards.
+* sdk/ldaputil: Properly escape user filters when using UPN domains
+sdk/ldaputil: use EscapeLDAPValue implementation from cap/ldap [[GH-22249](https://github.com/hashicorp/vault/pull/22249)]
+* secrets/ldap: Fix bug causing schema and password_policy to be overwritten in config. [[GH-22331](https://github.com/hashicorp/vault/pull/22331)]
+* secrets/transform (enterprise): Tidy operations will be re-scheduled at a minimum of every minute, not a maximum of every minute
+* ui: Fix blank page or ghost secret when canceling KV secret create [[GH-22541](https://github.com/hashicorp/vault/pull/22541)]
+* ui: fixes `max_versions` default for secret metadata unintentionally overriding kv engine defaults [[GH-22394](https://github.com/hashicorp/vault/pull/22394)]
+* ui: fixes model defaults overwriting input value when user tries to clear form input [[GH-22458](https://github.com/hashicorp/vault/pull/22458)]
+
+## 1.13.5
+### July 25, 2023
+
+SECURITY:
+
+* auth/ldap: Normalize HTTP response codes when invalid credentials are provided to prevent user enumeration. This vulnerability, CVE-2023-3462, is fixed in Vault 1.14.1 and 1.13.5. [[GH-21282](https://github.com/hashicorp/vault/pull/21282), [HSEC-2023-24](https://discuss.hashicorp.com/t/hcsec-2023-24-vaults-ldap-auth-method-allows-for-user-enumeration/56714)]
+* core/namespace (enterprise): An unhandled error in Vault Enterprise’s namespace creation may cause the Vault process to crash, potentially resulting in denial of service. This vulnerability, CVE-2023-3774, is fixed in Vault Enterprise 1.14.1, 1.13.5, and 1.12.9. [[HSEC_2023-23](https://discuss.hashicorp.com/t/hcsec-2023-23-vault-enterprise-namespace-creation-may-lead-to-denial-of-service/56617)]
+
+CHANGES:
+
+* core/namespace (enterprise): Introduce the concept of high-privilege namespace (administrative namespace),
+which will have access to some system backend paths that were previously only accessible in the root namespace. [[GH-21215](https://github.com/hashicorp/vault/pull/21215)]
+* secrets/transform (enterprise): Enforce a transformation role's max_ttl setting on encode requests, a warning will be returned if max_ttl was applied.
+
+IMPROVEMENTS:
+
+* core/fips: Add RPM, DEB packages of FIPS 140-2 and HSM+FIPS 140-2 Vault Enterprise.
+* core: Add a new periodic metric to track the number of available policies, `vault.policy.configured.count`. [[GH-21010](https://github.com/hashicorp/vault/pull/21010)]
+* replication (enterprise): Avoid logging warning if request is forwarded from a performance standby and not a performance secondary
+* secrets/transform (enterprise): Switch to pgx PostgreSQL driver for better timeout handling
+* sys/metrics (enterprise): Adds a gauge metric that tracks whether enterprise builtin secret plugins are enabled. [[GH-21681](https://github.com/hashicorp/vault/pull/21681)]
+
+BUG FIXES:
+
+* auth/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [[GH-21799](https://github.com/hashicorp/vault/pull/21799)]
+* core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [[GH-24170](https://github.com/hashicorp/vault/pull/24170)]
+* identity: Remove caseSensitivityKey to prevent errors while loading groups which could result in missing groups in memDB when duplicates are found. [[GH-20965](https://github.com/hashicorp/vault/pull/20965)]
+* replication (enterprise): update primary cluster address after DR failover
+* secrets/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [[GH-21632](https://github.com/hashicorp/vault/pull/21632)]
+* secrets/pki: Prevent deleted issuers from reappearing when migrating from a version 1 bundle to a version 2 bundle (versions including 1.13.0, 1.12.2, and 1.11.6); when managed keys were removed but referenced in the Vault 1.10 legacy CA bundle, this the error: `no managed key found with uuid`. [[GH-21316](https://github.com/hashicorp/vault/pull/21316)]
+* secrets/pki: Support setting both maintain_stored_certificate_counts=false and publish_stored_certificate_count_metrics=false explicitly in tidy config. [[GH-20664](https://github.com/hashicorp/vault/pull/20664)]
+* secrets/transform (enterprise): Fix nil panic when deleting a template with tokenization transformations present
+* secrets/transform (enterprise): Grab shared locks for various read operations, only escalating to write locks if work is required
+* serviceregistration: Fix bug where multiple nodes in a secondary cluster could be labelled active after updating the cluster's primary [[GH-21642](https://github.com/hashicorp/vault/pull/21642)]
+* ui: Fixed an issue where editing an SSH role would clear `default_critical_options` and `default_extension` if left unchanged. [[GH-21739](https://github.com/hashicorp/vault/pull/21739)]
+* ui: Surface DOMException error when browser settings prevent localStorage. [[GH-21503](https://github.com/hashicorp/vault/pull/21503)]
+
+## 1.13.4
+### June 21, 2023
+BREAKING CHANGES:
+
+* secrets/pki: Maintaining running count of certificates will be turned off by default.
+To re-enable keeping these metrics available on the tidy status endpoint, enable
+maintain_stored_certificate_counts on tidy-config, to also publish them to the
+metrics consumer, enable publish_stored_certificate_count_metrics . [[GH-18186](https://github.com/hashicorp/vault/pull/18186)]
+
+CHANGES:
+
+* core: Bump Go version to 1.20.5.
+
+FEATURES:
+
+* **Automated License Utilization Reporting**: Added automated license
+utilization reporting, which sends minimal product-license [metering
+data](https://developer.hashicorp.com/vault/docs/enterprise/license/utilization-reporting)
+to HashiCorp without requiring you to manually collect and report them.
+* core (enterprise): Add background worker for automatic reporting of billing
+information. [[GH-19625](https://github.com/hashicorp/vault/pull/19625)]
+
+IMPROVEMENTS:
+
+* api: GET ... /sys/internal/counters/activity?current_billing_period=true now
+results in a response which contains the full billing period [[GH-20694](https://github.com/hashicorp/vault/pull/20694)]
+* api: `/sys/internal/counters/config` endpoint now contains read-only
+`minimum_retention_months`. [[GH-20150](https://github.com/hashicorp/vault/pull/20150)]
+* api: `/sys/internal/counters/config` endpoint now contains read-only
+`reporting_enabled` and `billing_start_timestamp` fields. [[GH-20086](https://github.com/hashicorp/vault/pull/20086)]
+* core (enterprise): add configuration for license reporting [[GH-19891](https://github.com/hashicorp/vault/pull/19891)]
+* core (enterprise): license updates trigger a reload of reporting and the activity log [[GH-20680](https://github.com/hashicorp/vault/pull/20680)]
+* core (enterprise): support reloading configuration for automated reporting via SIGHUP [[GH-20680](https://github.com/hashicorp/vault/pull/20680)]
+* core (enterprise): vault server command now allows for opt-out of automated
+reporting via the `OPTOUT_LICENSE_REPORTING` environment variable. [[GH-3939](https://github.com/hashicorp/vault/pull/3939)]
+* core/activity: error when attempting to update retention configuration below the minimum [[GH-20078](https://github.com/hashicorp/vault/pull/20078)]
+* core/activity: refactor the activity log's generation of precomputed queries [[GH-20073](https://github.com/hashicorp/vault/pull/20073)]
+* ui: updates clients configuration edit form state based on census reporting configuration [[GH-20125](https://github.com/hashicorp/vault/pull/20125)]
+
+BUG FIXES:
+
+* agent: Fix bug with 'cache' stanza validation [[GH-20934](https://github.com/hashicorp/vault/pull/20934)]
+* core (enterprise): Don't delete backend stored data that appears to be filterable
+on this secondary if we don't have a corresponding mount entry.
+* core: Change where we evaluate filtered paths as part of mount operations; this is part of an enterprise bugfix that will
+have its own changelog entry.  Fix wrong lock used in ListAuths link meta interface implementation. [[GH-21260](https://github.com/hashicorp/vault/pull/21260)]
+* core: Do not cache seal configuration to fix a bug that resulted in sporadic auto unseal failures. [[GH-21223](https://github.com/hashicorp/vault/pull/21223)]
+* core: Don't exit just because we think there's a potential deadlock. [[GH-21342](https://github.com/hashicorp/vault/pull/21342)]
+* core: Fix panic in sealed nodes using raft storage trying to emit raft metrics [[GH-21249](https://github.com/hashicorp/vault/pull/21249)]
+* identity: Fixes duplicate groups creation with the same name but unique IDs. [[GH-20964](https://github.com/hashicorp/vault/pull/20964)]
+* replication (enterprise): Fix a race condition with update-primary that could result in data loss after a DR failover
+* replication (enterprise): Fix path filters deleting data right after it's written by backend Initialize funcs
+* replication (enterprise): Fix regression causing token creation against a role
+with a new entity alias to be incorrectly forwarded from perf standbys. [[GH-21100](https://github.com/hashicorp/vault/pull/21100)]
+* storage/raft: Fix race where new follower joining can get pruned by dead server cleanup. [[GH-20986](https://github.com/hashicorp/vault/pull/20986)]
+
+## 1.13.3
+### June 08, 2023
+
+CHANGES:
+
+* core: Bump Go version to 1.20.4.
+* core: Revert #19676 (VAULT_GRPC_MIN_CONNECT_TIMEOUT env var) as we decided it was unnecessary. [[GH-20826](https://github.com/hashicorp/vault/pull/20826)]
+* replication (enterprise): Add a new parameter for the update-primary API call
+that allows for setting of the primary cluster addresses directly, instead of
+via a token.
+* storage/aerospike: Aerospike storage shouldn't be used on 32-bit architectures and is now unsupported on them. [[GH-20825](https://github.com/hashicorp/vault/pull/20825)]
+
+IMPROVEMENTS:
+
+* Add debug symbols back to builds to fix Dynatrace support [[GH-20519](https://github.com/hashicorp/vault/pull/20519)]
+* audit: add a `mount_point` field to audit requests and response entries [[GH-20411](https://github.com/hashicorp/vault/pull/20411)]
+* autopilot: Update version to v0.2.0 to add better support for respecting min quorum [[GH-19472](https://github.com/hashicorp/vault/pull/19472)]
+* command/server: Add support for dumping pprof files to the filesystem via SIGUSR2 when
+`VAULT_PPROF_WRITE_TO_FILE=true` is set on the server. [[GH-20609](https://github.com/hashicorp/vault/pull/20609)]
+* core: Add possibility to decode a generated encoded root token via the rest API [[GH-20595](https://github.com/hashicorp/vault/pull/20595)]
+* core: include namespace path in granting_policies block of audit log
+* core: report intermediate error messages during request forwarding [[GH-20643](https://github.com/hashicorp/vault/pull/20643)]
+* openapi: Fix generated types for duration strings [[GH-20841](https://github.com/hashicorp/vault/pull/20841)]
+* sdk/framework: Fix non-deterministic ordering of 'required' fields in OpenAPI spec [[GH-20881](https://github.com/hashicorp/vault/pull/20881)]
+* secrets/pki: add subject key identifier to read key response [[GH-20642](https://github.com/hashicorp/vault/pull/20642)]
+
+BUG FIXES:
+
+* api: Properly Handle nil identity_policies in Secret Data [[GH-20636](https://github.com/hashicorp/vault/pull/20636)]
+* auth/ldap: Set default value for `max_page_size` properly [[GH-20453](https://github.com/hashicorp/vault/pull/20453)]
+* cli: CLI should take days as a unit of time for ttl like flags [[GH-20477](https://github.com/hashicorp/vault/pull/20477)]
+* cli: disable printing flags warnings messages for the ssh command [[GH-20502](https://github.com/hashicorp/vault/pull/20502)]
+* command/server: fixes panic in Vault server command when running in recovery mode [[GH-20418](https://github.com/hashicorp/vault/pull/20418)]
+* core (enterprise): Fix log shipper buffer size overflow issue for 32 bit architecture.
+* core (enterprise): Fix logshipper buffer size to default to DefaultBufferSize only when reported system memory is zero.
+* core (enterprise): Remove MFA Enforcment configuration for namespace when deleting namespace
+* core/identity: Allow updates of only the custom-metadata for entity alias. [[GH-20368](https://github.com/hashicorp/vault/pull/20368)]
+* core: Fix Forwarded Writer construction to correctly find active nodes, allowing PKI cross-cluster functionality to succeed on existing mounts.
+* core: Fix writes to readonly storage on performance standbys when user lockout feature is enabled. [[GH-20783](https://github.com/hashicorp/vault/pull/20783)]
+* core: prevent panic on login after namespace is deleted that had mfa enforcement [[GH-20375](https://github.com/hashicorp/vault/pull/20375)]
+* replication (enterprise): Fix a race condition with invalid tokens during WAL streaming that was causing Secondary clusters to be unable to connect to a Primary.
+* replication (enterprise): fix bug where secondary grpc connections would timeout when connecting to a primary host that no longer exists.
+* secrets/pki: Include per-issuer enable_aia_url_templating in issuer read endpoint. [[GH-20354](https://github.com/hashicorp/vault/pull/20354)]
+* secrets/transform (enterprise): Fix a caching bug affecting secondary nodes after a tokenization key rotation
+* secrets/transform: Added importing of keys and key versions into the Transform secrets engine using the command 'vault transform import' and 'vault transform import-version'. [[GH-20668](https://github.com/hashicorp/vault/pull/20668)]
+* secrets/transit: Fix export of HMAC-only key, correctly exporting the key used for sign operations. For consumers of the previously incorrect key, use the plaintext export to retrieve these incorrect keys and import them as new versions.
+secrets/transit: Fix bug related to shorter dedicated HMAC key sizing.
+sdk/helper/keysutil: New HMAC type policies will have HMACKey equal to Key and be copied over on import. [[GH-20864](https://github.com/hashicorp/vault/pull/20864)]
+* ui: Fixes issue unsealing cluster for seal types other than shamir [[GH-20897](https://github.com/hashicorp/vault/pull/20897)]
+* ui: fixes issue creating mfa login enforcement from method enforcements tab [[GH-20603](https://github.com/hashicorp/vault/pull/20603)]
+* ui: fixes key_bits and signature_bits reverting to default values when editing a pki role [[GH-20907](https://github.com/hashicorp/vault/pull/20907)]
+
+## 1.13.2
+### April 26, 2023
+
+CHANGES:
+
+* core: Bump Go version to 1.20.3.
+
+SECURITY:
+
+* core/seal: Fix handling of HMACing of seal-wrapped storage entries from HSMs using CKM_AES_CBC or CKM_AES_CBC_PAD which may have allowed an attacker to conduct a padding oracle attack. This vulnerability, CVE-2023-2197, affects Vault from 1.13.0 up to 1.13.1 and was fixed in 1.13.2. [[HCSEC-2023-14](https://discuss.hashicorp.com/t/hcsec-2023-14-vault-enterprise-vulnerable-to-padding-oracle-attacks-when-using-a-cbc-based-encryption-mechanism-with-a-hsm/53322)]
+
+IMPROVEMENTS:
+
+* Add debug symbols back to builds to fix Dynatrace support [[GH-20294](https://github.com/hashicorp/vault/pull/20294)]
+* cli/namespace: Add detailed flag to output additional namespace information
+such as namespace IDs and custom metadata. [[GH-20243](https://github.com/hashicorp/vault/pull/20243)]
+* core/activity: add an endpoint to write test activity log data, guarded by a build flag [[GH-20019](https://github.com/hashicorp/vault/pull/20019)]
+* core: Add a `raft` sub-field to the `storage` and `ha_storage` details provided by the
+`/sys/config/state/sanitized` endpoint in order to include the `max_entry_size`. [[GH-20044](https://github.com/hashicorp/vault/pull/20044)]
+* core: include reason for ErrReadOnly on PBPWF writing failures
+* sdk/ldaputil: added `connection_timeout` to tune connection timeout duration
+for all LDAP plugins. [[GH-20144](https://github.com/hashicorp/vault/pull/20144)]
+* secrets/pki: Decrease size and improve compatibility of OCSP responses by removing issuer certificate. [[GH-20201](https://github.com/hashicorp/vault/pull/20201)]
+* sys/wrapping: Add example how to unwrap without authentication in Vault [[GH-20109](https://github.com/hashicorp/vault/pull/20109)]
+* ui: Allows license-banners to be dismissed. Saves preferences in localStorage. [[GH-19116](https://github.com/hashicorp/vault/pull/19116)]
+
+BUG FIXES:
+
+* auth/ldap: Add max_page_size configurable to LDAP configuration [[GH-19032](https://github.com/hashicorp/vault/pull/19032)]
+* command/server: Fix incorrect paths in generated config for `-dev-tls` flag on Windows [[GH-20257](https://github.com/hashicorp/vault/pull/20257)]
+* core (enterprise): Fix intermittent issue with token entries sometimes not being found when using a newly created token in a request to a secondary, even when SSCT `new_token` forwarding is set. When this occurred, this would result in the following error to the client: `error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue`.
+* core (enterprise): Fix read on perf standbys failing with 412 after leadership change, unseal, restores or restarts when no writes occur
+* core/ssct (enterprise): Fixed race condition where a newly promoted DR may revert `sscGenCounter`
+resulting in 412 errors.
+* core: Fix regression breaking non-raft clusters whose nodes share the same cluster_addr/api_addr. [[GH-19721](https://github.com/hashicorp/vault/pull/19721)]
+* helper/random: Fix race condition in string generator helper [[GH-19875](https://github.com/hashicorp/vault/pull/19875)]
+* kmip (enterprise): Fix a problem decrypting with keys that have no Process Start Date attribute.
+* pki: Fix automatically turning off CRL signing on upgrade to Vault >= 1.12, if CA Key Usage disallows it [[GH-20220](https://github.com/hashicorp/vault/pull/20220)]
+* replication (enterprise): Fix a caching issue when replicating filtered data to
+a performance secondary. This resulted in the data being set to nil in the cache
+and a "invalid value" error being returned from the API.
+* replication (enterprise): Fix replication status for Primary clusters showing its primary cluster's information (in case of DR) in secondaries field when known_secondaries field is nil
+* sdk/helper/ocsp: Workaround bug in Go's ocsp.ParseResponse(...), causing validation to fail with embedded CA certificates.
+auth/cert: Fix OCSP validation against Vault's PKI engine. [[GH-20181](https://github.com/hashicorp/vault/pull/20181)]
+* secrets/aws: Revert changes that removed the lease on STS credentials, while leaving the new ttl field in place. [[GH-20034](https://github.com/hashicorp/vault/pull/20034)]
+* secrets/pki: Ensure cross-cluster delta WAL write failure only logs to avoid unattended forwarding. [[GH-20057](https://github.com/hashicorp/vault/pull/20057)]
+* secrets/pki: Fix building of unified delta CRLs and recovery during unified delta WAL write failures. [[GH-20058](https://github.com/hashicorp/vault/pull/20058)]
+* secrets/pki: Fix patching of leaf_not_after_behavior on issuers. [[GH-20341](https://github.com/hashicorp/vault/pull/20341)]
+* secrets/transform (enterprise): Address SQL connection leak when cleaning expired tokens
+* ui: Fix OIDC provider logo showing when domain doesn't match [[GH-20263](https://github.com/hashicorp/vault/pull/20263)]
+* ui: Fix bad link to namespace when namespace name includes `.` [[GH-19799](https://github.com/hashicorp/vault/pull/19799)]
+* ui: fixes browser console formatting for help command output [[GH-20064](https://github.com/hashicorp/vault/pull/20064)]
+* ui: fixes remaining doc links to include /vault in path [[GH-20070](https://github.com/hashicorp/vault/pull/20070)]
+* ui: remove use of htmlSafe except when first sanitized [[GH-20235](https://github.com/hashicorp/vault/pull/20235)]
+* website/docs: Fix Kubernetes Auth Code Example to use the correct whitespace in import. [[GH-20216](https://github.com/hashicorp/vault/pull/20216)]
+
+## 1.13.1
+### March 29, 2023
+
+SECURITY:
+
+* storage/mssql: When using Vault’s community-supported Microsoft SQL (MSSQL) database storage backend, a privileged attacker with the ability to write arbitrary data to Vault’s configuration may be able to perform arbitrary SQL commands on the underlying database server through Vault. This vulnerability, CVE-2023-0620, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [[HCSEC-2023-12](https://discuss.hashicorp.com/t/hcsec-2023-12-vault-s-microsoft-sql-database-storage-backend-vulnerable-to-sql-injection-via-configuration-file/52080)]
+* secrets/pki: Vault’s PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate issuance. This vulnerability, CVE-2023-0665, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [[HCSEC-2023-11](https://discuss.hashicorp.com/t/hcsec-2023-11-vault-s-pki-issuer-endpoint-did-not-correctly-authorize-access-to-issuer-metadata/52079)]
+* core: HashiCorp Vault’s implementation of Shamir’s secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares. This vulnerability, CVE-2023-25000, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [[HCSEC-2023-10](https://discuss.hashicorp.com/t/hcsec-2023-10-vault-vulnerable-to-cache-timing-attacks-during-seal-and-unseal-operations/52078)]
+
+IMPROVEMENTS:
+
+* auth/github: Allow for an optional Github auth token environment variable to make authenticated requests when fetching org id
+website/docs: Add docs for `VAULT_AUTH_CONFIG_GITHUB_TOKEN` environment variable when writing Github config [[GH-19244](https://github.com/hashicorp/vault/pull/19244)]
+* core: Allow overriding gRPC connect timeout via VAULT_GRPC_MIN_CONNECT_TIMEOUT. This is an env var rather than a config setting because we don't expect this to ever be needed.  It's being added as a last-ditch
+option in case all else fails for some replication issues we may not have fully reproduced. [[GH-19676](https://github.com/hashicorp/vault/pull/19676)]
+* core: validate name identifiers in mssql physical storage backend prior use [[GH-19591](https://github.com/hashicorp/vault/pull/19591)]
+* database/elasticsearch: Update error messages resulting from Elasticsearch API errors [[GH-19545](https://github.com/hashicorp/vault/pull/19545)]
+* events: Suppress log warnings triggered when events are sent but the events system is not enabled. [[GH-19593](https://github.com/hashicorp/vault/pull/19593)]
+
+BUG FIXES:
+
+* agent: Fix panic when SIGHUP is issued to Agent while it has a non-TLS listener. [[GH-19483](https://github.com/hashicorp/vault/pull/19483)]
+* core (enterprise): Attempt to reconnect to a PKCS#11 HSM if we retrieve a CKR_FUNCTION_FAILED error.
+* core: Fixed issue with remounting mounts that have a non-trailing space in the 'to' or 'from' paths. [[GH-19585](https://github.com/hashicorp/vault/pull/19585)]
+* kmip (enterprise): Do not require attribute Cryptographic Usage Mask when registering Secret Data managed objects.
+* kmip (enterprise): Fix a problem forwarding some requests to the active node.
+* openapi: Fix logic for labeling unauthenticated/sudo paths. [[GH-19600](https://github.com/hashicorp/vault/pull/19600)]
+* secrets/ldap: Invalidates WAL entry for static role if `password_policy` has changed. [[GH-19640](https://github.com/hashicorp/vault/pull/19640)]
+* secrets/pki: Fix PKI revocation request forwarding from standby nodes due to an error wrapping bug [[GH-19624](https://github.com/hashicorp/vault/pull/19624)]
+* secrets/transform (enterprise): Fix persistence problem with rotated tokenization key versions
+* ui: Fixes crypto.randomUUID error in unsecure contexts from third party ember-data library [[GH-19428](https://github.com/hashicorp/vault/pull/19428)]
+* ui: fixes SSH engine config deletion [[GH-19448](https://github.com/hashicorp/vault/pull/19448)]
+* ui: fixes issue navigating back a level using the breadcrumb from secret metadata view [[GH-19703](https://github.com/hashicorp/vault/pull/19703)]
+* ui: fixes oidc tabs in auth form submitting with the root's default_role value after a namespace has been inputted [[GH-19541](https://github.com/hashicorp/vault/pull/19541)]
+* ui: pass encodeBase64 param to HMAC transit-key-actions. [[GH-19429](https://github.com/hashicorp/vault/pull/19429)]
+* ui: use URLSearchParams interface to capture namespace param from SSOs (ex. ADFS) with decoded state param in callback url [[GH-19460](https://github.com/hashicorp/vault/pull/19460)]
+
+## 1.13.0
+### March 01, 2023
+
+SECURITY:
+
+* secrets/ssh: removal of the deprecated dynamic keys mode. **When any remaining dynamic key leases expire**, an error stating `secret is unsupported by this backend` will be thrown by the lease manager. [[GH-18874](https://github.com/hashicorp/vault/pull/18874)]
+* auth/approle: When using the Vault and Vault Enterprise (Vault) approle auth method, any authenticated user with access to the /auth/approle/role/:role_name/secret-id-accessor/destroy endpoint can destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability, CVE-2023-24999 has been fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above. [[HSEC-2023-07](https://discuss.hashicorp.com/t/hcsec-2023-07-vault-fails-to-verify-if-approle-secretid-belongs-to-role-during-a-destroy-operation/51305)]
+
+CHANGES:
+
+* auth/alicloud: require the `role` field on login [[GH-19005](https://github.com/hashicorp/vault/pull/19005)]
+* auth/approle: Add maximum length of 4096 for approle role_names, as this value results in HMAC calculation [[GH-17768](https://github.com/hashicorp/vault/pull/17768)]
+* auth: Returns invalid credentials for ldap, userpass and approle when wrong credentials are provided for existent users.
+This will only be used internally for implementing user lockout. [[GH-17104](https://github.com/hashicorp/vault/pull/17104)]
+* core: Bump Go version to 1.20.1.
+* core: Vault version has been moved out of sdk and into main vault module.
+Plugins using sdk/useragent.String must instead use sdk/useragent.PluginString. [[GH-14229](https://github.com/hashicorp/vault/pull/14229)]
+* logging: Removed legacy environment variable for log format ('LOGXI_FORMAT'), should use 'VAULT_LOG_FORMAT' instead [[GH-17822](https://github.com/hashicorp/vault/pull/17822)]
+* plugins: Mounts can no longer be pinned to a specific _builtin_ version. Mounts previously pinned to a specific builtin version will now automatically upgrade to the latest builtin version, and may now be overridden if an unversioned plugin of the same name and type is registered. Mounts using plugin versions without `builtin` in their metadata remain unaffected. [[GH-18051](https://github.com/hashicorp/vault/pull/18051)]
+* plugins: `GET /database/config/:name` endpoint now returns an additional `plugin_version` field in the response data. [[GH-16982](https://github.com/hashicorp/vault/pull/16982)]
+* plugins: `GET /sys/auth/:path/tune` and `GET /sys/mounts/:path/tune` endpoints may now return an additional `plugin_version` field in the response data if set. [[GH-17167](https://github.com/hashicorp/vault/pull/17167)]
+* plugins: `GET` for `/sys/auth`, `/sys/auth/:path`, `/sys/mounts`, and `/sys/mounts/:path` paths now return additional `plugin_version`, `running_plugin_version` and `running_sha256` fields in the response data for each mount. [[GH-17167](https://github.com/hashicorp/vault/pull/17167)]
+* sdk: Remove version package, make useragent.String versionless. [[GH-19068](https://github.com/hashicorp/vault/pull/19068)]
+* secrets/aws: do not create leases for non-renewable/non-revocable STS credentials to reduce storage calls [[GH-15869](https://github.com/hashicorp/vault/pull/15869)]
+* secrets/gcpkms: Updated plugin from v0.13.0 to v0.14.0 [[GH-19063](https://github.com/hashicorp/vault/pull/19063)]
+* sys/internal/inspect: Turns of this endpoint by default. A SIGHUP can now be used to reload the configs and turns this endpoint on.
+* ui: Upgrade Ember to version 4.4.0 [[GH-17086](https://github.com/hashicorp/vault/pull/17086)]
+
+FEATURES:
+
+* **User lockout**: Ignore repeated bad credentials from the same user for a configured period of time. Enabled by default.
+* **Azure Auth Managed Identities**: Allow any Azure resource that supports managed identities to authenticate with Vault [[GH-19077](https://github.com/hashicorp/vault/pull/19077)]
+* **Azure Auth Rotate Root**: Add support for rotate root in Azure Auth engine [[GH-19077](https://github.com/hashicorp/vault/pull/19077)]
+* **Event System (Alpha)**: Vault has a new opt-in experimental event system. Not yet suitable for production use. Events are currently only generated on writes to the KV secrets engine, but external plugins can also be updated to start generating events. [[GH-19194](https://github.com/hashicorp/vault/pull/19194)]
+* **GCP Secrets Impersonated Account Support**: Add support for GCP service account impersonation, allowing callers to generate a GCP access token without requiring Vault to store or retrieve a GCP service account key for each role. [[GH-19018](https://github.com/hashicorp/vault/pull/19018)]
+* **Kubernetes Secrets Engine UI**: Kubernetes is now available in the UI as a supported secrets engine. [[GH-17893](https://github.com/hashicorp/vault/pull/17893)]
+* **New PKI UI**: Add beta support for new and improved PKI UI [[GH-18842](https://github.com/hashicorp/vault/pull/18842)]
+* **PKI Cross-Cluster Revocations**: Revocation information can now be
+synchronized across primary and performance replica clusters offering
+a unified CRL/OCSP view of revocations across cluster boundaries. [[GH-19196](https://github.com/hashicorp/vault/pull/19196)]
+* **Server UDS Listener**: Adding listener to Vault server to serve http request via unix domain socket [[GH-18227](https://github.com/hashicorp/vault/pull/18227)]
+* **Transit managed keys**: The transit secrets engine now supports configuring and using managed keys
+* **User Lockout**: Adds support to configure the user-lockout behaviour for failed logins to prevent
+brute force attacks for userpass, approle and ldap auth methods. [[GH-19230](https://github.com/hashicorp/vault/pull/19230)]
+* **VMSS Flex Authentication**: Adds support for Virtual Machine Scale Set Flex Authentication [[GH-19077](https://github.com/hashicorp/vault/pull/19077)]
+* **Namespaces (enterprise)**: Added the ability to allow access to secrets and more to be shared across namespaces that do not share a namespace hierarchy. Using the new `sys/config/group-policy-application` API, policies can be configured to apply outside of namespace hierarchy, allowing this kind of cross-namespace sharing.
+* **OpenAPI-based Go & .NET Client Libraries (Beta)**: We have now made available two new [[OpenAPI-based Go](https://github.com/hashicorp/vault-client-go/)] & [[OpenAPI-based .NET](https://github.com/hashicorp/vault-client-dotnet/)] Client libraries (beta). You can use them to perform various secret management operations easily from your applications.
+
+IMPROVEMENTS:
+
+* **Redis ElastiCache DB Engine**: Renamed configuration parameters for disambiguation; old parameters still supported for compatibility. [[GH-18752](https://github.com/hashicorp/vault/pull/18752)]
+* Bump github.com/hashicorp/go-plugin version from 1.4.5 to 1.4.8 [[GH-19100](https://github.com/hashicorp/vault/pull/19100)]
+* Reduced binary size [[GH-17678](https://github.com/hashicorp/vault/pull/17678)]
+* agent/config: Allow config directories to be specified with -config, and allow multiple -configs to be supplied. [[GH-18403](https://github.com/hashicorp/vault/pull/18403)]
+* agent: Add note in logs when starting Vault Agent indicating if the version differs to the Vault Server. [[GH-18684](https://github.com/hashicorp/vault/pull/18684)]
+* agent: Added `token_file` auto-auth configuration to allow using a pre-existing token for Vault Agent. [[GH-18740](https://github.com/hashicorp/vault/pull/18740)]
+* agent: Agent listeners can now be to be the `metrics_only` role, serving only metrics, as part of the listener's new top level `role` option. [[GH-18101](https://github.com/hashicorp/vault/pull/18101)]
+* agent: Configured Vault Agent listeners now listen without the need for caching to be configured. [[GH-18137](https://github.com/hashicorp/vault/pull/18137)]
+* agent: allows some parts of config to be reloaded without requiring a restart. [[GH-18638](https://github.com/hashicorp/vault/pull/18638)]
+* agent: fix incorrectly used loop variables in parallel tests and when finalizing seals [[GH-16872](https://github.com/hashicorp/vault/pull/16872)]
+* api: Remove dependency on sdk module. [[GH-18962](https://github.com/hashicorp/vault/pull/18962)]
+* api: Support VAULT_DISABLE_REDIRECTS environment variable (and --disable-redirects flag) to disable default client behavior and prevent the client following any redirection responses. [[GH-17352](https://github.com/hashicorp/vault/pull/17352)]
+* audit: Add `elide_list_responses` option, providing a countermeasure for a common source of oversized audit log entries [[GH-18128](https://github.com/hashicorp/vault/pull/18128)]
+* audit: Include stack trace when audit logging recovers from a panic. [[GH-18121](https://github.com/hashicorp/vault/pull/18121)]
+* auth/alicloud: upgrades dependencies [[GH-18021](https://github.com/hashicorp/vault/pull/18021)]
+* auth/azure: Adds support for authentication with Managed Service Identity (MSI) from a
+Virtual Machine Scale Set (VMSS) in flexible orchestration mode. [[GH-17540](https://github.com/hashicorp/vault/pull/17540)]
+* auth/azure: upgrades dependencies [[GH-17857](https://github.com/hashicorp/vault/pull/17857)]
+* auth/cert: Add configurable support for validating client certs with OCSP. [[GH-17093](https://github.com/hashicorp/vault/pull/17093)]
+* auth/cert: Support listing provisioned CRLs within the mount. [[GH-18043](https://github.com/hashicorp/vault/pull/18043)]
+* auth/cf: Remove incorrect usage of CreateOperation from path_config [[GH-19098](https://github.com/hashicorp/vault/pull/19098)]
+* auth/gcp: Upgrades dependencies [[GH-17858](https://github.com/hashicorp/vault/pull/17858)]
+* auth/oidc: Adds `abort_on_error` parameter to CLI login command to help in non-interactive contexts [[GH-19076](https://github.com/hashicorp/vault/pull/19076)]
+* auth/oidc: Adds ability to set Google Workspace domain for groups search [[GH-19076](https://github.com/hashicorp/vault/pull/19076)]
+* auth/token (enterprise): Allow batch token creation in perfStandby nodes
+* auth: Allow naming login MFA methods and using those names instead of IDs in satisfying MFA requirement for requests.
+Make passcode arguments consistent across login MFA method types. [[GH-18610](https://github.com/hashicorp/vault/pull/18610)]
+* auth: Provide an IP address of the requests from Vault to a Duo challenge after successful authentication. [[GH-18811](https://github.com/hashicorp/vault/pull/18811)]
+* autopilot: Update version to v.0.2.0 to add better support for respecting min quorum
+* cli/kv: improve kv CLI to remove data or custom metadata using kv patch [[GH-18067](https://github.com/hashicorp/vault/pull/18067)]
+* cli/pki: Add List-Intermediates functionality to pki client. [[GH-18463](https://github.com/hashicorp/vault/pull/18463)]
+* cli/pki: Add health-check subcommand to evaluate the health of a PKI instance. [[GH-17750](https://github.com/hashicorp/vault/pull/17750)]
+* cli/pki: Add pki issue command, which creates a CSR, has a vault mount sign it, then reimports it. [[GH-18467](https://github.com/hashicorp/vault/pull/18467)]
+* cli/pki: Added "Reissue" command which allows extracting fields from an existing certificate to create a new certificate. [[GH-18499](https://github.com/hashicorp/vault/pull/18499)]
+* cli/pki: Change the pki health-check --list default config output to JSON so it's a usable configuration file [[GH-19269](https://github.com/hashicorp/vault/pull/19269)]
+* cli: Add support for creating requests to existing non-KVv2 PATCH-capable endpoints. [[GH-17650](https://github.com/hashicorp/vault/pull/17650)]
+* cli: Add transit import key helper commands for BYOK to Transit/Transform. [[GH-18887](https://github.com/hashicorp/vault/pull/18887)]
+* cli: Support the -format=raw option, to read non-JSON Vault endpoints and original response bodies. [[GH-14945](https://github.com/hashicorp/vault/pull/14945)]
+* cli: updated `vault operator rekey` prompts to describe recovery keys when `-target=recovery` [[GH-18892](https://github.com/hashicorp/vault/pull/18892)]
+* client/pki: Add a new command verify-sign which checks the relationship between two certificates. [[GH-18437](https://github.com/hashicorp/vault/pull/18437)]
+* command/server: Environment variable keys are now logged at startup. [[GH-18125](https://github.com/hashicorp/vault/pull/18125)]
+* core/fips: use upstream toolchain for FIPS 140-2 compliance again; this will appear as X=boringcrypto on the Go version in Vault server logs.
+* core/identity: Add machine-readable output to body of response upon alias clash during entity merge [[GH-17459](https://github.com/hashicorp/vault/pull/17459)]
+* core/server: Added an environment variable to write goroutine stacktraces to a
+temporary file for SIGUSR2 signals. [[GH-17929](https://github.com/hashicorp/vault/pull/17929)]
+* core: Add RPCs to read and update userFailedLoginInfo map
+* core: Add experiments system and `events.alpha1` experiment. [[GH-18682](https://github.com/hashicorp/vault/pull/18682)]
+* core: Add read support to `sys/loggers` and `sys/loggers/:name` endpoints [[GH-17979](https://github.com/hashicorp/vault/pull/17979)]
+* core: Add user lockout field to config and configuring this for auth mount using auth tune to prevent brute forcing in auth methods [[GH-17338](https://github.com/hashicorp/vault/pull/17338)]
+* core: Add vault.core.locked_users telemetry metric to emit information about total number of locked users. [[GH-18718](https://github.com/hashicorp/vault/pull/18718)]
+* core: Added sys/locked-users endpoint to list locked users. Changed api endpoint from
+sys/lockedusers/[mount_accessor]/unlock/[alias_identifier] to sys/locked-users/[mount_accessor]/unlock/[alias_identifier]. [[GH-18675](https://github.com/hashicorp/vault/pull/18675)]
+* core: Added sys/lockedusers/[mount_accessor]/unlock/[alias_identifier] endpoint to unlock an user
+with given mount_accessor and alias_identifier if locked [[GH-18279](https://github.com/hashicorp/vault/pull/18279)]
+* core: Added warning to /sys/seal-status and vault status command if potentially dangerous behaviour overrides are being used. [[GH-17855](https://github.com/hashicorp/vault/pull/17855)]
+* core: Implemented background thread to update locked user entries every 15 minutes to prevent brute forcing in auth methods. [[GH-18673](https://github.com/hashicorp/vault/pull/18673)]
+* core: License location is no longer cache exempt, meaning sys/health will not contribute as greatly to storage load when using consul as a storage backend. [[GH-17265](https://github.com/hashicorp/vault/pull/17265)]
+* core: Update protoc from 3.21.5 to 3.21.7 [[GH-17499](https://github.com/hashicorp/vault/pull/17499)]
+* core: add `detect_deadlocks` config to optionally detect core state deadlocks [[GH-18604](https://github.com/hashicorp/vault/pull/18604)]
+* core: added changes for user lockout workflow. [[GH-17951](https://github.com/hashicorp/vault/pull/17951)]
+* core: parallelize backend initialization to improve startup time for large numbers of mounts. [[GH-18244](https://github.com/hashicorp/vault/pull/18244)]
+* database/postgres: Support multiline strings for revocation statements. [[GH-18632](https://github.com/hashicorp/vault/pull/18632)]
+* database/redis-elasticache: changed config argument names for disambiguation [[GH-19044](https://github.com/hashicorp/vault/pull/19044)]
+* database/snowflake: Allow parallel requests to Snowflake [[GH-17593](https://github.com/hashicorp/vault/pull/17593)]
+* hcp/connectivity: Add foundational OSS support for opt-in secure communication between self-managed Vault nodes and [HashiCorp Cloud Platform](https://cloud.hashicorp.com) [[GH-18228](https://github.com/hashicorp/vault/pull/18228)]
+* hcp/connectivity: Include HCP organization, project, and resource ID in server startup logs [[GH-18315](https://github.com/hashicorp/vault/pull/18315)]
+* hcp/connectivity: Only update SCADA session metadata if status changes [[GH-18585](https://github.com/hashicorp/vault/pull/18585)]
+* hcp/status: Add cluster-level status information [[GH-18351](https://github.com/hashicorp/vault/pull/18351)]
+* hcp/status: Expand node-level status information [[GH-18302](https://github.com/hashicorp/vault/pull/18302)]
+* logging: Vault Agent supports logging to a specified file path via environment variable, CLI or config [[GH-17841](https://github.com/hashicorp/vault/pull/17841)]
+* logging: Vault agent and server commands support log file and log rotation. [[GH-18031](https://github.com/hashicorp/vault/pull/18031)]
+* migration: allow parallelization of key migration for `vault operator migrate` in order to speed up a migration. [[GH-18817](https://github.com/hashicorp/vault/pull/18817)]
+* namespaces (enterprise): Add new API, `sys/config/group-policy-application`, to allow group policies to be configurable
+to apply to a group in `any` namespace. The default, `within_namespace_hierarchy`, is the current behaviour.
+* openapi: Add default values to thing_mount_path parameters [[GH-18935](https://github.com/hashicorp/vault/pull/18935)]
+* openapi: Add logic to generate openapi response structures [[GH-18192](https://github.com/hashicorp/vault/pull/18192)]
+* openapi: Add openapi response definitions to approle/path_login.go & approle/path_tidy_user_id.go [[GH-18772](https://github.com/hashicorp/vault/pull/18772)]
+* openapi: Add openapi response definitions to approle/path_role.go [[GH-18198](https://github.com/hashicorp/vault/pull/18198)]
+* openapi: Change gen_openapi.sh to generate schema with generic mount paths [[GH-18934](https://github.com/hashicorp/vault/pull/18934)]
+* openapi: Mark request body objects as required [[GH-17909](https://github.com/hashicorp/vault/pull/17909)]
+* openapi: add openapi response defintions to /sys/audit endpoints [[GH-18456](https://github.com/hashicorp/vault/pull/18456)]
+* openapi: generic_mount_paths: Move implementation fully into server, rather than partially in plugin framework; recognize all 4 singleton mounts (auth/token, cubbyhole, identity, system) rather than just 2; change parameter from `{mountPath}` to `{<type>_mount_path}` [[GH-18663](https://github.com/hashicorp/vault/pull/18663)]
+* plugins: Add plugin version information to key plugin lifecycle log lines. [[GH-17430](https://github.com/hashicorp/vault/pull/17430)]
+* plugins: Allow selecting builtin plugins by their reported semantic version of the form `vX.Y.Z+builtin` or `vX.Y.Z+builtin.vault`. [[GH-17289](https://github.com/hashicorp/vault/pull/17289)]
+* plugins: Let Vault unseal and mount deprecated builtin plugins in a
+deactivated state if this is not the first unseal after an upgrade. [[GH-17879](https://github.com/hashicorp/vault/pull/17879)]
+* plugins: Mark app-id auth method Removed and remove the plugin code. [[GH-18039](https://github.com/hashicorp/vault/pull/18039)]
+* plugins: Mark logical database plugins Removed and remove the plugin code. [[GH-18039](https://github.com/hashicorp/vault/pull/18039)]
+* sdk/ldap: Added support for paging when searching for groups using group filters [[GH-17640](https://github.com/hashicorp/vault/pull/17640)]
+* sdk: Add response schema validation method framework/FieldData.ValidateStrict and two test helpers (ValidateResponse, ValidateResponseData) [[GH-18635](https://github.com/hashicorp/vault/pull/18635)]
+* sdk: Adding FindResponseSchema test helper to assist with response schema validation in tests [[GH-18636](https://github.com/hashicorp/vault/pull/18636)]
+* secrets/aws: Update dependencies [[PR-17747](https://github.com/hashicorp/vault/pull/17747)] [[GH-17747](https://github.com/hashicorp/vault/pull/17747)]
+* secrets/azure: Adds ability to persist an application for the lifetime of a role. [[GH-19096](https://github.com/hashicorp/vault/pull/19096)]
+* secrets/azure: upgrades dependencies [[GH-17964](https://github.com/hashicorp/vault/pull/17964)]
+* secrets/db/mysql: Add `tls_server_name` and `tls_skip_verify` parameters [[GH-18799](https://github.com/hashicorp/vault/pull/18799)]
+* secrets/gcp: Upgrades dependencies [[GH-17871](https://github.com/hashicorp/vault/pull/17871)]
+* secrets/kubernetes: Add /check endpoint to determine if environment variables are set [[GH-18](https://github.com/hashicorp/vault-plugin-secrets-kubernetes/pull/18)] [[GH-18587](https://github.com/hashicorp/vault/pull/18587)]
+* secrets/kubernetes: add /check endpoint to determine if environment variables are set [[GH-19084](https://github.com/hashicorp/vault/pull/19084)]
+* secrets/kv: Emit events on write if events system enabled [[GH-19145](https://github.com/hashicorp/vault/pull/19145)]
+* secrets/kv: make upgrade synchronous when no keys to upgrade [[GH-19056](https://github.com/hashicorp/vault/pull/19056)]
+* secrets/kv: new KVv2 mounts and KVv1 mounts without any keys will upgrade synchronously, allowing for instant use [[GH-17406](https://github.com/hashicorp/vault/pull/17406)]
+* secrets/pki: Add a new API that returns the serial numbers of revoked certificates on the local cluster [[GH-17779](https://github.com/hashicorp/vault/pull/17779)]
+* secrets/pki: Add support to specify signature bits when generating CSRs through intermediate/generate apis [[GH-17388](https://github.com/hashicorp/vault/pull/17388)]
+* secrets/pki: Added a new API that allows external actors to craft a CRL through JSON parameters [[GH-18040](https://github.com/hashicorp/vault/pull/18040)]
+* secrets/pki: Allow UserID Field (https://www.rfc-editor.org/rfc/rfc1274#section-9.3.1) to be set on Certificates when
+allowed by role [[GH-18397](https://github.com/hashicorp/vault/pull/18397)]
+* secrets/pki: Allow issuer creation, import to change default issuer via `default_follows_latest_issuer`. [[GH-17824](https://github.com/hashicorp/vault/pull/17824)]
+* secrets/pki: Allow templating performance replication cluster- and issuer-specific AIA URLs. [[GH-18199](https://github.com/hashicorp/vault/pull/18199)]
+* secrets/pki: Allow tidying of expired issuer certificates. [[GH-17823](https://github.com/hashicorp/vault/pull/17823)]
+* secrets/pki: Allow tidying of the legacy ca_bundle, improving startup on post-migrated, seal-wrapped PKI mounts. [[GH-18645](https://github.com/hashicorp/vault/pull/18645)]
+* secrets/pki: Respond with written data to `config/auto-tidy`, `config/crl`, and `roles/:role`. [[GH-18222](https://github.com/hashicorp/vault/pull/18222)]
+* secrets/pki: Return issuer_id and issuer_name on /issuer/:issuer_ref/json endpoint. [[GH-18482](https://github.com/hashicorp/vault/pull/18482)]
+* secrets/pki: Return new fields revocation_time_rfc3339 and issuer_id to existing certificate serial lookup api if it is revoked [[GH-17774](https://github.com/hashicorp/vault/pull/17774)]
+* secrets/ssh: Allow removing SSH host keys from the dynamic keys feature. [[GH-18939](https://github.com/hashicorp/vault/pull/18939)]
+* secrets/ssh: Evaluate ssh validprincipals user template before splitting [[GH-16622](https://github.com/hashicorp/vault/pull/16622)]
+* secrets/transit: Add an optional reference field to batch operation items
+which is repeated on batch responses to help more easily correlate inputs with outputs. [[GH-18243](https://github.com/hashicorp/vault/pull/18243)]
+* secrets/transit: Add associated_data parameter for additional authenticated data in AEAD ciphers [[GH-17638](https://github.com/hashicorp/vault/pull/17638)]
+* secrets/transit: Add support for PKCSv1_5_NoOID RSA signatures [[GH-17636](https://github.com/hashicorp/vault/pull/17636)]
+* secrets/transit: Allow configuring whether upsert of keys is allowed. [[GH-18272](https://github.com/hashicorp/vault/pull/18272)]
+* storage/raft: Add `retry_join_as_non_voter` config option. [[GH-18030](https://github.com/hashicorp/vault/pull/18030)]
+* storage/raft: add additional raft metrics relating to applied index and heartbeating; also ensure OSS standbys emit periodic metrics. [[GH-12166](https://github.com/hashicorp/vault/pull/12166)]
+* sys/internal/inspect: Creates an endpoint to look to inspect internal subsystems. [[GH-17789](https://github.com/hashicorp/vault/pull/17789)]
+* sys/internal/inspect: Creates an endpoint to look to inspect internal subsystems.
+* ui: Add algorithm-signer as a SSH Secrets Engine UI field [[GH-10299](https://github.com/hashicorp/vault/pull/10299)]
+* ui: Add inline policy creation when creating an identity entity or group [[GH-17749](https://github.com/hashicorp/vault/pull/17749)]
+* ui: Added JWT authentication warning message about blocked pop-up windows and web browser settings. [[GH-18787](https://github.com/hashicorp/vault/pull/18787)]
+* ui: Enable typescript for future development [[GH-17927](https://github.com/hashicorp/vault/pull/17927)]
+* ui: Prepends "passcode=" if not provided in user input for duo totp mfa method authentication [[GH-18342](https://github.com/hashicorp/vault/pull/18342)]
+* ui: Update language on database role to "Connection name" [[GH-18261](https://github.com/hashicorp/vault/issues/18261)] [[GH-18350](https://github.com/hashicorp/vault/pull/18350)]
+* ui: adds allowed_response_headers as param for secret engine mount config [[GH-19216](https://github.com/hashicorp/vault/pull/19216)]
+* ui: consolidate all <a> tag usage [[GH-17866](https://github.com/hashicorp/vault/pull/17866)]
+* ui: mfa: use proper request id generation [[GH-17835](https://github.com/hashicorp/vault/pull/17835)]
+* ui: remove wizard [[GH-19220](https://github.com/hashicorp/vault/pull/19220)]
+* ui: update DocLink component to use new host url: developer.hashicorp.com [[GH-18374](https://github.com/hashicorp/vault/pull/18374)]
+* ui: update TTL picker for consistency [[GH-18114](https://github.com/hashicorp/vault/pull/18114)]
+* ui: use the combined activity log (partial + historic) API for client count dashboard and remove use of monthly endpoint [[GH-17575](https://github.com/hashicorp/vault/pull/17575)]
+* vault/diagnose: Upgrade `go.opentelemetry.io/otel`, `go.opentelemetry.io/otel/sdk`, `go.opentelemetry.io/otel/trace` to v1.11.2 [[GH-18589](https://github.com/hashicorp/vault/pull/18589)]
+
+DEPRECATIONS:
+
+* secrets/ad: Marks the Active Directory (AD) secrets engine as deprecated. [[GH-19334](https://github.com/hashicorp/vault/pull/19334)]
+
+BUG FIXES:
+
+* api: Remove timeout logic from ReadRaw functions and add ReadRawWithContext [[GH-18708](https://github.com/hashicorp/vault/pull/18708)]
+* auth/alicloud: fix regression in vault login command that caused login to fail [[GH-19005](https://github.com/hashicorp/vault/pull/19005)]
+* auth/approle: Add nil check for the secret ID entry when deleting via secret id accessor preventing cross role secret id deletion [[GH-19186](https://github.com/hashicorp/vault/pull/19186)]
+* auth/approle: Fix `token_bound_cidrs` validation when using /32 blocks for role and secret ID [[GH-18145](https://github.com/hashicorp/vault/pull/18145)]
+* auth/cert: Address a race condition accessing the loaded crls without a lock [[GH-18945](https://github.com/hashicorp/vault/pull/18945)]
+* auth/kubernetes: Ensure a consistent TLS configuration for all k8s API requests [[#173](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/173)] [[GH-18716](https://github.com/hashicorp/vault/pull/18716)]
+* auth/kubernetes: fixes and dep updates for the auth-kubernetes plugin (see plugin changelog for details) [[GH-19094](https://github.com/hashicorp/vault/pull/19094)]
+* auth/okta: fix a panic for AuthRenew in Okta [[GH-18011](https://github.com/hashicorp/vault/pull/18011)]
+* auth: Deduplicate policies prior to ACL generation [[GH-17914](https://github.com/hashicorp/vault/pull/17914)]
+* cli/kv: skip formatting of nil secrets for patch and put with field parameter set [[GH-18163](https://github.com/hashicorp/vault/pull/18163)]
+* cli/pki: Decode integer values properly in health-check configuration file [[GH-19265](https://github.com/hashicorp/vault/pull/19265)]
+* cli/pki: Fix path for role health-check warning messages [[GH-19274](https://github.com/hashicorp/vault/pull/19274)]
+* cli/pki: Properly report permission issues within health-check mount tune checks [[GH-19276](https://github.com/hashicorp/vault/pull/19276)]
+* cli/transit: Fix import, import-version command invocation [[GH-19373](https://github.com/hashicorp/vault/pull/19373)]
+* cli: Fix issue preventing kv commands from executing properly when the mount path provided by `-mount` flag and secret key path are the same. [[GH-17679](https://github.com/hashicorp/vault/pull/17679)]
+* cli: Fix vault read handling to return raw data as secret.Data when there is no top-level data object from api response. [[GH-17913](https://github.com/hashicorp/vault/pull/17913)]
+* cli: Remove empty table heading for `vault secrets list -detailed` output. [[GH-17577](https://github.com/hashicorp/vault/pull/17577)]
+* command/namespace: Fix vault cli namespace patch examples in help text. [[GH-18143](https://github.com/hashicorp/vault/pull/18143)]
+* core (enterprise): Fix missing quotation mark in error message
+* core (enterprise): Fix panic that could occur with SSCT alongside invoking external plugins for revocation.
+* core (enterprise): Fix panic when using invalid accessor for control-group request
+* core (enterprise): Fix perf standby WAL streaming silently failures when replication setup happens at a bad time.
+* core (enterprise): Supported storage check in `vault server` command will no longer prevent startup. Instead, a warning will be logged if configured to use storage backend other than `raft` or `consul`.
+* core/activity: add namespace breakdown for new clients when date range spans multiple months, including the current month. [[GH-18766](https://github.com/hashicorp/vault/pull/18766)]
+* core/activity: de-duplicate namespaces when historical and current month data are mixed [[GH-18452](https://github.com/hashicorp/vault/pull/18452)]
+* core/activity: fix the end_date returned from the activity log endpoint when partial counts are computed [[GH-17856](https://github.com/hashicorp/vault/pull/17856)]
+* core/activity: include mount counts when de-duplicating current and historical month data [[GH-18598](https://github.com/hashicorp/vault/pull/18598)]
+* core/activity: report mount paths (rather than mount accessors) in current month activity log counts and include deleted mount paths in precomputed queries. [[GH-18916](https://github.com/hashicorp/vault/pull/18916)]
+* core/activity: return partial month counts when querying a historical date range and no historical data exists. [[GH-17935](https://github.com/hashicorp/vault/pull/17935)]
+* core/auth: Return a 403 instead of a 500 for wrapping requests when token is not provided [[GH-18859](https://github.com/hashicorp/vault/pull/18859)]
+* core/managed-keys (enterprise): Limit verification checks to mounts in a key's namespace
+* core/managed-keys (enterprise): Return better error messages when encountering key creation failures
+* core/managed-keys (enterprise): Switch to using hash length as PSS Salt length within the test/sign api for better PKCS#11 compatibility
+* core/quotas (enterprise): Fix a lock contention issue that could occur and cause Vault to become unresponsive when creating, changing, or deleting lease count quotas.
+* core/quotas (enterprise): Fix a potential deadlock that could occur when using lease count quotas.
+* core/quotas: Fix issue with improper application of default rate limit quota exempt paths [[GH-18273](https://github.com/hashicorp/vault/pull/18273)]
+* core/seal: Fix regression handling of the key_id parameter in seal configuration HCL. [[GH-17612](https://github.com/hashicorp/vault/pull/17612)]
+* core: Fix panic caused in Vault Agent when rendering certificate templates [[GH-17419](https://github.com/hashicorp/vault/pull/17419)]
+* core: Fix potential deadlock if barrier ciphertext is less than 4 bytes. [[GH-17944](https://github.com/hashicorp/vault/pull/17944)]
+* core: Fix spurious `permission denied` for all HelpOperations on sudo-protected paths [[GH-18568](https://github.com/hashicorp/vault/pull/18568)]
+* core: Fix vault operator init command to show the right curl string with -output-curl-string and right policy hcl with -output-policy [[GH-17514](https://github.com/hashicorp/vault/pull/17514)]
+* core: Fixes spurious warnings being emitted relating to "unknown or unsupported fields" for JSON config [[GH-17660](https://github.com/hashicorp/vault/pull/17660)]
+* core: Linux packages now have vendor label and set the default label to HashiCorp.
+This fix is implemented for any future releases, but will not be updated for historical releases.
+* core: Prevent panics in `sys/leases/lookup`, `sys/leases/revoke`, and `sys/leases/renew` endpoints if provided `lease_id` is null [[GH-18951](https://github.com/hashicorp/vault/pull/18951)]
+* core: Refactor lock grabbing code to simplify stateLock deadlock investigations [[GH-17187](https://github.com/hashicorp/vault/pull/17187)]
+* core: fix GPG encryption to support subkeys. [[GH-16224](https://github.com/hashicorp/vault/pull/16224)]
+* core: fix a start up race condition where performance standbys could go into a
+mount loop if default policies are not yet synced from the active node. [[GH-17801](https://github.com/hashicorp/vault/pull/17801)]
+* core: fix bug where context cancellations weren't forwarded to active node from performance standbys.
+* core: fix race when using SystemView.ReplicationState outside of a request context [[GH-17186](https://github.com/hashicorp/vault/pull/17186)]
+* core: prevent memory leak when using control group factors in a policy [[GH-17532](https://github.com/hashicorp/vault/pull/17532)]
+* core: prevent panic during mfa after enforcement's namespace is deleted [[GH-17562](https://github.com/hashicorp/vault/pull/17562)]
+* core: prevent panic in login mfa enforcement delete after enforcement's namespace is deleted [[GH-18923](https://github.com/hashicorp/vault/pull/18923)]
+* core: trying to unseal with the wrong key now returns HTTP 400 [[GH-17836](https://github.com/hashicorp/vault/pull/17836)]
+* credential/cert: adds error message if no tls connection is found during the AliasLookahead operation [[GH-17904](https://github.com/hashicorp/vault/pull/17904)]
+* database/mongodb: Fix writeConcern set to be applied to any query made on the database [[GH-18546](https://github.com/hashicorp/vault/pull/18546)]
+* expiration: Prevent panics on perf standbys when an irrevocable lease gets deleted. [[GH-18401](https://github.com/hashicorp/vault/pull/18401)]
+* kmip (enterprise): Fix a problem with some multi-part MAC Verify operations.
+* kmip (enterprise): Only require data to be full blocks on encrypt/decrypt operations using CBC and ECB block cipher modes.
+* license (enterprise): Fix bug where license would update even if the license didn't change.
+* licensing (enterprise): update autoloaded license cache after reload
+* login: Store token in tokenhelper for interactive login MFA [[GH-17040](https://github.com/hashicorp/vault/pull/17040)]
+* openapi: Fix many incorrect details in generated API spec, by using better techniques to parse path regexps [[GH-18554](https://github.com/hashicorp/vault/pull/18554)]
+* openapi: fix gen_openapi.sh script to correctly load vault plugins [[GH-17752](https://github.com/hashicorp/vault/pull/17752)]
+* plugins/kv: KV v2 returns 404 instead of 500 for request paths that incorrectly include a trailing slash. [[GH-17339](https://github.com/hashicorp/vault/pull/17339)]
+* plugins: Allow running external plugins which override deprecated builtins. [[GH-17879](https://github.com/hashicorp/vault/pull/17879)]
+* plugins: Corrected the path to check permissions on when the registered plugin name does not match the plugin binary's filename. [[GH-17340](https://github.com/hashicorp/vault/pull/17340)]
+* plugins: Listing all plugins while audit logging is enabled will no longer result in an internal server error. [[GH-18173](https://github.com/hashicorp/vault/pull/18173)]
+* plugins: Only report deprecation status for builtin plugins. [[GH-17816](https://github.com/hashicorp/vault/pull/17816)]
+* plugins: Skip loading but still mount data associated with missing plugins on unseal. [[GH-18189](https://github.com/hashicorp/vault/pull/18189)]
+* plugins: Vault upgrades will no longer fail if a mount has been created using an explicit builtin plugin version. [[GH-18051](https://github.com/hashicorp/vault/pull/18051)]
+* replication (enterprise): Fix bug where reloading external plugin on a secondary would
+break replication.
+* sdk: Don't panic if system view or storage methods called during plugin setup. [[GH-18210](https://github.com/hashicorp/vault/pull/18210)]
+* secret/pki: fix bug with initial legacy bundle migration (from < 1.11 into 1.11+) and missing issuers from ca_chain [[GH-17772](https://github.com/hashicorp/vault/pull/17772)]
+* secrets/ad: Fix bug where updates to config would fail if password isn't provided [[GH-19061](https://github.com/hashicorp/vault/pull/19061)]
+* secrets/gcp: fix issue where IAM bindings were not preserved during policy update [[GH-19018](https://github.com/hashicorp/vault/pull/19018)]
+* secrets/mongodb-atlas: Fix a bug that did not allow WAL rollback to handle partial failures when creating API keys [[GH-19111](https://github.com/hashicorp/vault/pull/19111)]
+* secrets/pki: Address nil panic when an empty POST request is sent to the OCSP handler [[GH-18184](https://github.com/hashicorp/vault/pull/18184)]
+* secrets/pki: Allow patching issuer to set an empty issuer name. [[GH-18466](https://github.com/hashicorp/vault/pull/18466)]
+* secrets/pki: Do not read revoked certificates from backend when CRL is disabled [[GH-17385](https://github.com/hashicorp/vault/pull/17385)]
+* secrets/pki: Fix upgrade of missing expiry, delta_rebuild_interval by setting them to the default. [[GH-17693](https://github.com/hashicorp/vault/pull/17693)]
+* secrets/pki: Fixes duplicate otherName in certificates created by the sign-verbatim endpoint. [[GH-16700](https://github.com/hashicorp/vault/pull/16700)]
+* secrets/pki: OCSP GET request parameter was not being URL unescaped before processing. [[GH-18938](https://github.com/hashicorp/vault/pull/18938)]
+* secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [[GH-17497](https://github.com/hashicorp/vault/pull/17497)]
+* secrets/pki: Revert fix for PR [18938](https://github.com/hashicorp/vault/pull/18938) [[GH-19037](https://github.com/hashicorp/vault/pull/19037)]
+* secrets/pki: consistently use UTC for CA's notAfter exceeded error message [[GH-18984](https://github.com/hashicorp/vault/pull/18984)]
+* secrets/pki: fix race between tidy's cert counting and tidy status reporting. [[GH-18899](https://github.com/hashicorp/vault/pull/18899)]
+* secrets/transit: Do not warn about unrecognized parameter 'batch_input' [[GH-18299](https://github.com/hashicorp/vault/pull/18299)]
+* secrets/transit: Honor `partial_success_response_code` on decryption failures. [[GH-18310](https://github.com/hashicorp/vault/pull/18310)]
+* server/config:  Use file.Stat when checking file permissions when VAULT_ENABLE_FILE_PERMISSIONS_CHECK is enabled [[GH-19311](https://github.com/hashicorp/vault/pull/19311)]
+* storage/raft (enterprise): An already joined node can rejoin by wiping storage
+and re-issueing a join request, but in doing so could transiently become a
+non-voter.  In some scenarios this resulted in loss of quorum. [[GH-18263](https://github.com/hashicorp/vault/pull/18263)]
+* storage/raft: Don't panic on unknown raft ops [[GH-17732](https://github.com/hashicorp/vault/pull/17732)]
+* storage/raft: Fix race with follower heartbeat tracker during teardown. [[GH-18704](https://github.com/hashicorp/vault/pull/18704)]
+* ui/keymgmt: Sets the defaultValue for type when creating a key. [[GH-17407](https://github.com/hashicorp/vault/pull/17407)]
+* ui: Fix bug where logging in via OIDC fails if browser is in fullscreen mode [[GH-19071](https://github.com/hashicorp/vault/pull/19071)]
+* ui: Fixes issue with not being able to download raft snapshot via service worker [[GH-17769](https://github.com/hashicorp/vault/pull/17769)]
+* ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [[GH-17661](https://github.com/hashicorp/vault/pull/17661)]
+* ui: Remove `default` and add `default-service` and `default-batch` to UI token_type for auth mount and tuning. [[GH-19290](https://github.com/hashicorp/vault/pull/19290)]
+* ui: Remove default value of 30 to TtlPicker2 if no value is passed in. [[GH-17376](https://github.com/hashicorp/vault/pull/17376)]
+* ui: allow selection of "default" for ssh algorithm_signer in web interface [[GH-17894](https://github.com/hashicorp/vault/pull/17894)]
+* ui: cleanup unsaved auth method ember data record when navigating away from mount backend form [[GH-18651](https://github.com/hashicorp/vault/pull/18651)]
+* ui: fix entity policies list link to policy show page [[GH-17950](https://github.com/hashicorp/vault/pull/17950)]
+* ui: fixes query parameters not passed in api explorer test requests [[GH-18743](https://github.com/hashicorp/vault/pull/18743)]
+* ui: fixes reliance on secure context (https) by removing methods using the Crypto interface [[GH-19403](https://github.com/hashicorp/vault/pull/19403)]
+* ui: show Get credentials button for static roles detail page when a user has the proper permissions. [[GH-19190](https://github.com/hashicorp/vault/pull/19190)]
+
+## 1.12.11
+### September 13, 2023
+
+SECURITY:
+
+* secrets/transit: fix a regression that was honoring nonces provided in non-convergent modes during encryption. [[GH-22852](https://github.com/hashicorp/vault/pull/22852)]
+
+IMPROVEMENTS:
+
+* auth/ldap: improved login speed by adding concurrency to LDAP token group searches [[GH-22659](https://github.com/hashicorp/vault/pull/22659)]
+* kmip (enterprise): reduce latency of KMIP operation handling
+
+BUG FIXES:
+
+* cli: Fix the CLI failing to return wrapping information for KV PUT and PATCH operations when format is set to `table`. [[GH-22818](https://github.com/hashicorp/vault/pull/22818)]
+* core/quotas: Reduce overhead for role calculation when using cloud auth methods. [[GH-22583](https://github.com/hashicorp/vault/pull/22583)]
+* core/seal: add a workaround for potential connection [[hangs](https://github.com/Azure/azure-sdk-for-go/issues/21346)] in Azure autoseals. [[GH-22760](https://github.com/hashicorp/vault/pull/22760)]
+* raft/autopilot: Add dr-token flag for raft autopilot cli commands [[GH-21165](https://github.com/hashicorp/vault/pull/21165)]
+* replication (enterprise): Fix discovery of bad primary cluster addresses to be more reliable
+
+## 1.12.10
+### August 30, 2023
+
+CHANGES:
+
+* core: Bump Go version to 1.19.12.
+
+IMPROVEMENTS:
+
+* core: Log rollback manager failures during unmount, remount to prevent replication failures on secondary clusters. [[GH-22235](https://github.com/hashicorp/vault/pull/22235)]
+* replication (enterprise): Make reindex less disruptive by allowing writes during the flush phase.
+* storage/raft: Cap the minimum dead_server_last_contact_threshold to 1m. [[GH-22040](https://github.com/hashicorp/vault/pull/22040)]
+* ui: enables create and update KV secret workflow when control group present [[GH-22471](https://github.com/hashicorp/vault/pull/22471)]
+
+BUG FIXES:
+
+* api: Fix breakage with UNIX domain socket addresses introduced by newest Go versions as a security fix. [[GH-22523](https://github.com/hashicorp/vault/pull/22523)]
+* core (enterprise): Remove MFA Configuration for namespace when deleting namespace
+* core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context.
+Also fix a related potential deadlock. [[GH-21110](https://github.com/hashicorp/vault/pull/21110)]
+* core:  Remove "expiration manager is nil on tokenstore" error log for unauth requests on DR secondary as they do not have expiration manager. [[GH-22137](https://github.com/hashicorp/vault/pull/22137)]
+* core: Fix readonly errors that could occur while loading mounts/auths during unseal [[GH-22362](https://github.com/hashicorp/vault/pull/22362)]
+* core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [[GH-21470](https://github.com/hashicorp/vault/pull/21470)]
+* expiration: Fix a deadlock that could occur when a revocation failure happens while restoring leases on startup. [[GH-22374](https://github.com/hashicorp/vault/pull/22374)]
+* license: Add autoloaded license path to the cache exempt list. This is to ensure the license changes on the active node is observed on the perfStandby node. [[GH-22363](https://github.com/hashicorp/vault/pull/22363)]
+* replication (enterprise): Fix bug sync invalidate CoreReplicatedClusterInfoPath
+* replication (enterprise): Fixing a bug by which the atomicity of a merkle diff result could be affected. This means it could be a source of a merkle-diff & sync process failing to switch into stream-wal mode afterwards.
+* sdk/ldaputil: Properly escape user filters when using UPN domains
+sdk/ldaputil: use EscapeLDAPValue implementation from cap/ldap [[GH-22249](https://github.com/hashicorp/vault/pull/22249)]
+* secrets/ldap: Fix bug causing schema and password_policy to be overwritten in config. [[GH-22332](https://github.com/hashicorp/vault/pull/22332)]
+* secrets/transform (enterprise): Tidy operations will be re-scheduled at a minimum of every minute, not a maximum of every minute
+* ui: Fix blank page or ghost secret when canceling KV secret create [[GH-22541](https://github.com/hashicorp/vault/pull/22541)]
+* ui: fixes `max_versions` default for secret metadata unintentionally overriding kv engine defaults [[GH-22394](https://github.com/hashicorp/vault/pull/22394)]
+
+## 1.12.9
+### July 25, 2023
+
+SECURITY:
+
+* core/namespace (enterprise): An unhandled error in Vault Enterprise’s namespace creation may cause the Vault process to crash, potentially resulting in denial of service. This vulnerability, CVE-2023-3774, is fixed in Vault Enterprise 1.14.1, 1.13.5, and 1.12.9. [[HSEC_2023-23](https://discuss.hashicorp.com/t/hcsec-2023-23-vault-enterprise-namespace-creation-may-lead-to-denial-of-service/56617)]
+
+CHANGES:
+
+* secrets/transform (enterprise): Enforce a transformation role's max_ttl setting on encode requests, a warning will be returned if max_ttl was applied.
+
+IMPROVEMENTS:
+
+* core/fips: Add RPM, DEB packages of FIPS 140-2 and HSM+FIPS 140-2 Vault Enterprise.
+* replication (enterprise): Avoid logging warning if request is forwarded from a performance standby and not a performance secondary
+* secrets/transform (enterprise): Switch to pgx PostgreSQL driver for better timeout handling
+
+BUG FIXES:
+
+* core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [[GH-24170](https://github.com/hashicorp/vault/pull/24170)]
+* identity: Remove caseSensitivityKey to prevent errors while loading groups which could result in missing groups in memDB when duplicates are found. [[GH-20965](https://github.com/hashicorp/vault/pull/20965)]
+* replication (enterprise): update primary cluster address after DR failover
+* secrets/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [[GH-21633](https://github.com/hashicorp/vault/pull/21633)]
+* secrets/pki: Prevent deleted issuers from reappearing when migrating from a version 1 bundle to a version 2 bundle (versions including 1.13.0, 1.12.2, and 1.11.6); when managed keys were removed but referenced in the Vault 1.10 legacy CA bundle, this the error: `no managed key found with uuid`. [[GH-21316](https://github.com/hashicorp/vault/pull/21316)]
+* secrets/pki: Support setting both maintain_stored_certificate_counts=false and publish_stored_certificate_count_metrics=false explicitly in tidy config. [[GH-20664](https://github.com/hashicorp/vault/pull/20664)]
+* secrets/transform (enterprise): Fix nil panic when deleting a template with tokenization transformations present
+* secrets/transform (enterprise): Grab shared locks for various read operations, only escalating to write locks if work is required
+* serviceregistration: Fix bug where multiple nodes in a secondary cluster could be labelled active after updating the cluster's primary [[GH-21642](https://github.com/hashicorp/vault/pull/21642)]
+* ui: Fixed an issue where editing an SSH role would clear `default_critical_options` and `default_extension` if left unchanged. [[GH-21739](https://github.com/hashicorp/vault/pull/21739)]
+
+## 1.12.8
+### June 21, 2023
+BREAKING CHANGES:
+
+* secrets/pki: Maintaining running count of certificates will be turned off by default.
+To re-enable keeping these metrics available on the tidy status endpoint, enable
+maintain_stored_certificate_counts on tidy-config, to also publish them to the
+metrics consumer, enable publish_stored_certificate_count_metrics . [[GH-18186](https://github.com/hashicorp/vault/pull/18186)]
+
+CHANGES:
+
+* core: Bump Go version to 1.19.10.
+
+FEATURES:
+
+* **Automated License Utilization Reporting**: Added automated license
+utilization reporting, which sends minimal product-license [metering
+data](https://developer.hashicorp.com/vault/docs/enterprise/license/utilization-reporting)
+to HashiCorp without requiring you to manually collect and report them.
+* core (enterprise): Add background worker for automatic reporting of billing
+information. [[GH-19625](https://github.com/hashicorp/vault/pull/19625)]
+
+IMPROVEMENTS:
+
+* api: GET ... /sys/internal/counters/activity?current_billing_period=true now
+results in a response which contains the full billing period [[GH-20694](https://github.com/hashicorp/vault/pull/20694)]
+* api: `/sys/internal/counters/config` endpoint now contains read-only
+`minimum_retention_months`. [[GH-20150](https://github.com/hashicorp/vault/pull/20150)]
+* api: `/sys/internal/counters/config` endpoint now contains read-only
+`reporting_enabled` and `billing_start_timestamp` fields. [[GH-20086](https://github.com/hashicorp/vault/pull/20086)]
+* core (enterprise): add configuration for license reporting [[GH-19891](https://github.com/hashicorp/vault/pull/19891)]
+* core (enterprise): license updates trigger a reload of reporting and the activity log [[GH-20680](https://github.com/hashicorp/vault/pull/20680)]
+* core (enterprise): support reloading configuration for automated reporting via SIGHUP [[GH-20680](https://github.com/hashicorp/vault/pull/20680)]
+* core (enterprise): vault server command now allows for opt-out of automated
+reporting via the `OPTOUT_LICENSE_REPORTING` environment variable. [[GH-3939](https://github.com/hashicorp/vault/pull/3939)]
+* core/activity: error when attempting to update retention configuration below the minimum [[GH-20078](https://github.com/hashicorp/vault/pull/20078)]
+* core/activity: refactor the activity log's generation of precomputed queries [[GH-20073](https://github.com/hashicorp/vault/pull/20073)]
+* ui: updates clients configuration edit form state based on census reporting configuration [[GH-20125](https://github.com/hashicorp/vault/pull/20125)]
+
+BUG FIXES:
+
+* core (enterprise): Don't delete backend stored data that appears to be filterable
+on this secondary if we don't have a corresponding mount entry.
+* core/activity: add namespace breakdown for new clients when date range spans multiple months, including the current month. [[GH-18766](https://github.com/hashicorp/vault/pull/18766)]
+* core/activity: de-duplicate namespaces when historical and current month data are mixed [[GH-18452](https://github.com/hashicorp/vault/pull/18452)]
+* core/activity: fix the end_date returned from the activity log endpoint when partial counts are computed [[GH-17856](https://github.com/hashicorp/vault/pull/17856)]
+* core/activity: include mount counts when de-duplicating current and historical month data [[GH-18598](https://github.com/hashicorp/vault/pull/18598)]
+* core/activity: report mount paths (rather than mount accessors) in current month activity log counts and include deleted mount paths in precomputed queries. [[GH-18916](https://github.com/hashicorp/vault/pull/18916)]
+* core/activity: return partial month counts when querying a historical date range and no historical data exists. [[GH-17935](https://github.com/hashicorp/vault/pull/17935)]
+* core: Change where we evaluate filtered paths as part of mount operations; this is part of an enterprise bugfix that will
+have its own changelog entry.  Fix wrong lock used in ListAuths link meta interface implementation. [[GH-21260](https://github.com/hashicorp/vault/pull/21260)]
+* core: Do not cache seal configuration to fix a bug that resulted in sporadic auto unseal failures. [[GH-21223](https://github.com/hashicorp/vault/pull/21223)]
+* core: Don't exit just because we think there's a potential deadlock. [[GH-21342](https://github.com/hashicorp/vault/pull/21342)]
+* core: Fix panic in sealed nodes using raft storage trying to emit raft metrics [[GH-21249](https://github.com/hashicorp/vault/pull/21249)]
+* identity: Fixes duplicate groups creation with the same name but unique IDs. [[GH-20964](https://github.com/hashicorp/vault/pull/20964)]
+* replication (enterprise): Fix a race condition with update-primary that could result in data loss after a DR failover
+* replication (enterprise): Fix path filters deleting data right after it's written by backend Initialize funcs
+* storage/raft: Fix race where new follower joining can get pruned by dead server cleanup. [[GH-20986](https://github.com/hashicorp/vault/pull/20986)]
+
+## 1.12.7
+### June 08, 2023
+
+SECURITY:
+
+* ui: key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11. [[HSEC-2023-17](https://discuss.hashicorp.com/t/hcsec-2023-17-vault-s-kv-diff-viewer-allowed-html-injection/54814)]
+
+CHANGES:
+
+* core: Bump Go version to 1.19.9.
+* core: Revert #19676 (VAULT_GRPC_MIN_CONNECT_TIMEOUT env var) as we decided it was unnecessary. [[GH-20826](https://github.com/hashicorp/vault/pull/20826)]
+
+IMPROVEMENTS:
+
+* audit: add a `mount_point` field to audit requests and response entries [[GH-20411](https://github.com/hashicorp/vault/pull/20411)]
+* command/server: Add support for dumping pprof files to the filesystem via SIGUSR2 when
+`VAULT_PPROF_WRITE_TO_FILE=true` is set on the server. [[GH-20609](https://github.com/hashicorp/vault/pull/20609)]
+* core: include namespace path in granting_policies block of audit log
+* openapi: Fix generated types for duration strings [[GH-20841](https://github.com/hashicorp/vault/pull/20841)]
+* sdk/framework: Fix non-deterministic ordering of 'required' fields in OpenAPI spec [[GH-20881](https://github.com/hashicorp/vault/pull/20881)]
+* secrets/pki: add subject key identifier to read key response [[GH-20642](https://github.com/hashicorp/vault/pull/20642)]
+* ui: update TTL picker for consistency [[GH-18114](https://github.com/hashicorp/vault/pull/18114)]
+
+BUG FIXES:
+
+* api: Properly Handle nil identity_policies in Secret Data [[GH-20636](https://github.com/hashicorp/vault/pull/20636)]
+* auth/ldap: Set default value for `max_page_size` properly [[GH-20453](https://github.com/hashicorp/vault/pull/20453)]
+* cli: CLI should take days as a unit of time for ttl like flags [[GH-20477](https://github.com/hashicorp/vault/pull/20477)]
+* cli: disable printing flags warnings messages for the ssh command [[GH-20502](https://github.com/hashicorp/vault/pull/20502)]
+* core (enterprise): Fix log shipper buffer size overflow issue for 32 bit architecture.
+* core (enterprise): Fix logshipper buffer size to default to DefaultBufferSize only when reported system memory is zero.
+* core (enterprise): Remove MFA Enforcment configuration for namespace when deleting namespace
+* core: prevent panic on login after namespace is deleted that had mfa enforcement [[GH-20375](https://github.com/hashicorp/vault/pull/20375)]
+* replication (enterprise): Fix a race condition with invalid tokens during WAL streaming that was causing Secondary clusters to be unable to connect to a Primary.
+* replication (enterprise): fix bug where secondary grpc connections would timeout when connecting to a primary host that no longer exists.
+* secrets/transform (enterprise): Fix a caching bug affecting secondary nodes after a tokenization key rotation
+* secrets/transit: Fix export of HMAC-only key, correctly exporting the key used for sign operations. For consumers of the previously incorrect key, use the plaintext export to retrieve these incorrect keys and import them as new versions.
+secrets/transit: Fix bug related to shorter dedicated HMAC key sizing.
+sdk/helper/keysutil: New HMAC type policies will have HMACKey equal to Key and be copied over on import. [[GH-20864](https://github.com/hashicorp/vault/pull/20864)]
+* ui: Fixes issue unsealing cluster for seal types other than shamir [[GH-20897](https://github.com/hashicorp/vault/pull/20897)]
+
+## 1.12.6
+### April 26, 2023
+
+CHANGES:
+
+* core: Bump Go version to 1.19.8.
+
+IMPROVEMENTS:
+
+* cli/namespace: Add detailed flag to output additional namespace information
+such as namespace IDs and custom metadata. [[GH-20243](https://github.com/hashicorp/vault/pull/20243)]
+* core/activity: add an endpoint to write test activity log data, guarded by a build flag [[GH-20019](https://github.com/hashicorp/vault/pull/20019)]
+* core: Add a `raft` sub-field to the `storage` and `ha_storage` details provided by the
+`/sys/config/state/sanitized` endpoint in order to include the `max_entry_size`. [[GH-20044](https://github.com/hashicorp/vault/pull/20044)]
+* sdk/ldaputil: added `connection_timeout` to tune connection timeout duration
+for all LDAP plugins. [[GH-20144](https://github.com/hashicorp/vault/pull/20144)]
+* secrets/pki: Decrease size and improve compatibility of OCSP responses by removing issuer certificate. [[GH-20201](https://github.com/hashicorp/vault/pull/20201)]
+
+BUG FIXES:
+
+* auth/ldap: Add max_page_size configurable to LDAP configuration [[GH-19032](https://github.com/hashicorp/vault/pull/19032)]
+* command/server: Fix incorrect paths in generated config for `-dev-tls` flag on Windows [[GH-20257](https://github.com/hashicorp/vault/pull/20257)]
+* core (enterprise): Fix intermittent issue with token entries sometimes not being found when using a newly created token in a request to a secondary, even when SSCT `new_token` forwarding is set. When this occurred, this would result in the following error to the client: `error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue`.
+* core (enterprise): Fix read on perf standbys failing with 412 after leadership change, unseal, restores or restarts when no writes occur
+* core/ssct (enterprise): Fixed race condition where a newly promoted DR may revert `sscGenCounter`
+resulting in 412 errors.
+* core: Fix regression breaking non-raft clusters whose nodes share the same cluster_addr/api_addr. [[GH-19721](https://github.com/hashicorp/vault/pull/19721)]
+* helper/random: Fix race condition in string generator helper [[GH-19875](https://github.com/hashicorp/vault/pull/19875)]
+* kmip (enterprise): Fix a problem decrypting with keys that have no Process Start Date attribute.
+* openapi: Fix many incorrect details in generated API spec, by using better techniques to parse path regexps [[GH-18554](https://github.com/hashicorp/vault/pull/18554)]
+* pki: Fix automatically turning off CRL signing on upgrade to Vault >= 1.12, if CA Key Usage disallows it [[GH-20220](https://github.com/hashicorp/vault/pull/20220)]
+* replication (enterprise): Fix a caching issue when replicating filtered data to
+a performance secondary. This resulted in the data being set to nil in the cache
+and a "invalid value" error being returned from the API.
+* replication (enterprise): Fix replication status for Primary clusters showing its primary cluster's information (in case of DR) in secondaries field when known_secondaries field is nil
+* secrets/pki: Fix patching of leaf_not_after_behavior on issuers. [[GH-20341](https://github.com/hashicorp/vault/pull/20341)]
+* secrets/transform (enterprise): Address SQL connection leak when cleaning expired tokens
+* ui: Fix OIDC provider logo showing when domain doesn't match [[GH-20263](https://github.com/hashicorp/vault/pull/20263)]
+* ui: Fix bad link to namespace when namespace name includes `.` [[GH-19799](https://github.com/hashicorp/vault/pull/19799)]
+* ui: fixes browser console formatting for help command output [[GH-20064](https://github.com/hashicorp/vault/pull/20064)]
+* ui: remove use of htmlSafe except when first sanitized [[GH-20235](https://github.com/hashicorp/vault/pull/20235)]
+
+## 1.12.5
+### March 29, 2023
+
+SECURITY:
+
+* storage/mssql: When using Vault’s community-supported Microsoft SQL (MSSQL) database storage backend, a privileged attacker with the ability to write arbitrary data to Vault’s configuration may be able to perform arbitrary SQL commands on the underlying database server through Vault. This vulnerability, CVE-2023-0620, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [[HCSEC-2023-12](https://discuss.hashicorp.com/t/hcsec-2023-12-vault-s-microsoft-sql-database-storage-backend-vulnerable-to-sql-injection-via-configuration-file/52080)]
+* secrets/pki: Vault’s PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate issuance. This vulnerability, CVE-2023-0665, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [[HCSEC-2023-11](https://discuss.hashicorp.com/t/hcsec-2023-11-vault-s-pki-issuer-endpoint-did-not-correctly-authorize-access-to-issuer-metadata/52079)]
+* core: HashiCorp Vault’s implementation of Shamir’s secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares. This vulnerability, CVE-2023-25000, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [[HCSEC-2023-10](https://discuss.hashicorp.com/t/hcsec-2023-10-vault-vulnerable-to-cache-timing-attacks-during-seal-and-unseal-operations/52078)]
+
+IMPROVEMENTS:
+
+* auth/github: Allow for an optional Github auth token environment variable to make authenticated requests when fetching org id
+website/docs: Add docs for `VAULT_AUTH_CONFIG_GITHUB_TOKEN` environment variable when writing Github config [[GH-19244](https://github.com/hashicorp/vault/pull/19244)]
+* core: Allow overriding gRPC connect timeout via VAULT_GRPC_MIN_CONNECT_TIMEOUT. This is an env var rather than a config setting because we don't expect this to ever be needed.  It's being added as a last-ditch
+option in case all else fails for some replication issues we may not have fully reproduced. [[GH-19676](https://github.com/hashicorp/vault/pull/19676)]
+* core: validate name identifiers in mssql physical storage backend prior use [[GH-19591](https://github.com/hashicorp/vault/pull/19591)]
+
+BUG FIXES:
+
+* cli: Fix vault read handling to return raw data as secret.Data when there is no top-level data object from api response. [[GH-17913](https://github.com/hashicorp/vault/pull/17913)]
+* core (enterprise): Attempt to reconnect to a PKCS#11 HSM if we retrieve a CKR_FUNCTION_FAILED error.
+* core: Fixed issue with remounting mounts that have a non-trailing space in the 'to' or 'from' paths. [[GH-19585](https://github.com/hashicorp/vault/pull/19585)]
+* kmip (enterprise): Do not require attribute Cryptographic Usage Mask when registering Secret Data managed objects.
+* kmip (enterprise): Fix a problem forwarding some requests to the active node.
+* openapi: Fix logic for labeling unauthenticated/sudo paths. [[GH-19600](https://github.com/hashicorp/vault/pull/19600)]
+* secrets/ldap: Invalidates WAL entry for static role if `password_policy` has changed. [[GH-19641](https://github.com/hashicorp/vault/pull/19641)]
+* secrets/transform (enterprise): Fix persistence problem with rotated tokenization key versions
+* ui: fixes issue navigating back a level using the breadcrumb from secret metadata view [[GH-19703](https://github.com/hashicorp/vault/pull/19703)]
+* ui: pass encodeBase64 param to HMAC transit-key-actions. [[GH-19429](https://github.com/hashicorp/vault/pull/19429)]
+* ui: use URLSearchParams interface to capture namespace param from SSOs (ex. ADFS) with decoded state param in callback url [[GH-19460](https://github.com/hashicorp/vault/pull/19460)]
+
+## 1.12.4
+### March 01, 2023
+
+SECURITY:
+* auth/approle: When using the Vault and Vault Enterprise (Vault) approle auth method, any authenticated user with access to the /auth/approle/role/:role_name/secret-id-accessor/destroy endpoint can destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability, CVE-2023-24999 has been fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above. [[HSEC-2023-07](https://discuss.hashicorp.com/t/hcsec-2023-07-vault-fails-to-verify-if-approle-secretid-belongs-to-role-during-a-destroy-operation/51305)]
+
+CHANGES:
+
+* core: Bump Go version to 1.19.6.
+
+IMPROVEMENTS:
+
+* secrets/database: Adds error message requiring password on root crednetial rotation. [[GH-19103](https://github.com/hashicorp/vault/pull/19103)]
+* ui: remove wizard [[GH-19220](https://github.com/hashicorp/vault/pull/19220)]
+
+BUG FIXES:
+
+* auth/approle: Add nil check for the secret ID entry when deleting via secret id accessor preventing cross role secret id deletion [[GH-19186](https://github.com/hashicorp/vault/pull/19186)]
+* core (enterprise): Fix panic when using invalid accessor for control-group request
+* core (enterprise): Fix perf standby WAL streaming silently failures when replication setup happens at a bad time.
+* core: Prevent panics in `sys/leases/lookup`, `sys/leases/revoke`, and `sys/leases/renew` endpoints if provided `lease_id` is null [[GH-18951](https://github.com/hashicorp/vault/pull/18951)]
+* license (enterprise): Fix bug where license would update even if the license didn't change.
+* replication (enterprise): Fix bug where reloading external plugin on a secondary would
+break replication.
+* secrets/ad: Fix bug where config couldn't be updated unless binddn/bindpass were included in the update. [[GH-18207](https://github.com/hashicorp/vault/pull/18207)]
+* secrets/pki: Revert fix for PR [18938](https://github.com/hashicorp/vault/pull/18938) [[GH-19037](https://github.com/hashicorp/vault/pull/19037)]
+* server/config:  Use file.Stat when checking file permissions when VAULT_ENABLE_FILE_PERMISSIONS_CHECK is enabled [[GH-19311](https://github.com/hashicorp/vault/pull/19311)]
+* ui (enterprise): Fix cancel button from transform engine role creation page [[GH-19135](https://github.com/hashicorp/vault/pull/19135)]
+* ui: Fix bug where logging in via OIDC fails if browser is in fullscreen mode [[GH-19071](https://github.com/hashicorp/vault/pull/19071)]
+* ui: fixes reliance on secure context (https) by removing methods using the Crypto interface [[GH-19410](https://github.com/hashicorp/vault/pull/19410)]
+* ui: show Get credentials button for static roles detail page when a user has the proper permissions. [[GH-19190](https://github.com/hashicorp/vault/pull/19190)]
+
+## 1.12.3
+### February 6, 2023
+
+CHANGES:
+
+* core: Bump Go version to 1.19.4.
+
+IMPROVEMENTS:
+
+* audit: Include stack trace when audit logging recovers from a panic. [[GH-18121](https://github.com/hashicorp/vault/pull/18121)]
+* command/server: Environment variable keys are now logged at startup. [[GH-18125](https://github.com/hashicorp/vault/pull/18125)]
+* core/fips: use upstream toolchain for FIPS 140-2 compliance again; this will appear as X=boringcrypto on the Go version in Vault server logs.
+* core: Add read support to `sys/loggers` and `sys/loggers/:name` endpoints [[GH-17979](https://github.com/hashicorp/vault/pull/17979)]
+* plugins: Let Vault unseal and mount deprecated builtin plugins in a
+deactivated state if this is not the first unseal after an upgrade. [[GH-17879](https://github.com/hashicorp/vault/pull/17879)]
+* secrets/db/mysql: Add `tls_server_name` and `tls_skip_verify` parameters [[GH-18799](https://github.com/hashicorp/vault/pull/18799)]
+* secrets/kv: new KVv2 mounts and KVv1 mounts without any keys will upgrade synchronously, allowing for instant use [[GH-17406](https://github.com/hashicorp/vault/pull/17406)]
+* storage/raft: add additional raft metrics relating to applied index and heartbeating; also ensure OSS standbys emit periodic metrics. [[GH-12166](https://github.com/hashicorp/vault/pull/12166)]
+* ui: Added JWT authentication warning message about blocked pop-up windows and web browser settings. [[GH-18787](https://github.com/hashicorp/vault/pull/18787)]
+* ui: Prepends "passcode=" if not provided in user input for duo totp mfa method authentication [[GH-18342](https://github.com/hashicorp/vault/pull/18342)]
+* ui: Update language on database role to "Connection name" [[GH-18261](https://github.com/hashicorp/vault/issues/18261)] [[GH-18350](https://github.com/hashicorp/vault/pull/18350)]
+
+BUG FIXES:
+
+* auth/approle: Fix `token_bound_cidrs` validation when using /32 blocks for role and secret ID [[GH-18145](https://github.com/hashicorp/vault/pull/18145)]
+* auth/cert: Address a race condition accessing the loaded crls without a lock [[GH-18945](https://github.com/hashicorp/vault/pull/18945)]
+* auth/kubernetes: Ensure a consistent TLS configuration for all k8s API requests [[#173](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/173)] [[GH-18716](https://github.com/hashicorp/vault/pull/18716)]
+* cli/kv: skip formatting of nil secrets for patch and put with field parameter set [[GH-18163](https://github.com/hashicorp/vault/pull/18163)]
+* command/namespace: Fix vault cli namespace patch examples in help text. [[GH-18143](https://github.com/hashicorp/vault/pull/18143)]
+* core (enterprise): Fix a race condition resulting in login errors to PKCS#11 modules under high concurrency.
+* core/managed-keys (enterprise): Limit verification checks to mounts in a key's namespace
+* core/quotas (enterprise): Fix a potential deadlock that could occur when using lease count quotas.
+* core/quotas: Fix issue with improper application of default rate limit quota exempt paths [[GH-18273](https://github.com/hashicorp/vault/pull/18273)]
+* core/seal: Fix regression handling of the key_id parameter in seal configuration HCL. [[GH-17612](https://github.com/hashicorp/vault/pull/17612)]
+* core: fix bug where context cancellations weren't forwarded to active node from performance standbys.
+* core: prevent panic in login mfa enforcement delete after enforcement's namespace is deleted [[GH-18923](https://github.com/hashicorp/vault/pull/18923)]
+* database/mongodb: Fix writeConcern set to be applied to any query made on the database [[GH-18546](https://github.com/hashicorp/vault/pull/18546)]
+* expiration: Prevent panics on perf standbys when an irrevocable lease gets deleted. [[GH-18401](https://github.com/hashicorp/vault/pull/18401)]
+* kmip (enterprise): Fix Destroy operation response that omitted Unique Identifier on some batched responses.
+* kmip (enterprise): Fix Locate operation response incompatibility with clients using KMIP versions prior to 1.3.
+* kmip (enterprise): Fix Query operation response that omitted streaming capability and supported profiles.
+* licensing (enterprise): update autoloaded license cache after reload
+* plugins: Allow running external plugins which override deprecated builtins. [[GH-17879](https://github.com/hashicorp/vault/pull/17879)]
+* plugins: Listing all plugins while audit logging is enabled will no longer result in an internal server error. [[GH-18173](https://github.com/hashicorp/vault/pull/18173)]
+* plugins: Skip loading but still mount data associated with missing plugins on unseal. [[GH-18189](https://github.com/hashicorp/vault/pull/18189)]
+* sdk: Don't panic if system view or storage methods called during plugin setup. [[GH-18210](https://github.com/hashicorp/vault/pull/18210)]
+* secrets/pki: Address nil panic when an empty POST request is sent to the OCSP handler [[GH-18184](https://github.com/hashicorp/vault/pull/18184)]
+* secrets/pki: Allow patching issuer to set an empty issuer name. [[GH-18466](https://github.com/hashicorp/vault/pull/18466)]
+* secrets/pki: OCSP GET request parameter was not being URL unescaped before processing. [[GH-18938](https://github.com/hashicorp/vault/pull/18938)]
+* secrets/pki: fix race between tidy's cert counting and tidy status reporting. [[GH-18899](https://github.com/hashicorp/vault/pull/18899)]
+* secrets/transit: Do not warn about unrecognized parameter 'batch_input' [[GH-18299](https://github.com/hashicorp/vault/pull/18299)]
+* secrets/transit: Honor `partial_success_response_code` on decryption failures. [[GH-18310](https://github.com/hashicorp/vault/pull/18310)]
+* storage/raft (enterprise): An already joined node can rejoin by wiping storage
+and re-issueing a join request, but in doing so could transiently become a
+non-voter.  In some scenarios this resulted in loss of quorum. [[GH-18263](https://github.com/hashicorp/vault/pull/18263)]
+* storage/raft: Don't panic on unknown raft ops [[GH-17732](https://github.com/hashicorp/vault/pull/17732)]
+* ui: cleanup unsaved auth method ember data record when navigating away from mount backend form [[GH-18651](https://github.com/hashicorp/vault/pull/18651)]
+* ui: fixes query parameters not passed in api explorer test requests [[GH-18743](https://github.com/hashicorp/vault/pull/18743)]
+## 1.12.2
+### November 30, 2022
+
+CHANGES:
+
+* core: Bump Go version to 1.19.3.
+* plugins: Mounts can no longer be pinned to a specific _builtin_ version. Mounts previously pinned to a specific builtin version will now automatically upgrade to the latest builtin version, and may now be overridden if an unversioned plugin of the same name and type is registered. Mounts using plugin versions without `builtin` in their metadata remain unaffected. [[GH-18051](https://github.com/hashicorp/vault/pull/18051)]
+
+IMPROVEMENTS:
+
+* secrets/pki: Allow issuer creation, import to change default issuer via `default_follows_latest_issuer`. [[GH-17824](https://github.com/hashicorp/vault/pull/17824)]
+* storage/raft: Add `retry_join_as_non_voter` config option. [[GH-18030](https://github.com/hashicorp/vault/pull/18030)]
+
+BUG FIXES:
+
+* auth/okta: fix a panic for AuthRenew in Okta [[GH-18011](https://github.com/hashicorp/vault/pull/18011)]
+* auth: Deduplicate policies prior to ACL generation [[GH-17914](https://github.com/hashicorp/vault/pull/17914)]
+* cli: Fix issue preventing kv commands from executing properly when the mount path provided by `-mount` flag and secret key path are the same. [[GH-17679](https://github.com/hashicorp/vault/pull/17679)]
+* core (enterprise): Supported storage check in `vault server` command will no longer prevent startup. Instead, a warning will be logged if configured to use storage backend other than `raft` or `consul`.
+* core/quotas (enterprise): Fix a lock contention issue that could occur and cause Vault to become unresponsive when creating, changing, or deleting lease count quotas.
+* core: Fix potential deadlock if barrier ciphertext is less than 4 bytes. [[GH-17944](https://github.com/hashicorp/vault/pull/17944)]
+* core: fix a start up race condition where performance standbys could go into a
+  mount loop if default policies are not yet synced from the active node. [[GH-17801](https://github.com/hashicorp/vault/pull/17801)]
+* plugins: Only report deprecation status for builtin plugins. [[GH-17816](https://github.com/hashicorp/vault/pull/17816)]
+* plugins: Vault upgrades will no longer fail if a mount has been created using an explicit builtin plugin version. [[GH-18051](https://github.com/hashicorp/vault/pull/18051)]
+* secret/pki: fix bug with initial legacy bundle migration (from < 1.11 into 1.11+) and missing issuers from ca_chain [[GH-17772](https://github.com/hashicorp/vault/pull/17772)]
+* secrets/azure: add WAL to clean up role assignments if errors occur [[GH-18086](https://github.com/hashicorp/vault/pull/18086)]
+* secrets/gcp: Fixes duplicate service account key for rotate root on standby or secondary [[GH-18111](https://github.com/hashicorp/vault/pull/18111)]
+* secrets/pki: Fix upgrade of missing expiry, delta_rebuild_interval by setting them to the default. [[GH-17693](https://github.com/hashicorp/vault/pull/17693)]
+* ui: Fixes issue with not being able to download raft snapshot via service worker [[GH-17769](https://github.com/hashicorp/vault/pull/17769)]
+* ui: fix entity policies list link to policy show page [[GH-17950](https://github.com/hashicorp/vault/pull/17950)]
+
+## 1.12.1
+### November 2, 2022
+
+IMPROVEMENTS:
+
+* api: Support VAULT_DISABLE_REDIRECTS environment variable (and --disable-redirects flag) to disable default client behavior and prevent the client following any redirection responses. [[GH-17352](https://github.com/hashicorp/vault/pull/17352)]
+* database/snowflake: Allow parallel requests to Snowflake [[GH-17593](https://github.com/hashicorp/vault/pull/17593)]
+* plugins: Add plugin version information to key plugin lifecycle log lines. [[GH-17430](https://github.com/hashicorp/vault/pull/17430)]
+* sdk/ldap: Added support for paging when searching for groups using group filters [[GH-17640](https://github.com/hashicorp/vault/pull/17640)]
+
+BUG FIXES:
+
+* cli: Remove empty table heading for `vault secrets list -detailed` output. [[GH-17577](https://github.com/hashicorp/vault/pull/17577)]
+* core/managed-keys (enterprise): Return better error messages when encountering key creation failures
+* core/managed-keys (enterprise): Switch to using hash length as PSS Salt length within the test/sign api for better PKCS#11 compatibility
+* core: Fix panic caused in Vault Agent when rendering certificate templates [[GH-17419](https://github.com/hashicorp/vault/pull/17419)]
+* core: Fixes spurious warnings being emitted relating to "unknown or unsupported fields" for JSON config [[GH-17660](https://github.com/hashicorp/vault/pull/17660)]
+* core: prevent memory leak when using control group factors in a policy [[GH-17532](https://github.com/hashicorp/vault/pull/17532)]
+* core: prevent panic during mfa after enforcement's namespace is deleted [[GH-17562](https://github.com/hashicorp/vault/pull/17562)]
+* kmip (enterprise): Fix a problem in the handling of attributes that caused Import operations to fail.
+* kmip (enterprise): Fix selection of Cryptographic Parameters for Encrypt/Decrypt operations.
+* login: Store token in tokenhelper for interactive login MFA [[GH-17040](https://github.com/hashicorp/vault/pull/17040)]
+* secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [[GH-17497](https://github.com/hashicorp/vault/pull/17497)]
+* ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [[GH-17661](https://github.com/hashicorp/vault/pull/17661)]
+
+## 1.12.0
+### October 13, 2022
+
+SECURITY:
+
+* secrets/pki: Vault’s TLS certificate auth method did not initially load the optionally-configured CRL issued by the role’s CA into memory on startup, resulting in the revocation list not being checked, if the CRL has not yet been retrieved. This vulnerability, CVE-2022-41316, is fixed in Vault 1.12.0, 1.11.4, 1.10.7, and 1.9.10. [[HSEC-2022-24](https://discuss.hashicorp.com/t/hcsec-2022-24-vaults-tls-cert-auth-method-only-loaded-crl-after-first-request/45483)]
+
+CHANGES:
+
+* api: Exclusively use `GET /sys/plugins/catalog` endpoint for listing plugins, and add `details` field to list responses. [[GH-17347](https://github.com/hashicorp/vault/pull/17347)]
+* auth: `GET /sys/auth/:name` endpoint now returns an additional `deprecation_status` field in the response data for builtins. [[GH-16849](https://github.com/hashicorp/vault/pull/16849)]
+* auth: `GET /sys/auth` endpoint now returns an additional `deprecation_status` field in the response data for builtins. [[GH-16849](https://github.com/hashicorp/vault/pull/16849)]
+* auth: `POST /sys/auth/:type` endpoint response contains a warning for `Deprecated` auth methods. [[GH-17058](https://github.com/hashicorp/vault/pull/17058)]
+* auth: `auth enable` returns an error and `POST /sys/auth/:type` endpoint reports an error for `Pending Removal` auth methods. [[GH-17005](https://github.com/hashicorp/vault/pull/17005)]
+* core/entities: Fixed stranding of aliases upon entity merge, and require explicit selection of which aliases should be kept when some must be deleted [[GH-16539](https://github.com/hashicorp/vault/pull/16539)]
+* core: Bump Go version to 1.19.2.
+* core: Validate input parameters for vault operator init command. Vault 1.12 CLI version is needed to run operator init now. [[GH-16379](https://github.com/hashicorp/vault/pull/16379)]
+* identity: a request to `/identity/group` that includes `member_group_ids` that contains a cycle will now be responded to with a 400 rather than 500 [[GH-15912](https://github.com/hashicorp/vault/pull/15912)]
+* licensing (enterprise): Terminated licenses will no longer result in shutdown. Instead, upgrades will not be allowed if the license expiration time is before the build date of the binary.
+* plugins: Add plugin version to auth register, list, and mount table [[GH-16856](https://github.com/hashicorp/vault/pull/16856)]
+* plugins: `GET /sys/plugins/catalog/:type/:name` endpoint contains deprecation status for builtin plugins. [[GH-17077](https://github.com/hashicorp/vault/pull/17077)]
+* plugins: `GET /sys/plugins/catalog/:type/:name` endpoint now returns an additional `version` field in the response data. [[GH-16688](https://github.com/hashicorp/vault/pull/16688)]
+* plugins: `GET /sys/plugins/catalog/` endpoint contains deprecation status in `detailed` list. [[GH-17077](https://github.com/hashicorp/vault/pull/17077)]
+* plugins: `GET /sys/plugins/catalog` endpoint now returns an additional `detailed` field in the response data with a list of additional plugin metadata. [[GH-16688](https://github.com/hashicorp/vault/pull/16688)]
+* plugins: `plugin info` displays deprecation status for builtin plugins. [[GH-17077](https://github.com/hashicorp/vault/pull/17077)]
+* plugins: `plugin list` now accepts a `-detailed` flag, which display deprecation status and version info. [[GH-17077](https://github.com/hashicorp/vault/pull/17077)]
+* secrets/azure: Removed deprecated AAD graph API support from the secrets engine. [[GH-17180](https://github.com/hashicorp/vault/pull/17180)]
+* secrets: All database-specific (standalone DB) secrets engines are now marked `Pending Removal`. [[GH-17038](https://github.com/hashicorp/vault/pull/17038)]
+* secrets: `GET /sys/mounts/:name` endpoint now returns an additional `deprecation_status` field in the response data for builtins. [[GH-16849](https://github.com/hashicorp/vault/pull/16849)]
+* secrets: `GET /sys/mounts` endpoint now returns an additional `deprecation_status` field in the response data for builtins. [[GH-16849](https://github.com/hashicorp/vault/pull/16849)]
+* secrets: `POST /sys/mounts/:type` endpoint response contains a warning for `Deprecated` secrets engines. [[GH-17058](https://github.com/hashicorp/vault/pull/17058)]
+* secrets: `secrets enable` returns an error and `POST /sys/mount/:type` endpoint reports an error for `Pending Removal` secrets engines. [[GH-17005](https://github.com/hashicorp/vault/pull/17005)]
+
+FEATURES:
+
+* **GCP Cloud KMS support for managed keys**: Managed keys now support using GCP Cloud KMS keys
+* **LDAP Secrets Engine**: Adds the `ldap` secrets engine with service account check-out functionality for all supported schemas. [[GH-17152](https://github.com/hashicorp/vault/pull/17152)]
+* **OCSP Responder**: PKI mounts now have an OCSP responder that implements a subset of RFC6960, answering single serial number OCSP requests for a specific cluster's revoked certificates in a mount. [[GH-16723](https://github.com/hashicorp/vault/pull/16723)]
+* **Redis DB Engine**: Adding the new Redis database engine that supports the generation of static and dynamic user roles and root credential rotation on a stand alone Redis server. [[GH-17070](https://github.com/hashicorp/vault/pull/17070)]
+* **Redis ElastiCache DB Plugin**: Added Redis ElastiCache as a built-in plugin. [[GH-17075](https://github.com/hashicorp/vault/pull/17075)]
+* **Secrets/auth plugin multiplexing**: manage multiple plugin configurations with a single plugin process [[GH-14946](https://github.com/hashicorp/vault/pull/14946)]
+* **Transform Key Import (BYOK)**: The transform secrets engine now supports importing keys for tokenization and FPE transformations
+* HCP (enterprise): Adding foundational support for self-managed vault nodes to securely communicate with [HashiCorp Cloud Platform](https://cloud.hashicorp.com) as an opt-in feature
+* ui: UI support for Okta Number Challenge. [[GH-15998](https://github.com/hashicorp/vault/pull/15998)]
+* **Plugin Versioning**: Vault supports registering, managing, and running plugins with semantic versions specified.
+
+IMPROVEMENTS:
+
+* core/managed-keys (enterprise): Allow operators to specify PSS signatures and/or hash algorithm for the test/sign api
+* activity (enterprise): Added new clients unit tests to test accuracy of estimates
+* agent/auto-auth: Add `exit_on_err` which when set to true, will cause Agent to exit if any errors are encountered during authentication. [[GH-17091](https://github.com/hashicorp/vault/pull/17091)]
+* agent: Added `disable_idle_connections` configuration to disable leaving idle connections open in auto-auth, caching and templating. [[GH-15986](https://github.com/hashicorp/vault/pull/15986)]
+* agent: Added `disable_keep_alives` configuration to disable keep alives in auto-auth, caching and templating. [[GH-16479](https://github.com/hashicorp/vault/pull/16479)]
+* agent: JWT auto auth now supports a `remove_jwt_after_reading` config option which defaults to true. [[GH-11969](https://github.com/hashicorp/vault/pull/11969)]
+* agent: Send notifications to systemd on start and stop. [[GH-9802](https://github.com/hashicorp/vault/pull/9802)]
+* api/mfa: Add namespace path to the MFA read/list endpoint [[GH-16911](https://github.com/hashicorp/vault/pull/16911)]
+* api: Add a sentinel error for missing KV secrets [[GH-16699](https://github.com/hashicorp/vault/pull/16699)]
+* auth/alicloud: Enables AliCloud roles to be compatible with Vault's role based quotas. [[GH-17251](https://github.com/hashicorp/vault/pull/17251)]
+* auth/approle: SecretIDs can now be generated with an per-request specified TTL and num_uses.
+When either the ttl and num_uses fields are not specified, the role's configuration is used. [[GH-14474](https://github.com/hashicorp/vault/pull/14474)]
+* auth/aws: PKCS7 signatures will now use SHA256 by default in prep for Go 1.18 [[GH-16455](https://github.com/hashicorp/vault/pull/16455)]
+* auth/azure: Enables Azure roles to be compatible with Vault's role based quotas. [[GH-17194](https://github.com/hashicorp/vault/pull/17194)]
+* auth/cert: Add metadata to identity-alias [[GH-14751](https://github.com/hashicorp/vault/pull/14751)]
+* auth/cert: Operators can now specify a CRL distribution point URL, in which case the cert auth engine will fetch and use the CRL from that location rather than needing to push CRLs directly to auth/cert. [[GH-17136](https://github.com/hashicorp/vault/pull/17136)]
+* auth/cf: Enables CF roles to be compatible with Vault's role based quotas. [[GH-17196](https://github.com/hashicorp/vault/pull/17196)]
+* auth/gcp: Add support for GCE regional instance groups [[GH-16435](https://github.com/hashicorp/vault/pull/16435)]
+* auth/gcp: Updates dependencies: `google.golang.org/api@v0.83.0`, `github.com/hashicorp/go-gcp-common@v0.8.0`. [[GH-17160](https://github.com/hashicorp/vault/pull/17160)]
+* auth/jwt: Adds support for Microsoft US Gov L4 to the Azure provider for groups fetching. [[GH-16525](https://github.com/hashicorp/vault/pull/16525)]
+* auth/jwt: Improves detection of Windows Subsystem for Linux (WSL) for CLI-based logins. [[GH-16525](https://github.com/hashicorp/vault/pull/16525)]
+* auth/kerberos: add `add_group_aliases` config to include LDAP groups in Vault group aliases [[GH-16890](https://github.com/hashicorp/vault/pull/16890)]
+* auth/kerberos: add `remove_instance_name` parameter to the login CLI and the Kerberos config in Vault. This removes any instance names found in the keytab service principal name. [[GH-16594](https://github.com/hashicorp/vault/pull/16594)]
+* auth/kubernetes: Role resolution for K8S Auth [[GH-156](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/156)] [[GH-17161](https://github.com/hashicorp/vault/pull/17161)]
+* auth/oci: Add support for role resolution. [[GH-17212](https://github.com/hashicorp/vault/pull/17212)]
+* auth/oidc: Adds support for group membership parsing when using SecureAuth as an OIDC provider. [[GH-16274](https://github.com/hashicorp/vault/pull/16274)]
+* cli: CLI commands will print a warning if flags will be ignored because they are passed after positional arguments. [[GH-16441](https://github.com/hashicorp/vault/pull/16441)]
+* cli: `auth` and `secrets` list `-detailed` commands now show Deprecation Status for builtin plugins. [[GH-16849](https://github.com/hashicorp/vault/pull/16849)]
+* cli: `vault plugin list` now has a `details` field in JSON format, and version and type information in table format. [[GH-17347](https://github.com/hashicorp/vault/pull/17347)]
+* command/audit: Improve missing type error message [[GH-16409](https://github.com/hashicorp/vault/pull/16409)]
+* command/server: add `-dev-tls` and `-dev-tls-cert-dir` subcommands to create a Vault dev server with generated certificates and private key. [[GH-16421](https://github.com/hashicorp/vault/pull/16421)]
+* command: Fix shell completion for KV v2 mounts [[GH-16553](https://github.com/hashicorp/vault/pull/16553)]
+* core (enterprise): Add HTTP PATCH support for namespaces with an associated `namespace patch` CLI command
+* core (enterprise): Add check to `vault server` command to ensure configured storage backend is supported.
+* core (enterprise): Add custom metadata support for namespaces
+* core/activity: generate hyperloglogs containing clientIds for each month during precomputation [[GH-16146](https://github.com/hashicorp/vault/pull/16146)]
+* core/activity: refactor activity log api to reuse partial api functions in activity endpoint when current month is specified [[GH-16162](https://github.com/hashicorp/vault/pull/16162)]
+* core/activity: use monthly hyperloglogs to calculate new clients approximation for current month [[GH-16184](https://github.com/hashicorp/vault/pull/16184)]
+* core/quotas (enterprise): Added ability to add path suffixes for lease-count resource quotas
+* core/quotas (enterprise): Added ability to add role information for lease-count resource quotas, to limit login requests on auth mounts made using that role
+* core/quotas: Added ability to add path suffixes for rate-limit resource quotas [[GH-15989](https://github.com/hashicorp/vault/pull/15989)]
+* core/quotas: Added ability to add role information for rate-limit resource quotas, to limit login requests on auth mounts made using that role [[GH-16115](https://github.com/hashicorp/vault/pull/16115)]
+* core: Activity log goroutine management improvements to allow tests to be more deterministic. [[GH-17028](https://github.com/hashicorp/vault/pull/17028)]
+* core: Add `sys/loggers` and `sys/loggers/:name` endpoints to provide ability to modify logging verbosity [[GH-16111](https://github.com/hashicorp/vault/pull/16111)]
+* core: Handle and log deprecated builtin mounts. Introduces `VAULT_ALLOW_PENDING_REMOVAL_MOUNTS` to override shutdown and error when attempting to mount `Pending Removal` builtin plugins. [[GH-17005](https://github.com/hashicorp/vault/pull/17005)]
+* core: Limit activity log client count usage by namespaces [[GH-16000](https://github.com/hashicorp/vault/pull/16000)]
+* core: Upgrade github.com/hashicorp/raft [[GH-16609](https://github.com/hashicorp/vault/pull/16609)]
+* core: remove gox [[GH-16353](https://github.com/hashicorp/vault/pull/16353)]
+* docs: Clarify the behaviour of local mounts in the context of DR replication [[GH-16218](https://github.com/hashicorp/vault/pull/16218)]
+* identity/oidc: Adds support for detailed listing of clients and providers. [[GH-16567](https://github.com/hashicorp/vault/pull/16567)]
+* identity/oidc: Adds the `client_secret_post` token endpoint authentication method. [[GH-16598](https://github.com/hashicorp/vault/pull/16598)]
+* identity/oidc: allows filtering the list providers response by an allowed_client_id [[GH-16181](https://github.com/hashicorp/vault/pull/16181)]
+* identity: Prevent possibility of data races on entity creation. [[GH-16487](https://github.com/hashicorp/vault/pull/16487)]
+* physical/postgresql: pass context to queries to propagate timeouts and cancellations on requests. [[GH-15866](https://github.com/hashicorp/vault/pull/15866)]
+* plugins/multiplexing: Added multiplexing support to database plugins if run as external plugins [[GH-16995](https://github.com/hashicorp/vault/pull/16995)]
+* plugins: Add Deprecation Status method to builtinregistry. [[GH-16846](https://github.com/hashicorp/vault/pull/16846)]
+* plugins: Added environment variable flag to opt-out specific plugins from multiplexing [[GH-16972](https://github.com/hashicorp/vault/pull/16972)]
+* plugins: Adding version to plugin GRPC interface [[GH-17088](https://github.com/hashicorp/vault/pull/17088)]
+* plugins: Plugin catalog supports registering and managing plugins with semantic version information. [[GH-16688](https://github.com/hashicorp/vault/pull/16688)]
+* replication (enterprise): Fix race in merkle sync that can prevent streaming by returning key value matching provided hash if found in log shipper buffer.
+* secret/nomad: allow reading CA and client auth certificate from /nomad/config/access [[GH-15809](https://github.com/hashicorp/vault/pull/15809)]
+* secret/pki: Add RSA PSS signature support for issuing certificates, signing CRLs [[GH-16519](https://github.com/hashicorp/vault/pull/16519)]
+* secret/pki: Add signature_bits to sign-intermediate, sign-verbatim endpoints [[GH-16124](https://github.com/hashicorp/vault/pull/16124)]
+* secret/pki: Allow issuing certificates with non-domain, non-email Common Names from roles, sign-verbatim, and as issuers (`cn_validations`). [[GH-15996](https://github.com/hashicorp/vault/pull/15996)]
+* secret/pki: Allow specifying SKID for cross-signed issuance from older Vault versions. [[GH-16494](https://github.com/hashicorp/vault/pull/16494)]
+* secret/transit: Allow importing Ed25519 keys from PKCS#8 with inner RFC 5915 ECPrivateKey blobs (NSS-wrapped keys). [[GH-15742](https://github.com/hashicorp/vault/pull/15742)]
+* secrets/ad: set config default length only if password_policy is missing [[GH-16140](https://github.com/hashicorp/vault/pull/16140)]
+* secrets/azure: Adds option to permanently delete AzureAD objects created by Vault. [[GH-17045](https://github.com/hashicorp/vault/pull/17045)]
+* secrets/database/hana: Add ability to customize dynamic usernames [[GH-16631](https://github.com/hashicorp/vault/pull/16631)]
+* secrets/database/snowflake: Add multiplexing support [[GH-17159](https://github.com/hashicorp/vault/pull/17159)]
+* secrets/gcp: Updates dependencies: `google.golang.org/api@v0.83.0`, `github.com/hashicorp/go-gcp-common@v0.8.0`. [[GH-17174](https://github.com/hashicorp/vault/pull/17174)]
+* secrets/gcpkms: Update dependencies: google.golang.org/api@v0.83.0. [[GH-17199](https://github.com/hashicorp/vault/pull/17199)]
+* secrets/kubernetes: upgrade to v0.2.0 [[GH-17164](https://github.com/hashicorp/vault/pull/17164)]
+* secrets/pki/tidy: Add another pair of metrics counting certificates not deleted by the tidy operation. [[GH-16702](https://github.com/hashicorp/vault/pull/16702)]
+* secrets/pki: Add a new flag to issue/sign APIs which can filter out root CAs from the returned ca_chain field [[GH-16935](https://github.com/hashicorp/vault/pull/16935)]
+* secrets/pki: Add a warning to any successful response when the requested TTL is overwritten by MaxTTL [[GH-17073](https://github.com/hashicorp/vault/pull/17073)]
+* secrets/pki: Add ability to cancel tidy operations, control tidy resource usage. [[GH-16958](https://github.com/hashicorp/vault/pull/16958)]
+* secrets/pki: Add ability to periodically rebuild CRL before expiry [[GH-16762](https://github.com/hashicorp/vault/pull/16762)]
+* secrets/pki: Add ability to periodically run tidy operations to remove expired certificates. [[GH-16900](https://github.com/hashicorp/vault/pull/16900)]
+* secrets/pki: Add support for per-issuer Authority Information Access (AIA) URLs [[GH-16563](https://github.com/hashicorp/vault/pull/16563)]
+* secrets/pki: Add support to specify signature bits when generating CSRs through intermediate/generate apis [[GH-17388](https://github.com/hashicorp/vault/pull/17388)]
+* secrets/pki: Added gauge metrics "secrets.pki.total_revoked_certificates_stored" and "secrets.pki.total_certificates_stored" to track the number of certificates in storage. [[GH-16676](https://github.com/hashicorp/vault/pull/16676)]
+* secrets/pki: Allow revocation of certificates with explicitly provided certificate (bring your own certificate / BYOC). [[GH-16564](https://github.com/hashicorp/vault/pull/16564)]
+* secrets/pki: Allow revocation via proving possession of certificate's private key [[GH-16566](https://github.com/hashicorp/vault/pull/16566)]
+* secrets/pki: Allow tidy to associate revoked certs with their issuers for OCSP performance [[GH-16871](https://github.com/hashicorp/vault/pull/16871)]
+* secrets/pki: Honor If-Modified-Since header on CA, CRL fetch; requires passthrough_request_headers modification on the mount point. [[GH-16249](https://github.com/hashicorp/vault/pull/16249)]
+* secrets/pki: Improve stability of association of revoked cert with its parent issuer; when an issuer loses crl-signing usage, do not place certs on default issuer's CRL. [[GH-16874](https://github.com/hashicorp/vault/pull/16874)]
+* secrets/pki: Support generating delta CRLs for up-to-date CRLs when auto-building is enabled. [[GH-16773](https://github.com/hashicorp/vault/pull/16773)]
+* secrets/ssh: Add allowed_domains_template to allow templating of allowed_domains. [[GH-16056](https://github.com/hashicorp/vault/pull/16056)]
+* secrets/ssh: Allow additional text along with a template definition in defaultExtension value fields. [[GH-16018](https://github.com/hashicorp/vault/pull/16018)]
+* secrets/ssh: Allow the use of Identity templates in the `default_user` field [[GH-16351](https://github.com/hashicorp/vault/pull/16351)]
+* secrets/transit: Add a dedicated HMAC key type, which can be used with key import. [[GH-16668](https://github.com/hashicorp/vault/pull/16668)]
+* secrets/transit: Added a parameter to encrypt/decrypt batch operations to allow the caller to override the HTTP response code in case of partial user-input failures. [[GH-17118](https://github.com/hashicorp/vault/pull/17118)]
+* secrets/transit: Allow configuring the possible salt lengths for RSA PSS signatures. [[GH-16549](https://github.com/hashicorp/vault/pull/16549)]
+* ssh: Addition of an endpoint `ssh/issue/:role` to allow the creation of signed key pairs [[GH-15561](https://github.com/hashicorp/vault/pull/15561)]
+* storage/cassandra: tuning parameters for clustered environments `connection_timeout`, `initial_connection_timeout`, `simple_retry_policy_retries`. [[GH-10467](https://github.com/hashicorp/vault/pull/10467)]
+* storage/gcs: Add documentation explaining how to configure the gcs backend using environment variables instead of options in the configuration stanza [[GH-14455](https://github.com/hashicorp/vault/pull/14455)]
+* ui: Changed the tokenBoundCidrs tooltip content to clarify that comma separated values are not accepted in this field. [[GH-15852](https://github.com/hashicorp/vault/pull/15852)]
+* ui: Prevents requests to /sys/internal/ui/resultant-acl endpoint when unauthenticated [[GH-17139](https://github.com/hashicorp/vault/pull/17139)]
+* ui: Removed deprecated version of core-js 2.6.11 [[GH-15898](https://github.com/hashicorp/vault/pull/15898)]
+* ui: Renamed labels under Tools for wrap, lookup, rewrap and unwrap with description. [[GH-16489](https://github.com/hashicorp/vault/pull/16489)]
+* ui: Replaces non-inclusive terms [[GH-17116](https://github.com/hashicorp/vault/pull/17116)]
+* ui: redirect_to param forwards from auth route when authenticated [[GH-16821](https://github.com/hashicorp/vault/pull/16821)]
+* website/docs: API generate-recovery-token documentation. [[GH-16213](https://github.com/hashicorp/vault/pull/16213)]
+* website/docs: Add documentation around the expensiveness of making lots of lease count quotas in a short period [[GH-16950](https://github.com/hashicorp/vault/pull/16950)]
+* website/docs: Removes mentions of unauthenticated from internal ui resultant-acl doc [[GH-17139](https://github.com/hashicorp/vault/pull/17139)]
+* website/docs: Update replication docs to mention Integrated Storage [[GH-16063](https://github.com/hashicorp/vault/pull/16063)]
+* website/docs: changed to echo for all string examples instead of (<<<) here-string. [[GH-9081](https://github.com/hashicorp/vault/pull/9081)]
+
+BUG FIXES:
+
+* agent/template: Fix parsing error for the exec stanza [[GH-16231](https://github.com/hashicorp/vault/pull/16231)]
+* agent: Agent will now respect `max_retries` retry configuration even when caching is set. [[GH-16970](https://github.com/hashicorp/vault/pull/16970)]
+* agent: Update consul-template for pkiCert bug fixes [[GH-16087](https://github.com/hashicorp/vault/pull/16087)]
+* api/sys/internal/specs/openapi: support a new "dynamic" query parameter to generate generic mountpaths [[GH-15835](https://github.com/hashicorp/vault/pull/15835)]
+* api: Fixed erroneous warnings of unrecognized parameters when unwrapping data. [[GH-16794](https://github.com/hashicorp/vault/pull/16794)]
+* api: Fixed issue with internal/ui/mounts and internal/ui/mounts/(?P<path>.+) endpoints where it was not properly handling /auth/ [[GH-15552](https://github.com/hashicorp/vault/pull/15552)]
+* api: properly handle switching to/from unix domain socket when changing client address [[GH-11904](https://github.com/hashicorp/vault/pull/11904)]
+* auth/cert: Vault does not initially load the CRLs in cert auth unless the read/write CRL endpoint is hit. [[GH-17138](https://github.com/hashicorp/vault/pull/17138)]
+* auth/kerberos: Maintain headers set by the client [[GH-16636](https://github.com/hashicorp/vault/pull/16636)]
+* auth/kubernetes: Restore support for JWT signature algorithm ES384 [[GH-160](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/160)] [[GH-17161](https://github.com/hashicorp/vault/pull/17161)]
+* auth/token: Fix ignored parameter warnings for valid parameters on token create [[GH-16938](https://github.com/hashicorp/vault/pull/16938)]
+* command/debug: fix bug where monitor was not honoring configured duration [[GH-16834](https://github.com/hashicorp/vault/pull/16834)]
+* core (enterprise): Fix bug where wrapping token lookup does not work within namespaces. [[GH-15583](https://github.com/hashicorp/vault/pull/15583)]
+* core (enterprise): Fix creation of duplicate entities via alias metadata changes on local auth mounts.
+* core/auth: Return a 403 instead of a 500 for a malformed SSCT [[GH-16112](https://github.com/hashicorp/vault/pull/16112)]
+* core/identity: Replicate member_entity_ids and policies in identity/group across nodes identically [[GH-16088](https://github.com/hashicorp/vault/pull/16088)]
+* core/license (enterprise): Always remove stored license and allow unseal to complete when license cleanup fails
+* core/managed-keys (enterprise): fix panic when having `cache_disable` true
+* core/quotas (enterprise): Fixed issue with improper counting of leases if lease count quota created after leases
+* core/quotas: Added globbing functionality on the end of path suffix quota paths [[GH-16386](https://github.com/hashicorp/vault/pull/16386)]
+* core/quotas: Fix goroutine leak caused by the seal process not fully cleaning up Rate Limit Quotas. [[GH-17281](https://github.com/hashicorp/vault/pull/17281)]
+* core/replication (enterprise): Don't flush merkle tree pages to disk after losing active duty
+* core/seal: Fix possible keyring truncation when using the file backend. [[GH-15946](https://github.com/hashicorp/vault/pull/15946)]
+* core: Fix panic when the plugin catalog returns neither a plugin nor an error. [[GH-17204](https://github.com/hashicorp/vault/pull/17204)]
+* core: Fixes parsing boolean values for ha_storage backends in config [[GH-15900](https://github.com/hashicorp/vault/pull/15900)]
+* core: Increase the allowed concurrent gRPC streams over the cluster port. [[GH-16327](https://github.com/hashicorp/vault/pull/16327)]
+* core: Prevent two or more DR failovers from invalidating SSCT tokens generated on the previous primaries. [[GH-16956](https://github.com/hashicorp/vault/pull/16956)]
+* database: Invalidate queue should cancel context first to avoid deadlock [[GH-15933](https://github.com/hashicorp/vault/pull/15933)]
+* debug: Fix panic when capturing debug bundle on Windows [[GH-14399](https://github.com/hashicorp/vault/pull/14399)]
+* debug: Remove extra empty lines from vault.log when debug command is run [[GH-16714](https://github.com/hashicorp/vault/pull/16714)]
+* identity (enterprise): Fix a data race when creating an entity for a local alias.
+* identity/oidc: Adds `claims_supported` to discovery document. [[GH-16992](https://github.com/hashicorp/vault/pull/16992)]
+* identity/oidc: Change the `state` parameter of the Authorization Endpoint to optional. [[GH-16599](https://github.com/hashicorp/vault/pull/16599)]
+* identity/oidc: Detect invalid `redirect_uri` values sooner in validation of the Authorization Endpoint. [[GH-16601](https://github.com/hashicorp/vault/pull/16601)]
+* identity/oidc: Fixes validation of the `request` and `request_uri` parameters. [[GH-16600](https://github.com/hashicorp/vault/pull/16600)]
+* openapi: Fixed issue where information about /auth/token endpoints was not present with explicit policy permissions [[GH-15552](https://github.com/hashicorp/vault/pull/15552)]
+* plugin/multiplexing: Fix panic when id doesn't exist in connection map [[GH-16094](https://github.com/hashicorp/vault/pull/16094)]
+* plugin/secrets/auth: Fix a bug with aliased backends such as aws-ec2 or generic [[GH-16673](https://github.com/hashicorp/vault/pull/16673)]
+* plugins: Corrected the path to check permissions on when the registered plugin name does not match the plugin binary's filename. [[GH-17340](https://github.com/hashicorp/vault/pull/17340)]
+* quotas/lease-count: Fix lease-count quotas on mounts not properly being enforced when the lease generating request is a read [[GH-15735](https://github.com/hashicorp/vault/pull/15735)]
+* replication (enterprise): Fix data race in SaveCheckpoint()
+* replication (enterprise): Fix data race in saveCheckpoint.
+* replication (enterprise): Fix possible data race during merkle diff/sync
+* secret/pki: Do not fail validation with a legacy key_bits default value and key_type=any when signing CSRs [[GH-16246](https://github.com/hashicorp/vault/pull/16246)]
+* secrets/database: Fix a bug where the secret engine would queue up a lot of WAL deletes during startup. [[GH-16686](https://github.com/hashicorp/vault/pull/16686)]
+* secrets/gcp: Fixes duplicate static account key creation from performance secondary clusters. [[GH-16534](https://github.com/hashicorp/vault/pull/16534)]
+* secrets/kv: Fix `kv get` issue preventing the ability to read a secret when providing a leading slash [[GH-16443](https://github.com/hashicorp/vault/pull/16443)]
+* secrets/pki: Allow import of issuers without CRLSign KeyUsage; prohibit setting crl-signing usage on such issuers [[GH-16865](https://github.com/hashicorp/vault/pull/16865)]
+* secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key [[GH-17328](https://github.com/hashicorp/vault/pull/17328)]
+* secrets/pki: Do not read revoked certificates from backend when CRL is disabled [[GH-17385](https://github.com/hashicorp/vault/pull/17385)]
+* secrets/pki: Fix migration to properly handle mounts that contain only keys, no certificates [[GH-16813](https://github.com/hashicorp/vault/pull/16813)]
+* secrets/pki: Ignore EC PARAMETER PEM blocks during issuer import (/config/ca, /issuers/import/*, and /intermediate/set-signed) [[GH-16721](https://github.com/hashicorp/vault/pull/16721)]
+* secrets/pki: LIST issuers endpoint is now unauthenticated. [[GH-16830](https://github.com/hashicorp/vault/pull/16830)]
+* secrets/transform (enterprise): Fix an issue loading tokenization transform configuration after a specific sequence of reconfigurations.
+* secrets/transform (enterprise): Fix persistence problem with tokenization store credentials.
+* storage/raft (enterprise): Fix some storage-modifying RPCs used by perf standbys that weren't returning the resulting WAL state.
+* storage/raft (enterprise): Prevent unauthenticated voter status change with rejoin [[GH-16324](https://github.com/hashicorp/vault/pull/16324)]
+* storage/raft: Fix retry_join initialization failure [[GH-16550](https://github.com/hashicorp/vault/pull/16550)]
+* storage/raft: Nodes no longer get demoted to nonvoter if we don't know their version due to missing heartbeats. [[GH-17019](https://github.com/hashicorp/vault/pull/17019)]
+* ui/keymgmt: Sets the defaultValue for type when creating a key. [[GH-17407](https://github.com/hashicorp/vault/pull/17407)]
+* ui: Fix OIDC callback to accept namespace flag in different formats [[GH-16886](https://github.com/hashicorp/vault/pull/16886)]
+* ui: Fix info tooltip submitting form [[GH-16659](https://github.com/hashicorp/vault/pull/16659)]
+* ui: Fix issue logging in with JWT auth method [[GH-16466](https://github.com/hashicorp/vault/pull/16466)]
+* ui: Fix lease force revoke action [[GH-16930](https://github.com/hashicorp/vault/pull/16930)]
+* ui: Fix naming of permitted_dns_domains form parameter on CA creation (root generation and sign intermediate). [[GH-16739](https://github.com/hashicorp/vault/pull/16739)]
+* ui: Fixed bug where red spellcheck underline appears in sensitive/secret kv values when it should not appear [[GH-15681](https://github.com/hashicorp/vault/pull/15681)]
+* ui: Fixes secret version and status menu links transitioning to auth screen [[GH-16983](https://github.com/hashicorp/vault/pull/16983)]
+* ui: OIDC login type uses localStorage instead of sessionStorage [[GH-16170](https://github.com/hashicorp/vault/pull/16170)]
+* vault: Fix a bug where duplicate policies could be added to an identity group. [[GH-15638](https://github.com/hashicorp/vault/pull/15638)]
+
+## 1.11.12
+### June 21, 2023
+
+CHANGES:
+
+* core: Bump Go version to 1.19.10.
+* licensing (enterprise): Terminated licenses will no longer result in shutdown. Instead, upgrades
+will not be allowed if the license termination time is before the build date of the binary.
+
+FEATURES:
+
+* **Automated License Utilization Reporting**: Added automated license
+utilization reporting, which sends minimal product-license [metering
+data](https://developer.hashicorp.com/vault/docs/enterprise/license/utilization-reporting)
+to HashiCorp without requiring you to manually collect and report them.
+* core (enterprise): Add background worker for automatic reporting of billing
+information. [[GH-19625](https://github.com/hashicorp/vault/pull/19625)]
+
+IMPROVEMENTS:
+
+* api: GET ... /sys/internal/counters/activity?current_billing_period=true now
+results in a response which contains the full billing period [[GH-20694](https://github.com/hashicorp/vault/pull/20694)]
+* api: `/sys/internal/counters/config` endpoint now contains read-only
+`minimum_retention_months`. [[GH-20150](https://github.com/hashicorp/vault/pull/20150)]
+* api: `/sys/internal/counters/config` endpoint now contains read-only
+`reporting_enabled` and `billing_start_timestamp` fields. [[GH-20086](https://github.com/hashicorp/vault/pull/20086)]
+* core (enterprise): add configuration for license reporting [[GH-19891](https://github.com/hashicorp/vault/pull/19891)]
+* core (enterprise): license updates trigger a reload of reporting and the activity log [[GH-20680](https://github.com/hashicorp/vault/pull/20680)]
+* core (enterprise): support reloading configuration for automated reporting via SIGHUP [[GH-20680](https://github.com/hashicorp/vault/pull/20680)]
+* core (enterprise): vault server command now allows for opt-out of automated
+reporting via the `OPTOUT_LICENSE_REPORTING` environment variable. [[GH-3939](https://github.com/hashicorp/vault/pull/3939)]
+* core/activity: error when attempting to update retention configuration below the minimum [[GH-20078](https://github.com/hashicorp/vault/pull/20078)]
+* core/activity: generate hyperloglogs containing clientIds for each month during precomputation [[GH-16146](https://github.com/hashicorp/vault/pull/16146)]
+* core/activity: refactor activity log api to reuse partial api functions in activity endpoint when current month is specified [[GH-16162](https://github.com/hashicorp/vault/pull/16162)]
+* core/activity: refactor the activity log's generation of precomputed queries [[GH-20073](https://github.com/hashicorp/vault/pull/20073)]
+* core/activity: use monthly hyperloglogs to calculate new clients approximation for current month [[GH-16184](https://github.com/hashicorp/vault/pull/16184)]
+* core: Activity log goroutine management improvements to allow tests to be more deterministic. [[GH-17028](https://github.com/hashicorp/vault/pull/17028)]
+* core: Limit activity log client count usage by namespaces [[GH-16000](https://github.com/hashicorp/vault/pull/16000)]
+* storage/raft: add additional raft metrics relating to applied index and heartbeating; also ensure OSS standbys emit periodic metrics. [[GH-12166](https://github.com/hashicorp/vault/pull/12166)]
+* ui: updates clients configuration edit form state based on census reporting configuration [[GH-20125](https://github.com/hashicorp/vault/pull/20125)]
+
+BUG FIXES:
+
+* core/activity: add namespace breakdown for new clients when date range spans multiple months, including the current month. [[GH-18766](https://github.com/hashicorp/vault/pull/18766)]
+* core/activity: de-duplicate namespaces when historical and current month data are mixed [[GH-18452](https://github.com/hashicorp/vault/pull/18452)]
+* core/activity: fix the end_date returned from the activity log endpoint when partial counts are computed [[GH-17856](https://github.com/hashicorp/vault/pull/17856)]
+* core/activity: include mount counts when de-duplicating current and historical month data [[GH-18598](https://github.com/hashicorp/vault/pull/18598)]
+* core/activity: report mount paths (rather than mount accessors) in current month activity log counts and include deleted mount paths in precomputed queries. [[GH-18916](https://github.com/hashicorp/vault/pull/18916)]
+* core/activity: return partial month counts when querying a historical date range and no historical data exists. [[GH-17935](https://github.com/hashicorp/vault/pull/17935)]
+* core: Change where we evaluate filtered paths as part of mount operations; this is part of an enterprise bugfix that will
+have its own changelog entry. [[GH-21260](https://github.com/hashicorp/vault/pull/21260)]
+* core: Do not cache seal configuration to fix a bug that resulted in sporadic auto unseal failures. [[GH-21223](https://github.com/hashicorp/vault/pull/21223)]
+* core: Don't exit just because we think there's a potential deadlock. [[GH-21342](https://github.com/hashicorp/vault/pull/21342)]
+* core: Fix panic in sealed nodes using raft storage trying to emit raft metrics [[GH-21249](https://github.com/hashicorp/vault/pull/21249)]
+* identity: Fixes duplicate groups creation with the same name but unique IDs. [[GH-20964](https://github.com/hashicorp/vault/pull/20964)]
+* replication (enterprise): Fix a race condition with update-primary that could result in data loss after a DR failover
+* replication (enterprise): Fix path filters deleting data right after it's written by backend Initialize funcs
+
+## 1.11.11
+### June 08, 2023
+
+SECURITY:
+
+* ui: key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11. [[HSEC-2023-17](https://discuss.hashicorp.com/t/hcsec-2023-17-vault-s-kv-diff-viewer-allowed-html-injection/54814)]
+
+CHANGES:
+
+* core: Bump Go version to 1.19.9.
+* core: Revert #19676 (VAULT_GRPC_MIN_CONNECT_TIMEOUT env var) as we decided it was unnecessary. [[GH-20826](https://github.com/hashicorp/vault/pull/20826)]
+
+IMPROVEMENTS:
+
+* command/server: Add support for dumping pprof files to the filesystem via SIGUSR2 when
+`VAULT_PPROF_WRITE_TO_FILE=true` is set on the server. [[GH-20609](https://github.com/hashicorp/vault/pull/20609)]
+* secrets/pki: add subject key identifier to read key response [[GH-20642](https://github.com/hashicorp/vault/pull/20642)]
+* ui: update TTL picker for consistency [[GH-18114](https://github.com/hashicorp/vault/pull/18114)]
+
+BUG FIXES:
+
+* api: Properly Handle nil identity_policies in Secret Data [[GH-20636](https://github.com/hashicorp/vault/pull/20636)]
+* auth/ldap: Set default value for `max_page_size` properly [[GH-20453](https://github.com/hashicorp/vault/pull/20453)]
+* cli: CLI should take days as a unit of time for ttl like flags [[GH-20477](https://github.com/hashicorp/vault/pull/20477)]
+* core (enterprise): Fix log shipper buffer size overflow issue for 32 bit architecture.
+* core (enterprise): Fix logshipper buffer size to default to DefaultBufferSize only when reported system memory is zero.
+* core (enterprise): Remove MFA Enforcment configuration for namespace when deleting namespace
+* core: prevent panic on login after namespace is deleted that had mfa enforcement [[GH-20375](https://github.com/hashicorp/vault/pull/20375)]
+* replication (enterprise): Fix a race condition with invalid tokens during WAL streaming that was causing Secondary clusters to be unable to connect to a Primary.
+* replication (enterprise): fix bug where secondary grpc connections would timeout when connecting to a primary host that no longer exists.
+* secrets/transform (enterprise): Fix a caching bug affecting secondary nodes after a tokenization key rotation
+
+## 1.11.10
+### April 26, 2023
+
+CHANGES:
+
+* core: Bump Go version to 1.19.8.
+
+IMPROVEMENTS:
+
+* cli/namespace: Add detailed flag to output additional namespace information
+such as namespace IDs and custom metadata. [[GH-20243](https://github.com/hashicorp/vault/pull/20243)]
+* core/activity: add an endpoint to write test activity log data, guarded by a build flag [[GH-20019](https://github.com/hashicorp/vault/pull/20019)]
+* core: Add a `raft` sub-field to the `storage` and `ha_storage` details provided by the
+`/sys/config/state/sanitized` endpoint in order to include the `max_entry_size`. [[GH-20044](https://github.com/hashicorp/vault/pull/20044)]
+* sdk/ldaputil: added `connection_timeout` to tune connection timeout duration
+for all LDAP plugins. [[GH-20144](https://github.com/hashicorp/vault/pull/20144)]
+
+BUG FIXES:
+
+* auth/ldap: Add max_page_size configurable to LDAP configuration [[GH-19032](https://github.com/hashicorp/vault/pull/19032)]
+* core (enterprise): Fix intermittent issue with token entries sometimes not being found when using a newly created token in a request to a secondary, even when SSCT `new_token` forwarding is set. When this occurred, this would result in the following error to the client: `error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue`.
+* core (enterprise): Fix read on perf standbys failing with 412 after leadership change, unseal, restores or restarts when no writes occur
+* core/ssct (enterprise): Fixed race condition where a newly promoted DR may revert `sscGenCounter`
+resulting in 412 errors.
+* core: Fix regression breaking non-raft clusters whose nodes share the same cluster_addr/api_addr. [[GH-19721](https://github.com/hashicorp/vault/pull/19721)]
+* helper/random: Fix race condition in string generator helper [[GH-19875](https://github.com/hashicorp/vault/pull/19875)]
+* openapi: Fix many incorrect details in generated API spec, by using better techniques to parse path regexps [[GH-18554](https://github.com/hashicorp/vault/pull/18554)]
+* replication (enterprise): Fix replication status for Primary clusters showing its primary cluster's information (in case of DR) in secondaries field when known_secondaries field is nil
+* secrets/pki: Fix patching of leaf_not_after_behavior on issuers. [[GH-20341](https://github.com/hashicorp/vault/pull/20341)]
+* secrets/transform (enterprise): Address SQL connection leak when cleaning expired tokens
+* ui: Fix OIDC provider logo showing when domain doesn't match [[GH-20263](https://github.com/hashicorp/vault/pull/20263)]
+* ui: Fix bad link to namespace when namespace name includes `.` [[GH-19799](https://github.com/hashicorp/vault/pull/19799)]
+* ui: fixes browser console formatting for help command output [[GH-20064](https://github.com/hashicorp/vault/pull/20064)]
+* ui: remove use of htmlSafe except when first sanitized [[GH-20235](https://github.com/hashicorp/vault/pull/20235)]
+
+## 1.11.9
+### March 29, 2023
+
+SECURITY:
+
+* storage/mssql: When using Vault’s community-supported Microsoft SQL (MSSQL) database storage backend, a privileged attacker with the ability to write arbitrary data to Vault’s configuration may be able to perform arbitrary SQL commands on the underlying database server through Vault. This vulnerability, CVE-2023-0620, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [[HCSEC-2023-12](https://discuss.hashicorp.com/t/hcsec-2023-12-vault-s-microsoft-sql-database-storage-backend-vulnerable-to-sql-injection-via-configuration-file/52080)]
+* secrets/pki: Vault’s PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate issuance. This vulnerability, CVE-2023-0665, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [[HCSEC-2023-11](https://discuss.hashicorp.com/t/hcsec-2023-11-vault-s-pki-issuer-endpoint-did-not-correctly-authorize-access-to-issuer-metadata/52079)]
+* core: HashiCorp Vault’s implementation of Shamir’s secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares. This vulnerability, CVE-2023-25000, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [[HCSEC-2023-10](https://discuss.hashicorp.com/t/hcsec-2023-10-vault-vulnerable-to-cache-timing-attacks-during-seal-and-unseal-operations/52078)]
+
+IMPROVEMENTS:
+
+* auth/github: Allow for an optional Github auth token environment variable to make authenticated requests when fetching org id
+website/docs: Add docs for `VAULT_AUTH_CONFIG_GITHUB_TOKEN` environment variable when writing Github config [[GH-19244](https://github.com/hashicorp/vault/pull/19244)]
+* core: Allow overriding gRPC connect timeout via VAULT_GRPC_MIN_CONNECT_TIMEOUT. This is an env var rather than a config setting because we don't expect this to ever be needed.  It's being added as a last-ditch
+option in case all else fails for some replication issues we may not have fully reproduced. [[GH-19676](https://github.com/hashicorp/vault/pull/19676)]
+* core: validate name identifiers in mssql physical storage backend prior use [[GH-19591](https://github.com/hashicorp/vault/pull/19591)]
+
+BUG FIXES:
+
+* auth/kubernetes: Ensure a consistent TLS configuration for all k8s API requests [[#190](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/190)] [[GH-19720](https://github.com/hashicorp/vault/pull/19720)]
+* cli: Fix vault read handling to return raw data as secret.Data when there is no top-level data object from api response. [[GH-17913](https://github.com/hashicorp/vault/pull/17913)]
+* core (enterprise): Attempt to reconnect to a PKCS#11 HSM if we retrieve a CKR_FUNCTION_FAILED error.
+* core: Fixed issue with remounting mounts that have a non-trailing space in the 'to' or 'from' paths. [[GH-19585](https://github.com/hashicorp/vault/pull/19585)]
+* openapi: Fix logic for labeling unauthenticated/sudo paths. [[GH-19600](https://github.com/hashicorp/vault/pull/19600)]
+* secrets/transform (enterprise): Fix persistence problem with rotated tokenization key versions
+* ui: fixes issue navigating back a level using the breadcrumb from secret metadata view [[GH-19703](https://github.com/hashicorp/vault/pull/19703)]
+* ui: pass encodeBase64 param to HMAC transit-key-actions. [[GH-19429](https://github.com/hashicorp/vault/pull/19429)]
+* ui: use URLSearchParams interface to capture namespace param from SSOs (ex. ADFS) with decoded state param in callback url [[GH-19460](https://github.com/hashicorp/vault/pull/19460)]
+
+## 1.11.8
+### March 01, 2023
+
+SECURITY:
+
+* auth/approle: When using the Vault and Vault Enterprise (Vault) approle auth method, any authenticated user with access to the /auth/approle/role/:role_name/secret-id-accessor/destroy endpoint can destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability, CVE-2023-24999 has been fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above. [[HSEC-2023-07](https://discuss.hashicorp.com/t/hcsec-2023-07-vault-fails-to-verify-if-approle-secretid-belongs-to-role-during-a-destroy-operation/51305)]
+
+CHANGES:
+
+* core: Bump Go version to 1.19.6.
+
+IMPROVEMENTS:
+
+* secrets/database: Adds error message requiring password on root crednetial rotation. [[GH-19103](https://github.com/hashicorp/vault/pull/19103)]
+
+BUG FIXES:
+
+* auth/approle: Add nil check for the secret ID entry when deleting via secret id accessor preventing cross role secret id deletion [[GH-19186](https://github.com/hashicorp/vault/pull/19186)]
+* core (enterprise): Fix panic when using invalid accessor for control-group request
+* core (enterprise): Fix perf standby WAL streaming silently failures when replication setup happens at a bad time.
+* core: Prevent panics in `sys/leases/lookup`, `sys/leases/revoke`, and `sys/leases/renew` endpoints if provided `lease_id` is null [[GH-18951](https://github.com/hashicorp/vault/pull/18951)]
+* license (enterprise): Fix bug where license would update even if the license didn't change.
+* replication (enterprise): Fix bug where reloading external plugin on a secondary would
+break replication.
+* secrets/ad: Fix bug where config couldn't be updated unless binddn/bindpass were included in the update. [[GH-18208](https://github.com/hashicorp/vault/pull/18208)]
+* ui (enterprise): Fix cancel button from transform engine role creation page [[GH-19135](https://github.com/hashicorp/vault/pull/19135)]
+* ui: Fix bug where logging in via OIDC fails if browser is in fullscreen mode [[GH-19071](https://github.com/hashicorp/vault/pull/19071)]
+* ui: show Get credentials button for static roles detail page when a user has the proper permissions. [[GH-19190](https://github.com/hashicorp/vault/pull/19190)]
+
+## 1.11.7
+### February 6, 2023
+
+CHANGES:
+
+* core: Bump Go version to 1.19.4.
+
+IMPROVEMENTS:
+
+* command/server: Environment variable keys are now logged at startup. [[GH-18125](https://github.com/hashicorp/vault/pull/18125)]
+* core/fips: use upstream toolchain for FIPS 140-2 compliance again; this will appear as X=boringcrypto on the Go version in Vault server logs.
+* secrets/db/mysql: Add `tls_server_name` and `tls_skip_verify` parameters [[GH-18799](https://github.com/hashicorp/vault/pull/18799)]
+* ui: Prepends "passcode=" if not provided in user input for duo totp mfa method authentication [[GH-18342](https://github.com/hashicorp/vault/pull/18342)]
+* ui: Update language on database role to "Connection name" [[GH-18261](https://github.com/hashicorp/vault/issues/18261)] [[GH-18350](https://github.com/hashicorp/vault/pull/18350)]
+
+BUG FIXES:
+
+* auth/approle: Fix `token_bound_cidrs` validation when using /32 blocks for role and secret ID [[GH-18145](https://github.com/hashicorp/vault/pull/18145)]
+* cli/kv: skip formatting of nil secrets for patch and put with field parameter set [[GH-18163](https://github.com/hashicorp/vault/pull/18163)]
+* core (enterprise): Fix a race condition resulting in login errors to PKCS#11 modules under high concurrency.
+* core/managed-keys (enterprise): Limit verification checks to mounts in a key's namespace
+* core/quotas (enterprise): Fix a potential deadlock that could occur when using lease count quotas.
+* core/quotas: Fix issue with improper application of default rate limit quota exempt paths [[GH-18273](https://github.com/hashicorp/vault/pull/18273)]
+* core: fix bug where context cancellations weren't forwarded to active node from performance standbys.
+* core: prevent panic in login mfa enforcement delete after enforcement's namespace is deleted [[GH-18923](https://github.com/hashicorp/vault/pull/18923)]
+* database/mongodb: Fix writeConcern set to be applied to any query made on the database [[GH-18546](https://github.com/hashicorp/vault/pull/18546)]
+* identity (enterprise): Fix a data race when creating an entity for a local alias.
+* kmip (enterprise): Fix Destroy operation response that omitted Unique Identifier on some batched responses.
+* kmip (enterprise): Fix Locate operation response incompatibility with clients using KMIP versions prior to 1.3.
+* kmip (enterprise): Fix Query operation response that omitted streaming capability and supported profiles.
+* licensing (enterprise): update autoloaded license cache after reload
+* secrets/pki: Allow patching issuer to set an empty issuer name. [[GH-18466](https://github.com/hashicorp/vault/pull/18466)]
+* secrets/transit: Do not warn about unrecognized parameter 'batch_input' [[GH-18299](https://github.com/hashicorp/vault/pull/18299)]
+* storage/raft (enterprise): An already joined node can rejoin by wiping storage
+and re-issueing a join request, but in doing so could transiently become a
+non-voter.  In some scenarios this resulted in loss of quorum. [[GH-18263](https://github.com/hashicorp/vault/pull/18263)]
+* storage/raft (enterprise): Fix some storage-modifying RPCs used by perf standbys that weren't returning the resulting WAL state.
+* storage/raft: Don't panic on unknown raft ops [[GH-17732](https://github.com/hashicorp/vault/pull/17732)]
+* ui: fixes query parameters not passed in api explorer test requests [[GH-18743](https://github.com/hashicorp/vault/pull/18743)]
+
+## 1.11.6
+### November 30, 2022
+
+IMPROVEMENTS:
+
+* secrets/pki: Allow issuer creation, import to change default issuer via `default_follows_latest_issuer`. [[GH-17824](https://github.com/hashicorp/vault/pull/17824)]
+
+BUG FIXES:
+
+* auth/okta: fix a panic for AuthRenew in Okta [[GH-18011](https://github.com/hashicorp/vault/pull/18011)]
+* auth: Deduplicate policies prior to ACL generation [[GH-17914](https://github.com/hashicorp/vault/pull/17914)]
+* cli: Fix issue preventing kv commands from executing properly when the mount path provided by `-mount` flag and secret key path are the same. [[GH-17679](https://github.com/hashicorp/vault/pull/17679)]
+* core/quotas (enterprise): Fix a lock contention issue that could occur and cause Vault to become unresponsive when creating, changing, or deleting lease count quotas.
+* core: Fix potential deadlock if barrier ciphertext is less than 4 bytes. [[GH-17944](https://github.com/hashicorp/vault/pull/17944)]
+* core: fix a start up race condition where performance standbys could go into a
+  mount loop if default policies are not yet synced from the active node. [[GH-17801](https://github.com/hashicorp/vault/pull/17801)]
+* secret/pki: fix bug with initial legacy bundle migration (from < 1.11 into 1.11+) and missing issuers from ca_chain [[GH-17772](https://github.com/hashicorp/vault/pull/17772)]
+* secrets/azure: add WAL to clean up role assignments if errors occur [[GH-18085](https://github.com/hashicorp/vault/pull/18085)]
+* secrets/gcp: Fixes duplicate service account key for rotate root on standby or secondary [[GH-18110](https://github.com/hashicorp/vault/pull/18110)]
+* ui: Fixes issue with not being able to download raft snapshot via service worker [[GH-17769](https://github.com/hashicorp/vault/pull/17769)]
+* ui: fix entity policies list link to policy show page [[GH-17950](https://github.com/hashicorp/vault/pull/17950)]
+
+## 1.11.5
+### November 2, 2022
+
+IMPROVEMENTS:
+
+* database/snowflake: Allow parallel requests to Snowflake [[GH-17594](https://github.com/hashicorp/vault/pull/17594)]
+* sdk/ldap: Added support for paging when searching for groups using group filters [[GH-17640](https://github.com/hashicorp/vault/pull/17640)]
+
+BUG FIXES:
+
+* core/managed-keys (enterprise): Return better error messages when encountering key creation failures
+* core/managed-keys (enterprise): fix panic when having `cache_disable` true
+* core: prevent memory leak when using control group factors in a policy [[GH-17532](https://github.com/hashicorp/vault/pull/17532)]
+* core: prevent panic during mfa after enforcement's namespace is deleted [[GH-17562](https://github.com/hashicorp/vault/pull/17562)]
+* kmip (enterprise): Fix a problem in the handling of attributes that caused Import operations to fail.
+* login: Store token in tokenhelper for interactive login MFA [[GH-17040](https://github.com/hashicorp/vault/pull/17040)]
+* secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key [[GH-17328](https://github.com/hashicorp/vault/pull/17328)]
+* secrets/pki: Do not read revoked certificates from backend when CRL is disabled [[GH-17384](https://github.com/hashicorp/vault/pull/17384)]
+* secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [[GH-17497](https://github.com/hashicorp/vault/pull/17497)]
+* ui/keymgmt: Sets the defaultValue for type when creating a key. [[GH-17407](https://github.com/hashicorp/vault/pull/17407)]
+* ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [[GH-17661](https://github.com/hashicorp/vault/pull/17661)]
+
+## 1.11.4
+### September 30, 2022
+
+SECURITY:
+
+* secrets/pki: Vault’s TLS certificate auth method did not initially load the optionally-configured CRL issued by the role’s CA into memory on startup, resulting in the revocation list not being checked, if the CRL has not yet been retrieved. This vulnerability, CVE-2022-41316, is fixed in Vault 1.12.0, 1.11.4, 1.10.7, and 1.9.10. [[HSEC-2022-24](https://discuss.hashicorp.com/t/hcsec-2022-24-vaults-tls-cert-auth-method-only-loaded-crl-after-first-request/45483)]
+
+IMPROVEMENTS:
+
+* agent/auto-auth: Add `exit_on_err` which when set to true, will cause Agent to exit if any errors are encountered during authentication. [[GH-17091](https://github.com/hashicorp/vault/pull/17091)]
+* agent: Send notifications to systemd on start and stop. [[GH-9802](https://github.com/hashicorp/vault/pull/9802)]
+
+BUG FIXES:
+
+* auth/cert: Vault does not initially load the CRLs in cert auth unless the read/write CRL endpoint is hit. [[GH-17138](https://github.com/hashicorp/vault/pull/17138)]
+* auth/kubernetes: Restore support for JWT signature algorithm ES384 [[GH-160](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/160)] [[GH-17162](https://github.com/hashicorp/vault/pull/17162)]
+* auth/token: Fix ignored parameter warnings for valid parameters on token create [[GH-16938](https://github.com/hashicorp/vault/pull/16938)]
+* core/quotas: Fix goroutine leak caused by the seal process not fully cleaning up Rate Limit Quotas. [[GH-17281](https://github.com/hashicorp/vault/pull/17281)]
+* core: Prevent two or more DR failovers from invalidating SSCT tokens generated on the previous primaries. [[GH-16956](https://github.com/hashicorp/vault/pull/16956)]
+* identity/oidc: Adds `claims_supported` to discovery document. [[GH-16992](https://github.com/hashicorp/vault/pull/16992)]
+* replication (enterprise): Fix data race in SaveCheckpoint()
+* secrets/transform (enterprise): Fix an issue loading tokenization transform configuration after a specific sequence of reconfigurations.
+* secrets/transform (enterprise): Fix persistence problem with tokenization store credentials.
+* ui: Fixes secret version and status menu links transitioning to auth screen [[GH-16983](https://github.com/hashicorp/vault/pull/16983)]
+* ui: Fixes secret version and status menu links transitioning to auth screen [[GH-16983](https://github.com/hashicorp/vault/pull/16983)]
+
+## 1.11.3
+### August 31, 2022
+
+SECURITY:
+
+* core: When entity aliases mapped to a single entity share the same alias name, but have different mount accessors, Vault can leak metadata between the aliases. This metadata leak may result in unexpected access if templated policies are using alias metadata for path names. This vulnerability, CVE-2022-40186, is fixed in 1.11.3, 1.10.6, and 1.9.9. [[HSEC-2022-18](https://discuss.hashicorp.com/t/hcsec-2022-18-vault-entity-alias-metadata-may-leak-between-aliases-with-the-same-name-assigned-to-the-same-entity/44550)]
+
+CHANGES:
+
+* core: Bump Go version to 1.17.13.
+
+IMPROVEMENTS:
+
+* auth/kerberos: add `add_group_aliases` config to include LDAP groups in Vault group aliases [[GH-16890](https://github.com/hashicorp/vault/pull/16890)]
+* auth/kerberos: add `remove_instance_name` parameter to the login CLI and the
+Kerberos config in Vault. This removes any instance names found in the keytab
+service principal name. [[GH-16594](https://github.com/hashicorp/vault/pull/16594)]
+* identity/oidc: Adds the `client_secret_post` token endpoint authentication method. [[GH-16598](https://github.com/hashicorp/vault/pull/16598)]
+* storage/gcs: Add documentation explaining how to configure the gcs backend using environment variables instead of options in the configuration stanza [[GH-14455](https://github.com/hashicorp/vault/pull/14455)]
+
+BUG FIXES:
+
+* api: Fixed erroneous warnings of unrecognized parameters when unwrapping data. [[GH-16794](https://github.com/hashicorp/vault/pull/16794)]
+* auth/gcp: Fixes the ability to reset the configuration's credentials to use application default credentials. [[GH-16523](https://github.com/hashicorp/vault/pull/16523)]
+* auth/kerberos: Maintain headers set by the client [[GH-16636](https://github.com/hashicorp/vault/pull/16636)]
+* command/debug: fix bug where monitor was not honoring configured duration [[GH-16834](https://github.com/hashicorp/vault/pull/16834)]
+* core/license (enterprise): Always remove stored license and allow unseal to complete when license cleanup fails
+* database/elasticsearch: Fixes a bug in boolean parsing for initialize [[GH-16526](https://github.com/hashicorp/vault/pull/16526)]
+* identity/oidc: Change the `state` parameter of the Authorization Endpoint to optional. [[GH-16599](https://github.com/hashicorp/vault/pull/16599)]
+* identity/oidc: Detect invalid `redirect_uri` values sooner in validation of the
+Authorization Endpoint. [[GH-16601](https://github.com/hashicorp/vault/pull/16601)]
+* identity/oidc: Fixes validation of the `request` and `request_uri` parameters. [[GH-16600](https://github.com/hashicorp/vault/pull/16600)]
+* plugin/secrets/auth: Fix a bug with aliased backends such as aws-ec2 or generic [[GH-16673](https://github.com/hashicorp/vault/pull/16673)]
+* secrets/database: Fix a bug where the secret engine would queue up a lot of WAL deletes during startup. [[GH-16686](https://github.com/hashicorp/vault/pull/16686)]
+* secrets/gcp: Fixes duplicate static account key creation from performance secondary clusters. [[GH-16534](https://github.com/hashicorp/vault/pull/16534)]
+* secrets/pki: Fix migration to properly handle mounts that contain only keys, no certificates [[GH-16813](https://github.com/hashicorp/vault/pull/16813)]
+* secrets/pki: Ignore EC PARAMETER PEM blocks during issuer import (/config/ca, /issuers/import/*, and /intermediate/set-signed) [[GH-16721](https://github.com/hashicorp/vault/pull/16721)]
+* secrets/pki: LIST issuers endpoint is now unauthenticated. [[GH-16830](https://github.com/hashicorp/vault/pull/16830)]
+* storage/raft: Fix retry_join initialization failure [[GH-16550](https://github.com/hashicorp/vault/pull/16550)]
+* ui: Fix OIDC callback to accept namespace flag in different formats [[GH-16886](https://github.com/hashicorp/vault/pull/16886)]
+* ui: Fix info tooltip submitting form [[GH-16659](https://github.com/hashicorp/vault/pull/16659)]
+* ui: Fix naming of permitted_dns_domains form parameter on CA creation (root generation and sign intermediate). [[GH-16739](https://github.com/hashicorp/vault/pull/16739)]
+
+SECURITY:
+
+* identity/entity: When entity aliases mapped to a single entity share the same alias name, but have different mount accessors, Vault can leak metadata between the aliases. This metadata leak may result in unexpected access if templated policies are using alias metadata for path names. [[HCSEC-2022-18](https://discuss.hashicorp.com/t/hcsec-2022-18-vault-entity-alias-metadata-may-leak-between-aliases-with-the-same-name-assigned-to-the-same-entity/44550)]
+
+## 1.11.2
+### August 2, 2022
+
+IMPROVEMENTS:
+
+* agent: Added `disable_keep_alives` configuration to disable keep alives in auto-auth, caching and templating. [[GH-16479](https://github.com/hashicorp/vault/pull/16479)]
+
+BUG FIXES:
+
+* core/auth: Return a 403 instead of a 500 for a malformed SSCT [[GH-16112](https://github.com/hashicorp/vault/pull/16112)]
+* core: Increase the allowed concurrent gRPC streams over the cluster port. [[GH-16327](https://github.com/hashicorp/vault/pull/16327)]
+* secrets/kv: Fix `kv get` issue preventing the ability to read a secret when providing a leading slash [[GH-16443](https://github.com/hashicorp/vault/pull/16443)]
+* ui: Fix issue logging in with JWT auth method [[GH-16466](https://github.com/hashicorp/vault/pull/16466)]
+
+## 1.11.1
+### July 21, 2022
+
+SECURITY:
+
+* storage/raft: Vault Enterprise (“Vault”) clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure. This vulnerability, CVE-2022-36129, was fixed in Vault 1.9.8, 1.10.5, and 1.11.1. [[HSEC-2022-15](https://discuss.hashicorp.com/t/hcsec-2022-15-vault-enterprise-does-not-verify-existing-voter-status-when-joining-an-integrated-storage-ha-node/42420)]
+
+CHANGES:
+
+* core: Bump Go version to 1.17.12.
+
+IMPROVEMENTS:
+
+* agent: Added `disable_idle_connections` configuration to disable leaving idle connections open in auto-auth, caching and templating. [[GH-15986](https://github.com/hashicorp/vault/pull/15986)]
+* core: Add `sys/loggers` and `sys/loggers/:name` endpoints to provide ability to modify logging verbosity [[GH-16111](https://github.com/hashicorp/vault/pull/16111)]
+* secrets/ssh: Allow additional text along with a template definition in defaultExtension value fields. [[GH-16018](https://github.com/hashicorp/vault/pull/16018)]
+
+BUG FIXES:
+
+* agent/template: Fix parsing error for the exec stanza [[GH-16231](https://github.com/hashicorp/vault/pull/16231)]
+* agent: Update consul-template for pkiCert bug fixes [[GH-16087](https://github.com/hashicorp/vault/pull/16087)]
+* core/identity: Replicate member_entity_ids and policies in identity/group across nodes identically [[GH-16088](https://github.com/hashicorp/vault/pull/16088)]
+* core/replication (enterprise): Don't flush merkle tree pages to disk after losing active duty
+* core/seal: Fix possible keyring truncation when using the file backend. [[GH-15946](https://github.com/hashicorp/vault/pull/15946)]
+* kmip (enterprise): Return SecretData as supported Object Type.
+* plugin/multiplexing: Fix panic when id doesn't exist in connection map [[GH-16094](https://github.com/hashicorp/vault/pull/16094)]
+* secret/pki: Do not fail validation with a legacy key_bits default value and key_type=any when signing CSRs [[GH-16246](https://github.com/hashicorp/vault/pull/16246)]
+* storage/raft (enterprise): Prevent unauthenticated voter status change with rejoin [[GH-16324](https://github.com/hashicorp/vault/pull/16324)]
+* transform (enterprise): Fix a bug in the handling of nested or unmatched capture groups in FPE transformations.
+* ui: OIDC login type uses localStorage instead of sessionStorage [[GH-16170](https://github.com/hashicorp/vault/pull/16170)]
+
+SECURITY:
+
+* storage/raft (enterprise): Vault Enterprise (“Vault”) clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure. This vulnerability, CVE-2022-36129, was fixed in Vault 1.9.8, 1.10.5, and 1.11.1. [[HCSEC-2022-15](https://discuss.hashicorp.com/t/hcsec-2022-15-vault-enterprise-does-not-verify-existing-voter-status-when-joining-an-integrated-storage-ha-node/42420)]
+
+## 1.11.0
+### June 20, 2022
+
+CHANGES:
+
+* auth/aws: Add RoleSession to DisplayName when using assumeRole for authentication [[GH-14954](https://github.com/hashicorp/vault/pull/14954)]
+* auth/kubernetes: If `kubernetes_ca_cert` is unset, and there is no pod-local CA available, an error will be surfaced when writing config instead of waiting for login. [[GH-15584](https://github.com/hashicorp/vault/pull/15584)]
+* auth: Remove support for legacy MFA
+(https://www.vaultproject.io/docs/v1.10.x/auth/mfa) [[GH-14869](https://github.com/hashicorp/vault/pull/14869)]
+* core/fips: Disable and warn about entropy augmentation in FIPS 140-2 Inside mode [[GH-15858](https://github.com/hashicorp/vault/pull/15858)]
+* core: A request that fails path validation due to relative path check will now be responded to with a 400 rather than 500. [[GH-14328](https://github.com/hashicorp/vault/pull/14328)]
+* core: Bump Go version to 1.17.11. [[GH-go-ver-1110](https://github.com/hashicorp/vault/pull/go-ver-1110)]
+* database & storage: Change underlying driver library from [lib/pq](https://github.com/lib/pq) to [pgx](https://github.com/jackc/pgx). This change affects Redshift & Postgres database secrets engines, and CockroachDB & Postgres storage engines [[GH-15343](https://github.com/hashicorp/vault/pull/15343)]
+* licensing (enterprise): Remove support for stored licenses and associated `sys/license` and `sys/license/signed`
+endpoints in favor of [autoloaded licenses](https://www.vaultproject.io/docs/enterprise/license/autoloading).
+* replication (enterprise): The `/sys/replication/performance/primary/mount-filter` endpoint has been removed. Please use [Paths Filter](https://www.vaultproject.io/api-docs/system/replication/replication-performance#create-paths-filter) instead.
+* secret/pki: Remove unused signature_bits parameter from intermediate CSR generation; this parameter doesn't control the final certificate's signature algorithm selection as that is up to the signing CA [[GH-15478](https://github.com/hashicorp/vault/pull/15478)]
+* secrets/kubernetes: Split `additional_metadata` into `extra_annotations` and `extra_labels` parameters [[GH-15655](https://github.com/hashicorp/vault/pull/15655)]
+* secrets/pki: A new aliased api path (/pki/issuer/:issuer_ref/sign-self-issued)
+providing the same functionality as the existing API(/pki/root/sign-self-issued)
+does not require sudo capabilities but the latter still requires it in an
+effort to maintain backwards compatibility. [[GH-15211](https://github.com/hashicorp/vault/pull/15211)]
+* secrets/pki: Err on unknown role during sign-verbatim. [[GH-15543](https://github.com/hashicorp/vault/pull/15543)]
+* secrets/pki: Existing CRL API (/pki/crl) now returns an X.509 v2 CRL instead
+of a v1 CRL. [[GH-15100](https://github.com/hashicorp/vault/pull/15100)]
+* secrets/pki: The `ca_chain` response field within issuing (/pki/issue/:role)
+and signing APIs will now include the root CA certificate if the mount is
+aware of it. [[GH-15155](https://github.com/hashicorp/vault/pull/15155)]
+* secrets/pki: existing Delete Root API (pki/root) will now delete all issuers
+and keys within the mount path. [[GH-15004](https://github.com/hashicorp/vault/pull/15004)]
+* secrets/pki: existing Generate Root (pki/root/generate/:type),
+Set Signed Intermediate (/pki/intermediate/set-signed) APIs will
+add new issuers/keys to a mount instead of warning that an existing CA exists [[GH-14975](https://github.com/hashicorp/vault/pull/14975)]
+* secrets/pki: the signed CA certificate from the sign-intermediate api will now appear within the ca_chain
+response field along with the issuer's ca chain. [[GH-15524](https://github.com/hashicorp/vault/pull/15524)]
+* ui: Upgrade Ember to version 3.28 [[GH-14763](https://github.com/hashicorp/vault/pull/14763)]
+
+FEATURES:
+
+* **Autopilot Improvements (Enterprise)**: Autopilot on Vault Enterprise now supports automated upgrades and redundancy zones when using integrated storage.
+* **KeyMgmt UI**: Add UI support for managing the Key Management Secrets Engine [[GH-15523](https://github.com/hashicorp/vault/pull/15523)]
+* **Kubernetes Secrets Engine**: This new secrets engine generates Kubernetes service account tokens, service accounts, role bindings, and roles dynamically. [[GH-15551](https://github.com/hashicorp/vault/pull/15551)]
+* **Non-Disruptive Intermediate/Root Certificate Rotation**: This allows
+import, generation and configuration of any number of keys and/or issuers
+within a PKI mount, providing operators the ability to rotate certificates
+in place without affecting existing client configurations. [[GH-15277](https://github.com/hashicorp/vault/pull/15277)]
+* **Print minimum required policy for any command**: The global CLI flag `-output-policy` can now be used with any command to print out the minimum required policy HCL for that operation, including whether the given path requires the "sudo" capability. [[GH-14899](https://github.com/hashicorp/vault/pull/14899)]
+* **Snowflake Database Plugin**: Adds ability to manage RSA key pair credentials for dynamic and static Snowflake users. [[GH-15376](https://github.com/hashicorp/vault/pull/15376)]
+* **Transit BYOK**: Allow import of externally-generated keys into the Transit secrets engine. [[GH-15414](https://github.com/hashicorp/vault/pull/15414)]
+* nomad: Bootstrap Nomad ACL system if no token is provided [[GH-12451](https://github.com/hashicorp/vault/pull/12451)]
+* storage/dynamodb: Added `AWS_DYNAMODB_REGION` environment variable. [[GH-15054](https://github.com/hashicorp/vault/pull/15054)]
+
+IMPROVEMENTS:
+
+* activity: return nil response months in activity log API when no month data exists [[GH-15420](https://github.com/hashicorp/vault/pull/15420)]
+* agent/auto-auth: Add `min_backoff` to the method stanza for configuring initial backoff duration. [[GH-15204](https://github.com/hashicorp/vault/pull/15204)]
+* agent: Update consul-template to v0.29.0 [[GH-15293](https://github.com/hashicorp/vault/pull/15293)]
+* agent: Upgrade hashicorp/consul-template version for sprig template functions and improved writeTo function [[GH-15092](https://github.com/hashicorp/vault/pull/15092)]
+* api/monitor: Add log_format option to allow for logs to be emitted in JSON format [[GH-15536](https://github.com/hashicorp/vault/pull/15536)]
+* api: Add ability to pass certificate as PEM bytes to api.Client. [[GH-14753](https://github.com/hashicorp/vault/pull/14753)]
+* api: Add context-aware functions to vault/api for each API wrapper function. [[GH-14388](https://github.com/hashicorp/vault/pull/14388)]
+* api: Added MFALogin() for handling MFA flow when using login helpers. [[GH-14900](https://github.com/hashicorp/vault/pull/14900)]
+* api: If the parameters supplied over the API payload are ignored due to not
+being what the endpoints were expecting, or if the parameters supplied get
+replaced by the values in the endpoint's path itself, warnings will be added to
+the non-empty responses listing all the ignored and replaced parameters. [[GH-14962](https://github.com/hashicorp/vault/pull/14962)]
+* api: KV helper methods to simplify the common use case of reading and writing KV secrets [[GH-15305](https://github.com/hashicorp/vault/pull/15305)]
+* api: Provide a helper method WithNamespace to create a cloned client with a new NS [[GH-14963](https://github.com/hashicorp/vault/pull/14963)]
+* api: Support VAULT_PROXY_ADDR environment variable to allow overriding the Vault client's HTTP proxy. [[GH-15377](https://github.com/hashicorp/vault/pull/15377)]
+* api: Use the context passed to the api/auth Login helpers. [[GH-14775](https://github.com/hashicorp/vault/pull/14775)]
+* api: make ListPlugins parse only known plugin types [[GH-15434](https://github.com/hashicorp/vault/pull/15434)]
+* audit: Add a policy_results block into the audit log that contains the set of
+policies that granted this request access. [[GH-15457](https://github.com/hashicorp/vault/pull/15457)]
+* audit: Include mount_accessor in audit request and response logs [[GH-15342](https://github.com/hashicorp/vault/pull/15342)]
+* audit: added entity_created boolean to audit log, set when login operations create an entity [[GH-15487](https://github.com/hashicorp/vault/pull/15487)]
+* auth/aws: Add rsa2048 signature type to API [[GH-15719](https://github.com/hashicorp/vault/pull/15719)]
+* auth/gcp: Enable the Google service endpoints used by the underlying client to be customized [[GH-15592](https://github.com/hashicorp/vault/pull/15592)]
+* auth/gcp: Vault CLI now infers the service account email when running on Google Cloud [[GH-15592](https://github.com/hashicorp/vault/pull/15592)]
+* auth/jwt: Adds ability to use JSON pointer syntax for the `user_claim` value. [[GH-15593](https://github.com/hashicorp/vault/pull/15593)]
+* auth/okta: Add support for Google provider TOTP type in the Okta auth method [[GH-14985](https://github.com/hashicorp/vault/pull/14985)]
+* auth/okta: Add support for performing [the number
+challenge](https://help.okta.com/en-us/Content/Topics/Mobile/ov-admin-config.htm?cshid=csh-okta-verify-number-challenge-v1#enable-number-challenge)
+during an Okta Verify push challenge [[GH-15361](https://github.com/hashicorp/vault/pull/15361)]
+* auth: Globally scoped Login MFA method Get/List endpoints [[GH-15248](https://github.com/hashicorp/vault/pull/15248)]
+* auth: enforce a rate limit for TOTP passcode validation attempts [[GH-14864](https://github.com/hashicorp/vault/pull/14864)]
+* auth: forward cached MFA auth response to the leader using RPC instead of forwarding all login requests [[GH-15469](https://github.com/hashicorp/vault/pull/15469)]
+* cli/debug: added support for retrieving metrics from DR clusters if `unauthenticated_metrics_access` is enabled [[GH-15316](https://github.com/hashicorp/vault/pull/15316)]
+* cli/vault: warn when policy name contains upper-case letter [[GH-14670](https://github.com/hashicorp/vault/pull/14670)]
+* cli: Alternative flag-based syntax for KV to mitigate confusion from automatically appended /data [[GH-14807](https://github.com/hashicorp/vault/pull/14807)]
+* cockroachdb: add high-availability support [[GH-12965](https://github.com/hashicorp/vault/pull/12965)]
+* command/debug: Add log_format flag to allow for logs to be emitted in JSON format [[GH-15536](https://github.com/hashicorp/vault/pull/15536)]
+* command: Support optional '-log-level' flag to be passed to 'operator migrate' command (defaults to info). Also support VAULT_LOG_LEVEL env var. [[GH-15405](https://github.com/hashicorp/vault/pull/15405)]
+* command: Support the optional '-detailed' flag to be passed to 'vault list' command to show ListResponseWithInfo data. Also supports the VAULT_DETAILED env var. [[GH-15417](https://github.com/hashicorp/vault/pull/15417)]
+* core (enterprise): Include `termination_time` in `sys/license/status` response
+* core (enterprise): Include termination time in `license inspect` command output
+* core,transit: Allow callers to choose random byte source including entropy augmentation sources for the sys/tools/random and transit/random endpoints. [[GH-15213](https://github.com/hashicorp/vault/pull/15213)]
+* core/activity: Order month data in ascending order of timestamps [[GH-15259](https://github.com/hashicorp/vault/pull/15259)]
+* core/activity: allow client counts to be precomputed and queried on non-contiguous chunks of data [[GH-15352](https://github.com/hashicorp/vault/pull/15352)]
+* core/managed-keys (enterprise): Allow configuring the number of parallel operations to PKCS#11 managed keys.
+* core: Add an export API for historical activity log data [[GH-15586](https://github.com/hashicorp/vault/pull/15586)]
+* core: Add new DB methods that do not prepare statements. [[GH-15166](https://github.com/hashicorp/vault/pull/15166)]
+* core: check uid and permissions of config dir, config file, plugin dir and plugin binaries [[GH-14817](https://github.com/hashicorp/vault/pull/14817)]
+* core: Fix some identity data races found by Go race detector (no known impact yet). [[GH-15123](https://github.com/hashicorp/vault/pull/15123)]
+* core: Include build date in `sys/seal-status` and `sys/version-history` endpoints. [[GH-14957](https://github.com/hashicorp/vault/pull/14957)]
+* core: Upgrade github.org/x/crypto/ssh [[GH-15125](https://github.com/hashicorp/vault/pull/15125)]
+* kmip (enterprise): Implement operations Query, Import, Encrypt and Decrypt. Improve operations Locate, Add Attribute, Get Attributes and Get Attribute List to handle most supported attributes.
+* mfa/okta: migrate to use official Okta SDK [[GH-15355](https://github.com/hashicorp/vault/pull/15355)]
+* sdk: Change OpenAPI code generator to extract request objects into /components/schemas and reference them by name. [[GH-14217](https://github.com/hashicorp/vault/pull/14217)]
+* secrets/consul: Add support for Consul node-identities and service-identities [[GH-15295](https://github.com/hashicorp/vault/pull/15295)]
+* secrets/consul: Vault is now able to automatically bootstrap the Consul ACL system. [[GH-10751](https://github.com/hashicorp/vault/pull/10751)]
+* secrets/database/elasticsearch: Use the new /_security base API path instead of /_xpack/security when managing elasticsearch. [[GH-15614](https://github.com/hashicorp/vault/pull/15614)]
+* secrets/pki: Add not_before_duration to root CA generation, intermediate CA signing paths. [[GH-14178](https://github.com/hashicorp/vault/pull/14178)]
+* secrets/pki: Add support for CPS URLs and User Notice to Policy Information [[GH-15751](https://github.com/hashicorp/vault/pull/15751)]
+* secrets/pki: Allow operators to control the issuing certificate behavior when
+the requested TTL is beyond the NotAfter value of the signing certificate [[GH-15152](https://github.com/hashicorp/vault/pull/15152)]
+* secrets/pki: Always return CRLs, URLs configurations, even if using the default value. [[GH-15470](https://github.com/hashicorp/vault/pull/15470)]
+* secrets/pki: Enable Patch Functionality for Roles and Issuers (API only) [[GH-15510](https://github.com/hashicorp/vault/pull/15510)]
+* secrets/pki: Have pki/sign-verbatim use the not_before_duration field defined in the role [[GH-15429](https://github.com/hashicorp/vault/pull/15429)]
+* secrets/pki: Warn on empty Subject field during issuer generation (root/generate and root/sign-intermediate). [[GH-15494](https://github.com/hashicorp/vault/pull/15494)]
+* secrets/pki: Warn on missing AIA access information when generating issuers (config/urls). [[GH-15509](https://github.com/hashicorp/vault/pull/15509)]
+* secrets/pki: Warn when `generate_lease` and `no_store` are both set to `true` on requests. [[GH-14292](https://github.com/hashicorp/vault/pull/14292)]
+* secrets/ssh: Add connection timeout of 1 minute for outbound SSH connection in deprecated Dynamic SSH Keys mode. [[GH-15440](https://github.com/hashicorp/vault/pull/15440)]
+* secrets/ssh: Support for `add_before_duration` in SSH [[GH-15250](https://github.com/hashicorp/vault/pull/15250)]
+* sentinel (enterprise): Upgrade sentinel to [v0.18.5](https://docs.hashicorp.com/sentinel/changelog#0-18-5-january-14-2022) to avoid potential naming collisions in the remote installer
+* storage/raft: Use larger timeouts at startup to reduce likelihood of inducing elections. [[GH-15042](https://github.com/hashicorp/vault/pull/15042)]
+* ui: Allow namespace param to be parsed from state queryParam [[GH-15378](https://github.com/hashicorp/vault/pull/15378)]
+* ui: Default auto-rotation period in transit is 30 days [[GH-15474](https://github.com/hashicorp/vault/pull/15474)]
+* ui: Parse schema refs from OpenAPI [[GH-14508](https://github.com/hashicorp/vault/pull/14508)]
+* ui: Remove stored license references [[GH-15513](https://github.com/hashicorp/vault/pull/15513)]
+* ui: Remove storybook. [[GH-15074](https://github.com/hashicorp/vault/pull/15074)]
+* ui: Replaces the IvyCodemirror wrapper with a custom ember modifier. [[GH-14659](https://github.com/hashicorp/vault/pull/14659)]
+* website/docs: Add usage documentation for Kubernetes Secrets Engine [[GH-15527](https://github.com/hashicorp/vault/pull/15527)]
+* website/docs: added a link to an Enigma secret plugin. [[GH-14389](https://github.com/hashicorp/vault/pull/14389)]
+
+DEPRECATIONS:
+
+* docs: Document removal of X.509 certificates with signatures who use SHA-1 in Vault 1.12 [[GH-15581](https://github.com/hashicorp/vault/pull/15581)]
+* secrets/consul: Deprecate old parameters "token_type" and "policy" [[GH-15550](https://github.com/hashicorp/vault/pull/15550)]
+* secrets/consul: Deprecate parameter "policies" in favor of "consul_policies" for consistency [[GH-15400](https://github.com/hashicorp/vault/pull/15400)]
+
+BUG FIXES:
+
+* Fixed panic when adding or modifying a Duo MFA Method in Enterprise
+* agent: Fix log level mismatch between ERR and ERROR [[GH-14424](https://github.com/hashicorp/vault/pull/14424)]
+* agent: Redact auto auth token from renew endpoints [[GH-15380](https://github.com/hashicorp/vault/pull/15380)]
+* api/sys/raft: Update RaftSnapshotRestore to use net/http client allowing bodies larger than allocated memory to be streamed [[GH-14269](https://github.com/hashicorp/vault/pull/14269)]
+* api: Fixes bug where OutputCurlString field was unintentionally being copied over during client cloning [[GH-14968](https://github.com/hashicorp/vault/pull/14968)]
+* api: Respect increment value in grace period calculations in LifetimeWatcher [[GH-14836](https://github.com/hashicorp/vault/pull/14836)]
+* auth/approle: Add maximum length for input values that result in SHA56 HMAC calculation [[GH-14746](https://github.com/hashicorp/vault/pull/14746)]
+* auth/kubernetes: Fix error code when using the wrong service account [[GH-15584](https://github.com/hashicorp/vault/pull/15584)]
+* auth/ldap: The logic for setting the entity alias when `username_as_alias` is set
+has been fixed. The previous behavior would make a request to the LDAP server to
+get `user_attr` before discarding it and using the username instead. This would
+make it impossible for a user to connect if this attribute was missing or had
+multiple values, even though it would not be used anyway. This has been fixed
+and the username is now used without making superfluous LDAP searches. [[GH-15525](https://github.com/hashicorp/vault/pull/15525)]
+* auth: Fixed erroneous success message when using vault login in case of two-phase MFA [[GH-15428](https://github.com/hashicorp/vault/pull/15428)]
+* auth: Fixed erroneous token information being displayed when using vault login in case of two-phase MFA [[GH-15428](https://github.com/hashicorp/vault/pull/15428)]
+* auth: Fixed two-phase MFA information missing from table format when using vault login [[GH-15428](https://github.com/hashicorp/vault/pull/15428)]
+* auth: Prevent deleting a valid MFA method ID using the endpoint for a different MFA method type [[GH-15482](https://github.com/hashicorp/vault/pull/15482)]
+* auth: forward requests subject to login MFA from perfStandby to Active node [[GH-15009](https://github.com/hashicorp/vault/pull/15009)]
+* auth: load login MFA configuration upon restart [[GH-15261](https://github.com/hashicorp/vault/pull/15261)]
+* cassandra: Update gocql Cassandra client to fix "no hosts available in the pool" error [[GH-14973](https://github.com/hashicorp/vault/pull/14973)]
+* cli: Fix panic caused by parsing key=value fields whose value is a single backslash [[GH-14523](https://github.com/hashicorp/vault/pull/14523)]
+* cli: kv get command now honors trailing spaces to retrieve secrets [[GH-15188](https://github.com/hashicorp/vault/pull/15188)]
+* command: do not report listener and storage types as key not found warnings [[GH-15383](https://github.com/hashicorp/vault/pull/15383)]
+* core (enterprise): Allow local alias create RPCs to persist alias metadata
+* core (enterprise): Fix overcounting of lease count quota usage at startup.
+* core (enterprise): Fix some races in merkle index flushing code found in testing
+* core (enterprise): Handle additional edge cases reinitializing PKCS#11 libraries after login errors.
+* core/config: Only ask the system about network interfaces when address configs contain a template having the format: {{ ... }} [[GH-15224](https://github.com/hashicorp/vault/pull/15224)]
+* core/managed-keys (enterprise): Allow PKCS#11 managed keys to use 0 as a slot number
+* core/metrics: Fix incorrect table size metric for local mounts [[GH-14755](https://github.com/hashicorp/vault/pull/14755)]
+* core: Fix double counting for "route" metrics [[GH-12763](https://github.com/hashicorp/vault/pull/12763)]
+* core: Fix panic caused by parsing JSON integers for fields defined as comma-delimited integers [[GH-15072](https://github.com/hashicorp/vault/pull/15072)]
+* core: Fix panic caused by parsing JSON integers for fields defined as comma-delimited strings [[GH-14522](https://github.com/hashicorp/vault/pull/14522)]
+* core: Fix panic caused by parsing policies with empty slice values. [[GH-14501](https://github.com/hashicorp/vault/pull/14501)]
+* core: Fix panic for help request URL paths without /v1/ prefix [[GH-14704](https://github.com/hashicorp/vault/pull/14704)]
+* core: Limit SSCT WAL checks on perf standbys to raft backends only [[GH-15879](https://github.com/hashicorp/vault/pull/15879)]
+* core: Prevent changing file permissions of audit logs when mode 0000 is used. [[GH-15759](https://github.com/hashicorp/vault/pull/15759)]
+* core: Prevent metrics generation from causing deadlocks. [[GH-15693](https://github.com/hashicorp/vault/pull/15693)]
+* core: fixed systemd reloading notification [[GH-15041](https://github.com/hashicorp/vault/pull/15041)]
+* core: fixing excessive unix file permissions [[GH-14791](https://github.com/hashicorp/vault/pull/14791)]
+* core: fixing excessive unix file permissions on dir, files and archive created by vault debug command [[GH-14846](https://github.com/hashicorp/vault/pull/14846)]
+* core: pre-calculate namespace specific paths when tainting a route during postUnseal [[GH-15067](https://github.com/hashicorp/vault/pull/15067)]
+* core: renaming the environment variable VAULT_DISABLE_FILE_PERMISSIONS_CHECK to VAULT_ENABLE_FILE_PERMISSIONS_CHECK and adjusting the logic [[GH-15452](https://github.com/hashicorp/vault/pull/15452)]
+* core: report unused or redundant keys in server configuration [[GH-14752](https://github.com/hashicorp/vault/pull/14752)]
+* core: time.After() used in a select statement can lead to memory leak [[GH-14814](https://github.com/hashicorp/vault/pull/14814)]
+* identity: deduplicate policies when creating/updating identity groups [[GH-15055](https://github.com/hashicorp/vault/pull/15055)]
+* mfa/okta: disable client side rate limiting causing delays in push notifications [[GH-15369](https://github.com/hashicorp/vault/pull/15369)]
+* plugin: Fix a bug where plugin reload would falsely report success in certain scenarios. [[GH-15579](https://github.com/hashicorp/vault/pull/15579)]
+* raft: fix Raft TLS key rotation panic that occurs if active key is more than 24 hours old [[GH-15156](https://github.com/hashicorp/vault/pull/15156)]
+* raft: Ensure initialMmapSize is set to 0 on Windows [[GH-14977](https://github.com/hashicorp/vault/pull/14977)]
+* replication (enterprise): fix panic due to missing entity during invalidation of local aliases. [[GH-14622](https://github.com/hashicorp/vault/pull/14622)]
+* sdk/cidrutil: Only check if cidr contains remote address for IP addresses [[GH-14487](https://github.com/hashicorp/vault/pull/14487)]
+* sdk: Fix OpenApi spec generator to properly convert TypeInt64 to OAS supported int64 [[GH-15104](https://github.com/hashicorp/vault/pull/15104)]
+* sdk: Fix OpenApi spec generator to remove duplicate sha_256 parameter [[GH-15163](https://github.com/hashicorp/vault/pull/15163)]
+* secrets/database: Ensure that a `connection_url` password is redacted in all cases. [[GH-14744](https://github.com/hashicorp/vault/pull/14744)]
+* secrets/kv: Fix issue preventing the ability to reset the `delete_version_after` key metadata field to 0s via HTTP `PATCH`. [[GH-15792](https://github.com/hashicorp/vault/pull/15792)]
+* secrets/pki: CRLs on performance secondary clusters are now automatically
+rebuilt upon changes to the list of issuers. [[GH-15179](https://github.com/hashicorp/vault/pull/15179)]
+* secrets/pki: Fix handling of "any" key type with default zero signature bits value. [[GH-14875](https://github.com/hashicorp/vault/pull/14875)]
+* secrets/pki: Fixed bug where larger SHA-2 hashes were truncated with shorter ECDSA CA certificates [[GH-14943](https://github.com/hashicorp/vault/pull/14943)]
+* secrets/ssh: Convert role field not_before_duration to seconds before returning it [[GH-15559](https://github.com/hashicorp/vault/pull/15559)]
+* storage/raft (enterprise):  Auto-snapshot configuration now forbids slashes in file prefixes for all types, and "/" in path prefix for local storage type.  Strip leading prefix in path prefix for AWS.  Improve error handling/reporting.
+* storage/raft: Forward autopilot state requests on perf standbys to active node. [[GH-15493](https://github.com/hashicorp/vault/pull/15493)]
+* storage/raft: joining a node to a cluster now ignores any VAULT_NAMESPACE environment variable set on the server process [[GH-15519](https://github.com/hashicorp/vault/pull/15519)]
+* ui: Fix Generated Token's Policies helpText to clarify that comma separated values are not accepted in this field. [[GH-15046](https://github.com/hashicorp/vault/pull/15046)]
+* ui: Fix KV secret showing in the edit form after a user creates a new version but doesn't have read capabilities [[GH-14794](https://github.com/hashicorp/vault/pull/14794)]
+* ui: Fix inconsistent behavior in client count calendar widget [[GH-15789](https://github.com/hashicorp/vault/pull/15789)]
+* ui: Fix issue where metadata tab is hidden even though policy grants access [[GH-15824](https://github.com/hashicorp/vault/pull/15824)]
+* ui: Fix issue with KV not recomputing model when you changed versions. [[GH-14941](https://github.com/hashicorp/vault/pull/14941)]
+* ui: Fixed client count timezone for start and end months [[GH-15167](https://github.com/hashicorp/vault/pull/15167)]
+* ui: Fixed unsupported revocation statements field for DB roles [[GH-15573](https://github.com/hashicorp/vault/pull/15573)]
+* ui: Fixes edit auth method capabilities issue [[GH-14966](https://github.com/hashicorp/vault/pull/14966)]
+* ui: Fixes issue logging in with OIDC from a listed auth mounts tab [[GH-14916](https://github.com/hashicorp/vault/pull/14916)]
+* ui: Revert using localStorage in favor of sessionStorage [[GH-15769](https://github.com/hashicorp/vault/pull/15769)]
+* ui: Updated `leasId` to `leaseId` in the "Copy Credentials" section of "Generate AWS Credentials" [[GH-15685](https://github.com/hashicorp/vault/pull/15685)]
+* ui: fix firefox inability to recognize file format of client count csv export [[GH-15364](https://github.com/hashicorp/vault/pull/15364)]
+* ui: fix form validations ignoring default values and disabling submit button [[GH-15560](https://github.com/hashicorp/vault/pull/15560)]
+* ui: fix search-select component showing blank selections when editing group member entity [[GH-15058](https://github.com/hashicorp/vault/pull/15058)]
+* ui: masked values no longer give away length or location of special characters [[GH-15025](https://github.com/hashicorp/vault/pull/15025)]
+
+## 1.10.11
+### March 01, 2023
+
+SECURITY:
+
+* auth/approle: When using the Vault and Vault Enterprise (Vault) approle auth method, any authenticated user with access to the /auth/approle/role/:role_name/secret-id-accessor/destroy endpoint can destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability, CVE-2023-24999 has been fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above. [[HSEC-2023-07](https://discuss.hashicorp.com/t/hcsec-2023-07-vault-fails-to-verify-if-approle-secretid-belongs-to-role-during-a-destroy-operation/51305)]
+
+CHANGES:
+
+* core: Bump Go version to 1.19.6.
+
+IMPROVEMENTS:
+
+* secrets/database: Adds error message requiring password on root crednetial rotation. [[GH-19103](https://github.com/hashicorp/vault/pull/19103)]
+
+BUG FIXES:
+
+* auth/approle: Add nil check for the secret ID entry when deleting via secret id accessor preventing cross role secret id deletion [[GH-19186](https://github.com/hashicorp/vault/pull/19186)]
+* core (enterprise): Fix panic when using invalid accessor for control-group request
+* core: Prevent panics in `sys/leases/lookup`, `sys/leases/revoke`, and `sys/leases/renew` endpoints if provided `lease_id` is null [[GH-18951](https://github.com/hashicorp/vault/pull/18951)]
+* replication (enterprise): Fix bug where reloading external plugin on a secondary would
+break replication.
+* secrets/ad: Fix bug where config couldn't be updated unless binddn/bindpass were included in the update. [[GH-18209](https://github.com/hashicorp/vault/pull/18209)]
+* ui (enterprise): Fix cancel button from transform engine role creation page [[GH-19135](https://github.com/hashicorp/vault/pull/19135)]
+* ui: Fix bug where logging in via OIDC fails if browser is in fullscreen mode [[GH-19071](https://github.com/hashicorp/vault/pull/19071)]
+
+## 1.10.10
+### February 6, 2023
+
+CHANGES:
+
+* core: Bump Go version to 1.19.4.
+
+IMPROVEMENTS:
+
+* command/server: Environment variable keys are now logged at startup. [[GH-18125](https://github.com/hashicorp/vault/pull/18125)]
+* core/fips: use upstream toolchain for FIPS 140-2 compliance again; this will appear as X=boringcrypto on the Go version in Vault server logs.
+* secrets/db/mysql: Add `tls_server_name` and `tls_skip_verify` parameters [[GH-18799](https://github.com/hashicorp/vault/pull/18799)]
+* ui: Prepends "passcode=" if not provided in user input for duo totp mfa method authentication [[GH-18342](https://github.com/hashicorp/vault/pull/18342)]
+* ui: Update language on database role to "Connection name" [[GH-18261](https://github.com/hashicorp/vault/issues/18261)] [[GH-18350](https://github.com/hashicorp/vault/pull/18350)]
+
+BUG FIXES:
+
+* auth/approle: Fix `token_bound_cidrs` validation when using /32 blocks for role and secret ID [[GH-18145](https://github.com/hashicorp/vault/pull/18145)]
+* auth/token: Fix ignored parameter warnings for valid parameters on token create [[GH-16938](https://github.com/hashicorp/vault/pull/16938)]
+* cli/kv: skip formatting of nil secrets for patch and put with field parameter set [[GH-18163](https://github.com/hashicorp/vault/pull/18163)]
+* core (enterprise): Fix a race condition resulting in login errors to PKCS#11 modules under high concurrency.
+* core/managed-keys (enterprise): Limit verification checks to mounts in a key's namespace
+* core/quotas (enterprise): Fix a potential deadlock that could occur when using lease count quotas.
+* core/quotas: Fix issue with improper application of default rate limit quota exempt paths [[GH-18273](https://github.com/hashicorp/vault/pull/18273)]
+* core: fix bug where context cancellations weren't forwarded to active node from performance standbys.
+* core: prevent panic in login mfa enforcement delete after enforcement's namespace is deleted [[GH-18923](https://github.com/hashicorp/vault/pull/18923)]
+* database/mongodb: Fix writeConcern set to be applied to any query made on the database [[GH-18546](https://github.com/hashicorp/vault/pull/18546)]
+* identity (enterprise): Fix a data race when creating an entity for a local alias.
+* kmip (enterprise): Fix Destroy operation response that omitted Unique Identifier on some batched responses.
+* kmip (enterprise): Fix Locate operation response incompatibility with clients using KMIP versions prior to 1.3.
+* licensing (enterprise): update autoloaded license cache after reload
+* storage/raft (enterprise): Fix some storage-modifying RPCs used by perf standbys that weren't returning the resulting WAL state.
+* ui: fixes query parameters not passed in api explorer test requests [[GH-18743](https://github.com/hashicorp/vault/pull/18743)]
+
+## 1.10.9
+### November 30, 2022
+
+BUG FIXES:
+
+* auth: Deduplicate policies prior to ACL generation [[GH-17914](https://github.com/hashicorp/vault/pull/17914)]
+* core/quotas (enterprise): Fix a lock contention issue that could occur and cause Vault to become unresponsive when creating, changing, or deleting lease count quotas.
+* core: Fix potential deadlock if barrier ciphertext is less than 4 bytes. [[GH-17944](https://github.com/hashicorp/vault/pull/17944)]
+* core: fix a start up race condition where performance standbys could go into a
+  mount loop if default policies are not yet synced from the active node. [[GH-17801](https://github.com/hashicorp/vault/pull/17801)]
+* secrets/azure: add WAL to clean up role assignments if errors occur [[GH-18084](https://github.com/hashicorp/vault/pull/18084)]
+* secrets/gcp: Fixes duplicate service account key for rotate root on standby or secondary [[GH-18109](https://github.com/hashicorp/vault/pull/18109)]
+* ui: fix entity policies list link to policy show page [[GH-17950](https://github.com/hashicorp/vault/pull/17950)]
+
+## 1.10.8
+### November 2, 2022
+
+BUG FIXES:
+
+* core/managed-keys (enterprise): Return better error messages when encountering key creation failures
+* core/managed-keys (enterprise): fix panic when having `cache_disable` true
+* core: prevent memory leak when using control group factors in a policy [[GH-17532](https://github.com/hashicorp/vault/pull/17532)]
+* core: prevent panic during mfa after enforcement's namespace is deleted [[GH-17562](https://github.com/hashicorp/vault/pull/17562)]
+* login: Store token in tokenhelper for interactive login MFA [[GH-17040](https://github.com/hashicorp/vault/pull/17040)]
+* secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key [[GH-17328](https://github.com/hashicorp/vault/pull/17328)]
+* secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [[GH-17497](https://github.com/hashicorp/vault/pull/17497)]
+* ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [[GH-17661](https://github.com/hashicorp/vault/pull/17661)]
+
+## 1.10.7
+### September 30, 2022
+
+SECURITY:
+
+* secrets/pki: Vault’s TLS certificate auth method did not initially load the optionally-configured CRL issued by the role’s CA into memory on startup, resulting in the revocation list not being checked, if the CRL has not yet been retrieved. This vulnerability, CVE-2022-41316, is fixed in Vault 1.12.0, 1.11.4, 1.10.7, and 1.9.10. [[HSEC-2022-24](https://discuss.hashicorp.com/t/hcsec-2022-24-vaults-tls-cert-auth-method-only-loaded-crl-after-first-request/45483)]
+
+BUG FIXES:
+
+* auth/cert: Vault does not initially load the CRLs in cert auth unless the read/write CRL endpoint is hit. [[GH-17138](https://github.com/hashicorp/vault/pull/17138)]
+* core/quotas: Fix goroutine leak caused by the seal process not fully cleaning up Rate Limit Quotas. [[GH-17281](https://github.com/hashicorp/vault/pull/17281)]
+* core: Prevent two or more DR failovers from invalidating SSCT tokens generated on the previous primaries. [[GH-16956](https://github.com/hashicorp/vault/pull/16956)]
+* identity/oidc: Adds `claims_supported` to discovery document. [[GH-16992](https://github.com/hashicorp/vault/pull/16992)]
+* replication (enterprise): Fix data race in SaveCheckpoint()
+* secrets/transform (enterprise): Fix an issue loading tokenization transform configuration after a specific sequence of reconfigurations.
+* secrets/transform (enterprise): Fix persistence problem with tokenization store credentials.
+* ui: Fix lease force revoke action [[GH-16930](https://github.com/hashicorp/vault/pull/16930)]
+
+## 1.10.6
+### August 31, 2022
+
+SECURITY:
+
+* core: When entity aliases mapped to a single entity share the same alias name, but have different mount accessors, Vault can leak metadata between the aliases. This metadata leak may result in unexpected access if templated policies are using alias metadata for path names. This vulnerability, CVE-2022-40186, is fixed in 1.11.3, 1.10.6, and 1.9.9. [[HSEC-2022-18](https://discuss.hashicorp.com/t/hcsec-2022-18-vault-entity-alias-metadata-may-leak-between-aliases-with-the-same-name-assigned-to-the-same-entity/44550)]
+
+CHANGES:
+
+* core: Bump Go version to 1.17.13.
+
+IMPROVEMENTS:
+
+* identity/oidc: Adds the `client_secret_post` token endpoint authentication method. [[GH-16598](https://github.com/hashicorp/vault/pull/16598)]
+
+BUG FIXES:
+
+* auth/gcp: Fixes the ability to reset the configuration's credentials to use application default credentials. [[GH-16524](https://github.com/hashicorp/vault/pull/16524)]
+* command/debug: fix bug where monitor was not honoring configured duration [[GH-16834](https://github.com/hashicorp/vault/pull/16834)]
+* core/auth: Return a 403 instead of a 500 for a malformed SSCT [[GH-16112](https://github.com/hashicorp/vault/pull/16112)]
+* core: Increase the allowed concurrent gRPC streams over the cluster port. [[GH-16327](https://github.com/hashicorp/vault/pull/16327)]
+* database: Invalidate queue should cancel context first to avoid deadlock [[GH-15933](https://github.com/hashicorp/vault/pull/15933)]
+* identity/oidc: Change the `state` parameter of the Authorization Endpoint to optional. [[GH-16599](https://github.com/hashicorp/vault/pull/16599)]
+* identity/oidc: Detect invalid `redirect_uri` values sooner in validation of the
+Authorization Endpoint. [[GH-16601](https://github.com/hashicorp/vault/pull/16601)]
+* identity/oidc: Fixes validation of the `request` and `request_uri` parameters. [[GH-16600](https://github.com/hashicorp/vault/pull/16600)]
+* secrets/database: Fix a bug where the secret engine would queue up a lot of WAL deletes during startup. [[GH-16686](https://github.com/hashicorp/vault/pull/16686)]
+* secrets/gcp: Fixes duplicate static account key creation from performance secondary clusters. [[GH-16534](https://github.com/hashicorp/vault/pull/16534)]
+* storage/raft: Fix retry_join initialization failure [[GH-16550](https://github.com/hashicorp/vault/pull/16550)]
+* ui: Fix OIDC callback to accept namespace flag in different formats [[GH-16886](https://github.com/hashicorp/vault/pull/16886)]
+* ui: Fix issue logging in with JWT auth method [[GH-16466](https://github.com/hashicorp/vault/pull/16466)]
+* ui: Fix naming of permitted_dns_domains form parameter on CA creation (root generation and sign intermediate). [[GH-16739](https://github.com/hashicorp/vault/pull/16739)]
+
+SECURITY:
+
+* identity/entity: When entity aliases mapped to a single entity share the same alias name, but have different mount accessors, Vault can leak metadata between the aliases. This metadata leak may result in unexpected access if templated policies are using alias metadata for path names. [[HCSEC-2022-18](https://discuss.hashicorp.com/t/hcsec-2022-18-vault-entity-alias-metadata-may-leak-between-aliases-with-the-same-name-assigned-to-the-same-entity/44550)]
+
+## 1.10.5
+### July 21, 2022
+
+SECURITY:
+
+* storage/raft: Vault Enterprise (“Vault”) clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure. This vulnerability, CVE-2022-36129, was fixed in Vault 1.9.8, 1.10.5, and 1.11.1. [[HSEC-2022-15](https://discuss.hashicorp.com/t/hcsec-2022-15-vault-enterprise-does-not-verify-existing-voter-status-when-joining-an-integrated-storage-ha-node/42420)]
+
+CHANGES:
+
+* core/fips: Disable and warn about entropy augmentation in FIPS 140-2 Inside mode [[GH-15858](https://github.com/hashicorp/vault/pull/15858)]
+* core: Bump Go version to 1.17.12.
+
+IMPROVEMENTS:
+
+* core: Add `sys/loggers` and `sys/loggers/:name` endpoints to provide ability to modify logging verbosity [[GH-16111](https://github.com/hashicorp/vault/pull/16111)]
+* secrets/ssh: Allow additional text along with a template definition in defaultExtension value fields. [[GH-16018](https://github.com/hashicorp/vault/pull/16018)]
+
+BUG FIXES:
+
+* agent/template: Fix parsing error for the exec stanza [[GH-16231](https://github.com/hashicorp/vault/pull/16231)]
+* core/identity: Replicate member_entity_ids and policies in identity/group across nodes identically [[GH-16088](https://github.com/hashicorp/vault/pull/16088)]
+* core/replication (enterprise): Don't flush merkle tree pages to disk after losing active duty
+* core/seal: Fix possible keyring truncation when using the file backend. [[GH-15946](https://github.com/hashicorp/vault/pull/15946)]
+* core: Limit SSCT WAL checks on perf standbys to raft backends only [[GH-15879](https://github.com/hashicorp/vault/pull/15879)]
+* plugin/multiplexing: Fix panic when id doesn't exist in connection map [[GH-16094](https://github.com/hashicorp/vault/pull/16094)]
+* secret/pki: Do not fail validation with a legacy key_bits default value and key_type=any when signing CSRs [[GH-16246](https://github.com/hashicorp/vault/pull/16246)]
+* storage/raft (enterprise): Prevent unauthenticated voter status with rejoin [[GH-16324](https://github.com/hashicorp/vault/pull/16324)]
+* transform (enterprise): Fix a bug in the handling of nested or unmatched capture groups in FPE transformations.
+* ui: Fix issue where metadata tab is hidden even though policy grants access [[GH-15824](https://github.com/hashicorp/vault/pull/15824)]
+* ui: Revert using localStorage in favor of sessionStorage [[GH-16169](https://github.com/hashicorp/vault/pull/16169)]
+* ui: Updated `leasId` to `leaseId` in the "Copy Credentials" section of "Generate AWS Credentials" [[GH-15685](https://github.com/hashicorp/vault/pull/15685)]
+
+## 1.10.4
+### June 10, 2022
+
+CHANGES:
+
+* core: Bump Go version to 1.17.11. [[GH-go-ver-1104](https://github.com/hashicorp/vault/pull/go-ver-1104)]
+
+IMPROVEMENTS:
+
+* api/monitor: Add log_format option to allow for logs to be emitted in JSON format [[GH-15536](https://github.com/hashicorp/vault/pull/15536)]
+* auth: Globally scoped Login MFA method Get/List endpoints [[GH-15248](https://github.com/hashicorp/vault/pull/15248)]
+* auth: forward cached MFA auth response to the leader using RPC instead of forwarding all login requests [[GH-15469](https://github.com/hashicorp/vault/pull/15469)]
+* cli/debug: added support for retrieving metrics from DR clusters if `unauthenticated_metrics_access` is enabled [[GH-15316](https://github.com/hashicorp/vault/pull/15316)]
+* command/debug: Add log_format flag to allow for logs to be emitted in JSON format [[GH-15536](https://github.com/hashicorp/vault/pull/15536)]
+* core: Fix some identity data races found by Go race detector (no known impact yet). [[GH-15123](https://github.com/hashicorp/vault/pull/15123)]
+* storage/raft: Use larger timeouts at startup to reduce likelihood of inducing elections. [[GH-15042](https://github.com/hashicorp/vault/pull/15042)]
+* ui: Allow namespace param to be parsed from state queryParam [[GH-15378](https://github.com/hashicorp/vault/pull/15378)]
+
+BUG FIXES:
+
+* agent: Redact auto auth token from renew endpoints [[GH-15380](https://github.com/hashicorp/vault/pull/15380)]
+* auth/kubernetes: Fix error code when using the wrong service account [[GH-15585](https://github.com/hashicorp/vault/pull/15585)]
+* auth/ldap: The logic for setting the entity alias when `username_as_alias` is set
+has been fixed. The previous behavior would make a request to the LDAP server to
+get `user_attr` before discarding it and using the username instead. This would
+make it impossible for a user to connect if this attribute was missing or had
+multiple values, even though it would not be used anyway. This has been fixed
+and the username is now used without making superfluous LDAP searches. [[GH-15525](https://github.com/hashicorp/vault/pull/15525)]
+* auth: Fixed erroneous success message when using vault login in case of two-phase MFA [[GH-15428](https://github.com/hashicorp/vault/pull/15428)]
+* auth: Fixed erroneous token information being displayed when using vault login in case of two-phase MFA [[GH-15428](https://github.com/hashicorp/vault/pull/15428)]
+* auth: Fixed two-phase MFA information missing from table format when using vault login [[GH-15428](https://github.com/hashicorp/vault/pull/15428)]
+* auth: Prevent deleting a valid MFA method ID using the endpoint for a different MFA method type [[GH-15482](https://github.com/hashicorp/vault/pull/15482)]
+* core (enterprise): Fix overcounting of lease count quota usage at startup.
+* core: Prevent changing file permissions of audit logs when mode 0000 is used. [[GH-15759](https://github.com/hashicorp/vault/pull/15759)]
+* core: Prevent metrics generation from causing deadlocks. [[GH-15693](https://github.com/hashicorp/vault/pull/15693)]
+* core: fixed systemd reloading notification [[GH-15041](https://github.com/hashicorp/vault/pull/15041)]
+* mfa/okta: disable client side rate limiting causing delays in push notifications [[GH-15369](https://github.com/hashicorp/vault/pull/15369)]
+* storage/raft (enterprise):  Auto-snapshot configuration now forbids slashes in file prefixes for all types, and "/" in path prefix for local storage type.  Strip leading prefix in path prefix for AWS.  Improve error handling/reporting.
+* transform (enterprise): Fix non-overridable column default value causing tokenization tokens to expire prematurely when using the MySQL storage backend.
+* ui: Fix inconsistent behavior in client count calendar widget [[GH-15789](https://github.com/hashicorp/vault/pull/15789)]
+* ui: Fixed client count timezone for start and end months [[GH-15167](https://github.com/hashicorp/vault/pull/15167)]
+* ui: fix firefox inability to recognize file format of client count csv export [[GH-15364](https://github.com/hashicorp/vault/pull/15364)]
+
+## 1.10.3
+### May 11, 2022
+
+SECURITY:
+* auth: A vulnerability was identified in Vault and Vault Enterprise (“Vault”) from 1.10.0 to 1.10.2 where MFA may not be enforced on user logins after a server restart. This vulnerability, CVE-2022-30689, was fixed in Vault 1.10.3.
+
+BUG FIXES:
+
+* auth: load login MFA configuration upon restart [[GH-15261](https://github.com/hashicorp/vault/pull/15261)]
+* core/config: Only ask the system about network interfaces when address configs contain a template having the format: {{ ... }} [[GH-15224](https://github.com/hashicorp/vault/pull/15224)]
+* core: pre-calculate namespace specific paths when tainting a route during postUnseal [[GH-15067](https://github.com/hashicorp/vault/pull/15067)]
+
+## 1.10.2
+### April 29, 2022
+
+BUG FIXES:
+
+* raft: fix Raft TLS key rotation panic that occurs if active key is more than 24 hours old [[GH-15156](https://github.com/hashicorp/vault/pull/15156)]
+* sdk: Fix OpenApi spec generator to properly convert TypeInt64 to OAS supported int64 [[GH-15104](https://github.com/hashicorp/vault/pull/15104)]
+
+## 1.10.1
+### April 22, 2022
+
+CHANGES:
+
+* core: A request that fails path validation due to relative path check will now be responded to with a 400 rather than 500. [[GH-14328](https://github.com/hashicorp/vault/pull/14328)]
+* core: Bump Go version to 1.17.9. [[GH-15044](https://github.com/hashicorp/vault/pull/15044)]
+
+IMPROVEMENTS:
+
+* agent: Upgrade hashicorp/consul-template version for sprig template functions and improved writeTo function [[GH-15092](https://github.com/hashicorp/vault/pull/15092)]
+* auth: enforce a rate limit for TOTP passcode validation attempts [[GH-14864](https://github.com/hashicorp/vault/pull/14864)]
+* cli/vault: warn when policy name contains upper-case letter [[GH-14670](https://github.com/hashicorp/vault/pull/14670)]
+* cockroachdb: add high-availability support [[GH-12965](https://github.com/hashicorp/vault/pull/12965)]
+* sentinel (enterprise): Upgrade sentinel to [v0.18.5](https://docs.hashicorp.com/sentinel/changelog#0-18-5-january-14-2022) to avoid potential naming collisions in the remote installer
+
+BUG FIXES:
+
+* Fixed panic when adding or modifying a Duo MFA Method in Enterprise
+* agent: Fix log level mismatch between ERR and ERROR [[GH-14424](https://github.com/hashicorp/vault/pull/14424)]
+* api/sys/raft: Update RaftSnapshotRestore to use net/http client allowing bodies larger than allocated memory to be streamed [[GH-14269](https://github.com/hashicorp/vault/pull/14269)]
+* api: Respect increment value in grace period calculations in LifetimeWatcher [[GH-14836](https://github.com/hashicorp/vault/pull/14836)]
+* auth/approle: Add maximum length for input values that result in SHA56 HMAC calculation [[GH-14746](https://github.com/hashicorp/vault/pull/14746)]
+* auth: forward requests subject to login MFA from perfStandby to Active node [[GH-15009](https://github.com/hashicorp/vault/pull/15009)]
+* cassandra: Update gocql Cassandra client to fix "no hosts available in the pool" error [[GH-14973](https://github.com/hashicorp/vault/pull/14973)]
+* cli: Fix panic caused by parsing key=value fields whose value is a single backslash [[GH-14523](https://github.com/hashicorp/vault/pull/14523)]
+* core (enterprise): Allow local alias create RPCs to persist alias metadata [[GH-changelog:_2747](https://github.com/hashicorp/vault/pull/changelog:_2747)]
+* core/managed-keys (enterprise): Allow PKCS#11 managed keys to use 0 as a slot number
+* core/metrics: Fix incorrect table size metric for local mounts [[GH-14755](https://github.com/hashicorp/vault/pull/14755)]
+* core: Fix panic caused by parsing JSON integers for fields defined as comma-delimited integers [[GH-15072](https://github.com/hashicorp/vault/pull/15072)]
+* core: Fix panic caused by parsing JSON integers for fields defined as comma-delimited strings [[GH-14522](https://github.com/hashicorp/vault/pull/14522)]
+* core: Fix panic caused by parsing policies with empty slice values. [[GH-14501](https://github.com/hashicorp/vault/pull/14501)]
+* core: Fix panic for help request URL paths without /v1/ prefix [[GH-14704](https://github.com/hashicorp/vault/pull/14704)]
+* core: fixing excessive unix file permissions [[GH-14791](https://github.com/hashicorp/vault/pull/14791)]
+* core: fixing excessive unix file permissions on dir, files and archive created by vault debug command [[GH-14846](https://github.com/hashicorp/vault/pull/14846)]
+* core: report unused or redundant keys in server configuration [[GH-14752](https://github.com/hashicorp/vault/pull/14752)]
+* core: time.After() used in a select statement can lead to memory leak [[GH-14814](https://github.com/hashicorp/vault/pull/14814)]
+* raft: Ensure initialMmapSize is set to 0 on Windows [[GH-14977](https://github.com/hashicorp/vault/pull/14977)]
+* replication (enterprise): fix panic due to missing entity during invalidation of local aliases. [[GH-14622](https://github.com/hashicorp/vault/pull/14622)]
+* secrets/database: Ensure that a `connection_url` password is redacted in all cases. [[GH-14744](https://github.com/hashicorp/vault/pull/14744)]
+* secrets/pki: Fix handling of "any" key type with default zero signature bits value. [[GH-14875](https://github.com/hashicorp/vault/pull/14875)]
+* secrets/pki: Fixed bug where larger SHA-2 hashes were truncated with shorter ECDSA CA certificates [[GH-14943](https://github.com/hashicorp/vault/pull/14943)]
+* ui: Fix Generated Token's Policies helpText to clarify that comma separated values are not excepted in this field. [[GH-15046](https://github.com/hashicorp/vault/pull/15046)]
+* ui: Fixes edit auth method capabilities issue [[GH-14966](https://github.com/hashicorp/vault/pull/14966)]
+* ui: Fixes issue logging in with OIDC from a listed auth mounts tab [[GH-14916](https://github.com/hashicorp/vault/pull/14916)]
+* ui: fix search-select component showing blank selections when editing group member entity [[GH-15058](https://github.com/hashicorp/vault/pull/15058)]
+* ui: masked values no longer give away length or location of special characters [[GH-15025](https://github.com/hashicorp/vault/pull/15025)]
+
+## 1.10.0
+### March 23, 2022
+
+CHANGES:
+
+* core (enterprise): requests with newly generated tokens to perf standbys which are lagging behind the active node return http 412 instead of 400/403/50x.
+* core: Changes the unit of `default_lease_ttl` and `max_lease_ttl` values returned by
+the `/sys/config/state/sanitized` endpoint from nanoseconds to seconds. [[GH-14206](https://github.com/hashicorp/vault/pull/14206)]
+* core: Bump Go version to 1.17.7. [[GH-14232](https://github.com/hashicorp/vault/pull/14232)]
+* plugin/database: The return value from `POST /database/config/:name` has been updated to "204 No Content" [[GH-14033](https://github.com/hashicorp/vault/pull/14033)]
+* secrets/azure: Changes the configuration parameter `use_microsoft_graph_api` to use the Microsoft
+Graph API by default. [[GH-14130](https://github.com/hashicorp/vault/pull/14130)]
+* storage/etcd: Remove support for v2. [[GH-14193](https://github.com/hashicorp/vault/pull/14193)]
+* ui: Upgrade Ember to version 3.24 [[GH-13443](https://github.com/hashicorp/vault/pull/13443)]
+
+FEATURES:
+
+* **Database plugin multiplexing**: manage multiple database connections with a single plugin process [[GH-14033](https://github.com/hashicorp/vault/pull/14033)]
+* **Login MFA**: Single and two phase MFA is now available when authenticating to Vault. [[GH-14025](https://github.com/hashicorp/vault/pull/14025)]
+* **Mount Migration**: Vault supports moving secrets and auth mounts both within and across namespaces.
+* **Postgres in the UI**: Postgres DB is now supported by the UI [[GH-12945](https://github.com/hashicorp/vault/pull/12945)]
+* **Report in-flight requests**: Adding a trace capability to show in-flight requests, and a new gauge metric to show the total number of in-flight requests [[GH-13024](https://github.com/hashicorp/vault/pull/13024)]
+* **Server Side Consistent Tokens**: Service tokens have been updated to be longer (a minimum of 95 bytes) and token prefixes for all token types are updated from s., b., and r. to hvs., hvb., and hvr. for service, batch, and recovery tokens respectively. Vault clusters with integrated storage will now have read-after-write consistency by default. [[GH-14109](https://github.com/hashicorp/vault/pull/14109)]
+* **Transit SHA-3 Support**: Add support for SHA-3 in the Transit backend. [[GH-13367](https://github.com/hashicorp/vault/pull/13367)]
+* **Transit Time-Based Key Autorotation**: Add support for automatic, time-based key rotation to transit secrets engine, including in the UI. [[GH-13691](https://github.com/hashicorp/vault/pull/13691)]
+* **UI Client Count Improvements**: Restructures client count dashboard, making use of billing start date to improve accuracy. Adds mount-level distribution and filtering. [[GH-client-counts](https://github.com/hashicorp/vault/pull/client-counts)]
+* **Agent Telemetry**: The Vault Agent can now collect and return telemetry information at the `/agent/v1/metrics` endpoint.
+
+IMPROVEMENTS:
+
+* agent: Adds ability to configure specific user-assigned managed identities for Azure auto-auth. [[GH-14214](https://github.com/hashicorp/vault/pull/14214)]
+* agent: The `agent/v1/quit` endpoint can now be used to stop the Vault Agent remotely [[GH-14223](https://github.com/hashicorp/vault/pull/14223)]
+* api: Allow cloning `api.Client` tokens via `api.Config.CloneToken` or `api.Client.SetCloneToken()`. [[GH-13515](https://github.com/hashicorp/vault/pull/13515)]
+* api: Define constants for X-Vault-Forward and X-Vault-Inconsistent headers [[GH-14067](https://github.com/hashicorp/vault/pull/14067)]
+* api: Implements Login method in Go client libraries for GCP and Azure auth methods [[GH-13022](https://github.com/hashicorp/vault/pull/13022)]
+* api: Implements Login method in Go client libraries for LDAP auth methods [[GH-13841](https://github.com/hashicorp/vault/pull/13841)]
+* api: Trim newline character from wrapping token in logical.Unwrap from the api package [[GH-13044](https://github.com/hashicorp/vault/pull/13044)]
+* api: add api method for modifying raft autopilot configuration [[GH-12428](https://github.com/hashicorp/vault/pull/12428)]
+* api: respect WithWrappingToken() option during AppRole login authentication when used with secret ID specified from environment or from string [[GH-13241](https://github.com/hashicorp/vault/pull/13241)]
+* audit: The audit logs now contain the port used by the client [[GH-12790](https://github.com/hashicorp/vault/pull/12790)]
+* auth/aws: Enable region detection in the CLI by specifying the region as `auto` [[GH-14051](https://github.com/hashicorp/vault/pull/14051)]
+* auth/cert: Add certificate extensions as metadata [[GH-13348](https://github.com/hashicorp/vault/pull/13348)]
+* auth/jwt: The Authorization Code flow makes use of the Proof Key for Code Exchange (PKCE) extension. [[GH-13365](https://github.com/hashicorp/vault/pull/13365)]
+* auth/kubernetes: Added support for dynamically reloading short-lived tokens for better Kubernetes 1.21+ compatibility [[GH-13595](https://github.com/hashicorp/vault/pull/13595)]
+* auth/ldap: Add a response warning and server log whenever the config is accessed
+if `userfilter` doesn't consider `userattr` [[GH-14095](https://github.com/hashicorp/vault/pull/14095)]
+* auth/ldap: Add username to alias metadata [[GH-13669](https://github.com/hashicorp/vault/pull/13669)]
+* auth/ldap: Add username_as_alias configurable to change how aliases are named [[GH-14324](https://github.com/hashicorp/vault/pull/14324)]
+* auth/okta: Update [okta-sdk-golang](https://github.com/okta/okta-sdk-golang) dependency to version v2.9.1 for improved request backoff handling [[GH-13439](https://github.com/hashicorp/vault/pull/13439)]
+* auth/token: The `auth/token/revoke-accessor` endpoint is now idempotent and will
+not error out if the token has already been revoked. [[GH-13661](https://github.com/hashicorp/vault/pull/13661)]
+* auth: reading `sys/auth/:path` now returns the configuration for the auth engine mounted at the given path [[GH-12793](https://github.com/hashicorp/vault/pull/12793)]
+* cli: interactive CLI for login mfa [[GH-14131](https://github.com/hashicorp/vault/pull/14131)]
+* command (enterprise): "vault license get" now uses non-deprecated endpoint /sys/license/status
+* core/ha: Add new mechanism for keeping track of peers talking to active node, and new 'operator members' command to view them. [[GH-13292](https://github.com/hashicorp/vault/pull/13292)]
+* core/identity: Support updating an alias' `custom_metadata` to be empty. [[GH-13395](https://github.com/hashicorp/vault/pull/13395)]
+* core/pki: Support Y10K value in notAfter field to be compliant with IEEE 802.1AR-2018 standard [[GH-12795](https://github.com/hashicorp/vault/pull/12795)]
+* core/pki: Support Y10K value in notAfter field when signing non-CA certificates [[GH-13736](https://github.com/hashicorp/vault/pull/13736)]
+* core: Add duration and start_time to completed requests log entries [[GH-13682](https://github.com/hashicorp/vault/pull/13682)]
+* core: Add support to list password policies at `sys/policies/password` [[GH-12787](https://github.com/hashicorp/vault/pull/12787)]
+* core: Add support to list version history via API at `sys/version-history` and via CLI with `vault version-history` [[GH-13766](https://github.com/hashicorp/vault/pull/13766)]
+* core: Fixes code scanning alerts [[GH-13667](https://github.com/hashicorp/vault/pull/13667)]
+* core: Periodically test the health of connectivity to auto-seal backends [[GH-13078](https://github.com/hashicorp/vault/pull/13078)]
+* core: Reading `sys/mounts/:path` now returns the configuration for the secret engine at the given path [[GH-12792](https://github.com/hashicorp/vault/pull/12792)]
+* core: Replace "master key" terminology with "root key" [[GH-13324](https://github.com/hashicorp/vault/pull/13324)]
+* core: Small changes to ensure goroutines terminate in tests [[GH-14197](https://github.com/hashicorp/vault/pull/14197)]
+* core: Systemd unit file included with the Linux packages now sets the service type to notify. [[GH-14385](https://github.com/hashicorp/vault/pull/14385)]
+* core: Update github.com/prometheus/client_golang to fix security vulnerability CVE-2022-21698. [[GH-14190](https://github.com/hashicorp/vault/pull/14190)]
+* core: Vault now supports the PROXY protocol v2. Support for UNKNOWN connections
+has also been added to the PROXY protocol v1. [[GH-13540](https://github.com/hashicorp/vault/pull/13540)]
+* http (enterprise): Serve /sys/license/status endpoint within namespaces
+* identity/oidc: Adds a default OIDC provider [[GH-14119](https://github.com/hashicorp/vault/pull/14119)]
+* identity/oidc: Adds a default key for OIDC clients [[GH-14119](https://github.com/hashicorp/vault/pull/14119)]
+* identity/oidc: Adds an `allow_all` assignment that permits all entities to authenticate via an OIDC client [[GH-14119](https://github.com/hashicorp/vault/pull/14119)]
+* identity/oidc: Adds proof key for code exchange (PKCE) support to OIDC providers. [[GH-13917](https://github.com/hashicorp/vault/pull/13917)]
+* sdk: Add helper for decoding root tokens [[GH-10505](https://github.com/hashicorp/vault/pull/10505)]
+* secrets/azure: Adds support for rotate-root. [#70](https://github.com/hashicorp/vault-plugin-secrets-azure/pull/70) [[GH-13034](https://github.com/hashicorp/vault/pull/13034)]
+* secrets/consul: Add support for consul enterprise namespaces and admin partitions. [[GH-13850](https://github.com/hashicorp/vault/pull/13850)]
+* secrets/consul: Add support for consul roles. [[GH-14014](https://github.com/hashicorp/vault/pull/14014)]
+* secrets/database/influxdb: Switch/upgrade to the `influxdb1-client` module [[GH-12262](https://github.com/hashicorp/vault/pull/12262)]
+* secrets/database: Add database configuration parameter 'disable_escaping' for username and password when connecting to a database. [[GH-13414](https://github.com/hashicorp/vault/pull/13414)]
+* secrets/kv: add full secret path output to table-formatted responses [[GH-14301](https://github.com/hashicorp/vault/pull/14301)]
+* secrets/kv: add patch support for KVv2 key metadata [[GH-13215](https://github.com/hashicorp/vault/pull/13215)]
+* secrets/kv: add subkeys endpoint to retrieve a secret's stucture without its values [[GH-13893](https://github.com/hashicorp/vault/pull/13893)]
+* secrets/pki: Add ability to fetch individual certificate as DER or PEM [[GH-10948](https://github.com/hashicorp/vault/pull/10948)]
+* secrets/pki: Add count and duration metrics to PKI issue and revoke calls. [[GH-13889](https://github.com/hashicorp/vault/pull/13889)]
+* secrets/pki: Add error handling for error types other than UserError or InternalError [[GH-14195](https://github.com/hashicorp/vault/pull/14195)]
+* secrets/pki: Allow URI SAN templates in allowed_uri_sans when allowed_uri_sans_template is set to true. [[GH-10249](https://github.com/hashicorp/vault/pull/10249)]
+* secrets/pki: Allow other_sans in sign-intermediate and sign-verbatim [[GH-13958](https://github.com/hashicorp/vault/pull/13958)]
+* secrets/pki: Calculate the Subject Key Identifier as suggested in [RFC 5280, Section 4.2.1.2](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2). [[GH-11218](https://github.com/hashicorp/vault/pull/11218)]
+* secrets/pki: Restrict issuance of wildcard certificates via role parameter (`allow_wildcard_certificates`) [[GH-14238](https://github.com/hashicorp/vault/pull/14238)]
+* secrets/pki: Return complete chain (in `ca_chain` field) on calls to `pki/cert/ca_chain` [[GH-13935](https://github.com/hashicorp/vault/pull/13935)]
+* secrets/pki: Use application/pem-certificate-chain for PEM certificates, application/x-pem-file for PEM CRLs [[GH-13927](https://github.com/hashicorp/vault/pull/13927)]
+* secrets/pki: select appropriate signature algorithm for ECDSA signature on certificates. [[GH-11216](https://github.com/hashicorp/vault/pull/11216)]
+* secrets/ssh: Add support for generating non-RSA SSH CAs [[GH-14008](https://github.com/hashicorp/vault/pull/14008)]
+* secrets/ssh: Allow specifying multiple approved key lengths for a single algorithm [[GH-13991](https://github.com/hashicorp/vault/pull/13991)]
+* secrets/ssh: Use secure default for algorithm signer (rsa-sha2-256) with RSA SSH CA keys on new roles [[GH-14006](https://github.com/hashicorp/vault/pull/14006)]
+* secrets/transit: Don't abort transit encrypt or decrypt batches on single item failure. [[GH-13111](https://github.com/hashicorp/vault/pull/13111)]
+* storage/aerospike: Upgrade `aerospike-client-go` to v5.6.0. [[GH-12165](https://github.com/hashicorp/vault/pull/12165)]
+* storage/raft: Set InitialMmapSize to 100GB on 64bit architectures [[GH-13178](https://github.com/hashicorp/vault/pull/13178)]
+* storage/raft: When using retry_join stanzas, join against all of them in parallel. [[GH-13606](https://github.com/hashicorp/vault/pull/13606)]
+* sys/raw: Enhance sys/raw to read and write values that cannot be encoded in json. [[GH-13537](https://github.com/hashicorp/vault/pull/13537)]
+* ui: Add support for ECDSA and Ed25519 certificate views [[GH-13894](https://github.com/hashicorp/vault/pull/13894)]
+* ui: Add version diff view for KV V2 [[GH-13000](https://github.com/hashicorp/vault/pull/13000)]
+* ui: Added client side paging for namespace list view [[GH-13195](https://github.com/hashicorp/vault/pull/13195)]
+* ui: Adds flight icons to UI [[GH-12976](https://github.com/hashicorp/vault/pull/12976)]
+* ui: Adds multi-factor authentication support [[GH-14049](https://github.com/hashicorp/vault/pull/14049)]
+* ui: Allow static role credential rotation in Database secrets engines [[GH-14268](https://github.com/hashicorp/vault/pull/14268)]
+* ui: Display badge for all versions in secrets engine header [[GH-13015](https://github.com/hashicorp/vault/pull/13015)]
+* ui: Swap browser localStorage in favor of sessionStorage [[GH-14054](https://github.com/hashicorp/vault/pull/14054)]
+* ui: The integrated web terminal now accepts both `-f` and `--force` as aliases
+for `-force` for the `write` command. [[GH-13683](https://github.com/hashicorp/vault/pull/13683)]
+* ui: Transform advanced templating with encode/decode format support [[GH-13908](https://github.com/hashicorp/vault/pull/13908)]
+* ui: Updates ember blueprints to glimmer components [[GH-13149](https://github.com/hashicorp/vault/pull/13149)]
+* ui: customizes empty state messages for transit and transform [[GH-13090](https://github.com/hashicorp/vault/pull/13090)]
+
+BUG FIXES:
+
+* Fixed bug where auth method only considers system-identity when multiple identities are available. [#50](https://github.com/hashicorp/vault-plugin-auth-azure/pull/50) [[GH-14138](https://github.com/hashicorp/vault/pull/14138)]
+* activity log (enterprise): allow partial monthly client count to be accessed from namespaces [[GH-13086](https://github.com/hashicorp/vault/pull/13086)]
+* agent: Fixes bug where vault agent is unaware of the namespace in the config when wrapping token
+* api/client: Fixes an issue where the `replicateStateStore` was being set to `nil` upon consecutive calls to `client.SetReadYourWrites(true)`. [[GH-13486](https://github.com/hashicorp/vault/pull/13486)]
+* auth/approle: Fix regression where unset cidrlist is returned as nil instead of zero-length array. [[GH-13235](https://github.com/hashicorp/vault/pull/13235)]
+* auth/approle: Fix wrapping of nil errors in `login` endpoint [[GH-14107](https://github.com/hashicorp/vault/pull/14107)]
+* auth/github: Use the Organization ID instead of the Organization name to verify the org membership. [[GH-13332](https://github.com/hashicorp/vault/pull/13332)]
+* auth/kubernetes: Properly handle the migration of role storage entries containing an empty `alias_name_source` [[GH-13925](https://github.com/hashicorp/vault/pull/13925)]
+* auth/kubernetes: ensure valid entity alias names created for projected volume tokens [[GH-14144](https://github.com/hashicorp/vault/pull/14144)]
+* auth/oidc: Fixes OIDC auth from the Vault UI when using the implicit flow and `form_post` response mode. [[GH-13492](https://github.com/hashicorp/vault/pull/13492)]
+* cli: Fix using kv patch with older server versions that don't support HTTP PATCH. [[GH-13615](https://github.com/hashicorp/vault/pull/13615)]
+* core (enterprise): Fix a data race in logshipper.
+* core (enterprise): Workaround AWS CloudHSM v5 SDK issue not allowing read-only sessions
+* core/api: Fix overwriting of request headers when using JSONMergePatch. [[GH-14222](https://github.com/hashicorp/vault/pull/14222)]
+* core/identity: Address a data race condition between local updates to aliases and invalidations [[GH-13093](https://github.com/hashicorp/vault/pull/13093)]
+* core/identity: Address a data race condition between local updates to aliases and invalidations [[GH-13476](https://github.com/hashicorp/vault/pull/13476)]
+* core/token: Fix null token panic from 'v1/auth/token/' endpoints and return proper error response. [[GH-13233](https://github.com/hashicorp/vault/pull/13233)]
+* core/token: Fix null token_type panic resulting from 'v1/auth/token/roles/{role_name}' endpoint [[GH-13236](https://github.com/hashicorp/vault/pull/13236)]
+* core: Fix warnings logged on perf standbys re stored versions [[GH-13042](https://github.com/hashicorp/vault/pull/13042)]
+* core: `-output-curl-string` now properly sets cURL options for client and CA
+certificates. [[GH-13660](https://github.com/hashicorp/vault/pull/13660)]
+* core: add support for go-sockaddr templates in the top-level cluster_addr field [[GH-13678](https://github.com/hashicorp/vault/pull/13678)]
+* core: authentication to "login" endpoint for non-existent mount path returns permission denied with status code 403 [[GH-13162](https://github.com/hashicorp/vault/pull/13162)]
+* core: revert some unintentionally downgraded dependencies from 1.9.0-rc1 [[GH-13168](https://github.com/hashicorp/vault/pull/13168)]
+* ha (enterprise): Prevents performance standby nodes from serving and caching stale data immediately after performance standby election completes
+* http (enterprise): Always forward internal/counters endpoints from perf standbys to active node
+* http:Fix /sys/monitor endpoint returning streaming not supported [[GH-13200](https://github.com/hashicorp/vault/pull/13200)]
+* identity/oidc: Adds support for port-agnostic validation of loopback IP redirect URIs. [[GH-13871](https://github.com/hashicorp/vault/pull/13871)]
+* identity/oidc: Check for a nil signing key on rotation to prevent panics. [[GH-13716](https://github.com/hashicorp/vault/pull/13716)]
+* identity/oidc: Fixes inherited group membership when evaluating client assignments [[GH-14013](https://github.com/hashicorp/vault/pull/14013)]
+* identity/oidc: Fixes potential write to readonly storage on performance secondary clusters during key rotation [[GH-14426](https://github.com/hashicorp/vault/pull/14426)]
+* identity/oidc: Make the `nonce` parameter optional for the Authorization Endpoint of OIDC providers. [[GH-13231](https://github.com/hashicorp/vault/pull/13231)]
+* identity/token: Fixes a bug where duplicate public keys could appear in the .well-known JWKS [[GH-14543](https://github.com/hashicorp/vault/pull/14543)]
+* identity: Fix possible nil pointer dereference. [[GH-13318](https://github.com/hashicorp/vault/pull/13318)]
+* identity: Fix regression preventing startup when aliases were created pre-1.9. [[GH-13169](https://github.com/hashicorp/vault/pull/13169)]
+* identity: Fixes a panic in the OIDC key rotation due to a missing nil check. [[GH-13298](https://github.com/hashicorp/vault/pull/13298)]
+* kmip (enterprise): Fix locate by name operations fail to find key after a rekey operation.
+* licensing (enterprise): Revert accidental inclusion of the TDE feature from the `prem` build.
+* metrics/autosnapshots (enterprise) : Fix bug that could cause
+vault.autosnapshots.save.errors to not be incremented when there is an
+autosnapshot save error.
+* physical/mysql: Create table with wider `vault_key` column when initializing database tables. [[GH-14231](https://github.com/hashicorp/vault/pull/14231)]
+* plugin/couchbase: Fix an issue in which the locking patterns did not allow parallel requests. [[GH-13033](https://github.com/hashicorp/vault/pull/13033)]
+* replication (enterprise): When using encrypted secondary tokens, only clear the
+private key after a successful connection to the primary cluster
+* sdk/framework: Generate proper OpenAPI specs for path patterns that use an alternation as the root. [[GH-13487](https://github.com/hashicorp/vault/pull/13487)]
+* sdk/helper/ldaputil: properly escape a trailing escape character to prevent panics. [[GH-13452](https://github.com/hashicorp/vault/pull/13452)]
+* sdk/queue: move lock before length check to prevent panics. [[GH-13146](https://github.com/hashicorp/vault/pull/13146)]
+* sdk: Fixes OpenAPI to distinguish between paths that can do only List, or both List and Read. [[GH-13643](https://github.com/hashicorp/vault/pull/13643)]
+* secrets/azure: Fixed bug where Azure environment did not change Graph URL [[GH-13973](https://github.com/hashicorp/vault/pull/13973)]
+* secrets/azure: Fixes service principal generation when assigning roles that have [DataActions](https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions#dataactions). [[GH-13277](https://github.com/hashicorp/vault/pull/13277)]
+* secrets/azure: Fixes the [rotate root](https://www.vaultproject.io/api-docs/secret/azure#rotate-root)
+operation for upgraded configurations with a `root_password_ttl` of zero. [[GH-14130](https://github.com/hashicorp/vault/pull/14130)]
+* secrets/database/cassandra: change connect_timeout to 5s as documentation says [[GH-12443](https://github.com/hashicorp/vault/pull/12443)]
+* secrets/database/mssql: Accept a boolean for `contained_db`, rather than just a string. [[GH-13469](https://github.com/hashicorp/vault/pull/13469)]
+* secrets/gcp: Fixed bug where error was not reported for invalid bindings [[GH-13974](https://github.com/hashicorp/vault/pull/13974)]
+* secrets/gcp: Fixes role bindings for BigQuery dataset resources. [[GH-13548](https://github.com/hashicorp/vault/pull/13548)]
+* secrets/openldap: Fix panic from nil logger in backend [[GH-14171](https://github.com/hashicorp/vault/pull/14171)]
+* secrets/pki: Default value for key_bits changed to 0, enabling key_type=ec key generation with default value [[GH-13080](https://github.com/hashicorp/vault/pull/13080)]
+* secrets/pki: Fix issuance of wildcard certificates matching glob patterns [[GH-14235](https://github.com/hashicorp/vault/pull/14235)]
+* secrets/pki: Fix regression causing performance secondaries to forward certificate generation to the primary. [[GH-13759](https://github.com/hashicorp/vault/pull/13759)]
+* secrets/pki: Fix regression causing performance secondaries to forward certificate generation to the primary. [[GH-2456](https://github.com/hashicorp/vault/pull/2456)]
+* secrets/pki: Fixes around NIST P-curve signature hash length, default value for signature_bits changed to 0. [[GH-12872](https://github.com/hashicorp/vault/pull/12872)]
+* secrets/pki: Recognize ed25519 when requesting a response in PKCS8 format [[GH-13257](https://github.com/hashicorp/vault/pull/13257)]
+* secrets/pki: Skip signature bits validation for ed25519 curve key type [[GH-13254](https://github.com/hashicorp/vault/pull/13254)]
+* secrets/transit: Ensure that Vault does not panic for invalid nonce size when we aren't in convergent encryption mode. [[GH-13690](https://github.com/hashicorp/vault/pull/13690)]
+* secrets/transit: Return an error if any required parameter is missing. [[GH-14074](https://github.com/hashicorp/vault/pull/14074)]
+* storage/raft: Fix a panic when trying to store a key > 32KB in a transaction. [[GH-13286](https://github.com/hashicorp/vault/pull/13286)]
+* storage/raft: Fix a panic when trying to write a key > 32KB [[GH-13282](https://github.com/hashicorp/vault/pull/13282)]
+* storage/raft: Fix issues allowing invalid nodes to become leadership candidates. [[GH-13703](https://github.com/hashicorp/vault/pull/13703)]
+* storage/raft: Fix regression in 1.9.0-rc1 that changed how time is represented in Raft logs; this prevented using a raft db created pre-1.9. [[GH-13165](https://github.com/hashicorp/vault/pull/13165)]
+* storage/raft: On linux, use map_populate for bolt files to improve startup time. [[GH-13573](https://github.com/hashicorp/vault/pull/13573)]
+* storage/raft: Units for bolt metrics now given in milliseconds instead of nanoseconds [[GH-13749](https://github.com/hashicorp/vault/pull/13749)]
+* ui: Adds pagination to auth methods list view [[GH-13054](https://github.com/hashicorp/vault/pull/13054)]
+* ui: Do not show verify connection value on database connection config page [[GH-13152](https://github.com/hashicorp/vault/pull/13152)]
+* ui: Fix client count current month data not showing unless monthly history data exists [[GH-13396](https://github.com/hashicorp/vault/pull/13396)]
+* ui: Fix default TTL display and set on database role [[GH-14224](https://github.com/hashicorp/vault/pull/14224)]
+* ui: Fix incorrect validity message on transit secrets engine [[GH-14233](https://github.com/hashicorp/vault/pull/14233)]
+* ui: Fix issue where UI incorrectly handled API errors when mounting backends [[GH-14551](https://github.com/hashicorp/vault/pull/14551)]
+* ui: Fix kv engine access bug [[GH-13872](https://github.com/hashicorp/vault/pull/13872)]
+* ui: Fixes breadcrumb bug for secrets navigation [[GH-13604](https://github.com/hashicorp/vault/pull/13604)]
+* ui: Fixes caching issue on kv new version create [[GH-14489](https://github.com/hashicorp/vault/pull/14489)]
+* ui: Fixes displaying empty masked values in PKI engine [[GH-14400](https://github.com/hashicorp/vault/pull/14400)]
+* ui: Fixes horizontal bar chart hover issue when filtering namespaces and mounts [[GH-14493](https://github.com/hashicorp/vault/pull/14493)]
+* ui: Fixes issue logging out with wrapped token query parameter [[GH-14329](https://github.com/hashicorp/vault/pull/14329)]
+* ui: Fixes issue removing raft storage peer via cli not reflected in UI until refresh [[GH-13098](https://github.com/hashicorp/vault/pull/13098)]
+* ui: Fixes issue restoring raft storage snapshot [[GH-13107](https://github.com/hashicorp/vault/pull/13107)]
+* ui: Fixes issue saving KMIP role correctly [[GH-13585](https://github.com/hashicorp/vault/pull/13585)]
+* ui: Fixes issue with OIDC auth workflow when using MetaMask Chrome extension [[GH-13133](https://github.com/hashicorp/vault/pull/13133)]
+* ui: Fixes issue with SearchSelect component not holding focus [[GH-13590](https://github.com/hashicorp/vault/pull/13590)]
+* ui: Fixes issue with automate secret deletion value not displaying initially if set in secret metadata edit view [[GH-13177](https://github.com/hashicorp/vault/pull/13177)]
+* ui: Fixes issue with correct auth method not selected when logging out from OIDC or JWT methods [[GH-14545](https://github.com/hashicorp/vault/pull/14545)]
+* ui: Fixes issue with placeholder not displaying for automatically deleted secrets when deletion time has passed [[GH-13166](https://github.com/hashicorp/vault/pull/13166)]
+* ui: Fixes issue with the number of PGP Key inputs not matching the key shares number in the initialization form on change [[GH-13038](https://github.com/hashicorp/vault/pull/13038)]
+* ui: Fixes long secret key names overlapping masked values [[GH-13032](https://github.com/hashicorp/vault/pull/13032)]
+* ui: Fixes node-forge error when parsing EC (elliptical curve) certs [[GH-13238](https://github.com/hashicorp/vault/pull/13238)]
+* ui: Redirects to managed namespace if incorrect namespace in URL param [[GH-14422](https://github.com/hashicorp/vault/pull/14422)]
+* ui: Removes ability to tune token_type for token auth methods [[GH-12904](https://github.com/hashicorp/vault/pull/12904)]
+* ui: trigger token renewal if inactive and half of TTL has passed [[GH-13950](https://github.com/hashicorp/vault/pull/13950)]
diff --git a/changelog/24010.txt b/changelog/24010.txt
new file mode 100644
index 000000000000..2332eea289ce
--- /dev/null
+++ b/changelog/24010.txt
@@ -0,0 +1,87 @@
+# Each line is a file pattern followed by one or more owners. Being an owner
+# means those groups or individuals will be added as reviewers to PRs affecting
+# those areas of the code.
+#
+# More on CODEOWNERS files: https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners
+
+# Select Auth engines are owned by Ecosystem
+/builtin/credential/aws/      @hashicorp/vault-ecosystem-applications
+/builtin/credential/github/   @hashicorp/vault-ecosystem-applications
+/builtin/credential/ldap/     @hashicorp/vault-ecosystem-applications
+/builtin/credential/okta/     @hashicorp/vault-ecosystem-applications
+
+# Secrets engines (pki, ssh, totp and transit omitted)
+/builtin/logical/aws/         @hashicorp/vault-ecosystem-applications
+/builtin/logical/cassandra/   @hashicorp/vault-ecosystem-applications
+/builtin/logical/consul/      @hashicorp/vault-ecosystem-applications
+/builtin/logical/database/    @hashicorp/vault-ecosystem-applications
+/builtin/logical/mongodb/     @hashicorp/vault-ecosystem-applications
+/builtin/logical/mssql/       @hashicorp/vault-ecosystem-applications
+/builtin/logical/mysql/       @hashicorp/vault-ecosystem-applications
+/builtin/logical/nomad/       @hashicorp/vault-ecosystem-applications
+/builtin/logical/postgresql/  @hashicorp/vault-ecosystem-applications
+/builtin/logical/rabbitmq/    @hashicorp/vault-ecosystem-applications
+
+# Identity Integrations (OIDC, tokens)
+/vault/identity_store_oidc*   @hashicorp/vault-ecosystem-applications
+
+/plugins/                     @hashicorp/vault-ecosystem
+/vault/plugin_catalog.go      @hashicorp/vault-ecosystem
+
+/website/content/ @hashicorp/vault-education-approvers
+/website/content/docs/plugin-portal.mdx   @acahn @hashicorp/vault-education-approvers
+
+# Plugin docs
+/website/content/docs/plugins/              @hashicorp/vault-ecosystem @hashicorp/vault-education-approvers
+/website/content/docs/upgrading/plugins.mdx @hashicorp/vault-ecosystem @hashicorp/vault-education-approvers
+
+# UI code related to Vault's JWT/OIDC auth method and OIDC provider.
+# Changes to these files often require coordination with backend code,
+# so stewards of the backend code are added below for notification.
+/ui/app/components/auth-jwt.js         @hashicorp/vault-ecosystem-applications
+/ui/app/routes/vault/cluster/oidc-*.js @hashicorp/vault-ecosystem-applications
+
+# Release config; service account is required for automation tooling.
+/.release/                     @hashicorp/github-secure-vault-core @hashicorp/quality-team
+/.github/workflows/build.yml   @hashicorp/github-secure-vault-core @hashicorp/quality-team
+
+# Quality engineering
+/.github/  @hashicorp/quality-team
+/enos/     @hashicorp/quality-team
+
+# Cryptosec
+/builtin/logical/pki/                                @hashicorp/vault-crypto
+/builtin/logical/pkiext/                             @hashicorp/vault-crypto
+/website/content/docs/secrets/pki/                   @hashicorp/vault-crypto
+/website/content/api-docs/secret/pki.mdx             @hashicorp/vault-crypto
+/builtin/credential/cert/                            @hashicorp/vault-crypto
+/website/content/docs/auth/cert.mdx                  @hashicorp/vault-crypto
+/website/content/api-docs/auth/cert.mdx              @hashicorp/vault-crypto
+/builtin/logical/ssh/                                @hashicorp/vault-crypto
+/website/content/docs/secrets/ssh/                   @hashicorp/vault-crypto
+/website/content/api-docs/secret/ssh.mdx             @hashicorp/vault-crypto
+/builtin/logical/transit/                            @hashicorp/vault-crypto
+/website/content/docs/secrets/transit/               @hashicorp/vault-crypto
+/website/content/api-docs/secret/transit.mdx         @hashicorp/vault-crypto
+/helper/random/                                      @hashicorp/vault-crypto
+/sdk/helper/certutil/                                @hashicorp/vault-crypto
+/sdk/helper/cryptoutil/                              @hashicorp/vault-crypto
+/sdk/helper/kdf/                                     @hashicorp/vault-crypto
+/sdk/helper/keysutil/                                @hashicorp/vault-crypto
+/sdk/helper/ocsp/                                    @hashicorp/vault-crypto
+/sdk/helper/salt/                                    @hashicorp/vault-crypto
+/sdk/helper/tlsutil/                                 @hashicorp/vault-crypto
+/shamir/                                             @hashicorp/vault-crypto
+/vault/barrier*                                      @hashicorp/vault-crypto
+/vault/managed_key*                                  @hashicorp/vault-crypto
+/vault/seal*                                         @hashicorp/vault-crypto
+/vault/seal/                                         @hashicorp/vault-crypto
+/website/content/docs/configuration/seal/            @hashicorp/vault-crypto
+/website/content/docs/enterprise/sealwrap.mdx        @hashicorp/vault-crypto
+/website/content/api-docs/system/sealwrap-rewrap.mdx @hashicorp/vault-crypto
+/website/content/docs/secrets/transform/             @hashicorp/vault-crypto
+/website/content/api-docs/secret/transform.mdx       @hashicorp/vault-crypto
+/website/content/docs/secrets/kmip-profiles.mdx      @hashicorp/vault-crypto
+/website/content/docs/secrets/kmip.mdx               @hashicorp/vault-crypto
+/website/content/api-docs/secret/kmip.mdx            @hashicorp/vault-crypto
+/website/content/docs/enterprise/fips/               @hashicorp/vault-crypto
diff --git a/changelog/24099.txt b/changelog/24099.txt
new file mode 100644
index 000000000000..2fd0aa80e20d
--- /dev/null
+++ b/changelog/24099.txt
@@ -0,0 +1,14 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+FROM docker.mirror.hashicorp.services/ubuntu:22.04
+
+ARG plugin
+
+RUN groupadd nonroot && useradd -g nonroot nonroot
+
+USER nonroot
+
+COPY ${plugin} /bin/plugin
+
+ENTRYPOINT [ "/bin/plugin" ]
\ No newline at end of file
diff --git a/changelog/24168.txt b/changelog/24168.txt
new file mode 100644
index 000000000000..0731bd030f72
--- /dev/null
+++ b/changelog/24168.txt
@@ -0,0 +1,92 @@
+License text copyright (c) 2020 MariaDB Corporation Ab, All Rights Reserved.
+"Business Source License" is a trademark of MariaDB Corporation Ab.
+
+Parameters
+
+Licensor:             HashiCorp, Inc.
+Licensed Work:        Vault Version 1.15.0 or later. The Licensed Work is (c) 2023
+                      HashiCorp, Inc.
+Additional Use Grant: You may make production use of the Licensed Work, provided
+                      Your use does not include offering the Licensed Work to third
+                      parties on a hosted or embedded basis in order to compete with 
+                      HashiCorp's paid version(s) of the Licensed Work. For purposes 
+                      of this license:
+
+                      A "competitive offering" is a Product that is offered to third
+                      parties on a paid basis, including through paid support 
+                      arrangements, that significantly overlaps with the capabilities 
+                      of HashiCorp's paid version(s) of the Licensed Work. If Your 
+                      Product is not a competitive offering when You first make it 
+                      generally available, it will not become a competitive offering
+                      later due to HashiCorp releasing a new version of the Licensed 
+                      Work with additional capabilities. In addition, Products that 
+                      are not provided on a paid basis are not competitive.
+
+                      "Product" means software that is offered to end users to manage 
+                      in their own environments or offered as a service on a hosted 
+                      basis.
+
+                      "Embedded" means including the source code or executable code 
+                      from the Licensed Work in a competitive offering. "Embedded" 
+                      also means packaging the competitive offering in such a way 
+                      that the Licensed Work must be accessed or downloaded for the 
+                      competitive offering to operate.
+
+                      Hosting or using the Licensed Work(s) for internal purposes 
+                      within an organization is not considered a competitive 
+                      offering. HashiCorp considers your organization to include all 
+                      of your affiliates under common control.
+
+                      For binding interpretive guidance on using HashiCorp products 
+                      under the Business Source License, please visit our FAQ. 
+                      (https://www.hashicorp.com/license-faq)
+Change Date:          Four years from the date the Licensed Work is published.
+Change License:       MPL 2.0
+
+For information about alternative licensing arrangements for the Licensed Work,
+please contact licensing@hashicorp.com.
+
+Notice
+
+Business Source License 1.1
+
+Terms
+
+The Licensor hereby grants you the right to copy, modify, create derivative
+works, redistribute, and make non-production use of the Licensed Work. The
+Licensor may make an Additional Use Grant, above, permitting limited production use.
+
+Effective on the Change Date, or the fourth anniversary of the first publicly
+available distribution of a specific version of the Licensed Work under this
+License, whichever comes first, the Licensor hereby grants you rights under
+the terms of the Change License, and the rights granted in the paragraph
+above terminate.
+
+If your use of the Licensed Work does not comply with the requirements
+currently in effect as described in this License, you must purchase a
+commercial license from the Licensor, its affiliated entities, or authorized
+resellers, or you must refrain from using the Licensed Work.
+
+All copies of the original and modified Licensed Work, and derivative works
+of the Licensed Work, are subject to this License. This License applies
+separately for each version of the Licensed Work and the Change Date may vary
+for each version of the Licensed Work released by Licensor.
+
+You must conspicuously display this License on each original or modified copy
+of the Licensed Work. If you receive the Licensed Work in original or
+modified form from a third party, the terms and conditions set forth in this
+License apply to your use of that work.
+
+Any use of the Licensed Work in violation of this License will automatically
+terminate your rights under this License for the current and all other
+versions of the Licensed Work.
+
+This License does not grant you any right in any trademark or logo of
+Licensor or its affiliates (provided that you may use a trademark or logo of
+Licensor as expressly required by this License).
+
+TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
+AN "AS IS" BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
+EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
+TITLE.
diff --git a/changelog/24191.txt b/changelog/24191.txt
new file mode 100644
index 000000000000..85c051c86e0e
--- /dev/null
+++ b/changelog/24191.txt
@@ -0,0 +1,502 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package pki
+
+import (
+	"bytes"
+	"context"
+	"crypto/sha256"
+	"crypto/subtle"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/asn1"
+	"encoding/base64"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"strings"
+	"time"
+)
+
+const (
+	DNSChallengePrefix = "_acme-challenge."
+	ALPNProtocol       = "acme-tls/1"
+)
+
+// While this should be a constant, there's no way to do a low-level test of
+// ValidateTLSALPN01Challenge without spinning up a complicated Docker
+// instance to build a custom responder. Because we already have a local
+// toolchain, it is far easier to drive this through Go tests with a custom
+// (high) port, rather than requiring permission to bind to port 443 (root-run
+// tests are even worse).
+var ALPNPort = "443"
+
+// OID of the acmeIdentifier X.509 Certificate Extension.
+var OIDACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}
+
+// ValidateKeyAuthorization validates that the given keyAuthz from a challenge
+// matches our expectation, returning (true, nil) if so, or (false, err) if
+// not.
+func ValidateKeyAuthorization(keyAuthz string, token string, thumbprint string) (bool, error) {
+	parts := strings.Split(keyAuthz, ".")
+	if len(parts) != 2 {
+		return false, fmt.Errorf("invalid authorization: got %v parts, expected 2", len(parts))
+	}
+
+	tokenPart := parts[0]
+	thumbprintPart := parts[1]
+
+	if token != tokenPart || thumbprint != thumbprintPart {
+		return false, fmt.Errorf("key authorization was invalid")
+	}
+
+	return true, nil
+}
+
+// ValidateSHA256KeyAuthorization validates that the given keyAuthz from a
+// challenge matches our expectation, returning (true, nil) if so, or
+// (false, err) if not.
+//
+// This is for use with DNS challenges, which require base64 encoding.
+func ValidateSHA256KeyAuthorization(keyAuthz string, token string, thumbprint string) (bool, error) {
+	authzContents := token + "." + thumbprint
+	checksum := sha256.Sum256([]byte(authzContents))
+	expectedAuthz := base64.RawURLEncoding.EncodeToString(checksum[:])
+
+	if keyAuthz != expectedAuthz {
+		return false, fmt.Errorf("sha256 key authorization was invalid")
+	}
+
+	return true, nil
+}
+
+// ValidateRawSHA256KeyAuthorization validates that the given keyAuthz from a
+// challenge matches our expectation, returning (true, nil) if so, or
+// (false, err) if not.
+//
+// This is for use with TLS challenges, which require the raw hash output.
+func ValidateRawSHA256KeyAuthorization(keyAuthz []byte, token string, thumbprint string) (bool, error) {
+	authzContents := token + "." + thumbprint
+	expectedAuthz := sha256.Sum256([]byte(authzContents))
+
+	if len(keyAuthz) != len(expectedAuthz) || subtle.ConstantTimeCompare(expectedAuthz[:], keyAuthz) != 1 {
+		return false, fmt.Errorf("sha256 key authorization was invalid")
+	}
+
+	return true, nil
+}
+
+func buildResolver(config *acmeConfigEntry) (*net.Resolver, error) {
+	if len(config.DNSResolver) == 0 {
+		return net.DefaultResolver, nil
+	}
+
+	return &net.Resolver{
+		PreferGo:     true,
+		StrictErrors: false,
+		Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
+			d := net.Dialer{
+				Timeout: 10 * time.Second,
+			}
+			return d.DialContext(ctx, network, config.DNSResolver)
+		},
+	}, nil
+}
+
+func buildDialerConfig(config *acmeConfigEntry) (*net.Dialer, error) {
+	resolver, err := buildResolver(config)
+	if err != nil {
+		return nil, fmt.Errorf("failed to build resolver: %w", err)
+	}
+
+	return &net.Dialer{
+		Timeout:   10 * time.Second,
+		KeepAlive: -1 * time.Second,
+		Resolver:  resolver,
+	}, nil
+}
+
+// Validates a given ACME http-01 challenge against the specified domain,
+// per RFC 8555.
+//
+// We attempt to be defensive here against timeouts, extra redirects, &c.
+func ValidateHTTP01Challenge(domain string, token string, thumbprint string, config *acmeConfigEntry) (bool, error) {
+	path := "http://" + domain + "/.well-known/acme-challenge/" + token
+	dialer, err := buildDialerConfig(config)
+	if err != nil {
+		return false, fmt.Errorf("failed to build dialer: %w", err)
+	}
+
+	transport := &http.Transport{
+		// Only a single request is sent to this server as we do not do any
+		// batching of validation attempts. There is no need to do an HTTP
+		// KeepAlive as a result.
+		DisableKeepAlives:   true,
+		MaxIdleConns:        1,
+		MaxIdleConnsPerHost: 1,
+		MaxConnsPerHost:     1,
+		IdleConnTimeout:     1 * time.Second,
+		TLSClientConfig:     &tls.Config{InsecureSkipVerify: true},
+
+		// We'd rather timeout and re-attempt validation later than hang
+		// too many validators waiting for slow hosts.
+		DialContext:           dialer.DialContext,
+		ResponseHeaderTimeout: 10 * time.Second,
+	}
+
+	maxRedirects := 10
+	urlLength := 2000
+
+	client := &http.Client{
+		Transport: transport,
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			if len(via)+1 >= maxRedirects {
+				return fmt.Errorf("http-01: too many redirects: %v", len(via)+1)
+			}
+
+			reqUrlLen := len(req.URL.String())
+			if reqUrlLen > urlLength {
+				return fmt.Errorf("http-01: redirect url length too long: %v", reqUrlLen)
+			}
+
+			return nil
+		},
+	}
+
+	resp, err := client.Get(path)
+	if err != nil {
+		return false, fmt.Errorf("http-01: failed to fetch path %v: %w", path, err)
+	}
+
+	// We provision a buffer which allows for a variable size challenge, some
+	// whitespace, and a detection gap for too long of a message.
+	minExpected := len(token) + 1 + len(thumbprint)
+	maxExpected := 512
+
+	defer resp.Body.Close()
+
+	// Attempt to read the body, but don't do so infinitely.
+	body, err := io.ReadAll(io.LimitReader(resp.Body, int64(maxExpected+1)))
+	if err != nil {
+		return false, fmt.Errorf("http-01: unexpected error while reading body: %w", err)
+	}
+
+	if len(body) > maxExpected {
+		return false, fmt.Errorf("http-01: response too large: received %v > %v bytes", len(body), maxExpected)
+	}
+
+	if len(body) < minExpected {
+		return false, fmt.Errorf("http-01: response too small: received %v < %v bytes", len(body), minExpected)
+	}
+
+	// Per RFC 8555 Section 8.3. HTTP Challenge:
+	//
+	// > The server SHOULD ignore whitespace characters at the end of the body.
+	keyAuthz := string(body)
+	keyAuthz = strings.TrimSpace(keyAuthz)
+
+	// If we got here, we got no non-EOF error while reading. Try to validate
+	// the token because we're bounded by a reasonable amount of length.
+	return ValidateKeyAuthorization(keyAuthz, token, thumbprint)
+}
+
+func ValidateDNS01Challenge(domain string, token string, thumbprint string, config *acmeConfigEntry) (bool, error) {
+	// Here, domain is the value from the post-wildcard-processed identifier.
+	// Per RFC 8555, no difference in validation occurs if a wildcard entry
+	// is requested or if a non-wildcard entry is requested.
+	//
+	// XXX: In this case the DNS server is operator controlled and is assumed
+	// to be less malicious so the default resolver is used. In the future,
+	// we'll want to use net.Resolver for two reasons:
+	//
+	// 1. To control the actual resolver via ACME configuration,
+	// 2. To use a context to set stricter timeout limits.
+	resolver, err := buildResolver(config)
+	if err != nil {
+		return false, fmt.Errorf("failed to build resolver: %w", err)
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+
+	name := DNSChallengePrefix + domain
+	results, err := resolver.LookupTXT(ctx, name)
+	if err != nil {
+		return false, fmt.Errorf("dns-01: failed to lookup TXT records for domain (%v) via resolver %v: %w", name, config.DNSResolver, err)
+	}
+
+	for _, keyAuthz := range results {
+		ok, _ := ValidateSHA256KeyAuthorization(keyAuthz, token, thumbprint)
+		if ok {
+			return true, nil
+		}
+	}
+
+	return false, fmt.Errorf("dns-01: challenge failed against %v records", len(results))
+}
+
+func ValidateTLSALPN01Challenge(domain string, token string, thumbprint string, config *acmeConfigEntry) (bool, error) {
+	// This RFC is defined in RFC 8737 Automated Certificate Management
+	// Environment (ACME) TLS Application‑Layer Protocol Negotiation
+	// (ALPN) Challenge Extension.
+	//
+	// This is conceptually similar to ValidateHTTP01Challenge, but
+	// uses a TLS connection on port 443 with the specified ALPN
+	// protocol.
+
+	cfg := &tls.Config{
+		// Per RFC 8737 Section 3. TLS with Application-Layer Protocol
+		// Negotiation (TLS ALPN) Challenge, the name of the negotiated
+		// protocol is "acme-tls/1".
+		NextProtos: []string{ALPNProtocol},
+
+		// Per RFC 8737 Section 3. TLS with Application-Layer Protocol
+		// Negotiation (TLS ALPN) Challenge:
+		//
+		// > ... and an SNI extension containing only the domain name
+		// > being validated during the TLS handshake.
+		//
+		// According to the Go docs, setting this option (even though
+		// InsecureSkipVerify=true is also specified), allows us to
+		// set the SNI extension to this value.
+		ServerName: domain,
+
+		VerifyConnection: func(connState tls.ConnectionState) error {
+			// We initiated a fresh connection with no session tickets;
+			// even if we did have a session ticket, we do not wish to
+			// use it. Verify that the server has not inadvertently
+			// reused connections between validation attempts or something.
+			if connState.DidResume {
+				return fmt.Errorf("server under test incorrectly reported that handshake was resumed when no session cache was provided; refusing to continue")
+			}
+
+			// Per RFC 8737 Section 3. TLS with Application-Layer Protocol
+			// Negotiation (TLS ALPN) Challenge:
+			//
+			// > The ACME server verifies that during the TLS handshake the
+			// > application-layer protocol "acme-tls/1" was successfully
+			// > negotiated (and that the ALPN extension contained only the
+			// > value "acme-tls/1").
+			if connState.NegotiatedProtocol != ALPNProtocol {
+				return fmt.Errorf("server under test negotiated unexpected ALPN protocol %v", connState.NegotiatedProtocol)
+			}
+
+			// Per RFC 8737 Section 3. TLS with Application-Layer Protocol
+			// Negotiation (TLS ALPN) Challenge:
+			//
+			// > and that the certificate returned
+			//
+			// Because this certificate MUST be self-signed (per earlier
+			// statement in RFC 8737 Section 3), there is no point in sending
+			// more than one certificate, and so we will err early here if
+			// we got more than one.
+			if len(connState.PeerCertificates) > 1 {
+				return fmt.Errorf("server under test returned multiple (%v) certificates when we expected only one", len(connState.PeerCertificates))
+			}
+			cert := connState.PeerCertificates[0]
+
+			// Per RFC 8737 Section 3. TLS with Application-Layer Protocol
+			// Negotiation (TLS ALPN) Challenge:
+			//
+			// > The client prepares for validation by constructing a
+			// > self-signed certificate that MUST contain an acmeIdentifier
+			// > extension and a subjectAlternativeName extension [RFC5280].
+			//
+			// Verify that this is a self-signed certificate that isn't signed
+			// by another certificate (i.e., with the same key material but
+			// different issuer).
+			// NOTE: Do not use cert.CheckSignatureFrom(cert) as we need to bypass the
+			//       checks for the parent certificate having the IsCA basic constraint set.
+			err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature)
+			if err != nil {
+				return fmt.Errorf("server under test returned a non-self-signed certificate: %w", err)
+			}
+
+			if !bytes.Equal(cert.RawSubject, cert.RawIssuer) {
+				return fmt.Errorf("server under test returned a non-self-signed certificate: invalid subject (%v) <-> issuer (%v) match", cert.Subject.String(), cert.Issuer.String())
+			}
+
+			// Per RFC 8737 Section 3. TLS with Application-Layer Protocol
+			// Negotiation (TLS ALPN) Challenge:
+			//
+			// > The subjectAlternativeName extension MUST contain a single
+			// > dNSName entry where the value is the domain name being
+			// > validated.
+			//
+			// TODO: this does not validate that there are not other SANs
+			// with unknown (to Go) OIDs.
+			if len(cert.DNSNames) != 1 || len(cert.EmailAddresses) > 0 || len(cert.IPAddresses) > 0 || len(cert.URIs) > 0 {
+				return fmt.Errorf("server under test returned a certificate with incorrect SANs")
+			}
+
+			// Per RFC 8737 Section 3. TLS with Application-Layer Protocol
+			// Negotiation (TLS ALPN) Challenge:
+			//
+			// > The comparison of dNSNames MUST be case insensitive
+			// > [RFC4343]. Note that as ACME doesn't support Unicode
+			// > identifiers, all dNSNames MUST be encoded using the rules
+			// > of [RFC3492].
+			if !strings.EqualFold(cert.DNSNames[0], domain) {
+				return fmt.Errorf("server under test returned a certificate with unexpected identifier: %v", cert.DNSNames[0])
+			}
+
+			// Per above, verify that the acmeIdentifier extension is present
+			// exactly once and has the correct value.
+			var foundACMEId bool
+			for _, ext := range cert.Extensions {
+				if !ext.Id.Equal(OIDACMEIdentifier) {
+					continue
+				}
+
+				// There must be only a single ACME extension.
+				if foundACMEId {
+					return fmt.Errorf("server under test returned a certificate with multiple acmeIdentifier extensions")
+				}
+				foundACMEId = true
+
+				// Per RFC 8737 Section 3. TLS with Application-Layer Protocol
+				// Negotiation (TLS ALPN) Challenge:
+				//
+				// > a critical acmeIdentifier extension
+				if !ext.Critical {
+					return fmt.Errorf("server under test returned a certificate with an acmeIdentifier extension marked non-Critical")
+				}
+
+				var keyAuthz []byte
+				remainder, err := asn1.Unmarshal(ext.Value, &keyAuthz)
+				if err != nil {
+					return fmt.Errorf("server under test returned a certificate with invalid acmeIdentifier extension value: %w", err)
+				}
+				if len(remainder) > 0 {
+					return fmt.Errorf("server under test returned a certificate with invalid acmeIdentifier extension value with additional trailing data")
+				}
+
+				ok, err := ValidateRawSHA256KeyAuthorization(keyAuthz, token, thumbprint)
+				if !ok || err != nil {
+					return fmt.Errorf("server under test returned a certificate with an invalid key authorization (%w)", err)
+				}
+			}
+
+			// Per RFC 8737 Section 3. TLS with Application-Layer Protocol
+			// Negotiation (TLS ALPN) Challenge:
+			//
+			// > The ACME server verifies that ... the certificate returned
+			// > contains: ... a critical acmeIdentifier extension containing
+			// > the expected SHA-256 digest computed in step 1.
+			if !foundACMEId {
+				return fmt.Errorf("server under test returned a certificate without the required acmeIdentifier extension")
+			}
+
+			// Remove the handled critical extension and validate that we
+			// have no additional critical extensions left unhandled.
+			var index int = -1
+			for oidIndex, oid := range cert.UnhandledCriticalExtensions {
+				if oid.Equal(OIDACMEIdentifier) {
+					index = oidIndex
+					break
+				}
+			}
+			if index != -1 {
+				// Unlike the foundACMEId case, this is not a failure; if Go
+				// updates to "understand" this critical extension, we do not
+				// wish to fail.
+				cert.UnhandledCriticalExtensions = append(cert.UnhandledCriticalExtensions[0:index], cert.UnhandledCriticalExtensions[index+1:]...)
+			}
+			if len(cert.UnhandledCriticalExtensions) > 0 {
+				return fmt.Errorf("server under test returned a certificate with additional unknown critical extensions (%v)", cert.UnhandledCriticalExtensions)
+			}
+
+			// All good!
+			return nil
+		},
+
+		// We never want to resume a connection; do not provide session
+		// cache storage.
+		ClientSessionCache: nil,
+
+		// Do not trust any system trusted certificates; we're going to be
+		// manually validating the chain, so specifying a non-empty pool
+		// here could only cause additional, unnecessary work.
+		RootCAs: x509.NewCertPool(),
+
+		// Do not bother validating the client's chain; we know it should be
+		// self-signed. This also disables hostname verification, but we do
+		// this verification as part of VerifyConnection(...) ourselves.
+		//
+		// Per Go docs, this option is only safe in conjunction with
+		// VerifyConnection which we define above.
+		InsecureSkipVerify: true,
+
+		// RFC 8737 Section 4. acme-tls/1 Protocol Definition:
+		//
+		// > ACME servers that implement "acme-tls/1" MUST only negotiate
+		// > TLS 1.2 [RFC5246] or higher when connecting to clients for
+		// > validation.
+		MinVersion: tls.VersionTLS12,
+
+		// While RFC 8737 does not place restrictions around allowed cipher
+		// suites, we wish to restrict ourselves to secure defaults. Specify
+		// the Intermediate guideline from Mozilla's TLS config generator to
+		// disable obviously weak ciphers.
+		//
+		// See also: https://ssl-config.mozilla.org/#server=go&version=1.14.4&config=intermediate&guideline=5.7
+		CipherSuites: []uint16{
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		},
+	}
+
+	// Build a dialer using our custom DNS resolver, to ensure domains get
+	// resolved according to configuration.
+	dialer, err := buildDialerConfig(config)
+	if err != nil {
+		return false, fmt.Errorf("failed to build dialer: %w", err)
+	}
+
+	// Per RFC 8737 Section 3. TLS with Application-Layer Protocol
+	// Negotiation (TLS ALPN) Challenge:
+	//
+	// > 2. The ACME server resolves the domain name being validated and
+	// >    chooses one of the IP addresses returned for validation (the
+	// >    server MAY validate against multiple addresses if more than
+	// >    one is returned).
+	// > 3. The ACME server initiates a TLS connection to the chosen IP
+	// >    address. This connection MUST use TCP port 443.
+	address := fmt.Sprintf("%v:"+ALPNPort, domain)
+	conn, err := dialer.Dial("tcp", address)
+	if err != nil {
+		return false, fmt.Errorf("tls-alpn-01: failed to dial host: %w", err)
+	}
+
+	// Initiate the connection to the remote peer.
+	client := tls.Client(conn, cfg)
+
+	// We intentionally swallow this error as it isn't useful to the
+	// underlying protocol we perform here. Notably, per RFC 8737
+	// Section 4. acme-tls/1 Protocol Definition:
+	//
+	// > Once the handshake is completed, the client MUST NOT exchange
+	// > any further data with the server and MUST immediately close the
+	// > connection. ... Because of this, an ACME server MAY choose to
+	// > withhold authorization if either the certificate signature is
+	// > invalid or the handshake doesn't fully complete.
+	defer client.Close()
+
+	// We wish to put time bounds on the total time the handshake can
+	// stall for, so build a connection context here.
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+
+	// See note above about why we can allow Handshake to complete
+	// successfully.
+	if err := client.HandshakeContext(ctx); err != nil {
+		return false, fmt.Errorf("tls-alpn-01: failed to perform handshake: %w", err)
+	}
+	return true, nil
+}
diff --git a/changelog/24192.txt b/changelog/24192.txt
new file mode 100644
index 000000000000..f5b152831771
--- /dev/null
+++ b/changelog/24192.txt
@@ -0,0 +1,76 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+@mixin stacked-grid {
+  grid-template-columns: 1fr;
+  grid-row: 1/1;
+}
+@mixin stacked-content {
+  margin-bottom: $spacing-24;
+}
+
+.action-block-width {
+  width: 100%;
+}
+
+.action-block {
+  grid-template-columns: 2fr 1fr;
+  display: grid;
+  padding: $spacing-16 $spacing-24;
+  line-height: inherit;
+  grid-gap: $spacing-16;
+
+  @include until($mobile) {
+    @include stacked-grid();
+  }
+}
+
+.action-block-info {
+  @include until($mobile) {
+    @include stacked-content();
+  }
+}
+
+.action-block.stacked {
+  @include stacked-grid();
+}
+.stacked > .action-block-info {
+  @include stacked-content();
+}
+
+.action-block-title {
+  font-size: $size-5;
+  font-weight: $font-weight-bold;
+}
+.action-block-action {
+  text-align: right;
+  @include until($mobile) {
+    text-align: left;
+  }
+}
+
+/* Action Block Grid */
+.replication-actions-grid-layout {
+  display: flex;
+  flex-wrap: wrap;
+  margin: $spacing-16 0;
+  @include until($mobile) {
+    display: block;
+  }
+}
+
+.replication-actions-grid-item {
+  flex-basis: 50%;
+  padding: $spacing-12;
+  display: flex;
+  width: 100%;
+}
+
+.replication-actions-grid-item .action-block {
+  width: 100%;
+  @include until($mobile) {
+    height: inherit;
+  }
+}
diff --git a/changelog/24193.txt b/changelog/24193.txt
new file mode 100644
index 000000000000..c6a6cbaabd2f
--- /dev/null
+++ b/changelog/24193.txt
@@ -0,0 +1,107 @@
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<form {{action "onSubmit" "secondary-token" "primary" (hash ttl=this.ttl id=this.id) on="submit"}}>
+  <div class="box is-fullwidth is-shadowless is-marginless">
+    <h4 class="title is-5">
+      Generate a secondary token
+    </h4>
+    <p>
+      Generate a token to enable
+      {{this.model.replicationModeForDisplay}}
+      replication or change primaries on secondary cluster.
+    </p>
+  </div>
+  <MessageError @errors={{this.errors}} />
+  <div class="field">
+    <label for="activation-token-id" class="is-label">
+      Secondary ID
+    </label>
+    <div class="control">
+      <Input
+        class="input"
+        name="activation-token-id"
+        id="activation-token-id"
+        @value={{this.id}}
+        data-test-replication-secondary-id
+      />
+    </div>
+    <p class="help has-text-grey">
+      This will be used to identify a secondary cluster once a connection has been established with the primary.
+    </p>
+  </div>
+  <div class="field">
+    <TtlPicker
+      @initialValue="30m"
+      @label="Time to Live (TTL) for generated secondary token"
+      @helperTextDisabled="If not set, the default value (30 minutes) will be used"
+      @helperTextEnabled="After this period, the generated token will no longer be valid."
+      @onChange={{action "updateTtl"}}
+      @changeOnInit={{true}}
+    />
+  </div>
+  {{#if (eq this.replicationMode "performance")}}
+    <PathFilterConfigList @paths={{this.paths}} @config={{this.filterConfig}} @id={{this.id}} />
+  {{/if}}
+  <hr class="has-background-gray-100" />
+  <Hds::ButtonSet>
+    <Hds::Button @text="Generate token" type="submit" data-test-secondary-add />
+    <Hds::Button @text="Cancel" @color="secondary" @route="mode.secondaries" @model={{this.model.replicationMode}} />
+  </Hds::ButtonSet>
+</form>
+
+{{#if this.isModalActive}}
+  <Hds::Modal
+    id="replication-copy-token-modal"
+    @onClose={{action "closeTokenModal"}}
+    @isDismissDisabled={{not this.isTokenCopied}}
+    as |M|
+  >
+    <M.Header>
+      Copy your token
+    </M.Header>
+    <M.Body>
+      <p>
+        This token can be used to enable
+        {{this.model.replicationModeForDisplay}}
+        replication or change primaries on the secondary cluster.
+      </p>
+      <div class="box is-shadowless is-fullwidth is-sideless">
+        <h2 class="title is-6">Activation token</h2>
+        <div class="copy-text level">
+          <div class="is-fullwidth">
+            <textarea readonly value={{this.token}} id="token-textarea" class="textarea level-left"></textarea>
+          </div>
+        </div>
+        <div class="has-top-margin-xl has-bottom-margin-s">
+          <InfoTableRow @label="TTL" @value={{this.ttl}} />
+          <InfoTableRow @label="Expires" @value={{date-format this.expirationDate "MMM dd, yyyy hh:mm:ss a"}} />
+        </div>
+      </div>
+    </M.Body>
+    <M.Footer>
+      <Hds::ButtonSet>
+        <Hds::Copy::Button
+          data-test-modal-copy
+          @text="Copy token"
+          @textToCopy={{this.token}}
+          class="primary"
+          @container=".hds-modal"
+          {{on "click" (action "onCopy")}}
+        />
+        <Hds::Button
+          data-test-modal-close
+          disabled={{not this.isTokenCopied}}
+          @text="Close"
+          @color="secondary"
+          {{on "click" (action "closeTokenModal")}}
+        />
+        {{#unless this.isTokenCopied}}
+          <AlertInline @type="warning" @message="Copy token to dismiss modal" />
+        {{/unless}}
+      </Hds::ButtonSet>
+    </M.Footer>
+  </Hds::Modal>
+{{/if}}
\ No newline at end of file
diff --git a/changelog/24201.txt b/changelog/24201.txt
new file mode 100644
index 000000000000..a3d46a32edc9
--- /dev/null
+++ b/changelog/24201.txt
@@ -0,0 +1,1265 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"context"
+	"crypto/tls"
+	"errors"
+	"flag"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"os"
+	"sort"
+	"strings"
+	"sync"
+	"time"
+
+	systemd "github.com/coreos/go-systemd/daemon"
+	"github.com/hashicorp/cli"
+	ctconfig "github.com/hashicorp/consul-template/config"
+	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/go-secure-stdlib/gatedwriter"
+	"github.com/hashicorp/go-secure-stdlib/parseutil"
+	"github.com/hashicorp/go-secure-stdlib/reloadutil"
+	"github.com/hashicorp/vault/api"
+	agentConfig "github.com/hashicorp/vault/command/agent/config"
+	"github.com/hashicorp/vault/command/agent/exec"
+	"github.com/hashicorp/vault/command/agent/template"
+	"github.com/hashicorp/vault/command/agentproxyshared"
+	"github.com/hashicorp/vault/command/agentproxyshared/auth"
+	"github.com/hashicorp/vault/command/agentproxyshared/cache"
+	"github.com/hashicorp/vault/command/agentproxyshared/sink"
+	"github.com/hashicorp/vault/command/agentproxyshared/sink/file"
+	"github.com/hashicorp/vault/command/agentproxyshared/sink/inmem"
+	"github.com/hashicorp/vault/command/agentproxyshared/winsvc"
+	"github.com/hashicorp/vault/helper/logging"
+	"github.com/hashicorp/vault/helper/metricsutil"
+	"github.com/hashicorp/vault/helper/useragent"
+	"github.com/hashicorp/vault/internalshared/configutil"
+	"github.com/hashicorp/vault/internalshared/listenerutil"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/version"
+	"github.com/kr/pretty"
+	"github.com/oklog/run"
+	"github.com/posener/complete"
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
+	"google.golang.org/grpc/test/bufconn"
+)
+
+var (
+	_ cli.Command             = (*AgentCommand)(nil)
+	_ cli.CommandAutocomplete = (*AgentCommand)(nil)
+)
+
+const (
+	// flagNameAgentExitAfterAuth is used as an Agent specific flag to indicate
+	// that agent should exit after a single successful auth
+	flagNameAgentExitAfterAuth = "exit-after-auth"
+	nameAgent                  = "agent"
+)
+
+type AgentCommand struct {
+	*BaseCommand
+	logFlags logFlags
+
+	config *agentConfig.Config
+
+	ShutdownCh chan struct{}
+	SighupCh   chan struct{}
+
+	tlsReloadFuncsLock sync.RWMutex
+	tlsReloadFuncs     []reloadutil.ReloadFunc
+
+	logWriter io.Writer
+	logGate   *gatedwriter.Writer
+	logger    hclog.Logger
+
+	// Telemetry object
+	metricsHelper *metricsutil.MetricsHelper
+
+	cleanupGuard sync.Once
+
+	startedCh  chan struct{} // for tests
+	reloadedCh chan struct{} // for tests
+
+	flagConfigs        []string
+	flagExitAfterAuth  bool
+	flagTestVerifyOnly bool
+}
+
+func (c *AgentCommand) Synopsis() string {
+	return "Start a Vault agent"
+}
+
+func (c *AgentCommand) Help() string {
+	helpText := `
+Usage: vault agent [options]
+
+  This command starts a Vault Agent that can perform automatic authentication
+  in certain environments.
+
+  Start an agent with a configuration file:
+
+      $ vault agent -config=/etc/vault/config.hcl
+
+  For a full list of examples, please see the documentation.
+
+` + c.Flags().Help()
+	return strings.TrimSpace(helpText)
+}
+
+func (c *AgentCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP)
+
+	f := set.NewFlagSet("Command Options")
+
+	// Augment with the log flags
+	f.addLogFlags(&c.logFlags)
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   "config",
+		Target: &c.flagConfigs,
+		Completion: complete.PredictOr(
+			complete.PredictFiles("*.hcl"),
+			complete.PredictFiles("*.json"),
+		),
+		Usage: "Path to a configuration file. This configuration file should " +
+			"contain only agent directives.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    flagNameAgentExitAfterAuth,
+		Target:  &c.flagExitAfterAuth,
+		Default: false,
+		Usage: "If set to true, the agent will exit with code 0 after a single " +
+			"successful auth, where success means that a token was retrieved and " +
+			"all sinks successfully wrote it",
+	})
+
+	// Internal-only flags to follow.
+	//
+	// Why hello there little source code reader! Welcome to the Vault source
+	// code. The remaining options are intentionally undocumented and come with
+	// no warranty or backwards-compatibility promise. Do not use these flags
+	// in production. Do not build automation using these flags. Unless you are
+	// developing against Vault, you should not need any of these flags.
+	f.BoolVar(&BoolVar{
+		Name:    "test-verify-only",
+		Target:  &c.flagTestVerifyOnly,
+		Default: false,
+		Hidden:  true,
+	})
+
+	// End internal-only flags.
+
+	return set
+}
+
+func (c *AgentCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictNothing
+}
+
+func (c *AgentCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *AgentCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	// Create a logger. We wrap it in a gated writer so that it doesn't
+	// start logging too early.
+	c.logGate = gatedwriter.NewWriter(os.Stderr)
+	c.logWriter = c.logGate
+
+	if c.logFlags.flagCombineLogs {
+		c.logWriter = os.Stdout
+	}
+
+	// Validation
+	if len(c.flagConfigs) < 1 {
+		c.UI.Error("Must specify exactly at least one config path using -config")
+		return 1
+	}
+
+	config, err := c.loadConfig(c.flagConfigs)
+	if err != nil {
+		c.outputErrors(err)
+		return 1
+	}
+
+	if config.AutoAuth == nil {
+		c.UI.Info("No auto_auth block found in config, the automatic authentication feature will not be started")
+	}
+
+	c.applyConfigOverrides(f, config) // This only needs to happen on start-up to aggregate config from flags and env vars
+	c.config = config
+
+	l, err := c.newLogger()
+	if err != nil {
+		c.outputErrors(err)
+		return 1
+	}
+
+	// Update the logger and then base the log writer on that logger.
+	// Log writer is supplied to consul-template runners for templates and execs.
+	// We want to ensure that consul-template will honor the settings, for example
+	// if the -log-format is JSON we want JSON, not a mix of JSON and non-JSON messages.
+	c.logger = l
+	c.logWriter = l.StandardWriter(&hclog.StandardLoggerOptions{
+		InferLevels:              true,
+		InferLevelsWithTimestamp: true,
+	})
+
+	infoKeys := make([]string, 0, 10)
+	info := make(map[string]string)
+	info["log level"] = config.LogLevel
+	infoKeys = append(infoKeys, "log level")
+
+	infoKeys = append(infoKeys, "version")
+	verInfo := version.GetVersion()
+	info["version"] = verInfo.FullVersionNumber(false)
+	if verInfo.Revision != "" {
+		info["version sha"] = strings.Trim(verInfo.Revision, "'")
+		infoKeys = append(infoKeys, "version sha")
+	}
+	infoKeys = append(infoKeys, "cgo")
+	info["cgo"] = "disabled"
+	if version.CgoEnabled {
+		info["cgo"] = "enabled"
+	}
+
+	// Tests might not want to start a vault server and just want to verify
+	// the configuration.
+	if c.flagTestVerifyOnly {
+		if os.Getenv("VAULT_TEST_VERIFY_ONLY_DUMP_CONFIG") != "" {
+			c.UI.Output(fmt.Sprintf(
+				"\nConfiguration:\n%s\n",
+				pretty.Sprint(*c.config)))
+		}
+		return 0
+	}
+
+	// Ignore any setting of Agent's address. This client is used by the Agent
+	// to reach out to Vault. This should never loop back to agent.
+	c.flagAgentProxyAddress = ""
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(fmt.Sprintf(
+			"Error fetching client: %v",
+			err))
+		return 1
+	}
+
+	serverHealth, err := client.Sys().Health()
+	if err == nil {
+		// We don't exit on error here, as this is not worth stopping Agent over
+		serverVersion := serverHealth.Version
+		agentVersion := version.GetVersion().VersionNumber()
+		if serverVersion != agentVersion {
+			c.UI.Info("==> Note: Vault Agent version does not match Vault server version. " +
+				fmt.Sprintf("Vault Agent version: %s, Vault server version: %s", agentVersion, serverVersion))
+		}
+	}
+
+	if config.IsDefaultListerDefined() {
+		// Notably, we cannot know for sure if they are using the API proxy functionality unless
+		// we log on each API proxy call, which would be too noisy.
+		// A customer could have a listener defined but only be using e.g. the cache-clear API,
+		// even though the API proxy is something they have available.
+		c.UI.Warn("==> Note: Vault Agent will be deprecating API proxy functionality in a future " +
+			"release, and this functionality has moved to a new subcommand, vault proxy. If you rely on this " +
+			"functionality, plan to move to Vault Proxy instead.")
+	}
+
+	// ctx and cancelFunc are passed to the AuthHandler, SinkServer, ExecServer and
+	// TemplateServer that periodically listen for ctx.Done() to fire and shut
+	// down accordingly.
+	ctx, cancelFunc := context.WithCancel(context.Background())
+	defer cancelFunc()
+
+	// telemetry configuration
+	inmemMetrics, _, prometheusEnabled, err := configutil.SetupTelemetry(&configutil.SetupTelemetryOpts{
+		Config:      config.Telemetry,
+		Ui:          c.UI,
+		ServiceName: "vault",
+		DisplayName: "Vault",
+		UserAgent:   useragent.AgentString(),
+		ClusterName: config.ClusterName,
+	})
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error initializing telemetry: %s", err))
+		return 1
+	}
+	c.metricsHelper = metricsutil.NewMetricsHelper(inmemMetrics, prometheusEnabled)
+
+	var method auth.AuthMethod
+	var sinks []*sink.SinkConfig
+	var templateNamespace string
+	if config.AutoAuth != nil {
+		if client.Headers().Get(consts.NamespaceHeaderName) == "" && config.AutoAuth.Method.Namespace != "" {
+			client.SetNamespace(config.AutoAuth.Method.Namespace)
+		}
+		templateNamespace = client.Headers().Get(consts.NamespaceHeaderName)
+
+		sinkClient, err := client.CloneWithHeaders()
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error cloning client for file sink: %v", err))
+			return 1
+		}
+
+		if config.DisableIdleConnsAutoAuth {
+			sinkClient.SetMaxIdleConnections(-1)
+		}
+
+		if config.DisableKeepAlivesAutoAuth {
+			sinkClient.SetDisableKeepAlives(true)
+		}
+
+		for _, sc := range config.AutoAuth.Sinks {
+			switch sc.Type {
+			case "file":
+				config := &sink.SinkConfig{
+					Logger:    c.logger.Named("sink.file"),
+					Config:    sc.Config,
+					Client:    sinkClient,
+					WrapTTL:   sc.WrapTTL,
+					DHType:    sc.DHType,
+					DeriveKey: sc.DeriveKey,
+					DHPath:    sc.DHPath,
+					AAD:       sc.AAD,
+				}
+				s, err := file.NewFileSink(config)
+				if err != nil {
+					c.UI.Error(fmt.Errorf("error creating file sink: %w", err).Error())
+					return 1
+				}
+				config.Sink = s
+				sinks = append(sinks, config)
+			default:
+				c.UI.Error(fmt.Sprintf("Unknown sink type %q", sc.Type))
+				return 1
+			}
+		}
+
+		authConfig := &auth.AuthConfig{
+			Logger:    c.logger.Named(fmt.Sprintf("auth.%s", config.AutoAuth.Method.Type)),
+			MountPath: config.AutoAuth.Method.MountPath,
+			Config:    config.AutoAuth.Method.Config,
+		}
+		method, err = agentproxyshared.GetAutoAuthMethodFromConfig(config.AutoAuth.Method.Type, authConfig, config.Vault.Address)
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error creating %s auth method: %v", config.AutoAuth.Method.Type, err))
+			return 1
+		}
+	}
+
+	// We do this after auto-auth has been configured, because we don't want to
+	// confuse the issue of retries for auth failures which have their own
+	// config and are handled a bit differently.
+	if os.Getenv(api.EnvVaultMaxRetries) == "" {
+		client.SetMaxRetries(ctconfig.DefaultRetryAttempts)
+		if config.Vault != nil {
+			if config.Vault.Retry != nil {
+				client.SetMaxRetries(config.Vault.Retry.NumRetries)
+			}
+		}
+	}
+
+	enforceConsistency := cache.EnforceConsistencyNever
+	whenInconsistent := cache.WhenInconsistentFail
+	if config.APIProxy != nil {
+		switch config.APIProxy.EnforceConsistency {
+		case "always":
+			enforceConsistency = cache.EnforceConsistencyAlways
+		case "never", "":
+		default:
+			c.UI.Error(fmt.Sprintf("Unknown api_proxy setting for enforce_consistency: %q", config.APIProxy.EnforceConsistency))
+			return 1
+		}
+
+		switch config.APIProxy.WhenInconsistent {
+		case "retry":
+			whenInconsistent = cache.WhenInconsistentRetry
+		case "forward":
+			whenInconsistent = cache.WhenInconsistentForward
+		case "fail", "":
+		default:
+			c.UI.Error(fmt.Sprintf("Unknown api_proxy setting for when_inconsistent: %q", config.APIProxy.WhenInconsistent))
+			return 1
+		}
+	}
+	// Keep Cache configuration for legacy reasons, but error if defined alongside API Proxy
+	if config.Cache != nil {
+		switch config.Cache.EnforceConsistency {
+		case "always":
+			if enforceConsistency != cache.EnforceConsistencyNever {
+				c.UI.Error("enforce_consistency configured in both api_proxy and cache blocks. Please remove this configuration from the cache block.")
+				return 1
+			} else {
+				enforceConsistency = cache.EnforceConsistencyAlways
+			}
+		case "never", "":
+		default:
+			c.UI.Error(fmt.Sprintf("Unknown cache setting for enforce_consistency: %q", config.Cache.EnforceConsistency))
+			return 1
+		}
+
+		switch config.Cache.WhenInconsistent {
+		case "retry":
+			if whenInconsistent != cache.WhenInconsistentFail {
+				c.UI.Error("when_inconsistent configured in both api_proxy and cache blocks. Please remove this configuration from the cache block.")
+				return 1
+			} else {
+				whenInconsistent = cache.WhenInconsistentRetry
+			}
+		case "forward":
+			if whenInconsistent != cache.WhenInconsistentFail {
+				c.UI.Error("when_inconsistent configured in both api_proxy and cache blocks. Please remove this configuration from the cache block.")
+				return 1
+			} else {
+				whenInconsistent = cache.WhenInconsistentForward
+			}
+		case "fail", "":
+		default:
+			c.UI.Error(fmt.Sprintf("Unknown cache setting for when_inconsistent: %q", config.Cache.WhenInconsistent))
+			return 1
+		}
+	}
+
+	// Warn if cache _and_ cert auto-auth is enabled but certificates were not
+	// provided in the auto_auth.method["cert"].config stanza.
+	if config.Cache != nil && (config.AutoAuth != nil && config.AutoAuth.Method != nil && config.AutoAuth.Method.Type == "cert") {
+		_, okCertFile := config.AutoAuth.Method.Config["client_cert"]
+		_, okCertKey := config.AutoAuth.Method.Config["client_key"]
+
+		// If neither of these exists in the cert stanza, agent will use the
+		// certs from the vault stanza.
+		if !okCertFile && !okCertKey {
+			c.UI.Warn(wrapAtLength("WARNING! Cache is enabled and using the same certificates " +
+				"from the 'cert' auto-auth method specified in the 'vault' stanza. Consider " +
+				"specifying certificate information in the 'cert' auto-auth's config stanza."))
+		}
+
+	}
+
+	// Output the header that the agent has started
+	if !c.logFlags.flagCombineLogs {
+		c.UI.Output("==> Vault Agent started! Log data will stream in below:\n")
+	}
+
+	var leaseCache *cache.LeaseCache
+	var previousToken string
+
+	proxyClient, err := client.CloneWithHeaders()
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error cloning client for proxying: %v", err))
+		return 1
+	}
+
+	if config.DisableIdleConnsAPIProxy {
+		proxyClient.SetMaxIdleConnections(-1)
+	}
+
+	if config.DisableKeepAlivesAPIProxy {
+		proxyClient.SetDisableKeepAlives(true)
+	}
+
+	apiProxyLogger := c.logger.Named("apiproxy")
+
+	// The API proxy to be used, if listeners are configured
+	apiProxy, err := cache.NewAPIProxy(&cache.APIProxyConfig{
+		Client:                  proxyClient,
+		Logger:                  apiProxyLogger,
+		EnforceConsistency:      enforceConsistency,
+		WhenInconsistentAction:  whenInconsistent,
+		UserAgentStringFunction: useragent.AgentProxyStringWithProxiedUserAgent,
+		UserAgentString:         useragent.AgentProxyString(),
+	})
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error creating API proxy: %v", err))
+		return 1
+	}
+
+	// Parse agent cache configurations
+	if config.Cache != nil {
+		cacheLogger := c.logger.Named("cache")
+
+		// Create the lease cache proxier and set its underlying proxier to
+		// the API proxier.
+		leaseCache, err = cache.NewLeaseCache(&cache.LeaseCacheConfig{
+			Client:              proxyClient,
+			BaseContext:         ctx,
+			Proxier:             apiProxy,
+			Logger:              cacheLogger.Named("leasecache"),
+			CacheDynamicSecrets: true,
+			UserAgentToUse:      useragent.ProxyAPIProxyString(),
+		})
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error creating lease cache: %v", err))
+			return 1
+		}
+
+		// Configure persistent storage and add to LeaseCache
+		if config.Cache.Persist != nil {
+			deferFunc, oldToken, err := agentproxyshared.AddPersistentStorageToLeaseCache(ctx, leaseCache, config.Cache.Persist, cacheLogger)
+			if err != nil {
+				c.UI.Error(fmt.Sprintf("Error creating persistent cache: %v", err))
+				return 1
+			}
+			previousToken = oldToken
+			if deferFunc != nil {
+				defer deferFunc()
+			}
+		}
+	}
+
+	var listeners []net.Listener
+
+	// If there are templates, add an in-process listener
+	if len(config.Templates) > 0 || len(config.EnvTemplates) > 0 {
+		config.Listeners = append(config.Listeners, &configutil.Listener{Type: listenerutil.BufConnType})
+	}
+
+	// Ensure we've added all the reload funcs for TLS before anyone triggers a reload.
+	c.tlsReloadFuncsLock.Lock()
+
+	for i, lnConfig := range config.Listeners {
+		var ln net.Listener
+		var tlsCfg *tls.Config
+
+		if lnConfig.Type == listenerutil.BufConnType {
+			inProcListener := bufconn.Listen(1024 * 1024)
+			if config.Cache != nil {
+				config.Cache.InProcDialer = listenerutil.NewBufConnWrapper(inProcListener)
+			}
+			ln = inProcListener
+		} else {
+			lnBundle, err := cache.StartListener(lnConfig)
+			if err != nil {
+				c.UI.Error(fmt.Sprintf("Error starting listener: %v", err))
+				return 1
+			}
+
+			tlsCfg = lnBundle.TLSConfig
+			ln = lnBundle.Listener
+
+			// Track the reload func, so we can reload later if needed.
+			c.tlsReloadFuncs = append(c.tlsReloadFuncs, lnBundle.TLSReloadFunc)
+		}
+
+		listeners = append(listeners, ln)
+
+		proxyVaultToken := true
+		var inmemSink sink.Sink
+		if config.APIProxy != nil {
+			if config.APIProxy.UseAutoAuthToken {
+				apiProxyLogger.Debug("auto-auth token is allowed to be used; configuring inmem sink")
+				inmemSink, err = inmem.New(&sink.SinkConfig{
+					Logger: apiProxyLogger,
+				}, leaseCache)
+				if err != nil {
+					c.UI.Error(fmt.Sprintf("Error creating inmem sink for cache: %v", err))
+					return 1
+				}
+				sinks = append(sinks, &sink.SinkConfig{
+					Logger: apiProxyLogger,
+					Sink:   inmemSink,
+				})
+			}
+			proxyVaultToken = !config.APIProxy.ForceAutoAuthToken
+		}
+
+		var muxHandler http.Handler
+		if leaseCache != nil {
+			muxHandler = cache.ProxyHandler(ctx, apiProxyLogger, leaseCache, inmemSink, proxyVaultToken)
+		} else {
+			muxHandler = cache.ProxyHandler(ctx, apiProxyLogger, apiProxy, inmemSink, proxyVaultToken)
+		}
+
+		// Parse 'require_request_header' listener config option, and wrap
+		// the request handler if necessary
+		if lnConfig.RequireRequestHeader && ("metrics_only" != lnConfig.Role) {
+			muxHandler = verifyRequestHeader(muxHandler)
+		}
+
+		// Create a muxer and add paths relevant for the lease cache layer
+		mux := http.NewServeMux()
+		quitEnabled := lnConfig.AgentAPI != nil && lnConfig.AgentAPI.EnableQuit
+
+		mux.Handle(consts.AgentPathMetrics, c.handleMetrics())
+		if "metrics_only" != lnConfig.Role {
+			mux.Handle(consts.AgentPathCacheClear, leaseCache.HandleCacheClear(ctx))
+			mux.Handle(consts.AgentPathQuit, c.handleQuit(quitEnabled))
+			mux.Handle("/", muxHandler)
+		}
+
+		scheme := "https://"
+		if tlsCfg == nil {
+			scheme = "http://"
+		}
+		if ln.Addr().Network() == "unix" {
+			scheme = "unix://"
+		}
+
+		infoKey := fmt.Sprintf("api address %d", i+1)
+		info[infoKey] = scheme + ln.Addr().String()
+		infoKeys = append(infoKeys, infoKey)
+
+		server := &http.Server{
+			Addr:              ln.Addr().String(),
+			TLSConfig:         tlsCfg,
+			Handler:           mux,
+			ReadHeaderTimeout: 10 * time.Second,
+			ReadTimeout:       30 * time.Second,
+			IdleTimeout:       5 * time.Minute,
+			ErrorLog:          apiProxyLogger.StandardLogger(nil),
+		}
+
+		go server.Serve(ln)
+	}
+
+	c.tlsReloadFuncsLock.Unlock()
+
+	// Ensure that listeners are closed at all the exits
+	listenerCloseFunc := func() {
+		for _, ln := range listeners {
+			ln.Close()
+		}
+	}
+	defer c.cleanupGuard.Do(listenerCloseFunc)
+
+	// Inform any tests that the server is ready
+	if c.startedCh != nil {
+		close(c.startedCh)
+	}
+
+	var g run.Group
+
+	g.Add(func() error {
+		for {
+			select {
+			case <-c.SighupCh:
+				c.UI.Output("==> Vault Agent config reload triggered")
+				err := c.reloadConfig(c.flagConfigs)
+				if err != nil {
+					c.outputErrors(err)
+				}
+				// Send the 'reloaded' message on the relevant channel
+				select {
+				case c.reloadedCh <- struct{}{}:
+				default:
+				}
+			case <-ctx.Done():
+				return nil
+			}
+		}
+	}, func(error) {
+		cancelFunc()
+	})
+
+	// This run group watches for signal termination
+	g.Add(func() error {
+		for {
+			select {
+			case <-c.ShutdownCh:
+				c.UI.Output("==> Vault Agent shutdown triggered")
+				// Notify systemd that the server is shutting down
+				// Let the lease cache know this is a shutdown; no need to evict everything
+				if leaseCache != nil {
+					leaseCache.SetShuttingDown(true)
+				}
+				return nil
+			case <-ctx.Done():
+				return nil
+			case <-winsvc.ShutdownChannel():
+				return nil
+			}
+		}
+	}, func(error) {})
+
+	// Start auto-auth and sink servers
+	if method != nil {
+		enableTemplateTokenCh := len(config.Templates) > 0
+		enableEnvTemplateTokenCh := len(config.EnvTemplates) > 0
+
+		// Auth Handler is going to set its own retry values, so we want to
+		// work on a copy of the client to not affect other subsystems.
+		ahClient, err := c.client.CloneWithHeaders()
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error cloning client for auth handler: %v", err))
+			return 1
+		}
+
+		if config.DisableIdleConnsAutoAuth {
+			ahClient.SetMaxIdleConnections(-1)
+		}
+
+		if config.DisableKeepAlivesAutoAuth {
+			ahClient.SetDisableKeepAlives(true)
+		}
+
+		ah := auth.NewAuthHandler(&auth.AuthHandlerConfig{
+			Logger:                       c.logger.Named("auth.handler"),
+			Client:                       ahClient,
+			WrapTTL:                      config.AutoAuth.Method.WrapTTL,
+			MinBackoff:                   config.AutoAuth.Method.MinBackoff,
+			MaxBackoff:                   config.AutoAuth.Method.MaxBackoff,
+			EnableReauthOnNewCredentials: config.AutoAuth.EnableReauthOnNewCredentials,
+			EnableTemplateTokenCh:        enableTemplateTokenCh,
+			EnableExecTokenCh:            enableEnvTemplateTokenCh,
+			Token:                        previousToken,
+			ExitOnError:                  config.AutoAuth.Method.ExitOnError,
+			UserAgent:                    useragent.AgentAutoAuthString(),
+			MetricsSignifier:             "agent",
+		})
+
+		ss := sink.NewSinkServer(&sink.SinkServerConfig{
+			Logger:        c.logger.Named("sink.server"),
+			Client:        ahClient,
+			ExitAfterAuth: config.ExitAfterAuth,
+		})
+
+		ts := template.NewServer(&template.ServerConfig{
+			Logger:        c.logger.Named("template.server"),
+			LogLevel:      c.logger.GetLevel(),
+			LogWriter:     c.logWriter,
+			AgentConfig:   c.config,
+			Namespace:     templateNamespace,
+			ExitAfterAuth: config.ExitAfterAuth,
+		})
+
+		es, err := exec.NewServer(&exec.ServerConfig{
+			AgentConfig: c.config,
+			Namespace:   templateNamespace,
+			Logger:      c.logger.Named("exec.server"),
+			LogLevel:    c.logger.GetLevel(),
+			LogWriter:   c.logWriter,
+		})
+		if err != nil {
+			c.logger.Error("could not create exec server", "error", err)
+			return 1
+		}
+
+		g.Add(func() error {
+			return ah.Run(ctx, method)
+		}, func(error) {
+			// Let the lease cache know this is a shutdown; no need to evict
+			// everything
+			if leaseCache != nil {
+				leaseCache.SetShuttingDown(true)
+			}
+			cancelFunc()
+		})
+
+		g.Add(func() error {
+			err := ss.Run(ctx, ah.OutputCh, sinks)
+			c.logger.Info("sinks finished, exiting")
+
+			// Start goroutine to drain from ah.OutputCh from this point onward
+			// to prevent ah.Run from being blocked.
+			go func() {
+				for {
+					select {
+					case <-ctx.Done():
+						return
+					case <-ah.OutputCh:
+					}
+				}
+			}()
+
+			// Wait until templates are rendered
+			if len(config.Templates) > 0 {
+				<-ts.DoneCh
+			}
+
+			return err
+		}, func(error) {
+			// Let the lease cache know this is a shutdown; no need to evict
+			// everything
+			if leaseCache != nil {
+				leaseCache.SetShuttingDown(true)
+			}
+			cancelFunc()
+		})
+
+		g.Add(func() error {
+			return ts.Run(ctx, ah.TemplateTokenCh, config.Templates)
+		}, func(error) {
+			// Let the lease cache know this is a shutdown; no need to evict
+			// everything
+			if leaseCache != nil {
+				leaseCache.SetShuttingDown(true)
+			}
+			cancelFunc()
+			ts.Stop()
+		})
+
+		g.Add(func() error {
+			return es.Run(ctx, ah.ExecTokenCh)
+		}, func(err error) {
+			// Let the lease cache know this is a shutdown; no need to evict
+			// everything
+			if leaseCache != nil {
+				leaseCache.SetShuttingDown(true)
+			}
+			cancelFunc()
+			es.Close()
+		})
+
+	}
+
+	// Server configuration output
+	padding := 24
+	sort.Strings(infoKeys)
+	caser := cases.Title(language.English)
+	c.UI.Output("==> Vault Agent configuration:\n")
+	for _, k := range infoKeys {
+		c.UI.Output(fmt.Sprintf(
+			"%s%s: %s",
+			strings.Repeat(" ", padding-len(k)),
+			caser.String(k),
+			info[k]))
+	}
+	c.UI.Output("")
+
+	// Release the log gate.
+	c.logGate.Flush()
+
+	// Write out the PID to the file now that server has successfully started
+	if err := c.storePidFile(config.PidFile); err != nil {
+		c.UI.Error(fmt.Sprintf("Error storing PID: %s", err))
+		return 1
+	}
+
+	// Notify systemd that the server is ready (if applicable)
+	c.notifySystemd(systemd.SdNotifyReady)
+
+	defer func() {
+		if err := c.removePidFile(config.PidFile); err != nil {
+			c.UI.Error(fmt.Sprintf("Error deleting the PID file: %s", err))
+		}
+	}()
+
+	var exitCode int
+	if err := g.Run(); err != nil {
+		var processExitError *exec.ProcessExitError
+		if errors.As(err, &processExitError) {
+			exitCode = processExitError.ExitCode
+		} else {
+			exitCode = 1
+		}
+
+		if exitCode != 0 {
+			c.logger.Error("runtime error encountered", "error", err, "exitCode", exitCode)
+			c.UI.Error("Error encountered during run, refer to logs for more details.")
+		}
+	}
+
+	c.notifySystemd(systemd.SdNotifyStopping)
+
+	return exitCode
+}
+
+// applyConfigOverrides ensures that the config object accurately reflects the desired
+// settings as configured by the user. It applies the relevant config setting based
+// on the precedence (env var overrides file config, cli overrides env var).
+// It mutates the config object supplied.
+func (c *AgentCommand) applyConfigOverrides(f *FlagSets, config *agentConfig.Config) {
+	if config.Vault == nil {
+		config.Vault = &agentConfig.Vault{}
+	}
+
+	f.applyLogConfigOverrides(config.SharedConfig)
+
+	f.Visit(func(fl *flag.Flag) {
+		if fl.Name == flagNameAgentExitAfterAuth {
+			config.ExitAfterAuth = c.flagExitAfterAuth
+		}
+	})
+
+	c.setStringFlag(f, config.Vault.Address, &StringVar{
+		Name:    flagNameAddress,
+		Target:  &c.flagAddress,
+		Default: "https://127.0.0.1:8200",
+		EnvVar:  api.EnvVaultAddress,
+	})
+	config.Vault.Address = c.flagAddress
+	c.setStringFlag(f, config.Vault.CACert, &StringVar{
+		Name:    flagNameCACert,
+		Target:  &c.flagCACert,
+		Default: "",
+		EnvVar:  api.EnvVaultCACert,
+	})
+	config.Vault.CACert = c.flagCACert
+	c.setStringFlag(f, config.Vault.CAPath, &StringVar{
+		Name:    flagNameCAPath,
+		Target:  &c.flagCAPath,
+		Default: "",
+		EnvVar:  api.EnvVaultCAPath,
+	})
+	config.Vault.CAPath = c.flagCAPath
+	c.setStringFlag(f, config.Vault.ClientCert, &StringVar{
+		Name:    flagNameClientCert,
+		Target:  &c.flagClientCert,
+		Default: "",
+		EnvVar:  api.EnvVaultClientCert,
+	})
+	config.Vault.ClientCert = c.flagClientCert
+	c.setStringFlag(f, config.Vault.ClientKey, &StringVar{
+		Name:    flagNameClientKey,
+		Target:  &c.flagClientKey,
+		Default: "",
+		EnvVar:  api.EnvVaultClientKey,
+	})
+	config.Vault.ClientKey = c.flagClientKey
+	c.setBoolFlag(f, config.Vault.TLSSkipVerify, &BoolVar{
+		Name:    flagNameTLSSkipVerify,
+		Target:  &c.flagTLSSkipVerify,
+		Default: false,
+		EnvVar:  api.EnvVaultSkipVerify,
+	})
+	config.Vault.TLSSkipVerify = c.flagTLSSkipVerify
+	c.setStringFlag(f, config.Vault.TLSServerName, &StringVar{
+		Name:    flagTLSServerName,
+		Target:  &c.flagTLSServerName,
+		Default: "",
+		EnvVar:  api.EnvVaultTLSServerName,
+	})
+	config.Vault.TLSServerName = c.flagTLSServerName
+}
+
+// verifyRequestHeader wraps an http.Handler inside a Handler that checks for
+// the request header that is used for SSRF protection.
+func verifyRequestHeader(handler http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if val, ok := r.Header[consts.RequestHeaderName]; !ok || len(val) != 1 || val[0] != "true" {
+			logical.RespondError(w,
+				http.StatusPreconditionFailed,
+				fmt.Errorf("missing %q header", consts.RequestHeaderName))
+			return
+		}
+
+		handler.ServeHTTP(w, r)
+	})
+}
+
+func (c *AgentCommand) notifySystemd(status string) {
+	sent, err := systemd.SdNotify(false, status)
+	if err != nil {
+		c.logger.Error("error notifying systemd", "error", err)
+	} else {
+		if sent {
+			c.logger.Debug("sent systemd notification", "notification", status)
+		} else {
+			c.logger.Debug("would have sent systemd notification (systemd not present)", "notification", status)
+		}
+	}
+}
+
+func (c *AgentCommand) setStringFlag(f *FlagSets, configVal string, fVar *StringVar) {
+	var isFlagSet bool
+	f.Visit(func(f *flag.Flag) {
+		if f.Name == fVar.Name {
+			isFlagSet = true
+		}
+	})
+
+	flagEnvValue, flagEnvSet := os.LookupEnv(fVar.EnvVar)
+	switch {
+	case isFlagSet:
+		// Don't do anything as the flag is already set from the command line
+	case flagEnvSet:
+		// Use value from env var
+		*fVar.Target = flagEnvValue
+	case configVal != "":
+		// Use value from config
+		*fVar.Target = configVal
+	default:
+		// Use the default value
+		*fVar.Target = fVar.Default
+	}
+}
+
+func (c *AgentCommand) setBoolFlag(f *FlagSets, configVal bool, fVar *BoolVar) {
+	var isFlagSet bool
+	f.Visit(func(f *flag.Flag) {
+		if f.Name == fVar.Name {
+			isFlagSet = true
+		}
+	})
+
+	flagEnvValue, flagEnvSet := os.LookupEnv(fVar.EnvVar)
+	switch {
+	case isFlagSet:
+		// Don't do anything as the flag is already set from the command line
+	case flagEnvSet:
+		// Use value from env var
+		*fVar.Target = flagEnvValue != ""
+	case configVal:
+		// Use value from config
+		*fVar.Target = configVal
+	default:
+		// Use the default value
+		*fVar.Target = fVar.Default
+	}
+}
+
+// storePidFile is used to write out our PID to a file if necessary
+func (c *AgentCommand) storePidFile(pidPath string) error {
+	// Quit fast if no pidfile
+	if pidPath == "" {
+		return nil
+	}
+
+	// Open the PID file
+	pidFile, err := os.OpenFile(pidPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600)
+	if err != nil {
+		return fmt.Errorf("could not open pid file: %w", err)
+	}
+	defer pidFile.Close()
+
+	// Write out the PID
+	pid := os.Getpid()
+	_, err = pidFile.WriteString(fmt.Sprintf("%d", pid))
+	if err != nil {
+		return fmt.Errorf("could not write to pid file: %w", err)
+	}
+	return nil
+}
+
+// removePidFile is used to cleanup the PID file if necessary
+func (c *AgentCommand) removePidFile(pidPath string) error {
+	if pidPath == "" {
+		return nil
+	}
+	return os.Remove(pidPath)
+}
+
+func (c *AgentCommand) handleMetrics() http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodGet {
+			logical.RespondError(w, http.StatusMethodNotAllowed, nil)
+			return
+		}
+
+		if err := r.ParseForm(); err != nil {
+			logical.RespondError(w, http.StatusBadRequest, err)
+			return
+		}
+
+		format := r.Form.Get("format")
+		if format == "" {
+			format = metricsutil.FormatFromRequest(&logical.Request{
+				Headers: r.Header,
+			})
+		}
+
+		resp := c.metricsHelper.ResponseForFormat(format)
+
+		status := resp.Data[logical.HTTPStatusCode].(int)
+		w.Header().Set("Content-Type", resp.Data[logical.HTTPContentType].(string))
+		switch v := resp.Data[logical.HTTPRawBody].(type) {
+		case string:
+			w.WriteHeader(status)
+			w.Write([]byte(v))
+		case []byte:
+			w.WriteHeader(status)
+			w.Write(v)
+		default:
+			logical.RespondError(w, http.StatusInternalServerError, fmt.Errorf("wrong response returned"))
+		}
+	})
+}
+
+func (c *AgentCommand) handleQuit(enabled bool) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if !enabled {
+			w.WriteHeader(http.StatusNotFound)
+			return
+		}
+
+		switch r.Method {
+		case http.MethodPost:
+		default:
+			w.WriteHeader(http.StatusMethodNotAllowed)
+			return
+		}
+
+		c.logger.Debug("received quit request")
+		close(c.ShutdownCh)
+	})
+}
+
+// newLogger creates a logger based on parsed config field on the Agent Command struct.
+func (c *AgentCommand) newLogger() (hclog.InterceptLogger, error) {
+	if c.config == nil {
+		return nil, fmt.Errorf("cannot create logger, no config")
+	}
+
+	var errs *multierror.Error
+
+	// Parse all the log related config
+	logLevel, err := logging.ParseLogLevel(c.config.LogLevel)
+	if err != nil {
+		errs = multierror.Append(errs, err)
+	}
+
+	logFormat, err := logging.ParseLogFormat(c.config.LogFormat)
+	if err != nil {
+		errs = multierror.Append(errs, err)
+	}
+
+	logRotateDuration, err := parseutil.ParseDurationSecond(c.config.LogRotateDuration)
+	if err != nil {
+		errs = multierror.Append(errs, err)
+	}
+
+	if errs != nil {
+		return nil, errs
+	}
+
+	logCfg, err := logging.NewLogConfig(nameAgent)
+	if err != nil {
+		return nil, err
+	}
+	logCfg.Name = nameAgent
+	logCfg.LogLevel = logLevel
+	logCfg.LogFormat = logFormat
+	logCfg.LogFilePath = c.config.LogFile
+	logCfg.LogRotateDuration = logRotateDuration
+	logCfg.LogRotateBytes = c.config.LogRotateBytes
+	logCfg.LogRotateMaxFiles = c.config.LogRotateMaxFiles
+
+	l, err := logging.Setup(logCfg, c.logWriter)
+	if err != nil {
+		return nil, err
+	}
+
+	return l, nil
+}
+
+// loadConfig attempts to generate an Agent config from the file(s) specified.
+func (c *AgentCommand) loadConfig(paths []string) (*agentConfig.Config, error) {
+	var errs *multierror.Error
+	cfg := agentConfig.NewConfig()
+
+	for _, configPath := range paths {
+		configFromPath, err := agentConfig.LoadConfig(configPath)
+		if err != nil {
+			errs = multierror.Append(errs, fmt.Errorf("error loading configuration from %s: %w", configPath, err))
+		} else {
+			cfg = cfg.Merge(configFromPath)
+		}
+	}
+
+	if errs != nil {
+		return nil, errs
+	}
+
+	if err := cfg.ValidateConfig(); err != nil {
+		return nil, fmt.Errorf("error validating configuration: %w", err)
+	}
+
+	return cfg, nil
+}
+
+// reloadConfig will attempt to reload the config from file(s) and adjust certain
+// config values without requiring a restart of the Vault Agent.
+// If config is retrieved without error it is stored in the config field of the AgentCommand.
+// This operation is not atomic and could result in updated config but partially applied config settings.
+// The error returned from this func may be a multierror.
+// This function will most likely be called due to Vault Agent receiving a SIGHUP signal.
+// Currently only reloading the following are supported:
+// * log level
+// * TLS certs for listeners
+func (c *AgentCommand) reloadConfig(paths []string) error {
+	// Notify systemd that the server is reloading
+	c.notifySystemd(systemd.SdNotifyReloading)
+	defer c.notifySystemd(systemd.SdNotifyReady)
+
+	var errors error
+
+	// Reload the config
+	cfg, err := c.loadConfig(paths)
+	if err != nil {
+		// Returning single error as we won't continue with bad config and won't 'commit' it.
+		return err
+	}
+	c.config = cfg
+
+	// Update the log level
+	err = c.reloadLogLevel()
+	if err != nil {
+		errors = multierror.Append(errors, err)
+	}
+
+	// Update certs
+	err = c.reloadCerts()
+	if err != nil {
+		errors = multierror.Append(errors, err)
+	}
+
+	return errors
+}
+
+// reloadLogLevel will attempt to update the log level for the logger attached
+// to the AgentComment struct using the value currently set in config.
+func (c *AgentCommand) reloadLogLevel() error {
+	logLevel, err := logging.ParseLogLevel(c.config.LogLevel)
+	if err != nil {
+		return err
+	}
+
+	c.logger.SetLevel(logLevel)
+
+	return nil
+}
+
+// reloadCerts will attempt to reload certificates using a reload func which
+// was provided when the listeners were configured, only funcs that were appended
+// to the AgentCommand slice will be invoked.
+// This function returns a multierror type so that every func can report an error
+// if it encounters one.
+func (c *AgentCommand) reloadCerts() error {
+	var errors error
+
+	c.tlsReloadFuncsLock.RLock()
+	defer c.tlsReloadFuncsLock.RUnlock()
+
+	for _, reloadFunc := range c.tlsReloadFuncs {
+		// Non-TLS listeners will have a nil reload func.
+		if reloadFunc != nil {
+			err := reloadFunc()
+			if err != nil {
+				errors = multierror.Append(errors, err)
+			}
+		}
+	}
+
+	return errors
+}
+
+// outputErrors will take an error or multierror and handle outputting each to the UI
+func (c *AgentCommand) outputErrors(err error) {
+	if err != nil {
+		if me, ok := err.(*multierror.Error); ok {
+			for _, err := range me.Errors {
+				c.UI.Error(err.Error())
+			}
+		} else {
+			c.UI.Error(err.Error())
+		}
+	}
+}
diff --git a/changelog/24224.txt b/changelog/24224.txt
new file mode 100644
index 000000000000..31bbcd255c4e
--- /dev/null
+++ b/changelog/24224.txt
@@ -0,0 +1,442 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"os"
+	paths "path"
+	"sort"
+	"strings"
+	"unicode"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/hcl/v2/gohcl"
+	"github.com/hashicorp/hcl/v2/hclwrite"
+	"github.com/hashicorp/vault/api"
+	"github.com/mitchellh/go-homedir"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*AgentGenerateConfigCommand)(nil)
+	_ cli.CommandAutocomplete = (*AgentGenerateConfigCommand)(nil)
+)
+
+type AgentGenerateConfigCommand struct {
+	*BaseCommand
+
+	flagType  string
+	flagPaths []string
+	flagExec  string
+}
+
+func (c *AgentGenerateConfigCommand) Synopsis() string {
+	return "Generate a Vault Agent configuration file."
+}
+
+func (c *AgentGenerateConfigCommand) Help() string {
+	helpText := `
+Usage: vault agent generate-config [options] [path/to/config.hcl]
+
+  Generates a simple Vault Agent configuration file from the given parameters.
+
+  Currently, the only supported configuration type is 'env-template', which
+  helps you generate a configuration file with environment variable templates
+  for running Vault Agent in process supervisor mode.
+
+  For every specified secret -path, the command will attempt to generate one or
+  multiple 'env_template' entries based on the JSON key(s) stored in the
+  specified secret. If the secret -path ends with '/*', the command will
+  attempt to recurse through the secrets tree rooted at the given path,
+  generating 'env_template' entries for each encountered secret. Currently,
+  only kv-v1 and kv-v2 paths are supported.
+
+  The command specified in the '-exec' option will be used to generate an
+  'exec' entry, which will tell Vault Agent which child process to run.
+
+  In addition to env_template entries, the command generates an 'auto_auth'
+  section with 'token_file' authentication method. While this method is very
+  convenient for local testing, it should NOT be used in production. Please
+  see https://developer.hashicorp.com/vault/docs/agent-and-proxy/autoauth/methods
+  for a list of production-ready auto_auth methods that you can use instead.
+
+  By default, the file will be generated in the local directory as 'agent.hcl'
+  unless a path is specified as an argument.
+
+  Generate a simple environment variable template configuration:
+
+      $ vault agent generate-config -type="env-template" \
+                    -exec="./my-app arg1 arg2" \
+                    -path="secret/foo"
+
+  Generate an environment variable template configuration for multiple secrets:
+
+      $ vault agent generate-config -type="env-template" \
+                    -exec="./my-app arg1 arg2" \
+                    -path="secret/foo" \
+                    -path="secret/bar" \
+                    -path="secret/my-app/*"
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *AgentGenerateConfigCommand) Flags() *FlagSets {
+	// Include client-modifying flags (-address, -namespace, etc.)
+	set := c.flagSet(FlagSetHTTP)
+
+	// Common Options
+	f := set.NewFlagSet("Command Options")
+
+	f.StringVar(&StringVar{
+		Name:   "type",
+		Target: &c.flagType,
+		Usage:  "Type of configuration file to generate; currently, only 'env-template' is supported.",
+		Completion: complete.PredictSet(
+			"env-template",
+		),
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:       "path",
+		Target:     &c.flagPaths,
+		Usage:      "Path to a kv-v1 or kv-v2 secret (e.g. secret/data/foo, kv-v2/prefix/*); multiple secrets and tail '*' wildcards are allowed.",
+		Completion: c.PredictVaultFolders(),
+	})
+
+	f.StringVar(&StringVar{
+		Name:    "exec",
+		Target:  &c.flagExec,
+		Default: "env",
+		Usage:   "The command to execute in agent process supervisor mode.",
+	})
+
+	return set
+}
+
+func (c *AgentGenerateConfigCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictNothing
+}
+
+func (c *AgentGenerateConfigCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *AgentGenerateConfigCommand) Run(args []string) int {
+	flags := c.Flags()
+
+	if err := flags.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = flags.Args()
+
+	if len(args) > 1 {
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected at most 1, got %d)", len(args)))
+		return 1
+	}
+
+	if c.flagType == "" {
+		c.UI.Error(`Please specify a -type flag; currently only -type="env-template" is supported.`)
+		return 1
+	}
+
+	if c.flagType != "env-template" {
+		c.UI.Error(fmt.Sprintf(`%q is not a supported configuration type; currently only -type="env-template" is supported.`, c.flagType))
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	config, err := generateConfiguration(context.Background(), client, c.flagExec, c.flagPaths)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error: %v", err))
+		return 2
+	}
+
+	var configPath string
+	if len(args) == 1 {
+		configPath = args[0]
+	} else {
+		configPath = "agent.hcl"
+	}
+
+	f, err := os.Create(configPath)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Could not create configuration file %q: %v", configPath, err))
+		return 3
+	}
+	defer func() {
+		if err := f.Close(); err != nil {
+			c.UI.Error(fmt.Sprintf("Could not close configuration file %q: %v", configPath, err))
+		}
+	}()
+
+	if _, err := config.WriteTo(f); err != nil {
+		c.UI.Error(fmt.Sprintf("Could not write to configuration file %q: %v", configPath, err))
+		return 3
+	}
+
+	c.UI.Info(fmt.Sprintf("Successfully generated %q configuration file!", configPath))
+
+	c.UI.Warn("Warning: the generated file uses 'token_file' authentication method, which is not suitable for production environments.")
+
+	return 0
+}
+
+func generateConfiguration(ctx context.Context, client *api.Client, flagExec string, flagPaths []string) (io.WriterTo, error) {
+	var execCommand []string
+	if flagExec != "" {
+		execCommand = strings.Split(flagExec, " ")
+	} else {
+		execCommand = []string{"env"}
+	}
+
+	tokenPath, err := homedir.Expand("~/.vault-token")
+	if err != nil {
+		return nil, fmt.Errorf("could not expand home directory: %w", err)
+	}
+
+	templates, err := constructTemplates(ctx, client, flagPaths)
+	if err != nil {
+		return nil, fmt.Errorf("could not generate templates: %w", err)
+	}
+
+	config := generatedConfig{
+		AutoAuth: generatedConfigAutoAuth{
+			Method: generatedConfigAutoAuthMethod{
+				Type: "token_file",
+				Config: generatedConfigAutoAuthMethodConfig{
+					TokenFilePath: tokenPath,
+				},
+			},
+		},
+		TemplateConfig: generatedConfigTemplateConfig{
+			StaticSecretRenderInterval: "5m",
+			ExitOnRetryFailure:         true,
+		},
+		Vault: generatedConfigVault{
+			Address: client.Address(),
+		},
+		Exec: generatedConfigExec{
+			Command:                execCommand,
+			RestartOnSecretChanges: "always",
+			RestartStopSignal:      "SIGTERM",
+		},
+		EnvTemplates: templates,
+	}
+
+	contents := hclwrite.NewEmptyFile()
+
+	gohcl.EncodeIntoBody(&config, contents.Body())
+
+	return contents, nil
+}
+
+func constructTemplates(ctx context.Context, client *api.Client, paths []string) ([]generatedConfigEnvTemplate, error) {
+	var templates []generatedConfigEnvTemplate
+
+	for _, path := range paths {
+		path = sanitizePath(path)
+
+		mountPath, v2, err := isKVv2(path, client)
+		if err != nil {
+			return nil, fmt.Errorf("could not validate secret path %q: %w", path, err)
+		}
+
+		switch {
+		case strings.HasSuffix(path, "/*"):
+			// this path contains a tail wildcard, attempt to walk the tree
+			t, err := constructTemplatesFromTree(ctx, client, path[:len(path)-2], mountPath, v2)
+			if err != nil {
+				return nil, fmt.Errorf("could not traverse sercet at %q: %w", path, err)
+			}
+			templates = append(templates, t...)
+
+		case strings.Contains(path, "*"):
+			// don't allow any other wildcards
+			return nil, fmt.Errorf("the path %q cannot contain '*' wildcard characters except as the last element of the path", path)
+
+		default:
+			// regular secret path
+			t, err := constructTemplatesFromSecret(ctx, client, path, mountPath, v2)
+			if err != nil {
+				return nil, fmt.Errorf("could not read secret at %q: %v", path, err)
+			}
+			templates = append(templates, t...)
+		}
+	}
+
+	return templates, nil
+}
+
+func constructTemplatesFromTree(ctx context.Context, client *api.Client, path, mountPath string, v2 bool) ([]generatedConfigEnvTemplate, error) {
+	var templates []generatedConfigEnvTemplate
+
+	if v2 {
+		metadataPath := strings.Replace(
+			path,
+			paths.Join(mountPath, "data"),
+			paths.Join(mountPath, "metadata"),
+			1,
+		)
+		if path != metadataPath {
+			path = metadataPath
+		} else {
+			path = addPrefixToKVPath(path, mountPath, "metadata", true)
+		}
+	}
+
+	err := walkSecretsTree(ctx, client, path, func(child string, directory bool) error {
+		if directory {
+			return nil
+		}
+
+		dataPath := strings.Replace(
+			child,
+			paths.Join(mountPath, "metadata"),
+			paths.Join(mountPath, "data"),
+			1,
+		)
+
+		t, err := constructTemplatesFromSecret(ctx, client, dataPath, mountPath, v2)
+		if err != nil {
+			return err
+		}
+		templates = append(templates, t...)
+
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return templates, nil
+}
+
+func constructTemplatesFromSecret(ctx context.Context, client *api.Client, path, mountPath string, v2 bool) ([]generatedConfigEnvTemplate, error) {
+	var templates []generatedConfigEnvTemplate
+
+	if v2 {
+		path = addPrefixToKVPath(path, mountPath, "data", true)
+	}
+
+	resp, err := client.Logical().ReadWithContext(ctx, path)
+	if err != nil {
+		return nil, fmt.Errorf("error querying: %w", err)
+	}
+	if resp == nil {
+		return nil, fmt.Errorf("secret not found")
+	}
+
+	var data map[string]interface{}
+	if v2 {
+		internal, ok := resp.Data["data"]
+		if !ok {
+			return nil, fmt.Errorf("secret.Data not found")
+		}
+		data = internal.(map[string]interface{})
+	} else {
+		data = resp.Data
+	}
+
+	fields := make([]string, 0, len(data))
+
+	for field := range data {
+		fields = append(fields, field)
+	}
+
+	// sort for a deterministic output
+	sort.Strings(fields)
+
+	var dataContents string
+	if v2 {
+		dataContents = ".Data.data"
+	} else {
+		dataContents = ".Data"
+	}
+
+	for _, field := range fields {
+		templates = append(templates, generatedConfigEnvTemplate{
+			Name:              constructDefaultEnvironmentKey(path, field),
+			Contents:          fmt.Sprintf(`{{ with secret "%s" }}{{ %s.%s }}{{ end }}`, path, dataContents, field),
+			ErrorOnMissingKey: true,
+		})
+	}
+
+	return templates, nil
+}
+
+func constructDefaultEnvironmentKey(path string, field string) string {
+	pathParts := strings.Split(path, "/")
+	pathPartsLast := pathParts[len(pathParts)-1]
+
+	notLetterOrNumber := func(r rune) bool {
+		return !unicode.IsLetter(r) && !unicode.IsNumber(r)
+	}
+
+	p1 := strings.FieldsFunc(pathPartsLast, notLetterOrNumber)
+	p2 := strings.FieldsFunc(field, notLetterOrNumber)
+
+	keyParts := append(p1, p2...)
+
+	return strings.ToUpper(strings.Join(keyParts, "_"))
+}
+
+// Below, we are redefining a subset of the configuration-related structures
+// defined under command/agent/config. Using these structures we can tailor the
+// output of the generated config, while using the original structures would
+// have produced an HCL document with many empty fields. The structures below
+// should not be used for anything other than generation.
+
+type generatedConfig struct {
+	AutoAuth       generatedConfigAutoAuth       `hcl:"auto_auth,block"`
+	TemplateConfig generatedConfigTemplateConfig `hcl:"template_config,block"`
+	Vault          generatedConfigVault          `hcl:"vault,block"`
+	EnvTemplates   []generatedConfigEnvTemplate  `hcl:"env_template,block"`
+	Exec           generatedConfigExec           `hcl:"exec,block"`
+}
+
+type generatedConfigTemplateConfig struct {
+	StaticSecretRenderInterval string `hcl:"static_secret_render_interval"`
+	ExitOnRetryFailure         bool   `hcl:"exit_on_retry_failure"`
+}
+
+type generatedConfigExec struct {
+	Command                []string `hcl:"command"`
+	RestartOnSecretChanges string   `hcl:"restart_on_secret_changes"`
+	RestartStopSignal      string   `hcl:"restart_stop_signal"`
+}
+
+type generatedConfigEnvTemplate struct {
+	Name              string `hcl:"name,label"`
+	Contents          string `hcl:"contents,attr"`
+	ErrorOnMissingKey bool   `hcl:"error_on_missing_key"`
+}
+
+type generatedConfigVault struct {
+	Address string `hcl:"address"`
+}
+
+type generatedConfigAutoAuth struct {
+	Method generatedConfigAutoAuthMethod `hcl:"method,block"`
+}
+
+type generatedConfigAutoAuthMethod struct {
+	Type   string                              `hcl:"type"`
+	Config generatedConfigAutoAuthMethodConfig `hcl:"config,block"`
+}
+
+type generatedConfigAutoAuthMethodConfig struct {
+	TokenFilePath string `hcl:"token_file_path"`
+}
diff --git a/changelog/24236.txt b/changelog/24236.txt
new file mode 100644
index 000000000000..8d12f6584d3d
--- /dev/null
+++ b/changelog/24236.txt
@@ -0,0 +1,3188 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"bufio"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"os"
+	"path/filepath"
+	"reflect"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/go-hclog"
+	vaultjwt "github.com/hashicorp/vault-plugin-auth-jwt"
+	logicalKv "github.com/hashicorp/vault-plugin-secrets-kv"
+	"github.com/hashicorp/vault/api"
+	credAppRole "github.com/hashicorp/vault/builtin/credential/approle"
+	"github.com/hashicorp/vault/command/agent"
+	agentConfig "github.com/hashicorp/vault/command/agent/config"
+	"github.com/hashicorp/vault/helper/testhelpers/minimal"
+	"github.com/hashicorp/vault/helper/useragent"
+	vaulthttp "github.com/hashicorp/vault/http"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/helper/logging"
+	"github.com/hashicorp/vault/sdk/helper/pointerutil"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/vault"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+const (
+	BasicHclConfig = `
+log_file = "TMPDIR/juan.log"
+log_level="warn"
+log_rotate_max_files=2
+log_rotate_bytes=1048576
+vault {
+	address = "http://127.0.0.1:8200"
+	retry {
+		num_retries = 5
+	}
+}
+
+listener "tcp" {
+	address = "127.0.0.1:8100"
+	tls_disable = false
+	tls_cert_file = "TMPDIR/reload_cert.pem"
+  	tls_key_file  = "TMPDIR/reload_key.pem"
+}`
+	BasicHclConfig2 = `
+log_file = "TMPDIR/juan.log"
+log_level="debug"
+log_rotate_max_files=-1
+log_rotate_bytes=1048576
+vault {
+	address = "http://127.0.0.1:8200"
+	retry {
+		num_retries = 5
+	}
+}
+
+listener "tcp" {
+	address = "127.0.0.1:8100"
+	tls_disable = false
+	tls_cert_file = "TMPDIR/reload_cert.pem"
+  	tls_key_file  = "TMPDIR/reload_key.pem"
+}`
+)
+
+func testAgentCommand(tb testing.TB, logger hclog.Logger) (*cli.MockUi, *AgentCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &AgentCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+		ShutdownCh: MakeShutdownCh(),
+		SighupCh:   MakeSighupCh(),
+		logger:     logger,
+		startedCh:  make(chan struct{}, 5),
+		reloadedCh: make(chan struct{}, 5),
+	}
+}
+
+func TestAgent_ExitAfterAuth(t *testing.T) {
+	t.Run("via_config", func(t *testing.T) {
+		testAgentExitAfterAuth(t, false)
+	})
+
+	t.Run("via_flag", func(t *testing.T) {
+		testAgentExitAfterAuth(t, true)
+	})
+}
+
+func testAgentExitAfterAuth(t *testing.T, viaFlag bool) {
+	logger := logging.NewVaultLogger(hclog.Trace)
+	coreConfig := &vault.CoreConfig{
+		CredentialBackends: map[string]logical.Factory{
+			"jwt": vaultjwt.Factory,
+		},
+	}
+	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
+		HandlerFunc: vaulthttp.Handler,
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	vault.TestWaitActive(t, cluster.Cores[0].Core)
+	client := cluster.Cores[0].Client
+
+	// Setup Vault
+	err := client.Sys().EnableAuthWithOptions("jwt", &api.EnableAuthOptions{
+		Type: "jwt",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = client.Logical().Write("auth/jwt/config", map[string]interface{}{
+		"bound_issuer":           "https://team-vault.auth0.com/",
+		"jwt_validation_pubkeys": agent.TestECDSAPubKey,
+		"jwt_supported_algs":     "ES256",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = client.Logical().Write("auth/jwt/role/test", map[string]interface{}{
+		"role_type":       "jwt",
+		"bound_subject":   "r3qXcK2bix9eFECzsU3Sbmh0K16fatW6@clients",
+		"bound_audiences": "https://vault.plugin.auth.jwt.test",
+		"user_claim":      "https://vault/user",
+		"groups_claim":    "https://vault/groups",
+		"policies":        "test",
+		"period":          "3s",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	inf, err := os.CreateTemp("", "auth.jwt.test.")
+	if err != nil {
+		t.Fatal(err)
+	}
+	in := inf.Name()
+	inf.Close()
+	os.Remove(in)
+	t.Logf("input: %s", in)
+
+	sink1f, err := os.CreateTemp("", "sink1.jwt.test.")
+	if err != nil {
+		t.Fatal(err)
+	}
+	sink1 := sink1f.Name()
+	sink1f.Close()
+	os.Remove(sink1)
+	t.Logf("sink1: %s", sink1)
+
+	sink2f, err := os.CreateTemp("", "sink2.jwt.test.")
+	if err != nil {
+		t.Fatal(err)
+	}
+	sink2 := sink2f.Name()
+	sink2f.Close()
+	os.Remove(sink2)
+	t.Logf("sink2: %s", sink2)
+
+	conff, err := os.CreateTemp("", "conf.jwt.test.")
+	if err != nil {
+		t.Fatal(err)
+	}
+	conf := conff.Name()
+	conff.Close()
+	os.Remove(conf)
+	t.Logf("config: %s", conf)
+
+	jwtToken, _ := agent.GetTestJWT(t)
+	if err := os.WriteFile(in, []byte(jwtToken), 0o600); err != nil {
+		t.Fatal(err)
+	} else {
+		logger.Trace("wrote test jwt", "path", in)
+	}
+
+	exitAfterAuthTemplText := "exit_after_auth = true"
+	if viaFlag {
+		exitAfterAuthTemplText = ""
+	}
+
+	config := `
+%s
+
+auto_auth {
+        method {
+                type = "jwt"
+                config = {
+                        role = "test"
+                        path = "%s"
+                }
+        }
+
+        sink {
+                type = "file"
+                config = {
+                        path = "%s"
+                }
+        }
+
+        sink "file" {
+                config = {
+                        path = "%s"
+                }
+        }
+}
+`
+
+	config = fmt.Sprintf(config, exitAfterAuthTemplText, in, sink1, sink2)
+	if err := os.WriteFile(conf, []byte(config), 0o600); err != nil {
+		t.Fatal(err)
+	} else {
+		logger.Trace("wrote test config", "path", conf)
+	}
+
+	doneCh := make(chan struct{})
+	go func() {
+		ui, cmd := testAgentCommand(t, logger)
+		cmd.client = client
+
+		args := []string{"-config", conf}
+		if viaFlag {
+			args = append(args, "-exit-after-auth")
+		}
+
+		code := cmd.Run(args)
+		if code != 0 {
+			t.Errorf("expected %d to be %d", code, 0)
+			t.Logf("output from agent:\n%s", ui.OutputWriter.String())
+			t.Logf("error from agent:\n%s", ui.ErrorWriter.String())
+		}
+		close(doneCh)
+	}()
+
+	select {
+	case <-doneCh:
+		break
+	case <-time.After(1 * time.Minute):
+		t.Fatal("timeout reached while waiting for agent to exit")
+	}
+
+	sink1Bytes, err := os.ReadFile(sink1)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(sink1Bytes) == 0 {
+		t.Fatal("got no output from sink 1")
+	}
+
+	sink2Bytes, err := os.ReadFile(sink2)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(sink2Bytes) == 0 {
+		t.Fatal("got no output from sink 2")
+	}
+
+	if string(sink1Bytes) != string(sink2Bytes) {
+		t.Fatal("sink 1/2 values don't match")
+	}
+}
+
+func TestAgent_RequireRequestHeader(t *testing.T) {
+	// newApiClient creates an *api.Client.
+	newApiClient := func(addr string, includeVaultRequestHeader bool) *api.Client {
+		conf := api.DefaultConfig()
+		conf.Address = addr
+		cli, err := api.NewClient(conf)
+		if err != nil {
+			t.Fatalf("err: %s", err)
+		}
+
+		h := cli.Headers()
+		val, ok := h[consts.RequestHeaderName]
+		if !ok || !reflect.DeepEqual(val, []string{"true"}) {
+			t.Fatalf("invalid %s header", consts.RequestHeaderName)
+		}
+		if !includeVaultRequestHeader {
+			delete(h, consts.RequestHeaderName)
+			cli.SetHeaders(h)
+		}
+
+		return cli
+	}
+
+	//----------------------------------------------------
+	// Start the server and agent
+	//----------------------------------------------------
+
+	// Start a vault server
+	logger := logging.NewVaultLogger(hclog.Trace)
+	cluster := vault.NewTestCluster(t,
+		&vault.CoreConfig{
+			CredentialBackends: map[string]logical.Factory{
+				"approle": credAppRole.Factory,
+			},
+		},
+		&vault.TestClusterOptions{
+			HandlerFunc: vaulthttp.Handler,
+		})
+	cluster.Start()
+	defer cluster.Cleanup()
+	vault.TestWaitActive(t, cluster.Cores[0].Core)
+	serverClient := cluster.Cores[0].Client
+
+	// Enable the approle auth method
+	roleIDPath, secretIDPath := setupAppRole(t, serverClient)
+
+	// Create a config file
+	config := `
+auto_auth {
+    method "approle" {
+        mount_path = "auth/approle"
+        config = {
+            role_id_file_path = "%s"
+            secret_id_file_path = "%s"
+        }
+    }
+}
+
+cache {
+    use_auto_auth_token = true
+}
+
+listener "tcp" {
+    address = "%s"
+    tls_disable = true
+}
+listener "tcp" {
+    address = "%s"
+    tls_disable = true
+    require_request_header = false
+}
+listener "tcp" {
+    address = "%s"
+    tls_disable = true
+    require_request_header = true
+}
+`
+	listenAddr1 := generateListenerAddress(t)
+	listenAddr2 := generateListenerAddress(t)
+	listenAddr3 := generateListenerAddress(t)
+	config = fmt.Sprintf(
+		config,
+		roleIDPath,
+		secretIDPath,
+		listenAddr1,
+		listenAddr2,
+		listenAddr3,
+	)
+	configPath := makeTempFile(t, "config.hcl", config)
+	defer os.Remove(configPath)
+
+	// Start the agent
+	ui, cmd := testAgentCommand(t, logger)
+	cmd.client = serverClient
+	cmd.startedCh = make(chan struct{})
+
+	var output string
+	var code int
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		code = cmd.Run([]string{"-config", configPath})
+		if code != 0 {
+			output = ui.ErrorWriter.String() + ui.OutputWriter.String()
+		}
+		wg.Done()
+	}()
+
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Fatalf("timeout")
+	}
+
+	// defer agent shutdown
+	defer func() {
+		cmd.ShutdownCh <- struct{}{}
+		wg.Wait()
+		if code != 0 {
+			t.Fatalf("got a non-zero exit status: %d, stdout/stderr: %s", code, output)
+		}
+	}()
+
+	//----------------------------------------------------
+	// Perform the tests
+	//----------------------------------------------------
+
+	// Test against a listener configuration that omits
+	// 'require_request_header', with the header missing from the request.
+	agentClient := newApiClient("http://"+listenAddr1, false)
+	req := agentClient.NewRequest("GET", "/v1/sys/health")
+	request(t, agentClient, req, 200)
+
+	// Test against a listener configuration that sets 'require_request_header'
+	// to 'false', with the header missing from the request.
+	agentClient = newApiClient("http://"+listenAddr2, false)
+	req = agentClient.NewRequest("GET", "/v1/sys/health")
+	request(t, agentClient, req, 200)
+
+	// Test against a listener configuration that sets 'require_request_header'
+	// to 'true', with the header missing from the request.
+	agentClient = newApiClient("http://"+listenAddr3, false)
+	req = agentClient.NewRequest("GET", "/v1/sys/health")
+	resp, err := agentClient.RawRequest(req)
+	if err == nil {
+		t.Fatalf("expected error")
+	}
+	if resp.StatusCode != http.StatusPreconditionFailed {
+		t.Fatalf("expected status code %d, not %d", http.StatusPreconditionFailed, resp.StatusCode)
+	}
+
+	// Test against a listener configuration that sets 'require_request_header'
+	// to 'true', with an invalid header present in the request.
+	agentClient = newApiClient("http://"+listenAddr3, false)
+	h := agentClient.Headers()
+	h[consts.RequestHeaderName] = []string{"bogus"}
+	agentClient.SetHeaders(h)
+	req = agentClient.NewRequest("GET", "/v1/sys/health")
+	resp, err = agentClient.RawRequest(req)
+	if err == nil {
+		t.Fatalf("expected error")
+	}
+	if resp.StatusCode != http.StatusPreconditionFailed {
+		t.Fatalf("expected status code %d, not %d", http.StatusPreconditionFailed, resp.StatusCode)
+	}
+
+	// Test against a listener configuration that sets 'require_request_header'
+	// to 'true', with the proper header present in the request.
+	agentClient = newApiClient("http://"+listenAddr3, true)
+	req = agentClient.NewRequest("GET", "/v1/sys/health")
+	request(t, agentClient, req, 200)
+}
+
+// TestAgent_RequireAutoAuthWithForce ensures that the client exits with a
+// non-zero code if configured to force the use of an auto-auth token without
+// configuring the auto_auth block
+func TestAgent_RequireAutoAuthWithForce(t *testing.T) {
+	logger := logging.NewVaultLogger(hclog.Trace)
+	// Create a config file
+	config := fmt.Sprintf(`
+cache {
+    use_auto_auth_token = "force"
+}
+
+listener "tcp" {
+    address = "%s"
+    tls_disable = true
+}
+`, generateListenerAddress(t))
+
+	configPath := makeTempFile(t, "config.hcl", config)
+	defer os.Remove(configPath)
+
+	// Start the agent
+	ui, cmd := testAgentCommand(t, logger)
+	cmd.startedCh = make(chan struct{})
+
+	code := cmd.Run([]string{"-config", configPath})
+	if code == 0 {
+		t.Errorf("expected error code, but got 0: %d", code)
+		t.Logf("STDOUT from agent:\n%s", ui.OutputWriter.String())
+		t.Logf("STDERR from agent:\n%s", ui.ErrorWriter.String())
+	}
+}
+
+// TestAgent_Template_UserAgent Validates that the User-Agent sent to Vault
+// as part of Templating requests is correct. Uses the custom handler
+// userAgentHandler struct defined in this test package, so that Vault validates the
+// User-Agent on requests sent by Agent.
+func TestAgent_Template_UserAgent(t *testing.T) {
+	//----------------------------------------------------
+	// Start the server and agent
+	//----------------------------------------------------
+	logger := logging.NewVaultLogger(hclog.Trace)
+	var h userAgentHandler
+	cluster := vault.NewTestCluster(t,
+		&vault.CoreConfig{
+			CredentialBackends: map[string]logical.Factory{
+				"approle": credAppRole.Factory,
+			},
+			LogicalBackends: map[string]logical.Factory{
+				"kv": logicalKv.Factory,
+			},
+		},
+		&vault.TestClusterOptions{
+			NumCores: 1,
+			HandlerFunc: vaulthttp.HandlerFunc(
+				func(properties *vault.HandlerProperties) http.Handler {
+					h.props = properties
+					h.userAgentToCheckFor = useragent.AgentTemplatingString()
+					h.pathToCheck = "/v1/secret/data"
+					h.requestMethodToCheck = "GET"
+					h.t = t
+					return &h
+				}),
+		})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	vault.TestWaitActive(t, cluster.Cores[0].Core)
+	serverClient := cluster.Cores[0].Client
+
+	// Unset the environment variable so that agent picks up the right test
+	// cluster address
+	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
+	os.Setenv(api.EnvVaultAddress, serverClient.Address())
+
+	roleIDPath, secretIDPath := setupAppRoleAndKVMounts(t, serverClient)
+
+	// make a temp directory to hold renders. Each test will create a temp dir
+	// inside this one
+	tmpDirRoot, err := os.MkdirTemp("", "agent-test-renders")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpDirRoot)
+	// create temp dir for this test run
+	tmpDir, err := os.MkdirTemp(tmpDirRoot, "TestAgent_Template_UserAgent")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// make some template files
+	var templatePaths []string
+	fileName := filepath.Join(tmpDir, "render_0.tmpl")
+	if err := os.WriteFile(fileName, []byte(templateContents(0)), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	templatePaths = append(templatePaths, fileName)
+
+	// build up the template config to be added to the Agent config.hcl file
+	var templateConfigStrings []string
+	for i, t := range templatePaths {
+		index := fmt.Sprintf("render_%d.json", i)
+		s := fmt.Sprintf(templateConfigString, t, tmpDir, index)
+		templateConfigStrings = append(templateConfigStrings, s)
+	}
+
+	// Create a config file
+	config := `
+vault {
+  address = "%s"
+	tls_skip_verify = true
+}
+
+auto_auth {
+    method "approle" {
+        mount_path = "auth/approle"
+        config = {
+            role_id_file_path = "%s"
+            secret_id_file_path = "%s"
+            remove_secret_id_file_after_reading = false
+        }
+    }
+}
+
+%s
+`
+
+	// flatten the template configs
+	templateConfig := strings.Join(templateConfigStrings, " ")
+
+	config = fmt.Sprintf(config, serverClient.Address(), roleIDPath, secretIDPath, templateConfig)
+	configPath := makeTempFile(t, "config.hcl", config)
+	defer os.Remove(configPath)
+
+	// Start the agent
+	ui, cmd := testAgentCommand(t, logger)
+	cmd.client = serverClient
+	cmd.startedCh = make(chan struct{})
+
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		code := cmd.Run([]string{"-config", configPath})
+		if code != 0 {
+			t.Errorf("non-zero return code when running agent: %d", code)
+			t.Logf("STDOUT from agent:\n%s", ui.OutputWriter.String())
+			t.Logf("STDERR from agent:\n%s", ui.ErrorWriter.String())
+		}
+		wg.Done()
+	}()
+
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Errorf("timeout")
+	}
+
+	// We need to shut down the Agent command
+	defer func() {
+		cmd.ShutdownCh <- struct{}{}
+		wg.Wait()
+	}()
+
+	verify := func(suffix string) {
+		t.Helper()
+		// We need to poll for a bit to give Agent time to render the
+		// templates. Without this, the test will attempt to read
+		// the temp dir before Agent has had time to render and will
+		// likely fail the test
+		tick := time.Tick(1 * time.Second)
+		timeout := time.After(10 * time.Second)
+		var err error
+		for {
+			select {
+			case <-timeout:
+				t.Fatalf("timed out waiting for templates to render, last error: %v", err)
+			case <-tick:
+			}
+			// Check for files rendered in the directory and break
+			// early for shutdown if we do have all the files
+			// rendered
+
+			//----------------------------------------------------
+			// Perform the tests
+			//----------------------------------------------------
+
+			if numFiles := testListFiles(t, tmpDir, ".json"); numFiles != len(templatePaths) {
+				err = fmt.Errorf("expected (%d) templates, got (%d)", len(templatePaths), numFiles)
+				continue
+			}
+
+			for i := range templatePaths {
+				fileName := filepath.Join(tmpDir, fmt.Sprintf("render_%d.json", i))
+				var c []byte
+				c, err = os.ReadFile(fileName)
+				if err != nil {
+					continue
+				}
+				if string(c) != templateRendered(i)+suffix {
+					err = fmt.Errorf("expected=%q, got=%q", templateRendered(i)+suffix, string(c))
+					continue
+				}
+			}
+			return
+		}
+	}
+
+	verify("")
+
+	fileName = filepath.Join(tmpDir, "render_0.tmpl")
+	if err := os.WriteFile(fileName, []byte(templateContents(0)+"{}"), 0o600); err != nil {
+		t.Fatal(err)
+	}
+
+	verify("{}")
+}
+
+// TestAgent_Template tests rendering templates
+func TestAgent_Template_Basic(t *testing.T) {
+	//----------------------------------------------------
+	// Start the server and agent
+	//----------------------------------------------------
+	logger := logging.NewVaultLogger(hclog.Trace)
+	cluster := vault.NewTestCluster(t,
+		&vault.CoreConfig{
+			CredentialBackends: map[string]logical.Factory{
+				"approle": credAppRole.Factory,
+			},
+			LogicalBackends: map[string]logical.Factory{
+				"kv": logicalKv.Factory,
+			},
+		},
+		&vault.TestClusterOptions{
+			HandlerFunc: vaulthttp.Handler,
+		})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	vault.TestWaitActive(t, cluster.Cores[0].Core)
+	serverClient := cluster.Cores[0].Client
+
+	// Unset the environment variable so that agent picks up the right test
+	// cluster address
+	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
+	os.Setenv(api.EnvVaultAddress, serverClient.Address())
+
+	roleIDPath, secretIDPath := setupAppRoleAndKVMounts(t, serverClient)
+
+	// make a temp directory to hold renders. Each test will create a temp dir
+	// inside this one
+	tmpDirRoot, err := os.MkdirTemp("", "agent-test-renders")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpDirRoot)
+
+	// start test cases here
+	testCases := map[string]struct {
+		templateCount int
+		exitAfterAuth bool
+	}{
+		"one": {
+			templateCount: 1,
+		},
+		"one_with_exit": {
+			templateCount: 1,
+			exitAfterAuth: true,
+		},
+		"many": {
+			templateCount: 15,
+		},
+		"many_with_exit": {
+			templateCount: 13,
+			exitAfterAuth: true,
+		},
+	}
+
+	for tcname, tc := range testCases {
+		t.Run(tcname, func(t *testing.T) {
+			// create temp dir for this test run
+			tmpDir, err := os.MkdirTemp(tmpDirRoot, tcname)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			// make some template files
+			var templatePaths []string
+			for i := 0; i < tc.templateCount; i++ {
+				fileName := filepath.Join(tmpDir, fmt.Sprintf("render_%d.tmpl", i))
+				if err := os.WriteFile(fileName, []byte(templateContents(i)), 0o600); err != nil {
+					t.Fatal(err)
+				}
+				templatePaths = append(templatePaths, fileName)
+			}
+
+			// build up the template config to be added to the Agent config.hcl file
+			var templateConfigStrings []string
+			for i, t := range templatePaths {
+				index := fmt.Sprintf("render_%d.json", i)
+				s := fmt.Sprintf(templateConfigString, t, tmpDir, index)
+				templateConfigStrings = append(templateConfigStrings, s)
+			}
+
+			// Create a config file
+			config := `
+vault {
+  address = "%s"
+	tls_skip_verify = true
+}
+
+auto_auth {
+    method "approle" {
+        mount_path = "auth/approle"
+        config = {
+            role_id_file_path = "%s"
+            secret_id_file_path = "%s"
+            remove_secret_id_file_after_reading = false
+        }
+    }
+}
+
+%s
+
+%s
+`
+
+			// conditionally set the exit_after_auth flag
+			exitAfterAuth := ""
+			if tc.exitAfterAuth {
+				exitAfterAuth = "exit_after_auth = true"
+			}
+
+			// flatten the template configs
+			templateConfig := strings.Join(templateConfigStrings, " ")
+
+			config = fmt.Sprintf(config, serverClient.Address(), roleIDPath, secretIDPath, templateConfig, exitAfterAuth)
+			configPath := makeTempFile(t, "config.hcl", config)
+			defer os.Remove(configPath)
+
+			// Start the agent
+			ui, cmd := testAgentCommand(t, logger)
+			cmd.client = serverClient
+			cmd.startedCh = make(chan struct{})
+
+			wg := &sync.WaitGroup{}
+			wg.Add(1)
+			go func() {
+				code := cmd.Run([]string{"-config", configPath})
+				if code != 0 {
+					t.Errorf("non-zero return code when running agent: %d", code)
+					t.Logf("STDOUT from agent:\n%s", ui.OutputWriter.String())
+					t.Logf("STDERR from agent:\n%s", ui.ErrorWriter.String())
+				}
+				wg.Done()
+			}()
+
+			select {
+			case <-cmd.startedCh:
+			case <-time.After(5 * time.Second):
+				t.Errorf("timeout")
+			}
+
+			// if using exit_after_auth, then the command will have returned at the
+			// end and no longer be running. If we are not using exit_after_auth, then
+			// we need to shut down the command
+			if !tc.exitAfterAuth {
+				defer func() {
+					cmd.ShutdownCh <- struct{}{}
+					wg.Wait()
+				}()
+			}
+
+			verify := func(suffix string) {
+				t.Helper()
+				// We need to poll for a bit to give Agent time to render the
+				// templates. Without this, the test will attempt to read
+				// the temp dir before Agent has had time to render and will
+				// likely fail the test
+				tick := time.Tick(1 * time.Second)
+				timeout := time.After(10 * time.Second)
+				var err error
+				for {
+					select {
+					case <-timeout:
+						t.Fatalf("timed out waiting for templates to render, last error: %v", err)
+					case <-tick:
+					}
+					// Check for files rendered in the directory and break
+					// early for shutdown if we do have all the files
+					// rendered
+
+					//----------------------------------------------------
+					// Perform the tests
+					//----------------------------------------------------
+
+					if numFiles := testListFiles(t, tmpDir, ".json"); numFiles != len(templatePaths) {
+						err = fmt.Errorf("expected (%d) templates, got (%d)", len(templatePaths), numFiles)
+						continue
+					}
+
+					for i := range templatePaths {
+						fileName := filepath.Join(tmpDir, fmt.Sprintf("render_%d.json", i))
+						var c []byte
+						c, err = os.ReadFile(fileName)
+						if err != nil {
+							continue
+						}
+						if string(c) != templateRendered(i)+suffix {
+							err = fmt.Errorf("expected=%q, got=%q", templateRendered(i)+suffix, string(c))
+							continue
+						}
+					}
+					return
+				}
+			}
+
+			verify("")
+
+			for i := 0; i < tc.templateCount; i++ {
+				fileName := filepath.Join(tmpDir, fmt.Sprintf("render_%d.tmpl", i))
+				if err := os.WriteFile(fileName, []byte(templateContents(i)+"{}"), 0o600); err != nil {
+					t.Fatal(err)
+				}
+			}
+
+			verify("{}")
+		})
+	}
+}
+
+func setupAppRole(t *testing.T, serverClient *api.Client) (string, string) {
+	t.Helper()
+	// Enable the approle auth method
+	req := serverClient.NewRequest("POST", "/v1/sys/auth/approle")
+	req.BodyBytes = []byte(`{
+		"type": "approle"
+	}`)
+	request(t, serverClient, req, 204)
+
+	// Create a named role
+	req = serverClient.NewRequest("PUT", "/v1/auth/approle/role/test-role")
+	req.BodyBytes = []byte(`{
+	  "token_ttl": "5m",
+		"token_policies":"default,myapp-read",
+		"policies":"default,myapp-read"
+	}`)
+	request(t, serverClient, req, 204)
+
+	// Fetch the RoleID of the named role
+	req = serverClient.NewRequest("GET", "/v1/auth/approle/role/test-role/role-id")
+	body := request(t, serverClient, req, 200)
+	data := body["data"].(map[string]interface{})
+	roleID := data["role_id"].(string)
+
+	// Get a SecretID issued against the named role
+	req = serverClient.NewRequest("PUT", "/v1/auth/approle/role/test-role/secret-id")
+	body = request(t, serverClient, req, 200)
+	data = body["data"].(map[string]interface{})
+	secretID := data["secret_id"].(string)
+
+	// Write the RoleID and SecretID to temp files
+	roleIDPath := makeTempFile(t, "role_id.txt", roleID+"\n")
+	secretIDPath := makeTempFile(t, "secret_id.txt", secretID+"\n")
+	t.Cleanup(func() {
+		os.Remove(roleIDPath)
+		os.Remove(secretIDPath)
+	})
+
+	return roleIDPath, secretIDPath
+}
+
+func setupAppRoleAndKVMounts(t *testing.T, serverClient *api.Client) (string, string) {
+	roleIDPath, secretIDPath := setupAppRole(t, serverClient)
+
+	// give test-role permissions to read the kv secret
+	req := serverClient.NewRequest("PUT", "/v1/sys/policy/myapp-read")
+	req.BodyBytes = []byte(`{
+	  "policy": "path \"secret/*\" { capabilities = [\"read\", \"list\"] }"
+	}`)
+	request(t, serverClient, req, 204)
+
+	// setup the kv secrets
+	req = serverClient.NewRequest("POST", "/v1/sys/mounts/secret/tune")
+	req.BodyBytes = []byte(`{
+	"options": {"version": "2"}
+	}`)
+	request(t, serverClient, req, 200)
+
+	// Secret: myapp
+	req = serverClient.NewRequest("POST", "/v1/secret/data/myapp")
+	req.BodyBytes = []byte(`{
+	  "data": {
+      "username": "bar",
+      "password": "zap"
+    }
+	}`)
+	request(t, serverClient, req, 200)
+
+	// Secret: myapp2
+	req = serverClient.NewRequest("POST", "/v1/secret/data/myapp2")
+	req.BodyBytes = []byte(`{
+	  "data": {
+      "username": "barstuff",
+      "password": "zap"
+    }
+	}`)
+	request(t, serverClient, req, 200)
+
+	// Secret: otherapp
+	req = serverClient.NewRequest("POST", "/v1/secret/data/otherapp")
+	req.BodyBytes = []byte(`{
+	  "data": {
+      "username": "barstuff",
+      "password": "zap",
+			"cert": "something"
+    }
+	}`)
+	request(t, serverClient, req, 200)
+
+	return roleIDPath, secretIDPath
+}
+
+// TestAgent_Template_VaultClientFromEnv tests that Vault Agent can read in its
+// required `vault` client details from environment variables instead of config.
+func TestAgent_Template_VaultClientFromEnv(t *testing.T) {
+	//----------------------------------------------------
+	// Start the server and agent
+	//----------------------------------------------------
+	logger := logging.NewVaultLogger(hclog.Trace)
+	cluster := vault.NewTestCluster(t,
+		&vault.CoreConfig{
+			CredentialBackends: map[string]logical.Factory{
+				"approle": credAppRole.Factory,
+			},
+			LogicalBackends: map[string]logical.Factory{
+				"kv": logicalKv.Factory,
+			},
+		},
+		&vault.TestClusterOptions{
+			HandlerFunc: vaulthttp.Handler,
+		})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	vault.TestWaitActive(t, cluster.Cores[0].Core)
+	serverClient := cluster.Cores[0].Client
+
+	roleIDPath, secretIDPath := setupAppRoleAndKVMounts(t, serverClient)
+
+	// make a temp directory to hold renders. Each test will create a temp dir
+	// inside this one
+	tmpDirRoot, err := os.MkdirTemp("", "agent-test-renders")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpDirRoot)
+
+	vaultAddr := "https://" + cluster.Cores[0].Listeners[0].Address.String()
+	testCases := map[string]struct {
+		env map[string]string
+	}{
+		"VAULT_ADDR and VAULT_CACERT": {
+			env: map[string]string{
+				api.EnvVaultAddress: vaultAddr,
+				api.EnvVaultCACert:  cluster.CACertPEMFile,
+			},
+		},
+		"VAULT_ADDR and VAULT_CACERT_BYTES": {
+			env: map[string]string{
+				api.EnvVaultAddress:     vaultAddr,
+				api.EnvVaultCACertBytes: string(cluster.CACertPEM),
+			},
+		},
+	}
+
+	for tcname, tc := range testCases {
+		t.Run(tcname, func(t *testing.T) {
+			for k, v := range tc.env {
+				t.Setenv(k, v)
+			}
+			tmpDir := t.TempDir()
+
+			// Make a template.
+			templateFile := filepath.Join(tmpDir, "render.tmpl")
+			if err := os.WriteFile(templateFile, []byte(templateContents(0)), 0o600); err != nil {
+				t.Fatal(err)
+			}
+
+			// build up the template config to be added to the Agent config.hcl file
+			targetFile := filepath.Join(tmpDir, "render.json")
+			templateConfig := fmt.Sprintf(`
+template {
+    source      = "%s"
+    destination = "%s"
+}
+			`, templateFile, targetFile)
+
+			// Create a config file
+			config := `
+auto_auth {
+    method "approle" {
+        mount_path = "auth/approle"
+        config = {
+            role_id_file_path = "%s"
+            secret_id_file_path = "%s"
+            remove_secret_id_file_after_reading = false
+        }
+    }
+}
+
+%s
+`
+
+			config = fmt.Sprintf(config, roleIDPath, secretIDPath, templateConfig)
+			configPath := makeTempFile(t, "config.hcl", config)
+			defer os.Remove(configPath)
+
+			// Start the agent
+			ui, cmd := testAgentCommand(t, logger)
+			cmd.client = serverClient
+			cmd.startedCh = make(chan struct{})
+
+			wg := &sync.WaitGroup{}
+			wg.Add(1)
+			go func() {
+				code := cmd.Run([]string{"-config", configPath})
+				if code != 0 {
+					t.Errorf("non-zero return code when running agent: %d", code)
+					t.Logf("STDOUT from agent:\n%s", ui.OutputWriter.String())
+					t.Logf("STDERR from agent:\n%s", ui.ErrorWriter.String())
+				}
+				wg.Done()
+			}()
+
+			select {
+			case <-cmd.startedCh:
+			case <-time.After(5 * time.Second):
+				t.Errorf("timeout")
+			}
+
+			defer func() {
+				cmd.ShutdownCh <- struct{}{}
+				wg.Wait()
+			}()
+
+			// We need to poll for a bit to give Agent time to render the
+			// templates. Without this this, the test will attempt to read
+			// the temp dir before Agent has had time to render and will
+			// likely fail the test
+			tick := time.Tick(1 * time.Second)
+			timeout := time.After(10 * time.Second)
+			for {
+				select {
+				case <-timeout:
+					t.Fatalf("timed out waiting for templates to render, last error: %v", err)
+				case <-tick:
+				}
+
+				contents, err := os.ReadFile(targetFile)
+				if err != nil {
+					// If the file simply doesn't exist, continue waiting for
+					// the template rendering to complete.
+					if os.IsNotExist(err) {
+						continue
+					}
+					t.Fatal(err)
+				}
+
+				if string(contents) != templateRendered(0) {
+					t.Fatalf("expected=%q, got=%q", templateRendered(0), string(contents))
+				}
+
+				// Success! Break out of the retry loop.
+				break
+			}
+		})
+	}
+}
+
+func testListFiles(t *testing.T, dir, extension string) int {
+	t.Helper()
+
+	files, err := os.ReadDir(dir)
+	if err != nil {
+		t.Fatal(err)
+	}
+	var count int
+	for _, f := range files {
+		if filepath.Ext(f.Name()) == extension {
+			count++
+		}
+	}
+
+	return count
+}
+
+// TestAgent_Template_ExitCounter tests that Vault Agent correctly renders all
+// templates before exiting when the configuration uses exit_after_auth. This is
+// similar to TestAgent_Template_Basic, but differs by using a consistent number
+// of secrets from multiple sources, where as the basic test could possibly
+// generate a random number of secrets, but all using the same source. This test
+// reproduces https://github.com/hashicorp/vault/issues/7883
+func TestAgent_Template_ExitCounter(t *testing.T) {
+	//----------------------------------------------------
+	// Start the server and agent
+	//----------------------------------------------------
+	logger := logging.NewVaultLogger(hclog.Trace)
+	cluster := vault.NewTestCluster(t,
+		&vault.CoreConfig{
+			CredentialBackends: map[string]logical.Factory{
+				"approle": credAppRole.Factory,
+			},
+			LogicalBackends: map[string]logical.Factory{
+				"kv": logicalKv.Factory,
+			},
+		},
+		&vault.TestClusterOptions{
+			HandlerFunc: vaulthttp.Handler,
+		})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	vault.TestWaitActive(t, cluster.Cores[0].Core)
+	serverClient := cluster.Cores[0].Client
+
+	// Unset the environment variable so that agent picks up the right test
+	// cluster address
+	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
+	os.Setenv(api.EnvVaultAddress, serverClient.Address())
+
+	roleIDPath, secretIDPath := setupAppRoleAndKVMounts(t, serverClient)
+
+	// make a temp directory to hold renders. Each test will create a temp dir
+	// inside this one
+	tmpDirRoot, err := os.MkdirTemp("", "agent-test-renders")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpDirRoot)
+
+	// create temp dir for this test run
+	tmpDir, err := os.MkdirTemp(tmpDirRoot, "agent-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Create a config file
+	config := `
+vault {
+  address = "%s"
+  tls_skip_verify = true
+}
+
+auto_auth {
+    method "approle" {
+        mount_path = "auth/approle"
+        config = {
+            role_id_file_path = "%s"
+            secret_id_file_path = "%s"
+            remove_secret_id_file_after_reading = false
+        }
+    }
+}
+
+template {
+    contents = "{{ with secret \"secret/myapp\" }}{{ range $k, $v := .Data.data }}{{ $v }}{{ end }}{{ end }}"
+    destination = "%s/render-pass.txt"
+}
+
+template {
+    contents = "{{ with secret \"secret/myapp2\" }}{{ .Data.data.username}}{{ end }}"
+    destination = "%s/render-user.txt"
+}
+
+template {
+    contents = <<EOF
+{{ with secret "secret/otherapp"}}
+{
+{{ if .Data.data.username}}"username":"{{ .Data.data.username}}",{{ end }}
+{{ if .Data.data.password }}"password":"{{ .Data.data.password }}",{{ end }}
+{{ .Data.data.cert }}
+}
+{{ end }}
+EOF
+    destination = "%s/render-other.txt"
+}
+
+exit_after_auth = true
+`
+
+	config = fmt.Sprintf(config, serverClient.Address(), roleIDPath, secretIDPath, tmpDir, tmpDir, tmpDir)
+	configPath := makeTempFile(t, "config.hcl", config)
+	defer os.Remove(configPath)
+
+	// Start the agent
+	ui, cmd := testAgentCommand(t, logger)
+	cmd.client = serverClient
+	cmd.startedCh = make(chan struct{})
+
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		code := cmd.Run([]string{"-config", configPath})
+		if code != 0 {
+			t.Errorf("non-zero return code when running agent: %d", code)
+			t.Logf("STDOUT from agent:\n%s", ui.OutputWriter.String())
+			t.Logf("STDERR from agent:\n%s", ui.ErrorWriter.String())
+		}
+		wg.Done()
+	}()
+
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Errorf("timeout")
+	}
+
+	wg.Wait()
+
+	//----------------------------------------------------
+	// Perform the tests
+	//----------------------------------------------------
+
+	files, err := os.ReadDir(tmpDir)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(files) != 3 {
+		t.Fatalf("expected (%d) templates, got (%d)", 3, len(files))
+	}
+}
+
+// a slice of template options
+var templates = []string{
+	`{{- with secret "secret/otherapp"}}{"secret": "other",
+{{- if .Data.data.username}}"username":"{{ .Data.data.username}}",{{- end }}
+{{- if .Data.data.password }}"password":"{{ .Data.data.password }}"{{- end }}}
+{{- end }}`,
+	`{{- with secret "secret/myapp"}}{"secret": "myapp",
+{{- if .Data.data.username}}"username":"{{ .Data.data.username}}",{{- end }}
+{{- if .Data.data.password }}"password":"{{ .Data.data.password }}"{{- end }}}
+{{- end }}`,
+	`{{- with secret "secret/myapp"}}{"secret": "myapp",
+{{- if .Data.data.password }}"password":"{{ .Data.data.password }}"{{- end }}}
+{{- end }}`,
+}
+
+var rendered = []string{
+	`{"secret": "other","username":"barstuff","password":"zap"}`,
+	`{"secret": "myapp","username":"bar","password":"zap"}`,
+	`{"secret": "myapp","password":"zap"}`,
+}
+
+// templateContents returns a template from the above templates slice. Each
+// invocation with incrementing seed will return "the next" template, and loop.
+// This ensures as we use multiple templates that we have a increasing number of
+// sources before we reuse a template.
+func templateContents(seed int) string {
+	index := seed % len(templates)
+	return templates[index]
+}
+
+func templateRendered(seed int) string {
+	index := seed % len(templates)
+	return rendered[index]
+}
+
+var templateConfigString = `
+template {
+  source      = "%s"
+  destination = "%s/%s"
+}
+`
+
+// request issues HTTP requests.
+func request(t *testing.T, client *api.Client, req *api.Request, expectedStatusCode int) map[string]interface{} {
+	t.Helper()
+	resp, err := client.RawRequest(req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	if resp.StatusCode != expectedStatusCode {
+		t.Fatalf("expected status code %d, not %d", expectedStatusCode, resp.StatusCode)
+	}
+
+	bytes, err := io.ReadAll(resp.Body)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	if len(bytes) == 0 {
+		return nil
+	}
+
+	var body map[string]interface{}
+	err = json.Unmarshal(bytes, &body)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	return body
+}
+
+// makeTempFile creates a temp file and populates it.
+func makeTempFile(t *testing.T, name, contents string) string {
+	t.Helper()
+	f, err := os.CreateTemp("", name)
+	if err != nil {
+		t.Fatal(err)
+	}
+	path := f.Name()
+	f.WriteString(contents)
+	f.Close()
+	return path
+}
+
+func populateTempFile(t *testing.T, name, contents string) *os.File {
+	t.Helper()
+
+	file, err := os.CreateTemp(t.TempDir(), name)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = file.WriteString(contents)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = file.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	return file
+}
+
+// handler makes 500 errors happen for reads on /v1/secret.
+// Definitely not thread-safe, do not use t.Parallel with this.
+type handler struct {
+	props     *vault.HandlerProperties
+	failCount int
+	t         *testing.T
+}
+
+func (h *handler) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
+	if req.Method == "GET" && strings.HasPrefix(req.URL.Path, "/v1/secret") {
+		if h.failCount > 0 {
+			h.failCount--
+			h.t.Logf("%s failing GET request on %s, failures left: %d", time.Now(), req.URL.Path, h.failCount)
+			resp.WriteHeader(500)
+			return
+		}
+		h.t.Logf("passing GET request on %s", req.URL.Path)
+	}
+	vaulthttp.Handler.Handler(h.props).ServeHTTP(resp, req)
+}
+
+// userAgentHandler makes it easy to test the User-Agent header received
+// by Vault
+type userAgentHandler struct {
+	props                *vault.HandlerProperties
+	failCount            int
+	userAgentToCheckFor  string
+	pathToCheck          string
+	requestMethodToCheck string
+	t                    *testing.T
+}
+
+func (h *userAgentHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
+	if req.Method == h.requestMethodToCheck && strings.Contains(req.RequestURI, h.pathToCheck) {
+		userAgent := req.UserAgent()
+		if !(userAgent == h.userAgentToCheckFor) {
+			h.t.Fatalf("User-Agent string not as expected. Expected to find %s, got %s", h.userAgentToCheckFor, userAgent)
+		}
+	}
+	vaulthttp.Handler.Handler(h.props).ServeHTTP(w, req)
+}
+
+// TestAgent_Template_Retry verifies that the template server retries requests
+// based on retry configuration.
+func TestAgent_Template_Retry(t *testing.T) {
+	//----------------------------------------------------
+	// Start the server and agent
+	//----------------------------------------------------
+	logger := logging.NewVaultLogger(hclog.Trace)
+	var h handler
+	cluster := vault.NewTestCluster(t,
+		&vault.CoreConfig{
+			CredentialBackends: map[string]logical.Factory{
+				"approle": credAppRole.Factory,
+			},
+			LogicalBackends: map[string]logical.Factory{
+				"kv": logicalKv.Factory,
+			},
+		},
+		&vault.TestClusterOptions{
+			NumCores: 1,
+			HandlerFunc: vaulthttp.HandlerFunc(
+				func(properties *vault.HandlerProperties) http.Handler {
+					h.props = properties
+					h.t = t
+					return &h
+				}),
+		})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	vault.TestWaitActive(t, cluster.Cores[0].Core)
+	serverClient := cluster.Cores[0].Client
+
+	// Unset the environment variable so that agent picks up the right test
+	// cluster address
+	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
+	os.Unsetenv(api.EnvVaultAddress)
+
+	methodConf, cleanup := prepAgentApproleKV(t, serverClient)
+	defer cleanup()
+
+	err := serverClient.Sys().TuneMount("secret", api.MountConfigInput{
+		Options: map[string]string{
+			"version": "2",
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = serverClient.Logical().Write("secret/data/otherapp", map[string]interface{}{
+		"data": map[string]interface{}{
+			"username": "barstuff",
+			"password": "zap",
+			"cert":     "something",
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// make a temp directory to hold renders. Each test will create a temp dir
+	// inside this one
+	tmpDirRoot, err := os.MkdirTemp("", "agent-test-renders")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpDirRoot)
+
+	intRef := func(i int) *int {
+		return &i
+	}
+	// start test cases here
+	testCases := map[string]struct {
+		retries     *int
+		expectError bool
+	}{
+		"none": {
+			retries:     intRef(-1),
+			expectError: true,
+		},
+		"one": {
+			retries:     intRef(1),
+			expectError: true,
+		},
+		"two": {
+			retries:     intRef(2),
+			expectError: false,
+		},
+		"missing": {
+			retries:     nil,
+			expectError: false,
+		},
+		"default": {
+			retries:     intRef(0),
+			expectError: false,
+		},
+	}
+
+	for tcname, tc := range testCases {
+		t.Run(tcname, func(t *testing.T) {
+			// We fail the first 6 times.  The consul-template code creates
+			// a Vault client with MaxRetries=2, so for every consul-template
+			// retry configured, it will in practice make up to 3 requests.
+			// Thus if consul-template is configured with "one" retry, it will
+			// fail given our failCount, but if configured with "two" retries,
+			// they will consume our 6th failure, and on the "third (from its
+			// perspective) attempt, it will succeed.
+			h.failCount = 6
+
+			// create temp dir for this test run
+			tmpDir, err := os.MkdirTemp(tmpDirRoot, tcname)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			// make some template files
+			templatePath := filepath.Join(tmpDir, "render_0.tmpl")
+			if err := os.WriteFile(templatePath, []byte(templateContents(0)), 0o600); err != nil {
+				t.Fatal(err)
+			}
+			templateConfig := fmt.Sprintf(templateConfigString, templatePath, tmpDir, "render_0.json")
+
+			var retryConf string
+			if tc.retries != nil {
+				retryConf = fmt.Sprintf("retry { num_retries = %d }", *tc.retries)
+			}
+
+			config := fmt.Sprintf(`
+%s
+vault {
+  address = "%s"
+  %s
+  tls_skip_verify = true
+}
+%s
+template_config {
+  exit_on_retry_failure = true
+}
+`, methodConf, serverClient.Address(), retryConf, templateConfig)
+
+			configPath := makeTempFile(t, "config.hcl", config)
+			defer os.Remove(configPath)
+
+			// Start the agent
+			_, cmd := testAgentCommand(t, logger)
+			cmd.startedCh = make(chan struct{})
+
+			wg := &sync.WaitGroup{}
+			wg.Add(1)
+			var code int
+			go func() {
+				code = cmd.Run([]string{"-config", configPath})
+				wg.Done()
+			}()
+
+			select {
+			case <-cmd.startedCh:
+			case <-time.After(5 * time.Second):
+				t.Errorf("timeout")
+			}
+
+			verify := func() error {
+				t.Helper()
+				// We need to poll for a bit to give Agent time to render the
+				// templates. Without this this, the test will attempt to read
+				// the temp dir before Agent has had time to render and will
+				// likely fail the test
+				tick := time.Tick(1 * time.Second)
+				timeout := time.After(15 * time.Second)
+				var err error
+				for {
+					select {
+					case <-timeout:
+						return fmt.Errorf("timed out waiting for templates to render, last error: %v", err)
+					case <-tick:
+					}
+					// Check for files rendered in the directory and break
+					// early for shutdown if we do have all the files
+					// rendered
+
+					//----------------------------------------------------
+					// Perform the tests
+					//----------------------------------------------------
+
+					if numFiles := testListFiles(t, tmpDir, ".json"); numFiles != 1 {
+						err = fmt.Errorf("expected 1 template, got (%d)", numFiles)
+						continue
+					}
+
+					fileName := filepath.Join(tmpDir, "render_0.json")
+					var c []byte
+					c, err = os.ReadFile(fileName)
+					if err != nil {
+						continue
+					}
+					if string(c) != templateRendered(0) {
+						err = fmt.Errorf("expected=%q, got=%q", templateRendered(0), string(c))
+						continue
+					}
+					return nil
+				}
+			}
+
+			err = verify()
+			close(cmd.ShutdownCh)
+			wg.Wait()
+
+			switch {
+			case (code != 0 || err != nil) && tc.expectError:
+			case code == 0 && err == nil && !tc.expectError:
+			default:
+				t.Fatalf("%s expectError=%v error=%v code=%d", tcname, tc.expectError, err, code)
+			}
+		})
+	}
+}
+
+// prepAgentApproleKV configures a Vault instance for approle authentication,
+// such that the resulting token will have global permissions across /kv
+// and /secret mounts.  Returns the auto_auth config stanza to setup an Agent
+// to connect using approle.
+func prepAgentApproleKV(t *testing.T, client *api.Client) (string, func()) {
+	t.Helper()
+
+	policyAutoAuthAppRole := `
+path "/kv/*" {
+	capabilities = ["create", "read", "update", "delete", "list"]
+}
+path "/secret/*" {
+	capabilities = ["create", "read", "update", "delete", "list"]
+}
+`
+	// Add an kv-admin policy
+	if err := client.Sys().PutPolicy("test-autoauth", policyAutoAuthAppRole); err != nil {
+		t.Fatal(err)
+	}
+
+	// Enable approle
+	err := client.Sys().EnableAuthWithOptions("approle", &api.EnableAuthOptions{
+		Type: "approle",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = client.Logical().Write("auth/approle/role/test1", map[string]interface{}{
+		"bind_secret_id": "true",
+		"token_ttl":      "1h",
+		"token_max_ttl":  "2h",
+		"policies":       []string{"test-autoauth"},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	resp, err := client.Logical().Write("auth/approle/role/test1/secret-id", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	secretID := resp.Data["secret_id"].(string)
+	secretIDFile := makeTempFile(t, "secret_id.txt", secretID+"\n")
+
+	resp, err = client.Logical().Read("auth/approle/role/test1/role-id")
+	if err != nil {
+		t.Fatal(err)
+	}
+	roleID := resp.Data["role_id"].(string)
+	roleIDFile := makeTempFile(t, "role_id.txt", roleID+"\n")
+
+	config := fmt.Sprintf(`
+auto_auth {
+    method "approle" {
+        mount_path = "auth/approle"
+        config = {
+            role_id_file_path = "%s"
+            secret_id_file_path = "%s"
+            remove_secret_id_file_after_reading = false
+        }
+    }
+}
+`, roleIDFile, secretIDFile)
+
+	cleanup := func() {
+		_ = os.Remove(roleIDFile)
+		_ = os.Remove(secretIDFile)
+	}
+	return config, cleanup
+}
+
+// TestAgent_AutoAuth_UserAgent tests that the User-Agent sent
+// to Vault by Vault Agent is correct when performing Auto-Auth.
+// Uses the custom handler userAgentHandler (defined above) so
+// that Vault validates the User-Agent on requests sent by Agent.
+func TestAgent_AutoAuth_UserAgent(t *testing.T) {
+	logger := logging.NewVaultLogger(hclog.Trace)
+	var h userAgentHandler
+	cluster := vault.NewTestCluster(t, &vault.CoreConfig{
+		CredentialBackends: map[string]logical.Factory{
+			"approle": credAppRole.Factory,
+		},
+	}, &vault.TestClusterOptions{
+		NumCores: 1,
+		HandlerFunc: vaulthttp.HandlerFunc(
+			func(properties *vault.HandlerProperties) http.Handler {
+				h.props = properties
+				h.userAgentToCheckFor = useragent.AgentAutoAuthString()
+				h.requestMethodToCheck = "PUT"
+				h.pathToCheck = "auth/approle/login"
+				h.t = t
+				return &h
+			}),
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	serverClient := cluster.Cores[0].Client
+
+	// Enable the approle auth method
+	roleIDPath, secretIDPath := setupAppRole(t, serverClient)
+
+	sinkf, err := os.CreateTemp("", "sink.test.")
+	if err != nil {
+		t.Fatal(err)
+	}
+	sink := sinkf.Name()
+	sinkf.Close()
+	os.Remove(sink)
+
+	autoAuthConfig := fmt.Sprintf(`
+auto_auth {
+    method "approle" {
+        mount_path = "auth/approle"
+        config = {
+            role_id_file_path = "%s"
+            secret_id_file_path = "%s"
+        }
+    }
+
+	sink "file" {
+		config = {
+			path = "%s"
+		}
+	}
+}`, roleIDPath, secretIDPath, sink)
+
+	listenAddr := generateListenerAddress(t)
+	listenConfig := fmt.Sprintf(`
+listener "tcp" {
+  address = "%s"
+  tls_disable = true
+}
+`, listenAddr)
+
+	config := fmt.Sprintf(`
+vault {
+  address = "%s"
+  tls_skip_verify = true
+}
+api_proxy {
+  use_auto_auth_token = true
+}
+%s
+%s
+`, serverClient.Address(), listenConfig, autoAuthConfig)
+	configPath := makeTempFile(t, "config.hcl", config)
+	defer os.Remove(configPath)
+
+	// Unset the environment variable so that agent picks up the right test
+	// cluster address
+	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
+	os.Unsetenv(api.EnvVaultAddress)
+
+	// Start the agent
+	_, cmd := testAgentCommand(t, logger)
+	cmd.startedCh = make(chan struct{})
+
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		cmd.Run([]string{"-config", configPath})
+		wg.Done()
+	}()
+
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Errorf("timeout")
+	}
+
+	// Validate that the auto-auth token has been correctly attained
+	// and works for LookupSelf
+	conf := api.DefaultConfig()
+	conf.Address = "http://" + listenAddr
+	agentClient, err := api.NewClient(conf)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	agentClient.SetToken("")
+	err = agentClient.SetAddress("http://" + listenAddr)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Wait for the token to be sent to syncs and be available to be used
+	time.Sleep(5 * time.Second)
+
+	req := agentClient.NewRequest("GET", "/v1/auth/token/lookup-self")
+	request(t, agentClient, req, 200)
+
+	close(cmd.ShutdownCh)
+	wg.Wait()
+}
+
+// TestAgent_APIProxyWithoutCache_UserAgent tests that the User-Agent sent
+// to Vault by Vault Agent is correct using the API proxy without
+// the cache configured. Uses the custom handler
+// userAgentHandler struct defined in this test package, so that Vault validates the
+// User-Agent on requests sent by Agent.
+func TestAgent_APIProxyWithoutCache_UserAgent(t *testing.T) {
+	logger := logging.NewVaultLogger(hclog.Trace)
+	userAgentForProxiedClient := "proxied-client"
+	var h userAgentHandler
+	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
+		NumCores: 1,
+		HandlerFunc: vaulthttp.HandlerFunc(
+			func(properties *vault.HandlerProperties) http.Handler {
+				h.props = properties
+				h.userAgentToCheckFor = useragent.AgentProxyStringWithProxiedUserAgent(userAgentForProxiedClient)
+				h.pathToCheck = "/v1/auth/token/lookup-self"
+				h.requestMethodToCheck = "GET"
+				h.t = t
+				return &h
+			}),
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	serverClient := cluster.Cores[0].Client
+
+	// Unset the environment variable so that agent picks up the right test
+	// cluster address
+	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
+	os.Unsetenv(api.EnvVaultAddress)
+
+	listenAddr := generateListenerAddress(t)
+	listenConfig := fmt.Sprintf(`
+listener "tcp" {
+  address = "%s"
+  tls_disable = true
+}
+`, listenAddr)
+
+	config := fmt.Sprintf(`
+vault {
+  address = "%s"
+  tls_skip_verify = true
+}
+%s
+`, serverClient.Address(), listenConfig)
+	configPath := makeTempFile(t, "config.hcl", config)
+	defer os.Remove(configPath)
+
+	// Start the agent
+	_, cmd := testAgentCommand(t, logger)
+	cmd.startedCh = make(chan struct{})
+
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		cmd.Run([]string{"-config", configPath})
+		wg.Done()
+	}()
+
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Errorf("timeout")
+	}
+
+	agentClient, err := api.NewClient(api.DefaultConfig())
+	if err != nil {
+		t.Fatal(err)
+	}
+	agentClient.AddHeader("User-Agent", userAgentForProxiedClient)
+	agentClient.SetToken(serverClient.Token())
+	agentClient.SetMaxRetries(0)
+	err = agentClient.SetAddress("http://" + listenAddr)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = agentClient.Auth().Token().LookupSelf()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	close(cmd.ShutdownCh)
+	wg.Wait()
+}
+
+// TestAgent_APIProxyWithCache_UserAgent tests that the User-Agent sent
+// to Vault by Vault Agent is correct using the API proxy with
+// the cache configured.  Uses the custom handler
+// userAgentHandler struct defined in this test package, so that Vault validates the
+// User-Agent on requests sent by Agent.
+func TestAgent_APIProxyWithCache_UserAgent(t *testing.T) {
+	logger := logging.NewVaultLogger(hclog.Trace)
+	userAgentForProxiedClient := "proxied-client"
+	var h userAgentHandler
+	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
+		NumCores: 1,
+		HandlerFunc: vaulthttp.HandlerFunc(
+			func(properties *vault.HandlerProperties) http.Handler {
+				h.props = properties
+				h.userAgentToCheckFor = useragent.AgentProxyStringWithProxiedUserAgent(userAgentForProxiedClient)
+				h.pathToCheck = "/v1/auth/token/lookup-self"
+				h.requestMethodToCheck = "GET"
+				h.t = t
+				return &h
+			}),
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	serverClient := cluster.Cores[0].Client
+
+	// Unset the environment variable so that agent picks up the right test
+	// cluster address
+	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
+	os.Unsetenv(api.EnvVaultAddress)
+
+	listenAddr := generateListenerAddress(t)
+	listenConfig := fmt.Sprintf(`
+listener "tcp" {
+  address = "%s"
+  tls_disable = true
+}
+`, listenAddr)
+
+	cacheConfig := `
+cache {
+}`
+
+	config := fmt.Sprintf(`
+vault {
+  address = "%s"
+  tls_skip_verify = true
+}
+%s
+%s
+`, serverClient.Address(), listenConfig, cacheConfig)
+	configPath := makeTempFile(t, "config.hcl", config)
+	defer os.Remove(configPath)
+
+	// Start the agent
+	_, cmd := testAgentCommand(t, logger)
+	cmd.startedCh = make(chan struct{})
+
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		cmd.Run([]string{"-config", configPath})
+		wg.Done()
+	}()
+
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Errorf("timeout")
+	}
+
+	agentClient, err := api.NewClient(api.DefaultConfig())
+	if err != nil {
+		t.Fatal(err)
+	}
+	agentClient.AddHeader("User-Agent", userAgentForProxiedClient)
+	agentClient.SetToken(serverClient.Token())
+	agentClient.SetMaxRetries(0)
+	err = agentClient.SetAddress("http://" + listenAddr)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = agentClient.Auth().Token().LookupSelf()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	close(cmd.ShutdownCh)
+	wg.Wait()
+}
+
+func TestAgent_Cache_DynamicSecret(t *testing.T) {
+	logger := logging.NewVaultLogger(hclog.Trace)
+	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
+		HandlerFunc: vaulthttp.Handler,
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	serverClient := cluster.Cores[0].Client
+
+	// Unset the environment variable so that agent picks up the right test
+	// cluster address
+	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
+	os.Unsetenv(api.EnvVaultAddress)
+
+	cacheConfig := `
+cache {
+}
+`
+	listenAddr := generateListenerAddress(t)
+	listenConfig := fmt.Sprintf(`
+listener "tcp" {
+  address = "%s"
+  tls_disable = true
+}
+`, listenAddr)
+
+	config := fmt.Sprintf(`
+vault {
+  address = "%s"
+  tls_skip_verify = true
+}
+%s
+%s
+`, serverClient.Address(), cacheConfig, listenConfig)
+	configPath := makeTempFile(t, "config.hcl", config)
+	defer os.Remove(configPath)
+
+	// Start the agent
+	_, cmd := testAgentCommand(t, logger)
+	cmd.startedCh = make(chan struct{})
+
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		cmd.Run([]string{"-config", configPath})
+		wg.Done()
+	}()
+
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Errorf("timeout")
+	}
+
+	agentClient, err := api.NewClient(api.DefaultConfig())
+	if err != nil {
+		t.Fatal(err)
+	}
+	agentClient.SetToken(serverClient.Token())
+	agentClient.SetMaxRetries(0)
+	err = agentClient.SetAddress("http://" + listenAddr)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	renewable := true
+	tokenCreateRequest := &api.TokenCreateRequest{
+		Policies:  []string{"default"},
+		TTL:       "30m",
+		Renewable: &renewable,
+	}
+
+	// This was the simplest test I could find to trigger the caching behaviour,
+	// i.e. the most concise I could make the test that I can tell
+	// creating an orphan token returns Auth, is renewable, and isn't a token
+	// that's managed elsewhere (since it's an orphan)
+	secret, err := agentClient.Auth().Token().CreateOrphan(tokenCreateRequest)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if secret == nil || secret.Auth == nil {
+		t.Fatalf("secret not as expected: %v", secret)
+	}
+
+	token := secret.Auth.ClientToken
+
+	secret, err = agentClient.Auth().Token().CreateOrphan(tokenCreateRequest)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if secret == nil || secret.Auth == nil {
+		t.Fatalf("secret not as expected: %v", secret)
+	}
+
+	token2 := secret.Auth.ClientToken
+
+	if token != token2 {
+		t.Fatalf("token create response not cached when it should have been, as tokens differ")
+	}
+
+	close(cmd.ShutdownCh)
+	wg.Wait()
+}
+
+func TestAgent_ApiProxy_Retry(t *testing.T) {
+	//----------------------------------------------------
+	// Start the server and agent
+	//----------------------------------------------------
+	logger := logging.NewVaultLogger(hclog.Trace)
+	var h handler
+	cluster := vault.NewTestCluster(t,
+		&vault.CoreConfig{
+			CredentialBackends: map[string]logical.Factory{
+				"approle": credAppRole.Factory,
+			},
+			LogicalBackends: map[string]logical.Factory{
+				"kv": logicalKv.Factory,
+			},
+		},
+		&vault.TestClusterOptions{
+			NumCores: 1,
+			HandlerFunc: vaulthttp.HandlerFunc(func(properties *vault.HandlerProperties) http.Handler {
+				h.props = properties
+				h.t = t
+				return &h
+			}),
+		})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	vault.TestWaitActive(t, cluster.Cores[0].Core)
+	serverClient := cluster.Cores[0].Client
+
+	// Unset the environment variable so that agent picks up the right test
+	// cluster address
+	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
+	os.Unsetenv(api.EnvVaultAddress)
+
+	_, err := serverClient.Logical().Write("secret/foo", map[string]interface{}{
+		"bar": "baz",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	intRef := func(i int) *int {
+		return &i
+	}
+	// start test cases here
+	testCases := map[string]struct {
+		retries     *int
+		expectError bool
+	}{
+		"none": {
+			retries:     intRef(-1),
+			expectError: true,
+		},
+		"one": {
+			retries:     intRef(1),
+			expectError: true,
+		},
+		"two": {
+			retries:     intRef(2),
+			expectError: false,
+		},
+		"missing": {
+			retries:     nil,
+			expectError: false,
+		},
+		"default": {
+			retries:     intRef(0),
+			expectError: false,
+		},
+	}
+
+	for tcname, tc := range testCases {
+		t.Run(tcname, func(t *testing.T) {
+			h.failCount = 2
+
+			cacheConfig := `
+cache {
+}
+`
+			listenAddr := generateListenerAddress(t)
+			listenConfig := fmt.Sprintf(`
+listener "tcp" {
+  address = "%s"
+  tls_disable = true
+}
+`, listenAddr)
+
+			var retryConf string
+			if tc.retries != nil {
+				retryConf = fmt.Sprintf("retry { num_retries = %d }", *tc.retries)
+			}
+
+			config := fmt.Sprintf(`
+vault {
+  address = "%s"
+  %s
+  tls_skip_verify = true
+}
+%s
+%s
+`, serverClient.Address(), retryConf, cacheConfig, listenConfig)
+			configPath := makeTempFile(t, "config.hcl", config)
+			defer os.Remove(configPath)
+
+			// Start the agent
+			_, cmd := testAgentCommand(t, logger)
+			cmd.startedCh = make(chan struct{})
+
+			wg := &sync.WaitGroup{}
+			wg.Add(1)
+			go func() {
+				cmd.Run([]string{"-config", configPath})
+				wg.Done()
+			}()
+
+			select {
+			case <-cmd.startedCh:
+			case <-time.After(5 * time.Second):
+				t.Errorf("timeout")
+			}
+
+			client, err := api.NewClient(api.DefaultConfig())
+			if err != nil {
+				t.Fatal(err)
+			}
+			client.SetToken(serverClient.Token())
+			client.SetMaxRetries(0)
+			err = client.SetAddress("http://" + listenAddr)
+			if err != nil {
+				t.Fatal(err)
+			}
+			secret, err := client.Logical().Read("secret/foo")
+			switch {
+			case (err != nil || secret == nil) && tc.expectError:
+			case (err == nil || secret != nil) && !tc.expectError:
+			default:
+				t.Fatalf("%s expectError=%v error=%v secret=%v", tcname, tc.expectError, err, secret)
+			}
+			if secret != nil && secret.Data["foo"] != nil {
+				val := secret.Data["foo"].(map[string]interface{})
+				if !reflect.DeepEqual(val, map[string]interface{}{"bar": "baz"}) {
+					t.Fatalf("expected key 'foo' to yield bar=baz, got: %v", val)
+				}
+			}
+			time.Sleep(time.Second)
+
+			close(cmd.ShutdownCh)
+			wg.Wait()
+		})
+	}
+}
+
+func TestAgent_TemplateConfig_ExitOnRetryFailure(t *testing.T) {
+	//----------------------------------------------------
+	// Start the server and agent
+	//----------------------------------------------------
+	logger := logging.NewVaultLogger(hclog.Trace)
+	cluster := vault.NewTestCluster(t,
+		&vault.CoreConfig{
+			CredentialBackends: map[string]logical.Factory{
+				"approle": credAppRole.Factory,
+			},
+			LogicalBackends: map[string]logical.Factory{
+				"kv": logicalKv.Factory,
+			},
+		},
+		&vault.TestClusterOptions{
+			NumCores:    1,
+			HandlerFunc: vaulthttp.Handler,
+		})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	vault.TestWaitActive(t, cluster.Cores[0].Core)
+	serverClient := cluster.Cores[0].Client
+
+	// Unset the environment variable so that agent picks up the right test
+	// cluster address
+	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
+	os.Unsetenv(api.EnvVaultAddress)
+
+	autoAuthConfig, cleanup := prepAgentApproleKV(t, serverClient)
+	defer cleanup()
+
+	err := serverClient.Sys().TuneMount("secret", api.MountConfigInput{
+		Options: map[string]string{
+			"version": "2",
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = serverClient.Logical().Write("secret/data/otherapp", map[string]interface{}{
+		"data": map[string]interface{}{
+			"username": "barstuff",
+			"password": "zap",
+			"cert":     "something",
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// make a temp directory to hold renders. Each test will create a temp dir
+	// inside this one
+	tmpDirRoot, err := os.MkdirTemp("", "agent-test-renders")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpDirRoot)
+
+	// Note that missing key is different from a non-existent secret. A missing
+	// key (2xx response with missing keys in the response map) can still yield
+	// a successful render unless error_on_missing_key is specified, whereas a
+	// missing secret (4xx response) always results in an error.
+	missingKeyTemplateContent := `{{- with secret "secret/otherapp"}}{"secret": "other",
+{{- if .Data.data.foo}}"foo":"{{ .Data.data.foo}}"{{- end }}}
+{{- end }}`
+	missingKeyTemplateRender := `{"secret": "other",}`
+
+	badTemplateContent := `{{- with secret "secret/non-existent"}}{"secret": "other",
+{{- if .Data.data.foo}}"foo":"{{ .Data.data.foo}}"{{- end }}}
+{{- end }}`
+
+	testCases := map[string]struct {
+		exitOnRetryFailure        *bool
+		templateContents          string
+		expectTemplateRender      string
+		templateErrorOnMissingKey bool
+		expectError               bool
+		expectExitFromError       bool
+	}{
+		"true, no template error": {
+			exitOnRetryFailure:        pointerutil.BoolPtr(true),
+			templateContents:          templateContents(0),
+			expectTemplateRender:      templateRendered(0),
+			templateErrorOnMissingKey: false,
+			expectError:               false,
+			expectExitFromError:       false,
+		},
+		"true, with non-existent secret": {
+			exitOnRetryFailure:        pointerutil.BoolPtr(true),
+			templateContents:          badTemplateContent,
+			expectTemplateRender:      "",
+			templateErrorOnMissingKey: false,
+			expectError:               true,
+			expectExitFromError:       true,
+		},
+		"true, with missing key": {
+			exitOnRetryFailure:        pointerutil.BoolPtr(true),
+			templateContents:          missingKeyTemplateContent,
+			expectTemplateRender:      missingKeyTemplateRender,
+			templateErrorOnMissingKey: false,
+			expectError:               false,
+			expectExitFromError:       false,
+		},
+		"true, with missing key, with error_on_missing_key": {
+			exitOnRetryFailure:        pointerutil.BoolPtr(true),
+			templateContents:          missingKeyTemplateContent,
+			expectTemplateRender:      "",
+			templateErrorOnMissingKey: true,
+			expectError:               true,
+			expectExitFromError:       true,
+		},
+		"false, no template error": {
+			exitOnRetryFailure:        pointerutil.BoolPtr(false),
+			templateContents:          templateContents(0),
+			expectTemplateRender:      templateRendered(0),
+			templateErrorOnMissingKey: false,
+			expectError:               false,
+			expectExitFromError:       false,
+		},
+		"false, with non-existent secret": {
+			exitOnRetryFailure:        pointerutil.BoolPtr(false),
+			templateContents:          badTemplateContent,
+			expectTemplateRender:      "",
+			templateErrorOnMissingKey: false,
+			expectError:               true,
+			expectExitFromError:       false,
+		},
+		"false, with missing key": {
+			exitOnRetryFailure:        pointerutil.BoolPtr(false),
+			templateContents:          missingKeyTemplateContent,
+			expectTemplateRender:      missingKeyTemplateRender,
+			templateErrorOnMissingKey: false,
+			expectError:               false,
+			expectExitFromError:       false,
+		},
+		"false, with missing key, with error_on_missing_key": {
+			exitOnRetryFailure:        pointerutil.BoolPtr(false),
+			templateContents:          missingKeyTemplateContent,
+			expectTemplateRender:      missingKeyTemplateRender,
+			templateErrorOnMissingKey: true,
+			expectError:               true,
+			expectExitFromError:       false,
+		},
+		"missing": {
+			exitOnRetryFailure:        nil,
+			templateContents:          templateContents(0),
+			expectTemplateRender:      templateRendered(0),
+			templateErrorOnMissingKey: false,
+			expectError:               false,
+			expectExitFromError:       false,
+		},
+	}
+
+	for tcName, tc := range testCases {
+		t.Run(tcName, func(t *testing.T) {
+			// create temp dir for this test run
+			tmpDir, err := os.MkdirTemp(tmpDirRoot, tcName)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			listenAddr := generateListenerAddress(t)
+			listenConfig := fmt.Sprintf(`
+listener "tcp" {
+  address = "%s"
+  tls_disable = true
+}
+`, listenAddr)
+
+			var exitOnRetryFailure string
+			if tc.exitOnRetryFailure != nil {
+				exitOnRetryFailure = fmt.Sprintf("exit_on_retry_failure = %t", *tc.exitOnRetryFailure)
+			}
+			templateConfig := fmt.Sprintf(`
+template_config = {
+	%s
+}
+`, exitOnRetryFailure)
+
+			template := fmt.Sprintf(`
+template {
+	contents = <<EOF
+%s
+EOF
+	destination = "%s/render_0.json"
+	error_on_missing_key = %t
+}
+`, tc.templateContents, tmpDir, tc.templateErrorOnMissingKey)
+
+			config := fmt.Sprintf(`
+# auto-auth stanza
+%s
+
+vault {
+	address = "%s"
+	tls_skip_verify = true
+	retry {
+		num_retries = 3
+	}
+}
+
+# listener stanza
+%s
+
+# template_config stanza
+%s
+
+# template stanza
+%s
+`, autoAuthConfig, serverClient.Address(), listenConfig, templateConfig, template)
+
+			configPath := makeTempFile(t, "config.hcl", config)
+			defer os.Remove(configPath)
+
+			// Start the agent
+			ui, cmd := testAgentCommand(t, logger)
+			cmd.startedCh = make(chan struct{})
+
+			// Channel to let verify() know to stop early if agent
+			// has exited
+			cmdRunDoneCh := make(chan struct{})
+			var exitedEarly bool
+
+			wg := &sync.WaitGroup{}
+			wg.Add(1)
+			var code int
+			go func() {
+				code = cmd.Run([]string{"-config", configPath})
+				close(cmdRunDoneCh)
+				wg.Done()
+			}()
+
+			verify := func() error {
+				t.Helper()
+				// We need to poll for a bit to give Agent time to render the
+				// templates. Without this this, the test will attempt to read
+				// the temp dir before Agent has had time to render and will
+				// likely fail the test
+				tick := time.Tick(1 * time.Second)
+				timeout := time.After(15 * time.Second)
+				var err error
+				for {
+					select {
+					case <-cmdRunDoneCh:
+						exitedEarly = true
+						return nil
+					case <-timeout:
+						return fmt.Errorf("timed out waiting for templates to render, last error: %w", err)
+					case <-tick:
+					}
+					// Check for files rendered in the directory and break
+					// early for shutdown if we do have all the files
+					// rendered
+
+					//----------------------------------------------------
+					// Perform the tests
+					//----------------------------------------------------
+
+					if numFiles := testListFiles(t, tmpDir, ".json"); numFiles != 1 {
+						err = fmt.Errorf("expected 1 template, got (%d)", numFiles)
+						continue
+					}
+
+					fileName := filepath.Join(tmpDir, "render_0.json")
+					var c []byte
+					c, err = os.ReadFile(fileName)
+					if err != nil {
+						continue
+					}
+					if strings.TrimSpace(string(c)) != tc.expectTemplateRender {
+						err = fmt.Errorf("expected=%q, got=%q", tc.expectTemplateRender, strings.TrimSpace(string(c)))
+						continue
+					}
+					return nil
+				}
+			}
+
+			err = verify()
+			close(cmd.ShutdownCh)
+			wg.Wait()
+
+			switch {
+			case (code != 0 || err != nil) && tc.expectError:
+				if exitedEarly != tc.expectExitFromError {
+					t.Fatalf("expected program exit due to error to be '%t', got '%t'", tc.expectExitFromError, exitedEarly)
+				}
+			case code == 0 && err == nil && !tc.expectError:
+				if exitedEarly {
+					t.Fatalf("did not expect program to exit before verify completes")
+				}
+			default:
+				if code != 0 {
+					t.Logf("output from agent:\n%s", ui.OutputWriter.String())
+					t.Logf("error from agent:\n%s", ui.ErrorWriter.String())
+				}
+				t.Fatalf("expectError=%v error=%v code=%d", tc.expectError, err, code)
+			}
+		})
+	}
+}
+
+func TestAgent_Metrics(t *testing.T) {
+	//----------------------------------------------------
+	// Start the server and agent
+	//----------------------------------------------------
+
+	// Start a vault server
+	cluster := vault.NewTestCluster(t, nil,
+		&vault.TestClusterOptions{
+			HandlerFunc: vaulthttp.Handler,
+		})
+	cluster.Start()
+	defer cluster.Cleanup()
+	vault.TestWaitActive(t, cluster.Cores[0].Core)
+	serverClient := cluster.Cores[0].Client
+
+	// Create a config file
+	listenAddr := generateListenerAddress(t)
+	config := fmt.Sprintf(`
+cache {}
+
+listener "tcp" {
+    address = "%s"
+    tls_disable = true
+}
+`, listenAddr)
+	configPath := makeTempFile(t, "config.hcl", config)
+	defer os.Remove(configPath)
+
+	// Start the agent
+	ui, cmd := testAgentCommand(t, logging.NewVaultLogger(hclog.Trace))
+	cmd.client = serverClient
+	cmd.startedCh = make(chan struct{})
+
+	var output string
+	var code int
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		code = cmd.Run([]string{"-config", configPath})
+		if code != 0 {
+			output = ui.ErrorWriter.String() + ui.OutputWriter.String()
+		}
+		wg.Done()
+	}()
+
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Errorf("timeout")
+	}
+
+	// defer agent shutdown
+	defer func() {
+		cmd.ShutdownCh <- struct{}{}
+		wg.Wait()
+		if code != 0 {
+			t.Fatalf("got a non-zero exit status: %d, stdout/stderr: %s", code, output)
+		}
+	}()
+
+	conf := api.DefaultConfig()
+	conf.Address = "http://" + listenAddr
+	agentClient, err := api.NewClient(conf)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	req := agentClient.NewRequest("GET", "/agent/v1/metrics")
+	body := request(t, agentClient, req, 200)
+	keys := []string{}
+	for k := range body {
+		keys = append(keys, k)
+	}
+	require.ElementsMatch(t, keys, []string{
+		"Counters",
+		"Samples",
+		"Timestamp",
+		"Gauges",
+		"Points",
+	})
+}
+
+func TestAgent_Quit(t *testing.T) {
+	//----------------------------------------------------
+	// Start the server and agent
+	//----------------------------------------------------
+	cluster := minimal.NewTestSoloCluster(t, nil)
+	serverClient := cluster.Cores[0].Client
+
+	// Unset the environment variable so that agent picks up the right test
+	// cluster address
+	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
+	err := os.Unsetenv(api.EnvVaultAddress)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	listenAddr := generateListenerAddress(t)
+	listenAddr2 := generateListenerAddress(t)
+	config := fmt.Sprintf(`
+vault {
+  address = "%s"
+  tls_skip_verify = true
+}
+
+listener "tcp" {
+	address = "%s"
+	tls_disable = true
+}
+
+listener "tcp" {
+	address = "%s"
+	tls_disable = true
+	agent_api {
+		enable_quit = true
+	}
+}
+
+cache {}
+`, serverClient.Address(), listenAddr, listenAddr2)
+
+	configPath := makeTempFile(t, "config.hcl", config)
+	defer os.Remove(configPath)
+
+	// Start the agent
+	_, cmd := testAgentCommand(t, nil)
+	cmd.startedCh = make(chan struct{})
+
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		cmd.Run([]string{"-config", configPath})
+		wg.Done()
+	}()
+
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Errorf("timeout")
+	}
+	client, err := api.NewClient(api.DefaultConfig())
+	if err != nil {
+		t.Fatal(err)
+	}
+	client.SetToken(serverClient.Token())
+	client.SetMaxRetries(0)
+	err = client.SetAddress("http://" + listenAddr)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// First try on listener 1 where the API should be disabled.
+	resp, err := client.RawRequest(client.NewRequest(http.MethodPost, "/agent/v1/quit"))
+	if err == nil {
+		t.Fatalf("expected error")
+	}
+	if resp != nil && resp.StatusCode != http.StatusNotFound {
+		t.Fatalf("expected %d but got: %d", http.StatusNotFound, resp.StatusCode)
+	}
+
+	// Now try on listener 2 where the quit API should be enabled.
+	err = client.SetAddress("http://" + listenAddr2)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = client.RawRequest(client.NewRequest(http.MethodPost, "/agent/v1/quit"))
+	if err != nil {
+		t.Fatalf("unexpected error: %s", err)
+	}
+
+	select {
+	case <-cmd.ShutdownCh:
+	case <-time.After(5 * time.Second):
+		t.Errorf("timeout")
+	}
+
+	wg.Wait()
+}
+
+func TestAgent_LogFile_CliOverridesConfig(t *testing.T) {
+	// Create basic config
+	configFile := populateTempFile(t, "agent-config.hcl", BasicHclConfig)
+	cfg, err := agentConfig.LoadConfigFile(configFile.Name())
+	if err != nil {
+		t.Fatal("Cannot load config to test update/merge", err)
+	}
+
+	// Sanity check that the config value is the current value
+	assert.Equal(t, "TMPDIR/juan.log", cfg.LogFile)
+
+	// Initialize the command and parse any flags
+	cmd := &AgentCommand{BaseCommand: &BaseCommand{}}
+	f := cmd.Flags()
+	// Simulate the flag being specified
+	err = f.Parse([]string{"-log-file=/foo/bar/test.log"})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Update the config based on the inputs.
+	cmd.applyConfigOverrides(f, cfg)
+
+	assert.NotEqual(t, "TMPDIR/juan.log", cfg.LogFile)
+	assert.NotEqual(t, "/squiggle/logs.txt", cfg.LogFile)
+	assert.Equal(t, "/foo/bar/test.log", cfg.LogFile)
+}
+
+func TestAgent_LogFile_Config(t *testing.T) {
+	configFile := populateTempFile(t, "agent-config.hcl", BasicHclConfig)
+
+	cfg, err := agentConfig.LoadConfigFile(configFile.Name())
+	if err != nil {
+		t.Fatal("Cannot load config to test update/merge", err)
+	}
+
+	// Sanity check that the config value is the current value
+	assert.Equal(t, "TMPDIR/juan.log", cfg.LogFile, "sanity check on log config failed")
+	assert.Equal(t, 2, cfg.LogRotateMaxFiles)
+	assert.Equal(t, 1048576, cfg.LogRotateBytes)
+
+	// Parse the cli flags (but we pass in an empty slice)
+	cmd := &AgentCommand{BaseCommand: &BaseCommand{}}
+	f := cmd.Flags()
+	err = f.Parse([]string{})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Should change nothing...
+	cmd.applyConfigOverrides(f, cfg)
+
+	assert.Equal(t, "TMPDIR/juan.log", cfg.LogFile, "actual config check")
+	assert.Equal(t, 2, cfg.LogRotateMaxFiles)
+	assert.Equal(t, 1048576, cfg.LogRotateBytes)
+}
+
+func TestAgent_Config_NewLogger_Default(t *testing.T) {
+	cmd := &AgentCommand{BaseCommand: &BaseCommand{}}
+	cmd.config = agentConfig.NewConfig()
+	logger, err := cmd.newLogger()
+
+	assert.NoError(t, err)
+	assert.NotNil(t, logger)
+	assert.Equal(t, hclog.Info.String(), logger.GetLevel().String())
+}
+
+func TestAgent_Config_ReloadLogLevel(t *testing.T) {
+	cmd := &AgentCommand{BaseCommand: &BaseCommand{}}
+	var err error
+	tempDir := t.TempDir()
+
+	// Load an initial config
+	hcl := strings.ReplaceAll(BasicHclConfig, "TMPDIR", tempDir)
+	configFile := populateTempFile(t, "agent-config.hcl", hcl)
+	cmd.config, err = agentConfig.LoadConfigFile(configFile.Name())
+	if err != nil {
+		t.Fatal("Cannot load config to test update/merge", err)
+	}
+
+	// Tweak the loaded config to make sure we can put log files into a temp dir
+	// and systemd log attempts work fine, this would usually happen during Run.
+	cmd.logWriter = os.Stdout
+	cmd.logger, err = cmd.newLogger()
+	if err != nil {
+		t.Fatal("logger required for systemd log messages", err)
+	}
+
+	// Sanity check
+	assert.Equal(t, "warn", cmd.config.LogLevel)
+
+	// Load a new config
+	hcl = strings.ReplaceAll(BasicHclConfig2, "TMPDIR", tempDir)
+	configFile = populateTempFile(t, "agent-config.hcl", hcl)
+	err = cmd.reloadConfig([]string{configFile.Name()})
+	assert.NoError(t, err)
+	assert.Equal(t, "debug", cmd.config.LogLevel)
+}
+
+func TestAgent_Config_ReloadTls(t *testing.T) {
+	var wg sync.WaitGroup
+	wd, err := os.Getwd()
+	if err != nil {
+		t.Fatal("unable to get current working directory")
+	}
+	workingDir := filepath.Join(wd, "/agent/test-fixtures/reload")
+	fooCert := "reload_foo.pem"
+	fooKey := "reload_foo.key"
+
+	barCert := "reload_bar.pem"
+	barKey := "reload_bar.key"
+
+	reloadCert := "reload_cert.pem"
+	reloadKey := "reload_key.pem"
+	caPem := "reload_ca.pem"
+
+	tempDir := t.TempDir()
+
+	// Set up initial 'foo' certs
+	inBytes, err := os.ReadFile(filepath.Join(workingDir, fooCert))
+	if err != nil {
+		t.Fatal("unable to read cert required for test", fooCert, err)
+	}
+	err = os.WriteFile(filepath.Join(tempDir, reloadCert), inBytes, 0o777)
+	if err != nil {
+		t.Fatal("unable to write temp cert required for test", reloadCert, err)
+	}
+
+	inBytes, err = os.ReadFile(filepath.Join(workingDir, fooKey))
+	if err != nil {
+		t.Fatal("unable to read cert key required for test", fooKey, err)
+	}
+	err = os.WriteFile(filepath.Join(tempDir, reloadKey), inBytes, 0o777)
+	if err != nil {
+		t.Fatal("unable to write temp cert key required for test", reloadKey, err)
+	}
+
+	inBytes, err = os.ReadFile(filepath.Join(workingDir, caPem))
+	if err != nil {
+		t.Fatal("unable to read CA pem required for test", caPem, err)
+	}
+	certPool := x509.NewCertPool()
+	ok := certPool.AppendCertsFromPEM(inBytes)
+	if !ok {
+		t.Fatal("not ok when appending CA cert")
+	}
+
+	replacedHcl := strings.ReplaceAll(BasicHclConfig, "TMPDIR", tempDir)
+	configFile := populateTempFile(t, "agent-config.hcl", replacedHcl)
+
+	// Set up Agent/cmd
+	logger := logging.NewVaultLogger(hclog.Trace)
+	ui, cmd := testAgentCommand(t, logger)
+
+	var output string
+	var code int
+	wg.Add(1)
+	args := []string{"-config", configFile.Name()}
+	go func() {
+		if code = cmd.Run(args); code != 0 {
+			output = ui.ErrorWriter.String() + ui.OutputWriter.String()
+		}
+		wg.Done()
+	}()
+
+	testCertificateName := func(cn string) error {
+		conn, err := tls.Dial("tcp", "127.0.0.1:8100", &tls.Config{
+			RootCAs: certPool,
+		})
+		if err != nil {
+			return err
+		}
+		defer conn.Close()
+		if err = conn.Handshake(); err != nil {
+			return err
+		}
+		servName := conn.ConnectionState().PeerCertificates[0].Subject.CommonName
+		if servName != cn {
+			return fmt.Errorf("expected %s, got %s", cn, servName)
+		}
+		return nil
+	}
+
+	// Start
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Fatalf("timeout")
+	}
+
+	if err := testCertificateName("foo.example.com"); err != nil {
+		t.Fatalf("certificate name didn't check out: %s", err)
+	}
+
+	// Swap out certs
+	inBytes, err = os.ReadFile(filepath.Join(workingDir, barCert))
+	if err != nil {
+		t.Fatal("unable to read cert required for test", barCert, err)
+	}
+	err = os.WriteFile(filepath.Join(tempDir, reloadCert), inBytes, 0o777)
+	if err != nil {
+		t.Fatal("unable to write temp cert required for test", reloadCert, err)
+	}
+
+	inBytes, err = os.ReadFile(filepath.Join(workingDir, barKey))
+	if err != nil {
+		t.Fatal("unable to read cert key required for test", barKey, err)
+	}
+	err = os.WriteFile(filepath.Join(tempDir, reloadKey), inBytes, 0o777)
+	if err != nil {
+		t.Fatal("unable to write temp cert key required for test", reloadKey, err)
+	}
+
+	// Reload
+	cmd.SighupCh <- struct{}{}
+	select {
+	case <-cmd.reloadedCh:
+	case <-time.After(5 * time.Second):
+		t.Fatalf("timeout")
+	}
+
+	if err := testCertificateName("bar.example.com"); err != nil {
+		t.Fatalf("certificate name didn't check out: %s", err)
+	}
+
+	// Shut down
+	cmd.ShutdownCh <- struct{}{}
+	wg.Wait()
+
+	if code != 0 {
+		t.Fatalf("got a non-zero exit status: %d, stdout/stderr: %s", code, output)
+	}
+}
+
+// TestAgent_NonTLSListener_SIGHUP tests giving a SIGHUP signal to a listener
+// without a TLS configuration. Prior to fixing GitHub issue #19480, this
+// would cause a panic.
+func TestAgent_NonTLSListener_SIGHUP(t *testing.T) {
+	logger := logging.NewVaultLogger(hclog.Trace)
+	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
+		HandlerFunc: vaulthttp.Handler,
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	serverClient := cluster.Cores[0].Client
+
+	// Unset the environment variable so that agent picks up the right test
+	// cluster address
+	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
+	os.Unsetenv(api.EnvVaultAddress)
+
+	listenAddr := generateListenerAddress(t)
+	listenConfig := fmt.Sprintf(`
+listener "tcp" {
+  address = "%s"
+  tls_disable = true
+}
+`, listenAddr)
+
+	config := fmt.Sprintf(`
+vault {
+  address = "%s"
+  tls_skip_verify = true
+}
+%s
+`, serverClient.Address(), listenConfig)
+	configPath := makeTempFile(t, "config.hcl", config)
+	defer os.Remove(configPath)
+
+	// Start the agent
+	ui, cmd := testAgentCommand(t, logger)
+
+	cmd.startedCh = make(chan struct{})
+
+	var output string
+	var code int
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		if code = cmd.Run([]string{"-config", configPath}); code != 0 {
+			output = ui.ErrorWriter.String() + ui.OutputWriter.String()
+		}
+		wg.Done()
+	}()
+
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Errorf("timeout")
+	}
+
+	// Reload
+	cmd.SighupCh <- struct{}{}
+	select {
+	case <-cmd.reloadedCh:
+	case <-time.After(5 * time.Second):
+		t.Fatalf("timeout")
+	}
+
+	close(cmd.ShutdownCh)
+	wg.Wait()
+
+	if code != 0 {
+		t.Fatalf("got a non-zero exit status: %d, stdout/stderr: %s", code, output)
+	}
+}
+
+// TestAgent_Logging_ConsulTemplate attempts to ensure two things about Vault Agent logs:
+// 1. When -log-format command line arg is set to JSON, it is honored as the output format
+// for messages generated from within the consul-template library.
+// 2. When -log-file command line arg is supplied, a file receives all log messages
+// generated by the consul-template library (they don't just go to stdout/stderr).
+// Should prevent a regression of: https://github.com/hashicorp/vault/issues/21109
+func TestAgent_Logging_ConsulTemplate(t *testing.T) {
+	const (
+		runnerLogMessage = "(runner) creating new runner (dry: false, once: false)"
+	)
+
+	// Configure a Vault server so Agent can successfully communicate and render its templates
+	cluster := minimal.NewTestSoloCluster(t, nil)
+	apiClient := cluster.Cores[0].Client
+	t.Setenv(api.EnvVaultAddress, apiClient.Address())
+	tempDir := t.TempDir()
+	roleIDPath, secretIDPath := setupAppRoleAndKVMounts(t, apiClient)
+
+	// Create relevant configs for Vault Agent (config, template config)
+	templateSrc := filepath.Join(tempDir, "render_1.tmpl")
+	err := os.WriteFile(templateSrc, []byte(templateContents(1)), 0o600)
+	require.NoError(t, err)
+	templateConfig := fmt.Sprintf(templateConfigString, templateSrc, tempDir, "render_1.json")
+
+	config := `
+vault {
+  address = "%s"
+	tls_skip_verify = true
+}
+
+auto_auth {
+    method "approle" {
+        mount_path = "auth/approle"
+        config = {
+            role_id_file_path = "%s"
+            secret_id_file_path = "%s"
+            remove_secret_id_file_after_reading = false
+        }
+    }
+}
+
+%s
+`
+	config = fmt.Sprintf(config, apiClient.Address(), roleIDPath, secretIDPath, templateConfig)
+	configFileName := filepath.Join(tempDir, "config.hcl")
+	err = os.WriteFile(configFileName, []byte(config), 0o600)
+	require.NoError(t, err)
+	_, cmd := testAgentCommand(t, nil)
+	logFilePath := filepath.Join(tempDir, "agent")
+
+	// Start Vault Agent
+	go func() {
+		code := cmd.Run([]string{"-config", configFileName, "-log-format", "json", "-log-file", logFilePath, "-log-level", "trace"})
+		require.Equalf(t, 0, code, "Vault Agent returned a non-zero exit code")
+	}()
+
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Fatal("timeout starting agent")
+	}
+
+	// Give Vault Agent some time to render our template.
+	time.Sleep(3 * time.Second)
+
+	// This flag will be used to capture whether we saw a consul-template log
+	// message in the log file (the presence of the log file is also part of the test)
+	found := false
+
+	// Vault Agent file logs will match agent-{timestamp}.log based on the
+	// cmd line argument we supplied, e.g. agent-1701258869573205000.log
+	m, err := filepath.Glob(logFilePath + "*")
+	require.NoError(t, err)
+	require.Truef(t, len(m) > 0, "no files were found")
+
+	for _, p := range m {
+		f, err := os.Open(p)
+		require.NoError(t, err)
+
+		fs := bufio.NewScanner(f)
+		fs.Split(bufio.ScanLines)
+
+		for fs.Scan() {
+			s := fs.Text()
+			entry := make(map[string]string)
+			err := json.Unmarshal([]byte(s), &entry)
+			require.NoError(t, err)
+			v, ok := entry["@message"]
+			if !ok {
+				continue
+			}
+			if v == runnerLogMessage {
+				found = true
+				break
+			}
+		}
+	}
+
+	require.Truef(t, found, "unable to find consul-template partial message in logs", runnerLogMessage)
+}
+
+// Get a randomly assigned port and then free it again before returning it.
+// There is still a race when trying to use it, but should work better
+// than a static port.
+func generateListenerAddress(t *testing.T) string {
+	t.Helper()
+
+	ln1, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatal(err)
+	}
+	listenAddr := ln1.Addr().String()
+	ln1.Close()
+	return listenAddr
+}
diff --git a/changelog/24238.txt b/changelog/24238.txt
new file mode 100644
index 000000000000..a992257ede3f
--- /dev/null
+++ b/changelog/24238.txt
@@ -0,0 +1,102 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'ember-qunit';
+import { render, settled, find, waitUntil } from '@ember/test-helpers';
+import hbs from 'htmlbars-inline-precompile';
+
+const SHARED_STYLES = {
+  success: {
+    icon: 'check-circle-fill',
+    class: 'hds-alert--color-success',
+  },
+  warning: {
+    icon: 'alert-triangle-fill',
+    class: 'hds-alert--color-warning',
+  },
+};
+module('Integration | Component | alert-inline', function (hooks) {
+  setupRenderingTest(hooks);
+
+  test('it renders alert message for each @color arg', async function (assert) {
+    const COLORS = {
+      ...SHARED_STYLES,
+      neutral: {
+        icon: 'info-fill',
+        class: 'hds-alert--color-neutral',
+      },
+      highlight: {
+        icon: 'info-fill',
+        class: 'hds-alert--color-highlight',
+      },
+      critical: {
+        icon: 'alert-diamond-fill',
+        class: 'hds-alert--color-critical',
+      },
+    };
+
+    const { neutral } = COLORS; // default color
+    await render(hbs`<AlertInline @message="some very important alert" />`);
+    assert.dom('[data-test-inline-error-message]').hasText('some very important alert');
+    assert.dom(`[data-test-icon="${neutral.icon}"]`).exists('renders default icon');
+    assert.dom('[data-test-inline-alert]').hasClass(neutral.class, 'renders default class');
+
+    // assert deprecated @type arg values map to expected color
+    for (const type in COLORS) {
+      this.color = type;
+      const color = COLORS[type];
+      await render(hbs`<AlertInline @color={{this.color}}  @message="some very important alert" />`);
+      assert.dom(`[data-test-icon="${color.icon}"]`).exists(`@color="${type}" renders icon: ${color.icon}`);
+      assert
+        .dom('[data-test-inline-alert]')
+        .hasClass(color.class, `@color="${type}" renders class: ${color.class}`);
+    }
+  });
+
+  test('it renders alert color for each deprecated @type arg', async function (assert) {
+    const OLD_TYPES = {
+      ...SHARED_STYLES,
+      info: {
+        icon: 'info-fill',
+        class: 'hds-alert--color-highlight',
+      },
+      danger: {
+        icon: 'alert-diamond-fill',
+        class: 'hds-alert--color-critical',
+      },
+    };
+    // assert deprecated @type arg values map to expected color
+    for (const type in OLD_TYPES) {
+      this.type = type;
+      const color = OLD_TYPES[type];
+      await render(hbs`<AlertInline @type={{this.type}}  @message="some very important alert" />`);
+      assert
+        .dom(`[data-test-icon="${color.icon}"]`)
+        .exists(`deprecated @type="${type}" renders icon: ${color.icon}`);
+      assert
+        .dom('[data-test-inline-alert]')
+        .hasClass(color.class, `deprecated @type="${type}" renders class: ${color.class}`);
+    }
+  });
+
+  test('it mimics loading when message changes', async function (assert) {
+    this.message = 'some very important alert';
+    await render(hbs`
+    <AlertInline @message={{this.message}}/>
+    `);
+    assert
+      .dom('[data-test-inline-error-message]')
+      .hasText('some very important alert', 'it renders original message');
+
+    this.set('message', 'some changed alert!!!');
+    await waitUntil(() => find('[data-test-icon="loading"]'));
+    assert.ok(find('[data-test-icon="loading"]'), 'it shows loading icon when message changes');
+    await settled();
+    assert
+      .dom('[data-test-inline-error-message]')
+      .hasText('some changed alert!!!', 'it shows updated message');
+  });
+});
diff --git a/changelog/24246.txt b/changelog/24246.txt
new file mode 100644
index 000000000000..0496ce57d621
--- /dev/null
+++ b/changelog/24246.txt
@@ -0,0 +1,18 @@
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<Hds::Alert
+  {{did-update this.refresh @message}}
+  @type="compact"
+  @color={{this.color}}
+  @icon={{if this.isRefreshing "loading"}}
+  data-test-inline-alert
+  ...attributes
+  as |A|
+>
+  {{#unless this.isRefreshing}}
+    <A.Description data-test-inline-error-message>{{@message}}</A.Description>
+  {{/unless}}
+</Hds::Alert>
\ No newline at end of file
diff --git a/changelog/24250.txt b/changelog/24250.txt
new file mode 100644
index 000000000000..8a25a6fc286b
--- /dev/null
+++ b/changelog/24250.txt
@@ -0,0 +1,68 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Component from '@glimmer/component';
+import { action } from '@ember/object';
+import { later } from '@ember/runloop';
+import { tracked } from '@glimmer/tracking';
+import { assert } from '@ember/debug';
+
+/**
+ * @module AlertInline
+ * * Use Hds::Alert @type="compact" for displaying alert messages.
+ * This component renders a compact Hds::Alert that displays a loading icon if the
+ * @message arg changes and then re-renders the updated @message text.
+ * (Example: submitting a form and displaying the number of errors because on re-submit the number may change)
+ *
+ * @example
+ * ```
+ * <AlertInline @type="danger" @message="There are 2 errors with this form."/>
+ * ```
+ *
+ * @deprecated {string} type - color getter maps type to the Hds::Alert @color
+ * @param {string} color - Styles alert color and icon, can be one of: critical, warning, success, highlight, neutral
+ * @param {string} message - The message to display within the alert.
+ */
+
+export default class AlertInlineComponent extends Component {
+  @tracked isRefreshing = false;
+
+  constructor() {
+    super(...arguments);
+    assert('@type arg is deprecated, pass @color="critical" instead', this.args.type !== 'critical');
+    if (this.args.color) {
+      const possibleColors = ['critical', 'warning', 'success', 'highlight', 'neutral'];
+      assert(
+        `${this.args.color} is not a valid color. @color must be one of: ${possibleColors.join(', ')}`,
+        possibleColors.includes(this.args.color)
+      );
+    }
+  }
+
+  get color() {
+    if (this.args.color) return this.args.color;
+    // @type arg is deprecated, this is for backward compatibility of old implementation
+    switch (this.args.type) {
+      case 'danger':
+        return 'critical';
+      case 'success':
+        return 'success';
+      case 'warning':
+        return 'warning';
+      case 'info':
+        return 'highlight';
+      default:
+        return 'neutral';
+    }
+  }
+
+  @action
+  refresh() {
+    this.isRefreshing = true;
+    later(() => {
+      this.isRefreshing = false;
+    }, 200);
+  }
+}
diff --git a/changelog/24252.txt b/changelog/24252.txt
new file mode 100644
index 000000000000..cc9ee5555101
--- /dev/null
+++ b/changelog/24252.txt
@@ -0,0 +1,47 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
+import { render } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+
+const selectors = {
+  versionDisplay: '[data-test-footer-version]',
+  upgradeLink: '[data-test-footer-upgrade-link]',
+  docsLink: '[data-test-footer-documentation-link]',
+};
+
+module('Integration | Component | app-footer', function (hooks) {
+  setupRenderingTest(hooks);
+
+  hooks.beforeEach(function () {
+    this.versionSvc = this.owner.lookup('service:version');
+  });
+
+  test('it renders a sane default', async function (assert) {
+    await render(hbs`<AppFooter />`);
+    assert.dom(selectors.versionDisplay).hasText('Vault', 'Vault without version by default');
+    assert.dom(selectors.upgradeLink).hasText('Upgrade to Vault Enterprise', 'upgrade link shows');
+    assert.dom(selectors.docsLink).hasText('Documentation', 'displays docs link');
+  });
+
+  test('it renders for community version', async function (assert) {
+    this.versionSvc.version = '1.15.1';
+    this.versionSvc.type = 'community';
+    await render(hbs`<AppFooter />`);
+    assert.dom(selectors.versionDisplay).hasText('Vault 1.15.1', 'Vault shows version when available');
+    assert.dom(selectors.upgradeLink).hasText('Upgrade to Vault Enterprise', 'upgrade link shows');
+    assert.dom(selectors.docsLink).hasText('Documentation', 'displays docs link');
+  });
+  test('it renders for ent version', async function (assert) {
+    this.versionSvc.version = '1.15.1+hsm';
+    this.versionSvc.type = 'enterprise';
+    await render(hbs`<AppFooter />`);
+    assert.dom(selectors.versionDisplay).hasText('Vault 1.15.1+hsm', 'shows version when available');
+    assert.dom(selectors.upgradeLink).doesNotExist('upgrade link not shown');
+    assert.dom(selectors.docsLink).hasText('Documentation', 'displays docs link');
+  });
+});
diff --git a/changelog/24256.txt b/changelog/24256.txt
new file mode 100644
index 000000000000..616feb27d332
--- /dev/null
+++ b/changelog/24256.txt
@@ -0,0 +1,31 @@
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<Hds::AppFooter as |AF|>
+  <AF.ExtraBefore>
+    {{#if this.isDevelopment}}
+      <div class="env-banner">
+        <div class="level-item notification">
+          <Icon @name="git-branch" /><Icon @name="pencil-tool" />
+          Local development
+          <Icon @name="pencil-tool" /><Icon @name="git-branch" />
+        </div>
+      </div>
+    {{/if}}
+  </AF.ExtraBefore>
+  <AF.Link @href={{changelog-url-for this.version.version}} data-test-footer-version>
+    Vault
+    {{this.version.version}}
+  </AF.Link>
+  {{#if this.version.isCommunity}}
+    <AF.Link @href="https://hashicorp.com/products/vault/trial?source=vaultui" data-test-footer-upgrade-link>
+      Upgrade to Vault Enterprise
+    </AF.Link>
+  {{/if}}
+  <AF.Link @href={{doc-link "/vault"}} data-test-footer-documentation-link>
+    Documentation
+  </AF.Link>
+  <AF.LegalLinks />
+</Hds::AppFooter>
\ No newline at end of file
diff --git a/changelog/24270.txt b/changelog/24270.txt
new file mode 100644
index 000000000000..2a64928d1d67
--- /dev/null
+++ b/changelog/24270.txt
@@ -0,0 +1,16 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { service } from '@ember/service';
+import Component from '@glimmer/component';
+import ENV from 'vault/config/environment';
+
+export default class AppFooterComponent extends Component {
+  @service version;
+
+  get isDevelopment() {
+    return ENV.environment === 'development';
+  }
+}
diff --git a/changelog/24281.txt b/changelog/24281.txt
new file mode 100644
index 000000000000..ca5ec0a0529d
--- /dev/null
+++ b/changelog/24281.txt
@@ -0,0 +1,122 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Application from '@ember/application';
+import Resolver from 'ember-resolver';
+import loadInitializers from 'ember-load-initializers';
+import config from 'vault/config/environment';
+
+export default class App extends Application {
+  modulePrefix = config.modulePrefix;
+  podModulePrefix = config.podModulePrefix;
+  Resolver = Resolver;
+  engines = {
+    openApiExplorer: {
+      dependencies: {
+        services: ['auth', 'flash-messages', 'namespace', 'router', 'version'],
+      },
+    },
+    replication: {
+      dependencies: {
+        services: [
+          'auth',
+          'flash-messages',
+          'namespace',
+          'replication-mode',
+          'router',
+          'store',
+          'version',
+          '-portal',
+        ],
+        externalRoutes: {
+          replication: 'vault.cluster.replication.index',
+          vault: 'vault.cluster',
+        },
+      },
+    },
+    kmip: {
+      dependencies: {
+        services: [
+          'auth',
+          'download',
+          'flash-messages',
+          'namespace',
+          'path-help',
+          'router',
+          'store',
+          'version',
+          'secret-mount-path',
+        ],
+        externalRoutes: {
+          secrets: 'vault.cluster.secrets.backends',
+        },
+      },
+    },
+    kubernetes: {
+      dependencies: {
+        services: ['router', 'store', 'secret-mount-path', 'flash-messages'],
+        externalRoutes: {
+          secrets: 'vault.cluster.secrets.backends',
+        },
+      },
+    },
+    ldap: {
+      dependencies: {
+        services: ['router', 'store', 'secret-mount-path', 'flash-messages', 'auth'],
+        externalRoutes: {
+          secrets: 'vault.cluster.secrets.backends',
+        },
+      },
+    },
+    kv: {
+      dependencies: {
+        services: [
+          'download',
+          'namespace',
+          'router',
+          'store',
+          'secret-mount-path',
+          'flash-messages',
+          'control-group',
+        ],
+        externalRoutes: {
+          secrets: 'vault.cluster.secrets.backends',
+          syncDestination: 'vault.cluster.sync.secrets.destinations.destination',
+        },
+      },
+    },
+    pki: {
+      dependencies: {
+        services: [
+          'auth',
+          'download',
+          'flash-messages',
+          'namespace',
+          'path-help',
+          'router',
+          'secret-mount-path',
+          'store',
+          'version',
+        ],
+        externalRoutes: {
+          secrets: 'vault.cluster.secrets.backends',
+          externalMountIssuer: 'vault.cluster.secrets.backend.pki.issuers.issuer.details',
+          secretsListRootConfiguration: 'vault.cluster.secrets.backend.configuration',
+        },
+      },
+    },
+    sync: {
+      dependencies: {
+        services: ['flash-messages', 'router', 'store', 'version'],
+        externalRoutes: {
+          kvSecretDetails: 'vault.cluster.secrets.backend.kv.secret.details',
+          clientCountDashboard: 'vault.cluster.clients.dashboard',
+        },
+      },
+    },
+  };
+}
+
+loadInitializers(App, config.modulePrefix);
diff --git a/changelog/24283.txt b/changelog/24283.txt
new file mode 100644
index 000000000000..1e8c8ad0b3ff
--- /dev/null
+++ b/changelog/24283.txt
@@ -0,0 +1,34 @@
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<Hds::SideNav::Portal @ariaLabel="Replication Navigation Links" data-test-sidebar-nav-panel="Replication" as |Nav|>
+  <Nav.BackLink
+    @route="vault"
+    @current-when={{false}}
+    @isRouteExternal={{true}}
+    @icon="arrow-left"
+    @text="Back to main navigation"
+    data-test-sidebar-nav-link="Back to main navigation"
+  />
+
+  <Nav.Title data-test-sidebar-nav-heading="Replication">Replication</Nav.Title>
+  <Nav.Link
+    @route="replication"
+    @current-when="replication"
+    @isRouteExternal={{true}}
+    @text="Overview"
+    data-test-sidebar-nav-link="Overview"
+  />
+  {{#if (not-eq this.model.mode "unsupported")}}
+    {{#if (has-feature "DR Replication")}}
+      <Nav.Link @route="mode" @model="dr" @text="Disaster Recovery" data-test-sidebar-nav-link="Disaster Recovery" />
+    {{/if}}
+    {{#if (has-feature "Performance Replication")}}
+      <Nav.Link @route="mode" @model="performance" @text="Performance" data-test-sidebar-nav-link="Performance" />
+    {{/if}}
+  {{/if}}
+</Hds::SideNav::Portal>
+
+{{outlet}}
\ No newline at end of file
diff --git a/changelog/24290.txt b/changelog/24290.txt
new file mode 100644
index 000000000000..75351718fa08
--- /dev/null
+++ b/changelog/24290.txt
@@ -0,0 +1,53 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { inject as service } from '@ember/service';
+import { setProperties } from '@ember/object';
+import { hash } from 'rsvp';
+import Route from '@ember/routing/route';
+import ClusterRoute from 'vault/mixins/cluster-route';
+
+export default Route.extend(ClusterRoute, {
+  version: service(),
+  store: service(),
+  auth: service(),
+  router: service(),
+
+  beforeModel() {
+    if (this.auth.activeCluster.replicationRedacted) {
+      // disallow replication access if endpoints are redacted
+      return this.router.transitionTo('vault.cluster');
+    }
+    return this.version.fetchFeatures().then(() => {
+      return this._super(...arguments);
+    });
+  },
+
+  model() {
+    return this.auth.activeCluster;
+  },
+
+  afterModel(model) {
+    return hash({
+      canEnablePrimary: this.store
+        .findRecord('capabilities', 'sys/replication/primary/enable')
+        .then((c) => c.get('canUpdate')),
+      canEnableSecondary: this.store
+        .findRecord('capabilities', 'sys/replication/secondary/enable')
+        .then((c) => c.get('canUpdate')),
+    }).then(({ canEnablePrimary, canEnableSecondary }) => {
+      setProperties(model, {
+        canEnablePrimary,
+        canEnableSecondary,
+      });
+      return model;
+    });
+  },
+  actions: {
+    refresh() {
+      this.refresh();
+    },
+  },
+});
diff --git a/changelog/24292.txt b/changelog/24292.txt
new file mode 100644
index 000000000000..13ff8044f6db
--- /dev/null
+++ b/changelog/24292.txt
@@ -0,0 +1,69 @@
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<form {{on "submit" (perform this.save)}}>
+  <div class="box is-sideless is-fullwidth is-marginless">
+    <MessageError @errorMessage={{this.errorBanner}} />
+    <FormFieldLabel for="name" @label="Name" />
+    <input
+      autocomplete="off"
+      spellcheck="false"
+      value={{@model.name}}
+      disabled={{not @model.isNew}}
+      class="input field {{if this.modelValidations.name.errors 'has-error-border'}}"
+      {{on "input" this.handleOperation}}
+      data-test-input="name"
+    />
+    {{#if this.modelValidations.name.errors}}
+      <AlertInline @type="danger" @message={{join ", " this.modelValidations.name.errors}} />
+    {{/if}}
+    <SearchSelect
+      @id="entities"
+      @label="Entities"
+      @placeholder="Search"
+      @renderInPlace={{true}}
+      @models={{array "identity/entity"}}
+      @inputValue={{@model.entityIds}}
+      @shouldRenderName={{true}}
+      @onChange={{this.onEntitiesSelect}}
+      @disallowNewItems={{true}}
+      @fallbackComponent="string-list"
+      data-test-search-select="entities"
+    />
+    <SearchSelect
+      @id="groups"
+      @label="Groups"
+      @placeholder="Search"
+      @renderInPlace={{true}}
+      @models={{array "identity/group"}}
+      @inputValue={{@model.groupIds}}
+      @shouldRenderName={{true}}
+      @onChange={{this.onGroupsSelect}}
+      @disallowNewItems={{true}}
+      @fallbackComponent="string-list"
+      data-test-search-select="groups"
+    />
+  </div>
+  <div class="has-top-padding-s">
+    <Hds::Button
+      @text={{if @model.isNew "Create" "Update"}}
+      @icon={{if this.save.isRunning "loading"}}
+      type="submit"
+      disabled={{this.save.isRunning}}
+      data-test-oidc-assignment-save
+    />
+    <Hds::Button
+      @text="Cancel"
+      @color="secondary"
+      class="has-left-margin-s"
+      disabled={{this.save.isRunning}}
+      {{on "click" this.cancel}}
+      data-test-oidc-assignment-cancel
+    />
+    {{#if this.modelValidations.targets.errors}}
+      <AlertInline @type="danger" @message={{join ", " this.modelValidations.targets.errors}} class="has-top-padding-s" />
+    {{/if}}
+  </div>
+</form>
\ No newline at end of file
diff --git a/changelog/24297.txt b/changelog/24297.txt
new file mode 100644
index 000000000000..5418b26b5b27
--- /dev/null
+++ b/changelog/24297.txt
@@ -0,0 +1,136 @@
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+{{! only show side-by-side horizontal bar charts if data is from a single, historical month }}
+<div
+  class={{concat "chart-wrapper" (if @isHistoricalMonth " dual-chart-grid" " single-chart-grid")}}
+  data-test-clients-attribution
+>
+  <div class="chart-header has-header-link has-bottom-margin-m">
+    <div class="header-left">
+      <h2 class="chart-title">Attribution</h2>
+      <p class="chart-description" data-test-attribution-description>{{this.chartText.description}}</p>
+    </div>
+    <div class="header-right">
+      {{#if this.hasCsvData}}
+        <Hds::Button
+          data-test-attribution-export-button
+          @text="Export attribution data"
+          @color="secondary"
+          {{on "click" (fn (mut this.showCSVDownloadModal) true)}}
+        />
+      {{/if}}
+    </div>
+  </div>
+  {{#if this.barChartTotalClients}}
+    {{#if @isHistoricalMonth}}
+      <div class="chart-container-left" data-test-chart-container="new-clients">
+        <h2 class="chart-title">New clients</h2>
+        <p class="chart-description">{{this.chartText.newCopy}}</p>
+        <Clients::HorizontalBarChart
+          @dataset={{this.barChartNewClients}}
+          @chartLegend={{@chartLegend}}
+          @totalCounts={{@newUsageCounts}}
+          @noDataMessage="There are no new clients for this namespace during this time period."
+        />
+      </div>
+
+      <div class="chart-container-right" data-test-chart-container="total-clients">
+        <h2 class="chart-title">Total clients</h2>
+        <p class="chart-description">{{this.chartText.totalCopy}}</p>
+        <Clients::HorizontalBarChart
+          @dataset={{this.barChartTotalClients}}
+          @chartLegend={{@chartLegend}}
+          @totalCounts={{@totalUsageCounts}}
+        />
+      </div>
+    {{else}}
+      <div
+        class={{concat (unless this.barChartTotalClients "chart-empty-state ") "chart-container-wide"}}
+        data-test-chart-container="single-chart"
+      >
+        <Clients::HorizontalBarChart
+          @dataset={{this.barChartTotalClients}}
+          @chartLegend={{@chartLegend}}
+          @totalCounts={{@totalUsageCounts}}
+        />
+      </div>
+      <div class="chart-subTitle">
+        <p class="chart-subtext" data-test-attribution-subtext>{{this.chartText.totalCopy}}</p>
+      </div>
+
+      <div class="data-details-top" data-test-top-attribution>
+        <h3 class="data-details">Top {{this.attributionBreakdown}}</h3>
+        <p class="data-details">{{this.topClientCounts.label}}</p>
+      </div>
+
+      <div class="data-details-bottom" data-test-attribution-clients>
+        <h3 class="data-details">Clients in {{this.attributionBreakdown}}</h3>
+        <p class="data-details">{{format-number this.topClientCounts.clients}}</p>
+      </div>
+    {{/if}}
+    <div class="legend-center">
+      <span class="light-dot"></span><span class="legend-label">{{capitalize (get @chartLegend "0.label")}}</span>
+      <span class="dark-dot"></span><span class="legend-label">{{capitalize (get @chartLegend "1.label")}}</span>
+    </div>
+  {{else}}
+    <div class="chart-empty-state">
+      <EmptyState @icon="skip" @title="No data found" @bottomBorder={{true}} />
+    </div>
+  {{/if}}
+  <div class="timestamp" data-test-attribution-timestamp>
+    {{#if @responseTimestamp}}
+      Updated
+      {{date-format @responseTimestamp "MMM d yyyy, h:mm:ss aaa" withTimeZone=true}}
+    {{/if}}
+  </div>
+</div>
+
+{{! MODAL FOR CSV DOWNLOAD }}
+{{#if this.showCSVDownloadModal}}
+  <Hds::Modal id="attribution-csv-download-modal" @onClose={{fn (mut this.showCSVDownloadModal) false}} as |M|>
+    <M.Header @icon="info" data-test-export-modal-title>
+      Export attribution data
+    </M.Header>
+    <M.Body>
+      <p class="has-bottom-margin-s">
+        This export will include the namespace path, authentication method path, and the associated total, entity, and
+        non-entity clients for the below
+        {{if this.formattedEndDate "date range" "month"}}.
+      </p>
+      <p class="has-bottom-margin-s is-subtitle-gray">SELECTED DATE {{if this.formattedEndDate " RANGE"}}</p>
+      <p class="has-bottom-margin-s" data-test-export-date-range>
+        {{this.formattedStartDate}}
+        {{if this.formattedEndDate "-"}}
+        {{this.formattedEndDate}}</p>
+    </M.Body>
+    <M.Footer as |F|>
+      <Hds::ButtonSet>
+        <Hds::Button @text="Export" {{on "click" (fn this.exportChartData this.formattedCsvFileName)}} />
+        <Hds::Button @text="Cancel" @color="secondary" {{on "click" F.close}} />
+      </Hds::ButtonSet>
+      {{#if @upgradeExplanation}}
+        <Hds::Alert class="has-top-padding-m" @type="compact" @color="warning" as |A|>
+          <A.Description>
+            <strong>Your data contains an upgrade.</strong>
+            {{@upgradeExplanation}}
+            Visit our
+            <Hds::Link::Inline
+              @icon="docs-link"
+              @iconPosition="trailing"
+              @isHrefExternal={{true}}
+              @href={{doc-link
+                "/vault/docs/concepts/client-count/faq#q-which-vault-version-reflects-the-most-accurate-client-counts"
+              }}
+            >
+              Client count FAQ
+            </Hds::Link::Inline>
+            for more information.
+          </A.Description>
+        </Hds::Alert>
+      {{/if}}
+    </M.Footer>
+  </Hds::Modal>
+{{/if}}
\ No newline at end of file
diff --git a/changelog/24299.txt b/changelog/24299.txt
new file mode 100644
index 000000000000..1c59140a9a98
--- /dev/null
+++ b/changelog/24299.txt
@@ -0,0 +1,49 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+
+	"github.com/hashicorp/cli"
+)
+
+var _ cli.Command = (*AuditCommand)(nil)
+
+type AuditCommand struct {
+	*BaseCommand
+}
+
+func (c *AuditCommand) Synopsis() string {
+	return "Interact with audit devices"
+}
+
+func (c *AuditCommand) Help() string {
+	helpText := `
+Usage: vault audit <subcommand> [options] [args]
+
+  This command groups subcommands for interacting with Vault's audit devices.
+  Users can list, enable, and disable audit devices.
+
+  *NOTE*: Once an audit device has been enabled, failure to audit could prevent
+  Vault from servicing future requests. It is highly recommended that you enable
+  multiple audit devices.
+
+  List all enabled audit devices:
+
+      $ vault audit list
+
+  Enable a new audit device "file";
+
+       $ vault audit enable file file_path=/var/log/audit.log
+
+  Please see the individual subcommand help for detailed usage information.
+`
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *AuditCommand) Run(args []string) int {
+	return cli.RunResultHelp
+}
diff --git a/changelog/24305.txt b/changelog/24305.txt
new file mode 100644
index 000000000000..342a4387008e
--- /dev/null
+++ b/changelog/24305.txt
@@ -0,0 +1,333 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package vault
+
+import (
+	"context"
+	"fmt"
+	"runtime/debug"
+	"sync"
+	"time"
+
+	metrics "github.com/armon/go-metrics"
+	"github.com/hashicorp/eventlogger"
+	log "github.com/hashicorp/go-hclog"
+	multierror "github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/vault/audit"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/internal/observability/event"
+	"github.com/hashicorp/vault/sdk/logical"
+)
+
+type backendEntry struct {
+	backend audit.Backend
+	local   bool
+}
+
+// AuditBroker is used to provide a single ingest interface to auditable
+// events given that multiple backends may be configured.
+type AuditBroker struct {
+	sync.RWMutex
+	backends map[string]backendEntry
+	logger   log.Logger
+
+	broker *eventlogger.Broker
+}
+
+// NewAuditBroker creates a new audit broker
+func NewAuditBroker(log log.Logger, useEventLogger bool) (*AuditBroker, error) {
+	var eventBroker *eventlogger.Broker
+	var err error
+
+	if useEventLogger {
+		eventBroker, err = eventlogger.NewBroker(eventlogger.WithNodeRegistrationPolicy(eventlogger.DenyOverwrite), eventlogger.WithPipelineRegistrationPolicy(eventlogger.DenyOverwrite))
+		if err != nil {
+			return nil, fmt.Errorf("error creating event broker for audit events: %w", err)
+		}
+	}
+
+	b := &AuditBroker{
+		backends: make(map[string]backendEntry),
+		logger:   log,
+		broker:   eventBroker,
+	}
+	return b, nil
+}
+
+// Register is used to add new audit backend to the broker
+func (a *AuditBroker) Register(name string, b audit.Backend, local bool) error {
+	a.Lock()
+	defer a.Unlock()
+
+	a.backends[name] = backendEntry{
+		backend: b,
+		local:   local,
+	}
+
+	if a.broker != nil {
+		err := a.broker.SetSuccessThresholdSinks(eventlogger.EventType(event.AuditType.String()), 1)
+		if err != nil {
+			return err
+		}
+
+		err = b.RegisterNodesAndPipeline(a.broker, name)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// Deregister is used to remove an audit backend from the broker
+func (a *AuditBroker) Deregister(ctx context.Context, name string) error {
+	a.Lock()
+	defer a.Unlock()
+
+	// Remove the Backend from the map first, so that if an error occurs while
+	// removing the pipeline and nodes, we can quickly exit this method with
+	// the error.
+	delete(a.backends, name)
+
+	if a.broker != nil {
+		if len(a.backends) == 0 {
+			err := a.broker.SetSuccessThresholdSinks(eventlogger.EventType(event.AuditType.String()), 0)
+			if err != nil {
+				return err
+			}
+		}
+
+		// The first return value, a bool, indicates whether
+		// RemovePipelineAndNodes encountered the error while evaluating
+		// pre-conditions (false) or once it started removing the pipeline and
+		// the nodes (true). This code doesn't care either way.
+		_, err := a.broker.RemovePipelineAndNodes(ctx, eventlogger.EventType(event.AuditType.String()), eventlogger.PipelineID(name))
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// IsRegistered is used to check if a given audit backend is registered
+func (a *AuditBroker) IsRegistered(name string) bool {
+	a.RLock()
+	defer a.RUnlock()
+
+	_, ok := a.backends[name]
+	return ok
+}
+
+// IsLocal is used to check if a given audit backend is registered
+func (a *AuditBroker) IsLocal(name string) (bool, error) {
+	a.RLock()
+	defer a.RUnlock()
+	be, ok := a.backends[name]
+	if ok {
+		return be.local, nil
+	}
+	return false, fmt.Errorf("unknown audit backend %q", name)
+}
+
+// GetHash returns a hash using the salt of the given backend
+func (a *AuditBroker) GetHash(ctx context.Context, name string, input string) (string, error) {
+	a.RLock()
+	defer a.RUnlock()
+	be, ok := a.backends[name]
+	if !ok {
+		return "", fmt.Errorf("unknown audit backend %q", name)
+	}
+
+	return audit.HashString(ctx, be.backend, input)
+}
+
+// LogRequest is used to ensure all the audit backends have an opportunity to
+// log the given request and that *at least one* succeeds.
+func (a *AuditBroker) LogRequest(ctx context.Context, in *logical.LogInput, headersConfig *AuditedHeadersConfig) (ret error) {
+	defer metrics.MeasureSince([]string{"audit", "log_request"}, time.Now())
+
+	a.RLock()
+	defer a.RUnlock()
+
+	if in.Request.InboundSSCToken != "" {
+		if in.Auth != nil {
+			reqAuthToken := in.Auth.ClientToken
+			in.Auth.ClientToken = in.Request.InboundSSCToken
+			defer func() {
+				in.Auth.ClientToken = reqAuthToken
+			}()
+		}
+	}
+
+	var retErr *multierror.Error
+
+	defer func() {
+		if r := recover(); r != nil {
+			a.logger.Error("panic during logging", "request_path", in.Request.Path, "error", r, "stacktrace", string(debug.Stack()))
+			retErr = multierror.Append(retErr, fmt.Errorf("panic generating audit log"))
+		}
+
+		ret = retErr.ErrorOrNil()
+		failure := float32(0.0)
+		if ret != nil {
+			failure = 1.0
+		}
+		metrics.IncrCounter([]string{"audit", "log_request_failure"}, failure)
+	}()
+
+	headers := in.Request.Headers
+	defer func() {
+		in.Request.Headers = headers
+	}()
+
+	// Old behavior (no events)
+	if a.broker == nil {
+		// Ensure at least one backend logs
+		anyLogged := false
+		for name, be := range a.backends {
+			in.Request.Headers = nil
+			transHeaders, thErr := headersConfig.ApplyConfig(ctx, headers, be.backend)
+			if thErr != nil {
+				a.logger.Error("backend failed to include headers", "backend", name, "error", thErr)
+				continue
+			}
+			in.Request.Headers = transHeaders
+
+			start := time.Now()
+			lrErr := be.backend.LogRequest(ctx, in)
+			metrics.MeasureSince([]string{"audit", name, "log_request"}, start)
+			if lrErr != nil {
+				a.logger.Error("backend failed to log request", "backend", name, "error", lrErr)
+			} else {
+				anyLogged = true
+			}
+		}
+		if !anyLogged && len(a.backends) > 0 {
+			retErr = multierror.Append(retErr, fmt.Errorf("no audit backend succeeded in logging the request"))
+		}
+	} else {
+		if len(a.backends) > 0 {
+			e, err := audit.NewEvent(audit.RequestType)
+			if err != nil {
+				retErr = multierror.Append(retErr, err)
+			}
+
+			e.Data = in
+
+			status, err := a.broker.Send(ctx, eventlogger.EventType(event.AuditType.String()), e)
+			if err != nil {
+				retErr = multierror.Append(retErr, multierror.Append(err, status.Warnings...))
+			}
+		}
+	}
+
+	return retErr.ErrorOrNil()
+}
+
+// LogResponse is used to ensure all the audit backends have an opportunity to
+// log the given response and that *at least one* succeeds.
+func (a *AuditBroker) LogResponse(ctx context.Context, in *logical.LogInput, headersConfig *AuditedHeadersConfig) (ret error) {
+	defer metrics.MeasureSince([]string{"audit", "log_response"}, time.Now())
+	a.RLock()
+	defer a.RUnlock()
+	if in.Request.InboundSSCToken != "" {
+		if in.Auth != nil {
+			reqAuthToken := in.Auth.ClientToken
+			in.Auth.ClientToken = in.Request.InboundSSCToken
+			defer func() {
+				in.Auth.ClientToken = reqAuthToken
+			}()
+		}
+	}
+
+	var retErr *multierror.Error
+
+	defer func() {
+		if r := recover(); r != nil {
+			a.logger.Error("panic during logging", "request_path", in.Request.Path, "error", r, "stacktrace", string(debug.Stack()))
+			retErr = multierror.Append(retErr, fmt.Errorf("panic generating audit log"))
+		}
+
+		ret = retErr.ErrorOrNil()
+
+		failure := float32(0.0)
+		if ret != nil {
+			failure = 1.0
+		}
+		metrics.IncrCounter([]string{"audit", "log_response_failure"}, failure)
+	}()
+
+	headers := in.Request.Headers
+	defer func() {
+		in.Request.Headers = headers
+	}()
+
+	// Ensure at least one backend logs
+	if a.broker == nil {
+		anyLogged := false
+		for name, be := range a.backends {
+			in.Request.Headers = nil
+			transHeaders, thErr := headersConfig.ApplyConfig(ctx, headers, be.backend)
+			if thErr != nil {
+				a.logger.Error("backend failed to include headers", "backend", name, "error", thErr)
+				continue
+			}
+			in.Request.Headers = transHeaders
+
+			start := time.Now()
+			lrErr := be.backend.LogResponse(ctx, in)
+			metrics.MeasureSince([]string{"audit", name, "log_response"}, start)
+			if lrErr != nil {
+				a.logger.Error("backend failed to log response", "backend", name, "error", lrErr)
+			} else {
+				anyLogged = true
+			}
+		}
+		if !anyLogged && len(a.backends) > 0 {
+			retErr = multierror.Append(retErr, fmt.Errorf("no audit backend succeeded in logging the response"))
+		}
+	} else {
+		if len(a.backends) > 0 {
+			e, err := audit.NewEvent(audit.ResponseType)
+			if err != nil {
+				return multierror.Append(retErr, err)
+			}
+
+			e.Data = in
+
+			// In cases where we are trying to audit the response, we detach
+			// ourselves from the original context (keeping only the namespace).
+			// This is so that we get a fair run at writing audit entries if Vault
+			// Took up a lot of time handling the request before audit (response)
+			// is triggered. Pipeline nodes may check for a cancelled context and
+			// refuse to process the nodes further.
+			ns, err := namespace.FromContext(ctx)
+			if err != nil {
+				retErr = multierror.Append(retErr, fmt.Errorf("namespace missing from context: %w", err))
+				return retErr.ErrorOrNil()
+			}
+
+			auditContext, auditCancel := context.WithTimeout(context.Background(), 5*time.Second)
+			defer auditCancel()
+			auditContext = namespace.ContextWithNamespace(auditContext, ns)
+			status, err := a.broker.Send(auditContext, eventlogger.EventType(event.AuditType.String()), e)
+			if err != nil {
+				retErr = multierror.Append(retErr, multierror.Append(err, status.Warnings...))
+			}
+		}
+	}
+
+	return retErr.ErrorOrNil()
+}
+
+func (a *AuditBroker) Invalidate(ctx context.Context, key string) {
+	// For now, we ignore the key as this would only apply to salts. We just
+	// sort of brute force it on each one.
+	a.Lock()
+	defer a.Unlock()
+	for _, be := range a.backends {
+		be.backend.Invalidate(ctx)
+	}
+}
diff --git a/changelog/24325.txt b/changelog/24325.txt
new file mode 100644
index 000000000000..79914ea5d993
--- /dev/null
+++ b/changelog/24325.txt
@@ -0,0 +1,92 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*AuditDisableCommand)(nil)
+	_ cli.CommandAutocomplete = (*AuditDisableCommand)(nil)
+)
+
+type AuditDisableCommand struct {
+	*BaseCommand
+}
+
+func (c *AuditDisableCommand) Synopsis() string {
+	return "Disables an audit device"
+}
+
+func (c *AuditDisableCommand) Help() string {
+	helpText := `
+Usage: vault audit disable [options] PATH
+
+  Disables an audit device. Once an audit device is disabled, no future audit
+  logs are dispatched to it. The data associated with the audit device is not
+  affected.
+
+  The argument corresponds to the PATH of audit device, not the TYPE!
+
+  Disable the audit device enabled at "file/":
+
+      $ vault audit disable file/
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *AuditDisableCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP)
+}
+
+func (c *AuditDisableCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultAudits()
+}
+
+func (c *AuditDisableCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *AuditDisableCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
+
+	path := ensureTrailingSlash(sanitizePath(args[0]))
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	if err := client.Sys().DisableAudit(path); err != nil {
+		c.UI.Error(fmt.Sprintf("Error disabling audit device: %s", err))
+		return 2
+	}
+
+	c.UI.Output(fmt.Sprintf("Success! Disabled audit device (if it was enabled) at: %s", path))
+
+	return 0
+}
diff --git a/changelog/24336.txt b/changelog/24336.txt
new file mode 100644
index 000000000000..786140ee326e
--- /dev/null
+++ b/changelog/24336.txt
@@ -0,0 +1,163 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+)
+
+func testAuditDisableCommand(tb testing.TB) (*cli.MockUi, *AuditDisableCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &AuditDisableCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestAuditDisableCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"not_enough_args",
+			nil,
+			"Not enough arguments",
+			1,
+		},
+		{
+			"too_many_args",
+			[]string{"foo", "bar", "baz"},
+			"Too many arguments",
+			1,
+		},
+		{
+			"not_real",
+			[]string{"not_real"},
+			"Success! Disabled audit device (if it was enabled) at: not_real/",
+			0,
+		},
+		{
+			"default",
+			[]string{"file"},
+			"Success! Disabled audit device (if it was enabled) at: file/",
+			0,
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			client, closer := testVaultServer(t)
+			defer closer()
+
+			if err := client.Sys().EnableAuditWithOptions("file", &api.EnableAuditOptions{
+				Type: "file",
+				Options: map[string]string{
+					"file_path": "discard",
+				},
+			}); err != nil {
+				t.Fatal(err)
+			}
+
+			ui, cmd := testAuditDisableCommand(t)
+			cmd.client = client
+
+			code := cmd.Run(tc.args)
+			if code != tc.code {
+				t.Errorf("expected %d to be %d", code, tc.code)
+			}
+
+			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+			if !strings.Contains(combined, tc.out) {
+				t.Errorf("expected %q to contain %q", combined, tc.out)
+			}
+		})
+	}
+
+	t.Run("integration", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		if err := client.Sys().EnableAuditWithOptions("integration_audit_disable", &api.EnableAuditOptions{
+			Type: "file",
+			Options: map[string]string{
+				"file_path": "discard",
+			},
+		}); err != nil {
+			t.Fatal(err)
+		}
+
+		ui, cmd := testAuditDisableCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"integration_audit_disable/",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Success! Disabled audit device (if it was enabled) at: integration_audit_disable/"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+
+		mounts, err := client.Sys().ListMounts()
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if _, ok := mounts["integration_audit_disable"]; ok {
+			t.Errorf("expected mount to not exist: %#v", mounts)
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testAuditDisableCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"file",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error disabling audit device: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testAuditDisableCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
diff --git a/changelog/24343.txt b/changelog/24343.txt
new file mode 100644
index 000000000000..a163f471cc4f
--- /dev/null
+++ b/changelog/24343.txt
@@ -0,0 +1,159 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*AuditEnableCommand)(nil)
+	_ cli.CommandAutocomplete = (*AuditEnableCommand)(nil)
+)
+
+type AuditEnableCommand struct {
+	*BaseCommand
+
+	flagDescription string
+	flagPath        string
+	flagLocal       bool
+
+	testStdin io.Reader // For tests
+}
+
+func (c *AuditEnableCommand) Synopsis() string {
+	return "Enables an audit device"
+}
+
+func (c *AuditEnableCommand) Help() string {
+	helpText := `
+Usage: vault audit enable [options] TYPE [CONFIG K=V...]
+
+  Enables an audit device at a given path.
+
+  This command enables an audit device of TYPE. Additional options for
+  configuring the audit device can be specified after the type in the same
+  format as the "vault write" command in key/value pairs.
+
+  For example, to configure the file audit device to write audit logs at the
+  path "/var/log/audit.log":
+
+      $ vault audit enable file file_path=/var/log/audit.log
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *AuditEnableCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP)
+
+	f := set.NewFlagSet("Command Options")
+
+	f.StringVar(&StringVar{
+		Name:       "description",
+		Target:     &c.flagDescription,
+		Default:    "",
+		EnvVar:     "",
+		Completion: complete.PredictAnything,
+		Usage: "Human-friendly description for the purpose of this audit " +
+			"device.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "path",
+		Target:     &c.flagPath,
+		Default:    "", // The default is complex, so we have to manually document
+		EnvVar:     "",
+		Completion: complete.PredictAnything,
+		Usage: "Place where the audit device will be accessible. This must be " +
+			"unique across all audit devices. This defaults to the \"type\" of the " +
+			"audit device.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "local",
+		Target:  &c.flagLocal,
+		Default: false,
+		EnvVar:  "",
+		Usage: "Mark the audit device as a local-only device. Local devices " +
+			"are not replicated or removed by replication.",
+	})
+
+	return set
+}
+
+func (c *AuditEnableCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictSet(
+		"file",
+		"syslog",
+		"socket",
+	)
+}
+
+func (c *AuditEnableCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *AuditEnableCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	if len(args) < 1 {
+		c.UI.Error("Error enabling audit device: audit type missing. Valid types include 'file', 'socket' and 'syslog'.")
+		return 1
+	}
+
+	// Grab the type
+	auditType := strings.TrimSpace(args[0])
+
+	auditPath := c.flagPath
+	if auditPath == "" {
+		auditPath = auditType
+	}
+	auditPath = ensureTrailingSlash(auditPath)
+
+	// Pull our fake stdin if needed
+	stdin := (io.Reader)(os.Stdin)
+	if c.testStdin != nil {
+		stdin = c.testStdin
+	}
+
+	options, err := parseArgsDataString(stdin, args[1:])
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Failed to parse K=V data: %s", err))
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	if err := client.Sys().EnableAuditWithOptions(auditPath, &api.EnableAuditOptions{
+		Type:        auditType,
+		Description: c.flagDescription,
+		Options:     options,
+		Local:       c.flagLocal,
+	}); err != nil {
+		c.UI.Error(fmt.Sprintf("Error enabling audit device: %s", err))
+		return 2
+	}
+
+	c.UI.Output(fmt.Sprintf("Success! Enabled the %s audit device at: %s", auditType, auditPath))
+	return 0
+}
diff --git a/command/agent.go b/command/agent.go
index 220679beb35b..6c0c769e23ed 100644
--- a/command/agent.go
+++ b/command/agent.go
@@ -4,1250 +4,211 @@
 package command
 
 import (
-	"context"
-	"crypto/tls"
-	"errors"
-	"flag"
-	"fmt"
-	"io"
-	"net"
-	"net/http"
+	"io/ioutil"
 	"os"
-	"sort"
 	"strings"
-	"sync"
-	"time"
+	"testing"
 
-	systemd "github.com/coreos/go-systemd/daemon"
-	ctconfig "github.com/hashicorp/consul-template/config"
-	log "github.com/hashicorp/go-hclog"
-	"github.com/hashicorp/go-multierror"
-	"github.com/hashicorp/go-secure-stdlib/gatedwriter"
-	"github.com/hashicorp/go-secure-stdlib/parseutil"
-	"github.com/hashicorp/go-secure-stdlib/reloadutil"
-	"github.com/hashicorp/vault/api"
-	agentConfig "github.com/hashicorp/vault/command/agent/config"
-	"github.com/hashicorp/vault/command/agent/exec"
-	"github.com/hashicorp/vault/command/agent/template"
-	"github.com/hashicorp/vault/command/agentproxyshared"
-	"github.com/hashicorp/vault/command/agentproxyshared/auth"
-	cache "github.com/hashicorp/vault/command/agentproxyshared/cache"
-	"github.com/hashicorp/vault/command/agentproxyshared/sink"
-	"github.com/hashicorp/vault/command/agentproxyshared/sink/file"
-	"github.com/hashicorp/vault/command/agentproxyshared/sink/inmem"
-	"github.com/hashicorp/vault/command/agentproxyshared/winsvc"
-	"github.com/hashicorp/vault/helper/logging"
-	"github.com/hashicorp/vault/helper/metricsutil"
-	"github.com/hashicorp/vault/helper/useragent"
-	"github.com/hashicorp/vault/internalshared/configutil"
-	"github.com/hashicorp/vault/internalshared/listenerutil"
-	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/hashicorp/vault/sdk/logical"
-	"github.com/hashicorp/vault/version"
-	"github.com/kr/pretty"
-	"github.com/mitchellh/cli"
-	"github.com/oklog/run"
-	"github.com/posener/complete"
-	"golang.org/x/text/cases"
-	"golang.org/x/text/language"
-	"google.golang.org/grpc/test/bufconn"
+	"github.com/hashicorp/cli"
 )
 
-var (
-	_ cli.Command             = (*AgentCommand)(nil)
-	_ cli.CommandAutocomplete = (*AgentCommand)(nil)
-)
-
-const (
-	// flagNameAgentExitAfterAuth is used as an Agent specific flag to indicate
-	// that agent should exit after a single successful auth
-	flagNameAgentExitAfterAuth = "exit-after-auth"
-)
-
-type AgentCommand struct {
-	*BaseCommand
-	logFlags logFlags
-
-	config *agentConfig.Config
-
-	ShutdownCh chan struct{}
-	SighupCh   chan struct{}
-
-	tlsReloadFuncsLock sync.RWMutex
-	tlsReloadFuncs     []reloadutil.ReloadFunc
-
-	logWriter io.Writer
-	logGate   *gatedwriter.Writer
-	logger    log.Logger
-
-	// Telemetry object
-	metricsHelper *metricsutil.MetricsHelper
-
-	cleanupGuard sync.Once
-
-	startedCh  chan struct{} // for tests
-	reloadedCh chan struct{} // for tests
-
-	flagConfigs        []string
-	flagExitAfterAuth  bool
-	flagTestVerifyOnly bool
-}
-
-func (c *AgentCommand) Synopsis() string {
-	return "Start a Vault agent"
-}
-
-func (c *AgentCommand) Help() string {
-	helpText := `
-Usage: vault agent [options]
-
-  This command starts a Vault Agent that can perform automatic authentication
-  in certain environments.
-
-  Start an agent with a configuration file:
-
-      $ vault agent -config=/etc/vault/config.hcl
-
-  For a full list of examples, please see the documentation.
-
-` + c.Flags().Help()
-	return strings.TrimSpace(helpText)
-}
-
-func (c *AgentCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP)
-
-	f := set.NewFlagSet("Command Options")
-
-	// Augment with the log flags
-	f.addLogFlags(&c.logFlags)
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:   "config",
-		Target: &c.flagConfigs,
-		Completion: complete.PredictOr(
-			complete.PredictFiles("*.hcl"),
-			complete.PredictFiles("*.json"),
-		),
-		Usage: "Path to a configuration file. This configuration file should " +
-			"contain only agent directives.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    flagNameAgentExitAfterAuth,
-		Target:  &c.flagExitAfterAuth,
-		Default: false,
-		Usage: "If set to true, the agent will exit with code 0 after a single " +
-			"successful auth, where success means that a token was retrieved and " +
-			"all sinks successfully wrote it",
-	})
-
-	// Internal-only flags to follow.
-	//
-	// Why hello there little source code reader! Welcome to the Vault source
-	// code. The remaining options are intentionally undocumented and come with
-	// no warranty or backwards-compatibility promise. Do not use these flags
-	// in production. Do not build automation using these flags. Unless you are
-	// developing against Vault, you should not need any of these flags.
-	f.BoolVar(&BoolVar{
-		Name:    "test-verify-only",
-		Target:  &c.flagTestVerifyOnly,
-		Default: false,
-		Hidden:  true,
-	})
-
-	// End internal-only flags.
-
-	return set
-}
-
-func (c *AgentCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictNothing
-}
-
-func (c *AgentCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *AgentCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	// Create a logger. We wrap it in a gated writer so that it doesn't
-	// start logging too early.
-	c.logGate = gatedwriter.NewWriter(os.Stderr)
-	c.logWriter = c.logGate
-
-	if c.logFlags.flagCombineLogs {
-		c.logWriter = os.Stdout
-	}
-
-	// Validation
-	if len(c.flagConfigs) < 1 {
-		c.UI.Error("Must specify exactly at least one config path using -config")
-		return 1
-	}
-
-	config, err := c.loadConfig(c.flagConfigs)
-	if err != nil {
-		c.outputErrors(err)
-		return 1
-	}
-
-	if config.AutoAuth == nil {
-		c.UI.Info("No auto_auth block found in config, the automatic authentication feature will not be started")
-	}
-
-	c.applyConfigOverrides(f, config) // This only needs to happen on start-up to aggregate config from flags and env vars
-	c.config = config
-
-	l, err := c.newLogger()
-	if err != nil {
-		c.outputErrors(err)
-		return 1
-	}
-	c.logger = l
-
-	infoKeys := make([]string, 0, 10)
-	info := make(map[string]string)
-	info["log level"] = config.LogLevel
-	infoKeys = append(infoKeys, "log level")
-
-	infoKeys = append(infoKeys, "version")
-	verInfo := version.GetVersion()
-	info["version"] = verInfo.FullVersionNumber(false)
-	if verInfo.Revision != "" {
-		info["version sha"] = strings.Trim(verInfo.Revision, "'")
-		infoKeys = append(infoKeys, "version sha")
-	}
-	infoKeys = append(infoKeys, "cgo")
-	info["cgo"] = "disabled"
-	if version.CgoEnabled {
-		info["cgo"] = "enabled"
-	}
-
-	// Tests might not want to start a vault server and just want to verify
-	// the configuration.
-	if c.flagTestVerifyOnly {
-		if os.Getenv("VAULT_TEST_VERIFY_ONLY_DUMP_CONFIG") != "" {
-			c.UI.Output(fmt.Sprintf(
-				"\nConfiguration:\n%s\n",
-				pretty.Sprint(*c.config)))
-		}
-		return 0
-	}
-
-	// Ignore any setting of Agent's address. This client is used by the Agent
-	// to reach out to Vault. This should never loop back to agent.
-	c.flagAgentProxyAddress = ""
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(fmt.Sprintf(
-			"Error fetching client: %v",
-			err))
-		return 1
-	}
-
-	serverHealth, err := client.Sys().Health()
-	if err == nil {
-		// We don't exit on error here, as this is not worth stopping Agent over
-		serverVersion := serverHealth.Version
-		agentVersion := version.GetVersion().VersionNumber()
-		if serverVersion != agentVersion {
-			c.UI.Info("==> Note: Vault Agent version does not match Vault server version. " +
-				fmt.Sprintf("Vault Agent version: %s, Vault server version: %s", agentVersion, serverVersion))
-		}
-	}
-
-	if config.IsDefaultListerDefined() {
-		// Notably, we cannot know for sure if they are using the API proxy functionality unless
-		// we log on each API proxy call, which would be too noisy.
-		// A customer could have a listener defined but only be using e.g. the cache-clear API,
-		// even though the API proxy is something they have available.
-		c.UI.Warn("==> Note: Vault Agent will be deprecating API proxy functionality in a future " +
-			"release, and this functionality has moved to a new subcommand, vault proxy. If you rely on this " +
-			"functionality, plan to move to Vault Proxy instead.")
-	}
-
-	// ctx and cancelFunc are passed to the AuthHandler, SinkServer, ExecServer and
-	// TemplateServer that periodically listen for ctx.Done() to fire and shut
-	// down accordingly.
-	ctx, cancelFunc := context.WithCancel(context.Background())
-	defer cancelFunc()
-
-	// telemetry configuration
-	inmemMetrics, _, prometheusEnabled, err := configutil.SetupTelemetry(&configutil.SetupTelemetryOpts{
-		Config:      config.Telemetry,
-		Ui:          c.UI,
-		ServiceName: "vault",
-		DisplayName: "Vault",
-		UserAgent:   useragent.AgentString(),
-		ClusterName: config.ClusterName,
-	})
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error initializing telemetry: %s", err))
-		return 1
-	}
-	c.metricsHelper = metricsutil.NewMetricsHelper(inmemMetrics, prometheusEnabled)
-
-	var method auth.AuthMethod
-	var sinks []*sink.SinkConfig
-	var templateNamespace string
-	if config.AutoAuth != nil {
-		if client.Headers().Get(consts.NamespaceHeaderName) == "" && config.AutoAuth.Method.Namespace != "" {
-			client.SetNamespace(config.AutoAuth.Method.Namespace)
-		}
-		templateNamespace = client.Headers().Get(consts.NamespaceHeaderName)
-
-		sinkClient, err := client.CloneWithHeaders()
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error cloning client for file sink: %v", err))
-			return 1
-		}
-
-		if config.DisableIdleConnsAutoAuth {
-			sinkClient.SetMaxIdleConnections(-1)
-		}
-
-		if config.DisableKeepAlivesAutoAuth {
-			sinkClient.SetDisableKeepAlives(true)
-		}
-
-		for _, sc := range config.AutoAuth.Sinks {
-			switch sc.Type {
-			case "file":
-				config := &sink.SinkConfig{
-					Logger:    c.logger.Named("sink.file"),
-					Config:    sc.Config,
-					Client:    sinkClient,
-					WrapTTL:   sc.WrapTTL,
-					DHType:    sc.DHType,
-					DeriveKey: sc.DeriveKey,
-					DHPath:    sc.DHPath,
-					AAD:       sc.AAD,
-				}
-				s, err := file.NewFileSink(config)
-				if err != nil {
-					c.UI.Error(fmt.Errorf("error creating file sink: %w", err).Error())
-					return 1
-				}
-				config.Sink = s
-				sinks = append(sinks, config)
-			default:
-				c.UI.Error(fmt.Sprintf("Unknown sink type %q", sc.Type))
-				return 1
-			}
-		}
-
-		authConfig := &auth.AuthConfig{
-			Logger:    c.logger.Named(fmt.Sprintf("auth.%s", config.AutoAuth.Method.Type)),
-			MountPath: config.AutoAuth.Method.MountPath,
-			Config:    config.AutoAuth.Method.Config,
-		}
-		method, err = agentproxyshared.GetAutoAuthMethodFromConfig(config.AutoAuth.Method.Type, authConfig, config.Vault.Address)
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error creating %s auth method: %v", config.AutoAuth.Method.Type, err))
-			return 1
-		}
-	}
-
-	// We do this after auto-auth has been configured, because we don't want to
-	// confuse the issue of retries for auth failures which have their own
-	// config and are handled a bit differently.
-	if os.Getenv(api.EnvVaultMaxRetries) == "" {
-		client.SetMaxRetries(ctconfig.DefaultRetryAttempts)
-		if config.Vault != nil {
-			if config.Vault.Retry != nil {
-				client.SetMaxRetries(config.Vault.Retry.NumRetries)
-			}
-		}
-	}
-
-	enforceConsistency := cache.EnforceConsistencyNever
-	whenInconsistent := cache.WhenInconsistentFail
-	if config.APIProxy != nil {
-		switch config.APIProxy.EnforceConsistency {
-		case "always":
-			enforceConsistency = cache.EnforceConsistencyAlways
-		case "never", "":
-		default:
-			c.UI.Error(fmt.Sprintf("Unknown api_proxy setting for enforce_consistency: %q", config.APIProxy.EnforceConsistency))
-			return 1
-		}
-
-		switch config.APIProxy.WhenInconsistent {
-		case "retry":
-			whenInconsistent = cache.WhenInconsistentRetry
-		case "forward":
-			whenInconsistent = cache.WhenInconsistentForward
-		case "fail", "":
-		default:
-			c.UI.Error(fmt.Sprintf("Unknown api_proxy setting for when_inconsistent: %q", config.APIProxy.WhenInconsistent))
-			return 1
-		}
-	}
-	// Keep Cache configuration for legacy reasons, but error if defined alongside API Proxy
-	if config.Cache != nil {
-		switch config.Cache.EnforceConsistency {
-		case "always":
-			if enforceConsistency != cache.EnforceConsistencyNever {
-				c.UI.Error("enforce_consistency configured in both api_proxy and cache blocks. Please remove this configuration from the cache block.")
-				return 1
-			} else {
-				enforceConsistency = cache.EnforceConsistencyAlways
+func testAuditEnableCommand(tb testing.TB) (*cli.MockUi, *AuditEnableCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &AuditEnableCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestAuditEnableCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"empty",
+			nil,
+			"Error enabling audit device: audit type missing. Valid types include 'file', 'socket' and 'syslog'.",
+			1,
+		},
+		{
+			"not_a_valid_type",
+			[]string{"nope_definitely_not_a_valid_type_like_ever"},
+			"",
+			2,
+		},
+		{
+			"enable",
+			[]string{"file", "file_path=discard"},
+			"Success! Enabled the file audit device at: file/",
+			0,
+		},
+		{
+			"enable_path",
+			[]string{
+				"-path", "audit_path",
+				"file",
+				"file_path=discard",
+			},
+			"Success! Enabled the file audit device at: audit_path/",
+			0,
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			client, closer := testVaultServer(t)
+			defer closer()
+
+			ui, cmd := testAuditEnableCommand(t)
+			cmd.client = client
+
+			code := cmd.Run(tc.args)
+			if code != tc.code {
+				t.Errorf("expected %d to be %d", code, tc.code)
+			}
+
+			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+			if !strings.Contains(combined, tc.out) {
+				t.Errorf("expected %q to contain %q", combined, tc.out)
 			}
-		case "never", "":
-		default:
-			c.UI.Error(fmt.Sprintf("Unknown cache setting for enforce_consistency: %q", config.Cache.EnforceConsistency))
-			return 1
-		}
-
-		switch config.Cache.WhenInconsistent {
-		case "retry":
-			if whenInconsistent != cache.WhenInconsistentFail {
-				c.UI.Error("when_inconsistent configured in both api_proxy and cache blocks. Please remove this configuration from the cache block.")
-				return 1
-			} else {
-				whenInconsistent = cache.WhenInconsistentRetry
-			}
-		case "forward":
-			if whenInconsistent != cache.WhenInconsistentFail {
-				c.UI.Error("when_inconsistent configured in both api_proxy and cache blocks. Please remove this configuration from the cache block.")
-				return 1
-			} else {
-				whenInconsistent = cache.WhenInconsistentForward
-			}
-		case "fail", "":
-		default:
-			c.UI.Error(fmt.Sprintf("Unknown cache setting for when_inconsistent: %q", config.Cache.WhenInconsistent))
-			return 1
-		}
-	}
-
-	// Warn if cache _and_ cert auto-auth is enabled but certificates were not
-	// provided in the auto_auth.method["cert"].config stanza.
-	if config.Cache != nil && (config.AutoAuth != nil && config.AutoAuth.Method != nil && config.AutoAuth.Method.Type == "cert") {
-		_, okCertFile := config.AutoAuth.Method.Config["client_cert"]
-		_, okCertKey := config.AutoAuth.Method.Config["client_key"]
-
-		// If neither of these exists in the cert stanza, agent will use the
-		// certs from the vault stanza.
-		if !okCertFile && !okCertKey {
-			c.UI.Warn(wrapAtLength("WARNING! Cache is enabled and using the same certificates " +
-				"from the 'cert' auto-auth method specified in the 'vault' stanza. Consider " +
-				"specifying certificate information in the 'cert' auto-auth's config stanza."))
-		}
-
-	}
-
-	// Output the header that the agent has started
-	if !c.logFlags.flagCombineLogs {
-		c.UI.Output("==> Vault Agent started! Log data will stream in below:\n")
-	}
-
-	var leaseCache *cache.LeaseCache
-	var previousToken string
-
-	proxyClient, err := client.CloneWithHeaders()
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error cloning client for proxying: %v", err))
-		return 1
-	}
-
-	if config.DisableIdleConnsAPIProxy {
-		proxyClient.SetMaxIdleConnections(-1)
-	}
-
-	if config.DisableKeepAlivesAPIProxy {
-		proxyClient.SetDisableKeepAlives(true)
-	}
-
-	apiProxyLogger := c.logger.Named("apiproxy")
-
-	// The API proxy to be used, if listeners are configured
-	apiProxy, err := cache.NewAPIProxy(&cache.APIProxyConfig{
-		Client:                  proxyClient,
-		Logger:                  apiProxyLogger,
-		EnforceConsistency:      enforceConsistency,
-		WhenInconsistentAction:  whenInconsistent,
-		UserAgentStringFunction: useragent.AgentProxyStringWithProxiedUserAgent,
-		UserAgentString:         useragent.AgentProxyString(),
-	})
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error creating API proxy: %v", err))
-		return 1
-	}
-
-	// Parse agent cache configurations
-	if config.Cache != nil {
-		cacheLogger := c.logger.Named("cache")
-
-		// Create the lease cache proxier and set its underlying proxier to
-		// the API proxier.
-		leaseCache, err = cache.NewLeaseCache(&cache.LeaseCacheConfig{
-			Client:              proxyClient,
-			BaseContext:         ctx,
-			Proxier:             apiProxy,
-			Logger:              cacheLogger.Named("leasecache"),
-			CacheDynamicSecrets: true,
-			UserAgentToUse:      useragent.ProxyAPIProxyString(),
 		})
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error creating lease cache: %v", err))
-			return 1
-		}
-
-		// Configure persistent storage and add to LeaseCache
-		if config.Cache.Persist != nil {
-			deferFunc, oldToken, err := agentproxyshared.AddPersistentStorageToLeaseCache(ctx, leaseCache, config.Cache.Persist, cacheLogger)
-			if err != nil {
-				c.UI.Error(fmt.Sprintf("Error creating persistent cache: %v", err))
-				return 1
-			}
-			previousToken = oldToken
-			if deferFunc != nil {
-				defer deferFunc()
-			}
-		}
-	}
-
-	var listeners []net.Listener
-
-	// If there are templates, add an in-process listener
-	if len(config.Templates) > 0 || len(config.EnvTemplates) > 0 {
-		config.Listeners = append(config.Listeners, &configutil.Listener{Type: listenerutil.BufConnType})
-	}
-
-	// Ensure we've added all the reload funcs for TLS before anyone triggers a reload.
-	c.tlsReloadFuncsLock.Lock()
-
-	for i, lnConfig := range config.Listeners {
-		var ln net.Listener
-		var tlsCfg *tls.Config
-
-		if lnConfig.Type == listenerutil.BufConnType {
-			inProcListener := bufconn.Listen(1024 * 1024)
-			if config.Cache != nil {
-				config.Cache.InProcDialer = listenerutil.NewBufConnWrapper(inProcListener)
-			}
-			ln = inProcListener
-		} else {
-			lnBundle, err := cache.StartListener(lnConfig)
-			if err != nil {
-				c.UI.Error(fmt.Sprintf("Error starting listener: %v", err))
-				return 1
-			}
-
-			tlsCfg = lnBundle.TLSConfig
-			ln = lnBundle.Listener
-
-			// Track the reload func, so we can reload later if needed.
-			c.tlsReloadFuncs = append(c.tlsReloadFuncs, lnBundle.TLSReloadFunc)
-		}
-
-		listeners = append(listeners, ln)
-
-		proxyVaultToken := true
-		var inmemSink sink.Sink
-		if config.APIProxy != nil {
-			if config.APIProxy.UseAutoAuthToken {
-				apiProxyLogger.Debug("auto-auth token is allowed to be used; configuring inmem sink")
-				inmemSink, err = inmem.New(&sink.SinkConfig{
-					Logger: apiProxyLogger,
-				}, leaseCache)
-				if err != nil {
-					c.UI.Error(fmt.Sprintf("Error creating inmem sink for cache: %v", err))
-					return 1
-				}
-				sinks = append(sinks, &sink.SinkConfig{
-					Logger: apiProxyLogger,
-					Sink:   inmemSink,
-				})
-			}
-			proxyVaultToken = !config.APIProxy.ForceAutoAuthToken
-		}
-
-		var muxHandler http.Handler
-		if leaseCache != nil {
-			muxHandler = cache.ProxyHandler(ctx, apiProxyLogger, leaseCache, inmemSink, proxyVaultToken)
-		} else {
-			muxHandler = cache.ProxyHandler(ctx, apiProxyLogger, apiProxy, inmemSink, proxyVaultToken)
-		}
-
-		// Parse 'require_request_header' listener config option, and wrap
-		// the request handler if necessary
-		if lnConfig.RequireRequestHeader && ("metrics_only" != lnConfig.Role) {
-			muxHandler = verifyRequestHeader(muxHandler)
-		}
-
-		// Create a muxer and add paths relevant for the lease cache layer
-		mux := http.NewServeMux()
-		quitEnabled := lnConfig.AgentAPI != nil && lnConfig.AgentAPI.EnableQuit
-
-		mux.Handle(consts.AgentPathMetrics, c.handleMetrics())
-		if "metrics_only" != lnConfig.Role {
-			mux.Handle(consts.AgentPathCacheClear, leaseCache.HandleCacheClear(ctx))
-			mux.Handle(consts.AgentPathQuit, c.handleQuit(quitEnabled))
-			mux.Handle("/", muxHandler)
-		}
-
-		scheme := "https://"
-		if tlsCfg == nil {
-			scheme = "http://"
-		}
-		if ln.Addr().Network() == "unix" {
-			scheme = "unix://"
-		}
-
-		infoKey := fmt.Sprintf("api address %d", i+1)
-		info[infoKey] = scheme + ln.Addr().String()
-		infoKeys = append(infoKeys, infoKey)
-
-		server := &http.Server{
-			Addr:              ln.Addr().String(),
-			TLSConfig:         tlsCfg,
-			Handler:           mux,
-			ReadHeaderTimeout: 10 * time.Second,
-			ReadTimeout:       30 * time.Second,
-			IdleTimeout:       5 * time.Minute,
-			ErrorLog:          apiProxyLogger.StandardLogger(nil),
-		}
-
-		go server.Serve(ln)
-	}
-
-	c.tlsReloadFuncsLock.Unlock()
-
-	// Ensure that listeners are closed at all the exits
-	listenerCloseFunc := func() {
-		for _, ln := range listeners {
-			ln.Close()
-		}
 	}
-	defer c.cleanupGuard.Do(listenerCloseFunc)
-
-	// Inform any tests that the server is ready
-	if c.startedCh != nil {
-		close(c.startedCh)
-	}
-
-	var g run.Group
-
-	g.Add(func() error {
-		for {
-			select {
-			case <-c.SighupCh:
-				c.UI.Output("==> Vault Agent config reload triggered")
-				err := c.reloadConfig(c.flagConfigs)
-				if err != nil {
-					c.outputErrors(err)
-				}
-				// Send the 'reloaded' message on the relevant channel
-				select {
-				case c.reloadedCh <- struct{}{}:
-				default:
-				}
-			case <-ctx.Done():
-				return nil
-			}
-		}
-	}, func(error) {
-		cancelFunc()
-	})
-
-	// This run group watches for signal termination
-	g.Add(func() error {
-		for {
-			select {
-			case <-c.ShutdownCh:
-				c.UI.Output("==> Vault Agent shutdown triggered")
-				// Notify systemd that the server is shutting down
-				// Let the lease cache know this is a shutdown; no need to evict everything
-				if leaseCache != nil {
-					leaseCache.SetShuttingDown(true)
-				}
-				return nil
-			case <-ctx.Done():
-				return nil
-			case <-winsvc.ShutdownChannel():
-				return nil
-			}
-		}
-	}, func(error) {})
-
-	// Start auto-auth and sink servers
-	if method != nil {
-		enableTemplateTokenCh := len(config.Templates) > 0
-		enableEnvTemplateTokenCh := len(config.EnvTemplates) > 0
-
-		// Auth Handler is going to set its own retry values, so we want to
-		// work on a copy of the client to not affect other subsystems.
-		ahClient, err := c.client.CloneWithHeaders()
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error cloning client for auth handler: %v", err))
-			return 1
-		}
-
-		if config.DisableIdleConnsAutoAuth {
-			ahClient.SetMaxIdleConnections(-1)
-		}
-
-		if config.DisableKeepAlivesAutoAuth {
-			ahClient.SetDisableKeepAlives(true)
-		}
-
-		ah := auth.NewAuthHandler(&auth.AuthHandlerConfig{
-			Logger:                       c.logger.Named("auth.handler"),
-			Client:                       ahClient,
-			WrapTTL:                      config.AutoAuth.Method.WrapTTL,
-			MinBackoff:                   config.AutoAuth.Method.MinBackoff,
-			MaxBackoff:                   config.AutoAuth.Method.MaxBackoff,
-			EnableReauthOnNewCredentials: config.AutoAuth.EnableReauthOnNewCredentials,
-			EnableTemplateTokenCh:        enableTemplateTokenCh,
-			EnableExecTokenCh:            enableEnvTemplateTokenCh,
-			Token:                        previousToken,
-			ExitOnError:                  config.AutoAuth.Method.ExitOnError,
-			UserAgent:                    useragent.AgentAutoAuthString(),
-			MetricsSignifier:             "agent",
-		})
-
-		ss := sink.NewSinkServer(&sink.SinkServerConfig{
-			Logger:        c.logger.Named("sink.server"),
-			Client:        ahClient,
-			ExitAfterAuth: config.ExitAfterAuth,
-		})
-
-		ts := template.NewServer(&template.ServerConfig{
-			Logger:        c.logger.Named("template.server"),
-			LogLevel:      c.logger.GetLevel(),
-			LogWriter:     c.logWriter,
-			AgentConfig:   c.config,
-			Namespace:     templateNamespace,
-			ExitAfterAuth: config.ExitAfterAuth,
-		})
-
-		es, err := exec.NewServer(&exec.ServerConfig{
-			AgentConfig: c.config,
-			Namespace:   templateNamespace,
-			Logger:      c.logger.Named("exec.server"),
-			LogLevel:    c.logger.GetLevel(),
-			LogWriter:   c.logWriter,
-		})
-		if err != nil {
-			c.logger.Error("could not create exec server", "error", err)
-			return 1
-		}
-
-		g.Add(func() error {
-			return ah.Run(ctx, method)
-		}, func(error) {
-			// Let the lease cache know this is a shutdown; no need to evict
-			// everything
-			if leaseCache != nil {
-				leaseCache.SetShuttingDown(true)
-			}
-			cancelFunc()
-		})
-
-		g.Add(func() error {
-			err := ss.Run(ctx, ah.OutputCh, sinks)
-			c.logger.Info("sinks finished, exiting")
 
-			// Start goroutine to drain from ah.OutputCh from this point onward
-			// to prevent ah.Run from being blocked.
-			go func() {
-				for {
-					select {
-					case <-ctx.Done():
-						return
-					case <-ah.OutputCh:
-					}
-				}
-			}()
-
-			// Wait until templates are rendered
-			if len(config.Templates) > 0 {
-				<-ts.DoneCh
-			}
+	t.Run("integration", func(t *testing.T) {
+		t.Parallel()
 
-			return err
-		}, func(error) {
-			// Let the lease cache know this is a shutdown; no need to evict
-			// everything
-			if leaseCache != nil {
-				leaseCache.SetShuttingDown(true)
-			}
-			cancelFunc()
-		})
+		client, closer := testVaultServer(t)
+		defer closer()
 
-		g.Add(func() error {
-			return ts.Run(ctx, ah.TemplateTokenCh, config.Templates)
-		}, func(error) {
-			// Let the lease cache know this is a shutdown; no need to evict
-			// everything
-			if leaseCache != nil {
-				leaseCache.SetShuttingDown(true)
-			}
-			cancelFunc()
-			ts.Stop()
-		})
+		ui, cmd := testAuditEnableCommand(t)
+		cmd.client = client
 
-		g.Add(func() error {
-			return es.Run(ctx, ah.ExecTokenCh)
-		}, func(err error) {
-			// Let the lease cache know this is a shutdown; no need to evict
-			// everything
-			if leaseCache != nil {
-				leaseCache.SetShuttingDown(true)
-			}
-			cancelFunc()
-			es.Close()
+		code := cmd.Run([]string{
+			"-path", "audit_enable_integration/",
+			"-description", "The best kind of test",
+			"file",
+			"file_path=discard",
 		})
-
-	}
-
-	// Server configuration output
-	padding := 24
-	sort.Strings(infoKeys)
-	caser := cases.Title(language.English)
-	c.UI.Output("==> Vault Agent configuration:\n")
-	for _, k := range infoKeys {
-		c.UI.Output(fmt.Sprintf(
-			"%s%s: %s",
-			strings.Repeat(" ", padding-len(k)),
-			caser.String(k),
-			info[k]))
-	}
-	c.UI.Output("")
-
-	// Release the log gate.
-	c.logGate.Flush()
-
-	// Write out the PID to the file now that server has successfully started
-	if err := c.storePidFile(config.PidFile); err != nil {
-		c.UI.Error(fmt.Sprintf("Error storing PID: %s", err))
-		return 1
-	}
-
-	// Notify systemd that the server is ready (if applicable)
-	c.notifySystemd(systemd.SdNotifyReady)
-
-	defer func() {
-		if err := c.removePidFile(config.PidFile); err != nil {
-			c.UI.Error(fmt.Sprintf("Error deleting the PID file: %s", err))
-		}
-	}()
-
-	var exitCode int
-	if err := g.Run(); err != nil {
-		var processExitError *exec.ProcessExitError
-		if errors.As(err, &processExitError) {
-			exitCode = processExitError.ExitCode
-		} else {
-			exitCode = 1
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
 		}
 
-		if exitCode != 0 {
-			c.logger.Error("runtime error encountered", "error", err, "exitCode", exitCode)
-			c.UI.Error("Error encountered during run, refer to logs for more details.")
+		expected := "Success! Enabled the file audit device at: audit_enable_integration/"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
 		}
-	}
-
-	c.notifySystemd(systemd.SdNotifyStopping)
-
-	return exitCode
-}
 
-// applyConfigOverrides ensures that the config object accurately reflects the desired
-// settings as configured by the user. It applies the relevant config setting based
-// on the precedence (env var overrides file config, cli overrides env var).
-// It mutates the config object supplied.
-func (c *AgentCommand) applyConfigOverrides(f *FlagSets, config *agentConfig.Config) {
-	if config.Vault == nil {
-		config.Vault = &agentConfig.Vault{}
-	}
-
-	f.applyLogConfigOverrides(config.SharedConfig)
-
-	f.Visit(func(fl *flag.Flag) {
-		if fl.Name == flagNameAgentExitAfterAuth {
-			config.ExitAfterAuth = c.flagExitAfterAuth
+		audits, err := client.Sys().ListAudit()
+		if err != nil {
+			t.Fatal(err)
 		}
-	})
 
-	c.setStringFlag(f, config.Vault.Address, &StringVar{
-		Name:    flagNameAddress,
-		Target:  &c.flagAddress,
-		Default: "https://127.0.0.1:8200",
-		EnvVar:  api.EnvVaultAddress,
-	})
-	config.Vault.Address = c.flagAddress
-	c.setStringFlag(f, config.Vault.CACert, &StringVar{
-		Name:    flagNameCACert,
-		Target:  &c.flagCACert,
-		Default: "",
-		EnvVar:  api.EnvVaultCACert,
-	})
-	config.Vault.CACert = c.flagCACert
-	c.setStringFlag(f, config.Vault.CAPath, &StringVar{
-		Name:    flagNameCAPath,
-		Target:  &c.flagCAPath,
-		Default: "",
-		EnvVar:  api.EnvVaultCAPath,
-	})
-	config.Vault.CAPath = c.flagCAPath
-	c.setStringFlag(f, config.Vault.ClientCert, &StringVar{
-		Name:    flagNameClientCert,
-		Target:  &c.flagClientCert,
-		Default: "",
-		EnvVar:  api.EnvVaultClientCert,
-	})
-	config.Vault.ClientCert = c.flagClientCert
-	c.setStringFlag(f, config.Vault.ClientKey, &StringVar{
-		Name:    flagNameClientKey,
-		Target:  &c.flagClientKey,
-		Default: "",
-		EnvVar:  api.EnvVaultClientKey,
-	})
-	config.Vault.ClientKey = c.flagClientKey
-	c.setBoolFlag(f, config.Vault.TLSSkipVerify, &BoolVar{
-		Name:    flagNameTLSSkipVerify,
-		Target:  &c.flagTLSSkipVerify,
-		Default: false,
-		EnvVar:  api.EnvVaultSkipVerify,
-	})
-	config.Vault.TLSSkipVerify = c.flagTLSSkipVerify
-	c.setStringFlag(f, config.Vault.TLSServerName, &StringVar{
-		Name:    flagTLSServerName,
-		Target:  &c.flagTLSServerName,
-		Default: "",
-		EnvVar:  api.EnvVaultTLSServerName,
-	})
-	config.Vault.TLSServerName = c.flagTLSServerName
-}
-
-// verifyRequestHeader wraps an http.Handler inside a Handler that checks for
-// the request header that is used for SSRF protection.
-func verifyRequestHeader(handler http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if val, ok := r.Header[consts.RequestHeaderName]; !ok || len(val) != 1 || val[0] != "true" {
-			logical.RespondError(w,
-				http.StatusPreconditionFailed,
-				fmt.Errorf("missing %q header", consts.RequestHeaderName))
-			return
+		auditInfo, ok := audits["audit_enable_integration/"]
+		if !ok {
+			t.Fatalf("expected audit to exist")
 		}
-
-		handler.ServeHTTP(w, r)
-	})
-}
-
-func (c *AgentCommand) notifySystemd(status string) {
-	sent, err := systemd.SdNotify(false, status)
-	if err != nil {
-		c.logger.Error("error notifying systemd", "error", err)
-	} else {
-		if sent {
-			c.logger.Debug("sent systemd notification", "notification", status)
-		} else {
-			c.logger.Debug("would have sent systemd notification (systemd not present)", "notification", status)
+		if exp := "file"; auditInfo.Type != exp {
+			t.Errorf("expected %q to be %q", auditInfo.Type, exp)
 		}
-	}
-}
-
-func (c *AgentCommand) setStringFlag(f *FlagSets, configVal string, fVar *StringVar) {
-	var isFlagSet bool
-	f.Visit(func(f *flag.Flag) {
-		if f.Name == fVar.Name {
-			isFlagSet = true
+		if exp := "The best kind of test"; auditInfo.Description != exp {
+			t.Errorf("expected %q to be %q", auditInfo.Description, exp)
 		}
-	})
-
-	flagEnvValue, flagEnvSet := os.LookupEnv(fVar.EnvVar)
-	switch {
-	case isFlagSet:
-		// Don't do anything as the flag is already set from the command line
-	case flagEnvSet:
-		// Use value from env var
-		*fVar.Target = flagEnvValue
-	case configVal != "":
-		// Use value from config
-		*fVar.Target = configVal
-	default:
-		// Use the default value
-		*fVar.Target = fVar.Default
-	}
-}
 
-func (c *AgentCommand) setBoolFlag(f *FlagSets, configVal bool, fVar *BoolVar) {
-	var isFlagSet bool
-	f.Visit(func(f *flag.Flag) {
-		if f.Name == fVar.Name {
-			isFlagSet = true
+		filePath, ok := auditInfo.Options["file_path"]
+		if !ok || filePath != "discard" {
+			t.Errorf("missing some options: %#v", auditInfo)
 		}
 	})
 
-	flagEnvValue, flagEnvSet := os.LookupEnv(fVar.EnvVar)
-	switch {
-	case isFlagSet:
-		// Don't do anything as the flag is already set from the command line
-	case flagEnvSet:
-		// Use value from env var
-		*fVar.Target = flagEnvValue != ""
-	case configVal:
-		// Use value from config
-		*fVar.Target = configVal
-	default:
-		// Use the default value
-		*fVar.Target = fVar.Default
-	}
-}
-
-// storePidFile is used to write out our PID to a file if necessary
-func (c *AgentCommand) storePidFile(pidPath string) error {
-	// Quit fast if no pidfile
-	if pidPath == "" {
-		return nil
-	}
-
-	// Open the PID file
-	pidFile, err := os.OpenFile(pidPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600)
-	if err != nil {
-		return fmt.Errorf("could not open pid file: %w", err)
-	}
-	defer pidFile.Close()
-
-	// Write out the PID
-	pid := os.Getpid()
-	_, err = pidFile.WriteString(fmt.Sprintf("%d", pid))
-	if err != nil {
-		return fmt.Errorf("could not write to pid file: %w", err)
-	}
-	return nil
-}
-
-// removePidFile is used to cleanup the PID file if necessary
-func (c *AgentCommand) removePidFile(pidPath string) error {
-	if pidPath == "" {
-		return nil
-	}
-	return os.Remove(pidPath)
-}
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
 
-func (c *AgentCommand) handleMetrics() http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method != http.MethodGet {
-			logical.RespondError(w, http.StatusMethodNotAllowed, nil)
-			return
-		}
+		client, closer := testVaultServerBad(t)
+		defer closer()
 
-		if err := r.ParseForm(); err != nil {
-			logical.RespondError(w, http.StatusBadRequest, err)
-			return
-		}
+		ui, cmd := testAuditEnableCommand(t)
+		cmd.client = client
 
-		format := r.Form.Get("format")
-		if format == "" {
-			format = metricsutil.FormatFromRequest(&logical.Request{
-				Headers: r.Header,
-			})
+		code := cmd.Run([]string{
+			"pki",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
 		}
 
-		resp := c.metricsHelper.ResponseForFormat(format)
-
-		status := resp.Data[logical.HTTPStatusCode].(int)
-		w.Header().Set("Content-Type", resp.Data[logical.HTTPContentType].(string))
-		switch v := resp.Data[logical.HTTPRawBody].(type) {
-		case string:
-			w.WriteHeader(status)
-			w.Write([]byte(v))
-		case []byte:
-			w.WriteHeader(status)
-			w.Write(v)
-		default:
-			logical.RespondError(w, http.StatusInternalServerError, fmt.Errorf("wrong response returned"))
+		expected := "Error enabling audit device: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
 		}
 	})
-}
 
-func (c *AgentCommand) handleQuit(enabled bool) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if !enabled {
-			w.WriteHeader(http.StatusNotFound)
-			return
-		}
-
-		switch r.Method {
-		case http.MethodPost:
-		default:
-			w.WriteHeader(http.StatusMethodNotAllowed)
-			return
-		}
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
 
-		c.logger.Debug("received quit request")
-		close(c.ShutdownCh)
+		_, cmd := testAuditEnableCommand(t)
+		assertNoTabs(t, cmd)
 	})
-}
-
-// newLogger creates a logger based on parsed config field on the Agent Command struct.
-func (c *AgentCommand) newLogger() (log.InterceptLogger, error) {
-	if c.config == nil {
-		return nil, fmt.Errorf("cannot create logger, no config")
-	}
-
-	var errors error
-
-	// Parse all the log related config
-	logLevel, err := logging.ParseLogLevel(c.config.LogLevel)
-	if err != nil {
-		errors = multierror.Append(errors, err)
-	}
-
-	logFormat, err := logging.ParseLogFormat(c.config.LogFormat)
-	if err != nil {
-		errors = multierror.Append(errors, err)
-	}
-
-	logRotateDuration, err := parseutil.ParseDurationSecond(c.config.LogRotateDuration)
-	if err != nil {
-		errors = multierror.Append(errors, err)
-	}
 
-	if errors != nil {
-		return nil, errors
-	}
-
-	logCfg := &logging.LogConfig{
-		Name:              "agent",
-		LogLevel:          logLevel,
-		LogFormat:         logFormat,
-		LogFilePath:       c.config.LogFile,
-		LogRotateDuration: logRotateDuration,
-		LogRotateBytes:    c.config.LogRotateBytes,
-		LogRotateMaxFiles: c.config.LogRotateMaxFiles,
-	}
-
-	l, err := logging.Setup(logCfg, c.logWriter)
-	if err != nil {
-		return nil, err
-	}
+	t.Run("mount_all", func(t *testing.T) {
+		t.Parallel()
 
-	return l, nil
-}
-
-// loadConfig attempts to generate an Agent config from the file(s) specified.
-func (c *AgentCommand) loadConfig(paths []string) (*agentConfig.Config, error) {
-	var errors error
-	cfg := agentConfig.NewConfig()
+		client, closer := testVaultServerAllBackends(t)
+		defer closer()
 
-	for _, configPath := range paths {
-		configFromPath, err := agentConfig.LoadConfig(configPath)
+		files, err := ioutil.ReadDir("../builtin/audit")
 		if err != nil {
-			errors = multierror.Append(errors, fmt.Errorf("error loading configuration from %s: %w", configPath, err))
-		} else {
-			cfg = cfg.Merge(configFromPath)
+			t.Fatal(err)
 		}
-	}
-
-	if errors != nil {
-		return nil, errors
-	}
-
-	if err := cfg.ValidateConfig(); err != nil {
-		return nil, fmt.Errorf("error validating configuration: %w", err)
-	}
-
-	return cfg, nil
-}
-
-// reloadConfig will attempt to reload the config from file(s) and adjust certain
-// config values without requiring a restart of the Vault Agent.
-// If config is retrieved without error it is stored in the config field of the AgentCommand.
-// This operation is not atomic and could result in updated config but partially applied config settings.
-// The error returned from this func may be a multierror.
-// This function will most likely be called due to Vault Agent receiving a SIGHUP signal.
-// Currently only reloading the following are supported:
-// * log level
-// * TLS certs for listeners
-func (c *AgentCommand) reloadConfig(paths []string) error {
-	// Notify systemd that the server is reloading
-	c.notifySystemd(systemd.SdNotifyReloading)
-	defer c.notifySystemd(systemd.SdNotifyReady)
-
-	var errors error
-
-	// Reload the config
-	cfg, err := c.loadConfig(paths)
-	if err != nil {
-		// Returning single error as we won't continue with bad config and won't 'commit' it.
-		return err
-	}
-	c.config = cfg
-
-	// Update the log level
-	err = c.reloadLogLevel()
-	if err != nil {
-		errors = multierror.Append(errors, err)
-	}
 
-	// Update certs
-	err = c.reloadCerts()
-	if err != nil {
-		errors = multierror.Append(errors, err)
-	}
-
-	return errors
-}
-
-// reloadLogLevel will attempt to update the log level for the logger attached
-// to the AgentComment struct using the value currently set in config.
-func (c *AgentCommand) reloadLogLevel() error {
-	logLevel, err := logging.ParseLogLevel(c.config.LogLevel)
-	if err != nil {
-		return err
-	}
-
-	c.logger.SetLevel(logLevel)
-
-	return nil
-}
-
-// reloadCerts will attempt to reload certificates using a reload func which
-// was provided when the listeners were configured, only funcs that were appended
-// to the AgentCommand slice will be invoked.
-// This function returns a multierror type so that every func can report an error
-// if it encounters one.
-func (c *AgentCommand) reloadCerts() error {
-	var errors error
-
-	c.tlsReloadFuncsLock.RLock()
-	defer c.tlsReloadFuncsLock.RUnlock()
-
-	for _, reloadFunc := range c.tlsReloadFuncs {
-		// Non-TLS listeners will have a nil reload func.
-		if reloadFunc != nil {
-			err := reloadFunc()
-			if err != nil {
-				errors = multierror.Append(errors, err)
+		var backends []string
+		for _, f := range files {
+			if f.IsDir() {
+				backends = append(backends, f.Name())
 			}
 		}
-	}
 
-	return errors
-}
+		for _, b := range backends {
+			ui, cmd := testAuditEnableCommand(t)
+			cmd.client = client
 
-// outputErrors will take an error or multierror and handle outputting each to the UI
-func (c *AgentCommand) outputErrors(err error) {
-	if err != nil {
-		if me, ok := err.(*multierror.Error); ok {
-			for _, err := range me.Errors {
-				c.UI.Error(err.Error())
+			args := []string{
+				b,
+			}
+			switch b {
+			case "file":
+				args = append(args, "file_path=discard")
+			case "socket":
+				args = append(args, "address=127.0.0.1:8888",
+					"skip_test=true")
+			case "syslog":
+				if _, exists := os.LookupEnv("WSLENV"); exists {
+					t.Log("skipping syslog test on WSL")
+					continue
+				}
+				if os.Getenv("CIRCLECI") == "true" {
+					// TODO install syslog in docker image we run our tests in
+					t.Log("skipping syslog test on CircleCI")
+					continue
+				}
+			}
+			code := cmd.Run(args)
+			if exp := 0; code != exp {
+				t.Errorf("type %s, expected %d to be %d - %s", b, code, exp, ui.OutputWriter.String()+ui.ErrorWriter.String())
 			}
-		} else {
-			c.UI.Error(err.Error())
 		}
-	}
+	})
 }
diff --git a/command/agent/internal/ctmanager/runner_config.go b/command/agent/internal/ctmanager/runner_config.go
index 21b3bc8e82a1..cf3a16f0f079 100644
--- a/command/agent/internal/ctmanager/runner_config.go
+++ b/command/agent/internal/ctmanager/runner_config.go
@@ -1,152 +1,171 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package ctmanager
+package command
 
 import (
 	"fmt"
-	"io"
+	"sort"
 	"strings"
 
-	ctconfig "github.com/hashicorp/consul-template/config"
-	ctlogging "github.com/hashicorp/consul-template/logging"
-	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
+)
 
-	"github.com/hashicorp/vault/command/agent/config"
-	"github.com/hashicorp/vault/sdk/helper/pointerutil"
+var (
+	_ cli.Command             = (*AuditListCommand)(nil)
+	_ cli.CommandAutocomplete = (*AuditListCommand)(nil)
 )
 
-type ManagerConfig struct {
-	AgentConfig *config.Config
-	Namespace   string
-	LogLevel    hclog.Level
-	LogWriter   io.Writer
+type AuditListCommand struct {
+	*BaseCommand
+
+	flagDetailed bool
 }
 
-// NewConfig returns a consul-template runner configuration, setting the
-// Vault and Consul configurations based on the clients configs.
-func NewConfig(mc ManagerConfig, templates ctconfig.TemplateConfigs) (*ctconfig.Config, error) {
-	conf := ctconfig.DefaultConfig()
-	conf.Templates = templates.Copy()
+func (c *AuditListCommand) Synopsis() string {
+	return "Lists enabled audit devices"
+}
 
-	// Setup the Vault config
-	// Always set these to ensure nothing is picked up from the environment
-	conf.Vault.RenewToken = pointerutil.BoolPtr(false)
-	conf.Vault.Token = pointerutil.StringPtr("")
-	conf.Vault.Address = &mc.AgentConfig.Vault.Address
+func (c *AuditListCommand) Help() string {
+	helpText := `
+Usage: vault audit list [options]
 
-	if mc.Namespace != "" {
-		conf.Vault.Namespace = &mc.Namespace
-	}
+  Lists the enabled audit devices in the Vault server. The output lists the
+  enabled audit devices and the options for those devices.
 
-	if mc.AgentConfig.TemplateConfig != nil && mc.AgentConfig.TemplateConfig.StaticSecretRenderInt != 0 {
-		conf.Vault.DefaultLeaseDuration = &mc.AgentConfig.TemplateConfig.StaticSecretRenderInt
-	}
+  List all audit devices:
+
+      $ vault audit list
+
+  List detailed output about the audit devices:
+
+      $ vault audit list -detailed
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *AuditListCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+
+	f := set.NewFlagSet("Command Options")
+
+	f.BoolVar(&BoolVar{
+		Name:    "detailed",
+		Target:  &c.flagDetailed,
+		Default: false,
+		EnvVar:  "",
+		Usage: "Print detailed information such as options and replication " +
+			"status about each auth device.",
+	})
+
+	return set
+}
+
+func (c *AuditListCommand) AutocompleteArgs() complete.Predictor {
+	return nil
+}
 
-	if mc.AgentConfig.DisableIdleConnsTemplating {
-		idleConns := -1
-		conf.Vault.Transport.MaxIdleConns = &idleConns
+func (c *AuditListCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *AuditListCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
 	}
 
-	if mc.AgentConfig.DisableKeepAlivesTemplating {
-		conf.Vault.Transport.DisableKeepAlives = pointerutil.BoolPtr(true)
+	args = f.Args()
+	if len(args) > 0 {
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(args)))
+		return 1
 	}
 
-	conf.Vault.SSL = &ctconfig.SSLConfig{
-		Enabled:    pointerutil.BoolPtr(false),
-		Verify:     pointerutil.BoolPtr(false),
-		Cert:       pointerutil.StringPtr(""),
-		Key:        pointerutil.StringPtr(""),
-		CaCert:     pointerutil.StringPtr(""),
-		CaPath:     pointerutil.StringPtr(""),
-		ServerName: pointerutil.StringPtr(""),
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
 	}
 
-	// If Vault.Retry isn't specified, use the default of 12 retries.
-	// This retry value will be respected regardless of if we use the cache.
-	attempts := ctconfig.DefaultRetryAttempts
-	if mc.AgentConfig.Vault != nil && mc.AgentConfig.Vault.Retry != nil {
-		attempts = mc.AgentConfig.Vault.Retry.NumRetries
+	audits, err := client.Sys().ListAudit()
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error listing audits: %s", err))
+		return 2
 	}
 
-	// Use the cache if available or fallback to the Vault server values.
-	if mc.AgentConfig.Cache != nil {
-		if mc.AgentConfig.Cache.InProcDialer == nil {
-			return nil, fmt.Errorf("missing in-process dialer configuration")
+	switch Format(c.UI) {
+	case "table":
+		if len(audits) == 0 {
+			c.UI.Output("No audit devices are enabled.")
+			return 2
 		}
-		if conf.Vault.Transport == nil {
-			conf.Vault.Transport = &ctconfig.TransportConfig{}
-		}
-		conf.Vault.Transport.CustomDialer = mc.AgentConfig.Cache.InProcDialer
-		// The in-process dialer ignores the address passed in, but we're still
-		// setting it here to override the setting at the top of this function,
-		// and to prevent the vault/http client from defaulting to https.
-		conf.Vault.Address = pointerutil.StringPtr("http://127.0.0.1:8200")
-	} else if strings.HasPrefix(mc.AgentConfig.Vault.Address, "https") || mc.AgentConfig.Vault.CACert != "" {
-		skipVerify := mc.AgentConfig.Vault.TLSSkipVerify
-		verify := !skipVerify
-		conf.Vault.SSL = &ctconfig.SSLConfig{
-			Enabled:    pointerutil.BoolPtr(true),
-			Verify:     &verify,
-			Cert:       &mc.AgentConfig.Vault.ClientCert,
-			Key:        &mc.AgentConfig.Vault.ClientKey,
-			CaCert:     &mc.AgentConfig.Vault.CACert,
-			CaPath:     &mc.AgentConfig.Vault.CAPath,
-			ServerName: &mc.AgentConfig.Vault.TLSServerName,
+
+		if c.flagDetailed {
+			c.UI.Output(tableOutput(c.detailedAudits(audits), nil))
+			return 0
 		}
+		c.UI.Output(tableOutput(c.simpleAudits(audits), nil))
+		return 0
+	default:
+		return OutputData(c.UI, audits)
+	}
+}
+
+func (c *AuditListCommand) simpleAudits(audits map[string]*api.Audit) []string {
+	paths := make([]string, 0, len(audits))
+	for path := range audits {
+		paths = append(paths, path)
 	}
-	enabled := attempts > 0
-	conf.Vault.Retry = &ctconfig.RetryConfig{
-		Attempts: &attempts,
-		Enabled:  &enabled,
+	sort.Strings(paths)
+
+	columns := []string{"Path | Type | Description"}
+	for _, path := range paths {
+		audit := audits[path]
+		columns = append(columns, fmt.Sprintf("%s | %s | %s",
+			audit.Path,
+			audit.Type,
+			audit.Description,
+		))
 	}
 
-	// Sync Consul Template's retry with user set auto-auth initial backoff value.
-	// This is helpful if Auto Auth cannot get a new token and CT is trying to fetch
-	// secrets.
-	if mc.AgentConfig.AutoAuth != nil && mc.AgentConfig.AutoAuth.Method != nil {
-		if mc.AgentConfig.AutoAuth.Method.MinBackoff > 0 {
-			conf.Vault.Retry.Backoff = &mc.AgentConfig.AutoAuth.Method.MinBackoff
-		}
+	return columns
+}
 
-		if mc.AgentConfig.AutoAuth.Method.MaxBackoff > 0 {
-			conf.Vault.Retry.MaxBackoff = &mc.AgentConfig.AutoAuth.Method.MaxBackoff
-		}
+func (c *AuditListCommand) detailedAudits(audits map[string]*api.Audit) []string {
+	paths := make([]string, 0, len(audits))
+	for path := range audits {
+		paths = append(paths, path)
 	}
+	sort.Strings(paths)
 
-	conf.Finalize()
+	columns := []string{"Path | Type | Description | Replication | Options"}
+	for _, path := range paths {
+		audit := audits[path]
 
-	// setup log level from TemplateServer config
-	conf.LogLevel = logLevelToStringPtr(mc.LogLevel)
+		opts := make([]string, 0, len(audit.Options))
+		for k, v := range audit.Options {
+			opts = append(opts, k+"="+v)
+		}
 
-	if err := ctlogging.Setup(&ctlogging.Config{
-		Level:  *conf.LogLevel,
-		Writer: mc.LogWriter,
-	}); err != nil {
-		return nil, err
-	}
-	return conf, nil
-}
+		replication := "replicated"
+		if audit.Local {
+			replication = "local"
+		}
 
-// logLevelToString converts a go-hclog level to a matching, uppercase string
-// value. It's used to convert Vault Agent's hclog level to a string version
-// suitable for use in Consul Template's runner configuration input.
-func logLevelToStringPtr(level hclog.Level) *string {
-	// consul template's default level is WARN, but Vault Agent's default is INFO,
-	// so we use that for the Runner's default.
-	var levelStr string
-
-	switch level {
-	case hclog.Trace:
-		levelStr = "TRACE"
-	case hclog.Debug:
-		levelStr = "DEBUG"
-	case hclog.Warn:
-		levelStr = "WARN"
-	case hclog.Error:
-		levelStr = "ERR"
-	default:
-		levelStr = "INFO"
+		columns = append(columns, fmt.Sprintf("%s | %s | %s | %s | %s",
+			path,
+			audit.Type,
+			audit.Description,
+			replication,
+			strings.Join(opts, " "),
+		))
 	}
-	return pointerutil.StringPtr(levelStr)
+
+	return columns
 }
diff --git a/command/agent_generate_config.go b/command/agent_generate_config.go
index f2ff1abf9559..43ddbacf91f2 100644
--- a/command/agent_generate_config.go
+++ b/command/agent_generate_config.go
@@ -4,439 +4,111 @@
 package command
 
 import (
-	"context"
-	"fmt"
-	"io"
-	"os"
-	paths "path"
-	"sort"
 	"strings"
-	"unicode"
+	"testing"
 
-	"github.com/hashicorp/hcl/v2/gohcl"
-	"github.com/hashicorp/hcl/v2/hclwrite"
+	"github.com/hashicorp/cli"
 	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/mitchellh/go-homedir"
-	"github.com/posener/complete"
 )
 
-var (
-	_ cli.Command             = (*AgentGenerateConfigCommand)(nil)
-	_ cli.CommandAutocomplete = (*AgentGenerateConfigCommand)(nil)
-)
-
-type AgentGenerateConfigCommand struct {
-	*BaseCommand
-
-	flagType  string
-	flagPaths []string
-	flagExec  string
-}
-
-func (c *AgentGenerateConfigCommand) Synopsis() string {
-	return "Generate a Vault Agent configuration file."
-}
-
-func (c *AgentGenerateConfigCommand) Help() string {
-	helpText := `
-Usage: vault agent generate-config [options] [path/to/config.hcl]
-
-  Generates a simple Vault Agent configuration file from the given parameters.
-
-  Currently, the only supported configuration type is 'env-template', which
-  helps you generate a configuration file with environment variable templates
-  for running Vault Agent in process supervisor mode.
-
-  For every specified secret -path, the command will attempt to generate one or
-  multiple 'env_template' entries based on the JSON key(s) stored in the
-  specified secret. If the secret -path ends with '/*', the command will
-  attempt to recurse through the secrets tree rooted at the given path,
-  generating 'env_template' entries for each encountered secret. Currently,
-  only kv-v1 and kv-v2 paths are supported.
-
-  The command specified in the '-exec' option will be used to generate an
-  'exec' entry, which will tell Vault Agent which child process to run.
-
-  In addition to env_template entries, the command generates an 'auto_auth'
-  section with 'token_file' authentication method. While this method is very
-  convenient for local testing, it should NOT be used in production. Please
-  see https://developer.hashicorp.com/vault/docs/agent-and-proxy/autoauth/methods
-  for a list of production-ready auto_auth methods that you can use instead.
-
-  By default, the file will be generated in the local directory as 'agent.hcl'
-  unless a path is specified as an argument.
-
-  Generate a simple environment variable template configuration:
-
-      $ vault agent generate-config -type="env-template" \
-                    -exec="./my-app arg1 arg2" \
-                    -path="secret/foo"
-
-  Generate an environment variable template configuration for multiple secrets:
-
-      $ vault agent generate-config -type="env-template" \
-                    -exec="./my-app arg1 arg2" \
-                    -path="secret/foo" \
-                    -path="secret/bar" \
-                    -path="secret/my-app/*"
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *AgentGenerateConfigCommand) Flags() *FlagSets {
-	// Include client-modifying flags (-address, -namespace, etc.)
-	set := c.flagSet(FlagSetHTTP)
-
-	// Common Options
-	f := set.NewFlagSet("Command Options")
-
-	f.StringVar(&StringVar{
-		Name:   "type",
-		Target: &c.flagType,
-		Usage:  "Type of configuration file to generate; currently, only 'env-template' is supported.",
-		Completion: complete.PredictSet(
-			"env-template",
-		),
-	})
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:       "path",
-		Target:     &c.flagPaths,
-		Usage:      "Path to a kv-v1 or kv-v2 secret (e.g. secret/data/foo, kv-v2/prefix/*); multiple secrets and tail '*' wildcards are allowed.",
-		Completion: c.PredictVaultFolders(),
-	})
-
-	f.StringVar(&StringVar{
-		Name:    "exec",
-		Target:  &c.flagExec,
-		Default: "env",
-		Usage:   "The command to execute in agent process supervisor mode.",
-	})
-
-	return set
-}
-
-func (c *AgentGenerateConfigCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictNothing
-}
+func testAuditListCommand(tb testing.TB) (*cli.MockUi, *AuditListCommand) {
+	tb.Helper()
 
-func (c *AgentGenerateConfigCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *AgentGenerateConfigCommand) Run(args []string) int {
-	flags := c.Flags()
-
-	if err := flags.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = flags.Args()
-
-	if len(args) > 1 {
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected at most 1, got %d)", len(args)))
-		return 1
-	}
-
-	if c.flagType == "" {
-		c.UI.Error(`Please specify a -type flag; currently only -type="env-template" is supported.`)
-		return 1
-	}
-
-	if c.flagType != "env-template" {
-		c.UI.Error(fmt.Sprintf(`%q is not a supported configuration type; currently only -type="env-template" is supported.`, c.flagType))
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	config, err := generateConfiguration(context.Background(), client, c.flagExec, c.flagPaths)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error: %v", err))
-		return 2
-	}
-
-	var configPath string
-	if len(args) == 1 {
-		configPath = args[0]
-	} else {
-		configPath = "agent.hcl"
-	}
-
-	f, err := os.Create(configPath)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Could not create configuration file %q: %v", configPath, err))
-		return 3
-	}
-	defer func() {
-		if err := f.Close(); err != nil {
-			c.UI.Error(fmt.Sprintf("Could not close configuration file %q: %v", configPath, err))
-		}
-	}()
-
-	if _, err := config.WriteTo(f); err != nil {
-		c.UI.Error(fmt.Sprintf("Could not write to configuration file %q: %v", configPath, err))
-		return 3
+	ui := cli.NewMockUi()
+	return ui, &AuditListCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
 	}
-
-	c.UI.Info(fmt.Sprintf("Successfully generated %q configuration file!", configPath))
-
-	c.UI.Warn("Warning: the generated file uses 'token_file' authentication method, which is not suitable for production environments.")
-
-	return 0
 }
 
-func generateConfiguration(ctx context.Context, client *api.Client, flagExec string, flagPaths []string) (io.WriterTo, error) {
-	var execCommand []string
-	if flagExec != "" {
-		execCommand = strings.Split(flagExec, " ")
-	} else {
-		execCommand = []string{"env"}
-	}
-
-	tokenPath, err := homedir.Expand("~/.vault-token")
-	if err != nil {
-		return nil, fmt.Errorf("could not expand home directory: %w", err)
-	}
+func TestAuditListCommand_Run(t *testing.T) {
+	t.Parallel()
 
-	templates, err := constructTemplates(ctx, client, flagPaths)
-	if err != nil {
-		return nil, fmt.Errorf("could not generate templates: %w", err)
-	}
-
-	config := generatedConfig{
-		AutoAuth: generatedConfigAutoAuth{
-			Method: generatedConfigAutoAuthMethod{
-				Type: "token_file",
-				Config: generatedConfigAutoAuthMethodConfig{
-					TokenFilePath: tokenPath,
-				},
-			},
-		},
-		TemplateConfig: generatedConfigTemplateConfig{
-			StaticSecretRenderInterval: "5m",
-			ExitOnRetryFailure:         true,
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"too_many_args",
+			[]string{"foo"},
+			"Too many arguments",
+			1,
 		},
-		Vault: generatedConfigVault{
-			Address: client.Address(),
+		{
+			"lists",
+			nil,
+			"Path",
+			0,
 		},
-		Exec: generatedConfigExec{
-			Command:                execCommand,
-			RestartOnSecretChanges: "always",
-			RestartStopSignal:      "SIGTERM",
+		{
+			"detailed",
+			[]string{"-detailed"},
+			"Options",
+			0,
 		},
-		EnvTemplates: templates,
 	}
 
-	contents := hclwrite.NewEmptyFile()
+	for _, tc := range cases {
+		tc := tc
 
-	gohcl.EncodeIntoBody(&config, contents.Body())
-
-	return contents, nil
-}
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
 
-func constructTemplates(ctx context.Context, client *api.Client, paths []string) ([]generatedConfigEnvTemplate, error) {
-	var templates []generatedConfigEnvTemplate
+			client, closer := testVaultServer(t)
+			defer closer()
 
-	for _, path := range paths {
-		path = sanitizePath(path)
+			if err := client.Sys().EnableAuditWithOptions("file", &api.EnableAuditOptions{
+				Type: "file",
+				Options: map[string]string{
+					"file_path": "discard",
+				},
+			}); err != nil {
+				t.Fatal(err)
+			}
 
-		mountPath, v2, err := isKVv2(path, client)
-		if err != nil {
-			return nil, fmt.Errorf("could not validate secret path %q: %w", path, err)
-		}
+			ui, cmd := testAuditListCommand(t)
+			cmd.client = client
 
-		switch {
-		case strings.HasSuffix(path, "/*"):
-			// this path contains a tail wildcard, attempt to walk the tree
-			t, err := constructTemplatesFromTree(ctx, client, path[:len(path)-2], mountPath, v2)
-			if err != nil {
-				return nil, fmt.Errorf("could not traverse sercet at %q: %w", path, err)
+			code := cmd.Run(tc.args)
+			if code != tc.code {
+				t.Errorf("expected %d to be %d", code, tc.code)
 			}
-			templates = append(templates, t...)
-
-		case strings.Contains(path, "*"):
-			// don't allow any other wildcards
-			return nil, fmt.Errorf("the path %q cannot contain '*' wildcard characters except as the last element of the path", path)
 
-		default:
-			// regular secret path
-			t, err := constructTemplatesFromSecret(ctx, client, path, mountPath, v2)
-			if err != nil {
-				return nil, fmt.Errorf("could not read secret at %q: %v", path, err)
+			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+			if !strings.Contains(combined, tc.out) {
+				t.Errorf("expected %q to contain %q", combined, tc.out)
 			}
-			templates = append(templates, t...)
-		}
+		})
 	}
 
-	return templates, nil
-}
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
 
-func constructTemplatesFromTree(ctx context.Context, client *api.Client, path, mountPath string, v2 bool) ([]generatedConfigEnvTemplate, error) {
-	var templates []generatedConfigEnvTemplate
+		client, closer := testVaultServerBad(t)
+		defer closer()
 
-	if v2 {
-		metadataPath := strings.Replace(
-			path,
-			paths.Join(mountPath, "data"),
-			paths.Join(mountPath, "metadata"),
-			1,
-		)
-		if path != metadataPath {
-			path = metadataPath
-		} else {
-			path = addPrefixToKVPath(path, mountPath, "metadata", true)
-		}
-	}
+		ui, cmd := testAuditListCommand(t)
+		cmd.client = client
 
-	err := walkSecretsTree(ctx, client, path, func(child string, directory bool) error {
-		if directory {
-			return nil
+		code := cmd.Run([]string{})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
 		}
 
-		dataPath := strings.Replace(
-			child,
-			paths.Join(mountPath, "metadata"),
-			paths.Join(mountPath, "data"),
-			1,
-		)
-
-		t, err := constructTemplatesFromSecret(ctx, client, dataPath, mountPath, v2)
-		if err != nil {
-			return err
+		expected := "Error listing audits: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
 		}
-		templates = append(templates, t...)
-
-		return nil
 	})
-	if err != nil {
-		return nil, err
-	}
-
-	return templates, nil
-}
-
-func constructTemplatesFromSecret(ctx context.Context, client *api.Client, path, mountPath string, v2 bool) ([]generatedConfigEnvTemplate, error) {
-	var templates []generatedConfigEnvTemplate
-
-	if v2 {
-		path = addPrefixToKVPath(path, mountPath, "data", true)
-	}
-
-	resp, err := client.Logical().ReadWithContext(ctx, path)
-	if err != nil {
-		return nil, fmt.Errorf("error querying: %w", err)
-	}
-	if resp == nil {
-		return nil, fmt.Errorf("secret not found")
-	}
-
-	var data map[string]interface{}
-	if v2 {
-		internal, ok := resp.Data["data"]
-		if !ok {
-			return nil, fmt.Errorf("secret.Data not found")
-		}
-		data = internal.(map[string]interface{})
-	} else {
-		data = resp.Data
-	}
-
-	fields := make([]string, 0, len(data))
-
-	for field := range data {
-		fields = append(fields, field)
-	}
-
-	// sort for a deterministic output
-	sort.Strings(fields)
-
-	var dataContents string
-	if v2 {
-		dataContents = ".Data.data"
-	} else {
-		dataContents = ".Data"
-	}
-
-	for _, field := range fields {
-		templates = append(templates, generatedConfigEnvTemplate{
-			Name:              constructDefaultEnvironmentKey(path, field),
-			Contents:          fmt.Sprintf(`{{ with secret "%s" }}{{ %s.%s }}{{ end }}`, path, dataContents, field),
-			ErrorOnMissingKey: true,
-		})
-	}
-
-	return templates, nil
-}
-
-func constructDefaultEnvironmentKey(path string, field string) string {
-	pathParts := strings.Split(path, "/")
-	pathPartsLast := pathParts[len(pathParts)-1]
-
-	notLetterOrNumber := func(r rune) bool {
-		return !unicode.IsLetter(r) && !unicode.IsNumber(r)
-	}
-
-	p1 := strings.FieldsFunc(pathPartsLast, notLetterOrNumber)
-	p2 := strings.FieldsFunc(field, notLetterOrNumber)
-
-	keyParts := append(p1, p2...)
-
-	return strings.ToUpper(strings.Join(keyParts, "_"))
-}
 
-// Below, we are redefining a subset of the configuration-related structures
-// defined under command/agent/config. Using these structures we can tailor the
-// output of the generated config, while using the original structures would
-// have produced an HCL document with many empty fields. The structures below
-// should not be used for anything other than generation.
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
 
-type generatedConfig struct {
-	AutoAuth       generatedConfigAutoAuth       `hcl:"auto_auth,block"`
-	TemplateConfig generatedConfigTemplateConfig `hcl:"template_config,block"`
-	Vault          generatedConfigVault          `hcl:"vault,block"`
-	EnvTemplates   []generatedConfigEnvTemplate  `hcl:"env_template,block"`
-	Exec           generatedConfigExec           `hcl:"exec,block"`
-}
-
-type generatedConfigTemplateConfig struct {
-	StaticSecretRenderInterval string `hcl:"static_secret_render_interval"`
-	ExitOnRetryFailure         bool   `hcl:"exit_on_retry_failure"`
-}
-
-type generatedConfigExec struct {
-	Command                []string `hcl:"command"`
-	RestartOnSecretChanges string   `hcl:"restart_on_secret_changes"`
-	RestartStopSignal      string   `hcl:"restart_stop_signal"`
-}
-
-type generatedConfigEnvTemplate struct {
-	Name              string `hcl:"name,label"`
-	Contents          string `hcl:"contents,attr"`
-	ErrorOnMissingKey bool   `hcl:"error_on_missing_key"`
-}
-
-type generatedConfigVault struct {
-	Address string `hcl:"address"`
-}
-
-type generatedConfigAutoAuth struct {
-	Method generatedConfigAutoAuthMethod `hcl:"method,block"`
-}
-
-type generatedConfigAutoAuthMethod struct {
-	Type   string                              `hcl:"type"`
-	Config generatedConfigAutoAuthMethodConfig `hcl:"config,block"`
-}
-
-type generatedConfigAutoAuthMethodConfig struct {
-	TokenFilePath string `hcl:"token_file_path"`
+		_, cmd := testAuditListCommand(t)
+		assertNoTabs(t, cmd)
+	})
 }
diff --git a/command/agent_test.go b/command/agent_test.go
index d3868d43a114..ace2085cfb28 100644
--- a/command/agent_test.go
+++ b/command/agent_test.go
@@ -1,3086 +1,33 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/json"
-	"fmt"
-	"io"
-	"net"
-	"net/http"
-	"os"
-	"path/filepath"
-	"reflect"
-	"strings"
-	"sync"
-	"testing"
-	"time"
-
-	"github.com/hashicorp/go-hclog"
-	vaultjwt "github.com/hashicorp/vault-plugin-auth-jwt"
-	logicalKv "github.com/hashicorp/vault-plugin-secrets-kv"
-	"github.com/hashicorp/vault/api"
-	credAppRole "github.com/hashicorp/vault/builtin/credential/approle"
-	"github.com/hashicorp/vault/command/agent"
-	agentConfig "github.com/hashicorp/vault/command/agent/config"
-	"github.com/hashicorp/vault/helper/testhelpers/minimal"
-	"github.com/hashicorp/vault/helper/useragent"
-	vaulthttp "github.com/hashicorp/vault/http"
-	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/hashicorp/vault/sdk/helper/logging"
-	"github.com/hashicorp/vault/sdk/helper/pointerutil"
-	"github.com/hashicorp/vault/sdk/logical"
-	"github.com/hashicorp/vault/vault"
-	"github.com/mitchellh/cli"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-const (
-	BasicHclConfig = `
-log_file = "TMPDIR/juan.log"
-log_level="warn"
-log_rotate_max_files=2
-log_rotate_bytes=1048576
-vault {
-	address = "http://127.0.0.1:8200"
-	retry {
-		num_retries = 5
-	}
-}
-
-listener "tcp" {
-	address = "127.0.0.1:8100"
-	tls_disable = false
-	tls_cert_file = "TMPDIR/reload_cert.pem"
-  	tls_key_file  = "TMPDIR/reload_key.pem"
-}`
-	BasicHclConfig2 = `
-log_file = "TMPDIR/juan.log"
-log_level="debug"
-log_rotate_max_files=-1
-log_rotate_bytes=1048576
-vault {
-	address = "http://127.0.0.1:8200"
-	retry {
-		num_retries = 5
-	}
-}
-
-listener "tcp" {
-	address = "127.0.0.1:8100"
-	tls_disable = false
-	tls_cert_file = "TMPDIR/reload_cert.pem"
-  	tls_key_file  = "TMPDIR/reload_key.pem"
-}`
-)
-
-func testAgentCommand(tb testing.TB, logger hclog.Logger) (*cli.MockUi, *AgentCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &AgentCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-		ShutdownCh: MakeShutdownCh(),
-		SighupCh:   MakeSighupCh(),
-		logger:     logger,
-		startedCh:  make(chan struct{}, 5),
-		reloadedCh: make(chan struct{}, 5),
-	}
-}
-
-func TestAgent_ExitAfterAuth(t *testing.T) {
-	t.Run("via_config", func(t *testing.T) {
-		testAgentExitAfterAuth(t, false)
-	})
-
-	t.Run("via_flag", func(t *testing.T) {
-		testAgentExitAfterAuth(t, true)
-	})
-}
-
-func testAgentExitAfterAuth(t *testing.T, viaFlag bool) {
-	logger := logging.NewVaultLogger(hclog.Trace)
-	coreConfig := &vault.CoreConfig{
-		CredentialBackends: map[string]logical.Factory{
-			"jwt": vaultjwt.Factory,
-		},
-	}
-	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
-		HandlerFunc: vaulthttp.Handler,
-	})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
-	client := cluster.Cores[0].Client
-
-	// Setup Vault
-	err := client.Sys().EnableAuthWithOptions("jwt", &api.EnableAuthOptions{
-		Type: "jwt",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = client.Logical().Write("auth/jwt/config", map[string]interface{}{
-		"bound_issuer":           "https://team-vault.auth0.com/",
-		"jwt_validation_pubkeys": agent.TestECDSAPubKey,
-		"jwt_supported_algs":     "ES256",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = client.Logical().Write("auth/jwt/role/test", map[string]interface{}{
-		"role_type":       "jwt",
-		"bound_subject":   "r3qXcK2bix9eFECzsU3Sbmh0K16fatW6@clients",
-		"bound_audiences": "https://vault.plugin.auth.jwt.test",
-		"user_claim":      "https://vault/user",
-		"groups_claim":    "https://vault/groups",
-		"policies":        "test",
-		"period":          "3s",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	inf, err := os.CreateTemp("", "auth.jwt.test.")
-	if err != nil {
-		t.Fatal(err)
-	}
-	in := inf.Name()
-	inf.Close()
-	os.Remove(in)
-	t.Logf("input: %s", in)
-
-	sink1f, err := os.CreateTemp("", "sink1.jwt.test.")
-	if err != nil {
-		t.Fatal(err)
-	}
-	sink1 := sink1f.Name()
-	sink1f.Close()
-	os.Remove(sink1)
-	t.Logf("sink1: %s", sink1)
-
-	sink2f, err := os.CreateTemp("", "sink2.jwt.test.")
-	if err != nil {
-		t.Fatal(err)
-	}
-	sink2 := sink2f.Name()
-	sink2f.Close()
-	os.Remove(sink2)
-	t.Logf("sink2: %s", sink2)
-
-	conff, err := os.CreateTemp("", "conf.jwt.test.")
-	if err != nil {
-		t.Fatal(err)
-	}
-	conf := conff.Name()
-	conff.Close()
-	os.Remove(conf)
-	t.Logf("config: %s", conf)
-
-	jwtToken, _ := agent.GetTestJWT(t)
-	if err := os.WriteFile(in, []byte(jwtToken), 0o600); err != nil {
-		t.Fatal(err)
-	} else {
-		logger.Trace("wrote test jwt", "path", in)
-	}
-
-	exitAfterAuthTemplText := "exit_after_auth = true"
-	if viaFlag {
-		exitAfterAuthTemplText = ""
-	}
-
-	config := `
-%s
-
-auto_auth {
-        method {
-                type = "jwt"
-                config = {
-                        role = "test"
-                        path = "%s"
-                }
-        }
-
-        sink {
-                type = "file"
-                config = {
-                        path = "%s"
-                }
-        }
-
-        sink "file" {
-                config = {
-                        path = "%s"
-                }
-        }
-}
-`
-
-	config = fmt.Sprintf(config, exitAfterAuthTemplText, in, sink1, sink2)
-	if err := os.WriteFile(conf, []byte(config), 0o600); err != nil {
-		t.Fatal(err)
-	} else {
-		logger.Trace("wrote test config", "path", conf)
-	}
-
-	doneCh := make(chan struct{})
-	go func() {
-		ui, cmd := testAgentCommand(t, logger)
-		cmd.client = client
-
-		args := []string{"-config", conf}
-		if viaFlag {
-			args = append(args, "-exit-after-auth")
-		}
-
-		code := cmd.Run(args)
-		if code != 0 {
-			t.Errorf("expected %d to be %d", code, 0)
-			t.Logf("output from agent:\n%s", ui.OutputWriter.String())
-			t.Logf("error from agent:\n%s", ui.ErrorWriter.String())
-		}
-		close(doneCh)
-	}()
-
-	select {
-	case <-doneCh:
-		break
-	case <-time.After(1 * time.Minute):
-		t.Fatal("timeout reached while waiting for agent to exit")
-	}
-
-	sink1Bytes, err := os.ReadFile(sink1)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if len(sink1Bytes) == 0 {
-		t.Fatal("got no output from sink 1")
-	}
-
-	sink2Bytes, err := os.ReadFile(sink2)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if len(sink2Bytes) == 0 {
-		t.Fatal("got no output from sink 2")
-	}
-
-	if string(sink1Bytes) != string(sink2Bytes) {
-		t.Fatal("sink 1/2 values don't match")
-	}
-}
-
-func TestAgent_RequireRequestHeader(t *testing.T) {
-	// newApiClient creates an *api.Client.
-	newApiClient := func(addr string, includeVaultRequestHeader bool) *api.Client {
-		conf := api.DefaultConfig()
-		conf.Address = addr
-		cli, err := api.NewClient(conf)
-		if err != nil {
-			t.Fatalf("err: %s", err)
-		}
-
-		h := cli.Headers()
-		val, ok := h[consts.RequestHeaderName]
-		if !ok || !reflect.DeepEqual(val, []string{"true"}) {
-			t.Fatalf("invalid %s header", consts.RequestHeaderName)
-		}
-		if !includeVaultRequestHeader {
-			delete(h, consts.RequestHeaderName)
-			cli.SetHeaders(h)
-		}
-
-		return cli
-	}
-
-	//----------------------------------------------------
-	// Start the server and agent
-	//----------------------------------------------------
-
-	// Start a vault server
-	logger := logging.NewVaultLogger(hclog.Trace)
-	cluster := vault.NewTestCluster(t,
-		&vault.CoreConfig{
-			CredentialBackends: map[string]logical.Factory{
-				"approle": credAppRole.Factory,
-			},
-		},
-		&vault.TestClusterOptions{
-			HandlerFunc: vaulthttp.Handler,
-		})
-	cluster.Start()
-	defer cluster.Cleanup()
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
-	serverClient := cluster.Cores[0].Client
-
-	// Enable the approle auth method
-	roleIDPath, secretIDPath := setupAppRole(t, serverClient)
-
-	// Create a config file
-	config := `
-auto_auth {
-    method "approle" {
-        mount_path = "auth/approle"
-        config = {
-            role_id_file_path = "%s"
-            secret_id_file_path = "%s"
-        }
-    }
-}
-
-cache {
-    use_auto_auth_token = true
-}
-
-listener "tcp" {
-    address = "%s"
-    tls_disable = true
-}
-listener "tcp" {
-    address = "%s"
-    tls_disable = true
-    require_request_header = false
-}
-listener "tcp" {
-    address = "%s"
-    tls_disable = true
-    require_request_header = true
-}
-`
-	listenAddr1 := generateListenerAddress(t)
-	listenAddr2 := generateListenerAddress(t)
-	listenAddr3 := generateListenerAddress(t)
-	config = fmt.Sprintf(
-		config,
-		roleIDPath,
-		secretIDPath,
-		listenAddr1,
-		listenAddr2,
-		listenAddr3,
-	)
-	configPath := makeTempFile(t, "config.hcl", config)
-	defer os.Remove(configPath)
-
-	// Start the agent
-	ui, cmd := testAgentCommand(t, logger)
-	cmd.client = serverClient
-	cmd.startedCh = make(chan struct{})
-
-	var output string
-	var code int
-	wg := &sync.WaitGroup{}
-	wg.Add(1)
-	go func() {
-		code = cmd.Run([]string{"-config", configPath})
-		if code != 0 {
-			output = ui.ErrorWriter.String() + ui.OutputWriter.String()
-		}
-		wg.Done()
-	}()
-
-	select {
-	case <-cmd.startedCh:
-	case <-time.After(5 * time.Second):
-		t.Fatalf("timeout")
-	}
-
-	// defer agent shutdown
-	defer func() {
-		cmd.ShutdownCh <- struct{}{}
-		wg.Wait()
-		if code != 0 {
-			t.Fatalf("got a non-zero exit status: %d, stdout/stderr: %s", code, output)
-		}
-	}()
-
-	//----------------------------------------------------
-	// Perform the tests
-	//----------------------------------------------------
-
-	// Test against a listener configuration that omits
-	// 'require_request_header', with the header missing from the request.
-	agentClient := newApiClient("http://"+listenAddr1, false)
-	req := agentClient.NewRequest("GET", "/v1/sys/health")
-	request(t, agentClient, req, 200)
-
-	// Test against a listener configuration that sets 'require_request_header'
-	// to 'false', with the header missing from the request.
-	agentClient = newApiClient("http://"+listenAddr2, false)
-	req = agentClient.NewRequest("GET", "/v1/sys/health")
-	request(t, agentClient, req, 200)
-
-	// Test against a listener configuration that sets 'require_request_header'
-	// to 'true', with the header missing from the request.
-	agentClient = newApiClient("http://"+listenAddr3, false)
-	req = agentClient.NewRequest("GET", "/v1/sys/health")
-	resp, err := agentClient.RawRequest(req)
-	if err == nil {
-		t.Fatalf("expected error")
-	}
-	if resp.StatusCode != http.StatusPreconditionFailed {
-		t.Fatalf("expected status code %d, not %d", http.StatusPreconditionFailed, resp.StatusCode)
-	}
-
-	// Test against a listener configuration that sets 'require_request_header'
-	// to 'true', with an invalid header present in the request.
-	agentClient = newApiClient("http://"+listenAddr3, false)
-	h := agentClient.Headers()
-	h[consts.RequestHeaderName] = []string{"bogus"}
-	agentClient.SetHeaders(h)
-	req = agentClient.NewRequest("GET", "/v1/sys/health")
-	resp, err = agentClient.RawRequest(req)
-	if err == nil {
-		t.Fatalf("expected error")
-	}
-	if resp.StatusCode != http.StatusPreconditionFailed {
-		t.Fatalf("expected status code %d, not %d", http.StatusPreconditionFailed, resp.StatusCode)
-	}
-
-	// Test against a listener configuration that sets 'require_request_header'
-	// to 'true', with the proper header present in the request.
-	agentClient = newApiClient("http://"+listenAddr3, true)
-	req = agentClient.NewRequest("GET", "/v1/sys/health")
-	request(t, agentClient, req, 200)
-}
-
-// TestAgent_RequireAutoAuthWithForce ensures that the client exits with a
-// non-zero code if configured to force the use of an auto-auth token without
-// configuring the auto_auth block
-func TestAgent_RequireAutoAuthWithForce(t *testing.T) {
-	logger := logging.NewVaultLogger(hclog.Trace)
-	// Create a config file
-	config := fmt.Sprintf(`
-cache {
-    use_auto_auth_token = "force"
-}
-
-listener "tcp" {
-    address = "%s"
-    tls_disable = true
-}
-`, generateListenerAddress(t))
-
-	configPath := makeTempFile(t, "config.hcl", config)
-	defer os.Remove(configPath)
-
-	// Start the agent
-	ui, cmd := testAgentCommand(t, logger)
-	cmd.startedCh = make(chan struct{})
-
-	code := cmd.Run([]string{"-config", configPath})
-	if code == 0 {
-		t.Errorf("expected error code, but got 0: %d", code)
-		t.Logf("STDOUT from agent:\n%s", ui.OutputWriter.String())
-		t.Logf("STDERR from agent:\n%s", ui.ErrorWriter.String())
-	}
-}
-
-// TestAgent_Template_UserAgent Validates that the User-Agent sent to Vault
-// as part of Templating requests is correct. Uses the custom handler
-// userAgentHandler struct defined in this test package, so that Vault validates the
-// User-Agent on requests sent by Agent.
-func TestAgent_Template_UserAgent(t *testing.T) {
-	//----------------------------------------------------
-	// Start the server and agent
-	//----------------------------------------------------
-	logger := logging.NewVaultLogger(hclog.Trace)
-	var h userAgentHandler
-	cluster := vault.NewTestCluster(t,
-		&vault.CoreConfig{
-			CredentialBackends: map[string]logical.Factory{
-				"approle": credAppRole.Factory,
-			},
-			LogicalBackends: map[string]logical.Factory{
-				"kv": logicalKv.Factory,
-			},
-		},
-		&vault.TestClusterOptions{
-			NumCores: 1,
-			HandlerFunc: vaulthttp.HandlerFunc(
-				func(properties *vault.HandlerProperties) http.Handler {
-					h.props = properties
-					h.userAgentToCheckFor = useragent.AgentTemplatingString()
-					h.pathToCheck = "/v1/secret/data"
-					h.requestMethodToCheck = "GET"
-					h.t = t
-					return &h
-				}),
-		})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
-	serverClient := cluster.Cores[0].Client
-
-	// Unset the environment variable so that agent picks up the right test
-	// cluster address
-	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
-	os.Setenv(api.EnvVaultAddress, serverClient.Address())
-
-	roleIDPath, secretIDPath := setupAppRoleAndKVMounts(t, serverClient)
-
-	// make a temp directory to hold renders. Each test will create a temp dir
-	// inside this one
-	tmpDirRoot, err := os.MkdirTemp("", "agent-test-renders")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer os.RemoveAll(tmpDirRoot)
-	// create temp dir for this test run
-	tmpDir, err := os.MkdirTemp(tmpDirRoot, "TestAgent_Template_UserAgent")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// make some template files
-	var templatePaths []string
-	fileName := filepath.Join(tmpDir, "render_0.tmpl")
-	if err := os.WriteFile(fileName, []byte(templateContents(0)), 0o600); err != nil {
-		t.Fatal(err)
-	}
-	templatePaths = append(templatePaths, fileName)
-
-	// build up the template config to be added to the Agent config.hcl file
-	var templateConfigStrings []string
-	for i, t := range templatePaths {
-		index := fmt.Sprintf("render_%d.json", i)
-		s := fmt.Sprintf(templateConfigString, t, tmpDir, index)
-		templateConfigStrings = append(templateConfigStrings, s)
-	}
-
-	// Create a config file
-	config := `
-vault {
-  address = "%s"
-	tls_skip_verify = true
-}
-
-auto_auth {
-    method "approle" {
-        mount_path = "auth/approle"
-        config = {
-            role_id_file_path = "%s"
-            secret_id_file_path = "%s"
-            remove_secret_id_file_after_reading = false
-        }
-    }
-}
-
-%s
-`
-
-	// flatten the template configs
-	templateConfig := strings.Join(templateConfigStrings, " ")
-
-	config = fmt.Sprintf(config, serverClient.Address(), roleIDPath, secretIDPath, templateConfig)
-	configPath := makeTempFile(t, "config.hcl", config)
-	defer os.Remove(configPath)
-
-	// Start the agent
-	ui, cmd := testAgentCommand(t, logger)
-	cmd.client = serverClient
-	cmd.startedCh = make(chan struct{})
-
-	wg := &sync.WaitGroup{}
-	wg.Add(1)
-	go func() {
-		code := cmd.Run([]string{"-config", configPath})
-		if code != 0 {
-			t.Errorf("non-zero return code when running agent: %d", code)
-			t.Logf("STDOUT from agent:\n%s", ui.OutputWriter.String())
-			t.Logf("STDERR from agent:\n%s", ui.ErrorWriter.String())
-		}
-		wg.Done()
-	}()
-
-	select {
-	case <-cmd.startedCh:
-	case <-time.After(5 * time.Second):
-		t.Errorf("timeout")
-	}
-
-	// We need to shut down the Agent command
-	defer func() {
-		cmd.ShutdownCh <- struct{}{}
-		wg.Wait()
-	}()
-
-	verify := func(suffix string) {
-		t.Helper()
-		// We need to poll for a bit to give Agent time to render the
-		// templates. Without this, the test will attempt to read
-		// the temp dir before Agent has had time to render and will
-		// likely fail the test
-		tick := time.Tick(1 * time.Second)
-		timeout := time.After(10 * time.Second)
-		var err error
-		for {
-			select {
-			case <-timeout:
-				t.Fatalf("timed out waiting for templates to render, last error: %v", err)
-			case <-tick:
-			}
-			// Check for files rendered in the directory and break
-			// early for shutdown if we do have all the files
-			// rendered
-
-			//----------------------------------------------------
-			// Perform the tests
-			//----------------------------------------------------
-
-			if numFiles := testListFiles(t, tmpDir, ".json"); numFiles != len(templatePaths) {
-				err = fmt.Errorf("expected (%d) templates, got (%d)", len(templatePaths), numFiles)
-				continue
-			}
-
-			for i := range templatePaths {
-				fileName := filepath.Join(tmpDir, fmt.Sprintf("render_%d.json", i))
-				var c []byte
-				c, err = os.ReadFile(fileName)
-				if err != nil {
-					continue
-				}
-				if string(c) != templateRendered(i)+suffix {
-					err = fmt.Errorf("expected=%q, got=%q", templateRendered(i)+suffix, string(c))
-					continue
-				}
-			}
-			return
-		}
-	}
-
-	verify("")
-
-	fileName = filepath.Join(tmpDir, "render_0.tmpl")
-	if err := os.WriteFile(fileName, []byte(templateContents(0)+"{}"), 0o600); err != nil {
-		t.Fatal(err)
-	}
-
-	verify("{}")
-}
-
-// TestAgent_Template tests rendering templates
-func TestAgent_Template_Basic(t *testing.T) {
-	//----------------------------------------------------
-	// Start the server and agent
-	//----------------------------------------------------
-	logger := logging.NewVaultLogger(hclog.Trace)
-	cluster := vault.NewTestCluster(t,
-		&vault.CoreConfig{
-			CredentialBackends: map[string]logical.Factory{
-				"approle": credAppRole.Factory,
-			},
-			LogicalBackends: map[string]logical.Factory{
-				"kv": logicalKv.Factory,
-			},
-		},
-		&vault.TestClusterOptions{
-			HandlerFunc: vaulthttp.Handler,
-		})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
-	serverClient := cluster.Cores[0].Client
-
-	// Unset the environment variable so that agent picks up the right test
-	// cluster address
-	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
-	os.Setenv(api.EnvVaultAddress, serverClient.Address())
-
-	roleIDPath, secretIDPath := setupAppRoleAndKVMounts(t, serverClient)
-
-	// make a temp directory to hold renders. Each test will create a temp dir
-	// inside this one
-	tmpDirRoot, err := os.MkdirTemp("", "agent-test-renders")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer os.RemoveAll(tmpDirRoot)
-
-	// start test cases here
-	testCases := map[string]struct {
-		templateCount int
-		exitAfterAuth bool
-	}{
-		"one": {
-			templateCount: 1,
-		},
-		"one_with_exit": {
-			templateCount: 1,
-			exitAfterAuth: true,
-		},
-		"many": {
-			templateCount: 15,
-		},
-		"many_with_exit": {
-			templateCount: 13,
-			exitAfterAuth: true,
-		},
-	}
-
-	for tcname, tc := range testCases {
-		t.Run(tcname, func(t *testing.T) {
-			// create temp dir for this test run
-			tmpDir, err := os.MkdirTemp(tmpDirRoot, tcname)
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			// make some template files
-			var templatePaths []string
-			for i := 0; i < tc.templateCount; i++ {
-				fileName := filepath.Join(tmpDir, fmt.Sprintf("render_%d.tmpl", i))
-				if err := os.WriteFile(fileName, []byte(templateContents(i)), 0o600); err != nil {
-					t.Fatal(err)
-				}
-				templatePaths = append(templatePaths, fileName)
-			}
-
-			// build up the template config to be added to the Agent config.hcl file
-			var templateConfigStrings []string
-			for i, t := range templatePaths {
-				index := fmt.Sprintf("render_%d.json", i)
-				s := fmt.Sprintf(templateConfigString, t, tmpDir, index)
-				templateConfigStrings = append(templateConfigStrings, s)
-			}
-
-			// Create a config file
-			config := `
-vault {
-  address = "%s"
-	tls_skip_verify = true
-}
-
-auto_auth {
-    method "approle" {
-        mount_path = "auth/approle"
-        config = {
-            role_id_file_path = "%s"
-            secret_id_file_path = "%s"
-            remove_secret_id_file_after_reading = false
-        }
-    }
-}
-
-%s
-
-%s
-`
-
-			// conditionally set the exit_after_auth flag
-			exitAfterAuth := ""
-			if tc.exitAfterAuth {
-				exitAfterAuth = "exit_after_auth = true"
-			}
-
-			// flatten the template configs
-			templateConfig := strings.Join(templateConfigStrings, " ")
-
-			config = fmt.Sprintf(config, serverClient.Address(), roleIDPath, secretIDPath, templateConfig, exitAfterAuth)
-			configPath := makeTempFile(t, "config.hcl", config)
-			defer os.Remove(configPath)
-
-			// Start the agent
-			ui, cmd := testAgentCommand(t, logger)
-			cmd.client = serverClient
-			cmd.startedCh = make(chan struct{})
-
-			wg := &sync.WaitGroup{}
-			wg.Add(1)
-			go func() {
-				code := cmd.Run([]string{"-config", configPath})
-				if code != 0 {
-					t.Errorf("non-zero return code when running agent: %d", code)
-					t.Logf("STDOUT from agent:\n%s", ui.OutputWriter.String())
-					t.Logf("STDERR from agent:\n%s", ui.ErrorWriter.String())
-				}
-				wg.Done()
-			}()
-
-			select {
-			case <-cmd.startedCh:
-			case <-time.After(5 * time.Second):
-				t.Errorf("timeout")
-			}
-
-			// if using exit_after_auth, then the command will have returned at the
-			// end and no longer be running. If we are not using exit_after_auth, then
-			// we need to shut down the command
-			if !tc.exitAfterAuth {
-				defer func() {
-					cmd.ShutdownCh <- struct{}{}
-					wg.Wait()
-				}()
-			}
-
-			verify := func(suffix string) {
-				t.Helper()
-				// We need to poll for a bit to give Agent time to render the
-				// templates. Without this this, the test will attempt to read
-				// the temp dir before Agent has had time to render and will
-				// likely fail the test
-				tick := time.Tick(1 * time.Second)
-				timeout := time.After(10 * time.Second)
-				var err error
-				for {
-					select {
-					case <-timeout:
-						t.Fatalf("timed out waiting for templates to render, last error: %v", err)
-					case <-tick:
-					}
-					// Check for files rendered in the directory and break
-					// early for shutdown if we do have all the files
-					// rendered
-
-					//----------------------------------------------------
-					// Perform the tests
-					//----------------------------------------------------
-
-					if numFiles := testListFiles(t, tmpDir, ".json"); numFiles != len(templatePaths) {
-						err = fmt.Errorf("expected (%d) templates, got (%d)", len(templatePaths), numFiles)
-						continue
-					}
-
-					for i := range templatePaths {
-						fileName := filepath.Join(tmpDir, fmt.Sprintf("render_%d.json", i))
-						var c []byte
-						c, err = os.ReadFile(fileName)
-						if err != nil {
-							continue
-						}
-						if string(c) != templateRendered(i)+suffix {
-							err = fmt.Errorf("expected=%q, got=%q", templateRendered(i)+suffix, string(c))
-							continue
-						}
-					}
-					return
-				}
-			}
-
-			verify("")
-
-			for i := 0; i < tc.templateCount; i++ {
-				fileName := filepath.Join(tmpDir, fmt.Sprintf("render_%d.tmpl", i))
-				if err := os.WriteFile(fileName, []byte(templateContents(i)+"{}"), 0o600); err != nil {
-					t.Fatal(err)
-				}
-			}
-
-			verify("{}")
-		})
-	}
-}
-
-func setupAppRole(t *testing.T, serverClient *api.Client) (string, string) {
-	t.Helper()
-	// Enable the approle auth method
-	req := serverClient.NewRequest("POST", "/v1/sys/auth/approle")
-	req.BodyBytes = []byte(`{
-		"type": "approle"
-	}`)
-	request(t, serverClient, req, 204)
-
-	// Create a named role
-	req = serverClient.NewRequest("PUT", "/v1/auth/approle/role/test-role")
-	req.BodyBytes = []byte(`{
-	  "token_ttl": "5m",
-		"token_policies":"default,myapp-read",
-		"policies":"default,myapp-read"
-	}`)
-	request(t, serverClient, req, 204)
-
-	// Fetch the RoleID of the named role
-	req = serverClient.NewRequest("GET", "/v1/auth/approle/role/test-role/role-id")
-	body := request(t, serverClient, req, 200)
-	data := body["data"].(map[string]interface{})
-	roleID := data["role_id"].(string)
-
-	// Get a SecretID issued against the named role
-	req = serverClient.NewRequest("PUT", "/v1/auth/approle/role/test-role/secret-id")
-	body = request(t, serverClient, req, 200)
-	data = body["data"].(map[string]interface{})
-	secretID := data["secret_id"].(string)
-
-	// Write the RoleID and SecretID to temp files
-	roleIDPath := makeTempFile(t, "role_id.txt", roleID+"\n")
-	secretIDPath := makeTempFile(t, "secret_id.txt", secretID+"\n")
-	t.Cleanup(func() {
-		os.Remove(roleIDPath)
-		os.Remove(secretIDPath)
-	})
-
-	return roleIDPath, secretIDPath
-}
-
-func setupAppRoleAndKVMounts(t *testing.T, serverClient *api.Client) (string, string) {
-	roleIDPath, secretIDPath := setupAppRole(t, serverClient)
-
-	// give test-role permissions to read the kv secret
-	req := serverClient.NewRequest("PUT", "/v1/sys/policy/myapp-read")
-	req.BodyBytes = []byte(`{
-	  "policy": "path \"secret/*\" { capabilities = [\"read\", \"list\"] }"
-	}`)
-	request(t, serverClient, req, 204)
-
-	// setup the kv secrets
-	req = serverClient.NewRequest("POST", "/v1/sys/mounts/secret/tune")
-	req.BodyBytes = []byte(`{
-	"options": {"version": "2"}
-	}`)
-	request(t, serverClient, req, 200)
-
-	// Secret: myapp
-	req = serverClient.NewRequest("POST", "/v1/secret/data/myapp")
-	req.BodyBytes = []byte(`{
-	  "data": {
-      "username": "bar",
-      "password": "zap"
-    }
-	}`)
-	request(t, serverClient, req, 200)
-
-	// Secret: myapp2
-	req = serverClient.NewRequest("POST", "/v1/secret/data/myapp2")
-	req.BodyBytes = []byte(`{
-	  "data": {
-      "username": "barstuff",
-      "password": "zap"
-    }
-	}`)
-	request(t, serverClient, req, 200)
-
-	// Secret: otherapp
-	req = serverClient.NewRequest("POST", "/v1/secret/data/otherapp")
-	req.BodyBytes = []byte(`{
-	  "data": {
-      "username": "barstuff",
-      "password": "zap",
-			"cert": "something"
-    }
-	}`)
-	request(t, serverClient, req, 200)
-
-	return roleIDPath, secretIDPath
-}
-
-// TestAgent_Template_VaultClientFromEnv tests that Vault Agent can read in its
-// required `vault` client details from environment variables instead of config.
-func TestAgent_Template_VaultClientFromEnv(t *testing.T) {
-	//----------------------------------------------------
-	// Start the server and agent
-	//----------------------------------------------------
-	logger := logging.NewVaultLogger(hclog.Trace)
-	cluster := vault.NewTestCluster(t,
-		&vault.CoreConfig{
-			CredentialBackends: map[string]logical.Factory{
-				"approle": credAppRole.Factory,
-			},
-			LogicalBackends: map[string]logical.Factory{
-				"kv": logicalKv.Factory,
-			},
-		},
-		&vault.TestClusterOptions{
-			HandlerFunc: vaulthttp.Handler,
-		})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
-	serverClient := cluster.Cores[0].Client
-
-	roleIDPath, secretIDPath := setupAppRoleAndKVMounts(t, serverClient)
-
-	// make a temp directory to hold renders. Each test will create a temp dir
-	// inside this one
-	tmpDirRoot, err := os.MkdirTemp("", "agent-test-renders")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer os.RemoveAll(tmpDirRoot)
-
-	vaultAddr := "https://" + cluster.Cores[0].Listeners[0].Address.String()
-	testCases := map[string]struct {
-		env map[string]string
-	}{
-		"VAULT_ADDR and VAULT_CACERT": {
-			env: map[string]string{
-				api.EnvVaultAddress: vaultAddr,
-				api.EnvVaultCACert:  cluster.CACertPEMFile,
-			},
-		},
-		"VAULT_ADDR and VAULT_CACERT_BYTES": {
-			env: map[string]string{
-				api.EnvVaultAddress:     vaultAddr,
-				api.EnvVaultCACertBytes: string(cluster.CACertPEM),
-			},
-		},
-	}
-
-	for tcname, tc := range testCases {
-		t.Run(tcname, func(t *testing.T) {
-			for k, v := range tc.env {
-				t.Setenv(k, v)
-			}
-			tmpDir := t.TempDir()
-
-			// Make a template.
-			templateFile := filepath.Join(tmpDir, "render.tmpl")
-			if err := os.WriteFile(templateFile, []byte(templateContents(0)), 0o600); err != nil {
-				t.Fatal(err)
-			}
-
-			// build up the template config to be added to the Agent config.hcl file
-			targetFile := filepath.Join(tmpDir, "render.json")
-			templateConfig := fmt.Sprintf(`
-template {
-    source      = "%s"
-    destination = "%s"
-}
-			`, templateFile, targetFile)
-
-			// Create a config file
-			config := `
-auto_auth {
-    method "approle" {
-        mount_path = "auth/approle"
-        config = {
-            role_id_file_path = "%s"
-            secret_id_file_path = "%s"
-            remove_secret_id_file_after_reading = false
-        }
-    }
-}
-
-%s
-`
-
-			config = fmt.Sprintf(config, roleIDPath, secretIDPath, templateConfig)
-			configPath := makeTempFile(t, "config.hcl", config)
-			defer os.Remove(configPath)
-
-			// Start the agent
-			ui, cmd := testAgentCommand(t, logger)
-			cmd.client = serverClient
-			cmd.startedCh = make(chan struct{})
-
-			wg := &sync.WaitGroup{}
-			wg.Add(1)
-			go func() {
-				code := cmd.Run([]string{"-config", configPath})
-				if code != 0 {
-					t.Errorf("non-zero return code when running agent: %d", code)
-					t.Logf("STDOUT from agent:\n%s", ui.OutputWriter.String())
-					t.Logf("STDERR from agent:\n%s", ui.ErrorWriter.String())
-				}
-				wg.Done()
-			}()
-
-			select {
-			case <-cmd.startedCh:
-			case <-time.After(5 * time.Second):
-				t.Errorf("timeout")
-			}
-
-			defer func() {
-				cmd.ShutdownCh <- struct{}{}
-				wg.Wait()
-			}()
-
-			// We need to poll for a bit to give Agent time to render the
-			// templates. Without this this, the test will attempt to read
-			// the temp dir before Agent has had time to render and will
-			// likely fail the test
-			tick := time.Tick(1 * time.Second)
-			timeout := time.After(10 * time.Second)
-			for {
-				select {
-				case <-timeout:
-					t.Fatalf("timed out waiting for templates to render, last error: %v", err)
-				case <-tick:
-				}
-
-				contents, err := os.ReadFile(targetFile)
-				if err != nil {
-					// If the file simply doesn't exist, continue waiting for
-					// the template rendering to complete.
-					if os.IsNotExist(err) {
-						continue
-					}
-					t.Fatal(err)
-				}
-
-				if string(contents) != templateRendered(0) {
-					t.Fatalf("expected=%q, got=%q", templateRendered(0), string(contents))
-				}
-
-				// Success! Break out of the retry loop.
-				break
-			}
-		})
-	}
-}
-
-func testListFiles(t *testing.T, dir, extension string) int {
-	t.Helper()
-
-	files, err := os.ReadDir(dir)
-	if err != nil {
-		t.Fatal(err)
-	}
-	var count int
-	for _, f := range files {
-		if filepath.Ext(f.Name()) == extension {
-			count++
-		}
-	}
-
-	return count
-}
-
-// TestAgent_Template_ExitCounter tests that Vault Agent correctly renders all
-// templates before exiting when the configuration uses exit_after_auth. This is
-// similar to TestAgent_Template_Basic, but differs by using a consistent number
-// of secrets from multiple sources, where as the basic test could possibly
-// generate a random number of secrets, but all using the same source. This test
-// reproduces https://github.com/hashicorp/vault/issues/7883
-func TestAgent_Template_ExitCounter(t *testing.T) {
-	//----------------------------------------------------
-	// Start the server and agent
-	//----------------------------------------------------
-	logger := logging.NewVaultLogger(hclog.Trace)
-	cluster := vault.NewTestCluster(t,
-		&vault.CoreConfig{
-			CredentialBackends: map[string]logical.Factory{
-				"approle": credAppRole.Factory,
-			},
-			LogicalBackends: map[string]logical.Factory{
-				"kv": logicalKv.Factory,
-			},
-		},
-		&vault.TestClusterOptions{
-			HandlerFunc: vaulthttp.Handler,
-		})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
-	serverClient := cluster.Cores[0].Client
-
-	// Unset the environment variable so that agent picks up the right test
-	// cluster address
-	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
-	os.Setenv(api.EnvVaultAddress, serverClient.Address())
-
-	roleIDPath, secretIDPath := setupAppRoleAndKVMounts(t, serverClient)
-
-	// make a temp directory to hold renders. Each test will create a temp dir
-	// inside this one
-	tmpDirRoot, err := os.MkdirTemp("", "agent-test-renders")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer os.RemoveAll(tmpDirRoot)
-
-	// create temp dir for this test run
-	tmpDir, err := os.MkdirTemp(tmpDirRoot, "agent-test")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Create a config file
-	config := `
-vault {
-  address = "%s"
-  tls_skip_verify = true
-}
-
-auto_auth {
-    method "approle" {
-        mount_path = "auth/approle"
-        config = {
-            role_id_file_path = "%s"
-            secret_id_file_path = "%s"
-            remove_secret_id_file_after_reading = false
-        }
-    }
-}
-
-template {
-    contents = "{{ with secret \"secret/myapp\" }}{{ range $k, $v := .Data.data }}{{ $v }}{{ end }}{{ end }}"
-    destination = "%s/render-pass.txt"
-}
-
-template {
-    contents = "{{ with secret \"secret/myapp2\" }}{{ .Data.data.username}}{{ end }}"
-    destination = "%s/render-user.txt"
-}
-
-template {
-    contents = <<EOF
-{{ with secret "secret/otherapp"}}
-{
-{{ if .Data.data.username}}"username":"{{ .Data.data.username}}",{{ end }}
-{{ if .Data.data.password }}"password":"{{ .Data.data.password }}",{{ end }}
-{{ .Data.data.cert }}
-}
-{{ end }}
-EOF
-    destination = "%s/render-other.txt"
-}
-
-exit_after_auth = true
-`
-
-	config = fmt.Sprintf(config, serverClient.Address(), roleIDPath, secretIDPath, tmpDir, tmpDir, tmpDir)
-	configPath := makeTempFile(t, "config.hcl", config)
-	defer os.Remove(configPath)
-
-	// Start the agent
-	ui, cmd := testAgentCommand(t, logger)
-	cmd.client = serverClient
-	cmd.startedCh = make(chan struct{})
-
-	wg := &sync.WaitGroup{}
-	wg.Add(1)
-	go func() {
-		code := cmd.Run([]string{"-config", configPath})
-		if code != 0 {
-			t.Errorf("non-zero return code when running agent: %d", code)
-			t.Logf("STDOUT from agent:\n%s", ui.OutputWriter.String())
-			t.Logf("STDERR from agent:\n%s", ui.ErrorWriter.String())
-		}
-		wg.Done()
-	}()
-
-	select {
-	case <-cmd.startedCh:
-	case <-time.After(5 * time.Second):
-		t.Errorf("timeout")
-	}
-
-	wg.Wait()
-
-	//----------------------------------------------------
-	// Perform the tests
-	//----------------------------------------------------
-
-	files, err := os.ReadDir(tmpDir)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if len(files) != 3 {
-		t.Fatalf("expected (%d) templates, got (%d)", 3, len(files))
-	}
-}
-
-// a slice of template options
-var templates = []string{
-	`{{- with secret "secret/otherapp"}}{"secret": "other",
-{{- if .Data.data.username}}"username":"{{ .Data.data.username}}",{{- end }}
-{{- if .Data.data.password }}"password":"{{ .Data.data.password }}"{{- end }}}
-{{- end }}`,
-	`{{- with secret "secret/myapp"}}{"secret": "myapp",
-{{- if .Data.data.username}}"username":"{{ .Data.data.username}}",{{- end }}
-{{- if .Data.data.password }}"password":"{{ .Data.data.password }}"{{- end }}}
-{{- end }}`,
-	`{{- with secret "secret/myapp"}}{"secret": "myapp",
-{{- if .Data.data.password }}"password":"{{ .Data.data.password }}"{{- end }}}
-{{- end }}`,
-}
-
-var rendered = []string{
-	`{"secret": "other","username":"barstuff","password":"zap"}`,
-	`{"secret": "myapp","username":"bar","password":"zap"}`,
-	`{"secret": "myapp","password":"zap"}`,
-}
-
-// templateContents returns a template from the above templates slice. Each
-// invocation with incrementing seed will return "the next" template, and loop.
-// This ensures as we use multiple templates that we have a increasing number of
-// sources before we reuse a template.
-func templateContents(seed int) string {
-	index := seed % len(templates)
-	return templates[index]
-}
-
-func templateRendered(seed int) string {
-	index := seed % len(templates)
-	return rendered[index]
-}
-
-var templateConfigString = `
-template {
-  source      = "%s"
-  destination = "%s/%s"
-}
-`
-
-// request issues HTTP requests.
-func request(t *testing.T, client *api.Client, req *api.Request, expectedStatusCode int) map[string]interface{} {
-	t.Helper()
-	resp, err := client.RawRequest(req)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-	if resp.StatusCode != expectedStatusCode {
-		t.Fatalf("expected status code %d, not %d", expectedStatusCode, resp.StatusCode)
-	}
-
-	bytes, err := io.ReadAll(resp.Body)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-	if len(bytes) == 0 {
-		return nil
-	}
-
-	var body map[string]interface{}
-	err = json.Unmarshal(bytes, &body)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-	return body
-}
-
-// makeTempFile creates a temp file and populates it.
-func makeTempFile(t *testing.T, name, contents string) string {
-	t.Helper()
-	f, err := os.CreateTemp("", name)
-	if err != nil {
-		t.Fatal(err)
-	}
-	path := f.Name()
-	f.WriteString(contents)
-	f.Close()
-	return path
-}
-
-func populateTempFile(t *testing.T, name, contents string) *os.File {
-	t.Helper()
-
-	file, err := os.CreateTemp(t.TempDir(), name)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = file.WriteString(contents)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = file.Close()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	return file
-}
-
-// handler makes 500 errors happen for reads on /v1/secret.
-// Definitely not thread-safe, do not use t.Parallel with this.
-type handler struct {
-	props     *vault.HandlerProperties
-	failCount int
-	t         *testing.T
-}
-
-func (h *handler) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
-	if req.Method == "GET" && strings.HasPrefix(req.URL.Path, "/v1/secret") {
-		if h.failCount > 0 {
-			h.failCount--
-			h.t.Logf("%s failing GET request on %s, failures left: %d", time.Now(), req.URL.Path, h.failCount)
-			resp.WriteHeader(500)
-			return
-		}
-		h.t.Logf("passing GET request on %s", req.URL.Path)
-	}
-	vaulthttp.Handler.Handler(h.props).ServeHTTP(resp, req)
-}
-
-// userAgentHandler makes it easy to test the User-Agent header received
-// by Vault
-type userAgentHandler struct {
-	props                *vault.HandlerProperties
-	failCount            int
-	userAgentToCheckFor  string
-	pathToCheck          string
-	requestMethodToCheck string
-	t                    *testing.T
-}
-
-func (h *userAgentHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
-	if req.Method == h.requestMethodToCheck && strings.Contains(req.RequestURI, h.pathToCheck) {
-		userAgent := req.UserAgent()
-		if !(userAgent == h.userAgentToCheckFor) {
-			h.t.Fatalf("User-Agent string not as expected. Expected to find %s, got %s", h.userAgentToCheckFor, userAgent)
-		}
-	}
-	vaulthttp.Handler.Handler(h.props).ServeHTTP(w, req)
-}
-
-// TestAgent_Template_Retry verifies that the template server retries requests
-// based on retry configuration.
-func TestAgent_Template_Retry(t *testing.T) {
-	//----------------------------------------------------
-	// Start the server and agent
-	//----------------------------------------------------
-	logger := logging.NewVaultLogger(hclog.Trace)
-	var h handler
-	cluster := vault.NewTestCluster(t,
-		&vault.CoreConfig{
-			CredentialBackends: map[string]logical.Factory{
-				"approle": credAppRole.Factory,
-			},
-			LogicalBackends: map[string]logical.Factory{
-				"kv": logicalKv.Factory,
-			},
-		},
-		&vault.TestClusterOptions{
-			NumCores: 1,
-			HandlerFunc: vaulthttp.HandlerFunc(
-				func(properties *vault.HandlerProperties) http.Handler {
-					h.props = properties
-					h.t = t
-					return &h
-				}),
-		})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
-	serverClient := cluster.Cores[0].Client
-
-	// Unset the environment variable so that agent picks up the right test
-	// cluster address
-	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
-	os.Unsetenv(api.EnvVaultAddress)
-
-	methodConf, cleanup := prepAgentApproleKV(t, serverClient)
-	defer cleanup()
-
-	err := serverClient.Sys().TuneMount("secret", api.MountConfigInput{
-		Options: map[string]string{
-			"version": "2",
-		},
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = serverClient.Logical().Write("secret/data/otherapp", map[string]interface{}{
-		"data": map[string]interface{}{
-			"username": "barstuff",
-			"password": "zap",
-			"cert":     "something",
-		},
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// make a temp directory to hold renders. Each test will create a temp dir
-	// inside this one
-	tmpDirRoot, err := os.MkdirTemp("", "agent-test-renders")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer os.RemoveAll(tmpDirRoot)
-
-	intRef := func(i int) *int {
-		return &i
-	}
-	// start test cases here
-	testCases := map[string]struct {
-		retries     *int
-		expectError bool
-	}{
-		"none": {
-			retries:     intRef(-1),
-			expectError: true,
-		},
-		"one": {
-			retries:     intRef(1),
-			expectError: true,
-		},
-		"two": {
-			retries:     intRef(2),
-			expectError: false,
-		},
-		"missing": {
-			retries:     nil,
-			expectError: false,
-		},
-		"default": {
-			retries:     intRef(0),
-			expectError: false,
-		},
-	}
-
-	for tcname, tc := range testCases {
-		t.Run(tcname, func(t *testing.T) {
-			// We fail the first 6 times.  The consul-template code creates
-			// a Vault client with MaxRetries=2, so for every consul-template
-			// retry configured, it will in practice make up to 3 requests.
-			// Thus if consul-template is configured with "one" retry, it will
-			// fail given our failCount, but if configured with "two" retries,
-			// they will consume our 6th failure, and on the "third (from its
-			// perspective) attempt, it will succeed.
-			h.failCount = 6
-
-			// create temp dir for this test run
-			tmpDir, err := os.MkdirTemp(tmpDirRoot, tcname)
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			// make some template files
-			templatePath := filepath.Join(tmpDir, "render_0.tmpl")
-			if err := os.WriteFile(templatePath, []byte(templateContents(0)), 0o600); err != nil {
-				t.Fatal(err)
-			}
-			templateConfig := fmt.Sprintf(templateConfigString, templatePath, tmpDir, "render_0.json")
-
-			var retryConf string
-			if tc.retries != nil {
-				retryConf = fmt.Sprintf("retry { num_retries = %d }", *tc.retries)
-			}
-
-			config := fmt.Sprintf(`
-%s
-vault {
-  address = "%s"
-  %s
-  tls_skip_verify = true
-}
-%s
-template_config {
-  exit_on_retry_failure = true
-}
-`, methodConf, serverClient.Address(), retryConf, templateConfig)
-
-			configPath := makeTempFile(t, "config.hcl", config)
-			defer os.Remove(configPath)
-
-			// Start the agent
-			_, cmd := testAgentCommand(t, logger)
-			cmd.startedCh = make(chan struct{})
-
-			wg := &sync.WaitGroup{}
-			wg.Add(1)
-			var code int
-			go func() {
-				code = cmd.Run([]string{"-config", configPath})
-				wg.Done()
-			}()
-
-			select {
-			case <-cmd.startedCh:
-			case <-time.After(5 * time.Second):
-				t.Errorf("timeout")
-			}
-
-			verify := func() error {
-				t.Helper()
-				// We need to poll for a bit to give Agent time to render the
-				// templates. Without this this, the test will attempt to read
-				// the temp dir before Agent has had time to render and will
-				// likely fail the test
-				tick := time.Tick(1 * time.Second)
-				timeout := time.After(15 * time.Second)
-				var err error
-				for {
-					select {
-					case <-timeout:
-						return fmt.Errorf("timed out waiting for templates to render, last error: %v", err)
-					case <-tick:
-					}
-					// Check for files rendered in the directory and break
-					// early for shutdown if we do have all the files
-					// rendered
-
-					//----------------------------------------------------
-					// Perform the tests
-					//----------------------------------------------------
-
-					if numFiles := testListFiles(t, tmpDir, ".json"); numFiles != 1 {
-						err = fmt.Errorf("expected 1 template, got (%d)", numFiles)
-						continue
-					}
-
-					fileName := filepath.Join(tmpDir, "render_0.json")
-					var c []byte
-					c, err = os.ReadFile(fileName)
-					if err != nil {
-						continue
-					}
-					if string(c) != templateRendered(0) {
-						err = fmt.Errorf("expected=%q, got=%q", templateRendered(0), string(c))
-						continue
-					}
-					return nil
-				}
-			}
-
-			err = verify()
-			close(cmd.ShutdownCh)
-			wg.Wait()
-
-			switch {
-			case (code != 0 || err != nil) && tc.expectError:
-			case code == 0 && err == nil && !tc.expectError:
-			default:
-				t.Fatalf("%s expectError=%v error=%v code=%d", tcname, tc.expectError, err, code)
-			}
-		})
-	}
-}
-
-// prepAgentApproleKV configures a Vault instance for approle authentication,
-// such that the resulting token will have global permissions across /kv
-// and /secret mounts.  Returns the auto_auth config stanza to setup an Agent
-// to connect using approle.
-func prepAgentApproleKV(t *testing.T, client *api.Client) (string, func()) {
-	t.Helper()
-
-	policyAutoAuthAppRole := `
-path "/kv/*" {
-	capabilities = ["create", "read", "update", "delete", "list"]
-}
-path "/secret/*" {
-	capabilities = ["create", "read", "update", "delete", "list"]
-}
-`
-	// Add an kv-admin policy
-	if err := client.Sys().PutPolicy("test-autoauth", policyAutoAuthAppRole); err != nil {
-		t.Fatal(err)
-	}
-
-	// Enable approle
-	err := client.Sys().EnableAuthWithOptions("approle", &api.EnableAuthOptions{
-		Type: "approle",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = client.Logical().Write("auth/approle/role/test1", map[string]interface{}{
-		"bind_secret_id": "true",
-		"token_ttl":      "1h",
-		"token_max_ttl":  "2h",
-		"policies":       []string{"test-autoauth"},
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	resp, err := client.Logical().Write("auth/approle/role/test1/secret-id", nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	secretID := resp.Data["secret_id"].(string)
-	secretIDFile := makeTempFile(t, "secret_id.txt", secretID+"\n")
-
-	resp, err = client.Logical().Read("auth/approle/role/test1/role-id")
-	if err != nil {
-		t.Fatal(err)
-	}
-	roleID := resp.Data["role_id"].(string)
-	roleIDFile := makeTempFile(t, "role_id.txt", roleID+"\n")
-
-	config := fmt.Sprintf(`
-auto_auth {
-    method "approle" {
-        mount_path = "auth/approle"
-        config = {
-            role_id_file_path = "%s"
-            secret_id_file_path = "%s"
-            remove_secret_id_file_after_reading = false
-        }
-    }
-}
-`, roleIDFile, secretIDFile)
-
-	cleanup := func() {
-		_ = os.Remove(roleIDFile)
-		_ = os.Remove(secretIDFile)
-	}
-	return config, cleanup
-}
-
-// TestAgent_AutoAuth_UserAgent tests that the User-Agent sent
-// to Vault by Vault Agent is correct when performing Auto-Auth.
-// Uses the custom handler userAgentHandler (defined above) so
-// that Vault validates the User-Agent on requests sent by Agent.
-func TestAgent_AutoAuth_UserAgent(t *testing.T) {
-	logger := logging.NewVaultLogger(hclog.Trace)
-	var h userAgentHandler
-	cluster := vault.NewTestCluster(t, &vault.CoreConfig{
-		CredentialBackends: map[string]logical.Factory{
-			"approle": credAppRole.Factory,
-		},
-	}, &vault.TestClusterOptions{
-		NumCores: 1,
-		HandlerFunc: vaulthttp.HandlerFunc(
-			func(properties *vault.HandlerProperties) http.Handler {
-				h.props = properties
-				h.userAgentToCheckFor = useragent.AgentAutoAuthString()
-				h.requestMethodToCheck = "PUT"
-				h.pathToCheck = "auth/approle/login"
-				h.t = t
-				return &h
-			}),
-	})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	serverClient := cluster.Cores[0].Client
-
-	// Enable the approle auth method
-	roleIDPath, secretIDPath := setupAppRole(t, serverClient)
-
-	sinkf, err := os.CreateTemp("", "sink.test.")
-	if err != nil {
-		t.Fatal(err)
-	}
-	sink := sinkf.Name()
-	sinkf.Close()
-	os.Remove(sink)
-
-	autoAuthConfig := fmt.Sprintf(`
-auto_auth {
-    method "approle" {
-        mount_path = "auth/approle"
-        config = {
-            role_id_file_path = "%s"
-            secret_id_file_path = "%s"
-        }
-    }
-
-	sink "file" {
-		config = {
-			path = "%s"
-		}
-	}
-}`, roleIDPath, secretIDPath, sink)
-
-	listenAddr := generateListenerAddress(t)
-	listenConfig := fmt.Sprintf(`
-listener "tcp" {
-  address = "%s"
-  tls_disable = true
-}
-`, listenAddr)
-
-	config := fmt.Sprintf(`
-vault {
-  address = "%s"
-  tls_skip_verify = true
-}
-api_proxy {
-  use_auto_auth_token = true
-}
-%s
-%s
-`, serverClient.Address(), listenConfig, autoAuthConfig)
-	configPath := makeTempFile(t, "config.hcl", config)
-	defer os.Remove(configPath)
-
-	// Unset the environment variable so that agent picks up the right test
-	// cluster address
-	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
-	os.Unsetenv(api.EnvVaultAddress)
-
-	// Start the agent
-	_, cmd := testAgentCommand(t, logger)
-	cmd.startedCh = make(chan struct{})
-
-	wg := &sync.WaitGroup{}
-	wg.Add(1)
-	go func() {
-		cmd.Run([]string{"-config", configPath})
-		wg.Done()
-	}()
-
-	select {
-	case <-cmd.startedCh:
-	case <-time.After(5 * time.Second):
-		t.Errorf("timeout")
-	}
-
-	// Validate that the auto-auth token has been correctly attained
-	// and works for LookupSelf
-	conf := api.DefaultConfig()
-	conf.Address = "http://" + listenAddr
-	agentClient, err := api.NewClient(conf)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-
-	agentClient.SetToken("")
-	err = agentClient.SetAddress("http://" + listenAddr)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Wait for the token to be sent to syncs and be available to be used
-	time.Sleep(5 * time.Second)
-
-	req := agentClient.NewRequest("GET", "/v1/auth/token/lookup-self")
-	request(t, agentClient, req, 200)
-
-	close(cmd.ShutdownCh)
-	wg.Wait()
-}
-
-// TestAgent_APIProxyWithoutCache_UserAgent tests that the User-Agent sent
-// to Vault by Vault Agent is correct using the API proxy without
-// the cache configured. Uses the custom handler
-// userAgentHandler struct defined in this test package, so that Vault validates the
-// User-Agent on requests sent by Agent.
-func TestAgent_APIProxyWithoutCache_UserAgent(t *testing.T) {
-	logger := logging.NewVaultLogger(hclog.Trace)
-	userAgentForProxiedClient := "proxied-client"
-	var h userAgentHandler
-	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
-		NumCores: 1,
-		HandlerFunc: vaulthttp.HandlerFunc(
-			func(properties *vault.HandlerProperties) http.Handler {
-				h.props = properties
-				h.userAgentToCheckFor = useragent.AgentProxyStringWithProxiedUserAgent(userAgentForProxiedClient)
-				h.pathToCheck = "/v1/auth/token/lookup-self"
-				h.requestMethodToCheck = "GET"
-				h.t = t
-				return &h
-			}),
-	})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	serverClient := cluster.Cores[0].Client
-
-	// Unset the environment variable so that agent picks up the right test
-	// cluster address
-	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
-	os.Unsetenv(api.EnvVaultAddress)
-
-	listenAddr := generateListenerAddress(t)
-	listenConfig := fmt.Sprintf(`
-listener "tcp" {
-  address = "%s"
-  tls_disable = true
-}
-`, listenAddr)
-
-	config := fmt.Sprintf(`
-vault {
-  address = "%s"
-  tls_skip_verify = true
-}
-%s
-`, serverClient.Address(), listenConfig)
-	configPath := makeTempFile(t, "config.hcl", config)
-	defer os.Remove(configPath)
-
-	// Start the agent
-	_, cmd := testAgentCommand(t, logger)
-	cmd.startedCh = make(chan struct{})
-
-	wg := &sync.WaitGroup{}
-	wg.Add(1)
-	go func() {
-		cmd.Run([]string{"-config", configPath})
-		wg.Done()
-	}()
-
-	select {
-	case <-cmd.startedCh:
-	case <-time.After(5 * time.Second):
-		t.Errorf("timeout")
-	}
-
-	agentClient, err := api.NewClient(api.DefaultConfig())
-	if err != nil {
-		t.Fatal(err)
-	}
-	agentClient.AddHeader("User-Agent", userAgentForProxiedClient)
-	agentClient.SetToken(serverClient.Token())
-	agentClient.SetMaxRetries(0)
-	err = agentClient.SetAddress("http://" + listenAddr)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = agentClient.Auth().Token().LookupSelf()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	close(cmd.ShutdownCh)
-	wg.Wait()
-}
-
-// TestAgent_APIProxyWithCache_UserAgent tests that the User-Agent sent
-// to Vault by Vault Agent is correct using the API proxy with
-// the cache configured.  Uses the custom handler
-// userAgentHandler struct defined in this test package, so that Vault validates the
-// User-Agent on requests sent by Agent.
-func TestAgent_APIProxyWithCache_UserAgent(t *testing.T) {
-	logger := logging.NewVaultLogger(hclog.Trace)
-	userAgentForProxiedClient := "proxied-client"
-	var h userAgentHandler
-	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
-		NumCores: 1,
-		HandlerFunc: vaulthttp.HandlerFunc(
-			func(properties *vault.HandlerProperties) http.Handler {
-				h.props = properties
-				h.userAgentToCheckFor = useragent.AgentProxyStringWithProxiedUserAgent(userAgentForProxiedClient)
-				h.pathToCheck = "/v1/auth/token/lookup-self"
-				h.requestMethodToCheck = "GET"
-				h.t = t
-				return &h
-			}),
-	})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	serverClient := cluster.Cores[0].Client
-
-	// Unset the environment variable so that agent picks up the right test
-	// cluster address
-	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
-	os.Unsetenv(api.EnvVaultAddress)
-
-	listenAddr := generateListenerAddress(t)
-	listenConfig := fmt.Sprintf(`
-listener "tcp" {
-  address = "%s"
-  tls_disable = true
-}
-`, listenAddr)
-
-	cacheConfig := `
-cache {
-}`
-
-	config := fmt.Sprintf(`
-vault {
-  address = "%s"
-  tls_skip_verify = true
-}
-%s
-%s
-`, serverClient.Address(), listenConfig, cacheConfig)
-	configPath := makeTempFile(t, "config.hcl", config)
-	defer os.Remove(configPath)
-
-	// Start the agent
-	_, cmd := testAgentCommand(t, logger)
-	cmd.startedCh = make(chan struct{})
-
-	wg := &sync.WaitGroup{}
-	wg.Add(1)
-	go func() {
-		cmd.Run([]string{"-config", configPath})
-		wg.Done()
-	}()
-
-	select {
-	case <-cmd.startedCh:
-	case <-time.After(5 * time.Second):
-		t.Errorf("timeout")
-	}
-
-	agentClient, err := api.NewClient(api.DefaultConfig())
-	if err != nil {
-		t.Fatal(err)
-	}
-	agentClient.AddHeader("User-Agent", userAgentForProxiedClient)
-	agentClient.SetToken(serverClient.Token())
-	agentClient.SetMaxRetries(0)
-	err = agentClient.SetAddress("http://" + listenAddr)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = agentClient.Auth().Token().LookupSelf()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	close(cmd.ShutdownCh)
-	wg.Wait()
-}
-
-func TestAgent_Cache_DynamicSecret(t *testing.T) {
-	logger := logging.NewVaultLogger(hclog.Trace)
-	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
-		HandlerFunc: vaulthttp.Handler,
-	})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	serverClient := cluster.Cores[0].Client
-
-	// Unset the environment variable so that agent picks up the right test
-	// cluster address
-	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
-	os.Unsetenv(api.EnvVaultAddress)
-
-	cacheConfig := `
-cache {
-}
-`
-	listenAddr := generateListenerAddress(t)
-	listenConfig := fmt.Sprintf(`
-listener "tcp" {
-  address = "%s"
-  tls_disable = true
-}
-`, listenAddr)
-
-	config := fmt.Sprintf(`
-vault {
-  address = "%s"
-  tls_skip_verify = true
-}
-%s
-%s
-`, serverClient.Address(), cacheConfig, listenConfig)
-	configPath := makeTempFile(t, "config.hcl", config)
-	defer os.Remove(configPath)
-
-	// Start the agent
-	_, cmd := testAgentCommand(t, logger)
-	cmd.startedCh = make(chan struct{})
-
-	wg := &sync.WaitGroup{}
-	wg.Add(1)
-	go func() {
-		cmd.Run([]string{"-config", configPath})
-		wg.Done()
-	}()
-
-	select {
-	case <-cmd.startedCh:
-	case <-time.After(5 * time.Second):
-		t.Errorf("timeout")
-	}
-
-	agentClient, err := api.NewClient(api.DefaultConfig())
-	if err != nil {
-		t.Fatal(err)
-	}
-	agentClient.SetToken(serverClient.Token())
-	agentClient.SetMaxRetries(0)
-	err = agentClient.SetAddress("http://" + listenAddr)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	renewable := true
-	tokenCreateRequest := &api.TokenCreateRequest{
-		Policies:  []string{"default"},
-		TTL:       "30m",
-		Renewable: &renewable,
-	}
-
-	// This was the simplest test I could find to trigger the caching behaviour,
-	// i.e. the most concise I could make the test that I can tell
-	// creating an orphan token returns Auth, is renewable, and isn't a token
-	// that's managed elsewhere (since it's an orphan)
-	secret, err := agentClient.Auth().Token().CreateOrphan(tokenCreateRequest)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if secret == nil || secret.Auth == nil {
-		t.Fatalf("secret not as expected: %v", secret)
-	}
-
-	token := secret.Auth.ClientToken
-
-	secret, err = agentClient.Auth().Token().CreateOrphan(tokenCreateRequest)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if secret == nil || secret.Auth == nil {
-		t.Fatalf("secret not as expected: %v", secret)
-	}
-
-	token2 := secret.Auth.ClientToken
-
-	if token != token2 {
-		t.Fatalf("token create response not cached when it should have been, as tokens differ")
-	}
-
-	close(cmd.ShutdownCh)
-	wg.Wait()
-}
-
-func TestAgent_ApiProxy_Retry(t *testing.T) {
-	//----------------------------------------------------
-	// Start the server and agent
-	//----------------------------------------------------
-	logger := logging.NewVaultLogger(hclog.Trace)
-	var h handler
-	cluster := vault.NewTestCluster(t,
-		&vault.CoreConfig{
-			CredentialBackends: map[string]logical.Factory{
-				"approle": credAppRole.Factory,
-			},
-			LogicalBackends: map[string]logical.Factory{
-				"kv": logicalKv.Factory,
-			},
-		},
-		&vault.TestClusterOptions{
-			NumCores: 1,
-			HandlerFunc: vaulthttp.HandlerFunc(func(properties *vault.HandlerProperties) http.Handler {
-				h.props = properties
-				h.t = t
-				return &h
-			}),
-		})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
-	serverClient := cluster.Cores[0].Client
-
-	// Unset the environment variable so that agent picks up the right test
-	// cluster address
-	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
-	os.Unsetenv(api.EnvVaultAddress)
-
-	_, err := serverClient.Logical().Write("secret/foo", map[string]interface{}{
-		"bar": "baz",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	intRef := func(i int) *int {
-		return &i
-	}
-	// start test cases here
-	testCases := map[string]struct {
-		retries     *int
-		expectError bool
-	}{
-		"none": {
-			retries:     intRef(-1),
-			expectError: true,
-		},
-		"one": {
-			retries:     intRef(1),
-			expectError: true,
-		},
-		"two": {
-			retries:     intRef(2),
-			expectError: false,
-		},
-		"missing": {
-			retries:     nil,
-			expectError: false,
-		},
-		"default": {
-			retries:     intRef(0),
-			expectError: false,
-		},
-	}
-
-	for tcname, tc := range testCases {
-		t.Run(tcname, func(t *testing.T) {
-			h.failCount = 2
-
-			cacheConfig := `
-cache {
-}
-`
-			listenAddr := generateListenerAddress(t)
-			listenConfig := fmt.Sprintf(`
-listener "tcp" {
-  address = "%s"
-  tls_disable = true
-}
-`, listenAddr)
-
-			var retryConf string
-			if tc.retries != nil {
-				retryConf = fmt.Sprintf("retry { num_retries = %d }", *tc.retries)
-			}
-
-			config := fmt.Sprintf(`
-vault {
-  address = "%s"
-  %s
-  tls_skip_verify = true
-}
-%s
-%s
-`, serverClient.Address(), retryConf, cacheConfig, listenConfig)
-			configPath := makeTempFile(t, "config.hcl", config)
-			defer os.Remove(configPath)
-
-			// Start the agent
-			_, cmd := testAgentCommand(t, logger)
-			cmd.startedCh = make(chan struct{})
-
-			wg := &sync.WaitGroup{}
-			wg.Add(1)
-			go func() {
-				cmd.Run([]string{"-config", configPath})
-				wg.Done()
-			}()
-
-			select {
-			case <-cmd.startedCh:
-			case <-time.After(5 * time.Second):
-				t.Errorf("timeout")
-			}
-
-			client, err := api.NewClient(api.DefaultConfig())
-			if err != nil {
-				t.Fatal(err)
-			}
-			client.SetToken(serverClient.Token())
-			client.SetMaxRetries(0)
-			err = client.SetAddress("http://" + listenAddr)
-			if err != nil {
-				t.Fatal(err)
-			}
-			secret, err := client.Logical().Read("secret/foo")
-			switch {
-			case (err != nil || secret == nil) && tc.expectError:
-			case (err == nil || secret != nil) && !tc.expectError:
-			default:
-				t.Fatalf("%s expectError=%v error=%v secret=%v", tcname, tc.expectError, err, secret)
-			}
-			if secret != nil && secret.Data["foo"] != nil {
-				val := secret.Data["foo"].(map[string]interface{})
-				if !reflect.DeepEqual(val, map[string]interface{}{"bar": "baz"}) {
-					t.Fatalf("expected key 'foo' to yield bar=baz, got: %v", val)
-				}
-			}
-			time.Sleep(time.Second)
-
-			close(cmd.ShutdownCh)
-			wg.Wait()
-		})
-	}
-}
-
-func TestAgent_TemplateConfig_ExitOnRetryFailure(t *testing.T) {
-	//----------------------------------------------------
-	// Start the server and agent
-	//----------------------------------------------------
-	logger := logging.NewVaultLogger(hclog.Trace)
-	cluster := vault.NewTestCluster(t,
-		&vault.CoreConfig{
-			CredentialBackends: map[string]logical.Factory{
-				"approle": credAppRole.Factory,
-			},
-			LogicalBackends: map[string]logical.Factory{
-				"kv": logicalKv.Factory,
-			},
-		},
-		&vault.TestClusterOptions{
-			NumCores:    1,
-			HandlerFunc: vaulthttp.Handler,
-		})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
-	serverClient := cluster.Cores[0].Client
-
-	// Unset the environment variable so that agent picks up the right test
-	// cluster address
-	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
-	os.Unsetenv(api.EnvVaultAddress)
-
-	autoAuthConfig, cleanup := prepAgentApproleKV(t, serverClient)
-	defer cleanup()
-
-	err := serverClient.Sys().TuneMount("secret", api.MountConfigInput{
-		Options: map[string]string{
-			"version": "2",
-		},
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = serverClient.Logical().Write("secret/data/otherapp", map[string]interface{}{
-		"data": map[string]interface{}{
-			"username": "barstuff",
-			"password": "zap",
-			"cert":     "something",
-		},
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// make a temp directory to hold renders. Each test will create a temp dir
-	// inside this one
-	tmpDirRoot, err := os.MkdirTemp("", "agent-test-renders")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer os.RemoveAll(tmpDirRoot)
-
-	// Note that missing key is different from a non-existent secret. A missing
-	// key (2xx response with missing keys in the response map) can still yield
-	// a successful render unless error_on_missing_key is specified, whereas a
-	// missing secret (4xx response) always results in an error.
-	missingKeyTemplateContent := `{{- with secret "secret/otherapp"}}{"secret": "other",
-{{- if .Data.data.foo}}"foo":"{{ .Data.data.foo}}"{{- end }}}
-{{- end }}`
-	missingKeyTemplateRender := `{"secret": "other",}`
-
-	badTemplateContent := `{{- with secret "secret/non-existent"}}{"secret": "other",
-{{- if .Data.data.foo}}"foo":"{{ .Data.data.foo}}"{{- end }}}
-{{- end }}`
-
-	testCases := map[string]struct {
-		exitOnRetryFailure        *bool
-		templateContents          string
-		expectTemplateRender      string
-		templateErrorOnMissingKey bool
-		expectError               bool
-		expectExitFromError       bool
-	}{
-		"true, no template error": {
-			exitOnRetryFailure:        pointerutil.BoolPtr(true),
-			templateContents:          templateContents(0),
-			expectTemplateRender:      templateRendered(0),
-			templateErrorOnMissingKey: false,
-			expectError:               false,
-			expectExitFromError:       false,
-		},
-		"true, with non-existent secret": {
-			exitOnRetryFailure:        pointerutil.BoolPtr(true),
-			templateContents:          badTemplateContent,
-			expectTemplateRender:      "",
-			templateErrorOnMissingKey: false,
-			expectError:               true,
-			expectExitFromError:       true,
-		},
-		"true, with missing key": {
-			exitOnRetryFailure:        pointerutil.BoolPtr(true),
-			templateContents:          missingKeyTemplateContent,
-			expectTemplateRender:      missingKeyTemplateRender,
-			templateErrorOnMissingKey: false,
-			expectError:               false,
-			expectExitFromError:       false,
-		},
-		"true, with missing key, with error_on_missing_key": {
-			exitOnRetryFailure:        pointerutil.BoolPtr(true),
-			templateContents:          missingKeyTemplateContent,
-			expectTemplateRender:      "",
-			templateErrorOnMissingKey: true,
-			expectError:               true,
-			expectExitFromError:       true,
-		},
-		"false, no template error": {
-			exitOnRetryFailure:        pointerutil.BoolPtr(false),
-			templateContents:          templateContents(0),
-			expectTemplateRender:      templateRendered(0),
-			templateErrorOnMissingKey: false,
-			expectError:               false,
-			expectExitFromError:       false,
-		},
-		"false, with non-existent secret": {
-			exitOnRetryFailure:        pointerutil.BoolPtr(false),
-			templateContents:          badTemplateContent,
-			expectTemplateRender:      "",
-			templateErrorOnMissingKey: false,
-			expectError:               true,
-			expectExitFromError:       false,
-		},
-		"false, with missing key": {
-			exitOnRetryFailure:        pointerutil.BoolPtr(false),
-			templateContents:          missingKeyTemplateContent,
-			expectTemplateRender:      missingKeyTemplateRender,
-			templateErrorOnMissingKey: false,
-			expectError:               false,
-			expectExitFromError:       false,
-		},
-		"false, with missing key, with error_on_missing_key": {
-			exitOnRetryFailure:        pointerutil.BoolPtr(false),
-			templateContents:          missingKeyTemplateContent,
-			expectTemplateRender:      missingKeyTemplateRender,
-			templateErrorOnMissingKey: true,
-			expectError:               true,
-			expectExitFromError:       false,
-		},
-		"missing": {
-			exitOnRetryFailure:        nil,
-			templateContents:          templateContents(0),
-			expectTemplateRender:      templateRendered(0),
-			templateErrorOnMissingKey: false,
-			expectError:               false,
-			expectExitFromError:       false,
-		},
-	}
-
-	for tcName, tc := range testCases {
-		t.Run(tcName, func(t *testing.T) {
-			// create temp dir for this test run
-			tmpDir, err := os.MkdirTemp(tmpDirRoot, tcName)
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			listenAddr := generateListenerAddress(t)
-			listenConfig := fmt.Sprintf(`
-listener "tcp" {
-  address = "%s"
-  tls_disable = true
-}
-`, listenAddr)
-
-			var exitOnRetryFailure string
-			if tc.exitOnRetryFailure != nil {
-				exitOnRetryFailure = fmt.Sprintf("exit_on_retry_failure = %t", *tc.exitOnRetryFailure)
-			}
-			templateConfig := fmt.Sprintf(`
-template_config = {
-	%s
-}
-`, exitOnRetryFailure)
-
-			template := fmt.Sprintf(`
-template {
-	contents = <<EOF
-%s
-EOF
-	destination = "%s/render_0.json"
-	error_on_missing_key = %t
-}
-`, tc.templateContents, tmpDir, tc.templateErrorOnMissingKey)
-
-			config := fmt.Sprintf(`
-# auto-auth stanza
-%s
-
-vault {
-	address = "%s"
-	tls_skip_verify = true
-	retry {
-		num_retries = 3
-	}
-}
-
-# listener stanza
-%s
-
-# template_config stanza
-%s
-
-# template stanza
-%s
-`, autoAuthConfig, serverClient.Address(), listenConfig, templateConfig, template)
-
-			configPath := makeTempFile(t, "config.hcl", config)
-			defer os.Remove(configPath)
-
-			// Start the agent
-			ui, cmd := testAgentCommand(t, logger)
-			cmd.startedCh = make(chan struct{})
-
-			// Channel to let verify() know to stop early if agent
-			// has exited
-			cmdRunDoneCh := make(chan struct{})
-			var exitedEarly bool
-
-			wg := &sync.WaitGroup{}
-			wg.Add(1)
-			var code int
-			go func() {
-				code = cmd.Run([]string{"-config", configPath})
-				close(cmdRunDoneCh)
-				wg.Done()
-			}()
-
-			verify := func() error {
-				t.Helper()
-				// We need to poll for a bit to give Agent time to render the
-				// templates. Without this this, the test will attempt to read
-				// the temp dir before Agent has had time to render and will
-				// likely fail the test
-				tick := time.Tick(1 * time.Second)
-				timeout := time.After(15 * time.Second)
-				var err error
-				for {
-					select {
-					case <-cmdRunDoneCh:
-						exitedEarly = true
-						return nil
-					case <-timeout:
-						return fmt.Errorf("timed out waiting for templates to render, last error: %w", err)
-					case <-tick:
-					}
-					// Check for files rendered in the directory and break
-					// early for shutdown if we do have all the files
-					// rendered
-
-					//----------------------------------------------------
-					// Perform the tests
-					//----------------------------------------------------
-
-					if numFiles := testListFiles(t, tmpDir, ".json"); numFiles != 1 {
-						err = fmt.Errorf("expected 1 template, got (%d)", numFiles)
-						continue
-					}
-
-					fileName := filepath.Join(tmpDir, "render_0.json")
-					var c []byte
-					c, err = os.ReadFile(fileName)
-					if err != nil {
-						continue
-					}
-					if strings.TrimSpace(string(c)) != tc.expectTemplateRender {
-						err = fmt.Errorf("expected=%q, got=%q", tc.expectTemplateRender, strings.TrimSpace(string(c)))
-						continue
-					}
-					return nil
-				}
-			}
-
-			err = verify()
-			close(cmd.ShutdownCh)
-			wg.Wait()
-
-			switch {
-			case (code != 0 || err != nil) && tc.expectError:
-				if exitedEarly != tc.expectExitFromError {
-					t.Fatalf("expected program exit due to error to be '%t', got '%t'", tc.expectExitFromError, exitedEarly)
-				}
-			case code == 0 && err == nil && !tc.expectError:
-				if exitedEarly {
-					t.Fatalf("did not expect program to exit before verify completes")
-				}
-			default:
-				if code != 0 {
-					t.Logf("output from agent:\n%s", ui.OutputWriter.String())
-					t.Logf("error from agent:\n%s", ui.ErrorWriter.String())
-				}
-				t.Fatalf("expectError=%v error=%v code=%d", tc.expectError, err, code)
-			}
-		})
-	}
-}
-
-func TestAgent_Metrics(t *testing.T) {
-	//----------------------------------------------------
-	// Start the server and agent
-	//----------------------------------------------------
-
-	// Start a vault server
-	cluster := vault.NewTestCluster(t, nil,
-		&vault.TestClusterOptions{
-			HandlerFunc: vaulthttp.Handler,
-		})
-	cluster.Start()
-	defer cluster.Cleanup()
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
-	serverClient := cluster.Cores[0].Client
-
-	// Create a config file
-	listenAddr := generateListenerAddress(t)
-	config := fmt.Sprintf(`
-cache {}
-
-listener "tcp" {
-    address = "%s"
-    tls_disable = true
-}
-`, listenAddr)
-	configPath := makeTempFile(t, "config.hcl", config)
-	defer os.Remove(configPath)
-
-	// Start the agent
-	ui, cmd := testAgentCommand(t, logging.NewVaultLogger(hclog.Trace))
-	cmd.client = serverClient
-	cmd.startedCh = make(chan struct{})
-
-	var output string
-	var code int
-	wg := &sync.WaitGroup{}
-	wg.Add(1)
-	go func() {
-		code = cmd.Run([]string{"-config", configPath})
-		if code != 0 {
-			output = ui.ErrorWriter.String() + ui.OutputWriter.String()
-		}
-		wg.Done()
-	}()
-
-	select {
-	case <-cmd.startedCh:
-	case <-time.After(5 * time.Second):
-		t.Errorf("timeout")
-	}
-
-	// defer agent shutdown
-	defer func() {
-		cmd.ShutdownCh <- struct{}{}
-		wg.Wait()
-		if code != 0 {
-			t.Fatalf("got a non-zero exit status: %d, stdout/stderr: %s", code, output)
-		}
-	}()
-
-	conf := api.DefaultConfig()
-	conf.Address = "http://" + listenAddr
-	agentClient, err := api.NewClient(conf)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-
-	req := agentClient.NewRequest("GET", "/agent/v1/metrics")
-	body := request(t, agentClient, req, 200)
-	keys := []string{}
-	for k := range body {
-		keys = append(keys, k)
-	}
-	require.ElementsMatch(t, keys, []string{
-		"Counters",
-		"Samples",
-		"Timestamp",
-		"Gauges",
-		"Points",
-	})
-}
-
-func TestAgent_Quit(t *testing.T) {
-	//----------------------------------------------------
-	// Start the server and agent
-	//----------------------------------------------------
-	cluster := minimal.NewTestSoloCluster(t, nil)
-	serverClient := cluster.Cores[0].Client
-
-	// Unset the environment variable so that agent picks up the right test
-	// cluster address
-	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
-	err := os.Unsetenv(api.EnvVaultAddress)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	listenAddr := generateListenerAddress(t)
-	listenAddr2 := generateListenerAddress(t)
-	config := fmt.Sprintf(`
-vault {
-  address = "%s"
-  tls_skip_verify = true
-}
-
-listener "tcp" {
-	address = "%s"
-	tls_disable = true
-}
-
-listener "tcp" {
-	address = "%s"
-	tls_disable = true
-	agent_api {
-		enable_quit = true
-	}
-}
-
-cache {}
-`, serverClient.Address(), listenAddr, listenAddr2)
-
-	configPath := makeTempFile(t, "config.hcl", config)
-	defer os.Remove(configPath)
-
-	// Start the agent
-	_, cmd := testAgentCommand(t, nil)
-	cmd.startedCh = make(chan struct{})
-
-	wg := &sync.WaitGroup{}
-	wg.Add(1)
-	go func() {
-		cmd.Run([]string{"-config", configPath})
-		wg.Done()
-	}()
-
-	select {
-	case <-cmd.startedCh:
-	case <-time.After(5 * time.Second):
-		t.Errorf("timeout")
-	}
-	client, err := api.NewClient(api.DefaultConfig())
-	if err != nil {
-		t.Fatal(err)
-	}
-	client.SetToken(serverClient.Token())
-	client.SetMaxRetries(0)
-	err = client.SetAddress("http://" + listenAddr)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// First try on listener 1 where the API should be disabled.
-	resp, err := client.RawRequest(client.NewRequest(http.MethodPost, "/agent/v1/quit"))
-	if err == nil {
-		t.Fatalf("expected error")
-	}
-	if resp != nil && resp.StatusCode != http.StatusNotFound {
-		t.Fatalf("expected %d but got: %d", http.StatusNotFound, resp.StatusCode)
-	}
-
-	// Now try on listener 2 where the quit API should be enabled.
-	err = client.SetAddress("http://" + listenAddr2)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = client.RawRequest(client.NewRequest(http.MethodPost, "/agent/v1/quit"))
-	if err != nil {
-		t.Fatalf("unexpected error: %s", err)
-	}
-
-	select {
-	case <-cmd.ShutdownCh:
-	case <-time.After(5 * time.Second):
-		t.Errorf("timeout")
-	}
-
-	wg.Wait()
-}
-
-func TestAgent_LogFile_CliOverridesConfig(t *testing.T) {
-	// Create basic config
-	configFile := populateTempFile(t, "agent-config.hcl", BasicHclConfig)
-	cfg, err := agentConfig.LoadConfigFile(configFile.Name())
-	if err != nil {
-		t.Fatal("Cannot load config to test update/merge", err)
-	}
-
-	// Sanity check that the config value is the current value
-	assert.Equal(t, "TMPDIR/juan.log", cfg.LogFile)
-
-	// Initialize the command and parse any flags
-	cmd := &AgentCommand{BaseCommand: &BaseCommand{}}
-	f := cmd.Flags()
-	// Simulate the flag being specified
-	err = f.Parse([]string{"-log-file=/foo/bar/test.log"})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Update the config based on the inputs.
-	cmd.applyConfigOverrides(f, cfg)
-
-	assert.NotEqual(t, "TMPDIR/juan.log", cfg.LogFile)
-	assert.NotEqual(t, "/squiggle/logs.txt", cfg.LogFile)
-	assert.Equal(t, "/foo/bar/test.log", cfg.LogFile)
-}
-
-func TestAgent_LogFile_Config(t *testing.T) {
-	configFile := populateTempFile(t, "agent-config.hcl", BasicHclConfig)
-
-	cfg, err := agentConfig.LoadConfigFile(configFile.Name())
-	if err != nil {
-		t.Fatal("Cannot load config to test update/merge", err)
-	}
-
-	// Sanity check that the config value is the current value
-	assert.Equal(t, "TMPDIR/juan.log", cfg.LogFile, "sanity check on log config failed")
-	assert.Equal(t, 2, cfg.LogRotateMaxFiles)
-	assert.Equal(t, 1048576, cfg.LogRotateBytes)
-
-	// Parse the cli flags (but we pass in an empty slice)
-	cmd := &AgentCommand{BaseCommand: &BaseCommand{}}
-	f := cmd.Flags()
-	err = f.Parse([]string{})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Should change nothing...
-	cmd.applyConfigOverrides(f, cfg)
-
-	assert.Equal(t, "TMPDIR/juan.log", cfg.LogFile, "actual config check")
-	assert.Equal(t, 2, cfg.LogRotateMaxFiles)
-	assert.Equal(t, 1048576, cfg.LogRotateBytes)
-}
-
-func TestAgent_Config_NewLogger_Default(t *testing.T) {
-	cmd := &AgentCommand{BaseCommand: &BaseCommand{}}
-	cmd.config = agentConfig.NewConfig()
-	logger, err := cmd.newLogger()
-
-	assert.NoError(t, err)
-	assert.NotNil(t, logger)
-	assert.Equal(t, hclog.Info.String(), logger.GetLevel().String())
-}
-
-func TestAgent_Config_ReloadLogLevel(t *testing.T) {
-	cmd := &AgentCommand{BaseCommand: &BaseCommand{}}
-	var err error
-	tempDir := t.TempDir()
-
-	// Load an initial config
-	hcl := strings.ReplaceAll(BasicHclConfig, "TMPDIR", tempDir)
-	configFile := populateTempFile(t, "agent-config.hcl", hcl)
-	cmd.config, err = agentConfig.LoadConfigFile(configFile.Name())
-	if err != nil {
-		t.Fatal("Cannot load config to test update/merge", err)
-	}
-
-	// Tweak the loaded config to make sure we can put log files into a temp dir
-	// and systemd log attempts work fine, this would usually happen during Run.
-	cmd.logWriter = os.Stdout
-	cmd.logger, err = cmd.newLogger()
-	if err != nil {
-		t.Fatal("logger required for systemd log messages", err)
-	}
-
-	// Sanity check
-	assert.Equal(t, "warn", cmd.config.LogLevel)
-
-	// Load a new config
-	hcl = strings.ReplaceAll(BasicHclConfig2, "TMPDIR", tempDir)
-	configFile = populateTempFile(t, "agent-config.hcl", hcl)
-	err = cmd.reloadConfig([]string{configFile.Name()})
-	assert.NoError(t, err)
-	assert.Equal(t, "debug", cmd.config.LogLevel)
-}
-
-func TestAgent_Config_ReloadTls(t *testing.T) {
-	var wg sync.WaitGroup
-	wd, err := os.Getwd()
-	if err != nil {
-		t.Fatal("unable to get current working directory")
-	}
-	workingDir := filepath.Join(wd, "/agent/test-fixtures/reload")
-	fooCert := "reload_foo.pem"
-	fooKey := "reload_foo.key"
-
-	barCert := "reload_bar.pem"
-	barKey := "reload_bar.key"
-
-	reloadCert := "reload_cert.pem"
-	reloadKey := "reload_key.pem"
-	caPem := "reload_ca.pem"
-
-	tempDir := t.TempDir()
-
-	// Set up initial 'foo' certs
-	inBytes, err := os.ReadFile(filepath.Join(workingDir, fooCert))
-	if err != nil {
-		t.Fatal("unable to read cert required for test", fooCert, err)
-	}
-	err = os.WriteFile(filepath.Join(tempDir, reloadCert), inBytes, 0o777)
-	if err != nil {
-		t.Fatal("unable to write temp cert required for test", reloadCert, err)
-	}
-
-	inBytes, err = os.ReadFile(filepath.Join(workingDir, fooKey))
-	if err != nil {
-		t.Fatal("unable to read cert key required for test", fooKey, err)
-	}
-	err = os.WriteFile(filepath.Join(tempDir, reloadKey), inBytes, 0o777)
-	if err != nil {
-		t.Fatal("unable to write temp cert key required for test", reloadKey, err)
-	}
-
-	inBytes, err = os.ReadFile(filepath.Join(workingDir, caPem))
-	if err != nil {
-		t.Fatal("unable to read CA pem required for test", caPem, err)
-	}
-	certPool := x509.NewCertPool()
-	ok := certPool.AppendCertsFromPEM(inBytes)
-	if !ok {
-		t.Fatal("not ok when appending CA cert")
-	}
-
-	replacedHcl := strings.ReplaceAll(BasicHclConfig, "TMPDIR", tempDir)
-	configFile := populateTempFile(t, "agent-config.hcl", replacedHcl)
-
-	// Set up Agent/cmd
-	logger := logging.NewVaultLogger(hclog.Trace)
-	ui, cmd := testAgentCommand(t, logger)
-
-	var output string
-	var code int
-	wg.Add(1)
-	args := []string{"-config", configFile.Name()}
-	go func() {
-		if code = cmd.Run(args); code != 0 {
-			output = ui.ErrorWriter.String() + ui.OutputWriter.String()
-		}
-		wg.Done()
-	}()
-
-	testCertificateName := func(cn string) error {
-		conn, err := tls.Dial("tcp", "127.0.0.1:8100", &tls.Config{
-			RootCAs: certPool,
-		})
-		if err != nil {
-			return err
-		}
-		defer conn.Close()
-		if err = conn.Handshake(); err != nil {
-			return err
-		}
-		servName := conn.ConnectionState().PeerCertificates[0].Subject.CommonName
-		if servName != cn {
-			return fmt.Errorf("expected %s, got %s", cn, servName)
-		}
-		return nil
-	}
-
-	// Start
-	select {
-	case <-cmd.startedCh:
-	case <-time.After(5 * time.Second):
-		t.Fatalf("timeout")
-	}
-
-	if err := testCertificateName("foo.example.com"); err != nil {
-		t.Fatalf("certificate name didn't check out: %s", err)
-	}
-
-	// Swap out certs
-	inBytes, err = os.ReadFile(filepath.Join(workingDir, barCert))
-	if err != nil {
-		t.Fatal("unable to read cert required for test", barCert, err)
-	}
-	err = os.WriteFile(filepath.Join(tempDir, reloadCert), inBytes, 0o777)
-	if err != nil {
-		t.Fatal("unable to write temp cert required for test", reloadCert, err)
-	}
-
-	inBytes, err = os.ReadFile(filepath.Join(workingDir, barKey))
-	if err != nil {
-		t.Fatal("unable to read cert key required for test", barKey, err)
-	}
-	err = os.WriteFile(filepath.Join(tempDir, reloadKey), inBytes, 0o777)
-	if err != nil {
-		t.Fatal("unable to write temp cert key required for test", reloadKey, err)
-	}
-
-	// Reload
-	cmd.SighupCh <- struct{}{}
-	select {
-	case <-cmd.reloadedCh:
-	case <-time.After(5 * time.Second):
-		t.Fatalf("timeout")
-	}
-
-	if err := testCertificateName("bar.example.com"); err != nil {
-		t.Fatalf("certificate name didn't check out: %s", err)
-	}
-
-	// Shut down
-	cmd.ShutdownCh <- struct{}{}
-	wg.Wait()
-
-	if code != 0 {
-		t.Fatalf("got a non-zero exit status: %d, stdout/stderr: %s", code, output)
-	}
-}
-
-// TestAgent_NonTLSListener_SIGHUP tests giving a SIGHUP signal to a listener
-// without a TLS configuration. Prior to fixing GitHub issue #19480, this
-// would cause a panic.
-func TestAgent_NonTLSListener_SIGHUP(t *testing.T) {
-	logger := logging.NewVaultLogger(hclog.Trace)
-	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
-		HandlerFunc: vaulthttp.Handler,
-	})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	serverClient := cluster.Cores[0].Client
-
-	// Unset the environment variable so that agent picks up the right test
-	// cluster address
-	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
-	os.Unsetenv(api.EnvVaultAddress)
-
-	listenAddr := generateListenerAddress(t)
-	listenConfig := fmt.Sprintf(`
-listener "tcp" {
-  address = "%s"
-  tls_disable = true
-}
-`, listenAddr)
-
-	config := fmt.Sprintf(`
-vault {
-  address = "%s"
-  tls_skip_verify = true
-}
-%s
-`, serverClient.Address(), listenConfig)
-	configPath := makeTempFile(t, "config.hcl", config)
-	defer os.Remove(configPath)
-
-	// Start the agent
-	ui, cmd := testAgentCommand(t, logger)
-
-	cmd.startedCh = make(chan struct{})
-
-	var output string
-	var code int
-	wg := &sync.WaitGroup{}
-	wg.Add(1)
-	go func() {
-		if code = cmd.Run([]string{"-config", configPath}); code != 0 {
-			output = ui.ErrorWriter.String() + ui.OutputWriter.String()
-		}
-		wg.Done()
-	}()
-
-	select {
-	case <-cmd.startedCh:
-	case <-time.After(5 * time.Second):
-		t.Errorf("timeout")
-	}
-
-	// Reload
-	cmd.SighupCh <- struct{}{}
-	select {
-	case <-cmd.reloadedCh:
-	case <-time.After(5 * time.Second):
-		t.Fatalf("timeout")
-	}
-
-	close(cmd.ShutdownCh)
-	wg.Wait()
-
-	if code != 0 {
-		t.Fatalf("got a non-zero exit status: %d, stdout/stderr: %s", code, output)
-	}
-}
-
-// Get a randomly assigned port and then free it again before returning it.
-// There is still a race when trying to use it, but should work better
-// than a static port.
-func generateListenerAddress(t *testing.T) string {
-	t.Helper()
-
-	ln1, err := net.Listen("tcp", "127.0.0.1:0")
-	if err != nil {
-		t.Fatal(err)
-	}
-	listenAddr := ln1.Addr().String()
-	ln1.Close()
-	return listenAddr
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+{{#unless this.selectedAuthIsPath}}
+  <div class="box has-slim-padding is-shadowless">
+    <ToggleButton @isOpen={{this.isOpen}} @onClick={{fn (mut this.isOpen)}} data-test-auth-form-options-toggle />
+    {{#if this.isOpen}}
+      <div class="field">
+        <label for="custom-path" class="is-label">
+          Mount path
+        </label>
+        <div class="control">
+          <input
+            type="text"
+            name="custom-path"
+            id="custom-path"
+            class="input"
+            value={{@customPath}}
+            oninput={{action @onPathChange value="target.value"}}
+            data-test-auth-form-mount-path
+          />
+        </div>
+        <AlertInline
+          class="has-top-padding-s"
+          @type="info"
+          @message="If this backend was mounted using a non-default path, enter it here."
+        />
+      </div>
+    {{/if}}
+  </div>
+{{/unless}}
\ No newline at end of file
diff --git a/command/agentproxyshared/cache/cacheboltdb/bolt.go b/command/agentproxyshared/cache/cacheboltdb/bolt.go
index 6100ef896298..8d06e36dcd86 100644
--- a/command/agentproxyshared/cache/cacheboltdb/bolt.go
+++ b/command/agentproxyshared/cache/cacheboltdb/bolt.go
@@ -1,448 +1,204 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package cacheboltdb
-
-import (
-	"context"
-	"encoding/binary"
-	"fmt"
-	"os"
-	"path/filepath"
-	"time"
-
-	"github.com/golang/protobuf/proto"
-	"github.com/hashicorp/go-hclog"
-	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
-	"github.com/hashicorp/go-multierror"
-	bolt "go.etcd.io/bbolt"
-)
-
-const (
-	// Keep track of schema version for future migrations
-	storageVersionKey = "version"
-	storageVersion    = "2" // v2 merges auth-lease and secret-lease buckets into one ordered bucket
-
-	// DatabaseFileName - filename for the persistent cache file
-	DatabaseFileName = "vault-agent-cache.db"
-
-	// metaBucketName - naming the meta bucket that holds the version and
-	// bootstrapping keys
-	metaBucketName = "meta"
-
-	// DEPRECATED: secretLeaseType - v1 Bucket/type for leases with secret info
-	secretLeaseType = "secret-lease"
-
-	// DEPRECATED: authLeaseType - v1 Bucket/type for leases with auth info
-	authLeaseType = "auth-lease"
-
-	// TokenType - Bucket/type for auto-auth tokens
-	TokenType = "token"
-
-	// StaticSecretType - Bucket/type for static secrets
-	StaticSecretType = "static-secret"
-
-	// TokenCapabilitiesType - Bucket/type for the token capabilities that
-	// are used to govern access to static secrets. These will be updated
-	// periodically to ensure that access to the cached secret remains.
-	TokenCapabilitiesType = "token-capabilities"
-
-	// LeaseType - v2 Bucket/type for auth AND secret leases.
-	//
-	// This bucket stores keys in the same order they were created using
-	// auto-incrementing keys and the fact that BoltDB stores keys in byte
-	// slice order. This means when we iterate through this bucket during
-	// restore, we will always restore parent tokens before their children,
-	// allowing us to correctly attach child contexts to their parent's context.
-	LeaseType = "lease"
-
-	// lookupType - v2 Bucket/type to map from a memcachedb index ID to an
-	// auto-incrementing BoltDB key. Facilitates deletes from the lease
-	// bucket using an ID instead of the auto-incrementing BoltDB key.
-	lookupType = "lookup"
-
-	// AutoAuthToken - key for the latest auto-auth token
-	AutoAuthToken = "auto-auth-token"
-
-	// RetrievalTokenMaterial is the actual key or token in the key bucket
-	RetrievalTokenMaterial = "retrieval-token-material"
-)
-
-// BoltStorage is a persistent cache using a bolt db. Items are organized with
-// the version and bootstrapping items in the "meta" bucket, and tokens, auth
-// leases, and secret leases in their own buckets.
-type BoltStorage struct {
-	db      *bolt.DB
-	logger  hclog.Logger
-	wrapper wrapping.Wrapper
-	aad     string
-}
-
-// BoltStorageConfig is the collection of input parameters for setting up bolt
-// storage
-type BoltStorageConfig struct {
-	Path    string
-	Logger  hclog.Logger
-	Wrapper wrapping.Wrapper
-	AAD     string
-}
-
-// NewBoltStorage opens a new bolt db at the specified file path and returns it.
-// If the db already exists the buckets will just be created if they don't
-// exist.
-func NewBoltStorage(config *BoltStorageConfig) (*BoltStorage, error) {
-	dbPath := filepath.Join(config.Path, DatabaseFileName)
-	db, err := bolt.Open(dbPath, 0o600, &bolt.Options{Timeout: 1 * time.Second})
-	if err != nil {
-		return nil, err
-	}
-	err = db.Update(func(tx *bolt.Tx) error {
-		return createBoltSchema(tx, storageVersion)
-	})
-	if err != nil {
-		return nil, err
-	}
-	bs := &BoltStorage{
-		db:      db,
-		logger:  config.Logger,
-		wrapper: config.Wrapper,
-		aad:     config.AAD,
-	}
-	return bs, nil
-}
-
-func createBoltSchema(tx *bolt.Tx, createVersion string) error {
-	switch {
-	case createVersion == "1":
-		if err := createV1BoltSchema(tx); err != nil {
-			return err
-		}
-	case createVersion == "2":
-		if err := createV2BoltSchema(tx); err != nil {
-			return err
-		}
-	default:
-		return fmt.Errorf("schema version %s not supported", createVersion)
-	}
-
-	meta, err := tx.CreateBucketIfNotExists([]byte(metaBucketName))
-	if err != nil {
-		return fmt.Errorf("failed to create bucket %s: %w", metaBucketName, err)
-	}
-
-	// Check and set file version in the meta bucket.
-	version := meta.Get([]byte(storageVersionKey))
-	switch {
-	case version == nil:
-		err = meta.Put([]byte(storageVersionKey), []byte(createVersion))
-		if err != nil {
-			return fmt.Errorf("failed to set storage version: %w", err)
-		}
-
-		return nil
-
-	case string(version) == createVersion:
-		return nil
-
-	case string(version) == "1" && createVersion == "2":
-		return migrateFromV1ToV2Schema(tx)
-
-	default:
-		return fmt.Errorf("storage migration from %s to %s not implemented", string(version), createVersion)
-	}
-}
-
-func createV1BoltSchema(tx *bolt.Tx) error {
-	// Create the buckets for tokens and leases.
-	for _, bucket := range []string{TokenType, authLeaseType, secretLeaseType} {
-		if _, err := tx.CreateBucketIfNotExists([]byte(bucket)); err != nil {
-			return fmt.Errorf("failed to create %s bucket: %w", bucket, err)
-		}
-	}
-
-	return nil
-}
-
-func createV2BoltSchema(tx *bolt.Tx) error {
-	// Create the buckets for tokens and leases.
-	for _, bucket := range []string{TokenType, LeaseType, lookupType, StaticSecretType, TokenCapabilitiesType} {
-		if _, err := tx.CreateBucketIfNotExists([]byte(bucket)); err != nil {
-			return fmt.Errorf("failed to create %s bucket: %w", bucket, err)
-		}
-	}
-
-	return nil
-}
-
-func migrateFromV1ToV2Schema(tx *bolt.Tx) error {
-	if err := createV2BoltSchema(tx); err != nil {
-		return err
-	}
-
-	for _, v1BucketType := range []string{authLeaseType, secretLeaseType} {
-		if bucket := tx.Bucket([]byte(v1BucketType)); bucket != nil {
-			bucket.ForEach(func(key, value []byte) error {
-				autoIncKey, err := autoIncrementedLeaseKey(tx, string(key))
-				if err != nil {
-					return fmt.Errorf("error migrating %s %q key to auto incremented key: %w", v1BucketType, string(key), err)
-				}
-				if err := tx.Bucket([]byte(LeaseType)).Put(autoIncKey, value); err != nil {
-					return fmt.Errorf("error migrating %s %q from v1 to v2 schema: %w", v1BucketType, string(key), err)
-				}
-				return nil
-			})
-
-			if err := tx.DeleteBucket([]byte(v1BucketType)); err != nil {
-				return fmt.Errorf("failed to clean up %s bucket during v1 to v2 schema migration: %w", v1BucketType, err)
-			}
-		}
-	}
-
-	meta, err := tx.CreateBucketIfNotExists([]byte(metaBucketName))
-	if err != nil {
-		return fmt.Errorf("failed to create meta bucket: %w", err)
-	}
-	if err := meta.Put([]byte(storageVersionKey), []byte(storageVersion)); err != nil {
-		return fmt.Errorf("failed to update schema from v1 to v2: %w", err)
-	}
-
-	return nil
-}
-
-func autoIncrementedLeaseKey(tx *bolt.Tx, id string) ([]byte, error) {
-	leaseBucket := tx.Bucket([]byte(LeaseType))
-	keyValue, err := leaseBucket.NextSequence()
-	if err != nil {
-		return nil, fmt.Errorf("failed to generate lookup key for id %q: %w", id, err)
-	}
-
-	key := make([]byte, 8)
-	// MUST be big endian, because keys are ordered by byte slice comparison
-	// which progressively compares each byte in the slice starting at index 0.
-	// BigEndian in the range [255-257] looks like this:
-	// [0 0 0 0 0 0 0 255]
-	// [0 0 0 0 0 0 1 0]
-	// [0 0 0 0 0 0 1 1]
-	// LittleEndian in the same range looks like this:
-	// [255 0 0 0 0 0 0 0]
-	// [0 1 0 0 0 0 0 0]
-	// [1 1 0 0 0 0 0 0]
-	binary.BigEndian.PutUint64(key, keyValue)
-
-	err = tx.Bucket([]byte(lookupType)).Put([]byte(id), key)
-	if err != nil {
-		return nil, err
-	}
-
-	return key, nil
-}
-
-// Set an index (token or lease) in bolt storage
-func (b *BoltStorage) Set(ctx context.Context, id string, plaintext []byte, indexType string) error {
-	blob, err := b.wrapper.Encrypt(ctx, plaintext, wrapping.WithAad([]byte(b.aad)))
-	if err != nil {
-		return fmt.Errorf("error encrypting %s index: %w", indexType, err)
-	}
-
-	protoBlob, err := proto.Marshal(blob)
-	if err != nil {
-		return err
-	}
-
-	return b.db.Update(func(tx *bolt.Tx) error {
-		var key []byte
-		switch indexType {
-		case LeaseType:
-			// If this is a lease type, generate an auto-incrementing key and
-			// store an ID -> key lookup entry
-			key, err = autoIncrementedLeaseKey(tx, id)
-			if err != nil {
-				return err
-			}
-		case TokenType:
-			// If this is an auto-auth token, also stash it in the meta bucket for
-			// easy retrieval upon restore
-			key = []byte(id)
-			meta := tx.Bucket([]byte(metaBucketName))
-			if err := meta.Put([]byte(AutoAuthToken), protoBlob); err != nil {
-				return fmt.Errorf("failed to set latest auto-auth token: %w", err)
-			}
-		case StaticSecretType:
-			key = []byte(id)
-		case TokenCapabilitiesType:
-			key = []byte(id)
-		default:
-			return fmt.Errorf("called Set for unsupported type %q", indexType)
-		}
-		s := tx.Bucket([]byte(indexType))
-		if s == nil {
-			return fmt.Errorf("bucket %q not found", indexType)
-		}
-		return s.Put(key, protoBlob)
-	})
-}
-
-// Delete an index (token or lease) by key from bolt storage
-func (b *BoltStorage) Delete(id string, indexType string) error {
-	return b.db.Update(func(tx *bolt.Tx) error {
-		key := []byte(id)
-		if indexType == LeaseType {
-			key = tx.Bucket([]byte(lookupType)).Get(key)
-			if key == nil {
-				return fmt.Errorf("failed to lookup bolt DB key for id %q", id)
-			}
-
-			err := tx.Bucket([]byte(lookupType)).Delete([]byte(id))
-			if err != nil {
-				return fmt.Errorf("failed to delete %q from lookup bucket: %w", id, err)
-			}
-		}
-
-		bucket := tx.Bucket([]byte(indexType))
-		if bucket == nil {
-			return fmt.Errorf("bucket %q not found during delete", indexType)
-		}
-		if err := bucket.Delete(key); err != nil {
-			return fmt.Errorf("failed to delete %q from %q bucket: %w", id, indexType, err)
-		}
-		b.logger.Trace("deleted index from bolt db", "id", id)
-		return nil
-	})
-}
-
-func (b *BoltStorage) decrypt(ctx context.Context, ciphertext []byte) ([]byte, error) {
-	var blob wrapping.BlobInfo
-	if err := proto.Unmarshal(ciphertext, &blob); err != nil {
-		return nil, err
-	}
-
-	return b.wrapper.Decrypt(ctx, &blob, wrapping.WithAad([]byte(b.aad)))
-}
-
-// GetByType returns a list of stored items of the specified type
-func (b *BoltStorage) GetByType(ctx context.Context, indexType string) ([][]byte, error) {
-	var returnBytes [][]byte
-
-	err := b.db.View(func(tx *bolt.Tx) error {
-		var errors *multierror.Error
-
-		bucket := tx.Bucket([]byte(indexType))
-		if bucket == nil {
-			return fmt.Errorf("bucket %q not found", indexType)
-		}
-		bucket.ForEach(func(key, ciphertext []byte) error {
-			plaintext, err := b.decrypt(ctx, ciphertext)
-			if err != nil {
-				errors = multierror.Append(errors, fmt.Errorf("error decrypting entry %s: %w", key, err))
-				return nil
-			}
-
-			returnBytes = append(returnBytes, plaintext)
-			return nil
-		})
-		return errors.ErrorOrNil()
-	})
-
-	return returnBytes, err
-}
-
-// GetAutoAuthToken retrieves the latest auto-auth token, and returns nil if non
-// exists yet
-func (b *BoltStorage) GetAutoAuthToken(ctx context.Context) ([]byte, error) {
-	var encryptedToken []byte
-
-	err := b.db.View(func(tx *bolt.Tx) error {
-		meta := tx.Bucket([]byte(metaBucketName))
-		if meta == nil {
-			return fmt.Errorf("bucket %q not found", metaBucketName)
-		}
-		value := meta.Get([]byte(AutoAuthToken))
-		if value != nil {
-			encryptedToken = make([]byte, len(value))
-			copy(encryptedToken, value)
-		}
-		return nil
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	if encryptedToken == nil {
-		return nil, nil
-	}
-
-	plaintext, err := b.decrypt(ctx, encryptedToken)
-	if err != nil {
-		return nil, fmt.Errorf("failed to decrypt auto-auth token: %w", err)
-	}
-	return plaintext, nil
-}
-
-// GetRetrievalToken retrieves a plaintext token from the KeyBucket, which will
-// be used by the key manager to retrieve the encryption key, nil if none set
-func (b *BoltStorage) GetRetrievalToken() ([]byte, error) {
-	var token []byte
-
-	err := b.db.View(func(tx *bolt.Tx) error {
-		metaBucket := tx.Bucket([]byte(metaBucketName))
-		if metaBucket == nil {
-			return fmt.Errorf("bucket %q not found", metaBucketName)
-		}
-		value := metaBucket.Get([]byte(RetrievalTokenMaterial))
-		if value != nil {
-			token = make([]byte, len(value))
-			copy(token, value)
-		}
-		return nil
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	return token, err
-}
-
-// StoreRetrievalToken sets plaintext token material in the RetrievalTokenBucket
-func (b *BoltStorage) StoreRetrievalToken(token []byte) error {
-	return b.db.Update(func(tx *bolt.Tx) error {
-		bucket := tx.Bucket([]byte(metaBucketName))
-		if bucket == nil {
-			return fmt.Errorf("bucket %q not found", metaBucketName)
-		}
-		return bucket.Put([]byte(RetrievalTokenMaterial), token)
-	})
-}
-
-// Close the boltdb
-func (b *BoltStorage) Close() error {
-	b.logger.Trace("closing bolt db", "path", b.db.Path())
-	return b.db.Close()
-}
-
-// Clear the boltdb by deleting all the token and lease buckets and recreating
-// the schema/layout
-func (b *BoltStorage) Clear() error {
-	return b.db.Update(func(tx *bolt.Tx) error {
-		for _, name := range []string{TokenType, LeaseType, lookupType, StaticSecretType, TokenCapabilitiesType} {
-			b.logger.Trace("deleting bolt bucket", "name", name)
-			if err := tx.DeleteBucket([]byte(name)); err != nil {
-				return err
-			}
-		}
-		return createBoltSchema(tx, storageVersion)
-	})
-}
-
-// DBFileExists checks whether the vault agent cache file at `filePath` exists
-func DBFileExists(path string) (bool, error) {
-	checkFile, err := os.OpenFile(filepath.Join(path, DatabaseFileName), os.O_RDWR, 0o600)
-	defer checkFile.Close()
-	switch {
-	case err == nil:
-		return true, nil
-	case os.IsNotExist(err):
-		return false, nil
-	default:
-		return false, fmt.Errorf("failed to check if bolt file exists at path %s: %w", path, err)
-	}
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<div class="auth-form" data-test-auth-form>
+  {{#if (and this.waitingForOktaNumberChallenge (not this.cancelAuthForOktaNumberChallenge))}}
+    <OktaNumberChallenge
+      @correctAnswer={{this.oktaNumberChallengeAnswer}}
+      @hasError={{(not-eq this.error null)}}
+      @onReturnToLogin={{action "returnToLoginFromOktaNumberChallenge"}}
+    />
+  {{else}}
+    {{#if this.hasMethodsWithPath}}
+      <nav class="tabs is-marginless">
+        <ul>
+          {{#each this.methodsToShow as |method|}}
+            {{#let (or method.path method.type) as |methodKey|}}
+              <li
+                class={{if
+                  (and
+                    this.selectedAuthIsPath (eq (or this.selectedAuthBackend.path this.selectedAuthBackend.type) methodKey)
+                  )
+                  "is-active"
+                  ""
+                }}
+                data-test-auth-method={{method.id}}
+              >
+                <LinkTo
+                  @route="vault.cluster.auth"
+                  @model={{this.cluster.name}}
+                  @query={{hash with=methodKey}}
+                  data-test-auth-method-link={{method.type}}
+                >
+                  {{or method.id (capitalize method.type)}}
+                </LinkTo>
+              </li>
+            {{/let}}
+          {{/each}}
+          <li class={{unless this.selectedAuthIsPath "is-active" ""}} data-test-auth-method>
+            <LinkTo
+              @route="vault.cluster.auth"
+              @model={{this.cluster.name}}
+              @query={{hash with="token"}}
+              data-test-auth-method-link="other"
+            >
+              Other
+            </LinkTo>
+          </li>
+        </ul>
+      </nav>
+    {{/if}}
+    <div class="box is-marginless is-shadowless">
+      <MessageError @errorMessage={{if (and this.cluster.standby this.hasCSPError) this.cspErrorText this.error}} />
+      {{#if this.selectedAuthBackend.path}}
+        <div class="has-bottom-margin-s">
+          <p class="is-label">{{this.selectedAuthBackend.path}}</p>
+          <span class="description has-text-grey" data-test-description={{true}}>
+            {{this.selectedAuthBackend.mountDescription}}
+          </span>
+        </div>
+      {{/if}}
+      {{#if (or (not this.hasMethodsWithPath) (not this.selectedAuthIsPath))}}
+        <Select
+          @label="Method"
+          @name="auth-method"
+          @options={{this.authMethods}}
+          @valueAttribute={{"type"}}
+          @labelAttribute={{"typeDisplay"}}
+          @isFullwidth={{true}}
+          @selectedValue={{this.selectedAuth}}
+          @onChange={{action (mut this.selectedAuth)}}
+        />
+      {{/if}}
+      {{#if (or (eq this.selectedAuthBackend.type "jwt") (eq this.selectedAuthBackend.type "oidc"))}}
+        <AuthJwt
+          @onError={{action "handleError"}}
+          @onLoading={{action (mut this.isLoading)}}
+          @namespace={{this.namespace}}
+          @onNamespace={{action (mut this.namespace)}}
+          @onSubmit={{action "doSubmit"}}
+          @onRoleName={{action (mut this.roleName)}}
+          @roleName={{this.roleName}}
+          @selectedAuthType={{this.selectedAuthBackend.type}}
+          @selectedAuthPath={{or this.customPath this.selectedAuthBackend.id}}
+          @disabled={{or this.authenticate.isRunning this.isLoading}}
+        >
+          <AuthFormOptions
+            @customPath={{this.customPath}}
+            @onPathChange={{action (mut this.customPath)}}
+            @selectedAuthIsPath={{this.selectedAuthIsPath}}
+          />
+        </AuthJwt>
+      {{else if (eq this.selectedAuthBackend.type "saml")}}
+        <AuthSaml
+          @onError={{action "handleError"}}
+          @onLoading={{action (mut this.isLoading)}}
+          @namespace={{this.namespace}}
+          @onNamespace={{action (mut this.namespace)}}
+          @onSubmit={{action "doSubmit"}}
+          @onRoleName={{action (mut this.roleName)}}
+          @roleName={{this.roleName}}
+          @selectedAuthType={{this.selectedAuthBackend.type}}
+          @selectedAuthPath={{or this.customPath this.selectedAuthBackend.id}}
+          @disabled={{or this.authenticate.isRunning this.isLoading}}
+        >
+          <AuthFormOptions
+            @customPath={{this.customPath}}
+            @onPathChange={{action (mut this.customPath)}}
+            @selectedAuthIsPath={{this.selectedAuthIsPath}}
+          />
+        </AuthSaml>
+      {{else}}
+        <form id="auth-form" onsubmit={{action "doSubmit" null}}>
+          {{#if (eq this.providerName "github")}}
+            <div class="field">
+              <label for="token" class="is-label">GitHub token</label>
+              <div class="control">
+                <Input
+                  @type="password"
+                  @value={{this.token}}
+                  name="token"
+                  id="token"
+                  class="input"
+                  data-test-token={{true}}
+                  autocomplete="off"
+                  spellcheck="false"
+                />
+              </div>
+            </div>
+          {{else if (eq this.providerName "token")}}
+            <div class="field">
+              <label for="token" class="is-label">Token</label>
+              <div class="control">
+                <Input
+                  @type="password"
+                  @value={{this.token}}
+                  name="token"
+                  class="input"
+                  autocomplete="off"
+                  spellcheck="false"
+                  data-test-token={{true}}
+                />
+              </div>
+            </div>
+          {{else}}
+            <div class="field">
+              <label for="username" class="is-label">Username</label>
+              <div class="control">
+                <Input
+                  @value={{this.username}}
+                  name="username"
+                  id="username"
+                  class="input"
+                  autocomplete="off"
+                  spellcheck="false"
+                  data-test-username={{true}}
+                />
+              </div>
+            </div>
+            <div class="field">
+              <label for="password" class="is-label">Password</label>
+              <div class="control">
+                <Input
+                  @value={{this.password}}
+                  name="password"
+                  id="password"
+                  @type="password"
+                  class="input"
+                  autocomplete="off"
+                  spellcheck="false"
+                  data-test-password={{true}}
+                />
+              </div>
+            </div>
+          {{/if}}
+          {{#if (not-eq this.selectedAuthBackend.type "token")}}
+            <AuthFormOptions
+              @customPath={{this.customPath}}
+              @onPathChange={{action (mut this.customPath)}}
+              @selectedAuthIsPath={{this.selectedAuthIsPath}}
+            />
+          {{/if}}
+          <Hds::Button
+            @text="Sign in"
+            @icon={{if this.authenticate.isRunning "loading"}}
+            data-test-auth-submit={{true}}
+            type="submit"
+            disabled={{this.authenticate.isRunning}}
+            id="auth-submit"
+          />
+          {{#if (and this.delayAuthMessageReminder.isIdle this.showLoading)}}
+            <AlertInline
+              class="has-top-padding-s"
+              @type="info"
+              @message="If login takes longer than usual, you may need to check your device for an MFA notification, or contact your administrator if login times out."
+              data-test-auth-message="push"
+            />
+          {{/if}}
+        </form>
+      {{/if}}
+    </div>
+  {{/if}}
+</div>
\ No newline at end of file
diff --git a/command/agentproxyshared/cache/cacheboltdb/bolt_test.go b/command/agentproxyshared/cache/cacheboltdb/bolt_test.go
index dbfafdce7bb4..c58de16aba1b 100644
--- a/command/agentproxyshared/cache/cacheboltdb/bolt_test.go
+++ b/command/agentproxyshared/cache/cacheboltdb/bolt_test.go
@@ -1,400 +1,68 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package cacheboltdb
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"path"
-	"path/filepath"
-	"strings"
-	"testing"
-	"time"
-
-	"github.com/golang/protobuf/proto"
-	"github.com/hashicorp/go-hclog"
-	"github.com/hashicorp/vault/command/agentproxyshared/cache/keymanager"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	bolt "go.etcd.io/bbolt"
-)
-
-func getTestKeyManager(t *testing.T) keymanager.KeyManager {
-	t.Helper()
-
-	km, err := keymanager.NewPassthroughKeyManager(context.Background(), nil)
-	require.NoError(t, err)
-
-	return km
-}
-
-func TestBolt_SetGet(t *testing.T) {
-	ctx := context.Background()
-
-	path, err := os.MkdirTemp("", "bolt-test")
-	require.NoError(t, err)
-	defer os.RemoveAll(path)
-
-	b, err := NewBoltStorage(&BoltStorageConfig{
-		Path:    path,
-		Logger:  hclog.Default(),
-		Wrapper: getTestKeyManager(t).Wrapper(),
-	})
-	require.NoError(t, err)
-
-	secrets, err := b.GetByType(ctx, LeaseType)
-	assert.NoError(t, err)
-	require.Len(t, secrets, 0)
-
-	err = b.Set(ctx, "test1", []byte("hello"), LeaseType)
-	assert.NoError(t, err)
-	secrets, err = b.GetByType(ctx, LeaseType)
-	assert.NoError(t, err)
-	require.Len(t, secrets, 1)
-	assert.Equal(t, []byte("hello"), secrets[0])
-}
-
-func TestBoltDelete(t *testing.T) {
-	ctx := context.Background()
-
-	path, err := os.MkdirTemp("", "bolt-test")
-	require.NoError(t, err)
-	defer os.RemoveAll(path)
-
-	b, err := NewBoltStorage(&BoltStorageConfig{
-		Path:    path,
-		Logger:  hclog.Default(),
-		Wrapper: getTestKeyManager(t).Wrapper(),
-	})
-	require.NoError(t, err)
-
-	err = b.Set(ctx, "secret-test1", []byte("hello1"), LeaseType)
-	require.NoError(t, err)
-	err = b.Set(ctx, "secret-test2", []byte("hello2"), LeaseType)
-	require.NoError(t, err)
-
-	secrets, err := b.GetByType(ctx, LeaseType)
-	require.NoError(t, err)
-	assert.Len(t, secrets, 2)
-	assert.ElementsMatch(t, [][]byte{[]byte("hello1"), []byte("hello2")}, secrets)
-
-	err = b.Delete("secret-test1", LeaseType)
-	require.NoError(t, err)
-	secrets, err = b.GetByType(ctx, LeaseType)
-	require.NoError(t, err)
-	require.Len(t, secrets, 1)
-	assert.Equal(t, []byte("hello2"), secrets[0])
-}
-
-func TestBoltClear(t *testing.T) {
-	ctx := context.Background()
-
-	path, err := os.MkdirTemp("", "bolt-test")
-	require.NoError(t, err)
-	defer os.RemoveAll(path)
-
-	b, err := NewBoltStorage(&BoltStorageConfig{
-		Path:    path,
-		Logger:  hclog.Default(),
-		Wrapper: getTestKeyManager(t).Wrapper(),
-	})
-	require.NoError(t, err)
-
-	// Populate the bolt db
-	err = b.Set(ctx, "secret-test1", []byte("hello1"), LeaseType)
-	require.NoError(t, err)
-	secrets, err := b.GetByType(ctx, LeaseType)
-	require.NoError(t, err)
-	require.Len(t, secrets, 1)
-	assert.Equal(t, []byte("hello1"), secrets[0])
-
-	err = b.Set(ctx, "auth-test1", []byte("hello2"), LeaseType)
-	require.NoError(t, err)
-	auths, err := b.GetByType(ctx, LeaseType)
-	require.NoError(t, err)
-	require.Len(t, auths, 2)
-	assert.Equal(t, []byte("hello1"), auths[0])
-	assert.Equal(t, []byte("hello2"), auths[1])
-
-	err = b.Set(ctx, "token-test1", []byte("hello"), TokenType)
-	require.NoError(t, err)
-	tokens, err := b.GetByType(ctx, TokenType)
-	require.NoError(t, err)
-	require.Len(t, tokens, 1)
-	assert.Equal(t, []byte("hello"), tokens[0])
-
-	err = b.Set(ctx, "static-secret", []byte("hello"), StaticSecretType)
-	require.NoError(t, err)
-	staticSecrets, err := b.GetByType(ctx, StaticSecretType)
-	require.NoError(t, err)
-	require.Len(t, staticSecrets, 1)
-	assert.Equal(t, []byte("hello"), staticSecrets[0])
-
-	err = b.Set(ctx, "capabilities-index", []byte("hello"), TokenCapabilitiesType)
-	require.NoError(t, err)
-	capabilities, err := b.GetByType(ctx, TokenCapabilitiesType)
-	require.NoError(t, err)
-	require.Len(t, capabilities, 1)
-	assert.Equal(t, []byte("hello"), capabilities[0])
-
-	// Clear the bolt db, and check that it's indeed clear
-	err = b.Clear()
-	require.NoError(t, err)
-	auths, err = b.GetByType(ctx, LeaseType)
-	require.NoError(t, err)
-	assert.Len(t, auths, 0)
-	tokens, err = b.GetByType(ctx, TokenType)
-	require.NoError(t, err)
-	assert.Len(t, tokens, 0)
-	staticSecrets, err = b.GetByType(ctx, StaticSecretType)
-	require.NoError(t, err)
-	require.Len(t, staticSecrets, 0)
-	capabilities, err = b.GetByType(ctx, TokenCapabilitiesType)
-	require.NoError(t, err)
-	require.Len(t, capabilities, 0)
-}
-
-func TestBoltSetAutoAuthToken(t *testing.T) {
-	ctx := context.Background()
-
-	path, err := os.MkdirTemp("", "bolt-test")
-	require.NoError(t, err)
-	defer os.RemoveAll(path)
-
-	b, err := NewBoltStorage(&BoltStorageConfig{
-		Path:    path,
-		Logger:  hclog.Default(),
-		Wrapper: getTestKeyManager(t).Wrapper(),
-	})
-	require.NoError(t, err)
-
-	token, err := b.GetAutoAuthToken(ctx)
-	assert.NoError(t, err)
-	assert.Nil(t, token)
-
-	// set first token
-	err = b.Set(ctx, "token-test1", []byte("hello 1"), TokenType)
-	require.NoError(t, err)
-	secrets, err := b.GetByType(ctx, TokenType)
-	require.NoError(t, err)
-	require.Len(t, secrets, 1)
-	assert.Equal(t, []byte("hello 1"), secrets[0])
-	token, err = b.GetAutoAuthToken(ctx)
-	assert.NoError(t, err)
-	assert.Equal(t, []byte("hello 1"), token)
-
-	// set second token
-	err = b.Set(ctx, "token-test2", []byte("hello 2"), TokenType)
-	require.NoError(t, err)
-	secrets, err = b.GetByType(ctx, TokenType)
-	require.NoError(t, err)
-	require.Len(t, secrets, 2)
-	assert.ElementsMatch(t, [][]byte{[]byte("hello 1"), []byte("hello 2")}, secrets)
-	token, err = b.GetAutoAuthToken(ctx)
-	assert.NoError(t, err)
-	assert.Equal(t, []byte("hello 2"), token)
-}
-
-func TestDBFileExists(t *testing.T) {
-	testCases := []struct {
-		name        string
-		mkDir       bool
-		createFile  bool
-		expectExist bool
-	}{
-		{
-			name:        "all exists",
-			mkDir:       true,
-			createFile:  true,
-			expectExist: true,
-		},
-		{
-			name:        "dir exist, file missing",
-			mkDir:       true,
-			createFile:  false,
-			expectExist: false,
-		},
-		{
-			name:        "all missing",
-			mkDir:       false,
-			createFile:  false,
-			expectExist: false,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			var tmpPath string
-			var err error
-			if tc.mkDir {
-				tmpPath, err = os.MkdirTemp("", "test-db-path")
-				require.NoError(t, err)
-			}
-			if tc.createFile {
-				err = os.WriteFile(path.Join(tmpPath, DatabaseFileName), []byte("test-db-path"), 0o600)
-				require.NoError(t, err)
-			}
-			exists, err := DBFileExists(tmpPath)
-			assert.NoError(t, err)
-			assert.Equal(t, tc.expectExist, exists)
-		})
-	}
-}
-
-func Test_SetGetRetrievalToken(t *testing.T) {
-	testCases := []struct {
-		name          string
-		tokenToSet    []byte
-		expectedToken []byte
-	}{
-		{
-			name:          "normal set and get",
-			tokenToSet:    []byte("test token"),
-			expectedToken: []byte("test token"),
-		},
-		{
-			name:          "no token set",
-			tokenToSet:    nil,
-			expectedToken: nil,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			path, err := os.MkdirTemp("", "bolt-test")
-			require.NoError(t, err)
-			defer os.RemoveAll(path)
-
-			b, err := NewBoltStorage(&BoltStorageConfig{
-				Path:    path,
-				Logger:  hclog.Default(),
-				Wrapper: getTestKeyManager(t).Wrapper(),
-			})
-			require.NoError(t, err)
-			defer b.Close()
-
-			if tc.tokenToSet != nil {
-				err := b.StoreRetrievalToken(tc.tokenToSet)
-				require.NoError(t, err)
-			}
-			gotKey, err := b.GetRetrievalToken()
-			assert.NoError(t, err)
-			assert.Equal(t, tc.expectedToken, gotKey)
-		})
-	}
-}
-
-func TestBolt_MigrateFromV1ToV2Schema(t *testing.T) {
-	ctx := context.Background()
-
-	path, err := os.MkdirTemp("", "bolt-test")
-	require.NoError(t, err)
-	defer os.RemoveAll(path)
-
-	dbPath := filepath.Join(path, DatabaseFileName)
-	db, err := bolt.Open(dbPath, 0o600, &bolt.Options{Timeout: 1 * time.Second})
-	require.NoError(t, err)
-	err = db.Update(func(tx *bolt.Tx) error {
-		return createBoltSchema(tx, "1")
-	})
-	require.NoError(t, err)
-	b := &BoltStorage{
-		db:      db,
-		logger:  hclog.Default(),
-		wrapper: getTestKeyManager(t).Wrapper(),
-	}
-
-	// Manually insert some items into the v1 schema.
-	err = db.Update(func(tx *bolt.Tx) error {
-		blob, err := b.wrapper.Encrypt(ctx, []byte("ignored-contents"))
-		if err != nil {
-			return fmt.Errorf("error encrypting contents: %w", err)
-		}
-		protoBlob, err := proto.Marshal(blob)
-		if err != nil {
-			return err
-		}
-
-		if err := tx.Bucket([]byte(authLeaseType)).Put([]byte("test-auth-id-1"), protoBlob); err != nil {
-			return err
-		}
-		if err := tx.Bucket([]byte(authLeaseType)).Put([]byte("test-auth-id-2"), protoBlob); err != nil {
-			return err
-		}
-		if err := tx.Bucket([]byte(secretLeaseType)).Put([]byte("test-secret-id-1"), protoBlob); err != nil {
-			return err
-		}
-
-		return nil
-	})
-	require.NoError(t, err)
-
-	// Check we have the contents we would expect for the v1 schema.
-	leases, err := b.GetByType(ctx, authLeaseType)
-	require.NoError(t, err)
-	assert.Len(t, leases, 2)
-	leases, err = b.GetByType(ctx, secretLeaseType)
-	require.NoError(t, err)
-	assert.Len(t, leases, 1)
-	leases, err = b.GetByType(ctx, LeaseType)
-	require.Error(t, err)
-	assert.True(t, strings.Contains(err.Error(), "not found"))
-
-	// Now migrate to the v2 schema.
-	err = db.Update(migrateFromV1ToV2Schema)
-	require.NoError(t, err)
-
-	// Check all the leases have been migrated into one bucket.
-	leases, err = b.GetByType(ctx, authLeaseType)
-	require.Error(t, err)
-	assert.True(t, strings.Contains(err.Error(), "not found"))
-	leases, err = b.GetByType(ctx, secretLeaseType)
-	require.Error(t, err)
-	assert.True(t, strings.Contains(err.Error(), "not found"))
-	leases, err = b.GetByType(ctx, LeaseType)
-	require.NoError(t, err)
-	assert.Len(t, leases, 3)
-}
-
-func TestBolt_MigrateFromInvalidToV2Schema(t *testing.T) {
-	ctx := context.Background()
-
-	path, err := os.MkdirTemp("", "bolt-test")
-	require.NoError(t, err)
-	defer os.RemoveAll(path)
-
-	dbPath := filepath.Join(path, DatabaseFileName)
-	db, err := bolt.Open(dbPath, 0o600, &bolt.Options{Timeout: 1 * time.Second})
-	require.NoError(t, err)
-	b := &BoltStorage{
-		db:      db,
-		logger:  hclog.Default(),
-		wrapper: getTestKeyManager(t).Wrapper(),
-	}
-
-	// All GetByType calls should fail as there's no schema
-	for _, bucket := range []string{authLeaseType, secretLeaseType, LeaseType} {
-		_, err = b.GetByType(ctx, bucket)
-		require.Error(t, err)
-		assert.True(t, strings.Contains(err.Error(), "not found"))
-	}
-
-	// Now migrate to the v2 schema.
-	err = db.Update(migrateFromV1ToV2Schema)
-	require.NoError(t, err)
-
-	// Deprecated auth and secret lease buckets still shouldn't exist
-	// All GetByType calls should fail as there's no schema
-	for _, bucket := range []string{authLeaseType, secretLeaseType} {
-		_, err = b.GetByType(ctx, bucket)
-		require.Error(t, err)
-		assert.True(t, strings.Contains(err.Error(), "not found"))
-	}
-
-	// GetByType for LeaseType should now return an empty result
-	leases, err := b.GetByType(ctx, LeaseType)
-	require.NoError(t, err)
-	require.Len(t, leases, 0)
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<form id="auth-form" {{on "submit" (action "signIn")}}>
+  <div class="field">
+    <label for="role" class="is-label">Role</label>
+    <div class="control">
+      <input
+        value={{this.roleName}}
+        placeholder="Default"
+        autocomplete="off"
+        spellcheck="false"
+        name="role"
+        id="role"
+        class="input"
+        type="text"
+        {{on "input" (action "onRoleChange")}}
+        data-test-role
+      />
+    </div>
+    <AlertInline
+      class="has-top-padding-s"
+      @type="info"
+      @message="Leave blank to sign in with the default role if one is configured"
+    />
+  </div>
+  {{#unless this.isOIDC}}
+    <div class="field">
+      <label for="token" class="is-label">JWT Token</label>
+      <div class="control">
+        <Input
+          @type="password"
+          @value={{this.jwt}}
+          name="jwt"
+          class="input"
+          autocomplete="off"
+          spellcheck="false"
+          data-test-jwt={{true}}
+        />
+      </div>
+    </div>
+  {{/unless}}
+  <div data-test-yield-content>
+    {{yield}}
+  </div>
+
+  {{#if this.isOIDC}}
+    <Hds::Button
+      @text={{concat "Sign in with " (or this.role.providerName "OIDC Provider")}}
+      @icon={{if @disabled "loading" this.role.providerIcon}}
+      data-test-auth-submit
+      type="submit"
+      disabled={{@disabled}}
+      id="auth-submit"
+    />
+  {{else}}
+    <Hds::Button
+      @text="Sign in"
+      @icon={{if @disabled "loading"}}
+      data-test-auth-submit
+      type="submit"
+      disabled={{@disabled}}
+      id="auth-submit"
+    />
+  {{/if}}
+</form>
\ No newline at end of file
diff --git a/command/agentproxyshared/cache/lease_cache.go b/command/agentproxyshared/cache/lease_cache.go
index 1b6dcc1e1147..ec455509f736 100644
--- a/command/agentproxyshared/cache/lease_cache.go
+++ b/command/agentproxyshared/cache/lease_cache.go
@@ -1,1753 +1,1300 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package cache
-
-import (
-	"bufio"
-	"bytes"
-	"context"
-	"encoding/hex"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"net/http"
-	"net/url"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/hashicorp/go-hclog"
-	"github.com/hashicorp/go-multierror"
-	"github.com/hashicorp/go-secure-stdlib/base62"
-	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/command/agentproxyshared/cache/cacheboltdb"
-	"github.com/hashicorp/vault/command/agentproxyshared/cache/cachememdb"
-	"github.com/hashicorp/vault/helper/namespace"
-	nshelper "github.com/hashicorp/vault/helper/namespace"
-	vaulthttp "github.com/hashicorp/vault/http"
-	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/hashicorp/vault/sdk/helper/cryptoutil"
-	"github.com/hashicorp/vault/sdk/helper/jsonutil"
-	"github.com/hashicorp/vault/sdk/helper/locksutil"
-	"github.com/hashicorp/vault/sdk/logical"
-	gocache "github.com/patrickmn/go-cache"
-	"go.uber.org/atomic"
-)
-
-const (
-	vaultPathTokenCreate         = "/v1/auth/token/create"
-	vaultPathTokenRevoke         = "/v1/auth/token/revoke"
-	vaultPathTokenRevokeSelf     = "/v1/auth/token/revoke-self"
-	vaultPathTokenRevokeAccessor = "/v1/auth/token/revoke-accessor"
-	vaultPathTokenRevokeOrphan   = "/v1/auth/token/revoke-orphan"
-	vaultPathTokenLookup         = "/v1/auth/token/lookup"
-	vaultPathTokenLookupSelf     = "/v1/auth/token/lookup-self"
-	vaultPathTokenRenew          = "/v1/auth/token/renew"
-	vaultPathTokenRenewSelf      = "/v1/auth/token/renew-self"
-	vaultPathLeaseRevoke         = "/v1/sys/leases/revoke"
-	vaultPathLeaseRevokeForce    = "/v1/sys/leases/revoke-force"
-	vaultPathLeaseRevokePrefix   = "/v1/sys/leases/revoke-prefix"
-)
-
-var (
-	contextIndexID  = contextIndex{}
-	errInvalidType  = errors.New("invalid type provided")
-	revocationPaths = []string{
-		strings.TrimPrefix(vaultPathTokenRevoke, "/v1"),
-		strings.TrimPrefix(vaultPathTokenRevokeSelf, "/v1"),
-		strings.TrimPrefix(vaultPathTokenRevokeAccessor, "/v1"),
-		strings.TrimPrefix(vaultPathTokenRevokeOrphan, "/v1"),
-		strings.TrimPrefix(vaultPathLeaseRevoke, "/v1"),
-		strings.TrimPrefix(vaultPathLeaseRevokeForce, "/v1"),
-		strings.TrimPrefix(vaultPathLeaseRevokePrefix, "/v1"),
-	}
-)
-
-type contextIndex struct{}
-
-type cacheClearRequest struct {
-	Type      string `json:"type"`
-	Value     string `json:"value"`
-	Namespace string `json:"namespace"`
-}
-
-// LeaseCache is an implementation of Proxier that handles
-// the caching of responses. It passes the incoming request
-// to an underlying Proxier implementation.
-type LeaseCache struct {
-	client      *api.Client
-	proxier     Proxier
-	logger      hclog.Logger
-	db          *cachememdb.CacheMemDB
-	baseCtxInfo *cachememdb.ContextInfo
-	l           *sync.RWMutex
-
-	// userAgentToUse is the user agent to use when making independent requests
-	// to Vault.
-	userAgentToUse string
-
-	// idLocks is used during cache lookup to ensure that identical requests made
-	// in parallel won't trigger multiple renewal goroutines.
-	idLocks []*locksutil.LockEntry
-
-	// inflightCache keeps track of inflight requests
-	inflightCache *gocache.Cache
-
-	// ps is the persistent storage for tokens and leases
-	ps *cacheboltdb.BoltStorage
-
-	// shuttingDown is used to determine if cache needs to be evicted or not
-	// when the context is cancelled
-	shuttingDown atomic.Bool
-
-	// cacheStaticSecrets is used to determine if the cache should also
-	// cache static secrets, as well as dynamic secrets.
-	cacheStaticSecrets bool
-
-	// cacheDynamicSecrets is used to determine if the cache should
-	// cache dynamic secrets
-	cacheDynamicSecrets bool
-
-	// capabilityManager is used when static secrets are enabled to
-	// manage the capabilities of cached tokens.
-	capabilityManager *StaticSecretCapabilityManager
-}
-
-// LeaseCacheConfig is the configuration for initializing a new
-// LeaseCache.
-type LeaseCacheConfig struct {
-	Client              *api.Client
-	BaseContext         context.Context
-	Proxier             Proxier
-	Logger              hclog.Logger
-	UserAgentToUse      string
-	Storage             *cacheboltdb.BoltStorage
-	CacheStaticSecrets  bool
-	CacheDynamicSecrets bool
-}
-
-type inflightRequest struct {
-	// ch is closed by the request that ends up processing the set of
-	// parallel request
-	ch chan struct{}
-
-	// remaining is the number of remaining inflight request that needs to
-	// be processed before this object can be cleaned up
-	remaining *atomic.Uint64
-}
-
-func newInflightRequest() *inflightRequest {
-	return &inflightRequest{
-		ch:        make(chan struct{}),
-		remaining: atomic.NewUint64(0),
-	}
-}
-
-// NewLeaseCache creates a new instance of a LeaseCache.
-func NewLeaseCache(conf *LeaseCacheConfig) (*LeaseCache, error) {
-	if conf == nil {
-		return nil, errors.New("nil configuration provided")
-	}
-
-	if conf.Proxier == nil || conf.Logger == nil {
-		return nil, fmt.Errorf("missing configuration required params: %v", conf)
-	}
-
-	if conf.Client == nil {
-		return nil, fmt.Errorf("nil API client")
-	}
-
-	if conf.UserAgentToUse == "" {
-		return nil, fmt.Errorf("no user agent specified -- see useragent.go")
-	}
-
-	db, err := cachememdb.New()
-	if err != nil {
-		return nil, err
-	}
-
-	// Create a base context for the lease cache layer
-	baseCtxInfo := cachememdb.NewContextInfo(conf.BaseContext)
-
-	return &LeaseCache{
-		client:              conf.Client,
-		proxier:             conf.Proxier,
-		logger:              conf.Logger,
-		userAgentToUse:      conf.UserAgentToUse,
-		db:                  db,
-		baseCtxInfo:         baseCtxInfo,
-		l:                   &sync.RWMutex{},
-		idLocks:             locksutil.CreateLocks(),
-		inflightCache:       gocache.New(gocache.NoExpiration, gocache.NoExpiration),
-		ps:                  conf.Storage,
-		cacheStaticSecrets:  conf.CacheStaticSecrets,
-		cacheDynamicSecrets: conf.CacheDynamicSecrets,
-	}, nil
-}
-
-// SetCapabilityManager is a setter for CapabilityManager. If set, will manage capabilities
-// for capability indexes.
-func (c *LeaseCache) SetCapabilityManager(capabilityManager *StaticSecretCapabilityManager) {
-	c.capabilityManager = capabilityManager
-}
-
-// SetShuttingDown is a setter for the shuttingDown field
-func (c *LeaseCache) SetShuttingDown(in bool) {
-	c.shuttingDown.Store(in)
-
-	// Since we're shutting down, also stop the capability manager's jobs.
-	// We can do this forcibly since no there's no reason to update
-	// the cache when we're shutting down.
-	if c.capabilityManager != nil {
-		c.capabilityManager.Stop()
-	}
-}
-
-// SetPersistentStorage is a setter for the persistent storage field in
-// LeaseCache
-func (c *LeaseCache) SetPersistentStorage(storageIn *cacheboltdb.BoltStorage) {
-	c.ps = storageIn
-}
-
-// PersistentStorage is a getter for the persistent storage field in
-// LeaseCache
-func (c *LeaseCache) PersistentStorage() *cacheboltdb.BoltStorage {
-	return c.ps
-}
-
-// checkCacheForDynamicSecretRequest checks the cache for a particular request based on its
-// computed ID. It returns a non-nil *SendResponse if an entry is found.
-func (c *LeaseCache) checkCacheForDynamicSecretRequest(id string) (*SendResponse, error) {
-	return c.checkCacheForRequest(id, nil)
-}
-
-// checkCacheForStaticSecretRequest checks the cache for a particular request based on its
-// computed ID. It returns a non-nil *SendResponse if an entry is found.
-// If a request is provided, it will validate that the token is allowed to retrieve this
-// cache entry, and return nil if it isn't. It will also evict the cache if this is a non-GET
-// request.
-func (c *LeaseCache) checkCacheForStaticSecretRequest(id string, req *SendRequest) (*SendResponse, error) {
-	return c.checkCacheForRequest(id, req)
-}
-
-// checkCacheForRequest checks the cache for a particular request based on its
-// computed ID. It returns a non-nil *SendResponse if an entry is found.
-// If a token is provided, it will validate that the token is allowed to retrieve this
-// cache entry, and return nil if it isn't.
-func (c *LeaseCache) checkCacheForRequest(id string, req *SendRequest) (*SendResponse, error) {
-	index, err := c.db.Get(cachememdb.IndexNameID, id)
-	if errors.Is(err, cachememdb.ErrCacheItemNotFound) {
-		return nil, nil
-	}
-	if err != nil {
-		return nil, err
-	}
-
-	index.IndexLock.RLock()
-	defer index.IndexLock.RUnlock()
-
-	var token string
-	if req != nil {
-		// Req will be non-nil if we're checking for a static secret.
-		// Token might still be "" if it's going to an unauthenticated
-		// endpoint, or similar. For static secrets, we only care about
-		// requests with tokens attached, as KV is authenticated.
-		token = req.Token
-	}
-
-	if token != "" {
-		// We are checking for a static secret. We need to ensure that this token
-		// has previously demonstrated access to this static secret.
-		// We could check the capabilities cache here, but since these
-		// indexes should be in sync, this saves us an extra cache get.
-		if _, ok := index.Tokens[token]; !ok {
-			// We don't have access to this static secret, so
-			// we do not return the cached response.
-			return nil, nil
-		}
-	}
-
-	// Cached request is found, deserialize the response
-	reader := bufio.NewReader(bytes.NewReader(index.Response))
-	resp, err := http.ReadResponse(reader, nil)
-	if err != nil {
-		c.logger.Error("failed to deserialize response", "error", err)
-		return nil, err
-	}
-
-	sendResp, err := NewSendResponse(&api.Response{Response: resp}, index.Response)
-	if err != nil {
-		c.logger.Error("failed to create new send response", "error", err)
-		return nil, err
-	}
-	sendResp.CacheMeta.Hit = true
-
-	respTime, err := http.ParseTime(resp.Header.Get("Date"))
-	if err != nil {
-		c.logger.Error("failed to parse cached response date", "error", err)
-		return nil, err
-	}
-	sendResp.CacheMeta.Age = time.Now().Sub(respTime)
-
-	return sendResp, nil
-}
-
-// Send performs a cache lookup on the incoming request. If it's a cache hit,
-// it will return the cached response, otherwise it will delegate to the
-// underlying Proxier and cache the received response.
-func (c *LeaseCache) Send(ctx context.Context, req *SendRequest) (*SendResponse, error) {
-	// Compute the index ID for both static and dynamic secrets.
-	// The primary difference is that for dynamic secrets, the
-	// Vault token forms part of the index.
-	dynamicSecretCacheId, err := computeIndexID(req)
-	if err != nil {
-		c.logger.Error("failed to compute cache key", "error", err)
-		return nil, err
-	}
-	staticSecretCacheId := computeStaticSecretCacheIndex(req)
-
-	// Check the inflight cache to see if there are other inflight requests
-	// of the same kind, based on the computed ID. If so, we increment a counter
-
-	// Note: we lock both the dynamic secret cache ID and the static secret cache ID
-	// as at this stage, we don't know what kind of secret it is.
-	var inflight *inflightRequest
-
-	defer func() {
-		// Cleanup on the cache if there are no remaining inflight requests.
-		// This is the last step, so we defer the call first
-		if inflight != nil && inflight.remaining.Load() == 0 {
-			c.inflightCache.Delete(dynamicSecretCacheId)
-			if staticSecretCacheId != "" {
-				c.inflightCache.Delete(staticSecretCacheId)
-			}
-		}
-	}()
-
-	idLockDynamicSecret := locksutil.LockForKey(c.idLocks, dynamicSecretCacheId)
-
-	// Briefly grab an ID-based lock in here to emulate a load-or-store behavior
-	// and prevent concurrent cacheable requests from being proxied twice if
-	// they both miss the cache due to it being clean when peeking the cache
-	// entry.
-	idLockDynamicSecret.Lock()
-	inflightRaw, found := c.inflightCache.Get(dynamicSecretCacheId)
-	if found {
-		idLockDynamicSecret.Unlock()
-		inflight = inflightRaw.(*inflightRequest)
-		inflight.remaining.Inc()
-		defer inflight.remaining.Dec()
-
-		// If found it means that there's an inflight request being processed.
-		// We wait until that's finished before proceeding further.
-		select {
-		case <-ctx.Done():
-			return nil, ctx.Err()
-		case <-inflight.ch:
-		}
-	} else {
-		if inflight == nil {
-			inflight = newInflightRequest()
-			inflight.remaining.Inc()
-			defer inflight.remaining.Dec()
-			defer close(inflight.ch)
-		}
-
-		c.inflightCache.Set(dynamicSecretCacheId, inflight, gocache.NoExpiration)
-		idLockDynamicSecret.Unlock()
-	}
-
-	if staticSecretCacheId != "" {
-		idLockStaticSecret := locksutil.LockForKey(c.idLocks, staticSecretCacheId)
-
-		// Briefly grab an ID-based lock in here to emulate a load-or-store behavior
-		// and prevent concurrent cacheable requests from being proxied twice if
-		// they both miss the cache due to it being clean when peeking the cache
-		// entry.
-		idLockStaticSecret.Lock()
-		inflightRaw, found = c.inflightCache.Get(staticSecretCacheId)
-		if found {
-			idLockStaticSecret.Unlock()
-			inflight = inflightRaw.(*inflightRequest)
-			inflight.remaining.Inc()
-			defer inflight.remaining.Dec()
-
-			// If found it means that there's an inflight request being processed.
-			// We wait until that's finished before proceeding further.
-			select {
-			case <-ctx.Done():
-				return nil, ctx.Err()
-			case <-inflight.ch:
-			}
-		} else {
-			if inflight == nil {
-				inflight = newInflightRequest()
-				inflight.remaining.Inc()
-				defer inflight.remaining.Dec()
-				defer close(inflight.ch)
-			}
-
-			c.inflightCache.Set(staticSecretCacheId, inflight, gocache.NoExpiration)
-			idLockStaticSecret.Unlock()
-		}
-	}
-
-	// Check if the response for this request is already in the dynamic secret cache
-	cachedResp, err := c.checkCacheForDynamicSecretRequest(dynamicSecretCacheId)
-	if err != nil {
-		return nil, err
-	}
-	if cachedResp != nil {
-		c.logger.Debug("returning cached response", "path", req.Request.URL.Path)
-		return cachedResp, nil
-	}
-
-	// Check if the response for this request is already in the static secret cache
-	if staticSecretCacheId != "" && req.Request.Method == http.MethodGet {
-		cachedResp, err = c.checkCacheForStaticSecretRequest(staticSecretCacheId, req)
-		if err != nil {
-			return nil, err
-		}
-		if cachedResp != nil {
-			c.logger.Debug("returning cached response", "id", staticSecretCacheId, "path", req.Request.URL.Path)
-			return cachedResp, nil
-		}
-	}
-
-	c.logger.Debug("forwarding request from cache", "method", req.Request.Method, "path", req.Request.URL.Path)
-
-	// Pass the request down and get a response
-	resp, err := c.proxier.Send(ctx, req)
-	if err != nil {
-		return resp, err
-	}
-
-	// If this is a non-2xx or if the returned response does not contain JSON payload,
-	// we skip caching
-	if resp.Response.StatusCode >= 300 || resp.Response.Header.Get("Content-Type") != "application/json" {
-		return resp, err
-	}
-
-	// Get the namespace from the request header
-	namespace := req.Request.Header.Get(consts.NamespaceHeaderName)
-	// We need to populate an empty value since go-memdb will skip over indexes
-	// that contain empty values.
-	if namespace == "" {
-		namespace = "root/"
-	}
-
-	// Build the index to cache based on the response received
-	index := &cachememdb.Index{
-		Namespace:   namespace,
-		RequestPath: req.Request.URL.Path,
-		LastRenewed: time.Now().UTC(),
-	}
-
-	secret, err := api.ParseSecret(bytes.NewReader(resp.ResponseBody))
-	if err != nil {
-		c.logger.Error("failed to parse response as secret", "error", err)
-		return nil, err
-	}
-
-	isRevocation, err := c.handleRevocationRequest(ctx, req, resp)
-	if err != nil {
-		c.logger.Error("failed to process the response", "error", err)
-		return nil, err
-	}
-
-	// If this is a revocation request, do not go through cache logic.
-	if isRevocation {
-		return resp, nil
-	}
-
-	// Fast path for responses with no secrets
-	if secret == nil {
-		c.logger.Debug("pass-through response; no secret in response", "method", req.Request.Method, "path", req.Request.URL.Path)
-		return resp, nil
-	}
-
-	// There shouldn't be a situation where secret.MountType == "kv" and
-	// staticSecretCacheId == "", but just in case.
-	// We restrict this to GETs as those are all we want to cache.
-	if c.cacheStaticSecrets && secret.MountType == "kv" &&
-		staticSecretCacheId != "" && req.Request.Method == http.MethodGet {
-		index.Type = cacheboltdb.StaticSecretType
-		index.ID = staticSecretCacheId
-		// We set the request path to be the canonical static secret path, so that
-		// two differently shaped (but equivalent) requests to the same path
-		// will be the same.
-		// This differs slightly from dynamic secrets, where the /v1/ will be
-		// included in the request path.
-		index.RequestPath = getStaticSecretPathFromRequest(req)
-
-		err := c.cacheStaticSecret(ctx, req, resp, index)
-		if err != nil {
-			return nil, err
-		}
-		return resp, nil
-	} else {
-		// Since it's not a static secret, set the ID to be the dynamic id
-		index.ID = dynamicSecretCacheId
-	}
-
-	// Short-circuit if we've been configured to not cache dynamic secrets
-	if !c.cacheDynamicSecrets {
-		return resp, nil
-	}
-
-	// Short-circuit if the secret is not renewable
-	tokenRenewable, err := secret.TokenIsRenewable()
-	if err != nil {
-		c.logger.Error("failed to parse renewable param", "error", err)
-		return nil, err
-	}
-	if !secret.Renewable && !tokenRenewable {
-		c.logger.Debug("pass-through response; secret not renewable", "method", req.Request.Method, "path", req.Request.URL.Path)
-		return resp, nil
-	}
-
-	var renewCtxInfo *cachememdb.ContextInfo
-	switch {
-	case secret.LeaseID != "":
-		c.logger.Debug("processing lease response", "method", req.Request.Method, "path", req.Request.URL.Path)
-		entry, err := c.db.Get(cachememdb.IndexNameToken, req.Token)
-		if errors.Is(err, cachememdb.ErrCacheItemNotFound) {
-			// If the lease belongs to a token that is not managed by the lease cache,
-			// return the response without caching it.
-			c.logger.Debug("pass-through lease response; token not managed by lease cache", "method", req.Request.Method, "path", req.Request.URL.Path)
-			return resp, nil
-		}
-		if err != nil {
-			return nil, err
-		}
-
-		// Derive a context for renewal using the token's context
-		renewCtxInfo = cachememdb.NewContextInfo(entry.RenewCtxInfo.Ctx)
-
-		index.Lease = secret.LeaseID
-		index.LeaseToken = req.Token
-
-		index.Type = cacheboltdb.LeaseType
-
-	case secret.Auth != nil:
-		c.logger.Debug("processing auth response", "method", req.Request.Method, "path", req.Request.URL.Path)
-
-		// Check if this token creation request resulted in a non-orphan token, and if so
-		// correctly set the parentCtx to the request's token context.
-		var parentCtx context.Context
-		if !secret.Auth.Orphan {
-			entry, err := c.db.Get(cachememdb.IndexNameToken, req.Token)
-			if errors.Is(err, cachememdb.ErrCacheItemNotFound) {
-				// If the lease belongs to a token that is not managed by the lease cache,
-				// return the response without caching it.
-				c.logger.Debug("pass-through lease response; parent token not managed by lease cache", "method", req.Request.Method, "path", req.Request.URL.Path)
-				return resp, nil
-			}
-			if err != nil {
-				return nil, err
-			}
-
-			c.logger.Debug("setting parent context", "method", req.Request.Method, "path", req.Request.URL.Path)
-			parentCtx = entry.RenewCtxInfo.Ctx
-
-			index.TokenParent = req.Token
-		}
-
-		renewCtxInfo = c.createCtxInfo(parentCtx)
-		index.Token = secret.Auth.ClientToken
-		index.TokenAccessor = secret.Auth.Accessor
-
-		index.Type = cacheboltdb.LeaseType
-
-	default:
-		// We shouldn't be hitting this, but will err on the side of caution and
-		// simply proxy.
-		c.logger.Debug("pass-through response; secret without lease and token", "method", req.Request.Method, "path", req.Request.URL.Path)
-		return resp, nil
-	}
-
-	// Serialize the response to store it in the cached index
-	var respBytes bytes.Buffer
-	err = resp.Response.Write(&respBytes)
-	if err != nil {
-		c.logger.Error("failed to serialize response", "error", err)
-		return nil, err
-	}
-
-	// Reset the response body for upper layers to read
-	if resp.Response.Body != nil {
-		resp.Response.Body.Close()
-	}
-	resp.Response.Body = io.NopCloser(bytes.NewReader(resp.ResponseBody))
-
-	// Set the index's Response
-	index.Response = respBytes.Bytes()
-
-	// Store the index ID in the lifetimewatcher context
-	renewCtx := context.WithValue(renewCtxInfo.Ctx, contextIndexID, index.ID)
-
-	// Store the lifetime watcher context in the index
-	index.RenewCtxInfo = &cachememdb.ContextInfo{
-		Ctx:        renewCtx,
-		CancelFunc: renewCtxInfo.CancelFunc,
-		DoneCh:     renewCtxInfo.DoneCh,
-	}
-
-	// Add extra information necessary for restoring from persisted cache
-	index.RequestMethod = req.Request.Method
-	index.RequestToken = req.Token
-	index.RequestHeader = req.Request.Header
-
-	if index.Type != cacheboltdb.StaticSecretType {
-		// Store the index in the cache
-		c.logger.Debug("storing dynamic secret response into the cache", "method", req.Request.Method, "path", req.Request.URL.Path, "id", index.ID)
-		err = c.Set(ctx, index)
-		if err != nil {
-			c.logger.Error("failed to cache the proxied response", "error", err)
-			return nil, err
-		}
-
-		// Start renewing the secret in the response
-		go c.startRenewing(renewCtx, index, req, secret)
-	}
-
-	return resp, nil
-}
-
-func (c *LeaseCache) cacheStaticSecret(ctx context.Context, req *SendRequest, resp *SendResponse, index *cachememdb.Index) error {
-	// If a cached version of this secret exists, we now have access, so
-	// we don't need to re-cache, just update index.Tokens
-	indexFromCache, err := c.db.Get(cachememdb.IndexNameID, index.ID)
-	if err != nil && err != cachememdb.ErrCacheItemNotFound {
-		return err
-	}
-
-	// The index already exists, so all we need to do is add our token
-	// to the index's allowed token list, then re-store it.
-	if indexFromCache != nil {
-		// We must hold a lock for the index while it's being updated.
-		// We keep the two locking mechanisms distinct, so that it's only writes
-		// that have to be serial.
-		indexFromCache.IndexLock.Lock()
-		defer indexFromCache.IndexLock.Unlock()
-		indexFromCache.Tokens[req.Token] = struct{}{}
-
-		return c.storeStaticSecretIndex(ctx, req, indexFromCache)
-	}
-
-	// Serialize the response to store it in the cached index
-	var respBytes bytes.Buffer
-	err = resp.Response.Write(&respBytes)
-	if err != nil {
-		c.logger.Error("failed to serialize response", "error", err)
-		return err
-	}
-
-	// Reset the response body for upper layers to read
-	if resp.Response.Body != nil {
-		resp.Response.Body.Close()
-	}
-	resp.Response.Body = io.NopCloser(bytes.NewReader(resp.ResponseBody))
-
-	// Set the index's Response
-	index.Response = respBytes.Bytes()
-
-	// Initialize the token map and add this token to it.
-	index.Tokens = map[string]struct{}{req.Token: {}}
-
-	// Set the index type
-	index.Type = cacheboltdb.StaticSecretType
-
-	return c.storeStaticSecretIndex(ctx, req, index)
-}
-
-func (c *LeaseCache) storeStaticSecretIndex(ctx context.Context, req *SendRequest, index *cachememdb.Index) error {
-	// Store the index in the cache
-	c.logger.Debug("storing static secret response into the cache", "method", req.Request.Method, "path", req.Request.URL.Path, "id", index.ID)
-	err := c.Set(ctx, index)
-	if err != nil {
-		c.logger.Error("failed to cache the proxied response", "error", err)
-		return err
-	}
-
-	capabilitiesIndex, created, err := c.retrieveOrCreateTokenCapabilitiesEntry(req.Token)
-	if err != nil {
-		c.logger.Error("failed to cache the proxied response", "error", err)
-		return err
-	}
-
-	path := getStaticSecretPathFromRequest(req)
-
-	// Extra caution -- avoid potential nil
-	if capabilitiesIndex.ReadablePaths == nil {
-		capabilitiesIndex.ReadablePaths = make(map[string]struct{})
-	}
-
-	// update the index with the new capability:
-	capabilitiesIndex.ReadablePaths[path] = struct{}{}
-
-	err = c.SetCapabilitiesIndex(ctx, capabilitiesIndex)
-	if err != nil {
-		c.logger.Error("failed to cache token capabilities as part of caching the proxied response", "error", err)
-		return err
-	}
-
-	// Lastly, ensure that we start renewing this index, if it's  new.
-	// We require the 'created' check so that we don't renew the same
-	// index multiple times.
-	if c.capabilityManager != nil && created {
-		c.capabilityManager.StartRenewingCapabilities(capabilitiesIndex)
-	}
-
-	return nil
-}
-
-// retrieveOrCreateTokenCapabilitiesEntry will either retrieve the token
-// capabilities entry from the cache, or create a new, empty one.
-// The bool represents if a new token capability has been created.
-func (c *LeaseCache) retrieveOrCreateTokenCapabilitiesEntry(token string) (*cachememdb.CapabilitiesIndex, bool, error) {
-	// The index ID is a hash of the token.
-	indexId := hashStaticSecretIndex(token)
-	indexFromCache, err := c.db.GetCapabilitiesIndex(cachememdb.IndexNameID, indexId)
-	if err != nil && err != cachememdb.ErrCacheItemNotFound {
-		return nil, false, err
-	}
-
-	if indexFromCache != nil {
-		return indexFromCache, false, nil
-	}
-
-	// Build the index to cache based on the response received
-	index := &cachememdb.CapabilitiesIndex{
-		ID:            indexId,
-		Token:         token,
-		ReadablePaths: make(map[string]struct{}),
-	}
-
-	return index, true, nil
-}
-
-func (c *LeaseCache) createCtxInfo(ctx context.Context) *cachememdb.ContextInfo {
-	if ctx == nil {
-		c.l.RLock()
-		ctx = c.baseCtxInfo.Ctx
-		c.l.RUnlock()
-	}
-	return cachememdb.NewContextInfo(ctx)
-}
-
-func (c *LeaseCache) startRenewing(ctx context.Context, index *cachememdb.Index, req *SendRequest, secret *api.Secret) {
-	defer func() {
-		id := ctx.Value(contextIndexID).(string)
-		if c.shuttingDown.Load() {
-			c.logger.Trace("not evicting index from cache during shutdown", "id", id, "method", req.Request.Method, "path", req.Request.URL.Path)
-			return
-		}
-		c.logger.Debug("evicting index from cache", "id", id, "method", req.Request.Method, "path", req.Request.URL.Path)
-		err := c.Evict(index)
-		if err != nil {
-			c.logger.Error("failed to evict index", "id", id, "error", err)
-			return
-		}
-	}()
-
-	client, err := c.client.Clone()
-	if err != nil {
-		c.logger.Error("failed to create API client in the lifetime watcher", "error", err)
-		return
-	}
-	client.SetToken(req.Token)
-
-	headers := client.Headers()
-	if headers == nil {
-		headers = make(http.Header)
-	}
-
-	// We do not preserve any initial User-Agent here since these requests are from
-	// the proxy subsystem, but are made by the lease cache's lifetime watcher,
-	// not triggered by a specific request.
-	headers.Set("User-Agent", c.userAgentToUse)
-	client.SetHeaders(headers)
-
-	watcher, err := client.NewLifetimeWatcher(&api.LifetimeWatcherInput{
-		Secret: secret,
-	})
-	if err != nil {
-		c.logger.Error("failed to create secret lifetime watcher", "error", err)
-		return
-	}
-
-	c.logger.Debug("initiating renewal", "method", req.Request.Method, "path", req.Request.URL.Path)
-	go watcher.Start()
-	defer watcher.Stop()
-
-	for {
-		select {
-		case <-ctx.Done():
-			// This is the case which captures context cancellations from token
-			// and leases. Since all the contexts are derived from the agent's
-			// context, this will also cover the shutdown scenario.
-			c.logger.Debug("context cancelled; stopping lifetime watcher", "path", req.Request.URL.Path)
-			return
-		case err := <-watcher.DoneCh():
-			// This case covers renewal completion and renewal errors
-			if err != nil {
-				c.logger.Error("failed to renew secret", "error", err)
-				return
-			}
-			c.logger.Debug("renewal halted; evicting from cache", "path", req.Request.URL.Path)
-			return
-		case <-watcher.RenewCh():
-			c.logger.Debug("secret renewed", "path", req.Request.URL.Path)
-			if c.ps != nil {
-				if err := c.updateLastRenewed(ctx, index, time.Now().UTC()); err != nil {
-					c.logger.Warn("not able to update lastRenewed time for cached index", "id", index.ID)
-				}
-			}
-		case <-index.RenewCtxInfo.DoneCh:
-			// This case indicates the renewal process to shutdown and evict
-			// the cache entry. This is triggered when a specific secret
-			// renewal needs to be killed without affecting any of the derived
-			// context renewals.
-			c.logger.Debug("done channel closed")
-			return
-		}
-	}
-}
-
-func (c *LeaseCache) updateLastRenewed(ctx context.Context, index *cachememdb.Index, t time.Time) error {
-	idLock := locksutil.LockForKey(c.idLocks, index.ID)
-	idLock.Lock()
-	defer idLock.Unlock()
-
-	getIndex, err := c.db.Get(cachememdb.IndexNameID, index.ID)
-	if err != nil && err != cachememdb.ErrCacheItemNotFound {
-		return err
-	}
-	index.LastRenewed = t
-	if err := c.Set(ctx, getIndex); err != nil {
-		return err
-	}
-	return nil
-}
-
-// computeIndexID results in a value that uniquely identifies a request
-// received by the agent. It does so by SHA256 hashing the serialized request
-// object containing the request path, query parameters and body parameters.
-func computeIndexID(req *SendRequest) (string, error) {
-	var b bytes.Buffer
-
-	cloned := req.Request.Clone(context.Background())
-	cloned.Header.Del(vaulthttp.VaultIndexHeaderName)
-	cloned.Header.Del(vaulthttp.VaultForwardHeaderName)
-	cloned.Header.Del(vaulthttp.VaultInconsistentHeaderName)
-	// Serialize the request
-	if err := cloned.Write(&b); err != nil {
-		return "", fmt.Errorf("failed to serialize request: %v", err)
-	}
-
-	// Reset the request body after it has been closed by Write
-	req.Request.Body = io.NopCloser(bytes.NewReader(req.RequestBody))
-
-	// Append req.Token into the byte slice. This is needed since auto-auth'ed
-	// requests sets the token directly into SendRequest.Token
-	if _, err := b.WriteString(req.Token); err != nil {
-		return "", fmt.Errorf("failed to write token to hash input: %w", err)
-	}
-
-	return hex.EncodeToString(cryptoutil.Blake2b256Hash(string(b.Bytes()))), nil
-}
-
-// canonicalizeStaticSecretPath takes an API request path such as
-// /v1/foo/bar and a namespace, and turns it into a canonical representation
-// of the secret's path in Vault.
-// We opt for this form as namespace.Canonicalize returns a namespace in the
-// form of "ns1/", so we keep consistent with path canonicalization.
-func canonicalizeStaticSecretPath(requestPath string, ns string) string {
-	// /sys/capabilities accepts both requests that look like foo/bar
-	// and /foo/bar but not /v1/foo/bar.
-	// We trim the /v1/ from the start of the URL to get the foo/bar form.
-	// This means that we can use the paths we retrieve from the
-	// /sys/capabilities endpoint to access this index
-	// without having to re-add the /v1/
-	path := strings.TrimPrefix(requestPath, "/v1/")
-	// Trim any leading slashes, as we never want those.
-	// This ensures /foo/bar gets turned to foo/bar
-	path = strings.TrimPrefix(path, "/")
-
-	// If a namespace was provided in a way that wasn't directly in the path,
-	// it must be added to the path.
-	path = namespace.Canonicalize(ns) + path
-
-	return path
-}
-
-// getStaticSecretPathFromRequest gets the canonical path for a
-// request, taking into account intricacies relating to /v1/ and namespaces
-// in the header.
-// Returns a path like foo/bar or ns1/foo/bar.
-// We opt for this form as namespace.Canonicalize returns a namespace in the
-// form of "ns1/", so we keep consistent with path canonicalization.
-func getStaticSecretPathFromRequest(req *SendRequest) string {
-	path := req.Request.URL.Path
-	// Static secrets always have /v1 as a prefix. This enables us to
-	// enable a pass-through and never attempt to cache or view-from-cache
-	// any request without the /v1 prefix.
-	if !strings.HasPrefix(path, "/v1") {
-		return ""
-	}
-	var namespace string
-	if header := req.Request.Header; header != nil {
-		namespace = header.Get(api.NamespaceHeaderName)
-	}
-	return canonicalizeStaticSecretPath(path, namespace)
-}
-
-// hashStaticSecretIndex is a simple function that hashes the path into
-// a function. This is kept as a helper function for ease of use by downstream functions.
-func hashStaticSecretIndex(unhashedIndex string) string {
-	return hex.EncodeToString(cryptoutil.Blake2b256Hash(unhashedIndex))
-}
-
-// computeStaticSecretCacheIndex results in a value that uniquely identifies a static
-// secret's cached ID. Notably, we intentionally ignore headers (for example,
-// the X-Vault-Token header) to remain agnostic to which token is being
-// used in the request. We care only about the path.
-// This will return "" if the index does not have a /v1 prefix, and therefore
-// cannot be a static secret.
-func computeStaticSecretCacheIndex(req *SendRequest) string {
-	path := getStaticSecretPathFromRequest(req)
-	if path == "" {
-		return path
-	}
-	return hashStaticSecretIndex(path)
-}
-
-// HandleCacheClear returns a handlerFunc that can perform cache clearing operations.
-func (c *LeaseCache) HandleCacheClear(ctx context.Context) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// If the cache is not enabled, return a 200
-		if c == nil {
-			return
-		}
-
-		// Only handle POST/PUT requests
-		switch r.Method {
-		case http.MethodPost:
-		case http.MethodPut:
-		default:
-			return
-		}
-
-		req := new(cacheClearRequest)
-		if err := jsonutil.DecodeJSONFromReader(r.Body, req); err != nil {
-			if err == io.EOF {
-				err = errors.New("empty JSON provided")
-			}
-			logical.RespondError(w, http.StatusBadRequest, fmt.Errorf("failed to parse JSON input: %w", err))
-			return
-		}
-
-		c.logger.Debug("received cache-clear request", "type", req.Type, "namespace", req.Namespace, "value", req.Value)
-
-		in, err := parseCacheClearInput(req)
-		if err != nil {
-			c.logger.Error("unable to parse clear input", "error", err)
-			logical.RespondError(w, http.StatusBadRequest, fmt.Errorf("failed to parse clear input: %w", err))
-			return
-		}
-
-		if err := c.handleCacheClear(ctx, in); err != nil {
-			// Default to 500 on error, unless the user provided an invalid type,
-			// which would then be a 400.
-			httpStatus := http.StatusInternalServerError
-			if err == errInvalidType {
-				httpStatus = http.StatusBadRequest
-			}
-			logical.RespondError(w, httpStatus, fmt.Errorf("failed to clear cache: %w", err))
-			return
-		}
-
-		return
-	})
-}
-
-func (c *LeaseCache) handleCacheClear(ctx context.Context, in *cacheClearInput) error {
-	if in == nil {
-		return errors.New("no value(s) provided to clear corresponding cache entries")
-	}
-
-	switch in.Type {
-	case "request_path":
-		// For this particular case, we need to ensure that there are 2 provided
-		// indexers for the proper lookup.
-		if in.RequestPath == "" {
-			return errors.New("request path not provided")
-		}
-
-		// The first value provided for this case will be the namespace, but if it's
-		// an empty value we need to overwrite it with "root/" to ensure proper
-		// cache lookup.
-		if in.Namespace == "" {
-			in.Namespace = "root/"
-		}
-
-		// Find all the cached entries which has the given request path and
-		// cancel the contexts of all the respective lifetime watchers
-		indexes, err := c.db.GetByPrefix(cachememdb.IndexNameRequestPath, in.Namespace, in.RequestPath)
-		if err != nil {
-			return err
-		}
-		for _, index := range indexes {
-			// If it's a static secret, we must remove directly, as there
-			// is no renew func to cancel.
-			if index.Type == cacheboltdb.StaticSecretType {
-				err = c.db.Evict(cachememdb.IndexNameID, index.ID)
-				if err != nil {
-					return err
-				}
-			} else {
-				if index.RenewCtxInfo != nil {
-					if index.RenewCtxInfo.CancelFunc != nil {
-						index.RenewCtxInfo.CancelFunc()
-					}
-				}
-			}
-		}
-
-	case "token":
-		if in.Token == "" {
-			return errors.New("token not provided")
-		}
-
-		// Get the context for the given token and cancel its context
-		index, err := c.db.Get(cachememdb.IndexNameToken, in.Token)
-		if errors.Is(err, cachememdb.ErrCacheItemNotFound) {
-			return nil
-		}
-		if err != nil {
-			return err
-		}
-
-		c.logger.Debug("canceling context of index attached to token")
-
-		index.RenewCtxInfo.CancelFunc()
-
-	case "token_accessor":
-		if in.TokenAccessor == "" && in.Type != cacheboltdb.StaticSecretType {
-			return errors.New("token accessor not provided")
-		}
-
-		// Get the cached index and cancel the corresponding lifetime watcher
-		// context
-		index, err := c.db.Get(cachememdb.IndexNameTokenAccessor, in.TokenAccessor)
-		if errors.Is(err, cachememdb.ErrCacheItemNotFound) {
-			return nil
-		}
-		if err != nil {
-			return err
-		}
-
-		c.logger.Debug("canceling context of index attached to accessor")
-
-		index.RenewCtxInfo.CancelFunc()
-
-	case "lease":
-		if in.Lease == "" {
-			return errors.New("lease not provided")
-		}
-
-		// Get the cached index and cancel the corresponding lifetime watcher
-		// context
-		index, err := c.db.Get(cachememdb.IndexNameLease, in.Lease)
-		if errors.Is(err, cachememdb.ErrCacheItemNotFound) {
-			return nil
-		}
-		if err != nil {
-			return err
-		}
-
-		c.logger.Debug("canceling context of index attached to accessor")
-
-		index.RenewCtxInfo.CancelFunc()
-
-	case "all":
-		// Cancel the base context which triggers all the goroutines to
-		// stop and evict entries from cache.
-		c.logger.Debug("canceling base context")
-		c.l.Lock()
-		c.baseCtxInfo.CancelFunc()
-		// Reset the base context
-		baseCtx, baseCancel := context.WithCancel(ctx)
-		c.baseCtxInfo = &cachememdb.ContextInfo{
-			Ctx:        baseCtx,
-			CancelFunc: baseCancel,
-		}
-		c.l.Unlock()
-
-		// Reset the memdb instance (and persistent storage if enabled)
-		if err := c.Flush(); err != nil {
-			return err
-		}
-
-	default:
-		return errInvalidType
-	}
-
-	c.logger.Debug("successfully cleared matching cache entries")
-
-	return nil
-}
-
-// handleRevocationRequest checks whether the originating request is a
-// revocation request, and if so perform applicable cache cleanups.
-// Returns true is this is a revocation request.
-func (c *LeaseCache) handleRevocationRequest(ctx context.Context, req *SendRequest, resp *SendResponse) (bool, error) {
-	// Lease and token revocations return 204's on success. Fast-path if that's
-	// not the case.
-	if resp.Response.StatusCode != http.StatusNoContent {
-		return false, nil
-	}
-
-	_, path := deriveNamespaceAndRevocationPath(req)
-
-	switch {
-	case path == vaultPathTokenRevoke:
-		// Get the token from the request body
-		jsonBody := map[string]interface{}{}
-		if err := json.Unmarshal(req.RequestBody, &jsonBody); err != nil {
-			return false, err
-		}
-		tokenRaw, ok := jsonBody["token"]
-		if !ok {
-			return false, fmt.Errorf("failed to get token from request body")
-		}
-		token, ok := tokenRaw.(string)
-		if !ok {
-			return false, fmt.Errorf("expected token in the request body to be string")
-		}
-
-		// Clear the cache entry associated with the token and all the other
-		// entries belonging to the leases derived from this token.
-		in := &cacheClearInput{
-			Type:  "token",
-			Token: token,
-		}
-		if err := c.handleCacheClear(ctx, in); err != nil {
-			return false, err
-		}
-
-	case path == vaultPathTokenRevokeSelf:
-		// Clear the cache entry associated with the token and all the other
-		// entries belonging to the leases derived from this token.
-		in := &cacheClearInput{
-			Type:  "token",
-			Token: req.Token,
-		}
-		if err := c.handleCacheClear(ctx, in); err != nil {
-			return false, err
-		}
-
-	case path == vaultPathTokenRevokeAccessor:
-		jsonBody := map[string]interface{}{}
-		if err := json.Unmarshal(req.RequestBody, &jsonBody); err != nil {
-			return false, err
-		}
-		accessorRaw, ok := jsonBody["accessor"]
-		if !ok {
-			return false, fmt.Errorf("failed to get accessor from request body")
-		}
-		accessor, ok := accessorRaw.(string)
-		if !ok {
-			return false, fmt.Errorf("expected accessor in the request body to be string")
-		}
-
-		in := &cacheClearInput{
-			Type:          "token_accessor",
-			TokenAccessor: accessor,
-		}
-		if err := c.handleCacheClear(ctx, in); err != nil {
-			return false, err
-		}
-
-	case path == vaultPathTokenRevokeOrphan:
-		jsonBody := map[string]interface{}{}
-		if err := json.Unmarshal(req.RequestBody, &jsonBody); err != nil {
-			return false, err
-		}
-		tokenRaw, ok := jsonBody["token"]
-		if !ok {
-			return false, fmt.Errorf("failed to get token from request body")
-		}
-		token, ok := tokenRaw.(string)
-		if !ok {
-			return false, fmt.Errorf("expected token in the request body to be string")
-		}
-
-		// Kill the lifetime watchers of all the leases attached to the revoked
-		// token
-		indexes, err := c.db.GetByPrefix(cachememdb.IndexNameLeaseToken, token)
-		if err != nil {
-			return false, err
-		}
-		for _, index := range indexes {
-			index.RenewCtxInfo.CancelFunc()
-		}
-
-		// Kill the lifetime watchers of the revoked token
-		index, err := c.db.Get(cachememdb.IndexNameToken, token)
-		if errors.Is(err, cachememdb.ErrCacheItemNotFound) {
-			return true, nil
-		}
-		if err != nil {
-			return false, err
-		}
-
-		// Indicate the lifetime watcher goroutine for this index to return.
-		// This will not affect the child tokens because the context is not
-		// getting cancelled.
-		close(index.RenewCtxInfo.DoneCh)
-
-		// Clear the parent references of the revoked token in the entries
-		// belonging to the child tokens of the revoked token.
-		indexes, err = c.db.GetByPrefix(cachememdb.IndexNameTokenParent, token)
-		if err != nil {
-			return false, err
-		}
-		for _, index := range indexes {
-			index.TokenParent = ""
-			err = c.db.Set(index)
-			if err != nil {
-				c.logger.Error("failed to persist index", "error", err)
-				return false, err
-			}
-		}
-
-	case path == vaultPathLeaseRevoke:
-		// TODO: Should lease present in the URL itself be considered here?
-		// Get the lease from the request body
-		jsonBody := map[string]interface{}{}
-		if err := json.Unmarshal(req.RequestBody, &jsonBody); err != nil {
-			return false, err
-		}
-		leaseIDRaw, ok := jsonBody["lease_id"]
-		if !ok {
-			return false, fmt.Errorf("failed to get lease_id from request body")
-		}
-		leaseID, ok := leaseIDRaw.(string)
-		if !ok {
-			return false, fmt.Errorf("expected lease_id the request body to be string")
-		}
-		in := &cacheClearInput{
-			Type:  "lease",
-			Lease: leaseID,
-		}
-		if err := c.handleCacheClear(ctx, in); err != nil {
-			return false, err
-		}
-
-	case strings.HasPrefix(path, vaultPathLeaseRevokeForce):
-		// Trim the URL path to get the request path prefix
-		prefix := strings.TrimPrefix(path, vaultPathLeaseRevokeForce)
-		// Get all the cache indexes that use the request path containing the
-		// prefix and cancel the lifetime watcher context of each.
-		indexes, err := c.db.GetByPrefix(cachememdb.IndexNameLease, prefix)
-		if err != nil {
-			return false, err
-		}
-
-		_, tokenNSID := namespace.SplitIDFromString(req.Token)
-		for _, index := range indexes {
-			_, leaseNSID := namespace.SplitIDFromString(index.Lease)
-			// Only evict leases that match the token's namespace
-			if tokenNSID == leaseNSID {
-				index.RenewCtxInfo.CancelFunc()
-			}
-		}
-
-	case strings.HasPrefix(path, vaultPathLeaseRevokePrefix):
-		// Trim the URL path to get the request path prefix
-		prefix := strings.TrimPrefix(path, vaultPathLeaseRevokePrefix)
-		// Get all the cache indexes that use the request path containing the
-		// prefix and cancel the lifetime watcher context of each.
-		indexes, err := c.db.GetByPrefix(cachememdb.IndexNameLease, prefix)
-		if err != nil {
-			return false, err
-		}
-
-		_, tokenNSID := namespace.SplitIDFromString(req.Token)
-		for _, index := range indexes {
-			_, leaseNSID := namespace.SplitIDFromString(index.Lease)
-			// Only evict leases that match the token's namespace
-			if tokenNSID == leaseNSID {
-				index.RenewCtxInfo.CancelFunc()
-			}
-		}
-
-	default:
-		return false, nil
-	}
-
-	c.logger.Debug("triggered caching eviction from revocation request")
-
-	return true, nil
-}
-
-// Set stores the index in the cachememdb, and also stores it in the persistent
-// cache (if enabled)
-func (c *LeaseCache) Set(ctx context.Context, index *cachememdb.Index) error {
-	if err := c.db.Set(index); err != nil {
-		return err
-	}
-
-	if c.ps != nil {
-		plaintext, err := index.Serialize()
-		if err != nil {
-			return err
-		}
-
-		if err := c.ps.Set(ctx, index.ID, plaintext, index.Type); err != nil {
-			return err
-		}
-		c.logger.Trace("set entry in persistent storage", "type", index.Type, "path", index.RequestPath, "id", index.ID)
-	}
-
-	return nil
-}
-
-// SetCapabilitiesIndex stores the capabilities index in the cachememdb, and also stores it in the persistent
-// cache (if enabled)
-func (c *LeaseCache) SetCapabilitiesIndex(ctx context.Context, index *cachememdb.CapabilitiesIndex) error {
-	if err := c.db.SetCapabilitiesIndex(index); err != nil {
-		return err
-	}
-
-	if c.ps != nil {
-		plaintext, err := index.SerializeCapabilitiesIndex()
-		if err != nil {
-			return err
-		}
-
-		if err := c.ps.Set(ctx, index.ID, plaintext, cacheboltdb.TokenCapabilitiesType); err != nil {
-			return err
-		}
-		c.logger.Trace("set entry in persistent storage", "type", cacheboltdb.TokenCapabilitiesType, "id", index.ID)
-	}
-
-	return nil
-}
-
-// Evict removes an Index from the cachememdb, and also removes it from the
-// persistent cache (if enabled)
-func (c *LeaseCache) Evict(index *cachememdb.Index) error {
-	if err := c.db.Evict(cachememdb.IndexNameID, index.ID); err != nil {
-		return err
-	}
-
-	if c.ps != nil {
-		if err := c.ps.Delete(index.ID, index.Type); err != nil {
-			return err
-		}
-		c.logger.Trace("deleted item from persistent storage", "id", index.ID)
-	}
-
-	return nil
-}
-
-// Flush the cachememdb and persistent cache (if enabled)
-func (c *LeaseCache) Flush() error {
-	if err := c.db.Flush(); err != nil {
-		return err
-	}
-
-	if c.ps != nil {
-		c.logger.Trace("clearing persistent storage")
-		return c.ps.Clear()
-	}
-
-	return nil
-}
-
-// Restore loads the cachememdb from the persistent storage passed in. Loads
-// tokens first, since restoring a lease's renewal context and watcher requires
-// looking up the token in the cachememdb.
-// Restore also restarts any capability management for managed static secret
-// tokens.
-func (c *LeaseCache) Restore(ctx context.Context, storage *cacheboltdb.BoltStorage) error {
-	var errs *multierror.Error
-
-	// Process tokens first
-	tokens, err := storage.GetByType(ctx, cacheboltdb.TokenType)
-	if err != nil {
-		errs = multierror.Append(errs, err)
-	} else {
-		if err := c.restoreTokens(tokens); err != nil {
-			errs = multierror.Append(errs, err)
-		}
-	}
-
-	// Then process leases
-	leases, err := storage.GetByType(ctx, cacheboltdb.LeaseType)
-	if err != nil {
-		errs = multierror.Append(errs, err)
-	} else {
-		for _, lease := range leases {
-			newIndex, err := cachememdb.Deserialize(lease)
-			if err != nil {
-				errs = multierror.Append(errs, err)
-				continue
-			}
-
-			c.logger.Trace("restoring lease", "id", newIndex.ID, "path", newIndex.RequestPath)
-
-			// Check if this lease has already expired
-			expired, err := c.hasExpired(time.Now().UTC(), newIndex)
-			if err != nil {
-				c.logger.Warn("failed to check if lease is expired", "id", newIndex.ID, "error", err)
-			}
-			if expired {
-				continue
-			}
-
-			if err := c.restoreLeaseRenewCtx(newIndex); err != nil {
-				errs = multierror.Append(errs, err)
-				continue
-			}
-			if err := c.db.Set(newIndex); err != nil {
-				errs = multierror.Append(errs, err)
-				continue
-			}
-			c.logger.Trace("restored lease", "id", newIndex.ID, "path", newIndex.RequestPath)
-		}
-	}
-
-	// Then process static secrets and their capabilities
-	if c.cacheStaticSecrets {
-		staticSecrets, err := storage.GetByType(ctx, cacheboltdb.StaticSecretType)
-		if err != nil {
-			errs = multierror.Append(errs, err)
-		} else {
-			for _, staticSecret := range staticSecrets {
-				newIndex, err := cachememdb.Deserialize(staticSecret)
-				if err != nil {
-					errs = multierror.Append(errs, err)
-					continue
-				}
-
-				c.logger.Trace("restoring static secret index", "id", newIndex.ID, "path", newIndex.RequestPath)
-				if err := c.db.Set(newIndex); err != nil {
-					errs = multierror.Append(errs, err)
-					continue
-				}
-			}
-		}
-
-		capabilityIndexes, err := storage.GetByType(ctx, cacheboltdb.TokenCapabilitiesType)
-		if err != nil {
-			errs = multierror.Append(errs, err)
-		} else {
-			for _, capabilityIndex := range capabilityIndexes {
-				newIndex, err := cachememdb.DeserializeCapabilitiesIndex(capabilityIndex)
-				if err != nil {
-					errs = multierror.Append(errs, err)
-					continue
-				}
-
-				c.logger.Trace("restoring capability index", "id", newIndex.ID)
-				if err := c.db.SetCapabilitiesIndex(newIndex); err != nil {
-					errs = multierror.Append(errs, err)
-					continue
-				}
-
-				if c.capabilityManager != nil {
-					c.capabilityManager.StartRenewingCapabilities(newIndex)
-				}
-			}
-		}
-	}
-
-	return errs.ErrorOrNil()
-}
-
-func (c *LeaseCache) restoreTokens(tokens [][]byte) error {
-	var errors *multierror.Error
-
-	for _, token := range tokens {
-		newIndex, err := cachememdb.Deserialize(token)
-		if err != nil {
-			errors = multierror.Append(errors, err)
-			continue
-		}
-		newIndex.RenewCtxInfo = c.createCtxInfo(nil)
-		if err := c.db.Set(newIndex); err != nil {
-			errors = multierror.Append(errors, err)
-			continue
-		}
-		c.logger.Trace("restored token", "id", newIndex.ID)
-	}
-
-	return errors.ErrorOrNil()
-}
-
-// restoreLeaseRenewCtx re-creates a RenewCtx for an index object and starts
-// the watcher go routine
-func (c *LeaseCache) restoreLeaseRenewCtx(index *cachememdb.Index) error {
-	if index.Response == nil {
-		return fmt.Errorf("cached response was nil for %s", index.ID)
-	}
-
-	// Parse the secret to determine which type it is
-	reader := bufio.NewReader(bytes.NewReader(index.Response))
-	resp, err := http.ReadResponse(reader, nil)
-	if err != nil {
-		c.logger.Error("failed to deserialize response", "error", err)
-		return err
-	}
-	secret, err := api.ParseSecret(resp.Body)
-	if err != nil {
-		c.logger.Error("failed to parse response as secret", "error", err)
-		return err
-	}
-
-	var renewCtxInfo *cachememdb.ContextInfo
-	switch {
-	case secret.LeaseID != "":
-		entry, err := c.db.Get(cachememdb.IndexNameToken, index.RequestToken)
-		if errors.Is(err, cachememdb.ErrCacheItemNotFound) {
-			return fmt.Errorf("could not find parent Token %s for req path %s", index.RequestToken, index.RequestPath)
-		}
-		if err != nil {
-			return err
-		}
-
-		// Derive a context for renewal using the token's context
-		renewCtxInfo = cachememdb.NewContextInfo(entry.RenewCtxInfo.Ctx)
-
-	case secret.Auth != nil:
-		var parentCtx context.Context
-		if !secret.Auth.Orphan {
-			entry, err := c.db.Get(cachememdb.IndexNameToken, index.RequestToken)
-			if errors.Is(err, cachememdb.ErrCacheItemNotFound) {
-				// If parent token is not managed by the cache, child shouldn't be
-				// either.
-				if entry == nil {
-					return fmt.Errorf("could not find parent Token %s for req path %s", index.RequestToken, index.RequestPath)
-				}
-			}
-			if err != nil {
-				return err
-			}
-
-			c.logger.Debug("setting parent context", "method", index.RequestMethod, "path", index.RequestPath)
-			parentCtx = entry.RenewCtxInfo.Ctx
-		}
-		renewCtxInfo = c.createCtxInfo(parentCtx)
-	default:
-		// This isn't a renewable cache entry, i.e. a static secret cache entry.
-		// We return, because there's nothing to do.
-		return nil
-	}
-
-	renewCtx := context.WithValue(renewCtxInfo.Ctx, contextIndexID, index.ID)
-	index.RenewCtxInfo = &cachememdb.ContextInfo{
-		Ctx:        renewCtx,
-		CancelFunc: renewCtxInfo.CancelFunc,
-		DoneCh:     renewCtxInfo.DoneCh,
-	}
-
-	sendReq := &SendRequest{
-		Token: index.RequestToken,
-		Request: &http.Request{
-			Header: index.RequestHeader,
-			Method: index.RequestMethod,
-			URL: &url.URL{
-				Path: index.RequestPath,
-			},
-		},
-	}
-	go c.startRenewing(renewCtx, index, sendReq, secret)
-
-	return nil
-}
-
-// deriveNamespaceAndRevocationPath returns the namespace and relative path for
-// revocation paths.
-//
-// If the path contains a namespace, but it's not a revocation path, it will be
-// returned as-is, since there's no way to tell where the namespace ends and
-// where the request path begins purely based off a string.
-//
-// Case 1: /v1/ns1/leases/revoke  -> ns1/, /v1/leases/revoke
-// Case 2: ns1/ /v1/leases/revoke -> ns1/, /v1/leases/revoke
-// Case 3: /v1/ns1/foo/bar  -> root/, /v1/ns1/foo/bar
-// Case 4: ns1/ /v1/foo/bar -> ns1/, /v1/foo/bar
-func deriveNamespaceAndRevocationPath(req *SendRequest) (string, string) {
-	namespace := "root/"
-	nsHeader := req.Request.Header.Get(consts.NamespaceHeaderName)
-	if nsHeader != "" {
-		namespace = nsHeader
-	}
-
-	fullPath := req.Request.URL.Path
-	nonVersionedPath := strings.TrimPrefix(fullPath, "/v1")
-
-	for _, pathToCheck := range revocationPaths {
-		// We use strings.Contains here for paths that can contain
-		// vars in the path, e.g. /v1/lease/revoke-prefix/:prefix
-		i := strings.Index(nonVersionedPath, pathToCheck)
-		// If there's no match, move on to the next check
-		if i == -1 {
-			continue
-		}
-
-		// If the index is 0, this is a relative path with no namespace preppended,
-		// so we can break early
-		if i == 0 {
-			break
-		}
-
-		// We need to turn /ns1 into ns1/, this makes it easy
-		namespaceInPath := nshelper.Canonicalize(nonVersionedPath[:i])
-
-		// If it's root, we replace, otherwise we join
-		if namespace == "root/" {
-			namespace = namespaceInPath
-		} else {
-			namespace = namespace + namespaceInPath
-		}
-
-		return namespace, fmt.Sprintf("/v1%s", nonVersionedPath[i:])
-	}
-
-	return namespace, fmt.Sprintf("/v1%s", nonVersionedPath)
-}
-
-// RegisterAutoAuthToken adds the provided auto-token into the cache. This is
-// primarily used to register the auto-auth token and should only be called
-// within a sink's WriteToken func.
-func (c *LeaseCache) RegisterAutoAuthToken(token string) error {
-	// Get the token from the cache
-	oldIndex, err := c.db.Get(cachememdb.IndexNameToken, token)
-	if err != nil && err != cachememdb.ErrCacheItemNotFound {
-		return err
-	}
-
-	// If the index is found, just keep it in the cache and ignore the incoming
-	// token (since they're the same)
-	if oldIndex != nil {
-		c.logger.Trace("auto-auth token already exists in cache; no need to store it again")
-		return nil
-	}
-
-	// The following randomly generated values are required for index stored by
-	// the cache, but are not actually used. We use random values to prevent
-	// accidental access.
-	id, err := base62.Random(5)
-	if err != nil {
-		return err
-	}
-	namespace, err := base62.Random(5)
-	if err != nil {
-		return err
-	}
-	requestPath, err := base62.Random(5)
-	if err != nil {
-		return err
-	}
-
-	index := &cachememdb.Index{
-		ID:          id,
-		Token:       token,
-		Namespace:   namespace,
-		RequestPath: requestPath,
-		Type:        cacheboltdb.TokenType,
-	}
-
-	// Derive a context off of the lease cache's base context
-	ctxInfo := c.createCtxInfo(nil)
-
-	index.RenewCtxInfo = &cachememdb.ContextInfo{
-		Ctx:        ctxInfo.Ctx,
-		CancelFunc: ctxInfo.CancelFunc,
-		DoneCh:     ctxInfo.DoneCh,
-	}
-
-	// Store the index in the cache
-	c.logger.Debug("storing auto-auth token into the cache")
-	err = c.Set(c.baseCtxInfo.Ctx, index)
-	if err != nil {
-		c.logger.Error("failed to cache the auto-auth token", "error", err)
-		return err
-	}
-
-	return nil
-}
-
-type cacheClearInput struct {
-	Type string
-
-	RequestPath   string
-	Namespace     string
-	Token         string
-	TokenAccessor string
-	Lease         string
-}
-
-func parseCacheClearInput(req *cacheClearRequest) (*cacheClearInput, error) {
-	if req == nil {
-		return nil, errors.New("nil request options provided")
-	}
-
-	if req.Type == "" {
-		return nil, errors.New("no type provided")
-	}
-
-	in := &cacheClearInput{
-		Type:      req.Type,
-		Namespace: req.Namespace,
-	}
-
-	switch req.Type {
-	case "request_path":
-		in.RequestPath = req.Value
-	case "token":
-		in.Token = req.Value
-	case "token_accessor":
-		in.TokenAccessor = req.Value
-	case "lease":
-		in.Lease = req.Value
-	}
-
-	return in, nil
-}
-
-func (c *LeaseCache) hasExpired(currentTime time.Time, index *cachememdb.Index) (bool, error) {
-	reader := bufio.NewReader(bytes.NewReader(index.Response))
-	resp, err := http.ReadResponse(reader, nil)
-	if err != nil {
-		return false, fmt.Errorf("failed to deserialize response: %w", err)
-	}
-	secret, err := api.ParseSecret(resp.Body)
-	if err != nil {
-		return false, fmt.Errorf("failed to parse response as secret: %w", err)
-	}
-
-	elapsed := currentTime.Sub(index.LastRenewed)
-	var leaseDuration int
-	switch {
-	case secret.LeaseID != "":
-		leaseDuration = secret.LeaseDuration
-	case secret.Auth != nil:
-		leaseDuration = secret.Auth.LeaseDuration
-	default:
-		return false, errors.New("secret without lease encountered in expiration check")
-	}
-
-	if int(elapsed.Seconds()) > leaseDuration {
-		c.logger.Trace("secret has expired", "id", index.ID, "elapsed", elapsed, "lease duration", leaseDuration)
-		return true, nil
-	}
-	return false, nil
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+const userpass = {
+  user: {
+    username: {
+      editType: 'string',
+      helpText: 'Username for this user.',
+      fieldValue: 'mutableId',
+      fieldGroup: 'default',
+      readOnly: true,
+      label: 'Username',
+      type: 'string',
+    },
+    password: {
+      editType: 'string',
+      helpText: 'Password for this user.',
+      fieldGroup: 'default',
+      sensitive: true,
+      type: 'string',
+    },
+    tokenBoundCidrs: {
+      editType: 'stringArray',
+      helpText:
+        'A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Bound CIDRs",
+    },
+    tokenExplicitMaxTtl: {
+      editType: 'ttl',
+      helpText:
+        'If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Explicit Maximum TTL",
+    },
+    tokenMaxTtl: {
+      editType: 'ttl',
+      helpText: 'The maximum lifetime of the generated token',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Maximum TTL",
+    },
+    tokenNoDefaultPolicy: {
+      editType: 'boolean',
+      helpText: "If true, the 'default' policy will not automatically be added to generated tokens",
+      fieldGroup: 'Tokens',
+      label: "Do Not Attach 'default' Policy To Generated Tokens",
+      type: 'boolean',
+    },
+    tokenNumUses: {
+      editType: 'number',
+      helpText: 'The maximum number of times a token may be used, a value of zero means unlimited',
+      fieldGroup: 'Tokens',
+      label: 'Maximum Uses of Generated Tokens',
+      type: 'number',
+    },
+    tokenPeriod: {
+      editType: 'ttl',
+      helpText:
+        'If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. "24h").',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Period",
+    },
+    tokenPolicies: {
+      editType: 'stringArray',
+      helpText: 'A list of policies that will apply to the generated token for this user.',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Policies",
+    },
+    tokenTtl: {
+      editType: 'ttl',
+      helpText: 'The initial ttl of the token to generate',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Initial TTL",
+    },
+    tokenType: {
+      editType: 'string',
+      helpText: 'The type of token to generate, service or batch',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Type",
+      type: 'string',
+    },
+  },
+};
+
+const azure = {
+  'auth-config/azure': {
+    clientId: {
+      editType: 'string',
+      fieldGroup: 'default',
+      helpText:
+        'The OAuth2 client id to connection to Azure. This value can also be provided with the AZURE_CLIENT_ID environment variable.',
+      label: 'Client ID',
+      type: 'string',
+    },
+    clientSecret: {
+      editType: 'string',
+      fieldGroup: 'default',
+      helpText:
+        'The OAuth2 client secret to connection to Azure. This value can also be provided with the AZURE_CLIENT_SECRET environment variable.',
+      type: 'string',
+    },
+    environment: {
+      editType: 'string',
+      fieldGroup: 'default',
+      helpText:
+        'The Azure environment name. If not provided, AzurePublicCloud is used. This value can also be provided with the AZURE_ENVIRONMENT environment variable.',
+      type: 'string',
+    },
+    maxRetries: {
+      editType: 'number',
+      fieldGroup: 'default',
+      helpText:
+        'The maximum number of attempts a failed operation will be retried before producing an error.',
+      type: 'number',
+    },
+    maxRetryDelay: {
+      editType: 'ttl',
+      fieldGroup: 'default',
+      helpText: 'The maximum delay allowed before retrying an operation.',
+    },
+    resource: {
+      editType: 'string',
+      fieldGroup: 'default',
+      helpText:
+        'The resource URL for the vault application in Azure Active Directory. This value can also be provided with the AZURE_AD_RESOURCE environment variable.',
+      type: 'string',
+    },
+    retryDelay: {
+      editType: 'ttl',
+      fieldGroup: 'default',
+      helpText: 'The initial amount of delay to use before retrying an operation, increasing exponentially.',
+    },
+    rootPasswordTtl: {
+      editType: 'ttl',
+      fieldGroup: 'default',
+      helpText:
+        'The TTL of the root password in Azure. This can be either a number of seconds or a time formatted duration (ex: 24h, 48ds)',
+    },
+    tenantId: {
+      editType: 'string',
+      fieldGroup: 'default',
+      helpText:
+        'The tenant id for the Azure Active Directory. This is sometimes referred to as Directory ID in AD. This value can also be provided with the AZURE_TENANT_ID environment variable.',
+      label: 'Tenant ID',
+      type: 'string',
+    },
+  },
+};
+
+const cert = {
+  'auth-config/cert': {
+    disableBinding: {
+      editType: 'boolean',
+      helpText:
+        'If set, during renewal, skips the matching of presented client identity with the client identity used during login. Defaults to false.',
+      fieldGroup: 'default',
+      type: 'boolean',
+    },
+    enableIdentityAliasMetadata: {
+      editType: 'boolean',
+      helpText:
+        'If set, metadata of the certificate including the metadata corresponding to allowed_metadata_extensions will be stored in the alias. Defaults to false.',
+      fieldGroup: 'default',
+      type: 'boolean',
+    },
+    ocspCacheSize: {
+      editType: 'number',
+      helpText: 'The size of the in memory OCSP response cache, shared by all configured certs',
+      fieldGroup: 'default',
+      type: 'number',
+    },
+  },
+  cert: {
+    name: {
+      editType: 'string',
+      helpText: 'The name of the certificate',
+      fieldValue: 'mutableId',
+      fieldGroup: 'default',
+      readOnly: true,
+      label: 'Name',
+      type: 'string',
+    },
+    allowedCommonNames: {
+      editType: 'stringArray',
+      helpText: 'A list of names. At least one must exist in the Common Name. Supports globbing.',
+      fieldGroup: 'Constraints',
+    },
+    allowedDnsSans: {
+      editType: 'stringArray',
+      helpText: 'A list of DNS names. At least one must exist in the SANs. Supports globbing.',
+      fieldGroup: 'Constraints',
+      label: 'Allowed DNS SANs',
+    },
+    allowedEmailSans: {
+      editType: 'stringArray',
+      helpText: 'A list of Email Addresses. At least one must exist in the SANs. Supports globbing.',
+      fieldGroup: 'Constraints',
+      label: 'Allowed Email SANs',
+    },
+    allowedMetadataExtensions: {
+      editType: 'stringArray',
+      helpText:
+        'A list of OID extensions. Upon successful authentication, these extensions will be added as metadata if they are present in the certificate. The metadata key will be the string consisting of the OID numbers separated by a dash (-) instead of a dot (.) to allow usage in ACL templates.',
+      fieldGroup: 'default',
+    },
+    allowedNames: {
+      editType: 'stringArray',
+      helpText:
+        'A list of names. At least one must exist in either the Common Name or SANs. Supports globbing. This parameter is deprecated, please use allowed_common_names, allowed_dns_sans, allowed_email_sans, allowed_uri_sans.',
+      fieldGroup: 'Constraints',
+    },
+    allowedOrganizationalUnits: {
+      editType: 'stringArray',
+      helpText: 'A list of Organizational Units names. At least one must exist in the OU field.',
+      fieldGroup: 'Constraints',
+    },
+    allowedUriSans: {
+      editType: 'stringArray',
+      helpText: 'A list of URIs. At least one must exist in the SANs. Supports globbing.',
+      fieldGroup: 'Constraints',
+      label: 'Allowed URI SANs',
+    },
+    certificate: {
+      editType: 'file',
+      helpText: 'The public certificate that should be trusted. Must be x509 PEM encoded.',
+      fieldGroup: 'default',
+      type: 'string',
+    },
+    displayName: {
+      editType: 'string',
+      helpText: 'The display name to use for clients using this certificate.',
+      fieldGroup: 'default',
+      type: 'string',
+    },
+    ocspCaCertificates: {
+      editType: 'file',
+      helpText: 'Any additional CA certificates needed to communicate with OCSP servers',
+      fieldGroup: 'default',
+      type: 'string',
+    },
+    ocspEnabled: {
+      editType: 'boolean',
+      helpText: 'Whether to attempt OCSP verification of certificates at login',
+      fieldGroup: 'default',
+      type: 'boolean',
+    },
+    ocspFailOpen: {
+      editType: 'boolean',
+      helpText:
+        'If set to true, if an OCSP revocation cannot be made successfully, login will proceed rather than failing. If false, failing to get an OCSP status fails the request.',
+      fieldGroup: 'default',
+      type: 'boolean',
+    },
+    ocspQueryAllServers: {
+      editType: 'boolean',
+      helpText:
+        'If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree.',
+      fieldGroup: 'default',
+      type: 'boolean',
+    },
+    ocspServersOverride: {
+      editType: 'stringArray',
+      helpText:
+        'A list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected.',
+      fieldGroup: 'default',
+    },
+    requiredExtensions: {
+      editType: 'stringArray',
+      helpText:
+        "A list of extensions formatted as 'oid:value'. Expects the extension value to be some type of ASN1 encoded string. All values much match. Supports globbing on 'value'.",
+      fieldGroup: 'default',
+    },
+    tokenBoundCidrs: {
+      editType: 'stringArray',
+      helpText:
+        'A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Bound CIDRs",
+    },
+    tokenExplicitMaxTtl: {
+      editType: 'ttl',
+      helpText:
+        'If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Explicit Maximum TTL",
+    },
+    tokenMaxTtl: {
+      editType: 'ttl',
+      helpText: 'The maximum lifetime of the generated token',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Maximum TTL",
+    },
+    tokenNoDefaultPolicy: {
+      editType: 'boolean',
+      helpText: "If true, the 'default' policy will not automatically be added to generated tokens",
+      fieldGroup: 'Tokens',
+      label: "Do Not Attach 'default' Policy To Generated Tokens",
+      type: 'boolean',
+    },
+    tokenNumUses: {
+      editType: 'number',
+      helpText: 'The maximum number of times a token may be used, a value of zero means unlimited',
+      fieldGroup: 'Tokens',
+      label: 'Maximum Uses of Generated Tokens',
+      type: 'number',
+    },
+    tokenPeriod: {
+      editType: 'ttl',
+      helpText:
+        'If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. "24h").',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Period",
+    },
+    tokenPolicies: {
+      editType: 'stringArray',
+      helpText: 'A list of policies that will apply to the generated token for this user.',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Policies",
+    },
+    tokenTtl: {
+      editType: 'ttl',
+      helpText: 'The initial ttl of the token to generate',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Initial TTL",
+    },
+    tokenType: {
+      editType: 'string',
+      helpText: 'The type of token to generate, service or batch',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Type",
+      type: 'string',
+    },
+  },
+};
+
+const gcp = {
+  'auth-config/gcp': {
+    credentials: {
+      editType: 'string',
+      helpText:
+        'Google credentials JSON that Vault will use to verify users against GCP APIs. If not specified, will use application default credentials',
+      fieldGroup: 'default',
+      label: 'Credentials',
+      type: 'string',
+    },
+    customEndpoint: {
+      editType: 'object',
+      helpText: 'Specifies overrides for various Google API Service Endpoints used in requests.',
+      fieldGroup: 'default',
+      type: 'object',
+    },
+    gceAlias: {
+      editType: 'string',
+      helpText: 'Indicates what value to use when generating an alias for GCE authentications.',
+      fieldGroup: 'default',
+      type: 'string',
+    },
+    gceMetadata: {
+      editType: 'stringArray',
+      helpText:
+        "The metadata to include on the aliases and audit logs generated by this plugin. When set to 'default', includes: instance_creation_timestamp, instance_id, instance_name, project_id, project_number, role, service_account_id, service_account_email, zone. Not editing this field means the 'default' fields are included. Explicitly setting this field to empty overrides the 'default' and means no metadata will be included. If not using 'default', explicit fields must be sent like: 'field1,field2'.",
+      fieldGroup: 'default',
+      defaultValue: 'field1,field2',
+      label: 'gce_metadata',
+    },
+    iamAlias: {
+      editType: 'string',
+      helpText: 'Indicates what value to use when generating an alias for IAM authentications.',
+      fieldGroup: 'default',
+      type: 'string',
+    },
+    iamMetadata: {
+      editType: 'stringArray',
+      helpText:
+        "The metadata to include on the aliases and audit logs generated by this plugin. When set to 'default', includes: project_id, role, service_account_id, service_account_email. Not editing this field means the 'default' fields are included. Explicitly setting this field to empty overrides the 'default' and means no metadata will be included. If not using 'default', explicit fields must be sent like: 'field1,field2'.",
+      fieldGroup: 'default',
+      defaultValue: 'field1,field2',
+      label: 'iam_metadata',
+    },
+  },
+};
+
+const github = {
+  'auth-config/github': {
+    baseUrl: {
+      editType: 'string',
+      helpText:
+        'The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server.',
+      fieldGroup: 'GitHub Options',
+      label: 'Base URL',
+      type: 'string',
+    },
+    organization: {
+      editType: 'string',
+      helpText: 'The organization users must be part of',
+      fieldGroup: 'default',
+      type: 'string',
+    },
+    organizationId: {
+      editType: 'number',
+      helpText: 'The ID of the organization users must be part of',
+      fieldGroup: 'default',
+      type: 'number',
+    },
+    tokenBoundCidrs: {
+      editType: 'stringArray',
+      helpText:
+        'A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Bound CIDRs",
+    },
+    tokenExplicitMaxTtl: {
+      editType: 'ttl',
+      helpText:
+        'If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Explicit Maximum TTL",
+    },
+    tokenMaxTtl: {
+      editType: 'ttl',
+      helpText: 'The maximum lifetime of the generated token',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Maximum TTL",
+    },
+    tokenNoDefaultPolicy: {
+      editType: 'boolean',
+      helpText: "If true, the 'default' policy will not automatically be added to generated tokens",
+      fieldGroup: 'Tokens',
+      label: "Do Not Attach 'default' Policy To Generated Tokens",
+      type: 'boolean',
+    },
+    tokenNumUses: {
+      editType: 'number',
+      helpText: 'The maximum number of times a token may be used, a value of zero means unlimited',
+      fieldGroup: 'Tokens',
+      label: 'Maximum Uses of Generated Tokens',
+      type: 'number',
+    },
+    tokenPeriod: {
+      editType: 'ttl',
+      helpText:
+        'If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. "24h").',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Period",
+    },
+    tokenPolicies: {
+      editType: 'stringArray',
+      helpText: 'A list of policies that will apply to the generated token for this user.',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Policies",
+    },
+    tokenTtl: {
+      editType: 'ttl',
+      helpText: 'The initial ttl of the token to generate',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Initial TTL",
+    },
+    tokenType: {
+      editType: 'string',
+      helpText: 'The type of token to generate, service or batch',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Type",
+      type: 'string',
+    },
+  },
+};
+
+const jwt = {
+  'auth-config/jwt': {
+    boundIssuer: {
+      editType: 'string',
+      helpText: "The value against which to match the 'iss' claim in a JWT. Optional.",
+      fieldGroup: 'default',
+      type: 'string',
+    },
+    defaultRole: {
+      editType: 'string',
+      helpText:
+        'The default role to use if none is provided during login. If not set, a role is required during login.',
+      fieldGroup: 'default',
+      type: 'string',
+    },
+    jwksCaPem: {
+      editType: 'string',
+      helpText:
+        'The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.',
+      fieldGroup: 'default',
+      type: 'string',
+    },
+    jwksUrl: {
+      editType: 'string',
+      helpText:
+        'JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".',
+      fieldGroup: 'default',
+      type: 'string',
+    },
+    jwtSupportedAlgs: {
+      editType: 'stringArray',
+      helpText: 'A list of supported signing algorithms. Defaults to RS256.',
+      fieldGroup: 'default',
+    },
+    jwtValidationPubkeys: {
+      editType: 'stringArray',
+      helpText:
+        'A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with "jwks_url" or "oidc_discovery_url".',
+      fieldGroup: 'default',
+    },
+    namespaceInState: {
+      editType: 'boolean',
+      helpText:
+        'Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs.',
+      fieldGroup: 'default',
+      defaultValue: true,
+      label: 'Namespace in OIDC state',
+      type: 'boolean',
+    },
+    oidcClientId: {
+      editType: 'string',
+      helpText: 'The OAuth Client ID configured with your OIDC provider.',
+      fieldGroup: 'default',
+      type: 'string',
+    },
+    oidcClientSecret: {
+      editType: 'string',
+      helpText: 'The OAuth Client Secret configured with your OIDC provider.',
+      fieldGroup: 'default',
+      sensitive: true,
+      type: 'string',
+    },
+    oidcDiscoveryCaPem: {
+      editType: 'string',
+      helpText:
+        'The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used.',
+      fieldGroup: 'default',
+      type: 'string',
+    },
+    oidcDiscoveryUrl: {
+      editType: 'string',
+      helpText:
+        'OIDC Discovery URL, without any .well-known component (base path). Cannot be used with "jwks_url" or "jwt_validation_pubkeys".',
+      fieldGroup: 'default',
+      type: 'string',
+    },
+    oidcResponseMode: {
+      editType: 'string',
+      helpText:
+        "The response mode to be used in the OAuth2 request. Allowed values are 'query' and 'form_post'.",
+      fieldGroup: 'default',
+      type: 'string',
+    },
+    oidcResponseTypes: {
+      editType: 'stringArray',
+      helpText:
+        "The response types to request. Allowed values are 'code' and 'id_token'. Defaults to 'code'.",
+      fieldGroup: 'default',
+    },
+    providerConfig: {
+      editType: 'object',
+      helpText: 'Provider-specific configuration. Optional.',
+      fieldGroup: 'default',
+      label: 'Provider Config',
+      type: 'object',
+    },
+  },
+};
+
+const kubernetes = {
+  'auth-config/kubernetes': {
+    disableLocalCaJwt: {
+      editType: 'boolean',
+      helpText:
+        'Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod',
+      fieldGroup: 'default',
+      label: 'Disable use of local CA and service account JWT',
+      type: 'boolean',
+    },
+    kubernetesCaCert: {
+      editType: 'string',
+      helpText: 'PEM encoded CA cert for use by the TLS client used to talk with the API.',
+      fieldGroup: 'default',
+      label: 'Kubernetes CA Certificate',
+      type: 'string',
+    },
+    kubernetesHost: {
+      editType: 'string',
+      helpText:
+        'Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.',
+      fieldGroup: 'default',
+      type: 'string',
+    },
+    pemKeys: {
+      editType: 'stringArray',
+      helpText:
+        'Optional list of PEM-formated public keys or certificates used to verify the signatures of kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.',
+      fieldGroup: 'default',
+      label: 'Service account verification keys',
+    },
+    tokenReviewerJwt: {
+      editType: 'string',
+      helpText:
+        'A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.',
+      fieldGroup: 'default',
+      label: 'Token Reviewer JWT',
+      type: 'string',
+    },
+  },
+  role: {
+    name: {
+      editType: 'string',
+      helpText: 'Name of the role.',
+      fieldValue: 'mutableId',
+      fieldGroup: 'default',
+      readOnly: true,
+      label: 'Name',
+      type: 'string',
+    },
+    aliasNameSource: {
+      editType: 'string',
+      helpText:
+        'Source to use when deriving the Alias name. valid choices: "serviceaccount_uid" : <token.uid> e.g. 474b11b5-0f20-4f9d-8ca5-65715ab325e0 (most secure choice) "serviceaccount_name" : <namespace>/<serviceaccount> e.g. vault/vault-agent default: "serviceaccount_uid"',
+      fieldGroup: 'default',
+      type: 'string',
+    },
+    audience: {
+      editType: 'string',
+      helpText: 'Optional Audience claim to verify in the jwt.',
+      fieldGroup: 'default',
+      type: 'string',
+    },
+    boundServiceAccountNames: {
+      editType: 'stringArray',
+      helpText:
+        'List of service account names able to access this role. If set to "*" all names are allowed.',
+      fieldGroup: 'default',
+    },
+    boundServiceAccountNamespaces: {
+      editType: 'stringArray',
+      helpText: 'List of namespaces allowed to access this role. If set to "*" all namespaces are allowed.',
+      fieldGroup: 'default',
+    },
+    tokenBoundCidrs: {
+      editType: 'stringArray',
+      helpText:
+        'A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Bound CIDRs",
+    },
+    tokenExplicitMaxTtl: {
+      editType: 'ttl',
+      helpText:
+        'If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Explicit Maximum TTL",
+    },
+    tokenMaxTtl: {
+      editType: 'ttl',
+      helpText: 'The maximum lifetime of the generated token',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Maximum TTL",
+    },
+    tokenNoDefaultPolicy: {
+      editType: 'boolean',
+      helpText: "If true, the 'default' policy will not automatically be added to generated tokens",
+      fieldGroup: 'Tokens',
+      label: "Do Not Attach 'default' Policy To Generated Tokens",
+      type: 'boolean',
+    },
+    tokenNumUses: {
+      editType: 'number',
+      helpText: 'The maximum number of times a token may be used, a value of zero means unlimited',
+      fieldGroup: 'Tokens',
+      label: 'Maximum Uses of Generated Tokens',
+      type: 'number',
+    },
+    tokenPeriod: {
+      editType: 'ttl',
+      helpText:
+        'If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. "24h").',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Period",
+    },
+    tokenPolicies: {
+      editType: 'stringArray',
+      helpText: 'A list of policies that will apply to the generated token for this user.',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Policies",
+    },
+    tokenTtl: {
+      editType: 'ttl',
+      helpText: 'The initial ttl of the token to generate',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Initial TTL",
+    },
+    tokenType: {
+      editType: 'string',
+      helpText: 'The type of token to generate, service or batch',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Type",
+      type: 'string',
+    },
+  },
+};
+
+const ldap = {
+  'auth-config/ldap': {
+    anonymousGroupSearch: {
+      editType: 'boolean',
+      helpText:
+        'Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).',
+      fieldGroup: 'default',
+      label: 'Anonymous group search',
+      type: 'boolean',
+    },
+    binddn: {
+      editType: 'string',
+      helpText: 'LDAP DN for searching for the user DN (optional)',
+      fieldGroup: 'default',
+      label: 'Name of Object to bind (binddn)',
+      type: 'string',
+    },
+    bindpass: {
+      editType: 'string',
+      helpText: 'LDAP password for searching for the user DN (optional)',
+      fieldGroup: 'default',
+      sensitive: true,
+      type: 'string',
+    },
+    caseSensitiveNames: {
+      editType: 'boolean',
+      helpText:
+        'If true, case sensitivity will be used when comparing usernames and groups for matching policies.',
+      fieldGroup: 'default',
+      type: 'boolean',
+    },
+    certificate: {
+      editType: 'file',
+      helpText:
+        'CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded (optional)',
+      fieldGroup: 'default',
+      label: 'CA certificate',
+      type: 'string',
+    },
+    clientTlsCert: {
+      editType: 'file',
+      helpText: 'Client certificate to provide to the LDAP server, must be x509 PEM encoded (optional)',
+      fieldGroup: 'default',
+      label: 'Client certificate',
+      type: 'string',
+    },
+    clientTlsKey: {
+      editType: 'file',
+      helpText: 'Client certificate key to provide to the LDAP server, must be x509 PEM encoded (optional)',
+      fieldGroup: 'default',
+      label: 'Client key',
+      type: 'string',
+    },
+    connectionTimeout: {
+      editType: 'ttl',
+      helpText:
+        'Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.',
+      fieldGroup: 'default',
+    },
+    denyNullBind: {
+      editType: 'boolean',
+      helpText:
+        "Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true",
+      fieldGroup: 'default',
+      type: 'boolean',
+    },
+    dereferenceAliases: {
+      editType: 'string',
+      helpText:
+        "When aliases should be dereferenced on search operations. Accepted values are 'never', 'finding', 'searching', 'always'. Defaults to 'never'.",
+      possibleValues: ['never', 'finding', 'searching', 'always'],
+      fieldGroup: 'default',
+      type: 'string',
+    },
+    discoverdn: {
+      editType: 'boolean',
+      helpText: 'Use anonymous bind to discover the bind DN of a user (optional)',
+      fieldGroup: 'default',
+      label: 'Discover DN',
+      type: 'boolean',
+    },
+    groupattr: {
+      editType: 'string',
+      helpText:
+        'LDAP attribute to follow on objects returned by <groupfilter> in order to enumerate user group membership. Examples: "cn" or "memberOf", etc. Default: cn',
+      fieldGroup: 'default',
+      defaultValue: 'cn',
+      label: 'Group Attribute',
+      type: 'string',
+    },
+    groupdn: {
+      editType: 'string',
+      helpText: 'LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org)',
+      fieldGroup: 'default',
+      label: 'Group DN',
+      type: 'string',
+    },
+    groupfilter: {
+      editType: 'string',
+      helpText:
+        'Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))',
+      fieldGroup: 'default',
+      label: 'Group Filter',
+      type: 'string',
+    },
+    insecureTls: {
+      editType: 'boolean',
+      helpText: 'Skip LDAP server SSL Certificate verification - VERY insecure (optional)',
+      fieldGroup: 'default',
+      label: 'Insecure TLS',
+      type: 'boolean',
+    },
+    maxPageSize: {
+      editType: 'number',
+      helpText:
+        "If set to a value greater than 0, the LDAP backend will use the LDAP server's paged search control to request pages of up to the given size. This can be used to avoid hitting the LDAP server's maximum result size limit. Otherwise, the LDAP backend will not use the paged search control.",
+      fieldGroup: 'default',
+      type: 'number',
+    },
+    passwordPolicy: {
+      editType: 'string',
+      fieldGroup: 'default',
+      helpText: 'Password policy to use to rotate the root password',
+      type: 'string',
+    },
+    requestTimeout: {
+      editType: 'ttl',
+      helpText:
+        'Timeout, in seconds, for the connection when making requests against the server before returning back an error.',
+      fieldGroup: 'default',
+    },
+    starttls: {
+      editType: 'boolean',
+      helpText: 'Issue a StartTLS command after establishing unencrypted connection (optional)',
+      fieldGroup: 'default',
+      label: 'Issue StartTLS',
+      type: 'boolean',
+    },
+    tlsMaxVersion: {
+      editType: 'string',
+      helpText:
+        "Maximum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'",
+      possibleValues: ['tls10', 'tls11', 'tls12', 'tls13'],
+      fieldGroup: 'default',
+      label: 'Maximum TLS Version',
+      type: 'string',
+    },
+    tlsMinVersion: {
+      editType: 'string',
+      helpText:
+        "Minimum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'",
+      possibleValues: ['tls10', 'tls11', 'tls12', 'tls13'],
+      fieldGroup: 'default',
+      label: 'Minimum TLS Version',
+      type: 'string',
+    },
+    tokenBoundCidrs: {
+      editType: 'stringArray',
+      helpText:
+        'A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Bound CIDRs",
+    },
+    tokenExplicitMaxTtl: {
+      editType: 'ttl',
+      helpText:
+        'If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Explicit Maximum TTL",
+    },
+    tokenMaxTtl: {
+      editType: 'ttl',
+      helpText: 'The maximum lifetime of the generated token',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Maximum TTL",
+    },
+    tokenNoDefaultPolicy: {
+      editType: 'boolean',
+      helpText: "If true, the 'default' policy will not automatically be added to generated tokens",
+      fieldGroup: 'Tokens',
+      label: "Do Not Attach 'default' Policy To Generated Tokens",
+      type: 'boolean',
+    },
+    tokenNumUses: {
+      editType: 'number',
+      helpText: 'The maximum number of times a token may be used, a value of zero means unlimited',
+      fieldGroup: 'Tokens',
+      label: 'Maximum Uses of Generated Tokens',
+      type: 'number',
+    },
+    tokenPeriod: {
+      editType: 'ttl',
+      helpText:
+        'If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. "24h").',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Period",
+    },
+    tokenPolicies: {
+      editType: 'stringArray',
+      helpText: 'A list of policies that will apply to the generated token for this user.',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Policies",
+    },
+    tokenTtl: {
+      editType: 'ttl',
+      helpText: 'The initial ttl of the token to generate',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Initial TTL",
+    },
+    tokenType: {
+      editType: 'string',
+      helpText: 'The type of token to generate, service or batch',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Type",
+      type: 'string',
+    },
+    upndomain: {
+      editType: 'string',
+      helpText: 'Enables userPrincipalDomain login with [username]@UPNDomain (optional)',
+      fieldGroup: 'default',
+      label: 'User Principal (UPN) Domain',
+      type: 'string',
+    },
+    url: {
+      editType: 'string',
+      helpText:
+        'LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.',
+      fieldGroup: 'default',
+      label: 'URL',
+      type: 'string',
+    },
+    usePre111GroupCnBehavior: {
+      editType: 'boolean',
+      helpText:
+        'In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.',
+      fieldGroup: 'default',
+      type: 'boolean',
+    },
+    useTokenGroups: {
+      editType: 'boolean',
+      helpText:
+        'If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.',
+      fieldGroup: 'default',
+      type: 'boolean',
+    },
+    userattr: {
+      editType: 'string',
+      helpText: 'Attribute used for users (default: cn)',
+      fieldGroup: 'default',
+      defaultValue: 'cn',
+      label: 'User Attribute',
+      type: 'string',
+    },
+    userdn: {
+      editType: 'string',
+      helpText: 'LDAP domain to use for users (eg: ou=People,dc=example,dc=org)',
+      fieldGroup: 'default',
+      label: 'User DN',
+      type: 'string',
+    },
+    userfilter: {
+      editType: 'string',
+      helpText:
+        'Go template for LDAP user search filer (optional) The template can access the following context variables: UserAttr, Username Default: ({{.UserAttr}}={{.Username}})',
+      fieldGroup: 'default',
+      label: 'User Search Filter',
+      type: 'string',
+    },
+    usernameAsAlias: {
+      editType: 'boolean',
+      helpText: 'If true, sets the alias name to the username',
+      fieldGroup: 'default',
+      type: 'boolean',
+    },
+  },
+  group: {
+    name: {
+      editType: 'string',
+      helpText: 'Name of the LDAP group.',
+      fieldValue: 'mutableId',
+      fieldGroup: 'default',
+      readOnly: true,
+      label: 'Name',
+      type: 'string',
+    },
+    policies: {
+      editType: 'stringArray',
+      helpText: 'A list of policies associated to the group.',
+      fieldGroup: 'default',
+    },
+  },
+  user: {
+    name: {
+      editType: 'string',
+      helpText: 'Name of the LDAP user.',
+      fieldValue: 'mutableId',
+      fieldGroup: 'default',
+      readOnly: true,
+      label: 'Name',
+      type: 'string',
+    },
+    groups: {
+      editType: 'stringArray',
+      helpText: 'A list of additional groups associated with the user.',
+      fieldGroup: 'default',
+    },
+    policies: {
+      editType: 'stringArray',
+      helpText: 'A list of policies associated with the user.',
+      fieldGroup: 'default',
+    },
+  },
+};
+
+const okta = {
+  'auth-config/okta': {
+    apiToken: {
+      editType: 'string',
+      helpText: 'Okta API key.',
+      fieldGroup: 'default',
+      label: 'API Token',
+      type: 'string',
+    },
+    baseUrl: {
+      editType: 'string',
+      helpText:
+        'The base domain to use for the Okta API. When not specified in the configuration, "okta.com" is used.',
+      fieldGroup: 'default',
+      label: 'Base URL',
+      type: 'string',
+    },
+    bypassOktaMfa: {
+      editType: 'boolean',
+      helpText:
+        'When set true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired.',
+      fieldGroup: 'default',
+      label: 'Bypass Okta MFA',
+      type: 'boolean',
+    },
+    orgName: {
+      editType: 'string',
+      helpText: 'Name of the organization to be used in the Okta API.',
+      fieldGroup: 'default',
+      label: 'Organization Name',
+      type: 'string',
+    },
+    tokenBoundCidrs: {
+      editType: 'stringArray',
+      helpText:
+        'A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Bound CIDRs",
+    },
+    tokenExplicitMaxTtl: {
+      editType: 'ttl',
+      helpText:
+        'If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Explicit Maximum TTL",
+    },
+    tokenMaxTtl: {
+      editType: 'ttl',
+      helpText: 'The maximum lifetime of the generated token',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Maximum TTL",
+    },
+    tokenNoDefaultPolicy: {
+      editType: 'boolean',
+      helpText: "If true, the 'default' policy will not automatically be added to generated tokens",
+      fieldGroup: 'Tokens',
+      label: "Do Not Attach 'default' Policy To Generated Tokens",
+      type: 'boolean',
+    },
+    tokenNumUses: {
+      editType: 'number',
+      helpText: 'The maximum number of times a token may be used, a value of zero means unlimited',
+      fieldGroup: 'Tokens',
+      label: 'Maximum Uses of Generated Tokens',
+      type: 'number',
+    },
+    tokenPeriod: {
+      editType: 'ttl',
+      helpText:
+        'If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. "24h").',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Period",
+    },
+    tokenPolicies: {
+      editType: 'stringArray',
+      helpText: 'A list of policies that will apply to the generated token for this user.',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Policies",
+    },
+    tokenTtl: {
+      editType: 'ttl',
+      helpText: 'The initial ttl of the token to generate',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Initial TTL",
+    },
+    tokenType: {
+      editType: 'string',
+      helpText: 'The type of token to generate, service or batch',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Type",
+      type: 'string',
+    },
+  },
+  group: {
+    name: {
+      editType: 'string',
+      helpText: 'Name of the Okta group.',
+      fieldValue: 'mutableId',
+      fieldGroup: 'default',
+      readOnly: true,
+      label: 'Name',
+      type: 'string',
+    },
+    policies: {
+      editType: 'stringArray',
+      helpText: 'A list of policies associated to the group.',
+      fieldGroup: 'default',
+    },
+  },
+  user: {
+    name: {
+      editType: 'string',
+      helpText: 'Name of the user.',
+      fieldValue: 'mutableId',
+      fieldGroup: 'default',
+      readOnly: true,
+      label: 'Name',
+      type: 'string',
+    },
+    groups: {
+      editType: 'stringArray',
+      helpText: 'List of groups associated with the user.',
+      fieldGroup: 'default',
+    },
+    policies: {
+      editType: 'stringArray',
+      helpText: 'List of policies associated with the user.',
+      fieldGroup: 'default',
+    },
+  },
+};
+
+const radius = {
+  'auth-config/radius': {
+    dialTimeout: {
+      editType: 'ttl',
+      helpText: 'Number of seconds before connect times out (default: 10)',
+      fieldGroup: 'default',
+      defaultValue: 10,
+    },
+    host: {
+      editType: 'string',
+      helpText: 'RADIUS server host',
+      fieldGroup: 'default',
+      label: 'Host',
+      type: 'string',
+    },
+    nasIdentifier: {
+      editType: 'string',
+      helpText: 'RADIUS NAS Identifier field (optional)',
+      fieldGroup: 'default',
+      label: 'NAS Identifier',
+      type: 'string',
+    },
+    nasPort: {
+      editType: 'number',
+      helpText: 'RADIUS NAS port field (default: 10)',
+      fieldGroup: 'default',
+      defaultValue: 10,
+      label: 'NAS Port',
+      type: 'number',
+    },
+    port: {
+      editType: 'number',
+      helpText: 'RADIUS server port (default: 1812)',
+      fieldGroup: 'default',
+      defaultValue: 1812,
+      type: 'number',
+    },
+    readTimeout: {
+      editType: 'ttl',
+      helpText: 'Number of seconds before response times out (default: 10)',
+      fieldGroup: 'default',
+      defaultValue: 10,
+    },
+    secret: {
+      editType: 'string',
+      helpText: 'Secret shared with the RADIUS server',
+      fieldGroup: 'default',
+      type: 'string',
+    },
+    tokenBoundCidrs: {
+      editType: 'stringArray',
+      helpText:
+        'A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Bound CIDRs",
+    },
+    tokenExplicitMaxTtl: {
+      editType: 'ttl',
+      helpText:
+        'If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Explicit Maximum TTL",
+    },
+    tokenMaxTtl: {
+      editType: 'ttl',
+      helpText: 'The maximum lifetime of the generated token',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Maximum TTL",
+    },
+    tokenNoDefaultPolicy: {
+      editType: 'boolean',
+      helpText: "If true, the 'default' policy will not automatically be added to generated tokens",
+      fieldGroup: 'Tokens',
+      label: "Do Not Attach 'default' Policy To Generated Tokens",
+      type: 'boolean',
+    },
+    tokenNumUses: {
+      editType: 'number',
+      helpText: 'The maximum number of times a token may be used, a value of zero means unlimited',
+      fieldGroup: 'Tokens',
+      label: 'Maximum Uses of Generated Tokens',
+      type: 'number',
+    },
+    tokenPeriod: {
+      editType: 'ttl',
+      helpText:
+        'If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. "24h").',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Period",
+    },
+    tokenPolicies: {
+      editType: 'stringArray',
+      helpText: 'A list of policies that will apply to the generated token for this user.',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Policies",
+    },
+    tokenTtl: {
+      editType: 'ttl',
+      helpText: 'The initial ttl of the token to generate',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Initial TTL",
+    },
+    tokenType: {
+      editType: 'string',
+      helpText: 'The type of token to generate, service or batch',
+      fieldGroup: 'Tokens',
+      label: "Generated Token's Type",
+      type: 'string',
+    },
+    unregisteredUserPolicies: {
+      editType: 'string',
+      helpText:
+        'List of policies to grant upon successful RADIUS authentication of an unregistered user (default: empty)',
+      fieldGroup: 'default',
+      label: 'Policies for unregistered users',
+      type: 'string',
+    },
+  },
+  user: {
+    name: {
+      editType: 'string',
+      helpText: 'Name of the RADIUS user.',
+      fieldValue: 'mutableId',
+      fieldGroup: 'default',
+      readOnly: true,
+      label: 'Name',
+      type: 'string',
+    },
+    policies: {
+      editType: 'stringArray',
+      helpText: 'A list of policies associated to the user.',
+      fieldGroup: 'default',
+    },
+  },
+};
+
+export default {
+  azure,
+  userpass,
+  cert,
+  gcp,
+  github,
+  jwt,
+  kubernetes,
+  ldap,
+  okta,
+  radius,
+  // aws is the only method that doesn't leverage OpenApi in practice
+};
diff --git a/command/audit.go b/command/audit.go
index 67f5b194daaa..8d69fe8759ce 100644
--- a/command/audit.go
+++ b/command/audit.go
@@ -1,49 +1,55 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"strings"
-
-	"github.com/mitchellh/cli"
-)
-
-var _ cli.Command = (*AuditCommand)(nil)
-
-type AuditCommand struct {
-	*BaseCommand
-}
-
-func (c *AuditCommand) Synopsis() string {
-	return "Interact with audit devices"
-}
-
-func (c *AuditCommand) Help() string {
-	helpText := `
-Usage: vault audit <subcommand> [options] [args]
-
-  This command groups subcommands for interacting with Vault's audit devices.
-  Users can list, enable, and disable audit devices.
-
-  *NOTE*: Once an audit device has been enabled, failure to audit could prevent
-  Vault from servicing future requests. It is highly recommended that you enable
-  multiple audit devices.
-
-  List all enabled audit devices:
-
-      $ vault audit list
-
-  Enable a new audit device "file";
-
-       $ vault audit enable file file_path=/var/log/audit.log
-
-  Please see the individual subcommand help for detailed usage information.
-`
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *AuditCommand) Run(args []string) int {
-	return cli.RunResultHelp
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+{{#if this.canLoginSaml}}
+  <form id="auth-form" {{on "submit" (fn this.startSAMLAuth @onSubmit (hash role=@roleName))}}>
+    <div class="field">
+      <label for="role" class="is-label">Role</label>
+      <div class="control">
+        <input
+          value={{@roleName}}
+          placeholder="Default"
+          {{on "input" this.setRole}}
+          autocomplete="off"
+          spellcheck="false"
+          name="role"
+          id="role"
+          class="input"
+          type="text"
+          data-test-role
+        />
+      </div>
+      <AlertInline
+        class="has-top-padding-s"
+        @type="info"
+        @message="Leave blank to sign in with the default role if one is configured."
+      />
+    </div>
+    <div data-test-yield-content>
+      {{yield}}
+    </div>
+    <Hds::Button
+      @text="Sign in with SAML provider"
+      @icon={{if @disabled "loading"}}
+      data-test-auth-submit={{true}}
+      type="submit"
+      disabled={{@disabled}}
+      id="auth-submit"
+    />
+  </form>
+{{else}}
+  <Hds::Alert @type="inline" @color="warning" data-test-saml-auth-not-allowed as |A|>
+    <A.Title>Nonsecure context detected</A.Title>
+    <A.Description>
+      Logging in with a SAML auth method requires a browser in a secure context.
+    </A.Description>
+    <A.Description class="has-top-margin-xs">
+      <ExternalLink @href="https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts">
+        Read more about secure contexts.
+        <Icon @name="external-link" />
+      </ExternalLink>
+    </A.Description>
+  </Hds::Alert>
+{{/if}}
\ No newline at end of file
diff --git a/command/audit_disable.go b/command/audit_disable.go
index 0e99da438d7b..57489a186f1d 100644
--- a/command/audit_disable.go
+++ b/command/audit_disable.go
@@ -4,89 +4,49 @@
 package command
 
 import (
-	"fmt"
 	"strings"
 
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
+	"github.com/hashicorp/cli"
 )
 
-var (
-	_ cli.Command             = (*AuditDisableCommand)(nil)
-	_ cli.CommandAutocomplete = (*AuditDisableCommand)(nil)
-)
+var _ cli.Command = (*AuthCommand)(nil)
 
-type AuditDisableCommand struct {
+type AuthCommand struct {
 	*BaseCommand
 }
 
-func (c *AuditDisableCommand) Synopsis() string {
-	return "Disables an audit device"
+func (c *AuthCommand) Synopsis() string {
+	return "Interact with auth methods"
 }
 
-func (c *AuditDisableCommand) Help() string {
-	helpText := `
-Usage: vault audit disable [options] PATH
+func (c *AuthCommand) Help() string {
+	return strings.TrimSpace(`
+Usage: vault auth <subcommand> [options] [args]
 
-  Disables an audit device. Once an audit device is disabled, no future audit
-  logs are dispatched to it. The data associated with the audit device is not
-  affected.
+  This command groups subcommands for interacting with Vault's auth methods.
+  Users can list, enable, disable, and get help for different auth methods.
 
-  The argument corresponds to the PATH of audit device, not the TYPE!
+  To authenticate to Vault as a user or machine, use the "vault login" command
+  instead. This command is for interacting with the auth methods themselves, not
+  authenticating to Vault.
 
-  Disable the audit device enabled at "file/":
+  List all enabled auth methods:
 
-      $ vault audit disable file/
+      $ vault auth list
 
-` + c.Flags().Help()
+  Enable a new auth method "userpass";
 
-	return strings.TrimSpace(helpText)
-}
+      $ vault auth enable userpass
 
-func (c *AuditDisableCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP)
-}
+  Get detailed help information about how to authenticate to a particular auth
+  method:
 
-func (c *AuditDisableCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultAudits()
-}
+      $ vault auth help github
 
-func (c *AuditDisableCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
+  Please see the individual subcommand help for detailed usage information.
+`)
 }
 
-func (c *AuditDisableCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
-	}
-
-	path := ensureTrailingSlash(sanitizePath(args[0]))
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	if err := client.Sys().DisableAudit(path); err != nil {
-		c.UI.Error(fmt.Sprintf("Error disabling audit device: %s", err))
-		return 2
-	}
-
-	c.UI.Output(fmt.Sprintf("Success! Disabled audit device (if it was enabled) at: %s", path))
-
-	return 0
+func (c *AuthCommand) Run(args []string) int {
+	return cli.RunResultHelp
 }
diff --git a/command/audit_disable_test.go b/command/audit_disable_test.go
index ec28f70ddfc0..13d291f2a24f 100644
--- a/command/audit_disable_test.go
+++ b/command/audit_disable_test.go
@@ -1,163 +1,132 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-)
-
-func testAuditDisableCommand(tb testing.TB) (*cli.MockUi, *AuditDisableCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &AuditDisableCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestAuditDisableCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"not_enough_args",
-			nil,
-			"Not enough arguments",
-			1,
-		},
-		{
-			"too_many_args",
-			[]string{"foo", "bar", "baz"},
-			"Too many arguments",
-			1,
-		},
-		{
-			"not_real",
-			[]string{"not_real"},
-			"Success! Disabled audit device (if it was enabled) at: not_real/",
-			0,
-		},
-		{
-			"default",
-			[]string{"file"},
-			"Success! Disabled audit device (if it was enabled) at: file/",
-			0,
-		},
-	}
-
-	for _, tc := range cases {
-		tc := tc
-
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			client, closer := testVaultServer(t)
-			defer closer()
-
-			if err := client.Sys().EnableAuditWithOptions("file", &api.EnableAuditOptions{
-				Type: "file",
-				Options: map[string]string{
-					"file_path": "discard",
-				},
-			}); err != nil {
-				t.Fatal(err)
-			}
-
-			ui, cmd := testAuditDisableCommand(t)
-			cmd.client = client
-
-			code := cmd.Run(tc.args)
-			if code != tc.code {
-				t.Errorf("expected %d to be %d", code, tc.code)
-			}
-
-			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-			if !strings.Contains(combined, tc.out) {
-				t.Errorf("expected %q to contain %q", combined, tc.out)
-			}
-		})
-	}
-
-	t.Run("integration", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		if err := client.Sys().EnableAuditWithOptions("integration_audit_disable", &api.EnableAuditOptions{
-			Type: "file",
-			Options: map[string]string{
-				"file_path": "discard",
-			},
-		}); err != nil {
-			t.Fatal(err)
-		}
-
-		ui, cmd := testAuditDisableCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"integration_audit_disable/",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Success! Disabled audit device (if it was enabled) at: integration_audit_disable/"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-
-		mounts, err := client.Sys().ListMounts()
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		if _, ok := mounts["integration_audit_disable"]; ok {
-			t.Errorf("expected mount to not exist: %#v", mounts)
-		}
-	})
-
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerBad(t)
-		defer closer()
-
-		ui, cmd := testAuditDisableCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"file",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Error disabling audit device: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testAuditDisableCommand(t)
-		assertNoTabs(t, cmd)
-	})
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+{{#if this.mfaErrors}}
+  <div class="has-top-margin-xxl" data-test-mfa-error>
+    <EmptyState
+      @title="Unauthorized"
+      @message="Multi-factor authentication is required, but failed. Go back and try again, or contact your administrator."
+      @icon="alert-circle"
+      @bottomBorder={{true}}
+      @subTitle={{join ". " this.mfaErrors}}
+      class="is-shadowless"
+    >
+      <Hds::Button @text="Go back" @icon="chevron-left" @color="tertiary" {{on "click" (action "onMfaErrorDismiss")}} />
+    </EmptyState>
+  </div>
+{{else}}
+  <SplashPage>
+    <:header>
+      {{#if this.oidcProvider}}
+        <div class="box is-shadowless is-flex-v-centered" data-test-auth-logo>
+          <LogoEdition aria-label="Sign in with Hashicorp Vault" />
+        </div>
+      {{else}}
+        <div class="is-flex-v-centered has-bottom-margin-xxl">
+          <div class="brand-icon-large">
+            <Icon @name="vault" @size="24" @stretched={{true}} />
+          </div>
+        </div>
+        <div class="is-flex-row">
+          {{#if this.mfaAuthData}}
+            <Hds::Button
+              @text="Back to login"
+              @icon="arrow-left"
+              @isIconOnly={{true}}
+              @color="tertiary"
+              {{on "click" (fn (mut this.mfaAuthData) null)}}
+            />
+          {{else if this.waitingForOktaNumberChallenge}}
+            <Hds::Button
+              @text="Back to login"
+              @icon="arrow-left"
+              @isIconOnly={{true}}
+              @color="tertiary"
+              {{on "click" (action "cancelAuthentication")}}
+            />
+          {{/if}}
+          <h1 class="title is-3">
+            {{if (or this.mfaAuthData this.waitingForOktaNumberChallenge) "Authenticate" "Sign in to Vault"}}
+          </h1>
+        </div>
+      {{/if}}
+    </:header>
+
+    <:subHeader>
+      {{#if (has-feature "Namespaces")}}
+        {{#unless this.mfaAuthData}}
+          <Toolbar class="toolbar-namespace-picker">
+            <div class="field is-horizontal" data-test-namespace-toolbar>
+              <div class="field-label is-normal">
+                <label class="is-label" for="namespace">Namespace</label>
+              </div>
+              {{#if this.managedNamespaceRoot}}
+                <div class="field-label">
+                  <span class="has-text-grey" data-test-managed-namespace-root>/{{this.managedNamespaceRoot}}</span>
+                </div>
+              {{/if}}
+              <div class="field-body">
+                <div class="field">
+                  <div class="control">
+                    <input
+                      data-test-auth-form-ns-input
+                      value={{this.namespaceInput}}
+                      placeholder={{if this.managedNamespaceRoot "/ (Default)" "/ (Root)"}}
+                      {{on "input" (perform this.updateNamespace value="target.value")}}
+                      autocomplete="off"
+                      spellcheck="false"
+                      name="namespace"
+                      id="namespace"
+                      class="input"
+                      type="text"
+                      disabled={{this.oidcProvider}}
+                    />
+                  </div>
+                </div>
+              </div>
+            </div>
+          </Toolbar>
+        {{/unless}}
+      {{/if}}
+    </:subHeader>
+
+    <:content>
+      {{#if this.mfaAuthData}}
+        <Mfa::MfaForm
+          @clusterId={{this.model.id}}
+          @authData={{this.mfaAuthData}}
+          @onSuccess={{action "onMfaSuccess"}}
+          @onError={{fn (mut this.mfaErrors)}}
+        />
+      {{else}}
+        <AuthForm
+          @wrappedToken={{this.wrappedToken}}
+          @cluster={{this.model}}
+          @namespace={{this.namespaceQueryParam}}
+          @redirectTo={{this.redirectTo}}
+          @selectedAuth={{this.authMethod}}
+          @onSuccess={{action "onAuthResponse"}}
+          @setOktaNumberChallenge={{fn (mut this.waitingForOktaNumberChallenge)}}
+          @waitingForOktaNumberChallenge={{this.waitingForOktaNumberChallenge}}
+          @setCancellingAuth={{fn (mut this.cancelAuth)}}
+          @cancelAuthForOktaNumberChallenge={{this.cancelAuth}}
+        />
+      {{/if}}
+    </:content>
+
+    <:footer>
+      <div class="has-short-padding">
+        <p class="help has-text-grey-dark" data-test-auth-helptext>
+          {{#if this.oidcProvider}}
+            Once you log in, you will be redirected back to your application. If you require login credentials, contact your
+            administrator.
+          {{else}}
+            Contact your administrator for login credentials.
+          {{/if}}
+        </p>
+      </div>
+    </:footer>
+  </SplashPage>
+{{/if}}
\ No newline at end of file
diff --git a/command/audit_enable.go b/command/audit_enable.go
index c77fe277d1f3..66c53c47e785 100644
--- a/command/audit_enable.go
+++ b/command/audit_enable.go
@@ -1,159 +1,69 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"io"
-	"os"
-	"strings"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*AuditEnableCommand)(nil)
-	_ cli.CommandAutocomplete = (*AuditEnableCommand)(nil)
-)
-
-type AuditEnableCommand struct {
-	*BaseCommand
-
-	flagDescription string
-	flagPath        string
-	flagLocal       bool
-
-	testStdin io.Reader // For tests
-}
-
-func (c *AuditEnableCommand) Synopsis() string {
-	return "Enables an audit device"
-}
-
-func (c *AuditEnableCommand) Help() string {
-	helpText := `
-Usage: vault audit enable [options] TYPE [CONFIG K=V...]
-
-  Enables an audit device at a given path.
-
-  This command enables an audit device of TYPE. Additional options for
-  configuring the audit device can be specified after the type in the same
-  format as the "vault write" command in key/value pairs.
-
-  For example, to configure the file audit device to write audit logs at the
-  path "/var/log/audit.log":
-
-      $ vault audit enable file file_path=/var/log/audit.log
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *AuditEnableCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP)
-
-	f := set.NewFlagSet("Command Options")
-
-	f.StringVar(&StringVar{
-		Name:       "description",
-		Target:     &c.flagDescription,
-		Default:    "",
-		EnvVar:     "",
-		Completion: complete.PredictAnything,
-		Usage: "Human-friendly description for the purpose of this audit " +
-			"device.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "path",
-		Target:     &c.flagPath,
-		Default:    "", // The default is complex, so we have to manually document
-		EnvVar:     "",
-		Completion: complete.PredictAnything,
-		Usage: "Place where the audit device will be accessible. This must be " +
-			"unique across all audit devices. This defaults to the \"type\" of the " +
-			"audit device.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "local",
-		Target:  &c.flagLocal,
-		Default: false,
-		EnvVar:  "",
-		Usage: "Mark the audit device as a local-only device. Local devices " +
-			"are not replicated or removed by replication.",
-	})
-
-	return set
-}
-
-func (c *AuditEnableCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictSet(
-		"file",
-		"syslog",
-		"socket",
-	)
-}
-
-func (c *AuditEnableCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *AuditEnableCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	if len(args) < 1 {
-		c.UI.Error("Error enabling audit device: audit type missing. Valid types include 'file', 'socket' and 'syslog'.")
-		return 1
-	}
-
-	// Grab the type
-	auditType := strings.TrimSpace(args[0])
-
-	auditPath := c.flagPath
-	if auditPath == "" {
-		auditPath = auditType
-	}
-	auditPath = ensureTrailingSlash(auditPath)
-
-	// Pull our fake stdin if needed
-	stdin := (io.Reader)(os.Stdin)
-	if c.testStdin != nil {
-		stdin = c.testStdin
-	}
-
-	options, err := parseArgsDataString(stdin, args[1:])
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Failed to parse K=V data: %s", err))
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	if err := client.Sys().EnableAuditWithOptions(auditPath, &api.EnableAuditOptions{
-		Type:        auditType,
-		Description: c.flagDescription,
-		Options:     options,
-		Local:       c.flagLocal,
-	}); err != nil {
-		c.UI.Error(fmt.Sprintf("Error enabling audit device: %s", err))
-		return 2
-	}
-
-	c.UI.Output(fmt.Sprintf("Success! Enabled the %s audit device at: %s", auditType, auditPath))
-	return 0
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { create, visitable, fillable, clickable } from 'ember-cli-page-object';
+import { click, settled } from '@ember/test-helpers';
+import VAULT_KEYS from 'vault/tests/helpers/vault-keys';
+
+const { rootToken } = VAULT_KEYS;
+
+export default create({
+  visit: visitable('/vault/auth'),
+  logout: visitable('/vault/logout'),
+  submit: clickable('[data-test-auth-submit]'),
+  tokenInput: fillable('[data-test-token]'),
+  usernameInput: fillable('[data-test-username]'),
+  passwordInput: fillable('[data-test-password]'),
+  namespaceInput: fillable('[data-test-auth-form-ns-input]'),
+  optionsToggle: clickable('[data-test-auth-form-options-toggle]'),
+  mountPath: fillable('[data-test-auth-form-mount-path]'),
+
+  login: async function (token = rootToken) {
+    // make sure we're always logged out and logged back in
+    await this.logout();
+    await settled();
+    // clear session storage to ensure we have a clean state
+    window.localStorage.clear();
+    await this.visit({ with: 'token' });
+    await settled();
+    return this.tokenInput(token).submit();
+  },
+  loginUsername: async function (username, password, path) {
+    // make sure we're always logged out and logged back in
+    await this.logout();
+    await settled();
+    // clear local storage to ensure we have a clean state
+    window.localStorage.clear();
+    await this.visit({ with: 'userpass' });
+    await settled();
+    if (path) {
+      await this.optionsToggle();
+      await this.mountPath(path);
+    }
+    await this.usernameInput(username);
+    return this.passwordInput(password).submit();
+  },
+  loginNs: async function (ns, token = rootToken) {
+    // make sure we're always logged out and logged back in
+    await this.logout();
+    await settled();
+    // clear session storage to ensure we have a clean state
+    window.localStorage.clear();
+    await this.visit({ with: 'token' });
+    await settled();
+    await this.namespaceInput(ns);
+    await settled();
+    await this.tokenInput(token).submit();
+    return;
+  },
+  clickLogout: async function (clearNamespace = false) {
+    await click('[data-test-user-menu-trigger]');
+    await click('[data-test-user-menu-content] a#logout');
+    if (clearNamespace) {
+      await this.namespaceInput('');
+    }
+    return;
+  },
+});
diff --git a/command/audit_enable_test.go b/command/audit_enable_test.go
index 58dca872e640..1476b71d0f07 100644
--- a/command/audit_enable_test.go
+++ b/command/audit_enable_test.go
@@ -4,211 +4,89 @@
 package command
 
 import (
-	"io/ioutil"
-	"os"
+	"fmt"
 	"strings"
-	"testing"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
 )
 
-func testAuditEnableCommand(tb testing.TB) (*cli.MockUi, *AuditEnableCommand) {
-	tb.Helper()
+var (
+	_ cli.Command             = (*AuthDisableCommand)(nil)
+	_ cli.CommandAutocomplete = (*AuthDisableCommand)(nil)
+)
 
-	ui := cli.NewMockUi()
-	return ui, &AuditEnableCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
+type AuthDisableCommand struct {
+	*BaseCommand
 }
 
-func TestAuditEnableCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"empty",
-			nil,
-			"Error enabling audit device: audit type missing. Valid types include 'file', 'socket' and 'syslog'.",
-			1,
-		},
-		{
-			"not_a_valid_type",
-			[]string{"nope_definitely_not_a_valid_type_like_ever"},
-			"",
-			2,
-		},
-		{
-			"enable",
-			[]string{"file", "file_path=discard"},
-			"Success! Enabled the file audit device at: file/",
-			0,
-		},
-		{
-			"enable_path",
-			[]string{
-				"-path", "audit_path",
-				"file",
-				"file_path=discard",
-			},
-			"Success! Enabled the file audit device at: audit_path/",
-			0,
-		},
-	}
+func (c *AuthDisableCommand) Synopsis() string {
+	return "Disables an auth method"
+}
+
+func (c *AuthDisableCommand) Help() string {
+	helpText := `
+Usage: vault auth disable [options] PATH
+
+  Disables an existing auth method at the given PATH. The argument corresponds
+  to the PATH of the mount, not the TYPE!. Once the auth method is disabled its
+  path can no longer be used to authenticate.
 
-	for _, tc := range cases {
-		tc := tc
+  All access tokens generated via the disabled auth method are immediately
+  revoked. This command will block until all tokens are revoked.
 
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
+  Disable the auth method at userpass/:
 
-			client, closer := testVaultServer(t)
-			defer closer()
+      $ vault auth disable userpass/
 
-			ui, cmd := testAuditEnableCommand(t)
-			cmd.client = client
+` + c.Flags().Help()
 
-			code := cmd.Run(tc.args)
-			if code != tc.code {
-				t.Errorf("expected %d to be %d", code, tc.code)
-			}
+	return strings.TrimSpace(helpText)
+}
+
+func (c *AuthDisableCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP)
+}
+
+func (c *AuthDisableCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultAuths()
+}
+
+func (c *AuthDisableCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *AuthDisableCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
+
+	path := ensureTrailingSlash(sanitizePath(args[0]))
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
 
-			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-			if !strings.Contains(combined, tc.out) {
-				t.Errorf("expected %q to contain %q", combined, tc.out)
-			}
-		})
+	if err := client.Sys().DisableAuth(path); err != nil {
+		c.UI.Error(fmt.Sprintf("Error disabling auth method at %s: %s", path, err))
+		return 2
 	}
 
-	t.Run("integration", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		ui, cmd := testAuditEnableCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"-path", "audit_enable_integration/",
-			"-description", "The best kind of test",
-			"file",
-			"file_path=discard",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Success! Enabled the file audit device at: audit_enable_integration/"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-
-		audits, err := client.Sys().ListAudit()
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		auditInfo, ok := audits["audit_enable_integration/"]
-		if !ok {
-			t.Fatalf("expected audit to exist")
-		}
-		if exp := "file"; auditInfo.Type != exp {
-			t.Errorf("expected %q to be %q", auditInfo.Type, exp)
-		}
-		if exp := "The best kind of test"; auditInfo.Description != exp {
-			t.Errorf("expected %q to be %q", auditInfo.Description, exp)
-		}
-
-		filePath, ok := auditInfo.Options["file_path"]
-		if !ok || filePath != "discard" {
-			t.Errorf("missing some options: %#v", auditInfo)
-		}
-	})
-
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerBad(t)
-		defer closer()
-
-		ui, cmd := testAuditEnableCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"pki",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Error enabling audit device: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testAuditEnableCommand(t)
-		assertNoTabs(t, cmd)
-	})
-
-	t.Run("mount_all", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerAllBackends(t)
-		defer closer()
-
-		files, err := ioutil.ReadDir("../builtin/audit")
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		var backends []string
-		for _, f := range files {
-			if f.IsDir() {
-				backends = append(backends, f.Name())
-			}
-		}
-
-		for _, b := range backends {
-			ui, cmd := testAuditEnableCommand(t)
-			cmd.client = client
-
-			args := []string{
-				b,
-			}
-			switch b {
-			case "file":
-				args = append(args, "file_path=discard")
-			case "socket":
-				args = append(args, "address=127.0.0.1:8888",
-					"skip_test=true")
-			case "syslog":
-				if _, exists := os.LookupEnv("WSLENV"); exists {
-					t.Log("skipping syslog test on WSL")
-					continue
-				}
-				if os.Getenv("CIRCLECI") == "true" {
-					// TODO install syslog in docker image we run our tests in
-					t.Log("skipping syslog test on CircleCI")
-					continue
-				}
-			}
-			code := cmd.Run(args)
-			if exp := 0; code != exp {
-				t.Errorf("type %s, expected %d to be %d - %s", b, code, exp, ui.OutputWriter.String()+ui.ErrorWriter.String())
-			}
-		}
-	})
+	c.UI.Output(fmt.Sprintf("Success! Disabled the auth method (if it existed) at: %s", path))
+	return 0
 }
diff --git a/command/audit_list.go b/command/audit_list.go
index a7793fcee493..f9da8a7d770c 100644
--- a/command/audit_list.go
+++ b/command/audit_list.go
@@ -4,168 +4,137 @@
 package command
 
 import (
-	"fmt"
-	"sort"
 	"strings"
+	"testing"
 
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
+	"github.com/hashicorp/cli"
 )
 
-var (
-	_ cli.Command             = (*AuditListCommand)(nil)
-	_ cli.CommandAutocomplete = (*AuditListCommand)(nil)
-)
-
-type AuditListCommand struct {
-	*BaseCommand
+func testAuthDisableCommand(tb testing.TB) (*cli.MockUi, *AuthDisableCommand) {
+	tb.Helper()
 
-	flagDetailed bool
-}
-
-func (c *AuditListCommand) Synopsis() string {
-	return "Lists enabled audit devices"
+	ui := cli.NewMockUi()
+	return ui, &AuthDisableCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
 }
 
-func (c *AuditListCommand) Help() string {
-	helpText := `
-Usage: vault audit list [options]
-
-  Lists the enabled audit devices in the Vault server. The output lists the
-  enabled audit devices and the options for those devices.
-
-  List all audit devices:
+func TestAuthDisableCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"not_enough_args",
+			nil,
+			"Not enough arguments",
+			1,
+		},
+		{
+			"too_many_args",
+			[]string{"foo", "bar"},
+			"Too many arguments",
+			1,
+		},
+	}
 
-      $ vault audit list
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
 
-  List detailed output about the audit devices:
+		for _, tc := range cases {
+			tc := tc
 
-      $ vault audit list -detailed
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
 
-` + c.Flags().Help()
+				client, closer := testVaultServer(t)
+				defer closer()
 
-	return strings.TrimSpace(helpText)
-}
+				ui, cmd := testAuthDisableCommand(t)
+				cmd.client = client
 
-func (c *AuditListCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
 
-	f := set.NewFlagSet("Command Options")
-
-	f.BoolVar(&BoolVar{
-		Name:    "detailed",
-		Target:  &c.flagDetailed,
-		Default: false,
-		EnvVar:  "",
-		Usage: "Print detailed information such as options and replication " +
-			"status about each auth device.",
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
 	})
 
-	return set
-}
-
-func (c *AuditListCommand) AutocompleteArgs() complete.Predictor {
-	return nil
-}
-
-func (c *AuditListCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *AuditListCommand) Run(args []string) int {
-	f := c.Flags()
+	t.Run("integration", func(t *testing.T) {
+		t.Parallel()
 
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
+		client, closer := testVaultServer(t)
+		defer closer()
 
-	args = f.Args()
-	if len(args) > 0 {
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(args)))
-		return 1
-	}
+		if err := client.Sys().EnableAuth("my-auth", "userpass", ""); err != nil {
+			t.Fatal(err)
+		}
 
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
+		ui, cmd := testAuthDisableCommand(t)
+		cmd.client = client
 
-	audits, err := client.Sys().ListAudit()
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error listing audits: %s", err))
-		return 2
-	}
+		code := cmd.Run([]string{
+			"my-auth",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
 
-	switch Format(c.UI) {
-	case "table":
-		if len(audits) == 0 {
-			c.UI.Output("No audit devices are enabled.")
-			return 2
+		expected := "Success! Disabled the auth method"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
 		}
 
-		if c.flagDetailed {
-			c.UI.Output(tableOutput(c.detailedAudits(audits), nil))
-			return 0
+		auths, err := client.Sys().ListAuth()
+		if err != nil {
+			t.Fatal(err)
 		}
-		c.UI.Output(tableOutput(c.simpleAudits(audits), nil))
-		return 0
-	default:
-		return OutputData(c.UI, audits)
-	}
-}
 
-func (c *AuditListCommand) simpleAudits(audits map[string]*api.Audit) []string {
-	paths := make([]string, 0, len(audits))
-	for path := range audits {
-		paths = append(paths, path)
-	}
-	sort.Strings(paths)
-
-	columns := []string{"Path | Type | Description"}
-	for _, path := range paths {
-		audit := audits[path]
-		columns = append(columns, fmt.Sprintf("%s | %s | %s",
-			audit.Path,
-			audit.Type,
-			audit.Description,
-		))
-	}
+		if auth, ok := auths["my-auth/"]; ok {
+			t.Errorf("expected auth to be disabled: %#v", auth)
+		}
+	})
 
-	return columns
-}
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
 
-func (c *AuditListCommand) detailedAudits(audits map[string]*api.Audit) []string {
-	paths := make([]string, 0, len(audits))
-	for path := range audits {
-		paths = append(paths, path)
-	}
-	sort.Strings(paths)
+		client, closer := testVaultServerBad(t)
+		defer closer()
 
-	columns := []string{"Path | Type | Description | Replication | Options"}
-	for _, path := range paths {
-		audit := audits[path]
+		ui, cmd := testAuthDisableCommand(t)
+		cmd.client = client
 
-		opts := make([]string, 0, len(audit.Options))
-		for k, v := range audit.Options {
-			opts = append(opts, k+"="+v)
+		code := cmd.Run([]string{
+			"my-auth",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
 		}
 
-		replication := "replicated"
-		if audit.Local {
-			replication = "local"
+		expected := "Error disabling auth method at my-auth/: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
 		}
+	})
 
-		columns = append(columns, fmt.Sprintf("%s | %s | %s | %s | %s",
-			path,
-			audit.Type,
-			audit.Description,
-			replication,
-			strings.Join(opts, " "),
-		))
-	}
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
 
-	return columns
+		_, cmd := testAuthDisableCommand(t)
+		assertNoTabs(t, cmd)
+	})
 }
diff --git a/command/audit_list_test.go b/command/audit_list_test.go
index bc41c13d603c..912f410e8285 100644
--- a/command/audit_list_test.go
+++ b/command/audit_list_test.go
@@ -4,111 +4,328 @@
 package command
 
 import (
+	"flag"
+	"fmt"
+	"strconv"
 	"strings"
-	"testing"
+	"time"
 
+	"github.com/hashicorp/cli"
 	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
+	"github.com/posener/complete"
 )
 
-func testAuditListCommand(tb testing.TB) (*cli.MockUi, *AuditListCommand) {
-	tb.Helper()
+var (
+	_ cli.Command             = (*AuthEnableCommand)(nil)
+	_ cli.CommandAutocomplete = (*AuthEnableCommand)(nil)
+)
 
-	ui := cli.NewMockUi()
-	return ui, &AuditListCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
+type AuthEnableCommand struct {
+	*BaseCommand
+
+	flagDescription               string
+	flagPath                      string
+	flagDefaultLeaseTTL           time.Duration
+	flagMaxLeaseTTL               time.Duration
+	flagAuditNonHMACRequestKeys   []string
+	flagAuditNonHMACResponseKeys  []string
+	flagListingVisibility         string
+	flagPluginName                string
+	flagPassthroughRequestHeaders []string
+	flagAllowedResponseHeaders    []string
+	flagOptions                   map[string]string
+	flagLocal                     bool
+	flagSealWrap                  bool
+	flagExternalEntropyAccess     bool
+	flagTokenType                 string
+	flagVersion                   int
+	flagPluginVersion             string
 }
 
-func TestAuditListCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"too_many_args",
-			[]string{"foo"},
-			"Too many arguments",
-			1,
-		},
-		{
-			"lists",
-			nil,
-			"Path",
-			0,
-		},
-		{
-			"detailed",
-			[]string{"-detailed"},
-			"Options",
-			0,
-		},
+func (c *AuthEnableCommand) Synopsis() string {
+	return "Enables a new auth method"
+}
+
+func (c *AuthEnableCommand) Help() string {
+	helpText := `
+Usage: vault auth enable [options] TYPE
+
+  Enables a new auth method. An auth method is responsible for authenticating
+  users or machines and assigning them policies with which they can access
+  Vault.
+
+  Enable the userpass auth method at userpass/:
+
+      $ vault auth enable userpass
+
+  Enable the LDAP auth method at auth-prod/:
+
+      $ vault auth enable -path=auth-prod ldap
+
+  Enable a custom auth plugin (after it's registered in the plugin registry):
+
+      $ vault auth enable -path=my-auth -plugin-name=my-auth-plugin plugin
+
+      OR (preferred way):
+
+      $ vault auth enable -path=my-auth my-auth-plugin
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *AuthEnableCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP)
+
+	f := set.NewFlagSet("Command Options")
+
+	f.StringVar(&StringVar{
+		Name:       "description",
+		Target:     &c.flagDescription,
+		Completion: complete.PredictAnything,
+		Usage: "Human-friendly description for the purpose of this " +
+			"auth method.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "path",
+		Target:     &c.flagPath,
+		Default:    "", // The default is complex, so we have to manually document
+		Completion: complete.PredictAnything,
+		Usage: "Place where the auth method will be accessible. This must be " +
+			"unique across all auth methods. This defaults to the \"type\" of " +
+			"the auth method. The auth method will be accessible at " +
+			"\"/auth/<path>\".",
+	})
+
+	f.DurationVar(&DurationVar{
+		Name:       "default-lease-ttl",
+		Target:     &c.flagDefaultLeaseTTL,
+		Completion: complete.PredictAnything,
+		Usage: "The default lease TTL for this auth method. If unspecified, " +
+			"this defaults to the Vault server's globally configured default lease " +
+			"TTL.",
+	})
+
+	f.DurationVar(&DurationVar{
+		Name:       "max-lease-ttl",
+		Target:     &c.flagMaxLeaseTTL,
+		Completion: complete.PredictAnything,
+		Usage: "The maximum lease TTL for this auth method. If unspecified, " +
+			"this defaults to the Vault server's globally configured maximum lease " +
+			"TTL.",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNameAuditNonHMACRequestKeys,
+		Target: &c.flagAuditNonHMACRequestKeys,
+		Usage: "Key that will not be HMAC'd by audit devices in the request data object. " +
+			"To specify multiple values, specify this flag multiple times.",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNameAuditNonHMACResponseKeys,
+		Target: &c.flagAuditNonHMACResponseKeys,
+		Usage: "Key that will not be HMAC'd by audit devices in the response data object. " +
+			"To specify multiple values, specify this flag multiple times.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:   flagNameListingVisibility,
+		Target: &c.flagListingVisibility,
+		Usage:  "Determines the visibility of the mount in the UI-specific listing endpoint.",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNamePassthroughRequestHeaders,
+		Target: &c.flagPassthroughRequestHeaders,
+		Usage: "Request header value that will be sent to the plugin. To specify multiple " +
+			"values, specify this flag multiple times.",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNameAllowedResponseHeaders,
+		Target: &c.flagAllowedResponseHeaders,
+		Usage: "Response header value that plugins will be allowed to set. To specify multiple " +
+			"values, specify this flag multiple times.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "plugin-name",
+		Target:     &c.flagPluginName,
+		Completion: c.PredictVaultPlugins(api.PluginTypeCredential),
+		Usage: "Name of the auth method plugin. This plugin name must already " +
+			"exist in the Vault server's plugin catalog.",
+	})
+
+	f.StringMapVar(&StringMapVar{
+		Name:       "options",
+		Target:     &c.flagOptions,
+		Completion: complete.PredictAnything,
+		Usage: "Key-value pair provided as key=value for the mount options. " +
+			"This can be specified multiple times.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "local",
+		Target:  &c.flagLocal,
+		Default: false,
+		Usage: "Mark the auth method as local-only. Local auth methods are " +
+			"not replicated nor removed by replication.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "seal-wrap",
+		Target:  &c.flagSealWrap,
+		Default: false,
+		Usage:   "Enable seal wrapping of critical values in the secrets engine.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "external-entropy-access",
+		Target:  &c.flagExternalEntropyAccess,
+		Default: false,
+		Usage:   "Enable auth method to access Vault's external entropy source.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:   flagNameTokenType,
+		Target: &c.flagTokenType,
+		Usage:  "Sets a forced token type for the mount.",
+	})
+
+	f.IntVar(&IntVar{
+		Name:    "version",
+		Target:  &c.flagVersion,
+		Default: 0,
+		Usage:   "Select the version of the auth method to run. Not supported by all auth methods.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:    flagNamePluginVersion,
+		Target:  &c.flagPluginVersion,
+		Default: "",
+		Usage:   "Select the semantic version of the plugin to enable.",
+	})
+
+	return set
+}
+
+func (c *AuthEnableCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultAvailableAuths()
+}
+
+func (c *AuthEnableCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *AuthEnableCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
 	}
 
-	for _, tc := range cases {
-		tc := tc
-
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			client, closer := testVaultServer(t)
-			defer closer()
-
-			if err := client.Sys().EnableAuditWithOptions("file", &api.EnableAuditOptions{
-				Type: "file",
-				Options: map[string]string{
-					"file_path": "discard",
-				},
-			}); err != nil {
-				t.Fatal(err)
-			}
-
-			ui, cmd := testAuditListCommand(t)
-			cmd.client = client
-
-			code := cmd.Run(tc.args)
-			if code != tc.code {
-				t.Errorf("expected %d to be %d", code, tc.code)
-			}
-
-			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-			if !strings.Contains(combined, tc.out) {
-				t.Errorf("expected %q to contain %q", combined, tc.out)
-			}
-		})
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
 	}
 
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
 
-		client, closer := testVaultServerBad(t)
-		defer closer()
+	authType := strings.TrimSpace(args[0])
+	if authType == "plugin" {
+		authType = c.flagPluginName
+	}
 
-		ui, cmd := testAuditListCommand(t)
-		cmd.client = client
+	// If no path is specified, we default the path to the backend type
+	// or use the plugin name if it's a plugin backend
+	authPath := c.flagPath
+	if authPath == "" {
+		if authType == "plugin" {
+			authPath = c.flagPluginName
+		} else {
+			authPath = authType
+		}
+	}
+
+	// Append a trailing slash to indicate it's a path in output
+	authPath = ensureTrailingSlash(authPath)
 
-		code := cmd.Run([]string{})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
+	if c.flagVersion > 0 {
+		if c.flagOptions == nil {
+			c.flagOptions = make(map[string]string)
 		}
+		c.flagOptions["version"] = strconv.Itoa(c.flagVersion)
+	}
+
+	authOpts := &api.EnableAuthOptions{
+		Type:                  authType,
+		Description:           c.flagDescription,
+		Local:                 c.flagLocal,
+		SealWrap:              c.flagSealWrap,
+		ExternalEntropyAccess: c.flagExternalEntropyAccess,
+		Config: api.AuthConfigInput{
+			DefaultLeaseTTL: c.flagDefaultLeaseTTL.String(),
+			MaxLeaseTTL:     c.flagMaxLeaseTTL.String(),
+		},
+		Options: c.flagOptions,
+	}
 
-		expected := "Error listing audits: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
+	// Set these values only if they are provided in the CLI
+	f.Visit(func(fl *flag.Flag) {
+		if fl.Name == flagNameAuditNonHMACRequestKeys {
+			authOpts.Config.AuditNonHMACRequestKeys = c.flagAuditNonHMACRequestKeys
+		}
+
+		if fl.Name == flagNameAuditNonHMACResponseKeys {
+			authOpts.Config.AuditNonHMACResponseKeys = c.flagAuditNonHMACResponseKeys
+		}
+
+		if fl.Name == flagNameListingVisibility {
+			authOpts.Config.ListingVisibility = c.flagListingVisibility
 		}
-	})
 
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
+		if fl.Name == flagNamePassthroughRequestHeaders {
+			authOpts.Config.PassthroughRequestHeaders = c.flagPassthroughRequestHeaders
+		}
+
+		if fl.Name == flagNameAllowedResponseHeaders {
+			authOpts.Config.AllowedResponseHeaders = c.flagAllowedResponseHeaders
+		}
 
-		_, cmd := testAuditListCommand(t)
-		assertNoTabs(t, cmd)
+		if fl.Name == flagNameTokenType {
+			authOpts.Config.TokenType = c.flagTokenType
+		}
+
+		if fl.Name == flagNamePluginVersion {
+			authOpts.Config.PluginVersion = c.flagPluginVersion
+		}
 	})
+
+	if err := client.Sys().EnableAuthWithOptions(authPath, authOpts); err != nil {
+		c.UI.Error(fmt.Sprintf("Error enabling %s auth: %s", authType, err))
+		return 2
+	}
+
+	authThing := authType + " auth method"
+	if authType == "plugin" {
+		authThing = c.flagPluginName + " plugin"
+	}
+	if c.flagPluginVersion != "" {
+		authThing += " version " + c.flagPluginVersion
+	}
+	c.UI.Output(fmt.Sprintf("Success! Enabled %s at: %s", authThing, authPath))
+	return 0
 }
diff --git a/command/auth.go b/command/auth.go
index 76919ed2084f..0cdaf0fc79dd 100644
--- a/command/auth.go
+++ b/command/auth.go
@@ -4,49 +4,241 @@
 package command
 
 import (
+	"io/ioutil"
+	"sort"
 	"strings"
-
-	"github.com/mitchellh/cli"
+	"testing"
+
+	"github.com/go-test/deep"
+	"github.com/google/go-cmp/cmp"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/helper/builtinplugins"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/helper/strutil"
 )
 
-var _ cli.Command = (*AuthCommand)(nil)
-
-type AuthCommand struct {
-	*BaseCommand
-}
-
-func (c *AuthCommand) Synopsis() string {
-	return "Interact with auth methods"
-}
-
-func (c *AuthCommand) Help() string {
-	return strings.TrimSpace(`
-Usage: vault auth <subcommand> [options] [args]
-
-  This command groups subcommands for interacting with Vault's auth methods.
-  Users can list, enable, disable, and get help for different auth methods.
-
-  To authenticate to Vault as a user or machine, use the "vault login" command
-  instead. This command is for interacting with the auth methods themselves, not
-  authenticating to Vault.
-
-  List all enabled auth methods:
-
-      $ vault auth list
-
-  Enable a new auth method "userpass";
-
-      $ vault auth enable userpass
-
-  Get detailed help information about how to authenticate to a particular auth
-  method:
-
-      $ vault auth help github
+func testAuthEnableCommand(tb testing.TB) (*cli.MockUi, *AuthEnableCommand) {
+	tb.Helper()
 
-  Please see the individual subcommand help for detailed usage information.
-`)
+	ui := cli.NewMockUi()
+	return ui, &AuthEnableCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
 }
 
-func (c *AuthCommand) Run(args []string) int {
-	return cli.RunResultHelp
+func TestAuthEnableCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"not_enough_args",
+			nil,
+			"Not enough arguments",
+			1,
+		},
+		{
+			"too_many_args",
+			[]string{"foo", "bar"},
+			"Too many arguments",
+			1,
+		},
+		{
+			"not_a_valid_auth",
+			[]string{"nope_definitely_not_a_valid_mount_like_ever"},
+			"",
+			2,
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			client, closer := testVaultServer(t)
+			defer closer()
+
+			ui, cmd := testAuthEnableCommand(t)
+			cmd.client = client
+
+			code := cmd.Run(tc.args)
+			if code != tc.code {
+				t.Errorf("expected command return code to be %d, got %d", tc.code, code)
+			}
+
+			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+			if !strings.Contains(combined, tc.out) {
+				t.Errorf("expected %q in response\n got: %+v", tc.out, combined)
+			}
+		})
+	}
+
+	t.Run("integration", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		ui, cmd := testAuthEnableCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"-path", "auth_integration/",
+			"-description", "The best kind of test",
+			"-audit-non-hmac-request-keys", "foo,bar",
+			"-audit-non-hmac-response-keys", "foo,bar",
+			"-passthrough-request-headers", "authorization,authentication",
+			"-passthrough-request-headers", "www-authentication",
+			"-allowed-response-headers", "authorization",
+			"-listing-visibility", "unauth",
+			"userpass",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Success! Enabled userpass auth method at:"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+
+		auths, err := client.Sys().ListAuth()
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		authInfo, ok := auths["auth_integration/"]
+		if !ok {
+			t.Fatalf("expected mount to exist")
+		}
+		if exp := "userpass"; authInfo.Type != exp {
+			t.Errorf("expected %q to be %q", authInfo.Type, exp)
+		}
+		if exp := "The best kind of test"; authInfo.Description != exp {
+			t.Errorf("expected %q to be %q", authInfo.Description, exp)
+		}
+		if diff := deep.Equal([]string{"authorization,authentication", "www-authentication"}, authInfo.Config.PassthroughRequestHeaders); len(diff) > 0 {
+			t.Errorf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff)
+		}
+		if diff := deep.Equal([]string{"authorization"}, authInfo.Config.AllowedResponseHeaders); len(diff) > 0 {
+			t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff)
+		}
+		if diff := deep.Equal([]string{"foo,bar"}, authInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 {
+			t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff)
+		}
+		if diff := deep.Equal([]string{"foo,bar"}, authInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
+			t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testAuthEnableCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"userpass",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error enabling userpass auth: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testAuthEnableCommand(t)
+		assertNoTabs(t, cmd)
+	})
+
+	t.Run("mount_all", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerAllBackends(t)
+		defer closer()
+
+		files, err := ioutil.ReadDir("../builtin/credential")
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		var backends []string
+		for _, f := range files {
+			if f.IsDir() && f.Name() != "token" {
+				backends = append(backends, f.Name())
+			}
+		}
+
+		modFile, err := ioutil.ReadFile("../go.mod")
+		if err != nil {
+			t.Fatal(err)
+		}
+		modLines := strings.Split(string(modFile), "\n")
+		for _, p := range modLines {
+			splitLine := strings.Split(strings.TrimSpace(p), " ")
+			if len(splitLine) == 0 {
+				continue
+			}
+			potPlug := strings.TrimPrefix(splitLine[0], "github.com/hashicorp/")
+			if strings.HasPrefix(potPlug, "vault-plugin-auth-") {
+				backends = append(backends, strings.TrimPrefix(potPlug, "vault-plugin-auth-"))
+			}
+		}
+		// Since "pcf" plugin in the Vault registry is also pointed at the "vault-plugin-auth-cf"
+		// repository, we need to manually append it here so it'll tie out with our expected number
+		// of credential backends.
+		backends = append(backends, "pcf")
+
+		regkeys := strutil.StrListDelete(builtinplugins.Registry.Keys(consts.PluginTypeCredential), "oidc")
+		sort.Strings(regkeys)
+		sort.Strings(backends)
+		if d := cmp.Diff(regkeys, backends); len(d) > 0 {
+			t.Fatalf("found credential registry mismatch: %v", d)
+		}
+
+		for _, b := range backends {
+			var expectedResult int = 0
+
+			// Not a builtin
+			if b == "token" {
+				continue
+			}
+
+			ui, cmd := testAuthEnableCommand(t)
+			cmd.client = client
+
+			actualResult := cmd.Run([]string{
+				b,
+			})
+
+			// Need to handle deprecated builtins specially
+			status, _ := builtinplugins.Registry.DeprecationStatus(b, consts.PluginTypeCredential)
+			if status == consts.PendingRemoval || status == consts.Removed {
+				expectedResult = 2
+			}
+
+			if actualResult != expectedResult {
+				t.Errorf("type: %s - got: %d, expected: %d - %s", b, actualResult, expectedResult, ui.OutputWriter.String()+ui.ErrorWriter.String())
+			}
+		}
+	})
 }
diff --git a/command/auth_disable.go b/command/auth_disable.go
index 775f7fabc7fd..68365e737c3b 100644
--- a/command/auth_disable.go
+++ b/command/auth_disable.go
@@ -7,56 +7,70 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
 	"github.com/posener/complete"
 )
 
 var (
-	_ cli.Command             = (*AuthDisableCommand)(nil)
-	_ cli.CommandAutocomplete = (*AuthDisableCommand)(nil)
+	_ cli.Command             = (*AuthHelpCommand)(nil)
+	_ cli.CommandAutocomplete = (*AuthHelpCommand)(nil)
 )
 
-type AuthDisableCommand struct {
+type AuthHelpCommand struct {
 	*BaseCommand
+
+	Handlers map[string]LoginHandler
 }
 
-func (c *AuthDisableCommand) Synopsis() string {
-	return "Disables an auth method"
+func (c *AuthHelpCommand) Synopsis() string {
+	return "Prints usage for an auth method"
 }
 
-func (c *AuthDisableCommand) Help() string {
+func (c *AuthHelpCommand) Help() string {
 	helpText := `
-Usage: vault auth disable [options] PATH
+Usage: vault auth help [options] TYPE | PATH
+
+  Prints usage and help for an auth method.
+
+    - If given a TYPE, this command prints the default help for the
+      auth method of that type.
+
+    - If given a PATH, this command prints the help output for the
+      auth method enabled at that path. This path must already
+      exist.
 
-  Disables an existing auth method at the given PATH. The argument corresponds
-  to the PATH of the mount, not the TYPE!. Once the auth method is disabled its
-  path can no longer be used to authenticate.
+  Get usage instructions for the userpass auth method:
 
-  All access tokens generated via the disabled auth method are immediately
-  revoked. This command will block until all tokens are revoked.
+      $ vault auth help userpass
 
-  Disable the auth method at userpass/:
+  Print usage for the auth method enabled at my-method/:
 
-      $ vault auth disable userpass/
+      $ vault auth help my-method/
+
+  Each auth method produces its own help output.
 
 ` + c.Flags().Help()
 
 	return strings.TrimSpace(helpText)
 }
 
-func (c *AuthDisableCommand) Flags() *FlagSets {
+func (c *AuthHelpCommand) Flags() *FlagSets {
 	return c.flagSet(FlagSetHTTP)
 }
 
-func (c *AuthDisableCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultAuths()
+func (c *AuthHelpCommand) AutocompleteArgs() complete.Predictor {
+	handlers := make([]string, 0, len(c.Handlers))
+	for k := range c.Handlers {
+		handlers = append(handlers, k)
+	}
+	return complete.PredictSet(handlers...)
 }
 
-func (c *AuthDisableCommand) AutocompleteFlags() complete.Flags {
+func (c *AuthHelpCommand) AutocompleteFlags() complete.Flags {
 	return c.Flags().Completions()
 }
 
-func (c *AuthDisableCommand) Run(args []string) int {
+func (c *AuthHelpCommand) Run(args []string) int {
 	f := c.Flags()
 
 	if err := f.Parse(args); err != nil {
@@ -74,19 +88,41 @@ func (c *AuthDisableCommand) Run(args []string) int {
 		return 1
 	}
 
-	path := ensureTrailingSlash(sanitizePath(args[0]))
-
 	client, err := c.Client()
 	if err != nil {
 		c.UI.Error(err.Error())
 		return 2
 	}
 
-	if err := client.Sys().DisableAuth(path); err != nil {
-		c.UI.Error(fmt.Sprintf("Error disabling auth method at %s: %s", path, err))
-		return 2
+	// Start with the assumption that we have an auth type, not a path.
+	authType := strings.TrimSpace(args[0])
+
+	authHandler, ok := c.Handlers[authType]
+	if !ok {
+		// There was no auth type by that name, see if it's a mount
+		auths, err := client.Sys().ListAuth()
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error listing auth methods: %s", err))
+			return 2
+		}
+
+		authPath := ensureTrailingSlash(sanitizePath(args[0]))
+		auth, ok := auths[authPath]
+		if !ok {
+			c.UI.Warn(fmt.Sprintf(
+				"No auth method available on the server at %q", authPath))
+			return 1
+		}
+
+		authHandler, ok = c.Handlers[auth.Type]
+		if !ok {
+			c.UI.Warn(wrapAtLength(fmt.Sprintf(
+				"No method-specific CLI handler available for auth method %q",
+				authType)))
+			return 2
+		}
 	}
 
-	c.UI.Output(fmt.Sprintf("Success! Disabled the auth method (if it existed) at: %s", path))
+	c.UI.Output(authHandler.Help())
 	return 0
 }
diff --git a/command/auth_disable_test.go b/command/auth_disable_test.go
index 1cf429876070..e437f29199e3 100644
--- a/command/auth_disable_test.go
+++ b/command/auth_disable_test.go
@@ -7,21 +7,28 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
+
+	credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
 )
 
-func testAuthDisableCommand(tb testing.TB) (*cli.MockUi, *AuthDisableCommand) {
+func testAuthHelpCommand(tb testing.TB) (*cli.MockUi, *AuthHelpCommand) {
 	tb.Helper()
 
 	ui := cli.NewMockUi()
-	return ui, &AuthDisableCommand{
+	return ui, &AuthHelpCommand{
 		BaseCommand: &BaseCommand{
 			UI: ui,
 		},
+		Handlers: map[string]LoginHandler{
+			"userpass": &credUserpass.CLIHandler{
+				DefaultMount: "userpass",
+			},
+		},
 	}
 }
 
-func TestAuthDisableCommand_Run(t *testing.T) {
+func TestAuthHelpCommand_Run(t *testing.T) {
 	t.Parallel()
 
 	cases := []struct {
@@ -30,81 +37,93 @@ func TestAuthDisableCommand_Run(t *testing.T) {
 		out  string
 		code int
 	}{
-		{
-			"not_enough_args",
-			nil,
-			"Not enough arguments",
-			1,
-		},
 		{
 			"too_many_args",
 			[]string{"foo", "bar"},
 			"Too many arguments",
 			1,
 		},
+		{
+			"not_enough_args",
+			nil,
+			"Not enough arguments",
+			1,
+		},
 	}
 
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
+	for _, tc := range cases {
+		tc := tc
 
-		for _, tc := range cases {
-			tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
 
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
+			client, closer := testVaultServer(t)
+			defer closer()
 
-				client, closer := testVaultServer(t)
-				defer closer()
+			ui, cmd := testAuthHelpCommand(t)
+			cmd.client = client
 
-				ui, cmd := testAuthDisableCommand(t)
-				cmd.client = client
+			code := cmd.Run(tc.args)
+			if code != tc.code {
+				t.Errorf("expected %d to be %d", code, tc.code)
+			}
 
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
-	})
+			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+			if !strings.Contains(combined, tc.out) {
+				t.Errorf("expected %q to contain %q", combined, tc.out)
+			}
+		})
+	}
 
-	t.Run("integration", func(t *testing.T) {
+	t.Run("path", func(t *testing.T) {
 		t.Parallel()
 
 		client, closer := testVaultServer(t)
 		defer closer()
 
-		if err := client.Sys().EnableAuth("my-auth", "userpass", ""); err != nil {
+		if err := client.Sys().EnableAuth("foo", "userpass", ""); err != nil {
 			t.Fatal(err)
 		}
 
-		ui, cmd := testAuthDisableCommand(t)
+		ui, cmd := testAuthHelpCommand(t)
 		cmd.client = client
 
 		code := cmd.Run([]string{
-			"my-auth",
+			"foo/",
 		})
 		if exp := 0; code != exp {
 			t.Errorf("expected %d to be %d", code, exp)
 		}
 
-		expected := "Success! Disabled the auth method"
+		expected := "Usage: vault login -method=userpass"
 		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
 		if !strings.Contains(combined, expected) {
 			t.Errorf("expected %q to contain %q", combined, expected)
 		}
+	})
 
-		auths, err := client.Sys().ListAuth()
-		if err != nil {
-			t.Fatal(err)
+	t.Run("type", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		// No mounted auth methods
+
+		ui, cmd := testAuthHelpCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"userpass",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
 		}
 
-		if auth, ok := auths["my-auth/"]; ok {
-			t.Errorf("expected auth to be disabled: %#v", auth)
+		expected := "Usage: vault login -method=userpass"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
 		}
 	})
 
@@ -114,17 +133,17 @@ func TestAuthDisableCommand_Run(t *testing.T) {
 		client, closer := testVaultServerBad(t)
 		defer closer()
 
-		ui, cmd := testAuthDisableCommand(t)
+		ui, cmd := testAuthHelpCommand(t)
 		cmd.client = client
 
 		code := cmd.Run([]string{
-			"my-auth",
+			"sys/mounts",
 		})
 		if exp := 2; code != exp {
 			t.Errorf("expected %d to be %d", code, exp)
 		}
 
-		expected := "Error disabling auth method at my-auth/: "
+		expected := "Error listing auth methods: "
 		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
 		if !strings.Contains(combined, expected) {
 			t.Errorf("expected %q to contain %q", combined, expected)
@@ -134,7 +153,7 @@ func TestAuthDisableCommand_Run(t *testing.T) {
 	t.Run("no_tabs", func(t *testing.T) {
 		t.Parallel()
 
-		_, cmd := testAuthDisableCommand(t)
+		_, cmd := testAuthHelpCommand(t)
 		assertNoTabs(t, cmd)
 	})
 }
diff --git a/command/auth_enable.go b/command/auth_enable.go
index cd47d2f35f92..d095156e155b 100644
--- a/command/auth_enable.go
+++ b/command/auth_enable.go
@@ -4,223 +4,78 @@
 package command
 
 import (
-	"flag"
 	"fmt"
+	"sort"
 	"strconv"
 	"strings"
-	"time"
 
+	"github.com/hashicorp/cli"
 	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
 	"github.com/posener/complete"
 )
 
 var (
-	_ cli.Command             = (*AuthEnableCommand)(nil)
-	_ cli.CommandAutocomplete = (*AuthEnableCommand)(nil)
+	_ cli.Command             = (*AuthListCommand)(nil)
+	_ cli.CommandAutocomplete = (*AuthListCommand)(nil)
 )
 
-type AuthEnableCommand struct {
+type AuthListCommand struct {
 	*BaseCommand
 
-	flagDescription               string
-	flagPath                      string
-	flagDefaultLeaseTTL           time.Duration
-	flagMaxLeaseTTL               time.Duration
-	flagAuditNonHMACRequestKeys   []string
-	flagAuditNonHMACResponseKeys  []string
-	flagListingVisibility         string
-	flagPluginName                string
-	flagPassthroughRequestHeaders []string
-	flagAllowedResponseHeaders    []string
-	flagOptions                   map[string]string
-	flagLocal                     bool
-	flagSealWrap                  bool
-	flagExternalEntropyAccess     bool
-	flagTokenType                 string
-	flagVersion                   int
-	flagPluginVersion             string
+	flagDetailed bool
 }
 
-func (c *AuthEnableCommand) Synopsis() string {
-	return "Enables a new auth method"
+func (c *AuthListCommand) Synopsis() string {
+	return "Lists enabled auth methods"
 }
 
-func (c *AuthEnableCommand) Help() string {
+func (c *AuthListCommand) Help() string {
 	helpText := `
-Usage: vault auth enable [options] TYPE
+Usage: vault auth list [options]
 
-  Enables a new auth method. An auth method is responsible for authenticating
-  users or machines and assigning them policies with which they can access
-  Vault.
+  Lists the enabled auth methods on the Vault server. This command also outputs
+  information about the method including configuration and human-friendly
+  descriptions. A TTL of "system" indicates that the system default is in use.
 
-  Enable the userpass auth method at userpass/:
+  List all enabled auth methods:
 
-      $ vault auth enable userpass
+      $ vault auth list
 
-  Enable the LDAP auth method at auth-prod/:
+  List all enabled auth methods with detailed output:
 
-      $ vault auth enable -path=auth-prod ldap
-
-  Enable a custom auth plugin (after it's registered in the plugin registry):
-
-      $ vault auth enable -path=my-auth -plugin-name=my-auth-plugin plugin
-
-      OR (preferred way):
-
-      $ vault auth enable -path=my-auth my-auth-plugin
+      $ vault auth list -detailed
 
 ` + c.Flags().Help()
 
 	return strings.TrimSpace(helpText)
 }
 
-func (c *AuthEnableCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP)
+func (c *AuthListCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
 
 	f := set.NewFlagSet("Command Options")
 
-	f.StringVar(&StringVar{
-		Name:       "description",
-		Target:     &c.flagDescription,
-		Completion: complete.PredictAnything,
-		Usage: "Human-friendly description for the purpose of this " +
-			"auth method.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "path",
-		Target:     &c.flagPath,
-		Default:    "", // The default is complex, so we have to manually document
-		Completion: complete.PredictAnything,
-		Usage: "Place where the auth method will be accessible. This must be " +
-			"unique across all auth methods. This defaults to the \"type\" of " +
-			"the auth method. The auth method will be accessible at " +
-			"\"/auth/<path>\".",
-	})
-
-	f.DurationVar(&DurationVar{
-		Name:       "default-lease-ttl",
-		Target:     &c.flagDefaultLeaseTTL,
-		Completion: complete.PredictAnything,
-		Usage: "The default lease TTL for this auth method. If unspecified, " +
-			"this defaults to the Vault server's globally configured default lease " +
-			"TTL.",
-	})
-
-	f.DurationVar(&DurationVar{
-		Name:       "max-lease-ttl",
-		Target:     &c.flagMaxLeaseTTL,
-		Completion: complete.PredictAnything,
-		Usage: "The maximum lease TTL for this auth method. If unspecified, " +
-			"this defaults to the Vault server's globally configured maximum lease " +
-			"TTL.",
-	})
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:   flagNameAuditNonHMACRequestKeys,
-		Target: &c.flagAuditNonHMACRequestKeys,
-		Usage: "Key that will not be HMAC'd by audit devices in the request data object. " +
-			"To specify multiple values, specify this flag multiple times.",
-	})
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:   flagNameAuditNonHMACResponseKeys,
-		Target: &c.flagAuditNonHMACResponseKeys,
-		Usage: "Key that will not be HMAC'd by audit devices in the response data object. " +
-			"To specify multiple values, specify this flag multiple times.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:   flagNameListingVisibility,
-		Target: &c.flagListingVisibility,
-		Usage:  "Determines the visibility of the mount in the UI-specific listing endpoint.",
-	})
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:   flagNamePassthroughRequestHeaders,
-		Target: &c.flagPassthroughRequestHeaders,
-		Usage: "Request header value that will be sent to the plugin. To specify multiple " +
-			"values, specify this flag multiple times.",
-	})
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:   flagNameAllowedResponseHeaders,
-		Target: &c.flagAllowedResponseHeaders,
-		Usage: "Response header value that plugins will be allowed to set. To specify multiple " +
-			"values, specify this flag multiple times.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "plugin-name",
-		Target:     &c.flagPluginName,
-		Completion: c.PredictVaultPlugins(api.PluginTypeCredential),
-		Usage: "Name of the auth method plugin. This plugin name must already " +
-			"exist in the Vault server's plugin catalog.",
-	})
-
-	f.StringMapVar(&StringMapVar{
-		Name:       "options",
-		Target:     &c.flagOptions,
-		Completion: complete.PredictAnything,
-		Usage: "Key-value pair provided as key=value for the mount options. " +
-			"This can be specified multiple times.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "local",
-		Target:  &c.flagLocal,
-		Default: false,
-		Usage: "Mark the auth method as local-only. Local auth methods are " +
-			"not replicated nor removed by replication.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "seal-wrap",
-		Target:  &c.flagSealWrap,
-		Default: false,
-		Usage:   "Enable seal wrapping of critical values in the secrets engine.",
-	})
-
 	f.BoolVar(&BoolVar{
-		Name:    "external-entropy-access",
-		Target:  &c.flagExternalEntropyAccess,
+		Name:    "detailed",
+		Target:  &c.flagDetailed,
 		Default: false,
-		Usage:   "Enable auth method to access Vault's external entropy source.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:   flagNameTokenType,
-		Target: &c.flagTokenType,
-		Usage:  "Sets a forced token type for the mount.",
-	})
-
-	f.IntVar(&IntVar{
-		Name:    "version",
-		Target:  &c.flagVersion,
-		Default: 0,
-		Usage:   "Select the version of the auth method to run. Not supported by all auth methods.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:    flagNamePluginVersion,
-		Target:  &c.flagPluginVersion,
-		Default: "",
-		Usage:   "Select the semantic version of the plugin to enable.",
+		Usage: "Print detailed information such as configuration and replication " +
+			"status about each auth method. This option is only applicable to " +
+			"table-formatted output.",
 	})
 
 	return set
 }
 
-func (c *AuthEnableCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultAvailableAuths()
+func (c *AuthListCommand) AutocompleteArgs() complete.Predictor {
+	return nil
 }
 
-func (c *AuthEnableCommand) AutocompleteFlags() complete.Flags {
+func (c *AuthListCommand) AutocompleteFlags() complete.Flags {
 	return c.Flags().Completions()
 }
 
-func (c *AuthEnableCommand) Run(args []string) int {
+func (c *AuthListCommand) Run(args []string) int {
 	f := c.Flags()
 
 	if err := f.Parse(args); err != nil {
@@ -229,12 +84,8 @@ func (c *AuthEnableCommand) Run(args []string) int {
 	}
 
 	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+	if len(args) > 0 {
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(args)))
 		return 1
 	}
 
@@ -244,88 +95,95 @@ func (c *AuthEnableCommand) Run(args []string) int {
 		return 2
 	}
 
-	authType := strings.TrimSpace(args[0])
-	if authType == "plugin" {
-		authType = c.flagPluginName
+	auths, err := client.Sys().ListAuth()
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error listing enabled authentications: %s", err))
+		return 2
 	}
 
-	// If no path is specified, we default the path to the backend type
-	// or use the plugin name if it's a plugin backend
-	authPath := c.flagPath
-	if authPath == "" {
-		if authType == "plugin" {
-			authPath = c.flagPluginName
-		} else {
-			authPath = authType
+	switch Format(c.UI) {
+	case "table":
+		if c.flagDetailed {
+			c.UI.Output(tableOutput(c.detailedMounts(auths), nil))
+			return 0
 		}
+		c.UI.Output(tableOutput(c.simpleMounts(auths), nil))
+		return 0
+	default:
+		return OutputData(c.UI, auths)
 	}
+}
 
-	// Append a trailing slash to indicate it's a path in output
-	authPath = ensureTrailingSlash(authPath)
-
-	if c.flagVersion > 0 {
-		if c.flagOptions == nil {
-			c.flagOptions = make(map[string]string)
-		}
-		c.flagOptions["version"] = strconv.Itoa(c.flagVersion)
+func (c *AuthListCommand) simpleMounts(auths map[string]*api.AuthMount) []string {
+	paths := make([]string, 0, len(auths))
+	for path := range auths {
+		paths = append(paths, path)
 	}
+	sort.Strings(paths)
 
-	authOpts := &api.EnableAuthOptions{
-		Type:                  authType,
-		Description:           c.flagDescription,
-		Local:                 c.flagLocal,
-		SealWrap:              c.flagSealWrap,
-		ExternalEntropyAccess: c.flagExternalEntropyAccess,
-		Config: api.AuthConfigInput{
-			DefaultLeaseTTL: c.flagDefaultLeaseTTL.String(),
-			MaxLeaseTTL:     c.flagMaxLeaseTTL.String(),
-		},
-		Options: c.flagOptions,
+	out := []string{"Path | Type | Accessor | Description | Version"}
+	for _, path := range paths {
+		mount := auths[path]
+		out = append(out, fmt.Sprintf("%s | %s | %s | %s | %s", path, mount.Type, mount.Accessor, mount.Description, mount.PluginVersion))
 	}
 
-	// Set these values only if they are provided in the CLI
-	f.Visit(func(fl *flag.Flag) {
-		if fl.Name == flagNameAuditNonHMACRequestKeys {
-			authOpts.Config.AuditNonHMACRequestKeys = c.flagAuditNonHMACRequestKeys
-		}
-
-		if fl.Name == flagNameAuditNonHMACResponseKeys {
-			authOpts.Config.AuditNonHMACResponseKeys = c.flagAuditNonHMACResponseKeys
-		}
+	return out
+}
 
-		if fl.Name == flagNameListingVisibility {
-			authOpts.Config.ListingVisibility = c.flagListingVisibility
+func (c *AuthListCommand) detailedMounts(auths map[string]*api.AuthMount) []string {
+	paths := make([]string, 0, len(auths))
+	for path := range auths {
+		paths = append(paths, path)
+	}
+	sort.Strings(paths)
+
+	calcTTL := func(typ string, ttl int) string {
+		switch {
+		case typ == "system", typ == "cubbyhole":
+			return ""
+		case ttl != 0:
+			return strconv.Itoa(ttl)
+		default:
+			return "system"
 		}
+	}
 
-		if fl.Name == flagNamePassthroughRequestHeaders {
-			authOpts.Config.PassthroughRequestHeaders = c.flagPassthroughRequestHeaders
-		}
+	out := []string{"Path | Plugin | Accessor | Default TTL | Max TTL | Token Type | Replication | Seal Wrap | External Entropy Access | Options | Description | UUID | Version | Running Version | Running SHA256 | Deprecation Status"}
+	for _, path := range paths {
+		mount := auths[path]
 
-		if fl.Name == flagNameAllowedResponseHeaders {
-			authOpts.Config.AllowedResponseHeaders = c.flagAllowedResponseHeaders
-		}
+		defaultTTL := calcTTL(mount.Type, mount.Config.DefaultLeaseTTL)
+		maxTTL := calcTTL(mount.Type, mount.Config.MaxLeaseTTL)
 
-		if fl.Name == flagNameTokenType {
-			authOpts.Config.TokenType = c.flagTokenType
+		replication := "replicated"
+		if mount.Local {
+			replication = "local"
 		}
 
-		if fl.Name == flagNamePluginVersion {
-			authOpts.Config.PluginVersion = c.flagPluginVersion
+		pluginName := mount.Type
+		if pluginName == "plugin" {
+			pluginName = mount.Config.PluginName
 		}
-	})
 
-	if err := client.Sys().EnableAuthWithOptions(authPath, authOpts); err != nil {
-		c.UI.Error(fmt.Sprintf("Error enabling %s auth: %s", authType, err))
-		return 2
+		out = append(out, fmt.Sprintf("%s | %s | %s | %s | %s | %s | %s | %t | %v | %s | %s | %s | %s | %s | %s | %s",
+			path,
+			pluginName,
+			mount.Accessor,
+			defaultTTL,
+			maxTTL,
+			mount.Config.TokenType,
+			replication,
+			mount.SealWrap,
+			mount.ExternalEntropyAccess,
+			mount.Options,
+			mount.Description,
+			mount.UUID,
+			mount.PluginVersion,
+			mount.RunningVersion,
+			mount.RunningSha256,
+			mount.DeprecationStatus,
+		))
 	}
 
-	authThing := authType + " auth method"
-	if authType == "plugin" {
-		authThing = c.flagPluginName + " plugin"
-	}
-	if c.flagPluginVersion != "" {
-		authThing += " version " + c.flagPluginVersion
-	}
-	c.UI.Output(fmt.Sprintf("Success! Enabled %s at: %s", authThing, authPath))
-	return 0
+	return out
 }
diff --git a/command/auth_enable_test.go b/command/auth_enable_test.go
index 93c685819e44..087010a8ce35 100644
--- a/command/auth_enable_test.go
+++ b/command/auth_enable_test.go
@@ -4,31 +4,24 @@
 package command
 
 import (
-	"io/ioutil"
-	"sort"
 	"strings"
 	"testing"
 
-	"github.com/go-test/deep"
-	"github.com/google/go-cmp/cmp"
-	"github.com/hashicorp/vault/helper/builtinplugins"
-	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/hashicorp/vault/sdk/helper/strutil"
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
 )
 
-func testAuthEnableCommand(tb testing.TB) (*cli.MockUi, *AuthEnableCommand) {
+func testAuthListCommand(tb testing.TB) (*cli.MockUi, *AuthListCommand) {
 	tb.Helper()
 
 	ui := cli.NewMockUi()
-	return ui, &AuthEnableCommand{
+	return ui, &AuthListCommand{
 		BaseCommand: &BaseCommand{
 			UI: ui,
 		},
 	}
 }
 
-func TestAuthEnableCommand_Run(t *testing.T) {
+func TestAuthListCommand_Run(t *testing.T) {
 	t.Parallel()
 
 	cases := []struct {
@@ -37,106 +30,51 @@ func TestAuthEnableCommand_Run(t *testing.T) {
 		out  string
 		code int
 	}{
-		{
-			"not_enough_args",
-			nil,
-			"Not enough arguments",
-			1,
-		},
 		{
 			"too_many_args",
-			[]string{"foo", "bar"},
+			[]string{"foo"},
 			"Too many arguments",
 			1,
 		},
 		{
-			"not_a_valid_auth",
-			[]string{"nope_definitely_not_a_valid_mount_like_ever"},
-			"",
-			2,
+			"lists",
+			nil,
+			"Path",
+			0,
+		},
+		{
+			"detailed",
+			[]string{"-detailed"},
+			"Default TTL",
+			0,
 		},
 	}
 
-	for _, tc := range cases {
-		tc := tc
-
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			client, closer := testVaultServer(t)
-			defer closer()
-
-			ui, cmd := testAuthEnableCommand(t)
-			cmd.client = client
-
-			code := cmd.Run(tc.args)
-			if code != tc.code {
-				t.Errorf("expected command return code to be %d, got %d", tc.code, code)
-			}
-
-			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-			if !strings.Contains(combined, tc.out) {
-				t.Errorf("expected %q in response\n got: %+v", tc.out, combined)
-			}
-		})
-	}
-
-	t.Run("integration", func(t *testing.T) {
+	t.Run("validations", func(t *testing.T) {
 		t.Parallel()
 
-		client, closer := testVaultServer(t)
-		defer closer()
+		for _, tc := range cases {
+			tc := tc
 
-		ui, cmd := testAuthEnableCommand(t)
-		cmd.client = client
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
 
-		code := cmd.Run([]string{
-			"-path", "auth_integration/",
-			"-description", "The best kind of test",
-			"-audit-non-hmac-request-keys", "foo,bar",
-			"-audit-non-hmac-response-keys", "foo,bar",
-			"-passthrough-request-headers", "authorization,authentication",
-			"-passthrough-request-headers", "www-authentication",
-			"-allowed-response-headers", "authorization",
-			"-listing-visibility", "unauth",
-			"userpass",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
+				client, closer := testVaultServer(t)
+				defer closer()
 
-		expected := "Success! Enabled userpass auth method at:"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
+				ui, cmd := testAuthListCommand(t)
+				cmd.client = client
 
-		auths, err := client.Sys().ListAuth()
-		if err != nil {
-			t.Fatal(err)
-		}
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
 
-		authInfo, ok := auths["auth_integration/"]
-		if !ok {
-			t.Fatalf("expected mount to exist")
-		}
-		if exp := "userpass"; authInfo.Type != exp {
-			t.Errorf("expected %q to be %q", authInfo.Type, exp)
-		}
-		if exp := "The best kind of test"; authInfo.Description != exp {
-			t.Errorf("expected %q to be %q", authInfo.Description, exp)
-		}
-		if diff := deep.Equal([]string{"authorization,authentication", "www-authentication"}, authInfo.Config.PassthroughRequestHeaders); len(diff) > 0 {
-			t.Errorf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff)
-		}
-		if diff := deep.Equal([]string{"authorization"}, authInfo.Config.AllowedResponseHeaders); len(diff) > 0 {
-			t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff)
-		}
-		if diff := deep.Equal([]string{"foo,bar"}, authInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 {
-			t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff)
-		}
-		if diff := deep.Equal([]string{"foo,bar"}, authInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
-			t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
 		}
 	})
 
@@ -146,17 +84,15 @@ func TestAuthEnableCommand_Run(t *testing.T) {
 		client, closer := testVaultServerBad(t)
 		defer closer()
 
-		ui, cmd := testAuthEnableCommand(t)
+		ui, cmd := testAuthListCommand(t)
 		cmd.client = client
 
-		code := cmd.Run([]string{
-			"userpass",
-		})
+		code := cmd.Run([]string{})
 		if exp := 2; code != exp {
 			t.Errorf("expected %d to be %d", code, exp)
 		}
 
-		expected := "Error enabling userpass auth: "
+		expected := "Error listing enabled authentications: "
 		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
 		if !strings.Contains(combined, expected) {
 			t.Errorf("expected %q to contain %q", combined, expected)
@@ -166,79 +102,7 @@ func TestAuthEnableCommand_Run(t *testing.T) {
 	t.Run("no_tabs", func(t *testing.T) {
 		t.Parallel()
 
-		_, cmd := testAuthEnableCommand(t)
+		_, cmd := testAuthListCommand(t)
 		assertNoTabs(t, cmd)
 	})
-
-	t.Run("mount_all", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerAllBackends(t)
-		defer closer()
-
-		files, err := ioutil.ReadDir("../builtin/credential")
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		var backends []string
-		for _, f := range files {
-			if f.IsDir() && f.Name() != "token" {
-				backends = append(backends, f.Name())
-			}
-		}
-
-		modFile, err := ioutil.ReadFile("../go.mod")
-		if err != nil {
-			t.Fatal(err)
-		}
-		modLines := strings.Split(string(modFile), "\n")
-		for _, p := range modLines {
-			splitLine := strings.Split(strings.TrimSpace(p), " ")
-			if len(splitLine) == 0 {
-				continue
-			}
-			potPlug := strings.TrimPrefix(splitLine[0], "github.com/hashicorp/")
-			if strings.HasPrefix(potPlug, "vault-plugin-auth-") {
-				backends = append(backends, strings.TrimPrefix(potPlug, "vault-plugin-auth-"))
-			}
-		}
-		// Since "pcf" plugin in the Vault registry is also pointed at the "vault-plugin-auth-cf"
-		// repository, we need to manually append it here so it'll tie out with our expected number
-		// of credential backends.
-		backends = append(backends, "pcf")
-
-		regkeys := strutil.StrListDelete(builtinplugins.Registry.Keys(consts.PluginTypeCredential), "oidc")
-		sort.Strings(regkeys)
-		sort.Strings(backends)
-		if d := cmp.Diff(regkeys, backends); len(d) > 0 {
-			t.Fatalf("found credential registry mismatch: %v", d)
-		}
-
-		for _, b := range backends {
-			var expectedResult int = 0
-
-			// Not a builtin
-			if b == "token" {
-				continue
-			}
-
-			ui, cmd := testAuthEnableCommand(t)
-			cmd.client = client
-
-			actualResult := cmd.Run([]string{
-				b,
-			})
-
-			// Need to handle deprecated builtins specially
-			status, _ := builtinplugins.Registry.DeprecationStatus(b, consts.PluginTypeCredential)
-			if status == consts.PendingRemoval || status == consts.Removed {
-				expectedResult = 2
-			}
-
-			if actualResult != expectedResult {
-				t.Errorf("type: %s - got: %d, expected: %d - %s", b, actualResult, expectedResult, ui.OutputWriter.String()+ui.ErrorWriter.String())
-			}
-		}
-	})
 }
diff --git a/command/auth_help.go b/command/auth_help.go
index 5e971ebbac41..3ede5fc49fc9 100644
--- a/command/auth_help.go
+++ b/command/auth_help.go
@@ -6,71 +6,67 @@ package command
 import (
 	"fmt"
 	"strings"
+	"time"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
 	"github.com/posener/complete"
 )
 
 var (
-	_ cli.Command             = (*AuthHelpCommand)(nil)
-	_ cli.CommandAutocomplete = (*AuthHelpCommand)(nil)
+	_ cli.Command             = (*AuthMoveCommand)(nil)
+	_ cli.CommandAutocomplete = (*AuthMoveCommand)(nil)
 )
 
-type AuthHelpCommand struct {
+type AuthMoveCommand struct {
 	*BaseCommand
-
-	Handlers map[string]LoginHandler
 }
 
-func (c *AuthHelpCommand) Synopsis() string {
-	return "Prints usage for an auth method"
+func (c *AuthMoveCommand) Synopsis() string {
+	return "Move an auth method to a new path"
 }
 
-func (c *AuthHelpCommand) Help() string {
+func (c *AuthMoveCommand) Help() string {
 	helpText := `
-Usage: vault auth help [options] TYPE | PATH
-
-  Prints usage and help for an auth method.
+Usage: vault auth move [options] SOURCE DESTINATION
 
-    - If given a TYPE, this command prints the default help for the
-      auth method of that type.
+  Moves an existing auth method to a new path. Any leases from the old
+  auth method are revoked, but all configuration associated with the method
+  is preserved. It initiates the migration and intermittently polls its status,
+  exiting if a final state is reached.
 
-    - If given a PATH, this command prints the help output for the
-      auth method enabled at that path. This path must already
-      exist.
+  This command works within or across namespaces, both source and destination paths
+  can be prefixed with a namespace heirarchy relative to the current namespace.
 
-  Get usage instructions for the userpass auth method:
+  WARNING! Moving an auth method will revoke any leases from the
+  old method.
 
-      $ vault auth help userpass
+  Move the auth method at approle/ to generic/:
 
-  Print usage for the auth method enabled at my-method/:
+      $ vault auth move approle/ generic/
 
-      $ vault auth help my-method/
+  Move the auth method at ns1/approle/ across namespaces to ns2/generic/, 
+  where ns1 and ns2 are child namespaces of the current namespace:
 
-  Each auth method produces its own help output.
+  $ vault auth move ns1/approle/ ns2/generic/
 
 ` + c.Flags().Help()
 
 	return strings.TrimSpace(helpText)
 }
 
-func (c *AuthHelpCommand) Flags() *FlagSets {
+func (c *AuthMoveCommand) Flags() *FlagSets {
 	return c.flagSet(FlagSetHTTP)
 }
 
-func (c *AuthHelpCommand) AutocompleteArgs() complete.Predictor {
-	handlers := make([]string, 0, len(c.Handlers))
-	for k := range c.Handlers {
-		handlers = append(handlers, k)
-	}
-	return complete.PredictSet(handlers...)
+func (c *AuthMoveCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultMounts()
 }
 
-func (c *AuthHelpCommand) AutocompleteFlags() complete.Flags {
+func (c *AuthMoveCommand) AutocompleteFlags() complete.Flags {
 	return c.Flags().Completions()
 }
 
-func (c *AuthHelpCommand) Run(args []string) int {
+func (c *AuthMoveCommand) Run(args []string) int {
 	f := c.Flags()
 
 	if err := f.Parse(args); err != nil {
@@ -80,49 +76,51 @@ func (c *AuthHelpCommand) Run(args []string) int {
 
 	args = f.Args()
 	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+	case len(args) < 2:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 2, got %d)", len(args)))
 		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+	case len(args) > 2:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 2, got %d)", len(args)))
 		return 1
 	}
 
+	// Grab the source and destination
+	source := ensureTrailingSlash(args[0])
+	destination := ensureTrailingSlash(args[1])
+
 	client, err := c.Client()
 	if err != nil {
 		c.UI.Error(err.Error())
 		return 2
 	}
 
-	// Start with the assumption that we have an auth type, not a path.
-	authType := strings.TrimSpace(args[0])
+	remountResp, err := client.Sys().StartRemount(source, destination)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error moving auth method %s to %s: %s", source, destination, err))
+		return 2
+	}
+
+	c.UI.Output(fmt.Sprintf("Started moving auth method %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))
 
-	authHandler, ok := c.Handlers[authType]
-	if !ok {
-		// There was no auth type by that name, see if it's a mount
-		auths, err := client.Sys().ListAuth()
+	// Poll the status endpoint with the returned migration ID
+	// Exit if a terminal status is reached, else wait and retry
+	for {
+		remountStatusResp, err := client.Sys().RemountStatus(remountResp.MigrationID)
 		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error listing auth methods: %s", err))
+			c.UI.Error(fmt.Sprintf("Error checking migration status of auth method %s to %s: %s", source, destination, err))
 			return 2
 		}
-
-		authPath := ensureTrailingSlash(sanitizePath(args[0]))
-		auth, ok := auths[authPath]
-		if !ok {
-			c.UI.Warn(fmt.Sprintf(
-				"No auth method available on the server at %q", authPath))
-			return 1
+		if remountStatusResp.MigrationInfo.MigrationStatus == MountMigrationStatusSuccess {
+			c.UI.Output(fmt.Sprintf("Success! Finished moving auth method %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))
+			return 0
 		}
-
-		authHandler, ok = c.Handlers[auth.Type]
-		if !ok {
-			c.UI.Warn(wrapAtLength(fmt.Sprintf(
-				"No method-specific CLI handler available for auth method %q",
-				authType)))
-			return 2
+		if remountStatusResp.MigrationInfo.MigrationStatus == MountMigrationStatusFailure {
+			c.UI.Error(fmt.Sprintf("Failure! Error encountered moving auth method %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))
+			return 0
 		}
+		c.UI.Output(fmt.Sprintf("Waiting for terminal status in migration of auth method %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))
+		time.Sleep(10 * time.Second)
 	}
 
-	c.UI.Output(authHandler.Help())
 	return 0
 }
diff --git a/command/auth_help_test.go b/command/auth_help_test.go
index d87832c8920f..0b585e7e0031 100644
--- a/command/auth_help_test.go
+++ b/command/auth_help_test.go
@@ -7,28 +7,22 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/mitchellh/cli"
-
-	credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
 )
 
-func testAuthHelpCommand(tb testing.TB) (*cli.MockUi, *AuthHelpCommand) {
+func testAuthMoveCommand(tb testing.TB) (*cli.MockUi, *AuthMoveCommand) {
 	tb.Helper()
 
 	ui := cli.NewMockUi()
-	return ui, &AuthHelpCommand{
+	return ui, &AuthMoveCommand{
 		BaseCommand: &BaseCommand{
 			UI: ui,
 		},
-		Handlers: map[string]LoginHandler{
-			"userpass": &credUserpass.CLIHandler{
-				DefaultMount: "userpass",
-			},
-		},
 	}
 }
 
-func TestAuthHelpCommand_Run(t *testing.T) {
+func TestAuthMoveCommand_Run(t *testing.T) {
 	t.Parallel()
 
 	cases := []struct {
@@ -37,93 +31,89 @@ func TestAuthHelpCommand_Run(t *testing.T) {
 		out  string
 		code int
 	}{
+		{
+			"not_enough_args",
+			[]string{},
+			"Not enough arguments",
+			1,
+		},
 		{
 			"too_many_args",
-			[]string{"foo", "bar"},
+			[]string{"foo", "bar", "baz"},
 			"Too many arguments",
 			1,
 		},
 		{
-			"not_enough_args",
-			nil,
-			"Not enough arguments",
-			1,
+			"non_existent",
+			[]string{"not_real", "over_here"},
+			"Error moving auth method not_real/ to over_here/",
+			2,
 		},
 	}
 
-	for _, tc := range cases {
-		tc := tc
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
 
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
+		for _, tc := range cases {
+			tc := tc
 
-			client, closer := testVaultServer(t)
-			defer closer()
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
 
-			ui, cmd := testAuthHelpCommand(t)
-			cmd.client = client
+				client, closer := testVaultServer(t)
+				defer closer()
 
-			code := cmd.Run(tc.args)
-			if code != tc.code {
-				t.Errorf("expected %d to be %d", code, tc.code)
-			}
+				ui, cmd := testAuthMoveCommand(t)
+				cmd.client = client
 
-			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-			if !strings.Contains(combined, tc.out) {
-				t.Errorf("expected %q to contain %q", combined, tc.out)
-			}
-		})
-	}
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
 
-	t.Run("path", func(t *testing.T) {
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
+	})
+
+	t.Run("integration", func(t *testing.T) {
 		t.Parallel()
 
 		client, closer := testVaultServer(t)
 		defer closer()
 
-		if err := client.Sys().EnableAuth("foo", "userpass", ""); err != nil {
+		ui, cmd := testAuthMoveCommand(t)
+		cmd.client = client
+
+		if err := client.Sys().EnableAuthWithOptions("my-auth", &api.EnableAuthOptions{
+			Type: "userpass",
+		}); err != nil {
 			t.Fatal(err)
 		}
 
-		ui, cmd := testAuthHelpCommand(t)
-		cmd.client = client
-
 		code := cmd.Run([]string{
-			"foo/",
+			"auth/my-auth/", "auth/my-auth-2/",
 		})
 		if exp := 0; code != exp {
 			t.Errorf("expected %d to be %d", code, exp)
 		}
 
-		expected := "Usage: vault login -method=userpass"
+		expected := "Success! Finished moving auth method auth/my-auth/ to auth/my-auth-2/"
 		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
 		if !strings.Contains(combined, expected) {
 			t.Errorf("expected %q to contain %q", combined, expected)
 		}
-	})
-
-	t.Run("type", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		// No mounted auth methods
-
-		ui, cmd := testAuthHelpCommand(t)
-		cmd.client = client
 
-		code := cmd.Run([]string{
-			"userpass",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
+		mounts, err := client.Sys().ListAuth()
+		if err != nil {
+			t.Fatal(err)
 		}
 
-		expected := "Usage: vault login -method=userpass"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
+		if _, ok := mounts["my-auth-2/"]; !ok {
+			t.Errorf("expected mount at my-auth-2/: %#v", mounts)
 		}
 	})
 
@@ -133,17 +123,17 @@ func TestAuthHelpCommand_Run(t *testing.T) {
 		client, closer := testVaultServerBad(t)
 		defer closer()
 
-		ui, cmd := testAuthHelpCommand(t)
+		ui, cmd := testAuthMoveCommand(t)
 		cmd.client = client
 
 		code := cmd.Run([]string{
-			"sys/mounts",
+			"auth/my-auth/", "auth/my-auth-2/",
 		})
 		if exp := 2; code != exp {
 			t.Errorf("expected %d to be %d", code, exp)
 		}
 
-		expected := "Error listing auth methods: "
+		expected := "Error moving auth method auth/my-auth/ to auth/my-auth-2/:"
 		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
 		if !strings.Contains(combined, expected) {
 			t.Errorf("expected %q to contain %q", combined, expected)
@@ -153,7 +143,7 @@ func TestAuthHelpCommand_Run(t *testing.T) {
 	t.Run("no_tabs", func(t *testing.T) {
 		t.Parallel()
 
-		_, cmd := testAuthHelpCommand(t)
+		_, cmd := testAuthMoveCommand(t)
 		assertNoTabs(t, cmd)
 	})
 }
diff --git a/command/auth_list.go b/command/auth_list.go
index e1a8771d7f5b..9071c0c157a0 100644
--- a/command/auth_list.go
+++ b/command/auth_list.go
@@ -4,186 +4,34 @@
 package command
 
 import (
-	"fmt"
-	"sort"
-	"strconv"
-	"strings"
+	"testing"
 
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
+	"github.com/hashicorp/cli"
 
-var (
-	_ cli.Command             = (*AuthListCommand)(nil)
-	_ cli.CommandAutocomplete = (*AuthListCommand)(nil)
+	"github.com/hashicorp/vault/command/token"
 )
 
-type AuthListCommand struct {
-	*BaseCommand
-
-	flagDetailed bool
-}
-
-func (c *AuthListCommand) Synopsis() string {
-	return "Lists enabled auth methods"
-}
-
-func (c *AuthListCommand) Help() string {
-	helpText := `
-Usage: vault auth list [options]
-
-  Lists the enabled auth methods on the Vault server. This command also outputs
-  information about the method including configuration and human-friendly
-  descriptions. A TTL of "system" indicates that the system default is in use.
-
-  List all enabled auth methods:
-
-      $ vault auth list
-
-  List all enabled auth methods with detailed output:
-
-      $ vault auth list -detailed
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *AuthListCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-
-	f := set.NewFlagSet("Command Options")
-
-	f.BoolVar(&BoolVar{
-		Name:    "detailed",
-		Target:  &c.flagDetailed,
-		Default: false,
-		Usage: "Print detailed information such as configuration and replication " +
-			"status about each auth method. This option is only applicable to " +
-			"table-formatted output.",
-	})
-
-	return set
-}
-
-func (c *AuthListCommand) AutocompleteArgs() complete.Predictor {
-	return nil
-}
-
-func (c *AuthListCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
+func testAuthCommand(tb testing.TB) (*cli.MockUi, *AuthCommand) {
+	tb.Helper()
 
-func (c *AuthListCommand) Run(args []string) int {
-	f := c.Flags()
+	ui := cli.NewMockUi()
+	return ui, &AuthCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
 
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	if len(args) > 0 {
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(args)))
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	auths, err := client.Sys().ListAuth()
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error listing enabled authentications: %s", err))
-		return 2
-	}
-
-	switch Format(c.UI) {
-	case "table":
-		if c.flagDetailed {
-			c.UI.Output(tableOutput(c.detailedMounts(auths), nil))
-			return 0
-		}
-		c.UI.Output(tableOutput(c.simpleMounts(auths), nil))
-		return 0
-	default:
-		return OutputData(c.UI, auths)
+			// Override to our own token helper
+			tokenHelper: token.NewTestingTokenHelper(),
+		},
 	}
 }
 
-func (c *AuthListCommand) simpleMounts(auths map[string]*api.AuthMount) []string {
-	paths := make([]string, 0, len(auths))
-	for path := range auths {
-		paths = append(paths, path)
-	}
-	sort.Strings(paths)
-
-	out := []string{"Path | Type | Accessor | Description | Version"}
-	for _, path := range paths {
-		mount := auths[path]
-		out = append(out, fmt.Sprintf("%s | %s | %s | %s | %s", path, mount.Type, mount.Accessor, mount.Description, mount.PluginVersion))
-	}
+func TestAuthCommand_Run(t *testing.T) {
+	t.Parallel()
 
-	return out
-}
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
 
-func (c *AuthListCommand) detailedMounts(auths map[string]*api.AuthMount) []string {
-	paths := make([]string, 0, len(auths))
-	for path := range auths {
-		paths = append(paths, path)
-	}
-	sort.Strings(paths)
-
-	calcTTL := func(typ string, ttl int) string {
-		switch {
-		case typ == "system", typ == "cubbyhole":
-			return ""
-		case ttl != 0:
-			return strconv.Itoa(ttl)
-		default:
-			return "system"
-		}
-	}
-
-	out := []string{"Path | Plugin | Accessor | Default TTL | Max TTL | Token Type | Replication | Seal Wrap | External Entropy Access | Options | Description | UUID | Version | Running Version | Running SHA256 | Deprecation Status"}
-	for _, path := range paths {
-		mount := auths[path]
-
-		defaultTTL := calcTTL(mount.Type, mount.Config.DefaultLeaseTTL)
-		maxTTL := calcTTL(mount.Type, mount.Config.MaxLeaseTTL)
-
-		replication := "replicated"
-		if mount.Local {
-			replication = "local"
-		}
-
-		pluginName := mount.Type
-		if pluginName == "plugin" {
-			pluginName = mount.Config.PluginName
-		}
-
-		out = append(out, fmt.Sprintf("%s | %s | %s | %s | %s | %s | %s | %t | %v | %s | %s | %s | %s | %s | %s | %s",
-			path,
-			pluginName,
-			mount.Accessor,
-			defaultTTL,
-			maxTTL,
-			mount.Config.TokenType,
-			replication,
-			mount.SealWrap,
-			mount.ExternalEntropyAccess,
-			mount.Options,
-			mount.Description,
-			mount.UUID,
-			mount.PluginVersion,
-			mount.RunningVersion,
-			mount.RunningSha256,
-			mount.DeprecationStatus,
-		))
-	}
-
-	return out
+		_, cmd := testAuthCommand(t)
+		assertNoTabs(t, cmd)
+	})
 }
diff --git a/command/auth_list_test.go b/command/auth_list_test.go
index 8e019f1b8fa9..10e7f9fe4113 100644
--- a/command/auth_list_test.go
+++ b/command/auth_list_test.go
@@ -4,105 +4,307 @@
 package command
 
 import (
+	"flag"
+	"fmt"
+	"strconv"
 	"strings"
-	"testing"
+	"time"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
 )
 
-func testAuthListCommand(tb testing.TB) (*cli.MockUi, *AuthListCommand) {
-	tb.Helper()
+var (
+	_ cli.Command             = (*AuthTuneCommand)(nil)
+	_ cli.CommandAutocomplete = (*AuthTuneCommand)(nil)
+)
 
-	ui := cli.NewMockUi()
-	return ui, &AuthListCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
+type AuthTuneCommand struct {
+	*BaseCommand
+
+	flagAuditNonHMACRequestKeys         []string
+	flagAuditNonHMACResponseKeys        []string
+	flagDefaultLeaseTTL                 time.Duration
+	flagDescription                     string
+	flagListingVisibility               string
+	flagMaxLeaseTTL                     time.Duration
+	flagPassthroughRequestHeaders       []string
+	flagAllowedResponseHeaders          []string
+	flagOptions                         map[string]string
+	flagTokenType                       string
+	flagVersion                         int
+	flagPluginVersion                   string
+	flagUserLockoutThreshold            uint
+	flagUserLockoutDuration             time.Duration
+	flagUserLockoutCounterResetDuration time.Duration
+	flagUserLockoutDisable              bool
+}
+
+func (c *AuthTuneCommand) Synopsis() string {
+	return "Tunes an auth method configuration"
+}
+
+func (c *AuthTuneCommand) Help() string {
+	helpText := `
+Usage: vault auth tune [options] PATH
+
+  Tunes the configuration options for the auth method at the given PATH. The
+  argument corresponds to the PATH where the auth method is enabled, not the
+  TYPE!
+
+  Tune the default lease for the github auth method:
+
+      $ vault auth tune -default-lease-ttl=72h github/
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *AuthTuneCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP)
+
+	f := set.NewFlagSet("Command Options")
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNameAuditNonHMACRequestKeys,
+		Target: &c.flagAuditNonHMACRequestKeys,
+		Usage: "Key that will not be HMAC'd by audit devices in the request data " +
+			"object. To specify multiple values, specify this flag multiple times.",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNameAuditNonHMACResponseKeys,
+		Target: &c.flagAuditNonHMACResponseKeys,
+		Usage: "Key that will not be HMAC'd by audit devices in the response data " +
+			"object. To specify multiple values, specify this flag multiple times.",
+	})
+
+	f.DurationVar(&DurationVar{
+		Name:       "default-lease-ttl",
+		Target:     &c.flagDefaultLeaseTTL,
+		Default:    0,
+		EnvVar:     "",
+		Completion: complete.PredictAnything,
+		Usage: "The default lease TTL for this auth method. If unspecified, this " +
+			"defaults to the Vault server's globally configured default lease TTL, " +
+			"or a previously configured value for the auth method.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:   flagNameDescription,
+		Target: &c.flagDescription,
+		Usage: "Human-friendly description of the this auth method. This overrides " +
+			"the current stored value, if any.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:   flagNameListingVisibility,
+		Target: &c.flagListingVisibility,
+		Usage: "Determines the visibility of the mount in the UI-specific listing " +
+			"endpoint.",
+	})
+
+	f.DurationVar(&DurationVar{
+		Name:       "max-lease-ttl",
+		Target:     &c.flagMaxLeaseTTL,
+		Default:    0,
+		EnvVar:     "",
+		Completion: complete.PredictAnything,
+		Usage: "The maximum lease TTL for this auth method. If unspecified, this " +
+			"defaults to the Vault server's globally configured maximum lease TTL, " +
+			"or a previously configured value for the auth method.",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNamePassthroughRequestHeaders,
+		Target: &c.flagPassthroughRequestHeaders,
+		Usage: "Request header value that will be sent to the plugin. To specify " +
+			"multiple values, specify this flag multiple times.",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNameAllowedResponseHeaders,
+		Target: &c.flagAllowedResponseHeaders,
+		Usage: "Response header value that plugins will be allowed to set. To specify " +
+			"multiple values, specify this flag multiple times.",
+	})
+
+	f.StringMapVar(&StringMapVar{
+		Name:       "options",
+		Target:     &c.flagOptions,
+		Completion: complete.PredictAnything,
+		Usage: "Key-value pair provided as key=value for the mount options. " +
+			"This can be specified multiple times.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:   flagNameTokenType,
+		Target: &c.flagTokenType,
+		Usage:  "Sets a forced token type for the mount.",
+	})
+
+	f.IntVar(&IntVar{
+		Name:    "version",
+		Target:  &c.flagVersion,
+		Default: 0,
+		Usage:   "Select the version of the auth method to run. Not supported by all auth methods.",
+	})
+
+	f.UintVar(&UintVar{
+		Name:   flagNameUserLockoutThreshold,
+		Target: &c.flagUserLockoutThreshold,
+		Usage: "The threshold for user lockout for this auth method. If unspecified, this " +
+			"defaults to the Vault server's globally configured user lockout threshold, " +
+			"or a previously configured value for the auth method.",
+	})
+
+	f.DurationVar(&DurationVar{
+		Name:       flagNameUserLockoutDuration,
+		Target:     &c.flagUserLockoutDuration,
+		Completion: complete.PredictAnything,
+		Usage: "The user lockout duration for this auth method. If unspecified, this " +
+			"defaults to the Vault server's globally configured user lockout duration, " +
+			"or a previously configured value for the auth method.",
+	})
+
+	f.DurationVar(&DurationVar{
+		Name:       flagNameUserLockoutCounterResetDuration,
+		Target:     &c.flagUserLockoutCounterResetDuration,
+		Completion: complete.PredictAnything,
+		Usage: "The user lockout counter reset duration for this auth method. If unspecified, this " +
+			"defaults to the Vault server's globally configured user lockout counter reset duration, " +
+			"or a previously configured value for the auth method.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    flagNameUserLockoutDisable,
+		Target:  &c.flagUserLockoutDisable,
+		Default: false,
+		Usage: "Disable user lockout for this auth method. If unspecified, this " +
+			"defaults to the Vault server's globally configured user lockout disable, " +
+			"or a previously configured value for the auth method.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:    flagNamePluginVersion,
+		Target:  &c.flagPluginVersion,
+		Default: "",
+		Usage: "Select the semantic version of the plugin to run. The new version must be registered in " +
+			"the plugin catalog, and will not start running until the plugin is reloaded.",
+	})
+
+	return set
+}
+
+func (c *AuthTuneCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultAuths()
 }
 
-func TestAuthListCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"too_many_args",
-			[]string{"foo"},
-			"Too many arguments",
-			1,
-		},
-		{
-			"lists",
-			nil,
-			"Path",
-			0,
-		},
-		{
-			"detailed",
-			[]string{"-detailed"},
-			"Default TTL",
-			0,
-		},
+func (c *AuthTuneCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *AuthTuneCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
 	}
 
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
 
-		for _, tc := range cases {
-			tc := tc
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
 
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
+	if c.flagVersion > 0 {
+		if c.flagOptions == nil {
+			c.flagOptions = make(map[string]string)
+		}
+		c.flagOptions["version"] = strconv.Itoa(c.flagVersion)
+	}
 
-				client, closer := testVaultServer(t)
-				defer closer()
+	mountConfigInput := api.MountConfigInput{
+		DefaultLeaseTTL: ttlToAPI(c.flagDefaultLeaseTTL),
+		MaxLeaseTTL:     ttlToAPI(c.flagMaxLeaseTTL),
+		Options:         c.flagOptions,
+	}
 
-				ui, cmd := testAuthListCommand(t)
-				cmd.client = client
+	// Set these values only if they are provided in the CLI
+	f.Visit(func(fl *flag.Flag) {
+		if fl.Name == flagNameAuditNonHMACRequestKeys {
+			mountConfigInput.AuditNonHMACRequestKeys = c.flagAuditNonHMACRequestKeys
+		}
 
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
+		if fl.Name == flagNameAuditNonHMACResponseKeys {
+			mountConfigInput.AuditNonHMACResponseKeys = c.flagAuditNonHMACResponseKeys
+		}
 
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
+		if fl.Name == flagNameDescription {
+			mountConfigInput.Description = &c.flagDescription
 		}
-	})
 
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
+		if fl.Name == flagNameListingVisibility {
+			mountConfigInput.ListingVisibility = c.flagListingVisibility
+		}
 
-		client, closer := testVaultServerBad(t)
-		defer closer()
+		if fl.Name == flagNamePassthroughRequestHeaders {
+			mountConfigInput.PassthroughRequestHeaders = c.flagPassthroughRequestHeaders
+		}
 
-		ui, cmd := testAuthListCommand(t)
-		cmd.client = client
+		if fl.Name == flagNameAllowedResponseHeaders {
+			mountConfigInput.AllowedResponseHeaders = c.flagAllowedResponseHeaders
+		}
 
-		code := cmd.Run([]string{})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
+		if fl.Name == flagNameTokenType {
+			mountConfigInput.TokenType = c.flagTokenType
+		}
+		switch fl.Name {
+		case flagNameUserLockoutThreshold, flagNameUserLockoutDuration, flagNameUserLockoutCounterResetDuration, flagNameUserLockoutDisable:
+			if mountConfigInput.UserLockoutConfig == nil {
+				mountConfigInput.UserLockoutConfig = &api.UserLockoutConfigInput{}
+			}
+		}
+		if fl.Name == flagNameUserLockoutThreshold {
+			mountConfigInput.UserLockoutConfig.LockoutThreshold = strconv.FormatUint(uint64(c.flagUserLockoutThreshold), 10)
+		}
+		if fl.Name == flagNameUserLockoutDuration {
+			mountConfigInput.UserLockoutConfig.LockoutDuration = ttlToAPI(c.flagUserLockoutDuration)
+		}
+		if fl.Name == flagNameUserLockoutCounterResetDuration {
+			mountConfigInput.UserLockoutConfig.LockoutCounterResetDuration = ttlToAPI(c.flagUserLockoutCounterResetDuration)
+		}
+		if fl.Name == flagNameUserLockoutDisable {
+			mountConfigInput.UserLockoutConfig.DisableLockout = &c.flagUserLockoutDisable
 		}
 
-		expected := "Error listing enabled authentications: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
+		if fl.Name == flagNamePluginVersion {
+			mountConfigInput.PluginVersion = c.flagPluginVersion
 		}
 	})
 
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
+	// Append /auth (since that's where auths live) and a trailing slash to
+	// indicate it's a path in output
+	mountPath := ensureTrailingSlash(sanitizePath(args[0]))
 
-		_, cmd := testAuthListCommand(t)
-		assertNoTabs(t, cmd)
-	})
+	if err := client.Sys().TuneMount("/auth/"+mountPath, mountConfigInput); err != nil {
+		c.UI.Error(fmt.Sprintf("Error tuning auth method %s: %s", mountPath, err))
+		return 2
+	}
+
+	c.UI.Output(fmt.Sprintf("Success! Tuned the auth method at: %s", mountPath))
+	return 0
 }
diff --git a/command/auth_move.go b/command/auth_move.go
index e91d9d82fb83..4bc8ddf46596 100644
--- a/command/auth_move.go
+++ b/command/auth_move.go
@@ -4,123 +4,289 @@
 package command
 
 import (
-	"fmt"
 	"strings"
-	"time"
+	"testing"
 
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
+	"github.com/go-test/deep"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
 )
 
-var (
-	_ cli.Command             = (*AuthMoveCommand)(nil)
-	_ cli.CommandAutocomplete = (*AuthMoveCommand)(nil)
-)
+func testAuthTuneCommand(tb testing.TB) (*cli.MockUi, *AuthTuneCommand) {
+	tb.Helper()
 
-type AuthMoveCommand struct {
-	*BaseCommand
+	ui := cli.NewMockUi()
+	return ui, &AuthTuneCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
 }
 
-func (c *AuthMoveCommand) Synopsis() string {
-	return "Move an auth method to a new path"
-}
+func TestAuthTuneCommand_Run(t *testing.T) {
+	t.Parallel()
 
-func (c *AuthMoveCommand) Help() string {
-	helpText := `
-Usage: vault auth move [options] SOURCE DESTINATION
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"not_enough_args",
+			[]string{},
+			"Not enough arguments",
+			1,
+		},
+		{
+			"too_many_args",
+			[]string{"foo", "bar"},
+			"Too many arguments",
+			1,
+		},
+	}
 
-  Moves an existing auth method to a new path. Any leases from the old
-  auth method are revoked, but all configuration associated with the method
-  is preserved. It initiates the migration and intermittently polls its status,
-  exiting if a final state is reached.
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
 
-  This command works within or across namespaces, both source and destination paths
-  can be prefixed with a namespace heirarchy relative to the current namespace.
+		for _, tc := range cases {
+			tc := tc
 
-  WARNING! Moving an auth method will revoke any leases from the
-  old method.
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
 
-  Move the auth method at approle/ to generic/:
+				client, closer := testVaultServer(t)
+				defer closer()
 
-      $ vault auth move approle/ generic/
+				ui, cmd := testAuthTuneCommand(t)
+				cmd.client = client
 
-  Move the auth method at ns1/approle/ across namespaces to ns2/generic/, 
-  where ns1 and ns2 are child namespaces of the current namespace:
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
 
-  $ vault auth move ns1/approle/ ns2/generic/
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
+	})
 
-` + c.Flags().Help()
+	t.Run("integration", func(t *testing.T) {
+		t.Run("flags_all", func(t *testing.T) {
+			t.Parallel()
+			pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
+			defer cleanup(t)
 
-	return strings.TrimSpace(helpText)
-}
+			client, _, closer := testVaultServerPluginDir(t, pluginDir)
+			defer closer()
 
-func (c *AuthMoveCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP)
-}
+			ui, cmd := testAuthTuneCommand(t)
+			cmd.client = client
 
-func (c *AuthMoveCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultMounts()
-}
+			// Mount
+			if err := client.Sys().EnableAuthWithOptions("my-auth", &api.EnableAuthOptions{
+				Type: "userpass",
+			}); err != nil {
+				t.Fatal(err)
+			}
 
-func (c *AuthMoveCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
+			auths, err := client.Sys().ListAuth()
+			if err != nil {
+				t.Fatal(err)
+			}
+			mountInfo, ok := auths["my-auth/"]
+			if !ok {
+				t.Fatalf("expected mount to exist: %#v", auths)
+			}
 
-func (c *AuthMoveCommand) Run(args []string) int {
-	f := c.Flags()
+			if exp := ""; mountInfo.PluginVersion != exp {
+				t.Errorf("expected %q to be %q", mountInfo.PluginVersion, exp)
+			}
 
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
+			_, _, version := testPluginCreateAndRegisterVersioned(t, client, pluginDir, "userpass", api.PluginTypeCredential)
 
-	args = f.Args()
-	switch {
-	case len(args) < 2:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 2, got %d)", len(args)))
-		return 1
-	case len(args) > 2:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 2, got %d)", len(args)))
-		return 1
-	}
+			code := cmd.Run([]string{
+				"-description", "new description",
+				"-default-lease-ttl", "30m",
+				"-max-lease-ttl", "1h",
+				"-audit-non-hmac-request-keys", "foo,bar",
+				"-audit-non-hmac-response-keys", "foo,bar",
+				"-passthrough-request-headers", "authorization",
+				"-passthrough-request-headers", "www-authentication",
+				"-allowed-response-headers", "authorization,www-authentication",
+				"-listing-visibility", "unauth",
+				"-plugin-version", version,
+				"my-auth/",
+			})
+			if exp := 0; code != exp {
+				t.Errorf("expected %d to be %d", code, exp)
+			}
 
-	// Grab the source and destination
-	source := ensureTrailingSlash(args[0])
-	destination := ensureTrailingSlash(args[1])
+			expected := "Success! Tuned the auth method at: my-auth/"
+			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+			if !strings.Contains(combined, expected) {
+				t.Errorf("expected %q to contain %q", combined, expected)
+			}
 
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
+			auths, err = client.Sys().ListAuth()
+			if err != nil {
+				t.Fatal(err)
+			}
 
-	remountResp, err := client.Sys().StartRemount(source, destination)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error moving auth method %s to %s: %s", source, destination, err))
-		return 2
-	}
+			mountInfo, ok = auths["my-auth/"]
+			if !ok {
+				t.Fatalf("expected auth to exist")
+			}
+			if exp := "new description"; mountInfo.Description != exp {
+				t.Errorf("expected %q to be %q", mountInfo.Description, exp)
+			}
+			if exp := "userpass"; mountInfo.Type != exp {
+				t.Errorf("expected %q to be %q", mountInfo.Type, exp)
+			}
+			if exp := version; mountInfo.PluginVersion != exp {
+				t.Errorf("expected %q to be %q", mountInfo.PluginVersion, exp)
+			}
+			if exp := 1800; mountInfo.Config.DefaultLeaseTTL != exp {
+				t.Errorf("expected %d to be %d", mountInfo.Config.DefaultLeaseTTL, exp)
+			}
+			if exp := 3600; mountInfo.Config.MaxLeaseTTL != exp {
+				t.Errorf("expected %d to be %d", mountInfo.Config.MaxLeaseTTL, exp)
+			}
+			if diff := deep.Equal([]string{"authorization", "www-authentication"}, mountInfo.Config.PassthroughRequestHeaders); len(diff) > 0 {
+				t.Errorf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff)
+			}
+			if diff := deep.Equal([]string{"authorization,www-authentication"}, mountInfo.Config.AllowedResponseHeaders); len(diff) > 0 {
+				t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff)
+			}
+			if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 {
+				t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff)
+			}
+			if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
+				t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
+			}
+		})
 
-	c.UI.Output(fmt.Sprintf("Started moving auth method %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))
+		t.Run("flags_description", func(t *testing.T) {
+			t.Parallel()
+			t.Run("not_provided", func(t *testing.T) {
+				client, closer := testVaultServer(t)
+				defer closer()
 
-	// Poll the status endpoint with the returned migration ID
-	// Exit if a terminal status is reached, else wait and retry
-	for {
-		remountStatusResp, err := client.Sys().RemountStatus(remountResp.MigrationID)
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error checking migration status of auth method %s to %s: %s", source, destination, err))
-			return 2
-		}
-		if remountStatusResp.MigrationInfo.MigrationStatus == MountMigrationStatusSuccess {
-			c.UI.Output(fmt.Sprintf("Success! Finished moving auth method %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))
-			return 0
+				ui, cmd := testAuthTuneCommand(t)
+				cmd.client = client
+
+				// Mount
+				if err := client.Sys().EnableAuthWithOptions("my-auth", &api.EnableAuthOptions{
+					Type:        "userpass",
+					Description: "initial description",
+				}); err != nil {
+					t.Fatal(err)
+				}
+
+				code := cmd.Run([]string{
+					"-default-lease-ttl", "30m",
+					"my-auth/",
+				})
+				if exp := 0; code != exp {
+					t.Errorf("expected %d to be %d", code, exp)
+				}
+
+				expected := "Success! Tuned the auth method at: my-auth/"
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, expected) {
+					t.Errorf("expected %q to contain %q", combined, expected)
+				}
+
+				auths, err := client.Sys().ListAuth()
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				mountInfo, ok := auths["my-auth/"]
+				if !ok {
+					t.Fatalf("expected auth to exist")
+				}
+				if exp := "initial description"; mountInfo.Description != exp {
+					t.Errorf("expected %q to be %q", mountInfo.Description, exp)
+				}
+			})
+
+			t.Run("provided_empty", func(t *testing.T) {
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				ui, cmd := testAuthTuneCommand(t)
+				cmd.client = client
+
+				// Mount
+				if err := client.Sys().EnableAuthWithOptions("my-auth", &api.EnableAuthOptions{
+					Type:        "userpass",
+					Description: "initial description",
+				}); err != nil {
+					t.Fatal(err)
+				}
+
+				code := cmd.Run([]string{
+					"-description", "",
+					"my-auth/",
+				})
+				if exp := 0; code != exp {
+					t.Errorf("expected %d to be %d", code, exp)
+				}
+
+				expected := "Success! Tuned the auth method at: my-auth/"
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, expected) {
+					t.Errorf("expected %q to contain %q", combined, expected)
+				}
+
+				auths, err := client.Sys().ListAuth()
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				mountInfo, ok := auths["my-auth/"]
+				if !ok {
+					t.Fatalf("expected auth to exist")
+				}
+				if exp := ""; mountInfo.Description != exp {
+					t.Errorf("expected %q to be %q", mountInfo.Description, exp)
+				}
+			})
+		})
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testAuthTuneCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"userpass/",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
 		}
-		if remountStatusResp.MigrationInfo.MigrationStatus == MountMigrationStatusFailure {
-			c.UI.Error(fmt.Sprintf("Failure! Error encountered moving auth method %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))
-			return 0
+
+		expected := "Error tuning auth method userpass/: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
 		}
-		c.UI.Output(fmt.Sprintf("Waiting for terminal status in migration of auth method %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))
-		time.Sleep(10 * time.Second)
-	}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
 
-	return 0
+		_, cmd := testAuthTuneCommand(t)
+		assertNoTabs(t, cmd)
+	})
 }
diff --git a/command/auth_move_test.go b/command/auth_move_test.go
index 095c3ae9daab..2124e64b4958 100644
--- a/command/auth_move_test.go
+++ b/command/auth_move_test.go
@@ -1,149 +1,341 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
+---
+layout: api
+page_title: Azure - Secrets Engines - HTTP API
+description: This is the API documentation for the Vault Azure secrets engine.
+---
 
-package command
+# Azure secrets engine (API)
 
-import (
-	"strings"
-	"testing"
+This is the API documentation for the Vault Azure
+secrets engine. For general information about the usage and operation of
+the Azure secrets engine, please see the main [Azure secrets documentation][docs].
 
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-)
+This documentation assumes the Azure secrets engine is enabled at the `/azure` path
+in Vault. Since it is possible to mount secrets engines at any path, please
+update your API calls accordingly.
 
-func testAuthMoveCommand(tb testing.TB) (*cli.MockUi, *AuthMoveCommand) {
-	tb.Helper()
+## Configure access
 
-	ui := cli.NewMockUi()
-	return ui, &AuthMoveCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
+Configures the credentials required for the plugin to perform API calls
+to Azure. These credentials will be used to query roles and create/delete
+service principals. Environment variables will override any parameters set in the config.
+
+| Method | Path            |
+| :----- | :-------------- |
+| `POST` | `/azure/config` |
+
+- `subscription_id` (`string: <required>`) - The subscription id for the Azure Active Directory.
+  This value can also be provided with the AZURE_SUBSCRIPTION_ID environment variable.
+- `tenant_id` (`string: <required>`) - The tenant id for the Azure Active Directory.
+  This value can also be provided with the AZURE_TENANT_ID environment variable.
+- `client_id` (`string:""`) - The OAuth2 client id to connect to Azure. This value can also be provided
+  with the AZURE_CLIENT_ID environment variable. See [authentication](/vault/docs/secrets/azure#authentication) for more details.
+- `client_secret` (`string:""`) - The OAuth2 client secret to connect to Azure. This value can also be
+  provided with the AZURE_CLIENT_SECRET environment variable. See [authentication](/vault/docs/secrets/azure#authentication) for more details.
+- `environment` (`string:""`) - The Azure environment. This value can also be provided with the AZURE_ENVIRONMENT
+  environment variable. If not specified, Vault will use Azure Public Cloud.
+- `password_policy` `(string: "")` - Specifies a [password policy](/vault/docs/concepts/password-policies) to
+  use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set.
+- `root_password_ttl` `(string: 182d)` - Specifies how long the root password is valid for in Azure when
+  rotate-root generates a new client secret. Uses [duration format strings](/vault/docs/concepts/duration-format).
+
+### Sample payload
+
+```json
+{
+  "subscription_id": "94ca80...",
+  "tenant_id": "d0ac7e...",
+  "client_id": "e607c4...",
+  "client_secret": "9a6346...",
+  "environment": "AzureGermanCloud",
+  "password_policy": "azure_policy",
+  "root_password_ttl": "48d"
+}
+```
+
+### Sample request
+
+<Tabs>
+<Tab heading="cURL">
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/azure/config
+```
+
+</Tab>
+<Tab heading="CLI">
+
+```shell-session
+$ vault write azure/config \
+    subscription_id="94ca80..." \
+    tenant_id="d0ac7e...",
+    client_id="e607c4...",
+    client_secret="9a6346...",
+    environment="AzureGermanCloud",
+    password_policy="azure_policy"
+```
+
+</Tab>
+</Tabs>
+
+## Read config
+
+Return the stored configuration, omitting `client_secret`.
+
+| Method | Path            |
+| :----- | :-------------- |
+| `GET`  | `/azure/config` |
+
+### Sample request
+
+<Tabs>
+<Tab heading="cURL">
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    https://127.0.0.1:8200/v1/azure/config
+```
+
+</Tab>
+<Tab heading="CLI">
+
+```shell-session
+$ vault read azure/config
+```
+
+</Tab>
+</Tabs>
+
+### Sample response
+
+```json
+{
+  "data": {
+    "subscription_id": "94ca80...",
+    "tenant_id": "d0ac7e...",
+    "client_id": "e607c4...",
+    "environment": "AzureGermanCloud"
+  },
+  ...
+}
+```
+
+## Delete config
+
+Deletes the stored Azure configuration and credentials.
+
+| Method   | Path            |
+| :------- | :-------------- |
+| `DELETE` | `/azure/config` |
+
+### Sample request
+
+<Tabs>
+<Tab heading="cURL">
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    https://127.0.0.1:8200/v1/azure/config
+```
+
+</Tab>
+<Tab heading="CLI">
+
+```shell-session
+$ vault delete azure/config
+```
+
+</Tab>
+</Tabs>
+
+## Rotate root
+
+This endpoint generates a new client secret for the root account defined in the config. The
+value generated will only be known by Vault.
+
+~> Due to the eventual consistency of Microsoft Azure client secret APIs, the plugin
+may briefly stop authenticating to Azure as the password propagates through their
+datacenters.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `POST` | `/azure/rotate-root` |
+
+### Parameters
+
+There are no parameters to this operation.
+
+### Sample request
+
+```shell-session
+$ curl \
+  --header "X-Vault-Token: ..." \
+  --request POST \
+  http://127.0.0.1:8200/v1/azure/rotate-root
+```
+
+## Create/Update role
+
+Create or update a Vault role. Either `application_object_id` or
+`azure_roles` must be provided, and these resources must exist for this
+call to succeed. See the Azure secrets [roles docs][roles] for more
+information about roles.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `POST` | `/azure/roles/:name` |
+
+### Parameters
+
+- `azure_roles` (`string: ""`) - List of Azure roles to be assigned to the generated service
+  principal. The array must be in JSON format, properly escaped as a string. See [roles docs][roles]
+  for details on role definition.
+- `azure_groups` (`string: ""`) - List of Azure groups that the generated service principal will be
+  assigned to. The array must be in JSON format, properly escaped as a string. See [groups docs][groups]
+  for more details.
+- `application_object_id` (`string: ""`) - Application Object ID for an existing service principal that will
+  be used instead of creating dynamic service principals. If present, `azure_roles` will be ignored. See
+  [roles docs][roles] for details on role definition.
+- `persist_app` (`bool: "false"`) – If set to true, persists the created service principal and application for the lifetime of the role.
+ Useful for when the Service Principal needs to maintain ownership of objects it creates
+- `ttl` (`string: ""`) – Specifies the default TTL for service principals generated using this role.
+  Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
+- `max_ttl` (`string: ""`) – Specifies the maximum TTL for service principals generated using this role. Accepts time
+  suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
+- `permanently_delete` (`bool: false`) - Specifies whether to permanently delete Applications and Service Principals that are dynamically
+  created by Vault. If `application_object_id` is present, `permanently_delete` must be `false`.
+- `sign_in_audience` (`string: ""`) - Specifies the security principal types that are allowed to sign in to the application.
+  Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount.
+- `tags` (`string: ""`) - A comma-separated string of Azure tags to attach to an application.
+
+### Sample payload
+
+```json
+{
+  "azure_roles": "[
+    {
+      \"role_name\": \"Contributor\",
+      \"scope\":  \"/subscriptions/<uuid>/resourceGroups/Website\"
+    },
+    {
+      \"role_id\": \"/subscriptions/<uuid>/providers/Microsoft.Authorization/roleDefinitions/<uuid>\",
+      \"scope\":  \"/subscriptions/<uuid>\"
+    }
+  ]",
+  "ttl": 3600,
+  "max_ttl": "24h"
+  "sign_in_audience": "AzureADMyOrg"
+  "tags": "team:engineering","environment:development"
+}
+```
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/azure/roles/my-role
+```
+
+## List roles
+
+Lists all of the roles that are registered with the plugin.
+
+| Method | Path           |
+| :----- | :------------- |
+| `LIST` | `/azure/roles` |
+
+### Sample request
+
+<Tabs>
+<Tab heading="cURL">
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    https://127.0.0.1:8200/v1/azure/roles
+```
+
+</Tab>
+<Tab heading="CLI">
+
+```shell-session
+$ vault list azure/roles
+```
+
+</Tab>
+</Tabs>
+
+### Sample response
+
+```json
+{
+  "data": {
+    "keys": ["my-role-one", "my-role-two"]
+  }
 }
+```
+
+## Generate credentials
+
+This endpoint generates a new service principal based on the named role.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `GET`  | `/azure/creds/:name` |
+
+### Parameters
+
+- `name` (`string: <required>`) - Specifies the name of the role to create credentials against.
+
+### Sample request
 
-func TestAuthMoveCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"not_enough_args",
-			[]string{},
-			"Not enough arguments",
-			1,
-		},
-		{
-			"too_many_args",
-			[]string{"foo", "bar", "baz"},
-			"Too many arguments",
-			1,
-		},
-		{
-			"non_existent",
-			[]string{"not_real", "over_here"},
-			"Error moving auth method not_real/ to over_here/",
-			2,
-		},
-	}
-
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, tc := range cases {
-			tc := tc
-
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
-
-				client, closer := testVaultServer(t)
-				defer closer()
-
-				ui, cmd := testAuthMoveCommand(t)
-				cmd.client = client
-
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
-	})
-
-	t.Run("integration", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		ui, cmd := testAuthMoveCommand(t)
-		cmd.client = client
-
-		if err := client.Sys().EnableAuthWithOptions("my-auth", &api.EnableAuthOptions{
-			Type: "userpass",
-		}); err != nil {
-			t.Fatal(err)
-		}
-
-		code := cmd.Run([]string{
-			"auth/my-auth/", "auth/my-auth-2/",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Success! Finished moving auth method auth/my-auth/ to auth/my-auth-2/"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-
-		mounts, err := client.Sys().ListAuth()
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		if _, ok := mounts["my-auth-2/"]; !ok {
-			t.Errorf("expected mount at my-auth-2/: %#v", mounts)
-		}
-	})
-
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerBad(t)
-		defer closer()
-
-		ui, cmd := testAuthMoveCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"auth/my-auth/", "auth/my-auth-2/",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Error moving auth method auth/my-auth/ to auth/my-auth-2/:"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testAuthMoveCommand(t)
-		assertNoTabs(t, cmd)
-	})
+<Tabs>
+<Tab heading="cURL">
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/azure/creds/my-role
+```
+
+</Tab>
+<Tab heading="CLI">
+
+```shell-session
+$ vault read azure/creds/my-role
+```
+
+</Tab>
+</Tabs>
+
+### Sample response
+
+```json
+{
+  "data": {
+    "client_id": "408bf248-dd4e-4be5-919a-7f6207a307ab",
+    "client_secret": "9PfdaDP9qcf98ggw8WSttfVreFcN4q9c4m4x",
+    ...
+  }
 }
+```
+
+## Revoking/Renewing secrets
+
+See docs on how to [renew](/vault/api-docs/system/leases#renew-lease) and [revoke](/vault/api-docs/system/leases#revoke-lease) leases.
+
+[docs]: /vault/docs/secrets/azure
+[roles]: /vault/docs/secrets/azure#roles
+[groups]: /vault/docs/secrets/azure#azure-groups
diff --git a/command/auth_test.go b/command/auth_test.go
index 4eb7d4ee3e07..d86ec901388c 100644
--- a/command/auth_test.go
+++ b/command/auth_test.go
@@ -1,37 +1,172 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
+---
+layout: docs
+page_title: Azure Key Vault - Secrets Sync Destination
+description: The Azure Key Vault destination syncs secrets from Vault to Azure.
+---
 
-package command
+# Azure Key Vault
 
-import (
-	"testing"
+The Azure Key Vault destination enables Vault to sync and unsync secrets of your choosing into
+an external Azure account. When configured, Vault will actively maintain the state of each externally-synced
+secret in realtime. This includes sending new secrets, updating existing secret values, and removing
+secrets when they either get dissociated from the destination or deleted from Vault.
 
-	"github.com/mitchellh/cli"
+Prerequisites:
+* Ability to read or create KVv2 secrets
+* Ability to create Azure AD user credentials with access to an Azure Key Vault
+* Ability to create sync destinations and associations on your Vault server
 
-	"github.com/hashicorp/vault/command/token"
-)
+## Setup
 
-func testAuthCommand(tb testing.TB) (*cli.MockUi, *AuthCommand) {
-	tb.Helper()
+1. If you do not already have an Azure Key Vault instance, navigate to the Azure Portal to create a new
+  [Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/general/quick-create-portal).
 
-	ui := cli.NewMockUi()
-	return ui, &AuthCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
+1. A service principal with a client id and client secret will be needed to configure Azure Key Vault as a
+  sync destination. This [guide](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal)
+  will walk you through creating the service principal.
 
-			// Override to our own token helper
-			tokenHelper: token.NewTestingTokenHelper(),
-		},
-	}
-}
+1. Once the service principal is created, the next step is to
+  [grant the service principal](https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli)
+  access to Azure Key Vault. To quickly get started, we recommend using the "Key Vault Secrets Officer" built-in role,
+  which gives sufficient access to manage secrets. For more information, see the [Permissions](#permissions) section.
+
+
+1. Configure a sync destination with the service principal credentials and Key Vault URI created in the previous steps.
+
+  ```shell-session
+  $ vault write sys/sync/stores/azure-kv/my-azure-1 \
+      key_vault_uri="$KEY_VAULT_URI" \
+      client_id="$CLIENT_ID" \
+      client_secret="$CLIENT_SECRET" \
+      tenant_id="$TENANT_ID"
+  ```
+
+  **Output:**
+
+  <CodeBlockConfig hideClipboard>
+
+  ```plaintext
+  Key                   Value
+  ---                   -----
+  connection_details    map[client_id:123 client_secret:***** key_vault_uri:***** tenant_id:123]
+  name                  my-azure-1
+  type                  azure-kv
+  ```
+
+  </CodeBlockConfig>
+
+## Usage
+
+1. If you do not already have a KVv2 secret to sync, mount a new KVv2 secrets engine.
+
+  ```shell-session
+  $ vault secrets enable -path='my-kv' kv-v2
+  ```
+
+  **Output:**
+
+  <CodeBlockConfig hideClipboard>
+
+  ```plaintext
+  Success! Enabled the kv-v2 secrets engine at: my-kv/
+  ```
+
+  </CodeBlockConfig>
+
+1. Create secrets you wish to sync with a target Azure Key Vault.
+
+  ```shell-session
+  $ vault kv put -mount='my-kv' my-secret foo='bar'
+  ```
 
-func TestAuthCommand_Run(t *testing.T) {
-	t.Parallel()
+  **Output:**
 
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
+  <CodeBlockConfig hideClipboard>
 
-		_, cmd := testAuthCommand(t)
-		assertNoTabs(t, cmd)
-	})
+  ```plaintext
+  ==== Secret Path ====
+  my-kv/data/my-secret
+
+  ======= Metadata =======
+  Key                Value
+  ---                -----
+  created_time       2023-09-19T13:17:23.395109Z
+  custom_metadata    <nil>
+  deletion_time      n/a
+  destroyed          false
+  version            1
+  ```
+
+  </CodeBlockConfig>
+
+1. Create an association between the destination and a secret to synchronize.
+
+  ```shell-session
+  $ vault write sys/sync/destinations/azure-kv/my-azure-1/associations/set \
+      mount='my-kv' \
+      secret_name='my-secret'
+  ```
+
+  **Output:**
+
+  <CodeBlockConfig hideClipboard>
+
+  ```plaintext
+  Key                   Value
+  ---                   -----
+  associated_secrets    map[kv_7532a8b4/my-secret:map[accessor:kv_7532a8b4 secret_name:my-secret sync_status:SYNCED updated_at:2023-09-21T13:53:24.839885-07:00]]
+  store_name            my-azure-1
+  store_type            azure-kv
+  ```
+
+  </CodeBlockConfig>
+
+1. Navigate to [Azure Key Vault](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
+  in the Azure portal to confirm your secret was successfully created.
+
+Moving forward, any modification on the Vault secret will be propagated in near real time to its Azure Key Vault
+counterpart. Creating a new secret version in Vault will create a new version in Azure Key Vault. Deleting the secret
+or the association in Vault will delete the secret in your Azure Key Vault as well.
+
+
+## Permissions
+
+For a more minimal set of permissions, you can create a
+[custom role](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles#steps-to-create-a-custom-role)
+using the following JSON role definition. Be sure to replace the subscription id placeholder.
+
+```json
+{
+  "properties": {
+    "roleName": "Key Vault Secrets Reader Writer",
+    "description": "Custom role for reading and updating Azure Key Vault secrets.",
+    "permissions": [
+      {
+        "actions": [
+          "Microsoft.KeyVault/vaults/secrets/read",
+          "Microsoft.KeyVault/vaults/secrets/write"
+        ],
+        "notActions": [],
+        "dataActions": [
+          "Microsoft.KeyVault/vaults/secrets/delete",
+          "Microsoft.KeyVault/vaults/secrets/backup/action",
+          "Microsoft.KeyVault/vaults/secrets/purge/action",
+          "Microsoft.KeyVault/vaults/secrets/recover/action",
+          "Microsoft.KeyVault/vaults/secrets/restore/action",
+          "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
+          "Microsoft.KeyVault/vaults/secrets/getSecret/action",
+          "Microsoft.KeyVault/vaults/secrets/setSecret/action"
+        ],
+        "notDataActions": []
+      }
+    ],
+    "assignableScopes": [
+      "/subscriptions/{subscriptionId}/"
+    ]
+  }
 }
+```
+
+## API
+
+Please see the [secrets sync API](/vault/api-docs/system/secrets-sync) for more details.
diff --git a/command/auth_tune.go b/command/auth_tune.go
index 65b3070666d9..3f203fb13bb0 100644
--- a/command/auth_tune.go
+++ b/command/auth_tune.go
@@ -1,310 +1,179 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package ldap
 
 import (
-	"flag"
+	"context"
 	"fmt"
-	"strconv"
 	"strings"
-	"time"
+	"sync"
 
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
+	"github.com/hashicorp/cap/ldap"
+	"github.com/hashicorp/go-secure-stdlib/strutil"
 
-var (
-	_ cli.Command             = (*AuthTuneCommand)(nil)
-	_ cli.CommandAutocomplete = (*AuthTuneCommand)(nil)
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/ldaputil"
+	"github.com/hashicorp/vault/sdk/logical"
 )
 
-type AuthTuneCommand struct {
-	*BaseCommand
-
-	flagAuditNonHMACRequestKeys         []string
-	flagAuditNonHMACResponseKeys        []string
-	flagDefaultLeaseTTL                 time.Duration
-	flagDescription                     string
-	flagListingVisibility               string
-	flagMaxLeaseTTL                     time.Duration
-	flagPassthroughRequestHeaders       []string
-	flagAllowedResponseHeaders          []string
-	flagOptions                         map[string]string
-	flagTokenType                       string
-	flagVersion                         int
-	flagPluginVersion                   string
-	flagUserLockoutThreshold            uint
-	flagUserLockoutDuration             time.Duration
-	flagUserLockoutCounterResetDuration time.Duration
-	flagUserLockoutDisable              bool
-}
-
-func (c *AuthTuneCommand) Synopsis() string {
-	return "Tunes an auth method configuration"
-}
-
-func (c *AuthTuneCommand) Help() string {
-	helpText := `
-Usage: vault auth tune [options] PATH
-
-  Tunes the configuration options for the auth method at the given PATH. The
-  argument corresponds to the PATH where the auth method is enabled, not the
-  TYPE!
-
-  Tune the default lease for the github auth method:
-
-      $ vault auth tune -default-lease-ttl=72h github/
-
-` + c.Flags().Help()
+const (
+	operationPrefixLDAP   = "ldap"
+	errUserBindFailed     = "ldap operation failed: failed to bind as user"
+	defaultPasswordLength = 64 // length to use for configured root password on rotations by default
+)
 
-	return strings.TrimSpace(helpText)
+func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
+	b := Backend()
+	if err := b.Setup(ctx, conf); err != nil {
+		return nil, err
+	}
+	return b, nil
 }
 
-func (c *AuthTuneCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP)
-
-	f := set.NewFlagSet("Command Options")
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:   flagNameAuditNonHMACRequestKeys,
-		Target: &c.flagAuditNonHMACRequestKeys,
-		Usage: "Key that will not be HMAC'd by audit devices in the request data " +
-			"object. To specify multiple values, specify this flag multiple times.",
-	})
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:   flagNameAuditNonHMACResponseKeys,
-		Target: &c.flagAuditNonHMACResponseKeys,
-		Usage: "Key that will not be HMAC'd by audit devices in the response data " +
-			"object. To specify multiple values, specify this flag multiple times.",
-	})
-
-	f.DurationVar(&DurationVar{
-		Name:       "default-lease-ttl",
-		Target:     &c.flagDefaultLeaseTTL,
-		Default:    0,
-		EnvVar:     "",
-		Completion: complete.PredictAnything,
-		Usage: "The default lease TTL for this auth method. If unspecified, this " +
-			"defaults to the Vault server's globally configured default lease TTL, " +
-			"or a previously configured value for the auth method.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:   flagNameDescription,
-		Target: &c.flagDescription,
-		Usage: "Human-friendly description of the this auth method. This overrides " +
-			"the current stored value, if any.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:   flagNameListingVisibility,
-		Target: &c.flagListingVisibility,
-		Usage: "Determines the visibility of the mount in the UI-specific listing " +
-			"endpoint.",
-	})
-
-	f.DurationVar(&DurationVar{
-		Name:       "max-lease-ttl",
-		Target:     &c.flagMaxLeaseTTL,
-		Default:    0,
-		EnvVar:     "",
-		Completion: complete.PredictAnything,
-		Usage: "The maximum lease TTL for this auth method. If unspecified, this " +
-			"defaults to the Vault server's globally configured maximum lease TTL, " +
-			"or a previously configured value for the auth method.",
-	})
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:   flagNamePassthroughRequestHeaders,
-		Target: &c.flagPassthroughRequestHeaders,
-		Usage: "Request header value that will be sent to the plugin. To specify " +
-			"multiple values, specify this flag multiple times.",
-	})
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:   flagNameAllowedResponseHeaders,
-		Target: &c.flagAllowedResponseHeaders,
-		Usage: "Response header value that plugins will be allowed to set. To specify " +
-			"multiple values, specify this flag multiple times.",
-	})
-
-	f.StringMapVar(&StringMapVar{
-		Name:       "options",
-		Target:     &c.flagOptions,
-		Completion: complete.PredictAnything,
-		Usage: "Key-value pair provided as key=value for the mount options. " +
-			"This can be specified multiple times.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:   flagNameTokenType,
-		Target: &c.flagTokenType,
-		Usage:  "Sets a forced token type for the mount.",
-	})
-
-	f.IntVar(&IntVar{
-		Name:    "version",
-		Target:  &c.flagVersion,
-		Default: 0,
-		Usage:   "Select the version of the auth method to run. Not supported by all auth methods.",
-	})
-
-	f.UintVar(&UintVar{
-		Name:   flagNameUserLockoutThreshold,
-		Target: &c.flagUserLockoutThreshold,
-		Usage: "The threshold for user lockout for this auth method. If unspecified, this " +
-			"defaults to the Vault server's globally configured user lockout threshold, " +
-			"or a previously configured value for the auth method.",
-	})
-
-	f.DurationVar(&DurationVar{
-		Name:       flagNameUserLockoutDuration,
-		Target:     &c.flagUserLockoutDuration,
-		Completion: complete.PredictAnything,
-		Usage: "The user lockout duration for this auth method. If unspecified, this " +
-			"defaults to the Vault server's globally configured user lockout duration, " +
-			"or a previously configured value for the auth method.",
-	})
-
-	f.DurationVar(&DurationVar{
-		Name:       flagNameUserLockoutCounterResetDuration,
-		Target:     &c.flagUserLockoutCounterResetDuration,
-		Completion: complete.PredictAnything,
-		Usage: "The user lockout counter reset duration for this auth method. If unspecified, this " +
-			"defaults to the Vault server's globally configured user lockout counter reset duration, " +
-			"or a previously configured value for the auth method.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    flagNameUserLockoutDisable,
-		Target:  &c.flagUserLockoutDisable,
-		Default: false,
-		Usage: "Disable user lockout for this auth method. If unspecified, this " +
-			"defaults to the Vault server's globally configured user lockout disable, " +
-			"or a previously configured value for the auth method.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:    flagNamePluginVersion,
-		Target:  &c.flagPluginVersion,
-		Default: "",
-		Usage: "Select the semantic version of the plugin to run. The new version must be registered in " +
-			"the plugin catalog, and will not start running until the plugin is reloaded.",
-	})
+func Backend() *backend {
+	var b backend
+	b.Backend = &framework.Backend{
+		Help: backendHelp,
+
+		PathsSpecial: &logical.Paths{
+			Unauthenticated: []string{
+				"login/*",
+			},
+
+			SealWrapStorage: []string{
+				"config",
+			},
+		},
+
+		Paths: []*framework.Path{
+			pathConfig(&b),
+			pathGroups(&b),
+			pathGroupsList(&b),
+			pathUsers(&b),
+			pathUsersList(&b),
+			pathLogin(&b),
+			pathConfigRotateRoot(&b),
+		},
+
+		AuthRenew:   b.pathLoginRenew,
+		BackendType: logical.TypeCredential,
+	}
 
-	return set
+	return &b
 }
 
-func (c *AuthTuneCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultAuths()
-}
+type backend struct {
+	*framework.Backend
 
-func (c *AuthTuneCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
+	mu sync.RWMutex
 }
 
-func (c *AuthTuneCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
-	}
-
-	client, err := c.Client()
+func (b *backend) Login(ctx context.Context, req *logical.Request, username string, password string, usernameAsAlias bool) (string, []string, *logical.Response, []string, error) {
+	cfg, err := b.Config(ctx, req)
 	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
+		return "", nil, nil, nil, err
 	}
-
-	if c.flagVersion > 0 {
-		if c.flagOptions == nil {
-			c.flagOptions = make(map[string]string)
-		}
-		c.flagOptions["version"] = strconv.Itoa(c.flagVersion)
+	if cfg == nil {
+		return "", nil, logical.ErrorResponse("ldap backend not configured"), nil, nil
 	}
 
-	mountConfigInput := api.MountConfigInput{
-		DefaultLeaseTTL: ttlToAPI(c.flagDefaultLeaseTTL),
-		MaxLeaseTTL:     ttlToAPI(c.flagMaxLeaseTTL),
-		Options:         c.flagOptions,
+	if cfg.DenyNullBind && len(password) == 0 {
+		return "", nil, logical.ErrorResponse("password cannot be of zero length when passwordless binds are being denied"), nil, nil
 	}
 
-	// Set these values only if they are provided in the CLI
-	f.Visit(func(fl *flag.Flag) {
-		if fl.Name == flagNameAuditNonHMACRequestKeys {
-			mountConfigInput.AuditNonHMACRequestKeys = c.flagAuditNonHMACRequestKeys
-		}
+	ldapClient, err := ldap.NewClient(ctx, ldaputil.ConvertConfig(cfg.ConfigEntry))
+	if err != nil {
+		return "", nil, logical.ErrorResponse(err.Error()), nil, nil
+	}
 
-		if fl.Name == flagNameAuditNonHMACResponseKeys {
-			mountConfigInput.AuditNonHMACResponseKeys = c.flagAuditNonHMACResponseKeys
-		}
+	// Clean connection
+	defer ldapClient.Close(ctx)
 
-		if fl.Name == flagNameDescription {
-			mountConfigInput.Description = &c.flagDescription
+	c, err := ldapClient.Authenticate(ctx, username, password, ldap.WithGroups(), ldap.WithUserAttributes())
+	if err != nil {
+		if strings.Contains(err.Error(), "discovery of user bind DN failed") ||
+			strings.Contains(err.Error(), "unable to bind user") {
+			return "", nil, logical.ErrorResponse(errUserBindFailed), nil, logical.ErrInvalidCredentials
 		}
 
-		if fl.Name == flagNameListingVisibility {
-			mountConfigInput.ListingVisibility = c.flagListingVisibility
-		}
+		return "", nil, logical.ErrorResponse(err.Error()), nil, nil
+	}
 
-		if fl.Name == flagNamePassthroughRequestHeaders {
-			mountConfigInput.PassthroughRequestHeaders = c.flagPassthroughRequestHeaders
-		}
+	ldapGroups := c.Groups
+	ldapResponse := &logical.Response{
+		Data: map[string]interface{}{},
+	}
+	if len(ldapGroups) == 0 {
+		errString := fmt.Sprintf(
+			"no LDAP groups found in groupDN %q; only policies from locally-defined groups available",
+			cfg.GroupDN)
+		ldapResponse.AddWarning(errString)
+	}
 
-		if fl.Name == flagNameAllowedResponseHeaders {
-			mountConfigInput.AllowedResponseHeaders = c.flagAllowedResponseHeaders
-		}
+	for _, warning := range c.Warnings {
+		ldapResponse.AddWarning(string(warning))
+	}
 
-		if fl.Name == flagNameTokenType {
-			mountConfigInput.TokenType = c.flagTokenType
-		}
-		switch fl.Name {
-		case flagNameUserLockoutThreshold, flagNameUserLockoutDuration, flagNameUserLockoutCounterResetDuration, flagNameUserLockoutDisable:
-			if mountConfigInput.UserLockoutConfig == nil {
-				mountConfigInput.UserLockoutConfig = &api.UserLockoutConfigInput{}
-			}
-		}
-		if fl.Name == flagNameUserLockoutThreshold {
-			mountConfigInput.UserLockoutConfig.LockoutThreshold = strconv.FormatUint(uint64(c.flagUserLockoutThreshold), 10)
-		}
-		if fl.Name == flagNameUserLockoutDuration {
-			mountConfigInput.UserLockoutConfig.LockoutDuration = ttlToAPI(c.flagUserLockoutDuration)
-		}
-		if fl.Name == flagNameUserLockoutCounterResetDuration {
-			mountConfigInput.UserLockoutConfig.LockoutCounterResetDuration = ttlToAPI(c.flagUserLockoutCounterResetDuration)
+	var allGroups []string
+	canonicalUsername := username
+	cs := *cfg.CaseSensitiveNames
+	if !cs {
+		canonicalUsername = strings.ToLower(username)
+	}
+	// Import the custom added groups from ldap backend
+	user, err := b.User(ctx, req.Storage, canonicalUsername)
+	if err == nil && user != nil && user.Groups != nil {
+		if b.Logger().IsDebug() {
+			b.Logger().Debug("adding local groups", "num_local_groups", len(user.Groups), "local_groups", user.Groups)
 		}
-		if fl.Name == flagNameUserLockoutDisable {
-			mountConfigInput.UserLockoutConfig.DisableLockout = &c.flagUserLockoutDisable
+		allGroups = append(allGroups, user.Groups...)
+	}
+	// Merge local and LDAP groups
+	allGroups = append(allGroups, ldapGroups...)
+
+	canonicalGroups := allGroups
+	// If not case sensitive, lowercase all
+	if !cs {
+		canonicalGroups = make([]string, len(allGroups))
+		for i, v := range allGroups {
+			canonicalGroups[i] = strings.ToLower(v)
 		}
+	}
 
-		if fl.Name == flagNamePluginVersion {
-			mountConfigInput.PluginVersion = c.flagPluginVersion
+	// Retrieve policies
+	var policies []string
+	for _, groupName := range canonicalGroups {
+		group, err := b.Group(ctx, req.Storage, groupName)
+		if err == nil && group != nil {
+			policies = append(policies, group.Policies...)
 		}
-	})
+	}
+	if user != nil && user.Policies != nil {
+		policies = append(policies, user.Policies...)
+	}
+	// Policies from each group may overlap
+	policies = strutil.RemoveDuplicates(policies, true)
 
-	// Append /auth (since that's where auths live) and a trailing slash to
-	// indicate it's a path in output
-	mountPath := ensureTrailingSlash(sanitizePath(args[0]))
+	if usernameAsAlias {
+		return username, policies, ldapResponse, allGroups, nil
+	}
 
-	if err := client.Sys().TuneMount("/auth/"+mountPath, mountConfigInput); err != nil {
-		c.UI.Error(fmt.Sprintf("Error tuning auth method %s: %s", mountPath, err))
-		return 2
+	userAttrValues := c.UserAttributes[cfg.UserAttr]
+	if len(userAttrValues) == 0 {
+		return "", nil, logical.ErrorResponse("missing entity alias attribute value"), nil, nil
 	}
+	entityAliasAttribute := userAttrValues[0]
 
-	c.UI.Output(fmt.Sprintf("Success! Tuned the auth method at: %s", mountPath))
-	return 0
+	return entityAliasAttribute, policies, ldapResponse, allGroups, nil
 }
+
+const backendHelp = `
+The "ldap" credential provider allows authentication querying
+a LDAP server, checking username and password, and associating groups
+to set of policies.
+
+Configuration of the server is done through the "config" and "groups"
+endpoints by a user with root access. Authentication is then done
+by supplying the two fields for "login".
+`
diff --git a/command/auth_tune_test.go b/command/auth_tune_test.go
index ea0449b9d5c2..d84cd64cadca 100644
--- a/command/auth_tune_test.go
+++ b/command/auth_tune_test.go
@@ -1,292 +1,7149 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package pki
 
 import (
+	"bytes"
+	"context"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/base64"
+	"encoding/hex"
+	"encoding/json"
+	"encoding/pem"
+	"fmt"
+	"math"
+	"math/big"
+	mathrand "math/rand"
+	"net"
+	"net/url"
+	"os"
+	"reflect"
+	"sort"
+	"strconv"
 	"strings"
+	"sync"
 	"testing"
+	"time"
 
+	"github.com/hashicorp/vault/helper/testhelpers/teststorage"
+	"golang.org/x/exp/maps"
+
+	"github.com/hashicorp/vault/helper/testhelpers"
+
+	"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/armon/go-metrics"
+	"github.com/fatih/structs"
 	"github.com/go-test/deep"
+	"github.com/hashicorp/go-secure-stdlib/strutil"
 	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
-	"github.com/mitchellh/cli"
+	auth "github.com/hashicorp/vault/api/auth/userpass"
+	"github.com/hashicorp/vault/builtin/credential/userpass"
+	logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical"
+	vaulthttp "github.com/hashicorp/vault/http"
+	"github.com/hashicorp/vault/sdk/helper/certutil"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/vault"
+	"github.com/mitchellh/mapstructure"
+	"golang.org/x/net/idna"
 )
 
-func testAuthTuneCommand(tb testing.TB) (*cli.MockUi, *AuthTuneCommand) {
-	tb.Helper()
+var stepCount = 0
 
-	ui := cli.NewMockUi()
-	return ui, &AuthTuneCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
+// From builtin/credential/cert/test-fixtures/root/rootcacert.pem
+const (
+	rootCACertPEM = `-----BEGIN CERTIFICATE-----
+MIIDPDCCAiSgAwIBAgIUb5id+GcaMeMnYBv3MvdTGWigyJ0wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTYwMjI5MDIyNzI5WhcNMjYw
+MjI2MDIyNzU5WjAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAOxTMvhTuIRc2YhxZpmPwegP86cgnqfT1mXxi1A7
+Q7qax24Nqbf00I3oDMQtAJlj2RB3hvRSCb0/lkF7i1Bub+TGxuM7NtZqp2F8FgG0
+z2md+W6adwW26rlxbQKjmRvMn66G9YPTkoJmPmxt2Tccb9+apmwW7lslL5j8H48x
+AHJTMb+PMP9kbOHV5Abr3PT4jXUPUr/mWBvBiKiHG0Xd/HEmlyOEPeAThxK+I5tb
+6m+eB+7cL9BsvQpy135+2bRAxUphvFi5NhryJ2vlAvoJ8UqigsNK3E28ut60FAoH
+SWRfFUFFYtfPgTDS1yOKU/z/XMU2giQv2HrleWt0mp4jqBUCAwEAAaOBgTB/MA4G
+A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSdxLNP/ocx
+7HK6JT3/sSAe76iTmzAfBgNVHSMEGDAWgBSdxLNP/ocx7HK6JT3/sSAe76iTmzAc
+BgNVHREEFTATggtleGFtcGxlLmNvbYcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA
+wHThDRsXJunKbAapxmQ6bDxSvTvkLA6m97TXlsFgL+Q3Jrg9HoJCNowJ0pUTwhP2
+U946dCnSCkZck0fqkwVi4vJ5EQnkvyEbfN4W5qVsQKOFaFVzep6Qid4rZT6owWPa
+cNNzNcXAee3/j6hgr6OQ/i3J6fYR4YouYxYkjojYyg+CMdn6q8BoV0BTsHdnw1/N
+ScbnBHQIvIZMBDAmQueQZolgJcdOuBLYHe/kRy167z8nGg+PUFKIYOL8NaOU1+CJ
+t2YaEibVq5MRqCbRgnd9a2vG0jr5a3Mn4CUUYv+5qIjP3hUusYenW1/EWtn1s/gk
+zehNe5dFTjFpylg1o6b8Ow==
+-----END CERTIFICATE-----`
+	rootCAKeyPEM = `-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA7FMy+FO4hFzZiHFmmY/B6A/zpyCep9PWZfGLUDtDuprHbg2p
+t/TQjegMxC0AmWPZEHeG9FIJvT+WQXuLUG5v5MbG4zs21mqnYXwWAbTPaZ35bpp3
+BbbquXFtAqOZG8yfrob1g9OSgmY+bG3ZNxxv35qmbBbuWyUvmPwfjzEAclMxv48w
+/2Rs4dXkBuvc9PiNdQ9Sv+ZYG8GIqIcbRd38cSaXI4Q94BOHEr4jm1vqb54H7twv
+0Gy9CnLXfn7ZtEDFSmG8WLk2GvIna+UC+gnxSqKCw0rcTby63rQUCgdJZF8VQUVi
+18+BMNLXI4pT/P9cxTaCJC/YeuV5a3SaniOoFQIDAQABAoIBAQCoGZJC84JnnIgb
+ttZNWuWKBXbCJcDVDikOQJ9hBZbqsFg1X0CfGmQS3MHf9Ubc1Ro8zVjQh15oIEfn
+8lIpdzTeXcpxLdiW8ix3ekVJF20F6pnXY8ZP6UnTeOwamXY6QPZAtb0D9UXcvY+f
+nw+IVRD6082XS0Rmzu+peYWVXDy+FDN+HJRANBcdJZz8gOmNBIe0qDWx1b85d/s8
+2Kk1Wwdss1IwAGeSddTSwzBNaaHdItZaMZOqPW1gRyBfVSkcUQIE6zn2RKw2b70t
+grkIvyRcTdfmiKbqkkJ+eR+ITOUt0cBZSH4cDjlQA+r7hulvoBpQBRj068Toxkcc
+bTagHaPBAoGBAPWPGVkHqhTbJ/DjmqDIStxby2M1fhhHt4xUGHinhUYjQjGOtDQ9
+0mfaB7HObudRiSLydRAVGAHGyNJdQcTeFxeQbovwGiYKfZSA1IGpea7dTxPpGEdN
+ksA0pzSp9MfKzX/MdLuAkEtO58aAg5YzsgX9hDNxo4MhH/gremZhEGZlAoGBAPZf
+lqdYvAL0fjHGJ1FUEalhzGCGE9PH2iOqsxqLCXK7bDbzYSjvuiHkhYJHAOgVdiW1
+lB34UHHYAqZ1VVoFqJ05gax6DE2+r7K5VV3FUCaC0Zm3pavxchU9R/TKP82xRrBj
+AFWwdgDTxUyvQEmgPR9sqorftO71Iz2tiwyTpIfxAoGBAIhEMLzHFAse0rtKkrRG
+ccR27BbRyHeQ1Lp6sFnEHKEfT8xQdI/I/snCpCJ3e/PBu2g5Q9z416mktiyGs8ib
+thTNgYsGYnxZtfaCx2pssanoBcn2wBJRae5fSapf5gY49HDG9MBYR7qCvvvYtSzU
+4yWP2ZzyotpRt3vwJKxLkN5BAoGAORHpZvhiDNkvxj3da7Rqpu7VleJZA2y+9hYb
+iOF+HcqWhaAY+I+XcTRrTMM/zYLzLEcEeXDEyao86uwxCjpXVZw1kotvAC9UqbTO
+tnr3VwRkoxPsV4kFYTAh0+1pnC8dbcxxDmhi3Uww3tOVs7hfkEDuvF6XnebA9A+Y
+LyCgMzECgYEA6cCU8QODOivIKWFRXucvWckgE6MYDBaAwe6qcLsd1Q/gpE2e3yQc
+4RB3bcyiPROLzMLlXFxf1vSNJQdIaVfrRv+zJeGIiivLPU8+Eq4Lrb+tl1LepcOX
+OzQeADTSCn5VidOfjDkIst9UXjMlrFfV9/oJEw5Eiqa6lkNPCGDhfA8=
+-----END RSA PRIVATE KEY-----`
+)
+
+func TestPKI_RequireCN(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
+		"common_name": "myvault.com",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil {
+		t.Fatal("expected ca info")
+	}
+
+	// Create a role which does require CN (default)
+	_, err = CBWrite(b, s, "roles/example", map[string]interface{}{
+		"allowed_domains":    "foobar.com,zipzap.com,abc.com,xyz.com",
+		"allow_bare_domains": true,
+		"allow_subdomains":   true,
+		"max_ttl":            "2h",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Issue a cert with require_cn set to true and with common name supplied.
+	// It should succeed.
+	resp, err = CBWrite(b, s, "issue/example", map[string]interface{}{
+		"common_name": "foobar.com",
+	})
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("issue/example"), logical.UpdateOperation), resp, true)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Issue a cert with require_cn set to true and with out supplying the
+	// common name. It should error out.
+	_, err = CBWrite(b, s, "issue/example", map[string]interface{}{})
+	if err == nil {
+		t.Fatalf("expected an error due to missing common_name")
+	}
+
+	// Modify the role to make the common name optional
+	_, err = CBWrite(b, s, "roles/example", map[string]interface{}{
+		"allowed_domains":    "foobar.com,zipzap.com,abc.com,xyz.com",
+		"allow_bare_domains": true,
+		"allow_subdomains":   true,
+		"max_ttl":            "2h",
+		"require_cn":         false,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Issue a cert with require_cn set to false and without supplying the
+	// common name. It should succeed.
+	resp, err = CBWrite(b, s, "issue/example", map[string]interface{}{})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if resp.Data["certificate"] == "" {
+		t.Fatalf("expected a cert to be generated")
+	}
+
+	// Issue a cert with require_cn set to false and with a common name. It
+	// should succeed.
+	resp, err = CBWrite(b, s, "issue/example", map[string]interface{}{})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if resp.Data["certificate"] == "" {
+		t.Fatalf("expected a cert to be generated")
 	}
 }
 
-func TestAuthTuneCommand_Run(t *testing.T) {
+func TestPKI_DeviceCert(t *testing.T) {
 	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
 
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"not_enough_args",
-			[]string{},
-			"Not enough arguments",
-			1,
-		},
-		{
-			"too_many_args",
-			[]string{"foo", "bar"},
-			"Too many arguments",
-			1,
-		},
+	resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
+		"common_name":         "myvault.com",
+		"not_after":           "9999-12-31T23:59:59Z",
+		"not_before_duration": "2h",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil {
+		t.Fatal("expected ca info")
+	}
+	var certBundle certutil.CertBundle
+	err = mapstructure.Decode(resp.Data, &certBundle)
+	if err != nil {
+		t.Fatal(err)
 	}
 
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
+	parsedCertBundle, err := certBundle.ToParsedCertBundle()
+	if err != nil {
+		t.Fatal(err)
+	}
+	cert := parsedCertBundle.Certificate
+	notAfter := cert.NotAfter.Format(time.RFC3339)
+	if notAfter != "9999-12-31T23:59:59Z" {
+		t.Fatalf("not after from certificate: %v is not matching with input parameter: %v", cert.NotAfter, "9999-12-31T23:59:59Z")
+	}
+	if math.Abs(float64(time.Now().Add(-2*time.Hour).Unix()-cert.NotBefore.Unix())) > 10 {
+		t.Fatalf("root/generate/internal did not properly set validity period (notBefore): was %v vs expected %v", cert.NotBefore, time.Now().Add(-2*time.Hour))
+	}
 
-		for _, tc := range cases {
-			tc := tc
+	// Create a role which does require CN (default)
+	_, err = CBWrite(b, s, "roles/example", map[string]interface{}{
+		"allowed_domains":    "foobar.com,zipzap.com,abc.com,xyz.com",
+		"allow_bare_domains": true,
+		"allow_subdomains":   true,
+		"not_after":          "9999-12-31T23:59:59Z",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
 
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
+	// Issue a cert with require_cn set to true and with common name supplied.
+	// It should succeed.
+	resp, err = CBWrite(b, s, "issue/example", map[string]interface{}{
+		"common_name": "foobar.com",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = mapstructure.Decode(resp.Data, &certBundle)
+	if err != nil {
+		t.Fatal(err)
+	}
 
-				client, closer := testVaultServer(t)
-				defer closer()
+	parsedCertBundle, err = certBundle.ToParsedCertBundle()
+	if err != nil {
+		t.Fatal(err)
+	}
+	cert = parsedCertBundle.Certificate
+	notAfter = cert.NotAfter.Format(time.RFC3339)
+	if notAfter != "9999-12-31T23:59:59Z" {
+		t.Fatal(fmt.Errorf("not after from certificate  is not matching with input parameter"))
+	}
+}
 
-				ui, cmd := testAuthTuneCommand(t)
-				cmd.client = client
+func TestBackend_InvalidParameter(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
 
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
+	_, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
+		"common_name": "myvault.com",
+		"not_after":   "9999-12-31T23:59:59Z",
+		"ttl":         "25h",
+	})
+	if err == nil {
+		t.Fatal(err)
+	}
 
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
+	_, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
+		"common_name": "myvault.com",
+		"not_after":   "9999-12-31T23:59:59",
 	})
+	if err == nil {
+		t.Fatal(err)
+	}
+}
 
-	t.Run("integration", func(t *testing.T) {
-		t.Run("flags_all", func(t *testing.T) {
-			t.Parallel()
-			pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
-			defer cleanup(t)
+func TestBackend_CSRValues(t *testing.T) {
+	t.Parallel()
+	initTest.Do(setCerts)
+	b, _ := CreateBackendWithStorage(t)
 
-			client, _, closer := testVaultServerPluginDir(t, pluginDir)
-			defer closer()
+	testCase := logicaltest.TestCase{
+		LogicalBackend: b,
+		Steps:          []logicaltest.TestStep{},
+	}
 
-			ui, cmd := testAuthTuneCommand(t)
-			cmd.client = client
+	intdata := map[string]interface{}{}
+	reqdata := map[string]interface{}{}
+	testCase.Steps = append(testCase.Steps, generateCSRSteps(t, ecCACert, ecCAKey, intdata, reqdata)...)
 
-			// Mount
-			if err := client.Sys().EnableAuthWithOptions("my-auth", &api.EnableAuthOptions{
-				Type: "userpass",
-			}); err != nil {
-				t.Fatal(err)
-			}
+	logicaltest.Test(t, testCase)
+}
 
-			auths, err := client.Sys().ListAuth()
-			if err != nil {
-				t.Fatal(err)
-			}
-			mountInfo, ok := auths["my-auth/"]
-			if !ok {
-				t.Fatalf("expected mount to exist: %#v", auths)
-			}
+func TestBackend_URLsCRUD(t *testing.T) {
+	t.Parallel()
+	initTest.Do(setCerts)
+	b, _ := CreateBackendWithStorage(t)
 
-			if exp := ""; mountInfo.PluginVersion != exp {
-				t.Errorf("expected %q to be %q", mountInfo.PluginVersion, exp)
-			}
+	testCase := logicaltest.TestCase{
+		LogicalBackend: b,
+		Steps:          []logicaltest.TestStep{},
+	}
 
-			_, _, version := testPluginCreateAndRegisterVersioned(t, client, pluginDir, "userpass", api.PluginTypeCredential)
+	intdata := map[string]interface{}{}
+	reqdata := map[string]interface{}{}
+	testCase.Steps = append(testCase.Steps, generateURLSteps(t, ecCACert, ecCAKey, intdata, reqdata)...)
 
-			code := cmd.Run([]string{
-				"-description", "new description",
-				"-default-lease-ttl", "30m",
-				"-max-lease-ttl", "1h",
-				"-audit-non-hmac-request-keys", "foo,bar",
-				"-audit-non-hmac-response-keys", "foo,bar",
-				"-passthrough-request-headers", "authorization",
-				"-passthrough-request-headers", "www-authentication",
-				"-allowed-response-headers", "authorization,www-authentication",
-				"-listing-visibility", "unauth",
-				"-plugin-version", version,
-				"my-auth/",
-			})
-			if exp := 0; code != exp {
-				t.Errorf("expected %d to be %d", code, exp)
-			}
+	logicaltest.Test(t, testCase)
+}
 
-			expected := "Success! Tuned the auth method at: my-auth/"
-			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-			if !strings.Contains(combined, expected) {
-				t.Errorf("expected %q to contain %q", combined, expected)
-			}
+// Generates and tests steps that walk through the various possibilities
+// of role flags to ensure that they are properly restricted
+func TestBackend_Roles(t *testing.T) {
+	t.Parallel()
+	cases := []struct {
+		name      string
+		key, cert *string
+		useCSR    bool
+	}{
+		{"RSA", &rsaCAKey, &rsaCACert, false},
+		{"RSACSR", &rsaCAKey, &rsaCACert, true},
+		{"EC", &ecCAKey, &ecCACert, false},
+		{"ECCSR", &ecCAKey, &ecCACert, true},
+		{"ED", &edCAKey, &edCACert, false},
+		{"EDCSR", &edCAKey, &edCACert, true},
+	}
 
-			auths, err = client.Sys().ListAuth()
-			if err != nil {
-				t.Fatal(err)
-			}
+	for _, tc := range cases {
+		tc := tc
 
-			mountInfo, ok = auths["my-auth/"]
-			if !ok {
-				t.Fatalf("expected auth to exist")
-			}
-			if exp := "new description"; mountInfo.Description != exp {
-				t.Errorf("expected %q to be %q", mountInfo.Description, exp)
-			}
-			if exp := "userpass"; mountInfo.Type != exp {
-				t.Errorf("expected %q to be %q", mountInfo.Type, exp)
-			}
-			if exp := version; mountInfo.PluginVersion != exp {
-				t.Errorf("expected %q to be %q", mountInfo.PluginVersion, exp)
-			}
-			if exp := 1800; mountInfo.Config.DefaultLeaseTTL != exp {
-				t.Errorf("expected %d to be %d", mountInfo.Config.DefaultLeaseTTL, exp)
-			}
-			if exp := 3600; mountInfo.Config.MaxLeaseTTL != exp {
-				t.Errorf("expected %d to be %d", mountInfo.Config.MaxLeaseTTL, exp)
-			}
-			if diff := deep.Equal([]string{"authorization", "www-authentication"}, mountInfo.Config.PassthroughRequestHeaders); len(diff) > 0 {
-				t.Errorf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff)
+		t.Run(tc.name, func(t *testing.T) {
+			initTest.Do(setCerts)
+			b, _ := CreateBackendWithStorage(t)
+
+			testCase := logicaltest.TestCase{
+				LogicalBackend: b,
+				Steps: []logicaltest.TestStep{
+					{
+						Operation: logical.UpdateOperation,
+						Path:      "config/ca",
+						Data: map[string]interface{}{
+							"pem_bundle": *tc.key + "\n" + *tc.cert,
+						},
+					},
+				},
 			}
-			if diff := deep.Equal([]string{"authorization,www-authentication"}, mountInfo.Config.AllowedResponseHeaders); len(diff) > 0 {
-				t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff)
+
+			testCase.Steps = append(testCase.Steps, generateRoleSteps(t, tc.useCSR)...)
+			if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
+				for i, v := range testCase.Steps {
+					data := map[string]interface{}{}
+					var keys []string
+					for k := range v.Data {
+						keys = append(keys, k)
+					}
+					sort.Strings(keys)
+					for _, k := range keys {
+						interf := v.Data[k]
+						switch v := interf.(type) {
+						case bool:
+							if !v {
+								continue
+							}
+						case int:
+							if v == 0 {
+								continue
+							}
+						case []string:
+							if len(v) == 0 {
+								continue
+							}
+						case string:
+							if v == "" {
+								continue
+							}
+							lines := strings.Split(v, "\n")
+							if len(lines) > 1 {
+								data[k] = lines[0] + " ... (truncated)"
+								continue
+							}
+						}
+						data[k] = interf
+
+					}
+					t.Logf("Step %d:\n%s %s err=%v %+v\n\n", i+1, v.Operation, v.Path, v.ErrorOk, data)
+				}
 			}
-			if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 {
-				t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff)
+
+			logicaltest.Test(t, testCase)
+		})
+	}
+}
+
+// Performs some validity checking on the returned bundles
+func checkCertsAndPrivateKey(keyType string, key crypto.Signer, usage x509.KeyUsage, extUsage x509.ExtKeyUsage, validity time.Duration, certBundle *certutil.CertBundle) (*certutil.ParsedCertBundle, error) {
+	parsedCertBundle, err := certBundle.ToParsedCertBundle()
+	if err != nil {
+		return nil, fmt.Errorf("error parsing cert bundle: %s", err)
+	}
+
+	if key != nil {
+		switch keyType {
+		case "rsa":
+			parsedCertBundle.PrivateKeyType = certutil.RSAPrivateKey
+			parsedCertBundle.PrivateKey = key
+			parsedCertBundle.PrivateKeyBytes = x509.MarshalPKCS1PrivateKey(key.(*rsa.PrivateKey))
+		case "ec":
+			parsedCertBundle.PrivateKeyType = certutil.ECPrivateKey
+			parsedCertBundle.PrivateKey = key
+			parsedCertBundle.PrivateKeyBytes, err = x509.MarshalECPrivateKey(key.(*ecdsa.PrivateKey))
+			if err != nil {
+				return nil, fmt.Errorf("error parsing EC key: %s", err)
 			}
-			if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
-				t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
+		case "ed25519":
+			parsedCertBundle.PrivateKeyType = certutil.Ed25519PrivateKey
+			parsedCertBundle.PrivateKey = key
+			parsedCertBundle.PrivateKeyBytes, err = x509.MarshalPKCS8PrivateKey(key.(ed25519.PrivateKey))
+			if err != nil {
+				return nil, fmt.Errorf("error parsing Ed25519 key: %s", err)
 			}
-		})
+		}
+	}
 
-		t.Run("flags_description", func(t *testing.T) {
-			t.Parallel()
-			t.Run("not_provided", func(t *testing.T) {
-				client, closer := testVaultServer(t)
-				defer closer()
+	switch {
+	case parsedCertBundle.Certificate == nil:
+		return nil, fmt.Errorf("did not find a certificate in the cert bundle")
+	case len(parsedCertBundle.CAChain) == 0 || parsedCertBundle.CAChain[0].Certificate == nil:
+		return nil, fmt.Errorf("did not find a CA in the cert bundle")
+	case parsedCertBundle.PrivateKey == nil:
+		return nil, fmt.Errorf("did not find a private key in the cert bundle")
+	case parsedCertBundle.PrivateKeyType == certutil.UnknownPrivateKey:
+		return nil, fmt.Errorf("could not figure out type of private key")
+	}
 
-				ui, cmd := testAuthTuneCommand(t)
-				cmd.client = client
+	switch {
+	case parsedCertBundle.PrivateKeyType == certutil.Ed25519PrivateKey && keyType != "ed25519":
+		fallthrough
+	case parsedCertBundle.PrivateKeyType == certutil.RSAPrivateKey && keyType != "rsa":
+		fallthrough
+	case parsedCertBundle.PrivateKeyType == certutil.ECPrivateKey && keyType != "ec":
+		return nil, fmt.Errorf("given key type does not match type found in bundle")
+	}
 
-				// Mount
-				if err := client.Sys().EnableAuthWithOptions("my-auth", &api.EnableAuthOptions{
-					Type:        "userpass",
-					Description: "initial description",
-				}); err != nil {
-					t.Fatal(err)
-				}
+	cert := parsedCertBundle.Certificate
 
-				code := cmd.Run([]string{
-					"-default-lease-ttl", "30m",
-					"my-auth/",
-				})
-				if exp := 0; code != exp {
-					t.Errorf("expected %d to be %d", code, exp)
-				}
+	if usage != cert.KeyUsage {
+		return nil, fmt.Errorf("expected usage of %#v, got %#v; ext usage is %#v", usage, cert.KeyUsage, cert.ExtKeyUsage)
+	}
+
+	// There should only be one ext usage type, because only one is requested
+	// in the tests
+	if len(cert.ExtKeyUsage) != 1 {
+		return nil, fmt.Errorf("got wrong size key usage in generated cert; expected 1, values are %#v", cert.ExtKeyUsage)
+	}
+	switch extUsage {
+	case x509.ExtKeyUsageEmailProtection:
+		if cert.ExtKeyUsage[0] != x509.ExtKeyUsageEmailProtection {
+			return nil, fmt.Errorf("bad extended key usage")
+		}
+	case x509.ExtKeyUsageServerAuth:
+		if cert.ExtKeyUsage[0] != x509.ExtKeyUsageServerAuth {
+			return nil, fmt.Errorf("bad extended key usage")
+		}
+	case x509.ExtKeyUsageClientAuth:
+		if cert.ExtKeyUsage[0] != x509.ExtKeyUsageClientAuth {
+			return nil, fmt.Errorf("bad extended key usage")
+		}
+	case x509.ExtKeyUsageCodeSigning:
+		if cert.ExtKeyUsage[0] != x509.ExtKeyUsageCodeSigning {
+			return nil, fmt.Errorf("bad extended key usage")
+		}
+	}
+
+	// TODO: We incremented 20->25 due to CircleCI execution
+	// being slow and pausing this test. We might consider recording the
+	// actual issuance time of the cert and calculating the expected
+	// validity period +/- fuzz, but that'd require recording and passing
+	// through more information.
+	if math.Abs(float64(time.Now().Add(validity).Unix()-cert.NotAfter.Unix())) > 25 {
+		return nil, fmt.Errorf("certificate validity end: %s; expected within 25 seconds of %s", cert.NotAfter.Format(time.RFC3339), time.Now().Add(validity).Format(time.RFC3339))
+	}
+
+	return parsedCertBundle, nil
+}
+
+func generateURLSteps(t *testing.T, caCert, caKey string, intdata, reqdata map[string]interface{}) []logicaltest.TestStep {
+	expected := certutil.URLEntries{
+		IssuingCertificates: []string{
+			"http://example.com/ca1",
+			"http://example.com/ca2",
+		},
+		CRLDistributionPoints: []string{
+			"http://example.com/crl1",
+			"http://example.com/crl2",
+		},
+		OCSPServers: []string{
+			"http://example.com/ocsp1",
+			"http://example.com/ocsp2",
+		},
+	}
+	csrTemplate := x509.CertificateRequest{
+		Subject: pkix.Name{
+			CommonName: "my@example.com",
+		},
+	}
+
+	priv1024, _ := rsa.GenerateKey(rand.Reader, 1024)
+	csr1024, _ := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, priv1024)
+	csrPem1024 := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE REQUEST",
+		Bytes: csr1024,
+	})))
+
+	priv2048, _ := rsa.GenerateKey(rand.Reader, 2048)
+	csr2048, _ := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, priv2048)
+	csrPem2048 := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE REQUEST",
+		Bytes: csr2048,
+	})))
 
-				expected := "Success! Tuned the auth method at: my-auth/"
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, expected) {
-					t.Errorf("expected %q to contain %q", combined, expected)
+	ret := []logicaltest.TestStep{
+		{
+			Operation: logical.UpdateOperation,
+			Path:      "root/generate/exported",
+			Data: map[string]interface{}{
+				"common_name": "Root Cert",
+				"ttl":         "180h",
+			},
+			Check: func(resp *logical.Response) error {
+				if resp.Secret != nil && resp.Secret.LeaseID != "" {
+					return fmt.Errorf("root returned with a lease")
 				}
+				return nil
+			},
+		},
+
+		{
+			Operation: logical.UpdateOperation,
+			Path:      "config/urls",
+			Data: map[string]interface{}{
+				"issuing_certificates":    strings.Join(expected.IssuingCertificates, ","),
+				"crl_distribution_points": strings.Join(expected.CRLDistributionPoints, ","),
+				"ocsp_servers":            strings.Join(expected.OCSPServers, ","),
+			},
+		},
 
-				auths, err := client.Sys().ListAuth()
+		{
+			Operation: logical.ReadOperation,
+			Path:      "config/urls",
+			Check: func(resp *logical.Response) error {
+				if resp.Data == nil {
+					return fmt.Errorf("no data returned")
+				}
+				var entries certutil.URLEntries
+				err := mapstructure.Decode(resp.Data, &entries)
 				if err != nil {
-					t.Fatal(err)
+					return err
+				}
+				if !reflect.DeepEqual(entries, expected) {
+					return fmt.Errorf("expected urls\n%#v\ndoes not match provided\n%#v\n", expected, entries)
+				}
+
+				return nil
+			},
+		},
+
+		{
+			Operation: logical.UpdateOperation,
+			Path:      "root/sign-intermediate",
+			Data: map[string]interface{}{
+				"common_name": "intermediate.cert.com",
+				"csr":         csrPem1024,
+				"format":      "der",
+			},
+			ErrorOk: true,
+			Check: func(resp *logical.Response) error {
+				if !resp.IsError() {
+					return fmt.Errorf("expected an error response but did not get one")
 				}
+				if !strings.Contains(resp.Data["error"].(string), "2048") {
+					return fmt.Errorf("received an error but not about a 1024-bit key, error was: %s", resp.Data["error"].(string))
+				}
+
+				return nil
+			},
+		},
 
-				mountInfo, ok := auths["my-auth/"]
-				if !ok {
-					t.Fatalf("expected auth to exist")
+		{
+			Operation: logical.UpdateOperation,
+			Path:      "root/sign-intermediate",
+			Data: map[string]interface{}{
+				"common_name":         "intermediate.cert.com",
+				"csr":                 csrPem2048,
+				"signature_bits":      512,
+				"format":              "der",
+				"not_before_duration": "2h",
+				// Let's Encrypt -- R3 SKID
+				"skid": "14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6",
+			},
+			Check: func(resp *logical.Response) error {
+				certString := resp.Data["certificate"].(string)
+				if certString == "" {
+					return fmt.Errorf("no certificate returned")
 				}
-				if exp := "initial description"; mountInfo.Description != exp {
-					t.Errorf("expected %q to be %q", mountInfo.Description, exp)
+				if resp.Secret != nil && resp.Secret.LeaseID != "" {
+					return fmt.Errorf("signed intermediate returned with a lease")
 				}
-			})
+				certBytes, _ := base64.StdEncoding.DecodeString(certString)
+				certs, err := x509.ParseCertificates(certBytes)
+				if err != nil {
+					return fmt.Errorf("returned cert cannot be parsed: %w", err)
+				}
+				if len(certs) != 1 {
+					return fmt.Errorf("unexpected returned length of certificates: %d", len(certs))
+				}
+				cert := certs[0]
 
-			t.Run("provided_empty", func(t *testing.T) {
-				client, closer := testVaultServer(t)
-				defer closer()
+				skid, _ := hex.DecodeString("142EB317B75856CBAE500940E61FAF9D8B14C2C6")
 
-				ui, cmd := testAuthTuneCommand(t)
-				cmd.client = client
+				switch {
+				case !reflect.DeepEqual(expected.IssuingCertificates, cert.IssuingCertificateURL):
+					return fmt.Errorf("IssuingCertificateURL:\nexpected\n%#v\ngot\n%#v\n", expected.IssuingCertificates, cert.IssuingCertificateURL)
+				case !reflect.DeepEqual(expected.CRLDistributionPoints, cert.CRLDistributionPoints):
+					return fmt.Errorf("CRLDistributionPoints:\nexpected\n%#v\ngot\n%#v\n", expected.CRLDistributionPoints, cert.CRLDistributionPoints)
+				case !reflect.DeepEqual(expected.OCSPServers, cert.OCSPServer):
+					return fmt.Errorf("OCSPServer:\nexpected\n%#v\ngot\n%#v\n", expected.OCSPServers, cert.OCSPServer)
+				case !reflect.DeepEqual([]string{"intermediate.cert.com"}, cert.DNSNames):
+					return fmt.Errorf("DNSNames\nexpected\n%#v\ngot\n%#v\n", []string{"intermediate.cert.com"}, cert.DNSNames)
+				case !reflect.DeepEqual(x509.SHA512WithRSA, cert.SignatureAlgorithm):
+					return fmt.Errorf("Signature Algorithm:\nexpected\n%#v\ngot\n%#v\n", x509.SHA512WithRSA, cert.SignatureAlgorithm)
+				case !reflect.DeepEqual(skid, cert.SubjectKeyId):
+					return fmt.Errorf("SKID:\nexpected\n%#v\ngot\n%#v\n", skid, cert.SubjectKeyId)
+				}
 
-				// Mount
-				if err := client.Sys().EnableAuthWithOptions("my-auth", &api.EnableAuthOptions{
-					Type:        "userpass",
-					Description: "initial description",
-				}); err != nil {
-					t.Fatal(err)
+				if math.Abs(float64(time.Now().Add(-2*time.Hour).Unix()-cert.NotBefore.Unix())) > 10 {
+					t.Fatalf("root/sign-intermediate did not properly set validity period (notBefore): was %v vs expected %v", cert.NotBefore, time.Now().Add(-2*time.Hour))
 				}
 
-				code := cmd.Run([]string{
-					"-description", "",
-					"my-auth/",
-				})
-				if exp := 0; code != exp {
-					t.Errorf("expected %d to be %d", code, exp)
+				return nil
+			},
+		},
+
+		// Same as above but exclude adding to sans
+		{
+			Operation: logical.UpdateOperation,
+			Path:      "root/sign-intermediate",
+			Data: map[string]interface{}{
+				"common_name":          "intermediate.cert.com",
+				"csr":                  csrPem2048,
+				"format":               "der",
+				"exclude_cn_from_sans": true,
+			},
+			Check: func(resp *logical.Response) error {
+				certString := resp.Data["certificate"].(string)
+				if certString == "" {
+					return fmt.Errorf("no certificate returned")
+				}
+				if resp.Secret != nil && resp.Secret.LeaseID != "" {
+					return fmt.Errorf("signed intermediate returned with a lease")
 				}
+				certBytes, _ := base64.StdEncoding.DecodeString(certString)
+				certs, err := x509.ParseCertificates(certBytes)
+				if err != nil {
+					return fmt.Errorf("returned cert cannot be parsed: %w", err)
+				}
+				if len(certs) != 1 {
+					return fmt.Errorf("unexpected returned length of certificates: %d", len(certs))
+				}
+				cert := certs[0]
 
-				expected := "Success! Tuned the auth method at: my-auth/"
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, expected) {
-					t.Errorf("expected %q to contain %q", combined, expected)
+				switch {
+				case !reflect.DeepEqual(expected.IssuingCertificates, cert.IssuingCertificateURL):
+					return fmt.Errorf("expected\n%#v\ngot\n%#v\n", expected.IssuingCertificates, cert.IssuingCertificateURL)
+				case !reflect.DeepEqual(expected.CRLDistributionPoints, cert.CRLDistributionPoints):
+					return fmt.Errorf("expected\n%#v\ngot\n%#v\n", expected.CRLDistributionPoints, cert.CRLDistributionPoints)
+				case !reflect.DeepEqual(expected.OCSPServers, cert.OCSPServer):
+					return fmt.Errorf("expected\n%#v\ngot\n%#v\n", expected.OCSPServers, cert.OCSPServer)
+				case !reflect.DeepEqual([]string(nil), cert.DNSNames):
+					return fmt.Errorf("expected\n%#v\ngot\n%#v\n", []string(nil), cert.DNSNames)
 				}
 
-				auths, err := client.Sys().ListAuth()
+				return nil
+			},
+		},
+	}
+	return ret
+}
+
+func generateCSR(t *testing.T, csrTemplate *x509.CertificateRequest, keyType string, keyBits int) (interface{}, []byte, string) {
+	t.Helper()
+
+	var priv interface{}
+	var err error
+	switch keyType {
+	case "rsa":
+		priv, err = rsa.GenerateKey(rand.Reader, keyBits)
+	case "ec":
+		switch keyBits {
+		case 224:
+			priv, err = ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
+		case 256:
+			priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+		case 384:
+			priv, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
+		case 521:
+			priv, err = ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
+		default:
+			t.Fatalf("Got unknown ec< key bits: %v", keyBits)
+		}
+	case "ed25519":
+		_, priv, err = ed25519.GenerateKey(rand.Reader)
+	}
+
+	if err != nil {
+		t.Fatalf("Got error generating private key for CSR: %v", err)
+	}
+
+	csr, err := x509.CreateCertificateRequest(rand.Reader, csrTemplate, priv)
+	if err != nil {
+		t.Fatalf("Got error generating CSR: %v", err)
+	}
+
+	csrPem := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE REQUEST",
+		Bytes: csr,
+	})))
+
+	return priv, csr, csrPem
+}
+
+func generateCSRSteps(t *testing.T, caCert, caKey string, intdata, reqdata map[string]interface{}) []logicaltest.TestStep {
+	csrTemplate, csrPem := generateTestCsr(t, certutil.RSAPrivateKey, 2048)
+
+	ret := []logicaltest.TestStep{
+		{
+			Operation: logical.UpdateOperation,
+			Path:      "root/generate/exported",
+			Data: map[string]interface{}{
+				"common_name":     "Root Cert",
+				"ttl":             "180h",
+				"max_path_length": 0,
+			},
+		},
+
+		{
+			Operation: logical.UpdateOperation,
+			Path:      "root/sign-intermediate",
+			Data: map[string]interface{}{
+				"use_csr_values": true,
+				"csr":            csrPem,
+				"format":         "der",
+			},
+			ErrorOk: true,
+		},
+
+		{
+			Operation: logical.DeleteOperation,
+			Path:      "root",
+		},
+
+		{
+			Operation: logical.UpdateOperation,
+			Path:      "root/generate/exported",
+			Data: map[string]interface{}{
+				"common_name":     "Root Cert",
+				"ttl":             "180h",
+				"max_path_length": 1,
+			},
+		},
+
+		{
+			Operation: logical.UpdateOperation,
+			Path:      "root/sign-intermediate",
+			Data: map[string]interface{}{
+				"use_csr_values": true,
+				"csr":            csrPem,
+				"format":         "der",
+			},
+			Check: func(resp *logical.Response) error {
+				certString := resp.Data["certificate"].(string)
+				if certString == "" {
+					return fmt.Errorf("no certificate returned")
+				}
+				certBytes, _ := base64.StdEncoding.DecodeString(certString)
+				certs, err := x509.ParseCertificates(certBytes)
 				if err != nil {
-					t.Fatal(err)
+					return fmt.Errorf("returned cert cannot be parsed: %w", err)
 				}
+				if len(certs) != 1 {
+					return fmt.Errorf("unexpected returned length of certificates: %d", len(certs))
+				}
+				cert := certs[0]
 
-				mountInfo, ok := auths["my-auth/"]
-				if !ok {
-					t.Fatalf("expected auth to exist")
+				if cert.MaxPathLen != 0 {
+					return fmt.Errorf("max path length of %d does not match the requested of 3", cert.MaxPathLen)
 				}
-				if exp := ""; mountInfo.Description != exp {
-					t.Errorf("expected %q to be %q", mountInfo.Description, exp)
+				if !cert.MaxPathLenZero {
+					return fmt.Errorf("max path length zero is not set")
 				}
-			})
-		})
-	})
 
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
+				// We need to set these as they are filled in with unparsed values in the final cert
+				csrTemplate.Subject.Names = cert.Subject.Names
+				csrTemplate.Subject.ExtraNames = cert.Subject.ExtraNames
 
-		client, closer := testVaultServerBad(t)
-		defer closer()
+				switch {
+				case !reflect.DeepEqual(cert.Subject, csrTemplate.Subject):
+					return fmt.Errorf("cert subject\n%#v\ndoes not match csr subject\n%#v\n", cert.Subject, csrTemplate.Subject)
+				case !reflect.DeepEqual(cert.DNSNames, csrTemplate.DNSNames):
+					return fmt.Errorf("cert dns names\n%#v\ndoes not match csr dns names\n%#v\n", cert.DNSNames, csrTemplate.DNSNames)
+				case !reflect.DeepEqual(cert.EmailAddresses, csrTemplate.EmailAddresses):
+					return fmt.Errorf("cert email addresses\n%#v\ndoes not match csr email addresses\n%#v\n", cert.EmailAddresses, csrTemplate.EmailAddresses)
+				case !reflect.DeepEqual(cert.IPAddresses, csrTemplate.IPAddresses):
+					return fmt.Errorf("cert ip addresses\n%#v\ndoes not match csr ip addresses\n%#v\n", cert.IPAddresses, csrTemplate.IPAddresses)
+				}
+				return nil
+			},
+		},
+	}
+	return ret
+}
 
-		ui, cmd := testAuthTuneCommand(t)
-		cmd.client = client
+func generateTestCsr(t *testing.T, keyType certutil.PrivateKeyType, keyBits int) (x509.CertificateRequest, string) {
+	t.Helper()
 
-		code := cmd.Run([]string{
-			"userpass/",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
+	csrTemplate := x509.CertificateRequest{
+		Subject: pkix.Name{
+			Country:      []string{"MyCountry"},
+			PostalCode:   []string{"MyPostalCode"},
+			SerialNumber: "MySerialNumber",
+			CommonName:   "my@example.com",
+		},
+		DNSNames: []string{
+			"name1.example.com",
+			"name2.example.com",
+			"name3.example.com",
+		},
+		EmailAddresses: []string{
+			"name1@example.com",
+			"name2@example.com",
+			"name3@example.com",
+		},
+		IPAddresses: []net.IP{
+			net.ParseIP("::ff:1:2:3:4"),
+			net.ParseIP("::ff:5:6:7:8"),
+		},
+	}
+
+	_, _, csrPem := generateCSR(t, &csrTemplate, string(keyType), keyBits)
+	return csrTemplate, csrPem
+}
+
+// Generates steps to test out various role permutations
+func generateRoleSteps(t *testing.T, useCSRs bool) []logicaltest.TestStep {
+	roleVals := roleEntry{
+		MaxTTL:                    12 * time.Hour,
+		KeyType:                   "rsa",
+		KeyBits:                   2048,
+		RequireCN:                 true,
+		AllowWildcardCertificates: new(bool),
+	}
+	*roleVals.AllowWildcardCertificates = true
+
+	issueVals := certutil.IssueData{}
+	ret := []logicaltest.TestStep{}
+
+	roleTestStep := logicaltest.TestStep{
+		Operation: logical.UpdateOperation,
+		Path:      "roles/test",
+	}
+	var issueTestStep logicaltest.TestStep
+	if useCSRs {
+		issueTestStep = logicaltest.TestStep{
+			Operation: logical.UpdateOperation,
+			Path:      "sign/test",
+		}
+	} else {
+		issueTestStep = logicaltest.TestStep{
+			Operation: logical.UpdateOperation,
+			Path:      "issue/test",
 		}
+	}
 
-		expected := "Error tuning auth method userpass/: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
+	generatedRSAKeys := map[int]crypto.Signer{}
+	generatedECKeys := map[int]crypto.Signer{}
+	generatedEdKeys := map[int]crypto.Signer{}
+	/*
+		// For the number of tests being run, a seed of 1 has been tested
+		// to hit all of the various values below. However, for normal
+		// testing we use a randomized time for maximum fuzziness.
+	*/
+	var seed int64 = 1
+	fixedSeed := os.Getenv("VAULT_PKITESTS_FIXED_SEED")
+	if len(fixedSeed) == 0 {
+		seed = time.Now().UnixNano()
+	} else {
+		var err error
+		seed, err = strconv.ParseInt(fixedSeed, 10, 64)
+		if err != nil {
+			t.Fatalf("error parsing fixed seed of %s: %v", fixedSeed, err)
 		}
-	})
+	}
+	mathRand := mathrand.New(mathrand.NewSource(seed))
+	// t.Logf("seed under test: %v", seed)
 
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
+	// Used by tests not toggling common names to turn off the behavior of random key bit fuzziness
+	keybitSizeRandOff := false
 
-		_, cmd := testAuthTuneCommand(t)
-		assertNoTabs(t, cmd)
-	})
-}
+	genericErrorOkCheck := func(resp *logical.Response) error {
+		if resp.IsError() {
+			return nil
+		}
+		return fmt.Errorf("expected an error, but did not seem to get one")
+	}
+
+	// Adds tests with the currently configured issue/role information
+	addTests := func(testCheck logicaltest.TestCheckFunc) {
+		stepCount++
+		// t.Logf("test step %d\nrole vals: %#v\n", stepCount, roleVals)
+		stepCount++
+		// t.Logf("test step %d\nissue vals: %#v\n", stepCount, issueTestStep)
+		roleTestStep.Data = roleVals.ToResponseData()
+		roleTestStep.Data["generate_lease"] = false
+		ret = append(ret, roleTestStep)
+		issueTestStep.Data = structs.New(issueVals).Map()
+		switch {
+		case issueTestStep.ErrorOk:
+			issueTestStep.Check = genericErrorOkCheck
+		case testCheck != nil:
+			issueTestStep.Check = testCheck
+		default:
+			issueTestStep.Check = nil
+		}
+		ret = append(ret, issueTestStep)
+	}
+
+	getCountryCheck := func(role roleEntry) logicaltest.TestCheckFunc {
+		var certBundle certutil.CertBundle
+		return func(resp *logical.Response) error {
+			err := mapstructure.Decode(resp.Data, &certBundle)
+			if err != nil {
+				return err
+			}
+			parsedCertBundle, err := certBundle.ToParsedCertBundle()
+			if err != nil {
+				return fmt.Errorf("error checking generated certificate: %s", err)
+			}
+			cert := parsedCertBundle.Certificate
+
+			expected := strutil.RemoveDuplicates(role.Country, true)
+			if !reflect.DeepEqual(cert.Subject.Country, expected) {
+				return fmt.Errorf("error: returned certificate has Country of %s but %s was specified in the role", cert.Subject.Country, expected)
+			}
+			return nil
+		}
+	}
+
+	getOuCheck := func(role roleEntry) logicaltest.TestCheckFunc {
+		var certBundle certutil.CertBundle
+		return func(resp *logical.Response) error {
+			err := mapstructure.Decode(resp.Data, &certBundle)
+			if err != nil {
+				return err
+			}
+			parsedCertBundle, err := certBundle.ToParsedCertBundle()
+			if err != nil {
+				return fmt.Errorf("error checking generated certificate: %s", err)
+			}
+			cert := parsedCertBundle.Certificate
+
+			expected := strutil.RemoveDuplicatesStable(role.OU, true)
+			if !reflect.DeepEqual(cert.Subject.OrganizationalUnit, expected) {
+				return fmt.Errorf("error: returned certificate has OU of %s but %s was specified in the role", cert.Subject.OrganizationalUnit, expected)
+			}
+			return nil
+		}
+	}
+
+	getOrganizationCheck := func(role roleEntry) logicaltest.TestCheckFunc {
+		var certBundle certutil.CertBundle
+		return func(resp *logical.Response) error {
+			err := mapstructure.Decode(resp.Data, &certBundle)
+			if err != nil {
+				return err
+			}
+			parsedCertBundle, err := certBundle.ToParsedCertBundle()
+			if err != nil {
+				return fmt.Errorf("error checking generated certificate: %s", err)
+			}
+			cert := parsedCertBundle.Certificate
+
+			expected := strutil.RemoveDuplicates(role.Organization, true)
+			if !reflect.DeepEqual(cert.Subject.Organization, expected) {
+				return fmt.Errorf("error: returned certificate has Organization of %s but %s was specified in the role", cert.Subject.Organization, expected)
+			}
+			return nil
+		}
+	}
+
+	getLocalityCheck := func(role roleEntry) logicaltest.TestCheckFunc {
+		var certBundle certutil.CertBundle
+		return func(resp *logical.Response) error {
+			err := mapstructure.Decode(resp.Data, &certBundle)
+			if err != nil {
+				return err
+			}
+			parsedCertBundle, err := certBundle.ToParsedCertBundle()
+			if err != nil {
+				return fmt.Errorf("error checking generated certificate: %s", err)
+			}
+			cert := parsedCertBundle.Certificate
+
+			expected := strutil.RemoveDuplicates(role.Locality, true)
+			if !reflect.DeepEqual(cert.Subject.Locality, expected) {
+				return fmt.Errorf("error: returned certificate has Locality of %s but %s was specified in the role", cert.Subject.Locality, expected)
+			}
+			return nil
+		}
+	}
+
+	getProvinceCheck := func(role roleEntry) logicaltest.TestCheckFunc {
+		var certBundle certutil.CertBundle
+		return func(resp *logical.Response) error {
+			err := mapstructure.Decode(resp.Data, &certBundle)
+			if err != nil {
+				return err
+			}
+			parsedCertBundle, err := certBundle.ToParsedCertBundle()
+			if err != nil {
+				return fmt.Errorf("error checking generated certificate: %s", err)
+			}
+			cert := parsedCertBundle.Certificate
+
+			expected := strutil.RemoveDuplicates(role.Province, true)
+			if !reflect.DeepEqual(cert.Subject.Province, expected) {
+				return fmt.Errorf("error: returned certificate has Province of %s but %s was specified in the role", cert.Subject.Province, expected)
+			}
+			return nil
+		}
+	}
+
+	getStreetAddressCheck := func(role roleEntry) logicaltest.TestCheckFunc {
+		var certBundle certutil.CertBundle
+		return func(resp *logical.Response) error {
+			err := mapstructure.Decode(resp.Data, &certBundle)
+			if err != nil {
+				return err
+			}
+			parsedCertBundle, err := certBundle.ToParsedCertBundle()
+			if err != nil {
+				return fmt.Errorf("error checking generated certificate: %s", err)
+			}
+			cert := parsedCertBundle.Certificate
+
+			expected := strutil.RemoveDuplicates(role.StreetAddress, true)
+			if !reflect.DeepEqual(cert.Subject.StreetAddress, expected) {
+				return fmt.Errorf("error: returned certificate has StreetAddress of %s but %s was specified in the role", cert.Subject.StreetAddress, expected)
+			}
+			return nil
+		}
+	}
+
+	getPostalCodeCheck := func(role roleEntry) logicaltest.TestCheckFunc {
+		var certBundle certutil.CertBundle
+		return func(resp *logical.Response) error {
+			err := mapstructure.Decode(resp.Data, &certBundle)
+			if err != nil {
+				return err
+			}
+			parsedCertBundle, err := certBundle.ToParsedCertBundle()
+			if err != nil {
+				return fmt.Errorf("error checking generated certificate: %s", err)
+			}
+			cert := parsedCertBundle.Certificate
+
+			expected := strutil.RemoveDuplicates(role.PostalCode, true)
+			if !reflect.DeepEqual(cert.Subject.PostalCode, expected) {
+				return fmt.Errorf("error: returned certificate has PostalCode of %s but %s was specified in the role", cert.Subject.PostalCode, expected)
+			}
+			return nil
+		}
+	}
+
+	getNotBeforeCheck := func(role roleEntry) logicaltest.TestCheckFunc {
+		var certBundle certutil.CertBundle
+		return func(resp *logical.Response) error {
+			err := mapstructure.Decode(resp.Data, &certBundle)
+			if err != nil {
+				return err
+			}
+			parsedCertBundle, err := certBundle.ToParsedCertBundle()
+			if err != nil {
+				return fmt.Errorf("error checking generated certificate: %s", err)
+			}
+			cert := parsedCertBundle.Certificate
+
+			actualDiff := time.Since(cert.NotBefore)
+			certRoleDiff := (role.NotBeforeDuration - actualDiff).Truncate(time.Second)
+			// These times get truncated, so give a 1 second buffer on each side
+			if certRoleDiff >= -1*time.Second && certRoleDiff <= 1*time.Second {
+				return nil
+			}
+			return fmt.Errorf("validity period out of range diff: %v", certRoleDiff)
+		}
+	}
+
+	// Returns a TestCheckFunc that performs various validity checks on the
+	// returned certificate information, mostly within checkCertsAndPrivateKey
+	getCnCheck := func(name string, role roleEntry, key crypto.Signer, usage x509.KeyUsage, extUsage x509.ExtKeyUsage, validity time.Duration) logicaltest.TestCheckFunc {
+		var certBundle certutil.CertBundle
+		return func(resp *logical.Response) error {
+			err := mapstructure.Decode(resp.Data, &certBundle)
+			if err != nil {
+				return err
+			}
+			parsedCertBundle, err := checkCertsAndPrivateKey(role.KeyType, key, usage, extUsage, validity, &certBundle)
+			if err != nil {
+				return fmt.Errorf("error checking generated certificate: %s", err)
+			}
+			cert := parsedCertBundle.Certificate
+			if cert.Subject.CommonName != name {
+				return fmt.Errorf("error: returned certificate has CN of %s but %s was requested", cert.Subject.CommonName, name)
+			}
+			if strings.Contains(cert.Subject.CommonName, "@") {
+				if len(cert.DNSNames) != 0 || len(cert.EmailAddresses) != 1 {
+					return fmt.Errorf("error: found more than one DNS SAN or not one Email SAN but only one was requested, cert.DNSNames = %#v, cert.EmailAddresses = %#v", cert.DNSNames, cert.EmailAddresses)
+				}
+			} else {
+				if len(cert.DNSNames) != 1 || len(cert.EmailAddresses) != 0 {
+					return fmt.Errorf("error: found more than one Email SAN or not one DNS SAN but only one was requested, cert.DNSNames = %#v, cert.EmailAddresses = %#v", cert.DNSNames, cert.EmailAddresses)
+				}
+			}
+			var retName string
+			if len(cert.DNSNames) > 0 {
+				retName = cert.DNSNames[0]
+			}
+			if len(cert.EmailAddresses) > 0 {
+				retName = cert.EmailAddresses[0]
+			}
+			if retName != name {
+				// Check IDNA
+				p := idna.New(
+					idna.StrictDomainName(true),
+					idna.VerifyDNSLength(true),
+				)
+				converted, err := p.ToUnicode(retName)
+				if err != nil {
+					t.Fatal(err)
+				}
+				if converted != name {
+					return fmt.Errorf("error: returned certificate has a DNS SAN of %s (from idna: %s) but %s was requested", retName, converted, name)
+				}
+			}
+			return nil
+		}
+	}
+
+	type csrPlan struct {
+		errorOk     bool
+		roleKeyBits int
+		cert        string
+		privKey     crypto.Signer
+	}
+
+	getCsr := func(keyType string, keyBits int, csrTemplate *x509.CertificateRequest) (*pem.Block, crypto.Signer) {
+		var privKey crypto.Signer
+		var ok bool
+		switch keyType {
+		case "rsa":
+			privKey, ok = generatedRSAKeys[keyBits]
+			if !ok {
+				privKey, _ = rsa.GenerateKey(rand.Reader, keyBits)
+				generatedRSAKeys[keyBits] = privKey
+			}
+
+		case "ec":
+			var curve elliptic.Curve
+
+			switch keyBits {
+			case 224:
+				curve = elliptic.P224()
+			case 256:
+				curve = elliptic.P256()
+			case 384:
+				curve = elliptic.P384()
+			case 521:
+				curve = elliptic.P521()
+			}
+
+			privKey, ok = generatedECKeys[keyBits]
+			if !ok {
+				privKey, _ = ecdsa.GenerateKey(curve, rand.Reader)
+				generatedECKeys[keyBits] = privKey
+			}
+
+		case "ed25519":
+			privKey, ok = generatedEdKeys[keyBits]
+			if !ok {
+				_, privKey, _ = ed25519.GenerateKey(rand.Reader)
+				generatedEdKeys[keyBits] = privKey
+			}
+
+		default:
+			panic("invalid key type: " + keyType)
+		}
+
+		csr, err := x509.CreateCertificateRequest(rand.Reader, csrTemplate, privKey)
+		if err != nil {
+			t.Fatalf("Error creating certificate request: %s", err)
+		}
+		block := pem.Block{
+			Type:  "CERTIFICATE REQUEST",
+			Bytes: csr,
+		}
+		return &block, privKey
+	}
+
+	getRandCsr := func(keyType string, errorOk bool, csrTemplate *x509.CertificateRequest) csrPlan {
+		rsaKeyBits := []int{2048, 3072, 4096, 8192}
+		ecKeyBits := []int{224, 256, 384, 521}
+		plan := csrPlan{errorOk: errorOk}
+
+		var testBitSize int
+		switch keyType {
+		case "rsa":
+			plan.roleKeyBits = rsaKeyBits[mathRand.Int()%len(rsaKeyBits)]
+			testBitSize = plan.roleKeyBits
+
+			// If we don't expect an error already, randomly choose a
+			// key size and expect an error if it's less than the role
+			// setting
+			if !keybitSizeRandOff && !errorOk {
+				testBitSize = rsaKeyBits[mathRand.Int()%len(rsaKeyBits)]
+			}
+
+			if testBitSize < plan.roleKeyBits {
+				plan.errorOk = true
+			}
+
+		case "ec":
+			plan.roleKeyBits = ecKeyBits[mathRand.Int()%len(ecKeyBits)]
+			testBitSize = plan.roleKeyBits
+
+			// If we don't expect an error already, randomly choose a
+			// key size and expect an error if it's less than the role
+			// setting
+			if !keybitSizeRandOff && !errorOk {
+				testBitSize = ecKeyBits[mathRand.Int()%len(ecKeyBits)]
+			}
+
+			if testBitSize < plan.roleKeyBits {
+				plan.errorOk = true
+			}
+
+		default:
+			panic("invalid key type: " + keyType)
+		}
+		if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
+			t.Logf("roleKeyBits=%d testBitSize=%d errorOk=%v", plan.roleKeyBits, testBitSize, plan.errorOk)
+		}
+
+		block, privKey := getCsr(keyType, testBitSize, csrTemplate)
+		plan.cert = strings.TrimSpace(string(pem.EncodeToMemory(block)))
+		plan.privKey = privKey
+		return plan
+	}
+
+	// Common names to test with the various role flags toggled
+	var commonNames struct {
+		Localhost            bool `structs:"localhost"`
+		BareDomain           bool `structs:"example.com"`
+		SecondDomain         bool `structs:"foobar.com"`
+		SubDomain            bool `structs:"foo.example.com"`
+		Wildcard             bool `structs:"*.example.com"`
+		SubSubdomain         bool `structs:"foo.bar.example.com"`
+		SubSubdomainWildcard bool `structs:"*.bar.example.com"`
+		GlobDomain           bool `structs:"fooexample.com"`
+		IDN                  bool `structs:"daɪˈɛrɨsɨs"`
+		AnyHost              bool `structs:"porkslap.beer"`
+	}
+
+	// Adds a series of tests based on the current selection of
+	// allowed common names; contains some (seeded) randomness
+	//
+	// This allows for a variety of common names to be tested in various
+	// combinations with allowed toggles of the role
+	addCnTests := func() {
+		cnMap := structs.New(commonNames).Map()
+		for name, allowedInt := range cnMap {
+			roleVals.KeyType = "rsa"
+			roleVals.KeyBits = 2048
+			if mathRand.Int()%3 == 1 {
+				roleVals.KeyType = "ec"
+				roleVals.KeyBits = 224
+			}
+
+			roleVals.ServerFlag = false
+			roleVals.ClientFlag = false
+			roleVals.CodeSigningFlag = false
+			roleVals.EmailProtectionFlag = false
+
+			var usage []string
+			if mathRand.Int()%2 == 1 {
+				usage = append(usage, "DigitalSignature")
+			}
+			if mathRand.Int()%2 == 1 {
+				usage = append(usage, "ContentCoMmitment")
+			}
+			if mathRand.Int()%2 == 1 {
+				usage = append(usage, "KeyEncipherment")
+			}
+			if mathRand.Int()%2 == 1 {
+				usage = append(usage, "DataEncipherment")
+			}
+			if mathRand.Int()%2 == 1 {
+				usage = append(usage, "KeyAgreemEnt")
+			}
+			if mathRand.Int()%2 == 1 {
+				usage = append(usage, "CertSign")
+			}
+			if mathRand.Int()%2 == 1 {
+				usage = append(usage, "CRLSign")
+			}
+			if mathRand.Int()%2 == 1 {
+				usage = append(usage, "EncipherOnly")
+			}
+			if mathRand.Int()%2 == 1 {
+				usage = append(usage, "DecipherOnly")
+			}
+
+			roleVals.KeyUsage = usage
+			parsedKeyUsage := parseKeyUsages(roleVals.KeyUsage)
+			if parsedKeyUsage == 0 && len(usage) != 0 {
+				panic("parsed key usages was zero")
+			}
+
+			var extUsage x509.ExtKeyUsage
+			i := mathRand.Int() % 4
+			switch {
+			case i == 0:
+				// Punt on this for now since I'm not clear the actual proper
+				// way to format these
+				if name != "daɪˈɛrɨsɨs" {
+					extUsage = x509.ExtKeyUsageEmailProtection
+					roleVals.EmailProtectionFlag = true
+					break
+				}
+				fallthrough
+			case i == 1:
+				extUsage = x509.ExtKeyUsageServerAuth
+				roleVals.ServerFlag = true
+			case i == 2:
+				extUsage = x509.ExtKeyUsageClientAuth
+				roleVals.ClientFlag = true
+			default:
+				extUsage = x509.ExtKeyUsageCodeSigning
+				roleVals.CodeSigningFlag = true
+			}
+
+			allowed := allowedInt.(bool)
+			issueVals.CommonName = name
+			if roleVals.EmailProtectionFlag {
+				if !strings.HasPrefix(name, "*") {
+					issueVals.CommonName = "user@" + issueVals.CommonName
+				}
+			}
+
+			issueTestStep.ErrorOk = !allowed
+
+			validity := roleVals.MaxTTL
+
+			if useCSRs {
+				templ := &x509.CertificateRequest{
+					Subject: pkix.Name{
+						CommonName: issueVals.CommonName,
+					},
+				}
+				plan := getRandCsr(roleVals.KeyType, issueTestStep.ErrorOk, templ)
+				issueVals.CSR = plan.cert
+				roleVals.KeyBits = plan.roleKeyBits
+				issueTestStep.ErrorOk = plan.errorOk
+
+				addTests(getCnCheck(issueVals.CommonName, roleVals, plan.privKey, x509.KeyUsage(parsedKeyUsage), extUsage, validity))
+			} else {
+				addTests(getCnCheck(issueVals.CommonName, roleVals, nil, x509.KeyUsage(parsedKeyUsage), extUsage, validity))
+			}
+		}
+	}
+
+	funcs := []interface{}{
+		addCnTests, getCnCheck, getCountryCheck, getLocalityCheck, getNotBeforeCheck,
+		getOrganizationCheck, getOuCheck, getPostalCodeCheck, getRandCsr, getStreetAddressCheck,
+		getProvinceCheck,
+	}
+	if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
+		t.Logf("funcs=%d", len(funcs))
+	}
+
+	// Common Name tests
+	{
+		// common_name not provided
+		issueVals.CommonName = ""
+		issueTestStep.ErrorOk = true
+		addTests(nil)
+
+		// Nothing is allowed
+		addCnTests()
+
+		roleVals.AllowLocalhost = true
+		commonNames.Localhost = true
+		addCnTests()
+
+		roleVals.AllowedDomains = []string{"foobar.com"}
+		addCnTests()
+
+		roleVals.AllowedDomains = []string{"example.com"}
+		roleVals.AllowSubdomains = true
+		commonNames.SubDomain = true
+		commonNames.Wildcard = true
+		commonNames.SubSubdomain = true
+		commonNames.SubSubdomainWildcard = true
+		addCnTests()
+
+		roleVals.AllowedDomains = []string{"foobar.com", "example.com"}
+		commonNames.SecondDomain = true
+		roleVals.AllowBareDomains = true
+		commonNames.BareDomain = true
+		addCnTests()
+
+		roleVals.AllowedDomains = []string{"foobar.com", "*example.com"}
+		roleVals.AllowGlobDomains = true
+		commonNames.GlobDomain = true
+		addCnTests()
+
+		roleVals.AllowAnyName = true
+		roleVals.EnforceHostnames = true
+		commonNames.AnyHost = true
+		commonNames.IDN = true
+		addCnTests()
+
+		roleVals.EnforceHostnames = false
+		addCnTests()
+
+		// Ensure that we end up with acceptable key sizes since they won't be
+		// toggled any longer
+		keybitSizeRandOff = true
+		addCnTests()
+	}
+	// Country tests
+	{
+		roleVals.Country = []string{"foo"}
+		addTests(getCountryCheck(roleVals))
+
+		roleVals.Country = []string{"foo", "bar"}
+		addTests(getCountryCheck(roleVals))
+	}
+	// OU tests
+	{
+		roleVals.OU = []string{"foo"}
+		addTests(getOuCheck(roleVals))
+
+		roleVals.OU = []string{"bar", "foo"}
+		addTests(getOuCheck(roleVals))
+	}
+	// Organization tests
+	{
+		roleVals.Organization = []string{"system:masters"}
+		addTests(getOrganizationCheck(roleVals))
+
+		roleVals.Organization = []string{"foo", "bar"}
+		addTests(getOrganizationCheck(roleVals))
+	}
+	// Locality tests
+	{
+		roleVals.Locality = []string{"foo"}
+		addTests(getLocalityCheck(roleVals))
+
+		roleVals.Locality = []string{"foo", "bar"}
+		addTests(getLocalityCheck(roleVals))
+	}
+	// Province tests
+	{
+		roleVals.Province = []string{"foo"}
+		addTests(getProvinceCheck(roleVals))
+
+		roleVals.Province = []string{"foo", "bar"}
+		addTests(getProvinceCheck(roleVals))
+	}
+	// StreetAddress tests
+	{
+		roleVals.StreetAddress = []string{"123 foo street"}
+		addTests(getStreetAddressCheck(roleVals))
+
+		roleVals.StreetAddress = []string{"123 foo street", "456 bar avenue"}
+		addTests(getStreetAddressCheck(roleVals))
+	}
+	// PostalCode tests
+	{
+		roleVals.PostalCode = []string{"f00"}
+		addTests(getPostalCodeCheck(roleVals))
+
+		roleVals.PostalCode = []string{"f00", "b4r"}
+		addTests(getPostalCodeCheck(roleVals))
+	}
+	// NotBefore tests
+	{
+		roleVals.NotBeforeDuration = 10 * time.Second
+		addTests(getNotBeforeCheck(roleVals))
+
+		roleVals.NotBeforeDuration = 30 * time.Second
+		addTests(getNotBeforeCheck(roleVals))
+
+		roleVals.NotBeforeDuration = 0
+	}
+
+	// IP SAN tests
+	{
+		getIpCheck := func(expectedIp ...net.IP) logicaltest.TestCheckFunc {
+			return func(resp *logical.Response) error {
+				var certBundle certutil.CertBundle
+				err := mapstructure.Decode(resp.Data, &certBundle)
+				if err != nil {
+					return err
+				}
+				parsedCertBundle, err := certBundle.ToParsedCertBundle()
+				if err != nil {
+					return fmt.Errorf("error parsing cert bundle: %s", err)
+				}
+				cert := parsedCertBundle.Certificate
+				var expected []net.IP
+				expected = append(expected, expectedIp...)
+				if diff := deep.Equal(cert.IPAddresses, expected); len(diff) > 0 {
+					return fmt.Errorf("wrong SAN IPs, diff: %v", diff)
+				}
+				return nil
+			}
+		}
+		addIPSANTests := func(useCSRs, useCSRSANs, allowIPSANs, errorOk bool, ipSANs string, csrIPSANs []net.IP, check logicaltest.TestCheckFunc) {
+			if useCSRs {
+				csrTemplate := &x509.CertificateRequest{
+					Subject: pkix.Name{
+						CommonName: issueVals.CommonName,
+					},
+					IPAddresses: csrIPSANs,
+				}
+				block, _ := getCsr(roleVals.KeyType, roleVals.KeyBits, csrTemplate)
+				issueVals.CSR = strings.TrimSpace(string(pem.EncodeToMemory(block)))
+			}
+			oldRoleVals, oldIssueVals, oldIssueTestStep := roleVals, issueVals, issueTestStep
+			roleVals.UseCSRSANs = useCSRSANs
+			roleVals.AllowIPSANs = allowIPSANs
+			issueVals.CommonName = "someone@example.com"
+			issueVals.IPSANs = ipSANs
+			issueTestStep.ErrorOk = errorOk
+			addTests(check)
+			roleVals, issueVals, issueTestStep = oldRoleVals, oldIssueVals, oldIssueTestStep
+		}
+		roleVals.AllowAnyName = true
+		roleVals.EnforceHostnames = true
+		roleVals.AllowLocalhost = true
+		roleVals.UseCSRCommonName = true
+		commonNames.Localhost = true
+
+		netip1, netip2 := net.IP{127, 0, 0, 1}, net.IP{170, 171, 172, 173}
+		textip1, textip3 := "127.0.0.1", "::1"
+
+		// IPSANs not allowed and not provided, should not be an error.
+		addIPSANTests(useCSRs, false, false, false, "", nil, getIpCheck())
+
+		// IPSANs not allowed, valid IPSANs provided, should be an error.
+		addIPSANTests(useCSRs, false, false, true, textip1+","+textip3, nil, nil)
+
+		// IPSANs allowed, bogus IPSANs provided, should be an error.
+		addIPSANTests(useCSRs, false, true, true, "foobar", nil, nil)
+
+		// Given IPSANs as API argument and useCSRSANs false, CSR arg ignored.
+		addIPSANTests(useCSRs, false, true, false, textip1,
+			[]net.IP{netip2}, getIpCheck(netip1))
+
+		if useCSRs {
+			// IPSANs not allowed, valid IPSANs provided via CSR, should be an error.
+			addIPSANTests(useCSRs, true, false, true, "", []net.IP{netip1}, nil)
+
+			// Given IPSANs as both API and CSR arguments and useCSRSANs=true, API arg ignored.
+			addIPSANTests(useCSRs, true, true, false, textip3,
+				[]net.IP{netip1, netip2}, getIpCheck(netip1, netip2))
+		}
+	}
+
+	{
+		getOtherCheck := func(expectedOthers ...otherNameUtf8) logicaltest.TestCheckFunc {
+			return func(resp *logical.Response) error {
+				var certBundle certutil.CertBundle
+				err := mapstructure.Decode(resp.Data, &certBundle)
+				if err != nil {
+					return err
+				}
+				parsedCertBundle, err := certBundle.ToParsedCertBundle()
+				if err != nil {
+					return fmt.Errorf("error parsing cert bundle: %s", err)
+				}
+				cert := parsedCertBundle.Certificate
+				foundOthers, err := getOtherSANsFromX509Extensions(cert.Extensions)
+				if err != nil {
+					return err
+				}
+				var expected []otherNameUtf8
+				expected = append(expected, expectedOthers...)
+				if diff := deep.Equal(foundOthers, expected); len(diff) > 0 {
+					return fmt.Errorf("wrong SAN IPs, diff: %v", diff)
+				}
+				return nil
+			}
+		}
+
+		addOtherSANTests := func(useCSRs, useCSRSANs bool, allowedOtherSANs []string, errorOk bool, otherSANs []string, csrOtherSANs []otherNameUtf8, check logicaltest.TestCheckFunc) {
+			otherSansMap := func(os []otherNameUtf8) map[string][]string {
+				ret := make(map[string][]string)
+				for _, o := range os {
+					ret[o.oid] = append(ret[o.oid], o.value)
+				}
+				return ret
+			}
+			if useCSRs {
+				csrTemplate := &x509.CertificateRequest{
+					Subject: pkix.Name{
+						CommonName: issueVals.CommonName,
+					},
+				}
+				if err := handleOtherCSRSANs(csrTemplate, otherSansMap(csrOtherSANs)); err != nil {
+					t.Fatal(err)
+				}
+				block, _ := getCsr(roleVals.KeyType, roleVals.KeyBits, csrTemplate)
+				issueVals.CSR = strings.TrimSpace(string(pem.EncodeToMemory(block)))
+			}
+			oldRoleVals, oldIssueVals, oldIssueTestStep := roleVals, issueVals, issueTestStep
+			roleVals.UseCSRSANs = useCSRSANs
+			roleVals.AllowedOtherSANs = allowedOtherSANs
+			issueVals.CommonName = "someone@example.com"
+			issueVals.OtherSANs = strings.Join(otherSANs, ",")
+			issueTestStep.ErrorOk = errorOk
+			addTests(check)
+			roleVals, issueVals, issueTestStep = oldRoleVals, oldIssueVals, oldIssueTestStep
+		}
+		roleVals.AllowAnyName = true
+		roleVals.EnforceHostnames = true
+		roleVals.AllowLocalhost = true
+		roleVals.UseCSRCommonName = true
+		commonNames.Localhost = true
+
+		newOtherNameUtf8 := func(s string) (ret otherNameUtf8) {
+			pieces := strings.Split(s, ";")
+			if len(pieces) == 2 {
+				piecesRest := strings.Split(pieces[1], ":")
+				if len(piecesRest) == 2 {
+					switch strings.ToUpper(piecesRest[0]) {
+					case "UTF-8", "UTF8":
+						return otherNameUtf8{oid: pieces[0], value: piecesRest[1]}
+					}
+				}
+			}
+			t.Fatalf("error parsing otherName: %q", s)
+			return
+		}
+		oid1 := "1.3.6.1.4.1.311.20.2.3"
+		oth1str := oid1 + ";utf8:devops@nope.com"
+		oth1 := newOtherNameUtf8(oth1str)
+		oth2 := otherNameUtf8{oid1, "me@example.com"}
+		// allowNone, allowAll := []string{}, []string{oid1 + ";UTF-8:*"}
+		allowNone, allowAll := []string{}, []string{"*"}
+
+		// OtherSANs not allowed and not provided, should not be an error.
+		addOtherSANTests(useCSRs, false, allowNone, false, nil, nil, getOtherCheck())
+
+		// OtherSANs not allowed, valid OtherSANs provided, should be an error.
+		addOtherSANTests(useCSRs, false, allowNone, true, []string{oth1str}, nil, nil)
+
+		// OtherSANs allowed, bogus OtherSANs provided, should be an error.
+		addOtherSANTests(useCSRs, false, allowAll, true, []string{"foobar"}, nil, nil)
+
+		// Given OtherSANs as API argument and useCSRSANs false, CSR arg ignored.
+		addOtherSANTests(useCSRs, false, allowAll, false, []string{oth1str},
+			[]otherNameUtf8{oth2}, getOtherCheck(oth1))
+
+		if useCSRs {
+			// OtherSANs not allowed, valid OtherSANs provided via CSR, should be an error.
+			addOtherSANTests(useCSRs, true, allowNone, true, nil, []otherNameUtf8{oth1}, nil)
+
+			// Given OtherSANs as both API and CSR arguments and useCSRSANs=true, API arg ignored.
+			addOtherSANTests(useCSRs, false, allowAll, false, []string{oth2.String()},
+				[]otherNameUtf8{oth1}, getOtherCheck(oth2))
+		}
+	}
+
+	// Lease tests
+	{
+		roleTestStep.ErrorOk = true
+		roleVals.Lease = ""
+		roleVals.MaxTTL = 0
+		addTests(nil)
+
+		roleVals.Lease = "12h"
+		roleVals.MaxTTL = 6 * time.Hour
+		addTests(nil)
+
+		roleTestStep.ErrorOk = false
+		roleVals.TTL = 0
+		roleVals.MaxTTL = 12 * time.Hour
+	}
+
+	// Listing test
+	ret = append(ret, logicaltest.TestStep{
+		Operation: logical.ListOperation,
+		Path:      "roles/",
+		Check: func(resp *logical.Response) error {
+			if resp.Data == nil {
+				return fmt.Errorf("nil data")
+			}
+
+			keysRaw, ok := resp.Data["keys"]
+			if !ok {
+				return fmt.Errorf("no keys found")
+			}
+
+			keys, ok := keysRaw.([]string)
+			if !ok {
+				return fmt.Errorf("could not convert keys to a string list")
+			}
+
+			if len(keys) != 1 {
+				return fmt.Errorf("unexpected keys length of %d", len(keys))
+			}
+
+			if keys[0] != "test" {
+				return fmt.Errorf("unexpected key value of %s", keys[0])
+			}
+
+			return nil
+		},
+	})
+
+	return ret
+}
+
+func TestRolesAltIssuer(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	// Create two issuers.
+	resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
+		"common_name": "root a - example.com",
+		"issuer_name": "root-a",
+		"key_type":    "ec",
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	rootAPem := resp.Data["certificate"].(string)
+	rootACert := parseCert(t, rootAPem)
+
+	resp, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
+		"common_name": "root b - example.com",
+		"issuer_name": "root-b",
+		"key_type":    "ec",
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	rootBPem := resp.Data["certificate"].(string)
+	rootBCert := parseCert(t, rootBPem)
+
+	// Create three roles: one with no assignment, one with explicit root-a,
+	// one with explicit root-b.
+	_, err = CBWrite(b, s, "roles/use-default", map[string]interface{}{
+		"allow_any_name":    true,
+		"enforce_hostnames": false,
+		"key_type":          "ec",
+	})
+	require.NoError(t, err)
+
+	_, err = CBWrite(b, s, "roles/use-root-a", map[string]interface{}{
+		"allow_any_name":    true,
+		"enforce_hostnames": false,
+		"key_type":          "ec",
+		"issuer_ref":        "root-a",
+	})
+	require.NoError(t, err)
+
+	_, err = CBWrite(b, s, "roles/use-root-b", map[string]interface{}{
+		"allow_any_name":    true,
+		"enforce_hostnames": false,
+		"issuer_ref":        "root-b",
+	})
+	require.NoError(t, err)
+
+	// Now issue certs against these roles.
+	resp, err = CBWrite(b, s, "issue/use-default", map[string]interface{}{
+		"common_name": "testing",
+		"ttl":         "5s",
+	})
+	require.NoError(t, err)
+	leafPem := resp.Data["certificate"].(string)
+	leafCert := parseCert(t, leafPem)
+	err = leafCert.CheckSignatureFrom(rootACert)
+	require.NoError(t, err, "should be signed by root-a but wasn't")
+
+	resp, err = CBWrite(b, s, "issue/use-root-a", map[string]interface{}{
+		"common_name": "testing",
+		"ttl":         "5s",
+	})
+	require.NoError(t, err)
+	leafPem = resp.Data["certificate"].(string)
+	leafCert = parseCert(t, leafPem)
+	err = leafCert.CheckSignatureFrom(rootACert)
+	require.NoError(t, err, "should be signed by root-a but wasn't")
+
+	resp, err = CBWrite(b, s, "issue/use-root-b", map[string]interface{}{
+		"common_name": "testing",
+		"ttl":         "5s",
+	})
+	require.NoError(t, err)
+	leafPem = resp.Data["certificate"].(string)
+	leafCert = parseCert(t, leafPem)
+	err = leafCert.CheckSignatureFrom(rootBCert)
+	require.NoError(t, err, "should be signed by root-b but wasn't")
+
+	// Update the default issuer to be root B and make sure that the
+	// use-default role updates.
+	_, err = CBWrite(b, s, "config/issuers", map[string]interface{}{
+		"default": "root-b",
+	})
+	require.NoError(t, err)
+
+	resp, err = CBWrite(b, s, "issue/use-default", map[string]interface{}{
+		"common_name": "testing",
+		"ttl":         "5s",
+	})
+	require.NoError(t, err)
+	leafPem = resp.Data["certificate"].(string)
+	leafCert = parseCert(t, leafPem)
+	err = leafCert.CheckSignatureFrom(rootBCert)
+	require.NoError(t, err, "should be signed by root-b but wasn't")
+}
+
+func TestBackend_PathFetchValidRaw(t *testing.T) {
+	t.Parallel()
+	b, storage := CreateBackendWithStorage(t)
+
+	resp, err := b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "root/generate/internal",
+		Storage:   storage,
+		Data: map[string]interface{}{
+			"common_name": "test.com",
+			"ttl":         "6h",
+		},
+		MountPoint: "pki/",
+	})
+	require.NoError(t, err)
+	if resp != nil && resp.IsError() {
+		t.Fatalf("failed to generate root, %#v", resp)
+	}
+	rootCaAsPem := resp.Data["certificate"].(string)
+
+	// Chain should contain the root.
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation:  logical.ReadOperation,
+		Path:       "ca_chain",
+		Storage:    storage,
+		Data:       map[string]interface{}{},
+		MountPoint: "pki/",
+	})
+	require.NoError(t, err)
+	if resp != nil && resp.IsError() {
+		t.Fatalf("failed read ca_chain, %#v", resp)
+	}
+	if strings.Count(string(resp.Data[logical.HTTPRawBody].([]byte)), rootCaAsPem) != 1 {
+		t.Fatalf("expected raw chain to contain the root cert")
+	}
+
+	// The ca/pem should return us the actual CA...
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation:  logical.ReadOperation,
+		Path:       "ca/pem",
+		Storage:    storage,
+		Data:       map[string]interface{}{},
+		MountPoint: "pki/",
+	})
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("ca/pem"), logical.ReadOperation), resp, true)
+	require.NoError(t, err)
+	if resp != nil && resp.IsError() {
+		t.Fatalf("failed read ca/pem, %#v", resp)
+	}
+	// check the raw cert matches the response body
+	if !bytes.Equal(resp.Data[logical.HTTPRawBody].([]byte), []byte(rootCaAsPem)) {
+		t.Fatalf("failed to get raw cert")
+	}
+
+	_, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "roles/example",
+		Storage:   storage,
+		Data: map[string]interface{}{
+			"allowed_domains":  "example.com",
+			"allow_subdomains": "true",
+			"max_ttl":          "1h",
+			"no_store":         "false",
+		},
+		MountPoint: "pki/",
+	})
+	require.NoError(t, err, "error setting up pki role: %v", err)
+
+	// Now issue a short-lived certificate from our pki-external.
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "issue/example",
+		Storage:   storage,
+		Data: map[string]interface{}{
+			"common_name": "test.example.com",
+			"ttl":         "5m",
+		},
+		MountPoint: "pki/",
+	})
+	require.NoError(t, err, "error issuing certificate: %v", err)
+	require.NotNil(t, resp, "got nil response from issuing request")
+
+	issueCrtAsPem := resp.Data["certificate"].(string)
+	issuedCrt := parseCert(t, issueCrtAsPem)
+	expectedSerial := serialFromCert(issuedCrt)
+	expectedCert := []byte(issueCrtAsPem)
+
+	// get der cert
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.ReadOperation,
+		Path:      fmt.Sprintf("cert/%s/raw", expectedSerial),
+		Storage:   storage,
+	})
+	if resp != nil && resp.IsError() {
+		t.Fatalf("failed to get raw cert, %#v", resp)
+	}
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// check the raw cert matches the response body
+	rawBody := resp.Data[logical.HTTPRawBody].([]byte)
+	bodyAsPem := []byte(strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rawBody}))))
+	if !bytes.Equal(bodyAsPem, expectedCert) {
+		t.Fatalf("failed to get raw cert for serial number: %s", expectedSerial)
+	}
+	if resp.Data[logical.HTTPContentType] != "application/pkix-cert" {
+		t.Fatalf("failed to get raw cert content-type")
+	}
+
+	// get pem
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.ReadOperation,
+		Path:      fmt.Sprintf("cert/%s/raw/pem", expectedSerial),
+		Storage:   storage,
+	})
+	if resp != nil && resp.IsError() {
+		t.Fatalf("failed to get raw, %#v", resp)
+	}
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// check the pem cert matches the response body
+	if !bytes.Equal(resp.Data[logical.HTTPRawBody].([]byte), expectedCert) {
+		t.Fatalf("failed to get pem cert")
+	}
+	if resp.Data[logical.HTTPContentType] != "application/pem-certificate-chain" {
+		t.Fatalf("failed to get raw cert content-type")
+	}
+}
+
+func TestBackend_PathFetchCertList(t *testing.T) {
+	t.Parallel()
+	// create the backend
+	b, storage := CreateBackendWithStorage(t)
+
+	// generate root
+	rootData := map[string]interface{}{
+		"common_name": "test.com",
+		"ttl":         "6h",
+	}
+
+	resp, err := b.HandleRequest(context.Background(), &logical.Request{
+		Operation:  logical.UpdateOperation,
+		Path:       "root/generate/internal",
+		Storage:    storage,
+		Data:       rootData,
+		MountPoint: "pki/",
+	})
+
+	if resp != nil && resp.IsError() {
+		t.Fatalf("failed to generate root, %#v", resp)
+	}
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// config urls
+	urlsData := map[string]interface{}{
+		"issuing_certificates":    "http://127.0.0.1:8200/v1/pki/ca",
+		"crl_distribution_points": "http://127.0.0.1:8200/v1/pki/crl",
+	}
+
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation:  logical.UpdateOperation,
+		Path:       "config/urls",
+		Storage:    storage,
+		Data:       urlsData,
+		MountPoint: "pki/",
+	})
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("config/urls"), logical.UpdateOperation), resp, true)
+
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation:  logical.ReadOperation,
+		Path:       "config/urls",
+		Storage:    storage,
+		MountPoint: "pki/",
+	})
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("config/urls"), logical.ReadOperation), resp, true)
+
+	if resp != nil && resp.IsError() {
+		t.Fatalf("failed to config urls, %#v", resp)
+	}
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// create a role entry
+	roleData := map[string]interface{}{
+		"allowed_domains":  "test.com",
+		"allow_subdomains": "true",
+		"max_ttl":          "4h",
+	}
+
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation:  logical.UpdateOperation,
+		Path:       "roles/test-example",
+		Storage:    storage,
+		Data:       roleData,
+		MountPoint: "pki/",
+	})
+	if resp != nil && resp.IsError() {
+		t.Fatalf("failed to create a role, %#v", resp)
+	}
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// issue some certs
+	i := 1
+	for i < 10 {
+		certData := map[string]interface{}{
+			"common_name": "example.test.com",
+		}
+		resp, err = b.HandleRequest(context.Background(), &logical.Request{
+			Operation:  logical.UpdateOperation,
+			Path:       "issue/test-example",
+			Storage:    storage,
+			Data:       certData,
+			MountPoint: "pki/",
+		})
+		if resp != nil && resp.IsError() {
+			t.Fatalf("failed to issue a cert, %#v", resp)
+		}
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		i = i + 1
+	}
+
+	// list certs
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation:  logical.ListOperation,
+		Path:       "certs",
+		Storage:    storage,
+		MountPoint: "pki/",
+	})
+	if resp != nil && resp.IsError() {
+		t.Fatalf("failed to list certs, %#v", resp)
+	}
+	if err != nil {
+		t.Fatal(err)
+	}
+	// check that the root and 9 additional certs are all listed
+	if len(resp.Data["keys"].([]string)) != 10 {
+		t.Fatalf("failed to list all 10 certs")
+	}
+
+	// list certs/
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation:  logical.ListOperation,
+		Path:       "certs/",
+		Storage:    storage,
+		MountPoint: "pki/",
+	})
+	if resp != nil && resp.IsError() {
+		t.Fatalf("failed to list certs, %#v", resp)
+	}
+	if err != nil {
+		t.Fatal(err)
+	}
+	// check that the root and 9 additional certs are all listed
+	if len(resp.Data["keys"].([]string)) != 10 {
+		t.Fatalf("failed to list all 10 certs")
+	}
+}
+
+func TestBackend_SignVerbatim(t *testing.T) {
+	t.Parallel()
+	testCases := []struct {
+		testName string
+		keyType  string
+	}{
+		{testName: "RSA", keyType: "rsa"},
+		{testName: "ED25519", keyType: "ed25519"},
+		{testName: "EC", keyType: "ec"},
+		{testName: "Any", keyType: "any"},
+	}
+	for _, tc := range testCases {
+		tc := tc
+		t.Run(tc.testName, func(t *testing.T) {
+			runTestSignVerbatim(t, tc.keyType)
+		})
+	}
+}
+
+func runTestSignVerbatim(t *testing.T, keyType string) {
+	// create the backend
+	b, storage := CreateBackendWithStorage(t)
+
+	// generate root
+	rootData := map[string]interface{}{
+		"common_name": "test.com",
+		"not_after":   "9999-12-31T23:59:59Z",
+	}
+
+	resp, err := b.HandleRequest(context.Background(), &logical.Request{
+		Operation:  logical.UpdateOperation,
+		Path:       "root/generate/internal",
+		Storage:    storage,
+		Data:       rootData,
+		MountPoint: "pki/",
+	})
+	if resp != nil && resp.IsError() {
+		t.Fatalf("failed to generate root, %#v", *resp)
+	}
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// create a CSR and key
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		t.Fatal(err)
+	}
+	csrReq := &x509.CertificateRequest{
+		Subject: pkix.Name{
+			CommonName: "foo.bar.com",
+		},
+		// Check that otherName extensions are not duplicated (see hashicorp/vault#16700).
+		// If these extensions are duplicated, sign-verbatim will fail when parsing the signed certificate on Go 1.19+ (see golang/go#50988).
+		// On older versions of Go this test will fail due to an explicit check for duplicate otherNames later in this test.
+		ExtraExtensions: []pkix.Extension{
+			{
+				Id:       oidExtensionSubjectAltName,
+				Critical: false,
+				Value:    []byte{0x30, 0x26, 0xA0, 0x24, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03, 0xA0, 0x16, 0x0C, 0x14, 0x75, 0x73, 0x65, 0x72, 0x6E, 0x61, 0x6D, 0x65, 0x40, 0x65, 0x78, 0x61, 0x6D, 0x70, 0x6C, 0x65, 0x2E, 0x63, 0x6F, 0x6D},
+			},
+		},
+	}
+	csr, err := x509.CreateCertificateRequest(rand.Reader, csrReq, key)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(csr) == 0 {
+		t.Fatal("generated csr is empty")
+	}
+	pemCSR := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE REQUEST",
+		Bytes: csr,
+	})))
+	if len(pemCSR) == 0 {
+		t.Fatal("pem csr is empty")
+	}
+
+	signVerbatimData := map[string]interface{}{
+		"csr": pemCSR,
+	}
+	if keyType == "rsa" {
+		signVerbatimData["signature_bits"] = 512
+	}
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation:  logical.UpdateOperation,
+		Path:       "sign-verbatim",
+		Storage:    storage,
+		Data:       signVerbatimData,
+		MountPoint: "pki/",
+	})
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("sign-verbatim"), logical.UpdateOperation), resp, true)
+
+	if resp != nil && resp.IsError() {
+		t.Fatalf("failed to sign-verbatim basic CSR: %#v", *resp)
+	}
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp.Secret != nil {
+		t.Fatal("secret is not nil")
+	}
+
+	// create a role entry; we use this to check that sign-verbatim when used with a role is still honoring TTLs
+	roleData := map[string]interface{}{
+		"ttl":                 "4h",
+		"max_ttl":             "8h",
+		"key_type":            keyType,
+		"not_before_duration": "2h",
+	}
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation:  logical.UpdateOperation,
+		Path:       "roles/test",
+		Storage:    storage,
+		Data:       roleData,
+		MountPoint: "pki/",
+	})
+	if resp != nil && resp.IsError() {
+		t.Fatalf("failed to create a role, %#v", *resp)
+	}
+	if err != nil {
+		t.Fatal(err)
+	}
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "sign-verbatim/test",
+		Storage:   storage,
+		Data: map[string]interface{}{
+			"csr": pemCSR,
+			"ttl": "5h",
+		},
+		MountPoint: "pki/",
+	})
+	if resp != nil && resp.IsError() {
+		t.Fatalf("failed to sign-verbatim ttl'd CSR: %#v", *resp)
+	}
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp.Secret != nil {
+		t.Fatal("got a lease when we should not have")
+	}
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "sign-verbatim/test",
+		Storage:   storage,
+		Data: map[string]interface{}{
+			"csr": pemCSR,
+			"ttl": "12h",
+		},
+		MountPoint: "pki/",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp != nil && resp.IsError() {
+		t.Fatalf(resp.Error().Error())
+	}
+	if resp.Data == nil || resp.Data["certificate"] == nil {
+		t.Fatal("did not get expected data")
+	}
+	certString := resp.Data["certificate"].(string)
+	block, _ := pem.Decode([]byte(certString))
+	if block == nil {
+		t.Fatal("nil pem block")
+	}
+	certs, err := x509.ParseCertificates(block.Bytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(certs) != 1 {
+		t.Fatalf("expected a single cert, got %d", len(certs))
+	}
+	cert := certs[0]
+	if math.Abs(float64(time.Now().Add(12*time.Hour).Unix()-cert.NotAfter.Unix())) < 10 {
+		t.Fatalf("sign-verbatim did not properly cap validity period (notAfter) on signed CSR: was %v vs requested %v but should've been %v", cert.NotAfter, time.Now().Add(12*time.Hour), time.Now().Add(8*time.Hour))
+	}
+	if math.Abs(float64(time.Now().Add(-2*time.Hour).Unix()-cert.NotBefore.Unix())) > 10 {
+		t.Fatalf("sign-verbatim did not properly cap validity period (notBefore) on signed CSR: was %v vs expected %v", cert.NotBefore, time.Now().Add(-2*time.Hour))
+	}
+
+	// Now check signing a certificate using the not_after input using the Y10K value
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "sign-verbatim/test",
+		Storage:   storage,
+		Data: map[string]interface{}{
+			"csr":       pemCSR,
+			"not_after": "9999-12-31T23:59:59Z",
+		},
+		MountPoint: "pki/",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp != nil && resp.IsError() {
+		t.Fatalf(resp.Error().Error())
+	}
+	if resp.Data == nil || resp.Data["certificate"] == nil {
+		t.Fatal("did not get expected data")
+	}
+	certString = resp.Data["certificate"].(string)
+	block, _ = pem.Decode([]byte(certString))
+	if block == nil {
+		t.Fatal("nil pem block")
+	}
+	certs, err = x509.ParseCertificates(block.Bytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(certs) != 1 {
+		t.Fatalf("expected a single cert, got %d", len(certs))
+	}
+	cert = certs[0]
+
+	// Fallback check for duplicate otherName, necessary on Go versions before 1.19.
+	// We assume that there is only one SAN in the original CSR and that it is an otherName.
+	san_count := 0
+	for _, ext := range cert.Extensions {
+		if ext.Id.Equal(oidExtensionSubjectAltName) {
+			san_count += 1
+		}
+	}
+	if san_count != 1 {
+		t.Fatalf("expected one SAN extension, got %d", san_count)
+	}
+
+	notAfter := cert.NotAfter.Format(time.RFC3339)
+	if notAfter != "9999-12-31T23:59:59Z" {
+		t.Fatal(fmt.Errorf("not after from certificate is not matching with input parameter"))
+	}
+
+	// now check that if we set generate-lease it takes it from the role and the TTLs match
+	roleData = map[string]interface{}{
+		"ttl":            "4h",
+		"max_ttl":        "8h",
+		"generate_lease": true,
+		"key_type":       keyType,
+	}
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation:  logical.UpdateOperation,
+		Path:       "roles/test",
+		Storage:    storage,
+		Data:       roleData,
+		MountPoint: "pki/",
+	})
+	if resp != nil && resp.IsError() {
+		t.Fatalf("failed to create a role, %#v", *resp)
+	}
+	if err != nil {
+		t.Fatal(err)
+	}
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "sign-verbatim/test",
+		Storage:   storage,
+		Data: map[string]interface{}{
+			"csr": pemCSR,
+			"ttl": "5h",
+		},
+		MountPoint: "pki/",
+	})
+	if resp != nil && resp.IsError() {
+		t.Fatalf("failed to sign-verbatim role-leased CSR: %#v", *resp)
+	}
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp.Secret == nil {
+		t.Fatalf("secret is nil, response is %#v", *resp)
+	}
+	if math.Abs(float64(resp.Secret.TTL-(5*time.Hour))) > float64(5*time.Hour) {
+		t.Fatalf("ttl not default; wanted %v, got %v", b.System().DefaultLeaseTTL(), resp.Secret.TTL)
+	}
+}
+
+func TestBackend_Root_Idempotency(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	// This is a change within 1.11, we are no longer idempotent across generate/internal calls.
+	resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
+		"common_name": "myvault.com",
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp, "expected ca info")
+	keyId1 := resp.Data["key_id"]
+	issuerId1 := resp.Data["issuer_id"]
+	cert := parseCert(t, resp.Data["certificate"].(string))
+	certSkid := certutil.GetHexFormatted(cert.SubjectKeyId, ":")
+
+	//  -> Validate the SKID matches between the root cert and the key
+	resp, err = CBRead(b, s, "key/"+keyId1.(keyID).String())
+	require.NoError(t, err)
+	require.NotNil(t, resp, "expected a response")
+	require.Equal(t, resp.Data["subject_key_id"], certSkid)
+
+	resp, err = CBRead(b, s, "cert/ca_chain")
+	require.NoError(t, err, "error reading ca_chain: %v", err)
+
+	r1Data := resp.Data
+
+	// Calling generate/internal should generate a new CA as well.
+	resp, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
+		"common_name": "myvault.com",
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp, "expected ca info")
+	keyId2 := resp.Data["key_id"]
+	issuerId2 := resp.Data["issuer_id"]
+	cert = parseCert(t, resp.Data["certificate"].(string))
+	certSkid = certutil.GetHexFormatted(cert.SubjectKeyId, ":")
+
+	//  -> Validate the SKID matches between the root cert and the key
+	resp, err = CBRead(b, s, "key/"+keyId2.(keyID).String())
+	require.NoError(t, err)
+	require.NotNil(t, resp, "expected a response")
+	require.Equal(t, resp.Data["subject_key_id"], certSkid)
+
+	// Make sure that we actually generated different issuer and key values
+	require.NotEqual(t, keyId1, keyId2)
+	require.NotEqual(t, issuerId1, issuerId2)
+
+	// Now because the issued CA's have no links, the call to ca_chain should return the same data (ca chain from default)
+	resp, err = CBRead(b, s, "cert/ca_chain")
+	require.NoError(t, err, "error reading ca_chain: %v", err)
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("cert/ca_chain"), logical.ReadOperation), resp, true)
+
+	r2Data := resp.Data
+	if !reflect.DeepEqual(r1Data, r2Data) {
+		t.Fatal("got different ca certs")
+	}
+
+	// Now let's validate that the import bundle is idempotent.
+	pemBundleRootCA := rootCACertPEM + "\n" + rootCAKeyPEM
+	resp, err = CBWrite(b, s, "config/ca", map[string]interface{}{
+		"pem_bundle": pemBundleRootCA,
+	})
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("config/ca"), logical.UpdateOperation), resp, true)
+
+	require.NoError(t, err)
+	require.NotNil(t, resp, "expected ca info")
+	firstMapping := resp.Data["mapping"].(map[string]string)
+	firstImportedKeys := resp.Data["imported_keys"].([]string)
+	firstImportedIssuers := resp.Data["imported_issuers"].([]string)
+	firstExistingKeys := resp.Data["existing_keys"].([]string)
+	firstExistingIssuers := resp.Data["existing_issuers"].([]string)
+
+	require.NotContains(t, firstImportedKeys, keyId1)
+	require.NotContains(t, firstImportedKeys, keyId2)
+	require.NotContains(t, firstImportedIssuers, issuerId1)
+	require.NotContains(t, firstImportedIssuers, issuerId2)
+	require.Empty(t, firstExistingKeys)
+	require.Empty(t, firstExistingIssuers)
+	require.NotEmpty(t, firstMapping)
+	require.Equal(t, 1, len(firstMapping))
+
+	var issuerId3 string
+	var keyId3 string
+	for i, k := range firstMapping {
+		issuerId3 = i
+		keyId3 = k
+	}
+
+	// Performing this again should result in no key/issuer ids being imported/generated.
+	resp, err = CBWrite(b, s, "config/ca", map[string]interface{}{
+		"pem_bundle": pemBundleRootCA,
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp, "expected ca info")
+	secondMapping := resp.Data["mapping"].(map[string]string)
+	secondImportedKeys := resp.Data["imported_keys"]
+	secondImportedIssuers := resp.Data["imported_issuers"]
+	secondExistingKeys := resp.Data["existing_keys"]
+	secondExistingIssuers := resp.Data["existing_issuers"]
+
+	require.Empty(t, secondImportedKeys)
+	require.Empty(t, secondImportedIssuers)
+	require.Contains(t, secondExistingKeys, keyId3)
+	require.Contains(t, secondExistingIssuers, issuerId3)
+	require.Equal(t, 1, len(secondMapping))
+
+	resp, err = CBDelete(b, s, "root")
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.Equal(t, 1, len(resp.Warnings))
+
+	// Make sure we can delete twice...
+	resp, err = CBDelete(b, s, "root")
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.Equal(t, 1, len(resp.Warnings))
+
+	_, err = CBRead(b, s, "cert/ca_chain")
+	require.Error(t, err, "expected an error fetching deleted ca_chain")
+
+	// We should be able to import the same ca bundle as before and get a different key/issuer ids
+	resp, err = CBWrite(b, s, "config/ca", map[string]interface{}{
+		"pem_bundle": pemBundleRootCA,
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp, "expected ca info")
+	postDeleteImportedKeys := resp.Data["imported_keys"]
+	postDeleteImportedIssuers := resp.Data["imported_issuers"]
+
+	// Make sure that we actually generated different issuer and key values, then the previous import
+	require.NotNil(t, postDeleteImportedKeys)
+	require.NotNil(t, postDeleteImportedIssuers)
+	require.NotEqual(t, postDeleteImportedKeys, firstImportedKeys)
+	require.NotEqual(t, postDeleteImportedIssuers, firstImportedIssuers)
+
+	resp, err = CBRead(b, s, "cert/ca_chain")
+	require.NoError(t, err)
+
+	caChainPostDelete := resp.Data
+	if reflect.DeepEqual(r1Data, caChainPostDelete) {
+		t.Fatal("ca certs from ca_chain were the same post delete, should have changed.")
+	}
+}
+
+func TestBackend_SignIntermediate_AllowedPastCAValidity(t *testing.T) {
+	t.Parallel()
+	b_root, s_root := CreateBackendWithStorage(t)
+	b_int, s_int := CreateBackendWithStorage(t)
+	var err error
+
+	// Direct issuing from root
+	_, err = CBWrite(b_root, s_root, "root/generate/internal", map[string]interface{}{
+		"ttl":         "40h",
+		"common_name": "myvault.com",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = CBWrite(b_root, s_root, "roles/test", map[string]interface{}{
+		"allow_bare_domains": true,
+		"allow_subdomains":   true,
+		"allow_any_name":     true,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	resp, err := CBWrite(b_int, s_int, "intermediate/generate/internal", map[string]interface{}{
+		"common_name": "myint.com",
+	})
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b_root.Route("intermediate/generate/internal"), logical.UpdateOperation), resp, true)
+	require.Contains(t, resp.Data, "key_id")
+	intKeyId := resp.Data["key_id"].(keyID)
+	csr := resp.Data["csr"]
+
+	resp, err = CBRead(b_int, s_int, "key/"+intKeyId.String())
+	require.NoError(t, err)
+	require.NotNil(t, resp, "expected a response")
+	intSkid := resp.Data["subject_key_id"].(string)
+
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = CBWrite(b_root, s_root, "sign/test", map[string]interface{}{
+		"common_name": "myint.com",
+		"csr":         csr,
+		"ttl":         "60h",
+	})
+	require.ErrorContains(t, err, "that is beyond the expiration of the CA certificate")
+
+	_, err = CBWrite(b_root, s_root, "sign-verbatim/test", map[string]interface{}{
+		"common_name": "myint.com",
+		"other_sans":  "1.3.6.1.4.1.311.20.2.3;utf8:caadmin@example.com",
+		"csr":         csr,
+		"ttl":         "60h",
+	})
+	require.ErrorContains(t, err, "that is beyond the expiration of the CA certificate")
+
+	resp, err = CBWrite(b_root, s_root, "root/sign-intermediate", map[string]interface{}{
+		"common_name": "myint.com",
+		"other_sans":  "1.3.6.1.4.1.311.20.2.3;utf8:caadmin@example.com",
+		"csr":         csr,
+		"ttl":         "60h",
+	})
+	if err != nil {
+		t.Fatalf("got error: %v", err)
+	}
+	if resp == nil {
+		t.Fatal("got nil response")
+	}
+	if len(resp.Warnings) == 0 {
+		t.Fatalf("expected warnings, got %#v", *resp)
+	}
+
+	cert := parseCert(t, resp.Data["certificate"].(string))
+	certSkid := certutil.GetHexFormatted(cert.SubjectKeyId, ":")
+	require.Equal(t, intSkid, certSkid)
+}
+
+func TestBackend_ConsulSignLeafWithLegacyRole(t *testing.T) {
+	t.Parallel()
+	// create the backend
+	b, s := CreateBackendWithStorage(t)
+
+	// generate root
+	data, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
+		"ttl":         "40h",
+		"common_name": "myvault.com",
+	})
+	require.NoError(t, err, "failed generating internal root cert")
+	rootCaPem := data.Data["certificate"].(string)
+
+	// Create a signing role like Consul did with the default args prior to Vault 1.10
+	_, err = CBWrite(b, s, "roles/test", map[string]interface{}{
+		"allow_any_name":         true,
+		"allowed_serial_numbers": []string{"MySerialNumber"},
+		"key_type":               "any",
+		"key_bits":               "2048",
+		"signature_bits":         "256",
+	})
+	require.NoError(t, err, "failed creating legacy role")
+
+	_, csrPem := generateTestCsr(t, certutil.ECPrivateKey, 256)
+	data, err = CBWrite(b, s, "sign/test", map[string]interface{}{
+		"csr": csrPem,
+	})
+	require.NoError(t, err, "failed signing csr")
+	certAsPem := data.Data["certificate"].(string)
+
+	signedCert := parseCert(t, certAsPem)
+	rootCert := parseCert(t, rootCaPem)
+	requireSignedBy(t, signedCert, rootCert)
+}
+
+func TestBackend_SignSelfIssued(t *testing.T) {
+	t.Parallel()
+	// create the backend
+	b, storage := CreateBackendWithStorage(t)
+
+	// generate root
+	rootData := map[string]interface{}{
+		"common_name": "test.com",
+		"ttl":         "172800",
+	}
+
+	resp, err := b.HandleRequest(context.Background(), &logical.Request{
+		Operation:  logical.UpdateOperation,
+		Path:       "root/generate/internal",
+		Storage:    storage,
+		Data:       rootData,
+		MountPoint: "pki/",
+	})
+	if resp != nil && resp.IsError() {
+		t.Fatalf("failed to generate root, %#v", *resp)
+	}
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	template := &x509.Certificate{
+		Subject: pkix.Name{
+			CommonName: "foo.bar.com",
+		},
+		SerialNumber:          big.NewInt(1234),
+		IsCA:                  false,
+		BasicConstraintsValid: true,
+	}
+
+	ss, _ := getSelfSigned(t, template, template, key)
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "root/sign-self-issued",
+		Storage:   storage,
+		Data: map[string]interface{}{
+			"certificate": ss,
+		},
+		MountPoint: "pki/",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil {
+		t.Fatal("got nil response")
+	}
+	if !resp.IsError() {
+		t.Fatalf("expected error due to non-CA; got: %#v", *resp)
+	}
+
+	// Set CA to true, but leave issuer alone
+	template.IsCA = true
+
+	issuer := &x509.Certificate{
+		Subject: pkix.Name{
+			CommonName: "bar.foo.com",
+		},
+		SerialNumber:          big.NewInt(2345),
+		IsCA:                  true,
+		BasicConstraintsValid: true,
+	}
+	ss, ssCert := getSelfSigned(t, template, issuer, key)
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "root/sign-self-issued",
+		Storage:   storage,
+		Data: map[string]interface{}{
+			"certificate": ss,
+		},
+		MountPoint: "pki/",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil {
+		t.Fatal("got nil response")
+	}
+	if !resp.IsError() {
+		t.Fatalf("expected error due to different issuer; cert info is\nIssuer\n%#v\nSubject\n%#v\n", ssCert.Issuer, ssCert.Subject)
+	}
+
+	ss, _ = getSelfSigned(t, template, template, key)
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "root/sign-self-issued",
+		Storage:   storage,
+		Data: map[string]interface{}{
+			"certificate": ss,
+		},
+		MountPoint: "pki/",
+	})
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("root/sign-self-issued"), logical.UpdateOperation), resp, true)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil {
+		t.Fatal("got nil response")
+	}
+	if resp.IsError() {
+		t.Fatalf("error in response: %s", resp.Error().Error())
+	}
+
+	newCertString := resp.Data["certificate"].(string)
+	block, _ := pem.Decode([]byte(newCertString))
+	newCert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	sc := b.makeStorageContext(context.Background(), storage)
+	signingBundle, err := sc.fetchCAInfo(defaultRef, ReadOnlyUsage)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if reflect.DeepEqual(newCert.Subject, newCert.Issuer) {
+		t.Fatal("expected different subject/issuer")
+	}
+	if !reflect.DeepEqual(newCert.Issuer, signingBundle.Certificate.Subject) {
+		t.Fatalf("expected matching issuer/CA subject\n\nIssuer:\n%#v\nSubject:\n%#v\n", newCert.Issuer, signingBundle.Certificate.Subject)
+	}
+	if bytes.Equal(newCert.AuthorityKeyId, newCert.SubjectKeyId) {
+		t.Fatal("expected different authority/subject")
+	}
+	if !bytes.Equal(newCert.AuthorityKeyId, signingBundle.Certificate.SubjectKeyId) {
+		t.Fatal("expected authority on new cert to be same as signing subject")
+	}
+	if newCert.Subject.CommonName != "foo.bar.com" {
+		t.Fatalf("unexpected common name on new cert: %s", newCert.Subject.CommonName)
+	}
+}
+
+// TestBackend_SignSelfIssued_DifferentTypes tests the functionality of the
+// require_matching_certificate_algorithms flag.
+func TestBackend_SignSelfIssued_DifferentTypes(t *testing.T) {
+	t.Parallel()
+	// create the backend
+	b, storage := CreateBackendWithStorage(t)
+
+	// generate root
+	rootData := map[string]interface{}{
+		"common_name": "test.com",
+		"ttl":         "172800",
+		"key_type":    "ec",
+		"key_bits":    "521",
+	}
+
+	resp, err := b.HandleRequest(context.Background(), &logical.Request{
+		Operation:  logical.UpdateOperation,
+		Path:       "root/generate/internal",
+		Storage:    storage,
+		Data:       rootData,
+		MountPoint: "pki/",
+	})
+	if resp != nil && resp.IsError() {
+		t.Fatalf("failed to generate root, %#v", *resp)
+	}
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	template := &x509.Certificate{
+		Subject: pkix.Name{
+			CommonName: "foo.bar.com",
+		},
+		SerialNumber:          big.NewInt(1234),
+		IsCA:                  true,
+		BasicConstraintsValid: true,
+	}
+
+	// Tests absent the flag
+	ss, _ := getSelfSigned(t, template, template, key)
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "root/sign-self-issued",
+		Storage:   storage,
+		Data: map[string]interface{}{
+			"certificate": ss,
+		},
+		MountPoint: "pki/",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil {
+		t.Fatal("got nil response")
+	}
+
+	// Set CA to true, but leave issuer alone
+	template.IsCA = true
+
+	// Tests with flag present but false
+	ss, _ = getSelfSigned(t, template, template, key)
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "root/sign-self-issued",
+		Storage:   storage,
+		Data: map[string]interface{}{
+			"certificate": ss,
+			"require_matching_certificate_algorithms": false,
+		},
+		MountPoint: "pki/",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil {
+		t.Fatal("got nil response")
+	}
+
+	// Test with flag present and true
+	ss, _ = getSelfSigned(t, template, template, key)
+	_, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "root/sign-self-issued",
+		Storage:   storage,
+		Data: map[string]interface{}{
+			"certificate": ss,
+			"require_matching_certificate_algorithms": true,
+		},
+		MountPoint: "pki/",
+	})
+	if err == nil {
+		t.Fatal("expected error due to mismatched algorithms")
+	}
+}
+
+// This is a really tricky test because the Go stdlib asn1 package is incapable
+// of doing the right thing with custom OID SANs (see comments in the package,
+// it's readily admitted that it's too magic) but that means that any
+// validation logic written for this test isn't being independently verified,
+// as in, if cryptobytes is used to decode it to make the test work, that
+// doesn't mean we're encoding and decoding correctly, only that we made the
+// test pass. Instead, when run verbosely it will first perform a bunch of
+// checks to verify that the OID SAN logic doesn't screw up other SANs, then
+// will spit out the PEM. This can be validated independently.
+//
+// You want the hex dump of the octet string corresponding to the X509v3
+// Subject Alternative Name. There's a nice online utility at
+// https://lapo.it/asn1js that can be used to view the structure of an
+// openssl-generated other SAN at
+// https://lapo.it/asn1js/#3022A020060A2B060104018237140203A0120C106465766F7073406C6F63616C686F7374
+// (openssl asn1parse can also be used with -strparse using an offset of the
+// hex blob for the subject alternative names extension).
+//
+// The structure output from here should match that precisely (even if the OID
+// itself doesn't) in the second test.
+//
+// The test that encodes two should have them be in separate elements in the
+// top-level sequence; see
+// https://lapo.it/asn1js/#3046A020060A2B060104018237140203A0120C106465766F7073406C6F63616C686F7374A022060A2B060104018237140204A0140C12322D6465766F7073406C6F63616C686F7374 for an openssl-generated example.
+//
+// The good news is that it's valid to simply copy and paste the PEM output from
+// here into the form at that site as it will do the right thing so it's pretty
+// easy to validate.
+func TestBackend_OID_SANs(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	var err error
+	var resp *logical.Response
+	var certStr string
+	var block *pem.Block
+	var cert *x509.Certificate
+
+	_, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
+		"ttl":         "40h",
+		"common_name": "myvault.com",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = CBWrite(b, s, "roles/test", map[string]interface{}{
+		"allowed_domains":    []string{"foobar.com", "zipzap.com"},
+		"allow_bare_domains": true,
+		"allow_subdomains":   true,
+		"allow_ip_sans":      true,
+		"allowed_other_sans": "1.3.6.1.4.1.311.20.2.3;UTF8:devops@*,1.3.6.1.4.1.311.20.2.4;utf8:d*e@foobar.com",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Get a baseline before adding OID SANs. In the next sections we'll verify
+	// that the SANs are all added even as the OID SAN inclusion forces other
+	// adding logic (custom rather than built-in Golang logic)
+	resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
+		"common_name": "foobar.com",
+		"ip_sans":     "1.2.3.4",
+		"alt_names":   "foobar.com,foo.foobar.com,bar.foobar.com",
+		"ttl":         "1h",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	certStr = resp.Data["certificate"].(string)
+	block, _ = pem.Decode([]byte(certStr))
+	cert, err = x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if cert.IPAddresses[0].String() != "1.2.3.4" {
+		t.Fatalf("unexpected IP SAN %q", cert.IPAddresses[0].String())
+	}
+	if len(cert.DNSNames) != 3 ||
+		cert.DNSNames[0] != "bar.foobar.com" ||
+		cert.DNSNames[1] != "foo.foobar.com" ||
+		cert.DNSNames[2] != "foobar.com" {
+		t.Fatalf("unexpected DNS SANs %v", cert.DNSNames)
+	}
+
+	// First test some bad stuff that shouldn't work
+	_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
+		"common_name": "foobar.com",
+		"ip_sans":     "1.2.3.4",
+		"alt_names":   "foo.foobar.com,bar.foobar.com",
+		"ttl":         "1h",
+		// Not a valid value for the first possibility
+		"other_sans": "1.3.6.1.4.1.311.20.2.3;UTF8:devop@nope.com",
+	})
+	if err == nil {
+		t.Fatal("expected error")
+	}
+
+	_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
+		"common_name": "foobar.com",
+		"ip_sans":     "1.2.3.4",
+		"alt_names":   "foo.foobar.com,bar.foobar.com",
+		"ttl":         "1h",
+		// Not a valid OID for the first possibility
+		"other_sans": "1.3.6.1.4.1.311.20.2.5;UTF8:devops@nope.com",
+	})
+	if err == nil {
+		t.Fatal("expected error")
+	}
+
+	_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
+		"common_name": "foobar.com",
+		"ip_sans":     "1.2.3.4",
+		"alt_names":   "foo.foobar.com,bar.foobar.com",
+		"ttl":         "1h",
+		// Not a valid name for the second possibility
+		"other_sans": "1.3.6.1.4.1.311.20.2.4;UTF8:d34g@foobar.com",
+	})
+	if err == nil {
+		t.Fatal("expected error")
+	}
+
+	_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
+		"common_name": "foobar.com",
+		"ip_sans":     "1.2.3.4",
+		"alt_names":   "foo.foobar.com,bar.foobar.com",
+		"ttl":         "1h",
+		// Not a valid OID for the second possibility
+		"other_sans": "1.3.6.1.4.1.311.20.2.5;UTF8:d34e@foobar.com",
+	})
+	if err == nil {
+		t.Fatal("expected error")
+	}
+
+	_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
+		"common_name": "foobar.com",
+		"ip_sans":     "1.2.3.4",
+		"alt_names":   "foo.foobar.com,bar.foobar.com",
+		"ttl":         "1h",
+		// Not a valid type
+		"other_sans": "1.3.6.1.4.1.311.20.2.5;UTF2:d34e@foobar.com",
+	})
+	if err == nil {
+		t.Fatal("expected error")
+	}
+
+	// Valid for first possibility
+	resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
+		"common_name": "foobar.com",
+		"ip_sans":     "1.2.3.4",
+		"alt_names":   "foo.foobar.com,bar.foobar.com",
+		"ttl":         "1h",
+		"other_sans":  "1.3.6.1.4.1.311.20.2.3;utf8:devops@nope.com",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	certStr = resp.Data["certificate"].(string)
+	block, _ = pem.Decode([]byte(certStr))
+	cert, err = x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if cert.IPAddresses[0].String() != "1.2.3.4" {
+		t.Fatalf("unexpected IP SAN %q", cert.IPAddresses[0].String())
+	}
+	if len(cert.DNSNames) != 3 ||
+		cert.DNSNames[0] != "bar.foobar.com" ||
+		cert.DNSNames[1] != "foo.foobar.com" ||
+		cert.DNSNames[2] != "foobar.com" {
+		t.Fatalf("unexpected DNS SANs %v", cert.DNSNames)
+	}
+	if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
+		t.Logf("certificate 1 to check:\n%s", certStr)
+	}
+
+	// Valid for second possibility
+	resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
+		"common_name": "foobar.com",
+		"ip_sans":     "1.2.3.4",
+		"alt_names":   "foo.foobar.com,bar.foobar.com",
+		"ttl":         "1h",
+		"other_sans":  "1.3.6.1.4.1.311.20.2.4;UTF8:d234e@foobar.com",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	certStr = resp.Data["certificate"].(string)
+	block, _ = pem.Decode([]byte(certStr))
+	cert, err = x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if cert.IPAddresses[0].String() != "1.2.3.4" {
+		t.Fatalf("unexpected IP SAN %q", cert.IPAddresses[0].String())
+	}
+	if len(cert.DNSNames) != 3 ||
+		cert.DNSNames[0] != "bar.foobar.com" ||
+		cert.DNSNames[1] != "foo.foobar.com" ||
+		cert.DNSNames[2] != "foobar.com" {
+		t.Fatalf("unexpected DNS SANs %v", cert.DNSNames)
+	}
+	if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
+		t.Logf("certificate 2 to check:\n%s", certStr)
+	}
+
+	// Valid for both
+	oid1, type1, val1 := "1.3.6.1.4.1.311.20.2.3", "utf8", "devops@nope.com"
+	oid2, type2, val2 := "1.3.6.1.4.1.311.20.2.4", "utf-8", "d234e@foobar.com"
+	otherNames := []string{
+		fmt.Sprintf("%s;%s:%s", oid1, type1, val1),
+		fmt.Sprintf("%s;%s:%s", oid2, type2, val2),
+	}
+	resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
+		"common_name": "foobar.com",
+		"ip_sans":     "1.2.3.4",
+		"alt_names":   "foo.foobar.com,bar.foobar.com",
+		"ttl":         "1h",
+		"other_sans":  strings.Join(otherNames, ","),
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	certStr = resp.Data["certificate"].(string)
+	block, _ = pem.Decode([]byte(certStr))
+	cert, err = x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if cert.IPAddresses[0].String() != "1.2.3.4" {
+		t.Fatalf("unexpected IP SAN %q", cert.IPAddresses[0].String())
+	}
+	if len(cert.DNSNames) != 3 ||
+		cert.DNSNames[0] != "bar.foobar.com" ||
+		cert.DNSNames[1] != "foo.foobar.com" ||
+		cert.DNSNames[2] != "foobar.com" {
+		t.Fatalf("unexpected DNS SANs %v", cert.DNSNames)
+	}
+	expectedOtherNames := []otherNameUtf8{{oid1, val1}, {oid2, val2}}
+	foundOtherNames, err := getOtherSANsFromX509Extensions(cert.Extensions)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if diff := deep.Equal(expectedOtherNames, foundOtherNames); len(diff) != 0 {
+		t.Errorf("unexpected otherNames: %v", diff)
+	}
+	if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
+		t.Logf("certificate 3 to check:\n%s", certStr)
+	}
+}
+
+func TestBackend_AllowedSerialNumbers(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	var err error
+	var resp *logical.Response
+	var certStr string
+	var block *pem.Block
+	var cert *x509.Certificate
+
+	_, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
+		"ttl":         "40h",
+		"common_name": "myvault.com",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// First test that Serial Numbers are not allowed
+	_, err = CBWrite(b, s, "roles/test", map[string]interface{}{
+		"allow_any_name":    true,
+		"enforce_hostnames": false,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
+		"common_name": "foobar",
+		"ttl":         "1h",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
+		"common_name":   "foobar",
+		"ttl":           "1h",
+		"serial_number": "foobar",
+	})
+	if err == nil {
+		t.Fatal("expected error")
+	}
+
+	// Update the role to allow serial numbers
+	_, err = CBWrite(b, s, "roles/test", map[string]interface{}{
+		"allow_any_name":         true,
+		"enforce_hostnames":      false,
+		"allowed_serial_numbers": "f00*,b4r*",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
+		"common_name": "foobar",
+		"ttl":         "1h",
+		// Not a valid serial number
+		"serial_number": "foobar",
+	})
+	if err == nil {
+		t.Fatal("expected error")
+	}
+
+	// Valid for first possibility
+	resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
+		"common_name":   "foobar",
+		"serial_number": "f00bar",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	certStr = resp.Data["certificate"].(string)
+	block, _ = pem.Decode([]byte(certStr))
+	cert, err = x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if cert.Subject.SerialNumber != "f00bar" {
+		t.Fatalf("unexpected Subject SerialNumber %s", cert.Subject.SerialNumber)
+	}
+	if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
+		t.Logf("certificate 1 to check:\n%s", certStr)
+	}
+
+	// Valid for second possibility
+	resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
+		"common_name":   "foobar",
+		"serial_number": "b4rf00",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	certStr = resp.Data["certificate"].(string)
+	block, _ = pem.Decode([]byte(certStr))
+	cert, err = x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if cert.Subject.SerialNumber != "b4rf00" {
+		t.Fatalf("unexpected Subject SerialNumber %s", cert.Subject.SerialNumber)
+	}
+	if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
+		t.Logf("certificate 2 to check:\n%s", certStr)
+	}
+}
+
+func TestBackend_URI_SANs(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	var err error
+
+	_, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
+		"ttl":         "40h",
+		"common_name": "myvault.com",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = CBWrite(b, s, "roles/test", map[string]interface{}{
+		"allowed_domains":    []string{"foobar.com", "zipzap.com"},
+		"allow_bare_domains": true,
+		"allow_subdomains":   true,
+		"allow_ip_sans":      true,
+		"allowed_uri_sans":   []string{"http://someuri/abc", "spiffe://host.com/*"},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// First test some bad stuff that shouldn't work
+	_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
+		"common_name": "foobar.com",
+		"ip_sans":     "1.2.3.4",
+		"alt_names":   "foo.foobar.com,bar.foobar.com",
+		"ttl":         "1h",
+		"uri_sans":    "http://www.mydomain.com/zxf",
+	})
+	if err == nil {
+		t.Fatal("expected error")
+	}
+
+	// Test valid single entry
+	_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
+		"common_name": "foobar.com",
+		"ip_sans":     "1.2.3.4",
+		"alt_names":   "foo.foobar.com,bar.foobar.com",
+		"ttl":         "1h",
+		"uri_sans":    "http://someuri/abc",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Test globed entry
+	_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
+		"common_name": "foobar.com",
+		"ip_sans":     "1.2.3.4",
+		"alt_names":   "foo.foobar.com,bar.foobar.com",
+		"ttl":         "1h",
+		"uri_sans":    "spiffe://host.com/something",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Test multiple entries
+	resp, err := CBWrite(b, s, "issue/test", map[string]interface{}{
+		"common_name": "foobar.com",
+		"ip_sans":     "1.2.3.4",
+		"alt_names":   "foo.foobar.com,bar.foobar.com",
+		"ttl":         "1h",
+		"uri_sans":    "spiffe://host.com/something,http://someuri/abc",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	certStr := resp.Data["certificate"].(string)
+	block, _ := pem.Decode([]byte(certStr))
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	URI0, _ := url.Parse("spiffe://host.com/something")
+	URI1, _ := url.Parse("http://someuri/abc")
+
+	if len(cert.URIs) != 2 {
+		t.Fatalf("expected 2 valid URIs SANs %v", cert.URIs)
+	}
+
+	if cert.URIs[0].String() != URI0.String() || cert.URIs[1].String() != URI1.String() {
+		t.Fatalf(
+			"expected URIs SANs %v to equal provided values spiffe://host.com/something, http://someuri/abc",
+			cert.URIs)
+	}
+}
+
+func TestBackend_AllowedURISANsTemplate(t *testing.T) {
+	t.Parallel()
+	coreConfig := &vault.CoreConfig{
+		CredentialBackends: map[string]logical.Factory{
+			"userpass": userpass.Factory,
+		},
+		LogicalBackends: map[string]logical.Factory{
+			"pki": Factory,
+		},
+	}
+	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
+		HandlerFunc: vaulthttp.Handler,
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
+	client := cluster.Cores[0].Client
+
+	// Write test policy for userpass auth method.
+	err := client.Sys().PutPolicy("test", `
+   path "pki/*" {
+     capabilities = ["update"]
+   }`)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Enable userpass auth method.
+	if err := client.Sys().EnableAuth("userpass", "userpass", ""); err != nil {
+		t.Fatal(err)
+	}
+
+	// Configure test role for userpass.
+	if _, err := client.Logical().Write("auth/userpass/users/userpassname", map[string]interface{}{
+		"password": "test",
+		"policies": "test",
+	}); err != nil {
+		t.Fatal(err)
+	}
+
+	// Login userpass for test role and keep client token.
+	secret, err := client.Logical().Write("auth/userpass/login/userpassname", map[string]interface{}{
+		"password": "test",
+	})
+	if err != nil || secret == nil {
+		t.Fatal(err)
+	}
+	userpassToken := secret.Auth.ClientToken
+
+	// Get auth accessor for identity template.
+	auths, err := client.Sys().ListAuth()
+	if err != nil {
+		t.Fatal(err)
+	}
+	userpassAccessor := auths["userpass/"].Accessor
+
+	// Mount PKI.
+	err = client.Sys().Mount("pki", &api.MountInput{
+		Type: "pki",
+		Config: api.MountConfigInput{
+			DefaultLeaseTTL: "16h",
+			MaxLeaseTTL:     "60h",
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Generate internal CA.
+	_, err = client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
+		"ttl":         "40h",
+		"common_name": "myvault.com",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Write role PKI.
+	_, err = client.Logical().Write("pki/roles/test", map[string]interface{}{
+		"allowed_uri_sans": []string{
+			"spiffe://domain/{{identity.entity.aliases." + userpassAccessor + ".name}}",
+			"spiffe://domain/{{identity.entity.aliases." + userpassAccessor + ".name}}/*", "spiffe://domain/foo",
+		},
+		"allowed_uri_sans_template": true,
+		"require_cn":                false,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Issue certificate with identity templating
+	client.SetToken(userpassToken)
+	_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"uri_sans": "spiffe://domain/userpassname, spiffe://domain/foo"})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Issue certificate with identity templating and glob
+	client.SetToken(userpassToken)
+	_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"uri_sans": "spiffe://domain/userpassname/bar"})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Issue certificate with non-matching identity template parameter
+	client.SetToken(userpassToken)
+	_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"uri_sans": "spiffe://domain/unknownuser"})
+	if err == nil {
+		t.Fatal(err)
+	}
+
+	// Set allowed_uri_sans_template to false.
+	_, err = client.Logical().Write("pki/roles/test", map[string]interface{}{
+		"allowed_uri_sans_template": false,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Issue certificate with userpassToken.
+	_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"uri_sans": "spiffe://domain/users/userpassname"})
+	if err == nil {
+		t.Fatal("expected error")
+	}
+}
+
+func TestBackend_AllowedDomainsTemplate(t *testing.T) {
+	t.Parallel()
+	coreConfig := &vault.CoreConfig{
+		CredentialBackends: map[string]logical.Factory{
+			"userpass": userpass.Factory,
+		},
+		LogicalBackends: map[string]logical.Factory{
+			"pki": Factory,
+		},
+	}
+	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
+		HandlerFunc: vaulthttp.Handler,
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
+	client := cluster.Cores[0].Client
+
+	// Write test policy for userpass auth method.
+	err := client.Sys().PutPolicy("test", `
+   path "pki/*" {  
+     capabilities = ["update"]
+   }`)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Enable userpass auth method.
+	if err := client.Sys().EnableAuth("userpass", "userpass", ""); err != nil {
+		t.Fatal(err)
+	}
+
+	// Configure test role for userpass.
+	if _, err := client.Logical().Write("auth/userpass/users/userpassname", map[string]interface{}{
+		"password": "test",
+		"policies": "test",
+	}); err != nil {
+		t.Fatal(err)
+	}
+
+	// Login userpass for test role and set client token
+	userpassAuth, err := auth.NewUserpassAuth("userpassname", &auth.Password{FromString: "test"})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Get auth accessor for identity template.
+	auths, err := client.Sys().ListAuth()
+	if err != nil {
+		t.Fatal(err)
+	}
+	userpassAccessor := auths["userpass/"].Accessor
+
+	// Mount PKI.
+	err = client.Sys().Mount("pki", &api.MountInput{
+		Type: "pki",
+		Config: api.MountConfigInput{
+			DefaultLeaseTTL: "16h",
+			MaxLeaseTTL:     "60h",
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Generate internal CA.
+	_, err = client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
+		"ttl":         "40h",
+		"common_name": "myvault.com",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Write role PKI.
+	_, err = client.Logical().Write("pki/roles/test", map[string]interface{}{
+		"allowed_domains": []string{
+			"foobar.com", "zipzap.com", "{{identity.entity.aliases." + userpassAccessor + ".name}}",
+			"foo.{{identity.entity.aliases." + userpassAccessor + ".name}}.example.com",
+		},
+		"allowed_domains_template": true,
+		"allow_bare_domains":       true,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Issue certificate with userpassToken.
+	secret, err := client.Auth().Login(context.TODO(), userpassAuth)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err != nil || secret == nil {
+		t.Fatal(err)
+	}
+	_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"common_name": "userpassname"})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Issue certificate for foobar.com to verify allowed_domain_template doesn't break plain domains.
+	_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"common_name": "foobar.com"})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Issue certificate for unknown userpassname.
+	_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"common_name": "unknownuserpassname"})
+	if err == nil {
+		t.Fatal("expected error")
+	}
+
+	// Issue certificate for foo.userpassname.domain.
+	_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"common_name": "foo.userpassname.example.com"})
+	if err != nil {
+		t.Fatal("expected error")
+	}
+
+	// Set allowed_domains_template to false.
+	_, err = client.Logical().Write("pki/roles/test", map[string]interface{}{
+		"allowed_domains_template": false,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Issue certificate with userpassToken.
+	_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"common_name": "userpassname"})
+	if err == nil {
+		t.Fatal("expected error")
+	}
+}
+
+func TestReadWriteDeleteRoles(t *testing.T) {
+	t.Parallel()
+	ctx := context.Background()
+	coreConfig := &vault.CoreConfig{
+		CredentialBackends: map[string]logical.Factory{
+			"userpass": userpass.Factory,
+		},
+		LogicalBackends: map[string]logical.Factory{
+			"pki": Factory,
+		},
+	}
+	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
+		HandlerFunc: vaulthttp.Handler,
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
+	client := cluster.Cores[0].Client
+
+	// Mount PKI.
+	err := client.Sys().MountWithContext(ctx, "pki", &api.MountInput{
+		Type: "pki",
+		Config: api.MountConfigInput{
+			DefaultLeaseTTL: "16h",
+			MaxLeaseTTL:     "60h",
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	resp, err := client.Logical().ReadWithContext(ctx, "pki/roles/test")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if resp != nil {
+		t.Fatalf("response should have been emtpy but was:\n%#v", resp)
+	}
+
+	// Write role PKI.
+	_, err = client.Logical().WriteWithContext(ctx, "pki/roles/test", map[string]interface{}{})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Read the role.
+	resp, err = client.Logical().ReadWithContext(ctx, "pki/roles/test")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if resp.Data == nil {
+		t.Fatal("default data within response was nil when it should have contained data")
+	}
+
+	// Validate that we have not changed any defaults unknowingly
+	expectedData := map[string]interface{}{
+		"key_type":                           "rsa",
+		"use_csr_sans":                       true,
+		"client_flag":                        true,
+		"allowed_serial_numbers":             []interface{}{},
+		"generate_lease":                     false,
+		"signature_bits":                     json.Number("256"),
+		"use_pss":                            false,
+		"allowed_domains":                    []interface{}{},
+		"allowed_uri_sans_template":          false,
+		"enforce_hostnames":                  true,
+		"policy_identifiers":                 []interface{}{},
+		"require_cn":                         true,
+		"allowed_domains_template":           false,
+		"allow_token_displayname":            false,
+		"country":                            []interface{}{},
+		"not_after":                          "",
+		"postal_code":                        []interface{}{},
+		"use_csr_common_name":                true,
+		"allow_localhost":                    true,
+		"allow_subdomains":                   false,
+		"allow_wildcard_certificates":        true,
+		"allowed_other_sans":                 []interface{}{},
+		"allowed_uri_sans":                   []interface{}{},
+		"basic_constraints_valid_for_non_ca": false,
+		"key_usage":                          []interface{}{"DigitalSignature", "KeyAgreement", "KeyEncipherment"},
+		"not_before_duration":                json.Number("30"),
+		"allow_glob_domains":                 false,
+		"ttl":                                json.Number("0"),
+		"ou":                                 []interface{}{},
+		"email_protection_flag":              false,
+		"locality":                           []interface{}{},
+		"server_flag":                        true,
+		"allow_bare_domains":                 false,
+		"allow_ip_sans":                      true,
+		"ext_key_usage_oids":                 []interface{}{},
+		"allow_any_name":                     false,
+		"ext_key_usage":                      []interface{}{},
+		"key_bits":                           json.Number("2048"),
+		"max_ttl":                            json.Number("0"),
+		"no_store":                           false,
+		"organization":                       []interface{}{},
+		"province":                           []interface{}{},
+		"street_address":                     []interface{}{},
+		"code_signing_flag":                  false,
+		"issuer_ref":                         "default",
+		"cn_validations":                     []interface{}{"email", "hostname"},
+		"allowed_user_ids":                   []interface{}{},
+	}
+
+	if diff := deep.Equal(expectedData, resp.Data); len(diff) > 0 {
+		t.Fatalf("pki role default values have changed, diff: %v", diff)
+	}
+
+	_, err = client.Logical().DeleteWithContext(ctx, "pki/roles/test")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	resp, err = client.Logical().ReadWithContext(ctx, "pki/roles/test")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if resp != nil {
+		t.Fatalf("response should have been empty but was:\n%#v", resp)
+	}
+}
+
+func setCerts() {
+	cak, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		panic(err)
+	}
+	marshaledKey, err := x509.MarshalECPrivateKey(cak)
+	if err != nil {
+		panic(err)
+	}
+	keyPEMBlock := &pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: marshaledKey,
+	}
+	ecCAKey = strings.TrimSpace(string(pem.EncodeToMemory(keyPEMBlock)))
+	if err != nil {
+		panic(err)
+	}
+	subjKeyID, err := certutil.GetSubjKeyID(cak)
+	if err != nil {
+		panic(err)
+	}
+	caCertTemplate := &x509.Certificate{
+		Subject: pkix.Name{
+			CommonName: "root.localhost",
+		},
+		SubjectKeyId:          subjKeyID,
+		DNSNames:              []string{"root.localhost"},
+		KeyUsage:              x509.KeyUsage(x509.KeyUsageCertSign | x509.KeyUsageCRLSign),
+		SerialNumber:          big.NewInt(mathrand.Int63()),
+		NotAfter:              time.Now().Add(262980 * time.Hour),
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+	}
+	caBytes, err := x509.CreateCertificate(rand.Reader, caCertTemplate, caCertTemplate, cak.Public(), cak)
+	if err != nil {
+		panic(err)
+	}
+	caCertPEMBlock := &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: caBytes,
+	}
+	ecCACert = strings.TrimSpace(string(pem.EncodeToMemory(caCertPEMBlock)))
+
+	rak, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		panic(err)
+	}
+	marshaledKey = x509.MarshalPKCS1PrivateKey(rak)
+	keyPEMBlock = &pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: marshaledKey,
+	}
+	rsaCAKey = strings.TrimSpace(string(pem.EncodeToMemory(keyPEMBlock)))
+	if err != nil {
+		panic(err)
+	}
+	_, err = certutil.GetSubjKeyID(rak)
+	if err != nil {
+		panic(err)
+	}
+	caBytes, err = x509.CreateCertificate(rand.Reader, caCertTemplate, caCertTemplate, rak.Public(), rak)
+	if err != nil {
+		panic(err)
+	}
+	caCertPEMBlock = &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: caBytes,
+	}
+	rsaCACert = strings.TrimSpace(string(pem.EncodeToMemory(caCertPEMBlock)))
+
+	_, edk, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		panic(err)
+	}
+	marshaledKey, err = x509.MarshalPKCS8PrivateKey(edk)
+	if err != nil {
+		panic(err)
+	}
+	keyPEMBlock = &pem.Block{
+		Type:  "PRIVATE KEY",
+		Bytes: marshaledKey,
+	}
+	edCAKey = strings.TrimSpace(string(pem.EncodeToMemory(keyPEMBlock)))
+	if err != nil {
+		panic(err)
+	}
+	_, err = certutil.GetSubjKeyID(edk)
+	if err != nil {
+		panic(err)
+	}
+	caBytes, err = x509.CreateCertificate(rand.Reader, caCertTemplate, caCertTemplate, edk.Public(), edk)
+	if err != nil {
+		panic(err)
+	}
+	caCertPEMBlock = &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: caBytes,
+	}
+	edCACert = strings.TrimSpace(string(pem.EncodeToMemory(caCertPEMBlock)))
+}
+
+func TestBackend_RevokePlusTidy_Intermediate(t *testing.T) {
+	// Use a ridiculously long time to minimize the chance
+	// that we have to deal with more than one interval.
+	// InMemSink rounds down to an interval boundary rather than
+	// starting one at the time of initialization.
+	//
+	// This test is not parallelizable.
+	inmemSink := metrics.NewInmemSink(
+		1000000*time.Hour,
+		2000000*time.Hour)
+
+	metricsConf := metrics.DefaultConfig("")
+	metricsConf.EnableHostname = false
+	metricsConf.EnableHostnameLabel = false
+	metricsConf.EnableServiceLabel = false
+	metricsConf.EnableTypePrefix = false
+
+	_, err := metrics.NewGlobal(metricsConf, inmemSink)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Enable PKI secret engine
+	coreConfig := &vault.CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"pki": Factory,
+		},
+	}
+	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
+		HandlerFunc: vaulthttp.Handler,
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
+	cores := cluster.Cores
+	vault.TestWaitActive(t, cores[0].Core)
+	client := cores[0].Client
+
+	// Mount /pki as a root CA
+	err = client.Sys().Mount("pki", &api.MountInput{
+		Type: "pki",
+		Config: api.MountConfigInput{
+			DefaultLeaseTTL: "16h",
+			MaxLeaseTTL:     "32h",
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Set up Metric Configuration, then restart to enable it
+	_, err = client.Logical().Write("pki/config/auto-tidy", map[string]interface{}{
+		"maintain_stored_certificate_counts":       true,
+		"publish_stored_certificate_count_metrics": true,
+	})
+	_, err = client.Logical().Write("/sys/plugins/reload/backend", map[string]interface{}{
+		"mounts": "pki/",
+	})
+
+	// Check the metrics initialized in order to calculate backendUUID for /pki
+	// BackendUUID not consistent during tests with UUID from /sys/mounts/pki
+	metricsSuffix := "total_certificates_stored"
+	backendUUID := ""
+	mostRecentInterval := inmemSink.Data()[len(inmemSink.Data())-1]
+	for _, existingGauge := range mostRecentInterval.Gauges {
+		if strings.HasSuffix(existingGauge.Name, metricsSuffix) {
+			expandedGaugeName := existingGauge.Name
+			backendUUID = strings.Split(expandedGaugeName, ".")[2]
+			break
+		}
+	}
+	if backendUUID == "" {
+		t.Fatalf("No Gauge Found ending with %s", metricsSuffix)
+	}
+
+	// Set the cluster's certificate as the root CA in /pki
+	pemBundleRootCA := string(cluster.CACertPEM) + string(cluster.CAKeyPEM)
+	_, err = client.Logical().Write("pki/config/ca", map[string]interface{}{
+		"pem_bundle": pemBundleRootCA,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Mount /pki2 to operate as an intermediate CA
+	err = client.Sys().Mount("pki2", &api.MountInput{
+		Type: "pki",
+		Config: api.MountConfigInput{
+			DefaultLeaseTTL: "16h",
+			MaxLeaseTTL:     "32h",
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	// Set up Metric Configuration, then restart to enable it
+	_, err = client.Logical().Write("pki2/config/auto-tidy", map[string]interface{}{
+		"maintain_stored_certificate_counts":       true,
+		"publish_stored_certificate_count_metrics": true,
+	})
+	_, err = client.Logical().Write("/sys/plugins/reload/backend", map[string]interface{}{
+		"mounts": "pki2/",
+	})
+
+	// Create a CSR for the intermediate CA
+	secret, err := client.Logical().Write("pki2/intermediate/generate/internal", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	intermediateCSR := secret.Data["csr"].(string)
+
+	// Sign the intermediate CSR using /pki
+	secret, err = client.Logical().Write("pki/root/sign-intermediate", map[string]interface{}{
+		"permitted_dns_domains": ".myvault.com",
+		"csr":                   intermediateCSR,
+		"ttl":                   "10s",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	intermediateCertSerial := secret.Data["serial_number"].(string)
+	intermediateCASerialColon := strings.ReplaceAll(strings.ToLower(intermediateCertSerial), ":", "-")
+
+	// Get the intermediate cert after signing
+	secret, err = client.Logical().Read("pki/cert/" + intermediateCASerialColon)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if secret == nil || len(secret.Data) == 0 || len(secret.Data["certificate"].(string)) == 0 {
+		t.Fatal("expected certificate information from read operation")
+	}
+
+	// Issue a revoke on on /pki
+	_, err = client.Logical().Write("pki/revoke", map[string]interface{}{
+		"serial_number": intermediateCertSerial,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Check the cert-count metrics
+	expectedCertCountGaugeMetrics := map[string]float32{
+		"secrets.pki." + backendUUID + ".total_revoked_certificates_stored": 1,
+		"secrets.pki." + backendUUID + ".total_certificates_stored":         1,
+	}
+	mostRecentInterval = inmemSink.Data()[len(inmemSink.Data())-1]
+	for gauge, value := range expectedCertCountGaugeMetrics {
+		if _, ok := mostRecentInterval.Gauges[gauge]; !ok {
+			t.Fatalf("Expected metrics to include a value for gauge %s", gauge)
+		}
+		if value != mostRecentInterval.Gauges[gauge].Value {
+			t.Fatalf("Expected value metric %s to be %f but got %f", gauge, value, mostRecentInterval.Gauges[gauge].Value)
+		}
+	}
+
+	// Revoke adds a fixed 2s buffer, so we sleep for a bit longer to ensure
+	// the revocation time is past the current time.
+	time.Sleep(3 * time.Second)
+
+	// Issue a tidy on /pki
+	_, err = client.Logical().Write("pki/tidy", map[string]interface{}{
+		"tidy_cert_store":    true,
+		"tidy_revoked_certs": true,
+		"safety_buffer":      "1s",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Sleep a bit to make sure we're past the safety buffer
+	time.Sleep(2 * time.Second)
+
+	// Get CRL and ensure the tidied cert is still in the list after the tidy
+	// operation since it's not past the NotAfter (ttl) value yet.
+	crl := getParsedCrl(t, client, "pki")
+
+	revokedCerts := crl.TBSCertList.RevokedCertificates
+	if len(revokedCerts) == 0 {
+		t.Fatal("expected CRL to be non-empty")
+	}
+
+	sn := certutil.GetHexFormatted(revokedCerts[0].SerialNumber.Bytes(), ":")
+	if sn != intermediateCertSerial {
+		t.Fatalf("expected: %v, got: %v", intermediateCertSerial, sn)
+	}
+
+	// Wait for cert to expire
+	time.Sleep(10 * time.Second)
+
+	// Issue a tidy on /pki
+	_, err = client.Logical().Write("pki/tidy", map[string]interface{}{
+		"tidy_cert_store":    true,
+		"tidy_revoked_certs": true,
+		"safety_buffer":      "1s",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Sleep a bit to make sure we're past the safety buffer
+	time.Sleep(2 * time.Second)
+
+	// Issue a tidy-status on /pki
+	{
+		tidyStatus, err := client.Logical().Read("pki/tidy-status")
+		if err != nil {
+			t.Fatal(err)
+		}
+		expectedData := map[string]interface{}{
+			"safety_buffer":                         json.Number("1"),
+			"issuer_safety_buffer":                  json.Number("31536000"),
+			"revocation_queue_safety_buffer":        json.Number("172800"),
+			"tidy_cert_store":                       true,
+			"tidy_revoked_certs":                    true,
+			"tidy_revoked_cert_issuer_associations": false,
+			"tidy_expired_issuers":                  false,
+			"tidy_move_legacy_ca_bundle":            false,
+			"tidy_revocation_queue":                 false,
+			"tidy_cross_cluster_revoked_certs":      false,
+			"pause_duration":                        "0s",
+			"state":                                 "Finished",
+			"error":                                 nil,
+			"time_started":                          nil,
+			"time_finished":                         nil,
+			"last_auto_tidy_finished":               nil,
+			"message":                               nil,
+			"cert_store_deleted_count":              json.Number("1"),
+			"revoked_cert_deleted_count":            json.Number("1"),
+			"missing_issuer_cert_count":             json.Number("0"),
+			"current_cert_store_count":              json.Number("0"),
+			"current_revoked_cert_count":            json.Number("0"),
+			"revocation_queue_deleted_count":        json.Number("0"),
+			"cross_revoked_cert_deleted_count":      json.Number("0"),
+			"internal_backend_uuid":                 backendUUID,
+			"tidy_acme":                             false,
+			"acme_account_safety_buffer":            json.Number("2592000"),
+			"acme_orders_deleted_count":             json.Number("0"),
+			"acme_account_revoked_count":            json.Number("0"),
+			"acme_account_deleted_count":            json.Number("0"),
+			"total_acme_account_count":              json.Number("0"),
+		}
+		// Let's copy the times from the response so that we can use deep.Equal()
+		timeStarted, ok := tidyStatus.Data["time_started"]
+		if !ok || timeStarted == "" {
+			t.Fatal("Expected tidy status response to include a value for time_started")
+		}
+		expectedData["time_started"] = timeStarted
+		timeFinished, ok := tidyStatus.Data["time_finished"]
+		if !ok || timeFinished == "" {
+			t.Fatal("Expected tidy status response to include a value for time_finished")
+		}
+		expectedData["time_finished"] = timeFinished
+		expectedData["last_auto_tidy_finished"] = tidyStatus.Data["last_auto_tidy_finished"]
+
+		if diff := deep.Equal(expectedData, tidyStatus.Data); diff != nil {
+			t.Fatal(diff)
+		}
+	}
+	// Check the tidy metrics
+	{
+		// Map of gauges to expected value
+		expectedGauges := map[string]float32{
+			"secrets.pki.tidy.cert_store_current_entry":                         0,
+			"secrets.pki.tidy.cert_store_total_entries":                         1,
+			"secrets.pki.tidy.revoked_cert_current_entry":                       0,
+			"secrets.pki.tidy.revoked_cert_total_entries":                       1,
+			"secrets.pki.tidy.start_time_epoch":                                 0,
+			"secrets.pki." + backendUUID + ".total_certificates_stored":         0,
+			"secrets.pki." + backendUUID + ".total_revoked_certificates_stored": 0,
+			"secrets.pki.tidy.cert_store_total_entries_remaining":               0,
+			"secrets.pki.tidy.revoked_cert_total_entries_remaining":             0,
+		}
+		// Map of counters to the sum of the metrics for that counter
+		expectedCounters := map[string]float64{
+			"secrets.pki.tidy.cert_store_deleted_count":   1,
+			"secrets.pki.tidy.revoked_cert_deleted_count": 1,
+			"secrets.pki.tidy.success":                    2,
+			// Note that "secrets.pki.tidy.failure" won't be in the captured metrics
+		}
+
+		// If the metrics span more than one interval, skip the checks
+		intervals := inmemSink.Data()
+		if len(intervals) == 1 {
+			interval := inmemSink.Data()[0]
+
+			for gauge, value := range expectedGauges {
+				if _, ok := interval.Gauges[gauge]; !ok {
+					t.Fatalf("Expected metrics to include a value for gauge %s", gauge)
+				}
+				if value != interval.Gauges[gauge].Value {
+					t.Fatalf("Expected value metric %s to be %f but got %f", gauge, value, interval.Gauges[gauge].Value)
+				}
+
+			}
+			for counter, value := range expectedCounters {
+				if _, ok := interval.Counters[counter]; !ok {
+					t.Fatalf("Expected metrics to include a value for couter %s", counter)
+				}
+				if value != interval.Counters[counter].Sum {
+					t.Fatalf("Expected the sum of metric %s to be %f but got %f", counter, value, interval.Counters[counter].Sum)
+				}
+			}
+
+			tidyDuration, ok := interval.Samples["secrets.pki.tidy.duration"]
+			if !ok {
+				t.Fatal("Expected metrics to include a value for sample secrets.pki.tidy.duration")
+			}
+			if tidyDuration.Count <= 0 {
+				t.Fatalf("Expected metrics to have count > 0 for sample secrets.pki.tidy.duration, but got %d", tidyDuration.Count)
+			}
+		}
+	}
+
+	crl = getParsedCrl(t, client, "pki")
+
+	revokedCerts = crl.TBSCertList.RevokedCertificates
+	if len(revokedCerts) != 0 {
+		t.Fatal("expected CRL to be empty")
+	}
+}
+
+func TestBackend_Root_FullCAChain(t *testing.T) {
+	t.Parallel()
+	testCases := []struct {
+		testName string
+		keyType  string
+	}{
+		{testName: "RSA", keyType: "rsa"},
+		{testName: "ED25519", keyType: "ed25519"},
+		{testName: "EC", keyType: "ec"},
+	}
+	for _, tc := range testCases {
+		tc := tc
+		t.Run(tc.testName, func(t *testing.T) {
+			runFullCAChainTest(t, tc.keyType)
+		})
+	}
+}
+
+func runFullCAChainTest(t *testing.T, keyType string) {
+	// Generate a root CA at /pki-root
+	b_root, s_root := CreateBackendWithStorage(t)
+
+	var err error
+
+	resp, err := CBWrite(b_root, s_root, "root/generate/exported", map[string]interface{}{
+		"common_name": "root myvault.com",
+		"key_type":    keyType,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil {
+		t.Fatal("expected ca info")
+	}
+	rootData := resp.Data
+	rootCert := rootData["certificate"].(string)
+
+	// Validate that root's /cert/ca-chain now contains the certificate.
+	resp, err = CBRead(b_root, s_root, "cert/ca_chain")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil {
+		t.Fatal("expected intermediate chain information")
+	}
+
+	fullChain := resp.Data["ca_chain"].(string)
+	requireCertInCaChainString(t, fullChain, rootCert, "expected root cert within root cert/ca_chain")
+
+	// Make sure when we issue a leaf certificate we get the full chain back.
+	_, err = CBWrite(b_root, s_root, "roles/example", map[string]interface{}{
+		"allowed_domains":  "example.com",
+		"allow_subdomains": "true",
+		"max_ttl":          "1h",
+	})
+	require.NoError(t, err, "error setting up pki root role: %v", err)
+
+	resp, err = CBWrite(b_root, s_root, "issue/example", map[string]interface{}{
+		"common_name": "test.example.com",
+		"ttl":         "5m",
+	})
+	require.NoError(t, err, "error issuing certificate from pki root: %v", err)
+	fullChainArray := resp.Data["ca_chain"].([]string)
+	requireCertInCaChainArray(t, fullChainArray, rootCert, "expected root cert within root issuance pki-root/issue/example")
+
+	// Now generate an intermediate at /pki-intermediate, signed by the root.
+	b_int, s_int := CreateBackendWithStorage(t)
+
+	resp, err = CBWrite(b_int, s_int, "intermediate/generate/exported", map[string]interface{}{
+		"common_name": "intermediate myvault.com",
+		"key_type":    keyType,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil {
+		t.Fatal("expected intermediate CSR info")
+	}
+	intermediateData := resp.Data
+	intermediateKey := intermediateData["private_key"].(string)
+
+	resp, err = CBWrite(b_root, s_root, "root/sign-intermediate", map[string]interface{}{
+		"csr":    intermediateData["csr"],
+		"format": "pem",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil {
+		t.Fatal("expected signed intermediate info")
+	}
+	intermediateSignedData := resp.Data
+	intermediateCert := intermediateSignedData["certificate"].(string)
+
+	rootCaCert := parseCert(t, rootCert)
+	intermediaryCaCert := parseCert(t, intermediateCert)
+	requireSignedBy(t, intermediaryCaCert, rootCaCert)
+	intermediateCaChain := intermediateSignedData["ca_chain"].([]string)
+
+	require.Equal(t, parseCert(t, intermediateCaChain[0]), intermediaryCaCert, "intermediate signed cert should have been part of ca_chain")
+	require.Equal(t, parseCert(t, intermediateCaChain[1]), rootCaCert, "root cert should have been part of ca_chain")
+
+	_, err = CBWrite(b_int, s_int, "intermediate/set-signed", map[string]interface{}{
+		"certificate": intermediateCert + "\n" + rootCert + "\n",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Validate that intermediate's ca_chain field now includes the full
+	// chain.
+	resp, err = CBRead(b_int, s_int, "cert/ca_chain")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil {
+		t.Fatal("expected intermediate chain information")
+	}
+
+	// Verify we have a proper CRL now
+	crl := getParsedCrlFromBackend(t, b_int, s_int, "crl")
+	require.Equal(t, 0, len(crl.TBSCertList.RevokedCertificates))
+
+	fullChain = resp.Data["ca_chain"].(string)
+	requireCertInCaChainString(t, fullChain, intermediateCert, "expected full chain to contain intermediate certificate from pki-intermediate/cert/ca_chain")
+	requireCertInCaChainString(t, fullChain, rootCert, "expected full chain to contain root certificate from pki-intermediate/cert/ca_chain")
+
+	// Make sure when we issue a leaf certificate we get the full chain back.
+	_, err = CBWrite(b_int, s_int, "roles/example", map[string]interface{}{
+		"allowed_domains":  "example.com",
+		"allow_subdomains": "true",
+		"max_ttl":          "1h",
+	})
+	require.NoError(t, err, "error setting up pki intermediate role: %v", err)
+
+	resp, err = CBWrite(b_int, s_int, "issue/example", map[string]interface{}{
+		"common_name": "test.example.com",
+		"ttl":         "5m",
+	})
+	require.NoError(t, err, "error issuing certificate from pki intermediate: %v", err)
+	fullChainArray = resp.Data["ca_chain"].([]string)
+	requireCertInCaChainArray(t, fullChainArray, intermediateCert, "expected full chain to contain intermediate certificate from pki-intermediate/issue/example")
+	requireCertInCaChainArray(t, fullChainArray, rootCert, "expected full chain to contain root certificate from pki-intermediate/issue/example")
+
+	// Finally, import this signing cert chain into a new mount to ensure
+	// "external" CAs behave as expected.
+	b_ext, s_ext := CreateBackendWithStorage(t)
+
+	_, err = CBWrite(b_ext, s_ext, "config/ca", map[string]interface{}{
+		"pem_bundle": intermediateKey + "\n" + intermediateCert + "\n" + rootCert + "\n",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Validate the external chain information was loaded correctly.
+	resp, err = CBRead(b_ext, s_ext, "cert/ca_chain")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil {
+		t.Fatal("expected intermediate chain information")
+	}
+
+	fullChain = resp.Data["ca_chain"].(string)
+	if strings.Count(fullChain, intermediateCert) != 1 {
+		t.Fatalf("expected full chain to contain intermediate certificate; got %v occurrences", strings.Count(fullChain, intermediateCert))
+	}
+	if strings.Count(fullChain, rootCert) != 1 {
+		t.Fatalf("expected full chain to contain root certificate; got %v occurrences", strings.Count(fullChain, rootCert))
+	}
+
+	// Now issue a short-lived certificate from our pki-external.
+	_, err = CBWrite(b_ext, s_ext, "roles/example", map[string]interface{}{
+		"allowed_domains":  "example.com",
+		"allow_subdomains": "true",
+		"max_ttl":          "1h",
+	})
+	require.NoError(t, err, "error setting up pki role: %v", err)
+
+	resp, err = CBWrite(b_ext, s_ext, "issue/example", map[string]interface{}{
+		"common_name": "test.example.com",
+		"ttl":         "5m",
+	})
+	require.NoError(t, err, "error issuing certificate: %v", err)
+	require.NotNil(t, resp, "got nil response from issuing request")
+	issueCrtAsPem := resp.Data["certificate"].(string)
+	issuedCrt := parseCert(t, issueCrtAsPem)
+
+	// Verify that the certificates are signed by the intermediary CA key...
+	requireSignedBy(t, issuedCrt, intermediaryCaCert)
+
+	// Test that we can request that the root ca certificate not appear in the ca_chain field
+	resp, err = CBWrite(b_ext, s_ext, "issue/example", map[string]interface{}{
+		"common_name":             "test.example.com",
+		"ttl":                     "5m",
+		"remove_roots_from_chain": "true",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "error issuing certificate when removing self signed")
+	fullChain = strings.Join(resp.Data["ca_chain"].([]string), "\n")
+	if strings.Count(fullChain, intermediateCert) != 1 {
+		t.Fatalf("expected full chain to contain intermediate certificate; got %v occurrences", strings.Count(fullChain, intermediateCert))
+	}
+	if strings.Count(fullChain, rootCert) != 0 {
+		t.Fatalf("expected full chain to NOT contain root certificate; got %v occurrences", strings.Count(fullChain, rootCert))
+	}
+}
+
+func requireCertInCaChainArray(t *testing.T, chain []string, cert string, msgAndArgs ...interface{}) {
+	var fullChain string
+	for _, caCert := range chain {
+		fullChain = fullChain + "\n" + caCert
+	}
+
+	requireCertInCaChainString(t, fullChain, cert, msgAndArgs)
+}
+
+func requireCertInCaChainString(t *testing.T, chain string, cert string, msgAndArgs ...interface{}) {
+	count := strings.Count(chain, cert)
+	if count != 1 {
+		failMsg := fmt.Sprintf("Found %d occurrances of the cert in the provided chain", count)
+		require.FailNow(t, failMsg, msgAndArgs...)
+	}
+}
+
+type MultiBool int
+
+const (
+	MFalse MultiBool = iota
+	MTrue  MultiBool = iota
+	MAny   MultiBool = iota
+)
+
+func (o MultiBool) ToValues() []bool {
+	if o == MTrue {
+		return []bool{true}
+	}
+
+	if o == MFalse {
+		return []bool{false}
+	}
+
+	if o == MAny {
+		return []bool{true, false}
+	}
+
+	return []bool{}
+}
+
+type IssuanceRegression struct {
+	AllowedDomains            []string
+	AllowBareDomains          MultiBool
+	AllowGlobDomains          MultiBool
+	AllowSubdomains           MultiBool
+	AllowLocalhost            MultiBool
+	AllowWildcardCertificates MultiBool
+	CNValidations             []string
+	CommonName                string
+	Issued                    bool
+}
+
+func RoleIssuanceRegressionHelper(t *testing.T, b *backend, s logical.Storage, index int, test IssuanceRegression) int {
+	tested := 0
+	for _, AllowBareDomains := range test.AllowBareDomains.ToValues() {
+		for _, AllowGlobDomains := range test.AllowGlobDomains.ToValues() {
+			for _, AllowSubdomains := range test.AllowSubdomains.ToValues() {
+				for _, AllowLocalhost := range test.AllowLocalhost.ToValues() {
+					for _, AllowWildcardCertificates := range test.AllowWildcardCertificates.ToValues() {
+						role := fmt.Sprintf("issuance-regression-%d-bare-%v-glob-%v-subdomains-%v-localhost-%v-wildcard-%v", index, AllowBareDomains, AllowGlobDomains, AllowSubdomains, AllowLocalhost, AllowWildcardCertificates)
+						_, err := CBWrite(b, s, "roles/"+role, map[string]interface{}{
+							"allowed_domains":             test.AllowedDomains,
+							"allow_bare_domains":          AllowBareDomains,
+							"allow_glob_domains":          AllowGlobDomains,
+							"allow_subdomains":            AllowSubdomains,
+							"allow_localhost":             AllowLocalhost,
+							"allow_wildcard_certificates": AllowWildcardCertificates,
+							"cn_validations":              test.CNValidations,
+							// TODO: test across this vector as well. Currently certain wildcard
+							// matching is broken with it enabled (such as x*x.foo).
+							"enforce_hostnames": false,
+							"key_type":          "ec",
+							"key_bits":          256,
+							"no_store":          true,
+							// With the CN Validations field, ensure we prevent CN from appearing
+							// in SANs.
+						})
+						if err != nil {
+							t.Fatal(err)
+						}
+
+						resp, err := CBWrite(b, s, "issue/"+role, map[string]interface{}{
+							"common_name":          test.CommonName,
+							"exclude_cn_from_sans": true,
+						})
+
+						haveErr := err != nil || resp == nil
+						expectErr := !test.Issued
+
+						if haveErr != expectErr {
+							t.Fatalf("issuance regression test [%d] failed: haveErr: %v, expectErr: %v, err: %v, resp: %v, test case: %v, role: %v", index, haveErr, expectErr, err, resp, test, role)
+						}
+
+						tested += 1
+					}
+				}
+			}
+		}
+	}
+
+	return tested
+}
+
+func TestBackend_Roles_IssuanceRegression(t *testing.T) {
+	t.Parallel()
+	// Regression testing of role's issuance policy.
+	testCases := []IssuanceRegression{
+		// allowed, bare, glob, subdomains, localhost, wildcards, cn, issued
+
+		// === Globs not allowed but used === //
+		// Allowed contains globs, but globbing not allowed, resulting in all
+		// issuances failing. Note that tests against issuing a wildcard with
+		// a bare domain will be covered later.
+		/*  0 */ {[]string{"*.*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "baz.fud.bar.foo", false},
+		/*  1 */ {[]string{"*.*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "*.fud.bar.foo", false},
+		/*  2 */ {[]string{"*.*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "fud.bar.foo", false},
+		/*  3 */ {[]string{"*.*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "*.bar.foo", false},
+		/*  4 */ {[]string{"*.*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "bar.foo", false},
+		/*  5 */ {[]string{"*.*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "*.foo", false},
+		/*  6 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "foo", false},
+		/*  7 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "baz.fud.bar.foo", false},
+		/*  8 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "*.fud.bar.foo", false},
+		/*  9 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "fud.bar.foo", false},
+		/* 10 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "*.bar.foo", false},
+		/* 11 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "bar.foo", false},
+		/* 12 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "foo", false},
+
+		// === Localhost sanity === //
+		// Localhost forbidden, not matching allowed domains -> not issued
+		/* 13 */ {[]string{"*.*.foo"}, MAny, MAny, MAny, MFalse, MAny, nil, "localhost", false},
+		// Localhost allowed, not matching allowed domains -> issued
+		/* 14 */ {[]string{"*.*.foo"}, MAny, MAny, MAny, MTrue, MAny, nil, "localhost", true},
+		// Localhost allowed via allowed domains (and bare allowed), not by AllowLocalhost -> issued
+		/* 15 */ {[]string{"localhost"}, MTrue, MAny, MAny, MFalse, MAny, nil, "localhost", true},
+		// Localhost allowed via allowed domains (and bare not allowed), not by AllowLocalhost -> not issued
+		/* 16 */ {[]string{"localhost"}, MFalse, MAny, MAny, MFalse, MAny, nil, "localhost", false},
+		// Localhost allowed via allowed domains (but bare not allowed), and by AllowLocalhost -> issued
+		/* 17 */ {[]string{"localhost"}, MFalse, MAny, MAny, MTrue, MAny, nil, "localhost", true},
+
+		// === Bare wildcard issuance == //
+		// allowed_domains contains one or more wildcards and bare domains allowed,
+		// resulting in the cert being issued.
+		/* 18 */ {[]string{"*.foo"}, MTrue, MAny, MAny, MAny, MTrue, nil, "*.foo", true},
+		/* 19 */ {[]string{"*.*.foo"}, MTrue, MAny, MAny, MAny, MAny, nil, "*.*.foo", false}, // Does not conform to RFC 6125
+
+		// === Double Leading Glob Testing === //
+		// Allowed contains globs, but glob allowed so certain matches work.
+		// The value of bare and localhost does not impact these results.
+		/* 20 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "baz.fud.bar.foo", true}, // glob domains allow infinite subdomains
+		/* 21 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MTrue, nil, "*.fud.bar.foo", true}, // glob domain allows wildcard of subdomains
+		/* 22 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "fud.bar.foo", true},
+		/* 23 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MTrue, nil, "*.bar.foo", true}, // Regression fix: Vault#13530
+		/* 24 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "bar.foo", false},
+		/* 25 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "*.foo", false},
+		/* 26 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "foo", false},
+
+		// Allowed contains globs, but glob and subdomain both work, so we expect
+		// wildcard issuance to work as well. The value of bare and localhost does
+		// not impact these results.
+		/* 27 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "baz.fud.bar.foo", true},
+		/* 28 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MTrue, nil, "*.fud.bar.foo", true},
+		/* 29 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "fud.bar.foo", true},
+		/* 30 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MTrue, nil, "*.bar.foo", true}, // Regression fix: Vault#13530
+		/* 31 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "bar.foo", false},
+		/* 32 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "*.foo", false},
+		/* 33 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "foo", false},
+
+		// === Single Leading Glob Testing === //
+		// Allowed contains globs, but glob allowed so certain matches work.
+		// The value of bare and localhost does not impact these results.
+		/* 34 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "baz.fud.bar.foo", true}, // glob domains allow infinite subdomains
+		/* 35 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MTrue, nil, "*.fud.bar.foo", true}, // glob domain allows wildcard of subdomains
+		/* 36 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "fud.bar.foo", true}, // glob domains allow infinite subdomains
+		/* 37 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MTrue, nil, "*.bar.foo", true}, // glob domain allows wildcards of subdomains
+		/* 38 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "bar.foo", true},
+		/* 39 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "foo", false},
+
+		// Allowed contains globs, but glob and subdomain both work, so we expect
+		// wildcard issuance to work as well. The value of bare and localhost does
+		// not impact these results.
+		/* 40 */ {[]string{"*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "baz.fud.bar.foo", true},
+		/* 41 */ {[]string{"*.foo"}, MAny, MTrue, MTrue, MAny, MTrue, nil, "*.fud.bar.foo", true},
+		/* 42 */ {[]string{"*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "fud.bar.foo", true},
+		/* 43 */ {[]string{"*.foo"}, MAny, MTrue, MTrue, MAny, MTrue, nil, "*.bar.foo", true},
+		/* 44 */ {[]string{"*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "bar.foo", true},
+		/* 45 */ {[]string{"*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "foo", false},
+
+		// === Only base domain name === //
+		// Allowed contains only domain components, but subdomains not allowed. This
+		// results in most issuances failing unless we allow bare domains, in which
+		// case only the final issuance for "foo" will succeed.
+		/* 46 */ {[]string{"foo"}, MAny, MAny, MFalse, MAny, MAny, nil, "baz.fud.bar.foo", false},
+		/* 47 */ {[]string{"foo"}, MAny, MAny, MFalse, MAny, MAny, nil, "*.fud.bar.foo", false},
+		/* 48 */ {[]string{"foo"}, MAny, MAny, MFalse, MAny, MAny, nil, "fud.bar.foo", false},
+		/* 49 */ {[]string{"foo"}, MAny, MAny, MFalse, MAny, MAny, nil, "*.bar.foo", false},
+		/* 50 */ {[]string{"foo"}, MAny, MAny, MFalse, MAny, MAny, nil, "bar.foo", false},
+		/* 51 */ {[]string{"foo"}, MAny, MAny, MFalse, MAny, MAny, nil, "*.foo", false},
+		/* 52 */ {[]string{"foo"}, MFalse, MAny, MFalse, MAny, MAny, nil, "foo", false},
+		/* 53 */ {[]string{"foo"}, MTrue, MAny, MFalse, MAny, MAny, nil, "foo", true},
+
+		// Allowed contains only domain components, and subdomains are now allowed.
+		// This results in most issuances succeeding, with the exception of the
+		// base foo, which is still governed by base's value.
+		/* 54 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MAny, nil, "baz.fud.bar.foo", true},
+		/* 55 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MTrue, nil, "*.fud.bar.foo", true},
+		/* 56 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MAny, nil, "fud.bar.foo", true},
+		/* 57 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MTrue, nil, "*.bar.foo", true},
+		/* 58 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MAny, nil, "bar.foo", true},
+		/* 59 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MTrue, nil, "*.foo", true},
+		/* 60 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MTrue, nil, "x*x.foo", true}, // internal wildcards should be allowed per RFC 6125/6.4.3
+		/* 61 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MTrue, nil, "*x.foo", true}, // prefix wildcards should be allowed per RFC 6125/6.4.3
+		/* 62 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MTrue, nil, "x*.foo", true}, // suffix wildcards should be allowed per RFC 6125/6.4.3
+		/* 63 */ {[]string{"foo"}, MFalse, MAny, MTrue, MAny, MAny, nil, "foo", false},
+		/* 64 */ {[]string{"foo"}, MTrue, MAny, MTrue, MAny, MAny, nil, "foo", true},
+
+		// === Internal Glob Matching === //
+		// Basic glob matching requirements
+		/* 65 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "xerox.foo", true},
+		/* 66 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "xylophone.files.pyrex.foo", true}, // globs can match across subdomains
+		/* 67 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "xercex.bar.foo", false}, // x.foo isn't matched
+		/* 68 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "bar.foo", false}, // x*x isn't matched.
+		/* 69 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "*.foo", false}, // unrelated wildcard
+		/* 70 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "*.x*x.foo", false}, // Does not conform to RFC 6125
+		/* 71 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "*.xyx.foo", false}, // Globs and Subdomains do not layer per docs.
+
+		// Various requirements around x*x.foo wildcard matching.
+		/* 72 */ {[]string{"x*x.foo"}, MFalse, MFalse, MAny, MAny, MAny, nil, "x*x.foo", false}, // base disabled, shouldn't match wildcard
+		/* 73 */ {[]string{"x*x.foo"}, MFalse, MTrue, MAny, MAny, MTrue, nil, "x*x.foo", true}, // base disallowed, but globbing allowed and should match
+		/* 74 */ {[]string{"x*x.foo"}, MTrue, MAny, MAny, MAny, MTrue, nil, "x*x.foo", true}, // base allowed, should match wildcard
+
+		// Basic glob matching requirements with internal dots.
+		/* 75 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "xerox.foo", false}, // missing dots
+		/* 76 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "x.ero.x.foo", true},
+		/* 77 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "xylophone.files.pyrex.foo", false}, // missing dots
+		/* 78 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "x.ylophone.files.pyre.x.foo", true}, // globs can match across subdomains
+		/* 79 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "xercex.bar.foo", false}, // x.foo isn't matched
+		/* 80 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "bar.foo", false}, // x.*.x isn't matched.
+		/* 81 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "*.foo", false}, // unrelated wildcard
+		/* 82 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "*.x.*.x.foo", false}, // Does not conform to RFC 6125
+		/* 83 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "*.x.y.x.foo", false}, // Globs and Subdomains do not layer per docs.
+
+		// === Wildcard restriction testing === //
+		/* 84 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MFalse, nil, "*.fud.bar.foo", false}, // glob domain allows wildcard of subdomains
+		/* 85 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MFalse, nil, "*.bar.foo", false}, // glob domain allows wildcards of subdomains
+		/* 86 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MFalse, nil, "*.fud.bar.foo", false},
+		/* 87 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MFalse, nil, "*.bar.foo", false},
+		/* 88 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MFalse, nil, "*.foo", false},
+		/* 89 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MFalse, nil, "x*x.foo", false},
+		/* 90 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MFalse, nil, "*x.foo", false},
+		/* 91 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MFalse, nil, "x*.foo", false},
+		/* 92 */ {[]string{"x*x.foo"}, MTrue, MAny, MAny, MAny, MFalse, nil, "x*x.foo", false},
+		/* 93 */ {[]string{"*.foo"}, MFalse, MFalse, MAny, MAny, MAny, nil, "*.foo", false}, // Bare and globs forbidden despite (potentially) allowing wildcards.
+		/* 94 */ {[]string{"x.*.x.foo"}, MAny, MAny, MAny, MAny, MAny, nil, "x.*.x.foo", false}, // Does not conform to RFC 6125
+
+		// === CN validation allowances === //
+		/*  95 */ {[]string{"foo"}, MAny, MAny, MAny, MAny, MAny, []string{"disabled"}, "*.fud.bar.foo", true},
+		/*  96 */ {[]string{"foo"}, MAny, MAny, MAny, MAny, MAny, []string{"disabled"}, "*.fud.*.foo", true},
+		/*  97 */ {[]string{"foo"}, MAny, MAny, MAny, MAny, MAny, []string{"disabled"}, "*.bar.*.bar", true},
+		/*  98 */ {[]string{"foo"}, MAny, MAny, MAny, MAny, MAny, []string{"disabled"}, "foo@foo", true},
+		/*  99 */ {[]string{"foo"}, MAny, MAny, MAny, MAny, MAny, []string{"disabled"}, "foo@foo@foo", true},
+		/* 100 */ {[]string{"foo"}, MAny, MAny, MAny, MAny, MAny, []string{"disabled"}, "bar@bar@bar", true},
+		/* 101 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"email"}, "bar@bar@bar", false},
+		/* 102 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"email"}, "bar@bar", false},
+		/* 103 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"email"}, "bar@foo", true},
+		/* 104 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"hostname"}, "bar@foo", false},
+		/* 105 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"hostname"}, "bar@bar", false},
+		/* 106 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"hostname"}, "bar.foo", true},
+		/* 107 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"hostname"}, "bar.bar", false},
+		/* 108 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"email"}, "bar.foo", false},
+		/* 109 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"email"}, "bar.bar", false},
+	}
+
+	if len(testCases) != 110 {
+		t.Fatalf("misnumbered test case entries will make it hard to find bugs: %v", len(testCases))
+	}
+
+	b, s := CreateBackendWithStorage(t)
+
+	// We need a RSA key so all signature sizes are valid with it.
+	resp, err := CBWrite(b, s, "root/generate/exported", map[string]interface{}{
+		"common_name": "myvault.com",
+		"ttl":         "128h",
+		"key_type":    "rsa",
+		"key_bits":    2048,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil {
+		t.Fatal("expected ca info")
+	}
+
+	tested := 0
+	for index, test := range testCases {
+		tested += RoleIssuanceRegressionHelper(t, b, s, index, test)
+	}
+
+	t.Logf("Issuance regression expanded matrix test scenarios: %d", tested)
+}
+
+type KeySizeRegression struct {
+	// Values reused for both Role and CA configuration.
+	RoleKeyType string
+	RoleKeyBits []int
+
+	// Signature Bits presently is only specified on the role.
+	RoleSignatureBits []int
+	RoleUsePSS        bool
+
+	// These are tuples; must be of the same length.
+	TestKeyTypes []string
+	TestKeyBits  []int
+
+	// All of the above key types/sizes must pass or fail together.
+	ExpectError bool
+}
+
+func (k KeySizeRegression) KeyTypeValues() []string {
+	if k.RoleKeyType == "any" {
+		return []string{"rsa", "ec", "ed25519"}
+	}
+
+	return []string{k.RoleKeyType}
+}
+
+func RoleKeySizeRegressionHelper(t *testing.T, b *backend, s logical.Storage, index int, test KeySizeRegression) int {
+	tested := 0
+
+	for _, caKeyType := range test.KeyTypeValues() {
+		for _, caKeyBits := range test.RoleKeyBits {
+			// Generate a new CA key.
+			resp, err := CBWrite(b, s, "root/generate/exported", map[string]interface{}{
+				"common_name": "myvault.com",
+				"ttl":         "128h",
+				"key_type":    caKeyType,
+				"key_bits":    caKeyBits,
+			})
+			if err != nil {
+				t.Fatal(err)
+			}
+			if resp == nil {
+				t.Fatal("expected ca info")
+			}
+
+			for _, roleKeyBits := range test.RoleKeyBits {
+				for _, roleSignatureBits := range test.RoleSignatureBits {
+					role := fmt.Sprintf("key-size-regression-%d-keytype-%v-keybits-%d-signature-bits-%d", index, test.RoleKeyType, roleKeyBits, roleSignatureBits)
+					_, err := CBWrite(b, s, "roles/"+role, map[string]interface{}{
+						"key_type":       test.RoleKeyType,
+						"key_bits":       roleKeyBits,
+						"signature_bits": roleSignatureBits,
+						"use_pss":        test.RoleUsePSS,
+					})
+					if err != nil {
+						t.Fatal(err)
+					}
+
+					for index, keyType := range test.TestKeyTypes {
+						keyBits := test.TestKeyBits[index]
+
+						_, _, csrPem := generateCSR(t, &x509.CertificateRequest{
+							Subject: pkix.Name{
+								CommonName: "localhost",
+							},
+						}, keyType, keyBits)
+
+						resp, err = CBWrite(b, s, "sign/"+role, map[string]interface{}{
+							"common_name": "localhost",
+							"csr":         csrPem,
+						})
+
+						haveErr := err != nil || resp == nil
+
+						if haveErr != test.ExpectError {
+							t.Fatalf("key size regression test [%d] failed: haveErr: %v, expectErr: %v, err: %v, resp: %v, test case: %v, caKeyType: %v, caKeyBits: %v, role: %v, keyType: %v, keyBits: %v", index, haveErr, test.ExpectError, err, resp, test, caKeyType, caKeyBits, role, keyType, keyBits)
+						}
+
+						if resp != nil && test.RoleUsePSS && caKeyType == "rsa" {
+							leafCert := parseCert(t, resp.Data["certificate"].(string))
+							switch leafCert.SignatureAlgorithm {
+							case x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS:
+							default:
+								t.Fatalf("key size regression test [%d] failed on role %v: unexpected signature algorithm; expected RSA-type CA to sign a leaf cert with PSS algorithm; got %v", index, role, leafCert.SignatureAlgorithm.String())
+							}
+						}
+
+						tested += 1
+					}
+				}
+			}
+
+			_, err = CBDelete(b, s, "root")
+			if err != nil {
+				t.Fatal(err)
+			}
+		}
+	}
+
+	return tested
+}
+
+func TestBackend_Roles_KeySizeRegression(t *testing.T) {
+	t.Parallel()
+	// Regression testing of role's issuance policy.
+	testCases := []KeySizeRegression{
+		// RSA with default parameters should fail to issue smaller RSA keys
+		// and any size ECDSA/Ed25519 keys.
+		/*  0 */ {"rsa", []int{0, 2048}, []int{0, 256, 384, 512}, false, []string{"rsa", "ec", "ec", "ec", "ec", "ed25519"}, []int{1024, 224, 256, 384, 521, 0}, true},
+		// But it should work to issue larger RSA keys.
+		/*  1 */ {"rsa", []int{0, 2048}, []int{0, 256, 384, 512}, false, []string{"rsa", "rsa"}, []int{2048, 3072}, false},
+
+		// EC with default parameters should fail to issue smaller EC keys
+		// and any size RSA/Ed25519 keys.
+		/*  2 */ {"ec", []int{0}, []int{0}, false, []string{"rsa", "ec", "ed25519"}, []int{2048, 224, 0}, true},
+		// But it should work to issue larger EC keys. Note that we should be
+		// independent of signature bits as that's computed from the issuer
+		// type (for EC based issuers).
+		/*  3 */ {"ec", []int{224}, []int{0, 256, 384, 521}, false, []string{"ec", "ec", "ec", "ec"}, []int{224, 256, 384, 521}, false},
+		/*  4 */ {"ec", []int{0, 256}, []int{0, 256, 384, 521}, false, []string{"ec", "ec", "ec"}, []int{256, 384, 521}, false},
+		/*  5 */ {"ec", []int{384}, []int{0, 256, 384, 521}, false, []string{"ec", "ec"}, []int{384, 521}, false},
+		/*  6 */ {"ec", []int{521}, []int{0, 256, 384, 512}, false, []string{"ec"}, []int{521}, false},
+
+		// Ed25519 should reject RSA and EC keys.
+		/*  7 */ {"ed25519", []int{0}, []int{0}, false, []string{"rsa", "ec", "ec"}, []int{2048, 256, 521}, true},
+		// But it should work to issue Ed25519 keys.
+		/*  8 */ {"ed25519", []int{0}, []int{0}, false, []string{"ed25519"}, []int{0}, false},
+
+		// Any key type should reject insecure RSA key sizes.
+		/*  9 */ {"any", []int{0}, []int{0, 256, 384, 512}, false, []string{"rsa", "rsa"}, []int{512, 1024}, true},
+		// But work for everything else.
+		/* 10 */ {"any", []int{0}, []int{0, 256, 384, 512}, false, []string{"rsa", "rsa", "ec", "ec", "ec", "ec", "ed25519"}, []int{2048, 3072, 224, 256, 384, 521, 0}, false},
+
+		// RSA with larger than default key size should reject smaller ones.
+		/* 11 */ {"rsa", []int{3072}, []int{0, 256, 384, 512}, false, []string{"rsa"}, []int{2048}, true},
+
+		// We should be able to sign with PSS with any CA key type.
+		/* 12 */ {"rsa", []int{0}, []int{0, 256, 384, 512}, true, []string{"rsa"}, []int{2048}, false},
+		/* 13 */ {"ec", []int{0}, []int{0}, true, []string{"ec"}, []int{256}, false},
+		/* 14 */ {"ed25519", []int{0}, []int{0}, true, []string{"ed25519"}, []int{0}, false},
+	}
+
+	if len(testCases) != 15 {
+		t.Fatalf("misnumbered test case entries will make it hard to find bugs: %v", len(testCases))
+	}
+
+	b, s := CreateBackendWithStorage(t)
+
+	tested := 0
+	for index, test := range testCases {
+		tested += RoleKeySizeRegressionHelper(t, b, s, index, test)
+	}
+
+	t.Logf("Key size regression expanded matrix test scenarios: %d", tested)
+}
+
+func TestRootWithExistingKey(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+	var err error
+
+	// Fail requests if type is existing, and we specify the key_type param
+	_, err = CBWrite(b, s, "root/generate/existing", map[string]interface{}{
+		"common_name": "root myvault.com",
+		"key_type":    "rsa",
+	})
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "key_type nor key_bits arguments can be set in this mode")
+
+	// Fail requests if type is existing, and we specify the key_bits param
+	_, err = CBWrite(b, s, "root/generate/existing", map[string]interface{}{
+		"common_name": "root myvault.com",
+		"key_bits":    "2048",
+	})
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "key_type nor key_bits arguments can be set in this mode")
+
+	// Fail if the specified key does not exist.
+	_, err = CBWrite(b, s, "issuers/generate/root/existing", map[string]interface{}{
+		"common_name": "root myvault.com",
+		"issuer_name": "my-issuer1",
+		"key_ref":     "my-key1",
+	})
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "unable to find PKI key for reference: my-key1")
+
+	// Fail if the specified key name is default.
+	_, err = CBWrite(b, s, "issuers/generate/root/internal", map[string]interface{}{
+		"common_name": "root myvault.com",
+		"issuer_name": "my-issuer1",
+		"key_name":    "Default",
+	})
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "reserved keyword 'default' can not be used as key name")
+
+	// Fail if the specified issuer name is default.
+	_, err = CBWrite(b, s, "issuers/generate/root/internal", map[string]interface{}{
+		"common_name": "root myvault.com",
+		"issuer_name": "DEFAULT",
+	})
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "reserved keyword 'default' can not be used as issuer name")
+
+	// Create the first CA
+	resp, err := CBWrite(b, s, "issuers/generate/root/internal", map[string]interface{}{
+		"common_name": "root myvault.com",
+		"key_type":    "rsa",
+		"issuer_name": "my-issuer1",
+	})
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("issuers/generate/root/internal"), logical.UpdateOperation), resp, true)
+	require.NoError(t, err)
+	require.NotNil(t, resp.Data["certificate"])
+	myIssuerId1 := resp.Data["issuer_id"]
+	myKeyId1 := resp.Data["key_id"]
+	require.NotEmpty(t, myIssuerId1)
+	require.NotEmpty(t, myKeyId1)
+
+	// Fetch the parsed CRL; it should be empty as we've not revoked anything
+	parsedCrl := getParsedCrlFromBackend(t, b, s, "issuer/my-issuer1/crl/der")
+	require.Equal(t, len(parsedCrl.TBSCertList.RevokedCertificates), 0, "should have no revoked certificates")
+
+	// Fail if the specified issuer name is re-used.
+	_, err = CBWrite(b, s, "issuers/generate/root/internal", map[string]interface{}{
+		"common_name": "root myvault.com",
+		"issuer_name": "my-issuer1",
+	})
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "issuer name already in use")
+
+	// Create the second CA
+	resp, err = CBWrite(b, s, "issuers/generate/root/internal", map[string]interface{}{
+		"common_name": "root myvault.com",
+		"key_type":    "rsa",
+		"issuer_name": "my-issuer2",
+		"key_name":    "root-key2",
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp.Data["certificate"])
+	myIssuerId2 := resp.Data["issuer_id"]
+	myKeyId2 := resp.Data["key_id"]
+	require.NotEmpty(t, myIssuerId2)
+	require.NotEmpty(t, myKeyId2)
+
+	// Fetch the parsed CRL; it should be empty as we've not revoked anything
+	parsedCrl = getParsedCrlFromBackend(t, b, s, "issuer/my-issuer2/crl/der")
+	require.Equal(t, len(parsedCrl.TBSCertList.RevokedCertificates), 0, "should have no revoked certificates")
+
+	// Fail if the specified key name is re-used.
+	_, err = CBWrite(b, s, "issuers/generate/root/internal", map[string]interface{}{
+		"common_name": "root myvault.com",
+		"issuer_name": "my-issuer3",
+		"key_name":    "root-key2",
+	})
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "key name already in use")
+
+	// Create a third CA re-using key from CA 1
+	resp, err = CBWrite(b, s, "issuers/generate/root/existing", map[string]interface{}{
+		"common_name": "root myvault.com",
+		"issuer_name": "my-issuer3",
+		"key_ref":     myKeyId1,
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp.Data["certificate"])
+	myIssuerId3 := resp.Data["issuer_id"]
+	myKeyId3 := resp.Data["key_id"]
+	require.NotEmpty(t, myIssuerId3)
+	require.NotEmpty(t, myKeyId3)
+
+	// Fetch the parsed CRL; it should be empty as we've not revoking anything.
+	parsedCrl = getParsedCrlFromBackend(t, b, s, "issuer/my-issuer3/crl/der")
+	require.Equal(t, len(parsedCrl.TBSCertList.RevokedCertificates), 0, "should have no revoked certificates")
+	// Signatures should be the same since this is just a reissued cert. We
+	// use signature as a proxy for "these two CRLs are equal".
+	firstCrl := getParsedCrlFromBackend(t, b, s, "issuer/my-issuer1/crl/der")
+	require.Equal(t, parsedCrl.SignatureValue, firstCrl.SignatureValue)
+
+	require.NotEqual(t, myIssuerId1, myIssuerId2)
+	require.NotEqual(t, myIssuerId1, myIssuerId3)
+	require.NotEqual(t, myKeyId1, myKeyId2)
+	require.Equal(t, myKeyId1, myKeyId3)
+
+	resp, err = CBList(b, s, "issuers")
+	require.NoError(t, err)
+	require.Equal(t, 3, len(resp.Data["keys"].([]string)))
+	require.Contains(t, resp.Data["keys"], string(myIssuerId1.(issuerID)))
+	require.Contains(t, resp.Data["keys"], string(myIssuerId2.(issuerID)))
+	require.Contains(t, resp.Data["keys"], string(myIssuerId3.(issuerID)))
+}
+
+func TestIntermediateWithExistingKey(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	var err error
+
+	// Fail requests if type is existing, and we specify the key_type param
+	_, err = CBWrite(b, s, "intermediate/generate/existing", map[string]interface{}{
+		"common_name": "root myvault.com",
+		"key_type":    "rsa",
+	})
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "key_type nor key_bits arguments can be set in this mode")
+
+	// Fail requests if type is existing, and we specify the key_bits param
+	_, err = CBWrite(b, s, "intermediate/generate/existing", map[string]interface{}{
+		"common_name": "root myvault.com",
+		"key_bits":    "2048",
+	})
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "key_type nor key_bits arguments can be set in this mode")
+
+	// Fail if the specified key does not exist.
+	_, err = CBWrite(b, s, "issuers/generate/intermediate/existing", map[string]interface{}{
+		"common_name": "root myvault.com",
+		"key_ref":     "my-key1",
+	})
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "unable to find PKI key for reference: my-key1")
+
+	// Create the first intermediate CA
+	resp, err := CBWrite(b, s, "issuers/generate/intermediate/internal", map[string]interface{}{
+		"common_name": "root myvault.com",
+		"key_type":    "rsa",
+	})
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("issuers/generate/intermediate/internal"), logical.UpdateOperation), resp, true)
+	require.NoError(t, err)
+	// csr1 := resp.Data["csr"]
+	myKeyId1 := resp.Data["key_id"]
+	require.NotEmpty(t, myKeyId1)
+
+	// Create the second intermediate CA
+	resp, err = CBWrite(b, s, "issuers/generate/intermediate/internal", map[string]interface{}{
+		"common_name": "root myvault.com",
+		"key_type":    "rsa",
+		"key_name":    "interkey1",
+	})
+	require.NoError(t, err)
+	// csr2 := resp.Data["csr"]
+	myKeyId2 := resp.Data["key_id"]
+	require.NotEmpty(t, myKeyId2)
+
+	// Create a third intermediate CA re-using key from intermediate CA 1
+	resp, err = CBWrite(b, s, "issuers/generate/intermediate/existing", map[string]interface{}{
+		"common_name": "root myvault.com",
+		"key_ref":     myKeyId1,
+	})
+	require.NoError(t, err)
+	// csr3 := resp.Data["csr"]
+	myKeyId3 := resp.Data["key_id"]
+	require.NotEmpty(t, myKeyId3)
+
+	require.NotEqual(t, myKeyId1, myKeyId2)
+	require.Equal(t, myKeyId1, myKeyId3, "our new ca did not seem to reuse the key as we expected.")
+}
+
+func TestIssuanceTTLs(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
+		"common_name": "root example.com",
+		"issuer_name": "root",
+		"ttl":         "10s",
+		"key_type":    "ec",
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	rootCert := parseCert(t, resp.Data["certificate"].(string))
+
+	_, err = CBWrite(b, s, "roles/local-testing", map[string]interface{}{
+		"allow_any_name":    true,
+		"enforce_hostnames": false,
+		"key_type":          "ec",
+	})
+	require.NoError(t, err)
+
+	_, err = CBWrite(b, s, "issue/local-testing", map[string]interface{}{
+		"common_name": "testing",
+		"ttl":         "1s",
+	})
+	require.NoError(t, err, "expected issuance to succeed due to shorter ttl than cert ttl")
+
+	_, err = CBWrite(b, s, "issue/local-testing", map[string]interface{}{
+		"common_name": "testing",
+	})
+	require.Error(t, err, "expected issuance to fail due to longer default ttl than cert ttl")
+
+	resp, err = CBPatch(b, s, "issuer/root", map[string]interface{}{
+		"leaf_not_after_behavior": "permit",
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.NotNil(t, resp.Data)
+	require.Equal(t, resp.Data["leaf_not_after_behavior"], "permit")
+
+	_, err = CBWrite(b, s, "issue/local-testing", map[string]interface{}{
+		"common_name": "testing",
+	})
+	require.NoError(t, err, "expected issuance to succeed due to permitted longer TTL")
+
+	resp, err = CBWrite(b, s, "issuer/root", map[string]interface{}{
+		"issuer_name":             "root",
+		"leaf_not_after_behavior": "truncate",
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.NotNil(t, resp.Data)
+	require.Equal(t, resp.Data["leaf_not_after_behavior"], "truncate")
+
+	_, err = CBWrite(b, s, "issue/local-testing", map[string]interface{}{
+		"common_name": "testing",
+	})
+	require.NoError(t, err, "expected issuance to succeed due to truncated ttl")
+
+	// Sleep until the parent cert expires and the clock rolls over
+	// to the next second.
+	time.Sleep(time.Until(rootCert.NotAfter) + (1500 * time.Millisecond))
+
+	resp, err = CBWrite(b, s, "issuer/root", map[string]interface{}{
+		"issuer_name":             "root",
+		"leaf_not_after_behavior": "err",
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+
+	// Even 1s ttl should now fail.
+	_, err = CBWrite(b, s, "issue/local-testing", map[string]interface{}{
+		"common_name": "testing",
+		"ttl":         "1s",
+	})
+	require.Error(t, err, "expected issuance to fail due to longer default ttl than cert ttl")
+}
+
+func TestSealWrappedStorageConfigured(t *testing.T) {
+	t.Parallel()
+	b, _ := CreateBackendWithStorage(t)
+	wrappedEntries := b.Backend.PathsSpecial.SealWrapStorage
+
+	// Make sure our legacy bundle is within the list
+	// NOTE: do not convert these test values to constants, we should always have these paths within seal wrap config
+	require.Contains(t, wrappedEntries, "config/ca_bundle", "Legacy bundle missing from seal wrap")
+	// The trailing / is important as it treats the entire folder requiring seal wrapping, not just config/key
+	require.Contains(t, wrappedEntries, "config/key/", "key prefix with trailing / missing from seal wrap.")
+}
+
+func TestBackend_ConfigCA_WithECParams(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	// Generated key with OpenSSL:
+	// $ openssl ecparam -out p256.key -name prime256v1 -genkey
+	//
+	// Regression test for https://github.com/hashicorp/vault/issues/16667
+	resp, err := CBWrite(b, s, "config/ca", map[string]interface{}{
+		"pem_bundle": `
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEINzXthCZdhyV7+wIEBl/ty+ctNsUS99ykTeax6EbYZtvoAoGCCqGSM49
+AwEHoUQDQgAE57NX8bR/nDoW8yRgLswoXBQcjHrdyfuHS0gPwki6BNnfunUzryVb
+8f22/JWj6fsEF6AOADZlrswKIbR2Es9e/w==
+-----END EC PRIVATE KEY-----
+		`,
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp, "expected ca info")
+	importedKeys := resp.Data["imported_keys"].([]string)
+	importedIssuers := resp.Data["imported_issuers"].([]string)
+
+	require.Equal(t, len(importedKeys), 1)
+	require.Equal(t, len(importedIssuers), 0)
+}
+
+func TestPerIssuerAIA(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	// Generating a root without anything should not have AIAs.
+	resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
+		"common_name": "root example.com",
+		"issuer_name": "root",
+		"key_type":    "ec",
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	rootCert := parseCert(t, resp.Data["certificate"].(string))
+	require.Empty(t, rootCert.OCSPServer)
+	require.Empty(t, rootCert.IssuingCertificateURL)
+	require.Empty(t, rootCert.CRLDistributionPoints)
+
+	// Set some local URLs on the issuer.
+	resp, err = CBWrite(b, s, "issuer/default", map[string]interface{}{
+		"issuing_certificates": []string{"https://google.com"},
+	})
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("issuer/default"), logical.UpdateOperation), resp, true)
+
+	require.NoError(t, err)
+
+	_, err = CBWrite(b, s, "roles/testing", map[string]interface{}{
+		"allow_any_name": true,
+		"ttl":            "85s",
+		"key_type":       "ec",
+	})
+	require.NoError(t, err)
+
+	// Issue something with this re-configured issuer.
+	resp, err = CBWrite(b, s, "issuer/default/issue/testing", map[string]interface{}{
+		"common_name": "localhost.com",
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	leafCert := parseCert(t, resp.Data["certificate"].(string))
+	require.Empty(t, leafCert.OCSPServer)
+	require.Equal(t, leafCert.IssuingCertificateURL, []string{"https://google.com"})
+	require.Empty(t, leafCert.CRLDistributionPoints)
+
+	// Set global URLs and ensure they don't appear on this issuer's leaf.
+	_, err = CBWrite(b, s, "config/urls", map[string]interface{}{
+		"issuing_certificates":    []string{"https://example.com/ca", "https://backup.example.com/ca"},
+		"crl_distribution_points": []string{"https://example.com/crl", "https://backup.example.com/crl"},
+		"ocsp_servers":            []string{"https://example.com/ocsp", "https://backup.example.com/ocsp"},
+	})
+	require.NoError(t, err)
+	resp, err = CBWrite(b, s, "issuer/default/issue/testing", map[string]interface{}{
+		"common_name": "localhost.com",
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	leafCert = parseCert(t, resp.Data["certificate"].(string))
+	require.Empty(t, leafCert.OCSPServer)
+	require.Equal(t, leafCert.IssuingCertificateURL, []string{"https://google.com"})
+	require.Empty(t, leafCert.CRLDistributionPoints)
+
+	// Now come back and remove the local modifications and ensure we get
+	// the defaults again.
+	_, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
+		"issuing_certificates": []string{},
+	})
+	require.NoError(t, err)
+	resp, err = CBWrite(b, s, "issuer/default/issue/testing", map[string]interface{}{
+		"common_name": "localhost.com",
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	leafCert = parseCert(t, resp.Data["certificate"].(string))
+	require.Equal(t, leafCert.IssuingCertificateURL, []string{"https://example.com/ca", "https://backup.example.com/ca"})
+	require.Equal(t, leafCert.OCSPServer, []string{"https://example.com/ocsp", "https://backup.example.com/ocsp"})
+	require.Equal(t, leafCert.CRLDistributionPoints, []string{"https://example.com/crl", "https://backup.example.com/crl"})
+
+	// Validate that we can set an issuer name and remove it.
+	_, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
+		"issuer_name": "my-issuer",
+	})
+	require.NoError(t, err)
+	_, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
+		"issuer_name": "",
+	})
+	require.NoError(t, err)
+}
+
+func TestIssuersWithoutCRLBits(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	// Importing a root without CRL signing bits should work fine.
+	customBundleWithoutCRLBits := `
+-----BEGIN CERTIFICATE-----
+MIIDGTCCAgGgAwIBAgIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhyb290
+LW5ldzAeFw0yMjA4MjQxMjEzNTVaFw0yMzA5MDMxMjEzNTVaMBMxETAPBgNVBAMM
+CHJvb3QtbmV3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAojTA/Mx7
+LVW/Zgn/N4BqZbaF82MrTIBFug3ob7mqycNRlWp4/PH8v37+jYn8e691HUsKjden
+rDTrO06kiQKiJinAzmlLJvgcazE3aXoh7wSzVG9lFHYvljEmVj+yDbkeaqaCktup
+skuNjxCoN9BLmKzZIwVCHn92ZHlhN6LI7CNaU3SDJdu7VftWF9Ugzt9FIvI+6Gcn
+/WNE9FWvZ9o7035rZ+1vvTn7/tgxrj2k3XvD51Kq4tsSbqjnSf3QieXT6E6uvtUE
+TbPp3xjBElgBCKmeogR1l28rs1aujqqwzZ0B/zOeF8ptaH0aZOIBsVDJR8yTwHzq
+s34hNdNfKLHzOwIDAQABo3gwdjAdBgNVHQ4EFgQUF4djNmx+1+uJINhZ82pN+7jz
+H8EwHwYDVR0jBBgwFoAUF4djNmx+1+uJINhZ82pN+7jzH8EwDwYDVR0TAQH/BAUw
+AwEB/zAOBgNVHQ8BAf8EBAMCAoQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZI
+hvcNAQELBQADggEBAICQovBz4KLWlLmXeZ2Vf6WfQYyGNgGyJa10XNXtWQ5dM2NU
+OLAit4x1c2dz+aFocc8ZsX/ikYi/bruT2rsGWqMAGC4at3U4GuaYGO5a6XzMKIDC
+nxIlbiO+Pn6Xum7fAqUri7+ZNf/Cygmc5sByi3MAAIkszeObUDZFTJL7gEOuXIMT
+rKIXCINq/U+qc7m9AQ8vKhF1Ddj+dLGLzNQ5j3cKfilPs/wRaYqbMQvnmarX+5Cs
+k1UL6kWSQsiP3+UWaBlcWkmD6oZ3fIG7c0aMxf7RISq1eTAM9XjH3vMxWQJlS5q3
+2weJ2LYoPe/DwX5CijR0IezapBCrin1BscJMLFQ=
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCiNMD8zHstVb9m
+Cf83gGpltoXzYytMgEW6DehvuarJw1GVanj88fy/fv6Nifx7r3UdSwqN16esNOs7
+TqSJAqImKcDOaUsm+BxrMTdpeiHvBLNUb2UUdi+WMSZWP7INuR5qpoKS26myS42P
+EKg30EuYrNkjBUIef3ZkeWE3osjsI1pTdIMl27tV+1YX1SDO30Ui8j7oZyf9Y0T0
+Va9n2jvTfmtn7W+9Ofv+2DGuPaTde8PnUqri2xJuqOdJ/dCJ5dPoTq6+1QRNs+nf
+GMESWAEIqZ6iBHWXbyuzVq6OqrDNnQH/M54Xym1ofRpk4gGxUMlHzJPAfOqzfiE1
+018osfM7AgMBAAECggEAAVd6kZZaN69IZITIc1vHRYa2rlZpKS2JP7c8Vd3Z/4Fz
+ZZvnJ7LgVAmUYg5WPZ2sOqBNLfKVN/oke5Q0dALgdxYl7dWQIhPjHeRFbZFtjqEV
+OXZGBniamMO/HSKGWGrqFf7BM/H7AhClUwQgjnzVSz+B+LJJidM+SVys3n1xuDmC
+EP+iOda+bAHqHv/7oCELQKhLmCvPc9v2fDy+180ttdo8EHuxwVnKiyR/ryKFhSyx
+K1wgAPQ9jO+V+GESL90rqpX/r501REsIOOpm4orueelHTD4+dnHxvUPqJ++9aYGX
+79qBNPPUhxrQI1yoHxwW0cTxW5EqkZ9bT2lSd5rjcQKBgQDNyPBpidkHPrYemQDT
+RldtS6FiW/jc1It/CRbjU4A6Gi7s3Cda43pEUObKNLeXMyLQaMf4GbDPDX+eh7B8
+RkUq0Q/N0H4bn1hbxYSUdgv0j/6czpMo6rLcJHGwOTSpHGsNsxSLL7xlpgzuzqrG
+FzEgjMA1aD3w8B9+/77AoSLoMQKBgQDJyYMw82+euLYRbR5Wc/SbrWfh2n1Mr2BG
+pp1ZNYorXE5CL4ScdLcgH1q/b8r5XGwmhMcpeA+geAAaKmk1CGG+gPLoq20c9Q1Y
+Ykq9tUVJasIkelvbb/SPxyjkJdBwylzcPP14IJBsqQM0be+yVqLJJVHSaoKhXZcl
+IW2xgCpjKwKBgFpeX5U5P+F6nKebMU2WmlYY3GpBUWxIummzKCX0SV86mFjT5UR4
+mPzfOjqaI/V2M1eqbAZ74bVLjDumAs7QXReMb5BGetrOgxLqDmrT3DQt9/YMkXtq
+ddlO984XkRSisjB18BOfhvBsl0lX4I7VKHHO3amWeX0RNgOjc7VMDfRBAoGAWAQH
+r1BfvZHACLXZ58fISCdJCqCsysgsbGS8eW77B5LJp+DmLQBT6DUE9j+i/0Wq/ton
+rRTrbAkrsj4RicpQKDJCwe4UN+9DlOu6wijRQgbJC/Q7IOoieJxcX7eGxcve2UnZ
+HY7GsD7AYRwa02UquCYJHIjM1enmxZFhMW1AD+UCgYEAm4jdNz5e4QjA4AkNF+cB
+ZenrAZ0q3NbTyiSsJEAtRe/c5fNFpmXo3mqgCannarREQYYDF0+jpSoTUY8XAc4q
+wL7EZNzwxITLqBnnHQbdLdAvYxB43kvWTy+JRK8qY9LAMCCFeDoYwXkWV4Wkx/b0
+TgM7RZnmEjNdeaa4M52o7VY=
+-----END PRIVATE KEY-----
+	`
+	resp, err := CBWrite(b, s, "issuers/import/bundle", map[string]interface{}{
+		"pem_bundle": customBundleWithoutCRLBits,
+	})
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("issuers/import/bundle"), logical.UpdateOperation), resp, true)
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.NotEmpty(t, resp.Data)
+	require.NotEmpty(t, resp.Data["imported_issuers"])
+	require.NotEmpty(t, resp.Data["imported_keys"])
+	require.NotEmpty(t, resp.Data["mapping"])
+
+	// Shouldn't have crl-signing on the newly imported issuer's usage.
+	resp, err = CBRead(b, s, "issuer/default")
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.NotEmpty(t, resp.Data)
+	require.NotEmpty(t, resp.Data["usage"])
+	require.NotContains(t, resp.Data["usage"], "crl-signing")
+
+	// Modifying to set CRL should fail.
+	resp, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
+		"usage": "issuing-certificates,crl-signing",
+	})
+	require.Error(t, err)
+	require.True(t, resp.IsError())
+
+	// Modifying to set issuing-certificates and ocsp-signing should succeed.
+	resp, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
+		"usage": "issuing-certificates,ocsp-signing",
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.NotEmpty(t, resp.Data)
+	require.NotEmpty(t, resp.Data["usage"])
+	require.NotContains(t, resp.Data["usage"], "crl-signing")
+}
+
+func TestBackend_IfModifiedSinceHeaders(t *testing.T) {
+	t.Parallel()
+	coreConfig := &vault.CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"pki": Factory,
+		},
+	}
+	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
+		HandlerFunc:             vaulthttp.Handler,
+		RequestResponseCallback: schema.ResponseValidatingCallback(t),
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
+	client := cluster.Cores[0].Client
+
+	// Mount PKI.
+	err := client.Sys().Mount("pki", &api.MountInput{
+		Type: "pki",
+		Config: api.MountConfigInput{
+			DefaultLeaseTTL: "16h",
+			MaxLeaseTTL:     "60h",
+			// Required to allow the header to be passed through.
+			PassthroughRequestHeaders: []string{"if-modified-since"},
+			AllowedResponseHeaders:    []string{"Last-Modified"},
+		},
+	})
+	require.NoError(t, err)
+
+	// Get a time before CA generation. Subtract two seconds to ensure
+	// the value in the seconds field is different than the time the CA
+	// is actually generated at.
+	beforeOldCAGeneration := time.Now().Add(-2 * time.Second)
+
+	// Generate an internal CA. This one is the default.
+	resp, err := client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
+		"ttl":         "40h",
+		"common_name": "Root X1",
+		"key_type":    "ec",
+		"issuer_name": "old-root",
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.NotNil(t, resp.Data)
+	require.NotEmpty(t, resp.Data["certificate"])
+
+	// CA is generated, but give a grace window.
+	afterOldCAGeneration := time.Now().Add(2 * time.Second)
+
+	// When you _save_ headers, client returns a copy. But when you go to
+	// reset them, it doesn't create a new copy (and instead directly
+	// assigns). This means we have to continually refresh our view of the
+	// last headers, otherwise the headers added after the last set operation
+	// leak into this copy... Yuck!
+	lastHeaders := client.Headers()
+	for _, path := range []string{"pki/cert/ca", "pki/cert/crl", "pki/issuer/default/json", "pki/issuer/old-root/json", "pki/issuer/old-root/crl", "pki/cert/delta-crl", "pki/issuer/old-root/crl/delta"} {
+		t.Logf("path: %v", path)
+		field := "certificate"
+		if strings.HasPrefix(path, "pki/issuer") && strings.Contains(path, "/crl") {
+			field = "crl"
+		}
+
+		// Reading the CA should work, without a header.
+		resp, err := client.Logical().Read(path)
+		require.NoError(t, err)
+		require.NotNil(t, resp)
+		require.NotNil(t, resp.Data)
+		require.NotEmpty(t, resp.Data[field])
+
+		// Ensure that the CA is returned correctly if we give it the old time.
+		client.AddHeader("If-Modified-Since", beforeOldCAGeneration.Format(time.RFC1123))
+		resp, err = client.Logical().Read(path)
+		require.NoError(t, err)
+		require.NotNil(t, resp)
+		require.NotNil(t, resp.Data)
+		require.NotEmpty(t, resp.Data[field])
+		client.SetHeaders(lastHeaders)
+		lastHeaders = client.Headers()
+
+		// Ensure that the CA is elided if we give it the present time (plus a
+		// grace window).
+		client.AddHeader("If-Modified-Since", afterOldCAGeneration.Format(time.RFC1123))
+		t.Logf("headers: %v", client.Headers())
+		resp, err = client.Logical().Read(path)
+		require.NoError(t, err)
+		require.Nil(t, resp)
+		client.SetHeaders(lastHeaders)
+		lastHeaders = client.Headers()
+	}
+
+	// Wait three seconds. This ensures we have adequate grace period
+	// to distinguish the two cases, even with grace periods.
+	time.Sleep(3 * time.Second)
+
+	// Generating a second root. This one isn't the default.
+	beforeNewCAGeneration := time.Now().Add(-2 * time.Second)
+
+	// Generate an internal CA. This one is the default.
+	_, err = client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
+		"ttl":         "40h",
+		"common_name": "Root X1",
+		"key_type":    "ec",
+		"issuer_name": "new-root",
+	})
+	require.NoError(t, err)
+
+	// As above.
+	afterNewCAGeneration := time.Now().Add(2 * time.Second)
+
+	// New root isn't the default, so it has fewer paths.
+	for _, path := range []string{"pki/issuer/new-root/json", "pki/issuer/new-root/crl", "pki/issuer/new-root/crl/delta"} {
+		t.Logf("path: %v", path)
+		field := "certificate"
+		if strings.HasPrefix(path, "pki/issuer") && strings.Contains(path, "/crl") {
+			field = "crl"
+		}
+
+		// Reading the CA should work, without a header.
+		resp, err := client.Logical().Read(path)
+		require.NoError(t, err)
+		require.NotNil(t, resp)
+		require.NotNil(t, resp.Data)
+		require.NotEmpty(t, resp.Data[field])
+
+		// Ensure that the CA is returned correctly if we give it the old time.
+		client.AddHeader("If-Modified-Since", beforeNewCAGeneration.Format(time.RFC1123))
+		resp, err = client.Logical().Read(path)
+		require.NoError(t, err)
+		require.NotNil(t, resp)
+		require.NotNil(t, resp.Data)
+		require.NotEmpty(t, resp.Data[field])
+		client.SetHeaders(lastHeaders)
+		lastHeaders = client.Headers()
+
+		// Ensure that the CA is elided if we give it the present time (plus a
+		// grace window).
+		client.AddHeader("If-Modified-Since", afterNewCAGeneration.Format(time.RFC1123))
+		t.Logf("headers: %v", client.Headers())
+		resp, err = client.Logical().Read(path)
+		require.NoError(t, err)
+		require.Nil(t, resp)
+		client.SetHeaders(lastHeaders)
+		lastHeaders = client.Headers()
+	}
+
+	// Wait three seconds. This ensures we have adequate grace period
+	// to distinguish the two cases, even with grace periods.
+	time.Sleep(3 * time.Second)
+
+	// Now swap the default issuers around.
+	_, err = client.Logical().Write("pki/config/issuers", map[string]interface{}{
+		"default": "new-root",
+	})
+	require.NoError(t, err)
+
+	// Reading both with the last modified date should return new values.
+	for _, path := range []string{"pki/cert/ca", "pki/cert/crl", "pki/issuer/default/json", "pki/issuer/old-root/json", "pki/issuer/new-root/json", "pki/issuer/old-root/crl", "pki/issuer/new-root/crl", "pki/cert/delta-crl", "pki/issuer/old-root/crl/delta", "pki/issuer/new-root/crl/delta"} {
+		t.Logf("path: %v", path)
+		field := "certificate"
+		if strings.HasPrefix(path, "pki/issuer") && strings.Contains(path, "/crl") {
+			field = "crl"
+		}
+
+		// Ensure that the CA is returned correctly if we give it the old time.
+		client.AddHeader("If-Modified-Since", afterOldCAGeneration.Format(time.RFC1123))
+		resp, err = client.Logical().Read(path)
+		require.NoError(t, err)
+		require.NotNil(t, resp)
+		require.NotNil(t, resp.Data)
+		require.NotEmpty(t, resp.Data[field])
+		client.SetHeaders(lastHeaders)
+		lastHeaders = client.Headers()
+
+		// Ensure that the CA is returned correctly if we give it the old time.
+		client.AddHeader("If-Modified-Since", afterNewCAGeneration.Format(time.RFC1123))
+		resp, err = client.Logical().Read(path)
+		require.NoError(t, err)
+		require.NotNil(t, resp)
+		require.NotNil(t, resp.Data)
+		require.NotEmpty(t, resp.Data[field])
+		client.SetHeaders(lastHeaders)
+		lastHeaders = client.Headers()
+	}
+
+	// Wait for things to settle, record the present time, and wait for the
+	// clock to definitely tick over again.
+	time.Sleep(2 * time.Second)
+	preRevocationTimestamp := time.Now()
+	time.Sleep(2 * time.Second)
+
+	// The above tests should say everything is cached.
+	for _, path := range []string{"pki/cert/ca", "pki/cert/crl", "pki/issuer/default/json", "pki/issuer/old-root/json", "pki/issuer/new-root/json", "pki/issuer/old-root/crl", "pki/issuer/new-root/crl", "pki/cert/delta-crl", "pki/issuer/old-root/crl/delta", "pki/issuer/new-root/crl/delta"} {
+		t.Logf("path: %v", path)
+
+		// Ensure that the CA is returned correctly if we give it the new time.
+		client.AddHeader("If-Modified-Since", preRevocationTimestamp.Format(time.RFC1123))
+		resp, err = client.Logical().Read(path)
+		require.NoError(t, err)
+		require.Nil(t, resp)
+		client.SetHeaders(lastHeaders)
+		lastHeaders = client.Headers()
+	}
+
+	// We could generate some leaves and verify the revocation updates the
+	// CRL. But, revoking the issuer behaves the same, so let's do that
+	// instead.
+	_, err = client.Logical().Write("pki/issuer/old-root/revoke", map[string]interface{}{})
+	require.NoError(t, err)
+
+	// CA should still be valid.
+	for _, path := range []string{"pki/cert/ca", "pki/issuer/default/json", "pki/issuer/old-root/json", "pki/issuer/new-root/json"} {
+		t.Logf("path: %v", path)
+
+		// Ensure that the CA is returned correctly if we give it the old time.
+		client.AddHeader("If-Modified-Since", preRevocationTimestamp.Format(time.RFC1123))
+		resp, err = client.Logical().Read(path)
+		require.NoError(t, err)
+		require.Nil(t, resp)
+		client.SetHeaders(lastHeaders)
+		lastHeaders = client.Headers()
+	}
+
+	// CRL should be invalidated
+	for _, path := range []string{"pki/cert/crl", "pki/issuer/old-root/crl", "pki/issuer/new-root/crl", "pki/cert/delta-crl", "pki/issuer/old-root/crl/delta", "pki/issuer/new-root/crl/delta"} {
+		t.Logf("path: %v", path)
+		field := "certificate"
+		if strings.HasPrefix(path, "pki/issuer") && strings.Contains(path, "/crl") {
+			field = "crl"
+		}
+
+		client.AddHeader("If-Modified-Since", preRevocationTimestamp.Format(time.RFC1123))
+		resp, err = client.Logical().Read(path)
+		require.NoError(t, err)
+		require.NotNil(t, resp)
+		require.NotNil(t, resp.Data)
+		require.NotEmpty(t, resp.Data[field])
+		client.SetHeaders(lastHeaders)
+		lastHeaders = client.Headers()
+	}
+
+	// If we send some time in the future, everything should be cached again!
+	futureTime := time.Now().Add(30 * time.Second)
+	for _, path := range []string{"pki/cert/ca", "pki/cert/crl", "pki/issuer/default/json", "pki/issuer/old-root/json", "pki/issuer/new-root/json", "pki/issuer/old-root/crl", "pki/issuer/new-root/crl", "pki/cert/delta-crl", "pki/issuer/old-root/crl/delta", "pki/issuer/new-root/crl/delta"} {
+		t.Logf("path: %v", path)
+
+		// Ensure that the CA is returned correctly if we give it the new time.
+		client.AddHeader("If-Modified-Since", futureTime.Format(time.RFC1123))
+		resp, err = client.Logical().Read(path)
+		require.NoError(t, err)
+		require.Nil(t, resp)
+		client.SetHeaders(lastHeaders)
+		lastHeaders = client.Headers()
+	}
+
+	beforeThreeWaySwap := time.Now().Add(-2 * time.Second)
+
+	// Now, do a three-way swap of names (old->tmp; new->old; tmp->new). This
+	// should result in all names/CRLs being invalidated.
+	_, err = client.Logical().JSONMergePatch(ctx, "pki/issuer/old-root", map[string]interface{}{
+		"issuer_name": "tmp-root",
+	})
+	require.NoError(t, err)
+	_, err = client.Logical().JSONMergePatch(ctx, "pki/issuer/new-root", map[string]interface{}{
+		"issuer_name": "old-root",
+	})
+	require.NoError(t, err)
+	_, err = client.Logical().JSONMergePatch(ctx, "pki/issuer/tmp-root", map[string]interface{}{
+		"issuer_name": "new-root",
+	})
+	require.NoError(t, err)
+
+	afterThreeWaySwap := time.Now().Add(2 * time.Second)
+
+	for _, path := range []string{"pki/cert/ca", "pki/cert/crl", "pki/issuer/default/json", "pki/issuer/old-root/json", "pki/issuer/new-root/json", "pki/issuer/old-root/crl", "pki/issuer/new-root/crl", "pki/cert/delta-crl", "pki/issuer/old-root/crl/delta", "pki/issuer/new-root/crl/delta"} {
+		t.Logf("path: %v", path)
+		field := "certificate"
+		if strings.HasPrefix(path, "pki/issuer") && strings.Contains(path, "/crl") {
+			field = "crl"
+		}
+
+		// Ensure that the CA is returned if we give it the pre-update time.
+		client.AddHeader("If-Modified-Since", beforeThreeWaySwap.Format(time.RFC1123))
+		resp, err = client.Logical().Read(path)
+		require.NoError(t, err)
+		require.NotNil(t, resp)
+		require.NotNil(t, resp.Data)
+		require.NotEmpty(t, resp.Data[field])
+		client.SetHeaders(lastHeaders)
+		lastHeaders = client.Headers()
+
+		// Ensure that the CA is elided correctly if we give it the after time.
+		client.AddHeader("If-Modified-Since", afterThreeWaySwap.Format(time.RFC1123))
+		resp, err = client.Logical().Read(path)
+		require.NoError(t, err)
+		require.Nil(t, resp)
+		client.SetHeaders(lastHeaders)
+		lastHeaders = client.Headers()
+	}
+
+	// Finally, rebuild the delta CRL and ensure that only that is
+	// invalidated. We first need to enable it though, and wait for
+	// all CRLs to rebuild.
+	_, err = client.Logical().Write("pki/config/crl", map[string]interface{}{
+		"auto_rebuild": true,
+		"enable_delta": true,
+	})
+	require.NoError(t, err)
+	time.Sleep(4 * time.Second)
+	beforeDeltaRotation := time.Now().Add(-2 * time.Second)
+
+	resp, err = client.Logical().Read("pki/crl/rotate-delta")
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.NotNil(t, resp.Data)
+	require.Equal(t, resp.Data["success"], true)
+
+	afterDeltaRotation := time.Now().Add(2 * time.Second)
+
+	for _, path := range []string{"pki/cert/ca", "pki/cert/crl", "pki/issuer/default/json", "pki/issuer/old-root/json", "pki/issuer/new-root/json", "pki/issuer/old-root/crl", "pki/issuer/new-root/crl"} {
+		t.Logf("path: %v", path)
+
+		for _, when := range []time.Time{beforeDeltaRotation, afterDeltaRotation} {
+			client.AddHeader("If-Modified-Since", when.Format(time.RFC1123))
+			resp, err = client.Logical().Read(path)
+			require.NoError(t, err)
+			require.Nil(t, resp)
+			client.SetHeaders(lastHeaders)
+			lastHeaders = client.Headers()
+		}
+	}
+
+	for _, path := range []string{"pki/cert/delta-crl", "pki/issuer/old-root/crl/delta", "pki/issuer/new-root/crl/delta"} {
+		t.Logf("path: %v", path)
+		field := "certificate"
+		if strings.HasPrefix(path, "pki/issuer") && strings.Contains(path, "/crl") {
+			field = "crl"
+		}
+
+		// Ensure that the CRL is present if we give it the pre-update time.
+		client.AddHeader("If-Modified-Since", beforeDeltaRotation.Format(time.RFC1123))
+		resp, err = client.Logical().Read(path)
+		require.NoError(t, err)
+		require.NotNil(t, resp)
+		require.NotNil(t, resp.Data)
+		require.NotEmpty(t, resp.Data[field])
+		client.SetHeaders(lastHeaders)
+		lastHeaders = client.Headers()
+
+		client.AddHeader("If-Modified-Since", afterDeltaRotation.Format(time.RFC1123))
+		resp, err = client.Logical().Read(path)
+		require.NoError(t, err)
+		require.Nil(t, resp)
+		client.SetHeaders(lastHeaders)
+		lastHeaders = client.Headers()
+	}
+}
+
+func TestBackend_InitializeCertificateCounts(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+	ctx := context.Background()
+
+	// Set up an Issuer and Role
+	// We need a root certificate to write/revoke certificates with
+	resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
+		"common_name": "myvault.com",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil {
+		t.Fatal("expected ca info")
+	}
+
+	// Create a role
+	_, err = CBWrite(b, s, "roles/example", map[string]interface{}{
+		"allowed_domains":    "myvault.com",
+		"allow_bare_domains": true,
+		"allow_subdomains":   true,
+		"max_ttl":            "2h",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Put certificates A, B, C, D, E in backend
+	var certificates []string = []string{"a", "b", "c", "d", "e"}
+	serials := make([]string, 5)
+	for i, cn := range certificates {
+		resp, err = CBWrite(b, s, "issue/example", map[string]interface{}{
+			"common_name": cn + ".myvault.com",
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+		serials[i] = resp.Data["serial_number"].(string)
+	}
+
+	// Turn on certificate counting:
+	CBWrite(b, s, "config/auto-tidy", map[string]interface{}{
+		"maintain_stored_certificate_counts":       true,
+		"publish_stored_certificate_count_metrics": false,
+	})
+	// Assert initialize from clean is correct:
+	b.initializeStoredCertificateCounts(ctx)
+
+	// Revoke certificates A + B
+	revocations := serials[0:2]
+	for _, key := range revocations {
+		resp, err = CBWrite(b, s, "revoke", map[string]interface{}{
+			"serial_number": key,
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	if b.certCount.Load() != 6 {
+		t.Fatalf("Failed to count six certificates root,A,B,C,D,E, instead counted %d certs", b.certCount.Load())
+	}
+	if b.revokedCertCount.Load() != 2 {
+		t.Fatalf("Failed to count two revoked certificates A+B, instead counted %d certs", b.revokedCertCount.Load())
+	}
+
+	// Simulates listing while initialize in progress, by "restarting it"
+	b.certCount.Store(0)
+	b.revokedCertCount.Store(0)
+	b.certsCounted.Store(false)
+
+	// Revoke certificates C, D
+	dirtyRevocations := serials[2:4]
+	for _, key := range dirtyRevocations {
+		resp, err = CBWrite(b, s, "revoke", map[string]interface{}{
+			"serial_number": key,
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	// Put certificates F, G in the backend
+	dirtyCertificates := []string{"f", "g"}
+	for _, cn := range dirtyCertificates {
+		resp, err = CBWrite(b, s, "issue/example", map[string]interface{}{
+			"common_name": cn + ".myvault.com",
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	// Run initialize
+	b.initializeStoredCertificateCounts(ctx)
+
+	// Test certificate count
+	if b.certCount.Load() != 8 {
+		t.Fatalf("Failed to initialize count of certificates root, A,B,C,D,E,F,G counted %d certs", b.certCount.Load())
+	}
+
+	if b.revokedCertCount.Load() != 4 {
+		t.Fatalf("Failed to count revoked certificates A,B,C,D counted %d certs", b.revokedCertCount.Load())
+	}
+
+	return
+}
+
+// Verify that our default values are consistent when creating an issuer and when we do an
+// empty POST update to it. This will hopefully identify if we have different default values
+// for fields across the two APIs.
+func TestBackend_VerifyIssuerUpdateDefaultsMatchCreation(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
+		"common_name": "myvault.com",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "failed generating root issuer")
+
+	resp, err = CBRead(b, s, "issuer/default")
+	requireSuccessNonNilResponse(t, resp, err, "failed reading default issuer")
+	preUpdateValues := resp.Data
+
+	// This field gets reset during issuer update to the empty string
+	// (meaning Go will auto-detect the rev-sig-algo).
+	preUpdateValues["revocation_signature_algorithm"] = ""
+
+	resp, err = CBWrite(b, s, "issuer/default", map[string]interface{}{})
+	requireSuccessNonNilResponse(t, resp, err, "failed updating default issuer with no values")
+
+	resp, err = CBRead(b, s, "issuer/default")
+	requireSuccessNonNilResponse(t, resp, err, "failed reading default issuer")
+	postUpdateValues := resp.Data
+
+	require.Equal(t, preUpdateValues, postUpdateValues,
+		"A value was updated based on the empty update of an issuer, "+
+			"most likely we have a different set of field parameters across create and update of issuers.")
+}
+
+func TestBackend_VerifyPSSKeysIssuersFailImport(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	// PKCS8 parsing fails on this key due to rsaPSS OID
+	rsaOIDKey := `
+-----BEGIN PRIVATE KEY-----
+MIIEugIBADALBgkqhkiG9w0BAQoEggSmMIIEogIBAAKCAQEAtN0/NPuJHLuyEdBr
+tUikXoXOV741XZcNvLAIVBIqDA0ege2gXt9A15FGUI4X3u6kT16Fl6MRdtUZ/qNS
+Vs15nK9A1PI/AVekMgTVFTnoCzs550CKN8iRk9Om+lwHimpyXxKkFW69v8fsXwKE
+Bsz69jjT7HV9VZQ7fQhmE79brAMuwKP1fUQKdHq5OBKtQ7Cl3Gmipp0izCsVuQIE
+kBHvT3UUgyaSp2n+FONpOiyuBoYUH5tVEv9sZzBqSsrYBJYF+GvfnFy9AcTdqRe2
+VX2SjjWjDF84T30OBA798gIFIPwu9R4OjWOlPeh2bo2kGeo3AITjwFZ28m7kS7kc
+OtvHpwIDAQABAoIBAFQxmjbj0RQbG+3HBBzD0CBgUYnu9ZC3vKFVoMriGci6YrVB
+FSKU8u5mpkDhpKMWnE6GRdItCvgyg4NSLAZUaIRT4O5ARqwtTDYsobTb2/U+gNnx
+5WXKbFpQcK6jIK+ClfNEDjYb8yDPxG0GEsfHrBvqoFy25L1t37N4sWwH7HjJyZIe
+Hbqx4NVDur9qgqaUwkfSeufn4ycHqFtkzKNzCUarDkST9cxE6/1AKfhl09PPuMEa
+lAY2JLiEplQL5sh9cxG5FObJbutJo5EIhR2OdM0VcPf0MTD9LXKRoGR3SNlG7IlS
+llJzBjlh4J1ByMX32btKMHzEvlhyrMI90E1SEGECgYEAx1yDQWe4/b1MBqCxA3d0
+20dDmUHSRQFhkd/Mzkl5dPzRkG42W3ryNbMKdeuL0ZgK9AhfaLCjcj1i+44O7dHb
+qBTVwfRrer2uoQVCqqJ6z8PGxPJJxTaqh9QuJxkoQ0i43ZNPcjc2M2sWLn+lkkdE
+MaGMiyrmjIQEC6tmgCtZ1VUCgYEA6D9xoT9VuAnQjDvW2tO5N2U2H/8ZyRd1pC3z
+H1CzjwShhxsP4YOUaVdw59K95JL4SMxSmpRrhthlW3cRaiT/exBcXLEvz0Qu0OhW
+a6155ZFjK3UaLDKlwvmtuoAsuAFqX084LO0B1oxvUJESgyPncQ36fv2lZGV7A66z
+Uo+BKQsCgYB2yGBMMAjA5nDN4iCV+C7gF+3m+pjWFKSVzcqxfoWndptGeuRYTUDT
+TgIFkHqWPwkHrZVrQxOflYPMbi/m8wr1crSKA5+mWi4aMpAuKvERqYxc/B+IKbIh
+jAKTuSGMNWAwZP0JCGx65mso+VUleuDe0Wpz4PPM9TuT2GQSKcI0oQKBgHAHcouC
+npmo+lU65DgoWzaydrpWdpy+2Tt6AsW/Su4ZIMWoMy/oJaXuzQK2cG0ay/NpxArW
+v0uLhNDrDZZzBF3blYIM4nALhr205UMJqjwntnuXACoDwFvdzoShIXEdFa+l6gYZ
+yYIxudxWLmTd491wDb5GIgrcvMsY8V1I5dfjAoGAM9g2LtdqgPgK33dCDtZpBm8m
+y4ri9PqHxnpps9WJ1dO6MW/YbW+a7vbsmNczdJ6XNLEfy2NWho1dw3xe7ztFVDjF
+cWNUzs1+/6aFsi41UX7EFn3zAFhQUPxT59hXspuWuKbRAWc5fMnxbCfI/Cr8wTLJ
+E/0kiZ4swUMyI4tYSbM=
+-----END PRIVATE KEY-----
+`
+	_, err := CBWrite(b, s, "issuers/import/bundle", map[string]interface{}{
+		"pem_bundle": rsaOIDKey,
+	})
+	require.Error(t, err, "expected error importing PKCS8 rsaPSS OID key")
+
+	_, err = CBWrite(b, s, "keys/import", map[string]interface{}{
+		"key": rsaOIDKey,
+	})
+	require.Error(t, err, "expected error importing PKCS8 rsaPSS OID key")
+
+	// Importing a cert with rsaPSS OID should also fail
+	rsaOIDCert := `
+-----BEGIN CERTIFICATE-----
+MIIDfjCCAjGgAwIBAgIBATBCBgkqhkiG9w0BAQowNaAPMA0GCWCGSAFlAwQCAQUA
+oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogQCAgDeMBMxETAPBgNVBAMM
+CHJvb3Qtb2xkMB4XDTIyMDkxNjE0MDEwM1oXDTIzMDkyNjE0MDEwM1owEzERMA8G
+A1UEAwwIcm9vdC1vbGQwggEgMAsGCSqGSIb3DQEBCgOCAQ8AMIIBCgKCAQEAtN0/
+NPuJHLuyEdBrtUikXoXOV741XZcNvLAIVBIqDA0ege2gXt9A15FGUI4X3u6kT16F
+l6MRdtUZ/qNSVs15nK9A1PI/AVekMgTVFTnoCzs550CKN8iRk9Om+lwHimpyXxKk
+FW69v8fsXwKEBsz69jjT7HV9VZQ7fQhmE79brAMuwKP1fUQKdHq5OBKtQ7Cl3Gmi
+pp0izCsVuQIEkBHvT3UUgyaSp2n+FONpOiyuBoYUH5tVEv9sZzBqSsrYBJYF+Gvf
+nFy9AcTdqRe2VX2SjjWjDF84T30OBA798gIFIPwu9R4OjWOlPeh2bo2kGeo3AITj
+wFZ28m7kS7kcOtvHpwIDAQABo3UwczAdBgNVHQ4EFgQUVGkTAUJ8inxIVGBlfxf4
+cDhRSnowHwYDVR0jBBgwFoAUVGkTAUJ8inxIVGBlfxf4cDhRSnowDAYDVR0TBAUw
+AwEB/zAOBgNVHQ8BAf8EBAMCAYYwEwYDVR0lBAwwCgYIKwYBBQUHAwEwQgYJKoZI
+hvcNAQEKMDWgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgB
+ZQMEAgEFAKIEAgIA3gOCAQEAQZ3iQ3NjvS4FYJ5WG41huZI0dkvNFNan+ZYWlYHJ
+MIQhbFogb/UQB0rlsuldG0+HF1RDXoYNuThfzt5hiBWYEtMBNurezvnOn4DF0hrl
+Uk3sBVnvTalVXg+UVjqh9hBGB75JYJl6a5Oa2Zrq++4qGNwjd0FqgnoXzqS5UGuB
+TJL8nlnXPuOIK3VHoXEy7l9GtvEzKcys0xa7g1PYpaJ5D2kpbBJmuQGmU6CDcbP+
+m0hI4QDfVfHtnBp2VMCvhj0yzowtwF4BFIhv4EXZBU10mzxVj0zyKKft9++X8auH
+nebuK22ZwzbPe4NhOvAdfNDElkrrtGvTnzkDB7ezPYjelA==
+-----END CERTIFICATE-----
+`
+	_, err = CBWrite(b, s, "issuers/import/bundle", map[string]interface{}{
+		"pem_bundle": rsaOIDCert,
+	})
+	require.Error(t, err, "expected error importing PKCS8 rsaPSS OID cert")
+
+	_, err = CBWrite(b, s, "issuers/import/bundle", map[string]interface{}{
+		"pem_bundle": rsaOIDKey + "\n" + rsaOIDCert,
+	})
+	require.Error(t, err, "expected error importing PKCS8 rsaPSS OID key+cert")
+
+	_, err = CBWrite(b, s, "issuers/import/bundle", map[string]interface{}{
+		"pem_bundle": rsaOIDCert + "\n" + rsaOIDKey,
+	})
+	require.Error(t, err, "expected error importing PKCS8 rsaPSS OID cert+key")
+
+	// After all these errors, we should have zero issuers and keys.
+	resp, err := CBList(b, s, "issuers")
+	require.NoError(t, err)
+	require.Equal(t, nil, resp.Data["keys"])
+
+	resp, err = CBList(b, s, "keys")
+	require.NoError(t, err)
+	require.Equal(t, nil, resp.Data["keys"])
+
+	// If we create a new PSS root, we should be able to issue an intermediate
+	// under it.
+	resp, err = CBWrite(b, s, "root/generate/exported", map[string]interface{}{
+		"use_pss":     "true",
+		"common_name": "root x1 - pss",
+		"key_type":    "ec",
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.NotNil(t, resp.Data)
+	require.NotEmpty(t, resp.Data["certificate"])
+	require.NotEmpty(t, resp.Data["private_key"])
+
+	resp, err = CBWrite(b, s, "intermediate/generate/exported", map[string]interface{}{
+		"use_pss":     "true",
+		"common_name": "int x1 - pss",
+		"key_type":    "ec",
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.NotNil(t, resp.Data)
+	require.NotEmpty(t, resp.Data["csr"])
+	require.NotEmpty(t, resp.Data["private_key"])
+
+	resp, err = CBWrite(b, s, "issuer/default/sign-intermediate", map[string]interface{}{
+		"use_pss":     "true",
+		"common_name": "int x1 - pss",
+		"csr":         resp.Data["csr"].(string),
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.NotNil(t, resp.Data)
+	require.NotEmpty(t, resp.Data["certificate"])
+
+	resp, err = CBWrite(b, s, "issuers/import/bundle", map[string]interface{}{
+		"pem_bundle": resp.Data["certificate"].(string),
+	})
+	require.NoError(t, err)
+
+	// Finally, if we were to take an rsaPSS OID'd CSR and use it against this
+	// mount, it will fail.
+	_, err = CBWrite(b, s, "roles/testing", map[string]interface{}{
+		"allow_any_name": true,
+		"ttl":            "85s",
+		"key_type":       "any",
+	})
+	require.NoError(t, err)
+
+	// Issuing a leaf from a CSR with rsaPSS OID should fail...
+	rsaOIDCSR := `-----BEGIN CERTIFICATE REQUEST-----
+MIICkTCCAUQCAQAwGTEXMBUGA1UEAwwOcmFuY2hlci5teS5vcmcwggEgMAsGCSqG
+SIb3DQEBCgOCAQ8AMIIBCgKCAQEAtzHuGEUK55lXI08yp9DXoye9yCZbkJZO+Hej
+1TWGEkbX4hzauRJeNp2+wn8xU5y8ITjWSIXEVDHeezosLCSy0Y2QT7/V45zWPUYY
+ld0oUnPiwsb9CPFlBRFnX3dO9SS5MONIrNCJGKXmLdF3lgSl8zPT6J/hWM+JBjHO
+hBzK6L8IYwmcEujrQfnOnOztzgMEBJtWG8rnI8roz1adpczTddDKGymh2QevjhlL
+X9CLeYSSQZInOMsgaDYl98Hn00K5x0CBp8ADzzXtaPSQ9nsnihN8VvZ/wHw6YbBS
+BSHa6OD+MrYnw3Sao6/YgBRNT2glIX85uro4ARW9zGB9/748dwIDAQABoAAwQgYJ
+KoZIhvcNAQEKMDWgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglg
+hkgBZQMEAgEFAKIEAgIA3gOCAQEARGAa0HiwzWCpvAdLOVc4/srEyOYFZPLbtv+Y
+ezZIaUBNaWhOvkunqpa48avmcbGlji7r6fxJ5sT28lHt7ODWcJfn1XPAnqesXErm
+EBuOIhCv6WiwVyGeTVynuHYkHyw3rIL/zU7N8+zIFV2G2M1UAv5D/eyh/74cr9Of
++nvm9jAbkHix8UwOBCFY2LLNl6bXvbIeJEdDOEtA9UmDXs8QGBg4lngyqcE2Z7rz
++5N/x4guMk2FqblbFGiCc5fLB0Gp6lFFOqhX9Q8nLJ6HteV42xGJUUtsFpppNCRm
+82dGIH2PTbXZ0k7iAAwLaPjzOv1v58Wq90o35d4iEsOfJ8v98Q==
+-----END CERTIFICATE REQUEST-----`
+
+	_, err = CBWrite(b, s, "issuer/default/sign/testing", map[string]interface{}{
+		"common_name": "example.com",
+		"csr":         rsaOIDCSR,
+	})
+	require.Error(t, err)
+
+	_, err = CBWrite(b, s, "issuer/default/sign-verbatim", map[string]interface{}{
+		"common_name": "example.com",
+		"use_pss":     true,
+		"csr":         rsaOIDCSR,
+	})
+	require.Error(t, err)
+
+	_, err = CBWrite(b, s, "issuer/default/sign-intermediate", map[string]interface{}{
+		"common_name": "faulty x1 - pss",
+		"use_pss":     true,
+		"csr":         rsaOIDCSR,
+	})
+	require.Error(t, err)
+
+	// Vault has a weird API for signing self-signed certificates. Ensure
+	// that doesn't accept rsaPSS OID'd certificates either.
+	_, err = CBWrite(b, s, "issuer/default/sign-self-issued", map[string]interface{}{
+		"use_pss":     true,
+		"certificate": rsaOIDCert,
+	})
+	require.Error(t, err)
+
+	// Issuing a regular leaf should succeed.
+	_, err = CBWrite(b, s, "roles/testing", map[string]interface{}{
+		"allow_any_name": true,
+		"ttl":            "85s",
+		"key_type":       "rsa",
+		"use_pss":        "true",
+	})
+	require.NoError(t, err)
+
+	resp, err = CBWrite(b, s, "issuer/default/issue/testing", map[string]interface{}{
+		"common_name": "example.com",
+		"use_pss":     "true",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "failed to issue PSS leaf")
+}
+
+func TestPKI_EmptyCRLConfigUpgraded(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	// Write an empty CRLConfig into storage.
+	crlConfigEntry, err := logical.StorageEntryJSON("config/crl", &crlConfig{})
+	require.NoError(t, err)
+	err = s.Put(ctx, crlConfigEntry)
+	require.NoError(t, err)
+
+	resp, err := CBRead(b, s, "config/crl")
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.NotNil(t, resp.Data)
+	require.Equal(t, resp.Data["expiry"], defaultCrlConfig.Expiry)
+	require.Equal(t, resp.Data["disable"], defaultCrlConfig.Disable)
+	require.Equal(t, resp.Data["ocsp_disable"], defaultCrlConfig.OcspDisable)
+	require.Equal(t, resp.Data["auto_rebuild"], defaultCrlConfig.AutoRebuild)
+	require.Equal(t, resp.Data["auto_rebuild_grace_period"], defaultCrlConfig.AutoRebuildGracePeriod)
+	require.Equal(t, resp.Data["enable_delta"], defaultCrlConfig.EnableDelta)
+	require.Equal(t, resp.Data["delta_rebuild_interval"], defaultCrlConfig.DeltaRebuildInterval)
+}
+
+func TestPKI_ListRevokedCerts(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	// Test empty cluster
+	resp, err := CBList(b, s, "certs/revoked")
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("certs/revoked"), logical.ListOperation), resp, true)
+	requireSuccessNonNilResponse(t, resp, err, "failed listing empty cluster")
+	require.Empty(t, resp.Data, "response map contained data that we did not expect")
+
+	// Set up a mount that we can revoke under (We will create 3 leaf certs, 2 of which will be revoked)
+	resp, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
+		"common_name": "test.com",
+		"key_type":    "ec",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "error generating root CA")
+	requireFieldsSetInResp(t, resp, "serial_number")
+	issuerSerial := resp.Data["serial_number"]
+
+	resp, err = CBWrite(b, s, "roles/test", map[string]interface{}{
+		"allowed_domains":  "test.com",
+		"allow_subdomains": "true",
+		"max_ttl":          "1h",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "error setting up pki role")
+
+	resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
+		"common_name": "test1.test.com",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "error issuing cert 1")
+	requireFieldsSetInResp(t, resp, "serial_number")
+	serial1 := resp.Data["serial_number"]
+
+	resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
+		"common_name": "test2.test.com",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "error issuing cert 2")
+	requireFieldsSetInResp(t, resp, "serial_number")
+	serial2 := resp.Data["serial_number"]
+
+	resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
+		"common_name": "test3.test.com",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "error issuing cert 2")
+	requireFieldsSetInResp(t, resp, "serial_number")
+	serial3 := resp.Data["serial_number"]
+
+	resp, err = CBWrite(b, s, "revoke", map[string]interface{}{"serial_number": serial1})
+	requireSuccessNonNilResponse(t, resp, err, "error revoking cert 1")
+
+	resp, err = CBWrite(b, s, "revoke", map[string]interface{}{"serial_number": serial2})
+	requireSuccessNonNilResponse(t, resp, err, "error revoking cert 2")
+
+	// Test that we get back the expected revoked serial numbers.
+	resp, err = CBList(b, s, "certs/revoked")
+	requireSuccessNonNilResponse(t, resp, err, "failed listing revoked certs")
+	requireFieldsSetInResp(t, resp, "keys")
+	revokedKeys := resp.Data["keys"].([]string)
+
+	require.Contains(t, revokedKeys, serial1)
+	require.Contains(t, revokedKeys, serial2)
+	require.Equal(t, 2, len(revokedKeys), "Expected 2 revoked entries got %d: %v", len(revokedKeys), revokedKeys)
+
+	// Test that listing our certs returns a different response
+	resp, err = CBList(b, s, "certs")
+	requireSuccessNonNilResponse(t, resp, err, "failed listing written certs")
+	requireFieldsSetInResp(t, resp, "keys")
+	certKeys := resp.Data["keys"].([]string)
+
+	require.Contains(t, certKeys, serial1)
+	require.Contains(t, certKeys, serial2)
+	require.Contains(t, certKeys, serial3)
+	require.Contains(t, certKeys, issuerSerial)
+	require.Equal(t, 4, len(certKeys), "Expected 4 cert entries got %d: %v", len(certKeys), certKeys)
+}
+
+func TestPKI_TemplatedAIAs(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	// Setting templated AIAs should succeed.
+	resp, err := CBWrite(b, s, "config/cluster", map[string]interface{}{
+		"path":     "http://localhost:8200/v1/pki",
+		"aia_path": "http://localhost:8200/cdn/pki",
+	})
+	require.NoError(t, err)
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("config/cluster"), logical.UpdateOperation), resp, true)
+
+	resp, err = CBRead(b, s, "config/cluster")
+	require.NoError(t, err)
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("config/cluster"), logical.ReadOperation), resp, true)
+
+	aiaData := map[string]interface{}{
+		"crl_distribution_points": "{{cluster_path}}/issuer/{{issuer_id}}/crl/der",
+		"issuing_certificates":    "{{cluster_aia_path}}/issuer/{{issuer_id}}/der",
+		"ocsp_servers":            "{{cluster_path}}/ocsp",
+		"enable_templating":       true,
+	}
+	_, err = CBWrite(b, s, "config/urls", aiaData)
+	require.NoError(t, err)
+
+	// Root generation should succeed, but without AIA info.
+	rootData := map[string]interface{}{
+		"common_name": "Long-Lived Root X1",
+		"issuer_name": "long-root-x1",
+		"key_type":    "ec",
+	}
+	resp, err = CBWrite(b, s, "root/generate/internal", rootData)
+	require.NoError(t, err)
+	_, err = CBDelete(b, s, "root")
+	require.NoError(t, err)
+
+	// Clearing the config and regenerating the root should still succeed.
+	_, err = CBWrite(b, s, "config/urls", map[string]interface{}{
+		"crl_distribution_points": "{{cluster_path}}/issuer/my-root-id/crl/der",
+		"issuing_certificates":    "{{cluster_aia_path}}/issuer/my-root-id/der",
+		"ocsp_servers":            "{{cluster_path}}/ocsp",
+		"enable_templating":       true,
+	})
+	require.NoError(t, err)
+	resp, err = CBWrite(b, s, "root/generate/internal", rootData)
+	requireSuccessNonNilResponse(t, resp, err)
+	issuerId := string(resp.Data["issuer_id"].(issuerID))
+
+	// Now write the original AIA config and sign a leaf.
+	_, err = CBWrite(b, s, "config/urls", aiaData)
+	require.NoError(t, err)
+	_, err = CBWrite(b, s, "roles/testing", map[string]interface{}{
+		"allow_any_name": "true",
+		"key_type":       "ec",
+		"ttl":            "50m",
+	})
+	require.NoError(t, err)
+	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
+		"common_name": "example.com",
+	})
+	requireSuccessNonNilResponse(t, resp, err)
+
+	// Validate the AIA info is correctly templated.
+	cert := parseCert(t, resp.Data["certificate"].(string))
+	require.Equal(t, cert.OCSPServer, []string{"http://localhost:8200/v1/pki/ocsp"})
+	require.Equal(t, cert.IssuingCertificateURL, []string{"http://localhost:8200/cdn/pki/issuer/" + issuerId + "/der"})
+	require.Equal(t, cert.CRLDistributionPoints, []string{"http://localhost:8200/v1/pki/issuer/" + issuerId + "/crl/der"})
+
+	// Modify our issuer to set custom AIAs: these URLs are bad.
+	_, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
+		"enable_aia_url_templating": "false",
+		"crl_distribution_points":   "a",
+		"issuing_certificates":      "b",
+		"ocsp_servers":              "c",
+	})
+	require.Error(t, err)
+
+	// These URLs are good.
+	_, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
+		"enable_aia_url_templating": "false",
+		"crl_distribution_points":   "http://localhost/a",
+		"issuing_certificates":      "http://localhost/b",
+		"ocsp_servers":              "http://localhost/c",
+	})
+
+	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
+		"common_name": "example.com",
+	})
+	requireSuccessNonNilResponse(t, resp, err)
+
+	// Validate the AIA info is correctly templated.
+	cert = parseCert(t, resp.Data["certificate"].(string))
+	require.Equal(t, cert.OCSPServer, []string{"http://localhost/c"})
+	require.Equal(t, cert.IssuingCertificateURL, []string{"http://localhost/b"})
+	require.Equal(t, cert.CRLDistributionPoints, []string{"http://localhost/a"})
+
+	// These URLs are bad, but will fail at issuance time due to AIA templating.
+	resp, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
+		"enable_aia_url_templating": "true",
+		"crl_distribution_points":   "a",
+		"issuing_certificates":      "b",
+		"ocsp_servers":              "c",
+	})
+	requireSuccessNonNilResponse(t, resp, err)
+	require.NotEmpty(t, resp.Warnings)
+	_, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
+		"common_name": "example.com",
+	})
+	require.Error(t, err)
+}
+
+func requireSubjectUserIDAttr(t *testing.T, cert string, target string) {
+	xCert := parseCert(t, cert)
+
+	for _, attr := range xCert.Subject.Names {
+		var userID string
+		if attr.Type.Equal(certutil.SubjectPilotUserIDAttributeOID) {
+			if target == "" {
+				t.Fatalf("expected no UserID (OID: %v) subject attributes in cert:\n%v", certutil.SubjectPilotUserIDAttributeOID, cert)
+			}
+
+			switch aValue := attr.Value.(type) {
+			case string:
+				userID = aValue
+			case []byte:
+				userID = string(aValue)
+			default:
+				t.Fatalf("unknown type for UserID attribute: %v\nCert: %v", attr, cert)
+			}
+
+			if userID == target {
+				return
+			}
+		}
+	}
+
+	if target != "" {
+		t.Fatalf("failed to find UserID (OID: %v) matching %v in cert:\n%v", certutil.SubjectPilotUserIDAttributeOID, target, cert)
+	}
+}
+
+func TestUserIDsInLeafCerts(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	// 1. Setup root issuer.
+	resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
+		"common_name": "Vault Root CA",
+		"key_type":    "ec",
+		"ttl":         "7200h",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "failed generating root issuer")
+
+	// 2. Allow no user IDs.
+	resp, err = CBWrite(b, s, "roles/testing", map[string]interface{}{
+		"allowed_user_ids": "",
+		"key_type":         "ec",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "failed setting up role")
+
+	// - Issue cert without user IDs should work.
+	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
+		"common_name": "localhost",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
+	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "")
+
+	// - Issue cert with user ID should fail.
+	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
+		"common_name": "localhost",
+		"user_ids":    "humanoid",
+	})
+	require.Error(t, err)
+	require.True(t, resp.IsError())
+
+	// 3. Allow any user IDs.
+	resp, err = CBWrite(b, s, "roles/testing", map[string]interface{}{
+		"allowed_user_ids": "*",
+		"key_type":         "ec",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "failed setting up role")
+
+	// - Issue cert without user IDs.
+	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
+		"common_name": "localhost",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
+	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "")
+
+	// - Issue cert with one user ID.
+	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
+		"common_name": "localhost",
+		"user_ids":    "humanoid",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
+	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "humanoid")
+
+	// - Issue cert with two user IDs.
+	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
+		"common_name": "localhost",
+		"user_ids":    "humanoid,robot",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
+	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "humanoid")
+	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "robot")
+
+	// 4. Allow one specific user ID.
+	resp, err = CBWrite(b, s, "roles/testing", map[string]interface{}{
+		"allowed_user_ids": "humanoid",
+		"key_type":         "ec",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "failed setting up role")
+
+	// - Issue cert without user IDs.
+	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
+		"common_name": "localhost",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
+	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "")
+
+	// - Issue cert with approved ID.
+	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
+		"common_name": "localhost",
+		"user_ids":    "humanoid",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
+	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "humanoid")
+
+	// - Issue cert with non-approved user ID should fail.
+	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
+		"common_name": "localhost",
+		"user_ids":    "robot",
+	})
+	require.Error(t, err)
+	require.True(t, resp.IsError())
+
+	// - Issue cert with one approved and one non-approved should also fail.
+	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
+		"common_name": "localhost",
+		"user_ids":    "humanoid,robot",
+	})
+	require.Error(t, err)
+	require.True(t, resp.IsError())
+
+	// 5. Allow two specific user IDs.
+	resp, err = CBWrite(b, s, "roles/testing", map[string]interface{}{
+		"allowed_user_ids": "humanoid,robot",
+		"key_type":         "ec",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "failed setting up role")
+
+	// - Issue cert without user IDs.
+	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
+		"common_name": "localhost",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
+	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "")
+
+	// - Issue cert with one approved ID.
+	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
+		"common_name": "localhost",
+		"user_ids":    "humanoid",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
+	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "humanoid")
+
+	// - Issue cert with other user ID.
+	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
+		"common_name": "localhost",
+		"user_ids":    "robot",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
+	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "robot")
+
+	// - Issue cert with unknown user ID will fail.
+	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
+		"common_name": "localhost",
+		"user_ids":    "robot2",
+	})
+	require.Error(t, err)
+	require.True(t, resp.IsError())
+
+	// - Issue cert with both should succeed.
+	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
+		"common_name": "localhost",
+		"user_ids":    "humanoid,robot",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
+	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "humanoid")
+	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "robot")
+
+	// 6. Use a glob.
+	resp, err = CBWrite(b, s, "roles/testing", map[string]interface{}{
+		"allowed_user_ids": "human*",
+		"key_type":         "ec",
+		"use_csr_sans":     true, // setup for further testing.
+	})
+	requireSuccessNonNilResponse(t, resp, err, "failed setting up role")
+
+	// - Issue cert without user IDs.
+	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
+		"common_name": "localhost",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
+	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "")
+
+	// - Issue cert with approved ID.
+	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
+		"common_name": "localhost",
+		"user_ids":    "humanoid",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
+	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "humanoid")
+
+	// - Issue cert with another approved ID.
+	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
+		"common_name": "localhost",
+		"user_ids":    "human",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
+	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "human")
+
+	// - Issue cert with literal glob.
+	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
+		"common_name": "localhost",
+		"user_ids":    "human*",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
+	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "human*")
+
+	// - Still no robotic certs are allowed; will fail.
+	resp, err = CBWrite(b, s, "issue/testing", map[string]interface{}{
+		"common_name": "localhost",
+		"user_ids":    "robot",
+	})
+	require.Error(t, err)
+	require.True(t, resp.IsError())
+
+	// Create a CSR and validate it works with both sign/ and sign-verbatim.
+	csrTemplate := x509.CertificateRequest{
+		Subject: pkix.Name{
+			CommonName: "localhost",
+			ExtraNames: []pkix.AttributeTypeAndValue{
+				{
+					Type:  certutil.SubjectPilotUserIDAttributeOID,
+					Value: "humanoid",
+				},
+			},
+		},
+	}
+	_, _, csrPem := generateCSR(t, &csrTemplate, "ec", 256)
+
+	// Should work with role-based signing.
+	resp, err = CBWrite(b, s, "sign/testing", map[string]interface{}{
+		"csr": csrPem,
+	})
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("sign/testing"), logical.UpdateOperation), resp, true)
+	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
+	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "humanoid")
+
+	// - Definitely will work with sign-verbatim.
+	resp, err = CBWrite(b, s, "sign-verbatim", map[string]interface{}{
+		"csr": csrPem,
+	})
+	requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
+	requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "humanoid")
+}
+
+// TestStandby_Operations test proper forwarding for PKI requests from a standby node to the
+// active node within a cluster.
+func TestStandby_Operations(t *testing.T) {
+	conf, opts := teststorage.ClusterSetup(&vault.CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"pki": Factory,
+		},
+	}, nil, teststorage.InmemBackendSetup)
+	cluster := vault.NewTestCluster(t, conf, opts)
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	testhelpers.WaitForActiveNodeAndStandbys(t, cluster)
+	standbyCores := testhelpers.DeriveStandbyCores(t, cluster)
+	require.Greater(t, len(standbyCores), 0, "Need at least one standby core.")
+	client := standbyCores[0].Client
+
+	mountPKIEndpoint(t, client, "pki")
+
+	_, err := client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
+		"key_type":    "ec",
+		"common_name": "root-ca.com",
+		"ttl":         "600h",
+	})
+	require.NoError(t, err, "error setting up pki role: %v", err)
+
+	_, err = client.Logical().Write("pki/roles/example", map[string]interface{}{
+		"allowed_domains":  "example.com",
+		"allow_subdomains": "true",
+		"no_store":         "false", // make sure we store this cert
+		"ttl":              "5h",
+		"key_type":         "ec",
+	})
+	require.NoError(t, err, "error setting up pki role: %v", err)
+
+	resp, err := client.Logical().Write("pki/issue/example", map[string]interface{}{
+		"common_name": "test.example.com",
+	})
+	require.NoError(t, err, "error issuing certificate: %v", err)
+	require.NotNil(t, resp, "got nil response from issuing request")
+	serialOfCert := resp.Data["serial_number"].(string)
+
+	resp, err = client.Logical().Write("pki/revoke", map[string]interface{}{
+		"serial_number": serialOfCert,
+	})
+	require.NoError(t, err, "error revoking certificate: %v", err)
+	require.NotNil(t, resp, "got nil response from revoke request")
+}
+
+type pathAuthCheckerFunc func(t *testing.T, client *api.Client, path string, token string)
+
+func isPermDenied(err error) bool {
+	return err != nil && strings.Contains(err.Error(), "permission denied")
+}
+
+func isUnsupportedPathOperation(err error) bool {
+	return err != nil && (strings.Contains(err.Error(), "unsupported path") || strings.Contains(err.Error(), "unsupported operation"))
+}
+
+func isDeniedOp(err error) bool {
+	return isPermDenied(err) || isUnsupportedPathOperation(err)
+}
+
+func pathShouldBeAuthed(t *testing.T, client *api.Client, path string, token string) {
+	client.SetToken("")
+	resp, err := client.Logical().ReadWithContext(ctx, path)
+	if err == nil || !isPermDenied(err) {
+		t.Fatalf("expected failure to read %v while unauthed: %v / %v", path, err, resp)
+	}
+	resp, err = client.Logical().ListWithContext(ctx, path)
+	if err == nil || !isPermDenied(err) {
+		t.Fatalf("expected failure to list %v while unauthed: %v / %v", path, err, resp)
+	}
+	resp, err = client.Logical().WriteWithContext(ctx, path, map[string]interface{}{})
+	if err == nil || !isPermDenied(err) {
+		t.Fatalf("expected failure to write %v while unauthed: %v / %v", path, err, resp)
+	}
+	resp, err = client.Logical().DeleteWithContext(ctx, path)
+	if err == nil || !isPermDenied(err) {
+		t.Fatalf("expected failure to delete %v while unauthed: %v / %v", path, err, resp)
+	}
+	resp, err = client.Logical().JSONMergePatch(ctx, path, map[string]interface{}{})
+	if err == nil || !isPermDenied(err) {
+		t.Fatalf("expected failure to patch %v while unauthed: %v / %v", path, err, resp)
+	}
+}
+
+func pathShouldBeUnauthedReadList(t *testing.T, client *api.Client, path string, token string) {
+	// Should be able to read both with and without a token.
+	client.SetToken("")
+	resp, err := client.Logical().ReadWithContext(ctx, path)
+	if err != nil && isPermDenied(err) {
+		// Read will sometimes return permission denied, when the handler
+		// does not support the given operation. Retry with the token.
+		client.SetToken(token)
+		resp2, err2 := client.Logical().ReadWithContext(ctx, path)
+		if err2 != nil && !isUnsupportedPathOperation(err2) {
+			t.Fatalf("unexpected failure to read %v while unauthed: %v / %v\nWhile authed: %v / %v", path, err, resp, err2, resp2)
+		}
+		client.SetToken("")
+	}
+	resp, err = client.Logical().ListWithContext(ctx, path)
+	if err != nil && isPermDenied(err) {
+		// List will sometimes return permission denied, when the handler
+		// does not support the given operation. Retry with the token.
+		client.SetToken(token)
+		resp2, err2 := client.Logical().ListWithContext(ctx, path)
+		if err2 != nil && !isUnsupportedPathOperation(err2) {
+			t.Fatalf("unexpected failure to list %v while unauthed: %v / %v\nWhile authed: %v / %v", path, err, resp, err2, resp2)
+		}
+		client.SetToken("")
+	}
+
+	// These should all be denied.
+	resp, err = client.Logical().WriteWithContext(ctx, path, map[string]interface{}{})
+	if err == nil || !isDeniedOp(err) {
+		if !strings.Contains(path, "ocsp") || !strings.Contains(err.Error(), "Code: 40") {
+			t.Fatalf("unexpected failure during write on read-only path %v while unauthed: %v / %v", path, err, resp)
+		}
+	}
+	resp, err = client.Logical().DeleteWithContext(ctx, path)
+	if err == nil || !isDeniedOp(err) {
+		t.Fatalf("unexpected failure during delete on read-only path %v while unauthed: %v / %v", path, err, resp)
+	}
+	resp, err = client.Logical().JSONMergePatch(ctx, path, map[string]interface{}{})
+	if err == nil || !isDeniedOp(err) {
+		t.Fatalf("unexpected failure during patch on read-only path %v while unauthed: %v / %v", path, err, resp)
+	}
+
+	// Retrying with token should allow read/list, but not modification still.
+	client.SetToken(token)
+	resp, err = client.Logical().ReadWithContext(ctx, path)
+	if err != nil && isPermDenied(err) {
+		t.Fatalf("unexpected failure to read %v while authed: %v / %v", path, err, resp)
+	}
+	resp, err = client.Logical().ListWithContext(ctx, path)
+	if err != nil && isPermDenied(err) {
+		t.Fatalf("unexpected failure to list %v while authed: %v / %v", path, err, resp)
+	}
+
+	// Should all be denied.
+	resp, err = client.Logical().WriteWithContext(ctx, path, map[string]interface{}{})
+	if err == nil || !isDeniedOp(err) {
+		if !strings.Contains(path, "ocsp") || !strings.Contains(err.Error(), "Code: 40") {
+			t.Fatalf("unexpected failure during write on read-only path %v while authed: %v / %v", path, err, resp)
+		}
+	}
+	resp, err = client.Logical().DeleteWithContext(ctx, path)
+	if err == nil || !isDeniedOp(err) {
+		t.Fatalf("unexpected failure during delete on read-only path %v while authed: %v / %v", path, err, resp)
+	}
+	resp, err = client.Logical().JSONMergePatch(ctx, path, map[string]interface{}{})
+	if err == nil || !isDeniedOp(err) {
+		t.Fatalf("unexpected failure during patch on read-only path %v while authed: %v / %v", path, err, resp)
+	}
+}
+
+func pathShouldBeUnauthedWriteOnly(t *testing.T, client *api.Client, path string, token string) {
+	client.SetToken("")
+	resp, err := client.Logical().WriteWithContext(ctx, path, map[string]interface{}{})
+	if err != nil && isPermDenied(err) {
+		t.Fatalf("unexpected failure to write %v while unauthed: %v / %v", path, err, resp)
+	}
+
+	// These should all be denied. However, on OSS, we might end up with
+	// a regular 404, which looks like err == resp == nil; hence we only
+	// fail when there's a non-nil response and/or a non-nil err.
+	resp, err = client.Logical().ReadWithContext(ctx, path)
+	if (err == nil && resp != nil) || (err != nil && !isDeniedOp(err)) {
+		t.Fatalf("unexpected failure during read on write-only path %v while unauthed: %v / %v", path, err, resp)
+	}
+	resp, err = client.Logical().ListWithContext(ctx, path)
+	if (err == nil && resp != nil) || (err != nil && !isDeniedOp(err)) {
+		t.Fatalf("unexpected failure during list on write-only path %v while unauthed: %v / %v", path, err, resp)
+	}
+	resp, err = client.Logical().DeleteWithContext(ctx, path)
+	if (err == nil && resp != nil) || (err != nil && !isDeniedOp(err)) {
+		t.Fatalf("unexpected failure during delete on write-only path %v while unauthed: %v / %v", path, err, resp)
+	}
+	resp, err = client.Logical().JSONMergePatch(ctx, path, map[string]interface{}{})
+	if (err == nil && resp != nil) || (err != nil && !isDeniedOp(err)) {
+		t.Fatalf("unexpected failure during patch on write-only path %v while unauthed: %v / %v", path, err, resp)
+	}
+
+	// Retrying with token should allow writing, but nothing else.
+	client.SetToken(token)
+	resp, err = client.Logical().WriteWithContext(ctx, path, map[string]interface{}{})
+	if err != nil && isPermDenied(err) {
+		t.Fatalf("unexpected failure to write %v while unauthed: %v / %v", path, err, resp)
+	}
+
+	// These should all be denied.
+	resp, err = client.Logical().ReadWithContext(ctx, path)
+	if (err == nil && resp != nil) || (err != nil && !isDeniedOp(err)) {
+		t.Fatalf("unexpected failure during read on write-only path %v while authed: %v / %v", path, err, resp)
+	}
+	resp, err = client.Logical().ListWithContext(ctx, path)
+	if (err == nil && resp != nil) || (err != nil && !isDeniedOp(err)) {
+		if resp != nil || err != nil {
+			t.Fatalf("unexpected failure during list on write-only path %v while authed: %v / %v", path, err, resp)
+		}
+	}
+	resp, err = client.Logical().DeleteWithContext(ctx, path)
+	if (err == nil && resp != nil) || (err != nil && !isDeniedOp(err)) {
+		t.Fatalf("unexpected failure during delete on write-only path %v while authed: %v / %v", path, err, resp)
+	}
+	resp, err = client.Logical().JSONMergePatch(ctx, path, map[string]interface{}{})
+	if (err == nil && resp != nil) || (err != nil && !isDeniedOp(err)) {
+		t.Fatalf("unexpected failure during patch on write-only path %v while authed: %v / %v", path, err, resp)
+	}
+}
+
+type pathAuthChecker int
+
+const (
+	shouldBeAuthed pathAuthChecker = iota
+	shouldBeUnauthedReadList
+	shouldBeUnauthedWriteOnly
+)
+
+var pathAuthChckerMap = map[pathAuthChecker]pathAuthCheckerFunc{
+	shouldBeAuthed:            pathShouldBeAuthed,
+	shouldBeUnauthedReadList:  pathShouldBeUnauthedReadList,
+	shouldBeUnauthedWriteOnly: pathShouldBeUnauthedWriteOnly,
+}
+
+func TestProperAuthing(t *testing.T) {
+	t.Parallel()
+	ctx := context.Background()
+	coreConfig := &vault.CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"pki": Factory,
+		},
+	}
+	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
+		HandlerFunc: vaulthttp.Handler,
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
+	client := cluster.Cores[0].Client
+	token := client.Token()
+
+	// Mount PKI.
+	err := client.Sys().MountWithContext(ctx, "pki", &api.MountInput{
+		Type: "pki",
+		Config: api.MountConfigInput{
+			DefaultLeaseTTL: "16h",
+			MaxLeaseTTL:     "60h",
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Setup basic configuration.
+	_, err = client.Logical().WriteWithContext(ctx, "pki/root/generate/internal", map[string]interface{}{
+		"ttl":         "40h",
+		"common_name": "myvault.com",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = client.Logical().WriteWithContext(ctx, "pki/roles/test", map[string]interface{}{
+		"allow_localhost": true,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	resp, err := client.Logical().WriteWithContext(ctx, "pki/issue/test", map[string]interface{}{
+		"common_name": "localhost",
+	})
+	if err != nil || resp == nil {
+		t.Fatal(err)
+	}
+	serial := resp.Data["serial_number"].(string)
+	eabKid := "13b80844-e60d-42d2-b7e9-152a8e834b90"
+	paths := map[string]pathAuthChecker{
+		"ca_chain":                               shouldBeUnauthedReadList,
+		"cert/ca_chain":                          shouldBeUnauthedReadList,
+		"ca":                                     shouldBeUnauthedReadList,
+		"ca/pem":                                 shouldBeUnauthedReadList,
+		"cert/" + serial:                         shouldBeUnauthedReadList,
+		"cert/" + serial + "/raw":                shouldBeUnauthedReadList,
+		"cert/" + serial + "/raw/pem":            shouldBeUnauthedReadList,
+		"cert/crl":                               shouldBeUnauthedReadList,
+		"cert/crl/raw":                           shouldBeUnauthedReadList,
+		"cert/crl/raw/pem":                       shouldBeUnauthedReadList,
+		"cert/delta-crl":                         shouldBeUnauthedReadList,
+		"cert/delta-crl/raw":                     shouldBeUnauthedReadList,
+		"cert/delta-crl/raw/pem":                 shouldBeUnauthedReadList,
+		"cert/unified-crl":                       shouldBeUnauthedReadList,
+		"cert/unified-crl/raw":                   shouldBeUnauthedReadList,
+		"cert/unified-crl/raw/pem":               shouldBeUnauthedReadList,
+		"cert/unified-delta-crl":                 shouldBeUnauthedReadList,
+		"cert/unified-delta-crl/raw":             shouldBeUnauthedReadList,
+		"cert/unified-delta-crl/raw/pem":         shouldBeUnauthedReadList,
+		"certs/":                                 shouldBeAuthed,
+		"certs/revoked/":                         shouldBeAuthed,
+		"certs/revocation-queue/":                shouldBeAuthed,
+		"certs/unified-revoked/":                 shouldBeAuthed,
+		"config/acme":                            shouldBeAuthed,
+		"config/auto-tidy":                       shouldBeAuthed,
+		"config/ca":                              shouldBeAuthed,
+		"config/cluster":                         shouldBeAuthed,
+		"config/crl":                             shouldBeAuthed,
+		"config/issuers":                         shouldBeAuthed,
+		"config/keys":                            shouldBeAuthed,
+		"config/urls":                            shouldBeAuthed,
+		"crl":                                    shouldBeUnauthedReadList,
+		"crl/pem":                                shouldBeUnauthedReadList,
+		"crl/delta":                              shouldBeUnauthedReadList,
+		"crl/delta/pem":                          shouldBeUnauthedReadList,
+		"crl/rotate":                             shouldBeAuthed,
+		"crl/rotate-delta":                       shouldBeAuthed,
+		"intermediate/cross-sign":                shouldBeAuthed,
+		"intermediate/generate/exported":         shouldBeAuthed,
+		"intermediate/generate/internal":         shouldBeAuthed,
+		"intermediate/generate/existing":         shouldBeAuthed,
+		"intermediate/generate/kms":              shouldBeAuthed,
+		"intermediate/set-signed":                shouldBeAuthed,
+		"issue/test":                             shouldBeAuthed,
+		"issuer/default":                         shouldBeAuthed,
+		"issuer/default/der":                     shouldBeUnauthedReadList,
+		"issuer/default/json":                    shouldBeUnauthedReadList,
+		"issuer/default/pem":                     shouldBeUnauthedReadList,
+		"issuer/default/crl":                     shouldBeUnauthedReadList,
+		"issuer/default/crl/pem":                 shouldBeUnauthedReadList,
+		"issuer/default/crl/der":                 shouldBeUnauthedReadList,
+		"issuer/default/crl/delta":               shouldBeUnauthedReadList,
+		"issuer/default/crl/delta/der":           shouldBeUnauthedReadList,
+		"issuer/default/crl/delta/pem":           shouldBeUnauthedReadList,
+		"issuer/default/unified-crl":             shouldBeUnauthedReadList,
+		"issuer/default/unified-crl/pem":         shouldBeUnauthedReadList,
+		"issuer/default/unified-crl/der":         shouldBeUnauthedReadList,
+		"issuer/default/unified-crl/delta":       shouldBeUnauthedReadList,
+		"issuer/default/unified-crl/delta/der":   shouldBeUnauthedReadList,
+		"issuer/default/unified-crl/delta/pem":   shouldBeUnauthedReadList,
+		"issuer/default/issue/test":              shouldBeAuthed,
+		"issuer/default/resign-crls":             shouldBeAuthed,
+		"issuer/default/revoke":                  shouldBeAuthed,
+		"issuer/default/sign-intermediate":       shouldBeAuthed,
+		"issuer/default/sign-revocation-list":    shouldBeAuthed,
+		"issuer/default/sign-self-issued":        shouldBeAuthed,
+		"issuer/default/sign-verbatim":           shouldBeAuthed,
+		"issuer/default/sign-verbatim/test":      shouldBeAuthed,
+		"issuer/default/sign/test":               shouldBeAuthed,
+		"issuers/":                               shouldBeUnauthedReadList,
+		"issuers/generate/intermediate/exported": shouldBeAuthed,
+		"issuers/generate/intermediate/internal": shouldBeAuthed,
+		"issuers/generate/intermediate/existing": shouldBeAuthed,
+		"issuers/generate/intermediate/kms":      shouldBeAuthed,
+		"issuers/generate/root/exported":         shouldBeAuthed,
+		"issuers/generate/root/internal":         shouldBeAuthed,
+		"issuers/generate/root/existing":         shouldBeAuthed,
+		"issuers/generate/root/kms":              shouldBeAuthed,
+		"issuers/import/cert":                    shouldBeAuthed,
+		"issuers/import/bundle":                  shouldBeAuthed,
+		"key/default":                            shouldBeAuthed,
+		"keys/":                                  shouldBeAuthed,
+		"keys/generate/internal":                 shouldBeAuthed,
+		"keys/generate/exported":                 shouldBeAuthed,
+		"keys/generate/kms":                      shouldBeAuthed,
+		"keys/import":                            shouldBeAuthed,
+		"ocsp":                                   shouldBeUnauthedWriteOnly,
+		"ocsp/dGVzdAo=":                          shouldBeUnauthedReadList,
+		"revoke":                                 shouldBeAuthed,
+		"revoke-with-key":                        shouldBeAuthed,
+		"roles/test":                             shouldBeAuthed,
+		"roles/":                                 shouldBeAuthed,
+		"root":                                   shouldBeAuthed,
+		"root/generate/exported":                 shouldBeAuthed,
+		"root/generate/internal":                 shouldBeAuthed,
+		"root/generate/existing":                 shouldBeAuthed,
+		"root/generate/kms":                      shouldBeAuthed,
+		"root/replace":                           shouldBeAuthed,
+		"root/rotate/internal":                   shouldBeAuthed,
+		"root/rotate/exported":                   shouldBeAuthed,
+		"root/rotate/existing":                   shouldBeAuthed,
+		"root/rotate/kms":                        shouldBeAuthed,
+		"root/sign-intermediate":                 shouldBeAuthed,
+		"root/sign-self-issued":                  shouldBeAuthed,
+		"sign-verbatim":                          shouldBeAuthed,
+		"sign-verbatim/test":                     shouldBeAuthed,
+		"sign/test":                              shouldBeAuthed,
+		"tidy":                                   shouldBeAuthed,
+		"tidy-cancel":                            shouldBeAuthed,
+		"tidy-status":                            shouldBeAuthed,
+		"unified-crl":                            shouldBeUnauthedReadList,
+		"unified-crl/pem":                        shouldBeUnauthedReadList,
+		"unified-crl/delta":                      shouldBeUnauthedReadList,
+		"unified-crl/delta/pem":                  shouldBeUnauthedReadList,
+		"unified-ocsp":                           shouldBeUnauthedWriteOnly,
+		"unified-ocsp/dGVzdAo=":                  shouldBeUnauthedReadList,
+		"eab/":                                   shouldBeAuthed,
+		"eab/" + eabKid:                          shouldBeAuthed,
+	}
+
+	entPaths := getEntProperAuthingPaths(serial)
+	maps.Copy(paths, entPaths)
+
+	// Add ACME based paths to the test suite
+	ossAcmePrefixes := []string{"acme/", "issuer/default/acme/", "roles/test/acme/", "issuer/default/roles/test/acme/"}
+	entAcmePrefixes := getEntAcmePrefixes()
+	for _, acmePrefix := range append(ossAcmePrefixes, entAcmePrefixes...) {
+		paths[acmePrefix+"directory"] = shouldBeUnauthedReadList
+		paths[acmePrefix+"new-nonce"] = shouldBeUnauthedReadList
+		paths[acmePrefix+"new-account"] = shouldBeUnauthedWriteOnly
+		paths[acmePrefix+"revoke-cert"] = shouldBeUnauthedWriteOnly
+		paths[acmePrefix+"new-order"] = shouldBeUnauthedWriteOnly
+		paths[acmePrefix+"orders"] = shouldBeUnauthedWriteOnly
+		paths[acmePrefix+"account/hrKmDYTvicHoHGVN2-3uzZV_BPGdE0W_dNaqYTtYqeo="] = shouldBeUnauthedWriteOnly
+		paths[acmePrefix+"authorization/29da8c38-7a09-465e-b9a6-3d76802b1afd"] = shouldBeUnauthedWriteOnly
+		paths[acmePrefix+"challenge/29da8c38-7a09-465e-b9a6-3d76802b1afd/http-01"] = shouldBeUnauthedWriteOnly
+		paths[acmePrefix+"order/13b80844-e60d-42d2-b7e9-152a8e834b90"] = shouldBeUnauthedWriteOnly
+		paths[acmePrefix+"order/13b80844-e60d-42d2-b7e9-152a8e834b90/finalize"] = shouldBeUnauthedWriteOnly
+		paths[acmePrefix+"order/13b80844-e60d-42d2-b7e9-152a8e834b90/cert"] = shouldBeUnauthedWriteOnly
+
+		// Make sure this new-eab path is auth'd
+		paths[acmePrefix+"new-eab"] = shouldBeAuthed
+	}
+
+	for path, checkerType := range paths {
+		checker := pathAuthChckerMap[checkerType]
+		checker(t, client, "pki/"+path, token)
+	}
+
+	client.SetToken(token)
+	openAPIResp, err := client.Logical().ReadWithContext(ctx, "sys/internal/specs/openapi")
+	if err != nil {
+		t.Fatalf("failed to get openapi data: %v", err)
+	}
+
+	validatedPath := false
+	for openapi_path, raw_data := range openAPIResp.Data["paths"].(map[string]interface{}) {
+		if !strings.HasPrefix(openapi_path, "/pki/") {
+			t.Logf("Skipping path: %v", openapi_path)
+			continue
+		}
+
+		t.Logf("Validating path: %v", openapi_path)
+		validatedPath = true
+		// Substitute values in from our testing map.
+		raw_path := openapi_path[5:]
+		if strings.Contains(raw_path, "roles/") && strings.Contains(raw_path, "{name}") {
+			raw_path = strings.ReplaceAll(raw_path, "{name}", "test")
+		}
+		if strings.Contains(raw_path, "{role}") {
+			raw_path = strings.ReplaceAll(raw_path, "{role}", "test")
+		}
+		if strings.Contains(raw_path, "ocsp/") && strings.Contains(raw_path, "{req}") {
+			raw_path = strings.ReplaceAll(raw_path, "{req}", "dGVzdAo=")
+		}
+		if strings.Contains(raw_path, "{issuer_ref}") {
+			raw_path = strings.ReplaceAll(raw_path, "{issuer_ref}", "default")
+		}
+		if strings.Contains(raw_path, "{key_ref}") {
+			raw_path = strings.ReplaceAll(raw_path, "{key_ref}", "default")
+		}
+		if strings.Contains(raw_path, "{exported}") {
+			raw_path = strings.ReplaceAll(raw_path, "{exported}", "internal")
+		}
+		if strings.Contains(raw_path, "{serial}") {
+			raw_path = strings.ReplaceAll(raw_path, "{serial}", serial)
+		}
+		if strings.Contains(raw_path, "acme/account/") && strings.Contains(raw_path, "{kid}") {
+			raw_path = strings.ReplaceAll(raw_path, "{kid}", "hrKmDYTvicHoHGVN2-3uzZV_BPGdE0W_dNaqYTtYqeo=")
+		}
+		if strings.Contains(raw_path, "acme/") && strings.Contains(raw_path, "{auth_id}") {
+			raw_path = strings.ReplaceAll(raw_path, "{auth_id}", "29da8c38-7a09-465e-b9a6-3d76802b1afd")
+		}
+		if strings.Contains(raw_path, "acme/") && strings.Contains(raw_path, "{challenge_type}") {
+			raw_path = strings.ReplaceAll(raw_path, "{challenge_type}", "http-01")
+		}
+		if strings.Contains(raw_path, "acme/") && strings.Contains(raw_path, "{order_id}") {
+			raw_path = strings.ReplaceAll(raw_path, "{order_id}", "13b80844-e60d-42d2-b7e9-152a8e834b90")
+		}
+		if strings.Contains(raw_path, "eab") && strings.Contains(raw_path, "{key_id}") {
+			raw_path = strings.ReplaceAll(raw_path, "{key_id}", eabKid)
+		}
+		if strings.Contains(raw_path, "external-policy/") && strings.Contains(raw_path, "{policy}") {
+			raw_path = strings.ReplaceAll(raw_path, "{policy}", "a-policy")
+		}
+
+		raw_path = entProperAuthingPathReplacer(raw_path)
+
+		handler, present := paths[raw_path]
+		if !present {
+			t.Fatalf("OpenAPI reports PKI mount contains %v -> %v but was not tested to be authed or not authed.",
+				openapi_path, raw_path)
+		}
+
+		openapi_data := raw_data.(map[string]interface{})
+		hasList := false
+		rawGetData, hasGet := openapi_data["get"]
+		if hasGet {
+			getData := rawGetData.(map[string]interface{})
+			getParams, paramsPresent := getData["parameters"].(map[string]interface{})
+			if getParams != nil && paramsPresent {
+				if _, hasList = getParams["list"]; hasList {
+					// LIST is exclusive from GET on the same endpoint usually.
+					hasGet = false
+				}
+			}
+		}
+		_, hasPost := openapi_data["post"]
+		_, hasDelete := openapi_data["delete"]
+
+		if handler == shouldBeUnauthedReadList {
+			if hasPost || hasDelete {
+				t.Fatalf("Unauthed read-only endpoints should not have POST/DELETE capabilities: %v->%v", openapi_path, raw_path)
+			}
+		} else if handler == shouldBeUnauthedWriteOnly {
+			if hasGet || hasList {
+				t.Fatalf("Unauthed write-only endpoints should not have GET/LIST capabilities: %v->%v", openapi_path, raw_path)
+			}
+		}
+	}
+
+	if !validatedPath {
+		t.Fatalf("Expected to have validated at least one path.")
+	}
+}
+
+func TestPatchIssuer(t *testing.T) {
+	t.Parallel()
+
+	type TestCase struct {
+		Field   string
+		Before  interface{}
+		Patched interface{}
+	}
+	testCases := []TestCase{
+		{
+			Field:   "issuer_name",
+			Before:  "root",
+			Patched: "root-new",
+		},
+		{
+			Field:   "leaf_not_after_behavior",
+			Before:  "err",
+			Patched: "permit",
+		},
+		{
+			Field:   "usage",
+			Before:  "crl-signing,issuing-certificates,ocsp-signing,read-only",
+			Patched: "issuing-certificates,read-only",
+		},
+		{
+			Field:   "revocation_signature_algorithm",
+			Before:  "ECDSAWithSHA256",
+			Patched: "ECDSAWithSHA384",
+		},
+		{
+			Field:   "issuing_certificates",
+			Before:  []string{"http://localhost/v1/pki-1/ca"},
+			Patched: []string{"http://localhost/v1/pki/ca"},
+		},
+		{
+			Field:   "crl_distribution_points",
+			Before:  []string{"http://localhost/v1/pki-1/crl"},
+			Patched: []string{"http://localhost/v1/pki/crl"},
+		},
+		{
+			Field:   "ocsp_servers",
+			Before:  []string{"http://localhost/v1/pki-1/ocsp"},
+			Patched: []string{"http://localhost/v1/pki/ocsp"},
+		},
+		{
+			Field:   "enable_aia_url_templating",
+			Before:  false,
+			Patched: true,
+		},
+		{
+			Field:   "manual_chain",
+			Before:  []string(nil),
+			Patched: []string{"self"},
+		},
+	}
+
+	for index, testCase := range testCases {
+		t.Logf("index: %v / tc: %v", index, testCase)
+
+		b, s := CreateBackendWithStorage(t)
+
+		// 1. Setup root issuer.
+		resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
+			"common_name": "Vault Root CA",
+			"key_type":    "ec",
+			"ttl":         "7200h",
+			"issuer_name": "root",
+		})
+		requireSuccessNonNilResponse(t, resp, err, "failed generating root issuer")
+		id := string(resp.Data["issuer_id"].(issuerID))
+
+		// 2. Enable Cluster paths
+		resp, err = CBWrite(b, s, "config/urls", map[string]interface{}{
+			"path":     "https://localhost/v1/pki",
+			"aia_path": "http://localhost/v1/pki",
+		})
+		requireSuccessNonNilResponse(t, resp, err, "failed updating AIA config")
+
+		// 3. Add AIA information
+		resp, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
+			"issuing_certificates":    "http://localhost/v1/pki-1/ca",
+			"crl_distribution_points": "http://localhost/v1/pki-1/crl",
+			"ocsp_servers":            "http://localhost/v1/pki-1/ocsp",
+		})
+		requireSuccessNonNilResponse(t, resp, err, "failed setting up issuer")
+
+		// 4. Read the issuer before.
+		resp, err = CBRead(b, s, "issuer/default")
+		requireSuccessNonNilResponse(t, resp, err, "failed reading root issuer before")
+		require.Equal(t, testCase.Before, resp.Data[testCase.Field], "bad expectations")
+
+		// 5. Perform modification.
+		resp, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
+			testCase.Field: testCase.Patched,
+		})
+		requireSuccessNonNilResponse(t, resp, err, "failed patching root issuer")
+
+		if testCase.Field != "manual_chain" {
+			require.Equal(t, testCase.Patched, resp.Data[testCase.Field], "failed persisting value")
+		} else {
+			// self->id
+			require.Equal(t, []string{id}, resp.Data[testCase.Field], "failed persisting value")
+		}
+
+		// 6. Ensure it stuck
+		resp, err = CBRead(b, s, "issuer/default")
+		requireSuccessNonNilResponse(t, resp, err, "failed reading root issuer after")
+
+		if testCase.Field != "manual_chain" {
+			require.Equal(t, testCase.Patched, resp.Data[testCase.Field])
+		} else {
+			// self->id
+			require.Equal(t, []string{id}, resp.Data[testCase.Field], "failed persisting value")
+		}
+	}
+}
+
+func TestGenerateRootCAWithAIA(t *testing.T) {
+	// Generate a root CA at /pki-root
+	b_root, s_root := CreateBackendWithStorage(t)
+
+	// Setup templated AIA information
+	_, err := CBWrite(b_root, s_root, "config/cluster", map[string]interface{}{
+		"path":     "https://localhost:8200",
+		"aia_path": "https://localhost:8200",
+	})
+	require.NoError(t, err, "failed to write AIA settings")
+
+	_, err = CBWrite(b_root, s_root, "config/urls", map[string]interface{}{
+		"crl_distribution_points": "{{cluster_path}}/issuer/{{issuer_id}}/crl/der",
+		"issuing_certificates":    "{{cluster_aia_path}}/issuer/{{issuer_id}}/der",
+		"ocsp_servers":            "{{cluster_path}}/ocsp",
+		"enable_templating":       true,
+	})
+	require.NoError(t, err, "failed to write AIA settings")
+
+	// Write a root issuer, this should succeed.
+	resp, err := CBWrite(b_root, s_root, "root/generate/exported", map[string]interface{}{
+		"common_name": "root myvault.com",
+		"key_type":    "ec",
+	})
+	requireSuccessNonNilResponse(t, resp, err, "expected root generation to succeed")
+}
+
+var (
+	initTest  sync.Once
+	rsaCAKey  string
+	rsaCACert string
+	ecCAKey   string
+	ecCACert  string
+	edCAKey   string
+	edCACert  string
+)
diff --git a/command/base.go b/command/base.go
index 10be15b636cb..bb4c455b4805 100644
--- a/command/base.go
+++ b/command/base.go
@@ -1,722 +1,1268 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package vault
 
 import (
-	"bytes"
-	"flag"
+	"context"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"crypto/subtle"
+	"encoding/binary"
+	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
-	"os"
-	"regexp"
+	"math"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
 
-	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/command/token"
-	"github.com/hashicorp/vault/helper/namespace"
-	"github.com/mattn/go-isatty"
-	"github.com/mitchellh/cli"
-	"github.com/pkg/errors"
-	"github.com/posener/complete"
+	"github.com/armon/go-metrics"
+	"github.com/hashicorp/go-secure-stdlib/strutil"
+	"github.com/hashicorp/vault/sdk/helper/jsonutil"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/sdk/physical"
+	"go.uber.org/atomic"
 )
 
 const (
-	// maxLineLength is the maximum width of any line.
-	maxLineLength int = 78
+	// initialKeyTerm is the hard coded initial key term. This is
+	// used only for values that are not encrypted with the keyring.
+	initialKeyTerm = 1
 
-	// notSetValue is a flag value for a not-set value
-	notSetValue = "(not set)"
-)
+	// termSize the number of bytes used for the key term.
+	termSize = 4
 
-// reRemoveWhitespace is a regular expression for stripping whitespace from
-// a string.
-var reRemoveWhitespace = regexp.MustCompile(`[\s]+`)
+	autoRotateCheckInterval = 5 * time.Minute
+	legacyRotateReason      = "legacy rotation"
+	// The keyring is persisted before the root key.
+	keyringTimeout = 1 * time.Second
+)
 
-type BaseCommand struct {
-	UI cli.Ui
+// Versions of the AESGCM storage methodology
+const (
+	AESGCMVersion1 = 0x1
+	AESGCMVersion2 = 0x2
+)
 
-	flags     *FlagSets
-	flagsOnce sync.Once
+// barrierInit is the JSON encoded value stored
+type barrierInit struct {
+	Version int    // Version is the current format version
+	Key     []byte // Key is the primary encryption key
+}
 
-	flagAddress           string
-	flagAgentProxyAddress string
-	flagCACert            string
-	flagCAPath            string
-	flagClientCert        string
-	flagClientKey         string
-	flagNamespace         string
-	flagNS                string
-	flagPolicyOverride    bool
-	flagTLSServerName     string
-	flagTLSSkipVerify     bool
-	flagDisableRedirects  bool
-	flagWrapTTL           time.Duration
-	flagUnlockKey         string
+// Validate AESGCMBarrier satisfies SecurityBarrier interface
+var (
+	_                      SecurityBarrier = &AESGCMBarrier{}
+	barrierEncryptsMetric                  = []string{"barrier", "estimated_encryptions"}
+	barrierRotationsMetric                 = []string{"barrier", "auto_rotation"}
+)
 
-	flagFormat           string
-	flagField            string
-	flagDetailed         bool
-	flagOutputCurlString bool
-	flagOutputPolicy     bool
-	flagNonInteractive   bool
-	addrWarning          string
+// AESGCMBarrier is a SecurityBarrier implementation that uses the AES
+// cipher core and the Galois Counter Mode block mode. It defaults to
+// the golang NONCE default value of 12 and a key size of 256
+// bit. AES-GCM is high performance, and provides both confidentiality
+// and integrity.
+type AESGCMBarrier struct {
+	backend physical.Backend
+
+	l      sync.RWMutex
+	sealed bool
+
+	// keyring is used to maintain all of the encryption keys, including
+	// the active key used for encryption, but also prior keys to allow
+	// decryption of keys encrypted under previous terms.
+	keyring *Keyring
+
+	// cache is used to reduce the number of AEAD constructions we do
+	cache     map[uint32]cipher.AEAD
+	cacheLock sync.RWMutex
+
+	// currentAESGCMVersionByte is prefixed to a message to allow for
+	// future versioning of barrier implementations. It's var instead
+	// of const to allow for testing
+	currentAESGCMVersionByte byte
+
+	initialized atomic.Bool
+
+	UnaccountedEncryptions *atomic.Int64
+	// Used only for testing
+	RemoteEncryptions     *atomic.Int64
+	totalLocalEncryptions *atomic.Int64
+}
 
-	flagMFA []string
+func (b *AESGCMBarrier) RotationConfig() (kc KeyRotationConfig, err error) {
+	if b.keyring == nil {
+		return kc, errors.New("keyring not yet present")
+	}
+	return b.keyring.rotationConfig.Clone(), nil
+}
 
-	flagHeader map[string]string
+func (b *AESGCMBarrier) SetRotationConfig(ctx context.Context, rotConfig KeyRotationConfig) error {
+	b.l.Lock()
+	defer b.l.Unlock()
+	rotConfig.Sanitize()
+	if !rotConfig.Equals(b.keyring.rotationConfig) {
+		b.keyring.rotationConfig = rotConfig
 
-	tokenHelper token.TokenHelper
+		return b.persistKeyring(ctx, b.keyring)
+	}
+	return nil
+}
 
-	client *api.Client
+// NewAESGCMBarrier is used to construct a new barrier that uses
+// the provided physical backend for storage.
+func NewAESGCMBarrier(physical physical.Backend) (*AESGCMBarrier, error) {
+	b := &AESGCMBarrier{
+		backend:                  physical,
+		sealed:                   true,
+		cache:                    make(map[uint32]cipher.AEAD),
+		currentAESGCMVersionByte: byte(AESGCMVersion2),
+		UnaccountedEncryptions:   atomic.NewInt64(0),
+		RemoteEncryptions:        atomic.NewInt64(0),
+		totalLocalEncryptions:    atomic.NewInt64(0),
+	}
+	return b, nil
 }
 
-// Client returns the HTTP API client. The client is cached on the command to
-// save performance on future calls.
-func (c *BaseCommand) Client() (*api.Client, error) {
-	// Read the test client if present
-	if c.client != nil {
-		return c.client, nil
+// Initialized checks if the barrier has been initialized
+// and has a root key set.
+func (b *AESGCMBarrier) Initialized(ctx context.Context) (bool, error) {
+	if b.initialized.Load() {
+		return true, nil
 	}
 
-	if c.addrWarning != "" && c.UI != nil {
-		if os.Getenv("VAULT_ADDR") == "" {
-			if !c.flagNonInteractive && isatty.IsTerminal(os.Stdin.Fd()) {
-				c.UI.Warn(wrapAtLength(c.addrWarning))
-			}
-		}
+	// Read the keyring file
+	keys, err := b.backend.List(ctx, keyringPrefix)
+	if err != nil {
+		return false, fmt.Errorf("failed to check for initialization: %w", err)
+	}
+	if strutil.StrListContains(keys, "keyring") {
+		b.initialized.Store(true)
+		return true, nil
 	}
 
-	config := api.DefaultConfig()
+	// Fallback, check for the old sentinel file
+	out, err := b.backend.Get(ctx, barrierInitPath)
+	if err != nil {
+		return false, fmt.Errorf("failed to check for initialization: %w", err)
+	}
+	b.initialized.Store(out != nil)
+	return out != nil, nil
+}
 
-	if err := config.ReadEnvironment(); err != nil {
-		return nil, errors.Wrap(err, "failed to read environment")
+// Initialize works only if the barrier has not been initialized
+// and makes use of the given root key.
+func (b *AESGCMBarrier) Initialize(ctx context.Context, key []byte, sealKey []byte, reader io.Reader) error {
+	// Verify the key size
+	min, max := b.KeyLength()
+	if len(key) < min || len(key) > max {
+		return fmt.Errorf("key size must be %d or %d", min, max)
 	}
 
-	if c.flagAddress != "" {
-		config.Address = c.flagAddress
+	// Check if already initialized
+	if alreadyInit, err := b.Initialized(ctx); err != nil {
+		return err
+	} else if alreadyInit {
+		return ErrBarrierAlreadyInit
 	}
-	if c.flagAgentProxyAddress != "" {
-		config.Address = c.flagAgentProxyAddress
+
+	// Generate encryption key
+	encryptionKey, err := b.GenerateKey(reader)
+	if err != nil {
+		return fmt.Errorf("failed to generate encryption key: %w", err)
 	}
 
-	if c.flagOutputCurlString {
-		config.OutputCurlString = c.flagOutputCurlString
+	// Create a new keyring, install the keys
+	keyring := NewKeyring()
+	keyring = keyring.SetRootKey(key)
+	keyring, err = keyring.AddKey(&Key{
+		Term:    1,
+		Version: 1,
+		Value:   encryptionKey,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to create keyring: %w", err)
 	}
-	if c.flagOutputPolicy {
-		config.OutputPolicy = c.flagOutputPolicy
+
+	err = b.persistKeyring(ctx, keyring)
+	if err != nil {
+		return err
 	}
 
-	// If we need custom TLS configuration, then set it
-	if c.flagCACert != "" || c.flagCAPath != "" || c.flagClientCert != "" ||
-		c.flagClientKey != "" || c.flagTLSServerName != "" || c.flagTLSSkipVerify {
-		t := &api.TLSConfig{
-			CACert:        c.flagCACert,
-			CAPath:        c.flagCAPath,
-			ClientCert:    c.flagClientCert,
-			ClientKey:     c.flagClientKey,
-			TLSServerName: c.flagTLSServerName,
-			Insecure:      c.flagTLSSkipVerify,
+	if len(sealKey) > 0 {
+		primary, err := b.aeadFromKey(encryptionKey)
+		if err != nil {
+			return err
 		}
 
-		// Setup TLS config
-		if err := config.ConfigureTLS(t); err != nil {
-			return nil, errors.Wrap(err, "failed to setup TLS config")
+		err = b.putInternal(ctx, 1, primary, &logical.StorageEntry{
+			Key:   shamirKekPath,
+			Value: sealKey,
+		})
+		if err != nil {
+			return fmt.Errorf("failed to store new seal key: %w", err)
 		}
 	}
 
-	// Build the client
-	client, err := api.NewClient(config)
+	return nil
+}
+
+// persistKeyring is used to write out the keyring using the
+// root key to encrypt it.
+func (b *AESGCMBarrier) persistKeyring(ctx context.Context, keyring *Keyring) error {
+	return b.persistKeyringInternal(ctx, keyring, false)
+}
+
+// persistKeyringBestEffort is like persistKeyring but 'best effort', ie times out early
+// for non critical keyring writes (encryption/rotation tracking)
+func (b *AESGCMBarrier) persistKeyringBestEffort(ctx context.Context, keyring *Keyring) error {
+	return b.persistKeyringInternal(ctx, keyring, true)
+}
+
+// persistKeyring is used to write out the keyring using the
+// root key to encrypt it.
+func (b *AESGCMBarrier) persistKeyringInternal(ctx context.Context, keyring *Keyring, bestEffort bool) error {
+	// Create the keyring entry
+	keyringBuf, err := keyring.Serialize()
+	defer memzero(keyringBuf)
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to create client")
+		return fmt.Errorf("failed to serialize keyring: %w", err)
 	}
 
-	// Turn off retries on the CLI
-	if os.Getenv(api.EnvVaultMaxRetries) == "" {
-		client.SetMaxRetries(0)
+	// Create the AES-GCM
+	gcm, err := b.aeadFromKey(keyring.RootKey())
+	if err != nil {
+		return fmt.Errorf("failed to retrieve AES-GCM AEAD from root key: %w", err)
 	}
 
-	// Set the wrapping function
-	client.SetWrappingLookupFunc(c.DefaultWrappingLookupFunc)
+	// Encrypt the barrier init value
+	value, err := b.encrypt(keyringPath, initialKeyTerm, gcm, keyringBuf)
+	if err != nil {
+		return fmt.Errorf("failed to encrypt barrier initial value: %w", err)
+	}
 
-	// Get the token if it came in from the environment
-	token := client.Token()
+	// Create the keyring physical entry
+	pe := &physical.Entry{
+		Key:   keyringPath,
+		Value: value,
+	}
 
-	// If we don't have a token, check the token helper
-	if token == "" {
-		helper, err := c.TokenHelper()
-		if err != nil {
-			return nil, errors.Wrap(err, "failed to get token helper")
-		}
-		token, err = helper.Get()
-		if err != nil {
-			return nil, errors.Wrap(err, "failed to get token from token helper")
-		}
+	ctxKeyring := ctx
+
+	if bestEffort {
+		// We reduce the timeout on the initial 'put' but if this succeeds we will
+		// allow longer later on when we try to persist the root key .
+		var cancelKeyring func()
+		ctxKeyring, cancelKeyring = context.WithTimeout(ctx, keyringTimeout)
+		defer cancelKeyring()
 	}
 
-	// Set the token
-	if token != "" {
-		client.SetToken(token)
+	if err := b.backend.Put(ctxKeyring, pe); err != nil {
+		return fmt.Errorf("failed to persist keyring: %w", err)
 	}
 
-	client.SetMFACreds(c.flagMFA)
+	// Serialize the root key value
+	key := &Key{
+		Term:    1,
+		Version: 1,
+		Value:   keyring.RootKey(),
+	}
+	keyBuf, err := key.Serialize()
+	defer memzero(keyBuf)
+	if err != nil {
+		return fmt.Errorf("failed to serialize root key: %w", err)
+	}
 
-	// flagNS takes precedence over flagNamespace. After resolution, point both
-	// flags to the same value to be able to use them interchangeably anywhere.
-	if c.flagNS != notSetValue {
-		c.flagNamespace = c.flagNS
+	// Encrypt the root key
+	activeKey := keyring.ActiveKey()
+	aead, err := b.aeadFromKey(activeKey.Value)
+	if err != nil {
+		return fmt.Errorf("failed to retrieve AES-GCM AEAD from active key: %w", err)
 	}
-	if c.flagNamespace != notSetValue {
-		client.SetNamespace(namespace.Canonicalize(c.flagNamespace))
+	value, err = b.encryptTracked(rootKeyPath, activeKey.Term, aead, keyBuf)
+	if err != nil {
+		return fmt.Errorf("failed to encrypt and track active key value: %w", err)
 	}
-	if c.flagPolicyOverride {
-		client.SetPolicyOverride(c.flagPolicyOverride)
+
+	// Update the rootKeyPath for standby instances
+	pe = &physical.Entry{
+		Key:   rootKeyPath,
+		Value: value,
 	}
 
-	if c.flagHeader != nil {
+	// Use the longer timeout from the original context, for the follow-up write
+	// to persist the root key, as the initial storage of the keyring was successful.
+	if err := b.backend.Put(ctx, pe); err != nil {
+		return fmt.Errorf("failed to persist root key: %w", err)
+	}
+	return nil
+}
 
-		var forbiddenHeaders []string
-		for key, val := range c.flagHeader {
+// GenerateKey is used to generate a new key
+func (b *AESGCMBarrier) GenerateKey(reader io.Reader) ([]byte, error) {
+	// Generate a 256bit key
+	buf := make([]byte, 2*aes.BlockSize)
+	_, err := reader.Read(buf)
 
-			if strings.HasPrefix(key, "X-Vault-") {
-				forbiddenHeaders = append(forbiddenHeaders, key)
-				continue
-			}
-			client.AddHeader(key, val)
-		}
+	return buf, err
+}
+
+// KeyLength is used to sanity check a key
+func (b *AESGCMBarrier) KeyLength() (int, int) {
+	return aes.BlockSize, 2 * aes.BlockSize
+}
+
+// Sealed checks if the barrier has been unlocked yet. The Barrier
+// is not expected to be able to perform any CRUD until it is unsealed.
+func (b *AESGCMBarrier) Sealed() (bool, error) {
+	b.l.RLock()
+	sealed := b.sealed
+	b.l.RUnlock()
+	return sealed, nil
+}
+
+// VerifyRoot is used to check if the given key matches the root key
+func (b *AESGCMBarrier) VerifyRoot(key []byte) error {
+	b.l.RLock()
+	defer b.l.RUnlock()
+	if b.sealed {
+		return ErrBarrierSealed
+	}
+	if subtle.ConstantTimeCompare(key, b.keyring.RootKey()) != 1 {
+		return ErrBarrierInvalidKey
+	}
+	return nil
+}
+
+// ReloadKeyring is used to re-read the underlying keyring.
+// This is used for HA deployments to ensure the latest keyring
+// is present in the leader.
+func (b *AESGCMBarrier) ReloadKeyring(ctx context.Context) error {
+	b.l.Lock()
+	defer b.l.Unlock()
 
-		if len(forbiddenHeaders) > 0 {
-			return nil, fmt.Errorf("failed to setup Headers[%s]: Header starting by 'X-Vault-' are for internal usage only", strings.Join(forbiddenHeaders, ", "))
+	// Create the AES-GCM
+	gcm, err := b.aeadFromKey(b.keyring.RootKey())
+	if err != nil {
+		return err
+	}
+
+	// Read in the keyring
+	out, err := b.backend.Get(ctx, keyringPath)
+	if err != nil {
+		return fmt.Errorf("failed to check for keyring: %w", err)
+	}
+
+	// Ensure that the keyring exists. This should never happen,
+	// and indicates something really bad has happened.
+	if out == nil {
+		return errors.New("keyring unexpectedly missing")
+	}
+
+	// Verify the term is always just one
+	term := binary.BigEndian.Uint32(out.Value[:4])
+	if term != initialKeyTerm {
+		return errors.New("term mis-match")
+	}
+
+	// Decrypt the barrier init key
+	plain, err := b.decrypt(keyringPath, gcm, out.Value)
+	defer memzero(plain)
+	if err != nil {
+		if strings.Contains(err.Error(), "message authentication failed") {
+			return ErrBarrierInvalidKey
 		}
+		return err
 	}
 
-	c.client = client
+	// Reset enc. counters, this may be a leadership change
+	b.totalLocalEncryptions.Store(0)
+	b.totalLocalEncryptions.Store(0)
+	b.UnaccountedEncryptions.Store(0)
+	b.RemoteEncryptions.Store(0)
 
-	return client, nil
+	return b.recoverKeyring(plain)
 }
 
-// SetAddress sets the token helper on the command; useful for the demo server and other outside cases.
-func (c *BaseCommand) SetAddress(addr string) {
-	c.flagAddress = addr
-}
+func (b *AESGCMBarrier) recoverKeyring(plaintext []byte) error {
+	keyring, err := DeserializeKeyring(plaintext)
+	if err != nil {
+		return fmt.Errorf("keyring deserialization failed: %w", err)
+	}
 
-// SetTokenHelper sets the token helper on the command.
-func (c *BaseCommand) SetTokenHelper(th token.TokenHelper) {
-	c.tokenHelper = th
+	// Setup the keyring and finish
+	b.cache = make(map[uint32]cipher.AEAD)
+	b.keyring = keyring
+	return nil
 }
 
-// TokenHelper returns the token helper attached to the command.
-func (c *BaseCommand) TokenHelper() (token.TokenHelper, error) {
-	if c.tokenHelper != nil {
-		return c.tokenHelper, nil
+// ReloadRootKey is used to re-read the underlying root key.
+// This is used for HA deployments to ensure the latest root key
+// is available for keyring reloading.
+func (b *AESGCMBarrier) ReloadRootKey(ctx context.Context) error {
+	// Read the rootKeyPath upgrade
+	out, err := b.Get(ctx, rootKeyPath)
+	if err != nil {
+		return fmt.Errorf("failed to read root key path: %w", err)
+	}
+
+	// The rootKeyPath could be missing (backwards incompatible),
+	// we can ignore this and attempt to make progress with the current
+	// root key.
+	if out == nil {
+		return nil
 	}
 
-	helper, err := DefaultTokenHelper()
+	// Grab write lock and refetch
+	b.l.Lock()
+	defer b.l.Unlock()
+
+	out, err = b.lockSwitchedGet(ctx, rootKeyPath, false)
 	if err != nil {
-		return nil, err
+		return fmt.Errorf("failed to read root key path: %w", err)
 	}
-	return helper, nil
-}
 
-// DefaultWrappingLookupFunc is the default wrapping function based on the
-// CLI flag.
-func (c *BaseCommand) DefaultWrappingLookupFunc(operation, path string) string {
-	if c.flagWrapTTL != 0 {
-		return c.flagWrapTTL.String()
+	if out == nil {
+		return nil
 	}
 
-	return api.DefaultWrappingLookupFunc(operation, path)
-}
+	// Deserialize the root key
+	key, err := DeserializeKey(out.Value)
+	memzero(out.Value)
+	if err != nil {
+		return fmt.Errorf("failed to deserialize key: %w", err)
+	}
 
-// getMFAValidationRequired checks to see if the secret exists and has an MFA
-// requirement. If MFA is required and the number of constraints is greater than
-// 1, we can assert that interactive validation is not required.
-func (c *BaseCommand) getMFAValidationRequired(secret *api.Secret) bool {
-	if secret != nil && secret.Auth != nil && secret.Auth.MFARequirement != nil {
-		if c.flagMFA == nil && len(secret.Auth.MFARequirement.MFAConstraints) == 1 {
-			return true
-		} else if len(secret.Auth.MFARequirement.MFAConstraints) > 1 {
-			return true
-		}
+	// Check if the root key is the same
+	if subtle.ConstantTimeCompare(b.keyring.RootKey(), key.Value) == 1 {
+		return nil
 	}
 
-	return false
+	// Update the root key
+	oldKeyring := b.keyring
+	b.keyring = b.keyring.SetRootKey(key.Value)
+	oldKeyring.Zeroize(false)
+	return nil
 }
 
-// getInteractiveMFAMethodInfo returns MFA method information only if operating
-// in interactive mode and one MFA method is configured.
-func (c *BaseCommand) getInteractiveMFAMethodInfo(secret *api.Secret) *MFAMethodInfo {
-	if secret == nil || secret.Auth == nil || secret.Auth.MFARequirement == nil {
+// Unseal is used to provide the root key which permits the barrier
+// to be unsealed. If the key is not correct, the barrier remains sealed.
+func (b *AESGCMBarrier) Unseal(ctx context.Context, key []byte) error {
+	b.l.Lock()
+	defer b.l.Unlock()
+
+	// Do nothing if already unsealed
+	if !b.sealed {
 		return nil
 	}
 
-	mfaConstraints := secret.Auth.MFARequirement.MFAConstraints
-	if c.flagNonInteractive || len(mfaConstraints) != 1 || !isatty.IsTerminal(os.Stdin.Fd()) {
-		return nil
+	// Create the AES-GCM
+	gcm, err := b.aeadFromKey(key)
+	if err != nil {
+		return err
 	}
 
-	for _, mfaConstraint := range mfaConstraints {
-		if len(mfaConstraint.Any) != 1 {
-			return nil
+	// Read in the keyring
+	out, err := b.backend.Get(ctx, keyringPath)
+	if err != nil {
+		return fmt.Errorf("failed to check for keyring: %w", err)
+	}
+	if out != nil {
+		// Verify the term is always just one
+		term := binary.BigEndian.Uint32(out.Value[:4])
+		if term != initialKeyTerm {
+			return errors.New("term mis-match")
 		}
 
-		return &MFAMethodInfo{
-			methodType:  mfaConstraint.Any[0].Type,
-			methodID:    mfaConstraint.Any[0].ID,
-			usePasscode: mfaConstraint.Any[0].UsesPasscode,
+		// Decrypt the barrier init key
+		plain, err := b.decrypt(keyringPath, gcm, out.Value)
+		defer memzero(plain)
+		if err != nil {
+			if strings.Contains(err.Error(), "message authentication failed") {
+				return ErrBarrierInvalidKey
+			}
+			return err
+		}
+
+		// Recover the keyring
+		err = b.recoverKeyring(plain)
+		if err != nil {
+			return fmt.Errorf("keyring deserialization failed: %w", err)
 		}
+
+		b.sealed = false
+
+		return nil
+	}
+
+	// Read the barrier initialization key
+	out, err = b.backend.Get(ctx, barrierInitPath)
+	if err != nil {
+		return fmt.Errorf("failed to check for initialization: %w", err)
+	}
+	if out == nil {
+		return ErrBarrierNotInit
 	}
 
+	// Verify the term is always just one
+	term := binary.BigEndian.Uint32(out.Value[:4])
+	if term != initialKeyTerm {
+		return errors.New("term mis-match")
+	}
+
+	// Decrypt the barrier init key
+	plain, err := b.decrypt(barrierInitPath, gcm, out.Value)
+	if err != nil {
+		if strings.Contains(err.Error(), "message authentication failed") {
+			return ErrBarrierInvalidKey
+		}
+		return err
+	}
+	defer memzero(plain)
+
+	// Unmarshal the barrier init
+	var init barrierInit
+	if err := jsonutil.DecodeJSON(plain, &init); err != nil {
+		return fmt.Errorf("failed to unmarshal barrier init file")
+	}
+
+	// Setup a new keyring, this is for backwards compatibility
+	keyringNew := NewKeyring()
+	keyring := keyringNew.SetRootKey(key)
+
+	// AddKey reuses the root, so we are only zeroizing after this call
+	defer keyringNew.Zeroize(false)
+
+	keyring, err = keyring.AddKey(&Key{
+		Term:    1,
+		Version: 1,
+		Value:   init.Key,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to create keyring: %w", err)
+	}
+	if err := b.persistKeyring(ctx, keyring); err != nil {
+		return err
+	}
+
+	// Delete the old barrier entry
+	if err := b.backend.Delete(ctx, barrierInitPath); err != nil {
+		return fmt.Errorf("failed to delete barrier init file: %w", err)
+	}
+
+	// Set the vault as unsealed
+	b.keyring = keyring
+	b.sealed = false
+
 	return nil
 }
 
-func (c *BaseCommand) validateMFA(reqID string, methodInfo MFAMethodInfo) (*api.Secret, error) {
-	var passcode string
-	var err error
-	if methodInfo.usePasscode {
-		passcode, err = c.UI.AskSecret(fmt.Sprintf("Enter the passphrase for methodID %q of type %q:", methodInfo.methodID, methodInfo.methodType))
-		if err != nil {
-			return nil, fmt.Errorf("failed to read passphrase: %w. please validate the login by sending a request to sys/mfa/validate", err)
-		}
-	} else {
-		c.UI.Warn("Asking Vault to perform MFA validation with upstream service. " +
-			"You should receive a push notification in your authenticator app shortly")
+// Seal is used to re-seal the barrier. This requires the barrier to
+// be unsealed again to perform any further operations.
+func (b *AESGCMBarrier) Seal() error {
+	b.l.Lock()
+	defer b.l.Unlock()
+
+	// Remove the primary key, and seal the vault
+	b.cache = make(map[uint32]cipher.AEAD)
+	b.keyring.Zeroize(true)
+	b.keyring = nil
+	b.sealed = true
+	return nil
+}
+
+// Rotate is used to create a new encryption key. All future writes
+// should use the new key, while old values should still be decryptable.
+func (b *AESGCMBarrier) Rotate(ctx context.Context, randomSource io.Reader) (uint32, error) {
+	b.l.Lock()
+	defer b.l.Unlock()
+	if b.sealed {
+		return 0, ErrBarrierSealed
 	}
 
-	// passcode could be an empty string
-	mfaPayload := map[string]interface{}{
-		methodInfo.methodID: []string{passcode},
+	// Generate a new key
+	encrypt, err := b.GenerateKey(randomSource)
+	if err != nil {
+		return 0, fmt.Errorf("failed to generate encryption key: %w", err)
 	}
 
-	client, err := c.Client()
+	// Get the next term
+	term := b.keyring.ActiveTerm()
+	newTerm := term + 1
+
+	// Add a new encryption key
+	newKeyring, err := b.keyring.AddKey(&Key{
+		Term:    newTerm,
+		Version: 1,
+		Value:   encrypt,
+	})
 	if err != nil {
-		return nil, err
+		return 0, fmt.Errorf("failed to add new encryption key: %w", err)
+	}
+
+	// Persist the new keyring
+	if err := b.persistKeyring(ctx, newKeyring); err != nil {
+		return 0, err
 	}
 
-	return client.Sys().MFAValidate(reqID, mfaPayload)
+	// Clear encryption tracking
+	b.RemoteEncryptions.Store(0)
+	b.totalLocalEncryptions.Store(0)
+	b.UnaccountedEncryptions.Store(0)
+
+	// Swap the keyrings
+	b.keyring = newKeyring
+
+	return newTerm, nil
 }
 
-type FlagSetBit uint
+// CreateUpgrade creates an upgrade path key to the given term from the previous term
+func (b *AESGCMBarrier) CreateUpgrade(ctx context.Context, term uint32) error {
+	b.l.RLock()
+	if b.sealed {
+		b.l.RUnlock()
+		return ErrBarrierSealed
+	}
 
-const (
-	FlagSetNone FlagSetBit = 1 << iota
-	FlagSetHTTP
-	FlagSetOutputField
-	FlagSetOutputFormat
-	FlagSetOutputDetailed
-)
+	// Get the key for this term
+	termKey := b.keyring.TermKey(term)
+	buf, err := termKey.Serialize()
+	defer memzero(buf)
+	if err != nil {
+		b.l.RUnlock()
+		return err
+	}
 
-// flagSet creates the flags for this command. The result is cached on the
-// command to save performance on future calls.
-func (c *BaseCommand) flagSet(bit FlagSetBit) *FlagSets {
-	c.flagsOnce.Do(func() {
-		set := NewFlagSets(c.UI)
-
-		// These flag sets will apply to all leaf subcommands.
-		// TODO: Optional, but FlagSetHTTP can be safely removed from the individual
-		// Flags() subcommands.
-		bit = bit | FlagSetHTTP
-
-		if bit&FlagSetHTTP != 0 {
-			f := set.NewFlagSet("HTTP Options")
-
-			addrStringVar := &StringVar{
-				Name:       flagNameAddress,
-				Target:     &c.flagAddress,
-				EnvVar:     api.EnvVaultAddress,
-				Completion: complete.PredictAnything,
-				Usage:      "Address of the Vault server.",
-			}
+	// Get the AEAD for the previous term
+	prevTerm := term - 1
+	primary, err := b.aeadForTerm(prevTerm)
+	if err != nil {
+		b.l.RUnlock()
+		return err
+	}
 
-			if c.flagAddress != "" {
-				addrStringVar.Default = c.flagAddress
-			} else {
-				addrStringVar.Default = "https://127.0.0.1:8200"
-				c.addrWarning = fmt.Sprintf("WARNING! VAULT_ADDR and -address unset. Defaulting to %s.", addrStringVar.Default)
-			}
-			f.StringVar(addrStringVar)
-
-			agentAddrStringVar := &StringVar{
-				Name:       "agent-address",
-				Target:     &c.flagAgentProxyAddress,
-				EnvVar:     api.EnvVaultAgentAddr,
-				Completion: complete.PredictAnything,
-				Usage:      "Address of the Agent.",
-			}
-			f.StringVar(agentAddrStringVar)
-
-			f.StringVar(&StringVar{
-				Name:       flagNameCACert,
-				Target:     &c.flagCACert,
-				Default:    "",
-				EnvVar:     api.EnvVaultCACert,
-				Completion: complete.PredictFiles("*"),
-				Usage: "Path on the local disk to a single PEM-encoded CA " +
-					"certificate to verify the Vault server's SSL certificate. This " +
-					"takes precedence over -ca-path.",
-			})
-
-			f.StringVar(&StringVar{
-				Name:       flagNameCAPath,
-				Target:     &c.flagCAPath,
-				Default:    "",
-				EnvVar:     api.EnvVaultCAPath,
-				Completion: complete.PredictDirs("*"),
-				Usage: "Path on the local disk to a directory of PEM-encoded CA " +
-					"certificates to verify the Vault server's SSL certificate.",
-			})
-
-			f.StringVar(&StringVar{
-				Name:       flagNameClientCert,
-				Target:     &c.flagClientCert,
-				Default:    "",
-				EnvVar:     api.EnvVaultClientCert,
-				Completion: complete.PredictFiles("*"),
-				Usage: "Path on the local disk to a single PEM-encoded CA " +
-					"certificate to use for TLS authentication to the Vault server. If " +
-					"this flag is specified, -client-key is also required.",
-			})
-
-			f.StringVar(&StringVar{
-				Name:       flagNameClientKey,
-				Target:     &c.flagClientKey,
-				Default:    "",
-				EnvVar:     api.EnvVaultClientKey,
-				Completion: complete.PredictFiles("*"),
-				Usage: "Path on the local disk to a single PEM-encoded private key " +
-					"matching the client certificate from -client-cert.",
-			})
-
-			f.StringVar(&StringVar{
-				Name:       "namespace",
-				Target:     &c.flagNamespace,
-				Default:    notSetValue, // this can never be a real value
-				EnvVar:     api.EnvVaultNamespace,
-				Completion: complete.PredictAnything,
-				Usage: "The namespace to use for the command. Setting this is not " +
-					"necessary but allows using relative paths. -ns can be used as " +
-					"shortcut.",
-			})
-
-			f.StringVar(&StringVar{
-				Name:       "ns",
-				Target:     &c.flagNS,
-				Default:    notSetValue, // this can never be a real value
-				Completion: complete.PredictAnything,
-				Hidden:     true,
-				Usage:      "Alias for -namespace. This takes precedence over -namespace.",
-			})
-
-			f.StringVar(&StringVar{
-				Name:       flagTLSServerName,
-				Target:     &c.flagTLSServerName,
-				Default:    "",
-				EnvVar:     api.EnvVaultTLSServerName,
-				Completion: complete.PredictAnything,
-				Usage: "Name to use as the SNI host when connecting to the Vault " +
-					"server via TLS.",
-			})
-
-			f.BoolVar(&BoolVar{
-				Name:    flagNameTLSSkipVerify,
-				Target:  &c.flagTLSSkipVerify,
-				Default: false,
-				EnvVar:  api.EnvVaultSkipVerify,
-				Usage: "Disable verification of TLS certificates. Using this option " +
-					"is highly discouraged as it decreases the security of data " +
-					"transmissions to and from the Vault server.",
-			})
-
-			f.BoolVar(&BoolVar{
-				Name:    flagNameDisableRedirects,
-				Target:  &c.flagDisableRedirects,
-				Default: false,
-				EnvVar:  api.EnvVaultDisableRedirects,
-				Usage: "Disable the default client behavior, which honors a single " +
-					"redirect response from a request",
-			})
-
-			f.BoolVar(&BoolVar{
-				Name:    "policy-override",
-				Target:  &c.flagPolicyOverride,
-				Default: false,
-				Usage: "Override a Sentinel policy that has a soft-mandatory " +
-					"enforcement_level specified",
-			})
-
-			f.DurationVar(&DurationVar{
-				Name:       "wrap-ttl",
-				Target:     &c.flagWrapTTL,
-				Default:    0,
-				EnvVar:     api.EnvVaultWrapTTL,
-				Completion: complete.PredictAnything,
-				Usage: "Wraps the response in a cubbyhole token with the requested " +
-					"TTL. The response is available via the \"vault unwrap\" command. " +
-					"The TTL is specified as a numeric string with suffix like \"30s\" " +
-					"or \"5m\".",
-			})
-
-			f.StringSliceVar(&StringSliceVar{
-				Name:       "mfa",
-				Target:     &c.flagMFA,
-				Default:    nil,
-				EnvVar:     api.EnvVaultMFA,
-				Completion: complete.PredictAnything,
-				Usage:      "Supply MFA credentials as part of X-Vault-MFA header.",
-			})
-
-			f.BoolVar(&BoolVar{
-				Name:    "output-curl-string",
-				Target:  &c.flagOutputCurlString,
-				Default: false,
-				Usage: "Instead of executing the request, print an equivalent cURL " +
-					"command string and exit.",
-			})
-
-			f.BoolVar(&BoolVar{
-				Name:    "output-policy",
-				Target:  &c.flagOutputPolicy,
-				Default: false,
-				Usage: "Instead of executing the request, print an example HCL " +
-					"policy that would be required to run this command, and exit.",
-			})
-
-			f.StringVar(&StringVar{
-				Name:       "unlock-key",
-				Target:     &c.flagUnlockKey,
-				Default:    notSetValue,
-				Completion: complete.PredictNothing,
-				Usage:      "Key to unlock a namespace API lock.",
-			})
-
-			f.StringMapVar(&StringMapVar{
-				Name:       "header",
-				Target:     &c.flagHeader,
-				Completion: complete.PredictAnything,
-				Usage: "Key-value pair provided as key=value to provide http header added to any request done by the CLI." +
-					"Trying to add headers starting with 'X-Vault-' is forbidden and will make the command fail " +
-					"This can be specified multiple times.",
-			})
-
-			f.BoolVar(&BoolVar{
-				Name:    "non-interactive",
-				Target:  &c.flagNonInteractive,
-				Default: false,
-				Usage:   "When set true, prevents asking the user for input via the terminal.",
-			})
+	key := fmt.Sprintf("%s%d", keyringUpgradePrefix, prevTerm)
+	value, err := b.encryptTracked(key, prevTerm, primary, buf)
+	b.l.RUnlock()
+	if err != nil {
+		return err
+	}
+	// Create upgrade key
+	pe := &physical.Entry{
+		Key:   key,
+		Value: value,
+	}
+	return b.backend.Put(ctx, pe)
+}
 
-		}
+// DestroyUpgrade destroys the upgrade path key to the given term
+func (b *AESGCMBarrier) DestroyUpgrade(ctx context.Context, term uint32) error {
+	path := fmt.Sprintf("%s%d", keyringUpgradePrefix, term-1)
+	return b.Delete(ctx, path)
+}
 
-		if bit&(FlagSetOutputField|FlagSetOutputFormat|FlagSetOutputDetailed) != 0 {
-			outputSet := set.NewFlagSet("Output Options")
-
-			if bit&FlagSetOutputField != 0 {
-				outputSet.StringVar(&StringVar{
-					Name:       "field",
-					Target:     &c.flagField,
-					Default:    "",
-					Completion: complete.PredictAnything,
-					Usage: "Print only the field with the given name. Specifying " +
-						"this option will take precedence over other formatting " +
-						"directives. The result will not have a trailing newline " +
-						"making it ideal for piping to other processes.",
-				})
-			}
+// CheckUpgrade looks for an upgrade to the current term and installs it
+func (b *AESGCMBarrier) CheckUpgrade(ctx context.Context) (bool, uint32, error) {
+	b.l.RLock()
+	if b.sealed {
+		b.l.RUnlock()
+		return false, 0, ErrBarrierSealed
+	}
 
-			if bit&FlagSetOutputFormat != 0 {
-				outputSet.StringVar(&StringVar{
-					Name:       "format",
-					Target:     &c.flagFormat,
-					Default:    "table",
-					EnvVar:     EnvVaultFormat,
-					Completion: complete.PredictSet("table", "json", "yaml", "pretty", "raw"),
-					Usage: `Print the output in the given format. Valid formats
-						are "table", "json", "yaml", or "pretty". "raw" is allowed
-						for 'vault read' operations only.`,
-				})
-			}
+	// Get the current term
+	activeTerm := b.keyring.ActiveTerm()
 
-			if bit&FlagSetOutputDetailed != 0 {
-				outputSet.BoolVar(&BoolVar{
-					Name:    "detailed",
-					Target:  &c.flagDetailed,
-					Default: false,
-					EnvVar:  EnvVaultDetailed,
-					Usage:   "Enables additional metadata during some operations",
-				})
-			}
-		}
+	// Check for an upgrade key
+	upgrade := fmt.Sprintf("%s%d", keyringUpgradePrefix, activeTerm)
+	entry, err := b.lockSwitchedGet(ctx, upgrade, false)
+	if err != nil {
+		b.l.RUnlock()
+		return false, 0, err
+	}
 
-		c.flags = set
-	})
+	// Nothing to do if no upgrade
+	if entry == nil {
+		b.l.RUnlock()
+		return false, 0, nil
+	}
+
+	// Upgrade from read lock to write lock
+	b.l.RUnlock()
+	b.l.Lock()
+	defer b.l.Unlock()
+
+	// Validate base cases and refetch values again
+
+	if b.sealed {
+		return false, 0, ErrBarrierSealed
+	}
+
+	activeTerm = b.keyring.ActiveTerm()
+
+	upgrade = fmt.Sprintf("%s%d", keyringUpgradePrefix, activeTerm)
+	entry, err = b.lockSwitchedGet(ctx, upgrade, false)
+	if err != nil {
+		return false, 0, err
+	}
+
+	if entry == nil {
+		return false, 0, nil
+	}
+
+	// Deserialize the key
+	key, err := DeserializeKey(entry.Value)
+	memzero(entry.Value)
+	if err != nil {
+		return false, 0, err
+	}
 
-	return c.flags
+	// Update the keyring
+	newKeyring, err := b.keyring.AddKey(key)
+	if err != nil {
+		return false, 0, fmt.Errorf("failed to add new encryption key: %w", err)
+	}
+	b.keyring = newKeyring
+
+	// Done!
+	return true, key.Term, nil
 }
 
-// FlagSets is a group of flag sets.
-type FlagSets struct {
-	flagSets    []*FlagSet
-	mainSet     *flag.FlagSet
-	hiddens     map[string]struct{}
-	completions complete.Flags
-	ui          cli.Ui
+// ActiveKeyInfo is used to inform details about the active key
+func (b *AESGCMBarrier) ActiveKeyInfo() (*KeyInfo, error) {
+	b.l.RLock()
+	defer b.l.RUnlock()
+	if b.sealed {
+		return nil, ErrBarrierSealed
+	}
+
+	// Determine the key install time
+	term := b.keyring.ActiveTerm()
+	key := b.keyring.TermKey(term)
+
+	// Return the key info
+	info := &KeyInfo{
+		Term:        int(term),
+		InstallTime: key.InstallTime,
+		Encryptions: b.encryptions(),
+	}
+	return info, nil
 }
 
-// NewFlagSets creates a new flag sets.
-func NewFlagSets(ui cli.Ui) *FlagSets {
-	mainSet := flag.NewFlagSet("", flag.ContinueOnError)
+// Rekey is used to change the root key used to protect the keyring
+func (b *AESGCMBarrier) Rekey(ctx context.Context, key []byte) error {
+	b.l.Lock()
+	defer b.l.Unlock()
 
-	// Errors and usage are controlled by the CLI.
-	mainSet.Usage = func() {}
-	mainSet.SetOutput(ioutil.Discard)
+	newKeyring, err := b.updateRootKeyCommon(key)
+	if err != nil {
+		return err
+	}
 
-	return &FlagSets{
-		flagSets:    make([]*FlagSet, 0, 6),
-		mainSet:     mainSet,
-		hiddens:     make(map[string]struct{}),
-		completions: complete.Flags{},
-		ui:          ui,
+	// Persist the new keyring
+	if err := b.persistKeyring(ctx, newKeyring); err != nil {
+		return err
 	}
+
+	// Swap the keyrings
+	oldKeyring := b.keyring
+	b.keyring = newKeyring
+	oldKeyring.Zeroize(false)
+	return nil
 }
 
-// NewFlagSet creates a new flag set from the given flag sets.
-func (f *FlagSets) NewFlagSet(name string) *FlagSet {
-	flagSet := NewFlagSet(name)
-	flagSet.mainSet = f.mainSet
-	flagSet.completions = f.completions
-	f.flagSets = append(f.flagSets, flagSet)
-	return flagSet
+// SetRootKey updates the keyring's in-memory root key but does not persist
+// anything to storage
+func (b *AESGCMBarrier) SetRootKey(key []byte) error {
+	b.l.Lock()
+	defer b.l.Unlock()
+
+	newKeyring, err := b.updateRootKeyCommon(key)
+	if err != nil {
+		return err
+	}
+
+	// Swap the keyrings
+	oldKeyring := b.keyring
+	b.keyring = newKeyring
+	oldKeyring.Zeroize(false)
+	return nil
 }
 
-// Completions returns the completions for this flag set.
-func (f *FlagSets) Completions() complete.Flags {
-	return f.completions
+// Performs common tasks related to updating the root key; note that the lock
+// must be held before calling this function
+func (b *AESGCMBarrier) updateRootKeyCommon(key []byte) (*Keyring, error) {
+	if b.sealed {
+		return nil, ErrBarrierSealed
+	}
+
+	// Verify the key size
+	min, max := b.KeyLength()
+	if len(key) < min || len(key) > max {
+		return nil, fmt.Errorf("key size must be %d or %d", min, max)
+	}
+
+	return b.keyring.SetRootKey(key), nil
 }
 
-type (
-	ParseOptions              interface{}
-	ParseOptionAllowRawFormat bool
-	DisableDisplayFlagWarning bool
-)
+// Put is used to insert or update an entry
+func (b *AESGCMBarrier) Put(ctx context.Context, entry *logical.StorageEntry) error {
+	defer metrics.MeasureSince([]string{"barrier", "put"}, time.Now())
+	b.l.RLock()
+	if b.sealed {
+		b.l.RUnlock()
+		return ErrBarrierSealed
+	}
 
-// Parse parses the given flags, returning any errors.
-// Warnings, if any, regarding the arguments format are sent to stdout
-func (f *FlagSets) Parse(args []string, opts ...ParseOptions) error {
-	err := f.mainSet.Parse(args)
+	term := b.keyring.ActiveTerm()
+	primary, err := b.aeadForTerm(term)
+	b.l.RUnlock()
+	if err != nil {
+		return err
+	}
+
+	return b.putInternal(ctx, term, primary, entry)
+}
+
+func (b *AESGCMBarrier) putInternal(ctx context.Context, term uint32, primary cipher.AEAD, entry *logical.StorageEntry) error {
+	value, err := b.encryptTracked(entry.Key, term, primary, entry.Value)
+	if err != nil {
+		return err
+	}
+	pe := &physical.Entry{
+		Key:      entry.Key,
+		Value:    value,
+		SealWrap: entry.SealWrap,
+	}
+	return b.backend.Put(ctx, pe)
+}
+
+// Get is used to fetch an entry
+func (b *AESGCMBarrier) Get(ctx context.Context, key string) (*logical.StorageEntry, error) {
+	return b.lockSwitchedGet(ctx, key, true)
+}
+
+func (b *AESGCMBarrier) lockSwitchedGet(ctx context.Context, key string, getLock bool) (*logical.StorageEntry, error) {
+	defer metrics.MeasureSince([]string{"barrier", "get"}, time.Now())
+	if getLock {
+		b.l.RLock()
+	}
+	if b.sealed {
+		if getLock {
+			b.l.RUnlock()
+		}
+		return nil, ErrBarrierSealed
+	}
 
-	displayFlagWarningsDisabled := false
-	for _, opt := range opts {
-		if value, ok := opt.(DisableDisplayFlagWarning); ok {
-			displayFlagWarningsDisabled = bool(value)
+	// Read the key from the backend
+	pe, err := b.backend.Get(ctx, key)
+	if err != nil {
+		if getLock {
+			b.l.RUnlock()
+		}
+		return nil, err
+	} else if pe == nil {
+		if getLock {
+			b.l.RUnlock()
 		}
+		return nil, nil
 	}
-	if !displayFlagWarningsDisabled {
-		warnings := generateFlagWarnings(f.Args())
-		if warnings != "" && Format(f.ui) == "table" {
-			f.ui.Warn(warnings)
+
+	if len(pe.Value) < 4 {
+		if getLock {
+			b.l.RUnlock()
 		}
+		return nil, errors.New("invalid value")
 	}
 
+	// Verify the term
+	term := binary.BigEndian.Uint32(pe.Value[:4])
+
+	// Get the GCM by term
+	// It is expensive to do this first but it is not a
+	// normal case that this won't match
+	gcm, err := b.aeadForTerm(term)
+	if getLock {
+		b.l.RUnlock()
+	}
 	if err != nil {
-		return err
+		return nil, err
+	}
+	if gcm == nil {
+		return nil, fmt.Errorf("no decryption key available for term %d", term)
 	}
 
-	// Now surface any other errors.
-	return generateFlagErrors(f, opts...)
+	// Decrypt the ciphertext
+	plain, err := b.decrypt(key, gcm, pe.Value)
+	if err != nil {
+		return nil, fmt.Errorf("decryption failed: %w", err)
+	}
+
+	// Wrap in a logical entry
+	entry := &logical.StorageEntry{
+		Key:      key,
+		Value:    plain,
+		SealWrap: pe.SealWrap,
+	}
+	return entry, nil
 }
 
-// Parsed reports whether the command-line flags have been parsed.
-func (f *FlagSets) Parsed() bool {
-	return f.mainSet.Parsed()
+// Delete is used to permanently delete an entry
+func (b *AESGCMBarrier) Delete(ctx context.Context, key string) error {
+	defer metrics.MeasureSince([]string{"barrier", "delete"}, time.Now())
+	b.l.RLock()
+	sealed := b.sealed
+	b.l.RUnlock()
+	if sealed {
+		return ErrBarrierSealed
+	}
+
+	return b.backend.Delete(ctx, key)
 }
 
-// Args returns the remaining args after parsing.
-func (f *FlagSets) Args() []string {
-	return f.mainSet.Args()
+// List is used ot list all the keys under a given
+// prefix, up to the next prefix.
+func (b *AESGCMBarrier) List(ctx context.Context, prefix string) ([]string, error) {
+	defer metrics.MeasureSince([]string{"barrier", "list"}, time.Now())
+	b.l.RLock()
+	sealed := b.sealed
+	b.l.RUnlock()
+	if sealed {
+		return nil, ErrBarrierSealed
+	}
+
+	return b.backend.List(ctx, prefix)
 }
 
-// Visit visits the flags in lexicographical order, calling fn for each. It
-// visits only those flags that have been set.
-func (f *FlagSets) Visit(fn func(*flag.Flag)) {
-	f.mainSet.Visit(fn)
+// aeadForTerm returns the AES-GCM AEAD for the given term
+func (b *AESGCMBarrier) aeadForTerm(term uint32) (cipher.AEAD, error) {
+	// Check for the keyring
+	keyring := b.keyring
+	if keyring == nil {
+		return nil, nil
+	}
+
+	// Check the cache for the aead
+	b.cacheLock.RLock()
+	aead, ok := b.cache[term]
+	b.cacheLock.RUnlock()
+	if ok {
+		return aead, nil
+	}
+
+	// Read the underlying key
+	key := keyring.TermKey(term)
+	if key == nil {
+		return nil, nil
+	}
+
+	// Create a new aead
+	aead, err := b.aeadFromKey(key.Value)
+	if err != nil {
+		return nil, err
+	}
+
+	// Update the cache
+	b.cacheLock.Lock()
+	b.cache[term] = aead
+	b.cacheLock.Unlock()
+	return aead, nil
 }
 
-// Help builds custom help for this command, grouping by flag set.
-func (f *FlagSets) Help() string {
-	var out bytes.Buffer
+// aeadFromKey returns an AES-GCM AEAD using the given key.
+func (b *AESGCMBarrier) aeadFromKey(key []byte) (cipher.AEAD, error) {
+	// Create the AES cipher
+	aesCipher, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create cipher: %w", err)
+	}
 
-	for _, set := range f.flagSets {
-		printFlagTitle(&out, set.name+":")
-		set.VisitAll(func(f *flag.Flag) {
-			// Skip any hidden flags
-			if v, ok := f.Value.(FlagVisibility); ok && v.Hidden() {
-				return
-			}
-			printFlagDetail(&out, f)
-		})
+	// Create the GCM mode AEAD
+	gcm, err := cipher.NewGCM(aesCipher)
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize GCM mode")
+	}
+	return gcm, nil
+}
+
+// encrypt is used to encrypt a value
+func (b *AESGCMBarrier) encrypt(path string, term uint32, gcm cipher.AEAD, plain []byte) ([]byte, error) {
+	// Allocate the output buffer with room for term, version byte,
+	// nonce, GCM tag and the plaintext
+
+	extra := termSize + 1 + gcm.NonceSize() + gcm.Overhead()
+	if len(plain) > math.MaxInt-extra {
+		return nil, ErrPlaintextTooLarge
+	}
+
+	capacity := len(plain) + extra
+	size := termSize + 1 + gcm.NonceSize()
+	out := make([]byte, size, capacity)
+
+	// Set the key term
+	binary.BigEndian.PutUint32(out[:4], term)
+
+	// Set the version byte
+	out[4] = b.currentAESGCMVersionByte
+
+	// Generate a random nonce
+	nonce := out[5 : 5+gcm.NonceSize()]
+	n, err := rand.Read(nonce)
+	if err != nil {
+		return nil, err
+	}
+	if n != len(nonce) {
+		return nil, errors.New("unable to read enough random bytes to fill gcm nonce")
+	}
+
+	// Seal the output
+	switch b.currentAESGCMVersionByte {
+	case AESGCMVersion1:
+		out = gcm.Seal(out, nonce, plain, nil)
+	case AESGCMVersion2:
+		aad := []byte(nil)
+		if path != "" {
+			aad = []byte(path)
+		}
+		out = gcm.Seal(out, nonce, plain, aad)
+	default:
+		panic("Unknown AESGCM version")
+	}
+
+	return out, nil
+}
+
+func termLabel(term uint32) []metrics.Label {
+	return []metrics.Label{
+		{
+			Name:  "term",
+			Value: strconv.FormatUint(uint64(term), 10),
+		},
+	}
+}
+
+// decrypt is used to decrypt a value using the keyring
+func (b *AESGCMBarrier) decrypt(path string, gcm cipher.AEAD, cipher []byte) ([]byte, error) {
+	if len(cipher) < 5+gcm.NonceSize() {
+		return nil, fmt.Errorf("invalid cipher length")
+	}
+	// Capture the parts
+	nonce := cipher[5 : 5+gcm.NonceSize()]
+	raw := cipher[5+gcm.NonceSize():]
+	out := make([]byte, 0, len(raw)-gcm.NonceSize())
+
+	// Attempt to open
+	switch cipher[4] {
+	case AESGCMVersion1:
+		return gcm.Open(out, nonce, raw, nil)
+	case AESGCMVersion2:
+		aad := []byte(nil)
+		if path != "" {
+			aad = []byte(path)
+		}
+		return gcm.Open(out, nonce, raw, aad)
+	default:
+		return nil, fmt.Errorf("version bytes mis-match")
+	}
+}
+
+// Encrypt is used to encrypt in-memory for the BarrierEncryptor interface
+func (b *AESGCMBarrier) Encrypt(ctx context.Context, key string, plaintext []byte) ([]byte, error) {
+	b.l.RLock()
+	if b.sealed {
+		b.l.RUnlock()
+		return nil, ErrBarrierSealed
+	}
+
+	term := b.keyring.ActiveTerm()
+	primary, err := b.aeadForTerm(term)
+	b.l.RUnlock()
+	if err != nil {
+		return nil, err
 	}
 
-	return strings.TrimRight(out.String(), "\n")
+	ciphertext, err := b.encryptTracked(key, term, primary, plaintext)
+	if err != nil {
+		return nil, err
+	}
+
+	return ciphertext, nil
 }
 
-// FlagSet is a grouped wrapper around a real flag set and a grouped flag set.
-type FlagSet struct {
-	name        string
-	flagSet     *flag.FlagSet
-	mainSet     *flag.FlagSet
-	completions complete.Flags
+// Decrypt is used to decrypt in-memory for the BarrierEncryptor interface
+func (b *AESGCMBarrier) Decrypt(_ context.Context, key string, ciphertext []byte) ([]byte, error) {
+	b.l.RLock()
+	if b.sealed {
+		b.l.RUnlock()
+		return nil, ErrBarrierSealed
+	}
+
+	if len(ciphertext) == 0 {
+		b.l.RUnlock()
+		return nil, fmt.Errorf("empty ciphertext")
+	}
+
+	// Verify the term
+	if len(ciphertext) < 4 {
+		b.l.RUnlock()
+		return nil, fmt.Errorf("invalid ciphertext term")
+	}
+	term := binary.BigEndian.Uint32(ciphertext[:4])
+
+	// Get the GCM by term
+	// It is expensive to do this first but it is not a
+	// normal case that this won't match
+	gcm, err := b.aeadForTerm(term)
+	b.l.RUnlock()
+	if err != nil {
+		return nil, err
+	}
+	if gcm == nil {
+		return nil, fmt.Errorf("no decryption key available for term %d", term)
+	}
+
+	// Decrypt the ciphertext
+	plain, err := b.decrypt(key, gcm, ciphertext)
+	if err != nil {
+		return nil, fmt.Errorf("decryption failed: %w", err)
+	}
+
+	return plain, nil
 }
 
-// NewFlagSet creates a new flag set.
-func NewFlagSet(name string) *FlagSet {
-	return &FlagSet{
-		name:    name,
-		flagSet: flag.NewFlagSet(name, flag.ContinueOnError),
+func (b *AESGCMBarrier) Keyring() (*Keyring, error) {
+	b.l.RLock()
+	defer b.l.RUnlock()
+	if b.sealed {
+		return nil, ErrBarrierSealed
 	}
+
+	return b.keyring.Clone(), nil
 }
 
-// Name returns the name of this flag set.
-func (f *FlagSet) Name() string {
-	return f.name
+func (b *AESGCMBarrier) ConsumeEncryptionCount(consumer func(int64) error) error {
+	if b.keyring != nil {
+		// Lock to prevent replacement of the key while we consume the encryptions
+		b.l.RLock()
+		defer b.l.RUnlock()
+
+		c := b.UnaccountedEncryptions.Load()
+		err := consumer(c)
+		if err == nil && c > 0 {
+			// Consumer succeeded, remove those from local encryptions
+			b.UnaccountedEncryptions.Sub(c)
+		}
+		return err
+	}
+	return nil
 }
 
-func (f *FlagSet) Visit(fn func(*flag.Flag)) {
-	f.flagSet.Visit(fn)
+func (b *AESGCMBarrier) AddRemoteEncryptions(encryptions int64) {
+	// For rollup and persistence
+	b.UnaccountedEncryptions.Add(encryptions)
+	// For testing
+	b.RemoteEncryptions.Add(encryptions)
 }
 
-func (f *FlagSet) VisitAll(fn func(*flag.Flag)) {
-	f.flagSet.VisitAll(fn)
+func (b *AESGCMBarrier) encryptTracked(path string, term uint32, gcm cipher.AEAD, buf []byte) ([]byte, error) {
+	ct, err := b.encrypt(path, term, gcm, buf)
+	if err != nil {
+		return nil, err
+	}
+	// Increment the local encryption count, and track metrics
+	b.UnaccountedEncryptions.Add(1)
+	b.totalLocalEncryptions.Add(1)
+	metrics.IncrCounterWithLabels(barrierEncryptsMetric, 1, termLabel(term))
+
+	return ct, nil
 }
 
-// printFlagTitle prints a consistently-formatted title to the given writer.
-func printFlagTitle(w io.Writer, s string) {
-	fmt.Fprintf(w, "%s\n\n", s)
+// UnaccountedEncryptions returns the number of encryptions made on the local instance only for the current key term
+func (b *AESGCMBarrier) TotalLocalEncryptions() int64 {
+	return b.totalLocalEncryptions.Load()
 }
 
-// printFlagDetail prints a single flag to the given writer.
-func printFlagDetail(w io.Writer, f *flag.Flag) {
-	// Check if the flag is hidden - do not print any flag detail or help output
-	// if it is hidden.
-	if h, ok := f.Value.(FlagVisibility); ok && h.Hidden() {
-		return
+func (b *AESGCMBarrier) CheckBarrierAutoRotate(ctx context.Context) (string, error) {
+	const oneYear = 24 * 365 * time.Hour
+	reason, err := func() (string, error) {
+		b.l.RLock()
+		defer b.l.RUnlock()
+		if b.keyring != nil {
+			// Rotation Checks
+			var reason string
+
+			rc, err := b.RotationConfig()
+			if err != nil {
+				return "", err
+			}
+
+			if !rc.Disabled {
+				activeKey := b.keyring.ActiveKey()
+				ops := b.encryptions()
+				switch {
+				case activeKey.Encryptions == 0 && !activeKey.InstallTime.IsZero() && time.Since(activeKey.InstallTime) > oneYear:
+					reason = legacyRotateReason
+				case ops > rc.MaxOperations:
+					reason = "reached max operations"
+				case rc.Interval > 0 && time.Since(activeKey.InstallTime) > rc.Interval:
+					reason = "rotation interval reached"
+				}
+			}
+			return reason, nil
+		}
+		return "", nil
+	}()
+	if err != nil {
+		return "", err
+	}
+	if reason != "" {
+		return reason, nil
 	}
 
-	// Check for a detailed example
-	example := ""
-	if t, ok := f.Value.(FlagExample); ok {
-		example = t.Example()
+	b.l.Lock()
+	defer b.l.Unlock()
+	if b.keyring != nil {
+		err := b.persistEncryptions(ctx)
+		if err != nil {
+			return "", err
+		}
 	}
+	return reason, nil
+}
 
-	if example != "" {
-		fmt.Fprintf(w, "  -%s=<%s>\n", f.Name, example)
-	} else {
-		fmt.Fprintf(w, "  -%s\n", f.Name)
+// Must be called with lock held
+func (b *AESGCMBarrier) persistEncryptions(ctx context.Context) error {
+	if !b.sealed {
+		// Encryption count persistence
+		upe := b.UnaccountedEncryptions.Load()
+		if upe > 0 {
+			activeKey := b.keyring.ActiveKey()
+			// Move local (unpersisted) encryptions to the key and persist.  This prevents us from needing to persist if
+			// there has been no activity. Since persistence performs an encryption, perversely we zero out after
+			// persistence and add 1 to the count to avoid this operation guaranteeing we need another
+			// autoRotateCheckInterval later.
+			newEncs := upe + 1
+			activeKey.Encryptions += uint64(newEncs)
+			newKeyring := b.keyring.Clone()
+			err := b.persistKeyringBestEffort(ctx, newKeyring)
+			if err != nil {
+				return err
+			}
+			b.UnaccountedEncryptions.Sub(newEncs)
+		}
 	}
+	return nil
+}
 
-	usage := reRemoveWhitespace.ReplaceAllString(f.Usage, " ")
-	indented := wrapAtLengthWithPadding(usage, 6)
-	fmt.Fprintf(w, "%s\n\n", indented)
+// Mostly for testing, returns the total number of encryption operations performed on the active term
+func (b *AESGCMBarrier) encryptions() int64 {
+	if b.keyring != nil {
+		activeKey := b.keyring.ActiveKey()
+		if activeKey != nil {
+			return b.UnaccountedEncryptions.Load() + int64(activeKey.Encryptions)
+		}
+	}
+	return 0
 }
diff --git a/command/command_stubs_oss.go b/command/command_stubs_oss.go
index bc90a1585aaf..c2657e7fd8cc 100644
--- a/command/command_stubs_oss.go
+++ b/command/command_stubs_oss.go
@@ -1,33 +1,722 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-//go:build !enterprise
-
 package command
 
-//go:generate go run github.com/hashicorp/vault/tools/stubmaker
-
 import (
-	"github.com/hashicorp/vault/command/server"
-	"github.com/hashicorp/vault/vault"
-	"github.com/mitchellh/cli"
+	"bytes"
+	"flag"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"regexp"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/command/token"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/mattn/go-isatty"
+	"github.com/pkg/errors"
+	"github.com/posener/complete"
 )
 
-func entInitCommands(ui, serverCmdUi cli.Ui, runOpts *RunOptions, commands map[string]cli.CommandFactory) {
+const (
+	// maxLineLength is the maximum width of any line.
+	maxLineLength int = 78
+
+	// notSetValue is a flag value for a not-set value
+	notSetValue = "(not set)"
+)
+
+// reRemoveWhitespace is a regular expression for stripping whitespace from
+// a string.
+var reRemoveWhitespace = regexp.MustCompile(`[\s]+`)
+
+type BaseCommand struct {
+	UI cli.Ui
+
+	flags     *FlagSets
+	flagsOnce sync.Once
+
+	flagAddress           string
+	flagAgentProxyAddress string
+	flagCACert            string
+	flagCAPath            string
+	flagClientCert        string
+	flagClientKey         string
+	flagNamespace         string
+	flagNS                string
+	flagPolicyOverride    bool
+	flagTLSServerName     string
+	flagTLSSkipVerify     bool
+	flagDisableRedirects  bool
+	flagWrapTTL           time.Duration
+	flagUnlockKey         string
+
+	flagFormat           string
+	flagField            string
+	flagDetailed         bool
+	flagOutputCurlString bool
+	flagOutputPolicy     bool
+	flagNonInteractive   bool
+	addrWarning          string
+
+	flagMFA []string
+
+	flagHeader map[string]string
+
+	tokenHelper token.TokenHelper
+
+	client *api.Client
+}
+
+// Client returns the HTTP API client. The client is cached on the command to
+// save performance on future calls.
+func (c *BaseCommand) Client() (*api.Client, error) {
+	// Read the test client if present
+	if c.client != nil {
+		return c.client, nil
+	}
+
+	if c.addrWarning != "" && c.UI != nil {
+		if os.Getenv("VAULT_ADDR") == "" {
+			if !c.flagNonInteractive && isatty.IsTerminal(os.Stdin.Fd()) {
+				c.UI.Warn(wrapAtLength(c.addrWarning))
+			}
+		}
+	}
+
+	config := api.DefaultConfig()
+
+	if err := config.ReadEnvironment(); err != nil {
+		return nil, errors.Wrap(err, "failed to read environment")
+	}
+
+	if c.flagAddress != "" {
+		config.Address = c.flagAddress
+	}
+	if c.flagAgentProxyAddress != "" {
+		config.Address = c.flagAgentProxyAddress
+	}
+
+	if c.flagOutputCurlString {
+		config.OutputCurlString = c.flagOutputCurlString
+	}
+	if c.flagOutputPolicy {
+		config.OutputPolicy = c.flagOutputPolicy
+	}
+
+	// If we need custom TLS configuration, then set it
+	if c.flagCACert != "" || c.flagCAPath != "" || c.flagClientCert != "" ||
+		c.flagClientKey != "" || c.flagTLSServerName != "" || c.flagTLSSkipVerify {
+		t := &api.TLSConfig{
+			CACert:        c.flagCACert,
+			CAPath:        c.flagCAPath,
+			ClientCert:    c.flagClientCert,
+			ClientKey:     c.flagClientKey,
+			TLSServerName: c.flagTLSServerName,
+			Insecure:      c.flagTLSSkipVerify,
+		}
+
+		// Setup TLS config
+		if err := config.ConfigureTLS(t); err != nil {
+			return nil, errors.Wrap(err, "failed to setup TLS config")
+		}
+	}
+
+	// Build the client
+	client, err := api.NewClient(config)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to create client")
+	}
+
+	// Turn off retries on the CLI
+	if os.Getenv(api.EnvVaultMaxRetries) == "" {
+		client.SetMaxRetries(0)
+	}
+
+	// Set the wrapping function
+	client.SetWrappingLookupFunc(c.DefaultWrappingLookupFunc)
+
+	// Get the token if it came in from the environment
+	token := client.Token()
+
+	// If we don't have a token, check the token helper
+	if token == "" {
+		helper, err := c.TokenHelper()
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to get token helper")
+		}
+		token, err = helper.Get()
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to get token from token helper")
+		}
+	}
+
+	// Set the token
+	if token != "" {
+		client.SetToken(token)
+	}
+
+	client.SetMFACreds(c.flagMFA)
+
+	// flagNS takes precedence over flagNamespace. After resolution, point both
+	// flags to the same value to be able to use them interchangeably anywhere.
+	if c.flagNS != notSetValue {
+		c.flagNamespace = c.flagNS
+	}
+	if c.flagNamespace != notSetValue {
+		client.SetNamespace(namespace.Canonicalize(c.flagNamespace))
+	}
+	if c.flagPolicyOverride {
+		client.SetPolicyOverride(c.flagPolicyOverride)
+	}
+
+	if c.flagHeader != nil {
+
+		var forbiddenHeaders []string
+		for key, val := range c.flagHeader {
+
+			if strings.HasPrefix(key, "X-Vault-") {
+				forbiddenHeaders = append(forbiddenHeaders, key)
+				continue
+			}
+			client.AddHeader(key, val)
+		}
+
+		if len(forbiddenHeaders) > 0 {
+			return nil, fmt.Errorf("failed to setup Headers[%s]: Header starting by 'X-Vault-' are for internal usage only", strings.Join(forbiddenHeaders, ", "))
+		}
+	}
+
+	c.client = client
+
+	return client, nil
 }
 
-func entEnableFourClusterDev(c *ServerCommand, base *vault.CoreConfig, info map[string]string, infoKeys []string, tempDir string) int {
-	c.logger.Error("-dev-four-cluster only supported in enterprise Vault")
-	return 1
+// SetAddress sets the token helper on the command; useful for the demo server and other outside cases.
+func (c *BaseCommand) SetAddress(addr string) {
+	c.flagAddress = addr
 }
 
-func entAdjustCoreConfig(config *server.Config, coreConfig *vault.CoreConfig) {
+// SetTokenHelper sets the token helper on the command.
+func (c *BaseCommand) SetTokenHelper(th token.TokenHelper) {
+	c.tokenHelper = th
 }
 
-func entCheckStorageType(coreConfig *vault.CoreConfig) bool {
-	return true
+// TokenHelper returns the token helper attached to the command.
+func (c *BaseCommand) TokenHelper() (token.TokenHelper, error) {
+	if c.tokenHelper != nil {
+		return c.tokenHelper, nil
+	}
+
+	helper, err := DefaultTokenHelper()
+	if err != nil {
+		return nil, err
+	}
+	return helper, nil
+}
+
+// DefaultWrappingLookupFunc is the default wrapping function based on the
+// CLI flag.
+func (c *BaseCommand) DefaultWrappingLookupFunc(operation, path string) string {
+	if c.flagWrapTTL != 0 {
+		return c.flagWrapTTL.String()
+	}
+
+	return api.DefaultWrappingLookupFunc(operation, path)
+}
+
+// getMFAValidationRequired checks to see if the secret exists and has an MFA
+// requirement. If MFA is required and the number of constraints is greater than
+// 1, we can assert that interactive validation is not required.
+func (c *BaseCommand) getMFAValidationRequired(secret *api.Secret) bool {
+	if secret != nil && secret.Auth != nil && secret.Auth.MFARequirement != nil {
+		if c.flagMFA == nil && len(secret.Auth.MFARequirement.MFAConstraints) == 1 {
+			return true
+		} else if len(secret.Auth.MFARequirement.MFAConstraints) > 1 {
+			return true
+		}
+	}
+
+	return false
+}
+
+// getInteractiveMFAMethodInfo returns MFA method information only if operating
+// in interactive mode and one MFA method is configured.
+func (c *BaseCommand) getInteractiveMFAMethodInfo(secret *api.Secret) *MFAMethodInfo {
+	if secret == nil || secret.Auth == nil || secret.Auth.MFARequirement == nil {
+		return nil
+	}
+
+	mfaConstraints := secret.Auth.MFARequirement.MFAConstraints
+	if c.flagNonInteractive || len(mfaConstraints) != 1 || !isatty.IsTerminal(os.Stdin.Fd()) {
+		return nil
+	}
+
+	for _, mfaConstraint := range mfaConstraints {
+		if len(mfaConstraint.Any) != 1 {
+			return nil
+		}
+
+		return &MFAMethodInfo{
+			methodType:  mfaConstraint.Any[0].Type,
+			methodID:    mfaConstraint.Any[0].ID,
+			usePasscode: mfaConstraint.Any[0].UsesPasscode,
+		}
+	}
+
+	return nil
 }
 
-func entGetFIPSInfoKey() string {
-	return ""
+func (c *BaseCommand) validateMFA(reqID string, methodInfo MFAMethodInfo) (*api.Secret, error) {
+	var passcode string
+	var err error
+	if methodInfo.usePasscode {
+		passcode, err = c.UI.AskSecret(fmt.Sprintf("Enter the passphrase for methodID %q of type %q:", methodInfo.methodID, methodInfo.methodType))
+		if err != nil {
+			return nil, fmt.Errorf("failed to read passphrase: %w. please validate the login by sending a request to sys/mfa/validate", err)
+		}
+	} else {
+		c.UI.Warn("Asking Vault to perform MFA validation with upstream service. " +
+			"You should receive a push notification in your authenticator app shortly")
+	}
+
+	// passcode could be an empty string
+	mfaPayload := map[string]interface{}{
+		methodInfo.methodID: []string{passcode},
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		return nil, err
+	}
+
+	return client.Sys().MFAValidate(reqID, mfaPayload)
+}
+
+type FlagSetBit uint
+
+const (
+	FlagSetNone FlagSetBit = 1 << iota
+	FlagSetHTTP
+	FlagSetOutputField
+	FlagSetOutputFormat
+	FlagSetOutputDetailed
+)
+
+// flagSet creates the flags for this command. The result is cached on the
+// command to save performance on future calls.
+func (c *BaseCommand) flagSet(bit FlagSetBit) *FlagSets {
+	c.flagsOnce.Do(func() {
+		set := NewFlagSets(c.UI)
+
+		// These flag sets will apply to all leaf subcommands.
+		// TODO: Optional, but FlagSetHTTP can be safely removed from the individual
+		// Flags() subcommands.
+		bit = bit | FlagSetHTTP
+
+		if bit&FlagSetHTTP != 0 {
+			f := set.NewFlagSet("HTTP Options")
+
+			addrStringVar := &StringVar{
+				Name:       flagNameAddress,
+				Target:     &c.flagAddress,
+				EnvVar:     api.EnvVaultAddress,
+				Completion: complete.PredictAnything,
+				Usage:      "Address of the Vault server.",
+			}
+
+			if c.flagAddress != "" {
+				addrStringVar.Default = c.flagAddress
+			} else {
+				addrStringVar.Default = "https://127.0.0.1:8200"
+				c.addrWarning = fmt.Sprintf("WARNING! VAULT_ADDR and -address unset. Defaulting to %s.", addrStringVar.Default)
+			}
+			f.StringVar(addrStringVar)
+
+			agentAddrStringVar := &StringVar{
+				Name:       "agent-address",
+				Target:     &c.flagAgentProxyAddress,
+				EnvVar:     api.EnvVaultAgentAddr,
+				Completion: complete.PredictAnything,
+				Usage:      "Address of the Agent.",
+			}
+			f.StringVar(agentAddrStringVar)
+
+			f.StringVar(&StringVar{
+				Name:       flagNameCACert,
+				Target:     &c.flagCACert,
+				Default:    "",
+				EnvVar:     api.EnvVaultCACert,
+				Completion: complete.PredictFiles("*"),
+				Usage: "Path on the local disk to a single PEM-encoded CA " +
+					"certificate to verify the Vault server's SSL certificate. This " +
+					"takes precedence over -ca-path.",
+			})
+
+			f.StringVar(&StringVar{
+				Name:       flagNameCAPath,
+				Target:     &c.flagCAPath,
+				Default:    "",
+				EnvVar:     api.EnvVaultCAPath,
+				Completion: complete.PredictDirs("*"),
+				Usage: "Path on the local disk to a directory of PEM-encoded CA " +
+					"certificates to verify the Vault server's SSL certificate.",
+			})
+
+			f.StringVar(&StringVar{
+				Name:       flagNameClientCert,
+				Target:     &c.flagClientCert,
+				Default:    "",
+				EnvVar:     api.EnvVaultClientCert,
+				Completion: complete.PredictFiles("*"),
+				Usage: "Path on the local disk to a single PEM-encoded CA " +
+					"certificate to use for TLS authentication to the Vault server. If " +
+					"this flag is specified, -client-key is also required.",
+			})
+
+			f.StringVar(&StringVar{
+				Name:       flagNameClientKey,
+				Target:     &c.flagClientKey,
+				Default:    "",
+				EnvVar:     api.EnvVaultClientKey,
+				Completion: complete.PredictFiles("*"),
+				Usage: "Path on the local disk to a single PEM-encoded private key " +
+					"matching the client certificate from -client-cert.",
+			})
+
+			f.StringVar(&StringVar{
+				Name:       "namespace",
+				Target:     &c.flagNamespace,
+				Default:    notSetValue, // this can never be a real value
+				EnvVar:     api.EnvVaultNamespace,
+				Completion: complete.PredictAnything,
+				Usage: "The namespace to use for the command. Setting this is not " +
+					"necessary but allows using relative paths. -ns can be used as " +
+					"shortcut.",
+			})
+
+			f.StringVar(&StringVar{
+				Name:       "ns",
+				Target:     &c.flagNS,
+				Default:    notSetValue, // this can never be a real value
+				Completion: complete.PredictAnything,
+				Hidden:     true,
+				Usage:      "Alias for -namespace. This takes precedence over -namespace.",
+			})
+
+			f.StringVar(&StringVar{
+				Name:       flagTLSServerName,
+				Target:     &c.flagTLSServerName,
+				Default:    "",
+				EnvVar:     api.EnvVaultTLSServerName,
+				Completion: complete.PredictAnything,
+				Usage: "Name to use as the SNI host when connecting to the Vault " +
+					"server via TLS.",
+			})
+
+			f.BoolVar(&BoolVar{
+				Name:    flagNameTLSSkipVerify,
+				Target:  &c.flagTLSSkipVerify,
+				Default: false,
+				EnvVar:  api.EnvVaultSkipVerify,
+				Usage: "Disable verification of TLS certificates. Using this option " +
+					"is highly discouraged as it decreases the security of data " +
+					"transmissions to and from the Vault server.",
+			})
+
+			f.BoolVar(&BoolVar{
+				Name:    flagNameDisableRedirects,
+				Target:  &c.flagDisableRedirects,
+				Default: false,
+				EnvVar:  api.EnvVaultDisableRedirects,
+				Usage: "Disable the default client behavior, which honors a single " +
+					"redirect response from a request",
+			})
+
+			f.BoolVar(&BoolVar{
+				Name:    "policy-override",
+				Target:  &c.flagPolicyOverride,
+				Default: false,
+				Usage: "Override a Sentinel policy that has a soft-mandatory " +
+					"enforcement_level specified",
+			})
+
+			f.DurationVar(&DurationVar{
+				Name:       "wrap-ttl",
+				Target:     &c.flagWrapTTL,
+				Default:    0,
+				EnvVar:     api.EnvVaultWrapTTL,
+				Completion: complete.PredictAnything,
+				Usage: "Wraps the response in a cubbyhole token with the requested " +
+					"TTL. The response is available via the \"vault unwrap\" command. " +
+					"The TTL is specified as a numeric string with suffix like \"30s\" " +
+					"or \"5m\".",
+			})
+
+			f.StringSliceVar(&StringSliceVar{
+				Name:       "mfa",
+				Target:     &c.flagMFA,
+				Default:    nil,
+				EnvVar:     api.EnvVaultMFA,
+				Completion: complete.PredictAnything,
+				Usage:      "Supply MFA credentials as part of X-Vault-MFA header.",
+			})
+
+			f.BoolVar(&BoolVar{
+				Name:    "output-curl-string",
+				Target:  &c.flagOutputCurlString,
+				Default: false,
+				Usage: "Instead of executing the request, print an equivalent cURL " +
+					"command string and exit.",
+			})
+
+			f.BoolVar(&BoolVar{
+				Name:    "output-policy",
+				Target:  &c.flagOutputPolicy,
+				Default: false,
+				Usage: "Instead of executing the request, print an example HCL " +
+					"policy that would be required to run this command, and exit.",
+			})
+
+			f.StringVar(&StringVar{
+				Name:       "unlock-key",
+				Target:     &c.flagUnlockKey,
+				Default:    notSetValue,
+				Completion: complete.PredictNothing,
+				Usage:      "Key to unlock a namespace API lock.",
+			})
+
+			f.StringMapVar(&StringMapVar{
+				Name:       "header",
+				Target:     &c.flagHeader,
+				Completion: complete.PredictAnything,
+				Usage: "Key-value pair provided as key=value to provide http header added to any request done by the CLI." +
+					"Trying to add headers starting with 'X-Vault-' is forbidden and will make the command fail " +
+					"This can be specified multiple times.",
+			})
+
+			f.BoolVar(&BoolVar{
+				Name:    "non-interactive",
+				Target:  &c.flagNonInteractive,
+				Default: false,
+				Usage:   "When set true, prevents asking the user for input via the terminal.",
+			})
+
+		}
+
+		if bit&(FlagSetOutputField|FlagSetOutputFormat|FlagSetOutputDetailed) != 0 {
+			outputSet := set.NewFlagSet("Output Options")
+
+			if bit&FlagSetOutputField != 0 {
+				outputSet.StringVar(&StringVar{
+					Name:       "field",
+					Target:     &c.flagField,
+					Default:    "",
+					Completion: complete.PredictAnything,
+					Usage: "Print only the field with the given name. Specifying " +
+						"this option will take precedence over other formatting " +
+						"directives. The result will not have a trailing newline " +
+						"making it ideal for piping to other processes.",
+				})
+			}
+
+			if bit&FlagSetOutputFormat != 0 {
+				outputSet.StringVar(&StringVar{
+					Name:       "format",
+					Target:     &c.flagFormat,
+					Default:    "table",
+					EnvVar:     EnvVaultFormat,
+					Completion: complete.PredictSet("table", "json", "yaml", "pretty", "raw"),
+					Usage: `Print the output in the given format. Valid formats
+						are "table", "json", "yaml", or "pretty". "raw" is allowed
+						for 'vault read' operations only.`,
+				})
+			}
+
+			if bit&FlagSetOutputDetailed != 0 {
+				outputSet.BoolVar(&BoolVar{
+					Name:    "detailed",
+					Target:  &c.flagDetailed,
+					Default: false,
+					EnvVar:  EnvVaultDetailed,
+					Usage:   "Enables additional metadata during some operations",
+				})
+			}
+		}
+
+		c.flags = set
+	})
+
+	return c.flags
+}
+
+// FlagSets is a group of flag sets.
+type FlagSets struct {
+	flagSets    []*FlagSet
+	mainSet     *flag.FlagSet
+	hiddens     map[string]struct{}
+	completions complete.Flags
+	ui          cli.Ui
+}
+
+// NewFlagSets creates a new flag sets.
+func NewFlagSets(ui cli.Ui) *FlagSets {
+	mainSet := flag.NewFlagSet("", flag.ContinueOnError)
+
+	// Errors and usage are controlled by the CLI.
+	mainSet.Usage = func() {}
+	mainSet.SetOutput(ioutil.Discard)
+
+	return &FlagSets{
+		flagSets:    make([]*FlagSet, 0, 6),
+		mainSet:     mainSet,
+		hiddens:     make(map[string]struct{}),
+		completions: complete.Flags{},
+		ui:          ui,
+	}
+}
+
+// NewFlagSet creates a new flag set from the given flag sets.
+func (f *FlagSets) NewFlagSet(name string) *FlagSet {
+	flagSet := NewFlagSet(name)
+	flagSet.mainSet = f.mainSet
+	flagSet.completions = f.completions
+	f.flagSets = append(f.flagSets, flagSet)
+	return flagSet
+}
+
+// Completions returns the completions for this flag set.
+func (f *FlagSets) Completions() complete.Flags {
+	return f.completions
+}
+
+type (
+	ParseOptions              interface{}
+	ParseOptionAllowRawFormat bool
+	DisableDisplayFlagWarning bool
+)
+
+// Parse parses the given flags, returning any errors.
+// Warnings, if any, regarding the arguments format are sent to stdout
+func (f *FlagSets) Parse(args []string, opts ...ParseOptions) error {
+	err := f.mainSet.Parse(args)
+
+	displayFlagWarningsDisabled := false
+	for _, opt := range opts {
+		if value, ok := opt.(DisableDisplayFlagWarning); ok {
+			displayFlagWarningsDisabled = bool(value)
+		}
+	}
+	if !displayFlagWarningsDisabled {
+		warnings := generateFlagWarnings(f.Args())
+		if warnings != "" && Format(f.ui) == "table" {
+			f.ui.Warn(warnings)
+		}
+	}
+
+	if err != nil {
+		return err
+	}
+
+	// Now surface any other errors.
+	return generateFlagErrors(f, opts...)
+}
+
+// Parsed reports whether the command-line flags have been parsed.
+func (f *FlagSets) Parsed() bool {
+	return f.mainSet.Parsed()
+}
+
+// Args returns the remaining args after parsing.
+func (f *FlagSets) Args() []string {
+	return f.mainSet.Args()
+}
+
+// Visit visits the flags in lexicographical order, calling fn for each. It
+// visits only those flags that have been set.
+func (f *FlagSets) Visit(fn func(*flag.Flag)) {
+	f.mainSet.Visit(fn)
+}
+
+// Help builds custom help for this command, grouping by flag set.
+func (f *FlagSets) Help() string {
+	var out bytes.Buffer
+
+	for _, set := range f.flagSets {
+		printFlagTitle(&out, set.name+":")
+		set.VisitAll(func(f *flag.Flag) {
+			// Skip any hidden flags
+			if v, ok := f.Value.(FlagVisibility); ok && v.Hidden() {
+				return
+			}
+			printFlagDetail(&out, f)
+		})
+	}
+
+	return strings.TrimRight(out.String(), "\n")
+}
+
+// FlagSet is a grouped wrapper around a real flag set and a grouped flag set.
+type FlagSet struct {
+	name        string
+	flagSet     *flag.FlagSet
+	mainSet     *flag.FlagSet
+	completions complete.Flags
+}
+
+// NewFlagSet creates a new flag set.
+func NewFlagSet(name string) *FlagSet {
+	return &FlagSet{
+		name:    name,
+		flagSet: flag.NewFlagSet(name, flag.ContinueOnError),
+	}
+}
+
+// Name returns the name of this flag set.
+func (f *FlagSet) Name() string {
+	return f.name
+}
+
+func (f *FlagSet) Visit(fn func(*flag.Flag)) {
+	f.flagSet.Visit(fn)
+}
+
+func (f *FlagSet) VisitAll(fn func(*flag.Flag)) {
+	f.flagSet.VisitAll(fn)
+}
+
+// printFlagTitle prints a consistently-formatted title to the given writer.
+func printFlagTitle(w io.Writer, s string) {
+	fmt.Fprintf(w, "%s\n\n", s)
+}
+
+// printFlagDetail prints a single flag to the given writer.
+func printFlagDetail(w io.Writer, f *flag.Flag) {
+	// Check if the flag is hidden - do not print any flag detail or help output
+	// if it is hidden.
+	if h, ok := f.Value.(FlagVisibility); ok && h.Hidden() {
+		return
+	}
+
+	// Check for a detailed example
+	example := ""
+	if t, ok := f.Value.(FlagExample); ok {
+		example = t.Example()
+	}
+
+	if example != "" {
+		fmt.Fprintf(w, "  -%s=<%s>\n", f.Name, example)
+	} else {
+		fmt.Fprintf(w, "  -%s\n", f.Name)
+	}
+
+	usage := reRemoveWhitespace.ReplaceAllString(f.Usage, " ")
+	indented := wrapAtLengthWithPadding(usage, 6)
+	fmt.Fprintf(w, "%s\n\n", indented)
 }
diff --git a/command/command_test.go b/command/command_test.go
index 34bd3b453355..52a7ff996a5c 100644
--- a/command/command_test.go
+++ b/command/command_test.go
@@ -1,334 +1,88 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"context"
-	"encoding/base64"
-	"net"
-	"net/http"
-	"strings"
-	"testing"
-	"time"
-
-	log "github.com/hashicorp/go-hclog"
-	kv "github.com/hashicorp/vault-plugin-secrets-kv"
-	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/audit"
-	"github.com/hashicorp/vault/builtin/logical/pki"
-	"github.com/hashicorp/vault/builtin/logical/ssh"
-	"github.com/hashicorp/vault/builtin/logical/transit"
-	"github.com/hashicorp/vault/helper/benchhelpers"
-	"github.com/hashicorp/vault/helper/builtinplugins"
-	"github.com/hashicorp/vault/sdk/logical"
-	"github.com/hashicorp/vault/sdk/physical/inmem"
-	"github.com/hashicorp/vault/vault"
-	"github.com/hashicorp/vault/vault/seal"
-	"github.com/mitchellh/cli"
-
-	auditFile "github.com/hashicorp/vault/builtin/audit/file"
-	credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
-	vaulthttp "github.com/hashicorp/vault/http"
-)
-
-var (
-	defaultVaultLogger = log.NewNullLogger()
-
-	defaultVaultCredentialBackends = map[string]logical.Factory{
-		"userpass": credUserpass.Factory,
-	}
-
-	defaultVaultAuditBackends = map[string]audit.Factory{
-		"file": auditFile.Factory,
-	}
-
-	defaultVaultLogicalBackends = map[string]logical.Factory{
-		"generic-leased": vault.LeasedPassthroughBackendFactory,
-		"pki":            pki.Factory,
-		"ssh":            ssh.Factory,
-		"transit":        transit.Factory,
-		"kv":             kv.Factory,
-	}
-)
-
-// assertNoTabs asserts the CLI help has no tab characters.
-func assertNoTabs(tb testing.TB, c cli.Command) {
-	tb.Helper()
-
-	if strings.ContainsRune(c.Help(), '\t') {
-		tb.Errorf("%#v help output contains tabs", c)
-	}
-}
-
-// testVaultServer creates a test vault cluster and returns a configured API
-// client and closer function.
-func testVaultServer(tb testing.TB) (*api.Client, func()) {
-	tb.Helper()
-
-	client, _, closer := testVaultServerUnseal(tb)
-	return client, closer
-}
-
-func testVaultServerWithSecrets(ctx context.Context, tb testing.TB) (*api.Client, func()) {
-	tb.Helper()
-
-	client, _, closer := testVaultServerUnseal(tb)
-
-	// enable kv-v1 backend
-	if err := client.Sys().Mount("kv-v1/", &api.MountInput{
-		Type: "kv-v1",
-	}); err != nil {
-		tb.Fatal(err)
-	}
-
-	// enable kv-v2 backend
-	if err := client.Sys().Mount("kv-v2/", &api.MountInput{
-		Type: "kv-v2",
-	}); err != nil {
-		tb.Fatal(err)
-	}
-
-	// populate dummy secrets
-	for _, path := range []string{
-		"foo",
-		"app-1/foo",
-		"app-1/bar",
-		"app-1/nested/baz",
-	} {
-		if err := client.KVv1("kv-v1").Put(ctx, path, map[string]interface{}{
-			"user":     "test",
-			"password": "Hashi123",
-		}); err != nil {
-			tb.Fatal(err)
-		}
-
-		if _, err := client.KVv2("kv-v2").Put(ctx, path, map[string]interface{}{
-			"user":     "test",
-			"password": "Hashi123",
-		}); err != nil {
-			tb.Fatal(err)
-		}
-	}
-
-	return client, closer
-}
-
-func testVaultServerWithKVVersion(tb testing.TB, kvVersion string) (*api.Client, func()) {
-	tb.Helper()
-
-	client, _, closer := testVaultServerUnsealWithKVVersionWithSeal(tb, kvVersion, nil)
-	return client, closer
-}
-
-func testVaultServerAllBackends(tb testing.TB) (*api.Client, func()) {
-	tb.Helper()
-
-	client, _, closer := testVaultServerCoreConfig(tb, &vault.CoreConfig{
-		CredentialBackends: credentialBackends,
-		AuditBackends:      auditBackends,
-		LogicalBackends:    logicalBackends,
-		BuiltinRegistry:    builtinplugins.Registry,
-	})
-	return client, closer
-}
-
-// testVaultServerAutoUnseal creates a test vault cluster and sets it up with auto unseal
-// the function returns a client, the recovery keys, and a closer function
-func testVaultServerAutoUnseal(tb testing.TB) (*api.Client, []string, func()) {
-	testSeal, _ := seal.NewTestSeal(nil)
-	autoSeal := vault.NewAutoSeal(testSeal)
-	return testVaultServerUnsealWithKVVersionWithSeal(tb, "1", autoSeal)
-}
-
-// testVaultServerUnseal creates a test vault cluster and returns a configured
-// API client, list of unseal keys (as strings), and a closer function.
-func testVaultServerUnseal(tb testing.TB) (*api.Client, []string, func()) {
-	return testVaultServerUnsealWithKVVersionWithSeal(tb, "1", nil)
-}
-
-func testVaultServerUnsealWithKVVersionWithSeal(tb testing.TB, kvVersion string, seal vault.Seal) (*api.Client, []string, func()) {
-	tb.Helper()
-
-	return testVaultServerCoreConfigWithOpts(tb, &vault.CoreConfig{
-		CredentialBackends: defaultVaultCredentialBackends,
-		AuditBackends:      defaultVaultAuditBackends,
-		LogicalBackends:    defaultVaultLogicalBackends,
-		BuiltinRegistry:    builtinplugins.Registry,
-		Seal:               seal,
-	}, &vault.TestClusterOptions{
-		HandlerFunc: vaulthttp.Handler,
-		NumCores:    1,
-		KVVersion:   kvVersion,
-	})
-}
-
-// testVaultServerUnseal creates a test vault cluster and returns a configured
-// API client, list of unseal keys (as strings), and a closer function
-// configured with the given plugin directory.
-func testVaultServerPluginDir(tb testing.TB, pluginDir string) (*api.Client, []string, func()) {
-	tb.Helper()
-
-	return testVaultServerCoreConfig(tb, &vault.CoreConfig{
-		CredentialBackends: defaultVaultCredentialBackends,
-		AuditBackends:      defaultVaultAuditBackends,
-		LogicalBackends:    defaultVaultLogicalBackends,
-		PluginDirectory:    pluginDir,
-		BuiltinRegistry:    builtinplugins.Registry,
-	})
-}
-
-func testVaultServerCoreConfig(tb testing.TB, coreConfig *vault.CoreConfig) (*api.Client, []string, func()) {
-	return testVaultServerCoreConfigWithOpts(tb, coreConfig, &vault.TestClusterOptions{
-		HandlerFunc: vaulthttp.Handler,
-		NumCores:    1, // Default is 3, but we don't need that many
-	})
-}
-
-// testVaultServerCoreConfig creates a new vault cluster with the given core
-// configuration. This is a lower-level test helper. If the seal config supports recovery keys, then
-// recovery keys are returned. Otherwise, unseal keys are returned
-func testVaultServerCoreConfigWithOpts(tb testing.TB, coreConfig *vault.CoreConfig, opts *vault.TestClusterOptions) (*api.Client, []string, func()) {
-	tb.Helper()
-
-	cluster := vault.NewTestCluster(benchhelpers.TBtoT(tb), coreConfig, opts)
-	cluster.Start()
-
-	// Make it easy to get access to the active
-	core := cluster.Cores[0].Core
-	vault.TestWaitActive(benchhelpers.TBtoT(tb), core)
-
-	// Get the client already setup for us!
-	client := cluster.Cores[0].Client
-	client.SetToken(cluster.RootToken)
-
-	var keys [][]byte
-	if coreConfig.Seal != nil && coreConfig.Seal.RecoveryKeySupported() {
-		keys = cluster.RecoveryKeys
-	} else {
-		keys = cluster.BarrierKeys
-	}
-
-	return client, encodeKeys(keys), cluster.Cleanup
-}
-
-// Convert the unseal keys to base64 encoded, since these are how the user
-// will get them.
-func encodeKeys(rawKeys [][]byte) []string {
-	keys := make([]string, len(rawKeys))
-	for i := range rawKeys {
-		keys[i] = base64.StdEncoding.EncodeToString(rawKeys[i])
-	}
-	return keys
-}
-
-// testVaultServerUninit creates an uninitialized server.
-func testVaultServerUninit(tb testing.TB) (*api.Client, func()) {
-	tb.Helper()
-
-	inm, err := inmem.NewInmem(nil, defaultVaultLogger)
-	if err != nil {
-		tb.Fatal(err)
-	}
-
-	core, err := vault.NewCore(&vault.CoreConfig{
-		DisableMlock:       true,
-		Physical:           inm,
-		CredentialBackends: defaultVaultCredentialBackends,
-		AuditBackends:      defaultVaultAuditBackends,
-		LogicalBackends:    defaultVaultLogicalBackends,
-		BuiltinRegistry:    builtinplugins.Registry,
-	})
-	if err != nil {
-		tb.Fatal(err)
-	}
-
-	ln, addr := vaulthttp.TestServer(tb, core)
-
-	client, err := api.NewClient(&api.Config{
-		Address: addr,
-	})
-	if err != nil {
-		tb.Fatal(err)
-	}
-
-	closer := func() {
-		core.Shutdown()
-		ln.Close()
-	}
-
-	return client, closer
-}
-
-// testVaultServerBad creates an http server that returns a 500 on each request
-// to simulate failures.
-func testVaultServerBad(tb testing.TB) (*api.Client, func()) {
-	tb.Helper()
-
-	listener, err := net.Listen("tcp", "127.0.0.1:0")
-	if err != nil {
-		tb.Fatal(err)
-	}
-
-	server := &http.Server{
-		Addr: "127.0.0.1:0",
-		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			http.Error(w, "500 internal server error", http.StatusInternalServerError)
-		}),
-		ReadTimeout:       1 * time.Second,
-		ReadHeaderTimeout: 1 * time.Second,
-		WriteTimeout:      1 * time.Second,
-		IdleTimeout:       1 * time.Second,
-	}
-
-	go func() {
-		if err := server.Serve(listener); err != nil && err != http.ErrServerClosed {
-			tb.Fatal(err)
-		}
-	}()
-
-	client, err := api.NewClient(&api.Config{
-		Address: "http://" + listener.Addr().String(),
-	})
-	if err != nil {
-		tb.Fatal(err)
-	}
-
-	return client, func() {
-		ctx, done := context.WithTimeout(context.Background(), 5*time.Second)
-		defer done()
-
-		server.Shutdown(ctx)
-	}
-}
-
-// testTokenAndAccessor creates a new authentication token capable of being renewed with
-// the default policy attached. It returns the token and it's accessor.
-func testTokenAndAccessor(tb testing.TB, client *api.Client) (string, string) {
-	tb.Helper()
-
-	secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
-		Policies: []string{"default"},
-		TTL:      "30m",
-	})
-	if err != nil {
-		tb.Fatal(err)
-	}
-	if secret == nil || secret.Auth == nil || secret.Auth.ClientToken == "" {
-		tb.Fatalf("missing auth data: %#v", secret)
-	}
-	return secret.Auth.ClientToken, secret.Auth.Accessor
-}
-
-func testClient(tb testing.TB, addr string, token string) *api.Client {
-	tb.Helper()
-	config := api.DefaultConfig()
-	config.Address = addr
-	client, err := api.NewClient(config)
-	if err != nil {
-		tb.Fatal(err)
-	}
-	client.SetToken(token)
-
-	return client
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+// base handlers used in mirage config when a specific handler is not specified
+const EXPIRY_DATE = '2021-05-12T23:20:50.52Z';
+
+export default function (server) {
+  server.get('/sys/internal/ui/feature-flags', (db) => {
+    const featuresResponse = db.features.first();
+    return {
+      data: {
+        feature_flags: featuresResponse ? featuresResponse.feature_flags : null,
+      },
+    };
+  });
+
+  server.get('/sys/health', function () {
+    return {
+      enterprise: true,
+      initialized: true,
+      sealed: false,
+      standby: false,
+      license: {
+        expiry: '2021-05-12T23:20:50.52Z',
+        state: 'stored',
+      },
+      performance_standby: false,
+      replication_performance_mode: 'disabled',
+      replication_dr_mode: 'disabled',
+      server_time_utc: 1622562585,
+      version: '1.9.0+ent',
+      cluster_name: 'vault-cluster-e779cd7c',
+      cluster_id: '5f20f5ab-acea-0481-787e-71ec2ff5a60b',
+      last_wal: 121,
+    };
+  });
+
+  server.get('/sys/license/status', function () {
+    return {
+      data: {
+        autoloading_used: false,
+        persisted_autoload: {
+          expiration_time: EXPIRY_DATE,
+          features: ['DR Replication', 'Namespaces', 'Lease Count Quotas', 'Automated Snapshots'],
+          license_id: '0eca7ef8-ebc0-f875-315e-3cc94a7870cf',
+          performance_standby_count: 0,
+          start_time: '2020-04-28T00:00:00Z',
+        },
+        autoloaded: {
+          expiration_time: EXPIRY_DATE,
+          features: ['DR Replication', 'Namespaces', 'Lease Count Quotas', 'Automated Snapshots'],
+          license_id: '0eca7ef8-ebc0-f875-315e-3cc94a7870cf',
+          performance_standby_count: 0,
+          start_time: '2020-04-28T00:00:00Z',
+        },
+      },
+    };
+  });
+
+  server.get('sys/namespaces', function () {
+    return {
+      data: {
+        keys: [
+          'ns1/',
+          'ns2/',
+          'ns3/',
+          'ns4/',
+          'ns5/',
+          'ns6/',
+          'ns7/',
+          'ns8/',
+          'ns9/',
+          'ns10/',
+          'ns11/',
+          'ns12/',
+          'ns13/',
+          'ns14/',
+          'ns15/',
+          'ns16/',
+          'ns17/',
+          'ns18/',
+        ],
+      },
+    };
+  });
 }
diff --git a/command/commands.go b/command/commands.go
index b1867e428da3..05d5ad93637a 100644
--- a/command/commands.go
+++ b/command/commands.go
@@ -1,946 +1,448 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package cacheboltdb
 
 import (
+	"context"
+	"encoding/binary"
+	"fmt"
 	"os"
-	"os/signal"
-	"syscall"
-
-	"github.com/hashicorp/vault/audit"
-	"github.com/hashicorp/vault/builtin/plugin"
-	"github.com/hashicorp/vault/sdk/logical"
-	"github.com/hashicorp/vault/sdk/physical"
-	"github.com/hashicorp/vault/version"
-	"github.com/mitchellh/cli"
-
-	/*
-		The builtinplugins package is initialized here because it, in turn,
-		initializes the database plugins.
-		They register multiple database drivers for the "database/sql" package.
-	*/
-	_ "github.com/hashicorp/vault/helper/builtinplugins"
-
-	auditFile "github.com/hashicorp/vault/builtin/audit/file"
-	auditSocket "github.com/hashicorp/vault/builtin/audit/socket"
-	auditSyslog "github.com/hashicorp/vault/builtin/audit/syslog"
-
-	credAliCloud "github.com/hashicorp/vault-plugin-auth-alicloud"
-	credCentrify "github.com/hashicorp/vault-plugin-auth-centrify"
-	credCF "github.com/hashicorp/vault-plugin-auth-cf"
-	credGcp "github.com/hashicorp/vault-plugin-auth-gcp/plugin"
-	credOIDC "github.com/hashicorp/vault-plugin-auth-jwt"
-	credKerb "github.com/hashicorp/vault-plugin-auth-kerberos"
-	credOCI "github.com/hashicorp/vault-plugin-auth-oci"
-	credAws "github.com/hashicorp/vault/builtin/credential/aws"
-	credCert "github.com/hashicorp/vault/builtin/credential/cert"
-	credGitHub "github.com/hashicorp/vault/builtin/credential/github"
-	credLdap "github.com/hashicorp/vault/builtin/credential/ldap"
-	credOkta "github.com/hashicorp/vault/builtin/credential/okta"
-	credToken "github.com/hashicorp/vault/builtin/credential/token"
-	credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
-
-	logicalKv "github.com/hashicorp/vault-plugin-secrets-kv"
-	logicalDb "github.com/hashicorp/vault/builtin/logical/database"
-
-	physAerospike "github.com/hashicorp/vault/physical/aerospike"
-	physAliCloudOSS "github.com/hashicorp/vault/physical/alicloudoss"
-	physAzure "github.com/hashicorp/vault/physical/azure"
-	physCassandra "github.com/hashicorp/vault/physical/cassandra"
-	physCockroachDB "github.com/hashicorp/vault/physical/cockroachdb"
-	physConsul "github.com/hashicorp/vault/physical/consul"
-	physCouchDB "github.com/hashicorp/vault/physical/couchdb"
-	physDynamoDB "github.com/hashicorp/vault/physical/dynamodb"
-	physEtcd "github.com/hashicorp/vault/physical/etcd"
-	physFoundationDB "github.com/hashicorp/vault/physical/foundationdb"
-	physGCS "github.com/hashicorp/vault/physical/gcs"
-	physManta "github.com/hashicorp/vault/physical/manta"
-	physMSSQL "github.com/hashicorp/vault/physical/mssql"
-	physMySQL "github.com/hashicorp/vault/physical/mysql"
-	physOCI "github.com/hashicorp/vault/physical/oci"
-	physPostgreSQL "github.com/hashicorp/vault/physical/postgresql"
-	physRaft "github.com/hashicorp/vault/physical/raft"
-	physS3 "github.com/hashicorp/vault/physical/s3"
-	physSpanner "github.com/hashicorp/vault/physical/spanner"
-	physSwift "github.com/hashicorp/vault/physical/swift"
-	physZooKeeper "github.com/hashicorp/vault/physical/zookeeper"
-	physFile "github.com/hashicorp/vault/sdk/physical/file"
-	physInmem "github.com/hashicorp/vault/sdk/physical/inmem"
-
-	sr "github.com/hashicorp/vault/serviceregistration"
-	csr "github.com/hashicorp/vault/serviceregistration/consul"
-	ksr "github.com/hashicorp/vault/serviceregistration/kubernetes"
+	"path/filepath"
+	"time"
+
+	"github.com/golang/protobuf/proto"
+	bolt "github.com/hashicorp-forge/bbolt"
+	"github.com/hashicorp/go-hclog"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
+	"github.com/hashicorp/go-multierror"
 )
 
 const (
-	// EnvVaultCLINoColor is an env var that toggles colored UI output.
-	EnvVaultCLINoColor = `VAULT_CLI_NO_COLOR`
-	// EnvVaultFormat is the output format
-	EnvVaultFormat = `VAULT_FORMAT`
-	// EnvVaultLicense is an env var used in Vault Enterprise to provide a license blob
-	EnvVaultLicense = "VAULT_LICENSE"
-	// EnvVaultLicensePath is an env var used in Vault Enterprise to provide a
-	// path to a license file on disk
-	EnvVaultLicensePath = "VAULT_LICENSE_PATH"
-	// EnvVaultDetailed is to output detailed information (e.g., ListResponseWithInfo).
-	EnvVaultDetailed = `VAULT_DETAILED`
-	// EnvVaultLogFormat is used to specify the log format. Supported values are "standard" and "json"
-	EnvVaultLogFormat = "VAULT_LOG_FORMAT"
-	// EnvVaultLogLevel is used to specify the log level applied to logging
-	// Supported log levels: Trace, Debug, Error, Warn, Info
-	EnvVaultLogLevel = "VAULT_LOG_LEVEL"
-	// EnvVaultExperiments defines the experiments to enable for a server as a
-	// comma separated list. See experiments.ValidExperiments() for the list of
-	// valid experiments. Not mutable or persisted in storage, only read and
-	// logged at startup _per node_. This was initially introduced for the events
-	// system being developed over multiple release cycles.
-	EnvVaultExperiments = "VAULT_EXPERIMENTS"
-
-	// flagNameAddress is the flag used in the base command to read in the
-	// address of the Vault server.
-	flagNameAddress = "address"
-	// flagnameCACert is the flag used in the base command to read in the CA
-	// cert.
-	flagNameCACert = "ca-cert"
-	// flagnameCAPath is the flag used in the base command to read in the CA
-	// cert path.
-	flagNameCAPath = "ca-path"
-	// flagNameClientCert is the flag used in the base command to read in the
-	// client key
-	flagNameClientKey = "client-key"
-	// flagNameClientCert is the flag used in the base command to read in the
-	// client cert
-	flagNameClientCert = "client-cert"
-	// flagNameTLSSkipVerify is the flag used in the base command to read in
-	// the option to ignore TLS certificate verification.
-	flagNameTLSSkipVerify = "tls-skip-verify"
-	// flagTLSServerName is the flag used in the base command to read in
-	// the TLS server name.
-	flagTLSServerName = "tls-server-name"
-	// flagNameAuditNonHMACRequestKeys is the flag name used for auth/secrets enable
-	flagNameAuditNonHMACRequestKeys = "audit-non-hmac-request-keys"
-	// flagNameAuditNonHMACResponseKeys is the flag name used for auth/secrets enable
-	flagNameAuditNonHMACResponseKeys = "audit-non-hmac-response-keys"
-	// flagNameDescription is the flag name used for tuning the secret and auth mount description parameter
-	flagNameDescription = "description"
-	// flagListingVisibility is the flag to toggle whether to show the mount in the UI-specific listing endpoint
-	flagNameListingVisibility = "listing-visibility"
-	// flagNamePassthroughRequestHeaders is the flag name used to set passthrough request headers to the backend
-	flagNamePassthroughRequestHeaders = "passthrough-request-headers"
-	// flagNameAllowedResponseHeaders is used to set allowed response headers from a plugin
-	flagNameAllowedResponseHeaders = "allowed-response-headers"
-	// flagNameTokenType is the flag name used to force a specific token type
-	flagNameTokenType = "token-type"
-	// flagNameAllowedManagedKeys is the flag name used for auth/secrets enable
-	flagNameAllowedManagedKeys = "allowed-managed-keys"
-	// flagNamePluginVersion selects what version of a plugin should be used.
-	flagNamePluginVersion = "plugin-version"
-	// flagNameUserLockoutThreshold is the flag name used for tuning the auth mount lockout threshold parameter
-	flagNameUserLockoutThreshold = "user-lockout-threshold"
-	// flagNameUserLockoutDuration is the flag name used for tuning the auth mount lockout duration parameter
-	flagNameUserLockoutDuration = "user-lockout-duration"
-	// flagNameUserLockoutCounterResetDuration is the flag name used for tuning the auth mount lockout counter reset parameter
-	flagNameUserLockoutCounterResetDuration = "user-lockout-counter-reset-duration"
-	// flagNameUserLockoutDisable is the flag name used for tuning the auth mount disable lockout parameter
-	flagNameUserLockoutDisable = "user-lockout-disable"
-	// flagNameDisableRedirects is used to prevent the client from honoring a single redirect as a response to a request
-	flagNameDisableRedirects = "disable-redirects"
-	// flagNameCombineLogs is used to specify whether log output should be combined and sent to stdout
-	flagNameCombineLogs = "combine-logs"
-	// flagNameLogFile is used to specify the path to the log file that Vault should use for logging
-	flagNameLogFile = "log-file"
-	// flagNameLogRotateBytes is the flag used to specify the number of bytes a log file should be before it is rotated.
-	flagNameLogRotateBytes = "log-rotate-bytes"
-	// flagNameLogRotateDuration is the flag used to specify the duration after which a log file should be rotated.
-	flagNameLogRotateDuration = "log-rotate-duration"
-	// flagNameLogRotateMaxFiles is the flag used to specify the maximum number of older/archived log files to keep.
-	flagNameLogRotateMaxFiles = "log-rotate-max-files"
-	// flagNameLogFormat is the flag used to specify the log format. Supported values are "standard" and "json"
-	flagNameLogFormat = "log-format"
-	// flagNameLogLevel is used to specify the log level applied to logging
-	// Supported log levels: Trace, Debug, Error, Warn, Info
-	flagNameLogLevel = "log-level"
+	// Keep track of schema version for future migrations
+	storageVersionKey = "version"
+	storageVersion    = "2" // v2 merges auth-lease and secret-lease buckets into one ordered bucket
+
+	// DatabaseFileName - filename for the persistent cache file
+	DatabaseFileName = "vault-agent-cache.db"
+
+	// metaBucketName - naming the meta bucket that holds the version and
+	// bootstrapping keys
+	metaBucketName = "meta"
+
+	// DEPRECATED: secretLeaseType - v1 Bucket/type for leases with secret info
+	secretLeaseType = "secret-lease"
+
+	// DEPRECATED: authLeaseType - v1 Bucket/type for leases with auth info
+	authLeaseType = "auth-lease"
+
+	// TokenType - Bucket/type for auto-auth tokens
+	TokenType = "token"
+
+	// StaticSecretType - Bucket/type for static secrets
+	StaticSecretType = "static-secret"
+
+	// TokenCapabilitiesType - Bucket/type for the token capabilities that
+	// are used to govern access to static secrets. These will be updated
+	// periodically to ensure that access to the cached secret remains.
+	TokenCapabilitiesType = "token-capabilities"
+
+	// LeaseType - v2 Bucket/type for auth AND secret leases.
+	//
+	// This bucket stores keys in the same order they were created using
+	// auto-incrementing keys and the fact that BoltDB stores keys in byte
+	// slice order. This means when we iterate through this bucket during
+	// restore, we will always restore parent tokens before their children,
+	// allowing us to correctly attach child contexts to their parent's context.
+	LeaseType = "lease"
+
+	// lookupType - v2 Bucket/type to map from a memcachedb index ID to an
+	// auto-incrementing BoltDB key. Facilitates deletes from the lease
+	// bucket using an ID instead of the auto-incrementing BoltDB key.
+	lookupType = "lookup"
+
+	// AutoAuthToken - key for the latest auto-auth token
+	AutoAuthToken = "auto-auth-token"
+
+	// RetrievalTokenMaterial is the actual key or token in the key bucket
+	RetrievalTokenMaterial = "retrieval-token-material"
 )
 
-var (
-	auditBackends = map[string]audit.Factory{
-		"file":   auditFile.Factory,
-		"socket": auditSocket.Factory,
-		"syslog": auditSyslog.Factory,
+// BoltStorage is a persistent cache using a bolt db. Items are organized with
+// the version and bootstrapping items in the "meta" bucket, and tokens, auth
+// leases, and secret leases in their own buckets.
+type BoltStorage struct {
+	db      *bolt.DB
+	logger  hclog.Logger
+	wrapper wrapping.Wrapper
+	aad     string
+}
+
+// BoltStorageConfig is the collection of input parameters for setting up bolt
+// storage
+type BoltStorageConfig struct {
+	Path    string
+	Logger  hclog.Logger
+	Wrapper wrapping.Wrapper
+	AAD     string
+}
+
+// NewBoltStorage opens a new bolt db at the specified file path and returns it.
+// If the db already exists the buckets will just be created if they don't
+// exist.
+func NewBoltStorage(config *BoltStorageConfig) (*BoltStorage, error) {
+	dbPath := filepath.Join(config.Path, DatabaseFileName)
+	db, err := bolt.Open(dbPath, 0o600, &bolt.Options{Timeout: 1 * time.Second})
+	if err != nil {
+		return nil, err
+	}
+	err = db.Update(func(tx *bolt.Tx) error {
+		return createBoltSchema(tx, storageVersion)
+	})
+	if err != nil {
+		return nil, err
+	}
+	bs := &BoltStorage{
+		db:      db,
+		logger:  config.Logger,
+		wrapper: config.Wrapper,
+		aad:     config.AAD,
 	}
+	return bs, nil
+}
 
-	credentialBackends = map[string]logical.Factory{
-		"plugin": plugin.Factory,
+func createBoltSchema(tx *bolt.Tx, createVersion string) error {
+	switch {
+	case createVersion == "1":
+		if err := createV1BoltSchema(tx); err != nil {
+			return err
+		}
+	case createVersion == "2":
+		if err := createV2BoltSchema(tx); err != nil {
+			return err
+		}
+	default:
+		return fmt.Errorf("schema version %s not supported", createVersion)
 	}
 
-	logicalBackends = map[string]logical.Factory{
-		"plugin":   plugin.Factory,
-		"database": logicalDb.Factory,
-		// This is also available in the plugin catalog, but is here due to the need to
-		// automatically mount it.
-		"kv": logicalKv.Factory,
+	meta, err := tx.CreateBucketIfNotExists([]byte(metaBucketName))
+	if err != nil {
+		return fmt.Errorf("failed to create bucket %s: %w", metaBucketName, err)
 	}
 
-	physicalBackends = map[string]physical.Factory{
-		"aerospike":              physAerospike.NewAerospikeBackend,
-		"alicloudoss":            physAliCloudOSS.NewAliCloudOSSBackend,
-		"azure":                  physAzure.NewAzureBackend,
-		"cassandra":              physCassandra.NewCassandraBackend,
-		"cockroachdb":            physCockroachDB.NewCockroachDBBackend,
-		"consul":                 physConsul.NewConsulBackend,
-		"couchdb_transactional":  physCouchDB.NewTransactionalCouchDBBackend,
-		"couchdb":                physCouchDB.NewCouchDBBackend,
-		"dynamodb":               physDynamoDB.NewDynamoDBBackend,
-		"etcd":                   physEtcd.NewEtcdBackend,
-		"file_transactional":     physFile.NewTransactionalFileBackend,
-		"file":                   physFile.NewFileBackend,
-		"foundationdb":           physFoundationDB.NewFDBBackend,
-		"gcs":                    physGCS.NewBackend,
-		"inmem_ha":               physInmem.NewInmemHA,
-		"inmem_transactional_ha": physInmem.NewTransactionalInmemHA,
-		"inmem_transactional":    physInmem.NewTransactionalInmem,
-		"inmem":                  physInmem.NewInmem,
-		"manta":                  physManta.NewMantaBackend,
-		"mssql":                  physMSSQL.NewMSSQLBackend,
-		"mysql":                  physMySQL.NewMySQLBackend,
-		"oci":                    physOCI.NewBackend,
-		"postgresql":             physPostgreSQL.NewPostgreSQLBackend,
-		"s3":                     physS3.NewS3Backend,
-		"spanner":                physSpanner.NewBackend,
-		"swift":                  physSwift.NewSwiftBackend,
-		"raft":                   physRaft.NewRaftBackend,
-		"zookeeper":              physZooKeeper.NewZooKeeperBackend,
+	// Check and set file version in the meta bucket.
+	version := meta.Get([]byte(storageVersionKey))
+	switch {
+	case version == nil:
+		err = meta.Put([]byte(storageVersionKey), []byte(createVersion))
+		if err != nil {
+			return fmt.Errorf("failed to set storage version: %w", err)
+		}
+
+		return nil
+
+	case string(version) == createVersion:
+		return nil
+
+	case string(version) == "1" && createVersion == "2":
+		return migrateFromV1ToV2Schema(tx)
+
+	default:
+		return fmt.Errorf("storage migration from %s to %s not implemented", string(version), createVersion)
+	}
+}
+
+func createV1BoltSchema(tx *bolt.Tx) error {
+	// Create the buckets for tokens and leases.
+	for _, bucket := range []string{TokenType, authLeaseType, secretLeaseType} {
+		if _, err := tx.CreateBucketIfNotExists([]byte(bucket)); err != nil {
+			return fmt.Errorf("failed to create %s bucket: %w", bucket, err)
+		}
 	}
 
-	serviceRegistrations = map[string]sr.Factory{
-		"consul":     csr.NewServiceRegistration,
-		"kubernetes": ksr.NewServiceRegistration,
+	return nil
+}
+
+func createV2BoltSchema(tx *bolt.Tx) error {
+	// Create the buckets for tokens and leases.
+	for _, bucket := range []string{TokenType, LeaseType, lookupType, StaticSecretType, TokenCapabilitiesType} {
+		if _, err := tx.CreateBucketIfNotExists([]byte(bucket)); err != nil {
+			return fmt.Errorf("failed to create %s bucket: %w", bucket, err)
+		}
 	}
 
-	loginHandlers = map[string]LoginHandler{
-		"alicloud": &credAliCloud.CLIHandler{},
-		"aws":      &credAws.CLIHandler{},
-		"centrify": &credCentrify.CLIHandler{},
-		"cert":     &credCert.CLIHandler{},
-		"cf":       &credCF.CLIHandler{},
-		"gcp":      &credGcp.CLIHandler{},
-		"github":   &credGitHub.CLIHandler{},
-		"kerberos": &credKerb.CLIHandler{},
-		"ldap":     &credLdap.CLIHandler{},
-		"oci":      &credOCI.CLIHandler{},
-		"oidc":     &credOIDC.CLIHandler{},
-		"okta":     &credOkta.CLIHandler{},
-		"pcf":      &credCF.CLIHandler{}, // Deprecated.
-		"radius": &credUserpass.CLIHandler{
-			DefaultMount: "radius",
-		},
-		"token": &credToken.CLIHandler{},
-		"userpass": &credUserpass.CLIHandler{
-			DefaultMount: "userpass",
-		},
+	return nil
+}
+
+func migrateFromV1ToV2Schema(tx *bolt.Tx) error {
+	if err := createV2BoltSchema(tx); err != nil {
+		return err
+	}
+
+	for _, v1BucketType := range []string{authLeaseType, secretLeaseType} {
+		if bucket := tx.Bucket([]byte(v1BucketType)); bucket != nil {
+			bucket.ForEach(func(key, value []byte) error {
+				autoIncKey, err := autoIncrementedLeaseKey(tx, string(key))
+				if err != nil {
+					return fmt.Errorf("error migrating %s %q key to auto incremented key: %w", v1BucketType, string(key), err)
+				}
+				if err := tx.Bucket([]byte(LeaseType)).Put(autoIncKey, value); err != nil {
+					return fmt.Errorf("error migrating %s %q from v1 to v2 schema: %w", v1BucketType, string(key), err)
+				}
+				return nil
+			})
+
+			if err := tx.DeleteBucket([]byte(v1BucketType)); err != nil {
+				return fmt.Errorf("failed to clean up %s bucket during v1 to v2 schema migration: %w", v1BucketType, err)
+			}
+		}
+	}
+
+	meta, err := tx.CreateBucketIfNotExists([]byte(metaBucketName))
+	if err != nil {
+		return fmt.Errorf("failed to create meta bucket: %w", err)
+	}
+	if err := meta.Put([]byte(storageVersionKey), []byte(storageVersion)); err != nil {
+		return fmt.Errorf("failed to update schema from v1 to v2: %w", err)
+	}
+
+	return nil
+}
+
+func autoIncrementedLeaseKey(tx *bolt.Tx, id string) ([]byte, error) {
+	leaseBucket := tx.Bucket([]byte(LeaseType))
+	keyValue, err := leaseBucket.NextSequence()
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate lookup key for id %q: %w", id, err)
 	}
-)
 
-func initCommands(ui, serverCmdUi cli.Ui, runOpts *RunOptions) map[string]cli.CommandFactory {
-	getBaseCommand := func() *BaseCommand {
-		return &BaseCommand{
-			UI:          ui,
-			tokenHelper: runOpts.TokenHelper,
-			flagAddress: runOpts.Address,
-			client:      runOpts.Client,
+	key := make([]byte, 8)
+	// MUST be big endian, because keys are ordered by byte slice comparison
+	// which progressively compares each byte in the slice starting at index 0.
+	// BigEndian in the range [255-257] looks like this:
+	// [0 0 0 0 0 0 0 255]
+	// [0 0 0 0 0 0 1 0]
+	// [0 0 0 0 0 0 1 1]
+	// LittleEndian in the same range looks like this:
+	// [255 0 0 0 0 0 0 0]
+	// [0 1 0 0 0 0 0 0]
+	// [1 1 0 0 0 0 0 0]
+	binary.BigEndian.PutUint64(key, keyValue)
+
+	err = tx.Bucket([]byte(lookupType)).Put([]byte(id), key)
+	if err != nil {
+		return nil, err
+	}
+
+	return key, nil
+}
+
+// Set an index (token or lease) in bolt storage
+func (b *BoltStorage) Set(ctx context.Context, id string, plaintext []byte, indexType string) error {
+	blob, err := b.wrapper.Encrypt(ctx, plaintext, wrapping.WithAad([]byte(b.aad)))
+	if err != nil {
+		return fmt.Errorf("error encrypting %s index: %w", indexType, err)
+	}
+
+	protoBlob, err := proto.Marshal(blob)
+	if err != nil {
+		return err
+	}
+
+	return b.db.Update(func(tx *bolt.Tx) error {
+		var key []byte
+		switch indexType {
+		case LeaseType:
+			// If this is a lease type, generate an auto-incrementing key and
+			// store an ID -> key lookup entry
+			key, err = autoIncrementedLeaseKey(tx, id)
+			if err != nil {
+				return err
+			}
+		case TokenType:
+			// If this is an auto-auth token, also stash it in the meta bucket for
+			// easy retrieval upon restore
+			key = []byte(id)
+			meta := tx.Bucket([]byte(metaBucketName))
+			if err := meta.Put([]byte(AutoAuthToken), protoBlob); err != nil {
+				return fmt.Errorf("failed to set latest auto-auth token: %w", err)
+			}
+		case StaticSecretType:
+			key = []byte(id)
+		case TokenCapabilitiesType:
+			key = []byte(id)
+		default:
+			return fmt.Errorf("called Set for unsupported type %q", indexType)
+		}
+		s := tx.Bucket([]byte(indexType))
+		if s == nil {
+			return fmt.Errorf("bucket %q not found", indexType)
+		}
+		return s.Put(key, protoBlob)
+	})
+}
+
+// Delete an index (token or lease) by key from bolt storage
+func (b *BoltStorage) Delete(id string, indexType string) error {
+	return b.db.Update(func(tx *bolt.Tx) error {
+		key := []byte(id)
+		if indexType == LeaseType {
+			key = tx.Bucket([]byte(lookupType)).Get(key)
+			if key == nil {
+				return fmt.Errorf("failed to lookup bolt DB key for id %q", id)
+			}
+
+			err := tx.Bucket([]byte(lookupType)).Delete([]byte(id))
+			if err != nil {
+				return fmt.Errorf("failed to delete %q from lookup bucket: %w", id, err)
+			}
+		}
+
+		bucket := tx.Bucket([]byte(indexType))
+		if bucket == nil {
+			return fmt.Errorf("bucket %q not found during delete", indexType)
+		}
+		if err := bucket.Delete(key); err != nil {
+			return fmt.Errorf("failed to delete %q from %q bucket: %w", id, indexType, err)
 		}
+		b.logger.Trace("deleted index from bolt db", "id", id)
+		return nil
+	})
+}
+
+func (b *BoltStorage) decrypt(ctx context.Context, ciphertext []byte) ([]byte, error) {
+	var blob wrapping.BlobInfo
+	if err := proto.Unmarshal(ciphertext, &blob); err != nil {
+		return nil, err
 	}
 
-	commands := map[string]cli.CommandFactory{
-		"agent": func() (cli.Command, error) {
-			return &AgentCommand{
-				BaseCommand: &BaseCommand{
-					UI: serverCmdUi,
-				},
-				ShutdownCh: MakeShutdownCh(),
-				SighupCh:   MakeSighupCh(),
-			}, nil
-		},
-		"agent generate-config": func() (cli.Command, error) {
-			return &AgentGenerateConfigCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"audit": func() (cli.Command, error) {
-			return &AuditCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"audit disable": func() (cli.Command, error) {
-			return &AuditDisableCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"audit enable": func() (cli.Command, error) {
-			return &AuditEnableCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"audit list": func() (cli.Command, error) {
-			return &AuditListCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"auth tune": func() (cli.Command, error) {
-			return &AuthTuneCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"auth": func() (cli.Command, error) {
-			return &AuthCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"auth disable": func() (cli.Command, error) {
-			return &AuthDisableCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"auth enable": func() (cli.Command, error) {
-			return &AuthEnableCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"auth help": func() (cli.Command, error) {
-			return &AuthHelpCommand{
-				BaseCommand: getBaseCommand(),
-				Handlers:    loginHandlers,
-			}, nil
-		},
-		"auth list": func() (cli.Command, error) {
-			return &AuthListCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"auth move": func() (cli.Command, error) {
-			return &AuthMoveCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"debug": func() (cli.Command, error) {
-			return &DebugCommand{
-				BaseCommand: getBaseCommand(),
-				ShutdownCh:  MakeShutdownCh(),
-			}, nil
-		},
-		"delete": func() (cli.Command, error) {
-			return &DeleteCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"events subscribe": func() (cli.Command, error) {
-			return &EventsSubscribeCommands{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"lease": func() (cli.Command, error) {
-			return &LeaseCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"lease renew": func() (cli.Command, error) {
-			return &LeaseRenewCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"lease lookup": func() (cli.Command, error) {
-			return &LeaseLookupCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"lease revoke": func() (cli.Command, error) {
-			return &LeaseRevokeCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"list": func() (cli.Command, error) {
-			return &ListCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"login": func() (cli.Command, error) {
-			return &LoginCommand{
-				BaseCommand: getBaseCommand(),
-				Handlers:    loginHandlers,
-			}, nil
-		},
-		"namespace": func() (cli.Command, error) {
-			return &NamespaceCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"namespace list": func() (cli.Command, error) {
-			return &NamespaceListCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"namespace lookup": func() (cli.Command, error) {
-			return &NamespaceLookupCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"namespace create": func() (cli.Command, error) {
-			return &NamespaceCreateCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"namespace patch": func() (cli.Command, error) {
-			return &NamespacePatchCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"namespace delete": func() (cli.Command, error) {
-			return &NamespaceDeleteCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"namespace lock": func() (cli.Command, error) {
-			return &NamespaceAPILockCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"namespace unlock": func() (cli.Command, error) {
-			return &NamespaceAPIUnlockCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"operator": func() (cli.Command, error) {
-			return &OperatorCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"operator diagnose": func() (cli.Command, error) {
-			return &OperatorDiagnoseCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"operator generate-root": func() (cli.Command, error) {
-			return &OperatorGenerateRootCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"operator init": func() (cli.Command, error) {
-			return &OperatorInitCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"operator key-status": func() (cli.Command, error) {
-			return &OperatorKeyStatusCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"operator migrate": func() (cli.Command, error) {
-			return &OperatorMigrateCommand{
-				BaseCommand:      getBaseCommand(),
-				PhysicalBackends: physicalBackends,
-				ShutdownCh:       MakeShutdownCh(),
-			}, nil
-		},
-		"operator raft": func() (cli.Command, error) {
-			return &OperatorRaftCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"operator raft autopilot get-config": func() (cli.Command, error) {
-			return &OperatorRaftAutopilotGetConfigCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"operator raft autopilot set-config": func() (cli.Command, error) {
-			return &OperatorRaftAutopilotSetConfigCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"operator raft autopilot state": func() (cli.Command, error) {
-			return &OperatorRaftAutopilotStateCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"operator raft list-peers": func() (cli.Command, error) {
-			return &OperatorRaftListPeersCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"operator raft join": func() (cli.Command, error) {
-			return &OperatorRaftJoinCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"operator raft remove-peer": func() (cli.Command, error) {
-			return &OperatorRaftRemovePeerCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"operator raft snapshot": func() (cli.Command, error) {
-			return &OperatorRaftSnapshotCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"operator raft snapshot inspect": func() (cli.Command, error) {
-			return &OperatorRaftSnapshotInspectCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"operator raft snapshot restore": func() (cli.Command, error) {
-			return &OperatorRaftSnapshotRestoreCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"operator raft snapshot save": func() (cli.Command, error) {
-			return &OperatorRaftSnapshotSaveCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"operator rekey": func() (cli.Command, error) {
-			return &OperatorRekeyCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"operator rotate": func() (cli.Command, error) {
-			return &OperatorRotateCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"operator seal": func() (cli.Command, error) {
-			return &OperatorSealCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"operator step-down": func() (cli.Command, error) {
-			return &OperatorStepDownCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"operator usage": func() (cli.Command, error) {
-			return &OperatorUsageCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"operator unseal": func() (cli.Command, error) {
-			return &OperatorUnsealCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"operator members": func() (cli.Command, error) {
-			return &OperatorMembersCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"patch": func() (cli.Command, error) {
-			return &PatchCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"path-help": func() (cli.Command, error) {
-			return &PathHelpCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"pki": func() (cli.Command, error) {
-			return &PKICommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"pki health-check": func() (cli.Command, error) {
-			return &PKIHealthCheckCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"pki issue": func() (cli.Command, error) {
-			return &PKIIssueCACommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"pki list-intermediates": func() (cli.Command, error) {
-			return &PKIListIntermediateCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"pki reissue": func() (cli.Command, error) {
-			return &PKIReIssueCACommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"pki verify-sign": func() (cli.Command, error) {
-			return &PKIVerifySignCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"plugin": func() (cli.Command, error) {
-			return &PluginCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"plugin deregister": func() (cli.Command, error) {
-			return &PluginDeregisterCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"plugin info": func() (cli.Command, error) {
-			return &PluginInfoCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"plugin list": func() (cli.Command, error) {
-			return &PluginListCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"plugin register": func() (cli.Command, error) {
-			return &PluginRegisterCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"plugin reload": func() (cli.Command, error) {
-			return &PluginReloadCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"plugin reload-status": func() (cli.Command, error) {
-			return &PluginReloadStatusCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"plugin runtime": func() (cli.Command, error) {
-			return &PluginRuntimeCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"plugin runtime register": func() (cli.Command, error) {
-			return &PluginRuntimeRegisterCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"plugin runtime deregister": func() (cli.Command, error) {
-			return &PluginRuntimeDeregisterCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"plugin runtime info": func() (cli.Command, error) {
-			return &PluginRuntimeInfoCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"plugin runtime list": func() (cli.Command, error) {
-			return &PluginRuntimeListCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"proxy": func() (cli.Command, error) {
-			return &ProxyCommand{
-				BaseCommand: &BaseCommand{
-					UI: serverCmdUi,
-				},
-				ShutdownCh: MakeShutdownCh(),
-				SighupCh:   MakeSighupCh(),
-			}, nil
-		},
-		"policy": func() (cli.Command, error) {
-			return &PolicyCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"policy delete": func() (cli.Command, error) {
-			return &PolicyDeleteCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"policy fmt": func() (cli.Command, error) {
-			return &PolicyFmtCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"policy list": func() (cli.Command, error) {
-			return &PolicyListCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"policy read": func() (cli.Command, error) {
-			return &PolicyReadCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"policy write": func() (cli.Command, error) {
-			return &PolicyWriteCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"print": func() (cli.Command, error) {
-			return &PrintCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"print token": func() (cli.Command, error) {
-			return &PrintTokenCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"read": func() (cli.Command, error) {
-			return &ReadCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"secrets": func() (cli.Command, error) {
-			return &SecretsCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"secrets disable": func() (cli.Command, error) {
-			return &SecretsDisableCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"secrets enable": func() (cli.Command, error) {
-			return &SecretsEnableCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"secrets list": func() (cli.Command, error) {
-			return &SecretsListCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"secrets move": func() (cli.Command, error) {
-			return &SecretsMoveCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"secrets tune": func() (cli.Command, error) {
-			return &SecretsTuneCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"server": func() (cli.Command, error) {
-			return &ServerCommand{
-				BaseCommand: &BaseCommand{
-					UI:          serverCmdUi,
-					tokenHelper: runOpts.TokenHelper,
-					flagAddress: runOpts.Address,
-				},
-				AuditBackends:      auditBackends,
-				CredentialBackends: credentialBackends,
-				LogicalBackends:    logicalBackends,
-				PhysicalBackends:   physicalBackends,
-
-				ServiceRegistrations: serviceRegistrations,
-
-				ShutdownCh: MakeShutdownCh(),
-				SighupCh:   MakeSighupCh(),
-				SigUSR2Ch:  MakeSigUSR2Ch(),
-			}, nil
-		},
-		"ssh": func() (cli.Command, error) {
-			return &SSHCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"status": func() (cli.Command, error) {
-			return &StatusCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"transform": func() (cli.Command, error) {
-			return &TransformCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"transform import": func() (cli.Command, error) {
-			return &TransformImportCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"transform import-version": func() (cli.Command, error) {
-			return &TransformImportVersionCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"transit": func() (cli.Command, error) {
-			return &TransitCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"transit import": func() (cli.Command, error) {
-			return &TransitImportCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"transit import-version": func() (cli.Command, error) {
-			return &TransitImportVersionCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"token": func() (cli.Command, error) {
-			return &TokenCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"token create": func() (cli.Command, error) {
-			return &TokenCreateCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"token capabilities": func() (cli.Command, error) {
-			return &TokenCapabilitiesCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"token lookup": func() (cli.Command, error) {
-			return &TokenLookupCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"token renew": func() (cli.Command, error) {
-			return &TokenRenewCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"token revoke": func() (cli.Command, error) {
-			return &TokenRevokeCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"unwrap": func() (cli.Command, error) {
-			return &UnwrapCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"version": func() (cli.Command, error) {
-			return &VersionCommand{
-				VersionInfo: version.GetVersion(),
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"version-history": func() (cli.Command, error) {
-			return &VersionHistoryCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"write": func() (cli.Command, error) {
-			return &WriteCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"kv": func() (cli.Command, error) {
-			return &KVCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"kv put": func() (cli.Command, error) {
-			return &KVPutCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"kv patch": func() (cli.Command, error) {
-			return &KVPatchCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"kv rollback": func() (cli.Command, error) {
-			return &KVRollbackCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"kv get": func() (cli.Command, error) {
-			return &KVGetCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"kv delete": func() (cli.Command, error) {
-			return &KVDeleteCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"kv list": func() (cli.Command, error) {
-			return &KVListCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"kv destroy": func() (cli.Command, error) {
-			return &KVDestroyCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"kv undelete": func() (cli.Command, error) {
-			return &KVUndeleteCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"kv enable-versioning": func() (cli.Command, error) {
-			return &KVEnableVersioningCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"kv metadata": func() (cli.Command, error) {
-			return &KVMetadataCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"kv metadata put": func() (cli.Command, error) {
-			return &KVMetadataPutCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"kv metadata patch": func() (cli.Command, error) {
-			return &KVMetadataPatchCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"kv metadata get": func() (cli.Command, error) {
-			return &KVMetadataGetCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"kv metadata delete": func() (cli.Command, error) {
-			return &KVMetadataDeleteCommand{
-				BaseCommand: getBaseCommand(),
-			}, nil
-		},
-		"monitor": func() (cli.Command, error) {
-			return &MonitorCommand{
-				BaseCommand: getBaseCommand(),
-				ShutdownCh:  MakeShutdownCh(),
-			}, nil
-		},
+	return b.wrapper.Decrypt(ctx, &blob, wrapping.WithAad([]byte(b.aad)))
+}
+
+// GetByType returns a list of stored items of the specified type
+func (b *BoltStorage) GetByType(ctx context.Context, indexType string) ([][]byte, error) {
+	var returnBytes [][]byte
+
+	err := b.db.View(func(tx *bolt.Tx) error {
+		var errors *multierror.Error
+
+		bucket := tx.Bucket([]byte(indexType))
+		if bucket == nil {
+			return fmt.Errorf("bucket %q not found", indexType)
+		}
+		bucket.ForEach(func(key, ciphertext []byte) error {
+			plaintext, err := b.decrypt(ctx, ciphertext)
+			if err != nil {
+				errors = multierror.Append(errors, fmt.Errorf("error decrypting entry %s: %w", key, err))
+				return nil
+			}
+
+			returnBytes = append(returnBytes, plaintext)
+			return nil
+		})
+		return errors.ErrorOrNil()
+	})
+
+	return returnBytes, err
+}
+
+// GetAutoAuthToken retrieves the latest auto-auth token, and returns nil if non
+// exists yet
+func (b *BoltStorage) GetAutoAuthToken(ctx context.Context) ([]byte, error) {
+	var encryptedToken []byte
+
+	err := b.db.View(func(tx *bolt.Tx) error {
+		meta := tx.Bucket([]byte(metaBucketName))
+		if meta == nil {
+			return fmt.Errorf("bucket %q not found", metaBucketName)
+		}
+		value := meta.Get([]byte(AutoAuthToken))
+		if value != nil {
+			encryptedToken = make([]byte, len(value))
+			copy(encryptedToken, value)
+		}
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	if encryptedToken == nil {
+		return nil, nil
 	}
 
-	entInitCommands(ui, serverCmdUi, runOpts, commands)
-	return commands
+	plaintext, err := b.decrypt(ctx, encryptedToken)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decrypt auto-auth token: %w", err)
+	}
+	return plaintext, nil
 }
 
-// MakeShutdownCh returns a channel that can be used for shutdown
-// notifications for commands. This channel will send a message for every
-// SIGINT or SIGTERM received.
-func MakeShutdownCh() chan struct{} {
-	resultCh := make(chan struct{})
-
-	shutdownCh := make(chan os.Signal, 4)
-	signal.Notify(shutdownCh, os.Interrupt, syscall.SIGTERM)
-	go func() {
-		<-shutdownCh
-		close(resultCh)
-	}()
-	return resultCh
+// GetRetrievalToken retrieves a plaintext token from the KeyBucket, which will
+// be used by the key manager to retrieve the encryption key, nil if none set
+func (b *BoltStorage) GetRetrievalToken() ([]byte, error) {
+	var token []byte
+
+	err := b.db.View(func(tx *bolt.Tx) error {
+		metaBucket := tx.Bucket([]byte(metaBucketName))
+		if metaBucket == nil {
+			return fmt.Errorf("bucket %q not found", metaBucketName)
+		}
+		value := metaBucket.Get([]byte(RetrievalTokenMaterial))
+		if value != nil {
+			token = make([]byte, len(value))
+			copy(token, value)
+		}
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return token, err
 }
 
-// MakeSighupCh returns a channel that can be used for SIGHUP
-// reloading. This channel will send a message for every
-// SIGHUP received.
-func MakeSighupCh() chan struct{} {
-	resultCh := make(chan struct{})
-
-	signalCh := make(chan os.Signal, 4)
-	signal.Notify(signalCh, syscall.SIGHUP)
-	go func() {
-		for {
-			<-signalCh
-			resultCh <- struct{}{}
+// StoreRetrievalToken sets plaintext token material in the RetrievalTokenBucket
+func (b *BoltStorage) StoreRetrievalToken(token []byte) error {
+	return b.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(metaBucketName))
+		if bucket == nil {
+			return fmt.Errorf("bucket %q not found", metaBucketName)
 		}
-	}()
-	return resultCh
+		return bucket.Put([]byte(RetrievalTokenMaterial), token)
+	})
+}
+
+// Close the boltdb
+func (b *BoltStorage) Close() error {
+	b.logger.Trace("closing bolt db", "path", b.db.Path())
+	return b.db.Close()
+}
+
+// Clear the boltdb by deleting all the token and lease buckets and recreating
+// the schema/layout
+func (b *BoltStorage) Clear() error {
+	return b.db.Update(func(tx *bolt.Tx) error {
+		for _, name := range []string{TokenType, LeaseType, lookupType, StaticSecretType, TokenCapabilitiesType} {
+			b.logger.Trace("deleting bolt bucket", "name", name)
+			if err := tx.DeleteBucket([]byte(name)); err != nil {
+				return err
+			}
+		}
+		return createBoltSchema(tx, storageVersion)
+	})
+}
+
+// DBFileExists checks whether the vault agent cache file at `filePath` exists
+func DBFileExists(path string) (bool, error) {
+	checkFile, err := os.OpenFile(filepath.Join(path, DatabaseFileName), os.O_RDWR, 0o600)
+	defer checkFile.Close()
+	switch {
+	case err == nil:
+		return true, nil
+	case os.IsNotExist(err):
+		return false, nil
+	default:
+		return false, fmt.Errorf("failed to check if bolt file exists at path %s: %w", path, err)
+	}
 }
diff --git a/command/debug.go b/command/debug.go
index 941249657a94..06a31780b5ad 100644
--- a/command/debug.go
+++ b/command/debug.go
@@ -1,1111 +1,400 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package cacheboltdb
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
-	"io/ioutil"
-	"net/url"
 	"os"
+	"path"
 	"path/filepath"
-	"runtime"
-	"strconv"
 	"strings"
-	"sync"
+	"testing"
 	"time"
 
+	"github.com/golang/protobuf/proto"
+	bolt "github.com/hashicorp-forge/bbolt"
 	"github.com/hashicorp/go-hclog"
-	"github.com/hashicorp/go-secure-stdlib/gatedwriter"
-	"github.com/hashicorp/go-secure-stdlib/strutil"
-	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/helper/osutil"
-	"github.com/hashicorp/vault/sdk/helper/jsonutil"
-	"github.com/hashicorp/vault/sdk/helper/logging"
-	"github.com/hashicorp/vault/version"
-	"github.com/mholt/archiver/v3"
-	"github.com/mitchellh/cli"
-	"github.com/oklog/run"
-	"github.com/posener/complete"
+	"github.com/hashicorp/vault/command/agentproxyshared/cache/keymanager"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
-const (
-	// debugIndexVersion tracks the canonical version in the index file
-	// for compatibility with future format/layout changes on the bundle.
-	debugIndexVersion = 1
+func getTestKeyManager(t *testing.T) keymanager.KeyManager {
+	t.Helper()
 
-	// debugMinInterval is the minimum acceptable interval capture value. This
-	// value applies to duration and all interval-related flags.
-	debugMinInterval = 5 * time.Second
+	km, err := keymanager.NewPassthroughKeyManager(context.Background(), nil)
+	require.NoError(t, err)
 
-	// debugDurationGrace is the grace period added to duration to allow for
-	// "last frame" capture if the interval falls into the last duration time
-	// value. For instance, using default values, adding a grace duration lets
-	// the command capture 5 intervals (0, 30, 60, 90, and 120th second) before
-	// exiting.
-	debugDurationGrace = 1 * time.Second
-
-	// debugCompressionExt is the default compression extension used if
-	// compression is enabled.
-	debugCompressionExt = ".tar.gz"
-
-	// fileFriendlyTimeFormat is the time format used for file and directory
-	// naming.
-	fileFriendlyTimeFormat = "2006-01-02T15-04-05Z"
-)
-
-// debugIndex represents the data structure in the index file
-type debugIndex struct {
-	Version                int                    `json:"version"`
-	VaultAddress           string                 `json:"vault_address"`
-	ClientVersion          string                 `json:"client_version"`
-	ServerVersion          string                 `json:"server_version"`
-	Timestamp              time.Time              `json:"timestamp"`
-	DurationSeconds        int                    `json:"duration_seconds"`
-	IntervalSeconds        int                    `json:"interval_seconds"`
-	MetricsIntervalSeconds int                    `json:"metrics_interval_seconds"`
-	Compress               bool                   `json:"compress"`
-	RawArgs                []string               `json:"raw_args"`
-	Targets                []string               `json:"targets"`
-	Output                 map[string]interface{} `json:"output"`
-	Errors                 []*captureError        `json:"errors"`
-}
-
-// captureError holds an error entry that can occur during polling capture.
-// It includes the timestamp, the target, and the error itself.
-type captureError struct {
-	TargetError string    `json:"error"`
-	Target      string    `json:"target"`
-	Timestamp   time.Time `json:"timestamp"`
+	return km
 }
 
-var (
-	_ cli.Command             = (*DebugCommand)(nil)
-	_ cli.CommandAutocomplete = (*DebugCommand)(nil)
-)
-
-type DebugCommand struct {
-	*BaseCommand
-
-	flagCompress        bool
-	flagDuration        time.Duration
-	flagInterval        time.Duration
-	flagMetricsInterval time.Duration
-	flagOutput          string
-	flagTargets         []string
-
-	// logFormat defines the output format for Monitor
-	logFormat string
+func TestBolt_SetGet(t *testing.T) {
+	ctx := context.Background()
 
-	// debugIndex is used to keep track of the index state, which gets written
-	// to a file at the end.
-	debugIndex *debugIndex
+	path, err := os.MkdirTemp("", "bolt-test")
+	require.NoError(t, err)
+	defer os.RemoveAll(path)
 
-	// skipTimingChecks bypasses timing-related checks, used primarily for tests
-	skipTimingChecks bool
-	// logger is the logger used for outputting capture progress
-	logger hclog.Logger
-
-	// ShutdownCh is used to capture interrupt signal and end polling capture
-	ShutdownCh chan struct{}
-
-	// Collection slices to hold data
-	hostInfoCollection          []map[string]interface{}
-	metricsCollection           []map[string]interface{}
-	replicationStatusCollection []map[string]interface{}
-	serverStatusCollection      []map[string]interface{}
-	inFlightReqStatusCollection []map[string]interface{}
-
-	// cachedClient holds the client retrieved during preflight
-	cachedClient *api.Client
-
-	// errLock is used to lock error capture into the index file
-	errLock sync.Mutex
-}
-
-func (c *DebugCommand) AutocompleteArgs() complete.Predictor {
-	// Predict targets
-	return c.PredictVaultDebugTargets()
-}
-
-func (c *DebugCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *DebugCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP)
-
-	f := set.NewFlagSet("Command Options")
-
-	f.BoolVar(&BoolVar{
-		Name:    "compress",
-		Target:  &c.flagCompress,
-		Default: true,
-		Usage:   "Toggles whether to compress output package",
-	})
-
-	f.DurationVar(&DurationVar{
-		Name:       "duration",
-		Target:     &c.flagDuration,
-		Completion: complete.PredictAnything,
-		Default:    2 * time.Minute,
-		Usage:      "Duration to run the command.",
-	})
-
-	f.DurationVar(&DurationVar{
-		Name:       "interval",
-		Target:     &c.flagInterval,
-		Completion: complete.PredictAnything,
-		Default:    30 * time.Second,
-		Usage:      "The polling interval at which to collect profiling data and server state.",
-	})
-
-	f.DurationVar(&DurationVar{
-		Name:       "metrics-interval",
-		Target:     &c.flagMetricsInterval,
-		Completion: complete.PredictAnything,
-		Default:    10 * time.Second,
-		Usage:      "The polling interval at which to collect metrics data.",
+	b, err := NewBoltStorage(&BoltStorageConfig{
+		Path:    path,
+		Logger:  hclog.Default(),
+		Wrapper: getTestKeyManager(t).Wrapper(),
 	})
-
-	f.StringVar(&StringVar{
-		Name:       "output",
-		Target:     &c.flagOutput,
-		Completion: complete.PredictAnything,
-		Usage:      "Specifies the output path for the debug package.",
-	})
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:   "target",
-		Target: &c.flagTargets,
-		Usage: "Target to capture, defaulting to all if none specified. " +
-			"This can be specified multiple times to capture multiple targets. " +
-			"Available targets are: config, host, metrics, pprof, " +
-			"replication-status, server-status, log.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:    "log-format",
-		Target:  &c.logFormat,
-		Default: "standard",
-		Usage: "Log format to be captured if \"log\" target specified. " +
-			"Supported values are \"standard\" and \"json\". The default is \"standard\".",
-	})
-
-	return set
-}
-
-func (c *DebugCommand) Help() string {
-	helpText := `
-Usage: vault debug [options]
-
-  Probes a specific Vault server node for a specified period of time, recording
-  information about the node, its cluster, and its host environment. The
-  information collected is packaged and written to the specified path.
-
-  Certain endpoints that this command uses require ACL permissions to access.
-  If not permitted, the information from these endpoints will not be part of the
-  output. The command uses the Vault address and token as specified via
-  the login command, environment variables, or CLI flags.
-
-  To create a debug package using default duration and interval values in the 
-  current directory that captures all applicable targets:
-
-  $ vault debug
-
-  To create a debug package with a specific duration and interval in the current
-  directory that capture all applicable targets:
-
-  $ vault debug -duration=10m -interval=1m
-
-  To create a debug package in the current directory with a specific sub-set of
-  targets:
-
-  $ vault debug -target=host -target=metrics
-
-` + c.Flags().Help()
-
-	return helpText
+	require.NoError(t, err)
+
+	secrets, err := b.GetByType(ctx, LeaseType)
+	assert.NoError(t, err)
+	require.Len(t, secrets, 0)
+
+	err = b.Set(ctx, "test1", []byte("hello"), LeaseType)
+	assert.NoError(t, err)
+	secrets, err = b.GetByType(ctx, LeaseType)
+	assert.NoError(t, err)
+	require.Len(t, secrets, 1)
+	assert.Equal(t, []byte("hello"), secrets[0])
 }
 
-func (c *DebugCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	parsedArgs := f.Args()
-	if len(parsedArgs) > 0 {
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(parsedArgs)))
-		return 1
-	}
-
-	// Initialize the logger for debug output
-	gatedWriter := gatedwriter.NewWriter(os.Stderr)
-	if c.logger == nil {
-		c.logger = logging.NewVaultLoggerWithWriter(gatedWriter, hclog.Trace)
-	}
-
-	dstOutputFile, err := c.preflight(args)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error during validation: %s", err))
-		return 1
-	}
-
-	// Print debug information
-	c.UI.Output("==> Starting debug capture...")
-	c.UI.Info(fmt.Sprintf("         Vault Address: %s", c.debugIndex.VaultAddress))
-	c.UI.Info(fmt.Sprintf("        Client Version: %s", c.debugIndex.ClientVersion))
-	c.UI.Info(fmt.Sprintf("        Server Version: %s", c.debugIndex.ServerVersion))
-	c.UI.Info(fmt.Sprintf("              Duration: %s", c.flagDuration))
-	c.UI.Info(fmt.Sprintf("              Interval: %s", c.flagInterval))
-	c.UI.Info(fmt.Sprintf("      Metrics Interval: %s", c.flagMetricsInterval))
-	c.UI.Info(fmt.Sprintf("               Targets: %s", strings.Join(c.flagTargets, ", ")))
-	c.UI.Info(fmt.Sprintf("                Output: %s", dstOutputFile))
-	c.UI.Output("")
+func TestBoltDelete(t *testing.T) {
+	ctx := context.Background()
 
-	// Release the log gate.
-	c.logger.(hclog.OutputResettable).ResetOutputWithFlush(&hclog.LoggerOptions{
-		Output: os.Stderr,
-	}, gatedWriter)
+	path, err := os.MkdirTemp("", "bolt-test")
+	require.NoError(t, err)
+	defer os.RemoveAll(path)
 
-	// Capture static information
-	c.UI.Info("==> Capturing static information...")
-	if err := c.captureStaticTargets(); err != nil {
-		c.UI.Error(fmt.Sprintf("Error capturing static information: %s", err))
-		return 2
-	}
-
-	c.UI.Output("")
-
-	// Capture polling information
-	c.UI.Info("==> Capturing dynamic information...")
-	if err := c.capturePollingTargets(); err != nil {
-		c.UI.Error(fmt.Sprintf("Error capturing dynamic information: %s", err))
-		return 2
-	}
-
-	c.UI.Output("Finished capturing information, bundling files...")
-
-	// Generate index file
-	if err := c.generateIndex(); err != nil {
-		c.UI.Error(fmt.Sprintf("Error generating index: %s", err))
-		return 1
-	}
-
-	if c.flagCompress {
-		if err := c.compress(dstOutputFile); err != nil {
-			c.UI.Error(fmt.Sprintf("Error encountered during bundle compression: %s", err))
-			// We want to inform that data collection was captured and stored in
-			// a directory even if compression fails
-			c.UI.Info(fmt.Sprintf("Data written to: %s", c.flagOutput))
-			return 1
-		}
-	}
-
-	c.UI.Info(fmt.Sprintf("Success! Bundle written to: %s", dstOutputFile))
-	return 0
+	b, err := NewBoltStorage(&BoltStorageConfig{
+		Path:    path,
+		Logger:  hclog.Default(),
+		Wrapper: getTestKeyManager(t).Wrapper(),
+	})
+	require.NoError(t, err)
+
+	err = b.Set(ctx, "secret-test1", []byte("hello1"), LeaseType)
+	require.NoError(t, err)
+	err = b.Set(ctx, "secret-test2", []byte("hello2"), LeaseType)
+	require.NoError(t, err)
+
+	secrets, err := b.GetByType(ctx, LeaseType)
+	require.NoError(t, err)
+	assert.Len(t, secrets, 2)
+	assert.ElementsMatch(t, [][]byte{[]byte("hello1"), []byte("hello2")}, secrets)
+
+	err = b.Delete("secret-test1", LeaseType)
+	require.NoError(t, err)
+	secrets, err = b.GetByType(ctx, LeaseType)
+	require.NoError(t, err)
+	require.Len(t, secrets, 1)
+	assert.Equal(t, []byte("hello2"), secrets[0])
 }
 
-func (c *DebugCommand) Synopsis() string {
-	return "Runs the debug command"
-}
+func TestBoltClear(t *testing.T) {
+	ctx := context.Background()
 
-func (c *DebugCommand) generateIndex() error {
-	outputLayout := map[string]interface{}{
-		"files": []string{},
-	}
-	// Walk the directory to generate the output layout
-	err := filepath.Walk(c.flagOutput, func(path string, info os.FileInfo, err error) error {
-		// Prevent panic by handling failure accessing a path
-		if err != nil {
-			return err
-		}
+	path, err := os.MkdirTemp("", "bolt-test")
+	require.NoError(t, err)
+	defer os.RemoveAll(path)
 
-		// Skip the base dir
-		if path == c.flagOutput {
-			return nil
-		}
-
-		// If we're a directory, simply add a corresponding map
-		if info.IsDir() {
-			parsedTime, err := time.Parse(fileFriendlyTimeFormat, info.Name())
-			if err != nil {
-				return err
-			}
-
-			outputLayout[info.Name()] = map[string]interface{}{
-				"timestamp": parsedTime,
-				"files":     []string{},
-			}
-			return nil
-		}
-
-		relPath, err := filepath.Rel(c.flagOutput, path)
-		if err != nil {
-			return err
-		}
-
-		dir, file := filepath.Split(relPath)
-		if len(dir) != 0 {
-			dir = filepath.Clean(dir)
-			filesArr := outputLayout[dir].(map[string]interface{})["files"]
-			outputLayout[dir].(map[string]interface{})["files"] = append(filesArr.([]string), file)
-		} else {
-			outputLayout["files"] = append(outputLayout["files"].([]string), file)
-		}
-
-		return nil
+	b, err := NewBoltStorage(&BoltStorageConfig{
+		Path:    path,
+		Logger:  hclog.Default(),
+		Wrapper: getTestKeyManager(t).Wrapper(),
 	})
-	if err != nil {
-		return fmt.Errorf("error generating directory output layout: %s", err)
-	}
-
-	c.debugIndex.Output = outputLayout
-
-	// Marshal into json
-	bytes, err := json.MarshalIndent(c.debugIndex, "", "  ")
-	if err != nil {
-		return fmt.Errorf("error marshaling index file: %s", err)
-	}
-
-	// Write out file
-	if err := ioutil.WriteFile(filepath.Join(c.flagOutput, "index.json"), bytes, 0o600); err != nil {
-		return fmt.Errorf("error generating index file; %s", err)
-	}
-
-	return nil
+	require.NoError(t, err)
+
+	// Populate the bolt db
+	err = b.Set(ctx, "secret-test1", []byte("hello1"), LeaseType)
+	require.NoError(t, err)
+	secrets, err := b.GetByType(ctx, LeaseType)
+	require.NoError(t, err)
+	require.Len(t, secrets, 1)
+	assert.Equal(t, []byte("hello1"), secrets[0])
+
+	err = b.Set(ctx, "auth-test1", []byte("hello2"), LeaseType)
+	require.NoError(t, err)
+	auths, err := b.GetByType(ctx, LeaseType)
+	require.NoError(t, err)
+	require.Len(t, auths, 2)
+	assert.Equal(t, []byte("hello1"), auths[0])
+	assert.Equal(t, []byte("hello2"), auths[1])
+
+	err = b.Set(ctx, "token-test1", []byte("hello"), TokenType)
+	require.NoError(t, err)
+	tokens, err := b.GetByType(ctx, TokenType)
+	require.NoError(t, err)
+	require.Len(t, tokens, 1)
+	assert.Equal(t, []byte("hello"), tokens[0])
+
+	err = b.Set(ctx, "static-secret", []byte("hello"), StaticSecretType)
+	require.NoError(t, err)
+	staticSecrets, err := b.GetByType(ctx, StaticSecretType)
+	require.NoError(t, err)
+	require.Len(t, staticSecrets, 1)
+	assert.Equal(t, []byte("hello"), staticSecrets[0])
+
+	err = b.Set(ctx, "capabilities-index", []byte("hello"), TokenCapabilitiesType)
+	require.NoError(t, err)
+	capabilities, err := b.GetByType(ctx, TokenCapabilitiesType)
+	require.NoError(t, err)
+	require.Len(t, capabilities, 1)
+	assert.Equal(t, []byte("hello"), capabilities[0])
+
+	// Clear the bolt db, and check that it's indeed clear
+	err = b.Clear()
+	require.NoError(t, err)
+	auths, err = b.GetByType(ctx, LeaseType)
+	require.NoError(t, err)
+	assert.Len(t, auths, 0)
+	tokens, err = b.GetByType(ctx, TokenType)
+	require.NoError(t, err)
+	assert.Len(t, tokens, 0)
+	staticSecrets, err = b.GetByType(ctx, StaticSecretType)
+	require.NoError(t, err)
+	require.Len(t, staticSecrets, 0)
+	capabilities, err = b.GetByType(ctx, TokenCapabilitiesType)
+	require.NoError(t, err)
+	require.Len(t, capabilities, 0)
 }
 
-// preflight performs various checks against the provided flags to ensure they
-// are valid/reasonable values. It also takes care of instantiating a client and
-// index object for use by the command.
-func (c *DebugCommand) preflight(rawArgs []string) (string, error) {
-	if !c.skipTimingChecks {
-		// Guard duration and interval values to acceptable values
-		if c.flagDuration < debugMinInterval {
-			c.UI.Info(fmt.Sprintf("Overwriting duration value %q to the minimum value of %q", c.flagDuration, debugMinInterval))
-			c.flagDuration = debugMinInterval
-		}
-		if c.flagInterval < debugMinInterval {
-			c.UI.Info(fmt.Sprintf("Overwriting interval value %q to the minimum value of %q", c.flagInterval, debugMinInterval))
-			c.flagInterval = debugMinInterval
-		}
-		if c.flagMetricsInterval < debugMinInterval {
-			c.UI.Info(fmt.Sprintf("Overwriting metrics interval value %q to the minimum value of %q", c.flagMetricsInterval, debugMinInterval))
-			c.flagMetricsInterval = debugMinInterval
-		}
-	}
-
-	// These timing checks are always applicable since interval shouldn't be
-	// greater than the duration
-	if c.flagInterval > c.flagDuration {
-		c.UI.Info(fmt.Sprintf("Overwriting interval value %q to the duration value %q", c.flagInterval, c.flagDuration))
-		c.flagInterval = c.flagDuration
-	}
-	if c.flagMetricsInterval > c.flagDuration {
-		c.UI.Info(fmt.Sprintf("Overwriting metrics interval value %q to the duration value %q", c.flagMetricsInterval, c.flagDuration))
-		c.flagMetricsInterval = c.flagDuration
-	}
-
-	if len(c.flagTargets) == 0 {
-		c.flagTargets = c.defaultTargets()
-	} else {
-		// Check for any invalid targets and ignore them if found
-		invalidTargets := strutil.Difference(c.flagTargets, c.defaultTargets(), true)
-		if len(invalidTargets) != 0 {
-			c.UI.Info(fmt.Sprintf("Ignoring invalid targets: %s", strings.Join(invalidTargets, ", ")))
-			c.flagTargets = strutil.Difference(c.flagTargets, invalidTargets, true)
-		}
-	}
-
-	// Make sure we can talk to the server
-	client, err := c.Client()
-	if err != nil {
-		return "", fmt.Errorf("unable to create client to connect to Vault: %s", err)
-	}
-	serverHealth, err := client.Sys().Health()
-	if err != nil {
-		return "", fmt.Errorf("unable to connect to the server: %s", err)
-	}
+func TestBoltSetAutoAuthToken(t *testing.T) {
+	ctx := context.Background()
 
-	// Check if server is DR Secondary and we need to further
-	// ignore any targets due to endpoint restrictions
-	if serverHealth.ReplicationDRMode == "secondary" {
-		invalidDRTargets := strutil.Difference(c.flagTargets, c.validDRSecondaryTargets(), true)
-		if len(invalidDRTargets) != 0 {
-			c.UI.Info(fmt.Sprintf("Ignoring invalid targets for DR Secondary: %s", strings.Join(invalidDRTargets, ", ")))
-			c.flagTargets = strutil.Difference(c.flagTargets, invalidDRTargets, true)
-		}
-	}
-	c.cachedClient = client
-
-	captureTime := time.Now().UTC()
-	if len(c.flagOutput) == 0 {
-		formattedTime := captureTime.Format(fileFriendlyTimeFormat)
-		c.flagOutput = fmt.Sprintf("vault-debug-%s", formattedTime)
-	}
+	path, err := os.MkdirTemp("", "bolt-test")
+	require.NoError(t, err)
+	defer os.RemoveAll(path)
 
-	// Strip trailing slash before proceeding
-	c.flagOutput = filepath.Clean(c.flagOutput)
-
-	// If compression is enabled, trim the extension so that the files are
-	// written to a directory even if compression somehow fails. We ensure the
-	// extension during compression. We also prevent overwriting if the file
-	// already exists.
-	dstOutputFile := c.flagOutput
-	if c.flagCompress {
-		if !strings.HasSuffix(dstOutputFile, ".tar.gz") && !strings.HasSuffix(dstOutputFile, ".tgz") {
-			dstOutputFile = dstOutputFile + debugCompressionExt
-		}
-
-		// Ensure that the file doesn't already exist, and ensure that we always
-		// trim the extension from flagOutput since we'll be progressively
-		// writing to that.
-		_, err := os.Stat(dstOutputFile)
-		switch {
-		case os.IsNotExist(err):
-			c.flagOutput = strings.TrimSuffix(c.flagOutput, ".tar.gz")
-			c.flagOutput = strings.TrimSuffix(c.flagOutput, ".tgz")
-		case err != nil:
-			return "", fmt.Errorf("unable to stat file: %s", err)
-		default:
-			return "", fmt.Errorf("output file already exists: %s", dstOutputFile)
-		}
-	}
-
-	// Stat check the directory to ensure we don't override any existing data.
-	_, err = os.Stat(c.flagOutput)
-	switch {
-	case os.IsNotExist(err):
-		err := os.MkdirAll(c.flagOutput, 0o700)
-		if err != nil {
-			return "", fmt.Errorf("unable to create output directory: %s", err)
-		}
-	case err != nil:
-		return "", fmt.Errorf("unable to stat directory: %s", err)
-	default:
-		return "", fmt.Errorf("output directory already exists: %s", c.flagOutput)
-	}
-
-	// Populate initial index fields
-	c.debugIndex = &debugIndex{
-		VaultAddress:           client.Address(),
-		ClientVersion:          version.GetVersion().VersionNumber(),
-		ServerVersion:          serverHealth.Version,
-		Compress:               c.flagCompress,
-		DurationSeconds:        int(c.flagDuration.Seconds()),
-		IntervalSeconds:        int(c.flagInterval.Seconds()),
-		MetricsIntervalSeconds: int(c.flagMetricsInterval.Seconds()),
-		RawArgs:                rawArgs,
-		Version:                debugIndexVersion,
-		Targets:                c.flagTargets,
-		Timestamp:              captureTime,
-		Errors:                 []*captureError{},
-	}
-
-	return dstOutputFile, nil
-}
-
-func (c *DebugCommand) defaultTargets() []string {
-	return []string{"config", "host", "requests", "metrics", "pprof", "replication-status", "server-status", "log"}
-}
-
-func (c *DebugCommand) validDRSecondaryTargets() []string {
-	return []string{"metrics", "replication-status", "server-status"}
+	b, err := NewBoltStorage(&BoltStorageConfig{
+		Path:    path,
+		Logger:  hclog.Default(),
+		Wrapper: getTestKeyManager(t).Wrapper(),
+	})
+	require.NoError(t, err)
+
+	token, err := b.GetAutoAuthToken(ctx)
+	assert.NoError(t, err)
+	assert.Nil(t, token)
+
+	// set first token
+	err = b.Set(ctx, "token-test1", []byte("hello 1"), TokenType)
+	require.NoError(t, err)
+	secrets, err := b.GetByType(ctx, TokenType)
+	require.NoError(t, err)
+	require.Len(t, secrets, 1)
+	assert.Equal(t, []byte("hello 1"), secrets[0])
+	token, err = b.GetAutoAuthToken(ctx)
+	assert.NoError(t, err)
+	assert.Equal(t, []byte("hello 1"), token)
+
+	// set second token
+	err = b.Set(ctx, "token-test2", []byte("hello 2"), TokenType)
+	require.NoError(t, err)
+	secrets, err = b.GetByType(ctx, TokenType)
+	require.NoError(t, err)
+	require.Len(t, secrets, 2)
+	assert.ElementsMatch(t, [][]byte{[]byte("hello 1"), []byte("hello 2")}, secrets)
+	token, err = b.GetAutoAuthToken(ctx)
+	assert.NoError(t, err)
+	assert.Equal(t, []byte("hello 2"), token)
 }
 
-func (c *DebugCommand) captureStaticTargets() error {
-	// Capture configuration state
-	if strutil.StrListContains(c.flagTargets, "config") {
-		c.logger.Info("capturing configuration state")
-
-		resp, err := c.cachedClient.Logical().Read("sys/config/state/sanitized")
-		if err != nil {
-			c.captureError("config", err)
-			c.logger.Error("config: error capturing config state", "error", err)
-			return nil
-		}
-
-		if resp != nil && resp.Data != nil {
-			collection := []map[string]interface{}{
-				{
-					"timestamp": time.Now().UTC(),
-					"config":    resp.Data,
-				},
+func TestDBFileExists(t *testing.T) {
+	testCases := []struct {
+		name        string
+		mkDir       bool
+		createFile  bool
+		expectExist bool
+	}{
+		{
+			name:        "all exists",
+			mkDir:       true,
+			createFile:  true,
+			expectExist: true,
+		},
+		{
+			name:        "dir exist, file missing",
+			mkDir:       true,
+			createFile:  false,
+			expectExist: false,
+		},
+		{
+			name:        "all missing",
+			mkDir:       false,
+			createFile:  false,
+			expectExist: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			var tmpPath string
+			var err error
+			if tc.mkDir {
+				tmpPath, err = os.MkdirTemp("", "test-db-path")
+				require.NoError(t, err)
 			}
-			if err := c.persistCollection(collection, "config.json"); err != nil {
-				c.UI.Error(fmt.Sprintf("Error writing data to %s: %v", "config.json", err))
-			}
-		}
-	}
-
-	return nil
-}
-
-// capturePollingTargets captures all dynamic targets over the specified
-// duration and interval.
-func (c *DebugCommand) capturePollingTargets() error {
-	var g run.Group
-
-	ctx, cancelFunc := context.WithTimeout(context.Background(), c.flagDuration+debugDurationGrace)
-	defer cancelFunc()
-
-	// This run group watches for interrupt or duration
-	g.Add(func() error {
-		for {
-			select {
-			case <-c.ShutdownCh:
-				return nil
-			case <-ctx.Done():
-				return nil
+			if tc.createFile {
+				err = os.WriteFile(path.Join(tmpPath, DatabaseFileName), []byte("test-db-path"), 0o600)
+				require.NoError(t, err)
 			}
-		}
-	}, func(error) {})
-
-	// Collect host-info if target is specified
-	if strutil.StrListContains(c.flagTargets, "host") {
-		g.Add(func() error {
-			c.collectHostInfo(ctx)
-			return nil
-		}, func(error) {
-			cancelFunc()
-		})
-	}
-
-	// Collect metrics if target is specified
-	if strutil.StrListContains(c.flagTargets, "metrics") {
-		g.Add(func() error {
-			c.collectMetrics(ctx)
-			return nil
-		}, func(error) {
-			cancelFunc()
-		})
-	}
-
-	// Collect pprof data if target is specified
-	if strutil.StrListContains(c.flagTargets, "pprof") {
-		g.Add(func() error {
-			c.collectPprof(ctx)
-			return nil
-		}, func(error) {
-			cancelFunc()
-		})
-	}
-
-	// Collect replication status if target is specified
-	if strutil.StrListContains(c.flagTargets, "replication-status") {
-		g.Add(func() error {
-			c.collectReplicationStatus(ctx)
-			return nil
-		}, func(error) {
-			cancelFunc()
-		})
-	}
-
-	// Collect server status if target is specified
-	if strutil.StrListContains(c.flagTargets, "server-status") {
-		g.Add(func() error {
-			c.collectServerStatus(ctx)
-			return nil
-		}, func(error) {
-			cancelFunc()
-		})
-	}
-
-	// Collect in-flight request status if target is specified
-	if strutil.StrListContains(c.flagTargets, "requests") {
-		g.Add(func() error {
-			c.collectInFlightRequestStatus(ctx)
-			return nil
-		}, func(error) {
-			cancelFunc()
+			exists, err := DBFileExists(tmpPath)
+			assert.NoError(t, err)
+			assert.Equal(t, tc.expectExist, exists)
 		})
 	}
-
-	if strutil.StrListContains(c.flagTargets, "log") {
-		g.Add(func() error {
-			c.writeLogs(ctx)
-			// If writeLogs returned earlier due to an error, wait for context
-			// to terminate so we don't abort everything.
-			<-ctx.Done()
-			return nil
-		}, func(error) {
-			cancelFunc()
-		})
-	}
-
-	// We shouldn't bump across errors since none is returned by the interrupts,
-	// but we error check for sanity here.
-	if err := g.Run(); err != nil {
-		return err
-	}
-
-	// Write collected data to their corresponding files
-	if err := c.persistCollection(c.metricsCollection, "metrics.json"); err != nil {
-		c.UI.Error(fmt.Sprintf("Error writing data to %s: %v", "metrics.json", err))
-	}
-	if err := c.persistCollection(c.serverStatusCollection, "server_status.json"); err != nil {
-		c.UI.Error(fmt.Sprintf("Error writing data to %s: %v", "server_status.json", err))
-	}
-	if err := c.persistCollection(c.replicationStatusCollection, "replication_status.json"); err != nil {
-		c.UI.Error(fmt.Sprintf("Error writing data to %s: %v", "replication_status.json", err))
-	}
-	if err := c.persistCollection(c.hostInfoCollection, "host_info.json"); err != nil {
-		c.UI.Error(fmt.Sprintf("Error writing data to %s: %v", "host_info.json", err))
-	}
-	if err := c.persistCollection(c.inFlightReqStatusCollection, "requests.json"); err != nil {
-		c.UI.Error(fmt.Sprintf("Error writing data to %s: %v", "requests.json", err))
-	}
-	return nil
-}
-
-func (c *DebugCommand) collectHostInfo(ctx context.Context) {
-	idxCount := 0
-	intervalTicker := time.Tick(c.flagInterval)
-
-	for {
-		if idxCount > 0 {
-			select {
-			case <-ctx.Done():
-				return
-			case <-intervalTicker:
-			}
-		}
-
-		c.logger.Info("capturing host information", "count", idxCount)
-		idxCount++
-
-		r := c.cachedClient.NewRequest("GET", "/v1/sys/host-info")
-		resp, err := c.cachedClient.RawRequestWithContext(ctx, r)
-		if err != nil {
-			c.captureError("host", err)
-			return
-		}
-		if resp != nil {
-			defer resp.Body.Close()
-
-			secret, err := api.ParseSecret(resp.Body)
-			if err != nil {
-				c.captureError("host", err)
-				return
-			}
-			if secret != nil && secret.Data != nil {
-				hostEntry := secret.Data
-				c.hostInfoCollection = append(c.hostInfoCollection, hostEntry)
-			}
-		}
-	}
 }
 
-func (c *DebugCommand) collectMetrics(ctx context.Context) {
-	idxCount := 0
-	intervalTicker := time.Tick(c.flagMetricsInterval)
-
-	for {
-		if idxCount > 0 {
-			select {
-			case <-ctx.Done():
-				return
-			case <-intervalTicker:
-			}
-		}
-
-		c.logger.Info("capturing metrics", "count", idxCount)
-		idxCount++
-
-		// Perform metrics request
-		r := c.cachedClient.NewRequest("GET", "/v1/sys/metrics")
-		resp, err := c.cachedClient.RawRequestWithContext(ctx, r)
-		if err != nil {
-			c.captureError("metrics", err)
-			continue
-		}
-		if resp != nil {
-			defer resp.Body.Close()
-
-			metricsEntry := make(map[string]interface{})
-			err := json.NewDecoder(resp.Body).Decode(&metricsEntry)
-			if err != nil {
-				c.captureError("metrics", err)
-				continue
+func Test_SetGetRetrievalToken(t *testing.T) {
+	testCases := []struct {
+		name          string
+		tokenToSet    []byte
+		expectedToken []byte
+	}{
+		{
+			name:          "normal set and get",
+			tokenToSet:    []byte("test token"),
+			expectedToken: []byte("test token"),
+		},
+		{
+			name:          "no token set",
+			tokenToSet:    nil,
+			expectedToken: nil,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			path, err := os.MkdirTemp("", "bolt-test")
+			require.NoError(t, err)
+			defer os.RemoveAll(path)
+
+			b, err := NewBoltStorage(&BoltStorageConfig{
+				Path:    path,
+				Logger:  hclog.Default(),
+				Wrapper: getTestKeyManager(t).Wrapper(),
+			})
+			require.NoError(t, err)
+			defer b.Close()
+
+			if tc.tokenToSet != nil {
+				err := b.StoreRetrievalToken(tc.tokenToSet)
+				require.NoError(t, err)
 			}
-			c.metricsCollection = append(c.metricsCollection, metricsEntry)
-		}
+			gotKey, err := b.GetRetrievalToken()
+			assert.NoError(t, err)
+			assert.Equal(t, tc.expectedToken, gotKey)
+		})
 	}
 }
 
-func (c *DebugCommand) collectPprof(ctx context.Context) {
-	idxCount := 0
-	startTime := time.Now()
-	intervalTicker := time.Tick(c.flagInterval)
+func TestBolt_MigrateFromV1ToV2Schema(t *testing.T) {
+	ctx := context.Background()
 
-	for {
-		if idxCount > 0 {
-			select {
-			case <-ctx.Done():
-				return
-			case <-intervalTicker:
-			}
-		}
-
-		currentTimestamp := time.Now().UTC()
-		c.logger.Info("capturing pprof data", "count", idxCount)
-		idxCount++
-
-		// Create a sub-directory for pprof data
-		currentDir := currentTimestamp.Format(fileFriendlyTimeFormat)
-		dirName := filepath.Join(c.flagOutput, currentDir)
-		if err := os.MkdirAll(dirName, 0o700); err != nil {
-			c.UI.Error(fmt.Sprintf("Error creating sub-directory for time interval: %s", err))
-			continue
-		}
-
-		var wg sync.WaitGroup
-
-		for _, target := range []string{"threadcreate", "allocs", "block", "mutex", "goroutine", "heap"} {
-			wg.Add(1)
-			go func(target string) {
-				defer wg.Done()
-				data, err := pprofTarget(ctx, c.cachedClient, target, nil)
-				if err != nil {
-					c.captureError("pprof."+target, err)
-					return
-				}
-
-				err = ioutil.WriteFile(filepath.Join(dirName, target+".prof"), data, 0o600)
-				if err != nil {
-					c.captureError("pprof."+target, err)
-				}
-			}(target)
-		}
-
-		// As a convenience, we'll also fetch the goroutine target using debug=2, which yields a text
-		// version of the stack traces that don't require using `go tool pprof` to view.
-		wg.Add(1)
-		go func() {
-			defer wg.Done()
-			data, err := pprofTarget(ctx, c.cachedClient, "goroutine", url.Values{"debug": []string{"2"}})
-			if err != nil {
-				c.captureError("pprof.goroutines-text", err)
-				return
-			}
+	path, err := os.MkdirTemp("", "bolt-test")
+	require.NoError(t, err)
+	defer os.RemoveAll(path)
 
-			err = ioutil.WriteFile(filepath.Join(dirName, "goroutines.txt"), data, 0o600)
-			if err != nil {
-				c.captureError("pprof.goroutines-text", err)
-			}
-		}()
-
-		// If the our remaining duration is less than the interval value
-		// skip profile and trace.
-		runDuration := currentTimestamp.Sub(startTime)
-		if (c.flagDuration+debugDurationGrace)-runDuration < c.flagInterval {
-			wg.Wait()
-			continue
-		}
-
-		// Capture profile
-		wg.Add(1)
-		go func() {
-			defer wg.Done()
-			data, err := pprofProfile(ctx, c.cachedClient, c.flagInterval)
-			if err != nil {
-				c.captureError("pprof.profile", err)
-				return
-			}
-
-			err = ioutil.WriteFile(filepath.Join(dirName, "profile.prof"), data, 0o600)
-			if err != nil {
-				c.captureError("pprof.profile", err)
-			}
-		}()
-
-		// Capture trace
-		wg.Add(1)
-		go func() {
-			defer wg.Done()
-			data, err := pprofTrace(ctx, c.cachedClient, c.flagInterval)
-			if err != nil {
-				c.captureError("pprof.trace", err)
-				return
-			}
-
-			err = ioutil.WriteFile(filepath.Join(dirName, "trace.out"), data, 0o600)
-			if err != nil {
-				c.captureError("pprof.trace", err)
-			}
-		}()
-
-		wg.Wait()
-	}
-}
-
-func (c *DebugCommand) collectReplicationStatus(ctx context.Context) {
-	idxCount := 0
-	intervalTicker := time.Tick(c.flagInterval)
-
-	for {
-		if idxCount > 0 {
-			select {
-			case <-ctx.Done():
-				return
-			case <-intervalTicker:
-			}
-		}
-
-		c.logger.Info("capturing replication status", "count", idxCount)
-		idxCount++
-
-		r := c.cachedClient.NewRequest("GET", "/v1/sys/replication/status")
-		resp, err := c.cachedClient.RawRequestWithContext(ctx, r)
-		if err != nil {
-			c.captureError("replication-status", err)
-			return
-		}
-		if resp != nil {
-			defer resp.Body.Close()
-
-			secret, err := api.ParseSecret(resp.Body)
-			if err != nil {
-				c.captureError("replication-status", err)
-				return
-			}
-			if secret != nil && secret.Data != nil {
-				replicationEntry := secret.Data
-				replicationEntry["timestamp"] = time.Now().UTC()
-				c.replicationStatusCollection = append(c.replicationStatusCollection, replicationEntry)
-			}
-		}
+	dbPath := filepath.Join(path, DatabaseFileName)
+	db, err := bolt.Open(dbPath, 0o600, &bolt.Options{Timeout: 1 * time.Second})
+	require.NoError(t, err)
+	err = db.Update(func(tx *bolt.Tx) error {
+		return createBoltSchema(tx, "1")
+	})
+	require.NoError(t, err)
+	b := &BoltStorage{
+		db:      db,
+		logger:  hclog.Default(),
+		wrapper: getTestKeyManager(t).Wrapper(),
 	}
-}
 
-func (c *DebugCommand) collectServerStatus(ctx context.Context) {
-	idxCount := 0
-	intervalTicker := time.Tick(c.flagInterval)
-
-	for {
-		if idxCount > 0 {
-			select {
-			case <-ctx.Done():
-				return
-			case <-intervalTicker:
-			}
-		}
-
-		c.logger.Info("capturing server status", "count", idxCount)
-		idxCount++
-
-		healthInfo, err := c.cachedClient.Sys().Health()
+	// Manually insert some items into the v1 schema.
+	err = db.Update(func(tx *bolt.Tx) error {
+		blob, err := b.wrapper.Encrypt(ctx, []byte("ignored-contents"))
 		if err != nil {
-			c.captureError("server-status.health", err)
+			return fmt.Errorf("error encrypting contents: %w", err)
 		}
-		sealInfo, err := c.cachedClient.Sys().SealStatus()
+		protoBlob, err := proto.Marshal(blob)
 		if err != nil {
-			c.captureError("server-status.seal", err)
+			return err
 		}
 
-		statusEntry := map[string]interface{}{
-			"timestamp": time.Now().UTC(),
-			"health":    healthInfo,
-			"seal":      sealInfo,
-		}
-		c.serverStatusCollection = append(c.serverStatusCollection, statusEntry)
-	}
-}
-
-func (c *DebugCommand) collectInFlightRequestStatus(ctx context.Context) {
-	idxCount := 0
-	intervalTicker := time.Tick(c.flagInterval)
-
-	for {
-		if idxCount > 0 {
-			select {
-			case <-ctx.Done():
-				return
-			case <-intervalTicker:
-			}
+		if err := tx.Bucket([]byte(authLeaseType)).Put([]byte("test-auth-id-1"), protoBlob); err != nil {
+			return err
 		}
-
-		c.logger.Info("capturing in-flight request status", "count", idxCount)
-		idxCount++
-
-		req := c.cachedClient.NewRequest("GET", "/v1/sys/in-flight-req")
-		resp, err := c.cachedClient.RawRequestWithContext(ctx, req)
-		if err != nil {
-			c.captureError("requests", err)
-			return
+		if err := tx.Bucket([]byte(authLeaseType)).Put([]byte("test-auth-id-2"), protoBlob); err != nil {
+			return err
 		}
-
-		var data map[string]interface{}
-		if resp != nil {
-			defer resp.Body.Close()
-			err = jsonutil.DecodeJSONFromReader(resp.Body, &data)
-			if err != nil {
-				c.captureError("requests", err)
-				return
-			}
-
-			statusEntry := map[string]interface{}{
-				"timestamp":          time.Now().UTC(),
-				"in_flight_requests": data,
-			}
-			c.inFlightReqStatusCollection = append(c.inFlightReqStatusCollection, statusEntry)
+		if err := tx.Bucket([]byte(secretLeaseType)).Put([]byte("test-secret-id-1"), protoBlob); err != nil {
+			return err
 		}
-	}
-}
 
-// persistCollection writes the collected data for a particular target onto the
-// specified file. If the collection is empty, it returns immediately.
-func (c *DebugCommand) persistCollection(collection []map[string]interface{}, outFile string) error {
-	if len(collection) == 0 {
 		return nil
-	}
-
-	// Write server-status file and update the index
-	bytes, err := json.MarshalIndent(collection, "", "  ")
-	if err != nil {
-		return err
-	}
-	if err := ioutil.WriteFile(filepath.Join(c.flagOutput, outFile), bytes, 0o600); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (c *DebugCommand) compress(dst string) error {
-	if runtime.GOOS != "windows" {
-		defer osutil.Umask(osutil.Umask(0o077))
-	}
-
-	tgz := archiver.NewTarGz()
-	if err := tgz.Archive([]string{c.flagOutput}, dst); err != nil {
-		return fmt.Errorf("failed to compress data: %s", err)
-	}
-
-	// If everything is fine up to this point, remove original directory
-	if err := os.RemoveAll(c.flagOutput); err != nil {
-		return fmt.Errorf("failed to remove data directory: %s", err)
-	}
-
-	return nil
-}
-
-func pprofTarget(ctx context.Context, client *api.Client, target string, params url.Values) ([]byte, error) {
-	req := client.NewRequest("GET", "/v1/sys/pprof/"+target)
-	if params != nil {
-		req.Params = params
-	}
-	resp, err := client.RawRequestWithContext(ctx, req)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-
-	data, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		return nil, err
-	}
-
-	return data, nil
-}
-
-func pprofProfile(ctx context.Context, client *api.Client, duration time.Duration) ([]byte, error) {
-	seconds := int(duration.Seconds())
-	secStr := strconv.Itoa(seconds)
-
-	req := client.NewRequest("GET", "/v1/sys/pprof/profile")
-	req.Params.Add("seconds", secStr)
-	resp, err := client.RawRequestWithContext(ctx, req)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-
-	data, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		return nil, err
-	}
-
-	return data, nil
+	})
+	require.NoError(t, err)
+
+	// Check we have the contents we would expect for the v1 schema.
+	leases, err := b.GetByType(ctx, authLeaseType)
+	require.NoError(t, err)
+	assert.Len(t, leases, 2)
+	leases, err = b.GetByType(ctx, secretLeaseType)
+	require.NoError(t, err)
+	assert.Len(t, leases, 1)
+	leases, err = b.GetByType(ctx, LeaseType)
+	require.Error(t, err)
+	assert.True(t, strings.Contains(err.Error(), "not found"))
+
+	// Now migrate to the v2 schema.
+	err = db.Update(migrateFromV1ToV2Schema)
+	require.NoError(t, err)
+
+	// Check all the leases have been migrated into one bucket.
+	leases, err = b.GetByType(ctx, authLeaseType)
+	require.Error(t, err)
+	assert.True(t, strings.Contains(err.Error(), "not found"))
+	leases, err = b.GetByType(ctx, secretLeaseType)
+	require.Error(t, err)
+	assert.True(t, strings.Contains(err.Error(), "not found"))
+	leases, err = b.GetByType(ctx, LeaseType)
+	require.NoError(t, err)
+	assert.Len(t, leases, 3)
 }
 
-func pprofTrace(ctx context.Context, client *api.Client, duration time.Duration) ([]byte, error) {
-	seconds := int(duration.Seconds())
-	secStr := strconv.Itoa(seconds)
-
-	req := client.NewRequest("GET", "/v1/sys/pprof/trace")
-	req.Params.Add("seconds", secStr)
-	resp, err := client.RawRequestWithContext(ctx, req)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-
-	data, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		return nil, err
-	}
+func TestBolt_MigrateFromInvalidToV2Schema(t *testing.T) {
+	ctx := context.Background()
 
-	return data, nil
-}
+	path, err := os.MkdirTemp("", "bolt-test")
+	require.NoError(t, err)
+	defer os.RemoveAll(path)
 
-// newCaptureError instantiates a new captureError.
-func (c *DebugCommand) captureError(target string, err error) {
-	c.errLock.Lock()
-	c.debugIndex.Errors = append(c.debugIndex.Errors, &captureError{
-		TargetError: err.Error(),
-		Target:      target,
-		Timestamp:   time.Now().UTC(),
-	})
-	c.errLock.Unlock()
-}
-
-func (c *DebugCommand) writeLogs(ctx context.Context) {
-	out, err := os.OpenFile(filepath.Join(c.flagOutput, "vault.log"), os.O_CREATE|os.O_WRONLY, 0o600)
-	if err != nil {
-		c.captureError("log", err)
-		return
+	dbPath := filepath.Join(path, DatabaseFileName)
+	db, err := bolt.Open(dbPath, 0o600, &bolt.Options{Timeout: 1 * time.Second})
+	require.NoError(t, err)
+	b := &BoltStorage{
+		db:      db,
+		logger:  hclog.Default(),
+		wrapper: getTestKeyManager(t).Wrapper(),
 	}
-	defer out.Close()
 
-	// Create Monitor specific client based on the cached client
-	mClient, err := c.cachedClient.Clone()
-	if err != nil {
-		c.captureError("log", err)
-		return
+	// All GetByType calls should fail as there's no schema
+	for _, bucket := range []string{authLeaseType, secretLeaseType, LeaseType} {
+		_, err = b.GetByType(ctx, bucket)
+		require.Error(t, err)
+		assert.True(t, strings.Contains(err.Error(), "not found"))
 	}
-	mClient.SetToken(c.cachedClient.Token())
 
-	// Set timeout to match the context explicitly
-	mClient.SetClientTimeout(c.flagDuration + debugDurationGrace)
+	// Now migrate to the v2 schema.
+	err = db.Update(migrateFromV1ToV2Schema)
+	require.NoError(t, err)
 
-	logCh, err := mClient.Sys().Monitor(ctx, "trace", c.logFormat)
-	if err != nil {
-		c.captureError("log", err)
-		return
+	// Deprecated auth and secret lease buckets still shouldn't exist
+	// All GetByType calls should fail as there's no schema
+	for _, bucket := range []string{authLeaseType, secretLeaseType} {
+		_, err = b.GetByType(ctx, bucket)
+		require.Error(t, err)
+		assert.True(t, strings.Contains(err.Error(), "not found"))
 	}
 
-	for {
-		select {
-		case log := <-logCh:
-			if len(log) > 0 {
-				if !strings.HasSuffix(log, "\n") {
-					log += "\n"
-				}
-				_, err = out.WriteString(log)
-				if err != nil {
-					c.captureError("log", err)
-					return
-				}
-			}
-		case <-ctx.Done():
-			return
-		}
-	}
+	// GetByType for LeaseType should now return an empty result
+	leases, err := b.GetByType(ctx, LeaseType)
+	require.NoError(t, err)
+	require.Len(t, leases, 0)
 }
diff --git a/command/debug_test.go b/command/debug_test.go
index 80576311dde8..fd5102ad8f6d 100644
--- a/command/debug_test.go
+++ b/command/debug_test.go
@@ -1,846 +1,383 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package eventbus
 
 import (
-	"archive/tar"
-	"encoding/json"
+	"context"
+	"errors"
 	"fmt"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"runtime"
+	"net/url"
+	"path"
 	"strings"
-	"syscall"
-	"testing"
+	"sync"
+	"sync/atomic"
 	"time"
 
-	"github.com/hashicorp/vault/api"
-	"github.com/mholt/archiver/v3"
-	"github.com/mitchellh/cli"
+	"github.com/armon/go-metrics"
+	"github.com/hashicorp/eventlogger"
+	"github.com/hashicorp/eventlogger/formatter_filters/cloudevents"
+	"github.com/hashicorp/go-bexpr"
+	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/ryanuber/go-glob"
+	"google.golang.org/protobuf/types/known/structpb"
 )
 
-func testDebugCommand(tb testing.TB) (*cli.MockUi, *DebugCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &DebugCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
+const (
+	// eventTypeAll is purely internal to the event bus. We use it to send all
+	// events down one big firehose, and pipelines define their own filtering
+	// based on what each subscriber is interested in.
+	eventTypeAll   = "*"
+	defaultTimeout = 60 * time.Second
+)
 
-func TestDebugCommand_Run(t *testing.T) {
-	t.Parallel()
+var (
+	ErrNotStarted = errors.New("event broker has not been started")
+	subscriptions atomic.Int64 // keeps track of event subscription count in all event buses
 
-	testDir, err := ioutil.TempDir("", "vault-debug")
-	if err != nil {
-		t.Fatal(err)
+	// these metadata fields will have the plugin mount path prepended to them
+	metadataPrependPathFields = []string{
+		"path",
+		logical.EventMetadataDataPath,
 	}
-	defer os.RemoveAll(testDir)
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"valid",
-			[]string{
-				"-duration=1s",
-				fmt.Sprintf("-output=%s/valid", testDir),
-			},
-			"",
-			0,
-		},
-		{
-			"too_many_args",
-			[]string{
-				"-duration=1s",
-				fmt.Sprintf("-output=%s/too_many_args", testDir),
-				"foo",
-			},
-			"Too many arguments",
-			1,
-		},
-		{
-			"invalid_target",
-			[]string{
-				"-duration=1s",
-				fmt.Sprintf("-output=%s/invalid_target", testDir),
-				"-target=foo",
-			},
-			"Ignoring invalid targets: foo",
-			0,
-		},
-	}
-
-	for _, tc := range cases {
-		tc := tc
+)
 
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
+// EventBus contains the main logic of running an event broker for Vault.
+// Start() must be called before the EventBus will accept events for sending.
+type EventBus struct {
+	logger                     hclog.Logger
+	broker                     *eventlogger.Broker
+	started                    atomic.Bool
+	formatterNodeID            eventlogger.NodeID
+	timeout                    time.Duration
+	filters                    *Filters
+	cloudEventsFormatterFilter *cloudevents.FormatterFilter
+}
 
-			client, closer := testVaultServer(t)
-			defer closer()
+type pluginEventBus struct {
+	bus        *EventBus
+	namespace  *namespace.Namespace
+	pluginInfo *logical.EventPluginInfo
+}
 
-			ui, cmd := testDebugCommand(t)
-			cmd.client = client
-			cmd.skipTimingChecks = true
+type asyncChanNode struct {
+	// TODO: add bounded deque buffer of *EventReceived
+	ctx    context.Context
+	ch     chan *eventlogger.Event
+	logger hclog.Logger
+
+	// used to close the connection
+	closeOnce      sync.Once
+	cancelFunc     context.CancelFunc
+	pipelineID     eventlogger.PipelineID
+	removeFilter   func()
+	removePipeline func(ctx context.Context, t eventlogger.EventType, id eventlogger.PipelineID) (bool, error)
+}
 
-			code := cmd.Run(tc.args)
-			if code != tc.code {
-				t.Errorf("expected %d to be %d", code, tc.code)
-			}
+var (
+	_ eventlogger.Node    = (*asyncChanNode)(nil)
+	_ logical.EventSender = (*pluginEventBus)(nil)
+)
 
-			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-			if !strings.Contains(combined, tc.out) {
-				t.Fatalf("expected %q to contain %q", combined, tc.out)
-			}
-		})
+// Start starts the event bus, allowing events to be written.
+// It is not possible to stop or restart the event bus.
+// It is safe to call Start() multiple times.
+func (bus *EventBus) Start() {
+	wasStarted := bus.started.Swap(true)
+	if !wasStarted {
+		bus.logger.Info("Starting event system")
 	}
 }
 
-func TestDebugCommand_Archive(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name        string
-		ext         string
-		expectError bool
-	}{
-		{
-			"no-ext",
-			"",
-			false,
-		},
-		{
-			"with-ext-tar-gz",
-			".tar.gz",
-			false,
-		},
-		{
-			"with-ext-tgz",
-			".tgz",
-			false,
-		},
+// patchMountPath patches the event data's metadata "secret_path" field, if present, to include the mount path prepended.
+func patchMountPath(data *logical.EventData, pluginInfo *logical.EventPluginInfo) *logical.EventData {
+	if pluginInfo == nil || pluginInfo.MountPath == "" || data.Metadata == nil {
+		return data
 	}
 
-	for _, tc := range cases {
-		tc := tc
-
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			// Create temp dirs for each test case since os.Stat and tgz.Walk
-			// (called down below) exhibits raciness otherwise.
-			testDir, err := ioutil.TempDir("", "vault-debug")
-			if err != nil {
-				t.Fatal(err)
-			}
-			defer os.RemoveAll(testDir)
-
-			client, closer := testVaultServer(t)
-			defer closer()
-
-			ui, cmd := testDebugCommand(t)
-			cmd.client = client
-			cmd.skipTimingChecks = true
-
-			// We use tc.name as the base path and apply the extension per
-			// test case.
-			basePath := tc.name
-			outputPath := filepath.Join(testDir, basePath+tc.ext)
-			args := []string{
-				"-duration=1s",
-				fmt.Sprintf("-output=%s", outputPath),
-				"-target=server-status",
-			}
-
-			code := cmd.Run(args)
-			if exp := 0; code != exp {
-				t.Log(ui.OutputWriter.String())
-				t.Log(ui.ErrorWriter.String())
-				t.Fatalf("expected %d to be %d", code, exp)
-			}
-			// If we expect an error we're done here
-			if tc.expectError {
-				return
-			}
-
-			expectedExt := tc.ext
-			if expectedExt == "" {
-				expectedExt = debugCompressionExt
-			}
-
-			bundlePath := filepath.Join(testDir, basePath+expectedExt)
-			_, err = os.Stat(bundlePath)
-			if os.IsNotExist(err) {
-				t.Log(ui.OutputWriter.String())
-				t.Fatal(err)
+	for _, field := range metadataPrependPathFields {
+		if data.Metadata.Fields[field] != nil {
+			newPath := path.Join(pluginInfo.MountPath, data.Metadata.Fields[field].GetStringValue())
+			if pluginInfo.MountClass == "auth" {
+				newPath = path.Join("auth", newPath)
 			}
+			data.Metadata.Fields[field] = structpb.NewStringValue(newPath)
+		}
+	}
 
-			tgz := archiver.NewTarGz()
-			err = tgz.Walk(bundlePath, func(f archiver.File) error {
-				fh, ok := f.Header.(*tar.Header)
-				if !ok {
-					return fmt.Errorf("invalid file header: %#v", f.Header)
-				}
-
-				// Ignore base directory and index file
-				if fh.Name == basePath+"/" || fh.Name == filepath.Join(basePath, "index.json") {
-					return nil
-				}
+	return data
+}
 
-				if fh.Name != filepath.Join(basePath, "server_status.json") {
-					return fmt.Errorf("unexpected file: %s", fh.Name)
-				}
-				return nil
-			})
-			if err != nil {
-				t.Fatal(err)
-			}
-		})
+// SendEventInternal sends an event to the event bus and routes it to all relevant subscribers.
+// This function does *not* wait for all subscribers to acknowledge before returning.
+// This function is meant to be used by trusted internal code, so it can specify details like the namespace
+// and plugin info. Events from plugins should be routed through WithPlugin(), which will populate
+// the namespace and plugin info automatically.
+// The context passed in is currently ignored to ensure that the event is sent if the context is short-lived,
+// such as with an HTTP request context.
+func (bus *EventBus) SendEventInternal(_ context.Context, ns *namespace.Namespace, pluginInfo *logical.EventPluginInfo, eventType logical.EventType, data *logical.EventData) error {
+	if ns == nil {
+		return namespace.ErrNoNamespace
+	}
+	if !bus.started.Load() {
+		return ErrNotStarted
+	}
+	eventReceived := &logical.EventReceived{
+		Event:      patchMountPath(data, pluginInfo),
+		Namespace:  ns.Path,
+		EventType:  string(eventType),
+		PluginInfo: pluginInfo,
+	}
+
+	// We can't easily know when the SendEvent is complete, so we can't call the cancel function.
+	// But, it is called automatically after bus.timeout, so there won't be any leak as long as bus.timeout is not too long.
+	ctx, _ := context.WithTimeout(context.Background(), bus.timeout)
+	_, err := bus.broker.Send(ctx, eventTypeAll, eventReceived)
+	if err != nil {
+		// if no listeners for this event type are registered, that's okay, the event
+		// will just not be sent anywhere
+		if strings.Contains(strings.ToLower(err.Error()), "no graph for eventtype") {
+			return nil
+		}
 	}
+	return err
 }
 
-func TestDebugCommand_CaptureTargets(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name          string
-		targets       []string
-		expectedFiles []string
-	}{
-		{
-			"config",
-			[]string{"config"},
-			[]string{"config.json"},
-		},
-		{
-			"host-info",
-			[]string{"host"},
-			[]string{"host_info.json"},
-		},
-		{
-			"metrics",
-			[]string{"metrics"},
-			[]string{"metrics.json"},
-		},
-		{
-			"replication-status",
-			[]string{"replication-status"},
-			[]string{"replication_status.json"},
-		},
-		{
-			"server-status",
-			[]string{"server-status"},
-			[]string{"server_status.json"},
-		},
-		{
-			"in-flight-req",
-			[]string{"requests"},
-			[]string{"requests.json"},
-		},
-		{
-			"all-minus-pprof",
-			[]string{"config", "host", "metrics", "replication-status", "server-status"},
-			[]string{"config.json", "host_info.json", "metrics.json", "replication_status.json", "server_status.json"},
-		},
+func (bus *EventBus) WithPlugin(ns *namespace.Namespace, eventPluginInfo *logical.EventPluginInfo) (*pluginEventBus, error) {
+	if ns == nil {
+		return nil, namespace.ErrNoNamespace
 	}
+	return &pluginEventBus{
+		bus:        bus,
+		namespace:  ns,
+		pluginInfo: eventPluginInfo,
+	}, nil
+}
 
-	for _, tc := range cases {
-		tc := tc
-
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			testDir, err := ioutil.TempDir("", "vault-debug")
-			if err != nil {
-				t.Fatal(err)
-			}
-			defer os.RemoveAll(testDir)
-
-			client, closer := testVaultServer(t)
-			defer closer()
-
-			ui, cmd := testDebugCommand(t)
-			cmd.client = client
-			cmd.skipTimingChecks = true
-
-			basePath := tc.name
-			args := []string{
-				"-duration=1s",
-				fmt.Sprintf("-output=%s/%s", testDir, basePath),
-			}
-			for _, target := range tc.targets {
-				args = append(args, fmt.Sprintf("-target=%s", target))
-			}
-
-			code := cmd.Run(args)
-			if exp := 0; code != exp {
-				t.Log(ui.ErrorWriter.String())
-				t.Fatalf("expected %d to be %d", code, exp)
-			}
-
-			bundlePath := filepath.Join(testDir, basePath+debugCompressionExt)
-			_, err = os.Open(bundlePath)
-			if err != nil {
-				t.Fatalf("failed to open archive: %s", err)
-			}
-
-			tgz := archiver.NewTarGz()
-			err = tgz.Walk(bundlePath, func(f archiver.File) error {
-				fh, ok := f.Header.(*tar.Header)
-				if !ok {
-					t.Fatalf("invalid file header: %#v", f.Header)
-				}
-
-				// Ignore base directory and index file
-				if fh.Name == basePath+"/" || fh.Name == filepath.Join(basePath, "index.json") {
-					return nil
-				}
-
-				for _, fileName := range tc.expectedFiles {
-					if fh.Name == filepath.Join(basePath, fileName) {
-						return nil
-					}
-				}
-
-				// If we reach here, it means that this is an unexpected file
-				return fmt.Errorf("unexpected file: %s", fh.Name)
-			})
-			if err != nil {
-				t.Fatal(err)
-			}
-		})
-	}
+// SendEvent sends an event to the event bus and routes it to all relevant subscribers.
+// This function does *not* wait for all subscribers to acknowledge before returning.
+// The context passed in is currently ignored.
+func (bus *pluginEventBus) SendEvent(ctx context.Context, eventType logical.EventType, data *logical.EventData) error {
+	return bus.bus.SendEventInternal(ctx, bus.namespace, bus.pluginInfo, eventType, data)
 }
 
-func TestDebugCommand_Pprof(t *testing.T) {
-	testDir, err := ioutil.TempDir("", "vault-debug")
+func NewEventBus(localNodeID string, logger hclog.Logger) (*EventBus, error) {
+	broker, err := eventlogger.NewBroker()
 	if err != nil {
-		t.Fatal(err)
-	}
-	defer os.RemoveAll(testDir)
-
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	ui, cmd := testDebugCommand(t)
-	cmd.client = client
-	cmd.skipTimingChecks = true
-
-	basePath := "pprof"
-	outputPath := filepath.Join(testDir, basePath)
-	// pprof requires a minimum interval of 1s, we set it to 2 to ensure it
-	// runs through and reduce flakiness on slower systems.
-	args := []string{
-		"-compress=false",
-		"-duration=2s",
-		"-interval=2s",
-		fmt.Sprintf("-output=%s", outputPath),
-		"-target=pprof",
+		return nil, err
 	}
 
-	code := cmd.Run(args)
-	if exp := 0; code != exp {
-		t.Log(ui.ErrorWriter.String())
-		t.Fatalf("expected %d to be %d", code, exp)
+	formatterID, err := uuid.GenerateUUID()
+	if err != nil {
+		return nil, err
 	}
+	formatterNodeID := eventlogger.NodeID(formatterID)
 
-	profiles := []string{"heap.prof", "goroutine.prof"}
-	pollingProfiles := []string{"profile.prof", "trace.out"}
+	if logger == nil {
+		logger = hclog.Default().Named("events")
+	}
 
-	// These are captures on the first (0th) and last (1st) frame
-	for _, v := range profiles {
-		files, _ := filepath.Glob(fmt.Sprintf("%s/*/%s", outputPath, v))
-		if len(files) != 2 {
-			t.Errorf("2 output files should exist for %s: got: %v", v, files)
-		}
+	sourceUrl, err := url.Parse("vault://" + localNodeID)
+	if err != nil {
+		return nil, err
 	}
 
-	// Since profile and trace are polling outputs, these only get captured
-	// on the first (0th) frame.
-	for _, v := range pollingProfiles {
-		files, _ := filepath.Glob(fmt.Sprintf("%s/*/%s", outputPath, v))
-		if len(files) != 1 {
-			t.Errorf("1 output file should exist for %s: got: %v", v, files)
-		}
+	cloudEventsFormatterFilter := &cloudevents.FormatterFilter{
+		Source: sourceUrl,
+		Predicate: func(_ context.Context, e interface{}) (bool, error) {
+			return true, nil
+		},
 	}
 
-	t.Log(ui.OutputWriter.String())
-	t.Log(ui.ErrorWriter.String())
+	return &EventBus{
+		logger:                     logger,
+		broker:                     broker,
+		formatterNodeID:            formatterNodeID,
+		timeout:                    defaultTimeout,
+		cloudEventsFormatterFilter: cloudEventsFormatterFilter,
+		filters:                    NewFilters(localNodeID),
+	}, nil
 }
 
-func TestDebugCommand_IndexFile(t *testing.T) {
-	t.Parallel()
+// Subscribe subscribes to events in the given namespace matching the event type pattern and after
+// applying the optional go-bexpr filter.
+func (bus *EventBus) Subscribe(ctx context.Context, ns *namespace.Namespace, pattern string, bexprFilter string) (<-chan *eventlogger.Event, context.CancelFunc, error) {
+	return bus.SubscribeMultipleNamespaces(ctx, []string{strings.Trim(ns.Path, "/")}, pattern, bexprFilter)
+}
 
-	testDir, err := ioutil.TempDir("", "vault-debug")
+// SubscribeMultipleNamespaces subscribes to events in the given namespace matching the event type
+// pattern and after applying the optional go-bexpr filter.
+func (bus *EventBus) SubscribeMultipleNamespaces(ctx context.Context, namespacePathPatterns []string, pattern string, bexprFilter string) (<-chan *eventlogger.Event, context.CancelFunc, error) {
+	// subscriptions are still stored even if the bus has not been started
+	pipelineID, err := uuid.GenerateUUID()
 	if err != nil {
-		t.Fatal(err)
-	}
-	defer os.RemoveAll(testDir)
-
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	ui, cmd := testDebugCommand(t)
-	cmd.client = client
-	cmd.skipTimingChecks = true
-
-	basePath := "index-test"
-	outputPath := filepath.Join(testDir, basePath)
-	// pprof requires a minimum interval of 1s
-	args := []string{
-		"-compress=false",
-		"-duration=1s",
-		"-interval=1s",
-		"-metrics-interval=1s",
-		fmt.Sprintf("-output=%s", outputPath),
+		return nil, nil, err
 	}
 
-	code := cmd.Run(args)
-	if exp := 0; code != exp {
-		t.Log(ui.ErrorWriter.String())
-		t.Fatalf("expected %d to be %d", code, exp)
+	err = bus.broker.RegisterNode(bus.formatterNodeID, bus.cloudEventsFormatterFilter)
+	if err != nil {
+		return nil, nil, err
 	}
 
-	content, err := ioutil.ReadFile(filepath.Join(outputPath, "index.json"))
+	filterNodeID, err := uuid.GenerateUUID()
 	if err != nil {
-		t.Fatal(err)
+		return nil, nil, err
 	}
 
-	index := &debugIndex{}
-	if err := json.Unmarshal(content, index); err != nil {
-		t.Fatal(err)
+	filterNode, err := newFilterNode(namespacePathPatterns, pattern, bexprFilter)
+	if err != nil {
+		return nil, nil, err
 	}
-	if len(index.Output) == 0 {
-		t.Fatalf("expected valid index file: got: %v", index)
+	err = bus.broker.RegisterNode(eventlogger.NodeID(filterNodeID), filterNode)
+	if err != nil {
+		return nil, nil, err
 	}
-}
-
-func TestDebugCommand_TimingChecks(t *testing.T) {
-	t.Parallel()
 
-	testDir, err := ioutil.TempDir("", "vault-debug")
+	sinkNodeID, err := uuid.GenerateUUID()
 	if err != nil {
-		t.Fatal(err)
-	}
-	defer os.RemoveAll(testDir)
-
-	cases := []struct {
-		name            string
-		duration        string
-		interval        string
-		metricsInterval string
-	}{
-		{
-			"short-values-all",
-			"10ms",
-			"10ms",
-			"10ms",
-		},
-		{
-			"short-duration",
-			"10ms",
-			"",
-			"",
-		},
-		{
-			"short-interval",
-			debugMinInterval.String(),
-			"10ms",
-			"",
-		},
-		{
-			"short-metrics-interval",
-			debugMinInterval.String(),
-			"",
-			"10ms",
-		},
+		return nil, nil, err
 	}
 
-	for _, tc := range cases {
-		tc := tc
-
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			client, closer := testVaultServer(t)
-			defer closer()
-
-			// If we are past the minimum duration + some grace, trigger shutdown
-			// to prevent hanging
-			grace := 10 * time.Second
-			shutdownCh := make(chan struct{})
-			go func() {
-				time.AfterFunc(grace, func() {
-					close(shutdownCh)
-				})
-			}()
-
-			ui, cmd := testDebugCommand(t)
-			cmd.client = client
-			cmd.ShutdownCh = shutdownCh
-
-			basePath := tc.name
-			outputPath := filepath.Join(testDir, basePath)
-			// pprof requires a minimum interval of 1s
-			args := []string{
-				"-target=server-status",
-				fmt.Sprintf("-output=%s", outputPath),
-			}
-			if tc.duration != "" {
-				args = append(args, fmt.Sprintf("-duration=%s", tc.duration))
-			}
-			if tc.interval != "" {
-				args = append(args, fmt.Sprintf("-interval=%s", tc.interval))
-			}
-			if tc.metricsInterval != "" {
-				args = append(args, fmt.Sprintf("-metrics-interval=%s", tc.metricsInterval))
-			}
-
-			code := cmd.Run(args)
-			if exp := 0; code != exp {
-				t.Log(ui.ErrorWriter.String())
-				t.Fatalf("expected %d to be %d", code, exp)
-			}
-
-			if !strings.Contains(ui.OutputWriter.String(), "Duration: 5s") {
-				t.Fatal("expected minimum duration value")
-			}
+	ctx, cancel := context.WithCancel(ctx)
 
-			if tc.interval != "" {
-				if !strings.Contains(ui.OutputWriter.String(), "  Interval: 5s") {
-					t.Fatal("expected minimum interval value")
-				}
-			}
+	bus.filters.addPattern(bus.filters.self, namespacePathPatterns, pattern)
 
-			if tc.metricsInterval != "" {
-				if !strings.Contains(ui.OutputWriter.String(), "Metrics Interval: 5s") {
-					t.Fatal("expected minimum metrics interval value")
-				}
-			}
-		})
+	asyncNode := newAsyncNode(ctx, bus.logger, bus.broker, func() {
+		bus.filters.removePattern(bus.filters.self, namespacePathPatterns, pattern)
+	})
+	err = bus.broker.RegisterNode(eventlogger.NodeID(sinkNodeID), asyncNode)
+	if err != nil {
+		defer cancel()
+		return nil, nil, err
 	}
-}
 
-func TestDebugCommand_NoConnection(t *testing.T) {
-	t.Parallel()
+	nodes := []eventlogger.NodeID{eventlogger.NodeID(filterNodeID), bus.formatterNodeID, eventlogger.NodeID(sinkNodeID)}
 
-	client, err := api.NewClient(nil)
-	if err != nil {
-		t.Fatal(err)
+	pipeline := eventlogger.Pipeline{
+		PipelineID: eventlogger.PipelineID(pipelineID),
+		EventType:  eventTypeAll,
+		NodeIDs:    nodes,
 	}
-
-	if err := client.SetAddress(""); err != nil {
-		t.Fatal(err)
+	err = bus.broker.RegisterPipeline(pipeline)
+	if err != nil {
+		defer cancel()
+		return nil, nil, err
 	}
 
-	_, cmd := testDebugCommand(t)
-	cmd.client = client
-	cmd.skipTimingChecks = true
-
-	args := []string{
-		"-duration=1s",
-		"-target=server-status",
-	}
+	addSubscriptions(1)
+	// add info needed to cancel the subscription
+	asyncNode.pipelineID = eventlogger.PipelineID(pipelineID)
+	asyncNode.cancelFunc = cancel
+	// Capture context in a closure for the cancel func
+	return asyncNode.ch, func() { asyncNode.Close(ctx) }, nil
+}
 
-	code := cmd.Run(args)
-	if exp := 1; code != exp {
-		t.Fatalf("expected %d to be %d", code, exp)
-	}
+// SetSendTimeout sets the timeout of sending events. If the events are not accepted by the
+// underlying channel before this timeout, then the channel closed.
+func (bus *EventBus) SetSendTimeout(timeout time.Duration) {
+	bus.timeout = timeout
 }
 
-func TestDebugCommand_OutputExists(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name          string
-		compress      bool
-		outputFile    string
-		expectedError string
-	}{
-		{
-			"no-compress",
-			false,
-			"output-exists",
-			"output directory already exists",
-		},
-		{
-			"compress",
-			true,
-			"output-exist.tar.gz",
-			"output file already exists",
-		},
+func newFilterNode(namespacePatterns []string, pattern string, bexprFilter string) (*eventlogger.Filter, error) {
+	var evaluator *bexpr.Evaluator
+	if bexprFilter != "" {
+		var err error
+		evaluator, err = bexpr.CreateEvaluator(bexprFilter)
+		if err != nil {
+			return nil, err
+		}
 	}
-
-	for _, tc := range cases {
-		tc := tc
-
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			testDir, err := ioutil.TempDir("", "vault-debug")
-			if err != nil {
-				t.Fatal(err)
-			}
-			defer os.RemoveAll(testDir)
-
-			client, closer := testVaultServer(t)
-			defer closer()
-
-			ui, cmd := testDebugCommand(t)
-			cmd.client = client
-			cmd.skipTimingChecks = true
-
-			outputPath := filepath.Join(testDir, tc.outputFile)
-
-			// Create a conflicting file/directory
-			if tc.compress {
-				_, err = os.Create(outputPath)
-				if err != nil {
-					t.Fatal(err)
+	return &eventlogger.Filter{
+		Predicate: func(e *eventlogger.Event) (bool, error) {
+			eventRecv := e.Payload.(*logical.EventReceived)
+			eventNs := strings.Trim(eventRecv.Namespace, "/")
+			// Drop if event is not in namespace patterns namespace.
+			if len(namespacePatterns) > 0 {
+				allow := false
+				for _, nsPattern := range namespacePatterns {
+					if glob.Glob(nsPattern, eventNs) {
+						allow = true
+						break
+					}
 				}
-			} else {
-				err = os.Mkdir(outputPath, 0o700)
-				if err != nil {
-					t.Fatal(err)
+				if !allow {
+					return false, nil
 				}
 			}
 
-			args := []string{
-				fmt.Sprintf("-compress=%t", tc.compress),
-				"-duration=1s",
-				"-interval=1s",
-				"-metrics-interval=1s",
-				fmt.Sprintf("-output=%s", outputPath),
+			// NodeFilter for correct event type, including wildcards.
+			if !glob.Glob(pattern, eventRecv.EventType) {
+				return false, nil
 			}
 
-			code := cmd.Run(args)
-			if exp := 1; code != exp {
-				t.Log(ui.OutputWriter.String())
-				t.Log(ui.ErrorWriter.String())
-				t.Errorf("expected %d to be %d", code, exp)
+			// apply go-bexpr filter
+			if evaluator != nil {
+				return evaluator.Evaluate(eventRecv.BexprDatum())
 			}
-
-			output := ui.ErrorWriter.String() + ui.OutputWriter.String()
-			if !strings.Contains(output, tc.expectedError) {
-				t.Fatalf("expected %s, got: %s", tc.expectedError, output)
-			}
-		})
-	}
+			return true, nil
+		},
+	}, nil
 }
 
-func TestDebugCommand_PartialPermissions(t *testing.T) {
-	t.Parallel()
-
-	testDir, err := ioutil.TempDir("", "vault-debug")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer os.RemoveAll(testDir)
-
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	// Create a new token with default policy
-	resp, err := client.Logical().Write("auth/token/create", map[string]interface{}{
-		"policies": "default",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	client.SetToken(resp.Auth.ClientToken)
-
-	ui, cmd := testDebugCommand(t)
-	cmd.client = client
-	cmd.skipTimingChecks = true
-
-	basePath := "with-default-policy-token"
-	args := []string{
-		"-duration=1s",
-		fmt.Sprintf("-output=%s/%s", testDir, basePath),
-	}
-
-	code := cmd.Run(args)
-	if exp := 0; code != exp {
-		t.Log(ui.ErrorWriter.String())
-		t.Fatalf("expected %d to be %d", code, exp)
-	}
-
-	bundlePath := filepath.Join(testDir, basePath+debugCompressionExt)
-	_, err = os.Open(bundlePath)
-	if err != nil {
-		t.Fatalf("failed to open archive: %s", err)
+func newAsyncNode(ctx context.Context, logger hclog.Logger, broker *eventlogger.Broker, removeFilter func()) *asyncChanNode {
+	return &asyncChanNode{
+		ctx:            ctx,
+		ch:             make(chan *eventlogger.Event),
+		logger:         logger,
+		removeFilter:   removeFilter,
+		removePipeline: broker.RemovePipelineAndNodes,
 	}
+}
 
-	tgz := archiver.NewTarGz()
-	err = tgz.Walk(bundlePath, func(f archiver.File) error {
-		fh, ok := f.Header.(*tar.Header)
-		if !ok {
-			t.Fatalf("invalid file header: %#v", f.Header)
-		}
-
-		// Ignore base directory and index file
-		if fh.Name == basePath+"/" {
-			return nil
-		}
-
-		// Ignore directories, which still get created by pprof but should
-		// otherwise be empty.
-		if fh.FileInfo().IsDir() {
-			return nil
-		}
+// Close tells the bus to stop sending us events.
+func (node *asyncChanNode) Close(ctx context.Context) {
+	node.closeOnce.Do(func() {
+		defer node.cancelFunc()
+		node.removeFilter()
+		removed, err := node.removePipeline(ctx, eventTypeAll, node.pipelineID)
 
 		switch {
-		case fh.Name == filepath.Join(basePath, "index.json"):
-		case fh.Name == filepath.Join(basePath, "replication_status.json"):
-		case fh.Name == filepath.Join(basePath, "server_status.json"):
-		case fh.Name == filepath.Join(basePath, "vault.log"):
-		default:
-			return fmt.Errorf("unexpected file: %s", fh.Name)
+		case err != nil && removed:
+			msg := fmt.Sprintf("Error removing nodes referenced by pipeline %q", node.pipelineID)
+			node.logger.Warn(msg, err)
+		case err != nil:
+			msg := fmt.Sprintf("Error removing pipeline %q", node.pipelineID)
+			node.logger.Warn(msg, err)
 		}
-
-		return nil
+		addSubscriptions(-1)
 	})
-	if err != nil {
-		t.Fatal(err)
-	}
 }
 
-// set insecure umask to see if the files and directories get created with right permissions
-func TestDebugCommand_InsecureUmask(t *testing.T) {
-	if runtime.GOOS == "windows" {
-		t.Skip("test does not work in windows environment")
-	}
-	t.Parallel()
-
-	cases := []struct {
-		name        string
-		compress    bool
-		outputFile  string
-		expectError bool
-	}{
-		{
-			"with-compress",
-			true,
-			"with-compress.tar.gz",
-			false,
-		},
-		{
-			"no-compress",
-			false,
-			"no-compress",
-			false,
-		},
-	}
-
-	for _, tc := range cases {
-		tc := tc
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-			// set insecure umask
-			defer syscall.Umask(syscall.Umask(0))
-
-			testDir, err := ioutil.TempDir("", "vault-debug")
-			if err != nil {
-				t.Fatal(err)
-			}
-			defer os.RemoveAll(testDir)
-
-			client, closer := testVaultServer(t)
-			defer closer()
-
-			ui, cmd := testDebugCommand(t)
-			cmd.client = client
-			cmd.skipTimingChecks = true
-
-			outputPath := filepath.Join(testDir, tc.outputFile)
-
-			args := []string{
-				fmt.Sprintf("-compress=%t", tc.compress),
-				"-duration=1s",
-				"-interval=1s",
-				"-metrics-interval=1s",
-				fmt.Sprintf("-output=%s", outputPath),
-			}
-
-			code := cmd.Run(args)
-			if exp := 0; code != exp {
-				t.Log(ui.ErrorWriter.String())
-				t.Fatalf("expected %d to be %d", code, exp)
-			}
-			// If we expect an error we're done here
-			if tc.expectError {
-				return
-			}
-
-			bundlePath := filepath.Join(testDir, tc.outputFile)
-			fs, err := os.Stat(bundlePath)
-			if os.IsNotExist(err) {
-				t.Log(ui.OutputWriter.String())
-				t.Fatal(err)
-			}
-			// check permissions of the parent debug directory
-			err = isValidFilePermissions(fs)
-			if err != nil {
-				t.Fatalf(err.Error())
-			}
-
-			// check permissions of the files within the parent directory
-			switch tc.compress {
-			case true:
-				tgz := archiver.NewTarGz()
-
-				err = tgz.Walk(bundlePath, func(f archiver.File) error {
-					fh, ok := f.Header.(*tar.Header)
-					if !ok {
-						return fmt.Errorf("invalid file header: %#v", f.Header)
-					}
-					err = isValidFilePermissions(fh.FileInfo())
-					if err != nil {
-						t.Fatalf(err.Error())
-					}
-					return nil
-				})
-
-			case false:
-				err = filepath.Walk(bundlePath, func(path string, info os.FileInfo, err error) error {
-					err = isValidFilePermissions(info)
-					if err != nil {
-						t.Fatalf(err.Error())
-					}
-					return nil
-				})
-			}
+func (node *asyncChanNode) Process(ctx context.Context, e *eventlogger.Event) (*eventlogger.Event, error) {
+	// sends to the channel async in another goroutine
+	go func() {
+		var timeout bool
+		select {
+		case node.ch <- e:
+		case <-ctx.Done():
+			timeout = errors.Is(ctx.Err(), context.DeadlineExceeded)
+		case <-node.ctx.Done():
+			timeout = errors.Is(node.ctx.Err(), context.DeadlineExceeded)
+		}
+		if timeout {
+			node.logger.Info("Subscriber took too long to process event, closing", "ID", e.Payload.(*logical.EventReceived).Event.Id)
+			node.Close(ctx)
+		}
+	}()
+	return e, nil
+}
 
-			if err != nil {
-				t.Fatal(err)
-			}
-		})
-	}
+func (node *asyncChanNode) Reopen() error {
+	return nil
 }
 
-func isValidFilePermissions(info os.FileInfo) (err error) {
-	mode := info.Mode()
-	// check group permissions
-	for i := 4; i < 7; i++ {
-		if string(mode.String()[i]) != "-" {
-			return fmt.Errorf("expected no permissions for group but got %s permissions for file %s", string(mode.String()[i]), info.Name())
-		}
-	}
+func (node *asyncChanNode) Type() eventlogger.NodeType {
+	return eventlogger.NodeTypeSink
+}
 
-	// check others permissions
-	for i := 7; i < 10; i++ {
-		if string(mode.String()[i]) != "-" {
-			return fmt.Errorf("expected no permissions for others but got %s permissions for file %s", string(mode.String()[i]), info.Name())
-		}
-	}
-	return err
+func addSubscriptions(delta int64) {
+	metrics.SetGauge([]string{"events", "subscriptions"}, float32(subscriptions.Add(delta)))
 }
diff --git a/command/delete.go b/command/delete.go
index 58005e95b261..0255f7fe8678 100644
--- a/command/delete.go
+++ b/command/delete.go
@@ -1,128 +1,705 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package eventbus
 
 import (
+	"context"
+	"encoding/json"
+	"errors"
 	"fmt"
-	"io"
-	"os"
-	"strings"
-
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/eventlogger"
+	"github.com/hashicorp/go-secure-stdlib/strutil"
+	"github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/stretchr/testify/assert"
+	"google.golang.org/protobuf/types/known/structpb"
 )
 
-var (
-	_ cli.Command             = (*DeleteCommand)(nil)
-	_ cli.CommandAutocomplete = (*DeleteCommand)(nil)
-)
+// TestBusBasics tests that basic event sending and subscribing function.
+func TestBusBasics(t *testing.T) {
+	bus, err := NewEventBus("", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ctx := context.Background()
+
+	eventType := logical.EventType("someType")
+
+	event, err := logical.NewEvent()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = bus.SendEventInternal(ctx, namespace.RootNamespace, nil, eventType, event)
+	if !errors.Is(err, ErrNotStarted) {
+		t.Errorf("Expected not started error but got: %v", err)
+	}
 
-type DeleteCommand struct {
-	*BaseCommand
+	bus.Start()
 
-	testStdin io.Reader // for tests
+	err = bus.SendEventInternal(ctx, namespace.RootNamespace, nil, eventType, event)
+	if err != nil {
+		t.Errorf("Expected no error sending: %v", err)
+	}
+
+	ch, cancel, err := bus.Subscribe(ctx, namespace.RootNamespace, string(eventType), "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cancel()
+
+	event, err = logical.NewEvent()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = bus.SendEventInternal(ctx, namespace.RootNamespace, nil, eventType, event)
+	if err != nil {
+		t.Error(err)
+	}
+
+	timeout := time.After(1 * time.Second)
+	select {
+	case message := <-ch:
+		if message.Payload.(*logical.EventReceived).Event.Id != event.Id {
+			t.Errorf("Got unexpected message: %+v", message)
+		}
+	case <-timeout:
+		t.Error("Timeout waiting for message")
+	}
+}
+
+// TestBusIgnoresSendContext tests that the context is ignored when sending to an event,
+// so that we do not give up too quickly.
+func TestBusIgnoresSendContext(t *testing.T) {
+	bus, err := NewEventBus("", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	eventType := logical.EventType("someType")
+
+	event, err := logical.NewEvent()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	bus.Start()
+
+	ch, subCancel, err := bus.Subscribe(context.Background(), namespace.RootNamespace, string(eventType), "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer subCancel()
+
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel() // cancel immediately
+
+	err = bus.SendEventInternal(ctx, namespace.RootNamespace, nil, eventType, event)
+	if err != nil {
+		t.Errorf("Expected no error sending: %v", err)
+	}
+
+	timeout := time.After(1 * time.Second)
+	select {
+	case message := <-ch:
+		if message.Payload.(*logical.EventReceived).Event.Id != event.Id {
+			t.Errorf("Got unexpected message: %+v", message)
+		}
+	case <-timeout:
+		t.Error("Timeout waiting for message")
+	}
 }
 
-func (c *DeleteCommand) Synopsis() string {
-	return "Delete secrets and configuration"
+// TestSubscribeNonRootNamespace verifies that events for non-root namespaces
+// aren't filtered out by the bus.
+func TestSubscribeNonRootNamespace(t *testing.T) {
+	bus, err := NewEventBus("", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	bus.Start()
+	ctx := context.Background()
+
+	eventType := logical.EventType("someType")
+
+	ns := &namespace.Namespace{
+		ID:   "abc",
+		Path: "abc/",
+	}
+
+	ch, cancel, err := bus.Subscribe(ctx, ns, string(eventType), "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cancel()
+
+	event, err := logical.NewEvent()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = bus.SendEventInternal(ctx, ns, nil, eventType, event)
+	if err != nil {
+		t.Error(err)
+	}
+
+	timeout := time.After(1 * time.Second)
+	select {
+	case message := <-ch:
+		if message.Payload.(*logical.EventReceived).Event.Id != event.Id {
+			t.Errorf("Got unexpected message: %+v", message)
+		}
+	case <-timeout:
+		t.Error("Timeout waiting for message")
+	}
 }
 
-func (c *DeleteCommand) Help() string {
-	helpText := `
-Usage: vault delete [options] PATH
+// TestNamespaceFiltering verifies that events for other namespaces are filtered out by the bus.
+func TestNamespaceFiltering(t *testing.T) {
+	bus, err := NewEventBus("", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	bus.Start()
+	ctx := context.Background()
 
-  Deletes secrets and configuration from Vault at the given path. The behavior
-  of "delete" is delegated to the backend corresponding to the given path.
+	eventType := logical.EventType("someType")
 
-  Remove data in the status secret backend:
+	event, err := logical.NewEvent()
+	if err != nil {
+		t.Fatal(err)
+	}
 
-      $ vault delete secret/my-secret
+	ch, cancel, err := bus.Subscribe(ctx, namespace.RootNamespace, string(eventType), "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cancel()
 
-  Uninstall an encryption key in the transit backend:
+	event, err = logical.NewEvent()
+	if err != nil {
+		t.Fatal(err)
+	}
 
-      $ vault delete transit/keys/my-key
+	err = bus.SendEventInternal(ctx, &namespace.Namespace{
+		ID:   "abc",
+		Path: "/abc",
+	}, nil, eventType, event)
+	if err != nil {
+		t.Error(err)
+	}
+
+	timeout := time.After(100 * time.Millisecond)
+	select {
+	case <-ch:
+		t.Errorf("Got abc namespace message when root namespace was specified")
+	case <-timeout:
+		// okay
+	}
+
+	err = bus.SendEventInternal(ctx, namespace.RootNamespace, nil, eventType, event)
+	if err != nil {
+		t.Error(err)
+	}
+
+	timeout = time.After(1 * time.Second)
+	select {
+	case message := <-ch:
+		if message.Payload.(*logical.EventReceived).Event.Id != event.Id {
+			t.Errorf("Got unexpected message %+v but was waiting for %+v", message, event)
+		}
+
+	case <-timeout:
+		t.Error("Timed out waiting for message")
+	}
+}
 
-  Delete an IAM role:
+// TestBus2Subscriptions verifies that events of different types are successfully routed to the correct subscribers.
+func TestBus2Subscriptions(t *testing.T) {
+	bus, err := NewEventBus("", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ctx := context.Background()
+
+	eventType1 := logical.EventType("someType1")
+	eventType2 := logical.EventType("someType2")
+	bus.Start()
 
-      $ vault delete aws/roles/ops
+	ch1, cancel1, err := bus.Subscribe(ctx, namespace.RootNamespace, string(eventType1), "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cancel1()
 
-  For a full list of examples and paths, please see the documentation that
-  corresponds to the secret backend in use.
+	ch2, cancel2, err := bus.Subscribe(ctx, namespace.RootNamespace, string(eventType2), "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cancel2()
+
+	event1, err := logical.NewEvent()
+	if err != nil {
+		t.Fatal(err)
+	}
+	event2, err := logical.NewEvent()
+	if err != nil {
+		t.Fatal(err)
+	}
 
-` + c.Flags().Help()
+	err = bus.SendEventInternal(ctx, namespace.RootNamespace, nil, eventType2, event2)
+	if err != nil {
+		t.Error(err)
+	}
+	err = bus.SendEventInternal(ctx, namespace.RootNamespace, nil, eventType1, event1)
+	if err != nil {
+		t.Error(err)
+	}
 
-	return strings.TrimSpace(helpText)
+	timeout := time.After(1 * time.Second)
+	select {
+	case message := <-ch1:
+		if message.Payload.(*logical.EventReceived).Event.Id != event1.Id {
+			t.Errorf("Got unexpected message: %v", message)
+		}
+	case <-timeout:
+		t.Error("Timeout waiting for event1")
+	}
+	select {
+	case message := <-ch2:
+		if message.Payload.(*logical.EventReceived).Event.Id != event2.Id {
+			t.Errorf("Got unexpected message: %v", message)
+		}
+	case <-timeout:
+		t.Error("Timeout waiting for event2")
+	}
 }
 
-func (c *DeleteCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
+// TestBusSubscriptionsCancel verifies that canceled subscriptions are cleaned up.
+func TestBusSubscriptionsCancel(t *testing.T) {
+	testCases := []struct {
+		cancel bool
+	}{
+		{cancel: true},
+		{cancel: false},
+	}
+
+	for _, tc := range testCases {
+		t.Run(fmt.Sprintf("cancel=%v", tc.cancel), func(t *testing.T) {
+			subscriptions.Store(0)
+			bus, err := NewEventBus("", nil)
+			if err != nil {
+				t.Fatal(err)
+			}
+			ctx := context.Background()
+			if !tc.cancel {
+				// set the timeout very short to make the test faster if we aren't canceling explicitly
+				bus.SetSendTimeout(100 * time.Millisecond)
+			}
+			bus.Start()
+
+			// create and stop a bunch of subscriptions
+			const create = 100
+			const stop = 50
+
+			eventType := logical.EventType("someType")
+
+			var channels []<-chan *eventlogger.Event
+			var cancels []context.CancelFunc
+			stopped := atomic.Int32{}
+
+			received := atomic.Int32{}
+
+			for i := 0; i < create; i++ {
+				ch, cancelFunc, err := bus.Subscribe(ctx, namespace.RootNamespace, string(eventType), "")
+				if err != nil {
+					t.Fatal(err)
+				}
+				t.Cleanup(cancelFunc)
+				channels = append(channels, ch)
+				cancels = append(cancels, cancelFunc)
+
+				go func(i int32) {
+					<-ch // always receive one message
+					received.Add(1)
+					// continue receiving messages as long as are not stopped
+					for i < int32(stop) {
+						<-ch
+						received.Add(1)
+					}
+					if tc.cancel {
+						cancelFunc() // stop explicitly to unsubscribe
+					}
+					stopped.Add(1)
+				}(int32(i))
+			}
+
+			// check that all channels receive a message
+			event, err := logical.NewEvent()
+			if err != nil {
+				t.Fatal(err)
+			}
+			err = bus.SendEventInternal(ctx, namespace.RootNamespace, nil, eventType, event)
+			if err != nil {
+				t.Error(err)
+			}
+			waitFor(t, 1*time.Second, func() bool { return received.Load() == int32(create) })
+			waitFor(t, 1*time.Second, func() bool { return stopped.Load() == int32(stop) })
+
+			// send another message, but half should stop receiving
+			event, err = logical.NewEvent()
+			if err != nil {
+				t.Fatal(err)
+			}
+			err = bus.SendEventInternal(ctx, namespace.RootNamespace, nil, eventType, event)
+			if err != nil {
+				t.Error(err)
+			}
+			waitFor(t, 1*time.Second, func() bool { return received.Load() == int32(create*2-stop) })
+			// the sends should time out and the subscriptions should drop when cancelFunc is called or the context cancels
+			waitFor(t, 1*time.Second, func() bool { return subscriptions.Load() == int64(create-stop) })
+		})
+	}
 }
 
-func (c *DeleteCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultFiles()
+// waitFor waits for a condition to be true, up to the maximum timeout.
+// It waits with a capped exponential backoff starting at 1ms.
+// It is guaranteed to try f() at least once.
+func waitFor(t *testing.T, maxWait time.Duration, f func() bool) {
+	t.Helper()
+	start := time.Now()
+
+	if f() {
+		return
+	}
+	sleepAmount := 1 * time.Millisecond
+	for time.Now().Sub(start) <= maxWait {
+		left := time.Now().Sub(start)
+		sleepAmount = sleepAmount * 2
+		if sleepAmount > left {
+			sleepAmount = left
+		}
+		time.Sleep(sleepAmount)
+		if f() {
+			return
+		}
+	}
+	t.Error("Timeout waiting for condition")
 }
 
-func (c *DeleteCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
+// TestBusWildcardSubscriptions tests that a single subscription can receive
+// multiple event types using * for glob patterns.
+func TestBusWildcardSubscriptions(t *testing.T) {
+	bus, err := NewEventBus("", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ctx := context.Background()
+
+	fooEventType := logical.EventType("kv/foo")
+	barEventType := logical.EventType("kv/bar")
+	bus.Start()
+
+	ch1, cancel1, err := bus.Subscribe(ctx, namespace.RootNamespace, "kv/*", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cancel1()
+
+	ch2, cancel2, err := bus.Subscribe(ctx, namespace.RootNamespace, "*/bar", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cancel2()
+
+	event1, err := logical.NewEvent()
+	if err != nil {
+		t.Fatal(err)
+	}
+	event2, err := logical.NewEvent()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = bus.SendEventInternal(ctx, namespace.RootNamespace, nil, barEventType, event2)
+	if err != nil {
+		t.Error(err)
+	}
+	err = bus.SendEventInternal(ctx, namespace.RootNamespace, nil, fooEventType, event1)
+	if err != nil {
+		t.Error(err)
+	}
+
+	timeout := time.After(1 * time.Second)
+	// Expect to receive both events on ch1, which subscribed to kv/*
+	var ch1Seen []string
+	for i := 0; i < 2; i++ {
+		select {
+		case message := <-ch1:
+			ch1Seen = append(ch1Seen, message.Payload.(*logical.EventReceived).Event.Id)
+		case <-timeout:
+			t.Error("Timeout waiting for event1")
+		}
+	}
+	if len(ch1Seen) != 2 {
+		t.Errorf("Expected 2 events but got: %v", ch1Seen)
+	} else {
+		if !strutil.StrListContains(ch1Seen, event1.Id) {
+			t.Errorf("Did not find %s event1 ID in ch1seen", event1.Id)
+		}
+		if !strutil.StrListContains(ch1Seen, event2.Id) {
+			t.Errorf("Did not find %s event2 ID in ch1seen", event2.Id)
+		}
+	}
+	// Expect to receive just kv/bar on ch2, which subscribed to */bar
+	select {
+	case message := <-ch2:
+		if message.Payload.(*logical.EventReceived).Event.Id != event2.Id {
+			t.Errorf("Got unexpected message: %v", message)
+		}
+	case <-timeout:
+		t.Error("Timeout waiting for event2")
+	}
 }
 
-func (c *DeleteCommand) Run(args []string) int {
-	f := c.Flags()
+// TestDataPathIsPrependedWithMount tests that "data_path", if present in the
+// metadata, is prepended with the plugin's mount.
+func TestDataPathIsPrependedWithMount(t *testing.T) {
+	bus, err := NewEventBus("", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ctx := context.Background()
+
+	fooEventType := logical.EventType("kv/foo")
+	bus.Start()
 
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
+	ch, cancel, err := bus.Subscribe(ctx, namespace.RootNamespace, "kv/*", "")
+	if err != nil {
+		t.Fatal(err)
 	}
+	defer cancel()
 
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected at least 1, got %d)", len(args)))
-		return 1
+	event, err := logical.NewEvent()
+	if err != nil {
+		t.Fatal(err)
+	}
+	metadata := map[string]string{
+		logical.EventMetadataDataPath: "my/secret/path",
+		"not_touched":                 "xyz",
+	}
+	metadataBytes, err := json.Marshal(metadata)
+	if err != nil {
+		t.Fatal(err)
+	}
+	event.Metadata = &structpb.Struct{}
+	if err := event.Metadata.UnmarshalJSON(metadataBytes); err != nil {
+		t.Fatal(err)
 	}
 
-	client, err := c.Client()
+	// no plugin info means nothing should change
+	err = bus.SendEventInternal(ctx, namespace.RootNamespace, nil, fooEventType, event)
 	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
+		t.Error(err)
 	}
 
-	// Pull our fake stdin if needed
-	stdin := (io.Reader)(os.Stdin)
-	if c.testStdin != nil {
-		stdin = c.testStdin
+	timeout := time.After(1 * time.Second)
+	select {
+	case message := <-ch:
+		metadata := message.Payload.(*logical.EventReceived).Event.Metadata.AsMap()
+		assert.Contains(t, metadata, "not_touched")
+		assert.Equal(t, "xyz", metadata["not_touched"])
+		assert.Contains(t, metadata, "data_path")
+		assert.Equal(t, "my/secret/path", metadata["data_path"])
+	case <-timeout:
+		t.Error("Timeout waiting for event")
 	}
 
-	path := sanitizePath(args[0])
+	// send with a secrets plugin mounted
+	pluginInfo := logical.EventPluginInfo{
+		MountClass:    "secrets",
+		MountAccessor: "kv_abc",
+		MountPath:     "secret/",
+		Plugin:        "kv",
+		PluginVersion: "v1.13.1+builtin",
+		Version:       "2",
+	}
+	err = bus.SendEventInternal(ctx, namespace.RootNamespace, &pluginInfo, fooEventType, event)
+	if err != nil {
+		t.Error(err)
+	}
 
-	data, err := parseArgsDataStringLists(stdin, args[1:])
+	timeout = time.After(1 * time.Second)
+	select {
+	case message := <-ch:
+		metadata := message.Payload.(*logical.EventReceived).Event.Metadata.AsMap()
+		assert.Contains(t, metadata, "not_touched")
+		assert.Equal(t, "xyz", metadata["not_touched"])
+		assert.Contains(t, metadata, "data_path")
+		assert.Equal(t, "secret/my/secret/path", metadata["data_path"])
+	case <-timeout:
+		t.Error("Timeout waiting for event")
+	}
+
+	// send with an auth plugin mounted
+	pluginInfo = logical.EventPluginInfo{
+		MountClass:    "auth",
+		MountAccessor: "kubernetes_abc",
+		MountPath:     "kubernetes/",
+		Plugin:        "vault-plugin-auth-kubernetes",
+		PluginVersion: "v1.13.1+builtin",
+	}
+	event, err = logical.NewEvent()
+	if err != nil {
+		t.Fatal(err)
+	}
+	metadata = map[string]string{
+		logical.EventMetadataDataPath: "my/secret/path",
+		"not_touched":                 "xyz",
+	}
+	metadataBytes, err = json.Marshal(metadata)
 	if err != nil {
-		c.UI.Error(fmt.Sprintf("Failed to parse string list data: %s", err))
-		return 1
+		t.Fatal(err)
+	}
+	event.Metadata = &structpb.Struct{}
+	if err := event.Metadata.UnmarshalJSON(metadataBytes); err != nil {
+		t.Fatal(err)
 	}
+	err = bus.SendEventInternal(ctx, namespace.RootNamespace, &pluginInfo, fooEventType, event)
+	if err != nil {
+		t.Error(err)
+	}
+
+	timeout = time.After(1 * time.Second)
+	select {
+	case message := <-ch:
+		metadata := message.Payload.(*logical.EventReceived).Event.Metadata.AsMap()
+		assert.Contains(t, metadata, "not_touched")
+		assert.Equal(t, "xyz", metadata["not_touched"])
+		assert.Contains(t, metadata, "data_path")
+		assert.Equal(t, "auth/kubernetes/my/secret/path", metadata["data_path"])
+	case <-timeout:
+		t.Error("Timeout waiting for event")
+	}
+}
 
-	secret, err := client.Logical().DeleteWithData(path, data)
+// TestBexpr tests go-bexpr filters are evaluated on an event.
+func TestBexpr(t *testing.T) {
+	bus, err := NewEventBus("", nil)
 	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error deleting %s: %s", path, err))
-		if secret != nil {
-			OutputSecret(c.UI, secret)
-		}
-		return 2
+		t.Fatal(err)
 	}
+	ctx := context.Background()
+
+	bus.Start()
 
-	if secret == nil {
-		// Don't output anything unless using the "table" format
-		if Format(c.UI) == "table" {
-			c.UI.Info(fmt.Sprintf("Success! Data deleted (if it existed) at: %s", path))
+	sendEvent := func(eventType string) error {
+		event, err := logical.NewEvent()
+		if err != nil {
+			return err
+		}
+		metadata := map[string]string{
+			logical.EventMetadataDataPath:  "my/secret/path",
+			logical.EventMetadataOperation: "write",
+		}
+		metadataBytes, err := json.Marshal(metadata)
+		if err != nil {
+			return err
+		}
+		event.Metadata = &structpb.Struct{}
+		if err := event.Metadata.UnmarshalJSON(metadataBytes); err != nil {
+			return err
+		}
+		// send with a secrets plugin mounted
+		pluginInfo := logical.EventPluginInfo{
+			MountClass:    "secrets",
+			MountAccessor: "kv_abc",
+			MountPath:     "secret/",
+			Plugin:        "kv",
+			PluginVersion: "v1.13.1+builtin",
+			Version:       "2",
 		}
-		return 0
+		return bus.SendEventInternal(ctx, namespace.RootNamespace, &pluginInfo, logical.EventType(eventType), event)
+	}
+
+	testCases := []struct {
+		name             string
+		filter           string
+		shouldPassFilter bool
+	}{
+		{"empty expression", "", true},
+		{"non-matching expression", "data_path == nothing", false},
+		{"matching expression", "data_path == secret/my/secret/path", true},
+		{"full matching expression", "data_path == secret/my/secret/path and operation != read and source_plugin_mount == secret/ and source_plugin_mount != somethingelse", true},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			eventType, err := uuid.GenerateUUID()
+			if err != nil {
+				t.Fatal(err)
+			}
+			ch, cancel, err := bus.Subscribe(ctx, namespace.RootNamespace, eventType, testCase.filter)
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer cancel()
+			err = sendEvent(eventType)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			timer := time.NewTimer(5 * time.Second)
+			defer timer.Stop()
+			got := false
+			select {
+			case <-ch:
+				got = true
+			case <-timer.C:
+			}
+			assert.Equal(t, testCase.shouldPassFilter, got)
+		})
+	}
+}
+
+// TestPipelineCleanedUp ensures pipelines are properly cleaned up after
+// subscriptions are closed.
+func TestPipelineCleanedUp(t *testing.T) {
+	bus, err := NewEventBus("", nil)
+	if err != nil {
+		t.Fatal(err)
 	}
 
-	// Handle single field output
-	if c.flagField != "" {
-		return PrintRawField(c.UI, secret, c.flagField)
+	eventType := logical.EventType("someType")
+	bus.Start()
+
+	_, cancel, err := bus.Subscribe(context.Background(), namespace.RootNamespace, string(eventType), "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	// check that the filters are set
+	if !bus.filters.anyMatch(namespace.RootNamespace, eventType) {
+		t.Fatal()
 	}
+	if !bus.broker.IsAnyPipelineRegistered(eventTypeAll) {
+		cancel()
+		t.Fatal()
+	}
+
+	cancel()
 
-	return OutputSecret(c.UI, secret)
+	if bus.broker.IsAnyPipelineRegistered(eventTypeAll) {
+		t.Fatal()
+	}
+
+	// and that the filters are cleaned up
+	if bus.filters.anyMatch(namespace.RootNamespace, eventType) {
+		t.Fatal()
+	}
 }
diff --git a/command/delete_test.go b/command/delete_test.go
index 3c08bc685b0b..2e0bb0f33092 100644
--- a/command/delete_test.go
+++ b/command/delete_test.go
@@ -1,144 +1,68 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/mitchellh/cli"
-)
-
-func testDeleteCommand(tb testing.TB) (*cli.MockUi, *DeleteCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &DeleteCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestDeleteCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"default",
-			[]string{"secret/foo"},
-			"",
-			0,
-		},
-		{
-			"optional_args",
-			[]string{"secret/foo", "bar=baz"},
-			"",
-			0,
-		},
-		{
-			"not_enough_args",
-			[]string{},
-			"Not enough arguments",
-			1,
-		},
-	}
-
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, tc := range cases {
-			tc := tc
-
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
-
-				client, closer := testVaultServer(t)
-				defer closer()
-
-				ui, cmd := testDeleteCommand(t)
-				cmd.client = client
-
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
-	})
-
-	t.Run("integration", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		if _, err := client.Logical().Write("secret/delete/foo", map[string]interface{}{
-			"foo": "bar",
-		}); err != nil {
-			t.Fatal(err)
-		}
-
-		ui, cmd := testDeleteCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"secret/delete/foo",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Success! Data deleted (if it existed) at: secret/delete/foo"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-
-		secret, _ := client.Logical().Read("secret/delete/foo")
-		if secret != nil {
-			t.Errorf("expected deletion: %#v", secret)
-		}
-	})
-
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerBad(t)
-		defer closer()
-
-		ui, cmd := testDeleteCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"secret/delete/foo",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Error deleting secret/delete/foo: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testDeleteCommand(t)
-		assertNoTabs(t, cmd)
-	})
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { resolve } from 'rsvp';
+import { module, test } from 'qunit';
+import { setupTest } from 'ember-qunit';
+
+module('Unit | Adapter | capabilities', function (hooks) {
+  setupTest(hooks);
+
+  test('calls the correct url', function (assert) {
+    let url, method, options;
+    const adapter = this.owner.factoryFor('adapter:capabilities').create({
+      ajax: (...args) => {
+        [url, method, options] = args;
+        return resolve();
+      },
+    });
+
+    adapter.findRecord(null, 'capabilities', 'foo');
+    assert.strictEqual(url, '/v1/sys/capabilities-self', 'calls the correct URL');
+    assert.deepEqual({ paths: ['foo'] }, options.data, 'data params OK');
+    assert.strictEqual(method, 'POST', 'method OK');
+  });
+
+  test('enterprise calls the correct url within namespace when userRoot = root', function (assert) {
+    const namespaceSvc = this.owner.lookup('service:namespace');
+    namespaceSvc.setNamespace('admin');
+
+    let url, method, options;
+    const adapter = this.owner.factoryFor('adapter:capabilities').create({
+      ajax: (...args) => {
+        [url, method, options] = args;
+        return resolve();
+      },
+    });
+
+    adapter.findRecord(null, 'capabilities', 'foo');
+    assert.strictEqual(url, '/v1/sys/capabilities-self', 'calls the correct URL');
+    assert.deepEqual({ paths: ['admin/foo'] }, options.data, 'data params prefix paths with namespace');
+    assert.strictEqual(options.namespace, '', 'sent with root namespace');
+    assert.strictEqual(method, 'POST', 'method OK');
+  });
+
+  test('enterprise calls the correct url within namespace when userRoot is not root', function (assert) {
+    const namespaceSvc = this.owner.lookup('service:namespace');
+    namespaceSvc.setNamespace('admin/bar/baz');
+    namespaceSvc.reopen({
+      userRootNamespace: 'admin/bar',
+    });
+
+    let url, method, options;
+    const adapter = this.owner.factoryFor('adapter:capabilities').create({
+      ajax: (...args) => {
+        [url, method, options] = args;
+        return resolve();
+      },
+    });
+
+    adapter.findRecord(null, 'capabilities', 'foo');
+    assert.strictEqual(url, '/v1/sys/capabilities-self', 'calls the correct URL');
+    assert.deepEqual({ paths: ['baz/foo'] }, options.data, 'data params prefix path with relative namespace');
+    assert.strictEqual(options.namespace, 'admin/bar', 'sent with root namespace');
+    assert.strictEqual(method, 'POST', 'method OK');
+  });
+});
diff --git a/command/events.go b/command/events.go
index acc68b117f9c..8eee53c3e27b 100644
--- a/command/events.go
+++ b/command/events.go
@@ -1,197 +1,48 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net/http"
-	"os"
-	"strings"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-	"nhooyr.io/websocket"
-)
-
-var (
-	_ cli.Command             = (*EventsSubscribeCommands)(nil)
-	_ cli.CommandAutocomplete = (*EventsSubscribeCommands)(nil)
-)
-
-type EventsSubscribeCommands struct {
-	*BaseCommand
-
-	namespaces  []string
-	bexprFilter string
-}
-
-func (c *EventsSubscribeCommands) Synopsis() string {
-	return "Subscribe to events"
-}
-
-func (c *EventsSubscribeCommands) Help() string {
-	helpText := `
-Usage: vault events subscribe [-namespaces=ns1] [-timeout=XYZs] [-filter=filterExpression] eventType
-
-  Subscribe to events of the given event type (topic), which may be a glob
-  pattern (with "*" treated as a wildcard). The events will be sent to
-  standard out.
-
-  The output will be a JSON object serialized using the default protobuf
-  JSON serialization format, with one line per event received.
-` + c.Flags().Help()
-	return strings.TrimSpace(helpText)
-}
-
-func (c *EventsSubscribeCommands) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP)
-	f := set.NewFlagSet("Subscribe Options")
-	f.StringVar(&StringVar{
-		Name: "filter",
-		Usage: `A boolean expression to use to filter events. Only events matching
-                the filter will be subscribed to. This is applied after any filtering
-                by event type or namespace.`,
-		Default: "",
-		Target:  &c.bexprFilter,
-	})
-	f.StringSliceVar(&StringSliceVar{
-		Name: "namespaces",
-		Usage: `Specifies one or more patterns of additional child namespaces
-                to subscribe to. The namespace of the request is automatically
-                prepended, so specifying 'ns2' when the request is in the 'ns1'
-                namespace will result in subscribing to 'ns1/ns2', in addition to
-                'ns1'. Patterns can include "*" characters to indicate
-                wildcards. The default is to subscribe only to the request's
-                namespace.`,
-		Default: []string{},
-		Target:  &c.namespaces,
-	})
-	return set
-}
-
-func (c *EventsSubscribeCommands) AutocompleteArgs() complete.Predictor {
-	return nil
-}
-
-func (c *EventsSubscribeCommands) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *EventsSubscribeCommands) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	err = c.subscribeRequest(client, "sys/events/subscribe/"+args[0])
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-	return 0
-}
-
-// cleanNamespace removes leading and trailing space and /'s from the namespace path.
-func cleanNamespace(ns string) string {
-	ns = strings.TrimSpace(ns)
-	ns = strings.Trim(ns, "/")
-	return ns
-}
-
-// cleanNamespaces removes leading and trailing space and /'s from the namespace paths.
-func cleanNamespaces(namespaces []string) []string {
-	cleaned := make([]string, len(namespaces))
-	for i, ns := range namespaces {
-		cleaned[i] = cleanNamespace(ns)
-	}
-	return cleaned
-}
-
-func (c *EventsSubscribeCommands) subscribeRequest(client *api.Client, path string) error {
-	r := client.NewRequest("GET", "/v1/"+path)
-	u := r.URL
-	if u.Scheme == "http" {
-		u.Scheme = "ws"
-	} else {
-		u.Scheme = "wss"
-	}
-	q := u.Query()
-	q.Set("json", "true")
-	if len(c.namespaces) > 0 {
-		q["namespaces"] = cleanNamespaces(c.namespaces)
-	}
-	bexprFilter := strings.TrimSpace(c.bexprFilter)
-	if bexprFilter != "" {
-		q.Set("filter", bexprFilter)
-	}
-	u.RawQuery = q.Encode()
-	client.AddHeader("X-Vault-Token", client.Token())
-	client.AddHeader("X-Vault-Namespace", client.Namespace())
-	ctx := context.Background()
-
-	// Follow redirects in case our request if our request is forwarded to the leader.
-	url := u.String()
-	var conn *websocket.Conn
-	var err error
-	for attempt := 0; attempt < 10; attempt++ {
-		var resp *http.Response
-		conn, resp, err = websocket.Dial(ctx, url, &websocket.DialOptions{
-			HTTPClient: client.CloneConfig().HttpClient,
-			HTTPHeader: client.Headers(),
-		})
-
-		if err == nil {
-			break
-		}
-
-		switch {
-		case resp == nil:
-			return err
-		case resp.StatusCode == http.StatusTemporaryRedirect:
-			url = resp.Header.Get("Location")
-			continue
-		case resp.StatusCode == http.StatusNotFound:
-			return errors.New("events endpoint not found; check `vault read sys/experiments` to see if an events experiment is available but disabled")
-		default:
-			return err
-		}
-	}
-
-	if conn == nil {
-		return fmt.Errorf("too many redirects")
-	}
-	defer conn.Close(websocket.StatusNormalClosure, "")
-
-	for {
-		_, message, err := conn.Read(ctx)
-		if err != nil {
-			return err
-		}
-		_, err = os.Stdout.Write(message)
-		if err != nil {
-			return err
-		}
-	}
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import AdapterError from '@ember-data/adapter/error';
+import { set } from '@ember/object';
+import ApplicationAdapter from './application';
+import { sanitizePath } from 'core/utils/sanitize-path';
+
+export default ApplicationAdapter.extend({
+  pathForType() {
+    return 'capabilities-self';
+  },
+
+  formatPaths(path) {
+    const { relativeNamespace } = this.namespaceService;
+    if (!relativeNamespace) {
+      return [path];
+    }
+    // ensure original path doesn't have leading slash
+    return [`${relativeNamespace}/${path.replace(/^\//, '')}`];
+  },
+
+  findRecord(store, type, id) {
+    const paths = this.formatPaths(id);
+    return this.ajax(this.buildURL(type), 'POST', {
+      data: { paths },
+      namespace: sanitizePath(this.namespaceService.userRootNamespace),
+    }).catch((e) => {
+      if (e instanceof AdapterError) {
+        set(e, 'policyPath', 'sys/capabilities-self');
+      }
+      throw e;
+    });
+  },
+
+  queryRecord(store, type, query) {
+    const { id } = query;
+    if (!id) {
+      return;
+    }
+    return this.findRecord(store, type, id).then((resp) => {
+      resp.path = id;
+      return resp;
+    });
+  },
+});
diff --git a/command/events_test.go b/command/events_test.go
index 336dc0a34225..3d16b68cff8d 100644
--- a/command/events_test.go
+++ b/command/events_test.go
@@ -1,71 +1,65 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
 
-package command
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
+import { render } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import { rootPem } from 'vault/tests/helpers/pki/values';
+import { rootDer } from 'vault/tests/helpers/pki/values';
 
-import (
-	"strings"
-	"testing"
+const SELECTORS = {
+  label: '[data-test-certificate-label]',
+  value: '[data-test-certificate-value]',
+  icon: '[data-test-certificate-icon]',
+  copyButton: '[data-test-copy-button]',
+  copyIcon: '[data-test-icon="clipboard-copy"]',
+};
 
-	"github.com/mitchellh/cli"
-)
+module('Integration | Component | certificate-card', function (hooks) {
+  setupRenderingTest(hooks);
 
-func testEventsSubscribeCommand(tb testing.TB) (*cli.MockUi, *EventsSubscribeCommands) {
-	tb.Helper()
+  test('it renders', async function (assert) {
+    await render(hbs`<CertificateCard />`);
 
-	ui := cli.NewMockUi()
-	return ui, &EventsSubscribeCommands{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
+    assert.dom(SELECTORS.label).hasNoText('There is no label because there is no value');
+    assert.dom(SELECTORS.value).hasNoText('There is no value because none was provided');
+    assert.dom(SELECTORS.icon).exists('The certificate icon exists');
+    assert.dom(SELECTORS.copyIcon).exists('The copy icon renders');
+  });
 
-// TestEventsSubscribeCommand_Run tests that the command argument parsing is working as expected.
-func TestEventsSubscribeCommand_Run(t *testing.T) {
-	t.Parallel()
+  test('it renders with an example PEM Certificate', async function (assert) {
+    const certificate = rootPem;
+    this.set('certificate', certificate);
+    await render(hbs`<CertificateCard @data={{this.certificate}} />`);
 
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"not_enough_args",
-			[]string{},
-			"Not enough arguments",
-			1,
-		},
-		{
-			"too_many_args",
-			[]string{"foo", "bar"},
-			"Too many arguments",
-			1,
-		},
-	}
+    assert.dom(SELECTORS.label).hasText('PEM Format', 'The label text is PEM Format');
+    assert.dom(SELECTORS.value).hasText(certificate, 'The data rendered is correct');
+    assert.dom(SELECTORS.icon).exists('The certificate icon exists');
+    assert.dom(SELECTORS.copyButton).exists('The copy button exists');
+  });
 
-	for _, tc := range cases {
-		tc := tc
+  test('it renders with an example DER Certificate', async function (assert) {
+    const certificate = rootDer;
+    this.set('certificate', certificate);
+    await render(hbs`<CertificateCard @data={{this.certificate}} />`);
 
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
+    assert.dom(SELECTORS.label).hasText('DER Format', 'The label text is DER Format');
+    assert.dom(SELECTORS.value).hasText(certificate, 'The data rendered is correct');
+    assert.dom(SELECTORS.icon).exists('The certificate icon exists');
+    assert.dom(SELECTORS.copyButton).exists('The copy button exists');
+  });
 
-			client, closer := testVaultServer(t)
-			defer closer()
+  test('it renders with the PEM Format label regardless of the value provided when @isPem is true', async function (assert) {
+    const certificate = 'example-certificate-text';
+    this.set('certificate', certificate);
+    await render(hbs`<CertificateCard @data={{this.certificate}} @isPem={{true}}/>`);
 
-			ui, cmd := testEventsSubscribeCommand(t)
-			cmd.client = client
-
-			code := cmd.Run(tc.args)
-			if code != tc.code {
-				t.Errorf("expected %d to be %d", code, tc.code)
-			}
-
-			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-			if !strings.Contains(combined, tc.out) {
-				t.Errorf("expected %q to contain %q", combined, tc.out)
-			}
-		})
-	}
-}
+    assert.dom(SELECTORS.label).hasText('PEM Format', 'The label text is PEM Format');
+    assert.dom(SELECTORS.value).hasText(certificate, 'The data rendered is correct');
+    assert.dom(SELECTORS.icon).exists('The certificate icon exists');
+    assert.dom(SELECTORS.copyButton).exists('The copy button exists');
+  });
+});
diff --git a/command/format.go b/command/format.go
index 4b12771d98d1..044067b817e1 100644
--- a/command/format.go
+++ b/command/format.go
@@ -1,726 +1,32 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"bytes"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"os"
-	"sort"
-	"strings"
-	"time"
-
-	"github.com/ghodss/yaml"
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/ryanuber/columnize"
-)
-
-const (
-	// hopeDelim is the delimiter to use when splitting columns. We call it a
-	// hopeDelim because we hope that it's never contained in a secret.
-	hopeDelim = "♨"
-)
-
-type FormatOptions struct {
-	Format string
-}
-
-func OutputSecret(ui cli.Ui, secret *api.Secret) int {
-	return outputWithFormat(ui, secret, secret)
-}
-
-func OutputList(ui cli.Ui, data interface{}) int {
-	switch data := data.(type) {
-	case *api.Secret:
-		secret := data
-		return outputWithFormat(ui, secret, secret.Data["keys"])
-	default:
-		return outputWithFormat(ui, nil, data)
-	}
-}
-
-func OutputData(ui cli.Ui, data interface{}) int {
-	return outputWithFormat(ui, nil, data)
-}
-
-func outputWithFormat(ui cli.Ui, secret *api.Secret, data interface{}) int {
-	format := Format(ui)
-	formatter, ok := Formatters[format]
-	if !ok {
-		ui.Error(fmt.Sprintf("Invalid output format: %s", format))
-		return 1
-	}
-
-	if err := formatter.Output(ui, secret, data); err != nil {
-		ui.Error(fmt.Sprintf("Could not parse output: %s", err.Error()))
-		return 1
-	}
-	return 0
-}
-
-type Formatter interface {
-	Output(ui cli.Ui, secret *api.Secret, data interface{}) error
-	Format(data interface{}) ([]byte, error)
-}
-
-var Formatters = map[string]Formatter{
-	"json":   JsonFormatter{},
-	"table":  TableFormatter{},
-	"yaml":   YamlFormatter{},
-	"yml":    YamlFormatter{},
-	"pretty": PrettyFormatter{},
-	"raw":    RawFormatter{},
-}
-
-func Format(ui cli.Ui) string {
-	switch ui := ui.(type) {
-	case *VaultUI:
-		return ui.format
-	}
-
-	format := os.Getenv(EnvVaultFormat)
-	if format == "" {
-		format = "table"
-	}
-
-	return format
-}
-
-func Detailed(ui cli.Ui) bool {
-	switch ui := ui.(type) {
-	case *VaultUI:
-		return ui.detailed
-	}
-
-	return false
-}
-
-// An output formatter for json output of an object
-type JsonFormatter struct{}
-
-func (j JsonFormatter) Format(data interface{}) ([]byte, error) {
-	return json.MarshalIndent(data, "", "  ")
-}
-
-func (j JsonFormatter) Output(ui cli.Ui, secret *api.Secret, data interface{}) error {
-	b, err := j.Format(data)
-	if err != nil {
-		return err
-	}
-
-	if secret != nil {
-		shouldListWithInfo := Detailed(ui)
-
-		// Show the raw JSON of the LIST call, rather than only the
-		// list of keys.
-		if shouldListWithInfo {
-			b, err = j.Format(secret)
-			if err != nil {
-				return err
-			}
-		}
-	}
-
-	ui.Output(string(b))
-	return nil
-}
-
-// An output formatter for raw output of the original request object
-type RawFormatter struct{}
-
-func (r RawFormatter) Format(data interface{}) ([]byte, error) {
-	byte_data, ok := data.([]byte)
-	if !ok {
-		return nil, fmt.Errorf("This command does not support the -format=raw option; only `vault read` does.")
-	}
-
-	return byte_data, nil
-}
-
-func (r RawFormatter) Output(ui cli.Ui, secret *api.Secret, data interface{}) error {
-	b, err := r.Format(data)
-	if err != nil {
-		return err
-	}
-	ui.Output(string(b))
-	return nil
-}
-
-// An output formatter for yaml output format of an object
-type YamlFormatter struct{}
-
-func (y YamlFormatter) Format(data interface{}) ([]byte, error) {
-	return yaml.Marshal(data)
-}
-
-func (y YamlFormatter) Output(ui cli.Ui, secret *api.Secret, data interface{}) error {
-	b, err := y.Format(data)
-	if err == nil {
-		ui.Output(strings.TrimSpace(string(b)))
-	}
-	return err
-}
-
-type PrettyFormatter struct{}
-
-func (p PrettyFormatter) Format(data interface{}) ([]byte, error) {
-	return nil, nil
-}
-
-func (p PrettyFormatter) Output(ui cli.Ui, secret *api.Secret, data interface{}) error {
-	switch data.(type) {
-	case *api.AutopilotState:
-		p.OutputAutopilotState(ui, data)
-	default:
-		return errors.New("cannot use the pretty formatter for this type")
-	}
-	return nil
-}
-
-func outputStringSlice(buffer *bytes.Buffer, indent string, values []string) {
-	for _, val := range values {
-		buffer.WriteString(fmt.Sprintf("%s%s\n", indent, val))
-	}
-}
-
-type mapOutput struct {
-	key   string
-	value string
-}
-
-func formatServer(srv *api.AutopilotServer) string {
-	var buffer bytes.Buffer
-
-	buffer.WriteString(fmt.Sprintf("   %s\n", srv.ID))
-	buffer.WriteString(fmt.Sprintf("      Name:              %s\n", srv.Name))
-	buffer.WriteString(fmt.Sprintf("      Address:           %s\n", srv.Address))
-	buffer.WriteString(fmt.Sprintf("      Status:            %s\n", srv.Status))
-	buffer.WriteString(fmt.Sprintf("      Node Status:       %s\n", srv.NodeStatus))
-	buffer.WriteString(fmt.Sprintf("      Healthy:           %t\n", srv.Healthy))
-	buffer.WriteString(fmt.Sprintf("      Last Contact:      %s\n", srv.LastContact))
-	buffer.WriteString(fmt.Sprintf("      Last Term:         %d\n", srv.LastTerm))
-	buffer.WriteString(fmt.Sprintf("      Last Index:        %d\n", srv.LastIndex))
-	buffer.WriteString(fmt.Sprintf("      Version:           %s\n", srv.Version))
-
-	if srv.UpgradeVersion != "" {
-		buffer.WriteString(fmt.Sprintf("      Upgrade Version:   %s\n", srv.UpgradeVersion))
-	}
-	if srv.RedundancyZone != "" {
-		buffer.WriteString(fmt.Sprintf("      Redundancy Zone:   %s\n", srv.RedundancyZone))
-	}
-	if srv.NodeType != "" {
-		buffer.WriteString(fmt.Sprintf("      Node Type:         %s\n", srv.NodeType))
-	}
-
-	return buffer.String()
-}
-
-func (p PrettyFormatter) OutputAutopilotState(ui cli.Ui, data interface{}) {
-	state := data.(*api.AutopilotState)
-
-	var buffer bytes.Buffer
-	buffer.WriteString(fmt.Sprintf("Healthy:                         %t\n", state.Healthy))
-	buffer.WriteString(fmt.Sprintf("Failure Tolerance:               %d\n", state.FailureTolerance))
-	buffer.WriteString(fmt.Sprintf("Leader:                          %s\n", state.Leader))
-	buffer.WriteString("Voters:\n")
-	outputStringSlice(&buffer, "   ", state.Voters)
-
-	if len(state.NonVoters) > 0 {
-		buffer.WriteString("Non Voters:\n")
-		outputStringSlice(&buffer, "   ", state.NonVoters)
-	}
-
-	if state.OptimisticFailureTolerance > 0 {
-		buffer.WriteString(fmt.Sprintf("Optimistic Failure Tolerance:    %d\n", state.OptimisticFailureTolerance))
-	}
-
-	// Servers
-	buffer.WriteString("Servers:\n")
-	var outputs []mapOutput
-	for id, srv := range state.Servers {
-		outputs = append(outputs, mapOutput{key: id, value: formatServer(srv)})
-	}
-	sort.Slice(outputs, func(i, j int) bool {
-		return outputs[i].key < outputs[j].key
-	})
-	for _, output := range outputs {
-		buffer.WriteString(output.value)
-	}
-
-	// Redundancy Zones
-	if len(state.RedundancyZones) > 0 {
-		buffer.WriteString("Redundancy Zones:\n")
-		zoneList := make([]string, 0, len(state.RedundancyZones))
-		for z := range state.RedundancyZones {
-			zoneList = append(zoneList, z)
-		}
-		sort.Strings(zoneList)
-		for _, zoneName := range zoneList {
-			zone := state.RedundancyZones[zoneName]
-			servers := zone.Servers
-			voters := zone.Voters
-			sort.Strings(servers)
-			sort.Strings(voters)
-			buffer.WriteString(fmt.Sprintf("   %s\n", zoneName))
-			buffer.WriteString(fmt.Sprintf("      Servers: %s\n", strings.Join(servers, ", ")))
-			buffer.WriteString(fmt.Sprintf("      Voters: %s\n", strings.Join(voters, ", ")))
-			buffer.WriteString(fmt.Sprintf("      Failure Tolerance: %d\n", zone.FailureTolerance))
-		}
-	}
-
-	// Upgrade Info
-	if state.Upgrade != nil {
-		buffer.WriteString("Upgrade Info:\n")
-		buffer.WriteString(fmt.Sprintf("   Status: %s\n", state.Upgrade.Status))
-		buffer.WriteString(fmt.Sprintf("   Target Version: %s\n", state.Upgrade.TargetVersion))
-		buffer.WriteString(fmt.Sprintf("   Target Version Voters: %s\n", strings.Join(state.Upgrade.TargetVersionVoters, ", ")))
-		buffer.WriteString(fmt.Sprintf("   Target Version Non-Voters: %s\n", strings.Join(state.Upgrade.TargetVersionNonVoters, ", ")))
-		buffer.WriteString(fmt.Sprintf("   Other Version Voters: %s\n", strings.Join(state.Upgrade.OtherVersionVoters, ", ")))
-		buffer.WriteString(fmt.Sprintf("   Other Version Non-Voters: %s\n", strings.Join(state.Upgrade.OtherVersionNonVoters, ", ")))
-
-		if len(state.Upgrade.RedundancyZones) > 0 {
-			buffer.WriteString("   Redundancy Zones:\n")
-			for zoneName, zoneVersion := range state.Upgrade.RedundancyZones {
-				buffer.WriteString(fmt.Sprintf("      %s\n", zoneName))
-				buffer.WriteString(fmt.Sprintf("         Target Version Voters: %s\n", strings.Join(zoneVersion.TargetVersionVoters, ", ")))
-				buffer.WriteString(fmt.Sprintf("         Target Version Non-Voters: %s\n", strings.Join(zoneVersion.TargetVersionNonVoters, ", ")))
-				buffer.WriteString(fmt.Sprintf("         Other Version Voters: %s\n", strings.Join(zoneVersion.OtherVersionVoters, ", ")))
-				buffer.WriteString(fmt.Sprintf("         Other Version Non-Voters: %s\n", strings.Join(zoneVersion.OtherVersionNonVoters, ", ")))
-			}
-		}
-	}
-
-	ui.Output(buffer.String())
-}
-
-// An output formatter for table output of an object
-type TableFormatter struct{}
-
-// We don't use this due to the TableFormatter introducing a bug when the -field flag is supplied:
-// https://github.com/hashicorp/vault/commit/b24cf9a8af2190e96c614205b8cdf06d8c4b6718 .
-func (t TableFormatter) Format(data interface{}) ([]byte, error) {
-	return nil, nil
-}
-
-func (t TableFormatter) Output(ui cli.Ui, secret *api.Secret, data interface{}) error {
-	switch data := data.(type) {
-	case *api.Secret:
-		return t.OutputSecret(ui, secret)
-	case []interface{}:
-		return t.OutputList(ui, secret, data)
-	case []string:
-		return t.OutputList(ui, nil, data)
-	case map[string]interface{}:
-		return t.OutputMap(ui, data)
-	case SealStatusOutput:
-		return t.OutputSealStatusStruct(ui, nil, data)
-	default:
-		return errors.New("cannot use the table formatter for this type")
-	}
-}
-
-func (t TableFormatter) OutputSealStatusStruct(ui cli.Ui, secret *api.Secret, data interface{}) error {
-	var status SealStatusOutput = data.(SealStatusOutput)
-	var sealPrefix string
-
-	out := []string{}
-	out = append(out, "Key | Value")
-	out = append(out, fmt.Sprintf("Seal Type | %s", status.Type))
-	if status.RecoverySeal {
-		sealPrefix = "Recovery "
-		out = append(out, fmt.Sprintf("Recovery Seal Type | %s", status.RecoverySealType))
-	}
-	out = append(out, fmt.Sprintf("Initialized | %t", status.Initialized))
-	out = append(out, fmt.Sprintf("Sealed | %t", status.Sealed))
-	out = append(out, fmt.Sprintf("Total %sShares | %d", sealPrefix, status.N))
-	out = append(out, fmt.Sprintf("Threshold | %d", status.T))
-
-	if status.Sealed {
-		out = append(out, fmt.Sprintf("Unseal Progress | %d/%d", status.Progress, status.T))
-		out = append(out, fmt.Sprintf("Unseal Nonce | %s", status.Nonce))
-	}
-
-	if status.Migration {
-		out = append(out, fmt.Sprintf("Seal Migration in Progress | %t", status.Migration))
-	}
-
-	out = append(out, fmt.Sprintf("Version | %s", status.Version))
-	out = append(out, fmt.Sprintf("Build Date | %s", status.BuildDate))
-	out = append(out, fmt.Sprintf("Storage Type | %s", status.StorageType))
-
-	if status.ClusterName != "" && status.ClusterID != "" {
-		out = append(out, fmt.Sprintf("Cluster Name | %s", status.ClusterName))
-		out = append(out, fmt.Sprintf("Cluster ID | %s", status.ClusterID))
-	}
-
-	// Output if HCP link is configured
-	if status.HCPLinkStatus != "" {
-		out = append(out, fmt.Sprintf("HCP Link Status | %s", status.HCPLinkStatus))
-		out = append(out, fmt.Sprintf("HCP Link Resource ID | %s", status.HCPLinkResourceID))
-	}
-
-	// Output if HA is enabled
-	out = append(out, fmt.Sprintf("HA Enabled | %t", status.HAEnabled))
-
-	if status.HAEnabled {
-		mode := "sealed"
-		if !status.Sealed {
-			out = append(out, fmt.Sprintf("HA Cluster | %s", status.LeaderClusterAddress))
-			mode = "standby"
-			showLeaderAddr := false
-			if status.IsSelf {
-				mode = "active"
-			} else {
-				if status.LeaderAddress == "" {
-					status.LeaderAddress = "<none>"
-				}
-				showLeaderAddr = true
-			}
-			out = append(out, fmt.Sprintf("HA Mode | %s", mode))
-
-			if status.IsSelf && !status.ActiveTime.IsZero() {
-				out = append(out, fmt.Sprintf("Active Since | %s", status.ActiveTime.Format(time.RFC3339Nano)))
-			}
-			// This is down here just to keep ordering consistent
-			if showLeaderAddr {
-				out = append(out, fmt.Sprintf("Active Node Address | %s", status.LeaderAddress))
-			}
-
-			if status.PerfStandby {
-				out = append(out, fmt.Sprintf("Performance Standby Node | %t", status.PerfStandby))
-				out = append(out, fmt.Sprintf("Performance Standby Last Remote WAL | %d", status.PerfStandbyLastRemoteWAL))
-			}
-		}
-	}
-
-	if status.RaftCommittedIndex > 0 {
-		out = append(out, fmt.Sprintf("Raft Committed Index | %d", status.RaftCommittedIndex))
-	}
-	if status.RaftAppliedIndex > 0 {
-		out = append(out, fmt.Sprintf("Raft Applied Index | %d", status.RaftAppliedIndex))
-	}
-	if status.LastWAL != 0 {
-		out = append(out, fmt.Sprintf("Last WAL | %d", status.LastWAL))
-	}
-	if len(status.Warnings) > 0 {
-		out = append(out, fmt.Sprintf("Warnings | %v", status.Warnings))
-	}
-
-	ui.Output(tableOutput(out, &columnize.Config{
-		Delim: "|",
-	}))
-	return nil
-}
-
-func (t TableFormatter) OutputList(ui cli.Ui, secret *api.Secret, data interface{}) error {
-	t.printWarnings(ui, secret)
-
-	// Determine if we have additional information from a ListResponseWithInfo endpoint.
-	var additionalInfo map[string]interface{}
-	if secret != nil {
-		shouldListWithInfo := Detailed(ui)
-		if additional, ok := secret.Data["key_info"]; shouldListWithInfo && ok && len(additional.(map[string]interface{})) > 0 {
-			additionalInfo = additional.(map[string]interface{})
-		}
-	}
-
-	switch data := data.(type) {
-	case []interface{}:
-	case []string:
-		ui.Output(tableOutput(data, nil))
-		return nil
-	default:
-		return errors.New("error: table formatter cannot output list for this data type")
-	}
-
-	list := data.([]interface{})
-
-	if len(list) > 0 {
-		keys := make([]string, len(list))
-		for i, v := range list {
-			typed, ok := v.(string)
-			if !ok {
-				return fmt.Errorf("%v is not a string", v)
-			}
-			keys[i] = typed
-		}
-		sort.Strings(keys)
-
-		// If we have a ListResponseWithInfo endpoint, we'll need to show
-		// additional headers. To satisfy the table outputter, we'll need
-		// to concat them with the deliminator.
-		var headers []string
-		header := "Keys"
-		if len(additionalInfo) > 0 {
-			seenHeaders := make(map[string]bool)
-			for key, rawValues := range additionalInfo {
-				// Most endpoints use the well-behaved ListResponseWithInfo.
-				// However, some use a hand-rolled equivalent, where the
-				// returned "keys" doesn't match the key of the "key_info"
-				// member (namely, /sys/policies/egp). We seek to exclude
-				// headers only visible from "non-visitable" key_info rows,
-				// to make table output less confusing. These non-visitable
-				// rows will still be visible in the JSON output.
-				index := sort.SearchStrings(keys, key)
-				if index < len(keys) && keys[index] != key {
-					continue
-				}
-
-				values := rawValues.(map[string]interface{})
-				for key := range values {
-					seenHeaders[key] = true
-				}
-			}
-
-			for key := range seenHeaders {
-				headers = append(headers, key)
-			}
-			sort.Strings(headers)
-
-			header = header + hopeDelim + strings.Join(headers, hopeDelim)
-		}
-
-		// Finally, if we have a ListResponseWithInfo, we'll need to update
-		// the returned rows to not just have the keys (in the sorted order),
-		// but also have the values for each header (in their sorted order).
-		rows := keys
-		if len(additionalInfo) > 0 && len(headers) > 0 {
-			for index, row := range rows {
-				formatted := []string{row}
-				if rawValues, ok := additionalInfo[row]; ok {
-					values := rawValues.(map[string]interface{})
-					for _, header := range headers {
-						if rawValue, ok := values[header]; ok {
-							if looksLikeDuration(header) {
-								rawValue = humanDurationInt(rawValue)
-							}
-
-							formatted = append(formatted, fmt.Sprintf("%v", rawValue))
-						} else {
-							// Show a default empty n/a when this field is
-							// missing from the additional information.
-							formatted = append(formatted, "n/a")
-						}
-					}
-				}
-
-				rows[index] = strings.Join(formatted, hopeDelim)
-			}
-		}
-
-		// Prepend the header to the formatted rows.
-		output := append([]string{header}, rows...)
-		ui.Output(tableOutput(output, &columnize.Config{
-			Delim: hopeDelim,
-		}))
-	}
-
-	return nil
-}
-
-// printWarnings prints any warnings in the secret.
-func (t TableFormatter) printWarnings(ui cli.Ui, secret *api.Secret) {
-	if secret != nil && len(secret.Warnings) > 0 {
-		ui.Warn("WARNING! The following warnings were returned from Vault:\n")
-		for _, warning := range secret.Warnings {
-			ui.Warn(wrapAtLengthWithPadding(fmt.Sprintf("* %s", warning), 2))
-			ui.Warn("")
-		}
-	}
-}
-
-func (t TableFormatter) OutputSecret(ui cli.Ui, secret *api.Secret) error {
-	if secret == nil {
-		return nil
-	}
-
-	t.printWarnings(ui, secret)
-
-	out := make([]string, 0, 8)
-	if secret.LeaseDuration > 0 {
-		if secret.LeaseID != "" {
-			out = append(out, fmt.Sprintf("lease_id %s %s", hopeDelim, secret.LeaseID))
-			out = append(out, fmt.Sprintf("lease_duration %s %v", hopeDelim, humanDurationInt(secret.LeaseDuration)))
-			out = append(out, fmt.Sprintf("lease_renewable %s %t", hopeDelim, secret.Renewable))
-		} else {
-			// This is probably the generic secret backend which has leases, but we
-			// print them as refresh_interval to reduce confusion.
-			out = append(out, fmt.Sprintf("refresh_interval %s %v", hopeDelim, humanDurationInt(secret.LeaseDuration)))
-		}
-	}
-
-	if secret.Auth != nil {
-		if secret.Auth.MFARequirement != nil {
-			out = append(out, fmt.Sprintf("mfa_request_id %s %s", hopeDelim, secret.Auth.MFARequirement.MFARequestID))
-
-			for k, constraintSet := range secret.Auth.MFARequirement.MFAConstraints {
-				for _, constraint := range constraintSet.Any {
-					out = append(out, fmt.Sprintf("mfa_constraint_%s_%s_id %s %s", k, constraint.Type, hopeDelim, constraint.ID))
-					out = append(out, fmt.Sprintf("mfa_constraint_%s_%s_uses_passcode %s %t", k, constraint.Type, hopeDelim, constraint.UsesPasscode))
-					if constraint.Name != "" {
-						out = append(out, fmt.Sprintf("mfa_constraint_%s_%s_name %s %s", k, constraint.Type, hopeDelim, constraint.Name))
-					}
-				}
-			}
-		} else { // Token information only makes sense if no further MFA requirement (i.e. if we actually have a token)
-			out = append(out, fmt.Sprintf("token %s %s", hopeDelim, secret.Auth.ClientToken))
-			out = append(out, fmt.Sprintf("token_accessor %s %s", hopeDelim, secret.Auth.Accessor))
-			// If the lease duration is 0, it's likely a root token, so output the
-			// duration as "infinity" to clear things up.
-			if secret.Auth.LeaseDuration == 0 {
-				out = append(out, fmt.Sprintf("token_duration %s %s", hopeDelim, "∞"))
-			} else {
-				out = append(out, fmt.Sprintf("token_duration %s %v", hopeDelim, humanDurationInt(secret.Auth.LeaseDuration)))
-			}
-			out = append(out, fmt.Sprintf("token_renewable %s %t", hopeDelim, secret.Auth.Renewable))
-			out = append(out, fmt.Sprintf("token_policies %s %q", hopeDelim, secret.Auth.TokenPolicies))
-			out = append(out, fmt.Sprintf("identity_policies %s %q", hopeDelim, secret.Auth.IdentityPolicies))
-			out = append(out, fmt.Sprintf("policies %s %q", hopeDelim, secret.Auth.Policies))
-			for k, v := range secret.Auth.Metadata {
-				out = append(out, fmt.Sprintf("token_meta_%s %s %v", k, hopeDelim, v))
-			}
-		}
-	}
-
-	if secret.WrapInfo != nil {
-		out = append(out, fmt.Sprintf("wrapping_token: %s %s", hopeDelim, secret.WrapInfo.Token))
-		out = append(out, fmt.Sprintf("wrapping_accessor: %s %s", hopeDelim, secret.WrapInfo.Accessor))
-		out = append(out, fmt.Sprintf("wrapping_token_ttl: %s %v", hopeDelim, humanDurationInt(secret.WrapInfo.TTL)))
-		out = append(out, fmt.Sprintf("wrapping_token_creation_time: %s %s", hopeDelim, secret.WrapInfo.CreationTime.String()))
-		out = append(out, fmt.Sprintf("wrapping_token_creation_path: %s %s", hopeDelim, secret.WrapInfo.CreationPath))
-		if secret.WrapInfo.WrappedAccessor != "" {
-			out = append(out, fmt.Sprintf("wrapped_accessor: %s %s", hopeDelim, secret.WrapInfo.WrappedAccessor))
-		}
-	}
-
-	if len(secret.Data) > 0 {
-		keys := make([]string, 0, len(secret.Data))
-		for k := range secret.Data {
-			keys = append(keys, k)
-		}
-		sort.Strings(keys)
-
-		for _, k := range keys {
-			v := secret.Data[k]
-
-			// If the field "looks" like a TTL, print it as a time duration instead.
-			if looksLikeDuration(k) {
-				v = humanDurationInt(v)
-			}
-
-			out = append(out, fmt.Sprintf("%s %s %v", k, hopeDelim, v))
-		}
-	}
-
-	// If we got this far and still don't have any data, there's nothing to print,
-	// sorry.
-	if len(out) == 0 {
-		return nil
-	}
-
-	// Prepend the header
-	out = append([]string{"Key" + hopeDelim + "Value"}, out...)
-
-	ui.Output(tableOutput(out, &columnize.Config{
-		Delim: hopeDelim,
-	}))
-	return nil
-}
-
-func (t TableFormatter) OutputMap(ui cli.Ui, data map[string]interface{}) error {
-	out := make([]string, 0, len(data)+1)
-	if len(data) > 0 {
-		keys := make([]string, 0, len(data))
-		for k := range data {
-			keys = append(keys, k)
-		}
-		sort.Strings(keys)
-
-		for _, k := range keys {
-			v := data[k]
-
-			// If the field "looks" like a TTL, print it as a time duration instead.
-			if looksLikeDuration(k) {
-				v = humanDurationInt(v)
-			}
-
-			out = append(out, fmt.Sprintf("%s %s %v", k, hopeDelim, v))
-		}
-	}
-
-	// If we got this far and still don't have any data, there's nothing to print,
-	// sorry.
-	if len(out) == 0 {
-		return nil
-	}
-
-	// Prepend the header
-	out = append([]string{"Key" + hopeDelim + "Value"}, out...)
-
-	ui.Output(tableOutput(out, &columnize.Config{
-		Delim: hopeDelim,
-	}))
-	return nil
-}
-
-// OutputSealStatus will print *api.SealStatusResponse in the CLI according to the format provided
-func OutputSealStatus(ui cli.Ui, client *api.Client, status *api.SealStatusResponse) int {
-	sealStatusOutput := SealStatusOutput{SealStatusResponse: *status}
-
-	// Mask the 'Vault is sealed' error, since this means HA is enabled, but that
-	// we cannot query for the leader since we are sealed.
-	leaderStatus, err := client.Sys().Leader()
-	if err != nil && strings.Contains(err.Error(), "Vault is sealed") {
-		leaderStatus = &api.LeaderResponse{HAEnabled: true}
-		err = nil
-	}
-	if err != nil {
-		ui.Error(fmt.Sprintf("Error checking leader status: %s", err))
-		return 1
-	}
-
-	// copy leaderStatus fields into sealStatusOutput for display later
-	sealStatusOutput.HAEnabled = leaderStatus.HAEnabled
-	sealStatusOutput.IsSelf = leaderStatus.IsSelf
-	sealStatusOutput.ActiveTime = leaderStatus.ActiveTime
-	sealStatusOutput.LeaderAddress = leaderStatus.LeaderAddress
-	sealStatusOutput.LeaderClusterAddress = leaderStatus.LeaderClusterAddress
-	sealStatusOutput.PerfStandby = leaderStatus.PerfStandby
-	sealStatusOutput.PerfStandbyLastRemoteWAL = leaderStatus.PerfStandbyLastRemoteWAL
-	sealStatusOutput.LastWAL = leaderStatus.LastWAL
-	sealStatusOutput.RaftCommittedIndex = leaderStatus.RaftCommittedIndex
-	sealStatusOutput.RaftAppliedIndex = leaderStatus.RaftAppliedIndex
-	OutputData(ui, sealStatusOutput)
-	return 0
-}
-
-// looksLikeDuration checks if the given key "k" looks like a duration value.
-// This is used to pretty-format duration values in responses, especially from
-// plugins.
-func looksLikeDuration(k string) bool {
-	return k == "period" || strings.HasSuffix(k, "_period") ||
-		k == "ttl" || strings.HasSuffix(k, "_ttl") ||
-		k == "duration" || strings.HasSuffix(k, "_duration") ||
-		k == "lease_max" || k == "ttl_max"
-}
-
-// This struct is responsible for capturing all the fields to be output by a
-// vault status command, including fields that do not come from the status API.
-// Currently we are adding the fields from api.LeaderResponse
-type SealStatusOutput struct {
-	api.SealStatusResponse
-	HAEnabled                bool      `json:"ha_enabled"`
-	IsSelf                   bool      `json:"is_self,omitempty"`
-	ActiveTime               time.Time `json:"active_time,omitempty"`
-	LeaderAddress            string    `json:"leader_address,omitempty"`
-	LeaderClusterAddress     string    `json:"leader_cluster_address,omitempty"`
-	PerfStandby              bool      `json:"performance_standby,omitempty"`
-	PerfStandbyLastRemoteWAL uint64    `json:"performance_standby_last_remote_wal,omitempty"`
-	LastWAL                  uint64    `json:"last_wal,omitempty"`
-	RaftCommittedIndex       uint64    `json:"raft_committed_index,omitempty"`
-	RaftAppliedIndex         uint64    `json:"raft_applied_index,omitempty"`
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<Hds::Card::Container
+  @level="mid"
+  @hasBorder={{true}}
+  class="is-flex-row has-top-padding-m has-bottom-padding-m is-medium-width"
+  data-test-certificate-card
+>
+  <span class="has-left-margin-s">
+    <Icon @name="certificate" @size="24" data-test-certificate-icon />
+  </span>
+  <div class="has-left-margin-m is-min-width-0 is-flex-grow-1">
+    <p class="has-text-weight-bold" data-test-certificate-label>
+      {{this.format}}
+    </p>
+    <code class="is-size-8 truncate-second-line has-text-grey" data-test-certificate-value>
+      {{@data}}
+    </code>
+  </div>
+  <div class="is-flex-center has-background-white-bis has-top-bottom-margin-negative-m">
+    <Hds::Copy::Button
+      @text="Copy"
+      @isIconOnly={{true}}
+      @textToCopy={{@data}}
+      class="transparent"
+      data-test-copy-button={{or @data true}}
+    />
+  </div>
+</Hds::Card::Container>
\ No newline at end of file
diff --git a/command/kv.go b/command/kv.go
index 9a7e9eaee15d..d789ad92873f 100644
--- a/command/kv.go
+++ b/command/kv.go
@@ -1,61 +1,104 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"strings"
-
-	"github.com/mitchellh/cli"
-)
-
-var _ cli.Command = (*KVCommand)(nil)
-
-type KVCommand struct {
-	*BaseCommand
-}
-
-func (c *KVCommand) Synopsis() string {
-	return "Interact with Vault's Key-Value storage"
-}
-
-func (c *KVCommand) Help() string {
-	helpText := `
-Usage: vault kv <subcommand> [options] [args]
-
-  This command has subcommands for interacting with Vault's key-value
-  store. Here are some simple examples, and more detailed examples are
-  available in the subcommands or the documentation.
-
-  Create or update the key named "foo" in the "secret" mount with the value
-  "bar=baz":
-
-      $ vault kv put -mount=secret foo bar=baz
-
-  Read this value back:
-
-      $ vault kv get -mount=secret foo
-
-  Get metadata for the key:
-
-      $ vault kv metadata get -mount=secret foo
-	  
-  Get a specific version of the key:
-
-      $ vault kv get -mount=secret -version=1 foo
-
-  The deprecated path-like syntax can also be used, but this should be avoided 
-  for KV v2, as the fact that it is not actually the full API path to 
-  the secret (secret/data/foo) can cause confusion:   
-  
-      $ vault kv get secret/foo
-
-  Please see the individual subcommand help for detailed usage information.
-`
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *KVCommand) Run(args []string) int {
-	return cli.RunResultHelp
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<PageHeader as |p|>
+  <p.top>
+    <nav class="breadcrumb">
+      <ul>
+        <li>
+          <span class="sep">&#x0002f;</span>
+          {{#if @model.isNew}}
+            <LinkTo @route="vault.cluster.access.oidc.clients">
+              Applications
+            </LinkTo>
+          {{else}}
+            <LinkTo @route="vault.cluster.access.oidc.clients.client.details" @model={{@model.name}}>
+              Details
+            </LinkTo>
+          {{/if}}
+        </li>
+      </ul>
+    </nav>
+  </p.top>
+  <p.levelLeft>
+    <h1 class="title is-3" data-test-oidc-client-title>
+      {{if @model.isNew "Create" "Edit"}}
+      Application
+    </h1>
+  </p.levelLeft>
+</PageHeader>
+<form {{on "submit" (perform this.save)}}>
+  <div class="box is-sideless is-fullwidth is-bottomless">
+    <MessageError @errorMessage={{this.errorBanner}} />
+    {{#each @model.formFields as |attr|}}
+      <FormField @attr={{attr}} @model={{@model}} @modelValidations={{this.modelValidations}} />
+    {{/each}}
+
+    {{! MORE OPTIONS TOGGLE }}
+    <FormFieldGroups @renderGroup="More options" @model={{@model}} @modelValidations={{this.modelValidations}} />
+  </div>
+  {{! RADIO CARD + SEARCH SELECT }}
+  <div class="box is-sideless is-fullwidth is-marginless has-top-padding-xxl">
+    <h4 class="title is-4">Assign access</h4>
+    <div class="is-flex-row">
+      <RadioCard
+        data-test-oidc-radio="allow-all"
+        @title="Allow everyone to access existing"
+        @description="All Vault entities can authenticate through this application."
+        @icon="org"
+        @value="allow_all"
+        @groupValue={{this.radioCardGroupValue}}
+        @onChange={{this.handleAssignmentSelection}}
+      />
+      <RadioCard
+        data-test-oidc-radio="limited"
+        @title="Limit access to selected users"
+        @description="Choose or create an assignment to give access to selected entities."
+        @icon="users"
+        @value="limited"
+        @groupValue={{this.radioCardGroupValue}}
+        @onChange={{this.handleAssignmentSelection}}
+      />
+    </div>
+    {{#if (eq this.radioCardGroupValue "limited")}}
+      <SearchSelectWithModal
+        @id="assignments"
+        @label="Assignment name"
+        @subText="Search for an existing assignment, or type a new name to create it."
+        @models={{array "oidc/assignment"}}
+        @inputValue={{this.modelAssignments}}
+        @onChange={{this.handleAssignmentSelection}}
+        @excludeOptions={{array "allow_all"}}
+        @fallbackComponent="string-list"
+        @modalFormTemplate="modal-form/oidc-assignment-template"
+        @modalSubtext="Use assignment to specify which Vault entities and groups are allowed to authenticate."
+      />
+    {{/if}}
+  </div>
+  <div class="field box is-fullwidth is-bottomless">
+    <div class="control">
+      <Hds::Button
+        @text={{if @model.isNew "Create" "Update"}}
+        @icon={{if this.save.isRunning "loading"}}
+        type="submit"
+        disabled={{this.save.isRunning}}
+        data-test-oidc-client-save
+      />
+      <Hds::Button
+        @text="Cancel"
+        @color="secondary"
+        class="has-left-margin-s"
+        disabled={{this.save.isRunning}}
+        {{on "click" this.cancel}}
+        data-test-oidc-client-cancel
+      />
+    </div>
+    {{#if this.invalidFormAlert}}
+      <div class="control">
+        <AlertInline @type="danger" class="has-top-padding-s" @message={{this.invalidFormAlert}} />
+      </div>
+    {{/if}}
+  </div>
+</form>
\ No newline at end of file
diff --git a/command/kv_delete.go b/command/kv_delete.go
index acb4abecaf41..8bd9cea4ee8f 100644
--- a/command/kv_delete.go
+++ b/command/kv_delete.go
@@ -1,209 +1,1174 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
+// Copyright (c) 2017-2022 Snowflake Computing Inc. All rights reserved.
 
-package command
+package ocsp
 
 import (
+	"bytes"
+	"context"
+	"crypto"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/asn1"
+	"encoding/base64"
+	"errors"
 	"fmt"
-	"path"
+	"io"
+	"math/big"
+	"net"
+	"net/http"
+	"net/url"
+	"strconv"
 	"strings"
+	"sync"
+	"time"
 
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
+	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/go-retryablehttp"
+	lru "github.com/hashicorp/golang-lru"
+	"github.com/hashicorp/vault/sdk/helper/certutil"
+	"golang.org/x/crypto/ocsp"
 )
 
-var (
-	_ cli.Command             = (*KVDeleteCommand)(nil)
-	_ cli.CommandAutocomplete = (*KVDeleteCommand)(nil)
+// FailOpenMode is OCSP fail open mode. FailOpenTrue by default and may
+// set to ocspModeFailClosed for fail closed mode
+type FailOpenMode uint32
+
+type requestFunc func(method, urlStr string, body interface{}) (*retryablehttp.Request, error)
+
+type clientInterface interface {
+	Do(req *retryablehttp.Request) (*http.Response, error)
+}
+
+const (
+	httpHeaderContentType   = "Content-Type"
+	httpHeaderAccept        = "accept"
+	httpHeaderContentLength = "Content-Length"
+	httpHeaderHost          = "Host"
+	ocspRequestContentType  = "application/ocsp-request"
+	ocspResponseContentType = "application/ocsp-response"
+)
+
+const (
+	ocspFailOpenNotSet FailOpenMode = iota
+	// FailOpenTrue represents OCSP fail open mode.
+	FailOpenTrue
+	// FailOpenFalse represents OCSP fail closed mode.
+	FailOpenFalse
+)
+
+const (
+	ocspModeFailOpen   = "FAIL_OPEN"
+	ocspModeFailClosed = "FAIL_CLOSED"
+	ocspModeInsecure   = "INSECURE"
 )
 
-type KVDeleteCommand struct {
-	*BaseCommand
+const ocspCacheKey = "ocsp_cache"
 
-	flagVersions []string
-	flagMount    string
+const (
+	// defaultOCSPResponderTimeout is the total timeout for OCSP responder.
+	defaultOCSPResponderTimeout = 10 * time.Second
+)
+
+const (
+	// cacheExpire specifies cache data expiration time in seconds.
+	cacheExpire = float64(24 * 60 * 60)
+)
+
+type ocspCachedResponse struct {
+	time       float64
+	producedAt float64
+	thisUpdate float64
+	nextUpdate float64
+	status     ocspStatusCode
 }
 
-func (c *KVDeleteCommand) Synopsis() string {
-	return "Deletes versions in the KV store"
+type Client struct {
+	// caRoot includes the CA certificates.
+	caRoot map[string]*x509.Certificate
+	// certPool includes the CA certificates.
+	certPool              *x509.CertPool
+	ocspResponseCache     *lru.TwoQueueCache
+	ocspResponseCacheLock sync.RWMutex
+	// cacheUpdated is true if the memory cache is updated
+	cacheUpdated bool
+	logFactory   func() hclog.Logger
 }
 
-func (c *KVDeleteCommand) Help() string {
-	helpText := `
-Usage: vault kv delete [options] PATH
+type ocspStatusCode int
 
-  Deletes the data for the provided version and path in the key-value store. The
-  versioned data will not be fully removed, but marked as deleted and will no
-  longer be returned in normal get requests.
+type ocspStatus struct {
+	code ocspStatusCode
+	err  error
+}
 
-  To delete the latest version of the key "foo": 
+const (
+	ocspSuccess                ocspStatusCode = 0
+	ocspStatusGood             ocspStatusCode = -1
+	ocspStatusRevoked          ocspStatusCode = -2
+	ocspStatusUnknown          ocspStatusCode = -3
+	ocspStatusOthers           ocspStatusCode = -4
+	ocspFailedDecomposeRequest ocspStatusCode = -5
+	ocspInvalidValidity        ocspStatusCode = -6
+	ocspMissedCache            ocspStatusCode = -7
+	ocspCacheExpired           ocspStatusCode = -8
+)
 
-      $ vault kv delete -mount=secret foo
+// copied from crypto/ocsp.go
+type certID struct {
+	HashAlgorithm pkix.AlgorithmIdentifier
+	NameHash      []byte
+	IssuerKeyHash []byte
+	SerialNumber  *big.Int
+}
 
-  The deprecated path-like syntax can also be used, but this should be avoided 
-  for KV v2, as the fact that it is not actually the full API path to 
-  the secret (secret/data/foo) can cause confusion: 
-  
-      $ vault kv delete secret/foo
+// cache key
+type certIDKey struct {
+	NameHash      string
+	IssuerKeyHash string
+	SerialNumber  string
+}
 
-  To delete version 3 of key foo:
+// copied from crypto/ocsp
+var hashOIDs = map[crypto.Hash]asn1.ObjectIdentifier{
+	crypto.SHA1:   asn1.ObjectIdentifier([]int{1, 3, 14, 3, 2, 26}),
+	crypto.SHA256: asn1.ObjectIdentifier([]int{2, 16, 840, 1, 101, 3, 4, 2, 1}),
+	crypto.SHA384: asn1.ObjectIdentifier([]int{2, 16, 840, 1, 101, 3, 4, 2, 2}),
+	crypto.SHA512: asn1.ObjectIdentifier([]int{2, 16, 840, 1, 101, 3, 4, 2, 3}),
+}
 
-      $ vault kv delete -mount=secret -versions=3 foo
+// copied from crypto/ocsp
+func getOIDFromHashAlgorithm(target crypto.Hash) (asn1.ObjectIdentifier, error) {
+	for hash, oid := range hashOIDs {
+		if hash == target {
+			return oid, nil
+		}
+	}
+	return nil, fmt.Errorf("no valid OID is found for the hash algorithm: %v", target)
+}
+
+func (c *Client) ClearCache() {
+	c.ocspResponseCache.Purge()
+}
 
-  To delete all versions and metadata, see the "vault kv metadata" subcommand.
+func (c *Client) getHashAlgorithmFromOID(target pkix.AlgorithmIdentifier) crypto.Hash {
+	for hash, oid := range hashOIDs {
+		if oid.Equal(target.Algorithm) {
+			return hash
+		}
+	}
+	// no valid hash algorithm is found for the oid. Falling back to SHA1
+	return crypto.SHA1
+}
 
-  Additional flags and more advanced use cases are detailed below.
+// isInValidityRange checks the validity
+func isInValidityRange(currTime, nextUpdate time.Time) bool {
+	return !nextUpdate.IsZero() && !currTime.After(nextUpdate)
+}
 
-` + c.Flags().Help()
+func extractCertIDKeyFromRequest(ocspReq []byte) (*certIDKey, *ocspStatus) {
+	r, err := ocsp.ParseRequest(ocspReq)
+	if err != nil {
+		return nil, &ocspStatus{
+			code: ocspFailedDecomposeRequest,
+			err:  err,
+		}
+	}
 
-	return strings.TrimSpace(helpText)
+	// encode CertID, used as a key in the cache
+	encodedCertID := &certIDKey{
+		base64.StdEncoding.EncodeToString(r.IssuerNameHash),
+		base64.StdEncoding.EncodeToString(r.IssuerKeyHash),
+		r.SerialNumber.String(),
+	}
+	return encodedCertID, &ocspStatus{
+		code: ocspSuccess,
+	}
 }
 
-func (c *KVDeleteCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
-	// Common Options
-	f := set.NewFlagSet("Common Options")
+func (c *Client) encodeCertIDKey(certIDKeyBase64 string) (*certIDKey, error) {
+	r, err := base64.StdEncoding.DecodeString(certIDKeyBase64)
+	if err != nil {
+		return nil, err
+	}
+	var cid certID
+	rest, err := asn1.Unmarshal(r, &cid)
+	if err != nil {
+		// error in parsing
+		return nil, err
+	}
+	if len(rest) > 0 {
+		// extra bytes to the end
+		return nil, err
+	}
+	return &certIDKey{
+		base64.StdEncoding.EncodeToString(cid.NameHash),
+		base64.StdEncoding.EncodeToString(cid.IssuerKeyHash),
+		cid.SerialNumber.String(),
+	}, nil
+}
 
-	f.StringSliceVar(&StringSliceVar{
-		Name:    "versions",
-		Target:  &c.flagVersions,
-		Default: nil,
-		Usage:   `Specifies the version numbers to delete.`,
-	})
+func (c *Client) checkOCSPResponseCache(encodedCertID *certIDKey, subject, issuer *x509.Certificate) (*ocspStatus, error) {
+	c.ocspResponseCacheLock.RLock()
+	var cacheValue *ocspCachedResponse
+	v, ok := c.ocspResponseCache.Get(*encodedCertID)
+	if ok {
+		cacheValue = v.(*ocspCachedResponse)
+	}
+	c.ocspResponseCacheLock.RUnlock()
 
-	f.StringVar(&StringVar{
-		Name:    "mount",
-		Target:  &c.flagMount,
-		Default: "", // no default, because the handling of the next arg is determined by whether this flag has a value
-		Usage: `Specifies the path where the KV backend is mounted. If specified, 
-		the next argument will be interpreted as the secret path. If this flag is 
-		not specified, the next argument will be interpreted as the combined mount 
-		path and secret path, with /data/ automatically appended between KV 
-		v2 secrets.`,
-	})
+	status, err := c.extractOCSPCacheResponseValue(cacheValue, subject, issuer)
+	if err != nil {
+		return nil, err
+	}
+	if !isValidOCSPStatus(status.code) {
+		c.deleteOCSPCache(encodedCertID)
+	}
+	return status, err
+}
 
-	return set
+func (c *Client) deleteOCSPCache(encodedCertID *certIDKey) {
+	c.ocspResponseCacheLock.Lock()
+	c.ocspResponseCache.Remove(*encodedCertID)
+	c.cacheUpdated = true
+	c.ocspResponseCacheLock.Unlock()
 }
 
-func (c *KVDeleteCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultFiles()
+func validateOCSP(ocspRes *ocsp.Response) (*ocspStatus, error) {
+	curTime := time.Now()
+
+	if ocspRes == nil {
+		return nil, errors.New("OCSP Response is nil")
+	}
+	if !isInValidityRange(curTime, ocspRes.NextUpdate) {
+		return &ocspStatus{
+			code: ocspInvalidValidity,
+			err:  fmt.Errorf("invalid validity: producedAt: %v, thisUpdate: %v, nextUpdate: %v", ocspRes.ProducedAt, ocspRes.ThisUpdate, ocspRes.NextUpdate),
+		}, nil
+	}
+	return returnOCSPStatus(ocspRes), nil
 }
 
-func (c *KVDeleteCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
+func returnOCSPStatus(ocspRes *ocsp.Response) *ocspStatus {
+	switch ocspRes.Status {
+	case ocsp.Good:
+		return &ocspStatus{
+			code: ocspStatusGood,
+			err:  nil,
+		}
+	case ocsp.Revoked:
+		return &ocspStatus{
+			code: ocspStatusRevoked,
+		}
+	case ocsp.Unknown:
+		return &ocspStatus{
+			code: ocspStatusUnknown,
+			err:  errors.New("OCSP status unknown."),
+		}
+	default:
+		return &ocspStatus{
+			code: ocspStatusOthers,
+			err:  fmt.Errorf("OCSP others. %v", ocspRes.Status),
+		}
+	}
 }
 
-func (c *KVDeleteCommand) Run(args []string) int {
-	f := c.Flags()
+// retryOCSP is the second level of retry method if the returned contents are corrupted. It often happens with OCSP
+// serer and retry helps.
+func (c *Client) retryOCSP(
+	ctx context.Context,
+	client clientInterface,
+	req requestFunc,
+	ocspHost *url.URL,
+	headers map[string]string,
+	reqBody []byte,
+	issuer *x509.Certificate,
+) (ocspRes *ocsp.Response, ocspResBytes []byte, ocspS *ocspStatus, retErr error) {
+	doRequest := func(request *retryablehttp.Request) (*http.Response, error) {
+		if request != nil {
+			request = request.WithContext(ctx)
+			for k, v := range headers {
+				request.Header[k] = append(request.Header[k], v)
+			}
+		}
+		res, err := client.Do(request)
+		if err != nil {
+			return nil, err
+		}
+		c.Logger().Debug("StatusCode from OCSP Server:", "statusCode", res.StatusCode)
+		return res, err
+	}
+
+	for _, method := range []string{"GET", "POST"} {
+		reqUrl := *ocspHost
+		var body []byte
+
+		switch method {
+		case "GET":
+			reqUrl.Path = reqUrl.Path + "/" + base64.StdEncoding.EncodeToString(reqBody)
+		case "POST":
+			body = reqBody
+		default:
+			// Programming error; all request/systems errors are multierror
+			// and appended.
+			return nil, nil, nil, fmt.Errorf("unknown request method: %v", method)
+		}
+
+		var res *http.Response
+		request, err := req(method, reqUrl.String(), bytes.NewBuffer(body))
+		if err != nil {
+			err = fmt.Errorf("error creating %v request: %w", method, err)
+			retErr = multierror.Append(retErr, err)
+			continue
+		}
+		if res, err = doRequest(request); err != nil {
+			err = fmt.Errorf("error doing %v request: %w", method, err)
+			retErr = multierror.Append(retErr, err)
+			continue
+		} else {
+			defer res.Body.Close()
+		}
 
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
+		if res.StatusCode != http.StatusOK {
+			err = fmt.Errorf("HTTP code is not OK on %v request. %v: %v", method, res.StatusCode, res.Status)
+			retErr = multierror.Append(retErr, err)
+			continue
+		}
+
+		ocspResBytes, err = io.ReadAll(res.Body)
+		if err != nil {
+			err = fmt.Errorf("error reading %v request body: %w", method, err)
+			retErr = multierror.Append(retErr, err)
+			continue
+		}
+
+		// Reading an OCSP response shouldn't be fatal. A misconfigured
+		// endpoint might return invalid results for e.g., GET but return
+		// valid results for POST on retry. This could happen if e.g., the
+		// server responds with JSON.
+		ocspRes, err = ocsp.ParseResponse(ocspResBytes /*issuer = */, nil /* !!unsafe!! */)
+		if err != nil {
+			err = fmt.Errorf("error parsing %v OCSP response: %w", method, err)
+			retErr = multierror.Append(retErr, err)
+			continue
+		}
+
+		// Above, we use the unsafe issuer=nil parameter to ocsp.ParseResponse
+		// because Go's library does the wrong thing.
+		//
+		// Here, we lack a full chain, but we know we trust the parent issuer,
+		// so if the Go library incorrectly discards useful certificates, we
+		// likely cannot verify this without passing through the full chain
+		// back to the root.
+		//
+		// Instead, take one of two paths: 1. if there is no certificate in
+		// the ocspRes, verify the OCSP response directly with our trusted
+		// issuer certificate, or 2. if there is a certificate, either verify
+		// it directly matches our trusted issuer certificate, or verify it
+		// is signed by our trusted issuer certificate.
+		//
+		// See also: https://github.com/golang/go/issues/59641
+		//
+		// This addresses the !!unsafe!! behavior above.
+		if ocspRes.Certificate == nil {
+			if err := ocspRes.CheckSignatureFrom(issuer); err != nil {
+				err = fmt.Errorf("error directly verifying signature on %v OCSP response: %w", method, err)
+				retErr = multierror.Append(retErr, err)
+				continue
+			}
+		} else {
+			// Because we have at least one certificate here, we know that
+			// Go's ocsp library verified the signature from this certificate
+			// onto the response and it was valid. Now we need to know we trust
+			// this certificate. There's two ways we can do this:
+			//
+			// 1. Via confirming issuer == ocspRes.Certificate, or
+			// 2. Via confirming ocspRes.Certificate.CheckSignatureFrom(issuer).
+			if !bytes.Equal(issuer.Raw, ocspRes.Raw) {
+				// 1 must not hold, so 2 holds; verify the signature.
+				if err := ocspRes.Certificate.CheckSignatureFrom(issuer); err != nil {
+					err = fmt.Errorf("error checking chain of trust on %v OCSP response via %v failed: %w", method, issuer.Subject.String(), err)
+					retErr = multierror.Append(retErr, err)
+					continue
+				}
+
+				// Verify the OCSP responder certificate is still valid and
+				// contains the required EKU since it is a delegated OCSP
+				// responder certificate.
+				if ocspRes.Certificate.NotAfter.Before(time.Now()) {
+					err := fmt.Errorf("error checking delegated OCSP responder on %v OCSP response: certificate has expired", method)
+					retErr = multierror.Append(retErr, err)
+					continue
+				}
+				haveEKU := false
+				for _, ku := range ocspRes.Certificate.ExtKeyUsage {
+					if ku == x509.ExtKeyUsageOCSPSigning {
+						haveEKU = true
+						break
+					}
+				}
+				if !haveEKU {
+					err := fmt.Errorf("error checking delegated OCSP responder on %v OCSP response: certificate lacks the OCSP Signing EKU", method)
+					retErr = multierror.Append(retErr, err)
+					continue
+				}
+			}
+		}
+
+		// While we haven't validated the signature on the OCSP response, we
+		// got what we presume is a definitive answer and simply changing
+		// methods will likely not help us in that regard. Use this status
+		// to return without retrying another method, when it looks definitive.
+		//
+		// We don't accept ocsp.Unknown here: presumably, we could've hit a CDN
+		// with static mapping of request->responses, with a default "unknown"
+		// handler for everything else. By retrying here, we use POST, which
+		// could hit a live OCSP server with fresher data than the cached CDN.
+		if ocspRes.Status == ocsp.Good || ocspRes.Status == ocsp.Revoked {
+			break
+		}
+
+		// Here, we didn't have a valid response. Even though we didn't get an
+		// error, we should inform the user that this (valid-looking) response
+		// wasn't utilized.
+		err = fmt.Errorf("fetched %v OCSP response of status %v; wanted either good (%v) or revoked (%v)", method, ocspRes.Status, ocsp.Good, ocsp.Revoked)
+		retErr = multierror.Append(retErr, err)
 	}
 
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
+	if ocspRes != nil && ocspResBytes != nil {
+		// Clear retErr, because we have one parseable-but-maybe-not-quite-correct
+		// OCSP response.
+		retErr = nil
+		ocspS = &ocspStatus{
+			code: ocspSuccess,
+		}
 	}
 
-	client, err := c.Client()
+	return
+}
+
+// GetRevocationStatus checks the certificate revocation status for subject using issuer certificate.
+func (c *Client) GetRevocationStatus(ctx context.Context, subject, issuer *x509.Certificate, conf *VerifyConfig) (*ocspStatus, error) {
+	status, ocspReq, encodedCertID, err := c.validateWithCache(subject, issuer)
 	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
+		return nil, err
+	}
+	if isValidOCSPStatus(status.code) {
+		return status, nil
+	}
+	if ocspReq == nil || encodedCertID == nil {
+		return status, nil
+	}
+	c.Logger().Debug("cache missed", "server", subject.OCSPServer)
+	if len(subject.OCSPServer) == 0 && len(conf.OcspServersOverride) == 0 {
+		return nil, fmt.Errorf("no OCSP responder URL: subject: %v", subject.Subject)
+	}
+	ocspHosts := subject.OCSPServer
+	if len(conf.OcspServersOverride) > 0 {
+		ocspHosts = conf.OcspServersOverride
 	}
 
-	// If true, we're working with "-mount=secret foo" syntax.
-	// If false, we're using "secret/foo" syntax.
-	mountFlagSyntax := c.flagMount != ""
+	var wg sync.WaitGroup
 
-	var (
-		mountPath   string
-		partialPath string
-		v2          bool
-	)
+	ocspStatuses := make([]*ocspStatus, len(ocspHosts))
+	ocspResponses := make([]*ocsp.Response, len(ocspHosts))
+	errors := make([]error, len(ocspHosts))
 
-	// Parse the paths and grab the KV version
-	if mountFlagSyntax {
-		// In this case, this arg is the secret path (e.g. "foo").
-		partialPath = sanitizePath(args[0])
-		mountPath, v2, err = isKVv2(sanitizePath(c.flagMount), client)
+	for i, ocspHost := range ocspHosts {
+		u, err := url.Parse(ocspHost)
 		if err != nil {
-			c.UI.Error(err.Error())
-			return 2
+			return nil, err
 		}
 
-		if v2 {
-			partialPath = path.Join(mountPath, partialPath)
+		hostname := u.Hostname()
+
+		headers := make(map[string]string)
+		headers[httpHeaderContentType] = ocspRequestContentType
+		headers[httpHeaderAccept] = ocspResponseContentType
+		headers[httpHeaderContentLength] = strconv.Itoa(len(ocspReq))
+		headers[httpHeaderHost] = hostname
+		timeout := defaultOCSPResponderTimeout
+
+		ocspClient := retryablehttp.NewClient()
+		ocspClient.HTTPClient.Timeout = timeout
+		ocspClient.HTTPClient.Transport = newInsecureOcspTransport(conf.ExtraCas)
+
+		doRequest := func() error {
+			if conf.QueryAllServers {
+				defer wg.Done()
+			}
+			ocspRes, _, ocspS, err := c.retryOCSP(
+				ctx, ocspClient, retryablehttp.NewRequest, u, headers, ocspReq, issuer)
+			ocspResponses[i] = ocspRes
+			if err != nil {
+				errors[i] = err
+				return err
+			}
+			if ocspS.code != ocspSuccess {
+				ocspStatuses[i] = ocspS
+				return nil
+			}
+
+			ret, err := validateOCSP(ocspRes)
+			if err != nil {
+				errors[i] = err
+				return err
+			}
+			if isValidOCSPStatus(ret.code) {
+				ocspStatuses[i] = ret
+			} else if ret.err != nil {
+				// This check needs to occur after the isValidOCSPStatus as the unknown
+				// status also sets an err value within ret.
+				errors[i] = ret.err
+				return ret.err
+			}
+			return nil
+		}
+		if conf.QueryAllServers {
+			wg.Add(1)
+			go doRequest()
+		} else {
+			err = doRequest()
+			if err == nil {
+				break
+			}
+		}
+	}
+	if conf.QueryAllServers {
+		wg.Wait()
+	}
+	// Good by default
+	var ret *ocspStatus
+	ocspRes := ocspResponses[0]
+	var firstError error
+	for i := range ocspHosts {
+		if errors[i] != nil {
+			if firstError == nil {
+				firstError = errors[i]
+			}
+		} else if ocspStatuses[i] != nil {
+			switch ocspStatuses[i].code {
+			case ocspStatusRevoked:
+				ret = ocspStatuses[i]
+				ocspRes = ocspResponses[i]
+				break
+			case ocspStatusGood:
+				// Use this response only if we don't have a status already, or if what we have was unknown
+				if ret == nil || ret.code == ocspStatusUnknown {
+					ret = ocspStatuses[i]
+					ocspRes = ocspResponses[i]
+				}
+			case ocspStatusUnknown:
+				if ret == nil {
+					// We may want to use this as the overall result
+					ret = ocspStatuses[i]
+					ocspRes = ocspResponses[i]
+				}
+			}
 		}
+	}
+
+	// If no server reported the cert revoked, but we did have an error, report it
+	if (ret == nil || ret.code == ocspStatusUnknown) && firstError != nil {
+		return nil, firstError
+	}
+	// An extra safety in case ret and firstError are both nil
+	if ret == nil {
+		return nil, fmt.Errorf("failed to extract a known response code or error from the OCSP server")
+	}
+
+	// otherwise ret should contain a response for the overall request
+	if !isValidOCSPStatus(ret.code) {
+		return ret, nil
+	}
+	v := ocspCachedResponse{
+		status:     ret.code,
+		time:       float64(time.Now().UTC().Unix()),
+		producedAt: float64(ocspRes.ProducedAt.UTC().Unix()),
+		thisUpdate: float64(ocspRes.ThisUpdate.UTC().Unix()),
+		nextUpdate: float64(ocspRes.NextUpdate.UTC().Unix()),
+	}
+
+	c.ocspResponseCacheLock.Lock()
+	c.ocspResponseCache.Add(*encodedCertID, &v)
+	c.cacheUpdated = true
+	c.ocspResponseCacheLock.Unlock()
+	return ret, nil
+}
+
+func isValidOCSPStatus(status ocspStatusCode) bool {
+	return status == ocspStatusGood || status == ocspStatusRevoked || status == ocspStatusUnknown
+}
+
+type VerifyConfig struct {
+	OcspEnabled         bool
+	ExtraCas            []*x509.Certificate
+	OcspServersOverride []string
+	OcspFailureMode     FailOpenMode
+	QueryAllServers     bool
+}
+
+// VerifyLeafCertificate verifies just the subject against it's direct issuer
+func (c *Client) VerifyLeafCertificate(ctx context.Context, subject, issuer *x509.Certificate, conf *VerifyConfig) error {
+	results, err := c.GetRevocationStatus(ctx, subject, issuer, conf)
+	if err != nil {
+		return err
+	}
+	if results.code == ocspStatusGood {
+		return nil
 	} else {
-		// In this case, this arg is a path-like combination of mountPath/secretPath.
-		// (e.g. "secret/foo")
-		partialPath = sanitizePath(args[0])
-		mountPath, v2, err = isKVv2(partialPath, client)
+		serial := issuer.SerialNumber
+		serialHex := strings.TrimSpace(certutil.GetHexFormatted(serial.Bytes(), ":"))
+		if results.code == ocspStatusRevoked {
+			return fmt.Errorf("certificate with serial number %s has been revoked", serialHex)
+		} else if conf.OcspFailureMode == FailOpenFalse {
+			return fmt.Errorf("unknown OCSP status for cert with serial number %s", strings.TrimSpace(certutil.GetHexFormatted(serial.Bytes(), ":")))
+		} else {
+			c.Logger().Warn("could not validate OCSP status for cert, but continuing in fail open mode", "serial", serialHex)
+		}
+	}
+	return nil
+}
+
+// VerifyPeerCertificate verifies all of certificate revocation status
+func (c *Client) VerifyPeerCertificate(ctx context.Context, verifiedChains [][]*x509.Certificate, conf *VerifyConfig) error {
+	for i := 0; i < len(verifiedChains); i++ {
+		// Certificate signed by Root CA. This should be one before the last in the Certificate Chain
+		numberOfNoneRootCerts := len(verifiedChains[i]) - 1
+		if !verifiedChains[i][numberOfNoneRootCerts].IsCA || string(verifiedChains[i][numberOfNoneRootCerts].RawIssuer) != string(verifiedChains[i][numberOfNoneRootCerts].RawSubject) {
+			// Check if the last Non Root Cert is also a CA or is self signed.
+			// if the last certificate is not, add it to the list
+			rca := c.caRoot[string(verifiedChains[i][numberOfNoneRootCerts].RawIssuer)]
+			if rca == nil {
+				return fmt.Errorf("failed to find root CA. pkix.name: %v", verifiedChains[i][numberOfNoneRootCerts].Issuer)
+			}
+			verifiedChains[i] = append(verifiedChains[i], rca)
+			numberOfNoneRootCerts++
+		}
+		results, err := c.GetAllRevocationStatus(ctx, verifiedChains[i], conf)
 		if err != nil {
-			c.UI.Error(err.Error())
-			return 2
+			return err
+		}
+		if r := c.canEarlyExitForOCSP(results, numberOfNoneRootCerts, conf); r != nil {
+			return r.err
 		}
 	}
 
-	var secret *api.Secret
-	var fullPath string
-	if v2 {
-		secret, err = c.deleteV2(partialPath, mountPath, client)
-		fullPath = addPrefixToKVPath(partialPath, mountPath, "data", false)
+	return nil
+}
+
+func (c *Client) canEarlyExitForOCSP(results []*ocspStatus, chainSize int, conf *VerifyConfig) *ocspStatus {
+	msg := ""
+	if conf.OcspFailureMode == FailOpenFalse {
+		// Fail closed. any error is returned to stop connection
+		for _, r := range results {
+			if r.err != nil {
+				return r
+			}
+		}
 	} else {
-		// v1
-		if mountFlagSyntax {
-			fullPath = path.Join(mountPath, partialPath)
-		} else {
-			fullPath = partialPath
+		// Fail open and all results are valid.
+		allValid := len(results) == chainSize
+		for _, r := range results {
+			if !isValidOCSPStatus(r.code) {
+				allValid = false
+				break
+			}
 		}
-		secret, err = client.Logical().Delete(fullPath)
+		for _, r := range results {
+			if allValid && r.code == ocspStatusRevoked {
+				return r
+			}
+			if r != nil && r.code != ocspStatusGood && r.err != nil {
+				msg += "" + r.err.Error()
+			}
+		}
+	}
+	if len(msg) > 0 {
+		c.Logger().Warn(
+			"OCSP is set to fail-open, and could not retrieve OCSP based revocation checking but proceeding.", "detail", msg)
 	}
+	return nil
+}
 
+func (c *Client) validateWithCacheForAllCertificates(verifiedChains []*x509.Certificate) (bool, error) {
+	n := len(verifiedChains) - 1
+	for j := 0; j < n; j++ {
+		subject := verifiedChains[j]
+		issuer := verifiedChains[j+1]
+		status, _, _, err := c.validateWithCache(subject, issuer)
+		if err != nil {
+			return false, err
+		}
+		if !isValidOCSPStatus(status.code) {
+			return false, nil
+		}
+	}
+	return true, nil
+}
+
+func (c *Client) validateWithCache(subject, issuer *x509.Certificate) (*ocspStatus, []byte, *certIDKey, error) {
+	ocspReq, err := ocsp.CreateRequest(subject, issuer, &ocsp.RequestOptions{})
+	if err != nil {
+		return nil, nil, nil, fmt.Errorf("failed to create OCSP request from the certificates: %v", err)
+	}
+	encodedCertID, ocspS := extractCertIDKeyFromRequest(ocspReq)
+	if ocspS.code != ocspSuccess {
+		return nil, nil, nil, fmt.Errorf("failed to extract CertID from OCSP Request: %v", err)
+	}
+	status, err := c.checkOCSPResponseCache(encodedCertID, subject, issuer)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	return status, ocspReq, encodedCertID, nil
+}
+
+func (c *Client) GetAllRevocationStatus(ctx context.Context, verifiedChains []*x509.Certificate, conf *VerifyConfig) ([]*ocspStatus, error) {
+	_, err := c.validateWithCacheForAllCertificates(verifiedChains)
 	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error deleting %s: %s", fullPath, err))
-		if secret != nil {
-			OutputSecret(c.UI, secret)
+		return nil, err
+	}
+	n := len(verifiedChains) - 1
+	results := make([]*ocspStatus, n)
+	for j := 0; j < n; j++ {
+		results[j], err = c.GetRevocationStatus(ctx, verifiedChains[j], verifiedChains[j+1], conf)
+		if err != nil {
+			return nil, err
 		}
-		return 2
+		if !isValidOCSPStatus(results[j].code) {
+			return results, nil
+		}
+	}
+	return results, nil
+}
+
+// verifyPeerCertificateSerial verifies the certificate revocation status in serial.
+func (c *Client) verifyPeerCertificateSerial(conf *VerifyConfig) func(_ [][]byte, verifiedChains [][]*x509.Certificate) (err error) {
+	return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
+		return c.VerifyPeerCertificate(context.TODO(), verifiedChains, conf)
+	}
+}
+
+func (c *Client) extractOCSPCacheResponseValueWithoutSubject(cacheValue ocspCachedResponse) (*ocspStatus, error) {
+	return c.extractOCSPCacheResponseValue(&cacheValue, nil, nil)
+}
+
+func (c *Client) extractOCSPCacheResponseValue(cacheValue *ocspCachedResponse, subject, issuer *x509.Certificate) (*ocspStatus, error) {
+	subjectName := "Unknown"
+	if subject != nil {
+		subjectName = subject.Subject.CommonName
+	}
+
+	curTime := time.Now()
+	if cacheValue == nil {
+		return &ocspStatus{
+			code: ocspMissedCache,
+			err:  fmt.Errorf("miss cache data. subject: %v", subjectName),
+		}, nil
+	}
+	currentTime := float64(curTime.UTC().Unix())
+	if currentTime-cacheValue.time >= cacheExpire {
+		return &ocspStatus{
+			code: ocspCacheExpired,
+			err: fmt.Errorf("cache expired. current: %v, cache: %v",
+				time.Unix(int64(currentTime), 0).UTC(), time.Unix(int64(cacheValue.time), 0).UTC()),
+		}, nil
+	}
+
+	return validateOCSP(&ocsp.Response{
+		ProducedAt: time.Unix(int64(cacheValue.producedAt), 0).UTC(),
+		ThisUpdate: time.Unix(int64(cacheValue.thisUpdate), 0).UTC(),
+		NextUpdate: time.Unix(int64(cacheValue.nextUpdate), 0).UTC(),
+		Status:     int(cacheValue.status),
+	})
+}
+
+/*
+// writeOCSPCache writes a OCSP Response cache
+func (c *Client) writeOCSPCache(ctx context.Context, storage logical.Storage) error {
+	c.Logger().Debug("writing OCSP Response cache")
+	t := time.Now()
+	m := make(map[string][]interface{})
+	keys := c.ocspResponseCache.Keys()
+	if len(keys) > persistedCacheSize {
+		keys = keys[:persistedCacheSize]
+	}
+	for _, k := range keys {
+		e, ok := c.ocspResponseCache.Get(k)
+		if ok {
+			entry := e.(*ocspCachedResponse)
+			// Don't store if expired
+			if isInValidityRange(t, time.Unix(int64(entry.thisUpdate), 0), time.Unix(int64(entry.nextUpdate), 0)) {
+				key := k.(certIDKey)
+				cacheKeyInBase64, err := decodeCertIDKey(&key)
+				if err != nil {
+					return err
+				}
+				m[cacheKeyInBase64] = []interface{}{entry.status, entry.time, entry.producedAt, entry.thisUpdate, entry.nextUpdate}
+			}
+		}
+	}
+
+	v, err := jsonutil.EncodeJSONAndCompress(m, nil)
+	if err != nil {
+		return err
+	}
+	entry := logical.StorageEntry{
+		Key:   ocspCacheKey,
+		Value: v,
+	}
+	return storage.Put(ctx, &entry)
+}
+
+// readOCSPCache reads a OCSP Response cache from storage
+func (c *Client) readOCSPCache(ctx context.Context, storage logical.Storage) error {
+	c.Logger().Debug("reading OCSP Response cache")
+
+	entry, err := storage.Get(ctx, ocspCacheKey)
+	if err != nil {
+		return err
+	}
+	if entry == nil {
+		return nil
+	}
+	var untypedCache map[string][]interface{}
+
+	err = jsonutil.DecodeJSON(entry.Value, &untypedCache)
+	if err != nil {
+		return errors.New("failed to unmarshal OCSP cache")
 	}
 
-	if secret == nil {
-		// Don't output anything unless using the "table" format
-		if Format(c.UI) == "table" {
-			c.UI.Info(fmt.Sprintf("Success! Data deleted (if it existed) at: %s", fullPath))
+	for k, v := range untypedCache {
+		key, err := c.encodeCertIDKey(k)
+		if err != nil {
+			return err
+		}
+		var times [4]float64
+		for i, t := range v[1:] {
+			if jn, ok := t.(json.Number); ok {
+				times[i], err = jn.Float64()
+				if err != nil {
+					return err
+				}
+			} else {
+				times[i] = t.(float64)
+			}
+		}
+		var status int
+		if jn, ok := v[0].(json.Number); ok {
+			s, err := jn.Int64()
+			if err != nil {
+				return err
+			}
+			status = int(s)
+		} else {
+			status = v[0].(int)
 		}
-		return 0
+
+		c.ocspResponseCache.Add(*key, &ocspCachedResponse{
+			status:     ocspStatusCode(status),
+			time:       times[0],
+			producedAt: times[1],
+			thisUpdate: times[2],
+			nextUpdate: times[3],
+		})
 	}
 
-	if c.flagField != "" {
-		return PrintRawField(c.UI, secret, c.flagField)
+	return nil
+}
+*/
+
+func New(logFactory func() hclog.Logger, cacheSize int) *Client {
+	if cacheSize < 100 {
+		cacheSize = 100
 	}
+	cache, _ := lru.New2Q(cacheSize)
+	c := Client{
+		caRoot:            make(map[string]*x509.Certificate),
+		ocspResponseCache: cache,
+		logFactory:        logFactory,
+	}
+
+	return &c
+}
 
-	return OutputSecret(c.UI, secret)
+func (c *Client) Logger() hclog.Logger {
+	return c.logFactory()
 }
 
-func (c *KVDeleteCommand) deleteV2(path, mountPath string, client *api.Client) (*api.Secret, error) {
-	var err error
-	var secret *api.Secret
-	switch {
-	case len(c.flagVersions) > 0:
-		path = addPrefixToKVPath(path, mountPath, "delete", false)
-		data := map[string]interface{}{
-			"versions": kvParseVersionsFlags(c.flagVersions),
+// insecureOcspTransport is the transport object that doesn't do certificate revocation check.
+func newInsecureOcspTransport(extraCas []*x509.Certificate) *http.Transport {
+	// Get the SystemCertPool, continue with an empty pool on error
+	rootCAs, _ := x509.SystemCertPool()
+	if rootCAs == nil {
+		rootCAs = x509.NewCertPool()
+	}
+	for _, c := range extraCas {
+		rootCAs.AddCert(c)
+	}
+	config := &tls.Config{
+		RootCAs: rootCAs,
+	}
+	return &http.Transport{
+		MaxIdleConns:    10,
+		IdleConnTimeout: 30 * time.Minute,
+		Proxy:           http.ProxyFromEnvironment,
+		DialContext: (&net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+		}).DialContext,
+		TLSClientConfig: config,
+	}
+}
+
+// NewTransport includes the certificate revocation check with OCSP in sequential.
+func (c *Client) NewTransport(conf *VerifyConfig) *http.Transport {
+	rootCAs := c.certPool
+	if rootCAs == nil {
+		rootCAs, _ = x509.SystemCertPool()
+	}
+	if rootCAs == nil {
+		rootCAs = x509.NewCertPool()
+	}
+	for _, c := range conf.ExtraCas {
+		rootCAs.AddCert(c)
+	}
+	return &http.Transport{
+		TLSClientConfig: &tls.Config{
+			RootCAs:               rootCAs,
+			VerifyPeerCertificate: c.verifyPeerCertificateSerial(conf),
+		},
+		MaxIdleConns:    10,
+		IdleConnTimeout: 30 * time.Minute,
+		Proxy:           http.ProxyFromEnvironment,
+		DialContext: (&net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+		}).DialContext,
+	}
+}
+
+/*
+func (c *Client) WriteCache(ctx context.Context, storage logical.Storage) error {
+	c.ocspResponseCacheLock.Lock()
+	defer c.ocspResponseCacheLock.Unlock()
+	if c.cacheUpdated {
+		err := c.writeOCSPCache(ctx, storage)
+		if err == nil {
+			c.cacheUpdated = false
 		}
-		secret, err = client.Logical().Write(path, data)
-	default:
-		path = addPrefixToKVPath(path, mountPath, "data", false)
-		secret, err = client.Logical().Delete(path)
+		return err
 	}
+	return nil
+}
 
-	return secret, err
+func (c *Client) ReadCache(ctx context.Context, storage logical.Storage) error {
+	c.ocspResponseCacheLock.Lock()
+	defer c.ocspResponseCacheLock.Unlock()
+	return c.readOCSPCache(ctx, storage)
 }
+*/
+/*
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright (c) 2017-2022 Snowflake Computing Inc. All rights reserved.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
diff --git a/command/kv_destroy.go b/command/kv_destroy.go
index bc73021fff82..f2a9659efdf4 100644
--- a/command/kv_destroy.go
+++ b/command/kv_destroy.go
@@ -1,185 +1,100 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"path"
-	"strings"
-
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*KVDestroyCommand)(nil)
-	_ cli.CommandAutocomplete = (*KVDestroyCommand)(nil)
-)
-
-type KVDestroyCommand struct {
-	*BaseCommand
-
-	flagVersions []string
-	flagMount    string
-}
-
-func (c *KVDestroyCommand) Synopsis() string {
-	return "Permanently removes one or more versions in the KV store"
-}
-
-func (c *KVDestroyCommand) Help() string {
-	helpText := `
-Usage: vault kv destroy [options] KEY
-
-  Permanently removes the specified versions' data from the key-value store. If
-  no key exists at the path, no action is taken.
-
-  To destroy version 3 of key foo:
-
-      $ vault kv destroy -mount=secret -versions=3 foo
-
-  The deprecated path-like syntax can also be used, but this should be avoided 
-  for KV v2, as the fact that it is not actually the full API path to 
-  the secret (secret/data/foo) can cause confusion: 
-  
-      $ vault kv destroy -versions=3 secret/foo
-
-  Additional flags and more advanced use cases are detailed below.
-
-` + c.Flags().Help()
-	return strings.TrimSpace(helpText)
-}
-
-func (c *KVDestroyCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-
-	// Common Options
-	f := set.NewFlagSet("Common Options")
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:    "versions",
-		Target:  &c.flagVersions,
-		Default: nil,
-		Usage:   `Specifies the version numbers to destroy.`,
-	})
-
-	f.StringVar(&StringVar{
-		Name:    "mount",
-		Target:  &c.flagMount,
-		Default: "", // no default, because the handling of the next arg is determined by whether this flag has a value
-		Usage: `Specifies the path where the KV backend is mounted. If specified, 
-		the next argument will be interpreted as the secret path. If this flag is 
-		not specified, the next argument will be interpreted as the combined mount 
-		path and secret path, with /data/ automatically appended between KV 
-		v2 secrets.`,
-	})
-
-	return set
-}
-
-func (c *KVDestroyCommand) AutocompleteArgs() complete.Predictor {
-	return nil
-}
-
-func (c *KVDestroyCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *KVDestroyCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
-	}
-
-	if len(c.flagVersions) == 0 {
-		c.UI.Error("No versions provided, use the \"-versions\" flag to specify the version to destroy.")
-		return 1
-	}
-
-	var err error
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	// If true, we're working with "-mount=secret foo" syntax.
-	// If false, we're using "secret/foo" syntax.
-	mountFlagSyntax := c.flagMount != ""
-
-	var (
-		mountPath   string
-		partialPath string
-		v2          bool
-	)
-
-	// Parse the paths and grab the KV version
-	if mountFlagSyntax {
-		// In this case, this arg is the secret path (e.g. "foo").
-		partialPath = sanitizePath(args[0])
-		mountPath, v2, err = isKVv2(sanitizePath(c.flagMount), client)
-		if err != nil {
-			c.UI.Error(err.Error())
-			return 2
-		}
-
-		if v2 {
-			partialPath = path.Join(mountPath, partialPath)
-		}
-	} else {
-		// In this case, this arg is a path-like combination of mountPath/secretPath.
-		// (e.g. "secret/foo")
-		partialPath = sanitizePath(args[0])
-		mountPath, v2, err = isKVv2(partialPath, client)
-		if err != nil {
-			c.UI.Error(err.Error())
-			return 2
-		}
-	}
-
-	if !v2 {
-		c.UI.Error("Destroy not supported on KV Version 1")
-		return 1
-	}
-	destroyPath := addPrefixToKVPath(partialPath, mountPath, "destroy", false)
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	data := map[string]interface{}{
-		"versions": kvParseVersionsFlags(c.flagVersions),
-	}
-
-	secret, err := client.Logical().Write(destroyPath, data)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error writing data to %s: %s", destroyPath, err))
-		if secret != nil {
-			OutputSecret(c.UI, secret)
-		}
-		return 2
-	}
-	if secret == nil {
-		// Don't output anything unless using the "table" format
-		if Format(c.UI) == "table" {
-			c.UI.Info(fmt.Sprintf("Success! Data written to: %s", destroyPath))
-		}
-		return 0
-	}
-
-	return OutputSecret(c.UI, secret)
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'ember-qunit';
+import { render } from '@ember/test-helpers';
+import hbs from 'htmlbars-inline-precompile';
+import { stubFeaturesAndPermissions } from 'vault/tests/helpers/components/sidebar-nav';
+
+const renderComponent = () => {
+  return render(hbs`
+    <Sidebar::Frame @isVisible={{true}}>
+      <Sidebar::Nav::Cluster />
+    </Sidebar::Frame>
+  `);
+};
+
+module('Integration | Component | sidebar-nav-cluster', function (hooks) {
+  setupRenderingTest(hooks);
+
+  test('it should render nav headings', async function (assert) {
+    const headings = ['Vault', 'Monitoring'];
+    stubFeaturesAndPermissions(this.owner, true, true);
+    await renderComponent();
+
+    assert
+      .dom('[data-test-sidebar-nav-heading]')
+      .exists({ count: headings.length }, 'Correct number of headings render');
+    headings.forEach((heading) => {
+      assert
+        .dom(`[data-test-sidebar-nav-heading="${heading}"]`)
+        .hasText(heading, `${heading} heading renders`);
+    });
+  });
+
+  test('it should hide links and headings user does not have access too', async function (assert) {
+    await renderComponent();
+    assert
+      .dom('[data-test-sidebar-nav-link]')
+      .exists({ count: 3 }, 'Nav links are hidden other than secrets, secrets sync and dashboard');
+    assert
+      .dom('[data-test-sidebar-nav-heading]')
+      .exists({ count: 1 }, 'Headings are hidden other than Vault');
+  });
+
+  test('it should render nav links', async function (assert) {
+    const links = [
+      'Dashboard',
+      'Secrets Engines',
+      'Secrets Sync',
+      'Access',
+      'Policies',
+      'Tools',
+      'Replication',
+      'Raft Storage',
+      'Client Count',
+      'License',
+      'Seal Vault',
+    ];
+    stubFeaturesAndPermissions(this.owner, true, true);
+    await renderComponent();
+
+    assert
+      .dom('[data-test-sidebar-nav-link]')
+      .exists({ count: links.length }, 'Correct number of links render');
+    links.forEach((link) => {
+      assert.dom(`[data-test-sidebar-nav-link="${link}"]`).hasText(link, `${link} link renders`);
+    });
+  });
+
+  test('it should hide enterprise related links in child namespace', async function (assert) {
+    const links = [
+      'Disaster Recovery',
+      'Performance',
+      'Replication',
+      'Raft Storage',
+      'License',
+      'Seal Vault',
+    ];
+    this.owner.lookup('service:namespace').set('path', 'foo');
+    const stubs = stubFeaturesAndPermissions(this.owner, true, true);
+    stubs.hasNavPermission.callsFake((route) => route !== 'clients');
+
+    await renderComponent();
+
+    assert
+      .dom('[data-test-sidebar-nav-heading="Monitoring"]')
+      .doesNotExist(
+        'Monitoring heading is hidden in child namespace when user does not have access to Client Count'
+      );
+
+    links.forEach((link) => {
+      assert
+        .dom(`[data-test-sidebar-nav-link="${link}"]`)
+        .doesNotExist(`${link} is hidden in child namespace`);
+    });
+  });
+});
diff --git a/command/kv_enable_versioning.go b/command/kv_enable_versioning.go
index 1b522269034b..2b0ecff88ddf 100644
--- a/command/kv_enable_versioning.go
+++ b/command/kv_enable_versioning.go
@@ -1,94 +1,110 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*KVEnableVersioningCommand)(nil)
-	_ cli.CommandAutocomplete = (*KVEnableVersioningCommand)(nil)
-)
-
-type KVEnableVersioningCommand struct {
-	*BaseCommand
-}
-
-func (c *KVEnableVersioningCommand) Synopsis() string {
-	return "Turns on versioning for a KV store"
-}
-
-func (c *KVEnableVersioningCommand) Help() string {
-	helpText := `
-Usage: vault kv enable-versioning [options] KEY
-
-  This command turns on versioning for the backend at the provided path.
-
-      $ vault kv enable-versioning secret
-
-  Additional flags and more advanced use cases are detailed below.
-
-` + c.Flags().Help()
-	return strings.TrimSpace(helpText)
-}
-
-func (c *KVEnableVersioningCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-
-	return set
-}
-
-func (c *KVEnableVersioningCommand) AutocompleteArgs() complete.Predictor {
-	return nil
-}
-
-func (c *KVEnableVersioningCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *KVEnableVersioningCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	// Append a trailing slash to indicate it's a path in output
-	mountPath := ensureTrailingSlash(sanitizePath(args[0]))
-
-	if err := client.Sys().TuneMount(mountPath, api.MountConfigInput{
-		Options: map[string]string{
-			"version": "2",
-		},
-	}); err != nil {
-		c.UI.Error(fmt.Sprintf("Error tuning secrets engine %s: %s", mountPath, err))
-		return 2
-	}
-
-	c.UI.Output(fmt.Sprintf("Success! Tuned the secrets engine at: %s", mountPath))
-	return 0
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<Hds::SideNav::Portal @ariaLabel="Cluster Navigation Links" data-test-sidebar-nav-panel="Cluster" as |Nav|>
+  <Nav.Title data-test-sidebar-nav-heading="Vault">Vault</Nav.Title>
+
+  <Nav.Link @route="vault.cluster.dashboard" @text="Dashboard" data-test-sidebar-nav-link="Dashboard" />
+  <Nav.Link
+    @route="vault.cluster.secrets"
+    @current-when="vault.cluster.secrets vault.cluster.settings.mount-secret-backend vault.cluster.settings.configure-secret-backend"
+    @text="Secrets Engines"
+    data-test-sidebar-nav-link="Secrets Engines"
+  />
+  <Nav.Link
+    @route="vault.cluster.sync"
+    @text="Secrets Sync"
+    @badge={{unless this.version.isEnterprise "Enterprise"}}
+    data-test-sidebar-nav-link="Secrets Sync"
+  />
+  {{#if (has-permission "access")}}
+    <Nav.Link
+      @route={{get (route-params-for "access") "route"}}
+      @models={{get (route-params-for "access") "models"}}
+      @current-when="vault.cluster.access vault.cluster.settings.auth"
+      @text="Access"
+      @hasSubItems={{true}}
+      data-test-sidebar-nav-link="Access"
+    />
+  {{/if}}
+  {{#if (has-permission "policies")}}
+    <Nav.Link
+      @route="vault.cluster.policies"
+      @models={{get (route-params-for "policies") "models"}}
+      @text="Policies"
+      @hasSubItems={{true}}
+      data-test-sidebar-nav-link="Policies"
+    />
+  {{/if}}
+  {{#if (has-permission "tools")}}
+    <Nav.Link
+      @route="vault.cluster.tools.tool"
+      @models={{get (route-params-for "tools") "models"}}
+      @text="Tools"
+      @hasSubItems={{true}}
+      data-test-sidebar-nav-link="Tools"
+    />
+  {{/if}}
+
+  {{#if
+    (or
+      (and
+        this.namespace.inRootNamespace (has-permission "status" routeParams=(array "replication" "raft" "license" "seal"))
+      )
+      (has-permission "clients" routeParams="activity")
+    )
+  }}
+    <Nav.Title data-test-sidebar-nav-heading="Monitoring">Monitoring</Nav.Title>
+  {{/if}}
+  {{#if
+    (and
+      this.version.isEnterprise
+      this.namespace.inRootNamespace
+      (not this.cluster.replicationRedacted)
+      (has-permission "status" routeParams="replication")
+    )
+  }}
+    <Nav.Link
+      @route="vault.cluster.replication.index"
+      @text="Replication"
+      data-test-sidebar-nav-link="Replication"
+      @hasSubItems={{true}}
+    />
+  {{/if}}
+  {{#if (and this.cluster.usingRaft this.namespace.inRootNamespace (has-permission "status" routeParams="raft"))}}
+    <Nav.Link
+      @route="vault.cluster.storage"
+      @model={{this.cluster.name}}
+      @text="Raft Storage"
+      data-test-sidebar-nav-link="Raft Storage"
+    />
+  {{/if}}
+  {{#if (and (has-permission "clients" routeParams="activity") (not this.cluster.dr.isSecondary))}}
+    <Nav.Link @route="vault.cluster.clients" @text="Client Count" data-test-sidebar-nav-link="Client Count" />
+  {{/if}}
+  {{#if
+    (and
+      this.version.features
+      this.namespace.inRootNamespace
+      (has-permission "status" routeParams="license")
+      (not this.cluster.dr.isSecondary)
+    )
+  }}
+    <Nav.Link
+      @route="vault.cluster.license"
+      @model={{this.cluster.name}}
+      @text="License"
+      data-test-sidebar-nav-link="License"
+    />
+  {{/if}}
+  {{#if (and this.namespace.inRootNamespace (has-permission "status" routeParams="seal") (not this.cluster.dr.isSecondary))}}
+    <Nav.Link
+      @route="vault.cluster.settings.seal"
+      @model={{this.cluster.name}}
+      @text="Seal Vault"
+      data-test-sidebar-nav-link="Seal Vault"
+    />
+  {{/if}}
+</Hds::SideNav::Portal>
\ No newline at end of file
diff --git a/command/kv_get.go b/command/kv_get.go
index d852a722b48e..7d55d33b90ad 100644
--- a/command/kv_get.go
+++ b/command/kv_get.go
@@ -1,243 +1,145 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"path"
-	"strings"
-
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*KVGetCommand)(nil)
-	_ cli.CommandAutocomplete = (*KVGetCommand)(nil)
-)
-
-type KVGetCommand struct {
-	*BaseCommand
-
-	flagVersion int
-	flagMount   string
-}
-
-func (c *KVGetCommand) Synopsis() string {
-	return "Retrieves data from the KV store"
-}
-
-func (c *KVGetCommand) Help() string {
-	helpText := `
-Usage: vault kv get [options] KEY
-
-  Retrieves the value from Vault's key-value store at the given key name. If no
-  key exists with that name, an error is returned. If a key exists with that
-  name but has no data, nothing is returned.
-
-      $ vault kv get -mount=secret foo
-
-  The deprecated path-like syntax can also be used, but this should be avoided 
-  for KV v2, as the fact that it is not actually the full API path to 
-  the secret (secret/data/foo) can cause confusion: 
-  
-      $ vault kv get secret/foo
-
-  To view the given key name at a specific version in time, specify the "-version"
-  flag:
-
-      $ vault kv get -mount=secret -version=1 foo
-
-  Additional flags and more advanced use cases are detailed below.
-
-` + c.Flags().Help()
-	return strings.TrimSpace(helpText)
-}
-
-func (c *KVGetCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
-
-	// Common Options
-	f := set.NewFlagSet("Common Options")
-
-	f.IntVar(&IntVar{
-		Name:    "version",
-		Target:  &c.flagVersion,
-		Default: 0,
-		Usage:   `If passed, the value at the version number will be returned.`,
-	})
-
-	f.StringVar(&StringVar{
-		Name:    "mount",
-		Target:  &c.flagMount,
-		Default: "", // no default, because the handling of the next arg is determined by whether this flag has a value
-		Usage: `Specifies the path where the KV backend is mounted. If specified, 
-		the next argument will be interpreted as the secret path. If this flag is 
-		not specified, the next argument will be interpreted as the combined mount 
-		path and secret path, with /data/ automatically appended between KV 
-		v2 secrets.`,
-	})
-
-	return set
-}
-
-func (c *KVGetCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultFiles()
-}
-
-func (c *KVGetCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *KVGetCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	// If true, we're working with "-mount=secret foo" syntax.
-	// If false, we're using "secret/foo" syntax.
-	mountFlagSyntax := c.flagMount != ""
-
-	var (
-		mountPath string
-		v2        bool
-	)
-
-	// Ignore leading slash
-	partialPath := strings.TrimPrefix(args[0], "/")
-
-	// Parse the paths and grab the KV version
-	if mountFlagSyntax {
-		// In this case, this arg is the secret path (e.g. "foo").
-		mountPath, v2, err = isKVv2(sanitizePath(c.flagMount), client)
-		if err != nil {
-			c.UI.Error(err.Error())
-			return 2
-		}
-
-		if v2 {
-			partialPath = path.Join(mountPath, partialPath)
-		}
-	} else {
-		// In this case, this arg is a path-like combination of mountPath/secretPath.
-		// (e.g. "secret/foo")
-		mountPath, v2, err = isKVv2(partialPath, client)
-		if err != nil {
-			c.UI.Error(err.Error())
-			return 2
-		}
-	}
-
-	var versionParam map[string]string
-	var fullPath string
-	// Add /data to v2 paths only
-	if v2 {
-		fullPath = addPrefixToKVPath(partialPath, mountPath, "data", false)
-
-		if c.flagVersion > 0 {
-			versionParam = map[string]string{
-				"version": fmt.Sprintf("%d", c.flagVersion),
-			}
-		}
-	} else {
-		// v1
-		if mountFlagSyntax {
-			fullPath = path.Join(mountPath, partialPath)
-		} else {
-			fullPath = partialPath
-		}
-	}
-
-	secret, err := kvReadRequest(client, fullPath, versionParam)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error reading %s: %s", fullPath, err))
-		if secret != nil {
-			OutputSecret(c.UI, secret)
-		}
-		return 2
-	}
-	if secret == nil {
-		c.UI.Error(fmt.Sprintf("No value found at %s", fullPath))
-		return 2
-	}
-
-	if c.flagField != "" {
-		if v2 {
-			// This is a v2, pass in the data field
-			if data, ok := secret.Data["data"]; ok && data != nil {
-				// If they requested a literal "data" see if they meant actual
-				// value or the data block itself
-				if c.flagField == "data" {
-					if dataMap, ok := data.(map[string]interface{}); ok {
-						if _, ok := dataMap["data"]; ok {
-							return PrintRawField(c.UI, dataMap, c.flagField)
-						}
-					}
-					return PrintRawField(c.UI, secret, c.flagField)
-				}
-				return PrintRawField(c.UI, data, c.flagField)
-			} else {
-				c.UI.Error(fmt.Sprintf("No data found at %s", fullPath))
-				return 2
-			}
-		} else {
-			return PrintRawField(c.UI, secret, c.flagField)
-		}
-	}
-
-	// If we have wrap info print the secret normally.
-	if secret.WrapInfo != nil || c.flagFormat != "table" {
-		return OutputSecret(c.UI, secret)
-	}
-
-	if len(secret.Warnings) > 0 {
-		tf := TableFormatter{}
-		tf.printWarnings(c.UI, secret)
-	}
-
-	if v2 {
-		outputPath(c.UI, fullPath, "Secret Path")
-	}
-
-	if metadata, ok := secret.Data["metadata"]; ok && metadata != nil {
-		c.UI.Info(getHeaderForMap("Metadata", metadata.(map[string]interface{})))
-		OutputData(c.UI, metadata)
-		c.UI.Info("")
-	}
-
-	data := secret.Data
-	if v2 && data != nil {
-		data = nil
-		dataRaw := secret.Data["data"]
-		if dataRaw != nil {
-			data = dataRaw.(map[string]interface{})
-		}
-	}
-
-	if data != nil {
-		c.UI.Info(getHeaderForMap("Data", data))
-		OutputData(c.UI, data)
-	}
-
-	return 0
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { inject as service } from '@ember/service';
+import { computed } from '@ember/object';
+import { reject } from 'rsvp';
+import Route from '@ember/routing/route';
+import { task, timeout } from 'ember-concurrency';
+import Ember from 'ember';
+import getStorage from '../../lib/token-storage';
+import localStorage from 'vault/lib/local-storage';
+import ClusterRoute from 'vault/mixins/cluster-route';
+import ModelBoundaryRoute from 'vault/mixins/model-boundary-route';
+import { assert } from '@ember/debug';
+
+const POLL_INTERVAL_MS = 10000;
+
+export const getManagedNamespace = (nsParam, root) => {
+  if (!nsParam || nsParam.replaceAll('/', '') === root) return root;
+  // Check if param starts with root and /
+  if (nsParam.startsWith(`${root}/`)) {
+    return nsParam;
+  }
+  // Otherwise prepend the given param with the root
+  return `${root}/${nsParam}`;
+};
+
+export default Route.extend(ModelBoundaryRoute, ClusterRoute, {
+  namespaceService: service('namespace'),
+  version: service(),
+  permissions: service(),
+  store: service(),
+  auth: service(),
+  featureFlagService: service('featureFlag'),
+  currentCluster: service(),
+  modelTypes: computed(function () {
+    return ['node', 'secret', 'secret-engine'];
+  }),
+
+  queryParams: {
+    namespaceQueryParam: {
+      refreshModel: true,
+    },
+  },
+
+  getClusterId(params) {
+    const { cluster_name } = params;
+    const cluster = this.modelFor('vault').findBy('name', cluster_name);
+    return cluster ? cluster.get('id') : null;
+  },
+
+  async beforeModel() {
+    const params = this.paramsFor(this.routeName);
+    let namespace = params.namespaceQueryParam;
+    const currentTokenName = this.auth.get('currentTokenName');
+    const managedRoot = this.featureFlagService.managedNamespaceRoot;
+    assert(
+      'Cannot use VAULT_CLOUD_ADMIN_NAMESPACE flag with non-enterprise Vault version',
+      !(managedRoot && this.version.isCommunity)
+    );
+    if (!namespace && currentTokenName && !Ember.testing) {
+      // if no namespace queryParam and user authenticated,
+      // use user's root namespace to redirect to properly param'd url
+      const storage = getStorage().getItem(currentTokenName);
+      namespace = storage?.userRootNamespace;
+      // only redirect if something other than nothing
+      if (namespace) {
+        this.transitionTo({ queryParams: { namespace } });
+      }
+    } else if (managedRoot !== null) {
+      const managed = getManagedNamespace(namespace, managedRoot);
+      if (managed !== namespace) {
+        this.transitionTo({ queryParams: { namespace: managed } });
+      }
+    }
+    this.namespaceService.setNamespace(namespace);
+    const id = this.getClusterId(params);
+    if (id) {
+      this.auth.setCluster(id);
+      if (this.auth.currentToken) {
+        this.version.fetchVersion();
+        await this.permissions.getPaths.perform();
+      }
+      return this.version.fetchFeatures();
+    } else {
+      return reject({ httpStatus: 404, message: 'not found', path: params.cluster_name });
+    }
+  },
+
+  model(params) {
+    // if a user's browser settings block localStorage they will be unable to use Vault. The method will throw the error and the rest of the application will not load.
+    localStorage.isLocalStorageSupported();
+
+    const id = this.getClusterId(params);
+    return this.store.findRecord('cluster', id);
+  },
+
+  poll: task(function* () {
+    while (true) {
+      // when testing, the polling loop causes promises to never settle so acceptance tests hang
+      // to get around that, we just disable the poll in tests
+      if (Ember.testing) {
+        return;
+      }
+      yield timeout(POLL_INTERVAL_MS);
+      try {
+        /* eslint-disable-next-line ember/no-controller-access-in-routes */
+        yield this.controller.model.reload();
+        yield this.transitionToTargetRoute();
+      } catch (e) {
+        // we want to keep polling here
+      }
+    }
+  })
+    .cancelOn('deactivate')
+    .keepLatest(),
+
+  afterModel(model, transition) {
+    this._super(...arguments);
+    this.currentCluster.setCluster(model);
+
+    // Check that namespaces is enabled and if not,
+    // clear the namespace by transition to this route w/o it
+    if (this.namespaceService.path && !this.version.hasNamespaces) {
+      return this.transitionTo(this.routeName, { queryParams: { namespace: '' } });
+    }
+    return this.transitionToTargetRoute(transition);
+  },
+
+  setupController() {
+    this._super(...arguments);
+    this.poll.perform();
+  },
+
+  actions: {
+    error(e) {
+      if (e.httpStatus === 503 && e.errors[0] === 'Vault is sealed') {
+        this.refresh();
+      }
+      return true;
+    },
+  },
+});
diff --git a/command/kv_helpers.go b/command/kv_helpers.go
index 844af21848d2..c5be6d878c33 100644
--- a/command/kv_helpers.go
+++ b/command/kv_helpers.go
@@ -1,269 +1,20 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"io"
-	paths "path"
-	"sort"
-	"strings"
-
-	"github.com/hashicorp/go-secure-stdlib/strutil"
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-)
-
-func kvReadRequest(client *api.Client, path string, params map[string]string) (*api.Secret, error) {
-	r := client.NewRequest("GET", "/v1/"+path)
-	for k, v := range params {
-		r.Params.Set(k, v)
-	}
-	resp, err := client.RawRequest(r)
-	if resp != nil {
-		defer resp.Body.Close()
-	}
-	if resp != nil && resp.StatusCode == 404 {
-		secret, parseErr := api.ParseSecret(resp.Body)
-		switch parseErr {
-		case nil:
-		case io.EOF:
-			return nil, nil
-		default:
-			return nil, err
-		}
-		if secret != nil && (len(secret.Warnings) > 0 || len(secret.Data) > 0) {
-			return secret, nil
-		}
-		return nil, nil
-	}
-	if err != nil {
-		return nil, err
-	}
-
-	return api.ParseSecret(resp.Body)
-}
-
-func kvPreflightVersionRequest(client *api.Client, path string) (string, int, error) {
-	// We don't want to use a wrapping call here so save any custom value and
-	// restore after
-	currentWrappingLookupFunc := client.CurrentWrappingLookupFunc()
-	client.SetWrappingLookupFunc(nil)
-	defer client.SetWrappingLookupFunc(currentWrappingLookupFunc)
-	currentOutputCurlString := client.OutputCurlString()
-	client.SetOutputCurlString(false)
-	defer client.SetOutputCurlString(currentOutputCurlString)
-	currentOutputPolicy := client.OutputPolicy()
-	client.SetOutputPolicy(false)
-	defer client.SetOutputPolicy(currentOutputPolicy)
-
-	r := client.NewRequest("GET", "/v1/sys/internal/ui/mounts/"+path)
-	resp, err := client.RawRequest(r)
-	if resp != nil {
-		defer resp.Body.Close()
-	}
-	if err != nil {
-		// If we get a 404 we are using an older version of vault, default to
-		// version 1
-		if resp != nil {
-			if resp.StatusCode == 404 {
-				return "", 1, nil
-			}
-
-			// if the original request had the -output-curl-string or -output-policy flag,
-			if (currentOutputCurlString || currentOutputPolicy) && resp.StatusCode == 403 {
-				// we provide a more helpful error for the user,
-				// who may not understand why the flag isn't working.
-				err = fmt.Errorf(
-					`This output flag requires the success of a preflight request 
-to determine the version of a KV secrets engine. Please 
-re-run this command with a token with read access to %s. 
-Note that if the path you are trying to reach is a KV v2 path, your token's policy must 
-allow read access to that path in the format 'mount-path/data/foo', not just 'mount-path/foo'.`, path)
-			}
-		}
-
-		return "", 0, err
-	}
-
-	secret, err := api.ParseSecret(resp.Body)
-	if err != nil {
-		return "", 0, err
-	}
-	if secret == nil {
-		return "", 0, errors.New("nil response from pre-flight request")
-	}
-	var mountPath string
-	if mountPathRaw, ok := secret.Data["path"]; ok {
-		mountPath = mountPathRaw.(string)
-	}
-	options := secret.Data["options"]
-	if options == nil {
-		return mountPath, 1, nil
-	}
-	versionRaw := options.(map[string]interface{})["version"]
-	if versionRaw == nil {
-		return mountPath, 1, nil
-	}
-	version := versionRaw.(string)
-	switch version {
-	case "", "1":
-		return mountPath, 1, nil
-	case "2":
-		return mountPath, 2, nil
-	}
-
-	return mountPath, 1, nil
-}
-
-func isKVv2(path string, client *api.Client) (string, bool, error) {
-	mountPath, version, err := kvPreflightVersionRequest(client, path)
-	if err != nil {
-		return "", false, err
-	}
-
-	return mountPath, version == 2, nil
-}
-
-func addPrefixToKVPath(path, mountPath, apiPrefix string, skipIfExists bool) string {
-	if path == mountPath || path == strings.TrimSuffix(mountPath, "/") {
-		return paths.Join(mountPath, apiPrefix)
-	}
-
-	pathSuffix := strings.TrimPrefix(path, mountPath)
-	for {
-		// If the entire mountPath is included in the path, we are done
-		if pathSuffix != path {
-			break
-		}
-		// Trim the parts of the mountPath that are not included in the
-		// path, for example, in cases where the mountPath contains
-		// namespaces which are not included in the path.
-		partialMountPath := strings.SplitN(mountPath, "/", 2)
-		if len(partialMountPath) <= 1 || partialMountPath[1] == "" {
-			break
-		}
-		mountPath = strings.TrimSuffix(partialMountPath[1], "/")
-		pathSuffix = strings.TrimPrefix(pathSuffix, mountPath)
-	}
-
-	if skipIfExists {
-		if strings.HasPrefix(pathSuffix, apiPrefix) || strings.HasPrefix(pathSuffix, "/"+apiPrefix) {
-			return paths.Join(mountPath, pathSuffix)
-		}
-	}
-
-	return paths.Join(mountPath, apiPrefix, pathSuffix)
-}
-
-func getHeaderForMap(header string, data map[string]interface{}) string {
-	maxKey := 0
-	for k := range data {
-		if len(k) > maxKey {
-			maxKey = len(k)
-		}
-	}
-
-	// 4 for the column spaces and 5 for the len("value")
-	totalLen := maxKey + 4 + 5
-
-	return padEqualSigns(header, totalLen)
-}
-
-func kvParseVersionsFlags(versions []string) []string {
-	versionsOut := make([]string, 0, len(versions))
-	for _, v := range versions {
-		versionsOut = append(versionsOut, strutil.ParseStringSlice(v, ",")...)
-	}
-
-	return versionsOut
-}
-
-func outputPath(ui cli.Ui, path string, title string) {
-	ui.Info(padEqualSigns(title, len(path)))
-	ui.Info(path)
-	ui.Info("")
-}
-
-// Pad the table header with equal signs on each side
-func padEqualSigns(header string, totalLen int) string {
-	equalSigns := totalLen - (len(header) + 2)
-
-	// If we have zero or fewer equal signs bump it back up to two on either
-	// side of the header.
-	if equalSigns <= 0 {
-		equalSigns = 4
-	}
-
-	// If the number of equal signs is not divisible by two add a sign.
-	if equalSigns%2 != 0 {
-		equalSigns = equalSigns + 1
-	}
-
-	return fmt.Sprintf("%s %s %s", strings.Repeat("=", equalSigns/2), header, strings.Repeat("=", equalSigns/2))
-}
-
-// walkSecretsTree dfs-traverses the secrets tree rooted at the given path
-// and calls the `visit` functor for each of the directory and leaf paths.
-// Note: for kv-v2, a "metadata" path is expected and "metadata" paths will be
-// returned in the visit functor.
-func walkSecretsTree(ctx context.Context, client *api.Client, path string, visit func(path string, directory bool) error) error {
-	resp, err := client.Logical().ListWithContext(ctx, path)
-	if err != nil {
-		return fmt.Errorf("could not list %q path: %w", path, err)
-	}
-
-	if resp == nil || resp.Data == nil {
-		return fmt.Errorf("no value found at %q: %w", path, err)
-	}
-
-	keysRaw, ok := resp.Data["keys"]
-	if !ok {
-		return fmt.Errorf("unexpected list response at %q", path)
-	}
-
-	keysRawSlice, ok := keysRaw.([]interface{})
-	if !ok {
-		return fmt.Errorf("unexpected list response type %T at %q", keysRaw, path)
-	}
-
-	keys := make([]string, 0, len(keysRawSlice))
-
-	for _, keyRaw := range keysRawSlice {
-		key, ok := keyRaw.(string)
-		if !ok {
-			return fmt.Errorf("unexpected key type %T at %q", keyRaw, path)
-		}
-		keys = append(keys, key)
-	}
-
-	// sort the keys for a deterministic output
-	sort.Strings(keys)
-
-	for _, key := range keys {
-		// the keys are relative to the current path: combine them
-		child := paths.Join(path, key)
-
-		if strings.HasSuffix(key, "/") {
-			// visit the directory
-			if err := visit(child, true); err != nil {
-				return err
-			}
-
-			// this is not a leaf node: we need to go deeper...
-			if err := walkSecretsTree(ctx, client, child, visit); err != nil {
-				return err
-			}
-		} else {
-			// this is a leaf node: add it to the list
-			if err := visit(child, false); err != nil {
-				return err
-			}
-		}
-	}
-
-	return nil
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<div
+  class="has-padding-s has-background-gray-900 border-radius-4 is-flex-between is-flex-center"
+  data-test-code-snippet
+  ...attributes
+>
+  <code class="has-text-white is-size-7">{{@codeBlock}}</code>
+  <Hds::Copy::Button
+    class="has-text-grey-light transparent icon-grey-300"
+    @text="Copy"
+    @textToCopy={{or @clipboardCode @codeBlock}}
+    @isIconOnly={{@isIconOnly}}
+    @container={{@container}}
+    data-test-copy-button={{or @clipboardCode @codeBlock}}
+  />
+</div>
\ No newline at end of file
diff --git a/command/kv_list.go b/command/kv_list.go
index d4733a137f59..d1de67e4def6 100644
--- a/command/kv_list.go
+++ b/command/kv_list.go
@@ -1,179 +1,33 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
+//go:build !enterprise
+
 package command
 
-import (
-	"fmt"
-	"path"
-	"strings"
+//go:generate go run github.com/hashicorp/vault/tools/stubmaker
 
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*KVListCommand)(nil)
-	_ cli.CommandAutocomplete = (*KVListCommand)(nil)
+import (
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/command/server"
+	"github.com/hashicorp/vault/vault"
 )
 
-type KVListCommand struct {
-	*BaseCommand
-	flagMount string
+func entInitCommands(ui, serverCmdUi cli.Ui, runOpts *RunOptions, commands map[string]cli.CommandFactory) {
 }
 
-func (c *KVListCommand) Synopsis() string {
-	return "List data or secrets"
+func entEnableFourClusterDev(c *ServerCommand, base *vault.CoreConfig, info map[string]string, infoKeys []string, tempDir string) int {
+	c.logger.Error("-dev-four-cluster only supported in enterprise Vault")
+	return 1
 }
 
-func (c *KVListCommand) Help() string {
-	helpText := `
-
-Usage: vault kv list [options] PATH
-
-  Lists data from Vault's key-value store at the given path.
-
-  List values under the "my-app" folder of the key-value store:
-
-      $ vault kv list secret/my-app/
-
-  Additional flags and more advanced use cases are detailed below.
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *KVListCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-
-	// Common Options
-	f := set.NewFlagSet("Common Options")
-
-	f.StringVar(&StringVar{
-		Name:    "mount",
-		Target:  &c.flagMount,
-		Default: "", // no default, because the handling of the next arg is determined by whether this flag has a value
-		Usage: `Specifies the path where the KV backend is mounted. If specified, 
-		the next argument will be interpreted as the secret path. If this flag is 
-		not specified, the next argument will be interpreted as the combined mount 
-		path and secret path, with /data/ automatically appended between KV 
-		v2 secrets.`,
-	})
-
-	return set
+func entAdjustCoreConfig(config *server.Config, coreConfig *vault.CoreConfig) {
 }
 
-func (c *KVListCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultFolders()
+func entCheckStorageType(coreConfig *vault.CoreConfig) bool {
+	return true
 }
 
-func (c *KVListCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *KVListCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		if c.flagMount == "" {
-			c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-			return 1
-		}
-		args = []string{""}
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	// If true, we're working with "-mount=secret foo" syntax.
-	// If false, we're using "secret/foo" syntax.
-	mountFlagSyntax := c.flagMount != ""
-
-	var (
-		mountPath   string
-		partialPath string
-		v2          bool
-	)
-
-	// Parse the paths and grab the KV version
-	if mountFlagSyntax {
-		// In this case, this arg is the secret path (e.g. "foo").
-		partialPath = sanitizePath(args[0])
-		mountPath, v2, err = isKVv2(sanitizePath(c.flagMount), client)
-		if err != nil {
-			c.UI.Error(err.Error())
-			return 2
-		}
-
-		if v2 {
-			partialPath = path.Join(mountPath, partialPath)
-		}
-	} else {
-		// In this case, this arg is a path-like combination of mountPath/secretPath.
-		// (e.g. "secret/foo")
-		partialPath = sanitizePath(args[0])
-		mountPath, v2, err = isKVv2(partialPath, client)
-		if err != nil {
-			c.UI.Error(err.Error())
-			return 2
-		}
-	}
-
-	// Add /metadata to v2 paths only
-	var fullPath string
-	if v2 {
-		fullPath = addPrefixToKVPath(partialPath, mountPath, "metadata", false)
-	} else {
-		// v1
-		if mountFlagSyntax {
-			fullPath = path.Join(mountPath, partialPath)
-		} else {
-			fullPath = partialPath
-		}
-	}
-
-	secret, err := client.Logical().List(fullPath)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error listing %s: %s", fullPath, err))
-		return 2
-	}
-
-	// If the secret is wrapped, return the wrapped response.
-	if secret != nil && secret.WrapInfo != nil && secret.WrapInfo.TTL != 0 {
-		return OutputSecret(c.UI, secret)
-	}
-
-	_, ok := extractListData(secret)
-	if Format(c.UI) != "table" {
-		if secret == nil || secret.Data == nil || !ok {
-			OutputData(c.UI, map[string]interface{}{})
-			return 2
-		}
-	}
-
-	if secret == nil || secret.Data == nil {
-		c.UI.Error(fmt.Sprintf("No value found at %s", fullPath))
-		return 2
-	}
-
-	if !ok {
-		c.UI.Error(fmt.Sprintf("No entries found at %s", fullPath))
-		return 2
-	}
-
-	return OutputList(c.UI, secret)
+func entGetFIPSInfoKey() string {
+	return ""
 }
diff --git a/command/kv_metadata.go b/command/kv_metadata.go
index 8c0d2ca59274..5ef880b78742 100644
--- a/command/kv_metadata.go
+++ b/command/kv_metadata.go
@@ -4,54 +4,331 @@
 package command
 
 import (
+	"context"
+	"encoding/base64"
+	"net"
+	"net/http"
 	"strings"
+	"testing"
+	"time"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
+	log "github.com/hashicorp/go-hclog"
+	kv "github.com/hashicorp/vault-plugin-secrets-kv"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/audit"
+	"github.com/hashicorp/vault/builtin/logical/pki"
+	"github.com/hashicorp/vault/builtin/logical/ssh"
+	"github.com/hashicorp/vault/builtin/logical/transit"
+	"github.com/hashicorp/vault/helper/benchhelpers"
+	"github.com/hashicorp/vault/helper/builtinplugins"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/sdk/physical/inmem"
+	"github.com/hashicorp/vault/vault"
+	"github.com/hashicorp/vault/vault/seal"
+
+	auditFile "github.com/hashicorp/vault/builtin/audit/file"
+	credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
+	vaulthttp "github.com/hashicorp/vault/http"
 )
 
-var _ cli.Command = (*KVMetadataCommand)(nil)
+var (
+	defaultVaultLogger = log.NewNullLogger()
+
+	defaultVaultCredentialBackends = map[string]logical.Factory{
+		"userpass": credUserpass.Factory,
+	}
+
+	defaultVaultAuditBackends = map[string]audit.Factory{
+		"file": auditFile.Factory,
+	}
+
+	defaultVaultLogicalBackends = map[string]logical.Factory{
+		"generic-leased": vault.LeasedPassthroughBackendFactory,
+		"pki":            pki.Factory,
+		"ssh":            ssh.Factory,
+		"transit":        transit.Factory,
+		"kv":             kv.Factory,
+	}
+)
+
+// assertNoTabs asserts the CLI help has no tab characters.
+func assertNoTabs(tb testing.TB, c cli.Command) {
+	tb.Helper()
+
+	if strings.ContainsRune(c.Help(), '\t') {
+		tb.Errorf("%#v help output contains tabs", c)
+	}
+}
+
+// testVaultServer creates a test vault cluster and returns a configured API
+// client and closer function.
+func testVaultServer(tb testing.TB) (*api.Client, func()) {
+	tb.Helper()
+
+	client, _, closer := testVaultServerUnseal(tb)
+	return client, closer
+}
+
+func testVaultServerWithSecrets(ctx context.Context, tb testing.TB) (*api.Client, func()) {
+	tb.Helper()
+
+	client, _, closer := testVaultServerUnseal(tb)
+
+	// enable kv-v1 backend
+	if err := client.Sys().Mount("kv-v1/", &api.MountInput{
+		Type: "kv-v1",
+	}); err != nil {
+		tb.Fatal(err)
+	}
+
+	// enable kv-v2 backend
+	if err := client.Sys().Mount("kv-v2/", &api.MountInput{
+		Type: "kv-v2",
+	}); err != nil {
+		tb.Fatal(err)
+	}
+
+	// populate dummy secrets
+	for _, path := range []string{
+		"foo",
+		"app-1/foo",
+		"app-1/bar",
+		"app-1/nested/baz",
+	} {
+		if err := client.KVv1("kv-v1").Put(ctx, path, map[string]interface{}{
+			"user":     "test",
+			"password": "Hashi123",
+		}); err != nil {
+			tb.Fatal(err)
+		}
+
+		if _, err := client.KVv2("kv-v2").Put(ctx, path, map[string]interface{}{
+			"user":     "test",
+			"password": "Hashi123",
+		}); err != nil {
+			tb.Fatal(err)
+		}
+	}
+
+	return client, closer
+}
+
+func testVaultServerWithKVVersion(tb testing.TB, kvVersion string) (*api.Client, func()) {
+	tb.Helper()
+
+	client, _, closer := testVaultServerUnsealWithKVVersionWithSeal(tb, kvVersion, nil)
+	return client, closer
+}
+
+func testVaultServerAllBackends(tb testing.TB) (*api.Client, func()) {
+	tb.Helper()
+
+	client, _, closer := testVaultServerCoreConfig(tb, &vault.CoreConfig{
+		CredentialBackends: credentialBackends,
+		AuditBackends:      auditBackends,
+		LogicalBackends:    logicalBackends,
+		BuiltinRegistry:    builtinplugins.Registry,
+	})
+	return client, closer
+}
+
+// testVaultServerAutoUnseal creates a test vault cluster and sets it up with auto unseal
+// the function returns a client, the recovery keys, and a closer function
+func testVaultServerAutoUnseal(tb testing.TB) (*api.Client, []string, func()) {
+	testSeal, _ := seal.NewTestSeal(nil)
+	autoSeal := vault.NewAutoSeal(testSeal)
+	return testVaultServerUnsealWithKVVersionWithSeal(tb, "1", autoSeal)
+}
 
-type KVMetadataCommand struct {
-	*BaseCommand
+// testVaultServerUnseal creates a test vault cluster and returns a configured
+// API client, list of unseal keys (as strings), and a closer function.
+func testVaultServerUnseal(tb testing.TB) (*api.Client, []string, func()) {
+	return testVaultServerUnsealWithKVVersionWithSeal(tb, "1", nil)
 }
 
-func (c *KVMetadataCommand) Synopsis() string {
-	return "Interact with Vault's Key-Value storage"
+func testVaultServerUnsealWithKVVersionWithSeal(tb testing.TB, kvVersion string, seal vault.Seal) (*api.Client, []string, func()) {
+	tb.Helper()
+
+	return testVaultServerCoreConfigWithOpts(tb, &vault.CoreConfig{
+		CredentialBackends: defaultVaultCredentialBackends,
+		AuditBackends:      defaultVaultAuditBackends,
+		LogicalBackends:    defaultVaultLogicalBackends,
+		BuiltinRegistry:    builtinplugins.Registry,
+		Seal:               seal,
+	}, &vault.TestClusterOptions{
+		HandlerFunc: vaulthttp.Handler,
+		NumCores:    1,
+		KVVersion:   kvVersion,
+	})
 }
 
-func (c *KVMetadataCommand) Help() string {
-	helpText := `
-Usage: vault kv metadata <subcommand> [options] [args]
+// testVaultServerUnseal creates a test vault cluster and returns a configured
+// API client, list of unseal keys (as strings), and a closer function
+// configured with the given plugin directory.
+func testVaultServerPluginDir(tb testing.TB, pluginDir string) (*api.Client, []string, func()) {
+	tb.Helper()
+
+	return testVaultServerCoreConfig(tb, &vault.CoreConfig{
+		CredentialBackends: defaultVaultCredentialBackends,
+		AuditBackends:      defaultVaultAuditBackends,
+		LogicalBackends:    defaultVaultLogicalBackends,
+		PluginDirectory:    pluginDir,
+		BuiltinRegistry:    builtinplugins.Registry,
+	})
+}
+
+func testVaultServerCoreConfig(tb testing.TB, coreConfig *vault.CoreConfig) (*api.Client, []string, func()) {
+	return testVaultServerCoreConfigWithOpts(tb, coreConfig, &vault.TestClusterOptions{
+		HandlerFunc: vaulthttp.Handler,
+		NumCores:    1, // Default is 3, but we don't need that many
+	})
+}
 
-  This command has subcommands for interacting with the metadata endpoint in
-  Vault's key-value store. Here are some simple examples, and more detailed
-  examples are available in the subcommands or the documentation.
+// testVaultServerCoreConfig creates a new vault cluster with the given core
+// configuration. This is a lower-level test helper. If the seal config supports recovery keys, then
+// recovery keys are returned. Otherwise, unseal keys are returned
+func testVaultServerCoreConfigWithOpts(tb testing.TB, coreConfig *vault.CoreConfig, opts *vault.TestClusterOptions) (*api.Client, []string, func()) {
+	tb.Helper()
 
-  Create or update a metadata entry for a key:
+	cluster := vault.NewTestCluster(benchhelpers.TBtoT(tb), coreConfig, opts)
+	cluster.Start()
 
-      $ vault kv metadata put -mount=secret -max-versions=5 -delete-version-after=3h25m19s foo
+	// Make it easy to get access to the active
+	core := cluster.Cores[0].Core
+	vault.TestWaitActive(benchhelpers.TBtoT(tb), core)
+
+	// Get the client already setup for us!
+	client := cluster.Cores[0].Client
+	client.SetToken(cluster.RootToken)
+
+	var keys [][]byte
+	if coreConfig.Seal != nil && coreConfig.Seal.RecoveryKeySupported() {
+		keys = cluster.RecoveryKeys
+	} else {
+		keys = cluster.BarrierKeys
+	}
+
+	return client, encodeKeys(keys), cluster.Cleanup
+}
+
+// Convert the unseal keys to base64 encoded, since these are how the user
+// will get them.
+func encodeKeys(rawKeys [][]byte) []string {
+	keys := make([]string, len(rawKeys))
+	for i := range rawKeys {
+		keys[i] = base64.StdEncoding.EncodeToString(rawKeys[i])
+	}
+	return keys
+}
 
-  Get the metadata for a key, this provides information about each existing
-  version:
+// testVaultServerUninit creates an uninitialized server.
+func testVaultServerUninit(tb testing.TB) (*api.Client, func()) {
+	tb.Helper()
 
-      $ vault kv metadata get -mount=secret foo
+	inm, err := inmem.NewInmem(nil, defaultVaultLogger)
+	if err != nil {
+		tb.Fatal(err)
+	}
 
-  Delete a key and all existing versions:
+	core, err := vault.NewCore(&vault.CoreConfig{
+		DisableMlock:       true,
+		Physical:           inm,
+		CredentialBackends: defaultVaultCredentialBackends,
+		AuditBackends:      defaultVaultAuditBackends,
+		LogicalBackends:    defaultVaultLogicalBackends,
+		BuiltinRegistry:    builtinplugins.Registry,
+	})
+	if err != nil {
+		tb.Fatal(err)
+	}
 
-      $ vault kv metadata delete -mount=secret foo
+	ln, addr := vaulthttp.TestServer(tb, core)
 
-  The deprecated path-like syntax can also be used, but this should be avoided 
-  for KV v2, as the fact that it is not actually the full API path to 
-  the secret (secret/metadata/foo) can cause confusion: 
-  
-      $ vault kv metadata get secret/foo
+	client, err := api.NewClient(&api.Config{
+		Address: addr,
+	})
+	if err != nil {
+		tb.Fatal(err)
+	}
 
-  Please see the individual subcommand help for detailed usage information.
-`
+	closer := func() {
+		core.Shutdown()
+		ln.Close()
+	}
 
-	return strings.TrimSpace(helpText)
+	return client, closer
 }
 
-func (c *KVMetadataCommand) Run(args []string) int {
-	return cli.RunResultHelp
+// testVaultServerBad creates an http server that returns a 500 on each request
+// to simulate failures.
+func testVaultServerBad(tb testing.TB) (*api.Client, func()) {
+	tb.Helper()
+
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		tb.Fatal(err)
+	}
+
+	server := &http.Server{
+		Addr: "127.0.0.1:0",
+		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			http.Error(w, "500 internal server error", http.StatusInternalServerError)
+		}),
+		ReadTimeout:       1 * time.Second,
+		ReadHeaderTimeout: 1 * time.Second,
+		WriteTimeout:      1 * time.Second,
+		IdleTimeout:       1 * time.Second,
+	}
+
+	go func() {
+		if err := server.Serve(listener); err != nil && err != http.ErrServerClosed {
+			tb.Fatal(err)
+		}
+	}()
+
+	client, err := api.NewClient(&api.Config{
+		Address: "http://" + listener.Addr().String(),
+	})
+	if err != nil {
+		tb.Fatal(err)
+	}
+
+	return client, func() {
+		ctx, done := context.WithTimeout(context.Background(), 5*time.Second)
+		defer done()
+
+		server.Shutdown(ctx)
+	}
+}
+
+// testTokenAndAccessor creates a new authentication token capable of being renewed with
+// the default policy attached. It returns the token and it's accessor.
+func testTokenAndAccessor(tb testing.TB, client *api.Client) (string, string) {
+	tb.Helper()
+
+	secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
+		Policies: []string{"default"},
+		TTL:      "30m",
+	})
+	if err != nil {
+		tb.Fatal(err)
+	}
+	if secret == nil || secret.Auth == nil || secret.Auth.ClientToken == "" {
+		tb.Fatalf("missing auth data: %#v", secret)
+	}
+	return secret.Auth.ClientToken, secret.Auth.Accessor
+}
+
+func testClient(tb testing.TB, addr string, token string) *api.Client {
+	tb.Helper()
+	config := api.DefaultConfig()
+	config.Address = addr
+	client, err := api.NewClient(config)
+	if err != nil {
+		tb.Fatal(err)
+	}
+	client.SetToken(token)
+
+	return client
 }
diff --git a/command/kv_metadata_delete.go b/command/kv_metadata_delete.go
index 8163cc6bde8e..aac2d57bc73f 100644
--- a/command/kv_metadata_delete.go
+++ b/command/kv_metadata_delete.go
@@ -4,149 +4,946 @@
 package command
 
 import (
-	"fmt"
-	"path"
-	"strings"
+	"os"
+	"os/signal"
+	"syscall"
 
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/audit"
+	"github.com/hashicorp/vault/builtin/plugin"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/sdk/physical"
+	"github.com/hashicorp/vault/version"
 
-var (
-	_ cli.Command             = (*KVMetadataDeleteCommand)(nil)
-	_ cli.CommandAutocomplete = (*KVMetadataDeleteCommand)(nil)
-)
+	/*
+		The builtinplugins package is initialized here because it, in turn,
+		initializes the database plugins.
+		They register multiple database drivers for the "database/sql" package.
+	*/
+	_ "github.com/hashicorp/vault/helper/builtinplugins"
 
-type KVMetadataDeleteCommand struct {
-	*BaseCommand
-	flagMount string
-}
+	auditFile "github.com/hashicorp/vault/builtin/audit/file"
+	auditSocket "github.com/hashicorp/vault/builtin/audit/socket"
+	auditSyslog "github.com/hashicorp/vault/builtin/audit/syslog"
 
-func (c *KVMetadataDeleteCommand) Synopsis() string {
-	return "Deletes all versions and metadata for a key in the KV store"
-}
+	credAliCloud "github.com/hashicorp/vault-plugin-auth-alicloud"
+	credCentrify "github.com/hashicorp/vault-plugin-auth-centrify"
+	credCF "github.com/hashicorp/vault-plugin-auth-cf"
+	credGcp "github.com/hashicorp/vault-plugin-auth-gcp/plugin"
+	credOIDC "github.com/hashicorp/vault-plugin-auth-jwt"
+	credKerb "github.com/hashicorp/vault-plugin-auth-kerberos"
+	credOCI "github.com/hashicorp/vault-plugin-auth-oci"
+	credAws "github.com/hashicorp/vault/builtin/credential/aws"
+	credCert "github.com/hashicorp/vault/builtin/credential/cert"
+	credGitHub "github.com/hashicorp/vault/builtin/credential/github"
+	credLdap "github.com/hashicorp/vault/builtin/credential/ldap"
+	credOkta "github.com/hashicorp/vault/builtin/credential/okta"
+	credToken "github.com/hashicorp/vault/builtin/credential/token"
+	credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
 
-func (c *KVMetadataDeleteCommand) Help() string {
-	helpText := `
-Usage: vault kv metadata delete [options] PATH
+	logicalKv "github.com/hashicorp/vault-plugin-secrets-kv"
+	logicalDb "github.com/hashicorp/vault/builtin/logical/database"
 
-  Deletes all versions and metadata for the provided key. 
+	physAerospike "github.com/hashicorp/vault/physical/aerospike"
+	physAliCloudOSS "github.com/hashicorp/vault/physical/alicloudoss"
+	physAzure "github.com/hashicorp/vault/physical/azure"
+	physCassandra "github.com/hashicorp/vault/physical/cassandra"
+	physCockroachDB "github.com/hashicorp/vault/physical/cockroachdb"
+	physConsul "github.com/hashicorp/vault/physical/consul"
+	physCouchDB "github.com/hashicorp/vault/physical/couchdb"
+	physDynamoDB "github.com/hashicorp/vault/physical/dynamodb"
+	physEtcd "github.com/hashicorp/vault/physical/etcd"
+	physFoundationDB "github.com/hashicorp/vault/physical/foundationdb"
+	physGCS "github.com/hashicorp/vault/physical/gcs"
+	physManta "github.com/hashicorp/vault/physical/manta"
+	physMSSQL "github.com/hashicorp/vault/physical/mssql"
+	physMySQL "github.com/hashicorp/vault/physical/mysql"
+	physOCI "github.com/hashicorp/vault/physical/oci"
+	physPostgreSQL "github.com/hashicorp/vault/physical/postgresql"
+	physRaft "github.com/hashicorp/vault/physical/raft"
+	physS3 "github.com/hashicorp/vault/physical/s3"
+	physSpanner "github.com/hashicorp/vault/physical/spanner"
+	physSwift "github.com/hashicorp/vault/physical/swift"
+	physZooKeeper "github.com/hashicorp/vault/physical/zookeeper"
+	physFile "github.com/hashicorp/vault/sdk/physical/file"
+	physInmem "github.com/hashicorp/vault/sdk/physical/inmem"
 
-      $ vault kv metadata delete -mount=secret foo
-
-  The deprecated path-like syntax can also be used, but this should be avoided 
-  for KV v2, as the fact that it is not actually the full API path to 
-  the secret (secret/metadata/foo) can cause confusion: 
-  
-      $ vault kv metadata delete secret/foo
+	sr "github.com/hashicorp/vault/serviceregistration"
+	csr "github.com/hashicorp/vault/serviceregistration/consul"
+	ksr "github.com/hashicorp/vault/serviceregistration/kubernetes"
+)
 
-  Additional flags and more advanced use cases are detailed below.
+const (
+	// EnvVaultCLINoColor is an env var that toggles colored UI output.
+	EnvVaultCLINoColor = `VAULT_CLI_NO_COLOR`
+	// EnvVaultFormat is the output format
+	EnvVaultFormat = `VAULT_FORMAT`
+	// EnvVaultLicense is an env var used in Vault Enterprise to provide a license blob
+	EnvVaultLicense = "VAULT_LICENSE"
+	// EnvVaultLicensePath is an env var used in Vault Enterprise to provide a
+	// path to a license file on disk
+	EnvVaultLicensePath = "VAULT_LICENSE_PATH"
+	// EnvVaultDetailed is to output detailed information (e.g., ListResponseWithInfo).
+	EnvVaultDetailed = `VAULT_DETAILED`
+	// EnvVaultLogFormat is used to specify the log format. Supported values are "standard" and "json"
+	EnvVaultLogFormat = "VAULT_LOG_FORMAT"
+	// EnvVaultLogLevel is used to specify the log level applied to logging
+	// Supported log levels: Trace, Debug, Error, Warn, Info
+	EnvVaultLogLevel = "VAULT_LOG_LEVEL"
+	// EnvVaultExperiments defines the experiments to enable for a server as a
+	// comma separated list. See experiments.ValidExperiments() for the list of
+	// valid experiments. Not mutable or persisted in storage, only read and
+	// logged at startup _per node_. This was initially introduced for the events
+	// system being developed over multiple release cycles.
+	EnvVaultExperiments = "VAULT_EXPERIMENTS"
 
-` + c.Flags().Help()
+	// flagNameAddress is the flag used in the base command to read in the
+	// address of the Vault server.
+	flagNameAddress = "address"
+	// flagnameCACert is the flag used in the base command to read in the CA
+	// cert.
+	flagNameCACert = "ca-cert"
+	// flagnameCAPath is the flag used in the base command to read in the CA
+	// cert path.
+	flagNameCAPath = "ca-path"
+	// flagNameClientCert is the flag used in the base command to read in the
+	// client key
+	flagNameClientKey = "client-key"
+	// flagNameClientCert is the flag used in the base command to read in the
+	// client cert
+	flagNameClientCert = "client-cert"
+	// flagNameTLSSkipVerify is the flag used in the base command to read in
+	// the option to ignore TLS certificate verification.
+	flagNameTLSSkipVerify = "tls-skip-verify"
+	// flagTLSServerName is the flag used in the base command to read in
+	// the TLS server name.
+	flagTLSServerName = "tls-server-name"
+	// flagNameAuditNonHMACRequestKeys is the flag name used for auth/secrets enable
+	flagNameAuditNonHMACRequestKeys = "audit-non-hmac-request-keys"
+	// flagNameAuditNonHMACResponseKeys is the flag name used for auth/secrets enable
+	flagNameAuditNonHMACResponseKeys = "audit-non-hmac-response-keys"
+	// flagNameDescription is the flag name used for tuning the secret and auth mount description parameter
+	flagNameDescription = "description"
+	// flagListingVisibility is the flag to toggle whether to show the mount in the UI-specific listing endpoint
+	flagNameListingVisibility = "listing-visibility"
+	// flagNamePassthroughRequestHeaders is the flag name used to set passthrough request headers to the backend
+	flagNamePassthroughRequestHeaders = "passthrough-request-headers"
+	// flagNameAllowedResponseHeaders is used to set allowed response headers from a plugin
+	flagNameAllowedResponseHeaders = "allowed-response-headers"
+	// flagNameTokenType is the flag name used to force a specific token type
+	flagNameTokenType = "token-type"
+	// flagNameAllowedManagedKeys is the flag name used for auth/secrets enable
+	flagNameAllowedManagedKeys = "allowed-managed-keys"
+	// flagNamePluginVersion selects what version of a plugin should be used.
+	flagNamePluginVersion = "plugin-version"
+	// flagNameUserLockoutThreshold is the flag name used for tuning the auth mount lockout threshold parameter
+	flagNameUserLockoutThreshold = "user-lockout-threshold"
+	// flagNameUserLockoutDuration is the flag name used for tuning the auth mount lockout duration parameter
+	flagNameUserLockoutDuration = "user-lockout-duration"
+	// flagNameUserLockoutCounterResetDuration is the flag name used for tuning the auth mount lockout counter reset parameter
+	flagNameUserLockoutCounterResetDuration = "user-lockout-counter-reset-duration"
+	// flagNameUserLockoutDisable is the flag name used for tuning the auth mount disable lockout parameter
+	flagNameUserLockoutDisable = "user-lockout-disable"
+	// flagNameDisableRedirects is used to prevent the client from honoring a single redirect as a response to a request
+	flagNameDisableRedirects = "disable-redirects"
+	// flagNameCombineLogs is used to specify whether log output should be combined and sent to stdout
+	flagNameCombineLogs = "combine-logs"
+	// flagNameLogFile is used to specify the path to the log file that Vault should use for logging
+	flagNameLogFile = "log-file"
+	// flagNameLogRotateBytes is the flag used to specify the number of bytes a log file should be before it is rotated.
+	flagNameLogRotateBytes = "log-rotate-bytes"
+	// flagNameLogRotateDuration is the flag used to specify the duration after which a log file should be rotated.
+	flagNameLogRotateDuration = "log-rotate-duration"
+	// flagNameLogRotateMaxFiles is the flag used to specify the maximum number of older/archived log files to keep.
+	flagNameLogRotateMaxFiles = "log-rotate-max-files"
+	// flagNameLogFormat is the flag used to specify the log format. Supported values are "standard" and "json"
+	flagNameLogFormat = "log-format"
+	// flagNameLogLevel is used to specify the log level applied to logging
+	// Supported log levels: Trace, Debug, Error, Warn, Info
+	flagNameLogLevel = "log-level"
+	// flagNameDelegatedAuthAccessors allows operators to specify the allowed mount accessors a backend can delegate
+	// authentication
+	flagNameDelegatedAuthAccessors = "delegated-auth-accessors"
+)
 
-	return strings.TrimSpace(helpText)
-}
+var (
+	auditBackends = map[string]audit.Factory{
+		"file":   auditFile.Factory,
+		"socket": auditSocket.Factory,
+		"syslog": auditSyslog.Factory,
+	}
 
-func (c *KVMetadataDeleteCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP)
+	credentialBackends = map[string]logical.Factory{
+		"plugin": plugin.Factory,
+	}
 
-	// Common Options
-	f := set.NewFlagSet("Common Options")
+	logicalBackends = map[string]logical.Factory{
+		"plugin":   plugin.Factory,
+		"database": logicalDb.Factory,
+		// This is also available in the plugin catalog, but is here due to the need to
+		// automatically mount it.
+		"kv": logicalKv.Factory,
+	}
 
-	f.StringVar(&StringVar{
-		Name:    "mount",
-		Target:  &c.flagMount,
-		Default: "", // no default, because the handling of the next arg is determined by whether this flag has a value
-		Usage: `Specifies the path where the KV backend is mounted. If specified, 
-		the next argument will be interpreted as the secret path. If this flag is 
-		not specified, the next argument will be interpreted as the combined mount 
-		path and secret path, with /metadata/ automatically appended between KV 
-		v2 secrets.`,
-	})
+	physicalBackends = map[string]physical.Factory{
+		"aerospike":              physAerospike.NewAerospikeBackend,
+		"alicloudoss":            physAliCloudOSS.NewAliCloudOSSBackend,
+		"azure":                  physAzure.NewAzureBackend,
+		"cassandra":              physCassandra.NewCassandraBackend,
+		"cockroachdb":            physCockroachDB.NewCockroachDBBackend,
+		"consul":                 physConsul.NewConsulBackend,
+		"couchdb_transactional":  physCouchDB.NewTransactionalCouchDBBackend,
+		"couchdb":                physCouchDB.NewCouchDBBackend,
+		"dynamodb":               physDynamoDB.NewDynamoDBBackend,
+		"etcd":                   physEtcd.NewEtcdBackend,
+		"file_transactional":     physFile.NewTransactionalFileBackend,
+		"file":                   physFile.NewFileBackend,
+		"foundationdb":           physFoundationDB.NewFDBBackend,
+		"gcs":                    physGCS.NewBackend,
+		"inmem_ha":               physInmem.NewInmemHA,
+		"inmem_transactional_ha": physInmem.NewTransactionalInmemHA,
+		"inmem_transactional":    physInmem.NewTransactionalInmem,
+		"inmem":                  physInmem.NewInmem,
+		"manta":                  physManta.NewMantaBackend,
+		"mssql":                  physMSSQL.NewMSSQLBackend,
+		"mysql":                  physMySQL.NewMySQLBackend,
+		"oci":                    physOCI.NewBackend,
+		"postgresql":             physPostgreSQL.NewPostgreSQLBackend,
+		"s3":                     physS3.NewS3Backend,
+		"spanner":                physSpanner.NewBackend,
+		"swift":                  physSwift.NewSwiftBackend,
+		"raft":                   physRaft.NewRaftBackend,
+		"zookeeper":              physZooKeeper.NewZooKeeperBackend,
+	}
 
-	return set
-}
+	serviceRegistrations = map[string]sr.Factory{
+		"consul":     csr.NewServiceRegistration,
+		"kubernetes": ksr.NewServiceRegistration,
+	}
 
-func (c *KVMetadataDeleteCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultFiles()
-}
+	loginHandlers = map[string]LoginHandler{
+		"alicloud": &credAliCloud.CLIHandler{},
+		"aws":      &credAws.CLIHandler{},
+		"centrify": &credCentrify.CLIHandler{},
+		"cert":     &credCert.CLIHandler{},
+		"cf":       &credCF.CLIHandler{},
+		"gcp":      &credGcp.CLIHandler{},
+		"github":   &credGitHub.CLIHandler{},
+		"kerberos": &credKerb.CLIHandler{},
+		"ldap":     &credLdap.CLIHandler{},
+		"oci":      &credOCI.CLIHandler{},
+		"oidc":     &credOIDC.CLIHandler{},
+		"okta":     &credOkta.CLIHandler{},
+		"pcf":      &credCF.CLIHandler{}, // Deprecated.
+		"radius": &credUserpass.CLIHandler{
+			DefaultMount: "radius",
+		},
+		"token": &credToken.CLIHandler{},
+		"userpass": &credUserpass.CLIHandler{
+			DefaultMount: "userpass",
+		},
+	}
+)
 
-func (c *KVMetadataDeleteCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
+func initCommands(ui, serverCmdUi cli.Ui, runOpts *RunOptions) map[string]cli.CommandFactory {
+	getBaseCommand := func() *BaseCommand {
+		return &BaseCommand{
+			UI:          ui,
+			tokenHelper: runOpts.TokenHelper,
+			flagAddress: runOpts.Address,
+			client:      runOpts.Client,
+		}
+	}
 
-func (c *KVMetadataDeleteCommand) Run(args []string) int {
-	f := c.Flags()
+	commands := map[string]cli.CommandFactory{
+		"agent": func() (cli.Command, error) {
+			return &AgentCommand{
+				BaseCommand: &BaseCommand{
+					UI: serverCmdUi,
+				},
+				ShutdownCh: MakeShutdownCh(),
+				SighupCh:   MakeSighupCh(),
+			}, nil
+		},
+		"agent generate-config": func() (cli.Command, error) {
+			return &AgentGenerateConfigCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"audit": func() (cli.Command, error) {
+			return &AuditCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"audit disable": func() (cli.Command, error) {
+			return &AuditDisableCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"audit enable": func() (cli.Command, error) {
+			return &AuditEnableCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"audit list": func() (cli.Command, error) {
+			return &AuditListCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"auth tune": func() (cli.Command, error) {
+			return &AuthTuneCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"auth": func() (cli.Command, error) {
+			return &AuthCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"auth disable": func() (cli.Command, error) {
+			return &AuthDisableCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"auth enable": func() (cli.Command, error) {
+			return &AuthEnableCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"auth help": func() (cli.Command, error) {
+			return &AuthHelpCommand{
+				BaseCommand: getBaseCommand(),
+				Handlers:    loginHandlers,
+			}, nil
+		},
+		"auth list": func() (cli.Command, error) {
+			return &AuthListCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"auth move": func() (cli.Command, error) {
+			return &AuthMoveCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"debug": func() (cli.Command, error) {
+			return &DebugCommand{
+				BaseCommand: getBaseCommand(),
+				ShutdownCh:  MakeShutdownCh(),
+			}, nil
+		},
+		"delete": func() (cli.Command, error) {
+			return &DeleteCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"events subscribe": func() (cli.Command, error) {
+			return &EventsSubscribeCommands{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"lease": func() (cli.Command, error) {
+			return &LeaseCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"lease renew": func() (cli.Command, error) {
+			return &LeaseRenewCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"lease lookup": func() (cli.Command, error) {
+			return &LeaseLookupCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"lease revoke": func() (cli.Command, error) {
+			return &LeaseRevokeCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"list": func() (cli.Command, error) {
+			return &ListCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"login": func() (cli.Command, error) {
+			return &LoginCommand{
+				BaseCommand: getBaseCommand(),
+				Handlers:    loginHandlers,
+			}, nil
+		},
+		"namespace": func() (cli.Command, error) {
+			return &NamespaceCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"namespace list": func() (cli.Command, error) {
+			return &NamespaceListCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"namespace lookup": func() (cli.Command, error) {
+			return &NamespaceLookupCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"namespace create": func() (cli.Command, error) {
+			return &NamespaceCreateCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"namespace patch": func() (cli.Command, error) {
+			return &NamespacePatchCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"namespace delete": func() (cli.Command, error) {
+			return &NamespaceDeleteCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"namespace lock": func() (cli.Command, error) {
+			return &NamespaceAPILockCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"namespace unlock": func() (cli.Command, error) {
+			return &NamespaceAPIUnlockCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"operator": func() (cli.Command, error) {
+			return &OperatorCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"operator diagnose": func() (cli.Command, error) {
+			return &OperatorDiagnoseCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"operator generate-root": func() (cli.Command, error) {
+			return &OperatorGenerateRootCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"operator init": func() (cli.Command, error) {
+			return &OperatorInitCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"operator key-status": func() (cli.Command, error) {
+			return &OperatorKeyStatusCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"operator migrate": func() (cli.Command, error) {
+			return &OperatorMigrateCommand{
+				BaseCommand:      getBaseCommand(),
+				PhysicalBackends: physicalBackends,
+				ShutdownCh:       MakeShutdownCh(),
+			}, nil
+		},
+		"operator raft": func() (cli.Command, error) {
+			return &OperatorRaftCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"operator raft autopilot get-config": func() (cli.Command, error) {
+			return &OperatorRaftAutopilotGetConfigCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"operator raft autopilot set-config": func() (cli.Command, error) {
+			return &OperatorRaftAutopilotSetConfigCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"operator raft autopilot state": func() (cli.Command, error) {
+			return &OperatorRaftAutopilotStateCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"operator raft list-peers": func() (cli.Command, error) {
+			return &OperatorRaftListPeersCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"operator raft join": func() (cli.Command, error) {
+			return &OperatorRaftJoinCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"operator raft remove-peer": func() (cli.Command, error) {
+			return &OperatorRaftRemovePeerCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"operator raft snapshot": func() (cli.Command, error) {
+			return &OperatorRaftSnapshotCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"operator raft snapshot inspect": func() (cli.Command, error) {
+			return &OperatorRaftSnapshotInspectCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"operator raft snapshot restore": func() (cli.Command, error) {
+			return &OperatorRaftSnapshotRestoreCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"operator raft snapshot save": func() (cli.Command, error) {
+			return &OperatorRaftSnapshotSaveCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"operator rekey": func() (cli.Command, error) {
+			return &OperatorRekeyCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"operator rotate": func() (cli.Command, error) {
+			return &OperatorRotateCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"operator seal": func() (cli.Command, error) {
+			return &OperatorSealCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"operator step-down": func() (cli.Command, error) {
+			return &OperatorStepDownCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"operator usage": func() (cli.Command, error) {
+			return &OperatorUsageCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"operator unseal": func() (cli.Command, error) {
+			return &OperatorUnsealCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"operator members": func() (cli.Command, error) {
+			return &OperatorMembersCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"patch": func() (cli.Command, error) {
+			return &PatchCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"path-help": func() (cli.Command, error) {
+			return &PathHelpCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"pki": func() (cli.Command, error) {
+			return &PKICommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"pki health-check": func() (cli.Command, error) {
+			return &PKIHealthCheckCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"pki issue": func() (cli.Command, error) {
+			return &PKIIssueCACommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"pki list-intermediates": func() (cli.Command, error) {
+			return &PKIListIntermediateCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"pki reissue": func() (cli.Command, error) {
+			return &PKIReIssueCACommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"pki verify-sign": func() (cli.Command, error) {
+			return &PKIVerifySignCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"plugin": func() (cli.Command, error) {
+			return &PluginCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"plugin deregister": func() (cli.Command, error) {
+			return &PluginDeregisterCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"plugin info": func() (cli.Command, error) {
+			return &PluginInfoCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"plugin list": func() (cli.Command, error) {
+			return &PluginListCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"plugin register": func() (cli.Command, error) {
+			return &PluginRegisterCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"plugin reload": func() (cli.Command, error) {
+			return &PluginReloadCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"plugin reload-status": func() (cli.Command, error) {
+			return &PluginReloadStatusCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"plugin runtime": func() (cli.Command, error) {
+			return &PluginRuntimeCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"plugin runtime register": func() (cli.Command, error) {
+			return &PluginRuntimeRegisterCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"plugin runtime deregister": func() (cli.Command, error) {
+			return &PluginRuntimeDeregisterCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"plugin runtime info": func() (cli.Command, error) {
+			return &PluginRuntimeInfoCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"plugin runtime list": func() (cli.Command, error) {
+			return &PluginRuntimeListCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"proxy": func() (cli.Command, error) {
+			return &ProxyCommand{
+				BaseCommand: &BaseCommand{
+					UI: serverCmdUi,
+				},
+				ShutdownCh: MakeShutdownCh(),
+				SighupCh:   MakeSighupCh(),
+			}, nil
+		},
+		"policy": func() (cli.Command, error) {
+			return &PolicyCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"policy delete": func() (cli.Command, error) {
+			return &PolicyDeleteCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"policy fmt": func() (cli.Command, error) {
+			return &PolicyFmtCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"policy list": func() (cli.Command, error) {
+			return &PolicyListCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"policy read": func() (cli.Command, error) {
+			return &PolicyReadCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"policy write": func() (cli.Command, error) {
+			return &PolicyWriteCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"print": func() (cli.Command, error) {
+			return &PrintCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"print token": func() (cli.Command, error) {
+			return &PrintTokenCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"read": func() (cli.Command, error) {
+			return &ReadCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"secrets": func() (cli.Command, error) {
+			return &SecretsCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"secrets disable": func() (cli.Command, error) {
+			return &SecretsDisableCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"secrets enable": func() (cli.Command, error) {
+			return &SecretsEnableCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"secrets list": func() (cli.Command, error) {
+			return &SecretsListCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"secrets move": func() (cli.Command, error) {
+			return &SecretsMoveCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"secrets tune": func() (cli.Command, error) {
+			return &SecretsTuneCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"server": func() (cli.Command, error) {
+			return &ServerCommand{
+				BaseCommand: &BaseCommand{
+					UI:          serverCmdUi,
+					tokenHelper: runOpts.TokenHelper,
+					flagAddress: runOpts.Address,
+				},
+				AuditBackends:      auditBackends,
+				CredentialBackends: credentialBackends,
+				LogicalBackends:    logicalBackends,
+				PhysicalBackends:   physicalBackends,
 
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
+				ServiceRegistrations: serviceRegistrations,
 
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
+				ShutdownCh: MakeShutdownCh(),
+				SighupCh:   MakeSighupCh(),
+				SigUSR2Ch:  MakeSigUSR2Ch(),
+			}, nil
+		},
+		"ssh": func() (cli.Command, error) {
+			return &SSHCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"status": func() (cli.Command, error) {
+			return &StatusCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"transform": func() (cli.Command, error) {
+			return &TransformCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"transform import": func() (cli.Command, error) {
+			return &TransformImportCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"transform import-version": func() (cli.Command, error) {
+			return &TransformImportVersionCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"transit": func() (cli.Command, error) {
+			return &TransitCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"transit import": func() (cli.Command, error) {
+			return &TransitImportCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"transit import-version": func() (cli.Command, error) {
+			return &TransitImportVersionCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"token": func() (cli.Command, error) {
+			return &TokenCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"token create": func() (cli.Command, error) {
+			return &TokenCreateCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"token capabilities": func() (cli.Command, error) {
+			return &TokenCapabilitiesCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"token lookup": func() (cli.Command, error) {
+			return &TokenLookupCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"token renew": func() (cli.Command, error) {
+			return &TokenRenewCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"token revoke": func() (cli.Command, error) {
+			return &TokenRevokeCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"unwrap": func() (cli.Command, error) {
+			return &UnwrapCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"version": func() (cli.Command, error) {
+			return &VersionCommand{
+				VersionInfo: version.GetVersion(),
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"version-history": func() (cli.Command, error) {
+			return &VersionHistoryCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"write": func() (cli.Command, error) {
+			return &WriteCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"kv": func() (cli.Command, error) {
+			return &KVCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"kv put": func() (cli.Command, error) {
+			return &KVPutCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"kv patch": func() (cli.Command, error) {
+			return &KVPatchCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"kv rollback": func() (cli.Command, error) {
+			return &KVRollbackCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"kv get": func() (cli.Command, error) {
+			return &KVGetCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"kv delete": func() (cli.Command, error) {
+			return &KVDeleteCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"kv list": func() (cli.Command, error) {
+			return &KVListCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"kv destroy": func() (cli.Command, error) {
+			return &KVDestroyCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"kv undelete": func() (cli.Command, error) {
+			return &KVUndeleteCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"kv enable-versioning": func() (cli.Command, error) {
+			return &KVEnableVersioningCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"kv metadata": func() (cli.Command, error) {
+			return &KVMetadataCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"kv metadata put": func() (cli.Command, error) {
+			return &KVMetadataPutCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"kv metadata patch": func() (cli.Command, error) {
+			return &KVMetadataPatchCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"kv metadata get": func() (cli.Command, error) {
+			return &KVMetadataGetCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"kv metadata delete": func() (cli.Command, error) {
+			return &KVMetadataDeleteCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
+		"monitor": func() (cli.Command, error) {
+			return &MonitorCommand{
+				BaseCommand: getBaseCommand(),
+				ShutdownCh:  MakeShutdownCh(),
+			}, nil
+		},
 	}
 
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
+	entInitCommands(ui, serverCmdUi, runOpts, commands)
+	return commands
+}
 
-	// If true, we're working with "-mount=secret foo" syntax.
-	// If false, we're using "secret/foo" syntax.
-	mountFlagSyntax := c.flagMount != ""
-
-	var (
-		mountPath   string
-		partialPath string
-		v2          bool
-	)
-
-	// Parse the paths and grab the KV version
-	if mountFlagSyntax {
-		// In this case, this arg is the secret path (e.g. "foo").
-		partialPath = sanitizePath(args[0])
-		mountPath, v2, err = isKVv2(sanitizePath(c.flagMount), client)
-		if err != nil {
-			c.UI.Error(err.Error())
-			return 2
-		}
+// MakeShutdownCh returns a channel that can be used for shutdown
+// notifications for commands. This channel will send a message for every
+// SIGINT or SIGTERM received.
+func MakeShutdownCh() chan struct{} {
+	resultCh := make(chan struct{})
 
-		if v2 {
-			partialPath = path.Join(mountPath, partialPath)
-		}
-	} else {
-		// In this case, this arg is a path-like combination of mountPath/secretPath.
-		// (e.g. "secret/foo")
-		partialPath = sanitizePath(args[0])
-		mountPath, v2, err = isKVv2(partialPath, client)
-		if err != nil {
-			c.UI.Error(err.Error())
-			return 2
-		}
-	}
+	shutdownCh := make(chan os.Signal, 4)
+	signal.Notify(shutdownCh, os.Interrupt, syscall.SIGTERM)
+	go func() {
+		<-shutdownCh
+		close(resultCh)
+	}()
+	return resultCh
+}
 
-	if !v2 {
-		c.UI.Error("Metadata not supported on KV Version 1")
-		return 1
-	}
+// MakeSighupCh returns a channel that can be used for SIGHUP
+// reloading. This channel will send a message for every
+// SIGHUP received.
+func MakeSighupCh() chan struct{} {
+	resultCh := make(chan struct{})
 
-	fullPath := addPrefixToKVPath(partialPath, mountPath, "metadata", false)
-	if secret, err := client.Logical().Delete(fullPath); err != nil {
-		c.UI.Error(fmt.Sprintf("Error deleting %s: %s", fullPath, err))
-		if secret != nil {
-			OutputSecret(c.UI, secret)
+	signalCh := make(chan os.Signal, 4)
+	signal.Notify(signalCh, syscall.SIGHUP)
+	go func() {
+		for {
+			<-signalCh
+			resultCh <- struct{}{}
 		}
-		return 2
-	}
-
-	c.UI.Info(fmt.Sprintf("Success! Data deleted (if it existed) at: %s", fullPath))
-	return 0
+	}()
+	return resultCh
 }
diff --git a/command/kv_metadata_get.go b/command/kv_metadata_get.go
index 54d73c0b3a22..1858da83be36 100644
--- a/command/kv_metadata_get.go
+++ b/command/kv_metadata_get.go
@@ -1,197 +1,19 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"path"
-	"sort"
-	"strconv"
-	"strings"
-
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*KVMetadataGetCommand)(nil)
-	_ cli.CommandAutocomplete = (*KVMetadataGetCommand)(nil)
-)
-
-type KVMetadataGetCommand struct {
-	*BaseCommand
-	flagMount string
-}
-
-func (c *KVMetadataGetCommand) Synopsis() string {
-	return "Retrieves key metadata from the KV store"
-}
-
-func (c *KVMetadataGetCommand) Help() string {
-	helpText := `
-Usage: vault kv metadata get [options] KEY
-
-  Retrieves the metadata from Vault's key-value store at the given key name. If no
-  key exists with that name, an error is returned.
-
-      $ vault kv metadata get -mount=secret foo
-
-  The deprecated path-like syntax can also be used, but this should be avoided 
-  for KV v2, as the fact that it is not actually the full API path to 
-  the secret (secret/metadata/foo) can cause confusion: 
-  
-      $ vault kv metadata get secret/foo
-
-  Additional flags and more advanced use cases are detailed below.
-
-` + c.Flags().Help()
-	return strings.TrimSpace(helpText)
-}
-
-func (c *KVMetadataGetCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-
-	// Common Options
-	f := set.NewFlagSet("Common Options")
-
-	f.StringVar(&StringVar{
-		Name:    "mount",
-		Target:  &c.flagMount,
-		Default: "", // no default, because the handling of the next arg is determined by whether this flag has a value
-		Usage: `Specifies the path where the KV backend is mounted. If specified, 
-		the next argument will be interpreted as the secret path. If this flag is 
-		not specified, the next argument will be interpreted as the combined mount 
-		path and secret path, with /metadata/ automatically appended between KV 
-		v2 secrets.`,
-	})
-
-	return set
-}
-
-func (c *KVMetadataGetCommand) AutocompleteArgs() complete.Predictor {
-	return nil
-}
-
-func (c *KVMetadataGetCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *KVMetadataGetCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	// If true, we're working with "-mount=secret foo" syntax.
-	// If false, we're using "secret/foo" syntax.
-	mountFlagSyntax := c.flagMount != ""
-
-	var (
-		mountPath   string
-		partialPath string
-		v2          bool
-	)
-
-	// Parse the paths and grab the KV version
-	if mountFlagSyntax {
-		// In this case, this arg is the secret path (e.g. "foo").
-		partialPath = sanitizePath(args[0])
-		mountPath, v2, err = isKVv2(sanitizePath(c.flagMount), client)
-		if err != nil {
-			c.UI.Error(err.Error())
-			return 2
-		}
-
-		if v2 {
-			partialPath = path.Join(mountPath, partialPath)
-		}
-	} else {
-		// In this case, this arg is a path-like combination of mountPath/secretPath.
-		// (e.g. "secret/foo")
-		partialPath = sanitizePath(args[0])
-		mountPath, v2, err = isKVv2(partialPath, client)
-		if err != nil {
-			c.UI.Error(err.Error())
-			return 2
-		}
-	}
-
-	if !v2 {
-		c.UI.Error("Metadata not supported on KV Version 1")
-		return 1
-	}
-
-	fullPath := addPrefixToKVPath(partialPath, mountPath, "metadata", false)
-	secret, err := client.Logical().Read(fullPath)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error reading %s: %s", fullPath, err))
-		return 2
-	}
-	if secret == nil {
-		c.UI.Error(fmt.Sprintf("No value found at %s", fullPath))
-		return 2
-	}
-
-	if c.flagField != "" {
-		return PrintRawField(c.UI, secret, c.flagField)
-	}
-
-	// If we have wrap info print the secret normally.
-	if secret.WrapInfo != nil || c.flagFormat != "table" {
-		return OutputSecret(c.UI, secret)
-	}
-
-	versionsRaw, ok := secret.Data["versions"]
-	if !ok || versionsRaw == nil {
-		c.UI.Error(fmt.Sprintf("No value found at %s", fullPath))
-		OutputSecret(c.UI, secret)
-		return 2
-	}
-	versions := versionsRaw.(map[string]interface{})
-
-	delete(secret.Data, "versions")
-
-	outputPath(c.UI, fullPath, "Metadata Path")
-
-	c.UI.Info(getHeaderForMap("Metadata", secret.Data))
-	OutputSecret(c.UI, secret)
-
-	versionKeys := []int{}
-	for k := range versions {
-		i, err := strconv.Atoi(k)
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error parsing version %s", k))
-			return 2
-		}
-
-		versionKeys = append(versionKeys, i)
-	}
-
-	sort.Ints(versionKeys)
-
-	for _, v := range versionKeys {
-		c.UI.Info("\n" + getHeaderForMap(fmt.Sprintf("Version %d", v), versions[strconv.Itoa(v)].(map[string]interface{})))
-		OutputData(c.UI, versions[strconv.Itoa(v)])
-	}
-
-	return 0
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<div class="box is-fullwidth is-shadowless is-marginless">
+  <h4 class="title is-5 is-marginless">
+    Create a path filter config for
+    <code>{{this.model.config.id}}</code>
+  </h4>
+</div>
+<form {{action "saveConfig" this.model.config on="submit"}}>
+  <PathFilterConfigList @paths={{this.model.paths}} @config={{this.model.config}} />
+  <hr class="has-background-gray-100" />
+  <Hds::ButtonSet>
+    <Hds::Button @text="Create" type="submit" />
+    <Hds::Button @text="Cancel" @color="secondary" @route="mode.secondaries.config-show" @model={{this.model.config.id}} />
+  </Hds::ButtonSet>
+</form>
\ No newline at end of file
diff --git a/command/kv_metadata_patch.go b/command/kv_metadata_patch.go
index 74c46476d0de..03b5dbd18de0 100644
--- a/command/kv_metadata_patch.go
+++ b/command/kv_metadata_patch.go
@@ -1,262 +1,20 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"context"
-	"fmt"
-	"io"
-	"path"
-	"strings"
-	"time"
-
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*KVMetadataPutCommand)(nil)
-	_ cli.CommandAutocomplete = (*KVMetadataPutCommand)(nil)
-)
-
-type KVMetadataPatchCommand struct {
-	*BaseCommand
-
-	flagMaxVersions          int
-	flagCASRequired          BoolPtr
-	flagDeleteVersionAfter   time.Duration
-	flagCustomMetadata       map[string]string
-	flagRemoveCustomMetadata []string
-	flagMount                string
-	testStdin                io.Reader // for tests
-}
-
-func (c *KVMetadataPatchCommand) Synopsis() string {
-	return "Patches key settings in the KV store"
-}
-
-func (c *KVMetadataPatchCommand) Help() string {
-	helpText := `
-Usage: vault kv metadata patch [options] KEY
-
-  This command can be used to create a blank key in the key-value store or to
-  update key configuration for a specified key.
-
-  Create a key in the key-value store with no data:
-
-      $ vault kv metadata patch -mount=secret foo
-
-  The deprecated path-like syntax can also be used, but this should be avoided 
-  for KV v2, as the fact that it is not actually the full API path to 
-  the secret (secret/metadata/foo) can cause confusion: 
-  
-      $ vault kv metadata patch secret/foo
-
-  Set a max versions setting on the key:
-
-      $ vault kv metadata patch -mount=secret -max-versions=5 foo
-
-  Set delete-version-after on the key:
-
-      $ vault kv metadata patch -mount=secret -delete-version-after=3h25m19s foo
-
-  Require Check-and-Set for this key:
-
-      $ vault kv metadata patch -mount=secret -cas-required foo
-
-  Set custom metadata on the key:
-
-      $ vault kv metadata patch -mount=secret -custom-metadata=foo=abc -custom-metadata=bar=123 foo
-
-  To remove custom meta data from the corresponding path in the key-value store, kv metadata patch can be used.
-
-      $ vault kv metadata patch -mount=secret -remove-custom-metadata=bar foo
-
-  Additional flags and more advanced use cases are detailed below.
-
-` + c.Flags().Help()
-	return strings.TrimSpace(helpText)
-}
-
-func (c *KVMetadataPatchCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-
-	// Common Options
-	f := set.NewFlagSet("Common Options")
-
-	f.IntVar(&IntVar{
-		Name:    "max-versions",
-		Target:  &c.flagMaxVersions,
-		Default: -1,
-		Usage:   `The number of versions to keep. If not set, the backend’s configured max version is used.`,
-	})
-
-	f.BoolPtrVar(&BoolPtrVar{
-		Name:   "cas-required",
-		Target: &c.flagCASRequired,
-		Usage:  `If true the key will require the cas parameter to be set on all write requests. If false, the backend’s configuration will be used.`,
-	})
-
-	f.DurationVar(&DurationVar{
-		Name:       "delete-version-after",
-		Target:     &c.flagDeleteVersionAfter,
-		Default:    -1,
-		EnvVar:     "",
-		Completion: complete.PredictAnything,
-		Usage: `Specifies the length of time before a version is deleted.
-		If not set, the backend's configured delete-version-after is used. Cannot be
-		greater than the backend's delete-version-after. The delete-version-after is
-		specified as a numeric string with a suffix like "30s" or
-		"3h25m19s".`,
-	})
-
-	f.StringMapVar(&StringMapVar{
-		Name:    "custom-metadata",
-		Target:  &c.flagCustomMetadata,
-		Default: map[string]string{},
-		Usage: `Specifies arbitrary version-agnostic key=value metadata meant to describe a secret.
-		This can be specified multiple times to add multiple pieces of metadata.`,
-	})
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:    "remove-custom-metadata",
-		Target:  &c.flagRemoveCustomMetadata,
-		Default: []string{},
-		Usage:   "Key to remove from custom metadata. To specify multiple values, specify this flag multiple times.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:    "mount",
-		Target:  &c.flagMount,
-		Default: "", // no default, because the handling of the next arg is determined by whether this flag has a value
-		Usage: `Specifies the path where the KV backend is mounted. If specified, 
-		the next argument will be interpreted as the secret path. If this flag is 
-		not specified, the next argument will be interpreted as the combined mount 
-		path and secret path, with /metadata/ automatically appended between KV 
-		v2 secrets.`,
-	})
-
-	return set
-}
-
-func (c *KVMetadataPatchCommand) AutocompleteArgs() complete.Predictor {
-	return nil
-}
-
-func (c *KVMetadataPatchCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *KVMetadataPatchCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	// If true, we're working with "-mount=secret foo" syntax.
-	// If false, we're using "secret/foo" syntax.
-	mountFlagSyntax := c.flagMount != ""
-
-	var (
-		mountPath   string
-		partialPath string
-		v2          bool
-	)
-
-	// Parse the paths and grab the KV version
-	if mountFlagSyntax {
-		// In this case, this arg is the secret path (e.g. "foo").
-		partialPath = sanitizePath(args[0])
-		mountPath, v2, err = isKVv2(sanitizePath(c.flagMount), client)
-		if err != nil {
-			c.UI.Error(err.Error())
-			return 2
-		}
-
-		if v2 {
-			partialPath = path.Join(mountPath, partialPath)
-		}
-	} else {
-		// In this case, this arg is a path-like combination of mountPath/secretPath.
-		// (e.g. "secret/foo")
-		partialPath = sanitizePath(args[0])
-		mountPath, v2, err = isKVv2(partialPath, client)
-		if err != nil {
-			c.UI.Error(err.Error())
-			return 2
-		}
-	}
-	if !v2 {
-		c.UI.Error("Metadata not supported on KV Version 1")
-		return 1
-	}
-
-	fullPath := addPrefixToKVPath(partialPath, mountPath, "metadata", false)
-
-	data := make(map[string]interface{}, 0)
-
-	if c.flagMaxVersions >= 0 {
-		data["max_versions"] = c.flagMaxVersions
-	}
-
-	if c.flagCASRequired.IsSet() {
-		data["cas_required"] = c.flagCASRequired.Get()
-	}
-
-	if c.flagDeleteVersionAfter >= 0 {
-		data["delete_version_after"] = c.flagDeleteVersionAfter.String()
-	}
-
-	customMetadata := make(map[string]interface{})
-
-	for key, value := range c.flagCustomMetadata {
-		customMetadata[key] = value
-	}
-
-	for _, key := range c.flagRemoveCustomMetadata {
-		// A null in a JSON merge patch payload will remove the associated key
-		customMetadata[key] = nil
-	}
-
-	data["custom_metadata"] = customMetadata
-
-	secret, err := client.Logical().JSONMergePatch(context.Background(), fullPath, data)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error writing data to %s: %s", fullPath, err))
-
-		if secret != nil {
-			OutputSecret(c.UI, secret)
-		}
-		return 2
-	}
-
-	if secret == nil {
-		// Don't output anything unless using the "table" format
-		if Format(c.UI) == "table" {
-			c.UI.Info(fmt.Sprintf("Success! Data written to: %s", fullPath))
-		}
-		return 0
-	}
-
-	return OutputSecret(c.UI, secret)
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<Toolbar />
+<div class="box is-fullwidth is-shadowless is-marginless">
+  <h4 class="title is-5 is-marginless">
+    Edit path filter config for
+    <code>{{this.model.config.id}}</code>
+  </h4>
+</div>
+<form {{action "saveConfig" this.model.config on="submit"}}>
+  <PathFilterConfigList @paths={{this.model.paths}} @config={{this.model.config}} />
+  <hr class="has-background-gray-100" />
+  <Hds::ButtonSet>
+    <Hds::Button @text="Update" type="submit" data-test-config-save />
+    <Hds::Button @text="Cancel" @color="secondary" @route="mode.secondaries.config-show" @model={{this.model.config.id}} />
+  </Hds::ButtonSet>
+</form>
\ No newline at end of file
diff --git a/command/kv_metadata_patch_test.go b/command/kv_metadata_patch_test.go
index a8dc583780c5..f674c7df3625 100644
--- a/command/kv_metadata_patch_test.go
+++ b/command/kv_metadata_patch_test.go
@@ -1,299 +1,17 @@
 // Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
+// SPDX-License-Identifier: MPL-2.0
 
-package command
+package pluginruntimeutil
 
-import (
-	"encoding/json"
-	"io"
-	"strings"
-	"testing"
+import "github.com/hashicorp/vault/sdk/helper/consts"
 
-	"github.com/go-test/deep"
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-)
-
-func testKVMetadataPatchCommand(tb testing.TB) (*cli.MockUi, *KVMetadataPatchCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &KVMetadataPatchCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func kvMetadataPatchWithRetry(t *testing.T, client *api.Client, args []string, stdin *io.PipeReader) (int, string) {
-	t.Helper()
-
-	return retryKVCommand(t, func() (int, string) {
-		ui, cmd := testKVMetadataPatchCommand(t)
-		cmd.client = client
-
-		if stdin != nil {
-			cmd.testStdin = stdin
-		}
-
-		code := cmd.Run(args)
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-
-		return code, combined
-	})
-}
-
-func kvMetadataPutWithRetry(t *testing.T, client *api.Client, args []string, stdin *io.PipeReader) (int, string) {
-	t.Helper()
-
-	return retryKVCommand(t, func() (int, string) {
-		ui, cmd := testKVMetadataPutCommand(t)
-		cmd.client = client
-
-		if stdin != nil {
-			cmd.testStdin = stdin
-		}
-
-		code := cmd.Run(args)
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-
-		return code, combined
-	})
-}
-
-func TestKvMetadataPatchCommand_EmptyArgs(t *testing.T) {
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	if err := client.Sys().Mount("kv/", &api.MountInput{
-		Type: "kv-v2",
-	}); err != nil {
-		t.Fatalf("kv-v2 mount error: %#v", err)
-	}
-
-	args := make([]string, 0)
-	code, combined := kvMetadataPatchWithRetry(t, client, args, nil)
-
-	expectedCode := 1
-	expectedOutput := "Not enough arguments"
-
-	if code != expectedCode {
-		t.Fatalf("expected code to be %d but was %d for patch cmd with args %#v", expectedCode, code, args)
-	}
-
-	if !strings.Contains(combined, expectedOutput) {
-		t.Fatalf("expected output to be %q but was %q for patch cmd with args %#v", expectedOutput, combined, args)
-	}
-}
-
-func TestKvMetadataPatchCommand_Flags(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name            string
-		args            []string
-		out             string
-		code            int
-		expectedUpdates map[string]interface{}
-	}{
-		{
-			"cas_required_success",
-			[]string{"-cas-required=true"},
-			"Success!",
-			0,
-			map[string]interface{}{
-				"cas_required": true,
-			},
-		},
-		{
-			"cas_required_invalid",
-			[]string{"-cas-required=12345"},
-			"invalid boolean value",
-			1,
-			map[string]interface{}{},
-		},
-		{
-			"custom_metadata_success",
-			[]string{"-custom-metadata=baz=ghi"},
-			"Success!",
-			0,
-			map[string]interface{}{
-				"custom_metadata": map[string]interface{}{
-					"foo": "abc",
-					"bar": "def",
-					"baz": "ghi",
-				},
-			},
-		},
-		{
-			"remove-custom_metadata",
-			[]string{"-custom-metadata=baz=ghi", "-remove-custom-metadata=foo"},
-			"Success!",
-			0,
-			map[string]interface{}{
-				"custom_metadata": map[string]interface{}{
-					"bar": "def",
-					"baz": "ghi",
-				},
-			},
-		},
-		{
-			"remove-custom_metadata-multiple",
-			[]string{"-custom-metadata=baz=ghi", "-remove-custom-metadata=foo", "-remove-custom-metadata=bar"},
-			"Success!",
-			0,
-			map[string]interface{}{
-				"custom_metadata": map[string]interface{}{
-					"baz": "ghi",
-				},
-			},
-		},
-		{
-			"delete_version_after_success",
-			[]string{"-delete-version-after=5s"},
-			"Success!",
-			0,
-			map[string]interface{}{
-				"delete_version_after": "5s",
-			},
-		},
-		{
-			"delete_version_after_invalid",
-			[]string{"-delete-version-after=false"},
-			"invalid duration",
-			1,
-			map[string]interface{}{},
-		},
-		{
-			"max_versions_success",
-			[]string{"-max-versions=10"},
-			"Success!",
-			0,
-			map[string]interface{}{
-				"max_versions": json.Number("10"),
-			},
-		},
-		{
-			"max_versions_invalid",
-			[]string{"-max-versions=false"},
-			"invalid syntax",
-			1,
-			map[string]interface{}{},
-		},
-		{
-			"multiple_flags_success",
-			[]string{"-max-versions=20", "-custom-metadata=baz=123"},
-			"Success!",
-			0,
-			map[string]interface{}{
-				"max_versions": json.Number("20"),
-				"custom_metadata": map[string]interface{}{
-					"foo": "abc",
-					"bar": "def",
-					"baz": "123",
-				},
-			},
-		},
-	}
-
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			client, closer := testVaultServer(t)
-			defer closer()
-
-			basePath := t.Name() + "/"
-			secretPath := basePath + "my-secret"
-			metadataPath := basePath + "metadata/" + "my-secret"
-
-			if err := client.Sys().Mount(basePath, &api.MountInput{
-				Type: "kv-v2",
-			}); err != nil {
-				t.Fatalf("kv-v2 mount error: %#v", err)
-			}
-
-			putArgs := []string{"-cas-required=true", "-custom-metadata=foo=abc", "-custom-metadata=bar=def", secretPath}
-			code, combined := kvMetadataPutWithRetry(t, client, putArgs, nil)
-
-			if code != 0 {
-				t.Fatalf("initial metadata put failed, code: %d, output: %s", code, combined)
-			}
-
-			initialMetadata, err := client.Logical().Read(metadataPath)
-			if err != nil {
-				t.Fatalf("metadata read failed, err: %#v", err)
-			}
-
-			patchArgs := append(tc.args, secretPath)
-
-			code, combined = kvMetadataPatchWithRetry(t, client, patchArgs, nil)
-
-			if !strings.Contains(combined, tc.out) {
-				t.Fatalf("expected output to be %q but was %q for patch cmd with args %#v", tc.out, combined, patchArgs)
-			}
-			if code != tc.code {
-				t.Fatalf("expected code to be %d but was %d for patch cmd with args %#v", tc.code, code, patchArgs)
-			}
-
-			patchedMetadata, err := client.Logical().Read(metadataPath)
-			if err != nil {
-				t.Fatalf("metadata read failed, err: %#v", err)
-			}
-
-			for k, v := range patchedMetadata.Data {
-				var expectedVal interface{}
-
-				if inputVal, ok := tc.expectedUpdates[k]; ok {
-					expectedVal = inputVal
-				} else {
-					expectedVal = initialMetadata.Data[k]
-				}
-
-				if diff := deep.Equal(expectedVal, v); len(diff) > 0 {
-					t.Fatalf("patched %q mismatch, diff: %#v", k, diff)
-				}
-			}
-		})
-	}
-}
-
-func TestKvMetadataPatchCommand_CasWarning(t *testing.T) {
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	basePath := "kv/"
-	if err := client.Sys().Mount(basePath, &api.MountInput{
-		Type: "kv-v2",
-	}); err != nil {
-		t.Fatalf("kv-v2 mount error: %#v", err)
-	}
-
-	secretPath := basePath + "my-secret"
-
-	args := []string{"-cas-required=true", secretPath}
-	code, combined := kvMetadataPutWithRetry(t, client, args, nil)
-
-	if code != 0 {
-		t.Fatalf("metadata put failed, code: %d, output: %s", code, combined)
-	}
-
-	casConfig := map[string]interface{}{
-		"cas_required": true,
-	}
-
-	_, err := client.Logical().Write(basePath+"config", casConfig)
-	if err != nil {
-		t.Fatalf("config write failed, err: #%v", err)
-	}
-
-	args = []string{"-cas-required=false", secretPath}
-	code, combined = kvMetadataPatchWithRetry(t, client, args, nil)
-
-	if code != 0 {
-		t.Fatalf("expected code to be 0 but was %d for patch cmd with args %#v", code, args)
-	}
-
-	expectedOutput := "\"cas_required\" set to false, but is mandated by backend config"
-	if !strings.Contains(combined, expectedOutput) {
-		t.Fatalf("expected output to be %q but was %q for patch cmd with args %#v", expectedOutput, combined, args)
-	}
+// PluginRuntimeConfig defines the metadata needed to run a plugin runtime
+type PluginRuntimeConfig struct {
+	Name         string                   `json:"name" structs:"name"`
+	Type         consts.PluginRuntimeType `json:"type" structs:"type"`
+	OCIRuntime   string                   `json:"oci_runtime" structs:"oci_runtime"`
+	CgroupParent string                   `json:"cgroup_parent" structs:"cgroup_parent"`
+	CPU          int64                    `json:"cpu" structs:"cpu"`
+	Memory       int64                    `json:"memory" structs:"memory"`
+	Rootless     bool                     `json:"rootless" structs:"rootlesss"`
 }
diff --git a/command/kv_metadata_put.go b/command/kv_metadata_put.go
index 1cd8375320a1..a479656adc4d 100644
--- a/command/kv_metadata_put.go
+++ b/command/kv_metadata_put.go
@@ -1,238 +1,147 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"io"
-	"path"
-	"strings"
-	"time"
-
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*KVMetadataPutCommand)(nil)
-	_ cli.CommandAutocomplete = (*KVMetadataPutCommand)(nil)
-)
-
-type KVMetadataPutCommand struct {
-	*BaseCommand
-
-	flagMaxVersions        int
-	flagCASRequired        BoolPtr
-	flagDeleteVersionAfter time.Duration
-	flagCustomMetadata     map[string]string
-	flagMount              string
-	testStdin              io.Reader // for tests
-}
-
-func (c *KVMetadataPutCommand) Synopsis() string {
-	return "Sets or updates key settings in the KV store"
-}
-
-func (c *KVMetadataPutCommand) Help() string {
-	helpText := `
-Usage: vault kv metadata put [options] KEY
-
-  This command can be used to create a blank key in the key-value store or to
-  update key configuration for a specified key.
-
-  Create a key in the key-value store with no data:
-
-      $ vault kv metadata put -mount=secret foo
-
-  The deprecated path-like syntax can also be used, but this should be avoided 
-  for KV v2, as the fact that it is not actually the full API path to 
-  the secret (secret/metadata/foo) can cause confusion: 
-  
-      $ vault kv metadata put secret/foo
-
-  Set a max versions setting on the key:
-
-      $ vault kv metadata put -mount=secret -max-versions=5 foo
-
-  Set delete-version-after on the key:
-
-      $ vault kv metadata put -mount=secret -delete-version-after=3h25m19s foo
-
-  Require Check-and-Set for this key:
-
-      $ vault kv metadata put -mount=secret -cas-required foo
-
-  Set custom metadata on the key:
-
-      $ vault kv metadata put -mount=secret -custom-metadata=foo=abc -custom-metadata=bar=123 foo
-
-  Additional flags and more advanced use cases are detailed below.
-
-` + c.Flags().Help()
-	return strings.TrimSpace(helpText)
-}
-
-func (c *KVMetadataPutCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-
-	// Common Options
-	f := set.NewFlagSet("Common Options")
-
-	f.IntVar(&IntVar{
-		Name:    "max-versions",
-		Target:  &c.flagMaxVersions,
-		Default: -1,
-		Usage:   `The number of versions to keep. If not set, the backend’s configured max version is used.`,
-	})
-
-	f.BoolPtrVar(&BoolPtrVar{
-		Name:   "cas-required",
-		Target: &c.flagCASRequired,
-		Usage:  `If true the key will require the cas parameter to be set on all write requests. If false, the backend’s configuration will be used.`,
-	})
-
-	f.DurationVar(&DurationVar{
-		Name:       "delete-version-after",
-		Target:     &c.flagDeleteVersionAfter,
-		Default:    -1,
-		EnvVar:     "",
-		Completion: complete.PredictAnything,
-		Usage: `Specifies the length of time before a version is deleted.
-		If not set, the backend's configured delete-version-after is used. Cannot be
-		greater than the backend's delete-version-after. The delete-version-after is
-		specified as a numeric string with a suffix like "30s" or
-		"3h25m19s".`,
-	})
-
-	f.StringMapVar(&StringMapVar{
-		Name:    "custom-metadata",
-		Target:  &c.flagCustomMetadata,
-		Default: map[string]string{},
-		Usage: "Specifies arbitrary version-agnostic key=value metadata meant to describe a secret." +
-			"This can be specified multiple times to add multiple pieces of metadata.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:    "mount",
-		Target:  &c.flagMount,
-		Default: "", // no default, because the handling of the next arg is determined by whether this flag has a value
-		Usage: `Specifies the path where the KV backend is mounted. If specified, 
-		the next argument will be interpreted as the secret path. If this flag is 
-		not specified, the next argument will be interpreted as the combined mount 
-		path and secret path, with /metadata/ automatically appended between KV 
-		v2 secrets.`,
-	})
-
-	return set
-}
-
-func (c *KVMetadataPutCommand) AutocompleteArgs() complete.Predictor {
-	return nil
-}
-
-func (c *KVMetadataPutCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *KVMetadataPutCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	// If true, we're working with "-mount=secret foo" syntax.
-	// If false, we're using "secret/foo" syntax.
-	mountFlagSyntax := c.flagMount != ""
-
-	var (
-		mountPath   string
-		partialPath string
-		v2          bool
-	)
-
-	// Parse the paths and grab the KV version
-	if mountFlagSyntax {
-		// In this case, this arg is the secret path (e.g. "foo").
-		partialPath = sanitizePath(args[0])
-		mountPath, v2, err = isKVv2(sanitizePath(c.flagMount), client)
-		if err != nil {
-			c.UI.Error(err.Error())
-			return 2
-		}
-
-		if v2 {
-			partialPath = path.Join(mountPath, partialPath)
-		}
-	} else {
-		// In this case, this arg is a path-like combination of mountPath/secretPath.
-		// (e.g. "secret/foo")
-		partialPath = sanitizePath(args[0])
-		mountPath, v2, err = isKVv2(partialPath, client)
-		if err != nil {
-			c.UI.Error(err.Error())
-			return 2
-		}
-	}
-
-	if !v2 {
-		c.UI.Error("Metadata not supported on KV Version 1")
-		return 1
-	}
-
-	fullPath := addPrefixToKVPath(partialPath, mountPath, "metadata", false)
-	data := map[string]interface{}{}
-
-	if c.flagMaxVersions >= 0 {
-		data["max_versions"] = c.flagMaxVersions
-	}
-
-	if c.flagDeleteVersionAfter >= 0 {
-		data["delete_version_after"] = c.flagDeleteVersionAfter.String()
-	}
-
-	if c.flagCASRequired.IsSet() {
-		data["cas_required"] = c.flagCASRequired.Get()
-	}
-
-	if len(c.flagCustomMetadata) > 0 {
-		data["custom_metadata"] = c.flagCustomMetadata
-	}
-
-	secret, err := client.Logical().Write(fullPath, data)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error writing data to %s: %s", fullPath, err))
-		if secret != nil {
-			OutputSecret(c.UI, secret)
-		}
-		return 2
-	}
-	if secret == nil {
-		// Don't output anything unless using the "table" format
-		if Format(c.UI) == "table" {
-			c.UI.Info(fmt.Sprintf("Success! Data written to: %s", fullPath))
-		}
-		return 0
-	}
-
-	return OutputSecret(c.UI, secret)
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'ember-qunit';
+import { setupEngine } from 'ember-engines/test-support';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { render, click, fillIn } from '@ember/test-helpers';
+import hbs from 'htmlbars-inline-precompile';
+import { Response } from 'miragejs';
+import sinon from 'sinon';
+import { generateBreadcrumbs } from 'vault/tests/helpers/ldap';
+
+const selectors = {
+  radioCard: '[data-test-radio-card="OpenLDAP"]',
+  save: '[data-test-config-save]',
+  binddn: '[data-test-field="binddn"] input',
+  bindpass: '[data-test-field="bindpass"] input',
+};
+
+module('Integration | Component | ldap | Page::Configure', function (hooks) {
+  setupRenderingTest(hooks);
+  setupEngine(hooks, 'ldap');
+  setupMirage(hooks);
+
+  const fillAndSubmit = async (rotate) => {
+    await click(selectors.radioCard);
+    await fillIn(selectors.binddn, 'foo');
+    await fillIn(selectors.bindpass, 'bar');
+    await click(selectors.save);
+    await click(`[data-test-save-${rotate}-rotate]`);
+  };
+
+  hooks.beforeEach(function () {
+    this.store = this.owner.lookup('service:store');
+    this.newModel = this.store.createRecord('ldap/config', { backend: 'ldap-new' });
+    this.existingConfig = {
+      schema: 'openldap',
+      binddn: 'cn=vault,ou=Users,dc=hashicorp,dc=com',
+      bindpass: 'foobar',
+    };
+    this.store.pushPayload('ldap/config', {
+      modelName: 'ldap/config',
+      backend: 'ldap-edit',
+      ...this.existingConfig,
+    });
+    this.editModel = this.store.peekRecord('ldap/config', 'ldap-edit');
+    this.breadcrumbs = generateBreadcrumbs('ldap', 'configure');
+    this.model = this.newModel; // most of the tests use newModel but set this to editModel when needed
+    this.renderComponent = () => {
+      return render(hbs`<Page::Configure @model={{this.model}} @breadcrumbs={{this.breadcrumbs}} />`, {
+        owner: this.engine,
+      });
+    };
+    this.transitionStub = sinon.stub(this.owner.lookup('service:router'), 'transitionTo');
+  });
+
+  test('it should render empty state when schema is not selected', async function (assert) {
+    await this.renderComponent();
+
+    assert.dom('[data-test-empty-state-title]').hasText('Choose an option', 'Empty state title renders');
+    assert
+      .dom('[data-test-empty-state-message]')
+      .hasText('Pick an option above to see available configuration options', 'Empty state title renders');
+    assert.dom(selectors.save).isDisabled('Save button is disabled when schema is not selected');
+
+    await click(selectors.radioCard);
+    assert
+      .dom('[data-test-component="empty-state"]')
+      .doesNotExist('Empty state is hidden when schema is selected');
+  });
+
+  test('it should render validation messages for invalid form', async function (assert) {
+    await this.renderComponent();
+
+    await click(selectors.radioCard);
+    await click(selectors.save);
+
+    assert
+      .dom('[data-test-field="binddn"] [data-test-inline-error-message]')
+      .hasText('Administrator distinguished name is required.', 'Validation message renders for binddn');
+    assert
+      .dom('[data-test-field="bindpass"] [data-test-inline-error-message]')
+      .hasText('Administrator password is required.', 'Validation message renders for bindpass');
+    assert
+      .dom('[data-test-invalid-form-message]')
+      .hasText('There are 2 errors with this form.', 'Invalid form message renders');
+  });
+
+  test('it should save new configuration without rotating root password', async function (assert) {
+    assert.expect(2);
+
+    this.server.post('/ldap-new/config', () => {
+      assert.ok(true, 'POST request made to save config');
+      return new Response(204, {});
+    });
+
+    await this.renderComponent();
+    await fillAndSubmit('without');
+
+    assert.ok(
+      this.transitionStub.calledWith('vault.cluster.secrets.backend.ldap.configuration'),
+      'Transitions to configuration route on save success'
+    );
+  });
+
+  test('it should save new configuration and rotate root password', async function (assert) {
+    assert.expect(3);
+
+    this.server.post('/ldap-new/config', () => {
+      assert.ok(true, 'POST request made to save config');
+      return new Response(204, {});
+    });
+    this.server.post('/ldap-new/rotate-root', () => {
+      assert.ok(true, 'POST request made to rotate root password');
+      return new Response(204, {});
+    });
+
+    await this.renderComponent();
+    await fillAndSubmit('with');
+
+    assert.ok(
+      this.transitionStub.calledWith('vault.cluster.secrets.backend.ldap.configuration'),
+      'Transitions to configuration route on save success'
+    );
+  });
+
+  test('it should populate fields when editing form', async function (assert) {
+    this.model = this.editModel;
+
+    await this.renderComponent();
+
+    assert.dom(selectors.radioCard).isChecked('Correct radio card is checked for schema value');
+    assert.dom(selectors.binddn).hasValue(this.existingConfig.binddn, 'binddn value renders');
+
+    await fillIn(selectors.binddn, 'foobar');
+    await click('[data-test-config-cancel]');
+
+    assert.strictEqual(this.model.binddn, this.existingConfig.binddn, 'Model is rolled back on cancel');
+    assert.ok(
+      this.transitionStub.calledWith('vault.cluster.secrets.backend.ldap.configuration'),
+      'Transitions to configuration route on save success'
+    );
+  });
+});
diff --git a/command/kv_metadata_put_test.go b/command/kv_metadata_put_test.go
index a4068e23c886..393b8eb51e99 100644
--- a/command/kv_metadata_put_test.go
+++ b/command/kv_metadata_put_test.go
@@ -1,204 +1,109 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"encoding/json"
-	"strings"
-	"testing"
-
-	"github.com/go-test/deep"
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-)
-
-func testKVMetadataPutCommand(tb testing.TB) (*cli.MockUi, *KVMetadataPutCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &KVMetadataPutCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestKvMetadataPutCommand_DeleteVersionAfter(t *testing.T) {
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	basePath := t.Name() + "/"
-	if err := client.Sys().Mount(basePath, &api.MountInput{
-		Type: "kv-v2",
-	}); err != nil {
-		t.Fatal(err)
-	}
-
-	ui, cmd := testKVMetadataPutCommand(t)
-	cmd.client = client
-
-	// Set a limit of 1s first.
-	code := cmd.Run([]string{"-delete-version-after=1s", basePath + "secret/my-secret"})
-	if code != 0 {
-		t.Fatalf("expected %d but received %d", 0, code)
-	}
-
-	metaFullPath := basePath + "metadata/secret/my-secret"
-	combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-	success := "Success! Data written to: " + metaFullPath
-	if !strings.Contains(combined, success) {
-		t.Fatalf("expected %q but received %q", success, combined)
-	}
-
-	secret, err := client.Logical().Read(metaFullPath)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if secret.Data["delete_version_after"] != "1s" {
-		t.Fatalf("expected 1s but received %q", secret.Data["delete_version_after"])
-	}
-
-	// Now verify that we can return it to 0s.
-	ui, cmd = testKVMetadataPutCommand(t)
-	cmd.client = client
-
-	// Set a limit of 1s first.
-	code = cmd.Run([]string{"-delete-version-after=0", basePath + "secret/my-secret"})
-	if code != 0 {
-		t.Errorf("expected %d but received %d", 0, code)
-	}
-
-	combined = ui.OutputWriter.String() + ui.ErrorWriter.String()
-	if !strings.Contains(combined, success) {
-		t.Errorf("expected %q but received %q", success, combined)
-	}
-
-	secret, err = client.Logical().Read(metaFullPath)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if secret.Data["delete_version_after"] != "0s" {
-		t.Fatalf("expected 0s but received %q", secret.Data["delete_version_after"])
-	}
-}
-
-func TestKvMetadataPutCommand_CustomMetadata(t *testing.T) {
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	basePath := t.Name() + "/"
-	secretPath := basePath + "secret/my-secret"
-
-	if err := client.Sys().Mount(basePath, &api.MountInput{
-		Type: "kv-v2",
-	}); err != nil {
-		t.Fatalf("kv-v2 mount error: %#v", err)
-	}
-
-	ui, cmd := testKVMetadataPutCommand(t)
-	cmd.client = client
-
-	exitStatus := cmd.Run([]string{"-custom-metadata=foo=abc", "-custom-metadata=bar=123", secretPath})
-
-	if exitStatus != 0 {
-		t.Fatalf("Expected 0 exit status but received %d", exitStatus)
-	}
-
-	metaFullPath := basePath + "metadata/secret/my-secret"
-	commandOutput := ui.OutputWriter.String() + ui.ErrorWriter.String()
-	expectedOutput := "Success! Data written to: " + metaFullPath
-
-	if !strings.Contains(commandOutput, expectedOutput) {
-		t.Fatalf("Expected command output %q but received %q", expectedOutput, commandOutput)
-	}
-
-	metadata, err := client.Logical().Read(metaFullPath)
-	if err != nil {
-		t.Fatalf("Metadata read error: %#v", err)
-	}
-
-	// JSON output from read decoded into map[string]interface{}
-	expectedCustomMetadata := map[string]interface{}{
-		"foo": "abc",
-		"bar": "123",
-	}
-
-	if diff := deep.Equal(metadata.Data["custom_metadata"], expectedCustomMetadata); len(diff) > 0 {
-		t.Fatal(diff)
-	}
-
-	ui, cmd = testKVMetadataPutCommand(t)
-	cmd.client = client
-
-	// Overwrite entire custom metadata with a single key
-	exitStatus = cmd.Run([]string{"-custom-metadata=baz=abc123", secretPath})
-
-	if exitStatus != 0 {
-		t.Fatalf("Expected 0 exit status but received %d", exitStatus)
-	}
-
-	commandOutput = ui.OutputWriter.String() + ui.ErrorWriter.String()
-
-	if !strings.Contains(commandOutput, expectedOutput) {
-		t.Fatalf("Expected command output %q but received %q", expectedOutput, commandOutput)
-	}
-
-	metadata, err = client.Logical().Read(metaFullPath)
-
-	if err != nil {
-		t.Fatalf("Metadata read error: %#v", err)
-	}
-
-	expectedCustomMetadata = map[string]interface{}{
-		"baz": "abc123",
-	}
-
-	if diff := deep.Equal(metadata.Data["custom_metadata"], expectedCustomMetadata); len(diff) > 0 {
-		t.Fatal(diff)
-	}
-}
-
-func TestKvMetadataPutCommand_UnprovidedFlags(t *testing.T) {
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	basePath := t.Name() + "/"
-	secretPath := basePath + "my-secret"
-
-	if err := client.Sys().Mount(basePath, &api.MountInput{
-		Type: "kv-v2",
-	}); err != nil {
-		t.Fatalf("kv-v2 mount error: %#v", err)
-	}
-
-	_, cmd := testKVMetadataPutCommand(t)
-	cmd.client = client
-
-	args := []string{"-cas-required=true", "-max-versions=10", secretPath}
-	code, _ := kvMetadataPutWithRetry(t, client, args, nil)
-
-	if code != 0 {
-		t.Fatalf("expected 0 exit status but received %d", code)
-	}
-
-	args = []string{"-custom-metadata=foo=bar", secretPath}
-	code, _ = kvMetadataPutWithRetry(t, client, args, nil)
-
-	if code != 0 {
-		t.Fatalf("expected 0 exit status but received %d", code)
-	}
-
-	secret, err := client.Logical().Read(basePath + "metadata/" + "my-secret")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if secret.Data["cas_required"] != true {
-		t.Fatalf("expected cas_required to be true but received %#v", secret.Data["cas_required"])
-	}
-
-	if secret.Data["max_versions"] != json.Number("10") {
-		t.Fatalf("expected max_versions to be 10 but received %#v", secret.Data["max_versions"])
-	}
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<PageHeader as |p|>
+  <p.top>
+    <Page::Breadcrumbs @breadcrumbs={{@breadcrumbs}} />
+  </p.top>
+  <p.levelLeft>
+    <h1 class="title is-3">Configure LDAP</h1>
+  </p.levelLeft>
+</PageHeader>
+
+<hr class="is-marginless has-background-gray-200" />
+
+<form class="has-top-margin-l" {{on "submit" (perform this.save)}}>
+  <Hds::Form::RadioCard::Group @name="schema options" as |RadioGroup|>
+    {{#each this.schemaOptions as |option|}}
+      <RadioGroup.RadioCard
+        @checked={{eq option.value @model.schema}}
+        {{on "change" (fn (mut @model.schema) option.value)}}
+        data-test-radio-card={{option.title}}
+        as |Card|
+      >
+        <Card.Icon @name={{option.icon}} />
+        <Card.Label>{{option.title}}</Card.Label>
+        <Card.Description>{{option.description}}</Card.Description>
+      </RadioGroup.RadioCard>
+    {{/each}}
+  </Hds::Form::RadioCard::Group>
+
+  <div class="has-top-margin-xl">
+    <MessageError @errorMessage={{this.error}} />
+
+    <h2 class="title is-4">Schema Options</h2>
+    <hr class="has-background-gray-200" />
+
+    {{#if @model.schema}}
+      <div class="has-top-margin-l">
+        <FormFieldGroups @model={{@model}} @groupName="formFieldGroups" @modelValidations={{this.modelValidations}} />
+      </div>
+    {{else}}
+      <EmptyState
+        class="is-shadowless has-top-margin-l"
+        @title="Choose an option"
+        @message="Pick an option above to see available configuration options"
+      />
+    {{/if}}
+  </div>
+
+  <hr class="has-background-gray-200 has-top-margin-l" />
+
+  <div class="has-top-margin-l has-bottom-margin-l is-flex">
+    <Hds::Button
+      @text="Save"
+      data-test-config-save
+      type="submit"
+      disabled={{or this.save.isRunning (not @model.schema)}}
+      {{on "click" (perform this.save)}}
+    />
+    <Hds::Button
+      @text="Back"
+      @color="secondary"
+      class="has-left-margin-xs"
+      data-test-config-cancel
+      disabled={{or this.save.isRunning this.fetchInferred.isRunning}}
+      {{on "click" this.cancel}}
+    />
+    {{#if this.invalidFormMessage}}
+      <AlertInline
+        @type="danger"
+        class="has-top-padding-s"
+        @message={{this.invalidFormMessage}}
+        data-test-invalid-form-message
+      />
+    {{/if}}
+  </div>
+</form>
+
+{{#if this.showRotatePrompt}}
+  <Hds::Modal id="ldap-rotate-password-modal" @onClose={{fn (mut this.showRotatePrompt) false}} as |M|>
+    <M.Header @icon="info">
+      Rotate your root password?
+    </M.Header>
+    <M.Body>
+      <p>
+        It’s best practice to rotate the administrator (root) password immediately after the initial configuration of the
+        LDAP engine. The rotation will update the password both in Vault and your directory server. Once rotated,
+        <span class="has-text-weight-semibold">only Vault knows the new root password.</span>
+      </p>
+      <br />
+      <p>
+        Would you like to rotate your new credentials? You can also do this later.
+      </p>
+    </M.Body>
+    <M.Footer>
+      <Hds::ButtonSet>
+        <Hds::Button data-test-save-with-rotate @text="Save and rotate" {{on "click" (fn (perform this.save) null true)}} />
+        <Hds::Button
+          data-test-save-without-rotate
+          @text="Save without rotating"
+          @color="secondary"
+          {{on "click" (fn (perform this.save) null false)}}
+        />
+      </Hds::ButtonSet>
+    </M.Footer>
+  </Hds::Modal>
+{{/if}}
\ No newline at end of file
diff --git a/command/kv_patch.go b/command/kv_patch.go
index da96088d112f..139bc100162b 100644
--- a/command/kv_patch.go
+++ b/command/kv_patch.go
@@ -1,409 +1,159 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"context"
-	"fmt"
-	"io"
-	"os"
-	"path"
-	"strings"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*KVPatchCommand)(nil)
-	_ cli.CommandAutocomplete = (*KVPatchCommand)(nil)
-)
-
-type KVPatchCommand struct {
-	*BaseCommand
-
-	flagCAS        int
-	flagMethod     string
-	flagMount      string
-	testStdin      io.Reader // for tests
-	flagRemoveData []string
-}
-
-func (c *KVPatchCommand) Synopsis() string {
-	return "Sets or updates data in the KV store without overwriting"
-}
-
-func (c *KVPatchCommand) Help() string {
-	helpText := `
-Usage: vault kv patch [options] KEY [DATA]
-
-  *NOTE*: This is only supported for KV v2 engine mounts.
-
-  Writes the data to the corresponding path in the key-value store. The data can be of
-  any type.
-
-      $ vault kv patch -mount=secret foo bar=baz
-
-  The deprecated path-like syntax can also be used, but this should be avoided, 
-  as the fact that it is not actually the full API path to 
-  the secret (secret/data/foo) can cause confusion: 
-  
-      $ vault kv patch secret/foo bar=baz
-
-  The data can also be consumed from a file on disk by prefixing with the "@"
-  symbol. For example:
-
-      $ vault kv patch -mount=secret foo @data.json
-
-  Or it can be read from stdin using the "-" symbol:
-
-      $ echo "abcd1234" | vault kv patch -mount=secret foo bar=-
-
-  To perform a Check-And-Set operation, specify the -cas flag with the
-  appropriate version number corresponding to the key you want to perform
-  the CAS operation on:
-
-      $ vault kv patch -mount=secret -cas=1 foo bar=baz
-
-  By default, this operation will attempt an HTTP PATCH operation. If your
-  policy does not allow that, it will fall back to a read/local update/write approach.
-  If you wish to specify which method this command should use, you may do so
-  with the -method flag. When -method=patch is specified, only an HTTP PATCH
-  operation will be tried. If it fails, the entire command will fail.
-
-      $ vault kv patch -mount=secret -method=patch foo bar=baz
-
-  When -method=rw is specified, only a read/local update/write approach will be tried.
-  This was the default behavior previous to Vault 1.9.
-
-      $ vault kv patch -mount=secret -method=rw foo bar=baz
-
-  To remove data from the corresponding path in the key-value store, kv patch can be used.
-
-      $ vault kv patch -mount=secret -remove-data=bar foo
-
-  Additional flags and more advanced use cases are detailed below.
-
-` + c.Flags().Help()
-	return strings.TrimSpace(helpText)
-}
-
-func (c *KVPatchCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
-
-	// Patch specific options
-	f := set.NewFlagSet("Common Options")
-
-	f.IntVar(&IntVar{
-		Name:    "cas",
-		Target:  &c.flagCAS,
-		Default: 0,
-		Usage: `Specifies to use a Check-And-Set operation. If set to 0 or not
-		set, the patch will be allowed. If the index is non-zero the patch will
-		only be allowed if the key’s current version matches the version
-		specified in the cas parameter.`,
-	})
-
-	f.StringVar(&StringVar{
-		Name:   "method",
-		Target: &c.flagMethod,
-		Usage: `Specifies which method of patching to use. If set to "patch", then
-		an HTTP PATCH request will be issued. If set to "rw", then a read will be
-		performed, then a local update, followed by a remote update.`,
-	})
-
-	f.StringVar(&StringVar{
-		Name:    "mount",
-		Target:  &c.flagMount,
-		Default: "", // no default, because the handling of the next arg is determined by whether this flag has a value
-		Usage: `Specifies the path where the KV backend is mounted. If specified, 
-		the next argument will be interpreted as the secret path. If this flag is 
-		not specified, the next argument will be interpreted as the combined mount 
-		path and secret path, with /data/ automatically appended between KV 
-		v2 secrets.`,
-	})
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:    "remove-data",
-		Target:  &c.flagRemoveData,
-		Default: []string{},
-		Usage:   "Key to remove from data. To specify multiple values, specify this flag multiple times.",
-	})
-
-	return set
-}
-
-func (c *KVPatchCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultFiles()
-}
-
-func (c *KVPatchCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *KVPatchCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	// Pull our fake stdin if needed
-	stdin := (io.Reader)(os.Stdin)
-	if c.testStdin != nil {
-		stdin = c.testStdin
-	}
-
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected >1, got %d)", len(args)))
-		return 1
-	case len(c.flagRemoveData) == 0 && len(args) == 1:
-		c.UI.Error("Must supply data")
-		return 1
-	}
-
-	var err error
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	newData, err := parseArgsData(stdin, args[1:])
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Failed to parse K=V data: %s", err))
-		return 1
-	}
-
-	// If true, we're working with "-mount=secret foo" syntax.
-	// If false, we're using "secret/foo" syntax.
-	mountFlagSyntax := c.flagMount != ""
-
-	var (
-		mountPath   string
-		partialPath string
-		v2          bool
-	)
-
-	// Parse the paths and grab the KV version
-	if mountFlagSyntax {
-		// In this case, this arg is the secret path (e.g. "foo").
-		partialPath = sanitizePath(args[0])
-		mountPath, v2, err = isKVv2(sanitizePath(c.flagMount), client)
-		if err != nil {
-			c.UI.Error(err.Error())
-			return 2
-		}
-
-		if v2 {
-			partialPath = path.Join(mountPath, partialPath)
-		}
-	} else {
-		// In this case, this arg is a path-like combination of mountPath/secretPath.
-		// (e.g. "secret/foo")
-		partialPath = sanitizePath(args[0])
-		mountPath, v2, err = isKVv2(partialPath, client)
-		if err != nil {
-			c.UI.Error(err.Error())
-			return 2
-		}
-	}
-
-	if !v2 {
-		c.UI.Error("K/V engine mount must be version 2 for patch support")
-		return 2
-	}
-
-	fullPath := addPrefixToKVPath(partialPath, mountPath, "data", false)
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	// collecting data to be removed
-	if newData == nil {
-		newData = make(map[string]interface{})
-	}
-
-	for _, key := range c.flagRemoveData {
-		// A null in a JSON merge patch payload will remove the associated key
-		newData[key] = nil
-	}
-
-	// Check the method and behave accordingly
-	var secret *api.Secret
-	var code int
-
-	switch c.flagMethod {
-	case "rw":
-		secret, code = c.readThenWrite(client, fullPath, newData)
-	case "patch":
-		secret, code = c.mergePatch(client, fullPath, newData, false)
-	case "":
-		secret, code = c.mergePatch(client, fullPath, newData, true)
-	default:
-		c.UI.Error(fmt.Sprintf("Unsupported method provided to -method flag: %s", c.flagMethod))
-		return 2
-	}
-
-	if code != 0 {
-		return code
-	}
-	if secret == nil {
-		// Don't output anything if there's no secret
-		return 0
-	}
-
-	if c.flagField != "" {
-		return PrintRawField(c.UI, secret, c.flagField)
-	}
-
-	// If the secret is wrapped, return the wrapped response.
-	if secret.WrapInfo != nil && secret.WrapInfo.TTL != 0 {
-		return OutputSecret(c.UI, secret)
-	}
-
-	if Format(c.UI) == "table" {
-		outputPath(c.UI, fullPath, "Secret Path")
-		metadata := secret.Data
-		c.UI.Info(getHeaderForMap("Metadata", metadata))
-		return OutputData(c.UI, metadata)
-	}
-
-	return OutputSecret(c.UI, secret)
-}
-
-func (c *KVPatchCommand) readThenWrite(client *api.Client, path string, newData map[string]interface{}) (*api.Secret, int) {
-	// First, do a read.
-	// Note that we don't want to see curl output for the read request.
-	curOutputCurl := client.OutputCurlString()
-	client.SetOutputCurlString(false)
-	outputPolicy := client.OutputPolicy()
-	client.SetOutputPolicy(false)
-	secret, err := kvReadRequest(client, path, nil)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error doing pre-read at %s: %s", path, err))
-		return nil, 2
-	}
-	client.SetOutputCurlString(curOutputCurl)
-	client.SetOutputPolicy(outputPolicy)
-
-	// Make sure a value already exists
-	if secret == nil || secret.Data == nil {
-		c.UI.Error(fmt.Sprintf("No value found at %s", path))
-		return nil, 2
-	}
-
-	// Verify metadata found
-	rawMeta, ok := secret.Data["metadata"]
-	if !ok || rawMeta == nil {
-		c.UI.Error(fmt.Sprintf("No metadata found at %s; patch only works on existing data", path))
-		return nil, 2
-	}
-	meta, ok := rawMeta.(map[string]interface{})
-	if !ok {
-		c.UI.Error(fmt.Sprintf("Metadata found at %s is not the expected type (JSON object)", path))
-		return nil, 2
-	}
-	if meta == nil {
-		c.UI.Error(fmt.Sprintf("No metadata found at %s; patch only works on existing data", path))
-		return nil, 2
-	}
-
-	// Verify old data found
-	rawData, ok := secret.Data["data"]
-	if !ok || rawData == nil {
-		c.UI.Error(fmt.Sprintf("No data found at %s; patch only works on existing data", path))
-		return nil, 2
-	}
-	data, ok := rawData.(map[string]interface{})
-	if !ok {
-		c.UI.Error(fmt.Sprintf("Data found at %s is not the expected type (JSON object)", path))
-		return nil, 2
-	}
-	if data == nil {
-		c.UI.Error(fmt.Sprintf("No data found at %s; patch only works on existing data", path))
-		return nil, 2
-	}
-
-	// Copy new data over
-	for k, v := range newData {
-		data[k] = v
-	}
-
-	secret, err = client.Logical().Write(path, map[string]interface{}{
-		"data": data,
-		"options": map[string]interface{}{
-			"cas": meta["version"],
-		},
-	})
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error writing data to %s: %s", path, err))
-		return nil, 2
-	}
-
-	if secret == nil {
-		// Don't output anything unless using the "table" format
-		if Format(c.UI) == "table" {
-			c.UI.Info(fmt.Sprintf("Success! Data written to: %s", path))
-		}
-		return nil, 0
-	}
-
-	if c.flagField != "" {
-		return nil, PrintRawField(c.UI, secret, c.flagField)
-	}
-
-	return secret, 0
-}
-
-func (c *KVPatchCommand) mergePatch(client *api.Client, path string, newData map[string]interface{}, rwFallback bool) (*api.Secret, int) {
-	data := map[string]interface{}{
-		"data":    newData,
-		"options": map[string]interface{}{},
-	}
-
-	if c.flagCAS > 0 {
-		data["options"].(map[string]interface{})["cas"] = c.flagCAS
-	}
-
-	secret, err := client.Logical().JSONMergePatch(context.Background(), path, data)
-	if err != nil {
-		// If it's a 405, that probably means the server is running a pre-1.9
-		// Vault version that doesn't support the HTTP PATCH method.
-		// Fall back to the old way of doing it if the user didn't specify a -method.
-		// If they did, and it was "patch", then just error.
-		if re, ok := err.(*api.ResponseError); ok && re.StatusCode == 405 && rwFallback {
-			return c.readThenWrite(client, path, newData)
-		}
-		// If it's a 403, that probably means they don't have the patch capability in their policy. Fall back to
-		// the old way of doing it if the user didn't specify a -method. If they did, and it was "patch", then just error.
-		if re, ok := err.(*api.ResponseError); ok && re.StatusCode == 403 && rwFallback {
-			c.UI.Warn(fmt.Sprintf("Data was written to %s but we recommend that you add the \"patch\" capability to your ACL policy in order to use HTTP PATCH in the future.", path))
-			return c.readThenWrite(client, path, newData)
-		}
-
-		c.UI.Error(fmt.Sprintf("Error writing data to %s: %s", path, err))
-		return nil, 2
-	}
-
-	if secret == nil {
-		// Don't output anything unless using the "table" format
-		if Format(c.UI) == "table" {
-			c.UI.Info(fmt.Sprintf("Success! Data written to: %s", path))
-		}
-		return nil, 0
-	}
-
-	if c.flagField != "" {
-		return nil, PrintRawField(c.UI, secret, c.flagField)
-	}
-
-	return secret, 0
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'ember-qunit';
+import { render, click, find } from '@ember/test-helpers';
+import hbs from 'htmlbars-inline-precompile';
+import sinon from 'sinon';
+
+const SELECTORS = {
+  modalToggle: '[data-test-confirm-action-trigger]',
+  title: '[data-test-confirm-action-title]',
+  message: '[data-test-confirm-action-message]',
+  confirm: '[data-test-confirm-button]',
+  cancel: '[data-test-confirm-cancel-button]',
+};
+module('Integration | Component | confirm-action', function (hooks) {
+  setupRenderingTest(hooks);
+
+  hooks.beforeEach(function () {
+    this.onConfirm = sinon.spy();
+  });
+
+  test('it renders defaults and calls onConfirmAction', async function (assert) {
+    await render(hbs`
+      <ConfirmAction
+        @buttonText="DELETE"
+        @onConfirmAction={{this.onConfirm}}
+      />
+      `);
+
+    assert.dom(SELECTORS.modalToggle).hasText('DELETE', 'renders button text');
+    await click(SELECTORS.modalToggle);
+    // hasClass assertion wasn't working so this is the workaround
+    assert.strictEqual(
+      find('#confirm-action-modal').className,
+      'hds-modal hds-modal--size-small hds-modal--color-critical has-text-left',
+      'renders critical modal color by default'
+    );
+    assert.strictEqual(
+      find(SELECTORS.confirm).className,
+      'hds-button hds-button--size-medium hds-button--color-critical',
+      'renders critical confirm button'
+    );
+    assert.dom(SELECTORS.title).hasText('Are you sure?', 'renders default title');
+    assert
+      .dom(SELECTORS.message)
+      .hasText('You will not be able to recover it later.', 'renders default body text');
+    await click(SELECTORS.cancel);
+    assert.false(this.onConfirm.called, 'does not call the action when Cancel is clicked');
+    await click(SELECTORS.modalToggle);
+    await click(SELECTORS.confirm);
+    assert.true(this.onConfirm.called, 'calls the action when Confirm is clicked');
+    assert.dom(SELECTORS.title).doesNotExist('modal closes after confirm is clicked');
+  });
+
+  test('it renders isInDropdown defaults and calls onConfirmAction', async function (assert) {
+    await render(hbs`
+      <ConfirmAction
+        @buttonText="DELETE"
+        @onConfirmAction={{this.onConfirm}}
+        @isInDropdown={{true}}
+      />
+      `);
+
+    assert.dom(`li ${SELECTORS.modalToggle}`).exists('element renders inside <li>');
+    assert.dom(SELECTORS.modalToggle).hasClass('hds-confirm-action-critical', 'button has dropdown styling');
+    await click(SELECTORS.modalToggle);
+    assert.dom(SELECTORS.title).hasText('Are you sure?', 'renders default title');
+    assert
+      .dom(SELECTORS.message)
+      .hasText('You will not be able to recover it later.', 'renders default body text');
+    await click('[data-test-confirm-cancel-button]');
+    assert.false(this.onConfirm.called, 'does not call the action when Cancel is clicked');
+    await click(SELECTORS.modalToggle);
+    await click(SELECTORS.confirm);
+    assert.true(this.onConfirm.called, 'calls the action when Confirm is clicked');
+    assert.dom(SELECTORS.title).doesNotExist('modal closes after confirm is clicked');
+  });
+
+  test('it renders loading state', async function (assert) {
+    await render(hbs`
+      <ConfirmAction
+        @buttonText="Open!"
+        @onConfirmAction={{this.onConfirm}}
+        @isRunning={{true}}
+      />
+      `);
+
+    await click(SELECTORS.modalToggle);
+
+    assert.dom(SELECTORS.confirm).isDisabled('disables confirm button when loading');
+    assert.dom('[data-test-confirm-button] [data-test-icon="loading"]').exists('it renders loading icon');
+  });
+
+  test('it renders disabledMessage modal', async function (assert) {
+    this.condition = true;
+    await render(hbs`
+      <ConfirmAction
+        @buttonText="Open!"
+        @onConfirmAction={{this.onConfirm}}
+        @confirmTitle="Do this?"
+        @confirmMessage="Are you really, really sure?"
+        @disabledMessage={{if this.condition "This is the reason you cannot do the thing"}}
+      />
+      `);
+
+    await click(SELECTORS.modalToggle);
+    assert.strictEqual(
+      find('#confirm-action-modal').className,
+      'hds-modal hds-modal--size-small hds-modal--color-neutral has-text-left',
+      'renders critical modal color by default'
+    );
+    assert.dom(SELECTORS.title).hasText('Not allowed', 'renders disabled title');
+    assert
+      .dom(SELECTORS.message)
+      .hasText('This is the reason you cannot do the thing', 'renders disabled message as body text');
+    assert.dom(SELECTORS.confirm).doesNotExist('does not render confirm action button');
+    assert.dom(SELECTORS.cancel).hasText('Close');
+  });
+
+  test('it renders passed args', async function (assert) {
+    this.condition = false;
+    await render(hbs`
+      <ConfirmAction
+        @buttonText="Open!"
+        @onConfirmAction={{this.onConfirm}}
+        @modalColor="warning"
+        @buttonColor="secondary"
+        @confirmTitle="Do this?"
+        @confirmMessage="Are you really, really sure?"
+        @disabledMessage={{if this.condition "This is the reason you cannot do the thing"}}
+      />
+      `);
+
+    // hasClass assertion wasn't working so this is the workaround
+    assert.strictEqual(
+      find(SELECTORS.modalToggle).className,
+      'hds-button hds-button--size-medium hds-button--color-secondary',
+      'renders @buttonColor classes'
+    );
+    await click(SELECTORS.modalToggle);
+    assert.strictEqual(
+      find('#confirm-action-modal').className,
+      'hds-modal hds-modal--size-small hds-modal--color-warning has-text-left',
+      'renders warning modal'
+    );
+    assert.strictEqual(
+      find(SELECTORS.confirm).className,
+      'hds-button hds-button--size-medium hds-button--color-primary',
+      'renders primary confirm button'
+    );
+    assert.dom(SELECTORS.title).hasText('Do this?', 'renders passed title');
+    assert.dom(SELECTORS.message).hasText('Are you really, really sure?', 'renders passed body text');
+    assert.dom(SELECTORS.confirm).hasText('Confirm');
+  });
+});
diff --git a/command/kv_put.go b/command/kv_put.go
index d450b4415ccc..2c22eedd8ea8 100644
--- a/command/kv_put.go
+++ b/command/kv_put.go
@@ -1,235 +1,68 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"io"
-	"os"
-	"path"
-	"strings"
-
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*KVPutCommand)(nil)
-	_ cli.CommandAutocomplete = (*KVPutCommand)(nil)
-)
-
-type KVPutCommand struct {
-	*BaseCommand
-
-	flagCAS   int
-	flagMount string
-	testStdin io.Reader // for tests
-}
-
-func (c *KVPutCommand) Synopsis() string {
-	return "Sets or updates data in the KV store"
-}
-
-func (c *KVPutCommand) Help() string {
-	helpText := `
-Usage: vault kv put [options] KEY [DATA]
-
-  Writes the data to the given path in the key-value store. The data can be of
-  any type.
-
-      $ vault kv put -mount=secret foo bar=baz
-
-  The deprecated path-like syntax can also be used, but this should be avoided 
-  for KV v2, as the fact that it is not actually the full API path to 
-  the secret (secret/data/foo) can cause confusion: 
-  
-      $ vault kv put secret/foo bar=baz
-
-  The data can also be consumed from a file on disk by prefixing with the "@"
-  symbol. For example:
-
-      $ vault kv put -mount=secret foo @data.json
-
-  Or it can be read from stdin using the "-" symbol:
-
-      $ echo "abcd1234" | vault kv put -mount=secret foo bar=-
-
-  To perform a Check-And-Set operation, specify the -cas flag with the
-  appropriate version number corresponding to the key you want to perform
-  the CAS operation on:
-
-      $ vault kv put -mount=secret -cas=1 foo bar=baz
-
-  Additional flags and more advanced use cases are detailed below.
-
-` + c.Flags().Help()
-	return strings.TrimSpace(helpText)
-}
-
-func (c *KVPutCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
-
-	// Common Options
-	f := set.NewFlagSet("Common Options")
-
-	f.IntVar(&IntVar{
-		Name:    "cas",
-		Target:  &c.flagCAS,
-		Default: -1,
-		Usage: `Specifies to use a Check-And-Set operation. If not set the write
-		will be allowed. If set to 0 a write will only be allowed if the key
-		doesn’t exist. If the index is non-zero the write will only be allowed
-		if the key’s current version matches the version specified in the cas
-		parameter.`,
-	})
-
-	f.StringVar(&StringVar{
-		Name:    "mount",
-		Target:  &c.flagMount,
-		Default: "", // no default, because the handling of the next arg is determined by whether this flag has a value
-		Usage: `Specifies the path where the KV backend is mounted. If specified, 
-		the next argument will be interpreted as the secret path. If this flag is 
-		not specified, the next argument will be interpreted as the combined mount 
-		path and secret path, with /data/ automatically appended between KV 
-		v2 secrets.`,
-	})
-
-	return set
-}
-
-func (c *KVPutCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultFolders()
-}
-
-func (c *KVPutCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *KVPutCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	// Pull our fake stdin if needed
-	stdin := (io.Reader)(os.Stdin)
-	if c.testStdin != nil {
-		stdin = c.testStdin
-	}
-
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected >1, got %d)", len(args)))
-		return 1
-	case len(args) == 1:
-		c.UI.Error("Must supply data")
-		return 1
-	}
-
-	var err error
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	data, err := parseArgsData(stdin, args[1:])
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Failed to parse K=V data: %s", err))
-		return 1
-	}
-
-	// If true, we're working with "-mount=secret foo" syntax.
-	// If false, we're using "secret/foo" syntax.
-	mountFlagSyntax := c.flagMount != ""
-
-	var (
-		mountPath   string
-		partialPath string
-		v2          bool
-	)
-
-	// Parse the paths and grab the KV version
-	if mountFlagSyntax {
-		// In this case, this arg is the secret path (e.g. "foo").
-		partialPath = sanitizePath(args[0])
-		mountPath, v2, err = isKVv2(sanitizePath(c.flagMount), client)
-		if err != nil {
-			c.UI.Error(err.Error())
-			return 2
-		}
-
-		if v2 {
-			partialPath = path.Join(mountPath, partialPath)
-		}
-	} else {
-		// In this case, this arg is a path-like combination of mountPath/secretPath.
-		// (e.g. "secret/foo")
-		partialPath = sanitizePath(args[0])
-		mountPath, v2, err = isKVv2(partialPath, client)
-		if err != nil {
-			c.UI.Error(err.Error())
-			return 2
-		}
-	}
-
-	// Add /data to v2 paths only
-	var fullPath string
-	if v2 {
-		fullPath = addPrefixToKVPath(partialPath, mountPath, "data", false)
-		data = map[string]interface{}{
-			"data":    data,
-			"options": map[string]interface{}{},
-		}
-
-		if c.flagCAS > -1 {
-			data["options"].(map[string]interface{})["cas"] = c.flagCAS
-		}
-	} else {
-		// v1
-		if mountFlagSyntax {
-			fullPath = path.Join(mountPath, partialPath)
-		} else {
-			fullPath = partialPath
-		}
-	}
-
-	secret, err := client.Logical().Write(fullPath, data)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error writing data to %s: %s", fullPath, err))
-		if secret != nil {
-			OutputSecret(c.UI, secret)
-		}
-		return 2
-	}
-	if secret == nil {
-		// Don't output anything unless using the "table" format
-		if Format(c.UI) == "table" {
-			c.UI.Info(fmt.Sprintf("Success! Data written to: %s", fullPath))
-		}
-		return 0
-	}
-
-	if c.flagField != "" {
-		return PrintRawField(c.UI, secret, c.flagField)
-	}
-
-	// If the secret is wrapped, return the wrapped response.
-	if secret.WrapInfo != nil && secret.WrapInfo.TTL != 0 {
-		return OutputSecret(c.UI, secret)
-	}
-
-	if Format(c.UI) == "table" {
-		outputPath(c.UI, fullPath, "Secret Path")
-		metadata := secret.Data
-		c.UI.Info(getHeaderForMap("Metadata", metadata))
-		return OutputData(c.UI, metadata)
-	}
-
-	return OutputSecret(c.UI, secret)
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+{{#if @isInDropdown}}
+  {{! Hds component renders <li> and <button> elements }}
+  <Hds::Dropdown::ListItem::Interactive
+    data-test-confirm-action-trigger
+    @text={{@buttonText}}
+    @color="critical"
+    {{on "click" (fn (mut this.showConfirmModal) true)}}
+    ...attributes
+    {{! remove class when dropdown/popup menus are replaced with Hds::Dropdown }}
+    class="hds-confirm-action-critical"
+  />
+{{else}}
+  <Hds::Button
+    data-test-confirm-action-trigger
+    @text={{@buttonText}}
+    @color={{@buttonColor}}
+    {{on "click" (fn (mut this.showConfirmModal) true)}}
+    ...attributes
+  />
+{{/if}}
+
+{{#if this.showConfirmModal}}
+  <Hds::Modal
+    id="confirm-action-modal"
+    class="has-text-left"
+    @color={{this.modalColor}}
+    @size="small"
+    @onClose={{fn (mut this.showConfirmModal) false}}
+    as |M|
+  >
+    {{#if @disabledMessage}}
+      <M.Header data-test-confirm-action-title @icon="x-circle">
+        Not allowed
+      </M.Header>
+      <M.Body data-test-confirm-action-message>
+        {{@disabledMessage}}
+      </M.Body>
+      <M.Footer as |F|>
+        <Hds::Button data-test-confirm-cancel-button @text="Close" {{on "click" F.close}} />
+      </M.Footer>
+    {{else}}
+      <M.Header data-test-confirm-action-title @icon="alert-circle">
+        {{or @confirmTitle "Are you sure?"}}
+      </M.Header>
+      <M.Body data-test-confirm-action-message>
+        {{this.confirmMessage}}
+      </M.Body>
+      <M.Footer as |F|>
+        <Hds::ButtonSet>
+          <Hds::Button
+            data-test-confirm-button
+            disabled={{@isRunning}}
+            @icon={{if @isRunning "loading"}}
+            @color={{if (eq this.modalColor "critical") "critical" "primary"}}
+            @text="Confirm"
+            {{on "click" this.onConfirm}}
+          />
+          <Hds::Button data-test-confirm-cancel-button @color="secondary" @text="Cancel" {{on "click" F.close}} />
+        </Hds::ButtonSet>
+      </M.Footer>
+    {{/if}}
+  </Hds::Modal>
+{{/if}}
\ No newline at end of file
diff --git a/command/kv_rollback.go b/command/kv_rollback.go
index 798e4a898846..4e8f9bea5252 100644
--- a/command/kv_rollback.go
+++ b/command/kv_rollback.go
@@ -1,294 +1,46 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"flag"
-	"fmt"
-	"path"
-	"strings"
-
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*KVRollbackCommand)(nil)
-	_ cli.CommandAutocomplete = (*KVRollbackCommand)(nil)
-)
-
-type KVRollbackCommand struct {
-	*BaseCommand
-
-	flagVersion int
-	flagMount   string
-}
-
-func (c *KVRollbackCommand) Synopsis() string {
-	return "Rolls back to a previous version of data"
-}
-
-func (c *KVRollbackCommand) Help() string {
-	helpText := `
-Usage: vault kv rollback [options] KEY
-
-  *NOTE*: This is only supported for KV v2 engine mounts.
-
-  Restores a given previous version to the current version at the given path.
-  The value is written as a new version; for instance, if the current version
-  is 5 and the rollback version is 2, the data from version 2 will become
-  version 6.
-
-      $ vault kv rollback -mount=secret -version=2 foo
-
-  The deprecated path-like syntax can also be used, but this should be avoided, 
-  as the fact that it is not actually the full API path to 
-  the secret (secret/data/foo) can cause confusion: 
-  
-      $ vault kv rollback -version=2 secret/foo
-
-  Additional flags and more advanced use cases are detailed below.
-
-` + c.Flags().Help()
-	return strings.TrimSpace(helpText)
-}
-
-func (c *KVRollbackCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-
-	// Common Options
-	f := set.NewFlagSet("Common Options")
-
-	f.IntVar(&IntVar{
-		Name:   "version",
-		Target: &c.flagVersion,
-		Usage:  `Specifies the version number that should be made current again.`,
-	})
-
-	f.StringVar(&StringVar{
-		Name:    "mount",
-		Target:  &c.flagMount,
-		Default: "", // no default, because the handling of the next arg is determined by whether this flag has a value
-		Usage: `Specifies the path where the KV backend is mounted. If specified, 
-		the next argument will be interpreted as the secret path. If this flag is 
-		not specified, the next argument will be interpreted as the combined mount 
-		path and secret path, with /data/ automatically appended between KV 
-		v2 secrets.`,
-	})
-
-	return set
-}
-
-func (c *KVRollbackCommand) AutocompleteArgs() complete.Predictor {
-	return nil
-}
-
-func (c *KVRollbackCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *KVRollbackCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	var version *int
-	f.Visit(func(fl *flag.Flag) {
-		if fl.Name == "version" {
-			version = &c.flagVersion
-		}
-	})
-
-	args = f.Args()
-
-	switch {
-	case len(args) != 1:
-		c.UI.Error(fmt.Sprintf("Invalid number of arguments (expected 1, got %d)", len(args)))
-		return 1
-	case version == nil:
-		c.UI.Error("Version flag must be specified")
-		return 1
-	case c.flagVersion <= 0:
-		c.UI.Error(fmt.Sprintf("Invalid value %d for the version flag", c.flagVersion))
-		return 1
-	}
-
-	var err error
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	// If true, we're working with "-mount=secret foo" syntax.
-	// If false, we're using "secret/foo" syntax.
-	mountFlagSyntax := c.flagMount != ""
-
-	var (
-		mountPath   string
-		partialPath string
-		v2          bool
-	)
-
-	// Parse the paths and grab the KV version
-	if mountFlagSyntax {
-		// In this case, this arg is the secret path (e.g. "foo").
-		partialPath = sanitizePath(args[0])
-		mountPath, v2, err = isKVv2(sanitizePath(c.flagMount), client)
-		if err != nil {
-			c.UI.Error(err.Error())
-			return 2
-		}
-
-		if v2 {
-			partialPath = path.Join(mountPath, partialPath)
-		}
-	} else {
-		// In this case, this arg is a path-like combination of mountPath/secretPath.
-		// (e.g. "secret/foo")
-		partialPath = sanitizePath(args[0])
-		mountPath, v2, err = isKVv2(partialPath, client)
-		if err != nil {
-			c.UI.Error(err.Error())
-			return 2
-		}
-	}
-
-	if !v2 {
-		c.UI.Error("K/V engine mount must be version 2 for rollback support")
-		return 2
-	}
-
-	fullPath := addPrefixToKVPath(partialPath, mountPath, "data", false)
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	// First, do a read to get the current version for check-and-set
-	var meta map[string]interface{}
-	{
-		secret, err := kvReadRequest(client, fullPath, nil)
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error doing pre-read at %s: %s", fullPath, err))
-			return 2
-		}
-
-		// Make sure a value already exists
-		if secret == nil || secret.Data == nil {
-			c.UI.Error(fmt.Sprintf("No value found at %s", fullPath))
-			return 2
-		}
-
-		// Verify metadata found
-		rawMeta, ok := secret.Data["metadata"]
-		if !ok || rawMeta == nil {
-			c.UI.Error(fmt.Sprintf("No metadata found at %s; rollback only works on existing data", fullPath))
-			return 2
-		}
-		meta, ok = rawMeta.(map[string]interface{})
-		if !ok {
-			c.UI.Error(fmt.Sprintf("Metadata found at %s is not the expected type (JSON object)", fullPath))
-			return 2
-		}
-		if meta == nil {
-			c.UI.Error(fmt.Sprintf("No metadata found at %s; rollback only works on existing data", fullPath))
-			return 2
-		}
-	}
-
-	casVersion := meta["version"]
-
-	// Set the version parameter
-	versionParam := map[string]string{
-		"version": fmt.Sprintf("%d", c.flagVersion),
-	}
-
-	// Now run it again and read the version we want to roll back to
-	var data map[string]interface{}
-	{
-		secret, err := kvReadRequest(client, fullPath, versionParam)
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error doing pre-read at %s: %s", fullPath, err))
-			return 2
-		}
-
-		// Make sure a value already exists
-		if secret == nil || secret.Data == nil {
-			c.UI.Error(fmt.Sprintf("No value found at %s", fullPath))
-			return 2
-		}
-
-		// Verify metadata found
-		rawMeta, ok := secret.Data["metadata"]
-		if !ok || rawMeta == nil {
-			c.UI.Error(fmt.Sprintf("No metadata found at %s; rollback only works on existing data", fullPath))
-			return 2
-		}
-		meta, ok := rawMeta.(map[string]interface{})
-		if !ok {
-			c.UI.Error(fmt.Sprintf("Metadata found at %s is not the expected type (JSON object)", fullPath))
-			return 2
-		}
-		if meta == nil {
-			c.UI.Error(fmt.Sprintf("No metadata found at %s; rollback only works on existing data", fullPath))
-			return 2
-		}
-
-		// Verify it hasn't been deleted
-		if meta["deletion_time"] != nil && meta["deletion_time"].(string) != "" {
-			c.UI.Error("Cannot roll back to a version that has been deleted")
-			return 2
-		}
-
-		if meta["destroyed"] != nil && meta["destroyed"].(bool) {
-			c.UI.Error("Cannot roll back to a version that has been destroyed")
-			return 2
-		}
-
-		// Verify old data found
-		rawData, ok := secret.Data["data"]
-		if !ok || rawData == nil {
-			c.UI.Error(fmt.Sprintf("No data found at %s; rollback only works on existing data", fullPath))
-			return 2
-		}
-		data, ok = rawData.(map[string]interface{})
-		if !ok {
-			c.UI.Error(fmt.Sprintf("Data found at %s is not the expected type (JSON object)", fullPath))
-			return 2
-		}
-		if data == nil {
-			c.UI.Error(fmt.Sprintf("No data found at %s; rollback only works on existing data", fullPath))
-			return 2
-		}
-	}
-
-	secret, err := client.Logical().Write(fullPath, map[string]interface{}{
-		"data": data,
-		"options": map[string]interface{}{
-			"cas": casVersion,
-		},
-	})
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error writing data to %s: %s", fullPath, err))
-		return 2
-	}
-	if secret == nil {
-		// Don't output anything unless using the "table" format
-		if Format(c.UI) == "table" {
-			c.UI.Info(fmt.Sprintf("Success! Data written to: %s", fullPath))
-		}
-		return 0
-	}
-
-	if c.flagField != "" {
-		return PrintRawField(c.UI, secret, c.flagField)
-	}
-
-	return OutputSecret(c.UI, secret)
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+{{#if @isActive}}
+  <Hds::Modal id="confirmation-modal" @onClose={{@onClose}} @color="critical" as |M|>
+    <M.Header data-test-confirmation-modal-title @icon="alert-triangle">
+      {{@title}}
+    </M.Header>
+    <M.Body>
+      {{yield}}
+      <div class="has-top-padding-m">
+        <p class="has-text-weight-semibold is-size-6">
+          Confirm
+        </p>
+        <p class="sub-text has-top-bottom-margin-xxs">Type
+          <strong>{{this.confirmText}}</strong>
+          to confirm
+          {{@toConfirmMsg}}
+        </p>
+        <Input
+          @type="text"
+          @value={{this.confirmationInput}}
+          name="confirmationInput"
+          class="input has-margin-top"
+          autocomplete="off"
+          spellcheck="false"
+          data-test-confirmation-modal-input={{@title}}
+        />
+      </div>
+    </M.Body>
+    <M.Footer>
+      <Hds::ButtonSet>
+        <Hds::Button
+          @color="critical"
+          disabled={{not-eq this.confirmationInput this.confirmText}}
+          {{on "click" @onConfirm}}
+          data-test-confirm-button={{@title}}
+          @text={{or @buttonText "Confirm"}}
+        />
+        <Hds::Button @text="Cancel" @color="secondary" {{on "click" @onClose}} data-test-cancel-button />
+      </Hds::ButtonSet>
+    </M.Footer>
+  </Hds::Modal>
+{{/if}}
\ No newline at end of file
diff --git a/command/kv_test.go b/command/kv_test.go
index e8abba0b1d56..ccc7494a281c 100644
--- a/command/kv_test.go
+++ b/command/kv_test.go
@@ -1,1696 +1,50 @@
 // Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
+// SPDX-License-Identifier: MPL-2.0
 
-package command
+package consts
 
-import (
-	"context"
-	"fmt"
-	"io"
-	"strings"
-	"testing"
-	"time"
+const (
+	// ExpirationRestoreWorkerCount specifies the number of workers to use while
+	// restoring leases into the expiration manager
+	ExpirationRestoreWorkerCount = 64
 
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-)
-
-func testKVPutCommand(tb testing.TB) (*cli.MockUi, *KVPutCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &KVPutCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func retryKVCommand(t *testing.T, cmdFunc func() (int, string)) (int, string) {
-	t.Helper()
-
-	var code int
-	var combined string
-
-	// Loop until return message does not indicate upgrade, or timeout.
-	timeout := time.After(20 * time.Second)
-	ticker := time.Tick(time.Second)
-
-	for {
-		select {
-		case <-timeout:
-			t.Errorf("timeout expired waiting for upgrade: %q", combined)
-			return code, combined
-		case <-ticker:
-			code, combined = cmdFunc()
-
-			// This is an error if a v1 mount, but test case doesn't
-			// currently contain the information to know the difference.
-			if !strings.Contains(combined, "Upgrading from non-versioned to versioned") {
-				return code, combined
-			}
-		}
-	}
-}
-
-func kvPutWithRetry(t *testing.T, client *api.Client, args []string) (int, string) {
-	t.Helper()
-
-	return retryKVCommand(t, func() (int, string) {
-		ui, cmd := testKVPutCommand(t)
-		cmd.client = client
-
-		code := cmd.Run(args)
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-
-		return code, combined
-	})
-}
-
-func kvPatchWithRetry(t *testing.T, client *api.Client, args []string, stdin *io.PipeReader) (int, string) {
-	t.Helper()
-
-	return retryKVCommand(t, func() (int, string) {
-		ui, cmd := testKVPatchCommand(t)
-		cmd.client = client
-
-		if stdin != nil {
-			cmd.testStdin = stdin
-		}
-
-		code := cmd.Run(args)
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-
-		return code, combined
-	})
-}
-
-func TestKVPutCommand(t *testing.T) {
-	t.Parallel()
-
-	v2ExpectedFields := []string{"created_time", "custom_metadata", "deletion_time", "deletion_time", "version"}
-
-	cases := []struct {
-		name       string
-		args       []string
-		outStrings []string
-		code       int
-	}{
-		{
-			"not_enough_args",
-			[]string{},
-			[]string{"Not enough arguments"},
-			1,
-		},
-		{
-			"empty_kvs",
-			[]string{"secret/write/foo"},
-			[]string{"Must supply data"},
-			1,
-		},
-		{
-			"kvs_no_value",
-			[]string{"secret/write/foo", "foo"},
-			[]string{"Failed to parse K=V data"},
-			1,
-		},
-		{
-			"single_value",
-			[]string{"secret/write/foo", "foo=bar"},
-			[]string{"Success!"},
-			0,
-		},
-		{
-			"multi_value",
-			[]string{"secret/write/foo", "foo=bar", "zip=zap"},
-			[]string{"Success!"},
-			0,
-		},
-		{
-			"v1_mount_flag_syntax",
-			[]string{"-mount", "secret", "write/foo", "foo=bar"},
-			[]string{"Success!"},
-			0,
-		},
-		{
-			"v1_mount_flag_syntax_key_same_as_mount",
-			[]string{"-mount", "secret", "secret", "foo=bar"},
-			[]string{"Success!"},
-			0,
-		},
-		{
-			"v2_single_value",
-			[]string{"kv/write/foo", "foo=bar"},
-			v2ExpectedFields,
-			0,
-		},
-		{
-			"v2_multi_value",
-			[]string{"kv/write/foo", "foo=bar", "zip=zap"},
-			v2ExpectedFields,
-			0,
-		},
-		{
-			"v2_secret_path",
-			[]string{"kv/write/foo", "foo=bar"},
-			[]string{"== Secret Path ==", "kv/data/write/foo"},
-			0,
-		},
-		{
-			"v2_mount_flag_syntax",
-			[]string{"-mount", "kv", "write/foo", "foo=bar"},
-			v2ExpectedFields,
-			0,
-		},
-		{
-			"v2_mount_flag_syntax_key_same_as_mount",
-			[]string{"-mount", "kv", "kv", "foo=bar"},
-			v2ExpectedFields,
-			0,
-		},
-		{
-			"v2_single_value_backslash",
-			[]string{"kv/write/foo", "foo=\\"},
-			[]string{"== Secret Path ==", "kv/data/write/foo"},
-			0,
-		},
-	}
-
-	for _, tc := range cases {
-		tc := tc
-
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			client, closer := testVaultServer(t)
-			defer closer()
-
-			if err := client.Sys().Mount("kv/", &api.MountInput{
-				Type: "kv-v2",
-			}); err != nil {
-				t.Fatal(err)
-			}
-
-			code, combined := kvPutWithRetry(t, client, tc.args)
-			if code != tc.code {
-				t.Errorf("expected %d to be %d", code, tc.code)
-			}
-
-			for _, str := range tc.outStrings {
-				if !strings.Contains(combined, str) {
-					t.Errorf("expected %q to contain %q", combined, str)
-				}
-			}
-		})
-	}
-
-	t.Run("v2_cas", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		if err := client.Sys().Mount("kv/", &api.MountInput{
-			Type: "kv-v2",
-		}); err != nil {
-			t.Fatal(err)
-		}
-
-		// Only have to potentially retry the first time.
-		code, combined := kvPutWithRetry(t, client, []string{
-			"-cas", "0", "kv/write/cas", "bar=baz",
-		})
-		if code != 0 {
-			t.Fatalf("expected 0 to be %d", code)
-		}
-
-		for _, str := range v2ExpectedFields {
-			if !strings.Contains(combined, str) {
-				t.Errorf("expected %q to contain %q", combined, str)
-			}
-		}
-
-		ui, cmd := testKVPutCommand(t)
-		cmd.client = client
-		code = cmd.Run([]string{
-			"-cas", "1", "kv/write/cas", "bar=baz",
-		})
-		if code != 0 {
-			t.Fatalf("expected 0 to be %d", code)
-		}
-		combined = ui.OutputWriter.String() + ui.ErrorWriter.String()
-
-		for _, str := range v2ExpectedFields {
-			if !strings.Contains(combined, str) {
-				t.Errorf("expected %q to contain %q", combined, str)
-			}
-		}
-
-		ui, cmd = testKVPutCommand(t)
-		cmd.client = client
-		code = cmd.Run([]string{
-			"-cas", "1", "kv/write/cas", "bar=baz",
-		})
-		if code != 2 {
-			t.Fatalf("expected 2 to be %d", code)
-		}
-		combined = ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, "check-and-set parameter did not match the current version") {
-			t.Errorf("expected %q to contain %q", combined, "check-and-set parameter did not match the current version")
-		}
-	})
-
-	t.Run("v1_data", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		ui, cmd := testKVPutCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"secret/write/data", "bar=baz",
-		})
-		if code != 0 {
-			t.Fatalf("expected 0 to be %d", code)
-		}
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, "Success!") {
-			t.Errorf("expected %q to contain %q", combined, "created_time")
-		}
-
-		ui, rcmd := testReadCommand(t)
-		rcmd.client = client
-		code = rcmd.Run([]string{
-			"secret/write/data",
-		})
-		if code != 0 {
-			t.Fatalf("expected 0 to be %d", code)
-		}
-		combined = ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if strings.Contains(combined, "data") {
-			t.Errorf("expected %q not to contain %q", combined, "data")
-		}
-	})
-
-	t.Run("stdin_full", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		stdinR, stdinW := io.Pipe()
-		go func() {
-			stdinW.Write([]byte(`{"foo":"bar"}`))
-			stdinW.Close()
-		}()
-
-		_, cmd := testKVPutCommand(t)
-		cmd.client = client
-		cmd.testStdin = stdinR
-
-		code := cmd.Run([]string{
-			"secret/write/stdin_full", "-",
-		})
-		if code != 0 {
-			t.Fatalf("expected 0 to be %d", code)
-		}
-
-		secret, err := client.Logical().Read("secret/write/stdin_full")
-		if err != nil {
-			t.Fatal(err)
-		}
-		if secret == nil || secret.Data == nil {
-			t.Fatal("expected secret to have data")
-		}
-		if exp, act := "bar", secret.Data["foo"].(string); exp != act {
-			t.Errorf("expected %q to be %q", act, exp)
-		}
-	})
-
-	t.Run("stdin_value", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		stdinR, stdinW := io.Pipe()
-		go func() {
-			stdinW.Write([]byte("bar"))
-			stdinW.Close()
-		}()
-
-		_, cmd := testKVPutCommand(t)
-		cmd.client = client
-		cmd.testStdin = stdinR
-
-		code := cmd.Run([]string{
-			"secret/write/stdin_value", "foo=-",
-		})
-		if code != 0 {
-			t.Fatalf("expected 0 to be %d", code)
-		}
-
-		secret, err := client.Logical().Read("secret/write/stdin_value")
-		if err != nil {
-			t.Fatal(err)
-		}
-		if secret == nil || secret.Data == nil {
-			t.Fatal("expected secret to have data")
-		}
-		if exp, act := "bar", secret.Data["foo"].(string); exp != act {
-			t.Errorf("expected %q to be %q", act, exp)
-		}
-	})
-
-	t.Run("integration", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		_, cmd := testKVPutCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"secret/write/integration", "foo=bar", "zip=zap",
-		})
-		if code != 0 {
-			t.Fatalf("expected 0 to be %d", code)
-		}
-
-		secret, err := client.Logical().Read("secret/write/integration")
-		if err != nil {
-			t.Fatal(err)
-		}
-		if secret == nil || secret.Data == nil {
-			t.Fatal("expected secret to have data")
-		}
-		if exp, act := "bar", secret.Data["foo"].(string); exp != act {
-			t.Errorf("expected %q to be %q", act, exp)
-		}
-		if exp, act := "zap", secret.Data["zip"].(string); exp != act {
-			t.Errorf("expected %q to be %q", act, exp)
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testKVPutCommand(t)
-		assertNoTabs(t, cmd)
-	})
-}
-
-func testKVGetCommand(tb testing.TB) (*cli.MockUi, *KVGetCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &KVGetCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestKVGetCommand(t *testing.T) {
-	t.Parallel()
-
-	baseV2ExpectedFields := []string{"created_time", "custom_metadata", "deletion_time", "deletion_time", "version"}
-
-	cases := []struct {
-		name       string
-		args       []string
-		outStrings []string
-		code       int
-	}{
-		{
-			"not_enough_args",
-			[]string{},
-			[]string{"Not enough arguments"},
-			1,
-		},
-		{
-			"too_many_args",
-			[]string{"foo", "bar"},
-			[]string{"Too many arguments"},
-			1,
-		},
-		{
-			"not_found",
-			[]string{"secret/nope/not/once/never"},
-			[]string{"No value found at secret/nope/not/once/never"},
-			2,
-		},
-		{
-			"default",
-			[]string{"secret/read/foo"},
-			[]string{"foo"},
-			0,
-		},
-		{
-			"v1_field",
-			[]string{"-field", "foo", "secret/read/foo"},
-			[]string{"bar"},
-			0,
-		},
-		{
-			"v1_mount_flag_syntax",
-			[]string{"-mount", "secret", "read/foo"},
-			[]string{"foo"},
-			0,
-		},
-		{
-			"v2_field",
-			[]string{"-field", "foo", "kv/read/foo"},
-			[]string{"bar"},
-			0,
-		},
-		{
-			"v2_mount_flag_syntax",
-			[]string{"-mount", "kv", "read/foo"},
-			append(baseV2ExpectedFields, "foo"),
-			0,
-		},
-		{
-			"v2_mount_flag_syntax_leading_slash",
-			[]string{"-mount", "kv", "/read/foo"},
-			append(baseV2ExpectedFields, "foo"),
-			0,
-		},
-		{
-			"v1_mount_flag_syntax_key_same_as_mount",
-			[]string{"-mount", "kv", "kv"},
-			append(baseV2ExpectedFields, "foo"),
-			0,
-		},
-		{
-			"v2_mount_flag_syntax_key_same_as_mount",
-			[]string{"-mount", "kv", "kv"},
-			append(baseV2ExpectedFields, "foo"),
-			0,
-		},
-		{
-			"v2_not_found",
-			[]string{"kv/nope/not/once/never"},
-			[]string{"No value found at kv/data/nope/not/once/never"},
-			2,
-		},
-		{
-			"v2_read",
-			[]string{"kv/read/foo"},
-			append(baseV2ExpectedFields, "foo"),
-			0,
-		},
-		{
-			"v2_read_leading_slash",
-			[]string{"/kv/read/foo"},
-			append(baseV2ExpectedFields, "foo"),
-			0,
-		},
-		{
-			"v2_read_version",
-			[]string{"--version", "1", "kv/read/foo"},
-			append(baseV2ExpectedFields, "foo"),
-			0,
-		},
-	}
-
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, tc := range cases {
-			tc := tc
-
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
-
-				client, closer := testVaultServer(t)
-				defer closer()
-				if err := client.Sys().Mount("kv/", &api.MountInput{
-					Type: "kv-v2",
-				}); err != nil {
-					t.Fatal(err)
-				}
-
-				// Give time for the upgrade code to run/finish
-				time.Sleep(time.Second)
-
-				if _, err := client.Logical().Write("secret/read/foo", map[string]interface{}{
-					"foo": "bar",
-				}); err != nil {
-					t.Fatal(err)
-				}
-
-				if _, err := client.Logical().Write("kv/data/read/foo", map[string]interface{}{
-					"data": map[string]interface{}{
-						"foo": "bar",
-					},
-				}); err != nil {
-					t.Fatal(err)
-				}
-
-				// create KV entries to test -mount flag where secret key is same as mount path
-				if _, err := client.Logical().Write("secret/secret", map[string]interface{}{
-					"foo": "bar",
-				}); err != nil {
-					t.Fatal(err)
-				}
-
-				if _, err := client.Logical().Write("kv/data/kv", map[string]interface{}{
-					"data": map[string]interface{}{
-						"foo": "bar",
-					},
-				}); err != nil {
-					t.Fatal(err)
-				}
-
-				ui, cmd := testKVGetCommand(t)
-				cmd.client = client
-
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-
-				for _, str := range tc.outStrings {
-					if !strings.Contains(combined, str) {
-						t.Errorf("expected %q to contain %q", combined, str)
-					}
-				}
-			})
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testKVGetCommand(t)
-		assertNoTabs(t, cmd)
-	})
-}
-
-func testKVListCommand(tb testing.TB) (*cli.MockUi, *KVListCommand) {
-	tb.Helper()
-	ui := cli.NewMockUi()
-	cmd := &KVListCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-
-	return ui, cmd
-}
-
-// TestKVListCommand runs tests for `vault kv list`
-func TestKVListCommand(t *testing.T) {
-	testCases := []struct {
-		name       string
-		args       []string
-		outStrings []string
-		code       int
-	}{
-		{
-			name:       "default",
-			args:       []string{"kv/my-prefix"},
-			outStrings: []string{"secret-0", "secret-1", "secret-2"},
-			code:       0,
-		},
-		{
-			name:       "not_enough_args",
-			args:       []string{},
-			outStrings: []string{"Not enough arguments"},
-			code:       1,
-		},
-		{
-			name:       "v2_default_with_mount",
-			args:       []string{"-mount", "kv", "my-prefix"},
-			outStrings: []string{"secret-0", "secret-1", "secret-2"},
-			code:       0,
-		},
-		{
-			name:       "v1_default_with_mount",
-			args:       []string{"kv/my-prefix"},
-			outStrings: []string{"secret-0", "secret-1", "secret-2"},
-			code:       0,
-		},
-		{
-			name:       "v2_not_found",
-			args:       []string{"kv/nope/not/once/never"},
-			outStrings: []string{"No value found at kv/metadata/nope/not/once/never"},
-			code:       2,
-		},
-		{
-			name:       "v1_mount_only",
-			args:       []string{"kv"},
-			outStrings: []string{"my-prefix"},
-			code:       0,
-		},
-		{
-			name:       "v2_mount_only",
-			args:       []string{"-mount", "kv"},
-			outStrings: []string{"my-prefix"},
-			code:       0,
-		},
-		{
-			// this is behavior that should be tested
-			// `kv` here is an explicit mount
-			// `my-prefix` is not
-			// the current kv code will ignore `my-prefix`
-			name:       "ignore_multi_part_mounts",
-			args:       []string{"-mount", "kv/my-prefix"},
-			outStrings: []string{"my-prefix"},
-			code:       0,
-		},
-	}
-
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, testCase := range testCases {
-			testCase := testCase
-
-			t.Run(testCase.name, func(t *testing.T) {
-				t.Parallel()
-
-				// test setup
-				client, closer := testVaultServer(t)
-				defer closer()
-
-				// enable kv-v2 backend
-				if err := client.Sys().Mount("kv/", &api.MountInput{
-					Type: "kv-v2",
-				}); err != nil {
-					t.Fatal(err)
-				}
-				time.Sleep(time.Second)
-
-				ctx := context.Background()
-				for i := 0; i < 3; i++ {
-					path := fmt.Sprintf("my-prefix/secret-%d", i)
-					_, err := client.KVv2("kv/").Put(ctx, path, map[string]interface{}{
-						"foo": "bar",
-					})
-					if err != nil {
-						t.Fatal(err)
-					}
-				}
-
-				ui, cmd := testKVListCommand(t)
-				cmd.client = client
-
-				code := cmd.Run(testCase.args)
-				if code != testCase.code {
-					t.Errorf("expected %d to be %d", code, testCase.code)
-				}
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				for _, str := range testCase.outStrings {
-					if !strings.Contains(combined, str) {
-						t.Errorf("expected %q to contain %q", combined, str)
-					}
-				}
-			})
-		}
-	})
-}
-
-func testKVMetadataGetCommand(tb testing.TB) (*cli.MockUi, *KVMetadataGetCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &KVMetadataGetCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestKVMetadataGetCommand(t *testing.T) {
-	t.Parallel()
-
-	expectedTopLevelFields := []string{
-		"cas_required",
-		"created_time",
-		"current_version",
-		"custom_metadata",
-		"delete_version_after",
-		"max_versions",
-		"oldest_version",
-		"updated_time",
-	}
-
-	expectedVersionFields := []string{
-		"created_time", // field is redundant
-		"deletion_time",
-		"destroyed",
-	}
-
-	cases := []struct {
-		name       string
-		args       []string
-		outStrings []string
-		code       int
-	}{
-		{
-			"v1",
-			[]string{"secret/foo"},
-			[]string{"Metadata not supported on KV Version 1"},
-			1,
-		},
-		{
-			"metadata_exists",
-			[]string{"kv/foo"},
-			expectedTopLevelFields,
-			0,
-		},
-		// ensure that all top-level and version-level fields are output along with version num
-		{
-			"versions_exist",
-			[]string{"kv/foo"},
-			append(expectedTopLevelFields, expectedVersionFields[:]...),
-			0,
-		},
-		{
-			"mount_flag_syntax",
-			[]string{"-mount", "kv", "foo"},
-			expectedTopLevelFields,
-			0,
-		},
-		{
-			"mount_flag_syntax_key_same_as_mount",
-			[]string{"-mount", "kv", "kv"},
-			expectedTopLevelFields,
-			0,
-		},
-	}
-
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, tc := range cases {
-			tc := tc
-
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
-
-				client, closer := testVaultServer(t)
-				defer closer()
-				if err := client.Sys().Mount("kv/", &api.MountInput{
-					Type: "kv-v2",
-				}); err != nil {
-					t.Fatal(err)
-				}
-
-				// Give time for the upgrade code to run/finish
-				time.Sleep(time.Second)
-
-				if _, err := client.Logical().Write("kv/data/foo", map[string]interface{}{
-					"data": map[string]interface{}{
-						"foo": "bar",
-					},
-				}); err != nil {
-					t.Fatal(err)
-				}
-
-				// create KV entry to test -mount flag where secret key is same as mount path
-				if _, err := client.Logical().Write("kv/data/kv", map[string]interface{}{
-					"data": map[string]interface{}{
-						"foo": "bar",
-					},
-				}); err != nil {
-					t.Fatal(err)
-				}
-
-				ui, cmd := testKVMetadataGetCommand(t)
-				cmd.client = client
-
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				for _, str := range tc.outStrings {
-					if !strings.Contains(combined, str) {
-						t.Errorf("expected %q to contain %q", combined, str)
-					}
-				}
-			})
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testKVMetadataGetCommand(t)
-		assertNoTabs(t, cmd)
-	})
-}
-
-func testKVPatchCommand(tb testing.TB) (*cli.MockUi, *KVPatchCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &KVPatchCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestKVPatchCommand_ArgValidation(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"not_enough_args",
-			[]string{},
-			"Not enough arguments",
-			1,
-		},
-		{
-			"empty_kvs",
-			[]string{"kv/patch/foo"},
-			"Must supply data",
-			1,
-		},
-		{
-			"kvs_no_value",
-			[]string{"kv/patch/foo", "foo"},
-			"Failed to parse K=V data",
-			1,
-		},
-		{
-			"mount_flag_syntax",
-			[]string{"-mount", "kv"},
-			"Not enough arguments",
-			1,
-		},
-	}
-
-	for _, tc := range cases {
-		tc := tc // capture range variable
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
+	// NamespaceHeaderName is the header set to specify which namespace the
+	// request is indented for.
+	NamespaceHeaderName = "X-Vault-Namespace"
 
-			client, closer := testVaultServer(t)
-			defer closer()
+	// AuthHeaderName is the name of the header containing the token.
+	AuthHeaderName = "X-Vault-Token"
 
-			if err := client.Sys().Mount("kv/", &api.MountInput{
-				Type: "kv-v2",
-			}); err != nil {
-				t.Fatalf("kv-v2 mount attempt failed - err: %#v\n", err)
-			}
+	// RequestHeaderName is the name of the header used by the Agent for
+	// SSRF protection.
+	RequestHeaderName = "X-Vault-Request"
 
-			code, combined := kvPatchWithRetry(t, client, tc.args, nil)
+	// WrapTTLHeaderName is the name of the header containing a directive to
+	// wrap the response
+	WrapTTLHeaderName = "X-Vault-Wrap-TTL"
 
-			if code != tc.code {
-				t.Fatalf("expected code to be %d but was %d for patch cmd with args %#v\n", tc.code, code, tc.args)
-			}
+	// PerformanceReplicationALPN is the negotiated protocol used for
+	// performance replication.
+	PerformanceReplicationALPN = "replication_v1"
 
-			if !strings.Contains(combined, tc.out) {
-				t.Fatalf("expected output to be %q but was %q for patch cmd with args %#v\n", tc.out, combined, tc.args)
-			}
-		})
-	}
-}
+	// DRReplicationALPN is the negotiated protocol used for dr replication.
+	DRReplicationALPN = "replication_dr_v1"
 
-// expectedPatchFields produces a deterministic slice of
-// expected fields for patch command output since const
-// slices are not supported
-func expectedPatchFields() []string {
-	return []string{
-		"created_time",
-		"custom_metadata",
-		"deletion_time",
-		"destroyed",
-		"version",
-	}
-}
+	PerfStandbyALPN = "perf_standby_v1"
 
-func TestKVPatchCommand_StdinFull(t *testing.T) {
-	client, closer := testVaultServer(t)
-	defer closer()
+	RequestForwardingALPN = "req_fw_sb-act_v1"
 
-	if err := client.Sys().Mount("kv/", &api.MountInput{
-		Type: "kv-v2",
-	}); err != nil {
-		t.Fatalf("kv-v2 mount attempt failed - err: %#v\n", err)
-	}
+	RaftStorageALPN = "raft_storage_v1"
 
-	if _, err := client.Logical().Write("kv/data/patch/foo", map[string]interface{}{
-		"data": map[string]interface{}{
-			"foo": "a",
-		},
-	}); err != nil {
-		t.Fatalf("write failed, err: %#v\n", err)
-	}
+	// ReplicationResolverALPN is the negotiated protocol used for
+	// resolving replicaiton addresses
+	ReplicationResolverALPN = "replication_resolver_v1"
 
-	cases := [][]string{
-		{"kv/patch/foo", "-"},
-		{"-mount", "kv", "patch/foo", "-"},
-	}
-	for i, args := range cases {
-		stdinR, stdinW := io.Pipe()
-		go func() {
-			stdinW.Write([]byte(fmt.Sprintf(`{"foo%d":"bar%d"}`, i, i)))
-			stdinW.Close()
-		}()
-		code, combined := kvPatchWithRetry(t, client, args, stdinR)
+	VaultEnableFilePermissionsCheckEnv = "VAULT_ENABLE_FILE_PERMISSIONS_CHECK"
 
-		for _, str := range expectedPatchFields() {
-			if !strings.Contains(combined, str) {
-				t.Errorf("expected %q to contain %q", combined, str)
-			}
-		}
+	VaultDisableUserLockout = "VAULT_DISABLE_USER_LOCKOUT"
 
-		if code != 0 {
-			t.Fatalf("expected code to be 0 but was %d for patch cmd with args %#v\n", code, args)
-		}
+	PerformanceReplicationPathTarget = "performance"
 
-		secret, err := client.Logical().ReadWithContext(context.Background(), "kv/data/patch/foo")
-		if err != nil {
-			t.Fatalf("read failed, err: %#v\n", err)
-		}
-
-		if secret == nil || secret.Data == nil {
-			t.Fatal("expected secret to have data")
-		}
-
-		secretDataRaw, ok := secret.Data["data"]
-
-		if !ok {
-			t.Fatalf("expected secret to have nested data key, data: %#v", secret.Data)
-		}
-
-		secretData := secretDataRaw.(map[string]interface{})
-		foo, ok := secretData[fmt.Sprintf("foo%d", i)].(string)
-		if !ok {
-			t.Fatal("expected foo to be a string but it wasn't")
-		}
-
-		if exp, act := fmt.Sprintf("bar%d", i), foo; exp != act {
-			t.Fatalf("expected %q to be %q, data: %#v\n", act, exp, secret.Data)
-		}
-	}
-}
-
-func TestKVPatchCommand_StdinValue(t *testing.T) {
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	if err := client.Sys().Mount("kv/", &api.MountInput{
-		Type: "kv-v2",
-	}); err != nil {
-		t.Fatalf("kv-v2 mount attempt failed - err: %#v\n", err)
-	}
-
-	if _, err := client.Logical().Write("kv/data/patch/foo", map[string]interface{}{
-		"data": map[string]interface{}{
-			"foo": "a",
-		},
-	}); err != nil {
-		t.Fatalf("write failed, err: %#v\n", err)
-	}
-
-	cases := [][]string{
-		{"kv/patch/foo", "foo=-"},
-		{"-mount", "kv", "patch/foo", "foo=-"},
-	}
-
-	for i, args := range cases {
-		stdinR, stdinW := io.Pipe()
-		go func() {
-			stdinW.Write([]byte(fmt.Sprintf("bar%d", i)))
-			stdinW.Close()
-		}()
-
-		code, combined := kvPatchWithRetry(t, client, args, stdinR)
-		if code != 0 {
-			t.Fatalf("expected code to be 0 but was %d for patch cmd with args %#v\n", code, args)
-		}
-
-		for _, str := range expectedPatchFields() {
-			if !strings.Contains(combined, str) {
-				t.Errorf("expected %q to contain %q", combined, str)
-			}
-		}
-
-		secret, err := client.Logical().ReadWithContext(context.Background(), "kv/data/patch/foo")
-		if err != nil {
-			t.Fatalf("read failed, err: %#v\n", err)
-		}
-
-		if secret == nil || secret.Data == nil {
-			t.Fatal("expected secret to have data")
-		}
-
-		secretDataRaw, ok := secret.Data["data"]
-
-		if !ok {
-			t.Fatalf("expected secret to have nested data key, data: %#v\n", secret.Data)
-		}
-
-		secretData := secretDataRaw.(map[string]interface{})
-
-		if exp, act := fmt.Sprintf("bar%d", i), secretData["foo"].(string); exp != act {
-			t.Fatalf("expected %q to be %q, data: %#v\n", act, exp, secret.Data)
-		}
-	}
-}
-
-func TestKVPatchCommand_RWMethodNotExists(t *testing.T) {
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	if err := client.Sys().Mount("kv/", &api.MountInput{
-		Type: "kv-v2",
-	}); err != nil {
-		t.Fatalf("kv-v2 mount attempt failed - err: %#v\n", err)
-	}
-
-	cases := [][]string{
-		{"-method", "rw", "kv/patch/foo", "foo=a"},
-		{"-method", "rw", "-mount", "kv", "patch/foo", "foo=a"},
-	}
-
-	for _, args := range cases {
-		code, combined := kvPatchWithRetry(t, client, args, nil)
-
-		if code != 2 {
-			t.Fatalf("expected code to be 2 but was %d for patch cmd with args %#v\n", code, args)
-		}
-
-		expectedOutputSubstr := "No value found"
-		if !strings.Contains(combined, expectedOutputSubstr) {
-			t.Fatalf("expected output %q to contain %q for patch cmd with args %#v\n", combined, expectedOutputSubstr, args)
-		}
-	}
-}
-
-func TestKVPatchCommand_RWMethodSucceeds(t *testing.T) {
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	if err := client.Sys().Mount("kv/", &api.MountInput{
-		Type: "kv-v2",
-	}); err != nil {
-		t.Fatalf("kv-v2 mount attempt failed - err: %#v\n", err)
-	}
-
-	if _, err := client.Logical().Write("kv/data/patch/foo", map[string]interface{}{
-		"data": map[string]interface{}{
-			"foo": "a",
-			"bar": "b",
-		},
-	}); err != nil {
-		t.Fatalf("write failed, err: %#v\n", err)
-	}
-
-	// Test single value
-	args := []string{"-method", "rw", "kv/patch/foo", "foo=aa"}
-	code, combined := kvPatchWithRetry(t, client, args, nil)
-
-	if code != 0 {
-		t.Fatalf("expected code to be 0 but was %d for patch cmd with args %#v\n", code, args)
-	}
-
-	for _, str := range expectedPatchFields() {
-		if !strings.Contains(combined, str) {
-			t.Errorf("expected %q to contain %q", combined, str)
-		}
-	}
-
-	// Test that full path was output
-	for _, str := range []string{"== Secret Path ==", "kv/data/patch/foo"} {
-		if !strings.Contains(combined, str) {
-			t.Errorf("expected %q to contain %q", combined, str)
-		}
-	}
-
-	// Test multi value
-	args = []string{"-method", "rw", "kv/patch/foo", "foo=aaa", "bar=bbb"}
-	code, combined = kvPatchWithRetry(t, client, args, nil)
-
-	if code != 0 {
-		t.Fatalf("expected code to be 0 but was %d for patch cmd with args %#v\n", code, args)
-	}
-
-	for _, str := range expectedPatchFields() {
-		if !strings.Contains(combined, str) {
-			t.Errorf("expected %q to contain %q", combined, str)
-		}
-	}
-}
-
-func TestKVPatchCommand_CAS(t *testing.T) {
-	cases := []struct {
-		name       string
-		key        string
-		args       []string
-		expected   string
-		outStrings []string
-		code       int
-	}{
-		{
-			"right version",
-			"foo",
-			[]string{"-cas", "1", "kv/foo", "bar=quux"},
-			"quux",
-			expectedPatchFields(),
-			0,
-		},
-		{
-			"wrong version",
-			"foo",
-			[]string{"-cas", "2", "kv/foo", "bar=wibble"},
-			"baz",
-			[]string{"check-and-set parameter did not match the current version"},
-			2,
-		},
-		{
-			"mount_flag_syntax",
-			"foo",
-			[]string{"-mount", "kv", "-cas", "1", "foo", "bar=quux"},
-			"quux",
-			expectedPatchFields(),
-			0,
-		},
-		{
-			"v2_mount_flag_syntax_key_same_as_mount",
-			"kv",
-			[]string{"-mount", "kv", "-cas", "1", "kv", "bar=quux"},
-			"quux",
-			expectedPatchFields(),
-			0,
-		},
-	}
-
-	for _, tc := range cases {
-		tc := tc
-
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			client, closer := testVaultServer(t)
-			defer closer()
-
-			if err := client.Sys().Mount("kv/", &api.MountInput{
-				Type: "kv-v2",
-			}); err != nil {
-				t.Fatalf("kv-v2 mount attempt failed - err: %#v\n", err)
-			}
-
-			// create a policy with patch capability
-			policy := `path "kv/*" { capabilities = ["create", "update", "read", "patch"] }`
-			secretAuth, err := createTokenForPolicy(t, client, policy)
-			if err != nil {
-				t.Fatalf("policy/token creation failed for policy %s, err: %#v\n", policy, err)
-			}
-
-			kvClient, err := client.Clone()
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			kvClient.SetToken(secretAuth.ClientToken)
-
-			data := map[string]interface{}{
-				"bar": "baz",
-			}
-
-			_, err = kvClient.Logical().Write("kv/data/"+tc.key, map[string]interface{}{"data": data})
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			code, combined := kvPatchWithRetry(t, kvClient, tc.args, nil)
-
-			if code != tc.code {
-				t.Fatalf("expected code to be %d but was %d", tc.code, code)
-			}
-
-			for _, str := range tc.outStrings {
-				if !strings.Contains(combined, str) {
-					t.Errorf("expected %q to contain %q", combined, str)
-				}
-			}
-
-			secret, err := kvClient.Logical().ReadWithContext(context.Background(), "kv/data/"+tc.key)
-			if err != nil {
-				t.Fatal(err)
-			}
-			bar := secret.Data["data"].(map[string]interface{})["bar"]
-			if bar != tc.expected {
-				t.Fatalf("expected bar to be %q but it was %q", tc.expected, bar)
-			}
-		})
-	}
-}
-
-func TestKVPatchCommand_Methods(t *testing.T) {
-	cases := []struct {
-		name     string
-		args     []string
-		expected string
-		code     int
-	}{
-		{
-			"rw",
-			[]string{"-method", "rw", "kv/foo", "bar=quux"},
-			"quux",
-			0,
-		},
-		{
-			"patch",
-			[]string{"-method", "patch", "kv/foo", "bar=wibble"},
-			"wibble",
-			0,
-		},
-	}
-
-	for _, tc := range cases {
-		tc := tc
-
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			client, closer := testVaultServer(t)
-			defer closer()
-
-			if err := client.Sys().Mount("kv/", &api.MountInput{
-				Type: "kv-v2",
-			}); err != nil {
-				t.Fatalf("kv-v2 mount attempt failed - err: %#v\n", err)
-			}
-
-			// create a policy with patch capability
-			policy := `path "kv/*" { capabilities = ["create", "update", "read", "patch"] }`
-			secretAuth, err := createTokenForPolicy(t, client, policy)
-			if err != nil {
-				t.Fatalf("policy/token creation failed for policy %s, err: %#v\n", policy, err)
-			}
-
-			kvClient, err := client.Clone()
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			kvClient.SetToken(secretAuth.ClientToken)
-
-			_, err = kvClient.Logical().Write("kv/data/foo", map[string]interface{}{"data": map[string]interface{}{"bar": "baz"}})
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			code, _ := kvPatchWithRetry(t, kvClient, tc.args, nil)
-
-			if code != tc.code {
-				t.Fatalf("expected code to be %d but was %d", tc.code, code)
-			}
-
-			secret, err := kvClient.Logical().ReadWithContext(context.Background(), "kv/data/foo")
-			if err != nil {
-				t.Fatal(err)
-			}
-			bar := secret.Data["data"].(map[string]interface{})["bar"]
-			if bar != tc.expected {
-				t.Fatalf("expected bar to be %q but it was %q", tc.expected, bar)
-			}
-		})
-	}
-}
-
-func TestKVPatchCommand_403Fallback(t *testing.T) {
-	cases := []struct {
-		name     string
-		args     []string
-		expected string
-		code     int
-	}{
-		// if no -method is specified, and patch fails, it should fall back to rw and succeed
-		{
-			"unspecified",
-			[]string{"kv/foo", "bar=quux"},
-			`add the "patch" capability to your ACL policy`,
-			0,
-		},
-		// if -method=patch is specified, and patch fails, it should not fall back, and just error
-		{
-			"specifying patch",
-			[]string{"-method", "patch", "kv/foo", "bar=quux"},
-			"permission denied",
-			2,
-		},
-	}
-
-	for _, tc := range cases {
-		tc := tc
-
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-			client, closer := testVaultServer(t)
-			defer closer()
-
-			if err := client.Sys().Mount("kv/", &api.MountInput{
-				Type: "kv-v2",
-			}); err != nil {
-				t.Fatalf("kv-v2 mount attempt failed - err: %#v\n", err)
-			}
-
-			// create a policy without patch capability
-			policy := `path "kv/*" { capabilities = ["create", "update", "read"] }`
-			secretAuth, err := createTokenForPolicy(t, client, policy)
-			if err != nil {
-				t.Fatalf("policy/token creation failed for policy %s, err: %#v\n", policy, err)
-			}
-
-			kvClient, err := client.Clone()
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			kvClient.SetToken(secretAuth.ClientToken)
-
-			// Write a value then attempt to patch it
-			_, err = kvClient.Logical().Write("kv/data/foo", map[string]interface{}{"data": map[string]interface{}{"bar": "baz"}})
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			code, combined := kvPatchWithRetry(t, kvClient, tc.args, nil)
-
-			if code != tc.code {
-				t.Fatalf("expected code to be %d but was %d", tc.code, code)
-			}
-
-			if !strings.Contains(combined, tc.expected) {
-				t.Errorf("expected %q to contain %q", combined, tc.expected)
-			}
-		})
-	}
-}
-
-func TestKVPatchCommand_RWMethodPolicyVariations(t *testing.T) {
-	cases := []struct {
-		name     string
-		args     []string
-		policy   string
-		expected string
-		code     int
-	}{
-		// if the policy doesn't have read capability and -method=rw is specified, it fails
-		{
-			"no read",
-			[]string{"-method", "rw", "kv/foo", "bar=quux"},
-			`path "kv/*" { capabilities = ["create", "update"] }`,
-			"permission denied",
-			2,
-		},
-		// if the policy doesn't have update capability and -method=rw is specified, it fails
-		{
-			"no update",
-			[]string{"-method", "rw", "kv/foo", "bar=quux"},
-			`path "kv/*" { capabilities = ["create", "read"] }`,
-			"permission denied",
-			2,
-		},
-		// if the policy has both read and update and -method=rw is specified, it succeeds
-		{
-			"read and update",
-			[]string{"-method", "rw", "kv/foo", "bar=quux"},
-			`path "kv/*" { capabilities = ["create", "read", "update"] }`,
-			"",
-			0,
-		},
-	}
-
-	for _, tc := range cases {
-		tc := tc
-
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-			client, closer := testVaultServer(t)
-			defer closer()
-
-			if err := client.Sys().Mount("kv/", &api.MountInput{
-				Type: "kv-v2",
-			}); err != nil {
-				t.Fatalf("kv-v2 mount attempt failed - err: %#v\n", err)
-			}
-
-			secretAuth, err := createTokenForPolicy(t, client, tc.policy)
-			if err != nil {
-				t.Fatalf("policy/token creation failed for policy %s, err: %#v\n", tc.policy, err)
-			}
-
-			client.SetToken(secretAuth.ClientToken)
-
-			putArgs := []string{"kv/foo", "foo=bar", "bar=baz"}
-			code, combined := kvPutWithRetry(t, client, putArgs)
-			if code != 0 {
-				t.Errorf("write failed, expected %d to be 0, output: %s", code, combined)
-			}
-
-			code, combined = kvPatchWithRetry(t, client, tc.args, nil)
-			if code != tc.code {
-				t.Fatalf("expected code to be %d but was %d for patch cmd with args %#v\n", tc.code, code, tc.args)
-			}
-
-			if code != 0 {
-				if !strings.Contains(combined, tc.expected) {
-					t.Fatalf("expected output %q to contain %q for patch cmd with args %#v\n", combined, tc.expected, tc.args)
-				}
-			}
-		})
-	}
-}
-
-func TestPadEqualSigns(t *testing.T) {
-	t.Parallel()
-
-	header := "Test Header"
-
-	cases := []struct {
-		name          string
-		totalPathLen  int
-		expectedCount int
-	}{
-		{
-			name:          "path with even length",
-			totalPathLen:  20,
-			expectedCount: 4,
-		},
-		{
-			name:          "path with odd length",
-			totalPathLen:  19,
-			expectedCount: 3,
-		},
-		{
-			name:          "smallest possible path",
-			totalPathLen:  8,
-			expectedCount: 2,
-		},
-	}
-
-	for _, tc := range cases {
-		tc := tc
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			padded := padEqualSigns(header, tc.totalPathLen)
-
-			signs := strings.Split(padded, fmt.Sprintf(" %s ", header))
-			if len(signs[0]) != len(signs[1]) {
-				t.Fatalf("expected an equal number of equal signs on both sides")
-			}
-			for _, sign := range signs {
-				count := strings.Count(sign, "=")
-				if count != tc.expectedCount {
-					t.Fatalf("expected %d equal signs but there were %d", tc.expectedCount, count)
-				}
-			}
-		})
-	}
-}
-
-func testKVUndeleteCommand(tb testing.TB) (*cli.MockUi, *KVUndeleteCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &KVUndeleteCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestKVUndeleteCommand(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name       string
-		args       []string
-		outStrings []string
-		code       int
-	}{
-		{
-			"not_enough_args",
-			[]string{},
-			[]string{"Not enough arguments"},
-			1,
-		},
-		{
-			"too_many_args",
-			[]string{"foo", "bar"},
-			[]string{"Too many arguments"},
-			1,
-		},
-		{
-			"no_versions",
-			[]string{"-mount", "kv", "/read/foo"},
-			[]string{"No versions provided"},
-			1,
-		},
-		{
-			"v2_mount_flag_syntax",
-			[]string{"-versions", "1", "-mount", "kv", "read/foo"},
-			[]string{"Success! Data written to: kv/undelete/read/foo"},
-			0,
-		},
-		{
-			"v2_mount_flag_syntax_complex_1",
-			[]string{"-versions", "1", "-mount", "secrets/testapp", "test"},
-			[]string{"Success! Data written to: secrets/testapp/undelete/test"},
-			0,
-		},
-		{
-			"v2_mount_flag_syntax_complex_2",
-			[]string{"-versions", "1", "-mount", "secrets/x/testapp", "test"},
-			[]string{"Success! Data written to: secrets/x/testapp/undelete/test"},
-			0,
-		},
-	}
-
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, tc := range cases {
-			tc := tc
-
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
-
-				client, closer := testVaultServer(t)
-				defer closer()
-				if err := client.Sys().Mount("kv/", &api.MountInput{
-					Type: "kv-v2",
-				}); err != nil {
-					t.Fatal(err)
-				}
-
-				if err := client.Sys().Mount("secrets/testapp", &api.MountInput{
-					Type: "kv-v2",
-				}); err != nil {
-					t.Fatal(err)
-				}
-
-				// Additional layer of mount path
-				if err := client.Sys().Mount("secrets/x/testapp", &api.MountInput{
-					Type: "kv-v2",
-				}); err != nil {
-					t.Fatal(err)
-				}
-
-				// Give time for the upgrade code to run/finish
-				time.Sleep(time.Second)
-
-				if _, err := client.Logical().Write("kv/data/read/foo", map[string]interface{}{
-					"data": map[string]interface{}{
-						"foo": "bar",
-					},
-				}); err != nil {
-					t.Fatal(err)
-				}
-
-				// Delete the entry so we can undelete it
-				if _, err := client.Logical().Delete("kv/data/read/foo"); err != nil {
-					t.Fatal(err)
-				}
-
-				if _, err := client.Logical().Write("secrets/testapp/data/test", map[string]interface{}{
-					"data": map[string]interface{}{
-						"complex": "yes",
-					},
-				}); err != nil {
-					t.Fatal(err)
-				}
-
-				if _, err := client.Logical().Write("secrets/x/testapp/data/test", map[string]interface{}{
-					"data": map[string]interface{}{
-						"complex": "yes",
-					},
-				}); err != nil {
-					t.Fatal(err)
-				}
-
-				// Delete the entry so we can undelete it
-				if _, err := client.Logical().Delete("secrets/x/testapp/data/test"); err != nil {
-					t.Fatal(err)
-				}
-
-				// Delete the entry so we can undelete it
-				if _, err := client.Logical().Delete("secrets/testapp/data/test"); err != nil {
-					t.Fatal(err)
-				}
-
-				ui, cmd := testKVUndeleteCommand(t)
-				cmd.client = client
-
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-
-				for _, str := range tc.outStrings {
-					if !strings.Contains(combined, str) {
-						t.Errorf("expected %q to contain %q", combined, str)
-					}
-				}
-			})
-		}
-	})
-}
-
-func createTokenForPolicy(t *testing.T, client *api.Client, policy string) (*api.SecretAuth, error) {
-	t.Helper()
-
-	if err := client.Sys().PutPolicy("policy", policy); err != nil {
-		return nil, err
-	}
-
-	secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
-		Policies: []string{"policy"},
-		TTL:      "30m",
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	if secret == nil || secret.Auth == nil || secret.Auth.ClientToken == "" {
-		return nil, fmt.Errorf("missing auth data: %#v", secret)
-	}
-
-	return secret.Auth, err
-}
+	DRReplicationPathTarget = "dr"
+)
diff --git a/command/kv_undelete.go b/command/kv_undelete.go
index abc90879e6b8..748d6d680923 100644
--- a/command/kv_undelete.go
+++ b/command/kv_undelete.go
@@ -1,184 +1,105 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
+---
+layout: docs
+page_title: Containerized plugins
+description: External Vault plugins can be run in containers.
+---
 
-package command
-
-import (
-	"fmt"
-	"path"
-	"strings"
-
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*KVUndeleteCommand)(nil)
-	_ cli.CommandAutocomplete = (*KVUndeleteCommand)(nil)
-)
-
-type KVUndeleteCommand struct {
-	*BaseCommand
-
-	flagVersions []string
-	flagMount    string
-}
-
-func (c *KVUndeleteCommand) Synopsis() string {
-	return "Undeletes versions in the KV store"
-}
-
-func (c *KVUndeleteCommand) Help() string {
-	helpText := `
-Usage: vault kv undelete [options] KEY
-
-  Undeletes the data for the provided version and path in the key-value store.
-  This restores the data, allowing it to be returned on get requests.
-
-  To undelete version 3 of key "foo":
-
-      $ vault kv undelete -mount=secret -versions=3 foo
-
-  The deprecated path-like syntax can also be used, but this should be avoided,
-  as the fact that it is not actually the full API path to
-  the secret (secret/data/foo) can cause confusion:
-
-      $ vault kv undelete -versions=3 secret/foo
-
-  Additional flags and more advanced use cases are detailed below.
-
-` + c.Flags().Help()
-	return strings.TrimSpace(helpText)
-}
-
-func (c *KVUndeleteCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-
-	// Common Options
-	f := set.NewFlagSet("Common Options")
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:    "versions",
-		Target:  &c.flagVersions,
-		Default: nil,
-		Usage:   `Specifies the version numbers to undelete.`,
-	})
-
-	f.StringVar(&StringVar{
-		Name:    "mount",
-		Target:  &c.flagMount,
-		Default: "", // no default, because the handling of the next arg is determined by whether this flag has a value
-		Usage: `Specifies the path where the KV backend is mounted. If specified,
-		the next argument will be interpreted as the secret path. If this flag is
-		not specified, the next argument will be interpreted as the combined mount
-		path and secret path, with /data/ automatically appended between KV
-		v2 secrets.`,
-	})
-
-	return set
-}
-
-func (c *KVUndeleteCommand) AutocompleteArgs() complete.Predictor {
-	return nil
-}
-
-func (c *KVUndeleteCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *KVUndeleteCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
-	}
-
-	if len(c.flagVersions) == 0 {
-		c.UI.Error("No versions provided, use the \"-versions\" flag to specify the version to undelete.")
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	// If true, we're working with "-mount=secret foo" syntax.
-	// If false, we're using "secret/foo" syntax.
-	mountFlagSyntax := (c.flagMount != "")
-
-	var (
-		mountPath   string
-		partialPath string
-		v2          bool
-	)
-
-	// Parse the paths and grab the KV version
-	if mountFlagSyntax {
-		// In this case, this arg is the secret path (e.g. "foo").
-		partialPath = sanitizePath(args[0])
-		mountPath = sanitizePath(c.flagMount)
-		_, v2, err = isKVv2(mountPath, client)
-		if err != nil {
-			c.UI.Error(err.Error())
-			return 2
-		}
-		if v2 {
-			// Without this join, mountPaths that are deeper
-			// than the root path E.G. secrets/myapp will get
-			// pruned down to myapp/undelete/<secret> which
-			// is incorrect.
-			// This technique was lifted from kv_delete.go.
-			partialPath = path.Join(mountPath, partialPath)
-		}
-	} else {
-		// In this case, this arg is a path-like combination of mountPath/secretPath.
-		// (e.g. "secret/foo")
-		partialPath = sanitizePath(args[0])
-		mountPath, v2, err = isKVv2(partialPath, client)
-		if err != nil {
-			c.UI.Error(err.Error())
-			return 2
-		}
-	}
-
-	if !v2 {
-		c.UI.Error("Undelete not supported on KV Version 1")
-		return 1
-	}
-
-	undeletePath := addPrefixToKVPath(partialPath, mountPath, "undelete", false)
-	data := map[string]interface{}{
-		"versions": kvParseVersionsFlags(c.flagVersions),
-	}
-
-	secret, err := client.Logical().Write(undeletePath, data)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error writing data to %s: %s", undeletePath, err))
-		if secret != nil {
-			OutputSecret(c.UI, secret)
-		}
-		return 2
-	}
-	if secret == nil {
-		// Don't output anything unless using the "table" format
-		if Format(c.UI) == "table" {
-			c.UI.Info(fmt.Sprintf("Success! Data written to: %s", undeletePath))
-		}
-		return 0
-	}
-
-	return OutputSecret(c.UI, secret)
-}
+# Containerized plugins
+
+@include 'alerts/beta.mdx'
+
+<Note title="Limited OS support">
+
+  Support for the `container` runtime is currently limited to Linux.
+
+</Note>
+
+By default, external plugins run as subprocesses that share Vault's user and
+environment variables. Administrators managing Vault instances on Linux can
+choose to run external plugins in containers. Running plugins in containers
+increases the isolation between plugins, and between plugins and Vault.
+
+## System requirements
+
+- **Your Vault instance must be running on Linux**.
+
+- **Your environment must provide Vault local access to the Docker Engine API**.
+  Vault uses the [Docker SDK](https://pkg.go.dev/github.com/docker/docker) to
+  manage containerized plugins.
+
+- **You must have a valid container runtime installed**. We recommend
+  [installing gVisor](https://gvisor.dev/docs/user_guide/install/) for your
+  container runtime as Vault specifies the `runsc` runtime by default.
+
+- **You must have all your plugin container images pulled and available locally**.
+  Vault does not currently support pulling images as part of the plugin
+  registration process.
+
+## Plugin requirements
+
+All plugins have the following basic requirements to be containerized:
+
+- **Your plugin must be built with at least v1.6.0 of the HashiCorp
+  [`go-plugin`](https://github.com/hashicorp/go-plugin) library**.
+
+- **The image entrypoint should run the plugin binary**.
+
+Some configurations have additional requirements for the container image, listed
+in [supported configurations](#supported-configurations).
+
+## Supported configurations
+
+Vault's containerized plugins are compatible with a variety of configurations.
+In particular, it has been tested with the following:
+
+- Default and [rootless](https://docs.docker.com/engine/security/rootless/) Docker.
+- OCI-compatible runtimes `runsc` and `runc`.
+- Plugin container images running as root and non-root users.
+- [Mlock](/vault/docs/configuration#disable_mlock) disabled or enabled.
+
+Not all combinations work and some have additional requirements, listed below.
+If you use a configuration that matches multiple headings, you should combine
+the requirements from each matching heading.
+
+### `runsc` runtime
+
+- You must pass an additional `--host-uds=create` flag to the `runsc` runtime.
+
+### Rootless Docker with `runsc` runtime
+
+- You must pass an additional `--ignore-cgroups` flag to the `runsc` runtime.
+  - Cgroup limits are not currently supported for this configuration.
+
+### Rootless Docker with non-root container user
+
+- You must use a container plugin runtime with
+  [`rootless`](/vault/docs/commands/plugin/runtime/register#rootless) enabled.
+- Your filesystem must have Posix 1e ACL support, available by default in most
+  modern Linux file systems.
+- Only supported for gVisor's `runsc` runtime.
+
+### Rootless Docker with mlock enabled
+
+- Only supported for gVisor's `runsc` runtime.
+
+### Non-root container user with mlock enabled
+
+- You must set the `IPC_LOCK` capability on the plugin binary.
+
+## Container lifecycle and metadata
+
+Like any other external plugin, Vault will automatically manage the lifecycle
+of plugin containers. If they are killed out of band, Vault will restart them
+before servicing any requests that need to be handled by them. Vault will also
+[multiplex](/vault/docs/plugins/plugin-architecture#plugin-multiplexing) multiple
+mounts to be serviced by the same container if the plugin supports multiplexing.
+
+Vault labels each plugin container with a standard set of metadata to help
+identify the owner of the container, including the cluster ID, Vault's own
+process ID, and the plugin's name, type, and version.
+
+## Plugin runtimes
+
+Users who require more control over plugin containers can use the "plugin
+runtime" APIs for finer grained settings. See the CLI documentation for
+[`vault plugin runtime`](/vault/docs/commands/plugin/runtime) for more details.
diff --git a/command/lease.go b/command/lease.go
index 5e8f46afe1bb..b0c9089681d2 100644
--- a/command/lease.go
+++ b/command/lease.go
@@ -1,43 +1,256 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
 
-package command
+import { set } from '@ember/object';
+import Service from '@ember/service';
+import { module, test } from 'qunit';
+import { setupTest } from 'ember-qunit';
+import sinon from 'sinon';
 
-import (
-	"strings"
+import { storageKey, CONTROL_GROUP_PREFIX, TOKEN_SEPARATOR } from 'vault/services/control-group';
 
-	"github.com/mitchellh/cli"
-)
+const versionStub = Service.extend();
 
-var _ cli.Command = (*LeaseCommand)(nil)
+function storage() {
+  return {
+    items: {},
+    getItem(key) {
+      var item = this.items[key];
+      return item && JSON.parse(item);
+    },
 
-type LeaseCommand struct {
-	*BaseCommand
-}
+    setItem(key, val) {
+      return (this.items[key] = JSON.stringify(val));
+    },
+
+    removeItem(key) {
+      delete this.items[key];
+    },
 
-func (c *LeaseCommand) Synopsis() string {
-	return "Interact with leases"
+    keys() {
+      return Object.keys(this.items);
+    },
+  };
 }
 
-func (c *LeaseCommand) Help() string {
-	helpText := `
-Usage: vault lease <subcommand> [options] [args]
+module('Unit | Service | control group', function (hooks) {
+  setupTest(hooks);
 
-  This command groups subcommands for interacting with leases. Users can revoke
-  or renew leases.
+  hooks.beforeEach(function () {
+    this.owner.register('service:version', versionStub);
+    this.version = this.owner.lookup('service:version');
+    this.router = this.owner.lookup('service:router');
+    this.router.reopen({
+      transitionTo: sinon.stub(),
+      urlFor: sinon.stub().returns('/ui/vault/foo'),
+      currentURL: '/vault/secrets/kv/show/foo',
+    });
+  });
 
-  Renew a lease:
+  hooks.afterEach(function () {});
 
-      $ vault lease renew database/creds/readonly/2f6a614c...
+  const isCommunity = (context) => set(context, 'version.type', 'community');
+  const isEnt = (context) => set(context, 'version.type', 'enterprise');
+  const resolvesArgs = (assert, result, expectedArgs) => {
+    return result.then((...args) => {
+      return assert.deepEqual(args, expectedArgs, 'resolves with the passed args');
+    });
+  };
 
-  Revoke a lease:
+  [
+    [
+      'it resolves isCommunity:true, wrapTTL: true, response: has wrap_info',
+      isCommunity,
+      [[{ one: 'two', three: 'four' }], { wrap_info: { token: 'foo', accessor: 'bar' } }, true],
+      (assert, result) => resolvesArgs(assert, result, [{ one: 'two', three: 'four' }]),
+    ],
+    [
+      'it resolves isCommunity:true, wrapTTL: false, response: has no wrap_info',
+      isCommunity,
+      [[{ one: 'two', three: 'four' }], { wrap_info: null }, false],
+      (assert, result) => resolvesArgs(assert, result, [{ one: 'two', three: 'four' }]),
+    ],
+    [
+      'it resolves isCommunity: false and wrapTTL:true response: has wrap_info',
+      isEnt,
+      [[{ one: 'two', three: 'four' }], { wrap_info: { token: 'foo', accessor: 'bar' } }, true],
+      (assert, result) => resolvesArgs(assert, result, [{ one: 'two', three: 'four' }]),
+    ],
+    [
+      'it resolves isCommunity: false and wrapTTL:false response: has no wrap_info',
+      isEnt,
+      [[{ one: 'two', three: 'four' }], { wrap_info: null }, false],
+      (assert, result) => resolvesArgs(assert, result, [{ one: 'two', three: 'four' }]),
+    ],
+    [
+      'it rejects isCommunity: false, wrapTTL:false, response: has wrap_info',
+      isEnt,
+      [
+        [{ one: 'two', three: 'four' }],
+        { foo: 'bar', wrap_info: { token: 'secret', accessor: 'lookup' } },
+        false,
+      ],
+      (assert, result) => {
+        // ensure failure if we ever don't reject
+        assert.expect(2);
 
-      $ vault lease revoke database/creds/readonly/2f6a614c...
-`
+        return result.then(
+          () => {},
+          (err) => {
+            assert.strictEqual(err.token, 'secret');
+            assert.strictEqual(err.accessor, 'lookup');
+          }
+        );
+      },
+    ],
+  ].forEach(function ([name, setup, args, expectation]) {
+    test(`checkForControlGroup: ${name}`, function (assert) {
+      const assertCount =
+        name === 'it rejects isCommunity: false, wrapTTL:false, response: has wrap_info' ? 2 : 1;
+      assert.expect(assertCount);
+      if (setup) {
+        setup(this);
+      }
+      const service = this.owner.lookup('service:control-group');
+      const result = service.checkForControlGroup(...args);
+      return expectation(assert, result);
+    });
+  });
 
-	return strings.TrimSpace(helpText)
-}
+  test(`handleError: transitions to accessor and stores control group token`, function (assert) {
+    const error = {
+      accessor: '12345',
+      token: 'token',
+      creation_path: 'kv/',
+      creation_time: '2022-03-17T20:00:25.594Z',
+      ttl: 400,
+    };
+    const expected = { ...error, uiParams: { url: '/vault/secrets/kv/show/foo' } };
+    const service = this.owner.factoryFor('service:control-group').create({
+      storeControlGroupToken: sinon.spy(),
+    });
+    service.handleError(error);
+    assert.ok(service.storeControlGroupToken.calledWith(expected), 'calls storeControlGroupToken');
+    assert.ok(
+      this.router.transitionTo.calledWith('vault.cluster.access.control-group-accessor', '12345'),
+      'calls router transitionTo'
+    );
+  });
 
-func (c *LeaseCommand) Run(args []string) int {
-	return cli.RunResultHelp
-}
+  test(`logFromError: returns correct content string`, function (assert) {
+    const error = {
+      accessor: '12345',
+      token: 'token',
+      creation_path: 'kv/',
+      creation_time: '2022-03-17T20:00:25.594Z',
+      ttl: 400,
+    };
+    const service = this.owner.factoryFor('service:control-group').create({
+      storeControlGroupToken: sinon.spy(),
+    });
+    const contentString = service.logFromError(error);
+    assert.ok(
+      this.router.urlFor.calledWith('vault.cluster.access.control-group-accessor', '12345'),
+      'calls urlFor with accessor'
+    );
+    assert.ok(service.storeControlGroupToken.calledWith(error), 'calls storeControlGroupToken');
+    assert.ok(contentString.content.includes('12345'), 'contains accessor');
+    assert.ok(contentString.content.includes('kv/'), 'contains creation path');
+    assert.ok(contentString.content.includes('token'), 'contains token');
+  });
+
+  test('storageKey', function (assert) {
+    const accessor = '12345';
+    const path = 'kv/foo/bar';
+    const expectedKey = `${CONTROL_GROUP_PREFIX}${accessor}${TOKEN_SEPARATOR}${path}`;
+    assert.strictEqual(storageKey(accessor, path), expectedKey, 'uses expected key');
+  });
+
+  test('keyFromAccessor', function (assert) {
+    const store = storage();
+    const accessor = '12345';
+    const path = 'kv/foo/bar';
+    const data = { foo: 'bar' };
+    const expectedKey = `${CONTROL_GROUP_PREFIX}${accessor}${TOKEN_SEPARATOR}${path}`;
+    const subject = this.owner.factoryFor('service:control-group').create({
+      storage() {
+        return store;
+      },
+    });
+
+    store.setItem(expectedKey, data);
+    store.setItem(`${CONTROL_GROUP_PREFIX}2345${TOKEN_SEPARATOR}${path}`, 'ok');
+
+    assert.strictEqual(subject.keyFromAccessor(accessor), expectedKey, 'finds key given the accessor');
+    assert.strictEqual(subject.keyFromAccessor('foo'), null, 'returns null if no key was found');
+  });
+
+  test('storeControlGroupToken', function (assert) {
+    const store = storage();
+    const subject = this.owner.factoryFor('service:control-group').create({
+      storage() {
+        return store;
+      },
+    });
+    const info = {
+      accessor: '12345',
+      creation_path: 'foo/',
+      creation_time: '2022-03-17T20:00:25.594Z',
+      ttl: 300,
+    };
+    const key = `${CONTROL_GROUP_PREFIX}${info.accessor}${TOKEN_SEPARATOR}${info.creation_path}`;
+
+    subject.storeControlGroupToken(info);
+    assert.deepEqual(store.items[key], JSON.stringify(info), 'stores the whole info object');
+  });
+
+  test('deleteControlGroupToken', function (assert) {
+    const store = storage();
+    const subject = this.owner.factoryFor('service:control-group').create({
+      storage() {
+        return store;
+      },
+    });
+    const accessor = 'foo';
+    const path = 'kv/one';
+
+    const expectedKey = `${CONTROL_GROUP_PREFIX}${accessor}${TOKEN_SEPARATOR}${path}`;
+    store.setItem(expectedKey, { one: '2' });
+    subject.deleteControlGroupToken(accessor);
+    assert.strictEqual(Object.keys(store.items).length, 0, 'there are no keys stored in storage');
+  });
+
+  test('deleteTokens', function (assert) {
+    const store = storage();
+    const subject = this.owner.factoryFor('service:control-group').create({
+      storage() {
+        return store;
+      },
+    });
+
+    const keyOne = `${CONTROL_GROUP_PREFIX}foo`;
+    const keyTwo = `${CONTROL_GROUP_PREFIX}bar`;
+    store.setItem(keyOne, { one: '2' });
+    store.setItem(keyTwo, { two: '2' });
+    store.setItem('value', 'one');
+    assert.strictEqual(Object.keys(store.items).length, 3, 'stores 3 values');
+    subject.deleteTokens();
+    assert.strictEqual(Object.keys(store.items).length, 1, 'removes tokens with control group prefix');
+    assert.strictEqual(store.getItem('value'), 'one', 'keeps the non-prefixed value');
+  });
+
+  test('wrapInfoForAccessor', function (assert) {
+    const store = storage();
+    const subject = this.owner.factoryFor('service:control-group').create({
+      storage() {
+        return store;
+      },
+    });
+
+    const keyOne = `${CONTROL_GROUP_PREFIX}foo`;
+    store.setItem(keyOne, { one: '2' });
+    assert.deepEqual(subject.wrapInfoForAccessor('foo'), { one: '2' });
+  });
+});
diff --git a/command/lease_lookup.go b/command/lease_lookup.go
index 8c38c1cfd7df..7ea218fbfbe9 100644
--- a/command/lease_lookup.go
+++ b/command/lease_lookup.go
@@ -1,94 +1,140 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*LeaseLookupCommand)(nil)
-	_ cli.CommandAutocomplete = (*LeaseLookupCommand)(nil)
-)
-
-type LeaseLookupCommand struct {
-	*BaseCommand
-}
-
-func (c *LeaseLookupCommand) Synopsis() string {
-	return "Lookup the lease of a secret"
-}
-
-func (c *LeaseLookupCommand) Help() string {
-	helpText := `
-Usage: vault lease lookup ID
-
-  Lookup the lease information of a secret.
-
-  Every secret in Vault has a lease associated with it. Users can look up
-  information on the lease by referencing the lease ID.
-
-  Lookup lease of a secret:
-
-      $ vault lease lookup database/creds/readonly/2f6a614c...
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *LeaseLookupCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-
-	return set
-}
-
-func (c *LeaseLookupCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictAnything
-}
-
-func (c *LeaseLookupCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *LeaseLookupCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	leaseID := ""
-
-	args = f.Args()
-	switch len(args) {
-	case 0:
-		c.UI.Error("Missing ID!")
-		return 1
-	case 1:
-		leaseID = strings.TrimSpace(args[0])
-	default:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	secret, err := client.Sys().Lookup(leaseID)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("error looking up lease id %s: %s", leaseID, err))
-		return 2
-	}
-
-	return OutputSecret(c.UI, secret)
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Service, { inject as service } from '@ember/service';
+import RSVP from 'rsvp';
+import ControlGroupError from 'vault/lib/control-group-error';
+import getStorage from 'vault/lib/token-storage';
+import parseURL from 'core/utils/parse-url';
+
+const CONTROL_GROUP_PREFIX = 'vault:cg-';
+const TOKEN_SEPARATOR = '☃';
+
+// list of endpoints that return wrapped responses
+// without `wrap-ttl`
+const WRAPPED_RESPONSE_PATHS = [
+  'sys/wrapping/rewrap',
+  'sys/wrapping/wrap',
+  'sys/replication/performance/primary/secondary-token',
+  'sys/replication/dr/primary/secondary-token',
+];
+
+const storageKey = (accessor, path) => {
+  return `${CONTROL_GROUP_PREFIX}${accessor}${TOKEN_SEPARATOR}${path}`;
+};
+
+export { storageKey, CONTROL_GROUP_PREFIX, TOKEN_SEPARATOR };
+export default Service.extend({
+  version: service(),
+  router: service(),
+
+  storage() {
+    return getStorage();
+  },
+
+  keyFromAccessor(accessor) {
+    const keys = this.storage().keys() || [];
+    const returnKey = keys
+      .filter((k) => k.startsWith(CONTROL_GROUP_PREFIX))
+      .find((key) => key.replace(CONTROL_GROUP_PREFIX, '').startsWith(accessor));
+    return returnKey ? returnKey : null;
+  },
+
+  storeControlGroupToken(info) {
+    const key = storageKey(info.accessor, info.creation_path);
+    this.storage().setItem(key, info);
+  },
+
+  deleteControlGroupToken(accessor) {
+    this.unmarkTokenForUnwrap();
+    const key = this.keyFromAccessor(accessor);
+    this.storage().removeItem(key);
+  },
+
+  deleteTokens() {
+    const keys = this.storage().keys() || [];
+    keys.filter((k) => k.startsWith(CONTROL_GROUP_PREFIX)).forEach((key) => this.storage().removeItem(key));
+  },
+
+  wrapInfoForAccessor(accessor) {
+    const key = this.keyFromAccessor(accessor);
+    return key ? this.storage().getItem(key) : null;
+  },
+
+  tokenToUnwrap: null,
+  markTokenForUnwrap(accessor) {
+    this.set('tokenToUnwrap', this.wrapInfoForAccessor(accessor));
+  },
+
+  unmarkTokenForUnwrap() {
+    this.set('tokenToUnwrap', null);
+  },
+
+  tokenForUrl(url) {
+    if (this.version.isCommunity) {
+      return null;
+    }
+    let pathForUrl = parseURL(url).pathname;
+    pathForUrl = pathForUrl.replace('/v1/', '');
+    const tokenInfo = this.tokenToUnwrap;
+    if (tokenInfo && tokenInfo.creation_path === pathForUrl) {
+      const { token, accessor, creation_time } = tokenInfo;
+      return { token, accessor, creationTime: creation_time };
+    }
+    return null;
+  },
+
+  checkForControlGroup(callbackArgs, response, wasWrapTTLRequested) {
+    const creationPath = response && response?.wrap_info?.creation_path;
+    if (
+      this.version.isCommunity ||
+      wasWrapTTLRequested ||
+      !response ||
+      (creationPath && WRAPPED_RESPONSE_PATHS.includes(creationPath)) ||
+      !response.wrap_info
+    ) {
+      return RSVP.resolve(...callbackArgs);
+    }
+    const error = new ControlGroupError(response.wrap_info);
+    return RSVP.reject(error);
+  },
+
+  handleError(error) {
+    const { accessor, token, creation_path, creation_time, ttl } = error;
+    const data = { accessor, token, creation_path, creation_time, ttl };
+    data.uiParams = { url: this.router.currentURL };
+    this.storeControlGroupToken(data);
+    return this.router.transitionTo('vault.cluster.access.control-group-accessor', accessor);
+  },
+
+  // Handle error from non-read request (eg. POST or UPDATE) so it can be retried
+  saveTokenFromError(error) {
+    const { accessor, token, creation_path, creation_time, ttl } = error;
+    const data = { accessor, token, creation_path, creation_time, ttl };
+    this.storeControlGroupToken(data);
+    // In the read flow the accessor is marked once the user clicks "Visit" from the control group page
+    // On a POST/UPDATE flow we don't redirect, so we need to mark automatically so that on the next try
+    // the request will attempt unwrap.
+    this.markTokenForUnwrap(accessor);
+  },
+
+  logFromError(error) {
+    const { accessor, token, creation_path, creation_time, ttl } = error;
+    const data = { accessor, token, creation_path, creation_time, ttl };
+    this.storeControlGroupToken(data);
+
+    const href = this.router.urlFor('vault.cluster.access.control-group-accessor', accessor);
+    const lines = [
+      `A Control Group was encountered at ${error.creation_path}.`,
+      `The Control Group Token is ${error.token}.`,
+      `The Accessor is ${error.accessor}.`,
+      `Visit <a href='${href}'>${href}</a> for more details.`,
+    ];
+    return {
+      type: 'error-with-html',
+      content: lines.join('\n'),
+    };
+  },
+});
diff --git a/command/lease_lookup_test.go b/command/lease_lookup_test.go
index bc0019428097..3729c07e7d12 100644
--- a/command/lease_lookup_test.go
+++ b/command/lease_lookup_test.go
@@ -1,103 +1,93 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-)
-
-func testLeaseLookupCommand(tb testing.TB) (*cli.MockUi, *LeaseLookupCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &LeaseLookupCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-// testLeaseLookupCommandMountAndLease mounts a leased secret backend and returns
-// the leaseID of an item.
-func testLeaseLookupCommandMountAndLease(tb testing.TB, client *api.Client) string {
-	if err := client.Sys().Mount("testing", &api.MountInput{
-		Type: "generic-leased",
-	}); err != nil {
-		tb.Fatal(err)
-	}
-
-	if _, err := client.Logical().Write("testing/foo", map[string]interface{}{
-		"key":   "value",
-		"lease": "5m",
-	}); err != nil {
-		tb.Fatal(err)
-	}
-
-	// Read the secret back to get the leaseID
-	secret, err := client.Logical().Read("testing/foo")
-	if err != nil {
-		tb.Fatal(err)
-	}
-	if secret == nil || secret.LeaseID == "" {
-		tb.Fatalf("missing secret or lease: %#v", secret)
-	}
-
-	return secret.LeaseID
-}
-
-// TestLeaseLookupCommand_Run tests basic lookup
-func TestLeaseLookupCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	t.Run("empty", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		_ = testLeaseLookupCommandMountAndLease(t, client)
-
-		ui, cmd := testLeaseLookupCommand(t)
-		cmd.client = client
-
-		code := cmd.Run(nil)
-		if exp := 1; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		expectedMsg := "Missing ID!"
-		if !strings.Contains(combined, expectedMsg) {
-			t.Errorf("expected %q to contain %q", combined, expectedMsg)
-		}
-	})
-
-	t.Run("integration", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		leaseID := testLeaseLookupCommandMountAndLease(t, client)
-
-		_, cmd := testLeaseLookupCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{leaseID})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testLeaseLookupCommand(t)
-		assertNoTabs(t, cmd)
-	})
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
+import { click, render } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+
+const SELECTORS = {
+  dropdown: '[data-test-copy-menu-trigger]',
+  copyButton: '[data-test-copy-button]',
+  clipboard: 'data-test-copy-button',
+  wrapButton: '[data-test-wrap-button]',
+  masked: '[data-test-masked-input]',
+};
+
+module('Integration | Component | copy-secret-dropdown', function (hooks) {
+  setupRenderingTest(hooks);
+  hooks.beforeEach(function () {
+    this.onWrap = () => {};
+    this.onClose = () => {};
+  });
+
+  test('it renders and fires callback functions', async function (assert) {
+    assert.expect(5);
+    this.data = `{ foo: 'bar' }`;
+    this.onWrap = () => assert.ok(true, 'onWrap callback fires Wrap secret is clicked');
+    this.onClose = () => assert.ok(true, 'onClose callback fires when dropdown closes');
+
+    await render(
+      hbs`<ToolbarActions>
+  <CopySecretDropdown
+    @clipboardText={{this.data}}
+    @onWrap={{this.onWrap}}
+    @onClose={{this.onClose}}
+  />
+</ToolbarActions>`
+    );
+
+    await click(SELECTORS.dropdown);
+    assert.dom(SELECTORS.copyButton).hasText('Copy JSON');
+    assert.dom(SELECTORS.wrapButton).hasText('Wrap secret');
+    assert
+      .dom(SELECTORS.copyButton)
+      .hasAttribute('data-test-copy-button', `${this.data}`, 'it renders copyable data');
+
+    await click(SELECTORS.wrapButton);
+    await click(SELECTORS.dropdown);
+  });
+
+  test('it renders loading wrap button', async function (assert) {
+    assert.expect(2);
+    await render(
+      hbs`<ToolbarActions>
+  <CopySecretDropdown
+    @clipboardText={{this.data}}
+    @onWrap={{this.onWrap}}
+    @isWrapping={{true}}
+    @wrappedData={{this.wrappedData}}
+    @onClose={{this.onClose}}
+  />
+</ToolbarActions>`
+    );
+
+    await click(SELECTORS.dropdown);
+    assert.dom(`${SELECTORS.wrapButton} [data-test-icon="loading"]`).exists('renders loading icon');
+    assert.dom(SELECTORS.wrapButton).isDisabled();
+  });
+
+  test('it wrapped data', async function (assert) {
+    assert.expect(1);
+    this.wrappedData = 'my-token';
+
+    await render(
+      hbs`<ToolbarActions>
+  <CopySecretDropdown
+    @clipboardText={{this.data}}
+    @onWrap={{this.onWrap}}
+    @isWrapping={{false}}
+    @wrappedData={{this.wrappedData}}
+    @onClose={{this.onClose}}
+  />
+</ToolbarActions>`
+    );
+
+    await click(SELECTORS.dropdown);
+    assert
+      .dom(`${SELECTORS.masked} ${SELECTORS.copyButton}`)
+      .hasAttribute('data-test-copy-button', this.wrappedData, 'it renders wrapped data');
+  });
+});
diff --git a/command/lease_renew.go b/command/lease_renew.go
index 0918d8ed4b75..0818adddc5d6 100644
--- a/command/lease_renew.go
+++ b/command/lease_renew.go
@@ -1,117 +1,45 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"strings"
-	"time"
-
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*LeaseRenewCommand)(nil)
-	_ cli.CommandAutocomplete = (*LeaseRenewCommand)(nil)
-)
-
-type LeaseRenewCommand struct {
-	*BaseCommand
-
-	flagIncrement time.Duration
-}
-
-func (c *LeaseRenewCommand) Synopsis() string {
-	return "Renews the lease of a secret"
-}
-
-func (c *LeaseRenewCommand) Help() string {
-	helpText := `
-Usage: vault lease renew [options] ID
-
-  Renews the lease on a secret, extending the time that it can be used before
-  it is revoked by Vault.
-
-  Every secret in Vault has a lease associated with it. If the owner of the
-  secret wants to use it longer than the lease, then it must be renewed.
-  Renewing the lease does not change the contents of the secret. The ID is the
-  full path lease ID.
-
-  Renew a secret:
-
-      $ vault lease renew database/creds/readonly/2f6a614c...
-
-  Lease renewal will fail if the secret is not renewable, the secret has already
-  been revoked, or if the secret has already reached its maximum TTL.
-
-  For a full list of examples, please see the documentation.
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *LeaseRenewCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-	f := set.NewFlagSet("Command Options")
-
-	f.DurationVar(&DurationVar{
-		Name:       "increment",
-		Target:     &c.flagIncrement,
-		Default:    0,
-		EnvVar:     "",
-		Completion: complete.PredictAnything,
-		Usage: "Request a specific increment in seconds. Vault is not required " +
-			"to honor this request.",
-	})
-
-	return set
-}
-
-func (c *LeaseRenewCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictAnything
-}
-
-func (c *LeaseRenewCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *LeaseRenewCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	leaseID := ""
-	increment := c.flagIncrement
-
-	args = f.Args()
-	switch len(args) {
-	case 0:
-		c.UI.Error("Missing ID!")
-		return 1
-	case 1:
-		leaseID = strings.TrimSpace(args[0])
-	default:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1-2, got %d)", len(args)))
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	secret, err := client.Sys().Renew(leaseID, truncateToSeconds(increment))
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error renewing %s: %s", leaseID, err))
-		return 2
-	}
-
-	return OutputSecret(c.UI, secret)
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+{{! @onWrap is recommend to be a concurrency task! see <Page::Secret::Details> in KV addon for example }}
+<BasicDropdown @class="popup-menu" @horizontalPosition="auto-right" @verticalPosition="below" @onClose={{@onClose}} as |D|>
+  <D.Trigger data-test-copy-menu-trigger class="toolbar-link {{if D.isOpen 'is-active'}}" @htmlTag="button">
+    Copy
+    <Chevron @direction={{if D.isOpen "up" "down"}} @isButton={{true}} />
+  </D.Trigger>
+  <D.Content @defaultClass="popup-menu-content is-wide">
+    <nav class="box menu">
+      <ul class="menu-list">
+        <li class="action">
+          <Hds::Copy::Button
+            @text="Copy JSON"
+            @textToCopy={{@clipboardText}}
+            @isFullWidth={{true}}
+            class="in-dropdown link is-flex-start"
+            {{on "click" (action (set-flash-message "JSON Copied!"))}}
+            data-test-copy-button={{@clipboardText}}
+          />
+        </li>
+        <li class="action">
+          {{#if @wrappedData}}
+            <MaskedInput @class="has-padding" @displayOnly={{true}} @allowCopy={{true}} @value={{@wrappedData}} />
+          {{else}}
+            {{#if @isWrapping}}
+              <LoadingDropdownOption data-test-wrap-button />
+            {{else}}
+              <Hds::Button
+                @text="Wrap secret"
+                @color="secondary"
+                class="link"
+                {{on "click" @onWrap}}
+                data-test-wrap-button
+              />
+            {{/if}}
+          {{/if}}
+        </li>
+      </ul>
+    </nav>
+  </D.Content>
+</BasicDropdown>
\ No newline at end of file
diff --git a/command/lease_renew_test.go b/command/lease_renew_test.go
index 40719d1f0a55..e02e53a82e39 100644
--- a/command/lease_renew_test.go
+++ b/command/lease_renew_test.go
@@ -1,161 +1,4332 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package vault
 
 import (
+	"context"
+	"crypto/ecdsa"
+	"crypto/rand"
+	"crypto/subtle"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	paths "path"
+	"path/filepath"
+	"runtime"
+	"slices"
+	"strconv"
 	"strings"
-	"testing"
+	"sync"
+	"sync/atomic"
+	"time"
 
+	kv "github.com/hashicorp/vault-plugin-secrets-kv"
+
+	"github.com/armon/go-metrics"
+	"github.com/hashicorp/errwrap"
+	log "github.com/hashicorp/go-hclog"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
+	aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
+	"github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2"
+	"github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/go-secure-stdlib/mlock"
+	"github.com/hashicorp/go-secure-stdlib/parseutil"
+	"github.com/hashicorp/go-secure-stdlib/reloadutil"
+	"github.com/hashicorp/go-secure-stdlib/strutil"
+	"github.com/hashicorp/go-secure-stdlib/tlsutil"
+	"github.com/hashicorp/go-uuid"
 	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/vault/audit"
+	"github.com/hashicorp/vault/command/server"
+	"github.com/hashicorp/vault/helper/identity/mfa"
+	"github.com/hashicorp/vault/helper/locking"
+	"github.com/hashicorp/vault/helper/metricsutil"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/helper/osutil"
+	"github.com/hashicorp/vault/physical/raft"
+	"github.com/hashicorp/vault/sdk/helper/certutil"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/helper/jsonutil"
+	"github.com/hashicorp/vault/sdk/helper/logging"
+	"github.com/hashicorp/vault/sdk/helper/pathmanager"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/sdk/physical"
+	sr "github.com/hashicorp/vault/serviceregistration"
+	"github.com/hashicorp/vault/shamir"
+	"github.com/hashicorp/vault/vault/cluster"
+	"github.com/hashicorp/vault/vault/eventbus"
+	"github.com/hashicorp/vault/vault/quotas"
+	vaultseal "github.com/hashicorp/vault/vault/seal"
+	"github.com/hashicorp/vault/version"
+	"github.com/patrickmn/go-cache"
+	uberAtomic "go.uber.org/atomic"
+	"google.golang.org/grpc"
+)
+
+const (
+	// CoreLockPath is the path used to acquire a coordinating lock
+	// for a highly-available deploy.
+	CoreLockPath = "core/lock"
+
+	// The poison pill is used as a check during certain scenarios to indicate
+	// to standby nodes that they should seal
+	poisonPillPath   = "core/poison-pill"
+	poisonPillDRPath = "core/poison-pill-dr"
+
+	// coreLeaderPrefix is the prefix used for the UUID that contains
+	// the currently elected leader.
+	coreLeaderPrefix = "core/leader/"
+
+	// coreKeyringCanaryPath is used as a canary to indicate to replicated
+	// clusters that they need to perform a rekey operation synchronously; this
+	// isn't keyring-canary to avoid ignoring it when ignoring core/keyring
+	coreKeyringCanaryPath = "core/canary-keyring"
+
+	// coreGroupPolicyApplicationPath is used to store the behaviour for
+	// how policies should be applied
+	coreGroupPolicyApplicationPath = "core/group-policy-application-mode"
+
+	// groupPolicyApplicationModeWithinNamespaceHierarchy is a configuration option for group
+	// policy application modes, which allows only in-namespace-hierarchy policy application
+	groupPolicyApplicationModeWithinNamespaceHierarchy = "within_namespace_hierarchy"
+
+	// groupPolicyApplicationModeAny is a configuration option for group
+	// policy application modes, which allows policy application irrespective of namespaces
+	groupPolicyApplicationModeAny = "any"
+
+	indexHeaderHMACKeyPath = "core/index-header-hmac-key"
+
+	// defaultMFAAuthResponseTTL is the default duration that Vault caches the
+	// MfaAuthResponse when the value is not specified in the server config
+	defaultMFAAuthResponseTTL = 300 * time.Second
+
+	// defaultMaxTOTPValidateAttempts is the default value for the number
+	// of failed attempts to validate a request subject to TOTP MFA. If the
+	// number of failed totp passcode validations exceeds this max value, the
+	// user needs to wait until a fresh totp passcode is generated.
+	defaultMaxTOTPValidateAttempts = 5
+
+	// ForwardSSCTokenToActive is the value that must be set in the
+	// forwardToActive to trigger forwarding if a perf standby encounters
+	// an SSC Token that it does not have the WAL state for.
+	ForwardSSCTokenToActive = "new_token"
+
+	WrapperTypeHsmAutoDeprecated = wrapping.WrapperType("hsm-auto")
+
+	// undoLogsAreSafeStoragePath is a storage path that we write once we know undo logs are
+	// safe, so we don't have to keep checking all the time.
+	undoLogsAreSafeStoragePath = "core/raft/undo_logs_are_safe"
+
+	ErrMlockFailedTemplate = "Failed to lock memory: %v\n\n" +
+		"This usually means that the mlock syscall is not available.\n" +
+		"Vault uses mlock to prevent memory from being swapped to\n" +
+		"disk. This requires root privileges as well as a machine\n" +
+		"that supports mlock. Please enable mlock on your system or\n" +
+		"disable Vault from using it. To disable Vault from using it,\n" +
+		"set the `disable_mlock` configuration option in your configuration\n" +
+		"file."
+
+	WellKnownPrefix = "/.well-known/"
+)
+
+var (
+	// ErrAlreadyInit is returned if the core is already
+	// initialized. This prevents a re-initialization.
+	ErrAlreadyInit = errors.New("Vault is already initialized")
+
+	// ErrNotInit is returned if a non-initialized barrier
+	// is attempted to be unsealed.
+	ErrNotInit = errors.New("Vault is not initialized")
+
+	// ErrInternalError is returned when we don't want to leak
+	// any information about an internal error
+	ErrInternalError = errors.New("internal error")
+
+	// ErrHANotEnabled is returned if the operation only makes sense
+	// in an HA setting
+	ErrHANotEnabled = errors.New("Vault is not configured for highly-available mode")
+
+	// ErrIntrospectionNotEnabled is returned if "introspection_endpoint" is not
+	// enabled in the configuration file
+	ErrIntrospectionNotEnabled = errors.New("The Vault configuration must set \"introspection_endpoint\" to true to enable this endpoint")
+
+	// manualStepDownSleepPeriod is how long to sleep after a user-initiated
+	// step down of the active node, to prevent instantly regrabbing the lock.
+	// It's var not const so that tests can manipulate it.
+	manualStepDownSleepPeriod = 10 * time.Second
 )
 
-func testLeaseRenewCommand(tb testing.TB) (*cli.MockUi, *LeaseRenewCommand) {
-	tb.Helper()
+// NonFatalError is an error that can be returned during NewCore that should be
+// displayed but not cause a program exit
+type NonFatalError struct {
+	Err error
+}
+
+func (e *NonFatalError) WrappedErrors() []error {
+	return []error{e.Err}
+}
+
+func (e *NonFatalError) Error() string {
+	return e.Err.Error()
+}
+
+// NewNonFatalError returns a new non-fatal error.
+func NewNonFatalError(err error) *NonFatalError {
+	return &NonFatalError{Err: err}
+}
+
+// IsFatalError returns true if the given error is a fatal error.
+func IsFatalError(err error) bool {
+	return !errwrap.ContainsType(err, new(NonFatalError))
+}
+
+// ErrInvalidKey is returned if there is a user-based error with a provided
+// unseal key. This will be shown to the user, so should not contain
+// information that is sensitive.
+type ErrInvalidKey struct {
+	Reason string
+}
+
+func (e *ErrInvalidKey) Error() string {
+	return fmt.Sprintf("invalid key: %v", e.Reason)
+}
+
+type RegisterAuthFunc func(context.Context, time.Duration, string, *logical.Auth, string) error
+
+type activeAdvertisement struct {
+	RedirectAddr     string                     `json:"redirect_addr"`
+	ClusterAddr      string                     `json:"cluster_addr,omitempty"`
+	ClusterCert      []byte                     `json:"cluster_cert,omitempty"`
+	ClusterKeyParams *certutil.ClusterKeyParams `json:"cluster_key_params,omitempty"`
+}
+
+type unlockInformation struct {
+	Parts [][]byte
+	Nonce string
+}
+
+type raftInformation struct {
+	challenge           *wrapping.BlobInfo
+	leaderClient        *api.Client
+	leaderBarrierConfig *SealConfig
+	nonVoter            bool
+	joinInProgress      bool
+}
+
+type migrationInformation struct {
+	// seal to use during a migration operation. It is the
+	// seal we're migrating *from*.
+	seal Seal
+
+	// unsealKey was the unseal key provided for the migration seal.
+	// This will be set as the recovery key when migrating from shamir to auto-seal.
+	// We don't need to do anything with it when migrating auto->shamir because
+	// we don't store the shamir combined key for shamir seals, nor when
+	// migrating auto->auto because then the recovery key doesn't change.
+	unsealKey []byte
+}
+
+// Core is used as the central manager of Vault activity. It is the primary point of
+// interface for API handlers and is responsible for managing the logical and physical
+// backends, router, security barrier, and audit trails.
+type Core struct {
+	entCore
+
+	// The registry of builtin plugins is passed in here as an interface because
+	// if it's used directly, it results in import cycles.
+	builtinRegistry BuiltinRegistry
+
+	// N.B.: This is used to populate a dev token down replication, as
+	// otherwise, after replication is started, a dev would have to go through
+	// the generate-root process simply to talk to the new follower cluster.
+	devToken string
+
+	// HABackend may be available depending on the physical backend
+	ha physical.HABackend
+
+	// storageType is the the storage type set in the storage configuration
+	storageType string
+
+	// redirectAddr is the address we advertise as leader if held
+	redirectAddr string
+
+	// clusterAddr is the address we use for clustering
+	clusterAddr *atomic.Value
+
+	// physical backend is the un-trusted backend with durable data
+	physical physical.Backend
+
+	// serviceRegistration is the ServiceRegistration network
+	serviceRegistration sr.ServiceRegistration
+
+	// hcpLinkStatus is a string describing the status of HCP link connection
+	hcpLinkStatus HCPLinkStatus
+
+	// underlyingPhysical will always point to the underlying backend
+	// implementation. This is an un-trusted backend with durable data
+	underlyingPhysical physical.Backend
+
+	// seal is our seal, for seal configuration information
+	seal Seal
+
+	// raftJoinDoneCh is used by the raft retry join routine to inform unseal process
+	// that the join is complete
+	raftJoinDoneCh chan struct{}
+
+	// postUnsealStarted informs the raft retry join routine that unseal key
+	// validation is completed and post unseal has started so that it can complete
+	// the join process when Shamir seal is in use
+	postUnsealStarted *uint32
+
+	// raftInfo will contain information required for this node to join as a
+	// peer to an existing raft cluster. This is marked atomic to prevent data
+	// races and casted to raftInformation wherever it is used.
+	raftInfo *atomic.Value
+
+	// migrationInfo is used during (and possibly after) a seal migration.
+	// This contains information about the seal we are migrating *from*.  Even
+	// post seal migration, provided the old seal is still in configuration
+	// migrationInfo will be populated, which on enterprise may be necessary for
+	// seal rewrap.
+	migrationInfo     *migrationInformation
+	sealMigrationDone *uint32
+
+	// barrier is the security barrier wrapping the physical backend
+	barrier SecurityBarrier
+
+	// router is responsible for managing the mount points for logical backends.
+	router *Router
+
+	// logicalBackends is the mapping of backends to use for this core
+	logicalBackends map[string]logical.Factory
+
+	// credentialBackends is the mapping of backends to use for this core
+	credentialBackends map[string]logical.Factory
+
+	// auditBackends is the mapping of backends to use for this core
+	auditBackends map[string]audit.Factory
+
+	// stateLock protects mutable state
+	stateLock locking.RWMutex
+	sealed    *uint32
+
+	standby              bool
+	perfStandby          bool
+	standbyDoneCh        chan struct{}
+	standbyStopCh        *atomic.Value
+	manualStepDownCh     chan struct{}
+	keepHALockOnStepDown *uint32
+	heldHALock           physical.Lock
+
+	// shutdownDoneCh is used to notify when core.Shutdown() completes.
+	// core.Shutdown() is typically issued in a goroutine to allow Vault to
+	// release the stateLock. This channel is marked atomic to prevent race
+	// conditions.
+	shutdownDoneCh *atomic.Value
+
+	// unlockInfo has the keys provided to Unseal until the threshold number of parts is available, as well as the operation nonce
+	unlockInfo *unlockInformation
+
+	// generateRootProgress holds the shares until we reach enough
+	// to verify the master key
+	generateRootConfig   *GenerateRootConfig
+	generateRootProgress [][]byte
+	generateRootLock     sync.Mutex
+
+	// These variables holds the config and shares we have until we reach
+	// enough to verify the appropriate master key. Note that the same lock is
+	// used; this isn't time-critical so this shouldn't be a problem.
+	barrierRekeyConfig  *SealConfig
+	recoveryRekeyConfig *SealConfig
+	rekeyLock           sync.RWMutex
+
+	// mounts is loaded after unseal since it is a protected
+	// configuration
+	mounts *MountTable
+
+	// mountsLock is used to ensure that the mounts table does not
+	// change underneath a calling function
+	mountsLock locking.DeadlockRWMutex
+
+	// mountMigrationTracker tracks past and ongoing remount operations
+	// against their migration ids
+	mountMigrationTracker *sync.Map
+
+	// auth is loaded after unseal since it is a protected
+	// configuration
+	auth *MountTable
+
+	// authLock is used to ensure that the auth table does not
+	// change underneath a calling function
+	authLock locking.DeadlockRWMutex
+
+	// audit is loaded after unseal since it is a protected
+	// configuration
+	audit *MountTable
+
+	// auditLock is used to ensure that the audit table does not
+	// change underneath a calling function
+	auditLock sync.RWMutex
+
+	// auditBroker is used to ingest the audit events and fan
+	// out into the configured audit backends
+	auditBroker *AuditBroker
+
+	// auditedHeaders is used to configure which http headers
+	// can be output in the audit logs
+	auditedHeaders *AuditedHeadersConfig
+
+	// systemBackend is the backend which is used to manage internal operations
+	systemBackend   *SystemBackend
+	loginMFABackend *LoginMFABackend
+
+	// cubbyholeBackend is the backend which manages the per-token storage
+	cubbyholeBackend *CubbyholeBackend
+
+	// systemBarrierView is the barrier view for the system backend
+	systemBarrierView *BarrierView
+
+	// expiration manager is used for managing LeaseIDs,
+	// renewal, expiration and revocation
+	expiration *ExpirationManager
+
+	// rollback manager is used to run rollbacks periodically
+	rollback *RollbackManager
+
+	// policy store is used to manage named ACL policies
+	policyStore *PolicyStore
+
+	// token store is used to manage authentication tokens
+	tokenStore *TokenStore
+
+	// identityStore is used to manage client entities
+	identityStore *IdentityStore
+
+	// activityLog is used to track active client count
+	activityLog *ActivityLog
+	// activityLogLock protects the activityLog and activityLogConfig
+	activityLogLock sync.RWMutex
+
+	// metricsCh is used to stop the metrics streaming
+	metricsCh chan struct{}
+
+	// metricsMutex is used to prevent a race condition between
+	// metrics emission and sealing leading to a nil pointer
+	metricsMutex sync.Mutex
+
+	// inFlightReqMap is used to store info about in-flight requests
+	inFlightReqData *InFlightRequests
+
+	// mfaResponseAuthQueue is used to cache the auth response per request ID
+	mfaResponseAuthQueue     *LoginMFAPriorityQueue
+	mfaResponseAuthQueueLock sync.Mutex
+
+	// metricSink is the destination for all metrics that have
+	// a cluster label.
+	metricSink *metricsutil.ClusterMetricSink
+
+	defaultLeaseTTL time.Duration
+	maxLeaseTTL     time.Duration
+
+	// baseLogger is used to avoid ResetNamed as it strips useful prefixes in
+	// e.g. testing
+	baseLogger log.Logger
+	logger     log.Logger
+
+	// log level provided by config, CLI flag, or env
+	logLevel string
+
+	// Disables the trace display for Sentinel checks
+	sentinelTraceDisabled bool
+
+	// cachingDisabled indicates whether caches are disabled
+	cachingDisabled bool
+	// Cache stores the actual cache; we always have this but may bypass it if
+	// disabled
+	physicalCache physical.ToggleablePurgemonster
+
+	// logRequestsLevel indicates at which level requests should be logged
+	logRequestsLevel *uberAtomic.Int32
+
+	// reloadFuncs is a map containing reload functions
+	reloadFuncs map[string][]reloadutil.ReloadFunc
+
+	// reloadFuncsLock controls access to the funcs
+	reloadFuncsLock sync.RWMutex
+
+	// wrappingJWTKey is the key used for generating JWTs containing response
+	// wrapping information
+	wrappingJWTKey *ecdsa.PrivateKey
+
+	//
+	// Cluster information
+	//
+	// Name
+	clusterName string
+	// ID
+	clusterID uberAtomic.String
+	// Specific cipher suites to use for clustering, if any
+	clusterCipherSuites []uint16
+	// Used to modify cluster parameters
+	clusterParamsLock sync.RWMutex
+	// The private key stored in the barrier used for establishing
+	// mutually-authenticated connections between Vault cluster members
+	localClusterPrivateKey *atomic.Value
+	// The local cluster cert
+	localClusterCert *atomic.Value
+	// The parsed form of the local cluster cert
+	localClusterParsedCert *atomic.Value
+	// The TCP addresses we should use for clustering
+	clusterListenerAddrs []*net.TCPAddr
+	// The handler to use for request forwarding
+	clusterHandler http.Handler
+	// Write lock used to ensure that we don't have multiple connections adjust
+	// this value at the same time
+	requestForwardingConnectionLock sync.RWMutex
+	// Lock for the leader values, ensuring we don't run the parts of Leader()
+	// that change things concurrently
+	leaderParamsLock sync.RWMutex
+	// Current cluster leader values
+	clusterLeaderParams *atomic.Value
+	// Info on cluster members
+	clusterPeerClusterAddrsCache *cache.Cache
+	// The context for the client
+	rpcClientConnContext context.Context
+	// The function for canceling the client connection
+	rpcClientConnCancelFunc context.CancelFunc
+	// The grpc ClientConn for RPC calls
+	rpcClientConn *grpc.ClientConn
+	// The grpc forwarding client
+	rpcForwardingClient *forwardingClient
+	// The UUID used to hold the leader lock. Only set on active node
+	leaderUUID string
+
+	// CORS Information
+	corsConfig *CORSConfig
+
+	// replicationState keeps the current replication state cached for quick
+	// lookup; activeNodeReplicationState stores the active value on standbys
+	replicationState           *uint32
+	activeNodeReplicationState *uint32
+
+	// uiConfig contains UI configuration
+	uiConfig *UIConfig
+
+	// rawEnabled indicates whether the Raw endpoint is enabled
+	rawEnabled bool
+
+	// inspectableEnabled indicates whether the Inspect endpoint is enabled
+	introspectionEnabled     bool
+	introspectionEnabledLock sync.Mutex
+
+	// pluginDirectory is the location vault will look for plugin binaries
+	pluginDirectory string
+
+	// pluginFileUid is the uid of the plugin files and directory
+	pluginFileUid int
+
+	// pluginFilePermissions is the permissions of the plugin files and directory
+	pluginFilePermissions int
+
+	// pluginCatalog is used to manage plugin configurations
+	pluginCatalog *PluginCatalog
+
+	// pluginRuntimeCatalog is used to manage plugin runtime configurations
+	pluginRuntimeCatalog *PluginRuntimeCatalog
+
+	// The userFailedLoginInfo map has user failed login information.
+	// It has user information (alias-name and mount accessor) as a key
+	// and login counter, last failed login time as value
+	userFailedLoginInfo map[FailedLoginUser]*FailedLoginInfo
+
+	// userFailedLoginInfoLock controls access to the userFailedLoginInfoMap
+	userFailedLoginInfoLock sync.RWMutex
+
+	enableMlock bool
+
+	// This can be used to trigger operations to stop running when Vault is
+	// going to be shut down, stepped down, or sealed
+	activeContext           context.Context
+	activeContextCancelFunc *atomic.Value
+
+	// Stores the sealunwrapper for downgrade needs
+	sealUnwrapper physical.Backend
+
+	// unsealwithStoredKeysLock is a mutex that prevents multiple processes from
+	// unsealing with stored keys are the same time.
+	unsealWithStoredKeysLock sync.Mutex
+
+	// Stores any funcs that should be run on successful postUnseal
+	postUnsealFuncs []func()
+
+	// Stores any funcs that should be run on successful barrier unseal in
+	// recovery mode
+	postRecoveryUnsealFuncs []func() error
+
+	// replicationFailure is used to mark when replication has entered an
+	// unrecoverable failure.
+	replicationFailure *uint32
+
+	// disablePerfStanby is used to tell a standby not to attempt to become a
+	// perf standby
+	disablePerfStandby bool
+
+	licensingStopCh chan struct{}
+
+	// Stores loggers so we can reset the level
+	allLoggers     []log.Logger
+	allLoggersLock sync.RWMutex
+
+	// Can be toggled atomically to cause the core to never try to become
+	// active, or give up active as soon as it gets it
+	neverBecomeActive *uint32
+
+	// clusterListener starts up and manages connections on the cluster ports
+	clusterListener *atomic.Value
+
+	// customListenerHeader holds custom response headers for a listener
+	customListenerHeader *atomic.Value
+
+	// Telemetry objects
+	metricsHelper *metricsutil.MetricsHelper
+
+	// raftFollowerStates tracks information about all the raft follower nodes.
+	raftFollowerStates *raft.FollowerStates
+	// Stop channel for raft TLS rotations
+	raftTLSRotationStopCh chan struct{}
+	// Stores the pending peers we are waiting to give answers
+	pendingRaftPeers *sync.Map
+
+	// rawConfig stores the config as-is from the provided server configuration.
+	rawConfig *atomic.Value
+
+	coreNumber int
+
+	// secureRandomReader is the reader used for CSP operations
+	secureRandomReader io.Reader
+
+	recoveryMode bool
+
+	clusterNetworkLayer cluster.NetworkLayer
+
+	// PR1103disabled is used to test upgrade workflows: when set to true,
+	// the correct behaviour for namespaced cubbyholes is disabled, so we
+	// can test an upgrade to a version that includes the fixes from
+	// https://github.com/hashicorp/vault-enterprise/pull/1103
+	PR1103disabled bool
+
+	quotaManager *quotas.Manager
+
+	clusterHeartbeatInterval time.Duration
+
+	// activityLogConfig contains override values for the activity log
+	// it is protected by activityLogLock
+	activityLogConfig ActivityLogCoreConfig
+
+	censusConfig atomic.Value
+
+	// activeTime is set on active nodes indicating the time at which this node
+	// became active.
+	activeTime time.Time
+
+	// KeyRotateGracePeriod is how long we allow an upgrade path
+	// for standby instances before we delete the upgrade keys
+	keyRotateGracePeriod *int64
+
+	autoRotateCancel context.CancelFunc
+
+	updateLockedUserEntriesCancel context.CancelFunc
+
+	// number of workers to use for lease revocation in the expiration manager
+	numExpirationWorkers int
+
+	IndexHeaderHMACKey uberAtomic.Value
+
+	// disableAutopilot is used to disable the autopilot subsystem in raft storage
+	disableAutopilot bool
+
+	// enable/disable identifying response headers
+	enableResponseHeaderHostname   bool
+	enableResponseHeaderRaftNodeID bool
+
+	// disableSSCTokens is used to disable server side consistent token creation/usage
+	disableSSCTokens bool
+
+	// versionHistory is a map of vault versions to VaultVersion. The
+	// VaultVersion.TimestampInstalled when the version will denote when the version
+	// was first run. Note that because perf standbys should be upgraded first, and
+	// only the active node will actually write the new version timestamp, a perf
+	// standby shouldn't rely on the stored version timestamps being present.
+	versionHistory map[string]VaultVersion
+
+	// effectiveSDKVersion contains the SDK version that standby nodes should use when
+	// heartbeating with the active node. Default to the current SDK version.
+	effectiveSDKVersion string
+
+	numRollbackWorkers       int
+	rollbackPeriod           time.Duration
+	rollbackMountPathMetrics bool
+
+	experiments []string
+
+	pendingRemovalMountsAllowed bool
+	expirationRevokeRetryBase   time.Duration
+
+	events *eventbus.EventBus
+
+	// writeForwardedPaths are a set of storage paths which are GRPC forwarded
+	// to the active node of the primary cluster, when present. This PathManager
+	// contains absolute paths that we intend to forward (and template) when
+	// we're on a secondary cluster.
+	writeForwardedPaths *pathmanager.PathManager
+
+	// if populated, the callback is called for every request
+	// for testing purposes
+	requestResponseCallback func(logical.Backend, *logical.Request, *logical.Response)
+
+	// If any role based quota (LCQ or RLQ) is enabled, don't track lease counts by role
+	impreciseLeaseRoleTracking bool
+
+	WellKnownRedirects *wellKnownRedirectRegistry // RFC 5785
+	// Config value for "detect_deadlocks".
+	detectDeadlocks []string
+
+	echoDuration              *uberAtomic.Duration
+	activeNodeClockSkewMillis *uberAtomic.Int64
+}
+
+func (c *Core) ActiveNodeClockSkewMillis() int64 {
+	return c.activeNodeClockSkewMillis.Load()
+}
+
+func (c *Core) EchoDuration() time.Duration {
+	return c.echoDuration.Load()
+}
+
+// c.stateLock needs to be held in read mode before calling this function.
+func (c *Core) HAState() consts.HAState {
+	switch {
+	case c.perfStandby:
+		return consts.PerfStandby
+	case c.standby:
+		return consts.Standby
+	default:
+		return consts.Active
+	}
+}
+
+func (c *Core) HAStateWithLock() consts.HAState {
+	c.stateLock.RLock()
+	defer c.stateLock.RUnlock()
+
+	return c.HAState()
+}
+
+// CoreConfig is used to parameterize a core
+type CoreConfig struct {
+	entCoreConfig
+
+	DevToken string
+
+	BuiltinRegistry BuiltinRegistry
+
+	LogicalBackends map[string]logical.Factory
+
+	CredentialBackends map[string]logical.Factory
+
+	AuditBackends map[string]audit.Factory
+
+	Physical physical.Backend
+
+	StorageType string
+
+	// May be nil, which disables HA operations
+	HAPhysical physical.HABackend
+
+	ServiceRegistration sr.ServiceRegistration
+
+	// Seal is the configured seal, or if none is configured explicitly, a
+	// shamir seal.  In migration scenarios this is the new seal.
+	Seal Seal
+
+	// Unwrap seal is the optional seal marked "disabled"; this is the old
+	// seal in migration scenarios.
+	UnwrapSeal Seal
+
+	SecureRandomReader io.Reader
+
+	LogLevel string
+
+	Logger log.Logger
+
+	// Use the deadlocks library to detect deadlocks
+	DetectDeadlocks string
+
+	// If any role based quota (LCQ or RLQ) is enabled, don't track lease counts by role
+	ImpreciseLeaseRoleTracking bool
+
+	// Disables the trace display for Sentinel checks
+	DisableSentinelTrace bool
+
+	// Disables the LRU cache on the physical backend
+	DisableCache bool
+
+	// Disables mlock syscall
+	DisableMlock bool
+
+	// Custom cache size for the LRU cache on the physical backend, or zero for default
+	CacheSize int
+
+	// Set as the leader address for HA
+	RedirectAddr string
+
+	// Set as the cluster address for HA
+	ClusterAddr string
+
+	DefaultLeaseTTL time.Duration
+
+	MaxLeaseTTL time.Duration
+
+	ClusterName string
+
+	ClusterCipherSuites string
+
+	EnableUI bool
+
+	// Enable the raw endpoint
+	EnableRaw bool
+
+	// Enable the introspection endpoint
+	EnableIntrospection bool
+
+	PluginDirectory string
+
+	PluginFileUid int
+
+	PluginFilePermissions int
+
+	DisableSealWrap bool
+
+	RawConfig *server.Config
+
+	ReloadFuncs     *map[string][]reloadutil.ReloadFunc
+	ReloadFuncsLock *sync.RWMutex
+
+	// Licensing
+	License         string
+	LicensePath     string
+	LicensingConfig *LicensingConfig
+
+	// Configured Census Agent
+	CensusAgent CensusReporter
+
+	DisablePerformanceStandby bool
+	DisableIndexing           bool
+	DisableKeyEncodingChecks  bool
+
+	AllLoggers []log.Logger
+
+	// Telemetry objects
+	MetricsHelper *metricsutil.MetricsHelper
+	MetricSink    *metricsutil.ClusterMetricSink
+
+	RecoveryMode bool
+
+	ClusterNetworkLayer cluster.NetworkLayer
+
+	ClusterHeartbeatInterval time.Duration
+
+	// Activity log controls
+	ActivityLogConfig ActivityLogCoreConfig
+
+	// number of workers to use for lease revocation in the expiration manager
+	NumExpirationWorkers int
+
+	// DisableAutopilot is used to disable autopilot subsystem in raft storage
+	DisableAutopilot bool
+
+	// Whether to send headers in the HTTP response showing hostname or raft node ID
+	EnableResponseHeaderHostname   bool
+	EnableResponseHeaderRaftNodeID bool
+
+	// DisableSSCTokens is used to disable the use of server side consistent tokens
+	DisableSSCTokens bool
+
+	EffectiveSDKVersion string
+
+	RollbackPeriod time.Duration
+
+	Experiments []string
+
+	PendingRemovalMountsAllowed bool
+
+	ExpirationRevokeRetryBase time.Duration
+
+	// AdministrativeNamespacePath is used to configure the administrative namespace, which has access to some sys endpoints that are
+	// only accessible in the root namespace, currently sys/audit-hash and sys/monitor.
+	AdministrativeNamespacePath string
+
+	NumRollbackWorkers int
+}
+
+// GetServiceRegistration returns the config's ServiceRegistration, or nil if it does
+// not exist.
+func (c *CoreConfig) GetServiceRegistration() sr.ServiceRegistration {
+	// Check whether there is a ServiceRegistration explicitly configured
+	if c.ServiceRegistration != nil {
+		return c.ServiceRegistration
+	}
+
+	// Check if HAPhysical is configured and implements ServiceRegistration
+	if c.HAPhysical != nil && c.HAPhysical.HAEnabled() {
+		if disc, ok := c.HAPhysical.(sr.ServiceRegistration); ok {
+			return disc
+		}
+	}
+
+	// No service discovery is available.
+	return nil
+}
+
+// CreateCore conducts static validations on the Core Config
+// and returns an uninitialized core.
+func CreateCore(conf *CoreConfig) (*Core, error) {
+	if conf.HAPhysical != nil && conf.HAPhysical.HAEnabled() {
+		if conf.RedirectAddr == "" {
+			return nil, fmt.Errorf("missing API address, please set in configuration or via environment")
+		}
+	}
+
+	if conf.DefaultLeaseTTL == 0 {
+		conf.DefaultLeaseTTL = defaultLeaseTTL
+	}
+	if conf.MaxLeaseTTL == 0 {
+		conf.MaxLeaseTTL = maxLeaseTTL
+	}
+	if conf.DefaultLeaseTTL > conf.MaxLeaseTTL {
+		return nil, fmt.Errorf("cannot have DefaultLeaseTTL larger than MaxLeaseTTL")
+	}
+
+	// Validate the advertise addr if its given to us
+	if conf.RedirectAddr != "" {
+		u, err := url.Parse(conf.RedirectAddr)
+		if err != nil {
+			return nil, fmt.Errorf("redirect address is not valid url: %w", err)
+		}
+
+		if u.Scheme == "" {
+			return nil, fmt.Errorf("redirect address must include scheme (ex. 'http')")
+		}
+	}
+
+	// Make a default logger if not provided
+	if conf.Logger == nil {
+		conf.Logger = logging.NewVaultLogger(log.Trace)
+	}
+
+	// Make a default metric sink if not provided
+	if conf.MetricSink == nil {
+		conf.MetricSink = metricsutil.BlackholeSink()
+	}
+
+	// Instantiate a non-nil raw config if none is provided
+	if conf.RawConfig == nil {
+		conf.RawConfig = new(server.Config)
+	}
+
+	// secureRandomReader cannot be nil
+	if conf.SecureRandomReader == nil {
+		conf.SecureRandomReader = rand.Reader
+	}
+
+	clusterHeartbeatInterval := conf.ClusterHeartbeatInterval
+	if clusterHeartbeatInterval == 0 {
+		clusterHeartbeatInterval = 5 * time.Second
+	}
+
+	if conf.NumExpirationWorkers == 0 {
+		conf.NumExpirationWorkers = numExpirationWorkersDefault
+	}
+
+	if conf.NumRollbackWorkers == 0 {
+		conf.NumRollbackWorkers = RollbackDefaultNumWorkers
+	}
+
+	effectiveSDKVersion := conf.EffectiveSDKVersion
+	if effectiveSDKVersion == "" {
+		effectiveSDKVersion = version.GetVersion().Version
+	}
+
+	var detectDeadlocks []string
+	if conf.DetectDeadlocks != "" {
+		detectDeadlocks = strings.Split(conf.DetectDeadlocks, ",")
+		for k, v := range detectDeadlocks {
+			detectDeadlocks[k] = strings.ToLower(strings.TrimSpace(v))
+		}
+	}
+
+	// Use imported logging deadlock if requested
+	var stateLock locking.RWMutex
+	stateLock = &locking.SyncRWMutex{}
+
+	if slices.Contains(detectDeadlocks, "statelock") {
+		stateLock = &locking.DeadlockRWMutex{}
+	}
+
+	// Setup the core
+	c := &Core{
+		entCore:              entCore{},
+		devToken:             conf.DevToken,
+		physical:             conf.Physical,
+		serviceRegistration:  conf.GetServiceRegistration(),
+		underlyingPhysical:   conf.Physical,
+		storageType:          conf.StorageType,
+		redirectAddr:         conf.RedirectAddr,
+		clusterAddr:          new(atomic.Value),
+		clusterListener:      new(atomic.Value),
+		customListenerHeader: new(atomic.Value),
+		seal:                 conf.Seal,
+		stateLock:            stateLock,
+		router:               NewRouter(),
+		sealed:               new(uint32),
+		sealMigrationDone:    new(uint32),
+		standby:              true,
+		standbyStopCh:        new(atomic.Value),
+		baseLogger:           conf.Logger,
+		logger:               conf.Logger.Named("core"),
+		logLevel:             conf.LogLevel,
+
+		defaultLeaseTTL:                conf.DefaultLeaseTTL,
+		maxLeaseTTL:                    conf.MaxLeaseTTL,
+		sentinelTraceDisabled:          conf.DisableSentinelTrace,
+		cachingDisabled:                conf.DisableCache,
+		clusterName:                    conf.ClusterName,
+		clusterNetworkLayer:            conf.ClusterNetworkLayer,
+		clusterPeerClusterAddrsCache:   cache.New(3*clusterHeartbeatInterval, time.Second),
+		enableMlock:                    !conf.DisableMlock,
+		rawEnabled:                     conf.EnableRaw,
+		introspectionEnabled:           conf.EnableIntrospection,
+		shutdownDoneCh:                 new(atomic.Value),
+		replicationState:               new(uint32),
+		localClusterPrivateKey:         new(atomic.Value),
+		localClusterCert:               new(atomic.Value),
+		localClusterParsedCert:         new(atomic.Value),
+		activeNodeReplicationState:     new(uint32),
+		keepHALockOnStepDown:           new(uint32),
+		replicationFailure:             new(uint32),
+		disablePerfStandby:             true,
+		activeContextCancelFunc:        new(atomic.Value),
+		allLoggers:                     conf.AllLoggers,
+		builtinRegistry:                conf.BuiltinRegistry,
+		neverBecomeActive:              new(uint32),
+		clusterLeaderParams:            new(atomic.Value),
+		metricsHelper:                  conf.MetricsHelper,
+		metricSink:                     conf.MetricSink,
+		secureRandomReader:             conf.SecureRandomReader,
+		rawConfig:                      new(atomic.Value),
+		recoveryMode:                   conf.RecoveryMode,
+		postUnsealStarted:              new(uint32),
+		raftInfo:                       new(atomic.Value),
+		raftJoinDoneCh:                 make(chan struct{}),
+		clusterHeartbeatInterval:       clusterHeartbeatInterval,
+		activityLogConfig:              conf.ActivityLogConfig,
+		keyRotateGracePeriod:           new(int64),
+		numExpirationWorkers:           conf.NumExpirationWorkers,
+		raftFollowerStates:             raft.NewFollowerStates(),
+		disableAutopilot:               conf.DisableAutopilot,
+		enableResponseHeaderHostname:   conf.EnableResponseHeaderHostname,
+		enableResponseHeaderRaftNodeID: conf.EnableResponseHeaderRaftNodeID,
+		mountMigrationTracker:          &sync.Map{},
+		disableSSCTokens:               conf.DisableSSCTokens,
+		effectiveSDKVersion:            effectiveSDKVersion,
+		userFailedLoginInfo:            make(map[FailedLoginUser]*FailedLoginInfo),
+		experiments:                    conf.Experiments,
+		pendingRemovalMountsAllowed:    conf.PendingRemovalMountsAllowed,
+		expirationRevokeRetryBase:      conf.ExpirationRevokeRetryBase,
+		rollbackMountPathMetrics:       conf.MetricSink.TelemetryConsts.RollbackMetricsIncludeMountPoint,
+		numRollbackWorkers:             conf.NumRollbackWorkers,
+		impreciseLeaseRoleTracking:     conf.ImpreciseLeaseRoleTracking,
+		WellKnownRedirects:             NewWellKnownRedirects(),
+		detectDeadlocks:                detectDeadlocks,
+		echoDuration:                   uberAtomic.NewDuration(0),
+		activeNodeClockSkewMillis:      uberAtomic.NewInt64(0),
+	}
+
+	c.standbyStopCh.Store(make(chan struct{}))
+	atomic.StoreUint32(c.sealed, 1)
+	c.metricSink.SetGaugeWithLabels([]string{"core", "unsealed"}, 0, nil)
+
+	c.shutdownDoneCh.Store(make(chan struct{}))
+
+	c.allLoggers = append(c.allLoggers, c.logger)
+
+	c.router.logger = c.logger.Named("router")
+	c.allLoggers = append(c.allLoggers, c.router.logger)
+
+	c.router.rollbackMetricsMountName = c.rollbackMountPathMetrics
+
+	c.inFlightReqData = &InFlightRequests{
+		InFlightReqMap:   &sync.Map{},
+		InFlightReqCount: uberAtomic.NewUint64(0),
+	}
+
+	c.SetConfig(conf.RawConfig)
+
+	atomic.StoreUint32(c.replicationState, uint32(consts.ReplicationDRDisabled|consts.ReplicationPerformanceDisabled))
+	c.localClusterCert.Store(([]byte)(nil))
+	c.localClusterParsedCert.Store((*x509.Certificate)(nil))
+	c.localClusterPrivateKey.Store((*ecdsa.PrivateKey)(nil))
+
+	c.clusterLeaderParams.Store((*ClusterLeaderParams)(nil))
+	c.clusterAddr.Store(conf.ClusterAddr)
+	c.activeContextCancelFunc.Store((context.CancelFunc)(nil))
+	atomic.StoreInt64(c.keyRotateGracePeriod, int64(2*time.Minute))
+
+	c.hcpLinkStatus = HCPLinkStatus{
+		lock:             sync.RWMutex{},
+		ConnectionStatus: "disconnected",
+	}
+
+	c.raftInfo.Store((*raftInformation)(nil))
+
+	switch conf.ClusterCipherSuites {
+	case "tls13", "tls12":
+		// Do nothing, let Go use the default
+
+	case "":
+		// Add in forward compatible TLS 1.3 suites, followed by handpicked 1.2 suites
+		c.clusterCipherSuites = []uint16{
+			// 1.3
+			tls.TLS_AES_128_GCM_SHA256,
+			tls.TLS_AES_256_GCM_SHA384,
+			tls.TLS_CHACHA20_POLY1305_SHA256,
+			// 1.2
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		}
+
+	default:
+		suites, err := tlsutil.ParseCiphers(conf.ClusterCipherSuites)
+		if err != nil {
+			return nil, fmt.Errorf("error parsing cluster cipher suites: %w", err)
+		}
+		c.clusterCipherSuites = suites
+	}
+
+	// Load CORS config and provide a value for the core field.
+	c.corsConfig = &CORSConfig{
+		core:    c,
+		Enabled: new(uint32),
+	}
+
+	// Load write-forwarded path manager.
+	c.writeForwardedPaths = pathmanager.New()
+
+	// Load seal information.
+	if c.seal == nil {
+		wrapper := aeadwrapper.NewShamirWrapper()
+		wrapper.SetConfig(context.Background(), awskms.WithLogger(c.logger.Named("shamir")))
+
+		access, err := vaultseal.NewAccessFromWrapper(c.logger, wrapper, SealConfigTypeShamir.String())
+		if err != nil {
+			return nil, err
+		}
+		c.seal = NewDefaultSeal(access)
+	}
+	c.seal.SetCore(c)
+	return c, nil
+}
+
+// NewCore creates, initializes and configures a Vault node (core).
+func NewCore(conf *CoreConfig) (*Core, error) {
+	// NOTE: The order of configuration of the core has some importance, as we can
+	// make use of an early return if we are running this new core in recovery mode.
+	c, err := CreateCore(conf)
+	if err != nil {
+		return nil, err
+	}
+
+	err = coreInit(c, conf)
+	if err != nil {
+		return nil, err
+	}
+
+	switch {
+	case conf.DisableMlock:
+		// User configured that memory lock should be disabled on unix systems.
+	default:
+		err = mlock.LockMemory()
+		if err != nil {
+			return nil, fmt.Errorf(ErrMlockFailedTemplate, err)
+		}
+	}
+
+	// Construct a new AES-GCM barrier
+	c.barrier, err = NewAESGCMBarrier(c.physical)
+	if err != nil {
+		return nil, fmt.Errorf("barrier setup failed: %w", err)
+	}
+
+	err = c.entCheckStoredLicense(conf)
+	if err != nil {
+		return nil, err
+	}
+
+	// We create the funcs here, then populate the given config with it so that
+	// the caller can share state
+	conf.ReloadFuncsLock = &c.reloadFuncsLock
+	c.reloadFuncsLock.Lock()
+	c.reloadFuncs = make(map[string][]reloadutil.ReloadFunc)
+	c.reloadFuncsLock.Unlock()
+	conf.ReloadFuncs = &c.reloadFuncs
+
+	c.rollbackPeriod = conf.RollbackPeriod
+	if c.rollbackPeriod == 0 {
+		// Default to 1 minute
+		c.rollbackPeriod = 1 * time.Minute
+	}
+
+	// For recovery mode we've now configured enough to return early.
+	if c.recoveryMode {
+		return c, nil
+	}
+
+	if conf.PluginDirectory != "" {
+		c.pluginDirectory, err = filepath.Abs(conf.PluginDirectory)
+		if err != nil {
+			return nil, fmt.Errorf("core setup failed, could not verify plugin directory: %w", err)
+		}
+	}
+
+	if conf.PluginFileUid != 0 {
+		c.pluginFileUid = conf.PluginFileUid
+	}
+	if conf.PluginFilePermissions != 0 {
+		c.pluginFilePermissions = conf.PluginFilePermissions
+	}
+
+	// Create secondaries (this will only impact Enterprise versions of Vault)
+	c.createSecondaries(conf.Logger)
+
+	if conf.HAPhysical != nil && conf.HAPhysical.HAEnabled() {
+		c.ha = conf.HAPhysical
+	}
+
+	// MFA method
+	c.loginMFABackend = NewLoginMFABackend(c, conf.Logger)
+	if c.loginMFABackend.mfaLogger != nil {
+		c.AddLogger(c.loginMFABackend.mfaLogger)
+	}
+
+	// Logical backends
+	c.configureLogicalBackends(conf.LogicalBackends, conf.Logger, conf.AdministrativeNamespacePath)
+
+	// Credentials backends
+	c.configureCredentialsBackends(conf.CredentialBackends, conf.Logger)
+
+	// Audit backends
+	c.configureAuditBackends(conf.AuditBackends)
+
+	// UI
+	uiStoragePrefix := systemBarrierPrefix + "ui"
+	c.uiConfig = NewUIConfig(conf.EnableUI, physical.NewView(c.physical, uiStoragePrefix), NewBarrierView(c.barrier, uiStoragePrefix))
+
+	// Listeners
+	err = c.configureListeners(conf)
+	if err != nil {
+		return nil, err
+	}
+
+	// Log requests level
+	c.configureLogRequestsLevel(conf.RawConfig.LogRequestsLevel)
+
+	// Quotas
+	quotasLogger := conf.Logger.Named("quotas")
+	c.allLoggers = append(c.allLoggers, quotasLogger)
+
+	detectDeadlocks := slices.Contains(c.detectDeadlocks, "quotas")
+	c.quotaManager, err = quotas.NewManager(quotasLogger, c.quotaLeaseWalker, c.metricSink, detectDeadlocks)
+	if err != nil {
+		return nil, err
+	}
+
+	err = c.adjustForSealMigration(conf.UnwrapSeal)
+	if err != nil {
+		return nil, err
+	}
+
+	// Version history
+	if c.versionHistory == nil {
+		c.logger.Info("Initializing version history cache for core")
+		c.versionHistory = make(map[string]VaultVersion)
+	}
+
+	// Events
+	eventsLogger := conf.Logger.Named("events")
+	c.allLoggers = append(c.allLoggers, eventsLogger)
+	// start the event system
+	nodeID, err := c.LoadNodeID()
+	if err != nil {
+		return nil, err
+	}
+	events, err := eventbus.NewEventBus(nodeID, eventsLogger)
+	if err != nil {
+		return nil, err
+	}
+	c.events = events
+	c.events.Start()
+
+	return c, nil
+}
+
+// configureListeners configures the Core with the listeners from the CoreConfig.
+func (c *Core) configureListeners(conf *CoreConfig) error {
+	c.clusterListener.Store((*cluster.Listener)(nil))
+
+	if conf.RawConfig.Listeners == nil {
+		c.customListenerHeader.Store(([]*ListenerCustomHeaders)(nil))
+		return nil
+	}
+
+	uiHeaders, err := c.UIHeaders()
+	if err != nil {
+		return err
+	}
+
+	c.customListenerHeader.Store(NewListenerCustomHeader(conf.RawConfig.Listeners, c.logger, uiHeaders))
+
+	return nil
+}
+
+// configureLogRequestsLevel configures the Core with the supplied log requests level.
+func (c *Core) configureLogRequestsLevel(level string) {
+	c.logRequestsLevel = uberAtomic.NewInt32(0)
+
+	lvl := log.LevelFromString(level)
+
+	switch {
+	case lvl > log.NoLevel && lvl < log.Off:
+		c.logRequestsLevel.Store(int32(lvl))
+	case level != "":
+		c.logger.Warn("invalid log_requests_level", "level", level)
+	}
+}
+
+// configureAuditBackends configures the Core with the ability to create audit
+// backends for various types.
+func (c *Core) configureAuditBackends(backends map[string]audit.Factory) {
+	auditBackends := make(map[string]audit.Factory, len(backends))
+
+	for k, f := range backends {
+		auditBackends[k] = f
+	}
+
+	c.auditBackends = auditBackends
+}
+
+// configureCredentialsBackends configures the Core with the ability to create
+// credential backends for various types.
+func (c *Core) configureCredentialsBackends(backends map[string]logical.Factory, logger log.Logger) {
+	credentialBackends := make(map[string]logical.Factory, len(backends))
+
+	for k, f := range backends {
+		credentialBackends[k] = f
+	}
+
+	credentialBackends[mountTypeToken] = func(ctx context.Context, config *logical.BackendConfig) (logical.Backend, error) {
+		tsLogger := logger.Named("token")
+		c.AddLogger(tsLogger)
+		return NewTokenStore(ctx, tsLogger, c, config)
+	}
+
+	c.credentialBackends = credentialBackends
+
+	c.addExtraCredentialBackends()
+}
+
+// configureLogicalBackends configures the Core with the ability to create
+// logical backends for various types.
+func (c *Core) configureLogicalBackends(backends map[string]logical.Factory, logger log.Logger, adminNamespacePath string) {
+	logicalBackends := make(map[string]logical.Factory, len(backends))
+
+	for k, f := range backends {
+		logicalBackends[k] = f
+	}
+
+	// KV
+	_, ok := logicalBackends[mountTypeKV]
+	if !ok {
+		logicalBackends[mountTypeKV] = kv.Factory
+	}
+
+	// Cubbyhole
+	logicalBackends[mountTypeCubbyhole] = CubbyholeBackendFactory
+
+	// System
+	logicalBackends[mountTypeSystem] = func(ctx context.Context, config *logical.BackendConfig) (logical.Backend, error) {
+		sysBackendLogger := logger.Named("system")
+		c.AddLogger(sysBackendLogger)
+		b := NewSystemBackend(c, sysBackendLogger, config)
+		if err := b.Setup(ctx, config); err != nil {
+			return nil, err
+		}
+		return b, nil
+	}
+
+	// Identity
+	logicalBackends[mountTypeIdentity] = func(ctx context.Context, config *logical.BackendConfig) (logical.Backend, error) {
+		identityLogger := logger.Named("identity")
+		c.AddLogger(identityLogger)
+		return NewIdentityStore(ctx, c, config, identityLogger)
+	}
+
+	c.logicalBackends = logicalBackends
+
+	c.addExtraLogicalBackends(adminNamespacePath)
+}
+
+// handleVersionTimeStamps stores the current version at the current time to
+// storage, and then loads all versions and upgrade timestamps out from storage.
+func (c *Core) handleVersionTimeStamps(ctx context.Context) error {
+	currentTime := time.Now().UTC()
+
+	vaultVersion := &VaultVersion{
+		TimestampInstalled: currentTime,
+		Version:            version.Version,
+		BuildDate:          version.BuildDate,
+	}
+
+	isUpdated, err := c.storeVersionEntry(ctx, vaultVersion, false)
+	if err != nil {
+		return fmt.Errorf("error storing vault version: %w", err)
+	}
+	if isUpdated {
+		c.logger.Info("Recorded vault version", "vault version", version.Version, "upgrade time", currentTime, "build date", version.BuildDate)
+	}
+
+	// Finally, repopulate the version history cache
+	err = c.loadVersionHistory(ctx)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// HostnameHeaderEnabled determines whether to add the X-Vault-Hostname header
+// to HTTP responses.
+func (c *Core) HostnameHeaderEnabled() bool {
+	return c.enableResponseHeaderHostname
+}
+
+// RaftNodeIDHeaderEnabled determines whether to add the X-Vault-Raft-Node-ID header
+// to HTTP responses.
+func (c *Core) RaftNodeIDHeaderEnabled() bool {
+	return c.enableResponseHeaderRaftNodeID
+}
+
+// DisableSSCTokens determines whether to use server side consistent tokens or not.
+func (c *Core) DisableSSCTokens() bool {
+	return c.disableSSCTokens
+}
+
+// ShutdownCoreError logs a shutdown error and shuts down the Vault core.
+func (c *Core) ShutdownCoreError(err error) {
+	c.Logger().Error("shutting down core", "error", err)
+	if shutdownErr := c.ShutdownWait(); shutdownErr != nil {
+		c.Logger().Error("failed to shutdown core", "error", shutdownErr)
+	}
+}
+
+// Shutdown is invoked when the Vault instance is about to be terminated. It
+// should not be accessible as part of an API call as it will cause an availability
+// problem. It is only used to gracefully quit in the case of HA so that failover
+// happens as quickly as possible.
+func (c *Core) Shutdown() error {
+	c.logger.Debug("shutdown called")
+	err := c.sealInternal()
+
+	c.stateLock.Lock()
+	defer c.stateLock.Unlock()
+
+	doneCh := c.shutdownDoneCh.Load().(chan struct{})
+	if doneCh != nil {
+		close(doneCh)
+		c.shutdownDoneCh.Store((chan struct{})(nil))
+	}
+
+	return err
+}
+
+func (c *Core) ShutdownWait() error {
+	donech := c.ShutdownDone()
+	err := c.Shutdown()
+	if donech != nil {
+		<-donech
+	}
+	return err
+}
+
+// ShutdownDone returns a channel that will be closed after Shutdown completes
+func (c *Core) ShutdownDone() <-chan struct{} {
+	return c.shutdownDoneCh.Load().(chan struct{})
+}
+
+// CORSConfig returns the current CORS configuration
+func (c *Core) CORSConfig() *CORSConfig {
+	return c.corsConfig
+}
+
+func (c *Core) GetContext() (context.Context, context.CancelFunc) {
+	c.stateLock.RLock()
+	defer c.stateLock.RUnlock()
+
+	return context.WithCancel(namespace.RootContext(c.activeContext))
+}
+
+// Sealed checks if the Vault is current sealed
+func (c *Core) Sealed() bool {
+	return atomic.LoadUint32(c.sealed) == 1
+}
+
+// SecretProgress returns the number of keys provided so far. Lock
+// should only be false if the caller is already holding the read
+// statelock (such as calls originating from switchedLockHandleRequest).
+func (c *Core) SecretProgress(lock bool) (int, string) {
+	if lock {
+		c.stateLock.RLock()
+		defer c.stateLock.RUnlock()
+	}
+	switch c.unlockInfo {
+	case nil:
+		return 0, ""
+	default:
+		return len(c.unlockInfo.Parts), c.unlockInfo.Nonce
+	}
+}
+
+// ResetUnsealProcess removes the current unlock parts from memory, to reset
+// the unsealing process
+func (c *Core) ResetUnsealProcess() {
+	c.stateLock.Lock()
+	defer c.stateLock.Unlock()
+	c.unlockInfo = nil
+}
+
+func (c *Core) UnsealMigrate(key []byte) (bool, error) {
+	err := c.unsealFragment(key, true)
+	return !c.Sealed(), err
+}
+
+// Unseal is used to provide one of the key parts to unseal the Vault.
+func (c *Core) Unseal(key []byte) (bool, error) {
+	err := c.unsealFragment(key, false)
+	return !c.Sealed(), err
+}
+
+// unseal takes a key fragment and attempts to use it to unseal Vault.
+// Vault may remain sealed afterwards even when no error is returned,
+// depending on whether enough key fragments were provided to meet the
+// target threshold.
+//
+// The provided key should be a recovery key fragment if the seal
+// is an autoseal, or a regular seal key fragment for shamir.  In
+// migration scenarios "seal" in the preceding sentence refers to
+// the migration seal in c.migrationInfo.seal.
+//
+// We use getUnsealKey to work out if we have enough fragments,
+// and if we don't have enough we return early.  Otherwise we get
+// back the combined key.
+//
+// For legacy shamir the combined key *is* the master key.  For
+// shamir the combined key is used to decrypt the master key
+// read from storage.  For autoseal the combined key isn't used
+// except to verify that the stored recovery key matches.
+//
+// In migration scenarios a side-effect of unsealing is that
+// the members of c.migrationInfo are populated (excluding
+// .seal, which must already be populated before unseal is called.)
+func (c *Core) unsealFragment(key []byte, migrate bool) error {
+	defer metrics.MeasureSince([]string{"core", "unseal"}, time.Now())
+
+	c.stateLock.Lock()
+	defer c.stateLock.Unlock()
+
+	ctx := context.Background()
+
+	if migrate && c.migrationInfo == nil {
+		return fmt.Errorf("can't perform a seal migration, no migration seal found")
+	}
+	if migrate && c.isRaftUnseal() {
+		return fmt.Errorf("can't perform a seal migration while joining a raft cluster")
+	}
+	if !migrate && c.migrationInfo != nil {
+		done, err := c.sealMigrated(ctx)
+		if err != nil {
+			return fmt.Errorf("error checking to see if seal is migrated: %w", err)
+		}
+		if !done {
+			return fmt.Errorf("migrate option not provided and seal migration is pending")
+		}
+	}
+
+	c.logger.Debug("unseal key supplied", "migrate", migrate)
+
+	// Explicitly check for init status. This also checks if the seal
+	// configuration is valid (i.e. non-nil).
+	init, err := c.Initialized(ctx)
+	if err != nil {
+		return err
+	}
+	if !init && !c.isRaftUnseal() {
+		return ErrNotInit
+	}
+
+	// Verify the key length
+	min, max := c.barrier.KeyLength()
+	max += shamir.ShareOverhead
+	if len(key) < min {
+		return &ErrInvalidKey{fmt.Sprintf("key is shorter than minimum %d bytes", min)}
+	}
+	if len(key) > max {
+		return &ErrInvalidKey{fmt.Sprintf("key is longer than maximum %d bytes", max)}
+	}
+
+	// Check if already unsealed
+	if !c.Sealed() {
+		return nil
+	}
+
+	sealToUse := c.seal
+	if migrate {
+		c.logger.Info("unsealing using migration seal")
+		sealToUse = c.migrationInfo.seal
+	}
+
+	newKey, err := c.recordUnsealPart(key)
+	if !newKey || err != nil {
+		return err
+	}
+
+	// getUnsealKey returns either a recovery key (in the case of an autoseal)
+	// or a master key (legacy shamir) or an unseal key (new-style shamir).
+	combinedKey, err := c.getUnsealKey(ctx, sealToUse)
+	if err != nil || combinedKey == nil {
+		return err
+	}
+	if migrate {
+		c.migrationInfo.unsealKey = combinedKey
+	}
+
+	if c.isRaftUnseal() {
+		return c.unsealWithRaft(combinedKey)
+	}
+	masterKey, err := c.unsealKeyToMasterKeyPreUnseal(ctx, sealToUse, combinedKey)
+	if err != nil {
+		return err
+	}
+	return c.unsealInternal(ctx, masterKey)
+}
+
+func (c *Core) unsealWithRaft(combinedKey []byte) error {
+	ctx := context.Background()
+
+	if c.seal.BarrierSealConfigType() == SealConfigTypeShamir {
+		// If this is a legacy shamir seal this serves no purpose but it
+		// doesn't hurt.
+		err := c.seal.GetAccess().SetShamirSealKey(combinedKey)
+		if err != nil {
+			return err
+		}
+	}
+
+	raftInfo := c.raftInfo.Load().(*raftInformation)
+
+	switch raftInfo.joinInProgress {
+	case true:
+		// JoinRaftCluster is already trying to perform a join based on retry_join configuration.
+		// Inform that routine that unseal key validation is complete so that it can continue to
+		// try and join possible leader nodes, and wait for it to complete.
+
+		atomic.StoreUint32(c.postUnsealStarted, 1)
+
+		c.logger.Info("waiting for raft retry join process to complete")
+		<-c.raftJoinDoneCh
+
+	default:
+		// This is the case for manual raft join. Send the answer to the leader node and
+		// wait for data to start streaming in.
+		if err := c.joinRaftSendAnswer(ctx, c.seal.GetAccess(), raftInfo); err != nil {
+			return err
+		}
+		// Reset the state
+		c.raftInfo.Store((*raftInformation)(nil))
+	}
+
+	go func() {
+		var masterKey []byte
+		keyringFound := false
+
+		// Wait until we at least have the keyring before we attempt to
+		// unseal the node.
+		for {
+			if !keyringFound {
+				keys, err := c.underlyingPhysical.List(ctx, keyringPrefix)
+				if err != nil {
+					c.logger.Error("failed to list physical keys", "error", err)
+					return
+				}
+				if strutil.StrListContains(keys, "keyring") {
+					keyringFound = true
+				}
+			}
+			if keyringFound && len(masterKey) == 0 {
+				var err error
+				masterKey, err = c.unsealKeyToMasterKeyPreUnseal(ctx, c.seal, combinedKey)
+				if err != nil {
+					c.logger.Error("failed to read master key", "error", err)
+					return
+				}
+			}
+			if keyringFound && len(masterKey) > 0 {
+				err := c.unsealInternal(ctx, masterKey)
+				if err != nil {
+					c.logger.Error("failed to unseal", "error", err)
+				}
+				return
+			}
+			time.Sleep(1 * time.Second)
+		}
+	}()
+
+	return nil
+}
+
+// recordUnsealPart takes in a key fragment, and returns true if it's a new fragment.
+func (c *Core) recordUnsealPart(key []byte) (bool, error) {
+	// Check if we already have this piece
+	if c.unlockInfo != nil {
+		for _, existing := range c.unlockInfo.Parts {
+			if subtle.ConstantTimeCompare(existing, key) == 1 {
+				return false, nil
+			}
+		}
+	} else {
+		uuid, err := uuid.GenerateUUID()
+		if err != nil {
+			return false, err
+		}
+		c.unlockInfo = &unlockInformation{
+			Nonce: uuid,
+		}
+	}
+
+	// Store this key
+	c.unlockInfo.Parts = append(c.unlockInfo.Parts, key)
+	return true, nil
+}
+
+// getUnsealKey uses key fragments recorded by recordUnsealPart and
+// returns the combined key if the key share threshold is met.
+// If the key fragments are part of a recovery key, also verify that
+// it matches the stored recovery key on disk.
+func (c *Core) getUnsealKey(ctx context.Context, seal Seal) ([]byte, error) {
+	var config *SealConfig
+	var err error
+
+	raftInfo := c.raftInfo.Load().(*raftInformation)
+
+	switch {
+	case seal.RecoveryKeySupported():
+		config, err = seal.RecoveryConfig(ctx)
+	case c.isRaftUnseal():
+		// Ignore follower's seal config and refer to leader's barrier
+		// configuration.
+		config = raftInfo.leaderBarrierConfig
+	default:
+		config, err = seal.BarrierConfig(ctx)
+	}
+	if err != nil {
+		return nil, err
+	}
+	if config == nil {
+		return nil, fmt.Errorf("failed to obtain seal/recovery configuration")
+	}
+
+	// Check if we don't have enough keys to unlock, proceed through the rest of
+	// the call only if we have met the threshold
+	if len(c.unlockInfo.Parts) < config.SecretThreshold {
+		if c.logger.IsDebug() {
+			c.logger.Debug("cannot unseal, not enough keys", "keys", len(c.unlockInfo.Parts), "threshold", config.SecretThreshold, "nonce", c.unlockInfo.Nonce)
+		}
+		return nil, nil
+	}
+
+	defer func() {
+		c.unlockInfo = nil
+	}()
+
+	// Recover the split key. recoveredKey is the shamir combined
+	// key, or the single provided key if the threshold is 1.
+	var unsealKey []byte
+	if config.SecretThreshold == 1 {
+		unsealKey = make([]byte, len(c.unlockInfo.Parts[0]))
+		copy(unsealKey, c.unlockInfo.Parts[0])
+	} else {
+		unsealKey, err = shamir.Combine(c.unlockInfo.Parts)
+		if err != nil {
+			return nil, &ErrInvalidKey{fmt.Sprintf("failed to compute combined key: %v", err)}
+		}
+	}
+
+	if seal.RecoveryKeySupported() {
+		if err := seal.VerifyRecoveryKey(ctx, unsealKey); err != nil {
+			return nil, &ErrInvalidKey{fmt.Sprintf("failed to verify recovery key: %v", err)}
+		}
+	}
+
+	return unsealKey, nil
+}
+
+// sealMigrated must be called with the stateLock held.  It returns true if
+// the seal configured in HCL and the seal configured in storage match.
+// For the auto->auto same seal migration scenario, it will return false even
+// if the preceding conditions are true but we cannot decrypt the master key
+// in storage using the configured seal.
+func (c *Core) sealMigrated(ctx context.Context) (bool, error) {
+	if atomic.LoadUint32(c.sealMigrationDone) == 1 {
+		return true, nil
+	}
+
+	existBarrierSealConfig, existRecoverySealConfig, err := c.PhysicalSealConfigs(ctx)
+	if err != nil {
+		return false, err
+	}
+
+	if !c.seal.BarrierSealConfigType().IsSameAs(existBarrierSealConfig.Type) {
+		return false, nil
+	}
+	if c.seal.RecoveryKeySupported() && !SealConfigTypeRecovery.IsSameAs(existRecoverySealConfig.Type) {
+		return false, nil
+	}
+
+	if c.seal.BarrierSealConfigType() != c.migrationInfo.seal.BarrierSealConfigType() {
+		return true, nil
+	}
+
+	// The above checks can handle the auto->shamir and shamir->auto
+	// and auto1->auto2 cases.  For auto1->auto1, we need to actually try
+	// to read and decrypt the keys.
+
+	keysMig, errMig := c.migrationInfo.seal.GetStoredKeys(ctx)
+	keys, err := c.seal.GetStoredKeys(ctx)
+
+	switch {
+	case len(keys) > 0 && err == nil:
+		return true, nil
+	case len(keysMig) > 0 && errMig == nil:
+		return false, nil
+	case errors.Is(err, &ErrDecrypt{}) && errors.Is(errMig, &ErrDecrypt{}):
+		return false, fmt.Errorf("decrypt error, neither the old nor new seal can read stored keys: old seal err=%v, new seal err=%v", errMig, err)
+	default:
+		return false, fmt.Errorf("neither the old nor new seal can read stored keys: old seal err=%v, new seal err=%v", errMig, err)
+	}
+}
+
+// migrateSeal must be called with the stateLock held.
+func (c *Core) migrateSeal(ctx context.Context) error {
+	if c.migrationInfo == nil {
+		// There is no defaultSeal <-> autoSeal migration, but we may need to
+		// migrate seal configuration from single <-> multi autoSeal
+		return c.migrateMultiSealConfig(ctx)
+	}
+
+	ok, err := c.sealMigrated(ctx)
+	if err != nil {
+		return fmt.Errorf("error checking if seal is migrated or not: %w", err)
+	}
+
+	if ok {
+		c.logger.Info("migration is already performed")
+		return nil
+	}
+
+	c.logger.Info("seal migration initiated")
+
+	switch {
+	case c.migrationInfo.seal.RecoveryKeySupported() && c.seal.RecoveryKeySupported():
+		c.logger.Info("migrating from one auto-unseal to another", "from",
+			c.migrationInfo.seal.BarrierSealConfigType(), "to", c.seal.BarrierSealConfigType())
+
+		// Set the recovery and barrier keys to be the same.
+		recoveryKey, err := c.migrationInfo.seal.RecoveryKey(ctx)
+		if err != nil {
+			return fmt.Errorf("error getting recovery key to set on new seal: %w", err)
+		}
+
+		if err := c.seal.SetRecoveryKey(ctx, recoveryKey); err != nil {
+			return fmt.Errorf("error setting new recovery key information during migrate: %w", err)
+		}
+
+		barrierKeys, err := c.migrationInfo.seal.GetStoredKeys(ctx)
+		if err != nil {
+			return fmt.Errorf("error getting stored keys to set on new seal: %w", err)
+		}
+
+		if err := c.seal.SetStoredKeys(ctx, barrierKeys); err != nil {
+			return fmt.Errorf("error setting new barrier key information during migrate: %w", err)
+		}
+
+	case c.migrationInfo.seal.RecoveryKeySupported():
+		c.logger.Info("migrating from one auto-unseal to shamir", "from", c.migrationInfo.seal.BarrierSealConfigType())
+		// Auto to Shamir, since recovery key isn't supported on new seal
+
+		recoveryKey, err := c.migrationInfo.seal.RecoveryKey(ctx)
+		if err != nil {
+			return fmt.Errorf("error getting recovery key to set on new seal: %w", err)
+		}
+
+		// We have recovery keys; we're going to use them as the new shamir KeK.
+		err = c.seal.GetAccess().SetShamirSealKey(recoveryKey)
+		if err != nil {
+			return fmt.Errorf("failed to set master key in seal: %w", err)
+		}
+
+		barrierKeys, err := c.migrationInfo.seal.GetStoredKeys(ctx)
+		if err != nil {
+			return fmt.Errorf("error getting stored keys to set on new seal: %w", err)
+		}
+
+		if err := c.seal.SetStoredKeys(ctx, barrierKeys); err != nil {
+			return fmt.Errorf("error setting new barrier key information during migrate: %w", err)
+		}
+
+	case c.seal.RecoveryKeySupported():
+		c.logger.Info("migrating from shamir to auto-unseal", "to", c.seal.BarrierSealConfigType())
+		// Migration is happening from shamir -> auto. In this case use the shamir
+		// combined key that was used to store the master key as the new recovery key.
+		if err := c.seal.SetRecoveryKey(ctx, c.migrationInfo.unsealKey); err != nil {
+			return fmt.Errorf("error setting new recovery key information: %w", err)
+		}
+
+		// Generate a new master key
+		newMasterKey, err := c.barrier.GenerateKey(c.secureRandomReader)
+		if err != nil {
+			return fmt.Errorf("error generating new master key: %w", err)
+		}
+
+		// Rekey the barrier.  This handles the case where the shamir seal we're
+		// migrating from was a legacy seal without a stored master key.
+		if err := c.barrier.Rekey(ctx, newMasterKey); err != nil {
+			return fmt.Errorf("error rekeying barrier during migration: %w", err)
+		}
+
+		// Store the new master key
+		if err := c.seal.SetStoredKeys(ctx, [][]byte{newMasterKey}); err != nil {
+			return fmt.Errorf("error storing new master key: %w", err)
+		}
+
+	default:
+		return errors.New("unhandled migration case (shamir to shamir)")
+	}
+
+	err = c.migrateSealConfig(ctx)
+	if err != nil {
+		return fmt.Errorf("error storing new seal configs: %w", err)
+	}
+
+	// Flag migration performed for seal-rewrap later
+	atomic.StoreUint32(c.sealMigrationDone, 1)
+
+	c.logger.Info("seal migration complete")
+	return nil
+}
+
+// unsealInternal takes in the master key and attempts to unseal the barrier.
+// N.B.: This must be called with the state write lock held.
+func (c *Core) unsealInternal(ctx context.Context, masterKey []byte) error {
+	// Attempt to unlock
+	if err := c.barrier.Unseal(ctx, masterKey); err != nil {
+		return err
+	}
+
+	if err := preUnsealInternal(ctx, c); err != nil {
+		return err
+	}
+
+	if err := c.startClusterListener(ctx); err != nil {
+		return err
+	}
+
+	if err := c.startRaftBackend(ctx); err != nil {
+		return err
+	}
+
+	if err := c.setupReplicationResolverHandler(); err != nil {
+		c.logger.Warn("failed to start replication resolver server", "error", err)
+	}
+
+	// Do post-unseal setup if HA is not enabled
+	if c.ha == nil {
+		// We still need to set up cluster info even if it's not part of a
+		// cluster right now. This also populates the cached cluster object.
+		if err := c.setupCluster(ctx); err != nil {
+			c.logger.Error("cluster setup failed", "error", err)
+			c.barrier.Seal()
+			c.logger.Warn("vault is sealed")
+			return err
+		}
+
+		if err := c.migrateSeal(ctx); err != nil {
+			c.logger.Error("seal migration error", "error", err)
+			c.barrier.Seal()
+			c.logger.Warn("vault is sealed")
+			return err
+		}
+
+		ctx, ctxCancel := context.WithCancel(namespace.RootContext(nil))
+		if err := c.postUnseal(ctx, ctxCancel, standardUnsealStrategy{}); err != nil {
+			c.logger.Error("post-unseal setup failed", "error", err)
+			c.barrier.Seal()
+			c.logger.Warn("vault is sealed")
+			return err
+		}
+
+		// Force a cache bust here, which will also run migration code
+		if c.seal.RecoveryKeySupported() {
+			c.seal.ClearRecoveryConfig(ctx)
+		}
+
+		c.standby = false
+	} else {
+		// Go to standby mode, wait until we are active to unseal
+		c.standbyDoneCh = make(chan struct{})
+		c.manualStepDownCh = make(chan struct{}, 1)
+		c.standbyStopCh.Store(make(chan struct{}))
+		go c.runStandby(c.standbyDoneCh, c.manualStepDownCh, c.standbyStopCh.Load().(chan struct{}))
+	}
+
+	// Success!
+	atomic.StoreUint32(c.sealed, 0)
+	c.metricSink.SetGaugeWithLabels([]string{"core", "unsealed"}, 1, nil)
+
+	if c.logger.IsInfo() {
+		c.logger.Info("vault is unsealed")
+	}
+
+	if c.serviceRegistration != nil {
+		if err := c.serviceRegistration.NotifySealedStateChange(false); err != nil {
+			if c.logger.IsWarn() {
+				c.logger.Warn("failed to notify unsealed status", "error", err)
+			}
+		}
+		if err := c.serviceRegistration.NotifyInitializedStateChange(true); err != nil {
+			if c.logger.IsWarn() {
+				c.logger.Warn("failed to notify initialized status", "error", err)
+			}
+		}
+	}
+	return nil
+}
+
+// SealWithRequest takes in a logical.Request, acquires the lock, and passes
+// through to sealInternal
+func (c *Core) SealWithRequest(httpCtx context.Context, req *logical.Request) error {
+	defer metrics.MeasureSince([]string{"core", "seal-with-request"}, time.Now())
+
+	if c.Sealed() {
+		return nil
+	}
+
+	c.stateLock.RLock()
+
+	// This will unlock the read lock
+	// We use background context since we may not be active
+	ctx, cancel := context.WithCancel(namespace.RootContext(nil))
+	defer cancel()
+
+	go func() {
+		select {
+		case <-ctx.Done():
+		case <-httpCtx.Done():
+			cancel()
+		}
+	}()
+
+	// This will unlock the read lock
+	return c.sealInitCommon(ctx, req)
+}
+
+// Seal takes in a token and creates a logical.Request, acquires the lock, and
+// passes through to sealInternal
+func (c *Core) Seal(token string) error {
+	defer metrics.MeasureSince([]string{"core", "seal"}, time.Now())
+
+	if c.Sealed() {
+		return nil
+	}
+
+	c.stateLock.RLock()
+
+	req := &logical.Request{
+		Operation:   logical.UpdateOperation,
+		Path:        "sys/seal",
+		ClientToken: token,
+	}
+
+	// This will unlock the read lock
+	// We use background context since we may not be active
+	return c.sealInitCommon(namespace.RootContext(nil), req)
+}
+
+// sealInitCommon is common logic for Seal and SealWithRequest and is used to
+// re-seal the Vault. This requires the Vault to be unsealed again to perform
+// any further operations. Note: this function will read-unlock the state lock.
+func (c *Core) sealInitCommon(ctx context.Context, req *logical.Request) (retErr error) {
+	defer metrics.MeasureSince([]string{"core", "seal-internal"}, time.Now())
+
+	var unlocked bool
+	defer func() {
+		if !unlocked {
+			c.stateLock.RUnlock()
+		}
+	}()
+
+	if req == nil {
+		return errors.New("nil request to seal")
+	}
+
+	// Since there is no token store in standby nodes, sealing cannot be done.
+	// Ideally, the request has to be forwarded to leader node for validation
+	// and the operation should be performed. But for now, just returning with
+	// an error and recommending a vault restart, which essentially does the
+	// same thing.
+	if c.standby {
+		c.logger.Error("vault cannot seal when in standby mode; please restart instead")
+		return errors.New("vault cannot seal when in standby mode; please restart instead")
+	}
+
+	err := c.PopulateTokenEntry(ctx, req)
+	if err != nil {
+		if errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
+			return logical.ErrPermissionDenied
+		}
+		return logical.ErrInvalidRequest
+	}
+	acl, te, entity, identityPolicies, err := c.fetchACLTokenEntryAndEntity(ctx, req)
+	if err != nil {
+		return err
+	}
+
+	// Audit-log the request before going any further
+	auth := &logical.Auth{
+		ClientToken: req.ClientToken,
+		Accessor:    req.ClientTokenAccessor,
+	}
+	if te != nil {
+		auth.IdentityPolicies = identityPolicies[te.NamespaceID]
+		delete(identityPolicies, te.NamespaceID)
+		auth.ExternalNamespacePolicies = identityPolicies
+		auth.TokenPolicies = te.Policies
+		auth.Policies = append(te.Policies, identityPolicies[te.NamespaceID]...)
+		auth.Metadata = te.Meta
+		auth.DisplayName = te.DisplayName
+		auth.EntityID = te.EntityID
+		auth.TokenType = te.Type
+	}
+
+	logInput := &logical.LogInput{
+		Auth:    auth,
+		Request: req,
+	}
+	if err := c.auditBroker.LogRequest(ctx, logInput, c.auditedHeaders); err != nil {
+		c.logger.Error("failed to audit request", "request_path", req.Path, "error", err)
+		return errors.New("failed to audit request, cannot continue")
+	}
+
+	if entity != nil && entity.Disabled {
+		c.logger.Warn("permission denied as the entity on the token is disabled")
+		return logical.ErrPermissionDenied
+	}
+	if te != nil && te.EntityID != "" && entity == nil {
+		c.logger.Warn("permission denied as the entity on the token is invalid")
+		return logical.ErrPermissionDenied
+	}
+
+	// Attempt to use the token (decrement num_uses)
+	// On error bail out; if the token has been revoked, bail out too
+	if te != nil {
+		te, err = c.tokenStore.UseToken(ctx, te)
+		if err != nil {
+			c.logger.Error("failed to use token", "error", err)
+			return ErrInternalError
+		}
+		if te == nil {
+			// Token is no longer valid
+			return logical.ErrPermissionDenied
+		}
+	}
+
+	// Verify that this operation is allowed
+	authResults := c.performPolicyChecks(ctx, acl, te, req, entity, &PolicyCheckOpts{
+		RootPrivsRequired: true,
+	})
+	if !authResults.Allowed {
+		retErr = multierror.Append(retErr, authResults.Error)
+		if authResults.Error.ErrorOrNil() == nil || authResults.DeniedError {
+			retErr = multierror.Append(retErr, logical.ErrPermissionDenied)
+		}
+		return retErr
+	}
+
+	if te != nil && te.NumUses == tokenRevocationPending {
+		// Token needs to be revoked. We do this immediately here because
+		// we won't have a token store after sealing.
+		leaseID, err := c.expiration.CreateOrFetchRevocationLeaseByToken(c.activeContext, te)
+		if err == nil {
+			err = c.expiration.Revoke(c.activeContext, leaseID)
+		}
+		if err != nil {
+			c.logger.Error("token needed revocation before seal but failed to revoke", "error", err)
+			retErr = multierror.Append(retErr, ErrInternalError)
+		}
+	}
+
+	// Unlock; sealing will grab the lock when needed
+	unlocked = true
+	c.stateLock.RUnlock()
+
+	sealErr := c.sealInternal()
+
+	if sealErr != nil {
+		retErr = multierror.Append(retErr, sealErr)
+	}
+
+	return
+}
+
+// UIEnabled returns if the UI is enabled
+func (c *Core) UIEnabled() bool {
+	return c.uiConfig.Enabled()
+}
+
+// UIHeaders returns configured UI headers
+func (c *Core) UIHeaders() (http.Header, error) {
+	return c.uiConfig.Headers(context.Background())
+}
+
+// sealInternal is an internal method used to seal the vault.  It does not do
+// any authorization checking.
+func (c *Core) sealInternal() error {
+	return c.sealInternalWithOptions(true, false, true)
+}
+
+func (c *Core) sealInternalWithOptions(grabStateLock, keepHALock, performCleanup bool) error {
+	// Mark sealed, and if already marked return
+	if swapped := atomic.CompareAndSwapUint32(c.sealed, 0, 1); !swapped {
+		return nil
+	}
+	c.metricSink.SetGaugeWithLabels([]string{"core", "unsealed"}, 0, nil)
+
+	c.logger.Info("marked as sealed")
+
+	// Clear forwarding clients
+	c.requestForwardingConnectionLock.Lock()
+	c.clearForwardingClients()
+	c.requestForwardingConnectionLock.Unlock()
+
+	activeCtxCancel := c.activeContextCancelFunc.Load().(context.CancelFunc)
+	cancelCtxAndLock := func() {
+		doneCh := make(chan struct{})
+		go func() {
+			select {
+			case <-doneCh:
+			// Attempt to drain any inflight requests
+			case <-time.After(DefaultMaxRequestDuration):
+				if activeCtxCancel != nil {
+					activeCtxCancel()
+				}
+			}
+		}()
+
+		c.stateLock.Lock()
+		close(doneCh)
+		// Stop requests from processing
+		if activeCtxCancel != nil {
+			activeCtxCancel()
+		}
+	}
+
+	// Do pre-seal teardown if HA is not enabled
+	if c.ha == nil {
+		if grabStateLock {
+			cancelCtxAndLock()
+			defer c.stateLock.Unlock()
+		}
+		// Even in a non-HA context we key off of this for some things
+		c.standby = true
+
+		// Stop requests from processing
+		if activeCtxCancel != nil {
+			activeCtxCancel()
+		}
+
+		if err := c.preSeal(); err != nil {
+			c.logger.Error("pre-seal teardown failed", "error", err)
+			return fmt.Errorf("internal error")
+		}
+	} else {
+		// If we are keeping the lock we already have the state write lock
+		// held. Otherwise grab it here so that when stopCh is triggered we are
+		// locked.
+		if keepHALock {
+			atomic.StoreUint32(c.keepHALockOnStepDown, 1)
+		}
+		if grabStateLock {
+			cancelCtxAndLock()
+			defer c.stateLock.Unlock()
+		}
+
+		// If we are trying to acquire the lock, force it to return with nil so
+		// runStandby will exit
+		// If we are active, signal the standby goroutine to shut down and wait
+		// for completion. We have the state lock here so nothing else should
+		// be toggling standby status.
+		close(c.standbyStopCh.Load().(chan struct{}))
+		c.logger.Debug("finished triggering standbyStopCh for runStandby")
+
+		// Wait for runStandby to stop
+		<-c.standbyDoneCh
+		atomic.StoreUint32(c.keepHALockOnStepDown, 0)
+		c.logger.Debug("runStandby done")
+	}
+
+	c.teardownReplicationResolverHandler()
+
+	// Perform additional cleanup upon sealing.
+	if performCleanup {
+		if raftBackend := c.getRaftBackend(); raftBackend != nil {
+			if err := raftBackend.TeardownCluster(c.getClusterListener()); err != nil {
+				c.logger.Error("error stopping storage cluster", "error", err)
+				return err
+			}
+		}
+
+		// Stop the cluster listener
+		c.stopClusterListener()
+	}
+
+	c.logger.Debug("sealing barrier")
+	if err := c.barrier.Seal(); err != nil {
+		c.logger.Error("error sealing barrier", "error", err)
+		return err
+	}
+
+	if c.serviceRegistration != nil {
+		if err := c.serviceRegistration.NotifySealedStateChange(true); err != nil {
+			if c.logger.IsWarn() {
+				c.logger.Warn("failed to notify sealed status", "error", err)
+			}
+		}
+	}
+
+	if c.quotaManager != nil {
+		if err := c.quotaManager.Reset(); err != nil {
+			c.logger.Error("error resetting quota manager", "error", err)
+		}
+	}
+
+	postSealInternal(c)
+
+	c.logger.Info("vault is sealed")
+
+	return nil
+}
+
+type UnsealStrategy interface {
+	unseal(context.Context, log.Logger, *Core) error
+}
+
+type standardUnsealStrategy struct{}
+
+func (s standardUnsealStrategy) unseal(ctx context.Context, logger log.Logger, c *Core) error {
+	// Clear forwarding clients; we're active
+	c.requestForwardingConnectionLock.Lock()
+	c.clearForwardingClients()
+	c.requestForwardingConnectionLock.Unlock()
+
+	// Mark the active time. We do this first so it can be correlated to the logs
+	// for the active startup.
+	c.activeTime = time.Now().UTC()
+
+	if err := postUnsealPhysical(c); err != nil {
+		return err
+	}
+
+	if err := c.entPostUnseal(false); err != nil {
+		return err
+	}
+	if !c.ReplicationState().HasState(consts.ReplicationPerformanceSecondary | consts.ReplicationDRSecondary) {
+		// Only perf primarys should write feature flags, but we do it by
+		// excluding other states so that we don't have to change it when
+		// a non-replicated cluster becomes a primary.
+		if err := c.persistFeatureFlags(ctx); err != nil {
+			return err
+		}
+	}
+
+	if c.autoRotateCancel == nil {
+		var autoRotateCtx context.Context
+		autoRotateCtx, c.autoRotateCancel = context.WithCancel(c.activeContext)
+		go c.autoRotateBarrierLoop(autoRotateCtx)
+	}
+
+	if !c.IsDRSecondary() {
+		if err := c.ensureWrappingKey(ctx); err != nil {
+			return err
+		}
+	}
+	if err := c.setupPluginRuntimeCatalog(ctx); err != nil {
+		return err
+	}
+	if err := c.setupPluginCatalog(ctx); err != nil {
+		return err
+	}
+	if err := c.loadMounts(ctx); err != nil {
+		return err
+	}
+	if err := c.entSetupFilteredPaths(); err != nil {
+		return err
+	}
+	if err := c.setupMounts(ctx); err != nil {
+		return err
+	}
+	if err := c.entSetupAPILock(ctx); err != nil {
+		return err
+	}
+	if err := c.setupPolicyStore(ctx); err != nil {
+		return err
+	}
+	if err := c.setupManagedKeyRegistry(); err != nil {
+		return err
+	}
+	if err := c.loadCORSConfig(ctx); err != nil {
+		return err
+	}
+	if err := c.loadCredentials(ctx); err != nil {
+		return err
+	}
+	if err := c.entSetupFilteredPaths(); err != nil {
+		return err
+	}
+	if err := c.setupCredentials(ctx); err != nil {
+		return err
+	}
+	if err := c.setupQuotas(ctx, false); err != nil {
+		return err
+	}
+	if err := c.setupHeaderHMACKey(ctx, false); err != nil {
+		return err
+	}
+	if !c.IsDRSecondary() {
+		c.updateLockedUserEntries()
+
+		if err := c.startRollback(); err != nil {
+			return err
+		}
+		if err := c.setupExpiration(expireLeaseStrategyFairsharing); err != nil {
+			return err
+		}
+		if err := c.loadAudits(ctx); err != nil {
+			return err
+		}
+		if err := c.setupAuditedHeadersConfig(ctx); err != nil {
+			return err
+		}
+
+		if err := c.setupAudits(ctx); err != nil {
+			return err
+		}
+		if err := c.loadIdentityStoreArtifacts(ctx); err != nil {
+			return err
+		}
+		if err := loadPolicyMFAConfigs(ctx, c); err != nil {
+			return err
+		}
+		c.setupCachedMFAResponseAuth()
+		if err := c.loadLoginMFAConfigs(ctx); err != nil {
+			return err
+		}
+
+		if err := c.setupCensusAgent(); err != nil {
+			c.logger.Error("skipping reporting for nil agent", "error", err)
+		}
+
+		// not waiting on wg to avoid changing existing behavior
+		var wg sync.WaitGroup
+		if err := c.setupActivityLog(ctx, &wg); err != nil {
+			return err
+		}
+	} else {
+		var err error
+		disableEventLogger, err := parseutil.ParseBool(os.Getenv(featureFlagDisableEventLogger))
+		if err != nil {
+			return fmt.Errorf("unable to parse feature flag: %q: %w", featureFlagDisableEventLogger, err)
+		}
+		c.auditBroker, err = NewAuditBroker(c.logger, !disableEventLogger)
+		if err != nil {
+			return err
+		}
+	}
+
+	if !c.ReplicationState().HasState(consts.ReplicationPerformanceSecondary | consts.ReplicationDRSecondary) {
+		// Cannot do this above, as we need other resources like mounts to be setup
+		if err := c.setupPluginReload(); err != nil {
+			return err
+		}
+
+		// Retrieve the seal generation information from storage
+		existingGenerationInfo, err := PhysicalSealGenInfo(ctx, c.physical)
+		if err != nil {
+			c.logger.Error("cannot read existing seal generation info from storage", "error", err)
+			return err
+		}
+
+		sealGenerationInfo := c.seal.GetAccess().GetSealGenerationInfo()
+
+		switch {
+		case existingGenerationInfo == nil:
+			// This is the first time we store seal generation information
+			fallthrough
+		case existingGenerationInfo.Generation < sealGenerationInfo.Generation:
+			// We have incremented the seal generation
+			if err := c.SetPhysicalSealGenInfo(ctx, sealGenerationInfo); err != nil {
+				c.logger.Error("failed to store seal generation info", "error", err)
+				return err
+			}
+
+		case existingGenerationInfo.Generation == sealGenerationInfo.Generation:
+			// Same generation, update the rewrapped flag in case the previous active node
+			// changed its value. In other words, a rewrap may have happened, or a rewrap may have been
+			// started but not completed.
+			c.seal.GetAccess().GetSealGenerationInfo().SetRewrapped(existingGenerationInfo.IsRewrapped())
+
+		case existingGenerationInfo.Generation > sealGenerationInfo.Generation:
+			// Our seal information is out of date. The previous active node used a newer generation.
+			c.logger.Error("A newer seal generation was found in storage. The seal configuration in this node should be updated to match that of the previous active node, and this node should be restarted.")
+			return errors.New("newer seal generation found in storage, in memory seal configuration is out of date")
+		}
+
+		if server.IsMultisealSupported() && !sealGenerationInfo.IsRewrapped() {
+			// Set the migration done flag so that a seal-rewrap gets triggered later.
+			// Note that in the case where multi seal is not supported, Core.migrateSeal() takes care of
+			// triggering the rewrap when necessary.
+			c.logger.Trace("seal generation information indicates that a seal-rewrap is needed", "generation", sealGenerationInfo.Generation)
+			atomic.StoreUint32(c.sealMigrationDone, 1)
+		}
+
+		startPartialSealRewrapping(c)
+	}
+
+	if c.getClusterListener() != nil && (c.ha != nil || shouldStartClusterListener(c)) {
+		if err := c.setupRaftActiveNode(ctx); err != nil {
+			return err
+		}
+
+		if err := c.startForwarding(ctx); err != nil {
+			return err
+		}
+
+	}
+
+	c.clusterParamsLock.Lock()
+	defer c.clusterParamsLock.Unlock()
+	if err := c.entStartReplication(); err != nil {
+		return err
+	}
+
+	c.metricsCh = make(chan struct{})
+	go c.emitMetricsActiveNode(c.metricsCh)
+
+	// Establish version timestamps at the end of unseal on active nodes only.
+	if err := c.handleVersionTimeStamps(ctx); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// postUnseal is invoked on the active node, and performance standby nodes,
+// after the barrier is unsealed, but before
+// allowing any user operations. This allows us to setup any state that
+// requires the Vault to be unsealed such as mount tables, logical backends,
+// credential stores, etc.
+func (c *Core) postUnseal(ctx context.Context, ctxCancelFunc context.CancelFunc, unsealer UnsealStrategy) (retErr error) {
+	defer metrics.MeasureSince([]string{"core", "post_unseal"}, time.Now())
+
+	// Clear any out
+	c.postUnsealFuncs = nil
+
+	// Create a new request context
+	c.activeContext = ctx
+	c.activeContextCancelFunc.Store(ctxCancelFunc)
+
+	defer func() {
+		if retErr != nil {
+			ctxCancelFunc()
+			_ = c.preSeal()
+		}
+	}()
+	c.logger.Info("post-unseal setup starting")
+
+	// Enable the cache
+	c.physicalCache.Purge(ctx)
+	if !c.cachingDisabled {
+		c.physicalCache.SetEnabled(true)
+	}
+
+	// Purge these for safety in case of a rekey
+	_ = c.seal.ClearBarrierConfig(ctx)
+	if c.seal.RecoveryKeySupported() {
+		_ = c.seal.ClearRecoveryConfig(ctx)
+	}
+
+	// Load prior un-updated store into version history cache to compare
+	// previous state.
+	if err := c.loadVersionHistory(ctx); err != nil {
+		return err
+	}
+
+	if err := unsealer.unseal(ctx, c.logger, c); err != nil {
+		return err
+	}
+
+	// Automatically re-encrypt the keys used for auto unsealing when the
+	// seal's encryption key changes. The regular rotation of cryptographic
+	// keys is a NIST recommendation. Access to prior keys for decryption
+	// is normally supported for a configurable time period. Re-encrypting
+	// the keys used for auto unsealing ensures Vault and its data will
+	// continue to be accessible even after prior seal keys are destroyed.
+	if seal, ok := c.seal.(*autoSeal); ok {
+		if err := seal.UpgradeKeys(c.activeContext); err != nil {
+			c.logger.Warn("post-unseal upgrade seal keys failed", "error", err)
+		}
+
+		// Start a periodic but infrequent heartbeat to detect auto-seal backend outages at runtime rather than being
+		// surprised by this at the next need to unseal.
+		seal.StartHealthCheck()
+	}
+
+	// This is intentionally the last block in this function. We want to allow
+	// writes just before allowing client requests, to ensure everything has
+	// been set up properly before any writes can have happened.
+	//
+	// Use a small temporary worker pool to run postUnsealFuncs in parallel
+	postUnsealFuncConcurrency := runtime.NumCPU() * 2
+	if v := os.Getenv("VAULT_POSTUNSEAL_FUNC_CONCURRENCY"); v != "" {
+		pv, err := strconv.Atoi(v)
+		if err != nil || pv < 1 {
+			c.logger.Warn("invalid value for VAULT_POSTUNSEAL_FUNC_CURRENCY, must be a positive integer", "error", err, "value", pv)
+		} else {
+			postUnsealFuncConcurrency = pv
+		}
+	}
+	if postUnsealFuncConcurrency <= 1 {
+		// Out of paranoia, keep the old logic for parallism=1
+		for _, v := range c.postUnsealFuncs {
+			v()
+		}
+	} else {
+		jobs := make(chan func())
+		var wg sync.WaitGroup
+		for i := 0; i < postUnsealFuncConcurrency; i++ {
+			go func() {
+				for v := range jobs {
+					v()
+					wg.Done()
+				}
+			}()
+		}
+		for _, v := range c.postUnsealFuncs {
+			wg.Add(1)
+			jobs <- v
+		}
+		wg.Wait()
+		close(jobs)
+	}
+
+	if atomic.LoadUint32(c.sealMigrationDone) == 1 {
+		if err := c.postSealMigration(ctx); err != nil {
+			c.logger.Warn("post-unseal post seal migration failed", "error", err)
+		}
+	}
+
+	if os.Getenv(EnvVaultDisableLocalAuthMountEntities) != "" {
+		c.logger.Warn("disabling entities for local auth mounts through env var", "env", EnvVaultDisableLocalAuthMountEntities)
+	}
+	c.loginMFABackend.usedCodes = cache.New(0, 30*time.Second)
+	if c.systemBackend != nil && c.systemBackend.mfaBackend != nil {
+		c.systemBackend.mfaBackend.usedCodes = cache.New(0, 30*time.Second)
+	}
+	c.logger.Info("post-unseal setup complete")
+	return nil
+}
+
+// preSeal is invoked before the barrier is sealed, allowing
+// for any state teardown required.
+func (c *Core) preSeal() error {
+	defer metrics.MeasureSince([]string{"core", "pre_seal"}, time.Now())
+	c.logger.Info("pre-seal teardown starting")
+
+	if seal, ok := c.seal.(*autoSeal); ok {
+		seal.StopHealthCheck()
+	}
+	// Clear any pending funcs
+	c.postUnsealFuncs = nil
+	c.activeTime = time.Time{}
+
+	// Clear any rekey progress
+	c.barrierRekeyConfig = nil
+	c.recoveryRekeyConfig = nil
+
+	if c.metricsCh != nil {
+		close(c.metricsCh)
+		c.metricsCh = nil
+	}
+	var result error
+
+	c.stopForwarding()
+
+	c.stopRaftActiveNode()
+
+	c.clusterParamsLock.Lock()
+	if err := c.entStopReplication(); err != nil {
+		result = multierror.Append(result, fmt.Errorf("error stopping replication: %w", err))
+	}
+	c.clusterParamsLock.Unlock()
+
+	if err := c.teardownAudits(); err != nil {
+		result = multierror.Append(result, fmt.Errorf("error tearing down audits: %w", err))
+	}
+	if err := c.stopExpiration(); err != nil {
+		result = multierror.Append(result, fmt.Errorf("error stopping expiration: %w", err))
+	}
+	c.stopActivityLog()
+	// Clean up the censusAgent on seal
+	if err := c.teardownCensusAgent(); err != nil {
+		result = multierror.Append(result, fmt.Errorf("error tearing down reporting agent: %w", err))
+	}
+
+	if err := c.teardownCredentials(context.Background()); err != nil {
+		result = multierror.Append(result, fmt.Errorf("error tearing down credentials: %w", err))
+	}
+	if err := c.teardownPolicyStore(); err != nil {
+		result = multierror.Append(result, fmt.Errorf("error tearing down policy store: %w", err))
+	}
+	if err := c.stopRollback(); err != nil {
+		result = multierror.Append(result, fmt.Errorf("error stopping rollback: %w", err))
+	}
+	if err := c.unloadMounts(context.Background()); err != nil {
+		result = multierror.Append(result, fmt.Errorf("error unloading mounts: %w", err))
+	}
+
+	if err := c.entPreSeal(); err != nil {
+		result = multierror.Append(result, err)
+	}
+
+	if c.autoRotateCancel != nil {
+		c.autoRotateCancel()
+		c.autoRotateCancel = nil
+	}
+
+	if c.updateLockedUserEntriesCancel != nil {
+		c.updateLockedUserEntriesCancel()
+		c.updateLockedUserEntriesCancel = nil
+	}
+
+	if seal, ok := c.seal.(*autoSeal); ok {
+		seal.StopHealthCheck()
+	}
+
+	if c.systemBackend != nil && c.systemBackend.mfaBackend != nil {
+		c.systemBackend.mfaBackend.usedCodes = nil
+	}
+	if err := c.teardownLoginMFA(); err != nil {
+		result = multierror.Append(result, fmt.Errorf("error tearing down login MFA, error: %w", err))
+	}
+
+	preSealPhysical(c)
+
+	c.logger.Info("pre-seal teardown complete")
+	return result
+}
+
+func (c *Core) ReplicationState() consts.ReplicationState {
+	return consts.ReplicationState(atomic.LoadUint32(c.replicationState))
+}
+
+func (c *Core) ActiveNodeReplicationState() consts.ReplicationState {
+	return consts.ReplicationState(atomic.LoadUint32(c.activeNodeReplicationState))
+}
+
+func (c *Core) SealAccess() *SealAccess {
+	return NewSealAccess(c.seal)
+}
+
+// StorageType returns a string equal to the storage configuration's type.
+func (c *Core) StorageType() string {
+	return c.storageType
+}
+
+func (c *Core) Logger() log.Logger {
+	return c.logger
+}
+
+func (c *Core) BarrierKeyLength() (min, max int) {
+	min, max = c.barrier.KeyLength()
+	max += shamir.ShareOverhead
+	return
+}
+
+func (c *Core) AuditedHeadersConfig() *AuditedHeadersConfig {
+	return c.auditedHeaders
+}
+
+// physicalBarrierSealConfig reads the storage entry at configPath and parses and validates it as SealConfig.
+func physicalSealConfig(ctx context.Context, c *Core, label, configPath string) (*SealConfig, error) {
+	pe, err := c.physical.Get(ctx, configPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to fetch %s seal configuration: %w", label, err)
+	}
+	if pe == nil {
+		return nil, nil
+	}
+
+	config := new(SealConfig)
+
+	if err := jsonutil.DecodeJSON(pe.Value, config); err != nil {
+		return nil, fmt.Errorf("failed to decode %s seal configuration: %w", label, err)
+	}
+	err = config.Validate()
+	if err != nil {
+		return nil, fmt.Errorf("failed to validate %s seal configuration: %w", label, err)
+	}
+	// In older versions of vault the default seal would not store a type. This
+	// is here to offer backwards compatibility for older seal configs.
+	if config.Type == "" {
+		config.Type = SealConfigTypeShamir.String()
+	}
+
+	return config, nil
+}
+
+func (c *Core) PhysicalBarrierSealConfig(ctx context.Context) (*SealConfig, error) {
+	return physicalSealConfig(ctx, c, "barrier", barrierSealConfigPath)
+}
+
+func (c *Core) PhysicalRecoverySealConfig(ctx context.Context) (*SealConfig, error) {
+	return physicalSealConfig(ctx, c, "recovery", recoverySealConfigPlaintextPath)
+}
+
+func (c *Core) PhysicalRecoverySealConfigOldPath(ctx context.Context) (*SealConfig, error) {
+	return physicalSealConfig(ctx, c, "recovery", recoverySealConfigPath)
+}
+
+func (c *Core) PhysicalSealConfigs(ctx context.Context) (*SealConfig, *SealConfig, error) {
+	barrierConf, err := c.PhysicalBarrierSealConfig(ctx)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to get barrier seal configuration at migration check time: %w", err)
+	}
+	if barrierConf == nil {
+		return nil, nil, nil
+	}
+
+	recoveryConf, err := c.PhysicalRecoverySealConfig(ctx)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to get recovery seal configuration at migration check time: %w", err)
+	}
+
+	return barrierConf, recoveryConf, nil
+}
+
+func (c *Core) SetPhysicalBarrierSealConfig(ctx context.Context, barrierSealConfig *SealConfig) error {
+	return setPhysicalSealConfig(ctx, c, "barrier", barrierSealConfigPath, barrierSealConfig)
+}
+
+func (c *Core) SetPhysicalRecoverySealConfig(ctx context.Context, recoverySealConfig *SealConfig) error {
+	return setPhysicalSealConfig(ctx, c, "recovery", recoverySealConfigPlaintextPath, recoverySealConfig)
+}
+
+func setPhysicalSealConfig(ctx context.Context, c *Core, label, configPath string, sealConfig *SealConfig) error {
+	// Encode the seal configuration
+	buf, err := json.Marshal(sealConfig)
+	if err != nil {
+		return fmt.Errorf("failed to encode %s seal configuration: %w", label, err)
+	}
+
+	// Store the seal configuration
+	pe := &physical.Entry{
+		Key:   configPath,
+		Value: buf,
+	}
+
+	if err := c.physical.Put(ctx, pe); err != nil {
+		c.logger.Error(fmt.Sprintf("failed to write %s seal configuration", label), "error", err)
+		return fmt.Errorf("failed to write %s seal configuration: %w", label, err)
+	}
+
+	return nil
+}
+
+// adjustForSealMigration takes the unwrapSeal, which is nil if (a) we're not
+// configured for seal migration or (b) we might be doing a seal migration away
+// from shamir.  It will only be non-nil if there is a configured seal with
+// the config key disabled=true, which implies a migration away from autoseal.
+//
+// For case (a), the common case, we expect that the stored barrier
+// config matches the seal type, in which case we simply return nil.  If they
+// don't match, and the stored seal config is of type Shamir but the configured
+// seal is not Shamir, that is case (b) and we make an unwrapSeal of type Shamir.
+// Any other unwrapSeal=nil scenario is treated as an error.
+//
+// Given a non-nil unwrapSeal or case (b), we setup c.migrationInfo to prepare
+// for a migration upon receiving a valid migration unseal request.  We cannot
+// check at this time for already performed (or incomplete) migrations because
+// we haven't yet been unsealed, so we have no way of checking whether a
+// shamir seal works to read stored seal-encrypted data.
+//
+// The assumption throughout is that the very last step of seal migration is
+// to write the new barrier/recovery stored seal config.
+func (c *Core) adjustForSealMigration(unwrapSeal Seal) error {
+	ctx := context.Background()
+	existBarrierSealConfig, existRecoverySealConfig, err := c.PhysicalSealConfigs(ctx)
+	if err != nil {
+		return fmt.Errorf("Error checking for existing seal: %s", err)
+	}
+
+	// If we don't have an existing config or if it's the deprecated auto seal
+	// which needs an upgrade, skip out
+	if existBarrierSealConfig == nil || existBarrierSealConfig.Type == WrapperTypeHsmAutoDeprecated.String() {
+		return nil
+	}
+
+	if unwrapSeal == nil {
+		// With unwrapSeal==nil, either we're not migrating, or we're migrating
+		// from shamir.
+
+		storedType := SealConfigType(existBarrierSealConfig.Type)
+		configuredType := c.seal.BarrierSealConfigType()
+
+		switch {
+		case storedType == configuredType:
+			// We have the same barrier type and the unwrap seal is nil so we're not
+			// migrating from same to same, IOW we assume it's not a migration.
+			return nil
+		case configuredType == SealConfigTypeShamir:
+			// The stored barrier config is not shamir, there is no disabled seal
+			// in config, and either no configured seal (which equates to Shamir)
+			// or an explicitly configured Shamir seal.
+			return fmt.Errorf("cannot seal migrate from %q to Shamir, no disabled seal in configuration",
+				existBarrierSealConfig.Type)
+		case storedType == SealConfigTypeShamir:
+			// The configured seal is not Shamir, the stored seal config is Shamir.
+			// This is a migration away from Shamir.
+
+			// See note about creating a SealGenerationInfo for the unwrap seal in
+			// function setSeal in server.go.
+			sealAccess, err := vaultseal.NewAccessFromWrapper(c.logger, aeadwrapper.NewShamirWrapper(), SealConfigTypeShamir.String())
+			if err != nil {
+				return err
+			}
+			unwrapSeal = NewDefaultSeal(sealAccess)
+		case configuredType == SealConfigTypeMultiseal && server.IsMultisealSupported():
+			// We are going from a single non-shamir seal to multiseal, and multi seal is supported.
+			// This scenario is not considered a migration in the sense of requiring an unwrapSeal,
+			// but we will update the stored SealConfig later (see Core.migrateMultiSealConfig).
+
+			return nil
+		case configuredType == SealConfigTypeMultiseal:
+			// The configured seal is multiseal and we know the stored type is not shamir, thus
+			// we are going from auto seal to multiseal.
+			return fmt.Errorf("cannot seal migrate from %q to %q, multiple seals are not supported",
+				existBarrierSealConfig.Type, c.seal.BarrierSealConfigType())
+		case storedType == SealConfigTypeMultiseal:
+			// The stored type is multiseal and we know the type the configured type is not shamir,
+			// thus we are going from multiseal to autoseal.
+			//
+			// This scenario is not considered a migration in the sense of requiring an unwrapSeal,
+			// but we will update the stored SealConfig later (see Core.migrateMultiSealConfig).
+
+			return nil
+		default:
+			// We know at this point that there is a configured non-Shamir seal,
+			// that it does not match the stored non-Shamir seal config, and that
+			// there is no explicitly disabled seal stanza.
+			return fmt.Errorf("cannot seal migrate from %q to %q, no disabled seal in configuration",
+				existBarrierSealConfig.Type, c.seal.BarrierSealConfigType())
+		}
+	} else {
+		// If we're not coming from Shamir we expect the previous seal to be
+		// in the config and disabled.
+
+		if unwrapSeal.BarrierSealConfigType() == SealConfigTypeShamir {
+			return errors.New("Shamir seals cannot be set disabled (they should simply not be set)")
+		}
+	}
+
+	// If we've reached this point it's a migration attempt and we should have both
+	// c.migrationInfo.seal (old seal) and c.seal (new seal) populated.
+	unwrapSeal.SetCore(c)
+
+	// No stored recovery seal config found, what about the legacy recovery config?
+	if existBarrierSealConfig.Type != SealConfigTypeShamir.String() && existRecoverySealConfig == nil {
+		entry, err := c.physical.Get(ctx, recoverySealConfigPath)
+		if err != nil {
+			return fmt.Errorf("failed to read %q recovery seal configuration: %w", existBarrierSealConfig.Type, err)
+		}
+		if entry == nil {
+			return errors.New("Recovery seal configuration not found for existing seal")
+		}
+		return errors.New("Cannot migrate seals while using a legacy recovery seal config")
+	}
+
+	c.migrationInfo = &migrationInformation{
+		seal: unwrapSeal,
+	}
+	if existBarrierSealConfig.Type != c.seal.BarrierSealConfigType().String() {
+		// It's unnecessary to call this when doing an auto->auto
+		// same-seal-type migration, since they'll have the same configs before
+		// and after migration.
+		c.adjustSealConfigDuringMigration(existBarrierSealConfig, existRecoverySealConfig)
+	}
+	c.initSealsForMigration()
+	c.logger.Warn("entering seal migration mode; Vault will not automatically unseal even if using an autoseal", "from_barrier_type", c.migrationInfo.seal.BarrierSealConfigType(), "to_barrier_type", c.seal.BarrierSealConfigType())
+
+	return nil
+}
+
+func (c *Core) migrateMultiSealConfig(ctx context.Context) error {
+	barrierSealConfig, err := c.PhysicalBarrierSealConfig(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to read existing seal configuration during multi seal migration: %v", err)
+	}
+
+	switch {
+	case c.seal.BarrierSealConfigType().IsSameAs(barrierSealConfig.Type):
+		return nil
+	case c.seal.BarrierSealConfigType() == SealConfigTypeMultiseal:
+		// needs update
+	case SealConfigTypeMultiseal.IsSameAs(barrierSealConfig.Type):
+		// needs update
+	default:
+		return nil
+	}
+
+	// Note that SetBarrierConfig updates SealConfig.Type to the correct value.
+	if err := c.seal.SetBarrierConfig(ctx, barrierSealConfig); err != nil {
+		return fmt.Errorf("error storing barrier config during multi seal migration: %w", err)
+	}
+
+	// Note that we don't need to trigger a seal rewrap here, since we'll do that when
+	// we update the SealGenerationInfo. See standardUnsealStrategy.unseal().
+
+	return nil
+}
+
+func (c *Core) migrateSealConfig(ctx context.Context) error {
+	existBarrierSealConfig, existRecoverySealConfig, err := c.PhysicalSealConfigs(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to read existing seal configuration during migration: %v", err)
+	}
+
+	var bc, rc *SealConfig
+
+	switch {
+	case c.migrationInfo.seal.RecoveryKeySupported() && c.seal.RecoveryKeySupported():
+		// Migrating from auto->auto, copy the configs over
+		bc, rc = existBarrierSealConfig, existRecoverySealConfig
+	case c.migrationInfo.seal.RecoveryKeySupported():
+		// Migrating from auto->shamir, clone auto's recovery config and set
+		// stored keys to 1.
+		bc = existRecoverySealConfig.Clone()
+		bc.StoredShares = 1
+	case c.seal.RecoveryKeySupported():
+		// Migrating from shamir->auto, set a new barrier config and set
+		// recovery config to a clone of shamir's barrier config with stored
+		// keys set to 0.
+		bc = &SealConfig{
+			Type:            c.seal.BarrierSealConfigType().String(),
+			SecretShares:    1,
+			SecretThreshold: 1,
+			StoredShares:    1,
+		}
+
+		rc = existBarrierSealConfig.Clone()
+		rc.StoredShares = 0
+	}
+
+	if err := c.seal.SetBarrierConfig(ctx, bc); err != nil {
+		return fmt.Errorf("error storing barrier config after migration: %w", err)
+	}
+
+	if c.seal.RecoveryKeySupported() {
+		if err := c.seal.SetRecoveryConfig(ctx, rc); err != nil {
+			return fmt.Errorf("error storing recovery config after migration: %w", err)
+		}
+	} else if err := c.physical.Delete(ctx, recoverySealConfigPlaintextPath); err != nil {
+		return fmt.Errorf("failed to delete old recovery seal configuration during migration: %w", err)
+	}
+
+	return nil
+}
+
+func (c *Core) adjustSealConfigDuringMigration(existBarrierSealConfig, existRecoverySealConfig *SealConfig) {
+	switch {
+	case c.migrationInfo.seal.RecoveryKeySupported() && existRecoverySealConfig != nil:
+		// Migrating from auto->shamir, clone auto's recovery config and set
+		// stored keys to 1.  Unless the recover config doesn't exist, in which
+		// case the migration is assumed to already have been performed.
+		newSealConfig := existRecoverySealConfig.Clone()
+		newSealConfig.StoredShares = 1
+		c.seal.SetCachedBarrierConfig(newSealConfig)
+	case !c.migrationInfo.seal.RecoveryKeySupported() && c.seal.RecoveryKeySupported():
+		// Migrating from shamir->auto, set a new barrier config and set
+		// recovery config to a clone of shamir's barrier config with stored
+		// keys set to 0.
+		newBarrierSealConfig := &SealConfig{
+			Type:            c.seal.BarrierSealConfigType().String(),
+			SecretShares:    1,
+			SecretThreshold: 1,
+			StoredShares:    1,
+		}
+		c.seal.SetCachedBarrierConfig(newBarrierSealConfig)
+
+		newRecoveryConfig := existBarrierSealConfig.Clone()
+		newRecoveryConfig.StoredShares = 0
+		c.seal.SetCachedRecoveryConfig(newRecoveryConfig)
+	}
+}
+
+func (c *Core) unsealKeyToRootKeyPostUnseal(ctx context.Context, combinedKey []byte) ([]byte, error) {
+	return c.unsealKeyToRootKey(ctx, c.seal, combinedKey, true, false)
+}
+
+func (c *Core) unsealKeyToMasterKeyPreUnseal(ctx context.Context, seal Seal, combinedKey []byte) ([]byte, error) {
+	return c.unsealKeyToRootKey(ctx, seal, combinedKey, false, true)
+}
+
+// unsealKeyToRootKey takes a key provided by the user, either a recovery key
+// if using an autoseal or an unseal key with Shamir.  It returns a nil error
+// if the key is valid and an error otherwise. It also returns the master key
+// that can be used to unseal the barrier.
+// If useTestSeal is true, seal will not be modified; this is used when not
+// invoked as part of an unseal process.  Otherwise in the non-legacy shamir
+// case the combinedKey will be set in the seal, which means subsequent attempts
+// to use the seal to read the master key will succeed, assuming combinedKey is
+// valid.
+// If allowMissing is true, a failure to find the master key in storage results
+// in a nil error and a nil master key being returned.
+func (c *Core) unsealKeyToRootKey(ctx context.Context, seal Seal, combinedKey []byte, useTestSeal bool, allowMissing bool) ([]byte, error) {
+	switch seal.StoredKeysSupported() {
+	case vaultseal.StoredKeysSupportedGeneric:
+		if err := seal.VerifyRecoveryKey(ctx, combinedKey); err != nil {
+			return nil, fmt.Errorf("recovery key verification failed: %w", err)
+		}
+
+		storedKeys, err := seal.GetStoredKeys(ctx)
+		if storedKeys == nil && err == nil && allowMissing {
+			return nil, nil
+		}
+
+		if err == nil && len(storedKeys) != 1 {
+			err = fmt.Errorf("expected exactly one stored key, got %d", len(storedKeys))
+		}
+		if err != nil {
+			return nil, fmt.Errorf("unable to retrieve stored keys: %w", err)
+		}
+		return storedKeys[0], nil
+
+	case vaultseal.StoredKeysSupportedShamirRoot:
+		if useTestSeal {
+			// Note that the seal generation should not matter, since the only thing we are doing with
+			// this seal is calling GetStoredKeys (i.e. we are not encrypting anything).
+			sealAccess, err := vaultseal.NewAccessFromWrapper(c.logger, aeadwrapper.NewShamirWrapper(), SealConfigTypeShamir.String())
+			if err != nil {
+				return nil, fmt.Errorf("failed to setup seal wrapper for test barrier config: %w", err)
+			}
+			testseal := NewDefaultSeal(sealAccess)
+			testseal.SetCore(c)
+			cfg, err := seal.BarrierConfig(ctx)
+			if err != nil {
+				return nil, fmt.Errorf("failed to setup test barrier config: %w", err)
+			}
+			testseal.SetCachedBarrierConfig(cfg)
+			seal = testseal
+		}
+
+		err := seal.GetAccess().SetShamirSealKey(combinedKey)
+		if err != nil {
+			return nil, &ErrInvalidKey{fmt.Sprintf("failed to setup unseal key: %v", err)}
+		}
+		storedKeys, err := seal.GetStoredKeys(ctx)
+		if storedKeys == nil && err == nil && allowMissing {
+			return nil, nil
+		}
+		if err == nil && len(storedKeys) != 1 {
+			err = fmt.Errorf("expected exactly one stored key, got %d", len(storedKeys))
+		}
+		if err != nil {
+			return nil, fmt.Errorf("unable to retrieve stored keys: %w", err)
+		}
+		return storedKeys[0], nil
+
+	case vaultseal.StoredKeysNotSupported:
+		return combinedKey, nil
+	}
+	return nil, fmt.Errorf("invalid seal")
+}
+
+// IsInSealMigrationMode returns true if we're configured to perform a seal migration,
+// meaning either that we have a disabled seal in HCL configuration or the seal
+// configuration in storage is Shamir but the seal in HCL is not.  In this
+// mode we should not auto-unseal (even if the migration is done) and we will
+// accept unseal requests with and without the `migrate` option, though the migrate
+// option is required if we haven't yet performed the seal migration. Lock
+// should only be false if the caller is already holding the read
+// statelock (such as calls originating from switchedLockHandleRequest).
+func (c *Core) IsInSealMigrationMode(lock bool) bool {
+	if lock {
+		c.stateLock.RLock()
+		defer c.stateLock.RUnlock()
+	}
+	return c.migrationInfo != nil
+}
+
+// IsSealMigrated returns true if we're in seal migration mode but migration
+// has already been performed (possibly by another node, or prior to this node's
+// current invocation). Lock should only be false if the caller is already
+// holding the read statelock (such as calls originating from switchedLockHandleRequest).
+func (c *Core) IsSealMigrated(lock bool) bool {
+	if !c.IsInSealMigrationMode(lock) {
+		return false
+	}
+
+	if lock {
+		c.stateLock.RLock()
+		defer c.stateLock.RUnlock()
+	}
+	done, _ := c.sealMigrated(context.Background())
+	return done
+}
+
+func (c *Core) BarrierEncryptorAccess() *BarrierEncryptorAccess {
+	return NewBarrierEncryptorAccess(c.barrier)
+}
+
+func (c *Core) PhysicalAccess() *physical.PhysicalAccess {
+	return physical.NewPhysicalAccess(c.physical)
+}
+
+func (c *Core) RouterAccess() *RouterAccess {
+	return NewRouterAccess(c)
+}
+
+// IsDRSecondary returns if the current cluster state is a DR secondary.
+func (c *Core) IsDRSecondary() bool {
+	return c.ReplicationState().HasState(consts.ReplicationDRSecondary)
+}
+
+func (c *Core) IsPerfSecondary() bool {
+	return c.ReplicationState().HasState(consts.ReplicationPerformanceSecondary)
+}
+
+func (c *Core) AddLogger(logger log.Logger) {
+	c.allLoggersLock.Lock()
+	defer c.allLoggersLock.Unlock()
+	c.allLoggers = append(c.allLoggers, logger)
+}
+
+// SetLogLevel sets logging level for all tracked loggers to the level provided
+func (c *Core) SetLogLevel(level log.Level) {
+	c.allLoggersLock.RLock()
+	defer c.allLoggersLock.RUnlock()
+	for _, logger := range c.allLoggers {
+		logger.SetLevel(level)
+	}
+}
+
+// SetLogLevelByName sets the logging level of named logger to level provided
+// if it exists. Core.allLoggers is a slice and as such it is entirely possible
+// that multiple entries exist for the same name. Each instance will be modified.
+func (c *Core) SetLogLevelByName(name string, level log.Level) bool {
+	c.allLoggersLock.RLock()
+	defer c.allLoggersLock.RUnlock()
+
+	found := false
+	for _, logger := range c.allLoggers {
+		if logger.Name() == name {
+			logger.SetLevel(level)
+			found = true
+		}
+	}
+
+	return found
+}
+
+// SetConfig sets core's config object to the newly provided config.
+func (c *Core) SetConfig(conf *server.Config) {
+	c.rawConfig.Store(conf)
+	bz, err := json.Marshal(c.SanitizedConfig())
+	if err != nil {
+		c.logger.Error("error serializing sanitized config", "error", err)
+		return
+	}
+
+	c.logger.Debug("set config", "sanitized config", string(bz))
+}
+
+func (c *Core) GetListenerCustomResponseHeaders(listenerAdd string) *ListenerCustomHeaders {
+	customHeaders := c.customListenerHeader.Load()
+	if customHeaders == nil {
+		return nil
+	}
+
+	customHeadersList, ok := customHeaders.([]*ListenerCustomHeaders)
+	if customHeadersList == nil || !ok {
+		return nil
+	}
+
+	for _, l := range customHeadersList {
+		if l.Address == listenerAdd {
+			return l
+		}
+	}
+	return nil
+}
+
+// ExistCustomResponseHeader checks if a custom header is configured in any
+// listener's stanza
+func (c *Core) ExistCustomResponseHeader(header string) bool {
+	customHeaders := c.customListenerHeader.Load()
+	if customHeaders == nil {
+		return false
+	}
+
+	customHeadersList, ok := customHeaders.([]*ListenerCustomHeaders)
+	if customHeadersList == nil || !ok {
+		return false
+	}
+
+	for _, l := range customHeadersList {
+		exist := l.ExistCustomResponseHeader(header)
+		if exist {
+			return true
+		}
+	}
+
+	return false
+}
+
+func (c *Core) ReloadCustomResponseHeaders() error {
+	conf := c.rawConfig.Load()
+	if conf == nil {
+		return fmt.Errorf("failed to load core raw config")
+	}
+	lns := conf.(*server.Config).Listeners
+	if lns == nil {
+		return fmt.Errorf("no listener configured")
+	}
+
+	uiHeaders, err := c.UIHeaders()
+	if err != nil {
+		return err
+	}
+	c.customListenerHeader.Store(NewListenerCustomHeader(lns, c.logger, uiHeaders))
+
+	return nil
+}
+
+// SanitizedConfig returns a sanitized version of the current config.
+// See server.Config.Sanitized for specific values omitted.
+func (c *Core) SanitizedConfig() map[string]interface{} {
+	conf := c.rawConfig.Load()
+	if conf == nil {
+		return nil
+	}
+	return conf.(*server.Config).Sanitized()
+}
+
+// LogFormat returns the log format current in use.
+func (c *Core) LogFormat() string {
+	conf := c.rawConfig.Load()
+	return conf.(*server.Config).LogFormat
+}
+
+// LogLevel returns the log level provided by level provided by config, CLI flag, or env
+func (c *Core) LogLevel() string {
+	return c.logLevel
+}
+
+// MetricsHelper returns the global metrics helper which allows external
+// packages to access Vault's internal metrics.
+func (c *Core) MetricsHelper() *metricsutil.MetricsHelper {
+	return c.metricsHelper
+}
+
+// MetricSink returns the metrics wrapper with which Core has been configured.
+func (c *Core) MetricSink() *metricsutil.ClusterMetricSink {
+	return c.metricSink
+}
+
+// BuiltinRegistry is an interface that allows the "vault" package to use
+// the registry of builtin plugins without getting an import cycle. It
+// also allows for mocking the registry easily.
+type BuiltinRegistry interface {
+	Contains(name string, pluginType consts.PluginType) bool
+	Get(name string, pluginType consts.PluginType) (func() (interface{}, error), bool)
+	Keys(pluginType consts.PluginType) []string
+	DeprecationStatus(name string, pluginType consts.PluginType) (consts.DeprecationStatus, bool)
+	IsBuiltinEntPlugin(name string, pluginType consts.PluginType) bool
+}
+
+func (c *Core) AuditLogger() AuditLogger {
+	return &basicAuditor{c: c}
+}
+
+type FeatureFlags struct {
+	NamespacesCubbyholesLocal bool `json:"namespace_cubbyholes_local"`
+}
+
+func (c *Core) persistFeatureFlags(ctx context.Context) error {
+	if !c.PR1103disabled {
+		c.logger.Debug("persisting feature flags")
+		json, err := jsonutil.EncodeJSON(&FeatureFlags{NamespacesCubbyholesLocal: !c.PR1103disabled})
+		if err != nil {
+			return err
+		}
+		return c.barrier.Put(ctx, &logical.StorageEntry{
+			Key:   consts.CoreFeatureFlagPath,
+			Value: json,
+		})
+	}
+	return nil
+}
+
+func (c *Core) readFeatureFlags(ctx context.Context) (*FeatureFlags, error) {
+	entry, err := c.barrier.Get(ctx, consts.CoreFeatureFlagPath)
+	if err != nil {
+		return nil, err
+	}
+	var flags FeatureFlags
+	if entry != nil {
+		err = jsonutil.DecodeJSON(entry.Value, &flags)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return &flags, nil
+}
+
+// isMountable tells us whether or not we can continue mounting a plugin-based
+// mount entry after failing to instantiate a backend. We do this to preserve
+// the storage and path when a plugin is missing or has otherwise been
+// misconfigured. This allows users to recover from errors when starting Vault
+// with misconfigured plugins. It should not be possible for existing builtins
+// to be misconfigured, so that is a fatal error.
+func (c *Core) isMountable(ctx context.Context, entry *MountEntry, pluginType consts.PluginType) bool {
+	return !c.isMountEntryBuiltin(ctx, entry, pluginType)
+}
+
+// isMountEntryBuiltin determines whether a mount entry is associated with a
+// builtin of the specified plugin type.
+func (c *Core) isMountEntryBuiltin(ctx context.Context, entry *MountEntry, pluginType consts.PluginType) bool {
+	// Prevent a panic early on
+	if entry == nil || c.pluginCatalog == nil {
+		return false
+	}
+
+	// Allow type to be determined from mount entry when not otherwise specified
+	if pluginType == consts.PluginTypeUnknown {
+		pluginType = c.builtinTypeFromMountEntry(ctx, entry)
+	}
+
+	// Handle aliases
+	pluginName := entry.Type
+	if alias, ok := mountAliases[pluginName]; ok {
+		pluginName = alias
+	}
+
+	plug, err := c.pluginCatalog.Get(ctx, pluginName, pluginType, entry.Version)
+	if err != nil || plug == nil {
+		return false
+	}
+
+	return plug.Builtin
+}
+
+// MatchingMount returns the path of the mount that will be responsible for
+// handling the given request path.
+func (c *Core) MatchingMount(ctx context.Context, reqPath string) string {
+	return c.router.MatchingMount(ctx, reqPath)
+}
 
-	ui := cli.NewMockUi()
-	return ui, &LeaseRenewCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
+func (c *Core) setupQuotas(ctx context.Context, isPerfStandby bool) error {
+	if c.quotaManager == nil {
+		return nil
 	}
+
+	return c.quotaManager.Setup(ctx, c.systemBarrierView, isPerfStandby, c.IsDRSecondary())
 }
 
-// testLeaseRenewCommandMountAndLease mounts a leased secret backend and returns
-// the leaseID of an item.
-func testLeaseRenewCommandMountAndLease(tb testing.TB, client *api.Client) string {
-	if err := client.Sys().Mount("testing", &api.MountInput{
-		Type: "generic-leased",
-	}); err != nil {
-		tb.Fatal(err)
+// ApplyRateLimitQuota checks the request against all the applicable quota rules.
+// If the given request's path is exempt, no rate limiting will be applied.
+func (c *Core) ApplyRateLimitQuota(ctx context.Context, req *quotas.Request) (quotas.Response, error) {
+	req.Type = quotas.TypeRateLimit
+
+	resp := quotas.Response{
+		Allowed: true,
+		Headers: make(map[string]string),
 	}
 
-	if _, err := client.Logical().Write("testing/foo", map[string]interface{}{
-		"key":   "value",
-		"lease": "5m",
-	}); err != nil {
-		tb.Fatal(err)
+	if c.quotaManager != nil {
+		// skip rate limit checks for paths that are exempt from rate limiting
+		if c.quotaManager.RateLimitPathExempt(req.Path, req.NamespacePath) {
+			return resp, nil
+		}
+
+		return c.quotaManager.ApplyQuota(ctx, req)
 	}
 
-	// Read the secret back to get the leaseID
-	secret, err := client.Logical().Read("testing/foo")
-	if err != nil {
-		tb.Fatal(err)
+	return resp, nil
+}
+
+// RateLimitAuditLoggingEnabled returns if the quota configuration allows audit
+// logging of request rejections due to rate limiting quota rule violations.
+func (c *Core) RateLimitAuditLoggingEnabled() bool {
+	if c.quotaManager != nil {
+		return c.quotaManager.RateLimitAuditLoggingEnabled()
 	}
-	if secret == nil || secret.LeaseID == "" {
-		tb.Fatalf("missing secret or lease: %#v", secret)
+
+	return false
+}
+
+// RateLimitResponseHeadersEnabled returns if the quota configuration allows for
+// rate limit quota HTTP headers to be added to responses.
+func (c *Core) RateLimitResponseHeadersEnabled() bool {
+	if c.quotaManager != nil {
+		return c.quotaManager.RateLimitResponseHeadersEnabled()
 	}
 
-	return secret.LeaseID
+	return false
+}
+
+func (c *Core) KeyRotateGracePeriod() time.Duration {
+	return time.Duration(atomic.LoadInt64(c.keyRotateGracePeriod))
 }
 
-func TestLeaseRenewCommand_Run(t *testing.T) {
-	t.Parallel()
+func (c *Core) SetKeyRotateGracePeriod(t time.Duration) {
+	atomic.StoreInt64(c.keyRotateGracePeriod, int64(t))
+}
 
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"empty",
-			nil,
-			"Missing ID!",
-			1,
-		},
-		{
-			"increment",
-			[]string{"-increment", "60s"},
-			"foo",
-			0,
-		},
-		{
-			"increment_no_suffix",
-			[]string{"-increment", "60"},
-			"foo",
-			0,
-		},
+// Periodically test whether to automatically rotate the barrier key
+func (c *Core) autoRotateBarrierLoop(ctx context.Context) {
+	t := time.NewTicker(autoRotateCheckInterval)
+	for {
+		select {
+		case <-t.C:
+			c.checkBarrierAutoRotate(ctx)
+		case <-ctx.Done():
+			t.Stop()
+			return
+		}
 	}
+}
 
-	t.Run("group", func(t *testing.T) {
-		t.Parallel()
+func (c *Core) checkBarrierAutoRotate(ctx context.Context) {
+	c.stateLock.RLock()
+	defer c.stateLock.RUnlock()
+	if c.isPrimary() {
+		reason, err := c.barrier.CheckBarrierAutoRotate(ctx)
+		if err != nil {
+			lf := c.logger.Error
+			if strings.HasSuffix(err.Error(), "context canceled") {
+				lf = c.logger.Debug
+			}
+			lf("error in barrier auto rotation", "error", err)
+			return
+		}
+		if reason != "" {
+			// Time to rotate.  Invoke the rotation handler in order to both rotate and create
+			// the replication canary
+			c.logger.Info("automatic barrier key rotation triggered", "reason", reason)
 
-		for _, tc := range cases {
-			tc := tc
+			_, err := c.systemBackend.handleRotate(ctx, nil, nil)
+			if err != nil {
+				c.logger.Error("error automatically rotating barrier key", "error", err)
+			} else {
+				metrics.IncrCounter(barrierRotationsMetric, 1)
+			}
+		}
+	}
+}
 
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
+func (c *Core) isPrimary() bool {
+	return !c.ReplicationState().HasState(consts.ReplicationPerformanceSecondary | consts.ReplicationDRSecondary)
+}
 
-				client, closer := testVaultServer(t)
-				defer closer()
+type LicenseState struct {
+	State      string
+	ExpiryTime time.Time
+	Terminated bool
+}
 
-				leaseID := testLeaseRenewCommandMountAndLease(t, client)
+func (c *Core) loadLoginMFAConfigs(ctx context.Context) error {
+	eConfigs := make([]*mfa.MFAEnforcementConfig, 0)
+	allNamespaces := c.collectNamespaces()
+	for _, ns := range allNamespaces {
+		err := c.loginMFABackend.loadMFAMethodConfigs(ctx, ns)
+		if err != nil {
+			return fmt.Errorf("error loading MFA method Config, namespaceid %s, error: %w", ns.ID, err)
+		}
 
-				ui, cmd := testLeaseRenewCommand(t)
-				cmd.client = client
+		loadedConfigs, err := c.loginMFABackend.loadMFAEnforcementConfigs(ctx, ns)
+		if err != nil {
+			return fmt.Errorf("error loading MFA enforcement Config, namespaceid %s, error: %w", ns.ID, err)
+		}
 
-				if tc.args != nil {
-					tc.args = append(tc.args, leaseID)
-				}
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
+		eConfigs = append(eConfigs, loadedConfigs...)
+	}
+
+	for _, conf := range eConfigs {
+		if err := c.loginMFABackend.loginMFAMethodExistenceCheck(conf); err != nil {
+			c.loginMFABackend.mfaLogger.Error("failed to find all MFA methods that exist in MFA enforcement configs", "configID", conf.ID, "namespaceID", conf.NamespaceID, "error", err.Error())
+		}
+	}
+	return nil
+}
+
+type MFACachedAuthResponse struct {
+	CachedAuth            *logical.Auth
+	RequestPath           string
+	RequestNSID           string
+	RequestNSPath         string
+	RequestConnRemoteAddr string
+	TimeOfStorage         time.Time
+	RequestID             string
+}
+
+func (c *Core) setupCachedMFAResponseAuth() {
+	c.mfaResponseAuthQueueLock.Lock()
+	c.mfaResponseAuthQueue = NewLoginMFAPriorityQueue()
+	mfaQueue := c.mfaResponseAuthQueue
+	c.mfaResponseAuthQueueLock.Unlock()
+
+	ctx := c.activeContext
+
+	go func() {
+		ticker := time.Tick(5 * time.Second)
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-ticker:
+				err := mfaQueue.RemoveExpiredMfaAuthResponse(defaultMFAAuthResponseTTL, time.Now())
+				if err != nil {
+					c.Logger().Error("failed to remove stale MFA auth response", "error", err)
 				}
+			}
+		}
+	}()
+	return
+}
+
+// updateLockedUserEntries runs every 15 mins to remove stale user entries from storage
+// it also updates the userFailedLoginInfo map with correct information for locked users if incorrect
+func (c *Core) updateLockedUserEntries() {
+	if c.updateLockedUserEntriesCancel != nil {
+		return
+	}
+
+	var updateLockedUserEntriesCtx context.Context
+	updateLockedUserEntriesCtx, c.updateLockedUserEntriesCancel = context.WithCancel(c.activeContext)
+
+	if err := c.runLockedUserEntryUpdates(updateLockedUserEntriesCtx); err != nil {
+		c.Logger().Error("failed to run locked user entry updates", "error", err)
+	}
 
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
+	go func() {
+		ticker := time.NewTicker(15 * time.Minute)
+		for {
+			select {
+			case <-updateLockedUserEntriesCtx.Done():
+				ticker.Stop()
+				return
+			case <-ticker.C:
+				if err := c.runLockedUserEntryUpdates(updateLockedUserEntriesCtx); err != nil {
+					c.Logger().Error("failed to run locked user entry updates", "error", err)
 				}
-			})
+			}
+		}
+	}()
+	return
+}
+
+// runLockedUserEntryUpdates runs updates for locked user storage entries and userFailedLoginInfo map
+func (c *Core) runLockedUserEntryUpdates(ctx context.Context) error {
+	// check environment variable to see if user lockout workflow is disabled
+	var disableUserLockout bool
+	if disableUserLockoutEnv := os.Getenv(consts.VaultDisableUserLockout); disableUserLockoutEnv != "" {
+		var err error
+		disableUserLockout, err = strconv.ParseBool(disableUserLockoutEnv)
+		if err != nil {
+			c.Logger().Error("Error parsing the environment variable VAULT_DISABLE_USER_LOCKOUT", "error", err)
+		}
+	}
+	if disableUserLockout {
+		return nil
+	}
+
+	// get the list of namespaces of locked users from locked users path in storage
+	nsIDs, err := c.barrier.List(ctx, coreLockedUsersPath)
+	if err != nil {
+		return err
+	}
+
+	totalLockedUsersCount := 0
+	for _, nsID := range nsIDs {
+		// get the list of mount accessors of locked users for each namespace
+		mountAccessors, err := c.barrier.List(ctx, coreLockedUsersPath+nsID)
+		if err != nil {
+			return err
+		}
+
+		// update the entries for locked users for each mount accessor
+		// if storage entry is stale i.e; the lockout duration has passed
+		// remove this entry from storage and userFailedLoginInfo map
+		// else check if the userFailedLoginInfo map has correct failed login information
+		// if incorrect, update the entry in userFailedLoginInfo map
+		for _, mountAccessorPath := range mountAccessors {
+			mountAccessor := strings.TrimSuffix(mountAccessorPath, "/")
+			lockedAliasesCount, err := c.runLockedUserEntryUpdatesForMountAccessor(ctx, mountAccessor, coreLockedUsersPath+nsID+mountAccessorPath)
+			if err != nil {
+				return err
+			}
+			totalLockedUsersCount = totalLockedUsersCount + lockedAliasesCount
+		}
+	}
+
+	// emit locked user count metrics
+	metrics.SetGaugeWithLabels([]string{"core", "locked_users"}, float32(totalLockedUsersCount), nil)
+	return nil
+}
+
+// runLockedUserEntryUpdatesForMountAccessor updates the storage entry for each locked user (alias name)
+// if the entry is stale, it removes it from storage and userFailedLoginInfo map if present
+// if the entry is not stale, it updates the userFailedLoginInfo map with correct values for entry if incorrect
+func (c *Core) runLockedUserEntryUpdatesForMountAccessor(ctx context.Context, mountAccessor string, path string) (int, error) {
+	// get mount entry for mountAccessor
+	mountEntry := c.router.MatchingMountByAccessor(mountAccessor)
+	if mountEntry == nil {
+		mountEntry = &MountEntry{}
+	}
+	// get configuration for mount entry
+	userLockoutConfiguration := c.getUserLockoutConfiguration(mountEntry)
+
+	// get the list of aliases for mount accessor
+	aliases, err := c.barrier.List(ctx, path)
+	if err != nil {
+		return 0, err
+	}
+
+	lockedAliasesCount := len(aliases)
+
+	// check storage entry for each alias to update
+	for _, alias := range aliases {
+		loginUserInfoKey := FailedLoginUser{
+			aliasName:     alias,
+			mountAccessor: mountAccessor,
+		}
+
+		existingEntry, err := c.barrier.Get(ctx, path+alias)
+		if err != nil {
+			return 0, err
+		}
+
+		if existingEntry == nil {
+			continue
+		}
+
+		var lastLoginTime int
+		err = jsonutil.DecodeJSON(existingEntry.Value, &lastLoginTime)
+		if err != nil {
+			return 0, err
 		}
-	})
 
-	t.Run("integration", func(t *testing.T) {
-		t.Parallel()
+		lastFailedLoginTimeFromStorageEntry := time.Unix(int64(lastLoginTime), 0)
+		lockoutDurationFromConfiguration := userLockoutConfiguration.LockoutDuration
 
-		client, closer := testVaultServer(t)
-		defer closer()
+		// get the entry for the locked user from userFailedLoginInfo map
+		failedLoginInfoFromMap := c.LocalGetUserFailedLoginInfo(ctx, loginUserInfoKey)
 
-		leaseID := testLeaseRenewCommandMountAndLease(t, client)
+		// check if the storage entry for locked user is stale
+		if time.Now().After(lastFailedLoginTimeFromStorageEntry.Add(lockoutDurationFromConfiguration)) {
+			// stale entry, remove from storage
+			// leaving this as it is as this happens on the active node
+			// also handles case where namespace is deleted
+			if err := c.barrier.Delete(ctx, path+alias); err != nil {
+				return 0, err
+			}
+			// remove entry for this user from userFailedLoginInfo map if present as the user is not locked
+			if failedLoginInfoFromMap != nil {
+				if err = updateUserFailedLoginInfo(ctx, c, loginUserInfoKey, nil, true); err != nil {
+					return 0, err
+				}
+			}
+			lockedAliasesCount -= 1
+			continue
+		}
 
-		_, cmd := testLeaseRenewCommand(t)
-		cmd.client = client
+		// this is not a stale entry
+		// update the map with actual failed login information
+		actualFailedLoginInfo := FailedLoginInfo{
+			lastFailedLoginTime: lastLoginTime,
+			count:               uint(userLockoutConfiguration.LockoutThreshold),
+		}
 
-		code := cmd.Run([]string{leaseID})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
+		if failedLoginInfoFromMap != &actualFailedLoginInfo {
+			// entry is invalid, updating the entry in userFailedLoginMap with correct information
+			if err = updateUserFailedLoginInfo(ctx, c, loginUserInfoKey, &actualFailedLoginInfo, false); err != nil {
+				return 0, err
+			}
 		}
+	}
+	return lockedAliasesCount, nil
+}
+
+// PopMFAResponseAuthByID pops an item from the mfaResponseAuthQueue by ID
+// it returns the cached auth response or an error
+func (c *Core) PopMFAResponseAuthByID(reqID string) (*MFACachedAuthResponse, error) {
+	c.mfaResponseAuthQueueLock.Lock()
+	defer c.mfaResponseAuthQueueLock.Unlock()
+	return c.mfaResponseAuthQueue.PopByKey(reqID)
+}
+
+// SaveMFAResponseAuth pushes an MFACachedAuthResponse to the mfaResponseAuthQueue.
+// it returns an error in case of failure
+func (c *Core) SaveMFAResponseAuth(respAuth *MFACachedAuthResponse) error {
+	c.mfaResponseAuthQueueLock.Lock()
+	defer c.mfaResponseAuthQueueLock.Unlock()
+	return c.mfaResponseAuthQueue.Push(respAuth)
+}
+
+type InFlightRequests struct {
+	InFlightReqMap   *sync.Map
+	InFlightReqCount *uberAtomic.Uint64
+}
+
+type InFlightReqData struct {
+	StartTime        time.Time `json:"start_time"`
+	ClientRemoteAddr string    `json:"client_remote_address"`
+	ReqPath          string    `json:"request_path"`
+	Method           string    `json:"request_method"`
+	ClientID         string    `json:"client_id"`
+}
+
+func (c *Core) StoreInFlightReqData(reqID string, data InFlightReqData) {
+	c.inFlightReqData.InFlightReqMap.Store(reqID, data)
+	c.inFlightReqData.InFlightReqCount.Inc()
+}
+
+// FinalizeInFlightReqData is going log the completed request if the
+// corresponding server config option is enabled. It also removes the
+// request from the inFlightReqMap and decrement the number of in-flight
+// requests by one.
+func (c *Core) FinalizeInFlightReqData(reqID string, statusCode int) {
+	if c.logRequestsLevel != nil && c.logRequestsLevel.Load() != 0 {
+		c.LogCompletedRequests(reqID, statusCode)
+	}
+
+	c.inFlightReqData.InFlightReqMap.Delete(reqID)
+	c.inFlightReqData.InFlightReqCount.Dec()
+}
+
+// LoadInFlightReqData creates a snapshot map of the current
+// in-flight requests
+func (c *Core) LoadInFlightReqData() map[string]InFlightReqData {
+	currentInFlightReqMap := make(map[string]InFlightReqData)
+	c.inFlightReqData.InFlightReqMap.Range(func(key, value interface{}) bool {
+		// there is only one writer to this map, so skip checking for errors
+		v := value.(InFlightReqData)
+		currentInFlightReqMap[key.(string)] = v
+		return true
 	})
 
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
+	return currentInFlightReqMap
+}
+
+// UpdateInFlightReqData updates the data for a specific reqID with
+// the clientID
+func (c *Core) UpdateInFlightReqData(reqID, clientID string) {
+	v, ok := c.inFlightReqData.InFlightReqMap.Load(reqID)
+	if !ok {
+		c.Logger().Trace("failed to retrieve request with ID", "request_id", reqID)
+		return
+	}
+
+	// there is only one writer to this map, so skip checking for errors
+	reqData := v.(InFlightReqData)
+	reqData.ClientID = clientID
+	c.inFlightReqData.InFlightReqMap.Store(reqID, reqData)
+}
+
+// LogCompletedRequests Logs the completed request to the server logs
+func (c *Core) LogCompletedRequests(reqID string, statusCode int) {
+	logLevel := log.Level(c.logRequestsLevel.Load())
+	v, ok := c.inFlightReqData.InFlightReqMap.Load(reqID)
+	if !ok {
+		c.logger.Log(logLevel, fmt.Sprintf("failed to retrieve request with ID %v", reqID))
+		return
+	}
+
+	// there is only one writer to this map, so skip checking for errors
+	reqData := v.(InFlightReqData)
+	c.logger.Log(logLevel, "completed_request",
+		"start_time", reqData.StartTime.Format(time.RFC3339),
+		"duration", fmt.Sprintf("%dms", time.Now().Sub(reqData.StartTime).Milliseconds()),
+		"client_id", reqData.ClientID,
+		"client_address", reqData.ClientRemoteAddr, "status_code", statusCode, "request_path", reqData.ReqPath,
+		"request_method", reqData.Method)
+}
+
+func (c *Core) ReloadLogRequestsLevel() {
+	conf := c.rawConfig.Load()
+	if conf == nil {
+		return
+	}
+
+	infoLevel := conf.(*server.Config).LogRequestsLevel
+	switch {
+	case log.LevelFromString(infoLevel) > log.NoLevel && log.LevelFromString(infoLevel) < log.Off:
+		c.logRequestsLevel.Store(int32(log.LevelFromString(infoLevel)))
+	case infoLevel != "":
+		c.logger.Warn("invalid log_requests_level", "level", infoLevel)
+	}
+}
 
-		client, closer := testVaultServerBad(t)
-		defer closer()
+func (c *Core) ReloadIntrospectionEndpointEnabled() {
+	conf := c.rawConfig.Load()
+	if conf == nil {
+		return
+	}
+	c.introspectionEnabledLock.Lock()
+	defer c.introspectionEnabledLock.Unlock()
+	c.introspectionEnabled = conf.(*server.Config).EnableIntrospectionEndpoint
+}
 
-		ui, cmd := testLeaseRenewCommand(t)
-		cmd.client = client
+type PeerNode struct {
+	Hostname        string        `json:"hostname"`
+	APIAddress      string        `json:"api_address"`
+	ClusterAddress  string        `json:"cluster_address"`
+	Version         string        `json:"version"`
+	LastEcho        time.Time     `json:"last_echo"`
+	UpgradeVersion  string        `json:"upgrade_version,omitempty"`
+	RedundancyZone  string        `json:"redundancy_zone,omitempty"`
+	EchoDuration    time.Duration `json:"echo_duration"`
+	ClockSkewMillis int64         `json:"clock_skew_millis"`
+}
 
-		code := cmd.Run([]string{
-			"foo/bar",
+// GetHAPeerNodesCached returns the nodes that've sent us Echo requests recently.
+func (c *Core) GetHAPeerNodesCached() []PeerNode {
+	var nodes []PeerNode
+	for itemClusterAddr, item := range c.clusterPeerClusterAddrsCache.Items() {
+		info := item.Object.(nodeHAConnectionInfo)
+		nodes = append(nodes, PeerNode{
+			Hostname:        info.nodeInfo.Hostname,
+			APIAddress:      info.nodeInfo.ApiAddr,
+			ClusterAddress:  itemClusterAddr,
+			LastEcho:        info.lastHeartbeat,
+			Version:         info.version,
+			UpgradeVersion:  info.upgradeVersion,
+			RedundancyZone:  info.redundancyZone,
+			EchoDuration:    info.echoDuration,
+			ClockSkewMillis: info.clockSkewMillis,
 		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
+	}
+	return nodes
+}
+
+func (c *Core) CheckPluginPerms(pluginName string) (err error) {
+	var enableFilePermissionsCheck bool
+	if enableFilePermissionsCheckEnv := os.Getenv(consts.VaultEnableFilePermissionsCheckEnv); enableFilePermissionsCheckEnv != "" {
+		var err error
+		enableFilePermissionsCheck, err = strconv.ParseBool(enableFilePermissionsCheckEnv)
+		if err != nil {
+			return errors.New("Error parsing the environment variable VAULT_ENABLE_FILE_PERMISSIONS_CHECK")
 		}
+	}
 
-		expected := "Error renewing foo/bar: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
+	if c.pluginDirectory != "" && enableFilePermissionsCheck {
+		err = osutil.OwnerPermissionsMatch(c.pluginDirectory, c.pluginFileUid, c.pluginFilePermissions)
+		if err != nil {
+			return err
 		}
+		fullPath := filepath.Join(c.pluginDirectory, pluginName)
+		err = osutil.OwnerPermissionsMatch(fullPath, c.pluginFileUid, c.pluginFilePermissions)
+		if err != nil {
+			return err
+		}
+	}
+	return err
+}
+
+func (c *Core) LoadNodeID() (string, error) {
+	raftNodeID := c.GetRaftNodeID()
+	if raftNodeID != "" {
+		return raftNodeID, nil
+	}
+	hostname, err := os.Hostname()
+	if err != nil {
+		return "", err
+	}
+	return hostname, nil
+}
+
+// DetermineRoleFromLoginRequest will determine the role that should be applied to a quota for a given
+// login request
+func (c *Core) DetermineRoleFromLoginRequest(ctx context.Context, mountPoint string, data map[string]interface{}) string {
+	c.authLock.RLock()
+	defer c.authLock.RUnlock()
+	matchingBackend := c.router.MatchingBackend(ctx, mountPoint)
+	if matchingBackend == nil || matchingBackend.Type() != logical.TypeCredential {
+		// Role based quotas do not apply to this request
+		return ""
+	}
+	return c.doResolveRoleLocked(ctx, mountPoint, matchingBackend, data)
+}
+
+// DetermineRoleFromLoginRequestFromReader will determine the role that should
+// be applied to a quota for a given login request. The reader will only be
+// consumed if the matching backend for the mount point exists and is a secret
+// backend
+func (c *Core) DetermineRoleFromLoginRequestFromReader(ctx context.Context, mountPoint string, reader io.Reader) string {
+	c.authLock.RLock()
+	defer c.authLock.RUnlock()
+	matchingBackend := c.router.MatchingBackend(ctx, mountPoint)
+	if matchingBackend == nil || matchingBackend.Type() != logical.TypeCredential {
+		// Role based quotas do not apply to this request
+		return ""
+	}
+
+	data := make(map[string]interface{})
+	err := jsonutil.DecodeJSONFromReader(reader, &data)
+	if err != nil {
+		return ""
+	}
+	return c.doResolveRoleLocked(ctx, mountPoint, matchingBackend, data)
+}
+
+// doResolveRoleLocked does a login and resolve role request on the matching
+// backend. Callers should have a read lock on c.authLock
+func (c *Core) doResolveRoleLocked(ctx context.Context, mountPoint string, matchingBackend logical.Backend, data map[string]interface{}) string {
+	resp, err := matchingBackend.HandleRequest(ctx, &logical.Request{
+		MountPoint: mountPoint,
+		Path:       "login",
+		Operation:  logical.ResolveRoleOperation,
+		Data:       data,
+		Storage:    c.router.MatchingStorageByAPIPath(ctx, mountPoint+"login"),
+	})
+	if err != nil || resp.Data["role"] == nil {
+		return ""
+	}
+
+	return resp.Data["role"].(string)
+}
+
+// ResolveRoleForQuotas looks for any quotas requiring a role for early
+// computation in the RateLimitQuotaWrapping handler.
+func (c *Core) ResolveRoleForQuotas(ctx context.Context, req *quotas.Request) (bool, error) {
+	if c.quotaManager == nil {
+		return false, nil
+	}
+	return c.quotaManager.QueryResolveRoleQuotas(req)
+}
+
+// aliasNameFromLoginRequest will determine the aliasName from the login Request
+func (c *Core) aliasNameFromLoginRequest(ctx context.Context, req *logical.Request) (string, error) {
+	c.authLock.RLock()
+	defer c.authLock.RUnlock()
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return "", err
+	}
+
+	// ns path is added while checking matching backend
+	mountPath := strings.TrimPrefix(req.MountPoint, ns.Path)
+
+	matchingBackend := c.router.MatchingBackend(ctx, mountPath)
+	if matchingBackend == nil || matchingBackend.Type() != logical.TypeCredential {
+		// pathLoginAliasLookAhead operation does not apply to this request
+		return "", nil
+	}
+
+	path := strings.ReplaceAll(req.Path, mountPath, "")
+
+	resp, err := matchingBackend.HandleRequest(ctx, &logical.Request{
+		MountPoint: req.MountPoint,
+		Path:       path,
+		Operation:  logical.AliasLookaheadOperation,
+		Data:       req.Data,
+		Storage:    c.router.MatchingStorageByAPIPath(ctx, req.Path),
 	})
+	if err != nil || resp.Auth.Alias == nil {
+		return "", nil
+	}
+	return resp.Auth.Alias.Name, nil
+}
+
+// ListMounts will provide a slice containing a deep copy each mount entry
+func (c *Core) ListMounts() ([]*MountEntry, error) {
+	if c.Sealed() {
+		return nil, fmt.Errorf("vault is sealed")
+	}
+
+	c.mountsLock.RLock()
+	defer c.mountsLock.RUnlock()
+
+	var entries []*MountEntry
+
+	for _, entry := range c.mounts.Entries {
+		clone, err := entry.Clone()
+		if err != nil {
+			return nil, err
+		}
+
+		entries = append(entries, clone)
+	}
+
+	return entries, nil
+}
+
+// ListAuths will provide a slice containing a deep copy each auth entry
+func (c *Core) ListAuths() ([]*MountEntry, error) {
+	if c.Sealed() {
+		return nil, fmt.Errorf("vault is sealed")
+	}
+
+	c.authLock.RLock()
+	defer c.authLock.RUnlock()
+
+	var entries []*MountEntry
+
+	for _, entry := range c.auth.Entries {
+		clone, err := entry.Clone()
+		if err != nil {
+			return nil, err
+		}
+
+		entries = append(entries, clone)
+	}
+
+	return entries, nil
+}
+
+type GroupPolicyApplicationMode struct {
+	GroupPolicyApplicationMode string `json:"group_policy_application_mode"`
+}
+
+func (c *Core) GetGroupPolicyApplicationMode(ctx context.Context) (string, error) {
+	se, err := c.barrier.Get(ctx, coreGroupPolicyApplicationPath)
+	if err != nil {
+		return "", err
+	}
+	if se == nil {
+		return groupPolicyApplicationModeWithinNamespaceHierarchy, nil
+	}
+
+	var modeStruct GroupPolicyApplicationMode
+
+	err = jsonutil.DecodeJSON(se.Value, &modeStruct)
+	if err != nil {
+		return "", err
+	}
+	mode := modeStruct.GroupPolicyApplicationMode
+	if mode == "" {
+		mode = groupPolicyApplicationModeWithinNamespaceHierarchy
+	}
 
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
+	return mode, nil
+}
 
-		_, cmd := testLeaseRenewCommand(t)
-		assertNoTabs(t, cmd)
+func (c *Core) SetGroupPolicyApplicationMode(ctx context.Context, mode string) error {
+	json, err := jsonutil.EncodeJSON(&GroupPolicyApplicationMode{GroupPolicyApplicationMode: mode})
+	if err != nil {
+		return err
+	}
+	return c.barrier.Put(ctx, &logical.StorageEntry{
+		Key:   coreGroupPolicyApplicationPath,
+		Value: json,
 	})
 }
+
+type HCPLinkStatus struct {
+	lock             sync.RWMutex
+	ConnectionStatus string `json:"hcp_link_status,omitempty"`
+	ResourceIDOnHCP  string `json:"resource_ID_on_hcp,omitempty"`
+}
+
+func (c *Core) SetHCPLinkStatus(status, resourceID string) {
+	c.hcpLinkStatus.lock.Lock()
+	defer c.hcpLinkStatus.lock.Unlock()
+	c.hcpLinkStatus.ConnectionStatus = status
+	c.hcpLinkStatus.ResourceIDOnHCP = resourceID
+}
+
+func (c *Core) GetHCPLinkStatus() (string, string) {
+	c.hcpLinkStatus.lock.RLock()
+	defer c.hcpLinkStatus.lock.RUnlock()
+
+	status := c.hcpLinkStatus.ConnectionStatus
+	resourceID := c.hcpLinkStatus.ResourceIDOnHCP
+
+	return status, resourceID
+}
+
+// IsExperimentEnabled is true if the experiment is enabled in the core.
+func (c *Core) IsExperimentEnabled(experiment string) bool {
+	return strutil.StrListContains(c.experiments, experiment)
+}
+
+// ListenerAddresses provides a slice of configured listener addresses
+func (c *Core) ListenerAddresses() ([]string, error) {
+	addresses := make([]string, 0)
+
+	conf := c.rawConfig.Load()
+	if conf == nil {
+		return nil, fmt.Errorf("failed to load core raw config")
+	}
+
+	listeners := conf.(*server.Config).Listeners
+	if listeners == nil {
+		return nil, fmt.Errorf("no listener configured")
+	}
+
+	for _, listener := range listeners {
+		addresses = append(addresses, listener.Address)
+	}
+
+	return addresses, nil
+}
+
+// IsRaftVoter specifies whether the node is a raft voter which is
+// always false if raft storage is not in use.
+func (c *Core) IsRaftVoter() bool {
+	raftInfo := c.raftInfo.Load().(*raftInformation)
+
+	if raftInfo == nil {
+		return false
+	}
+
+	return !raftInfo.nonVoter
+}
+
+func (c *Core) HAEnabled() bool {
+	return c.ha != nil && c.ha.HAEnabled()
+}
+
+func (c *Core) GetRaftConfiguration(ctx context.Context) (*raft.RaftConfigurationResponse, error) {
+	raftBackend := c.getRaftBackend()
+
+	if raftBackend == nil {
+		return nil, nil
+	}
+
+	return raftBackend.GetConfiguration(ctx)
+}
+
+func (c *Core) GetRaftAutopilotState(ctx context.Context) (*raft.AutopilotState, error) {
+	raftBackend := c.getRaftBackend()
+	if raftBackend == nil {
+		return nil, nil
+	}
+
+	return raftBackend.GetAutopilotServerState(ctx)
+}
+
+// Events returns a reference to the common event bus for sending and subscribint to events.
+func (c *Core) Events() *eventbus.EventBus {
+	return c.events
+}
+
+func (c *Core) SetSeals(barrierSeal Seal, secureRandomReader io.Reader) error {
+	ctx, _ := c.GetContext()
+
+	c.stateLock.Lock()
+	defer c.stateLock.Unlock()
+
+	currentSealBarrierConfig, err := c.SealAccess().BarrierConfig(ctx)
+	if err != nil {
+		return fmt.Errorf("error retrieving barrier config: %s", err)
+	}
+
+	barrierConfigCopy := currentSealBarrierConfig.Clone()
+	barrierConfigCopy.Type = barrierSeal.BarrierSealConfigType().String()
+
+	barrierSeal.SetCore(c)
+
+	rootKey, err := c.seal.GetStoredKeys(ctx)
+	if err != nil {
+		return err
+	}
+
+	if len(rootKey) < 1 {
+		return errors.New("root key not found")
+	}
+
+	barrierConfigCopy.Type = barrierSeal.BarrierSealConfigType().String()
+	err = barrierSeal.SetBarrierConfig(ctx, barrierConfigCopy)
+	if err != nil {
+		return fmt.Errorf("error setting barrier config for new seal: %s", err)
+	}
+
+	err = barrierSeal.SetStoredKeys(ctx, rootKey)
+	if err != nil {
+		return fmt.Errorf("error setting root key in new seal: %s", err)
+	}
+
+	c.seal = barrierSeal
+
+	c.reloadSealsEnt(secureRandomReader, barrierSeal.GetAccess(), c.logger)
+
+	return nil
+}
+
+func (c *Core) GetWellKnownRedirect(ctx context.Context, path string) (string, error) {
+	if c.WellKnownRedirects == nil {
+		return "", nil
+	}
+	path = strings.TrimPrefix(path, WellKnownPrefix)
+	redir, remaining := c.WellKnownRedirects.Find(path)
+	if redir != nil {
+		dest, err := redir.Destination(remaining)
+		if err != nil {
+			return "", err
+		}
+		return paths.Join("/v1", dest), nil
+	}
+	return "", nil
+}
+
+func (c *Core) DetectStateLockDeadlocks() bool {
+	if _, ok := c.stateLock.(*locking.DeadlockRWMutex); ok {
+		return true
+	}
+	return false
+}
diff --git a/command/lease_revoke.go b/command/lease_revoke.go
index 751cce97449d..1c8dcc675d65 100644
--- a/command/lease_revoke.go
+++ b/command/lease_revoke.go
@@ -1,181 +1,115 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*LeaseRevokeCommand)(nil)
-	_ cli.CommandAutocomplete = (*LeaseRevokeCommand)(nil)
-)
-
-type LeaseRevokeCommand struct {
-	*BaseCommand
-
-	flagForce  bool
-	flagPrefix bool
-	flagSync   bool
-}
-
-func (c *LeaseRevokeCommand) Synopsis() string {
-	return "Revokes leases and secrets"
-}
-
-func (c *LeaseRevokeCommand) Help() string {
-	helpText := `
-Usage: vault lease revoke [options] ID
-
-  Revokes secrets by their lease ID. This command can revoke a single secret
-  or multiple secrets based on a path-matched prefix.
-
-  The default behavior when not using -force is to revoke asynchronously; Vault
-  will queue the revocation and keep trying if it fails (including across
-  restarts). The -sync flag can be used to force a synchronous operation, but
-  it is then up to the caller to retry on failure. Force mode always operates
-  synchronously.
-
-  Revoke a single lease:
-
-      $ vault lease revoke database/creds/readonly/2f6a614c...
-
-  Revoke all leases for a role:
-
-      $ vault lease revoke -prefix aws/creds/deploy
-
-  Force delete leases from Vault even if secret engine revocation fails:
-
-      $ vault lease revoke -force -prefix consul/creds
-
-  For a full list of examples and paths, please see the documentation that
-  corresponds to the secret engine in use.
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *LeaseRevokeCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP)
-	f := set.NewFlagSet("Command Options")
-
-	f.BoolVar(&BoolVar{
-		Name:    "force",
-		Aliases: []string{"f"},
-		Target:  &c.flagForce,
-		Default: false,
-		Usage: "Delete the lease from Vault even if the secret engine revocation " +
-			"fails. This is meant for recovery situations where the secret " +
-			"in the target secret engine was manually removed. If this flag is " +
-			"specified, -prefix is also required.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "prefix",
-		Target:  &c.flagPrefix,
-		Default: false,
-		Usage: "Treat the ID as a prefix instead of an exact lease ID. This can " +
-			"revoke multiple leases simultaneously.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "sync",
-		Target:  &c.flagSync,
-		Default: false,
-		Usage: "Force a synchronous operation; on failure it is up to the client " +
-			"to retry.",
-	})
-
-	return set
-}
-
-func (c *LeaseRevokeCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultFiles()
-}
-
-func (c *LeaseRevokeCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *LeaseRevokeCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
-	}
-
-	if c.flagForce && !c.flagPrefix {
-		c.UI.Error("Specifying -force requires also specifying -prefix")
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	leaseID := strings.TrimSpace(args[0])
-
-	revokeOpts := &api.RevokeOptions{
-		LeaseID: leaseID,
-		Force:   c.flagForce,
-		Prefix:  c.flagPrefix,
-		Sync:    c.flagSync,
-	}
-
-	if c.flagForce {
-		c.UI.Warn(wrapAtLength("Warning! Force-removing leases can cause Vault " +
-			"to become out of sync with secret engines!"))
-	}
-
-	err = client.Sys().RevokeWithOptions(revokeOpts)
-	if err != nil {
-		switch {
-		case c.flagForce:
-			c.UI.Error(fmt.Sprintf("Error force revoking leases with prefix %s: %s", leaseID, err))
-			return 2
-		case c.flagPrefix:
-			c.UI.Error(fmt.Sprintf("Error revoking leases with prefix %s: %s", leaseID, err))
-			return 2
-		default:
-			c.UI.Error(fmt.Sprintf("Error revoking lease %s: %s", leaseID, err))
-			return 2
-		}
-	}
-
-	if c.flagForce {
-		c.UI.Output(fmt.Sprintf("Success! Force revoked any leases with prefix: %s", leaseID))
-		return 0
-	}
-
-	if c.flagSync {
-		if c.flagPrefix {
-			c.UI.Output(fmt.Sprintf("Success! Revoked any leases with prefix: %s", leaseID))
-			return 0
-		}
-		c.UI.Output(fmt.Sprintf("Success! Revoked lease: %s", leaseID))
-		return 0
-	}
-
-	c.UI.Output("All revocation operations queued successfully!")
-	return 0
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+// Variables
+@import './utils/color_variables'; // colors need to come first.
+@import './utils/box-shadow_variables';
+@import './utils/font_variables';
+@import './utils/size_variables';
+
+// Element styling
+@import './core/element-styling';
+
+// Mixins
+@import './utils/mixins';
+@import './utils/animations';
+
+// Open-api styling
+@import './utils/swagger';
+
+// Core Styles: each file styles a class that is not associated with a component. Ex: box and not box-label.
+@import './core/box';
+@import './core/breadcrumb';
+@import './core/buttons';
+@import './core/charts';
+@import './core/checkbox-and-radio';
+@import './core/columns';
+@import './core/containers';
+@import './core/control';
+@import './core/field';
+@import './core/file';
+@import './core/inputs';
+@import './core/json-diff-patch';
+@import './core/label';
+@import './core/level';
+@import './core/link';
+@import './core/lists';
+@import './core/menu';
+@import './core/message';
+@import './core/progress';
+@import './core/select';
+@import './core/tag';
+@import './core/title';
+@import './core/toggle';
+
+// Helpers
+@import './helper-classes/colors';
+@import './helper-classes/flexbox-and-grid';
+@import './helper-classes/layout';
+@import './helper-classes/general';
+@import './helper-classes/spacing';
+@import './helper-classes/typography';
+
+// Component specific styling
+@import './components/auth-form';
+@import './components/autocomplete-input';
+@import './components/b64-toggle';
+@import './components/box-label';
+@import './components/calendar-widget';
+@import './components/cluster-banners';
+@import './components/codemirror';
+@import './components/console-ui-panel';
+@import './components/control-group';
+@import './components/doc-link';
+@import './components/empty-state-component';
+@import './components/env-banner';
+@import './components/features-selection';
+@import './components/form-section';
+@import './components/global-flash';
+@import './components/icon';
+@import './components/init-illustration';
+@import './components/info-table-row';
+@import './components/kmip-role-edit';
+@import './components/known-secondaries-card.scss';
+@import './components/linked-block';
+@import './components/list-item-row';
+@import './components/loader';
+@import './components/login-form';
+@import './components/masked-input';
+@import './components/namespace-picker';
+@import './components/namespace-reminder';
+@import './components/navigate-input';
+@import './components/overview-card';
+@import './components/page-header-old';
+@import './components/popup-menu';
+@import './components/radio-card';
+@import './components/radial-progress';
+@import './components/raft-join';
+@import './components/read-more';
+@import './components/regex-validator';
+@import './components/replication-dashboard';
+@import './components/replication-mode-summary';
+@import './components/replication-page';
+@import './components/replication-summary';
+@import './components/role-item';
+@import './components/search-select';
+@import './components/selectable-card';
+@import './components/selectable-card-container';
+@import './components/secrets-engines-card';
+@import './components/action-block';
+@import './components/shamir-progress';
+@import './components/sidebar';
+@import './components/splash-page';
+@import './components/stat-text';
+@import './components/tabs-component';
+@import './components/text-file';
+@import './components/toolbar';
+@import './components/tool-tip';
+@import './components/transform-edit';
+@import './components/transit-card';
+@import './components/ttl-picker';
+@import './components/unseal-warning';
+// @import './components/ui-wizard'; // remove, see PR https://github.com/hashicorp/vault/pull/19220
+@import './components/vault-loading';
diff --git a/command/lease_revoke_test.go b/command/lease_revoke_test.go
index ece8d31f0601..2fb05416b164 100644
--- a/command/lease_revoke_test.go
+++ b/command/lease_revoke_test.go
@@ -1,149 +1,100 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+//go:build !enterprise
 
-import (
-	"strings"
-	"testing"
+package vault
 
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
+import (
+	"context"
 )
 
-func testLeaseRevokeCommand(tb testing.TB) (*cli.MockUi, *LeaseRevokeCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &LeaseRevokeCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestLeaseRevokeCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"force_without_prefix",
-			[]string{"-force"},
-			"requires also specifying -prefix",
-			1,
-		},
-		{
-			"single",
-			nil,
-			"All revocation operations queued successfully",
-			0,
-		},
-		{
-			"single_sync",
-			[]string{"-sync"},
-			"Success",
-			0,
-		},
-		{
-			"force_prefix",
-			[]string{"-force", "-prefix"},
-			"Success",
-			0,
-		},
-		{
-			"prefix",
-			[]string{"-prefix"},
-			"All revocation operations queued successfully",
-			0,
-		},
-		{
-			"prefix_sync",
-			[]string{"-prefix", "-sync"},
-			"Success",
-			0,
-		},
-	}
-
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, tc := range cases {
-			tc := tc
-
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
-
-				client, closer := testVaultServer(t)
-				defer closer()
-
-				if err := client.Sys().Mount("secret-leased", &api.MountInput{
-					Type: "generic-leased",
-				}); err != nil {
-					t.Fatal(err)
-				}
-
-				path := "secret-leased/revoke/" + tc.name
-				data := map[string]interface{}{
-					"key":   "value",
-					"lease": "1m",
-				}
-				if _, err := client.Logical().Write(path, data); err != nil {
-					t.Fatal(err)
-				}
-				secret, err := client.Logical().Read(path)
-				if err != nil {
-					t.Fatal(err)
-				}
-
-				ui, cmd := testLeaseRevokeCommand(t)
-				cmd.client = client
-
-				tc.args = append(tc.args, secret.LeaseID)
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
-	})
-
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerBad(t)
-		defer closer()
-
-		ui, cmd := testLeaseRevokeCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"foo/bar",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Error revoking lease foo/bar: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testLeaseRevokeCommand(t)
-		assertNoTabs(t, cmd)
-	})
+//go:generate go run github.com/hashicorp/vault/tools/stubmaker
+
+func (c *Core) entInitWALPassThrough() func() {
+	return nil
+}
+
+func (c *Core) entCheckStoredLicense(conf *CoreConfig) error {
+	return nil
+}
+
+func (c *Core) entIsLicenseAutoloaded() bool {
+	return false
+}
+
+func (c *Core) entCheckLicenseInit() error {
+	return nil
+}
+
+func (c *Core) EntGetLicenseState() (*LicenseState, error) {
+	return nil, nil
+}
+
+func (c *Core) EntReloadLicense() error {
+	return nil
+}
+
+func (c *Core) entPostUnseal(isStandby bool) error {
+	return nil
+}
+
+func (c *Core) entPreSeal() error {
+	return nil
+}
+
+func (c *Core) entSetupFilteredPaths() error {
+	return nil
+}
+
+func (c *Core) entSetupQuotas(ctx context.Context) error {
+	return nil
+}
+
+func (c *Core) entSetupAPILock(ctx context.Context) error {
+	return nil
+}
+
+func (c *Core) entBlockRequestIfError(nsPath, requestPath string) error {
+	return nil
+}
+
+func (c *Core) entStartReplication() error {
+	return nil
+}
+
+func (c *Core) entStopReplication() error {
+	return nil
+}
+
+func (c *Core) EntLastWAL() uint64 {
+	return 0
+}
+
+func (c *Core) EntLastPerformanceWAL() uint64 {
+	return 0
+}
+
+func (c *Core) EntLastDRWAL() uint64 {
+	return 0
+}
+
+func (c *Core) EntDRMerkleRoot() string {
+	return ""
+}
+
+func (c *Core) EntPerformanceMerkleRoot() string {
+	return ""
+}
+
+func (c *Core) EntLastRemoteWAL() uint64 {
+	return 0
+}
+
+func (c *Core) entLastRemoteUpstreamWAL() uint64 {
+	return 0
+}
+
+func (c *Core) EntWaitUntilWALShipped(ctx context.Context, index uint64) bool {
+	return true
 }
diff --git a/command/list.go b/command/list.go
index 1f300cb459e6..6ecc40af3140 100644
--- a/command/list.go
+++ b/command/list.go
@@ -1,120 +1,3453 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package vault
 
 import (
+	"context"
 	"fmt"
+	"reflect"
 	"strings"
+	"sync"
+	"sync/atomic"
+	"testing"
+	"time"
 
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
+	"github.com/hashicorp/vault/command/server"
+
+	logicalKv "github.com/hashicorp/vault-plugin-secrets-kv"
+	logicalDb "github.com/hashicorp/vault/builtin/logical/database"
+
+	"github.com/hashicorp/vault/builtin/plugin"
+
+	"github.com/hashicorp/vault/builtin/audit/syslog"
 
-var (
-	_ cli.Command             = (*ListCommand)(nil)
-	_ cli.CommandAutocomplete = (*ListCommand)(nil)
+	"github.com/hashicorp/vault/builtin/audit/file"
+	"github.com/hashicorp/vault/builtin/audit/socket"
+	"github.com/stretchr/testify/require"
+
+	"github.com/go-test/deep"
+	"github.com/hashicorp/errwrap"
+	log "github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/go-secure-stdlib/strutil"
+	"github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/vault/audit"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
+	"github.com/hashicorp/vault/internalshared/configutil"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/helper/jsonutil"
+	"github.com/hashicorp/vault/sdk/helper/logging"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/sdk/physical"
+	"github.com/hashicorp/vault/sdk/physical/inmem"
+	"github.com/hashicorp/vault/vault/seal"
+	"github.com/hashicorp/vault/version"
+	"github.com/sasha-s/go-deadlock"
 )
 
-type ListCommand struct {
-	*BaseCommand
+// invalidKey is used to test Unseal
+var invalidKey = []byte("abcdefghijklmnopqrstuvwxyz")[:17]
+
+// TestNewCore_configureAuditBackends ensures that we are able to configure the
+// supplied audit backends when getting a NewCore.
+func TestNewCore_configureAuditBackends(t *testing.T) {
+	t.Parallel()
+
+	tests := map[string]struct {
+		backends map[string]audit.Factory
+	}{
+		"none": {
+			backends: nil,
+		},
+		"file": {
+			backends: map[string]audit.Factory{
+				"file": file.Factory,
+			},
+		},
+		"socket": {
+			backends: map[string]audit.Factory{
+				"socket": socket.Factory,
+			},
+		},
+		"syslog": {
+			backends: map[string]audit.Factory{
+				"syslog": syslog.Factory,
+			},
+		},
+		"all": {
+			backends: map[string]audit.Factory{
+				"file":   file.Factory,
+				"socket": socket.Factory,
+				"syslog": syslog.Factory,
+			},
+		},
+	}
+
+	for name, tc := range tests {
+		name := name
+		tc := tc
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			core := &Core{}
+			require.Len(t, core.auditBackends, 0)
+			core.configureAuditBackends(tc.backends)
+			require.Len(t, core.auditBackends, len(tc.backends))
+			for k := range tc.backends {
+				require.Contains(t, core.auditBackends, k)
+			}
+		})
+	}
+}
+
+// TestNewCore_configureCredentialsBackends ensures that we are able to configure the
+// supplied credential backends, in addition to defaults, when getting a NewCore.
+func TestNewCore_configureCredentialsBackends(t *testing.T) {
+	t.Parallel()
+
+	tests := map[string]struct {
+		backends map[string]logical.Factory
+	}{
+		"none": {
+			backends: nil,
+		},
+		"plugin": {
+			backends: map[string]logical.Factory{
+				"plugin": plugin.Factory,
+			},
+		},
+	}
+
+	for name, tc := range tests {
+		name := name
+		tc := tc
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			core := &Core{}
+			require.Len(t, core.credentialBackends, 0)
+			core.configureCredentialsBackends(tc.backends, corehelpers.NewTestLogger(t))
+			require.GreaterOrEqual(t, len(core.credentialBackends), len(tc.backends)+1) // token + ent
+			for k := range tc.backends {
+				require.Contains(t, core.credentialBackends, k)
+			}
+		})
+	}
+}
+
+// TestNewCore_configureLogicalBackends ensures that we are able to configure the
+// supplied logical backends, in addition to defaults, when getting a NewCore.
+func TestNewCore_configureLogicalBackends(t *testing.T) {
+	t.Parallel()
+
+	// configureLogicalBackends will add some default backends for us:
+	// cubbyhole
+	// identity
+	// kv
+	// system
+	// In addition Enterprise versions of Vault may add additional engines.
+
+	tests := map[string]struct {
+		backends               map[string]logical.Factory
+		adminNamespacePath     string
+		expectedNonEntBackends int
+	}{
+		"none": {
+			backends:               nil,
+			expectedNonEntBackends: 0,
+		},
+		"database": {
+			backends: map[string]logical.Factory{
+				"database": logicalDb.Factory,
+			},
+			adminNamespacePath:     "foo",
+			expectedNonEntBackends: 5, // database + defaults
+		},
+		"kv": {
+			backends: map[string]logical.Factory{
+				"kv": logicalKv.Factory,
+			},
+			adminNamespacePath:     "foo",
+			expectedNonEntBackends: 4, // kv + defaults (kv is a default)
+		},
+		"plugin": {
+			backends: map[string]logical.Factory{
+				"plugin": plugin.Factory,
+			},
+			adminNamespacePath:     "foo",
+			expectedNonEntBackends: 5, // plugin + defaults
+		},
+		"all": {
+			backends: map[string]logical.Factory{
+				"database": logicalDb.Factory,
+				"kv":       logicalKv.Factory,
+				"plugin":   plugin.Factory,
+			},
+			adminNamespacePath:     "foo",
+			expectedNonEntBackends: 6, // database, plugin + defaults
+		},
+	}
+
+	for name, tc := range tests {
+		name := name
+		tc := tc
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			core := &Core{}
+			require.Len(t, core.logicalBackends, 0)
+			core.configureLogicalBackends(tc.backends, corehelpers.NewTestLogger(t), tc.adminNamespacePath)
+			require.GreaterOrEqual(t, len(core.logicalBackends), tc.expectedNonEntBackends)
+			require.Contains(t, core.logicalBackends, mountTypeKV)
+			require.Contains(t, core.logicalBackends, mountTypeCubbyhole)
+			require.Contains(t, core.logicalBackends, mountTypeSystem)
+			require.Contains(t, core.logicalBackends, mountTypeIdentity)
+			for k := range tc.backends {
+				require.Contains(t, core.logicalBackends, k)
+			}
+		})
+	}
+}
+
+// TestNewCore_configureLogRequestLevel ensures that we are able to configure the
+// supplied logging level when getting a NewCore.
+func TestNewCore_configureLogRequestLevel(t *testing.T) {
+	t.Parallel()
+
+	tests := map[string]struct {
+		level         string
+		expectedLevel log.Level
+	}{
+		"none": {
+			level:         "",
+			expectedLevel: log.NoLevel,
+		},
+		"trace": {
+			level:         "trace",
+			expectedLevel: log.Trace,
+		},
+		"debug": {
+			level:         "debug",
+			expectedLevel: log.Debug,
+		},
+		"info": {
+			level:         "info",
+			expectedLevel: log.Info,
+		},
+		"warn": {
+			level:         "warn",
+			expectedLevel: log.Warn,
+		},
+		"error": {
+			level:         "error",
+			expectedLevel: log.Error,
+		},
+		"bad": {
+			level:         "foo",
+			expectedLevel: log.NoLevel,
+		},
+	}
+
+	for name, tc := range tests {
+		name := name
+		tc := tc
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			// We need to supply a logger, as configureLogRequestsLevel emits
+			// warnings to the logs in certain circumstances.
+			core := &Core{
+				logger: corehelpers.NewTestLogger(t),
+			}
+			core.configureLogRequestsLevel(tc.level)
+			require.Equal(t, tc.expectedLevel, log.Level(core.logRequestsLevel.Load()))
+		})
+	}
+}
+
+// TestNewCore_configureListeners tests that we are able to configure listeners
+// on a NewCore via config.
+func TestNewCore_configureListeners(t *testing.T) {
+	// We would usually expect CoreConfig to come from server.NewConfig().
+	// However, we want to fiddle to give us some granular control over the config.
+	tests := map[string]struct {
+		config            *CoreConfig
+		expectedListeners []*ListenerCustomHeaders
+	}{
+		"nil-listeners": {
+			config: &CoreConfig{
+				RawConfig: &server.Config{
+					SharedConfig: &configutil.SharedConfig{},
+				},
+			},
+			expectedListeners: nil,
+		},
+		"listeners-empty": {
+			config: &CoreConfig{
+				RawConfig: &server.Config{
+					SharedConfig: &configutil.SharedConfig{
+						Listeners: []*configutil.Listener{},
+					},
+				},
+			},
+			expectedListeners: nil,
+		},
+		"listeners-some": {
+			config: &CoreConfig{
+				RawConfig: &server.Config{
+					SharedConfig: &configutil.SharedConfig{
+						Listeners: []*configutil.Listener{
+							{Address: "foo"},
+						},
+					},
+				},
+			},
+			expectedListeners: []*ListenerCustomHeaders{
+				{Address: "foo"},
+			},
+		},
+	}
+
+	for name, tc := range tests {
+		name := name
+		tc := tc
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			// We need to init some values ourselves, usually CreateCore does this for us.
+			logger := corehelpers.NewTestLogger(t)
+			backend, err := inmem.NewInmem(nil, logger)
+			require.NoError(t, err)
+			storage := &logical.InmemStorage{}
+			core := &Core{
+				clusterListener:      new(atomic.Value),
+				customListenerHeader: new(atomic.Value),
+				uiConfig:             NewUIConfig(false, backend, storage),
+			}
+
+			err = core.configureListeners(tc.config)
+			require.NoError(t, err)
+			switch tc.expectedListeners {
+			case nil:
+				require.Nil(t, core.customListenerHeader.Load())
+			default:
+				for i, v := range core.customListenerHeader.Load().([]*ListenerCustomHeaders) {
+					require.Equal(t, v.Address, tc.config.RawConfig.Listeners[i].Address)
+				}
+			}
+		})
+	}
+}
+
+func TestNewCore_badRedirectAddr(t *testing.T) {
+	logger = logging.NewVaultLogger(log.Trace)
+
+	inm, err := inmem.NewInmem(nil, logger)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	conf := &CoreConfig{
+		RedirectAddr: "127.0.0.1:8200",
+		Physical:     inm,
+		DisableMlock: true,
+	}
+	_, err = NewCore(conf)
+	if err == nil {
+		t.Fatal("should error")
+	}
+}
+
+func TestSealConfig_Invalid(t *testing.T) {
+	s := &SealConfig{
+		SecretShares:    2,
+		SecretThreshold: 1,
+	}
+	err := s.Validate()
+	if err == nil {
+		t.Fatalf("expected err")
+	}
+}
+
+// TestCore_HasVaultVersion checks that versionHistory is correct and initialized
+// after a core has been unsealed.
+func TestCore_HasVaultVersion(t *testing.T) {
+	c, _, _ := TestCoreUnsealed(t)
+	if c.versionHistory == nil {
+		t.Fatalf("Version timestamps for core were not initialized for a new core")
+	}
+	versionEntry, ok := c.versionHistory[version.Version]
+	if !ok {
+		t.Fatalf("%s upgrade time not found", version.Version)
+	}
+
+	upgradeTime := versionEntry.TimestampInstalled
+
+	if upgradeTime.After(time.Now()) || upgradeTime.Before(time.Now().Add(-1*time.Hour)) {
+		t.Fatalf("upgrade time isn't within reasonable bounds of new core initialization. " +
+			fmt.Sprintf("time is: %+v, upgrade time is %+v", time.Now(), upgradeTime))
+	}
+}
+
+func TestCore_Unseal_MultiShare(t *testing.T) {
+	c := TestCore(t)
+
+	_, err := TestCoreUnseal(c, invalidKey)
+	if err != ErrNotInit {
+		t.Fatalf("err: %v", err)
+	}
+
+	sealConf := &SealConfig{
+		SecretShares:    5,
+		SecretThreshold: 3,
+	}
+	res, err := c.Initialize(namespace.RootContext(nil), &InitParams{
+		BarrierConfig:  sealConf,
+		RecoveryConfig: nil,
+	})
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	if !c.Sealed() {
+		t.Fatalf("should be sealed")
+	}
+
+	if prog, _ := c.SecretProgress(true); prog != 0 {
+		t.Fatalf("bad progress: %d", prog)
+	}
+
+	for i := 0; i < 5; i++ {
+		unseal, err := TestCoreUnseal(c, res.SecretShares[i])
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		// Ignore redundant
+		_, err = TestCoreUnseal(c, res.SecretShares[i])
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		if i >= 2 {
+			if !unseal {
+				t.Fatalf("should be unsealed")
+			}
+			if prog, _ := c.SecretProgress(true); prog != 0 {
+				t.Fatalf("bad progress: %d", prog)
+			}
+		} else {
+			if unseal {
+				t.Fatalf("should not be unsealed")
+			}
+			if prog, _ := c.SecretProgress(true); prog != i+1 {
+				t.Fatalf("bad progress: %d", prog)
+			}
+		}
+	}
+
+	if c.Sealed() {
+		t.Fatalf("should not be sealed")
+	}
+
+	err = c.Seal(res.RootToken)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Ignore redundant
+	err = c.Seal(res.RootToken)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	if !c.Sealed() {
+		t.Fatalf("should be sealed")
+	}
+}
+
+// TestCore_UseSSCTokenToggleOn will check that the root SSC
+// token can be used even when disableSSCTokens is toggled on
+func TestCore_UseSSCTokenToggleOn(t *testing.T) {
+	coreConfig := &CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"kv": LeasedPassthroughBackendFactory,
+		},
+	}
+	c, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
+	c.disableSSCTokens = true
+	req := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "secret/test",
+		Data: map[string]interface{}{
+			"foo":   "bar",
+			"lease": "1h",
+		},
+		ClientToken: root,
+	}
+	ctx := namespace.RootContext(nil)
+	resp, err := c.HandleRequest(ctx, req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Read the key
+	req.Operation = logical.ReadOperation
+	req.Data = nil
+	err = c.PopulateTokenEntry(ctx, req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	resp, err = c.HandleRequest(ctx, req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Secret == nil || resp.Data == nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+	if resp.Secret.TTL != time.Hour {
+		t.Fatalf("bad: %#v", resp.Secret)
+	}
+	if resp.Secret.LeaseID == "" {
+		t.Fatalf("bad: %#v", resp.Secret)
+	}
+	if resp.Data["foo"] != "bar" {
+		t.Fatalf("bad: %#v", resp.Data)
+	}
+}
+
+// TestCore_UseNonSSCTokenToggleOff will check that the root
+// non-SSC token can be used even when disableSSCTokens is toggled
+// off.
+func TestCore_UseNonSSCTokenToggleOff(t *testing.T) {
+	coreConfig := &CoreConfig{
+		DisableSSCTokens: true,
+		LogicalBackends: map[string]logical.Factory{
+			"kv": LeasedPassthroughBackendFactory,
+		},
+	}
+	c, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
+	if len(root) > TokenLength+OldTokenPrefixLength || !strings.HasPrefix(root, consts.LegacyServiceTokenPrefix) {
+		t.Fatalf("token is not an old token type: %s, %d", root, len(root))
+	}
+	c.disableSSCTokens = false
+	req := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "secret/test",
+		Data: map[string]interface{}{
+			"foo":   "bar",
+			"lease": "1h",
+		},
+		ClientToken: root,
+	}
+	ctx := namespace.RootContext(nil)
+	resp, err := c.HandleRequest(ctx, req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Read the key
+	req.Operation = logical.ReadOperation
+	req.Data = nil
+	err = c.PopulateTokenEntry(ctx, req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	resp, err = c.HandleRequest(ctx, req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Secret == nil || resp.Data == nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+	if resp.Secret.TTL != time.Hour {
+		t.Fatalf("bad: %#v", resp.Secret)
+	}
+	if resp.Secret.LeaseID == "" {
+		t.Fatalf("bad: %#v", resp.Secret)
+	}
+	if resp.Data["foo"] != "bar" {
+		t.Fatalf("bad: %#v", resp.Data)
+	}
+}
+
+func TestCore_Unseal_Single(t *testing.T) {
+	c := TestCore(t)
+
+	_, err := TestCoreUnseal(c, invalidKey)
+	if err != ErrNotInit {
+		t.Fatalf("err: %v", err)
+	}
+
+	sealConf := &SealConfig{
+		SecretShares:    1,
+		SecretThreshold: 1,
+	}
+	res, err := c.Initialize(namespace.RootContext(nil), &InitParams{
+		BarrierConfig:  sealConf,
+		RecoveryConfig: nil,
+	})
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	if !c.Sealed() {
+		t.Fatalf("should be sealed")
+	}
+
+	if prog, _ := c.SecretProgress(true); prog != 0 {
+		t.Fatalf("bad progress: %d", prog)
+	}
+
+	unseal, err := TestCoreUnseal(c, res.SecretShares[0])
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	if !unseal {
+		t.Fatalf("should be unsealed")
+	}
+	if prog, _ := c.SecretProgress(true); prog != 0 {
+		t.Fatalf("bad progress: %d", prog)
+	}
+
+	if c.Sealed() {
+		t.Fatalf("should not be sealed")
+	}
+}
+
+func TestCore_Route_Sealed(t *testing.T) {
+	c := TestCore(t)
+	sealConf := &SealConfig{
+		SecretShares:    1,
+		SecretThreshold: 1,
+	}
+
+	ctx := namespace.RootContext(nil)
+
+	// Should not route anything
+	req := &logical.Request{
+		Operation: logical.ReadOperation,
+		Path:      "sys/mounts",
+	}
+	_, err := c.HandleRequest(ctx, req)
+	if err != consts.ErrSealed {
+		t.Fatalf("err: %v", err)
+	}
+
+	res, err := c.Initialize(ctx, &InitParams{
+		BarrierConfig:  sealConf,
+		RecoveryConfig: nil,
+	})
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	unseal, err := TestCoreUnseal(c, res.SecretShares[0])
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !unseal {
+		t.Fatalf("should be unsealed")
+	}
+
+	// Should not error after unseal
+	req.ClientToken = res.RootToken
+	_, err = c.HandleRequest(ctx, req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+}
+
+// Attempt to unseal after doing a first seal
+func TestCore_SealUnseal(t *testing.T) {
+	c, keys, root := TestCoreUnsealed(t)
+	if err := c.Seal(root); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	for i, key := range keys {
+		unseal, err := TestCoreUnseal(c, key)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		if i+1 == len(keys) && !unseal {
+			t.Fatalf("err: should be unsealed")
+		}
+	}
 }
 
-func (c *ListCommand) Synopsis() string {
-	return "List data or secrets"
+// TestCore_RunLockedUserUpdatesForStaleEntry tests that stale locked user entries
+// get deleted upon unseal
+func TestCore_RunLockedUserUpdatesForStaleEntry(t *testing.T) {
+	core, keys, root := TestCoreUnsealed(t)
+	storageUserLockoutPath := fmt.Sprintf(coreLockedUsersPath + "ns1/mountAccessor1/aliasName1")
+
+	// cleanup
+	defer core.barrier.Delete(context.Background(), storageUserLockoutPath)
+
+	// create invalid entry in storage to test stale entries get deleted on unseal
+	// last failed login time for this path is 1970-01-01 00:00:00 +0000 UTC
+	// since user lockout configurations are not configured, lockout duration will
+	// be set to default (15m) internally
+	compressedBytes, err := jsonutil.EncodeJSONAndCompress(int(time.Unix(0, 0).Unix()), nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Create an entry
+	entry := &logical.StorageEntry{
+		Key:   storageUserLockoutPath,
+		Value: compressedBytes,
+	}
+
+	// Write to the physical backend
+	err = core.barrier.Put(context.Background(), entry)
+	if err != nil {
+		t.Fatalf("failed to write invalid locked user entry, err: %v", err)
+	}
+
+	// seal and unseal vault
+	if err := core.Seal(root); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	for i, key := range keys {
+		unseal, err := TestCoreUnseal(core, key)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		if i+1 == len(keys) && !unseal {
+			t.Fatalf("err: should be unsealed")
+		}
+	}
+
+	// locked user entry must be deleted upon unseal as it is stale
+	lastFailedLoginRaw, err := core.barrier.Get(context.Background(), storageUserLockoutPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if lastFailedLoginRaw != nil {
+		t.Fatal("err: stale locked user entry exists")
+	}
 }
 
-func (c *ListCommand) Help() string {
-	helpText := `
+// TestCore_RunLockedUserUpdatesForValidEntry tests that valid locked user entries
+// do not get removed on unseal
+// Also tests that the userFailedLoginInfo map gets updated with correct information
+func TestCore_RunLockedUserUpdatesForValidEntry(t *testing.T) {
+	core, keys, root := TestCoreUnsealed(t)
+	storageUserLockoutPath := fmt.Sprintf(coreLockedUsersPath + "ns1/mountAccessor1/aliasName1")
+
+	// cleanup
+	defer core.barrier.Delete(context.Background(), storageUserLockoutPath)
+
+	// create valid storage entry for locked user
+	lastFailedLoginTime := int(time.Now().Unix())
 
-Usage: vault list [options] PATH
+	compressedBytes, err := jsonutil.EncodeJSONAndCompress(lastFailedLoginTime, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
 
-  Lists data from Vault at the given path. This can be used to list keys in a,
-  given secret engine.
+	// Create an entry
+	entry := &logical.StorageEntry{
+		Key:   storageUserLockoutPath,
+		Value: compressedBytes,
+	}
 
-  List values under the "my-app" folder of the generic secret engine:
+	// Write to the physical backend
+	err = core.barrier.Put(context.Background(), entry)
+	if err != nil {
+		t.Fatalf("failed to write invalid locked user entry, err: %v", err)
+	}
 
-      $ vault list secret/my-app/
+	// seal and unseal vault
+	if err := core.Seal(root); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	for i, key := range keys {
+		unseal, err := TestCoreUnseal(core, key)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		if i+1 == len(keys) && !unseal {
+			t.Fatalf("err: should be unsealed")
+		}
+	}
 
-  For a full list of examples and paths, please see the documentation that
-  corresponds to the secret engine in use. Not all engines support listing.
+	// locked user entry must exist as it is still valid
+	existingEntry, err := core.barrier.Get(context.Background(), storageUserLockoutPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if existingEntry == nil {
+		t.Fatalf("err: entry must exist for locked user in storage")
+	}
 
-` + c.Flags().Help()
+	// userFailedLoginInfo map should have the correct information for locked user
+	loginUserInfoKey := FailedLoginUser{
+		aliasName:     "aliasName1",
+		mountAccessor: "mountAccessor1",
+	}
 
-	return strings.TrimSpace(helpText)
+	failedLoginInfoFromMap := core.LocalGetUserFailedLoginInfo(context.Background(), loginUserInfoKey)
+	if failedLoginInfoFromMap == nil {
+		t.Fatalf("err: entry must exist for locked user in userFailedLoginInfo map")
+	}
+	if failedLoginInfoFromMap.lastFailedLoginTime != lastFailedLoginTime {
+		t.Fatalf("err: incorrect failed login time information for locked user updated in userFailedLoginInfo map")
+	}
+	if int(failedLoginInfoFromMap.count) != configutil.UserLockoutThresholdDefault {
+		t.Fatalf("err: incorrect failed login count information for locked user updated in userFailedLoginInfo map")
+	}
 }
 
-func (c *ListCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat | FlagSetOutputDetailed)
-	return set
+// Attempt to shutdown after unseal
+func TestCore_Shutdown(t *testing.T) {
+	c, _, _ := TestCoreUnsealed(t)
+	if err := c.Shutdown(); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !c.Sealed() {
+		t.Fatal("wasn't sealed")
+	}
 }
 
-func (c *ListCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultFolders()
+// verify the channel returned by ShutdownDone is closed after Finalize
+func TestCore_ShutdownDone(t *testing.T) {
+	c := TestCoreWithSealAndUINoCleanup(t, &CoreConfig{})
+	testCoreUnsealed(t, c)
+	doneCh := c.ShutdownDone()
+	go func() {
+		time.Sleep(100 * time.Millisecond)
+		err := c.Shutdown()
+		if err != nil {
+			t.Fatal(err)
+		}
+	}()
+
+	select {
+	case <-doneCh:
+		if !c.Sealed() {
+			t.Fatalf("shutdown done called prematurely!")
+		}
+	case <-time.After(5 * time.Second):
+		t.Fatalf("shutdown notification not received")
+	}
 }
 
-func (c *ListCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
+// Attempt to seal bad token
+func TestCore_Seal_BadToken(t *testing.T) {
+	c, _, _ := TestCoreUnsealed(t)
+	if err := c.Seal("foo"); err == nil {
+		t.Fatalf("err: %v", err)
+	}
+	if c.Sealed() {
+		t.Fatal("was sealed")
+	}
 }
 
-func (c *ListCommand) Run(args []string) int {
-	f := c.Flags()
+func TestCore_PreOneTen_BatchTokens(t *testing.T) {
+	c, _, _ := TestCoreUnsealed(t)
 
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
+	// load up some versions and ensure that 1.9 is the most recent one by timestamp (even though this isn't realistic)
+	upgradeTimePlusEpsilon := time.Now().UTC()
+
+	versionEntries := []VaultVersion{
+		{Version: "1.10.1", TimestampInstalled: upgradeTimePlusEpsilon.Add(-4 * time.Hour)},
+		{Version: "1.9.2", TimestampInstalled: upgradeTimePlusEpsilon.Add(2 * time.Hour)},
+	}
+
+	for _, entry := range versionEntries {
+		_, err := c.storeVersionEntry(context.Background(), &entry, false)
+		if err != nil {
+			t.Fatalf("failed to write version entry %#v, err: %s", entry, err.Error())
+		}
 	}
 
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
+	err := c.loadVersionHistory(c.activeContext)
+	if err != nil {
+		t.Fatalf("failed to populate version history cache, err: %s", err.Error())
 	}
 
-	client, err := c.Client()
+	// double check that we're working with 1.9
+	v, _, err := c.FindNewestVersionTimestamp()
 	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
+		t.Fatal(err)
+	}
+	if v != "1.9.2" {
+		t.Fatalf("expected 1.9.2, found: %s", v)
 	}
 
-	path := sanitizePath(args[0])
-	secret, err := client.Logical().List(path)
+	// generate a batch token
+	te := &logical.TokenEntry{
+		NumUses:     1,
+		Policies:    []string{"root"},
+		NamespaceID: namespace.RootNamespaceID,
+		Type:        logical.TokenTypeBatch,
+	}
+	err = c.tokenStore.create(namespace.RootContext(nil), te)
 	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error listing %s: %s", path, err))
-		return 2
+		t.Fatal(err)
+	}
+
+	// verify it uses the legacy prefix
+	if !strings.HasPrefix(te.ID, consts.LegacyBatchTokenPrefix) {
+		t.Fatalf("expected 1.9 batch token IDs to start with b. but it didn't: %s", te.ID)
 	}
+}
+
+func TestCore_OneTenPlus_BatchTokens(t *testing.T) {
+	c, _, _ := TestCoreUnsealed(t)
+
+	// load up some versions and ensure that 1.10 is the most recent version
+	upgradeTimePlusEpsilon := time.Now().UTC()
 
-	// If the secret is wrapped, return the wrapped response.
-	if secret != nil && secret.WrapInfo != nil && secret.WrapInfo.TTL != 0 {
-		return OutputSecret(c.UI, secret)
+	versionEntries := []VaultVersion{
+		{Version: "1.9.2", TimestampInstalled: upgradeTimePlusEpsilon.Add(-4 * time.Hour)},
+		{Version: "1.10.1", TimestampInstalled: upgradeTimePlusEpsilon.Add(2 * time.Hour)},
 	}
 
-	_, ok := extractListData(secret)
-	if Format(c.UI) != "table" {
-		if secret == nil || secret.Data == nil || !ok {
-			OutputData(c.UI, map[string]interface{}{})
-			return 2
+	for _, entry := range versionEntries {
+		_, err := c.storeVersionEntry(context.Background(), &entry, false)
+		if err != nil {
+			t.Fatalf("failed to write version entry %#v, err: %s", entry, err.Error())
 		}
 	}
 
-	if secret == nil {
-		c.UI.Error(fmt.Sprintf("No value found at %s", path))
-		return 2
+	err := c.loadVersionHistory(c.activeContext)
+	if err != nil {
+		t.Fatalf("failed to populate version history cache, err: %s", err.Error())
+	}
+
+	// double check that we're working with 1.10
+	v, _, err := c.FindNewestVersionTimestamp()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if v != "1.10.1" {
+		t.Fatalf("expected 1.10.1, found: %s", v)
+	}
+
+	// generate a batch token
+	te := &logical.TokenEntry{
+		NumUses:     1,
+		Policies:    []string{"root"},
+		NamespaceID: namespace.RootNamespaceID,
+		Type:        logical.TokenTypeBatch,
+	}
+	err = c.tokenStore.create(namespace.RootContext(nil), te)
+	if err != nil {
+		t.Fatal(err)
 	}
-	if secret.Data == nil {
-		// If secret wasn't nil, we have warnings, so output them anyways. We
-		// may also have non-keys info.
-		return OutputSecret(c.UI, secret)
+
+	// verify it uses the legacy prefix
+	if !strings.HasPrefix(te.ID, consts.BatchTokenPrefix) {
+		t.Fatalf("expected 1.10 batch token IDs to start with hvb. but it didn't: %s", te.ID)
 	}
+}
 
-	if !ok {
-		c.UI.Error(fmt.Sprintf("No entries found at %s", path))
-		return 2
+// GH-3497
+func TestCore_Seal_SingleUse(t *testing.T) {
+	c, keys, _ := TestCoreUnsealed(t)
+	c.tokenStore.create(namespace.RootContext(nil), &logical.TokenEntry{
+		ID:          "foo",
+		NumUses:     1,
+		Policies:    []string{"root"},
+		NamespaceID: namespace.RootNamespaceID,
+	})
+	if err := c.Seal("foo"); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !c.Sealed() {
+		t.Fatal("not sealed")
+	}
+	for i, key := range keys {
+		unseal, err := TestCoreUnseal(c, key)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		if i+1 == len(keys) && !unseal {
+			t.Fatalf("err: should be unsealed")
+		}
+	}
+	if err := c.Seal("foo"); err == nil {
+		t.Fatal("expected error from revoked token")
+	}
+	te, err := c.tokenStore.Lookup(namespace.RootContext(nil), "foo")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if te != nil {
+		t.Fatalf("expected nil token entry, got %#v", *te)
+	}
+}
+
+// Ensure we get a LeaseID
+func TestCore_HandleRequest_Lease(t *testing.T) {
+	coreConfig := &CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"kv": LeasedPassthroughBackendFactory,
+		},
+	}
+	c, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
+
+	req := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "secret/test",
+		Data: map[string]interface{}{
+			"foo":   "bar",
+			"lease": "1h",
+		},
+		ClientToken: root,
+	}
+	ctx := namespace.RootContext(nil)
+	resp, err := c.HandleRequest(ctx, req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
 	}
 
-	return OutputList(c.UI, secret)
+	// Read the key
+	req.Operation = logical.ReadOperation
+	req.Data = nil
+	err = c.PopulateTokenEntry(ctx, req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	resp, err = c.HandleRequest(ctx, req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Secret == nil || resp.Data == nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+	if resp.Secret.TTL != time.Hour {
+		t.Fatalf("bad: %#v", resp.Secret)
+	}
+	if resp.Secret.LeaseID == "" {
+		t.Fatalf("bad: %#v", resp.Secret)
+	}
+	if resp.Data["foo"] != "bar" {
+		t.Fatalf("bad: %#v", resp.Data)
+	}
+}
+
+func TestCore_HandleRequest_Lease_MaxLength(t *testing.T) {
+	coreConfig := &CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"kv": LeasedPassthroughBackendFactory,
+		},
+	}
+	c, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
+
+	req := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "secret/test",
+		Data: map[string]interface{}{
+			"foo":   "bar",
+			"lease": "1000h",
+		},
+		ClientToken: root,
+	}
+	ctx := namespace.RootContext(nil)
+	resp, err := c.HandleRequest(ctx, req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Read the key
+	req.Operation = logical.ReadOperation
+	req.Data = nil
+	err = c.PopulateTokenEntry(ctx, req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	resp, err = c.HandleRequest(ctx, req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Secret == nil || resp.Data == nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+	if resp.Secret.TTL != c.maxLeaseTTL {
+		t.Fatalf("bad: %#v, %d", resp.Secret, c.maxLeaseTTL)
+	}
+	if resp.Secret.LeaseID == "" {
+		t.Fatalf("bad: %#v", resp.Secret)
+	}
+	if resp.Data["foo"] != "bar" {
+		t.Fatalf("bad: %#v", resp.Data)
+	}
+}
+
+func TestCore_HandleRequest_Lease_DefaultLength(t *testing.T) {
+	coreConfig := &CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"kv": LeasedPassthroughBackendFactory,
+		},
+	}
+	c, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
+
+	req := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "secret/test",
+		Data: map[string]interface{}{
+			"foo":   "bar",
+			"lease": "0h",
+		},
+		ClientToken: root,
+	}
+	ctx := namespace.RootContext(nil)
+	resp, err := c.HandleRequest(ctx, req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Read the key
+	req.Operation = logical.ReadOperation
+	req.Data = nil
+	err = c.PopulateTokenEntry(ctx, req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	resp, err = c.HandleRequest(ctx, req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Secret == nil || resp.Data == nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+	if resp.Secret.TTL != c.defaultLeaseTTL {
+		t.Fatalf("bad: %d, %d", resp.Secret.TTL/time.Second, c.defaultLeaseTTL/time.Second)
+	}
+	if resp.Secret.LeaseID == "" {
+		t.Fatalf("bad: %#v", resp.Secret)
+	}
+	if resp.Data["foo"] != "bar" {
+		t.Fatalf("bad: %#v", resp.Data)
+	}
+}
+
+func TestCore_HandleRequest_MissingToken(t *testing.T) {
+	c, _, _ := TestCoreUnsealed(t)
+
+	req := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "secret/test",
+		Data: map[string]interface{}{
+			"foo":   "bar",
+			"lease": "1h",
+		},
+	}
+	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
+	if err == nil || !errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
+		t.Fatalf("err: %v", err)
+	}
+	if resp.Data["error"] != logical.ErrPermissionDenied.Error() {
+		t.Fatalf("bad: %#v", resp)
+	}
+}
+
+func TestCore_HandleRequest_InvalidToken(t *testing.T) {
+	c, _, _ := TestCoreUnsealed(t)
+
+	req := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "secret/test",
+		Data: map[string]interface{}{
+			"foo":   "bar",
+			"lease": "1h",
+		},
+		ClientToken: "foobarbaz",
+	}
+	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
+	if err == nil || !errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
+		t.Fatalf("err: %v", err)
+	}
+	if resp.Data["error"] != "permission denied" {
+		t.Fatalf("bad: %#v", resp)
+	}
+}
+
+// Check that standard permissions work
+func TestCore_HandleRequest_NoSlash(t *testing.T) {
+	c, _, root := TestCoreUnsealed(t)
+
+	req := &logical.Request{
+		Operation:   logical.HelpOperation,
+		Path:        "secret",
+		ClientToken: root,
+	}
+	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v, resp: %v", err, resp)
+	}
+	if _, ok := resp.Data["help"]; !ok {
+		t.Fatalf("resp: %v", resp)
+	}
+}
+
+// Test a root path is denied if non-root
+func TestCore_HandleRequest_RootPath(t *testing.T) {
+	c, _, root := TestCoreUnsealed(t)
+	testMakeServiceTokenViaCore(t, c, root, "child", "", []string{"test"})
+
+	req := &logical.Request{
+		Operation:   logical.ReadOperation,
+		Path:        "sys/policy", // root protected!
+		ClientToken: "child",
+	}
+	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
+	if err == nil || !errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
+		t.Fatalf("err: %v, resp: %v", err, resp)
+	}
+}
+
+// Test a root path is allowed if non-root but with sudo
+func TestCore_HandleRequest_RootPath_WithSudo(t *testing.T) {
+	c, _, root := TestCoreUnsealed(t)
+
+	// Set the 'test' policy object to permit access to sys/policy
+	req := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "sys/policy/test", // root protected!
+		Data: map[string]interface{}{
+			"rules": `path "sys/policy" { policy = "sudo" }`,
+		},
+		ClientToken: root,
+	}
+	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil && (resp.IsError() || len(resp.Data) > 0) {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Child token (non-root) but with 'test' policy should have access
+	testMakeServiceTokenViaCore(t, c, root, "child", "", []string{"test"})
+	req = &logical.Request{
+		Operation:   logical.ReadOperation,
+		Path:        "sys/policy", // root protected!
+		ClientToken: "child",
+	}
+	resp, err = c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+}
+
+// Check that standard permissions work
+func TestCore_HandleRequest_PermissionDenied(t *testing.T) {
+	c, _, root := TestCoreUnsealed(t)
+	testMakeServiceTokenViaCore(t, c, root, "child", "", []string{"test"})
+
+	req := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "secret/test",
+		Data: map[string]interface{}{
+			"foo":   "bar",
+			"lease": "1h",
+		},
+		ClientToken: "child",
+	}
+	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
+	if err == nil || !errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
+		t.Fatalf("err: %v, resp: %v", err, resp)
+	}
+}
+
+// Check that standard permissions work
+func TestCore_HandleRequest_PermissionAllowed(t *testing.T) {
+	c, _, root := TestCoreUnsealed(t)
+	testMakeServiceTokenViaCore(t, c, root, "child", "", []string{"test"})
+
+	// Set the 'test' policy object to permit access to secret/
+	req := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "sys/policy/test",
+		Data: map[string]interface{}{
+			"rules": `path "secret/*" { policy = "write" }`,
+		},
+		ClientToken: root,
+	}
+	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil && (resp.IsError() || len(resp.Data) > 0) {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Write should work now
+	req = &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "secret/test",
+		Data: map[string]interface{}{
+			"foo":   "bar",
+			"lease": "1h",
+		},
+		ClientToken: "child",
+	}
+	resp, err = c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+}
+
+func TestCore_HandleRequest_NoClientToken(t *testing.T) {
+	noop := &NoopBackend{
+		Response: &logical.Response{},
+	}
+	c, _, root := TestCoreUnsealed(t)
+	c.logicalBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
+		return noop, nil
+	}
+
+	// Enable the logical backend
+	req := logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo")
+	req.Data["type"] = "noop"
+	req.Data["description"] = "foo"
+	req.ClientToken = root
+	_, err := c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Attempt to request with connection data
+	req = &logical.Request{
+		Path: "foo/login",
+	}
+	req.ClientToken = root
+	if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	ct := noop.Requests[0].ClientToken
+	if ct == "" || ct == root {
+		t.Fatalf("bad: %#v", noop.Requests)
+	}
+}
+
+func TestCore_HandleRequest_ConnOnLogin(t *testing.T) {
+	noop := &NoopBackend{
+		Login:       []string{"login"},
+		Response:    &logical.Response{},
+		BackendType: logical.TypeCredential,
+	}
+	c, _, root := TestCoreUnsealed(t)
+	c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
+		return noop, nil
+	}
+
+	// Enable the credential backend
+	req := logical.TestRequest(t, logical.UpdateOperation, "sys/auth/foo")
+	req.Data["type"] = "noop"
+	req.ClientToken = root
+	_, err := c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Attempt to request with connection data
+	req = &logical.Request{
+		Path:       "auth/foo/login",
+		Connection: &logical.Connection{},
+	}
+	if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if noop.Requests[0].Connection == nil {
+		t.Fatalf("bad: %#v", noop.Requests)
+	}
+}
+
+// Ensure we get a client token
+func TestCore_HandleLogin_Token(t *testing.T) {
+	noop := &NoopBackend{
+		Login: []string{"login"},
+		Response: &logical.Response{
+			Auth: &logical.Auth{
+				Policies: []string{"foo", "bar"},
+				Metadata: map[string]string{
+					"user": "armon",
+				},
+				DisplayName: "armon",
+			},
+		},
+		BackendType: logical.TypeCredential,
+	}
+	c, _, root := TestCoreUnsealed(t)
+	c.credentialBackends["noop"] = func(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
+		return noop, nil
+	}
+
+	// Enable the credential backend
+	req := logical.TestRequest(t, logical.UpdateOperation, "sys/auth/foo")
+	req.Data["type"] = "noop"
+	req.ClientToken = root
+	_, err := c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Attempt to login
+	lreq := &logical.Request{
+		Path: "auth/foo/login",
+	}
+	lresp, err := c.HandleRequest(namespace.RootContext(nil), lreq)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Ensure we got a client token back
+	clientToken := lresp.Auth.ClientToken
+	if clientToken == "" {
+		t.Fatalf("bad: %#v", lresp)
+	}
+
+	// Check the policy and metadata
+	innerToken, _ := c.DecodeSSCToken(clientToken)
+	te, err := c.tokenStore.Lookup(namespace.RootContext(nil), innerToken)
+	if err != nil || te == nil {
+		t.Fatalf("tok: %s, err: %v", clientToken, err)
+	}
+
+	expectedID, _ := c.DecodeSSCToken(clientToken)
+	expect := &logical.TokenEntry{
+		ID:       expectedID,
+		Accessor: te.Accessor,
+		Parent:   "",
+		Policies: []string{"bar", "default", "foo"},
+		Path:     "auth/foo/login",
+		Meta: map[string]string{
+			"user": "armon",
+		},
+		DisplayName:  "foo-armon",
+		TTL:          time.Hour * 24,
+		CreationTime: te.CreationTime,
+		NamespaceID:  namespace.RootNamespaceID,
+		CubbyholeID:  te.CubbyholeID,
+		Type:         logical.TokenTypeService,
+	}
+
+	if diff := deep.Equal(te, expect); diff != nil {
+		t.Fatal(diff)
+	}
+
+	// Check that we have a lease with default duration
+	if lresp.Auth.TTL != noop.System().DefaultLeaseTTL() {
+		t.Fatalf("bad: %#v, defaultLeaseTTL: %#v", lresp.Auth, c.defaultLeaseTTL)
+	}
+}
+
+func TestCore_HandleRequest_AuditTrail(t *testing.T) {
+	t.Setenv("VAULT_AUDIT_DISABLE_EVENTLOGGER", "true")
+
+	// Create a noop audit backend
+	noop := &corehelpers.NoopAudit{}
+	c, _, root := TestCoreUnsealed(t)
+	c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig, _ bool, _ audit.HeaderFormatter) (audit.Backend, error) {
+		noop = &corehelpers.NoopAudit{
+			Config: config,
+		}
+		return noop, nil
+	}
+
+	// Enable the audit backend
+	req := logical.TestRequest(t, logical.UpdateOperation, "sys/audit/noop")
+	req.Data["type"] = "noop"
+	req.ClientToken = root
+	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Make a request
+	req = &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "secret/test",
+		Data: map[string]interface{}{
+			"foo":   "bar",
+			"lease": "1h",
+		},
+		ClientToken: root,
+	}
+	req.ClientToken = root
+	if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Check the audit trail on request and response
+	if len(noop.ReqAuth) != 1 {
+		t.Fatalf("bad: %#v", noop)
+	}
+	auth := noop.ReqAuth[0]
+	if auth.ClientToken != root {
+		t.Fatalf("bad client token: %#v", auth)
+	}
+	if len(auth.Policies) != 1 || auth.Policies[0] != "root" {
+		t.Fatalf("bad: %#v", auth)
+	}
+	if len(noop.Req) != 1 || !reflect.DeepEqual(noop.Req[0], req) {
+		t.Fatalf("Bad: %#v", noop.Req[0])
+	}
+
+	if len(noop.RespAuth) != 2 {
+		t.Fatalf("bad: %#v", noop)
+	}
+	if !reflect.DeepEqual(noop.RespAuth[1], auth) {
+		t.Fatalf("bad: %#v, vs %#v", auth, noop.RespAuth)
+	}
+	if len(noop.RespReq) != 2 || !reflect.DeepEqual(noop.RespReq[1], req) {
+		t.Fatalf("Bad: %#v", noop.RespReq[1])
+	}
+	if len(noop.Resp) != 2 || !reflect.DeepEqual(noop.Resp[1], resp) {
+		t.Fatalf("Bad: %#v", noop.Resp[1])
+	}
+}
+
+func TestCore_HandleRequest_AuditTrail_noHMACKeys(t *testing.T) {
+	t.Setenv("VAULT_AUDIT_DISABLE_EVENTLOGGER", "true")
+
+	// Create a noop audit backend
+	var noop *corehelpers.NoopAudit
+	c, _, root := TestCoreUnsealed(t)
+	c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig, _ bool, _ audit.HeaderFormatter) (audit.Backend, error) {
+		noop = &corehelpers.NoopAudit{
+			Config: config,
+		}
+		return noop, nil
+	}
+
+	// Specify some keys to not HMAC
+	req := logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/secret/tune")
+	req.Data["audit_non_hmac_request_keys"] = "foo"
+	req.ClientToken = root
+	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	req = logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/secret/tune")
+	req.Data["audit_non_hmac_response_keys"] = "baz"
+	req.ClientToken = root
+	resp, err = c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Enable the audit backend
+	req = logical.TestRequest(t, logical.UpdateOperation, "sys/audit/noop")
+	req.Data["type"] = "noop"
+	req.ClientToken = root
+	resp, err = c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Make a request
+	req = &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "secret/test",
+		Data: map[string]interface{}{
+			"foo": "bar",
+		},
+		ClientToken: root,
+	}
+	req.ClientToken = root
+	if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Check the audit trail on request and response
+	if len(noop.ReqAuth) != 1 {
+		t.Fatalf("bad: %#v", noop)
+	}
+	auth := noop.ReqAuth[0]
+	if auth.ClientToken != root {
+		t.Fatalf("bad client token: %#v", auth)
+	}
+	if len(auth.Policies) != 1 || auth.Policies[0] != "root" {
+		t.Fatalf("bad: %#v", auth)
+	}
+	if len(noop.Req) != 1 || !reflect.DeepEqual(noop.Req[0], req) {
+		t.Fatalf("Bad: %#v", noop.Req[0])
+	}
+	if len(noop.ReqNonHMACKeys) != 1 || noop.ReqNonHMACKeys[0] != "foo" {
+		t.Fatalf("Bad: %#v", noop.ReqNonHMACKeys)
+	}
+	if len(noop.RespAuth) != 2 {
+		t.Fatalf("bad: %#v", noop)
+	}
+	if !reflect.DeepEqual(noop.RespAuth[1], auth) {
+		t.Fatalf("bad: %#v", auth)
+	}
+	if len(noop.RespReq) != 2 || !reflect.DeepEqual(noop.RespReq[1], req) {
+		t.Fatalf("Bad: %#v", noop.RespReq[1])
+	}
+	if len(noop.Resp) != 2 || !reflect.DeepEqual(noop.Resp[1], resp) {
+		t.Fatalf("Bad: %#v", noop.Resp[1])
+	}
+
+	// Test for response keys
+	// Make a request
+	req = &logical.Request{
+		Operation:   logical.ReadOperation,
+		Path:        "secret/test",
+		ClientToken: root,
+	}
+	req.ClientToken = root
+	err = c.PopulateTokenEntry(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if len(noop.RespNonHMACKeys) != 1 || !strutil.EquivalentSlices(noop.RespNonHMACKeys[0], []string{"baz"}) {
+		t.Fatalf("Bad: %#v", noop.RespNonHMACKeys)
+	}
+	if len(noop.RespReqNonHMACKeys) != 1 || !strutil.EquivalentSlices(noop.RespReqNonHMACKeys[0], []string{"foo"}) {
+		t.Fatalf("Bad: %#v", noop.RespReqNonHMACKeys)
+	}
+}
+
+func TestCore_HandleLogin_AuditTrail(t *testing.T) {
+	t.Setenv("VAULT_AUDIT_DISABLE_EVENTLOGGER", "true")
+
+	// Create a badass credential backend that always logs in as armon
+	noop := &corehelpers.NoopAudit{}
+	noopBack := &NoopBackend{
+		Login: []string{"login"},
+		Response: &logical.Response{
+			Auth: &logical.Auth{
+				LeaseOptions: logical.LeaseOptions{
+					TTL: time.Hour,
+				},
+				Policies: []string{"foo", "bar"},
+				Metadata: map[string]string{
+					"user": "armon",
+				},
+			},
+		},
+		BackendType: logical.TypeCredential,
+	}
+	c, _, root := TestCoreUnsealed(t)
+	c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
+		return noopBack, nil
+	}
+	c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig, _ bool, _ audit.HeaderFormatter) (audit.Backend, error) {
+		noop = &corehelpers.NoopAudit{
+			Config: config,
+		}
+		return noop, nil
+	}
+
+	// Enable the credential backend
+	req := logical.TestRequest(t, logical.UpdateOperation, "sys/auth/foo")
+	req.Data["type"] = "noop"
+	req.ClientToken = root
+	_, err := c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Enable the audit backend
+	req = logical.TestRequest(t, logical.UpdateOperation, "sys/audit/noop")
+	req.Data["type"] = "noop"
+	req.ClientToken = root
+	_, err = c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Attempt to login
+	lreq := &logical.Request{
+		Path: "auth/foo/login",
+	}
+	lresp, err := c.HandleRequest(namespace.RootContext(nil), lreq)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Ensure we got a client token back
+	clientToken := lresp.Auth.ClientToken
+	if clientToken == "" {
+		t.Fatalf("bad: %#v", lresp)
+	}
+
+	// Check the audit trail on request and response
+	if len(noop.ReqAuth) != 1 {
+		t.Fatalf("bad: %#v", noop)
+	}
+	if len(noop.Req) != 1 || !reflect.DeepEqual(noop.Req[0], lreq) {
+		t.Fatalf("Bad: %#v %#v", noop.Req[0], lreq)
+	}
+
+	if len(noop.RespAuth) != 2 {
+		t.Fatalf("bad: %#v", noop)
+	}
+	auth := noop.RespAuth[1]
+	if auth.ClientToken != clientToken {
+		t.Fatalf("bad client token: %#v", auth)
+	}
+	if len(auth.Policies) != 3 || auth.Policies[0] != "bar" || auth.Policies[1] != "default" || auth.Policies[2] != "foo" {
+		t.Fatalf("bad: %#v", auth)
+	}
+	if len(noop.RespReq) != 2 || !reflect.DeepEqual(noop.RespReq[1], lreq) {
+		t.Fatalf("Bad: %#v", noop.RespReq[1])
+	}
+	if len(noop.Resp) != 2 || !reflect.DeepEqual(noop.Resp[1], lresp) {
+		t.Fatalf("Bad: %#v %#v", noop.Resp[1], lresp)
+	}
+}
+
+// Check that we register a lease for new tokens
+func TestCore_HandleRequest_CreateToken_Lease(t *testing.T) {
+	c, _, root := TestCoreUnsealed(t)
+
+	// Create a new credential
+	req := logical.TestRequest(t, logical.UpdateOperation, "auth/token/create")
+	req.ClientToken = root
+	req.Data["policies"] = []string{"foo"}
+	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Ensure we got a new client token back
+	if resp.IsError() {
+		t.Fatalf("err: %v %v", err, *resp)
+	}
+	clientToken := resp.Auth.ClientToken
+	if clientToken == "" {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Check the policy and metadata
+	te, err := c.tokenStore.Lookup(namespace.RootContext(nil), clientToken)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	expectedID, _ := c.DecodeSSCToken(clientToken)
+	expectedRootID, _ := c.DecodeSSCToken(root)
+
+	expect := &logical.TokenEntry{
+		ID:           expectedID,
+		Accessor:     te.Accessor,
+		Parent:       expectedRootID,
+		Policies:     []string{"default", "foo"},
+		Path:         "auth/token/create",
+		DisplayName:  "token",
+		CreationTime: te.CreationTime,
+		TTL:          time.Hour * 24 * 32,
+		NamespaceID:  namespace.RootNamespaceID,
+		CubbyholeID:  te.CubbyholeID,
+		Type:         logical.TokenTypeService,
+	}
+	if diff := deep.Equal(te, expect); diff != nil {
+		t.Fatal(diff)
+	}
+
+	// Check that we have a lease with default duration
+	if resp.Auth.TTL != c.defaultLeaseTTL {
+		t.Fatalf("bad: %#v", resp.Auth)
+	}
+}
+
+// Check that we handle excluding the default policy
+func TestCore_HandleRequest_CreateToken_NoDefaultPolicy(t *testing.T) {
+	c, _, root := TestCoreUnsealed(t)
+
+	// Create a new credential
+	req := logical.TestRequest(t, logical.UpdateOperation, "auth/token/create")
+	req.ClientToken = root
+	req.Data["policies"] = []string{"foo"}
+	req.Data["no_default_policy"] = true
+	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Ensure we got a new client token back
+	clientToken := resp.Auth.ClientToken
+	if clientToken == "" {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Check the policy and metadata
+	te, err := c.tokenStore.Lookup(namespace.RootContext(nil), clientToken)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	expectedID, _ := c.DecodeSSCToken(clientToken)
+	expectedRootID, _ := c.DecodeSSCToken(root)
+
+	expect := &logical.TokenEntry{
+		ID:           expectedID,
+		Accessor:     te.Accessor,
+		Parent:       expectedRootID,
+		Policies:     []string{"foo"},
+		Path:         "auth/token/create",
+		DisplayName:  "token",
+		CreationTime: te.CreationTime,
+		TTL:          time.Hour * 24 * 32,
+		NamespaceID:  namespace.RootNamespaceID,
+		CubbyholeID:  te.CubbyholeID,
+		Type:         logical.TokenTypeService,
+	}
+	if diff := deep.Equal(te, expect); diff != nil {
+		t.Fatal(diff)
+	}
+}
+
+func TestCore_LimitedUseToken(t *testing.T) {
+	c, _, root := TestCoreUnsealed(t)
+
+	// Create a new credential
+	req := logical.TestRequest(t, logical.UpdateOperation, "auth/token/create")
+	req.ClientToken = root
+	req.Data["num_uses"] = "1"
+	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Put a secret
+	req = &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "secret/foo",
+		Data: map[string]interface{}{
+			"foo": "bar",
+		},
+		ClientToken: resp.Auth.ClientToken,
+	}
+	_, err = c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Second operation should fail
+	_, err = c.HandleRequest(namespace.RootContext(nil), req)
+	if err == nil || !errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
+		t.Fatalf("err: %v", err)
+	}
+}
+
+func TestCore_Standby_Seal(t *testing.T) {
+	// Create the first core and initialize it
+	logger = logging.NewVaultLogger(log.Trace)
+
+	inm, err := inmem.NewInmemHA(nil, logger)
+	if err != nil {
+		t.Fatal(err)
+	}
+	inmha, err := inmem.NewInmemHA(nil, logger)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	redirectOriginal := "http://127.0.0.1:8200"
+	core, err := NewCore(&CoreConfig{
+		Physical:     inm,
+		HAPhysical:   inmha.(physical.HABackend),
+		RedirectAddr: redirectOriginal,
+		DisableMlock: true,
+	})
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	defer core.Shutdown()
+	keys, root := TestCoreInit(t, core)
+	for _, key := range keys {
+		if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil {
+			t.Fatalf("unseal err: %s", err)
+		}
+	}
+
+	// Verify unsealed
+	if core.Sealed() {
+		t.Fatal("should not be sealed")
+	}
+
+	// Wait for core to become active
+	TestWaitActive(t, core)
+
+	// Check the leader is local
+	isLeader, advertise, _, err := core.Leader()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !isLeader {
+		t.Fatalf("should be leader")
+	}
+	if advertise != redirectOriginal {
+		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal)
+	}
+
+	// Create the second core and initialize it
+	redirectOriginal2 := "http://127.0.0.1:8500"
+	core2, err := NewCore(&CoreConfig{
+		Physical:     inm,
+		HAPhysical:   inmha.(physical.HABackend),
+		RedirectAddr: redirectOriginal2,
+		DisableMlock: true,
+	})
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	defer core2.Shutdown()
+	for _, key := range keys {
+		if _, err := TestCoreUnseal(core2, TestKeyCopy(key)); err != nil {
+			t.Fatalf("unseal err: %s", err)
+		}
+	}
+
+	// Verify unsealed
+	if core2.Sealed() {
+		t.Fatal("should not be sealed")
+	}
+
+	// Core2 should be in standby
+	standby, err := core2.Standby()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !standby {
+		t.Fatalf("should be standby")
+	}
+
+	// Check the leader is not local
+	isLeader, advertise, _, err = core2.Leader()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if isLeader {
+		t.Fatalf("should not be leader")
+	}
+	if advertise != redirectOriginal {
+		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal)
+	}
+
+	// Seal the standby core with the correct token. Shouldn't go down
+	err = core2.Seal(root)
+	if err == nil {
+		t.Fatal("should not be sealed")
+	}
+
+	keyUUID, err := uuid.GenerateUUID()
+	if err != nil {
+		t.Fatal(err)
+	}
+	// Seal the standby core with an invalid token. Shouldn't go down
+	err = core2.Seal(keyUUID)
+	if err == nil {
+		t.Fatal("should not be sealed")
+	}
+}
+
+func TestCore_StepDown(t *testing.T) {
+	// Create the first core and initialize it
+	logger = logging.NewVaultLogger(log.Trace).Named(t.Name())
+
+	inm, err := inmem.NewInmemHA(nil, logger)
+	if err != nil {
+		t.Fatal(err)
+	}
+	inmha, err := inmem.NewInmemHA(nil, logger)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	redirectOriginal := "http://127.0.0.1:8200"
+	core, err := NewCore(&CoreConfig{
+		Physical:     inm,
+		HAPhysical:   inmha.(physical.HABackend),
+		RedirectAddr: redirectOriginal,
+		DisableMlock: true,
+		Logger:       logger.Named("core1"),
+	})
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	defer core.Shutdown()
+	keys, root := TestCoreInit(t, core)
+	for _, key := range keys {
+		if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil {
+			t.Fatalf("unseal err: %s", err)
+		}
+	}
+
+	// Verify unsealed
+	if core.Sealed() {
+		t.Fatal("should not be sealed")
+	}
+
+	// Wait for core to become active
+	TestWaitActive(t, core)
+
+	// Check the leader is local
+	isLeader, advertise, _, err := core.Leader()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !isLeader {
+		t.Fatalf("should be leader")
+	}
+	if advertise != redirectOriginal {
+		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal)
+	}
+
+	// Create the second core and initialize it
+	redirectOriginal2 := "http://127.0.0.1:8500"
+	core2, err := NewCore(&CoreConfig{
+		Physical:     inm,
+		HAPhysical:   inmha.(physical.HABackend),
+		RedirectAddr: redirectOriginal2,
+		DisableMlock: true,
+		Logger:       logger.Named("core2"),
+	})
+	defer core2.Shutdown()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	for _, key := range keys {
+		if _, err := TestCoreUnseal(core2, TestKeyCopy(key)); err != nil {
+			t.Fatalf("unseal err: %s", err)
+		}
+	}
+
+	// Verify unsealed
+	if core2.Sealed() {
+		t.Fatal("should not be sealed")
+	}
+
+	// Core2 should be in standby
+	standby, err := core2.Standby()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !standby {
+		t.Fatalf("should be standby")
+	}
+
+	// Check the leader is not local
+	isLeader, advertise, _, err = core2.Leader()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if isLeader {
+		t.Fatalf("should not be leader")
+	}
+	if advertise != redirectOriginal {
+		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal)
+	}
+
+	req := &logical.Request{
+		ClientToken: root,
+		Path:        "sys/step-down",
+	}
+
+	// Create an identifier for the request
+	req.ID, err = uuid.GenerateUUID()
+	if err != nil {
+		t.Fatalf("failed to generate identifier for the request: path: %s err: %v", req.Path, err)
+	}
+
+	// Step down core
+	err = core.StepDown(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatal("error stepping down core 1")
+	}
+
+	// Give time to switch leaders
+	time.Sleep(5 * time.Second)
+
+	// Core1 should be in standby
+	standby, err = core.Standby()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !standby {
+		t.Fatalf("should be standby")
+	}
+
+	// Check the leader is core2
+	isLeader, advertise, _, err = core2.Leader()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !isLeader {
+		t.Fatalf("should be leader")
+	}
+	if advertise != redirectOriginal2 {
+		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal2)
+	}
+
+	// Check the leader is not local
+	isLeader, advertise, _, err = core.Leader()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if isLeader {
+		t.Fatalf("should not be leader")
+	}
+	if advertise != redirectOriginal2 {
+		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal2)
+	}
+
+	// Step down core2
+	err = core2.StepDown(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatal("error stepping down core 1")
+	}
+
+	// Give time to switch leaders -- core 1 will still be waiting on its
+	// cooling off period so give it a full 10 seconds to recover
+	time.Sleep(10 * time.Second)
+
+	// Core2 should be in standby
+	standby, err = core2.Standby()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !standby {
+		t.Fatalf("should be standby")
+	}
+
+	// Check the leader is core1
+	isLeader, advertise, _, err = core.Leader()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !isLeader {
+		t.Fatalf("should be leader")
+	}
+	if advertise != redirectOriginal {
+		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal)
+	}
+
+	// Check the leader is not local
+	isLeader, advertise, _, err = core2.Leader()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if isLeader {
+		t.Fatalf("should not be leader")
+	}
+	if advertise != redirectOriginal {
+		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal)
+	}
+}
+
+func TestCore_CleanLeaderPrefix(t *testing.T) {
+	// Create the first core and initialize it
+	logger = logging.NewVaultLogger(log.Trace)
+
+	inm, err := inmem.NewInmemHA(nil, logger)
+	if err != nil {
+		t.Fatal(err)
+	}
+	inmha, err := inmem.NewInmemHA(nil, logger)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	redirectOriginal := "http://127.0.0.1:8200"
+	core, err := NewCore(&CoreConfig{
+		Physical:     inm,
+		HAPhysical:   inmha.(physical.HABackend),
+		RedirectAddr: redirectOriginal,
+		DisableMlock: true,
+	})
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	defer core.Shutdown()
+	keys, root := TestCoreInit(t, core)
+	for _, key := range keys {
+		if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil {
+			t.Fatalf("unseal err: %s", err)
+		}
+	}
+
+	// Verify unsealed
+	if core.Sealed() {
+		t.Fatal("should not be sealed")
+	}
+
+	// Wait for core to become active
+	TestWaitActive(t, core)
+
+	// Ensure that the original clean function has stopped running
+	time.Sleep(2 * time.Second)
+
+	// Put several random entries
+	for i := 0; i < 5; i++ {
+		keyUUID, err := uuid.GenerateUUID()
+		if err != nil {
+			t.Fatal(err)
+		}
+		valueUUID, err := uuid.GenerateUUID()
+		if err != nil {
+			t.Fatal(err)
+		}
+		core.barrier.Put(namespace.RootContext(nil), &logical.StorageEntry{
+			Key:   coreLeaderPrefix + keyUUID,
+			Value: []byte(valueUUID),
+		})
+	}
+
+	entries, err := core.barrier.List(namespace.RootContext(nil), coreLeaderPrefix)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if len(entries) != 6 {
+		t.Fatalf("wrong number of core leader prefix entries, got %d", len(entries))
+	}
+
+	// Check the leader is local
+	isLeader, advertise, _, err := core.Leader()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !isLeader {
+		t.Fatalf("should be leader")
+	}
+	if advertise != redirectOriginal {
+		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal)
+	}
+
+	// Create a second core, attached to same in-memory store
+	redirectOriginal2 := "http://127.0.0.1:8500"
+	core2, err := NewCore(&CoreConfig{
+		Physical:     inm,
+		HAPhysical:   inmha.(physical.HABackend),
+		RedirectAddr: redirectOriginal2,
+		DisableMlock: true,
+	})
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	defer core2.Shutdown()
+	for _, key := range keys {
+		if _, err := TestCoreUnseal(core2, TestKeyCopy(key)); err != nil {
+			t.Fatalf("unseal err: %s", err)
+		}
+	}
+
+	// Verify unsealed
+	if core2.Sealed() {
+		t.Fatal("should not be sealed")
+	}
+
+	// Core2 should be in standby
+	standby, err := core2.Standby()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !standby {
+		t.Fatalf("should be standby")
+	}
+
+	// Check the leader is not local
+	isLeader, advertise, _, err = core2.Leader()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if isLeader {
+		t.Fatalf("should not be leader")
+	}
+	if advertise != redirectOriginal {
+		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal)
+	}
+
+	// Seal the first core, should step down
+	err = core.Seal(root)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Core should be in standby
+	standby, err = core.Standby()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !standby {
+		t.Fatalf("should be standby")
+	}
+
+	// Wait for core2 to become active
+	TestWaitActive(t, core2)
+
+	// Check the leader is local
+	isLeader, advertise, _, err = core2.Leader()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !isLeader {
+		t.Fatalf("should be leader")
+	}
+	if advertise != redirectOriginal2 {
+		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal2)
+	}
+
+	// Give time for the entries to clear out; it is conservative at 1/second
+	time.Sleep(10 * leaderPrefixCleanDelay)
+
+	entries, err = core2.barrier.List(namespace.RootContext(nil), coreLeaderPrefix)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if len(entries) != 1 {
+		t.Fatalf("wrong number of core leader prefix entries, got %d", len(entries))
+	}
+}
+
+func TestCore_Standby(t *testing.T) {
+	logger = logging.NewVaultLogger(log.Trace)
+
+	inmha, err := inmem.NewInmemHA(nil, logger)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	testCore_Standby_Common(t, inmha, inmha.(physical.HABackend))
+}
+
+func TestCore_Standby_SeparateHA(t *testing.T) {
+	logger = logging.NewVaultLogger(log.Trace)
+
+	inmha, err := inmem.NewInmemHA(nil, logger)
+	if err != nil {
+		t.Fatal(err)
+	}
+	inmha2, err := inmem.NewInmemHA(nil, logger)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	testCore_Standby_Common(t, inmha, inmha2.(physical.HABackend))
+}
+
+func testCore_Standby_Common(t *testing.T, inm physical.Backend, inmha physical.HABackend) {
+	// Create the first core and initialize it
+	redirectOriginal := "http://127.0.0.1:8200"
+	core, err := NewCore(&CoreConfig{
+		Physical:        inm,
+		HAPhysical:      inmha,
+		RedirectAddr:    redirectOriginal,
+		DisableMlock:    true,
+		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
+	})
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	defer core.Shutdown()
+	keys, root := TestCoreInit(t, core)
+	for _, key := range keys {
+		if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil {
+			t.Fatalf("unseal err: %s", err)
+		}
+	}
+
+	// Verify unsealed
+	if core.Sealed() {
+		t.Fatal("should not be sealed")
+	}
+
+	// Wait for core to become active
+	TestWaitActive(t, core)
+
+	testCoreAddSecretMount(t, core, root, "1")
+
+	// Put a secret
+	req := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "secret/foo",
+		Data: map[string]interface{}{
+			"foo": "bar",
+		},
+		ClientToken: root,
+	}
+	_, err = core.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Check the leader is local
+	isLeader, advertise, _, err := core.Leader()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !isLeader {
+		t.Fatalf("should be leader")
+	}
+	if advertise != redirectOriginal {
+		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal)
+	}
+
+	// Create a second core, attached to same in-memory store
+	redirectOriginal2 := "http://127.0.0.1:8500"
+	core2, err := NewCore(&CoreConfig{
+		Physical:     inm,
+		HAPhysical:   inmha,
+		RedirectAddr: redirectOriginal2,
+		DisableMlock: true,
+	})
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	defer core2.Shutdown()
+	for _, key := range keys {
+		if _, err := TestCoreUnseal(core2, TestKeyCopy(key)); err != nil {
+			t.Fatalf("unseal err: %s", err)
+		}
+	}
+
+	// Verify unsealed
+	if core2.Sealed() {
+		t.Fatal("should not be sealed")
+	}
+
+	// Core2 should be in standby
+	standby, err := core2.Standby()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !standby {
+		t.Fatalf("should be standby")
+	}
+
+	// Request should fail in standby mode
+	_, err = core2.HandleRequest(namespace.RootContext(nil), req)
+	if err != consts.ErrStandby {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Check the leader is not local
+	isLeader, advertise, _, err = core2.Leader()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if isLeader {
+		t.Fatalf("should not be leader")
+	}
+	if advertise != redirectOriginal {
+		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal)
+	}
+
+	// Seal the first core, should step down
+	err = core.Seal(root)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Core should be in standby
+	standby, err = core.Standby()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !standby {
+		t.Fatalf("should be standby")
+	}
+
+	// Wait for core2 to become active
+	TestWaitActive(t, core2)
+
+	// Read the secret
+	req = &logical.Request{
+		Operation:   logical.ReadOperation,
+		Path:        "secret/foo",
+		ClientToken: root,
+	}
+	resp, err := core2.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Verify the response
+	if resp.Data["foo"] != "bar" {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Check the leader is local
+	isLeader, advertise, _, err = core2.Leader()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !isLeader {
+		t.Fatalf("should be leader")
+	}
+	if advertise != redirectOriginal2 {
+		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal2)
+	}
+
+	if inm.(*inmem.InmemHABackend) == inmha.(*inmem.InmemHABackend) {
+		lockSize := inm.(*inmem.InmemHABackend).LockMapSize()
+		if lockSize == 0 {
+			t.Fatalf("locks not used with only one HA backend")
+		}
+	} else {
+		lockSize := inmha.(*inmem.InmemHABackend).LockMapSize()
+		if lockSize == 0 {
+			t.Fatalf("locks not used with expected HA backend")
+		}
+
+		lockSize = inm.(*inmem.InmemHABackend).LockMapSize()
+		if lockSize != 0 {
+			t.Fatalf("locks used with unexpected HA backend")
+		}
+	}
+}
+
+// Ensure that InternalData is never returned
+func TestCore_HandleRequest_Login_InternalData(t *testing.T) {
+	noop := &NoopBackend{
+		Login: []string{"login"},
+		Response: &logical.Response{
+			Auth: &logical.Auth{
+				Policies: []string{"foo", "bar"},
+				InternalData: map[string]interface{}{
+					"foo": "bar",
+				},
+			},
+		},
+		BackendType: logical.TypeCredential,
+	}
+
+	c, _, root := TestCoreUnsealed(t)
+	c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
+		return noop, nil
+	}
+
+	// Enable the credential backend
+	req := logical.TestRequest(t, logical.UpdateOperation, "sys/auth/foo")
+	req.Data["type"] = "noop"
+	req.ClientToken = root
+	_, err := c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Attempt to login
+	lreq := &logical.Request{
+		Path: "auth/foo/login",
+	}
+	lresp, err := c.HandleRequest(namespace.RootContext(nil), lreq)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Ensure we do not get the internal data
+	if lresp.Auth.InternalData != nil {
+		t.Fatalf("bad: %#v", lresp)
+	}
+}
+
+// Ensure that InternalData is never returned
+func TestCore_HandleRequest_InternalData(t *testing.T) {
+	noop := &NoopBackend{
+		Response: &logical.Response{
+			Secret: &logical.Secret{
+				InternalData: map[string]interface{}{
+					"foo": "bar",
+				},
+			},
+			Data: map[string]interface{}{
+				"foo": "bar",
+			},
+		},
+	}
+
+	c, _, root := TestCoreUnsealed(t)
+	c.logicalBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
+		return noop, nil
+	}
+
+	// Enable the credential backend
+	req := logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo")
+	req.Data["type"] = "noop"
+	req.ClientToken = root
+	_, err := c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Attempt to read
+	lreq := &logical.Request{
+		Operation:   logical.ReadOperation,
+		Path:        "foo/test",
+		ClientToken: root,
+	}
+	lreq.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
+	lresp, err := c.HandleRequest(namespace.RootContext(nil), lreq)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Ensure we do not get the internal data
+	if lresp.Secret.InternalData != nil {
+		t.Fatalf("bad: %#v", lresp)
+	}
+}
+
+// Ensure login does not return a secret
+func TestCore_HandleLogin_ReturnSecret(t *testing.T) {
+	// Create a badass credential backend that always logs in as armon
+	noopBack := &NoopBackend{
+		Login: []string{"login"},
+		Response: &logical.Response{
+			Secret: &logical.Secret{},
+			Auth: &logical.Auth{
+				Policies: []string{"foo", "bar"},
+			},
+		},
+		BackendType: logical.TypeCredential,
+	}
+	c, _, root := TestCoreUnsealed(t)
+	c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
+		return noopBack, nil
+	}
+
+	// Enable the credential backend
+	req := logical.TestRequest(t, logical.UpdateOperation, "sys/auth/foo")
+	req.Data["type"] = "noop"
+	req.ClientToken = root
+	_, err := c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Attempt to login
+	lreq := &logical.Request{
+		Path: "auth/foo/login",
+	}
+	_, err = c.HandleRequest(namespace.RootContext(nil), lreq)
+	if err != ErrInternalError {
+		t.Fatalf("err: %v", err)
+	}
+}
+
+// Renew should return the same lease back
+func TestCore_RenewSameLease(t *testing.T) {
+	coreConfig := &CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"kv": LeasedPassthroughBackendFactory,
+		},
+	}
+	c, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
+
+	// Create a leasable secret
+	req := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "secret/test",
+		Data: map[string]interface{}{
+			"foo":   "bar",
+			"lease": "1h",
+		},
+		ClientToken: root,
+	}
+	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Read the key
+	req.Operation = logical.ReadOperation
+	req.Data = nil
+	err = c.PopulateTokenEntry(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	resp, err = c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
+		t.Fatalf("bad: %#v", resp.Secret)
+	}
+	original := resp.Secret.LeaseID
+
+	// Renew the lease
+	req = logical.TestRequest(t, logical.UpdateOperation, "sys/renew/"+resp.Secret.LeaseID)
+	req.ClientToken = root
+	resp, err = c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Verify the lease did not change
+	if resp.Secret.LeaseID != original {
+		t.Fatalf("lease id changed: %s %s", original, resp.Secret.LeaseID)
+	}
+
+	// Renew the lease (alternate path)
+	req = logical.TestRequest(t, logical.UpdateOperation, "sys/leases/renew/"+resp.Secret.LeaseID)
+	req.ClientToken = root
+	resp, err = c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Verify the lease did not change
+	if resp.Secret.LeaseID != original {
+		t.Fatalf("lease id changed: %s %s", original, resp.Secret.LeaseID)
+	}
+}
+
+// Renew of a token should not create a new lease
+func TestCore_RenewToken_SingleRegister(t *testing.T) {
+	c, _, root := TestCoreUnsealed(t)
+
+	// Create a new token
+	req := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "auth/token/create",
+		Data: map[string]interface{}{
+			"lease": "1h",
+		},
+		ClientToken: root,
+	}
+	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	newClient := resp.Auth.ClientToken
+
+	// Renew the token
+	req = logical.TestRequest(t, logical.UpdateOperation, "auth/token/renew")
+	req.ClientToken = newClient
+	req.Data = map[string]interface{}{
+		"token": newClient,
+	}
+	resp, err = c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Revoke using the renew prefix
+	req = logical.TestRequest(t, logical.UpdateOperation, "sys/revoke-prefix/auth/token/renew/")
+	req.ClientToken = root
+	resp, err = c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Verify our token is still valid (e.g. we did not get invalidated by the revoke)
+	req = logical.TestRequest(t, logical.UpdateOperation, "auth/token/lookup")
+	req.Data = map[string]interface{}{
+		"token": newClient,
+	}
+	req.ClientToken = newClient
+	resp, err = c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Verify the token exists
+	if newClient != resp.Data["id"].(string) {
+		t.Fatalf("bad: return IDs: expected %v, got %v",
+			resp.Data["id"], newClient)
+	}
+}
+
+// Based on bug GH-203, attempt to disable a credential backend with leased secrets
+func TestCore_EnableDisableCred_WithLease(t *testing.T) {
+	noopBack := &NoopBackend{
+		Login: []string{"login"},
+		Response: &logical.Response{
+			Auth: &logical.Auth{
+				Policies: []string{"root"},
+			},
+		},
+		BackendType: logical.TypeCredential,
+	}
+
+	coreConfig := &CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"kv": LeasedPassthroughBackendFactory,
+		},
+	}
+	c, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
+	c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
+		return noopBack, nil
+	}
+
+	secretWritingPolicy := `
+name = "admins"
+path "secret/*" {
+	capabilities = ["update", "create", "read"]
+}
+`
+
+	ps := c.policyStore
+	policy, _ := ParseACLPolicy(namespace.RootNamespace, secretWritingPolicy)
+	if err := ps.SetPolicy(namespace.RootContext(nil), policy); err != nil {
+		t.Fatal(err)
+	}
+
+	// Enable the credential backend
+	req := logical.TestRequest(t, logical.UpdateOperation, "sys/auth/foo")
+	req.Data["type"] = "noop"
+	req.ClientToken = root
+	_, err := c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Attempt to login -- should fail because we don't allow root to be returned
+	lreq := &logical.Request{
+		Path: "auth/foo/login",
+	}
+	lresp, err := c.HandleRequest(namespace.RootContext(nil), lreq)
+	if err == nil || lresp == nil || !lresp.IsError() {
+		t.Fatalf("expected error trying to auth and receive root policy")
+	}
+
+	// Fix and try again
+	noopBack.Response.Auth.Policies = []string{"admins"}
+	lreq = &logical.Request{
+		Path: "auth/foo/login",
+	}
+	lresp, err = c.HandleRequest(namespace.RootContext(nil), lreq)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Create a leasable secret
+	req = &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "secret/test",
+		Data: map[string]interface{}{
+			"foo":   "bar",
+			"lease": "1h",
+		},
+		ClientToken: lresp.Auth.ClientToken,
+	}
+	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Read the key
+	req.Operation = logical.ReadOperation
+	req.Data = nil
+	err = c.PopulateTokenEntry(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	resp, err = c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
+		t.Fatalf("bad: %#v", resp.Secret)
+	}
+
+	// Renew the lease
+	req = logical.TestRequest(t, logical.UpdateOperation, "sys/leases/renew")
+	req.Data = map[string]interface{}{
+		"lease_id": resp.Secret.LeaseID,
+	}
+	req.ClientToken = lresp.Auth.ClientToken
+	_, err = c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Disable the credential backend
+	req = logical.TestRequest(t, logical.DeleteOperation, "sys/auth/foo")
+	req.ClientToken = root
+	resp, err = c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v %#v", err, resp)
+	}
+}
+
+func TestCore_HandleRequest_MountPointType(t *testing.T) {
+	noop := &NoopBackend{
+		Response: &logical.Response{},
+	}
+	c, _, root := TestCoreUnsealed(t)
+	c.logicalBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
+		return noop, nil
+	}
+
+	// Enable the logical backend
+	req := logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo")
+	req.Data["type"] = "noop"
+	req.Data["description"] = "foo"
+	req.ClientToken = root
+	_, err := c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Attempt to request
+	req = &logical.Request{
+		Operation:  logical.ReadOperation,
+		Path:       "foo/test",
+		Connection: &logical.Connection{},
+	}
+	req.ClientToken = root
+	if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Verify Path, MountPoint, and MountType
+	if noop.Requests[0].Path != "test" {
+		t.Fatalf("bad: %#v", noop.Requests)
+	}
+	if noop.Requests[0].MountPoint != "foo/" {
+		t.Fatalf("bad: %#v", noop.Requests)
+	}
+	if noop.Requests[0].MountType != "noop" {
+		t.Fatalf("bad: %#v", noop.Requests)
+	}
+}
+
+func TestCore_Standby_Rotate(t *testing.T) {
+	// Create the first core and initialize it
+	logger = logging.NewVaultLogger(log.Trace)
+
+	inm, err := inmem.NewInmemHA(nil, logger)
+	if err != nil {
+		t.Fatal(err)
+	}
+	inmha, err := inmem.NewInmemHA(nil, logger)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	redirectOriginal := "http://127.0.0.1:8200"
+	core, err := NewCore(&CoreConfig{
+		Physical:     inm,
+		HAPhysical:   inmha.(physical.HABackend),
+		RedirectAddr: redirectOriginal,
+		DisableMlock: true,
+	})
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	defer core.Shutdown()
+	keys, root := TestCoreInit(t, core)
+	for _, key := range keys {
+		if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil {
+			t.Fatalf("unseal err: %s", err)
+		}
+	}
+
+	// Wait for core to become active
+	TestWaitActive(t, core)
+
+	// Create a second core, attached to same in-memory store
+	redirectOriginal2 := "http://127.0.0.1:8500"
+	core2, err := NewCore(&CoreConfig{
+		Physical:     inm,
+		HAPhysical:   inmha.(physical.HABackend),
+		RedirectAddr: redirectOriginal2,
+		DisableMlock: true,
+	})
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	defer core2.Shutdown()
+	for _, key := range keys {
+		if _, err := TestCoreUnseal(core2, TestKeyCopy(key)); err != nil {
+			t.Fatalf("unseal err: %s", err)
+		}
+	}
+
+	// Rotate the encryption key
+	req := &logical.Request{
+		Operation:   logical.UpdateOperation,
+		Path:        "sys/rotate",
+		ClientToken: root,
+	}
+	_, err = core.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Seal the first core, should step down
+	err = core.Seal(root)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Wait for core2 to become active
+	TestWaitActive(t, core2)
+
+	// Read the key status
+	req = &logical.Request{
+		Operation:   logical.ReadOperation,
+		Path:        "sys/key-status",
+		ClientToken: root,
+	}
+	resp, err := core2.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Verify the response
+	if resp.Data["term"] != 2 {
+		t.Fatalf("bad: %#v", resp)
+	}
+}
+
+func TestCore_HandleRequest_Headers(t *testing.T) {
+	noop := &NoopBackend{
+		Response: &logical.Response{
+			Data: map[string]interface{}{},
+		},
+	}
+
+	c, _, root := TestCoreUnsealed(t)
+	c.logicalBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
+		return noop, nil
+	}
+
+	// Enable the backend
+	req := logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo")
+	req.Data["type"] = "noop"
+	req.ClientToken = root
+	_, err := c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Mount tune
+	req = logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo/tune")
+	req.Data["passthrough_request_headers"] = []string{"Should-Passthrough", "should-passthrough-case-insensitive"}
+	req.ClientToken = root
+	_, err = c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Attempt to read
+	lreq := &logical.Request{
+		Operation:   logical.ReadOperation,
+		Path:        "foo/test",
+		ClientToken: root,
+		Headers: map[string][]string{
+			"Should-Passthrough":                  {"foo"},
+			"Should-Passthrough-Case-Insensitive": {"baz"},
+			"Should-Not-Passthrough":              {"bar"},
+			consts.AuthHeaderName:                 {"nope"},
+		},
+	}
+	_, err = c.HandleRequest(namespace.RootContext(nil), lreq)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Check the headers
+	headers := noop.Requests[0].Headers
+
+	// Test passthrough values
+	if val, ok := headers["Should-Passthrough"]; ok {
+		expected := []string{"foo"}
+		if !reflect.DeepEqual(val, expected) {
+			t.Fatalf("expected: %v, got: %v", expected, val)
+		}
+	} else {
+		t.Fatalf("expected 'Should-Passthrough' to be present in the headers map")
+	}
+
+	if val, ok := headers["Should-Passthrough-Case-Insensitive"]; ok {
+		expected := []string{"baz"}
+		if !reflect.DeepEqual(val, expected) {
+			t.Fatalf("expected: %v, got: %v", expected, val)
+		}
+	} else {
+		t.Fatal("expected 'Should-Passthrough-Case-Insensitive' to be present in the headers map")
+	}
+
+	if _, ok := headers["Should-Not-Passthrough"]; ok {
+		t.Fatal("did not expect 'Should-Not-Passthrough' to be in the headers map")
+	}
+
+	if _, ok := headers[consts.AuthHeaderName]; ok {
+		t.Fatalf("did not expect %q to be in the headers map", consts.AuthHeaderName)
+	}
+}
+
+func TestCore_HandleRequest_Headers_denyList(t *testing.T) {
+	noop := &NoopBackend{
+		Response: &logical.Response{
+			Data: map[string]interface{}{},
+		},
+	}
+
+	c, _, root := TestCoreUnsealed(t)
+	c.logicalBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
+		return noop, nil
+	}
+
+	// Enable the backend
+	req := logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo")
+	req.Data["type"] = "noop"
+	req.ClientToken = root
+	_, err := c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Mount tune
+	req = logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo/tune")
+	req.Data["passthrough_request_headers"] = []string{"Authorization", consts.AuthHeaderName}
+	req.ClientToken = root
+	_, err = c.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Attempt to read
+	lreq := &logical.Request{
+		Operation:   logical.ReadOperation,
+		Path:        "foo/test",
+		ClientToken: root,
+		Headers: map[string][]string{
+			consts.AuthHeaderName: {"foo"},
+		},
+	}
+	_, err = c.HandleRequest(namespace.RootContext(nil), lreq)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Check the headers
+	headers := noop.Requests[0].Headers
+
+	// Test passthrough values, they should not be present in the backend
+	if _, ok := headers[consts.AuthHeaderName]; ok {
+		t.Fatalf("did not expect %q to be in the headers map", consts.AuthHeaderName)
+	}
+}
+
+func TestCore_HandleRequest_TokenCreate_RegisterAuthFailure(t *testing.T) {
+	core, _, root := TestCoreUnsealed(t)
+
+	// Create a root token and use that for subsequent requests
+	req := logical.TestRequest(t, logical.CreateOperation, "auth/token/create")
+	req.Data = map[string]interface{}{
+		"policies": []string{"root"},
+	}
+	req.ClientToken = root
+	resp, err := core.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil || resp.Auth == nil || resp.Auth.ClientToken == "" {
+		t.Fatalf("expected a response from token creation, got: %#v", resp)
+	}
+	tokenWithRootPolicy := resp.Auth.ClientToken
+
+	// Use new token to create yet a new token, this should succeed
+	req = logical.TestRequest(t, logical.CreateOperation, "auth/token/create")
+	req.ClientToken = tokenWithRootPolicy
+	_, err = core.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Try again but force failure on RegisterAuth to simulate a network failure
+	// when registering the lease (e.g. a storage failure). This should trigger
+	// an expiration manager cleanup on the newly created token
+	core.expiration.testRegisterAuthFailure.Store(true)
+	req = logical.TestRequest(t, logical.CreateOperation, "auth/token/create")
+	req.ClientToken = tokenWithRootPolicy
+	resp, err = core.HandleRequest(namespace.RootContext(nil), req)
+	if err == nil {
+		t.Fatalf("expected error, got a response: %#v", resp)
+	}
+	core.expiration.testRegisterAuthFailure.Store(false)
+
+	// Do a lookup against the client token that we used for the failed request.
+	// It should still be present
+	req = logical.TestRequest(t, logical.UpdateOperation, "auth/token/lookup")
+	req.Data = map[string]interface{}{
+		"token": tokenWithRootPolicy,
+	}
+	req.ClientToken = root
+	_, err = core.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Do a token creation request with the token to ensure that it's still
+	// valid, should succeed.
+	req = logical.TestRequest(t, logical.CreateOperation, "auth/token/create")
+	req.ClientToken = tokenWithRootPolicy
+	resp, err = core.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+// mockServiceRegistration helps test whether standalone ServiceRegistration works
+type mockServiceRegistration struct {
+	notifyActiveCount int
+	notifySealedCount int
+	notifyPerfCount   int
+	notifyInitCount   int
+	runDiscoveryCount int
+}
+
+func (m *mockServiceRegistration) Run(shutdownCh <-chan struct{}, wait *sync.WaitGroup, redirectAddr string) error {
+	m.runDiscoveryCount++
+	return nil
+}
+
+func (m *mockServiceRegistration) NotifyActiveStateChange(isActive bool) error {
+	m.notifyActiveCount++
+	return nil
+}
+
+func (m *mockServiceRegistration) NotifySealedStateChange(isSealed bool) error {
+	m.notifySealedCount++
+	return nil
+}
+
+func (m *mockServiceRegistration) NotifyPerformanceStandbyStateChange(isStandby bool) error {
+	m.notifyPerfCount++
+	return nil
+}
+
+func (m *mockServiceRegistration) NotifyInitializedStateChange(isInitialized bool) error {
+	m.notifyInitCount++
+	return nil
+}
+
+// TestCore_ServiceRegistration tests whether standalone ServiceRegistration works
+func TestCore_ServiceRegistration(t *testing.T) {
+	// Make a mock service discovery
+	sr := &mockServiceRegistration{}
+
+	// Create the core
+	logger = logging.NewVaultLogger(log.Trace)
+	inm, err := inmem.NewInmemHA(nil, logger)
+	if err != nil {
+		t.Fatal(err)
+	}
+	inmha, err := inmem.NewInmemHA(nil, logger)
+	if err != nil {
+		t.Fatal(err)
+	}
+	const redirectAddr = "http://127.0.0.1:8200"
+	core, err := NewCore(&CoreConfig{
+		ServiceRegistration: sr,
+		Physical:            inm,
+		HAPhysical:          inmha.(physical.HABackend),
+		RedirectAddr:        redirectAddr,
+		DisableMlock:        true,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer core.Shutdown()
+
+	// Vault should not yet be registered
+	if diff := deep.Equal(sr, &mockServiceRegistration{}); diff != nil {
+		t.Fatal(diff)
+	}
+
+	// Vault should be registered
+	if diff := deep.Equal(sr, &mockServiceRegistration{
+		runDiscoveryCount: 1,
+	}); diff != nil {
+		t.Fatal(diff)
+	}
+
+	// Initialize and unseal the core
+	keys, _ := TestCoreInit(t, core)
+	for _, key := range keys {
+		if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil {
+			t.Fatalf("unseal err: %s", err)
+		}
+	}
+	if core.Sealed() {
+		t.Fatal("should not be sealed")
+	}
+
+	// Wait for core to become active
+	TestWaitActive(t, core)
+
+	// Vault should be registered, unsealed, and active
+	if diff := deep.Equal(sr, &mockServiceRegistration{
+		runDiscoveryCount: 1,
+		notifyActiveCount: 1,
+		notifySealedCount: 1,
+		notifyInitCount:   1,
+	}); diff != nil {
+		t.Fatal(diff)
+	}
+}
+
+func TestDetectedDeadlock(t *testing.T) {
+	testCore, _, _ := TestCoreUnsealedWithConfig(t, &CoreConfig{DetectDeadlocks: "statelock"})
+	InduceDeadlock(t, testCore, 1)
+}
+
+func TestDefaultDeadlock(t *testing.T) {
+	testCore, _, _ := TestCoreUnsealed(t)
+	InduceDeadlock(t, testCore, 0)
+}
+
+func RestoreDeadlockOpts() func() {
+	opts := deadlock.Opts
+	return func() {
+		deadlock.Opts = opts
+	}
+}
+
+func InduceDeadlock(t *testing.T, vaultcore *Core, expected uint32) {
+	defer RestoreDeadlockOpts()()
+	var deadlocks uint32
+	deadlock.Opts.OnPotentialDeadlock = func() {
+		atomic.AddUint32(&deadlocks, 1)
+	}
+	var mtx deadlock.Mutex
+	var wg sync.WaitGroup
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		vaultcore.expiration.coreStateLock.Lock()
+		mtx.Lock()
+		mtx.Unlock()
+		vaultcore.expiration.coreStateLock.Unlock()
+	}()
+	wg.Wait()
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		mtx.Lock()
+		vaultcore.expiration.coreStateLock.RLock()
+		vaultcore.expiration.coreStateLock.RUnlock()
+		mtx.Unlock()
+	}()
+	wg.Wait()
+	if atomic.LoadUint32(&deadlocks) != expected {
+		t.Fatalf("expected 1 deadlock, detected %d", deadlocks)
+	}
+}
+
+func TestSetSeals(t *testing.T) {
+	oldSeal := NewTestSeal(t, &seal.TestSealOpts{
+		StoredKeys:   seal.StoredKeysSupportedGeneric,
+		Name:         "old-seal",
+		WrapperCount: 1,
+		Generation:   1,
+	})
+	testCore := TestCoreWithSeal(t, oldSeal, false)
+	_, keys, _ := TestCoreInitClusterWrapperSetup(t, testCore, nil)
+	for _, key := range keys {
+		if _, err := TestCoreUnseal(testCore, key); err != nil {
+			t.Fatalf("error unsealing core: %s", err)
+		}
+	}
+
+	if testCore.Sealed() {
+		t.Fatal("expected core to be unsealed, but it is sealed")
+	}
+
+	newSeal := NewTestSeal(t, &seal.TestSealOpts{
+		StoredKeys:   seal.StoredKeysSupportedGeneric,
+		Name:         "new-seal",
+		WrapperCount: 1,
+		Generation:   2,
+	})
+
+	err := testCore.SetSeals(newSeal, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	wrappers := testCore.seal.GetAccess().GetAllSealWrappersByPriority()
+	if len(wrappers) != 1 {
+		t.Fatalf("expected 1 wrapper in seal access, got %d", len(wrappers))
+	}
+
+	if wrappers[0].Name != "new-seal-1" {
+		t.Fatalf("unexpected seal name: got %s, expected new-seal-1", wrappers[0].Name)
+	}
+}
+
+func TestExpiration_DeadlockDetection(t *testing.T) {
+	testCore := TestCore(t)
+	testCoreUnsealed(t, testCore)
+
+	if testCore.expiration.DetectDeadlocks() {
+		t.Fatal("expiration has deadlock detection enabled, it shouldn't")
+	}
+
+	testCore = TestCoreWithDeadlockDetection(t, nil, false)
+	testCoreUnsealed(t, testCore)
+
+	if !testCore.expiration.DetectDeadlocks() {
+		t.Fatal("expiration doesn't have deadlock detection enabled, it should")
+	}
+}
+
+func TestQuotas_DeadlockDetection(t *testing.T) {
+	testCore := TestCore(t)
+	testCoreUnsealed(t, testCore)
+
+	if testCore.quotaManager.DetectDeadlocks() {
+		t.Fatal("quotas has deadlock detection enabled, it shouldn't")
+	}
+
+	testCore = TestCoreWithDeadlockDetection(t, nil, false)
+	testCoreUnsealed(t, testCore)
+
+	if !testCore.quotaManager.DetectDeadlocks() {
+		t.Fatal("quotas doesn't have deadlock detection enabled, it should")
+	}
+}
+
+func TestStatelock_DeadlockDetection(t *testing.T) {
+	testCore := TestCore(t)
+	testCoreUnsealed(t, testCore)
+
+	if testCore.DetectStateLockDeadlocks() {
+		t.Fatal("statelock has deadlock detection enabled, it shouldn't")
+	}
+
+	testCore = TestCoreWithDeadlockDetection(t, nil, false)
+	testCoreUnsealed(t, testCore)
+
+	if !testCore.DetectStateLockDeadlocks() {
+		t.Fatal("statelock doesn't have deadlock detection enabled, it should")
+	}
 }
diff --git a/command/list_test.go b/command/list_test.go
index 60467647a055..7003c8bcea03 100644
--- a/command/list_test.go
+++ b/command/list_test.go
@@ -1,135 +1,159 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/mitchellh/cli"
-)
-
-func testListCommand(tb testing.TB) (*cli.MockUi, *ListCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &ListCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestListCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"not_enough_args",
-			[]string{},
-			"Not enough arguments",
-			1,
-		},
-		{
-			"too_many_args",
-			[]string{"foo", "bar"},
-			"Too many arguments",
-			1,
-		},
-		{
-			"not_found",
-			[]string{"nope/not/once/never"},
-			"",
-			2,
-		},
-		{
-			"default",
-			[]string{"secret/list"},
-			"bar\nbaz\nfoo",
-			0,
-		},
-		{
-			"default_slash",
-			[]string{"secret/list/"},
-			"bar\nbaz\nfoo",
-			0,
-		},
-	}
-
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, tc := range cases {
-			tc := tc
-
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
-
-				client, closer := testVaultServer(t)
-				defer closer()
-
-				keys := []string{
-					"secret/list/foo",
-					"secret/list/bar",
-					"secret/list/baz",
-				}
-				for _, k := range keys {
-					if _, err := client.Logical().Write(k, map[string]interface{}{
-						"foo": "bar",
-					}); err != nil {
-						t.Fatal(err)
-					}
-				}
-
-				ui, cmd := testListCommand(t)
-				cmd.client = client
-
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
-	})
-
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerBad(t)
-		defer closer()
-
-		ui, cmd := testListCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"secret/list",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Error listing secret/list: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testListCommand(t)
-		assertNoTabs(t, cmd)
-	})
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'ember-qunit';
+import { setupEngine } from 'ember-engines/test-support';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { render, click, fillIn } from '@ember/test-helpers';
+import hbs from 'htmlbars-inline-precompile';
+import sinon from 'sinon';
+
+module('Integration | Component | ldap | Page::Library::CreateAndEdit', function (hooks) {
+  setupRenderingTest(hooks);
+  setupEngine(hooks, 'ldap');
+  setupMirage(hooks);
+
+  hooks.beforeEach(function () {
+    const router = this.owner.lookup('service:router');
+    const routerStub = sinon.stub(router, 'transitionTo');
+    this.transitionCalledWith = (routeName, name) => {
+      const route = `vault.cluster.secrets.backend.ldap.${routeName}`;
+      const args = name ? [route, name] : [route];
+      return routerStub.calledWith(...args);
+    };
+
+    this.store = this.owner.lookup('service:store');
+    this.newModel = this.store.createRecord('ldap/library', { backend: 'ldap-test' });
+
+    this.libraryData = this.server.create('ldap-library', { name: 'test-library' });
+    this.store.pushPayload('ldap/library', {
+      modelName: 'ldap/library',
+      backend: 'ldap-test',
+      ...this.libraryData,
+    });
+
+    this.breadcrumbs = [
+      { label: 'ldap', route: 'overview' },
+      { label: 'libraries', route: 'libraries' },
+      { label: 'create' },
+    ];
+
+    this.renderComponent = () => {
+      return render(
+        hbs`<Page::Library::CreateAndEdit @model={{this.model}} @breadcrumbs={{this.breadcrumbs}} />`,
+        { owner: this.engine }
+      );
+    };
+  });
+
+  test('it should populate form when editing', async function (assert) {
+    this.model = this.store.peekRecord('ldap/library', this.libraryData.name);
+
+    await this.renderComponent();
+
+    assert.dom('[data-test-input="name"]').hasValue(this.libraryData.name, 'Name renders');
+    assert.dom('[data-test-input="name"]').isDisabled('Name field is disabled when editing');
+    [(0, 1)].forEach((index) => {
+      assert
+        .dom(`[data-test-string-list-input="${index}"]`)
+        .hasValue(this.libraryData.service_account_names[index], 'Service account renders');
+    });
+    assert.dom('[data-test-ttl-value="Default lease TTL"]').hasAnyValue('Default lease ttl renders');
+    assert.dom('[data-test-ttl-value="Max lease TTL"]').hasAnyValue('Max lease ttl renders');
+    const checkInValue = this.libraryData.disable_check_in_enforcement ? 'Disabled' : 'Enabled';
+    assert
+      .dom(`[data-test-input="disable_check_in_enforcement"] input#${checkInValue}`)
+      .isChecked('Correct radio is checked for check-in enforcement');
+  });
+
+  test('it should go back to list route and clean up model on cancel', async function (assert) {
+    this.model = this.store.peekRecord('ldap/library', this.libraryData.name);
+    const spy = sinon.spy(this.model, 'rollbackAttributes');
+
+    await this.renderComponent();
+    await click('[data-test-cancel]');
+
+    assert.ok(spy.calledOnce, 'Model is rolled back on cancel');
+    assert.ok(this.transitionCalledWith('libraries'), 'Transitions to libraries list route on cancel');
+  });
+
+  test('it should validate form fields', async function (assert) {
+    this.model = this.newModel;
+
+    await this.renderComponent();
+    await click('[data-test-save]');
+
+    assert
+      .dom('[data-test-field-validation="name"]')
+      .hasText('Library name is required.', 'Name validation error renders');
+    assert
+      .dom('[data-test-field-validation="service_account_names"]')
+      .hasText('At least one service account is required.', 'Service account name validation error renders');
+    assert
+      .dom('[data-test-invalid-form-message]')
+      .hasText('There are 2 errors with this form.', 'Invalid form message renders');
+  });
+
+  test('it should create new library', async function (assert) {
+    assert.expect(2);
+
+    this.server.post('/ldap-test/library/new-library', (schema, req) => {
+      const data = JSON.parse(req.requestBody);
+      const expected = {
+        service_account_names: 'foo@bar.com,bar@baz.com',
+        ttl: '24h',
+        max_ttl: '24h',
+        disable_check_in_enforcement: true,
+      };
+      assert.deepEqual(data, expected, 'POST request made with correct properties when creating library');
+    });
+
+    this.model = this.newModel;
+
+    await this.renderComponent();
+
+    await fillIn('[data-test-input="name"]', 'new-library');
+    await fillIn('[data-test-string-list-input="0"]', 'foo@bar.com');
+    await click('[data-test-string-list-button="add"]');
+    await fillIn('[data-test-string-list-input="1"]', 'bar@baz.com');
+    await click('[data-test-string-list-button="add"]');
+    await click('[data-test-input="disable_check_in_enforcement"] input#Disabled');
+    await click('[data-test-save]');
+
+    assert.ok(
+      this.transitionCalledWith('libraries.library.details', 'new-library'),
+      'Transitions to library details route on save success'
+    );
+  });
+
+  test('it should save edited library with correct properties', async function (assert) {
+    assert.expect(2);
+
+    this.server.post('/ldap-test/library/test-library', (schema, req) => {
+      const data = JSON.parse(req.requestBody);
+      const expected = {
+        service_account_names: this.libraryData.service_account_names[1],
+        ttl: this.libraryData.ttl,
+        max_ttl: this.libraryData.max_ttl,
+        disable_check_in_enforcement: true,
+      };
+      assert.deepEqual(expected, data, 'POST request made to save library with correct properties');
+    });
+
+    this.model = this.store.peekRecord('ldap/library', this.libraryData.name);
+
+    await this.renderComponent();
+
+    await click('[data-test-string-list-button="delete"]');
+    await click('[data-test-input="disable_check_in_enforcement"] input#Disabled');
+    await click('[data-test-save]');
+
+    assert.ok(
+      this.transitionCalledWith('libraries.library.details', 'test-library'),
+      'Transitions to library details route on save success'
+    );
+  });
+});
diff --git a/command/login_test.go b/command/login_test.go
index deb96be18871..c90601480d18 100644
--- a/command/login_test.go
+++ b/command/login_test.go
@@ -1,616 +1,76 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"context"
-	"regexp"
-	"strings"
-	"testing"
-	"time"
-
-	"github.com/mitchellh/cli"
-
-	"github.com/hashicorp/vault/api"
-	credToken "github.com/hashicorp/vault/builtin/credential/token"
-	credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
-	"github.com/hashicorp/vault/command/token"
-	"github.com/hashicorp/vault/helper/testhelpers"
-	"github.com/hashicorp/vault/vault"
-)
-
-// minTokenLengthExternal is the minimum size of SSC
-// tokens we are currently handing out to end users, without any
-// namespace information
-const minTokenLengthExternal = 91
-
-func testLoginCommand(tb testing.TB) (*cli.MockUi, *LoginCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &LoginCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-
-			// Override to our own token helper
-			tokenHelper: token.NewTestingTokenHelper(),
-		},
-		Handlers: map[string]LoginHandler{
-			"token":    &credToken.CLIHandler{},
-			"userpass": &credUserpass.CLIHandler{},
-		},
-	}
-}
-
-func TestCustomPath(t *testing.T) {
-	t.Parallel()
-
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	if err := client.Sys().EnableAuth("my-auth", "userpass", ""); err != nil {
-		t.Fatal(err)
-	}
-	if _, err := client.Logical().Write("auth/my-auth/users/test", map[string]interface{}{
-		"password": "test",
-		"policies": "default",
-	}); err != nil {
-		t.Fatal(err)
-	}
-
-	ui, cmd := testLoginCommand(t)
-	cmd.client = client
-
-	tokenHelper, err := cmd.TokenHelper()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Emulate an unknown token format present in ~/.vault-token, for example
-	client.SetToken("a.a")
-
-	code := cmd.Run([]string{
-		"-method", "userpass",
-		"-path", "my-auth",
-		"username=test",
-		"password=test",
-	})
-	if exp := 0; code != exp {
-		t.Errorf("expected %d to be %d", code, exp)
-	}
-
-	expected := "Success! You are now authenticated."
-	combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-	if !strings.Contains(combined, expected) {
-		t.Errorf("expected %q to be %q", combined, expected)
-	}
-
-	storedToken, err := tokenHelper.Get()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if l, exp := len(storedToken), minTokenLengthExternal+vault.TokenPrefixLength; l < exp {
-		t.Errorf("expected token to be %d characters, was %d: %q", exp, l, storedToken)
-	}
-}
-
-// Do not persist the token to the token helper
-func TestNoStore(t *testing.T) {
-	t.Parallel()
-
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
-		Policies: []string{"default"},
-		TTL:      "30m",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	token := secret.Auth.ClientToken
-
-	_, cmd := testLoginCommand(t)
-	cmd.client = client
-
-	tokenHelper, err := cmd.TokenHelper()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Ensure we have no token to start
-	if storedToken, err := tokenHelper.Get(); err != nil || storedToken != "" {
-		t.Errorf("expected token helper to be empty: %s: %q", err, storedToken)
-	}
-
-	code := cmd.Run([]string{
-		"-no-store",
-		token,
-	})
-	if exp := 0; code != exp {
-		t.Errorf("expected %d to be %d", code, exp)
-	}
-
-	storedToken, err := tokenHelper.Get()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if exp := ""; storedToken != exp {
-		t.Errorf("expected %q to be %q", storedToken, exp)
-	}
-}
-
-func TestStores(t *testing.T) {
-	t.Parallel()
-
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
-		Policies: []string{"default"},
-		TTL:      "30m",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	token := secret.Auth.ClientToken
-
-	_, cmd := testLoginCommand(t)
-	cmd.client = client
-
-	tokenHelper, err := cmd.TokenHelper()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	code := cmd.Run([]string{
-		token,
-	})
-	if exp := 0; code != exp {
-		t.Errorf("expected %d to be %d", code, exp)
-	}
-
-	storedToken, err := tokenHelper.Get()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if storedToken != token {
-		t.Errorf("expected %q to be %q", storedToken, token)
-	}
-}
-
-func TestTokenOnly(t *testing.T) {
-	t.Parallel()
-
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	if err := client.Sys().EnableAuth("userpass", "userpass", ""); err != nil {
-		t.Fatal(err)
-	}
-	if _, err := client.Logical().Write("auth/userpass/users/test", map[string]interface{}{
-		"password": "test",
-		"policies": "default",
-	}); err != nil {
-		t.Fatal(err)
-	}
-
-	ui, cmd := testLoginCommand(t)
-	cmd.client = client
-
-	tokenHelper, err := cmd.TokenHelper()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	code := cmd.Run([]string{
-		"-token-only",
-		"-method", "userpass",
-		"username=test",
-		"password=test",
-	})
-	if exp := 0; code != exp {
-		t.Errorf("expected %d to be %d", code, exp)
-	}
-
-	// Verify only the token was printed
-	token := ui.OutputWriter.String()
-	if l, exp := len(token), minTokenLengthExternal+vault.TokenPrefixLength; l != exp {
-		t.Errorf("expected token to be %d characters, was %d: %q", exp, l, token)
-	}
-
-	// Verify the token was not stored
-	if storedToken, err := tokenHelper.Get(); err != nil || storedToken != "" {
-		t.Fatalf("expected token to not be stored: %s: %q", err, storedToken)
-	}
-}
-
-func TestFailureNoStore(t *testing.T) {
-	t.Parallel()
-
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	ui, cmd := testLoginCommand(t)
-	cmd.client = client
-
-	tokenHelper, err := cmd.TokenHelper()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	code := cmd.Run([]string{
-		"not-a-real-token",
-	})
-	if exp := 2; code != exp {
-		t.Errorf("expected %d to be %d", code, exp)
-	}
-
-	expected := "Error authenticating: "
-	combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-	if !strings.Contains(combined, expected) {
-		t.Errorf("expected %q to contain %q", combined, expected)
-	}
-
-	if storedToken, err := tokenHelper.Get(); err != nil || storedToken != "" {
-		t.Fatalf("expected token to not be stored: %s: %q", err, storedToken)
-	}
-}
-
-func TestWrapAutoUnwrap(t *testing.T) {
-	t.Parallel()
-
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	if err := client.Sys().EnableAuth("userpass", "userpass", ""); err != nil {
-		t.Fatal(err)
-	}
-	if _, err := client.Logical().Write("auth/userpass/users/test", map[string]interface{}{
-		"password": "test",
-		"policies": "default",
-	}); err != nil {
-		t.Fatal(err)
-	}
-
-	_, cmd := testLoginCommand(t)
-	cmd.client = client
-
-	// Set the wrapping ttl to 5s. We can't set this via the flag because we
-	// override the client object before that particular flag is parsed.
-	client.SetWrappingLookupFunc(func(string, string) string { return "5m" })
-
-	code := cmd.Run([]string{
-		"-method", "userpass",
-		"username=test",
-		"password=test",
-	})
-	if exp := 0; code != exp {
-		t.Errorf("expected %d to be %d", code, exp)
-	}
-
-	// Unset the wrapping
-	client.SetWrappingLookupFunc(func(string, string) string { return "" })
-
-	tokenHelper, err := cmd.TokenHelper()
-	if err != nil {
-		t.Fatal(err)
-	}
-	token, err := tokenHelper.Get()
-	if err != nil || token == "" {
-		t.Fatalf("expected token from helper: %s: %q", err, token)
-	}
-	client.SetToken(token)
-
-	// Ensure the resulting token is unwrapped
-	secret, err := client.Auth().Token().LookupSelf()
-	if err != nil {
-		t.Error(err)
-	}
-	if secret == nil {
-		t.Fatal("secret was nil")
-	}
-
-	if secret.WrapInfo != nil {
-		t.Errorf("expected to be unwrapped: %#v", secret)
-	}
-}
-
-func TestWrapTokenOnly(t *testing.T) {
-	t.Parallel()
-
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	if err := client.Sys().EnableAuth("userpass", "userpass", ""); err != nil {
-		t.Fatal(err)
-	}
-	if _, err := client.Logical().Write("auth/userpass/users/test", map[string]interface{}{
-		"password": "test",
-		"policies": "default",
-	}); err != nil {
-		t.Fatal(err)
-	}
-
-	ui, cmd := testLoginCommand(t)
-	cmd.client = client
-
-	// Set the wrapping ttl to 5s. We can't set this via the flag because we
-	// override the client object before that particular flag is parsed.
-	client.SetWrappingLookupFunc(func(string, string) string { return "5m" })
-
-	code := cmd.Run([]string{
-		"-token-only",
-		"-method", "userpass",
-		"username=test",
-		"password=test",
-	})
-	if exp := 0; code != exp {
-		t.Errorf("expected %d to be %d", code, exp)
-	}
-
-	// Unset the wrapping
-	client.SetWrappingLookupFunc(func(string, string) string { return "" })
-
-	tokenHelper, err := cmd.TokenHelper()
-	if err != nil {
-		t.Fatal(err)
-	}
-	storedToken, err := tokenHelper.Get()
-	if err != nil || storedToken != "" {
-		t.Fatalf("expected token to not be stored: %s: %q", err, storedToken)
-	}
-
-	token := strings.TrimSpace(ui.OutputWriter.String())
-	if token == "" {
-		t.Errorf("expected %q to not be %q", token, "")
-	}
-
-	// Ensure the resulting token is, in fact, still wrapped.
-	client.SetToken(token)
-	secret, err := client.Logical().Unwrap("")
-	if err != nil {
-		t.Error(err)
-	}
-	if secret == nil || secret.Auth == nil || secret.Auth.ClientToken == "" {
-		t.Fatalf("expected secret to have auth: %#v", secret)
-	}
-}
-
-func TestWrapNoStore(t *testing.T) {
-	t.Parallel()
-
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	if err := client.Sys().EnableAuth("userpass", "userpass", ""); err != nil {
-		t.Fatal(err)
-	}
-	if _, err := client.Logical().Write("auth/userpass/users/test", map[string]interface{}{
-		"password": "test",
-		"policies": "default",
-	}); err != nil {
-		t.Fatal(err)
-	}
-
-	ui, cmd := testLoginCommand(t)
-	cmd.client = client
-
-	// Set the wrapping ttl to 5s. We can't set this via the flag because we
-	// override the client object before that particular flag is parsed.
-	client.SetWrappingLookupFunc(func(string, string) string { return "5m" })
-
-	code := cmd.Run([]string{
-		"-no-store",
-		"-method", "userpass",
-		"username=test",
-		"password=test",
-	})
-	if exp := 0; code != exp {
-		t.Errorf("expected %d to be %d", code, exp)
-	}
-
-	// Unset the wrapping
-	client.SetWrappingLookupFunc(func(string, string) string { return "" })
-
-	tokenHelper, err := cmd.TokenHelper()
-	if err != nil {
-		t.Fatal(err)
-	}
-	storedToken, err := tokenHelper.Get()
-	if err != nil || storedToken != "" {
-		t.Fatalf("expected token to not be stored: %s: %q", err, storedToken)
-	}
-
-	expected := "wrapping_token"
-	output := ui.OutputWriter.String() + ui.ErrorWriter.String()
-	if !strings.Contains(output, expected) {
-		t.Errorf("expected %q to contain %q", output, expected)
-	}
-}
-
-func TestCommunicationFailure(t *testing.T) {
-	t.Parallel()
-
-	client, closer := testVaultServerBad(t)
-	defer closer()
-
-	ui, cmd := testLoginCommand(t)
-	cmd.client = client
-
-	code := cmd.Run([]string{
-		"token",
-	})
-	if exp := 2; code != exp {
-		t.Errorf("expected %d to be %d", code, exp)
-	}
-
-	expected := "Error authenticating: "
-	combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-	if !strings.Contains(combined, expected) {
-		t.Errorf("expected %q to contain %q", combined, expected)
-	}
-}
-
-func TestNoTabs(t *testing.T) {
-	t.Parallel()
-
-	_, cmd := testLoginCommand(t)
-	assertNoTabs(t, cmd)
-}
-
-func TestLoginMFASinglePhase(t *testing.T) {
-	t.Parallel()
-
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	methodName := "foo"
-	waitPeriod := 5
-	userClient, entityID, methodID := testhelpers.SetupLoginMFATOTP(t, client, methodName, waitPeriod)
-	enginePath := testhelpers.RegisterEntityInTOTPEngine(t, client, entityID, methodID)
-
-	runCommand := func(methodIdentifier string) {
-		// the time required for the totp engine to generate a new code
-		time.Sleep(time.Duration(waitPeriod) * time.Second)
-		totpCode := testhelpers.GetTOTPCodeFromEngine(t, client, enginePath)
-		ui, cmd := testLoginCommand(t)
-		cmd.client = userClient
-		// login command bails early for test clients, so we have to explicitly set this
-		cmd.client.SetMFACreds([]string{methodIdentifier + ":" + totpCode})
-		code := cmd.Run([]string{
-			"-method", "userpass",
-			"username=testuser1",
-			"password=testpassword",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		tokenHelper, err := cmd.TokenHelper()
-		if err != nil {
-			t.Fatal(err)
-		}
-		storedToken, err := tokenHelper.Get()
-		if err != nil {
-			t.Fatal(err)
-		}
-		if storedToken == "" {
-			t.Fatal("expected non-empty stored token")
-		}
-		output := ui.OutputWriter.String()
-		if !strings.Contains(output, storedToken) {
-			t.Fatalf("expected stored token: %q, got: %q", storedToken, output)
-		}
-	}
-	runCommand(methodID)
-	runCommand(methodName)
-}
-
-func TestLoginMFATwoPhase(t *testing.T) {
-	t.Parallel()
-
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	ui, cmd := testLoginCommand(t)
-
-	userclient, entityID, methodID := testhelpers.SetupLoginMFATOTP(t, client, "", 5)
-	cmd.client = userclient
-
-	_ = testhelpers.RegisterEntityInTOTPEngine(t, client, entityID, methodID)
-
-	// clear the MFA creds just to be sure
-	cmd.client.SetMFACreds([]string{})
-
-	code := cmd.Run([]string{
-		"-method", "userpass",
-		"username=testuser1",
-		"password=testpassword",
-	})
-	if exp := 0; code != exp {
-		t.Errorf("expected %d to be %d", code, exp)
-	}
-
-	expected := methodID
-	output := ui.OutputWriter.String()
-	if !strings.Contains(output, expected) {
-		t.Fatalf("expected stored token: %q, got: %q", expected, output)
-	}
-
-	tokenHelper, err := cmd.TokenHelper()
-	if err != nil {
-		t.Fatal(err)
-	}
-	storedToken, err := tokenHelper.Get()
-	if storedToken != "" {
-		t.Fatal("expected empty stored token")
-	}
-	if err != nil {
-		t.Fatal(err)
-	}
-}
-
-func TestLoginMFATwoPhaseNonInteractiveMethodName(t *testing.T) {
-	t.Parallel()
-
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	ui, cmd := testLoginCommand(t)
-
-	methodName := "foo"
-	waitPeriod := 5
-	userclient, entityID, methodID := testhelpers.SetupLoginMFATOTP(t, client, methodName, waitPeriod)
-	cmd.client = userclient
-
-	engineName := testhelpers.RegisterEntityInTOTPEngine(t, client, entityID, methodID)
-
-	// clear the MFA creds just to be sure
-	cmd.client.SetMFACreds([]string{})
-
-	code := cmd.Run([]string{
-		"-method", "userpass",
-		"-non-interactive",
-		"username=testuser1",
-		"password=testpassword",
-	})
-	if exp := 0; code != exp {
-		t.Errorf("expected %d to be %d", code, exp)
-	}
-
-	output := ui.OutputWriter.String()
-
-	reqIdReg := regexp.MustCompile(`mfa_request_id\s+([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\s+mfa_constraint`)
-	reqIDRaw := reqIdReg.FindAllStringSubmatch(output, -1)
-	if len(reqIDRaw) == 0 || len(reqIDRaw[0]) < 2 {
-		t.Fatal("failed to MFA request ID from output")
-	}
-	mfaReqID := reqIDRaw[0][1]
-
-	validateFunc := func(methodIdentifier string) {
-		// the time required for the totp engine to generate a new code
-		time.Sleep(time.Duration(waitPeriod) * time.Second)
-		totpPasscode1 := "passcode=" + testhelpers.GetTOTPCodeFromEngine(t, client, engineName)
-
-		secret, err := cmd.client.Logical().WriteWithContext(context.Background(), "sys/mfa/validate", map[string]interface{}{
-			"mfa_request_id": mfaReqID,
-			"mfa_payload": map[string][]string{
-				methodIdentifier: {totpPasscode1},
-			},
-		})
-		if err != nil {
-			t.Fatalf("mfa validation failed: %v", err)
-		}
-
-		if secret.Auth == nil || secret.Auth.ClientToken == "" {
-			t.Fatalf("mfa validation did not return a client token")
-		}
-	}
-
-	validateFunc(methodName)
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<PageHeader as |p|>
+  <p.top>
+    <Page::Breadcrumbs @breadcrumbs={{@breadcrumbs}} />
+  </p.top>
+  <p.levelLeft>
+    <h1 class="title is-3">
+      {{if @model.isNew "Create Role" "Edit Role"}}
+    </h1>
+  </p.levelLeft>
+</PageHeader>
+
+<hr class="is-marginless has-background-gray-200" />
+
+<form {{on "submit" (perform this.save)}} class="has-top-margin-m">
+  <MessageError @errorMessage={{this.error}} />
+
+  <label class="is-label">
+    Role type
+  </label>
+  <Hds::Form::RadioCard::Group @name="role type options" class="has-bottom-margin-m" as |RadioGroup|>
+    {{#each this.roleTypeOptions as |option|}}
+      <RadioGroup.RadioCard
+        @checked={{eq option.value @model.type}}
+        @disabled={{not @model.isNew}}
+        {{on "change" (fn (mut @model.type) option.value)}}
+        data-test-radio-card={{option.value}}
+        as |Card|
+      >
+        <Card.Icon @name={{option.icon}} />
+        <Card.Label>{{option.title}}</Card.Label>
+        <Card.Description>{{option.description}}</Card.Description>
+      </RadioGroup.RadioCard>
+    {{/each}}
+  </Hds::Form::RadioCard::Group>
+
+  {{#each @model.formFields as |field|}}
+    {{! display section heading ahead of ldif fields }}
+    {{#if field.options.sectionHeading}}
+      <hr class="has-background-gray-200" />
+      <h2 class="title is-4 has-top-margin-xl">{{field.options.sectionHeading}}</h2>
+    {{/if}}
+    <FormField @attr={{field}} @model={{@model}} @modelValidations={{this.modelValidations}} />
+  {{/each}}
+
+  <hr class="has-background-gray-200 has-top-margin-l" />
+
+  <div class="has-top-margin-l has-bottom-margin-l is-flex">
+    <Hds::Button
+      @text={{if @model.isNew "Create role" "Save"}}
+      data-test-save
+      type="submit"
+      disabled={{this.save.isRunning}}
+    />
+    <Hds::Button
+      @text="Cancel"
+      @color="secondary"
+      class="has-left-margin-xs"
+      data-test-cancel
+      disabled={{this.save.isRunning}}
+      {{on "click" this.cancel}}
+    />
+    {{#if this.invalidFormMessage}}
+      <AlertInline
+        @type="danger"
+        class="has-top-padding-s"
+        @message={{this.invalidFormMessage}}
+        data-test-invalid-form-message
+      />
+    {{/if}}
+  </div>
+</form>
\ No newline at end of file
diff --git a/command/main.go b/command/main.go
index 22dde07fa745..47933c341a90 100644
--- a/command/main.go
+++ b/command/main.go
@@ -1,363 +1,68 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"bufio"
-	"bytes"
-	"fmt"
-	"io"
-	"os"
-	"sort"
-	"strconv"
-	"strings"
-	"text/tabwriter"
-
-	"github.com/fatih/color"
-	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/command/token"
-	colorable "github.com/mattn/go-colorable"
-	"github.com/mitchellh/cli"
-)
-
-type VaultUI struct {
-	cli.Ui
-	format   string
-	detailed bool
-}
-
-const (
-	globalFlagOutputCurlString = "output-curl-string"
-	globalFlagOutputPolicy     = "output-policy"
-	globalFlagFormat           = "format"
-	globalFlagDetailed         = "detailed"
-)
-
-var globalFlags = []string{
-	globalFlagOutputCurlString, globalFlagOutputPolicy, globalFlagFormat, globalFlagDetailed,
-}
-
-// setupEnv parses args and may replace them and sets some env vars to known
-// values based on format options
-func setupEnv(args []string) (retArgs []string, format string, detailed bool, outputCurlString bool, outputPolicy bool) {
-	var err error
-	var nextArgFormat bool
-	var haveDetailed bool
-
-	for _, arg := range args {
-		if nextArgFormat {
-			nextArgFormat = false
-			format = arg
-			continue
-		}
-
-		if arg == "--" {
-			break
-		}
-
-		if len(args) == 1 && (arg == "-v" || arg == "-version" || arg == "--version") {
-			args = []string{"version"}
-			break
-		}
-
-		if isGlobalFlag(arg, globalFlagOutputCurlString) {
-			outputCurlString = true
-			continue
-		}
-
-		if isGlobalFlag(arg, globalFlagOutputPolicy) {
-			outputPolicy = true
-			continue
-		}
-
-		// Parse a given flag here, which overrides the env var
-		if isGlobalFlagWithValue(arg, globalFlagFormat) {
-			format = getGlobalFlagValue(arg)
-		}
-		// For backwards compat, it could be specified without an equal sign
-		if isGlobalFlag(arg, globalFlagFormat) {
-			nextArgFormat = true
-		}
-
-		// Parse a given flag here, which overrides the env var
-		if isGlobalFlagWithValue(arg, globalFlagDetailed) {
-			detailed, err = strconv.ParseBool(getGlobalFlagValue(globalFlagDetailed))
-			if err != nil {
-				detailed = false
-			}
-			haveDetailed = true
-		}
-		// For backwards compat, it could be specified without an equal sign to enable
-		// detailed output.
-		if isGlobalFlag(arg, globalFlagDetailed) {
-			detailed = true
-			haveDetailed = true
-		}
-	}
-
-	envVaultFormat := os.Getenv(EnvVaultFormat)
-	// If we did not parse a value, fetch the env var
-	if format == "" && envVaultFormat != "" {
-		format = envVaultFormat
-	}
-	// Lowercase for consistency
-	format = strings.ToLower(format)
-	if format == "" {
-		format = "table"
-	}
-
-	envVaultDetailed := os.Getenv(EnvVaultDetailed)
-	// If we did not parse a value, fetch the env var
-	if !haveDetailed && envVaultDetailed != "" {
-		detailed, err = strconv.ParseBool(envVaultDetailed)
-		if err != nil {
-			detailed = false
-		}
-	}
-
-	return args, format, detailed, outputCurlString, outputPolicy
-}
-
-func isGlobalFlag(arg string, flag string) bool {
-	return arg == "-"+flag || arg == "--"+flag
-}
-
-func isGlobalFlagWithValue(arg string, flag string) bool {
-	return strings.HasPrefix(arg, "--"+flag+"=") || strings.HasPrefix(arg, "-"+flag+"=")
-}
-
-func getGlobalFlagValue(arg string) string {
-	_, value, _ := strings.Cut(arg, "=")
-
-	return value
-}
-
-type RunOptions struct {
-	TokenHelper token.TokenHelper
-	Stdout      io.Writer
-	Stderr      io.Writer
-	Address     string
-	Client      *api.Client
-}
-
-func Run(args []string) int {
-	return RunCustom(args, nil)
-}
-
-// RunCustom allows passing in a base command template to pass to other
-// commands. Currently, this is only used for setting a custom token helper.
-func RunCustom(args []string, runOpts *RunOptions) int {
-	if runOpts == nil {
-		runOpts = &RunOptions{}
-	}
-
-	var format string
-	var detailed bool
-	var outputCurlString bool
-	var outputPolicy bool
-	args, format, detailed, outputCurlString, outputPolicy = setupEnv(args)
-
-	// Don't use color if disabled
-	useColor := true
-	if os.Getenv(EnvVaultCLINoColor) != "" || color.NoColor {
-		useColor = false
-	}
-
-	if runOpts.Stdout == nil {
-		runOpts.Stdout = os.Stdout
-	}
-	if runOpts.Stderr == nil {
-		runOpts.Stderr = os.Stderr
-	}
-
-	// Only use colored UI if stdout is a tty, and not disabled
-	if useColor && format == "table" {
-		if f, ok := runOpts.Stdout.(*os.File); ok {
-			runOpts.Stdout = colorable.NewColorable(f)
-		}
-		if f, ok := runOpts.Stderr.(*os.File); ok {
-			runOpts.Stderr = colorable.NewColorable(f)
-		}
-	} else {
-		runOpts.Stdout = colorable.NewNonColorable(runOpts.Stdout)
-		runOpts.Stderr = colorable.NewNonColorable(runOpts.Stderr)
-	}
-
-	uiErrWriter := runOpts.Stderr
-	if outputCurlString || outputPolicy {
-		uiErrWriter = &bytes.Buffer{}
-	}
-
-	ui := &VaultUI{
-		Ui: &cli.ColoredUi{
-			ErrorColor: cli.UiColorRed,
-			WarnColor:  cli.UiColorYellow,
-			Ui: &cli.BasicUi{
-				Reader:      bufio.NewReader(os.Stdin),
-				Writer:      runOpts.Stdout,
-				ErrorWriter: uiErrWriter,
-			},
-		},
-		format:   format,
-		detailed: detailed,
-	}
-
-	serverCmdUi := &VaultUI{
-		Ui: &cli.ColoredUi{
-			ErrorColor: cli.UiColorRed,
-			WarnColor:  cli.UiColorYellow,
-			Ui: &cli.BasicUi{
-				Reader: bufio.NewReader(os.Stdin),
-				Writer: runOpts.Stdout,
-			},
-		},
-		format: format,
-	}
-
-	if _, ok := Formatters[format]; !ok {
-		ui.Error(fmt.Sprintf("Invalid output format: %s", format))
-		return 1
-	}
-
-	commands := initCommands(ui, serverCmdUi, runOpts)
-
-	hiddenCommands := []string{"version"}
-
-	cli := &cli.CLI{
-		Name:     "vault",
-		Args:     args,
-		Commands: commands,
-		HelpFunc: groupedHelpFunc(
-			cli.BasicHelpFunc("vault"),
-		),
-		HelpWriter:                 runOpts.Stdout,
-		ErrorWriter:                runOpts.Stderr,
-		HiddenCommands:             hiddenCommands,
-		Autocomplete:               true,
-		AutocompleteNoDefaultFlags: true,
-	}
-
-	exitCode, err := cli.Run()
-	if outputCurlString {
-		return generateCurlString(exitCode, runOpts, uiErrWriter.(*bytes.Buffer))
-	} else if outputPolicy {
-		return generatePolicy(exitCode, runOpts, uiErrWriter.(*bytes.Buffer))
-	} else if err != nil {
-		fmt.Fprintf(runOpts.Stderr, "Error executing CLI: %s\n", err.Error())
-		return 1
-	}
-
-	return exitCode
-}
-
-var commonCommands = []string{
-	"read",
-	"write",
-	"delete",
-	"list",
-	"login",
-	"agent",
-	"server",
-	"status",
-	"unwrap",
-}
-
-func groupedHelpFunc(f cli.HelpFunc) cli.HelpFunc {
-	return func(commands map[string]cli.CommandFactory) string {
-		var b bytes.Buffer
-		tw := tabwriter.NewWriter(&b, 0, 2, 6, ' ', 0)
-
-		fmt.Fprintf(tw, "Usage: vault <command> [args]\n\n")
-		fmt.Fprintf(tw, "Common commands:\n")
-		for _, v := range commonCommands {
-			printCommand(tw, v, commands[v])
-		}
-
-		otherCommands := make([]string, 0, len(commands))
-		for k := range commands {
-			found := false
-			for _, v := range commonCommands {
-				if k == v {
-					found = true
-					break
-				}
-			}
-
-			if !found {
-				otherCommands = append(otherCommands, k)
-			}
-		}
-		sort.Strings(otherCommands)
-
-		fmt.Fprintf(tw, "\n")
-		fmt.Fprintf(tw, "Other commands:\n")
-		for _, v := range otherCommands {
-			printCommand(tw, v, commands[v])
-		}
-
-		tw.Flush()
-
-		return strings.TrimSpace(b.String())
-	}
-}
-
-func printCommand(w io.Writer, name string, cmdFn cli.CommandFactory) {
-	cmd, err := cmdFn()
-	if err != nil {
-		panic(fmt.Sprintf("failed to load %q command: %s", name, err))
-	}
-	fmt.Fprintf(w, "    %s\t%s\n", name, cmd.Synopsis())
-}
-
-func generateCurlString(exitCode int, runOpts *RunOptions, preParsingErrBuf *bytes.Buffer) int {
-	if exitCode == 0 {
-		fmt.Fprint(runOpts.Stderr, "Could not generate cURL command")
-		return 1
-	}
-
-	if api.LastOutputStringError == nil {
-		if exitCode == 127 {
-			// Usage, just pass it through
-			return exitCode
-		}
-		runOpts.Stderr.Write(preParsingErrBuf.Bytes())
-		runOpts.Stderr.Write([]byte("Unable to generate cURL string from command\n"))
-		return exitCode
-	}
-
-	cs, err := api.LastOutputStringError.CurlString()
-	if err != nil {
-		runOpts.Stderr.Write([]byte(fmt.Sprintf("Error creating request string: %s\n", err)))
-		return 1
-	}
-
-	runOpts.Stdout.Write([]byte(fmt.Sprintf("%s\n", cs)))
-	return 0
-}
-
-func generatePolicy(exitCode int, runOpts *RunOptions, preParsingErrBuf *bytes.Buffer) int {
-	if exitCode == 0 {
-		fmt.Fprint(runOpts.Stderr, "Could not generate policy")
-		return 1
-	}
-
-	if api.LastOutputPolicyError == nil {
-		if exitCode == 127 {
-			// Usage, just pass it through
-			return exitCode
-		}
-		runOpts.Stderr.Write(preParsingErrBuf.Bytes())
-		runOpts.Stderr.Write([]byte("Unable to generate policy from command\n"))
-		return exitCode
-	}
-
-	hcl, err := api.LastOutputPolicyError.HCLString()
-	if err != nil {
-		runOpts.Stderr.Write([]byte(fmt.Sprintf("Error assembling policy HCL: %s\n", err)))
-		return 1
-	}
-
-	runOpts.Stdout.Write([]byte(fmt.Sprintf("%s\n", hcl)))
-	return 0
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<KvPageHeader @breadcrumbs={{@breadcrumbs}} @pageTitle="Create Secret">
+  <:toolbarFilters>
+    <Toggle @name="json" @checked={{this.showJsonView}} @onChange={{fn (mut this.showJsonView)}}>
+      <span class="has-text-grey">JSON</span>
+    </Toggle>
+  </:toolbarFilters>
+</KvPageHeader>
+
+<form {{on "submit" (perform this.save)}}>
+  <div class="box is-sideless is-fullwidth is-bottomless">
+    <NamespaceReminder @mode="create" @noun="secret" />
+    <MessageError @errorMessage={{this.errorMessage}} />
+
+    <KvDataFields
+      @showJson={{this.showJsonView}}
+      @secret={{@secret}}
+      @modelValidations={{this.modelValidations}}
+      @pathValidations={{this.pathValidations}}
+      @type="create"
+    />
+
+    <ToggleButton
+      @isOpen={{this.showMetadata}}
+      @openLabel="Hide secret metadata"
+      @closedLabel="Show secret metadata"
+      @onClick={{fn (mut this.showMetadata)}}
+      class="is-block"
+      data-test-metadata-toggle
+    />
+    {{#if this.showMetadata}}
+      <div class="box has-container" data-test-metadata-section>
+        <KvMetadataFields @metadata={{@metadata}} @modelValidations={{this.modelValidations}} />
+      </div>
+    {{/if}}
+  </div>
+  <div class="box is-fullwidth is-bottomless">
+    <div class="control">
+      <Hds::Button
+        @text="Save"
+        @icon={{if this.save.isRunning "loading"}}
+        type="submit"
+        disabled={{this.save.isRunning}}
+        data-test-kv-save
+      />
+      <Hds::Button
+        @text="Cancel"
+        @color="secondary"
+        class="has-left-margin-s"
+        disabled={{this.save.isRunning}}
+        {{on "click" this.onCancel}}
+        data-test-kv-cancel
+      />
+    </div>
+    {{#if this.invalidFormAlert}}
+      <AlertInline
+        data-test-invalid-form-alert
+        class="has-top-padding-s"
+        @type="danger"
+        @message={{this.invalidFormAlert}}
+      />
+    {{/if}}
+  </div>
+</form>
\ No newline at end of file
diff --git a/command/monitor.go b/command/monitor.go
index acfbc24be761..d372e856b89a 100644
--- a/command/monitor.go
+++ b/command/monitor.go
@@ -1,138 +1,54 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"context"
-	"fmt"
-	"strings"
-
-	"github.com/hashicorp/go-secure-stdlib/strutil"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*MonitorCommand)(nil)
-	_ cli.CommandAutocomplete = (*MonitorCommand)(nil)
-)
-
-type MonitorCommand struct {
-	*BaseCommand
-
-	logLevel  string
-	logFormat string
-
-	// ShutdownCh is used to capture interrupt signal and end streaming
-	ShutdownCh chan struct{}
-}
-
-func (c *MonitorCommand) Synopsis() string {
-	return "Stream log messages from a Vault server"
-}
-
-func (c *MonitorCommand) Help() string {
-	helpText := `
-Usage: vault monitor [options]
-
-	Stream log messages of a Vault server. The monitor command lets you listen
-	for log levels that may be filtered out of the server logs. For example,
-	the server may be logging at the INFO level, but with the monitor command
-	you can set -log-level=DEBUG.
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *MonitorCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP)
-
-	f := set.NewFlagSet("Monitor Options")
-	f.StringVar(&StringVar{
-		Name:       "log-level",
-		Target:     &c.logLevel,
-		Default:    "info",
-		Completion: complete.PredictSet("trace", "debug", "info", "warn", "error"),
-		Usage: "If passed, the log level to monitor logs. Supported values" +
-			"(in order of detail) are \"trace\", \"debug\", \"info\", \"warn\"" +
-			" and \"error\". These are not case sensitive.",
-	})
-	f.StringVar(&StringVar{
-		Name:       "log-format",
-		Target:     &c.logFormat,
-		Default:    "standard",
-		Completion: complete.PredictSet("standard", "json"),
-		Usage:      "Output format of logs. Supported values are \"standard\" and \"json\".",
-	})
-
-	return set
-}
-
-func (c *MonitorCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictNothing
-}
-
-func (c *MonitorCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *MonitorCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	parsedArgs := f.Args()
-	if len(parsedArgs) > 0 {
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(parsedArgs)))
-		return 1
-	}
-
-	c.logLevel = strings.ToLower(c.logLevel)
-	validLevels := []string{"trace", "debug", "info", "warn", "error"}
-	if !strutil.StrListContains(validLevels, c.logLevel) {
-		c.UI.Error(fmt.Sprintf("%s is an unknown log level. Valid log levels are: %s", c.logLevel, validLevels))
-		return 1
-	}
-
-	c.logFormat = strings.ToLower(c.logFormat)
-	validFormats := []string{"standard", "json"}
-	if !strutil.StrListContains(validFormats, c.logFormat) {
-		c.UI.Error(fmt.Sprintf("%s is an unknown log format. Valid log formats are: %s", c.logFormat, validFormats))
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	// Remove the default 60 second timeout so we can stream indefinitely
-	client.SetClientTimeout(0)
-
-	var logCh chan string
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	logCh, err = client.Sys().Monitor(ctx, c.logLevel, c.logFormat)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error starting monitor: %s", err))
-		return 1
-	}
-
-	for {
-		select {
-		case log, ok := <-logCh:
-			if !ok {
-				return 0
-			}
-			c.UI.Info(log)
-		case <-c.ShutdownCh:
-			return 0
-		}
-	}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Route from '@ember/routing/route';
+import { inject as service } from '@ember/service';
+import { hash } from 'rsvp';
+// eslint-disable-next-line ember/no-mixins
+import ClusterRoute from 'vault/mixins/cluster-route';
+import { action } from '@ember/object';
+
+export default class VaultClusterDashboardRoute extends Route.extend(ClusterRoute) {
+  @service store;
+  @service namespace;
+  @service version;
+
+  async getVaultConfiguration() {
+    try {
+      if (!this.namespace.inRootNamespace) return null;
+
+      const adapter = this.store.adapterFor('application');
+      const configState = await adapter.ajax('/v1/sys/config/state/sanitized', 'GET');
+      return configState.data;
+    } catch (e) {
+      return null;
+    }
+  }
+
+  model() {
+    const clusterModel = this.modelFor('vault.cluster');
+    const hasChroot = clusterModel?.hasChrootNamespace;
+    const replication =
+      hasChroot || clusterModel.replicationRedacted
+        ? null
+        : {
+            dr: clusterModel.dr,
+            performance: clusterModel.performance,
+          };
+    return hash({
+      replication,
+      secretsEngines: this.store.query('secret-engine', {}),
+      license: this.store.queryRecord('license', {}).catch(() => null),
+      isRootNamespace: this.namespace.inRootNamespace && !hasChroot,
+      version: this.version,
+      vaultConfiguration: hasChroot ? null : this.getVaultConfiguration(),
+    });
+  }
+
+  @action
+  refreshRoute() {
+    this.refresh();
+  }
 }
diff --git a/command/monitor_test.go b/command/monitor_test.go
index 8c2c288d841a..01edae328ff7 100644
--- a/command/monitor_test.go
+++ b/command/monitor_test.go
@@ -1,94 +1,367 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"strings"
-	"sync/atomic"
-	"testing"
-	"time"
-
-	"github.com/mitchellh/cli"
-)
-
-func testMonitorCommand(tb testing.TB) (*cli.MockUi, *MonitorCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &MonitorCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestMonitorCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int64
-	}{
-		{
-			"valid",
-			[]string{
-				"-log-level=debug",
-			},
-			"",
-			0,
-		},
-		{
-			"too_many_args",
-			[]string{
-				"-log-level=debug",
-				"foo",
-			},
-			"Too many arguments",
-			1,
-		},
-		{
-			"unknown_log_level",
-			[]string{
-				"-log-level=haha",
-			},
-			"haha is an unknown log level",
-			1,
-		},
-	}
-
-	for _, tc := range cases {
-		tc := tc
-
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-			client, closer := testVaultServer(t)
-			defer closer()
-
-			var code int64
-			shutdownCh := make(chan struct{})
-
-			ui, cmd := testMonitorCommand(t)
-			cmd.client = client
-			cmd.ShutdownCh = shutdownCh
-
-			go func() {
-				atomic.StoreInt64(&code, int64(cmd.Run(tc.args)))
-			}()
-
-			<-time.After(3 * time.Second)
-			close(shutdownCh)
-
-			if atomic.LoadInt64(&code) != tc.code {
-				t.Errorf("expected %d to be %d", code, tc.code)
-			}
-
-			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-			if !strings.Contains(combined, tc.out) {
-				t.Fatalf("expected %q to contain %q", combined, tc.out)
-			}
-		})
-	}
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import { module, test } from 'qunit';
+import { setupTest } from 'ember-qunit';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { kvDataPath } from 'vault/utils/kv-path';
+import { encodePath } from 'vault/utils/path-encoding-helpers';
+import { Response } from 'miragejs';
+
+const EXAMPLE_KV_DATA_CREATE_RESPONSE = {
+  request_id: 'foobar',
+  data: {
+    created_time: '2023-06-21T16:18:31.479993Z',
+    custom_metadata: null,
+    deletion_time: '',
+    destroyed: false,
+    version: 1,
+  },
+};
+
+const EXAMPLE_KV_DATA_GET_RESPONSE = {
+  request_id: 'foobar',
+  data: {
+    data: { foo: 'bar' },
+    metadata: {
+      created_time: '2023-06-20T21:26:47.592306Z',
+      custom_metadata: null,
+      deletion_time: '',
+      destroyed: false,
+      version: 2,
+    },
+  },
+};
+
+const EXAMPLE_CONTROL_GROUP_RESPONSE = {
+  data: null,
+  wrap_info: {
+    token: 'some-token',
+    accessor: 'some-accessor',
+    ttl: 86400,
+    creation_time: '2023-08-09T16:08:06-05:00',
+    creation_path: 'some/path/here',
+  },
+};
+
+const EXAMPLE_KV_DATA_DESTROYED = {
+  data: {
+    data: null,
+    metadata: {
+      created_time: '2023-08-09T20:10:24.4825Z',
+      custom_metadata: null,
+      deletion_time: '',
+      destroyed: true,
+      version: 2,
+    },
+  },
+};
+
+const EXAMPLE_KV_DATA_DELETED = {
+  data: {
+    data: null,
+    metadata: {
+      created_time: '2023-08-09T20:10:24.571332Z',
+      custom_metadata: null,
+      deletion_time: '2023-08-09T20:10:24.70176Z',
+      destroyed: false,
+      version: 2,
+    },
+  },
+};
+
+module('Unit | Adapter | kv/data', function (hooks) {
+  setupTest(hooks);
+  setupMirage(hooks);
+
+  hooks.beforeEach(function () {
+    this.store = this.owner.lookup('service:store');
+    this.version = this.owner.lookup('service:version');
+    this.version.type = 'enterprise'; // Required for testing control-group flow
+    this.secretMountPath = this.owner.lookup('service:secret-mount-path');
+    this.backend = 'my/kv-back&end';
+    this.secretMountPath.currentPath = this.backend;
+    this.path = 'beep/bop/my secret';
+    this.version = '2';
+    this.id = kvDataPath(this.backend, this.path, this.version);
+    this.data = {
+      options: {
+        cas: 2,
+      },
+      data: {
+        foo: 'bar',
+      },
+    };
+    this.payload = {
+      backend: this.backend,
+      path: this.path,
+      version: 2,
+    };
+    this.endpoint = (noun) => `${encodePath(this.backend)}/${noun}/${encodePath(this.path)}`;
+  });
+
+  test('it should make request to correct endpoint on createRecord', async function (assert) {
+    assert.expect(8);
+    this.server.post(this.endpoint('data'), (schema, req) => {
+      assert.ok('POST request made to correct endpoint when creating new record');
+      const body = JSON.parse(req.requestBody);
+      assert.deepEqual(body, {
+        data: {
+          foo: 'bar',
+        },
+        options: {
+          cas: 0,
+        },
+      });
+      return EXAMPLE_KV_DATA_CREATE_RESPONSE;
+    });
+    const record = this.store.createRecord('kv/data', {
+      backend: this.backend,
+      path: this.path,
+      secretData: { foo: 'bar' },
+      casVersion: 0,
+    });
+    await record.save();
+    assert.strictEqual(record.path, this.path, 'record has correct path');
+    assert.strictEqual(record.backend, this.backend, 'record has correct backend');
+    assert.strictEqual(record.version, 1, 'record has correct version');
+    assert.deepEqual(record.secretData, { foo: 'bar' }, 'record has correct data');
+    assert.strictEqual(record.createdTime, '2023-06-21T16:18:31.479993Z', 'record has correct createdTime');
+    assert.strictEqual(
+      record.id,
+      `${encodePath(this.backend)}/data/${encodePath(this.path)}?version=1`,
+      'record has correct id'
+    );
+  });
+
+  test('it should not send cas if casVersion is not a number', async function (assert) {
+    assert.expect(8);
+    this.server.post(this.endpoint('data'), (schema, req) => {
+      assert.ok('POST request made to correct endpoint when creating new record');
+      const body = JSON.parse(req.requestBody);
+      assert.deepEqual(body, {
+        data: {
+          foo: 'bar',
+        },
+      });
+      return EXAMPLE_KV_DATA_CREATE_RESPONSE;
+    });
+    const record = this.store.createRecord('kv/data', {
+      backend: this.backend,
+      path: this.path,
+      secretData: { foo: 'bar' },
+    });
+    await record.save();
+    assert.strictEqual(record.path, this.path, 'record has correct path');
+    assert.strictEqual(record.backend, this.backend, 'record has correct backend');
+    assert.strictEqual(record.version, 1, 'record has correct version');
+    assert.deepEqual(record.secretData, { foo: 'bar' }, 'record has correct data');
+    assert.strictEqual(record.createdTime, '2023-06-21T16:18:31.479993Z', 'record has correct createdTime');
+    assert.strictEqual(
+      record.id,
+      `${encodePath(this.backend)}/data/${encodePath(this.path)}?version=1`,
+      'record has correct id'
+    );
+  });
+
+  test('it should make request to correct endpoint on queryRecord', async function (assert) {
+    assert.expect(8);
+    this.server.get(this.endpoint('data'), (schema, req) => {
+      assert.ok(true, 'request is made to correct url on queryRecord.');
+      assert.strictEqual(
+        req.queryParams.version,
+        this.version,
+        'request includes the version flag on queryRecord.'
+      );
+      return EXAMPLE_KV_DATA_GET_RESPONSE;
+    });
+
+    const record = await this.store.queryRecord('kv/data', this.payload);
+    assert.strictEqual(record.path, this.path, 'record has correct path');
+    assert.strictEqual(record.backend, this.backend, 'record has correct backend');
+    assert.strictEqual(record.version, 2, 'record has correct version');
+    assert.deepEqual(record.secretData, { foo: 'bar' }, 'record has correct data');
+    assert.strictEqual(record.createdTime, '2023-06-20T21:26:47.592306Z', 'record has correct createdTime');
+    assert.strictEqual(
+      record.id,
+      `${encodePath(this.backend)}/data/${encodePath(this.path)}?version=${this.version}`,
+      'record has correct id'
+    );
+  });
+
+  test('it should handle a 404 not found response properly', async function (assert) {
+    assert.expect(1);
+    this.server.get(this.endpoint('data'), () => {
+      // This is what the API currently returns for not found
+      return new Response(404, {}, { errors: [] });
+    });
+
+    try {
+      await this.store.queryRecord('kv/data', this.payload);
+    } catch (e) {
+      assert.ok('throws the error');
+    }
+  });
+
+  test('it should handle a 403 permission denied properly', async function (assert) {
+    assert.expect(8);
+    this.server.get(this.endpoint('data'), (schema, req) => {
+      assert.ok(true, 'request is made to correct url on queryRecord.');
+      assert.strictEqual(
+        req.queryParams.version,
+        this.version,
+        'request includes the version flag on queryRecord.'
+      );
+      return new Response(403, {}, { errors: ['1 error occurred:\n\t* permission denied\n\n'] });
+    });
+
+    const record = await this.store.queryRecord('kv/data', this.payload);
+    assert.strictEqual(record.path, this.path, 'record has correct path');
+    assert.strictEqual(record.backend, this.backend, 'record has correct backend');
+    assert.strictEqual(record.version, 2, 'record has version based on request');
+    assert.strictEqual(record.secretData, undefined, 'record does not include data');
+    assert.strictEqual(record.failReadErrorCode, 403, 'record has error response recorded');
+    assert.strictEqual(
+      record.id,
+      `${encodePath(this.backend)}/data/${encodePath(this.path)}?version=${this.version}`,
+      'record has correct id'
+    );
+  });
+
+  test('it should handle a soft-deleted version properly', async function (assert) {
+    this.server.get(this.endpoint('data'), () => {
+      return new Response(404, {}, EXAMPLE_KV_DATA_DELETED);
+    });
+
+    const record = await this.store.queryRecord('kv/data', this.payload);
+    assert.strictEqual(record.path, this.path, 'record has correct path');
+    assert.strictEqual(record.backend, this.backend, 'record has correct backend');
+    assert.strictEqual(record.version, 2, 'record has version based on request');
+    assert.strictEqual(record.deletionTime, '2023-08-09T20:10:24.70176Z', 'record includes deletion time');
+    assert.strictEqual(record.failReadErrorCode, undefined, 'record does not have failed error code');
+    assert.strictEqual(
+      record.id,
+      `${encodePath(this.backend)}/data/${encodePath(this.path)}?version=${this.version}`,
+      'record has correct id'
+    );
+  });
+
+  test('it should handle a destroyed version properly', async function (assert) {
+    this.server.get(this.endpoint('data'), () => {
+      return new Response(404, {}, EXAMPLE_KV_DATA_DESTROYED);
+    });
+
+    const record = await this.store.queryRecord('kv/data', this.payload);
+    assert.strictEqual(record.path, this.path, 'record has correct path');
+    assert.strictEqual(record.backend, this.backend, 'record has correct backend');
+    assert.strictEqual(record.version, 2, 'record has version based on request');
+    assert.true(record.destroyed, 'record has destroyed value');
+    assert.strictEqual(record.failReadErrorCode, undefined, 'record does not have error code');
+    assert.strictEqual(
+      record.id,
+      `${encodePath(this.backend)}/data/${encodePath(this.path)}?version=${this.version}`,
+      'record has correct id'
+    );
+  });
+
+  test('it should handle a control group response properly', async function (assert) {
+    assert.expect(1);
+    this.server.get(this.endpoint('data'), () => {
+      return EXAMPLE_CONTROL_GROUP_RESPONSE;
+    });
+
+    try {
+      await this.store.queryRecord('kv/data', this.payload);
+    } catch (e) {
+      assert.ok('throws the error');
+    }
+  });
+
+  test('it should make request to correct endpoint on delete latest version', async function (assert) {
+    assert.expect(3);
+    this.server.delete(this.endpoint('data'), () => {
+      assert.ok(true, 'request made to correct endpoint on delete latest version.');
+      return new Response(204);
+    });
+
+    this.store.pushPayload('kv/data', {
+      modelName: 'kv/data',
+      id: this.id,
+      ...this.payload,
+    });
+    let record = await this.store.peekRecord('kv/data', this.id);
+    await record.destroyRecord({ adapterOptions: { deleteType: 'delete-latest-version' } });
+    assert.true(record.isDeleted, 'record is deleted');
+    record = await this.store.peekRecord('kv/data', this.id);
+    assert.strictEqual(record, null, 'record is no longer in store');
+  });
+
+  test('it should make request to correct endpoint on delete specific versions', async function (assert) {
+    assert.expect(4);
+    this.server.post(this.endpoint('delete'), (schema, req) => {
+      const { versions } = JSON.parse(req.requestBody);
+      assert.strictEqual(versions, 2, 'version array is sent in the payload.');
+      assert.ok(true, 'request made to correct endpoint on delete specific version.');
+    });
+
+    this.store.pushPayload('kv/data', {
+      modelName: 'kv/data',
+      id: this.id,
+      ...this.payload,
+    });
+    let record = await this.store.peekRecord('kv/data', this.id);
+    await record.destroyRecord({
+      adapterOptions: { deleteType: 'delete-version', deleteVersions: 2 },
+    });
+    assert.true(record.isDeleted, 'record is deleted');
+    record = await this.store.peekRecord('kv/data', this.id);
+    assert.strictEqual(record, null, 'record is no longer in store');
+  });
+
+  test('it should make request to correct endpoint on undelete', async function (assert) {
+    assert.expect(4);
+    this.server.post(`${this.backend}/undelete/${this.path}`, (schema, req) => {
+      const { versions } = JSON.parse(req.requestBody);
+      assert.strictEqual(versions, 2, 'version array is sent in the payload.');
+      assert.ok(true, 'request made to correct endpoint on undelete specific version.');
+    });
+
+    this.store.pushPayload('kv/data', {
+      modelName: 'kv/data',
+      id: this.id,
+      ...this.payload,
+    });
+    let record = await this.store.peekRecord('kv/data', this.id);
+
+    await record.destroyRecord({
+      adapterOptions: { deleteType: 'undelete', deleteVersions: 2 },
+    });
+    assert.true(record.isDeleted, 'record is deleted');
+    record = await this.store.peekRecord('kv/data', this.id);
+    assert.strictEqual(record, null, 'record is no longer in store');
+  });
+
+  test('it should make request to correct endpoint on destroy specific versions', async function (assert) {
+    assert.expect(4);
+    this.server.put(`${encodePath(this.backend)}/destroy/${encodePath(this.path)}`, (schema, req) => {
+      const { versions } = JSON.parse(req.requestBody);
+      assert.strictEqual(versions, 2, 'version array is sent in the payload.');
+      assert.ok(true, 'request made to correct endpoint on destroy specific version.');
+    });
+
+    this.store.pushPayload('kv/data', {
+      modelName: 'kv/data',
+      id: this.id,
+      ...this.payload,
+    });
+    let record = await this.store.peekRecord('kv/data', this.id);
+    await record.destroyRecord({
+      adapterOptions: { deleteType: 'destroy', deleteVersions: 2 },
+    });
+    assert.true(record.isDeleted, 'record is deleted');
+    record = await this.store.peekRecord('kv/data', this.id);
+    assert.strictEqual(record, null, 'record is no longer in store');
+  });
+});
diff --git a/command/namespace.go b/command/namespace.go
index 4bc6cfa1c776..d154886f6a46 100644
--- a/command/namespace.go
+++ b/command/namespace.go
@@ -1,66 +1,38 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"strings"
-
-	"github.com/mitchellh/cli"
-)
-
-var _ cli.Command = (*NamespaceCommand)(nil)
-
-type NamespaceCommand struct {
-	*BaseCommand
-}
-
-func (c *NamespaceCommand) Synopsis() string {
-	return "Interact with namespaces"
-}
-
-func (c *NamespaceCommand) Help() string {
-	helpText := `
-Usage: vault namespace <subcommand> [options] [args]
-
-  This command groups subcommands for interacting with Vault namespaces.
-  These subcommands operate in the context of the namespace that the
-  currently logged in token belongs to.
-
-  List enabled child namespaces:
-
-      $ vault namespace list
-
-  Look up an existing namespace:
-
-      $ vault namespace lookup
-
-  Create a new namespace:
-
-      $ vault namespace create
-
-  Patch an existing namespace:
-
-      $ vault namespace patch
-
-  Delete an existing namespace:
-
-      $ vault namespace delete
-
-  Lock the API for an existing namespace:
-
-      $ vault namespace lock
-
-  Unlock the API for an existing namespace:
-
-      $ vault namespace unlock
-
-  Please see the individual subcommand help for detailed usage information.
-`
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *NamespaceCommand) Run(args []string) int {
-	return cli.RunResultHelp
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<Hds::SegmentedGroup ...attributes as |S|>
+  <S.Dropdown @listPosition="bottom-left" @height="200px" as |dd|>
+    <dd.ToggleButton data-test-toggle-month @text={{or this.selectedMonth.name "Month"}} @color="secondary" />
+    {{#each this.dropdownMonths as |month|}}
+      <dd.Interactive
+        data-test-dropdown-month={{month.name}}
+        disabled={{if (gt month.index this.maxMonthIdx) true false}}
+        {{on "click" (fn this.selectMonth month dd)}}
+        @text={{month.name}}
+      />
+    {{/each}}
+  </S.Dropdown>
+  <S.Dropdown data-test-year-list @listPosition="bottom-left" @height="200px" as |dd|>
+    <dd.ToggleButton data-test-toggle-year @text={{or this.selectedYear "Year"}} @color="secondary" />
+    {{#each this.dropdownYears as |year|}}
+      <dd.Interactive
+        data-test-dropdown-year={{year}}
+        disabled={{if (eq year this.disabledYear) true false}}
+        {{on "click" (fn this.selectYear year dd)}}
+        @text={{year}}
+      />
+    {{/each}}
+  </S.Dropdown>
+  <S.Button
+    data-test-date-dropdown-submit
+    disabled={{if (and this.selectedMonth this.selectedYear) false true}}
+    {{on "click" this.handleSubmit}}
+    @text={{or @submitText "Submit"}}
+  />
+</Hds::SegmentedGroup>
+{{#if this.invalidDate}}
+  <AlertInline @type="danger" @message={{this.invalidDate}} class="has-top-padding-s" />
+{{/if}}
\ No newline at end of file
diff --git a/command/namespace_api_lock.go b/command/namespace_api_lock.go
index 22a3169304e7..09df88fb4d60 100644
--- a/command/namespace_api_lock.go
+++ b/command/namespace_api_lock.go
@@ -4,57 +4,233 @@
 package command
 
 import (
+	"context"
+	"encoding/json"
 	"fmt"
+	"io/ioutil"
+	"net/url"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strconv"
 	"strings"
+	"sync"
+	"time"
 
-	"github.com/hashicorp/vault/helper/namespace"
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/go-secure-stdlib/gatedwriter"
+	"github.com/hashicorp/go-secure-stdlib/strutil"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/helper/osutil"
+	"github.com/hashicorp/vault/sdk/helper/jsonutil"
+	"github.com/hashicorp/vault/sdk/helper/logging"
+	"github.com/hashicorp/vault/version"
+	"github.com/mholt/archiver/v3"
+	"github.com/oklog/run"
 	"github.com/posener/complete"
 )
 
-var (
-	_ cli.Command             = (*NamespaceAPILockCommand)(nil)
-	_ cli.CommandAutocomplete = (*NamespaceAPILockCommand)(nil)
+const (
+	// debugIndexVersion tracks the canonical version in the index file
+	// for compatibility with future format/layout changes on the bundle.
+	debugIndexVersion = 1
+
+	// debugMinInterval is the minimum acceptable interval capture value. This
+	// value applies to duration and all interval-related flags.
+	debugMinInterval = 5 * time.Second
+
+	// debugDurationGrace is the grace period added to duration to allow for
+	// "last frame" capture if the interval falls into the last duration time
+	// value. For instance, using default values, adding a grace duration lets
+	// the command capture 5 intervals (0, 30, 60, 90, and 120th second) before
+	// exiting.
+	debugDurationGrace = 1 * time.Second
+
+	// debugCompressionExt is the default compression extension used if
+	// compression is enabled.
+	debugCompressionExt = ".tar.gz"
+
+	// fileFriendlyTimeFormat is the time format used for file and directory
+	// naming.
+	fileFriendlyTimeFormat = "2006-01-02T15-04-05Z"
 )
 
-type NamespaceAPILockCommand struct {
-	*BaseCommand
+// debugIndex represents the data structure in the index file
+type debugIndex struct {
+	Version                int                    `json:"version"`
+	VaultAddress           string                 `json:"vault_address"`
+	ClientVersion          string                 `json:"client_version"`
+	ServerVersion          string                 `json:"server_version"`
+	Timestamp              time.Time              `json:"timestamp"`
+	DurationSeconds        int                    `json:"duration_seconds"`
+	IntervalSeconds        int                    `json:"interval_seconds"`
+	MetricsIntervalSeconds int                    `json:"metrics_interval_seconds"`
+	Compress               bool                   `json:"compress"`
+	RawArgs                []string               `json:"raw_args"`
+	Targets                []string               `json:"targets"`
+	Output                 map[string]interface{} `json:"output"`
+	Errors                 []*captureError        `json:"errors"`
 }
 
-func (c *NamespaceAPILockCommand) Synopsis() string {
-	return "Lock the API for particular namespaces"
+// captureError holds an error entry that can occur during polling capture.
+// It includes the timestamp, the target, and the error itself.
+type captureError struct {
+	TargetError string    `json:"error"`
+	Target      string    `json:"target"`
+	Timestamp   time.Time `json:"timestamp"`
 }
 
-func (c *NamespaceAPILockCommand) Help() string {
-	helpText := `
-Usage: vault namespace lock PATH
+var (
+	_ cli.Command             = (*DebugCommand)(nil)
+	_ cli.CommandAutocomplete = (*DebugCommand)(nil)
+)
 
-	Lock the current namespace, and all descendants:
+type DebugCommand struct {
+	*BaseCommand
 
-		$ vault namespace lock
+	flagCompress        bool
+	flagDuration        time.Duration
+	flagInterval        time.Duration
+	flagMetricsInterval time.Duration
+	flagOutput          string
+	flagTargets         []string
 
-	Lock a child namespace, and all of its descendants (e.g. ns1/ns2/):
+	// logFormat defines the output format for Monitor
+	logFormat string
 
-		$ vault namespace lock ns1/ns2
+	// debugIndex is used to keep track of the index state, which gets written
+	// to a file at the end.
+	debugIndex *debugIndex
 
-` + c.Flags().Help()
+	// skipTimingChecks bypasses timing-related checks, used primarily for tests
+	skipTimingChecks bool
+	// logger is the logger used for outputting capture progress
+	logger hclog.Logger
 
-	return strings.TrimSpace(helpText)
-}
+	// ShutdownCh is used to capture interrupt signal and end polling capture
+	ShutdownCh chan struct{}
 
-func (c *NamespaceAPILockCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+	// Collection slices to hold data
+	hostInfoCollection          []map[string]interface{}
+	metricsCollection           []map[string]interface{}
+	replicationStatusCollection []map[string]interface{}
+	serverStatusCollection      []map[string]interface{}
+	inFlightReqStatusCollection []map[string]interface{}
+
+	// cachedClient holds the client retrieved during preflight
+	cachedClient *api.Client
+
+	// errLock is used to lock error capture into the index file
+	errLock sync.Mutex
 }
 
-func (c *NamespaceAPILockCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultNamespaces()
+func (c *DebugCommand) AutocompleteArgs() complete.Predictor {
+	// Predict targets
+	return c.PredictVaultDebugTargets()
 }
 
-func (c *NamespaceAPILockCommand) AutocompleteFlags() complete.Flags {
+func (c *DebugCommand) AutocompleteFlags() complete.Flags {
 	return c.Flags().Completions()
 }
 
-func (c *NamespaceAPILockCommand) Run(args []string) int {
+func (c *DebugCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP)
+
+	f := set.NewFlagSet("Command Options")
+
+	f.BoolVar(&BoolVar{
+		Name:    "compress",
+		Target:  &c.flagCompress,
+		Default: true,
+		Usage:   "Toggles whether to compress output package",
+	})
+
+	f.DurationVar(&DurationVar{
+		Name:       "duration",
+		Target:     &c.flagDuration,
+		Completion: complete.PredictAnything,
+		Default:    2 * time.Minute,
+		Usage:      "Duration to run the command.",
+	})
+
+	f.DurationVar(&DurationVar{
+		Name:       "interval",
+		Target:     &c.flagInterval,
+		Completion: complete.PredictAnything,
+		Default:    30 * time.Second,
+		Usage:      "The polling interval at which to collect profiling data and server state.",
+	})
+
+	f.DurationVar(&DurationVar{
+		Name:       "metrics-interval",
+		Target:     &c.flagMetricsInterval,
+		Completion: complete.PredictAnything,
+		Default:    10 * time.Second,
+		Usage:      "The polling interval at which to collect metrics data.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "output",
+		Target:     &c.flagOutput,
+		Completion: complete.PredictAnything,
+		Usage:      "Specifies the output path for the debug package.",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   "target",
+		Target: &c.flagTargets,
+		Usage: "Target to capture, defaulting to all if none specified. " +
+			"This can be specified multiple times to capture multiple targets. " +
+			"Available targets are: config, host, metrics, pprof, " +
+			"replication-status, server-status, log.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:    "log-format",
+		Target:  &c.logFormat,
+		Default: "standard",
+		Usage: "Log format to be captured if \"log\" target specified. " +
+			"Supported values are \"standard\" and \"json\". The default is \"standard\".",
+	})
+
+	return set
+}
+
+func (c *DebugCommand) Help() string {
+	helpText := `
+Usage: vault debug [options]
+
+  Probes a specific Vault server node for a specified period of time, recording
+  information about the node, its cluster, and its host environment. The
+  information collected is packaged and written to the specified path.
+
+  Certain endpoints that this command uses require ACL permissions to access.
+  If not permitted, the information from these endpoints will not be part of the
+  output. The command uses the Vault address and token as specified via
+  the login command, environment variables, or CLI flags.
+
+  To create a debug package using default duration and interval values in the 
+  current directory that captures all applicable targets:
+
+  $ vault debug
+
+  To create a debug package with a specific duration and interval in the current
+  directory that capture all applicable targets:
+
+  $ vault debug -duration=10m -interval=1m
+
+  To create a debug package in the current directory with a specific sub-set of
+  targets:
+
+  $ vault debug -target=host -target=metrics
+
+` + c.Flags().Help()
+
+	return helpText
+}
+
+func (c *DebugCommand) Run(args []string) int {
 	f := c.Flags()
 
 	if err := f.Parse(args); err != nil {
@@ -62,29 +238,874 @@ func (c *NamespaceAPILockCommand) Run(args []string) int {
 		return 1
 	}
 
-	args = f.Args()
-	if len(args) > 1 {
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0 or 1, got %d)", len(args)))
+	parsedArgs := f.Args()
+	if len(parsedArgs) > 0 {
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(parsedArgs)))
 		return 1
 	}
 
-	// current namespace is already encoded in the :client:
-	client, err := c.Client()
+	// Initialize the logger for debug output
+	gatedWriter := gatedwriter.NewWriter(os.Stderr)
+	if c.logger == nil {
+		c.logger = logging.NewVaultLoggerWithWriter(gatedWriter, hclog.Trace)
+	}
+
+	dstOutputFile, err := c.preflight(args)
 	if err != nil {
-		c.UI.Error(err.Error())
+		c.UI.Error(fmt.Sprintf("Error during validation: %s", err))
+		return 1
+	}
+
+	// Print debug information
+	c.UI.Output("==> Starting debug capture...")
+	c.UI.Info(fmt.Sprintf("         Vault Address: %s", c.debugIndex.VaultAddress))
+	c.UI.Info(fmt.Sprintf("        Client Version: %s", c.debugIndex.ClientVersion))
+	c.UI.Info(fmt.Sprintf("        Server Version: %s", c.debugIndex.ServerVersion))
+	c.UI.Info(fmt.Sprintf("              Duration: %s", c.flagDuration))
+	c.UI.Info(fmt.Sprintf("              Interval: %s", c.flagInterval))
+	c.UI.Info(fmt.Sprintf("      Metrics Interval: %s", c.flagMetricsInterval))
+	c.UI.Info(fmt.Sprintf("               Targets: %s", strings.Join(c.flagTargets, ", ")))
+	c.UI.Info(fmt.Sprintf("                Output: %s", dstOutputFile))
+	c.UI.Output("")
+
+	// Release the log gate.
+	c.logger.(hclog.OutputResettable).ResetOutputWithFlush(&hclog.LoggerOptions{
+		Output: os.Stderr,
+	}, gatedWriter)
+
+	// Capture static information
+	c.UI.Info("==> Capturing static information...")
+	if err := c.captureStaticTargets(); err != nil {
+		c.UI.Error(fmt.Sprintf("Error capturing static information: %s", err))
+		return 2
+	}
+
+	c.UI.Output("")
+
+	// Capture polling information
+	c.UI.Info("==> Capturing dynamic information...")
+	if err := c.capturePollingTargets(); err != nil {
+		c.UI.Error(fmt.Sprintf("Error capturing dynamic information: %s", err))
 		return 2
 	}
 
-	optionalChildNSPath := ""
-	if len(args) == 1 {
-		optionalChildNSPath = fmt.Sprintf("/%s", namespace.Canonicalize(args[0]))
+	c.UI.Output("Finished capturing information, bundling files...")
+
+	// Generate index file
+	if err := c.generateIndex(); err != nil {
+		c.UI.Error(fmt.Sprintf("Error generating index: %s", err))
+		return 1
+	}
+
+	if c.flagCompress {
+		if err := c.compress(dstOutputFile); err != nil {
+			c.UI.Error(fmt.Sprintf("Error encountered during bundle compression: %s", err))
+			// We want to inform that data collection was captured and stored in
+			// a directory even if compression fails
+			c.UI.Info(fmt.Sprintf("Data written to: %s", c.flagOutput))
+			return 1
+		}
+	}
+
+	c.UI.Info(fmt.Sprintf("Success! Bundle written to: %s", dstOutputFile))
+	return 0
+}
+
+func (c *DebugCommand) Synopsis() string {
+	return "Runs the debug command"
+}
+
+func (c *DebugCommand) generateIndex() error {
+	outputLayout := map[string]interface{}{
+		"files": []string{},
+	}
+	// Walk the directory to generate the output layout
+	err := filepath.Walk(c.flagOutput, func(path string, info os.FileInfo, err error) error {
+		// Prevent panic by handling failure accessing a path
+		if err != nil {
+			return err
+		}
+
+		// Skip the base dir
+		if path == c.flagOutput {
+			return nil
+		}
+
+		// If we're a directory, simply add a corresponding map
+		if info.IsDir() {
+			parsedTime, err := time.Parse(fileFriendlyTimeFormat, info.Name())
+			if err != nil {
+				return err
+			}
+
+			outputLayout[info.Name()] = map[string]interface{}{
+				"timestamp": parsedTime,
+				"files":     []string{},
+			}
+			return nil
+		}
+
+		relPath, err := filepath.Rel(c.flagOutput, path)
+		if err != nil {
+			return err
+		}
+
+		dir, file := filepath.Split(relPath)
+		if len(dir) != 0 {
+			dir = filepath.Clean(dir)
+			filesArr := outputLayout[dir].(map[string]interface{})["files"]
+			outputLayout[dir].(map[string]interface{})["files"] = append(filesArr.([]string), file)
+		} else {
+			outputLayout["files"] = append(outputLayout["files"].([]string), file)
+		}
+
+		return nil
+	})
+	if err != nil {
+		return fmt.Errorf("error generating directory output layout: %s", err)
 	}
 
-	resp, err := client.Logical().Write(fmt.Sprintf("sys/namespaces/api-lock/lock%s", optionalChildNSPath), nil)
+	c.debugIndex.Output = outputLayout
+
+	// Marshal into json
+	bytes, err := json.MarshalIndent(c.debugIndex, "", "  ")
 	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error locking namespace: %v", err))
-		return 2
+		return fmt.Errorf("error marshaling index file: %s", err)
+	}
+
+	// Write out file
+	if err := ioutil.WriteFile(filepath.Join(c.flagOutput, "index.json"), bytes, 0o600); err != nil {
+		return fmt.Errorf("error generating index file; %s", err)
+	}
+
+	return nil
+}
+
+// preflight performs various checks against the provided flags to ensure they
+// are valid/reasonable values. It also takes care of instantiating a client and
+// index object for use by the command.
+func (c *DebugCommand) preflight(rawArgs []string) (string, error) {
+	if !c.skipTimingChecks {
+		// Guard duration and interval values to acceptable values
+		if c.flagDuration < debugMinInterval {
+			c.UI.Info(fmt.Sprintf("Overwriting duration value %q to the minimum value of %q", c.flagDuration, debugMinInterval))
+			c.flagDuration = debugMinInterval
+		}
+		if c.flagInterval < debugMinInterval {
+			c.UI.Info(fmt.Sprintf("Overwriting interval value %q to the minimum value of %q", c.flagInterval, debugMinInterval))
+			c.flagInterval = debugMinInterval
+		}
+		if c.flagMetricsInterval < debugMinInterval {
+			c.UI.Info(fmt.Sprintf("Overwriting metrics interval value %q to the minimum value of %q", c.flagMetricsInterval, debugMinInterval))
+			c.flagMetricsInterval = debugMinInterval
+		}
+	}
+
+	// These timing checks are always applicable since interval shouldn't be
+	// greater than the duration
+	if c.flagInterval > c.flagDuration {
+		c.UI.Info(fmt.Sprintf("Overwriting interval value %q to the duration value %q", c.flagInterval, c.flagDuration))
+		c.flagInterval = c.flagDuration
+	}
+	if c.flagMetricsInterval > c.flagDuration {
+		c.UI.Info(fmt.Sprintf("Overwriting metrics interval value %q to the duration value %q", c.flagMetricsInterval, c.flagDuration))
+		c.flagMetricsInterval = c.flagDuration
+	}
+
+	if len(c.flagTargets) == 0 {
+		c.flagTargets = c.defaultTargets()
+	} else {
+		// Check for any invalid targets and ignore them if found
+		invalidTargets := strutil.Difference(c.flagTargets, c.defaultTargets(), true)
+		if len(invalidTargets) != 0 {
+			c.UI.Info(fmt.Sprintf("Ignoring invalid targets: %s", strings.Join(invalidTargets, ", ")))
+			c.flagTargets = strutil.Difference(c.flagTargets, invalidTargets, true)
+		}
+	}
+
+	// Make sure we can talk to the server
+	client, err := c.Client()
+	if err != nil {
+		return "", fmt.Errorf("unable to create client to connect to Vault: %s", err)
+	}
+	serverHealth, err := client.Sys().Health()
+	if err != nil {
+		return "", fmt.Errorf("unable to connect to the server: %s", err)
+	}
+
+	// Check if server is DR Secondary and we need to further
+	// ignore any targets due to endpoint restrictions
+	if serverHealth.ReplicationDRMode == "secondary" {
+		invalidDRTargets := strutil.Difference(c.flagTargets, c.validDRSecondaryTargets(), true)
+		if len(invalidDRTargets) != 0 {
+			c.UI.Info(fmt.Sprintf("Ignoring invalid targets for DR Secondary: %s", strings.Join(invalidDRTargets, ", ")))
+			c.flagTargets = strutil.Difference(c.flagTargets, invalidDRTargets, true)
+		}
+	}
+	c.cachedClient = client
+
+	captureTime := time.Now().UTC()
+	if len(c.flagOutput) == 0 {
+		formattedTime := captureTime.Format(fileFriendlyTimeFormat)
+		c.flagOutput = fmt.Sprintf("vault-debug-%s", formattedTime)
+	}
+
+	// Strip trailing slash before proceeding
+	c.flagOutput = filepath.Clean(c.flagOutput)
+
+	// If compression is enabled, trim the extension so that the files are
+	// written to a directory even if compression somehow fails. We ensure the
+	// extension during compression. We also prevent overwriting if the file
+	// already exists.
+	dstOutputFile := c.flagOutput
+	if c.flagCompress {
+		if !strings.HasSuffix(dstOutputFile, ".tar.gz") && !strings.HasSuffix(dstOutputFile, ".tgz") {
+			dstOutputFile = dstOutputFile + debugCompressionExt
+		}
+
+		// Ensure that the file doesn't already exist, and ensure that we always
+		// trim the extension from flagOutput since we'll be progressively
+		// writing to that.
+		_, err := os.Stat(dstOutputFile)
+		switch {
+		case os.IsNotExist(err):
+			c.flagOutput = strings.TrimSuffix(c.flagOutput, ".tar.gz")
+			c.flagOutput = strings.TrimSuffix(c.flagOutput, ".tgz")
+		case err != nil:
+			return "", fmt.Errorf("unable to stat file: %s", err)
+		default:
+			return "", fmt.Errorf("output file already exists: %s", dstOutputFile)
+		}
+	}
+
+	// Stat check the directory to ensure we don't override any existing data.
+	_, err = os.Stat(c.flagOutput)
+	switch {
+	case os.IsNotExist(err):
+		err := os.MkdirAll(c.flagOutput, 0o700)
+		if err != nil {
+			return "", fmt.Errorf("unable to create output directory: %s", err)
+		}
+	case err != nil:
+		return "", fmt.Errorf("unable to stat directory: %s", err)
+	default:
+		return "", fmt.Errorf("output directory already exists: %s", c.flagOutput)
+	}
+
+	// Populate initial index fields
+	c.debugIndex = &debugIndex{
+		VaultAddress:           client.Address(),
+		ClientVersion:          version.GetVersion().VersionNumber(),
+		ServerVersion:          serverHealth.Version,
+		Compress:               c.flagCompress,
+		DurationSeconds:        int(c.flagDuration.Seconds()),
+		IntervalSeconds:        int(c.flagInterval.Seconds()),
+		MetricsIntervalSeconds: int(c.flagMetricsInterval.Seconds()),
+		RawArgs:                rawArgs,
+		Version:                debugIndexVersion,
+		Targets:                c.flagTargets,
+		Timestamp:              captureTime,
+		Errors:                 []*captureError{},
+	}
+
+	return dstOutputFile, nil
+}
+
+func (c *DebugCommand) defaultTargets() []string {
+	return []string{"config", "host", "requests", "metrics", "pprof", "replication-status", "server-status", "log"}
+}
+
+func (c *DebugCommand) validDRSecondaryTargets() []string {
+	return []string{"metrics", "replication-status", "server-status"}
+}
+
+func (c *DebugCommand) captureStaticTargets() error {
+	// Capture configuration state
+	if strutil.StrListContains(c.flagTargets, "config") {
+		c.logger.Info("capturing configuration state")
+
+		resp, err := c.cachedClient.Logical().Read("sys/config/state/sanitized")
+		if err != nil {
+			c.captureError("config", err)
+			c.logger.Error("config: error capturing config state", "error", err)
+			return nil
+		}
+
+		if resp != nil && resp.Data != nil {
+			collection := []map[string]interface{}{
+				{
+					"timestamp": time.Now().UTC(),
+					"config":    resp.Data,
+				},
+			}
+			if err := c.persistCollection(collection, "config.json"); err != nil {
+				c.UI.Error(fmt.Sprintf("Error writing data to %s: %v", "config.json", err))
+			}
+		}
+	}
+
+	return nil
+}
+
+// capturePollingTargets captures all dynamic targets over the specified
+// duration and interval.
+func (c *DebugCommand) capturePollingTargets() error {
+	var g run.Group
+
+	ctx, cancelFunc := context.WithTimeout(context.Background(), c.flagDuration+debugDurationGrace)
+	defer cancelFunc()
+
+	// This run group watches for interrupt or duration
+	g.Add(func() error {
+		for {
+			select {
+			case <-c.ShutdownCh:
+				return nil
+			case <-ctx.Done():
+				return nil
+			}
+		}
+	}, func(error) {})
+
+	// Collect host-info if target is specified
+	if strutil.StrListContains(c.flagTargets, "host") {
+		g.Add(func() error {
+			c.collectHostInfo(ctx)
+			return nil
+		}, func(error) {
+			cancelFunc()
+		})
+	}
+
+	// Collect metrics if target is specified
+	if strutil.StrListContains(c.flagTargets, "metrics") {
+		g.Add(func() error {
+			c.collectMetrics(ctx)
+			return nil
+		}, func(error) {
+			cancelFunc()
+		})
+	}
+
+	// Collect pprof data if target is specified
+	if strutil.StrListContains(c.flagTargets, "pprof") {
+		g.Add(func() error {
+			c.collectPprof(ctx)
+			return nil
+		}, func(error) {
+			cancelFunc()
+		})
+	}
+
+	// Collect replication status if target is specified
+	if strutil.StrListContains(c.flagTargets, "replication-status") {
+		g.Add(func() error {
+			c.collectReplicationStatus(ctx)
+			return nil
+		}, func(error) {
+			cancelFunc()
+		})
 	}
 
-	return OutputSecret(c.UI, resp)
+	// Collect server status if target is specified
+	if strutil.StrListContains(c.flagTargets, "server-status") {
+		g.Add(func() error {
+			c.collectServerStatus(ctx)
+			return nil
+		}, func(error) {
+			cancelFunc()
+		})
+	}
+
+	// Collect in-flight request status if target is specified
+	if strutil.StrListContains(c.flagTargets, "requests") {
+		g.Add(func() error {
+			c.collectInFlightRequestStatus(ctx)
+			return nil
+		}, func(error) {
+			cancelFunc()
+		})
+	}
+
+	if strutil.StrListContains(c.flagTargets, "log") {
+		g.Add(func() error {
+			c.writeLogs(ctx)
+			// If writeLogs returned earlier due to an error, wait for context
+			// to terminate so we don't abort everything.
+			<-ctx.Done()
+			return nil
+		}, func(error) {
+			cancelFunc()
+		})
+	}
+
+	// We shouldn't bump across errors since none is returned by the interrupts,
+	// but we error check for sanity here.
+	if err := g.Run(); err != nil {
+		return err
+	}
+
+	// Write collected data to their corresponding files
+	if err := c.persistCollection(c.metricsCollection, "metrics.json"); err != nil {
+		c.UI.Error(fmt.Sprintf("Error writing data to %s: %v", "metrics.json", err))
+	}
+	if err := c.persistCollection(c.serverStatusCollection, "server_status.json"); err != nil {
+		c.UI.Error(fmt.Sprintf("Error writing data to %s: %v", "server_status.json", err))
+	}
+	if err := c.persistCollection(c.replicationStatusCollection, "replication_status.json"); err != nil {
+		c.UI.Error(fmt.Sprintf("Error writing data to %s: %v", "replication_status.json", err))
+	}
+	if err := c.persistCollection(c.hostInfoCollection, "host_info.json"); err != nil {
+		c.UI.Error(fmt.Sprintf("Error writing data to %s: %v", "host_info.json", err))
+	}
+	if err := c.persistCollection(c.inFlightReqStatusCollection, "requests.json"); err != nil {
+		c.UI.Error(fmt.Sprintf("Error writing data to %s: %v", "requests.json", err))
+	}
+	return nil
+}
+
+func (c *DebugCommand) collectHostInfo(ctx context.Context) {
+	idxCount := 0
+	intervalTicker := time.Tick(c.flagInterval)
+
+	for {
+		if idxCount > 0 {
+			select {
+			case <-ctx.Done():
+				return
+			case <-intervalTicker:
+			}
+		}
+
+		c.logger.Info("capturing host information", "count", idxCount)
+		idxCount++
+
+		r := c.cachedClient.NewRequest("GET", "/v1/sys/host-info")
+		resp, err := c.cachedClient.RawRequestWithContext(ctx, r)
+		if err != nil {
+			c.captureError("host", err)
+			return
+		}
+		if resp != nil {
+			defer resp.Body.Close()
+
+			secret, err := api.ParseSecret(resp.Body)
+			if err != nil {
+				c.captureError("host", err)
+				return
+			}
+			if secret != nil && secret.Data != nil {
+				hostEntry := secret.Data
+				c.hostInfoCollection = append(c.hostInfoCollection, hostEntry)
+			}
+		}
+	}
+}
+
+func (c *DebugCommand) collectMetrics(ctx context.Context) {
+	idxCount := 0
+	intervalTicker := time.Tick(c.flagMetricsInterval)
+
+	for {
+		if idxCount > 0 {
+			select {
+			case <-ctx.Done():
+				return
+			case <-intervalTicker:
+			}
+		}
+
+		c.logger.Info("capturing metrics", "count", idxCount)
+		idxCount++
+
+		// Perform metrics request
+		r := c.cachedClient.NewRequest("GET", "/v1/sys/metrics")
+		resp, err := c.cachedClient.RawRequestWithContext(ctx, r)
+		if err != nil {
+			c.captureError("metrics", err)
+			continue
+		}
+		if resp != nil {
+			defer resp.Body.Close()
+
+			metricsEntry := make(map[string]interface{})
+			err := json.NewDecoder(resp.Body).Decode(&metricsEntry)
+			if err != nil {
+				c.captureError("metrics", err)
+				continue
+			}
+			c.metricsCollection = append(c.metricsCollection, metricsEntry)
+		}
+	}
+}
+
+func (c *DebugCommand) collectPprof(ctx context.Context) {
+	idxCount := 0
+	startTime := time.Now()
+	intervalTicker := time.Tick(c.flagInterval)
+
+	for {
+		if idxCount > 0 {
+			select {
+			case <-ctx.Done():
+				return
+			case <-intervalTicker:
+			}
+		}
+
+		currentTimestamp := time.Now().UTC()
+		c.logger.Info("capturing pprof data", "count", idxCount)
+		idxCount++
+
+		// Create a sub-directory for pprof data
+		currentDir := currentTimestamp.Format(fileFriendlyTimeFormat)
+		dirName := filepath.Join(c.flagOutput, currentDir)
+		if err := os.MkdirAll(dirName, 0o700); err != nil {
+			c.UI.Error(fmt.Sprintf("Error creating sub-directory for time interval: %s", err))
+			continue
+		}
+
+		var wg sync.WaitGroup
+
+		for _, target := range []string{"threadcreate", "allocs", "block", "mutex", "goroutine", "heap"} {
+			wg.Add(1)
+			go func(target string) {
+				defer wg.Done()
+				data, err := pprofTarget(ctx, c.cachedClient, target, nil)
+				if err != nil {
+					c.captureError("pprof."+target, err)
+					return
+				}
+
+				err = ioutil.WriteFile(filepath.Join(dirName, target+".prof"), data, 0o600)
+				if err != nil {
+					c.captureError("pprof."+target, err)
+				}
+			}(target)
+		}
+
+		// As a convenience, we'll also fetch the goroutine target using debug=2, which yields a text
+		// version of the stack traces that don't require using `go tool pprof` to view.
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			data, err := pprofTarget(ctx, c.cachedClient, "goroutine", url.Values{"debug": []string{"2"}})
+			if err != nil {
+				c.captureError("pprof.goroutines-text", err)
+				return
+			}
+
+			err = ioutil.WriteFile(filepath.Join(dirName, "goroutines.txt"), data, 0o600)
+			if err != nil {
+				c.captureError("pprof.goroutines-text", err)
+			}
+		}()
+
+		// If the our remaining duration is less than the interval value
+		// skip profile and trace.
+		runDuration := currentTimestamp.Sub(startTime)
+		if (c.flagDuration+debugDurationGrace)-runDuration < c.flagInterval {
+			wg.Wait()
+			continue
+		}
+
+		// Capture profile
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			data, err := pprofProfile(ctx, c.cachedClient, c.flagInterval)
+			if err != nil {
+				c.captureError("pprof.profile", err)
+				return
+			}
+
+			err = ioutil.WriteFile(filepath.Join(dirName, "profile.prof"), data, 0o600)
+			if err != nil {
+				c.captureError("pprof.profile", err)
+			}
+		}()
+
+		// Capture trace
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			data, err := pprofTrace(ctx, c.cachedClient, c.flagInterval)
+			if err != nil {
+				c.captureError("pprof.trace", err)
+				return
+			}
+
+			err = ioutil.WriteFile(filepath.Join(dirName, "trace.out"), data, 0o600)
+			if err != nil {
+				c.captureError("pprof.trace", err)
+			}
+		}()
+
+		wg.Wait()
+	}
+}
+
+func (c *DebugCommand) collectReplicationStatus(ctx context.Context) {
+	idxCount := 0
+	intervalTicker := time.Tick(c.flagInterval)
+
+	for {
+		if idxCount > 0 {
+			select {
+			case <-ctx.Done():
+				return
+			case <-intervalTicker:
+			}
+		}
+
+		c.logger.Info("capturing replication status", "count", idxCount)
+		idxCount++
+
+		r := c.cachedClient.NewRequest("GET", "/v1/sys/replication/status")
+		resp, err := c.cachedClient.RawRequestWithContext(ctx, r)
+		if err != nil {
+			c.captureError("replication-status", err)
+			return
+		}
+		if resp != nil {
+			defer resp.Body.Close()
+
+			secret, err := api.ParseSecret(resp.Body)
+			if err != nil {
+				c.captureError("replication-status", err)
+				return
+			}
+			if secret != nil && secret.Data != nil {
+				replicationEntry := secret.Data
+				replicationEntry["timestamp"] = time.Now().UTC()
+				c.replicationStatusCollection = append(c.replicationStatusCollection, replicationEntry)
+			}
+		}
+	}
+}
+
+func (c *DebugCommand) collectServerStatus(ctx context.Context) {
+	idxCount := 0
+	intervalTicker := time.Tick(c.flagInterval)
+
+	for {
+		if idxCount > 0 {
+			select {
+			case <-ctx.Done():
+				return
+			case <-intervalTicker:
+			}
+		}
+
+		c.logger.Info("capturing server status", "count", idxCount)
+		idxCount++
+
+		healthInfo, err := c.cachedClient.Sys().Health()
+		if err != nil {
+			c.captureError("server-status.health", err)
+		}
+		sealInfo, err := c.cachedClient.Sys().SealStatus()
+		if err != nil {
+			c.captureError("server-status.seal", err)
+		}
+
+		statusEntry := map[string]interface{}{
+			"timestamp": time.Now().UTC(),
+			"health":    healthInfo,
+			"seal":      sealInfo,
+		}
+		c.serverStatusCollection = append(c.serverStatusCollection, statusEntry)
+	}
+}
+
+func (c *DebugCommand) collectInFlightRequestStatus(ctx context.Context) {
+	idxCount := 0
+	intervalTicker := time.Tick(c.flagInterval)
+
+	for {
+		if idxCount > 0 {
+			select {
+			case <-ctx.Done():
+				return
+			case <-intervalTicker:
+			}
+		}
+
+		c.logger.Info("capturing in-flight request status", "count", idxCount)
+		idxCount++
+
+		req := c.cachedClient.NewRequest("GET", "/v1/sys/in-flight-req")
+		resp, err := c.cachedClient.RawRequestWithContext(ctx, req)
+		if err != nil {
+			c.captureError("requests", err)
+			return
+		}
+
+		var data map[string]interface{}
+		if resp != nil {
+			defer resp.Body.Close()
+			err = jsonutil.DecodeJSONFromReader(resp.Body, &data)
+			if err != nil {
+				c.captureError("requests", err)
+				return
+			}
+
+			statusEntry := map[string]interface{}{
+				"timestamp":          time.Now().UTC(),
+				"in_flight_requests": data,
+			}
+			c.inFlightReqStatusCollection = append(c.inFlightReqStatusCollection, statusEntry)
+		}
+	}
+}
+
+// persistCollection writes the collected data for a particular target onto the
+// specified file. If the collection is empty, it returns immediately.
+func (c *DebugCommand) persistCollection(collection []map[string]interface{}, outFile string) error {
+	if len(collection) == 0 {
+		return nil
+	}
+
+	// Write server-status file and update the index
+	bytes, err := json.MarshalIndent(collection, "", "  ")
+	if err != nil {
+		return err
+	}
+	if err := ioutil.WriteFile(filepath.Join(c.flagOutput, outFile), bytes, 0o600); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (c *DebugCommand) compress(dst string) error {
+	if runtime.GOOS != "windows" {
+		defer osutil.Umask(osutil.Umask(0o077))
+	}
+
+	tgz := archiver.NewTarGz()
+	if err := tgz.Archive([]string{c.flagOutput}, dst); err != nil {
+		return fmt.Errorf("failed to compress data: %s", err)
+	}
+
+	// If everything is fine up to this point, remove original directory
+	if err := os.RemoveAll(c.flagOutput); err != nil {
+		return fmt.Errorf("failed to remove data directory: %s", err)
+	}
+
+	return nil
+}
+
+func pprofTarget(ctx context.Context, client *api.Client, target string, params url.Values) ([]byte, error) {
+	req := client.NewRequest("GET", "/v1/sys/pprof/"+target)
+	if params != nil {
+		req.Params = params
+	}
+	resp, err := client.RawRequestWithContext(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	data, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	return data, nil
+}
+
+func pprofProfile(ctx context.Context, client *api.Client, duration time.Duration) ([]byte, error) {
+	seconds := int(duration.Seconds())
+	secStr := strconv.Itoa(seconds)
+
+	req := client.NewRequest("GET", "/v1/sys/pprof/profile")
+	req.Params.Add("seconds", secStr)
+	resp, err := client.RawRequestWithContext(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	data, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	return data, nil
+}
+
+func pprofTrace(ctx context.Context, client *api.Client, duration time.Duration) ([]byte, error) {
+	seconds := int(duration.Seconds())
+	secStr := strconv.Itoa(seconds)
+
+	req := client.NewRequest("GET", "/v1/sys/pprof/trace")
+	req.Params.Add("seconds", secStr)
+	resp, err := client.RawRequestWithContext(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	data, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	return data, nil
+}
+
+// newCaptureError instantiates a new captureError.
+func (c *DebugCommand) captureError(target string, err error) {
+	c.errLock.Lock()
+	c.debugIndex.Errors = append(c.debugIndex.Errors, &captureError{
+		TargetError: err.Error(),
+		Target:      target,
+		Timestamp:   time.Now().UTC(),
+	})
+	c.errLock.Unlock()
+}
+
+func (c *DebugCommand) writeLogs(ctx context.Context) {
+	out, err := os.OpenFile(filepath.Join(c.flagOutput, "vault.log"), os.O_CREATE|os.O_WRONLY, 0o600)
+	if err != nil {
+		c.captureError("log", err)
+		return
+	}
+	defer out.Close()
+
+	// Create Monitor specific client based on the cached client
+	mClient, err := c.cachedClient.Clone()
+	if err != nil {
+		c.captureError("log", err)
+		return
+	}
+	mClient.SetToken(c.cachedClient.Token())
+
+	// Set timeout to match the context explicitly
+	mClient.SetClientTimeout(c.flagDuration + debugDurationGrace)
+
+	logCh, err := mClient.Sys().Monitor(ctx, "trace", c.logFormat)
+	if err != nil {
+		c.captureError("log", err)
+		return
+	}
+
+	for {
+		select {
+		case log := <-logCh:
+			if len(log) > 0 {
+				if !strings.HasSuffix(log, "\n") {
+					log += "\n"
+				}
+				_, err = out.WriteString(log)
+				if err != nil {
+					c.captureError("log", err)
+					return
+				}
+			}
+		case <-ctx.Done():
+			return
+		}
+	}
 }
diff --git a/command/namespace_api_unlock.go b/command/namespace_api_unlock.go
index fa05d43ca561..279c48f0a5ac 100644
--- a/command/namespace_api_unlock.go
+++ b/command/namespace_api_unlock.go
@@ -4,93 +4,843 @@
 package command
 
 import (
+	"archive/tar"
+	"encoding/json"
 	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"runtime"
 	"strings"
+	"syscall"
+	"testing"
+	"time"
 
-	"github.com/hashicorp/vault/helper/namespace"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/mholt/archiver/v3"
 )
 
-var (
-	_ cli.Command             = (*NamespaceAPIUnlockCommand)(nil)
-	_ cli.CommandAutocomplete = (*NamespaceAPIUnlockCommand)(nil)
-)
+func testDebugCommand(tb testing.TB) (*cli.MockUi, *DebugCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &DebugCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestDebugCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	testDir, err := ioutil.TempDir("", "vault-debug")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(testDir)
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"valid",
+			[]string{
+				"-duration=1s",
+				fmt.Sprintf("-output=%s/valid", testDir),
+			},
+			"",
+			0,
+		},
+		{
+			"too_many_args",
+			[]string{
+				"-duration=1s",
+				fmt.Sprintf("-output=%s/too_many_args", testDir),
+				"foo",
+			},
+			"Too many arguments",
+			1,
+		},
+		{
+			"invalid_target",
+			[]string{
+				"-duration=1s",
+				fmt.Sprintf("-output=%s/invalid_target", testDir),
+				"-target=foo",
+			},
+			"Ignoring invalid targets: foo",
+			0,
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			client, closer := testVaultServer(t)
+			defer closer()
+
+			ui, cmd := testDebugCommand(t)
+			cmd.client = client
+			cmd.skipTimingChecks = true
+
+			code := cmd.Run(tc.args)
+			if code != tc.code {
+				t.Errorf("expected %d to be %d", code, tc.code)
+			}
+
+			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+			if !strings.Contains(combined, tc.out) {
+				t.Fatalf("expected %q to contain %q", combined, tc.out)
+			}
+		})
+	}
+}
 
-type NamespaceAPIUnlockCommand struct {
-	*BaseCommand
+func TestDebugCommand_Archive(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name        string
+		ext         string
+		expectError bool
+	}{
+		{
+			"no-ext",
+			"",
+			false,
+		},
+		{
+			"with-ext-tar-gz",
+			".tar.gz",
+			false,
+		},
+		{
+			"with-ext-tgz",
+			".tgz",
+			false,
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// Create temp dirs for each test case since os.Stat and tgz.Walk
+			// (called down below) exhibits raciness otherwise.
+			testDir, err := ioutil.TempDir("", "vault-debug")
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer os.RemoveAll(testDir)
+
+			client, closer := testVaultServer(t)
+			defer closer()
+
+			ui, cmd := testDebugCommand(t)
+			cmd.client = client
+			cmd.skipTimingChecks = true
+
+			// We use tc.name as the base path and apply the extension per
+			// test case.
+			basePath := tc.name
+			outputPath := filepath.Join(testDir, basePath+tc.ext)
+			args := []string{
+				"-duration=1s",
+				fmt.Sprintf("-output=%s", outputPath),
+				"-target=server-status",
+			}
+
+			code := cmd.Run(args)
+			if exp := 0; code != exp {
+				t.Log(ui.OutputWriter.String())
+				t.Log(ui.ErrorWriter.String())
+				t.Fatalf("expected %d to be %d", code, exp)
+			}
+			// If we expect an error we're done here
+			if tc.expectError {
+				return
+			}
+
+			expectedExt := tc.ext
+			if expectedExt == "" {
+				expectedExt = debugCompressionExt
+			}
+
+			bundlePath := filepath.Join(testDir, basePath+expectedExt)
+			_, err = os.Stat(bundlePath)
+			if os.IsNotExist(err) {
+				t.Log(ui.OutputWriter.String())
+				t.Fatal(err)
+			}
+
+			tgz := archiver.NewTarGz()
+			err = tgz.Walk(bundlePath, func(f archiver.File) error {
+				fh, ok := f.Header.(*tar.Header)
+				if !ok {
+					return fmt.Errorf("invalid file header: %#v", f.Header)
+				}
+
+				// Ignore base directory and index file
+				if fh.Name == basePath+"/" || fh.Name == filepath.Join(basePath, "index.json") {
+					return nil
+				}
+
+				if fh.Name != filepath.Join(basePath, "server_status.json") {
+					return fmt.Errorf("unexpected file: %s", fh.Name)
+				}
+				return nil
+			})
+			if err != nil {
+				t.Fatal(err)
+			}
+		})
+	}
 }
 
-func (c *NamespaceAPIUnlockCommand) Synopsis() string {
-	return "Unlock the API for particular namespaces"
+func TestDebugCommand_CaptureTargets(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name          string
+		targets       []string
+		expectedFiles []string
+	}{
+		{
+			"config",
+			[]string{"config"},
+			[]string{"config.json"},
+		},
+		{
+			"host-info",
+			[]string{"host"},
+			[]string{"host_info.json"},
+		},
+		{
+			"metrics",
+			[]string{"metrics"},
+			[]string{"metrics.json"},
+		},
+		{
+			"replication-status",
+			[]string{"replication-status"},
+			[]string{"replication_status.json"},
+		},
+		{
+			"server-status",
+			[]string{"server-status"},
+			[]string{"server_status.json"},
+		},
+		{
+			"in-flight-req",
+			[]string{"requests"},
+			[]string{"requests.json"},
+		},
+		{
+			"all-minus-pprof",
+			[]string{"config", "host", "metrics", "replication-status", "server-status"},
+			[]string{"config.json", "host_info.json", "metrics.json", "replication_status.json", "server_status.json"},
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			testDir, err := ioutil.TempDir("", "vault-debug")
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer os.RemoveAll(testDir)
+
+			client, closer := testVaultServer(t)
+			defer closer()
+
+			ui, cmd := testDebugCommand(t)
+			cmd.client = client
+			cmd.skipTimingChecks = true
+
+			basePath := tc.name
+			args := []string{
+				"-duration=1s",
+				fmt.Sprintf("-output=%s/%s", testDir, basePath),
+			}
+			for _, target := range tc.targets {
+				args = append(args, fmt.Sprintf("-target=%s", target))
+			}
+
+			code := cmd.Run(args)
+			if exp := 0; code != exp {
+				t.Log(ui.ErrorWriter.String())
+				t.Fatalf("expected %d to be %d", code, exp)
+			}
+
+			bundlePath := filepath.Join(testDir, basePath+debugCompressionExt)
+			_, err = os.Open(bundlePath)
+			if err != nil {
+				t.Fatalf("failed to open archive: %s", err)
+			}
+
+			tgz := archiver.NewTarGz()
+			err = tgz.Walk(bundlePath, func(f archiver.File) error {
+				fh, ok := f.Header.(*tar.Header)
+				if !ok {
+					t.Fatalf("invalid file header: %#v", f.Header)
+				}
+
+				// Ignore base directory and index file
+				if fh.Name == basePath+"/" || fh.Name == filepath.Join(basePath, "index.json") {
+					return nil
+				}
+
+				for _, fileName := range tc.expectedFiles {
+					if fh.Name == filepath.Join(basePath, fileName) {
+						return nil
+					}
+				}
+
+				// If we reach here, it means that this is an unexpected file
+				return fmt.Errorf("unexpected file: %s", fh.Name)
+			})
+			if err != nil {
+				t.Fatal(err)
+			}
+		})
+	}
 }
 
-func (c *NamespaceAPIUnlockCommand) Help() string {
-	helpText := `
-Usage: vault namespace unlock [options] PATH
+func TestDebugCommand_Pprof(t *testing.T) {
+	testDir, err := ioutil.TempDir("", "vault-debug")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(testDir)
 
-	Unlock the current namespace, and all descendants, with unlock key:
+	client, closer := testVaultServer(t)
+	defer closer()
 
-		$ vault namespace unlock -unlock-key=<key>
+	ui, cmd := testDebugCommand(t)
+	cmd.client = client
+	cmd.skipTimingChecks = true
 
-	Unlock the current namespace, and all descendants (from a root token):
+	basePath := "pprof"
+	outputPath := filepath.Join(testDir, basePath)
+	// pprof requires a minimum interval of 1s, we set it to 2 to ensure it
+	// runs through and reduce flakiness on slower systems.
+	args := []string{
+		"-compress=false",
+		"-duration=2s",
+		"-interval=2s",
+		fmt.Sprintf("-output=%s", outputPath),
+		"-target=pprof",
+	}
 
-		$ vault namespace unlock
+	code := cmd.Run(args)
+	if exp := 0; code != exp {
+		t.Log(ui.ErrorWriter.String())
+		t.Fatalf("expected %d to be %d", code, exp)
+	}
 
-	Unlock a child namespace, and all of its descendants (e.g. ns1/ns2/):
+	profiles := []string{"heap.prof", "goroutine.prof"}
+	pollingProfiles := []string{"profile.prof", "trace.out"}
 
-		$ vault namespace lock -unlock-key=<key> ns1/ns2
+	// These are captures on the first (0th) and last (1st) frame
+	for _, v := range profiles {
+		files, _ := filepath.Glob(fmt.Sprintf("%s/*/%s", outputPath, v))
+		if len(files) != 2 {
+			t.Errorf("2 output files should exist for %s: got: %v", v, files)
+		}
+	}
 
-` + c.Flags().Help()
+	// Since profile and trace are polling outputs, these only get captured
+	// on the first (0th) frame.
+	for _, v := range pollingProfiles {
+		files, _ := filepath.Glob(fmt.Sprintf("%s/*/%s", outputPath, v))
+		if len(files) != 1 {
+			t.Errorf("1 output file should exist for %s: got: %v", v, files)
+		}
+	}
 
-	return strings.TrimSpace(helpText)
+	t.Log(ui.OutputWriter.String())
+	t.Log(ui.ErrorWriter.String())
 }
 
-func (c *NamespaceAPIUnlockCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+func TestDebugCommand_IndexFile(t *testing.T) {
+	t.Parallel()
+
+	testDir, err := ioutil.TempDir("", "vault-debug")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(testDir)
+
+	client, closer := testVaultServer(t)
+	defer closer()
+
+	ui, cmd := testDebugCommand(t)
+	cmd.client = client
+	cmd.skipTimingChecks = true
+
+	basePath := "index-test"
+	outputPath := filepath.Join(testDir, basePath)
+	// pprof requires a minimum interval of 1s
+	args := []string{
+		"-compress=false",
+		"-duration=1s",
+		"-interval=1s",
+		"-metrics-interval=1s",
+		fmt.Sprintf("-output=%s", outputPath),
+	}
+
+	code := cmd.Run(args)
+	if exp := 0; code != exp {
+		t.Log(ui.ErrorWriter.String())
+		t.Fatalf("expected %d to be %d", code, exp)
+	}
+
+	content, err := ioutil.ReadFile(filepath.Join(outputPath, "index.json"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	index := &debugIndex{}
+	if err := json.Unmarshal(content, index); err != nil {
+		t.Fatal(err)
+	}
+	if len(index.Output) == 0 {
+		t.Fatalf("expected valid index file: got: %v", index)
+	}
 }
 
-func (c *NamespaceAPIUnlockCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultNamespaces()
+func TestDebugCommand_TimingChecks(t *testing.T) {
+	t.Parallel()
+
+	testDir, err := ioutil.TempDir("", "vault-debug")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(testDir)
+
+	cases := []struct {
+		name            string
+		duration        string
+		interval        string
+		metricsInterval string
+	}{
+		{
+			"short-values-all",
+			"10ms",
+			"10ms",
+			"10ms",
+		},
+		{
+			"short-duration",
+			"10ms",
+			"",
+			"",
+		},
+		{
+			"short-interval",
+			debugMinInterval.String(),
+			"10ms",
+			"",
+		},
+		{
+			"short-metrics-interval",
+			debugMinInterval.String(),
+			"",
+			"10ms",
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			client, closer := testVaultServer(t)
+			defer closer()
+
+			// If we are past the minimum duration + some grace, trigger shutdown
+			// to prevent hanging
+			grace := 10 * time.Second
+			shutdownCh := make(chan struct{})
+			go func() {
+				time.AfterFunc(grace, func() {
+					close(shutdownCh)
+				})
+			}()
+
+			ui, cmd := testDebugCommand(t)
+			cmd.client = client
+			cmd.ShutdownCh = shutdownCh
+
+			basePath := tc.name
+			outputPath := filepath.Join(testDir, basePath)
+			// pprof requires a minimum interval of 1s
+			args := []string{
+				"-target=server-status",
+				fmt.Sprintf("-output=%s", outputPath),
+			}
+			if tc.duration != "" {
+				args = append(args, fmt.Sprintf("-duration=%s", tc.duration))
+			}
+			if tc.interval != "" {
+				args = append(args, fmt.Sprintf("-interval=%s", tc.interval))
+			}
+			if tc.metricsInterval != "" {
+				args = append(args, fmt.Sprintf("-metrics-interval=%s", tc.metricsInterval))
+			}
+
+			code := cmd.Run(args)
+			if exp := 0; code != exp {
+				t.Log(ui.ErrorWriter.String())
+				t.Fatalf("expected %d to be %d", code, exp)
+			}
+
+			if !strings.Contains(ui.OutputWriter.String(), "Duration: 5s") {
+				t.Fatal("expected minimum duration value")
+			}
+
+			if tc.interval != "" {
+				if !strings.Contains(ui.OutputWriter.String(), "  Interval: 5s") {
+					t.Fatal("expected minimum interval value")
+				}
+			}
+
+			if tc.metricsInterval != "" {
+				if !strings.Contains(ui.OutputWriter.String(), "Metrics Interval: 5s") {
+					t.Fatal("expected minimum metrics interval value")
+				}
+			}
+		})
+	}
 }
 
-func (c *NamespaceAPIUnlockCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
+func TestDebugCommand_NoConnection(t *testing.T) {
+	t.Parallel()
+
+	client, err := api.NewClient(nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := client.SetAddress(""); err != nil {
+		t.Fatal(err)
+	}
+
+	_, cmd := testDebugCommand(t)
+	cmd.client = client
+	cmd.skipTimingChecks = true
+
+	args := []string{
+		"-duration=1s",
+		"-target=server-status",
+	}
+
+	code := cmd.Run(args)
+	if exp := 1; code != exp {
+		t.Fatalf("expected %d to be %d", code, exp)
+	}
 }
 
-func (c *NamespaceAPIUnlockCommand) Run(args []string) int {
-	f := c.Flags()
+func TestDebugCommand_OutputExists(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name          string
+		compress      bool
+		outputFile    string
+		expectedError string
+	}{
+		{
+			"no-compress",
+			false,
+			"output-exists",
+			"output directory already exists",
+		},
+		{
+			"compress",
+			true,
+			"output-exist.tar.gz",
+			"output file already exists",
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
 
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
+			testDir, err := ioutil.TempDir("", "vault-debug")
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer os.RemoveAll(testDir)
+
+			client, closer := testVaultServer(t)
+			defer closer()
+
+			ui, cmd := testDebugCommand(t)
+			cmd.client = client
+			cmd.skipTimingChecks = true
+
+			outputPath := filepath.Join(testDir, tc.outputFile)
+
+			// Create a conflicting file/directory
+			if tc.compress {
+				_, err = os.Create(outputPath)
+				if err != nil {
+					t.Fatal(err)
+				}
+			} else {
+				err = os.Mkdir(outputPath, 0o700)
+				if err != nil {
+					t.Fatal(err)
+				}
+			}
+
+			args := []string{
+				fmt.Sprintf("-compress=%t", tc.compress),
+				"-duration=1s",
+				"-interval=1s",
+				"-metrics-interval=1s",
+				fmt.Sprintf("-output=%s", outputPath),
+			}
+
+			code := cmd.Run(args)
+			if exp := 1; code != exp {
+				t.Log(ui.OutputWriter.String())
+				t.Log(ui.ErrorWriter.String())
+				t.Errorf("expected %d to be %d", code, exp)
+			}
+
+			output := ui.ErrorWriter.String() + ui.OutputWriter.String()
+			if !strings.Contains(output, tc.expectedError) {
+				t.Fatalf("expected %s, got: %s", tc.expectedError, output)
+			}
+		})
 	}
+}
+
+func TestDebugCommand_PartialPermissions(t *testing.T) {
+	t.Parallel()
 
-	args = f.Args()
-	if len(args) > 1 {
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0 or 1, got %d)", len(args)))
-		return 1
+	testDir, err := ioutil.TempDir("", "vault-debug")
+	if err != nil {
+		t.Fatal(err)
 	}
+	defer os.RemoveAll(testDir)
+
+	client, closer := testVaultServer(t)
+	defer closer()
 
-	// current namespace is already encoded in the :client:
-	client, err := c.Client()
+	// Create a new token with default policy
+	resp, err := client.Logical().Write("auth/token/create", map[string]interface{}{
+		"policies": "default",
+	})
 	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
+		t.Fatal(err)
+	}
+
+	client.SetToken(resp.Auth.ClientToken)
+
+	ui, cmd := testDebugCommand(t)
+	cmd.client = client
+	cmd.skipTimingChecks = true
+
+	basePath := "with-default-policy-token"
+	args := []string{
+		"-duration=1s",
+		fmt.Sprintf("-output=%s/%s", testDir, basePath),
+	}
+
+	code := cmd.Run(args)
+	if exp := 0; code != exp {
+		t.Log(ui.ErrorWriter.String())
+		t.Fatalf("expected %d to be %d", code, exp)
 	}
 
-	optionalChildNSPath := ""
-	if len(args) == 1 {
-		optionalChildNSPath = fmt.Sprintf("/%s", namespace.Canonicalize(args[0]))
+	bundlePath := filepath.Join(testDir, basePath+debugCompressionExt)
+	_, err = os.Open(bundlePath)
+	if err != nil {
+		t.Fatalf("failed to open archive: %s", err)
 	}
 
-	_, err = client.Logical().Write(fmt.Sprintf("sys/namespaces/api-lock/unlock%s", optionalChildNSPath), map[string]interface{}{
-		"unlock_key": c.flagUnlockKey,
+	tgz := archiver.NewTarGz()
+	err = tgz.Walk(bundlePath, func(f archiver.File) error {
+		fh, ok := f.Header.(*tar.Header)
+		if !ok {
+			t.Fatalf("invalid file header: %#v", f.Header)
+		}
+
+		// Ignore base directory and index file
+		if fh.Name == basePath+"/" {
+			return nil
+		}
+
+		// Ignore directories, which still get created by pprof but should
+		// otherwise be empty.
+		if fh.FileInfo().IsDir() {
+			return nil
+		}
+
+		switch {
+		case fh.Name == filepath.Join(basePath, "index.json"):
+		case fh.Name == filepath.Join(basePath, "replication_status.json"):
+		case fh.Name == filepath.Join(basePath, "server_status.json"):
+		case fh.Name == filepath.Join(basePath, "vault.log"):
+		default:
+			return fmt.Errorf("unexpected file: %s", fh.Name)
+		}
+
+		return nil
 	})
 	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error unlocking namespace: %v", err))
-		return 2
+		t.Fatal(err)
+	}
+}
+
+// set insecure umask to see if the files and directories get created with right permissions
+func TestDebugCommand_InsecureUmask(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("test does not work in windows environment")
+	}
+	t.Parallel()
+
+	cases := []struct {
+		name        string
+		compress    bool
+		outputFile  string
+		expectError bool
+	}{
+		{
+			"with-compress",
+			true,
+			"with-compress.tar.gz",
+			false,
+		},
+		{
+			"no-compress",
+			false,
+			"no-compress",
+			false,
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			// set insecure umask
+			defer syscall.Umask(syscall.Umask(0))
+
+			testDir, err := ioutil.TempDir("", "vault-debug")
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer os.RemoveAll(testDir)
+
+			client, closer := testVaultServer(t)
+			defer closer()
+
+			ui, cmd := testDebugCommand(t)
+			cmd.client = client
+			cmd.skipTimingChecks = true
+
+			outputPath := filepath.Join(testDir, tc.outputFile)
+
+			args := []string{
+				fmt.Sprintf("-compress=%t", tc.compress),
+				"-duration=1s",
+				"-interval=1s",
+				"-metrics-interval=1s",
+				fmt.Sprintf("-output=%s", outputPath),
+			}
+
+			code := cmd.Run(args)
+			if exp := 0; code != exp {
+				t.Log(ui.ErrorWriter.String())
+				t.Fatalf("expected %d to be %d", code, exp)
+			}
+			// If we expect an error we're done here
+			if tc.expectError {
+				return
+			}
+
+			bundlePath := filepath.Join(testDir, tc.outputFile)
+			fs, err := os.Stat(bundlePath)
+			if os.IsNotExist(err) {
+				t.Log(ui.OutputWriter.String())
+				t.Fatal(err)
+			}
+			// check permissions of the parent debug directory
+			err = isValidFilePermissions(fs)
+			if err != nil {
+				t.Fatalf(err.Error())
+			}
+
+			// check permissions of the files within the parent directory
+			switch tc.compress {
+			case true:
+				tgz := archiver.NewTarGz()
+
+				err = tgz.Walk(bundlePath, func(f archiver.File) error {
+					fh, ok := f.Header.(*tar.Header)
+					if !ok {
+						return fmt.Errorf("invalid file header: %#v", f.Header)
+					}
+					err = isValidFilePermissions(fh.FileInfo())
+					if err != nil {
+						t.Fatalf(err.Error())
+					}
+					return nil
+				})
+
+			case false:
+				err = filepath.Walk(bundlePath, func(path string, info os.FileInfo, err error) error {
+					err = isValidFilePermissions(info)
+					if err != nil {
+						t.Fatalf(err.Error())
+					}
+					return nil
+				})
+			}
+
+			if err != nil {
+				t.Fatal(err)
+			}
+		})
+	}
+}
+
+func isValidFilePermissions(info os.FileInfo) (err error) {
+	mode := info.Mode()
+	// check group permissions
+	for i := 4; i < 7; i++ {
+		if string(mode.String()[i]) != "-" {
+			return fmt.Errorf("expected no permissions for group but got %s permissions for file %s", string(mode.String()[i]), info.Name())
+		}
 	}
 
-	return 0
+	// check others permissions
+	for i := 7; i < 10; i++ {
+		if string(mode.String()[i]) != "-" {
+			return fmt.Errorf("expected no permissions for others but got %s permissions for file %s", string(mode.String()[i]), info.Name())
+		}
+	}
+	return err
 }
diff --git a/command/namespace_create.go b/command/namespace_create.go
index 20dc639ad605..c50077ffe5f9 100644
--- a/command/namespace_create.go
+++ b/command/namespace_create.go
@@ -1,115 +1,530 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package delegated_auth
 
 import (
+	"context"
 	"fmt"
-	"strings"
+	paths "path"
+	"testing"
 
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/builtin/credential/userpass"
+	"github.com/hashicorp/vault/builtin/logical/totp"
+	"github.com/hashicorp/vault/helper/testhelpers"
+	"github.com/hashicorp/vault/helper/testhelpers/minimal"
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/vault"
+	"github.com/stretchr/testify/require"
 )
 
-var (
-	_ cli.Command             = (*NamespaceCreateCommand)(nil)
-	_ cli.CommandAutocomplete = (*NamespaceCreateCommand)(nil)
-)
+func buildDaError(defaults map[string]string, d *framework.FieldData) *logical.RequestDelegatedAuthError {
+	fieldDataOrDefault := func(field string, d *framework.FieldData) string {
+		if val, ok := d.GetOk(field); ok {
+			return val.(string)
+		}
+
+		return defaults[field]
+	}
 
-type NamespaceCreateCommand struct {
-	*BaseCommand
+	accessor := fieldDataOrDefault("accessor", d)
+	path := fieldDataOrDefault("path", d)
+	username := fieldDataOrDefault("username", d)
+	password := fieldDataOrDefault("password", d)
+	var errorHandler logical.DelegatedAuthErrorHandler
+	if handleErrorRaw, ok := d.GetOk("handle_error"); ok {
+		if handleErrorRaw.(bool) {
+			errorHandler = func(ctx context.Context, initiatingRequest, authRequest *logical.Request, authResponse *logical.Response, err error) (*logical.Response, error) {
+				return logical.ErrorResponse(fmt.Sprintf("my custom handler: %v", err)), nil
+			}
+		}
+	}
 
-	flagCustomMetadata map[string]string
+	loginPath := paths.Join(path, username)
+	data := map[string]interface{}{"password": password}
+
+	return logical.NewDelegatedAuthenticationRequest(accessor, loginPath, data, errorHandler)
 }
 
-func (c *NamespaceCreateCommand) Synopsis() string {
-	return "Create a new namespace"
+func buildDelegatedAuthFactory(defaults map[string]string) logical.Factory {
+	opHandler := func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+		daError := buildDaError(defaults, d)
+		if req.ClientToken == "" || req.ClientTokenSource != logical.ClientTokenFromInternalAuth {
+			return nil, daError
+		}
+
+		if req.Operation == logical.ListOperation {
+			return logical.ListResponse([]string{"success", req.ClientToken}), nil
+		}
+
+		if d.Get("loop").(bool) {
+			return nil, daError
+		}
+
+		if d.Get("perform_write").(bool) {
+			entry, err := logical.StorageEntryJSON("test", map[string]string{"test": "value"})
+			if err != nil {
+				return nil, err
+			}
+			if err = req.Storage.Put(ctx, entry); err != nil {
+				return nil, err
+			}
+		}
+
+		return &logical.Response{
+			Data: map[string]interface{}{
+				"success": true,
+				"token":   req.ClientToken,
+			},
+		}, nil
+	}
+
+	return func(ctx context.Context, config *logical.BackendConfig) (logical.Backend, error) {
+		b := new(framework.Backend)
+		b.BackendType = logical.TypeLogical
+		b.Paths = []*framework.Path{
+			{
+				Pattern: "preauth-test/list/?",
+				Operations: map[logical.Operation]framework.OperationHandler{
+					logical.ListOperation: &framework.PathOperation{Callback: opHandler},
+				},
+			},
+			{
+				Pattern: "preauth-test",
+				Operations: map[logical.Operation]framework.OperationHandler{
+					logical.ReadOperation:   &framework.PathOperation{Callback: opHandler},
+					logical.PatchOperation:  &framework.PathOperation{Callback: opHandler},
+					logical.UpdateOperation: &framework.PathOperation{Callback: opHandler},
+					logical.DeleteOperation: &framework.PathOperation{Callback: opHandler},
+				},
+				Fields: map[string]*framework.FieldSchema{
+					"accessor":      {Type: framework.TypeString},
+					"path":          {Type: framework.TypeString},
+					"username":      {Type: framework.TypeString},
+					"password":      {Type: framework.TypeString},
+					"loop":          {Type: framework.TypeBool},
+					"perform_write": {Type: framework.TypeBool},
+					"handle_error":  {Type: framework.TypeBool},
+				},
+			},
+		}
+		b.PathsSpecial = &logical.Paths{Unauthenticated: []string{"preauth-test", "preauth-test/*"}}
+		err := b.Setup(ctx, config)
+		return b, err
+	}
 }
 
-func (c *NamespaceCreateCommand) Help() string {
-	helpText := `
-Usage: vault namespace create [options] PATH
+func TestDelegatedAuth(t *testing.T) {
+	t.Parallel()
 
-  Create a child namespace. The namespace created will be relative to the
-  namespace provided in either the VAULT_NAMESPACE environment variable or
-  -namespace CLI flag.
+	// A map of success values to be populated once and used in request
+	// operations that can't pass in values
+	delegatedReqDefaults := map[string]string{
+		"username": "allowed-est",
+		"password": "test",
+		"path":     "login",
+	}
 
-  Create a child namespace (e.g. ns1/):
+	delegatedAuthFactory := buildDelegatedAuthFactory(delegatedReqDefaults)
+	coreConfig := &vault.CoreConfig{
+		CredentialBackends: map[string]logical.Factory{
+			"userpass": userpass.Factory,
+		},
+		LogicalBackends: map[string]logical.Factory{
+			"delegateauthtest": delegatedAuthFactory,
+			"totp":             totp.Factory,
+		},
+	}
 
-      $ vault namespace create ns1
+	cluster := minimal.NewTestSoloCluster(t, coreConfig)
+	cluster.Start()
+	defer cluster.Cleanup()
 
-  Create a child namespace from a parent namespace (e.g. ns1/ns2/):
+	client := testhelpers.WaitForActiveNode(t, cluster).Client
 
-      $ vault namespace create -namespace=ns1 ns2
+	// Setup two users, one with an allowed policy, another without a policy within userpass
+	err := client.Sys().PutPolicy("allow-est",
+		`path "dat/preauth-test" { capabilities = ["read", "create", "update", "patch", "delete"] }
+               path "dat/preauth-test/*" { capabilities = ["read","list"] }`)
+	require.NoError(t, err, "Failed to write policy allow-est")
 
-` + c.Flags().Help()
+	err = client.Sys().EnableAuthWithOptions("userpass", &api.EnableAuthOptions{
+		Type: "userpass",
+	})
+	require.NoError(t, err, "failed mounting userpass endpoint")
 
-	return strings.TrimSpace(helpText)
-}
+	_, err = client.Logical().Write("auth/userpass/users/allowed-est", map[string]interface{}{
+		"password":   "test",
+		"policies":   "allow-est",
+		"token_type": "batch",
+	})
+	require.NoError(t, err, "failed to create allowed-est user")
 
-func (c *NamespaceCreateCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
+	_, err = client.Logical().Write("auth/userpass/users/not-allowed-est", map[string]interface{}{
+		"password":   "test",
+		"token_type": "batch",
+	})
+	require.NoError(t, err, "failed to create not-allowed-est user")
 
-	f := set.NewFlagSet("Command Options")
-	f.StringMapVar(&StringMapVar{
-		Name:    "custom-metadata",
-		Target:  &c.flagCustomMetadata,
-		Default: map[string]string{},
-		Usage: "Specifies arbitrary key=value metadata meant to describe a namespace." +
-			"This can be specified multiple times to add multiple pieces of metadata.",
+	_, err = client.Logical().Write("auth/userpass/users/bad-token-type-est", map[string]interface{}{
+		"password":   "test",
+		"token_type": "service",
 	})
+	require.NoError(t, err, "failed to create bad-token-type-est user")
 
-	return set
-}
+	// Setup another auth mount so we can test multiple accessors in mount tuning works later
+	err = client.Sys().EnableAuthWithOptions("userpass2", &api.EnableAuthOptions{
+		Type: "userpass",
+	})
+	require.NoError(t, err, "failed mounting userpass2")
 
-func (c *NamespaceCreateCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictNothing
-}
+	_, err = client.Logical().Write("auth/userpass2/users/allowed-est-2", map[string]interface{}{
+		"password":   "test",
+		"policies":   "allow-est",
+		"token_type": "batch",
+	})
+	require.NoError(t, err, "failed to create allowed-est-2 user")
 
-func (c *NamespaceCreateCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
+	// Setup a dedicated mount for MFA purposes
+	err = client.Sys().EnableAuthWithOptions("userpass-mfa", &api.EnableAuthOptions{
+		Type: "userpass",
+	})
+	require.NoError(t, err, "failed mounting userpass-mfa")
 
-func (c *NamespaceCreateCommand) Run(args []string) int {
-	f := c.Flags()
+	// Fetch the userpass auth accessors
+	resp, err := client.Logical().Read("/sys/mounts/auth/userpass")
+	require.NoError(t, err, "failed to query for mount accessor")
+	require.NotNil(t, resp, "received nil response from mount accessor query")
+	require.NotNil(t, resp.Data, "received response with nil Data")
+	require.NotEmpty(t, resp.Data["accessor"], "Accessor field was empty: %v", resp)
+	upAccessor := resp.Data["accessor"].(string)
 
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
+	resp, err = client.Logical().Read("/sys/mounts/auth/userpass2")
+	require.NoError(t, err, "failed to query for mount accessor for userpass2")
+	require.NotNil(t, resp, "received nil response from mount accessor query for userpass2")
+	require.NotNil(t, resp.Data, "received response with nil Data")
+	require.NotEmpty(t, resp.Data["accessor"], "Accessor field was empty: %v", resp)
+	upAccessor2 := resp.Data["accessor"].(string)
 
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
-	}
+	resp, err = client.Logical().Read("/sys/mounts/auth/userpass-mfa")
+	require.NoError(t, err, "failed to query for MFA mount accessor")
+	require.NotNil(t, resp, "received nil response from MFA mount accessor query")
+	require.NotNil(t, resp.Data, "received response with nil Data for MFA mount accessor query")
+	require.NotEmpty(t, resp.Data["accessor"], "MFA mount Accessor field was empty: %v", resp)
+	upAccessorMFA := resp.Data["accessor"].(string)
 
-	namespacePath := strings.TrimSpace(args[0])
+	resp, err = client.Logical().Read("/sys/mounts/cubbyhole")
+	require.NoError(t, err, "failed to query for mount accessor for cubbyhole")
+	require.NotNil(t, resp, "received nil response from mount accessor query for cubbyhole")
+	require.NotNil(t, resp.Data, "received response with nil Data")
+	require.NotEmpty(t, resp.Data["accessor"], "Accessor field was empty: %v", resp)
+	cubbyAccessor := resp.Data["accessor"].(string)
 
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
+	// Set up our backend mount that will delegate its auth to the userpass mount
+	err = client.Sys().Mount("dat", &api.MountInput{
+		Type: "delegateauthtest",
+		Config: api.MountConfigInput{
+			DelegatedAuthAccessors: []string{
+				upAccessor, upAccessorMFA, "an-accessor-that-does-not-exist",
+				cubbyAccessor,
+			},
+		},
+	})
+	require.NoError(t, err, "failed mounting delegated auth endpoint")
 
-	data := map[string]interface{}{
-		"custom_metadata": c.flagCustomMetadata,
-	}
+	delegatedReqDefaults["accessor"] = upAccessor
+
+	// We want a client without any previous tokens set to make sure we aren't using
+	// the other token.
+	clientNoToken, err := client.Clone()
+	require.NoError(t, err, "failed cloning client")
+	clientNoToken.ClearToken()
 
-	secret, err := client.Logical().Write("sys/namespaces/"+namespacePath, data)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error creating namespace: %s", err))
-		return 2
+	// Happy path test for the various operation types we want to support, make sure
+	// for each one that we don't error out and we get back a token value from the backend
+	// call.
+	for _, test := range []string{"delete", "read", "list", "write"} {
+		t.Run("op-"+test, func(st *testing.T) {
+			switch test {
+			case "delete":
+				resp, err = clientNoToken.Logical().Delete("dat/preauth-test")
+			case "read":
+				resp, err = clientNoToken.Logical().Read("dat/preauth-test")
+			case "list":
+				resp, err = clientNoToken.Logical().List("dat/preauth-test/list/")
+			case "write":
+				resp, err = clientNoToken.Logical().Write("dat/preauth-test", map[string]interface{}{
+					"accessor": delegatedReqDefaults["accessor"],
+					"path":     delegatedReqDefaults["path"],
+					"username": delegatedReqDefaults["username"],
+					"password": delegatedReqDefaults["password"],
+				})
+			}
+
+			require.NoErrorf(st, err, "failed making %s pre-auth call with allowed-est", test)
+			require.NotNilf(st, resp, "pre-auth %s call returned nil", test)
+			require.NotNil(t, resp.Data, "received response with nil Data")
+			if test != "list" {
+				require.Equalf(st, true, resp.Data["success"], "Got an incorrect response from %s call in success field", test)
+				require.NotEmptyf(st, resp.Data["token"], "no token returned by %s handler", test)
+			} else {
+				require.NotEmpty(st, resp.Data["keys"], "list operation did not contain keys in response")
+				keys := resp.Data["keys"].([]interface{})
+				require.Equal(st, 2, len(keys), "keys field did not contain expected 2 elements")
+				require.Equal(st, "success", keys[0], "the first keys field did not contain expected value")
+				require.NotEmpty(st, keys[1], "the second keys field did not contain a token")
+			}
+		})
 	}
 
-	// Handle single field output
-	if c.flagField != "" {
-		return PrintRawField(c.UI, secret, c.flagField)
+	// Test various failure scenarios
+	failureTests := []struct {
+		name          string
+		accessor      string
+		path          string
+		username      string
+		password      string
+		errorContains string
+		forceLoop     bool
+	}{
+		{
+			name:          "policy-denies-user",
+			accessor:      upAccessor,
+			path:          "login",
+			username:      "not-allowed-est",
+			password:      "test",
+			errorContains: "permission denied",
+		},
+		{
+			name:          "bad-password",
+			accessor:      upAccessor,
+			path:          "login",
+			username:      "allowed-est",
+			password:      "bad-password",
+			errorContains: "invalid credentials",
+		},
+		{
+			name:          "unknown-user",
+			accessor:      upAccessor,
+			path:          "login",
+			username:      "non-existant-user",
+			password:      "test",
+			errorContains: "invalid username or password",
+		},
+		{
+			name:          "missing-user",
+			accessor:      upAccessor,
+			path:          "login",
+			username:      "",
+			password:      "test",
+			errorContains: "was not considered a login request",
+		},
+		{
+			name:          "missing-password",
+			accessor:      upAccessor,
+			path:          "login",
+			username:      "allowed-est",
+			password:      "",
+			errorContains: "missing password",
+		},
+		{
+			name:          "bad-path-within-delegated-auth-error",
+			accessor:      upAccessor,
+			path:          "not-the-login-path",
+			username:      "allowed-est",
+			password:      "test",
+			errorContains: "was not considered a login request",
+		},
+		{
+			name:          "empty-path-within-delegated-auth-error",
+			accessor:      upAccessor,
+			path:          "",
+			username:      "allowed-est",
+			password:      "test",
+			errorContains: "was not considered a login request",
+		},
+		{
+			name:          "empty-accessor-within-delegated-auth-error",
+			accessor:      "",
+			path:          "login",
+			username:      "allowed-est",
+			password:      "test",
+			errorContains: "backend returned an invalid mount accessor",
+		},
+		{
+			name:          "accessor-does-not-exist-within-delegated-auth-error",
+			accessor:      "an-accessor-that-does-not-exist",
+			path:          "login",
+			username:      "allowed-est",
+			password:      "test",
+			errorContains: "requested delegate authentication accessor 'an-accessor-that-does-not-exist' was not found",
+		},
+		{
+			name:          "non-allowed-accessor-within-delegated-auth-error",
+			accessor:      upAccessor2,
+			path:          "login",
+			username:      "allowed-est-2",
+			password:      "test",
+			errorContains: fmt.Sprintf("delegated auth to accessor %s not permitted", upAccessor2),
+		},
+		{
+			name:          "force-constant-login-request-loop",
+			accessor:      upAccessor,
+			path:          "login",
+			username:      "allowed-est",
+			password:      "test",
+			forceLoop:     true,
+			errorContains: "delegated authentication requested but authentication token present",
+		},
+		{
+			name:          "non-auth-mount-accessor",
+			accessor:      cubbyAccessor,
+			path:          "login",
+			username:      "allowed-est",
+			password:      "test",
+			errorContains: fmt.Sprintf("requested delegate authentication mount '%s' was not an auth mount", cubbyAccessor),
+		},
+		{
+			name:          "fails-on-non-batch-token",
+			accessor:      upAccessor,
+			path:          "login",
+			username:      "bad-token-type-est",
+			password:      "test",
+			errorContains: "delegated auth requests must be configured to issue batch tokens",
+		},
+	}
+	for _, test := range failureTests {
+		t.Run(test.name, func(st *testing.T) {
+			resp, err = clientNoToken.Logical().Write("dat/preauth-test", map[string]interface{}{
+				"accessor": test.accessor,
+				"path":     test.path,
+				"username": test.username,
+				"password": test.password,
+				"loop":     test.forceLoop,
+			})
+			if test.errorContains != "" {
+				require.ErrorContains(st, err, test.errorContains,
+					"pre-auth call should have failed due to policy restriction got resp: %v err: %v", resp, err)
+			} else {
+				require.Error(st, err, "Expected failure got resp: %v err: %v", resp, err)
+			}
+		})
 	}
 
-	return OutputSecret(c.UI, secret)
+	// Make sure we can add an accessor to the mount that previously failed above,
+	// and the request handling code does use both accessor values.
+	t.Run("multiple-accessors", func(st *testing.T) {
+		err = client.Sys().TuneMount("dat", api.MountConfigInput{DelegatedAuthAccessors: []string{upAccessor, upAccessor2, upAccessorMFA}})
+		require.NoError(t, err, "Failed to tune mount to update delegated auth accessors")
+
+		resp, err = clientNoToken.Logical().Write("dat/preauth-test", map[string]interface{}{
+			"accessor": upAccessor2,
+			"path":     "login",
+			"username": "allowed-est-2",
+			"password": "test",
+		})
+
+		require.NoError(st, err, "failed making pre-auth call with allowed-est-2")
+		require.NotNil(st, resp, "pre-auth %s call returned nil with allowed-est-2")
+		require.NotNil(t, resp.Data, "received response with nil Data")
+		require.Equal(st, true, resp.Data["success"], "Got an incorrect response from call in success field with allowed-est-2")
+		require.NotEmpty(st, resp.Data["token"], "no token returned with allowed-est-2 user")
+	})
+
+	// Test we can delegate a permission denied error back to the originating
+	// backend for processing/response to the client
+	t.Run("backend-handles-permission-denied", func(st *testing.T) {
+		resp, err = clientNoToken.Logical().Write("dat/preauth-test", map[string]interface{}{
+			"accessor":     upAccessor,
+			"path":         "login",
+			"username":     "allowed-est",
+			"password":     "test2",
+			"handle_error": true,
+		})
+
+		require.ErrorContains(st, err, "my custom handler: invalid credentials")
+	})
+
+	// Test we can delegate a permission denied error back to the originating
+	// backend for processing/response to the client
+	t.Run("mfa-request-is-denied", func(st *testing.T) {
+		// Mount the totp secrets engine
+		testhelpers.SetupTOTPMount(st, client)
+
+		// Create a test entity and alias
+		totpUser := "test-totp"
+		testhelpers.CreateEntityAndAliasWithinMount(st, client, upAccessorMFA, "userpass-mfa", "entity1", totpUser)
+
+		// Configure a default TOTP method
+		methodID := testhelpers.SetupTOTPMethod(st, client, map[string]interface{}{
+			"issuer":                  "yCorp",
+			"period":                  5,
+			"algorithm":               "SHA256",
+			"digits":                  6,
+			"skew":                    1,
+			"key_size":                20,
+			"qr_size":                 200,
+			"max_validation_attempts": 5,
+			"method_name":             "foo",
+		})
+
+		// Configure a login enforcement specific to the MFA userpass mount to avoid conflicts on others.
+		enforcementConfig := map[string]interface{}{
+			"auth_method_accessors": []string{upAccessorMFA},
+			"name":                  methodID[0:4],
+			"mfa_method_ids":        []string{methodID},
+		}
+
+		testhelpers.SetupMFALoginEnforcement(st, client, enforcementConfig)
+
+		_, err = clientNoToken.Logical().Write("dat/preauth-test", map[string]interface{}{
+			"accessor":     upAccessorMFA,
+			"path":         "login",
+			"username":     totpUser,
+			"password":     "testpassword",
+			"handle_error": false,
+		})
+
+		require.ErrorContains(st, err, "delegated auth request requiring MFA is not supported")
+	})
+
+	// Test the behavior around receiving a request asking for response wrapping and
+	// being delegated to the secondary query we do
+	t.Run("response-wrapping-test", func(st *testing.T) {
+		resWrapClient, err := client.Clone()
+		require.NoError(st, err, "failed cloning client for response wrapping")
+
+		resWrapClient.SetWrappingLookupFunc(func(operation, path string) string {
+			if path == "dat/preauth-test" {
+				return "15s"
+			}
+			return ""
+		})
+
+		resp, err = resWrapClient.Logical().Write("dat/preauth-test", map[string]interface{}{
+			"accessor": upAccessor,
+			"path":     "login",
+			"username": "allowed-est",
+			"password": "test",
+		})
+		require.NoError(st, err, "failed calling preauth-test api with response wrapping")
+		require.NotNil(st, resp, "Got nil, nil response from preauth-test api with response wrapping")
+		require.NotNil(st, resp.WrapInfo, "response object didn't contain wrapped info")
+
+		unwrapClient, err := client.Clone()
+		require.NoError(st, err, "failed cloning client for lookups")
+		wrapToken := resp.WrapInfo.Token
+		unwrapClient.SetToken(wrapToken)
+
+		unwrapResp, err := unwrapClient.Logical().Write("sys/wrapping/unwrap", map[string]interface{}{})
+		require.NoError(st, err, "failed unwrap call")
+		require.NotNil(st, unwrapResp, "unwrap response was nil")
+		require.NotNil(st, unwrapResp.Data, "unwrap response did not contain Data")
+		require.Contains(st, unwrapResp.Data, "success", "unwrap response data did not contain success field")
+		require.Contains(st, unwrapResp.Data, "token", "unwrap response data did not contain token field")
+		require.Equal(st, true, unwrapResp.Data["success"], "Got an incorrect response in success field within unwrap call")
+		require.NotEmptyf(st, unwrapResp.Data["token"], "no token returned by handler within unwrap call")
+	})
 }
diff --git a/command/namespace_delete.go b/command/namespace_delete.go
index f034ec4771af..6986a84ec343 100644
--- a/command/namespace_delete.go
+++ b/command/namespace_delete.go
@@ -5,59 +5,69 @@ package command
 
 import (
 	"fmt"
+	"io"
+	"os"
 	"strings"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
 	"github.com/posener/complete"
 )
 
 var (
-	_ cli.Command             = (*NamespaceDeleteCommand)(nil)
-	_ cli.CommandAutocomplete = (*NamespaceDeleteCommand)(nil)
+	_ cli.Command             = (*DeleteCommand)(nil)
+	_ cli.CommandAutocomplete = (*DeleteCommand)(nil)
 )
 
-type NamespaceDeleteCommand struct {
+type DeleteCommand struct {
 	*BaseCommand
+
+	testStdin io.Reader // for tests
 }
 
-func (c *NamespaceDeleteCommand) Synopsis() string {
-	return "Delete an existing namespace"
+func (c *DeleteCommand) Synopsis() string {
+	return "Delete secrets and configuration"
 }
 
-func (c *NamespaceDeleteCommand) Help() string {
+func (c *DeleteCommand) Help() string {
 	helpText := `
-Usage: vault namespace delete [options] PATH
+Usage: vault delete [options] PATH
+
+  Deletes secrets and configuration from Vault at the given path. The behavior
+  of "delete" is delegated to the backend corresponding to the given path.
+
+  Remove data in the status secret backend:
+
+      $ vault delete secret/my-secret
 
-  Delete an existing namespace. The namespace deleted will be relative to the
-  namespace provided in either the VAULT_NAMESPACE environment variable or
-  -namespace CLI flag.
+  Uninstall an encryption key in the transit backend:
 
-  Delete a namespace (e.g. ns1/):
+      $ vault delete transit/keys/my-key
 
-      $ vault namespace delete ns1
+  Delete an IAM role:
 
-  Delete a namespace namespace from a parent namespace (e.g. ns1/ns2/):
+      $ vault delete aws/roles/ops
 
-      $ vault namespace delete -namespace=ns1 ns2
+  For a full list of examples and paths, please see the documentation that
+  corresponds to the secret backend in use.
 
 ` + c.Flags().Help()
 
 	return strings.TrimSpace(helpText)
 }
 
-func (c *NamespaceDeleteCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP)
+func (c *DeleteCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
 }
 
-func (c *NamespaceDeleteCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultNamespaces()
+func (c *DeleteCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultFiles()
 }
 
-func (c *NamespaceDeleteCommand) AutocompleteFlags() complete.Flags {
+func (c *DeleteCommand) AutocompleteFlags() complete.Flags {
 	return c.Flags().Completions()
 }
 
-func (c *NamespaceDeleteCommand) Run(args []string) int {
+func (c *DeleteCommand) Run(args []string) int {
 	f := c.Flags()
 
 	if err := f.Parse(args); err != nil {
@@ -68,36 +78,51 @@ func (c *NamespaceDeleteCommand) Run(args []string) int {
 	args = f.Args()
 	switch {
 	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected at least 1, got %d)", len(args)))
 		return 1
 	}
 
-	namespacePath := strings.TrimSpace(args[0])
-
 	client, err := c.Client()
 	if err != nil {
 		c.UI.Error(err.Error())
 		return 2
 	}
 
-	secret, err := client.Logical().Delete("sys/namespaces/" + namespacePath)
+	// Pull our fake stdin if needed
+	stdin := (io.Reader)(os.Stdin)
+	if c.testStdin != nil {
+		stdin = c.testStdin
+	}
+
+	path := sanitizePath(args[0])
+
+	data, err := parseArgsDataStringLists(stdin, args[1:])
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Failed to parse string list data: %s", err))
+		return 1
+	}
+
+	secret, err := client.Logical().DeleteWithData(path, data)
 	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error deleting namespace: %s", err))
+		c.UI.Error(fmt.Sprintf("Error deleting %s: %s", path, err))
+		if secret != nil {
+			OutputSecret(c.UI, secret)
+		}
 		return 2
 	}
 
-	if secret != nil {
-		// Likely, we have warnings
-		return OutputSecret(c.UI, secret)
+	if secret == nil {
+		// Don't output anything unless using the "table" format
+		if Format(c.UI) == "table" {
+			c.UI.Info(fmt.Sprintf("Success! Data deleted (if it existed) at: %s", path))
+		}
+		return 0
 	}
 
-	if !strings.HasSuffix(namespacePath, "/") {
-		namespacePath = namespacePath + "/"
+	// Handle single field output
+	if c.flagField != "" {
+		return PrintRawField(c.UI, secret, c.flagField)
 	}
 
-	c.UI.Output(fmt.Sprintf("Success! Namespace deleted at: %s", namespacePath))
-	return 0
+	return OutputSecret(c.UI, secret)
 }
diff --git a/command/namespace_list.go b/command/namespace_list.go
index 8bb30ed9bb3a..6da1d1d7fa91 100644
--- a/command/namespace_list.go
+++ b/command/namespace_list.go
@@ -4,120 +4,141 @@
 package command
 
 import (
-	"fmt"
 	"strings"
+	"testing"
 
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
+	"github.com/hashicorp/cli"
 )
 
-var (
-	_ cli.Command             = (*NamespaceListCommand)(nil)
-	_ cli.CommandAutocomplete = (*NamespaceListCommand)(nil)
-)
-
-type NamespaceListCommand struct {
-	*BaseCommand
-}
+func testDeleteCommand(tb testing.TB) (*cli.MockUi, *DeleteCommand) {
+	tb.Helper()
 
-func (c *NamespaceListCommand) Synopsis() string {
-	return "List child namespaces"
+	ui := cli.NewMockUi()
+	return ui, &DeleteCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
 }
 
-func (c *NamespaceListCommand) Help() string {
-	helpText := `
-Usage: vault namespace list [options]
-
-  Lists the enabled child namespaces.
+func TestDeleteCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"default",
+			[]string{"secret/foo"},
+			"",
+			0,
+		},
+		{
+			"optional_args",
+			[]string{"secret/foo", "bar=baz"},
+			"",
+			0,
+		},
+		{
+			"not_enough_args",
+			[]string{},
+			"Not enough arguments",
+			1,
+		},
+	}
 
-  List all enabled child namespaces:
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
 
-      $ vault namespace list
+		for _, tc := range cases {
+			tc := tc
 
-` + c.Flags().Help()
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
 
-	return strings.TrimSpace(helpText)
-}
+				client, closer := testVaultServer(t)
+				defer closer()
 
-func (c *NamespaceListCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+				ui, cmd := testDeleteCommand(t)
+				cmd.client = client
 
-	f := set.NewFlagSet("Command Options")
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
 
-	f.BoolVar(&BoolVar{
-		Name:    "detailed",
-		Target:  &c.flagDetailed,
-		Default: false,
-		Usage:   "Print detailed information such as namespace ID.",
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
 	})
 
-	return set
-}
-
-func (c *NamespaceListCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictNothing
-}
-
-func (c *NamespaceListCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
+	t.Run("integration", func(t *testing.T) {
+		t.Parallel()
 
-func (c *NamespaceListCommand) Run(args []string) int {
-	f := c.Flags()
+		client, closer := testVaultServer(t)
+		defer closer()
 
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
+		if _, err := client.Logical().Write("secret/delete/foo", map[string]interface{}{
+			"foo": "bar",
+		}); err != nil {
+			t.Fatal(err)
+		}
 
-	args = f.Args()
-	if len(args) > 0 {
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(args)))
-		return 1
-	}
+		ui, cmd := testDeleteCommand(t)
+		cmd.client = client
 
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
+		code := cmd.Run([]string{
+			"secret/delete/foo",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
 
-	secret, err := client.Logical().List("sys/namespaces")
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error listing namespaces: %s", err))
-		return 2
-	}
+		expected := "Success! Data deleted (if it existed) at: secret/delete/foo"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
 
-	_, ok := extractListData(secret)
-	if Format(c.UI) != "table" {
-		if secret == nil || secret.Data == nil || !ok {
-			OutputData(c.UI, map[string]interface{}{})
-			return 2
+		secret, _ := client.Logical().Read("secret/delete/foo")
+		if secret != nil {
+			t.Errorf("expected deletion: %#v", secret)
 		}
-	}
+	})
 
-	if secret == nil {
-		c.UI.Error("No namespaces found")
-		return 2
-	}
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
 
-	// There could be e.g. warnings
-	if secret.Data == nil {
-		return OutputSecret(c.UI, secret)
-	}
+		client, closer := testVaultServerBad(t)
+		defer closer()
 
-	if secret.WrapInfo != nil && secret.WrapInfo.TTL != 0 {
-		return OutputSecret(c.UI, secret)
-	}
+		ui, cmd := testDeleteCommand(t)
+		cmd.client = client
 
-	if !ok {
-		c.UI.Error("No entries found")
-		return 2
-	}
+		code := cmd.Run([]string{
+			"secret/delete/foo",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
 
-	if c.flagDetailed && Format(c.UI) != "table" {
-		return OutputData(c.UI, secret.Data["key_info"])
-	}
+		expected := "Error deleting secret/delete/foo: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
 
-	return OutputList(c.UI, secret)
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testDeleteCommand(t)
+		assertNoTabs(t, cmd)
+	})
 }
diff --git a/command/namespace_lookup.go b/command/namespace_lookup.go
index 480da0b914fa..1a30e1615958 100644
--- a/command/namespace_lookup.go
+++ b/command/namespace_lookup.go
@@ -1,93 +1,147 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*NamespaceLookupCommand)(nil)
-	_ cli.CommandAutocomplete = (*NamespaceLookupCommand)(nil)
-)
-
-type NamespaceLookupCommand struct {
-	*BaseCommand
-}
-
-func (c *NamespaceLookupCommand) Synopsis() string {
-	return "Look up an existing namespace"
-}
-
-func (c *NamespaceLookupCommand) Help() string {
-	helpText := `
-Usage: vault namespace lookup [options] PATH
-
-  Get information about the namespace of the locally authenticated token:
-
-      $ vault namespace lookup
-
-  Get information about the namespace of a particular child token (e.g. ns1/ns2/):
-
-      $ vault namespace lookup -namespace=ns1 ns2
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *NamespaceLookupCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-}
-
-func (c *NamespaceLookupCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultNamespaces()
-}
-
-func (c *NamespaceLookupCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *NamespaceLookupCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
-	}
-
-	namespacePath := strings.TrimSpace(args[0])
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	secret, err := client.Logical().Read("sys/namespaces/" + namespacePath)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error looking up namespace: %s", err))
-		return 2
-	}
-	if secret == nil {
-		c.UI.Error("Namespace not found")
-		return 2
-	}
-
-	return OutputSecret(c.UI, secret)
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<KvPageHeader @breadcrumbs={{@breadcrumbs}} @pageTitle={{@path}}>
+  <:syncDetails>
+    {{#if this.syncStatus}}
+      <Hds::Alert data-test-sync-alert @type="page" @color="neutral" @icon={{false}} as |A|>
+        <A.Title>
+          This secret has been synced from Vault to other destinations, updates to the secret will get automatically synced
+          to destinations.
+        </A.Title>
+
+        {{#each this.syncStatus as |status|}}
+          <A.Description data-test-sync-alert={{status.destinationName}}>
+            <SyncStatusBadge @status={{status.syncStatus}} />
+            <Hds::Link::Inline
+              @route="syncDestination"
+              @color="secondary"
+              @isRouteExternal={{true}}
+              @models={{array status.destinationType status.destinationName}}
+            >
+              {{status.destinationName}}
+            </Hds::Link::Inline>
+            - last updated
+            {{date-format status.updatedAt "MMMM do yyyy, h:mm:ss a"}}
+          </A.Description>
+        {{/each}}
+
+        <A.Button
+          @icon={{if this.fetchSyncStatus.isRunning "loading"}}
+          @text="Refresh"
+          @color="secondary"
+          {{on "click" (perform this.fetchSyncStatus)}}
+        />
+        <A.Link::Standalone
+          @isHrefExternal={{true}}
+          @icon="docs-link"
+          @text="About sync statuses"
+          @href={{doc-link "/vault/docs/sync#sync-statuses"}}
+        />
+      </Hds::Alert>
+    {{/if}}
+  </:syncDetails>
+
+  <:tabLinks>
+    <LinkTo @route="secret.details" data-test-secrets-tab="Secret">Secret</LinkTo>
+    <LinkTo @route="secret.metadata.index" data-test-secrets-tab="Metadata">Metadata</LinkTo>
+    <LinkTo @route="secret.paths" data-test-secrets-tab="Paths">Paths</LinkTo>
+    {{#if @secret.canReadMetadata}}
+      <LinkTo @route="secret.metadata.versions" data-test-secrets-tab="Version History">Version History</LinkTo>
+    {{/if}}
+  </:tabLinks>
+
+  <:toolbarFilters>
+    {{#unless this.emptyState}}
+      <Toggle
+        @name="json"
+        @checked={{or this.showJsonView this.secretDataIsAdvanced}}
+        @onChange={{fn (mut this.showJsonView)}}
+        @disabled={{this.secretDataIsAdvanced}}
+      >
+        <span class="has-text-grey">JSON</span>
+      </Toggle>
+    {{/unless}}
+  </:toolbarFilters>
+  <:toolbarActions>
+    {{#if this.showUndelete}}
+      <Hds::Button
+        @text="Undelete"
+        @color="secondary"
+        class="toolbar-button"
+        data-test-kv-delete="undelete"
+        {{on "click" this.undelete}}
+      />
+    {{/if}}
+    {{#if this.showDelete}}
+      <KvDeleteModal
+        @mode="delete"
+        @secret={{@secret}}
+        @metadata={{@metadata}}
+        @onDelete={{this.handleDestruction}}
+        @version={{this.version}}
+      />
+    {{/if}}
+    {{#if this.showDestroy}}
+      <KvDeleteModal @mode="destroy" @secret={{@secret}} @onDelete={{this.handleDestruction}} @version={{this.version}} />
+    {{/if}}
+    {{#if (or @secret.canReadData @secret.canReadMetadata @secret.canEditData)}}
+      <div class="toolbar-separator"></div>
+    {{/if}}
+    {{#if (and @secret.canReadData (eq @secret.state "created"))}}
+      <CopySecretDropdown
+        @clipboardText={{stringify @secret.secretData}}
+        @onWrap={{perform this.wrapSecret}}
+        @isWrapping={{this.wrapSecret.isRunning}}
+        @wrappedData={{this.wrappedData}}
+        @onClose={{this.clearWrappedData}}
+      />
+    {{/if}}
+    {{#if @secret.canReadMetadata}}
+      <KvVersionDropdown @displayVersion={{this.version}} @metadata={{@metadata}} @onClose={{this.closeVersionMenu}} />
+    {{/if}}
+    {{#if @secret.canEditData}}
+      <ToolbarLink data-test-create-new-version @route="secret.details.edit" @type="add">Create new version</ToolbarLink>
+    {{/if}}
+  </:toolbarActions>
+</KvPageHeader>
+
+{{#if (or @secret.isSecretDeleted (not this.emptyState))}}
+  <div class="info-table-row-header">
+    <div class="info-table-row thead {{if this.showJsonView 'is-shadowless'}} ">
+      {{#unless this.hideHeaders}}
+        <div class="th column is-one-quarter">
+          Key
+        </div>
+        <div class="th column">
+          Value
+        </div>
+      {{/unless}}
+      <div class="th column justify-right">
+        {{#if (or @secret.isSecretDeleted @secret.createdTime)}}
+          <KvTooltipTimestamp
+            @text="Version {{if @secret.version @secret.version}} {{@secret.state}}"
+            @timestamp={{(if @secret.isSecretDeleted @secret.deletionTime @secret.createdTime)}}
+          />
+        {{/if}}
+      </div>
+    </div>
+  </div>
+{{/if}}
+
+{{#if this.emptyState}}
+  <EmptyState @title={{this.emptyState.title}} @message={{this.emptyState.message}}>
+    {{#if this.emptyState.link}}
+      <DocLink @path={{this.emptyState.link}}>Learn more</DocLink>
+    {{/if}}
+  </EmptyState>
+{{else}}
+  <KvDataFields
+    @showJson={{or this.showJsonView this.secretDataIsAdvanced}}
+    @secret={{@secret}}
+    @modelValidations={{this.modelValidations}}
+    @type="details"
+  />
+{{/if}}
\ No newline at end of file
diff --git a/command/namespace_patch.go b/command/namespace_patch.go
index 40c1d05f9d73..7fab1676b192 100644
--- a/command/namespace_patch.go
+++ b/command/namespace_patch.go
@@ -1,141 +1,224 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"context"
-	"fmt"
-	"net/http"
-	"strings"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*NamespacePatchCommand)(nil)
-	_ cli.CommandAutocomplete = (*NamespacePatchCommand)(nil)
-)
-
-type NamespacePatchCommand struct {
-	*BaseCommand
-
-	flagCustomMetadata       map[string]string
-	flagRemoveCustomMetadata []string
-}
-
-func (c *NamespacePatchCommand) Synopsis() string {
-	return "Patch an existing namespace"
-}
-
-func (c *NamespacePatchCommand) Help() string {
-	helpText := `
-Usage: vault namespace patch [options] PATH
-
-  Patch an existing namespace. The namespace patched will be relative to the
-  namespace provided in either the VAULT_NAMESPACE environment variable or
-  -namespace CLI flag.
-
-  Patch an existing child namespace by adding and removing custom-metadata (e.g. ns1/):
-
-      $ vault namespace patch -custom-metadata=foo=abc -remove-custom-metadata=bar ns1
-
-  Patch an existing child namespace from a parent namespace (e.g. ns1/ns2/):
-
-      $ vault namespace patch -namespace=ns1 -custom-metadata=foo=abc ns2
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *NamespacePatchCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
-
-	f := set.NewFlagSet("Command Options")
-	f.StringMapVar(&StringMapVar{
-		Name:    "custom-metadata",
-		Target:  &c.flagCustomMetadata,
-		Default: map[string]string{},
-		Usage: "Specifies arbitrary key=value metadata meant to describe a namespace." +
-			"This can be specified multiple times to add multiple pieces of metadata.",
-	})
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:    "remove-custom-metadata",
-		Target:  &c.flagRemoveCustomMetadata,
-		Default: []string{},
-		Usage:   "Key to remove from custom metadata. To specify multiple values, specify this flag multiple times.",
-	})
-
-	return set
-}
-
-func (c *NamespacePatchCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictNothing
-}
-
-func (c *NamespacePatchCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *NamespacePatchCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
-	}
-
-	namespacePath := strings.TrimSpace(args[0])
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	data := make(map[string]interface{})
-	customMetadata := make(map[string]interface{})
-
-	for key, value := range c.flagCustomMetadata {
-		customMetadata[key] = value
-	}
-
-	for _, key := range c.flagRemoveCustomMetadata {
-		// A null in a JSON merge patch payload will remove the associated key
-		customMetadata[key] = nil
-	}
-
-	data["custom_metadata"] = customMetadata
-
-	secret, err := client.Logical().JSONMergePatch(context.Background(), "sys/namespaces/"+namespacePath, data)
-	if err != nil {
-		if re, ok := err.(*api.ResponseError); ok && re.StatusCode == http.StatusNotFound {
-			c.UI.Error("Namespace not found")
-			return 2
-		}
-
-		c.UI.Error(fmt.Sprintf("Error patching namespace: %s", err))
-		return 2
-	}
-
-	// Handle single field output
-	if c.flagField != "" {
-		return PrintRawField(c.UI, secret, c.flagField)
-	}
-
-	return OutputSecret(c.UI, secret)
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Component from '@glimmer/component';
+import { action } from '@ember/object';
+import { tracked } from '@glimmer/tracking';
+import { next } from '@ember/runloop';
+import { inject as service } from '@ember/service';
+import { task } from 'ember-concurrency';
+import { waitFor } from '@ember/test-waiters';
+import { isDeleted } from 'kv/utils/kv-deleted';
+
+/**
+ * @module KvSecretDetails renders the key/value data of a KV secret.
+ * It also renders a dropdown to display different versions of the secret.
+ * <Page::Secret::Details
+ *  @path={{this.model.path}}
+ *  @secret={{this.model.secret}}
+ *  @metadata={{this.model.metadata}}
+ *  @breadcrumbs={{this.breadcrumbs}}
+  />
+ *
+ * @param {string} path - path of kv secret 'my/secret' used as the title for the KV page header
+ * @param {model} secret - Ember data model: 'kv/data'
+ * @param {model} metadata - Ember data model: 'kv/metadata'
+ * @param {array} breadcrumbs - Array to generate breadcrumbs, passed to the page header component
+ */
+
+export default class KvSecretDetails extends Component {
+  @service flashMessages;
+  @service router;
+  @service store;
+
+  @tracked showJsonView = false;
+  @tracked wrappedData = null;
+  secretDataIsAdvanced;
+
+  constructor() {
+    super(...arguments);
+    this.originalSecret = JSON.stringify(this.args.secret.secretData || {});
+    if (this.originalSecret.lastIndexOf('{') > 0) {
+      // Dumb way to check if there's a nested object in the secret
+      this.secretDataIsAdvanced = true;
+    }
+    this.fetchSyncStatus.perform();
+  }
+
+  @action
+  closeVersionMenu(dropdown) {
+    // strange issue where closing dropdown triggers full transition (which redirects to auth screen in production)
+    // closing dropdown in next tick of run loop fixes it
+    next(() => dropdown.actions.close());
+  }
+
+  @action
+  clearWrappedData() {
+    this.wrappedData = null;
+  }
+
+  @task
+  @waitFor
+  *wrapSecret() {
+    const { backend, path } = this.args.secret;
+    const adapter = this.store.adapterFor('kv/data');
+    try {
+      const { token } = yield adapter.fetchWrapInfo({ backend, path, wrapTTL: 1800 });
+      if (!token) throw 'No token';
+      this.wrappedData = token;
+      this.flashMessages.success('Secret successfully wrapped!');
+    } catch (error) {
+      this.flashMessages.danger('Could not wrap secret.');
+    }
+  }
+
+  @task
+  @waitFor
+  *fetchSyncStatus() {
+    const { backend, path } = this.args.secret;
+    const syncAdapter = this.store.adapterFor('sync/association');
+    try {
+      this.syncStatus = yield syncAdapter.fetchSyncStatus({ mount: backend, secretName: path });
+    } catch (e) {
+      // silently error
+    }
+  }
+
+  @action
+  async undelete() {
+    const { secret } = this.args;
+    try {
+      await secret.destroyRecord({
+        adapterOptions: { deleteType: 'undelete', deleteVersions: this.version },
+      });
+      this.flashMessages.success(`Successfully undeleted ${secret.path}.`);
+      this.refreshRoute();
+    } catch (err) {
+      this.flashMessages.danger(
+        `There was a problem undeleting ${secret.path}. Error: ${err.errors?.join(' ')}.`
+      );
+    }
+  }
+
+  @action
+  async handleDestruction(type) {
+    const { secret } = this.args;
+    try {
+      await secret.destroyRecord({ adapterOptions: { deleteType: type, deleteVersions: this.version } });
+      this.flashMessages.success(`Successfully ${secret.state} Version ${this.version} of ${secret.path}.`);
+      this.refreshRoute();
+    } catch (err) {
+      const verb = type.includes('delete') ? 'deleting' : 'destroying';
+      this.flashMessages.danger(
+        `There was a problem ${verb} Version ${this.version} of ${secret.path}. Error: ${err.errors.join(
+          ' '
+        )}.`
+      );
+    }
+  }
+
+  refreshRoute() {
+    // transition to the parent secret route to refresh both metadata and data models
+    this.router.transitionTo('vault.cluster.secrets.backend.kv.secret', {
+      queryParams: { version: this.version },
+    });
+  }
+
+  get version() {
+    return (
+      this.args.secret?.version ||
+      this.router.currentRoute.queryParams?.version ||
+      this.args.metadata?.sortedVersions[0].version
+    );
+  }
+
+  get hideHeaders() {
+    return this.showJsonView || this.emptyState;
+  }
+
+  get versionState() {
+    const { secret, metadata } = this.args;
+    if (secret.failReadErrorCode !== 403) {
+      return secret.state;
+    }
+    // If the user can't read secret data, get the current version
+    // state from metadata versions
+    if (metadata?.sortedVersions) {
+      const version = this.version;
+      const meta = version
+        ? metadata.sortedVersions.find((v) => v.version == version)
+        : metadata.sortedVersions[0];
+      if (meta?.destroyed) {
+        return 'destroyed';
+      }
+      if (isDeleted(meta?.deletion_time)) {
+        return 'deleted';
+      }
+      if (meta?.created_time) {
+        return 'created';
+      }
+    }
+    return '';
+  }
+
+  get showUndelete() {
+    const { secret } = this.args;
+    if (secret.canUndelete) {
+      return this.versionState === 'deleted';
+    }
+    return false;
+  }
+
+  get showDelete() {
+    const { secret } = this.args;
+    if (secret.canDeleteVersion || secret.canDeleteLatestVersion) {
+      return this.versionState === 'created' || this.versionState === '';
+    }
+    return false;
+  }
+
+  get showDestroy() {
+    const { secret } = this.args;
+    if (secret.canDestroyVersion) {
+      return this.versionState !== 'destroyed' && this.version;
+    }
+    return false;
+  }
+
+  get emptyState() {
+    if (!this.args.secret.canReadData) {
+      return {
+        title: 'You do not have permission to read this secret',
+        message:
+          'Your policies may permit you to write a new version of this secret, but do not allow you to read its current contents.',
+      };
+    }
+    // only destructure if we can read secret data
+    const { version, destroyed, isSecretDeleted } = this.args.secret;
+    if (destroyed) {
+      return {
+        title: `Version ${version} of this secret has been permanently destroyed`,
+        message: `A version that has been permanently deleted cannot be restored. ${
+          this.args.secret.canReadMetadata
+            ? ' You can view other versions of this secret in the Version History tab above.'
+            : ''
+        }`,
+        link: '/vault/docs/secrets/kv/kv-v2',
+      };
+    }
+    if (isSecretDeleted) {
+      return {
+        title: `Version ${version} of this secret has been deleted`,
+        message: `This version has been deleted but can be undeleted. ${
+          this.args.secret.canReadMetadata
+            ? 'View other versions of this secret by clicking the Version History tab above.'
+            : ''
+        }`,
+        link: '/vault/docs/secrets/kv/kv-v2',
+      };
+    }
+    return false;
+  }
 }
diff --git a/command/operator.go b/command/operator.go
index 94b02994d807..06439b8a5a0f 100644
--- a/command/operator.go
+++ b/command/operator.go
@@ -1,50 +1,193 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"strings"
-
-	"github.com/mitchellh/cli"
-)
-
-var _ cli.Command = (*OperatorCommand)(nil)
-
-type OperatorCommand struct {
-	*BaseCommand
-}
-
-func (c *OperatorCommand) Synopsis() string {
-	return "Perform operator-specific tasks"
-}
-
-func (c *OperatorCommand) Help() string {
-	helpText := `
-Usage: vault operator <subcommand> [options] [args]
-
-  This command groups subcommands for operators interacting with Vault. Most
-  users will not need to interact with these commands. Here are a few examples
-  of the operator commands:
-
-  Initialize a new Vault cluster:
-
-      $ vault operator init
-
-  Force a Vault to resign leadership in a cluster:
-
-      $ vault operator step-down
-
-  Rotate Vault's underlying encryption key:
-
-      $ vault operator rotate
-
-  Please see the individual subcommand help for detailed usage information.
-`
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *OperatorCommand) Run(args []string) int {
-	return cli.RunResultHelp
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+{{#if @backend}}
+  {{#if this.formErrors}}
+    <Hds::Alert data-test-keymgmt-distribute-error @type="inline" @color="critical" as |A|>
+      <A.Title>Error</A.Title>
+      <A.Description>{{this.formErrors}}</A.Description>
+    </Hds::Alert>
+  {{/if}}
+  <form {{on "submit" (perform this.createDistribution)}} class="form-section" data-test-keymgmt-distribution-form>
+    {{#unless @key}}
+      <div class="field" data-test-keymgmt-dist-key>
+        <SearchSelect
+          @id="key"
+          @models={{array "keymgmt/key"}}
+          @onChange={{this.handleKeySelect}}
+          @passObject={{true}}
+          @inputValue={{this.formData.key}}
+          @subText="Type to use the name of an existing key that you’d like to add to this provider, or to create one."
+          @wildcardLabel="key"
+          @label="Key name"
+          @fallbackComponent="string-list"
+          @selectLimit="1"
+          @backend={{@backend}}
+          @disallowNewItems={{false}}
+        >
+          {{#if (and this.validMatchError.key (not this.isNewKey))}}
+            <Hds::Alert class="has-top-margin-s" @type="inline" @color="warning" data-test-keymgmt-error="key" as |A|>
+              <A.Description>
+                {{this.validMatchError.key}}
+                To check compatibility,
+                <Hds::Link::Inline
+                  @icon="docs-link"
+                  @iconPosition="trailing"
+                  @isHrefExternal={{true}}
+                  @href={{doc-link "/vault/docs/secrets/key-management#compatibility"}}
+                >
+                  refer to this table
+                </Hds::Link::Inline>.
+              </A.Description>
+            </Hds::Alert>
+          {{/if}}
+        </SearchSelect>
+      </div>
+    {{/unless}}
+
+    {{#if this.isNewKey}}
+      <div class="field">
+        <label class="is-label" for="keyType">Key Type</label>
+        <p class="sub-text">The type of cryptographic key that will be created.</p>
+        <div class="control is-expanded">
+          <div class="select is-fullwidth">
+            <select
+              name="keyType"
+              id="keyType"
+              {{on "change" this.handleKeyType}}
+              class={{if this.validMatchError.key "has-error-border"}}
+              data-test-keymgmt-dist-keytype
+            >
+              <option value="">
+                Select one
+              </option>
+              {{#each this.keyTypes as |val|}}
+                <option selected={{eq this.keyType val}} value={{val}}>
+                  {{val}}
+                </option>
+              {{/each}}
+            </select>
+          </div>
+          {{#if this.validMatchError.key}}
+            <Hds::Alert class="has-top-margin-s" @type="inline" @color="warning" data-test-keymgmt-error="new-key" as |A|>
+              <A.Description>
+                {{this.validMatchError.key}}
+                To check compatibility,
+                <Hds::Link::Inline
+                  @icon="docs-link"
+                  @iconPosition="trailing"
+                  @isHrefExternal={{true}}
+                  @href={{doc-link "/vault/docs/secrets/key-management#compatibility"}}
+                >
+                  refer to this table
+                </Hds::Link::Inline>.
+              </A.Description>
+            </Hds::Alert>
+          {{/if}}
+        </div>
+      </div>
+    {{/if}}
+
+    {{#unless @provider}}
+      <div class="field">
+        <SearchSelect
+          @id="provider"
+          @models={{array "keymgmt/provider"}}
+          @onChange={{this.handleProvider}}
+          @passObject={{false}}
+          @inputValue={{this.formData.provider}}
+          @subText="Select a provider in Vault. If it doesn’t exist yet, you’ll need to add it first."
+          @label="Provider"
+          @fallbackComponent="input-search"
+          @selectLimit="1"
+          @backend={{@backend}}
+          @disallowNewItems={{true}}
+          data-test-keymgmt-dist-provider
+        >
+          {{#if this.validMatchError.provider}}
+            <Hds::Alert class="has-top-margin-s" @type="inline" @color="warning" data-test-keymgmt-error="provider" as |A|>
+              <A.Description>
+                {{this.validMatchError.provider}}
+                To check compatibility,
+                <Hds::Link::Inline
+                  @icon="docs-link"
+                  @iconPosition="trailing"
+                  @isHrefExternal={{true}}
+                  @href={{doc-link "/vault/docs/secrets/key-management#compatibility"}}
+                >
+                  refer to this table
+                </Hds::Link::Inline>.
+              </A.Description>
+            </Hds::Alert>
+          {{/if}}
+        </SearchSelect>
+      </div>
+    {{/unless}}
+
+    <fieldset
+      class="field form-fieldset"
+      id="operations"
+      disabled={{this.disableOperations}}
+      data-test-keymgmt-dist-operations
+    >
+      <legend class="is-label">Operations</legend>
+      <p class="sub-text">The types of operations this key can perform in the provider.</p>
+      {{#each this.operations as |op|}}
+        <div class="b-checkbox">
+          <Input
+            @type="checkbox"
+            id={{op}}
+            class="styled"
+            @checked={{false}}
+            {{on "input" this.handleOperation}}
+            data-test-operation={{op}}
+          />
+          <label for={{op}}>{{capitalize op}}</label>
+        </div>
+      {{/each}}
+    </fieldset>
+
+    <fieldset class="field form-fieldset" id="protection" data-test-keymgmt-dist-protections>
+      <legend class="is-label">Protection</legend>
+      <p class="sub-text">Specifies the protection of the key.</p>
+      <div>
+        <RadioButton
+          id="protection-hsm"
+          name="hsm"
+          class="radio"
+          data-test-protection="hsm"
+          @value="hsm"
+          @groupValue={{this.formData.protection}}
+          @onChange={{fn (mut this.formData.protection)}}
+        />
+        <label for="protection-hsm">HSM</label>
+      </div>
+      <div>
+        <RadioButton
+          id="protection-software"
+          name="software"
+          class="radio"
+          data-test-protection="software"
+          @value="software"
+          @groupValue={{this.formData.protection}}
+          @onChange={{fn (mut this.formData.protection)}}
+        />
+        <label for="protection-software">Software</label>
+      </div>
+    </fieldset>
+
+    <hr class="has-background-gray-100" />
+    <Hds::ButtonSet>
+      <Hds::Button
+        @text={{if (or (not @key) this.isNewKey) "Add key" "Distribute key"}}
+        @icon={{if this.createDistribution.isRunning "loading"}}
+        type="submit"
+        data-test-secret-save
+        disabled={{this.createDistribution.isRunning}}
+      />
+      <Hds::Button @text="Cancel" @color="secondary" {{on "click" @onClose}} />
+    </Hds::ButtonSet>
+  </form>
+{{/if}}
\ No newline at end of file
diff --git a/command/operator_diagnose.go b/command/operator_diagnose.go
index 360feb287be3..20edb9d62dc8 100644
--- a/command/operator_diagnose.go
+++ b/command/operator_diagnose.go
@@ -1,797 +1,13 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"os"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/hashicorp/go-kms-wrapping/entropy/v2"
-
-	"golang.org/x/term"
-
-	"github.com/hashicorp/consul/api"
-	log "github.com/hashicorp/go-hclog"
-	"github.com/hashicorp/go-secure-stdlib/reloadutil"
-	uuid "github.com/hashicorp/go-uuid"
-	cserver "github.com/hashicorp/vault/command/server"
-	"github.com/hashicorp/vault/helper/constants"
-	"github.com/hashicorp/vault/helper/metricsutil"
-	"github.com/hashicorp/vault/internalshared/configutil"
-	"github.com/hashicorp/vault/internalshared/listenerutil"
-	physconsul "github.com/hashicorp/vault/physical/consul"
-	"github.com/hashicorp/vault/physical/raft"
-	"github.com/hashicorp/vault/sdk/physical"
-	sr "github.com/hashicorp/vault/serviceregistration"
-	srconsul "github.com/hashicorp/vault/serviceregistration/consul"
-	"github.com/hashicorp/vault/vault"
-	"github.com/hashicorp/vault/vault/diagnose"
-	"github.com/hashicorp/vault/vault/hcp_link"
-	"github.com/hashicorp/vault/version"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-const CoreConfigUninitializedErr = "Diagnose cannot attempt this step because core config could not be set."
-
-var (
-	_ cli.Command             = (*OperatorDiagnoseCommand)(nil)
-	_ cli.CommandAutocomplete = (*OperatorDiagnoseCommand)(nil)
-)
-
-type OperatorDiagnoseCommand struct {
-	*BaseCommand
-	diagnose *diagnose.Session
-
-	flagDebug    bool
-	flagSkips    []string
-	flagConfigs  []string
-	cleanupGuard sync.Once
-
-	reloadFuncsLock      *sync.RWMutex
-	reloadFuncs          *map[string][]reloadutil.ReloadFunc
-	ServiceRegistrations map[string]sr.Factory
-	startedCh            chan struct{} // for tests
-	reloadedCh           chan struct{} // for tests
-	skipEndEnd           bool          // for tests
-}
-
-func (c *OperatorDiagnoseCommand) Synopsis() string {
-	return "Troubleshoot problems starting Vault"
-}
-
-func (c *OperatorDiagnoseCommand) Help() string {
-	helpText := `
-Usage: vault operator diagnose
-
-  This command troubleshoots Vault startup issues, such as TLS configuration or
-  auto-unseal. It should be run using the same environment variables and configuration
-  files as the "vault server" command, so that startup problems can be accurately
-  reproduced.
-
-  Start diagnose with a configuration file:
-
-     $ vault operator diagnose -config=/etc/vault/config.hcl
-
-  Perform a diagnostic check while Vault is still running:
-
-     $ vault operator diagnose -config=/etc/vault/config.hcl -skip=listener
-
-` + c.Flags().Help()
-	return strings.TrimSpace(helpText)
-}
-
-func (c *OperatorDiagnoseCommand) Flags() *FlagSets {
-	set := NewFlagSets(c.UI)
-	f := set.NewFlagSet("Command Options")
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:   "config",
-		Target: &c.flagConfigs,
-		Completion: complete.PredictOr(
-			complete.PredictFiles("*.hcl"),
-			complete.PredictFiles("*.json"),
-			complete.PredictDirs("*"),
-		),
-		Usage: "Path to a Vault configuration file or directory of configuration " +
-			"files. This flag can be specified multiple times to load multiple " +
-			"configurations. If the path is a directory, all files which end in " +
-			".hcl or .json are loaded.",
-	})
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:   "skip",
-		Target: &c.flagSkips,
-		Usage:  "Skip the health checks named as arguments. May be 'listener', 'storage', or 'autounseal'.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "debug",
-		Target:  &c.flagDebug,
-		Default: false,
-		Usage:   "Dump all information collected by Diagnose.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:   "format",
-		Target: &c.flagFormat,
-		Usage:  "The output format",
-	})
-	return set
-}
-
-func (c *OperatorDiagnoseCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictNothing
-}
-
-func (c *OperatorDiagnoseCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-const (
-	status_unknown = "[      ] "
-	status_ok      = "\u001b[32m[  ok  ]\u001b[0m "
-	status_failed  = "\u001b[31m[failed]\u001b[0m "
-	status_warn    = "\u001b[33m[ warn ]\u001b[0m "
-	same_line      = "\u001b[F"
-)
-
-func (c *OperatorDiagnoseCommand) Run(args []string) int {
-	f := c.Flags()
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 3
-	}
-	return c.RunWithParsedFlags()
-}
-
-func (c *OperatorDiagnoseCommand) RunWithParsedFlags() int {
-	if len(c.flagConfigs) == 0 {
-		c.UI.Error("Must specify a configuration file using -config.")
-		return 3
-	}
-
-	if c.diagnose == nil {
-		if c.flagFormat == "json" {
-			c.diagnose = diagnose.New(io.Discard)
-		} else {
-			c.UI.Output(version.GetVersion().FullVersionNumber(true))
-			c.diagnose = diagnose.New(os.Stdout)
-		}
-	}
-	ctx := diagnose.Context(context.Background(), c.diagnose)
-	c.diagnose.SkipFilters = c.flagSkips
-	err := c.offlineDiagnostics(ctx)
-
-	results := c.diagnose.Finalize(ctx)
-	if c.flagFormat == "json" {
-		resultsJS, err := json.MarshalIndent(results, "", "  ")
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "Error marshalling results: %v.", err)
-			return 4
-		}
-		c.UI.Output(string(resultsJS))
-	} else {
-		c.UI.Output("\nResults:")
-		w, _, err := term.GetSize(0)
-		if err == nil {
-			results.Write(os.Stdout, w)
-		} else {
-			results.Write(os.Stdout, 0)
-		}
-	}
-
-	if err != nil {
-		return 4
-	}
-	// Use a different return code
-	switch results.Status {
-	case diagnose.WarningStatus:
-		return 2
-	case diagnose.ErrorStatus:
-		return 1
-	}
-	return 0
-}
-
-func (c *OperatorDiagnoseCommand) offlineDiagnostics(ctx context.Context) error {
-	rloadFuncs := make(map[string][]reloadutil.ReloadFunc)
-	server := &ServerCommand{
-		// TODO: set up a different one?
-		// In particular, a UI instance that won't output?
-		BaseCommand: c.BaseCommand,
-
-		// TODO: refactor to a common place?
-		AuditBackends:        auditBackends,
-		CredentialBackends:   credentialBackends,
-		LogicalBackends:      logicalBackends,
-		PhysicalBackends:     physicalBackends,
-		ServiceRegistrations: serviceRegistrations,
-
-		// TODO: other ServerCommand options?
-
-		logger: log.NewInterceptLogger(&log.LoggerOptions{
-			Level: log.Off,
-		}),
-		allLoggers:      []log.Logger{},
-		reloadFuncs:     &rloadFuncs,
-		reloadFuncsLock: new(sync.RWMutex),
-	}
-
-	ctx, span := diagnose.StartSpan(ctx, "Vault Diagnose")
-	defer span.End()
-
-	// OS Specific checks
-	diagnose.OSChecks(ctx)
-
-	var config *cserver.Config
-
-	diagnose.Test(ctx, "Parse Configuration", func(ctx context.Context) (err error) {
-		server.flagConfigs = c.flagConfigs
-		var configErrors []configutil.ConfigError
-		config, configErrors, err = server.parseConfig()
-		if err != nil {
-			return fmt.Errorf("Could not parse configuration: %w.", err)
-		}
-		for _, ce := range configErrors {
-			diagnose.Warn(ctx, diagnose.CapitalizeFirstLetter(ce.String())+".")
-		}
-		diagnose.Success(ctx, "Vault configuration syntax is ok.")
-		return nil
-	})
-	if config == nil {
-		return fmt.Errorf("No vault server configuration found.")
-	}
-
-	diagnose.Test(ctx, "Check Telemetry", func(ctx context.Context) (err error) {
-		if config.Telemetry == nil {
-			diagnose.Warn(ctx, "Telemetry is using default configuration")
-			diagnose.Advise(ctx, "By default only Prometheus and JSON metrics are available.  Ignore this warning if you are using telemetry or are using these metrics and are satisfied with the default retention time and gauge period.")
-		} else {
-			t := config.Telemetry
-			// If any Circonus setting is present but we're missing the basic fields...
-			if coalesce(t.CirconusAPIURL, t.CirconusAPIToken, t.CirconusCheckID, t.CirconusCheckTags, t.CirconusCheckSearchTag,
-				t.CirconusBrokerID, t.CirconusBrokerSelectTag, t.CirconusCheckForceMetricActivation, t.CirconusCheckInstanceID,
-				t.CirconusCheckSubmissionURL, t.CirconusCheckDisplayName) != nil {
-				if t.CirconusAPIURL == "" {
-					return errors.New("incomplete Circonus telemetry configuration, missing circonus_api_url")
-				} else if t.CirconusAPIToken != "" {
-					return errors.New("incomplete Circonus telemetry configuration, missing circonus_api_token")
-				}
-			}
-			if len(t.DogStatsDTags) > 0 && t.DogStatsDAddr == "" {
-				return errors.New("incomplete DogStatsD telemetry configuration, missing dogstatsd_addr, while dogstatsd_tags specified")
-			}
-
-			// If any Stackdriver setting is present but we're missing the basic fields...
-			if coalesce(t.StackdriverNamespace, t.StackdriverLocation, t.StackdriverDebugLogs, t.StackdriverNamespace) != nil {
-				if t.StackdriverProjectID == "" {
-					return errors.New("incomplete Stackdriver telemetry configuration, missing stackdriver_project_id")
-				}
-				if t.StackdriverLocation == "" {
-					return errors.New("incomplete Stackdriver telemetry configuration, missing stackdriver_location")
-				}
-				if t.StackdriverNamespace == "" {
-					return errors.New("incomplete Stackdriver telemetry configuration, missing stackdriver_namespace")
-				}
-			}
-		}
-		return nil
-	})
-
-	var metricSink *metricsutil.ClusterMetricSink
-	var metricsHelper *metricsutil.MetricsHelper
-
-	var backend *physical.Backend
-	diagnose.Test(ctx, "Check Storage", func(ctx context.Context) error {
-		// Ensure that there is a storage stanza
-		if config.Storage == nil {
-			diagnose.Advise(ctx, "To learn how to specify a storage backend, see the Vault server configuration documentation.")
-			return fmt.Errorf("No storage stanza in Vault server configuration.")
-		}
-
-		diagnose.Test(ctx, "Create Storage Backend", func(ctx context.Context) error {
-			b, err := server.setupStorage(config)
-			if err != nil {
-				return err
-			}
-			if b == nil {
-				diagnose.Advise(ctx, "To learn how to specify a storage backend, see the Vault server configuration documentation.")
-				return fmt.Errorf("Storage backend could not be initialized.")
-			}
-			backend = &b
-			return nil
-		})
-
-		if backend == nil {
-			diagnose.Fail(ctx, "Diagnose could not initialize storage backend.")
-			span.End()
-			return fmt.Errorf("Diagnose could not initialize storage backend.")
-		}
-
-		// Check for raft quorum status
-		if config.Storage.Type == storageTypeRaft {
-			path := os.Getenv(raft.EnvVaultRaftPath)
-			if path == "" {
-				path, ok := config.Storage.Config["path"]
-				if !ok {
-					diagnose.SpotError(ctx, "Check Raft Folder Permissions", fmt.Errorf("Storage folder path is required."))
-				}
-				diagnose.RaftFileChecks(ctx, path)
-			}
-			diagnose.RaftStorageQuorum(ctx, (*backend).(*raft.RaftBackend))
-		}
-
-		// Consul storage checks
-		if config.Storage != nil && config.Storage.Type == storageTypeConsul {
-			diagnose.Test(ctx, "Check Consul TLS", func(ctx context.Context) error {
-				err := physconsul.SetupSecureTLS(ctx, api.DefaultConfig(), config.Storage.Config, server.logger, true)
-				if err != nil {
-					return err
-				}
-				return nil
-			})
-
-			diagnose.Test(ctx, "Check Consul Direct Storage Access", func(ctx context.Context) error {
-				dirAccess := diagnose.ConsulDirectAccess(config.Storage.Config)
-				if dirAccess != "" {
-					diagnose.Warn(ctx, dirAccess)
-				}
-				if dirAccess == diagnose.DirAccessErr {
-					diagnose.Advise(ctx, diagnose.DirAccessAdvice)
-				}
-				return nil
-			})
-		}
-
-		// Attempt to use storage backend
-		if !c.skipEndEnd && config.Storage.Type != storageTypeRaft {
-			diagnose.Test(ctx, "Check Storage Access", diagnose.WithTimeout(30*time.Second, func(ctx context.Context) error {
-				maxDurationCrudOperation := "write"
-				maxDuration := time.Duration(0)
-				uuidSuffix, err := uuid.GenerateUUID()
-				if err != nil {
-					return err
-				}
-				uuid := "diagnose/latency/" + uuidSuffix
-				dur, err := diagnose.EndToEndLatencyCheckWrite(ctx, uuid, *backend)
-				if err != nil {
-					return err
-				}
-				maxDuration = dur
-				dur, err = diagnose.EndToEndLatencyCheckRead(ctx, uuid, *backend)
-				if err != nil {
-					return err
-				}
-				if dur > maxDuration {
-					maxDuration = dur
-					maxDurationCrudOperation = "read"
-				}
-				dur, err = diagnose.EndToEndLatencyCheckDelete(ctx, uuid, *backend)
-				if err != nil {
-					return err
-				}
-				if dur > maxDuration {
-					maxDuration = dur
-					maxDurationCrudOperation = "delete"
-				}
-
-				if maxDuration > time.Duration(0) {
-					diagnose.Warn(ctx, diagnose.LatencyWarning+fmt.Sprintf("duration: %s, operation: %s", maxDuration, maxDurationCrudOperation))
-				}
-				return nil
-			}))
-		}
-		return nil
-	})
-
-	// Return from top-level span when backend is nil
-	if backend == nil {
-		return fmt.Errorf("Diagnose could not initialize storage backend.")
-	}
-
-	var configSR sr.ServiceRegistration
-	diagnose.Test(ctx, "Check Service Discovery", func(ctx context.Context) error {
-		if config.ServiceRegistration == nil || config.ServiceRegistration.Config == nil {
-			diagnose.Skipped(ctx, "No service registration configured.")
-			return nil
-		}
-		srConfig := config.ServiceRegistration.Config
-
-		diagnose.Test(ctx, "Check Consul Service Discovery TLS", func(ctx context.Context) error {
-			// SetupSecureTLS for service discovery uses the same cert and key to set up physical
-			// storage. See the consul package in physical for details.
-			err := srconsul.SetupSecureTLS(ctx, api.DefaultConfig(), srConfig, server.logger, true)
-			if err != nil {
-				return err
-			}
-			return nil
-		})
-
-		if config.ServiceRegistration != nil && config.ServiceRegistration.Type == "consul" {
-			diagnose.Test(ctx, "Check Consul Direct Service Discovery", func(ctx context.Context) error {
-				dirAccess := diagnose.ConsulDirectAccess(config.ServiceRegistration.Config)
-				if dirAccess != "" {
-					diagnose.Warn(ctx, dirAccess)
-				}
-				if dirAccess == diagnose.DirAccessErr {
-					diagnose.Advise(ctx, diagnose.DirAccessAdvice)
-				}
-				return nil
-			})
-		}
-		return nil
-	})
-
-	sealcontext, sealspan := diagnose.StartSpan(ctx, "Create Vault Server Configuration Seals")
-
-	var setSealResponse *SetSealResponse
-	existingSealGenerationInfo, err := vault.PhysicalSealGenInfo(sealcontext, *backend)
-	if err != nil {
-		diagnose.Fail(sealcontext, fmt.Sprintf("Unable to get Seal generation information from storage: %s.", err.Error()))
-		goto SEALFAIL
-	}
-
-	setSealResponse, err = setSeal(server, config, make([]string, 0), make(map[string]string), existingSealGenerationInfo, false /* unsealed vault has no partially wrapped paths */)
-	if err != nil {
-		diagnose.Advise(ctx, "For assistance with the seal stanza, see the Vault configuration documentation.")
-		diagnose.Fail(sealcontext, fmt.Sprintf("Seal creation resulted in the following error: %s.", err.Error()))
-		goto SEALFAIL
-	}
-
-	for _, seal := range setSealResponse.getCreatedSeals() {
-		seal := seal // capture range variable
-		// Ensure that the seal finalizer is called, even if using verify-only
-		defer func(seal *vault.Seal) {
-			sealType := diagnose.CapitalizeFirstLetter((*seal).BarrierSealConfigType().String())
-			finalizeSealContext, finalizeSealSpan := diagnose.StartSpan(ctx, "Finalize "+sealType+" Seal")
-			err = (*seal).Finalize(finalizeSealContext)
-			if err != nil {
-				diagnose.Fail(finalizeSealContext, "Error finalizing seal.")
-				diagnose.Advise(finalizeSealContext, "This likely means that the barrier is still in use; therefore, finalizing the seal timed out.")
-				finalizeSealSpan.End()
-			}
-			finalizeSealSpan.End()
-		}(seal)
-	}
-
-	if setSealResponse.sealConfigError != nil {
-		diagnose.Fail(sealcontext, "Seal could not be configured: seals may already be initialized.")
-	} else if setSealResponse.barrierSeal == nil {
-		diagnose.Fail(sealcontext, "Could not create barrier seal. No error was generated, but it is likely that the seal stanza is misconfigured. For guidance, see Vault's configuration documentation on the seal stanza.")
-	}
-
-SEALFAIL:
-	sealspan.End()
-
-	var barrierSeal vault.Seal
-	var unwrapSeal vault.Seal
-
-	if setSealResponse != nil {
-		barrierSeal = setSealResponse.barrierSeal
-		unwrapSeal = setSealResponse.unwrapSeal
-	}
-
-	diagnose.Test(ctx, "Check Transit Seal TLS", func(ctx context.Context) error {
-		var checkSealTransit bool
-		for _, seal := range config.Seals {
-			if seal.Type == "transit" {
-				checkSealTransit = true
-
-				tlsSkipVerify, _ := seal.Config["tls_skip_verify"]
-				if tlsSkipVerify == "true" {
-					diagnose.Warn(ctx, "TLS verification is skipped. This is highly discouraged and decreases the security of data transmissions to and from the Vault server.")
-					return nil
-				}
-
-				// Checking tls_client_cert and tls_client_key
-				tlsClientCert, ok := seal.Config["tls_client_cert"]
-				if !ok {
-					diagnose.Warn(ctx, "Missing tls_client_cert in the seal configuration.")
-					return nil
-				}
-				tlsClientKey, ok := seal.Config["tls_client_key"]
-				if !ok {
-					diagnose.Warn(ctx, "Missing tls_client_key in the seal configuration.")
-					return nil
-				}
-				_, err := diagnose.TLSFileChecks(tlsClientCert, tlsClientKey)
-				if err != nil {
-					return fmt.Errorf("The TLS certificate and key configured through the tls_client_cert and tls_client_key fields of the transit seal configuration are invalid: %w.", err)
-				}
-
-				// checking tls_ca_cert
-				tlsCACert, ok := seal.Config["tls_ca_cert"]
-				if !ok {
-					diagnose.Warn(ctx, "Missing tls_ca_cert in the seal configuration.")
-					return nil
-				}
-				warnings, err := diagnose.TLSCAFileCheck(tlsCACert)
-				if len(warnings) != 0 {
-					for _, warning := range warnings {
-						diagnose.Warn(ctx, warning)
-					}
-				}
-				if err != nil {
-					return fmt.Errorf("The TLS CA certificate configured through the tls_ca_cert field of the transit seal configuration is invalid: %w.", err)
-				}
-			}
-		}
-		if !checkSealTransit {
-			diagnose.Skipped(ctx, "No transit seal found in seal configuration.")
-		}
-		return nil
-	})
-
-	var coreConfig vault.CoreConfig
-	diagnose.Test(ctx, "Create Core Configuration", func(ctx context.Context) error {
-		var secureRandomReader io.Reader
-		// prepare a secure random reader for core
-		randReaderTestName := "Initialize Randomness for Core"
-		var sources []*configutil.EntropySourcerInfo
-		if barrierSeal != nil {
-			for _, sealWrapper := range barrierSeal.GetAccess().GetEnabledSealWrappersByPriority() {
-				if s, ok := sealWrapper.Wrapper.(entropy.Sourcer); ok {
-					sources = append(sources, &configutil.EntropySourcerInfo{
-						Sourcer: s,
-						Name:    sealWrapper.Name,
-					})
-				}
-			}
-		}
-		secureRandomReader, err = configutil.CreateSecureRandomReaderFunc(config.SharedConfig, sources, server.logger)
-		if err != nil {
-			return diagnose.SpotError(ctx, randReaderTestName, fmt.Errorf("could not initialize randomness for core: %w", err))
-		}
-		diagnose.SpotOk(ctx, randReaderTestName, "")
-		coreConfig = createCoreConfig(server, config, *backend, configSR, barrierSeal, unwrapSeal, metricsHelper, metricSink, secureRandomReader)
-		return nil
-	})
-
-	var disableClustering bool
-	diagnose.Test(ctx, "HA Storage", func(ctx context.Context) error {
-		diagnose.Test(ctx, "Create HA Storage Backend", func(ctx context.Context) error {
-			// Initialize the separate HA storage backend, if it exists
-			disableClustering, err = initHaBackend(server, config, &coreConfig, *backend)
-			if err != nil {
-				return err
-			}
-			return nil
-		})
-
-		diagnose.Test(ctx, "Check HA Consul Direct Storage Access", func(ctx context.Context) error {
-			if config.HAStorage == nil {
-				diagnose.Skipped(ctx, "No HA storage stanza is configured.")
-			} else {
-				dirAccess := diagnose.ConsulDirectAccess(config.HAStorage.Config)
-				if dirAccess != "" {
-					diagnose.Warn(ctx, dirAccess)
-				}
-				if dirAccess == diagnose.DirAccessErr {
-					diagnose.Advise(ctx, diagnose.DirAccessAdvice)
-				}
-			}
-			return nil
-		})
-		if config.HAStorage != nil && config.HAStorage.Type == storageTypeConsul {
-			diagnose.Test(ctx, "Check Consul TLS", func(ctx context.Context) error {
-				err = physconsul.SetupSecureTLS(ctx, api.DefaultConfig(), config.HAStorage.Config, server.logger, true)
-				if err != nil {
-					return err
-				}
-				return nil
-			})
-		}
-		return nil
-	})
-
-	// Determine the redirect address from environment variables
-	err = determineRedirectAddr(server, &coreConfig, config)
-	if err != nil {
-		return diagnose.SpotError(ctx, "Determine Redirect Address", fmt.Errorf("Redirect Address could not be determined: %w.", err))
-	}
-	diagnose.SpotOk(ctx, "Determine Redirect Address", "")
-
-	err = findClusterAddress(server, &coreConfig, config, disableClustering)
-	if err != nil {
-		return diagnose.SpotError(ctx, "Check Cluster Address", fmt.Errorf("Cluster Address could not be determined or was invalid: %w.", err),
-			diagnose.Advice("Please check that the API and Cluster addresses are different, and that the API, Cluster and Redirect addresses have both a host and port."))
-	}
-	diagnose.SpotOk(ctx, "Check Cluster Address", "Cluster address is logically valid and can be found.")
-
-	var vaultCore *vault.Core
-
-	// Run all the checks that are utilized when initializing a core object
-	// without actually calling core.Init. These are in the init-core section
-	// as they are runtime checks.
-	diagnose.Test(ctx, "Check Core Creation", func(ctx context.Context) error {
-		var newCoreError error
-		if coreConfig.RawConfig == nil {
-			return fmt.Errorf(CoreConfigUninitializedErr)
-		}
-		core, newCoreError := vault.CreateCore(&coreConfig)
-		if newCoreError != nil {
-			if vault.IsFatalError(newCoreError) {
-				return fmt.Errorf("Error initializing core: %s.", newCoreError)
-			}
-			diagnose.Warn(ctx, wrapAtLength(
-				"A non-fatal error occurred during initialization. Please check the logs for more information."))
-		} else {
-			vaultCore = core
-		}
-		return nil
-	})
-
-	if vaultCore == nil {
-		return fmt.Errorf("Diagnose could not initialize the Vault core from the Vault server configuration.")
-	}
-
-	licenseCtx, licenseSpan := diagnose.StartSpan(ctx, "Check For Autoloaded License")
-	// If we are not in enterprise, return from the check
-	if !constants.IsEnterprise {
-		diagnose.Skipped(licenseCtx, "License check will not run on OSS Vault.")
-	} else {
-		// Load License from environment variables. These take precedence over the
-		// configured license.
-		if envLicensePath := os.Getenv(EnvVaultLicensePath); envLicensePath != "" {
-			coreConfig.LicensePath = envLicensePath
-		}
-		if envLicense := os.Getenv(EnvVaultLicense); envLicense != "" {
-			coreConfig.License = envLicense
-		}
-		vault.DiagnoseCheckLicense(licenseCtx, vaultCore, coreConfig, false)
-	}
-	licenseSpan.End()
-
-	var lns []listenerutil.Listener
-	diagnose.Test(ctx, "Start Listeners", func(ctx context.Context) error {
-		disableClustering := config.HAStorage != nil && config.HAStorage.DisableClustering
-		infoKeys := make([]string, 0, 10)
-		info := make(map[string]string)
-		var listeners []listenerutil.Listener
-		var status int
-
-		diagnose.ListenerChecks(ctx, config.Listeners)
-
-		diagnose.Test(ctx, "Create Listeners", func(ctx context.Context) error {
-			status, listeners, _, err = server.InitListeners(config, disableClustering, &infoKeys, &info)
-			if status != 0 {
-				return err
-			}
-			return nil
-		})
-
-		lns = listeners
-
-		// Make sure we close all listeners from this point on
-		listenerCloseFunc := func() {
-			for _, ln := range lns {
-				ln.Listener.Close()
-			}
-		}
-
-		c.cleanupGuard.Do(listenerCloseFunc)
-
-		return nil
-	})
-
-	// TODO: Diagnose logging configuration
-
-	// The unseal diagnose check will simply attempt to use the barrier to encrypt and
-	// decrypt a mock value. It will not call runUnseal.
-	diagnose.Test(ctx, "Check Autounseal Encryption", diagnose.WithTimeout(30*time.Second, func(ctx context.Context) error {
-		if barrierSeal == nil {
-			return fmt.Errorf("Diagnose could not create a barrier seal object.")
-		}
-		if barrierSeal.BarrierSealConfigType() == vault.SealConfigTypeShamir {
-			diagnose.Skipped(ctx, "Skipping barrier encryption test. Only supported for auto-unseal.")
-			return nil
-		}
-		barrierUUID, err := uuid.GenerateUUID()
-		if err != nil {
-			return fmt.Errorf("Diagnose could not create unique UUID for unsealing.")
-		}
-		barrierEncValue := "diagnose-" + barrierUUID
-		ciphertext, errMap := barrierSeal.GetAccess().Encrypt(ctx, []byte(barrierEncValue), nil)
-		if len(errMap) > 0 {
-			var sealErrors []error
-			for name, err := range errMap {
-				sealErrors = append(sealErrors, fmt.Errorf("error encrypting with seal %q: %w", name, err))
-			}
-			if ciphertext == nil {
-				// Full failure
-				if len(sealErrors) == 1 {
-					return sealErrors[0]
-				} else {
-					return fmt.Errorf("complete seal encryption failure: %w", errors.Join())
-				}
-			} else {
-				// Partial failure
-				return fmt.Errorf("partial seal encryption failure: %w", errors.Join())
-			}
-		}
-		plaintext, _, err := barrierSeal.GetAccess().Decrypt(ctx, ciphertext, nil)
-		if err != nil {
-			return fmt.Errorf("Error decrypting with seal barrier: %w", err)
-		}
-		if string(plaintext) != barrierEncValue {
-			return fmt.Errorf("Barrier returned incorrect decrypted value for mock data.")
-		}
-		return nil
-	}))
-
-	// The following block contains static checks that are run during the
-	// startHttpServers portion of server run. In other words, they are static
-	// checks during resource creation. Currently there is nothing important in this
-	// diagnose check. For now it is a placeholder for any checks that will be done
-	// before server run.
-	diagnose.Test(ctx, "Check Server Before Runtime", func(ctx context.Context) error {
-		for _, ln := range lns {
-			if ln.Config == nil {
-				return fmt.Errorf("Found no listener config after parsing the Vault configuration.")
-			}
-		}
-		return nil
-	})
-
-	// Checking HCP link to make sure Vault could connect to SCADA.
-	// If it could not connect to SCADA in 5 seconds, diagnose reports an issue
-	if !constants.IsEnterprise {
-		diagnose.Skipped(ctx, "HCP link check will not run on OSS Vault.")
-	} else {
-		if config.HCPLinkConf != nil {
-			// we need to override API and Passthrough capabilities
-			// as they could not be initialized when Vault http handler
-			// is not fully initialized
-			config.HCPLinkConf.EnablePassThroughCapability = false
-			config.HCPLinkConf.EnableAPICapability = false
-
-			diagnose.Test(ctx, "Check HCP Connection", func(ctx context.Context) error {
-				hcpLink, err := hcp_link.NewHCPLink(config.HCPLinkConf, vaultCore, server.logger)
-				if err != nil || hcpLink == nil {
-					return fmt.Errorf("failed to start HCP link, %w", err)
-				}
-
-				// check if a SCADA session is established successfully
-				deadline := time.Now().Add(5 * time.Second)
-				linkSessionStatus := "disconnected"
-				for time.Now().Before(deadline) {
-					linkSessionStatus = hcpLink.GetConnectionStatusMessage(hcpLink.GetScadaSessionStatus())
-					if linkSessionStatus == "connected" {
-						break
-					}
-					time.Sleep(500 * time.Millisecond)
-				}
-				if linkSessionStatus != "connected" {
-					return fmt.Errorf("failed to connect to HCP in 5 seconds. HCP session status is: %s", linkSessionStatus)
-				}
-
-				err = hcpLink.Shutdown()
-				if err != nil {
-					return fmt.Errorf("failed to shutdown HCP link: %w", err)
-				}
-
-				return nil
-			})
-		}
-	}
-
-	return nil
-}
-
-func coalesce(values ...interface{}) interface{} {
-	for _, val := range values {
-		if val != nil && val != "" {
-			return val
-		}
-	}
-	return nil
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+.doc-link {
+  color: $blue;
+  text-decoration: none;
+  font-weight: $font-weight-semibold;
+  &:hover {
+    text-decoration: underline !important;
+  }
 }
diff --git a/command/operator_diagnose_test.go b/command/operator_diagnose_test.go
index 31b38f1c50ed..0266f1ba69ea 100644
--- a/command/operator_diagnose_test.go
+++ b/command/operator_diagnose_test.go
@@ -1,700 +1,107 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-//go:build !race
-
-package command
-
-import (
-	"context"
-	"fmt"
-	"io/ioutil"
-	"os"
-	"strings"
-	"testing"
-
-	"github.com/hashicorp/vault/command/server"
-
-	"github.com/hashicorp/vault/vault/diagnose"
-	"github.com/mitchellh/cli"
-)
-
-func testOperatorDiagnoseCommand(tb testing.TB) *OperatorDiagnoseCommand {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return &OperatorDiagnoseCommand{
-		diagnose: diagnose.New(ioutil.Discard),
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-		skipEndEnd: true,
-	}
-}
-
-func TestOperatorDiagnoseCommand_Run(t *testing.T) {
-	t.Parallel()
-	cases := []struct {
-		name     string
-		args     []string
-		expected []*diagnose.Result
-	}{
-		{
-			"diagnose_ok",
-			[]string{
-				"-config", "./server/test-fixtures/config_diagnose_ok.hcl",
-			},
-			[]*diagnose.Result{
-				{
-					Name:   "Parse Configuration",
-					Status: diagnose.OkStatus,
-				},
-				{
-					Name:   "Start Listeners",
-					Status: diagnose.WarningStatus,
-					Children: []*diagnose.Result{
-						{
-							Name:   "Create Listeners",
-							Status: diagnose.OkStatus,
-						},
-						{
-							Name:   "Check Listener TLS",
-							Status: diagnose.WarningStatus,
-							Warnings: []string{
-								"TLS is disabled in a listener config stanza.",
-							},
-						},
-					},
-				},
-				{
-					Name:   "Check Storage",
-					Status: diagnose.OkStatus,
-					Children: []*diagnose.Result{
-						{
-							Name:   "Create Storage Backend",
-							Status: diagnose.OkStatus,
-						},
-						{
-							Name:   "Check Consul TLS",
-							Status: diagnose.SkippedStatus,
-						},
-						{
-							Name:   "Check Consul Direct Storage Access",
-							Status: diagnose.OkStatus,
-						},
-					},
-				},
-				{
-					Name:   "Check Service Discovery",
-					Status: diagnose.OkStatus,
-					Children: []*diagnose.Result{
-						{
-							Name:   "Check Consul Service Discovery TLS",
-							Status: diagnose.SkippedStatus,
-						},
-						{
-							Name:   "Check Consul Direct Service Discovery",
-							Status: diagnose.OkStatus,
-						},
-					},
-				},
-				{
-					Name:   "Create Vault Server Configuration Seals",
-					Status: diagnose.OkStatus,
-				},
-				{
-					Name:   "Create Core Configuration",
-					Status: diagnose.OkStatus,
-					Children: []*diagnose.Result{
-						{
-							Name:   "Initialize Randomness for Core",
-							Status: diagnose.OkStatus,
-						},
-					},
-				},
-				{
-					Name:   "HA Storage",
-					Status: diagnose.OkStatus,
-					Children: []*diagnose.Result{
-						{
-							Name:   "Create HA Storage Backend",
-							Status: diagnose.OkStatus,
-						},
-						{
-							Name:   "Check HA Consul Direct Storage Access",
-							Status: diagnose.OkStatus,
-						},
-						{
-							Name:   "Check Consul TLS",
-							Status: diagnose.SkippedStatus,
-						},
-					},
-				},
-				{
-					Name:   "Determine Redirect Address",
-					Status: diagnose.OkStatus,
-				},
-				{
-					Name:   "Check Cluster Address",
-					Status: diagnose.OkStatus,
-				},
-				{
-					Name:   "Check Core Creation",
-					Status: diagnose.OkStatus,
-				},
-				{
-					Name:   "Start Listeners",
-					Status: diagnose.WarningStatus,
-					Children: []*diagnose.Result{
-						{
-							Name:   "Create Listeners",
-							Status: diagnose.OkStatus,
-						},
-						{
-							Name:   "Check Listener TLS",
-							Status: diagnose.WarningStatus,
-							Warnings: []string{
-								"TLS is disabled in a listener config stanza.",
-							},
-						},
-					},
-				},
-				{
-					Name:    "Check Autounseal Encryption",
-					Status:  diagnose.SkippedStatus,
-					Message: "Skipping barrier encryption",
-				},
-				{
-					Name:   "Check Server Before Runtime",
-					Status: diagnose.OkStatus,
-				},
-				{
-					Name:   "Finalize Shamir Seal",
-					Status: diagnose.OkStatus,
-				},
-			},
-		},
-		{
-			"diagnose_ok_multiseal",
-			[]string{
-				"-config", "./server/test-fixtures/config_diagnose_ok.hcl",
-			},
-			[]*diagnose.Result{
-				{
-					Name:   "Parse Configuration",
-					Status: diagnose.OkStatus,
-				},
-				{
-					Name:   "Start Listeners",
-					Status: diagnose.WarningStatus,
-					Children: []*diagnose.Result{
-						{
-							Name:   "Create Listeners",
-							Status: diagnose.OkStatus,
-						},
-						{
-							Name:   "Check Listener TLS",
-							Status: diagnose.WarningStatus,
-							Warnings: []string{
-								"TLS is disabled in a listener config stanza.",
-							},
-						},
-					},
-				},
-				{
-					Name:   "Check Storage",
-					Status: diagnose.OkStatus,
-					Children: []*diagnose.Result{
-						{
-							Name:   "Create Storage Backend",
-							Status: diagnose.OkStatus,
-						},
-						{
-							Name:   "Check Consul TLS",
-							Status: diagnose.SkippedStatus,
-						},
-						{
-							Name:   "Check Consul Direct Storage Access",
-							Status: diagnose.OkStatus,
-						},
-					},
-				},
-				{
-					Name:   "Check Service Discovery",
-					Status: diagnose.OkStatus,
-					Children: []*diagnose.Result{
-						{
-							Name:   "Check Consul Service Discovery TLS",
-							Status: diagnose.SkippedStatus,
-						},
-						{
-							Name:   "Check Consul Direct Service Discovery",
-							Status: diagnose.OkStatus,
-						},
-					},
-				},
-				{
-					Name: "Create Vault Server Configuration Seals",
-					// We can't load from storage the existing seal generation info during the test, so we expect an error.
-					Status: diagnose.ErrorStatus,
-				},
-				{
-					Name:   "Create Core Configuration",
-					Status: diagnose.OkStatus,
-					Children: []*diagnose.Result{
-						{
-							Name:   "Initialize Randomness for Core",
-							Status: diagnose.OkStatus,
-						},
-					},
-				},
-				{
-					Name:   "HA Storage",
-					Status: diagnose.OkStatus,
-					Children: []*diagnose.Result{
-						{
-							Name:   "Create HA Storage Backend",
-							Status: diagnose.OkStatus,
-						},
-						{
-							Name:   "Check HA Consul Direct Storage Access",
-							Status: diagnose.OkStatus,
-						},
-						{
-							Name:   "Check Consul TLS",
-							Status: diagnose.SkippedStatus,
-						},
-					},
-				},
-				{
-					Name:   "Determine Redirect Address",
-					Status: diagnose.OkStatus,
-				},
-				{
-					Name:   "Check Cluster Address",
-					Status: diagnose.OkStatus,
-				},
-				{
-					Name:   "Check Core Creation",
-					Status: diagnose.OkStatus,
-				},
-				{
-					Name:   "Start Listeners",
-					Status: diagnose.WarningStatus,
-					Children: []*diagnose.Result{
-						{
-							Name:   "Create Listeners",
-							Status: diagnose.OkStatus,
-						},
-						{
-							Name:   "Check Listener TLS",
-							Status: diagnose.WarningStatus,
-							Warnings: []string{
-								"TLS is disabled in a listener config stanza.",
-							},
-						},
-					},
-				},
-				{
-					Name:    "Check Autounseal Encryption",
-					Status:  diagnose.ErrorStatus,
-					Message: "Diagnose could not create a barrier seal object.",
-				},
-				{
-					Name:   "Check Server Before Runtime",
-					Status: diagnose.OkStatus,
-				},
-			},
-		},
-		{
-			"diagnose_raft_problems",
-			[]string{
-				"-config", "./server/test-fixtures/config_raft.hcl",
-			},
-			[]*diagnose.Result{
-				{
-					Name:   "Check Storage",
-					Status: diagnose.WarningStatus,
-					Children: []*diagnose.Result{
-						{
-							Name:   "Create Storage Backend",
-							Status: diagnose.OkStatus,
-						},
-						{
-							Name:    "Check Raft Folder Permissions",
-							Status:  diagnose.WarningStatus,
-							Message: "too many permissions",
-						},
-						{
-							Name:    "Check For Raft Quorum",
-							Status:  diagnose.WarningStatus,
-							Message: "0 voters found",
-						},
-					},
-				},
-			},
-		},
-		{
-			"diagnose_invalid_storage",
-			[]string{
-				"-config", "./server/test-fixtures/nostore_config.hcl",
-			},
-			[]*diagnose.Result{
-				{
-					Name:    "Check Storage",
-					Status:  diagnose.ErrorStatus,
-					Message: "No storage stanza in Vault server configuration.",
-				},
-			},
-		},
-		{
-			"diagnose_listener_config_ok",
-			[]string{
-				"-config", "./server/test-fixtures/tls_config_ok.hcl",
-			},
-			[]*diagnose.Result{
-				{
-					Name:   "Start Listeners",
-					Status: diagnose.OkStatus,
-					Children: []*diagnose.Result{
-						{
-							Name:   "Create Listeners",
-							Status: diagnose.OkStatus,
-						},
-						{
-							Name:   "Check Listener TLS",
-							Status: diagnose.OkStatus,
-						},
-					},
-				},
-			},
-		},
-		{
-			"diagnose_invalid_https_storage",
-			[]string{
-				"-config", "./server/test-fixtures/config_bad_https_storage.hcl",
-			},
-			[]*diagnose.Result{
-				{
-					Name:   "Check Storage",
-					Status: diagnose.ErrorStatus,
-					Children: []*diagnose.Result{
-						{
-							Name:   "Create Storage Backend",
-							Status: diagnose.OkStatus,
-						},
-						{
-							Name:    "Check Consul TLS",
-							Status:  diagnose.ErrorStatus,
-							Message: "certificate has expired or is not yet valid",
-							Warnings: []string{
-								"expired or near expiry",
-							},
-						},
-						{
-							Name:   "Check Consul Direct Storage Access",
-							Status: diagnose.OkStatus,
-						},
-					},
-				},
-			},
-		},
-		{
-			"diagnose_invalid_https_hastorage",
-			[]string{
-				"-config", "./server/test-fixtures/config_diagnose_hastorage_bad_https.hcl",
-			},
-			[]*diagnose.Result{
-				{
-					Name:   "Check Storage",
-					Status: diagnose.WarningStatus,
-					Children: []*diagnose.Result{
-						{
-							Name:   "Create Storage Backend",
-							Status: diagnose.OkStatus,
-						},
-						{
-							Name:   "Check Consul TLS",
-							Status: diagnose.SkippedStatus,
-						},
-						{
-							Name:   "Check Consul Direct Storage Access",
-							Status: diagnose.WarningStatus,
-							Advice: "We recommend connecting to a local agent.",
-							Warnings: []string{
-								"Vault storage is directly connected to a Consul server.",
-							},
-						},
-					},
-				},
-				{
-					Name:   "HA Storage",
-					Status: diagnose.ErrorStatus,
-					Children: []*diagnose.Result{
-						{
-							Name:   "Create HA Storage Backend",
-							Status: diagnose.OkStatus,
-						},
-						{
-							Name:   "Check HA Consul Direct Storage Access",
-							Status: diagnose.WarningStatus,
-							Advice: "We recommend connecting to a local agent.",
-							Warnings: []string{
-								"Vault storage is directly connected to a Consul server.",
-							},
-						},
-						{
-							Name:    "Check Consul TLS",
-							Status:  diagnose.ErrorStatus,
-							Message: "certificate has expired or is not yet valid",
-							Warnings: []string{
-								"expired or near expiry",
-							},
-						},
-					},
-				},
-				{
-					Name:   "Check Cluster Address",
-					Status: diagnose.ErrorStatus,
-				},
-			},
-		},
-		{
-			"diagnose_seal_transit_tls_check_fail",
-			[]string{
-				"-config", "./server/test-fixtures/diagnose_seal_transit_tls_check.hcl",
-			},
-			[]*diagnose.Result{
-				{
-					Name:   "Check Transit Seal TLS",
-					Status: diagnose.WarningStatus,
-					Warnings: []string{
-						"Found at least one intermediate certificate in the CA certificate file.",
-					},
-				},
-			},
-		},
-		{
-			"diagnose_invalid_https_sr",
-			[]string{
-				"-config", "./server/test-fixtures/diagnose_bad_https_consul_sr.hcl",
-			},
-			[]*diagnose.Result{
-				{
-					Name:   "Check Service Discovery",
-					Status: diagnose.ErrorStatus,
-					Children: []*diagnose.Result{
-						{
-							Name:    "Check Consul Service Discovery TLS",
-							Status:  diagnose.ErrorStatus,
-							Message: "certificate has expired or is not yet valid",
-							Warnings: []string{
-								"expired or near expiry",
-							},
-						},
-						{
-							Name:   "Check Consul Direct Service Discovery",
-							Status: diagnose.WarningStatus,
-							Warnings: []string{
-								diagnose.DirAccessErr,
-							},
-						},
-					},
-				},
-			},
-		},
-		{
-			"diagnose_direct_storage_access",
-			[]string{
-				"-config", "./server/test-fixtures/diagnose_ok_storage_direct_access.hcl",
-			},
-			[]*diagnose.Result{
-				{
-					Name:   "Check Storage",
-					Status: diagnose.WarningStatus,
-					Children: []*diagnose.Result{
-						{
-							Name:   "Create Storage Backend",
-							Status: diagnose.OkStatus,
-						},
-						{
-							Name:   "Check Consul TLS",
-							Status: diagnose.SkippedStatus,
-						},
-						{
-							Name:   "Check Consul Direct Storage Access",
-							Status: diagnose.WarningStatus,
-							Warnings: []string{
-								diagnose.DirAccessErr,
-							},
-						},
-					},
-				},
-			},
-		},
-		{
-			"diagnose_raft_no_folder_backend",
-			[]string{
-				"-config", "./server/test-fixtures/diagnose_raft_no_bolt_folder.hcl",
-			},
-			[]*diagnose.Result{
-				{
-					Name:    "Check Storage",
-					Status:  diagnose.ErrorStatus,
-					Message: "Diagnose could not initialize storage backend.",
-					Children: []*diagnose.Result{
-						{
-							Name:    "Create Storage Backend",
-							Status:  diagnose.ErrorStatus,
-							Message: "no such file or directory",
-						},
-					},
-				},
-			},
-		},
-		{
-			"diagnose_telemetry_partial_circonus",
-			[]string{
-				"-config", "./server/test-fixtures/diagnose_bad_telemetry1.hcl",
-			},
-			[]*diagnose.Result{
-				{
-					Name:    "Check Telemetry",
-					Status:  diagnose.ErrorStatus,
-					Message: "incomplete Circonus telemetry configuration, missing circonus_api_url",
-				},
-			},
-		},
-		{
-			"diagnose_telemetry_partial_dogstats",
-			[]string{
-				"-config", "./server/test-fixtures/diagnose_bad_telemetry2.hcl",
-			},
-			[]*diagnose.Result{
-				{
-					Name:    "Check Telemetry",
-					Status:  diagnose.ErrorStatus,
-					Message: "incomplete DogStatsD telemetry configuration, missing dogstatsd_addr, while dogstatsd_tags specified",
-				},
-			},
-		},
-		{
-			"diagnose_telemetry_partial_stackdriver",
-			[]string{
-				"-config", "./server/test-fixtures/diagnose_bad_telemetry3.hcl",
-			},
-			[]*diagnose.Result{
-				{
-					Name:    "Check Telemetry",
-					Status:  diagnose.ErrorStatus,
-					Message: "incomplete Stackdriver telemetry configuration, missing stackdriver_project_id",
-				},
-			},
-		},
-		{
-			"diagnose_telemetry_default",
-			[]string{
-				"-config", "./server/test-fixtures/config4.hcl",
-			},
-			[]*diagnose.Result{
-				{
-					Name:     "Check Telemetry",
-					Status:   diagnose.WarningStatus,
-					Warnings: []string{"Telemetry is using default configuration"},
-				},
-			},
-		},
-	}
-
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, tc := range cases {
-			tc := tc
-			t.Run(tc.name, func(t *testing.T) {
-				if tc.name == "diagnose_ok" && server.IsMultisealSupported() {
-					t.Skip("Test not valid in ENT")
-				} else if tc.name == "diagnose_ok_multiseal" && !server.IsMultisealSupported() {
-					t.Skip("Test not valid in community edition")
-				} else {
-					t.Parallel()
-					client, closer := testVaultServer(t)
-					defer closer()
-					cmd := testOperatorDiagnoseCommand(t)
-					cmd.client = client
-
-					cmd.Run(tc.args)
-					result := cmd.diagnose.Finalize(context.Background())
-
-					if err := compareResults(tc.expected, result.Children); err != nil {
-						t.Fatalf("Did not find expected test results: %v", err)
-					}
-				}
-			})
-		}
-	})
-}
-
-func compareResults(expected []*diagnose.Result, actual []*diagnose.Result) error {
-	for _, exp := range expected {
-		found := false
-		// Check them all so we don't have to be order specific
-		for _, act := range actual {
-			fmt.Printf("%+v", act)
-			if exp.Name == act.Name {
-				found = true
-				if err := compareResult(exp, act); err != nil {
-					return err
-				}
-				break
-			}
-		}
-		if !found {
-			return fmt.Errorf("could not find expected test result: %s", exp.Name)
-		}
-	}
-	return nil
-}
-
-func compareResult(exp *diagnose.Result, act *diagnose.Result) error {
-	if exp.Name != act.Name {
-		return fmt.Errorf("names mismatch: %s vs %s", exp.Name, act.Name)
-	}
-	if exp.Status != act.Status {
-		if act.Status != diagnose.OkStatus {
-			return fmt.Errorf("section %s, status mismatch: %s vs %s, got error %s", exp.Name, exp.Status, act.Status, act.Message)
-		}
-		return fmt.Errorf("section %s, status mismatch: %s vs %s", exp.Name, exp.Status, act.Status)
-	}
-	if exp.Message != "" && exp.Message != act.Message && !strings.Contains(act.Message, exp.Message) {
-		return fmt.Errorf("section %s, message not found: %s in %s", exp.Name, exp.Message, act.Message)
-	}
-	if exp.Advice != "" && exp.Advice != act.Advice && !strings.Contains(act.Advice, exp.Advice) {
-		return fmt.Errorf("section %s, advice not found: %s in %s", exp.Name, exp.Advice, act.Advice)
-	}
-	if len(exp.Warnings) != len(act.Warnings) {
-		return fmt.Errorf("section %s, warning count mismatch: %d vs %d", exp.Name, len(exp.Warnings), len(act.Warnings))
-	}
-	for j := range exp.Warnings {
-		if !strings.Contains(act.Warnings[j], exp.Warnings[j]) {
-			return fmt.Errorf("section %s, warning message not found: %s in %s", exp.Name, exp.Warnings[j], act.Warnings[j])
-		}
-	}
-	if len(exp.Children) > len(act.Children) {
-		errStrings := []string{}
-		for _, c := range act.Children {
-			errStrings = append(errStrings, fmt.Sprintf("%+v", c))
-		}
-		return fmt.Errorf(strings.Join(errStrings, ","))
-	}
-
-	if len(exp.Children) > 0 {
-		return compareResults(exp.Children, act.Children)
-	}
-
-	// Remove raft file if it exists
-	os.Remove("./server/test-fixtures/vault.db")
-	os.RemoveAll("./server/test-fixtures/raft")
-
-	return nil
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<form {{action (queue (action "preSave" this.model) (perform this.save this.model)) on="submit"}}>
+  <MessageError @model={{this.model}} data-test-edit-form-error />
+  <div class="box is-sideless is-fullwidth is-marginless">
+    <NamespaceReminder @mode="save" />
+    {{#if (eq @mode "create")}}
+      <FormField data-test-field @attr={{hash name="name" type="string"}} @model={{this.model}} />
+    {{/if}}
+    <div class="control is-flex box is-shadowless is-fullwidth is-marginless">
+      <input
+        data-test-input="operationNone"
+        id="operationNone"
+        type="checkbox"
+        class="toggle is-success is-small"
+        checked={{not this.model.operationNone}}
+        onchange={{action "toggleOperationSpecial" value="target.checked"}}
+      />
+      <label for="operationNone" class="has-text-weight-bold is-size-8">
+        Allow this role to perform KMIP operations
+      </label>
+    </div>
+    {{#unless this.model.operationNone}}
+      <Toolbar>
+        <h3 class="title is-6 has-left-padding-s">
+          Allowed Operations
+        </h3>
+      </Toolbar>
+      <div class="box">
+        <FormField
+          @attr={{hash name="operationAll" type="boolean" options=(hash label="Allow this role to perform all operations")}}
+          @model={{this.model}}
+        />
+        <hr />
+        <div class="is-flex">
+          <div class="kmip-role-allowed-operations">
+            {{#each-in this.model.operationFormFields.firstObject as |groupName fieldsInGroup|}}
+              <h4 class="title is-7">{{groupName}}</h4>
+              {{#each fieldsInGroup as |attr|}}
+                <FormField
+                  data-test-field
+                  @disabled={{or this.model.operationNone this.model.operationAll}}
+                  @attr={{attr}}
+                  @model={{compute (action "placeholderOrModel") this.model.operationAll attr}}
+                  @showHelpText={{false}}
+                />
+              {{/each}}
+            {{/each-in}}
+          </div>
+          <div class="kmip-role-allowed-operations">
+            {{#each (drop 1 (or this.model.operationFormFields (array))) as |group|}}
+              <div class="kmip-role-allowed-operations">
+                {{#each-in group as |groupName fieldsInGroup|}}
+                  <h4 class="title is-7">{{groupName}}</h4>
+                  {{#each fieldsInGroup as |attr|}}
+                    <FormField
+                      data-test-field
+                      @disabled={{or this.model.operationNone this.model.operationAll}}
+                      @attr={{attr}}
+                      @model={{compute (action "placeholderOrModel") this.model.operationAll attr}}
+                      @showHelpText={{false}}
+                    />
+                  {{/each}}
+                {{/each-in}}
+              </div>
+            {{/each}}
+          </div>
+        </div>
+      </div>
+    {{/unless}}
+    <div class="box is-fullwidth is-shadowless">
+      <h3 class="title is-3">
+        TLS
+      </h3>
+      {{#each this.model.tlsFormFields as |attr|}}
+        <FormField data-test-field @attr={{attr}} @model={{this.model}} />
+      {{/each}}
+    </div>
+    {{#each this.model.fields as |attr|}}
+      <FormField data-test-field @attr={{attr}} @model={{this.model}} />
+    {{/each}}
+  </div>
+
+  <div class="field is-grouped is-grouped-split is-fullwidth box is-bottomless">
+    <Hds::ButtonSet>
+      <Hds::Button
+        @text={{this.saveButtonText}}
+        @icon={{if this.save.isRunning "loading"}}
+        type="submit"
+        data-test-edit-form-submit
+        disabled={{this.save.isRunning}}
+      />
+      {{#if this.cancelLink}}
+        <Hds::Button
+          @text="Cancel"
+          @color="secondary"
+          @route={{this.cancelLink.route}}
+          @models={{this.cancelLink.models}}
+          data-test-edit-form-cancel
+        />
+      {{/if}}
+    </Hds::ButtonSet>
+  </div>
+</form>
\ No newline at end of file
diff --git a/command/operator_generate_root.go b/command/operator_generate_root.go
index e660a6e1c145..2ca2fb583b89 100644
--- a/command/operator_generate_root.go
+++ b/command/operator_generate_root.go
@@ -1,628 +1,37 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"bytes"
-	"fmt"
-	"io"
-	"os"
-	"strings"
-
-	"github.com/hashicorp/go-secure-stdlib/password"
-	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/helper/pgpkeys"
-	"github.com/hashicorp/vault/sdk/helper/roottoken"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*OperatorGenerateRootCommand)(nil)
-	_ cli.CommandAutocomplete = (*OperatorGenerateRootCommand)(nil)
-)
-
-type generateRootKind int
-
-const (
-	generateRootRegular generateRootKind = iota
-	generateRootDR
-	generateRootRecovery
-)
-
-type OperatorGenerateRootCommand struct {
-	*BaseCommand
-
-	flagInit          bool
-	flagCancel        bool
-	flagStatus        bool
-	flagDecode        string
-	flagOTP           string
-	flagPGPKey        string
-	flagNonce         string
-	flagGenerateOTP   bool
-	flagDRToken       bool
-	flagRecoveryToken bool
-
-	testStdin io.Reader // for tests
-}
-
-func (c *OperatorGenerateRootCommand) Synopsis() string {
-	return "Generates a new root, DR operation, or recovery token"
-}
-
-func (c *OperatorGenerateRootCommand) Help() string {
-	helpText := `
-Usage: vault operator generate-root [options] -init [-otp=...] [-pgp-key=...]
-       vault operator generate-root [options] [-nonce=... KEY]
-       vault operator generate-root [options] -decode=... -otp=...
-       vault operator generate-root [options] -generate-otp
-       vault operator generate-root [options] -status
-       vault operator generate-root [options] -cancel
-
-  Generates a new root token by combining a quorum of share holders.
-
-  This command is unusual, as it is effectively six separate subcommands,
-  selected via the options -init, -decode, -generate-otp, -status, -cancel, 
-  or the absence of any of the previous five options (which selects the 
-  "provide a key share" form).
-
-  With the -dr-token or -recovery-token options, a DR operation token or a
-  recovery token is generated instead of a root token - the relevant option
-  must be included in every form of the generate-root command.
-
-  Form 1 (-init) - Start a token generation:
-
-    When starting a root or privileged operation token generation, you must
-    choose one of the following protection methods for how the token will be
-    returned:
-
-      - A base64-encoded one-time-password (OTP). The resulting token is XORed
-        with this value when it is returned. Use the "-decode" form of this
-        command to output the final value.
-
-        The Vault server will generate a suitable OTP for you, and return it:
-
-            $ vault operator generate-root -init
-
-        Vault versions before 0.11.2, released in 2018, required you to
-        generate your own OTP (see the "-generate-otp" form) and pass it in,
-        but this is no longer necessary. The command is still supported for
-        compatibility, though:
-
-            $ vault operator generate-root -init -otp="..."
-
-      - A PGP key. The resulting token is encrypted with this public key.
-        The key may be specified as a path to a file, or a string of the
-        form "keybase:<username>" to fetch the key from the keybase.io API.
-
-            $ vault operator generate-root -init -pgp-key="..."
-
-  Form 2 (no option) - Enter an unseal key to progress root token generation:
-
-    In the sub-form intended for interactive use, the command will
-    automatically look up the nonce of the currently active generation
-    operation, and will prompt for the key to be entered:
-
-        $ vault operator generate-root
-
-    In the sub-form intended for automation, the operation nonce must be
-    explicitly provided, and the key is provided directly on the command line
-
-        $ vault operator generate-root -nonce=... KEY
-
-    If key is specified as "-", the command will read from stdin.
-
-  Form 3 (-decode) - Decode a generated token protected with an OTP:
-
-        $ vault operator generate-root -decode=ENCODED_TOKEN -otp=OTP
-
-    If encoded token is specified as "-", the command will read from stdin.
-
-  Form 4 (-generate-otp) - Generate an OTP code for the final token:
-
-        $ vault operator generate-root -generate-otp
-
-    Since changes in Vault 0.11.2 in 2018, there is no longer any reason to
-    use this form, as a suitable OTP will be returned as part of the "-init"
-    command.
-
-  Form 5 (-status) - Get the status of a token generation that is in progress:
-
-        $ vault operator generate-root -status
-
-    This form also returns the length of the a correct OTP, for the running
-    version and configuration of Vault.
-
-  Form 6 (-cancel) - Cancel a token generation that is in progress:
-
-    This would be used to remove an in progress generation operation, so that
-    a new one can be started with different parameters.
-
-        $ vault operator generate-root -cancel
-
-` + c.Flags().Help()
-	return strings.TrimSpace(helpText)
-}
-
-func (c *OperatorGenerateRootCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-
-	f := set.NewFlagSet("Command Options")
-
-	f.BoolVar(&BoolVar{
-		Name:       "init",
-		Target:     &c.flagInit,
-		Default:    false,
-		EnvVar:     "",
-		Completion: complete.PredictNothing,
-		Usage: "Start a root token generation. This can only be done if " +
-			"there is not currently one in progress.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:       "cancel",
-		Target:     &c.flagCancel,
-		Default:    false,
-		EnvVar:     "",
-		Completion: complete.PredictNothing,
-		Usage: "Reset the root token generation progress. This will discard any " +
-			"submitted unseal keys or configuration.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:       "status",
-		Target:     &c.flagStatus,
-		Default:    false,
-		EnvVar:     "",
-		Completion: complete.PredictNothing,
-		Usage: "Print the status of the current attempt without providing an " +
-			"unseal key.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "decode",
-		Target:     &c.flagDecode,
-		Default:    "",
-		EnvVar:     "",
-		Completion: complete.PredictAnything,
-		Usage: "The value to decode; setting this triggers a decode operation. " +
-			" If the value is \"-\" then read the encoded token from stdin.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:       "generate-otp",
-		Target:     &c.flagGenerateOTP,
-		Default:    false,
-		EnvVar:     "",
-		Completion: complete.PredictNothing,
-		Usage: "Generate and print a high-entropy one-time-password (OTP) " +
-			"suitable for use with the \"-init\" flag.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:       "dr-token",
-		Target:     &c.flagDRToken,
-		Default:    false,
-		EnvVar:     "",
-		Completion: complete.PredictNothing,
-		Usage: "Set this flag to do generate root operations on DR operation " +
-			"tokens.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:       "recovery-token",
-		Target:     &c.flagRecoveryToken,
-		Default:    false,
-		EnvVar:     "",
-		Completion: complete.PredictNothing,
-		Usage: "Set this flag to do generate root operations on recovery " +
-			"tokens.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "otp",
-		Target:     &c.flagOTP,
-		Default:    "",
-		EnvVar:     "",
-		Completion: complete.PredictAnything,
-		Usage:      "OTP code to use with \"-decode\" or \"-init\".",
-	})
-
-	f.VarFlag(&VarFlag{
-		Name:       "pgp-key",
-		Value:      (*pgpkeys.PubKeyFileFlag)(&c.flagPGPKey),
-		Default:    "",
-		EnvVar:     "",
-		Completion: complete.PredictAnything,
-		Usage: "Path to a file on disk containing a binary or base64-encoded " +
-			"public PGP key. This can also be specified as a Keybase username " +
-			"using the format \"keybase:<username>\". When supplied, the generated " +
-			"root token will be encrypted and base64-encoded with the given public " +
-			"key. Must be used with \"-init\".",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "nonce",
-		Target:     &c.flagNonce,
-		Default:    "",
-		EnvVar:     "",
-		Completion: complete.PredictAnything,
-		Usage: "Nonce value returned at initialization. The same nonce value " +
-			"must be provided with each unseal or recovery key. Only needed " +
-			"when providing an unseal or recovery key.",
-	})
-
-	return set
-}
-
-func (c *OperatorGenerateRootCommand) AutocompleteArgs() complete.Predictor {
-	return nil
-}
-
-func (c *OperatorGenerateRootCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *OperatorGenerateRootCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	if len(args) > 1 {
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0-1, got %d)", len(args)))
-		return 1
-	}
-
-	if c.flagDRToken && c.flagRecoveryToken {
-		c.UI.Error("Both -recovery-token and -dr-token flags are set")
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	kind := generateRootRegular
-	switch {
-	case c.flagDRToken:
-		kind = generateRootDR
-	case c.flagRecoveryToken:
-		kind = generateRootRecovery
-	}
-
-	switch {
-	case c.flagGenerateOTP:
-		otp, code := c.generateOTP(client, kind)
-		if code == 0 {
-			switch Format(c.UI) {
-			case "", "table":
-				return PrintRaw(c.UI, otp)
-			default:
-				status := map[string]interface{}{
-					"otp":        otp,
-					"otp_length": len(otp),
-				}
-				return OutputData(c.UI, status)
-			}
-		}
-		return code
-	case c.flagDecode != "":
-		return c.decode(client, c.flagDecode, c.flagOTP, kind)
-	case c.flagCancel:
-		return c.cancel(client, kind)
-	case c.flagInit:
-		return c.init(client, c.flagOTP, c.flagPGPKey, kind)
-	case c.flagStatus:
-		return c.status(client, kind)
-	default:
-		// If there are no other flags, prompt for an unseal key.
-		key := ""
-		if len(args) > 0 {
-			key = strings.TrimSpace(args[0])
-		}
-		return c.provide(client, key, kind)
-	}
-}
-
-// generateOTP generates a suitable OTP code for generating a root token.
-func (c *OperatorGenerateRootCommand) generateOTP(client *api.Client, kind generateRootKind) (string, int) {
-	f := client.Sys().GenerateRootStatus
-	switch kind {
-	case generateRootDR:
-		f = client.Sys().GenerateDROperationTokenStatus
-	case generateRootRecovery:
-		f = client.Sys().GenerateRecoveryOperationTokenStatus
-	}
-
-	status, err := f()
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error getting root generation status: %s", err))
-		return "", 2
-	}
-
-	otp, err := roottoken.GenerateOTP(status.OTPLength)
-	var retCode int
-	if err != nil {
-		retCode = 2
-		c.UI.Error(err.Error())
-	} else {
-		retCode = 0
-	}
-	return otp, retCode
-}
-
-// decode decodes the given value using the otp.
-func (c *OperatorGenerateRootCommand) decode(client *api.Client, encoded, otp string, kind generateRootKind) int {
-	if encoded == "" {
-		c.UI.Error("Missing encoded value: use -decode=<string> to supply it")
-		return 1
-	}
-	if otp == "" {
-		c.UI.Error("Missing otp: use -otp to supply it")
-		return 1
-	}
-
-	if encoded == "-" {
-		// Pull our fake stdin if needed
-		stdin := (io.Reader)(os.Stdin)
-		if c.testStdin != nil {
-			stdin = c.testStdin
-		}
-
-		var buf bytes.Buffer
-		if _, err := io.Copy(&buf, stdin); err != nil {
-			c.UI.Error(fmt.Sprintf("Failed to read from stdin: %s", err))
-			return 1
-		}
-
-		encoded = buf.String()
-
-		if encoded == "" {
-			c.UI.Error("Missing encoded value. When using -decode=\"-\" value must be passed via stdin.")
-			return 1
-		}
-	}
-
-	f := client.Sys().GenerateRootStatus
-	switch kind {
-	case generateRootDR:
-		f = client.Sys().GenerateDROperationTokenStatus
-	case generateRootRecovery:
-		f = client.Sys().GenerateRecoveryOperationTokenStatus
-	}
-
-	status, err := f()
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error getting root generation status: %s", err))
-		return 2
-	}
-
-	token, err := roottoken.DecodeToken(encoded, otp, status.OTPLength)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error decoding root token: %s", err))
-		return 1
-	}
-
-	switch Format(c.UI) {
-	case "", "table":
-		return PrintRaw(c.UI, token)
-	default:
-		tokenJSON := map[string]interface{}{
-			"token": token,
-		}
-		return OutputData(c.UI, tokenJSON)
-	}
-}
-
-// init is used to start the generation process
-func (c *OperatorGenerateRootCommand) init(client *api.Client, otp, pgpKey string, kind generateRootKind) int {
-	// Validate incoming fields. Either OTP OR PGP keys must be supplied.
-	if otp != "" && pgpKey != "" {
-		c.UI.Error("Error initializing: cannot specify both -otp and -pgp-key")
-		return 1
-	}
-
-	// Start the root generation
-	f := client.Sys().GenerateRootInit
-	switch kind {
-	case generateRootDR:
-		f = client.Sys().GenerateDROperationTokenInit
-	case generateRootRecovery:
-		f = client.Sys().GenerateRecoveryOperationTokenInit
-	}
-	status, err := f(otp, pgpKey)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error initializing root generation: %s", err))
-		return 2
-	}
-
-	switch Format(c.UI) {
-	case "table":
-		return c.printStatus(status)
-	default:
-		return OutputData(c.UI, status)
-	}
-}
-
-// provide prompts the user for the seal key and posts it to the update root
-// endpoint. If this is the last unseal, this function outputs it.
-func (c *OperatorGenerateRootCommand) provide(client *api.Client, key string, kind generateRootKind) int {
-	f := client.Sys().GenerateRootStatus
-	switch kind {
-	case generateRootDR:
-		f = client.Sys().GenerateDROperationTokenStatus
-	case generateRootRecovery:
-		f = client.Sys().GenerateRecoveryOperationTokenStatus
-	}
-	status, err := f()
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error getting root generation status: %s", err))
-		return 2
-	}
-
-	// Verify a root token generation is in progress. If there is not one in
-	// progress, return an error instructing the user to start one.
-	if !status.Started {
-		c.UI.Error(wrapAtLength(
-			"No root generation is in progress. Start a root generation by " +
-				"running \"vault operator generate-root -init\"."))
-		c.UI.Warn(wrapAtLength(fmt.Sprintf(
-			"If starting root generation using the OTP method and generating "+
-				"your own OTP, the length of the OTP string needs to be %d "+
-				"characters in length.", status.OTPLength)))
-		return 1
-	}
-
-	var nonce string
-
-	switch key {
-	case "-": // Read from stdin
-		nonce = c.flagNonce
-
-		// Pull our fake stdin if needed
-		stdin := (io.Reader)(os.Stdin)
-		if c.testStdin != nil {
-			stdin = c.testStdin
-		}
-
-		var buf bytes.Buffer
-		if _, err := io.Copy(&buf, stdin); err != nil {
-			c.UI.Error(fmt.Sprintf("Failed to read from stdin: %s", err))
-			return 1
-		}
-
-		key = buf.String()
-	case "": // Prompt using the tty
-		// Nonce value is not required if we are prompting via the terminal
-		nonce = status.Nonce
-
-		w := getWriterFromUI(c.UI)
-		fmt.Fprintf(w, "Operation nonce: %s\n", nonce)
-		fmt.Fprintf(w, "Unseal Key (will be hidden): ")
-		key, err = password.Read(os.Stdin)
-		fmt.Fprintf(w, "\n")
-		if err != nil {
-			if err == password.ErrInterrupted {
-				c.UI.Error("user canceled")
-				return 1
-			}
-
-			c.UI.Error(wrapAtLength(fmt.Sprintf("An error occurred attempting to "+
-				"ask for the unseal key. The raw error message is shown below, but "+
-				"usually this is because you attempted to pipe a value into the "+
-				"command or you are executing outside of a terminal (tty). If you "+
-				"want to pipe the value, pass \"-\" as the argument to read from "+
-				"stdin. The raw error was: %s", err)))
-			return 1
-		}
-	default: // Supplied directly as an arg
-		nonce = c.flagNonce
-	}
-
-	// Trim any whitespace from they key, especially since we might have prompted
-	// the user for it.
-	key = strings.TrimSpace(key)
-
-	// Verify we have a nonce value
-	if nonce == "" {
-		c.UI.Error("Missing nonce value: specify it via the -nonce flag")
-		return 1
-	}
-
-	// Provide the key, this may potentially complete the update
-	fUpd := client.Sys().GenerateRootUpdate
-	switch kind {
-	case generateRootDR:
-		fUpd = client.Sys().GenerateDROperationTokenUpdate
-	case generateRootRecovery:
-		fUpd = client.Sys().GenerateRecoveryOperationTokenUpdate
-	}
-	status, err = fUpd(key, nonce)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error posting unseal key: %s", err))
-		return 2
-	}
-	switch Format(c.UI) {
-	case "table":
-		return c.printStatus(status)
-	default:
-		return OutputData(c.UI, status)
-	}
-}
-
-// cancel cancels the root token generation
-func (c *OperatorGenerateRootCommand) cancel(client *api.Client, kind generateRootKind) int {
-	f := client.Sys().GenerateRootCancel
-	switch kind {
-	case generateRootDR:
-		f = client.Sys().GenerateDROperationTokenCancel
-	case generateRootRecovery:
-		f = client.Sys().GenerateRecoveryOperationTokenCancel
-	}
-	if err := f(); err != nil {
-		c.UI.Error(fmt.Sprintf("Error canceling root token generation: %s", err))
-		return 2
-	}
-	c.UI.Output("Success! Root token generation canceled (if it was started)")
-	return 0
-}
-
-// status is used just to fetch and dump the status
-func (c *OperatorGenerateRootCommand) status(client *api.Client, kind generateRootKind) int {
-	f := client.Sys().GenerateRootStatus
-	switch kind {
-	case generateRootDR:
-		f = client.Sys().GenerateDROperationTokenStatus
-	case generateRootRecovery:
-		f = client.Sys().GenerateRecoveryOperationTokenStatus
-	}
-
-	status, err := f()
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error getting root generation status: %s", err))
-		return 2
-	}
-	switch Format(c.UI) {
-	case "table":
-		return c.printStatus(status)
-	default:
-		return OutputData(c.UI, status)
-	}
-}
-
-// printStatus dumps the status to output
-func (c *OperatorGenerateRootCommand) printStatus(status *api.GenerateRootStatusResponse) int {
-	out := []string{}
-	out = append(out, fmt.Sprintf("Nonce | %s", status.Nonce))
-	out = append(out, fmt.Sprintf("Started | %t", status.Started))
-	out = append(out, fmt.Sprintf("Progress | %d/%d", status.Progress, status.Required))
-	out = append(out, fmt.Sprintf("Complete | %t", status.Complete))
-	if status.PGPFingerprint != "" {
-		out = append(out, fmt.Sprintf("PGP Fingerprint | %s", status.PGPFingerprint))
-	}
-	switch {
-	case status.EncodedToken != "":
-		out = append(out, fmt.Sprintf("Encoded Token | %s", status.EncodedToken))
-	case status.EncodedRootToken != "":
-		out = append(out, fmt.Sprintf("Encoded Root Token | %s", status.EncodedRootToken))
-	}
-	if status.OTP != "" {
-		c.UI.Warn(wrapAtLength("A One-Time-Password has been generated for you and is shown in the OTP field. You will need this value to decode the resulting root token, so keep it safe."))
-		out = append(out, fmt.Sprintf("OTP | %s", status.OTP))
-	}
-	if status.OTPLength != 0 {
-		out = append(out, fmt.Sprintf("OTP Length | %d", status.OTPLength))
-	}
-
-	output := columnOutput(out, nil)
-	c.UI.Output(output)
-	return 0
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<form {{action (perform this.save this.model) on="submit"}}>
+  <MessageError @model={{this.model}} data-test-edit-form-error />
+  <div class={{if this.includeBox "box is-sideless is-fullwidth is-marginless"}}>
+    <NamespaceReminder @mode="save" />
+    {{#if (or this.model.fields this.model.attrs)}}
+      {{#each (or this.model.fields this.model.attrs) as |attr|}}
+        <FormField
+          data-test-field
+          @attr={{attr}}
+          @model={{this.model}}
+          @mode={{@mode}}
+          @modelValidations={{this.modelValidations}}
+        />
+      {{/each}}
+    {{else if this.model.fieldGroups}}
+      <FormFieldGroups @model={{this.model}} @mode={{@mode}} @modelValidations={{this.modelValidations}} />
+    {{/if}}
+  </div>
+  <FormSaveButtons
+    @isSaving={{this.save.isRunning}}
+    @saveButtonText={{this.saveButtonText}}
+    @cancelLinkParams={{@cancelLinkParams}}
+    @includeBox={{this.includeBox}}
+    @onCancel={{@onCancel}}
+  >
+    <:error>
+      {{#if this.invalidFormAlert}}
+        <AlertInline @type="danger" class="has-top-padding-s" @message={{this.invalidFormAlert}} />
+      {{/if}}
+    </:error>
+  </FormSaveButtons>
+</form>
\ No newline at end of file
diff --git a/command/operator_generate_root_test.go b/command/operator_generate_root_test.go
index 4db2262cad1b..9d8bcb7b045a 100644
--- a/command/operator_generate_root_test.go
+++ b/command/operator_generate_root_test.go
@@ -1,561 +1,59 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-//go:build !race
-
-package command
-
-import (
-	"encoding/base64"
-	"io"
-	"os"
-	"regexp"
-	"strings"
-	"testing"
-
-	"github.com/hashicorp/vault/sdk/helper/xor"
-	"github.com/hashicorp/vault/vault"
-	"github.com/mitchellh/cli"
-)
-
-func testOperatorGenerateRootCommand(tb testing.TB) (*cli.MockUi, *OperatorGenerateRootCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &OperatorGenerateRootCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestOperatorGenerateRootCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"init_invalid_otp",
-			[]string{
-				"-init",
-				"-otp", "not-a-valid-otp",
-			},
-			"OTP string is wrong length",
-			2,
-		},
-		{
-			"init_pgp_multi",
-			[]string{
-				"-init",
-				"-pgp-key", "keybase:hashicorp",
-				"-pgp-key", "keybase:jefferai",
-			},
-			"can only be specified once",
-			1,
-		},
-		{
-			"init_pgp_multi_inline",
-			[]string{
-				"-init",
-				"-pgp-key", "keybase:hashicorp,keybase:jefferai",
-			},
-			"can only specify one pgp key",
-			1,
-		},
-		{
-			"init_pgp_otp",
-			[]string{
-				"-init",
-				"-pgp-key", "keybase:hashicorp",
-				"-otp", "abcd1234",
-			},
-			"cannot specify both -otp and -pgp-key",
-			1,
-		},
-	}
-
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, tc := range cases {
-			tc := tc
-
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
-
-				client, closer := testVaultServer(t)
-				defer closer()
-
-				ui, cmd := testOperatorGenerateRootCommand(t)
-				cmd.client = client
-
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("%s: expected %d to be %d", tc.name, code, tc.code)
-				}
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("%s: expected %q to contain %q", tc.name, combined, tc.out)
-				}
-			})
-		}
-	})
-
-	t.Run("generate_otp", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		_, cmd := testOperatorGenerateRootCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"-generate-otp",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-	})
-
-	t.Run("decode", func(t *testing.T) {
-		t.Parallel()
-
-		encoded := "Bxg9JQQqOCNKBRICNwMIRzo2J3cWCBRi"
-		otp := "3JhHkONiyiaNYj14nnD9xZQS"
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		ui, cmd := testOperatorGenerateRootCommand(t)
-		cmd.client = client
-
-		// Simulate piped output to print raw output
-		old := os.Stdout
-		_, w, err := os.Pipe()
-		if err != nil {
-			t.Fatal(err)
-		}
-		os.Stdout = w
-
-		code := cmd.Run([]string{
-			"-decode", encoded,
-			"-otp", otp,
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		w.Close()
-		os.Stdout = old
-
-		expected := "4RUmoevJ3lsLni9sTXcNnRE1"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if combined != expected {
-			t.Errorf("expected %q to be %q", combined, expected)
-		}
-	})
-
-	t.Run("decode_from_stdin", func(t *testing.T) {
-		t.Parallel()
-
-		encoded := "Bxg9JQQqOCNKBRICNwMIRzo2J3cWCBRi"
-		otp := "3JhHkONiyiaNYj14nnD9xZQS"
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		stdinR, stdinW := io.Pipe()
-		go func() {
-			stdinW.Write([]byte(encoded))
-			stdinW.Close()
-		}()
-
-		ui, cmd := testOperatorGenerateRootCommand(t)
-		cmd.client = client
-		cmd.testStdin = stdinR
-
-		// Simulate piped output to print raw output
-		old := os.Stdout
-		_, w, err := os.Pipe()
-		if err != nil {
-			t.Fatal(err)
-		}
-		os.Stdout = w
-
-		code := cmd.Run([]string{
-			"-decode", "-", // read from stdin
-			"-otp", otp,
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		w.Close()
-		os.Stdout = old
-
-		expected := "4RUmoevJ3lsLni9sTXcNnRE1"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if combined != expected {
-			t.Errorf("expected %q to be %q", combined, expected)
-		}
-	})
-
-	t.Run("decode_from_stdin_empty", func(t *testing.T) {
-		t.Parallel()
-
-		encoded := ""
-		otp := "3JhHkONiyiaNYj14nnD9xZQS"
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		stdinR, stdinW := io.Pipe()
-		go func() {
-			stdinW.Write([]byte(encoded))
-			stdinW.Close()
-		}()
-
-		ui, cmd := testOperatorGenerateRootCommand(t)
-		cmd.client = client
-		cmd.testStdin = stdinR
-
-		// Simulate piped output to print raw output
-		old := os.Stdout
-		_, w, err := os.Pipe()
-		if err != nil {
-			t.Fatal(err)
-		}
-		os.Stdout = w
-
-		code := cmd.Run([]string{
-			"-decode", "-", // read from stdin
-			"-otp", otp,
-		})
-		if exp := 1; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		w.Close()
-		os.Stdout = old
-
-		expected := "Missing encoded value"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("cancel", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		// Initialize a generation
-		if _, err := client.Sys().GenerateRootInit("", ""); err != nil {
-			t.Fatal(err)
-		}
-
-		ui, cmd := testOperatorGenerateRootCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"-cancel",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Success! Root token generation canceled"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-
-		status, err := client.Sys().GenerateRootStatus()
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		if status.Started {
-			t.Errorf("expected status to be canceled: %#v", status)
-		}
-	})
-
-	t.Run("init_otp", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		ui, cmd := testOperatorGenerateRootCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"-init",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Nonce"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-
-		status, err := client.Sys().GenerateRootStatus()
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		if !status.Started {
-			t.Errorf("expected status to be started: %#v", status)
-		}
-	})
-
-	t.Run("init_pgp", func(t *testing.T) {
-		t.Parallel()
-
-		pgpKey := "keybase:hashicorp"
-		pgpFingerprint := "c874011f0ab405110d02105534365d9472d7468f"
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		ui, cmd := testOperatorGenerateRootCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"-init",
-			"-pgp-key", pgpKey,
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Nonce"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-
-		status, err := client.Sys().GenerateRootStatus()
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		if !status.Started {
-			t.Errorf("expected status to be started: %#v", status)
-		}
-		if status.PGPFingerprint != pgpFingerprint {
-			t.Errorf("expected %q to be %q", status.PGPFingerprint, pgpFingerprint)
-		}
-	})
-
-	t.Run("status", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		ui, cmd := testOperatorGenerateRootCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"-status",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Nonce"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("provide_arg", func(t *testing.T) {
-		t.Parallel()
-
-		client, keys, closer := testVaultServerUnseal(t)
-		defer closer()
-
-		// Initialize a generation
-		status, err := client.Sys().GenerateRootInit("", "")
-		if err != nil {
-			t.Fatal(err)
-		}
-		nonce := status.Nonce
-		otp := status.OTP
-
-		// Supply the first n-1 unseal keys
-		for _, key := range keys[:len(keys)-1] {
-			_, cmd := testOperatorGenerateRootCommand(t)
-			cmd.client = client
-
-			code := cmd.Run([]string{
-				"-nonce", nonce,
-				key,
-			})
-			if exp := 0; code != exp {
-				t.Errorf("expected %d to be %d", code, exp)
-			}
-		}
-
-		ui, cmd := testOperatorGenerateRootCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"-nonce", nonce,
-			keys[len(keys)-1], // the last unseal key
-		})
-		if exp := 0; code != exp {
-			t.Fatalf("expected %d to be %d, out=%q, err=%q", code, exp, ui.OutputWriter, ui.ErrorWriter)
-		}
-
-		reToken := regexp.MustCompile(`Encoded Token\s+(.+)`)
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		match := reToken.FindAllStringSubmatch(combined, -1)
-		if len(match) < 1 || len(match[0]) < 2 {
-			t.Fatalf("no match: %#v", match)
-		}
-
-		tokenBytes, err := base64.RawStdEncoding.DecodeString(match[0][1])
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		token, err := xor.XORBytes(tokenBytes, []byte(otp))
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		if l, exp := len(token), vault.TokenLength+vault.TokenPrefixLength; l != exp {
-			t.Errorf("expected %d to be %d: %s", l, exp, token)
-		}
-	})
-
-	t.Run("provide_stdin", func(t *testing.T) {
-		t.Parallel()
-
-		client, keys, closer := testVaultServerUnseal(t)
-		defer closer()
-
-		// Initialize a generation
-		status, err := client.Sys().GenerateRootInit("", "")
-		if err != nil {
-			t.Fatal(err)
-		}
-		nonce := status.Nonce
-		otp := status.OTP
-
-		// Supply the first n-1 unseal keys
-		for _, key := range keys[:len(keys)-1] {
-			stdinR, stdinW := io.Pipe()
-			go func() {
-				stdinW.Write([]byte(key))
-				stdinW.Close()
-			}()
-
-			_, cmd := testOperatorGenerateRootCommand(t)
-			cmd.client = client
-			cmd.testStdin = stdinR
-
-			code := cmd.Run([]string{
-				"-nonce", nonce,
-				"-",
-			})
-			if exp := 0; code != exp {
-				t.Errorf("expected %d to be %d", code, exp)
-			}
-		}
-
-		stdinR, stdinW := io.Pipe()
-		go func() {
-			stdinW.Write([]byte(keys[len(keys)-1])) // the last unseal key
-			stdinW.Close()
-		}()
-
-		ui, cmd := testOperatorGenerateRootCommand(t)
-		cmd.client = client
-		cmd.testStdin = stdinR
-
-		code := cmd.Run([]string{
-			"-nonce", nonce,
-			"-",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		reToken := regexp.MustCompile(`Encoded Token\s+(.+)`)
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		match := reToken.FindAllStringSubmatch(combined, -1)
-		if len(match) < 1 || len(match[0]) < 2 {
-			t.Fatalf("no match: %#v", match)
-		}
-
-		// encodedOTP := base64.RawStdEncoding.EncodeToString([]byte(otp))
-
-		// tokenBytes, err := xor.XORBase64(match[0][1], encodedOTP)
-		// if err != nil {
-		// 	t.Fatal(err)
-		// }
-		// token, err := uuid.FormatUUID(tokenBytes)
-		// if err != nil {
-		// 	t.Fatal(err)
-		// }
-
-		tokenBytes, err := base64.RawStdEncoding.DecodeString(match[0][1])
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		token, err := xor.XORBytes(tokenBytes, []byte(otp))
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		if l, exp := len(token), vault.TokenLength+vault.TokenPrefixLength; l != exp {
-			t.Errorf("expected %d to be %d: %s", l, exp, token)
-		}
-	})
-
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerBad(t)
-		defer closer()
-
-		ui, cmd := testOperatorGenerateRootCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"secret/foo",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Error getting root generation status: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testOperatorGenerateRootCommand(t)
-		assertNoTabs(t, cmd)
-	})
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<KvPageHeader @breadcrumbs={{@breadcrumbs}} @pageTitle="Edit Secret Metadata" />
+
+{{#if @metadata.canUpdateMetadata}}
+  <hr class="is-marginless has-background-gray-200" />
+  <p class="has-top-margin-m has-bottom-margin-m">
+    The options below are all version-agnostic; they apply to all versions of this secret.
+  </p>
+  <form {{on "submit" (perform this.save)}}>
+    <div class="box is-sideless is-fullwidth is-marginless">
+      <NamespaceReminder @mode="update" @noun="KV secret metadata" />
+      <MessageError @errorMessage={{this.errorBanner}} class="has-top-margin-s" />
+      <KvMetadataFields @metadata={{@metadata}} @modelValidations={{this.modelValidations}} />
+    </div>
+    <div class="field is-grouped is-grouped-split is-fullwidth box is-bottomless">
+      <div class="has-top-padding-s">
+        <Hds::Button
+          @text="Update"
+          @icon={{if this.save.isRunning "loading"}}
+          type="submit"
+          disabled={{this.save.isRunning}}
+          data-test-kv-save
+        />
+        <Hds::Button
+          @text="Cancel"
+          @color="secondary"
+          class="has-left-margin-s"
+          disabled={{this.save.isRunning}}
+          {{on "click" this.cancel}}
+          data-test-kv-cancel
+        />
+        {{#if this.invalidFormAlert}}
+          <div class="control">
+            <AlertInline
+              data-test-invalid-form-alert
+              @type="danger"
+              class="has-top-padding-s"
+              @message={{this.invalidFormAlert}}
+            />
+          </div>
+        {{/if}}
+      </div>
+    </div>
+  </form>
+{{else}}
+  <EmptyState
+    @title="You do not have permissions to edit metadata"
+    @message="Ask your administrator if you think you should have access."
+  >
+    <LinkTo @route="secret.metadata.index">
+      View Metadata
+    </LinkTo>
+    <DocLink @path="/vault/api-docs/secret/kv/kv-v2#create-update-metadata">More here</DocLink>
+  </EmptyState>
+{{/if}}
\ No newline at end of file
diff --git a/command/operator_init.go b/command/operator_init.go
index 4b0f26bb4aa8..26e8b39295f0 100644
--- a/command/operator_init.go
+++ b/command/operator_init.go
@@ -1,595 +1,107 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"net/url"
-	"runtime"
-	"strings"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/helper/pgpkeys"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-
-	consulapi "github.com/hashicorp/consul/api"
-)
-
-var (
-	_ cli.Command             = (*OperatorInitCommand)(nil)
-	_ cli.CommandAutocomplete = (*OperatorInitCommand)(nil)
-)
-
-type OperatorInitCommand struct {
-	*BaseCommand
-
-	flagStatus          bool
-	flagKeyShares       int
-	flagKeyThreshold    int
-	flagPGPKeys         []string
-	flagRootTokenPGPKey string
-
-	// Auto Unseal
-	flagRecoveryShares    int
-	flagRecoveryThreshold int
-	flagRecoveryPGPKeys   []string
-	flagStoredShares      int
-
-	// Consul
-	flagConsulAuto    bool
-	flagConsulService string
-}
-
-const (
-	defKeyShares         = 5
-	defKeyThreshold      = 3
-	defRecoveryShares    = 5
-	defRecoveryThreshold = 3
-)
-
-func (c *OperatorInitCommand) Synopsis() string {
-	return "Initializes a server"
-}
-
-func (c *OperatorInitCommand) Help() string {
-	helpText := `
-Usage: vault operator init [options]
-
-  Initializes a Vault server. Initialization is the process by which Vault's
-  storage backend is prepared to receive data. Since Vault servers share the
-  same storage backend in HA mode, you only need to initialize one Vault to
-  initialize the storage backend.
-
-  During initialization, Vault generates an in-memory root key and applies
-  Shamir's secret sharing algorithm to disassemble that root key into a
-  configuration number of key shares such that a configurable subset of those
-  key shares must come together to regenerate the root key. These keys are
-  often called "unseal keys" in Vault's documentation.
-
-  This command cannot be run against an already-initialized Vault cluster.
-
-  Start initialization with the default options:
-
-      $ vault operator init
-
-  Initialize, but encrypt the unseal keys with pgp keys:
-
-      $ vault operator init \
-          -key-shares=3 \
-          -key-threshold=2 \
-          -pgp-keys="keybase:hashicorp,keybase:jefferai,keybase:sethvargo"
-
-  Encrypt the initial root token using a pgp key:
-
-      $ vault operator init -root-token-pgp-key="keybase:hashicorp"
-
-` + c.Flags().Help()
-	return strings.TrimSpace(helpText)
-}
-
-func (c *OperatorInitCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-
-	// Common Options
-	f := set.NewFlagSet("Common Options")
-
-	f.BoolVar(&BoolVar{
-		Name:    "status",
-		Target:  &c.flagStatus,
-		Default: false,
-		Usage: "Print the current initialization status. An exit code of 0 means " +
-			"the Vault is already initialized. An exit code of 1 means an error " +
-			"occurred. An exit code of 2 means the Vault is not initialized.",
-	})
-
-	f.IntVar(&IntVar{
-		Name:       "key-shares",
-		Aliases:    []string{"n"},
-		Target:     &c.flagKeyShares,
-		Completion: complete.PredictAnything,
-		Usage: "Number of key shares to split the generated root key into. " +
-			"This is the number of \"unseal keys\" to generate.",
-	})
-
-	f.IntVar(&IntVar{
-		Name:       "key-threshold",
-		Aliases:    []string{"t"},
-		Target:     &c.flagKeyThreshold,
-		Completion: complete.PredictAnything,
-		Usage: "Number of key shares required to reconstruct the root key. " +
-			"This must be less than or equal to -key-shares.",
-	})
-
-	f.VarFlag(&VarFlag{
-		Name:       "pgp-keys",
-		Value:      (*pgpkeys.PubKeyFilesFlag)(&c.flagPGPKeys),
-		Completion: complete.PredictAnything,
-		Usage: "Comma-separated list of paths to files on disk containing " +
-			"public PGP keys OR a comma-separated list of Keybase usernames using " +
-			"the format \"keybase:<username>\". When supplied, the generated " +
-			"unseal keys will be encrypted and base64-encoded in the order " +
-			"specified in this list. The number of entries must match -key-shares, " +
-			"unless -stored-shares are used.",
-	})
-
-	f.VarFlag(&VarFlag{
-		Name:       "root-token-pgp-key",
-		Value:      (*pgpkeys.PubKeyFileFlag)(&c.flagRootTokenPGPKey),
-		Completion: complete.PredictAnything,
-		Usage: "Path to a file on disk containing a binary or base64-encoded " +
-			"public PGP key. This can also be specified as a Keybase username " +
-			"using the format \"keybase:<username>\". When supplied, the generated " +
-			"root token will be encrypted and base64-encoded with the given public " +
-			"key.",
-	})
-
-	f.IntVar(&IntVar{
-		Name:    "stored-shares",
-		Target:  &c.flagStoredShares,
-		Default: -1,
-		Usage:   "DEPRECATED: This flag does nothing. It will be removed in Vault 1.3.",
-	})
-
-	// Consul Options
-	f = set.NewFlagSet("Consul Options")
-
-	f.BoolVar(&BoolVar{
-		Name:    "consul-auto",
-		Target:  &c.flagConsulAuto,
-		Default: false,
-		Usage: "Perform automatic service discovery using Consul in HA mode. " +
-			"When all nodes in a Vault HA cluster are registered with Consul, " +
-			"enabling this option will trigger automatic service discovery based " +
-			"on the provided -consul-service value. When Consul is Vault's HA " +
-			"backend, this functionality is automatically enabled. Ensure the " +
-			"proper Consul environment variables are set (CONSUL_HTTP_ADDR, etc). " +
-			"When only one Vault server is discovered, it will be initialized " +
-			"automatically. When more than one Vault server is discovered, they " +
-			"will each be output for selection.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "consul-service",
-		Target:     &c.flagConsulService,
-		Default:    "vault",
-		Completion: complete.PredictAnything,
-		Usage: "Name of the service in Consul under which the Vault servers are " +
-			"registered.",
-	})
-
-	// Auto Unseal Options
-	f = set.NewFlagSet("Auto Unseal Options")
-
-	f.IntVar(&IntVar{
-		Name:       "recovery-shares",
-		Target:     &c.flagRecoveryShares,
-		Completion: complete.PredictAnything,
-		Usage: "Number of key shares to split the recovery key into. " +
-			"This is only used in auto-unseal mode.",
-	})
-
-	f.IntVar(&IntVar{
-		Name:       "recovery-threshold",
-		Target:     &c.flagRecoveryThreshold,
-		Completion: complete.PredictAnything,
-		Usage: "Number of key shares required to reconstruct the recovery key. " +
-			"This is only used in Auto Unseal mode.",
-	})
-
-	f.VarFlag(&VarFlag{
-		Name:       "recovery-pgp-keys",
-		Value:      (*pgpkeys.PubKeyFilesFlag)(&c.flagRecoveryPGPKeys),
-		Completion: complete.PredictAnything,
-		Usage: "Behaves like -pgp-keys, but for the recovery key shares. This " +
-			"is only used in Auto Unseal mode.",
-	})
-
-	return set
-}
-
-func (c *OperatorInitCommand) AutocompleteArgs() complete.Predictor {
-	return nil
-}
-
-func (c *OperatorInitCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *OperatorInitCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	if len(args) > 0 {
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(args)))
-		return 1
-	}
-
-	if c.flagStoredShares != -1 {
-		c.UI.Warn("-stored-shares has no effect and will be removed in Vault 1.3.\n")
-	}
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	// -output-curl string returns curl command for seal status
-	// setting this to false and then setting actual value after reading seal status
-	currentOutputCurlString := client.OutputCurlString()
-	client.SetOutputCurlString(false)
-	// -output-policy string returns minimum required policy HCL for seal status
-	// setting this to false and then setting actual value after reading seal status
-	outputPolicy := client.OutputPolicy()
-	client.SetOutputPolicy(false)
-
-	// Set defaults based on use of auto unseal seal
-	sealInfo, err := client.Sys().SealStatus()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	client.SetOutputCurlString(currentOutputCurlString)
-	client.SetOutputPolicy(outputPolicy)
-
-	switch sealInfo.RecoverySeal {
-	case true:
-		if c.flagRecoveryShares == 0 {
-			c.flagRecoveryShares = defRecoveryShares
-		}
-		if c.flagRecoveryThreshold == 0 {
-			c.flagRecoveryThreshold = defRecoveryThreshold
-		}
-	default:
-		if c.flagKeyShares == 0 {
-			c.flagKeyShares = defKeyShares
-		}
-		if c.flagKeyThreshold == 0 {
-			c.flagKeyThreshold = defKeyThreshold
-		}
-	}
-
-	// Build the initial init request
-	initReq := &api.InitRequest{
-		SecretShares:    c.flagKeyShares,
-		SecretThreshold: c.flagKeyThreshold,
-		PGPKeys:         c.flagPGPKeys,
-		RootTokenPGPKey: c.flagRootTokenPGPKey,
-
-		RecoveryShares:    c.flagRecoveryShares,
-		RecoveryThreshold: c.flagRecoveryThreshold,
-		RecoveryPGPKeys:   c.flagRecoveryPGPKeys,
-	}
-
-	// Check auto mode
-	switch {
-	case c.flagStatus:
-		return c.status(client)
-	case c.flagConsulAuto:
-		return c.consulAuto(client, initReq)
-	default:
-		return c.init(client, initReq)
-	}
-}
-
-// consulAuto enables auto-joining via Consul.
-func (c *OperatorInitCommand) consulAuto(client *api.Client, req *api.InitRequest) int {
-	// Capture the client original address and reset it
-	originalAddr := client.Address()
-	defer client.SetAddress(originalAddr)
-
-	// Create a client to communicate with Consul
-	consulClient, err := consulapi.NewClient(consulapi.DefaultConfig())
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Failed to create Consul client:%v", err))
-		return 1
-	}
-
-	// Pull the scheme from the Vault client to determine if the Consul agent
-	// should talk via HTTP or HTTPS.
-	addr := client.Address()
-	clientURL, err := url.Parse(addr)
-	if err != nil || clientURL == nil {
-		c.UI.Error(fmt.Sprintf("Failed to parse Vault address %s: %s", addr, err))
-		return 1
-	}
-
-	var uninitedVaults []string
-	var initedVault string
-
-	// Query the nodes belonging to the cluster
-	services, _, err := consulClient.Catalog().Service(c.flagConsulService, "", &consulapi.QueryOptions{
-		AllowStale: true,
-	})
-	if err == nil {
-		for _, service := range services {
-			// Set the address on the client temporarily
-			vaultAddr := (&url.URL{
-				Scheme: clientURL.Scheme,
-				Host:   fmt.Sprintf("%s:%d", service.ServiceAddress, service.ServicePort),
-			}).String()
-			client.SetAddress(vaultAddr)
-
-			// Check the initialization status of the discovered node
-			inited, err := client.Sys().InitStatus()
-			if err != nil {
-				c.UI.Error(fmt.Sprintf("Error checking init status of %q: %s", vaultAddr, err))
-			}
-			if inited {
-				initedVault = vaultAddr
-				break
-			}
-
-			// If we got this far, we communicated successfully with Vault, but it
-			// was not initialized.
-			uninitedVaults = append(uninitedVaults, vaultAddr)
-		}
-	}
-
-	// Get the correct export keywords and quotes for *nix vs Windows
-	export := "export"
-	quote := "\""
-	if runtime.GOOS == "windows" {
-		export = "set"
-		quote = ""
-	}
-
-	if initedVault != "" {
-		vaultURL, err := url.Parse(initedVault)
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Failed to parse Vault address %q: %s", initedVault, err))
-			return 2
-		}
-		vaultAddr := vaultURL.String()
-
-		c.UI.Output(wrapAtLength(fmt.Sprintf(
-			"Discovered an initialized Vault node at %q with Consul service name "+
-				"%q. Set the following environment variable to target the discovered "+
-				"Vault server:",
-			vaultURL.String(), c.flagConsulService)))
-		c.UI.Output("")
-		c.UI.Output(fmt.Sprintf("    $ %s VAULT_ADDR=%s%s%s", export, quote, vaultAddr, quote))
-		c.UI.Output("")
-		return 0
-	}
-
-	switch len(uninitedVaults) {
-	case 0:
-		c.UI.Error(fmt.Sprintf("No Vault nodes registered as %q in Consul", c.flagConsulService))
-		return 2
-	case 1:
-		// There was only one node found in the Vault cluster and it was
-		// uninitialized.
-		vaultURL, err := url.Parse(uninitedVaults[0])
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Failed to parse Vault address %q: %s", initedVault, err))
-			return 2
-		}
-		vaultAddr := vaultURL.String()
-
-		// Update the client to connect to this Vault server
-		client.SetAddress(vaultAddr)
-
-		// Let the client know that initialization is performed on the
-		// discovered node.
-		c.UI.Output(wrapAtLength(fmt.Sprintf(
-			"Discovered an initialized Vault node at %q with Consul service name "+
-				"%q. Set the following environment variable to target the discovered "+
-				"Vault server:",
-			vaultURL.String(), c.flagConsulService)))
-		c.UI.Output("")
-		c.UI.Output(fmt.Sprintf("    $ %s VAULT_ADDR=%s%s%s", export, quote, vaultAddr, quote))
-		c.UI.Output("")
-		c.UI.Output("Attempting to initialize it...")
-		c.UI.Output("")
-
-		// Attempt to initialize it
-		return c.init(client, req)
-	default:
-		// If more than one Vault node were discovered, print out all of them,
-		// requiring the client to update VAULT_ADDR and to run init again.
-		c.UI.Output(wrapAtLength(fmt.Sprintf(
-			"Discovered %d uninitialized Vault servers with Consul service name "+
-				"%q. To initialize these Vaults, set any one of the following "+
-				"environment variables and run \"vault operator init\":",
-			len(uninitedVaults), c.flagConsulService)))
-		c.UI.Output("")
-
-		// Print valid commands to make setting the variables easier
-		for _, node := range uninitedVaults {
-			vaultURL, err := url.Parse(node)
-			if err != nil {
-				c.UI.Error(fmt.Sprintf("Failed to parse Vault address %q: %s", initedVault, err))
-				return 2
-			}
-			vaultAddr := vaultURL.String()
-
-			c.UI.Output(fmt.Sprintf("    $ %s VAULT_ADDR=%s%s%s", export, quote, vaultAddr, quote))
-		}
-
-		c.UI.Output("")
-		return 0
-	}
-}
-
-func (c *OperatorInitCommand) init(client *api.Client, req *api.InitRequest) int {
-	resp, err := client.Sys().Init(req)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error initializing: %s", err))
-		return 2
-	}
-
-	switch Format(c.UI) {
-	case "table":
-	default:
-		return OutputData(c.UI, newMachineInit(req, resp))
-	}
-
-	for i, key := range resp.Keys {
-		if resp.KeysB64 != nil && len(resp.KeysB64) == len(resp.Keys) {
-			c.UI.Output(fmt.Sprintf("Unseal Key %d: %s", i+1, resp.KeysB64[i]))
-		} else {
-			c.UI.Output(fmt.Sprintf("Unseal Key %d: %s", i+1, key))
-		}
-	}
-	for i, key := range resp.RecoveryKeys {
-		if resp.RecoveryKeysB64 != nil && len(resp.RecoveryKeysB64) == len(resp.RecoveryKeys) {
-			c.UI.Output(fmt.Sprintf("Recovery Key %d: %s", i+1, resp.RecoveryKeysB64[i]))
-		} else {
-			c.UI.Output(fmt.Sprintf("Recovery Key %d: %s", i+1, key))
-		}
-	}
-
-	c.UI.Output("")
-	c.UI.Output(fmt.Sprintf("Initial Root Token: %s", resp.RootToken))
-
-	if len(resp.Keys) > 0 {
-		c.UI.Output("")
-		c.UI.Output(wrapAtLength(fmt.Sprintf(
-			"Vault initialized with %d key shares and a key threshold of %d. Please "+
-				"securely distribute the key shares printed above. When the Vault is "+
-				"re-sealed, restarted, or stopped, you must supply at least %d of "+
-				"these keys to unseal it before it can start servicing requests.",
-			req.SecretShares,
-			req.SecretThreshold,
-			req.SecretThreshold)))
-
-		c.UI.Output("")
-		c.UI.Output(wrapAtLength(fmt.Sprintf(
-			"Vault does not store the generated root key. Without at least %d "+
-				"keys to reconstruct the root key, Vault will remain permanently "+
-				"sealed!",
-			req.SecretThreshold)))
-
-		c.UI.Output("")
-		c.UI.Output(wrapAtLength(
-			"It is possible to generate new unseal keys, provided you have a quorum " +
-				"of existing unseal keys shares. See \"vault operator rekey\" for " +
-				"more information."))
-	} else {
-		c.UI.Output("")
-		c.UI.Output("Success! Vault is initialized")
-	}
-
-	if len(resp.RecoveryKeys) > 0 {
-		c.UI.Output("")
-		c.UI.Output(wrapAtLength(fmt.Sprintf(
-			"Recovery key initialized with %d key shares and a key threshold of %d. "+
-				"Please securely distribute the key shares printed above.",
-			req.RecoveryShares,
-			req.RecoveryThreshold)))
-	}
-
-	return 0
-}
-
-// status inspects the init status of vault and returns an appropriate error
-// code and message.
-func (c *OperatorInitCommand) status(client *api.Client) int {
-	inited, err := client.Sys().InitStatus()
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error checking init status: %s", err))
-		return 1 // Normally we'd return 2, but 2 means something special here
-	}
-
-	errorCode := 0
-
-	if !inited {
-		errorCode = 2
-	}
-
-	switch Format(c.UI) {
-	case "table":
-		if inited {
-			c.UI.Output("Vault is initialized")
-		} else {
-			c.UI.Output("Vault is not initialized")
-		}
-	default:
-		data := api.InitStatusResponse{Initialized: inited}
-		OutputData(c.UI, data)
-	}
-
-	return errorCode
-}
-
-// machineInit is used to output information about the init command.
-type machineInit struct {
-	UnsealKeysB64     []string `json:"unseal_keys_b64"`
-	UnsealKeysHex     []string `json:"unseal_keys_hex"`
-	UnsealShares      int      `json:"unseal_shares"`
-	UnsealThreshold   int      `json:"unseal_threshold"`
-	RecoveryKeysB64   []string `json:"recovery_keys_b64"`
-	RecoveryKeysHex   []string `json:"recovery_keys_hex"`
-	RecoveryShares    int      `json:"recovery_keys_shares"`
-	RecoveryThreshold int      `json:"recovery_keys_threshold"`
-	RootToken         string   `json:"root_token"`
-}
-
-func newMachineInit(req *api.InitRequest, resp *api.InitResponse) *machineInit {
-	init := &machineInit{}
-
-	init.UnsealKeysHex = make([]string, len(resp.Keys))
-	for i, v := range resp.Keys {
-		init.UnsealKeysHex[i] = v
-	}
-
-	init.UnsealKeysB64 = make([]string, len(resp.KeysB64))
-	for i, v := range resp.KeysB64 {
-		init.UnsealKeysB64[i] = v
-	}
-
-	// If we don't get a set of keys back, it means that we are storing the keys,
-	// so the key shares and threshold has been set to 1.
-	if len(resp.Keys) == 0 {
-		init.UnsealShares = 1
-		init.UnsealThreshold = 1
-	} else {
-		init.UnsealShares = req.SecretShares
-		init.UnsealThreshold = req.SecretThreshold
-	}
-
-	init.RecoveryKeysHex = make([]string, len(resp.RecoveryKeys))
-	for i, v := range resp.RecoveryKeys {
-		init.RecoveryKeysHex[i] = v
-	}
-
-	init.RecoveryKeysB64 = make([]string, len(resp.RecoveryKeysB64))
-	for i, v := range resp.RecoveryKeysB64 {
-		init.RecoveryKeysB64[i] = v
-	}
-
-	init.RecoveryShares = req.RecoveryShares
-	init.RecoveryThreshold = req.RecoveryThreshold
-
-	init.RootToken = resp.RootToken
-
-	return init
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Component from '@glimmer/component';
+import { action } from '@ember/object';
+import { tracked } from '@glimmer/tracking';
+import { task } from 'ember-concurrency';
+import { inject as service } from '@ember/service';
+import errorMessage from 'vault/utils/error-message';
+
+/**
+ * @module KvSecretEdit is used for creating a new version of a secret
+ *
+ * <Page::Secret::Edit
+ *  @secret={{this.model.newVersion}}
+ *  @previousVersion={{this.model.secret.version}}
+ *  @currentVersion={{this.model.metadata.currentVersion}}
+ *  @breadcrumbs={{this.breadcrumbs}
+ * />
+ *
+ * @param {model} secret - Ember data model: 'kv/data', the new record for the new secret version saved by the form
+ * @param {number} previousVersion - previous secret version number
+ * @param {number} currentVersion - current secret version, comes from the metadata endpoint
+ * @param {array} breadcrumbs - breadcrumb objects to render in page header
+ */
+
+/* eslint-disable no-undef */
+export default class KvSecretEdit extends Component {
+  @service controlGroup;
+  @service flashMessages;
+  @service router;
+
+  @tracked showJsonView = false;
+  @tracked showDiff = false;
+  @tracked errorMessage;
+  @tracked modelValidations;
+  @tracked invalidFormAlert;
+  originalSecret;
+  secretDataIsAdvanced;
+
+  constructor() {
+    super(...arguments);
+    this.originalSecret = JSON.stringify(this.args.secret.secretData || {});
+    if (this.originalSecret.lastIndexOf('{') > 0) {
+      // Dumb way to check if there's a nested object in the secret
+      this.secretDataIsAdvanced = true;
+    }
+  }
+
+  get showOldVersionAlert() {
+    const { currentVersion, previousVersion } = this.args;
+    // isNew check prevents alert from flashing after save but before route transitions
+    if (!currentVersion || !previousVersion || !this.args.secret.isNew) return false;
+    if (currentVersion !== previousVersion) return true;
+    return false;
+  }
+
+  get diffDelta() {
+    const oldData = JSON.parse(this.originalSecret);
+    const newData = this.args.secret.secretData;
+
+    const diffpatcher = jsondiffpatch.create({});
+    return diffpatcher.diff(oldData, newData);
+  }
+
+  get visualDiff() {
+    if (!this.showDiff) return null;
+    const newData = this.args.secret.secretData;
+    return this.diffDelta
+      ? jsondiffpatch.formatters.html.format(this.diffDelta, newData)
+      : JSON.stringify(newData, undefined, 2);
+  }
+
+  @task
+  *save(event) {
+    event.preventDefault();
+    try {
+      const { isValid, state, invalidFormMessage } = this.args.secret.validate();
+      this.modelValidations = isValid ? null : state;
+      this.invalidFormAlert = invalidFormMessage;
+      if (isValid) {
+        const { secret } = this.args;
+        yield secret.save();
+        this.flashMessages.success(`Successfully created new version of ${secret.path}.`);
+        this.router.transitionTo('vault.cluster.secrets.backend.kv.secret.details', {
+          queryParams: { version: secret?.version },
+        });
+      }
+    } catch (error) {
+      let message = errorMessage(error);
+      if (error.message === 'Control Group encountered') {
+        this.controlGroup.saveTokenFromError(error);
+        const err = this.controlGroup.logFromError(error);
+        message = err.content;
+      }
+      this.errorMessage = message;
+      this.invalidFormAlert = 'There was an error submitting this form.';
+    }
+  }
+
+  @action
+  onCancel() {
+    this.router.transitionTo('vault.cluster.secrets.backend.kv.secret.details');
+  }
 }
diff --git a/command/operator_init_test.go b/command/operator_init_test.go
index 917686543223..f3ddb560ea47 100644
--- a/command/operator_init_test.go
+++ b/command/operator_init_test.go
@@ -1,374 +1,33 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-//go:build !race
-
-package command
-
-import (
-	"fmt"
-	"os"
-	"regexp"
-	"strconv"
-	"strings"
-	"testing"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/helper/pgpkeys"
-	"github.com/hashicorp/vault/vault"
-	"github.com/mitchellh/cli"
-)
-
-func testOperatorInitCommand(tb testing.TB) (*cli.MockUi, *OperatorInitCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &OperatorInitCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestOperatorInitCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"too_many_args",
-			[]string{"foo"},
-			"Too many arguments",
-			1,
-		},
-		{
-			"pgp_keys_multi",
-			[]string{
-				"-pgp-keys", "keybase:hashicorp",
-				"-pgp-keys", "keybase:jefferai",
-			},
-			"can only be specified once",
-			1,
-		},
-		{
-			"root_token_pgp_key_multi",
-			[]string{
-				"-root-token-pgp-key", "keybase:hashicorp",
-				"-root-token-pgp-key", "keybase:jefferai",
-			},
-			"can only be specified once",
-			1,
-		},
-		{
-			"root_token_pgp_key_multi_inline",
-			[]string{
-				"-root-token-pgp-key", "keybase:hashicorp,keybase:jefferai",
-			},
-			"can only specify one pgp key",
-			1,
-		},
-		{
-			"recovery_pgp_keys_multi",
-			[]string{
-				"-recovery-pgp-keys", "keybase:hashicorp",
-				"-recovery-pgp-keys", "keybase:jefferai",
-			},
-			"can only be specified once",
-			1,
-		},
-		{
-			"key_shares_pgp_less",
-			[]string{
-				"-key-shares", "10",
-				"-pgp-keys", "keybase:jefferai,keybase:sethvargo",
-			},
-			"incorrect number",
-			2,
-		},
-		{
-			"key_shares_pgp_more",
-			[]string{
-				"-key-shares", "1",
-				"-pgp-keys", "keybase:jefferai,keybase:sethvargo",
-			},
-			"incorrect number",
-			2,
-		},
-	}
-
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, tc := range cases {
-			tc := tc
-
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
-
-				client, closer := testVaultServer(t)
-				defer closer()
-
-				ui, cmd := testOperatorInitCommand(t)
-				cmd.client = client
-
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
-	})
-
-	t.Run("status", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerUninit(t)
-		defer closer()
-
-		ui, cmd := testOperatorInitCommand(t)
-		cmd.client = client
-
-		// Verify the non-init response code
-		code := cmd.Run([]string{
-			"-status",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
-		}
-
-		// Now init to verify the init response code
-		if _, err := client.Sys().Init(&api.InitRequest{
-			SecretShares:    1,
-			SecretThreshold: 1,
-		}); err != nil {
-			t.Fatal(err)
-		}
-
-		// Verify the init response code
-		ui, cmd = testOperatorInitCommand(t)
-		cmd.client = client
-		code = cmd.Run([]string{
-			"-status",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
-		}
-	})
-
-	t.Run("default", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerUninit(t)
-		defer closer()
-
-		ui, cmd := testOperatorInitCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
-		}
-
-		init, err := client.Sys().InitStatus()
-		if err != nil {
-			t.Fatal(err)
-		}
-		if !init {
-			t.Error("expected initialized")
-		}
-
-		re := regexp.MustCompile(`Unseal Key \d+: (.+)`)
-		output := ui.OutputWriter.String()
-		match := re.FindAllStringSubmatch(output, -1)
-		if len(match) < 5 || len(match[0]) < 2 {
-			t.Fatalf("no match: %#v", match)
-		}
-
-		keys := make([]string, len(match))
-		for i := range match {
-			keys[i] = match[i][1]
-		}
-
-		// Try unsealing with those keys - only use 3, which is the default
-		// threshold.
-		for i, key := range keys[:3] {
-			resp, err := client.Sys().Unseal(key)
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			exp := (i + 1) % 3 // 1, 2, 0
-			if resp.Progress != exp {
-				t.Errorf("expected %d to be %d", resp.Progress, exp)
-			}
-		}
-
-		status, err := client.Sys().SealStatus()
-		if err != nil {
-			t.Fatal(err)
-		}
-		if status.Sealed {
-			t.Errorf("expected vault to be unsealed: %#v", status)
-		}
-	})
-
-	t.Run("custom_shares_threshold", func(t *testing.T) {
-		t.Parallel()
-
-		keyShares, keyThreshold := 20, 15
-
-		client, closer := testVaultServerUninit(t)
-		defer closer()
-
-		ui, cmd := testOperatorInitCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"-key-shares", strconv.Itoa(keyShares),
-			"-key-threshold", strconv.Itoa(keyThreshold),
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
-		}
-
-		init, err := client.Sys().InitStatus()
-		if err != nil {
-			t.Fatal(err)
-		}
-		if !init {
-			t.Error("expected initialized")
-		}
-
-		re := regexp.MustCompile(`Unseal Key \d+: (.+)`)
-		output := ui.OutputWriter.String()
-		match := re.FindAllStringSubmatch(output, -1)
-		if len(match) < keyShares || len(match[0]) < 2 {
-			t.Fatalf("no match: %#v", match)
-		}
-
-		keys := make([]string, len(match))
-		for i := range match {
-			keys[i] = match[i][1]
-		}
-
-		// Try unsealing with those keys - only use 3, which is the default
-		// threshold.
-		for i, key := range keys[:keyThreshold] {
-			resp, err := client.Sys().Unseal(key)
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			exp := (i + 1) % keyThreshold
-			if resp.Progress != exp {
-				t.Errorf("expected %d to be %d", resp.Progress, exp)
-			}
-		}
-
-		status, err := client.Sys().SealStatus()
-		if err != nil {
-			t.Fatal(err)
-		}
-		if status.Sealed {
-			t.Errorf("expected vault to be unsealed: %#v", status)
-		}
-	})
-
-	t.Run("pgp", func(t *testing.T) {
-		t.Parallel()
-
-		tempDir, pubFiles, err := getPubKeyFiles(t)
-		if err != nil {
-			t.Fatal(err)
-		}
-		defer os.RemoveAll(tempDir)
-
-		client, closer := testVaultServerUninit(t)
-		defer closer()
-
-		ui, cmd := testOperatorInitCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"-key-shares", "4",
-			"-key-threshold", "2",
-			"-pgp-keys", fmt.Sprintf("%s,@%s, %s,     %s           ",
-				pubFiles[0], pubFiles[1], pubFiles[2], pubFiles[3]),
-			"-root-token-pgp-key", pubFiles[0],
-		})
-		if exp := 0; code != exp {
-			t.Fatalf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
-		}
-
-		re := regexp.MustCompile(`Unseal Key \d+: (.+)`)
-		output := ui.OutputWriter.String()
-		match := re.FindAllStringSubmatch(output, -1)
-		if len(match) < 4 || len(match[0]) < 2 {
-			t.Fatalf("no match: %#v", match)
-		}
-
-		keys := make([]string, len(match))
-		for i := range match {
-			keys[i] = match[i][1]
-		}
-
-		// Try unsealing with one key
-		decryptedKey := testPGPDecrypt(t, pgpkeys.TestPrivKey1, keys[0])
-		if _, err := client.Sys().Unseal(decryptedKey); err != nil {
-			t.Fatal(err)
-		}
-
-		// Decrypt the root token
-		reToken := regexp.MustCompile(`Root Token: (.+)`)
-		match = reToken.FindAllStringSubmatch(output, -1)
-		if len(match) < 1 || len(match[0]) < 2 {
-			t.Fatalf("no match")
-		}
-		root := match[0][1]
-		decryptedRoot := testPGPDecrypt(t, pgpkeys.TestPrivKey1, root)
-
-		if l, exp := len(decryptedRoot), vault.TokenLength+vault.TokenPrefixLength; l != exp {
-			t.Errorf("expected %d to be %d", l, exp)
-		}
-	})
-
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerBad(t)
-		defer closer()
-
-		ui, cmd := testOperatorInitCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"-key-shares=1",
-			"-key-threshold=1",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Error making API request"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testOperatorInitCommand(t)
-		assertNoTabs(t, cmd)
-	})
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Engine from 'ember-engines/engine';
+import loadInitializers from 'ember-load-initializers';
+import Resolver from './resolver';
+import config from './config/environment';
+
+const { modulePrefix } = config;
+/* eslint-disable ember/avoid-leaking-state-in-ember-objects */
+const Eng = Engine.extend({
+  modulePrefix,
+  Resolver,
+  dependencies: {
+    services: [
+      'auth',
+      'flash-messages',
+      'namespace',
+      'replication-mode',
+      'router',
+      'store',
+      'version',
+      '-portal',
+    ],
+    externalRoutes: ['replication', 'vault'],
+  },
+});
+
+loadInitializers(Eng, modulePrefix);
+
+export default Eng;
diff --git a/command/operator_key_status.go b/command/operator_key_status.go
index 866b7d7e7eb8..9d84c71e7dc9 100644
--- a/command/operator_key_status.go
+++ b/command/operator_key_status.go
@@ -1,84 +1,111 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*OperatorKeyStatusCommand)(nil)
-	_ cli.CommandAutocomplete = (*OperatorKeyStatusCommand)(nil)
-)
-
-type OperatorKeyStatusCommand struct {
-	*BaseCommand
-}
-
-func (c *OperatorKeyStatusCommand) Synopsis() string {
-	return "Provides information about the active encryption key"
-}
-
-func (c *OperatorKeyStatusCommand) Help() string {
-	helpText := `
-Usage: vault operator key-status [options]
-
-  Provides information about the active encryption key. Specifically,
-  the current key term and the key installation time.
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *OperatorKeyStatusCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-}
-
-func (c *OperatorKeyStatusCommand) AutocompleteArgs() complete.Predictor {
-	return nil
-}
-
-func (c *OperatorKeyStatusCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *OperatorKeyStatusCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	if len(args) > 0 {
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(args)))
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	status, err := client.Sys().KeyStatus()
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error reading key status: %s", err))
-		return 2
-	}
-
-	switch Format(c.UI) {
-	case "table":
-		c.UI.Output(printKeyStatus(status))
-		return 0
-	default:
-		return OutputData(c.UI, status)
-	}
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import sinon from 'sinon';
+import { visit } from '@ember/test-helpers';
+import { setupApplicationTest } from 'ember-qunit';
+import Pretender from 'pretender';
+import formatRFC3339 from 'date-fns/formatRFC3339';
+import { addDays, subDays } from 'date-fns';
+import timestamp from 'core/utils/timestamp';
+
+const generateHealthResponse = (now, state) => {
+  let expiry;
+  switch (state) {
+    case 'expired':
+      expiry = subDays(now, 2);
+      break;
+    case 'expiring':
+      expiry = addDays(now, 10);
+      break;
+    default:
+      expiry = addDays(now, 33);
+      break;
+  }
+  return {
+    enterprise: true,
+    initialized: true,
+    sealed: false,
+    standby: false,
+    license: {
+      expiry_time: formatRFC3339(expiry),
+      state: 'stored',
+    },
+    performance_standby: false,
+    replication_performance_mode: 'disabled',
+    replication_dr_mode: 'disabled',
+    server_time_utc: 1622562585,
+    version: '1.9.0+ent',
+    cluster_name: 'vault-cluster-e779cd7c',
+    cluster_id: '5f20f5ab-acea-0481-787e-71ec2ff5a60b',
+    last_wal: 121,
+  };
+};
+
+module('Acceptance | Enterprise | License banner warnings', function (hooks) {
+  setupApplicationTest(hooks);
+
+  hooks.before(function () {
+    sinon.stub(timestamp, 'now').callsFake(() => new Date('2018-04-03T14:15:30'));
+  });
+  hooks.beforeEach(function () {
+    this.now = timestamp.now();
+  });
+  hooks.afterEach(function () {
+    this.server.shutdown();
+  });
+  hooks.after(function () {
+    timestamp.now.restore();
+  });
+
+  test('it shows no license banner if license expires in > 30 days', async function (assert) {
+    const healthResp = generateHealthResponse(this.now);
+    this.server = new Pretender(function () {
+      this.get('/v1/sys/health', (response) => {
+        return [response, { 'Content-Type': 'application/json' }, JSON.stringify(healthResp)];
+      });
+      this.get('/v1/sys/internal/ui/feature-flags', this.passthrough);
+      this.get('/v1/sys/internal/ui/mounts', this.passthrough);
+      this.get('/v1/sys/seal-status', this.passthrough);
+      this.get('/v1/sys/license/features', this.passthrough);
+    });
+    await visit('/vault/auth');
+    assert.dom('[data-test-license-banner-expired]').doesNotExist('expired banner does not show');
+    assert.dom('[data-test-license-banner-warning]').doesNotExist('warning banner does not show');
+    this.server.shutdown();
+  });
+  test('it shows license banner warning if license expires within 30 days', async function (assert) {
+    const healthResp = generateHealthResponse(this.now, 'expiring');
+    this.server = new Pretender(function () {
+      this.get('/v1/sys/health', (response) => {
+        return [response, { 'Content-Type': 'application/json' }, JSON.stringify(healthResp)];
+      });
+      this.get('/v1/sys/internal/ui/feature-flags', this.passthrough);
+      this.get('/v1/sys/internal/ui/mounts', this.passthrough);
+      this.get('/v1/sys/seal-status', this.passthrough);
+      this.get('/v1/sys/license/features', this.passthrough);
+    });
+    await visit('/vault/auth');
+    assert.dom('[data-test-license-banner-warning]').exists('license warning shows');
+    this.server.shutdown();
+  });
+
+  test('it shows license banner alert if license has already expired', async function (assert) {
+    const healthResp = generateHealthResponse(this.now, 'expired');
+    this.server = new Pretender(function () {
+      this.get('/v1/sys/health', (response) => {
+        return [response, { 'Content-Type': 'application/json' }, JSON.stringify(healthResp)];
+      });
+      this.get('/v1/sys/internal/ui/feature-flags', this.passthrough);
+      this.get('/v1/sys/internal/ui/mounts', this.passthrough);
+      this.get('/v1/sys/seal-status', this.passthrough);
+      this.get('/v1/sys/license/features', this.passthrough);
+    });
+    await visit('/vault/auth');
+    assert.dom('[data-test-license-banner-expired]').exists('expired license message shows');
+    this.server.shutdown();
+  });
+});
diff --git a/command/operator_key_status_test.go b/command/operator_key_status_test.go
index db92eb9e9b70..ad5b8c332a1b 100644
--- a/command/operator_key_status_test.go
+++ b/command/operator_key_status_test.go
@@ -1,117 +1,150 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/mitchellh/cli"
-)
-
-func testOperatorKeyStatusCommand(tb testing.TB) (*cli.MockUi, *OperatorKeyStatusCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &OperatorKeyStatusCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestOperatorKeyStatusCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"too_many_args",
-			[]string{"foo", "bar"},
-			"Too many arguments",
-			1,
-		},
-	}
-
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, tc := range cases {
-			tc := tc
-
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
-
-				client, closer := testVaultServer(t)
-				defer closer()
-
-				ui, cmd := testOperatorKeyStatusCommand(t)
-				cmd.client = client
-
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
-	})
-
-	t.Run("integration", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		ui, cmd := testOperatorKeyStatusCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Key Term"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerBad(t)
-		defer closer()
-
-		ui, cmd := testOperatorKeyStatusCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Error reading key status: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testOperatorKeyStatusCommand(t)
-		assertNoTabs(t, cmd)
-	})
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { setupApplicationTest } from 'ember-qunit';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { click, currentRouteName, currentURL, fillIn, settled, visit } from '@ember/test-helpers';
+import authPage from 'vault/tests/pages/auth';
+import { createTokenCmd, runCmd, tokenWithPolicyCmd } from 'vault/tests/helpers/commands';
+import { pollCluster } from 'vault/tests/helpers/poll-cluster';
+import VAULT_KEYS from 'vault/tests/helpers/vault-keys';
+import ENV from 'vault/config/environment';
+
+const { unsealKeys } = VAULT_KEYS;
+const SELECTORS = {
+  footerVersion: `[data-test-footer-version]`,
+  dashboardTitle: `[data-test-dashboard-card-header="Vault version"]`,
+};
+
+module('Acceptance | Enterprise | reduced disclosure test', function (hooks) {
+  setupApplicationTest(hooks);
+  setupMirage(hooks);
+
+  hooks.before(function () {
+    ENV['ember-cli-mirage'].handler = 'reducedDisclosure';
+  });
+  hooks.beforeEach(function () {
+    this.versionSvc = this.owner.lookup('service:version');
+    return authPage.logout();
+  });
+  hooks.after(function () {
+    ENV['ember-cli-mirage'].handler = null;
+  });
+
+  test('it works when reduced disclosure enabled', async function (assert) {
+    const namespace = 'reduced-disclosure';
+    assert.dom(SELECTORS.footerVersion).hasText(`Vault`, 'shows Vault without version when logged out');
+    await authPage.login();
+
+    // Ensure it shows version on dashboard
+    assert.dom(SELECTORS.dashboardTitle).includesText(`Vault v1.`);
+    assert
+      .dom(SELECTORS.footerVersion)
+      .hasText(`Vault ${this.versionSvc.version}`, 'shows Vault version after login');
+
+    await runCmd(`write sys/namespaces/${namespace} -f`, false);
+    await authPage.loginNs(namespace);
+
+    assert
+      .dom(SELECTORS.footerVersion)
+      .hasText(`Vault ${this.versionSvc.version}`, 'shows Vault version within namespace');
+
+    const token = await runCmd(createTokenCmd('default'));
+
+    await authPage.logout();
+    assert.dom(SELECTORS.footerVersion).hasText(`Vault`, 'no vault version after logout');
+
+    await authPage.loginNs(namespace, token);
+    assert
+      .dom(SELECTORS.footerVersion)
+      .hasText(`Vault ${this.versionSvc.version}`, 'shows Vault version for default policy in namespace');
+  });
+
+  test('it works for user accessing child namespace', async function (assert) {
+    const namespace = 'reduced-disclosure';
+    await authPage.login();
+
+    await runCmd(`write sys/namespaces/${namespace} -f`, false);
+    const token = await runCmd(
+      tokenWithPolicyCmd(
+        'child-ns-access',
+        `
+    path "${namespace}/sys/*" {
+      capabilities = ["read"]
+    }
+    `
+      )
+    );
+
+    await authPage.logout();
+    await authPage.login(token);
+    assert
+      .dom(SELECTORS.footerVersion)
+      .hasText(`Vault ${this.versionSvc.version}`, 'shows Vault version for default policy in namespace');
+
+    // navigate to child namespace
+    await visit(`/vault/dashboard?namespace=${namespace}`);
+    assert
+      .dom(SELECTORS.footerVersion)
+      .hasText(
+        `Vault ${this.versionSvc.version}`,
+        'shows Vault version for default policy in child namespace'
+      );
+    assert.dom(SELECTORS.dashboardTitle).includesText('Vault v1.');
+  });
+
+  test('shows correct version on unseal flow', async function (assert) {
+    await authPage.login();
+
+    const versionSvc = this.owner.lookup('service:version');
+    await visit('/vault/settings/seal');
+    assert
+      .dom('[data-test-footer-version]')
+      .hasText(`Vault ${versionSvc.version}`, 'shows version on seal page');
+    assert.strictEqual(currentURL(), '/vault/settings/seal');
+
+    // seal
+    await click('[data-test-seal]');
+
+    await click('[data-test-confirm-button]');
+
+    await pollCluster(this.owner);
+    await settled();
+    assert.strictEqual(currentURL(), '/vault/unseal', 'vault is on the unseal page');
+    assert.dom('[data-test-footer-version]').hasText(`Vault`, 'Clears version on unseal');
+
+    // unseal
+    for (const key of unsealKeys) {
+      await fillIn('[data-test-shamir-key-input]', key);
+
+      await click('button[type="submit"]');
+
+      await pollCluster(this.owner);
+      await settled();
+    }
+
+    assert.dom('[data-test-cluster-status]').doesNotExist('ui does not show sealed warning');
+    assert.strictEqual(currentRouteName(), 'vault.cluster.auth', 'vault is ready to authenticate');
+    assert.dom('[data-test-footer-version]').hasText(`Vault`, 'Version is still not shown before auth');
+    await authPage.login();
+    assert
+      .dom('[data-test-footer-version]')
+      .hasText(`Vault ${versionSvc.version}`, 'Version is shown after login');
+  });
+
+  test('does not allow access to replication pages', async function (assert) {
+    await authPage.login();
+    assert.dom('[data-test-sidebar-nav-link="Replication"]').doesNotExist('hides replication nav item');
+
+    await visit(`/vault/replication/dr`);
+    assert.strictEqual(
+      currentRouteName(),
+      'vault.cluster.dashboard',
+      'redirects to dashboard if replication access attempted'
+    );
+    assert.dom('[data-test-card="replication"]').doesNotExist('hides replication card on dashboard');
+  });
+});
diff --git a/command/operator_members.go b/command/operator_members.go
index c280f315bf9c..c06c7181acd8 100644
--- a/command/operator_members.go
+++ b/command/operator_members.go
@@ -1,94 +1,130 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"strings"
-	"time"
-
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*OperatorMembersCommand)(nil)
-	_ cli.CommandAutocomplete = (*OperatorMembersCommand)(nil)
-)
-
-type OperatorMembersCommand struct {
-	*BaseCommand
-}
-
-func (c *OperatorMembersCommand) Synopsis() string {
-	return "Returns the list of nodes in the cluster"
-}
-
-func (c *OperatorMembersCommand) Help() string {
-	helpText := `
-Usage: vault operator members
-
-  Provides the details of all the nodes in the cluster.
-
-	  $ vault operator members
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *OperatorMembersCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-
-	return set
-}
-
-func (c *OperatorMembersCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictAnything
-}
-
-func (c *OperatorMembersCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *OperatorMembersCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	resp, err := client.Sys().HAStatus()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	switch Format(c.UI) {
-	case "table":
-		out := make([]string, 0)
-		cols := []string{"Host Name", "API Address", "Cluster Address", "Active Node", "Version", "Upgrade Version", "Redundancy Zone", "Last Echo"}
-		out = append(out, strings.Join(cols, " | "))
-		for _, node := range resp.Nodes {
-			cols := []string{node.Hostname, node.APIAddress, node.ClusterAddress, fmt.Sprintf("%t", node.ActiveNode), node.Version, node.UpgradeVersion, node.RedundancyZone}
-			if node.LastEcho != nil {
-				cols = append(cols, node.LastEcho.Format(time.RFC3339))
-			} else {
-				cols = append(cols, "")
-			}
-			out = append(out, strings.Join(cols, " | "))
-		}
-		c.UI.Output(tableOutput(out, nil))
-		return 0
-	default:
-		return OutputData(c.UI, resp)
-	}
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { setupApplicationTest } from 'ember-qunit';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { click, visit } from '@ember/test-helpers';
+import authPage from 'vault/tests/pages/auth';
+import { STATUS_DISABLED_RESPONSE, mockReplicationBlock } from 'vault/tests/helpers/replication';
+
+const s = {
+  navLink: (title) => `[data-test-sidebar-nav-link="${title}"]`,
+  title: '[data-test-replication-title]',
+  detailLink: (mode) => `[data-test-replication-details-link="${mode}"]`,
+  summaryCard: '[data-test-replication-summary-card]',
+  dashboard: '[data-test-replication-dashboard]',
+  enableForm: '[data-test-replication-enable-form]',
+  knownSecondary: (name) => `[data-test-secondaries-node="${name}"]`,
+};
+
+module('Acceptance | Enterprise | replication modes', function (hooks) {
+  setupApplicationTest(hooks);
+  setupMirage(hooks);
+
+  hooks.beforeEach(async function () {
+    this.setupMocks = (payload) => {
+      this.server.get('sys/replication/status', () => ({
+        data: payload,
+      }));
+      return authPage.login();
+    };
+  });
+
+  test('replication page when unsupported', async function (assert) {
+    await this.setupMocks({
+      data: {
+        mode: 'unsupported',
+      },
+    });
+    await visit('/vault/replication');
+    assert.dom(s.title).hasText('Replication unsupported', 'it shows the unsupported view');
+
+    // Nav links
+    assert.dom(s.navLink('Performance')).doesNotExist('hides performance link');
+    assert.dom(s.navLink('Disaster Recovery')).doesNotExist('hides dr link');
+  });
+
+  test('replication page when disabled', async function (assert) {
+    await this.setupMocks(STATUS_DISABLED_RESPONSE);
+    await visit('/vault/replication');
+    assert.dom(s.title).hasText('Enable Replication', 'it shows the enable view');
+
+    // Nav links
+    assert.dom(s.navLink('Performance')).exists('shows performance link');
+    assert.dom(s.navLink('Disaster Recovery')).exists('shows dr link');
+
+    await click(s.navLink('Performance'));
+    assert.dom(s.title).hasText('Enable Performance Replication', 'it shows the enable view for performance');
+
+    await click(s.navLink('Disaster Recovery'));
+    assert.dom(s.title).hasText('Enable Disaster Recovery Replication', 'it shows the enable view for dr');
+  });
+
+  ['primary', 'secondary'].forEach((mode) => {
+    test(`replication page when perf ${mode} only`, async function (assert) {
+      await this.setupMocks({
+        dr: mockReplicationBlock(),
+        performance: mockReplicationBlock(mode),
+      });
+      await visit('/vault/replication');
+
+      assert.dom(s.title).hasText('Replication', 'it shows default view');
+      assert.dom(s.detailLink('performance')).hasText('Details', 'CTA to see performance details');
+      assert.dom(s.detailLink('dr')).hasText('Enable', 'CTA to enable dr');
+
+      // Nav links
+      assert.dom(s.navLink('Performance')).exists('shows performance link');
+      assert.dom(s.navLink('Disaster Recovery')).exists('shows dr link');
+
+      await click(s.navLink('Performance'));
+      assert.dom(s.title).hasText(`Performance ${mode}`, `it shows the performance title`);
+      assert.dom(s.dashboard).exists(`it shows the replication dashboard`);
+
+      await click(s.navLink('Disaster Recovery'));
+      assert.dom(s.title).hasText('Enable Disaster Recovery Replication', 'it shows the dr title');
+      assert.dom(s.enableForm).exists('it shows the enable view for dr');
+    });
+  });
+  // DR secondary mode is a whole other thing, test primary only here
+  test(`replication page when dr primary only`, async function (assert) {
+    await this.setupMocks({
+      dr: mockReplicationBlock('primary'),
+      performance: mockReplicationBlock(),
+    });
+    await visit('/vault/replication');
+    assert.dom(s.title).hasText('Replication', 'it shows default view');
+    assert.dom(s.detailLink('performance')).hasText('Enable', 'CTA to enable performance');
+    assert.dom(s.detailLink('dr')).hasText('Details', 'CTA to see dr details');
+
+    // Nav links
+    assert.dom(s.navLink('Performance')).exists('shows performance link');
+    assert.dom(s.navLink('Disaster Recovery')).exists('shows dr link');
+
+    await click(s.navLink('Performance'));
+    assert.dom(s.title).hasText(`Enable Performance Replication`, `it shows the performance title`);
+    assert.dom(s.enableForm).exists('it shows the enable view for performance');
+
+    await click(s.navLink('Disaster Recovery'));
+    assert.dom(s.title).hasText(`Disaster Recovery primary`, 'it shows the dr title');
+    assert.dom(s.dashboard).exists(`it shows the replication dashboard`);
+  });
+
+  test(`replication page both primary`, async function (assert) {
+    await this.setupMocks({
+      dr: mockReplicationBlock('primary'),
+      performance: mockReplicationBlock('primary'),
+    });
+    await visit('/vault/replication');
+    assert.dom(s.title).hasText('Disaster Recovery & Performance primary', 'it shows primary view');
+    assert.dom(s.summaryCard).exists({ count: 2 }, 'shows 2 summary cards');
+
+    await click(s.navLink('Performance'));
+    assert.dom(s.title).hasText(`Performance primary`, `it shows the performance mode details`);
+
+    await click(s.navLink('Disaster Recovery'));
+    assert.dom(s.title).hasText(`Disaster Recovery primary`, 'it shows the dr mode details');
+  });
+});
diff --git a/command/operator_migrate.go b/command/operator_migrate.go
index 2e956046f3f7..8d46ad0d9f9d 100644
--- a/command/operator_migrate.go
+++ b/command/operator_migrate.go
@@ -1,426 +1,363 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"context"
-	"fmt"
-	"io/ioutil"
-	"math"
-	"net/url"
-	"os"
-	"sort"
-	"strings"
-	"time"
-
-	log "github.com/hashicorp/go-hclog"
-	"github.com/hashicorp/go-secure-stdlib/strutil"
-	"github.com/hashicorp/hcl"
-	"github.com/hashicorp/hcl/hcl/ast"
-	"github.com/hashicorp/vault/command/server"
-	"github.com/hashicorp/vault/physical/raft"
-	"github.com/hashicorp/vault/sdk/helper/logging"
-	"github.com/hashicorp/vault/sdk/physical"
-	"github.com/hashicorp/vault/vault"
-	"github.com/mitchellh/cli"
-	"github.com/pkg/errors"
-	"github.com/posener/complete"
-	"golang.org/x/sync/errgroup"
-)
-
-var (
-	_ cli.Command             = (*OperatorMigrateCommand)(nil)
-	_ cli.CommandAutocomplete = (*OperatorMigrateCommand)(nil)
-)
-
-var errAbort = errors.New("Migration aborted")
-
-type OperatorMigrateCommand struct {
-	*BaseCommand
-
-	PhysicalBackends map[string]physical.Factory
-	flagConfig       string
-	flagLogLevel     string
-	flagStart        string
-	flagReset        bool
-	flagMaxParallel  int
-	logger           log.Logger
-	ShutdownCh       chan struct{}
-}
-
-type migratorConfig struct {
-	StorageSource      *server.Storage `hcl:"-"`
-	StorageDestination *server.Storage `hcl:"-"`
-	ClusterAddr        string          `hcl:"cluster_addr"`
-}
-
-func (c *OperatorMigrateCommand) Synopsis() string {
-	return "Migrates Vault data between storage backends"
-}
-
-func (c *OperatorMigrateCommand) Help() string {
-	helpText := `
-Usage: vault operator migrate [options]
-
-  This command starts a storage backend migration process to copy all data
-  from one backend to another. This operates directly on encrypted data and
-  does not require a Vault server, nor any unsealing.
-
-  Start a migration with a configuration file:
-
-      $ vault operator migrate -config=migrate.hcl
-
-  For more information, please see the documentation.
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *OperatorMigrateCommand) Flags() *FlagSets {
-	set := NewFlagSets(c.UI)
-	f := set.NewFlagSet("Command Options")
-
-	f.StringVar(&StringVar{
-		Name:   "config",
-		Target: &c.flagConfig,
-		Completion: complete.PredictOr(
-			complete.PredictFiles("*.hcl"),
-		),
-		Usage: "Path to a configuration file. This configuration file should " +
-			"contain only migrator directives.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:   "start",
-		Target: &c.flagStart,
-		Usage:  "Only copy keys lexicographically at or after this value.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:   "reset",
-		Target: &c.flagReset,
-		Usage:  "Reset the migration lock. No migration will occur.",
-	})
-
-	f.IntVar(&IntVar{
-		Name:    "max-parallel",
-		Default: 10,
-		Target:  &c.flagMaxParallel,
-		Usage: "Specifies the maximum number of parallel migration threads (goroutines) that may be used when migrating. " +
-			"This can speed up the migration process on slow backends but uses more resources.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "log-level",
-		Target:     &c.flagLogLevel,
-		Default:    "info",
-		EnvVar:     "VAULT_LOG_LEVEL",
-		Completion: complete.PredictSet("trace", "debug", "info", "warn", "error"),
-		Usage: "Log verbosity level. Supported values (in order of detail) are " +
-			"\"trace\", \"debug\", \"info\", \"warn\", and \"error\". These are not case sensitive.",
-	})
-
-	return set
-}
-
-func (c *OperatorMigrateCommand) AutocompleteArgs() complete.Predictor {
-	return nil
-}
-
-func (c *OperatorMigrateCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *OperatorMigrateCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-	c.flagLogLevel = strings.ToLower(c.flagLogLevel)
-	validLevels := []string{"trace", "debug", "info", "warn", "error"}
-	if !strutil.StrListContains(validLevels, c.flagLogLevel) {
-		c.UI.Error(fmt.Sprintf("%s is an unknown log level. Valid log levels are: %s", c.flagLogLevel, validLevels))
-		return 1
-	}
-	c.logger = logging.NewVaultLogger(log.LevelFromString(c.flagLogLevel))
-
-	if c.flagMaxParallel < 1 {
-		c.UI.Error(fmt.Sprintf("Argument to flag -max-parallel must be between 1 and %d", math.MaxInt))
-		return 1
-	}
-
-	if c.flagConfig == "" {
-		c.UI.Error("Must specify exactly one config path using -config")
-		return 1
-	}
-
-	config, err := c.loadMigratorConfig(c.flagConfig)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error loading configuration from %s: %s", c.flagConfig, err))
-		return 1
-	}
-
-	if err := c.migrate(config); err != nil {
-		if err == errAbort {
-			return 0
-		}
-		c.UI.Error(fmt.Sprintf("Error migrating: %s", err))
-		return 2
-	}
-
-	if c.flagReset {
-		c.UI.Output("Success! Migration lock reset (if it was set).")
-	} else {
-		c.UI.Output("Success! All of the keys have been migrated.")
-	}
-
-	return 0
-}
-
-// migrate attempts to instantiate the source and destinations backends,
-// and then invoke the migration the root of the keyspace.
-func (c *OperatorMigrateCommand) migrate(config *migratorConfig) error {
-	from, err := c.newBackend(config.StorageSource.Type, config.StorageSource.Config)
-	if err != nil {
-		return fmt.Errorf("error mounting 'storage_source': %w", err)
-	}
-
-	if c.flagReset {
-		if err := SetStorageMigration(from, false); err != nil {
-			return fmt.Errorf("error resetting migration lock: %w", err)
-		}
-		return nil
-	}
-
-	to, err := c.createDestinationBackend(config.StorageDestination.Type, config.StorageDestination.Config, config)
-	if err != nil {
-		return fmt.Errorf("error mounting 'storage_destination': %w", err)
-	}
-
-	migrationStatus, err := CheckStorageMigration(from)
-	if err != nil {
-		return fmt.Errorf("error checking migration status: %w", err)
-	}
-
-	if migrationStatus != nil {
-		return fmt.Errorf("storage migration in progress (started: %s)", migrationStatus.Start.Format(time.RFC3339))
-	}
-
-	switch config.StorageSource.Type {
-	case "raft":
-		// Raft storage cannot be written to when shutdown. Also the boltDB file
-		// already uses file locking to ensure two processes are not accessing
-		// it.
-	default:
-		if err := SetStorageMigration(from, true); err != nil {
-			return fmt.Errorf("error setting migration lock: %w", err)
-		}
-
-		defer SetStorageMigration(from, false)
-	}
-
-	ctx, cancelFunc := context.WithCancel(context.Background())
-
-	doneCh := make(chan error)
-	go func() {
-		doneCh <- c.migrateAll(ctx, from, to, c.flagMaxParallel)
-	}()
-
-	select {
-	case err := <-doneCh:
-		cancelFunc()
-		return err
-	case <-c.ShutdownCh:
-		c.UI.Output("==> Migration shutdown triggered\n")
-		cancelFunc()
-		<-doneCh
-		return errAbort
-	}
-}
-
-// migrateAll copies all keys in lexicographic order.
-func (c *OperatorMigrateCommand) migrateAll(ctx context.Context, from physical.Backend, to physical.Backend, maxParallel int) error {
-	return dfsScan(ctx, from, maxParallel, func(ctx context.Context, path string) error {
-		if path < c.flagStart || path == storageMigrationLock || path == vault.CoreLockPath {
-			return nil
-		}
-
-		entry, err := from.Get(ctx, path)
-		if err != nil {
-			return fmt.Errorf("error reading entry: %w", err)
-		}
-
-		if entry == nil {
-			return nil
-		}
-
-		if err := to.Put(ctx, entry); err != nil {
-			return fmt.Errorf("error writing entry: %w", err)
-		}
-		c.logger.Info("copied key", "path", path)
-		return nil
-	})
-}
-
-func (c *OperatorMigrateCommand) newBackend(kind string, conf map[string]string) (physical.Backend, error) {
-	factory, ok := c.PhysicalBackends[kind]
-	if !ok {
-		return nil, fmt.Errorf("no Vault storage backend named: %+q", kind)
-	}
-
-	return factory(conf, c.logger)
-}
-
-func (c *OperatorMigrateCommand) createDestinationBackend(kind string, conf map[string]string, config *migratorConfig) (physical.Backend, error) {
-	storage, err := c.newBackend(kind, conf)
-	if err != nil {
-		return nil, err
-	}
-
-	switch kind {
-	case "raft":
-		if len(config.ClusterAddr) == 0 {
-			return nil, errors.New("cluster_addr config not set")
-		}
-
-		raftStorage, ok := storage.(*raft.RaftBackend)
-		if !ok {
-			return nil, errors.New("wrong storage type for raft backend")
-		}
-
-		parsedClusterAddr, err := url.Parse(config.ClusterAddr)
-		if err != nil {
-			return nil, fmt.Errorf("error parsing cluster address: %w", err)
-		}
-		if err := raftStorage.Bootstrap([]raft.Peer{
-			{
-				ID:      raftStorage.NodeID(),
-				Address: parsedClusterAddr.Host,
-			},
-		}); err != nil {
-			return nil, fmt.Errorf("could not bootstrap clustered storage: %w", err)
-		}
-
-		if err := raftStorage.SetupCluster(context.Background(), raft.SetupOpts{
-			StartAsLeader: true,
-		}); err != nil {
-			return nil, fmt.Errorf("could not start clustered storage: %w", err)
-		}
-	}
-
-	return storage, nil
-}
-
-// loadMigratorConfig loads the configuration at the given path
-func (c *OperatorMigrateCommand) loadMigratorConfig(path string) (*migratorConfig, error) {
-	fi, err := os.Stat(path)
-	if err != nil {
-		return nil, err
-	}
-
-	if fi.IsDir() {
-		return nil, fmt.Errorf("location is a directory, not a file")
-	}
-
-	d, err := ioutil.ReadFile(path)
-	if err != nil {
-		return nil, err
-	}
-
-	obj, err := hcl.ParseBytes(d)
-	if err != nil {
-		return nil, err
-	}
-
-	var result migratorConfig
-	if err := hcl.DecodeObject(&result, obj); err != nil {
-		return nil, err
-	}
-
-	list, ok := obj.Node.(*ast.ObjectList)
-	if !ok {
-		return nil, fmt.Errorf("error parsing: file doesn't contain a root object")
-	}
-
-	// Look for storage_* stanzas
-	for _, stanza := range []string{"storage_source", "storage_destination"} {
-		o := list.Filter(stanza)
-		if len(o.Items) != 1 {
-			return nil, fmt.Errorf("exactly one %q block is required", stanza)
-		}
-
-		if err := parseStorage(&result, o, stanza); err != nil {
-			return nil, fmt.Errorf("error parsing %q: %w", stanza, err)
-		}
-	}
-	return &result, nil
-}
-
-// parseStorage reuses the existing storage parsing that's part of the main Vault
-// config processing, but only keeps the storage result.
-func parseStorage(result *migratorConfig, list *ast.ObjectList, name string) error {
-	tmpConfig := new(server.Config)
-
-	if err := server.ParseStorage(tmpConfig, list, name); err != nil {
-		return err
-	}
-
-	switch name {
-	case "storage_source":
-		result.StorageSource = tmpConfig.Storage
-	case "storage_destination":
-		result.StorageDestination = tmpConfig.Storage
-	default:
-		return fmt.Errorf("unknown storage name: %s", name)
-	}
-
-	return nil
-}
-
-// dfsScan will invoke cb with every key from source.
-// Keys will be traversed in lexicographic, depth-first order.
-func dfsScan(ctx context.Context, source physical.Backend, maxParallel int, cb func(ctx context.Context, path string) error) error {
-	dfs := []string{""}
-
-	eg, ctx := errgroup.WithContext(ctx)
-	eg.SetLimit(maxParallel)
-
-	for l := len(dfs); l > 0; l = len(dfs) {
-		// Check for cancellation
-		select {
-		case <-ctx.Done():
-			return ctx.Err()
-		default:
-		}
-
-		key := dfs[len(dfs)-1]
-		if key == "" || strings.HasSuffix(key, "/") {
-			children, err := source.List(ctx, key)
-			if err != nil {
-				return fmt.Errorf("failed to scan for children: %w", err)
-			}
-			sort.Strings(children)
-
-			// remove List-triggering key and add children in reverse order
-			dfs = dfs[:len(dfs)-1]
-			for i := len(children) - 1; i >= 0; i-- {
-				if children[i] != "" {
-					dfs = append(dfs, key+children[i])
-				}
-			}
-		} else {
-			// Pooling
-			eg.Go(func() error {
-				return cb(ctx, key)
-			})
-
-			dfs = dfs[:len(dfs)-1]
-		}
-	}
-
-	return eg.Wait()
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { clickTrigger } from 'ember-power-select/test-support/helpers';
+import { click, fillIn, findAll, currentURL, find, visit, settled, waitUntil } from '@ember/test-helpers';
+import { module, test } from 'qunit';
+import { setupApplicationTest } from 'ember-qunit';
+import authPage from 'vault/tests/pages/auth';
+import { pollCluster } from 'vault/tests/helpers/poll-cluster';
+import { create } from 'ember-cli-page-object';
+import flashMessage from 'vault/tests/pages/components/flash-message';
+import ss from 'vault/tests/pages/components/search-select';
+import { disableReplication } from 'vault/tests/helpers/replication';
+const searchSelect = create(ss);
+const flash = create(flashMessage);
+
+module('Acceptance | Enterprise | replication', function (hooks) {
+  setupApplicationTest(hooks);
+
+  hooks.beforeEach(async function () {
+    await authPage.login();
+    await settled();
+    await disableReplication('dr');
+    await settled();
+    await disableReplication('performance');
+    await settled();
+  });
+
+  hooks.afterEach(async function () {
+    await disableReplication('dr');
+    await settled();
+    await disableReplication('performance');
+    await settled();
+  });
+
+  test('replication', async function (assert) {
+    assert.expect(17);
+    const secondaryName = 'firstSecondary';
+    const mode = 'deny';
+
+    // confirm unable to visit dr secondary details page when both replications are disabled
+    await visit('/vault/replication-dr-promote/details');
+
+    assert.dom('[data-test-component="empty-state"]').exists();
+    assert
+      .dom('[data-test-empty-state-title]')
+      .includesText('Disaster Recovery secondary not set up', 'shows the correct title of the empty state');
+
+    assert
+      .dom('[data-test-empty-state-message]')
+      .hasText(
+        'This cluster has not been enabled as a Disaster Recovery Secondary. You can do so by enabling replication and adding a secondary from the Disaster Recovery Primary.',
+        'renders default message specific to when no replication is enabled'
+      );
+
+    await visit('/vault/replication');
+
+    assert.strictEqual(currentURL(), '/vault/replication');
+
+    // enable perf replication
+    await click('[data-test-replication-type-select="performance"]');
+
+    await fillIn('[data-test-replication-cluster-mode-select]', 'primary');
+
+    await click('[data-test-replication-enable]');
+
+    await pollCluster(this.owner);
+
+    // confirm that the details dashboard shows
+    assert.ok(await waitUntil(() => find('[data-test-replication-dashboard]')), 'details dashboard is shown');
+
+    // add a secondary with a mount filter config
+    await click('[data-test-replication-link="secondaries"]');
+
+    await click('[data-test-secondary-add]');
+
+    await fillIn('[data-test-replication-secondary-id]', secondaryName);
+
+    await click('#deny');
+    await clickTrigger();
+    const mountPath = searchSelect.options.objectAt(0).text;
+    await searchSelect.options.objectAt(0).click();
+    await click('[data-test-secondary-add]');
+
+    await pollCluster(this.owner);
+    // click into the added secondary's mount filter config
+    await click('[data-test-replication-link="secondaries"]');
+
+    await click('[data-test-popup-menu-trigger]');
+
+    await click('[data-test-replication-path-filter-link]');
+
+    assert.strictEqual(
+      currentURL(),
+      `/vault/replication/performance/secondaries/config/show/${secondaryName}`
+    );
+    assert.dom('[data-test-mount-config-mode]').includesText(mode, 'show page renders the correct mode');
+    assert
+      .dom('[data-test-mount-config-paths]')
+      .includesText(mountPath, 'show page renders the correct mount path');
+
+    // delete config by choosing "no filter" in the edit screen
+    await click('[data-test-replication-link="edit-mount-config"]');
+
+    await click('#no-filtering');
+
+    await click('[data-test-config-save]');
+    await settled(); // eslint-disable-line
+
+    assert.strictEqual(
+      flash.latestMessage,
+      `The performance mount filter config for the secondary ${secondaryName} was successfully deleted.`,
+      'renders success flash upon deletion'
+    );
+    assert.strictEqual(
+      currentURL(),
+      `/vault/replication/performance/secondaries`,
+      'redirects to the secondaries page'
+    );
+    // nav back to details page and confirm secondary is in the known secondaries table
+    await click('[data-test-replication-link="details"]');
+
+    assert
+      .dom(`[data-test-secondaries-node=${secondaryName}]`)
+      .exists('shows a table row the recently added secondary');
+
+    // nav to DR
+    await visit('/vault/replication/dr');
+
+    await fillIn('[data-test-replication-cluster-mode-select]', 'secondary');
+    assert
+      .dom('[data-test-replication-enable]')
+      .isDisabled('dr secondary enable is disabled when other replication modes are on');
+
+    // disable performance replication
+    await disableReplication('performance', assert);
+    await settled();
+    await pollCluster(this.owner);
+
+    // enable dr replication
+    await visit('vault/replication/dr');
+
+    await fillIn('[data-test-replication-cluster-mode-select]', 'primary');
+    await click('button[type="submit"]');
+
+    await pollCluster(this.owner);
+    await waitUntil(() => find('[data-test-empty-state-title]'));
+    // empty state inside of know secondaries table
+    assert
+      .dom('[data-test-empty-state-title]')
+      .includesText(
+        'No known dr secondary clusters associated with this cluster',
+        'shows the correct title of the empty state'
+      );
+
+    assert.ok(
+      find('[data-test-replication-title]').textContent.includes('Disaster Recovery'),
+      'it displays the replication type correctly'
+    );
+    assert.ok(
+      find('[data-test-replication-mode-display]').textContent.includes('primary'),
+      'it displays the cluster mode correctly'
+    );
+
+    // add dr secondary
+    await click('[data-test-replication-link="secondaries"]');
+
+    await click('[data-test-secondary-add]');
+
+    await fillIn('[data-test-replication-secondary-id]', secondaryName);
+
+    await click('[data-test-secondary-add]');
+
+    await pollCluster(this.owner);
+    await click('[data-test-replication-link="secondaries"]');
+
+    assert
+      .dom('[data-test-secondary-name]')
+      .includesText(secondaryName, 'it displays the secondary in the list of known secondaries');
+  });
+
+  test('disabling dr primary when perf replication is enabled', async function (assert) {
+    await visit('vault/replication/performance');
+
+    // enable perf replication
+    await fillIn('[data-test-replication-cluster-mode-select]', 'primary');
+    await click('[data-test-replication-enable]');
+
+    await pollCluster(this.owner);
+
+    // enable dr replication
+    await visit('/vault/replication/dr');
+
+    await fillIn('[data-test-replication-cluster-mode-select]', 'primary');
+
+    await click('[data-test-replication-enable]');
+
+    await pollCluster(this.owner);
+    await visit('/vault/replication/dr/manage');
+
+    await click('[data-test-demote-replication] [data-test-replication-action-trigger]');
+
+    assert.ok(findAll('[data-test-demote-warning]').length, 'displays the demotion warning');
+  });
+
+  test('navigating to dr secondary details page when dr secondary is not enabled', async function (assert) {
+    // enable dr replication
+
+    await visit('/vault/replication/dr');
+
+    await fillIn('[data-test-replication-cluster-mode-select]', 'primary');
+    await click('[data-test-replication-enable]');
+    await settled(); // eslint-disable-line
+    await pollCluster(this.owner);
+    await visit('/vault/replication-dr-promote/details');
+
+    assert.dom('[data-test-component="empty-state"]').exists();
+    assert
+      .dom('[data-test-empty-state-message]')
+      .hasText(
+        'This Disaster Recovery secondary has not been enabled. You can do so from the Disaster Recovery Primary.',
+        'renders message when replication is enabled'
+      );
+  });
+
+  test('add secondary and navigate through token generation modal', async function (assert) {
+    const secondaryNameFirst = 'firstSecondary';
+    const secondaryNameSecond = 'secondSecondary';
+    await visit('/vault/replication');
+
+    // enable perf replication
+    await click('[data-test-replication-type-select="performance"]');
+
+    await fillIn('[data-test-replication-cluster-mode-select]', 'primary');
+    await click('[data-test-replication-enable]');
+
+    await pollCluster(this.owner);
+    await settled();
+
+    // add a secondary with default TTL
+    await click('[data-test-replication-link="secondaries"]');
+
+    await click('[data-test-secondary-add]');
+
+    await fillIn('[data-test-replication-secondary-id]', secondaryNameFirst);
+    await click('[data-test-secondary-add]');
+
+    await pollCluster(this.owner);
+    await settled();
+    const modalDefaultTtl = document.querySelector('[data-test-row-value="TTL"]').innerText;
+
+    // checks on secondary token modal
+    assert.dom('#replication-copy-token-modal').exists();
+    assert.dom('[data-test-inline-error-message]').hasText('Copy token to dismiss modal');
+    assert.strictEqual(modalDefaultTtl, '1800s', 'shows the correct TTL of 1800s');
+    // click off the modal to make sure you don't just have to click on the copy-close button to copy the token
+    assert.dom('[data-test-modal-close]').isDisabled('cancel is disabled');
+    await click('[data-test-modal-copy]');
+    assert.dom('[data-test-modal-close]').isEnabled('cancel is enabled after token is copied');
+    await click('[data-test-modal-close]');
+
+    // add another secondary not using the default ttl
+    await click('[data-test-secondary-add]');
+
+    await fillIn('[data-test-replication-secondary-id]', secondaryNameSecond);
+    await click('[data-test-toggle-input]');
+
+    await fillIn('[data-test-ttl-value]', 3);
+    await click('[data-test-secondary-add]');
+
+    await pollCluster(this.owner);
+    await settled();
+    const modalTtl = document.querySelector('[data-test-row-value="TTL"]').innerText;
+    assert.strictEqual(modalTtl, '180s', 'shows the correct TTL of 180s');
+    await click('[data-test-modal-copy]');
+    await click('[data-test-modal-close]');
+
+    // confirm you were redirected to the secondaries page
+    assert.strictEqual(
+      currentURL(),
+      `/vault/replication/performance/secondaries`,
+      'redirects to the secondaries page'
+    );
+    assert
+      .dom('[data-test-secondary-name]')
+      .includesText(secondaryNameFirst, 'it displays the secondary in the list of secondaries');
+  });
+
+  test('render performance and dr primary and navigate to details page', async function (assert) {
+    // enable perf primary replication
+    await visit('/vault/replication');
+    await click('[data-test-replication-type-select="performance"]');
+
+    await fillIn('[data-test-replication-cluster-mode-select]', 'primary');
+    await click('[data-test-replication-enable]');
+
+    await pollCluster(this.owner);
+    await settled();
+
+    await visit('/vault/replication');
+
+    assert
+      .dom(`[data-test-replication-summary-card]`)
+      .doesNotExist(`does not render replication summary card when both modes are not enabled as primary`);
+
+    // enable DR primary replication
+    await click('[data-test-replication-details-link="dr"]');
+    await click('[data-test-replication-enable]');
+
+    await pollCluster(this.owner);
+    await settled();
+
+    // navigate using breadcrumbs back to replication.index
+    await click('[data-test-replication-breadcrumb]');
+
+    assert
+      .dom('[data-test-replication-summary-card]')
+      .exists({ count: 2 }, 'renders two replication-summary-card components');
+
+    // navigate to details page using the "Details" link
+    await click('[data-test-manage-link="Disaster Recovery"]');
+
+    assert
+      .dom('[data-test-selectable-card-container="primary"]')
+      .exists('shows the correct card on the details dashboard');
+    assert.strictEqual(currentURL(), '/vault/replication/dr');
+  });
+
+  test('render performance secondary and navigate to the details page', async function (assert) {
+    // enable perf replication
+    await visit('/vault/replication');
+
+    await click('[data-test-replication-type-select="performance"]');
+
+    await fillIn('[data-test-replication-cluster-mode-select]', 'primary');
+    await click('[data-test-replication-enable]');
+
+    await pollCluster(this.owner);
+    await settled();
+
+    // demote perf primary to a secondary
+    await click('[data-test-replication-link="manage"]');
+
+    // open demote modal
+    await click('[data-test-demote-replication] [data-test-replication-action-trigger]');
+
+    // enter confirmation text
+    await fillIn('[data-test-confirmation-modal-input="Demote to secondary?"]', 'Performance');
+    // Click confirm button
+    await click('[data-test-confirm-button="Demote to secondary?"]');
+
+    await click('[data-test-replication-link="details"]');
+
+    assert.dom('[data-test-replication-dashboard]').exists();
+    assert.dom('[data-test-selectable-card-container="secondary"]').exists();
+    assert.ok(
+      find('[data-test-replication-mode-display]').textContent.includes('secondary'),
+      'it displays the cluster mode correctly'
+    );
+  });
+});
diff --git a/command/operator_raft.go b/command/operator_raft.go
index 9e02371dcbd6..2fe03b19f067 100644
--- a/command/operator_raft.go
+++ b/command/operator_raft.go
@@ -1,54 +1,68 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"strings"
-
-	"github.com/mitchellh/cli"
-)
-
-var _ cli.Command = (*OperatorRaftCommand)(nil)
-
-type OperatorRaftCommand struct {
-	*BaseCommand
-}
-
-func (c *OperatorRaftCommand) Synopsis() string {
-	return "Interact with Vault's raft storage backend"
-}
-
-func (c *OperatorRaftCommand) Help() string {
-	helpText := `
-Usage: vault operator raft <subcommand> [options] [args]
-
-  This command groups subcommands for operators interacting with the Vault raft
-  storage backend. Most users will not need to interact with these commands. Here
-  are a few examples of the raft operator commands:
-
-  Joins a node to the raft cluster:
-
-      $ vault operator raft join https://127.0.0.1:8200
-
-  Returns the set of raft peers:
-
-      $ vault operator raft list-peers
-
-  Removes a node from the raft cluster:
-
-      $ vault operator raft remove-peer
-
-  Restores and saves snapshots from the raft cluster:
-
-      $ vault operator raft snapshot save out.snap
-
-  Please see the individual subcommand help for detailed usage information.
-`
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *OperatorRaftCommand) Run(args []string) int {
-	return cli.RunResultHelp
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { setupApplicationTest } from 'ember-qunit';
+import { click, currentURL } from '@ember/test-helpers';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import authPage from 'vault/tests/pages/auth';
+
+const link = (label) => `[data-test-sidebar-nav-link="${label}"]`;
+const panel = (label) => `[data-test-sidebar-nav-panel="${label}"]`;
+
+module('Acceptance | Enterprise | sidebar navigation', function (hooks) {
+  setupApplicationTest(hooks);
+  setupMirage(hooks);
+
+  hooks.beforeEach(function () {
+    return authPage.login();
+  });
+
+  // common links are tested in the sidebar-nav test and will not be covered here
+  test('it should render enterprise only navigation links', async function (assert) {
+    assert.dom(panel('Cluster')).exists('Cluster nav panel renders');
+
+    await click(link('Secrets Sync'));
+    assert.strictEqual(currentURL(), '/vault/sync/secrets/overview', 'Sync route renders');
+
+    await click(link('Replication'));
+    assert.strictEqual(currentURL(), '/vault/replication', 'Replication route renders');
+    assert.dom(panel('Replication')).exists(`Replication nav panel renders`);
+    assert.dom(link('Overview')).hasClass('active', 'Overview link is active');
+    assert.dom(link('Performance')).exists('Performance link exists');
+    assert.dom(link('Disaster Recovery')).exists('DR link exists');
+
+    await click(link('Performance'));
+    assert.strictEqual(
+      currentURL(),
+      '/vault/replication/performance',
+      'Replication performance route renders'
+    );
+
+    await click(link('Disaster Recovery'));
+    assert.strictEqual(currentURL(), '/vault/replication/dr', 'Replication dr route renders');
+
+    await click(link('Client Count'));
+    assert.strictEqual(currentURL(), '/vault/clients/dashboard', 'Client counts route renders');
+
+    await click(link('License'));
+    assert.strictEqual(currentURL(), '/vault/license', 'License route renders');
+
+    await click(link('Access'));
+    await click(link('Control Groups'));
+    assert.strictEqual(currentURL(), '/vault/access/control-groups', 'Control groups route renders');
+
+    await click(link('Namespaces'));
+    assert.strictEqual(currentURL(), '/vault/access/namespaces?page=1', 'Replication route renders');
+
+    await click(link('Back to main navigation'));
+    await click(link('Policies'));
+    await click(link('Role-Governing Policies'));
+    assert.strictEqual(currentURL(), '/vault/policies/rgp', 'Role-Governing Policies route renders');
+
+    await click(link('Endpoint Governing Policies'));
+    assert.strictEqual(currentURL(), '/vault/policies/egp', 'Endpoint Governing Policies route renders');
+  });
+});
diff --git a/command/operator_raft_autopilot_get_config.go b/command/operator_raft_autopilot_get_config.go
index 81ee3b6b885a..cda5d646cf47 100644
--- a/command/operator_raft_autopilot_get_config.go
+++ b/command/operator_raft_autopilot_get_config.go
@@ -1,112 +1,32 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*OperatorRaftAutopilotGetConfigCommand)(nil)
-	_ cli.CommandAutocomplete = (*OperatorRaftAutopilotGetConfigCommand)(nil)
-)
-
-type OperatorRaftAutopilotGetConfigCommand struct {
-	*BaseCommand
-	flagDRToken string
-}
-
-func (c *OperatorRaftAutopilotGetConfigCommand) Synopsis() string {
-	return "Returns the configuration of the autopilot subsystem under integrated storage"
-}
-
-func (c *OperatorRaftAutopilotGetConfigCommand) Help() string {
-	helpText := `
-Usage: vault operator raft autopilot get-config
-
- Returns the configuration of the autopilot subsystem under integrated storage.
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *OperatorRaftAutopilotGetConfigCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-
-	f := set.NewFlagSet("Command Options")
-
-	f.StringVar(&StringVar{
-		Name:       "dr-token",
-		Target:     &c.flagDRToken,
-		Default:    "",
-		EnvVar:     "",
-		Completion: complete.PredictAnything,
-		Usage:      "DR operation token used to authorize this request (if a DR secondary node).",
-	})
-
-	return set
-}
-
-func (c *OperatorRaftAutopilotGetConfigCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictAnything
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+.env-banner {
+  font-size: 0.8rem;
+  border-radius: 3rem;
+  background: linear-gradient(
+    135deg,
+    $blue,
+    hsl(271, 100%, 71%)
+  ); // only use case for purple in the app. define here instead of utils/color_var
+  animation: env-banner-color-rotate 8s infinite linear alternate;
+  color: $white;
+
+  .hs-icon {
+    margin: 0;
+  }
+
+  .notification {
+    background-color: transparent;
+    line-height: 2;
+    padding: 0 $spacing-12;
+  }
 }
 
-func (c *OperatorRaftAutopilotGetConfigCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *OperatorRaftAutopilotGetConfigCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	switch len(args) {
-	case 0:
-	default:
-		c.UI.Error(fmt.Sprintf("Incorrect arguments (expected 0, got %d)", len(args)))
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	var config *api.AutopilotConfig
-	switch {
-	case c.flagDRToken != "":
-		config, err = client.Sys().RaftAutopilotConfigurationWithDRToken(c.flagDRToken)
-	default:
-		config, err = client.Sys().RaftAutopilotConfiguration()
-	}
-
-	if config == nil {
-		return 0
-	}
-
-	if Format(c.UI) != "table" {
-		return OutputData(c.UI, config)
-	}
-
-	entries := []string{"Key | Value"}
-	entries = append(entries, fmt.Sprintf("%s | %t", "Cleanup Dead Servers", config.CleanupDeadServers))
-	entries = append(entries, fmt.Sprintf("%s | %s", "Last Contact Threshold", config.LastContactThreshold.String()))
-	entries = append(entries, fmt.Sprintf("%s | %s", "Dead Server Last Contact Threshold", config.DeadServerLastContactThreshold.String()))
-	entries = append(entries, fmt.Sprintf("%s | %s", "Server Stabilization Time", config.ServerStabilizationTime.String()))
-	entries = append(entries, fmt.Sprintf("%s | %d", "Min Quorum", config.MinQuorum))
-	entries = append(entries, fmt.Sprintf("%s | %d", "Max Trailing Logs", config.MaxTrailingLogs))
-	entries = append(entries, fmt.Sprintf("%s | %t", "Disable Upgrade Migration", config.DisableUpgradeMigration))
-
-	return OutputData(c.UI, entries)
+@keyframes env-banner-color-rotate {
+  100% {
+    filter: hue-rotate(105deg);
+  }
 }
diff --git a/command/operator_raft_autopilot_set_config.go b/command/operator_raft_autopilot_set_config.go
index 3ac287cc7494..801ee924ac7c 100644
--- a/command/operator_raft_autopilot_set_config.go
+++ b/command/operator_raft_autopilot_set_config.go
@@ -1,171 +1,1276 @@
 // Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
+// SPDX-License-Identifier: MPL-2.0
 
-package command
+package docker
 
 import (
+	"bufio"
+	"bytes"
+	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/hex"
+	"encoding/json"
+	"encoding/pem"
+	"errors"
 	"fmt"
+	"io"
+	"io/ioutil"
+	"math/big"
+	mathrand "math/rand"
+	"net"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strconv"
 	"strings"
+	"sync"
+	"testing"
 	"time"
 
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/volume"
+	docker "github.com/docker/docker/client"
+	"github.com/hashicorp/go-cleanhttp"
+	log "github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/vault/api"
+	dockhelper "github.com/hashicorp/vault/sdk/helper/docker"
+	"github.com/hashicorp/vault/sdk/helper/logging"
+	"github.com/hashicorp/vault/sdk/helper/strutil"
+	"github.com/hashicorp/vault/sdk/helper/testcluster"
+	uberAtomic "go.uber.org/atomic"
+	"golang.org/x/net/http2"
 )
 
 var (
-	_ cli.Command             = (*OperatorRaftAutopilotSetConfigCommand)(nil)
-	_ cli.CommandAutocomplete = (*OperatorRaftAutopilotSetConfigCommand)(nil)
+	_ testcluster.VaultCluster     = &DockerCluster{}
+	_ testcluster.VaultClusterNode = &DockerClusterNode{}
 )
 
-type OperatorRaftAutopilotSetConfigCommand struct {
-	*BaseCommand
-	flagCleanupDeadServers             BoolPtr
-	flagLastContactThreshold           time.Duration
-	flagDeadServerLastContactThreshold time.Duration
-	flagMaxTrailingLogs                uint64
-	flagMinQuorum                      uint
-	flagServerStabilizationTime        time.Duration
-	flagDisableUpgradeMigration        BoolPtr
-	flagDRToken                        string
+const MaxClusterNameLength = 52
+
+// DockerCluster is used to managing the lifecycle of the test Vault cluster
+type DockerCluster struct {
+	ClusterName string
+
+	ClusterNodes []*DockerClusterNode
+
+	// Certificate fields
+	*testcluster.CA
+	RootCAs *x509.CertPool
+
+	barrierKeys  [][]byte
+	recoveryKeys [][]byte
+	tmpDir       string
+
+	// rootToken is the initial root token created when the Vault cluster is
+	// created.
+	rootToken string
+	DockerAPI *docker.Client
+	ID        string
+	Logger    log.Logger
+	builtTags map[string]struct{}
+
+	storage testcluster.ClusterStorage
 }
 
-func (c *OperatorRaftAutopilotSetConfigCommand) Synopsis() string {
-	return "Modify the configuration of the autopilot subsystem under integrated storage"
+func (dc *DockerCluster) NamedLogger(s string) log.Logger {
+	return dc.Logger.Named(s)
 }
 
-func (c *OperatorRaftAutopilotSetConfigCommand) Help() string {
-	helpText := `
-Usage: vault operator raft autopilot set-config [options]
+func (dc *DockerCluster) ClusterID() string {
+	return dc.ID
+}
 
-  Modify the configuration of the autopilot subsystem under integrated storage.
-` + c.Flags().Help()
+func (dc *DockerCluster) Nodes() []testcluster.VaultClusterNode {
+	ret := make([]testcluster.VaultClusterNode, len(dc.ClusterNodes))
+	for i := range dc.ClusterNodes {
+		ret[i] = dc.ClusterNodes[i]
+	}
+	return ret
+}
 
-	return strings.TrimSpace(helpText)
+func (dc *DockerCluster) GetBarrierKeys() [][]byte {
+	return dc.barrierKeys
 }
 
-func (c *OperatorRaftAutopilotSetConfigCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+func testKeyCopy(key []byte) []byte {
+	result := make([]byte, len(key))
+	copy(result, key)
+	return result
+}
 
-	f := set.NewFlagSet("Common Options")
+func (dc *DockerCluster) GetRecoveryKeys() [][]byte {
+	ret := make([][]byte, len(dc.recoveryKeys))
+	for i, k := range dc.recoveryKeys {
+		ret[i] = testKeyCopy(k)
+	}
+	return ret
+}
 
-	f.BoolPtrVar(&BoolPtrVar{
-		Name:   "cleanup-dead-servers",
-		Target: &c.flagCleanupDeadServers,
-		Usage:  "Controls whether to remove dead servers from the Raft peer list periodically or when a new server joins.",
+func (dc *DockerCluster) GetBarrierOrRecoveryKeys() [][]byte {
+	return dc.GetBarrierKeys()
+}
+
+func (dc *DockerCluster) SetBarrierKeys(keys [][]byte) {
+	dc.barrierKeys = make([][]byte, len(keys))
+	for i, k := range keys {
+		dc.barrierKeys[i] = testKeyCopy(k)
+	}
+}
+
+func (dc *DockerCluster) SetRecoveryKeys(keys [][]byte) {
+	dc.recoveryKeys = make([][]byte, len(keys))
+	for i, k := range keys {
+		dc.recoveryKeys[i] = testKeyCopy(k)
+	}
+}
+
+func (dc *DockerCluster) GetCACertPEMFile() string {
+	return dc.CACertPEMFile
+}
+
+func (dc *DockerCluster) Cleanup() {
+	dc.cleanup()
+}
+
+func (dc *DockerCluster) cleanup() error {
+	var result *multierror.Error
+	for _, node := range dc.ClusterNodes {
+		if err := node.cleanup(); err != nil {
+			result = multierror.Append(result, err)
+		}
+	}
+
+	return result.ErrorOrNil()
+}
+
+// GetRootToken returns the root token of the cluster, if set
+func (dc *DockerCluster) GetRootToken() string {
+	return dc.rootToken
+}
+
+func (dc *DockerCluster) SetRootToken(s string) {
+	dc.Logger.Trace("cluster root token changed", "helpful_env", fmt.Sprintf("VAULT_TOKEN=%s VAULT_CACERT=/vault/config/ca.pem", s))
+	dc.rootToken = s
+}
+
+func (n *DockerClusterNode) Name() string {
+	return n.Cluster.ClusterName + "-" + n.NodeID
+}
+
+func (dc *DockerCluster) setupNode0(ctx context.Context) error {
+	client := dc.ClusterNodes[0].client
+
+	var resp *api.InitResponse
+	var err error
+	for ctx.Err() == nil {
+		resp, err = client.Sys().Init(&api.InitRequest{
+			SecretShares:    3,
+			SecretThreshold: 3,
+		})
+		if err == nil && resp != nil {
+			break
+		}
+		time.Sleep(500 * time.Millisecond)
+	}
+	if err != nil {
+		return err
+	}
+	if resp == nil {
+		return fmt.Errorf("nil response to init request")
+	}
+
+	for _, k := range resp.Keys {
+		raw, err := hex.DecodeString(k)
+		if err != nil {
+			return err
+		}
+		dc.barrierKeys = append(dc.barrierKeys, raw)
+	}
+
+	for _, k := range resp.RecoveryKeys {
+		raw, err := hex.DecodeString(k)
+		if err != nil {
+			return err
+		}
+		dc.recoveryKeys = append(dc.recoveryKeys, raw)
+	}
+
+	dc.rootToken = resp.RootToken
+	client.SetToken(dc.rootToken)
+	dc.ClusterNodes[0].client = client
+
+	err = testcluster.UnsealNode(ctx, dc, 0)
+	if err != nil {
+		return err
+	}
+
+	err = ensureLeaderMatches(ctx, client, func(leader *api.LeaderResponse) error {
+		if !leader.IsSelf {
+			return fmt.Errorf("node %d leader=%v, expected=%v", 0, leader.IsSelf, true)
+		}
+
+		return nil
 	})
 
-	f.DurationVar(&DurationVar{
-		Name:   "last-contact-threshold",
-		Target: &c.flagLastContactThreshold,
-		Usage:  "Limit on the amount of time a server can go without leader contact before being considered unhealthy.",
+	status, err := client.Sys().SealStatusWithContext(ctx)
+	if err != nil {
+		return err
+	}
+	dc.ID = status.ClusterID
+	return err
+}
+
+func (dc *DockerCluster) clusterReady(ctx context.Context) error {
+	for i, node := range dc.ClusterNodes {
+		expectLeader := i == 0
+		err := ensureLeaderMatches(ctx, node.client, func(leader *api.LeaderResponse) error {
+			if expectLeader != leader.IsSelf {
+				return fmt.Errorf("node %d leader=%v, expected=%v", i, leader.IsSelf, expectLeader)
+			}
+
+			return nil
+		})
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (dc *DockerCluster) setupCA(opts *DockerClusterOptions) error {
+	var err error
+	var ca testcluster.CA
+
+	if opts != nil && opts.CAKey != nil {
+		ca.CAKey = opts.CAKey
+	} else {
+		ca.CAKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+		if err != nil {
+			return err
+		}
+	}
+
+	var caBytes []byte
+	if opts != nil && len(opts.CACert) > 0 {
+		caBytes = opts.CACert
+	} else {
+		serialNumber := mathrand.New(mathrand.NewSource(time.Now().UnixNano())).Int63()
+		CACertTemplate := &x509.Certificate{
+			Subject: pkix.Name{
+				CommonName: "localhost",
+			},
+			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+			SerialNumber:          big.NewInt(serialNumber),
+			NotBefore:             time.Now().Add(-30 * time.Second),
+			NotAfter:              time.Now().Add(262980 * time.Hour),
+			BasicConstraintsValid: true,
+			IsCA:                  true,
+		}
+		caBytes, err = x509.CreateCertificate(rand.Reader, CACertTemplate, CACertTemplate, ca.CAKey.Public(), ca.CAKey)
+		if err != nil {
+			return err
+		}
+	}
+	CACert, err := x509.ParseCertificate(caBytes)
+	if err != nil {
+		return err
+	}
+	ca.CACert = CACert
+	ca.CACertBytes = caBytes
+
+	CACertPEMBlock := &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: caBytes,
+	}
+	ca.CACertPEM = pem.EncodeToMemory(CACertPEMBlock)
+
+	ca.CACertPEMFile = filepath.Join(dc.tmpDir, "ca", "ca.pem")
+	err = os.WriteFile(ca.CACertPEMFile, ca.CACertPEM, 0o755)
+	if err != nil {
+		return err
+	}
+
+	marshaledCAKey, err := x509.MarshalECPrivateKey(ca.CAKey)
+	if err != nil {
+		return err
+	}
+	CAKeyPEMBlock := &pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: marshaledCAKey,
+	}
+	ca.CAKeyPEM = pem.EncodeToMemory(CAKeyPEMBlock)
+
+	dc.CA = &ca
+
+	return nil
+}
+
+func (n *DockerClusterNode) setupCert(ip string) error {
+	var err error
+
+	n.ServerKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return err
+	}
+
+	serialNumber := mathrand.New(mathrand.NewSource(time.Now().UnixNano())).Int63()
+	certTemplate := &x509.Certificate{
+		Subject: pkix.Name{
+			CommonName: n.Name(),
+		},
+		DNSNames:    []string{"localhost", n.Name()},
+		IPAddresses: []net.IP{net.IPv6loopback, net.ParseIP("127.0.0.1"), net.ParseIP(ip)},
+		ExtKeyUsage: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageServerAuth,
+			x509.ExtKeyUsageClientAuth,
+		},
+		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement,
+		SerialNumber: big.NewInt(serialNumber),
+		NotBefore:    time.Now().Add(-30 * time.Second),
+		NotAfter:     time.Now().Add(262980 * time.Hour),
+	}
+	n.ServerCertBytes, err = x509.CreateCertificate(rand.Reader, certTemplate, n.Cluster.CACert, n.ServerKey.Public(), n.Cluster.CAKey)
+	if err != nil {
+		return err
+	}
+	n.ServerCert, err = x509.ParseCertificate(n.ServerCertBytes)
+	if err != nil {
+		return err
+	}
+	n.ServerCertPEM = pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: n.ServerCertBytes,
 	})
 
-	f.DurationVar(&DurationVar{
-		Name:   "dead-server-last-contact-threshold",
-		Target: &c.flagDeadServerLastContactThreshold,
-		Usage:  "Limit on the amount of time a server can go without leader contact before being considered failed. This takes effect only when cleanup_dead_servers is set.",
+	marshaledKey, err := x509.MarshalECPrivateKey(n.ServerKey)
+	if err != nil {
+		return err
+	}
+	n.ServerKeyPEM = pem.EncodeToMemory(&pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: marshaledKey,
 	})
 
-	f.Uint64Var(&Uint64Var{
-		Name:   "max-trailing-logs",
-		Target: &c.flagMaxTrailingLogs,
-		Usage:  "Amount of entries in the Raft Log that a server can be behind before being considered unhealthy.",
+	n.ServerCertPEMFile = filepath.Join(n.WorkDir, "cert.pem")
+	err = os.WriteFile(n.ServerCertPEMFile, n.ServerCertPEM, 0o755)
+	if err != nil {
+		return err
+	}
+
+	n.ServerKeyPEMFile = filepath.Join(n.WorkDir, "key.pem")
+	err = os.WriteFile(n.ServerKeyPEMFile, n.ServerKeyPEM, 0o755)
+	if err != nil {
+		return err
+	}
+
+	tlsCert, err := tls.X509KeyPair(n.ServerCertPEM, n.ServerKeyPEM)
+	if err != nil {
+		return err
+	}
+
+	certGetter := NewCertificateGetter(n.ServerCertPEMFile, n.ServerKeyPEMFile, "")
+	if err := certGetter.Reload(); err != nil {
+		return err
+	}
+	tlsConfig := &tls.Config{
+		Certificates:   []tls.Certificate{tlsCert},
+		RootCAs:        n.Cluster.RootCAs,
+		ClientCAs:      n.Cluster.RootCAs,
+		ClientAuth:     tls.RequestClientCert,
+		NextProtos:     []string{"h2", "http/1.1"},
+		GetCertificate: certGetter.GetCertificate,
+	}
+
+	n.tlsConfig = tlsConfig
+
+	err = os.WriteFile(filepath.Join(n.WorkDir, "ca.pem"), n.Cluster.CACertPEM, 0o755)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func NewTestDockerCluster(t *testing.T, opts *DockerClusterOptions) *DockerCluster {
+	if opts == nil {
+		opts = &DockerClusterOptions{}
+	}
+	if opts.ClusterName == "" {
+		opts.ClusterName = strings.ReplaceAll(t.Name(), "/", "-")
+	}
+	if opts.Logger == nil {
+		opts.Logger = logging.NewVaultLogger(log.Trace).Named(t.Name())
+	}
+	if opts.NetworkName == "" {
+		opts.NetworkName = os.Getenv("TEST_DOCKER_NETWORK_NAME")
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 120*time.Second)
+	t.Cleanup(cancel)
+
+	dc, err := NewDockerCluster(ctx, opts)
+	if err != nil {
+		t.Fatal(err)
+	}
+	dc.Logger.Trace("cluster started", "helpful_env", fmt.Sprintf("VAULT_TOKEN=%s VAULT_CACERT=/vault/config/ca.pem", dc.GetRootToken()))
+	return dc
+}
+
+func NewDockerCluster(ctx context.Context, opts *DockerClusterOptions) (*DockerCluster, error) {
+	api, err := dockhelper.NewDockerAPI()
+	if err != nil {
+		return nil, err
+	}
+
+	if opts == nil {
+		opts = &DockerClusterOptions{}
+	}
+	if opts.Logger == nil {
+		opts.Logger = log.NewNullLogger()
+	}
+	if opts.VaultLicense == "" {
+		opts.VaultLicense = os.Getenv(testcluster.EnvVaultLicenseCI)
+	}
+
+	dc := &DockerCluster{
+		DockerAPI:   api,
+		ClusterName: opts.ClusterName,
+		Logger:      opts.Logger,
+		builtTags:   map[string]struct{}{},
+		CA:          opts.CA,
+		storage:     opts.Storage,
+	}
+
+	if err := dc.setupDockerCluster(ctx, opts); err != nil {
+		dc.Cleanup()
+		return nil, err
+	}
+
+	return dc, nil
+}
+
+// DockerClusterNode represents a single instance of Vault in a cluster
+type DockerClusterNode struct {
+	NodeID               string
+	HostPort             string
+	client               *api.Client
+	ServerCert           *x509.Certificate
+	ServerCertBytes      []byte
+	ServerCertPEM        []byte
+	ServerCertPEMFile    string
+	ServerKey            *ecdsa.PrivateKey
+	ServerKeyPEM         []byte
+	ServerKeyPEMFile     string
+	tlsConfig            *tls.Config
+	WorkDir              string
+	Cluster              *DockerCluster
+	Container            *types.ContainerJSON
+	DockerAPI            *docker.Client
+	runner               *dockhelper.Runner
+	Logger               log.Logger
+	cleanupContainer     func()
+	RealAPIAddr          string
+	ContainerNetworkName string
+	ContainerIPAddress   string
+	ImageRepo            string
+	ImageTag             string
+	DataVolumeName       string
+	cleanupVolume        func()
+	AllClients           []*api.Client
+}
+
+func (n *DockerClusterNode) TLSConfig() *tls.Config {
+	return n.tlsConfig.Clone()
+}
+
+func (n *DockerClusterNode) APIClient() *api.Client {
+	// We clone to ensure that whenever this method is called, the caller gets
+	// back a pristine client, without e.g. any namespace or token changes that
+	// might pollute a shared client.  We clone the config instead of the
+	// client because (1) Client.clone propagates the replicationStateStore and
+	// the httpClient pointers, (2) it doesn't copy the tlsConfig at all, and
+	// (3) if clone returns an error, it doesn't feel as appropriate to panic
+	// below.  Who knows why clone might return an error?
+	cfg := n.client.CloneConfig()
+	client, err := api.NewClient(cfg)
+	if err != nil {
+		// It seems fine to panic here, since this should be the same input
+		// we provided to NewClient when we were setup, and we didn't panic then.
+		// Better not to completely ignore the error though, suppose there's a
+		// bug in CloneConfig?
+		panic(fmt.Sprintf("NewClient error on cloned config: %v", err))
+	}
+	client.SetToken(n.Cluster.rootToken)
+	return client
+}
+
+func (n *DockerClusterNode) APIClientN(listenerNumber int) (*api.Client, error) {
+	// We clone to ensure that whenever this method is called, the caller gets
+	// back a pristine client, without e.g. any namespace or token changes that
+	// might pollute a shared client.  We clone the config instead of the
+	// client because (1) Client.clone propagates the replicationStateStore and
+	// the httpClient pointers, (2) it doesn't copy the tlsConfig at all, and
+	// (3) if clone returns an error, it doesn't feel as appropriate to panic
+	// below.  Who knows why clone might return an error?
+	if listenerNumber >= len(n.AllClients) {
+		return nil, fmt.Errorf("invalid listener number %d", listenerNumber)
+	}
+	cfg := n.AllClients[listenerNumber].CloneConfig()
+	client, err := api.NewClient(cfg)
+	if err != nil {
+		// It seems fine to panic here, since this should be the same input
+		// we provided to NewClient when we were setup, and we didn't panic then.
+		// Better not to completely ignore the error though, suppose there's a
+		// bug in CloneConfig?
+		panic(fmt.Sprintf("NewClient error on cloned config: %v", err))
+	}
+	client.SetToken(n.Cluster.rootToken)
+	return client, nil
+}
+
+// NewAPIClient creates and configures a Vault API client to communicate with
+// the running Vault Cluster for this DockerClusterNode
+func (n *DockerClusterNode) apiConfig() (*api.Config, error) {
+	transport := cleanhttp.DefaultPooledTransport()
+	transport.TLSClientConfig = n.TLSConfig()
+	if err := http2.ConfigureTransport(transport); err != nil {
+		return nil, err
+	}
+	client := &http.Client{
+		Transport: transport,
+		CheckRedirect: func(*http.Request, []*http.Request) error {
+			// This can of course be overridden per-test by using its own client
+			return fmt.Errorf("redirects not allowed in these tests")
+		},
+	}
+	config := api.DefaultConfig()
+	if config.Error != nil {
+		return nil, config.Error
+	}
+	config.Address = fmt.Sprintf("https://%s", n.HostPort)
+	config.HttpClient = client
+	config.MaxRetries = 0
+	return config, nil
+}
+
+func (n *DockerClusterNode) newAPIClient() (*api.Client, error) {
+	config, err := n.apiConfig()
+	if err != nil {
+		return nil, err
+	}
+	client, err := api.NewClient(config)
+	if err != nil {
+		return nil, err
+	}
+	client.SetToken(n.Cluster.GetRootToken())
+	return client, nil
+}
+
+func (n *DockerClusterNode) newAPIClientForAddress(address string) (*api.Client, error) {
+	config, err := n.apiConfig()
+	if err != nil {
+		return nil, err
+	}
+	config.Address = fmt.Sprintf("https://%s", address)
+	client, err := api.NewClient(config)
+	if err != nil {
+		return nil, err
+	}
+	client.SetToken(n.Cluster.GetRootToken())
+	return client, nil
+}
+
+// Cleanup kills the container of the node and deletes its data volume
+func (n *DockerClusterNode) Cleanup() {
+	n.cleanup()
+}
+
+// Stop kills the container of the node
+func (n *DockerClusterNode) Stop() {
+	n.cleanupContainer()
+}
+
+func (n *DockerClusterNode) cleanup() error {
+	if n.Container == nil || n.Container.ID == "" {
+		return nil
+	}
+	n.cleanupContainer()
+	n.cleanupVolume()
+	return nil
+}
+
+func (n *DockerClusterNode) createDefaultListenerConfig() map[string]interface{} {
+	return map[string]interface{}{"tcp": map[string]interface{}{
+		"address":       fmt.Sprintf("%s:%d", "0.0.0.0", 8200),
+		"tls_cert_file": "/vault/config/cert.pem",
+		"tls_key_file":  "/vault/config/key.pem",
+		"telemetry": map[string]interface{}{
+			"unauthenticated_metrics_access": true,
+		},
+	}}
+}
+
+func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOptions) error {
+	if n.DataVolumeName == "" {
+		vol, err := n.DockerAPI.VolumeCreate(ctx, volume.CreateOptions{})
+		if err != nil {
+			return err
+		}
+		n.DataVolumeName = vol.Name
+		n.cleanupVolume = func() {
+			_ = n.DockerAPI.VolumeRemove(ctx, vol.Name, false)
+		}
+	}
+	vaultCfg := map[string]interface{}{}
+	var listenerConfig []map[string]interface{}
+	listenerConfig = append(listenerConfig, n.createDefaultListenerConfig())
+	ports := []string{"8200/tcp", "8201/tcp"}
+
+	if opts.VaultNodeConfig != nil && opts.VaultNodeConfig.AdditionalListeners != nil {
+		for _, config := range opts.VaultNodeConfig.AdditionalListeners {
+			cfg := n.createDefaultListenerConfig()
+			listener := cfg["tcp"].(map[string]interface{})
+			listener["address"] = fmt.Sprintf("%s:%d", "0.0.0.0", config.Port)
+			listener["chroot_namespace"] = config.ChrootNamespace
+			listenerConfig = append(listenerConfig, cfg)
+			portStr := fmt.Sprintf("%d/tcp", config.Port)
+			if strutil.StrListContains(ports, portStr) {
+				return fmt.Errorf("duplicate port %d specified", config.Port)
+			}
+			ports = append(ports, portStr)
+		}
+	}
+	vaultCfg["listener"] = listenerConfig
+	vaultCfg["telemetry"] = map[string]interface{}{
+		"disable_hostname": true,
+	}
+
+	// Setup storage. Default is raft.
+	storageType := "raft"
+	storageOpts := map[string]interface{}{
+		// TODO add options from vnc
+		"path":    "/vault/file",
+		"node_id": n.NodeID,
+	}
+
+	if opts.Storage != nil {
+		storageType = opts.Storage.Type()
+		storageOpts = opts.Storage.Opts()
+	}
+
+	if opts != nil && opts.VaultNodeConfig != nil {
+		for k, v := range opts.VaultNodeConfig.StorageOptions {
+			if _, ok := storageOpts[k].(string); !ok {
+				storageOpts[k] = v
+			}
+		}
+	}
+	vaultCfg["storage"] = map[string]interface{}{
+		storageType: storageOpts,
+	}
+
+	//// disable_mlock is required for working in the Docker environment with
+	//// custom plugins
+	vaultCfg["disable_mlock"] = true
+	vaultCfg["api_addr"] = `https://{{- GetAllInterfaces | exclude "flags" "loopback" | attr "address" -}}:8200`
+	vaultCfg["cluster_addr"] = `https://{{- GetAllInterfaces | exclude "flags" "loopback" | attr "address" -}}:8201`
+
+	vaultCfg["administrative_namespace_path"] = opts.AdministrativeNamespacePath
+
+	systemJSON, err := json.Marshal(vaultCfg)
+	if err != nil {
+		return err
+	}
+	err = os.WriteFile(filepath.Join(n.WorkDir, "system.json"), systemJSON, 0o644)
+	if err != nil {
+		return err
+	}
+
+	if opts.VaultNodeConfig != nil {
+		localCfg := *opts.VaultNodeConfig
+		if opts.VaultNodeConfig.LicensePath != "" {
+			b, err := os.ReadFile(opts.VaultNodeConfig.LicensePath)
+			if err != nil || len(b) == 0 {
+				return fmt.Errorf("unable to read LicensePath at %q: %w", opts.VaultNodeConfig.LicensePath, err)
+			}
+			localCfg.LicensePath = "/vault/config/license"
+			dest := filepath.Join(n.WorkDir, "license")
+			err = os.WriteFile(dest, b, 0o644)
+			if err != nil {
+				return fmt.Errorf("error writing license to %q: %w", dest, err)
+			}
+
+		}
+		userJSON, err := json.Marshal(localCfg)
+		if err != nil {
+			return err
+		}
+		err = os.WriteFile(filepath.Join(n.WorkDir, "user.json"), userJSON, 0o644)
+		if err != nil {
+			return err
+		}
+	}
+
+	// Create a temporary cert so vault will start up
+	err = n.setupCert("127.0.0.1")
+	if err != nil {
+		return err
+	}
+
+	caDir := filepath.Join(n.Cluster.tmpDir, "ca")
+
+	// setup plugin bin copy if needed
+	copyFromTo := map[string]string{
+		n.WorkDir: "/vault/config",
+		caDir:     "/usr/local/share/ca-certificates/",
+	}
+
+	var wg sync.WaitGroup
+	wg.Add(1)
+	var seenLogs uberAtomic.Bool
+	logConsumer := func(s string) {
+		if seenLogs.CAS(false, true) {
+			wg.Done()
+		}
+		n.Logger.Trace(s)
+	}
+	logStdout := &LogConsumerWriter{logConsumer}
+	logStderr := &LogConsumerWriter{func(s string) {
+		if seenLogs.CAS(false, true) {
+			wg.Done()
+		}
+		testcluster.JSONLogNoTimestamp(n.Logger, s)
+	}}
+
+	r, err := dockhelper.NewServiceRunner(dockhelper.RunOptions{
+		ImageRepo: n.ImageRepo,
+		ImageTag:  n.ImageTag,
+		// We don't need to run update-ca-certificates in the container, because
+		// we're providing the CA in the raft join call, and otherwise Vault
+		// servers don't talk to one another on the API port.
+		Cmd: append([]string{"server"}, opts.Args...),
+		Env: []string{
+			// For now we're using disable_mlock, because this is for testing
+			// anyway, and because it prevents us using external plugins.
+			"SKIP_SETCAP=true",
+			"VAULT_LOG_FORMAT=json",
+			"VAULT_LICENSE=" + opts.VaultLicense,
+		},
+		Ports:           ports,
+		ContainerName:   n.Name(),
+		NetworkName:     opts.NetworkName,
+		CopyFromTo:      copyFromTo,
+		LogConsumer:     logConsumer,
+		LogStdout:       logStdout,
+		LogStderr:       logStderr,
+		PreDelete:       true,
+		DoNotAutoRemove: true,
+		PostStart: func(containerID string, realIP string) error {
+			err := n.setupCert(realIP)
+			if err != nil {
+				return err
+			}
+
+			// If we signal Vault before it installs its sighup handler, it'll die.
+			wg.Wait()
+			n.Logger.Trace("running poststart", "containerID", containerID, "IP", realIP)
+			return n.runner.RefreshFiles(ctx, containerID)
+		},
+		Capabilities:      []string{"NET_ADMIN"},
+		OmitLogTimestamps: true,
+		VolumeNameToMountPoint: map[string]string{
+			n.DataVolumeName: "/vault/file",
+		},
 	})
+	if err != nil {
+		return err
+	}
+	n.runner = r
+
+	probe := opts.StartProbe
+	if probe == nil {
+		probe = func(c *api.Client) error {
+			_, err = c.Sys().SealStatus()
+			return err
+		}
+	}
+	svc, _, err := r.StartNewService(ctx, false, false, func(ctx context.Context, host string, port int) (dockhelper.ServiceConfig, error) {
+		config, err := n.apiConfig()
+		if err != nil {
+			return nil, err
+		}
+		config.Address = fmt.Sprintf("https://%s:%d", host, port)
+		client, err := api.NewClient(config)
+		if err != nil {
+			return nil, err
+		}
+		err = probe(client)
+		if err != nil {
+			return nil, err
+		}
 
-	f.UintVar(&UintVar{
-		Name:   "min-quorum",
-		Target: &c.flagMinQuorum,
-		Usage:  "Minimum number of servers allowed in a cluster before autopilot can prune dead servers. This should at least be 3.",
+		return dockhelper.NewServiceHostPort(host, port), nil
 	})
+	if err != nil {
+		return err
+	}
+
+	n.HostPort = svc.Config.Address()
+	n.Container = svc.Container
+	netName := opts.NetworkName
+	if netName == "" {
+		if len(svc.Container.NetworkSettings.Networks) > 1 {
+			return fmt.Errorf("Set d.RunOptions.NetworkName instead for container with multiple networks: %v", svc.Container.NetworkSettings.Networks)
+		}
+		for netName = range svc.Container.NetworkSettings.Networks {
+			// Networks above is a map; we just need to find the first and
+			// only key of this map (network name). The range handles this
+			// for us, but we need a loop construction in order to use range.
+		}
+	}
+	n.ContainerNetworkName = netName
+	n.ContainerIPAddress = svc.Container.NetworkSettings.Networks[netName].IPAddress
+	n.RealAPIAddr = "https://" + n.ContainerIPAddress + ":8200"
+	n.cleanupContainer = svc.Cleanup
+
+	client, err := n.newAPIClient()
+	if err != nil {
+		return err
+	}
+	client.SetToken(n.Cluster.rootToken)
+	n.client = client
+
+	n.AllClients = append(n.AllClients, client)
+
+	for _, addr := range svc.StartResult.Addrs[2:] {
+		// The second element of this list of addresses is the cluster address
+		// We do not want to create a client for the cluster address mapping
+		client, err := n.newAPIClientForAddress(addr)
+		if err != nil {
+			return err
+		}
+		client.SetToken(n.Cluster.rootToken)
+		n.AllClients = append(n.AllClients, client)
+	}
+	return nil
+}
+
+func (n *DockerClusterNode) Pause(ctx context.Context) error {
+	return n.DockerAPI.ContainerPause(ctx, n.Container.ID)
+}
+
+func (n *DockerClusterNode) Restart(ctx context.Context) error {
+	timeout := 5
+	err := n.DockerAPI.ContainerRestart(ctx, n.Container.ID, container.StopOptions{Timeout: &timeout})
+	if err != nil {
+		return err
+	}
+
+	resp, err := n.DockerAPI.ContainerInspect(ctx, n.Container.ID)
+	if err != nil {
+		return fmt.Errorf("error inspecting container after restart: %s", err)
+	}
+
+	var port int
+	if len(resp.NetworkSettings.Ports) > 0 {
+		for key, binding := range resp.NetworkSettings.Ports {
+			if len(binding) < 1 {
+				continue
+			}
+
+			if key == "8200/tcp" {
+				port, err = strconv.Atoi(binding[0].HostPort)
+			}
+		}
+	}
+
+	if port == 0 {
+		return fmt.Errorf("failed to find container port after restart")
+	}
+
+	hostPieces := strings.Split(n.HostPort, ":")
+	if len(hostPieces) < 2 {
+		return errors.New("could not parse node hostname")
+	}
+
+	n.HostPort = fmt.Sprintf("%s:%d", hostPieces[0], port)
 
-	f.DurationVar(&DurationVar{
-		Name:   "server-stabilization-time",
-		Target: &c.flagServerStabilizationTime,
-		Usage:  "Minimum amount of time a server must be in a stable, healthy state before it can be added to the cluster.",
+	client, err := n.newAPIClient()
+	if err != nil {
+		return err
+	}
+	client.SetToken(n.Cluster.rootToken)
+	n.client = client
+
+	return nil
+}
+
+func (n *DockerClusterNode) AddNetworkDelay(ctx context.Context, delay time.Duration, targetIP string) error {
+	ip := net.ParseIP(targetIP)
+	if ip == nil {
+		return fmt.Errorf("targetIP %q is not an IP address", targetIP)
+	}
+	// Let's attempt to get a unique handle for the filter rule; we'll assume that
+	// every targetIP has a unique last octet, which is true currently for how
+	// we're doing docker networking.
+	lastOctet := ip.To4()[3]
+
+	stdout, stderr, exitCode, err := n.runner.RunCmdWithOutput(ctx, n.Container.ID, []string{
+		"/bin/sh",
+		"-xec", strings.Join([]string{
+			fmt.Sprintf("echo isolating node %s", targetIP),
+			"apk add iproute2",
+			// If we're running this script a second time on the same node,
+			// the add dev will fail; since we only want to run the netem
+			// command once, we'll do so in the case where the add dev doesn't fail.
+			"tc qdisc add dev eth0 root handle 1: prio && " +
+				fmt.Sprintf("tc qdisc add dev eth0 parent 1:1 handle 2: netem delay %dms", delay/time.Millisecond),
+			// Here we create a u32 filter as per https://man7.org/linux/man-pages/man8/tc-u32.8.html
+			// Its parent is 1:0 (which I guess is the root?)
+			// Its handle must be unique, so we base it on targetIP
+			fmt.Sprintf("tc filter add dev eth0 parent 1:0 protocol ip pref 55 handle ::%x u32 match ip dst %s flowid 2:1", lastOctet, targetIP),
+		}, "; "),
 	})
+	if err != nil {
+		return err
+	}
 
-	f.BoolPtrVar(&BoolPtrVar{
-		Name:   "disable-upgrade-migration",
-		Target: &c.flagDisableUpgradeMigration,
-		Usage:  "Whether or not to perform automated version upgrades.",
+	n.Logger.Trace(string(stdout))
+	n.Logger.Trace(string(stderr))
+	if exitCode != 0 {
+		return fmt.Errorf("got nonzero exit code from iptables: %d", exitCode)
+	}
+	return nil
+}
+
+// PartitionFromCluster will cause the node to be disconnected at the network
+// level from the rest of the docker cluster. It does so in a way that the node
+// will not see TCP RSTs and all packets it sends will be "black holed". It
+// attempts to keep packets to and from the host intact which allows docker
+// daemon to continue streaming logs and any test code to continue making
+// requests from the host to the partitioned node.
+func (n *DockerClusterNode) PartitionFromCluster(ctx context.Context) error {
+	stdout, stderr, exitCode, err := n.runner.RunCmdWithOutput(ctx, n.Container.ID, []string{
+		"/bin/sh",
+		"-xec", strings.Join([]string{
+			fmt.Sprintf("echo partitioning container from network"),
+			"apk add iproute2",
+			// Get the gateway address for the bridge so we can allow host to
+			// container traffic still.
+			"GW=$(ip r | grep default | grep eth0 | cut -f 3 -d' ')",
+			// First delete the rules in case this is called twice otherwise we'll add
+			// multiple copies and only remove one in Unpartition (yay iptables).
+			// Ignore the error if it didn't exist.
+			"iptables -D INPUT -i eth0 ! -s \"$GW\" -j DROP | true",
+			"iptables -D OUTPUT -o eth0 ! -d \"$GW\" -j DROP | true",
+			// Add rules to drop all packets in and out of the docker network
+			// connection.
+			"iptables -I INPUT -i eth0 ! -s \"$GW\" -j DROP",
+			"iptables -I OUTPUT -o eth0 ! -d \"$GW\" -j DROP",
+		}, "; "),
 	})
+	if err != nil {
+		return err
+	}
 
-	f.StringVar(&StringVar{
-		Name:       "dr-token",
-		Target:     &c.flagDRToken,
-		Default:    "",
-		EnvVar:     "",
-		Completion: complete.PredictAnything,
-		Usage:      "DR operation token used to authorize this request (if a DR secondary node).",
+	n.Logger.Trace(string(stdout))
+	n.Logger.Trace(string(stderr))
+	if exitCode != 0 {
+		return fmt.Errorf("got nonzero exit code from iptables: %d", exitCode)
+	}
+	return nil
+}
+
+// UnpartitionFromCluster reverses a previous call to PartitionFromCluster and
+// restores full connectivity. Currently assumes the default "bridge" network.
+func (n *DockerClusterNode) UnpartitionFromCluster(ctx context.Context) error {
+	stdout, stderr, exitCode, err := n.runner.RunCmdWithOutput(ctx, n.Container.ID, []string{
+		"/bin/sh",
+		"-xec", strings.Join([]string{
+			fmt.Sprintf("echo un-partitioning container from network"),
+			// Get the gateway address for the bridge so we can allow host to
+			// container traffic still.
+			"GW=$(ip r | grep default | grep eth0 | cut -f 3 -d' ')",
+			// Remove the rules, ignore if they are not present or iptables wasn't
+			// installed yet (i.e. no-one called PartitionFromCluster yet).
+			"iptables -D INPUT -i eth0 ! -s \"$GW\" -j DROP | true",
+			"iptables -D OUTPUT -o eth0 ! -d \"$GW\" -j DROP | true",
+		}, "; "),
 	})
+	if err != nil {
+		return err
+	}
 
-	return set
+	n.Logger.Trace(string(stdout))
+	n.Logger.Trace(string(stderr))
+	if exitCode != 0 {
+		return fmt.Errorf("got nonzero exit code from iptables: %d", exitCode)
+	}
+	return nil
 }
 
-func (c *OperatorRaftAutopilotSetConfigCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictAnything
+type LogConsumerWriter struct {
+	consumer func(string)
 }
 
-func (c *OperatorRaftAutopilotSetConfigCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
+func (l LogConsumerWriter) Write(p []byte) (n int, err error) {
+	// TODO this assumes that we're never passed partial log lines, which
+	// seems a safe assumption for now based on how docker looks to implement
+	// logging, but might change in the future.
+	scanner := bufio.NewScanner(bytes.NewReader(p))
+	scanner.Buffer(make([]byte, 64*1024), bufio.MaxScanTokenSize)
+	for scanner.Scan() {
+		l.consumer(scanner.Text())
+	}
+	return len(p), nil
 }
 
-func (c *OperatorRaftAutopilotSetConfigCommand) Run(args []string) int {
-	f := c.Flags()
+// DockerClusterOptions has options for setting up the docker cluster
+type DockerClusterOptions struct {
+	testcluster.ClusterOptions
+	CAKey       *ecdsa.PrivateKey
+	NetworkName string
+	ImageRepo   string
+	ImageTag    string
+	CA          *testcluster.CA
+	VaultBinary string
+	Args        []string
+	StartProbe  func(*api.Client) error
+	Storage     testcluster.ClusterStorage
+}
 
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
+func ensureLeaderMatches(ctx context.Context, client *api.Client, ready func(response *api.LeaderResponse) error) error {
+	var leader *api.LeaderResponse
+	var err error
+	for ctx.Err() == nil {
+		leader, err = client.Sys().Leader()
+		switch {
+		case err != nil:
+		case leader == nil:
+			err = fmt.Errorf("nil response to leader check")
+		default:
+			err = ready(leader)
+			if err == nil {
+				return nil
+			}
+		}
+		time.Sleep(500 * time.Millisecond)
+	}
+	return fmt.Errorf("error checking leader: %v", err)
+}
+
+const DefaultNumCores = 3
+
+// creates a managed docker container running Vault
+func (dc *DockerCluster) setupDockerCluster(ctx context.Context, opts *DockerClusterOptions) error {
+	if opts.TmpDir != "" {
+		if _, err := os.Stat(opts.TmpDir); os.IsNotExist(err) {
+			if err := os.MkdirAll(opts.TmpDir, 0o700); err != nil {
+				return err
+			}
+		}
+		dc.tmpDir = opts.TmpDir
+	} else {
+		tempDir, err := ioutil.TempDir("", "vault-test-cluster-")
+		if err != nil {
+			return err
+		}
+		dc.tmpDir = tempDir
+	}
+	caDir := filepath.Join(dc.tmpDir, "ca")
+	if err := os.MkdirAll(caDir, 0o755); err != nil {
+		return err
 	}
 
-	args = f.Args()
-	switch len(args) {
-	case 0:
-	default:
-		c.UI.Error(fmt.Sprintf("Incorrect arguments (expected 0, got %d)", len(args)))
-		return 1
+	var numCores int
+	if opts.NumCores == 0 {
+		numCores = DefaultNumCores
+	} else {
+		numCores = opts.NumCores
 	}
 
-	client, err := c.Client()
+	if dc.CA == nil {
+		if err := dc.setupCA(opts); err != nil {
+			return err
+		}
+	}
+	dc.RootCAs = x509.NewCertPool()
+	dc.RootCAs.AddCert(dc.CA.CACert)
+
+	if dc.storage != nil {
+		if err := dc.storage.Start(ctx, &opts.ClusterOptions); err != nil {
+			return err
+		}
+	}
+
+	for i := 0; i < numCores; i++ {
+		if err := dc.addNode(ctx, opts); err != nil {
+			return err
+		}
+		if opts.SkipInit {
+			continue
+		}
+		if i == 0 {
+			if err := dc.setupNode0(ctx); err != nil {
+				return err
+			}
+		} else {
+			if err := dc.joinNode(ctx, i, 0); err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
+func (dc *DockerCluster) AddNode(ctx context.Context, opts *DockerClusterOptions) error {
+	leaderIdx, err := testcluster.LeaderNode(ctx, dc)
+	if err != nil {
+		return err
+	}
+	if err := dc.addNode(ctx, opts); err != nil {
+		return err
+	}
+
+	return dc.joinNode(ctx, len(dc.ClusterNodes)-1, leaderIdx)
+}
+
+func (dc *DockerCluster) addNode(ctx context.Context, opts *DockerClusterOptions) error {
+	tag, err := dc.setupImage(ctx, opts)
 	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
+		return err
+	}
+	i := len(dc.ClusterNodes)
+	nodeID := fmt.Sprintf("core-%d", i)
+	node := &DockerClusterNode{
+		DockerAPI: dc.DockerAPI,
+		NodeID:    nodeID,
+		Cluster:   dc,
+		WorkDir:   filepath.Join(dc.tmpDir, nodeID),
+		Logger:    dc.Logger.Named(nodeID),
+		ImageRepo: opts.ImageRepo,
+		ImageTag:  tag,
+	}
+	dc.ClusterNodes = append(dc.ClusterNodes, node)
+	if err := os.MkdirAll(node.WorkDir, 0o755); err != nil {
+		return err
+	}
+	if err := node.Start(ctx, opts); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (dc *DockerCluster) joinNode(ctx context.Context, nodeIdx int, leaderIdx int) error {
+	if dc.storage != nil && dc.storage.Type() != "raft" {
+		// Storage is not raft so nothing to do but unseal.
+		return testcluster.UnsealNode(ctx, dc, nodeIdx)
 	}
 
-	data := make(map[string]interface{})
-	if c.flagCleanupDeadServers.IsSet() {
-		data["cleanup_dead_servers"] = c.flagCleanupDeadServers.Get()
+	leader := dc.ClusterNodes[leaderIdx]
+
+	if nodeIdx >= len(dc.ClusterNodes) {
+		return fmt.Errorf("invalid node %d", nodeIdx)
 	}
-	if c.flagMaxTrailingLogs > 0 {
-		data["max_trailing_logs"] = c.flagMaxTrailingLogs
+	node := dc.ClusterNodes[nodeIdx]
+	client := node.APIClient()
+
+	var resp *api.RaftJoinResponse
+	resp, err := client.Sys().RaftJoinWithContext(ctx, &api.RaftJoinRequest{
+		// When running locally on a bridge network, the containers must use their
+		// actual (private) IP to talk to one another.  Our code must instead use
+		// the portmapped address since we're not on their network in that case.
+		LeaderAPIAddr:    leader.RealAPIAddr,
+		LeaderCACert:     string(dc.CACertPEM),
+		LeaderClientCert: string(node.ServerCertPEM),
+		LeaderClientKey:  string(node.ServerKeyPEM),
+	})
+	if resp == nil || !resp.Joined {
+		return fmt.Errorf("nil or negative response from raft join request: %v", resp)
 	}
-	if c.flagMinQuorum > 0 {
-		data["min_quorum"] = c.flagMinQuorum
+	if err != nil {
+		return fmt.Errorf("failed to join cluster: %w", err)
 	}
-	if c.flagLastContactThreshold > 0 {
-		data["last_contact_threshold"] = c.flagLastContactThreshold.String()
+
+	return testcluster.UnsealNode(ctx, dc, nodeIdx)
+}
+
+func (dc *DockerCluster) setupImage(ctx context.Context, opts *DockerClusterOptions) (string, error) {
+	if opts == nil {
+		opts = &DockerClusterOptions{}
 	}
-	if c.flagDeadServerLastContactThreshold > 0 {
-		data["dead_server_last_contact_threshold"] = c.flagDeadServerLastContactThreshold.String()
+	sourceTag := opts.ImageTag
+	if sourceTag == "" {
+		sourceTag = "latest"
 	}
-	if c.flagServerStabilizationTime > 0 {
-		data["server_stabilization_time"] = c.flagServerStabilizationTime.String()
+
+	if opts.VaultBinary == "" {
+		return sourceTag, nil
 	}
-	if c.flagDisableUpgradeMigration.IsSet() {
-		data["disable_upgrade_migration"] = c.flagDisableUpgradeMigration.Get()
+
+	suffix := "testing"
+	if sha := os.Getenv("COMMIT_SHA"); sha != "" {
+		suffix = sha
 	}
-	if c.flagDRToken != "" {
-		data["dr_operation_token"] = c.flagDRToken
+	tag := sourceTag + "-" + suffix
+	if _, ok := dc.builtTags[tag]; ok {
+		return tag, nil
 	}
 
-	secret, err := client.Logical().Write("sys/storage/raft/autopilot/configuration", data)
+	f, err := os.Open(opts.VaultBinary)
 	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
+		return "", err
 	}
-	if secret == nil {
-		return 0
+	data, err := io.ReadAll(f)
+	if err != nil {
+		return "", err
 	}
+	bCtx := dockhelper.NewBuildContext()
+	bCtx["vault"] = &dockhelper.FileContents{
+		Data: data,
+		Mode: 0o755,
+	}
+
+	containerFile := fmt.Sprintf(`
+FROM %s:%s
+COPY vault /bin/vault
+`, opts.ImageRepo, sourceTag)
 
-	return OutputSecret(c.UI, secret)
+	_, err = dockhelper.BuildImage(ctx, dc.DockerAPI, containerFile, bCtx,
+		dockhelper.BuildRemove(true), dockhelper.BuildForceRemove(true),
+		dockhelper.BuildPullParent(true),
+		dockhelper.BuildTags([]string{opts.ImageRepo + ":" + tag}))
+	if err != nil {
+		return "", err
+	}
+	dc.builtTags[tag] = struct{}{}
+	return tag, nil
 }
+
+/* Notes on testing the non-bridge network case:
+- you need the test itself to be running in a container so that it can use
+  the network; create the network using
+    docker network create testvault
+- this means that you need to mount the docker socket in that test container,
+  but on macos there's stuff that prevents that from working; to hack that,
+  on the host run
+    sudo ln -s "$HOME/Library/Containers/com.docker.docker/Data/docker.raw.sock" /var/run/docker.sock.raw
+- run the test container like
+    docker run --rm -it --network testvault \
+      -v /var/run/docker.sock.raw:/var/run/docker.sock \
+      -v $(pwd):/home/circleci/go/src/github.com/hashicorp/vault/ \
+      -w /home/circleci/go/src/github.com/hashicorp/vault/ \
+      "docker.mirror.hashicorp.services/cimg/go:1.19.2" /bin/bash
+- in the container you may need to chown/chmod /var/run/docker.sock; use `docker ps`
+  to test if it's working
+
+*/
diff --git a/command/operator_raft_autopilot_state.go b/command/operator_raft_autopilot_state.go
index a5b31a34139b..95445afac537 100644
--- a/command/operator_raft_autopilot_state.go
+++ b/command/operator_raft_autopilot_state.go
@@ -1,117 +1,169 @@
 // Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
+// SPDX-License-Identifier: MPL-2.0
 
-package command
+package logical
 
 import (
-	"flag"
-	"fmt"
-	"strings"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
+	"context"
+	"errors"
 )
 
 var (
-	_ cli.Command             = (*OperatorRaftAutopilotStateCommand)(nil)
-	_ cli.CommandAutocomplete = (*OperatorRaftAutopilotStateCommand)(nil)
+	// ErrUnsupportedOperation is returned if the operation is not supported
+	// by the logical backend.
+	ErrUnsupportedOperation = errors.New("unsupported operation")
+
+	// ErrUnsupportedPath is returned if the path is not supported
+	// by the logical backend.
+	ErrUnsupportedPath = errors.New("unsupported path")
+
+	// ErrInvalidRequest is returned if the request is invalid
+	ErrInvalidRequest = errors.New("invalid request")
+
+	// ErrPermissionDenied is returned if the client is not authorized
+	ErrPermissionDenied = errors.New("permission denied")
+
+	// ErrInvalidCredentials is returned when the provided credentials are incorrect
+	// This is used internally for user lockout purposes. This is not seen externally.
+	// The status code returned does not change because of this error
+	ErrInvalidCredentials = errors.New("invalid credentials")
+
+	// ErrMultiAuthzPending is returned if the the request needs more
+	// authorizations
+	ErrMultiAuthzPending = errors.New("request needs further approval")
+
+	// ErrUpstreamRateLimited is returned when Vault receives a rate limited
+	// response from an upstream
+	ErrUpstreamRateLimited = errors.New("upstream rate limited")
+
+	// ErrPerfStandbyForward is returned when Vault is in a state such that a
+	// perf standby cannot satisfy a request
+	ErrPerfStandbyPleaseForward = errors.New("please forward to the active node")
+
+	// ErrLeaseCountQuotaExceeded is returned when a request is rejected due to a lease
+	// count quota being exceeded.
+	ErrLeaseCountQuotaExceeded = errors.New("lease count quota exceeded")
+
+	// ErrRateLimitQuotaExceeded is returned when a request is rejected due to a
+	// rate limit quota being exceeded.
+	ErrRateLimitQuotaExceeded = errors.New("rate limit quota exceeded")
+
+	// ErrUnrecoverable is returned when a request fails due to something that
+	// is likely to require manual intervention. This is a generic form of an
+	// unrecoverable error.
+	// e.g.: misconfigured or disconnected storage backend.
+	ErrUnrecoverable = errors.New("unrecoverable error")
+
+	// ErrMissingRequiredState is returned when a request can't be satisfied
+	// with the data in the local node's storage, based on the provided
+	// X-Vault-Index request header.
+	ErrMissingRequiredState = errors.New("required index state not present")
+
+	// Error indicating that the requested path used to serve a purpose in older
+	// versions, but the functionality has now been removed
+	ErrPathFunctionalityRemoved = errors.New("functionality on this path has been removed")
 )
 
-type OperatorRaftAutopilotStateCommand struct {
-	*BaseCommand
-	flagDRToken string
+type DelegatedAuthErrorHandler func(ctx context.Context, initiatingRequest, authRequest *Request, authResponse *Response, err error) (*Response, error)
+
+var _ error = &RequestDelegatedAuthError{}
+
+// RequestDelegatedAuthError Special error indicating the backend wants to delegate authentication elsewhere
+type RequestDelegatedAuthError struct {
+	mountAccessor string
+	path          string
+	data          map[string]interface{}
+	errHandler    DelegatedAuthErrorHandler
 }
 
-func (c *OperatorRaftAutopilotStateCommand) Synopsis() string {
-	return "Displays the state of the raft cluster under integrated storage as seen by autopilot"
+func NewDelegatedAuthenticationRequest(mountAccessor, path string, data map[string]interface{}, errHandler DelegatedAuthErrorHandler) *RequestDelegatedAuthError {
+	return &RequestDelegatedAuthError{
+		mountAccessor: mountAccessor,
+		path:          path,
+		data:          data,
+		errHandler:    errHandler,
+	}
 }
 
-func (c *OperatorRaftAutopilotStateCommand) Help() string {
-	helpText := `
-Usage: vault operator raft autopilot state
+func (d *RequestDelegatedAuthError) Error() string {
+	return "authentication delegation requested"
+}
 
-  Displays the state of the raft cluster under integrated storage as seen by autopilot.
-` + c.Flags().Help()
+func (d *RequestDelegatedAuthError) MountAccessor() string {
+	return d.mountAccessor
+}
 
-	return strings.TrimSpace(helpText)
+func (d *RequestDelegatedAuthError) Path() string {
+	return d.path
 }
 
-func (c *OperatorRaftAutopilotStateCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+func (d *RequestDelegatedAuthError) Data() map[string]interface{} {
+	return d.data
+}
 
-	f := set.NewFlagSet("Command Options")
+func (d *RequestDelegatedAuthError) AuthErrorHandler() DelegatedAuthErrorHandler {
+	return d.errHandler
+}
 
-	f.StringVar(&StringVar{
-		Name:       "dr-token",
-		Target:     &c.flagDRToken,
-		Default:    "",
-		EnvVar:     "",
-		Completion: complete.PredictAnything,
-		Usage:      "DR operation token used to authorize this request (if a DR secondary node).",
-	})
+type HTTPCodedError interface {
+	Error() string
+	Code() int
+}
 
-	// The output of the state endpoint contains nested values and is not fit for
-	// the default "table" display format. Override the default display format to
-	// "pretty", both in the flag and in the UI.
-	set.mainSet.VisitAll(func(fl *flag.Flag) {
-		if fl.Name == "format" {
-			fl.DefValue = "pretty"
-		}
-	})
-	ui, ok := c.UI.(*VaultUI)
-	if ok && ui.format == "table" {
-		ui.format = "pretty"
+func CodedError(status int, msg string) HTTPCodedError {
+	return &codedError{
+		Status:  status,
+		Message: msg,
 	}
-	return set
 }
 
-func (c *OperatorRaftAutopilotStateCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictAnything
+var _ HTTPCodedError = (*codedError)(nil)
+
+type codedError struct {
+	Status  int
+	Message string
 }
 
-func (c *OperatorRaftAutopilotStateCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
+func (e *codedError) Error() string {
+	return e.Message
 }
 
-func (c *OperatorRaftAutopilotStateCommand) Run(args []string) int {
-	f := c.Flags()
+func (e *codedError) Code() int {
+	return e.Status
+}
 
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
+// Struct to identify user input errors.  This is helpful in responding the
+// appropriate status codes to clients from the HTTP endpoints.
+type StatusBadRequest struct {
+	Err string
+}
 
-	args = f.Args()
-	switch len(args) {
-	case 0:
-	default:
-		c.UI.Error(fmt.Sprintf("Incorrect arguments (expected 0, got %d)", len(args)))
-		return 1
-	}
+// Implementing error interface
+func (s *StatusBadRequest) Error() string {
+	return s.Err
+}
 
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
+// This is a new type declared to not cause potential compatibility problems if
+// the logic around the CodedError changes; in particular for logical request
+// paths it is basically ignored, and changing that behavior might cause
+// unforeseen issues.
+type ReplicationCodedError struct {
+	Msg  string
+	Code int
+}
 
-	var state *api.AutopilotState
-	switch {
-	case c.flagDRToken != "":
-		state, err = client.Sys().RaftAutopilotStateWithDRToken(c.flagDRToken)
-	default:
-		state, err = client.Sys().RaftAutopilotState()
-	}
+func (r *ReplicationCodedError) Error() string {
+	return r.Msg
+}
 
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error checking autopilot state: %s", err))
-		return 2
-	}
+type KeyNotFoundError struct {
+	Err error
+}
 
-	if state == nil {
-		return 0
-	}
+func (e *KeyNotFoundError) WrappedErrors() []error {
+	return []error{e.Err}
+}
 
-	return OutputData(c.UI, state)
+func (e *KeyNotFoundError) Error() string {
+	return e.Err.Error()
 }
diff --git a/command/operator_raft_join.go b/command/operator_raft_join.go
index 74fc7f487f7f..48f1fdd22681 100644
--- a/command/operator_raft_join.go
+++ b/command/operator_raft_join.go
@@ -4,135 +4,84 @@
 package command
 
 import (
+	"context"
+	"errors"
 	"fmt"
+	"net/http"
+	"os"
 	"strings"
 
+	"github.com/hashicorp/cli"
 	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
 	"github.com/posener/complete"
+	"nhooyr.io/websocket"
 )
 
 var (
-	_ cli.Command             = (*OperatorRaftJoinCommand)(nil)
-	_ cli.CommandAutocomplete = (*OperatorRaftJoinCommand)(nil)
+	_ cli.Command             = (*EventsSubscribeCommands)(nil)
+	_ cli.CommandAutocomplete = (*EventsSubscribeCommands)(nil)
 )
 
-type OperatorRaftJoinCommand struct {
-	flagRetry            bool
-	flagNonVoter         bool
-	flagLeaderCACert     string
-	flagLeaderClientCert string
-	flagLeaderClientKey  string
-	flagAutoJoinScheme   string
-	flagAutoJoinPort     uint
+type EventsSubscribeCommands struct {
 	*BaseCommand
+
+	namespaces  []string
+	bexprFilter string
 }
 
-func (c *OperatorRaftJoinCommand) Synopsis() string {
-	return "Joins a node to the Raft cluster"
+func (c *EventsSubscribeCommands) Synopsis() string {
+	return "Subscribe to events"
 }
 
-func (c *OperatorRaftJoinCommand) Help() string {
+func (c *EventsSubscribeCommands) Help() string {
 	helpText := `
-Usage: vault operator raft join [options] <leader-api-addr|auto-join-configuration>
-
-  Join the current node as a peer to the Raft cluster by providing the address
-  of the Raft leader node.
-
-      $ vault operator raft join "http://127.0.0.2:8200"
-
-  Join the current node as a peer to the Raft cluster by providing cloud auto-join
-  configuration.
-
-      $ vault operator raft join "provider=aws region=eu-west-1 ..."
-			
-  Join the current node as a peer to the Raft cluster by providing cloud auto-join
-  configuration with an explicit URI scheme and port.
-
-			$ vault operator raft join -auto-join-scheme="http" -auto-join-port=8201 \
-			  "provider=aws region=eu-west-1 ..."
-
-  TLS certificate data can also be consumed from a file on disk by prefixing with
-  the "@" symbol. For example:
+Usage: vault events subscribe [-namespaces=ns1] [-timeout=XYZs] [-filter=filterExpression] eventType
 
-      $ vault operator raft join "http://127.0.0.2:8200" \
-        -leader-ca-cert=@leader_ca.crt \
-        -leader-client-cert=@leader_client.crt \
-        -leader-client-key=@leader.key
+  Subscribe to events of the given event type (topic), which may be a glob
+  pattern (with "*" treated as a wildcard). The events will be sent to
+  standard out.
 
+  The output will be a JSON object serialized using the default protobuf
+  JSON serialization format, with one line per event received.
 ` + c.Flags().Help()
-
 	return strings.TrimSpace(helpText)
 }
 
-func (c *OperatorRaftJoinCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-
-	f := set.NewFlagSet("Command Options")
-
+func (c *EventsSubscribeCommands) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP)
+	f := set.NewFlagSet("Subscribe Options")
 	f.StringVar(&StringVar{
-		Name:       "auto-join-scheme",
-		Target:     &c.flagAutoJoinScheme,
-		Completion: complete.PredictNothing,
-		Default:    "https",
-		Usage:      "An optional URI protocol scheme used for addresses discovered via auto-join.",
+		Name: "filter",
+		Usage: `A boolean expression to use to filter events. Only events matching
+                the filter will be subscribed to. This is applied after any filtering
+                by event type or namespace.`,
+		Default: "",
+		Target:  &c.bexprFilter,
 	})
-
-	f.UintVar(&UintVar{
-		Name:       "auto-join-port",
-		Target:     &c.flagAutoJoinPort,
-		Completion: complete.PredictNothing,
-		Default:    8200,
-		Usage:      "An optional port used for addresses discovered via auto-join.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "leader-ca-cert",
-		Target:     &c.flagLeaderCACert,
-		Completion: complete.PredictNothing,
-		Usage:      "CA cert to use when verifying the Raft leader certificate.",
+	f.StringSliceVar(&StringSliceVar{
+		Name: "namespaces",
+		Usage: `Specifies one or more patterns of additional child namespaces
+                to subscribe to. The namespace of the request is automatically
+                prepended, so specifying 'ns2' when the request is in the 'ns1'
+                namespace will result in subscribing to 'ns1/ns2', in addition to
+                'ns1'. Patterns can include "*" characters to indicate
+                wildcards. The default is to subscribe only to the request's
+                namespace.`,
+		Default: []string{},
+		Target:  &c.namespaces,
 	})
-
-	f.StringVar(&StringVar{
-		Name:       "leader-client-cert",
-		Target:     &c.flagLeaderClientCert,
-		Completion: complete.PredictNothing,
-		Usage:      "Client cert to use when authenticating with the Raft leader.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "leader-client-key",
-		Target:     &c.flagLeaderClientKey,
-		Completion: complete.PredictNothing,
-		Usage:      "Client key to use when authenticating with the Raft leader.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "retry",
-		Target:  &c.flagRetry,
-		Default: false,
-		Usage:   "Continuously retry joining the Raft cluster upon failures.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "non-voter",
-		Target:  &c.flagNonVoter,
-		Default: false,
-		Usage:   "(Enterprise-only) This flag is used to make the server not participate in the Raft quorum, and have it only receive the data replication stream. This can be used to add read scalability to a cluster in cases where a high volume of reads to servers are needed.",
-	})
-
 	return set
 }
 
-func (c *OperatorRaftJoinCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictAnything
+func (c *EventsSubscribeCommands) AutocompleteArgs() complete.Predictor {
+	return nil
 }
 
-func (c *OperatorRaftJoinCommand) AutocompleteFlags() complete.Flags {
+func (c *EventsSubscribeCommands) AutocompleteFlags() complete.Flags {
 	return c.Flags().Completions()
 }
 
-func (c *OperatorRaftJoinCommand) Run(args []string) int {
+func (c *EventsSubscribeCommands) Run(args []string) int {
 	f := c.Flags()
 
 	if err := f.Parse(args); err != nil {
@@ -140,81 +89,109 @@ func (c *OperatorRaftJoinCommand) Run(args []string) int {
 		return 1
 	}
 
-	leaderInfo := ""
-
 	args = f.Args()
-	switch len(args) {
-	case 0:
-		// No-op: This is acceptable if we're using raft for HA-only
-	case 1:
-		leaderInfo = strings.TrimSpace(args[0])
-	default:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0-1, got %d)", len(args)))
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
 		return 1
-	}
-
-	leaderCACert, err := parseFlagFile(c.flagLeaderCACert)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Failed to parse leader CA certificate: %s", err))
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
 		return 1
 	}
 
-	leaderClientCert, err := parseFlagFile(c.flagLeaderClientCert)
+	client, err := c.Client()
 	if err != nil {
-		c.UI.Error(fmt.Sprintf("Failed to parse leader client certificate: %s", err))
-		return 1
+		c.UI.Error(err.Error())
+		return 2
 	}
 
-	leaderClientKey, err := parseFlagFile(c.flagLeaderClientKey)
+	err = c.subscribeRequest(client, "sys/events/subscribe/"+args[0])
 	if err != nil {
-		c.UI.Error(fmt.Sprintf("Failed to parse leader client key: %s", err))
-		return 1
-	}
-
-	if c.flagAutoJoinScheme != "" && (c.flagAutoJoinScheme != "http" && c.flagAutoJoinScheme != "https") {
-		c.UI.Error(fmt.Sprintf("invalid scheme %q; must either be http or https", c.flagAutoJoinScheme))
+		c.UI.Error(err.Error())
 		return 1
 	}
+	return 0
+}
 
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
+// cleanNamespace removes leading and trailing space and /'s from the namespace path.
+func cleanNamespace(ns string) string {
+	ns = strings.TrimSpace(ns)
+	ns = strings.Trim(ns, "/")
+	return ns
+}
 
-	joinReq := &api.RaftJoinRequest{
-		LeaderCACert:     leaderCACert,
-		LeaderClientCert: leaderClientCert,
-		LeaderClientKey:  leaderClientKey,
-		Retry:            c.flagRetry,
-		NonVoter:         c.flagNonVoter,
+// cleanNamespaces removes leading and trailing space and /'s from the namespace paths.
+func cleanNamespaces(namespaces []string) []string {
+	cleaned := make([]string, len(namespaces))
+	for i, ns := range namespaces {
+		cleaned[i] = cleanNamespace(ns)
 	}
+	return cleaned
+}
 
-	if strings.Contains(leaderInfo, "provider=") {
-		joinReq.AutoJoin = leaderInfo
-		joinReq.AutoJoinScheme = c.flagAutoJoinScheme
-		joinReq.AutoJoinPort = c.flagAutoJoinPort
+func (c *EventsSubscribeCommands) subscribeRequest(client *api.Client, path string) error {
+	r := client.NewRequest("GET", "/v1/"+path)
+	u := r.URL
+	if u.Scheme == "http" {
+		u.Scheme = "ws"
 	} else {
-		joinReq.LeaderAPIAddr = leaderInfo
+		u.Scheme = "wss"
 	}
-
-	resp, err := client.Sys().RaftJoin(joinReq)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error joining the node to the Raft cluster: %s", err))
-		return 2
+	q := u.Query()
+	q.Set("json", "true")
+	if len(c.namespaces) > 0 {
+		q["namespaces"] = cleanNamespaces(c.namespaces)
 	}
-
-	switch Format(c.UI) {
-	case "table":
-	default:
-		return OutputData(c.UI, resp)
+	bexprFilter := strings.TrimSpace(c.bexprFilter)
+	if bexprFilter != "" {
+		q.Set("filter", bexprFilter)
 	}
-
-	out := []string{
-		"Key | Value",
-		fmt.Sprintf("Joined | %t", resp.Joined),
+	u.RawQuery = q.Encode()
+	client.AddHeader("X-Vault-Token", client.Token())
+	client.AddHeader("X-Vault-Namespace", client.Namespace())
+	ctx := context.Background()
+
+	// Follow redirects in case our request if our request is forwarded to the leader.
+	url := u.String()
+	var conn *websocket.Conn
+	var err error
+	for attempt := 0; attempt < 10; attempt++ {
+		var resp *http.Response
+		conn, resp, err = websocket.Dial(ctx, url, &websocket.DialOptions{
+			HTTPClient: client.CloneConfig().HttpClient,
+			HTTPHeader: client.Headers(),
+		})
+
+		if err == nil {
+			break
+		}
+
+		switch {
+		case resp == nil:
+			return err
+		case resp.StatusCode == http.StatusTemporaryRedirect:
+			url = resp.Header.Get("Location")
+			continue
+		case resp.StatusCode == http.StatusNotFound:
+			return errors.New("events endpoint not found; check `vault read sys/experiments` to see if an events experiment is available but disabled")
+		default:
+			return err
+		}
 	}
-	c.UI.Output(tableOutput(out, nil))
 
-	return 0
+	if conn == nil {
+		return fmt.Errorf("too many redirects")
+	}
+	defer conn.Close(websocket.StatusNormalClosure, "")
+
+	for {
+		_, message, err := conn.Read(ctx)
+		if err != nil {
+			return err
+		}
+		_, err = os.Stdout.Write(message)
+		if err != nil {
+			return err
+		}
+	}
 }
diff --git a/command/operator_raft_listpeers.go b/command/operator_raft_listpeers.go
index 434fcc0eecd7..dfeb12d706b2 100644
--- a/command/operator_raft_listpeers.go
+++ b/command/operator_raft_listpeers.go
@@ -4,121 +4,68 @@
 package command
 
 import (
-	"fmt"
 	"strings"
+	"testing"
 
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
+	"github.com/hashicorp/cli"
 )
 
-var (
-	_ cli.Command             = (*OperatorRaftListPeersCommand)(nil)
-	_ cli.CommandAutocomplete = (*OperatorRaftListPeersCommand)(nil)
-)
-
-type OperatorRaftListPeersCommand struct {
-	*BaseCommand
-	flagDRToken string
-}
-
-func (c *OperatorRaftListPeersCommand) Synopsis() string {
-	return "Returns the Raft peer set"
-}
-
-func (c *OperatorRaftListPeersCommand) Help() string {
-	helpText := `
-Usage: vault operator raft list-peers
-
-  Provides the details of all the peers in the Raft cluster.
-
-	  $ vault operator raft list-peers
-
-  Provides the details of all the peers in the Raft cluster of a DR secondary
-  cluster. This command should be invoked on the DR secondary nodes.
-
-      $ vault operator raft list-peers -dr-token <dr-operation-token>
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *OperatorRaftListPeersCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-
-	f := set.NewFlagSet("Command Options")
+func testEventsSubscribeCommand(tb testing.TB) (*cli.MockUi, *EventsSubscribeCommands) {
+	tb.Helper()
 
-	f.StringVar(&StringVar{
-		Name:       "dr-token",
-		Target:     &c.flagDRToken,
-		Default:    "",
-		EnvVar:     "",
-		Completion: complete.PredictAnything,
-		Usage:      "DR operation token used to authorize this request (if a DR secondary node).",
-	})
-
-	return set
-}
-
-func (c *OperatorRaftListPeersCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictAnything
-}
-
-func (c *OperatorRaftListPeersCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
+	ui := cli.NewMockUi()
+	return ui, &EventsSubscribeCommands{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
 }
 
-func (c *OperatorRaftListPeersCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
+// TestEventsSubscribeCommand_Run tests that the command argument parsing is working as expected.
+func TestEventsSubscribeCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"not_enough_args",
+			[]string{},
+			"Not enough arguments",
+			1,
+		},
+		{
+			"too_many_args",
+			[]string{"foo", "bar"},
+			"Too many arguments",
+			1,
+		},
 	}
 
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
+	for _, tc := range cases {
+		tc := tc
 
-	var secret *api.Secret
-	switch {
-	case c.flagDRToken != "":
-		secret, err = client.Logical().Write("sys/storage/raft/configuration", map[string]interface{}{
-			"dr_operation_token": c.flagDRToken,
-		})
-	default:
-		secret, err = client.Logical().Read("sys/storage/raft/configuration")
-	}
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error reading the raft cluster configuration: %s", err))
-		return 2
-	}
-	if secret == nil {
-		c.UI.Error("No raft cluster configuration found")
-		return 2
-	}
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
 
-	if Format(c.UI) != "table" {
-		return OutputSecret(c.UI, secret)
-	}
+			client, closer := testVaultServer(t)
+			defer closer()
 
-	config := secret.Data["config"].(map[string]interface{})
+			ui, cmd := testEventsSubscribeCommand(t)
+			cmd.client = client
 
-	servers := config["servers"].([]interface{})
-	out := []string{"Node | Address | State | Voter"}
-	for _, serverRaw := range servers {
-		server := serverRaw.(map[string]interface{})
-		state := "follower"
-		if server["leader"].(bool) {
-			state = "leader"
-		}
+			code := cmd.Run(tc.args)
+			if code != tc.code {
+				t.Errorf("expected %d to be %d", code, tc.code)
+			}
 
-		out = append(out, fmt.Sprintf("%s | %s | %s | %t", server["node_id"].(string), server["address"].(string), state, server["voter"].(bool)))
+			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+			if !strings.Contains(combined, tc.out) {
+				t.Errorf("expected %q to contain %q", combined, tc.out)
+			}
+		})
 	}
-
-	c.UI.Output(tableOutput(out, nil))
-	return 0
 }
diff --git a/command/operator_raft_remove_peer.go b/command/operator_raft_remove_peer.go
index 1f9c33ba1ce3..03aca4ca6d1a 100644
--- a/command/operator_raft_remove_peer.go
+++ b/command/operator_raft_remove_peer.go
@@ -1,108 +1,185 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package vault
 
 import (
+	"context"
+	"encoding/hex"
 	"fmt"
+	"os"
+	"os/exec"
 	"strings"
-
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
+	"testing"
+
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/helper/testhelpers/pluginhelpers"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/helper/pluginruntimeutil"
+	"github.com/hashicorp/vault/sdk/helper/pluginutil"
+	"github.com/hashicorp/vault/sdk/logical"
 )
 
-var (
-	_ cli.Command             = (*OperatorRaftRemovePeerCommand)(nil)
-	_ cli.CommandAutocomplete = (*OperatorRaftRemovePeerCommand)(nil)
-)
+func testClusterWithContainerPlugins(t *testing.T, types []consts.PluginType) (*Core, []pluginhelpers.TestPlugin) {
+	var plugins []*TestPluginConfig
+	for _, typ := range types {
+		plugins = append(plugins, &TestPluginConfig{
+			Typ:       typ,
+			Versions:  []string{"v1.0.0"},
+			Container: true,
+		})
+	}
+	cluster := NewTestCluster(t, &CoreConfig{}, &TestClusterOptions{
+		Plugins: plugins,
+	})
 
-type OperatorRaftRemovePeerCommand struct {
-	*BaseCommand
+	cluster.Start()
+	t.Cleanup(cluster.Cleanup)
 
-	flagDRToken string
-}
+	core := cluster.Cores[0].Core
+	TestWaitActive(t, core)
 
-func (c *OperatorRaftRemovePeerCommand) Synopsis() string {
-	return "Removes a node from the Raft cluster"
+	return core, cluster.Plugins
 }
 
-func (c *OperatorRaftRemovePeerCommand) Help() string {
-	helpText := `
-Usage: vault operator raft remove-peer <server_id>
-
-  Removes a node from the Raft cluster.
-
-	  $ vault operator raft remove-peer node1
-
-` + c.Flags().Help()
+func TestExternalPluginInContainer_MountAndUnmount(t *testing.T) {
+	t.Run("rootful docker runtimes", func(t *testing.T) {
+		t.Setenv("DOCKER_HOST", "unix:///var/run/docker.sock")
+		c, plugins := testClusterWithContainerPlugins(t, []consts.PluginType{
+			consts.PluginTypeCredential,
+			consts.PluginTypeSecrets,
+		})
+
+		for _, plugin := range plugins {
+			t.Run(plugin.Typ.String(), func(t *testing.T) {
+				t.Run("default runtime", func(t *testing.T) {
+					if _, err := exec.LookPath("runsc"); err != nil {
+						t.Skip("Skipping test as runsc not found on path")
+					}
+					mountAndUnmountContainerPlugin_WithRuntime(t, c, plugin, "", false)
+				})
+
+				t.Run("runc", func(t *testing.T) {
+					mountAndUnmountContainerPlugin_WithRuntime(t, c, plugin, "runc", false)
+				})
+
+				t.Run("runsc", func(t *testing.T) {
+					if _, err := exec.LookPath("runsc"); err != nil {
+						t.Skip("Skipping test as runsc not found on path")
+					}
+					mountAndUnmountContainerPlugin_WithRuntime(t, c, plugin, "runsc", false)
+				})
+			})
+		}
+	})
 
-	return strings.TrimSpace(helpText)
-}
+	t.Run("rootless runsc", func(t *testing.T) {
+		if _, err := exec.LookPath("runsc"); err != nil {
+			t.Skip("Skipping test as runsc not found on path")
+		}
 
-func (c *OperatorRaftRemovePeerCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-	f := set.NewFlagSet("Command Options")
-
-	f.StringVar(&StringVar{
-		Name:       "dr-token",
-		Target:     &c.flagDRToken,
-		Default:    "",
-		EnvVar:     "",
-		Completion: complete.PredictAnything,
-		Usage:      "DR operation token used to authorize this request (if a DR secondary node).",
+		t.Setenv("DOCKER_HOST", fmt.Sprintf("unix:///run/user/%d/docker.sock", os.Getuid()))
+		c, plugins := testClusterWithContainerPlugins(t, []consts.PluginType{consts.PluginTypeCredential})
+		mountAndUnmountContainerPlugin_WithRuntime(t, c, plugins[0], "runsc", true)
 	})
-
-	return set
 }
 
-func (c *OperatorRaftRemovePeerCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictAnything
-}
+func mountAndUnmountContainerPlugin_WithRuntime(t *testing.T, c *Core, plugin pluginhelpers.TestPlugin, ociRuntime string, rootless bool) {
+	if ociRuntime != "" {
+		registerPluginRuntime(t, c.systemBackend, ociRuntime, rootless)
+	}
+	registerContainerPlugin(t, c.systemBackend, plugin.Name, plugin.Typ.String(), "1.0.0", plugin.ImageSha256, plugin.Image, ociRuntime)
+
+	mountPlugin(t, c.systemBackend, plugin.Name, plugin.Typ, "v1.0.0", "")
+
+	routeRequest := func(expectMatch bool) {
+		pluginPath := "foo/bar"
+		if plugin.Typ == consts.PluginTypeCredential {
+			pluginPath = "auth/foo/bar"
+		}
+		match := c.router.MatchingMount(namespace.RootContext(context.Background()), pluginPath)
+		if expectMatch && match != strings.TrimSuffix(pluginPath, "bar") {
+			t.Fatalf("missing mount, match: %q", match)
+		}
+		if !expectMatch && match != "" {
+			t.Fatalf("expected no match for path, but got %q", match)
+		}
+	}
 
-func (c *OperatorRaftRemovePeerCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
+	routeRequest(true)
+	unmountPlugin(t, c.systemBackend, plugin.Typ, "foo")
+	routeRequest(false)
 }
 
-func (c *OperatorRaftRemovePeerCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
+func TestExternalPluginInContainer_GetBackendTypeVersion(t *testing.T) {
+	c, plugins := testClusterWithContainerPlugins(t, []consts.PluginType{
+		consts.PluginTypeCredential,
+		consts.PluginTypeSecrets,
+		consts.PluginTypeDatabase,
+	})
+	for _, plugin := range plugins {
+		t.Run(plugin.Typ.String(), func(t *testing.T) {
+			for _, ociRuntime := range []string{"runc", "runsc"} {
+				t.Run(ociRuntime, func(t *testing.T) {
+					if _, err := exec.LookPath(ociRuntime); err != nil {
+						t.Skipf("Skipping test as %s not found on path", ociRuntime)
+					}
+					shaBytes, _ := hex.DecodeString(plugin.ImageSha256)
+					entry := &pluginutil.PluginRunner{
+						Name:     plugin.Name,
+						OCIImage: plugin.Image,
+						Args:     nil,
+						Sha256:   shaBytes,
+						Builtin:  false,
+						Runtime:  ociRuntime,
+						RuntimeConfig: &pluginruntimeutil.PluginRuntimeConfig{
+							OCIRuntime: ociRuntime,
+						},
+					}
+
+					var version logical.PluginVersion
+					var err error
+					if plugin.Typ == consts.PluginTypeDatabase {
+						version, err = c.pluginCatalog.getDatabaseRunningVersion(context.Background(), entry)
+					} else {
+						version, err = c.pluginCatalog.getBackendRunningVersion(context.Background(), entry)
+					}
+					if err != nil {
+						t.Fatal(err)
+					}
+					if version.Version != plugin.Version {
+						t.Errorf("Expected to get version %v but got %v", plugin.Version, version.Version)
+					}
+				})
+			}
+		})
 	}
+}
 
-	serverID := ""
-
-	args = f.Args()
-	switch len(args) {
-	case 1:
-		serverID = strings.TrimSpace(args[0])
-	default:
-		c.UI.Error(fmt.Sprintf("Incorrect arguments (expected 1, got %d)", len(args)))
-		return 1
+func registerContainerPlugin(t *testing.T, sys *SystemBackend, pluginName, pluginType, version, sha, image, runtime string) {
+	t.Helper()
+	req := logical.TestRequest(t, logical.UpdateOperation, fmt.Sprintf("plugins/catalog/%s/%s", pluginType, pluginName))
+	req.Data = map[string]interface{}{
+		"oci_image": image,
+		"sha256":    sha,
+		"version":   version,
+		"runtime":   runtime,
 	}
-
-	if len(serverID) == 0 {
-		c.UI.Error("Server id is required")
-		return 1
+	resp, err := sys.HandleRequest(namespace.RootContext(context.Background()), req)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("err:%v resp:%#v", err, resp)
 	}
+}
 
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
+func registerPluginRuntime(t *testing.T, sys *SystemBackend, ociRuntime string, rootless bool) {
+	t.Helper()
+	req := logical.TestRequest(t, logical.UpdateOperation, fmt.Sprintf("plugins/runtimes/catalog/%s/%s", consts.PluginRuntimeTypeContainer, ociRuntime))
+	req.Data = map[string]interface{}{
+		"oci_runtime": ociRuntime,
+		"rootless":    rootless,
 	}
-
-	_, err = client.Logical().Write("sys/storage/raft/remove-peer", map[string]interface{}{
-		"server_id":          serverID,
-		"dr_operation_token": c.flagDRToken,
-	})
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error removing the peer from raft cluster: %s", err))
-		return 2
+	resp, err := sys.HandleRequest(namespace.RootContext(context.Background()), req)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("err:%v resp:%#v", err, resp)
 	}
-
-	c.UI.Output("Peer removed successfully!")
-
-	return 0
 }
diff --git a/command/operator_raft_snapshot.go b/command/operator_raft_snapshot.go
index c78ef8d4e74e..b0c00c46da59 100644
--- a/command/operator_raft_snapshot.go
+++ b/command/operator_raft_snapshot.go
@@ -1,50 +1,1028 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package plugin_test
 
 import (
-	"strings"
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/vault/audit"
+	auditFile "github.com/hashicorp/vault/builtin/audit/file"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/api/auth/approle"
+	"github.com/hashicorp/vault/builtin/logical/database"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/helper/testhelpers/consul"
+	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
+	"github.com/hashicorp/vault/helper/testhelpers/pluginhelpers"
+	postgreshelper "github.com/hashicorp/vault/helper/testhelpers/postgresql"
+	vaulthttp "github.com/hashicorp/vault/http"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/vault"
+
+	_ "github.com/jackc/pgx/v4/stdlib"
 )
 
-var _ cli.Command = (*OperatorRaftSnapshotCommand)(nil)
+func getClusterWithFileAuditBackend(t *testing.T, typ consts.PluginType, numCores int) *vault.TestCluster {
+	pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
+	t.Cleanup(func() { cleanup(t) })
+	coreConfig := &vault.CoreConfig{
+		PluginDirectory: pluginDir,
+		LogicalBackends: map[string]logical.Factory{
+			"database": database.Factory,
+		},
+		AuditBackends: map[string]audit.Factory{
+			"file": auditFile.Factory,
+		},
+	}
+
+	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
+		TempDir:  pluginDir,
+		NumCores: numCores,
+		Plugins: []*vault.TestPluginConfig{
+			{
+				Typ:      typ,
+				Versions: []string{""},
+			},
+		},
+		HandlerFunc: vaulthttp.Handler,
+	})
 
-type OperatorRaftSnapshotCommand struct {
-	*BaseCommand
+	cluster.Start()
+	vault.TestWaitActive(t, cluster.Cores[0].Core)
+
+	return cluster
 }
 
-func (c *OperatorRaftSnapshotCommand) Synopsis() string {
-	return "Restores and saves snapshots from the Raft cluster"
+func getCluster(t *testing.T, typ consts.PluginType, numCores int) *vault.TestCluster {
+	pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
+	t.Cleanup(func() { cleanup(t) })
+	coreConfig := &vault.CoreConfig{
+		PluginDirectory: pluginDir,
+		LogicalBackends: map[string]logical.Factory{
+			"database": database.Factory,
+		},
+	}
+
+	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
+		TempDir:  pluginDir,
+		NumCores: numCores,
+		Plugins: []*vault.TestPluginConfig{
+			{
+				Typ:      typ,
+				Versions: []string{""},
+			},
+		},
+		HandlerFunc: vaulthttp.Handler,
+	})
+
+	cluster.Start()
+	vault.TestWaitActive(t, cluster.Cores[0].Core)
+
+	return cluster
 }
 
-func (c *OperatorRaftSnapshotCommand) Help() string {
-	helpText := `
-Usage: vault operator raft snapshot <subcommand> [options] [args]
+// TestExternalPlugin_RollbackAndReload ensures that we can successfully
+// rollback and reload a plugin without triggering race conditions by the go
+// race detector
+func TestExternalPlugin_RollbackAndReload(t *testing.T) {
+	pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
+	t.Cleanup(func() { cleanup(t) })
+	coreConfig := &vault.CoreConfig{
+		// set rollback period to a short interval to make conditions more "racy"
+		RollbackPeriod:  1 * time.Second,
+		PluginDirectory: pluginDir,
+	}
+
+	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
+		TempDir:  pluginDir,
+		NumCores: 1,
+		Plugins: []*vault.TestPluginConfig{
+			{
+				Typ:      consts.PluginTypeSecrets,
+				Versions: []string{""},
+			},
+		},
+		HandlerFunc: vaulthttp.Handler,
+	})
+
+	cluster.Start()
+	vault.TestWaitActive(t, cluster.Cores[0].Core)
+
+	core := cluster.Cores[0]
+	plugin := cluster.Plugins[0]
+	client := core.Client
+	client.SetToken(cluster.RootToken)
+
+	testRegisterAndEnable(t, client, plugin)
+	if _, err := client.Sys().ReloadPlugin(&api.ReloadPluginInput{
+		Plugin: plugin.Name,
+	}); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func testRegisterAndEnable(t *testing.T, client *api.Client, plugin pluginhelpers.TestPlugin) {
+	t.Helper()
+	if err := client.Sys().RegisterPlugin(&api.RegisterPluginInput{
+		Name:    plugin.Name,
+		Type:    api.PluginType(plugin.Typ),
+		Command: plugin.Name,
+		SHA256:  plugin.Sha256,
+		Version: plugin.Version,
+	}); err != nil {
+		t.Fatal(err)
+	}
+
+	switch plugin.Typ {
+	case consts.PluginTypeSecrets:
+		if err := client.Sys().Mount(plugin.Name, &api.MountInput{
+			Type: plugin.Name,
+		}); err != nil {
+			t.Fatal(err)
+		}
+	case consts.PluginTypeCredential:
+		if err := client.Sys().EnableAuthWithOptions(plugin.Name, &api.EnableAuthOptions{
+			Type: plugin.Name,
+		}); err != nil {
+			t.Fatal(err)
+		}
+	}
+}
+
+// TestExternalPlugin_ContinueOnError tests that vault can recover from a
+// sha256 mismatch or missing plugin binary scenario
+func TestExternalPlugin_ContinueOnError(t *testing.T) {
+	t.Run("secret", func(t *testing.T) {
+		t.Parallel()
+		t.Run("sha256_mismatch", func(t *testing.T) {
+			t.Parallel()
+			testExternalPlugin_ContinueOnError(t, true, consts.PluginTypeSecrets)
+		})
+
+		t.Run("missing_plugin", func(t *testing.T) {
+			t.Parallel()
+			testExternalPlugin_ContinueOnError(t, false, consts.PluginTypeSecrets)
+		})
+	})
 
-  This command groups subcommands for operators interacting with the snapshot
-  functionality of the integrated Raft storage backend. Here are a few examples of
-  the Raft snapshot operator commands:
+	t.Run("auth", func(t *testing.T) {
+		t.Parallel()
+		t.Run("sha256_mismatch", func(t *testing.T) {
+			t.Parallel()
+			testExternalPlugin_ContinueOnError(t, true, consts.PluginTypeCredential)
+		})
+
+		t.Run("missing_plugin", func(t *testing.T) {
+			t.Parallel()
+			testExternalPlugin_ContinueOnError(t, false, consts.PluginTypeCredential)
+		})
+	})
+}
+
+func testExternalPlugin_ContinueOnError(t *testing.T, mismatch bool, pluginType consts.PluginType) {
+	cluster := getCluster(t, pluginType, 1)
+	defer cluster.Cleanup()
+
+	core := cluster.Cores[0]
+	plugin := cluster.Plugins[0]
+	client := core.Client
+	client.SetToken(cluster.RootToken)
+
+	testRegisterAndEnable(t, client, plugin)
+	pluginPath := fmt.Sprintf("sys/plugins/catalog/%s/%s", pluginType, plugin.Name)
+	// Get the registered plugin
+	req := logical.TestRequest(t, logical.ReadOperation, pluginPath)
+	req.ClientToken = core.Client.Token()
+	resp, err := core.HandleRequest(namespace.RootContext(testCtx), req)
+	if err != nil || resp == nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("err:%v resp:%#v", err, resp)
+	}
+
+	command, ok := resp.Data["command"].(string)
+	if !ok || command == "" {
+		t.Fatal("invalid command")
+	}
+
+	// Trigger a sha256 mismatch or missing plugin error
+	if mismatch {
+		req = logical.TestRequest(t, logical.UpdateOperation, pluginPath)
+		req.Data = map[string]interface{}{
+			"sha256":  "d17bd7334758e53e6fbab15745d2520765c06e296f2ce8e25b7919effa0ac216",
+			"command": filepath.Base(command),
+		}
+		req.ClientToken = core.Client.Token()
+		resp, err = core.HandleRequest(namespace.RootContext(testCtx), req)
+		if err != nil || (resp != nil && resp.IsError()) {
+			t.Fatalf("err:%v resp:%#v", err, resp)
+		}
+	} else {
+		err := os.Remove(filepath.Join(cluster.TempDir, filepath.Base(command)))
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	// Seal the cluster
+	cluster.EnsureCoresSealed(t)
+
+	// Unseal the cluster
+	barrierKeys := cluster.BarrierKeys
+	for _, core := range cluster.Cores {
+		for _, key := range barrierKeys {
+			_, err := core.Unseal(vault.TestKeyCopy(key))
+			if err != nil {
+				t.Fatal(err)
+			}
+		}
+		if core.Sealed() {
+			t.Fatal("should not be sealed")
+		}
+	}
+
+	// Wait for active so post-unseal takes place
+	// If it fails, it means unseal process failed
+	vault.TestWaitActive(t, core.Core)
+
+	// unmount
+	switch pluginType {
+	case consts.PluginTypeSecrets:
+		if err := client.Sys().Unmount(plugin.Name); err != nil {
+			t.Fatal(err)
+		}
+	case consts.PluginTypeCredential:
+		if err := client.Sys().DisableAuth(plugin.Name); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	// Re-compile plugin
+	var plugins []pluginhelpers.TestPlugin
+	plugins = append(plugins, pluginhelpers.CompilePlugin(t, pluginType, "", core.CoreConfig.PluginDirectory))
+	cluster.Plugins = plugins
+
+	// Re-add the plugin to the catalog
+	testRegisterAndEnable(t, client, plugin)
+
+	// Reload the plugin
+	req = logical.TestRequest(t, logical.UpdateOperation, "sys/plugins/reload/backend")
+	req.Data = map[string]interface{}{
+		"plugin": plugin.Name,
+	}
+	req.ClientToken = core.Client.Token()
+	resp, err = core.HandleRequest(namespace.RootContext(testCtx), req)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("err:%v resp:%#v", err, resp)
+	}
+
+	req = logical.TestRequest(t, logical.ReadOperation, pluginPath)
+	req.ClientToken = core.Client.Token()
+	resp, err = core.HandleRequest(namespace.RootContext(testCtx), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil {
+		t.Fatalf("bad: response should not be nil")
+	}
+}
 
-  Installs the provided snapshot, returning the cluster to the state defined in it:
+// TestExternalPlugin_AuthMethod tests that we can build, register and use an
+// external auth method
+func TestExternalPlugin_AuthMethod(t *testing.T) {
+	cluster := getCluster(t, consts.PluginTypeCredential, 5)
+	defer cluster.Cleanup()
 
-      $ vault operator raft snapshot restore raft.snap
+	plugin := cluster.Plugins[0]
+	client := cluster.Cores[0].Client
+	client.SetToken(cluster.RootToken)
 
-  Saves a snapshot of the current state of the Raft cluster into a file:
+	// Register
+	if err := client.Sys().RegisterPlugin(&api.RegisterPluginInput{
+		Name:    plugin.Name,
+		Type:    api.PluginType(plugin.Typ),
+		Command: plugin.Name,
+		SHA256:  plugin.Sha256,
+		Version: plugin.Version,
+	}); err != nil {
+		t.Fatal(err)
+	}
 
-      $ vault operator raft snapshot save raft.snap
+	// define a group of parallel tests so we wait for their execution before
+	// continuing on to cleanup
+	// see: https://go.dev/blog/subtests
+	t.Run("parallel execution group", func(t *testing.T) {
+		// loop to mount 5 auth methods that will each share a single
+		// plugin process
+		for i := 0; i < 5; i++ {
+			i := i
+			pluginPath := fmt.Sprintf("%s-%d", plugin.Name, i)
+			client := cluster.Cores[i].Client
+			t.Run(pluginPath, func(t *testing.T) {
+				t.Parallel()
+				client.SetToken(cluster.RootToken)
+				// Enable
+				if err := client.Sys().EnableAuthWithOptions(pluginPath, &api.EnableAuthOptions{
+					Type: plugin.Name,
+				}); err != nil {
+					t.Fatal(err)
+				}
 
-  Inspects a snapshot based on a file:
+				// Configure
+				_, err := client.Logical().Write("auth/"+pluginPath+"/role/role1", map[string]interface{}{
+					"bind_secret_id": "true",
+					"period":         "300",
+				})
+				if err != nil {
+					t.Fatal(err)
+				}
 
-      $ vault operator raft snapshot inspect raft.snap
+				secret, err := client.Logical().Write("auth/"+pluginPath+"/role/role1/secret-id", nil)
+				if err != nil {
+					t.Fatal(err)
+				}
+				secretID := secret.Data["secret_id"].(string)
 
-  Please see the individual subcommand help for detailed usage information.
+				secret, err = client.Logical().Read("auth/" + pluginPath + "/role/role1/role-id")
+				if err != nil {
+					t.Fatal(err)
+				}
+				roleID := secret.Data["role_id"].(string)
+
+				// Login - expect SUCCESS
+				authMethod, err := approle.NewAppRoleAuth(
+					roleID,
+					&approle.SecretID{FromString: secretID},
+					approle.WithMountPath(pluginPath),
+				)
+				if err != nil {
+					t.Fatal(err)
+				}
+				_, err = client.Auth().Login(context.Background(), authMethod)
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				// Renew
+				resp, err := client.Auth().Token().RenewSelf(30)
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				// Login - expect SUCCESS
+				resp, err = client.Auth().Login(context.Background(), authMethod)
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				revokeToken := resp.Auth.ClientToken
+				// Revoke
+				if err = client.Auth().Token().RevokeSelf(revokeToken); err != nil {
+					t.Fatal(err)
+				}
+
+				// Reset root token
+				client.SetToken(cluster.RootToken)
+
+				// Lookup - expect FAILURE
+				resp, err = client.Auth().Token().Lookup(revokeToken)
+				if err == nil {
+					t.Fatalf("expected error, got nil")
+				}
+
+				// Reset root token
+				client.SetToken(cluster.RootToken)
+			})
+		}
+	})
+
+	// Deregister
+	if err := client.Sys().DeregisterPlugin(&api.DeregisterPluginInput{
+		Name:    plugin.Name,
+		Type:    api.PluginType(plugin.Typ),
+		Version: plugin.Version,
+	}); err != nil {
+		t.Fatal(err)
+	}
+}
+
+// TestExternalPlugin_AuthMethodReload tests that we can use an external auth
+// method after reload
+func TestExternalPlugin_AuthMethodReload(t *testing.T) {
+	cluster := getCluster(t, consts.PluginTypeCredential, 1)
+	defer cluster.Cleanup()
+
+	plugin := cluster.Plugins[0]
+	client := cluster.Cores[0].Client
+	client.SetToken(cluster.RootToken)
+
+	testRegisterAndEnable(t, client, plugin)
+
+	// Configure
+	_, err := client.Logical().Write("auth/"+plugin.Name+"/role/role1", map[string]interface{}{
+		"bind_secret_id": "true",
+		"period":         "300",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	secret, err := client.Logical().Write("auth/"+plugin.Name+"/role/role1/secret-id", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	secretID := secret.Data["secret_id"].(string)
+
+	secret, err = client.Logical().Read("auth/" + plugin.Name + "/role/role1/role-id")
+	if err != nil {
+		t.Fatal(err)
+	}
+	roleID := secret.Data["role_id"].(string)
+
+	// Login - expect SUCCESS
+	authMethod, err := approle.NewAppRoleAuth(
+		roleID,
+		&approle.SecretID{FromString: secretID},
+		approle.WithMountPath(plugin.Name),
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, err = client.Auth().Login(context.Background(), authMethod)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Reset root token
+	client.SetToken(cluster.RootToken)
+
+	// Reload plugin
+	if _, err := client.Sys().ReloadPlugin(&api.ReloadPluginInput{
+		Plugin: plugin.Name,
+	}); err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = client.Auth().Login(context.Background(), authMethod)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Reset root token
+	client.SetToken(cluster.RootToken)
+
+	// Deregister
+	if err := client.Sys().DeregisterPlugin(&api.DeregisterPluginInput{
+		Name:    plugin.Name,
+		Type:    api.PluginType(plugin.Typ),
+		Version: plugin.Version,
+	}); err != nil {
+		t.Fatal(err)
+	}
+}
+
+// TestExternalPlugin_SecretsEngine tests that we can build, register and use an
+// external secrets engine
+func TestExternalPlugin_SecretsEngine(t *testing.T) {
+	cluster := getCluster(t, consts.PluginTypeSecrets, 1)
+	defer cluster.Cleanup()
+
+	plugin := cluster.Plugins[0]
+	client := cluster.Cores[0].Client
+	client.SetToken(cluster.RootToken)
+
+	// Register
+	if err := client.Sys().RegisterPlugin(&api.RegisterPluginInput{
+		Name:    plugin.Name,
+		Type:    api.PluginType(plugin.Typ),
+		Command: plugin.Name,
+		SHA256:  plugin.Sha256,
+		Version: plugin.Version,
+	}); err != nil {
+		t.Fatal(err)
+	}
+
+	// define a group of parallel tests so we wait for their execution before
+	// continuing on to cleanup
+	// see: https://go.dev/blog/subtests
+	t.Run("parallel execution group", func(t *testing.T) {
+		// loop to mount 5 secrets engines that will each share a single
+		// plugin process
+		for i := 0; i < 5; i++ {
+			pluginPath := fmt.Sprintf("%s-%d", plugin.Name, i)
+			t.Run(pluginPath, func(t *testing.T) {
+				t.Parallel()
+				// Enable
+				if err := client.Sys().Mount(pluginPath, &api.MountInput{
+					Type: plugin.Name,
+				}); err != nil {
+					t.Fatal(err)
+				}
+
+				// Configure
+				cleanupConsul, consulConfig := consul.PrepareTestContainer(t, "", false, true)
+				defer cleanupConsul()
+
+				_, err := client.Logical().Write(pluginPath+"/config/access", map[string]interface{}{
+					"address": consulConfig.Address(),
+					"token":   consulConfig.Token,
+				})
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				_, err = client.Logical().Write(pluginPath+"/roles/test", map[string]interface{}{
+					"consul_policies": []string{"test"},
+					"ttl":             "6h",
+					"local":           false,
+				})
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				resp, err := client.Logical().Read(pluginPath + "/creds/test")
+				if err != nil {
+					t.Fatal(err)
+				}
+				if resp == nil {
+					t.Fatal("read creds response is nil")
+				}
+			})
+		}
+	})
+
+	// Deregister
+	if err := client.Sys().DeregisterPlugin(&api.DeregisterPluginInput{
+		Name:    plugin.Name,
+		Type:    api.PluginType(plugin.Typ),
+		Version: plugin.Version,
+	}); err != nil {
+		t.Fatal(err)
+	}
+}
+
+// TestExternalPlugin_SecretsEngineReload tests that we can use an external
+// secrets engine after reload
+func TestExternalPlugin_SecretsEngineReload(t *testing.T) {
+	cluster := getCluster(t, consts.PluginTypeSecrets, 1)
+	defer cluster.Cleanup()
+
+	plugin := cluster.Plugins[0]
+	client := cluster.Cores[0].Client
+	client.SetToken(cluster.RootToken)
+
+	testRegisterAndEnable(t, client, plugin)
+
+	// Configure
+	cleanupConsul, consulConfig := consul.PrepareTestContainer(t, "", false, true)
+	defer cleanupConsul()
+
+	_, err := client.Logical().Write(plugin.Name+"/config/access", map[string]interface{}{
+		"address": consulConfig.Address(),
+		"token":   consulConfig.Token,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = client.Logical().Write(plugin.Name+"/roles/test", map[string]interface{}{
+		"consul_policies": []string{"test"},
+		"ttl":             "6h",
+		"local":           false,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	resp, err := client.Logical().Read(plugin.Name + "/creds/test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil {
+		t.Fatal("read creds response is nil")
+	}
+
+	// Reload plugin
+	if _, err := client.Sys().ReloadPlugin(&api.ReloadPluginInput{
+		Plugin: plugin.Name,
+	}); err != nil {
+		t.Fatal(err)
+	}
+
+	resp, err = client.Logical().Read(plugin.Name + "/creds/test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil {
+		t.Fatal("read creds response is nil")
+	}
+
+	// Deregister
+	if err := client.Sys().DeregisterPlugin(&api.DeregisterPluginInput{
+		Name:    plugin.Name,
+		Type:    api.PluginType(plugin.Typ),
+		Version: plugin.Version,
+	}); err != nil {
+		t.Fatal(err)
+	}
+}
+
+// TestExternalPlugin_Database tests that we can build, register and use an
+// external database secrets engine
+func TestExternalPlugin_Database(t *testing.T) {
+	cluster := getCluster(t, consts.PluginTypeDatabase, 1)
+	defer cluster.Cleanup()
+
+	plugin := cluster.Plugins[0]
+	client := cluster.Cores[0].Client
+	client.SetToken(cluster.RootToken)
+
+	// Register
+	if err := client.Sys().RegisterPlugin(&api.RegisterPluginInput{
+		Name:    plugin.Name,
+		Type:    api.PluginType(consts.PluginTypeDatabase),
+		Command: plugin.Name,
+		SHA256:  plugin.Sha256,
+		Version: plugin.Version,
+	}); err != nil {
+		t.Fatal(err)
+	}
+
+	// Enable
+	if err := client.Sys().Mount(consts.PluginTypeDatabase.String(), &api.MountInput{
+		Type: consts.PluginTypeDatabase.String(),
+	}); err != nil {
+		t.Fatal(err)
+	}
+
+	// define a group of parallel tests so we wait for their execution before
+	// continuing on to cleanup
+	// see: https://go.dev/blog/subtests
+	t.Run("parallel execution group", func(t *testing.T) {
+		// loop to mount 5 database connections that will each share a single
+		// plugin process
+		for i := 0; i < 5; i++ {
+			dbName := fmt.Sprintf("%s-%d", plugin.Name, i)
+			t.Run(dbName, func(t *testing.T) {
+				t.Parallel()
+				roleName := "test-role-" + dbName
+
+				cleanupContainer, connURL := postgreshelper.PrepareTestContainerWithVaultUser(t, context.Background(), "13.4-buster")
+				defer cleanupContainer()
+
+				_, err := client.Logical().Write("database/config/"+dbName, map[string]interface{}{
+					"connection_url": connURL,
+					"plugin_name":    plugin.Name,
+					"allowed_roles":  []string{roleName},
+					"username":       "vaultadmin",
+					"password":       "vaultpass",
+				})
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				_, err = client.Logical().Write("database/rotate-root/"+dbName, map[string]interface{}{})
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				_, err = client.Logical().Write("database/roles/"+roleName, map[string]interface{}{
+					"db_name":             dbName,
+					"creation_statements": testRole,
+					"max_ttl":             "10m",
+				})
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				// Generate credentials
+				resp, err := client.Logical().Read("database/creds/" + roleName)
+				if err != nil {
+					t.Fatal(err)
+				}
+				if resp == nil {
+					t.Fatal("read creds response is nil")
+				}
+
+				_, err = client.Logical().Write("database/reset/"+dbName, map[string]interface{}{})
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				// Generate credentials
+				resp, err = client.Logical().Read("database/creds/" + roleName)
+				if err != nil {
+					t.Fatal(err)
+				}
+				if resp == nil {
+					t.Fatal("read creds response is nil")
+				}
+
+				resp, err = client.Logical().Read("database/creds/" + roleName)
+				if err != nil {
+					t.Fatal(err)
+				}
+				if resp == nil {
+					t.Fatal("read creds response is nil")
+				}
+
+				revokeLease := resp.LeaseID
+				// Lookup - expect SUCCESS
+				resp, err = client.Sys().Lookup(revokeLease)
+				if err != nil {
+					t.Fatal(err)
+				}
+				if resp == nil {
+					t.Fatalf("lease lookup response is nil")
+				}
+
+				// Revoke
+				if err = client.Sys().Revoke(revokeLease); err != nil {
+					t.Fatal(err)
+				}
+
+				// Reset root token
+				client.SetToken(cluster.RootToken)
+
+				// Lookup - expect FAILURE
+				resp, err = client.Sys().Lookup(revokeLease)
+				if err == nil {
+					t.Fatalf("expected error, got nil")
+				}
+			})
+		}
+	})
+
+	// Deregister
+	if err := client.Sys().DeregisterPlugin(&api.DeregisterPluginInput{
+		Name:    plugin.Name,
+		Type:    api.PluginType(plugin.Typ),
+		Version: plugin.Version,
+	}); err != nil {
+		t.Fatal(err)
+	}
+}
+
+// TestExternalPlugin_DatabaseReload tests that we can use an external database
+// secrets engine after reload
+func TestExternalPlugin_DatabaseReload(t *testing.T) {
+	cluster := getCluster(t, consts.PluginTypeDatabase, 1)
+	defer cluster.Cleanup()
+
+	plugin := cluster.Plugins[0]
+	client := cluster.Cores[0].Client
+	client.SetToken(cluster.RootToken)
+
+	// Register
+	if err := client.Sys().RegisterPlugin(&api.RegisterPluginInput{
+		Name:    plugin.Name,
+		Type:    api.PluginType(consts.PluginTypeDatabase),
+		Command: plugin.Name,
+		SHA256:  plugin.Sha256,
+		Version: plugin.Version,
+	}); err != nil {
+		t.Fatal(err)
+	}
+
+	// Enable
+	if err := client.Sys().Mount(consts.PluginTypeDatabase.String(), &api.MountInput{
+		Type: consts.PluginTypeDatabase.String(),
+	}); err != nil {
+		t.Fatal(err)
+	}
+
+	dbName := fmt.Sprintf("%s-%d", plugin.Name, 0)
+	roleName := "test-role-" + dbName
+
+	cleanupContainer, connURL := postgreshelper.PrepareTestContainerWithVaultUser(t, context.Background(), "13.4-buster")
+	defer cleanupContainer()
+
+	_, err := client.Logical().Write("database/config/"+dbName, map[string]interface{}{
+		"connection_url": connURL,
+		"plugin_name":    plugin.Name,
+		"allowed_roles":  []string{roleName},
+		"username":       "vaultadmin",
+		"password":       "vaultpass",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = client.Logical().Write("database/roles/"+roleName, map[string]interface{}{
+		"db_name":             dbName,
+		"creation_statements": testRole,
+		"max_ttl":             "10m",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	resp, err := client.Logical().Read("database/creds/" + roleName)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil {
+		t.Fatal("read creds response is nil")
+	}
+
+	// Reload plugin
+	if _, err := client.Sys().ReloadPlugin(&api.ReloadPluginInput{
+		Plugin: plugin.Name,
+	}); err != nil {
+		t.Fatal(err)
+	}
+
+	// Generate credentials after reload
+	resp, err = client.Logical().Read("database/creds/" + roleName)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil {
+		t.Fatal("read creds response is nil")
+	}
+
+	// Deregister
+	if err := client.Sys().DeregisterPlugin(&api.DeregisterPluginInput{
+		Name:    plugin.Name,
+		Type:    api.PluginType(plugin.Typ),
+		Version: plugin.Version,
+	}); err != nil {
+		t.Fatal(err)
+	}
+}
+
+const testRole = `
+CREATE ROLE "{{name}}" WITH
+  LOGIN
+  PASSWORD '{{password}}'
+  VALID UNTIL '{{expiration}}';
+GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "{{name}}";
 `
 
-	return strings.TrimSpace(helpText)
+func testExternalPluginMetadataAuditLog(t *testing.T, log map[string]interface{}, expectedMountClass string) {
+	if mountClass, ok := log["mount_class"].(string); !ok {
+		t.Fatalf("mount_class should be a string, not %T", log["mount_class"])
+	} else if mountClass != expectedMountClass {
+		t.Fatalf("bad: mount_class should be %s, not %s", expectedMountClass, mountClass)
+	}
+
+	if mountIsExternalPlugin, ok := log["mount_is_external_plugin"].(bool); !ok {
+		t.Fatalf("mount_is_external_plugin should be a bool, not %T", log["mount_is_external_plugin"])
+	} else if !mountIsExternalPlugin {
+		t.Fatalf("bad: mount_is_external_plugin should be true, not %t", mountIsExternalPlugin)
+	}
+
+	if _, ok := log["mount_running_sha256"].(string); !ok {
+		t.Fatalf("mount_running_sha256 should be a string, not %T", log["mount_running_sha256"])
+	}
+}
+
+// TestExternalPlugin_AuditEnabled_ShouldLogPluginMetadata_Auth tests that we have plugin metadata of an auth plugin
+// in audit log when it is enabled
+func TestExternalPlugin_AuditEnabled_ShouldLogPluginMetadata_Auth(t *testing.T) {
+	cluster := getClusterWithFileAuditBackend(t, consts.PluginTypeCredential, 1)
+	defer cluster.Cleanup()
+
+	plugin := cluster.Plugins[0]
+	client := cluster.Cores[0].Client
+	client.SetToken(cluster.RootToken)
+
+	testRegisterAndEnable(t, client, plugin)
+
+	// Enable the audit backend
+	tempDir := t.TempDir()
+	auditLogFile, err := os.CreateTemp(tempDir, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = client.Sys().EnableAuditWithOptions("file", &api.EnableAuditOptions{
+		Type: "file",
+		Options: map[string]string{
+			"file_path": auditLogFile.Name(),
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = client.Logical().Write("auth/"+plugin.Name+"/role/role1", map[string]interface{}{
+		"bind_secret_id": "true",
+		"period":         "300",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Check the audit trail on request and response
+	decoder := json.NewDecoder(auditLogFile)
+	var auditRecord map[string]interface{}
+	for decoder.Decode(&auditRecord) == nil {
+		auditRequest := map[string]interface{}{}
+		if req, ok := auditRecord["request"]; ok {
+			auditRequest = req.(map[string]interface{})
+			if auditRequest["path"] != "auth/"+plugin.Name+"/role/role1" {
+				continue
+			}
+		}
+		testExternalPluginMetadataAuditLog(t, auditRequest, consts.PluginTypeCredential.String())
+
+		auditResponse := map[string]interface{}{}
+		if req, ok := auditRecord["response"]; ok {
+			auditRequest = req.(map[string]interface{})
+			if auditResponse["path"] != "auth/"+plugin.Name+"/role/role1" {
+				continue
+			}
+		}
+		testExternalPluginMetadataAuditLog(t, auditResponse, consts.PluginTypeCredential.String())
+	}
+
+	// Deregister
+	if err := client.Sys().DeregisterPlugin(&api.DeregisterPluginInput{
+		Name:    plugin.Name,
+		Type:    api.PluginType(plugin.Typ),
+		Version: plugin.Version,
+	}); err != nil {
+		t.Fatal(err)
+	}
 }
 
-func (c *OperatorRaftSnapshotCommand) Run(args []string) int {
-	return cli.RunResultHelp
+// TestExternalPlugin_AuditEnabled_ShouldLogPluginMetadata_Secret tests that we have plugin metadata of a secret plugin
+// in audit log when it is enabled
+func TestExternalPlugin_AuditEnabled_ShouldLogPluginMetadata_Secret(t *testing.T) {
+	cluster := getClusterWithFileAuditBackend(t, consts.PluginTypeSecrets, 1)
+	defer cluster.Cleanup()
+
+	plugin := cluster.Plugins[0]
+	client := cluster.Cores[0].Client
+	client.SetToken(cluster.RootToken)
+
+	testRegisterAndEnable(t, client, plugin)
+
+	// Enable the audit backend
+	tempDir := t.TempDir()
+	auditLogFile, err := os.CreateTemp(tempDir, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = client.Sys().EnableAuditWithOptions("file", &api.EnableAuditOptions{
+		Type: "file",
+		Options: map[string]string{
+			"file_path": auditLogFile.Name(),
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Configure
+	cleanupConsul, consulConfig := consul.PrepareTestContainer(t, "", false, true)
+	defer cleanupConsul()
+	_, err = client.Logical().Write(plugin.Name+"/config/access", map[string]interface{}{
+		"address": consulConfig.Address(),
+		"token":   consulConfig.Token,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Check the audit trail on request and response
+	decoder := json.NewDecoder(auditLogFile)
+	var auditRecord map[string]interface{}
+	for decoder.Decode(&auditRecord) == nil {
+		auditRequest := map[string]interface{}{}
+		if req, ok := auditRecord["request"]; ok {
+			auditRequest = req.(map[string]interface{})
+			if auditRequest["path"] != plugin.Name+"/config/access" {
+				continue
+			}
+		}
+		testExternalPluginMetadataAuditLog(t, auditRequest, consts.PluginTypeSecrets.String())
+
+		auditResponse := map[string]interface{}{}
+		if req, ok := auditRecord["response"]; ok {
+			auditRequest = req.(map[string]interface{})
+			if auditResponse["path"] != plugin.Name+"/config/access" {
+				continue
+			}
+		}
+		testExternalPluginMetadataAuditLog(t, auditResponse, consts.PluginTypeSecrets.String())
+	}
+
+	// Deregister
+	if err := client.Sys().DeregisterPlugin(&api.DeregisterPluginInput{
+		Name:    plugin.Name,
+		Type:    api.PluginType(plugin.Typ),
+		Version: plugin.Version,
+	}); err != nil {
+		t.Fatal(err)
+	}
 }
diff --git a/command/operator_raft_snapshot_inspect.go b/command/operator_raft_snapshot_inspect.go
index a64c5ba347a9..0ebb3f77985c 100644
--- a/command/operator_raft_snapshot_inspect.go
+++ b/command/operator_raft_snapshot_inspect.go
@@ -1,568 +1,75 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"archive/tar"
-	"bufio"
-	"bytes"
-	"compress/gzip"
-	"crypto/sha256"
-	"encoding/json"
-	"fmt"
-	"hash"
-	"io"
-	"math"
-	"os"
-	"sort"
-	"strconv"
-	"strings"
-	"text/tabwriter"
-
-	"github.com/hashicorp/go-hclog"
-	"github.com/hashicorp/raft"
-	protoio "github.com/hashicorp/vault/physical/raft"
-	"github.com/hashicorp/vault/sdk/plugin/pb"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*OperatorRaftSnapshotInspectCommand)(nil)
-	_ cli.CommandAutocomplete = (*OperatorRaftSnapshotInspectCommand)(nil)
-)
-
-type OperatorRaftSnapshotInspectCommand struct {
-	*BaseCommand
-	details bool
-	depth   int
-	filter  string
-}
-
-func (c *OperatorRaftSnapshotInspectCommand) Synopsis() string {
-	return "Inspects raft snapshot"
-}
-
-func (c *OperatorRaftSnapshotInspectCommand) Help() string {
-	helpText := `
-	Usage: vault operator raft snapshot inspect <snapshot_file>
-	
-	Inspects a snapshot file.
-	
-	$ vault operator raft snapshot inspect raft.snap
-	
-	` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *OperatorRaftSnapshotInspectCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-	f := set.NewFlagSet("Command Options")
-
-	f.BoolVar(&BoolVar{
-		Name:    "details",
-		Target:  &c.details,
-		Default: true,
-		Usage:   "Provides information about usage for data stored in the snapshot.",
-	})
-
-	f.IntVar(&IntVar{
-		Name:    "depth",
-		Target:  &c.depth,
-		Default: 2,
-		Usage:   "Can only be used with -details. The key prefix depth used to breakdown KV store data. If set to 0, all keys will be returned. Defaults to 2.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:    "filter",
-		Target:  &c.filter,
-		Default: "",
-		Usage:   "Can only be used with -details. Limits the key breakdown using this prefix filter.",
-	})
-
-	return set
-}
-
-func (c *OperatorRaftSnapshotInspectCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictAnything
-}
-
-func (c *OperatorRaftSnapshotInspectCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-type OutputFormat struct {
-	Meta         *MetadataInfo
-	StatsKV      []typeStats
-	TotalCountKV int
-	TotalSizeKV  int
-}
-
-// SnapshotInfo is used for passing snapshot stat
-// information between functions
-type SnapshotInfo struct {
-	Meta         MetadataInfo
-	StatsKV      map[string]typeStats
-	TotalCountKV int
-	TotalSizeKV  int
-}
-
-type MetadataInfo struct {
-	ID      string
-	Size    int64
-	Index   uint64
-	Term    uint64
-	Version raft.SnapshotVersion
-}
-
-type typeStats struct {
-	Name  string
-	Count int
-	Size  int
-}
-
-func (c *OperatorRaftSnapshotInspectCommand) Run(args []string) int {
-	flags := c.Flags()
-
-	if err := flags.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	// Validate flags
-	if c.depth < 0 {
-		c.UI.Error("Depth must be equal to or greater than 0")
-		return 1
-	}
-
-	var file string
-	args = c.flags.Args()
-
-	switch len(args) {
-	case 0:
-		c.UI.Error("Missing FILE argument")
-		return 1
-	case 1:
-		file = args[0]
-	default:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
-	}
-
-	// Open the file.
-	f, err := os.Open(file)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error opening snapshot file: %s", err))
-		return 1
-	}
-	defer f.Close()
-
-	// Extract metadata and snapshot info from snapshot file
-	var info *SnapshotInfo
-	var meta *raft.SnapshotMeta
-	info, meta, err = c.Read(hclog.New(nil), f)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error reading snapshot: %s", err))
-		return 1
-	}
-
-	if info == nil {
-		c.UI.Error(fmt.Sprintf("Error calculating snapshot info: %s", err))
-		return 1
-	}
-
-	// Generate structs for the formatter with information we read in
-	metaformat := &MetadataInfo{
-		ID:      meta.ID,
-		Size:    meta.Size,
-		Index:   meta.Index,
-		Term:    meta.Term,
-		Version: meta.Version,
-	}
-
-	formattedStatsKV := generateKVStats(*info)
-
-	data := &OutputFormat{
-		Meta:         metaformat,
-		StatsKV:      formattedStatsKV,
-		TotalCountKV: info.TotalCountKV,
-		TotalSizeKV:  info.TotalSizeKV,
-	}
-
-	if Format(c.UI) != "table" {
-		return OutputData(c.UI, data)
-	}
-
-	tableData, err := formatTable(data)
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	c.UI.Output(tableData)
-
-	return 0
-}
-
-func (c *OperatorRaftSnapshotInspectCommand) kvEnhance(val *pb.StorageEntry, info *SnapshotInfo, read int) {
-	if !c.details {
-		return
-	}
-
-	if val.Key == "" {
-		return
-	}
-
-	// check for whether a filter is specified. if it is, skip
-	// any keys that don't match.
-	if len(c.filter) > 0 && !strings.HasPrefix(val.Key, c.filter) {
-		return
-	}
-
-	split := strings.Split(val.Key, "/")
-
-	// handle the situation where the key is shorter than
-	// the specified depth.
-	actualDepth := c.depth
-	if c.depth == 0 || c.depth > len(split) {
-		actualDepth = len(split)
-	}
-
-	prefix := strings.Join(split[0:actualDepth], "/")
-	kvs := info.StatsKV[prefix]
-	if kvs.Name == "" {
-		kvs.Name = prefix
-	}
-
-	kvs.Count++
-	kvs.Size += read
-	info.TotalCountKV++
-	info.TotalSizeKV += read
-	info.StatsKV[prefix] = kvs
-}
-
-// Read from snapshot's state.bin and update the SnapshotInfo struct
-func (c *OperatorRaftSnapshotInspectCommand) parseState(r io.Reader) (SnapshotInfo, error) {
-	info := SnapshotInfo{
-		StatsKV: make(map[string]typeStats),
-	}
-
-	protoReader := protoio.NewDelimitedReader(r, math.MaxInt32)
-
-	for {
-		s := new(pb.StorageEntry)
-		if err := protoReader.ReadMsg(s); err != nil {
-			if err == io.EOF {
-				break
-			}
-			return info, err
-		}
-		size := protoReader.GetLastReadSize()
-		c.kvEnhance(s, &info, size)
-	}
-
-	return info, nil
-}
-
-// Read contents of snapshot. Parse metadata and snapshot info
-// Also, verify validity of snapshot
-func (c *OperatorRaftSnapshotInspectCommand) Read(logger hclog.Logger, in io.Reader) (*SnapshotInfo, *raft.SnapshotMeta, error) {
-	// Wrap the reader in a gzip decompressor.
-	decomp, err := gzip.NewReader(in)
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to decompress snapshot: %v", err)
-	}
-
-	defer func() {
-		if decomp == nil {
-			return
-		}
-
-		if err := decomp.Close(); err != nil {
-			logger.Error("Failed to close snapshot decompressor", "error", err)
-		}
-	}()
-
-	// Read the archive.
-	snapshotInfo, metadata, err := c.read(decomp)
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to read snapshot file: %v", err)
-	}
-
-	if err := concludeGzipRead(decomp); err != nil {
-		return nil, nil, err
-	}
-
-	if err := decomp.Close(); err != nil {
-		return nil, nil, err
-	}
-	decomp = nil
-	return snapshotInfo, metadata, nil
-}
-
-func formatTable(info *OutputFormat) (string, error) {
-	var b bytes.Buffer
-	tw := tabwriter.NewWriter(&b, 8, 8, 6, ' ', 0)
-
-	fmt.Fprintf(tw, " ID\t%s", info.Meta.ID)
-	fmt.Fprintf(tw, "\n Size\t%d", info.Meta.Size)
-	fmt.Fprintf(tw, "\n Index\t%d", info.Meta.Index)
-	fmt.Fprintf(tw, "\n Term\t%d", info.Meta.Term)
-	fmt.Fprintf(tw, "\n Version\t%d", info.Meta.Version)
-	fmt.Fprintf(tw, "\n")
-
-	if info.StatsKV != nil {
-		fmt.Fprintf(tw, "\n")
-		fmt.Fprintln(tw, "\n Key Name\tCount\tSize")
-		fmt.Fprintf(tw, " %s\t%s\t%s", "----", "----", "----")
-
-		for _, s := range info.StatsKV {
-			fmt.Fprintf(tw, "\n %s\t%d\t%s", s.Name, s.Count, ByteSize(uint64(s.Size)))
-		}
-
-		fmt.Fprintf(tw, "\n %s\t%s", "----", "----")
-		fmt.Fprintf(tw, "\n Total Size\t\t%s", ByteSize(uint64(info.TotalSizeKV)))
-	}
-
-	if err := tw.Flush(); err != nil {
-		return b.String(), err
-	}
-
-	return b.String(), nil
-}
-
-const (
-	BYTE = 1 << (10 * iota)
-	KILOBYTE
-	MEGABYTE
-	GIGABYTE
-	TERABYTE
-)
-
-func ByteSize(bytes uint64) string {
-	unit := ""
-	value := float64(bytes)
-
-	switch {
-	case bytes >= TERABYTE:
-		unit = "TB"
-		value = value / TERABYTE
-	case bytes >= GIGABYTE:
-		unit = "GB"
-		value = value / GIGABYTE
-	case bytes >= MEGABYTE:
-		unit = "MB"
-		value = value / MEGABYTE
-	case bytes >= KILOBYTE:
-		unit = "KB"
-		value = value / KILOBYTE
-	case bytes >= BYTE:
-		unit = "B"
-	case bytes == 0:
-		return "0"
-	}
-
-	result := strconv.FormatFloat(value, 'f', 1, 64)
-	result = strings.TrimSuffix(result, ".0")
-	return result + unit
-}
-
-// sortTypeStats sorts the stat slice by count and then
-// alphabetically in the case the counts are equal
-func sortTypeStats(stats []typeStats) []typeStats {
-	// sort alphabetically if size is equal
-	sort.Slice(stats, func(i, j int) bool {
-		// Sort alphabetically if count is equal
-		if stats[i].Count == stats[j].Count {
-			return stats[i].Name < stats[j].Name
-		}
-		return stats[i].Count > stats[j].Count
-	})
-
-	return stats
-}
-
-// generateKVStats reformats the KV stats to work with
-// the output struct that's used to produce the printed
-// output the user sees.
-func generateKVStats(info SnapshotInfo) []typeStats {
-	kvLen := len(info.StatsKV)
-	if kvLen > 0 {
-		ks := make([]typeStats, 0, kvLen)
-
-		for _, s := range info.StatsKV {
-			ks = append(ks, s)
-		}
-
-		ks = sortTypeStats(ks)
-
-		return ks
-	}
-
-	return nil
-}
-
-// hashList manages a list of filenames and their hashes.
-type hashList struct {
-	hashes map[string]hash.Hash
-}
-
-// newHashList returns a new hashList.
-func newHashList() *hashList {
-	return &hashList{
-		hashes: make(map[string]hash.Hash),
-	}
-}
-
-// Add creates a new hash for the given file.
-func (hl *hashList) Add(file string) hash.Hash {
-	if existing, ok := hl.hashes[file]; ok {
-		return existing
-	}
-
-	h := sha256.New()
-	hl.hashes[file] = h
-	return h
-}
-
-// Encode takes the current sum of all the hashes and saves the hash list as a
-// SHA256SUMS-style text file.
-func (hl *hashList) Encode(w io.Writer) error {
-	for file, h := range hl.hashes {
-		if _, err := fmt.Fprintf(w, "%x  %s\n", h.Sum([]byte{}), file); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// DecodeAndVerify reads a SHA256SUMS-style text file and checks the results
-// against the current sums for all the hashes.
-func (hl *hashList) DecodeAndVerify(r io.Reader) error {
-	// Read the file and make sure everything in there has a matching hash.
-	seen := make(map[string]struct{})
-	s := bufio.NewScanner(r)
-	for s.Scan() {
-		sha := make([]byte, sha256.Size)
-		var file string
-		if _, err := fmt.Sscanf(s.Text(), "%x  %s", &sha, &file); err != nil {
-			return err
-		}
-
-		h, ok := hl.hashes[file]
-		if !ok {
-			return fmt.Errorf("list missing hash for %q", file)
-		}
-		if !bytes.Equal(sha, h.Sum([]byte{})) {
-			return fmt.Errorf("hash check failed for %q", file)
-		}
-		seen[file] = struct{}{}
-	}
-	if err := s.Err(); err != nil {
-		return err
-	}
-
-	// Make sure everything we had a hash for was seen.
-	for file := range hl.hashes {
-		if _, ok := seen[file]; !ok {
-			return fmt.Errorf("file missing for %q", file)
-		}
-	}
-
-	return nil
-}
-
-// read takes a reader and extracts the snapshot metadata and snapshot
-// info. It also checks the integrity of the snapshot data.
-func (c *OperatorRaftSnapshotInspectCommand) read(in io.Reader) (*SnapshotInfo, *raft.SnapshotMeta, error) {
-	// Start a new tar reader.
-	archive := tar.NewReader(in)
-
-	// Create a hash list that we will use to compare with the SHA256SUMS
-	// file in the archive.
-	hl := newHashList()
-
-	// Populate the hashes for all the files we expect to see. The check at
-	// the end will make sure these are all present in the SHA256SUMS file
-	// and that the hashes match.
-	metaHash := hl.Add("meta.json")
-	snapHash := hl.Add("state.bin")
-
-	// Look through the archive for the pieces we care about.
-	var shaBuffer bytes.Buffer
-	var snapshotInfo SnapshotInfo
-	var metadata raft.SnapshotMeta
-	for {
-		hdr, err := archive.Next()
-		if err == io.EOF {
-			break
-		}
-		if err != nil {
-			return nil, nil, fmt.Errorf("failed reading snapshot: %v", err)
-		}
-
-		switch hdr.Name {
-		case "meta.json":
-			// Previously we used json.Decode to decode the archive stream. There are
-			// edgecases in which it doesn't read all the bytes from the stream, even
-			// though the json object is still being parsed properly. Since we
-			// simultaneously feeded everything to metaHash, our hash ended up being
-			// different than what we calculated when creating the snapshot. Which in
-			// turn made the snapshot verification fail. By explicitly reading the
-			// whole thing first we ensure that we calculate the correct hash
-			// independent of how json.Decode works internally.
-			buf, err := io.ReadAll(io.TeeReader(archive, metaHash))
-			if err != nil {
-				return nil, nil, fmt.Errorf("failed to read snapshot metadata: %v", err)
-			}
-			if err := json.Unmarshal(buf, &metadata); err != nil {
-				return nil, nil, fmt.Errorf("failed to decode snapshot metadata: %v", err)
-			}
-		case "state.bin":
-			// create reader that writes to snapHash what it reads from archive
-			wrappedReader := io.TeeReader(archive, snapHash)
-			var err error
-			snapshotInfo, err = c.parseState(wrappedReader)
-			if err != nil {
-				return nil, nil, fmt.Errorf("error parsing snapshot state: %v", err)
-			}
-
-		case "SHA256SUMS":
-			if _, err := io.CopyN(&shaBuffer, archive, 10000); err != nil && err != io.EOF {
-				return nil, nil, fmt.Errorf("failed to read snapshot hashes: %v", err)
-			}
-
-		case "SHA256SUMS.sealed":
-			// Add verification of sealed sum in future
-			continue
-
-		default:
-			return nil, nil, fmt.Errorf("unexpected file %q in snapshot", hdr.Name)
-		}
-	}
-
-	// Verify all the hashes.
-	if err := hl.DecodeAndVerify(&shaBuffer); err != nil {
-		return nil, nil, fmt.Errorf("failed checking integrity of snapshot: %v", err)
-	}
-
-	return &snapshotInfo, &metadata, nil
-}
-
-// concludeGzipRead should be invoked after you think you've consumed all of
-// the data from the gzip stream. It will error if the stream was corrupt.
-//
-// The docs for gzip.Reader say: "Clients should treat data returned by Read as
-// tentative until they receive the io.EOF marking the end of the data."
-func concludeGzipRead(decomp *gzip.Reader) error {
-	extra, err := io.ReadAll(decomp) // ReadAll consumes the EOF
-	if err != nil {
-		return err
-	}
-	if len(extra) != 0 {
-		return fmt.Errorf("%d unread uncompressed bytes remain", len(extra))
-	}
-	return nil
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<WizardContent @headerText="Vault Web UI" @glyph="tour" @selectProgress={{this.selectProgress}}>
+  <h2 class="title is-6">
+    Choosing where to go
+  </h2>
+  <p>
+    You did it! You now have access to your Vault and can start entering your data. We can help you get started with any of
+    the options below.
+  </p>
+  <div class="access-information">
+    <Icon @name="info" class="has-text-info" />
+    <p>
+      Vault only shows links to pages that you have access to based on your policies. Contact your administrator if you need
+      access changes.
+    </p>
+  </div>
+  {{#if (or (has-feature "Performance Replication") (has-feature "DR Replication"))}}{{/if}}
+  <h3 class="feature-header">Walk me through setting up:</h3>
+  <form id="features-form" class="feature-selection" {{action "saveFeatures" on="submit"}}>
+    {{#each this.allFeatures as |feature|}}
+      {{#if feature.show}}
+        <div
+          class="feature-box {{if feature.selected 'is-active'}} {{if feature.disabled 'is-disabled'}}"
+          data-test-select-input={{true}}
+        >
+          <div class="b-checkbox">
+            <input
+              id="feature-{{feature.key}}"
+              type="checkbox"
+              class="styled"
+              checked={{feature.selected}}
+              onchange={{action (mut feature.selected) value="target.checked"}}
+              disabled={{feature.disabled}}
+              data-test-checkbox={{feature.name}}
+            />
+            <label for="feature-{{feature.key}}">{{feature.name}}</label>
+            <Hds::Button
+              @color="tertiary"
+              @text={{if (get this (concat feature.key "-isOpen")) "Close" "Open"}}
+              @icon={{if (get this (concat feature.key "-isOpen")) "chevron-up" "chevron-down"}}
+              @isIconOnly={{true}}
+              {{on "click" (action (toggle (concat feature.key "-isOpen") this))}}
+            />
+            {{#if feature.disabled}}
+              <Info-Tooltip data-test-tooltip>
+                You do not have permissions to tour some parts of this feature
+              </Info-Tooltip>
+            {{/if}}
+          </div>
+          {{#if (get this (concat feature.key "-isOpen"))}}
+            <ul class="feature-steps">
+              {{#each feature.steps as |step|}}
+                <li>{{step}}</li>
+              {{/each}}
+            </ul>
+          {{/if}}
+        </div>
+      {{/if}}
+    {{/each}}
+    <span class="selection-summary">
+      <Hds::Button @text="Start" type="submit" disabled={{this.cannotStartWizard}} data-test-start-button />
+      {{#if this.selectedFeatures}}
+        <span class="time-estimate">
+          <Icon @name="clock" class="has-text-grey" />About
+          {{this.estimatedTime}}
+          minutes
+        </span>
+      {{/if}}
+    </span>
+  </form>
+</WizardContent>
\ No newline at end of file
diff --git a/command/operator_raft_snapshot_inspect_test.go b/command/operator_raft_snapshot_inspect_test.go
index de306595e5a3..117497893b8d 100644
--- a/command/operator_raft_snapshot_inspect_test.go
+++ b/command/operator_raft_snapshot_inspect_test.go
@@ -1,141 +1,644 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package pki
 
 import (
-	"context"
-	"fmt"
-	"os"
-	"strings"
-	"testing"
-
-	"github.com/hashicorp/vault/physical/raft"
-	"github.com/hashicorp/vault/sdk/physical"
-	"github.com/mitchellh/cli"
+	"time"
+
+	"github.com/hashicorp/vault/sdk/framework"
+)
+
+const (
+	issuerRefParam = "issuer_ref"
+	keyNameParam   = "key_name"
+	keyRefParam    = "key_ref"
+	keyIdParam     = "key_id"
+	keyTypeParam   = "key_type"
+	keyBitsParam   = "key_bits"
+	skidParam      = "subject_key_id"
 )
 
-func testOperatorRaftSnapshotInspectCommand(tb testing.TB) (*cli.MockUi, *OperatorRaftSnapshotInspectCommand) {
-	tb.Helper()
+// addIssueAndSignCommonFields adds fields common to both CA and non-CA issuing
+// and signing
+func addIssueAndSignCommonFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
+	fields["exclude_cn_from_sans"] = &framework.FieldSchema{
+		Type:    framework.TypeBool,
+		Default: false,
+		Description: `If true, the Common Name will not be
+included in DNS or Email Subject Alternate Names.
+Defaults to false (CN is included).`,
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "Exclude Common Name from Subject Alternative Names (SANs)",
+		},
+	}
+
+	fields["format"] = &framework.FieldSchema{
+		Type:    framework.TypeString,
+		Default: "pem",
+		Description: `Format for returned data. Can be "pem", "der",
+or "pem_bundle". If "pem_bundle", any private
+key and issuing cert will be appended to the
+certificate pem. If "der", the value will be
+base64 encoded. Defaults to "pem".`,
+		AllowedValues: []interface{}{"pem", "der", "pem_bundle"},
+		DisplayAttrs: &framework.DisplayAttributes{
+			Value: "pem",
+		},
+	}
+
+	fields["private_key_format"] = &framework.FieldSchema{
+		Type:    framework.TypeString,
+		Default: "der",
+		Description: `Format for the returned private key.
+Generally the default will be controlled by the "format"
+parameter as either base64-encoded DER or PEM-encoded DER.
+However, this can be set to "pkcs8" to have the returned
+private key contain base64-encoded pkcs8 or PEM-encoded
+pkcs8 instead. Defaults to "der".`,
+		AllowedValues: []interface{}{"", "der", "pem", "pkcs8"},
+		DisplayAttrs: &framework.DisplayAttributes{
+			Value: "der",
+		},
+	}
+
+	fields["ip_sans"] = &framework.FieldSchema{
+		Type: framework.TypeCommaStringSlice,
+		Description: `The requested IP SANs, if any, in a
+comma-delimited list`,
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "IP Subject Alternative Names (SANs)",
+		},
+	}
 
-	ui := cli.NewMockUi()
-	return ui, &OperatorRaftSnapshotInspectCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
+	fields["uri_sans"] = &framework.FieldSchema{
+		Type: framework.TypeCommaStringSlice,
+		Description: `The requested URI SANs, if any, in a
+comma-delimited list.`,
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "URI Subject Alternative Names (SANs)",
 		},
 	}
+
+	fields["other_sans"] = &framework.FieldSchema{
+		Type: framework.TypeCommaStringSlice,
+		Description: `Requested other SANs, in an array with the format
+<oid>;UTF8:<utf8 string value> for each entry.`,
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "Other SANs",
+		},
+	}
+
+	return fields
 }
 
-func createSnapshot(tb testing.TB) (*os.File, func(), error) {
-	// Create new raft backend
-	r, raftDir := raft.GetRaft(tb, true, false)
-	defer os.RemoveAll(raftDir)
+// addNonCACommonFields adds fields with help text specific to non-CA
+// certificate issuing and signing
+func addNonCACommonFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
+	fields = addIssueAndSignCommonFields(fields)
 
-	// Write some data
-	for i := 0; i < 100; i++ {
-		err := r.Put(context.Background(), &physical.Entry{
-			Key:   fmt.Sprintf("key-%d", i),
-			Value: []byte(fmt.Sprintf("value-%d", i)),
-		})
-		if err != nil {
-			return nil, nil, fmt.Errorf("Error adding data to snapshot %s", err)
-		}
+	fields["role"] = &framework.FieldSchema{
+		Type: framework.TypeString,
+		Description: `The desired role with configuration for this
+request`,
 	}
 
-	// Create temporary file to save snapshot to
-	snap, err := os.CreateTemp("", "temp_snapshot.snap")
-	if err != nil {
-		return nil, nil, fmt.Errorf("Error creating temporary file %s", err)
+	fields["common_name"] = &framework.FieldSchema{
+		Type: framework.TypeString,
+		Description: `The requested common name; if you want more than
+one, specify the alternative names in the
+alt_names map. If email protection is enabled
+in the role, this may be an email address.`,
 	}
 
-	cleanup := func() {
-		err := os.RemoveAll(snap.Name())
-		if err != nil {
-			tb.Errorf("Error deleting temporary snapshot %s", err)
-		}
+	fields["alt_names"] = &framework.FieldSchema{
+		Type: framework.TypeString,
+		Description: `The requested Subject Alternative Names, if any,
+in a comma-delimited list. If email protection
+is enabled for the role, this may contain
+email addresses.`,
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "DNS/Email Subject Alternative Names (SANs)",
+		},
+	}
+
+	fields["serial_number"] = &framework.FieldSchema{
+		Type: framework.TypeString,
+		Description: `The Subject's requested serial number, if any.
+See RFC 4519 Section 2.31 'serialNumber' for a description of this field.
+If you want more than one, specify alternative names in the alt_names
+map using OID 2.5.4.5. This has no impact on the final certificate's
+Serial Number field.`,
+	}
+
+	fields["ttl"] = &framework.FieldSchema{
+		Type: framework.TypeDurationSecond,
+		Description: `The requested Time To Live for the certificate;
+sets the expiration date. If not specified
+the role default, backend default, or system
+default TTL is used, in that order. Cannot
+be larger than the role max TTL.`,
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "TTL",
+		},
+	}
+
+	fields["not_after"] = &framework.FieldSchema{
+		Type: framework.TypeString,
+		Description: `Set the not after field of the certificate with specified date value.
+The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ`,
+	}
+
+	fields["remove_roots_from_chain"] = &framework.FieldSchema{
+		Type:    framework.TypeBool,
+		Default: false,
+		Description: `Whether or not to remove self-signed CA certificates in the output
+of the ca_chain field.`,
 	}
 
-	// Save snapshot
-	err = r.Snapshot(snap, nil)
-	if err != nil {
-		return nil, nil, fmt.Errorf("Error saving raft snapshot %s", err)
+	fields["user_ids"] = &framework.FieldSchema{
+		Type: framework.TypeCommaStringSlice,
+		Description: `The requested user_ids value to place in the subject,
+if any, in a comma-delimited list. Restricted by allowed_user_ids.
+Any values are added with OID 0.9.2342.19200300.100.1.1.`,
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "User ID(s)",
+		},
 	}
 
-	return snap, cleanup, nil
+	fields = addIssuerRefField(fields)
+
+	return fields
 }
 
-func TestOperatorRaftSnapshotInspectCommand_Run(t *testing.T) {
-	t.Parallel()
+// addCACommonFields adds fields with help text specific to CA
+// certificate issuing and signing
+func addCACommonFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
+	fields = addIssueAndSignCommonFields(fields)
+
+	fields["alt_names"] = &framework.FieldSchema{
+		Type: framework.TypeString,
+		Description: `The requested Subject Alternative Names, if any,
+in a comma-delimited list. May contain both
+DNS names and email addresses.`,
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "DNS/Email Subject Alternative Names (SANs)",
+		},
+	}
+
+	fields["common_name"] = &framework.FieldSchema{
+		Type: framework.TypeString,
+		Description: `The requested common name; if you want more than
+one, specify the alternative names in the alt_names
+map. If not specified when signing, the common
+name will be taken from the CSR; other names
+must still be specified in alt_names or ip_sans.`,
+	}
+
+	fields["ttl"] = &framework.FieldSchema{
+		Type: framework.TypeDurationSecond,
+		Description: `The requested Time To Live for the certificate;
+sets the expiration date. If not specified
+the role default, backend default, or system
+default TTL is used, in that order. Cannot
+be larger than the mount max TTL. Note:
+this only has an effect when generating
+a CA cert or signing a CA cert, not when
+generating a CSR for an intermediate CA.`,
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "TTL",
+		},
+	}
+
+	fields["ou"] = &framework.FieldSchema{
+		Type: framework.TypeCommaStringSlice,
+		Description: `If set, OU (OrganizationalUnit) will be set to
+this value.`,
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "OU (Organizational Unit)",
+		},
+	}
+
+	fields["organization"] = &framework.FieldSchema{
+		Type: framework.TypeCommaStringSlice,
+		Description: `If set, O (Organization) will be set to
+this value.`,
+	}
+
+	fields["country"] = &framework.FieldSchema{
+		Type: framework.TypeCommaStringSlice,
+		Description: `If set, Country will be set to
+this value.`,
+	}
 
-	file1, cleanup1, err := createSnapshot(t)
-	if err != nil {
-		t.Fatalf("Error creating snapshot %s", err)
+	fields["locality"] = &framework.FieldSchema{
+		Type: framework.TypeCommaStringSlice,
+		Description: `If set, Locality will be set to
+this value.`,
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "Locality/City",
+		},
 	}
 
-	file2, cleanup2, err := createSnapshot(t)
-	if err != nil {
-		t.Fatalf("Error creating snapshot %s", err)
+	fields["province"] = &framework.FieldSchema{
+		Type: framework.TypeCommaStringSlice,
+		Description: `If set, Province will be set to
+this value.`,
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "Province/State",
+		},
 	}
 
-	cases := []struct {
-		name    string
-		args    []string
-		out     string
-		code    int
-		cleanup func()
-	}{
-		{
-			"too_many_args",
-			[]string{"test.snap", "test"},
-			"Too many arguments",
-			1,
-			nil,
+	fields["street_address"] = &framework.FieldSchema{
+		Type: framework.TypeCommaStringSlice,
+		Description: `If set, Street Address will be set to
+this value.`,
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "Street Address",
 		},
-		{
-			"default",
-			[]string{file1.Name()},
-			"ID           bolt-snapshot",
-			0,
-			cleanup1,
+	}
+
+	fields["postal_code"] = &framework.FieldSchema{
+		Type: framework.TypeCommaStringSlice,
+		Description: `If set, Postal Code will be set to
+this value.`,
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "Postal Code",
 		},
-		{
-			"all_flags",
-			[]string{"-details", "-depth", "10", "-filter", "key", file2.Name()},
-			"Key Name",
-			0,
-			cleanup2,
+	}
+
+	fields["serial_number"] = &framework.FieldSchema{
+		Type: framework.TypeString,
+		Description: `The Subject's requested serial number, if any.
+See RFC 4519 Section 2.31 'serialNumber' for a description of this field.
+If you want more than one, specify alternative names in the alt_names
+map using OID 2.5.4.5. This has no impact on the final certificate's
+Serial Number field.`,
+	}
+
+	fields["not_after"] = &framework.FieldSchema{
+		Type: framework.TypeString,
+		Description: `Set the not after field of the certificate with specified date value.
+The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ`,
+	}
+
+	fields["not_before_duration"] = &framework.FieldSchema{
+		Type:        framework.TypeDurationSecond,
+		Default:     30,
+		Description: `The duration before now which the certificate needs to be backdated by.`,
+		DisplayAttrs: &framework.DisplayAttributes{
+			Value: 30,
 		},
 	}
 
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
+	return fields
+}
+
+// addCAKeyGenerationFields adds fields with help text specific to CA key
+// generation and exporting
+func addCAKeyGenerationFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
+	fields["exported"] = &framework.FieldSchema{
+		Type: framework.TypeString,
+		Description: `Must be "internal", "exported" or "kms". If set to
+"exported", the generated private key will be
+returned. This is your *only* chance to retrieve
+the private key!`,
+		AllowedValues: []interface{}{"internal", "external", "kms"},
+	}
+
+	fields["managed_key_name"] = &framework.FieldSchema{
+		Type: framework.TypeString,
+		Description: `The name of the managed key to use when the exported
+type is kms. When kms type is the key type, this field or managed_key_id
+is required. Ignored for other types.`,
+	}
+
+	fields["managed_key_id"] = &framework.FieldSchema{
+		Type: framework.TypeString,
+		Description: `The name of the managed key to use when the exported
+type is kms. When kms type is the key type, this field or managed_key_name
+is required. Ignored for other types.`,
+	}
+
+	fields["key_bits"] = &framework.FieldSchema{
+		Type:    framework.TypeInt,
+		Default: 0,
+		Description: `The number of bits to use. Allowed values are
+0 (universal default); with rsa key_type: 2048 (default), 3072, 4096 or 8192;
+with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.`,
+		DisplayAttrs: &framework.DisplayAttributes{
+			Value: 0,
+		},
+	}
 
-		for _, tc := range cases {
-			tc := tc
+	fields["signature_bits"] = &framework.FieldSchema{
+		Type:    framework.TypeInt,
+		Default: 0,
+		Description: `The number of bits to use in the signature
+algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for
+SHA-2-512. Defaults to 0 to automatically detect based on key length
+(SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).`,
+		DisplayAttrs: &framework.DisplayAttributes{
+			Value: 0,
+		},
+	}
 
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
+	fields["use_pss"] = &framework.FieldSchema{
+		Type:    framework.TypeBool,
+		Default: false,
+		Description: `Whether or not to use PSS signatures when using a
+RSA key-type issuer. Defaults to false.`,
+	}
 
-				client, closer := testVaultServer(t)
-				defer closer()
+	fields["key_type"] = &framework.FieldSchema{
+		Type:    framework.TypeString,
+		Default: "rsa",
+		Description: `The type of key to use; defaults to RSA. "rsa"
+"ec" and "ed25519" are the only valid values.`,
+		AllowedValues: []interface{}{"rsa", "ec", "ed25519"},
+		DisplayAttrs: &framework.DisplayAttributes{
+			Value: "rsa",
+		},
+	}
 
-				ui, cmd := testOperatorRaftSnapshotInspectCommand(t)
+	fields = addKeyRefNameFields(fields)
 
-				cmd.client = client
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
+	return fields
+}
 
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
+// addCAIssueFields adds fields common to CA issuing, e.g. when returning
+// an actual certificate
+func addCAIssueFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
+	fields["max_path_length"] = &framework.FieldSchema{
+		Type:        framework.TypeInt,
+		Default:     -1,
+		Description: "The maximum allowable path length",
+	}
+
+	fields["permitted_dns_domains"] = &framework.FieldSchema{
+		Type:        framework.TypeCommaStringSlice,
+		Description: `Domains for which this certificate is allowed to sign or issue child certificates. If set, all DNS names (subject and alt) on child certs must be exact matches or subsets of the given domains (see https://tools.ietf.org/html/rfc5280#section-4.2.1.10).`,
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "Permitted DNS Domains",
+		},
+	}
+
+	fields = addIssuerNameField(fields)
+
+	return fields
+}
+
+func addIssuerRefNameFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
+	fields = addIssuerNameField(fields)
+	fields = addIssuerRefField(fields)
+	return fields
+}
+
+func addIssuerNameField(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
+	fields["issuer_name"] = &framework.FieldSchema{
+		Type: framework.TypeString,
+		Description: `Provide a name to the generated or existing issuer, the name
+must be unique across all issuers and not be the reserved value 'default'`,
+	}
+	return fields
+}
+
+func addIssuerRefField(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
+	fields[issuerRefParam] = &framework.FieldSchema{
+		Type: framework.TypeString,
+		Description: `Reference to a existing issuer; either "default"
+for the configured default issuer, an identifier or the name assigned
+to the issuer.`,
+		Default: defaultRef,
+	}
+	return fields
+}
+
+func addKeyRefNameFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
+	fields = addKeyNameField(fields)
+	fields = addKeyRefField(fields)
+	return fields
+}
+
+func addKeyNameField(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
+	fields[keyNameParam] = &framework.FieldSchema{
+		Type: framework.TypeString,
+		Description: `Provide a name to the generated or existing key, the name
+must be unique across all keys and not be the reserved value 'default'`,
+	}
+
+	return fields
+}
+
+func addKeyRefField(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
+	fields[keyRefParam] = &framework.FieldSchema{
+		Type: framework.TypeString,
+		Description: `Reference to a existing key; either "default"
+for the configured default key, an identifier or the name assigned
+to the key.`,
+		Default: defaultRef,
+	}
+	return fields
+}
+
+func addTidyFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
+	fields["tidy_cert_store"] = &framework.FieldSchema{
+		Type: framework.TypeBool,
+		Description: `Set to true to enable tidying up
+the certificate store`,
+	}
+
+	fields["tidy_revocation_list"] = &framework.FieldSchema{
+		Type:        framework.TypeBool,
+		Description: `Deprecated; synonym for 'tidy_revoked_certs`,
+	}
+
+	fields["tidy_revoked_certs"] = &framework.FieldSchema{
+		Type: framework.TypeBool,
+		Description: `Set to true to expire all revoked
+and expired certificates, removing them both from the CRL and from storage. The
+CRL will be rotated if this causes any values to be removed.`,
+	}
+
+	fields["tidy_revoked_cert_issuer_associations"] = &framework.FieldSchema{
+		Type: framework.TypeBool,
+		Description: `Set to true to validate issuer associations
+on revocation entries. This helps increase the performance of CRL building
+and OCSP responses.`,
+	}
+
+	fields["tidy_expired_issuers"] = &framework.FieldSchema{
+		Type: framework.TypeBool,
+		Description: `Set to true to automatically remove expired issuers
+past the issuer_safety_buffer. No keys will be removed as part of this
+operation.`,
+	}
+
+	fields["tidy_move_legacy_ca_bundle"] = &framework.FieldSchema{
+		Type: framework.TypeBool,
+		Description: `Set to true to move the legacy ca_bundle from
+/config/ca_bundle to /config/ca_bundle.bak. This prevents downgrades
+to pre-Vault 1.11 versions (as older PKI engines do not know about
+the new multi-issuer storage layout), but improves the performance
+on seal wrapped PKI mounts. This will only occur if at least
+issuer_safety_buffer time has occurred after the initial storage
+migration.
+
+This backup is saved in case of an issue in future migrations.
+Operators may consider removing it via sys/raw if they desire.
+The backup will be removed via a DELETE /root call, but note that
+this removes ALL issuers within the mount (and is thus not desirable
+in most operational scenarios).`,
+	}
+
+	fields["tidy_acme"] = &framework.FieldSchema{
+		Type: framework.TypeBool,
+		Description: `Set to true to enable tidying ACME accounts,
+orders and authorizations.  ACME orders are tidied (deleted) 
+safety_buffer after the certificate associated with them expires,
+or after the order and relevant authorizations have expired if no 
+certificate was produced.  Authorizations are tidied with the 
+corresponding order.
+
+When a valid ACME Account is at least acme_account_safety_buffer
+old, and has no remaining orders associated with it, the account is
+marked as revoked.  After another acme_account_safety_buffer has 
+passed from the revocation or deactivation date, a revoked or 
+deactivated ACME account is deleted.`,
+		Default: false,
+	}
+
+	fields["safety_buffer"] = &framework.FieldSchema{
+		Type: framework.TypeDurationSecond,
+		Description: `The amount of extra time that must have passed
+beyond certificate expiration before it is removed
+from the backend storage and/or revocation list.
+Defaults to 72 hours.`,
+		Default: int(defaultTidyConfig.SafetyBuffer / time.Second), // TypeDurationSecond currently requires defaults to be int
+	}
+
+	fields["issuer_safety_buffer"] = &framework.FieldSchema{
+		Type: framework.TypeDurationSecond,
+		Description: `The amount of extra time that must have passed
+beyond issuer's expiration before it is removed
+from the backend storage.
+Defaults to 8760 hours (1 year).`,
+		Default: int(defaultTidyConfig.IssuerSafetyBuffer / time.Second), // TypeDurationSecond currently requires defaults to be int
+	}
+
+	fields["acme_account_safety_buffer"] = &framework.FieldSchema{
+		Type: framework.TypeDurationSecond,
+		Description: `The amount of time that must pass after creation
+that an account with no orders is marked revoked, and the amount of time
+after being marked revoked or deactivated.`,
+		Default: int(defaultTidyConfig.AcmeAccountSafetyBuffer / time.Second), // TypeDurationSecond currently requires defaults to be int
+	}
+
+	fields["pause_duration"] = &framework.FieldSchema{
+		Type: framework.TypeString,
+		Description: `The amount of time to wait between processing
+certificates. This allows operators to change the execution profile
+of tidy to take consume less resources by slowing down how long it
+takes to run. Note that the entire list of certificates will be
+stored in memory during the entire tidy operation, but resources to
+read/process/update existing entries will be spread out over a
+greater period of time. By default this is zero seconds.`,
+		Default: "0s",
+	}
+
+	fields["tidy_revocation_queue"] = &framework.FieldSchema{
+		Type: framework.TypeBool,
+		Description: `Set to true to remove stale revocation queue entries
+that haven't been confirmed by any active cluster. Only runs on the
+active primary node`,
+		Default: defaultTidyConfig.RevocationQueue,
+	}
+
+	fields["revocation_queue_safety_buffer"] = &framework.FieldSchema{
+		Type: framework.TypeDurationSecond,
+		Description: `The amount of time that must pass from the
+cross-cluster revocation request being initiated to when it will be
+slated for removal. Setting this too low may remove valid revocation
+requests before the owning cluster has a chance to process them,
+especially if the cluster is offline.`,
+		Default: int(defaultTidyConfig.QueueSafetyBuffer / time.Second), // TypeDurationSecond currently requires defaults to be int
+	}
+
+	fields["tidy_cross_cluster_revoked_certs"] = &framework.FieldSchema{
+		Type: framework.TypeBool,
+		Description: `Set to true to enable tidying up
+the cross-cluster revoked certificate store. Only runs on the active
+primary node.`,
+	}
+
+	return fields
+}
+
+// generate the entire list of schema fields we need for CSR sign verbatim, this is also
+// leveraged by ACME internally.
+func getCsrSignVerbatimSchemaFields() map[string]*framework.FieldSchema {
+	fields := map[string]*framework.FieldSchema{}
+	fields = addNonCACommonFields(fields)
+	fields = addSignVerbatimRoleFields(fields)
+
+	fields["csr"] = &framework.FieldSchema{
+		Type:    framework.TypeString,
+		Default: "",
+		Description: `PEM-format CSR to be signed. Values will be
+taken verbatim from the CSR, except for
+basic constraints.`,
+	}
+
+	return fields
+}
+
+// addSignVerbatimRoleFields provides the fields and defaults to be used by anything that is building up the fields
+// and their corresponding default values when generating/using a sign-verbatim type role such as buildSignVerbatimRole.
+func addSignVerbatimRoleFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
+	fields["key_usage"] = &framework.FieldSchema{
+		Type:    framework.TypeCommaStringSlice,
+		Default: []string{"DigitalSignature", "KeyAgreement", "KeyEncipherment"},
+		Description: `A comma-separated string or list of key usages (not extended
+key usages). Valid values can be found at
+https://golang.org/pkg/crypto/x509/#KeyUsage
+-- simply drop the "KeyUsage" part of the name.
+To remove all key usages from being set, set
+this value to an empty list.`,
+	}
+
+	fields["ext_key_usage"] = &framework.FieldSchema{
+		Type:    framework.TypeCommaStringSlice,
+		Default: []string{},
+		Description: `A comma-separated string or list of extended key usages. Valid values can be found at
+https://golang.org/pkg/crypto/x509/#ExtKeyUsage
+-- simply drop the "ExtKeyUsage" part of the name.
+To remove all key usages from being set, set
+this value to an empty list.`,
+	}
+
+	fields["ext_key_usage_oids"] = &framework.FieldSchema{
+		Type:        framework.TypeCommaStringSlice,
+		Description: `A comma-separated string or list of extended key usage oids.`,
+	}
+
+	fields["signature_bits"] = &framework.FieldSchema{
+		Type:    framework.TypeInt,
+		Default: 0,
+		Description: `The number of bits to use in the signature
+algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for
+SHA-2-512. Defaults to 0 to automatically detect based on key length
+(SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).`,
+		DisplayAttrs: &framework.DisplayAttributes{
+			Value: 0,
+		},
+	}
+
+	fields["use_pss"] = &framework.FieldSchema{
+		Type:    framework.TypeBool,
+		Default: false,
+		Description: `Whether or not to use PSS signatures when using a
+RSA key-type issuer. Defaults to false.`,
+	}
 
-				if tc.cleanup != nil {
-					tc.cleanup()
-				}
-			})
-		}
-	})
+	return fields
 }
diff --git a/command/operator_raft_snapshot_restore.go b/command/operator_raft_snapshot_restore.go
index 56c24b61b58f..7d4268aacfe8 100644
--- a/command/operator_raft_snapshot_restore.go
+++ b/command/operator_raft_snapshot_restore.go
@@ -1,109 +1,120 @@
 // Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
+// SPDX-License-Identifier: MPL-2.0
 
-package command
+package eventbus
 
 import (
-	"fmt"
-	"os"
-	"strings"
+	"slices"
+	"sort"
+	"sync"
 
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/ryanuber/go-glob"
 )
 
-var (
-	_ cli.Command             = (*OperatorRaftSnapshotRestoreCommand)(nil)
-	_ cli.CommandAutocomplete = (*OperatorRaftSnapshotRestoreCommand)(nil)
-)
-
-type OperatorRaftSnapshotRestoreCommand struct {
-	flagForce bool
-	*BaseCommand
-}
-
-func (c *OperatorRaftSnapshotRestoreCommand) Synopsis() string {
-	return "Installs the provided snapshot, returning the cluster to the state defined in it"
+// Filters keeps track of all the event patterns that each node is interested in.
+type Filters struct {
+	lock    sync.RWMutex
+	self    nodeID
+	filters map[nodeID]*NodeFilter
 }
 
-func (c *OperatorRaftSnapshotRestoreCommand) Help() string {
-	helpText := `
-Usage: vault operator raft snapshot restore <snapshot_file>
-
-  Installs the provided snapshot, returning the cluster to the state defined in it.
-
-	  $ vault operator raft snapshot restore raft.snap
-
-` + c.Flags().Help()
+// nodeID is used to syntactically indicate that the string is a node's name identifier.
+type nodeID string
 
-	return strings.TrimSpace(helpText)
+// pattern is used to represent one or more combinations of patterns
+type pattern struct {
+	eventTypePattern  string
+	namespacePatterns []string
 }
 
-func (c *OperatorRaftSnapshotRestoreCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-
-	f := set.NewFlagSet("Command Options")
-
-	f.BoolVar(&BoolVar{
-		Name:    "force",
-		Target:  &c.flagForce,
-		Default: false,
-		Usage:   "This bypasses checks ensuring the Autounseal or shamir keys are consistent with the snapshot data.",
-	})
-
-	return set
+// NodeFilter keeps track of all patterns that a particular node is interested in.
+type NodeFilter struct {
+	patterns []pattern
 }
 
-func (c *OperatorRaftSnapshotRestoreCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictAnything
+func (nf *NodeFilter) match(ns *namespace.Namespace, eventType logical.EventType) bool {
+	if nf == nil {
+		return false
+	}
+	for _, p := range nf.patterns {
+		if glob.Glob(p.eventTypePattern, string(eventType)) {
+			for _, nsp := range p.namespacePatterns {
+				if glob.Glob(nsp, ns.Path) {
+					return true
+				}
+			}
+		}
+	}
+	return false
 }
 
-func (c *OperatorRaftSnapshotRestoreCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
+// NewFilters creates an empty set of filters to keep track of each node's pattern interests.
+func NewFilters(self string) *Filters {
+	return &Filters{
+		self:    nodeID(self),
+		filters: map[nodeID]*NodeFilter{},
+	}
 }
 
-func (c *OperatorRaftSnapshotRestoreCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
+// addPattern adds a pattern to a node's list.
+func (f *Filters) addPattern(node nodeID, namespacePatterns []string, eventTypePattern string) {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+	if _, ok := f.filters[node]; !ok {
+		f.filters[node] = &NodeFilter{}
 	}
+	nsPatterns := slices.Clone(namespacePatterns)
+	sort.Strings(nsPatterns)
+	f.filters[node].patterns = append(f.filters[node].patterns, pattern{eventTypePattern: eventTypePattern, namespacePatterns: nsPatterns})
+}
 
-	snapFile := ""
-
-	args = f.Args()
-	switch len(args) {
-	case 1:
-		snapFile = strings.TrimSpace(args[0])
-	default:
-		c.UI.Error(fmt.Sprintf("Incorrect arguments (expected 1, got %d)", len(args)))
-		return 1
-	}
+func (f *Filters) addNsPattern(node nodeID, ns *namespace.Namespace, eventTypePattern string) {
+	f.addPattern(node, []string{ns.Path}, eventTypePattern)
+}
 
-	if len(snapFile) == 0 {
-		c.UI.Error("Snapshot file name is required")
-		return 1
+// removePattern removes a pattern from a node's list.
+func (f *Filters) removePattern(node nodeID, namespacePatterns []string, eventTypePattern string) {
+	nsPatterns := slices.Clone(namespacePatterns)
+	sort.Strings(nsPatterns)
+	check := pattern{eventTypePattern: eventTypePattern, namespacePatterns: nsPatterns}
+	f.lock.Lock()
+	defer f.lock.Unlock()
+	filters, ok := f.filters[node]
+	if !ok {
+		return
 	}
+	filters.patterns = slices.DeleteFunc(filters.patterns, func(m pattern) bool {
+		return m.eventTypePattern == check.eventTypePattern &&
+			slices.Equal(m.namespacePatterns, check.namespacePatterns)
+	})
+}
 
-	snapReader, err := os.Open(snapFile)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error opening policy file: %s", err))
-		return 2
-	}
-	defer snapReader.Close()
+func (f *Filters) removeNsPattern(node nodeID, ns *namespace.Namespace, eventTypePattern string) {
+	f.removePattern(node, []string{ns.Path}, eventTypePattern)
+}
 
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
+// anyMatch returns true if any node's pattern list matches the arguments.
+func (f *Filters) anyMatch(ns *namespace.Namespace, eventType logical.EventType) bool {
+	f.lock.RLock()
+	defer f.lock.RUnlock()
+	for _, nf := range f.filters {
+		if nf.match(ns, eventType) {
+			return true
+		}
 	}
+	return false
+}
 
-	err = client.Sys().RaftSnapshotRestore(snapReader, c.flagForce)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error installing the snapshot: %s", err))
-		return 2
-	}
+// nodeMatch returns true if the given node's pattern list matches the arguments.
+func (f *Filters) nodeMatch(node nodeID, ns *namespace.Namespace, eventType logical.EventType) bool {
+	f.lock.RLock()
+	defer f.lock.RUnlock()
+	return f.filters[node].match(ns, eventType)
+}
 
-	return 0
+// localMatch returns true if the local node's pattern list matches the arguments.
+func (f *Filters) localMatch(ns *namespace.Namespace, eventType logical.EventType) bool {
+	return f.nodeMatch(f.self, ns, eventType)
 }
diff --git a/command/operator_raft_snapshot_save.go b/command/operator_raft_snapshot_save.go
index 95ecae87c09d..034fb74f95a6 100644
--- a/command/operator_raft_snapshot_save.go
+++ b/command/operator_raft_snapshot_save.go
@@ -1,129 +1,31 @@
 // Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
+// SPDX-License-Identifier: MPL-2.0
 
-package command
+package eventbus
 
 import (
-	"fmt"
-	"io"
-	"os"
-	"strings"
+	"testing"
 
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/stretchr/testify/assert"
 )
 
-var (
-	_ cli.Command             = (*OperatorRaftSnapshotSaveCommand)(nil)
-	_ cli.CommandAutocomplete = (*OperatorRaftSnapshotSaveCommand)(nil)
-)
-
-type OperatorRaftSnapshotSaveCommand struct {
-	*BaseCommand
-}
-
-func (c *OperatorRaftSnapshotSaveCommand) Synopsis() string {
-	return "Saves a snapshot of the current state of the Raft cluster into a file"
-}
-
-func (c *OperatorRaftSnapshotSaveCommand) Help() string {
-	helpText := `
-Usage: vault operator raft snapshot save <snapshot_file>
-
-  Saves a snapshot of the current state of the Raft cluster into a file.
-
-	  $ vault operator raft snapshot save raft.snap
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *OperatorRaftSnapshotSaveCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-
-	return set
-}
-
-func (c *OperatorRaftSnapshotSaveCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictAnything
-}
-
-func (c *OperatorRaftSnapshotSaveCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *OperatorRaftSnapshotSaveCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	path := ""
-
-	args = f.Args()
-	switch len(args) {
-	case 1:
-		path = strings.TrimSpace(args[0])
-	default:
-		c.UI.Error(fmt.Sprintf("Incorrect arguments (expected 1, got %d)", len(args)))
-		return 1
-	}
-
-	if len(path) == 0 {
-		c.UI.Error("Output file name is required")
-		return 1
-	}
-
-	w := &lazyOpenWriter{
-		openFunc: func() (io.WriteCloser, error) {
-			return os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600)
-		},
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		w.Close()
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	err = client.Sys().RaftSnapshot(w)
-	if err != nil {
-		w.Close()
-		c.UI.Error(fmt.Sprintf("Error taking the snapshot: %s", err))
-		return 2
-	}
-
-	err = w.Close()
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error taking the snapshot: %s", err))
-		return 2
-	}
-	return 0
-}
-
-type lazyOpenWriter struct {
-	openFunc func() (io.WriteCloser, error)
-	writer   io.WriteCloser
-}
-
-func (l *lazyOpenWriter) Write(p []byte) (n int, err error) {
-	if l.writer == nil {
-		var err error
-		l.writer, err = l.openFunc()
-		if err != nil {
-			return 0, err
-		}
-	}
-	return l.writer.Write(p)
-}
-
-func (l *lazyOpenWriter) Close() error {
-	if l.writer != nil {
-		return l.writer.Close()
-	}
-	return nil
+// TestFilters_AddRemoveMatchLocal checks that basic matching, adding, and removing of patterns all work.
+func TestFilters_AddRemoveMatchLocal(t *testing.T) {
+	f := NewFilters("self")
+	ns := &namespace.Namespace{
+		ID:   "ns1",
+		Path: "ns1",
+	}
+
+	assert.False(t, f.localMatch(ns, "abc"))
+	assert.False(t, f.anyMatch(ns, "abc"))
+	f.addNsPattern("self", ns, "abc")
+	assert.True(t, f.localMatch(ns, "abc"))
+	assert.False(t, f.localMatch(ns, "abcd"))
+	assert.True(t, f.anyMatch(ns, "abc"))
+	assert.False(t, f.anyMatch(ns, "abcd"))
+	f.removeNsPattern("self", ns, "abc")
+	assert.False(t, f.localMatch(ns, "abc"))
+	assert.False(t, f.anyMatch(ns, "abc"))
 }
diff --git a/command/operator_rekey.go b/command/operator_rekey.go
index 415b634a07ad..4d46dfa46daa 100644
--- a/command/operator_rekey.go
+++ b/command/operator_rekey.go
@@ -1,786 +1,258 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"bytes"
-	"fmt"
-	"io"
-	"os"
-	"strings"
-
-	"github.com/fatih/structs"
-	"github.com/hashicorp/go-secure-stdlib/password"
-	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/helper/pgpkeys"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*OperatorRekeyCommand)(nil)
-	_ cli.CommandAutocomplete = (*OperatorRekeyCommand)(nil)
-)
-
-const (
-	keyTypeRecovery = "Recovery"
-	keyTypeUnseal   = "Unseal"
-)
-
-type OperatorRekeyCommand struct {
-	*BaseCommand
-
-	flagCancel       bool
-	flagInit         bool
-	flagKeyShares    int
-	flagKeyThreshold int
-	flagNonce        string
-	flagPGPKeys      []string
-	flagStatus       bool
-	flagTarget       string
-	flagVerify       bool
-
-	// Backup options
-	flagBackup         bool
-	flagBackupDelete   bool
-	flagBackupRetrieve bool
-
-	testStdin io.Reader // for tests
-}
-
-func (c *OperatorRekeyCommand) Synopsis() string {
-	return "Generates new unseal keys"
-}
-
-func (c *OperatorRekeyCommand) Help() string {
-	helpText := `
-Usage: vault operator rekey [options] [KEY]
-
-  Generates a new set of unseal keys. This can optionally change the total
-  number of key shares or the required threshold of those key shares to
-  reconstruct the root key. This operation is zero downtime, but it requires
-  the Vault is unsealed and a quorum of existing unseal keys are provided.
-
-  An unseal key may be provided directly on the command line as an argument to
-  the command. If key is specified as "-", the command will read from stdin. If
-  a TTY is available, the command will prompt for text.
-
-  If the flag -target=recovery is supplied, then this operation will require a
-  quorum of recovery keys in order to generate a new set of recovery keys. 
-
-  Initialize a rekey:
-
-      $ vault operator rekey \
-          -init \
-          -key-shares=15 \
-          -key-threshold=9
-
-  Rekey and encrypt the resulting unseal keys with PGP:
-
-      $ vault operator rekey \
-          -init \
-          -key-shares=3 \
-          -key-threshold=2 \
-          -pgp-keys="keybase:hashicorp,keybase:jefferai,keybase:sethvargo"
-
-  Store encrypted PGP keys in Vault's core:
-
-      $ vault operator rekey \
-          -init \
-          -pgp-keys="..." \
-          -backup
-
-  Retrieve backed-up unseal keys:
-
-      $ vault operator rekey -backup-retrieve
-
-  Delete backed-up unseal keys:
-
-      $ vault operator rekey -backup-delete
-
-` + c.Flags().Help()
-	return strings.TrimSpace(helpText)
-}
-
-func (c *OperatorRekeyCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-
-	f := set.NewFlagSet("Common Options")
-
-	f.BoolVar(&BoolVar{
-		Name:    "init",
-		Target:  &c.flagInit,
-		Default: false,
-		Usage: "Initialize the rekeying operation. This can only be done if no " +
-			"rekeying operation is in progress. Customize the new number of key " +
-			"shares and key threshold using the -key-shares and -key-threshold " +
-			"flags.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "cancel",
-		Target:  &c.flagCancel,
-		Default: false,
-		Usage: "Reset the rekeying progress. This will discard any submitted " +
-			"unseal keys, recovery keys, or configuration.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "status",
-		Target:  &c.flagStatus,
-		Default: false,
-		Usage: "Print the status of the current attempt without providing an " +
-			"unseal or recovery key.",
-	})
-
-	f.IntVar(&IntVar{
-		Name:       "key-shares",
-		Aliases:    []string{"n"},
-		Target:     &c.flagKeyShares,
-		Default:    5,
-		Completion: complete.PredictAnything,
-		Usage: "Number of key shares to split the generated root key into. " +
-			"This is the number of \"unseal keys\" or \"recovery keys\" to generate.",
-	})
-
-	f.IntVar(&IntVar{
-		Name:       "key-threshold",
-		Aliases:    []string{"t"},
-		Target:     &c.flagKeyThreshold,
-		Default:    3,
-		Completion: complete.PredictAnything,
-		Usage: "Number of key shares required to reconstruct the root key. " +
-			"This must be less than or equal to -key-shares.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "nonce",
-		Target:     &c.flagNonce,
-		Default:    "",
-		EnvVar:     "",
-		Completion: complete.PredictAnything,
-		Usage: "Nonce value provided at initialization. The same nonce value " +
-			"must be provided with each unseal or recovery key.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "target",
-		Target:     &c.flagTarget,
-		Default:    "barrier",
-		EnvVar:     "",
-		Completion: complete.PredictSet("barrier", "recovery"),
-		Usage: "Target for rekeying. \"recovery\" only applies when HSM support " +
-			"is enabled.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "verify",
-		Target:  &c.flagVerify,
-		Default: false,
-		Usage: "Indicates that the action (-status, -cancel, or providing a key " +
-			"share) will be affecting verification for the current rekey " +
-			"attempt.",
-	})
-
-	f.VarFlag(&VarFlag{
-		Name:       "pgp-keys",
-		Value:      (*pgpkeys.PubKeyFilesFlag)(&c.flagPGPKeys),
-		Completion: complete.PredictAnything,
-		Usage: "Comma-separated list of paths to files on disk containing " +
-			"public PGP keys OR a comma-separated list of Keybase usernames using " +
-			"the format \"keybase:<username>\". When supplied, the generated " +
-			"unseal or recovery keys will be encrypted and base64-encoded in the order " +
-			"specified in this list.",
-	})
-
-	f = set.NewFlagSet("Backup Options")
-
-	f.BoolVar(&BoolVar{
-		Name:    "backup",
-		Target:  &c.flagBackup,
-		Default: false,
-		Usage: "Store a backup of the current PGP encrypted unseal or recovery keys in " +
-			"Vault's core. The encrypted values can be recovered in the event of " +
-			"failure or discarded after success. See the -backup-delete and " +
-			"-backup-retrieve options for more information. This option only " +
-			"applies when the existing unseal or recovery keys were PGP encrypted.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "backup-delete",
-		Target:  &c.flagBackupDelete,
-		Default: false,
-		Usage:   "Delete any stored backup unseal or recovery keys.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "backup-retrieve",
-		Target:  &c.flagBackupRetrieve,
-		Default: false,
-		Usage: "Retrieve the backed-up unseal or recovery keys. This option is only available " +
-			"if the PGP keys were provided and the backup has not been deleted.",
-	})
-
-	return set
-}
-
-func (c *OperatorRekeyCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictAnything
-}
-
-func (c *OperatorRekeyCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *OperatorRekeyCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	if len(args) > 1 {
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0-1, got %d)", len(args)))
-		return 1
-	}
-
-	// Create the client
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	switch {
-	case c.flagBackupDelete:
-		return c.backupDelete(client)
-	case c.flagBackupRetrieve:
-		return c.backupRetrieve(client)
-	case c.flagCancel:
-		return c.cancel(client)
-	case c.flagInit:
-		return c.init(client)
-	case c.flagStatus:
-		return c.status(client)
-	default:
-		// If there are no other flags, prompt for an unseal key.
-		key := ""
-		if len(args) > 0 {
-			key = strings.TrimSpace(args[0])
-		}
-		return c.provide(client, key)
-	}
-}
-
-// init starts the rekey process.
-func (c *OperatorRekeyCommand) init(client *api.Client) int {
-	// Handle the different API requests
-	var fn func(*api.RekeyInitRequest) (*api.RekeyStatusResponse, error)
-	keyTypeRequired := keyTypeUnseal
-	switch strings.ToLower(strings.TrimSpace(c.flagTarget)) {
-	case "barrier":
-		fn = client.Sys().RekeyInit
-	case "recovery", "hsm":
-		keyTypeRequired = keyTypeRecovery
-		fn = client.Sys().RekeyRecoveryKeyInit
-	default:
-		c.UI.Error(fmt.Sprintf("Unknown target: %s", c.flagTarget))
-		return 1
-	}
-
-	// Make the request
-	status, err := fn(&api.RekeyInitRequest{
-		SecretShares:        c.flagKeyShares,
-		SecretThreshold:     c.flagKeyThreshold,
-		PGPKeys:             c.flagPGPKeys,
-		Backup:              c.flagBackup,
-		RequireVerification: c.flagVerify,
-	})
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error initializing rekey: %s", err))
-		return 2
-	}
-
-	// Print warnings about recovery, etc.
-	if len(c.flagPGPKeys) == 0 {
-		if Format(c.UI) == "table" {
-			c.UI.Warn(wrapAtLength(
-				fmt.Sprintf("WARNING! If you lose the keys after they are returned, there is no "+
-					"recovery. Consider canceling this operation and re-initializing "+
-					"with the -pgp-keys flag to protect the returned %s keys along "+
-					"with -backup to allow recovery of the encrypted keys in case of "+
-					"emergency. You can delete the stored keys later using the -delete "+
-					"flag.", strings.ToLower(keyTypeRequired))))
-			c.UI.Output("")
-		}
-	}
-	if len(c.flagPGPKeys) > 0 && !c.flagBackup {
-		if Format(c.UI) == "table" {
-			c.UI.Warn(wrapAtLength(
-				fmt.Sprintf("WARNING! You are using PGP keys for encrypted the resulting %s "+
-					"keys, but you did not enable the option to backup the keys to "+
-					"Vault's core. If you lose the encrypted keys after they are "+
-					"returned, you will not be able to recover them. Consider canceling "+
-					"this operation and re-running with -backup to allow recovery of the "+
-					"encrypted unseal keys in case of emergency. You can delete the "+
-					"stored keys later using the -delete flag.", strings.ToLower(keyTypeRequired))))
-			c.UI.Output("")
-		}
-	}
-
-	// Provide the current status
-	return c.printStatus(status)
-}
-
-// cancel is used to abort the rekey process.
-func (c *OperatorRekeyCommand) cancel(client *api.Client) int {
-	// Handle the different API requests
-	var fn func() error
-	switch strings.ToLower(strings.TrimSpace(c.flagTarget)) {
-	case "barrier":
-		fn = client.Sys().RekeyCancel
-		if c.flagVerify {
-			fn = client.Sys().RekeyVerificationCancel
-		}
-	case "recovery", "hsm":
-		fn = client.Sys().RekeyRecoveryKeyCancel
-		if c.flagVerify {
-			fn = client.Sys().RekeyRecoveryKeyVerificationCancel
-		}
-
-	default:
-		c.UI.Error(fmt.Sprintf("Unknown target: %s", c.flagTarget))
-		return 1
-	}
-
-	// Make the request
-	if err := fn(); err != nil {
-		c.UI.Error(fmt.Sprintf("Error canceling rekey: %s", err))
-		return 2
-	}
-
-	c.UI.Output("Success! Canceled rekeying (if it was started)")
-	return 0
-}
-
-// provide prompts the user for the seal key and posts it to the update root
-// endpoint. If this is the last unseal, this function outputs it.
-func (c *OperatorRekeyCommand) provide(client *api.Client, key string) int {
-	var statusFn func() (interface{}, error)
-	var updateFn func(string, string) (interface{}, error)
-	keyTypeRequired := keyTypeUnseal
-	switch strings.ToLower(strings.TrimSpace(c.flagTarget)) {
-	case "barrier":
-		statusFn = func() (interface{}, error) {
-			return client.Sys().RekeyStatus()
-		}
-		updateFn = func(s1 string, s2 string) (interface{}, error) {
-			return client.Sys().RekeyUpdate(s1, s2)
-		}
-		if c.flagVerify {
-			statusFn = func() (interface{}, error) {
-				return client.Sys().RekeyVerificationStatus()
-			}
-			updateFn = func(s1 string, s2 string) (interface{}, error) {
-				return client.Sys().RekeyVerificationUpdate(s1, s2)
-			}
-		}
-	case "recovery", "hsm":
-		keyTypeRequired = keyTypeRecovery
-		statusFn = func() (interface{}, error) {
-			return client.Sys().RekeyRecoveryKeyStatus()
-		}
-		updateFn = func(s1 string, s2 string) (interface{}, error) {
-			return client.Sys().RekeyRecoveryKeyUpdate(s1, s2)
-		}
-		if c.flagVerify {
-			statusFn = func() (interface{}, error) {
-				return client.Sys().RekeyRecoveryKeyVerificationStatus()
-			}
-			updateFn = func(s1 string, s2 string) (interface{}, error) {
-				return client.Sys().RekeyRecoveryKeyVerificationUpdate(s1, s2)
-			}
-		}
-	default:
-		c.UI.Error(fmt.Sprintf("Unknown target: %s", c.flagTarget))
-		return 1
-	}
-
-	status, err := statusFn()
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error getting rekey status: %s", err))
-		return 2
-	}
-
-	var started bool
-	var nonce string
-
-	switch status := status.(type) {
-	case *api.RekeyStatusResponse:
-		stat := status
-		started = stat.Started
-		nonce = stat.Nonce
-	case *api.RekeyVerificationStatusResponse:
-		stat := status
-		started = stat.Started
-		nonce = stat.Nonce
-	default:
-		c.UI.Error("Unknown status type")
-		return 1
-	}
-
-	// Verify a root token generation is in progress. If there is not one in
-	// progress, return an error instructing the user to start one.
-	if !started {
-		c.UI.Error(wrapAtLength(
-			"No rekey is in progress. Start a rekey process by running " +
-				"\"vault operator rekey -init\"."))
-		return 1
-	}
-
-	switch key {
-	case "-": // Read from stdin
-		nonce = c.flagNonce
-
-		// Pull our fake stdin if needed
-		stdin := (io.Reader)(os.Stdin)
-		if c.testStdin != nil {
-			stdin = c.testStdin
-		}
-
-		var buf bytes.Buffer
-		if _, err := io.Copy(&buf, stdin); err != nil {
-			c.UI.Error(fmt.Sprintf("Failed to read from stdin: %s", err))
-			return 1
-		}
-
-		key = buf.String()
-	case "": // Prompt using the tty
-		// Nonce value is not required if we are prompting via the terminal
-		w := getWriterFromUI(c.UI)
-		fmt.Fprintf(w, "Rekey operation nonce: %s\n", nonce)
-		fmt.Fprintf(w, "%s Key (will be hidden): ", keyTypeRequired)
-		key, err = password.Read(os.Stdin)
-		fmt.Fprintf(w, "\n")
-		if err != nil {
-			if err == password.ErrInterrupted {
-				c.UI.Error("user canceled")
-				return 1
-			}
-
-			c.UI.Error(wrapAtLength(fmt.Sprintf("An error occurred attempting to "+
-				"ask for the %s key. The raw error message is shown below, but "+
-				"usually this is because you attempted to pipe a value into the "+
-				"command or you are executing outside of a terminal (tty). If you "+
-				"want to pipe the value, pass \"-\" as the argument to read from "+
-				"stdin. The raw error was: %s", strings.ToLower(keyTypeRequired), err)))
-			return 1
-		}
-	default: // Supplied directly as an arg
-		nonce = c.flagNonce
-	}
-
-	// Trim any whitespace from they key, especially since we might have
-	// prompted the user for it.
-	key = strings.TrimSpace(key)
-
-	// Verify we have a nonce value
-	if nonce == "" {
-		c.UI.Error("Missing nonce value: specify it via the -nonce flag")
-		return 1
-	}
-
-	// Provide the key, this may potentially complete the update
-	resp, err := updateFn(key, nonce)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error posting unseal key: %s", err))
-		return 2
-	}
-
-	var complete bool
-	var mightContainUnsealKeys bool
-
-	switch resp := resp.(type) {
-	case *api.RekeyUpdateResponse:
-		complete = resp.Complete
-		mightContainUnsealKeys = true
-	case *api.RekeyVerificationUpdateResponse:
-		complete = resp.Complete
-	default:
-		c.UI.Error("Unknown update response type")
-		return 1
-	}
-
-	if !complete {
-		return c.status(client)
-	}
-
-	if mightContainUnsealKeys {
-		return c.printUnsealKeys(client, status.(*api.RekeyStatusResponse),
-			resp.(*api.RekeyUpdateResponse))
-	}
-
-	c.UI.Output(wrapAtLength("Rekey verification successful. The rekey operation is complete and the new keys are now active."))
-	return 0
-}
-
-// status is used just to fetch and dump the status.
-func (c *OperatorRekeyCommand) status(client *api.Client) int {
-	// Handle the different API requests
-	var fn func() (interface{}, error)
-	switch strings.ToLower(strings.TrimSpace(c.flagTarget)) {
-	case "barrier":
-		fn = func() (interface{}, error) {
-			return client.Sys().RekeyStatus()
-		}
-		if c.flagVerify {
-			fn = func() (interface{}, error) {
-				return client.Sys().RekeyVerificationStatus()
-			}
-		}
-	case "recovery", "hsm":
-		fn = func() (interface{}, error) {
-			return client.Sys().RekeyRecoveryKeyStatus()
-		}
-		if c.flagVerify {
-			fn = func() (interface{}, error) {
-				return client.Sys().RekeyRecoveryKeyVerificationStatus()
-			}
-		}
-	default:
-		c.UI.Error(fmt.Sprintf("Unknown target: %s", c.flagTarget))
-		return 1
-	}
-
-	// Make the request
-	status, err := fn()
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error reading rekey status: %s", err))
-		return 2
-	}
-
-	return c.printStatus(status)
-}
-
-// backupRetrieve retrieves the stored backup keys.
-func (c *OperatorRekeyCommand) backupRetrieve(client *api.Client) int {
-	// Handle the different API requests
-	var fn func() (*api.RekeyRetrieveResponse, error)
-	switch strings.ToLower(strings.TrimSpace(c.flagTarget)) {
-	case "barrier":
-		fn = client.Sys().RekeyRetrieveBackup
-	case "recovery", "hsm":
-		fn = client.Sys().RekeyRetrieveRecoveryBackup
-	default:
-		c.UI.Error(fmt.Sprintf("Unknown target: %s", c.flagTarget))
-		return 1
-	}
-
-	// Make the request
-	storedKeys, err := fn()
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error retrieving rekey stored keys: %s", err))
-		return 2
-	}
-
-	secret := &api.Secret{
-		Data: structs.New(storedKeys).Map(),
-	}
-
-	return OutputSecret(c.UI, secret)
-}
-
-// backupDelete deletes the stored backup keys.
-func (c *OperatorRekeyCommand) backupDelete(client *api.Client) int {
-	// Handle the different API requests
-	var fn func() error
-	switch strings.ToLower(strings.TrimSpace(c.flagTarget)) {
-	case "barrier":
-		fn = client.Sys().RekeyDeleteBackup
-	case "recovery", "hsm":
-		fn = client.Sys().RekeyDeleteRecoveryBackup
-	default:
-		c.UI.Error(fmt.Sprintf("Unknown target: %s", c.flagTarget))
-		return 1
-	}
-
-	// Make the request
-	if err := fn(); err != nil {
-		c.UI.Error(fmt.Sprintf("Error deleting rekey stored keys: %s", err))
-		return 2
-	}
-
-	c.UI.Output("Success! Delete stored keys (if they existed)")
-	return 0
-}
-
-// printStatus dumps the status to output
-func (c *OperatorRekeyCommand) printStatus(in interface{}) int {
-	out := []string{}
-	out = append(out, "Key | Value")
-
-	switch in := in.(type) {
-	case *api.RekeyStatusResponse:
-		status := in
-		out = append(out, fmt.Sprintf("Nonce | %s", status.Nonce))
-		out = append(out, fmt.Sprintf("Started | %t", status.Started))
-		if status.Started {
-			if status.Progress == status.Required {
-				out = append(out, fmt.Sprintf("Rekey Progress | %d/%d (verification in progress)", status.Progress, status.Required))
-			} else {
-				out = append(out, fmt.Sprintf("Rekey Progress | %d/%d", status.Progress, status.Required))
-			}
-			out = append(out, fmt.Sprintf("New Shares | %d", status.N))
-			out = append(out, fmt.Sprintf("New Threshold | %d", status.T))
-			out = append(out, fmt.Sprintf("Verification Required | %t", status.VerificationRequired))
-			if status.VerificationNonce != "" {
-				out = append(out, fmt.Sprintf("Verification Nonce | %s", status.VerificationNonce))
-			}
-		}
-		if len(status.PGPFingerprints) > 0 {
-			out = append(out, fmt.Sprintf("PGP Fingerprints | %s", status.PGPFingerprints))
-			out = append(out, fmt.Sprintf("Backup | %t", status.Backup))
-		}
-	case *api.RekeyVerificationStatusResponse:
-		status := in
-		out = append(out, fmt.Sprintf("Started | %t", status.Started))
-		out = append(out, fmt.Sprintf("New Shares | %d", status.N))
-		out = append(out, fmt.Sprintf("New Threshold | %d", status.T))
-		out = append(out, fmt.Sprintf("Verification Nonce | %s", status.Nonce))
-		out = append(out, fmt.Sprintf("Verification Progress | %d/%d", status.Progress, status.T))
-	default:
-		c.UI.Error("Unknown status type")
-		return 1
-	}
-
-	switch Format(c.UI) {
-	case "table":
-		c.UI.Output(tableOutput(out, nil))
-		return 0
-	default:
-		return OutputData(c.UI, in)
-	}
-}
-
-func (c *OperatorRekeyCommand) printUnsealKeys(client *api.Client, status *api.RekeyStatusResponse, resp *api.RekeyUpdateResponse) int {
-	switch Format(c.UI) {
-	case "table":
-	default:
-		return OutputData(c.UI, resp)
-	}
-
-	// Space between the key prompt, if any, and the output
-	c.UI.Output("")
-
-	// Provide the keys
-	var haveB64 bool
-	if resp.KeysB64 != nil && len(resp.KeysB64) == len(resp.Keys) {
-		haveB64 = true
-	}
-	for i, key := range resp.Keys {
-		if len(resp.PGPFingerprints) > 0 {
-			if haveB64 {
-				c.UI.Output(fmt.Sprintf("Key %d fingerprint: %s; value: %s", i+1, resp.PGPFingerprints[i], resp.KeysB64[i]))
-			} else {
-				c.UI.Output(fmt.Sprintf("Key %d fingerprint: %s; value: %s", i+1, resp.PGPFingerprints[i], key))
-			}
-		} else {
-			if haveB64 {
-				c.UI.Output(fmt.Sprintf("Key %d: %s", i+1, resp.KeysB64[i]))
-			} else {
-				c.UI.Output(fmt.Sprintf("Key %d: %s", i+1, key))
-			}
-		}
-	}
-
-	c.UI.Output("")
-	c.UI.Output(fmt.Sprintf("Operation nonce: %s", resp.Nonce))
-
-	if len(resp.PGPFingerprints) > 0 && resp.Backup {
-		c.UI.Output("")
-		switch strings.ToLower(strings.TrimSpace(c.flagTarget)) {
-		case "barrier":
-			c.UI.Output(wrapAtLength(fmt.Sprintf(
-				"The encrypted unseal keys are backed up to \"core/unseal-keys-backup\" " +
-					"in the storage backend. Remove these keys at any time using " +
-					"\"vault operator rekey -backup-delete\". Vault does not automatically " +
-					"remove these keys.",
-			)))
-		case "recovery", "hsm":
-			c.UI.Output(wrapAtLength(fmt.Sprintf(
-				"The encrypted recovery keys are backed up to \"core/recovery-keys-backup\" " +
-					"in the storage backend. Remove these keys at any time using " +
-					"\"vault operator rekey -backup-delete -target=recovery\". Vault does not automatically " +
-					"remove these keys.",
-			)))
-		}
-	}
-
-	switch status.VerificationRequired {
-	case false:
-		c.UI.Output("")
-		switch strings.ToLower(strings.TrimSpace(c.flagTarget)) {
-		case "barrier":
-			c.UI.Output(wrapAtLength(fmt.Sprintf(
-				"Vault unseal keys rekeyed with %d key shares and a key threshold of %d. Please "+
-					"securely distribute the key shares printed above. When Vault is "+
-					"re-sealed, restarted, or stopped, you must supply at least %d of "+
-					"these keys to unseal it before it can start servicing requests.",
-				status.N,
-				status.T,
-				status.T)))
-		case "recovery", "hsm":
-			c.UI.Output(wrapAtLength(fmt.Sprintf(
-				"Vault recovery keys rekeyed with %d key shares and a key threshold of %d. Please "+
-					"securely distribute the key shares printed above.",
-				status.N,
-				status.T)))
-		}
-
-	default:
-		c.UI.Output("")
-		var warningText string
-		switch strings.ToLower(strings.TrimSpace(c.flagTarget)) {
-		case "barrier":
-			c.UI.Output(wrapAtLength(fmt.Sprintf(
-				"Vault has created a new unseal key, split into %d key shares and a key threshold "+
-					"of %d. These will not be active until after verification is complete. "+
-					"Please securely distribute the key shares printed above. When Vault "+
-					"is re-sealed, restarted, or stopped, you must supply at least %d of "+
-					"these keys to unseal it before it can start servicing requests.",
-				status.N,
-				status.T,
-				status.T)))
-			warningText = "unseal"
-		case "recovery", "hsm":
-			c.UI.Output(wrapAtLength(fmt.Sprintf(
-				"Vault has created a new recovery key, split into %d key shares and a key threshold "+
-					"of %d. These will not be active until after verification is complete. "+
-					"Please securely distribute the key shares printed above.",
-				status.N,
-				status.T)))
-			warningText = "authenticate with"
-
-		}
-		c.UI.Output("")
-		c.UI.Warn(wrapAtLength(fmt.Sprintf(
-			"Again, these key shares are _not_ valid until verification is performed. "+
-				"Do not lose or discard your current key shares until after verification "+
-				"is complete or you will be unable to %s Vault. If you cancel the "+
-				"rekey process or seal Vault before verification is complete the new "+
-				"shares will be discarded and the current shares will remain valid.", warningText)))
-		c.UI.Output("")
-		c.UI.Warn(wrapAtLength(
-			"The current verification status, including initial nonce, is shown below.",
-		))
-		c.UI.Output("")
-
-		c.flagVerify = true
-		return c.status(client)
-	}
-
-	return 0
-}
+---
+layout: docs
+page_title: Vault Enterprise FIPS 140-2 Inside
+description: |-
+  Vault Enterprise features a special build with FIPS 140-2 support built into
+  the Vault binary. This can directly be used for FIPS compliance.
+---
+
+# FIPS 140-2 inside
+
+@include 'alerts/enterprise-only.mdx'
+
+Special builds of Vault Enterprise (marked with a `fips1402` feature name)
+include built-in support for FIPS 140-2 compliance. Unlike using Seal Wrap
+for FIPS compliance, this binary has no external dependencies on a HSM.
+
+To use this feature, you must have an active or trial license for Vault
+Enterprise Plus (HSMs). To start a trial, contact [HashiCorp
+sales](mailto:sales@hashicorp.com).
+
+## Using FIPS 140-2 Vault enterprise
+
+FIPS 140-2 Inside versions of Vault Enterprise behave like non-FIPS versions
+of Vault. No restrictions are placed on algorithms; it is up to the operator
+to ensure Vault remains in a FIPS-compliant mode of operation. This means
+configuring some Secrets Engines to permit a limited set of algorithms (e.g.,
+forbidding ed25519-based CAs with PKI Secrets Engines).
+
+Because Vault Enterprise may return secrets in plain text, it is important to
+ensure the Vault server's `listener` configuration section utilizes TLS. This
+ensures secrets are transmitted securely from Server to Client. Additionally,
+note that TLSv1.3 will not work with FIPS 140-2 Inside, as HKDF is not a
+certified primitive. If TLSv1.3 is desired, it is suggested to front Vault
+Server with a FIPS-certified load balancer.
+
+A non-exhaustive list of potential compliance issues include:
+
+ - Using Ed25519 or ChaCha20+Poly1305 keys with the Transit Secrets Engine,
+ - Using Ed25519 keys as CAs in the PKI or SSH Secrets Engines,
+ - Using FF3-1/FPE in Transform Secrets Engine, or
+ - Using a Derived Key (using HKDF) for Agent auto-authing or the Transit
+   Secrets Engine.
+ - Using **Entropy Augmentation**: because BoringCrypto uses its internal,
+   FIPS 140-2 approved RNG, it cannot mix entropy from other sources.
+   Attempting to use EA with FIPS 140-2 HSM enabled binaries will result
+   in failures such as `panic: boringcrypto: invalid code execution`.
+
+Hashicorp can only provide general guidance regarding using Vault Enterprise
+in a FIPS-compliant manner. We are not a NIST-certified testing laboratory
+and thus organizations may need to consult an approved auditor for final
+information.
+
+The FIPS 140-2 variant of Vault uses separate binaries; these are available
+from the following sources:
+
+ - From the [Hashicorp Releases Page](https://releases.hashicorp.com/vault),
+   ending with the `+ent.fips1402` and `+ent.hsm.fips1402` suffixes.
+ - From the [Docker Hub `hashicorp/vault-enterprise-fips`](https://hub.docker.com/r/hashicorp/vault-enterprise-fips)
+   container repository.
+ - From the [AWS ECR `hashicorp/vault-enterprise-fips`](https://gallery.ecr.aws/hashicorp/vault-enterprise-fips)
+   container repository.
+ - From the [Red Hat Access `hashicorp/vault-enterprise-fips`](https://catalog.redhat.com/software/containers/hashicorp/vault-enterprise-fips/628d50e37ff70c66a88517ea)
+   container repository.
+
+~> **Note**: When pulling the FIPS UBI-based images, note that they are
+   ultimately designed for OpenShift certification; consider either adding
+   the `--user root --cap-add IPC_LOCK` options, to allow Vault to enable
+   mlock, or use the `--env SKIP_SETCAP=1` option, to disable mlock
+   completely, as appropriate for your environment.
+
+### Usage restrictions
+
+#### Migration restrictions
+
+Hashicorp **does not** support in-place migrations from non-FIPS Inside
+versions of Vault to FIPS Inside versions of Vault, regardless of version.
+A fresh cluster installation is required to receive support. We generally
+recommend avoiding direct upgrades and replicated-migrations for several
+reasons:
+
+ - Old entries remain encrypted with the old barrier key until overwritten,
+   this barrier key was likely not created by a FIPS library and thus
+   is not compliant.
+ - Many secrets engines internally create keys; things like Transit create
+   and store keys, but don't store any data (inside of Vault) -- these would
+   still need to be accessible and rotated to a new, FIPS-compliant key.
+   Any PKI engines would have also created non-compliant keys, but rotation
+   of say, a Root CA involves a concerted, non-Vault effort to accomplish
+   and must be done thoughtfully.
+
+As such Hashicorp cannot provide support for workloads that are affected
+either technically or via non-compliance that results from converting
+existing cluster workloads to the FIPS 140-2 Inside binary.
+
+Instead, we suggest leaving the existing cluster in place, and carefully
+consider migration of specific workloads to the FIPS-backed cluster.  
+
+#### Entropy augmentation restrictions
+
+Entropy Augmentation **does not** work with FIPS 140-2 Inside. The internal
+BoringCrypto RNG is FIPS 140-2 certified and does not accept entropy from
+other sources. On Vault 1.11.0 and later, attempting to use Entropy
+Augmentation will result in a warning ("Entropy Augmentation is not supported...")
+and Entropy Augmentation will be disabled.
+
+#### TLS restrictions
+
+Vault Enterprise's FIPS modifications include restrictions to supported TLS
+cipher suites and key information. Only the following cipher suites are
+allowed:
+
+ - `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`,
+ - `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`,
+ - `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`,
+ - `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`,
+ - `TLS_RSA_WITH_AES_128_GCM_SHA256`, and
+ - `TLS_RSA_WITH_AES_256_GCM_SHA384`.
+
+Additionally, only the following key types are allowed in TLS chains of trust:
+
+ - RSA 2048, 3072, 4096, 7680, and 8192-bit;
+ - ECDSA P-256, P-384, and P-521.
+
+Finally, only TLSv1.2 or higher is supported in FIPS mode. These are in line
+with recent NIST guidance and recommendations.
+
+#### Heterogeneous cluster deployments
+
+Hashicorp does not support mixed deployment scenarios within the same Vault
+cluster, e.g., mixing FIPS and non-FIPS Vault binary versions, or mixing FIPS
+Inside with FIPS Seal Wrap clusters. Clusters nodes must be of a single
+binary/deployment type across the entire cluster. Usage of Seal Wrap with
+the FIPS Inside binary is permitted.
+
+Running a heterogeneous cluster is not permitted by FIPS, as components of
+the system are not compliant with FIPS.
+
+## Technical details
+
+Vault Enterprise's FIPS 140-2 Inside binaries rely on a special version of the
+Go toolchain which include a FIPS-validated BoringCrypto version. To ensure
+your version of Vault Enterprise includes FIPS support, after starting the
+server, make sure you see a line with `Fips: Enabled`, such as:
+
+```
+                    Fips: FIPS 140-2 Enabled, BoringCrypto version 7
+```
+
+~> **Note**: FIPS 140-2 Inside binaries depend on cgo, which require that a
+   GNU C Library (glibc) Linux distribution be used to run Vault. We've
+   additionally opted to certify only on the AMD64 architecture at this time.
+   This means these binaries will not work on Alpine Linux based containers.
+
+### FIPS 140-2 inside and external plugins
+
+Vault Enterprise's built-in plugins are compiled into the Vault binary using
+the same Go toolchain version that compiled the core Vault; this results in
+these plugins having FIPS 140-2 compliance status as well. This same guarantee
+does not apply to external plugins.
+
+### Validating FIPS 140-2 inside
+
+To validate that the FIPS 140-2 Inside binary correctly includes BoringCrypto,
+run `go tool nm` on the binary to get a symbol dump. On non-FIPS builds,
+searching for `goboringcrypto` in the output will yield no results, but on
+FIPS-enabled builds, you'll see many results with this:
+
+```
+$ go tool nm vault | grep -i goboringcrypto
+  4014d0 T _cgo_6880f0fbb71e_Cfunc__goboringcrypto_AES_cbc_encrypt
+  4014f0 T _cgo_6880f0fbb71e_Cfunc__goboringcrypto_AES_ctr128_encrypt
+  401520 T _cgo_6880f0fbb71e_Cfunc__goboringcrypto_AES_decrypt
+  401540 T _cgo_6880f0fbb71e_Cfunc__goboringcrypto_AES_encrypt
+  401560 T _cgo_6880f0fbb71e_Cfunc__goboringcrypto_AES_set_decrypt_key
+...additional lines elided...
+```
+
+All FIPS cryptographic modules must execute startup tests. BoringCrypto uses
+the `_goboringcrypto_BORINGSSL_bcm_power_on_self_test` symbol for this. To
+ensure the Vault Enterprise binary is correctly executing startup tests, use
+[GDB](https://www.sourceware.org/gdb/) to stop execution on this function to
+ensure it gets hit.
+
+```
+$ gdb --args vault server -dev
+...GDB startup messages elided...
+(gdb) break _goboringcrypto_BORINGSSL_bcm_power_on_self_test
+...breakpoint location elided...
+(gdb) run
+...additional GDB output elided...
+Thread 1 "vault" hit Breakpoint 1, 0x0000000000454950 in _goboringcrypto_BORINGSSL_bcm_power_on_self_test ()
+(gdb) backtrace
+#0 0x0000000000454950 in _goboringcrypto_BORINGSSL_bcm_power_on_self_test ()
+#1 0x00000000005da8f0 in runtime.asmcgocall () at /usr/local/hashicorp-fips-go-devel/src/runtime/asm_amd64.s:765
+#2 0x00007fffd07a5a18 in ?? ()
+#3 0x00007fffffffdf28 in ?? ()
+#4 0x000000000057ebce in runtime.persistentalloc.func1 () at /usr/local/hashicorp-fips-go-devel/src/runtime/malloc.go:1371
+#5 0x00000000005d8a49 in runtime.systemstack () at /usr/local/hashicorp-fips-go-devel/src/runtime/asm_amd64.s:383
+#6 0x00000000005dd189 in runtime.newproc (siz=6129989, fn=0x5d88fb <runtime.rt0_go+315>) at <autogenerated>:1
+#7 0x0000000000000000 in ?? ()
+```
+
+Exact output may vary.
+
+<div {...{"className":"alert alert-warning g-type-body"}}>
+
+**Note**: When executing Vault Enterprise within GDB, GDB must rewrite
+parts of the binary to permit stopping on the specified breakpoint. This
+results in the HMAC of the contained BoringCrypto library changing,
+breaking the FIPS integrity check. If execution were to be continued
+in the example above via the `continue` command, a message like the
+following would be emitted:
+
+```
+Continuing.
+FIPS integrity test failed.
+Expected: 18d35ae031f649825a4269d68d2e62583d060a31d359690f97b9c8bf8120cdf75b405f74be7018094da7eb5261f2f86d0f481cc3b5a9c7c432268d94bf91aad9
+Calculated: 111502a3201de3b23f54b29d79ca6a1a754f94ecfc57a379444aac0d3ada68bf3c06834e6d84e68599bdf763e28e2c994fcdaeac84adabd180b59cad5fc980bb
+
+Thread 1 "vault" received signal SIGABRT, Aborted.
+```
+
+This is expected. Rerunning Vault without GDB (or with no breakpoints
+set -- e.g., `delete 1`) will still result in this function executing, but
+with the FIPS integrity check succeeding.
+
+</div>
+
+### BoringCrypto certification
+
+BoringCrypto Version 7 uses the following FIPS 140-2 Certificate and software
+version:
+
+ - NIST CMVP [Certificate #3678](https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Certificate/3678).
+ - BoringSSL Release [`ae223d6138807a13006342edfeef32e813246b39`](https://github.com/google/boringssl/commit/ae223d6138807a13006342edfeef32e813246b39).
+
+The following algorithms were certified as part of this release:
+
+ - RSA in all key sizes greater than or equal to 2048 bits (tested at 2048
+   and 3072 bits),
+ - ECDSA and ECDH with P-224 (not accessible from Vault), P-256, P-384, and
+   P-521,
+ - AES symmetric encryption with 128/192/256-bit CBC, ECB, and CRT modes and
+   128/256-bit GCM modes,
+ - SHA-1 and SHA-2 (224, 256,384, and 512-bit variants),
+ - HMAC+SHA-2 with 224, 256, 384, and 512-bit variants of SHA-2,
+ - TLSv1.0/TLSv1.1 and TLSv1.2 KDFs,
+ - AES-256 based CRT_DRBG CS-PRNG.
+
+### Leidos compliance
+
+See the updated [Leidos Compliance Letter (V Entr v1.10.0+entrfips) for FIPS Inside](https://www.datocms-assets.com/2885/1653327036-boringcrypto_compliance_letter_signed.pdf) using the Boring Crypto Libraries for more details. All [past letters](https://www.hashicorp.com/vault-compliance) are also available for reference.
+
+What is the difference between Seal Wrap FIPS 140 compliance and the new FIPS Inside compliance?
+- Only the storage of sensitive entries (seal wrapped entries) is covered by FIPS-validated crypto when using Seal Wrapping.
+- The TLS connection to Vault by clients is not covered by FIPS-validated crypto when using Seal Wrapping (it is when using FIPS 140-2 Inside, per items 1, 2, 7, and 13 in the updated letter).
+- The generation of key material  wasn't using FIPS-validated crypto in the Seal Wrap version (for example, the PKI certificates: item 8 in the updated FIPS 140-2 Inside letter; or SSH module: item 10 in the updated FIPS 140-2 Inside letter).
+- With Seal Wrapping, some entries were protected with FIPS-validated crypto, but all crypto in Vault wasn't FIPS certified. With FIPS 140-2 Inside, by default (if the algorithm is certified), Vault will be using the certified crypto implementation.
diff --git a/command/operator_rekey_test.go b/command/operator_rekey_test.go
index f06ac561346e..548a9a089c85 100644
--- a/command/operator_rekey_test.go
+++ b/command/operator_rekey_test.go
@@ -1,687 +1,726 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-//go:build !race
-
 package command
 
 import (
-	"io"
-	"reflect"
-	"regexp"
+	"bytes"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+	"sort"
 	"strings"
-	"testing"
-
-	"github.com/hashicorp/vault/sdk/helper/roottoken"
+	"time"
 
+	"github.com/ghodss/yaml"
+	"github.com/hashicorp/cli"
 	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
+	"github.com/ryanuber/columnize"
+)
+
+const (
+	// hopeDelim is the delimiter to use when splitting columns. We call it a
+	// hopeDelim because we hope that it's never contained in a secret.
+	hopeDelim = "♨"
 )
 
-func testOperatorRekeyCommand(tb testing.TB) (*cli.MockUi, *OperatorRekeyCommand) {
-	tb.Helper()
+type FormatOptions struct {
+	Format string
+}
 
-	ui := cli.NewMockUi()
-	return ui, &OperatorRekeyCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
+func OutputSecret(ui cli.Ui, secret *api.Secret) int {
+	return outputWithFormat(ui, secret, secret)
+}
+
+func OutputList(ui cli.Ui, data interface{}) int {
+	switch data := data.(type) {
+	case *api.Secret:
+		secret := data
+		return outputWithFormat(ui, secret, secret.Data["keys"])
+	default:
+		return outputWithFormat(ui, nil, data)
 	}
 }
 
-func TestOperatorRekeyCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"pgp_keys_multi",
-			[]string{
-				"-init",
-				"-pgp-keys", "keybase:hashicorp",
-				"-pgp-keys", "keybase:jefferai",
-			},
-			"can only be specified once",
-			1,
-		},
-		{
-			"key_shares_pgp_less",
-			[]string{
-				"-init",
-				"-key-shares", "10",
-				"-pgp-keys", "keybase:jefferai,keybase:sethvargo",
-			},
-			"incorrect number",
-			2,
-		},
-		{
-			"key_shares_pgp_more",
-			[]string{
-				"-init",
-				"-key-shares", "1",
-				"-pgp-keys", "keybase:jefferai,keybase:sethvargo",
-			},
-			"incorrect number",
-			2,
-		},
-	}
-
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, tc := range cases {
-			tc := tc
-
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
-
-				client, closer := testVaultServer(t)
-				defer closer()
-
-				ui, cmd := testOperatorRekeyCommand(t)
-				cmd.client = client
-
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
+func OutputData(ui cli.Ui, data interface{}) int {
+	return outputWithFormat(ui, nil, data)
+}
 
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
-	})
+func outputWithFormat(ui cli.Ui, secret *api.Secret, data interface{}) int {
+	format := Format(ui)
+	formatter, ok := Formatters[format]
+	if !ok {
+		ui.Error(fmt.Sprintf("Invalid output format: %s", format))
+		return 1
+	}
 
-	t.Run("status", func(t *testing.T) {
-		t.Parallel()
+	if err := formatter.Output(ui, secret, data); err != nil {
+		ui.Error(fmt.Sprintf("Could not parse output: %s", err.Error()))
+		return 1
+	}
+	return 0
+}
 
-		client, closer := testVaultServer(t)
-		defer closer()
+type Formatter interface {
+	Output(ui cli.Ui, secret *api.Secret, data interface{}) error
+	Format(data interface{}) ([]byte, error)
+}
 
-		ui, cmd := testOperatorRekeyCommand(t)
-		cmd.client = client
+var Formatters = map[string]Formatter{
+	"json":   JsonFormatter{},
+	"table":  TableFormatter{},
+	"yaml":   YamlFormatter{},
+	"yml":    YamlFormatter{},
+	"pretty": PrettyFormatter{},
+	"raw":    RawFormatter{},
+}
 
-		// Verify the non-init response
-		code := cmd.Run([]string{
-			"-status",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
-		}
+func Format(ui cli.Ui) string {
+	switch ui := ui.(type) {
+	case *VaultUI:
+		return ui.format
+	}
 
-		expected := "Nonce"
-		combined := ui.OutputWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
+	format := os.Getenv(EnvVaultFormat)
+	if format == "" {
+		format = "table"
+	}
 
-		// Now init to verify the init response
-		if _, err := client.Sys().RekeyInit(&api.RekeyInitRequest{
-			SecretShares:    1,
-			SecretThreshold: 1,
-		}); err != nil {
-			t.Fatal(err)
-		}
+	return format
+}
 
-		// Verify the init response
-		ui, cmd = testOperatorRekeyCommand(t)
-		cmd.client = client
-		code = cmd.Run([]string{
-			"-status",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
-		}
+func Detailed(ui cli.Ui) bool {
+	switch ui := ui.(type) {
+	case *VaultUI:
+		return ui.detailed
+	}
 
-		expected = "Progress"
-		combined = ui.OutputWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
+	return false
+}
 
-	t.Run("cancel", func(t *testing.T) {
-		t.Parallel()
+// An output formatter for json output of an object
+type JsonFormatter struct{}
 
-		client, closer := testVaultServer(t)
-		defer closer()
+func (j JsonFormatter) Format(data interface{}) ([]byte, error) {
+	return json.MarshalIndent(data, "", "  ")
+}
 
-		// Initialize a rekey
-		if _, err := client.Sys().RekeyInit(&api.RekeyInitRequest{
-			SecretShares:    1,
-			SecretThreshold: 1,
-		}); err != nil {
-			t.Fatal(err)
-		}
+func (j JsonFormatter) Output(ui cli.Ui, secret *api.Secret, data interface{}) error {
+	b, err := j.Format(data)
+	if err != nil {
+		return err
+	}
 
-		ui, cmd := testOperatorRekeyCommand(t)
-		cmd.client = client
+	if secret != nil {
+		shouldListWithInfo := Detailed(ui)
 
-		code := cmd.Run([]string{
-			"-cancel",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
+		// Show the raw JSON of the LIST call, rather than only the
+		// list of keys.
+		if shouldListWithInfo {
+			b, err = j.Format(secret)
+			if err != nil {
+				return err
+			}
 		}
+	}
 
-		expected := "Success! Canceled rekeying"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
+	ui.Output(string(b))
+	return nil
+}
 
-		status, err := client.Sys().GenerateRootStatus()
-		if err != nil {
-			t.Fatal(err)
-		}
+// An output formatter for raw output of the original request object
+type RawFormatter struct{}
 
-		if status.Started {
-			t.Errorf("expected status to be canceled: %#v", status)
-		}
-	})
+func (r RawFormatter) Format(data interface{}) ([]byte, error) {
+	byte_data, ok := data.([]byte)
+	if !ok {
+		return nil, fmt.Errorf("This command does not support the -format=raw option; only `vault read` does.")
+	}
 
-	t.Run("init", func(t *testing.T) {
-		t.Parallel()
+	return byte_data, nil
+}
 
-		client, closer := testVaultServer(t)
-		defer closer()
+func (r RawFormatter) Output(ui cli.Ui, secret *api.Secret, data interface{}) error {
+	b, err := r.Format(data)
+	if err != nil {
+		return err
+	}
+	ui.Output(string(b))
+	return nil
+}
 
-		ui, cmd := testOperatorRekeyCommand(t)
-		cmd.client = client
+// An output formatter for yaml output format of an object
+type YamlFormatter struct{}
 
-		code := cmd.Run([]string{
-			"-init",
-			"-key-shares", "1",
-			"-key-threshold", "1",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
-		}
+func (y YamlFormatter) Format(data interface{}) ([]byte, error) {
+	return yaml.Marshal(data)
+}
 
-		expected := "Nonce"
-		combined := ui.OutputWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
+func (y YamlFormatter) Output(ui cli.Ui, secret *api.Secret, data interface{}) error {
+	b, err := y.Format(data)
+	if err == nil {
+		ui.Output(strings.TrimSpace(string(b)))
+	}
+	return err
+}
 
-		status, err := client.Sys().RekeyStatus()
-		if err != nil {
-			t.Fatal(err)
-		}
-		if !status.Started {
-			t.Errorf("expected status to be started: %#v", status)
-		}
-	})
+type PrettyFormatter struct{}
 
-	t.Run("init_pgp", func(t *testing.T) {
-		t.Parallel()
+func (p PrettyFormatter) Format(data interface{}) ([]byte, error) {
+	return nil, nil
+}
 
-		pgpKey := "keybase:hashicorp"
-		pgpFingerprints := []string{"c874011f0ab405110d02105534365d9472d7468f"}
+func (p PrettyFormatter) Output(ui cli.Ui, secret *api.Secret, data interface{}) error {
+	switch data.(type) {
+	case *api.AutopilotState:
+		p.OutputAutopilotState(ui, data)
+	default:
+		return errors.New("cannot use the pretty formatter for this type")
+	}
+	return nil
+}
 
-		client, closer := testVaultServer(t)
-		defer closer()
+func outputStringSlice(buffer *bytes.Buffer, indent string, values []string) {
+	for _, val := range values {
+		buffer.WriteString(fmt.Sprintf("%s%s\n", indent, val))
+	}
+}
 
-		ui, cmd := testOperatorRekeyCommand(t)
-		cmd.client = client
+type mapOutput struct {
+	key   string
+	value string
+}
 
-		code := cmd.Run([]string{
-			"-init",
-			"-key-shares", "1",
-			"-key-threshold", "1",
-			"-pgp-keys", pgpKey,
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
-		}
+func formatServer(srv *api.AutopilotServer) string {
+	var buffer bytes.Buffer
+
+	buffer.WriteString(fmt.Sprintf("   %s\n", srv.ID))
+	buffer.WriteString(fmt.Sprintf("      Name:              %s\n", srv.Name))
+	buffer.WriteString(fmt.Sprintf("      Address:           %s\n", srv.Address))
+	buffer.WriteString(fmt.Sprintf("      Status:            %s\n", srv.Status))
+	buffer.WriteString(fmt.Sprintf("      Node Status:       %s\n", srv.NodeStatus))
+	buffer.WriteString(fmt.Sprintf("      Healthy:           %t\n", srv.Healthy))
+	buffer.WriteString(fmt.Sprintf("      Last Contact:      %s\n", srv.LastContact))
+	buffer.WriteString(fmt.Sprintf("      Last Term:         %d\n", srv.LastTerm))
+	buffer.WriteString(fmt.Sprintf("      Last Index:        %d\n", srv.LastIndex))
+	buffer.WriteString(fmt.Sprintf("      Version:           %s\n", srv.Version))
+
+	if srv.UpgradeVersion != "" {
+		buffer.WriteString(fmt.Sprintf("      Upgrade Version:   %s\n", srv.UpgradeVersion))
+	}
+	if srv.RedundancyZone != "" {
+		buffer.WriteString(fmt.Sprintf("      Redundancy Zone:   %s\n", srv.RedundancyZone))
+	}
+	if srv.NodeType != "" {
+		buffer.WriteString(fmt.Sprintf("      Node Type:         %s\n", srv.NodeType))
+	}
 
-		expected := "Nonce"
-		combined := ui.OutputWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
+	return buffer.String()
+}
 
-		status, err := client.Sys().RekeyStatus()
-		if err != nil {
-			t.Fatal(err)
-		}
-		if !status.Started {
-			t.Errorf("expected status to be started: %#v", status)
-		}
-		if !reflect.DeepEqual(status.PGPFingerprints, pgpFingerprints) {
-			t.Errorf("expected %#v to be %#v", status.PGPFingerprints, pgpFingerprints)
-		}
-	})
+func (p PrettyFormatter) OutputAutopilotState(ui cli.Ui, data interface{}) {
+	state := data.(*api.AutopilotState)
 
-	t.Run("provide_arg_recovery_keys", func(t *testing.T) {
-		t.Parallel()
+	var buffer bytes.Buffer
+	buffer.WriteString(fmt.Sprintf("Healthy:                         %t\n", state.Healthy))
+	buffer.WriteString(fmt.Sprintf("Failure Tolerance:               %d\n", state.FailureTolerance))
+	buffer.WriteString(fmt.Sprintf("Leader:                          %s\n", state.Leader))
+	buffer.WriteString("Voters:\n")
+	outputStringSlice(&buffer, "   ", state.Voters)
 
-		client, keys, closer := testVaultServerAutoUnseal(t)
-		defer closer()
+	if len(state.NonVoters) > 0 {
+		buffer.WriteString("Non Voters:\n")
+		outputStringSlice(&buffer, "   ", state.NonVoters)
+	}
+
+	if state.OptimisticFailureTolerance > 0 {
+		buffer.WriteString(fmt.Sprintf("Optimistic Failure Tolerance:    %d\n", state.OptimisticFailureTolerance))
+	}
 
-		// Initialize a rekey
-		status, err := client.Sys().RekeyRecoveryKeyInit(&api.RekeyInitRequest{
-			SecretShares:    1,
-			SecretThreshold: 1,
-		})
-		if err != nil {
-			t.Fatal(err)
+	// Servers
+	buffer.WriteString("Servers:\n")
+	var outputs []mapOutput
+	for id, srv := range state.Servers {
+		outputs = append(outputs, mapOutput{key: id, value: formatServer(srv)})
+	}
+	sort.Slice(outputs, func(i, j int) bool {
+		return outputs[i].key < outputs[j].key
+	})
+	for _, output := range outputs {
+		buffer.WriteString(output.value)
+	}
+
+	// Redundancy Zones
+	if len(state.RedundancyZones) > 0 {
+		buffer.WriteString("Redundancy Zones:\n")
+		zoneList := make([]string, 0, len(state.RedundancyZones))
+		for z := range state.RedundancyZones {
+			zoneList = append(zoneList, z)
+		}
+		sort.Strings(zoneList)
+		for _, zoneName := range zoneList {
+			zone := state.RedundancyZones[zoneName]
+			servers := zone.Servers
+			voters := zone.Voters
+			sort.Strings(servers)
+			sort.Strings(voters)
+			buffer.WriteString(fmt.Sprintf("   %s\n", zoneName))
+			buffer.WriteString(fmt.Sprintf("      Servers: %s\n", strings.Join(servers, ", ")))
+			buffer.WriteString(fmt.Sprintf("      Voters: %s\n", strings.Join(voters, ", ")))
+			buffer.WriteString(fmt.Sprintf("      Failure Tolerance: %d\n", zone.FailureTolerance))
 		}
-		nonce := status.Nonce
-
-		// Supply the first n-1 recovery keys
-		for _, key := range keys[:len(keys)-1] {
-			ui, cmd := testOperatorRekeyCommand(t)
-			cmd.client = client
-
-			code := cmd.Run([]string{
-				"-nonce", nonce,
-				"-target", "recovery",
-				key,
-			})
-			if exp := 0; code != exp {
-				t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
+	}
+
+	// Upgrade Info
+	if state.Upgrade != nil {
+		buffer.WriteString("Upgrade Info:\n")
+		buffer.WriteString(fmt.Sprintf("   Status: %s\n", state.Upgrade.Status))
+		buffer.WriteString(fmt.Sprintf("   Target Version: %s\n", state.Upgrade.TargetVersion))
+		buffer.WriteString(fmt.Sprintf("   Target Version Voters: %s\n", strings.Join(state.Upgrade.TargetVersionVoters, ", ")))
+		buffer.WriteString(fmt.Sprintf("   Target Version Non-Voters: %s\n", strings.Join(state.Upgrade.TargetVersionNonVoters, ", ")))
+		buffer.WriteString(fmt.Sprintf("   Other Version Voters: %s\n", strings.Join(state.Upgrade.OtherVersionVoters, ", ")))
+		buffer.WriteString(fmt.Sprintf("   Other Version Non-Voters: %s\n", strings.Join(state.Upgrade.OtherVersionNonVoters, ", ")))
+
+		if len(state.Upgrade.RedundancyZones) > 0 {
+			buffer.WriteString("   Redundancy Zones:\n")
+			for zoneName, zoneVersion := range state.Upgrade.RedundancyZones {
+				buffer.WriteString(fmt.Sprintf("      %s\n", zoneName))
+				buffer.WriteString(fmt.Sprintf("         Target Version Voters: %s\n", strings.Join(zoneVersion.TargetVersionVoters, ", ")))
+				buffer.WriteString(fmt.Sprintf("         Target Version Non-Voters: %s\n", strings.Join(zoneVersion.TargetVersionNonVoters, ", ")))
+				buffer.WriteString(fmt.Sprintf("         Other Version Voters: %s\n", strings.Join(zoneVersion.OtherVersionVoters, ", ")))
+				buffer.WriteString(fmt.Sprintf("         Other Version Non-Voters: %s\n", strings.Join(zoneVersion.OtherVersionNonVoters, ", ")))
 			}
 		}
+	}
 
-		ui, cmd := testOperatorRekeyCommand(t)
-		cmd.client = client
+	ui.Output(buffer.String())
+}
 
-		code := cmd.Run([]string{
-			"-nonce", nonce,
-			"-target", "recovery",
-			keys[len(keys)-1], // the last recovery key
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
-		}
+// An output formatter for table output of an object
+type TableFormatter struct{}
 
-		re := regexp.MustCompile(`Key 1: (.+)`)
-		output := ui.OutputWriter.String()
-		match := re.FindAllStringSubmatch(output, -1)
-		if len(match) < 1 || len(match[0]) < 2 {
-			t.Fatalf("bad match: %#v", match)
-		}
-		recoveryKey := match[0][1]
+// We don't use this due to the TableFormatter introducing a bug when the -field flag is supplied:
+// https://github.com/hashicorp/vault/commit/b24cf9a8af2190e96c614205b8cdf06d8c4b6718 .
+func (t TableFormatter) Format(data interface{}) ([]byte, error) {
+	return nil, nil
+}
 
-		if strings.Contains(strings.ToLower(output), "unseal key") {
-			t.Fatalf(`output %s shouldn't contain "unseal key"`, output)
-		}
+func (t TableFormatter) Output(ui cli.Ui, secret *api.Secret, data interface{}) error {
+	switch data := data.(type) {
+	case *api.Secret:
+		return t.OutputSecret(ui, secret)
+	case []interface{}:
+		return t.OutputList(ui, secret, data)
+	case []string:
+		return t.OutputList(ui, nil, data)
+	case map[string]interface{}:
+		return t.OutputMap(ui, data)
+	case SealStatusOutput:
+		return t.OutputSealStatusStruct(ui, nil, data)
+	default:
+		return errors.New("cannot use the table formatter for this type")
+	}
+}
 
-		// verify that we can perform operations with the recovery key
-		// below we generate a root token using the recovery key
-		rootStatus, err := client.Sys().GenerateRootStatus()
-		if err != nil {
-			t.Fatal(err)
-		}
-		otp, err := roottoken.GenerateOTP(rootStatus.OTPLength)
-		if err != nil {
-			t.Fatal(err)
-		}
-		genRoot, err := client.Sys().GenerateRootInit(otp, "")
-		if err != nil {
-			t.Fatal(err)
-		}
-		r, err := client.Sys().GenerateRootUpdate(recoveryKey, genRoot.Nonce)
-		if err != nil {
-			t.Fatal(err)
-		}
-		if !r.Complete {
-			t.Fatal("expected root update to be complete")
-		}
-	})
-	t.Run("provide_arg", func(t *testing.T) {
-		t.Parallel()
-
-		client, keys, closer := testVaultServerUnseal(t)
-		defer closer()
-
-		// Initialize a rekey
-		status, err := client.Sys().RekeyInit(&api.RekeyInitRequest{
-			SecretShares:    1,
-			SecretThreshold: 1,
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-		nonce := status.Nonce
-
-		// Supply the first n-1 unseal keys
-		for _, key := range keys[:len(keys)-1] {
-			ui, cmd := testOperatorRekeyCommand(t)
-			cmd.client = client
-
-			code := cmd.Run([]string{
-				"-nonce", nonce,
-				key,
-			})
-			if exp := 0; code != exp {
-				t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
+func (t TableFormatter) OutputSealStatusStruct(ui cli.Ui, secret *api.Secret, data interface{}) error {
+	var status SealStatusOutput = data.(SealStatusOutput)
+	var sealPrefix string
+
+	out := []string{}
+	out = append(out, "Key | Value")
+	out = append(out, fmt.Sprintf("Seal Type | %s", status.Type))
+	if status.RecoverySeal {
+		sealPrefix = "Recovery "
+		out = append(out, fmt.Sprintf("Recovery Seal Type | %s", status.RecoverySealType))
+	}
+	out = append(out, fmt.Sprintf("Initialized | %t", status.Initialized))
+	out = append(out, fmt.Sprintf("Sealed | %t", status.Sealed))
+	out = append(out, fmt.Sprintf("Total %sShares | %d", sealPrefix, status.N))
+	out = append(out, fmt.Sprintf("Threshold | %d", status.T))
+
+	if status.Sealed {
+		out = append(out, fmt.Sprintf("Unseal Progress | %d/%d", status.Progress, status.T))
+		out = append(out, fmt.Sprintf("Unseal Nonce | %s", status.Nonce))
+	}
+
+	if status.Migration {
+		out = append(out, fmt.Sprintf("Seal Migration in Progress | %t", status.Migration))
+	}
+
+	out = append(out, fmt.Sprintf("Version | %s", status.Version))
+	out = append(out, fmt.Sprintf("Build Date | %s", status.BuildDate))
+	out = append(out, fmt.Sprintf("Storage Type | %s", status.StorageType))
+
+	if status.ClusterName != "" && status.ClusterID != "" {
+		out = append(out, fmt.Sprintf("Cluster Name | %s", status.ClusterName))
+		out = append(out, fmt.Sprintf("Cluster ID | %s", status.ClusterID))
+	}
+
+	// Output if HCP link is configured
+	if status.HCPLinkStatus != "" {
+		out = append(out, fmt.Sprintf("HCP Link Status | %s", status.HCPLinkStatus))
+		out = append(out, fmt.Sprintf("HCP Link Resource ID | %s", status.HCPLinkResourceID))
+	}
+
+	// Output if HA is enabled
+	out = append(out, fmt.Sprintf("HA Enabled | %t", status.HAEnabled))
+
+	if status.HAEnabled {
+		mode := "sealed"
+		if !status.Sealed {
+			out = append(out, fmt.Sprintf("HA Cluster | %s", status.LeaderClusterAddress))
+			mode = "standby"
+			showLeaderAddr := false
+			if status.IsSelf {
+				mode = "active"
+			} else {
+				if status.LeaderAddress == "" {
+					status.LeaderAddress = "<none>"
+				}
+				showLeaderAddr = true
 			}
-		}
+			out = append(out, fmt.Sprintf("HA Mode | %s", mode))
 
-		ui, cmd := testOperatorRekeyCommand(t)
-		cmd.client = client
+			if status.IsSelf && !status.ActiveTime.IsZero() {
+				out = append(out, fmt.Sprintf("Active Since | %s", status.ActiveTime.Format(time.RFC3339Nano)))
+			}
+			// This is down here just to keep ordering consistent
+			if showLeaderAddr {
+				out = append(out, fmt.Sprintf("Active Node Address | %s", status.LeaderAddress))
+			}
 
-		code := cmd.Run([]string{
-			"-nonce", nonce,
-			keys[len(keys)-1], // the last unseal key
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
+			if status.PerfStandby {
+				out = append(out, fmt.Sprintf("Performance Standby Node | %t", status.PerfStandby))
+				out = append(out, fmt.Sprintf("Performance Standby Last Remote WAL | %d", status.PerfStandbyLastRemoteWAL))
+			}
 		}
+	}
 
-		re := regexp.MustCompile(`Key 1: (.+)`)
-		output := ui.OutputWriter.String()
-		match := re.FindAllStringSubmatch(output, -1)
-		if len(match) < 1 || len(match[0]) < 2 {
-			t.Fatalf("bad match: %#v", match)
-		}
+	if status.RaftCommittedIndex > 0 {
+		out = append(out, fmt.Sprintf("Raft Committed Index | %d", status.RaftCommittedIndex))
+	}
+	if status.RaftAppliedIndex > 0 {
+		out = append(out, fmt.Sprintf("Raft Applied Index | %d", status.RaftAppliedIndex))
+	}
+	if status.LastWAL != 0 {
+		out = append(out, fmt.Sprintf("Last WAL | %d", status.LastWAL))
+	}
+	if len(status.Warnings) > 0 {
+		out = append(out, fmt.Sprintf("Warnings | %v", status.Warnings))
+	}
 
-		// Grab the unseal key and try to unseal
-		unsealKey := match[0][1]
-		if err := client.Sys().Seal(); err != nil {
-			t.Fatal(err)
-		}
-		sealStatus, err := client.Sys().Unseal(unsealKey)
-		if err != nil {
-			t.Fatal(err)
-		}
-		if sealStatus.Sealed {
-			t.Errorf("expected vault to be unsealed: %#v", sealStatus)
+	ui.Output(tableOutput(out, &columnize.Config{
+		Delim: "|",
+	}))
+	return nil
+}
+
+func (t TableFormatter) OutputList(ui cli.Ui, secret *api.Secret, data interface{}) error {
+	t.printWarnings(ui, secret)
+
+	// Determine if we have additional information from a ListResponseWithInfo endpoint.
+	var additionalInfo map[string]interface{}
+	if secret != nil {
+		shouldListWithInfo := Detailed(ui)
+		if additional, ok := secret.Data["key_info"]; shouldListWithInfo && ok && len(additional.(map[string]interface{})) > 0 {
+			additionalInfo = additional.(map[string]interface{})
 		}
-	})
+	}
 
-	t.Run("provide_stdin", func(t *testing.T) {
-		t.Parallel()
+	switch data := data.(type) {
+	case []interface{}:
+	case []string:
+		ui.Output(tableOutput(data, nil))
+		return nil
+	default:
+		return errors.New("error: table formatter cannot output list for this data type")
+	}
 
-		client, keys, closer := testVaultServerUnseal(t)
-		defer closer()
+	list := data.([]interface{})
 
-		// Initialize a rekey
-		status, err := client.Sys().RekeyInit(&api.RekeyInitRequest{
-			SecretShares:    1,
-			SecretThreshold: 1,
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-		nonce := status.Nonce
-
-		// Supply the first n-1 unseal keys
-		for _, key := range keys[:len(keys)-1] {
-			stdinR, stdinW := io.Pipe()
-			go func() {
-				stdinW.Write([]byte(key))
-				stdinW.Close()
-			}()
-
-			ui, cmd := testOperatorRekeyCommand(t)
-			cmd.client = client
-			cmd.testStdin = stdinR
-
-			code := cmd.Run([]string{
-				"-nonce", nonce,
-				"-",
-			})
-			if exp := 0; code != exp {
-				t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
+	if len(list) > 0 {
+		keys := make([]string, len(list))
+		for i, v := range list {
+			typed, ok := v.(string)
+			if !ok {
+				return fmt.Errorf("%v is not a string", v)
 			}
-		}
+			keys[i] = typed
+		}
+		sort.Strings(keys)
+
+		// If we have a ListResponseWithInfo endpoint, we'll need to show
+		// additional headers. To satisfy the table outputter, we'll need
+		// to concat them with the deliminator.
+		var headers []string
+		header := "Keys"
+		if len(additionalInfo) > 0 {
+			seenHeaders := make(map[string]bool)
+			for key, rawValues := range additionalInfo {
+				// Most endpoints use the well-behaved ListResponseWithInfo.
+				// However, some use a hand-rolled equivalent, where the
+				// returned "keys" doesn't match the key of the "key_info"
+				// member (namely, /sys/policies/egp). We seek to exclude
+				// headers only visible from "non-visitable" key_info rows,
+				// to make table output less confusing. These non-visitable
+				// rows will still be visible in the JSON output.
+				index := sort.SearchStrings(keys, key)
+				if index < len(keys) && keys[index] != key {
+					continue
+				}
 
-		stdinR, stdinW := io.Pipe()
-		go func() {
-			stdinW.Write([]byte(keys[len(keys)-1])) // the last unseal key
-			stdinW.Close()
-		}()
-
-		ui, cmd := testOperatorRekeyCommand(t)
-		cmd.client = client
-		cmd.testStdin = stdinR
-
-		code := cmd.Run([]string{
-			"-nonce", nonce,
-			"-",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
+				values := rawValues.(map[string]interface{})
+				for key := range values {
+					seenHeaders[key] = true
+				}
+			}
 
-		re := regexp.MustCompile(`Key 1: (.+)`)
-		output := ui.OutputWriter.String()
-		match := re.FindAllStringSubmatch(output, -1)
-		if len(match) < 1 || len(match[0]) < 2 {
-			t.Fatalf("bad match: %#v", match)
-		}
+			for key := range seenHeaders {
+				headers = append(headers, key)
+			}
+			sort.Strings(headers)
+
+			header = header + hopeDelim + strings.Join(headers, hopeDelim)
+		}
+
+		// Finally, if we have a ListResponseWithInfo, we'll need to update
+		// the returned rows to not just have the keys (in the sorted order),
+		// but also have the values for each header (in their sorted order).
+		rows := keys
+		if len(additionalInfo) > 0 && len(headers) > 0 {
+			for index, row := range rows {
+				formatted := []string{row}
+				if rawValues, ok := additionalInfo[row]; ok {
+					values := rawValues.(map[string]interface{})
+					for _, header := range headers {
+						if rawValue, ok := values[header]; ok {
+							if looksLikeDuration(header) {
+								rawValue = humanDurationInt(rawValue)
+							}
+
+							formatted = append(formatted, fmt.Sprintf("%v", rawValue))
+						} else {
+							// Show a default empty n/a when this field is
+							// missing from the additional information.
+							formatted = append(formatted, "n/a")
+						}
+					}
+				}
 
-		// Grab the unseal key and try to unseal
-		unsealKey := match[0][1]
-		if err := client.Sys().Seal(); err != nil {
-			t.Fatal(err)
-		}
-		sealStatus, err := client.Sys().Unseal(unsealKey)
-		if err != nil {
-			t.Fatal(err)
+				rows[index] = strings.Join(formatted, hopeDelim)
+			}
 		}
-		if sealStatus.Sealed {
-			t.Errorf("expected vault to be unsealed: %#v", sealStatus)
+
+		// Prepend the header to the formatted rows.
+		output := append([]string{header}, rows...)
+		ui.Output(tableOutput(output, &columnize.Config{
+			Delim: hopeDelim,
+		}))
+	}
+
+	return nil
+}
+
+// printWarnings prints any warnings in the secret.
+func (t TableFormatter) printWarnings(ui cli.Ui, secret *api.Secret) {
+	if secret != nil && len(secret.Warnings) > 0 {
+		ui.Warn("WARNING! The following warnings were returned from Vault:\n")
+		for _, warning := range secret.Warnings {
+			ui.Warn(wrapAtLengthWithPadding(fmt.Sprintf("* %s", warning), 2))
+			ui.Warn("")
 		}
-	})
+	}
+}
 
-	t.Run("provide_stdin_recovery_keys", func(t *testing.T) {
-		t.Parallel()
+func (t TableFormatter) OutputSecret(ui cli.Ui, secret *api.Secret) error {
+	if secret == nil {
+		return nil
+	}
 
-		client, keys, closer := testVaultServerAutoUnseal(t)
-		defer closer()
+	t.printWarnings(ui, secret)
 
-		// Initialize a rekey
-		status, err := client.Sys().RekeyRecoveryKeyInit(&api.RekeyInitRequest{
-			SecretShares:    1,
-			SecretThreshold: 1,
-		})
-		if err != nil {
-			t.Fatal(err)
+	out := make([]string, 0, 8)
+	if secret.LeaseDuration > 0 {
+		if secret.LeaseID != "" {
+			out = append(out, fmt.Sprintf("lease_id %s %s", hopeDelim, secret.LeaseID))
+			out = append(out, fmt.Sprintf("lease_duration %s %v", hopeDelim, humanDurationInt(secret.LeaseDuration)))
+			out = append(out, fmt.Sprintf("lease_renewable %s %t", hopeDelim, secret.Renewable))
+		} else {
+			// This is probably the generic secret backend which has leases, but we
+			// print them as refresh_interval to reduce confusion.
+			out = append(out, fmt.Sprintf("refresh_interval %s %v", hopeDelim, humanDurationInt(secret.LeaseDuration)))
 		}
-		nonce := status.Nonce
-		for _, key := range keys[:len(keys)-1] {
-			stdinR, stdinW := io.Pipe()
-			go func() {
-				_, _ = stdinW.Write([]byte(key))
-				_ = stdinW.Close()
-			}()
-
-			ui, cmd := testOperatorRekeyCommand(t)
-			cmd.client = client
-			cmd.testStdin = stdinR
-
-			code := cmd.Run([]string{
-				"-target", "recovery",
-				"-nonce", nonce,
-				"-",
-			})
-			if exp := 0; code != exp {
-				t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
+	}
+
+	if secret.Auth != nil {
+		if secret.Auth.MFARequirement != nil {
+			out = append(out, fmt.Sprintf("mfa_request_id %s %s", hopeDelim, secret.Auth.MFARequirement.MFARequestID))
+
+			for k, constraintSet := range secret.Auth.MFARequirement.MFAConstraints {
+				for _, constraint := range constraintSet.Any {
+					out = append(out, fmt.Sprintf("mfa_constraint_%s_%s_id %s %s", k, constraint.Type, hopeDelim, constraint.ID))
+					out = append(out, fmt.Sprintf("mfa_constraint_%s_%s_uses_passcode %s %t", k, constraint.Type, hopeDelim, constraint.UsesPasscode))
+					if constraint.Name != "" {
+						out = append(out, fmt.Sprintf("mfa_constraint_%s_%s_name %s %s", k, constraint.Type, hopeDelim, constraint.Name))
+					}
+				}
+			}
+		} else { // Token information only makes sense if no further MFA requirement (i.e. if we actually have a token)
+			out = append(out, fmt.Sprintf("token %s %s", hopeDelim, secret.Auth.ClientToken))
+			out = append(out, fmt.Sprintf("token_accessor %s %s", hopeDelim, secret.Auth.Accessor))
+			// If the lease duration is 0, it's likely a root token, so output the
+			// duration as "infinity" to clear things up.
+			if secret.Auth.LeaseDuration == 0 {
+				out = append(out, fmt.Sprintf("token_duration %s %s", hopeDelim, "∞"))
+			} else {
+				out = append(out, fmt.Sprintf("token_duration %s %v", hopeDelim, humanDurationInt(secret.Auth.LeaseDuration)))
+			}
+			out = append(out, fmt.Sprintf("token_renewable %s %t", hopeDelim, secret.Auth.Renewable))
+			out = append(out, fmt.Sprintf("token_policies %s %q", hopeDelim, secret.Auth.TokenPolicies))
+			out = append(out, fmt.Sprintf("identity_policies %s %q", hopeDelim, secret.Auth.IdentityPolicies))
+			out = append(out, fmt.Sprintf("policies %s %q", hopeDelim, secret.Auth.Policies))
+			for k, v := range secret.Auth.Metadata {
+				out = append(out, fmt.Sprintf("token_meta_%s %s %v", k, hopeDelim, v))
 			}
 		}
+	}
 
-		stdinR, stdinW := io.Pipe()
-		go func() {
-			_, _ = stdinW.Write([]byte(keys[len(keys)-1])) // the last recovery key
-			_ = stdinW.Close()
-		}()
-
-		ui, cmd := testOperatorRekeyCommand(t)
-		cmd.client = client
-		cmd.testStdin = stdinR
-
-		code := cmd.Run([]string{
-			"-nonce", nonce,
-			"-target", "recovery",
-			"-",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
+	if secret.WrapInfo != nil {
+		out = append(out, fmt.Sprintf("wrapping_token: %s %s", hopeDelim, secret.WrapInfo.Token))
+		out = append(out, fmt.Sprintf("wrapping_accessor: %s %s", hopeDelim, secret.WrapInfo.Accessor))
+		out = append(out, fmt.Sprintf("wrapping_token_ttl: %s %v", hopeDelim, humanDurationInt(secret.WrapInfo.TTL)))
+		out = append(out, fmt.Sprintf("wrapping_token_creation_time: %s %s", hopeDelim, secret.WrapInfo.CreationTime.String()))
+		out = append(out, fmt.Sprintf("wrapping_token_creation_path: %s %s", hopeDelim, secret.WrapInfo.CreationPath))
+		if secret.WrapInfo.WrappedAccessor != "" {
+			out = append(out, fmt.Sprintf("wrapped_accessor: %s %s", hopeDelim, secret.WrapInfo.WrappedAccessor))
 		}
+	}
 
-		re := regexp.MustCompile(`Key 1: (.+)`)
-		output := ui.OutputWriter.String()
-		match := re.FindAllStringSubmatch(output, -1)
-		if len(match) < 1 || len(match[0]) < 2 {
-			t.Fatalf("bad match: %#v", match)
+	if len(secret.Data) > 0 {
+		keys := make([]string, 0, len(secret.Data))
+		for k := range secret.Data {
+			keys = append(keys, k)
 		}
-		recoveryKey := match[0][1]
+		sort.Strings(keys)
 
-		if strings.Contains(strings.ToLower(output), "unseal key") {
-			t.Fatalf(`output %s shouldn't contain "unseal key"`, output)
-		}
-		// verify that we can perform operations with the recovery key
-		// below we generate a root token using the recovery key
-		rootStatus, err := client.Sys().GenerateRootStatus()
-		if err != nil {
-			t.Fatal(err)
-		}
-		otp, err := roottoken.GenerateOTP(rootStatus.OTPLength)
-		if err != nil {
-			t.Fatal(err)
-		}
-		genRoot, err := client.Sys().GenerateRootInit(otp, "")
-		if err != nil {
-			t.Fatal(err)
-		}
-		r, err := client.Sys().GenerateRootUpdate(recoveryKey, genRoot.Nonce)
-		if err != nil {
-			t.Fatal(err)
-		}
-		if !r.Complete {
-			t.Fatal("expected root update to be complete")
-		}
-	})
-	t.Run("backup", func(t *testing.T) {
-		t.Parallel()
-
-		pgpKey := "keybase:hashicorp"
-		// pgpFingerprints := []string{"c874011f0ab405110d02105534365d9472d7468f"}
-
-		client, keys, closer := testVaultServerUnseal(t)
-		defer closer()
-
-		ui, cmd := testOperatorRekeyCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"-init",
-			"-key-shares", "1",
-			"-key-threshold", "1",
-			"-pgp-keys", pgpKey,
-			"-backup",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
-		}
+		for _, k := range keys {
+			v := secret.Data[k]
 
-		// Get the status for the nonce
-		status, err := client.Sys().RekeyStatus()
-		if err != nil {
-			t.Fatal(err)
-		}
-		nonce := status.Nonce
-
-		var combined string
-		// Supply the unseal keys
-		for _, key := range keys {
-			ui, cmd := testOperatorRekeyCommand(t)
-			cmd.client = client
-
-			code := cmd.Run([]string{
-				"-nonce", nonce,
-				key,
-			})
-			if exp := 0; code != exp {
-				t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
+			// If the field "looks" like a TTL, print it as a time duration instead.
+			if looksLikeDuration(k) {
+				v = humanDurationInt(v)
 			}
 
-			// Append to our output string
-			combined += ui.OutputWriter.String()
+			out = append(out, fmt.Sprintf("%s %s %v", k, hopeDelim, v))
 		}
+	}
 
-		re := regexp.MustCompile(`Key 1 fingerprint: (.+); value: (.+)`)
-		match := re.FindAllStringSubmatch(combined, -1)
-		if len(match) < 1 || len(match[0]) < 3 {
-			t.Fatalf("bad match: %#v", match)
-		}
+	// If we got this far and still don't have any data, there's nothing to print,
+	// sorry.
+	if len(out) == 0 {
+		return nil
+	}
 
-		// Grab the output fingerprint and encrypted key
-		fingerprint, encryptedKey := match[0][1], match[0][2]
+	// Prepend the header
+	out = append([]string{"Key" + hopeDelim + "Value"}, out...)
 
-		// Get the backup
-		ui, cmd = testOperatorRekeyCommand(t)
-		cmd.client = client
+	ui.Output(tableOutput(out, &columnize.Config{
+		Delim: hopeDelim,
+	}))
+	return nil
+}
 
-		code = cmd.Run([]string{
-			"-backup-retrieve",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
+func (t TableFormatter) OutputMap(ui cli.Ui, data map[string]interface{}) error {
+	out := make([]string, 0, len(data)+1)
+	if len(data) > 0 {
+		keys := make([]string, 0, len(data))
+		for k := range data {
+			keys = append(keys, k)
 		}
+		sort.Strings(keys)
 
-		output := ui.OutputWriter.String()
-		if !strings.Contains(output, fingerprint) {
-			t.Errorf("expected %q to contain %q", output, fingerprint)
-		}
-		if !strings.Contains(output, encryptedKey) {
-			t.Errorf("expected %q to contain %q", output, encryptedKey)
-		}
+		for _, k := range keys {
+			v := data[k]
 
-		// Delete the backup
-		ui, cmd = testOperatorRekeyCommand(t)
-		cmd.client = client
+			// If the field "looks" like a TTL, print it as a time duration instead.
+			if looksLikeDuration(k) {
+				v = humanDurationInt(v)
+			}
 
-		code = cmd.Run([]string{
-			"-backup-delete",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
+			out = append(out, fmt.Sprintf("%s %s %v", k, hopeDelim, v))
 		}
+	}
 
-		secret, err := client.Sys().RekeyRetrieveBackup()
-		if err == nil {
-			t.Errorf("expected error: %#v", secret)
-		}
-	})
+	// If we got this far and still don't have any data, there's nothing to print,
+	// sorry.
+	if len(out) == 0 {
+		return nil
+	}
 
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
+	// Prepend the header
+	out = append([]string{"Key" + hopeDelim + "Value"}, out...)
 
-		client, closer := testVaultServerBad(t)
-		defer closer()
+	ui.Output(tableOutput(out, &columnize.Config{
+		Delim: hopeDelim,
+	}))
+	return nil
+}
 
-		ui, cmd := testOperatorRekeyCommand(t)
-		cmd.client = client
+// OutputSealStatus will print *api.SealStatusResponse in the CLI according to the format provided
+func OutputSealStatus(ui cli.Ui, client *api.Client, status *api.SealStatusResponse) int {
+	sealStatusOutput := SealStatusOutput{SealStatusResponse: *status}
 
-		code := cmd.Run([]string{
-			"secret/foo",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
+	// Mask the 'Vault is sealed' error, since this means HA is enabled, but that
+	// we cannot query for the leader since we are sealed.
+	leaderStatus, err := client.Sys().Leader()
+	if err != nil && strings.Contains(err.Error(), "Vault is sealed") {
+		leaderStatus = &api.LeaderResponse{HAEnabled: true}
+		err = nil
+	}
+	if err != nil {
+		ui.Error(fmt.Sprintf("Error checking leader status: %s", err))
+		return 1
+	}
 
-		expected := "Error getting rekey status: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
+	// copy leaderStatus fields into sealStatusOutput for display later
+	sealStatusOutput.HAEnabled = leaderStatus.HAEnabled
+	sealStatusOutput.IsSelf = leaderStatus.IsSelf
+	sealStatusOutput.ActiveTime = leaderStatus.ActiveTime
+	sealStatusOutput.LeaderAddress = leaderStatus.LeaderAddress
+	sealStatusOutput.LeaderClusterAddress = leaderStatus.LeaderClusterAddress
+	sealStatusOutput.PerfStandby = leaderStatus.PerfStandby
+	sealStatusOutput.PerfStandbyLastRemoteWAL = leaderStatus.PerfStandbyLastRemoteWAL
+	sealStatusOutput.LastWAL = leaderStatus.LastWAL
+	sealStatusOutput.RaftCommittedIndex = leaderStatus.RaftCommittedIndex
+	sealStatusOutput.RaftAppliedIndex = leaderStatus.RaftAppliedIndex
+	OutputData(ui, sealStatusOutput)
+	return 0
+}
 
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
+// looksLikeDuration checks if the given key "k" looks like a duration value.
+// This is used to pretty-format duration values in responses, especially from
+// plugins.
+func looksLikeDuration(k string) bool {
+	return k == "period" || strings.HasSuffix(k, "_period") ||
+		k == "ttl" || strings.HasSuffix(k, "_ttl") ||
+		k == "duration" || strings.HasSuffix(k, "_duration") ||
+		k == "lease_max" || k == "ttl_max"
+}
 
-		_, cmd := testOperatorRekeyCommand(t)
-		assertNoTabs(t, cmd)
-	})
+// This struct is responsible for capturing all the fields to be output by a
+// vault status command, including fields that do not come from the status API.
+// Currently we are adding the fields from api.LeaderResponse
+type SealStatusOutput struct {
+	api.SealStatusResponse
+	HAEnabled                bool      `json:"ha_enabled"`
+	IsSelf                   bool      `json:"is_self,omitempty"`
+	ActiveTime               time.Time `json:"active_time,omitempty"`
+	LeaderAddress            string    `json:"leader_address,omitempty"`
+	LeaderClusterAddress     string    `json:"leader_cluster_address,omitempty"`
+	PerfStandby              bool      `json:"performance_standby,omitempty"`
+	PerfStandbyLastRemoteWAL uint64    `json:"performance_standby_last_remote_wal,omitempty"`
+	LastWAL                  uint64    `json:"last_wal,omitempty"`
+	RaftCommittedIndex       uint64    `json:"raft_committed_index,omitempty"`
+	RaftAppliedIndex         uint64    `json:"raft_applied_index,omitempty"`
 }
diff --git a/command/operator_seal.go b/command/operator_seal.go
index e8f55805b0c8..4df34374b720 100644
--- a/command/operator_seal.go
+++ b/command/operator_seal.go
@@ -1,89 +1,73 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*OperatorSealCommand)(nil)
-	_ cli.CommandAutocomplete = (*OperatorSealCommand)(nil)
-)
-
-type OperatorSealCommand struct {
-	*BaseCommand
-}
-
-func (c *OperatorSealCommand) Synopsis() string {
-	return "Seals the Vault server"
-}
-
-func (c *OperatorSealCommand) Help() string {
-	helpText := `
-Usage: vault operator seal [options]
-
-  Seals the Vault server. Sealing tells the Vault server to stop responding
-  to any operations until it is unsealed. When sealed, the Vault server
-  discards its in-memory root key to unlock the data, so it is physically
-  blocked from responding to operations unsealed.
-
-  If an unseal is in progress, sealing the Vault will reset the unsealing
-  process. Users will have to re-enter their portions of the root key again.
-
-  This command does nothing if the Vault server is already sealed.
-
-  Seal the Vault server:
-
-      $ vault operator seal
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *OperatorSealCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP)
-}
-
-func (c *OperatorSealCommand) AutocompleteArgs() complete.Predictor {
-	return nil
-}
-
-func (c *OperatorSealCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *OperatorSealCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	if len(args) > 0 {
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(args)))
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	if err := client.Sys().Seal(); err != nil {
-		c.UI.Error(fmt.Sprintf("Error sealing: %s", err))
-		return 2
-	}
-
-	c.UI.Output("Success! Vault is sealed.")
-	return 0
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'ember-qunit';
+import { render, click } from '@ember/test-helpers';
+import hbs from 'htmlbars-inline-precompile';
+import sinon from 'sinon';
+
+module('Integration | Component | sidebar-frame', function (hooks) {
+  setupRenderingTest(hooks);
+
+  test('it should hide and show sidebar', async function (assert) {
+    this.set('showSidebar', true);
+    await render(hbs`
+      <Sidebar::Frame @showSidebar={{this.showSidebar}} />
+    `);
+    assert.dom('[data-test-sidebar-nav]').exists('Sidebar renders');
+
+    this.set('showSidebar', false);
+    assert.dom('[data-test-sidebar-nav]').doesNotExist('Sidebar is hidden');
+  });
+
+  test('it should render link status, console ui panel and yield block for app content', async function (assert) {
+    const currentCluster = this.owner.lookup('service:currentCluster');
+    currentCluster.setCluster({ hcpLinkStatus: 'connected' });
+    const version = this.owner.lookup('service:version');
+    version.type = 'enterprise';
+
+    await render(hbs`
+      <Sidebar::Frame @showSidebar={{true}}>
+        <div class="page-container">
+          App goes here!
+        </div>
+      </Sidebar::Frame>
+    `);
+
+    assert.dom('[data-test-link-status]').exists('Link status component renders');
+    assert.dom('[data-test-component="console/ui-panel"]').exists('Console UI panel renders');
+    assert.dom('.page-container').exists('Block yields for app content');
+  });
+
+  test('it should render logo and actions in sidebar header', async function (assert) {
+    this.owner.lookup('service:currentCluster').setCluster({ name: 'vault' });
+
+    await render(hbs`
+      <Sidebar::Frame @showSidebar={{true}} />
+    `);
+
+    assert.dom('[data-test-sidebar-logo]').exists('Vault logo renders in sidebar header');
+    assert.dom('[data-test-console-toggle]').exists('Console toggle button renders in sidebar header');
+    await click('[data-test-console-toggle]');
+    assert.dom('.panel-open').exists('Console ui panel opens');
+    await click('[data-test-console-toggle]');
+    assert.dom('.panel-open').doesNotExist('Console ui panel closes');
+    assert.dom('[data-test-user-menu]').exists('User menu renders');
+  });
+
+  test('it should render namespace picker in sidebar footer', async function (assert) {
+    const version = this.owner.lookup('service:version');
+    version.features = ['Namespaces'];
+    const auth = this.owner.lookup('service:auth');
+    sinon.stub(auth, 'authData').value({});
+
+    await render(hbs`
+      <Sidebar::Frame @showSidebar={{true}} />
+    `);
+
+    assert.dom('.namespace-picker').exists('Namespace picker renders in sidebar footer');
+  });
+});
diff --git a/command/operator_seal_test.go b/command/operator_seal_test.go
index 7a8e5c35ed78..3323f987df8b 100644
--- a/command/operator_seal_test.go
+++ b/command/operator_seal_test.go
@@ -1,125 +1,1120 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package raft
 
 import (
+	"bytes"
+	"context"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strconv"
 	"strings"
-	"testing"
+	"sync"
+	"sync/atomic"
+	"time"
 
-	"github.com/mitchellh/cli"
+	"github.com/armon/go-metrics"
+	"github.com/golang/protobuf/proto"
+	bolt "github.com/hashicorp-forge/bbolt"
+	log "github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/go-raftchunking"
+	"github.com/hashicorp/go-secure-stdlib/strutil"
+	"github.com/hashicorp/raft"
+	"github.com/hashicorp/vault/sdk/helper/jsonutil"
+	"github.com/hashicorp/vault/sdk/physical"
+	"github.com/hashicorp/vault/sdk/plugin/pb"
 )
 
-func testOperatorSealCommand(tb testing.TB) (*cli.MockUi, *OperatorSealCommand) {
-	tb.Helper()
+const (
+	deleteOp uint32 = 1 << iota
+	putOp
+	restoreCallbackOp
+	getOp
 
-	ui := cli.NewMockUi()
-	return ui, &OperatorSealCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
+	chunkingPrefix   = "raftchunking/"
+	databaseFilename = "vault.db"
+)
+
+var (
+	// dataBucketName is the value we use for the bucket
+	dataBucketName     = []byte("data")
+	configBucketName   = []byte("config")
+	latestIndexKey     = []byte("latest_indexes")
+	latestConfigKey    = []byte("latest_config")
+	localNodeConfigKey = []byte("local_node_config")
+)
+
+// Verify FSM satisfies the correct interfaces
+var (
+	_ physical.Backend       = (*FSM)(nil)
+	_ physical.Transactional = (*FSM)(nil)
+	_ raft.FSM               = (*FSM)(nil)
+	_ raft.BatchingFSM       = (*FSM)(nil)
+)
+
+type restoreCallback func(context.Context) error
+
+type FSMEntry struct {
+	Key   string
+	Value []byte
+}
+
+func (f *FSMEntry) String() string {
+	return fmt.Sprintf("Key: %s. Value: %s", f.Key, hex.EncodeToString(f.Value))
+}
+
+// FSMApplyResponse is returned from an FSM apply. It indicates if the apply was
+// successful or not. EntryMap contains the keys/values from the Get operations.
+type FSMApplyResponse struct {
+	Success    bool
+	EntrySlice []*FSMEntry
+}
+
+// FSM is Vault's primary state storage. It writes updates to a bolt db file
+// that lives on local disk. FSM implements raft.FSM and physical.Backend
+// interfaces.
+type FSM struct {
+	// latestIndex and latestTerm must stay at the top of this struct to be
+	// properly 64-bit aligned.
+
+	// latestIndex and latestTerm are the term and index of the last log we
+	// received
+	latestIndex *uint64
+	latestTerm  *uint64
+	// latestConfig is the latest server configuration we've seen
+	latestConfig atomic.Value
+
+	l           sync.RWMutex
+	path        string
+	logger      log.Logger
+	noopRestore bool
+
+	// applyCallback is used to control the pace of applies in tests
+	applyCallback func()
+
+	db *bolt.DB
+
+	// retoreCb is called after we've restored a snapshot
+	restoreCb restoreCallback
+
+	chunker *raftchunking.ChunkingBatchingFSM
+
+	localID         string
+	desiredSuffrage string
+	unknownOpTypes  sync.Map
+}
+
+// NewFSM constructs a FSM using the given directory
+func NewFSM(path string, localID string, logger log.Logger) (*FSM, error) {
+	// Initialize the latest term, index, and config values
+	latestTerm := new(uint64)
+	latestIndex := new(uint64)
+	latestConfig := atomic.Value{}
+	atomic.StoreUint64(latestTerm, 0)
+	atomic.StoreUint64(latestIndex, 0)
+	latestConfig.Store((*ConfigurationValue)(nil))
+
+	f := &FSM{
+		path:   path,
+		logger: logger,
+
+		latestTerm:   latestTerm,
+		latestIndex:  latestIndex,
+		latestConfig: latestConfig,
+		// Assume that the default intent is to join as as voter. This will be updated
+		// when this node joins a cluster with a different suffrage, or during cluster
+		// setup if this is already part of a cluster with a desired suffrage.
+		desiredSuffrage: "voter",
+		localID:         localID,
+	}
+
+	f.chunker = raftchunking.NewChunkingBatchingFSM(f, &FSMChunkStorage{
+		f:   f,
+		ctx: context.Background(),
+	})
+
+	dbPath := filepath.Join(path, databaseFilename)
+	f.l.Lock()
+	defer f.l.Unlock()
+	if err := f.openDBFile(dbPath); err != nil {
+		return nil, fmt.Errorf("failed to open bolt file: %w", err)
 	}
+
+	return f, nil
+}
+
+func (f *FSM) getDB() *bolt.DB {
+	f.l.RLock()
+	defer f.l.RUnlock()
+
+	return f.db
 }
 
-func TestOperatorSealCommand_Run(t *testing.T) {
-	t.Parallel()
+// SetFSMDelay adds a delay to the FSM apply. This is used in tests to simulate
+// a slow apply.
+func (r *RaftBackend) SetFSMDelay(delay time.Duration) {
+	r.SetFSMApplyCallback(func() { time.Sleep(delay) })
+}
+
+func (r *RaftBackend) SetFSMApplyCallback(f func()) {
+	r.fsm.l.Lock()
+	r.fsm.applyCallback = f
+	r.fsm.l.Unlock()
+}
 
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"args",
-			[]string{"foo"},
-			"Too many arguments",
-			1,
-		},
+func (f *FSM) openDBFile(dbPath string) error {
+	if len(dbPath) == 0 {
+		return errors.New("can not open empty filename")
 	}
 
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
+	st, err := os.Stat(dbPath)
+	switch {
+	case err != nil && os.IsNotExist(err):
+	case err != nil:
+		return fmt.Errorf("error checking raft FSM db file %q: %v", dbPath, err)
+	default:
+		perms := st.Mode() & os.ModePerm
+		if perms&0o077 != 0 {
+			f.logger.Warn("raft FSM db file has wider permissions than needed",
+				"needed", os.FileMode(0o600), "existing", perms)
+		}
+	}
 
-		for _, tc := range cases {
-			tc := tc
+	opts := boltOptions(dbPath)
+	start := time.Now()
+	boltDB, err := bolt.Open(dbPath, 0o600, opts)
+	if err != nil {
+		return err
+	}
+	elapsed := time.Now().Sub(start)
+	f.logger.Debug("time to open database", "elapsed", elapsed, "path", dbPath)
+	metrics.MeasureSince([]string{"raft_storage", "fsm", "open_db_file"}, start)
 
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
+	err = boltDB.Update(func(tx *bolt.Tx) error {
+		// make sure we have the necessary buckets created
+		_, err := tx.CreateBucketIfNotExists(dataBucketName)
+		if err != nil {
+			return fmt.Errorf("failed to create bucket: %v", err)
+		}
+		b, err := tx.CreateBucketIfNotExists(configBucketName)
+		if err != nil {
+			return fmt.Errorf("failed to create bucket: %v", err)
+		}
 
-				client, closer := testVaultServer(t)
-				defer closer()
+		// Read in our latest index and term and populate it inmemory
+		val := b.Get(latestIndexKey)
+		if val != nil {
+			var latest IndexValue
+			err := proto.Unmarshal(val, &latest)
+			if err != nil {
+				return err
+			}
 
-				ui, cmd := testOperatorSealCommand(t)
-				cmd.client = client
+			atomic.StoreUint64(f.latestTerm, latest.Term)
+			atomic.StoreUint64(f.latestIndex, latest.Index)
+		}
 
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
+		// Read in our latest config and populate it inmemory
+		val = b.Get(latestConfigKey)
+		if val != nil {
+			var latest ConfigurationValue
+			err := proto.Unmarshal(val, &latest)
+			if err != nil {
+				return err
+			}
 
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
+			f.latestConfig.Store(&latest)
 		}
+		return nil
 	})
+	if err != nil {
+		return err
+	}
+
+	f.db = boltDB
+	return nil
+}
+
+func (f *FSM) Stats() bolt.Stats {
+	f.l.RLock()
+	defer f.l.RUnlock()
 
-	t.Run("integration", func(t *testing.T) {
-		t.Parallel()
+	return f.db.Stats()
+}
+
+func (f *FSM) Close() error {
+	f.l.RLock()
+	defer f.l.RUnlock()
 
-		client, closer := testVaultServer(t)
-		defer closer()
+	return f.db.Close()
+}
+
+func writeSnapshotMetaToDB(metadata *raft.SnapshotMeta, db *bolt.DB) error {
+	latestIndex := &IndexValue{
+		Term:  metadata.Term,
+		Index: metadata.Index,
+	}
+	indexBytes, err := proto.Marshal(latestIndex)
+	if err != nil {
+		return err
+	}
 
-		ui, cmd := testOperatorSealCommand(t)
-		cmd.client = client
+	protoConfig := raftConfigurationToProtoConfiguration(metadata.ConfigurationIndex, metadata.Configuration)
+	configBytes, err := proto.Marshal(protoConfig)
+	if err != nil {
+		return err
+	}
 
-		code := cmd.Run([]string{})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
+	err = db.Update(func(tx *bolt.Tx) error {
+		b, err := tx.CreateBucketIfNotExists(configBucketName)
+		if err != nil {
+			return err
 		}
 
-		expected := "Success! Vault is sealed."
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
+		err = b.Put(latestConfigKey, configBytes)
+		if err != nil {
+			return err
 		}
 
-		sealStatus, err := client.Sys().SealStatus()
+		err = b.Put(latestIndexKey, indexBytes)
 		if err != nil {
-			t.Fatal(err)
+			return err
 		}
-		if !sealStatus.Sealed {
-			t.Errorf("expected to be sealed")
+
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (f *FSM) localNodeConfig() (*LocalNodeConfigValue, error) {
+	var configBytes []byte
+	if err := f.db.View(func(tx *bolt.Tx) error {
+		value := tx.Bucket(configBucketName).Get(localNodeConfigKey)
+		if value != nil {
+			configBytes = make([]byte, len(value))
+			copy(configBytes, value)
+		}
+		return nil
+	}); err != nil {
+		return nil, err
+	}
+	if configBytes == nil {
+		return nil, nil
+	}
+
+	var lnConfig LocalNodeConfigValue
+	if configBytes != nil {
+		err := proto.Unmarshal(configBytes, &lnConfig)
+		if err != nil {
+			return nil, err
 		}
+		f.desiredSuffrage = lnConfig.DesiredSuffrage
+		return &lnConfig, nil
+	}
+
+	return nil, nil
+}
+
+func (f *FSM) DesiredSuffrage() string {
+	f.l.RLock()
+	defer f.l.RUnlock()
+
+	return f.desiredSuffrage
+}
+
+func (f *FSM) upgradeLocalNodeConfig() error {
+	f.l.Lock()
+	defer f.l.Unlock()
+
+	// Read the local node config
+	lnConfig, err := f.localNodeConfig()
+	if err != nil {
+		return err
+	}
+
+	// Entry is already present. Get the suffrage value.
+	if lnConfig != nil {
+		f.desiredSuffrage = lnConfig.DesiredSuffrage
+		return nil
+	}
+
+	//
+	// This is the upgrade case where there is no entry
+	//
+
+	lnConfig = &LocalNodeConfigValue{}
+
+	// Refer to the persisted latest raft config
+	config := f.latestConfig.Load().(*ConfigurationValue)
+
+	// If there is no config, then this is a fresh node coming up. This could end up
+	// being a voter or non-voter. But by default assume that this is a voter. It
+	// will be changed if this node joins the cluster as a non-voter.
+	if config == nil {
+		f.desiredSuffrage = "voter"
+		lnConfig.DesiredSuffrage = f.desiredSuffrage
+		return f.persistDesiredSuffrage(lnConfig)
+	}
+
+	// Get the last known suffrage of the node and assume that it is the desired
+	// suffrage. There is no better alternative here.
+	for _, srv := range config.Servers {
+		if srv.Id == f.localID {
+			switch srv.Suffrage {
+			case int32(raft.Nonvoter):
+				lnConfig.DesiredSuffrage = "non-voter"
+			default:
+				lnConfig.DesiredSuffrage = "voter"
+			}
+			// Bring the intent to the fsm instance.
+			f.desiredSuffrage = lnConfig.DesiredSuffrage
+			break
+		}
+	}
+
+	return f.persistDesiredSuffrage(lnConfig)
+}
+
+// recordSuffrage is called when a node successfully joins the cluster. This
+// intent should land in the stored configuration. If the config isn't available
+// yet, we still go ahead and store the intent in the fsm. During the next
+// update to the configuration, this intent will be persisted.
+func (f *FSM) recordSuffrage(desiredSuffrage string) error {
+	f.l.Lock()
+	defer f.l.Unlock()
+
+	if err := f.persistDesiredSuffrage(&LocalNodeConfigValue{
+		DesiredSuffrage: desiredSuffrage,
+	}); err != nil {
+		return err
+	}
+
+	f.desiredSuffrage = desiredSuffrage
+	return nil
+}
+
+func (f *FSM) persistDesiredSuffrage(lnconfig *LocalNodeConfigValue) error {
+	dsBytes, err := proto.Marshal(lnconfig)
+	if err != nil {
+		return err
+	}
+
+	return f.db.Update(func(tx *bolt.Tx) error {
+		return tx.Bucket(configBucketName).Put(localNodeConfigKey, dsBytes)
+	})
+}
+
+func (f *FSM) witnessSnapshot(metadata *raft.SnapshotMeta) error {
+	f.l.RLock()
+	defer f.l.RUnlock()
+
+	err := writeSnapshotMetaToDB(metadata, f.db)
+	if err != nil {
+		return err
+	}
+
+	atomic.StoreUint64(f.latestIndex, metadata.Index)
+	atomic.StoreUint64(f.latestTerm, metadata.Term)
+	f.latestConfig.Store(raftConfigurationToProtoConfiguration(metadata.ConfigurationIndex, metadata.Configuration))
+
+	return nil
+}
+
+// LatestState returns the latest index and configuration values we have seen on
+// this FSM.
+func (f *FSM) LatestState() (*IndexValue, *ConfigurationValue) {
+	return &IndexValue{
+		Term:  atomic.LoadUint64(f.latestTerm),
+		Index: atomic.LoadUint64(f.latestIndex),
+	}, f.latestConfig.Load().(*ConfigurationValue)
+}
+
+// Delete deletes the given key from the bolt file.
+func (f *FSM) Delete(ctx context.Context, path string) error {
+	defer metrics.MeasureSince([]string{"raft_storage", "fsm", "delete"}, time.Now())
+
+	f.l.RLock()
+	defer f.l.RUnlock()
+
+	return f.db.Update(func(tx *bolt.Tx) error {
+		return tx.Bucket(dataBucketName).Delete([]byte(path))
+	})
+}
+
+// Delete deletes the given key from the bolt file.
+func (f *FSM) DeletePrefix(ctx context.Context, prefix string) error {
+	defer metrics.MeasureSince([]string{"raft_storage", "fsm", "delete_prefix"}, time.Now())
+
+	f.l.RLock()
+	defer f.l.RUnlock()
+
+	err := f.db.Update(func(tx *bolt.Tx) error {
+		// Assume bucket exists and has keys
+		c := tx.Bucket(dataBucketName).Cursor()
+
+		prefixBytes := []byte(prefix)
+		for k, _ := c.Seek(prefixBytes); k != nil && bytes.HasPrefix(k, prefixBytes); k, _ = c.Next() {
+			if err := c.Delete(); err != nil {
+				return err
+			}
+		}
+
+		return nil
 	})
 
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
+	return err
+}
 
-		client, closer := testVaultServerBad(t)
-		defer closer()
+// Get retrieves the value at the given path from the bolt file.
+func (f *FSM) Get(ctx context.Context, path string) (*physical.Entry, error) {
+	// TODO: Remove this outdated metric name in an older release
+	defer metrics.MeasureSince([]string{"raft", "get"}, time.Now())
+	defer metrics.MeasureSince([]string{"raft_storage", "fsm", "get"}, time.Now())
 
-		ui, cmd := testOperatorSealCommand(t)
-		cmd.client = client
+	f.l.RLock()
+	defer f.l.RUnlock()
 
-		code := cmd.Run([]string{})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
+	var valCopy []byte
+	var found bool
+
+	err := f.db.View(func(tx *bolt.Tx) error {
+		value := tx.Bucket(dataBucketName).Get([]byte(path))
+		if value != nil {
+			found = true
+			valCopy = make([]byte, len(value))
+			copy(valCopy, value)
 		}
 
-		expected := "Error sealing: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	if !found {
+		return nil, nil
+	}
+
+	return &physical.Entry{
+		Key:   path,
+		Value: valCopy,
+	}, nil
+}
+
+// Put writes the given entry to the bolt file.
+func (f *FSM) Put(ctx context.Context, entry *physical.Entry) error {
+	defer metrics.MeasureSince([]string{"raft_storage", "fsm", "put"}, time.Now())
+
+	f.l.RLock()
+	defer f.l.RUnlock()
+
+	// Start a write transaction.
+	return f.db.Update(func(tx *bolt.Tx) error {
+		return tx.Bucket(dataBucketName).Put([]byte(entry.Key), entry.Value)
+	})
+}
+
+// List retrieves the set of keys with the given prefix from the bolt file.
+func (f *FSM) List(ctx context.Context, prefix string) ([]string, error) {
+	// TODO: Remove this outdated metric name in a future release
+	defer metrics.MeasureSince([]string{"raft", "list"}, time.Now())
+	defer metrics.MeasureSince([]string{"raft_storage", "fsm", "list"}, time.Now())
+
+	f.l.RLock()
+	defer f.l.RUnlock()
+
+	var keys []string
+
+	err := f.db.View(func(tx *bolt.Tx) error {
+		// Assume bucket exists and has keys
+		c := tx.Bucket(dataBucketName).Cursor()
+
+		prefixBytes := []byte(prefix)
+		for k, _ := c.Seek(prefixBytes); k != nil && bytes.HasPrefix(k, prefixBytes); k, _ = c.Next() {
+			key := string(k)
+			key = strings.TrimPrefix(key, prefix)
+			if i := strings.Index(key, "/"); i == -1 {
+				// Add objects only from the current 'folder'
+				keys = append(keys, key)
+			} else {
+				// Add truncated 'folder' paths
+				if len(keys) == 0 || keys[len(keys)-1] != key[:i+1] {
+					keys = append(keys, string(key[:i+1]))
+				}
+			}
 		}
+
+		return nil
 	})
 
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
+	return keys, err
+}
+
+// Transaction writes all the operations in the provided transaction to the bolt
+// file.
+func (f *FSM) Transaction(ctx context.Context, txns []*physical.TxnEntry) error {
+	f.l.RLock()
+	defer f.l.RUnlock()
+
+	// Start a write transaction.
+	err := f.db.Update(func(tx *bolt.Tx) error {
+		b := tx.Bucket(dataBucketName)
+		for _, txn := range txns {
+			var err error
+			switch txn.Operation {
+			case physical.PutOperation:
+				err = b.Put([]byte(txn.Entry.Key), txn.Entry.Value)
+			case physical.DeleteOperation:
+				err = b.Delete([]byte(txn.Entry.Key))
+			default:
+				return fmt.Errorf("%q is not a supported transaction operation", txn.Operation)
+			}
+			if err != nil {
+				return err
+			}
+		}
 
-		_, cmd := testOperatorSealCommand(t)
-		assertNoTabs(t, cmd)
+		return nil
 	})
+
+	return err
+}
+
+// ApplyBatch will apply a set of logs to the FSM. This is called from the raft
+// library.
+func (f *FSM) ApplyBatch(logs []*raft.Log) []interface{} {
+	numLogs := len(logs)
+
+	if numLogs == 0 {
+		return []interface{}{}
+	}
+
+	// We will construct one slice per log, each slice containing another slice of results from our get ops
+	entrySlices := make([][]*FSMEntry, 0, numLogs)
+
+	// Do the unmarshalling first so we don't hold locks
+	var latestConfiguration *ConfigurationValue
+	commands := make([]interface{}, 0, numLogs)
+	for _, l := range logs {
+		switch l.Type {
+		case raft.LogCommand:
+			command := &LogData{}
+			err := proto.Unmarshal(l.Data, command)
+			if err != nil {
+				f.logger.Error("error proto unmarshaling log data", "error", err)
+				panic("error proto unmarshaling log data")
+			}
+			commands = append(commands, command)
+		case raft.LogConfiguration:
+			configuration := raft.DecodeConfiguration(l.Data)
+			config := raftConfigurationToProtoConfiguration(l.Index, configuration)
+
+			commands = append(commands, config)
+
+			// Update the latest configuration the fsm has received; we will
+			// store this after it has been committed to storage.
+			latestConfiguration = config
+
+		default:
+			panic(fmt.Sprintf("got unexpected log type: %d", l.Type))
+		}
+	}
+
+	// Only advance latest pointer if this log has a higher index value than
+	// what we have seen in the past.
+	var logIndex []byte
+	var err error
+	latestIndex, _ := f.LatestState()
+	lastLog := logs[numLogs-1]
+	if latestIndex.Index < lastLog.Index {
+		logIndex, err = proto.Marshal(&IndexValue{
+			Term:  lastLog.Term,
+			Index: lastLog.Index,
+		})
+		if err != nil {
+			f.logger.Error("unable to marshal latest index", "error", err)
+			panic("unable to marshal latest index")
+		}
+	}
+
+	f.l.RLock()
+	defer f.l.RUnlock()
+
+	if f.applyCallback != nil {
+		f.applyCallback()
+	}
+
+	err = f.db.Update(func(tx *bolt.Tx) error {
+		b := tx.Bucket(dataBucketName)
+		for _, commandRaw := range commands {
+			entrySlice := make([]*FSMEntry, 0)
+			switch command := commandRaw.(type) {
+			case *LogData:
+				for _, op := range command.Operations {
+					var err error
+					switch op.OpType {
+					case putOp:
+						err = b.Put([]byte(op.Key), op.Value)
+					case deleteOp:
+						err = b.Delete([]byte(op.Key))
+					case getOp:
+						fsmEntry := &FSMEntry{
+							Key: op.Key,
+						}
+						val := b.Get([]byte(op.Key))
+						if len(val) > 0 {
+							newVal := make([]byte, len(val))
+							copy(newVal, val)
+							fsmEntry.Value = newVal
+						}
+						entrySlice = append(entrySlice, fsmEntry)
+					case restoreCallbackOp:
+						if f.restoreCb != nil {
+							// Kick off the restore callback function in a go routine
+							go f.restoreCb(context.Background())
+						}
+					default:
+						if _, ok := f.unknownOpTypes.Load(op.OpType); !ok {
+							f.logger.Error("unsupported transaction operation", "op", op.OpType)
+							f.unknownOpTypes.Store(op.OpType, struct{}{})
+						}
+					}
+					if err != nil {
+						return err
+					}
+				}
+
+			case *ConfigurationValue:
+				b := tx.Bucket(configBucketName)
+				configBytes, err := proto.Marshal(command)
+				if err != nil {
+					return err
+				}
+				if err := b.Put(latestConfigKey, configBytes); err != nil {
+					return err
+				}
+			}
+
+			entrySlices = append(entrySlices, entrySlice)
+		}
+
+		if len(logIndex) > 0 {
+			b := tx.Bucket(configBucketName)
+			err = b.Put(latestIndexKey, logIndex)
+			if err != nil {
+				return err
+			}
+		}
+
+		return nil
+	})
+	if err != nil {
+		f.logger.Error("failed to store data", "error", err)
+		panic("failed to store data")
+	}
+
+	// If we advanced the latest value, update the in-memory representation too.
+	if len(logIndex) > 0 {
+		atomic.StoreUint64(f.latestTerm, lastLog.Term)
+		atomic.StoreUint64(f.latestIndex, lastLog.Index)
+	}
+
+	// If one or more configuration changes were processed, store the latest one.
+	if latestConfiguration != nil {
+		f.latestConfig.Store(latestConfiguration)
+	}
+
+	// Build the responses. The logs array is used here to ensure we reply to
+	// all command values; even if they are not of the types we expect. This
+	// should futureproof this function from more log types being provided.
+	resp := make([]interface{}, numLogs)
+	for i := range logs {
+		resp[i] = &FSMApplyResponse{
+			Success:    true,
+			EntrySlice: entrySlices[i],
+		}
+	}
+
+	return resp
+}
+
+// Apply will apply a log value to the FSM. This is called from the raft
+// library.
+func (f *FSM) Apply(log *raft.Log) interface{} {
+	return f.ApplyBatch([]*raft.Log{log})[0]
+}
+
+type writeErrorCloser interface {
+	io.WriteCloser
+	CloseWithError(error) error
+}
+
+// writeTo will copy the FSM's content to a remote sink. The data is written
+// twice, once for use in determining various metadata attributes of the dataset
+// (size, checksum, etc) and a second for the sink of the data. We also use a
+// proto delimited writer so we can stream proto messages to the sink.
+func (f *FSM) writeTo(ctx context.Context, metaSink writeErrorCloser, sink writeErrorCloser) {
+	defer metrics.MeasureSince([]string{"raft_storage", "fsm", "write_snapshot"}, time.Now())
+
+	protoWriter := NewDelimitedWriter(sink)
+	metadataProtoWriter := NewDelimitedWriter(metaSink)
+
+	f.l.RLock()
+	defer f.l.RUnlock()
+
+	err := f.db.View(func(tx *bolt.Tx) error {
+		b := tx.Bucket(dataBucketName)
+
+		c := b.Cursor()
+
+		// Do the first scan of the data for metadata purposes.
+		for k, v := c.First(); k != nil; k, v = c.Next() {
+			err := metadataProtoWriter.WriteMsg(&pb.StorageEntry{
+				Key:   string(k),
+				Value: v,
+			})
+			if err != nil {
+				metaSink.CloseWithError(err)
+				return err
+			}
+		}
+		metaSink.Close()
+
+		// Do the second scan for copy purposes.
+		for k, v := c.First(); k != nil; k, v = c.Next() {
+			err := protoWriter.WriteMsg(&pb.StorageEntry{
+				Key:   string(k),
+				Value: v,
+			})
+			if err != nil {
+				return err
+			}
+		}
+
+		return nil
+	})
+	sink.CloseWithError(err)
+}
+
+// Snapshot implements the FSM interface. It returns a noop snapshot object.
+func (f *FSM) Snapshot() (raft.FSMSnapshot, error) {
+	return &noopSnapshotter{
+		fsm: f,
+	}, nil
+}
+
+// SetNoopRestore is used to disable restore operations on raft startup. Because
+// we are using persistent storage in our FSM we do not need to issue a restore
+// on startup.
+func (f *FSM) SetNoopRestore(enabled bool) {
+	f.l.Lock()
+	f.noopRestore = enabled
+	f.l.Unlock()
+}
+
+// Restore installs a new snapshot from the provided reader. It does an atomic
+// rename of the snapshot file into the database filepath. While a restore is
+// happening the FSM is locked and no writes or reads can be performed.
+func (f *FSM) Restore(r io.ReadCloser) error {
+	defer metrics.MeasureSince([]string{"raft_storage", "fsm", "restore_snapshot"}, time.Now())
+
+	if f.noopRestore {
+		return nil
+	}
+
+	snapshotInstaller, ok := r.(*boltSnapshotInstaller)
+	if !ok {
+		wrapper, ok := r.(raft.ReadCloserWrapper)
+		if !ok {
+			return fmt.Errorf("expected ReadCloserWrapper object, got: %T", r)
+		}
+		snapshotInstallerRaw := wrapper.WrappedReadCloser()
+		snapshotInstaller, ok = snapshotInstallerRaw.(*boltSnapshotInstaller)
+		if !ok {
+			return fmt.Errorf("expected snapshot installer object, got: %T", snapshotInstallerRaw)
+		}
+	}
+
+	f.l.Lock()
+	defer f.l.Unlock()
+
+	// Cache the local node config before closing the db file
+	lnConfig, err := f.localNodeConfig()
+	if err != nil {
+		return err
+	}
+
+	// Close the db file
+	if err := f.db.Close(); err != nil {
+		f.logger.Error("failed to close database file", "error", err)
+		return err
+	}
+
+	dbPath := filepath.Join(f.path, databaseFilename)
+
+	f.logger.Info("installing snapshot to FSM")
+
+	// Install the new boltdb file
+	var retErr *multierror.Error
+	if err := snapshotInstaller.Install(dbPath); err != nil {
+		f.logger.Error("failed to install snapshot", "error", err)
+		retErr = multierror.Append(retErr, fmt.Errorf("failed to install snapshot database: %w", err))
+	} else {
+		f.logger.Info("snapshot installed")
+	}
+
+	// Open the db file. We want to do this regardless of if the above install
+	// worked. If the install failed we should try to open the old DB file.
+	if err := f.openDBFile(dbPath); err != nil {
+		f.logger.Error("failed to open new database file", "error", err)
+		retErr = multierror.Append(retErr, fmt.Errorf("failed to open new bolt file: %w", err))
+	}
+
+	// Handle local node config restore. lnConfig should not be nil here, but
+	// adding the nil check anyways for safety.
+	if lnConfig != nil {
+		// Persist the local node config on the restored fsm.
+		if err := f.persistDesiredSuffrage(lnConfig); err != nil {
+			f.logger.Error("failed to persist local node config from before the restore", "error", err)
+			retErr = multierror.Append(retErr, fmt.Errorf("failed to persist local node config from before the restore: %w", err))
+		}
+	}
+
+	return retErr.ErrorOrNil()
+}
+
+// noopSnapshotter implements the fsm.Snapshot interface. It doesn't do anything
+// since our SnapshotStore reads data out of the FSM on Open().
+type noopSnapshotter struct {
+	fsm *FSM
+}
+
+// Persist implements the fsm.Snapshot interface. It doesn't need to persist any
+// state data, but it does persist the raft metadata. This is necessary so we
+// can be sure to capture indexes for operation types that are not sent to the
+// FSM.
+func (s *noopSnapshotter) Persist(sink raft.SnapshotSink) error {
+	boltSnapshotSink := sink.(*BoltSnapshotSink)
+
+	// We are processing a snapshot, fastforward the index, term, and
+	// configuration to the latest seen by the raft system.
+	if err := s.fsm.witnessSnapshot(&boltSnapshotSink.meta); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// Release doesn't do anything.
+func (s *noopSnapshotter) Release() {}
+
+// raftConfigurationToProtoConfiguration converts a raft configuration object to
+// a proto value.
+func raftConfigurationToProtoConfiguration(index uint64, configuration raft.Configuration) *ConfigurationValue {
+	servers := make([]*Server, len(configuration.Servers))
+	for i, s := range configuration.Servers {
+		servers[i] = &Server{
+			Suffrage: int32(s.Suffrage),
+			Id:       string(s.ID),
+			Address:  string(s.Address),
+		}
+	}
+	return &ConfigurationValue{
+		Index:   index,
+		Servers: servers,
+	}
+}
+
+// protoConfigurationToRaftConfiguration converts a proto configuration object
+// to a raft object.
+func protoConfigurationToRaftConfiguration(configuration *ConfigurationValue) (uint64, raft.Configuration) {
+	servers := make([]raft.Server, len(configuration.Servers))
+	for i, s := range configuration.Servers {
+		servers[i] = raft.Server{
+			Suffrage: raft.ServerSuffrage(s.Suffrage),
+			ID:       raft.ServerID(s.Id),
+			Address:  raft.ServerAddress(s.Address),
+		}
+	}
+	return configuration.Index, raft.Configuration{
+		Servers: servers,
+	}
+}
+
+type FSMChunkStorage struct {
+	f   *FSM
+	ctx context.Context
+}
+
+// chunkPaths returns a disk prefix and key given chunkinfo
+func (f *FSMChunkStorage) chunkPaths(chunk *raftchunking.ChunkInfo) (string, string) {
+	prefix := fmt.Sprintf("%s%d/", chunkingPrefix, chunk.OpNum)
+	key := fmt.Sprintf("%s%d", prefix, chunk.SequenceNum)
+	return prefix, key
+}
+
+func (f *FSMChunkStorage) StoreChunk(chunk *raftchunking.ChunkInfo) (bool, error) {
+	b, err := jsonutil.EncodeJSON(chunk)
+	if err != nil {
+		return false, fmt.Errorf("error encoding chunk info: %w", err)
+	}
+
+	prefix, key := f.chunkPaths(chunk)
+
+	entry := &physical.Entry{
+		Key:   key,
+		Value: b,
+	}
+
+	f.f.l.RLock()
+	defer f.f.l.RUnlock()
+
+	// Start a write transaction.
+	done := new(bool)
+	if err := f.f.db.Update(func(tx *bolt.Tx) error {
+		if err := tx.Bucket(dataBucketName).Put([]byte(entry.Key), entry.Value); err != nil {
+			return fmt.Errorf("error storing chunk info: %w", err)
+		}
+
+		// Assume bucket exists and has keys
+		c := tx.Bucket(dataBucketName).Cursor()
+
+		var keys []string
+		prefixBytes := []byte(prefix)
+		for k, _ := c.Seek(prefixBytes); k != nil && bytes.HasPrefix(k, prefixBytes); k, _ = c.Next() {
+			key := string(k)
+			key = strings.TrimPrefix(key, prefix)
+			if i := strings.Index(key, "/"); i == -1 {
+				// Add objects only from the current 'folder'
+				keys = append(keys, key)
+			} else {
+				// Add truncated 'folder' paths
+				keys = strutil.AppendIfMissing(keys, string(key[:i+1]))
+			}
+		}
+
+		*done = uint32(len(keys)) == chunk.NumChunks
+
+		return nil
+	}); err != nil {
+		return false, err
+	}
+
+	return *done, nil
+}
+
+func (f *FSMChunkStorage) FinalizeOp(opNum uint64) ([]*raftchunking.ChunkInfo, error) {
+	ret, err := f.chunksForOpNum(opNum)
+	if err != nil {
+		return nil, fmt.Errorf("error getting chunks for op keys: %w", err)
+	}
+
+	prefix, _ := f.chunkPaths(&raftchunking.ChunkInfo{OpNum: opNum})
+	if err := f.f.DeletePrefix(f.ctx, prefix); err != nil {
+		return nil, fmt.Errorf("error deleting prefix after op finalization: %w", err)
+	}
+
+	return ret, nil
+}
+
+func (f *FSMChunkStorage) chunksForOpNum(opNum uint64) ([]*raftchunking.ChunkInfo, error) {
+	prefix, _ := f.chunkPaths(&raftchunking.ChunkInfo{OpNum: opNum})
+
+	opChunkKeys, err := f.f.List(f.ctx, prefix)
+	if err != nil {
+		return nil, fmt.Errorf("error fetching op chunk keys: %w", err)
+	}
+
+	if len(opChunkKeys) == 0 {
+		return nil, nil
+	}
+
+	var ret []*raftchunking.ChunkInfo
+
+	for _, v := range opChunkKeys {
+		seqNum, err := strconv.ParseInt(v, 10, 64)
+		if err != nil {
+			return nil, fmt.Errorf("error converting seqnum to integer: %w", err)
+		}
+
+		entry, err := f.f.Get(f.ctx, prefix+v)
+		if err != nil {
+			return nil, fmt.Errorf("error fetching chunkinfo: %w", err)
+		}
+
+		var ci raftchunking.ChunkInfo
+		if err := jsonutil.DecodeJSON(entry.Value, &ci); err != nil {
+			return nil, fmt.Errorf("error decoding chunkinfo json: %w", err)
+		}
+
+		if ret == nil {
+			ret = make([]*raftchunking.ChunkInfo, ci.NumChunks)
+		}
+
+		ret[seqNum] = &ci
+	}
+
+	return ret, nil
+}
+
+func (f *FSMChunkStorage) GetChunks() (raftchunking.ChunkMap, error) {
+	opNums, err := f.f.List(f.ctx, chunkingPrefix)
+	if err != nil {
+		return nil, fmt.Errorf("error doing recursive list for chunk saving: %w", err)
+	}
+
+	if len(opNums) == 0 {
+		return nil, nil
+	}
+
+	ret := make(raftchunking.ChunkMap, len(opNums))
+	for _, opNumStr := range opNums {
+		opNum, err := strconv.ParseInt(opNumStr, 10, 64)
+		if err != nil {
+			return nil, fmt.Errorf("error parsing op num during chunk saving: %w", err)
+		}
+
+		opChunks, err := f.chunksForOpNum(uint64(opNum))
+		if err != nil {
+			return nil, fmt.Errorf("error getting chunks for op keys during chunk saving: %w", err)
+		}
+
+		ret[uint64(opNum)] = opChunks
+	}
+
+	return ret, nil
+}
+
+func (f *FSMChunkStorage) RestoreChunks(chunks raftchunking.ChunkMap) error {
+	if err := f.f.DeletePrefix(f.ctx, chunkingPrefix); err != nil {
+		return fmt.Errorf("error deleting prefix for chunk restoration: %w", err)
+	}
+	if len(chunks) == 0 {
+		return nil
+	}
+
+	for opNum, opChunks := range chunks {
+		for _, chunk := range opChunks {
+			if chunk == nil {
+				continue
+			}
+			if chunk.OpNum != opNum {
+				return errors.New("unexpected op number in chunk")
+			}
+			if _, err := f.StoreChunk(chunk); err != nil {
+				return fmt.Errorf("error storing chunk during restoration: %w", err)
+			}
+		}
+	}
+
+	return nil
 }
diff --git a/command/operator_step_down.go b/command/operator_step_down.go
index b9350ee08817..5bd6a0a98adf 100644
--- a/command/operator_step_down.go
+++ b/command/operator_step_down.go
@@ -1,85 +1,117 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
+module github.com/hashicorp/vault/sdk
+
+go 1.19
+
+require (
+	cloud.google.com/go/cloudsqlconn v1.4.3
+	github.com/armon/go-metrics v0.4.1
+	github.com/armon/go-radix v1.0.0
+	github.com/cenkalti/backoff/v3 v3.2.2
+	github.com/docker/docker v24.0.7+incompatible
+	github.com/docker/go-connections v0.4.0
+	github.com/evanphx/json-patch/v5 v5.6.0
+	github.com/fatih/structs v1.1.0
+	github.com/go-ldap/ldap/v3 v3.4.4
+	github.com/go-test/deep v1.1.0
+	github.com/golang/protobuf v1.5.3
+	github.com/golang/snappy v0.0.4
+	github.com/google/tink/go v1.6.1
+	github.com/hashicorp/cap/ldap v0.0.0-20230914221201-c4eecc7e31f7
+	github.com/hashicorp/errwrap v1.1.0
+	github.com/hashicorp/go-cleanhttp v0.5.2
+	github.com/hashicorp/go-hclog v1.5.0
+	github.com/hashicorp/go-immutable-radix v1.3.1
+	github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.0
+	github.com/hashicorp/go-kms-wrapping/v2 v2.0.8
+	github.com/hashicorp/go-multierror v1.1.1
+	github.com/hashicorp/go-plugin v1.6.0
+	github.com/hashicorp/go-retryablehttp v0.7.1
+	github.com/hashicorp/go-secure-stdlib/base62 v0.1.2
+	github.com/hashicorp/go-secure-stdlib/mlock v0.1.2
+	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7
+	github.com/hashicorp/go-secure-stdlib/password v0.1.1
+	github.com/hashicorp/go-secure-stdlib/plugincontainer v0.3.0
+	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2
+	github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.2
+	github.com/hashicorp/go-sockaddr v1.0.2
+	github.com/hashicorp/go-uuid v1.0.3
+	github.com/hashicorp/go-version v1.6.0
+	github.com/hashicorp/golang-lru v0.5.4
+	github.com/hashicorp/hcl v1.0.1-vault-5
+	github.com/hashicorp/vault/api v1.9.1
+	github.com/mitchellh/copystructure v1.2.0
+	github.com/mitchellh/go-testing-interface v1.14.1
+	github.com/mitchellh/mapstructure v1.5.0
+	github.com/pierrec/lz4 v2.6.1+incompatible
+	github.com/ryanuber/go-glob v1.0.0
+	github.com/stretchr/testify v1.8.3
+	go.uber.org/atomic v1.9.0
+	golang.org/x/crypto v0.14.0
+	golang.org/x/net v0.17.0
+	golang.org/x/text v0.13.0
+	google.golang.org/grpc v1.57.2
+	google.golang.org/protobuf v1.31.0
 )
 
-var (
-	_ cli.Command             = (*OperatorStepDownCommand)(nil)
-	_ cli.CommandAutocomplete = (*OperatorStepDownCommand)(nil)
+require (
+	cloud.google.com/go/compute v1.20.1 // indirect
+	cloud.google.com/go/compute/metadata v0.2.3 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
+	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/containerd/containerd v1.7.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/docker/distribution v2.8.2+incompatible // indirect
+	github.com/docker/go-units v0.5.0 // indirect
+	github.com/fatih/color v1.14.1 // indirect
+	github.com/frankban/quicktest v1.11.3 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/google/s2a-go v0.1.4 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect
+	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
+	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
+	github.com/hashicorp/yamux v0.1.1 // indirect
+	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
+	github.com/jackc/pgconn v1.14.0 // indirect
+	github.com/jackc/pgio v1.0.0 // indirect
+	github.com/jackc/pgpassfile v1.0.0 // indirect
+	github.com/jackc/pgproto3/v2 v2.3.2 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
+	github.com/jackc/pgtype v1.14.0 // indirect
+	github.com/jackc/pgx/v4 v4.18.1 // indirect
+	github.com/joshlf/go-acl v0.0.0-20200411065538-eae00ae38531 // indirect
+	github.com/klauspost/compress v1.16.5 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.17 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/moby/patternmatcher v0.5.0 // indirect
+	github.com/moby/sys/sequential v0.5.0 // indirect
+	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
+	github.com/oklog/run v1.1.0 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b // indirect
+	github.com/opencontainers/runc v1.1.6 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/rogpeppe/go-internal v1.8.1 // indirect
+	github.com/sirupsen/logrus v1.9.0 // indirect
+	github.com/stretchr/objx v0.5.0 // indirect
+	go.opencensus.io v0.24.0 // indirect
+	golang.org/x/mod v0.9.0 // indirect
+	golang.org/x/oauth2 v0.11.0 // indirect
+	golang.org/x/sys v0.13.0 // indirect
+	golang.org/x/term v0.13.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
+	golang.org/x/tools v0.7.0 // indirect
+	google.golang.org/api v0.134.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20231030173426-d783a09b4405 // indirect
+	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
-
-type OperatorStepDownCommand struct {
-	*BaseCommand
-}
-
-func (c *OperatorStepDownCommand) Synopsis() string {
-	return "Forces Vault to resign active duty"
-}
-
-func (c *OperatorStepDownCommand) Help() string {
-	helpText := `
-Usage: vault operator step-down [options]
-
-  Forces the Vault server at the given address to step down from active duty.
-  While the affected node will have a delay before attempting to acquire the
-  leader lock again, if no other Vault nodes acquire the lock beforehand, it
-  is possible for the same node to re-acquire the lock and become active
-  again.
-
-  Force Vault to step down as the leader:
-
-      $ vault operator step-down
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *OperatorStepDownCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP)
-}
-
-func (c *OperatorStepDownCommand) AutocompleteArgs() complete.Predictor {
-	return nil
-}
-
-func (c *OperatorStepDownCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *OperatorStepDownCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	if len(args) > 0 {
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(args)))
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	if err := client.Sys().StepDown(); err != nil {
-		c.UI.Error(fmt.Sprintf("Error stepping down: %s", err))
-		return 2
-	}
-
-	c.UI.Output(fmt.Sprintf("Success! Stepped down: %s", client.Address()))
-	return 0
-}
diff --git a/command/operator_step_down_test.go b/command/operator_step_down_test.go
index 376f4ef2e6ae..b71ecfa543b8 100644
--- a/command/operator_step_down_test.go
+++ b/command/operator_step_down_test.go
@@ -1,102 +1,898 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/mitchellh/cli"
-)
-
-func testOperatorStepDownCommand(tb testing.TB) (*cli.MockUi, *OperatorStepDownCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &OperatorStepDownCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestOperatorStepDownCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"too_many_args",
-			[]string{"foo"},
-			"Too many arguments",
-			1,
-		},
-		{
-			"default",
-			nil,
-			"Success! Stepped down: ",
-			0,
-		},
-	}
-
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, tc := range cases {
-			tc := tc
-
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
-
-				client, closer := testVaultServer(t)
-				defer closer()
-
-				ui, cmd := testOperatorStepDownCommand(t)
-				cmd.client = client
-
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
-	})
-
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerBad(t)
-		defer closer()
-
-		ui, cmd := testOperatorStepDownCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Error stepping down: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testOperatorStepDownCommand(t)
-		assertNoTabs(t, cmd)
-	})
-}
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
+cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
+cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
+cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
+cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
+cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
+cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
+cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
+cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc=
+cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk=
+cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs=
+cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc=
+cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=
+cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
+cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
+cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
+cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
+cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
+cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
+cloud.google.com/go/cloudsqlconn v1.4.3 h1:/WYFbB1NtMtoMxCbqpzzTFPDkxxlLTPme390KEGaEPc=
+cloud.google.com/go/cloudsqlconn v1.4.3/go.mod h1:QL3tuStVOO70txb3rs4G8j5uMfo5ztZii8K3oGD3VYA=
+cloud.google.com/go/compute v1.20.1 h1:6aKEtlUiwEpJzM001l0yFkpXmUVXaN8W+fbkb2AZNbg=
+cloud.google.com/go/compute v1.20.1/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM=
+cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
+cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
+cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
+cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
+cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
+cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
+cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
+cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU=
+cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
+cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
+cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
+cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
+cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
+dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 h1:EKPd1INOIyr5hWOWhvpmQpY6tKjeG0hT1s3AMC/9fic=
+github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
+github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
+github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
+github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030IGemrRc=
+github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
+github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
+github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
+github.com/Microsoft/hcsshim v0.10.0-rc.7 h1:HBytQPxcv8Oy4244zbQbe6hnOnx544eL5QPUqhJldz8=
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
+github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
+github.com/armon/go-metrics v0.4.1 h1:hR91U9KYmb6bLBYLQjyM+3j+rcd/UhE+G78SFnF8gJA=
+github.com/armon/go-metrics v0.4.1/go.mod h1:E6amYzXo6aW1tqzoZGT755KkbgrJsSdpwZ+3JqfkOG4=
+github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
+github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI=
+github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
+github.com/aws/aws-sdk-go v1.36.29/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
+github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
+github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
+github.com/bufbuild/protocompile v0.4.0 h1:LbFKd2XowZvQ/kajzguUp2DC9UEIQhIq77fZZlaQsNA=
+github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4=
+github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M=
+github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=
+github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
+github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
+github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
+github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag=
+github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
+github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
+github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
+github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I=
+github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
+github.com/containerd/containerd v1.7.0 h1:G/ZQr3gMZs6ZT0qPUZ15znx5QSdQdASW11nXTLTM2Pg=
+github.com/containerd/containerd v1.7.0/go.mod h1:QfR7Efgb/6X2BDpTPJRvPTYDE9rsF0FsXX9J8sIs/sc=
+github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
+github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/docker v24.0.7+incompatible h1:Wo6l37AuwP3JaMnZa226lzVXGA3F9Ig1seQen0cKYlM=
+github.com/docker/docker v24.0.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
+github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
+github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
+github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww=
+github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4=
+github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
+github.com/fatih/color v1.14.1 h1:qfhVLaG5s+nCROl1zJsZRxFeYrHLqWroPOQ8BWiNb4w=
+github.com/fatih/color v1.14.1/go.mod h1:2oHN61fhTpgcxD3TSWCgKDiH1+x4OiDVVGH8WlgGZGg=
+github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo=
+github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
+github.com/frankban/quicktest v1.11.3 h1:8sXhOn0uLys67V8EsXLc6eszDs8VXWxL3iRvebPhedY=
+github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
+github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/go-asn1-ber/asn1-ber v1.5.4 h1:vXT6d/FNDiELJnLb6hGNa309LMsrCoYFvpwHDF0+Y1A=
+github.com/go-asn1-ber/asn1-ber v1.5.4/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
+github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
+github.com/go-ldap/ldap v3.0.2+incompatible/go.mod h1:qfd9rJvER9Q0/D/Sqn1DfHRoBp40uXYvFoEVrNEPqRc=
+github.com/go-ldap/ldap/v3 v3.4.4 h1:qPjipEpt+qDa6SI/h1fzuGWoRUY+qqQ9sOZq67/PYUs=
+github.com/go-ldap/ldap/v3 v3.4.4/go.mod h1:fe1MsuN5eJJ1FeLT/LEBVdWfNWKh459R7aXgXtJC+aI=
+github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
+github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
+github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
+github.com/go-sql-driver/mysql v1.7.1 h1:lUIinVbN1DY0xBg0eMOzmmtGoHwWBbvnWubQUrtU8EI=
+github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/go-test/deep v1.0.2-0.20181118220953-042da051cf31/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
+github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg=
+github.com/go-test/deep v1.1.0/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
+github.com/gofrs/uuid v4.0.0+incompatible h1:1SD/1F5pU8p29ybwgQSwpQk+mwdRrXCYuPhW6m+TnJw=
+github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
+github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA=
+github.com/golang-sql/sqlexp v0.1.0 h1:ZCD6MBpcuOVfGVqsEmY5/4FtYiKz6tSyUv9LPEDei6A=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
+github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
+github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
+github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
+github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
+github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
+github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
+github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
+github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
+github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
+github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
+github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
+github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
+github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
+github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
+github.com/google/s2a-go v0.1.4 h1:1kZ/sQM3srePvKs3tXAvQzo66XfcReoqFpIpIccE7Oc=
+github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A=
+github.com/google/tink/go v1.6.1 h1:t7JHqO8Ath2w2ig5vjwQYJzhGEZymedQc90lQXUBa4I=
+github.com/google/tink/go v1.6.1/go.mod h1:IGW53kTgag+st5yPhKKwJ6u2l+SSp5/v9XF7spovjlY=
+github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/enterprise-certificate-proxy v0.2.5 h1:UR4rDjcgpgEnqpIEvkiqTYKBCKLNmlge2eVjoZfySzM=
+github.com/googleapis/enterprise-certificate-proxy v0.2.5/go.mod h1:RxW0N9901Cko1VOCW3SXCpWP+mlIEkk2tP7jnHy9a3w=
+github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
+github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
+github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas=
+github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU=
+github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
+github.com/hashicorp/cap/ldap v0.0.0-20230914221201-c4eecc7e31f7 h1:jgVdtp5YMn++PxnYhAFfrURfLf+nlqzBeddbvRG+tTg=
+github.com/hashicorp/cap/ldap v0.0.0-20230914221201-c4eecc7e31f7/go.mod h1:q+c9XV1VqloZFZMu+zdvfb0cm7UrvKbvtmTF5wX5Q9o=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
+github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
+github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
+github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
+github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
+github.com/hashicorp/go-hclog v0.0.0-20180709165350-ff2cf002a8dd/go.mod h1:9bjs9uLqI8l75knNv3lV1kA55veR+WUPSiKIWcQHudI=
+github.com/hashicorp/go-hclog v0.8.0/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
+github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
+github.com/hashicorp/go-hclog v1.5.0 h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c=
+github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
+github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
+github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc=
+github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
+github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.0 h1:pSjQfW3vPtrOTcasTUKgCTQT7OGPPTTMVRrOfU6FJD8=
+github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.0/go.mod h1:xvb32K2keAc+R8DSFG2IwDcydK9DBQE+fGA5fsw6hSk=
+github.com/hashicorp/go-kms-wrapping/v2 v2.0.8 h1:9Q2lu1YbbmiAgvYZ7Pr31RdlVonUpX+mmDL7Z7qTA2U=
+github.com/hashicorp/go-kms-wrapping/v2 v2.0.8/go.mod h1:qTCjxGig/kjuj3hk1z8pOUrzbse/GxB1tGfbrq8tGJg=
+github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
+github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
+github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
+github.com/hashicorp/go-plugin v1.0.1/go.mod h1:++UyYGoz3o5w9ZzAdZxtQKrWWP+iqPBn3cQptSMzBuY=
+github.com/hashicorp/go-plugin v1.6.0 h1:wgd4KxHJTVGGqWBq4QPB1i5BZNEx9BR8+OFmHDmTk8A=
+github.com/hashicorp/go-plugin v1.6.0/go.mod h1:lBS5MtSSBZk0SHc66KACcjjlU6WzEVP/8pwz68aMkCI=
+github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
+github.com/hashicorp/go-retryablehttp v0.5.4/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
+github.com/hashicorp/go-retryablehttp v0.7.1 h1:sUiuQAnLlbvmExtFQs72iFW/HXeUn8Z1aJLQ4LJJbTQ=
+github.com/hashicorp/go-retryablehttp v0.7.1/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
+github.com/hashicorp/go-rootcerts v1.0.1/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
+github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
+github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
+github.com/hashicorp/go-secure-stdlib/base62 v0.1.2 h1:ET4pqyjiGmY09R5y+rSd70J2w45CtbWDNvGqWp/R3Ng=
+github.com/hashicorp/go-secure-stdlib/base62 v0.1.2/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw=
+github.com/hashicorp/go-secure-stdlib/mlock v0.1.2 h1:p4AKXPPS24tO8Wc8i1gLvSKdmkiSY5xuju57czJ/IJQ=
+github.com/hashicorp/go-secure-stdlib/mlock v0.1.2/go.mod h1:zq93CJChV6L9QTfGKtfBxKqD7BqqXx5O04A/ns2p5+I=
+github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8=
+github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 h1:UpiO20jno/eV1eVZcxqWnUohyKRe1g8FPV/xH1s/2qs=
+github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8=
+github.com/hashicorp/go-secure-stdlib/password v0.1.1 h1:6JzmBqXprakgFEHwBgdchsjaA9x3GyjdI568bXKxa60=
+github.com/hashicorp/go-secure-stdlib/password v0.1.1/go.mod h1:9hH302QllNwu1o2TGYtSk8I8kTAN0ca1EHpwhm5Mmzo=
+github.com/hashicorp/go-secure-stdlib/plugincontainer v0.3.0 h1:KMWpBsC65ZBXDpoxJ0n2/zVfZaZIW73k2d8cy5Dv/Kk=
+github.com/hashicorp/go-secure-stdlib/plugincontainer v0.3.0/go.mod h1:qKYwSZ2EOpppko5ud+Sh9TrUgiTAZSaQCr8XWIYXsbM=
+github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U=
+github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts=
+github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4=
+github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.2 h1:phcbL8urUzF/kxA/Oj6awENaRwfWsjP59GW7u2qlDyY=
+github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.2/go.mod h1:l8slYwnJA26yBz+ErHpp2IRCLr0vuOMGBORIz4rRiAs=
+github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc=
+github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A=
+github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
+github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-version v1.1.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
+github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek=
+github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
+github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
+github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
+github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
+github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM=
+github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
+github.com/hashicorp/vault/api v1.0.4/go.mod h1:gDcqh3WGcR1cpF5AJz/B1UFheUEneMoIospckxBxk6Q=
+github.com/hashicorp/vault/api v1.9.1 h1:LtY/I16+5jVGU8rufyyAkwopgq/HpUnxFBg+QLOAV38=
+github.com/hashicorp/vault/api v1.9.1/go.mod h1:78kktNcQYbBGSrOjQfHjXN32OhhxXnbYl3zxpd2uPUs=
+github.com/hashicorp/vault/sdk v0.1.13/go.mod h1:B+hVj7TpuQY1Y/GPbCpffmgd+tSEwvhkWnjtSYCaS2M=
+github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
+github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
+github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
+github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
+github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
+github.com/jackc/chunkreader v1.0.0/go.mod h1:RT6O25fNZIuasFJRyZ4R/Y2BbhasbmZXF9QQ7T3kePo=
+github.com/jackc/chunkreader/v2 v2.0.0/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk=
+github.com/jackc/chunkreader/v2 v2.0.1 h1:i+RDz65UE+mmpjTfyz0MoVTnzeYxroil2G82ki7MGG8=
+github.com/jackc/chunkreader/v2 v2.0.1/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk=
+github.com/jackc/pgconn v0.0.0-20190420214824-7e0022ef6ba3/go.mod h1:jkELnwuX+w9qN5YIfX0fl88Ehu4XC3keFuOJJk9pcnA=
+github.com/jackc/pgconn v0.0.0-20190824142844-760dd75542eb/go.mod h1:lLjNuW/+OfW9/pnVKPazfWOgNfH2aPem8YQ7ilXGvJE=
+github.com/jackc/pgconn v0.0.0-20190831204454-2fabfa3c18b7/go.mod h1:ZJKsE/KZfsUgOEh9hBm+xYTstcNHg7UPMVJqRfQxq4s=
+github.com/jackc/pgconn v1.8.0/go.mod h1:1C2Pb36bGIP9QHGBYCjnyhqu7Rv3sGshaQUvmfGIB/o=
+github.com/jackc/pgconn v1.9.0/go.mod h1:YctiPyvzfU11JFxoXokUOOKQXQmDMoJL9vJzHH8/2JY=
+github.com/jackc/pgconn v1.9.1-0.20210724152538-d89c8390a530/go.mod h1:4z2w8XhRbP1hYxkpTuBjTS3ne3J48K83+u0zoyvg2pI=
+github.com/jackc/pgconn v1.14.0 h1:vrbA9Ud87g6JdFWkHTJXppVce58qPIdP7N8y0Ml/A7Q=
+github.com/jackc/pgconn v1.14.0/go.mod h1:9mBNlny0UvkgJdCDvdVHYSjI+8tD2rnKK69Wz8ti++E=
+github.com/jackc/pgio v1.0.0 h1:g12B9UwVnzGhueNavwioyEEpAmqMe1E/BN9ES+8ovkE=
+github.com/jackc/pgio v1.0.0/go.mod h1:oP+2QK2wFfUWgr+gxjoBH9KGBb31Eio69xUb0w5bYf8=
+github.com/jackc/pgmock v0.0.0-20190831213851-13a1b77aafa2/go.mod h1:fGZlG77KXmcq05nJLRkk0+p82V8B8Dw8KN2/V9c/OAE=
+github.com/jackc/pgmock v0.0.0-20201204152224-4fe30f7445fd/go.mod h1:hrBW0Enj2AZTNpt/7Y5rr2xe/9Mn757Wtb2xeBzPv2c=
+github.com/jackc/pgmock v0.0.0-20210724152146-4ad1a8207f65 h1:DadwsjnMwFjfWc9y5Wi/+Zz7xoE5ALHsRQlOctkOiHc=
+github.com/jackc/pgmock v0.0.0-20210724152146-4ad1a8207f65/go.mod h1:5R2h2EEX+qri8jOWMbJCtaPWkrrNc7OHwsp2TCqp7ak=
+github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
+github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
+github.com/jackc/pgproto3 v1.1.0/go.mod h1:eR5FA3leWg7p9aeAqi37XOTgTIbkABlvcPB3E5rlc78=
+github.com/jackc/pgproto3/v2 v2.0.0-alpha1.0.20190420180111-c116219b62db/go.mod h1:bhq50y+xrl9n5mRYyCBFKkpRVTLYJVWeCc+mEAI3yXA=
+github.com/jackc/pgproto3/v2 v2.0.0-alpha1.0.20190609003834-432c2951c711/go.mod h1:uH0AWtUmuShn0bcesswc4aBTWGvw0cAxIJp+6OB//Wg=
+github.com/jackc/pgproto3/v2 v2.0.0-rc3/go.mod h1:ryONWYqW6dqSg1Lw6vXNMXoBJhpzvWKnT95C46ckYeM=
+github.com/jackc/pgproto3/v2 v2.0.0-rc3.0.20190831210041-4c03ce451f29/go.mod h1:ryONWYqW6dqSg1Lw6vXNMXoBJhpzvWKnT95C46ckYeM=
+github.com/jackc/pgproto3/v2 v2.0.6/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
+github.com/jackc/pgproto3/v2 v2.1.1/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
+github.com/jackc/pgproto3/v2 v2.3.2 h1:7eY55bdBeCz1F2fTzSz69QC+pG46jYq9/jtSPiJ5nn0=
+github.com/jackc/pgproto3/v2 v2.3.2/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
+github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b/go.mod h1:vsD4gTJCa9TptPL8sPkXrLZ+hDuNrZCnj29CQpr4X1E=
+github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a h1:bbPeKD0xmW/Y25WS6cokEszi5g+S0QxI/d45PkRi7Nk=
+github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
+github.com/jackc/pgtype v0.0.0-20190421001408-4ed0de4755e0/go.mod h1:hdSHsc1V01CGwFsrv11mJRHWJ6aifDLfdV3aVjFF0zg=
+github.com/jackc/pgtype v0.0.0-20190824184912-ab885b375b90/go.mod h1:KcahbBH1nCMSo2DXpzsoWOAfFkdEtEJpPbVLq8eE+mc=
+github.com/jackc/pgtype v0.0.0-20190828014616-a8802b16cc59/go.mod h1:MWlu30kVJrUS8lot6TQqcg7mtthZ9T0EoIBFiJcmcyw=
+github.com/jackc/pgtype v1.8.1-0.20210724151600-32e20a603178/go.mod h1:C516IlIV9NKqfsMCXTdChteoXmwgUceqaLfjg2e3NlM=
+github.com/jackc/pgtype v1.14.0 h1:y+xUdabmyMkJLyApYuPj38mW+aAIqCe5uuBB51rH3Vw=
+github.com/jackc/pgtype v1.14.0/go.mod h1:LUMuVrfsFfdKGLw+AFFVv6KtHOFMwRgDDzBt76IqCA4=
+github.com/jackc/pgx/v4 v4.0.0-20190420224344-cc3461e65d96/go.mod h1:mdxmSJJuR08CZQyj1PVQBHy9XOp5p8/SHH6a0psbY9Y=
+github.com/jackc/pgx/v4 v4.0.0-20190421002000-1b8f0016e912/go.mod h1:no/Y67Jkk/9WuGR0JG/JseM9irFbnEPbuWV2EELPNuM=
+github.com/jackc/pgx/v4 v4.0.0-pre1.0.20190824185557-6972a5742186/go.mod h1:X+GQnOEnf1dqHGpw7JmHqHc1NxDoalibchSk9/RWuDc=
+github.com/jackc/pgx/v4 v4.12.1-0.20210724153913-640aa07df17c/go.mod h1:1QD0+tgSXP7iUjYm9C1NxKhny7lq6ee99u/z+IHFcgs=
+github.com/jackc/pgx/v4 v4.18.1 h1:YP7G1KABtKpB5IHrO9vYwSrCOhs7p3uqhvhhQBptya0=
+github.com/jackc/pgx/v4 v4.18.1/go.mod h1:FydWkUyadDmdNH/mHnGob881GawxeEm7TcMCzkb+qQE=
+github.com/jackc/puddle v0.0.0-20190413234325-e4ced69a3a2b/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
+github.com/jackc/puddle v0.0.0-20190608224051-11cab39313c9/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
+github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
+github.com/jackc/puddle v1.3.0/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
+github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
+github.com/jhump/protoreflect v1.15.1 h1:HUMERORf3I3ZdX05WaQ6MIpd/NJ434hTp5YiKgfCL6c=
+github.com/jimlambrt/gldap v0.1.4 h1:PoB5u4ND0E+6W99JtQJvcjGFw+iKi3Gx3M60oOJBOqE=
+github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
+github.com/joshlf/go-acl v0.0.0-20200411065538-eae00ae38531 h1:hgVxRoDDPtQE68PT4LFvNlPz2nBKd3OMlGKIQ69OmR4=
+github.com/joshlf/go-acl v0.0.0-20200411065538-eae00ae38531/go.mod h1:fqTUQpVYBvhCNIsMXGl2GE9q6z94DIP6NtFKXCSTVbg=
+github.com/joshlf/testutil v0.0.0-20170608050642-b5d8aa79d93d h1:J8tJzRyiddAFF65YVgxli+TyWBi0f79Sld6rJP6CBcY=
+github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
+github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
+github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/compress v1.16.5 h1:IFV2oUNUzZaz+XyusxpLzpzS8Pt5rh0Z16For/djlyI=
+github.com/klauspost/compress v1.16.5/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
+github.com/lib/pq v1.1.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
+github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
+github.com/lib/pq v1.10.2 h1:AqzbZs4ZoCBp+GtejcpCpcxM3zlSMx29dXbUSeVtJb8=
+github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
+github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
+github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
+github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
+github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
+github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
+github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
+github.com/mattn/go-isatty v0.0.7/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
+github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
+github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng=
+github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/microsoft/go-mssqldb v1.5.0 h1:CgENxkwtOBNj3Jg6T1X209y2blCfTTcwuOlznd2k9fk=
+github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
+github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
+github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
+github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
+github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
+github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
+github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU=
+github.com/mitchellh/go-testing-interface v1.14.1/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8=
+github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
+github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
+github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
+github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
+github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
+github.com/moby/patternmatcher v0.5.0 h1:YCZgJOeULcxLw1Q+sVR636pmS7sPEn1Qo2iAN6M7DBo=
+github.com/moby/patternmatcher v0.5.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
+github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
+github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
+github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
+github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
+github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
+github.com/oklog/run v1.1.0 h1:GEenZ1cK0+q0+wsJew9qUg/DyD8k3JzYsZAi5gYi2mA=
+github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DVU=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b h1:YWuSjZCQAPM8UUBLkYUk1e+rZcvWHJmFb6i6rM44Xs8=
+github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ=
+github.com/opencontainers/runc v1.1.6 h1:XbhB8IfG/EsnhNvZtNdLB0GBw92GYEFvKlhaJk9jUgA=
+github.com/opencontainers/runc v1.1.6/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50=
+github.com/pascaldekloe/goe v0.1.0 h1:cBOtyMzM9HTpWjXfbbunk26uA6nG3a8n06Wieeh0MwY=
+github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
+github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
+github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9FV9ix19jjM=
+github.com/pierrec/lz4 v2.6.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
+github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
+github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
+github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
+github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU=
+github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
+github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4=
+github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
+github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A=
+github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
+github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
+github.com/rogpeppe/go-internal v1.8.1 h1:geMPLpDpQOgVyCg5z5GoRwLHepNdb71NXb67XFkP+Eg=
+github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o=
+github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
+github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=
+github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc=
+github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
+github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
+github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
+github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
+github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4=
+github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ=
+github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
+github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
+github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
+github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
+github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
+github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.3 h1:RP3t2pwF7cMEbC1dqtB6poj3niw/9gnV4Cjg5oW5gtY=
+github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
+github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
+go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
+go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
+go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
+go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
+go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
+go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
+go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
+go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
+go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
+go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
+go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
+go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
+go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU=
+go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA=
+go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
+go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
+go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM=
+golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190411191339-88737f569e3a/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
+golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
+golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
+golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
+golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
+golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
+golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
+golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
+golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
+golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
+golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
+golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
+golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
+golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
+golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
+golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
+golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
+golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
+golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.9.0 h1:KENHtAZL2y3NLMYZeHY9DW8HW8V+kQyJsY/V9JlKvCs=
+golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU=
+golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
+golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190129075346-302c3dd5f1cc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
+golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
+golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190425163242-31fd60d6bfdc/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20190823170909-c4a336ef6a2f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200103221440-774c71fcf114/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
+golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
+golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
+golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
+golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
+golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
+golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.7.0 h1:W4OVu8VVOaIO0yzWMNdepAulS7YfoS3Zabrm8DOXXU4=
+golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
+golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
+google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
+google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
+google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
+google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
+google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
+google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM=
+google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc=
+google.golang.org/api v0.32.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg=
+google.golang.org/api v0.134.0 h1:ktL4Goua+UBgoP1eL1/60LwZJqa1sIzkLmvoR3hR6Gw=
+google.golang.org/api v0.134.0/go.mod h1:sjRL3UnjTx5UqNQS9EWr9N8p7xbHpy1k0XGRLCf3Spk=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
+google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
+google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190404172233-64821d5d2107/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
+google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA=
+google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=
+google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
+google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
+google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b h1:+YaDE2r2OG8t/z5qmsh7Y+XXwCbvadxxZ0YY6mTdrVA=
+google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130 h1:XVeBY8d/FaK4848myy41HBqnDwvxeV3zMZhwN1TvAMU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20231030173426-d783a09b4405 h1:AB/lmRny7e2pLhFEYIbl5qkDAUt2h0ZRO4wGPhZf+ik=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20231030173426-d783a09b4405/go.mod h1:67X1fPuzjcrkymZzZV1vvkFeTn2Rvc6lYF9MYFGCcwE=
+google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
+google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
+google.golang.org/grpc v1.22.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
+google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=
+google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
+google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
+google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
+google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
+google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
+google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
+google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
+google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ=
+google.golang.org/grpc v1.57.2 h1:uw37EN34aMFFXB2QPW7Tq6tdTbind1GpRxw5aOX3a5k=
+google.golang.org/grpc v1.57.2/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
+google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
+google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
+gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
+gopkg.in/inconshreveable/log15.v2 v2.0.0-20180818164646-67afb5ed74ec/go.mod h1:aPpfJ7XW+gOuirDoZ8gHhLh3kZ1B08FtV2bbmy7Jv3s=
+gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
+gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
+gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
+gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gotest.tools/v3 v3.5.0 h1:Ljk6PdHdOhAb5aDMWXjDLMMhph+BpztA4v1QdqEW2eY=
+honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
+honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
+rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
+rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
diff --git a/command/operator_unseal.go b/command/operator_unseal.go
index 18bd5f4a02a5..9468538a6609 100644
--- a/command/operator_unseal.go
+++ b/command/operator_unseal.go
@@ -1,165 +1,1187 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package vault
 
 import (
+	"context"
+	"crypto/ecdsa"
+	"crypto/x509"
+	"errors"
 	"fmt"
-	"io"
 	"os"
+	"sort"
 	"strings"
+	"sync"
+	"sync/atomic"
+	"time"
 
-	"github.com/hashicorp/go-secure-stdlib/password"
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
+	"github.com/armon/go-metrics"
+	"github.com/hashicorp/errwrap"
+	"github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/sdk/helper/certutil"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/helper/jsonutil"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/sdk/physical"
+	"github.com/hashicorp/vault/vault/seal"
+	"github.com/oklog/run"
+)
+
+const (
+	// lockRetryInterval is the interval we re-attempt to acquire the
+	// HA lock if an error is encountered
+	lockRetryInterval = 10 * time.Second
+
+	// leaderCheckInterval is how often a standby checks for a new leader
+	leaderCheckInterval = 2500 * time.Millisecond
+
+	// keyRotateCheckInterval is how often a standby checks for a key
+	// rotation taking place.
+	keyRotateCheckInterval = 10 * time.Second
+
+	// leaderPrefixCleanDelay is how long to wait between deletions
+	// of orphaned leader keys, to prevent slamming the backend.
+	leaderPrefixCleanDelay = 200 * time.Millisecond
 )
 
 var (
-	_ cli.Command             = (*OperatorUnsealCommand)(nil)
-	_ cli.CommandAutocomplete = (*OperatorUnsealCommand)(nil)
+	addEnterpriseHaActors func(*Core, *run.Group) chan func()            = addEnterpriseHaActorsNoop
+	interruptPerfStandby  func(chan func(), chan struct{}) chan struct{} = interruptPerfStandbyNoop
 )
 
-type OperatorUnsealCommand struct {
-	*BaseCommand
+func addEnterpriseHaActorsNoop(*Core, *run.Group) chan func() { return nil }
+func interruptPerfStandbyNoop(chan func(), chan struct{}) chan struct{} {
+	return make(chan struct{})
+}
 
-	flagReset   bool
-	flagMigrate bool
+// Standby checks if the Vault is in standby mode
+func (c *Core) Standby() (bool, error) {
+	c.stateLock.RLock()
+	standby := c.standby
+	c.stateLock.RUnlock()
+	return standby, nil
+}
 
-	testOutput io.Writer // for tests
+// PerfStandby checks if the vault is a performance standby
+// This function cannot be used during request handling
+// because this causes a deadlock with the statelock.
+func (c *Core) PerfStandby() bool {
+	c.stateLock.RLock()
+	perfStandby := c.perfStandby
+	c.stateLock.RUnlock()
+	return perfStandby
 }
 
-func (c *OperatorUnsealCommand) Synopsis() string {
-	return "Unseals the Vault server"
+func (c *Core) ActiveTime() time.Time {
+	c.stateLock.RLock()
+	activeTime := c.activeTime
+	c.stateLock.RUnlock()
+	return activeTime
 }
 
-func (c *OperatorUnsealCommand) Help() string {
-	helpText := `
-Usage: vault operator unseal [options] [KEY]
+// StandbyStates is meant as a way to avoid some extra locking on the very
+// common sys/health check.
+func (c *Core) StandbyStates() (standby, perfStandby bool) {
+	c.stateLock.RLock()
+	standby = c.standby
+	perfStandby = c.perfStandby
+	c.stateLock.RUnlock()
+	return
+}
 
-  Provide a portion of the root key to unseal a Vault server. Vault starts
-  in a sealed state. It cannot perform operations until it is unsealed. This
-  command accepts a portion of the root key (an "unseal key").
+// getHAMembers retrieves cluster membership that doesn't depend on raft. This should only ever be called by the
+// active node.
+func (c *Core) getHAMembers() ([]HAStatusNode, error) {
+	hostname, err := os.Hostname()
+	if err != nil {
+		return nil, err
+	}
+
+	leader := HAStatusNode{
+		Hostname:       hostname,
+		APIAddress:     c.redirectAddr,
+		ClusterAddress: c.ClusterAddr(),
+		ActiveNode:     true,
+		Version:        c.effectiveSDKVersion,
+	}
+
+	if rb := c.getRaftBackend(); rb != nil {
+		leader.UpgradeVersion = rb.EffectiveVersion()
+		leader.RedundancyZone = rb.RedundancyZone()
+	}
+
+	nodes := []HAStatusNode{leader}
 
-  The unseal key can be supplied as an argument to the command, but this is
-  not recommended as the unseal key will be available in your history:
+	for _, peerNode := range c.GetHAPeerNodesCached() {
+		lastEcho := peerNode.LastEcho
+		nodes = append(nodes, HAStatusNode{
+			Hostname:           peerNode.Hostname,
+			APIAddress:         peerNode.APIAddress,
+			ClusterAddress:     peerNode.ClusterAddress,
+			LastEcho:           &lastEcho,
+			Version:            peerNode.Version,
+			UpgradeVersion:     peerNode.UpgradeVersion,
+			RedundancyZone:     peerNode.RedundancyZone,
+			EchoDurationMillis: peerNode.EchoDuration.Milliseconds(),
+			ClockSkewMillis:    peerNode.ClockSkewMillis,
+		})
+	}
 
-      $ vault operator unseal IXyR0OJnSFobekZMMCKCoVEpT7wI6l+USMzE3IcyDyo=
+	sort.Slice(nodes, func(i, j int) bool {
+		return nodes[i].APIAddress < nodes[j].APIAddress
+	})
 
-  Instead, run the command with no arguments and it will prompt for the key:
+	return nodes, nil
+}
 
-      $ vault operator unseal
-      Key (will be hidden): IXyR0OJnSFobekZMMCKCoVEpT7wI6l+USMzE3IcyDyo=
+// Leader is used to get information about the current active leader in relation to the current node (core).
+// It utilizes a state lock on the Core by attempting to acquire a read lock. Care should be taken not to
+// call this method if a read lock on this Core's state lock is currently held, as this can cause deadlock.
+// e.g. if called from within request handling.
+func (c *Core) Leader() (isLeader bool, leaderAddr, clusterAddr string, err error) {
+	// Check if HA enabled. We don't need the lock for this check as it's set
+	// on startup and never modified
+	if c.ha == nil {
+		return false, "", "", ErrHANotEnabled
+	}
 
-` + c.Flags().Help()
+	// Check if sealed
+	if c.Sealed() {
+		return false, "", "", consts.ErrSealed
+	}
+	c.stateLock.RLock()
+	defer c.stateLock.RUnlock()
 
-	return strings.TrimSpace(helpText)
+	return c.LeaderLocked()
 }
 
-func (c *OperatorUnsealCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+func (c *Core) LeaderLocked() (isLeader bool, leaderAddr, clusterAddr string, err error) {
+	// Check if HA enabled. We don't need the lock for this check as it's set
+	// on startup and never modified
+	if c.ha == nil {
+		return false, "", "", ErrHANotEnabled
+	}
 
-	f := set.NewFlagSet("Command Options")
+	// Check if sealed
+	if c.Sealed() {
+		return false, "", "", consts.ErrSealed
+	}
 
-	f.BoolVar(&BoolVar{
-		Name:       "reset",
-		Aliases:    []string{},
-		Target:     &c.flagReset,
-		Default:    false,
-		EnvVar:     "",
-		Completion: complete.PredictNothing,
-		Usage:      "Discard any previously entered keys to the unseal process.",
+	// Check if we are the leader
+	if !c.standby {
+		return true, c.redirectAddr, c.ClusterAddr(), nil
+	}
+
+	// Initialize a lock
+	lock, err := c.ha.LockWith(CoreLockPath, "read")
+	if err != nil {
+		return false, "", "", err
+	}
+
+	// Read the value
+	held, leaderUUID, err := lock.Value()
+	if err != nil {
+		return false, "", "", err
+	}
+	if !held {
+		return false, "", "", nil
+	}
+
+	var localLeaderUUID, localRedirectAddr, localClusterAddr string
+	clusterLeaderParams := c.clusterLeaderParams.Load().(*ClusterLeaderParams)
+	if clusterLeaderParams != nil {
+		localLeaderUUID = clusterLeaderParams.LeaderUUID
+		localRedirectAddr = clusterLeaderParams.LeaderRedirectAddr
+		localClusterAddr = clusterLeaderParams.LeaderClusterAddr
+	}
+
+	// If the leader hasn't changed, return the cached value; nothing changes
+	// mid-leadership, and the barrier caches anyways
+	if leaderUUID == localLeaderUUID && localRedirectAddr != "" {
+		return false, localRedirectAddr, localClusterAddr, nil
+	}
+
+	c.logger.Trace("found new active node information, refreshing")
+
+	c.leaderParamsLock.Lock()
+	defer c.leaderParamsLock.Unlock()
+
+	// Validate base conditions again
+	clusterLeaderParams = c.clusterLeaderParams.Load().(*ClusterLeaderParams)
+	if clusterLeaderParams != nil {
+		localLeaderUUID = clusterLeaderParams.LeaderUUID
+		localRedirectAddr = clusterLeaderParams.LeaderRedirectAddr
+		localClusterAddr = clusterLeaderParams.LeaderClusterAddr
+	} else {
+		localLeaderUUID = ""
+		localRedirectAddr = ""
+		localClusterAddr = ""
+	}
+
+	if leaderUUID == localLeaderUUID && localRedirectAddr != "" {
+		return false, localRedirectAddr, localClusterAddr, nil
+	}
+
+	key := coreLeaderPrefix + leaderUUID
+	// Use background because postUnseal isn't run on standby
+	entry, err := c.barrier.Get(context.Background(), key)
+	if err != nil {
+		return false, "", "", err
+	}
+	if entry == nil {
+		return false, "", "", nil
+	}
+
+	var oldAdv bool
+
+	var adv activeAdvertisement
+	err = jsonutil.DecodeJSON(entry.Value, &adv)
+	if err != nil {
+		// Fall back to pre-struct handling
+		adv.RedirectAddr = string(entry.Value)
+		c.logger.Debug("parsed redirect addr for new active node", "redirect_addr", adv.RedirectAddr)
+		oldAdv = true
+	}
+
+	// At the top of this function we return early when we're the active node.
+	// If we're not the active node, and there's a stale advertisement pointing
+	// to ourself, there's no point in paying any attention to it.  And by
+	// disregarding it, we can avoid a panic in raft tests using the Inmem network
+	// layer when we try to connect back to ourself.
+	if adv.ClusterAddr == c.ClusterAddr() && adv.RedirectAddr == c.redirectAddr && c.getRaftBackend() != nil {
+		return false, "", "", nil
+	}
+
+	if !oldAdv {
+		c.logger.Debug("parsing information for new active node", "active_cluster_addr", adv.ClusterAddr, "active_redirect_addr", adv.RedirectAddr)
+
+		// Ensure we are using current values
+		err = c.loadLocalClusterTLS(adv)
+		if err != nil {
+			return false, "", "", err
+		}
+
+		// This will ensure that we both have a connection at the ready and that
+		// the address is the current known value
+		// Since this is standby, we don't use the active context. Later we may
+		// use a process-scoped context
+		err = c.refreshRequestForwardingConnection(context.Background(), adv.ClusterAddr)
+		if err != nil {
+			return false, "", "", err
+		}
+	}
+
+	// Don't set these until everything has been parsed successfully or we'll
+	// never try again
+	c.clusterLeaderParams.Store(&ClusterLeaderParams{
+		LeaderUUID:         leaderUUID,
+		LeaderRedirectAddr: adv.RedirectAddr,
+		LeaderClusterAddr:  adv.ClusterAddr,
 	})
 
-	f.BoolVar(&BoolVar{
-		Name:       "migrate",
-		Aliases:    []string{},
-		Target:     &c.flagMigrate,
-		Default:    false,
-		EnvVar:     "",
-		Completion: complete.PredictNothing,
-		Usage:      "Indicate that this share is provided with the intent that it is part of a seal migration process.",
+	return false, adv.RedirectAddr, adv.ClusterAddr, nil
+}
+
+// StepDown is used to step down from leadership
+func (c *Core) StepDown(httpCtx context.Context, req *logical.Request) (retErr error) {
+	defer metrics.MeasureSince([]string{"core", "step_down"}, time.Now())
+
+	if req == nil {
+		return errors.New("nil request to step-down")
+	}
+
+	c.stateLock.RLock()
+	defer c.stateLock.RUnlock()
+
+	if c.Sealed() {
+		return nil
+	}
+	if c.ha == nil || c.standby {
+		return nil
+	}
+
+	ctx, cancel := context.WithCancel(namespace.RootContext(nil))
+	defer cancel()
+
+	go func() {
+		select {
+		case <-ctx.Done():
+		case <-httpCtx.Done():
+			cancel()
+		}
+	}()
+
+	err := c.PopulateTokenEntry(ctx, req)
+	if err != nil {
+		if errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
+			return logical.ErrPermissionDenied
+		}
+		return logical.ErrInvalidRequest
+	}
+	acl, te, entity, identityPolicies, err := c.fetchACLTokenEntryAndEntity(ctx, req)
+	if err != nil {
+		return err
+	}
+
+	// Audit-log the request before going any further
+	auth := &logical.Auth{
+		ClientToken: req.ClientToken,
+		Accessor:    req.ClientTokenAccessor,
+	}
+	if te != nil {
+		auth.IdentityPolicies = identityPolicies[te.NamespaceID]
+		delete(identityPolicies, te.NamespaceID)
+		auth.ExternalNamespacePolicies = identityPolicies
+		auth.TokenPolicies = te.Policies
+		auth.Policies = append(te.Policies, identityPolicies[te.NamespaceID]...)
+		auth.Metadata = te.Meta
+		auth.DisplayName = te.DisplayName
+		auth.EntityID = te.EntityID
+		auth.TokenType = te.Type
+	}
+
+	logInput := &logical.LogInput{
+		Auth:    auth,
+		Request: req,
+	}
+	if err := c.auditBroker.LogRequest(ctx, logInput, c.auditedHeaders); err != nil {
+		c.logger.Error("failed to audit request", "request_path", req.Path, "error", err)
+		return errors.New("failed to audit request, cannot continue")
+	}
+
+	if entity != nil && entity.Disabled {
+		c.logger.Warn("permission denied as the entity on the token is disabled")
+		return logical.ErrPermissionDenied
+	}
+
+	if te != nil && te.EntityID != "" && entity == nil {
+		c.logger.Warn("permission denied as the entity on the token is invalid")
+		return logical.ErrPermissionDenied
+	}
+
+	// Attempt to use the token (decrement num_uses)
+	if te != nil {
+		te, err = c.tokenStore.UseToken(ctx, te)
+		if err != nil {
+			c.logger.Error("failed to use token", "error", err)
+			return ErrInternalError
+		}
+		if te == nil {
+			// Token has been revoked
+			return logical.ErrPermissionDenied
+		}
+	}
+
+	// Verify that this operation is allowed
+	authResults := c.performPolicyChecks(ctx, acl, te, req, entity, &PolicyCheckOpts{
+		RootPrivsRequired: true,
 	})
+	if !authResults.Allowed {
+		retErr = multierror.Append(retErr, authResults.Error)
+		if authResults.Error.ErrorOrNil() == nil || authResults.DeniedError {
+			retErr = multierror.Append(retErr, logical.ErrPermissionDenied)
+		}
+		return retErr
+	}
+
+	if te != nil && te.NumUses == tokenRevocationPending {
+		// Token needs to be revoked. We do this immediately here because
+		// we won't have a token store after sealing.
+		leaseID, err := c.expiration.CreateOrFetchRevocationLeaseByToken(c.activeContext, te)
+		if err == nil {
+			err = c.expiration.Revoke(c.activeContext, leaseID)
+		}
+		if err != nil {
+			c.logger.Error("token needed revocation before step-down but failed to revoke", "error", err)
+			retErr = multierror.Append(retErr, ErrInternalError)
+		}
+	}
+
+	select {
+	case c.manualStepDownCh <- struct{}{}:
+	default:
+		c.logger.Warn("manual step-down operation already queued")
+	}
 
-	return set
+	return retErr
 }
 
-func (c *OperatorUnsealCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictAnything
+// runStandby is a long running process that manages a number of the HA
+// subsystems.
+func (c *Core) runStandby(doneCh, manualStepDownCh, stopCh chan struct{}) {
+	defer close(doneCh)
+	defer close(manualStepDownCh)
+	c.logger.Info("entering standby mode")
+
+	var g run.Group
+	newLeaderCh := addEnterpriseHaActors(c, &g)
+	{
+		// This will cause all the other actors to close when the stop channel
+		// is closed.
+		g.Add(func() error {
+			<-stopCh
+			return nil
+		}, func(error) {})
+	}
+	{
+		// Monitor for key rotations
+		keyRotateStop := make(chan struct{})
+
+		g.Add(func() error {
+			c.periodicCheckKeyUpgrades(context.Background(), keyRotateStop)
+			return nil
+		}, func(error) {
+			close(keyRotateStop)
+			c.logger.Debug("shutting down periodic key rotation checker")
+		})
+	}
+	{
+		// Monitor for new leadership
+		checkLeaderStop := make(chan struct{})
+
+		g.Add(func() error {
+			c.periodicLeaderRefresh(newLeaderCh, checkLeaderStop)
+			return nil
+		}, func(error) {
+			close(checkLeaderStop)
+			c.logger.Debug("shutting down periodic leader refresh")
+		})
+	}
+	{
+		metricsStop := make(chan struct{})
+
+		g.Add(func() error {
+			c.metricsLoop(metricsStop)
+			return nil
+		}, func(error) {
+			close(metricsStop)
+			c.logger.Debug("shutting down periodic metrics")
+		})
+	}
+	{
+		// Wait for leadership
+		leaderStopCh := make(chan struct{})
+
+		g.Add(func() error {
+			c.waitForLeadership(newLeaderCh, manualStepDownCh, leaderStopCh)
+			return nil
+		}, func(error) {
+			close(leaderStopCh)
+			c.logger.Debug("shutting down leader elections")
+		})
+	}
+
+	// Start all the actors
+	g.Run()
 }
 
-func (c *OperatorUnsealCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
+// waitForLeadership is a long running routine that is used when an HA backend
+// is enabled. It waits until we are leader and switches this Vault to
+// active.
+func (c *Core) waitForLeadership(newLeaderCh chan func(), manualStepDownCh, stopCh chan struct{}) {
+	var manualStepDown bool
+	firstIteration := true
+	for {
+		// Check for a shutdown
+		select {
+		case <-stopCh:
+			c.logger.Debug("stop channel triggered in runStandby")
+			return
+		default:
+			// If we've just down, we could instantly grab the lock again. Give
+			// the other nodes a chance.
+			if manualStepDown {
+				time.Sleep(manualStepDownSleepPeriod)
+				manualStepDown = false
+			} else if !firstIteration {
+				// If we restarted the for loop due to an error, wait a second
+				// so that we don't busy loop if the error persists.
+				time.Sleep(1 * time.Second)
+			}
+		}
+		firstIteration = false
+
+		// Create a lock
+		uuid, err := uuid.GenerateUUID()
+		if err != nil {
+			c.logger.Error("failed to generate uuid", "error", err)
+			continue
+		}
+		lock, err := c.ha.LockWith(CoreLockPath, uuid)
+		if err != nil {
+			c.logger.Error("failed to create lock", "error", err)
+			continue
+		}
+
+		// Attempt the acquisition
+		leaderLostCh := c.acquireLock(lock, stopCh)
+
+		// Bail if we are being shutdown
+		if leaderLostCh == nil {
+			return
+		}
+
+		if atomic.LoadUint32(c.neverBecomeActive) == 1 {
+			c.heldHALock = nil
+			lock.Unlock()
+			c.logger.Info("marked never become active, giving up active state")
+			continue
+		}
+
+		// If the backend is a FencingHABackend, register the lock with it so it can
+		// correctly fence all writes from now on  (i.e. assert that we still hold
+		// the lock atomically with each write).
+		if fba, ok := c.ha.(physical.FencingHABackend); ok {
+			err := fba.RegisterActiveNodeLock(lock)
+			if err != nil {
+				// Can't register lock, bail out
+				c.heldHALock = nil
+				lock.Unlock()
+				c.logger.Error("failed registering lock with fencing backend, giving up active state")
+				continue
+			}
+		}
+
+		c.logger.Info("acquired lock, enabling active operation")
+
+		// This is used later to log a metrics event; this can be helpful to
+		// detect flapping
+		activeTime := time.Now()
+
+		continueCh := interruptPerfStandby(newLeaderCh, stopCh)
+
+		// Grab the statelock or stop
+		l := newLockGrabber(c.stateLock.Lock, c.stateLock.Unlock, stopCh)
+		go l.grab()
+		if stopped := l.lockOrStop(); stopped {
+			lock.Unlock()
+			close(continueCh)
+			metrics.MeasureSince([]string{"core", "leadership_setup_failed"}, activeTime)
+			return
+		}
+
+		if c.Sealed() {
+			c.logger.Warn("grabbed HA lock but already sealed, exiting")
+			lock.Unlock()
+			close(continueCh)
+			c.stateLock.Unlock()
+			metrics.MeasureSince([]string{"core", "leadership_setup_failed"}, activeTime)
+			return
+		}
+
+		// Store the lock so that we can manually clear it later if needed
+		c.heldHALock = lock
+
+		// Create the active context
+		activeCtx, activeCtxCancel := context.WithCancel(namespace.RootContext(nil))
+		c.activeContext = activeCtx
+		c.activeContextCancelFunc.Store(activeCtxCancel)
+
+		// Perform seal migration
+		if err := c.migrateSeal(c.activeContext); err != nil {
+			c.logger.Error("seal migration error", "error", err)
+			c.barrier.Seal()
+			c.logger.Warn("vault is sealed")
+			c.heldHALock = nil
+			lock.Unlock()
+			close(continueCh)
+			c.stateLock.Unlock()
+			return
+		}
+
+		// This block is used to wipe barrier/seal state and verify that
+		// everything is sane. If we have no sanity in the barrier, we actually
+		// seal, as there's little we can do.
+		{
+			c.seal.ClearBarrierConfig(activeCtx)
+			if c.seal.RecoveryKeySupported() {
+				c.seal.ClearRecoveryConfig(activeCtx)
+			}
+
+			if err := c.performKeyUpgrades(activeCtx); err != nil {
+				c.logger.Error("error performing key upgrades", "error", err)
+
+				// If we fail due to anything other than a context canceled
+				// error we should shutdown as we may have the incorrect Keys.
+				if !strings.Contains(err.Error(), context.Canceled.Error()) {
+					// We call this in a goroutine so that we can give up the
+					// statelock and have this shut us down; sealInternal has a
+					// workflow where it watches for the stopCh to close so we want
+					// to return from here
+					go c.Shutdown()
+				}
+
+				c.heldHALock = nil
+				lock.Unlock()
+				close(continueCh)
+				c.stateLock.Unlock()
+				metrics.MeasureSince([]string{"core", "leadership_setup_failed"}, activeTime)
+
+				// If we are shutting down we should return from this function,
+				// otherwise continue
+				if !strings.Contains(err.Error(), context.Canceled.Error()) {
+					continue
+				} else {
+					return
+				}
+			}
+		}
+
+		{
+			// Clear previous local cluster cert info so we generate new. Since the
+			// UUID will have changed, standbys will know to look for new info
+			c.localClusterParsedCert.Store((*x509.Certificate)(nil))
+			c.localClusterCert.Store(([]byte)(nil))
+			c.localClusterPrivateKey.Store((*ecdsa.PrivateKey)(nil))
+
+			if err := c.setupCluster(activeCtx); err != nil {
+				c.heldHALock = nil
+				lock.Unlock()
+				close(continueCh)
+				c.stateLock.Unlock()
+				c.logger.Error("cluster setup failed", "error", err)
+				metrics.MeasureSince([]string{"core", "leadership_setup_failed"}, activeTime)
+				continue
+			}
+
+		}
+		// Advertise as leader
+		if err := c.advertiseLeader(activeCtx, uuid, leaderLostCh); err != nil {
+			c.heldHALock = nil
+			lock.Unlock()
+			close(continueCh)
+			c.stateLock.Unlock()
+			c.logger.Error("leader advertisement setup failed", "error", err)
+			metrics.MeasureSince([]string{"core", "leadership_setup_failed"}, activeTime)
+			continue
+		}
+
+		// Attempt the post-unseal process
+		err = c.postUnseal(activeCtx, activeCtxCancel, standardUnsealStrategy{})
+		if err == nil {
+			c.standby = false
+			c.leaderUUID = uuid
+			c.metricSink.SetGaugeWithLabels([]string{"core", "active"}, 1, nil)
+		}
+
+		close(continueCh)
+		c.stateLock.Unlock()
+
+		// Handle a failure to unseal
+		if err != nil {
+			c.logger.Error("post-unseal setup failed", "error", err)
+			lock.Unlock()
+			metrics.MeasureSince([]string{"core", "leadership_setup_failed"}, activeTime)
+			continue
+		}
+
+		// Monitor a loss of leadership
+		select {
+		case <-leaderLostCh:
+			c.logger.Warn("leadership lost, stopping active operation")
+		case <-stopCh:
+		case <-manualStepDownCh:
+			manualStepDown = true
+			c.logger.Warn("stepping down from active operation to standby")
+		}
+
+		// Stop Active Duty
+		{
+			// Spawn this in a go routine so we can cancel the context and
+			// unblock any inflight requests that are holding the statelock.
+			go func() {
+				timer := time.NewTimer(DefaultMaxRequestDuration)
+				select {
+				case <-activeCtx.Done():
+					timer.Stop()
+					// Attempt to drain any inflight requests
+				case <-timer.C:
+					activeCtxCancel()
+				}
+			}()
+
+			// Grab lock if we are not stopped
+			l := newLockGrabber(c.stateLock.Lock, c.stateLock.Unlock, stopCh)
+			go l.grab()
+			stopped := l.lockOrStop()
+
+			// Cancel the context incase the above go routine hasn't done it
+			// yet
+			activeCtxCancel()
+			metrics.MeasureSince([]string{"core", "leadership_lost"}, activeTime)
+
+			// Mark as standby
+			c.standby = true
+			c.leaderUUID = ""
+			c.metricSink.SetGaugeWithLabels([]string{"core", "active"}, 0, nil)
+
+			// Seal
+			if err := c.preSeal(); err != nil {
+				c.logger.Error("pre-seal teardown failed", "error", err)
+			}
+
+			// If we are not meant to keep the HA lock, clear it
+			if atomic.LoadUint32(c.keepHALockOnStepDown) == 0 {
+				if err := c.clearLeader(uuid); err != nil {
+					c.logger.Error("clearing leader advertisement failed", "error", err)
+				}
+
+				if err := c.heldHALock.Unlock(); err != nil {
+					c.logger.Error("unlocking HA lock failed", "error", err)
+				}
+				c.heldHALock = nil
+			}
+
+			// Advertise ourselves as a standby.
+			if c.serviceRegistration != nil {
+				if err := c.serviceRegistration.NotifyActiveStateChange(false); err != nil {
+					c.logger.Warn("failed to notify standby status", "error", err)
+				}
+			}
+
+			// If we are stopped return, otherwise unlock the statelock
+			if stopped {
+				return
+			}
+			c.stateLock.Unlock()
+		}
+	}
 }
 
-func (c *OperatorUnsealCommand) Run(args []string) int {
-	f := c.Flags()
+// grabLockOrStop returns stopped=false if the lock is acquired. Returns
+// stopped=true if the lock is not acquired, because stopCh was closed. If the
+// lock was acquired (stopped=false) then it's up to the caller to unlock. If
+// the lock was not acquired (stopped=true), the caller does not hold the lock and
+// should not call unlock.
+// It's probably better to inline the body of grabLockOrStop into your function
+// instead of calling it. If multiple functions call grabLockOrStop, when a deadlock
+// occurs, we have no way of knowing who launched the grab goroutine, complicating
+// investigation.
+func grabLockOrStop(lockFunc, unlockFunc func(), stopCh chan struct{}) (stopped bool) {
+	l := newLockGrabber(lockFunc, unlockFunc, stopCh)
+	go l.grab()
+	return l.lockOrStop()
+}
 
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
+type lockGrabber struct {
+	// stopCh provides a way to interrupt the grab-or-stop
+	stopCh chan struct{}
+	// doneCh is closed when the child goroutine is done.
+	doneCh     chan struct{}
+	lockFunc   func()
+	unlockFunc func()
+	// lock protects these variables which are shared by parent and child.
+	lock          sync.Mutex
+	parentWaiting bool
+	locked        bool
+}
+
+func newLockGrabber(lockFunc, unlockFunc func(), stopCh chan struct{}) *lockGrabber {
+	return &lockGrabber{
+		doneCh:        make(chan struct{}),
+		lockFunc:      lockFunc,
+		unlockFunc:    unlockFunc,
+		parentWaiting: true,
+		stopCh:        stopCh,
 	}
+}
 
-	unsealKey := ""
+// lockOrStop waits for grab to get a lock or give up, see grabLockOrStop for how to use it.
+func (l *lockGrabber) lockOrStop() (stopped bool) {
+	stop := false
+	select {
+	case <-l.stopCh:
+		stop = true
+	case <-l.doneCh:
+	}
 
-	args = f.Args()
-	switch len(args) {
-	case 0:
-		// We will prompt for the unseal key later
-	case 1:
-		unsealKey = strings.TrimSpace(args[0])
-	default:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
+	// The child goroutine may not have acquired the lock yet.
+	l.lock.Lock()
+	defer l.lock.Unlock()
+	l.parentWaiting = false
+	if stop {
+		if l.locked {
+			l.unlockFunc()
+		}
+		return true
 	}
+	return false
+}
 
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
+// grab tries to get a lock, see grabLockOrStop for how to use it.
+func (l *lockGrabber) grab() {
+	defer close(l.doneCh)
+	l.lockFunc()
+
+	// The parent goroutine may or may not be waiting.
+	l.lock.Lock()
+	defer l.lock.Unlock()
+	if !l.parentWaiting {
+		l.unlockFunc()
+	} else {
+		l.locked = true
 	}
+}
+
+// This checks the leader periodically to ensure that we switch RPC to a new
+// leader pretty quickly. There is logic in Leader() already to not make this
+// onerous and avoid more traffic than needed, so we just call that and ignore
+// the result.
+func (c *Core) periodicLeaderRefresh(newLeaderCh chan func(), stopCh chan struct{}) {
+	opCount := new(int32)
 
-	if c.flagReset {
-		status, err := client.Sys().ResetUnsealProcess()
+	clusterAddr := ""
+	for {
+		timer := time.NewTimer(leaderCheckInterval)
+		select {
+		case <-timer.C:
+			count := atomic.AddInt32(opCount, 1)
+			if count > 1 {
+				atomic.AddInt32(opCount, -1)
+				continue
+			}
+			// We do this in a goroutine because otherwise if this refresh is
+			// called while we're shutting down the call to Leader() can
+			// deadlock, which then means stopCh can never been seen and we can
+			// block shutdown
+			go func() {
+				// Bind locally, as the race detector is tripping here
+				lopCount := opCount
+				isLeader, _, newClusterAddr, err := c.Leader()
+				if err != nil {
+					// This is debug level because it's not really something the user
+					// needs to see typically. This will only really fail if we are sealed
+					// or the HALock fails (e.g. can't connect to Consul or elect raft
+					// leader) and other things in logs should make those kinds of
+					// conditions obvious. However when debugging, it is useful to know
+					// for sure why a standby is not seeing the leadership update which
+					// could be due to errors being returned or could be due to some other
+					// bug.
+					c.logger.Debug("periodicLeaderRefresh fail to fetch leader info", "err", err)
+				}
+
+				// If we are the leader reset the clusterAddr since the next
+				// failover might go to the node that was previously active.
+				if isLeader {
+					clusterAddr = ""
+				}
+
+				if !isLeader && newClusterAddr != clusterAddr && newLeaderCh != nil {
+					select {
+					case newLeaderCh <- nil:
+						c.logger.Debug("new leader found, triggering new leader channel")
+						clusterAddr = newClusterAddr
+					default:
+						c.logger.Debug("new leader found, but still processing previous leader change")
+					}
+				}
+				atomic.AddInt32(lopCount, -1)
+			}()
+		case <-stopCh:
+			timer.Stop()
+			return
+		}
+	}
+}
+
+// periodicCheckKeyUpgrade is used to watch for key rotation events as a standby
+func (c *Core) periodicCheckKeyUpgrades(ctx context.Context, stopCh chan struct{}) {
+	raftBackend := c.getRaftBackend()
+	isRaft := raftBackend != nil
+
+	opCount := new(int32)
+	for {
+		timer := time.NewTimer(keyRotateCheckInterval)
+		select {
+		case <-timer.C:
+			count := atomic.AddInt32(opCount, 1)
+			if count > 1 {
+				atomic.AddInt32(opCount, -1)
+				continue
+			}
+
+			go func() {
+				// Bind locally, as the race detector is tripping here
+				lopCount := opCount
+
+				// Only check if we are a standby
+				c.stateLock.RLock()
+				standby := c.standby
+				c.stateLock.RUnlock()
+				if !standby {
+					atomic.AddInt32(lopCount, -1)
+					return
+				}
+
+				// Check for a poison pill. If we can read it, it means we have stale
+				// keys (e.g. from replication being activated) and we need to seal to
+				// be unsealed again.
+				entry, _ := c.barrier.Get(ctx, poisonPillPath)
+				entryDR, _ := c.barrier.Get(ctx, poisonPillDRPath)
+				if (entry != nil && len(entry.Value) > 0) || (entryDR != nil && len(entryDR.Value) > 0) {
+					c.logger.Warn("encryption keys have changed out from underneath us (possibly due to replication enabling), must be unsealed again")
+					// If we are using raft storage we do not want to shut down
+					// raft during replication secondary enablement. This will
+					// allow us to keep making progress on the raft log.
+					go c.sealInternalWithOptions(true, false, !isRaft)
+					atomic.AddInt32(lopCount, -1)
+					return
+				}
+
+				if err := c.checkKeyUpgrades(ctx); err != nil {
+					c.logger.Error("key rotation periodic upgrade check failed", "error", err)
+				}
+
+				if isRaft {
+					hasState, err := raftBackend.HasState()
+					if err != nil {
+						c.logger.Error("could not check raft state", "error", err)
+					}
+
+					if raftBackend.Initialized() && hasState {
+						if err := c.checkRaftTLSKeyUpgrades(ctx); err != nil {
+							c.logger.Error("raft tls periodic upgrade check failed", "error", err)
+						}
+					}
+				}
+
+				atomic.AddInt32(lopCount, -1)
+				return
+			}()
+		case <-stopCh:
+			timer.Stop()
+			return
+		}
+	}
+}
+
+// checkKeyUpgrades is used to check if there have been any key rotations
+// and if there is a chain of upgrades available
+func (c *Core) checkKeyUpgrades(ctx context.Context) error {
+	for {
+		// Check for an upgrade
+		didUpgrade, newTerm, err := c.barrier.CheckUpgrade(ctx)
 		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error resetting unseal process: %s", err))
-			return 2
+			return err
+		}
+
+		// Nothing to do if no upgrade
+		if !didUpgrade {
+			break
+		}
+		if c.logger.IsInfo() {
+			c.logger.Info("upgraded to new key term", "term", newTerm)
 		}
-		return OutputSealStatus(c.UI, client, status)
 	}
+	return nil
+}
+
+func (c *Core) reloadRootKey(ctx context.Context) error {
+	if err := c.barrier.ReloadRootKey(ctx); err != nil {
+		return fmt.Errorf("error reloading root key: %w", err)
+	}
+	return nil
+}
 
-	if unsealKey == "" {
-		// Override the output
-		writer := (io.Writer)(os.Stdout)
-		if c.testOutput != nil {
-			writer = c.testOutput
+func (c *Core) reloadShamirKey(ctx context.Context) error {
+	_ = c.seal.ClearBarrierConfig(ctx)
+
+	cfg, _ := c.seal.BarrierConfig(ctx)
+	if cfg == nil {
+		return nil
+	}
+
+	var shamirKey []byte
+	switch c.seal.StoredKeysSupported() {
+	case seal.StoredKeysSupportedGeneric:
+		return nil
+	case seal.StoredKeysSupportedShamirRoot:
+		entry, err := c.barrier.Get(ctx, shamirKekPath)
+		if err != nil {
+			return err
 		}
+		if entry == nil {
+			return nil
+		}
+		shamirKey = entry.Value
+	case seal.StoredKeysNotSupported:
+		keyring, err := c.barrier.Keyring()
+		if err != nil {
+			return fmt.Errorf("failed to update seal access: %w", err)
+		}
+		shamirKey = keyring.rootKey
+	}
+	return c.seal.GetAccess().SetShamirSealKey(shamirKey)
+}
+
+func (c *Core) performKeyUpgrades(ctx context.Context) error {
+	if err := c.checkKeyUpgrades(ctx); err != nil {
+		return fmt.Errorf("error checking for key upgrades: %w", err)
+	}
 
-		fmt.Fprintf(writer, "Unseal Key (will be hidden): ")
-		value, err := password.Read(os.Stdin)
-		fmt.Fprintf(writer, "\n")
+	if err := c.reloadRootKey(ctx); err != nil {
+		return fmt.Errorf("error reloading root key: %w", err)
+	}
+
+	if err := c.barrier.ReloadKeyring(ctx); err != nil {
+		return fmt.Errorf("error reloading keyring: %w", err)
+	}
+
+	if err := c.reloadShamirKey(ctx); err != nil {
+		return fmt.Errorf("error reloading shamir kek key: %w", err)
+	}
+
+	if err := c.scheduleUpgradeCleanup(ctx); err != nil {
+		return fmt.Errorf("error scheduling upgrade cleanup: %w", err)
+	}
+
+	return nil
+}
+
+// scheduleUpgradeCleanup is used to ensure that all the upgrade paths
+// are cleaned up in a timely manner if a leader failover takes place
+func (c *Core) scheduleUpgradeCleanup(ctx context.Context) error {
+	// List the upgrades
+	upgrades, err := c.barrier.List(ctx, keyringUpgradePrefix)
+	if err != nil {
+		return fmt.Errorf("failed to list upgrades: %w", err)
+	}
+
+	// Nothing to do if no upgrades
+	if len(upgrades) == 0 {
+		return nil
+	}
+
+	// Schedule cleanup for all of them
+	time.AfterFunc(c.KeyRotateGracePeriod(), func() {
+		sealed, err := c.barrier.Sealed()
 		if err != nil {
-			c.UI.Error(wrapAtLength(fmt.Sprintf("An error occurred attempting to "+
-				"ask for an unseal key. The raw error message is shown below, but "+
-				"usually this is because you attempted to pipe a value into the "+
-				"unseal command or you are executing outside of a terminal (tty). "+
-				"You should run the unseal command from a terminal for maximum "+
-				"security. If this is not an option, the unseal key can be provided "+
-				"as the first argument to the unseal command. The raw error "+
-				"was:\n\n%s", err)))
-			return 1
-		}
-		unsealKey = strings.TrimSpace(value)
-	}
-
-	status, err := client.Sys().UnsealWithOptions(&api.UnsealOpts{
-		Key:     unsealKey,
-		Migrate: c.flagMigrate,
+			c.logger.Warn("failed to check barrier status at upgrade cleanup time")
+			return
+		}
+		if sealed {
+			c.logger.Warn("barrier sealed at upgrade cleanup time")
+			return
+		}
+		for _, upgrade := range upgrades {
+			path := fmt.Sprintf("%s%s", keyringUpgradePrefix, upgrade)
+			if err := c.barrier.Delete(ctx, path); err != nil {
+				c.logger.Error("failed to cleanup upgrade", "path", path, "error", err)
+			}
+		}
 	})
+	return nil
+}
+
+// acquireLock blocks until the lock is acquired, returning the leaderLostCh
+func (c *Core) acquireLock(lock physical.Lock, stopCh <-chan struct{}) <-chan struct{} {
+	for {
+		// Attempt lock acquisition
+		leaderLostCh, err := lock.Lock(stopCh)
+		if err == nil {
+			return leaderLostCh
+		}
+
+		// Retry the acquisition
+		c.logger.Error("failed to acquire lock", "error", err)
+		timer := time.NewTimer(lockRetryInterval)
+		select {
+		case <-timer.C:
+		case <-stopCh:
+			timer.Stop()
+			return nil
+		}
+	}
+}
+
+// advertiseLeader is used to advertise the current node as leader
+func (c *Core) advertiseLeader(ctx context.Context, uuid string, leaderLostCh <-chan struct{}) error {
+	if leaderLostCh != nil {
+		go c.cleanLeaderPrefix(ctx, uuid, leaderLostCh)
+	}
+
+	var key *ecdsa.PrivateKey
+	switch c.localClusterPrivateKey.Load().(type) {
+	case *ecdsa.PrivateKey:
+		key = c.localClusterPrivateKey.Load().(*ecdsa.PrivateKey)
+	default:
+		c.logger.Error("unknown cluster private key type", "key_type", fmt.Sprintf("%T", c.localClusterPrivateKey.Load()))
+		return fmt.Errorf("unknown cluster private key type %T", c.localClusterPrivateKey.Load())
+	}
+
+	keyParams := &certutil.ClusterKeyParams{
+		Type: corePrivateKeyTypeP521,
+		X:    key.X,
+		Y:    key.Y,
+		D:    key.D,
+	}
+
+	locCert := c.localClusterCert.Load().([]byte)
+	localCert := make([]byte, len(locCert))
+	copy(localCert, locCert)
+	adv := &activeAdvertisement{
+		RedirectAddr:     c.redirectAddr,
+		ClusterAddr:      c.ClusterAddr(),
+		ClusterCert:      localCert,
+		ClusterKeyParams: keyParams,
+	}
+	val, err := jsonutil.EncodeJSON(adv)
 	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error unsealing: %s", err))
-		return 2
+		return err
 	}
+	ent := &logical.StorageEntry{
+		Key:   coreLeaderPrefix + uuid,
+		Value: val,
+	}
+	err = c.barrier.Put(ctx, ent)
+	if err != nil {
+		return err
+	}
+
+	if c.serviceRegistration != nil {
+		if err := c.serviceRegistration.NotifyActiveStateChange(true); err != nil {
+			if c.logger.IsWarn() {
+				c.logger.Warn("failed to notify active status", "error", err)
+			}
+		}
+	}
+	return nil
+}
+
+func (c *Core) cleanLeaderPrefix(ctx context.Context, uuid string, leaderLostCh <-chan struct{}) {
+	keys, err := c.barrier.List(ctx, coreLeaderPrefix)
+	if err != nil {
+		c.logger.Error("failed to list entries in core/leader", "error", err)
+		return
+	}
+	for len(keys) > 0 {
+		timer := time.NewTimer(leaderPrefixCleanDelay)
+		select {
+		case <-timer.C:
+			if keys[0] != uuid {
+				c.barrier.Delete(ctx, coreLeaderPrefix+keys[0])
+			}
+			keys = keys[1:]
+		case <-leaderLostCh:
+			timer.Stop()
+			return
+		}
+	}
+}
+
+// clearLeader is used to clear our leadership entry
+func (c *Core) clearLeader(uuid string) error {
+	key := coreLeaderPrefix + uuid
+	return c.barrier.Delete(context.Background(), key)
+}
 
-	return OutputSealStatus(c.UI, client, status)
+func (c *Core) SetNeverBecomeActive(on bool) {
+	if on {
+		atomic.StoreUint32(c.neverBecomeActive, 1)
+	} else {
+		atomic.StoreUint32(c.neverBecomeActive, 0)
+	}
 }
diff --git a/command/operator_unseal_test.go b/command/operator_unseal_test.go
index 8e45978c0beb..2e1db26aa0af 100644
--- a/command/operator_unseal_test.go
+++ b/command/operator_unseal_test.go
@@ -1,189 +1,1272 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package http
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
 	"io/ioutil"
+	"mime"
+	"net"
+	"net/http"
+	"net/http/pprof"
+	"net/textproto"
+	"net/url"
 	"os"
+	"regexp"
 	"strings"
-	"testing"
+	"time"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/errwrap"
+	"github.com/hashicorp/go-cleanhttp"
+	"github.com/hashicorp/go-secure-stdlib/parseutil"
+	"github.com/hashicorp/go-sockaddr"
+	"github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/internalshared/configutil"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/helper/jsonutil"
+	"github.com/hashicorp/vault/sdk/helper/pathmanager"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/vault"
+	gziphandler "github.com/klauspost/compress/gzhttp"
 )
 
-func testOperatorUnsealCommand(tb testing.TB) (*cli.MockUi, *OperatorUnsealCommand) {
-	tb.Helper()
+const (
+	// WrapTTLHeaderName is the name of the header containing a directive to
+	// wrap the response
+	WrapTTLHeaderName = "X-Vault-Wrap-TTL"
 
-	ui := cli.NewMockUi()
-	return ui, &OperatorUnsealCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
+	// WrapFormatHeaderName is the name of the header containing the format to
+	// wrap in; has no effect if the wrap TTL is not set
+	WrapFormatHeaderName = "X-Vault-Wrap-Format"
+
+	// NoRequestForwardingHeaderName is the name of the header telling Vault
+	// not to use request forwarding
+	NoRequestForwardingHeaderName = "X-Vault-No-Request-Forwarding"
+
+	// MFAHeaderName represents the HTTP header which carries the credentials
+	// required to perform MFA on any path.
+	MFAHeaderName = "X-Vault-MFA"
+
+	// canonicalMFAHeaderName is the MFA header value's format in the request
+	// headers. Do not alter the casing of this string.
+	canonicalMFAHeaderName = "X-Vault-Mfa"
+
+	// PolicyOverrideHeaderName is the header set to request overriding
+	// soft-mandatory Sentinel policies.
+	PolicyOverrideHeaderName = "X-Vault-Policy-Override"
+
+	VaultIndexHeaderName        = "X-Vault-Index"
+	VaultInconsistentHeaderName = "X-Vault-Inconsistent"
+	VaultForwardHeaderName      = "X-Vault-Forward"
+	VaultInconsistentForward    = "forward-active-node"
+	VaultInconsistentFail       = "fail"
+
+	// DefaultMaxRequestSize is the default maximum accepted request size. This
+	// is to prevent a denial of service attack where no Content-Length is
+	// provided and the server is fed ever more data until it exhausts memory.
+	// Can be overridden per listener.
+	DefaultMaxRequestSize = 32 * 1024 * 1024
+)
+
+var (
+	// Set to false by stub_asset if the ui build tag isn't enabled
+	uiBuiltIn = true
+
+	// perfStandbyAlwaysForwardPaths is used to check a requested path against
+	// the always forward list
+	perfStandbyAlwaysForwardPaths = pathmanager.New()
+	alwaysRedirectPaths           = pathmanager.New()
+	websocketPaths                = pathmanager.New()
+
+	injectDataIntoTopRoutes = []string{
+		"/v1/sys/audit",
+		"/v1/sys/audit/",
+		"/v1/sys/audit-hash/",
+		"/v1/sys/auth",
+		"/v1/sys/auth/",
+		"/v1/sys/config/cors",
+		"/v1/sys/config/auditing/request-headers/",
+		"/v1/sys/config/auditing/request-headers",
+		"/v1/sys/capabilities",
+		"/v1/sys/capabilities-accessor",
+		"/v1/sys/capabilities-self",
+		"/v1/sys/ha-status",
+		"/v1/sys/key-status",
+		"/v1/sys/mounts",
+		"/v1/sys/mounts/",
+		"/v1/sys/policy",
+		"/v1/sys/policy/",
+		"/v1/sys/rekey/backup",
+		"/v1/sys/rekey/recovery-key-backup",
+		"/v1/sys/remount",
+		"/v1/sys/rotate",
+		"/v1/sys/wrapping/wrap",
 	}
+	websocketRawPaths = []string{
+		"/v1/sys/events/subscribe",
+	}
+	oidcProtectedPathRegex = regexp.MustCompile(`^identity/oidc/provider/\w(([\w-.]+)?\w)?/userinfo$`)
+)
+
+func init() {
+	alwaysRedirectPaths.AddPaths([]string{
+		"sys/storage/raft/snapshot",
+		"sys/storage/raft/snapshot-force",
+		"!sys/storage/raft/snapshot-auto/config",
+	})
+	websocketPaths.AddPaths(websocketRawPaths)
+	for _, path := range websocketRawPaths {
+		alwaysRedirectPaths.AddPaths([]string{strings.TrimPrefix(path, "/v1/")})
+	}
+}
+
+type HandlerAnchor struct{}
+
+func (h HandlerAnchor) Handler(props *vault.HandlerProperties) http.Handler {
+	return handler(props)
+}
+
+var Handler vault.HandlerHandler = HandlerAnchor{}
+
+type HandlerFunc func(props *vault.HandlerProperties) http.Handler
+
+func (h HandlerFunc) Handler(props *vault.HandlerProperties) http.Handler {
+	return h(props)
 }
 
-func TestOperatorUnsealCommand_Run(t *testing.T) {
-	t.Parallel()
+var _ vault.HandlerHandler = HandlerFunc(func(props *vault.HandlerProperties) http.Handler { return nil })
 
-	t.Run("error_non_terminal", func(t *testing.T) {
-		t.Parallel()
+// handler returns an http.Handler for the API. This can be used on
+// its own to mount the Vault API within another web server.
+func handler(props *vault.HandlerProperties) http.Handler {
+	core := props.Core
+
+	// Create the muxer to handle the actual endpoints
+	mux := http.NewServeMux()
+	var chrootNamespace string
+	if props.ListenerConfig != nil {
+		chrootNamespace = props.ListenerConfig.ChrootNamespace
+	}
 
-		client, closer := testVaultServer(t)
-		defer closer()
+	switch {
+	case props.RecoveryMode:
+		raw := vault.NewRawBackend(core)
+		strategy := vault.GenerateRecoveryTokenStrategy(props.RecoveryToken)
+		mux.Handle("/v1/sys/raw/", handleLogicalRecovery(raw, props.RecoveryToken))
+		mux.Handle("/v1/sys/generate-recovery-token/attempt", handleSysGenerateRootAttempt(core, strategy))
+		mux.Handle("/v1/sys/generate-recovery-token/update", handleSysGenerateRootUpdate(core, strategy))
+	default:
+		// Handle non-forwarded paths
+		mux.Handle("/v1/sys/config/state/", handleLogicalNoForward(core, chrootNamespace))
+		mux.Handle("/v1/sys/host-info", handleLogicalNoForward(core, chrootNamespace))
 
-		ui, cmd := testOperatorUnsealCommand(t)
-		cmd.client = client
-		cmd.testOutput = ioutil.Discard
+		mux.Handle("/v1/sys/init", handleSysInit(core))
+		mux.Handle("/v1/sys/seal-status", handleSysSealStatus(core,
+			WithRedactClusterName(props.ListenerConfig.RedactClusterName),
+			WithRedactVersion(props.ListenerConfig.RedactVersion)))
+		mux.Handle("/v1/sys/seal-backend-status", handleSysSealBackendStatus(core))
+		mux.Handle("/v1/sys/seal", handleSysSeal(core))
+		mux.Handle("/v1/sys/step-down", handleRequestForwarding(core, handleSysStepDown(core)))
+		mux.Handle("/v1/sys/unseal", handleSysUnseal(core))
+		mux.Handle("/v1/sys/leader", handleSysLeader(core,
+			WithRedactAddresses(props.ListenerConfig.RedactAddresses)))
+		mux.Handle("/v1/sys/health", handleSysHealth(core,
+			WithRedactClusterName(props.ListenerConfig.RedactClusterName),
+			WithRedactVersion(props.ListenerConfig.RedactVersion)))
+		mux.Handle("/v1/sys/monitor", handleLogicalNoForward(core, chrootNamespace))
+		mux.Handle("/v1/sys/generate-root/attempt", handleRequestForwarding(core,
+			handleAuditNonLogical(core, handleSysGenerateRootAttempt(core, vault.GenerateStandardRootTokenStrategy))))
+		mux.Handle("/v1/sys/generate-root/update", handleRequestForwarding(core,
+			handleAuditNonLogical(core, handleSysGenerateRootUpdate(core, vault.GenerateStandardRootTokenStrategy))))
+		mux.Handle("/v1/sys/rekey/init", handleRequestForwarding(core, handleSysRekeyInit(core, false)))
+		mux.Handle("/v1/sys/rekey/update", handleRequestForwarding(core, handleSysRekeyUpdate(core, false)))
+		mux.Handle("/v1/sys/rekey/verify", handleRequestForwarding(core, handleSysRekeyVerify(core, false)))
+		mux.Handle("/v1/sys/rekey-recovery-key/init", handleRequestForwarding(core, handleSysRekeyInit(core, true)))
+		mux.Handle("/v1/sys/rekey-recovery-key/update", handleRequestForwarding(core, handleSysRekeyUpdate(core, true)))
+		mux.Handle("/v1/sys/rekey-recovery-key/verify", handleRequestForwarding(core, handleSysRekeyVerify(core, true)))
+		mux.Handle("/v1/sys/storage/raft/bootstrap", handleSysRaftBootstrap(core))
+		mux.Handle("/v1/sys/storage/raft/join", handleSysRaftJoin(core))
+		mux.Handle("/v1/sys/internal/ui/feature-flags", handleSysInternalFeatureFlags(core))
 
-		code := cmd.Run(nil)
-		if exp := 1; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
+		for _, path := range injectDataIntoTopRoutes {
+			mux.Handle(path, handleRequestForwarding(core, handleLogicalWithInjector(core, chrootNamespace)))
 		}
+		mux.Handle("/v1/sys/", handleRequestForwarding(core, handleLogical(core, chrootNamespace)))
+		mux.Handle("/v1/", handleRequestForwarding(core, handleLogical(core, chrootNamespace)))
+		if core.UIEnabled() {
+			if uiBuiltIn {
+				mux.Handle("/ui/", http.StripPrefix("/ui/", gziphandler.GzipHandler(handleUIHeaders(core, handleUI(http.FileServer(&UIAssetWrapper{FileSystem: assetFS()}))))))
+				mux.Handle("/robots.txt", gziphandler.GzipHandler(handleUIHeaders(core, handleUI(http.FileServer(&UIAssetWrapper{FileSystem: assetFS()})))))
+			} else {
+				mux.Handle("/ui/", handleUIHeaders(core, handleUIStub()))
+			}
+			mux.Handle("/ui", handleUIRedirect())
+			mux.Handle("/", handleUIRedirect())
 
-		expected := "is not a terminal"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
 		}
-	})
 
-	t.Run("reset", func(t *testing.T) {
-		t.Parallel()
+		// Register metrics path without authentication if enabled
+		if props.ListenerConfig != nil && props.ListenerConfig.Telemetry.UnauthenticatedMetricsAccess {
+			mux.Handle("/v1/sys/metrics", handleMetricsUnauthenticated(core))
+		} else {
+			mux.Handle("/v1/sys/metrics", handleLogicalNoForward(core, chrootNamespace))
+		}
 
-		client, keys, closer := testVaultServerUnseal(t)
-		defer closer()
+		if props.ListenerConfig != nil && props.ListenerConfig.Profiling.UnauthenticatedPProfAccess {
+			for _, name := range []string{"goroutine", "threadcreate", "heap", "allocs", "block", "mutex"} {
+				mux.Handle("/v1/sys/pprof/"+name, pprof.Handler(name))
+			}
+			mux.Handle("/v1/sys/pprof/", http.HandlerFunc(pprof.Index))
+			mux.Handle("/v1/sys/pprof/cmdline", http.HandlerFunc(pprof.Cmdline))
+			mux.Handle("/v1/sys/pprof/profile", http.HandlerFunc(pprof.Profile))
+			mux.Handle("/v1/sys/pprof/symbol", http.HandlerFunc(pprof.Symbol))
+			mux.Handle("/v1/sys/pprof/trace", http.HandlerFunc(pprof.Trace))
+		} else {
+			mux.Handle("/v1/sys/pprof/", handleLogicalNoForward(core, chrootNamespace))
+		}
 
-		// Seal so we can unseal
-		if err := client.Sys().Seal(); err != nil {
-			t.Fatal(err)
+		if props.ListenerConfig != nil && props.ListenerConfig.InFlightRequestLogging.UnauthenticatedInFlightAccess {
+			mux.Handle("/v1/sys/in-flight-req", handleUnAuthenticatedInFlightRequest(core))
+		} else {
+			mux.Handle("/v1/sys/in-flight-req", handleLogicalNoForward(core, chrootNamespace))
 		}
+		entAdditionalRoutes(mux, core)
+	}
+
+	// Build up a chain of wrapping handlers.
+	wrappedHandler := wrapHelpHandler(mux, core)
+	wrappedHandler = wrapCORSHandler(wrappedHandler, core)
+	wrappedHandler = rateLimitQuotaWrapping(wrappedHandler, core)
+	wrappedHandler = entWrapGenericHandler(core, wrappedHandler, props)
+	wrappedHandler = wrapMaxRequestSizeHandler(wrappedHandler, props)
 
-		// Enter an unseal key
-		if _, err := client.Sys().Unseal(keys[0]); err != nil {
-			t.Fatal(err)
+	// Add an extra wrapping handler if the DisablePrintableCheck listener
+	// setting isn't true that checks for non-printable characters in the
+	// request path.
+	if !props.DisablePrintableCheck {
+		wrappedHandler = cleanhttp.PrintablePathCheckHandler(wrappedHandler, nil)
+	}
+
+	// Add an extra wrapping handler if the DisableReplicationStatusEndpoints
+	// setting is true that will create a new request with a context that has
+	// a value indicating that the replication status endpoints are disabled.
+	if props.ListenerConfig != nil && props.ListenerConfig.DisableReplicationStatusEndpoints {
+		wrappedHandler = disableReplicationStatusEndpointWrapping(wrappedHandler)
+	}
+
+	return wrappedHandler
+}
+
+type copyResponseWriter struct {
+	wrapped    http.ResponseWriter
+	statusCode int
+	body       *bytes.Buffer
+}
+
+// newCopyResponseWriter returns an initialized newCopyResponseWriter
+func newCopyResponseWriter(wrapped http.ResponseWriter) *copyResponseWriter {
+	w := &copyResponseWriter{
+		wrapped:    wrapped,
+		body:       new(bytes.Buffer),
+		statusCode: 200,
+	}
+	return w
+}
+
+func (w *copyResponseWriter) Header() http.Header {
+	return w.wrapped.Header()
+}
+
+func (w *copyResponseWriter) Write(buf []byte) (int, error) {
+	w.body.Write(buf)
+	return w.wrapped.Write(buf)
+}
+
+func (w *copyResponseWriter) WriteHeader(code int) {
+	w.statusCode = code
+	w.wrapped.WriteHeader(code)
+}
+
+func handleAuditNonLogical(core *vault.Core, h http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		origBody := new(bytes.Buffer)
+		reader := ioutil.NopCloser(io.TeeReader(r.Body, origBody))
+		r.Body = reader
+		req, _, status, err := buildLogicalRequestNoAuth(core.PerfStandby(), core.RouterAccess(), w, r)
+		if err != nil || status != 0 {
+			respondError(w, status, err)
+			return
 		}
 
-		ui, cmd := testOperatorUnsealCommand(t)
-		cmd.client = client
-		cmd.testOutput = ioutil.Discard
+		r.Body = io.NopCloser(origBody)
 
-		// Reset and check output
-		code := cmd.Run([]string{
-			"-reset",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
+		input := &logical.LogInput{
+			Request: req,
 		}
-		expected := "0/3"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
+		err = core.AuditLogger().AuditRequest(r.Context(), input)
+		if err != nil {
+			respondError(w, status, err)
+			return
+		}
+		cw := newCopyResponseWriter(w)
+		h.ServeHTTP(cw, r)
+		data := make(map[string]interface{})
+
+		// Refactoring this code, since the returned error was being ignored.
+		jsonutil.DecodeJSON(cw.body.Bytes(), &data)
+
+		httpResp := &logical.HTTPResponse{Data: data, Headers: cw.Header()}
+		input.Response = logical.HTTPResponseToLogicalResponse(httpResp)
+		err = core.AuditLogger().AuditResponse(r.Context(), input)
+		if err != nil {
+			respondError(w, status, err)
 		}
 	})
+}
 
-	t.Run("full", func(t *testing.T) {
-		t.Parallel()
+// wrapGenericHandler wraps the handler with an extra layer of handler where
+// tasks that should be commonly handled for all the requests and/or responses
+// are performed.
+func wrapGenericHandler(core *vault.Core, h http.Handler, props *vault.HandlerProperties) http.Handler {
+	var maxRequestDuration time.Duration
+	if props.ListenerConfig != nil {
+		maxRequestDuration = props.ListenerConfig.MaxRequestDuration
+	}
+	if maxRequestDuration == 0 {
+		maxRequestDuration = vault.DefaultMaxRequestDuration
+	}
+	// Swallow this error since we don't want to pollute the logs and we also don't want to
+	// return an HTTP error here. This information is best effort.
+	hostname, _ := os.Hostname()
 
-		client, keys, closer := testVaultServerUnseal(t)
-		defer closer()
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// This block needs to be here so that upon sending SIGHUP, custom response
+		// headers are also reloaded into the handlers.
+		var customHeaders map[string][]*logical.CustomHeader
+		if props.ListenerConfig != nil {
+			la := props.ListenerConfig.Address
+			listenerCustomHeaders := core.GetListenerCustomResponseHeaders(la)
+			if listenerCustomHeaders != nil {
+				customHeaders = listenerCustomHeaders.StatusCodeHeaderMap
+			}
+		}
+		// saving start time for the in-flight requests
+		inFlightReqStartTime := time.Now()
+
+		nw := logical.NewStatusHeaderResponseWriter(w, customHeaders)
+
+		// Set the Cache-Control header for all the responses returned
+		// by Vault
+		nw.Header().Set("Cache-Control", "no-store")
 
-		// Seal so we can unseal
-		if err := client.Sys().Seal(); err != nil {
-			t.Fatal(err)
+		// Start with the request context
+		ctx := r.Context()
+		var cancelFunc context.CancelFunc
+		// Add our timeout, but not for the monitor or events endpoints, as they are streaming
+		if strings.HasSuffix(r.URL.Path, "sys/monitor") || strings.Contains(r.URL.Path, "sys/events") {
+			ctx, cancelFunc = context.WithCancel(ctx)
+		} else {
+			ctx, cancelFunc = context.WithTimeout(ctx, maxRequestDuration)
 		}
 
-		for _, key := range keys {
-			ui, cmd := testOperatorUnsealCommand(t)
-			cmd.client = client
-			cmd.testOutput = ioutil.Discard
+		ctx = logical.CreateContextOriginalRequestPath(ctx, r.URL.Path)
+		r = r.WithContext(ctx)
+		r = r.WithContext(namespace.ContextWithNamespace(r.Context(), namespace.RootNamespace))
 
-			// Reset and check output
-			code := cmd.Run([]string{
-				key,
-			})
-			if exp := 0; code != exp {
-				t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
+		// Set some response headers with raft node id (if applicable) and hostname, if available
+		if core.RaftNodeIDHeaderEnabled() {
+			nodeID := core.GetRaftNodeID()
+			if nodeID != "" {
+				nw.Header().Set("X-Vault-Raft-Node-ID", nodeID)
+			}
+		}
+
+		if core.HostnameHeaderEnabled() && hostname != "" {
+			nw.Header().Set("X-Vault-Hostname", hostname)
+		}
+
+		// Extract the namespace from the header before we modify it
+		ns := r.Header.Get(consts.NamespaceHeaderName)
+		switch {
+		case strings.HasPrefix(r.URL.Path, "/v1/"):
+			// Setting the namespace in the header to be included in the error message
+			newR, status, err := adjustRequest(core, props.ListenerConfig, r)
+			if status != 0 {
+				respondError(nw, status, err)
+				cancelFunc()
+				return
 			}
+			r = newR
+
+		case strings.HasPrefix(r.URL.Path, "/ui"), r.URL.Path == "/robots.txt", r.URL.Path == "/":
+			// RFC 5785
+		case strings.HasPrefix(r.URL.Path, "/.well-known/"):
+			standby, err := core.Standby()
+			if err != nil {
+				core.Logger().Warn("error resolving standby status handling .well-known path", "error", err)
+			} else if standby {
+				respondStandby(core, w, r.URL)
+				cancelFunc()
+				return
+			} else {
+				redir, err := core.GetWellKnownRedirect(r.Context(), r.URL.Path)
+				if err != nil {
+					core.Logger().Warn("error resolving potential API redirect", "error", err)
+				} else {
+					if redir != "" {
+						dest := url.URL{
+							Path:     redir,
+							RawQuery: r.URL.RawQuery,
+						}
+						w.Header().Set("Location", dest.String())
+						if r.Method == http.MethodGet || r.Proto == "HTTP/1.0" {
+							w.WriteHeader(http.StatusFound)
+						} else {
+							w.WriteHeader(http.StatusTemporaryRedirect)
+						}
+						cancelFunc()
+						return
+					}
+				}
+			}
+			respondError(nw, http.StatusNotFound, nil)
+			cancelFunc()
+			return
 		}
 
-		status, err := client.Sys().SealStatus()
+		// The uuid for the request is going to be generated when a logical
+		// request is generated. But, here we generate one to be able to track
+		// in-flight requests, and use that to update the req data with clientID
+		inFlightReqID, err := uuid.GenerateUUID()
 		if err != nil {
-			t.Fatal(err)
+			respondError(nw, http.StatusInternalServerError, fmt.Errorf("failed to generate an identifier for the in-flight request"))
 		}
-		if status.Sealed {
-			t.Error("expected unsealed")
+		// adding an entry to the context to enable updating in-flight
+		// data with ClientID in the logical layer
+		r = r.WithContext(context.WithValue(r.Context(), logical.CtxKeyInFlightRequestID{}, inFlightReqID))
+
+		// extracting the client address to be included in the in-flight request
+		var clientAddr string
+		headers := r.Header[textproto.CanonicalMIMEHeaderKey("X-Forwarded-For")]
+		if len(headers) == 0 {
+			clientAddr = r.RemoteAddr
+		} else {
+			clientAddr = headers[0]
 		}
+
+		// getting the request method
+		requestMethod := r.Method
+
+		// Storing the in-flight requests. Path should include namespace as well
+		core.StoreInFlightReqData(
+			inFlightReqID,
+			vault.InFlightReqData{
+				StartTime:        inFlightReqStartTime,
+				ReqPath:          r.URL.Path,
+				ClientRemoteAddr: clientAddr,
+				Method:           requestMethod,
+			})
+		defer func() {
+			// Not expecting this fail, so skipping the assertion check
+			core.FinalizeInFlightReqData(inFlightReqID, nw.StatusCode)
+		}()
+
+		// Setting the namespace in the header to be included in the error message
+		if ns != "" {
+			nw.Header().Set(consts.NamespaceHeaderName, ns)
+		}
+
+		h.ServeHTTP(nw, r)
+
+		cancelFunc()
 	})
+}
 
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
+func WrapForwardedForHandler(h http.Handler, l *configutil.Listener) http.Handler {
+	rejectNotPresent := l.XForwardedForRejectNotPresent
+	hopSkips := l.XForwardedForHopSkips
+	authorizedAddrs := l.XForwardedForAuthorizedAddrs
+	rejectNotAuthz := l.XForwardedForRejectNotAuthorized
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		headers, headersOK := r.Header[textproto.CanonicalMIMEHeaderKey("X-Forwarded-For")]
+		if !headersOK || len(headers) == 0 {
+			if !rejectNotPresent {
+				h.ServeHTTP(w, r)
+				return
+			}
+			respondError(w, http.StatusBadRequest, fmt.Errorf("missing x-forwarded-for header and configured to reject when not present"))
+			return
+		}
 
-		client, closer := testVaultServerBad(t)
-		defer closer()
+		host, port, err := net.SplitHostPort(r.RemoteAddr)
+		if err != nil {
+			// If not rejecting treat it like we just don't have a valid
+			// header because we can't do a comparison against an address we
+			// can't understand
+			if !rejectNotPresent {
+				h.ServeHTTP(w, r)
+				return
+			}
+			respondError(w, http.StatusBadRequest, fmt.Errorf("error parsing client hostport: %w", err))
+			return
+		}
 
-		ui, cmd := testOperatorUnsealCommand(t)
-		cmd.client = client
+		addr, err := sockaddr.NewIPAddr(host)
+		if err != nil {
+			// We treat this the same as the case above
+			if !rejectNotPresent {
+				h.ServeHTTP(w, r)
+				return
+			}
+			respondError(w, http.StatusBadRequest, fmt.Errorf("error parsing client address: %w", err))
+			return
+		}
 
-		code := cmd.Run([]string{
-			"abcd",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
+		var found bool
+		for _, authz := range authorizedAddrs {
+			if authz.Contains(addr) {
+				found = true
+				break
+			}
+		}
+		if !found {
+			// If we didn't find it and aren't configured to reject, simply
+			// don't trust it
+			if !rejectNotAuthz {
+				h.ServeHTTP(w, r)
+				return
+			}
+			respondError(w, http.StatusBadRequest, fmt.Errorf("client address not authorized for x-forwarded-for and configured to reject connection"))
+			return
 		}
 
-		expected := "Error unsealing: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
+		// At this point we have at least one value and it's authorized
+
+		// Split comma separated ones, which are common. This brings it in line
+		// to the multiple-header case.
+		var acc []string
+		for _, header := range headers {
+			vals := strings.Split(header, ",")
+			for _, v := range vals {
+				acc = append(acc, strings.TrimSpace(v))
+			}
 		}
+
+		indexToUse := int64(len(acc)) - 1 - hopSkips
+		if indexToUse < 0 {
+			// This is likely an error in either configuration or other
+			// infrastructure. We could either deny the request, or we
+			// could simply not trust the value. Denying the request is
+			// "safer" since if this logic is configured at all there may
+			// be an assumption it can always be trusted. Given that we can
+			// deny accepting the request at all if it's not from an
+			// authorized address, if we're at this point the address is
+			// authorized (or we've turned off explicit rejection) and we
+			// should assume that what comes in should be properly
+			// formatted.
+			respondError(w, http.StatusBadRequest, fmt.Errorf("malformed x-forwarded-for configuration or request, hops to skip (%d) would skip before earliest chain link (chain length %d)", hopSkips, len(headers)))
+			return
+		}
+
+		r.RemoteAddr = net.JoinHostPort(acc[indexToUse], port)
+		h.ServeHTTP(w, r)
+	})
+}
+
+func handleUIHeaders(core *vault.Core, h http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		header := w.Header()
+
+		userHeaders, err := core.UIHeaders()
+		if err != nil {
+			respondError(w, http.StatusInternalServerError, err)
+			return
+		}
+
+		for k := range userHeaders {
+			v := userHeaders.Get(k)
+			header.Set(k, v)
+		}
+
+		h.ServeHTTP(w, req)
+	})
+}
+
+func handleUI(h http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		// The fileserver handler strips trailing slashes and does a redirect.
+		// We don't want the redirect to happen so we preemptively trim the slash
+		// here.
+		req.URL.Path = strings.TrimSuffix(req.URL.Path, "/")
+		h.ServeHTTP(w, req)
+	})
+}
+
+func handleUIStub() http.Handler {
+	stubHTML := `
+	<!DOCTYPE html>
+	<html>
+	<style>
+	body {
+	color: #1F2124;
+	font-family: system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", "Roboto", "Oxygen", "Ubuntu", "Cantarell", "Fira Sans", "Droid Sans", "Helvetica Neue", sans-serif;
+	}
+
+	.wrapper {
+	display: flex;
+	justify-content: center;
+	align-items: center;
+	height: 500px;
+	}
+
+	.content ul {
+	line-height: 1.5;
+	}
+
+	a {
+	color: #1563ff;
+	text-decoration: none;
+	}
+
+	.header {
+	display: flex;
+	color: #6a7786;
+	align-items: center;
+	}
+
+	.header svg {
+	padding-right: 12px;
+	}
+
+	.alert {
+	transform: scale(0.07);
+	fill: #6a7786;
+	}
+
+	h1 {
+	font-weight: 500;
+	}
+
+	p {
+	margin-top: 0px;
+	}
+	</style>
+	<div class="wrapper">
+	<div class="content">
+	<div class="header">
+	<svg width="36px" height="36px" viewBox="0 0 36 36" xmlns="http://www.w3.org/2000/svg">
+	<path class="alert" d="M476.7 422.2L270.1 72.7c-2.9-5-8.3-8.7-14.1-8.7-5.9 0-11.3 3.7-14.1 8.7L35.3 422.2c-2.8 5-4.8 13-1.9 17.9 2.9 4.9 8.2 7.9 14 7.9h417.1c5.8 0 11.1-3 14-7.9 3-4.9 1-13-1.8-17.9zM288 400h-64v-48h64v48zm0-80h-64V176h64v144z"/>
+	</svg>
+	<h1>Vault UI is not available in this binary.</h1>
+	</div>
+	<p>To get Vault UI do one of the following:</p>
+	<ul>
+	<li><a href="https://www.vaultproject.io/downloads.html">Download an official release</a></li>
+	<li>Run <code>make bin</code> to create your own release binaries.
+	<li>Run <code>make dev-ui</code> to create a development binary with the UI.
+	</ul>
+	</div>
+	</div>
+	</html>
+	`
+	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		w.Write([]byte(stubHTML))
 	})
+}
+
+func handleUIRedirect() http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		http.Redirect(w, req, "/ui/", http.StatusTemporaryRedirect)
+	})
+}
+
+type UIAssetWrapper struct {
+	FileSystem http.FileSystem
+}
+
+func (fsw *UIAssetWrapper) Open(name string) (http.File, error) {
+	file, err := fsw.FileSystem.Open(name)
+	if err == nil {
+		return file, nil
+	}
+	// serve index.html instead of 404ing
+	if errors.Is(err, fs.ErrNotExist) {
+		file, err := fsw.FileSystem.Open("index.html")
+		return file, err
+	}
+	return nil, err
+}
+
+func parseQuery(values url.Values) map[string]interface{} {
+	data := map[string]interface{}{}
+	for k, v := range values {
+		// Skip the help key as this is a reserved parameter
+		if k == "help" {
+			continue
+		}
+
+		switch {
+		case len(v) == 0:
+		case len(v) == 1:
+			data[k] = v[0]
+		default:
+			data[k] = v
+		}
+	}
+
+	if len(data) > 0 {
+		return data
+	}
+	return nil
+}
+
+func parseJSONRequest(perfStandby bool, r *http.Request, w http.ResponseWriter, out interface{}) (io.ReadCloser, error) {
+	// Limit the maximum number of bytes to MaxRequestSize to protect
+	// against an indefinite amount of data being read.
+	reader := r.Body
+
+	var origBody io.ReadWriter
+
+	if perfStandby {
+		// Since we're checking PerfStandby here we key on origBody being nil
+		// or not later, so we need to always allocate so it's non-nil
+		origBody = new(bytes.Buffer)
+		reader = ioutil.NopCloser(io.TeeReader(reader, origBody))
+	}
+	err := jsonutil.DecodeJSONFromReader(reader, out)
+	if err != nil && err != io.EOF {
+		return nil, fmt.Errorf("failed to parse JSON input: %w", err)
+	}
+	if origBody != nil {
+		return ioutil.NopCloser(origBody), err
+	}
+	return nil, err
+}
+
+// parseFormRequest parses values from a form POST.
+//
+// A nil map will be returned if the format is empty or invalid.
+func parseFormRequest(r *http.Request) (map[string]interface{}, error) {
+	if err := r.ParseForm(); err != nil {
+		return nil, err
+	}
+
+	var data map[string]interface{}
+
+	if len(r.PostForm) != 0 {
+		data = make(map[string]interface{}, len(r.PostForm))
+		for k, v := range r.PostForm {
+			switch len(v) {
+			case 0:
+			case 1:
+				data[k] = v[0]
+			default:
+				// Almost anywhere taking in a string list can take in comma
+				// separated values, and really this is super niche anyways
+				data[k] = strings.Join(v, ",")
+			}
+		}
+	}
+
+	return data, nil
+}
+
+// forwardBasedOnHeaders returns true if the request headers specify that
+// we should forward to the active node - either unconditionally or because
+// a specified state isn't present locally.
+func forwardBasedOnHeaders(core *vault.Core, r *http.Request) (bool, error) {
+	rawForward := r.Header.Get(VaultForwardHeaderName)
+	if rawForward != "" {
+		if !core.AllowForwardingViaHeader() {
+			return false, fmt.Errorf("forwarding via header %s disabled in configuration", VaultForwardHeaderName)
+		}
+		if rawForward == "active-node" {
+			return true, nil
+		}
+		return false, nil
+	}
+
+	rawInconsistent := r.Header.Get(VaultInconsistentHeaderName)
+	if rawInconsistent == "" {
+		return false, nil
+	}
+
+	switch rawInconsistent {
+	case VaultInconsistentForward:
+		if !core.AllowForwardingViaHeader() {
+			return false, fmt.Errorf("forwarding via header %s=%s disabled in configuration",
+				VaultInconsistentHeaderName, VaultInconsistentForward)
+		}
+	default:
+		return false, nil
+	}
 
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
+	return core.MissingRequiredState(r.Header.Values(VaultIndexHeaderName), core.PerfStandby()), nil
+}
+
+// handleRequestForwarding determines whether to forward a request or not,
+// falling back on the older behavior of redirecting the client
+func handleRequestForwarding(core *vault.Core, handler http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Note if the client requested forwarding
+		shouldForward, err := forwardBasedOnHeaders(core, r)
+		if err != nil {
+			respondError(w, http.StatusBadRequest, err)
+			return
+		}
+
+		// If we are a performance standby we can maybe handle the request.
+		if core.PerfStandby() && !shouldForward {
+			ns, err := namespace.FromContext(r.Context())
+			if err != nil {
+				respondError(w, http.StatusBadRequest, err)
+				return
+			}
+			path := ns.TrimmedPath(r.URL.Path[len("/v1/"):])
+			if !perfStandbyAlwaysForwardPaths.HasPath(path) && !alwaysRedirectPaths.HasPath(path) {
+				handler.ServeHTTP(w, r)
+				return
+			}
+		}
 
-		_, cmd := testOperatorUnsealCommand(t)
-		assertNoTabs(t, cmd)
+		// Note: in an HA setup, this call will also ensure that connections to
+		// the leader are set up, as that happens once the advertised cluster
+		// values are read during this function
+		isLeader, leaderAddr, _, err := core.Leader()
+		if err != nil {
+			if err == vault.ErrHANotEnabled {
+				// Standalone node, serve request normally
+				handler.ServeHTTP(w, r)
+				return
+			}
+			// Some internal error occurred
+			respondError(w, http.StatusInternalServerError, err)
+			return
+		}
+		if isLeader {
+			// No forwarding needed, we're leader
+			handler.ServeHTTP(w, r)
+			return
+		}
+		if leaderAddr == "" {
+			respondError(w, http.StatusInternalServerError, fmt.Errorf("local node not active but active cluster node not found"))
+			return
+		}
+
+		forwardRequest(core, w, r)
 	})
 }
 
-func TestOperatorUnsealCommand_Format(t *testing.T) {
-	defer func() {
-		os.Setenv(EnvVaultCLINoColor, "")
-	}()
+func forwardRequest(core *vault.Core, w http.ResponseWriter, r *http.Request) {
+	if r.Header.Get(vault.IntNoForwardingHeaderName) != "" {
+		respondStandby(core, w, r.URL)
+		return
+	}
 
-	client, keys, closer := testVaultServerUnseal(t)
-	defer closer()
+	if r.Header.Get(NoRequestForwardingHeaderName) != "" {
+		// Forwarding explicitly disabled, fall back to previous behavior
+		core.Logger().Debug("handleRequestForwarding: forwarding disabled by client request")
+		respondStandby(core, w, r.URL)
+		return
+	}
 
-	// Seal so we can unseal
-	if err := client.Sys().Seal(); err != nil {
-		t.Fatal(err)
+	ns, err := namespace.FromContext(r.Context())
+	if err != nil {
+		respondError(w, http.StatusBadRequest, err)
+		return
+	}
+	path := ns.TrimmedPath(r.URL.Path[len("/v1/"):])
+	if alwaysRedirectPaths.HasPath(path) {
+		respondStandby(core, w, r.URL)
+		return
 	}
 
-	stdout := bytes.NewBuffer(nil)
-	stderr := bytes.NewBuffer(nil)
-	runOpts := &RunOptions{
-		Stdout: stdout,
-		Stderr: stderr,
-		Client: client,
+	// Attempt forwarding the request. If we cannot forward -- perhaps it's
+	// been disabled on the active node -- this will return with an
+	// ErrCannotForward and we simply fall back
+	statusCode, header, retBytes, err := core.ForwardRequest(r)
+	if err != nil {
+		if err == vault.ErrCannotForward {
+			core.Logger().Debug("cannot forward request (possibly disabled on active node), falling back")
+		} else {
+			core.Logger().Error("forward request error", "error", err)
+		}
+
+		// Fall back to redirection
+		respondStandby(core, w, r.URL)
+		return
 	}
 
-	args, format, _, _, _ := setupEnv([]string{"operator", "unseal", "-format", "json"})
-	if format != "json" {
-		t.Fatalf("expected %q, got %q", "json", format)
+	for k, v := range header {
+		w.Header()[k] = v
 	}
 
-	// Unseal with one key
-	code := RunCustom(append(args, []string{
-		keys[0],
-	}...), runOpts)
-	if exp := 0; code != exp {
-		t.Errorf("expected %d to be %d: %s", code, exp, stderr.String())
+	w.WriteHeader(statusCode)
+	w.Write(retBytes)
+}
+
+// request is a helper to perform a request and properly exit in the
+// case of an error.
+func request(core *vault.Core, w http.ResponseWriter, rawReq *http.Request, r *logical.Request) (*logical.Response, bool, bool) {
+	resp, err := core.HandleRequest(rawReq.Context(), r)
+	if r.LastRemoteWAL() > 0 && !core.EntWaitUntilWALShipped(rawReq.Context(), r.LastRemoteWAL()) {
+		if resp == nil {
+			resp = &logical.Response{}
+		}
+		resp.AddWarning("Timeout hit while waiting for local replicated cluster to apply primary's write; this client may encounter stale reads of values written during this operation.")
+	}
+	if errwrap.Contains(err, consts.ErrStandby.Error()) {
+		respondStandby(core, w, rawReq.URL)
+		return resp, false, false
+	}
+	if err != nil && errwrap.Contains(err, logical.ErrPerfStandbyPleaseForward.Error()) {
+		return nil, false, true
 	}
 
-	if !json.Valid(stdout.Bytes()) {
-		t.Error("expected output to be valid JSON")
+	if resp != nil && len(resp.Headers) > 0 {
+		// Set this here so it will take effect regardless of any other type of
+		// response processing
+		header := w.Header()
+		for k, v := range resp.Headers {
+			for _, h := range v {
+				header.Add(k, h)
+			}
+		}
+
+		switch {
+		case resp.Secret != nil,
+			resp.Auth != nil,
+			len(resp.Data) > 0,
+			resp.Redirect != "",
+			len(resp.Warnings) > 0,
+			resp.WrapInfo != nil:
+			// Nothing, resp has data
+
+		default:
+			// We have an otherwise totally empty response except for headers,
+			// so nil out the response now that the headers are written out
+			resp = nil
+		}
 	}
+
+	// If vault's core has already written to the response writer do not add any
+	// additional output. Headers have already been sent. If the response writer
+	// is set but has not been written to it likely means there was some kind of
+	// error
+	if r.ResponseWriter != nil && r.ResponseWriter.Written() {
+		return nil, true, false
+	}
+
+	if respondErrorCommon(w, r, resp, err) {
+		return resp, false, false
+	}
+
+	return resp, true, false
+}
+
+// respondStandby is used to trigger a redirect in the case that this Vault is currently a hot standby
+func respondStandby(core *vault.Core, w http.ResponseWriter, reqURL *url.URL) {
+	// Request the leader address
+	_, redirectAddr, _, err := core.Leader()
+	if err != nil {
+		if err == vault.ErrHANotEnabled {
+			// Standalone node, serve 503
+			err = errors.New("node is not active")
+			respondError(w, http.StatusServiceUnavailable, err)
+			return
+		}
+
+		respondError(w, http.StatusInternalServerError, err)
+		return
+	}
+
+	// If there is no leader, generate a 503 error
+	if redirectAddr == "" {
+		err = errors.New("no active Vault instance found")
+		respondError(w, http.StatusServiceUnavailable, err)
+		return
+	}
+
+	// Parse the redirect location
+	redirectURL, err := url.Parse(redirectAddr)
+	if err != nil {
+		respondError(w, http.StatusInternalServerError, err)
+		return
+	}
+
+	// Generate a redirect URL
+	finalURL := url.URL{
+		Scheme:   redirectURL.Scheme,
+		Host:     redirectURL.Host,
+		Path:     reqURL.Path,
+		RawQuery: reqURL.RawQuery,
+	}
+
+	// WebSockets schemas are ws or wss
+	if websocketPaths.HasPath(reqURL.Path) {
+		if finalURL.Scheme == "http" {
+			finalURL.Scheme = "ws"
+		} else {
+			finalURL.Scheme = "wss"
+		}
+	}
+
+	// Ensure there is a scheme, default to https
+	if finalURL.Scheme == "" {
+		finalURL.Scheme = "https"
+	}
+
+	// If we have an address, redirect! We use a 307 code
+	// because we don't actually know if its permanent and
+	// the request method should be preserved.
+	w.Header().Set("Location", finalURL.String())
+	w.WriteHeader(307)
+}
+
+// getTokenFromReq parse headers of the incoming request to extract token if
+// present it accepts Authorization Bearer (RFC6750) and X-Vault-Token header.
+// Returns true if the token was sourced from a Bearer header.
+func getTokenFromReq(r *http.Request) (string, bool) {
+	if token := r.Header.Get(consts.AuthHeaderName); token != "" {
+		return token, false
+	}
+	if headers, ok := r.Header["Authorization"]; ok {
+		// Reference for Authorization header format: https://tools.ietf.org/html/rfc7236#section-3
+
+		// If string does not start by 'Bearer ', it is not one we would use,
+		// but might be used by plugins
+		for _, v := range headers {
+			if !strings.HasPrefix(v, "Bearer ") {
+				continue
+			}
+			return strings.TrimSpace(v[7:]), true
+		}
+	}
+	return "", false
+}
+
+// requestAuth adds the token to the logical.Request if it exists.
+func requestAuth(r *http.Request, req *logical.Request) {
+	// Attach the header value if we have it
+	token, fromAuthzHeader := getTokenFromReq(r)
+	if token != "" {
+		req.ClientToken = token
+		req.ClientTokenSource = logical.ClientTokenFromVaultHeader
+		if fromAuthzHeader {
+			req.ClientTokenSource = logical.ClientTokenFromAuthzHeader
+		}
+
+	}
+}
+
+func requestPolicyOverride(r *http.Request, req *logical.Request) error {
+	raw := r.Header.Get(PolicyOverrideHeaderName)
+	if raw == "" {
+		return nil
+	}
+
+	override, err := parseutil.ParseBool(raw)
+	if err != nil {
+		return err
+	}
+
+	req.PolicyOverride = override
+	return nil
+}
+
+// requestWrapInfo adds the WrapInfo value to the logical.Request if wrap info exists
+func requestWrapInfo(r *http.Request, req *logical.Request) (*logical.Request, error) {
+	// First try for the header value
+	wrapTTL := r.Header.Get(WrapTTLHeaderName)
+	if wrapTTL == "" {
+		return req, nil
+	}
+
+	// If it has an allowed suffix parse as a duration string
+	dur, err := parseutil.ParseDurationSecond(wrapTTL)
+	if err != nil {
+		return req, err
+	}
+	if int64(dur) < 0 {
+		return req, fmt.Errorf("requested wrap ttl cannot be negative")
+	}
+
+	req.WrapInfo = &logical.RequestWrapInfo{
+		TTL: dur,
+	}
+
+	wrapFormat := r.Header.Get(WrapFormatHeaderName)
+	switch wrapFormat {
+	case "jwt":
+		req.WrapInfo.Format = "jwt"
+	}
+
+	return req, nil
+}
+
+// parseMFAHeader parses the MFAHeaderName in the request headers and organizes
+// them with MFA method name as the index.
+func parseMFAHeader(req *logical.Request) error {
+	if req == nil {
+		return fmt.Errorf("request is nil")
+	}
+
+	if req.Headers == nil {
+		return nil
+	}
+
+	// Reset and initialize the credentials in the request
+	req.MFACreds = make(map[string][]string)
+
+	for _, mfaHeaderValue := range req.Headers[canonicalMFAHeaderName] {
+		// Skip the header with no value in it
+		if mfaHeaderValue == "" {
+			continue
+		}
+
+		// Handle the case where only method name is mentioned and no value
+		// is supplied
+		if !strings.Contains(mfaHeaderValue, ":") {
+			// Mark the presence of method name, but set an empty set to it
+			// indicating that there were no values supplied for the method
+			if req.MFACreds[mfaHeaderValue] == nil {
+				req.MFACreds[mfaHeaderValue] = []string{}
+			}
+			continue
+		}
+
+		shardSplits := strings.SplitN(mfaHeaderValue, ":", 2)
+		if shardSplits[0] == "" {
+			return fmt.Errorf("invalid data in header %q; missing method name or ID", MFAHeaderName)
+		}
+
+		if shardSplits[1] == "" {
+			return fmt.Errorf("invalid data in header %q; missing method value", MFAHeaderName)
+		}
+
+		req.MFACreds[shardSplits[0]] = append(req.MFACreds[shardSplits[0]], shardSplits[1])
+	}
+
+	return nil
+}
+
+// isForm tries to determine whether the request should be
+// processed as a form or as JSON.
+//
+// Virtually all existing use cases have assumed processing as JSON,
+// and there has not been a Content-Type requirement in the API. In order to
+// maintain backwards compatibility, this will err on the side of JSON.
+// The request will be considered a form only if:
+//
+//  1. The content type is "application/x-www-form-urlencoded"
+//  2. The start of the request doesn't look like JSON. For this test we
+//     we expect the body to begin with { or [, ignoring leading whitespace.
+func isForm(head []byte, contentType string) bool {
+	contentType, _, err := mime.ParseMediaType(contentType)
+
+	if err != nil || contentType != "application/x-www-form-urlencoded" {
+		return false
+	}
+
+	// Look for the start of JSON or not-JSON, skipping any insignificant
+	// whitespace (per https://tools.ietf.org/html/rfc7159#section-2).
+	for _, c := range head {
+		switch c {
+		case ' ', '\t', '\n', '\r':
+			continue
+		case '[', '{': // JSON
+			return false
+		default: // not JSON
+			return true
+		}
+	}
+
+	return true
+}
+
+func respondError(w http.ResponseWriter, status int, err error) {
+	logical.RespondError(w, status, err)
+}
+
+func respondErrorAndData(w http.ResponseWriter, status int, data interface{}, err error) {
+	logical.RespondErrorAndData(w, status, data, err)
+}
+
+func respondErrorCommon(w http.ResponseWriter, req *logical.Request, resp *logical.Response, err error) bool {
+	statusCode, newErr := logical.RespondErrorCommon(req, resp, err)
+	if newErr == nil && statusCode == 0 {
+		return false
+	}
+
+	// If ErrPermissionDenied occurs for OIDC protected resources (e.g., userinfo),
+	// then respond with a JSON error format that complies with the specification.
+	// This prevents the JSON error format from changing to a Vault-y format (i.e.,
+	// the format that results from respondError) after an OIDC access token expires.
+	if oidcPermissionDenied(req.Path, err) {
+		respondOIDCPermissionDenied(w)
+		return true
+	}
+
+	if resp != nil {
+		if data := resp.Data["data"]; data != nil {
+			respondErrorAndData(w, statusCode, data, newErr)
+			return true
+		}
+	}
+	respondError(w, statusCode, newErr)
+	return true
+}
+
+func respondOk(w http.ResponseWriter, body interface{}) {
+	w.Header().Set("Content-Type", "application/json")
+
+	if body == nil {
+		w.WriteHeader(http.StatusNoContent)
+	} else {
+		w.WriteHeader(http.StatusOK)
+		enc := json.NewEncoder(w)
+		enc.Encode(body)
+	}
+}
+
+// oidcPermissionDenied returns true if the given path matches the
+// UserInfo Endpoint published by Vault OIDC providers and the given
+// error is a logical.ErrPermissionDenied.
+func oidcPermissionDenied(path string, err error) bool {
+	return errwrap.Contains(err, logical.ErrPermissionDenied.Error()) &&
+		oidcProtectedPathRegex.MatchString(path)
+}
+
+// respondOIDCPermissionDenied writes a response to the given w for
+// permission denied errors (expired token) on resources protected
+// by OIDC access tokens. Currently, the UserInfo Endpoint is the only
+// protected resource. See the following specifications for details:
+//   - https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError
+//   - https://datatracker.ietf.org/doc/html/rfc6750#section-3.1
+func respondOIDCPermissionDenied(w http.ResponseWriter) {
+	errorCode := "invalid_token"
+	errorDescription := logical.ErrPermissionDenied.Error()
+
+	w.Header().Set("Content-Type", "application/json")
+	w.Header().Set("WWW-Authenticate", fmt.Sprintf("Bearer error=%q,error_description=%q",
+		errorCode, errorDescription))
+	w.WriteHeader(http.StatusUnauthorized)
+
+	var oidcResponse struct {
+		Error            string `json:"error"`
+		ErrorDescription string `json:"error_description"`
+	}
+	oidcResponse.Error = errorCode
+	oidcResponse.ErrorDescription = errorDescription
+
+	enc := json.NewEncoder(w)
+	enc.Encode(oidcResponse)
 }
diff --git a/command/operator_usage.go b/command/operator_usage.go
index fda1caf29a82..92e1eacc4680 100644
--- a/command/operator_usage.go
+++ b/command/operator_usage.go
@@ -1,327 +1,953 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package http
 
 import (
+	"bytes"
+	"context"
+	"crypto/tls"
 	"encoding/json"
 	"errors"
-	"fmt"
-	"sort"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"net/textproto"
+	"net/url"
+	"reflect"
+	"runtime"
 	"strings"
-	"time"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-	"github.com/ryanuber/columnize"
+	"testing"
+
+	"github.com/hashicorp/vault/internalshared/configutil"
+	"github.com/stretchr/testify/require"
+
+	"github.com/go-test/deep"
+	"github.com/hashicorp/go-cleanhttp"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/helper/versions"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/vault"
 )
 
-var (
-	_ cli.Command             = (*OperatorUsageCommand)(nil)
-	_ cli.CommandAutocomplete = (*OperatorUsageCommand)(nil)
-)
+func TestHandler_parseMFAHandler(t *testing.T) {
+	var err error
+	var expectedMFACreds logical.MFACreds
+	req := &logical.Request{
+		Headers: make(map[string][]string),
+	}
 
-type OperatorUsageCommand struct {
-	*BaseCommand
-	flagStartTime time.Time
-	flagEndTime   time.Time
-}
+	headerName := textproto.CanonicalMIMEHeaderKey(MFAHeaderName)
+
+	// Set TOTP passcode in the MFA header
+	req.Headers[headerName] = []string{
+		"my_totp:123456",
+		"my_totp:111111",
+		"my_second_mfa:hi=hello",
+		"my_third_mfa",
+	}
+	err = parseMFAHeader(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Verify that it is being parsed properly
+	expectedMFACreds = logical.MFACreds{
+		"my_totp": []string{
+			"123456",
+			"111111",
+		},
+		"my_second_mfa": []string{
+			"hi=hello",
+		},
+		"my_third_mfa": []string{},
+	}
+	if !reflect.DeepEqual(expectedMFACreds, req.MFACreds) {
+		t.Fatalf("bad: parsed MFACreds; expected: %#v\n actual: %#v\n", expectedMFACreds, req.MFACreds)
+	}
+
+	// Split the creds of a method type in different headers and check if they
+	// all get merged together
+	req.Headers[headerName] = []string{
+		"my_mfa:passcode=123456",
+		"my_mfa:month=july",
+		"my_mfa:day=tuesday",
+	}
+	err = parseMFAHeader(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	expectedMFACreds = logical.MFACreds{
+		"my_mfa": []string{
+			"passcode=123456",
+			"month=july",
+			"day=tuesday",
+		},
+	}
+	if !reflect.DeepEqual(expectedMFACreds, req.MFACreds) {
+		t.Fatalf("bad: parsed MFACreds; expected: %#v\n actual: %#v\n", expectedMFACreds, req.MFACreds)
+	}
+
+	// Header without method name should error out
+	req.Headers[headerName] = []string{
+		":passcode=123456",
+	}
+	err = parseMFAHeader(req)
+	if err == nil {
+		t.Fatalf("expected an error; actual: %#v\n", req.MFACreds)
+	}
+
+	// Header without method name and method value should error out
+	req.Headers[headerName] = []string{
+		":",
+	}
+	err = parseMFAHeader(req)
+	if err == nil {
+		t.Fatalf("expected an error; actual: %#v\n", req.MFACreds)
+	}
 
-func (c *OperatorUsageCommand) Synopsis() string {
-	return "Lists historical client counts"
+	// Header without method name and method value should error out
+	req.Headers[headerName] = []string{
+		"my_totp:",
+	}
+	err = parseMFAHeader(req)
+	if err == nil {
+		t.Fatalf("expected an error; actual: %#v\n", req.MFACreds)
+	}
 }
 
-func (c *OperatorUsageCommand) Help() string {
-	helpText := `
-Usage: vault operator usage
+func TestHandler_cors(t *testing.T) {
+	core, _, _ := vault.TestCoreUnsealed(t)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
 
-  List the client counts for the default reporting period.
+	// Enable CORS and allow from any origin for testing.
+	corsConfig := core.CORSConfig()
+	err := corsConfig.Enable(context.Background(), []string{addr}, nil)
+	if err != nil {
+		t.Fatalf("Error enabling CORS: %s", err)
+	}
+
+	req, err := http.NewRequest(http.MethodOptions, addr+"/v1/sys/seal-status", nil)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	req.Header.Set("Origin", "BAD ORIGIN")
+
+	// Requests from unacceptable origins will be rejected with a 403.
+	client := cleanhttp.DefaultClient()
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
 
-	  $ vault operator usage
+	if resp.StatusCode != http.StatusForbidden {
+		t.Fatalf("Bad status:\nexpected: 403 Forbidden\nactual: %s", resp.Status)
+	}
 
-  List the client counts for a specific time period.
+	//
+	// Test preflight requests
+	//
 
-          $ vault operator usage -start-time=2020-10 -end-time=2020-11
+	// Set a valid origin
+	req.Header.Set("Origin", addr)
 
-` + c.Flags().Help()
+	// Server should NOT accept arbitrary methods.
+	req.Header.Set("Access-Control-Request-Method", "FOO")
 
-	return strings.TrimSpace(helpText)
-}
+	client = cleanhttp.DefaultClient()
+	resp, err = client.Do(req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
 
-func (c *OperatorUsageCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+	// Fail if an arbitrary method is accepted.
+	if resp.StatusCode != http.StatusMethodNotAllowed {
+		t.Fatalf("Bad status:\nexpected: 405 Method Not Allowed\nactual: %s", resp.Status)
+	}
 
-	f := set.NewFlagSet("Command Options")
+	// Server SHOULD accept acceptable methods.
+	req.Header.Set("Access-Control-Request-Method", http.MethodPost)
 
-	f.TimeVar(&TimeVar{
-		Name:       "start-time",
-		Usage:      "Start of report period. Defaults to 'default_reporting_period' before end time.",
-		Target:     &c.flagStartTime,
-		Completion: complete.PredictNothing,
-		Default:    time.Time{},
-		Formats:    TimeVar_TimeOrDay | TimeVar_Month,
-	})
-	f.TimeVar(&TimeVar{
-		Name:       "end-time",
-		Usage:      "End of report period. Defaults to end of last month.",
-		Target:     &c.flagEndTime,
-		Completion: complete.PredictNothing,
-		Default:    time.Time{},
-		Formats:    TimeVar_TimeOrDay | TimeVar_Month,
-	})
+	client = cleanhttp.DefaultClient()
+	resp, err = client.Do(req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
 
-	return set
-}
+	//
+	// Test that the CORS headers are applied correctly.
+	//
+	expHeaders := map[string]string{
+		"Access-Control-Allow-Origin":  addr,
+		"Access-Control-Allow-Headers": strings.Join(vault.StdAllowedHeaders, ","),
+		"Access-Control-Max-Age":       "300",
+		"Vary":                         "Origin",
+	}
+
+	for expHeader, expected := range expHeaders {
+		actual := resp.Header.Get(expHeader)
+		if actual == "" {
+			t.Fatalf("bad:\nHeader: %#v was not on response.", expHeader)
+		}
 
-func (c *OperatorUsageCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictAnything
+		if actual != expected {
+			t.Fatalf("bad:\nExpected: %#v\nActual: %#v\n", expected, actual)
+		}
+	}
 }
 
-func (c *OperatorUsageCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
+func TestHandler_HostnameHeader(t *testing.T) {
+	t.Parallel()
+	testCases := []struct {
+		description   string
+		config        *vault.CoreConfig
+		headerPresent bool
+	}{
+		{
+			description:   "with no header configured",
+			config:        nil,
+			headerPresent: false,
+		},
+		{
+			description: "with header configured",
+			config: &vault.CoreConfig{
+				EnableResponseHeaderHostname: true,
+			},
+			headerPresent: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.description, func(t *testing.T) {
+			var core *vault.Core
+
+			if tc.config == nil {
+				core, _, _ = vault.TestCoreUnsealed(t)
+			} else {
+				core, _, _ = vault.TestCoreUnsealedWithConfig(t, tc.config)
+			}
+
+			ln, addr := TestServer(t, core)
+			defer ln.Close()
+
+			req, err := http.NewRequest("GET", addr+"/v1/sys/seal-status", nil)
+			if err != nil {
+				t.Fatalf("err: %s", err)
+			}
+
+			client := cleanhttp.DefaultClient()
+			resp, err := client.Do(req)
+			if err != nil {
+				t.Fatalf("err: %s", err)
+			}
+
+			if resp == nil {
+				t.Fatal("nil response")
+			}
+
+			hnHeader := resp.Header.Get("X-Vault-Hostname")
+			if tc.headerPresent && hnHeader == "" {
+				t.Logf("header configured = %t", core.HostnameHeaderEnabled())
+				t.Fatal("missing 'X-Vault-Hostname' header entry in response")
+			}
+			if !tc.headerPresent && hnHeader != "" {
+				t.Fatal("didn't expect 'X-Vault-Hostname' header but it was present anyway")
+			}
+
+			rniHeader := resp.Header.Get("X-Vault-Raft-Node-ID")
+			if rniHeader != "" {
+				t.Fatalf("no raft node ID header was expected, since we're not running a raft cluster. instead, got %s", rniHeader)
+			}
+		})
+	}
 }
 
-func (c *OperatorUsageCommand) Run(args []string) int {
-	f := c.Flags()
+func TestHandler_CacheControlNoStore(t *testing.T) {
+	core, _, token := vault.TestCoreUnsealed(t)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
+
+	req, err := http.NewRequest("GET", addr+"/v1/sys/mounts", nil)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	req.Header.Set(consts.AuthHeaderName, token)
+	req.Header.Set(WrapTTLHeaderName, "60s")
+
+	client := cleanhttp.DefaultClient()
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
 
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
+	if resp == nil {
+		t.Fatalf("nil response")
 	}
 
-	data := make(map[string][]string)
-	if !c.flagStartTime.IsZero() {
-		data["start_time"] = []string{c.flagStartTime.Format(time.RFC3339)}
+	actual := resp.Header.Get("Cache-Control")
+
+	if actual == "" {
+		t.Fatalf("missing 'Cache-Control' header entry in response writer")
 	}
-	if !c.flagEndTime.IsZero() {
-		data["end_time"] = []string{c.flagEndTime.Format(time.RFC3339)}
+
+	if actual != "no-store" {
+		t.Fatalf("bad: Cache-Control. Expected: 'no-store', Actual: %q", actual)
 	}
+}
+
+func TestHandler_InFlightRequest(t *testing.T) {
+	core, _, token := vault.TestCoreUnsealed(t)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
+	TestServerAuth(t, addr, token)
 
-	client, err := c.Client()
+	req, err := http.NewRequest("GET", addr+"/v1/sys/in-flight-req", nil)
 	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
+		t.Fatalf("err: %s", err)
 	}
+	req.Header.Set(consts.AuthHeaderName, token)
 
-	resp, err := client.Logical().ReadWithData("sys/internal/counters/activity", data)
+	client := cleanhttp.DefaultClient()
+	resp, err := client.Do(req)
 	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error retrieving client counts: %v", err))
-		return 2
+		t.Fatalf("err: %s", err)
 	}
 
-	if resp == nil || resp.Data == nil {
-		if c.noReportAvailable(client) {
-			c.UI.Warn("Vault does not have any usage data available. A report will be available\n" +
-				"after the first calendar month in which monitoring is enabled.")
-		} else {
-			c.UI.Warn("No data is available for the given time range.")
+	if resp == nil {
+		t.Fatalf("nil response")
+	}
+
+	var actual map[string]interface{}
+	testResponseStatus(t, resp, 200)
+	testResponseBody(t, resp, &actual)
+	if actual == nil || len(actual) == 0 {
+		t.Fatal("expected to get at least one in-flight request, got nil or zero length map")
+	}
+	for _, v := range actual {
+		reqInfo, ok := v.(map[string]interface{})
+		if !ok {
+			t.Fatal("failed to read in-flight request")
+		}
+		if reqInfo["request_path"] != "/v1/sys/in-flight-req" {
+			t.Fatalf("expected /v1/sys/in-flight-req in-flight request path, got %s", actual["request_path"])
 		}
-		// No further output
-		return 0
 	}
+}
+
+// TestHandler_MissingToken tests the response / error code if a request comes
+// in with a missing client token. See
+// https://github.com/hashicorp/vault/issues/8377
+func TestHandler_MissingToken(t *testing.T) {
+	// core, _, token := vault.TestCoreUnsealed(t)
+	core, _, _ := vault.TestCoreUnsealed(t)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
 
-	switch Format(c.UI) {
-	case "table":
-	default:
-		// Handle JSON, YAML, etc.
-		return OutputData(c.UI, resp)
+	req, err := http.NewRequest("GET", addr+"/v1/sys/internal/ui/mounts/cubbyhole", nil)
+	if err != nil {
+		t.Fatalf("err: %s", err)
 	}
 
-	// Show this before the headers
-	c.outputTimestamps(resp.Data)
+	req.Header.Set(WrapTTLHeaderName, "60s")
 
-	out := []string{
-		"Namespace path | Distinct entities | Non-Entity tokens | Active clients",
+	client := cleanhttp.DefaultClient()
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp.StatusCode != 403 {
+		t.Fatalf("expected code 403, got: %d", resp.StatusCode)
+	}
+}
+
+func TestHandler_Accepted(t *testing.T) {
+	core, _, token := vault.TestCoreUnsealed(t)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
+
+	req, err := http.NewRequest("POST", addr+"/v1/auth/token/tidy", nil)
+	if err != nil {
+		t.Fatalf("err: %s", err)
 	}
+	req.Header.Set(consts.AuthHeaderName, token)
 
-	out = append(out, c.namespacesOutput(resp.Data)...)
-	out = append(out, c.totalOutput(resp.Data)...)
+	client := cleanhttp.DefaultClient()
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
 
-	colConfig := columnize.DefaultConfig()
-	colConfig.Empty = " " // Do not show n/a on intentional blank lines
-	colConfig.Glue = "   "
-	c.UI.Output(tableOutput(out, colConfig))
-	return 0
+	testResponseStatus(t, resp, 202)
 }
 
-// noReportAvailable checks whether we can definitively say that no
-// queries can be answered; if there's an error, just fall back to
-// reporting that the response is empty.
-func (c *OperatorUsageCommand) noReportAvailable(client *api.Client) bool {
-	if c.flagOutputCurlString || c.flagOutputPolicy {
-		// Don't mess up the original query string
-		return false
+// We use this test to verify header auth
+func TestSysMounts_headerAuth(t *testing.T) {
+	core, _, token := vault.TestCoreUnsealed(t)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
+
+	req, err := http.NewRequest("GET", addr+"/v1/sys/mounts", nil)
+	if err != nil {
+		t.Fatalf("err: %s", err)
 	}
+	req.Header.Set(consts.AuthHeaderName, token)
 
-	resp, err := client.Logical().Read("sys/internal/counters/config")
-	if err != nil || resp == nil || resp.Data == nil {
-		c.UI.Warn("bad response from config")
-		return false
+	client := cleanhttp.DefaultClient()
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
 	}
 
-	qaRaw, ok := resp.Data["queries_available"]
-	if !ok {
-		c.UI.Warn("no queries_available key")
-		return false
+	var actual map[string]interface{}
+	expected := map[string]interface{}{
+		"lease_id":       "",
+		"renewable":      false,
+		"lease_duration": json.Number("0"),
+		"wrap_info":      nil,
+		"warnings":       nil,
+		"mount_type":     "system",
+		"auth":           nil,
+		"data": map[string]interface{}{
+			"secret/": map[string]interface{}{
+				"description":             "key/value secret storage",
+				"type":                    "kv",
+				"external_entropy_access": false,
+				"config": map[string]interface{}{
+					"default_lease_ttl": json.Number("0"),
+					"max_lease_ttl":     json.Number("0"),
+					"force_no_cache":    false,
+				},
+				"local":                  false,
+				"seal_wrap":              false,
+				"options":                map[string]interface{}{"version": "1"},
+				"plugin_version":         "",
+				"running_sha256":         "",
+				"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "kv"),
+			},
+			"sys/": map[string]interface{}{
+				"description":             "system endpoints used for control, policy and debugging",
+				"type":                    "system",
+				"external_entropy_access": false,
+				"config": map[string]interface{}{
+					"default_lease_ttl":           json.Number("0"),
+					"max_lease_ttl":               json.Number("0"),
+					"force_no_cache":              false,
+					"passthrough_request_headers": []interface{}{"Accept"},
+				},
+				"local":                  false,
+				"seal_wrap":              true,
+				"options":                interface{}(nil),
+				"plugin_version":         "",
+				"running_sha256":         "",
+				"running_plugin_version": versions.DefaultBuiltinVersion,
+			},
+			"cubbyhole/": map[string]interface{}{
+				"description":             "per-token private secret storage",
+				"type":                    "cubbyhole",
+				"external_entropy_access": false,
+				"config": map[string]interface{}{
+					"default_lease_ttl": json.Number("0"),
+					"max_lease_ttl":     json.Number("0"),
+					"force_no_cache":    false,
+				},
+				"local":                  true,
+				"seal_wrap":              false,
+				"options":                interface{}(nil),
+				"plugin_version":         "",
+				"running_sha256":         "",
+				"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "cubbyhole"),
+			},
+			"identity/": map[string]interface{}{
+				"description":             "identity store",
+				"type":                    "identity",
+				"external_entropy_access": false,
+				"config": map[string]interface{}{
+					"default_lease_ttl":           json.Number("0"),
+					"max_lease_ttl":               json.Number("0"),
+					"force_no_cache":              false,
+					"passthrough_request_headers": []interface{}{"Authorization"},
+				},
+				"local":                  false,
+				"seal_wrap":              false,
+				"options":                interface{}(nil),
+				"plugin_version":         "",
+				"running_sha256":         "",
+				"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "identity"),
+			},
+		},
+		"secret/": map[string]interface{}{
+			"description":             "key/value secret storage",
+			"type":                    "kv",
+			"external_entropy_access": false,
+			"config": map[string]interface{}{
+				"default_lease_ttl": json.Number("0"),
+				"max_lease_ttl":     json.Number("0"),
+				"force_no_cache":    false,
+			},
+			"local":                  false,
+			"seal_wrap":              false,
+			"options":                map[string]interface{}{"version": "1"},
+			"plugin_version":         "",
+			"running_sha256":         "",
+			"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "kv"),
+		},
+		"sys/": map[string]interface{}{
+			"description":             "system endpoints used for control, policy and debugging",
+			"type":                    "system",
+			"external_entropy_access": false,
+			"config": map[string]interface{}{
+				"default_lease_ttl":           json.Number("0"),
+				"max_lease_ttl":               json.Number("0"),
+				"force_no_cache":              false,
+				"passthrough_request_headers": []interface{}{"Accept"},
+			},
+			"local":                  false,
+			"seal_wrap":              true,
+			"options":                interface{}(nil),
+			"plugin_version":         "",
+			"running_sha256":         "",
+			"running_plugin_version": versions.DefaultBuiltinVersion,
+		},
+		"cubbyhole/": map[string]interface{}{
+			"description":             "per-token private secret storage",
+			"type":                    "cubbyhole",
+			"external_entropy_access": false,
+			"config": map[string]interface{}{
+				"default_lease_ttl": json.Number("0"),
+				"max_lease_ttl":     json.Number("0"),
+				"force_no_cache":    false,
+			},
+			"local":                  true,
+			"seal_wrap":              false,
+			"options":                interface{}(nil),
+			"plugin_version":         "",
+			"running_sha256":         "",
+			"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "cubbyhole"),
+		},
+		"identity/": map[string]interface{}{
+			"description":             "identity store",
+			"type":                    "identity",
+			"external_entropy_access": false,
+			"config": map[string]interface{}{
+				"default_lease_ttl":           json.Number("0"),
+				"max_lease_ttl":               json.Number("0"),
+				"force_no_cache":              false,
+				"passthrough_request_headers": []interface{}{"Authorization"},
+			},
+			"local":                  false,
+			"seal_wrap":              false,
+			"options":                interface{}(nil),
+			"plugin_version":         "",
+			"running_sha256":         "",
+			"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "identity"),
+		},
 	}
+	testResponseStatus(t, resp, 200)
+	testResponseBody(t, resp, &actual)
 
-	qa, ok := qaRaw.(bool)
-	if !ok {
-		c.UI.Warn("wrong type")
-		return false
+	expected["request_id"] = actual["request_id"]
+	for k, v := range actual["data"].(map[string]interface{}) {
+		if v.(map[string]interface{})["accessor"] == "" {
+			t.Fatalf("no accessor from %s", k)
+		}
+		if v.(map[string]interface{})["uuid"] == "" {
+			t.Fatalf("no uuid from %s", k)
+		}
+
+		expected[k].(map[string]interface{})["accessor"] = v.(map[string]interface{})["accessor"]
+		expected[k].(map[string]interface{})["uuid"] = v.(map[string]interface{})["uuid"]
+		expected["data"].(map[string]interface{})[k].(map[string]interface{})["accessor"] = v.(map[string]interface{})["accessor"]
+		expected["data"].(map[string]interface{})[k].(map[string]interface{})["uuid"] = v.(map[string]interface{})["uuid"]
 	}
 
-	return !qa
+	if diff := deep.Equal(actual, expected); len(diff) > 0 {
+		t.Fatalf("bad, diff: %#v", diff)
+	}
 }
 
-func (c *OperatorUsageCommand) outputTimestamps(data map[string]interface{}) {
-	c.UI.Output(fmt.Sprintf("Period start: %v\nPeriod end: %v\n",
-		data["start_time"].(string),
-		data["end_time"].(string)))
-}
+// We use this test to verify header auth wrapping
+func TestSysMounts_headerAuth_Wrapped(t *testing.T) {
+	core, _, token := vault.TestCoreUnsealed(t)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
 
-type UsageCommandNamespace struct {
-	formattedLine string
-	sortOrder     string
+	req, err := http.NewRequest("GET", addr+"/v1/sys/mounts", nil)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	req.Header.Set(consts.AuthHeaderName, token)
+	req.Header.Set(WrapTTLHeaderName, "60s")
 
-	// Sort order:
-	// -- root first
-	// -- namespaces in lexicographic order
-	// -- deleted namespace "xxxxx" last
-}
+	client := cleanhttp.DefaultClient()
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
 
-type UsageResponse struct {
-	namespacePath string
-	entityCount   int64
-	// As per 1.9, the tokenCount field will contain the distinct non-entity
-	// token clients instead of each individual token.
-	tokenCount int64
+	var actual map[string]interface{}
+	expected := map[string]interface{}{
+		"request_id":     "",
+		"lease_id":       "",
+		"renewable":      false,
+		"lease_duration": json.Number("0"),
+		"data":           nil,
+		"wrap_info": map[string]interface{}{
+			"ttl": json.Number("60"),
+		},
+		"warnings":   nil,
+		"auth":       nil,
+		"mount_type": "",
+	}
 
-	clientCount int64
-}
+	testResponseStatus(t, resp, 200)
+	testResponseBody(t, resp, &actual)
 
-func jsonNumberOK(m map[string]interface{}, key string) (int64, bool) {
-	val, ok := m[key].(json.Number)
-	if !ok {
-		return 0, false
+	actualToken, ok := actual["wrap_info"].(map[string]interface{})["token"]
+	if !ok || actualToken == "" {
+		t.Fatal("token missing in wrap info")
 	}
-	intVal, err := val.Int64()
-	if err != nil {
-		return 0, false
+	expected["wrap_info"].(map[string]interface{})["token"] = actualToken
+
+	actualCreationTime, ok := actual["wrap_info"].(map[string]interface{})["creation_time"]
+	if !ok || actualCreationTime == "" {
+		t.Fatal("creation_time missing in wrap info")
 	}
-	return intVal, true
-}
+	expected["wrap_info"].(map[string]interface{})["creation_time"] = actualCreationTime
+
+	actualCreationPath, ok := actual["wrap_info"].(map[string]interface{})["creation_path"]
+	if !ok || actualCreationPath == "" {
+		t.Fatal("creation_path missing in wrap info")
+	}
+	expected["wrap_info"].(map[string]interface{})["creation_path"] = actualCreationPath
 
-// TODO: provide a function in the API module for doing this conversion?
-func (c *OperatorUsageCommand) parseNamespaceCount(rawVal interface{}) (UsageResponse, error) {
-	var ret UsageResponse
+	actualAccessor, ok := actual["wrap_info"].(map[string]interface{})["accessor"]
+	if !ok || actualAccessor == "" {
+		t.Fatal("accessor missing in wrap info")
+	}
+	expected["wrap_info"].(map[string]interface{})["accessor"] = actualAccessor
 
-	val, ok := rawVal.(map[string]interface{})
-	if !ok {
-		return ret, errors.New("value is not a map")
+	if !reflect.DeepEqual(actual, expected) {
+		t.Fatalf("bad:\nExpected: %#v\nActual: %#v\n%T %T", expected, actual, actual["warnings"], actual["data"])
 	}
+}
+
+func TestHandler_sealed(t *testing.T) {
+	core, _, token := vault.TestCoreUnsealed(t)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
 
-	ret.namespacePath, ok = val["namespace_path"].(string)
-	if !ok {
-		return ret, errors.New("bad namespace path")
+	core.Seal(token)
+
+	resp, err := http.Get(addr + "/v1/secret/foo")
+	if err != nil {
+		t.Fatalf("err: %s", err)
 	}
+	testResponseStatus(t, resp, 503)
+}
 
-	counts, ok := val["counts"].(map[string]interface{})
-	if !ok {
-		return ret, errors.New("missing counts")
+func TestHandler_ui_default(t *testing.T) {
+	core := vault.TestCoreUI(t, false)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
+
+	resp, err := http.Get(addr + "/ui/")
+	if err != nil {
+		t.Fatalf("err: %s", err)
 	}
+	testResponseStatus(t, resp, 404)
+}
 
-	ret.entityCount, ok = jsonNumberOK(counts, "distinct_entities")
-	if !ok {
-		return ret, errors.New("missing distinct_entities")
+func TestHandler_ui_enabled(t *testing.T) {
+	core := vault.TestCoreUI(t, true)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
+
+	resp, err := http.Get(addr + "/ui/")
+	if err != nil {
+		t.Fatalf("err: %s", err)
 	}
+	testResponseStatus(t, resp, 200)
+}
+
+func TestHandler_error(t *testing.T) {
+	w := httptest.NewRecorder()
+
+	respondError(w, 500, errors.New("test Error"))
 
-	ret.tokenCount, ok = jsonNumberOK(counts, "non_entity_tokens")
-	if !ok {
-		return ret, errors.New("missing non_entity_tokens")
+	if w.Code != 500 {
+		t.Fatalf("expected 500, got %d", w.Code)
 	}
 
-	ret.clientCount, ok = jsonNumberOK(counts, "clients")
-	if !ok {
-		return ret, errors.New("missing clients")
+	// The code inside of the error should override
+	// the argument to respondError
+	w2 := httptest.NewRecorder()
+	e := logical.CodedError(403, "error text")
+
+	respondError(w2, 500, e)
+
+	if w2.Code != 403 {
+		t.Fatalf("expected 403, got %d", w2.Code)
 	}
 
-	return ret, nil
+	// vault.ErrSealed is a special case
+	w3 := httptest.NewRecorder()
+
+	respondError(w3, 400, consts.ErrSealed)
+
+	if w3.Code != 503 {
+		t.Fatalf("expected 503, got %d", w3.Code)
+	}
 }
 
-func (c *OperatorUsageCommand) namespacesOutput(data map[string]interface{}) []string {
-	byNs, ok := data["by_namespace"].([]interface{})
-	if !ok {
-		c.UI.Error("missing namespace breakdown in response")
-		return nil
+func TestHandler_requestAuth(t *testing.T) {
+	core, _, token := vault.TestCoreUnsealed(t)
+
+	rootCtx := namespace.RootContext(nil)
+	te, err := core.LookupToken(rootCtx, token)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	rWithAuthorization, err := http.NewRequest("GET", "v1/test/path", nil)
+	if err != nil {
+		t.Fatalf("err: %s", err)
 	}
+	rWithAuthorization.Header.Set("Authorization", "Bearer "+token)
 
-	nsOut := make([]UsageCommandNamespace, 0, len(byNs))
+	rWithVault, err := http.NewRequest("GET", "v1/test/path", nil)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	rWithVault.Header.Set(consts.AuthHeaderName, token)
 
-	for _, rawVal := range byNs {
-		val, err := c.parseNamespaceCount(rawVal)
+	for _, r := range []*http.Request{rWithVault, rWithAuthorization} {
+		req := logical.TestRequest(t, logical.ReadOperation, "test/path")
+		r = r.WithContext(rootCtx)
+		requestAuth(r, req)
+		err = core.PopulateTokenEntry(rootCtx, req)
 		if err != nil {
-			c.UI.Error(fmt.Sprintf("malformed namespace in response: %v", err))
-			continue
+			t.Fatalf("err: %s", err)
 		}
 
-		sortOrder := "1" + val.namespacePath
-		if val.namespacePath == "" {
-			val.namespacePath = "[root]"
-			sortOrder = "0"
-		} else if strings.HasPrefix(val.namespacePath, "deleted namespace") {
-			sortOrder = "2" + val.namespacePath
+		if req.ClientToken != token {
+			t.Fatalf("client token should be filled with %s, got %s", token, req.ClientToken)
+		}
+		if req.TokenEntry() == nil {
+			t.Fatal("token entry should not be nil")
+		}
+		if !reflect.DeepEqual(req.TokenEntry(), te) {
+			t.Fatalf("token entry should be the same as the core")
 		}
+		if req.ClientTokenAccessor == "" {
+			t.Fatal("token accessor should not be empty")
+		}
+	}
 
-		formattedLine := fmt.Sprintf("%s | %d | %d | %d",
-			val.namespacePath, val.entityCount, val.tokenCount, val.clientCount)
-		nsOut = append(nsOut, UsageCommandNamespace{
-			formattedLine: formattedLine,
-			sortOrder:     sortOrder,
-		})
+	rNothing, err := http.NewRequest("GET", "v1/test/path", nil)
+	if err != nil {
+		t.Fatalf("err: %s", err)
 	}
+	req := logical.TestRequest(t, logical.ReadOperation, "test/path")
 
-	sort.Slice(nsOut, func(i, j int) bool {
-		return nsOut[i].sortOrder < nsOut[j].sortOrder
+	requestAuth(rNothing, req)
+	err = core.PopulateTokenEntry(rootCtx, req)
+	if err != nil {
+		t.Fatalf("expected no error, got %s", err)
+	}
+	if req.ClientToken != "" {
+		t.Fatalf("client token should not be filled, got %s", req.ClientToken)
+	}
+}
+
+func TestHandler_getTokenFromReq(t *testing.T) {
+	r := http.Request{Header: http.Header{}}
+
+	tok, _ := getTokenFromReq(&r)
+	if tok != "" {
+		t.Fatalf("expected '' as result, got '%s'", tok)
+	}
+
+	r.Header.Set("Authorization", "Bearer TOKEN NOT_GOOD_TOKEN")
+	token, fromHeader := getTokenFromReq(&r)
+	if !fromHeader {
+		t.Fatal("expected from header")
+	} else if token != "TOKEN NOT_GOOD_TOKEN" {
+		t.Fatal("did not get expected token value")
+	} else if r.Header.Get("Authorization") == "" {
+		t.Fatal("expected value to be passed through")
+	}
+
+	r.Header.Set(consts.AuthHeaderName, "NEWTOKEN")
+	tok, _ = getTokenFromReq(&r)
+	if tok == "TOKEN" {
+		t.Fatalf("%s header should be prioritized", consts.AuthHeaderName)
+	} else if tok != "NEWTOKEN" {
+		t.Fatalf("expected 'NEWTOKEN' as result, got '%s'", tok)
+	}
+
+	r.Header = http.Header{}
+	r.Header.Set("Authorization", "Basic TOKEN")
+	tok, fromHeader = getTokenFromReq(&r)
+	if tok != "" {
+		t.Fatalf("expected '' as result, got '%s'", tok)
+	} else if fromHeader {
+		t.Fatal("expected not from header")
+	}
+}
+
+func TestHandler_nonPrintableChars(t *testing.T) {
+	testNonPrintable(t, false)
+	testNonPrintable(t, true)
+}
+
+func testNonPrintable(t *testing.T, disable bool) {
+	core, _, token := vault.TestCoreUnsealedWithConfig(t, &vault.CoreConfig{
+		DisableKeyEncodingChecks: disable,
 	})
+	ln, addr := TestListener(t)
+	props := &vault.HandlerProperties{
+		Core:                  core,
+		DisablePrintableCheck: disable,
+		ListenerConfig:        &configutil.Listener{},
+	}
+	TestServerWithListenerAndProperties(t, ln, addr, core, props)
+	defer ln.Close()
 
-	out := make([]string, len(nsOut))
-	for i := range nsOut {
-		out[i] = nsOut[i].formattedLine
+	req, err := http.NewRequest("PUT", addr+"/v1/cubbyhole/foo\u2028bar", strings.NewReader(`{"zip": "zap"}`))
+	if err != nil {
+		t.Fatalf("err: %s", err)
 	}
+	req.Header.Set(consts.AuthHeaderName, token)
 
-	return out
+	client := cleanhttp.DefaultClient()
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	if disable {
+		testResponseStatus(t, resp, 204)
+	} else {
+		testResponseStatus(t, resp, 400)
+	}
 }
 
-func (c *OperatorUsageCommand) totalOutput(data map[string]interface{}) []string {
-	// blank line separating it from namespaces
-	out := []string{"  |  |  |  "}
+func TestHandler_Parse_Form(t *testing.T) {
+	cluster := vault.NewTestCluster(t, &vault.CoreConfig{}, &vault.TestClusterOptions{
+		HandlerFunc: Handler,
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	cores := cluster.Cores
+
+	core := cores[0].Core
+	vault.TestWaitActive(t, core)
 
-	total, ok := data["total"].(map[string]interface{})
-	if !ok {
-		c.UI.Error("missing total in response")
-		return out
+	c := cleanhttp.DefaultClient()
+	c.Transport = &http.Transport{
+		TLSClientConfig: &tls.Config{
+			RootCAs: cluster.RootCAs,
+		},
 	}
 
-	entityCount, ok := jsonNumberOK(total, "distinct_entities")
-	if !ok {
-		c.UI.Error("missing distinct_entities in total")
-		return out
+	values := url.Values{
+		"zip":   []string{"zap"},
+		"abc":   []string{"xyz"},
+		"multi": []string{"first", "second"},
+		"empty": []string{},
+	}
+	req, err := http.NewRequest("POST", cores[0].Client.Address()+"/v1/secret/foo", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	req.Body = ioutil.NopCloser(strings.NewReader(values.Encode()))
+	req.Header.Set("x-vault-token", cluster.RootToken)
+	req.Header.Set("content-type", "application/x-www-form-urlencoded")
+	resp, err := c.Do(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if resp.StatusCode != 204 {
+		t.Fatalf("bad response: %#v\nrequest was: %#v\nurl was: %#v", *resp, *req, req.URL)
 	}
 
-	tokenCount, ok := jsonNumberOK(total, "non_entity_tokens")
-	if !ok {
-		c.UI.Error("missing non_entity_tokens in total")
-		return out
+	client := cores[0].Client
+	client.SetToken(cluster.RootToken)
+
+	apiResp, err := client.Logical().Read("secret/foo")
+	if err != nil {
+		t.Fatal(err)
 	}
-	clientCount, ok := jsonNumberOK(total, "clients")
-	if !ok {
-		c.UI.Error("missing clients in total")
-		return out
+	if apiResp == nil {
+		t.Fatal("api resp is nil")
 	}
+	expected := map[string]interface{}{
+		"zip":   "zap",
+		"abc":   "xyz",
+		"multi": "first,second",
+	}
+	if diff := deep.Equal(expected, apiResp.Data); diff != nil {
+		t.Fatal(diff)
+	}
+}
+
+// TestHandler_MaxRequestSize verifies that a request larger than the
+// MaxRequestSize fails
+func TestHandler_MaxRequestSize(t *testing.T) {
+	t.Parallel()
+	cluster := vault.NewTestCluster(t, &vault.CoreConfig{}, &vault.TestClusterOptions{
+		DefaultHandlerProperties: vault.HandlerProperties{
+			ListenerConfig: &configutil.Listener{
+				MaxRequestSize: 1024,
+			},
+		},
+		HandlerFunc: Handler,
+		NumCores:    1,
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
 
-	out = append(out, fmt.Sprintf("Total | %d | %d | %d",
-		entityCount, tokenCount, clientCount))
-	return out
+	client := cluster.Cores[0].Client
+	_, err := client.KVv2("secret").Put(context.Background(), "foo", map[string]interface{}{
+		"bar": strings.Repeat("a", 1025),
+	})
+
+	require.ErrorContains(t, err, "error parsing JSON")
+}
+
+// TestHandler_MaxRequestSize_Memory sets the max request size to 1024 bytes,
+// and creates a 1MB request. The test verifies that less than 1MB of memory is
+// allocated when the request is sent. This test shouldn't be run in parallel,
+// because it modifies GOMAXPROCS
+func TestHandler_MaxRequestSize_Memory(t *testing.T) {
+	ln, addr := TestListener(t)
+	core, _, token := vault.TestCoreUnsealed(t)
+	TestServerWithListenerAndProperties(t, ln, addr, core, &vault.HandlerProperties{
+		Core: core,
+		ListenerConfig: &configutil.Listener{
+			Address:        addr,
+			MaxRequestSize: 1024,
+		},
+	})
+	defer ln.Close()
+
+	data := bytes.Repeat([]byte{0x1}, 1024*1024)
+
+	req, err := http.NewRequest("POST", addr+"/v1/sys/unseal", bytes.NewReader(data))
+	require.NoError(t, err)
+	req.Header.Set(consts.AuthHeaderName, token)
+
+	client := cleanhttp.DefaultClient()
+	defer runtime.GOMAXPROCS(runtime.GOMAXPROCS(1))
+	var start, end runtime.MemStats
+	runtime.GC()
+	runtime.ReadMemStats(&start)
+	client.Do(req)
+	runtime.ReadMemStats(&end)
+	require.Less(t, end.TotalAlloc-start.TotalAlloc, uint64(1024*1024))
 }
diff --git a/command/patch.go b/command/patch.go
index f2092f3eba4a..957db87aa30a 100644
--- a/command/patch.go
+++ b/command/patch.go
@@ -1,138 +1,553 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
+---
+layout: docs
+page_title: Vault Secrets Operator Helm Chart Configuration
+description: >-
+  Configuration for the Vault Secrets Operator Helm chart.
+---
 
-package command
+# Vault Secrets Operator helm chart
+
+The chart is customizable using
+[Helm configuration values](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing).
+
+<!-- DO NOT EDIT. The docs below are generated automatically. To change, edit
+                  the vault-secrets-operator repo's values.yaml: file commit=d2307002434ffd899f7982f9827f427dbb6295e6 -->
+<!-- codegen: start -->
 
-import (
-	"context"
-	"fmt"
-	"io"
-	"os"
-	"strings"
+## Top-Level Stanzas
 
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
+Use these links to navigate to a particular top-level stanza.
 
-var (
-	_ cli.Command             = (*PatchCommand)(nil)
-	_ cli.CommandAutocomplete = (*PatchCommand)(nil)
-)
+- [`controller`](#h-controller)
+- [`metricsService`](#h-metricsservice)
+- [`defaultVaultConnection`](#h-defaultvaultconnection)
+- [`defaultAuthMethod`](#h-defaultauthmethod)
+- [`telemetry`](#h-telemetry)
+- [`tests`](#h-tests)
 
-// PatchCommand is a Command that puts data into the Vault.
-type PatchCommand struct {
-	*BaseCommand
+## All Values
 
-	flagForce bool
+### controller ((#h-controller))
 
-	testStdin io.Reader // for tests
-}
+- `controller` ((#v-controller)) - Top level configuration for the vault secrets operator deployment.
+  This consists of a controller and a kube rbac proxy container.
 
-func (c *PatchCommand) Synopsis() string {
-	return "Patch data, configuration, and secrets"
-}
+  - `replicas` ((#v-controller-replicas)) (`integer: 1`) - Set the number of replicas for the operator.
 
-func (c *PatchCommand) Help() string {
-	helpText := `
-Usage: vault patch [options] PATH [DATA K=V...]
+  - `hostAliases` ((#v-controller-hostaliases)) (`array<map>`) - Host Aliases settings for vault-secrets-operator pod.
+    The value is an array of PodSpec HostAlias maps.
+    ref: https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/
+    Example:
+    hostAliases:
+      - ip: 192.168.1.100
+        hostnames:
+        - vault.example.com
 
-  Patches data in Vault at the given path. The data can be credentials, secrets,
-  configuration, or arbitrary data. The specific behavior of this command is
-  determined at the thing mounted at the path.
+  - `nodeSelector` ((#v-controller-nodeselector)) (`map`) - nodeSelector labels for vault-secrets-operator pod assignment.
+    ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+    Example:
+    nodeSelector:
+      beta.kubernetes.io/arch: amd64
 
-  Data is specified as "key=value" pairs. If the value begins with an "@", then
-  it is loaded from a file. If the value is "-", Vault will read the value from
-  stdin.
+  - `tolerations` ((#v-controller-tolerations)) (`array<map>`) - Toleration Settings for vault-secrets-operator pod.
+    The value is an array of PodSpec Toleration maps.
+    ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+    Example:
+    tolerations:
+     - key: "key1"
+       operator: "Equal"
+       value: "value1"
+       effect: "NoSchedule"
 
-  Unlike write, patch will only modify specified fields.
+  - `affinity` ((#v-controller-affinity)) - Affinity settings for vault-secrets-operator pod.
+    The value is a map of PodSpec Affinity maps.
+    ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
+    Example:
+    affinity:
+      nodeAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+          nodeSelectorTerms:
+          - matchExpressions:
+            - key: topology.kubernetes.io/zone
+              operator: In
+              values:
+              - antarctica-east1
+              - antarctica-west1
 
-  Persist data in the generic secrets engine without modifying any other fields:
+  - `kubeRbacProxy` ((#v-controller-kuberbacproxy)) - Settings related to the kubeRbacProxy container. This container is an HTTP proxy for the
+    controller manager which performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
 
-      $ vault patch pki/roles/example allow_localhost=false
+    - `image` ((#v-controller-kuberbacproxy-image)) - Image sets the repo and tag of the kube-rbac-proxy image to use for the controller.
 
-  The data can also be consumed from a file on disk by prefixing with the "@"
-  symbol. For example:
+      - `repository` ((#v-controller-kuberbacproxy-image-repository)) (`string: gcr.io/kubebuilder/kube-rbac-proxy`)
 
-      $ vault patch pki/roles/example @role.json
+      - `tag` ((#v-controller-kuberbacproxy-image-tag)) (`string: v0.15.0`)
 
-  Or it can be read from stdin using the "-" symbol:
+    - `resources` ((#v-controller-kuberbacproxy-resources)) (`map`) - Configures the default resources for the kube rbac proxy container.
+      For more information on configuring resources, see the K8s documentation:
+      https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 
-      $ echo "example.com" | vault patch pki/roles/example allowed_domains=-
+      - `limits` ((#v-controller-kuberbacproxy-resources-limits))
 
-  For a full list of examples and paths, please see the documentation that
-  corresponds to the secret engines in use.
+        - `cpu` ((#v-controller-kuberbacproxy-resources-limits-cpu)) (`string: 500m`)
 
-` + c.Flags().Help()
+        - `memory` ((#v-controller-kuberbacproxy-resources-limits-memory)) (`string: 128Mi`)
 
-	return strings.TrimSpace(helpText)
-}
+      - `requests` ((#v-controller-kuberbacproxy-resources-requests))
 
-func (c *PatchCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
-	f := set.NewFlagSet("Command Options")
+        - `cpu` ((#v-controller-kuberbacproxy-resources-requests-cpu)) (`string: 5m`)
 
-	f.BoolVar(&BoolVar{
-		Name:       "force",
-		Aliases:    []string{"f"},
-		Target:     &c.flagForce,
-		Default:    false,
-		EnvVar:     "",
-		Completion: complete.PredictNothing,
-		Usage: "Allow the operation to continue with no key=value pairs. This " +
-			"allows writing to keys that do not need or expect data.",
-	})
+        - `memory` ((#v-controller-kuberbacproxy-resources-requests-memory)) (`string: 64Mi`)
 
-	return set
-}
+  - `imagePullSecrets` ((#v-controller-imagepullsecrets)) (`array<map>`) - Image pull secret to use for private container registry authentication which will be applied to the controllers
+    service account. Alternatively, the value may be specified as an array of strings.
+    Example:
+    ```yaml
+    imagePullSecrets:
+      - name: pull-secret-name-1
+      - name: pull-secret-name-2
+    ```
+    Refer to https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry.
 
-func (c *PatchCommand) AutocompleteArgs() complete.Predictor {
-	// Return an anything predictor here. Without a way to access help
-	// information, we don't know what paths we could patch.
-	return complete.PredictAnything
-}
+  - `extraLabels` ((#v-controller-extralabels)) - Extra labels to attach to the deployment. This should be formatted as a YAML object (map)
 
-func (c *PatchCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
+  - `annotations` ((#v-controller-annotations)) - This value defines additional annotations for the deployment. This should be formatted as a YAML object (map)
 
-func (c *PatchCommand) Run(args []string) int {
-	f := c.Flags()
+  - `manager` ((#v-controller-manager)) - Settings related to the vault-secrets-operator container.
 
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
+    - `image` ((#v-controller-manager-image)) - Image sets the repo and tag of the vault-secrets-operator image to use for the controller.
 
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) == 1 && !c.flagForce:
-		c.UI.Error("Must supply data or use -force")
-		return 1
-	}
+      - `repository` ((#v-controller-manager-image-repository)) (`string: hashicorp/vault-secrets-operator`)
 
-	// Pull our fake stdin if needed
-	stdin := (io.Reader)(os.Stdin)
-	if c.testStdin != nil {
-		stdin = c.testStdin
-	}
+      - `tag` ((#v-controller-manager-image-tag)) (`string: 0.4.1`)
 
-	path := sanitizePath(args[0])
+    - `clientCache` ((#v-controller-manager-clientcache)) - Configures the client cache which is used by the controller to cache (and potentially persist) vault tokens that
+      are the result of using the VaultAuthMethod. This enables re-use of Vault Tokens
+      throughout their TTLs as well as the ability to renew.
+      Persistence is only useful in the context of Dynamic Secrets, so "none" is an okay default.
 
-	data, err := parseArgsData(stdin, args[1:])
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Failed to parse K=V data: %s", err))
-		return 1
-	}
+      - `persistenceModel` ((#v-controller-manager-clientcache-persistencemodel)) (`string: ""`) - Defines the `-client-cache-persistence-model` which caches+persists vault tokens.
+        Valid values are:
+        "none" - in-memory client cache is used, no tokens are persisted.
+        "direct-unencrypted" - in-memory client cache is persisted, unencrypted. This is NOT recommended for any production workload.
+        "direct-encrypted" - in-memory client cache is persisted encrypted using the Vault Transit engine.
+        Note: It is strongly encouraged to not use the setting of "direct-unencrypted" in
+        production due to the potential of vault tokens being leaked as they would then be stored
+        in clear text.
 
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	secret, err := client.Logical().JSONMergePatch(context.Background(), path, data)
-	return handleWriteSecretOutput(c.BaseCommand, path, secret, err)
-}
+        default: "none"
+
+      - `cacheSize` ((#v-controller-manager-clientcache-cachesize)) (`integer: ""`) - Defines the size of the in-memory LRU cache *in entries*, that is used by the client cache controller.
+        Larger numbers will increase memory usage by the controller, lower numbers will cause more frequent evictions
+        of the client cache which can result in additional Vault client counts.
+
+        default: 10000
+
+      - `storageEncryption` ((#v-controller-manager-clientcache-storageencryption)) - StorageEncryption provides the necessary configuration to encrypt the client storage
+        cache within Kubernetes objects using (required) Vault Transit Engine.
+        This should only be configured when client cache persistence with encryption is enabled and
+        will deploy an additional VaultAuthMethod to be used by the Vault Transit Engine.
+        E.g. when `controller.manager.clientCache.persistenceModel=direct-encrypted`
+        Supported Vault authentication methods for the Transit Auth method are: jwt, appRole,
+        aws, and kubernetes.
+        Typically, there should only ever be one VaultAuth configured with
+        StorageEncryption in the Cluster.
+
+        - `enabled` ((#v-controller-manager-clientcache-storageencryption-enabled)) (`boolean: false`) - toggles the deployment of the Transit VaultAuthMethod CR.
+
+        - `vaultConnectionRef` ((#v-controller-manager-clientcache-storageencryption-vaultconnectionref)) (`string: default`) - Vault Connection Ref to be used by the Transit VaultAuthMethod.
+          Default setting will use the default VaultConnectionRef, which must also be configured.
+
+        - `keyName` ((#v-controller-manager-clientcache-storageencryption-keyname)) (`string: ""`) - KeyName to use for encrypt/decrypt operations via Vault Transit.
+
+        - `transitMount` ((#v-controller-manager-clientcache-storageencryption-transitmount)) (`string: ""`) - Mount path for the Transit VaultAuthMethod.
+
+        - `namespace` ((#v-controller-manager-clientcache-storageencryption-namespace)) (`string: ""`) - Vault namespace for the Transit VaultAuthMethod CR.
+
+        - `method` ((#v-controller-manager-clientcache-storageencryption-method)) (`string: kubernetes`) - Vault Auth method to be used with the Transit VaultAuthMethod CR.
+
+        - `mount` ((#v-controller-manager-clientcache-storageencryption-mount)) (`string: kubernetes`) - Mount path for the Transit VaultAuthMethod.
+
+        - `kubernetes` ((#v-controller-manager-clientcache-storageencryption-kubernetes)) - Vault Kubernetes auth method specific configuration
+
+          - `role` ((#v-controller-manager-clientcache-storageencryption-kubernetes-role)) (`string: ""`) - Vault Auth Role to use
+            This is a required field and must be setup in Vault prior to deploying the helm chart
+            if `defaultAuthMethod.enabled=true`
+
+          - `serviceAccount` ((#v-controller-manager-clientcache-storageencryption-kubernetes-serviceaccount)) (`string: ""`) - Kubernetes ServiceAccount associated with the Transit Vault Auth Role
+            Defaults to using the Operator's service-account.
+
+          - `tokenAudiences` ((#v-controller-manager-clientcache-storageencryption-kubernetes-tokenaudiences)) (`array<string>: []`) - Token Audience should match the audience of the vault kubernetes auth role.
+
+        - `jwt` ((#v-controller-manager-clientcache-storageencryption-jwt)) - Vault JWT auth method specific configuration
+
+          - `role` ((#v-controller-manager-clientcache-storageencryption-jwt-role)) (`string: ""`) - Vault Auth Role to use
+            This is a required field and must be setup in Vault prior to deploying the helm chart
+            if using JWT for the Transit VaultAuthMethod.
+
+          - `secretRef` ((#v-controller-manager-clientcache-storageencryption-jwt-secretref)) (`string: ""`) - One of the following is required prior to deploying the helm chart
+            - K8s secret that contains the JWT
+            - K8s service account if a service account JWT is used as a Vault JWT auth token and
+            needs generating by VSO.
+
+            Name of Kubernetes Secret that has the Vault JWT auth token.
+            The Kubernetes Secret must contain a key named `jwt` which references the JWT token, and
+            must exist in the namespace of any consuming VaultSecret CR. This is a required field if
+            a JWT token is provided.
+
+          - `serviceAccount` ((#v-controller-manager-clientcache-storageencryption-jwt-serviceaccount)) (`string: default`) - Kubernetes ServiceAccount to generate a service account JWT
+
+          - `tokenAudiences` ((#v-controller-manager-clientcache-storageencryption-jwt-tokenaudiences)) (`array<string>: []`) - Token Audience should match the bound_audiences or the `aud` list in bound_claims if
+            applicable of the Vault JWT auth role.
+
+        - `appRole` ((#v-controller-manager-clientcache-storageencryption-approle)) - AppRole auth method specific configuration
+
+          - `roleId` ((#v-controller-manager-clientcache-storageencryption-approle-roleid)) (`string: ""`) - AppRole Role's RoleID to use for authenticating to Vault.
+            This is a required field when using appRole and must be setup in Vault prior to deploying
+            the helm chart.
+
+          - `secretRef` ((#v-controller-manager-clientcache-storageencryption-approle-secretref)) (`string: ""`) - Name of Kubernetes Secret that has the AppRole Role's SecretID used to authenticate with
+            Vault. The Kubernetes Secret must contain a key named `id` which references the AppRole
+            Role's SecretID, and must exist in the namespace of any consuming VaultSecret CR.
+            This is a required field when using appRole and must be setup in Vault prior to
+            deploying the helm chart.
+
+        - `aws` ((#v-controller-manager-clientcache-storageencryption-aws)) - AWS auth method specific configuration
+
+          - `role` ((#v-controller-manager-clientcache-storageencryption-aws-role)) (`string: ""`) - Vault Auth Role to use
+            This is a required field and must be setup in Vault prior to deploying the helm chart
+            if using the AWS for the Transit auth method.
+
+          - `region` ((#v-controller-manager-clientcache-storageencryption-aws-region)) (`string: ""`) - AWS region to use for signing the authentication request
+            Optional, but most commonly will be the EKS cluster region.
+
+          - `headerValue` ((#v-controller-manager-clientcache-storageencryption-aws-headervalue)) (`string: ""`) - Vault header value to include in the STS signing request
+
+          - `sessionName` ((#v-controller-manager-clientcache-storageencryption-aws-sessionname)) (`string: ""`) - The role session name to use when creating a WebIdentity provider
+
+          - `stsEndpoint` ((#v-controller-manager-clientcache-storageencryption-aws-stsendpoint)) (`string: ""`) - The STS endpoint to use; if not set will use the default
+
+          - `iamEndpoint` ((#v-controller-manager-clientcache-storageencryption-aws-iamendpoint)) (`string: ""`) - The IAM endpoint to use; if not set will use the default
+
+          - `secretRef` ((#v-controller-manager-clientcache-storageencryption-aws-secretref)) (`string: ""`) - The name of a Kubernetes Secret which holds credentials for AWS. Supported keys
+            include `access_key_id`, `secret_access_key`, `session_token`
+
+          - `irsaServiceAccount` ((#v-controller-manager-clientcache-storageencryption-aws-irsaserviceaccount)) (`string: ""`) - Name of a Kubernetes service account that is configured with IAM Roles
+            for Service Accounts (IRSA). Should be annotated with "eks.amazonaws.com/role-arn".
+
+        - `gcp` ((#v-controller-manager-clientcache-storageencryption-gcp))
+
+          - `role` ((#v-controller-manager-clientcache-storageencryption-gcp-role)) (`string: ""`) - Vault Auth Role to use
+            This is a required field and must be setup in Vault prior to deploying the helm chart
+            if using GCP for the Transit auth method.
+
+          - `workloadIdentityServiceAccount` ((#v-controller-manager-clientcache-storageencryption-gcp-workloadidentityserviceaccount)) (`string: ""`) - Name of a Kubernetes service account that is configured for workload
+            identity in GKE.
+
+          - `region` ((#v-controller-manager-clientcache-storageencryption-gcp-region)) (`string: ""`) - GCP Region of the GKE cluster's identity provider. Defaults to the
+            region returned from the operator pod's local metadata server if
+            unspecified.
+
+          - `clusterName` ((#v-controller-manager-clientcache-storageencryption-gcp-clustername)) (`string: ""`) - GKE cluster name. Defaults to the cluster-name returned from the
+            operator pod's local metadata server if unspecified.
+
+          - `projectID` ((#v-controller-manager-clientcache-storageencryption-gcp-projectid)) (`string: ""`) - GCP project id. Defaults to the project-id returned from the
+            operator pod's local metadata server if unspecified.
+
+        - `params` ((#v-controller-manager-clientcache-storageencryption-params)) (`map`) - Params to use when authenticating to Vault using this auth method.
+          params:
+            param-something1: "foo"
+
+        - `headers` ((#v-controller-manager-clientcache-storageencryption-headers)) (` map: ""`) - Headers to be included in all Vault requests.
+          headers:
+            X-vault-something1: "foo"
+
+    - `maxConcurrentReconciles` ((#v-controller-manager-maxconcurrentreconciles)) (`integer: ""`) - Defines the maximum number of concurrent reconciles for each controller.
+
+      default: 100
+
+    - `extraEnv` ((#v-controller-manager-extraenv)) (`array<map>`) - Defines additional environment variables to be added to the
+      vault-secrets-opearator manager container.
+      extraEnv:
+        - name: HTTP_PROXY
+          value: http://proxy.example.com
+
+    - `extraArgs` ((#v-controller-manager-extraargs)) (`array: []`) - Defines additional commandline arguments to be passed to the
+      vault-secrets-operator manager container.
+      extraArgs:
+      - -zap-log-level=5
+
+    - `resources` ((#v-controller-manager-resources)) (`map`) - Configures the default resources for the vault-secrets-operator container.
+      For more information on configuring resources, see the K8s documentation:
+      https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
+      - `limits` ((#v-controller-manager-resources-limits))
+
+        - `cpu` ((#v-controller-manager-resources-limits-cpu)) (`string: 500m`)
+
+        - `memory` ((#v-controller-manager-resources-limits-memory)) (`string: 128Mi`)
+
+      - `requests` ((#v-controller-manager-resources-requests))
+
+        - `cpu` ((#v-controller-manager-resources-requests-cpu)) (`string: 10m`)
+
+        - `memory` ((#v-controller-manager-resources-requests-memory)) (`string: 64Mi`)
+
+  - `podSecurityContext` ((#v-controller-podsecuritycontext)) - Configures the Pod Security Context
+    https://kubernetes.io/docs/tasks/configure-pod-container/security-context
+
+    - `runAsNonRoot` ((#v-controller-podsecuritycontext-runasnonroot)) (`boolean: true`)
+
+  - `securityContext` ((#v-controller-securitycontext)) - Configures the Container Security Context
+    https://kubernetes.io/docs/tasks/configure-pod-container/security-context
+
+    - `allowPrivilegeEscalation` ((#v-controller-securitycontext-allowprivilegeescalation)) (`boolean: false`)
+
+  - `controllerConfigMapYaml` ((#v-controller-controllerconfigmapyaml)) (`map`) - Sets the configuration settings used by the controller. Any custom changes will be reflected in the
+    data field of the configmap.
+    For more information on configuring resources, see the K8s documentation:
+    https://kubernetes.io/docs/concepts/configuration/configmap/
+
+    - `health` ((#v-controller-controllerconfigmapyaml-health))
+
+      - `healthProbeBindAddress` ((#v-controller-controllerconfigmapyaml-health-healthprobebindaddress)) (`string: :8081`)
+
+    - `leaderElection` ((#v-controller-controllerconfigmapyaml-leaderelection))
+
+      - `leaderElect` ((#v-controller-controllerconfigmapyaml-leaderelection-leaderelect)) (`boolean: true`)
+
+      - `resourceName` ((#v-controller-controllerconfigmapyaml-leaderelection-resourcename)) (`string: b0d477c0.hashicorp.com`)
+
+    - `metrics` ((#v-controller-controllerconfigmapyaml-metrics))
+
+      - `bindAddress` ((#v-controller-controllerconfigmapyaml-metrics-bindaddress)) (`string: 127.0.0.1:8080`)
+
+    - `webhook` ((#v-controller-controllerconfigmapyaml-webhook))
+
+      - `port` ((#v-controller-controllerconfigmapyaml-webhook-port)) (`integer: 9443`)
+
+  - `kubernetesClusterDomain` ((#v-controller-kubernetesclusterdomain)) (`string: cluster.local`) - Configures the environment variable KUBERNETES_CLUSTER_DOMAIN used by KubeDNS.
+
+  - `terminationGracePeriodSeconds` ((#v-controller-terminationgraceperiodseconds)) (`integer: 120`) - Duration in seconds the pod needs to terminate gracefully.
+    See: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
+
+  - `preDeleteHookTimeoutSeconds` ((#v-controller-predeletehooktimeoutseconds)) (`integer: 120`) - Timeout in seconds for the pre-delete hook
+
+### metricsService ((#h-metricsservice))
+
+- `metricsService` ((#v-metricsservice)) (`map`) - Configure the metrics service ports used by the metrics service.
+  Set the configuration fo the metricsService port.
+
+  - `ports` ((#v-metricsservice-ports)) (`map`) - Set the port settings for the metrics service.
+    For more information on configuring resources, see the K8s documentation:
+    https://kubernetes.io/docs/concepts/services-networking/service/
+
+  - `name` ((#v-metricsservice-ports-name)) (`string: https`)
+
+  - `port` ((#v-metricsservice-ports-port)) (`integer: 8443`)
+
+  - `protocol` ((#v-metricsservice-ports-protocol)) (`string: TCP`)
+
+  - `targetPort` ((#v-metricsservice-ports-targetport)) (`string: https`)
+
+  - `type` ((#v-metricsservice-type)) (`string: ClusterIP`)
+
+### defaultVaultConnection ((#h-defaultvaultconnection))
+
+- `defaultVaultConnection` ((#v-defaultvaultconnection)) - Configures the default VaultConnection CR which will be used by resources
+  if they do not specify a VaultConnection reference. The name is 'default' and will
+  always be installed in the same namespace as the operator.
+  NOTE:
+  * It is strongly recommended to deploy the vault secrets operator in a secure Vault environment
+    which includes a configuration utilizing TLS and installing Vault into its own restricted namespace.
+
+  - `enabled` ((#v-defaultvaultconnection-enabled)) (`boolean: false`) - toggles the deployment of the VaultAuthMethod CR
+
+  - `address` ((#v-defaultvaultconnection-address)) (`string: ""`) - Address of the Vault Server
+    Example: http://vault.default.svc.cluster.local:8200
+
+  - `caCertSecret` ((#v-defaultvaultconnection-cacertsecret)) (`string: ""`) - CACertSecret is the name of a Kubernetes secret containing the trusted PEM encoded CA certificate chain as `ca.crt`.
+    Note: This secret must exist prior to deploying the CR.
+
+  - `tlsServerName` ((#v-defaultvaultconnection-tlsservername)) (`string: ""`) - TLSServerName to use as the SNI host for TLS connections.
+
+  - `skipTLSVerify` ((#v-defaultvaultconnection-skiptlsverify)) (`boolean: false`) - SkipTLSVerify for TLS connections.
+
+  - `headers` ((#v-defaultvaultconnection-headers)) (`map`) - Headers to be included in all Vault requests.
+    headers:
+      X-vault-something: "foo"
+
+### defaultAuthMethod ((#h-defaultauthmethod))
+
+- `defaultAuthMethod` ((#v-defaultauthmethod)) - Configures and deploys the default VaultAuthMethod CR which will be used by resources
+  if they do not specify a VaultAuthMethod reference. The name is 'default' and will
+  always be installed in the same namespace as the operator.
+  NOTE:
+  * It is strongly recommended to deploy the vault secrets operator in a secure Vault environment
+    which includes a configuration utilizing TLS and installing Vault into its own restricted namespace.
+
+  - `enabled` ((#v-defaultauthmethod-enabled)) (`boolean: false`) - toggles the deployment of the VaultAuthMethod CR
+
+  - `namespace` ((#v-defaultauthmethod-namespace)) (`string: ""`) - Vault namespace for the VaultAuthMethod CR
+
+  - `method` ((#v-defaultauthmethod-method)) (`string: kubernetes`) - Vault Auth method to be used with the VaultAuthMethod CR
+
+  - `mount` ((#v-defaultauthmethod-mount)) (`string: kubernetes`) - Mount path for the Vault Auth Method.
+
+  - `kubernetes` ((#v-defaultauthmethod-kubernetes)) - Vault Kubernetes auth method specific configuration
+
+    - `role` ((#v-defaultauthmethod-kubernetes-role)) (`string: ""`) - Vault Auth Role to use
+      This is a required field and must be setup in Vault prior to deploying the helm chart
+      if `defaultAuthMethod.enabled=true`
+
+    - `serviceAccount` ((#v-defaultauthmethod-kubernetes-serviceaccount)) (`string: default`) - Kubernetes ServiceAccount associated with the default Vault Auth Role
+
+    - `tokenAudiences` ((#v-defaultauthmethod-kubernetes-tokenaudiences)) (`array<string>: []`) - Token Audience should match the audience of the vault kubernetes auth role.
+
+  - `jwt` ((#v-defaultauthmethod-jwt)) - Vault JWT auth method specific configuration
+
+    - `role` ((#v-defaultauthmethod-jwt-role)) (`string: ""`) - Vault Auth Role to use
+      This is a required field and must be setup in Vault prior to deploying the helm chart
+      if using the JWT for the default auth method.
+
+    - `secretRef` ((#v-defaultauthmethod-jwt-secretref)) (`string: ""`) - One of the following is required prior to deploying the helm chart
+      - K8s secret that contains the JWT
+      - K8s service account if a service account JWT is used as a Vault JWT auth token and needs generating by VSO
+
+      Name of Kubernetes Secret that has the Vault JWT auth token.
+      The Kubernetes Secret must contain a key named `jwt` which references the JWT token, and must exist in the namespace
+      of any consuming VaultSecret CR. This is a required field if a JWT token is provided.
+
+    - `serviceAccount` ((#v-defaultauthmethod-jwt-serviceaccount)) (`string: default`) - Kubernetes ServiceAccount to generate a service account JWT
+
+    - `tokenAudiences` ((#v-defaultauthmethod-jwt-tokenaudiences)) (`array<string>: []`) - Token Audience should match the bound_audiences or the `aud` list in bound_claims if applicable
+      of the Vault JWT auth role.
+
+  - `appRole` ((#v-defaultauthmethod-approle)) - AppRole auth method specific configuration
+
+    - `roleId` ((#v-defaultauthmethod-approle-roleid)) (`string: ""`) - AppRole Role's RoleID to use for authenticating to Vault.
+      This is a required field when using appRole and must be setup in Vault prior to deploying the
+      helm chart.
+
+    - `secretRef` ((#v-defaultauthmethod-approle-secretref)) (`string: ""`) - Name of Kubernetes Secret that has the AppRole Role's SecretID used to authenticate with Vault.
+      The Kubernetes Secret must contain a key named `id` which references the AppRole Role's
+      SecretID, and must exist in the namespace of any consuming VaultSecret CR.
+      This is a required field when using appRole and must be setup in Vault prior to deploying the
+      helm chart.
+
+  - `aws` ((#v-defaultauthmethod-aws)) - AWS auth method specific configuration
+
+    - `role` ((#v-defaultauthmethod-aws-role)) (`string: ""`) - Vault Auth Role to use
+      This is a required field and must be setup in Vault prior to deploying the helm chart
+      if using the AWS for the default auth method.
+
+    - `region` ((#v-defaultauthmethod-aws-region)) (`string: ""`) - AWS region to use for signing the authentication request
+      Optional, but most commonly will be the region where the EKS cluster is running
+
+    - `headerValue` ((#v-defaultauthmethod-aws-headervalue)) (`string: ""`) - Vault header value to include in the STS signing request
+
+    - `sessionName` ((#v-defaultauthmethod-aws-sessionname)) (`string: ""`) - The role session name to use when creating a WebIdentity provider
+
+    - `stsEndpoint` ((#v-defaultauthmethod-aws-stsendpoint)) (`string: ""`) - The STS endpoint to use; if not set will use the default
+
+    - `iamEndpoint` ((#v-defaultauthmethod-aws-iamendpoint)) (`string: ""`) - The IAM endpoint to use; if not set will use the default
+
+    - `secretRef` ((#v-defaultauthmethod-aws-secretref)) (`string: ""`) - The name of a Kubernetes Secret which holds credentials for AWS. Supported keys include
+      `access_key_id`, `secret_access_key`, `session_token`
+
+    - `irsaServiceAccount` ((#v-defaultauthmethod-aws-irsaserviceaccount)) (`string: ""`) - Name of a Kubernetes service account that is configured with IAM Roles
+      for Service Accounts (IRSA). Should be annotated with "eks.amazonaws.com/role-arn".
+
+  - `gcp` ((#v-defaultauthmethod-gcp))
+
+    - `role` ((#v-defaultauthmethod-gcp-role)) (`string: ""`) - Vault Auth Role to use
+      This is a required field and must be setup in Vault prior to deploying the helm chart
+      if using GCP for the Transit auth method.
+
+    - `workloadIdentityServiceAccount` ((#v-defaultauthmethod-gcp-workloadidentityserviceaccount)) (`string: ""`) - Name of a Kubernetes service account that is configured for workload
+      identity in GKE.
+
+    - `region` ((#v-defaultauthmethod-gcp-region)) (`string: ""`) - GCP Region of the GKE cluster's identity provider. Defaults to the
+      region returned from the operator pod's local metadata server if
+      unspecified.
+
+    - `clusterName` ((#v-defaultauthmethod-gcp-clustername)) (`string: ""`) - GKE cluster name. Defaults to the cluster-name returned from the
+      operator pod's local metadata server if unspecified.
+
+    - `projectID` ((#v-defaultauthmethod-gcp-projectid)) (`string: ""`) - GCP project id. Defaults to the project-id returned from the
+      operator pod's local metadata server if unspecified.
+
+  - `params` ((#v-defaultauthmethod-params)) (`map`) - Params to use when authenticating to Vault
+    params:
+      param-something1: "foo"
+
+  - `headers` ((#v-defaultauthmethod-headers)) (`map`) - Headers to be included in all Vault requests.
+    headers:
+      X-vault-something1: "foo"
+
+### telemetry ((#h-telemetry))
+
+- `telemetry` ((#v-telemetry)) - Configures a Prometheus ServiceMonitor
+
+  - `serviceMonitor` ((#v-telemetry-servicemonitor))
+
+    - `enabled` ((#v-telemetry-servicemonitor-enabled)) (`boolean: false`) - The Prometheus operator *must* be installed before enabling this feature,
+      if not the chart will fail to install due to missing CustomResourceDefinitions
+      provided by the operator.
+
+      Instructions on how to install the Helm chart can be found here:
+       https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
+      More information can be found here:
+       https://github.com/prometheus-operator/prometheus-operator
+       https://github.com/prometheus-operator/kube-prometheus
+
+      Enable deployment of the Vault Secrets Operator ServiceMonitor CustomResource.
+
+    - `selectors` ((#v-telemetry-servicemonitor-selectors)) (`string: ""`) - Selector labels to add to the ServiceMonitor.
+      When empty, defaults to:
+       release: prometheus
+
+    - `scheme` ((#v-telemetry-servicemonitor-scheme)) (`string: https`) - Scheme of the service Prometheus scrapes metrics from. This must match the scheme of the metrics service of VSO
+
+    - `port` ((#v-telemetry-servicemonitor-port)) (`string: https`) - Port at which Prometheus scrapes metrics. This must match the port of the metrics service of VSO
+
+    - `path` ((#v-telemetry-servicemonitor-path)) (`string: /metrics`) - Path at which Prometheus scrapes metrics
+
+    - `bearerTokenFile` ((#v-telemetry-servicemonitor-bearertokenfile)) (`string: /var/run/secrets/kubernetes.io/serviceaccount/token`) - File Prometheus reads bearer token from for scraping metrics
+
+    - `interval` ((#v-telemetry-servicemonitor-interval)) (`string: 30s`) - Interval at which Prometheus scrapes metrics
+
+    - `scrapeTimeout` ((#v-telemetry-servicemonitor-scrapetimeout)) (`string: 10s`) - Timeout for Prometheus scrapes
+
+### tests ((#h-tests))
+
+- `tests` ((#v-tests)) - # Used by unit tests, and will not be rendered except when using `helm template`, this can be safely ignored.
+
+  - `enabled` ((#v-tests-enabled)) (`boolean: true`)
+
+  <!-- codegen: end -->
+
+## Helm chart examples
+
+The below `config.yaml` results in a single replica installation of the Vault Secrets Operator
+with a default vault connection and auth method custom resource deployed.
+It expects a local Vault installation within the kubernetes cluster
+accessible via `http://vault.default.svc.cluster.local:8200` with TLS disabled,
+and a [Vault Auth Method](/vault/docs/auth/kubernetes) to be setup against the `default` ServiceAccount.
+
+
+```yaml
+# config.yaml
+
+defaultVaultConnection:
+  enabled: true
+defaultAuthMethod:
+  enabled: true
+
+```
+
+## Customizing the helm chart
+
+If you need to extend the Helm chart with additional options, we recommend using a third-party tool,
+such as [kustomize](https://github.com/kubernetes-sigs/kustomize) using the project repo `config/` path
+in the [vault-secrets-operator](https://github.com/hashicorp/vault-secrets-operator) project.
diff --git a/command/patch_test.go b/command/patch_test.go
index a8476722e28a..6094339c4e84 100644
--- a/command/patch_test.go
+++ b/command/patch_test.go
@@ -1,205 +1,1191 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package vault
 
 import (
-	"io"
+	"context"
+	"errors"
+	"fmt"
 	"strings"
-	"testing"
 
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-)
+	"github.com/hashicorp/go-multierror"
 
-func testPatchCommand(tb testing.TB) (*cli.MockUi, *PatchCommand) {
-	tb.Helper()
+	"github.com/golang/protobuf/ptypes"
+	memdb "github.com/hashicorp/go-memdb"
+	"github.com/hashicorp/go-secure-stdlib/strutil"
+	"github.com/hashicorp/vault/helper/identity"
+	"github.com/hashicorp/vault/helper/identity/mfa"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/helper/storagepacker"
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/logical"
+)
 
-	ui := cli.NewMockUi()
-	return ui, &PatchCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
+func entityPathFields() map[string]*framework.FieldSchema {
+	return map[string]*framework.FieldSchema{
+		"id": {
+			Type:        framework.TypeString,
+			Description: "ID of the entity. If set, updates the corresponding existing entity.",
+		},
+		"name": {
+			Type:        framework.TypeString,
+			Description: "Name of the entity",
+		},
+		"metadata": {
+			Type: framework.TypeKVPairs,
+			Description: `Metadata to be associated with the entity.
+In CLI, this parameter can be repeated multiple times, and it all gets merged together.
+For example:
+vault <command> <path> metadata=key1=value1 metadata=key2=value2
+					`,
+		},
+		"policies": {
+			Type:        framework.TypeCommaStringSlice,
+			Description: "Policies to be tied to the entity.",
+		},
+		"disabled": {
+			Type:        framework.TypeBool,
+			Description: "If set true, tokens tied to this identity will not be able to be used (but will not be revoked).",
 		},
 	}
 }
 
-func TestPatchCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
+// entityPaths returns the API endpoints supported to operate on entities.
+// Following are the paths supported:
+// entity - To register a new entity
+// entity/id - To lookup, modify, delete and list entities based on ID
+// entity/merge - To merge entities based on ID
+func entityPaths(i *IdentityStore) []*framework.Path {
+	return []*framework.Path{
 		{
-			"not_enough_args",
-			[]string{},
-			"Not enough arguments",
-			1,
+			Pattern: "entity$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "entity",
+				OperationVerb:   "create",
+			},
+
+			Fields: entityPathFields(),
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: i.handleEntityUpdateCommon(),
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(entityHelp["entity"][0]),
+			HelpDescription: strings.TrimSpace(entityHelp["entity"][1]),
 		},
 		{
-			"empty_kvs",
-			[]string{"secret/write/foo"},
-			"Must supply data or use -force",
-			1,
+			Pattern: "entity/name/(?P<name>.+)",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "entity",
+				OperationSuffix: "by-name",
+			},
+
+			Fields: entityPathFields(),
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: i.handleEntityUpdateCommon(),
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb: "update",
+					},
+				},
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: i.pathEntityNameRead(),
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb: "read",
+					},
+				},
+				logical.DeleteOperation: &framework.PathOperation{
+					Callback: i.pathEntityNameDelete(),
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb: "delete",
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(entityHelp["entity-name"][0]),
+			HelpDescription: strings.TrimSpace(entityHelp["entity-name"][1]),
 		},
 		{
-			"force_kvs",
-			[]string{"-force", "pki/roles/example"},
-			"allow_localhost",
-			0,
+			Pattern: "entity/id/" + framework.GenericNameRegex("id"),
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "entity",
+				OperationSuffix: "by-id",
+			},
+
+			Fields: entityPathFields(),
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: i.handleEntityUpdateCommon(),
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb: "update",
+					},
+				},
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: i.pathEntityIDRead(),
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb: "read",
+					},
+				},
+				logical.DeleteOperation: &framework.PathOperation{
+					Callback: i.pathEntityIDDelete(),
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb: "delete",
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(entityHelp["entity-id"][0]),
+			HelpDescription: strings.TrimSpace(entityHelp["entity-id"][1]),
 		},
 		{
-			"force_f_kvs",
-			[]string{"-f", "pki/roles/example"},
-			"allow_localhost",
-			0,
+			Pattern: "entity/batch-delete",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "entity",
+				OperationVerb:   "batch-delete",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"entity_ids": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: "Entity IDs to delete",
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: i.handleEntityBatchDelete(),
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(entityHelp["batch-delete"][0]),
+			HelpDescription: strings.TrimSpace(entityHelp["batch-delete"][1]),
 		},
 		{
-			"kvs_no_value",
-			[]string{"pki/roles/example", "foo"},
-			"Failed to parse K=V data",
-			1,
+			Pattern: "entity/name/?$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "entity",
+				OperationSuffix: "by-name",
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ListOperation: &framework.PathOperation{
+					Callback: i.pathEntityNameList(),
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(entityHelp["entity-name-list"][0]),
+			HelpDescription: strings.TrimSpace(entityHelp["entity-name-list"][1]),
 		},
 		{
-			"single_value",
-			[]string{"pki/roles/example", "allow_localhost=true"},
-			"allow_localhost",
-			0,
+			Pattern: "entity/id/?$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "entity",
+				OperationSuffix: "by-id",
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ListOperation: &framework.PathOperation{
+					Callback: i.pathEntityIDList(),
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(entityHelp["entity-id-list"][0]),
+			HelpDescription: strings.TrimSpace(entityHelp["entity-id-list"][1]),
 		},
 		{
-			"multi_value",
-			[]string{"pki/roles/example", "allow_localhost=true", "allowed_domains=true"},
-			"allow_localhost",
-			0,
+			Pattern: "entity/merge/?$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "entity",
+				OperationVerb:   "merge",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"from_entity_ids": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: "Entity IDs which need to get merged",
+				},
+				"to_entity_id": {
+					Type:        framework.TypeString,
+					Description: "Entity ID into which all the other entities need to get merged",
+				},
+				"conflicting_alias_ids_to_keep": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: "Alias IDs to keep in case of conflicting aliases. Ignored if no conflicting aliases found",
+				},
+				"force": {
+					Type:        framework.TypeBool,
+					Description: "Setting this will follow the 'mine' strategy for merging MFA secrets. If there are secrets of the same type both in entities that are merged from and in entity into which all others are getting merged, secrets in the destination will be unaltered. If not set, this API will throw an error containing all the conflicts.",
+				},
+			},
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback:                  i.pathEntityMergeID(),
+					ForwardPerformanceStandby: true,
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(entityHelp["entity-merge-id"][0]),
+			HelpDescription: strings.TrimSpace(entityHelp["entity-merge-id"][1]),
 		},
 	}
+}
+
+// pathEntityMergeID merges two or more entities into a single entity
+func (i *IdentityStore) pathEntityMergeID() framework.OperationFunc {
+	return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+		toEntityIDInterface, ok := d.GetOk("to_entity_id")
+		if !ok || toEntityIDInterface == "" {
+			return logical.ErrorResponse("missing entity id to merge to"), nil
+		}
+		toEntityID := toEntityIDInterface.(string)
+
+		fromEntityIDsInterface, ok := d.GetOk("from_entity_ids")
+		if !ok || len(fromEntityIDsInterface.([]string)) == 0 {
+			return logical.ErrorResponse("missing entity ids to merge from"), nil
+		}
+		fromEntityIDs := fromEntityIDsInterface.([]string)
+
+		var conflictingAliasIDsToKeep []string
+		if conflictingAliasIDsToKeepInterface, ok := d.GetOk("conflicting_alias_ids_to_keep"); ok {
+			conflictingAliasIDsToKeep = conflictingAliasIDsToKeepInterface.([]string)
+		}
+
+		var force bool
+		if forceInterface, ok := d.GetOk("force"); ok {
+			force = forceInterface.(bool)
+		}
+
+		// Create a MemDB transaction to merge entities
+		i.lock.Lock()
+		defer i.lock.Unlock()
+
+		txn := i.db.Txn(true)
+		defer txn.Abort()
+
+		toEntity, err := i.MemDBEntityByID(toEntityID, true)
+		if err != nil {
+			return nil, err
+		}
+
+		userErr, intErr, aliases := i.mergeEntity(ctx, txn, toEntity, fromEntityIDs, conflictingAliasIDsToKeep, force, false, false, true, false)
+		if userErr != nil {
+			// Not an error due to alias clash, return like normal
+			if len(aliases) == 0 {
+				return logical.ErrorResponse(userErr.Error()), nil
+			}
+			// Alias clash error, so include additional details
+			resp := &logical.Response{
+				Data: map[string]interface{}{
+					"error": userErr.Error(),
+					"data":  aliases,
+				},
+			}
+
+			return resp, nil
+		}
+		if intErr != nil {
+			return nil, intErr
+		}
+
+		// Committing the transaction *after* successfully performing storage
+		// persistence
+		txn.Commit()
+
+		return nil, nil
+	}
+}
+
+// handleEntityUpdateCommon is used to update an entity
+func (i *IdentityStore) handleEntityUpdateCommon() framework.OperationFunc {
+	return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+		i.lock.Lock()
+		defer i.lock.Unlock()
+
+		entity := new(identity.Entity)
+		var err error
+
+		entityID := d.Get("id").(string)
+		if entityID != "" {
+			entity, err = i.MemDBEntityByID(entityID, true)
+			if err != nil {
+				return nil, err
+			}
+			if entity == nil {
+				return logical.ErrorResponse("entity not found from id"), nil
+			}
+		}
+
+		// Get the name
+		entityName := d.Get("name").(string)
+		if entityName != "" {
+			entityByName, err := i.MemDBEntityByName(ctx, entityName, false)
+			if err != nil {
+				return nil, err
+			}
+			switch {
+			case entityByName == nil:
+				// Not found, safe to use this name with an existing or new entity
+			case entity.ID == "":
+				// Entity by ID was not found, but and entity for the supplied
+				// name was found. Continue updating the entity.
+				entity = entityByName
+			case entity.ID == entityByName.ID:
+				// Same exact entity, carry on (this is basically a noop then)
+			default:
+				return logical.ErrorResponse("entity name is already in use"), nil
+			}
+		}
+
+		if entityName != "" {
+			entity.Name = entityName
+		}
+
+		// Update the policies if supplied
+		entityPoliciesRaw, ok := d.GetOk("policies")
+		if ok {
+			entity.Policies = strutil.RemoveDuplicates(entityPoliciesRaw.([]string), false)
+		}
+
+		if strutil.StrListContains(entity.Policies, "root") {
+			return logical.ErrorResponse("policies cannot contain root"), nil
+		}
+
+		disabledRaw, ok := d.GetOk("disabled")
+		if ok {
+			entity.Disabled = disabledRaw.(bool)
+		}
+
+		// Get entity metadata
+		metadata, ok, err := d.GetOkErr("metadata")
+		if err != nil {
+			return logical.ErrorResponse(fmt.Sprintf("failed to parse metadata: %v", err)), nil
+		}
+		if ok {
+			entity.Metadata = metadata.(map[string]string)
+		}
+
+		// At this point, if entity.ID is empty, it indicates that a new entity
+		// is being created. Using this to respond data in the response.
+		newEntity := entity.ID == ""
+
+		// ID creation and some validations
+		err = i.sanitizeEntity(ctx, entity)
+		if err != nil {
+			return nil, err
+		}
+
+		if err := i.upsertEntity(ctx, entity, nil, true); err != nil {
+			return nil, err
+		}
+
+		// If this operation was an update to an existing entity, return 204
+		if !newEntity {
+			return nil, nil
+		}
+
+		// Prepare the response
+		respData := map[string]interface{}{
+			"id":   entity.ID,
+			"name": entity.Name,
+		}
+
+		var aliasIDs []string
+		for _, alias := range entity.Aliases {
+			aliasIDs = append(aliasIDs, alias.ID)
+		}
+
+		respData["aliases"] = aliasIDs
+
+		// Return ID of the entity that was either created or updated along with
+		// its aliases
+		return &logical.Response{
+			Data: respData,
+		}, nil
+	}
+}
+
+// pathEntityNameRead returns the properties of an entity for a given entity ID
+func (i *IdentityStore) pathEntityNameRead() framework.OperationFunc {
+	return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+		entityName := d.Get("name").(string)
+		if entityName == "" {
+			return logical.ErrorResponse("missing entity name"), nil
+		}
+
+		entity, err := i.MemDBEntityByName(ctx, entityName, false)
+		if err != nil {
+			return nil, err
+		}
+		if entity == nil {
+			return nil, nil
+		}
+
+		return i.handleEntityReadCommon(ctx, entity)
+	}
+}
+
+// pathEntityIDRead returns the properties of an entity for a given entity ID
+func (i *IdentityStore) pathEntityIDRead() framework.OperationFunc {
+	return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+		entityID := d.Get("id").(string)
+		if entityID == "" {
+			return logical.ErrorResponse("missing entity id"), nil
+		}
+
+		entity, err := i.MemDBEntityByID(entityID, false)
+		if err != nil {
+			return nil, err
+		}
+		if entity == nil {
+			return nil, nil
+		}
+
+		return i.handleEntityReadCommon(ctx, entity)
+	}
+}
+
+func (i *IdentityStore) handleEntityReadCommon(ctx context.Context, entity *identity.Entity) (*logical.Response, error) {
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+	if ns.ID != entity.NamespaceID {
+		return nil, nil
+	}
+
+	respData := map[string]interface{}{}
+	respData["id"] = entity.ID
+	respData["name"] = entity.Name
+	respData["metadata"] = entity.Metadata
+	respData["merged_entity_ids"] = entity.MergedEntityIDs
+	respData["policies"] = strutil.RemoveDuplicates(entity.Policies, false)
+	respData["disabled"] = entity.Disabled
+	respData["namespace_id"] = entity.NamespaceID
+
+	// Convert protobuf timestamp into RFC3339 format
+	respData["creation_time"] = ptypes.TimestampString(entity.CreationTime)
+	respData["last_update_time"] = ptypes.TimestampString(entity.LastUpdateTime)
+
+	// Convert each alias into a map and replace the time format in each
+	aliasesToReturn := make([]interface{}, len(entity.Aliases))
+	for aliasIdx, alias := range entity.Aliases {
+		aliasMap := map[string]interface{}{}
+		aliasMap["id"] = alias.ID
+		aliasMap["canonical_id"] = alias.CanonicalID
+		aliasMap["mount_accessor"] = alias.MountAccessor
+		aliasMap["metadata"] = alias.Metadata
+		aliasMap["name"] = alias.Name
+		aliasMap["merged_from_canonical_ids"] = alias.MergedFromCanonicalIDs
+		aliasMap["creation_time"] = ptypes.TimestampString(alias.CreationTime)
+		aliasMap["last_update_time"] = ptypes.TimestampString(alias.LastUpdateTime)
+		aliasMap["local"] = alias.Local
+		aliasMap["custom_metadata"] = alias.CustomMetadata
+
+		if mountValidationResp := i.router.ValidateMountByAccessor(alias.MountAccessor); mountValidationResp != nil {
+			aliasMap["mount_type"] = mountValidationResp.MountType
+			aliasMap["mount_path"] = mountValidationResp.MountPath
+		}
+
+		aliasesToReturn[aliasIdx] = aliasMap
+	}
+
+	// Add the aliases information to the response which has the correct time
+	// formats
+	respData["aliases"] = aliasesToReturn
+
+	addExtraEntityDataToResponse(entity, respData)
+
+	// Fetch the groups this entity belongs to and return their identifiers
+	groups, inheritedGroups, err := i.groupsByEntityID(entity.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	groupIDs := make([]string, len(groups))
+	for i, group := range groups {
+		groupIDs[i] = group.ID
+	}
+	respData["direct_group_ids"] = groupIDs
+
+	inheritedGroupIDs := make([]string, len(inheritedGroups))
+	for i, group := range inheritedGroups {
+		inheritedGroupIDs[i] = group.ID
+	}
+	respData["inherited_group_ids"] = inheritedGroupIDs
+
+	respData["group_ids"] = append(groupIDs, inheritedGroupIDs...)
+
+	return &logical.Response{
+		Data: respData,
+	}, nil
+}
+
+// pathEntityIDDelete deletes the entity for a given entity ID
+func (i *IdentityStore) pathEntityIDDelete() framework.OperationFunc {
+	return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+		entityID := d.Get("id").(string)
+		if entityID == "" {
+			return logical.ErrorResponse("missing entity id"), nil
+		}
+
+		i.lock.Lock()
+		defer i.lock.Unlock()
+
+		// Create a MemDB transaction to delete entity
+		txn := i.db.Txn(true)
+		defer txn.Abort()
+
+		// Fetch the entity using its ID
+		entity, err := i.MemDBEntityByIDInTxn(txn, entityID, true)
+		if err != nil {
+			return nil, err
+		}
+		if entity == nil {
+			return nil, nil
+		}
+
+		err = i.handleEntityDeleteCommon(ctx, txn, entity, true)
+		if err != nil {
+			return nil, err
+		}
+
+		txn.Commit()
+
+		return nil, nil
+	}
+}
+
+// pathEntityNameDelete deletes the entity for a given entity ID
+func (i *IdentityStore) pathEntityNameDelete() framework.OperationFunc {
+	return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+		entityName := d.Get("name").(string)
+		if entityName == "" {
+			return logical.ErrorResponse("missing entity name"), nil
+		}
+
+		i.lock.Lock()
+		defer i.lock.Unlock()
 
-	for _, tc := range cases {
-		tc := tc
+		// Create a MemDB transaction to delete entity
+		txn := i.db.Txn(true)
+		defer txn.Abort()
 
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
+		// Fetch the entity using its name
+		entity, err := i.MemDBEntityByNameInTxn(ctx, txn, entityName, true)
+		if err != nil {
+			return nil, err
+		}
+		// If there is no entity for the ID, do nothing
+		if entity == nil {
+			return nil, nil
+		}
 
-			client, closer := testVaultServer(t)
-			defer closer()
+		ns, err := namespace.FromContext(ctx)
+		if err != nil {
+			return nil, err
+		}
+		if entity.NamespaceID != ns.ID {
+			return nil, nil
+		}
 
-			if err := client.Sys().Mount("pki", &api.MountInput{
-				Type: "pki",
-			}); err != nil {
-				t.Fatalf("pki mount error: %#v", err)
+		err = i.handleEntityDeleteCommon(ctx, txn, entity, true)
+		if err != nil {
+			return nil, err
+		}
+
+		txn.Commit()
+
+		return nil, nil
+	}
+}
+
+// pathEntityIDDelete deletes the entity for a given entity ID
+func (i *IdentityStore) handleEntityBatchDelete() framework.OperationFunc {
+	return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+		entityIDs := d.Get("entity_ids").([]string)
+		if len(entityIDs) == 0 {
+			return logical.ErrorResponse("missing entity ids to delete"), nil
+		}
+
+		// Sort the ids by the bucket they will be deleted from
+		byBucket := make(map[string]map[string]struct{})
+		for _, id := range entityIDs {
+			bucketKey := i.entityPacker.BucketKey(id)
+
+			bucket, ok := byBucket[bucketKey]
+			if !ok {
+				bucket = make(map[string]struct{})
+				byBucket[bucketKey] = bucket
 			}
 
-			if _, err := client.Logical().Write("pki/roles/example", nil); err != nil {
-				t.Fatalf("failed to prime role: %v", err)
+			bucket[id] = struct{}{}
+		}
+
+		deleteIdsForBucket := func(entityIDs []string) error {
+			i.lock.Lock()
+			defer i.lock.Unlock()
+
+			// Create a MemDB transaction to delete entities from the inmem database
+			// without altering storage. Batch deletion on storage bucket items is
+			// performed directly through entityPacker.
+			txn := i.db.Txn(true)
+			defer txn.Abort()
+
+			for _, entityID := range entityIDs {
+				// Fetch the entity using its ID
+				entity, err := i.MemDBEntityByIDInTxn(txn, entityID, true)
+				if err != nil {
+					return err
+				}
+				if entity == nil {
+					continue
+				}
+
+				err = i.handleEntityDeleteCommon(ctx, txn, entity, false)
+				if err != nil {
+					return err
+				}
 			}
 
-			if _, err := client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
-				"key_type":    "ec",
-				"common_name": "Root X1",
-			}); err != nil {
-				t.Fatalf("failed to prime CA: %v", err)
+			// Write all updates for this bucket.
+			err := i.entityPacker.DeleteMultipleItems(ctx, i.logger, entityIDs)
+			if err != nil {
+				return err
 			}
 
-			ui, cmd := testPatchCommand(t)
-			cmd.client = client
+			txn.Commit()
+			return nil
+		}
 
-			code := cmd.Run(tc.args)
-			if code != tc.code {
-				t.Errorf("expected %d to be %d", code, tc.code)
+		for _, bucket := range byBucket {
+			ids := make([]string, len(bucket))
+			i := 0
+			for id := range bucket {
+				ids[i] = id
+				i++
 			}
 
-			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-			if !strings.Contains(combined, tc.out) {
-				t.Errorf("expected %q to contain %q", combined, tc.out)
+			err := deleteIdsForBucket(ids)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		return nil, nil
+	}
+}
+
+// handleEntityDeleteCommon deletes an entity by removing it from groups of
+// which it's a member and then, if update is true, deleting the entity itself.
+func (i *IdentityStore) handleEntityDeleteCommon(ctx context.Context, txn *memdb.Txn, entity *identity.Entity, update bool) error {
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return err
+	}
+	if entity.NamespaceID != ns.ID {
+		return nil
+	}
+
+	// Remove entity ID as a member from all the groups it belongs, both
+	// internal and external
+	groups, err := i.MemDBGroupsByMemberEntityIDInTxn(txn, entity.ID, true, false)
+	if err != nil {
+		return err
+	}
+
+	for _, group := range groups {
+		group.MemberEntityIDs = strutil.StrListDelete(group.MemberEntityIDs, entity.ID)
+		err = i.UpsertGroupInTxn(ctx, txn, group, true)
+		if err != nil {
+			return err
+		}
+	}
+
+	// Delete all the aliases in the entity and the respective indexes
+	err = i.deleteAliasesInEntityInTxn(txn, entity, entity.Aliases)
+	if err != nil {
+		return err
+	}
+
+	// Delete the entity using the same transaction
+	err = i.MemDBDeleteEntityByIDInTxn(txn, entity.ID)
+	if err != nil {
+		return err
+	}
+
+	if update {
+		// Delete the entity from storage
+		err = i.entityPacker.DeleteItem(ctx, entity.ID)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (i *IdentityStore) pathEntityIDList() framework.OperationFunc {
+	return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+		return i.handlePathEntityListCommon(ctx, req, d, true)
+	}
+}
+
+func (i *IdentityStore) pathEntityNameList() framework.OperationFunc {
+	return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+		return i.handlePathEntityListCommon(ctx, req, d, false)
+	}
+}
+
+// handlePathEntityListCommon lists the IDs or names of all the valid entities
+// in the identity store
+func (i *IdentityStore) handlePathEntityListCommon(ctx context.Context, req *logical.Request, d *framework.FieldData, byID bool) (*logical.Response, error) {
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	ws := memdb.NewWatchSet()
+
+	txn := i.db.Txn(false)
+
+	iter, err := txn.Get(entitiesTable, "namespace_id", ns.ID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to fetch iterator for entities in memdb: %w", err)
+	}
+
+	ws.Add(iter.WatchCh())
+
+	var keys []string
+	entityInfo := map[string]interface{}{}
+
+	type mountInfo struct {
+		MountType string
+		MountPath string
+	}
+	mountAccessorMap := map[string]mountInfo{}
+
+	for {
+		// Check for timeouts
+		select {
+		case <-ctx.Done():
+			resp := logical.ListResponseWithInfo(keys, entityInfo)
+			resp.AddWarning("partial response due to timeout")
+			return resp, nil
+		default:
+			break
+		}
+
+		raw := iter.Next()
+		if raw == nil {
+			break
+		}
+		entity := raw.(*identity.Entity)
+		if byID {
+			keys = append(keys, entity.ID)
+		} else {
+			keys = append(keys, entity.Name)
+		}
+		entityInfoEntry := map[string]interface{}{
+			"name": entity.Name,
+		}
+		if len(entity.Aliases) > 0 {
+			aliasList := make([]interface{}, 0, len(entity.Aliases))
+			for _, alias := range entity.Aliases {
+				entry := map[string]interface{}{
+					"id":             alias.ID,
+					"name":           alias.Name,
+					"mount_accessor": alias.MountAccessor,
+				}
+
+				mi, ok := mountAccessorMap[alias.MountAccessor]
+				if ok {
+					entry["mount_type"] = mi.MountType
+					entry["mount_path"] = mi.MountPath
+				} else {
+					mi = mountInfo{}
+					if mountValidationResp := i.router.ValidateMountByAccessor(alias.MountAccessor); mountValidationResp != nil {
+						mi.MountType = mountValidationResp.MountType
+						mi.MountPath = mountValidationResp.MountPath
+						entry["mount_type"] = mi.MountType
+						entry["mount_path"] = mi.MountPath
+					}
+					mountAccessorMap[alias.MountAccessor] = mi
+				}
+
+				aliasList = append(aliasList, entry)
 			}
-		})
+			entityInfoEntry["aliases"] = aliasList
+		}
+		entityInfo[entity.ID] = entityInfoEntry
+	}
+
+	return logical.ListResponseWithInfo(keys, entityInfo), nil
+}
+
+func (i *IdentityStore) mergeEntityAsPartOfUpsert(ctx context.Context, txn *memdb.Txn, toEntity *identity.Entity, fromEntityID string, persist bool) (error, error) {
+	err1, err2, _ := i.mergeEntity(ctx, txn, toEntity, []string{fromEntityID}, []string{}, true, false, true, persist, true)
+	return err1, err2
+}
+
+// A small type to return useful information to the UI after an entity clash
+// Every alias involved in a clash will be returned.
+type aliasClashInformation struct {
+	Alias     string `json:"alias"`
+	Entity    string `json:"entity"`
+	EntityId  string `json:"entity_id"`
+	Mount     string `json:"mount"`
+	MountPath string `json:"mount_path"`
+}
+
+func (i *IdentityStore) mergeEntity(ctx context.Context, txn *memdb.Txn, toEntity *identity.Entity, fromEntityIDs, conflictingAliasIDsToKeep []string, force, grabLock, mergePolicies, persist, forceMergeAliases bool) (error, error, []aliasClashInformation) {
+	if grabLock {
+		i.lock.Lock()
+		defer i.lock.Unlock()
 	}
 
-	t.Run("stdin_full", func(t *testing.T) {
-		t.Parallel()
+	if toEntity == nil {
+		return errors.New("entity id to merge to is invalid"), nil, nil
+	}
 
-		client, closer := testVaultServer(t)
-		defer closer()
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, err, nil
+	}
+	if toEntity.NamespaceID != ns.ID {
+		return errors.New("entity id to merge into does not belong to the request's namespace"), nil, nil
+	}
 
-		if err := client.Sys().Mount("pki", &api.MountInput{
-			Type: "pki",
-		}); err != nil {
-			t.Fatalf("pki mount error: %#v", err)
+	if len(fromEntityIDs) > 1 && len(conflictingAliasIDsToKeep) > 1 {
+		return errors.New("aliases conflicts cannot be resolved with multiple from entity ids - merge one entity at a time"), nil, nil
+	}
+
+	sanitizedFromEntityIDs := strutil.RemoveDuplicates(fromEntityIDs, false)
+
+	// A map to check if there are any clashes between mount accessors for any of the sanitizedFromEntityIDs
+	fromEntityAccessors := make(map[string]string)
+
+	// A list detailing all aliases where a clash has occurred, so that the error
+	// can be understood by the UI
+	aliasesInvolvedInClashes := make([]aliasClashInformation, 0)
+
+	// An error detailing if any alias clashes happen (shared mount accessor)
+	var aliasClashError error
+
+	for _, fromEntityID := range sanitizedFromEntityIDs {
+		if fromEntityID == toEntity.ID {
+			return errors.New("to_entity_id should not be present in from_entity_ids"), nil, nil
 		}
 
-		if _, err := client.Logical().Write("pki/roles/example", nil); err != nil {
-			t.Fatalf("failed to prime role: %v", err)
+		fromEntity, err := i.MemDBEntityByID(fromEntityID, false)
+		if err != nil {
+			return nil, err, nil
 		}
 
-		if _, err := client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
-			"key_type":    "ec",
-			"common_name": "Root X1",
-		}); err != nil {
-			t.Fatalf("failed to prime CA: %v", err)
+		if fromEntity == nil {
+			// If forceMergeAliases is true, and we didn't find a fromEntity, then something
+			// is wrong with storage. This function was called as part of an automated
+			// merge from CreateOrFetchEntity or Invalidate to repatriate an alias with its 'true'
+			// entity. As a result, the entity _should_ exist, but we can't find it.
+			// MemDb may be in a bad state, because fromEntity should be non-nil in the
+			// automated merge case.
+			if forceMergeAliases {
+				return fmt.Errorf("fromEntity %s was not found in memdb as part of an automated entity merge into %s; storage/memdb may be in a bad state", fromEntityID, toEntity.ID), nil, nil
+			}
+			return errors.New("entity id to merge from is invalid"), nil, nil
 		}
 
-		stdinR, stdinW := io.Pipe()
-		go func() {
-			stdinW.Write([]byte(`{"allow_localhost":"false","allow_wildcard_certificates":"false"}`))
-			stdinW.Close()
-		}()
+		if fromEntity.NamespaceID != toEntity.NamespaceID {
+			return errors.New("entity id to merge from does not belong to this namespace"), nil, nil
+		}
 
-		ui, cmd := testPatchCommand(t)
-		cmd.client = client
-		cmd.testStdin = stdinR
+		// If we're not resolving a conflict, we check to see if
+		// any aliases conflict between the toEntity and this fromEntity:
+		if !forceMergeAliases && len(conflictingAliasIDsToKeep) == 0 {
+			for _, toAlias := range toEntity.Aliases {
+				for _, fromAlias := range fromEntity.Aliases {
+					// First, check to see if this alias clashes with an alias from any of the other fromEntities:
+					id, mountAccessorInAnotherFromEntity := fromEntityAccessors[fromAlias.MountAccessor]
+					if mountAccessorInAnotherFromEntity && (id != fromEntityID) {
+						return fmt.Errorf("mount accessor %s found in multiple fromEntities, merge should be done with one fromEntity at a time", fromAlias.MountAccessor), nil, nil
+					}
+
+					fromEntityAccessors[fromAlias.MountAccessor] = fromEntityID
+
+					// If it doesn't, check if it clashes with the toEntities
+					if toAlias.MountAccessor == fromAlias.MountAccessor {
+						if aliasClashError == nil {
+							aliasClashError = multierror.Append(aliasClashError, fmt.Errorf("toEntity and at least one fromEntity have aliases with the same mount accessor, repeat the merge request specifying exactly one fromEntity, clashes: "))
+						}
+						aliasClashError = multierror.Append(aliasClashError,
+							fmt.Errorf("mountAccessor: %s, toEntity ID: %s, fromEntity ID: %s, conflicting toEntity alias ID: %s, conflicting fromEntity alias ID: %s",
+								toAlias.MountAccessor, toEntity.ID, fromEntityID, toAlias.ID, fromAlias.ID))
+
+						var toAliasMountType string
+						var toAliasMountPath string
+						mountValidationRespToAlias := i.router.ValidateMountByAccessor(toAlias.MountAccessor)
+						if mountValidationRespToAlias != nil {
+							toAliasMountType = mountValidationRespToAlias.MountType
+							toAliasMountPath = mountValidationRespToAlias.MountPath
+						}
+
+						var fromAliasMountType string
+						var fromAliasMountPath string
+						mountValidationRespFromAlias := i.router.ValidateMountByAccessor(fromAlias.MountAccessor)
+						if mountValidationRespFromAlias != nil {
+							fromAliasMountType = mountValidationRespFromAlias.MountType
+							fromAliasMountPath = mountValidationRespFromAlias.MountPath
+						}
+
+						// Also add both to our summary of all clashes:
+						aliasesInvolvedInClashes = append(aliasesInvolvedInClashes, aliasClashInformation{
+							Entity:    toEntity.Name,
+							EntityId:  toEntity.ID,
+							Alias:     toAlias.Name,
+							Mount:     toAliasMountType,
+							MountPath: toAliasMountPath,
+						})
+						aliasesInvolvedInClashes = append(aliasesInvolvedInClashes, aliasClashInformation{
+							Entity:    fromEntity.Name,
+							EntityId:  fromEntityID,
+							Alias:     fromAlias.Name,
+							Mount:     fromAliasMountType,
+							MountPath: fromAliasMountPath,
+						})
+					}
+				}
+			}
+		}
+
+		for configID, configSecret := range fromEntity.MFASecrets {
+			_, ok := toEntity.MFASecrets[configID]
+			if ok && !force {
+				return nil, fmt.Errorf("conflicting MFA config ID %q in entity ID %q", configID, fromEntity.ID), nil
+			} else {
+				if toEntity.MFASecrets == nil {
+					toEntity.MFASecrets = make(map[string]*mfa.Secret)
+				}
+				toEntity.MFASecrets[configID] = configSecret
+			}
+		}
+	}
+
+	// Check alias clashes after validating every fromEntity, so that we have a full list of errors
+	if aliasClashError != nil {
+		return aliasClashError, nil, aliasesInvolvedInClashes
+	}
+
+	isPerfSecondaryOrStandby := i.localNode.ReplicationState().HasState(consts.ReplicationPerformanceSecondary) ||
+		i.localNode.HAState() == consts.PerfStandby
+	var fromEntityGroups []*identity.Group
+
+	toEntityAccessors := make(map[string][]string)
+
+	for _, alias := range toEntity.Aliases {
+		if accessors, ok := toEntityAccessors[alias.MountAccessor]; !ok {
+			// While it is not supported to have multiple aliases with the same mount accessor in one entity
+			// we do not strictly enforce the invariant. Thus, we account for multiple just to be safe
+			if accessors == nil {
+				toEntityAccessors[alias.MountAccessor] = []string{alias.ID}
+			} else {
+				toEntityAccessors[alias.MountAccessor] = append(accessors, alias.ID)
+			}
+		}
+	}
 
-		code := cmd.Run([]string{
-			"pki/roles/example", "-",
-		})
-		if code != 0 {
-			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-			t.Fatalf("expected retcode=%d to be 0\nOutput:\n%v", code, combined)
+	for _, fromEntityID := range sanitizedFromEntityIDs {
+		if fromEntityID == toEntity.ID {
+			return errors.New("to_entity_id should not be present in from_entity_ids"), nil, nil
 		}
 
-		secret, err := client.Logical().Read("pki/roles/example")
+		fromEntity, err := i.MemDBEntityByID(fromEntityID, true)
 		if err != nil {
-			t.Fatal(err)
+			return nil, err, nil
 		}
-		if secret == nil || secret.Data == nil {
-			t.Fatal("expected secret to have data")
+
+		if fromEntity == nil {
+			// If forceMergeAliases is true, and we didn't find a fromEntity, then something
+			// is wrong with storage. This function was called as part of an automated
+			// merge from CreateOrFetchEntity or Invalidate to repatriate an alias with its 'true'
+			// entity. As a result, the entity _should_ exist, but we can't find it.
+			// MemDb may be in a bad state, because fromEntity should be non-nil in the
+			// automated merge case.
+			if forceMergeAliases {
+				return fmt.Errorf("fromEntity %s was not found in memdb as part of an automated entity merge into %s; storage/memdb may be in a bad state", fromEntityID, toEntity.ID), nil, nil
+			}
+			return errors.New("entity id to merge from is invalid"), nil, nil
 		}
-		if exp, act := false, secret.Data["allow_localhost"].(bool); exp != act {
-			t.Errorf("expected allowed_localhost=%v to be %v", act, exp)
+
+		if fromEntity.NamespaceID != toEntity.NamespaceID {
+			return errors.New("entity id to merge from does not belong to this namespace"), nil, nil
 		}
-		if exp, act := false, secret.Data["allow_wildcard_certificates"].(bool); exp != act {
-			t.Errorf("expected allow_wildcard_certificates=%v to be %v", act, exp)
+
+		for _, fromAlias := range fromEntity.Aliases {
+			// If true, we need to handle conflicts (conflict = both aliases share the same mount accessor)
+			if toAliasIds, ok := toEntityAccessors[fromAlias.MountAccessor]; ok {
+				for _, toAliasId := range toAliasIds {
+					// When forceMergeAliases is true (as part of the merge-during-upsert case), we make the decision
+					// for the user, and keep the to_entity alias, merging the from_entity
+					// This case's code is the same as when the user selects to keep the from_entity alias
+					// but is kept separate for clarity
+					if forceMergeAliases {
+						i.logger.Info("Deleting to_entity alias during entity merge", "to_entity", toEntity.ID, "deleted_alias", toAliasId)
+						err := i.MemDBDeleteAliasByIDInTxn(txn, toAliasId, false)
+						if err != nil {
+							return nil, fmt.Errorf("aborting entity merge - failed to delete orphaned alias %q during merge into entity %q: %w", toAliasId, toEntity.ID, err), nil
+						}
+					} else if strutil.StrListContains(conflictingAliasIDsToKeep, toAliasId) {
+						i.logger.Info("Deleting from_entity alias during entity merge", "from_entity", fromEntityID, "deleted_alias", fromAlias.ID)
+						err := i.MemDBDeleteAliasByIDInTxn(txn, fromAlias.ID, false)
+						if err != nil {
+							return nil, fmt.Errorf("aborting entity merge - failed to delete orphaned alias %q during merge into entity %q: %w", fromAlias.ID, toEntity.ID, err), nil
+						}
+
+						// Continue to next alias, as there's no alias to merge left in the from_entity
+						continue
+					} else if strutil.StrListContains(conflictingAliasIDsToKeep, fromAlias.ID) {
+						i.logger.Info("Deleting to_entity alias during entity merge", "to_entity", toEntity.ID, "deleted_alias", toAliasId)
+						err := i.MemDBDeleteAliasByIDInTxn(txn, toAliasId, false)
+						if err != nil {
+							return nil, fmt.Errorf("aborting entity merge - failed to delete orphaned alias %q during merge into entity %q: %w", toAliasId, toEntity.ID, err), nil
+						}
+					} else {
+						return fmt.Errorf("conflicting mount accessors in following alias IDs and neither were present in conflicting_alias_ids_to_keep: %s, %s", fromAlias.ID, toAliasId), nil, nil
+					}
+				}
+			}
+
+			// Set the desired canonical ID
+			fromAlias.CanonicalID = toEntity.ID
+
+			fromAlias.MergedFromCanonicalIDs = append(fromAlias.MergedFromCanonicalIDs, fromEntity.ID)
+
+			err = i.MemDBUpsertAliasInTxn(txn, fromAlias, false)
+			if err != nil {
+				return nil, fmt.Errorf("failed to update alias during merge: %w", err), nil
+			}
+
+			// Add the alias to the desired entity
+			toEntity.Aliases = append(toEntity.Aliases, fromAlias)
 		}
-	})
 
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
+		// If told to, merge policies
+		if mergePolicies {
+			toEntity.Policies = strutil.RemoveDuplicates(strutil.MergeSlices(toEntity.Policies, fromEntity.Policies), false)
+		}
 
-		client, closer := testVaultServerBad(t)
-		defer closer()
+		// If the entity from which we are merging from was already a merged
+		// entity, transfer over the Merged set to the entity we are
+		// merging into.
+		toEntity.MergedEntityIDs = append(toEntity.MergedEntityIDs, fromEntity.MergedEntityIDs...)
 
-		ui, cmd := testPatchCommand(t)
-		cmd.client = client
+		// Add the entity from which we are merging from to the list of entities
+		// the entity we are merging into is composed of.
+		toEntity.MergedEntityIDs = append(toEntity.MergedEntityIDs, fromEntity.ID)
 
-		code := cmd.Run([]string{
-			"foo/bar", "a=b",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
+		// Remove entity ID as a member from all the groups it belongs, both
+		// internal and external
+		groups, err := i.MemDBGroupsByMemberEntityIDInTxn(txn, fromEntity.ID, true, false)
+		if err != nil {
+			return nil, err, nil
 		}
+		for _, group := range groups {
+			group.MemberEntityIDs = strutil.StrListDelete(group.MemberEntityIDs, fromEntity.ID)
+			err = i.UpsertGroupInTxn(ctx, txn, group, persist && !isPerfSecondaryOrStandby)
+			if err != nil {
+				return nil, err, nil
+			}
 
-		expected := "Error writing data to foo/bar: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
+			fromEntityGroups = append(fromEntityGroups, group)
 		}
-	})
 
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
+		// Delete the entity which we are merging from in MemDB using the same transaction
+		err = i.MemDBDeleteEntityByIDInTxn(txn, fromEntity.ID)
+		if err != nil {
+			return nil, err, nil
+		}
+
+		if persist && !isPerfSecondaryOrStandby {
+			// Delete the entity which we are merging from in storage
+			err = i.entityPacker.DeleteItem(ctx, fromEntity.ID)
+			if err != nil {
+				return nil, err, nil
+			}
+		}
+	}
+
+	// Update MemDB with changes to the entity we are merging to
+	err = i.MemDBUpsertEntityInTxn(txn, toEntity)
+	if err != nil {
+		return nil, err, nil
+	}
+
+	for _, group := range fromEntityGroups {
+		group.MemberEntityIDs = append(group.MemberEntityIDs, toEntity.ID)
+		err = i.UpsertGroupInTxn(ctx, txn, group, persist && !isPerfSecondaryOrStandby)
+		if err != nil {
+			return nil, err, nil
+		}
+	}
+
+	if persist && !isPerfSecondaryOrStandby {
+		// Persist the entity which we are merging to
+		toEntityAsAny, err := ptypes.MarshalAny(toEntity)
+		if err != nil {
+			return nil, err, nil
+		}
+		item := &storagepacker.Item{
+			ID:      toEntity.ID,
+			Message: toEntityAsAny,
+		}
+
+		err = i.entityPacker.PutItem(ctx, item)
+		if err != nil {
+			return nil, err, nil
+		}
+	}
+
+	return nil, nil, nil
+}
 
-		_, cmd := testPatchCommand(t)
-		assertNoTabs(t, cmd)
-	})
+var entityHelp = map[string][2]string{
+	"entity": {
+		"Create a new entity",
+		"",
+	},
+	"entity-id": {
+		"Update, read or delete an entity using entity ID",
+		"",
+	},
+	"entity-name": {
+		"Update, read or delete an entity using entity name",
+		"",
+	},
+	"entity-id-list": {
+		"List all the entity IDs",
+		"",
+	},
+	"entity-name-list": {
+		"List all the entity names",
+		"",
+	},
+	"entity-merge-id": {
+		"Merge two or more entities together",
+		"",
+	},
+	"batch-delete": {
+		"Delete all of the entities provided",
+		"",
+	},
 }
diff --git a/command/path_help.go b/command/path_help.go
index 3525f2ededc5..fa675d1b4f1d 100644
--- a/command/path_help.go
+++ b/command/path_help.go
@@ -1,121 +1,121 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"encoding/json"
-	"fmt"
-	"strings"
-
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*PathHelpCommand)(nil)
-	_ cli.CommandAutocomplete = (*PathHelpCommand)(nil)
-)
-
-var pathHelpVaultSealedMessage = strings.TrimSpace(`
-Error: Vault is sealed.
-
-The "path-help" command requires the Vault to be unsealed so that the mount
-points of the secret engines are known.
-`)
-
-type PathHelpCommand struct {
-	*BaseCommand
-}
-
-func (c *PathHelpCommand) Synopsis() string {
-	return "Retrieve API help for paths"
-}
-
-func (c *PathHelpCommand) Help() string {
-	helpText := `
-Usage: vault path-help [options] PATH
-
-  Retrieves API help for paths. All endpoints in Vault provide built-in help
-  in markdown format. This includes system paths, secret engines, and auth
-  methods.
-
-  Get help for the thing mounted at database/:
-
-      $ vault path-help database/
-
-  The response object will return additional paths to retrieve help:
-
-      $ vault path-help database/roles/
-
-  Each secret engine produces different help output.
-
-  If -format is specified as JSON, the output will be in OpenAPI format.
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *PathHelpCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-}
-
-func (c *PathHelpCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictAnything // TODO: programatic way to invoke help
-}
-
-func (c *PathHelpCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *PathHelpCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	path := sanitizePath(args[0])
-
-	help, err := client.Help(path)
-	if err != nil {
-		if strings.Contains(err.Error(), "Vault is sealed") {
-			c.UI.Error(pathHelpVaultSealedMessage)
-		} else {
-			c.UI.Error(fmt.Sprintf("Error retrieving help: %s", err))
-		}
-		return 2
-	}
-
-	switch c.flagFormat {
-	case "json":
-		b, err := json.Marshal(help.OpenAPI)
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error marshaling OpenAPI: %s", err))
-			return 2
-		}
-		c.UI.Output(string(b))
-	default:
-		c.UI.Output(help.Help)
-	}
-
-	return 0
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<Identity::EntityNav @identityType={{this.identityType}} @model={{this.model}} />
+{{#if this.model.meta.total}}
+  {{#each this.model as |item|}}
+    <LinkedBlock
+      @params={{array "vault.cluster.access.identity.show" item.id "details"}}
+      class="list-item-row"
+      data-test-identity-row
+    >
+      <div class="columns is-mobile">
+        <div class="column is-7-tablet is-10-mobile">
+          <LinkTo
+            @route="vault.cluster.access.identity.show"
+            @models={{array item.id "details"}}
+            class="is-block has-text-black has-text-weight-semibold"
+            data-test-identity-link={{true}}
+          >
+            <Icon @name="user" class="has-text-grey-light" />
+            <span class="has-text-weight-semibold">{{item.name}}</span>
+          </LinkTo>
+          <div class="has-text-grey is-size-8">
+            {{item.id}}
+          </div>
+        </div>
+        <div class="column is-3 is-hidden-mobile">
+          {{#if item.aliases.length}}
+            {{pluralize item.aliases.length "alias"}}
+          {{/if}}
+        </div>
+        <div class="column has-text-right">
+          <PopupMenu @name="identity-item" @onOpen={{action "reloadRecord" item}}>
+            <nav class="menu">
+              <ul class="menu-list">
+                <li class="action">
+                  <LinkTo @route="vault.cluster.access.identity.show" @models={{array item.id "details"}}>
+                    Details
+                  </LinkTo>
+                </li>
+                {{#if (or item.isReloading item.updatePath.isPending item.aliasPath.isPending)}}
+                  <li class="action">
+                    <LoadingDropdownOption />
+                  </li>
+                {{else}}
+                  {{#if item.canAddAlias}}
+                    <li class="action">
+                      <LinkTo
+                        @route="vault.cluster.access.identity.aliases.add"
+                        @models={{array (pluralize this.identityType) item.id}}
+                      >
+                        Create alias
+                      </LinkTo>
+                    </li>
+                  {{/if}}
+                  {{#if item.canEdit}}
+                    <li class="action">
+                      <LinkTo @route="vault.cluster.access.identity.edit" @model={{item.id}}>
+                        Edit
+                      </LinkTo>
+                    </li>
+                    <li class="action">
+                      {{#if item.disabled}}
+                        <Hds::Button @text="Enable" {{on "click" (action "toggleDisabled" item)}} class="link" />
+                      {{else if (eq this.identityType "entity")}}
+                        <ConfirmAction
+                          @isInDropdown={{true}}
+                          @buttonText="Disable"
+                          @confirmMessage="Associated tokens will not be revoked, but cannot be used"
+                          @confirmTitle="Disable this entity?"
+                          @onConfirmAction={{action "toggleDisabled" item}}
+                          @modalColor="warning"
+                        />
+                      {{/if}}
+                    </li>
+                  {{/if}}
+                  {{#if item.canDelete}}
+                    <ConfirmAction
+                      @isInDropdown={{true}}
+                      @buttonText="Delete"
+                      @onConfirmAction={{action "delete" item}}
+                      @confirmTitle="Delete this {{this.identityType}}?"
+                      data-test-item-delete
+                    />
+                  {{/if}}
+                {{/if}}
+              </ul>
+            </nav>
+          </PopupMenu>
+        </div>
+      </div>
+    </LinkedBlock>
+  {{/each}}
+
+  <Hds::Pagination::Numbered
+    @currentPage={{this.model.meta.currentPage}}
+    @currentPageSize={{this.model.meta.pageSize}}
+    @route="vault.cluster.access.identity.index"
+    @showSizeSelector={{false}}
+    @totalItems={{this.model.meta.total}}
+    @queryFunction={{this.paginationQueryParams}}
+  />
+
+{{else}}
+  <EmptyState
+    @title="No {{pluralize this.identityType}} yet"
+    @message="A list of {{pluralize
+      this.identityType
+    }} in this namespace will be listed here. Create your first {{this.identityType}} to get started."
+  >
+    <LinkTo @route="vault.cluster.access.identity.create" @model={{pluralize this.identityType}} class="link">
+      Create
+      {{this.identityType}}
+    </LinkTo>
+    <DocLink @path="/vault/tutorials/auth-methods/identity">
+      Learn more
+    </DocLink>
+  </EmptyState>
+{{/if}}
\ No newline at end of file
diff --git a/command/path_help_test.go b/command/path_help_test.go
index 0bce2c788f81..1a3a8b167bb0 100644
--- a/command/path_help_test.go
+++ b/command/path_help_test.go
@@ -1,118 +1,81 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/mitchellh/cli"
-)
-
-func testPathHelpCommand(tb testing.TB) (*cli.MockUi, *PathHelpCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &PathHelpCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestPathHelpCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"not_enough_args",
-			[]string{},
-			"Not enough arguments",
-			1,
-		},
-		{
-			"too_many_args",
-			[]string{"foo", "bar"},
-			"Too many arguments",
-			1,
-		},
-		{
-			"not_found",
-			[]string{"nope/not/once/never"},
-			"",
-			2,
-		},
-		{
-			"kv",
-			[]string{"secret/"},
-			"The kv backend",
-			0,
-		},
-		{
-			"sys",
-			[]string{"sys/mounts"},
-			"currently mounted backends",
-			0,
-		},
-	}
-
-	for _, tc := range cases {
-		tc := tc
-
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			client, closer := testVaultServer(t)
-			defer closer()
-
-			ui, cmd := testPathHelpCommand(t)
-			cmd.client = client
-
-			code := cmd.Run(tc.args)
-			if code != tc.code {
-				t.Errorf("expected %d to be %d", code, tc.code)
-			}
-
-			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-			if !strings.Contains(combined, tc.out) {
-				t.Errorf("expected %q to contain %q", combined, tc.out)
-			}
-		})
-	}
-
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerBad(t)
-		defer closer()
-
-		ui, cmd := testPathHelpCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"sys/mounts",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Error retrieving help: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testPathHelpCommand(t)
-		assertNoTabs(t, cmd)
-	})
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { inject as service } from '@ember/service';
+import Route from '@ember/routing/route';
+import ClusterRoute from 'vault/mixins/cluster-route';
+import ListRoute from 'core/mixins/list-route';
+
+export default Route.extend(ClusterRoute, ListRoute, {
+  store: service(),
+  version: service(),
+
+  shouldReturnEmptyModel(policyType, version) {
+    return policyType !== 'acl' && (version.get('isCommunity') || !version.get('hasSentinel'));
+  },
+
+  model(params) {
+    const policyType = this.policyType();
+    if (this.shouldReturnEmptyModel(policyType, this.version)) {
+      return;
+    }
+    return this.store
+      .lazyPaginatedQuery(`policy/${policyType}`, {
+        page: params.page,
+        pageFilter: params.pageFilter,
+        responsePath: 'data.keys',
+      })
+      .catch((err) => {
+        // acls will never be empty, but sentinel policies can be
+        if (err.httpStatus === 404 && this.policyType() !== 'acl') {
+          return [];
+        } else {
+          throw err;
+        }
+      });
+  },
+
+  setupController(controller, model) {
+    const params = this.paramsFor(this.routeName);
+    if (!model) {
+      controller.setProperties({
+        model: null,
+        policyType: this.policyType(),
+      });
+      return;
+    }
+    controller.setProperties({
+      model,
+      filter: params.pageFilter || '',
+      page: model.get('meta.currentPage') || 1,
+      policyType: this.policyType(),
+    });
+  },
+
+  resetController(controller, isExiting) {
+    this._super(...arguments);
+    if (isExiting) {
+      controller.set('filter', '');
+    }
+  },
+
+  actions: {
+    willTransition(transition) {
+      window.scrollTo(0, 0);
+      if (!transition || transition.targetName !== this.routeName) {
+        this.store.clearAllDatasets();
+      }
+      return true;
+    },
+    reload() {
+      this.store.clearAllDatasets();
+      this.refresh();
+    },
+  },
+
+  policyType() {
+    return this.paramsFor('vault.cluster.policies').type;
+  },
+});
diff --git a/command/pki.go b/command/pki.go
index 63655da5ca6f..086ff87eddde 100644
--- a/command/pki.go
+++ b/command/pki.go
@@ -1,42 +1,357 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
+---
+layout: docs
+page_title: Vault Proxy
+description: |-
+  Vault Proxy is a daemon that can be used to perform some Vault
+  functionality automatically, and act as a proxy for Vault's APIs.
+---
 
-package command
+# What is Vault Proxy?
 
-import (
-	"strings"
+Vault Proxy aims to remove the initial hurdle to adopt Vault by providing a
+more scalable and simpler way for applications to integrate with Vault.
+Vault Proxy acts as an [API Proxy][apiproxy] for Vault, and can optionally allow
+or force interacting clients to use its [automatically authenticated token][autoauth].
 
-	"github.com/mitchellh/cli"
-)
+Vault Proxy is a client daemon that provides the following features:
 
-var _ cli.Command = (*PKICommand)(nil)
+- [Auto-Auth][autoauth] - Automatically authenticate to Vault and manage the
+token renewal process for locally-retrieved dynamic secrets.
+- [API Proxy][apiproxy] - Acts as a proxy for Vault's API,
+optionally using (or forcing the use of) the Auto-Auth token.
+- [Caching][caching] - Allows client-side caching of responses containing newly
+created tokens and responses containing leased secrets generated off of these
+newly created tokens. The agent also manages the renewals of the cached tokens and leases.
 
-type PKICommand struct {
-	*BaseCommand
-}
+## Auto-Auth
+
+Vault Proxy allows easy authentication to Vault in a wide variety of
+environments. Please see the [Auto-Auth docs][autoauth]
+for information.
+
+Auto-Auth functionality takes place within an `auto_auth` configuration stanza.
+
+## API proxy
+
+Vault Proxy's primary purpose is to act as an API proxy for Vault, allowing you to talk to Vault's
+API via a listener. It can be configured to optionally allow or force the automatic use of
+the Auto-Auth token for these requests. Please see the [API Proxy docs][apiproxy]
+for more information.
+
+API Proxy functionality takes place within a defined `listener`, and its behaviour can be configured with an
+[`api_proxy` stanza](/vault/docs/agent-and-proxy/proxy/apiproxy#configuration-api_proxy).
+
+## Caching
+
+Vault Proxy allows client-side caching of responses containing newly created tokens
+and responses containing leased secrets generated off of these newly created tokens.
+Please see the [Caching docs][caching] for information.
+
+## API
+
+### Quit
+
+This endpoint triggers shutdown of the proxy. By default, it is disabled, and can
+be enabled per listener using the [`proxy_api`][proxy-api] stanza. It is recommended
+to only enable this on trusted interfaces, as it does not require any authorization to use.
+
+| Method | Path             |
+| :----- | :--------------- |
+| `POST` | `/proxy/v1/quit` |
+
+### Cache
+
+See the [caching](/vault/docs/agent-and-proxy/proxy/caching#api) page for details on the cache API.
+
+## Configuration
+
+### Command options
+
+- `-log-level` ((#\_log_level)) `(string: "info")` - Log verbosity level. Supported values (in
+order of descending detail) are `trace`, `debug`, `info`, `warn`, and `error`. This can
+also be specified via the `VAULT_LOG_LEVEL` environment variable.
+
+- `-log-format` ((#\_log_format)) `(string: "standard")` - Log format. Supported values
+are `standard` and `json`. This can also be specified via the
+`VAULT_LOG_FORMAT` environment variable.
+
+- `-log-file` ((#\_log_file)) - the absolute path where Vault Proxy should save
+  log messages. Paths that end with a path separator use the default file name,
+  `proxy.log`. Paths that do not end with a file extension use the default
+  `.log` extension. If the log file rotates, Vault Proxy appends the current
+  timestamp to the file name at the time of rotation. For example:
+
+  `log-file` | Full log file | Rotated log file
+  ---------- | ------------- | ----------------
+  `/var/log` | `/var/log/proxy.log` | `/var/log/proxy-{timestamp}.log`
+  `/var/log/my-diary` | `/var/log/my-diary.log` | `/var/log/my-diary-{timestamp}.log`
+  `/var/log/my-diary.txt` | `/var/log/my-diary.txt` | `/var/log/my-diary-{timestamp}.txt`
+
+- `-log-rotate-bytes` ((#\_log_rotate_bytes)) - to specify the number of
+bytes that should be written to a log before it needs to be rotated. Unless specified,
+there is no limit to the number of bytes that can be written to a log file.
+
+- `-log-rotate-duration` ((#\_log_rotate_duration)) - to specify the maximum
+duration a log should be written to before it needs to be rotated. Must be a duration
+value such as 30s. Defaults to 24h.
+
+- `-log-rotate-max-files` ((#\_log_rotate_max_files)) - to specify the maximum
+number of older log file archives to keep. Defaults to `0` (no files are ever deleted).
+Set to `-1` to discard old log files when a new one is created.
+
+### Configuration file options
+
+These are the currently-available general configuration options:
+
+- `vault` <code>([vault][vault]: <optional\>)</code> - Specifies the remote Vault server the Proxy connects to.
+
+- `auto_auth` <code>([auto_auth][autoauth]: <optional\>)</code> - Specifies the method and other options used for Auto-Auth functionality.
+
+- `api_proxy` <code>([api_proxy][apiproxy]: <optional\>)</code> - Specifies options used for API Proxy functionality.
+
+- `cache` <code>([cache][caching]: <optional\>)</code> - Specifies options used for Caching functionality.
+
+- `listener` <code>([listener][listener]: <optional\>)</code> - Specifies the addresses and ports on which the Proxy will respond to requests.
+
+~> **Note:** On `SIGHUP` (`kill -SIGHUP $(pidof vault)`), Vault Proxy will attempt to reload listener TLS configuration.
+This method can be used to refresh certificates used by Vault Proxy without having to restart its process.
+
+- `pid_file` `(string: "")` - Path to the file in which the Proxy's Process ID
+(PID) should be stored
+
+- `exit_after_auth` `(bool: false)` - If set to `true`, the proxy will exit
+with code `0` after a single successful auth, where success means that a
+token was retrieved and all sinks successfully wrote it
+
+- `disable_idle_connections` `(string array: [])` - A list of strings that disables idle connections for various features in Vault Proxy.
+Valid values include: `auto-auth`, and `proxying`. Can also be configured by setting the `VAULT_PROXY_DISABLE_IDLE_CONNECTIONS`
+environment variable as a comma separated string. This environment variable will override any values found in a configuration file.
+
+- `disable_keep_alives` `(string array: [])` - A list of strings that disables keep alives for various features in Vault Agent.
+Valid values include: `auto-auth`, and `proxying`. Can also be configured by setting the `VAULT_PROXY_DISABLE_KEEP_ALIVES`
+environment variable as a comma separated string. This environment variable will override any values found in a configuration file.
+
+- `template` <code>([template][template]: <optional\>)</code> - Specifies options used for templating Vault secrets to files.
+
+- `template_config` <code>([template_config][template-config]: <optional\>)</code> - Specifies templating engine behavior.
+
+- `telemetry` <code>([telemetry][telemetry]: <optional\>)</code> – Specifies the telemetry
+reporting system. See the [telemetry Stanza](/vault/docs/agent-and-proxy/proxy#telemetry-stanza) section below
+for a list of metrics specific to Proxy.
+
+- `log_level` - Equivalent to the [`-log-level` command-line flag](#_log_level).
+
+~> **Note:** On `SIGHUP` (`kill -SIGHUP $(pidof vault)`), Vault Proxy will update the log level to the value
+specified by configuration file (including overriding values set using CLI or environment variable parameters).
+
+- `log_format` - Equivalent to the [`-log-format` command-line flag](#_log_format).
+
+- `log_file` - Equivalent to the [`-log-file` command-line flag](#_log_file).
+
+- `log_rotate_duration` - Equivalent to the [`-log-rotate-duration` command-line flag](#_log_rotate_duration).
+
+- `log_rotate_bytes` - Equivalent to the [`-log-rotate-bytes` command-line flag](#_log_rotate_bytes).
 
-func (c *PKICommand) Synopsis() string {
-	return "Interact with Vault's PKI Secrets Engine"
+- `log_rotate_max_files` - Equivalent to the [`-log-rotate-max-files` command-line flag](#_log_rotate_max_files).
+
+### vault stanza
+
+There can at most be one top level `vault` block, and it has the following
+configuration entries:
+
+- `address` `(string: <optional>)` - The address of the Vault server to
+connect to. This should be a Fully Qualified Domain Name (FQDN) or IP
+such as `https://vault-fqdn:8200` or `https://172.16.9.8:8200`.
+This value can be overridden by setting the `VAULT_ADDR` environment variable.
+
+- `ca_cert` `(string: <optional>)` - Path on the local disk to a single PEM-encoded
+CA certificate to verify the Vault server's SSL certificate. This value can
+be overridden by setting the `VAULT_CACERT` environment variable.
+
+- `ca_path` `(string: <optional>)` - Path on the local disk to a directory of
+PEM-encoded CA certificates to verify the Vault server's SSL certificate.
+This value can be overridden by setting the `VAULT_CAPATH` environment
+variable.
+
+- `client_cert` `(string: <optional>)` - Path on the local disk to a single
+PEM-encoded CA certificate to use for TLS authentication to the Vault server.
+This value can be overridden by setting the `VAULT_CLIENT_CERT` environment
+variable.
+
+- `client_key` `(string: <optional>)` - Path on the local disk to a single
+PEM-encoded private key matching the client certificate from `client_cert`.
+This value can be overridden by setting the `VAULT_CLIENT_KEY` environment
+variable.
+
+- `tls_skip_verify` `(string: <optional>)` - Disable verification of TLS
+certificates. Using this option is highly discouraged as it decreases the
+security of data transmissions to and from the Vault server. This value can
+be overridden by setting the `VAULT_SKIP_VERIFY` environment variable.
+
+- `tls_server_name` `(string: <optional>)` - Name to use as the SNI host when
+connecting via TLS. This value can be overridden by setting the
+`VAULT_TLS_SERVER_NAME` environment variable.
+
+#### retry stanza
+
+The `vault` stanza may contain a `retry` stanza that controls how failing Vault
+requests are handled. Auto-auth, however, has its own notion of retrying and is not
+affected by this section.
+
+Here are the options for the `retry` stanza:
+
+- `num_retries` `(int: 12)` - Specify how many times a failing request will
+be retried. A value of `0` translates to the default, i.e. 12 retries.
+A value of `-1` disables retries. The environment variable `VAULT_MAX_RETRIES`
+overrides this setting.
+
+Requests originating
+from the proxy cache will only be retried if they resulted in specific HTTP
+result codes: any 50x code except 501 ("not implemented"), as well as 412
+("precondition failed"); 412 is used in Vault Enterprise 1.7+ to indicate a
+stale read due to eventual consistency. Requests coming from the template
+subsystem are retried regardless of the failure.
+
+### listener stanza
+
+Vault Proxy supports one or more [listener][listener_main] stanzas. Listeners
+can be configured with or without [caching][caching], but will use the cache if it
+has been configured, and will enable the [API proxy][apiproxy]. In addition to the standard
+listener configuration, a Proxy's listener configuration also supports the following:
+
+- `require_request_header` `(bool: false)` - Require that all incoming HTTP
+requests on this listener must have an `X-Vault-Request: true` header entry.
+Using this option offers an additional layer of protection from Server Side
+Request Forgery attacks. Requests on the listener that do not have the proper
+`X-Vault-Request` header will fail, with a HTTP response status code of `412: Precondition Failed`.
+
+- `role` `(string: default)` - `role` determines which APIs the listener serves.
+It can be configured to `metrics_only` to serve only metrics, or the default role, `default`,
+which serves everything (including metrics). The `require_request_header` does not apply
+to `metrics_only` listeners.
+
+- `proxy_api` <code>([proxy_api][proxy-api]: <optional\>)</code> - Manages optional Proxy API endpoints.
+
+#### proxy_api stanza
+
+- `enable_quit` `(bool: false)` - If set to `true`, the Proxy will enable the [quit](/vault/docs/agent-and-proxy/proxy#quit) API.
+
+### telemetry stanza
+
+Vault Proxy supports the [telemetry][telemetry] stanza and collects various
+runtime metrics about its performance, the auto-auth and the cache status:
+
+| Metric                           | Description                                          | Type    |
+| -------------------------------- | ---------------------------------------------------- | ------- |
+| `vault.proxy.auth.failure`       | Number of authentication failures                    | counter |
+| `vault.proxy.auth.success`       | Number of authentication successes                   | counter |
+| `vault.proxy.proxy.success`      | Number of requests successfully proxied              | counter |
+| `vault.proxy.proxy.client_error` | Number of requests for which Vault returned an error | counter |
+| `vault.proxy.proxy.error`        | Number of requests the proxy failed to proxy         | counter |
+| `vault.proxy.cache.hit`          | Number of cache hits                                 | counter |
+| `vault.proxy.cache.miss`         | Number of cache misses                               | counter |
+
+## Start Vault proxy
+
+To run Vault Proxy:
+
+1. [Download](/vault/downloads) the Vault binary where the client application runs
+(virtual machine, Kubernetes pod, etc.)
+
+1. Create a Vault Proxy configuration file. (See the [Example
+Configuration](#example-configuration) section for an example configuration.)
+
+1. Start a Vault Proxy with the configuration file.
+
+**Example:**
+
+```shell-session
+$ vault proxy -config=/etc/vault/proxy-config.hcl
+   ```
+
+To get help, run:
+
+```shell-session
+$ vault proxy -h
+   ```
+
+As with Vault, the `-config` flag can be used in three different ways:
+
+- Use the flag once to name the path to a single specific configuration file.
+- Use the flag multiple times to name multiple configuration files, which will be composed at runtime.
+- Use the flag to name a directory of configuration files, the contents of which will be composed at runtime.
+
+## Example configuration
+
+An example configuration, with very contrived values, follows:
+
+```hcl
+pid_file = "./pidfile"
+
+vault {
+  address = "https://vault-fqdn:8200"
+  retry {
+    num_retries = 5
+  }
 }
 
-func (c *PKICommand) Help() string {
-	helpText := `
-Usage: vault pki <subcommand> [options] [args]
+auto_auth {
+  method "aws" {
+    mount_path = "auth/aws-subaccount"
+    config = {
+      type = "iam"
+      role = "foobar"
+    }
+  }
 
-  This command has subcommands for interacting with Vault's PKI Secrets
-  Engine. Here are some simple examples, and more detailed examples are
-  available in the subcommands or the documentation.
+  sink "file" {
+    config = {
+      path = "/tmp/file-foo"
+    }
+  }
 
-  Check the health of a PKI mount, to the best of this token's abilities:
+  sink "file" {
+    wrap_ttl = "5m"
+    aad_env_var = "TEST_AAD_ENV"
+    dh_type = "curve25519"
+    dh_path = "/tmp/file-foo-dhpath2"
+    config = {
+      path = "/tmp/file-bar"
+    }
+  }
+}
 
-      $ vault pki health-check pki
+cache {
+  // An empty cache stanza still enables caching
+}
 
-  Please see the individual subcommand help for detailed usage information.
-`
+api_proxy {
+  use_auto_auth_token = true
+}
 
-	return strings.TrimSpace(helpText)
+listener "unix" {
+  address = "/path/to/socket"
+  tls_disable = true
+
+  agent_api {
+    enable_quit = true
+  }
 }
 
-func (c *PKICommand) Run(args []string) int {
-	return cli.RunResultHelp
+listener "tcp" {
+  address = "127.0.0.1:8100"
+  tls_disable = true
 }
+```
+
+[vault]: /vault/docs/agent-and-proxy/proxy#vault-stanza
+[autoauth]: /vault/docs/agent-and-proxy/autoauth
+[caching]: /vault/docs/agent-and-proxy/proxy/caching
+[apiproxy]: /vault/docs/agent-and-proxy/proxy/apiproxy
+[persistent-cache]: /vault/docs/agent-and-proxy/proxy/caching/persistent-caches
+[template]: /vault/docs/agent-and-proxy/proxy/template
+[template-config]: /vault/docs/agent-and-proxy/proxy/template#template-configurations
+[proxy-api]: /vault/docs/agent-and-proxy/proxy/#proxy_api-stanza
+[listener]: /vault/docs/agent-and-proxy/proxy#listener-stanza
+[listener_main]: /vault/docs/configuration/listener/tcp
+[telemetry]: /vault/docs/configuration/telemetry
diff --git a/command/pki_health_check.go b/command/pki_health_check.go
index a06a8eccf8fc..d6ba44a25ee0 100644
--- a/command/pki_health_check.go
+++ b/command/pki_health_check.go
@@ -1,384 +1,294 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"encoding/json"
-	"fmt"
-	"os"
-	"strings"
-
-	"github.com/hashicorp/vault/command/healthcheck"
-
-	"github.com/ghodss/yaml"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-	"github.com/ryanuber/columnize"
-)
-
-const (
-	pkiRetOK int = iota
-	pkiRetUsage
-	pkiRetInformational
-	pkiRetWarning
-	pkiRetCritical
-	pkiRetInvalidVersion
-	pkiRetInsufficientPermissions
-)
-
-var (
-	_ cli.Command             = (*PKIHealthCheckCommand)(nil)
-	_ cli.CommandAutocomplete = (*PKIHealthCheckCommand)(nil)
-
-	// Ensure the above return codes match (outside of OK/Usage) the values in
-	// the healthcheck package.
-	_ = pkiRetInformational == int(healthcheck.ResultInformational)
-	_ = pkiRetWarning == int(healthcheck.ResultWarning)
-	_ = pkiRetCritical == int(healthcheck.ResultCritical)
-	_ = pkiRetInvalidVersion == int(healthcheck.ResultInvalidVersion)
-	_ = pkiRetInsufficientPermissions == int(healthcheck.ResultInsufficientPermissions)
-)
-
-type PKIHealthCheckCommand struct {
-	*BaseCommand
-
-	flagConfig          string
-	flagReturnIndicator string
-	flagDefaultDisabled bool
-	flagList            bool
-}
-
-func (c *PKIHealthCheckCommand) Synopsis() string {
-	return "Check a PKI Secrets Engine mount's health and operational status"
-}
-
-func (c *PKIHealthCheckCommand) Help() string {
-	helpText := `
-Usage: vault pki health-check [options] MOUNT
-
-  Reports status of the specified mount against best practices and pending
-  failures. This is an informative command and not all recommendations will
-  apply to all mounts; consider using a configuration file to tune the
-  executed health checks.
-
-  To check the pki-root mount with default configuration:
-
-      $ vault pki health-check pki-root
-
-  To specify a configuration:
-
-      $ vault pki health-check -health-config=mycorp-root.json /pki-root
-
-  Return codes indicate failure type:
-
-      0 - Everything is good.
-      1 - Usage error (check CLI parameters).
-	  2 - Informational message from a health check.
-	  3 - Warning message from a health check.
-	  4 - Critical message from a health check.
-	  5 - A version mismatch between health check and Vault Server occurred,
-	      preventing one or more health checks from being run.
-      6 - A permission denied message was returned from Vault Server for
-	      one or more health checks.
-
-For more detailed information, refer to the online documentation about the
-vault pki health-check command.
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *PKIHealthCheckCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-	f := set.NewFlagSet("Command Options")
-
-	f.StringVar(&StringVar{
-		Name:    "health-config",
-		Target:  &c.flagConfig,
-		Default: "",
-		EnvVar:  "",
-		Usage:   "Path to JSON configuration file to modify health check execution and parameters.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "return-indicator",
-		Target:     &c.flagReturnIndicator,
-		Default:    "default",
-		EnvVar:     "",
-		Completion: complete.PredictSet("default", "informational", "warning", "critical", "permission"),
-		Usage: `Behavior of the return value:
- - permission, for exiting with a non-zero code when the tool lacks
-               permissions or has a version mismatch with the server;
- - critical, for exiting with a non-zero code when a check returns a
-             critical status in addition to the above;
- - warning, for exiting with a non-zero status when a check returns a
-            warning status in addition to the above;
- - informational, for exiting with a non-zero status when a check returns
-                  an informational status in addition to the above;
- - default, for the default behavior based on severity of message and
-            only returning a zero exit status when all checks have passed
-			and no execution errors have occurred.
-		`,
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "default-disabled",
-		Target:  &c.flagDefaultDisabled,
-		Default: false,
-		EnvVar:  "",
-		Usage: `When specified, results in all health checks being disabled by
-default unless enabled by the configuration file explicitly.`,
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "list",
-		Target:  &c.flagList,
-		Default: false,
-		EnvVar:  "",
-		Usage: `When specified, no health checks are run, but all known health
-checks are printed.`,
-	})
-
-	return set
-}
-
-func (c *PKIHealthCheckCommand) isValidRetIndicator() bool {
-	switch c.flagReturnIndicator {
-	case "", "default", "informational", "warning", "critical", "permission":
-		return true
-	default:
-		return false
-	}
-}
-
-func (c *PKIHealthCheckCommand) AutocompleteArgs() complete.Predictor {
-	// Return an anything predictor here, similar to `vault write`. We
-	// don't know what values are valid for the mount path.
-	return complete.PredictAnything
-}
-
-func (c *PKIHealthCheckCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *PKIHealthCheckCommand) Run(args []string) int {
-	// Parse and validate the arguments.
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return pkiRetUsage
-	}
-
-	args = f.Args()
-	if !c.flagList && len(args) < 1 {
-		c.UI.Error("Not enough arguments (expected mount path, got nothing)")
-		return pkiRetUsage
-	} else if !c.flagList && len(args) > 1 {
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected only mount path, got %d arguments)", len(args)))
-		for _, arg := range args {
-			if strings.HasPrefix(arg, "-") {
-				c.UI.Warn(fmt.Sprintf("Options (%v) must be specified before positional arguments (%v)", arg, args[0]))
-				break
-			}
-		}
-		return pkiRetUsage
-	}
-
-	if !c.isValidRetIndicator() {
-		c.UI.Error(fmt.Sprintf("Invalid flag -return-indicator=%v; known options are default, informational, warning, critical, and permission", c.flagReturnIndicator))
-		return pkiRetUsage
-	}
-
-	// Setup the client and the executor.
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return pkiRetUsage
-	}
-
-	// When listing is enabled, we lack an argument here, but do not contact
-	// the server at all, so we're safe to use a hard-coded default here.
-	pkiPath := "<mount>"
-	if len(args) == 1 {
-		pkiPath = args[0]
-	}
-
-	mount := sanitizePath(pkiPath)
-	executor := healthcheck.NewExecutor(client, mount)
-	executor.AddCheck(healthcheck.NewCAValidityPeriodCheck())
-	executor.AddCheck(healthcheck.NewCRLValidityPeriodCheck())
-	executor.AddCheck(healthcheck.NewHardwareBackedRootCheck())
-	executor.AddCheck(healthcheck.NewRootIssuedLeavesCheck())
-	executor.AddCheck(healthcheck.NewRoleAllowsLocalhostCheck())
-	executor.AddCheck(healthcheck.NewRoleAllowsGlobWildcardsCheck())
-	executor.AddCheck(healthcheck.NewRoleNoStoreFalseCheck())
-	executor.AddCheck(healthcheck.NewAuditVisibilityCheck())
-	executor.AddCheck(healthcheck.NewAllowIfModifiedSinceCheck())
-	executor.AddCheck(healthcheck.NewEnableAutoTidyCheck())
-	executor.AddCheck(healthcheck.NewTidyLastRunCheck())
-	executor.AddCheck(healthcheck.NewTooManyCertsCheck())
-	executor.AddCheck(healthcheck.NewEnableAcmeIssuance())
-	executor.AddCheck(healthcheck.NewAllowAcmeHeaders())
-	if c.flagDefaultDisabled {
-		executor.DefaultEnabled = false
-	}
-
-	// Handle listing, if necessary.
-	if c.flagList {
-		uiFormat := Format(c.UI)
-		if uiFormat == "yaml" {
-			c.UI.Error("YAML output format is not supported by the --list command")
-			return pkiRetUsage
-		}
-
-		if uiFormat != "json" {
-			c.UI.Output("Default health check config:")
-		}
-		config := map[string]map[string]interface{}{}
-		for _, checker := range executor.Checkers {
-			config[checker.Name()] = checker.DefaultConfig()
-		}
-
-		marshaled, err := json.MarshalIndent(config, "", "  ")
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Failed to marshal default config for check: %v", err))
-			return pkiRetUsage
-		}
-
-		c.UI.Output(string(marshaled))
-		return pkiRetOK
-	}
-
-	// Handle config merging.
-	external_config := map[string]interface{}{}
-	if c.flagConfig != "" {
-		contents, err := os.Open(c.flagConfig)
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Failed to read configuration file %v: %v", c.flagConfig, err))
-			return pkiRetUsage
-		}
-
-		decoder := json.NewDecoder(contents)
-		decoder.UseNumber() // Use json.Number instead of float64 values as we are decoding to an interface{}.
-
-		if err := decoder.Decode(&external_config); err != nil {
-			c.UI.Error(fmt.Sprintf("Failed to parse configuration file %v: %v", c.flagConfig, err))
-			return pkiRetUsage
-		}
-	}
-
-	if err := executor.BuildConfig(external_config); err != nil {
-		c.UI.Error(fmt.Sprintf("Failed to build health check configuration: %v", err))
-		return pkiRetUsage
-	}
-
-	// Run the health checks.
-	results, err := executor.Execute()
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Failed to run health check: %v", err))
-		return pkiRetUsage
-	}
-
-	// Display the output.
-	if err := c.outputResults(executor, results); err != nil {
-		c.UI.Error(fmt.Sprintf("Failed to render results for display: %v", err))
-	}
-
-	// Select an appropriate return code.
-	return c.selectRetCode(results)
-}
-
-func (c *PKIHealthCheckCommand) outputResults(e *healthcheck.Executor, results map[string][]*healthcheck.Result) error {
-	switch Format(c.UI) {
-	case "", "table":
-		return c.outputResultsTable(e, results)
-	case "json":
-		return c.outputResultsJSON(results)
-	case "yaml":
-		return c.outputResultsYAML(results)
-	default:
-		return fmt.Errorf("unknown output format: %v", Format(c.UI))
-	}
-}
-
-func (c *PKIHealthCheckCommand) outputResultsTable(e *healthcheck.Executor, results map[string][]*healthcheck.Result) error {
-	// Iterate in checker order to ensure stable output.
-	for _, checker := range e.Checkers {
-		if !checker.IsEnabled() {
-			continue
-		}
-
-		scanner := checker.Name()
-		findings := results[scanner]
-
-		c.UI.Output(scanner)
-		c.UI.Output(strings.Repeat("-", len(scanner)))
-		data := []string{"status" + hopeDelim + "endpoint" + hopeDelim + "message"}
-		for _, finding := range findings {
-			row := []string{
-				finding.StatusDisplay,
-				finding.Endpoint,
-				finding.Message,
-			}
-			data = append(data, strings.Join(row, hopeDelim))
-		}
-
-		c.UI.Output(tableOutput(data, &columnize.Config{
-			Delim: hopeDelim,
-		}))
-		c.UI.Output("\n")
-	}
-
-	return nil
-}
-
-func (c *PKIHealthCheckCommand) outputResultsJSON(results map[string][]*healthcheck.Result) error {
-	bytes, err := json.MarshalIndent(results, "", "  ")
-	if err != nil {
-		return err
-	}
-
-	c.UI.Output(string(bytes))
-	return nil
-}
-
-func (c *PKIHealthCheckCommand) outputResultsYAML(results map[string][]*healthcheck.Result) error {
-	bytes, err := yaml.Marshal(results)
-	if err != nil {
-		return err
-	}
-
-	c.UI.Output(string(bytes))
-	return nil
-}
-
-func (c *PKIHealthCheckCommand) selectRetCode(results map[string][]*healthcheck.Result) int {
-	var highestResult healthcheck.ResultStatus = healthcheck.ResultNotApplicable
-	for _, findings := range results {
-		for _, finding := range findings {
-			if finding.Status > highestResult {
-				highestResult = finding.Status
-			}
-		}
-	}
-
-	cutOff := healthcheck.ResultInformational
-	switch c.flagReturnIndicator {
-	case "", "default", "informational":
-	case "permission":
-		cutOff = healthcheck.ResultInvalidVersion
-	case "critical":
-		cutOff = healthcheck.ResultCritical
-	case "warning":
-		cutOff = healthcheck.ResultWarning
-	}
-
-	if highestResult >= cutOff {
-		return int(highestResult)
-	}
-
-	return pkiRetOK
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { resolve } from 'rsvp';
+import Service from '@ember/service';
+import { setupRenderingTest } from 'ember-qunit';
+import { render, triggerEvent } from '@ember/test-helpers';
+import hbs from 'htmlbars-inline-precompile';
+
+const VALUE = 'test value';
+const LABEL = 'test label';
+const TYPE = 'array';
+const DEFAULT = 'some default value';
+
+const routerService = Service.extend({
+  transitionTo() {
+    return {
+      followRedirects() {
+        return resolve();
+      },
+    };
+  },
+  replaceWith() {
+    return resolve();
+  },
+});
+
+module('Integration | Component | InfoTableRow', function (hooks) {
+  setupRenderingTest(hooks);
+
+  hooks.beforeEach(function () {
+    this.set('value', VALUE);
+    this.set('label', LABEL);
+    this.set('type', TYPE);
+    this.set('default', DEFAULT);
+    this.owner.register('service:router', routerService);
+    this.router = this.owner.lookup('service:router');
+  });
+
+  hooks.afterEach(function () {
+    this.owner.unregister('service:store');
+  });
+
+  test('it renders', async function (assert) {
+    await render(hbs`<InfoTableRow
+        @value={{this.value}}
+        @label={{this.label}}
+        @defaultShown={{this.default}}
+      />`);
+
+    assert.dom('[data-test-component="info-table-row"]').exists();
+    assert.dom('[data-test-row-value]').hasText(VALUE, 'renders value as passed through');
+
+    this.set('value', '');
+    assert
+      .dom('[data-test-label-div]')
+      .doesNotExist('does not render if no value and alwaysRender is false (even if default exists)');
+  });
+
+  test('it renders a tooltip', async function (assert) {
+    this.set('tooltipText', 'Tooltip text!');
+
+    await render(hbs`<InfoTableRow
+        @value={{this.value}}
+        @label={{this.label}}
+        @tooltipText={{this.tooltipText}}
+      />`);
+
+    await triggerEvent('[data-test-value-div="test label"] .ember-basic-dropdown-trigger', 'mouseenter');
+
+    const tooltip = document.querySelector('div.box').textContent.trim();
+    assert.strictEqual(tooltip, 'Tooltip text!', 'renders tooltip text');
+  });
+
+  test('it should copy tooltip', async function (assert) {
+    assert.expect(3);
+
+    this.set('isCopyable', false);
+
+    await render(hbs`
+      <InfoTableRow
+        @label={{this.label}}
+        @value={{this.value}}
+        @tooltipText="Foo bar"
+        @isTooltipCopyable={{this.isCopyable}}
+      />
+    `);
+
+    await triggerEvent('[data-test-value-div="test label"] .ember-basic-dropdown-trigger', 'mouseenter');
+
+    assert.dom('[data-test-tooltip-copy]').doesNotExist('Tooltip has no copy button');
+    this.set('isCopyable', true);
+    assert.dom('[data-test-tooltip-copy]').exists('Tooltip has copy button');
+    assert
+      .dom('[data-test-tooltip-copy]')
+      .hasAttribute('data-test-tooltip-copy', 'Foo bar', 'Copy button will copy the tooltip text');
+  });
+
+  test('it renders a string with no link if isLink is true and the item type is not an array.', async function (assert) {
+    // This could be changed in the component so that it adds a link for any item type, but right now it should only add a link if item type is an array.
+    await render(hbs`<InfoTableRow
+        @value={{this.value}}
+        @label={{this.label}}
+        @isLink={{true}}
+      />`);
+    assert.dom('[data-test-row-value]').hasText(VALUE, 'renders value in code element and not in a tag');
+  });
+
+  test('it renders links if isLink is true and type is array', async function (assert) {
+    this.set('valueArray', ['valueArray']);
+    await render(hbs`<InfoTableRow
+      @value={{this.valueArray}}
+      @label={{this.label}}
+      @isLink={{true}}
+      @type={{this.type}}
+    />`);
+
+    assert.dom('[data-test-item="valueArray"]').hasText('valueArray', 'Confirm link with item value exist');
+  });
+
+  test('it renders as expected if a label and/or value do not exist', async function (assert) {
+    this.set('value', VALUE);
+    this.set('label', '');
+    this.set('default', '');
+
+    await render(hbs`<InfoTableRow
+      @value={{this.value}}
+      @label={{this.label}}
+      @alwaysRender={{true}}
+      @defaultShown={{this.default}}
+    />`);
+
+    assert.dom('div.column.is-one-quarter .flight-icon').exists('Renders a dash (-) for the label');
+
+    this.set('value', '');
+    this.set('label', LABEL);
+    assert.dom('div.column.is-flex-center .flight-icon').exists('Renders a dash (-) for empty string value');
+
+    this.set('value', null);
+    assert.dom('div.column.is-flex-center .flight-icon').exists('Renders a dash (-) for null value');
+
+    this.set('value', undefined);
+    assert.dom('div.column.is-flex-center .flight-icon').exists('Renders a dash (-) for undefined value');
+
+    this.set('default', DEFAULT);
+    assert.dom('[data-test-value-div]').hasText(DEFAULT, 'Renders default text if value is empty');
+
+    this.set('value', '');
+    this.set('label', '');
+    this.set('default', '');
+    const dashCount = document.querySelectorAll('.flight-icon').length;
+    assert.strictEqual(
+      dashCount,
+      2,
+      'Renders dash (-) when both label and value do not exist (and no defaults)'
+    );
+  });
+
+  test('block content overrides any passed in value content', async function (assert) {
+    await render(hbs`<InfoTableRow
+      @value={{this.value}}
+      @label={{this.label}}
+      @alwaysRender={{true}}>
+      Block content is here
+      </InfoTableRow>`);
+
+    const block = document.querySelector('[data-test-value-div]').textContent.trim();
+    assert.strictEqual(block, 'Block content is here', 'renders block passed through');
+  });
+
+  test('Row renders when block content even if alwaysRender = false', async function (assert) {
+    await render(hbs`<InfoTableRow
+      @label={{this.label}}
+      @alwaysRender={{false}}>
+      Block content
+    </InfoTableRow>`);
+    assert.dom('[data-test-value-div]').exists('renders block');
+    assert.dom('[data-test-value-div]').hasText('Block content', 'renders block');
+  });
+
+  test('Row does not render empty block content when alwaysRender = false', async function (assert) {
+    await render(hbs`<InfoTableRow
+      @label={{this.label}}
+      @alwaysRender={{false}} />`);
+    assert.dom('[data-test-component="info-table-row"]').doesNotExist();
+  });
+
+  test('Has dashed label if none provided', async function (assert) {
+    await render(hbs`<InfoTableRow
+        @value={{this.value}}
+      />`);
+    assert.dom('[data-test-component="info-table-row"]').exists();
+    assert.dom('[data-test-icon="minus"]').exists('renders dash when no label');
+  });
+  test('Truncates the label if too long', async function (assert) {
+    this.set('label', 'abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz');
+    await render(hbs`<InfoTableRow
+        @label={{this.label}}
+        @value={{this.value}}
+      />`);
+    assert.dom('[data-test-component="info-table-row"]').exists('Row renders');
+    assert.dom('[data-test-label-div].label-overflow').exists('Label has class label-overflow');
+    await triggerEvent('[data-test-row-label]', 'mouseenter');
+    assert.dom('[data-test-label-tooltip]').exists('Label tooltip exists on hover');
+  });
+  test('Renders if block value and alwaysrender=false', async function (assert) {
+    await render(hbs`<InfoTableRow @alwaysRender={{false}}>{{this.value}}</InfoTableRow>`);
+    assert.dom('[data-test-component="info-table-row"]').exists();
+  });
+  test('Does not render if value is empty and alwaysrender=false', async function (assert) {
+    await render(hbs`<InfoTableRow @alwaysRender={{false}} @value="" />`);
+    assert.dom('[data-test-component="info-table-row"]').doesNotExist();
+  });
+  test('Renders dash for value if value empty and alwaysRender=true', async function (assert) {
+    await render(hbs`<InfoTableRow
+        @label={{this.label}}
+        @alwaysRender={{true}}
+      />`);
+    assert.dom('[data-test-component="info-table-row"]').exists();
+    assert.dom('[data-test-value-div] [data-test-icon="minus"]').exists('renders dash for value');
+  });
+  test('Renders block over @value or @defaultShown', async function (assert) {
+    await render(hbs`<InfoTableRow
+        @label={{this.label}}
+        @value="bar"
+        @defaultShown="baz"
+      >
+        foo
+      </InfoTableRow>`);
+    assert.dom('[data-test-component="info-table-row"]').exists();
+    assert.dom('[data-test-value-div]').hasText('foo', 'renders block value');
+  });
+  test('Renders icons if value is boolean', async function (assert) {
+    this.set('value', true);
+    await render(hbs`<InfoTableRow
+      @label={{this.label}}
+      @value={{this.value}}
+    />`);
+
+    assert.dom('[data-test-boolean-true]').exists('check icon exists');
+    assert.dom('[data-test-value-div]').hasText('Yes', 'Renders yes text');
+    this.set('value', false);
+    assert.dom('[data-test-boolean-false]').exists('x icon exists');
+    assert.dom('[data-test-value-div]').hasText('No', 'renders no text');
+  });
+  test('Renders data-test attrs passed from parent', async function (assert) {
+    this.set('value', true);
+    await render(hbs`<InfoTableRow
+      @label={{this.label}}
+      @value={{this.value}}
+      data-test-foo-bar
+    />`);
+
+    assert.dom('[data-test-foo-bar]').exists();
+  });
+
+  test('Formats the value as date when formatDate present', async function (assert) {
+    this.set('value', new Date('2018-04-03T14:15:30'));
+    await render(hbs`<InfoTableRow
+      @label={{this.label}}
+      @value={{this.value}}
+      @formatDate={{'yyyy'}}
+    />`);
+
+    assert.dom('[data-test-value-div]').hasText('2018', 'Renders date with passed format');
+  });
+
+  test('Formats the value as TTL when formatTtl present', async function (assert) {
+    this.set('value', 6000);
+    await render(hbs`<InfoTableRow
+      @label={{this.label}}
+      @value={{this.value}}
+      @formatTtl={{true}}
+    />`);
+
+    assert
+      .dom('[data-test-value-div]')
+      .hasText('1 hour 40 minutes', 'Translates number value to largest unit with carryover of minutes');
+  });
+
+  test('Formats string value when formatTtl present', async function (assert) {
+    this.set('value', '45m');
+    await render(hbs`<InfoTableRow
+      @label={{this.label}}
+      @value={{this.value}}
+      @formatTtl={{true}}
+    />`);
+
+    assert.dom('[data-test-value-div]').hasText('45 minutes', 'it formats string duration');
+  });
+});
diff --git a/command/pki_health_check_test.go b/command/pki_health_check_test.go
index b3b2dfb8c830..a79b00821694 100644
--- a/command/pki_health_check_test.go
+++ b/command/pki_health_check_test.go
@@ -1,694 +1,111 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-	"net/url"
-	"strings"
-	"testing"
-	"time"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/command/healthcheck"
-
-	"github.com/mitchellh/cli"
-	"github.com/stretchr/testify/require"
-)
-
-func TestPKIHC_AllGood(t *testing.T) {
-	t.Parallel()
-
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	if err := client.Sys().Mount("pki", &api.MountInput{
-		Type: "pki",
-		Config: api.MountConfigInput{
-			AuditNonHMACRequestKeys:   healthcheck.VisibleReqParams,
-			AuditNonHMACResponseKeys:  healthcheck.VisibleRespParams,
-			PassthroughRequestHeaders: []string{"If-Modified-Since"},
-			AllowedResponseHeaders:    []string{"Last-Modified", "Replay-Nonce", "Link", "Location"},
-			MaxLeaseTTL:               "36500d",
-		},
-	}); err != nil {
-		t.Fatalf("pki mount error: %#v", err)
-	}
-
-	if resp, err := client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
-		"key_type":    "ec",
-		"common_name": "Root X1",
-		"ttl":         "3650d",
-	}); err != nil || resp == nil {
-		t.Fatalf("failed to prime CA: %v", err)
-	}
-
-	if _, err := client.Logical().Read("pki/crl/rotate"); err != nil {
-		t.Fatalf("failed to rotate CRLs: %v", err)
-	}
-
-	if _, err := client.Logical().Write("pki/roles/testing", map[string]interface{}{
-		"allow_any_name": true,
-		"no_store":       true,
-	}); err != nil {
-		t.Fatalf("failed to write role: %v", err)
-	}
-
-	if _, err := client.Logical().Write("pki/config/auto-tidy", map[string]interface{}{
-		"enabled":         true,
-		"tidy_cert_store": true,
-	}); err != nil {
-		t.Fatalf("failed to write auto-tidy config: %v", err)
-	}
-
-	if _, err := client.Logical().Write("pki/tidy", map[string]interface{}{
-		"tidy_cert_store": true,
-	}); err != nil {
-		t.Fatalf("failed to run tidy: %v", err)
-	}
-
-	path, err := url.Parse(client.Address())
-	require.NoError(t, err, "failed parsing client address")
-
-	if _, err := client.Logical().Write("pki/config/cluster", map[string]interface{}{
-		"path": path.JoinPath("/v1/", "pki/").String(),
-	}); err != nil {
-		t.Fatalf("failed to update local cluster: %v", err)
-	}
-
-	if _, err := client.Logical().Write("pki/config/acme", map[string]interface{}{
-		"enabled": "true",
-	}); err != nil {
-		t.Fatalf("failed to update acme config: %v", err)
-	}
-
-	_, _, results := execPKIHC(t, client, true)
-
-	validateExpectedPKIHC(t, expectedAllGood, results)
-}
-
-func TestPKIHC_AllBad(t *testing.T) {
-	t.Parallel()
-
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	if err := client.Sys().Mount("pki", &api.MountInput{
-		Type: "pki",
-	}); err != nil {
-		t.Fatalf("pki mount error: %#v", err)
-	}
-
-	if resp, err := client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
-		"key_type":    "ec",
-		"common_name": "Root X1",
-		"ttl":         "35d",
-	}); err != nil || resp == nil {
-		t.Fatalf("failed to prime CA: %v", err)
-	}
-
-	if _, err := client.Logical().Write("pki/config/crl", map[string]interface{}{
-		"expiry": "5s",
-	}); err != nil {
-		t.Fatalf("failed to issue leaf cert: %v", err)
-	}
-
-	if _, err := client.Logical().Read("pki/crl/rotate"); err != nil {
-		t.Fatalf("failed to rotate CRLs: %v", err)
-	}
-
-	time.Sleep(5 * time.Second)
-
-	if _, err := client.Logical().Write("pki/roles/testing", map[string]interface{}{
-		"allow_localhost":             true,
-		"allowed_domains":             "*.example.com",
-		"allow_glob_domains":          true,
-		"allow_wildcard_certificates": true,
-		"no_store":                    false,
-		"key_type":                    "ec",
-		"ttl":                         "30d",
-	}); err != nil {
-		t.Fatalf("failed to write role: %v", err)
-	}
-
-	if _, err := client.Logical().Write("pki/issue/testing", map[string]interface{}{
-		"common_name": "something.example.com",
-	}); err != nil {
-		t.Fatalf("failed to issue leaf cert: %v", err)
-	}
-
-	if _, err := client.Logical().Write("pki/config/auto-tidy", map[string]interface{}{
-		"enabled":         false,
-		"tidy_cert_store": false,
-	}); err != nil {
-		t.Fatalf("failed to write auto-tidy config: %v", err)
-	}
-
-	_, _, results := execPKIHC(t, client, true)
-
-	validateExpectedPKIHC(t, expectedAllBad, results)
-}
-
-func TestPKIHC_OnlyIssuer(t *testing.T) {
-	t.Parallel()
-
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	if err := client.Sys().Mount("pki", &api.MountInput{
-		Type: "pki",
-	}); err != nil {
-		t.Fatalf("pki mount error: %#v", err)
-	}
-
-	if resp, err := client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
-		"key_type":    "ec",
-		"common_name": "Root X1",
-		"ttl":         "35d",
-	}); err != nil || resp == nil {
-		t.Fatalf("failed to prime CA: %v", err)
-	}
-
-	_, _, results := execPKIHC(t, client, true)
-	validateExpectedPKIHC(t, expectedEmptyWithIssuer, results)
-}
-
-func TestPKIHC_NoMount(t *testing.T) {
-	t.Parallel()
-
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	code, message, _ := execPKIHC(t, client, false)
-	if code != 1 {
-		t.Fatalf("Expected return code 1 from invocation on non-existent mount, got %v\nOutput: %v", code, message)
-	}
-
-	if !strings.Contains(message, "route entry not found") {
-		t.Fatalf("Expected failure to talk about missing route entry, got exit code %v\nOutput: %v", code, message)
-	}
-}
-
-func TestPKIHC_ExpectedEmptyMount(t *testing.T) {
-	t.Parallel()
-
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	if err := client.Sys().Mount("pki", &api.MountInput{
-		Type: "pki",
-	}); err != nil {
-		t.Fatalf("pki mount error: %#v", err)
-	}
-
-	code, message, _ := execPKIHC(t, client, false)
-	if code != 1 {
-		t.Fatalf("Expected return code 1 from invocation on empty mount, got %v\nOutput: %v", code, message)
-	}
-
-	if !strings.Contains(message, "lacks any configured issuers,") {
-		t.Fatalf("Expected failure to talk about no issuers, got exit code %v\nOutput: %v", code, message)
-	}
-}
-
-func TestPKIHC_NoPerm(t *testing.T) {
-	t.Parallel()
-
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	if err := client.Sys().Mount("pki", &api.MountInput{
-		Type: "pki",
-	}); err != nil {
-		t.Fatalf("pki mount error: %#v", err)
-	}
-
-	if resp, err := client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
-		"key_type":    "ec",
-		"common_name": "Root X1",
-		"ttl":         "35d",
-	}); err != nil || resp == nil {
-		t.Fatalf("failed to prime CA: %v", err)
-	}
-
-	if _, err := client.Logical().Write("pki/config/crl", map[string]interface{}{
-		"expiry": "5s",
-	}); err != nil {
-		t.Fatalf("failed to issue leaf cert: %v", err)
-	}
-
-	if _, err := client.Logical().Read("pki/crl/rotate"); err != nil {
-		t.Fatalf("failed to rotate CRLs: %v", err)
-	}
-
-	time.Sleep(5 * time.Second)
-
-	if _, err := client.Logical().Write("pki/roles/testing", map[string]interface{}{
-		"allow_localhost":             true,
-		"allowed_domains":             "*.example.com",
-		"allow_glob_domains":          true,
-		"allow_wildcard_certificates": true,
-		"no_store":                    false,
-		"key_type":                    "ec",
-		"ttl":                         "30d",
-	}); err != nil {
-		t.Fatalf("failed to write role: %v", err)
-	}
-
-	if _, err := client.Logical().Write("pki/issue/testing", map[string]interface{}{
-		"common_name": "something.example.com",
-	}); err != nil {
-		t.Fatalf("failed to issue leaf cert: %v", err)
-	}
-
-	if _, err := client.Logical().Write("pki/config/auto-tidy", map[string]interface{}{
-		"enabled":         false,
-		"tidy_cert_store": false,
-	}); err != nil {
-		t.Fatalf("failed to write auto-tidy config: %v", err)
-	}
-
-	// Remove client token.
-	client.ClearToken()
-
-	_, _, results := execPKIHC(t, client, true)
-	validateExpectedPKIHC(t, expectedNoPerm, results)
-}
-
-func testPKIHealthCheckCommand(tb testing.TB) (*cli.MockUi, *PKIHealthCheckCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &PKIHealthCheckCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func execPKIHC(t *testing.T, client *api.Client, ok bool) (int, string, map[string][]map[string]interface{}) {
-	t.Helper()
-
-	stdout := bytes.NewBuffer(nil)
-	stderr := bytes.NewBuffer(nil)
-	runOpts := &RunOptions{
-		Stdout: stdout,
-		Stderr: stderr,
-		Client: client,
-	}
-
-	code := RunCustom([]string{"pki", "health-check", "-format=json", "pki"}, runOpts)
-	combined := stdout.String() + stderr.String()
-
-	var results map[string][]map[string]interface{}
-	if err := json.Unmarshal([]byte(combined), &results); err != nil {
-		if ok {
-			t.Fatalf("failed to decode json (ret %v): %v\njson:\n%v", code, err, combined)
-		}
-	}
-
-	t.Log(combined)
-
-	return code, combined, results
-}
-
-func validateExpectedPKIHC(t *testing.T, expected, results map[string][]map[string]interface{}) {
-	t.Helper()
-
-	for test, subtest := range expected {
-		actual, ok := results[test]
-		require.True(t, ok, fmt.Sprintf("expected top-level test %v to be present", test))
-
-		if subtest == nil {
-			continue
-		}
-
-		require.NotNil(t, actual, fmt.Sprintf("expected top-level test %v to be non-empty; wanted wireframe format %v", test, subtest))
-		require.Equal(t, len(subtest), len(actual), fmt.Sprintf("top-level test %v has different number of results %v in wireframe, %v in test output\nwireframe: %v\noutput: %v\n", test, len(subtest), len(actual), subtest, actual))
-
-		for index, subset := range subtest {
-			for key, value := range subset {
-				a_value, present := actual[index][key]
-				require.True(t, present)
-				if value != nil {
-					require.Equal(t, value, a_value, fmt.Sprintf("in test: %v / result %v - when validating key %v\nWanted: %v\nGot: %v", test, index, key, subset, actual[index]))
-				}
-			}
-		}
-	}
-
-	for name := range results {
-		if _, present := expected[name]; !present {
-			t.Fatalf("got unexpected health check: %v\n%v", name, results[name])
-		}
-	}
-}
-
-var expectedAllGood = map[string][]map[string]interface{}{
-	"ca_validity_period": {
-		{
-			"status": "ok",
-		},
-	},
-	"crl_validity_period": {
-		{
-			"status": "ok",
-		},
-		{
-			"status": "ok",
-		},
-	},
-	"allow_acme_headers": {
-		{
-			"status": "ok",
-		},
-	},
-	"allow_if_modified_since": {
-		{
-			"status": "ok",
-		},
-	},
-	"audit_visibility": {
-		{
-			"status": "ok",
-		},
-	},
-	"enable_acme_issuance": {
-		{
-			"status": "ok",
-		},
-	},
-	"enable_auto_tidy": {
-		{
-			"status": "ok",
-		},
-	},
-	"role_allows_glob_wildcards": {
-		{
-			"status": "ok",
-		},
-	},
-	"role_allows_localhost": {
-		{
-			"status": "ok",
-		},
-	},
-	"role_no_store_false": {
-		{
-			"status": "ok",
-		},
-	},
-	"root_issued_leaves": {
-		{
-			"status": "ok",
-		},
-	},
-	"tidy_last_run": {
-		{
-			"status": "ok",
-		},
-	},
-	"too_many_certs": {
-		{
-			"status": "ok",
-		},
-	},
-}
-
-var expectedAllBad = map[string][]map[string]interface{}{
-	"ca_validity_period": {
-		{
-			"status": "critical",
-		},
-	},
-	"crl_validity_period": {
-		{
-			"status": "critical",
-		},
-		{
-			"status": "critical",
-		},
-	},
-	"allow_acme_headers": {
-		{
-			"status": "not_applicable",
-		},
-	},
-	"allow_if_modified_since": {
-		{
-			"status": "informational",
-		},
-	},
-	"audit_visibility": {
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-		{
-			"status": "informational",
-		},
-	},
-	"enable_acme_issuance": {
-		{
-			"status": "not_applicable",
-		},
-	},
-	"enable_auto_tidy": {
-		{
-			"status": "informational",
-		},
-	},
-	"role_allows_glob_wildcards": {
-		{
-			"status": "warning",
-		},
-	},
-	"role_allows_localhost": {
-		{
-			"status": "warning",
-		},
-	},
-	"role_no_store_false": {
-		{
-			"status": "warning",
-		},
-	},
-	"root_issued_leaves": {
-		{
-			"status": "warning",
-		},
-	},
-	"tidy_last_run": {
-		{
-			"status": "critical",
-		},
-	},
-	"too_many_certs": {
-		{
-			"status": "ok",
-		},
-	},
-}
-
-var expectedEmptyWithIssuer = map[string][]map[string]interface{}{
-	"ca_validity_period": {
-		{
-			"status": "critical",
-		},
-	},
-	"crl_validity_period": {
-		{
-			"status": "ok",
-		},
-		{
-			"status": "ok",
-		},
-	},
-	"allow_acme_headers": {
-		{
-			"status": "not_applicable",
-		},
-	},
-	"allow_if_modified_since": nil,
-	"audit_visibility":        nil,
-	"enable_acme_issuance": {
-		{
-			"status": "not_applicable",
-		},
-	},
-	"enable_auto_tidy": {
-		{
-			"status": "informational",
-		},
-	},
-	"role_allows_glob_wildcards": nil,
-	"role_allows_localhost":      nil,
-	"role_no_store_false":        nil,
-	"root_issued_leaves": {
-		{
-			"status": "ok",
-		},
-	},
-	"tidy_last_run": {
-		{
-			"status": "critical",
-		},
-	},
-	"too_many_certs": {
-		{
-			"status": "ok",
-		},
-	},
-}
-
-var expectedNoPerm = map[string][]map[string]interface{}{
-	"ca_validity_period": {
-		{
-			"status": "critical",
-		},
-	},
-	"crl_validity_period": {
-		{
-			"status": "insufficient_permissions",
-		},
-		{
-			"status": "critical",
-		},
-		{
-			"status": "critical",
-		},
-	},
-	"allow_acme_headers": {
-		{
-			"status": "insufficient_permissions",
-		},
-	},
-	"allow_if_modified_since": nil,
-	"audit_visibility":        nil,
-	"enable_acme_issuance": {
-		{
-			"status": "insufficient_permissions",
-		},
-	},
-	"enable_auto_tidy": {
-		{
-			"status": "insufficient_permissions",
-		},
-	},
-	"role_allows_glob_wildcards": {
-		{
-			"status": "insufficient_permissions",
-		},
-	},
-	"role_allows_localhost": {
-		{
-			"status": "insufficient_permissions",
-		},
-	},
-	"role_no_store_false": {
-		{
-			"status": "insufficient_permissions",
-		},
-	},
-	"root_issued_leaves": {
-		{
-			"status": "insufficient_permissions",
-		},
-	},
-	"tidy_last_run": {
-		{
-			"status": "insufficient_permissions",
-		},
-	},
-	"too_many_certs": {
-		{
-			"status": "insufficient_permissions",
-		},
-	},
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+{{#if (or (has-block) this.isVisible)}}
+  <div class="info-table-row" data-test-component="info-table-row" ...attributes>
+    <div
+      class="column {{or @labelWidth 'is-one-quarter'}} {{if this.hasLabelOverflow 'label-overflow'}}"
+      data-test-label-div
+      {{did-insert this.calculateLabelOverflow}}
+    >
+      {{#if @label}}
+        {{#if this.hasLabelOverflow}}
+          <ToolTip @verticalPosition="below" @horizontalPosition="left" as |T|>
+            <T.Trigger @tabindex={{false}}>
+              <span class="is-label has-text-grey-dark" data-test-row-label={{@label}}>{{@label}}</span>
+            </T.Trigger>
+            <T.Content @defaultClass="tool-tip">
+              <div class="box fit-content" data-test-label-tooltip>
+                {{@label}}
+              </div>
+            </T.Content>
+          </ToolTip>
+        {{else}}
+          <span class="is-label has-text-grey-dark" data-test-row-label={{@label}}>{{@label}}</span>
+        {{/if}}
+        {{#if @helperText}}
+          <div>
+            <span class="is-label helper-text has-text-grey">{{@helperText}}</span>
+          </div>
+        {{/if}}
+      {{else}}
+        <Icon @name="minus" />
+      {{/if}}
+    </div>
+    <div class="column is-flex-center {{if @truncateValue 'is-two-thirds'}}" data-test-value-div={{@label}}>
+      {{#if @addCopyButton}}
+        <Hds::Copy::Button
+          @text="Copy"
+          @isIconOnly={{true}}
+          @textToCopy={{@value}}
+          class="transparent has-padding-xxs"
+          data-test-copy-button={{@value}}
+        />
+      {{/if}}
+      {{#if (has-block)}}
+        {{yield}}
+      {{else if this.valueIsBoolean}}
+        {{#if @value}}
+          <Icon class="icon-true" @name="check-circle" data-test-boolean-true />
+          Yes
+        {{else}}
+          <Icon @name="x-square" class="icon-false" data-test-boolean-false />
+          No
+        {{/if}}
+        {{! @alwaysRender (this.isVisible) is still true }}
+      {{else if this.valueIsEmpty}}
+        {{#if @defaultShown}}
+          <span data-test-row-value={{@label}}>{{@defaultShown}}</span>
+        {{else}}
+          <Icon @name="minus" />
+        {{/if}}
+      {{else if @formatDate}}
+        {{date-format @value @formatDate}}
+      {{else if @formatTtl}}
+        {{format-duration @value}}
+      {{else}}
+        {{#if (eq @type "array")}}
+          <InfoTableItemArray
+            @label={{@label}}
+            @backend={{@backend}}
+            @displayArray={{@value}}
+            @isLink={{@isLink}}
+            @modelType={{@modelType}}
+            @queryParam={{@queryParam}}
+            @wildcardLabel={{@wildcardLabel}}
+            @rootRoute={{@rootRoute}}
+            @itemRoute={{@itemRoute}}
+            @doNotTruncate={{@doNotTruncate}}
+            @renderItemName={{@renderItemName}}
+          />
+        {{else}}
+          {{#if @tooltipText}}
+            <ToolTip @verticalPosition="above" @horizontalPosition="left" as |T|>
+              <T.Trigger @tabindex={{false}}>
+                <span class="is-word-break has-text-black" data-test-row-value={{@label}}>{{@value}}</span>
+              </T.Trigger>
+              <T.Content @defaultClass="tool-tip">
+                <div class="box is-flex-center">
+                  {{@tooltipText}}
+                  {{#if @isTooltipCopyable}}
+                    <Hds::Copy::Button
+                      @text="Copy"
+                      @isIconOnly={{true}}
+                      @textToCopy={{@tooltipText}}
+                      class="transparent white-icon"
+                      data-test-tooltip-copy={{@tooltipText}}
+                    />
+                  {{/if}}
+                </div>
+              </T.Content>
+            </ToolTip>
+          {{else}}
+            <span class="is-word-break has-text-black" data-test-row-value={{@label}}>{{@value}}</span>
+          {{/if}}
+        {{/if}}
+      {{/if}}
+    </div>
+  </div>
+{{/if}}
\ No newline at end of file
diff --git a/command/plugin.go b/command/plugin.go
index 49e5635db1ba..af3fd58d2295 100644
--- a/command/plugin.go
+++ b/command/plugin.go
@@ -1,51 +1,219 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"strings"
-
-	"github.com/mitchellh/cli"
-)
-
-var _ cli.Command = (*PluginCommand)(nil)
-
-type PluginCommand struct {
-	*BaseCommand
-}
-
-func (c *PluginCommand) Synopsis() string {
-	return "Interact with Vault plugins and catalog"
-}
-
-func (c *PluginCommand) Help() string {
-	helpText := `
-Usage: vault plugin <subcommand> [options] [args]
-
-  This command groups subcommands for interacting with Vault's plugins and the
-  plugin catalog. The plugin catalog is divided into three types: "auth", 
-  "database", and "secret" plugins. A type must be specified on each call. Here 
-  are a few examples of the plugin commands.
-
-  List all available plugins in the catalog of a particular type:
-
-      $ vault plugin list database
-
-  Register a new plugin to the catalog as a particular type:
-
-      $ vault plugin register -sha256=d3f0a8b... auth my-custom-plugin
-
-  Get information about a plugin in the catalog listed under a particular type:
-
-      $ vault plugin info auth my-custom-plugin
-
-  Please see the individual subcommand help for detailed usage information.
-`
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *PluginCommand) Run(args []string) int {
-	return cli.RunResultHelp
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<SplashPage>
+  <:header>
+    {{#if (and this.model.usingRaft (not this.prefersInit))}}
+      <h1 class="title is-4">
+        Raft Storage
+      </h1>
+    {{else if this.keyData}}
+      {{#let (or this.keyData.recovery_keys this.keyData.keys) as |keyArray|}}
+        <h1 class="title is-4">
+          Vault has been initialized!
+          {{#if (eq keyArray.length 1)}}
+            Here is your key.
+          {{else}}
+            Here are your
+            {{pluralize keyArray.length "key"}}.
+          {{/if}}
+        </h1>
+      {{/let}}
+    {{else}}
+      <h1 class="title h5">
+        Let's set up the initial set of root keys that you will need in case of an emergency.
+      </h1>
+    {{/if}}
+  </:header>
+  <:content>
+    {{#if (and this.model.usingRaft (not this.prefersInit))}}
+      <RaftJoin @onDismiss={{action (mut this.prefersInit) true}} />
+    {{else if this.keyData}}
+      <div class="box is-marginless is-shadowless">
+        <div class="content">
+          <p>
+            {{#if this.keyData.recovery_keys}}
+              Please securely distribute the keys below. Certain privileged operations in Vault such as rekeying the barrier
+              or generating a new root token will require you to provide at least
+              <strong class="has-text-danger">{{this.secret_threshold}}</strong>
+              of these keys to perform the operation.
+            {{else}}
+              Please securely distribute the keys below. When the Vault is re-sealed, restarted, or stopped, you must provide
+              at least
+              <strong class="has-text-danger">{{this.secret_threshold}}</strong>
+              of these keys to unseal it again. Vault does not store the root key. Without at least
+              <strong class="has-text-danger">{{this.secret_threshold}}</strong>
+              keys, your Vault will remain permanently sealed.
+            {{/if}}
+          </p>
+        </div>
+        <div class="message is-list is-highlight">
+          <div class="message-body">
+            <h4 class="title is-7 is-marginless">
+              Initial root token
+            </h4>
+            <MaskedInput
+              @class="is-highlight has-label"
+              @displayOnly={{true}}
+              @value={{this.keyData.root_token}}
+              @allowCopy={{true}}
+            />
+          </div>
+        </div>
+        {{#each
+          (or this.keyData.recovery_keys_base64 this.keyData.recovery_keys this.keyData.keys_base64 this.keyData.keys)
+          as |key index|
+        }}
+          <div data-test-key-box class="message is-list">
+            <div class="message-body">
+              <h4 class="title is-7 is-marginless">
+                Key
+                {{add index 1}}
+              </h4>
+              <MaskedInput @class="has-label" @displayOnly={{true}} @value={{key}} @allowCopy={{true}} />
+            </div>
+          </div>
+        {{/each}}
+      </div>
+      <div class="box is-marginless is-shadowless">
+        <Hds::ButtonSet>
+          {{#if (and this.model.sealed (not this.keyData.recovery_keys))}}
+            <Hds::Button
+              @text="Continue to Unseal"
+              @color="primary"
+              @route="vault.cluster.unseal"
+              @model={{this.model.name}}
+              data-test-advance-button
+            />
+          {{else}}
+            <Hds::Button
+              @text="Continue to Authenticate"
+              @color="primary"
+              @route="vault.cluster.auth"
+              @model={{this.model.name}}
+              @icon={{if this.model.sealed "loading"}}
+              disabled={{this.model.sealed}}
+              data-test-advance-button
+            />
+          {{/if}}
+          <DownloadButton
+            @color="tertiary"
+            @filename={{this.keyFilename}}
+            @data={{this.keyData}}
+            @extension="json"
+            @stringify={{true}}
+            @text="Download keys"
+          />
+        </Hds::ButtonSet>
+      </div>
+    {{else}}
+      <form
+        {{action
+          "initCluster"
+          (hash
+            secret_shares=this.secret_shares
+            secret_threshold=this.secret_threshold
+            pgp_keys=this.pgp_keys
+            use_pgp=this.use_pgp
+            use_pgp_for_root=this.use_pgp_for_root
+            root_token_pgp_key=this.root_token_pgp_key
+          )
+          on="submit"
+        }}
+        id="init"
+      >
+        <div class="box is-marginless is-shadowless">
+          <MessageError @errors={{this.errors}} />
+          <div class="field">
+            <label for="key-shares" class="is-label">
+              Key shares
+            </label>
+            <div class="control">
+              <Input
+                data-test-key-shares="true"
+                class="input"
+                autocomplete="off"
+                spellcheck="false"
+                name="key-shares"
+                @type="number"
+                step="1"
+                min="1"
+                pattern="[0-9]*"
+                @value={{this.secret_shares}}
+              />
+            </div>
+            <p class="help has-text-grey">
+              The number of key shares to split the root key into
+            </p>
+          </div>
+          <div class="field">
+            <label for="key-threshold" class="is-label">
+              Key threshold
+            </label>
+            <div class="control">
+              <Input
+                data-test-key-threshold="true"
+                class="input"
+                autocomplete="off"
+                spellcheck="false"
+                name="key-threshold"
+                @type="number"
+                step="1"
+                min="1"
+                pattern="[0-9]*"
+                @value={{this.secret_threshold}}
+              />
+            </div>
+            <p class="help has-text-grey">
+              The number of key shares required to reconstruct the root key
+            </p>
+          </div>
+          <ToggleButton
+            @isOpen={{this.use_pgp}}
+            @openLabel="Encrypt output with PGP"
+            @closedLabel="Encrypt output with PGP"
+            @onClick={{fn (mut this.use_pgp)}}
+            class="is-block"
+          />
+          {{#if this.use_pgp}}
+            <div class="box init-box">
+              <p class="help has-text-grey">
+                The output unseal keys will be encrypted and hex-encoded, in order, with the given public keys.
+              </p>
+              <PgpList @listLength={{this.secret_shares}} @onDataUpdate={{action "setKeys"}} />
+            </div>
+          {{/if}}
+          <ToggleButton
+            @isOpen={{this.use_pgp_for_root}}
+            @openLabel="Encrypt root token with PGP"
+            @closedLabel="Encrypt root token with PGP"
+            @onClick={{fn (mut this.use_pgp_for_root)}}
+            class="is-block"
+          />
+          {{#if this.use_pgp_for_root}}
+            <div class="box init-box">
+              <p class="help has-text-grey">
+                The root unseal key will be encrypted and hex-encoded with the given public key.
+              </p>
+              <PgpList @listLength={{1}} @onDataUpdate={{action "setRootKey"}} />
+            </div>
+          {{/if}}
+        </div>
+        <div class="box is-marginless is-shadowless">
+          <Hds::Button
+            @text="Initialize"
+            @icon={{if this.loading "loading"}}
+            data-test-init-submit
+            type="submit"
+            disabled={{this.loading}}
+          />
+          <div class="init-illustration">
+            {{svg-jar "initialize"}}
+          </div>
+        </div>
+      </form>
+    {{/if}}
+  </:content>
+</SplashPage>
\ No newline at end of file
diff --git a/command/plugin_deregister.go b/command/plugin_deregister.go
index 4b9de504db84..34b6ad402c7f 100644
--- a/command/plugin_deregister.go
+++ b/command/plugin_deregister.go
@@ -1,132 +1,107 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
+---
+layout: docs
+page_title: Vault Secrets Operator Installation
+description: >-
+  The Vault Secrets Operator can be installed using Helm.
+---
 
-package command
-
-import (
-	"fmt"
-	"strings"
-
-	semver "github.com/hashicorp/go-version"
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*PluginDeregisterCommand)(nil)
-	_ cli.CommandAutocomplete = (*PluginDeregisterCommand)(nil)
-)
-
-type PluginDeregisterCommand struct {
-	*BaseCommand
-
-	flagPluginVersion string
-}
-
-func (c *PluginDeregisterCommand) Synopsis() string {
-	return "Deregister an existing plugin in the catalog"
-}
-
-func (c *PluginDeregisterCommand) Help() string {
-	helpText := `
-Usage: vault plugin deregister [options] TYPE NAME
-
-  Deregister an existing plugin in the catalog. If the plugin does not exist,
-  no action is taken (the command is idempotent). The TYPE argument
-  takes "auth", "database", or "secret".
-
-  Deregister the unversioned auth plugin named my-custom-plugin:
-
-      $ vault plugin deregister auth my-custom-plugin
-
-  Deregister the auth plugin named my-custom-plugin, version 1.0.0:
-
-      $ vault plugin deregister -version=v1.0.0 auth my-custom-plugin
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *PluginDeregisterCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP)
-
-	f := set.NewFlagSet("Command Options")
-
-	f.StringVar(&StringVar{
-		Name:       "version",
-		Target:     &c.flagPluginVersion,
-		Completion: complete.PredictAnything,
-		Usage: "Semantic version of the plugin to deregister. If unset, " +
-			"only an unversioned plugin may be deregistered.",
-	})
-
-	return set
-}
-
-func (c *PluginDeregisterCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultPlugins(api.PluginTypeUnknown)
-}
-
-func (c *PluginDeregisterCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *PluginDeregisterCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	var pluginNameRaw, pluginTypeRaw string
-	args = f.Args()
-	switch len(args) {
-	case 0:
-		c.UI.Error("Not enough arguments (expected 1, or 2, got 0)")
-		return 1
-	case 1:
-		pluginTypeRaw = "unknown"
-		pluginNameRaw = args[0]
-	case 2:
-		pluginTypeRaw = args[0]
-		pluginNameRaw = args[1]
-	default:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, or 2, got %d)", len(args)))
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	pluginType, err := api.ParsePluginType(strings.TrimSpace(pluginTypeRaw))
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-	pluginName := strings.TrimSpace(pluginNameRaw)
-	if c.flagPluginVersion != "" {
-		_, err := semver.NewSemver(c.flagPluginVersion)
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("version %q is not a valid semantic version: %v", c.flagPluginVersion, err))
-			return 2
-		}
-	}
-
-	if err := client.Sys().DeregisterPlugin(&api.DeregisterPluginInput{
-		Name:    pluginName,
-		Type:    pluginType,
-		Version: c.flagPluginVersion,
-	}); err != nil {
-		c.UI.Error(fmt.Sprintf("Error deregistering plugin named %s: %s", pluginName, err))
-		return 2
-	}
-
-	c.UI.Output(fmt.Sprintf("Success! Deregistered plugin (if it was registered): %s", pluginName))
-	return 0
-}
+# Installing and upgrading the Vault Secrets Operator
+
+## Prerequisites
+
+- A Kubernetes cluster running 1.23+
+- Helm 3.7+
+
+## Installation using helm
+
+[Install Helm](https://helm.sh/docs/intro/install) before beginning.
+
+The [Vault Secrets Operator Helm chart](/vault/docs/platform/k8s/vso/helm) is the recommended way of
+installing and configuring the Vault Secrets Operator.
+
+To install a new instance of the Vault Secrets Operator, first add the
+HashiCorp helm repository and ensure you have access to the chart:
+
+```shell-session
+$ helm repo add hashicorp https://helm.releases.hashicorp.com
+"hashicorp" has been added to your repositories
+```
+
+```shell-session
+$ helm search repo hashicorp/vault-secrets-operator
+NAME           	CHART VERSION	APP VERSION	DESCRIPTION
+hashicorp/vault-secrets-operator	0.4.1       	0.4.1     	Official HashiCorp Vault Secrets Operator Chart
+```
+
+Then install the Operator:
+
+```shell-session
+$ helm install --version 0.4.1 --create-namespace --namespace vault-secrets-operator vault-secrets-operator hashicorp/vault-secrets-operator
+```
+
+
+## Upgrading using helm
+
+You can upgrade an existing installation with the `helm upgrade` command.
+Please always run Helm with the `--dry-run` option before any install or upgrade to verify
+changes.
+
+Update the `hashicorp` Helm repo:
+```shell-session
+$ helm repo update hashicorp
+Hang tight while we grab the latest from your chart repositories...
+...Successfully got an update from the "hashicorp" chart repository
+Update Complete. ⎈Happy Helming!⎈
+```
+
+<Note title="Helm does not automatically update CRDs">
+  You must update all CRDs manually before upgrading VSO.
+  Refer to <a href="#updating-crds">Updating CRDs</a>.
+</Note>
+
+To upgrade your VSO release, replace `<TARGET_VSO_VERSION>` with the VSO version you are upgrading to:
+```shell-session
+$ helm show crds --version <TARGET_VSO_VERSION> hashicorp/vault-secrets-operator | kubectl apply -f -
+$ helm upgrade --version <TARGET_VSO_VERSION> --namespace vault-secrets-operator vault-secrets-operator hashicorp/vault-secrets-operator
+```
+
+For example, if you are upgrading to VSO 0.4.1:
+```shell-session
+$ helm show crds --version 0.4.1 hashicorp/vault-secrets-operator | kubectl apply -f -
+$ helm upgrade --version 0.4.1 --namespace vault-secrets-operator vault-secrets-operator hashicorp/vault-secrets-operator
+```
+
+## Updating CRDs
+
+You must update the CRDs for VSO manually **before** you upgrade the
+ operator when the operator is managed by Helm.
+
+**Any `kubectl` warnings related to `last-applied-configuration` should be safe to ignore.**
+
+To update the VSO CRDs, replace `<TARGET_VSO_VERSION>` with the VSO version you are upgrading to:
+```shell-session
+$ helm show crds --version <TARGET_VSO_VERSION> hashicorp/vault-secrets-operator | kubectl apply -f -
+```
+
+For example, if you are upgrading to VSO 0.4.1:
+```shell-session
+$ helm show crds --version 0.4.1 hashicorp/vault-secrets-operator | kubectl apply -f -
+
+customresourcedefinition.apiextensions.k8s.io/hcpauths.secrets.hashicorp.com created
+customresourcedefinition.apiextensions.k8s.io/hcpvaultsecretsapps.secrets.hashicorp.com created
+Warning: resource customresourcedefinitions/vaultauths.secrets.hashicorp.com is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
+customresourcedefinition.apiextensions.k8s.io/vaultauths.secrets.hashicorp.com configured
+Warning: resource customresourcedefinitions/vaultconnections.secrets.hashicorp.com is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
+customresourcedefinition.apiextensions.k8s.io/vaultconnections.secrets.hashicorp.com configured
+Warning: resource customresourcedefinitions/vaultdynamicsecrets.secrets.hashicorp.com is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
+customresourcedefinition.apiextensions.k8s.io/vaultdynamicsecrets.secrets.hashicorp.com configured
+Warning: resource customresourcedefinitions/vaultpkisecrets.secrets.hashicorp.com is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
+customresourcedefinition.apiextensions.k8s.io/vaultpkisecrets.secrets.hashicorp.com configured
+Warning: resource customresourcedefinitions/vaultstaticsecrets.secrets.hashicorp.com is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
+customresourcedefinition.apiextensions.k8s.io/vaultstaticsecrets.secrets.hashicorp.com configured
+```
+
+## Chart values
+
+Refer to the [VSO helm chart](/vault/docs/platform/k8s/vso/helm)
+ overview for a full list of supported chart values.
diff --git a/command/plugin_deregister_test.go b/command/plugin_deregister_test.go
index f23c8b6c433c..c3a29b72335b 100644
--- a/command/plugin_deregister_test.go
+++ b/command/plugin_deregister_test.go
@@ -1,263 +1,65 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
-	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/mitchellh/cli"
-)
-
-func testPluginDeregisterCommand(tb testing.TB) (*cli.MockUi, *PluginDeregisterCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &PluginDeregisterCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestPluginDeregisterCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"not_enough_args",
-			nil,
-			"Not enough arguments",
-			1,
-		},
-		{
-			"too_many_args",
-			[]string{"foo", "bar", "fizz"},
-			"Too many arguments",
-			1,
-		},
-		{
-			"not_a_plugin",
-			[]string{consts.PluginTypeCredential.String(), "nope_definitely_never_a_plugin_nope"},
-			"",
-			0,
-		},
-	}
-
-	for _, tc := range cases {
-		tc := tc
-
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			client, closer := testVaultServer(t)
-			defer closer()
-
-			ui, cmd := testPluginDeregisterCommand(t)
-			cmd.client = client
-
-			code := cmd.Run(tc.args)
-			if code != tc.code {
-				t.Errorf("expected %d to be %d", code, tc.code)
-			}
-
-			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-			if !strings.Contains(combined, tc.out) {
-				t.Errorf("expected %q to contain %q", combined, tc.out)
-			}
-		})
-	}
-
-	t.Run("integration", func(t *testing.T) {
-		t.Parallel()
-
-		pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
-		defer cleanup(t)
-
-		client, _, closer := testVaultServerPluginDir(t, pluginDir)
-		defer closer()
-
-		pluginName := "my-plugin"
-		_, sha256Sum := testPluginCreateAndRegister(t, client, pluginDir, pluginName, api.PluginTypeCredential, "")
-
-		ui, cmd := testPluginDeregisterCommand(t)
-		cmd.client = client
-
-		if err := client.Sys().RegisterPlugin(&api.RegisterPluginInput{
-			Name:    pluginName,
-			Type:    api.PluginTypeCredential,
-			Command: pluginName,
-			SHA256:  sha256Sum,
-		}); err != nil {
-			t.Fatal(err)
-		}
-
-		code := cmd.Run([]string{
-			consts.PluginTypeCredential.String(),
-			pluginName,
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Success! Deregistered plugin (if it was registered): "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-
-		resp, err := client.Sys().ListPlugins(&api.ListPluginsInput{
-			Type: api.PluginTypeCredential,
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		found := false
-		for _, plugins := range resp.PluginsByType {
-			for _, p := range plugins {
-				if p == pluginName {
-					found = true
-				}
-			}
-		}
-		if found {
-			t.Errorf("expected %q to not be in %q", pluginName, resp.PluginsByType)
-		}
-	})
-
-	t.Run("integration with version", func(t *testing.T) {
-		t.Parallel()
-
-		pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
-		defer cleanup(t)
-
-		client, _, closer := testVaultServerPluginDir(t, pluginDir)
-		defer closer()
-
-		pluginName := "my-plugin"
-		_, _, version := testPluginCreateAndRegisterVersioned(t, client, pluginDir, pluginName, api.PluginTypeCredential)
-
-		ui, cmd := testPluginDeregisterCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"-version=" + version,
-			consts.PluginTypeCredential.String(),
-			pluginName,
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Success! Deregistered plugin (if it was registered): "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-
-		resp, err := client.Sys().ListPlugins(&api.ListPluginsInput{
-			Type: api.PluginTypeUnknown,
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		found := false
-		for _, p := range resp.Details {
-			if p.Name == pluginName {
-				found = true
-			}
-		}
-		if found {
-			t.Errorf("expected %q to not be in %#v", pluginName, resp.Details)
-		}
-	})
-
-	t.Run("integration with missing version", func(t *testing.T) {
-		t.Parallel()
-
-		pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
-		defer cleanup(t)
-
-		client, _, closer := testVaultServerPluginDir(t, pluginDir)
-		defer closer()
-
-		pluginName := "my-plugin"
-		testPluginCreateAndRegisterVersioned(t, client, pluginDir, pluginName, api.PluginTypeCredential)
-
-		ui, cmd := testPluginDeregisterCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			consts.PluginTypeCredential.String(),
-			pluginName,
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Success! Deregistered plugin (if it was registered): "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-
-		resp, err := client.Sys().ListPlugins(&api.ListPluginsInput{
-			Type: api.PluginTypeUnknown,
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		found := false
-		for _, p := range resp.Details {
-			if p.Name == pluginName {
-				found = true
-			}
-		}
-		if !found {
-			t.Errorf("expected %q to be in %#v", pluginName, resp.Details)
-		}
-	})
-
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerBad(t)
-		defer closer()
-
-		ui, cmd := testPluginDeregisterCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			consts.PluginTypeCredential.String(),
-			"my-plugin",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Error deregistering plugin named my-plugin: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testPluginDeregisterCommand(t)
-		assertNoTabs(t, cmd)
-	})
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<div ...attributes>
+  {{#if this.getShowToolbar}}
+    <div data-test-component="json-editor-toolbar">
+      <Toolbar>
+        <label class="has-text-weight-bold" data-test-component="json-editor-title">
+          {{@title}}
+          {{#if @subTitle}}
+            <span class="is-size-9 is-lowercase has-text-grey">({{@subTitle}})</span>
+          {{/if}}
+        </label>
+        <ToolbarActions>
+          {{yield}}
+          {{#if @example}}
+            <Hds::Button
+              class="toolbar-button"
+              @icon="reload"
+              @text="Restore example"
+              disabled={{not @value}}
+              {{on "click" this.restoreExample}}
+              data-test-restore-example
+            />
+          {{/if}}
+          <div class="toolbar-separator"></div>
+          <Hds::Copy::Button
+            @container={{@container}}
+            @text="Copy"
+            @isIconOnly={{true}}
+            @textToCopy={{@value}}
+            class="transparent"
+            data-test-copy-button={{@value}}
+          />
+        </ToolbarActions>
+      </Toolbar>
+    </div>
+  {{/if}}
+  <div
+    {{code-mirror
+      content=(or @value @example)
+      extraKeys=@extraKeys
+      gutters=@gutters
+      lineNumbers=(if @readOnly false true)
+      mode=@mode
+      readOnly=@readOnly
+      theme=@theme
+      viewportMarg=@viewportMargin
+      onSetup=this.onSetup
+      onUpdate=this.onUpdate
+      onFocus=this.onFocus
+      autoRefresh=(if @container true false)
+    }}
+    class={{if @readOnly "readonly-codemirror"}}
+    data-test-component="code-mirror-modifier"
+  ></div>
+
+  {{#if @helpText}}
+    <div class="box is-shadowless is-fullwidth has-short-padding">
+      <p class="sub-text">{{@helpText}}</p>
+    </div>
+  {{/if}}
+</div>
\ No newline at end of file
diff --git a/command/plugin_info.go b/command/plugin_info.go
index b1cf7acb04a2..77e983fd1d8f 100644
--- a/command/plugin_info.go
+++ b/command/plugin_info.go
@@ -1,141 +1,105 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*PluginInfoCommand)(nil)
-	_ cli.CommandAutocomplete = (*PluginInfoCommand)(nil)
-)
-
-type PluginInfoCommand struct {
-	*BaseCommand
-
-	flagVersion string
-}
-
-func (c *PluginInfoCommand) Synopsis() string {
-	return "Read information about a plugin in the catalog"
-}
-
-func (c *PluginInfoCommand) Help() string {
-	helpText := `
-Usage: vault plugin info [options] TYPE NAME
-
-  Displays information about a plugin in the catalog with the given name. If
-  the plugin does not exist, an error is returned. The argument of type
-  takes "auth", "database", or "secret".
-
-  Get info about a plugin:
-
-      $ vault plugin info database mysql-database-plugin
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *PluginInfoCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
-
-	f := set.NewFlagSet("Command Options")
-
-	f.StringVar(&StringVar{
-		Name:       "version",
-		Target:     &c.flagVersion,
-		Completion: complete.PredictAnything,
-		Usage:      "Semantic version of the plugin. Optional.",
-	})
-
-	return set
-}
-
-func (c *PluginInfoCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultPlugins(api.PluginTypeUnknown)
-}
-
-func (c *PluginInfoCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *PluginInfoCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	var pluginNameRaw, pluginTypeRaw string
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1 or 2, got %d)", len(args)))
-		return 1
-	case len(args) > 2:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1 or 2, got %d)", len(args)))
-		return 1
-
-	// These cases should come after invalid cases have been checked
-	case len(args) == 1:
-		pluginTypeRaw = "unknown"
-		pluginNameRaw = args[0]
-	case len(args) == 2:
-		pluginTypeRaw = args[0]
-		pluginNameRaw = args[1]
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	pluginType, err := api.ParsePluginType(strings.TrimSpace(pluginTypeRaw))
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-	pluginName := strings.TrimSpace(pluginNameRaw)
-
-	resp, err := client.Sys().GetPlugin(&api.GetPluginInput{
-		Name:    pluginName,
-		Type:    pluginType,
-		Version: c.flagVersion,
-	})
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error reading plugin named %s: %s", pluginName, err))
-		return 2
-	}
-
-	if resp == nil {
-		c.UI.Error(fmt.Sprintf("No value found for plugin %q", pluginName))
-		return 2
-	}
-
-	data := map[string]interface{}{
-		"args":               resp.Args,
-		"builtin":            resp.Builtin,
-		"command":            resp.Command,
-		"oci_image":          resp.OCIImage,
-		"runtime":            resp.Runtime,
-		"name":               resp.Name,
-		"sha256":             resp.SHA256,
-		"deprecation_status": resp.DeprecationStatus,
-		"version":            resp.Version,
-	}
-
-	if c.flagField != "" {
-		return PrintRawField(c.UI, data, c.flagField)
-	}
-	return OutputData(c.UI, data)
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<PageHeader as |p|>
+  <p.top>
+    <nav class="breadcrumb">
+      <ul>
+        <li>
+          <span class="sep">&#x0002f;</span>
+          {{#if @model.isNew}}
+            <LinkTo @route="vault.cluster.access.oidc.keys">
+              Keys
+            </LinkTo>
+          {{else}}
+            <LinkTo @route="vault.cluster.access.oidc.keys.key.details" @model={{@model.name}}>
+              Details
+            </LinkTo>
+          {{/if}}
+        </li>
+      </ul>
+    </nav>
+  </p.top>
+  <p.levelLeft>
+    <h1 class="title is-3" data-test-oidc-key-title>
+      {{if @model.isNew "Create" "Edit"}}
+      Key
+    </h1>
+  </p.levelLeft>
+</PageHeader>
+
+<form {{on "submit" (perform this.save)}}>
+  <div class="box is-sideless is-fullwidth is-bottomless">
+    <MessageError @errorMessage={{this.errorBanner}} />
+    {{#each @model.formFields as |attr|}}
+      <FormField @attr={{attr}} @model={{@model}} @modelValidations={{this.modelValidations}} />
+    {{/each}}
+  </div>
+  {{! RADIO CARD + SEARCH SELECT }}
+  <div class="box is-sideless is-fullwidth is-marginless has-top-padding-xxl">
+    <h4 class="title is-4">Allowed applications</h4>
+    <div class="is-flex-row">
+      <RadioCard
+        data-test-oidc-radio="allow-all"
+        @title="Allow every application to use"
+        @description="All applications can use this key for authentication requests."
+        @icon="globe"
+        @value="allow_all"
+        @groupValue={{this.radioCardGroupValue}}
+        @onChange={{this.handleClientSelection}}
+      />
+      <RadioCard
+        data-test-oidc-radio="limited"
+        @title="Limit access to selected application"
+        @description="Only selected applications can use this key for authentication requests."
+        @icon="globe-private"
+        @value="limited"
+        @groupValue={{this.radioCardGroupValue}}
+        @onChange={{this.handleClientSelection}}
+        @disabled={{@model.isNew}}
+        @disabledTooltipMessage="This option has been disabled for now. To limit access, you must first create an application that references this key."
+      />
+    </div>
+    {{#if (eq this.radioCardGroupValue "limited")}}
+      <SearchSelect
+        @id="allowedClientIds"
+        @label="Application name"
+        @subText="Select which applications are allowed to use this key. Only applications that currently reference this key will appear in the dropdown."
+        @models={{array "oidc/client"}}
+        @inputValue={{@model.allowedClientIds}}
+        @onChange={{this.handleClientSelection}}
+        @disallowNewItems={{true}}
+        @fallbackComponent="string-list"
+        @passObject={{true}}
+        @objectKeys={{array "clientId"}}
+        @queryObject={{this.filterDropdownOptions}}
+      />
+    {{/if}}
+  </div>
+  <div class="field box is-fullwidth is-bottomless">
+    <div class="control">
+      <Hds::Button
+        @text={{if @model.isNew "Create" "Update"}}
+        @icon={{if this.save.isRunning "loading"}}
+        type="submit"
+        disabled={{this.save.isRunning}}
+        data-test-oidc-key-save
+      />
+      <Hds::Button
+        @text="Cancel"
+        @color="secondary"
+        class="has-left-margin-s"
+        disabled={{this.save.isRunning}}
+        {{on "click" this.cancel}}
+        data-test-oidc-key-cancel
+      />
+    </div>
+    {{#if this.invalidFormAlert}}
+      <div class="control">
+        <AlertInline @type="danger" class="has-top-padding-s" @message={{this.invalidFormAlert}} />
+      </div>
+    {{/if}}
+  </div>
+</form>
\ No newline at end of file
diff --git a/command/plugin_info_test.go b/command/plugin_info_test.go
index 367124301671..ac343147659e 100644
--- a/command/plugin_info_test.go
+++ b/command/plugin_info_test.go
@@ -1,214 +1,86 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
-	"github.com/hashicorp/vault/helper/versions"
-	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/mitchellh/cli"
-)
-
-func testPluginInfoCommand(tb testing.TB) (*cli.MockUi, *PluginInfoCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &PluginInfoCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestPluginInfoCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"too_many_args",
-			[]string{"foo", "bar", "fizz"},
-			"Too many arguments",
-			1,
-		},
-		{
-			"no_plugin_exist",
-			[]string{api.PluginTypeCredential.String(), "not-a-real-plugin-like-ever"},
-			"Error reading plugin",
-			2,
-		},
-	}
-
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, tc := range cases {
-			tc := tc
-
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
-
-				client, closer := testVaultServer(t)
-				defer closer()
-
-				ui, cmd := testPluginInfoCommand(t)
-				cmd.client = client
-
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
-	})
-
-	t.Run("default", func(t *testing.T) {
-		t.Parallel()
-
-		pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
-		defer cleanup(t)
-
-		client, _, closer := testVaultServerPluginDir(t, pluginDir)
-		defer closer()
-
-		pluginName := "my-plugin"
-		_, sha256Sum := testPluginCreateAndRegister(t, client, pluginDir, pluginName, api.PluginTypeCredential, "")
-
-		ui, cmd := testPluginInfoCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			api.PluginTypeCredential.String(), pluginName,
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, pluginName) {
-			t.Errorf("expected %q to contain %q", combined, pluginName)
-		}
-		if !strings.Contains(combined, sha256Sum) {
-			t.Errorf("expected %q to contain %q", combined, sha256Sum)
-		}
-	})
-
-	t.Run("version flag", func(t *testing.T) {
-		t.Parallel()
-
-		pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
-		defer cleanup(t)
-
-		client, _, closer := testVaultServerPluginDir(t, pluginDir)
-		defer closer()
-
-		const pluginName = "azure"
-		_, sha256Sum := testPluginCreateAndRegister(t, client, pluginDir, pluginName, api.PluginTypeCredential, "v1.0.0")
-
-		for name, tc := range map[string]struct {
-			version     string
-			expectedSHA string
-		}{
-			"versioned":       {"v1.0.0", sha256Sum},
-			"builtin version": {versions.GetBuiltinVersion(consts.PluginTypeSecrets, pluginName), ""},
-		} {
-			t.Run(name, func(t *testing.T) {
-				ui, cmd := testPluginInfoCommand(t)
-				cmd.client = client
-
-				code := cmd.Run([]string{
-					"-version=" + tc.version,
-					api.PluginTypeCredential.String(), pluginName,
-				})
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if exp := 0; code != exp {
-					t.Errorf("expected %d to be %d: %s", code, exp, combined)
-				}
-
-				if !strings.Contains(combined, pluginName) {
-					t.Errorf("expected %q to contain %q", combined, pluginName)
-				}
-				if !strings.Contains(combined, tc.expectedSHA) {
-					t.Errorf("expected %q to contain %q", combined, tc.expectedSHA)
-				}
-				if !strings.Contains(combined, tc.version) {
-					t.Errorf("expected %q to contain %q", combined, tc.version)
-				}
-			})
-		}
-	})
-
-	t.Run("field", func(t *testing.T) {
-		t.Parallel()
-
-		pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
-		defer cleanup(t)
-
-		client, _, closer := testVaultServerPluginDir(t, pluginDir)
-		defer closer()
-
-		pluginName := "my-plugin"
-		testPluginCreateAndRegister(t, client, pluginDir, pluginName, api.PluginTypeCredential, "")
-
-		ui, cmd := testPluginInfoCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"-field", "builtin",
-			api.PluginTypeCredential.String(), pluginName,
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if exp := "false"; combined != exp {
-			t.Errorf("expected %q to be %q", combined, exp)
-		}
-	})
-
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerBad(t)
-		defer closer()
-
-		ui, cmd := testPluginInfoCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			api.PluginTypeCredential.String(), "my-plugin",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Error reading plugin named my-plugin: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testPluginInfoCommand(t)
-		assertNoTabs(t, cmd)
-	})
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'ember-qunit';
+import { render } from '@ember/test-helpers';
+import { setupEngine } from 'ember-engines/test-support';
+import hbs from 'htmlbars-inline-precompile';
+
+const CLUSTER = {
+  canAddSecondary: true,
+  replicationMode: 'dr',
+};
+
+const REPLICATION_ATTRS = {
+  secondaries: [
+    { node_id: 'secondary-1', api_address: 'https://stuff.com/', connection_status: 'connected' },
+    { node_id: '2nd', connection_status: 'disconnected' },
+    { node_id: '_three_', api_address: 'https://10.0.0.2:1000/', connection_status: 'connected' },
+  ],
+};
+
+module('Integration | Component | replication known-secondaries-card', function (hooks) {
+  setupRenderingTest(hooks);
+  setupEngine(hooks, 'replication');
+
+  hooks.beforeEach(function () {
+    this.context = { owner: this.engine }; // this.engine set by setupEngine
+    this.set('cluster', CLUSTER);
+    this.set('replicationAttrs', REPLICATION_ATTRS);
+  });
+
+  test('it renders with a table of known secondaries', async function (assert) {
+    await render(
+      hbs`<KnownSecondariesCard @cluster={{this.cluster}} @replicationAttrs={{this.replicationAttrs}} />`,
+      this.context
+    );
+
+    assert
+      .dom('[data-test-known-secondaries-table]')
+      .exists('shows known secondaries table when there are known secondaries');
+    assert.dom('[data-test-manage-link]').exists('shows manage link');
+  });
+
+  test('it renders an empty state if there are no known secondaries', async function (assert) {
+    const noSecondaries = {
+      secondaries: [],
+    };
+    this.set('replicationAttrs', noSecondaries);
+    await render(
+      hbs`<KnownSecondariesCard @cluster={{this.cluster}} @replicationAttrs={{this.replicationAttrs}} />`,
+      this.context
+    );
+
+    assert
+      .dom('[data-test-known-secondaries-table]')
+      .doesNotExist('does not show the known secondaries table');
+    assert
+      .dom('.hds-application-state')
+      .includesText('No known dr secondary clusters', 'empty state has a message with the replication mode');
+  });
+
+  test('it renders an Add secondary link if user has capabilites', async function (assert) {
+    await render(
+      hbs`<KnownSecondariesCard @cluster={{this.cluster}} @replicationAttrs={{this.replicationAttrs}} />`,
+      this.context
+    );
+
+    assert.dom('.add-secondaries').exists();
+  });
+
+  test('it does not render an Add secondary link if user does not have capabilites', async function (assert) {
+    const noCapabilities = {
+      canAddSecondary: false,
+    };
+    this.set('cluster', noCapabilities);
+    await render(
+      hbs`<KnownSecondariesCard @cluster={{this.cluster}} @replicationAttrs={{this.replicationAttrs}} />`,
+      this.context
+    );
+
+    assert.dom('.add-secondaries').doesNotExist();
+  });
+});
diff --git a/command/plugin_list.go b/command/plugin_list.go
index a325264eaf9e..f190d43ff5e1 100644
--- a/command/plugin_list.go
+++ b/command/plugin_list.go
@@ -1,169 +1,36 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*PluginListCommand)(nil)
-	_ cli.CommandAutocomplete = (*PluginListCommand)(nil)
-)
-
-type PluginListCommand struct {
-	*BaseCommand
-
-	flagDetailed bool
-}
-
-func (c *PluginListCommand) Synopsis() string {
-	return "Lists available plugins"
-}
-
-func (c *PluginListCommand) Help() string {
-	helpText := `
-Usage: vault plugin list [options] [TYPE]
-
-  Lists available plugins registered in the catalog. This does not list whether
-  plugins are in use, but rather just their availability. The last argument of
-  type takes "auth", "database", or "secret".
-
-  List all available plugins in the catalog:
-
-      $ vault plugin list
-
-  List all available database plugins in the catalog:
-
-      $ vault plugin list database
-
-  List all available plugins with detailed output:
-
-      $ vault plugin list -detailed
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *PluginListCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-
-	f := set.NewFlagSet("Command Options")
-
-	f.BoolVar(&BoolVar{
-		Name:    "detailed",
-		Target:  &c.flagDetailed,
-		Default: false,
-		Usage: "Print detailed plugin information such as plugin type, " +
-			"version, and deprecation status for each plugin. This option " +
-			"is only applicable to table-formatted output.",
-	})
-
-	return set
-}
-
-func (c *PluginListCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictNothing
-}
-
-func (c *PluginListCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *PluginListCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	switch {
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0 or 1, got %d)", len(args)))
-		return 1
-	}
-
-	pluginType := api.PluginTypeUnknown
-	if len(args) > 0 {
-		pluginTypeStr := strings.TrimSpace(args[0])
-		if pluginTypeStr != "" {
-			var err error
-			pluginType, err = api.ParsePluginType(pluginTypeStr)
-			if err != nil {
-				c.UI.Error(fmt.Sprintf("Error parsing type: %s", err))
-				return 2
-			}
-		}
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	resp, err := client.Sys().ListPlugins(&api.ListPluginsInput{
-		Type: pluginType,
-	})
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error listing available plugins: %s", err))
-		return 2
-	}
-	if resp == nil {
-		c.UI.Error("No response from server when listing plugins")
-		return 2
-	}
-
-	switch Format(c.UI) {
-	case "table":
-		if c.flagDetailed {
-			c.UI.Output(tableOutput(c.detailedResponse(resp), nil))
-			return 0
-		}
-		c.UI.Output(tableOutput(c.simpleResponse(resp, pluginType), nil))
-		return 0
-	default:
-		res := make(map[string]interface{})
-		for k, v := range resp.PluginsByType {
-			res[k.String()] = v
-		}
-		res["details"] = resp.Details
-		return OutputData(c.UI, res)
-	}
-}
-
-func (c *PluginListCommand) simpleResponse(plugins *api.ListPluginsResponse, pluginType api.PluginType) []string {
-	var out []string
-	switch pluginType {
-	case api.PluginTypeUnknown:
-		out = []string{"Name | Type | Version"}
-		for _, plugin := range plugins.Details {
-			out = append(out, fmt.Sprintf("%s | %s | %s", plugin.Name, plugin.Type, plugin.Version))
-		}
-	default:
-		out = []string{"Name | Version"}
-		for _, plugin := range plugins.Details {
-			out = append(out, fmt.Sprintf("%s | %s", plugin.Name, plugin.Version))
-		}
-	}
-
-	return out
-}
-
-func (c *PluginListCommand) detailedResponse(plugins *api.ListPluginsResponse) []string {
-	out := []string{"Name | Type | Version | Container | Deprecation Status"}
-	for _, plugin := range plugins.Details {
-		out = append(out, fmt.Sprintf("%s | %s | %s | %v | %s", plugin.Name, plugin.Type, plugin.Version, plugin.OCIImage != "", plugin.DeprecationStatus))
-	}
-
-	return out
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<Hds::Card::Container
+  @hasBorder={{true}}
+  class="has-padding-m known-secondaries-card {{if this.hasErrorClass 'has-error-border'}}"
+>
+  <div class="level">
+    <h3 class="card-title title is-5">{{this.replicationAttrs.secondaries.length}} Known secondaries</h3>
+    <ToolbarLink @route="mode.secondaries" @model={{this.cluster.replicationMode}} data-test-manage-link>
+      View all
+    </ToolbarLink>
+  </div>
+  <div class="secondaries-table">
+    {{#if this.replicationAttrs.secondaries}}
+      <KnownSecondariesTable @secondaries={{this.replicationAttrs.secondaries}} />
+    {{else}}
+      <Hds::ApplicationState as |A|>
+        <A.Header
+          @title="No known {{this.cluster.replicationMode}} secondary clusters associated with this cluster"
+          data-test-empty-state-title
+        />
+        <A.Body
+          @text="Associated secondary clusters will be listed here. Add your first secondary cluster to get started."
+        />
+      </Hds::ApplicationState>
+    {{/if}}
+  </div>
+  {{#if this.cluster.canAddSecondary}}
+    <LinkTo @route="mode.secondaries.add" @model={{this.cluster.replicationMode}} class="link add-secondaries">
+      Add secondary
+    </LinkTo>
+  {{/if}}
+</Hds::Card::Container>
\ No newline at end of file
diff --git a/command/plugin_list_test.go b/command/plugin_list_test.go
index 395167e45f12..e0c9f8ebb8cf 100644
--- a/command/plugin_list_test.go
+++ b/command/plugin_list_test.go
@@ -1,104 +1,62 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"regexp"
-	"strings"
-	"testing"
-
-	"github.com/mitchellh/cli"
-)
-
-func testPluginListCommand(tb testing.TB) (*cli.MockUi, *PluginListCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &PluginListCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestPluginListCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"too_many_args",
-			[]string{"foo", "fizz"},
-			"Too many arguments",
-			1,
-		},
-		{
-			"lists",
-			nil,
-			"Name\\s+Type\\s+Version",
-			0,
-		},
-	}
-
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, tc := range cases {
-			tc := tc
-
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
-
-				client, closer := testVaultServer(t)
-				defer closer()
-
-				ui, cmd := testPluginListCommand(t)
-				cmd.client = client
-
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				matcher := regexp.MustCompile(tc.out)
-				if !matcher.MatchString(combined) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
-	})
-
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerBad(t)
-		defer closer()
-
-		ui, cmd := testPluginListCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{"database"})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Error listing available plugins: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testPluginListCommand(t)
-		assertNoTabs(t, cmd)
-	})
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+/* eslint qunit/no-conditional-assertions: "warn" */
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'ember-qunit';
+import { render } from '@ember/test-helpers';
+import { setupEngine } from 'ember-engines/test-support';
+import hbs from 'htmlbars-inline-precompile';
+
+const SECONDARIES = [
+  { node_id: 'secondary-1', api_address: 'https://127.0.0.1:52304', connection_status: 'connected' },
+  { node_id: '2nd', connection_status: 'disconnected' },
+  { node_id: '_three_', api_address: 'http://127.0.0.1:8202', connection_status: 'connected' },
+];
+
+module('Integration | Component | replication known-secondaries-table', function (hooks) {
+  setupRenderingTest(hooks);
+  setupEngine(hooks, 'replication');
+
+  hooks.beforeEach(function () {
+    this.context = { owner: this.engine }; // this.engine set by setupEngine
+    this.set('secondaries', SECONDARIES);
+  });
+
+  test('it renders a table of known secondaries', async function (assert) {
+    await render(hbs`<KnownSecondariesTable @secondaries={{this.secondaries}} />`, this.context);
+
+    assert.dom('[data-test-known-secondaries-table]').exists();
+  });
+
+  test('it shows the secondary URL and connection_status', async function (assert) {
+    assert.expect(13);
+    await render(hbs`<KnownSecondariesTable @secondaries={{this.secondaries}} />`, this.context);
+
+    SECONDARIES.forEach((secondary) => {
+      assert
+        .dom(`[data-test-secondaries-node="${secondary.node_id}"]`)
+        .hasText(secondary.node_id, 'shows a table row and ID for each known secondary');
+      const expectedAPIAddr = secondary.api_address || 'URL unavailable';
+      const expectedTag = secondary.api_address ? 'a' : 'p';
+      assert.dom(`[data-test-secondaries-api-address="${secondary.node_id}"]`).hasText(expectedAPIAddr);
+      assert
+        .dom(`[data-test-secondaries-api-address="${secondary.node_id}"] ${expectedTag}`)
+        .exists('has correct tag');
+
+      assert
+        .dom(`[data-test-secondaries-connection-status="${secondary.node_id}"]`)
+        .hasText(secondary.connection_status, 'shows the connection status');
+    });
+
+    assert
+      .dom(`[data-test-secondaries-api-address="secondary-1"] a`)
+      .hasAttribute(
+        'href',
+        'https://127.0.0.1:52304/ui/',
+        'secondary with API address has correct href attribute'
+      );
+  });
+});
diff --git a/command/plugin_register.go b/command/plugin_register.go
index e8cb406b400d..b447dd29bf3c 100644
--- a/command/plugin_register.go
+++ b/command/plugin_register.go
@@ -1,195 +1,38 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*PluginRegisterCommand)(nil)
-	_ cli.CommandAutocomplete = (*PluginRegisterCommand)(nil)
-)
-
-type PluginRegisterCommand struct {
-	*BaseCommand
-
-	flagArgs     []string
-	flagCommand  string
-	flagSHA256   string
-	flagVersion  string
-	flagOCIImage string
-	flagRuntime  string
-	flagEnv      []string
-}
-
-func (c *PluginRegisterCommand) Synopsis() string {
-	return "Registers a new plugin in the catalog"
-}
-
-func (c *PluginRegisterCommand) Help() string {
-	helpText := `
-Usage: vault plugin register [options] TYPE NAME
-
-  Registers a new plugin in the catalog. The plugin binary must exist in Vault's
-  configured plugin directory. The argument of type takes "auth", "database",
-  or "secret".
-
-  Register the plugin named my-custom-plugin:
-
-      $ vault plugin register -sha256=d3f0a8b... -version=v1.0.0 auth my-custom-plugin
-
-  Register a plugin with custom arguments:
-
-      $ vault plugin register \
-          -sha256=d3f0a8b... \
-          -version=v1.0.0 \
-          -args=--with-glibc,--with-cgo \
-          auth my-custom-plugin
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *PluginRegisterCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP)
-
-	f := set.NewFlagSet("Command Options")
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:       "args",
-		Target:     &c.flagArgs,
-		Completion: complete.PredictAnything,
-		Usage: "Argument to pass to the plugin when starting. This " +
-			"flag can be specified multiple times to specify multiple args.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "command",
-		Target:     &c.flagCommand,
-		Completion: complete.PredictAnything,
-		Usage: "Command to spawn the plugin. This defaults to the name of the " +
-			"plugin if both oci_image and command are unspecified.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "sha256",
-		Target:     &c.flagSHA256,
-		Completion: complete.PredictAnything,
-		Usage:      "SHA256 of the plugin binary or the oci_image provided. This is required for all plugins.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "version",
-		Target:     &c.flagVersion,
-		Completion: complete.PredictAnything,
-		Usage:      "Semantic version of the plugin. Used as the tag when specifying oci_image, but with any leading 'v' trimmed. Optional.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "oci_image",
-		Target:     &c.flagOCIImage,
-		Completion: complete.PredictAnything,
-		Usage: "OCI image to run. If specified, setting command, args, and env will update the " +
-			"container's entrypoint, args, and environment variables (append-only) respectively.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "runtime",
-		Target:     &c.flagRuntime,
-		Completion: complete.PredictAnything,
-		Usage:      "Vault plugin runtime to use if oci_image is specified.",
-	})
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:       "env",
-		Target:     &c.flagEnv,
-		Completion: complete.PredictAnything,
-		Usage: "Environment variables to set for the plugin when starting. This " +
-			"flag can be specified multiple times to specify multiple environment variables.",
-	})
-
-	return set
-}
-
-func (c *PluginRegisterCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultPlugins(api.PluginTypeUnknown)
-}
-
-func (c *PluginRegisterCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *PluginRegisterCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	var pluginNameRaw, pluginTypeRaw string
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1 or 2, got %d)", len(args)))
-		return 1
-	case len(args) > 2:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1 or 2, got %d)", len(args)))
-		return 1
-	case c.flagSHA256 == "":
-		c.UI.Error("SHA256 is required for all plugins, please provide -sha256")
-		return 1
-
-	// These cases should come after invalid cases have been checked
-	case len(args) == 1:
-		pluginTypeRaw = "unknown"
-		pluginNameRaw = args[0]
-	case len(args) == 2:
-		pluginTypeRaw = args[0]
-		pluginNameRaw = args[1]
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	pluginType, err := api.ParsePluginType(strings.TrimSpace(pluginTypeRaw))
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-	pluginName := strings.TrimSpace(pluginNameRaw)
-
-	command := c.flagCommand
-	if command == "" && c.flagOCIImage == "" {
-		command = pluginName
-	}
-
-	if err := client.Sys().RegisterPlugin(&api.RegisterPluginInput{
-		Name:     pluginName,
-		Type:     pluginType,
-		Args:     c.flagArgs,
-		Command:  command,
-		SHA256:   c.flagSHA256,
-		Version:  c.flagVersion,
-		OCIImage: c.flagOCIImage,
-		Runtime:  c.flagRuntime,
-		Env:      c.flagEnv,
-	}); err != nil {
-		c.UI.Error(fmt.Sprintf("Error registering plugin %s: %s", pluginName, err))
-		return 2
-	}
-
-	c.UI.Output(fmt.Sprintf("Success! Registered plugin: %s", pluginName))
-	return 0
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<Hds::Table @caption="Known Secondaries" data-test-known-secondaries-table>
+  <:head as |H|>
+    <H.Tr>
+      <H.Th>Secondary ID</H.Th>
+      <H.Th>URL</H.Th>
+      <H.Th>Connected?</H.Th>
+    </H.Tr>
+  </:head>
+  <:body as |B|>
+    {{#each this.secondaries as |secondary|}}
+      <B.Tr>
+        <B.Th data-test-secondaries-node={{or secondary.node_id secondary}}>{{secondary.node_id}}</B.Th>
+        <B.Td data-test-secondaries-api-address={{or secondary.node_id secondary}}>
+          {{#if secondary.api_address}}
+            <Hds::Link::Standalone
+              @icon="external-link"
+              @text={{secondary.api_address}}
+              @href={{concat secondary.api_address "/ui/"}}
+              @iconPosition="trailing"
+            />
+          {{else}}
+            <p class="has-text-grey">URL unavailable</p>
+          {{/if}}
+        </B.Td>
+        <B.Td>
+          <code data-test-secondaries-connection-status={{or secondary.node_id secondary}}>
+            {{secondary.connection_status}}
+          </code>
+        </B.Td>
+      </B.Tr>
+    {{/each}}
+  </:body>
+</Hds::Table>
\ No newline at end of file
diff --git a/command/plugin_register_test.go b/command/plugin_register_test.go
index e2c3ce3e7020..9d89c4bf8405 100644
--- a/command/plugin_register_test.go
+++ b/command/plugin_register_test.go
@@ -1,337 +1,107 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"encoding/json"
-	"fmt"
-	"reflect"
-	"sort"
-	"strings"
-	"testing"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
-	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/mitchellh/cli"
-)
-
-func testPluginRegisterCommand(tb testing.TB) (*cli.MockUi, *PluginRegisterCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &PluginRegisterCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestPluginRegisterCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"not_enough_args",
-			nil,
-			"Not enough arguments",
-			1,
-		},
-		{
-			"too_many_args",
-			[]string{"foo", "bar", "fizz"},
-			"Too many arguments",
-			1,
-		},
-		{
-			"not_a_plugin",
-			[]string{consts.PluginTypeCredential.String(), "nope_definitely_never_a_plugin_nope"},
-			"",
-			2,
-		},
-	}
-
-	for _, tc := range cases {
-		tc := tc
-
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			client, closer := testVaultServer(t)
-			defer closer()
-
-			ui, cmd := testPluginRegisterCommand(t)
-			cmd.client = client
-
-			args := append([]string{"-sha256", "abcd1234"}, tc.args...)
-			code := cmd.Run(args)
-			if code != tc.code {
-				t.Errorf("expected %d to be %d", code, tc.code)
-			}
-
-			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-			if !strings.Contains(combined, tc.out) {
-				t.Errorf("expected %q to contain %q", combined, tc.out)
-			}
-		})
-	}
-
-	t.Run("integration", func(t *testing.T) {
-		t.Parallel()
-
-		pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
-		defer cleanup(t)
-
-		client, _, closer := testVaultServerPluginDir(t, pluginDir)
-		defer closer()
-
-		pluginName := "my-plugin"
-		_, sha256Sum := testPluginCreate(t, pluginDir, pluginName)
-
-		ui, cmd := testPluginRegisterCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"-sha256", sha256Sum,
-			consts.PluginTypeCredential.String(), pluginName,
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Success! Registered plugin: my-plugin"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-
-		resp, err := client.Sys().ListPlugins(&api.ListPluginsInput{
-			Type: api.PluginTypeCredential,
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		found := false
-		for _, plugins := range resp.PluginsByType {
-			for _, p := range plugins {
-				if p == pluginName {
-					found = true
-				}
-			}
-		}
-		if !found {
-			t.Errorf("expected %q to be in %q", pluginName, resp.PluginsByType)
-		}
-	})
-
-	t.Run("integration with version", func(t *testing.T) {
-		t.Parallel()
-
-		pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
-		defer cleanup(t)
-
-		client, _, closer := testVaultServerPluginDir(t, pluginDir)
-		defer closer()
-
-		const pluginName = "my-plugin"
-		versions := []string{"v1.0.0", "v2.0.1"}
-		_, sha256Sum := testPluginCreate(t, pluginDir, pluginName)
-		types := []api.PluginType{api.PluginTypeCredential, api.PluginTypeDatabase, api.PluginTypeSecrets}
-
-		for _, typ := range types {
-			for _, version := range versions {
-				ui, cmd := testPluginRegisterCommand(t)
-				cmd.client = client
-
-				code := cmd.Run([]string{
-					"-version=" + version,
-					"-sha256=" + sha256Sum,
-					typ.String(),
-					pluginName,
-				})
-				if exp := 0; code != exp {
-					t.Errorf("expected %d to be %d", code, exp)
-				}
-
-				expected := "Success! Registered plugin: my-plugin"
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, expected) {
-					t.Errorf("expected %q to contain %q", combined, expected)
-				}
-			}
-		}
-
-		resp, err := client.Sys().ListPlugins(&api.ListPluginsInput{
-			Type: api.PluginTypeUnknown,
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		found := make(map[api.PluginType]int)
-		versionsFound := make(map[api.PluginType][]string)
-		for _, p := range resp.Details {
-			if p.Name == pluginName {
-				typ, err := api.ParsePluginType(p.Type)
-				if err != nil {
-					t.Fatal(err)
-				}
-				found[typ]++
-				versionsFound[typ] = append(versionsFound[typ], p.Version)
-			}
-		}
-
-		for _, typ := range types {
-			if found[typ] != 2 {
-				t.Fatalf("expected %q to be found 2 times, but found it %d times for %s type in %#v", pluginName, found[typ], typ.String(), resp.Details)
-			}
-			sort.Strings(versions)
-			sort.Strings(versionsFound[typ])
-			if !reflect.DeepEqual(versions, versionsFound[typ]) {
-				t.Fatalf("expected %v versions but got %v", versions, versionsFound[typ])
-			}
-		}
-	})
-
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerBad(t)
-		defer closer()
-
-		ui, cmd := testPluginRegisterCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"-sha256", "abcd1234",
-			consts.PluginTypeCredential.String(), "my-plugin",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Error registering plugin my-plugin:"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testPluginRegisterCommand(t)
-		assertNoTabs(t, cmd)
-	})
-}
-
-// TestFlagParsing ensures that flags passed to vault plugin register correctly
-// translate into the expected JSON body and request path.
-func TestFlagParsing(t *testing.T) {
-	for name, tc := range map[string]struct {
-		pluginType      api.PluginType
-		name            string
-		command         string
-		ociImage        string
-		runtime         string
-		version         string
-		sha256          string
-		args            []string
-		env             []string
-		expectedPayload string
-	}{
-		"minimal": {
-			pluginType:      api.PluginTypeUnknown,
-			name:            "foo",
-			sha256:          "abc123",
-			expectedPayload: `{"type":0,"command":"foo","sha256":"abc123"}`,
-		},
-		"full": {
-			pluginType:      api.PluginTypeCredential,
-			name:            "name",
-			command:         "cmd",
-			ociImage:        "image",
-			runtime:         "runtime",
-			version:         "v1.0.0",
-			sha256:          "abc123",
-			args:            []string{"--a=b", "--b=c", "positional"},
-			env:             []string{"x=1", "y=2"},
-			expectedPayload: `{"type":1,"args":["--a=b","--b=c","positional"],"command":"cmd","sha256":"abc123","version":"v1.0.0","oci_image":"image","runtime":"runtime","env":["x=1","y=2"]}`,
-		},
-		"command remains empty if oci_image specified": {
-			pluginType:      api.PluginTypeCredential,
-			name:            "name",
-			ociImage:        "image",
-			sha256:          "abc123",
-			expectedPayload: `{"type":1,"sha256":"abc123","oci_image":"image"}`,
-		},
-	} {
-		tc := tc
-		t.Run(name, func(t *testing.T) {
-			ui, cmd := testPluginRegisterCommand(t)
-			var requestLogger *recordingRoundTripper
-			cmd.client, requestLogger = mockClient(t)
-
-			var args []string
-			if tc.command != "" {
-				args = append(args, "-command="+tc.command)
-			}
-			if tc.ociImage != "" {
-				args = append(args, "-oci_image="+tc.ociImage)
-			}
-			if tc.runtime != "" {
-				args = append(args, "-runtime="+tc.runtime)
-			}
-			if tc.sha256 != "" {
-				args = append(args, "-sha256="+tc.sha256)
-			}
-			if tc.version != "" {
-				args = append(args, "-version="+tc.version)
-			}
-			for _, arg := range tc.args {
-				args = append(args, "-args="+arg)
-			}
-			for _, env := range tc.env {
-				args = append(args, "-env="+env)
-			}
-			if tc.pluginType != api.PluginTypeUnknown {
-				args = append(args, tc.pluginType.String())
-			}
-			args = append(args, tc.name)
-			t.Log(args)
-
-			code := cmd.Run(args)
-			if exp := 0; code != exp {
-				t.Fatalf("expected %d to be %d\nstdout: %s\nstderr: %s", code, exp, ui.OutputWriter.String(), ui.ErrorWriter.String())
-			}
-
-			actual := &api.RegisterPluginInput{}
-			expected := &api.RegisterPluginInput{}
-			err := json.Unmarshal(requestLogger.body, actual)
-			if err != nil {
-				t.Fatal(err)
-			}
-			err = json.Unmarshal([]byte(tc.expectedPayload), expected)
-			if err != nil {
-				t.Fatal(err)
-			}
-			if !reflect.DeepEqual(expected, actual) {
-				t.Errorf("expected: %s\ngot: %s", tc.expectedPayload, requestLogger.body)
-			}
-			expectedPath := fmt.Sprintf("/v1/sys/plugins/catalog/%s/%s", tc.pluginType.String(), tc.name)
-			if tc.pluginType == api.PluginTypeUnknown {
-				expectedPath = fmt.Sprintf("/v1/sys/plugins/catalog/%s", tc.name)
-			}
-			if requestLogger.path != expectedPath {
-				t.Errorf("Expected path %s, got %s", expectedPath, requestLogger.path)
-			}
-		})
-	}
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
+import { setupEngine } from 'ember-engines/test-support';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { hbs } from 'ember-cli-htmlbars';
+import { fillIn, render, click } from '@ember/test-helpers';
+import codemirror from 'vault/tests/helpers/codemirror';
+import { PAGE, FORM } from 'vault/tests/helpers/kv/kv-selectors';
+
+module('Integration | Component | kv-v2 | KvDataFields', function (hooks) {
+  setupRenderingTest(hooks);
+  setupEngine(hooks, 'kv');
+  setupMirage(hooks);
+
+  hooks.beforeEach(function () {
+    this.store = this.owner.lookup('service:store');
+    this.backend = 'my-kv-engine';
+    this.path = 'my-secret';
+    this.secret = this.store.createRecord('kv/data', { backend: this.backend });
+  });
+
+  test('it updates the secret model', async function (assert) {
+    assert.expect(2);
+
+    await render(hbs`<KvDataFields @showJson={{false}} @secret={{this.secret}} @type="create" />`, {
+      owner: this.engine,
+    });
+    await fillIn(FORM.inputByAttr('path'), this.path);
+    await fillIn(FORM.keyInput(), 'foo');
+    await fillIn(FORM.maskedValueInput(), 'bar');
+    assert.strictEqual(this.secret.path, this.path);
+    assert.propEqual(this.secret.secretData, { foo: 'bar' });
+  });
+
+  test('it JSON editor initializes with empty object and modifies secretData', async function (assert) {
+    assert.expect(3);
+
+    await render(hbs`<KvDataFields @showJson={{true}} @secret={{this.secret}} />`, { owner: this.engine });
+    assert.strictEqual(
+      codemirror().getValue(' '),
+      `{ \"\": \"\" }`, // eslint-disable-line no-useless-escape
+      'json editor initializes with empty object'
+    );
+    await fillIn(`${FORM.jsonEditor} textarea`, 'blah');
+    assert.strictEqual(codemirror().state.lint.marked.length, 1, 'codemirror lints input');
+    codemirror().setValue(`{ "hello": "there"}`);
+    assert.propEqual(this.secret.secretData, { hello: 'there' }, 'json editor updates secret data');
+  });
+
+  test('it disables path and prefills secret data when creating a new secret version', async function (assert) {
+    assert.expect(5);
+    this.secret.secretData = { foo: 'bar' };
+    this.secret.path = this.path;
+
+    this.newVersion = this.store.createRecord('kv/data', {
+      backend: this.backend,
+      path: this.path,
+      secretData: this.secret.secretData,
+    });
+
+    await render(hbs`<KvDataFields @showJson={{false}} @secret={{this.secret}} @type="edit" />`, {
+      owner: this.engine,
+    });
+
+    assert.dom(FORM.inputByAttr('path')).isDisabled();
+    assert.dom(FORM.inputByAttr('path')).hasValue(this.path);
+    assert.dom(FORM.keyInput()).hasValue('foo');
+    assert.dom(FORM.maskedValueInput()).hasValue('bar');
+    assert.dom(FORM.dataInputLabel({ isJson: false })).hasText('Version data');
+  });
+
+  test('it shows readonly info rows when viewing secret details of simple secret', async function (assert) {
+    assert.expect(3);
+    this.secret.secretData = { foo: 'bar' };
+    this.secret.path = this.path;
+
+    await render(hbs`<KvDataFields @showJson={{false}} @secret={{this.secret}} @type="details" />`, {
+      owner: this.engine,
+    });
+    assert.dom(PAGE.infoRow).exists({ count: 1 }, '1 row of data shows');
+    assert.dom(PAGE.infoRowValue('foo')).hasText('***********');
+    await click(PAGE.infoRowToggleMasked('foo'));
+    assert.dom(PAGE.infoRowValue('foo')).hasText('bar', 'secret value shows after toggle');
+  });
+
+  test('it shows readonly json editor when viewing secret details of complex secret', async function (assert) {
+    assert.expect(3);
+    this.secret.secretData = {
+      foo: {
+        bar: 'baz',
+      },
+    };
+    this.secret.path = this.path;
+
+    await render(hbs`<KvDataFields @showJson={{true}} @secret={{this.secret}} @type="details" />`, {
+      owner: this.engine,
+    });
+    assert.dom(PAGE.infoRowValue('foo')).doesNotExist('does not render rows of secret data');
+    assert.dom('[data-test-component="code-mirror-modifier"]').hasClass('readonly-codemirror');
+    assert.dom('[data-test-component="code-mirror-modifier"]').includesText(`{ "foo": { "bar": "baz" }}`);
+  });
+});
diff --git a/command/plugin_reload.go b/command/plugin_reload.go
index 4ec7acb99c83..554c4cbdd1f2 100644
--- a/command/plugin_reload.go
+++ b/command/plugin_reload.go
@@ -1,135 +1,49 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*PluginReloadCommand)(nil)
-	_ cli.CommandAutocomplete = (*PluginReloadCommand)(nil)
-)
-
-type PluginReloadCommand struct {
-	*BaseCommand
-	plugin string
-	mounts []string
-	scope  string
-}
-
-func (c *PluginReloadCommand) Synopsis() string {
-	return "Reload mounted plugin backend"
-}
-
-func (c *PluginReloadCommand) Help() string {
-	helpText := `
-Usage: vault plugin reload [options]
-
-  Reloads mounted plugins. Either the plugin name or the desired plugin 
-  mount(s) must be provided, but not both. In case the plugin name is provided,
-  all of its corresponding mounted paths that use the plugin backend will be reloaded.
-
-  Reload the plugin named "my-custom-plugin":
-
-	  $ vault plugin reload -plugin=my-custom-plugin
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *PluginReloadCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP)
-
-	f := set.NewFlagSet("Command Options")
-
-	f.StringVar(&StringVar{
-		Name:       "plugin",
-		Target:     &c.plugin,
-		Completion: complete.PredictAnything,
-		Usage:      "The name of the plugin to reload, as registered in the plugin catalog.",
-	})
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:       "mounts",
-		Target:     &c.mounts,
-		Completion: complete.PredictAnything,
-		Usage:      "Array or comma-separated string mount paths of the plugin backends to reload.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "scope",
-		Target:     &c.scope,
-		Completion: complete.PredictAnything,
-		Usage:      "The scope of the reload, omitted for local, 'global', for replicated reloads",
-	})
-
-	return set
-}
-
-func (c *PluginReloadCommand) AutocompleteArgs() complete.Predictor {
-	return nil
-}
-
-func (c *PluginReloadCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *PluginReloadCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	switch {
-	case c.plugin == "" && len(c.mounts) == 0:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case c.plugin != "" && len(c.mounts) > 0:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
-	case c.scope != "" && c.scope != "global":
-		c.UI.Error(fmt.Sprintf("Invalid reload scope: %s", c.scope))
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	rid, err := client.Sys().ReloadPlugin(&api.ReloadPluginInput{
-		Plugin: c.plugin,
-		Mounts: c.mounts,
-		Scope:  c.scope,
-	})
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error reloading plugin/mounts: %s", err))
-		return 2
-	}
-
-	if len(c.mounts) > 0 {
-		if rid != "" {
-			c.UI.Output(fmt.Sprintf("Success! Reloading mounts: %s, reload_id: %s", c.mounts, rid))
-		} else {
-			c.UI.Output(fmt.Sprintf("Success! Reloaded mounts: %s", c.mounts))
-		}
-	} else {
-		if rid != "" {
-			c.UI.Output(fmt.Sprintf("Success! Reloading plugin: %s, reload_id: %s", c.plugin, rid))
-		} else {
-			c.UI.Output(fmt.Sprintf("Success! Reloaded plugin: %s", c.plugin))
-		}
-	}
-
-	return 0
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+{{#let (find-by "name" "path" @secret.allFields) as |attr|}}
+  {{#if (eq @type "edit")}}
+    <ReadonlyFormField @attr={{attr}} @value={{get @secret attr.name}} />
+  {{else if (eq @type "create")}}
+    <FormField @attr={{attr}} @model={{@secret}} @modelValidations={{@modelValidations}} @onKeyUp={{@pathValidations}} />
+  {{/if}}
+{{/let}}
+
+<hr class="is-marginless has-background-gray-200" />
+{{#if @showJson}}
+  <JsonEditor
+    @title="{{if (eq @type 'create') 'Secret' 'Version'}} data"
+    @value={{this.codeMirrorString}}
+    @valueUpdated={{this.handleJson}}
+    @readOnly={{eq @type "details"}}
+  />
+  {{#if (or @modelValidations.secretData.errors this.lintingErrors)}}
+    <AlertInline
+      @color={{if this.lintingErrors "warning" "critical"}}
+      class="has-top-padding-s"
+      @message={{if
+        @modelValidations.secretData.errors
+        @modelValidations.secretData.errors
+        "JSON is unparsable. Fix linting errors to avoid data discrepancies."
+      }}
+    />
+  {{/if}}
+{{else if (eq @type "details")}}
+  {{#each-in @secret.secretData as |key value|}}
+    <InfoTableRow @label={{key}} @value={{value}} @alwaysRender={{true}}>
+      <MaskedInput @name={{key}} @value={{value}} @displayOnly={{true}} @allowCopy={{true}} @allowDownload={{true}} />
+    </InfoTableRow>
+  {{else}}
+    <InfoTableRow @label="" @value="" @alwaysRender={{true}} />
+  {{/each-in}}
+{{else}}
+  <KvObjectEditor
+    class="has-top-margin-m"
+    @label="{{if (eq @type 'create') 'Secret' 'Version'}} data"
+    @value={{@secret.secretData}}
+    @onChange={{fn (mut @secret.secretData)}}
+    @isMasked={{true}}
+  />
+{{/if}}
\ No newline at end of file
diff --git a/command/plugin_reload_status.go b/command/plugin_reload_status.go
index 83c8f8a86a91..7dc6d8a865d7 100644
--- a/command/plugin_reload_status.go
+++ b/command/plugin_reload_status.go
@@ -1,96 +1,49 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*PluginReloadCommand)(nil)
-	_ cli.CommandAutocomplete = (*PluginReloadCommand)(nil)
-)
-
-type PluginReloadStatusCommand struct {
-	*BaseCommand
-}
-
-func (c *PluginReloadStatusCommand) Synopsis() string {
-	return "Get the status of an active or recently completed global plugin reload"
-}
-
-func (c *PluginReloadStatusCommand) Help() string {
-	helpText := `
-Usage: vault plugin reload-status RELOAD_ID
-
-  Retrieves the status of a recent cluster plugin reload.  The reload id must be provided.
-
-	  $ vault plugin reload-status d60a3e83-a598-4f3a-879d-0ddd95f11d4e
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *PluginReloadStatusCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP)
-}
-
-func (c *PluginReloadStatusCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictNothing
-}
-
-func (c *PluginReloadStatusCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *PluginReloadStatusCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
-	}
-
-	reloadId := strings.TrimSpace(args[0])
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	r, err := client.Sys().ReloadPluginStatus(&api.ReloadPluginStatusInput{
-		ReloadID: reloadId,
-	})
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error retrieving plugin reload status: %s", err))
-		return 2
-	}
-	out := []string{"Time | Participant | Success | Message "}
-	for i, s := range r.Results {
-		out = append(out, fmt.Sprintf("%s | %s | %t | %s ",
-			s.Timestamp.Format("15:04:05"),
-			i,
-			s.Error == "",
-			s.Error))
-	}
-	c.UI.Output(tableOutput(out, nil))
-	return 0
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Component from '@glimmer/component';
+import { action } from '@ember/object';
+import { tracked } from '@glimmer/tracking';
+import { stringify } from 'core/helpers/stringify';
+
+/**
+ * @module KvDataFields is used for rendering the fields associated with kv secret data, it hides/shows a json editor and renders validation errors for the json editor
+ *
+ * <KvDataFields
+ *  @showJson={{true}}
+ *  @secret={{@secret}}
+ *  @type="edit"
+ *  @modelValidations={{this.modelValidations}}
+ *  @pathValidations={{this.pathValidations}}
+ * />
+ *
+ * @param {model} secret - Ember data model: 'kv/data', the new record saved by the form
+ * @param {boolean} showJson - boolean passed from parent to hide/show json editor
+ * @param {object} [modelValidations] - object of errors.  If attr.name is in object and has error message display in AlertInline.
+ * @param {callback} [pathValidations] - callback function fired for the path input on key up
+ * @param {boolean} [type=null] - can be edit, create, or details. Used to change text for some form labels
+ */
+
+export default class KvDataFields extends Component {
+  @tracked lintingErrors;
+  @tracked codeMirrorString;
+
+  constructor() {
+    super(...arguments);
+    this.codeMirrorString = this.args.secret?.secretData
+      ? stringify([this.args.secret.secretData], {})
+      : '{ "": "" }';
+  }
+
+  @action
+  handleJson(value, codemirror) {
+    codemirror.performLint();
+    this.lintingErrors = codemirror.state.lint.marked.length > 0;
+    if (!this.lintingErrors) {
+      this.args.secret.secretData = JSON.parse(value);
+    }
+    this.codeMirrorString = value;
+  }
 }
diff --git a/command/plugin_reload_test.go b/command/plugin_reload_test.go
index cf9f2d149c54..eac26ede34cc 100644
--- a/command/plugin_reload_test.go
+++ b/command/plugin_reload_test.go
@@ -1,165 +1,92 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
-	"github.com/mitchellh/cli"
-)
-
-func testPluginReloadCommand(tb testing.TB) (*cli.MockUi, *PluginReloadCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &PluginReloadCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func testPluginReloadStatusCommand(tb testing.TB) (*cli.MockUi, *PluginReloadStatusCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &PluginReloadStatusCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestPluginReloadCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"not_enough_args",
-			nil,
-			"Not enough arguments",
-			1,
-		},
-		{
-			"too_many_args",
-			[]string{"-plugin", "foo", "-mounts", "bar"},
-			"Too many arguments",
-			1,
-		},
-	}
-
-	for _, tc := range cases {
-		tc := tc
-
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			client, closer := testVaultServer(t)
-			defer closer()
-
-			ui, cmd := testPluginReloadCommand(t)
-			cmd.client = client
-
-			args := append([]string{}, tc.args...)
-			code := cmd.Run(args)
-			if code != tc.code {
-				t.Errorf("expected %d to be %d", code, tc.code)
-			}
-
-			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-			if !strings.Contains(combined, tc.out) {
-				t.Errorf("expected %q to contain %q", combined, tc.out)
-			}
-		})
-	}
-
-	t.Run("integration", func(t *testing.T) {
-		t.Parallel()
-
-		pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
-		defer cleanup(t)
-
-		client, _, closer := testVaultServerPluginDir(t, pluginDir)
-		defer closer()
-
-		pluginName := "my-plugin"
-		_, sha256Sum := testPluginCreateAndRegister(t, client, pluginDir, pluginName, api.PluginTypeCredential, "")
-
-		ui, cmd := testPluginReloadCommand(t)
-		cmd.client = client
-
-		if err := client.Sys().RegisterPlugin(&api.RegisterPluginInput{
-			Name:    pluginName,
-			Type:    api.PluginTypeCredential,
-			Command: pluginName,
-			SHA256:  sha256Sum,
-		}); err != nil {
-			t.Fatal(err)
-		}
-
-		code := cmd.Run([]string{
-			"-plugin", pluginName,
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Success! Reloaded plugin: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-}
-
-func TestPluginReloadStatusCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"not_enough_args",
-			nil,
-			"Not enough arguments",
-			1,
-		},
-	}
-
-	for _, tc := range cases {
-		tc := tc
-
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			client, closer := testVaultServer(t)
-			defer closer()
-
-			ui, cmd := testPluginReloadCommand(t)
-			cmd.client = client
-
-			args := append([]string{}, tc.args...)
-			code := cmd.Run(args)
-			if code != tc.code {
-				t.Errorf("expected %d to be %d", code, tc.code)
-			}
-
-			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-			if !strings.Contains(combined, tc.out) {
-				t.Errorf("expected %q to contain %q", combined, tc.out)
-			}
-		})
-	}
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<div class="field" ...attributes {{did-insert this.createKvData @value}}>
+  <FormFieldLabel
+    @label={{@label}}
+    @helpText={{@helpText}}
+    @subText={{@subText}}
+    class={{@labelClass}}
+    data-test-kv-label={{true}}
+  />
+  {{#if @validationError}}
+    <div>
+      <AlertInline @type="danger" @message={{@validationError}} class="has-top-padding-s" />
+    </div>
+  {{/if}}
+  {{#if this.kvData}}
+    {{#each this.kvData as |row index|}}
+      <div class="columns is-variable" data-test-kv-row>
+        <div class="column is-one-quarter">
+          <Input
+            data-test-kv-key={{index}}
+            @value={{row.name}}
+            placeholder={{this.placeholders.key}}
+            {{on "change" (fn this.updateRow row index)}}
+            {{on "input" (fn this.validateKey index)}}
+            class="input"
+          />
+        </div>
+        <div class="column">
+          {{#if (has-block)}}
+            {{yield row this.kvData}}
+          {{else if @isMasked}}
+            <MaskedInput
+              data-test-kv-value={{index}}
+              @name={{row.name}}
+              @onChange={{fn this.updateRow row index}}
+              @value={{row.value}}
+            />
+          {{else}}
+            <Textarea
+              data-test-kv-value={{index}}
+              name={{row.name}}
+              class="input {{if @validationError 'has-error-border'}}"
+              @value={{row.value}}
+              wrap="off"
+              placeholder={{this.placeholders.value}}
+              rows={{1}}
+              {{on "change" (fn this.updateRow row index)}}
+              {{on "keyup" this.handleKeyUp}}
+            />
+          {{/if}}
+        </div>
+        <div class="column is-1">
+          {{#if (eq this.kvData.length (inc index))}}
+            <Hds::Button @text="Add" {{on "click" this.addRow}} data-test-kv-add-row={{index}} @isFullWidth={{true}} />
+          {{else}}
+            <Hds::Button
+              @text="Delete row"
+              @color="secondary"
+              {{on "click" (fn this.deleteRow row index)}}
+              @icon="trash"
+              @isIconOnly={{true}}
+              @isFullWidth={{true}}
+              data-test-kv-delete-row={{index}}
+            />
+          {{/if}}
+        </div>
+      </div>
+      {{#if (includes index this.whitespaceWarningRows)}}
+        <div class="has-bottom-margin-s">
+          <AlertInline
+            @type="warning"
+            @message="Key contains whitespace. If this is desired, you'll need to encode it with %20 in API requests."
+            data-test-kv-whitespace-warning={{index}}
+          />
+        </div>
+      {{/if}}
+    {{/each}}
+    {{#if this.hasDuplicateKeys}}
+      <Hds::Alert data-test-duplicate-keys-warning @type="inline" @color="warning" as |A|>
+        <A.Title>Warning</A.Title>
+        <A.Description>
+          More than one key shares the same name. Please be sure to have unique key names or some data may be lost when
+          saving.
+        </A.Description>
+      </Hds::Alert>
+    {{/if}}
+  {{/if}}
+</div>
\ No newline at end of file
diff --git a/command/plugin_runtime.go b/command/plugin_runtime.go
index 38781a724879..3241a257a531 100644
--- a/command/plugin_runtime.go
+++ b/command/plugin_runtime.go
@@ -1,54 +1,265 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
 
-package command
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'ember-qunit';
+import { setupEngine } from 'ember-engines/test-support';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { click, find, render } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import { kvDataPath, kvMetadataPath } from 'vault/utils/kv-path';
+import { allowAllCapabilitiesStub } from 'vault/tests/helpers/stubs';
+import { FORM, PAGE, parseJsonEditor } from 'vault/tests/helpers/kv/kv-selectors';
+import { syncStatusResponse } from 'vault/mirage/handlers/sync';
 
-import (
-	"strings"
+module('Integration | Component | kv-v2 | Page::Secret::Details', function (hooks) {
+  setupRenderingTest(hooks);
+  setupEngine(hooks, 'kv');
+  setupMirage(hooks);
 
-	"github.com/mitchellh/cli"
-)
+  hooks.beforeEach(async function () {
+    this.store = this.owner.lookup('service:store');
+    this.server.post('/sys/capabilities-self', allowAllCapabilitiesStub());
+    this.backend = 'kv-engine';
+    this.path = 'my-secret';
+    this.pathComplex = 'my-secret-object';
+    this.version = 2;
+    this.dataId = kvDataPath(this.backend, this.path);
+    this.dataIdComplex = kvDataPath(this.backend, this.pathComplex);
+    this.metadataId = kvMetadataPath(this.backend, this.path);
 
-var _ cli.Command = (*PluginRuntimeCommand)(nil)
+    this.secretData = { foo: 'bar' };
+    this.store.pushPayload('kv/data', {
+      modelName: 'kv/data',
+      id: this.dataId,
+      secret_data: this.secretData,
+      created_time: '2023-07-20T02:12:17.379762Z',
+      custom_metadata: null,
+      deletion_time: '',
+      destroyed: false,
+      version: this.version,
+      backend: this.backend,
+      path: this.path,
+    });
+    // nested secret
+    this.secretDataComplex = {
+      foo: {
+        bar: 'baz',
+      },
+    };
+    this.store.pushPayload('kv/data', {
+      modelName: 'kv/data',
+      id: this.dataIdComplex,
+      secret_data: this.secretDataComplex,
+      created_time: '2023-08-20T02:12:17.379762Z',
+      custom_metadata: null,
+      deletion_time: '',
+      destroyed: false,
+      version: this.version,
+    });
 
-type PluginRuntimeCommand struct {
-	*BaseCommand
-}
+    const metadata = this.server.create('kv-metadatum');
+    metadata.id = this.metadataId;
+    this.store.pushPayload('kv/metadata', {
+      modelName: 'kv/metadata',
+      ...metadata,
+    });
 
-func (c *PluginRuntimeCommand) Synopsis() string {
-	return "Interact with Vault plugin runtimes catalog."
-}
+    this.metadata = this.store.peekRecord('kv/metadata', this.metadataId);
+    this.secret = this.store.peekRecord('kv/data', this.dataId);
+    this.secretComplex = this.store.peekRecord('kv/data', this.dataIdComplex);
 
-func (c *PluginRuntimeCommand) Help() string {
-	helpText := `
-Usage: vault plugin runtime <subcommand> [options] [args]
+    // this is the route model, not an ember data model
+    this.model = {
+      backend: this.backend,
+      path: this.path,
+      secret: this.secret,
+      metadata: this.metadata,
+    };
+    this.breadcrumbs = [
+      { label: 'secrets', route: 'secrets', linkExternal: true },
+      { label: this.model.backend, route: 'list' },
+      { label: this.model.path },
+    ];
+    this.modelComplex = {
+      backend: this.backend,
+      path: this.pathComplex,
+      secret: this.secretComplex,
+      metadata: this.metadata,
+    };
+  });
 
-  This command groups subcommands for interacting with Vault's plugin runtimes and the
-  plugin runtime catalog. The plugin runtime catalog is divided into types. Currently,
-  Vault only supports "container" plugin runtimes. A plugin runtime allows users to 
-  fine-tune the parameters with which a plugin is executed. For example, you can select 
-  a different OCI-compatible runtime, or set resource limits. A plugin runtime can 
-  optionally be referenced during plugin registration. A type must be specified on each call. 
-  Here are a few examples of the plugin runtime commands.
+  test('it renders secret details and toggles json view', async function (assert) {
+    assert.expect(8);
+    this.server.get(`sys/sync/associations/:mount/*name`, (schema, req) => {
+      assert.ok(true, 'request made to fetch sync status');
+      // no records so response returns 404
+      return syncStatusResponse(schema, req);
+    });
 
-  List all available plugin runtimes in the catalog of a particular type:
+    await render(
+      hbs`
+       <Page::Secret::Details
+        @path={{this.model.path}}
+        @secret={{this.model.secret}}
+        @metadata={{this.model.metadata}}
+        @breadcrumbs={{this.breadcrumbs}}
+      />
+      `,
+      { owner: this.engine }
+    );
 
-      $ vault plugin runtime list -type=container
+    assert
+      .dom(PAGE.detail.syncAlert())
+      .doesNotExist('sync page alert banner does not render when sync status errors');
+    assert.dom(PAGE.title).includesText(this.model.path, 'renders secret path as page title');
+    assert.dom(PAGE.infoRowValue('foo')).exists('renders row for secret data');
+    assert.dom(PAGE.infoRowValue('foo')).hasText('***********');
+    await click(FORM.toggleMasked);
+    assert.dom(PAGE.infoRowValue('foo')).hasText('bar', 'renders secret value');
+    await click(FORM.toggleJson);
+    assert.propEqual(parseJsonEditor(find), this.secretData, 'json editor renders secret data');
+    assert
+      .dom(PAGE.detail.versionTimestamp)
+      .includesText(`Version ${this.version} created`, 'renders version and time created');
+  });
 
-  Register a new plugin runtime to the catalog as a particular type:
+  test('it renders json view when secret is complex', async function (assert) {
+    assert.expect(3);
+    await render(
+      hbs`
+       <Page::Secret::Details
+        @path={{this.modelComplex.path}}
+        @secret={{this.modelComplex.secret}}
+        @breadcrumbs={{this.breadcrumbs}}
+      />
+      `,
+      { owner: this.engine }
+    );
+    assert.dom(PAGE.infoRowValue('foo')).doesNotExist('does not render rows of secret data');
+    assert.dom(FORM.toggleJson).isDisabled();
+    assert.dom('[data-test-component="code-mirror-modifier"]').includesText(`{ "foo": { "bar": "baz" }}`);
+  });
 
-      $ vault plugin runtime register -type=container -oci_runtime=my-oci-runtime my-custom-plugin-runtime
+  test('it renders deleted empty state', async function (assert) {
+    assert.expect(3);
+    this.secret.deletionTime = '2023-07-23T02:12:17.379762Z';
+    await render(
+      hbs`
+       <Page::Secret::Details
+        @path={{this.model.path}}
+        @secret={{this.model.secret}}
+        @metadata={{this.model.metadata}}
+        @breadcrumbs={{this.breadcrumbs}}
+      />
+      `,
+      { owner: this.engine }
+    );
+    assert.dom(PAGE.emptyStateTitle).hasText('Version 2 of this secret has been deleted');
+    assert
+      .dom(PAGE.emptyStateMessage)
+      .hasText(
+        'This version has been deleted but can be undeleted. View other versions of this secret by clicking the Version History tab above.'
+      );
+    assert
+      .dom(PAGE.detail.versionTimestamp)
+      .includesText(`Version ${this.version} deleted`, 'renders version and time deleted');
+  });
 
-  Get information about a plugin runtime in the catalog listed under a particular type:
+  test('it renders destroyed empty state', async function (assert) {
+    assert.expect(2);
+    this.secret.destroyed = true;
+    await render(
+      hbs`
+       <Page::Secret::Details
+        @path={{this.model.path}}
+        @secret={{this.model.secret}}
+        @metadata={{this.model.metadata}}
+        @breadcrumbs={{this.breadcrumbs}}
+      />
+      `,
+      { owner: this.engine }
+    );
+    assert.dom(PAGE.emptyStateTitle).hasText('Version 2 of this secret has been permanently destroyed');
+    assert
+      .dom(PAGE.emptyStateMessage)
+      .hasText(
+        'A version that has been permanently deleted cannot be restored. You can view other versions of this secret in the Version History tab above.'
+      );
+  });
 
-      $ vault plugin runtime info -type=container my-custom-plugin-runtime
+  test('it renders secret version dropdown', async function (assert) {
+    assert.expect(9);
 
-  Please see the individual subcommand help for detailed usage information.
-`
+    await render(
+      hbs`
+       <Page::Secret::Details
+        @path={{this.model.path}}
+        @secret={{this.model.secret}}
+        @metadata={{this.model.metadata}}
+        @breadcrumbs={{this.breadcrumbs}}
+      />
+      `,
+      { owner: this.engine }
+    );
 
-	return strings.TrimSpace(helpText)
-}
+    assert.dom(PAGE.detail.versionTimestamp).includesText(this.version, 'renders version');
+    assert.dom(PAGE.detail.versionDropdown).hasText(`Version ${this.secret.version}`);
+    await click(PAGE.detail.versionDropdown);
 
-func (c *PluginRuntimeCommand) Run(args []string) int {
-	return cli.RunResultHelp
-}
+    for (const version in this.metadata.versions) {
+      const data = this.metadata.versions[version];
+      assert.dom(PAGE.detail.version(version)).exists(`renders ${version} in dropdown menu`);
+
+      if (data.destroyed || data.deletion_time) {
+        assert
+          .dom(`${PAGE.detail.version(version)} [data-test-icon="x-square-fill"]`)
+          .hasClass(`${data.destroyed ? 'has-text-danger' : 'has-text-grey'}`);
+      }
+    }
+
+    assert
+      .dom(`${PAGE.detail.version(this.metadata.currentVersion)} [data-test-icon="check-circle"]`)
+      .exists('renders current version icon');
+  });
+
+  test('it renders sync status page alert', async function (assert) {
+    assert.expect(3); // assert count important because confirms request made to fetch sync status twice
+    const destinationName = 'my-destination';
+    this.server.create('sync-association', {
+      type: 'aws-sm',
+      name: destinationName,
+      mount: this.backend,
+      secret_name: this.path,
+    });
+    this.server.get('sys/sync/associations/:mount/*name', (schema, req) => {
+      // this assertion should be hit twice, once on init and again when the 'Refresh' button is clicked
+      assert.ok(true, 'request made to fetch sync status');
+      return syncStatusResponse(schema, req);
+    });
+
+    await render(
+      hbs`
+       <Page::Secret::Details
+        @path={{this.model.path}}
+        @secret={{this.model.secret}}
+        @metadata={{this.model.metadata}}
+        @breadcrumbs={{this.breadcrumbs}}
+      />
+      `,
+      { owner: this.engine }
+    );
+
+    assert
+      .dom(PAGE.detail.syncAlert(destinationName))
+      .hasTextContaining(
+        'Synced my-destination - last updated September',
+        'renders sync status alert banner'
+      );
+
+    // sync status refresh button
+    await click(`${PAGE.detail.syncAlert()} button`);
+  });
+});
diff --git a/command/plugin_runtime_deregister.go b/command/plugin_runtime_deregister.go
index dfadc20a0972..5e6fe4a449bd 100644
--- a/command/plugin_runtime_deregister.go
+++ b/command/plugin_runtime_deregister.go
@@ -1,124 +1,148 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"context"
-	"fmt"
-	"strings"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*PluginRuntimeDeregisterCommand)(nil)
-	_ cli.CommandAutocomplete = (*PluginRuntimeDeregisterCommand)(nil)
-)
-
-type PluginRuntimeDeregisterCommand struct {
-	*BaseCommand
-
-	flagType string
-}
-
-func (c *PluginRuntimeDeregisterCommand) Synopsis() string {
-	return "Deregister an existing plugin runtime in the catalog"
-}
-
-func (c *PluginRuntimeDeregisterCommand) Help() string {
-	helpText := `
-Usage: vault plugin runtime deregister [options] NAME
-
-  Deregister an existing plugin runtime in the catalog with the given name. If
-  any registered plugin references the plugin runtime, an error is returned. If
-  the plugin runtime does not exist, an error is returned. The -type flag
-  currently only accepts "container".
-
-  Deregister a plugin runtime:
-
-      $ vault plugin runtime deregister -type=container my-plugin-runtime
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *PluginRuntimeDeregisterCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
-
-	f := set.NewFlagSet("Command Options")
-
-	f.StringVar(&StringVar{
-		Name:       "type",
-		Target:     &c.flagType,
-		Completion: complete.PredictAnything,
-		Usage:      "Plugin runtime type. Vault currently only supports \"container\" runtime type.",
-	})
-
-	return set
-}
-
-func (c *PluginRuntimeDeregisterCommand) AutocompleteArgs() complete.Predictor {
-	return nil
-}
-
-func (c *PluginRuntimeDeregisterCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *PluginRuntimeDeregisterCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	runtimeTyeRaw := strings.TrimSpace(c.flagType)
-	if len(runtimeTyeRaw) == 0 {
-		c.UI.Error("-type is required for plugin runtime deregistration")
-		return 1
-	}
-
-	runtimeType, err := api.ParsePluginRuntimeType(runtimeTyeRaw)
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	var runtimeNameRaw string
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
-
-	// This case should come after invalid cases have been checked
-	case len(args) == 1:
-		runtimeNameRaw = args[0]
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	runtimeName := strings.TrimSpace(runtimeNameRaw)
-	if err = client.Sys().DeregisterPluginRuntime(context.Background(), &api.DeregisterPluginRuntimeInput{
-		Name: runtimeName,
-		Type: runtimeType,
-	}); err != nil {
-		c.UI.Error(fmt.Sprintf("Error deregistering plugin runtime named %s: %s", runtimeName, err))
-		return 2
-	}
-
-	c.UI.Output(fmt.Sprintf("Success! Deregistered plugin runtime: %s", runtimeName))
-	return 0
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'ember-qunit';
+import { setupEngine } from 'ember-engines/test-support';
+import { render } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import { PAGE } from 'vault/tests/helpers/kv/kv-selectors';
+/* eslint-disable no-useless-escape */
+
+module('Integration | Component | kv-v2 | Page::Secret::Paths', function (hooks) {
+  setupRenderingTest(hooks);
+  setupEngine(hooks, 'kv');
+
+  hooks.beforeEach(async function () {
+    this.backend = 'kv-engine';
+    this.path = 'my-secret';
+    this.breadcrumbs = [
+      { label: 'secrets', route: 'secrets', linkExternal: true },
+      { label: this.backend, route: 'list' },
+      { label: this.path },
+    ];
+
+    this.assertClipboard = (assert, element, expected) => {
+      assert.dom(element).hasAttribute('data-test-copy-button', expected);
+    };
+  });
+
+  test('it renders copyable paths', async function (assert) {
+    assert.expect(6);
+
+    const paths = [
+      { label: 'API path', expected: `/v1/${this.backend}/data/${this.path}` },
+      { label: 'CLI path', expected: `-mount="${this.backend}" "${this.path}"` },
+      { label: 'API path for metadata', expected: `/v1/${this.backend}/metadata/${this.path}` },
+    ];
+
+    await render(
+      hbs`
+<Page::Secret::Paths
+  @path={{this.path}}
+  @backend={{this.backend}}
+  @breadcrumbs={{this.breadcrumbs}}
+/>
+      `,
+      { owner: this.engine }
+    );
+
+    for (const path of paths) {
+      assert.dom(PAGE.infoRowValue(path.label)).hasText(path.expected);
+      this.assertClipboard(assert, PAGE.paths.copyButton(path.label), path.expected);
+    }
+  });
+
+  test('it renders copyable encoded mount and secret paths', async function (assert) {
+    assert.expect(6);
+    this.path = `my spacey!"secret`;
+    this.backend = `my fancy!"backend`;
+    const backend = encodeURIComponent(this.backend);
+    const path = encodeURIComponent(this.path);
+    const paths = [
+      {
+        label: 'API path',
+        expected: `/v1/${backend}/data/${path}`,
+      },
+      { label: 'CLI path', expected: `-mount="${this.backend}" "${this.path}"` },
+      {
+        label: 'API path for metadata',
+        expected: `/v1/${backend}/metadata/${path}`,
+      },
+    ];
+
+    await render(
+      hbs`
+<Page::Secret::Paths
+  @path={{this.path}}
+  @backend={{this.backend}}
+  @breadcrumbs={{this.breadcrumbs}}
+/>
+      `,
+      { owner: this.engine }
+    );
+
+    for (const path of paths) {
+      assert.dom(PAGE.infoRowValue(path.label)).hasText(path.expected);
+      this.assertClipboard(assert, PAGE.paths.copyButton(path.label), path.expected);
+    }
+  });
+
+  test('it renders copyable commands', async function (assert) {
+    assert.expect(4);
+    const url = `https://127.0.0.1:8200/v1/${this.backend}/data/${this.path}`;
+    const expected = {
+      cli: `vault kv get -mount="${this.backend}" "${this.path}"`,
+      apiDisplay: `curl \\ --header \"X-Vault-Token: ...\" \\ --request GET \\ ${url}`,
+      apiCopy: `curl  --header \"X-Vault-Token: ...\"  --request GET \ ${url}`,
+    };
+    await render(
+      hbs`
+<Page::Secret::Paths
+  @path={{this.path}}
+  @backend={{this.backend}}
+  @breadcrumbs={{this.breadcrumbs}}
+/>
+      `,
+      { owner: this.engine }
+    );
+
+    assert.dom(PAGE.paths.codeSnippet('cli')).hasText(expected.cli);
+    assert.dom(PAGE.paths.snippetCopy('cli')).hasAttribute('data-test-copy-button', expected.cli);
+    assert.dom(PAGE.paths.codeSnippet('api')).hasText(expected.apiDisplay);
+    assert.dom(PAGE.paths.snippetCopy('api')).hasAttribute('data-test-copy-button', expected.apiCopy);
+  });
+
+  test('it renders copyable encoded mount and path commands', async function (assert) {
+    assert.expect(4);
+    this.path = `my spacey!"secret`;
+    this.backend = `my fancy!"backend`;
+
+    const backend = encodeURIComponent(this.backend);
+    const path = encodeURIComponent(this.path);
+    const url = `https://127.0.0.1:8200/v1/${backend}/data/${path}`;
+
+    const expected = {
+      cli: `vault kv get -mount="${this.backend}" "${this.path}"`,
+      apiDisplay: `curl \\ --header \"X-Vault-Token: ...\" \\ --request GET \\ ${url}`,
+      apiCopy: `curl  --header \"X-Vault-Token: ...\"  --request GET \ ${url}`,
+    };
+    await render(
+      hbs`
+<Page::Secret::Paths
+  @path={{this.path}}
+  @backend={{this.backend}}
+  @breadcrumbs={{this.breadcrumbs}}
+/>
+      `,
+      { owner: this.engine }
+    );
+
+    assert.dom(PAGE.paths.codeSnippet('cli')).hasText(expected.cli);
+    assert.dom(PAGE.paths.snippetCopy('cli')).hasAttribute('data-test-copy-button', expected.cli);
+    assert.dom(PAGE.paths.codeSnippet('api')).hasText(expected.apiDisplay);
+    assert.dom(PAGE.paths.snippetCopy('api')).hasAttribute('data-test-copy-button', expected.apiCopy);
+  });
+});
diff --git a/command/plugin_runtime_deregister_test.go b/command/plugin_runtime_deregister_test.go
index 5cd411d5f700..87aad84cc2c0 100644
--- a/command/plugin_runtime_deregister_test.go
+++ b/command/plugin_runtime_deregister_test.go
@@ -1,116 +1,469 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"regexp"
-	"strings"
-	"testing"
-
-	"github.com/mitchellh/cli"
-)
-
-func testPluginRuntimeDeregisterCommand(tb testing.TB) (*cli.MockUi, *PluginRuntimeDeregisterCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &PluginRuntimeDeregisterCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestPluginRuntimeDeregisterCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"not_enough_args",
-			[]string{"-type=container"},
-			"Not enough arguments",
-			1,
-		},
-		{
-			"too_many_args",
-			[]string{"-type=container", "foo", "baz"},
-			"Too many arguments",
-			1,
-		},
-		{
-			"invalid_runtime_type",
-			[]string{"-type=foo", "bar"},
-			"\"foo\" is not a supported plugin runtime type",
-			2,
-		},
-		{
-			"info_container_on_empty_plugin_runtime_catalog",
-			[]string{"-type=container", "my-plugin-runtime"},
-			"Error deregistering plugin runtime named my-plugin-runtime",
-			2,
-		},
-	}
-
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, tc := range cases {
-			tc := tc
-
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
-
-				client, closer := testVaultServer(t)
-				defer closer()
-
-				ui, cmd := testPluginRuntimeDeregisterCommand(t)
-				cmd.client = client
-
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				matcher := regexp.MustCompile(tc.out)
-				if !matcher.MatchString(combined) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
-	})
-
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerBad(t)
-		defer closer()
-
-		ui, cmd := testPluginRuntimeDeregisterCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{"-type=container", "my-plugin-runtime"})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Error deregistering plugin runtime named my-plugin-runtime"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testPluginRuntimeDeregisterCommand(t)
-		assertNoTabs(t, cmd)
-	})
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { v4 as uuidv4 } from 'uuid';
+import { click, currentURL, fillIn, findAll, setupOnerror, typeIn, visit } from '@ember/test-helpers';
+import { setupApplicationTest } from 'vault/tests/helpers';
+import authPage from 'vault/tests/pages/auth';
+import {
+  createPolicyCmd,
+  deleteEngineCmd,
+  mountEngineCmd,
+  runCmd,
+  createTokenCmd,
+} from 'vault/tests/helpers/commands';
+import {
+  dataPolicy,
+  deleteVersionsPolicy,
+  destroyVersionsPolicy,
+  metadataListPolicy,
+  metadataPolicy,
+} from 'vault/tests/helpers/policy-generator/kv';
+import { clearRecords, writeSecret, writeVersionedSecret } from 'vault/tests/helpers/kv/kv-run-commands';
+import { FORM, PAGE } from 'vault/tests/helpers/kv/kv-selectors';
+import codemirror from 'vault/tests/helpers/codemirror';
+
+/**
+ * This test set is for testing edge cases, such as specific bug fixes or reported user workflows
+ */
+module('Acceptance | kv-v2 workflow | edge cases', function (hooks) {
+  setupApplicationTest(hooks);
+
+  hooks.beforeEach(async function () {
+    const uid = uuidv4();
+    this.backend = `kv-edge-${uid}`;
+    this.rootSecret = 'root-directory';
+    this.fullSecretPath = `${this.rootSecret}/nested/child-secret`;
+    await authPage.login();
+    await runCmd(mountEngineCmd('kv-v2', this.backend), false);
+    await writeSecret(this.backend, this.fullSecretPath, 'foo', 'bar');
+    await writeSecret(this.backend, 'edge/one', 'foo', 'bar');
+    await writeSecret(this.backend, 'edge/two', 'foo', 'bar');
+    return;
+  });
+
+  hooks.afterEach(async function () {
+    await authPage.login();
+    await runCmd(deleteEngineCmd(this.backend));
+    return;
+  });
+
+  module('persona with read and list access on the secret level', function (hooks) {
+    // see github issue for more details https://github.com/hashicorp/vault/issues/5362
+    hooks.beforeEach(async function () {
+      const secretPath = `${this.rootSecret}/*`; // user has LIST and READ access within this root secret directory
+      const capabilities = ['list', 'read'];
+      const backend = this.backend;
+      const token = await runCmd([
+        createPolicyCmd(
+          'nested-secret-list-reader',
+          metadataPolicy({ backend, secretPath, capabilities }) +
+            dataPolicy({ backend, secretPath, capabilities })
+        ),
+        createTokenCmd('nested-secret-list-reader'),
+      ]);
+      await authPage.login(token);
+    });
+
+    test('it can navigate to secrets within a secret directory', async function (assert) {
+      assert.expect(21);
+      const backend = this.backend;
+      const [root, subdirectory, secret] = this.fullSecretPath.split('/');
+
+      await visit(`/vault/secrets/${backend}/kv/list`);
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list`, 'lands on secrets list page');
+
+      await typeIn(PAGE.list.overviewInput, `${root}/no-access/`);
+      assert
+        .dom(PAGE.list.overviewButton)
+        .hasText('View list', 'shows list and not secret because search is a directory');
+      await click(PAGE.list.overviewButton);
+      assert.dom(PAGE.emptyStateTitle).hasText(`There are no secrets matching "${root}/no-access/".`);
+
+      await visit(`/vault/secrets/${backend}/kv/list`);
+      await typeIn(PAGE.list.overviewInput, `${root}/`); // add slash because this is a directory
+      await click(PAGE.list.overviewButton);
+
+      // URL correct
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/list/${root}/`,
+        'visits list-directory of root'
+      );
+
+      // Title correct
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
+      // Tabs correct
+      assert.dom(PAGE.secretTab('Secrets')).hasText('Secrets');
+      assert.dom(PAGE.secretTab('Secrets')).hasClass('active');
+      assert.dom(PAGE.secretTab('Configuration')).hasText('Configuration');
+      assert.dom(PAGE.secretTab('Configuration')).doesNotHaveClass('active');
+      // Toolbar correct
+      assert.dom(PAGE.toolbarAction).exists({ count: 1 }, 'toolbar only renders create secret action');
+      assert.dom(PAGE.list.filter).hasValue(`${root}/`);
+      // List content correct
+      assert.dom(PAGE.list.item(`${subdirectory}/`)).exists('renders linked block for subdirectory');
+      await click(PAGE.list.item(`${subdirectory}/`));
+      assert.dom(PAGE.list.item(secret)).exists('renders linked block for child secret');
+      await click(PAGE.list.item(secret));
+      // Secret details visible
+      assert.dom(PAGE.title).hasText(this.fullSecretPath);
+      assert.dom(PAGE.secretTab('Secret')).hasText('Secret');
+      assert.dom(PAGE.secretTab('Secret')).hasClass('active');
+      assert.dom(PAGE.secretTab('Metadata')).hasText('Metadata');
+      assert.dom(PAGE.secretTab('Metadata')).doesNotHaveClass('active');
+      assert.dom(PAGE.secretTab('Version History')).hasText('Version History');
+      assert.dom(PAGE.secretTab('Version History')).doesNotHaveClass('active');
+      assert.dom(PAGE.toolbarAction).exists({ count: 5 }, 'toolbar renders all actions');
+    });
+
+    test('it navigates back to engine index route via breadcrumbs from secret details', async function (assert) {
+      assert.expect(6);
+      const backend = this.backend;
+      const [root, subdirectory, secret] = this.fullSecretPath.split('/');
+
+      await visit(`vault/secrets/${backend}/kv/${encodeURIComponent(this.fullSecretPath)}/details?version=1`);
+      // navigate back through crumbs
+      let previousCrumb = findAll('[data-test-breadcrumbs] li').length - 2;
+      await click(PAGE.breadcrumbAtIdx(previousCrumb));
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/list/${root}/${subdirectory}/`,
+        'goes back to subdirectory list'
+      );
+      assert.dom(PAGE.list.filter).hasValue(`${root}/${subdirectory}/`);
+      assert.dom(PAGE.list.item(secret)).exists('renders linked block for child secret');
+
+      // back again
+      previousCrumb = findAll('[data-test-breadcrumbs] li').length - 2;
+      await click(PAGE.breadcrumbAtIdx(previousCrumb));
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/list/${root}/`,
+        'goes back to root directory'
+      );
+      assert.dom(PAGE.list.item(`${subdirectory}/`)).exists('renders linked block for subdirectory');
+
+      // and back to the engine list view
+      previousCrumb = findAll('[data-test-breadcrumbs] li').length - 2;
+      await click(PAGE.breadcrumbAtIdx(previousCrumb));
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/list`,
+        'navigates back to engine list from crumbs'
+      );
+    });
+
+    test('it handles errors when attempting to view details of a secret that is a directory', async function (assert) {
+      assert.expect(7);
+      const backend = this.backend;
+      const [root, subdirectory] = this.fullSecretPath.split('/');
+      setupOnerror((error) => assert.strictEqual(error.httpStatus, 404), '404 error is thrown'); // catches error so qunit test doesn't fail
+
+      await visit(`/vault/secrets/${backend}/kv/list`);
+      await typeIn(PAGE.list.overviewInput, `${root}/${subdirectory}`); // intentionally leave out trailing slash
+      await click(PAGE.list.overviewButton);
+      assert.dom(PAGE.error.title).hasText('404 Not Found');
+      assert
+        .dom(PAGE.error.message)
+        .hasText(`Sorry, we were unable to find any content at /v1/${backend}/data/${root}/${subdirectory}.`);
+
+      assert.dom(PAGE.breadcrumbAtIdx(0)).hasText('secrets');
+      assert.dom(PAGE.breadcrumbAtIdx(1)).hasText(backend);
+      assert.dom(PAGE.secretTab('Secrets')).doesNotHaveClass('is-active');
+      assert.dom(PAGE.secretTab('Configuration')).doesNotHaveClass('is-active');
+    });
+  });
+
+  module('destruction without read', function (hooks) {
+    hooks.beforeEach(async function () {
+      const backend = this.backend;
+      const testSecrets = [
+        'data-delete-only',
+        'delete-version-only',
+        'destroy-version-only',
+        'destroy-metadata-only',
+      ];
+
+      // user has different permissions for each secret path
+      const token = await runCmd([
+        createPolicyCmd(
+          'destruction-no-read',
+          dataPolicy({ backend, secretPath: 'data-delete-only', capabilities: ['delete'] }) +
+            deleteVersionsPolicy({ backend, secretPath: 'delete-version-only' }) +
+            destroyVersionsPolicy({ backend, secretPath: 'destroy-version-only' }) +
+            metadataPolicy({ backend, secretPath: 'destroy-metadata-only', capabilities: ['delete'] }) +
+            metadataListPolicy(backend)
+        ),
+        createTokenCmd('destruction-no-read'),
+      ]);
+      for (const secret of testSecrets) {
+        await writeVersionedSecret(backend, secret, 'foo', 'bar', 2);
+      }
+      await authPage.login(token);
+    });
+
+    test('it renders the delete action and disables delete this version option', async function (assert) {
+      assert.expect(4);
+      const testSecret = 'data-delete-only';
+      await visit(`/vault/secrets/${this.backend}/kv/${testSecret}/details`);
+
+      assert.dom(PAGE.detail.delete).exists('renders delete button');
+      await click(PAGE.detail.delete);
+      assert
+        .dom(PAGE.detail.deleteModal)
+        .hasTextContaining('Delete this version This deletes a specific version of the secret');
+      assert.dom(PAGE.detail.deleteOption).isDisabled('disables version specific option');
+      assert.dom(PAGE.detail.deleteOptionLatest).isEnabled('enables version specific option');
+    });
+
+    test('it renders the delete action and disables delete latest version option', async function (assert) {
+      assert.expect(4);
+      const testSecret = 'delete-version-only';
+      await visit(`/vault/secrets/${this.backend}/kv/${testSecret}/details`);
+
+      assert.dom(PAGE.detail.delete).exists('renders delete button');
+      await click(PAGE.detail.delete);
+      assert
+        .dom(PAGE.detail.deleteModal)
+        .hasTextContaining('Delete this version This deletes a specific version of the secret');
+
+      assert.dom(PAGE.detail.deleteOption).isEnabled('enables version specific option');
+      assert.dom(PAGE.detail.deleteOptionLatest).isDisabled('disables version specific option');
+    });
+
+    test('it hides destroy option without version number', async function (assert) {
+      assert.expect(1);
+      const testSecret = 'destroy-version-only';
+      await visit(`/vault/secrets/${this.backend}/kv/${testSecret}/details`);
+
+      assert.dom(PAGE.detail.destroy).doesNotExist();
+    });
+
+    test('it renders the destroy metadata action and expected modal copy', async function (assert) {
+      assert.expect(2);
+
+      const testSecret = 'destroy-metadata-only';
+      await visit(`/vault/secrets/${this.backend}/kv/${testSecret}/metadata`);
+      assert.dom(PAGE.metadata.deleteMetadata).exists('renders delete metadata button');
+      await click(PAGE.metadata.deleteMetadata);
+      assert
+        .dom(PAGE.detail.deleteModal)
+        .hasText(
+          'Delete metadata and secret data? This will permanently delete the metadata and versions of the secret. All version history will be removed. This cannot be undone. Confirm Cancel'
+        );
+    });
+  });
+
+  test('no ghost item after editing metadata', async function (assert) {
+    await visit(`/vault/secrets/${this.backend}/kv/list/edge/`);
+    assert.dom(PAGE.list.item()).exists({ count: 2 }, 'two secrets are listed');
+    await click(PAGE.list.item('two'));
+    await click(PAGE.secretTab('Metadata'));
+    await click(PAGE.metadata.editBtn);
+    await fillIn(FORM.keyInput(), 'foo');
+    await fillIn(FORM.valueInput(), 'bar');
+    await click(FORM.saveBtn);
+    await click(PAGE.breadcrumbAtIdx(2));
+    assert.dom(PAGE.list.item()).exists({ count: 2 }, 'two secrets are listed');
+  });
+
+  test('complex values default to JSON display', async function (assert) {
+    await visit(`/vault/secrets/${this.backend}/kv/create`);
+    await fillIn(FORM.inputByAttr('path'), 'complex');
+
+    await click(FORM.toggleJson);
+    assert.strictEqual(codemirror().getValue(), '{ "": "" }');
+    codemirror().setValue('{ "foo3": { "name": "bar3" } }');
+    await click(FORM.saveBtn);
+    // Future: test that json is automatic on details too
+    await click(PAGE.detail.createNewVersion);
+    assert.dom(FORM.toggleJson).isDisabled();
+    assert.dom(FORM.toggleJson).isChecked();
+  });
+});
+
+// NAMESPACE TESTS
+module('Acceptance | Enterprise | kv-v2 workflow | edge cases', function (hooks) {
+  setupApplicationTest(hooks);
+
+  const navToEngine = async (backend) => {
+    await click('[data-test-sidebar-nav-link="Secrets Engines"]');
+    return await click(PAGE.backends.link(backend));
+  };
+
+  const assertDeleteActions = (assert, expected = ['delete', 'destroy']) => {
+    ['delete', 'destroy', 'undelete'].forEach((toolbar) => {
+      if (expected.includes(toolbar)) {
+        assert.dom(PAGE.detail[toolbar]).exists(`${toolbar} toolbar action exists`);
+      } else {
+        assert.dom(PAGE.detail[toolbar]).doesNotExist(`${toolbar} toolbar action not rendered`);
+      }
+    });
+  };
+
+  const assertVersionDropdown = async (assert, deleted = [], versions = [2, 1]) => {
+    assert.dom(PAGE.detail.versionDropdown).hasText(`Version ${versions[0]}`);
+    await click(PAGE.detail.versionDropdown);
+    versions.forEach((num) => {
+      assert.dom(PAGE.detail.version(num)).exists(`renders version ${num} link in dropdown`);
+    });
+    // also asserts destroyed icon
+    deleted.forEach((num) => {
+      assert.dom(`${PAGE.detail.version(num)} [data-test-icon="x-square"]`);
+    });
+  };
+
+  // each test uses a different secret path
+  hooks.beforeEach(async function () {
+    const uid = uuidv4();
+    this.store = this.owner.lookup('service:store');
+    this.backend = `kv-enterprise-edge-${uid}`;
+    this.namespace = `ns-${uid}`;
+    await authPage.login();
+    await runCmd([`write sys/namespaces/${this.namespace} -force`]);
+    return;
+  });
+
+  hooks.afterEach(async function () {
+    await authPage.login();
+    await runCmd([`delete /sys/auth/${this.namespace}`]);
+    await runCmd(deleteEngineCmd(this.backend));
+    return;
+  });
+
+  module('admin persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      await authPage.loginNs(this.namespace);
+      // mount engine within namespace
+      await runCmd(mountEngineCmd('kv-v2', this.backend), false);
+      clearRecords(this.store);
+      return;
+    });
+    hooks.afterEach(async function () {
+      // visit logout with namespace query param because we're transitioning from within an engine
+      // and navigating directly to /vault/auth caused test context routing problems :(
+      await visit(`/vault/logout?namespace=${this.namespace}`);
+      await authPage.namespaceInput(''); // clear login form namespace input
+    });
+
+    test('namespace: it can create a secret and new secret version', async function (assert) {
+      assert.expect(15);
+      const backend = this.backend;
+      const ns = this.namespace;
+      const secret = 'my-create-secret';
+      await navToEngine(backend);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/list?namespace=${ns}`,
+        'navigates to list'
+      );
+      // Create first version of secret
+      await click(PAGE.list.createSecret);
+      await fillIn(FORM.inputByAttr('path'), secret);
+      assert.dom(FORM.toggleMetadata).exists('Shows metadata toggle when creating new secret');
+      await fillIn(FORM.keyInput(), 'foo');
+      await fillIn(FORM.maskedValueInput(), 'woahsecret');
+      await click(FORM.saveBtn);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secret}/details?namespace=${ns}&version=1`,
+        'navigates to details'
+      );
+
+      // Create a new version
+      await click(PAGE.detail.createNewVersion);
+      assert.dom(FORM.inputByAttr('path')).isDisabled('path input is disabled');
+      assert.dom(FORM.inputByAttr('path')).hasValue(secret);
+      assert.dom(FORM.toggleMetadata).doesNotExist('Does not show metadata toggle when creating new version');
+      assert.dom(FORM.keyInput()).hasValue('foo');
+      assert.dom(FORM.maskedValueInput()).hasValue('woahsecret');
+      await fillIn(FORM.keyInput(1), 'foo-two');
+      await fillIn(FORM.maskedValueInput(1), 'supersecret');
+      await click(FORM.saveBtn);
+
+      // Check details
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secret}/details?namespace=${ns}&version=2`,
+        'navigates to details'
+      );
+      await assertVersionDropdown(assert);
+      assert
+        .dom(`${PAGE.detail.version(2)} [data-test-icon="check-circle"]`)
+        .exists('renders current version icon');
+      assert.dom(PAGE.infoRowValue('foo-two')).hasText('***********');
+      await click(PAGE.infoRowToggleMasked('foo-two'));
+      assert.dom(PAGE.infoRowValue('foo-two')).hasText('supersecret', 'secret value shows after toggle');
+    });
+
+    test('namespace: it manages state throughout delete, destroy and undelete operations', async function (assert) {
+      assert.expect(34);
+      const backend = this.backend;
+      const ns = this.namespace;
+      const secret = 'my-delete-secret';
+      await writeVersionedSecret(backend, secret, 'foo', 'bar', 2, ns);
+      await navToEngine(backend);
+
+      await click(PAGE.list.item(secret));
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secret}/details?namespace=${ns}&version=2`,
+        'navigates to details'
+      );
+
+      // correct toolbar options & details show
+      assertDeleteActions(assert);
+      await assertVersionDropdown(assert);
+      // delete flow
+      await click(PAGE.detail.delete);
+      await click(PAGE.detail.deleteOption);
+      await click(PAGE.detail.deleteConfirm);
+      // check empty state and toolbar
+      assertDeleteActions(assert, ['undelete', 'destroy']);
+      assert
+        .dom(PAGE.emptyStateTitle)
+        .hasText('Version 2 of this secret has been deleted', 'Shows deleted message');
+      assert.dom(PAGE.detail.versionTimestamp).includesText('Version 2 deleted');
+      await assertVersionDropdown(assert, [2]); // important to test dropdown versions are accurate
+
+      // navigate to sibling route to make sure empty state remains for details tab
+      await click(PAGE.secretTab('Version History'));
+      assert.dom(PAGE.versions.linkedBlock()).exists({ count: 2 });
+
+      // back to secret tab to confirm deleted state
+      await click(PAGE.secretTab('Secret'));
+      // if this assertion fails, the view is rendering a stale model
+      assert.dom(PAGE.emptyStateTitle).exists('still renders empty state!!');
+      await assertVersionDropdown(assert, [2]);
+
+      // undelete flow
+      await click(PAGE.detail.undelete);
+      // details update accordingly
+      assertDeleteActions(assert, ['delete', 'destroy']);
+      assert.dom(PAGE.infoRow).exists('shows secret data');
+      assert.dom(PAGE.detail.versionTimestamp).includesText('Version 2 created');
+
+      // destroy flow
+      await click(PAGE.detail.destroy);
+      await click(PAGE.detail.deleteConfirm);
+      assertDeleteActions(assert, []);
+      assert
+        .dom(PAGE.emptyStateTitle)
+        .hasText('Version 2 of this secret has been permanently destroyed', 'Shows destroyed message');
+
+      // navigate to sibling route to make sure empty state remains for details tab
+      await click(PAGE.secretTab('Version History'));
+      assert.dom(PAGE.versions.linkedBlock()).exists({ count: 2 });
+
+      // back to secret tab to confirm destroyed state
+      await click(PAGE.secretTab('Secret'));
+      // if this assertion fails, the view is rendering a stale model
+      assert.dom(PAGE.emptyStateTitle).exists('still renders empty state!!');
+      await assertVersionDropdown(assert, [2]);
+    });
+  });
+});
diff --git a/command/plugin_runtime_info.go b/command/plugin_runtime_info.go
index b22af6c50119..24586a99e5ad 100644
--- a/command/plugin_runtime_info.go
+++ b/command/plugin_runtime_info.go
@@ -1,140 +1,1277 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
 
-package command
+import { module, test } from 'qunit';
+import { v4 as uuidv4 } from 'uuid';
+import { click, currentRouteName, currentURL, typeIn, visit, waitUntil } from '@ember/test-helpers';
+import { setupApplicationTest } from 'vault/tests/helpers';
+import authPage from 'vault/tests/pages/auth';
+import {
+  createPolicyCmd,
+  deleteEngineCmd,
+  mountEngineCmd,
+  runCmd,
+  createTokenCmd,
+  tokenWithPolicyCmd,
+} from 'vault/tests/helpers/commands';
+import { personas } from 'vault/tests/helpers/policy-generator/kv';
+import {
+  addSecretMetadataCmd,
+  clearRecords,
+  writeSecret,
+  writeVersionedSecret,
+} from 'vault/tests/helpers/kv/kv-run-commands';
+import { FORM, PAGE } from 'vault/tests/helpers/kv/kv-selectors';
+import { setupControlGroup, grantAccess } from 'vault/tests/helpers/control-groups';
 
-import (
-	"context"
-	"fmt"
-	"strings"
+const secretPath = `my-#:$=?-secret`;
+// This doesn't encode in a normal way, so hardcoding it here until we sort that out
+const secretPathUrlEncoded = `my-%23:$=%3F-secret`;
+const navToBackend = async (backend) => {
+  await visit(`/vault/secrets`);
+  return click(PAGE.backends.link(backend));
+};
+const assertCorrectBreadcrumbs = (assert, expected) => {
+  assert.dom(PAGE.breadcrumb).exists({ count: expected.length }, 'correct number of breadcrumbs');
+  const breadcrumbs = document.querySelectorAll(PAGE.breadcrumb);
+  expected.forEach((text, idx) => {
+    assert.dom(breadcrumbs[idx]).includesText(text, `position ${idx} breadcrumb includes text ${text}`);
+  });
+};
+const assertDetailTabs = (assert, current, hidden = []) => {
+  const allTabs = ['Secret', 'Metadata', 'Paths', 'Version History'];
+  allTabs.forEach((tab) => {
+    if (hidden.includes(tab)) {
+      assert.dom(PAGE.secretTab(tab)).doesNotExist(`${tab} tab does not render`);
+      return;
+    }
+    assert.dom(PAGE.secretTab(tab)).hasText(tab);
+    if (current === tab) {
+      assert.dom(PAGE.secretTab(tab)).hasClass('active');
+    } else {
+      assert.dom(PAGE.secretTab(tab)).doesNotHaveClass('active');
+    }
+  });
+};
+const DETAIL_TOOLBARS = ['delete', 'destroy', 'copy', 'versionDropdown', 'createNewVersion'];
+const assertDetailsToolbar = (assert, expected = DETAIL_TOOLBARS) => {
+  assert
+    .dom(PAGE.toolbarAction)
+    .exists({ count: expected.length }, 'correct number of toolbar actions render');
+  DETAIL_TOOLBARS.forEach((toolbar) => {
+    if (expected.includes(toolbar)) {
+      assert.dom(PAGE.detail[toolbar]).exists(`${toolbar} toolbar action exists`);
+    } else {
+      assert.dom(PAGE.detail[toolbar]).doesNotExist(`${toolbar} toolbar action not rendered`);
+    }
+  });
+};
 
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
+/**
+ * This test set is for testing the navigation, breadcrumbs, and tabs.
+ * Letter(s) in parenthesis at the end are shorthand for the persona,
+ * for ease of tracking down specific tests failures from CI
+ */
+module('Acceptance | kv-v2 workflow | navigation', function (hooks) {
+  setupApplicationTest(hooks);
 
-var (
-	_ cli.Command             = (*PluginRuntimeInfoCommand)(nil)
-	_ cli.CommandAutocomplete = (*PluginRuntimeInfoCommand)(nil)
-)
+  hooks.beforeEach(async function () {
+    const uid = uuidv4();
+    this.store = this.owner.lookup('service:store');
+    this.emptyBackend = `kv-empty-${uid}`;
+    this.backend = `kv-nav-${uid}`;
+    await authPage.login();
+    await runCmd(mountEngineCmd('kv-v2', this.emptyBackend), false);
+    await runCmd(mountEngineCmd('kv-v2', this.backend), false);
+    await writeSecret(this.backend, 'app/nested/secret', 'foo', 'bar');
+    await writeVersionedSecret(this.backend, secretPath, 'foo', 'bar', 3);
+    await runCmd(addSecretMetadataCmd(this.backend, secretPath, { max_versions: 5, cas_required: true }));
+    return;
+  });
 
-type PluginRuntimeInfoCommand struct {
-	*BaseCommand
+  hooks.afterEach(async function () {
+    await authPage.login();
+    await runCmd(deleteEngineCmd(this.backend));
+    await runCmd(deleteEngineCmd(this.emptyBackend));
+    return;
+  });
 
-	flagType string
-}
+  module('admin persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const token = await runCmd(
+        tokenWithPolicyCmd('admin', personas.admin(this.backend) + personas.admin(this.emptyBackend))
+      );
+      await authPage.login(token);
+      clearRecords(this.store);
+      return;
+    });
+    test('empty backend - breadcrumbs, title, tabs, emptyState (a)', async function (assert) {
+      assert.expect(18);
+      const backend = this.emptyBackend;
+      await navToBackend(backend);
 
-func (c *PluginRuntimeInfoCommand) Synopsis() string {
-	return "Read information about a plugin runtime in the catalog"
-}
+      // URL correct
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list`, 'lands on secrets list page');
+      // Breadcrumbs correct
+      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
+      // Title correct
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
+      // Tabs correct
+      assert.dom(PAGE.secretTab('Secrets')).hasText('Secrets');
+      assert.dom(PAGE.secretTab('Secrets')).hasClass('active');
+      assert.dom(PAGE.secretTab('Configuration')).hasText('Configuration');
+      assert.dom(PAGE.secretTab('Configuration')).doesNotHaveClass('active');
+      // Toolbar correct
+      assert.dom(PAGE.toolbar).exists({ count: 1 }, 'toolbar renders');
+      assert.dom(PAGE.list.filter).doesNotExist('List filter does not show because no secrets exists.');
+      // Page content correct
+      assert.dom(PAGE.emptyStateTitle).hasText('No secrets yet');
+      assert.dom(PAGE.emptyStateActions).hasText('Create secret');
+      assert.dom(PAGE.list.createSecret).hasText('Create secret');
 
-func (c *PluginRuntimeInfoCommand) Help() string {
-	helpText := `
-Usage: vault plugin runtime info [options] NAME
+      // Click empty state CTA
+      await click(`${PAGE.emptyStateActions} a`);
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/create`),
+        `url includes /vault/secrets/${backend}/kv/create`
+      );
 
-  Displays information about a plugin runtime in the catalog with the given name. If
-  the plugin runtime does not exist, an error is returned. The -type flag
-  currently only accepts "container".
+      // Click cancel btn
+      await click(FORM.cancelBtn);
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/list`),
+        `url includes /vault/secrets/${backend}/kv/list`
+      );
 
-  Get info about a plugin runtime:
+      // click toolbar CTA
+      await click(PAGE.list.createSecret);
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/create`),
+        `url includes /vault/secrets/${backend}/kv/create`
+      );
 
-      $ vault plugin runtime info -type=container my-plugin-runtime
+      // Click cancel btn
+      await click(FORM.cancelBtn);
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/list`),
+        `url includes /vault/secrets/${backend}/kv/list`
+      );
+    });
+    test('can access nested secret (a)', async function (assert) {
+      assert.expect(40);
+      const backend = this.backend;
+      await navToBackend(backend);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'title text correct');
+      assert.dom(PAGE.emptyStateTitle).doesNotExist('No empty state');
+      assertCorrectBreadcrumbs(assert, ['secret', backend]);
+      assert.dom(PAGE.list.filter).hasNoValue('List filter input is empty');
 
-` + c.Flags().Help()
+      // Navigate through list items
+      await click(PAGE.list.item('app/'));
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list/app/`);
+      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app']);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
+      assert.dom(PAGE.list.filter).hasValue('app/', 'List filter input is prefilled');
+      assert.dom(PAGE.list.item('nested/')).exists('Shows nested secret');
 
-	return strings.TrimSpace(helpText)
-}
+      await click(PAGE.list.item('nested/'));
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list/app/nested/`);
+      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested']);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
+      assert.dom(PAGE.list.filter).hasValue('app/nested/', 'List filter input is prefilled');
+      assert.dom(PAGE.list.item('secret')).exists('Shows deeply nested secret');
 
-func (c *PluginRuntimeInfoCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
+      await click(PAGE.list.item('secret'));
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/app%2Fnested%2Fsecret/details?version=1`
+      );
+      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested', 'secret']);
+      assert.dom(PAGE.title).hasText('app/nested/secret', 'title is full secret path');
+      assertDetailsToolbar(assert);
 
-	f := set.NewFlagSet("Command Options")
+      await click(PAGE.breadcrumbAtIdx(3));
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/list/app/nested/`),
+        'links back to list directory'
+      );
 
-	f.StringVar(&StringVar{
-		Name:       "type",
-		Target:     &c.flagType,
-		Completion: complete.PredictAnything,
-		Usage:      "Plugin runtime type. Vault currently only supports \"container\" runtime type.",
-	})
+      await click(PAGE.breadcrumbAtIdx(2));
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/list/app/`),
+        'links back to list directory'
+      );
 
-	return set
-}
+      await click(PAGE.breadcrumbAtIdx(1));
+      assert.ok(currentURL().startsWith(`/vault/secrets/${backend}/kv/list`), 'links back to list root');
+    });
+    test('is redirects to nested secret using old non-engine url (a)', async function (assert) {
+      // Reported bug, backported fix https://github.com/hashicorp/vault/pull/24281
+      assert.expect(1);
+      const backend = this.backend;
+      await visit(`/vault/secrets/${backend}/list/app/`);
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list/app/`);
+    });
+    test('versioned secret nav, tabs, breadcrumbs (a)', async function (assert) {
+      assert.expect(45);
+      const backend = this.backend;
+      await navToBackend(backend);
+      await click(PAGE.list.item(secretPath));
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=3`,
+        'Url includes version query param'
+      );
+      assert.dom(PAGE.title).hasText(secretPath, 'title is correct on detail view');
+      assertDetailTabs(assert, 'Secret');
+      assert.dom(PAGE.detail.versionDropdown).hasText('Version 3', 'Version dropdown shows current version');
+      assert.dom(PAGE.detail.createNewVersion).hasText('Create new version', 'Create version button shows');
+      assert.dom(PAGE.detail.versionTimestamp).containsText('Version 3 created');
+      assert.dom(PAGE.infoRowValue('foo')).exists('renders current data');
 
-func (c *PluginRuntimeInfoCommand) AutocompleteArgs() complete.Predictor {
-	return nil
-}
+      await click(PAGE.detail.createNewVersion);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details/edit?version=3`,
+        'Url includes version query param'
+      );
+      assert.dom(FORM.versionAlert).doesNotExist('Does not show version alert for current version');
+      assert.dom(FORM.inputByAttr('path')).isDisabled();
+
+      await click(FORM.cancelBtn);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=3`,
+        'Goes back to detail view'
+      );
+
+      await click(PAGE.detail.versionDropdown);
+      await click(`${PAGE.detail.version(1)} a`);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=1`,
+        'Goes to detail view for version 1'
+      );
+      assert.dom(PAGE.detail.versionDropdown).hasText('Version 1', 'Version dropdown shows selected version');
+      assert.dom(PAGE.detail.versionTimestamp).containsText('Version 1 created');
+      assert.dom(PAGE.infoRowValue('key-1')).exists('renders previous data');
+
+      await click(PAGE.detail.createNewVersion);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details/edit?version=1`,
+        'Url includes version query param'
+      );
+      assert.dom(FORM.inputByAttr('path')).isDisabled();
+      assert.dom(FORM.keyInput()).hasValue('key-1', 'pre-populates form with selected version data');
+      assert.dom(FORM.maskedValueInput()).hasValue('val-1', 'pre-populates form with selected version data');
+      assert.dom(FORM.versionAlert).exists('Shows version alert');
+      await click(FORM.cancelBtn);
+
+      await click(PAGE.secretTab('Metadata'));
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata`,
+        `goes to metadata page`
+      );
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
+      assert.dom(PAGE.title).hasText(secretPath);
+      assert
+        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateTitle}`)
+        .hasText('No custom metadata');
+      assert
+        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateActions}`)
+        .hasText('Add metadata', 'empty state has metadata CTA');
+      assert.dom(PAGE.metadata.editBtn).hasText('Edit metadata');
+
+      await click(PAGE.metadata.editBtn);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata/edit`,
+        `goes to metadata edit page`
+      );
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata', 'edit']);
+      await click(FORM.cancelBtn);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata`,
+        `cancel btn goes back to metadata page`
+      );
+    });
+    test('breadcrumbs & page titles are correct (a)', async function (assert) {
+      assert.expect(45);
+      const backend = this.backend;
+      await navToBackend(backend);
+      await click(PAGE.secretTab('Configuration'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, 'configuration']);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for configuration');
+
+      await click(PAGE.secretTab('Secrets'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for secret list');
+
+      await click(PAGE.list.item(secretPath));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath]);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for secret detail');
+
+      await click(PAGE.detail.createNewVersion);
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'edit']);
+      assert.dom(PAGE.title).hasText('Create New Version', 'correct page title for secret edit');
+
+      await click(PAGE.breadcrumbAtIdx(2));
+      await click(PAGE.secretTab('Metadata'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for metadata');
+
+      await click(PAGE.metadata.editBtn);
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata', 'edit']);
+      assert.dom(PAGE.title).hasText('Edit Secret Metadata', 'correct page title for metadata edit');
+
+      await click(PAGE.breadcrumbAtIdx(3));
+      await click(PAGE.secretTab('Paths'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'paths']);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for paths');
+
+      await click(PAGE.secretTab('Version History'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'version history']);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for version history');
+    });
+  });
+
+  module('data-reader persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const token = await runCmd([
+        createPolicyCmd(
+          'data-reader',
+          personas.dataReader(this.backend) + personas.dataReader(this.emptyBackend)
+        ),
+        createTokenCmd('data-reader'),
+      ]);
+      await authPage.login(token);
+      clearRecords(this.store);
+      return;
+    });
+    test('empty backend - breadcrumbs, title, tabs, emptyState (dr)', async function (assert) {
+      assert.expect(16);
+      const backend = this.emptyBackend;
+      await navToBackend(backend);
+
+      // URL correct
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list`, 'lands on secrets list page');
+      // Breadcrumbs correct
+      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
+      // Title correct
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
+      // Tabs correct
+      assert.dom(PAGE.secretTab('Secrets')).hasText('Secrets');
+      assert.dom(PAGE.secretTab('Secrets')).hasClass('active');
+      assert.dom(PAGE.secretTab('Configuration')).hasText('Configuration');
+      assert.dom(PAGE.secretTab('Configuration')).doesNotHaveClass('active');
+      // Toolbar correct
+      assert.dom(PAGE.toolbar).exists({ count: 1 }, 'toolbar renders');
+      assert
+        .dom(PAGE.list.filter)
+        .doesNotExist('list filter input does not render because no list capabilities');
+      // Page content correct
+      assert
+        .dom(PAGE.emptyStateTitle)
+        .doesNotExist('empty state does not render because no metadata access to list');
+      assert.dom(PAGE.list.overviewCard).exists('renders overview card');
+
+      await typeIn(PAGE.list.overviewInput, 'directory/');
+      await click(PAGE.list.overviewButton);
+      assert
+        .dom('[data-test-inline-error-message]')
+        .hasText('You do not have the required permissions or the directory does not exist.');
+
+      // click toolbar CTA
+      await visit(`/vault/secrets/${backend}/kv/list`);
+      await click(PAGE.list.createSecret);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/create`,
+        `url includes /vault/secrets/${backend}/kv/create`
+      );
+
+      // Click cancel btn
+      await click(FORM.cancelBtn);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/list`,
+        `url includes /vault/secrets/${backend}/kv/list`
+      );
+    });
+    test('can access nested secret (dr)', async function (assert) {
+      assert.expect(23);
+      const backend = this.backend;
+      await navToBackend(backend);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'title text correct');
+      assert.dom(PAGE.emptyStateTitle).doesNotExist('No empty state');
+      assertCorrectBreadcrumbs(assert, ['secret', backend]);
+      assert
+        .dom(PAGE.list.filter)
+        .doesNotExist('List filter input does not render because no list capabilities');
+
+      await typeIn(PAGE.list.overviewInput, 'app/nested/secret');
+      await click(PAGE.list.overviewButton);
+
+      // Goes to correct detail view
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/app%2Fnested%2Fsecret/details?version=1`
+      );
+      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested', 'secret']);
+      assert.dom(PAGE.title).hasText('app/nested/secret', 'title is full secret path');
+      assertDetailsToolbar(assert, ['copy']);
+
+      await click(PAGE.breadcrumbAtIdx(3));
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/list/app/nested/`),
+        'links back to list directory'
+      );
+
+      await click(PAGE.breadcrumbAtIdx(2));
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/list/app/`),
+        'links back to list directory'
+      );
+
+      await click(PAGE.breadcrumbAtIdx(1));
+      assert.ok(currentURL().startsWith(`/vault/secrets/${backend}/kv/list`), 'links back to list root');
+    });
+    test('versioned secret nav, tabs, breadcrumbs (dr)', async function (assert) {
+      assert.expect(28);
+      const backend = this.backend;
+      await navToBackend(backend);
+
+      // Navigate to secret
+      await typeIn(PAGE.list.overviewInput, secretPath);
+      await click(PAGE.list.overviewButton);
+
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=3`,
+        'Url includes version query param'
+      );
+      assert.dom(PAGE.title).hasText(secretPath, 'Goes to secret detail view');
+      assertDetailTabs(assert, 'Secret', ['Version History']);
+      assert.dom(PAGE.detail.versionDropdown).doesNotExist('Version dropdown hidden');
+      assert.dom(PAGE.detail.createNewVersion).doesNotExist('unable to create a new version');
+      assert.dom(PAGE.detail.versionTimestamp).containsText('Version 3 created');
+      assert.dom(PAGE.infoRowValue('foo')).exists('renders current data');
+
+      // data-reader can't navigate to older versions, but they can go to page directly
+      await visit(`/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=1`);
+      assert.dom(PAGE.detail.versionDropdown).doesNotExist('Version dropdown does not exist');
+      assert.dom(PAGE.detail.versionTimestamp).containsText('Version 1 created');
+      assert.dom(PAGE.infoRowValue('key-1')).exists('renders previous data');
+
+      assert.dom(PAGE.detail.createNewVersion).doesNotExist('cannot create new version');
+
+      await click(PAGE.secretTab('Metadata'));
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata`,
+        `goes to metadata page`
+      );
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
+      assert.dom(PAGE.title).hasText(secretPath);
+      assert.dom(PAGE.toolbarAction).doesNotExist('no toolbar actions available on metadata');
+      assert
+        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateTitle}`)
+        .hasText('No custom metadata');
+      assert
+        .dom(`${PAGE.metadata.secretMetadataSection} ${PAGE.emptyStateTitle}`)
+        .hasText('You do not have access to secret metadata');
+      assert.dom(PAGE.metadata.editBtn).doesNotExist('edit button hidden');
+    });
+    test('breadcrumbs & page titles are correct (dr)', async function (assert) {
+      assert.expect(35);
+      const backend = this.backend;
+      await navToBackend(backend);
+      await click(PAGE.secretTab('Configuration'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, 'configuration']);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'title correct on config page');
+
+      await click(PAGE.secretTab('Secrets'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'title correct on secrets list');
+
+      await typeIn(PAGE.list.overviewInput, 'app/nested/secret');
+      await click(PAGE.list.overviewButton);
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, 'app', 'nested', 'secret']);
+      assert.dom(PAGE.title).hasText('app/nested/secret', 'title correct on secret detail');
+
+      assert.dom(PAGE.detail.createNewVersion).doesNotExist('cannot create new version');
+
+      await click(PAGE.secretTab('Metadata'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, 'app', 'nested', 'secret', 'metadata']);
+      assert.dom(PAGE.title).hasText('app/nested/secret', 'title correct on metadata');
+
+      assert.dom(PAGE.metadata.editBtn).doesNotExist('cannot edit metadata');
+
+      await click(PAGE.secretTab('Paths'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, 'app', 'nested', 'secret', 'paths']);
+      assert.dom(PAGE.title).hasText('app/nested/secret', 'correct page title for paths');
+
+      assert.dom(PAGE.secretTab('Version History')).doesNotExist('Version History tab not shown');
+    });
+  });
+
+  module('data-list-reader persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const token = await runCmd([
+        createPolicyCmd(
+          'data-reader-list',
+          personas.dataListReader(this.backend) + personas.dataListReader(this.emptyBackend)
+        ),
+        createTokenCmd('data-reader-list'),
+      ]);
+
+      await authPage.login(token);
+      clearRecords(this.store);
+      return;
+    });
+    test('empty backend - breadcrumbs, title, tabs, emptyState (dlr)', async function (assert) {
+      assert.expect(18);
+      const backend = this.emptyBackend;
+      await navToBackend(backend);
+
+      // URL correct
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list`, 'lands on secrets list page');
+      // Breadcrumbs correct
+      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
+      // Title correct
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
+      // Tabs correct
+      assert.dom(PAGE.secretTab('Secrets')).hasText('Secrets');
+      assert.dom(PAGE.secretTab('Secrets')).hasClass('active');
+      assert.dom(PAGE.secretTab('Configuration')).hasText('Configuration');
+      assert.dom(PAGE.secretTab('Configuration')).doesNotHaveClass('active');
+      // Toolbar correct
+      assert.dom(PAGE.toolbar).exists({ count: 1 }, 'toolbar renders');
+      assert.dom(PAGE.list.filter).doesNotExist('List filter does not show because no secrets exists.');
+      // Page content correct
+      assert.dom(PAGE.emptyStateTitle).hasText('No secrets yet');
+      assert.dom(PAGE.emptyStateActions).hasText('Create secret');
+      assert.dom(PAGE.list.createSecret).hasText('Create secret');
+
+      // Click empty state CTA
+      await click(`${PAGE.emptyStateActions} a`);
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/create`),
+        `url includes /vault/secrets/${backend}/kv/create`
+      );
+
+      // Click cancel btn
+      await click(FORM.cancelBtn);
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/list`),
+        `url includes /vault/secrets/${backend}/kv/list`
+      );
+
+      // click toolbar CTA
+      await click(PAGE.list.createSecret);
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/create`),
+        `url includes /vault/secrets/${backend}/kv/create`
+      );
+
+      // Click cancel btn
+      await click(FORM.cancelBtn);
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/list`),
+        `url includes /vault/secrets/${backend}/kv/list`
+      );
+    });
+    test('can access nested secret (dlr)', async function (assert) {
+      assert.expect(31);
+      const backend = this.backend;
+      await navToBackend(backend);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'title text correct');
+      assert.dom(PAGE.emptyStateTitle).doesNotExist('No empty state');
+      assertCorrectBreadcrumbs(assert, ['secret', backend]);
+      assert.dom(PAGE.list.filter).hasNoValue('List filter input is empty');
+
+      // Navigate through list items
+      await click(PAGE.list.item('app/'));
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list/app/`);
+      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app']);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
+      assert.dom(PAGE.list.filter).doesNotExist('List filter hidden since no nested list access');
+
+      assert
+        .dom(PAGE.list.overviewInput)
+        .hasValue('app/', 'overview card is pre-filled with directory param');
+      await typeIn(PAGE.list.overviewInput, 'nested/secret');
+      await click(PAGE.list.overviewButton);
+
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/app%2Fnested%2Fsecret/details?version=1`
+      );
+      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested', 'secret']);
+      assert.dom(PAGE.title).hasText('app/nested/secret', 'title is full secret path');
+      assertDetailsToolbar(assert, ['delete', 'copy']);
+
+      await click(PAGE.breadcrumbAtIdx(3));
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/list/app/nested/`),
+        'links back to list directory'
+      );
+
+      await click(PAGE.breadcrumbAtIdx(2));
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/list/app/`),
+        'links back to list directory'
+      );
+
+      await click(PAGE.breadcrumbAtIdx(1));
+      assert.ok(currentURL().startsWith(`/vault/secrets/${backend}/kv/list`), 'links back to list root');
+    });
+    test('versioned secret nav, tabs, breadcrumbs (dlr)', async function (assert) {
+      assert.expect(28);
+      const backend = this.backend;
+      await navToBackend(backend);
+      await click(PAGE.list.item(secretPath));
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=3`,
+        'Url includes version query param'
+      );
+      assert.dom(PAGE.title).hasText(secretPath, 'Goes to secret detail view');
+      assertDetailTabs(assert, 'Secret', ['Version History']);
+      assert.dom(PAGE.detail.versionDropdown).doesNotExist('does not show version dropdown');
+      assert.dom(PAGE.detail.createNewVersion).doesNotExist('unable to create a new version');
+      assert.dom(PAGE.detail.versionTimestamp).containsText('Version 3 created');
+      assert.dom(PAGE.infoRowValue('foo')).exists('renders current data');
+
+      assert.dom(PAGE.detail.createNewVersion).doesNotExist('cannot create new version');
+
+      // data-list-reader can't navigate to older versions, but they can go to page directly
+      await visit(`/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=1`);
+      assert.dom(PAGE.detail.versionDropdown).doesNotExist('no version dropdown');
+      assert.dom(PAGE.detail.versionTimestamp).containsText('Version 1 created');
+      assert.dom(PAGE.infoRowValue('key-1')).exists('renders previous data');
+
+      assert.dom(PAGE.detail.createNewVersion).doesNotExist('cannot create new version from old version');
+
+      await click(PAGE.secretTab('Metadata'));
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata`,
+        `goes to metadata page`
+      );
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
+      assert.dom(PAGE.title).hasText(secretPath);
+      assert
+        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateTitle}`)
+        .hasText('No custom metadata');
+      assert
+        .dom(`${PAGE.metadata.secretMetadataSection} ${PAGE.emptyStateTitle}`)
+        .hasText('You do not have access to secret metadata');
+      assert.dom(PAGE.metadata.editBtn).doesNotExist('edit button hidden');
+    });
+    test('breadcrumbs & page titles are correct (dlr)', async function (assert) {
+      assert.expect(29);
+      const backend = this.backend;
+      await navToBackend(backend);
+
+      await click(PAGE.secretTab('Configuration'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, 'configuration']);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for configuration');
+
+      await click(PAGE.secretTab('Secrets'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for secret list');
+
+      await click(PAGE.list.item(secretPath));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath]);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for secret detail');
+
+      assert.dom(PAGE.detail.createNewVersion).doesNotExist('cannot create new version');
+
+      await click(PAGE.secretTab('Metadata'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for metadata');
+
+      assert.dom(PAGE.metadata.editBtn).doesNotExist('cannot edit metadata');
+
+      await click(PAGE.secretTab('Paths'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'paths']);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for paths');
+
+      assert.dom(PAGE.secretTab('Version History')).doesNotExist('Version History tab not shown');
+    });
+  });
 
-func (c *PluginRuntimeInfoCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
+  module('metadata-maintainer persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const token = await runCmd([
+        createPolicyCmd(
+          'metadata-maintainer',
+          personas.metadataMaintainer(this.backend) + personas.metadataMaintainer(this.emptyBackend)
+        ),
+        createTokenCmd('metadata-maintainer'),
+      ]);
+      await authPage.login(token);
+      clearRecords(this.store);
+      return;
+    });
+    test('empty backend - breadcrumbs, title, tabs, emptyState (mm)', async function (assert) {
+      assert.expect(18);
+      const backend = this.emptyBackend;
+      await navToBackend(backend);
+
+      // URL correct
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list`, 'lands on secrets list page');
+      // Breadcrumbs correct
+      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
+      // Title correct
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
+      // Tabs correct
+      assert.dom(PAGE.secretTab('Secrets')).hasText('Secrets');
+      assert.dom(PAGE.secretTab('Secrets')).hasClass('active');
+      assert.dom(PAGE.secretTab('Configuration')).hasText('Configuration');
+      assert.dom(PAGE.secretTab('Configuration')).doesNotHaveClass('active');
+      // Toolbar correct
+      assert.dom(PAGE.toolbar).exists({ count: 1 }, 'toolbar only renders create secret action');
+      assert.dom(PAGE.list.filter).doesNotExist('List filter does not show because no secrets exists.');
+      // Page content correct
+      assert.dom(PAGE.emptyStateTitle).hasText('No secrets yet');
+      assert.dom(PAGE.emptyStateActions).hasText('Create secret');
+      assert.dom(PAGE.list.createSecret).hasText('Create secret');
+
+      // Click empty state CTA
+      await click(`${PAGE.emptyStateActions} a`);
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/create`),
+        `url includes /vault/secrets/${backend}/kv/create`
+      );
+
+      // Click cancel btn
+      await click(FORM.cancelBtn);
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/list`),
+        `url includes /vault/secrets/${backend}/kv/list`
+      );
+
+      // click toolbar CTA
+      await click(PAGE.list.createSecret);
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/create`),
+        `url includes /vault/secrets/${backend}/kv/create`
+      );
+
+      // Click cancel btn
+      await click(FORM.cancelBtn);
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/list`),
+        `url includes /vault/secrets/${backend}/kv/list`
+      );
+    });
+    test('can access nested secret (mm)', async function (assert) {
+      assert.expect(41);
+      const backend = this.backend;
+      await navToBackend(backend);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'title text correct');
+      assert.dom(PAGE.emptyStateTitle).doesNotExist('No empty state');
+      assertCorrectBreadcrumbs(assert, ['secret', backend]);
+      assert.dom(PAGE.list.filter).hasNoValue('List filter input is empty');
+
+      // Navigate through list items
+      await click(PAGE.list.item('app/'));
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list/app/`);
+      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app']);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
+      assert.dom(PAGE.list.filter).hasValue('app/', 'List filter input is prefilled');
+      assert.dom(PAGE.list.item('nested/')).exists('Shows nested secret');
+
+      await click(PAGE.list.item('nested/'));
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list/app/nested/`);
+      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested']);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
+      assert.dom(PAGE.list.filter).hasValue('app/nested/', 'List filter input is prefilled');
+      assert.dom(PAGE.list.item('secret')).exists('Shows deeply nested secret');
+
+      await click(PAGE.list.item('secret'));
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/app%2Fnested%2Fsecret/details`,
+        `Goes to URL with version`
+      );
+      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested', 'secret']);
+      assert.dom(PAGE.title).hasText('app/nested/secret', 'title is full secret path');
+      assertDetailsToolbar(assert, ['delete', 'destroy', 'versionDropdown']);
+      assert.dom(PAGE.detail.versionDropdown).hasText('Version 1', 'Shows version timestamp');
+
+      await click(PAGE.breadcrumbAtIdx(3));
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/list/app/nested/`),
+        'links back to list directory'
+      );
+
+      await click(PAGE.breadcrumbAtIdx(2));
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/list/app/`),
+        'links back to list directory'
+      );
+
+      await click(PAGE.breadcrumbAtIdx(1));
+      assert.ok(currentURL().startsWith(`/vault/secrets/${backend}/kv/list`), 'links back to list root');
+    });
+    test('versioned secret nav, tabs, breadcrumbs (mm)', async function (assert) {
+      assert.expect(37);
+      const backend = this.backend;
+      await navToBackend(backend);
+      await click(PAGE.list.item(secretPath));
+
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details`,
+        'Url includes version query param'
+      );
+      assert.dom(PAGE.title).hasText(secretPath, 'Goes to secret detail view');
+      assertDetailTabs(assert, 'Secret');
+      assert.dom(PAGE.detail.versionDropdown).hasText('Version 3', 'Version dropdown shows current version');
+      assert.dom(PAGE.detail.createNewVersion).doesNotExist('Create new version button not shown');
+      assert.dom(PAGE.detail.versionTimestamp).doesNotExist('Version created text not shown');
+      assert.dom(PAGE.infoRowValue('foo')).doesNotExist('does not render current data');
+      assert
+        .dom(PAGE.emptyStateTitle)
+        .hasText('You do not have permission to read this secret', 'Shows empty state on secret detail');
+
+      await click(PAGE.detail.versionDropdown);
+      await click(`${PAGE.detail.version(1)} a`);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=1`,
+        'Goes to detail view for version 1'
+      );
+      assert.dom(PAGE.detail.versionDropdown).hasText('Version 1', 'Version dropdown shows selected version');
+
+      assert.dom(PAGE.infoRowValue('key-1')).doesNotExist('does not render previous data');
+      assert
+        .dom(PAGE.emptyStateTitle)
+        .hasText(
+          'You do not have permission to read this secret',
+          'Shows empty state on secret detail for older version'
+        );
+
+      await click(PAGE.secretTab('Metadata'));
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata`,
+        `goes to metadata page`
+      );
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
+      assert.dom(PAGE.title).hasText(secretPath);
+      assert
+        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateTitle}`)
+        .hasText('No custom metadata');
+      assert
+        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateActions}`)
+        .hasText('Add metadata', 'empty state has metadata CTA');
+      assert.dom(PAGE.metadata.editBtn).hasText('Edit metadata');
+
+      await click(PAGE.metadata.editBtn);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata/edit`,
+        `goes to metadata edit page`
+      );
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata', 'edit']);
+      await click(FORM.cancelBtn);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata`,
+        `cancel btn goes back to metadata page`
+      );
+    });
+    test('breadcrumbs & page titles are correct (mm)', async function (assert) {
+      assert.expect(39);
+      const backend = this.backend;
+      await navToBackend(backend);
+      await click(PAGE.secretTab('Configuration'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, 'configuration']);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for configuration');
+
+      await click(PAGE.secretTab('Secrets'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for secret list');
+
+      await click(PAGE.list.item(secretPath));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath]);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for secret detail');
+
+      await click(PAGE.secretTab('Metadata'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for metadata');
+
+      await click(PAGE.metadata.editBtn);
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata', 'edit']);
+      assert.dom(PAGE.title).hasText('Edit Secret Metadata', 'correct page title for metadata edit');
+
+      await click(PAGE.breadcrumbAtIdx(3));
+      await click(PAGE.secretTab('Paths'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'paths']);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for paths');
+
+      await click(PAGE.secretTab('Version History'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'version history']);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for version history');
+    });
+  });
+
+  module('secret-creator persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const token = await runCmd([
+        createPolicyCmd(
+          'secret-creator',
+          personas.secretCreator(this.backend) + personas.secretCreator(this.emptyBackend)
+        ),
+        createTokenCmd('secret-creator'),
+      ]);
+      await authPage.login(token);
+      clearRecords(this.store);
+      return;
+    });
+    test('empty backend - breadcrumbs, title, tabs, emptyState (sc)', async function (assert) {
+      assert.expect(15);
+      const backend = this.emptyBackend;
+      await navToBackend(backend);
+
+      // URL correct
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list`, 'lands on secrets list page');
+      // Breadcrumbs correct
+      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
+      // Title correct
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
+      // Tabs correct
+      assert.dom(PAGE.secretTab('Secrets')).hasText('Secrets');
+      assert.dom(PAGE.secretTab('Secrets')).hasClass('active');
+      assert.dom(PAGE.secretTab('Configuration')).hasText('Configuration');
+      assert.dom(PAGE.secretTab('Configuration')).doesNotHaveClass('active');
+      // Toolbar correct
+      assert.dom(PAGE.toolbar).exists({ count: 1 }, 'toolbar only renders create secret action');
+      assert.dom(PAGE.list.filter).doesNotExist('List filter input is not rendered');
+      // Page content correct
+      assert.dom(PAGE.list.overviewCard).exists('Overview card renders');
+      assert.dom(PAGE.list.createSecret).hasText('Create secret');
+
+      // click toolbar CTA
+      await click(PAGE.list.createSecret);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/create`,
+        `goes to /vault/secrets/${backend}/kv/create`
+      );
+
+      // Click cancel btn
+      await click(FORM.cancelBtn);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/list`,
+        `url includes /vault/secrets/${backend}/kv/list`
+      );
+    });
+    test('can access nested secret (sc)', async function (assert) {
+      assert.expect(23);
+      const backend = this.backend;
+      await navToBackend(backend);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'title text correct');
+      assert.dom(PAGE.emptyStateTitle).doesNotExist('No empty state');
+      assertCorrectBreadcrumbs(assert, ['secret', backend]);
+      assert.dom(PAGE.list.filter).doesNotExist('List filter input is not rendered');
+
+      // Navigate to secret
+      await typeIn(PAGE.list.overviewInput, 'app/nested/secret');
+      await click(PAGE.list.overviewButton);
+
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/app%2Fnested%2Fsecret/details`,
+        'goes to secret detail page'
+      );
+      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested', 'secret']);
+      assert.dom(PAGE.title).hasText('app/nested/secret', 'title is full secret path');
+      assertDetailsToolbar(assert, ['createNewVersion']);
+
+      await click(PAGE.breadcrumbAtIdx(3));
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/list/app/nested/`),
+        'links back to list directory'
+      );
+
+      await click(PAGE.breadcrumbAtIdx(2));
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/list/app/`),
+        'links back to list directory'
+      );
+
+      await click(PAGE.breadcrumbAtIdx(1));
+      assert.ok(currentURL().startsWith(`/vault/secrets/${backend}/kv/list`), 'links back to list root');
+    });
+    test('versioned secret nav, tabs, breadcrumbs (sc)', async function (assert) {
+      assert.expect(36);
+      const backend = this.backend;
+      await navToBackend(backend);
+
+      await typeIn(PAGE.list.overviewInput, secretPath);
+      await click(PAGE.list.overviewButton);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details`,
+        'Goes to detail view'
+      );
+      assert.dom(PAGE.title).hasText(secretPath, 'Goes to secret detail view');
+      assertDetailTabs(assert, 'Secret', ['Version History']);
+      assert.dom(PAGE.detail.versionDropdown).doesNotExist('Version dropdown does not render');
+      assert.dom(PAGE.detail.createNewVersion).hasText('Create new version', 'Create version button shows');
+      assert.dom(PAGE.detail.versionTimestamp).doesNotExist('Version created info is not rendered');
+      assert.dom(PAGE.infoRowValue('foo')).doesNotExist('current data not rendered');
+      assert
+        .dom(PAGE.emptyStateTitle)
+        .hasText('You do not have permission to read this secret', 'empty state shows');
+
+      await click(PAGE.detail.createNewVersion);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details/edit`,
+        'Goes to edit page'
+      );
+      assert.dom(FORM.versionAlert).doesNotExist('Does not show version alert for current version');
+      assert
+        .dom(FORM.noReadAlert)
+        .hasText(
+          'Warning You do not have read permissions for this secret data. Saving will overwrite the existing secret.',
+          'Shows warning about no read permissions'
+        );
+      assert.dom(FORM.inputByAttr('path')).isDisabled();
+
+      await click(FORM.cancelBtn);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details`,
+        'Goes back to detail view'
+      );
+
+      await visit(`/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=1`);
+      assert.dom(PAGE.detail.versionDropdown).doesNotExist('Version dropdown does not exist');
+      assert.dom(PAGE.detail.versionTimestamp).doesNotExist('version created data not rendered');
+      assert.dom(PAGE.infoRowValue('key-1')).doesNotExist('does not render previous data');
+
+      await click(PAGE.detail.createNewVersion);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details/edit?version=1`,
+        'Url includes version query param'
+      );
+      assert.dom(FORM.inputByAttr('path')).isDisabled();
+      assert.dom(FORM.keyInput()).hasValue('', 'form does not pre-populate');
+      assert.dom(FORM.maskedValueInput()).hasValue('', 'form does not pre-populate');
+      assert.dom(FORM.noReadAlert).exists('Shows no read alert');
+      await click(FORM.cancelBtn);
+
+      await click(PAGE.secretTab('Metadata'));
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata`,
+        `goes to metadata page`
+      );
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
+      assert.dom(PAGE.title).hasText(secretPath);
+      assert
+        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateTitle}`)
+        .hasText('You do not have access to read custom metadata', 'shows correct empty state');
+      assert.dom(PAGE.metadata.editBtn).doesNotExist('edit metadata button does not render');
+    });
+    test('breadcrumbs & page titles are correct (sc)', async function (assert) {
+      assert.expect(34);
+      const backend = this.backend;
+      await navToBackend(backend);
+      await click(PAGE.secretTab('Configuration'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, 'configuration']);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for configuration');
+
+      await click(PAGE.secretTab('Secrets'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for secret list');
+
+      await typeIn(PAGE.list.overviewInput, secretPath);
+      await click(PAGE.list.overviewButton);
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath]);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for secret detail');
+
+      await click(PAGE.detail.createNewVersion);
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'edit']);
+      assert.dom(PAGE.title).hasText('Create New Version', 'correct page title for secret edit');
+
+      await click(PAGE.breadcrumbAtIdx(2));
+      await click(PAGE.secretTab('Metadata'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for metadata');
+
+      assert.dom(PAGE.metadata.editBtn).doesNotExist('cannot edit metadata');
+
+      await click(PAGE.breadcrumbAtIdx(2));
+      await click(PAGE.secretTab('Paths'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'paths']);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for paths');
+
+      assert.dom(PAGE.secretTab('Version History')).doesNotExist('Version History tab not shown');
+    });
+  });
+
+  module('enterprise controlled access persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      // Set up control group scenario
+      const userPolicy = `
+path "${this.backend}/data/*" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+  control_group = {
+    max_ttl = "24h"
+    factor "ops_manager" {
+      controlled_capabilities = ["read"]
+      identity {
+          group_names = ["managers"]
+          approvals = 1
+      }
+    }
+  }
 }
 
-func (c *PluginRuntimeInfoCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	runtimeTyeRaw := strings.TrimSpace(c.flagType)
-	if len(runtimeTyeRaw) == 0 {
-		c.UI.Error("-type is required for plugin runtime info retrieval")
-		return 1
-	}
-
-	runtimeType, err := api.ParsePluginRuntimeType(runtimeTyeRaw)
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	var runtimeNameRaw string
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
-
-	// This case should come after invalid cases have been checked
-	case len(args) == 1:
-		runtimeNameRaw = args[0]
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	runtimeName := strings.TrimSpace(runtimeNameRaw)
-	resp, err := client.Sys().GetPluginRuntime(context.Background(), &api.GetPluginRuntimeInput{
-		Name: runtimeName,
-		Type: runtimeType,
-	})
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error reading plugin runtime named %s: %s", runtimeName, err))
-		return 2
-	}
-
-	if resp == nil {
-		c.UI.Error(fmt.Sprintf("No value found for plugin runtime %q", runtimeName))
-		return 2
-	}
-
-	data := map[string]interface{}{
-		"name":          resp.Name,
-		"type":          resp.Type,
-		"oci_runtime":   resp.OCIRuntime,
-		"cgroup_parent": resp.CgroupParent,
-		"cpu_nanos":     resp.CPU,
-		"memory_bytes":  resp.Memory,
-	}
-
-	if c.flagField != "" {
-		return PrintRawField(c.UI, data, c.flagField)
-	}
-	return OutputData(c.UI, data)
+path "${this.backend}/*" {
+  capabilities = ["list"]
 }
+`;
+      const { userToken } = await setupControlGroup({ userPolicy });
+      this.userToken = userToken;
+      await authPage.login(userToken);
+      clearRecords(this.store);
+      return;
+    });
+    test('can access nested secret (cg)', async function (assert) {
+      assert.expect(42);
+      const backend = this.backend;
+      await navToBackend(backend);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'title text correct');
+      assert.dom(PAGE.emptyStateTitle).doesNotExist('No empty state');
+      assertCorrectBreadcrumbs(assert, ['secret', backend]);
+      assert.dom(PAGE.list.filter).hasNoValue('List filter input is empty');
+
+      // Navigate through list items
+      await click(PAGE.list.item('app/'));
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list/app/`);
+      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app']);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
+      assert.dom(PAGE.list.filter).hasValue('app/', 'List filter input is prefilled');
+      assert.dom(PAGE.list.item('nested/')).exists('Shows nested secret');
+
+      await click(PAGE.list.item('nested/'));
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list/app/nested/`);
+      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested']);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
+      assert.dom(PAGE.list.filter).hasValue('app/nested/', 'List filter input is prefilled');
+      assert.dom(PAGE.list.item('secret')).exists('Shows deeply nested secret');
+
+      // For some reason when we click on the item in tests it throws a global control group error
+      // But not when we visit the page directly
+      await visit(`/vault/secrets/${backend}/kv/app%2Fnested%2Fsecret/details`);
+      assert.ok(
+        await waitUntil(() => currentRouteName() === 'vault.cluster.access.control-group-accessor'),
+        'redirects to access control group route'
+      );
+      await grantAccess({
+        apiPath: `${backend}/data/app/nested/secret`,
+        originUrl: `/vault/secrets/${backend}/kv/list/app/nested/`,
+        userToken: this.userToken,
+      });
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/list/app/nested/`,
+        'navigates to list url where secret is'
+      );
+      await click(PAGE.list.item('secret'));
+
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/app%2Fnested%2Fsecret/details?version=1`,
+        'goes to secret details'
+      );
+      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested', 'secret']);
+      assert.dom(PAGE.title).hasText('app/nested/secret', 'title is full secret path');
+      assertDetailsToolbar(assert, ['delete', 'copy', 'createNewVersion']);
+
+      await click(PAGE.breadcrumbAtIdx(3));
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/list/app/nested/`),
+        'links back to list directory'
+      );
+
+      await click(PAGE.breadcrumbAtIdx(2));
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/list/app/`),
+        'links back to list directory'
+      );
+
+      await click(PAGE.breadcrumbAtIdx(1));
+      assert.ok(currentURL().startsWith(`/vault/secrets/${backend}/kv/list`), 'links back to list root');
+    });
+    test('breadcrumbs & page titles are correct (cg)', async function (assert) {
+      assert.expect(36);
+      const backend = this.backend;
+      await navToBackend(backend);
+      await click(PAGE.secretTab('Configuration'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, 'configuration']);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for configuration');
+
+      await click(PAGE.secretTab('Secrets'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for secret list');
+
+      await visit(`/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details`);
+
+      assert.ok(
+        await waitUntil(() => currentRouteName() === 'vault.cluster.access.control-group-accessor'),
+        'redirects to access control group route'
+      );
+
+      await grantAccess({
+        apiPath: `${backend}/data/${encodeURIComponent(secretPath)}`,
+        originUrl: `/vault/secrets/${backend}/kv/list`,
+        userToken: this.userToken,
+      });
+
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/list`,
+        'navigates back to list url after authorized'
+      );
+      await click(PAGE.list.item(secretPath));
+
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath]);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for secret detail');
+
+      await click(PAGE.secretTab('Metadata'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for metadata');
+
+      assert.dom(PAGE.metadata.editBtn).doesNotExist('cannot edit metadata');
+
+      await click(PAGE.breadcrumbAtIdx(2));
+      await click(PAGE.secretTab('Paths'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'paths']);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for paths');
+
+      assert.dom(PAGE.secretTab('Version History')).doesNotExist('Version History tab not shown');
+
+      await click(PAGE.secretTab('Secret'));
+      await click(PAGE.detail.createNewVersion);
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'edit']);
+      assert.dom(PAGE.title).hasText('Create New Version', 'correct page title for secret edit');
+    });
+  });
+});
diff --git a/command/plugin_runtime_info_test.go b/command/plugin_runtime_info_test.go
index cf1a5aee7c14..a5557d4ea69f 100644
--- a/command/plugin_runtime_info_test.go
+++ b/command/plugin_runtime_info_test.go
@@ -1,116 +1,53 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"regexp"
-	"strings"
-	"testing"
-
-	"github.com/mitchellh/cli"
-)
-
-func testPluginRuntimeInfoCommand(tb testing.TB) (*cli.MockUi, *PluginRuntimeInfoCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &PluginRuntimeInfoCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestPluginRuntimeInfoCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"not_enough_args",
-			[]string{"-type=container"},
-			"Not enough arguments",
-			1,
-		},
-		{
-			"too_many_args",
-			[]string{"-type=container", "bar", "baz"},
-			"Too many arguments",
-			1,
-		},
-		{
-			"invalid_runtime_type",
-			[]string{"-type=foo", "bar"},
-			"\"foo\" is not a supported plugin runtime type",
-			2,
-		},
-		{
-			"info_container_on_empty_plugin_runtime_catalog",
-			[]string{"-type=container", "my-plugin-runtime"},
-			"Error reading plugin runtime named my-plugin-runtime",
-			2,
-		},
-	}
-
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, tc := range cases {
-			tc := tc
-
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
-
-				client, closer := testVaultServer(t)
-				defer closer()
-
-				ui, cmd := testPluginRuntimeInfoCommand(t)
-				cmd.client = client
-
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				matcher := regexp.MustCompile(tc.out)
-				if !matcher.MatchString(combined) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
-	})
-
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerBad(t)
-		defer closer()
-
-		ui, cmd := testPluginRuntimeInfoCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{"-type=container", "my-plugin-runtime"})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Error reading plugin runtime named my-plugin-runtime"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testPluginRuntimeInfoCommand(t)
-		assertNoTabs(t, cmd)
-	})
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<BasicDropdown @class="popup-menu" @horizontalPosition="auto-right" @verticalPosition="below" as |D|>
+  <D.Trigger data-test-version-dropdown class="toolbar-link {{if D.isOpen ' is-active'}}">
+    Version
+    {{or @displayVersion "current"}}
+    <Chevron @direction="down" @isButton={{true}} />
+  </D.Trigger>
+  <D.Content @defaultClass="popup-menu-content">
+    <nav class="box menu">
+      <ul class="menu-list">
+        {{#each @metadata.sortedVersions as |versionData|}}
+          <li data-test-version={{versionData.version}} class="action">
+            {{#if @onSelect}}
+              {{! TODO use Hds::Dropdown instead https://helios.hashicorp.design/components/dropdown }}
+              <button
+                disabled={{or versionData.destroyed versionData.isSecretDeleted}}
+                {{on "click" (fn @onSelect versionData.version D.actions)}}
+                type="button"
+                class="link {{if (loose-equal versionData.version @displayVersion) 'is-active'}}"
+              >
+                Version
+                {{versionData.version}}
+                {{#if versionData.destroyed}}
+                  <Icon @name="x-square-fill" class="has-text-danger is-pulled-right" />
+                {{else if versionData.isSecretDeleted}}
+                  <Icon @name="x-square-fill" class="has-text-grey is-pulled-right" />
+                {{else if (loose-equal versionData.version @metadata.currentVersion)}}
+                  <Icon @name="check-circle" class="has-text-success is-pulled-right" />
+                {{/if}}
+              </button>
+            {{else}}
+              <LinkTo @query={{hash version=versionData.version}} {{on "click" (fn @onClose D)}}>
+                Version
+                {{versionData.version}}
+                {{#if versionData.destroyed}}
+                  <Icon @name="x-square-fill" class="has-text-danger is-pulled-right" />
+                {{else if versionData.isSecretDeleted}}
+                  <Icon @name="x-square-fill" class="has-text-grey is-pulled-right" />
+                {{else if (loose-equal versionData.version @metadata.currentVersion)}}
+                  <Icon @name="check-circle" class="has-text-success is-pulled-right" />
+                {{/if}}
+              </LinkTo>
+            {{/if}}
+          </li>
+        {{/each}}
+      </ul>
+    </nav>
+  </D.Content>
+</BasicDropdown>
\ No newline at end of file
diff --git a/command/plugin_runtime_list.go b/command/plugin_runtime_list.go
index 9fca07da6de6..f17baf5d3ab7 100644
--- a/command/plugin_runtime_list.go
+++ b/command/plugin_runtime_list.go
@@ -4,128 +4,58 @@
 package command
 
 import (
-	"context"
-	"fmt"
 	"strings"
 
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
+	"github.com/hashicorp/cli"
 )
 
-var (
-	_ cli.Command             = (*PluginRuntimeListCommand)(nil)
-	_ cli.CommandAutocomplete = (*PluginRuntimeListCommand)(nil)
-)
+var _ cli.Command = (*KVCommand)(nil)
 
-type PluginRuntimeListCommand struct {
+type KVCommand struct {
 	*BaseCommand
-
-	flagType string
 }
 
-func (c *PluginRuntimeListCommand) Synopsis() string {
-	return "Lists available plugin runtimes"
+func (c *KVCommand) Synopsis() string {
+	return "Interact with Vault's Key-Value storage"
 }
 
-func (c *PluginRuntimeListCommand) Help() string {
+func (c *KVCommand) Help() string {
 	helpText := `
-Usage: vault plugin runtime list [options]
-
-  Lists available plugin runtimes registered in the catalog. This does not list whether
-  plugin runtimes are in use, but rather just their availability.
+Usage: vault kv <subcommand> [options] [args]
 
-  List all available plugin runtimes in the catalog:
+  This command has subcommands for interacting with Vault's key-value
+  store. Here are some simple examples, and more detailed examples are
+  available in the subcommands or the documentation.
 
-      $ vault plugin runtime list
+  Create or update the key named "foo" in the "secret" mount with the value
+  "bar=baz":
 
-  List all available container plugin runtimes in the catalog:
+      $ vault kv put -mount=secret foo bar=baz
 
-      $ vault plugin runtime list -type=container
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
+  Read this value back:
 
-func (c *PluginRuntimeListCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+      $ vault kv get -mount=secret foo
 
-	f := set.NewFlagSet("Command Options")
+  Get metadata for the key:
 
-	f.StringVar(&StringVar{
-		Name:       "type",
-		Target:     &c.flagType,
-		Completion: complete.PredictAnything,
-		Usage:      "Plugin runtime type. Vault currently only supports \"container\" runtime type.",
-	})
+      $ vault kv metadata get -mount=secret foo
+	  
+  Get a specific version of the key:
 
-	return set
-}
+      $ vault kv get -mount=secret -version=1 foo
 
-func (c *PluginRuntimeListCommand) AutocompleteArgs() complete.Predictor {
-	return nil
-}
+  The deprecated path-like syntax can also be used, but this should be avoided 
+  for KV v2, as the fact that it is not actually the full API path to 
+  the secret (secret/data/foo) can cause confusion:   
+  
+      $ vault kv get secret/foo
 
-func (c *PluginRuntimeListCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
+  Please see the individual subcommand help for detailed usage information.
+`
 
-func (c *PluginRuntimeListCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	if len(f.Args()) > 0 {
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(args)))
-		return 1
-	}
-
-	var input *api.ListPluginRuntimesInput
-	runtimeTyeRaw := strings.TrimSpace(c.flagType)
-	if len(runtimeTyeRaw) > 0 {
-		runtimeType, err := api.ParsePluginRuntimeType(runtimeTyeRaw)
-		if err != nil {
-			c.UI.Error(err.Error())
-			return 2
-		}
-		input = &api.ListPluginRuntimesInput{Type: runtimeType}
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	resp, err := client.Sys().ListPluginRuntimes(context.Background(), input)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error listing available plugin runtimes: %s", err))
-		return 2
-	}
-	if resp == nil {
-		c.UI.Error("No tableResponse from server when listing plugin runtimes")
-		return 2
-	}
-
-	switch Format(c.UI) {
-	case "table":
-		c.UI.Output(tableOutput(c.tableResponse(resp), nil))
-		return 0
-	default:
-		return OutputData(c.UI, resp.Runtimes)
-	}
+	return strings.TrimSpace(helpText)
 }
 
-func (c *PluginRuntimeListCommand) tableResponse(response *api.ListPluginRuntimesResponse) []string {
-	out := []string{"Name | Type | OCI Runtime | Parent Cgroup | CPU Nanos | Memory Bytes"}
-	for _, runtime := range response.Runtimes {
-		out = append(out, fmt.Sprintf("%s | %s | %s | %s | %d | %d",
-			runtime.Name, runtime.Type, runtime.OCIRuntime, runtime.CgroupParent, runtime.CPU, runtime.Memory))
-	}
-
-	return out
+func (c *KVCommand) Run(args []string) int {
+	return cli.RunResultHelp
 }
diff --git a/command/plugin_runtime_list_test.go b/command/plugin_runtime_list_test.go
index 50ba6a6112ad..67cc56ac4e77 100644
--- a/command/plugin_runtime_list_test.go
+++ b/command/plugin_runtime_list_test.go
@@ -4,113 +4,206 @@
 package command
 
 import (
-	"regexp"
+	"fmt"
+	"path"
 	"strings"
-	"testing"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
 )
 
-func testPluginRuntimeListCommand(tb testing.TB) (*cli.MockUi, *PluginRuntimeListCommand) {
-	tb.Helper()
+var (
+	_ cli.Command             = (*KVDeleteCommand)(nil)
+	_ cli.CommandAutocomplete = (*KVDeleteCommand)(nil)
+)
 
-	ui := cli.NewMockUi()
-	return ui, &PluginRuntimeListCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
+type KVDeleteCommand struct {
+	*BaseCommand
+
+	flagVersions []string
+	flagMount    string
 }
 
-func TestPluginRuntimeListCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"too_many_args",
-			[]string{"foo"},
-			"Too many arguments",
-			1,
-		},
-		{
-			"invalid_runtime_type",
-			[]string{"-type=foo"},
-			"\"foo\" is not a supported plugin runtime type",
-			2,
-		},
-		{
-			"list container on empty plugin runtime catalog",
-			[]string{"-type=container"},
-			"Error listing available plugin runtimes:",
-			2,
-		},
-		{
-			"list on empty plugin runtime catalog",
-			nil,
-			"Error listing available plugin runtimes:",
-			2,
-		},
-	}
+func (c *KVDeleteCommand) Synopsis() string {
+	return "Deletes versions in the KV store"
+}
 
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
+func (c *KVDeleteCommand) Help() string {
+	helpText := `
+Usage: vault kv delete [options] PATH
 
-		for _, tc := range cases {
-			tc := tc
+  Deletes the data for the provided version and path in the key-value store. The
+  versioned data will not be fully removed, but marked as deleted and will no
+  longer be returned in normal get requests.
 
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
+  To delete the latest version of the key "foo": 
 
-				client, closer := testVaultServer(t)
-				defer closer()
+      $ vault kv delete -mount=secret foo
 
-				ui, cmd := testPluginRuntimeListCommand(t)
-				cmd.client = client
+  The deprecated path-like syntax can also be used, but this should be avoided 
+  for KV v2, as the fact that it is not actually the full API path to 
+  the secret (secret/data/foo) can cause confusion: 
+  
+      $ vault kv delete secret/foo
 
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
+  To delete version 3 of key foo:
 
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				matcher := regexp.MustCompile(tc.out)
-				if !matcher.MatchString(combined) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
+      $ vault kv delete -mount=secret -versions=3 foo
+
+  To delete all versions and metadata, see the "vault kv metadata" subcommand.
+
+  Additional flags and more advanced use cases are detailed below.
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *KVDeleteCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
+	// Common Options
+	f := set.NewFlagSet("Common Options")
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:    "versions",
+		Target:  &c.flagVersions,
+		Default: nil,
+		Usage:   `Specifies the version numbers to delete.`,
+	})
+
+	f.StringVar(&StringVar{
+		Name:    "mount",
+		Target:  &c.flagMount,
+		Default: "", // no default, because the handling of the next arg is determined by whether this flag has a value
+		Usage: `Specifies the path where the KV backend is mounted. If specified, 
+		the next argument will be interpreted as the secret path. If this flag is 
+		not specified, the next argument will be interpreted as the combined mount 
+		path and secret path, with /data/ automatically appended between KV 
+		v2 secrets.`,
 	})
 
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
+	return set
+}
+
+func (c *KVDeleteCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultFiles()
+}
+
+func (c *KVDeleteCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *KVDeleteCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
 
-		client, closer := testVaultServerBad(t)
-		defer closer()
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
 
-		ui, cmd := testPluginRuntimeListCommand(t)
-		cmd.client = client
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
 
-		code := cmd.Run([]string{"-type=container"})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
+	// If true, we're working with "-mount=secret foo" syntax.
+	// If false, we're using "secret/foo" syntax.
+	mountFlagSyntax := c.flagMount != ""
+
+	var (
+		mountPath   string
+		partialPath string
+		v2          bool
+	)
+
+	// Parse the paths and grab the KV version
+	if mountFlagSyntax {
+		// In this case, this arg is the secret path (e.g. "foo").
+		partialPath = sanitizePath(args[0])
+		mountPath, v2, err = isKVv2(sanitizePath(c.flagMount), client)
+		if err != nil {
+			c.UI.Error(err.Error())
+			return 2
 		}
 
-		expected := "Error listing available plugin runtimes: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
+		if v2 {
+			partialPath = path.Join(mountPath, partialPath)
 		}
-	})
+	} else {
+		// In this case, this arg is a path-like combination of mountPath/secretPath.
+		// (e.g. "secret/foo")
+		partialPath = sanitizePath(args[0])
+		mountPath, v2, err = isKVv2(partialPath, client)
+		if err != nil {
+			c.UI.Error(err.Error())
+			return 2
+		}
+	}
 
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
+	var secret *api.Secret
+	var fullPath string
+	if v2 {
+		secret, err = c.deleteV2(partialPath, mountPath, client)
+		fullPath = addPrefixToKVPath(partialPath, mountPath, "data", false)
+	} else {
+		// v1
+		if mountFlagSyntax {
+			fullPath = path.Join(mountPath, partialPath)
+		} else {
+			fullPath = partialPath
+		}
+		secret, err = client.Logical().Delete(fullPath)
+	}
 
-		_, cmd := testPluginRuntimeListCommand(t)
-		assertNoTabs(t, cmd)
-	})
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error deleting %s: %s", fullPath, err))
+		if secret != nil {
+			OutputSecret(c.UI, secret)
+		}
+		return 2
+	}
+
+	if secret == nil {
+		// Don't output anything unless using the "table" format
+		if Format(c.UI) == "table" {
+			c.UI.Info(fmt.Sprintf("Success! Data deleted (if it existed) at: %s", fullPath))
+		}
+		return 0
+	}
+
+	if c.flagField != "" {
+		return PrintRawField(c.UI, secret, c.flagField)
+	}
+
+	return OutputSecret(c.UI, secret)
+}
+
+func (c *KVDeleteCommand) deleteV2(path, mountPath string, client *api.Client) (*api.Secret, error) {
+	var err error
+	var secret *api.Secret
+	switch {
+	case len(c.flagVersions) > 0:
+		path = addPrefixToKVPath(path, mountPath, "delete", false)
+		data := map[string]interface{}{
+			"versions": kvParseVersionsFlags(c.flagVersions),
+		}
+		secret, err = client.Logical().Write(path, data)
+	default:
+		path = addPrefixToKVPath(path, mountPath, "data", false)
+		secret, err = client.Logical().Delete(path)
+	}
+
+	return secret, err
 }
diff --git a/command/plugin_runtime_register.go b/command/plugin_runtime_register.go
index 11b831512e4f..0299be4cea87 100644
--- a/command/plugin_runtime_register.go
+++ b/command/plugin_runtime_register.go
@@ -4,102 +4,89 @@
 package command
 
 import (
-	"context"
 	"fmt"
+	"path"
 	"strings"
 
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
 	"github.com/posener/complete"
 )
 
 var (
-	_ cli.Command             = (*PluginRuntimeRegisterCommand)(nil)
-	_ cli.CommandAutocomplete = (*PluginRuntimeRegisterCommand)(nil)
+	_ cli.Command             = (*KVDestroyCommand)(nil)
+	_ cli.CommandAutocomplete = (*KVDestroyCommand)(nil)
 )
 
-type PluginRuntimeRegisterCommand struct {
+type KVDestroyCommand struct {
 	*BaseCommand
 
-	flagType         string
-	flagOCIRuntime   string
-	flagCgroupParent string
-	flagCPUNanos     int64
-	flagMemoryBytes  int64
+	flagVersions []string
+	flagMount    string
 }
 
-func (c *PluginRuntimeRegisterCommand) Synopsis() string {
-	return "Registers a new plugin runtime in the catalog"
+func (c *KVDestroyCommand) Synopsis() string {
+	return "Permanently removes one or more versions in the KV store"
 }
 
-func (c *PluginRuntimeRegisterCommand) Help() string {
+func (c *KVDestroyCommand) Help() string {
 	helpText := `
-Usage: vault plugin runtime register [options] NAME
+Usage: vault kv destroy [options] KEY
 
-  Registers a new plugin runtime in the catalog. Currently, Vault only supports registering runtimes of type "container".
-The OCI runtime must be available on Vault's host. If no OCI runtime is specified, Vault will use "runsc", gVisor's OCI runtime.
+  Permanently removes the specified versions' data from the key-value store. If
+  no key exists at the path, no action is taken.
 
-  Register the plugin runtime named my-custom-plugin-runtime:
+  To destroy version 3 of key foo:
 
-      $ vault plugin runtime register -type=container -oci_runtime=my-oci-runtime my-custom-plugin-runtime
+      $ vault kv destroy -mount=secret -versions=3 foo
 
-` + c.Flags().Help()
+  The deprecated path-like syntax can also be used, but this should be avoided 
+  for KV v2, as the fact that it is not actually the full API path to 
+  the secret (secret/data/foo) can cause confusion: 
+  
+      $ vault kv destroy -versions=3 secret/foo
+
+  Additional flags and more advanced use cases are detailed below.
 
+` + c.Flags().Help()
 	return strings.TrimSpace(helpText)
 }
 
-func (c *PluginRuntimeRegisterCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP)
+func (c *KVDestroyCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
 
-	f := set.NewFlagSet("Command Options")
+	// Common Options
+	f := set.NewFlagSet("Common Options")
 
-	f.StringVar(&StringVar{
-		Name:       "type",
-		Target:     &c.flagType,
-		Completion: complete.PredictAnything,
-		Usage:      "Plugin runtime type. Vault currently only supports \"container\" runtime type.",
+	f.StringSliceVar(&StringSliceVar{
+		Name:    "versions",
+		Target:  &c.flagVersions,
+		Default: nil,
+		Usage:   `Specifies the version numbers to destroy.`,
 	})
 
 	f.StringVar(&StringVar{
-		Name:       "oci_runtime",
-		Target:     &c.flagOCIRuntime,
-		Completion: complete.PredictAnything,
-		Usage:      "OCI runtime. Default is \"runsc\", gVisor's OCI runtime.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "cgroup_parent",
-		Target:     &c.flagCgroupParent,
-		Completion: complete.PredictAnything,
-		Usage:      "Parent cgroup to set for each container. This can be used to control the total resource usage for a group of plugins.",
-	})
-
-	f.Int64Var(&Int64Var{
-		Name:       "cpu_nanos",
-		Target:     &c.flagCPUNanos,
-		Completion: complete.PredictAnything,
-		Usage:      "CPU limit to set per container in nanos. Defaults to no limit.",
-	})
-
-	f.Int64Var(&Int64Var{
-		Name:       "memory_bytes",
-		Target:     &c.flagMemoryBytes,
-		Completion: complete.PredictAnything,
-		Usage:      "Memory limit to set per container in bytes. Defaults to no limit.",
+		Name:    "mount",
+		Target:  &c.flagMount,
+		Default: "", // no default, because the handling of the next arg is determined by whether this flag has a value
+		Usage: `Specifies the path where the KV backend is mounted. If specified, 
+		the next argument will be interpreted as the secret path. If this flag is 
+		not specified, the next argument will be interpreted as the combined mount 
+		path and secret path, with /data/ automatically appended between KV 
+		v2 secrets.`,
 	})
 
 	return set
 }
 
-func (c *PluginRuntimeRegisterCommand) AutocompleteArgs() complete.Predictor {
+func (c *KVDestroyCommand) AutocompleteArgs() complete.Predictor {
 	return nil
 }
 
-func (c *PluginRuntimeRegisterCommand) AutocompleteFlags() complete.Flags {
+func (c *KVDestroyCommand) AutocompleteFlags() complete.Flags {
 	return c.Flags().Completions()
 }
 
-func (c *PluginRuntimeRegisterCommand) Run(args []string) int {
+func (c *KVDestroyCommand) Run(args []string) int {
 	f := c.Flags()
 
 	if err := f.Parse(args); err != nil {
@@ -107,19 +94,6 @@ func (c *PluginRuntimeRegisterCommand) Run(args []string) int {
 		return 1
 	}
 
-	runtimeTyeRaw := strings.TrimSpace(c.flagType)
-	if len(runtimeTyeRaw) == 0 {
-		c.UI.Error("-type is required for plugin runtime registration")
-		return 1
-	}
-
-	runtimeType, err := api.ParsePluginRuntimeType(runtimeTyeRaw)
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	var runtimeNameRaw string
 	args = f.Args()
 	switch {
 	case len(args) < 1:
@@ -128,34 +102,84 @@ func (c *PluginRuntimeRegisterCommand) Run(args []string) int {
 	case len(args) > 1:
 		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
 		return 1
+	}
 
-	// This case should come after invalid cases have been checked
-	case len(args) == 1:
-		runtimeNameRaw = args[0]
+	if len(c.flagVersions) == 0 {
+		c.UI.Error("No versions provided, use the \"-versions\" flag to specify the version to destroy.")
+		return 1
 	}
 
+	var err error
+
 	client, err := c.Client()
 	if err != nil {
 		c.UI.Error(err.Error())
 		return 2
 	}
 
-	runtimeName := strings.TrimSpace(runtimeNameRaw)
-	ociRuntime := strings.TrimSpace(c.flagOCIRuntime)
-	cgroupParent := strings.TrimSpace(c.flagCgroupParent)
-
-	if err := client.Sys().RegisterPluginRuntime(context.Background(), &api.RegisterPluginRuntimeInput{
-		Name:         runtimeName,
-		Type:         runtimeType,
-		OCIRuntime:   ociRuntime,
-		CgroupParent: cgroupParent,
-		CPU:          c.flagCPUNanos,
-		Memory:       c.flagMemoryBytes,
-	}); err != nil {
-		c.UI.Error(fmt.Sprintf("Error registering plugin runtime %s: %s", runtimeName, err))
+	// If true, we're working with "-mount=secret foo" syntax.
+	// If false, we're using "secret/foo" syntax.
+	mountFlagSyntax := c.flagMount != ""
+
+	var (
+		mountPath   string
+		partialPath string
+		v2          bool
+	)
+
+	// Parse the paths and grab the KV version
+	if mountFlagSyntax {
+		// In this case, this arg is the secret path (e.g. "foo").
+		partialPath = sanitizePath(args[0])
+		mountPath, v2, err = isKVv2(sanitizePath(c.flagMount), client)
+		if err != nil {
+			c.UI.Error(err.Error())
+			return 2
+		}
+
+		if v2 {
+			partialPath = path.Join(mountPath, partialPath)
+		}
+	} else {
+		// In this case, this arg is a path-like combination of mountPath/secretPath.
+		// (e.g. "secret/foo")
+		partialPath = sanitizePath(args[0])
+		mountPath, v2, err = isKVv2(partialPath, client)
+		if err != nil {
+			c.UI.Error(err.Error())
+			return 2
+		}
+	}
+
+	if !v2 {
+		c.UI.Error("Destroy not supported on KV Version 1")
+		return 1
+	}
+	destroyPath := addPrefixToKVPath(partialPath, mountPath, "destroy", false)
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	data := map[string]interface{}{
+		"versions": kvParseVersionsFlags(c.flagVersions),
+	}
+
+	secret, err := client.Logical().Write(destroyPath, data)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error writing data to %s: %s", destroyPath, err))
+		if secret != nil {
+			OutputSecret(c.UI, secret)
+		}
 		return 2
 	}
+	if secret == nil {
+		// Don't output anything unless using the "table" format
+		if Format(c.UI) == "table" {
+			c.UI.Info(fmt.Sprintf("Success! Data written to: %s", destroyPath))
+		}
+		return 0
+	}
 
-	c.UI.Output(fmt.Sprintf("Success! Registered plugin runtime: %s", runtimeName))
-	return 0
+	return OutputSecret(c.UI, secret)
 }
diff --git a/command/plugin_runtime_register_test.go b/command/plugin_runtime_register_test.go
index c43c96bac125..921c286e3aae 100644
--- a/command/plugin_runtime_register_test.go
+++ b/command/plugin_runtime_register_test.go
@@ -4,199 +4,91 @@
 package command
 
 import (
-	"encoding/json"
 	"fmt"
-	"reflect"
 	"strings"
-	"testing"
 
+	"github.com/hashicorp/cli"
 	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/mitchellh/cli"
+	"github.com/posener/complete"
 )
 
-func testPluginRuntimeRegisterCommand(tb testing.TB) (*cli.MockUi, *PluginRuntimeRegisterCommand) {
-	tb.Helper()
+var (
+	_ cli.Command             = (*KVEnableVersioningCommand)(nil)
+	_ cli.CommandAutocomplete = (*KVEnableVersioningCommand)(nil)
+)
 
-	ui := cli.NewMockUi()
-	return ui, &PluginRuntimeRegisterCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
+type KVEnableVersioningCommand struct {
+	*BaseCommand
 }
 
-func TestPluginRuntimeRegisterCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name  string
-		flags []string
-		args  []string
-		out   string
-		code  int
-	}{
-		{
-			"no type specified",
-			[]string{},
-			[]string{"foo"},
-			"-type is required for plugin runtime registration",
-			1,
-		},
-		{
-			"invalid type",
-			[]string{"-type", "foo"},
-			[]string{"not"},
-			"\"foo\" is not a supported plugin runtime type",
-			2,
-		},
-		{
-			"not_enough_args",
-			[]string{"-type", consts.PluginRuntimeTypeContainer.String()},
-			[]string{},
-			"Not enough arguments",
-			1,
-		},
-		{
-			"too_many_args",
-			[]string{"-type", consts.PluginRuntimeTypeContainer.String()},
-			[]string{"foo", "bar"},
-			"Too many arguments",
-			1,
-		},
-	}
+func (c *KVEnableVersioningCommand) Synopsis() string {
+	return "Turns on versioning for a KV store"
+}
 
-	for _, tc := range cases {
-		tc := tc
+func (c *KVEnableVersioningCommand) Help() string {
+	helpText := `
+Usage: vault kv enable-versioning [options] KEY
 
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
+  This command turns on versioning for the backend at the provided path.
 
-			client, closer := testVaultServer(t)
-			defer closer()
+      $ vault kv enable-versioning secret
 
-			ui, cmd := testPluginRuntimeRegisterCommand(t)
-			cmd.client = client
+  Additional flags and more advanced use cases are detailed below.
 
-			args := append(tc.flags, tc.args...)
-			code := cmd.Run(args)
-			if code != tc.code {
-				t.Errorf("expected %d to be %d", code, tc.code)
-			}
+` + c.Flags().Help()
+	return strings.TrimSpace(helpText)
+}
 
-			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-			if !strings.Contains(combined, tc.out) {
-				t.Errorf("expected %q to contain %q", combined, tc.out)
-			}
-		})
-	}
+func (c *KVEnableVersioningCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
 
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
+	return set
+}
 
-		client, closer := testVaultServerBad(t)
-		defer closer()
+func (c *KVEnableVersioningCommand) AutocompleteArgs() complete.Predictor {
+	return nil
+}
 
-		ui, cmd := testPluginRuntimeRegisterCommand(t)
-		cmd.client = client
+func (c *KVEnableVersioningCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
 
-		code := cmd.Run([]string{"-type", consts.PluginRuntimeTypeContainer.String(), "my-plugin-runtime"})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
+func (c *KVEnableVersioningCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
 
-		expected := "Error registering plugin runtime my-plugin-runtime"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
 
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
 
-		_, cmd := testPluginRuntimeRegisterCommand(t)
-		assertNoTabs(t, cmd)
-	})
-}
+	// Append a trailing slash to indicate it's a path in output
+	mountPath := ensureTrailingSlash(sanitizePath(args[0]))
 
-// TestPluginRuntimeFlagParsing ensures that flags passed to vault plugin runtime register correctly
-// translate into the expected JSON body and request path.
-func TestPluginRuntimeFlagParsing(t *testing.T) {
-	for name, tc := range map[string]struct {
-		runtimeType     api.PluginRuntimeType
-		name            string
-		ociRuntime      string
-		cgroupParent    string
-		cpu             int64
-		memory          int64
-		args            []string
-		expectedPayload string
-	}{
-		"minimal": {
-			runtimeType:     api.PluginRuntimeTypeContainer,
-			name:            "foo",
-			expectedPayload: `{"type":1,"name":"foo"}`,
+	if err := client.Sys().TuneMount(mountPath, api.MountConfigInput{
+		Options: map[string]string{
+			"version": "2",
 		},
-		"full": {
-			runtimeType:     api.PluginRuntimeTypeContainer,
-			name:            "foo",
-			cgroupParent:    "/cpulimit/",
-			ociRuntime:      "runtime",
-			cpu:             5678,
-			memory:          1234,
-			expectedPayload: `{"type":1,"cgroup_parent":"/cpulimit/","memory_bytes":1234,"cpu_nanos":5678,"oci_runtime":"runtime"}`,
-		},
-	} {
-		tc := tc
-		t.Run(name, func(t *testing.T) {
-			ui, cmd := testPluginRuntimeRegisterCommand(t)
-			var requestLogger *recordingRoundTripper
-			cmd.client, requestLogger = mockClient(t)
-
-			var args []string
-			if tc.cgroupParent != "" {
-				args = append(args, "-cgroup_parent="+tc.cgroupParent)
-			}
-			if tc.ociRuntime != "" {
-				args = append(args, "-oci_runtime="+tc.ociRuntime)
-			}
-			if tc.memory != 0 {
-				args = append(args, fmt.Sprintf("-memory_bytes=%d", tc.memory))
-			}
-			if tc.cpu != 0 {
-				args = append(args, fmt.Sprintf("-cpu_nanos=%d", tc.cpu))
-			}
-
-			if tc.runtimeType != api.PluginRuntimeTypeUnsupported {
-				args = append(args, "-type="+tc.runtimeType.String())
-			}
-			args = append(args, tc.name)
-			t.Log(args)
-
-			code := cmd.Run(args)
-			if exp := 0; code != exp {
-				t.Fatalf("expected %d to be %d\nstdout: %s\nstderr: %s", code, exp, ui.OutputWriter.String(), ui.ErrorWriter.String())
-			}
-
-			actual := &api.RegisterPluginRuntimeInput{}
-			expected := &api.RegisterPluginRuntimeInput{}
-			err := json.Unmarshal(requestLogger.body, actual)
-			if err != nil {
-				t.Fatal(err)
-			}
-			err = json.Unmarshal([]byte(tc.expectedPayload), expected)
-			if err != nil {
-				t.Fatal(err)
-			}
-			if !reflect.DeepEqual(expected, actual) {
-				t.Errorf("expected: %s\ngot: %s", tc.expectedPayload, requestLogger.body)
-			}
-			expectedPath := fmt.Sprintf("/v1/sys/plugins/runtimes/catalog/%s/%s", tc.runtimeType.String(), tc.name)
-
-			if requestLogger.path != expectedPath {
-				t.Errorf("Expected path %s, got %s", expectedPath, requestLogger.path)
-			}
-		})
+	}); err != nil {
+		c.UI.Error(fmt.Sprintf("Error tuning secrets engine %s: %s", mountPath, err))
+		return 2
 	}
+
+	c.UI.Output(fmt.Sprintf("Success! Tuned the secrets engine at: %s", mountPath))
+	return 0
 }
diff --git a/command/policy.go b/command/policy.go
index 64fe14a75ebb..e31c8a32a5c7 100644
--- a/command/policy.go
+++ b/command/policy.go
@@ -4,47 +4,240 @@
 package command
 
 import (
+	"fmt"
+	"path"
 	"strings"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
 )
 
-var _ cli.Command = (*PolicyCommand)(nil)
+var (
+	_ cli.Command             = (*KVGetCommand)(nil)
+	_ cli.CommandAutocomplete = (*KVGetCommand)(nil)
+)
 
-// PolicyCommand is a Command that holds the audit commands
-type PolicyCommand struct {
+type KVGetCommand struct {
 	*BaseCommand
+
+	flagVersion int
+	flagMount   string
 }
 
-func (c *PolicyCommand) Synopsis() string {
-	return "Interact with policies"
+func (c *KVGetCommand) Synopsis() string {
+	return "Retrieves data from the KV store"
 }
 
-func (c *PolicyCommand) Help() string {
+func (c *KVGetCommand) Help() string {
 	helpText := `
-Usage: vault policy <subcommand> [options] [args]
+Usage: vault kv get [options] KEY
 
-  This command groups subcommands for interacting with policies.
-  Users can write, read, and list policies in Vault.
+  Retrieves the value from Vault's key-value store at the given key name. If no
+  key exists with that name, an error is returned. If a key exists with that
+  name but has no data, nothing is returned.
 
-  List all enabled policies:
+      $ vault kv get -mount=secret foo
 
-      $ vault policy list
+  The deprecated path-like syntax can also be used, but this should be avoided 
+  for KV v2, as the fact that it is not actually the full API path to 
+  the secret (secret/data/foo) can cause confusion: 
+  
+      $ vault kv get secret/foo
 
-  Create a policy named "my-policy" from contents on local disk:
+  To view the given key name at a specific version in time, specify the "-version"
+  flag:
 
-      $ vault policy write my-policy ./my-policy.hcl
+      $ vault kv get -mount=secret -version=1 foo
 
-  Delete the policy named my-policy:
+  Additional flags and more advanced use cases are detailed below.
+
+` + c.Flags().Help()
+	return strings.TrimSpace(helpText)
+}
 
-      $ vault policy delete my-policy
+func (c *KVGetCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
+
+	// Common Options
+	f := set.NewFlagSet("Common Options")
+
+	f.IntVar(&IntVar{
+		Name:    "version",
+		Target:  &c.flagVersion,
+		Default: 0,
+		Usage:   `If passed, the value at the version number will be returned.`,
+	})
+
+	f.StringVar(&StringVar{
+		Name:    "mount",
+		Target:  &c.flagMount,
+		Default: "", // no default, because the handling of the next arg is determined by whether this flag has a value
+		Usage: `Specifies the path where the KV backend is mounted. If specified, 
+		the next argument will be interpreted as the secret path. If this flag is 
+		not specified, the next argument will be interpreted as the combined mount 
+		path and secret path, with /data/ automatically appended between KV 
+		v2 secrets.`,
+	})
+
+	return set
+}
 
-  Please see the individual subcommand help for detailed usage information.
-`
+func (c *KVGetCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultFiles()
+}
 
-	return strings.TrimSpace(helpText)
+func (c *KVGetCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
 }
 
-func (c *PolicyCommand) Run(args []string) int {
-	return cli.RunResultHelp
+func (c *KVGetCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	// If true, we're working with "-mount=secret foo" syntax.
+	// If false, we're using "secret/foo" syntax.
+	mountFlagSyntax := c.flagMount != ""
+
+	var (
+		mountPath string
+		v2        bool
+	)
+
+	// Ignore leading slash
+	partialPath := strings.TrimPrefix(args[0], "/")
+
+	// Parse the paths and grab the KV version
+	if mountFlagSyntax {
+		// In this case, this arg is the secret path (e.g. "foo").
+		mountPath, v2, err = isKVv2(sanitizePath(c.flagMount), client)
+		if err != nil {
+			c.UI.Error(err.Error())
+			return 2
+		}
+
+		if v2 {
+			partialPath = path.Join(mountPath, partialPath)
+		}
+	} else {
+		// In this case, this arg is a path-like combination of mountPath/secretPath.
+		// (e.g. "secret/foo")
+		mountPath, v2, err = isKVv2(partialPath, client)
+		if err != nil {
+			c.UI.Error(err.Error())
+			return 2
+		}
+	}
+
+	var versionParam map[string]string
+	var fullPath string
+	// Add /data to v2 paths only
+	if v2 {
+		fullPath = addPrefixToKVPath(partialPath, mountPath, "data", false)
+
+		if c.flagVersion > 0 {
+			versionParam = map[string]string{
+				"version": fmt.Sprintf("%d", c.flagVersion),
+			}
+		}
+	} else {
+		// v1
+		if mountFlagSyntax {
+			fullPath = path.Join(mountPath, partialPath)
+		} else {
+			fullPath = partialPath
+		}
+	}
+
+	secret, err := kvReadRequest(client, fullPath, versionParam)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error reading %s: %s", fullPath, err))
+		if secret != nil {
+			OutputSecret(c.UI, secret)
+		}
+		return 2
+	}
+	if secret == nil {
+		c.UI.Error(fmt.Sprintf("No value found at %s", fullPath))
+		return 2
+	}
+
+	if c.flagField != "" {
+		if v2 {
+			// This is a v2, pass in the data field
+			if data, ok := secret.Data["data"]; ok && data != nil {
+				// If they requested a literal "data" see if they meant actual
+				// value or the data block itself
+				if c.flagField == "data" {
+					if dataMap, ok := data.(map[string]interface{}); ok {
+						if _, ok := dataMap["data"]; ok {
+							return PrintRawField(c.UI, dataMap, c.flagField)
+						}
+					}
+					return PrintRawField(c.UI, secret, c.flagField)
+				}
+				return PrintRawField(c.UI, data, c.flagField)
+			} else {
+				c.UI.Error(fmt.Sprintf("No data found at %s", fullPath))
+				return 2
+			}
+		} else {
+			return PrintRawField(c.UI, secret, c.flagField)
+		}
+	}
+
+	// If we have wrap info print the secret normally.
+	if secret.WrapInfo != nil || c.flagFormat != "table" {
+		return OutputSecret(c.UI, secret)
+	}
+
+	if len(secret.Warnings) > 0 {
+		tf := TableFormatter{}
+		tf.printWarnings(c.UI, secret)
+	}
+
+	if v2 {
+		outputPath(c.UI, fullPath, "Secret Path")
+	}
+
+	if metadata, ok := secret.Data["metadata"]; ok && metadata != nil {
+		c.UI.Info(getHeaderForMap("Metadata", metadata.(map[string]interface{})))
+		OutputData(c.UI, metadata)
+		c.UI.Info("")
+	}
+
+	data := secret.Data
+	if v2 && data != nil {
+		data = nil
+		dataRaw := secret.Data["data"]
+		if dataRaw != nil {
+			data = dataRaw.(map[string]interface{})
+		}
+	}
+
+	if data != nil {
+		c.UI.Info(getHeaderForMap("Data", data))
+		OutputData(c.UI, data)
+	}
+
+	return 0
 }
diff --git a/command/policy_delete.go b/command/policy_delete.go
index c4ee61059bd9..ed3bc38118e5 100644
--- a/command/policy_delete.go
+++ b/command/policy_delete.go
@@ -4,87 +4,266 @@
 package command
 
 import (
+	"context"
+	"errors"
 	"fmt"
+	"io"
+	paths "path"
+	"sort"
 	"strings"
 
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/go-secure-stdlib/strutil"
+	"github.com/hashicorp/vault/api"
 )
 
-var (
-	_ cli.Command             = (*PolicyDeleteCommand)(nil)
-	_ cli.CommandAutocomplete = (*PolicyDeleteCommand)(nil)
-)
+func kvReadRequest(client *api.Client, path string, params map[string]string) (*api.Secret, error) {
+	r := client.NewRequest("GET", "/v1/"+path)
+	for k, v := range params {
+		r.Params.Set(k, v)
+	}
+	resp, err := client.RawRequest(r)
+	if resp != nil {
+		defer resp.Body.Close()
+	}
+	if resp != nil && resp.StatusCode == 404 {
+		secret, parseErr := api.ParseSecret(resp.Body)
+		switch parseErr {
+		case nil:
+		case io.EOF:
+			return nil, nil
+		default:
+			return nil, err
+		}
+		if secret != nil && (len(secret.Warnings) > 0 || len(secret.Data) > 0) {
+			return secret, nil
+		}
+		return nil, nil
+	}
+	if err != nil {
+		return nil, err
+	}
 
-type PolicyDeleteCommand struct {
-	*BaseCommand
+	return api.ParseSecret(resp.Body)
 }
 
-func (c *PolicyDeleteCommand) Synopsis() string {
-	return "Deletes a policy by name"
-}
+func kvPreflightVersionRequest(client *api.Client, path string) (string, int, error) {
+	// We don't want to use a wrapping call here so save any custom value and
+	// restore after
+	currentWrappingLookupFunc := client.CurrentWrappingLookupFunc()
+	client.SetWrappingLookupFunc(nil)
+	defer client.SetWrappingLookupFunc(currentWrappingLookupFunc)
+	currentOutputCurlString := client.OutputCurlString()
+	client.SetOutputCurlString(false)
+	defer client.SetOutputCurlString(currentOutputCurlString)
+	currentOutputPolicy := client.OutputPolicy()
+	client.SetOutputPolicy(false)
+	defer client.SetOutputPolicy(currentOutputPolicy)
 
-func (c *PolicyDeleteCommand) Help() string {
-	helpText := `
-Usage: vault policy delete [options] NAME
+	r := client.NewRequest("GET", "/v1/sys/internal/ui/mounts/"+path)
+	resp, err := client.RawRequest(r)
+	if resp != nil {
+		defer resp.Body.Close()
+	}
+	if err != nil {
+		// If we get a 404 we are using an older version of vault, default to
+		// version 1
+		if resp != nil {
+			if resp.StatusCode == 404 {
+				return "", 1, nil
+			}
 
-  Deletes the policy named NAME in the Vault server. Once the policy is deleted,
-  all tokens associated with the policy are affected immediately.
+			// if the original request had the -output-curl-string or -output-policy flag,
+			if (currentOutputCurlString || currentOutputPolicy) && resp.StatusCode == 403 {
+				// we provide a more helpful error for the user,
+				// who may not understand why the flag isn't working.
+				err = fmt.Errorf(
+					`This output flag requires the success of a preflight request 
+to determine the version of a KV secrets engine. Please 
+re-run this command with a token with read access to %s. 
+Note that if the path you are trying to reach is a KV v2 path, your token's policy must 
+allow read access to that path in the format 'mount-path/data/foo', not just 'mount-path/foo'.`, path)
+			}
+		}
 
-  Delete the policy named "my-policy":
+		return "", 0, err
+	}
 
-      $ vault policy delete my-policy
+	secret, err := api.ParseSecret(resp.Body)
+	if err != nil {
+		return "", 0, err
+	}
+	if secret == nil {
+		return "", 0, errors.New("nil response from pre-flight request")
+	}
+	var mountPath string
+	if mountPathRaw, ok := secret.Data["path"]; ok {
+		mountPath = mountPathRaw.(string)
+	}
+	options := secret.Data["options"]
+	if options == nil {
+		return mountPath, 1, nil
+	}
+	versionRaw := options.(map[string]interface{})["version"]
+	if versionRaw == nil {
+		return mountPath, 1, nil
+	}
+	version := versionRaw.(string)
+	switch version {
+	case "", "1":
+		return mountPath, 1, nil
+	case "2":
+		return mountPath, 2, nil
+	}
 
-  Note that it is not possible to delete the "default" or "root" policies.
-  These are built-in policies.
+	return mountPath, 1, nil
+}
 
-` + c.Flags().Help()
+func isKVv2(path string, client *api.Client) (string, bool, error) {
+	mountPath, version, err := kvPreflightVersionRequest(client, path)
+	if err != nil {
+		return "", false, err
+	}
 
-	return strings.TrimSpace(helpText)
+	return mountPath, version == 2, nil
 }
 
-func (c *PolicyDeleteCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP)
+func addPrefixToKVPath(path, mountPath, apiPrefix string, skipIfExists bool) string {
+	if path == mountPath || path == strings.TrimSuffix(mountPath, "/") {
+		return paths.Join(mountPath, apiPrefix)
+	}
+
+	pathSuffix := strings.TrimPrefix(path, mountPath)
+	for {
+		// If the entire mountPath is included in the path, we are done
+		if pathSuffix != path {
+			break
+		}
+		// Trim the parts of the mountPath that are not included in the
+		// path, for example, in cases where the mountPath contains
+		// namespaces which are not included in the path.
+		partialMountPath := strings.SplitN(mountPath, "/", 2)
+		if len(partialMountPath) <= 1 || partialMountPath[1] == "" {
+			break
+		}
+		mountPath = strings.TrimSuffix(partialMountPath[1], "/")
+		pathSuffix = strings.TrimPrefix(pathSuffix, mountPath)
+	}
+
+	if skipIfExists {
+		if strings.HasPrefix(pathSuffix, apiPrefix) || strings.HasPrefix(pathSuffix, "/"+apiPrefix) {
+			return paths.Join(mountPath, pathSuffix)
+		}
+	}
+
+	return paths.Join(mountPath, apiPrefix, pathSuffix)
+}
+
+func getHeaderForMap(header string, data map[string]interface{}) string {
+	maxKey := 0
+	for k := range data {
+		if len(k) > maxKey {
+			maxKey = len(k)
+		}
+	}
+
+	// 4 for the column spaces and 5 for the len("value")
+	totalLen := maxKey + 4 + 5
+
+	return padEqualSigns(header, totalLen)
 }
 
-func (c *PolicyDeleteCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultPolicies()
+func kvParseVersionsFlags(versions []string) []string {
+	versionsOut := make([]string, 0, len(versions))
+	for _, v := range versions {
+		versionsOut = append(versionsOut, strutil.ParseStringSlice(v, ",")...)
+	}
+
+	return versionsOut
 }
 
-func (c *PolicyDeleteCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
+func outputPath(ui cli.Ui, path string, title string) {
+	ui.Info(padEqualSigns(title, len(path)))
+	ui.Info(path)
+	ui.Info("")
 }
 
-func (c *PolicyDeleteCommand) Run(args []string) int {
-	f := c.Flags()
+// Pad the table header with equal signs on each side
+func padEqualSigns(header string, totalLen int) string {
+	equalSigns := totalLen - (len(header) + 2)
 
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
+	// If we have zero or fewer equal signs bump it back up to two on either
+	// side of the header.
+	if equalSigns <= 0 {
+		equalSigns = 4
 	}
 
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
+	// If the number of equal signs is not divisible by two add a sign.
+	if equalSigns%2 != 0 {
+		equalSigns = equalSigns + 1
 	}
 
-	client, err := c.Client()
+	return fmt.Sprintf("%s %s %s", strings.Repeat("=", equalSigns/2), header, strings.Repeat("=", equalSigns/2))
+}
+
+// walkSecretsTree dfs-traverses the secrets tree rooted at the given path
+// and calls the `visit` functor for each of the directory and leaf paths.
+// Note: for kv-v2, a "metadata" path is expected and "metadata" paths will be
+// returned in the visit functor.
+func walkSecretsTree(ctx context.Context, client *api.Client, path string, visit func(path string, directory bool) error) error {
+	resp, err := client.Logical().ListWithContext(ctx, path)
 	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
+		return fmt.Errorf("could not list %q path: %w", path, err)
 	}
 
-	name := strings.TrimSpace(strings.ToLower(args[0]))
-	if err := client.Sys().DeletePolicy(name); err != nil {
-		c.UI.Error(fmt.Sprintf("Error deleting %s: %s", name, err))
-		return 2
+	if resp == nil || resp.Data == nil {
+		return fmt.Errorf("no value found at %q: %w", path, err)
+	}
+
+	keysRaw, ok := resp.Data["keys"]
+	if !ok {
+		return fmt.Errorf("unexpected list response at %q", path)
+	}
+
+	keysRawSlice, ok := keysRaw.([]interface{})
+	if !ok {
+		return fmt.Errorf("unexpected list response type %T at %q", keysRaw, path)
+	}
+
+	keys := make([]string, 0, len(keysRawSlice))
+
+	for _, keyRaw := range keysRawSlice {
+		key, ok := keyRaw.(string)
+		if !ok {
+			return fmt.Errorf("unexpected key type %T at %q", keyRaw, path)
+		}
+		keys = append(keys, key)
+	}
+
+	// sort the keys for a deterministic output
+	sort.Strings(keys)
+
+	for _, key := range keys {
+		// the keys are relative to the current path: combine them
+		child := paths.Join(path, key)
+
+		if strings.HasSuffix(key, "/") {
+			// visit the directory
+			if err := visit(child, true); err != nil {
+				return err
+			}
+
+			// this is not a leaf node: we need to go deeper...
+			if err := walkSecretsTree(ctx, client, child, visit); err != nil {
+				return err
+			}
+		} else {
+			// this is a leaf node: add it to the list
+			if err := visit(child, false); err != nil {
+				return err
+			}
+		}
 	}
 
-	c.UI.Output(fmt.Sprintf("Success! Deleted policy: %s", name))
-	return 0
+	return nil
 }
diff --git a/command/policy_delete_test.go b/command/policy_delete_test.go
index 7c96d241571c..4e19d9d7ae3b 100644
--- a/command/policy_delete_test.go
+++ b/command/policy_delete_test.go
@@ -4,140 +4,176 @@
 package command
 
 import (
-	"reflect"
+	"fmt"
+	"path"
 	"strings"
-	"testing"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
 )
 
-func testPolicyDeleteCommand(tb testing.TB) (*cli.MockUi, *PolicyDeleteCommand) {
-	tb.Helper()
+var (
+	_ cli.Command             = (*KVListCommand)(nil)
+	_ cli.CommandAutocomplete = (*KVListCommand)(nil)
+)
 
-	ui := cli.NewMockUi()
-	return ui, &PolicyDeleteCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
+type KVListCommand struct {
+	*BaseCommand
+	flagMount string
 }
 
-func TestPolicyDeleteCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"not_enough_args",
-			nil,
-			"Not enough arguments",
-			1,
-		},
-		{
-			"too_many_args",
-			[]string{"foo", "bar"},
-			"Too many arguments",
-			1,
-		},
-	}
+func (c *KVListCommand) Synopsis() string {
+	return "List data or secrets"
+}
 
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
+func (c *KVListCommand) Help() string {
+	helpText := `
 
-		for _, tc := range cases {
-			tc := tc
+Usage: vault kv list [options] PATH
 
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
+  Lists data from Vault's key-value store at the given path.
 
-				client, closer := testVaultServer(t)
-				defer closer()
+  List values under the "my-app" folder of the key-value store:
 
-				ui, cmd := testPolicyDeleteCommand(t)
-				cmd.client = client
+      $ vault kv list secret/my-app/
 
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
+  Additional flags and more advanced use cases are detailed below.
 
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *KVListCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+
+	// Common Options
+	f := set.NewFlagSet("Common Options")
+
+	f.StringVar(&StringVar{
+		Name:    "mount",
+		Target:  &c.flagMount,
+		Default: "", // no default, because the handling of the next arg is determined by whether this flag has a value
+		Usage: `Specifies the path where the KV backend is mounted. If specified, 
+		the next argument will be interpreted as the secret path. If this flag is 
+		not specified, the next argument will be interpreted as the combined mount 
+		path and secret path, with /data/ automatically appended between KV 
+		v2 secrets.`,
 	})
 
-	t.Run("integration", func(t *testing.T) {
-		t.Parallel()
+	return set
+}
 
-		client, closer := testVaultServer(t)
-		defer closer()
+func (c *KVListCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultFolders()
+}
 
-		policy := `path "secret/" {}`
-		if err := client.Sys().PutPolicy("my-policy", policy); err != nil {
-			t.Fatal(err)
-		}
+func (c *KVListCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
 
-		ui, cmd := testPolicyDeleteCommand(t)
-		cmd.client = client
+func (c *KVListCommand) Run(args []string) int {
+	f := c.Flags()
 
-		code := cmd.Run([]string{
-			"my-policy",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
 
-		expected := "Success! Deleted policy: my-policy"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		if c.flagMount == "" {
+			c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+			return 1
 		}
+		args = []string{""}
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
 
-		policies, err := client.Sys().ListPolicies()
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	// If true, we're working with "-mount=secret foo" syntax.
+	// If false, we're using "secret/foo" syntax.
+	mountFlagSyntax := c.flagMount != ""
+
+	var (
+		mountPath   string
+		partialPath string
+		v2          bool
+	)
+
+	// Parse the paths and grab the KV version
+	if mountFlagSyntax {
+		// In this case, this arg is the secret path (e.g. "foo").
+		partialPath = sanitizePath(args[0])
+		mountPath, v2, err = isKVv2(sanitizePath(c.flagMount), client)
 		if err != nil {
-			t.Fatal(err)
+			c.UI.Error(err.Error())
+			return 2
 		}
 
-		list := []string{"default", "root"}
-		if !reflect.DeepEqual(policies, list) {
-			t.Errorf("expected %q to be %q", policies, list)
+		if v2 {
+			partialPath = path.Join(mountPath, partialPath)
 		}
-	})
+	} else {
+		// In this case, this arg is a path-like combination of mountPath/secretPath.
+		// (e.g. "secret/foo")
+		partialPath = sanitizePath(args[0])
+		mountPath, v2, err = isKVv2(partialPath, client)
+		if err != nil {
+			c.UI.Error(err.Error())
+			return 2
+		}
+	}
 
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
+	// Add /metadata to v2 paths only
+	var fullPath string
+	if v2 {
+		fullPath = addPrefixToKVPath(partialPath, mountPath, "metadata", false)
+	} else {
+		// v1
+		if mountFlagSyntax {
+			fullPath = path.Join(mountPath, partialPath)
+		} else {
+			fullPath = partialPath
+		}
+	}
 
-		client, closer := testVaultServerBad(t)
-		defer closer()
+	secret, err := client.Logical().List(fullPath)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error listing %s: %s", fullPath, err))
+		return 2
+	}
 
-		ui, cmd := testPolicyDeleteCommand(t)
-		cmd.client = client
+	// If the secret is wrapped, return the wrapped response.
+	if secret != nil && secret.WrapInfo != nil && secret.WrapInfo.TTL != 0 {
+		return OutputSecret(c.UI, secret)
+	}
 
-		code := cmd.Run([]string{
-			"my-policy",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
+	_, ok := extractListData(secret)
+	if Format(c.UI) != "table" {
+		if secret == nil || secret.Data == nil || !ok {
+			OutputData(c.UI, map[string]interface{}{})
+			return 2
 		}
+	}
 
-		expected := "Error deleting my-policy: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
+	if secret == nil || secret.Data == nil {
+		c.UI.Error(fmt.Sprintf("No value found at %s", fullPath))
+		return 2
+	}
 
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
+	if !ok {
+		c.UI.Error(fmt.Sprintf("No entries found at %s", fullPath))
+		return 2
+	}
 
-		_, cmd := testPolicyDeleteCommand(t)
-		assertNoTabs(t, cmd)
-	})
+	return OutputList(c.UI, secret)
 }
diff --git a/command/policy_fmt.go b/command/policy_fmt.go
index 219ce1f75b9f..14e1b5bfa3a5 100644
--- a/command/policy_fmt.go
+++ b/command/policy_fmt.go
@@ -4,113 +4,54 @@
 package command
 
 import (
-	"fmt"
-	"io/ioutil"
 	"strings"
 
-	"github.com/hashicorp/hcl/hcl/printer"
-	"github.com/hashicorp/vault/helper/namespace"
-	"github.com/hashicorp/vault/vault"
-	"github.com/mitchellh/cli"
-	homedir "github.com/mitchellh/go-homedir"
-	"github.com/posener/complete"
+	"github.com/hashicorp/cli"
 )
 
-var (
-	_ cli.Command             = (*PolicyFmtCommand)(nil)
-	_ cli.CommandAutocomplete = (*PolicyFmtCommand)(nil)
-)
+var _ cli.Command = (*KVMetadataCommand)(nil)
 
-type PolicyFmtCommand struct {
+type KVMetadataCommand struct {
 	*BaseCommand
 }
 
-func (c *PolicyFmtCommand) Synopsis() string {
-	return "Formats a policy on disk"
+func (c *KVMetadataCommand) Synopsis() string {
+	return "Interact with Vault's Key-Value storage"
 }
 
-func (c *PolicyFmtCommand) Help() string {
+func (c *KVMetadataCommand) Help() string {
 	helpText := `
-Usage: vault policy fmt [options] PATH
+Usage: vault kv metadata <subcommand> [options] [args]
 
-  Formats a local policy file to the policy specification. This command will
-  overwrite the file at the given PATH with the properly-formatted policy
-  file contents.
+  This command has subcommands for interacting with the metadata endpoint in
+  Vault's key-value store. Here are some simple examples, and more detailed
+  examples are available in the subcommands or the documentation.
 
-  Format the local file "my-policy.hcl" as a policy file:
+  Create or update a metadata entry for a key:
 
-      $ vault policy fmt my-policy.hcl
+      $ vault kv metadata put -mount=secret -max-versions=5 -delete-version-after=3h25m19s foo
 
-` + c.Flags().Help()
+  Get the metadata for a key, this provides information about each existing
+  version:
 
-	return strings.TrimSpace(helpText)
-}
+      $ vault kv metadata get -mount=secret foo
 
-func (c *PolicyFmtCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetNone)
-}
+  Delete a key and all existing versions:
 
-func (c *PolicyFmtCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictFiles("*.hcl")
-}
+      $ vault kv metadata delete -mount=secret foo
+
+  The deprecated path-like syntax can also be used, but this should be avoided 
+  for KV v2, as the fact that it is not actually the full API path to 
+  the secret (secret/metadata/foo) can cause confusion: 
+  
+      $ vault kv metadata get secret/foo
 
-func (c *PolicyFmtCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
+  Please see the individual subcommand help for detailed usage information.
+`
+
+	return strings.TrimSpace(helpText)
 }
 
-func (c *PolicyFmtCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
-	}
-
-	// Get the filepath, accounting for ~ and stuff
-	path, err := homedir.Expand(strings.TrimSpace(args[0]))
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Failed to expand path: %s", err))
-		return 1
-	}
-
-	// Read the entire contents into memory - it would be nice if we could use
-	// a buffer, but hcl wants the full contents.
-	b, err := ioutil.ReadFile(path)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error reading source file: %s", err))
-		return 1
-	}
-
-	// Actually parse the policy. We always use the root namespace here because
-	// we don't want to modify the results.
-	if _, err := vault.ParseACLPolicy(namespace.RootNamespace, string(b)); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	// Generate final contents
-	result, err := printer.Format(b)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error printing result: %s", err))
-		return 1
-	}
-
-	// Write them back out
-	if err := ioutil.WriteFile(path, result, 0o644); err != nil {
-		c.UI.Error(fmt.Sprintf("Error writing result: %s", err))
-		return 1
-	}
-
-	c.UI.Output(fmt.Sprintf("Success! Formatted policy: %s", path))
-	return 0
+func (c *KVMetadataCommand) Run(args []string) int {
+	return cli.RunResultHelp
 }
diff --git a/command/policy_fmt_test.go b/command/policy_fmt_test.go
index 7830b2a034ce..6f672fc6aeac 100644
--- a/command/policy_fmt_test.go
+++ b/command/policy_fmt_test.go
@@ -4,233 +4,149 @@
 package command
 
 import (
-	"io/ioutil"
-	"os"
+	"fmt"
+	"path"
 	"strings"
-	"testing"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
 )
 
-func testPolicyFmtCommand(tb testing.TB) (*cli.MockUi, *PolicyFmtCommand) {
-	tb.Helper()
+var (
+	_ cli.Command             = (*KVMetadataDeleteCommand)(nil)
+	_ cli.CommandAutocomplete = (*KVMetadataDeleteCommand)(nil)
+)
 
-	ui := cli.NewMockUi()
-	return ui, &PolicyFmtCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
+type KVMetadataDeleteCommand struct {
+	*BaseCommand
+	flagMount string
 }
 
-func TestPolicyFmtCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"not_enough_args",
-			[]string{},
-			"Not enough arguments",
-			1,
-		},
-		{
-			"too_many_args",
-			[]string{"foo", "bar"},
-			"Too many arguments",
-			1,
-		},
-	}
-
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, tc := range cases {
-			tc := tc
-
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
-
-				client, closer := testVaultServer(t)
-				defer closer()
-
-				ui, cmd := testPolicyFmtCommand(t)
-				cmd.client = client
-
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
-	})
-
-	t.Run("default", func(t *testing.T) {
-		t.Parallel()
+func (c *KVMetadataDeleteCommand) Synopsis() string {
+	return "Deletes all versions and metadata for a key in the KV store"
+}
 
-		policy := strings.TrimSpace(`
-path "secret" {
-  capabilities  =           ["create",    "update","delete"]
+func (c *KVMetadataDeleteCommand) Help() string {
+	helpText := `
+Usage: vault kv metadata delete [options] PATH
 
-}
-`)
+  Deletes all versions and metadata for the provided key. 
 
-		f, err := ioutil.TempFile("", "")
-		if err != nil {
-			t.Fatal(err)
-		}
-		defer os.Remove(f.Name())
-		if _, err := f.WriteString(policy); err != nil {
-			t.Fatal(err)
-		}
-		f.Close()
+      $ vault kv metadata delete -mount=secret foo
 
-		client, closer := testVaultServer(t)
-		defer closer()
+  The deprecated path-like syntax can also be used, but this should be avoided 
+  for KV v2, as the fact that it is not actually the full API path to 
+  the secret (secret/metadata/foo) can cause confusion: 
+  
+      $ vault kv metadata delete secret/foo
 
-		_, cmd := testPolicyFmtCommand(t)
-		cmd.client = client
+  Additional flags and more advanced use cases are detailed below.
 
-		code := cmd.Run([]string{
-			f.Name(),
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
+` + c.Flags().Help()
 
-		expected := strings.TrimSpace(`
-path "secret" {
-  capabilities = ["create", "update", "delete"]
+	return strings.TrimSpace(helpText)
 }
-`) + "\n"
 
-		contents, err := ioutil.ReadFile(f.Name())
-		if err != nil {
-			t.Fatal(err)
-		}
-		if string(contents) != expected {
-			t.Errorf("expected %q to be %q", string(contents), expected)
-		}
+func (c *KVMetadataDeleteCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP)
+
+	// Common Options
+	f := set.NewFlagSet("Common Options")
+
+	f.StringVar(&StringVar{
+		Name:    "mount",
+		Target:  &c.flagMount,
+		Default: "", // no default, because the handling of the next arg is determined by whether this flag has a value
+		Usage: `Specifies the path where the KV backend is mounted. If specified, 
+		the next argument will be interpreted as the secret path. If this flag is 
+		not specified, the next argument will be interpreted as the combined mount 
+		path and secret path, with /metadata/ automatically appended between KV 
+		v2 secrets.`,
 	})
 
-	t.Run("bad_hcl", func(t *testing.T) {
-		t.Parallel()
-
-		policy := `dafdaf`
-
-		f, err := ioutil.TempFile("", "")
-		if err != nil {
-			t.Fatal(err)
-		}
-		defer os.Remove(f.Name())
-		if _, err := f.WriteString(policy); err != nil {
-			t.Fatal(err)
-		}
-		f.Close()
+	return set
+}
 
-		client, closer := testVaultServer(t)
-		defer closer()
+func (c *KVMetadataDeleteCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultFiles()
+}
 
-		ui, cmd := testPolicyFmtCommand(t)
-		cmd.client = client
+func (c *KVMetadataDeleteCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
 
-		code := cmd.Run([]string{
-			f.Name(),
-		})
-		if exp := 1; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
+func (c *KVMetadataDeleteCommand) Run(args []string) int {
+	f := c.Flags()
 
-		stderr := ui.ErrorWriter.String()
-		expected := "failed to parse policy"
-		if !strings.Contains(stderr, expected) {
-			t.Errorf("expected %q to include %q", stderr, expected)
-		}
-	})
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
 
-	t.Run("bad_policy", func(t *testing.T) {
-		t.Parallel()
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
 
-		policy := `banana "foo" {}`
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
 
-		f, err := ioutil.TempFile("", "")
+	// If true, we're working with "-mount=secret foo" syntax.
+	// If false, we're using "secret/foo" syntax.
+	mountFlagSyntax := c.flagMount != ""
+
+	var (
+		mountPath   string
+		partialPath string
+		v2          bool
+	)
+
+	// Parse the paths and grab the KV version
+	if mountFlagSyntax {
+		// In this case, this arg is the secret path (e.g. "foo").
+		partialPath = sanitizePath(args[0])
+		mountPath, v2, err = isKVv2(sanitizePath(c.flagMount), client)
 		if err != nil {
-			t.Fatal(err)
-		}
-		defer os.Remove(f.Name())
-		if _, err := f.WriteString(policy); err != nil {
-			t.Fatal(err)
+			c.UI.Error(err.Error())
+			return 2
 		}
-		f.Close()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		ui, cmd := testPolicyFmtCommand(t)
-		cmd.client = client
 
-		code := cmd.Run([]string{
-			f.Name(),
-		})
-		if exp := 1; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
+		if v2 {
+			partialPath = path.Join(mountPath, partialPath)
 		}
-
-		stderr := ui.ErrorWriter.String()
-		expected := "failed to parse policy"
-		if !strings.Contains(stderr, expected) {
-			t.Errorf("expected %q to include %q", stderr, expected)
-		}
-	})
-
-	t.Run("bad_policy", func(t *testing.T) {
-		t.Parallel()
-
-		policy := `path "secret/" { capabilities = ["bogus"] }`
-
-		f, err := ioutil.TempFile("", "")
+	} else {
+		// In this case, this arg is a path-like combination of mountPath/secretPath.
+		// (e.g. "secret/foo")
+		partialPath = sanitizePath(args[0])
+		mountPath, v2, err = isKVv2(partialPath, client)
 		if err != nil {
-			t.Fatal(err)
-		}
-		defer os.Remove(f.Name())
-		if _, err := f.WriteString(policy); err != nil {
-			t.Fatal(err)
+			c.UI.Error(err.Error())
+			return 2
 		}
-		f.Close()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		ui, cmd := testPolicyFmtCommand(t)
-		cmd.client = client
+	}
 
-		code := cmd.Run([]string{
-			f.Name(),
-		})
-		if exp := 1; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
+	if !v2 {
+		c.UI.Error("Metadata not supported on KV Version 1")
+		return 1
+	}
 
-		stderr := ui.ErrorWriter.String()
-		expected := "failed to parse policy"
-		if !strings.Contains(stderr, expected) {
-			t.Errorf("expected %q to include %q", stderr, expected)
+	fullPath := addPrefixToKVPath(partialPath, mountPath, "metadata", false)
+	if secret, err := client.Logical().Delete(fullPath); err != nil {
+		c.UI.Error(fmt.Sprintf("Error deleting %s: %s", fullPath, err))
+		if secret != nil {
+			OutputSecret(c.UI, secret)
 		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
+		return 2
+	}
 
-		_, cmd := testPolicyFmtCommand(t)
-		assertNoTabs(t, cmd)
-	})
+	c.UI.Info(fmt.Sprintf("Success! Data deleted (if it existed) at: %s", fullPath))
+	return 0
 }
diff --git a/command/policy_list.go b/command/policy_list.go
index 3800b584627a..2722c330efe0 100644
--- a/command/policy_list.go
+++ b/command/policy_list.go
@@ -5,49 +5,79 @@ package command
 
 import (
 	"fmt"
+	"path"
+	"sort"
+	"strconv"
 	"strings"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
 	"github.com/posener/complete"
 )
 
 var (
-	_ cli.Command             = (*PolicyListCommand)(nil)
-	_ cli.CommandAutocomplete = (*PolicyListCommand)(nil)
+	_ cli.Command             = (*KVMetadataGetCommand)(nil)
+	_ cli.CommandAutocomplete = (*KVMetadataGetCommand)(nil)
 )
 
-type PolicyListCommand struct {
+type KVMetadataGetCommand struct {
 	*BaseCommand
+	flagMount string
 }
 
-func (c *PolicyListCommand) Synopsis() string {
-	return "Lists the installed policies"
+func (c *KVMetadataGetCommand) Synopsis() string {
+	return "Retrieves key metadata from the KV store"
 }
 
-func (c *PolicyListCommand) Help() string {
+func (c *KVMetadataGetCommand) Help() string {
 	helpText := `
-Usage: vault policy list [options]
+Usage: vault kv metadata get [options] KEY
 
-  Lists the names of the policies that are installed on the Vault server.
+  Retrieves the metadata from Vault's key-value store at the given key name. If no
+  key exists with that name, an error is returned.
 
-` + c.Flags().Help()
+      $ vault kv metadata get -mount=secret foo
+
+  The deprecated path-like syntax can also be used, but this should be avoided 
+  for KV v2, as the fact that it is not actually the full API path to 
+  the secret (secret/metadata/foo) can cause confusion: 
+  
+      $ vault kv metadata get secret/foo
+
+  Additional flags and more advanced use cases are detailed below.
 
+` + c.Flags().Help()
 	return strings.TrimSpace(helpText)
 }
 
-func (c *PolicyListCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+func (c *KVMetadataGetCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+
+	// Common Options
+	f := set.NewFlagSet("Common Options")
+
+	f.StringVar(&StringVar{
+		Name:    "mount",
+		Target:  &c.flagMount,
+		Default: "", // no default, because the handling of the next arg is determined by whether this flag has a value
+		Usage: `Specifies the path where the KV backend is mounted. If specified, 
+		the next argument will be interpreted as the secret path. If this flag is 
+		not specified, the next argument will be interpreted as the combined mount 
+		path and secret path, with /metadata/ automatically appended between KV 
+		v2 secrets.`,
+	})
+
+	return set
 }
 
-func (c *PolicyListCommand) AutocompleteArgs() complete.Predictor {
+func (c *KVMetadataGetCommand) AutocompleteArgs() complete.Predictor {
 	return nil
 }
 
-func (c *PolicyListCommand) AutocompleteFlags() complete.Flags {
+func (c *KVMetadataGetCommand) AutocompleteFlags() complete.Flags {
 	return c.Flags().Completions()
 }
 
-func (c *PolicyListCommand) Run(args []string) int {
+func (c *KVMetadataGetCommand) Run(args []string) int {
 	f := c.Flags()
 
 	if err := f.Parse(args); err != nil {
@@ -57,8 +87,11 @@ func (c *PolicyListCommand) Run(args []string) int {
 
 	args = f.Args()
 	switch {
-	case len(args) > 0:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(args)))
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
 		return 1
 	}
 
@@ -68,19 +101,97 @@ func (c *PolicyListCommand) Run(args []string) int {
 		return 2
 	}
 
-	policies, err := client.Sys().ListPolicies()
+	// If true, we're working with "-mount=secret foo" syntax.
+	// If false, we're using "secret/foo" syntax.
+	mountFlagSyntax := c.flagMount != ""
+
+	var (
+		mountPath   string
+		partialPath string
+		v2          bool
+	)
+
+	// Parse the paths and grab the KV version
+	if mountFlagSyntax {
+		// In this case, this arg is the secret path (e.g. "foo").
+		partialPath = sanitizePath(args[0])
+		mountPath, v2, err = isKVv2(sanitizePath(c.flagMount), client)
+		if err != nil {
+			c.UI.Error(err.Error())
+			return 2
+		}
+
+		if v2 {
+			partialPath = path.Join(mountPath, partialPath)
+		}
+	} else {
+		// In this case, this arg is a path-like combination of mountPath/secretPath.
+		// (e.g. "secret/foo")
+		partialPath = sanitizePath(args[0])
+		mountPath, v2, err = isKVv2(partialPath, client)
+		if err != nil {
+			c.UI.Error(err.Error())
+			return 2
+		}
+	}
+
+	if !v2 {
+		c.UI.Error("Metadata not supported on KV Version 1")
+		return 1
+	}
+
+	fullPath := addPrefixToKVPath(partialPath, mountPath, "metadata", false)
+	secret, err := client.Logical().Read(fullPath)
 	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error listing policies: %s", err))
+		c.UI.Error(fmt.Sprintf("Error reading %s: %s", fullPath, err))
 		return 2
 	}
+	if secret == nil {
+		c.UI.Error(fmt.Sprintf("No value found at %s", fullPath))
+		return 2
+	}
+
+	if c.flagField != "" {
+		return PrintRawField(c.UI, secret, c.flagField)
+	}
+
+	// If we have wrap info print the secret normally.
+	if secret.WrapInfo != nil || c.flagFormat != "table" {
+		return OutputSecret(c.UI, secret)
+	}
+
+	versionsRaw, ok := secret.Data["versions"]
+	if !ok || versionsRaw == nil {
+		c.UI.Error(fmt.Sprintf("No value found at %s", fullPath))
+		OutputSecret(c.UI, secret)
+		return 2
+	}
+	versions := versionsRaw.(map[string]interface{})
 
-	switch Format(c.UI) {
-	case "table":
-		for _, p := range policies {
-			c.UI.Output(p)
+	delete(secret.Data, "versions")
+
+	outputPath(c.UI, fullPath, "Metadata Path")
+
+	c.UI.Info(getHeaderForMap("Metadata", secret.Data))
+	OutputSecret(c.UI, secret)
+
+	versionKeys := []int{}
+	for k := range versions {
+		i, err := strconv.Atoi(k)
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error parsing version %s", k))
+			return 2
 		}
-		return 0
-	default:
-		return OutputData(c.UI, policies)
+
+		versionKeys = append(versionKeys, i)
 	}
+
+	sort.Ints(versionKeys)
+
+	for _, v := range versionKeys {
+		c.UI.Info("\n" + getHeaderForMap(fmt.Sprintf("Version %d", v), versions[strconv.Itoa(v)].(map[string]interface{})))
+		OutputData(c.UI, versions[strconv.Itoa(v)])
+	}
+
+	return 0
 }
diff --git a/command/policy_list_test.go b/command/policy_list_test.go
index 0626f3a1b678..ff59c12fb7c7 100644
--- a/command/policy_list_test.go
+++ b/command/policy_list_test.go
@@ -4,114 +4,259 @@
 package command
 
 import (
+	"context"
+	"fmt"
+	"io"
+	"path"
 	"strings"
-	"testing"
+	"time"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
 )
 
-func testPolicyListCommand(tb testing.TB) (*cli.MockUi, *PolicyListCommand) {
-	tb.Helper()
+var (
+	_ cli.Command             = (*KVMetadataPutCommand)(nil)
+	_ cli.CommandAutocomplete = (*KVMetadataPutCommand)(nil)
+)
 
-	ui := cli.NewMockUi()
-	return ui, &PolicyListCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
+type KVMetadataPatchCommand struct {
+	*BaseCommand
+
+	flagMaxVersions          int
+	flagCASRequired          BoolPtr
+	flagDeleteVersionAfter   time.Duration
+	flagCustomMetadata       map[string]string
+	flagRemoveCustomMetadata []string
+	flagMount                string
+	testStdin                io.Reader // for tests
 }
 
-func TestPolicyListCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"too_many_args",
-			[]string{"foo"},
-			"Too many arguments",
-			1,
-		},
-	}
+func (c *KVMetadataPatchCommand) Synopsis() string {
+	return "Patches key settings in the KV store"
+}
 
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
+func (c *KVMetadataPatchCommand) Help() string {
+	helpText := `
+Usage: vault kv metadata patch [options] KEY
 
-		for _, tc := range cases {
-			tc := tc
+  This command can be used to create a blank key in the key-value store or to
+  update key configuration for a specified key.
 
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
+  Create a key in the key-value store with no data:
 
-				client, closer := testVaultServer(t)
-				defer closer()
+      $ vault kv metadata patch -mount=secret foo
 
-				ui, cmd := testPolicyListCommand(t)
-				cmd.client = client
+  The deprecated path-like syntax can also be used, but this should be avoided 
+  for KV v2, as the fact that it is not actually the full API path to 
+  the secret (secret/metadata/foo) can cause confusion: 
+  
+      $ vault kv metadata patch secret/foo
 
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
+  Set a max versions setting on the key:
 
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
+      $ vault kv metadata patch -mount=secret -max-versions=5 foo
+
+  Set delete-version-after on the key:
+
+      $ vault kv metadata patch -mount=secret -delete-version-after=3h25m19s foo
+
+  Require Check-and-Set for this key:
+
+      $ vault kv metadata patch -mount=secret -cas-required foo
+
+  Set custom metadata on the key:
+
+      $ vault kv metadata patch -mount=secret -custom-metadata=foo=abc -custom-metadata=bar=123 foo
+
+  To remove custom meta data from the corresponding path in the key-value store, kv metadata patch can be used.
+
+      $ vault kv metadata patch -mount=secret -remove-custom-metadata=bar foo
+
+  Additional flags and more advanced use cases are detailed below.
+
+` + c.Flags().Help()
+	return strings.TrimSpace(helpText)
+}
+
+func (c *KVMetadataPatchCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+
+	// Common Options
+	f := set.NewFlagSet("Common Options")
+
+	f.IntVar(&IntVar{
+		Name:    "max-versions",
+		Target:  &c.flagMaxVersions,
+		Default: -1,
+		Usage:   `The number of versions to keep. If not set, the backend’s configured max version is used.`,
 	})
 
-	t.Run("default", func(t *testing.T) {
-		t.Parallel()
+	f.BoolPtrVar(&BoolPtrVar{
+		Name:   "cas-required",
+		Target: &c.flagCASRequired,
+		Usage:  `If true the key will require the cas parameter to be set on all write requests. If false, the backend’s configuration will be used.`,
+	})
 
-		client, closer := testVaultServer(t)
-		defer closer()
+	f.DurationVar(&DurationVar{
+		Name:       "delete-version-after",
+		Target:     &c.flagDeleteVersionAfter,
+		Default:    -1,
+		EnvVar:     "",
+		Completion: complete.PredictAnything,
+		Usage: `Specifies the length of time before a version is deleted.
+		If not set, the backend's configured delete-version-after is used. Cannot be
+		greater than the backend's delete-version-after. The delete-version-after is
+		specified as a numeric string with a suffix like "30s" or
+		"3h25m19s".`,
+	})
 
-		ui, cmd := testPolicyListCommand(t)
-		cmd.client = client
+	f.StringMapVar(&StringMapVar{
+		Name:    "custom-metadata",
+		Target:  &c.flagCustomMetadata,
+		Default: map[string]string{},
+		Usage: `Specifies arbitrary version-agnostic key=value metadata meant to describe a secret.
+		This can be specified multiple times to add multiple pieces of metadata.`,
+	})
 
-		code := cmd.Run([]string{})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
+	f.StringSliceVar(&StringSliceVar{
+		Name:    "remove-custom-metadata",
+		Target:  &c.flagRemoveCustomMetadata,
+		Default: []string{},
+		Usage:   "Key to remove from custom metadata. To specify multiple values, specify this flag multiple times.",
+	})
 
-		expected := "default\nroot"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
+	f.StringVar(&StringVar{
+		Name:    "mount",
+		Target:  &c.flagMount,
+		Default: "", // no default, because the handling of the next arg is determined by whether this flag has a value
+		Usage: `Specifies the path where the KV backend is mounted. If specified, 
+		the next argument will be interpreted as the secret path. If this flag is 
+		not specified, the next argument will be interpreted as the combined mount 
+		path and secret path, with /metadata/ automatically appended between KV 
+		v2 secrets.`,
 	})
 
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
+	return set
+}
+
+func (c *KVMetadataPatchCommand) AutocompleteArgs() complete.Predictor {
+	return nil
+}
+
+func (c *KVMetadataPatchCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *KVMetadataPatchCommand) Run(args []string) int {
+	f := c.Flags()
 
-		client, closer := testVaultServerBad(t)
-		defer closer()
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
 
-		ui, cmd := testPolicyListCommand(t)
-		cmd.client = client
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	// If true, we're working with "-mount=secret foo" syntax.
+	// If false, we're using "secret/foo" syntax.
+	mountFlagSyntax := c.flagMount != ""
 
-		code := cmd.Run([]string{})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
+	var (
+		mountPath   string
+		partialPath string
+		v2          bool
+	)
+
+	// Parse the paths and grab the KV version
+	if mountFlagSyntax {
+		// In this case, this arg is the secret path (e.g. "foo").
+		partialPath = sanitizePath(args[0])
+		mountPath, v2, err = isKVv2(sanitizePath(c.flagMount), client)
+		if err != nil {
+			c.UI.Error(err.Error())
+			return 2
 		}
 
-		expected := "Error listing policies: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
+		if v2 {
+			partialPath = path.Join(mountPath, partialPath)
 		}
-	})
+	} else {
+		// In this case, this arg is a path-like combination of mountPath/secretPath.
+		// (e.g. "secret/foo")
+		partialPath = sanitizePath(args[0])
+		mountPath, v2, err = isKVv2(partialPath, client)
+		if err != nil {
+			c.UI.Error(err.Error())
+			return 2
+		}
+	}
+	if !v2 {
+		c.UI.Error("Metadata not supported on KV Version 1")
+		return 1
+	}
 
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
+	fullPath := addPrefixToKVPath(partialPath, mountPath, "metadata", false)
 
-		_, cmd := testPolicyListCommand(t)
-		assertNoTabs(t, cmd)
-	})
+	data := make(map[string]interface{}, 0)
+
+	if c.flagMaxVersions >= 0 {
+		data["max_versions"] = c.flagMaxVersions
+	}
+
+	if c.flagCASRequired.IsSet() {
+		data["cas_required"] = c.flagCASRequired.Get()
+	}
+
+	if c.flagDeleteVersionAfter >= 0 {
+		data["delete_version_after"] = c.flagDeleteVersionAfter.String()
+	}
+
+	customMetadata := make(map[string]interface{})
+
+	for key, value := range c.flagCustomMetadata {
+		customMetadata[key] = value
+	}
+
+	for _, key := range c.flagRemoveCustomMetadata {
+		// A null in a JSON merge patch payload will remove the associated key
+		customMetadata[key] = nil
+	}
+
+	data["custom_metadata"] = customMetadata
+
+	secret, err := client.Logical().JSONMergePatch(context.Background(), fullPath, data)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error writing data to %s: %s", fullPath, err))
+
+		if secret != nil {
+			OutputSecret(c.UI, secret)
+		}
+		return 2
+	}
+
+	if secret == nil {
+		// Don't output anything unless using the "table" format
+		if Format(c.UI) == "table" {
+			c.UI.Info(fmt.Sprintf("Success! Data written to: %s", fullPath))
+		}
+		return 0
+	}
+
+	return OutputSecret(c.UI, secret)
 }
diff --git a/command/policy_read.go b/command/policy_read.go
index d8b749ee784c..1dc0e123773e 100644
--- a/command/policy_read.go
+++ b/command/policy_read.go
@@ -4,97 +4,296 @@
 package command
 
 import (
-	"fmt"
+	"encoding/json"
+	"io"
 	"strings"
+	"testing"
 
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
+	"github.com/go-test/deep"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
 )
 
-var (
-	_ cli.Command             = (*PolicyReadCommand)(nil)
-	_ cli.CommandAutocomplete = (*PolicyReadCommand)(nil)
-)
+func testKVMetadataPatchCommand(tb testing.TB) (*cli.MockUi, *KVMetadataPatchCommand) {
+	tb.Helper()
 
-type PolicyReadCommand struct {
-	*BaseCommand
+	ui := cli.NewMockUi()
+	return ui, &KVMetadataPatchCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
 }
 
-func (c *PolicyReadCommand) Synopsis() string {
-	return "Prints the contents of a policy"
-}
+func kvMetadataPatchWithRetry(t *testing.T, client *api.Client, args []string, stdin *io.PipeReader) (int, string) {
+	t.Helper()
+
+	return retryKVCommand(t, func() (int, string) {
+		ui, cmd := testKVMetadataPatchCommand(t)
+		cmd.client = client
+
+		if stdin != nil {
+			cmd.testStdin = stdin
+		}
 
-func (c *PolicyReadCommand) Help() string {
-	helpText := `
-Usage: vault policy read [options] [NAME]
+		code := cmd.Run(args)
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
 
-  Prints the contents and metadata of the Vault policy named NAME. If the policy
-  does not exist, an error is returned.
+		return code, combined
+	})
+}
 
-  Read the policy named "my-policy":
+func kvMetadataPutWithRetry(t *testing.T, client *api.Client, args []string, stdin *io.PipeReader) (int, string) {
+	t.Helper()
 
-      $ vault policy read my-policy
+	return retryKVCommand(t, func() (int, string) {
+		ui, cmd := testKVMetadataPutCommand(t)
+		cmd.client = client
 
-` + c.Flags().Help()
+		if stdin != nil {
+			cmd.testStdin = stdin
+		}
 
-	return strings.TrimSpace(helpText)
-}
+		code := cmd.Run(args)
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
 
-func (c *PolicyReadCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+		return code, combined
+	})
 }
 
-func (c *PolicyReadCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultPolicies()
+func TestKvMetadataPatchCommand_EmptyArgs(t *testing.T) {
+	client, closer := testVaultServer(t)
+	defer closer()
+
+	if err := client.Sys().Mount("kv/", &api.MountInput{
+		Type: "kv-v2",
+	}); err != nil {
+		t.Fatalf("kv-v2 mount error: %#v", err)
+	}
+
+	args := make([]string, 0)
+	code, combined := kvMetadataPatchWithRetry(t, client, args, nil)
+
+	expectedCode := 1
+	expectedOutput := "Not enough arguments"
+
+	if code != expectedCode {
+		t.Fatalf("expected code to be %d but was %d for patch cmd with args %#v", expectedCode, code, args)
+	}
+
+	if !strings.Contains(combined, expectedOutput) {
+		t.Fatalf("expected output to be %q but was %q for patch cmd with args %#v", expectedOutput, combined, args)
+	}
 }
 
-func (c *PolicyReadCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
+func TestKvMetadataPatchCommand_Flags(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name            string
+		args            []string
+		out             string
+		code            int
+		expectedUpdates map[string]interface{}
+	}{
+		{
+			"cas_required_success",
+			[]string{"-cas-required=true"},
+			"Success!",
+			0,
+			map[string]interface{}{
+				"cas_required": true,
+			},
+		},
+		{
+			"cas_required_invalid",
+			[]string{"-cas-required=12345"},
+			"invalid boolean value",
+			1,
+			map[string]interface{}{},
+		},
+		{
+			"custom_metadata_success",
+			[]string{"-custom-metadata=baz=ghi"},
+			"Success!",
+			0,
+			map[string]interface{}{
+				"custom_metadata": map[string]interface{}{
+					"foo": "abc",
+					"bar": "def",
+					"baz": "ghi",
+				},
+			},
+		},
+		{
+			"remove-custom_metadata",
+			[]string{"-custom-metadata=baz=ghi", "-remove-custom-metadata=foo"},
+			"Success!",
+			0,
+			map[string]interface{}{
+				"custom_metadata": map[string]interface{}{
+					"bar": "def",
+					"baz": "ghi",
+				},
+			},
+		},
+		{
+			"remove-custom_metadata-multiple",
+			[]string{"-custom-metadata=baz=ghi", "-remove-custom-metadata=foo", "-remove-custom-metadata=bar"},
+			"Success!",
+			0,
+			map[string]interface{}{
+				"custom_metadata": map[string]interface{}{
+					"baz": "ghi",
+				},
+			},
+		},
+		{
+			"delete_version_after_success",
+			[]string{"-delete-version-after=5s"},
+			"Success!",
+			0,
+			map[string]interface{}{
+				"delete_version_after": "5s",
+			},
+		},
+		{
+			"delete_version_after_invalid",
+			[]string{"-delete-version-after=false"},
+			"invalid duration",
+			1,
+			map[string]interface{}{},
+		},
+		{
+			"max_versions_success",
+			[]string{"-max-versions=10"},
+			"Success!",
+			0,
+			map[string]interface{}{
+				"max_versions": json.Number("10"),
+			},
+		},
+		{
+			"max_versions_invalid",
+			[]string{"-max-versions=false"},
+			"invalid syntax",
+			1,
+			map[string]interface{}{},
+		},
+		{
+			"multiple_flags_success",
+			[]string{"-max-versions=20", "-custom-metadata=baz=123"},
+			"Success!",
+			0,
+			map[string]interface{}{
+				"max_versions": json.Number("20"),
+				"custom_metadata": map[string]interface{}{
+					"foo": "abc",
+					"bar": "def",
+					"baz": "123",
+				},
+			},
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			client, closer := testVaultServer(t)
+			defer closer()
+
+			basePath := t.Name() + "/"
+			secretPath := basePath + "my-secret"
+			metadataPath := basePath + "metadata/" + "my-secret"
+
+			if err := client.Sys().Mount(basePath, &api.MountInput{
+				Type: "kv-v2",
+			}); err != nil {
+				t.Fatalf("kv-v2 mount error: %#v", err)
+			}
+
+			putArgs := []string{"-cas-required=true", "-custom-metadata=foo=abc", "-custom-metadata=bar=def", secretPath}
+			code, combined := kvMetadataPutWithRetry(t, client, putArgs, nil)
+
+			if code != 0 {
+				t.Fatalf("initial metadata put failed, code: %d, output: %s", code, combined)
+			}
+
+			initialMetadata, err := client.Logical().Read(metadataPath)
+			if err != nil {
+				t.Fatalf("metadata read failed, err: %#v", err)
+			}
+
+			patchArgs := append(tc.args, secretPath)
+
+			code, combined = kvMetadataPatchWithRetry(t, client, patchArgs, nil)
+
+			if !strings.Contains(combined, tc.out) {
+				t.Fatalf("expected output to be %q but was %q for patch cmd with args %#v", tc.out, combined, patchArgs)
+			}
+			if code != tc.code {
+				t.Fatalf("expected code to be %d but was %d for patch cmd with args %#v", tc.code, code, patchArgs)
+			}
+
+			patchedMetadata, err := client.Logical().Read(metadataPath)
+			if err != nil {
+				t.Fatalf("metadata read failed, err: %#v", err)
+			}
+
+			for k, v := range patchedMetadata.Data {
+				var expectedVal interface{}
+
+				if inputVal, ok := tc.expectedUpdates[k]; ok {
+					expectedVal = inputVal
+				} else {
+					expectedVal = initialMetadata.Data[k]
+				}
+
+				if diff := deep.Equal(expectedVal, v); len(diff) > 0 {
+					t.Fatalf("patched %q mismatch, diff: %#v", k, diff)
+				}
+			}
+		})
+	}
 }
 
-func (c *PolicyReadCommand) Run(args []string) int {
-	f := c.Flags()
+func TestKvMetadataPatchCommand_CasWarning(t *testing.T) {
+	client, closer := testVaultServer(t)
+	defer closer()
 
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
+	basePath := "kv/"
+	if err := client.Sys().Mount(basePath, &api.MountInput{
+		Type: "kv-v2",
+	}); err != nil {
+		t.Fatalf("kv-v2 mount error: %#v", err)
 	}
 
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
+	secretPath := basePath + "my-secret"
+
+	args := []string{"-cas-required=true", secretPath}
+	code, combined := kvMetadataPutWithRetry(t, client, args, nil)
+
+	if code != 0 {
+		t.Fatalf("metadata put failed, code: %d, output: %s", code, combined)
 	}
 
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
+	casConfig := map[string]interface{}{
+		"cas_required": true,
 	}
 
-	name := strings.ToLower(strings.TrimSpace(args[0]))
-	rules, err := client.Sys().GetPolicy(name)
+	_, err := client.Logical().Write(basePath+"config", casConfig)
 	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error reading policy named %s: %s", name, err))
-		return 2
+		t.Fatalf("config write failed, err: #%v", err)
 	}
-	if rules == "" {
-		c.UI.Error(fmt.Sprintf("No policy named: %s", name))
-		return 2
+
+	args = []string{"-cas-required=false", secretPath}
+	code, combined = kvMetadataPatchWithRetry(t, client, args, nil)
+
+	if code != 0 {
+		t.Fatalf("expected code to be 0 but was %d for patch cmd with args %#v", code, args)
 	}
 
-	switch Format(c.UI) {
-	case "table":
-		c.UI.Output(strings.TrimSpace(rules))
-		return 0
-	default:
-		resp := map[string]string{
-			"policy": rules,
-		}
-		return OutputData(c.UI, &resp)
+	expectedOutput := "\"cas_required\" set to false, but is mandated by backend config"
+	if !strings.Contains(combined, expectedOutput) {
+		t.Fatalf("expected output to be %q but was %q for patch cmd with args %#v", expectedOutput, combined, args)
 	}
 }
diff --git a/command/policy_read_test.go b/command/policy_read_test.go
index 84ec9f9cf64b..5b8124229de9 100644
--- a/command/policy_read_test.go
+++ b/command/policy_read_test.go
@@ -4,128 +4,235 @@
 package command
 
 import (
+	"fmt"
+	"io"
+	"path"
 	"strings"
-	"testing"
+	"time"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
 )
 
-func testPolicyReadCommand(tb testing.TB) (*cli.MockUi, *PolicyReadCommand) {
-	tb.Helper()
+var (
+	_ cli.Command             = (*KVMetadataPutCommand)(nil)
+	_ cli.CommandAutocomplete = (*KVMetadataPutCommand)(nil)
+)
 
-	ui := cli.NewMockUi()
-	return ui, &PolicyReadCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
+type KVMetadataPutCommand struct {
+	*BaseCommand
+
+	flagMaxVersions        int
+	flagCASRequired        BoolPtr
+	flagDeleteVersionAfter time.Duration
+	flagCustomMetadata     map[string]string
+	flagMount              string
+	testStdin              io.Reader // for tests
 }
 
-func TestPolicyReadCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"too_many_args",
-			[]string{"foo", "bar"},
-			"Too many arguments",
-			1,
-		},
-		{
-			"no_policy_exists",
-			[]string{"not-a-real-policy"},
-			"No policy named",
-			2,
-		},
-	}
+func (c *KVMetadataPutCommand) Synopsis() string {
+	return "Sets or updates key settings in the KV store"
+}
 
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
+func (c *KVMetadataPutCommand) Help() string {
+	helpText := `
+Usage: vault kv metadata put [options] KEY
 
-		for _, tc := range cases {
-			tc := tc
+  This command can be used to create a blank key in the key-value store or to
+  update key configuration for a specified key.
 
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
+  Create a key in the key-value store with no data:
 
-				client, closer := testVaultServer(t)
-				defer closer()
+      $ vault kv metadata put -mount=secret foo
 
-				ui, cmd := testPolicyReadCommand(t)
-				cmd.client = client
+  The deprecated path-like syntax can also be used, but this should be avoided 
+  for KV v2, as the fact that it is not actually the full API path to 
+  the secret (secret/metadata/foo) can cause confusion: 
+  
+      $ vault kv metadata put secret/foo
 
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
+  Set a max versions setting on the key:
 
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
-	})
+      $ vault kv metadata put -mount=secret -max-versions=5 foo
 
-	t.Run("default", func(t *testing.T) {
-		t.Parallel()
+  Set delete-version-after on the key:
 
-		client, closer := testVaultServer(t)
-		defer closer()
+      $ vault kv metadata put -mount=secret -delete-version-after=3h25m19s foo
 
-		policy := `path "secret/" {}`
-		if err := client.Sys().PutPolicy("my-policy", policy); err != nil {
-			t.Fatal(err)
-		}
+  Require Check-and-Set for this key:
 
-		ui, cmd := testPolicyReadCommand(t)
-		cmd.client = client
+      $ vault kv metadata put -mount=secret -cas-required foo
 
-		code := cmd.Run([]string{
-			"my-policy",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
+  Set custom metadata on the key:
 
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, policy) {
-			t.Errorf("expected %q to contain %q", combined, policy)
-		}
+      $ vault kv metadata put -mount=secret -custom-metadata=foo=abc -custom-metadata=bar=123 foo
+
+  Additional flags and more advanced use cases are detailed below.
+
+` + c.Flags().Help()
+	return strings.TrimSpace(helpText)
+}
+
+func (c *KVMetadataPutCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+
+	// Common Options
+	f := set.NewFlagSet("Common Options")
+
+	f.IntVar(&IntVar{
+		Name:    "max-versions",
+		Target:  &c.flagMaxVersions,
+		Default: -1,
+		Usage:   `The number of versions to keep. If not set, the backend’s configured max version is used.`,
+	})
+
+	f.BoolPtrVar(&BoolPtrVar{
+		Name:   "cas-required",
+		Target: &c.flagCASRequired,
+		Usage:  `If true the key will require the cas parameter to be set on all write requests. If false, the backend’s configuration will be used.`,
 	})
 
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
+	f.DurationVar(&DurationVar{
+		Name:       "delete-version-after",
+		Target:     &c.flagDeleteVersionAfter,
+		Default:    -1,
+		EnvVar:     "",
+		Completion: complete.PredictAnything,
+		Usage: `Specifies the length of time before a version is deleted.
+		If not set, the backend's configured delete-version-after is used. Cannot be
+		greater than the backend's delete-version-after. The delete-version-after is
+		specified as a numeric string with a suffix like "30s" or
+		"3h25m19s".`,
+	})
+
+	f.StringMapVar(&StringMapVar{
+		Name:    "custom-metadata",
+		Target:  &c.flagCustomMetadata,
+		Default: map[string]string{},
+		Usage: "Specifies arbitrary version-agnostic key=value metadata meant to describe a secret." +
+			"This can be specified multiple times to add multiple pieces of metadata.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:    "mount",
+		Target:  &c.flagMount,
+		Default: "", // no default, because the handling of the next arg is determined by whether this flag has a value
+		Usage: `Specifies the path where the KV backend is mounted. If specified, 
+		the next argument will be interpreted as the secret path. If this flag is 
+		not specified, the next argument will be interpreted as the combined mount 
+		path and secret path, with /metadata/ automatically appended between KV 
+		v2 secrets.`,
+	})
+
+	return set
+}
+
+func (c *KVMetadataPutCommand) AutocompleteArgs() complete.Predictor {
+	return nil
+}
+
+func (c *KVMetadataPutCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *KVMetadataPutCommand) Run(args []string) int {
+	f := c.Flags()
 
-		client, closer := testVaultServerBad(t)
-		defer closer()
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
 
-		ui, cmd := testPolicyReadCommand(t)
-		cmd.client = client
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
 
-		code := cmd.Run([]string{
-			"my-policy",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
+	// If true, we're working with "-mount=secret foo" syntax.
+	// If false, we're using "secret/foo" syntax.
+	mountFlagSyntax := c.flagMount != ""
+
+	var (
+		mountPath   string
+		partialPath string
+		v2          bool
+	)
+
+	// Parse the paths and grab the KV version
+	if mountFlagSyntax {
+		// In this case, this arg is the secret path (e.g. "foo").
+		partialPath = sanitizePath(args[0])
+		mountPath, v2, err = isKVv2(sanitizePath(c.flagMount), client)
+		if err != nil {
+			c.UI.Error(err.Error())
+			return 2
 		}
 
-		expected := "Error reading policy named my-policy: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
+		if v2 {
+			partialPath = path.Join(mountPath, partialPath)
 		}
-	})
+	} else {
+		// In this case, this arg is a path-like combination of mountPath/secretPath.
+		// (e.g. "secret/foo")
+		partialPath = sanitizePath(args[0])
+		mountPath, v2, err = isKVv2(partialPath, client)
+		if err != nil {
+			c.UI.Error(err.Error())
+			return 2
+		}
+	}
 
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
+	if !v2 {
+		c.UI.Error("Metadata not supported on KV Version 1")
+		return 1
+	}
 
-		_, cmd := testPolicyReadCommand(t)
-		assertNoTabs(t, cmd)
-	})
+	fullPath := addPrefixToKVPath(partialPath, mountPath, "metadata", false)
+	data := map[string]interface{}{}
+
+	if c.flagMaxVersions >= 0 {
+		data["max_versions"] = c.flagMaxVersions
+	}
+
+	if c.flagDeleteVersionAfter >= 0 {
+		data["delete_version_after"] = c.flagDeleteVersionAfter.String()
+	}
+
+	if c.flagCASRequired.IsSet() {
+		data["cas_required"] = c.flagCASRequired.Get()
+	}
+
+	if len(c.flagCustomMetadata) > 0 {
+		data["custom_metadata"] = c.flagCustomMetadata
+	}
+
+	secret, err := client.Logical().Write(fullPath, data)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error writing data to %s: %s", fullPath, err))
+		if secret != nil {
+			OutputSecret(c.UI, secret)
+		}
+		return 2
+	}
+	if secret == nil {
+		// Don't output anything unless using the "table" format
+		if Format(c.UI) == "table" {
+			c.UI.Info(fmt.Sprintf("Success! Data written to: %s", fullPath))
+		}
+		return 0
+	}
+
+	return OutputSecret(c.UI, secret)
 }
diff --git a/command/policy_write.go b/command/policy_write.go
index d4b5256b0cac..edd0b6bf2e92 100644
--- a/command/policy_write.go
+++ b/command/policy_write.go
@@ -4,134 +4,201 @@
 package command
 
 import (
-	"bytes"
-	"fmt"
-	"io"
-	"os"
+	"encoding/json"
 	"strings"
+	"testing"
 
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
+	"github.com/go-test/deep"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
 )
 
-var (
-	_ cli.Command             = (*PolicyWriteCommand)(nil)
-	_ cli.CommandAutocomplete = (*PolicyWriteCommand)(nil)
-)
-
-type PolicyWriteCommand struct {
-	*BaseCommand
+func testKVMetadataPutCommand(tb testing.TB) (*cli.MockUi, *KVMetadataPutCommand) {
+	tb.Helper()
 
-	testStdin io.Reader // for tests
+	ui := cli.NewMockUi()
+	return ui, &KVMetadataPutCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
 }
 
-func (c *PolicyWriteCommand) Synopsis() string {
-	return "Uploads a named policy from a file"
-}
+func TestKvMetadataPutCommand_DeleteVersionAfter(t *testing.T) {
+	client, closer := testVaultServer(t)
+	defer closer()
 
-func (c *PolicyWriteCommand) Help() string {
-	helpText := `
-Usage: vault policy write [options] NAME PATH
+	basePath := t.Name() + "/"
+	if err := client.Sys().Mount(basePath, &api.MountInput{
+		Type: "kv-v2",
+	}); err != nil {
+		t.Fatal(err)
+	}
 
-  Uploads a policy with name NAME from the contents of a local file PATH or
-  stdin. If PATH is "-", the policy is read from stdin. Otherwise, it is
-  loaded from the file at the given path on the local disk.
+	ui, cmd := testKVMetadataPutCommand(t)
+	cmd.client = client
 
-  Upload a policy named "my-policy" from "/tmp/policy.hcl" on the local disk:
+	// Set a limit of 1s first.
+	code := cmd.Run([]string{"-delete-version-after=1s", basePath + "secret/my-secret"})
+	if code != 0 {
+		t.Fatalf("expected %d but received %d", 0, code)
+	}
 
-      $ vault policy write my-policy /tmp/policy.hcl
+	metaFullPath := basePath + "metadata/secret/my-secret"
+	combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+	success := "Success! Data written to: " + metaFullPath
+	if !strings.Contains(combined, success) {
+		t.Fatalf("expected %q but received %q", success, combined)
+	}
 
-  Upload a policy from stdin:
+	secret, err := client.Logical().Read(metaFullPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if secret.Data["delete_version_after"] != "1s" {
+		t.Fatalf("expected 1s but received %q", secret.Data["delete_version_after"])
+	}
 
-      $ cat my-policy.hcl | vault policy write my-policy -
+	// Now verify that we can return it to 0s.
+	ui, cmd = testKVMetadataPutCommand(t)
+	cmd.client = client
 
-` + c.Flags().Help()
+	// Set a limit of 1s first.
+	code = cmd.Run([]string{"-delete-version-after=0", basePath + "secret/my-secret"})
+	if code != 0 {
+		t.Errorf("expected %d but received %d", 0, code)
+	}
 
-	return strings.TrimSpace(helpText)
-}
+	combined = ui.OutputWriter.String() + ui.ErrorWriter.String()
+	if !strings.Contains(combined, success) {
+		t.Errorf("expected %q but received %q", success, combined)
+	}
 
-func (c *PolicyWriteCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP)
+	secret, err = client.Logical().Read(metaFullPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if secret.Data["delete_version_after"] != "0s" {
+		t.Fatalf("expected 0s but received %q", secret.Data["delete_version_after"])
+	}
 }
 
-func (c *PolicyWriteCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictFunc(func(args complete.Args) []string {
-		// Predict the LAST argument hcl files - we don't want to predict the
-		// name argument as a filepath.
-		if len(args.All) == 3 {
-			return complete.PredictFiles("*.hcl").Predict(args)
-		}
-		return nil
-	})
-}
+func TestKvMetadataPutCommand_CustomMetadata(t *testing.T) {
+	client, closer := testVaultServer(t)
+	defer closer()
 
-func (c *PolicyWriteCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
+	basePath := t.Name() + "/"
+	secretPath := basePath + "secret/my-secret"
+
+	if err := client.Sys().Mount(basePath, &api.MountInput{
+		Type: "kv-v2",
+	}); err != nil {
+		t.Fatalf("kv-v2 mount error: %#v", err)
+	}
+
+	ui, cmd := testKVMetadataPutCommand(t)
+	cmd.client = client
+
+	exitStatus := cmd.Run([]string{"-custom-metadata=foo=abc", "-custom-metadata=bar=123", secretPath})
+
+	if exitStatus != 0 {
+		t.Fatalf("Expected 0 exit status but received %d", exitStatus)
+	}
+
+	metaFullPath := basePath + "metadata/secret/my-secret"
+	commandOutput := ui.OutputWriter.String() + ui.ErrorWriter.String()
+	expectedOutput := "Success! Data written to: " + metaFullPath
 
-func (c *PolicyWriteCommand) Run(args []string) int {
-	f := c.Flags()
+	if !strings.Contains(commandOutput, expectedOutput) {
+		t.Fatalf("Expected command output %q but received %q", expectedOutput, commandOutput)
+	}
+
+	metadata, err := client.Logical().Read(metaFullPath)
+	if err != nil {
+		t.Fatalf("Metadata read error: %#v", err)
+	}
 
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
+	// JSON output from read decoded into map[string]interface{}
+	expectedCustomMetadata := map[string]interface{}{
+		"foo": "abc",
+		"bar": "123",
 	}
 
-	args = f.Args()
-	switch {
-	case len(args) < 2:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 2, got %d)", len(args)))
-		return 1
-	case len(args) > 2:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 2, got %d)", len(args)))
-		return 1
+	if diff := deep.Equal(metadata.Data["custom_metadata"], expectedCustomMetadata); len(diff) > 0 {
+		t.Fatal(diff)
 	}
 
-	client, err := c.Client()
+	ui, cmd = testKVMetadataPutCommand(t)
+	cmd.client = client
+
+	// Overwrite entire custom metadata with a single key
+	exitStatus = cmd.Run([]string{"-custom-metadata=baz=abc123", secretPath})
+
+	if exitStatus != 0 {
+		t.Fatalf("Expected 0 exit status but received %d", exitStatus)
+	}
+
+	commandOutput = ui.OutputWriter.String() + ui.ErrorWriter.String()
+
+	if !strings.Contains(commandOutput, expectedOutput) {
+		t.Fatalf("Expected command output %q but received %q", expectedOutput, commandOutput)
+	}
+
+	metadata, err = client.Logical().Read(metaFullPath)
+
 	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
+		t.Fatalf("Metadata read error: %#v", err)
 	}
 
-	// Policies are normalized to lowercase
-	policyName := args[0]
-	formattedName := strings.TrimSpace(strings.ToLower(policyName))
-	path := strings.TrimSpace(args[1])
+	expectedCustomMetadata = map[string]interface{}{
+		"baz": "abc123",
+	}
 
-	// Get the policy contents, either from stdin of a file
-	var reader io.Reader
-	if path == "-" {
-		reader = os.Stdin
-		if c.testStdin != nil {
-			reader = c.testStdin
-		}
-	} else {
-		file, err := os.Open(path)
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error opening policy file: %s", err))
-			return 2
-		}
-		defer file.Close()
-		reader = file
+	if diff := deep.Equal(metadata.Data["custom_metadata"], expectedCustomMetadata); len(diff) > 0 {
+		t.Fatal(diff)
 	}
+}
+
+func TestKvMetadataPutCommand_UnprovidedFlags(t *testing.T) {
+	client, closer := testVaultServer(t)
+	defer closer()
+
+	basePath := t.Name() + "/"
+	secretPath := basePath + "my-secret"
+
+	if err := client.Sys().Mount(basePath, &api.MountInput{
+		Type: "kv-v2",
+	}); err != nil {
+		t.Fatalf("kv-v2 mount error: %#v", err)
+	}
+
+	_, cmd := testKVMetadataPutCommand(t)
+	cmd.client = client
 
-	// Read the policy
-	var buf bytes.Buffer
-	if _, err := io.Copy(&buf, reader); err != nil {
-		c.UI.Error(fmt.Sprintf("Error reading policy: %s", err))
-		return 2
+	args := []string{"-cas-required=true", "-max-versions=10", secretPath}
+	code, _ := kvMetadataPutWithRetry(t, client, args, nil)
+
+	if code != 0 {
+		t.Fatalf("expected 0 exit status but received %d", code)
+	}
+
+	args = []string{"-custom-metadata=foo=bar", secretPath}
+	code, _ = kvMetadataPutWithRetry(t, client, args, nil)
+
+	if code != 0 {
+		t.Fatalf("expected 0 exit status but received %d", code)
 	}
-	rules := buf.String()
 
-	if err := client.Sys().PutPolicy(formattedName, rules); err != nil {
-		c.UI.Error(fmt.Sprintf("Error uploading policy: %s", err))
-		return 2
+	secret, err := client.Logical().Read(basePath + "metadata/" + "my-secret")
+	if err != nil {
+		t.Fatal(err)
 	}
 
-	if policyName != formattedName {
-		c.UI.Warn(fmt.Sprintf("Policy name was converted from \"%s\" to \"%s\"", policyName, formattedName))
+	if secret.Data["cas_required"] != true {
+		t.Fatalf("expected cas_required to be true but received %#v", secret.Data["cas_required"])
 	}
 
-	c.UI.Output(fmt.Sprintf("Success! Uploaded policy: %s", formattedName))
-	return 0
+	if secret.Data["max_versions"] != json.Number("10") {
+		t.Fatalf("expected max_versions to be 10 but received %#v", secret.Data["max_versions"])
+	}
 }
diff --git a/command/policy_write_test.go b/command/policy_write_test.go
index 57ace717ddab..7eaf710ebecb 100644
--- a/command/policy_write_test.go
+++ b/command/policy_write_test.go
@@ -4,207 +4,406 @@
 package command
 
 import (
-	"bytes"
+	"context"
+	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
-	"reflect"
+	"path"
 	"strings"
-	"testing"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
 )
 
-func testPolicyWriteCommand(tb testing.TB) (*cli.MockUi, *PolicyWriteCommand) {
-	tb.Helper()
+var (
+	_ cli.Command             = (*KVPatchCommand)(nil)
+	_ cli.CommandAutocomplete = (*KVPatchCommand)(nil)
+)
 
-	ui := cli.NewMockUi()
-	return ui, &PolicyWriteCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
+type KVPatchCommand struct {
+	*BaseCommand
 
-func testPolicyWritePolicyContents(tb testing.TB) []byte {
-	return bytes.TrimSpace([]byte(`
-path "secret/" {
-  capabilities = ["read"]
+	flagCAS        int
+	flagMethod     string
+	flagMount      string
+	testStdin      io.Reader // for tests
+	flagRemoveData []string
 }
-	`))
+
+func (c *KVPatchCommand) Synopsis() string {
+	return "Sets or updates data in the KV store without overwriting"
 }
 
-func TestPolicyWriteCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"too_many_args",
-			[]string{"foo", "bar", "baz"},
-			"Too many arguments",
-			1,
-		},
-		{
-			"not_enough_args",
-			[]string{"foo"},
-			"Not enough arguments",
-			1,
-		},
-		{
-			"bad_file",
-			[]string{"my-policy", "/not/a/real/path.hcl"},
-			"Error opening policy file",
-			2,
-		},
-	}
+func (c *KVPatchCommand) Help() string {
+	helpText := `
+Usage: vault kv patch [options] KEY [DATA]
 
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
+  *NOTE*: This is only supported for KV v2 engine mounts.
 
-		for _, tc := range cases {
-			tc := tc
+  Writes the data to the corresponding path in the key-value store. The data can be of
+  any type.
 
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
+      $ vault kv patch -mount=secret foo bar=baz
 
-				client, closer := testVaultServer(t)
-				defer closer()
+  The deprecated path-like syntax can also be used, but this should be avoided, 
+  as the fact that it is not actually the full API path to 
+  the secret (secret/data/foo) can cause confusion: 
+  
+      $ vault kv patch secret/foo bar=baz
 
-				ui, cmd := testPolicyWriteCommand(t)
-				cmd.client = client
+  The data can also be consumed from a file on disk by prefixing with the "@"
+  symbol. For example:
 
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
+      $ vault kv patch -mount=secret foo @data.json
 
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
+  Or it can be read from stdin using the "-" symbol:
+
+      $ echo "abcd1234" | vault kv patch -mount=secret foo bar=-
+
+  To perform a Check-And-Set operation, specify the -cas flag with the
+  appropriate version number corresponding to the key you want to perform
+  the CAS operation on:
+
+      $ vault kv patch -mount=secret -cas=1 foo bar=baz
+
+  By default, this operation will attempt an HTTP PATCH operation. If your
+  policy does not allow that, it will fall back to a read/local update/write approach.
+  If you wish to specify which method this command should use, you may do so
+  with the -method flag. When -method=patch is specified, only an HTTP PATCH
+  operation will be tried. If it fails, the entire command will fail.
+
+      $ vault kv patch -mount=secret -method=patch foo bar=baz
+
+  When -method=rw is specified, only a read/local update/write approach will be tried.
+  This was the default behavior previous to Vault 1.9.
+
+      $ vault kv patch -mount=secret -method=rw foo bar=baz
+
+  To remove data from the corresponding path in the key-value store, kv patch can be used.
+
+      $ vault kv patch -mount=secret -remove-data=bar foo
+
+  Additional flags and more advanced use cases are detailed below.
+
+` + c.Flags().Help()
+	return strings.TrimSpace(helpText)
+}
+
+func (c *KVPatchCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
+
+	// Patch specific options
+	f := set.NewFlagSet("Common Options")
+
+	f.IntVar(&IntVar{
+		Name:    "cas",
+		Target:  &c.flagCAS,
+		Default: 0,
+		Usage: `Specifies to use a Check-And-Set operation. If set to 0 or not
+		set, the patch will be allowed. If the index is non-zero the patch will
+		only be allowed if the key’s current version matches the version
+		specified in the cas parameter.`,
 	})
 
-	t.Run("file", func(t *testing.T) {
-		t.Parallel()
+	f.StringVar(&StringVar{
+		Name:   "method",
+		Target: &c.flagMethod,
+		Usage: `Specifies which method of patching to use. If set to "patch", then
+		an HTTP PATCH request will be issued. If set to "rw", then a read will be
+		performed, then a local update, followed by a remote update.`,
+	})
 
-		policy := testPolicyWritePolicyContents(t)
-		f, err := ioutil.TempFile("", "vault-policy-write")
+	f.StringVar(&StringVar{
+		Name:    "mount",
+		Target:  &c.flagMount,
+		Default: "", // no default, because the handling of the next arg is determined by whether this flag has a value
+		Usage: `Specifies the path where the KV backend is mounted. If specified, 
+		the next argument will be interpreted as the secret path. If this flag is 
+		not specified, the next argument will be interpreted as the combined mount 
+		path and secret path, with /data/ automatically appended between KV 
+		v2 secrets.`,
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:    "remove-data",
+		Target:  &c.flagRemoveData,
+		Default: []string{},
+		Usage:   "Key to remove from data. To specify multiple values, specify this flag multiple times.",
+	})
+
+	return set
+}
+
+func (c *KVPatchCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultFiles()
+}
+
+func (c *KVPatchCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *KVPatchCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	// Pull our fake stdin if needed
+	stdin := (io.Reader)(os.Stdin)
+	if c.testStdin != nil {
+		stdin = c.testStdin
+	}
+
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected >1, got %d)", len(args)))
+		return 1
+	case len(c.flagRemoveData) == 0 && len(args) == 1:
+		c.UI.Error("Must supply data")
+		return 1
+	}
+
+	var err error
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	newData, err := parseArgsData(stdin, args[1:])
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Failed to parse K=V data: %s", err))
+		return 1
+	}
+
+	// If true, we're working with "-mount=secret foo" syntax.
+	// If false, we're using "secret/foo" syntax.
+	mountFlagSyntax := c.flagMount != ""
+
+	var (
+		mountPath   string
+		partialPath string
+		v2          bool
+	)
+
+	// Parse the paths and grab the KV version
+	if mountFlagSyntax {
+		// In this case, this arg is the secret path (e.g. "foo").
+		partialPath = sanitizePath(args[0])
+		mountPath, v2, err = isKVv2(sanitizePath(c.flagMount), client)
 		if err != nil {
-			t.Fatal(err)
+			c.UI.Error(err.Error())
+			return 2
 		}
-		if _, err := f.Write(policy); err != nil {
-			t.Fatal(err)
+
+		if v2 {
+			partialPath = path.Join(mountPath, partialPath)
 		}
-		if err := f.Close(); err != nil {
-			t.Fatal(err)
+	} else {
+		// In this case, this arg is a path-like combination of mountPath/secretPath.
+		// (e.g. "secret/foo")
+		partialPath = sanitizePath(args[0])
+		mountPath, v2, err = isKVv2(partialPath, client)
+		if err != nil {
+			c.UI.Error(err.Error())
+			return 2
 		}
-		defer os.Remove(f.Name())
+	}
 
-		client, closer := testVaultServer(t)
-		defer closer()
+	if !v2 {
+		c.UI.Error("K/V engine mount must be version 2 for patch support")
+		return 2
+	}
 
-		ui, cmd := testPolicyWriteCommand(t)
-		cmd.client = client
+	fullPath := addPrefixToKVPath(partialPath, mountPath, "data", false)
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
 
-		code := cmd.Run([]string{
-			"my-policy", f.Name(),
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
+	// collecting data to be removed
+	if newData == nil {
+		newData = make(map[string]interface{})
+	}
 
-		expected := "Success! Uploaded policy: my-policy"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
+	for _, key := range c.flagRemoveData {
+		// A null in a JSON merge patch payload will remove the associated key
+		newData[key] = nil
+	}
 
-		policies, err := client.Sys().ListPolicies()
-		if err != nil {
-			t.Fatal(err)
-		}
+	// Check the method and behave accordingly
+	var secret *api.Secret
+	var code int
+
+	switch c.flagMethod {
+	case "rw":
+		secret, code = c.readThenWrite(client, fullPath, newData)
+	case "patch":
+		secret, code = c.mergePatch(client, fullPath, newData, false)
+	case "":
+		secret, code = c.mergePatch(client, fullPath, newData, true)
+	default:
+		c.UI.Error(fmt.Sprintf("Unsupported method provided to -method flag: %s", c.flagMethod))
+		return 2
+	}
 
-		list := []string{"default", "my-policy", "root"}
-		if !reflect.DeepEqual(policies, list) {
-			t.Errorf("expected %q to be %q", policies, list)
-		}
-	})
+	if code != 0 {
+		return code
+	}
+	if secret == nil {
+		// Don't output anything if there's no secret
+		return 0
+	}
 
-	t.Run("stdin", func(t *testing.T) {
-		t.Parallel()
+	if c.flagField != "" {
+		return PrintRawField(c.UI, secret, c.flagField)
+	}
 
-		stdinR, stdinW := io.Pipe()
-		go func() {
-			policy := testPolicyWritePolicyContents(t)
-			stdinW.Write(policy)
-			stdinW.Close()
-		}()
+	// If the secret is wrapped, return the wrapped response.
+	if secret.WrapInfo != nil && secret.WrapInfo.TTL != 0 {
+		return OutputSecret(c.UI, secret)
+	}
 
-		client, closer := testVaultServer(t)
-		defer closer()
+	if Format(c.UI) == "table" {
+		outputPath(c.UI, fullPath, "Secret Path")
+		metadata := secret.Data
+		c.UI.Info(getHeaderForMap("Metadata", metadata))
+		return OutputData(c.UI, metadata)
+	}
 
-		ui, cmd := testPolicyWriteCommand(t)
-		cmd.client = client
-		cmd.testStdin = stdinR
+	return OutputSecret(c.UI, secret)
+}
 
-		code := cmd.Run([]string{
-			"my-policy", "-",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
+func (c *KVPatchCommand) readThenWrite(client *api.Client, path string, newData map[string]interface{}) (*api.Secret, int) {
+	// First, do a read.
+	// Note that we don't want to see curl output for the read request.
+	curOutputCurl := client.OutputCurlString()
+	client.SetOutputCurlString(false)
+	outputPolicy := client.OutputPolicy()
+	client.SetOutputPolicy(false)
+	secret, err := kvReadRequest(client, path, nil)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error doing pre-read at %s: %s", path, err))
+		return nil, 2
+	}
+	client.SetOutputCurlString(curOutputCurl)
+	client.SetOutputPolicy(outputPolicy)
 
-		expected := "Success! Uploaded policy: my-policy"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
+	// Make sure a value already exists
+	if secret == nil || secret.Data == nil {
+		c.UI.Error(fmt.Sprintf("No value found at %s", path))
+		return nil, 2
+	}
 
-		policies, err := client.Sys().ListPolicies()
-		if err != nil {
-			t.Fatal(err)
-		}
+	// Verify metadata found
+	rawMeta, ok := secret.Data["metadata"]
+	if !ok || rawMeta == nil {
+		c.UI.Error(fmt.Sprintf("No metadata found at %s; patch only works on existing data", path))
+		return nil, 2
+	}
+	meta, ok := rawMeta.(map[string]interface{})
+	if !ok {
+		c.UI.Error(fmt.Sprintf("Metadata found at %s is not the expected type (JSON object)", path))
+		return nil, 2
+	}
+	if meta == nil {
+		c.UI.Error(fmt.Sprintf("No metadata found at %s; patch only works on existing data", path))
+		return nil, 2
+	}
 
-		list := []string{"default", "my-policy", "root"}
-		if !reflect.DeepEqual(policies, list) {
-			t.Errorf("expected %q to be %q", policies, list)
-		}
+	// Verify old data found
+	rawData, ok := secret.Data["data"]
+	if !ok || rawData == nil {
+		c.UI.Error(fmt.Sprintf("No data found at %s; patch only works on existing data", path))
+		return nil, 2
+	}
+	data, ok := rawData.(map[string]interface{})
+	if !ok {
+		c.UI.Error(fmt.Sprintf("Data found at %s is not the expected type (JSON object)", path))
+		return nil, 2
+	}
+	if data == nil {
+		c.UI.Error(fmt.Sprintf("No data found at %s; patch only works on existing data", path))
+		return nil, 2
+	}
+
+	// Copy new data over
+	for k, v := range newData {
+		data[k] = v
+	}
+
+	secret, err = client.Logical().Write(path, map[string]interface{}{
+		"data": data,
+		"options": map[string]interface{}{
+			"cas": meta["version"],
+		},
 	})
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error writing data to %s: %s", path, err))
+		return nil, 2
+	}
 
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
+	if secret == nil {
+		// Don't output anything unless using the "table" format
+		if Format(c.UI) == "table" {
+			c.UI.Info(fmt.Sprintf("Success! Data written to: %s", path))
+		}
+		return nil, 0
+	}
 
-		client, closer := testVaultServerBad(t)
-		defer closer()
+	if c.flagField != "" {
+		return nil, PrintRawField(c.UI, secret, c.flagField)
+	}
 
-		ui, cmd := testPolicyWriteCommand(t)
-		cmd.client = client
+	return secret, 0
+}
+
+func (c *KVPatchCommand) mergePatch(client *api.Client, path string, newData map[string]interface{}, rwFallback bool) (*api.Secret, int) {
+	data := map[string]interface{}{
+		"data":    newData,
+		"options": map[string]interface{}{},
+	}
 
-		code := cmd.Run([]string{
-			"my-policy", "-",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
+	if c.flagCAS > 0 {
+		data["options"].(map[string]interface{})["cas"] = c.flagCAS
+	}
+
+	secret, err := client.Logical().JSONMergePatch(context.Background(), path, data)
+	if err != nil {
+		// If it's a 405, that probably means the server is running a pre-1.9
+		// Vault version that doesn't support the HTTP PATCH method.
+		// Fall back to the old way of doing it if the user didn't specify a -method.
+		// If they did, and it was "patch", then just error.
+		if re, ok := err.(*api.ResponseError); ok && re.StatusCode == 405 && rwFallback {
+			return c.readThenWrite(client, path, newData)
+		}
+		// If it's a 403, that probably means they don't have the patch capability in their policy. Fall back to
+		// the old way of doing it if the user didn't specify a -method. If they did, and it was "patch", then just error.
+		if re, ok := err.(*api.ResponseError); ok && re.StatusCode == 403 && rwFallback {
+			c.UI.Warn(fmt.Sprintf("Data was written to %s but we recommend that you add the \"patch\" capability to your ACL policy in order to use HTTP PATCH in the future.", path))
+			return c.readThenWrite(client, path, newData)
 		}
 
-		expected := "Error uploading policy: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
+		c.UI.Error(fmt.Sprintf("Error writing data to %s: %s", path, err))
+		return nil, 2
+	}
+
+	if secret == nil {
+		// Don't output anything unless using the "table" format
+		if Format(c.UI) == "table" {
+			c.UI.Info(fmt.Sprintf("Success! Data written to: %s", path))
 		}
-	})
+		return nil, 0
+	}
 
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
+	if c.flagField != "" {
+		return nil, PrintRawField(c.UI, secret, c.flagField)
+	}
 
-		_, cmd := testPolicyWriteCommand(t)
-		assertNoTabs(t, cmd)
-	})
+	return secret, 0
 }
diff --git a/command/print.go b/command/print.go
index 72e653855c4e..b51705791f51 100644
--- a/command/print.go
+++ b/command/print.go
@@ -4,45 +4,232 @@
 package command
 
 import (
+	"fmt"
+	"io"
+	"os"
+	"path"
 	"strings"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
 	"github.com/posener/complete"
 )
 
 var (
-	_ cli.Command             = (*PrintCommand)(nil)
-	_ cli.CommandAutocomplete = (*PrintCommand)(nil)
+	_ cli.Command             = (*KVPutCommand)(nil)
+	_ cli.CommandAutocomplete = (*KVPutCommand)(nil)
 )
 
-type PrintCommand struct {
+type KVPutCommand struct {
 	*BaseCommand
+
+	flagCAS   int
+	flagMount string
+	testStdin io.Reader // for tests
 }
 
-func (c *PrintCommand) Synopsis() string {
-	return "Prints runtime configurations"
+func (c *KVPutCommand) Synopsis() string {
+	return "Sets or updates data in the KV store"
 }
 
-func (c *PrintCommand) Help() string {
+func (c *KVPutCommand) Help() string {
 	helpText := `
-Usage: vault print <subcommand>
+Usage: vault kv put [options] KEY [DATA]
+
+  Writes the data to the given path in the key-value store. The data can be of
+  any type.
+
+      $ vault kv put -mount=secret foo bar=baz
+
+  The deprecated path-like syntax can also be used, but this should be avoided 
+  for KV v2, as the fact that it is not actually the full API path to 
+  the secret (secret/data/foo) can cause confusion: 
+  
+      $ vault kv put secret/foo bar=baz
+
+  The data can also be consumed from a file on disk by prefixing with the "@"
+  symbol. For example:
+
+      $ vault kv put -mount=secret foo @data.json
+
+  Or it can be read from stdin using the "-" symbol:
+
+      $ echo "abcd1234" | vault kv put -mount=secret foo bar=-
+
+  To perform a Check-And-Set operation, specify the -cas flag with the
+  appropriate version number corresponding to the key you want to perform
+  the CAS operation on:
 
-	This command groups subcommands for interacting with Vault's runtime values.
+      $ vault kv put -mount=secret -cas=1 foo bar=baz
 
-Subcommands:
-	token    Token currently in use
-`
+  Additional flags and more advanced use cases are detailed below.
+
+` + c.Flags().Help()
 	return strings.TrimSpace(helpText)
 }
 
-func (c *PrintCommand) AutocompleteArgs() complete.Predictor {
-	return nil
+func (c *KVPutCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
+
+	// Common Options
+	f := set.NewFlagSet("Common Options")
+
+	f.IntVar(&IntVar{
+		Name:    "cas",
+		Target:  &c.flagCAS,
+		Default: -1,
+		Usage: `Specifies to use a Check-And-Set operation. If not set the write
+		will be allowed. If set to 0 a write will only be allowed if the key
+		doesn’t exist. If the index is non-zero the write will only be allowed
+		if the key’s current version matches the version specified in the cas
+		parameter.`,
+	})
+
+	f.StringVar(&StringVar{
+		Name:    "mount",
+		Target:  &c.flagMount,
+		Default: "", // no default, because the handling of the next arg is determined by whether this flag has a value
+		Usage: `Specifies the path where the KV backend is mounted. If specified, 
+		the next argument will be interpreted as the secret path. If this flag is 
+		not specified, the next argument will be interpreted as the combined mount 
+		path and secret path, with /data/ automatically appended between KV 
+		v2 secrets.`,
+	})
+
+	return set
+}
+
+func (c *KVPutCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultFolders()
 }
 
-func (c *PrintCommand) AutocompleteFlags() complete.Flags {
-	return nil
+func (c *KVPutCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
 }
 
-func (c *PrintCommand) Run(args []string) int {
-	return cli.RunResultHelp
+func (c *KVPutCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	// Pull our fake stdin if needed
+	stdin := (io.Reader)(os.Stdin)
+	if c.testStdin != nil {
+		stdin = c.testStdin
+	}
+
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected >1, got %d)", len(args)))
+		return 1
+	case len(args) == 1:
+		c.UI.Error("Must supply data")
+		return 1
+	}
+
+	var err error
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	data, err := parseArgsData(stdin, args[1:])
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Failed to parse K=V data: %s", err))
+		return 1
+	}
+
+	// If true, we're working with "-mount=secret foo" syntax.
+	// If false, we're using "secret/foo" syntax.
+	mountFlagSyntax := c.flagMount != ""
+
+	var (
+		mountPath   string
+		partialPath string
+		v2          bool
+	)
+
+	// Parse the paths and grab the KV version
+	if mountFlagSyntax {
+		// In this case, this arg is the secret path (e.g. "foo").
+		partialPath = sanitizePath(args[0])
+		mountPath, v2, err = isKVv2(sanitizePath(c.flagMount), client)
+		if err != nil {
+			c.UI.Error(err.Error())
+			return 2
+		}
+
+		if v2 {
+			partialPath = path.Join(mountPath, partialPath)
+		}
+	} else {
+		// In this case, this arg is a path-like combination of mountPath/secretPath.
+		// (e.g. "secret/foo")
+		partialPath = sanitizePath(args[0])
+		mountPath, v2, err = isKVv2(partialPath, client)
+		if err != nil {
+			c.UI.Error(err.Error())
+			return 2
+		}
+	}
+
+	// Add /data to v2 paths only
+	var fullPath string
+	if v2 {
+		fullPath = addPrefixToKVPath(partialPath, mountPath, "data", false)
+		data = map[string]interface{}{
+			"data":    data,
+			"options": map[string]interface{}{},
+		}
+
+		if c.flagCAS > -1 {
+			data["options"].(map[string]interface{})["cas"] = c.flagCAS
+		}
+	} else {
+		// v1
+		if mountFlagSyntax {
+			fullPath = path.Join(mountPath, partialPath)
+		} else {
+			fullPath = partialPath
+		}
+	}
+
+	secret, err := client.Logical().Write(fullPath, data)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error writing data to %s: %s", fullPath, err))
+		if secret != nil {
+			OutputSecret(c.UI, secret)
+		}
+		return 2
+	}
+	if secret == nil {
+		// Don't output anything unless using the "table" format
+		if Format(c.UI) == "table" {
+			c.UI.Info(fmt.Sprintf("Success! Data written to: %s", fullPath))
+		}
+		return 0
+	}
+
+	if c.flagField != "" {
+		return PrintRawField(c.UI, secret, c.flagField)
+	}
+
+	// If the secret is wrapped, return the wrapped response.
+	if secret.WrapInfo != nil && secret.WrapInfo.TTL != 0 {
+		return OutputSecret(c.UI, secret)
+	}
+
+	if Format(c.UI) == "table" {
+		outputPath(c.UI, fullPath, "Secret Path")
+		metadata := secret.Data
+		c.UI.Info(getHeaderForMap("Metadata", metadata))
+		return OutputData(c.UI, metadata)
+	}
+
+	return OutputSecret(c.UI, secret)
 }
diff --git a/command/print_token.go b/command/print_token.go
index 904a41f240a2..a0544b69d79a 100644
--- a/command/print_token.go
+++ b/command/print_token.go
@@ -4,53 +4,291 @@
 package command
 
 import (
+	"flag"
+	"fmt"
+	"path"
 	"strings"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
 	"github.com/posener/complete"
 )
 
 var (
-	_ cli.Command             = (*PrintTokenCommand)(nil)
-	_ cli.CommandAutocomplete = (*PrintTokenCommand)(nil)
+	_ cli.Command             = (*KVRollbackCommand)(nil)
+	_ cli.CommandAutocomplete = (*KVRollbackCommand)(nil)
 )
 
-type PrintTokenCommand struct {
+type KVRollbackCommand struct {
 	*BaseCommand
+
+	flagVersion int
+	flagMount   string
 }
 
-func (c *PrintTokenCommand) Synopsis() string {
-	return "Prints the vault token currently in use"
+func (c *KVRollbackCommand) Synopsis() string {
+	return "Rolls back to a previous version of data"
 }
 
-func (c *PrintTokenCommand) Help() string {
+func (c *KVRollbackCommand) Help() string {
 	helpText := `
-Usage: vault print token
+Usage: vault kv rollback [options] KEY
+
+  *NOTE*: This is only supported for KV v2 engine mounts.
+
+  Restores a given previous version to the current version at the given path.
+  The value is written as a new version; for instance, if the current version
+  is 5 and the rollback version is 2, the data from version 2 will become
+  version 6.
+
+      $ vault kv rollback -mount=secret -version=2 foo
 
-  Prints the value of the Vault token that will be used for commands, after
-  taking into account the configured token-helper and the environment.
+  The deprecated path-like syntax can also be used, but this should be avoided, 
+  as the fact that it is not actually the full API path to 
+  the secret (secret/data/foo) can cause confusion: 
+  
+      $ vault kv rollback -version=2 secret/foo
 
-      $ vault print token
+  Additional flags and more advanced use cases are detailed below.
 
-`
+` + c.Flags().Help()
 	return strings.TrimSpace(helpText)
 }
 
-func (c *PrintTokenCommand) AutocompleteArgs() complete.Predictor {
-	return nil
+func (c *KVRollbackCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+
+	// Common Options
+	f := set.NewFlagSet("Common Options")
+
+	f.IntVar(&IntVar{
+		Name:   "version",
+		Target: &c.flagVersion,
+		Usage:  `Specifies the version number that should be made current again.`,
+	})
+
+	f.StringVar(&StringVar{
+		Name:    "mount",
+		Target:  &c.flagMount,
+		Default: "", // no default, because the handling of the next arg is determined by whether this flag has a value
+		Usage: `Specifies the path where the KV backend is mounted. If specified, 
+		the next argument will be interpreted as the secret path. If this flag is 
+		not specified, the next argument will be interpreted as the combined mount 
+		path and secret path, with /data/ automatically appended between KV 
+		v2 secrets.`,
+	})
+
+	return set
 }
 
-func (c *PrintTokenCommand) AutocompleteFlags() complete.Flags {
+func (c *KVRollbackCommand) AutocompleteArgs() complete.Predictor {
 	return nil
 }
 
-func (c *PrintTokenCommand) Run(args []string) int {
+func (c *KVRollbackCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *KVRollbackCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	var version *int
+	f.Visit(func(fl *flag.Flag) {
+		if fl.Name == "version" {
+			version = &c.flagVersion
+		}
+	})
+
+	args = f.Args()
+
+	switch {
+	case len(args) != 1:
+		c.UI.Error(fmt.Sprintf("Invalid number of arguments (expected 1, got %d)", len(args)))
+		return 1
+	case version == nil:
+		c.UI.Error("Version flag must be specified")
+		return 1
+	case c.flagVersion <= 0:
+		c.UI.Error(fmt.Sprintf("Invalid value %d for the version flag", c.flagVersion))
+		return 1
+	}
+
+	var err error
+
 	client, err := c.Client()
 	if err != nil {
 		c.UI.Error(err.Error())
 		return 2
 	}
 
-	c.UI.Output(client.Token())
-	return 0
+	// If true, we're working with "-mount=secret foo" syntax.
+	// If false, we're using "secret/foo" syntax.
+	mountFlagSyntax := c.flagMount != ""
+
+	var (
+		mountPath   string
+		partialPath string
+		v2          bool
+	)
+
+	// Parse the paths and grab the KV version
+	if mountFlagSyntax {
+		// In this case, this arg is the secret path (e.g. "foo").
+		partialPath = sanitizePath(args[0])
+		mountPath, v2, err = isKVv2(sanitizePath(c.flagMount), client)
+		if err != nil {
+			c.UI.Error(err.Error())
+			return 2
+		}
+
+		if v2 {
+			partialPath = path.Join(mountPath, partialPath)
+		}
+	} else {
+		// In this case, this arg is a path-like combination of mountPath/secretPath.
+		// (e.g. "secret/foo")
+		partialPath = sanitizePath(args[0])
+		mountPath, v2, err = isKVv2(partialPath, client)
+		if err != nil {
+			c.UI.Error(err.Error())
+			return 2
+		}
+	}
+
+	if !v2 {
+		c.UI.Error("K/V engine mount must be version 2 for rollback support")
+		return 2
+	}
+
+	fullPath := addPrefixToKVPath(partialPath, mountPath, "data", false)
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	// First, do a read to get the current version for check-and-set
+	var meta map[string]interface{}
+	{
+		secret, err := kvReadRequest(client, fullPath, nil)
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error doing pre-read at %s: %s", fullPath, err))
+			return 2
+		}
+
+		// Make sure a value already exists
+		if secret == nil || secret.Data == nil {
+			c.UI.Error(fmt.Sprintf("No value found at %s", fullPath))
+			return 2
+		}
+
+		// Verify metadata found
+		rawMeta, ok := secret.Data["metadata"]
+		if !ok || rawMeta == nil {
+			c.UI.Error(fmt.Sprintf("No metadata found at %s; rollback only works on existing data", fullPath))
+			return 2
+		}
+		meta, ok = rawMeta.(map[string]interface{})
+		if !ok {
+			c.UI.Error(fmt.Sprintf("Metadata found at %s is not the expected type (JSON object)", fullPath))
+			return 2
+		}
+		if meta == nil {
+			c.UI.Error(fmt.Sprintf("No metadata found at %s; rollback only works on existing data", fullPath))
+			return 2
+		}
+	}
+
+	casVersion := meta["version"]
+
+	// Set the version parameter
+	versionParam := map[string]string{
+		"version": fmt.Sprintf("%d", c.flagVersion),
+	}
+
+	// Now run it again and read the version we want to roll back to
+	var data map[string]interface{}
+	{
+		secret, err := kvReadRequest(client, fullPath, versionParam)
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error doing pre-read at %s: %s", fullPath, err))
+			return 2
+		}
+
+		// Make sure a value already exists
+		if secret == nil || secret.Data == nil {
+			c.UI.Error(fmt.Sprintf("No value found at %s", fullPath))
+			return 2
+		}
+
+		// Verify metadata found
+		rawMeta, ok := secret.Data["metadata"]
+		if !ok || rawMeta == nil {
+			c.UI.Error(fmt.Sprintf("No metadata found at %s; rollback only works on existing data", fullPath))
+			return 2
+		}
+		meta, ok := rawMeta.(map[string]interface{})
+		if !ok {
+			c.UI.Error(fmt.Sprintf("Metadata found at %s is not the expected type (JSON object)", fullPath))
+			return 2
+		}
+		if meta == nil {
+			c.UI.Error(fmt.Sprintf("No metadata found at %s; rollback only works on existing data", fullPath))
+			return 2
+		}
+
+		// Verify it hasn't been deleted
+		if meta["deletion_time"] != nil && meta["deletion_time"].(string) != "" {
+			c.UI.Error("Cannot roll back to a version that has been deleted")
+			return 2
+		}
+
+		if meta["destroyed"] != nil && meta["destroyed"].(bool) {
+			c.UI.Error("Cannot roll back to a version that has been destroyed")
+			return 2
+		}
+
+		// Verify old data found
+		rawData, ok := secret.Data["data"]
+		if !ok || rawData == nil {
+			c.UI.Error(fmt.Sprintf("No data found at %s; rollback only works on existing data", fullPath))
+			return 2
+		}
+		data, ok = rawData.(map[string]interface{})
+		if !ok {
+			c.UI.Error(fmt.Sprintf("Data found at %s is not the expected type (JSON object)", fullPath))
+			return 2
+		}
+		if data == nil {
+			c.UI.Error(fmt.Sprintf("No data found at %s; rollback only works on existing data", fullPath))
+			return 2
+		}
+	}
+
+	secret, err := client.Logical().Write(fullPath, map[string]interface{}{
+		"data": data,
+		"options": map[string]interface{}{
+			"cas": casVersion,
+		},
+	})
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error writing data to %s: %s", fullPath, err))
+		return 2
+	}
+	if secret == nil {
+		// Don't output anything unless using the "table" format
+		if Format(c.UI) == "table" {
+			c.UI.Info(fmt.Sprintf("Success! Data written to: %s", fullPath))
+		}
+		return 0
+	}
+
+	if c.flagField != "" {
+		return PrintRawField(c.UI, secret, c.flagField)
+	}
+
+	return OutputSecret(c.UI, secret)
 }
diff --git a/command/proxy.go b/command/proxy.go
index 55dc555fb290..c5ca555be6be 100644
--- a/command/proxy.go
+++ b/command/proxy.go
@@ -5,1169 +5,1692 @@ package command
 
 import (
 	"context"
-	"crypto/tls"
-	"flag"
 	"fmt"
 	"io"
-	"net"
-	"net/http"
-	"os"
-	"sort"
 	"strings"
-	"sync"
+	"testing"
 	"time"
 
-	systemd "github.com/coreos/go-systemd/daemon"
-	ctconfig "github.com/hashicorp/consul-template/config"
-	log "github.com/hashicorp/go-hclog"
-	"github.com/hashicorp/go-multierror"
-	"github.com/hashicorp/go-secure-stdlib/gatedwriter"
-	"github.com/hashicorp/go-secure-stdlib/parseutil"
-	"github.com/hashicorp/go-secure-stdlib/reloadutil"
+	"github.com/hashicorp/cli"
 	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/command/agentproxyshared"
-	"github.com/hashicorp/vault/command/agentproxyshared/auth"
-	cache "github.com/hashicorp/vault/command/agentproxyshared/cache"
-	"github.com/hashicorp/vault/command/agentproxyshared/sink"
-	"github.com/hashicorp/vault/command/agentproxyshared/sink/file"
-	"github.com/hashicorp/vault/command/agentproxyshared/sink/inmem"
-	"github.com/hashicorp/vault/command/agentproxyshared/winsvc"
-	proxyConfig "github.com/hashicorp/vault/command/proxy/config"
-	"github.com/hashicorp/vault/helper/logging"
-	"github.com/hashicorp/vault/helper/metricsutil"
-	"github.com/hashicorp/vault/helper/useragent"
-	"github.com/hashicorp/vault/internalshared/configutil"
-	"github.com/hashicorp/vault/internalshared/listenerutil"
-	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/hashicorp/vault/sdk/logical"
-	"github.com/hashicorp/vault/version"
-	"github.com/kr/pretty"
-	"github.com/mitchellh/cli"
-	"github.com/oklog/run"
-	"github.com/posener/complete"
-	"golang.org/x/text/cases"
-	"golang.org/x/text/language"
-	"google.golang.org/grpc/test/bufconn"
 )
 
-var (
-	_ cli.Command             = (*ProxyCommand)(nil)
-	_ cli.CommandAutocomplete = (*ProxyCommand)(nil)
-)
-
-const (
-	// flagNameProxyExitAfterAuth is used as a Proxy specific flag to indicate
-	// that proxy should exit after a single successful auth
-	flagNameProxyExitAfterAuth = "exit-after-auth"
-)
+func testKVPutCommand(tb testing.TB) (*cli.MockUi, *KVPutCommand) {
+	tb.Helper()
 
-type ProxyCommand struct {
-	*BaseCommand
-	logFlags logFlags
+	ui := cli.NewMockUi()
+	return ui, &KVPutCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
 
-	config *proxyConfig.Config
+func retryKVCommand(t *testing.T, cmdFunc func() (int, string)) (int, string) {
+	t.Helper()
 
-	ShutdownCh chan struct{}
-	SighupCh   chan struct{}
+	var code int
+	var combined string
 
-	tlsReloadFuncsLock sync.RWMutex
-	tlsReloadFuncs     []reloadutil.ReloadFunc
+	// Loop until return message does not indicate upgrade, or timeout.
+	timeout := time.After(20 * time.Second)
+	ticker := time.Tick(time.Second)
 
-	logWriter io.Writer
-	logGate   *gatedwriter.Writer
-	logger    log.Logger
+	for {
+		select {
+		case <-timeout:
+			t.Errorf("timeout expired waiting for upgrade: %q", combined)
+			return code, combined
+		case <-ticker:
+			code, combined = cmdFunc()
 
-	// Telemetry object
-	metricsHelper *metricsutil.MetricsHelper
+			// This is an error if a v1 mount, but test case doesn't
+			// currently contain the information to know the difference.
+			if !strings.Contains(combined, "Upgrading from non-versioned to versioned") {
+				return code, combined
+			}
+		}
+	}
+}
 
-	cleanupGuard sync.Once
+func kvPutWithRetry(t *testing.T, client *api.Client, args []string) (int, string) {
+	t.Helper()
 
-	startedCh  chan struct{} // for tests
-	reloadedCh chan struct{} // for tests
+	return retryKVCommand(t, func() (int, string) {
+		ui, cmd := testKVPutCommand(t)
+		cmd.client = client
 
-	flagConfigs        []string
-	flagExitAfterAuth  bool
-	flagTestVerifyOnly bool
-}
+		code := cmd.Run(args)
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
 
-func (c *ProxyCommand) Synopsis() string {
-	return "Start a Vault Proxy"
+		return code, combined
+	})
 }
 
-func (c *ProxyCommand) Help() string {
-	helpText := `
-Usage: vault proxy [options]
-
-  This command starts a Vault Proxy that can perform automatic authentication
-  in certain environments.
+func kvPatchWithRetry(t *testing.T, client *api.Client, args []string, stdin *io.PipeReader) (int, string) {
+	t.Helper()
 
-  Start a proxy with a configuration file:
+	return retryKVCommand(t, func() (int, string) {
+		ui, cmd := testKVPatchCommand(t)
+		cmd.client = client
 
-      $ vault proxy -config=/etc/vault/config.hcl
+		if stdin != nil {
+			cmd.testStdin = stdin
+		}
 
-  For a full list of examples, please see the documentation.
+		code := cmd.Run(args)
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
 
-` + c.Flags().Help()
-	return strings.TrimSpace(helpText)
+		return code, combined
+	})
 }
 
-func (c *ProxyCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP)
+func TestKVPutCommand(t *testing.T) {
+	t.Parallel()
+
+	v2ExpectedFields := []string{"created_time", "custom_metadata", "deletion_time", "deletion_time", "version"}
+
+	cases := []struct {
+		name       string
+		args       []string
+		outStrings []string
+		code       int
+	}{
+		{
+			"not_enough_args",
+			[]string{},
+			[]string{"Not enough arguments"},
+			1,
+		},
+		{
+			"empty_kvs",
+			[]string{"secret/write/foo"},
+			[]string{"Must supply data"},
+			1,
+		},
+		{
+			"kvs_no_value",
+			[]string{"secret/write/foo", "foo"},
+			[]string{"Failed to parse K=V data"},
+			1,
+		},
+		{
+			"single_value",
+			[]string{"secret/write/foo", "foo=bar"},
+			[]string{"Success!"},
+			0,
+		},
+		{
+			"multi_value",
+			[]string{"secret/write/foo", "foo=bar", "zip=zap"},
+			[]string{"Success!"},
+			0,
+		},
+		{
+			"v1_mount_flag_syntax",
+			[]string{"-mount", "secret", "write/foo", "foo=bar"},
+			[]string{"Success!"},
+			0,
+		},
+		{
+			"v1_mount_flag_syntax_key_same_as_mount",
+			[]string{"-mount", "secret", "secret", "foo=bar"},
+			[]string{"Success!"},
+			0,
+		},
+		{
+			"v2_single_value",
+			[]string{"kv/write/foo", "foo=bar"},
+			v2ExpectedFields,
+			0,
+		},
+		{
+			"v2_multi_value",
+			[]string{"kv/write/foo", "foo=bar", "zip=zap"},
+			v2ExpectedFields,
+			0,
+		},
+		{
+			"v2_secret_path",
+			[]string{"kv/write/foo", "foo=bar"},
+			[]string{"== Secret Path ==", "kv/data/write/foo"},
+			0,
+		},
+		{
+			"v2_mount_flag_syntax",
+			[]string{"-mount", "kv", "write/foo", "foo=bar"},
+			v2ExpectedFields,
+			0,
+		},
+		{
+			"v2_mount_flag_syntax_key_same_as_mount",
+			[]string{"-mount", "kv", "kv", "foo=bar"},
+			v2ExpectedFields,
+			0,
+		},
+		{
+			"v2_single_value_backslash",
+			[]string{"kv/write/foo", "foo=\\"},
+			[]string{"== Secret Path ==", "kv/data/write/foo"},
+			0,
+		},
+	}
 
-	f := set.NewFlagSet("Command Options")
+	for _, tc := range cases {
+		tc := tc
 
-	// Augment with the log flags
-	f.addLogFlags(&c.logFlags)
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
 
-	f.StringSliceVar(&StringSliceVar{
-		Name:   "config",
-		Target: &c.flagConfigs,
-		Completion: complete.PredictOr(
-			complete.PredictFiles("*.hcl"),
-			complete.PredictFiles("*.json"),
-		),
-		Usage: "Path to a configuration file. This configuration file should " +
-			"contain only proxy directives.",
-	})
+			client, closer := testVaultServer(t)
+			defer closer()
 
-	f.BoolVar(&BoolVar{
-		Name:    flagNameProxyExitAfterAuth,
-		Target:  &c.flagExitAfterAuth,
-		Default: false,
-		Usage: "If set to true, the proxy will exit with code 0 after a single " +
-			"successful auth, where success means that a token was retrieved and " +
-			"all sinks successfully wrote it",
-	})
+			if err := client.Sys().Mount("kv/", &api.MountInput{
+				Type: "kv-v2",
+			}); err != nil {
+				t.Fatal(err)
+			}
 
-	// Internal-only flags to follow.
-	//
-	// Why hello there little source code reader! Welcome to the Vault source
-	// code. The remaining options are intentionally undocumented and come with
-	// no warranty or backwards-compatibility promise. Do not use these flags
-	// in production. Do not build automation using these flags. Unless you are
-	// developing against Vault, you should not need any of these flags.
-	f.BoolVar(&BoolVar{
-		Name:    "test-verify-only",
-		Target:  &c.flagTestVerifyOnly,
-		Default: false,
-		Hidden:  true,
-	})
+			code, combined := kvPutWithRetry(t, client, tc.args)
+			if code != tc.code {
+				t.Errorf("expected %d to be %d", code, tc.code)
+			}
 
-	// End internal-only flags.
+			for _, str := range tc.outStrings {
+				if !strings.Contains(combined, str) {
+					t.Errorf("expected %q to contain %q", combined, str)
+				}
+			}
+		})
+	}
 
-	return set
-}
+	t.Run("v2_cas", func(t *testing.T) {
+		t.Parallel()
 
-func (c *ProxyCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictNothing
-}
+		client, closer := testVaultServer(t)
+		defer closer()
 
-func (c *ProxyCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
+		if err := client.Sys().Mount("kv/", &api.MountInput{
+			Type: "kv-v2",
+		}); err != nil {
+			t.Fatal(err)
+		}
 
-func (c *ProxyCommand) Run(args []string) int {
-	f := c.Flags()
+		// Only have to potentially retry the first time.
+		code, combined := kvPutWithRetry(t, client, []string{
+			"-cas", "0", "kv/write/cas", "bar=baz",
+		})
+		if code != 0 {
+			t.Fatalf("expected 0 to be %d", code)
+		}
 
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
+		for _, str := range v2ExpectedFields {
+			if !strings.Contains(combined, str) {
+				t.Errorf("expected %q to contain %q", combined, str)
+			}
+		}
 
-	// Create a logger. We wrap it in a gated writer so that it doesn't
-	// start logging too early.
-	c.logGate = gatedwriter.NewWriter(os.Stderr)
-	c.logWriter = c.logGate
+		ui, cmd := testKVPutCommand(t)
+		cmd.client = client
+		code = cmd.Run([]string{
+			"-cas", "1", "kv/write/cas", "bar=baz",
+		})
+		if code != 0 {
+			t.Fatalf("expected 0 to be %d", code)
+		}
+		combined = ui.OutputWriter.String() + ui.ErrorWriter.String()
 
-	if c.logFlags.flagCombineLogs {
-		c.logWriter = os.Stdout
-	}
+		for _, str := range v2ExpectedFields {
+			if !strings.Contains(combined, str) {
+				t.Errorf("expected %q to contain %q", combined, str)
+			}
+		}
 
-	// Validation
-	if len(c.flagConfigs) < 1 {
-		c.UI.Error("Must specify exactly at least one config path using -config")
-		return 1
-	}
+		ui, cmd = testKVPutCommand(t)
+		cmd.client = client
+		code = cmd.Run([]string{
+			"-cas", "1", "kv/write/cas", "bar=baz",
+		})
+		if code != 2 {
+			t.Fatalf("expected 2 to be %d", code)
+		}
+		combined = ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, "check-and-set parameter did not match the current version") {
+			t.Errorf("expected %q to contain %q", combined, "check-and-set parameter did not match the current version")
+		}
+	})
 
-	config, err := c.loadConfig(c.flagConfigs)
-	if err != nil {
-		c.outputErrors(err)
-		return 1
-	}
+	t.Run("v1_data", func(t *testing.T) {
+		t.Parallel()
 
-	if config.AutoAuth == nil {
-		c.UI.Info("No auto_auth block found in config, the automatic authentication feature will not be started")
-	}
+		client, closer := testVaultServer(t)
+		defer closer()
 
-	c.applyConfigOverrides(f, config) // This only needs to happen on start-up to aggregate config from flags and env vars
-	c.config = config
+		ui, cmd := testKVPutCommand(t)
+		cmd.client = client
 
-	l, err := c.newLogger()
-	if err != nil {
-		c.outputErrors(err)
-		return 1
-	}
-	c.logger = l
-
-	infoKeys := make([]string, 0, 10)
-	info := make(map[string]string)
-	info["log level"] = config.LogLevel
-	infoKeys = append(infoKeys, "log level")
-
-	infoKeys = append(infoKeys, "version")
-	verInfo := version.GetVersion()
-	info["version"] = verInfo.FullVersionNumber(false)
-	if verInfo.Revision != "" {
-		info["version sha"] = strings.Trim(verInfo.Revision, "'")
-		infoKeys = append(infoKeys, "version sha")
-	}
-	infoKeys = append(infoKeys, "cgo")
-	info["cgo"] = "disabled"
-	if version.CgoEnabled {
-		info["cgo"] = "enabled"
-	}
+		code := cmd.Run([]string{
+			"secret/write/data", "bar=baz",
+		})
+		if code != 0 {
+			t.Fatalf("expected 0 to be %d", code)
+		}
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, "Success!") {
+			t.Errorf("expected %q to contain %q", combined, "created_time")
+		}
 
-	// Tests might not want to start a vault server and just want to verify
-	// the configuration.
-	if c.flagTestVerifyOnly {
-		if os.Getenv("VAULT_TEST_VERIFY_ONLY_DUMP_CONFIG") != "" {
-			c.UI.Output(fmt.Sprintf(
-				"\nConfiguration:\n%s\n",
-				pretty.Sprint(*c.config)))
+		ui, rcmd := testReadCommand(t)
+		rcmd.client = client
+		code = rcmd.Run([]string{
+			"secret/write/data",
+		})
+		if code != 0 {
+			t.Fatalf("expected 0 to be %d", code)
 		}
-		return 0
-	}
+		combined = ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if strings.Contains(combined, "data") {
+			t.Errorf("expected %q not to contain %q", combined, "data")
+		}
+	})
 
-	// Ignore any setting of Agent/Proxy's address. This client is used by the Proxy
-	// to reach out to Vault. This should never loop back to the proxy.
-	c.flagAgentProxyAddress = ""
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(fmt.Sprintf(
-			"Error fetching client: %v",
-			err))
-		return 1
-	}
+	t.Run("stdin_full", func(t *testing.T) {
+		t.Parallel()
 
-	serverHealth, err := client.Sys().Health()
-	// We don't have any special behaviour if the error != nil, as this
-	// is not worth stopping the Proxy process over.
-	if err == nil {
-		// Note that we don't exit if the versions don't match, as this is a valid
-		// configuration, but we should still let the user know.
-		serverVersion := serverHealth.Version
-		proxyVersion := version.GetVersion().VersionNumber()
-		if serverVersion != proxyVersion {
-			c.UI.Info("==> Note: Vault Proxy version does not match Vault server version. " +
-				fmt.Sprintf("Vault Proxy version: %s, Vault server version: %s", proxyVersion, serverVersion))
-		}
-	}
+		client, closer := testVaultServer(t)
+		defer closer()
 
-	// telemetry configuration
-	inmemMetrics, _, prometheusEnabled, err := configutil.SetupTelemetry(&configutil.SetupTelemetryOpts{
-		Config:      config.Telemetry,
-		Ui:          c.UI,
-		ServiceName: "vault",
-		DisplayName: "Vault",
-		UserAgent:   useragent.ProxyString(),
-		ClusterName: config.ClusterName,
-	})
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error initializing telemetry: %s", err))
-		return 1
-	}
-	c.metricsHelper = metricsutil.NewMetricsHelper(inmemMetrics, prometheusEnabled)
+		stdinR, stdinW := io.Pipe()
+		go func() {
+			stdinW.Write([]byte(`{"foo":"bar"}`))
+			stdinW.Close()
+		}()
+
+		_, cmd := testKVPutCommand(t)
+		cmd.client = client
+		cmd.testStdin = stdinR
 
-	var method auth.AuthMethod
-	var sinks []*sink.SinkConfig
-	if config.AutoAuth != nil {
-		if client.Headers().Get(consts.NamespaceHeaderName) == "" && config.AutoAuth.Method.Namespace != "" {
-			client.SetNamespace(config.AutoAuth.Method.Namespace)
+		code := cmd.Run([]string{
+			"secret/write/stdin_full", "-",
+		})
+		if code != 0 {
+			t.Fatalf("expected 0 to be %d", code)
 		}
 
-		sinkClient, err := client.CloneWithHeaders()
+		secret, err := client.Logical().Read("secret/write/stdin_full")
 		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error cloning client for file sink: %v", err))
-			return 1
+			t.Fatal(err)
 		}
-
-		if config.DisableIdleConnsAutoAuth {
-			sinkClient.SetMaxIdleConnections(-1)
+		if secret == nil || secret.Data == nil {
+			t.Fatal("expected secret to have data")
 		}
+		if exp, act := "bar", secret.Data["foo"].(string); exp != act {
+			t.Errorf("expected %q to be %q", act, exp)
+		}
+	})
+
+	t.Run("stdin_value", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		stdinR, stdinW := io.Pipe()
+		go func() {
+			stdinW.Write([]byte("bar"))
+			stdinW.Close()
+		}()
 
-		if config.DisableKeepAlivesAutoAuth {
-			sinkClient.SetDisableKeepAlives(true)
+		_, cmd := testKVPutCommand(t)
+		cmd.client = client
+		cmd.testStdin = stdinR
+
+		code := cmd.Run([]string{
+			"secret/write/stdin_value", "foo=-",
+		})
+		if code != 0 {
+			t.Fatalf("expected 0 to be %d", code)
 		}
 
-		for _, sc := range config.AutoAuth.Sinks {
-			switch sc.Type {
-			case "file":
-				config := &sink.SinkConfig{
-					Logger:    c.logger.Named("sink.file"),
-					Config:    sc.Config,
-					Client:    sinkClient,
-					WrapTTL:   sc.WrapTTL,
-					DHType:    sc.DHType,
-					DeriveKey: sc.DeriveKey,
-					DHPath:    sc.DHPath,
-					AAD:       sc.AAD,
-				}
-				s, err := file.NewFileSink(config)
-				if err != nil {
-					c.UI.Error(fmt.Errorf("error creating file sink: %w", err).Error())
-					return 1
-				}
-				config.Sink = s
-				sinks = append(sinks, config)
-			default:
-				c.UI.Error(fmt.Sprintf("Unknown sink type %q", sc.Type))
-				return 1
-			}
+		secret, err := client.Logical().Read("secret/write/stdin_value")
+		if err != nil {
+			t.Fatal(err)
 		}
+		if secret == nil || secret.Data == nil {
+			t.Fatal("expected secret to have data")
+		}
+		if exp, act := "bar", secret.Data["foo"].(string); exp != act {
+			t.Errorf("expected %q to be %q", act, exp)
+		}
+	})
+
+	t.Run("integration", func(t *testing.T) {
+		t.Parallel()
 
-		authConfig := &auth.AuthConfig{
-			Logger:    c.logger.Named(fmt.Sprintf("auth.%s", config.AutoAuth.Method.Type)),
-			MountPath: config.AutoAuth.Method.MountPath,
-			Config:    config.AutoAuth.Method.Config,
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		_, cmd := testKVPutCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"secret/write/integration", "foo=bar", "zip=zap",
+		})
+		if code != 0 {
+			t.Fatalf("expected 0 to be %d", code)
 		}
-		method, err = agentproxyshared.GetAutoAuthMethodFromConfig(config.AutoAuth.Method.Type, authConfig, config.Vault.Address)
+
+		secret, err := client.Logical().Read("secret/write/integration")
 		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error creating %s auth method: %v", config.AutoAuth.Method.Type, err))
-			return 1
+			t.Fatal(err)
+		}
+		if secret == nil || secret.Data == nil {
+			t.Fatal("expected secret to have data")
+		}
+		if exp, act := "bar", secret.Data["foo"].(string); exp != act {
+			t.Errorf("expected %q to be %q", act, exp)
 		}
+		if exp, act := "zap", secret.Data["zip"].(string); exp != act {
+			t.Errorf("expected %q to be %q", act, exp)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testKVPutCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
+
+func testKVGetCommand(tb testing.TB) (*cli.MockUi, *KVGetCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &KVGetCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
 	}
+}
 
-	// We do this after auto-auth has been configured, because we don't want to
-	// confuse the issue of retries for auth failures which have their own
-	// config and are handled a bit differently.
-	if os.Getenv(api.EnvVaultMaxRetries) == "" {
-		client.SetMaxRetries(ctconfig.DefaultRetryAttempts)
-		if config.Vault != nil {
-			if config.Vault.Retry != nil {
-				client.SetMaxRetries(config.Vault.Retry.NumRetries)
-			}
-		}
+func TestKVGetCommand(t *testing.T) {
+	t.Parallel()
+
+	baseV2ExpectedFields := []string{"created_time", "custom_metadata", "deletion_time", "deletion_time", "version"}
+
+	cases := []struct {
+		name       string
+		args       []string
+		outStrings []string
+		code       int
+	}{
+		{
+			"not_enough_args",
+			[]string{},
+			[]string{"Not enough arguments"},
+			1,
+		},
+		{
+			"too_many_args",
+			[]string{"foo", "bar"},
+			[]string{"Too many arguments"},
+			1,
+		},
+		{
+			"not_found",
+			[]string{"secret/nope/not/once/never"},
+			[]string{"No value found at secret/nope/not/once/never"},
+			2,
+		},
+		{
+			"default",
+			[]string{"secret/read/foo"},
+			[]string{"foo"},
+			0,
+		},
+		{
+			"v1_field",
+			[]string{"-field", "foo", "secret/read/foo"},
+			[]string{"bar"},
+			0,
+		},
+		{
+			"v1_mount_flag_syntax",
+			[]string{"-mount", "secret", "read/foo"},
+			[]string{"foo"},
+			0,
+		},
+		{
+			"v2_field",
+			[]string{"-field", "foo", "kv/read/foo"},
+			[]string{"bar"},
+			0,
+		},
+		{
+			"v2_mount_flag_syntax",
+			[]string{"-mount", "kv", "read/foo"},
+			append(baseV2ExpectedFields, "foo"),
+			0,
+		},
+		{
+			"v2_mount_flag_syntax_leading_slash",
+			[]string{"-mount", "kv", "/read/foo"},
+			append(baseV2ExpectedFields, "foo"),
+			0,
+		},
+		{
+			"v1_mount_flag_syntax_key_same_as_mount",
+			[]string{"-mount", "kv", "kv"},
+			append(baseV2ExpectedFields, "foo"),
+			0,
+		},
+		{
+			"v2_mount_flag_syntax_key_same_as_mount",
+			[]string{"-mount", "kv", "kv"},
+			append(baseV2ExpectedFields, "foo"),
+			0,
+		},
+		{
+			"v2_not_found",
+			[]string{"kv/nope/not/once/never"},
+			[]string{"No value found at kv/data/nope/not/once/never"},
+			2,
+		},
+		{
+			"v2_read",
+			[]string{"kv/read/foo"},
+			append(baseV2ExpectedFields, "foo"),
+			0,
+		},
+		{
+			"v2_read_leading_slash",
+			[]string{"/kv/read/foo"},
+			append(baseV2ExpectedFields, "foo"),
+			0,
+		},
+		{
+			"v2_read_version",
+			[]string{"--version", "1", "kv/read/foo"},
+			append(baseV2ExpectedFields, "foo"),
+			0,
+		},
 	}
 
-	enforceConsistency := cache.EnforceConsistencyNever
-	whenInconsistent := cache.WhenInconsistentFail
-	if config.APIProxy != nil {
-		switch config.APIProxy.EnforceConsistency {
-		case "always":
-			enforceConsistency = cache.EnforceConsistencyAlways
-		case "never", "":
-		default:
-			c.UI.Error(fmt.Sprintf("Unknown api_proxy setting for enforce_consistency: %q", config.APIProxy.EnforceConsistency))
-			return 1
-		}
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
 
-		switch config.APIProxy.WhenInconsistent {
-		case "retry":
-			whenInconsistent = cache.WhenInconsistentRetry
-		case "forward":
-			whenInconsistent = cache.WhenInconsistentForward
-		case "fail", "":
-		default:
-			c.UI.Error(fmt.Sprintf("Unknown api_proxy setting for when_inconsistent: %q", config.APIProxy.WhenInconsistent))
-			return 1
-		}
-	}
+		for _, tc := range cases {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
 
-	// Warn if cache _and_ cert auto-auth is enabled but certificates were not
-	// provided in the auto_auth.method["cert"].config stanza.
-	if config.Cache != nil && (config.AutoAuth != nil && config.AutoAuth.Method != nil && config.AutoAuth.Method.Type == "cert") {
-		_, okCertFile := config.AutoAuth.Method.Config["client_cert"]
-		_, okCertKey := config.AutoAuth.Method.Config["client_key"]
-
-		// If neither of these exists in the cert stanza, proxy will use the
-		// certs from the vault stanza.
-		if !okCertFile && !okCertKey {
-			c.UI.Warn(wrapAtLength("WARNING! Cache is enabled and using the same certificates " +
-				"from the 'cert' auto-auth method specified in the 'vault' stanza. Consider " +
-				"specifying certificate information in the 'cert' auto-auth's config stanza."))
+				client, closer := testVaultServer(t)
+				defer closer()
+				if err := client.Sys().Mount("kv/", &api.MountInput{
+					Type: "kv-v2",
+				}); err != nil {
+					t.Fatal(err)
+				}
+
+				// Give time for the upgrade code to run/finish
+				time.Sleep(time.Second)
+
+				if _, err := client.Logical().Write("secret/read/foo", map[string]interface{}{
+					"foo": "bar",
+				}); err != nil {
+					t.Fatal(err)
+				}
+
+				if _, err := client.Logical().Write("kv/data/read/foo", map[string]interface{}{
+					"data": map[string]interface{}{
+						"foo": "bar",
+					},
+				}); err != nil {
+					t.Fatal(err)
+				}
+
+				// create KV entries to test -mount flag where secret key is same as mount path
+				if _, err := client.Logical().Write("secret/secret", map[string]interface{}{
+					"foo": "bar",
+				}); err != nil {
+					t.Fatal(err)
+				}
+
+				if _, err := client.Logical().Write("kv/data/kv", map[string]interface{}{
+					"data": map[string]interface{}{
+						"foo": "bar",
+					},
+				}); err != nil {
+					t.Fatal(err)
+				}
+
+				ui, cmd := testKVGetCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+
+				for _, str := range tc.outStrings {
+					if !strings.Contains(combined, str) {
+						t.Errorf("expected %q to contain %q", combined, str)
+					}
+				}
+			})
 		}
+	})
 
-	}
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
 
-	// Output the header that the proxy has started
-	if !c.logFlags.flagCombineLogs {
-		c.UI.Output("==> Vault Proxy started! Log data will stream in below:\n")
+		_, cmd := testKVGetCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
+
+func testKVListCommand(tb testing.TB) (*cli.MockUi, *KVListCommand) {
+	tb.Helper()
+	ui := cli.NewMockUi()
+	cmd := &KVListCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
 	}
 
-	var leaseCache *cache.LeaseCache
-	var previousToken string
+	return ui, cmd
+}
 
-	proxyClient, err := client.CloneWithHeaders()
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error cloning client for proxying: %v", err))
-		return 1
+// TestKVListCommand runs tests for `vault kv list`
+func TestKVListCommand(t *testing.T) {
+	testCases := []struct {
+		name       string
+		args       []string
+		outStrings []string
+		code       int
+	}{
+		{
+			name:       "default",
+			args:       []string{"kv/my-prefix"},
+			outStrings: []string{"secret-0", "secret-1", "secret-2"},
+			code:       0,
+		},
+		{
+			name:       "not_enough_args",
+			args:       []string{},
+			outStrings: []string{"Not enough arguments"},
+			code:       1,
+		},
+		{
+			name:       "v2_default_with_mount",
+			args:       []string{"-mount", "kv", "my-prefix"},
+			outStrings: []string{"secret-0", "secret-1", "secret-2"},
+			code:       0,
+		},
+		{
+			name:       "v1_default_with_mount",
+			args:       []string{"kv/my-prefix"},
+			outStrings: []string{"secret-0", "secret-1", "secret-2"},
+			code:       0,
+		},
+		{
+			name:       "v2_not_found",
+			args:       []string{"kv/nope/not/once/never"},
+			outStrings: []string{"No value found at kv/metadata/nope/not/once/never"},
+			code:       2,
+		},
+		{
+			name:       "v1_mount_only",
+			args:       []string{"kv"},
+			outStrings: []string{"my-prefix"},
+			code:       0,
+		},
+		{
+			name:       "v2_mount_only",
+			args:       []string{"-mount", "kv"},
+			outStrings: []string{"my-prefix"},
+			code:       0,
+		},
+		{
+			// this is behavior that should be tested
+			// `kv` here is an explicit mount
+			// `my-prefix` is not
+			// the current kv code will ignore `my-prefix`
+			name:       "ignore_multi_part_mounts",
+			args:       []string{"-mount", "kv/my-prefix"},
+			outStrings: []string{"my-prefix"},
+			code:       0,
+		},
 	}
 
-	if config.DisableIdleConnsAPIProxy {
-		proxyClient.SetMaxIdleConnections(-1)
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, testCase := range testCases {
+			testCase := testCase
+
+			t.Run(testCase.name, func(t *testing.T) {
+				t.Parallel()
+
+				// test setup
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				// enable kv-v2 backend
+				if err := client.Sys().Mount("kv/", &api.MountInput{
+					Type: "kv-v2",
+				}); err != nil {
+					t.Fatal(err)
+				}
+				time.Sleep(time.Second)
+
+				ctx := context.Background()
+				for i := 0; i < 3; i++ {
+					path := fmt.Sprintf("my-prefix/secret-%d", i)
+					_, err := client.KVv2("kv/").Put(ctx, path, map[string]interface{}{
+						"foo": "bar",
+					})
+					if err != nil {
+						t.Fatal(err)
+					}
+				}
+
+				ui, cmd := testKVListCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(testCase.args)
+				if code != testCase.code {
+					t.Errorf("expected %d to be %d", code, testCase.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				for _, str := range testCase.outStrings {
+					if !strings.Contains(combined, str) {
+						t.Errorf("expected %q to contain %q", combined, str)
+					}
+				}
+			})
+		}
+	})
+}
+
+func testKVMetadataGetCommand(tb testing.TB) (*cli.MockUi, *KVMetadataGetCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &KVMetadataGetCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
 	}
+}
 
-	if config.DisableKeepAlivesAPIProxy {
-		proxyClient.SetDisableKeepAlives(true)
+func TestKVMetadataGetCommand(t *testing.T) {
+	t.Parallel()
+
+	expectedTopLevelFields := []string{
+		"cas_required",
+		"created_time",
+		"current_version",
+		"custom_metadata",
+		"delete_version_after",
+		"max_versions",
+		"oldest_version",
+		"updated_time",
 	}
 
-	apiProxyLogger := c.logger.Named("apiproxy")
+	expectedVersionFields := []string{
+		"created_time", // field is redundant
+		"deletion_time",
+		"destroyed",
+	}
 
-	// The API proxy to be used, if listeners are configured
-	apiProxy, err := cache.NewAPIProxy(&cache.APIProxyConfig{
-		Client:                  proxyClient,
-		Logger:                  apiProxyLogger,
-		EnforceConsistency:      enforceConsistency,
-		WhenInconsistentAction:  whenInconsistent,
-		UserAgentStringFunction: useragent.ProxyStringWithProxiedUserAgent,
-		UserAgentString:         useragent.ProxyAPIProxyString(),
-	})
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error creating API proxy: %v", err))
-		return 1
+	cases := []struct {
+		name       string
+		args       []string
+		outStrings []string
+		code       int
+	}{
+		{
+			"v1",
+			[]string{"secret/foo"},
+			[]string{"Metadata not supported on KV Version 1"},
+			1,
+		},
+		{
+			"metadata_exists",
+			[]string{"kv/foo"},
+			expectedTopLevelFields,
+			0,
+		},
+		// ensure that all top-level and version-level fields are output along with version num
+		{
+			"versions_exist",
+			[]string{"kv/foo"},
+			append(expectedTopLevelFields, expectedVersionFields[:]...),
+			0,
+		},
+		{
+			"mount_flag_syntax",
+			[]string{"-mount", "kv", "foo"},
+			expectedTopLevelFields,
+			0,
+		},
+		{
+			"mount_flag_syntax_key_same_as_mount",
+			[]string{"-mount", "kv", "kv"},
+			expectedTopLevelFields,
+			0,
+		},
 	}
 
-	// ctx and cancelFunc are passed to the AuthHandler, SinkServer,
-	// and other subsystems, so that they can listen for ctx.Done() to
-	// fire and shut down accordingly.
-	ctx, cancelFunc := context.WithCancel(context.Background())
-	defer cancelFunc()
-
-	var updater *cache.StaticSecretCacheUpdater
-
-	// Parse proxy cache configurations
-	if config.Cache != nil {
-		cacheLogger := c.logger.Named("cache")
-
-		// Create the lease cache proxier and set its underlying proxier to
-		// the API proxier.
-		leaseCache, err = cache.NewLeaseCache(&cache.LeaseCacheConfig{
-			Client:             proxyClient,
-			BaseContext:        ctx,
-			Proxier:            apiProxy,
-			Logger:             cacheLogger.Named("leasecache"),
-			CacheStaticSecrets: config.Cache.CacheStaticSecrets,
-			// dynamic secrets are configured as default-on to preserve backwards compatibility
-			CacheDynamicSecrets: !config.Cache.DisableCachingDynamicSecrets,
-			UserAgentToUse:      useragent.AgentProxyString(),
-		})
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error creating lease cache: %v", err))
-			return 1
-		}
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
 
-		cacheLogger.Info("cache configured", "cache_static_secrets", config.Cache.CacheStaticSecrets, "disable_caching_dynamic_secrets", config.Cache.DisableCachingDynamicSecrets)
+		for _, tc := range cases {
+			tc := tc
 
-		// Configure persistent storage and add to LeaseCache
-		if config.Cache.Persist != nil {
-			deferFunc, oldToken, err := agentproxyshared.AddPersistentStorageToLeaseCache(ctx, leaseCache, config.Cache.Persist, cacheLogger)
-			if err != nil {
-				c.UI.Error(fmt.Sprintf("Error creating persistent cache: %v", err))
-				return 1
-			}
-			previousToken = oldToken
-			if deferFunc != nil {
-				defer deferFunc()
-			}
-		}
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
 
-		// If we're caching static secrets, we need to start the updater, too
-		if config.Cache.CacheStaticSecrets {
-			staticSecretCacheUpdaterLogger := c.logger.Named("cache.staticsecretcacheupdater")
-			inmemSink, err := inmem.New(&sink.SinkConfig{
-				Logger: staticSecretCacheUpdaterLogger,
-			}, leaseCache)
-			if err != nil {
-				c.UI.Error(fmt.Sprintf("Error creating inmem sink for static secret updater susbsystem: %v", err))
-				return 1
-			}
-			sinks = append(sinks, &sink.SinkConfig{
-				Logger: staticSecretCacheUpdaterLogger,
-				Sink:   inmemSink,
-			})
+				client, closer := testVaultServer(t)
+				defer closer()
+				if err := client.Sys().Mount("kv/", &api.MountInput{
+					Type: "kv-v2",
+				}); err != nil {
+					t.Fatal(err)
+				}
 
-			updater, err = cache.NewStaticSecretCacheUpdater(&cache.StaticSecretCacheUpdaterConfig{
-				Client:     client,
-				LeaseCache: leaseCache,
-				Logger:     staticSecretCacheUpdaterLogger,
-				TokenSink:  inmemSink,
-			})
-			if err != nil {
-				c.UI.Error(fmt.Sprintf("Error creating static secret cache updater: %v", err))
-				return 1
-			}
+				// Give time for the upgrade code to run/finish
+				time.Sleep(time.Second)
+
+				if _, err := client.Logical().Write("kv/data/foo", map[string]interface{}{
+					"data": map[string]interface{}{
+						"foo": "bar",
+					},
+				}); err != nil {
+					t.Fatal(err)
+				}
 
-			capabilityManager, err := cache.NewStaticSecretCapabilityManager(&cache.StaticSecretCapabilityManagerConfig{
-				LeaseCache: leaseCache,
-				Logger:     c.logger.Named("cache.staticsecretcapabilitymanager"),
-				Client:     client,
-				StaticSecretTokenCapabilityRefreshInterval: config.Cache.StaticSecretTokenCapabilityRefreshInterval,
+				// create KV entry to test -mount flag where secret key is same as mount path
+				if _, err := client.Logical().Write("kv/data/kv", map[string]interface{}{
+					"data": map[string]interface{}{
+						"foo": "bar",
+					},
+				}); err != nil {
+					t.Fatal(err)
+				}
+
+				ui, cmd := testKVMetadataGetCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				for _, str := range tc.outStrings {
+					if !strings.Contains(combined, str) {
+						t.Errorf("expected %q to contain %q", combined, str)
+					}
+				}
 			})
-			if err != nil {
-				c.UI.Error(fmt.Sprintf("Error creating static secret capability manager: %v", err))
-				return 1
-			}
-			leaseCache.SetCapabilityManager(capabilityManager)
 		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testKVMetadataGetCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
+
+func testKVPatchCommand(tb testing.TB) (*cli.MockUi, *KVPatchCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &KVPatchCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
 	}
+}
 
-	var listeners []net.Listener
+func TestKVPatchCommand_ArgValidation(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"not_enough_args",
+			[]string{},
+			"Not enough arguments",
+			1,
+		},
+		{
+			"empty_kvs",
+			[]string{"kv/patch/foo"},
+			"Must supply data",
+			1,
+		},
+		{
+			"kvs_no_value",
+			[]string{"kv/patch/foo", "foo"},
+			"Failed to parse K=V data",
+			1,
+		},
+		{
+			"mount_flag_syntax",
+			[]string{"-mount", "kv"},
+			"Not enough arguments",
+			1,
+		},
+	}
 
-	// Ensure we've added all the reload funcs for TLS before anyone triggers a reload.
-	c.tlsReloadFuncsLock.Lock()
+	for _, tc := range cases {
+		tc := tc // capture range variable
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
 
-	for i, lnConfig := range config.Listeners {
-		var ln net.Listener
-		var tlsCfg *tls.Config
+			client, closer := testVaultServer(t)
+			defer closer()
 
-		if lnConfig.Type == listenerutil.BufConnType {
-			inProcListener := bufconn.Listen(1024 * 1024)
-			if config.Cache != nil {
-				config.Cache.InProcDialer = listenerutil.NewBufConnWrapper(inProcListener)
+			if err := client.Sys().Mount("kv/", &api.MountInput{
+				Type: "kv-v2",
+			}); err != nil {
+				t.Fatalf("kv-v2 mount attempt failed - err: %#v\n", err)
 			}
-			ln = inProcListener
-		} else {
-			lnBundle, err := cache.StartListener(lnConfig)
-			if err != nil {
-				c.UI.Error(fmt.Sprintf("Error starting listener: %v", err))
-				return 1
+
+			code, combined := kvPatchWithRetry(t, client, tc.args, nil)
+
+			if code != tc.code {
+				t.Fatalf("expected code to be %d but was %d for patch cmd with args %#v\n", tc.code, code, tc.args)
 			}
 
-			tlsCfg = lnBundle.TLSConfig
-			ln = lnBundle.Listener
+			if !strings.Contains(combined, tc.out) {
+				t.Fatalf("expected output to be %q but was %q for patch cmd with args %#v\n", tc.out, combined, tc.args)
+			}
+		})
+	}
+}
 
-			// Track the reload func, so we can reload later if needed.
-			c.tlsReloadFuncs = append(c.tlsReloadFuncs, lnBundle.TLSReloadFunc)
-		}
+// expectedPatchFields produces a deterministic slice of
+// expected fields for patch command output since const
+// slices are not supported
+func expectedPatchFields() []string {
+	return []string{
+		"created_time",
+		"custom_metadata",
+		"deletion_time",
+		"destroyed",
+		"version",
+	}
+}
 
-		listeners = append(listeners, ln)
-
-		proxyVaultToken := true
-		var inmemSink sink.Sink
-		if config.APIProxy != nil {
-			if config.APIProxy.UseAutoAuthToken {
-				apiProxyLogger.Debug("configuring inmem auto-auth sink")
-				inmemSink, err = inmem.New(&sink.SinkConfig{
-					Logger: apiProxyLogger,
-				}, leaseCache)
-				if err != nil {
-					c.UI.Error(fmt.Sprintf("Error creating inmem sink for cache: %v", err))
-					return 1
-				}
-				sinks = append(sinks, &sink.SinkConfig{
-					Logger: apiProxyLogger,
-					Sink:   inmemSink,
-				})
+func TestKVPatchCommand_StdinFull(t *testing.T) {
+	client, closer := testVaultServer(t)
+	defer closer()
+
+	if err := client.Sys().Mount("kv/", &api.MountInput{
+		Type: "kv-v2",
+	}); err != nil {
+		t.Fatalf("kv-v2 mount attempt failed - err: %#v\n", err)
+	}
+
+	if _, err := client.Logical().Write("kv/data/patch/foo", map[string]interface{}{
+		"data": map[string]interface{}{
+			"foo": "a",
+		},
+	}); err != nil {
+		t.Fatalf("write failed, err: %#v\n", err)
+	}
+
+	cases := [][]string{
+		{"kv/patch/foo", "-"},
+		{"-mount", "kv", "patch/foo", "-"},
+	}
+	for i, args := range cases {
+		stdinR, stdinW := io.Pipe()
+		go func() {
+			stdinW.Write([]byte(fmt.Sprintf(`{"foo%d":"bar%d"}`, i, i)))
+			stdinW.Close()
+		}()
+		code, combined := kvPatchWithRetry(t, client, args, stdinR)
+
+		for _, str := range expectedPatchFields() {
+			if !strings.Contains(combined, str) {
+				t.Errorf("expected %q to contain %q", combined, str)
 			}
-			proxyVaultToken = !config.APIProxy.ForceAutoAuthToken
 		}
 
-		var muxHandler http.Handler
-		if leaseCache != nil {
-			muxHandler = cache.ProxyHandler(ctx, apiProxyLogger, leaseCache, inmemSink, proxyVaultToken)
-		} else {
-			muxHandler = cache.ProxyHandler(ctx, apiProxyLogger, apiProxy, inmemSink, proxyVaultToken)
+		if code != 0 {
+			t.Fatalf("expected code to be 0 but was %d for patch cmd with args %#v\n", code, args)
 		}
 
-		// Parse 'require_request_header' listener config option, and wrap
-		// the request handler if necessary
-		if lnConfig.RequireRequestHeader && ("metrics_only" != lnConfig.Role) {
-			muxHandler = verifyRequestHeader(muxHandler)
+		secret, err := client.Logical().ReadWithContext(context.Background(), "kv/data/patch/foo")
+		if err != nil {
+			t.Fatalf("read failed, err: %#v\n", err)
 		}
 
-		// Create a muxer and add paths relevant for the lease cache layer
-		mux := http.NewServeMux()
-		quitEnabled := lnConfig.ProxyAPI != nil && lnConfig.ProxyAPI.EnableQuit
-
-		mux.Handle(consts.ProxyPathMetrics, c.handleMetrics())
-		if "metrics_only" != lnConfig.Role {
-			mux.Handle(consts.ProxyPathCacheClear, leaseCache.HandleCacheClear(ctx))
-			mux.Handle(consts.ProxyPathQuit, c.handleQuit(quitEnabled))
-			mux.Handle("/", muxHandler)
+		if secret == nil || secret.Data == nil {
+			t.Fatal("expected secret to have data")
 		}
 
-		scheme := "https://"
-		if tlsCfg == nil {
-			scheme = "http://"
-		}
-		if ln.Addr().Network() == "unix" {
-			scheme = "unix://"
+		secretDataRaw, ok := secret.Data["data"]
+
+		if !ok {
+			t.Fatalf("expected secret to have nested data key, data: %#v", secret.Data)
 		}
 
-		infoKey := fmt.Sprintf("api address %d", i+1)
-		info[infoKey] = scheme + ln.Addr().String()
-		infoKeys = append(infoKeys, infoKey)
-
-		server := &http.Server{
-			Addr:              ln.Addr().String(),
-			TLSConfig:         tlsCfg,
-			Handler:           mux,
-			ReadHeaderTimeout: 10 * time.Second,
-			ReadTimeout:       30 * time.Second,
-			IdleTimeout:       5 * time.Minute,
-			ErrorLog:          apiProxyLogger.StandardLogger(nil),
+		secretData := secretDataRaw.(map[string]interface{})
+		foo, ok := secretData[fmt.Sprintf("foo%d", i)].(string)
+		if !ok {
+			t.Fatal("expected foo to be a string but it wasn't")
 		}
 
-		go server.Serve(ln)
+		if exp, act := fmt.Sprintf("bar%d", i), foo; exp != act {
+			t.Fatalf("expected %q to be %q, data: %#v\n", act, exp, secret.Data)
+		}
 	}
+}
 
-	c.tlsReloadFuncsLock.Unlock()
+func TestKVPatchCommand_StdinValue(t *testing.T) {
+	client, closer := testVaultServer(t)
+	defer closer()
 
-	// Ensure that listeners are closed at all the exits
-	listenerCloseFunc := func() {
-		for _, ln := range listeners {
-			ln.Close()
-		}
+	if err := client.Sys().Mount("kv/", &api.MountInput{
+		Type: "kv-v2",
+	}); err != nil {
+		t.Fatalf("kv-v2 mount attempt failed - err: %#v\n", err)
 	}
-	defer c.cleanupGuard.Do(listenerCloseFunc)
 
-	// Inform any tests that the server is ready
-	if c.startedCh != nil {
-		close(c.startedCh)
+	if _, err := client.Logical().Write("kv/data/patch/foo", map[string]interface{}{
+		"data": map[string]interface{}{
+			"foo": "a",
+		},
+	}); err != nil {
+		t.Fatalf("write failed, err: %#v\n", err)
 	}
 
-	var g run.Group
+	cases := [][]string{
+		{"kv/patch/foo", "foo=-"},
+		{"-mount", "kv", "patch/foo", "foo=-"},
+	}
 
-	g.Add(func() error {
-		for {
-			select {
-			case <-c.SighupCh:
-				c.UI.Output("==> Vault Proxy config reload triggered")
-				err := c.reloadConfig(c.flagConfigs)
-				if err != nil {
-					c.outputErrors(err)
-				}
-				// Send the 'reloaded' message on the relevant channel
-				select {
-				case c.reloadedCh <- struct{}{}:
-				default:
-				}
-			case <-ctx.Done():
-				return nil
-			}
+	for i, args := range cases {
+		stdinR, stdinW := io.Pipe()
+		go func() {
+			stdinW.Write([]byte(fmt.Sprintf("bar%d", i)))
+			stdinW.Close()
+		}()
+
+		code, combined := kvPatchWithRetry(t, client, args, stdinR)
+		if code != 0 {
+			t.Fatalf("expected code to be 0 but was %d for patch cmd with args %#v\n", code, args)
 		}
-	}, func(error) {
-		cancelFunc()
-	})
 
-	// This run group watches for signal termination
-	g.Add(func() error {
-		for {
-			select {
-			case <-c.ShutdownCh:
-				c.UI.Output("==> Vault Proxy shutdown triggered")
-				// Notify systemd that the server is shutting down
-				// Let the lease cache know this is a shutdown; no need to evict everything
-				if leaseCache != nil {
-					leaseCache.SetShuttingDown(true)
-				}
-				return nil
-			case <-ctx.Done():
-				return nil
-			case <-winsvc.ShutdownChannel():
-				return nil
+		for _, str := range expectedPatchFields() {
+			if !strings.Contains(combined, str) {
+				t.Errorf("expected %q to contain %q", combined, str)
 			}
 		}
-	}, func(error) {})
 
-	// Start auto-auth and sink servers
-	if method != nil {
-		// Auth Handler is going to set its own retry values, so we want to
-		// work on a copy of the client to not affect other subsystems.
-		ahClient, err := c.client.CloneWithHeaders()
+		secret, err := client.Logical().ReadWithContext(context.Background(), "kv/data/patch/foo")
 		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error cloning client for auth handler: %v", err))
-			return 1
-		}
-
-		if config.DisableIdleConnsAutoAuth {
-			ahClient.SetMaxIdleConnections(-1)
+			t.Fatalf("read failed, err: %#v\n", err)
 		}
 
-		if config.DisableKeepAlivesAutoAuth {
-			ahClient.SetDisableKeepAlives(true)
+		if secret == nil || secret.Data == nil {
+			t.Fatal("expected secret to have data")
 		}
 
-		ah := auth.NewAuthHandler(&auth.AuthHandlerConfig{
-			Logger:                       c.logger.Named("auth.handler"),
-			Client:                       ahClient,
-			WrapTTL:                      config.AutoAuth.Method.WrapTTL,
-			MinBackoff:                   config.AutoAuth.Method.MinBackoff,
-			MaxBackoff:                   config.AutoAuth.Method.MaxBackoff,
-			EnableReauthOnNewCredentials: config.AutoAuth.EnableReauthOnNewCredentials,
-			Token:                        previousToken,
-			ExitOnError:                  config.AutoAuth.Method.ExitOnError,
-			UserAgent:                    useragent.ProxyAutoAuthString(),
-			MetricsSignifier:             "proxy",
-		})
+		secretDataRaw, ok := secret.Data["data"]
 
-		ss := sink.NewSinkServer(&sink.SinkServerConfig{
-			Logger:        c.logger.Named("sink.server"),
-			Client:        ahClient,
-			ExitAfterAuth: config.ExitAfterAuth,
-		})
+		if !ok {
+			t.Fatalf("expected secret to have nested data key, data: %#v\n", secret.Data)
+		}
 
-		g.Add(func() error {
-			return ah.Run(ctx, method)
-		}, func(error) {
-			// Let the lease cache know this is a shutdown; no need to evict
-			// everything
-			if leaseCache != nil {
-				leaseCache.SetShuttingDown(true)
-			}
-			cancelFunc()
-		})
+		secretData := secretDataRaw.(map[string]interface{})
 
-		g.Add(func() error {
-			err := ss.Run(ctx, ah.OutputCh, sinks)
-			c.logger.Info("sinks finished, exiting")
-
-			// Start goroutine to drain from ah.OutputCh from this point onward
-			// to prevent ah.Run from being blocked.
-			go func() {
-				for {
-					select {
-					case <-ctx.Done():
-						return
-					case <-ah.OutputCh:
-					}
-				}
-			}()
-
-			return err
-		}, func(error) {
-			// Let the lease cache know this is a shutdown; no need to evict
-			// everything
-			if leaseCache != nil {
-				leaseCache.SetShuttingDown(true)
-			}
-			cancelFunc()
-		})
+		if exp, act := fmt.Sprintf("bar%d", i), secretData["foo"].(string); exp != act {
+			t.Fatalf("expected %q to be %q, data: %#v\n", act, exp, secret.Data)
+		}
 	}
+}
 
-	// Add the static secret cache updater, if appropriate
-	if updater != nil {
-		g.Add(func() error {
-			err := updater.Run(ctx)
-			return err
-		}, func(error) {
-			cancelFunc()
-		})
-	}
+func TestKVPatchCommand_RWMethodNotExists(t *testing.T) {
+	client, closer := testVaultServer(t)
+	defer closer()
 
-	// Server configuration output
-	padding := 24
-	sort.Strings(infoKeys)
-	caser := cases.Title(language.English)
-	c.UI.Output("==> Vault Proxy configuration:\n")
-	for _, k := range infoKeys {
-		c.UI.Output(fmt.Sprintf(
-			"%s%s: %s",
-			strings.Repeat(" ", padding-len(k)),
-			caser.String(k),
-			info[k]))
+	if err := client.Sys().Mount("kv/", &api.MountInput{
+		Type: "kv-v2",
+	}); err != nil {
+		t.Fatalf("kv-v2 mount attempt failed - err: %#v\n", err)
 	}
-	c.UI.Output("")
 
-	// Release the log gate.
-	c.logGate.Flush()
-
-	// Write out the PID to the file now that server has successfully started
-	if err := c.storePidFile(config.PidFile); err != nil {
-		c.UI.Error(fmt.Sprintf("Error storing PID: %s", err))
-		return 1
+	cases := [][]string{
+		{"-method", "rw", "kv/patch/foo", "foo=a"},
+		{"-method", "rw", "-mount", "kv", "patch/foo", "foo=a"},
 	}
 
-	// Notify systemd that the server is ready (if applicable)
-	c.notifySystemd(systemd.SdNotifyReady)
+	for _, args := range cases {
+		code, combined := kvPatchWithRetry(t, client, args, nil)
 
-	defer func() {
-		if err := c.removePidFile(config.PidFile); err != nil {
-			c.UI.Error(fmt.Sprintf("Error deleting the PID file: %s", err))
+		if code != 2 {
+			t.Fatalf("expected code to be 2 but was %d for patch cmd with args %#v\n", code, args)
 		}
-	}()
 
-	var exitCode int
-	if err := g.Run(); err != nil {
-		c.logger.Error("runtime error encountered", "error", err)
-		c.UI.Error("Error encountered during run, refer to logs for more details.")
-		exitCode = 1
+		expectedOutputSubstr := "No value found"
+		if !strings.Contains(combined, expectedOutputSubstr) {
+			t.Fatalf("expected output %q to contain %q for patch cmd with args %#v\n", combined, expectedOutputSubstr, args)
+		}
 	}
-	c.notifySystemd(systemd.SdNotifyStopping)
-	return exitCode
 }
 
-// applyConfigOverrides ensures that the config object accurately reflects the desired
-// settings as configured by the user. It applies the relevant config setting based
-// on the precedence (env var overrides file config, cli overrides env var).
-// It mutates the config object supplied.
-func (c *ProxyCommand) applyConfigOverrides(f *FlagSets, config *proxyConfig.Config) {
-	if config.Vault == nil {
-		config.Vault = &proxyConfig.Vault{}
+func TestKVPatchCommand_RWMethodSucceeds(t *testing.T) {
+	client, closer := testVaultServer(t)
+	defer closer()
+
+	if err := client.Sys().Mount("kv/", &api.MountInput{
+		Type: "kv-v2",
+	}); err != nil {
+		t.Fatalf("kv-v2 mount attempt failed - err: %#v\n", err)
 	}
 
-	f.applyLogConfigOverrides(config.SharedConfig)
+	if _, err := client.Logical().Write("kv/data/patch/foo", map[string]interface{}{
+		"data": map[string]interface{}{
+			"foo": "a",
+			"bar": "b",
+		},
+	}); err != nil {
+		t.Fatalf("write failed, err: %#v\n", err)
+	}
 
-	f.Visit(func(fl *flag.Flag) {
-		if fl.Name == flagNameProxyExitAfterAuth {
-			config.ExitAfterAuth = c.flagExitAfterAuth
-		}
-	})
+	// Test single value
+	args := []string{"-method", "rw", "kv/patch/foo", "foo=aa"}
+	code, combined := kvPatchWithRetry(t, client, args, nil)
 
-	c.setStringFlag(f, config.Vault.Address, &StringVar{
-		Name:    flagNameAddress,
-		Target:  &c.flagAddress,
-		Default: "https://127.0.0.1:8200",
-		EnvVar:  api.EnvVaultAddress,
-	})
-	config.Vault.Address = c.flagAddress
-	c.setStringFlag(f, config.Vault.CACert, &StringVar{
-		Name:    flagNameCACert,
-		Target:  &c.flagCACert,
-		Default: "",
-		EnvVar:  api.EnvVaultCACert,
-	})
-	config.Vault.CACert = c.flagCACert
-	c.setStringFlag(f, config.Vault.CAPath, &StringVar{
-		Name:    flagNameCAPath,
-		Target:  &c.flagCAPath,
-		Default: "",
-		EnvVar:  api.EnvVaultCAPath,
-	})
-	config.Vault.CAPath = c.flagCAPath
-	c.setStringFlag(f, config.Vault.ClientCert, &StringVar{
-		Name:    flagNameClientCert,
-		Target:  &c.flagClientCert,
-		Default: "",
-		EnvVar:  api.EnvVaultClientCert,
-	})
-	config.Vault.ClientCert = c.flagClientCert
-	c.setStringFlag(f, config.Vault.ClientKey, &StringVar{
-		Name:    flagNameClientKey,
-		Target:  &c.flagClientKey,
-		Default: "",
-		EnvVar:  api.EnvVaultClientKey,
-	})
-	config.Vault.ClientKey = c.flagClientKey
-	c.setBoolFlag(f, config.Vault.TLSSkipVerify, &BoolVar{
-		Name:    flagNameTLSSkipVerify,
-		Target:  &c.flagTLSSkipVerify,
-		Default: false,
-		EnvVar:  api.EnvVaultSkipVerify,
-	})
-	config.Vault.TLSSkipVerify = c.flagTLSSkipVerify
-	c.setStringFlag(f, config.Vault.TLSServerName, &StringVar{
-		Name:    flagTLSServerName,
-		Target:  &c.flagTLSServerName,
-		Default: "",
-		EnvVar:  api.EnvVaultTLSServerName,
-	})
-	config.Vault.TLSServerName = c.flagTLSServerName
-}
+	if code != 0 {
+		t.Fatalf("expected code to be 0 but was %d for patch cmd with args %#v\n", code, args)
+	}
 
-func (c *ProxyCommand) notifySystemd(status string) {
-	sent, err := systemd.SdNotify(false, status)
-	if err != nil {
-		c.logger.Error("error notifying systemd", "error", err)
-	} else {
-		if sent {
-			c.logger.Debug("sent systemd notification", "notification", status)
-		} else {
-			c.logger.Debug("would have sent systemd notification (systemd not present)", "notification", status)
+	for _, str := range expectedPatchFields() {
+		if !strings.Contains(combined, str) {
+			t.Errorf("expected %q to contain %q", combined, str)
 		}
 	}
-}
 
-func (c *ProxyCommand) setStringFlag(f *FlagSets, configVal string, fVar *StringVar) {
-	var isFlagSet bool
-	f.Visit(func(f *flag.Flag) {
-		if f.Name == fVar.Name {
-			isFlagSet = true
+	// Test that full path was output
+	for _, str := range []string{"== Secret Path ==", "kv/data/patch/foo"} {
+		if !strings.Contains(combined, str) {
+			t.Errorf("expected %q to contain %q", combined, str)
 		}
-	})
+	}
 
-	flagEnvValue, flagEnvSet := os.LookupEnv(fVar.EnvVar)
-	switch {
-	case isFlagSet:
-		// Don't do anything as the flag is already set from the command line
-	case flagEnvSet:
-		// Use value from env var
-		*fVar.Target = flagEnvValue
-	case configVal != "":
-		// Use value from config
-		*fVar.Target = configVal
-	default:
-		// Use the default value
-		*fVar.Target = fVar.Default
+	// Test multi value
+	args = []string{"-method", "rw", "kv/patch/foo", "foo=aaa", "bar=bbb"}
+	code, combined = kvPatchWithRetry(t, client, args, nil)
+
+	if code != 0 {
+		t.Fatalf("expected code to be 0 but was %d for patch cmd with args %#v\n", code, args)
 	}
-}
 
-func (c *ProxyCommand) setBoolFlag(f *FlagSets, configVal bool, fVar *BoolVar) {
-	var isFlagSet bool
-	f.Visit(func(f *flag.Flag) {
-		if f.Name == fVar.Name {
-			isFlagSet = true
+	for _, str := range expectedPatchFields() {
+		if !strings.Contains(combined, str) {
+			t.Errorf("expected %q to contain %q", combined, str)
 		}
-	})
-
-	flagEnvValue, flagEnvSet := os.LookupEnv(fVar.EnvVar)
-	switch {
-	case isFlagSet:
-		// Don't do anything as the flag is already set from the command line
-	case flagEnvSet:
-		// Use value from env var
-		*fVar.Target = flagEnvValue != ""
-	case configVal:
-		// Use value from config
-		*fVar.Target = configVal
-	default:
-		// Use the default value
-		*fVar.Target = fVar.Default
 	}
 }
 
-// storePidFile is used to write out our PID to a file if necessary
-func (c *ProxyCommand) storePidFile(pidPath string) error {
-	// Quit fast if no pidfile
-	if pidPath == "" {
-		return nil
+func TestKVPatchCommand_CAS(t *testing.T) {
+	cases := []struct {
+		name       string
+		key        string
+		args       []string
+		expected   string
+		outStrings []string
+		code       int
+	}{
+		{
+			"right version",
+			"foo",
+			[]string{"-cas", "1", "kv/foo", "bar=quux"},
+			"quux",
+			expectedPatchFields(),
+			0,
+		},
+		{
+			"wrong version",
+			"foo",
+			[]string{"-cas", "2", "kv/foo", "bar=wibble"},
+			"baz",
+			[]string{"check-and-set parameter did not match the current version"},
+			2,
+		},
+		{
+			"mount_flag_syntax",
+			"foo",
+			[]string{"-mount", "kv", "-cas", "1", "foo", "bar=quux"},
+			"quux",
+			expectedPatchFields(),
+			0,
+		},
+		{
+			"v2_mount_flag_syntax_key_same_as_mount",
+			"kv",
+			[]string{"-mount", "kv", "-cas", "1", "kv", "bar=quux"},
+			"quux",
+			expectedPatchFields(),
+			0,
+		},
 	}
 
-	// Open the PID file
-	pidFile, err := os.OpenFile(pidPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600)
-	if err != nil {
-		return fmt.Errorf("could not open pid file: %w", err)
-	}
-	defer pidFile.Close()
+	for _, tc := range cases {
+		tc := tc
 
-	// Write out the PID
-	pid := os.Getpid()
-	_, err = pidFile.WriteString(fmt.Sprintf("%d", pid))
-	if err != nil {
-		return fmt.Errorf("could not write to pid file: %w", err)
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			client, closer := testVaultServer(t)
+			defer closer()
+
+			if err := client.Sys().Mount("kv/", &api.MountInput{
+				Type: "kv-v2",
+			}); err != nil {
+				t.Fatalf("kv-v2 mount attempt failed - err: %#v\n", err)
+			}
+
+			// create a policy with patch capability
+			policy := `path "kv/*" { capabilities = ["create", "update", "read", "patch"] }`
+			secretAuth, err := createTokenForPolicy(t, client, policy)
+			if err != nil {
+				t.Fatalf("policy/token creation failed for policy %s, err: %#v\n", policy, err)
+			}
+
+			kvClient, err := client.Clone()
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			kvClient.SetToken(secretAuth.ClientToken)
+
+			data := map[string]interface{}{
+				"bar": "baz",
+			}
+
+			_, err = kvClient.Logical().Write("kv/data/"+tc.key, map[string]interface{}{"data": data})
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			code, combined := kvPatchWithRetry(t, kvClient, tc.args, nil)
+
+			if code != tc.code {
+				t.Fatalf("expected code to be %d but was %d", tc.code, code)
+			}
+
+			for _, str := range tc.outStrings {
+				if !strings.Contains(combined, str) {
+					t.Errorf("expected %q to contain %q", combined, str)
+				}
+			}
+
+			secret, err := kvClient.Logical().ReadWithContext(context.Background(), "kv/data/"+tc.key)
+			if err != nil {
+				t.Fatal(err)
+			}
+			bar := secret.Data["data"].(map[string]interface{})["bar"]
+			if bar != tc.expected {
+				t.Fatalf("expected bar to be %q but it was %q", tc.expected, bar)
+			}
+		})
 	}
-	return nil
 }
 
-// removePidFile is used to cleanup the PID file if necessary
-func (c *ProxyCommand) removePidFile(pidPath string) error {
-	if pidPath == "" {
-		return nil
+func TestKVPatchCommand_Methods(t *testing.T) {
+	cases := []struct {
+		name     string
+		args     []string
+		expected string
+		code     int
+	}{
+		{
+			"rw",
+			[]string{"-method", "rw", "kv/foo", "bar=quux"},
+			"quux",
+			0,
+		},
+		{
+			"patch",
+			[]string{"-method", "patch", "kv/foo", "bar=wibble"},
+			"wibble",
+			0,
+		},
 	}
-	return os.Remove(pidPath)
-}
 
-func (c *ProxyCommand) handleMetrics() http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method != http.MethodGet {
-			logical.RespondError(w, http.StatusMethodNotAllowed, nil)
-			return
-		}
+	for _, tc := range cases {
+		tc := tc
 
-		if err := r.ParseForm(); err != nil {
-			logical.RespondError(w, http.StatusBadRequest, err)
-			return
-		}
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
 
-		format := r.Form.Get("format")
-		if format == "" {
-			format = metricsutil.FormatFromRequest(&logical.Request{
-				Headers: r.Header,
-			})
-		}
+			client, closer := testVaultServer(t)
+			defer closer()
 
-		resp := c.metricsHelper.ResponseForFormat(format)
-
-		status := resp.Data[logical.HTTPStatusCode].(int)
-		w.Header().Set("Content-Type", resp.Data[logical.HTTPContentType].(string))
-		switch v := resp.Data[logical.HTTPRawBody].(type) {
-		case string:
-			w.WriteHeader(status)
-			w.Write([]byte(v))
-		case []byte:
-			w.WriteHeader(status)
-			w.Write(v)
-		default:
-			logical.RespondError(w, http.StatusInternalServerError, fmt.Errorf("wrong response returned"))
-		}
-	})
-}
+			if err := client.Sys().Mount("kv/", &api.MountInput{
+				Type: "kv-v2",
+			}); err != nil {
+				t.Fatalf("kv-v2 mount attempt failed - err: %#v\n", err)
+			}
 
-func (c *ProxyCommand) handleQuit(enabled bool) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if !enabled {
-			w.WriteHeader(http.StatusNotFound)
-			return
-		}
+			// create a policy with patch capability
+			policy := `path "kv/*" { capabilities = ["create", "update", "read", "patch"] }`
+			secretAuth, err := createTokenForPolicy(t, client, policy)
+			if err != nil {
+				t.Fatalf("policy/token creation failed for policy %s, err: %#v\n", policy, err)
+			}
 
-		switch r.Method {
-		case http.MethodPost:
-		default:
-			w.WriteHeader(http.StatusMethodNotAllowed)
-			return
-		}
+			kvClient, err := client.Clone()
+			if err != nil {
+				t.Fatal(err)
+			}
 
-		c.logger.Debug("received quit request")
-		close(c.ShutdownCh)
-	})
-}
+			kvClient.SetToken(secretAuth.ClientToken)
 
-// newLogger creates a logger based on parsed config field on the Proxy Command struct.
-func (c *ProxyCommand) newLogger() (log.InterceptLogger, error) {
-	if c.config == nil {
-		return nil, fmt.Errorf("cannot create logger, no config")
-	}
+			_, err = kvClient.Logical().Write("kv/data/foo", map[string]interface{}{"data": map[string]interface{}{"bar": "baz"}})
+			if err != nil {
+				t.Fatal(err)
+			}
 
-	var errors error
+			code, _ := kvPatchWithRetry(t, kvClient, tc.args, nil)
 
-	// Parse all the log related config
-	logLevel, err := logging.ParseLogLevel(c.config.LogLevel)
-	if err != nil {
-		errors = multierror.Append(errors, err)
-	}
+			if code != tc.code {
+				t.Fatalf("expected code to be %d but was %d", tc.code, code)
+			}
 
-	logFormat, err := logging.ParseLogFormat(c.config.LogFormat)
-	if err != nil {
-		errors = multierror.Append(errors, err)
+			secret, err := kvClient.Logical().ReadWithContext(context.Background(), "kv/data/foo")
+			if err != nil {
+				t.Fatal(err)
+			}
+			bar := secret.Data["data"].(map[string]interface{})["bar"]
+			if bar != tc.expected {
+				t.Fatalf("expected bar to be %q but it was %q", tc.expected, bar)
+			}
+		})
 	}
+}
 
-	logRotateDuration, err := parseutil.ParseDurationSecond(c.config.LogRotateDuration)
-	if err != nil {
-		errors = multierror.Append(errors, err)
+func TestKVPatchCommand_403Fallback(t *testing.T) {
+	cases := []struct {
+		name     string
+		args     []string
+		expected string
+		code     int
+	}{
+		// if no -method is specified, and patch fails, it should fall back to rw and succeed
+		{
+			"unspecified",
+			[]string{"kv/foo", "bar=quux"},
+			`add the "patch" capability to your ACL policy`,
+			0,
+		},
+		// if -method=patch is specified, and patch fails, it should not fall back, and just error
+		{
+			"specifying patch",
+			[]string{"-method", "patch", "kv/foo", "bar=quux"},
+			"permission denied",
+			2,
+		},
 	}
 
-	if errors != nil {
-		return nil, errors
-	}
+	for _, tc := range cases {
+		tc := tc
 
-	logCfg := &logging.LogConfig{
-		Name:              "proxy",
-		LogLevel:          logLevel,
-		LogFormat:         logFormat,
-		LogFilePath:       c.config.LogFile,
-		LogRotateDuration: logRotateDuration,
-		LogRotateBytes:    c.config.LogRotateBytes,
-		LogRotateMaxFiles: c.config.LogRotateMaxFiles,
-	}
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			client, closer := testVaultServer(t)
+			defer closer()
 
-	l, err := logging.Setup(logCfg, c.logWriter)
-	if err != nil {
-		return nil, err
-	}
+			if err := client.Sys().Mount("kv/", &api.MountInput{
+				Type: "kv-v2",
+			}); err != nil {
+				t.Fatalf("kv-v2 mount attempt failed - err: %#v\n", err)
+			}
 
-	return l, nil
-}
+			// create a policy without patch capability
+			policy := `path "kv/*" { capabilities = ["create", "update", "read"] }`
+			secretAuth, err := createTokenForPolicy(t, client, policy)
+			if err != nil {
+				t.Fatalf("policy/token creation failed for policy %s, err: %#v\n", policy, err)
+			}
 
-// loadConfig attempts to generate a Proxy config from the file(s) specified.
-func (c *ProxyCommand) loadConfig(paths []string) (*proxyConfig.Config, error) {
-	var errors error
-	cfg := proxyConfig.NewConfig()
+			kvClient, err := client.Clone()
+			if err != nil {
+				t.Fatal(err)
+			}
 
-	for _, configPath := range paths {
-		configFromPath, err := proxyConfig.LoadConfig(configPath)
-		if err != nil {
-			errors = multierror.Append(errors, fmt.Errorf("error loading configuration from %s: %w", configPath, err))
-		} else {
-			cfg = cfg.Merge(configFromPath)
-		}
-	}
+			kvClient.SetToken(secretAuth.ClientToken)
 
-	if errors != nil {
-		return nil, errors
-	}
+			// Write a value then attempt to patch it
+			_, err = kvClient.Logical().Write("kv/data/foo", map[string]interface{}{"data": map[string]interface{}{"bar": "baz"}})
+			if err != nil {
+				t.Fatal(err)
+			}
 
-	if err := cfg.ValidateConfig(); err != nil {
-		return nil, fmt.Errorf("error validating configuration: %w", err)
-	}
+			code, combined := kvPatchWithRetry(t, kvClient, tc.args, nil)
+
+			if code != tc.code {
+				t.Fatalf("expected code to be %d but was %d", tc.code, code)
+			}
 
-	return cfg, nil
+			if !strings.Contains(combined, tc.expected) {
+				t.Errorf("expected %q to contain %q", combined, tc.expected)
+			}
+		})
+	}
 }
 
-// reloadConfig will attempt to reload the config from file(s) and adjust certain
-// config values without requiring a restart of the Vault Proxy.
-// If config is retrieved without error it is stored in the config field of the ProxyCommand.
-// This operation is not atomic and could result in updated config but partially applied config settings.
-// The error returned from this func may be a multierror.
-// This function will most likely be called due to Vault Proxy receiving a SIGHUP signal.
-// Currently only reloading the following are supported:
-// * log level
-// * TLS certs for listeners
-func (c *ProxyCommand) reloadConfig(paths []string) error {
-	// Notify systemd that the server is reloading
-	c.notifySystemd(systemd.SdNotifyReloading)
-	defer c.notifySystemd(systemd.SdNotifyReady)
-
-	var errors error
-
-	// Reload the config
-	cfg, err := c.loadConfig(paths)
-	if err != nil {
-		// Returning single error as we won't continue with bad config and won't 'commit' it.
-		return err
+func TestKVPatchCommand_RWMethodPolicyVariations(t *testing.T) {
+	cases := []struct {
+		name     string
+		args     []string
+		policy   string
+		expected string
+		code     int
+	}{
+		// if the policy doesn't have read capability and -method=rw is specified, it fails
+		{
+			"no read",
+			[]string{"-method", "rw", "kv/foo", "bar=quux"},
+			`path "kv/*" { capabilities = ["create", "update"] }`,
+			"permission denied",
+			2,
+		},
+		// if the policy doesn't have update capability and -method=rw is specified, it fails
+		{
+			"no update",
+			[]string{"-method", "rw", "kv/foo", "bar=quux"},
+			`path "kv/*" { capabilities = ["create", "read"] }`,
+			"permission denied",
+			2,
+		},
+		// if the policy has both read and update and -method=rw is specified, it succeeds
+		{
+			"read and update",
+			[]string{"-method", "rw", "kv/foo", "bar=quux"},
+			`path "kv/*" { capabilities = ["create", "read", "update"] }`,
+			"",
+			0,
+		},
 	}
-	c.config = cfg
 
-	// Update the log level
-	err = c.reloadLogLevel()
-	if err != nil {
-		errors = multierror.Append(errors, err)
+	for _, tc := range cases {
+		tc := tc
+
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			client, closer := testVaultServer(t)
+			defer closer()
+
+			if err := client.Sys().Mount("kv/", &api.MountInput{
+				Type: "kv-v2",
+			}); err != nil {
+				t.Fatalf("kv-v2 mount attempt failed - err: %#v\n", err)
+			}
+
+			secretAuth, err := createTokenForPolicy(t, client, tc.policy)
+			if err != nil {
+				t.Fatalf("policy/token creation failed for policy %s, err: %#v\n", tc.policy, err)
+			}
+
+			client.SetToken(secretAuth.ClientToken)
+
+			putArgs := []string{"kv/foo", "foo=bar", "bar=baz"}
+			code, combined := kvPutWithRetry(t, client, putArgs)
+			if code != 0 {
+				t.Errorf("write failed, expected %d to be 0, output: %s", code, combined)
+			}
+
+			code, combined = kvPatchWithRetry(t, client, tc.args, nil)
+			if code != tc.code {
+				t.Fatalf("expected code to be %d but was %d for patch cmd with args %#v\n", tc.code, code, tc.args)
+			}
+
+			if code != 0 {
+				if !strings.Contains(combined, tc.expected) {
+					t.Fatalf("expected output %q to contain %q for patch cmd with args %#v\n", combined, tc.expected, tc.args)
+				}
+			}
+		})
 	}
+}
 
-	// Update certs
-	err = c.reloadCerts()
-	if err != nil {
-		errors = multierror.Append(errors, err)
+func TestPadEqualSigns(t *testing.T) {
+	t.Parallel()
+
+	header := "Test Header"
+
+	cases := []struct {
+		name          string
+		totalPathLen  int
+		expectedCount int
+	}{
+		{
+			name:          "path with even length",
+			totalPathLen:  20,
+			expectedCount: 4,
+		},
+		{
+			name:          "path with odd length",
+			totalPathLen:  19,
+			expectedCount: 3,
+		},
+		{
+			name:          "smallest possible path",
+			totalPathLen:  8,
+			expectedCount: 2,
+		},
 	}
 
-	return errors
-}
+	for _, tc := range cases {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
 
-// reloadLogLevel will attempt to update the log level for the logger attached
-// to the ProxyCommand struct using the value currently set in config.
-func (c *ProxyCommand) reloadLogLevel() error {
-	logLevel, err := logging.ParseLogLevel(c.config.LogLevel)
-	if err != nil {
-		return err
+			padded := padEqualSigns(header, tc.totalPathLen)
+
+			signs := strings.Split(padded, fmt.Sprintf(" %s ", header))
+			if len(signs[0]) != len(signs[1]) {
+				t.Fatalf("expected an equal number of equal signs on both sides")
+			}
+			for _, sign := range signs {
+				count := strings.Count(sign, "=")
+				if count != tc.expectedCount {
+					t.Fatalf("expected %d equal signs but there were %d", tc.expectedCount, count)
+				}
+			}
+		})
 	}
+}
 
-	c.logger.SetLevel(logLevel)
+func testKVUndeleteCommand(tb testing.TB) (*cli.MockUi, *KVUndeleteCommand) {
+	tb.Helper()
 
-	return nil
+	ui := cli.NewMockUi()
+	return ui, &KVUndeleteCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
 }
 
-// reloadCerts will attempt to reload certificates using a reload func which
-// was provided when the listeners were configured, only funcs that were appended
-// to the ProxyCommand slice will be invoked.
-// This function returns a multierror type so that every func can report an error
-// if it encounters one.
-func (c *ProxyCommand) reloadCerts() error {
-	var errors error
-
-	c.tlsReloadFuncsLock.RLock()
-	defer c.tlsReloadFuncsLock.RUnlock()
-
-	for _, reloadFunc := range c.tlsReloadFuncs {
-		// Non-TLS listeners will have a nil reload func.
-		if reloadFunc != nil {
-			err := reloadFunc()
-			if err != nil {
-				errors = multierror.Append(errors, err)
-			}
-		}
+func TestKVUndeleteCommand(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name       string
+		args       []string
+		outStrings []string
+		code       int
+	}{
+		{
+			"not_enough_args",
+			[]string{},
+			[]string{"Not enough arguments"},
+			1,
+		},
+		{
+			"too_many_args",
+			[]string{"foo", "bar"},
+			[]string{"Too many arguments"},
+			1,
+		},
+		{
+			"no_versions",
+			[]string{"-mount", "kv", "/read/foo"},
+			[]string{"No versions provided"},
+			1,
+		},
+		{
+			"v2_mount_flag_syntax",
+			[]string{"-versions", "1", "-mount", "kv", "read/foo"},
+			[]string{"Success! Data written to: kv/undelete/read/foo"},
+			0,
+		},
+		{
+			"v2_mount_flag_syntax_complex_1",
+			[]string{"-versions", "1", "-mount", "secrets/testapp", "test"},
+			[]string{"Success! Data written to: secrets/testapp/undelete/test"},
+			0,
+		},
+		{
+			"v2_mount_flag_syntax_complex_2",
+			[]string{"-versions", "1", "-mount", "secrets/x/testapp", "test"},
+			[]string{"Success! Data written to: secrets/x/testapp/undelete/test"},
+			0,
+		},
 	}
 
-	return errors
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range cases {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, closer := testVaultServer(t)
+				defer closer()
+				if err := client.Sys().Mount("kv/", &api.MountInput{
+					Type: "kv-v2",
+				}); err != nil {
+					t.Fatal(err)
+				}
+
+				if err := client.Sys().Mount("secrets/testapp", &api.MountInput{
+					Type: "kv-v2",
+				}); err != nil {
+					t.Fatal(err)
+				}
+
+				// Additional layer of mount path
+				if err := client.Sys().Mount("secrets/x/testapp", &api.MountInput{
+					Type: "kv-v2",
+				}); err != nil {
+					t.Fatal(err)
+				}
+
+				// Give time for the upgrade code to run/finish
+				time.Sleep(time.Second)
+
+				if _, err := client.Logical().Write("kv/data/read/foo", map[string]interface{}{
+					"data": map[string]interface{}{
+						"foo": "bar",
+					},
+				}); err != nil {
+					t.Fatal(err)
+				}
+
+				// Delete the entry so we can undelete it
+				if _, err := client.Logical().Delete("kv/data/read/foo"); err != nil {
+					t.Fatal(err)
+				}
+
+				if _, err := client.Logical().Write("secrets/testapp/data/test", map[string]interface{}{
+					"data": map[string]interface{}{
+						"complex": "yes",
+					},
+				}); err != nil {
+					t.Fatal(err)
+				}
+
+				if _, err := client.Logical().Write("secrets/x/testapp/data/test", map[string]interface{}{
+					"data": map[string]interface{}{
+						"complex": "yes",
+					},
+				}); err != nil {
+					t.Fatal(err)
+				}
+
+				// Delete the entry so we can undelete it
+				if _, err := client.Logical().Delete("secrets/x/testapp/data/test"); err != nil {
+					t.Fatal(err)
+				}
+
+				// Delete the entry so we can undelete it
+				if _, err := client.Logical().Delete("secrets/testapp/data/test"); err != nil {
+					t.Fatal(err)
+				}
+
+				ui, cmd := testKVUndeleteCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+
+				for _, str := range tc.outStrings {
+					if !strings.Contains(combined, str) {
+						t.Errorf("expected %q to contain %q", combined, str)
+					}
+				}
+			})
+		}
+	})
 }
 
-// outputErrors will take an error or multierror and handle outputting each to the UI
-func (c *ProxyCommand) outputErrors(err error) {
+func createTokenForPolicy(t *testing.T, client *api.Client, policy string) (*api.SecretAuth, error) {
+	t.Helper()
+
+	if err := client.Sys().PutPolicy("policy", policy); err != nil {
+		return nil, err
+	}
+
+	secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
+		Policies: []string{"policy"},
+		TTL:      "30m",
+	})
 	if err != nil {
-		if me, ok := err.(*multierror.Error); ok {
-			for _, err := range me.Errors {
-				c.UI.Error(err.Error())
-			}
-		} else {
-			c.UI.Error(err.Error())
-		}
+		return nil, err
 	}
+
+	if secret == nil || secret.Auth == nil || secret.Auth.ClientToken == "" {
+		return nil, fmt.Errorf("missing auth data: %#v", secret)
+	}
+
+	return secret.Auth, err
 }
diff --git a/command/proxy_test.go b/command/proxy_test.go
index ef856e9127a6..7d438387193b 100644
--- a/command/proxy_test.go
+++ b/command/proxy_test.go
@@ -4,2168 +4,181 @@
 package command
 
 import (
-	"context"
-	"crypto/tls"
-	"crypto/x509"
 	"fmt"
-	"net/http"
-	"os"
-	"path/filepath"
-	"reflect"
+	"path"
 	"strings"
-	"sync"
-	"testing"
-	"time"
 
-	"github.com/hashicorp/go-hclog"
-	vaultjwt "github.com/hashicorp/vault-plugin-auth-jwt"
-	logicalKv "github.com/hashicorp/vault-plugin-secrets-kv"
-	"github.com/hashicorp/vault/api"
-	credAppRole "github.com/hashicorp/vault/builtin/credential/approle"
-	"github.com/hashicorp/vault/command/agent"
-	proxyConfig "github.com/hashicorp/vault/command/proxy/config"
-	"github.com/hashicorp/vault/helper/testhelpers/minimal"
-	"github.com/hashicorp/vault/helper/useragent"
-	vaulthttp "github.com/hashicorp/vault/http"
-	"github.com/hashicorp/vault/sdk/helper/logging"
-	"github.com/hashicorp/vault/sdk/logical"
-	"github.com/hashicorp/vault/vault"
-	"github.com/mitchellh/cli"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
 )
 
-func testProxyCommand(tb testing.TB, logger hclog.Logger) (*cli.MockUi, *ProxyCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &ProxyCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-		ShutdownCh: MakeShutdownCh(),
-		SighupCh:   MakeSighupCh(),
-		logger:     logger,
-		startedCh:  make(chan struct{}, 5),
-		reloadedCh: make(chan struct{}, 5),
-	}
-}
-
-// TestProxy_ExitAfterAuth tests the exit_after_auth flag, provided both
-// as config and via -exit-after-auth.
-func TestProxy_ExitAfterAuth(t *testing.T) {
-	t.Run("via_config", func(t *testing.T) {
-		testProxyExitAfterAuth(t, false)
-	})
-
-	t.Run("via_flag", func(t *testing.T) {
-		testProxyExitAfterAuth(t, true)
-	})
-}
-
-func testProxyExitAfterAuth(t *testing.T, viaFlag bool) {
-	logger := logging.NewVaultLogger(hclog.Trace)
-	coreConfig := &vault.CoreConfig{
-		CredentialBackends: map[string]logical.Factory{
-			"jwt": vaultjwt.Factory,
-		},
-	}
-	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
-		HandlerFunc: vaulthttp.Handler,
-	})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
-	client := cluster.Cores[0].Client
-
-	// Setup Vault
-	err := client.Sys().EnableAuthWithOptions("jwt", &api.EnableAuthOptions{
-		Type: "jwt",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = client.Logical().Write("auth/jwt/config", map[string]interface{}{
-		"bound_issuer":           "https://team-vault.auth0.com/",
-		"jwt_validation_pubkeys": agent.TestECDSAPubKey,
-		"jwt_supported_algs":     "ES256",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = client.Logical().Write("auth/jwt/role/test", map[string]interface{}{
-		"role_type":       "jwt",
-		"bound_subject":   "r3qXcK2bix9eFECzsU3Sbmh0K16fatW6@clients",
-		"bound_audiences": "https://vault.plugin.auth.jwt.test",
-		"user_claim":      "https://vault/user",
-		"groups_claim":    "https://vault/groups",
-		"policies":        "test",
-		"period":          "3s",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	dir := t.TempDir()
-	inf, err := os.CreateTemp(dir, "auth.jwt.test.")
-	if err != nil {
-		t.Fatal(err)
-	}
-	in := inf.Name()
-	inf.Close()
-	// We remove these files in this test since we don't need the files, we just need
-	// a non-conflicting file name for the config.
-	os.Remove(in)
-	t.Logf("input: %s", in)
-
-	sink1f, err := os.CreateTemp(dir, "sink1.jwt.test.")
-	if err != nil {
-		t.Fatal(err)
-	}
-	sink1 := sink1f.Name()
-	sink1f.Close()
-	os.Remove(sink1)
-	t.Logf("sink1: %s", sink1)
-
-	sink2f, err := os.CreateTemp(dir, "sink2.jwt.test.")
-	if err != nil {
-		t.Fatal(err)
-	}
-	sink2 := sink2f.Name()
-	sink2f.Close()
-	os.Remove(sink2)
-	t.Logf("sink2: %s", sink2)
-
-	conff, err := os.CreateTemp(dir, "conf.jwt.test.")
-	if err != nil {
-		t.Fatal(err)
-	}
-	conf := conff.Name()
-	conff.Close()
-	os.Remove(conf)
-	t.Logf("config: %s", conf)
-
-	jwtToken, _ := agent.GetTestJWT(t)
-	if err := os.WriteFile(in, []byte(jwtToken), 0o600); err != nil {
-		t.Fatal(err)
-	} else {
-		logger.Trace("wrote test jwt", "path", in)
-	}
-
-	exitAfterAuthTemplText := "exit_after_auth = true"
-	if viaFlag {
-		exitAfterAuthTemplText = ""
-	}
-
-	config := `
-%s
-
-auto_auth {
-        method {
-                type = "jwt"
-                config = {
-                        role = "test"
-                        path = "%s"
-                }
-        }
-
-        sink {
-                type = "file"
-                config = {
-                        path = "%s"
-                }
-        }
-
-        sink "file" {
-                config = {
-                        path = "%s"
-                }
-        }
-}
-`
-
-	config = fmt.Sprintf(config, exitAfterAuthTemplText, in, sink1, sink2)
-	if err := os.WriteFile(conf, []byte(config), 0o600); err != nil {
-		t.Fatal(err)
-	} else {
-		logger.Trace("wrote test config", "path", conf)
-	}
-
-	doneCh := make(chan struct{})
-	go func() {
-		ui, cmd := testProxyCommand(t, logger)
-		cmd.client = client
-
-		args := []string{"-config", conf}
-		if viaFlag {
-			args = append(args, "-exit-after-auth")
-		}
-
-		code := cmd.Run(args)
-		if code != 0 {
-			t.Errorf("expected %d to be %d", code, 0)
-			t.Logf("output from proxy:\n%s", ui.OutputWriter.String())
-			t.Logf("error from proxy:\n%s", ui.ErrorWriter.String())
-		}
-		close(doneCh)
-	}()
-
-	select {
-	case <-doneCh:
-		break
-	case <-time.After(1 * time.Minute):
-		t.Fatal("timeout reached while waiting for proxy to exit")
-	}
-
-	sink1Bytes, err := os.ReadFile(sink1)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if len(sink1Bytes) == 0 {
-		t.Fatal("got no output from sink 1")
-	}
-
-	sink2Bytes, err := os.ReadFile(sink2)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if len(sink2Bytes) == 0 {
-		t.Fatal("got no output from sink 2")
-	}
-
-	if string(sink1Bytes) != string(sink2Bytes) {
-		t.Fatal("sink 1/2 values don't match")
-	}
-}
-
-// TestProxy_AutoAuth_UserAgent tests that the User-Agent sent
-// to Vault by Vault Proxy is correct when performing Auto-Auth.
-// Uses the custom handler userAgentHandler (defined above) so
-// that Vault validates the User-Agent on requests sent by Proxy.
-func TestProxy_AutoAuth_UserAgent(t *testing.T) {
-	logger := logging.NewVaultLogger(hclog.Trace)
-	var h userAgentHandler
-	cluster := vault.NewTestCluster(t, &vault.CoreConfig{
-		CredentialBackends: map[string]logical.Factory{
-			"approle": credAppRole.Factory,
-		},
-	}, &vault.TestClusterOptions{
-		NumCores: 1,
-		HandlerFunc: vaulthttp.HandlerFunc(
-			func(properties *vault.HandlerProperties) http.Handler {
-				h.props = properties
-				h.userAgentToCheckFor = useragent.ProxyAutoAuthString()
-				h.requestMethodToCheck = "PUT"
-				h.pathToCheck = "auth/approle/login"
-				h.t = t
-				return &h
-			}),
-	})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	serverClient := cluster.Cores[0].Client
-
-	// Enable the approle auth method
-	req := serverClient.NewRequest("POST", "/v1/sys/auth/approle")
-	req.BodyBytes = []byte(`{
-		"type": "approle"
-	}`)
-	request(t, serverClient, req, 204)
-
-	// Create a named role
-	req = serverClient.NewRequest("PUT", "/v1/auth/approle/role/test-role")
-	req.BodyBytes = []byte(`{
-	  "secret_id_num_uses": "10",
-	  "secret_id_ttl": "1m",
-	  "token_max_ttl": "1m",
-	  "token_num_uses": "10",
-	  "token_ttl": "1m",
-	  "policies": "default"
-	}`)
-	request(t, serverClient, req, 204)
-
-	// Fetch the RoleID of the named role
-	req = serverClient.NewRequest("GET", "/v1/auth/approle/role/test-role/role-id")
-	body := request(t, serverClient, req, 200)
-	data := body["data"].(map[string]interface{})
-	roleID := data["role_id"].(string)
-
-	// Get a SecretID issued against the named role
-	req = serverClient.NewRequest("PUT", "/v1/auth/approle/role/test-role/secret-id")
-	body = request(t, serverClient, req, 200)
-	data = body["data"].(map[string]interface{})
-	secretID := data["secret_id"].(string)
-
-	// Write the RoleID and SecretID to temp files
-	roleIDPath := makeTempFile(t, "role_id.txt", roleID+"\n")
-	secretIDPath := makeTempFile(t, "secret_id.txt", secretID+"\n")
-	defer os.Remove(roleIDPath)
-	defer os.Remove(secretIDPath)
-
-	sinkf, err := os.CreateTemp("", "sink.test.")
-	if err != nil {
-		t.Fatal(err)
-	}
-	sink := sinkf.Name()
-	sinkf.Close()
-	os.Remove(sink)
-
-	autoAuthConfig := fmt.Sprintf(`
-auto_auth {
-    method "approle" {
-        mount_path = "auth/approle"
-        config = {
-            role_id_file_path = "%s"
-            secret_id_file_path = "%s"
-        }
-    }
-
-	sink "file" {
-		config = {
-			path = "%s"
-		}
-	}
-}`, roleIDPath, secretIDPath, sink)
-
-	listenAddr := generateListenerAddress(t)
-	listenConfig := fmt.Sprintf(`
-listener "tcp" {
-  address = "%s"
-  tls_disable = true
-}
-`, listenAddr)
-
-	config := fmt.Sprintf(`
-vault {
-  address = "%s"
-  tls_skip_verify = true
-}
-api_proxy {
-  use_auto_auth_token = true
-}
-%s
-%s
-`, serverClient.Address(), listenConfig, autoAuthConfig)
-	configPath := makeTempFile(t, "config.hcl", config)
-	defer os.Remove(configPath)
-
-	// Unset the environment variable so that proxy picks up the right test
-	// cluster address
-	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
-	os.Unsetenv(api.EnvVaultAddress)
-
-	// Start proxy
-	_, cmd := testProxyCommand(t, logger)
-	cmd.startedCh = make(chan struct{})
-
-	wg := &sync.WaitGroup{}
-	wg.Add(1)
-	go func() {
-		cmd.Run([]string{"-config", configPath})
-		wg.Done()
-	}()
-
-	select {
-	case <-cmd.startedCh:
-	case <-time.After(5 * time.Second):
-		t.Errorf("timeout")
-	}
-
-	// Validate that the auto-auth token has been correctly attained
-	// and works for LookupSelf
-	conf := api.DefaultConfig()
-	conf.Address = "http://" + listenAddr
-	proxyClient, err := api.NewClient(conf)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-
-	proxyClient.SetToken("")
-	err = proxyClient.SetAddress("http://" + listenAddr)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Wait for the token to be sent to syncs and be available to be used
-	time.Sleep(5 * time.Second)
-
-	req = proxyClient.NewRequest("GET", "/v1/auth/token/lookup-self")
-	body = request(t, proxyClient, req, 200)
-
-	close(cmd.ShutdownCh)
-	wg.Wait()
-}
-
-// TestProxy_APIProxyWithoutCache_UserAgent tests that the User-Agent sent
-// to Vault by Vault Proxy is correct using the API proxy without
-// the cache configured. Uses the custom handler
-// userAgentHandler struct defined in this test package, so that Vault validates the
-// User-Agent on requests sent by Proxy.
-func TestProxy_APIProxyWithoutCache_UserAgent(t *testing.T) {
-	logger := logging.NewVaultLogger(hclog.Trace)
-	userAgentForProxiedClient := "proxied-client"
-	var h userAgentHandler
-	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
-		NumCores: 1,
-		HandlerFunc: vaulthttp.HandlerFunc(
-			func(properties *vault.HandlerProperties) http.Handler {
-				h.props = properties
-				h.userAgentToCheckFor = useragent.ProxyStringWithProxiedUserAgent(userAgentForProxiedClient)
-				h.pathToCheck = "/v1/auth/token/lookup-self"
-				h.requestMethodToCheck = "GET"
-				h.t = t
-				return &h
-			}),
-	})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	serverClient := cluster.Cores[0].Client
-
-	// Unset the environment variable so that proxy picks up the right test
-	// cluster address
-	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
-	os.Unsetenv(api.EnvVaultAddress)
-
-	listenAddr := generateListenerAddress(t)
-	listenConfig := fmt.Sprintf(`
-listener "tcp" {
-  address = "%s"
-  tls_disable = true
-}
-`, listenAddr)
-
-	config := fmt.Sprintf(`
-vault {
-  address = "%s"
-  tls_skip_verify = true
-}
-%s
-`, serverClient.Address(), listenConfig)
-	configPath := makeTempFile(t, "config.hcl", config)
-	defer os.Remove(configPath)
-
-	// Start the proxy
-	_, cmd := testProxyCommand(t, logger)
-	cmd.startedCh = make(chan struct{})
-
-	wg := &sync.WaitGroup{}
-	wg.Add(1)
-	go func() {
-		cmd.Run([]string{"-config", configPath})
-		wg.Done()
-	}()
-
-	select {
-	case <-cmd.startedCh:
-	case <-time.After(5 * time.Second):
-		t.Errorf("timeout")
-	}
-
-	proxyClient, err := api.NewClient(api.DefaultConfig())
-	if err != nil {
-		t.Fatal(err)
-	}
-	proxyClient.AddHeader("User-Agent", userAgentForProxiedClient)
-	proxyClient.SetToken(serverClient.Token())
-	proxyClient.SetMaxRetries(0)
-	err = proxyClient.SetAddress("http://" + listenAddr)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = proxyClient.Auth().Token().LookupSelf()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	close(cmd.ShutdownCh)
-	wg.Wait()
-}
-
-// TestProxy_APIProxyWithCache_UserAgent tests that the User-Agent sent
-// to Vault by Vault Proxy is correct using the API proxy with
-// the cache configured.  Uses the custom handler
-// userAgentHandler struct defined in this test package, so that Vault validates the
-// User-Agent on requests sent by Proxy.
-func TestProxy_APIProxyWithCache_UserAgent(t *testing.T) {
-	logger := logging.NewVaultLogger(hclog.Trace)
-	userAgentForProxiedClient := "proxied-client"
-	var h userAgentHandler
-	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
-		NumCores: 1,
-		HandlerFunc: vaulthttp.HandlerFunc(
-			func(properties *vault.HandlerProperties) http.Handler {
-				h.props = properties
-				h.userAgentToCheckFor = useragent.ProxyStringWithProxiedUserAgent(userAgentForProxiedClient)
-				h.pathToCheck = "/v1/auth/token/lookup-self"
-				h.requestMethodToCheck = "GET"
-				h.t = t
-				return &h
-			}),
-	})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	serverClient := cluster.Cores[0].Client
-
-	// Unset the environment variable so that proxy picks up the right test
-	// cluster address
-	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
-	os.Unsetenv(api.EnvVaultAddress)
-
-	listenAddr := generateListenerAddress(t)
-	listenConfig := fmt.Sprintf(`
-listener "tcp" {
-  address = "%s"
-  tls_disable = true
-}
-`, listenAddr)
-
-	cacheConfig := `
-cache {
-}`
-
-	config := fmt.Sprintf(`
-vault {
-  address = "%s"
-  tls_skip_verify = true
-}
-%s
-%s
-`, serverClient.Address(), listenConfig, cacheConfig)
-	configPath := makeTempFile(t, "config.hcl", config)
-	defer os.Remove(configPath)
-
-	// Start the proxy
-	_, cmd := testProxyCommand(t, logger)
-	cmd.startedCh = make(chan struct{})
-
-	wg := &sync.WaitGroup{}
-	wg.Add(1)
-	go func() {
-		cmd.Run([]string{"-config", configPath})
-		wg.Done()
-	}()
-
-	select {
-	case <-cmd.startedCh:
-	case <-time.After(5 * time.Second):
-		t.Errorf("timeout")
-	}
-
-	proxyClient, err := api.NewClient(api.DefaultConfig())
-	if err != nil {
-		t.Fatal(err)
-	}
-	proxyClient.AddHeader("User-Agent", userAgentForProxiedClient)
-	proxyClient.SetToken(serverClient.Token())
-	proxyClient.SetMaxRetries(0)
-	err = proxyClient.SetAddress("http://" + listenAddr)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = proxyClient.Auth().Token().LookupSelf()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	close(cmd.ShutdownCh)
-	wg.Wait()
-}
-
-// TestProxy_Cache_DynamicSecret tests that the cache successfully caches a dynamic secret
-// going through the Proxy, and that a subsequent request will be served from the cache.
-func TestProxy_Cache_DynamicSecret(t *testing.T) {
-	logger := logging.NewVaultLogger(hclog.Trace)
-	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
-		HandlerFunc: vaulthttp.Handler,
-	})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	serverClient := cluster.Cores[0].Client
-
-	// Unset the environment variable so that proxy picks up the right test
-	// cluster address
-	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
-	os.Unsetenv(api.EnvVaultAddress)
-
-	cacheConfig := `
-cache {
-}
-`
-	listenAddr := generateListenerAddress(t)
-	listenConfig := fmt.Sprintf(`
-listener "tcp" {
-  address = "%s"
-  tls_disable = true
-}
-`, listenAddr)
-
-	config := fmt.Sprintf(`
-vault {
-  address = "%s"
-  tls_skip_verify = true
-}
-%s
-%s
-`, serverClient.Address(), cacheConfig, listenConfig)
-	configPath := makeTempFile(t, "config.hcl", config)
-	defer os.Remove(configPath)
-
-	// Start proxy
-	_, cmd := testProxyCommand(t, logger)
-	cmd.startedCh = make(chan struct{})
-
-	wg := &sync.WaitGroup{}
-	wg.Add(1)
-	go func() {
-		cmd.Run([]string{"-config", configPath})
-		wg.Done()
-	}()
-
-	select {
-	case <-cmd.startedCh:
-	case <-time.After(5 * time.Second):
-		t.Errorf("timeout")
-	}
-
-	proxyClient, err := api.NewClient(api.DefaultConfig())
-	if err != nil {
-		t.Fatal(err)
-	}
-	proxyClient.SetToken(serverClient.Token())
-	proxyClient.SetMaxRetries(0)
-	err = proxyClient.SetAddress("http://" + listenAddr)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	renewable := true
-	tokenCreateRequest := &api.TokenCreateRequest{
-		Policies:  []string{"default"},
-		TTL:       "30m",
-		Renewable: &renewable,
-	}
-
-	// This was the simplest test I could find to trigger the caching behaviour,
-	// i.e. the most concise I could make the test that I can tell
-	// creating an orphan token returns Auth, is renewable, and isn't a token
-	// that's managed elsewhere (since it's an orphan)
-	secret, err := proxyClient.Auth().Token().CreateOrphan(tokenCreateRequest)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if secret == nil || secret.Auth == nil {
-		t.Fatalf("secret not as expected: %v", secret)
-	}
-
-	token := secret.Auth.ClientToken
-
-	secret, err = proxyClient.Auth().Token().CreateOrphan(tokenCreateRequest)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if secret == nil || secret.Auth == nil {
-		t.Fatalf("secret not as expected: %v", secret)
-	}
-
-	token2 := secret.Auth.ClientToken
-
-	if token != token2 {
-		t.Fatalf("token create response not cached when it should have been, as tokens differ")
-	}
-
-	close(cmd.ShutdownCh)
-	wg.Wait()
-}
-
-// TestProxy_Cache_DisableDynamicSecretCaching tests that the cache will not cache a dynamic secret
-// if disabled in the options.
-func TestProxy_Cache_DisableDynamicSecretCaching(t *testing.T) {
-	logger := logging.NewVaultLogger(hclog.Trace)
-	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
-		HandlerFunc: vaulthttp.Handler,
-	})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	serverClient := cluster.Cores[0].Client
-
-	tokenFileName := makeTempFile(t, "token-file", serverClient.Token())
-	defer os.Remove(tokenFileName)
-	// We need auto-auth for static secret caching.
-	// For ease, we use the token file path with the root token.
-	autoAuthConfig := fmt.Sprintf(`
-auto_auth {
-    method {
-		type = "token_file"
-        config = {
-            token_file_path = "%s"
-        }
-    }
-}`, tokenFileName)
-
-	// Unset the environment variable so that proxy picks up the right test
-	// cluster address
-	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
-	os.Unsetenv(api.EnvVaultAddress)
-
-	cacheConfig := `
-cache {
-	disable_caching_dynamic_secrets = true
-	cache_static_secrets = true // We need to cache at least one kind of secret
-}
-`
-	listenAddr := generateListenerAddress(t)
-	listenConfig := fmt.Sprintf(`
-listener "tcp" {
-  address = "%s"
-  tls_disable = true
-}
-`, listenAddr)
-
-	config := fmt.Sprintf(`
-vault {
-  address = "%s"
-  tls_skip_verify = true
-}
-%s
-%s
-%s
-`, serverClient.Address(), cacheConfig, listenConfig, autoAuthConfig)
-	configPath := makeTempFile(t, "config.hcl", config)
-	defer os.Remove(configPath)
-
-	// Start proxy
-	_, cmd := testProxyCommand(t, logger)
-	cmd.startedCh = make(chan struct{})
-
-	wg := &sync.WaitGroup{}
-	wg.Add(1)
-	go func() {
-		cmd.Run([]string{"-config", configPath})
-		wg.Done()
-	}()
-
-	select {
-	case <-cmd.startedCh:
-	case <-time.After(5 * time.Second):
-		t.Errorf("timeout")
-	}
-
-	proxyClient, err := api.NewClient(api.DefaultConfig())
-	if err != nil {
-		t.Fatal(err)
-	}
-	proxyClient.SetToken(serverClient.Token())
-	proxyClient.SetMaxRetries(0)
-	err = proxyClient.SetAddress("http://" + listenAddr)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	renewable := true
-	tokenCreateRequest := &api.TokenCreateRequest{
-		Policies:  []string{"default"},
-		TTL:       "30m",
-		Renewable: &renewable,
-	}
-
-	// This was the simplest test I could find to trigger the caching behaviour,
-	// i.e. the most concise I could make the test that I can tell
-	// creating an orphan token returns Auth, is renewable, and isn't a token
-	// that's managed elsewhere (since it's an orphan)
-	secret, err := proxyClient.Auth().Token().CreateOrphan(tokenCreateRequest)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if secret == nil || secret.Auth == nil {
-		t.Fatalf("secret not as expected: %v", secret)
-	}
-
-	token := secret.Auth.ClientToken
-
-	secret, err = proxyClient.Auth().Token().CreateOrphan(tokenCreateRequest)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if secret == nil || secret.Auth == nil {
-		t.Fatalf("secret not as expected: %v", secret)
-	}
-
-	token2 := secret.Auth.ClientToken
-
-	if token == token2 {
-		t.Fatalf("token create response was cached, as the tokens differ")
-	}
-
-	close(cmd.ShutdownCh)
-	wg.Wait()
-}
-
-// TestProxy_Cache_StaticSecret Tests that the cache successfully caches a static secret
-// going through the Proxy,
-func TestProxy_Cache_StaticSecret(t *testing.T) {
-	logger := logging.NewVaultLogger(hclog.Trace)
-	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
-		HandlerFunc: vaulthttp.Handler,
-	})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	serverClient := cluster.Cores[0].Client
-
-	// Unset the environment variable so that proxy picks up the right test
-	// cluster address
-	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
-	os.Unsetenv(api.EnvVaultAddress)
-
-	tokenFileName := makeTempFile(t, "token-file", serverClient.Token())
-	defer os.Remove(tokenFileName)
-	// We need auto-auth so that the event system can run.
-	// For ease, we use the token file path with the root token.
-	autoAuthConfig := fmt.Sprintf(`
-auto_auth {
-    method {
-		type = "token_file"
-        config = {
-            token_file_path = "%s"
-        }
-    }
-}`, tokenFileName)
-
-	cacheConfig := `
-cache {
-	cache_static_secrets = true
-}
-`
-	listenAddr := generateListenerAddress(t)
-	listenConfig := fmt.Sprintf(`
-listener "tcp" {
-  address = "%s"
-  tls_disable = true
-}
-`, listenAddr)
-
-	config := fmt.Sprintf(`
-vault {
-  address = "%s"
-  tls_skip_verify = true
-}
-%s
-%s
-%s
-log_level = "trace"
-`, serverClient.Address(), cacheConfig, listenConfig, autoAuthConfig)
-	configPath := makeTempFile(t, "config.hcl", config)
-	defer os.Remove(configPath)
-
-	// Start proxy
-	ui, cmd := testProxyCommand(t, logger)
-	cmd.startedCh = make(chan struct{})
-
-	wg := &sync.WaitGroup{}
-	wg.Add(1)
-	go func() {
-		cmd.Run([]string{"-config", configPath})
-		wg.Done()
-	}()
-
-	select {
-	case <-cmd.startedCh:
-	case <-time.After(5 * time.Second):
-		t.Errorf("timeout")
-		t.Errorf("stdout: %s", ui.OutputWriter.String())
-		t.Errorf("stderr: %s", ui.ErrorWriter.String())
-	}
-
-	proxyClient, err := api.NewClient(api.DefaultConfig())
-	if err != nil {
-		t.Fatal(err)
-	}
-	proxyClient.SetToken(serverClient.Token())
-	proxyClient.SetMaxRetries(0)
-	err = proxyClient.SetAddress("http://" + listenAddr)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	secretData := map[string]interface{}{
-		"foo": "bar",
-	}
-
-	// Create kvv1 secret
-	err = serverClient.KVv1("secret").Put(context.Background(), "my-secret", secretData)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// We use raw requests so we can check the headers for cache hit/miss.
-	// We expect the first to miss, and the second to hit.
-	req := proxyClient.NewRequest(http.MethodGet, "/v1/secret/my-secret")
-	resp1, err := proxyClient.RawRequest(req)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	cacheValue := resp1.Header.Get("X-Cache")
-	require.Equal(t, "MISS", cacheValue)
-
-	req = proxyClient.NewRequest(http.MethodGet, "/v1/secret/my-secret")
-	resp2, err := proxyClient.RawRequest(req)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	cacheValue = resp2.Header.Get("X-Cache")
-	require.Equal(t, "HIT", cacheValue)
-
-	// Lastly, we check to make sure the actual data we received is
-	// as we expect. We must use ParseSecret due to the raw requests.
-	secret1, err := api.ParseSecret(resp1.Body)
-	if err != nil {
-		t.Fatal(err)
-	}
-	require.Equal(t, secretData, secret1.Data)
-
-	secret2, err := api.ParseSecret(resp2.Body)
-	if err != nil {
-		t.Fatal(err)
-	}
-	require.Equal(t, secret1.Data, secret2.Data)
-
-	close(cmd.ShutdownCh)
-	wg.Wait()
-}
-
-// TestProxy_Cache_EventSystemUpdatesCacheKVV1 Tests that the cache successfully caches a static secret
-// going through the Proxy, and then the cache gets updated on a POST to the KVV1 secret due to an
-// event.
-func TestProxy_Cache_EventSystemUpdatesCacheKVV1(t *testing.T) {
-	logger := logging.NewVaultLogger(hclog.Trace)
-	cluster := vault.NewTestCluster(t, &vault.CoreConfig{
-		LogicalBackends: map[string]logical.Factory{
-			"kv": logicalKv.Factory,
-		},
-	}, &vault.TestClusterOptions{
-		HandlerFunc: vaulthttp.Handler,
-	})
-
-	serverClient := cluster.Cores[0].Client
-
-	// Unset the environment variable so that proxy picks up the right test
-	// cluster address
-	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
-	os.Unsetenv(api.EnvVaultAddress)
-
-	tokenFileName := makeTempFile(t, "token-file", serverClient.Token())
-	defer os.Remove(tokenFileName)
-	// We need auto-auth so that the event system can run.
-	// For ease, we use the token file path with the root token.
-	autoAuthConfig := fmt.Sprintf(`
-auto_auth {
-    method {
-		type = "token_file"
-        config = {
-            token_file_path = "%s"
-        }
-    }
-}`, tokenFileName)
-
-	cacheConfig := `
-cache {
-	cache_static_secrets = true
-}
-`
-	listenAddr := generateListenerAddress(t)
-	listenConfig := fmt.Sprintf(`
-listener "tcp" {
-  address = "%s"
-  tls_disable = true
-}
-`, listenAddr)
-
-	config := fmt.Sprintf(`
-vault {
-  address = "%s"
-  tls_skip_verify = true
-}
-%s
-%s
-%s
-log_level = "trace"
-`, serverClient.Address(), cacheConfig, listenConfig, autoAuthConfig)
-	configPath := makeTempFile(t, "config.hcl", config)
-	defer os.Remove(configPath)
-
-	// Start proxy
-	ui, cmd := testProxyCommand(t, logger)
-	cmd.startedCh = make(chan struct{})
-
-	wg := &sync.WaitGroup{}
-	wg.Add(1)
-	go func() {
-		cmd.Run([]string{"-config", configPath})
-		wg.Done()
-	}()
-
-	select {
-	case <-cmd.startedCh:
-	case <-time.After(5 * time.Second):
-		t.Errorf("timeout")
-		t.Errorf("stdout: %s", ui.OutputWriter.String())
-		t.Errorf("stderr: %s", ui.ErrorWriter.String())
-	}
-
-	proxyClient, err := api.NewClient(api.DefaultConfig())
-	if err != nil {
-		t.Fatal(err)
-	}
-	proxyClient.SetToken(serverClient.Token())
-	proxyClient.SetMaxRetries(0)
-	err = proxyClient.SetAddress("http://" + listenAddr)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	secretData := map[string]interface{}{
-		"foo": "bar",
-	}
-
-	secretData2 := map[string]interface{}{
-		"bar": "baz",
-	}
-
-	// Wait for the event system to successfully connect.
-	// The test would pass without this time.Sleep, due to the call to updater.preEventStreamUpdate
-	// but this Sleep ensures we test both paths (both updating from an event, and from
-	// the pre event update).
-	// As a result, we shouldn't remove this sleep, since it ensures we have greater coverage.
-	time.Sleep(5 * time.Second)
-
-	// Mount the KVV2 engine
-	err = serverClient.Sys().Mount("secret-v1", &api.MountInput{
-		Type: "kv",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Create kvv1 secret
-	err = serverClient.KVv1("secret-v1").Put(context.Background(), "my-secret", secretData)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// We use raw requests so we can check the headers for cache hit/miss.
-	req := proxyClient.NewRequest(http.MethodGet, "/v1/secret-v1/my-secret")
-	resp1, err := proxyClient.RawRequest(req)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	cacheValue := resp1.Header.Get("X-Cache")
-	require.Equal(t, "MISS", cacheValue)
-
-	// Update the secret using the proxy client
-	err = proxyClient.KVv1("secret-v1").Put(context.Background(), "my-secret", secretData2)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Give some time for the event to actually get sent and the cache to be updated.
-	// This is longer than it needs to be to account for unnatural slowness/avoiding
-	// flakiness.
-	time.Sleep(5 * time.Second)
-
-	// We expect this to be a cache hit, with the new value
-	resp2, err := proxyClient.RawRequest(req)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	cacheValue = resp2.Header.Get("X-Cache")
-	require.Equal(t, "HIT", cacheValue)
-
-	// Lastly, we check to make sure the actual data we received is
-	// as we expect. We must use ParseSecret due to the raw requests.
-	secret1, err := api.ParseSecret(resp1.Body)
-	if err != nil {
-		t.Fatal(err)
-	}
-	require.Equal(t, secretData, secret1.Data)
-
-	secret2, err := api.ParseSecret(resp2.Body)
-	if err != nil {
-		t.Fatal(err)
-	}
-	require.Equal(t, secretData2, secret2.Data)
-
-	close(cmd.ShutdownCh)
-	wg.Wait()
-}
-
-// TestProxy_Cache_EventSystemUpdatesCacheKVV2 Tests that the cache successfully caches a static secret
-// going through the Proxy for a KVV2 secret, and then the cache gets updated on a POST to the secret due to an
-// event.
-func TestProxy_Cache_EventSystemUpdatesCacheKVV2(t *testing.T) {
-	logger := logging.NewVaultLogger(hclog.Trace)
-	cluster := vault.NewTestCluster(t, &vault.CoreConfig{
-		LogicalBackends: map[string]logical.Factory{
-			"kv": logicalKv.VersionedKVFactory,
-		},
-	}, &vault.TestClusterOptions{
-		HandlerFunc: vaulthttp.Handler,
-	})
-
-	serverClient := cluster.Cores[0].Client
-
-	// Unset the environment variable so that proxy picks up the right test
-	// cluster address
-	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
-	os.Unsetenv(api.EnvVaultAddress)
-
-	tokenFileName := makeTempFile(t, "token-file", serverClient.Token())
-	defer os.Remove(tokenFileName)
-	// We need auto-auth so that the event system can run.
-	// For ease, we use the token file path with the root token.
-	autoAuthConfig := fmt.Sprintf(`
-auto_auth {
-    method {
-		type = "token_file"
-        config = {
-            token_file_path = "%s"
-        }
-    }
-}`, tokenFileName)
-
-	cacheConfig := `
-cache {
-	cache_static_secrets = true
-}
-`
-	listenAddr := generateListenerAddress(t)
-	listenConfig := fmt.Sprintf(`
-listener "tcp" {
-  address = "%s"
-  tls_disable = true
-}
-`, listenAddr)
-
-	config := fmt.Sprintf(`
-vault {
-  address = "%s"
-  tls_skip_verify = true
-}
-%s
-%s
-%s
-log_level = "trace"
-`, serverClient.Address(), cacheConfig, listenConfig, autoAuthConfig)
-	configPath := makeTempFile(t, "config.hcl", config)
-	defer os.Remove(configPath)
-
-	// Start proxy
-	ui, cmd := testProxyCommand(t, logger)
-	cmd.startedCh = make(chan struct{})
-
-	wg := &sync.WaitGroup{}
-	wg.Add(1)
-	go func() {
-		cmd.Run([]string{"-config", configPath})
-		wg.Done()
-	}()
-
-	select {
-	case <-cmd.startedCh:
-	case <-time.After(5 * time.Second):
-		t.Errorf("timeout")
-		t.Errorf("stdout: %s", ui.OutputWriter.String())
-		t.Errorf("stderr: %s", ui.ErrorWriter.String())
-	}
-
-	proxyClient, err := api.NewClient(api.DefaultConfig())
-	if err != nil {
-		t.Fatal(err)
-	}
-	proxyClient.SetToken(serverClient.Token())
-	proxyClient.SetMaxRetries(0)
-	err = proxyClient.SetAddress("http://" + listenAddr)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	secretData := map[string]interface{}{
-		"foo": "bar",
-	}
-
-	secretData2 := map[string]interface{}{
-		"bar": "baz",
-	}
-
-	// Wait for the event system to successfully connect.
-	// This is longer than it needs to be to account for unnatural slowness/avoiding
-	// flakiness.
-	time.Sleep(5 * time.Second)
-
-	// Mount the KVV2 engine
-	err = serverClient.Sys().Mount("secret-v2", &api.MountInput{
-		Type: "kv-v2",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Create kvv2 secret
-	_, err = serverClient.KVv2("secret-v2").Put(context.Background(), "my-secret", secretData)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// We use raw requests so we can check the headers for cache hit/miss.
-	req := proxyClient.NewRequest(http.MethodGet, "/v1/secret-v2/data/my-secret")
-	resp1, err := proxyClient.RawRequest(req)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	cacheValue := resp1.Header.Get("X-Cache")
-	require.Equal(t, "MISS", cacheValue)
-
-	// Update the secret using the proxy client
-	_, err = proxyClient.KVv2("secret-v2").Put(context.Background(), "my-secret", secretData2)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Give some time for the event to actually get sent and the cache to be updated.
-	// This is longer than it needs to be to account for unnatural slowness/avoiding
-	// flakiness.
-	time.Sleep(5 * time.Second)
-
-	// We expect this to be a cache hit, with the new value
-	resp2, err := proxyClient.RawRequest(req)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	cacheValue = resp2.Header.Get("X-Cache")
-	require.Equal(t, "HIT", cacheValue)
-
-	// Lastly, we check to make sure the actual data we received is
-	// as we expect. We must use ParseSecret due to the raw requests.
-	secret1, err := api.ParseSecret(resp1.Body)
-	if err != nil {
-		t.Fatal(err)
-	}
-	data, ok := secret1.Data["data"]
-	require.True(t, ok)
-	require.Equal(t, secretData, data)
-
-	secret2, err := api.ParseSecret(resp2.Body)
-	if err != nil {
-		t.Fatal(err)
-	}
-	data2, ok := secret2.Data["data"]
-	require.True(t, ok)
-	// We expect that the cached value got updated by the event system.
-	require.Equal(t, secretData2, data2)
-
-	close(cmd.ShutdownCh)
-	wg.Wait()
-}
-
-// TestProxy_Cache_EventSystemPreEventStreamUpdateWorks Tests that the pre-event stream update works
-// (i.e. the method preEventStreamUpdate). This test is similar to TestProxy_Cache_EventSystemUpdatesCacheKVV2,
-// but with the key difference of not waiting the five seconds for the event subsystem of Proxy to get running
-// before it updates the secret, meaning that the event system should update it from the pre-event stream
-// update as opposed to receiving the event.
-func TestProxy_Cache_EventSystemPreEventStreamUpdateWorks(t *testing.T) {
-	logger := logging.NewVaultLogger(hclog.Trace)
-	cluster := minimal.NewTestSoloCluster(t, &vault.CoreConfig{
-		LogicalBackends: map[string]logical.Factory{
-			"kv": logicalKv.VersionedKVFactory,
-		},
-	})
-
-	serverClient := cluster.Cores[0].Client
-
-	// Unset the environment variable so that proxy picks up the right test
-	// cluster address
-	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
-	os.Unsetenv(api.EnvVaultAddress)
-
-	tokenFileName := makeTempFile(t, "token-file", serverClient.Token())
-	defer os.Remove(tokenFileName)
-	// We need auto-auth so that the event system can run.
-	// For ease, we use the token file path with the root token.
-	autoAuthConfig := fmt.Sprintf(`
-auto_auth {
-    method {
-		type = "token_file"
-        config = {
-            token_file_path = "%s"
-        }
-    }
-}`, tokenFileName)
-
-	cacheConfig := `
-cache {
-	cache_static_secrets = true
-}
-`
-	listenAddr := generateListenerAddress(t)
-	listenConfig := fmt.Sprintf(`
-listener "tcp" {
-  address = "%s"
-  tls_disable = true
-}
-`, listenAddr)
-
-	config := fmt.Sprintf(`
-vault {
-  address = "%s"
-  tls_skip_verify = true
-}
-%s
-%s
-%s
-log_level = "trace"
-`, serverClient.Address(), cacheConfig, listenConfig, autoAuthConfig)
-	configPath := makeTempFile(t, "config.hcl", config)
-	defer os.Remove(configPath)
-
-	// Start proxy
-	ui, cmd := testProxyCommand(t, logger)
-	cmd.startedCh = make(chan struct{})
-
-	wg := &sync.WaitGroup{}
-	wg.Add(1)
-	go func() {
-		cmd.Run([]string{"-config", configPath})
-		wg.Done()
-	}()
-
-	select {
-	case <-cmd.startedCh:
-	case <-time.After(5 * time.Second):
-		t.Errorf("timeout")
-		t.Errorf("stdout: %s", ui.OutputWriter.String())
-		t.Errorf("stderr: %s", ui.ErrorWriter.String())
-	}
-
-	proxyClient, err := api.NewClient(api.DefaultConfig())
-	if err != nil {
-		t.Fatal(err)
-	}
-	proxyClient.SetToken(serverClient.Token())
-	proxyClient.SetMaxRetries(0)
-	err = proxyClient.SetAddress("http://" + listenAddr)
-	require.NoError(t, err)
-
-	secretData := map[string]interface{}{
-		"foo": "bar",
-	}
-
-	secretData2 := map[string]interface{}{
-		"bar": "baz",
-	}
-
-	// Mount the KVV2 engine
-	err = serverClient.Sys().Mount("secret-v2", &api.MountInput{
-		Type: "kv-v2",
-	})
-	require.NoError(t, err)
-
-	// Create kvv2 secret
-	_, err = serverClient.KVv2("secret-v2").Put(context.Background(), "my-secret", secretData)
-	require.NoError(t, err)
-
-	// We use raw requests so we can check the headers for cache hit/miss.
-	req := proxyClient.NewRequest(http.MethodGet, "/v1/secret-v2/data/my-secret")
-	resp1, err := proxyClient.RawRequest(req)
-	require.NoError(t, err)
-
-	cacheValue := resp1.Header.Get("X-Cache")
-	require.Equal(t, "MISS", cacheValue)
-
-	// Update the secret using the proxy client
-	_, err = proxyClient.KVv2("secret-v2").Put(context.Background(), "my-secret", secretData2)
-	require.NoError(t, err)
-
-	// Give some time for the event system to run and update the secret as part of the
-	// pre-event stream run. Likely, this will be the period in which the event subsystem
-	// of proxy actually starts up, so it will have missed the event, but this should still
-	// result in an updated cache.
-	time.Sleep(5 * time.Second)
-
-	// We expect this to be a cache hit, with the new value
-	resp2, err := proxyClient.RawRequest(req)
-	require.NoError(t, err)
-
-	cacheValue = resp2.Header.Get("X-Cache")
-	require.Equal(t, "HIT", cacheValue)
-
-	// Lastly, we check to make sure the actual data we received is
-	// as we expect. We must use ParseSecret due to the raw requests.
-	secret1, err := api.ParseSecret(resp1.Body)
-	require.NoError(t, err)
-	data, ok := secret1.Data["data"]
-	require.True(t, ok)
-	require.Equal(t, secretData, data)
-
-	secret2, err := api.ParseSecret(resp2.Body)
-	require.NoError(t, err)
-	data2, ok := secret2.Data["data"]
-	require.True(t, ok)
-	// We expect that the cached value got updated by the event system.
-	require.Equal(t, secretData2, data2)
-
-	close(cmd.ShutdownCh)
-	wg.Wait()
-}
-
-// TestProxy_Cache_StaticSecretPermissionsLost Tests that the cache successfully caches a static secret
-// going through the Proxy for a KVV2 secret, and then the calling client loses permissions to the secret,
-// so it can no longer access the cache.
-func TestProxy_Cache_StaticSecretPermissionsLost(t *testing.T) {
-	logger := logging.NewVaultLogger(hclog.Trace)
-	cluster := vault.NewTestCluster(t, &vault.CoreConfig{
-		LogicalBackends: map[string]logical.Factory{
-			"kv": logicalKv.VersionedKVFactory,
-		},
-	}, &vault.TestClusterOptions{
-		HandlerFunc: vaulthttp.Handler,
-	})
-
-	serverClient := cluster.Cores[0].Client
-
-	// Unset the environment variable so that proxy picks up the right test
-	// cluster address
-	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
-	os.Unsetenv(api.EnvVaultAddress)
+var (
+	_ cli.Command             = (*KVUndeleteCommand)(nil)
+	_ cli.CommandAutocomplete = (*KVUndeleteCommand)(nil)
+)
 
-	tokenFileName := makeTempFile(t, "token-file", serverClient.Token())
-	defer os.Remove(tokenFileName)
-	// We need auto-auth so that the event system can run.
-	// For ease, we use the token file path with the root token.
-	autoAuthConfig := fmt.Sprintf(`
-auto_auth {
-    method {
-		type = "token_file"
-        config = {
-            token_file_path = "%s"
-        }
-    }
-}`, tokenFileName)
+type KVUndeleteCommand struct {
+	*BaseCommand
 
-	// We make the token capability refresh interval one second, for ease of testing
-	cacheConfig := `
-cache {
-	cache_static_secrets = true
-	static_secret_token_capability_refresh_interval = "1s"
+	flagVersions []string
+	flagMount    string
 }
-`
-	listenAddr := generateListenerAddress(t)
-	listenConfig := fmt.Sprintf(`
-listener "tcp" {
-  address = "%s"
-  tls_disable = true
-}
-`, listenAddr)
 
-	config := fmt.Sprintf(`
-vault {
-  address = "%s"
-  tls_skip_verify = true
+func (c *KVUndeleteCommand) Synopsis() string {
+	return "Undeletes versions in the KV store"
 }
-%s
-%s
-%s
-log_level = "trace"
-`, serverClient.Address(), cacheConfig, listenConfig, autoAuthConfig)
-	configPath := makeTempFile(t, "config.hcl", config)
-	defer os.Remove(configPath)
-
-	// Start proxy
-	ui, cmd := testProxyCommand(t, logger)
-	cmd.startedCh = make(chan struct{})
 
-	wg := &sync.WaitGroup{}
-	wg.Add(1)
-	go func() {
-		cmd.Run([]string{"-config", configPath})
-		wg.Done()
-	}()
+func (c *KVUndeleteCommand) Help() string {
+	helpText := `
+Usage: vault kv undelete [options] KEY
 
-	select {
-	case <-cmd.startedCh:
-	case <-time.After(5 * time.Second):
-		t.Errorf("timeout")
-		t.Errorf("stdout: %s", ui.OutputWriter.String())
-		t.Errorf("stderr: %s", ui.ErrorWriter.String())
-	}
-
-	proxyClient, err := api.NewClient(api.DefaultConfig())
-	require.Nil(t, err)
-	proxyClient.SetMaxRetries(0)
-	err = proxyClient.SetAddress("http://" + listenAddr)
-	require.Nil(t, err)
-
-	secretData := map[string]interface{}{
-		"foo": "bar",
-	}
-
-	// Mount the KVV2 engine
-	err = serverClient.Sys().Mount("secret-v2", &api.MountInput{
-		Type: "kv-v2",
-	})
-	require.Nil(t, err)
-
-	err = serverClient.Sys().PutPolicy("kv-policy", `
-   path "secret-v2/*" {
-     capabilities = ["update", "read"]
-   }`)
-	require.Nil(t, err)
-
-	// Setup a token that we can later revoke:
-	renewable := true
-	// Set the token's policies to 'default' and nothing else
-	tokenCreateRequest := &api.TokenCreateRequest{
-		Policies:  []string{"default", "kv-policy"},
-		TTL:       "2s",
-		Renewable: &renewable,
-	}
-
-	secret, err := serverClient.Auth().Token().CreateOrphan(tokenCreateRequest)
-	require.Nil(t, err)
-	token := secret.Auth.ClientToken
-	proxyClient.SetToken(token)
-
-	// Create kvv2 secret
-	_, err = serverClient.KVv2("secret-v2").Put(context.Background(), "my-secret", secretData)
-	require.Nil(t, err)
-
-	// We use raw requests so we can check the headers for cache hit/miss.
-	req := proxyClient.NewRequest(http.MethodGet, "/v1/secret-v2/data/my-secret")
-	resp1, err := proxyClient.RawRequest(req)
-	require.Nil(t, err)
+  Undeletes the data for the provided version and path in the key-value store.
+  This restores the data, allowing it to be returned on get requests.
 
-	cacheValue := resp1.Header.Get("X-Cache")
-	require.Equal(t, "MISS", cacheValue)
+  To undelete version 3 of key "foo":
 
-	// We expect this to be a cache hit, with the new value
-	resp2, err := proxyClient.RawRequest(req)
-	require.Nil(t, err)
+      $ vault kv undelete -mount=secret -versions=3 foo
 
-	cacheValue = resp2.Header.Get("X-Cache")
-	require.Equal(t, "HIT", cacheValue)
+  The deprecated path-like syntax can also be used, but this should be avoided,
+  as the fact that it is not actually the full API path to
+  the secret (secret/data/foo) can cause confusion:
 
-	// Lastly, we check to make sure the actual data we received is
-	// as we expect. We must use ParseSecret due to the raw requests.
-	secret1, err := api.ParseSecret(resp1.Body)
-	if err != nil {
-		t.Fatal(err)
-	}
-	data, ok := secret1.Data["data"]
-	require.True(t, ok)
-	require.Equal(t, secretData, data)
-
-	secret2, err := api.ParseSecret(resp2.Body)
-	if err != nil {
-		t.Fatal(err)
-	}
-	data2, ok := secret2.Data["data"]
-	require.True(t, ok)
-	// We expect that the cached value got updated by the event system.
-	require.Equal(t, secretData, data2)
+      $ vault kv undelete -versions=3 secret/foo
 
-	// Wait for the token to expire, and for the permissions to be revoked
-	// The TTL on the token was 2s, and the capability refresh is every 1s,
-	// so this should give us more than enough time!
-	time.Sleep(5 * time.Second)
-	kvSecret, err := proxyClient.KVv2("secret-v2").Get(context.Background(), "my-secret")
-	if err == nil {
-		t.Fatalf("expected error, but none found, secret:%v, err:%v", kvSecret, err)
-	}
-	// Make sure it's a permission denied error
-	if !strings.Contains(err.Error(), "permission denied") {
-		t.Fatalf("expected error on GET to secret after token revocation, secret:%v, err:%v", kvSecret, err)
-	}
+  Additional flags and more advanced use cases are detailed below.
 
-	close(cmd.ShutdownCh)
-	wg.Wait()
+` + c.Flags().Help()
+	return strings.TrimSpace(helpText)
 }
 
-// TestProxy_ApiProxy_Retry Tests the retry functionalities of Vault Proxy's API Proxy
-func TestProxy_ApiProxy_Retry(t *testing.T) {
-	//----------------------------------------------------
-	// Start the server and proxy
-	//----------------------------------------------------
-	logger := logging.NewVaultLogger(hclog.Trace)
-	var h handler
-	cluster := vault.NewTestCluster(t,
-		&vault.CoreConfig{
-			CredentialBackends: map[string]logical.Factory{
-				"approle": credAppRole.Factory,
-			},
-			LogicalBackends: map[string]logical.Factory{
-				"kv": logicalKv.Factory,
-			},
-		},
-		&vault.TestClusterOptions{
-			NumCores: 1,
-			HandlerFunc: vaulthttp.HandlerFunc(func(properties *vault.HandlerProperties) http.Handler {
-				h.props = properties
-				h.t = t
-				return &h
-			}),
-		})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
-	serverClient := cluster.Cores[0].Client
+func (c *KVUndeleteCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
 
-	// Unset the environment variable so that proxy picks up the right test
-	// cluster address
-	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
-	os.Unsetenv(api.EnvVaultAddress)
+	// Common Options
+	f := set.NewFlagSet("Common Options")
 
-	_, err := serverClient.Logical().Write("secret/foo", map[string]interface{}{
-		"bar": "baz",
+	f.StringSliceVar(&StringSliceVar{
+		Name:    "versions",
+		Target:  &c.flagVersions,
+		Default: nil,
+		Usage:   `Specifies the version numbers to undelete.`,
 	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	intRef := func(i int) *int {
-		return &i
-	}
-	// start test cases here
-	testCases := map[string]struct {
-		retries     *int
-		expectError bool
-	}{
-		"none": {
-			retries:     intRef(-1),
-			expectError: true,
-		},
-		"one": {
-			retries:     intRef(1),
-			expectError: true,
-		},
-		"two": {
-			retries:     intRef(2),
-			expectError: false,
-		},
-		"missing": {
-			retries:     nil,
-			expectError: false,
-		},
-		"default": {
-			retries:     intRef(0),
-			expectError: false,
-		},
-	}
-
-	for tcname, tc := range testCases {
-		t.Run(tcname, func(t *testing.T) {
-			h.failCount = 2
-
-			cacheConfig := `
-cache {
-}
-`
-			listenAddr := generateListenerAddress(t)
-			listenConfig := fmt.Sprintf(`
-listener "tcp" {
-  address = "%s"
-  tls_disable = true
-}
-`, listenAddr)
-
-			var retryConf string
-			if tc.retries != nil {
-				retryConf = fmt.Sprintf("retry { num_retries = %d }", *tc.retries)
-			}
-
-			config := fmt.Sprintf(`
-vault {
-  address = "%s"
-  %s
-  tls_skip_verify = true
-}
-%s
-%s
-`, serverClient.Address(), retryConf, cacheConfig, listenConfig)
-			configPath := makeTempFile(t, "config.hcl", config)
-			defer os.Remove(configPath)
-
-			_, cmd := testProxyCommand(t, logger)
-			cmd.startedCh = make(chan struct{})
-
-			wg := &sync.WaitGroup{}
-			wg.Add(1)
-			go func() {
-				cmd.Run([]string{"-config", configPath})
-				wg.Done()
-			}()
-
-			select {
-			case <-cmd.startedCh:
-			case <-time.After(5 * time.Second):
-				t.Errorf("timeout")
-			}
-
-			client, err := api.NewClient(api.DefaultConfig())
-			if err != nil {
-				t.Fatal(err)
-			}
-			client.SetToken(serverClient.Token())
-			client.SetMaxRetries(0)
-			err = client.SetAddress("http://" + listenAddr)
-			if err != nil {
-				t.Fatal(err)
-			}
-			secret, err := client.Logical().Read("secret/foo")
-			switch {
-			case (err != nil || secret == nil) && tc.expectError:
-			case (err == nil || secret != nil) && !tc.expectError:
-			default:
-				t.Fatalf("%s expectError=%v error=%v secret=%v", tcname, tc.expectError, err, secret)
-			}
-			if secret != nil && secret.Data["foo"] != nil {
-				val := secret.Data["foo"].(map[string]interface{})
-				if !reflect.DeepEqual(val, map[string]interface{}{"bar": "baz"}) {
-					t.Fatalf("expected key 'foo' to yield bar=baz, got: %v", val)
-				}
-			}
-			time.Sleep(time.Second)
-
-			close(cmd.ShutdownCh)
-			wg.Wait()
-		})
-	}
-}
-
-// TestProxy_Metrics tests that metrics are being properly reported.
-func TestProxy_Metrics(t *testing.T) {
-	// Start a vault server
-	logger := logging.NewVaultLogger(hclog.Trace)
-	cluster := vault.NewTestCluster(t, nil,
-		&vault.TestClusterOptions{
-			HandlerFunc: vaulthttp.Handler,
-		})
-	cluster.Start()
-	defer cluster.Cleanup()
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
-	serverClient := cluster.Cores[0].Client
-
-	// Create a config file
-	listenAddr := generateListenerAddress(t)
-	config := fmt.Sprintf(`
-cache {}
-
-listener "tcp" {
-    address = "%s"
-    tls_disable = true
-}
-`, listenAddr)
-	configPath := makeTempFile(t, "config.hcl", config)
-	defer os.Remove(configPath)
-
-	ui, cmd := testProxyCommand(t, logger)
-	cmd.client = serverClient
-	cmd.startedCh = make(chan struct{})
-
-	wg := &sync.WaitGroup{}
-	wg.Add(1)
-	go func() {
-		code := cmd.Run([]string{"-config", configPath})
-		if code != 0 {
-			t.Errorf("non-zero return code when running proxy: %d", code)
-			t.Logf("STDOUT from proxy:\n%s", ui.OutputWriter.String())
-			t.Logf("STDERR from proxy:\n%s", ui.ErrorWriter.String())
-		}
-		wg.Done()
-	}()
-
-	select {
-	case <-cmd.startedCh:
-	case <-time.After(5 * time.Second):
-		t.Errorf("timeout")
-	}
 
-	// defer proxy shutdown
-	defer func() {
-		cmd.ShutdownCh <- struct{}{}
-		wg.Wait()
-	}()
-
-	conf := api.DefaultConfig()
-	conf.Address = "http://" + listenAddr
-	proxyClient, err := api.NewClient(conf)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-
-	req := proxyClient.NewRequest("GET", "/proxy/v1/metrics")
-	body := request(t, proxyClient, req, 200)
-	keys := []string{}
-	for k := range body {
-		keys = append(keys, k)
-	}
-	require.ElementsMatch(t, keys, []string{
-		"Counters",
-		"Samples",
-		"Timestamp",
-		"Gauges",
-		"Points",
+	f.StringVar(&StringVar{
+		Name:    "mount",
+		Target:  &c.flagMount,
+		Default: "", // no default, because the handling of the next arg is determined by whether this flag has a value
+		Usage: `Specifies the path where the KV backend is mounted. If specified,
+		the next argument will be interpreted as the secret path. If this flag is
+		not specified, the next argument will be interpreted as the combined mount
+		path and secret path, with /data/ automatically appended between KV
+		v2 secrets.`,
 	})
-}
-
-// TestProxy_QuitAPI Tests the /proxy/v1/quit API that can be enabled for the proxy.
-func TestProxy_QuitAPI(t *testing.T) {
-	cluster := minimal.NewTestSoloCluster(t, nil)
-	serverClient := cluster.Cores[0].Client
-
-	// Unset the environment variable so that proxy picks up the right test
-	// cluster address
-	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
-	err := os.Unsetenv(api.EnvVaultAddress)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	listenAddr := generateListenerAddress(t)
-	listenAddr2 := generateListenerAddress(t)
-	config := fmt.Sprintf(`
-vault {
-  address = "%s"
-  tls_skip_verify = true
-}
-
-listener "tcp" {
-	address = "%s"
-	tls_disable = true
-}
-
-listener "tcp" {
-	address = "%s"
-	tls_disable = true
-	proxy_api {
-		enable_quit = true
-	}
-}
-
-cache {}
-`, serverClient.Address(), listenAddr, listenAddr2)
-
-	configPath := makeTempFile(t, "config.hcl", config)
-	defer os.Remove(configPath)
-
-	_, cmd := testProxyCommand(t, nil)
-	cmd.startedCh = make(chan struct{})
-
-	wg := &sync.WaitGroup{}
-	wg.Add(1)
-	go func() {
-		cmd.Run([]string{"-config", configPath})
-		wg.Done()
-	}()
-
-	select {
-	case <-cmd.startedCh:
-	case <-time.After(5 * time.Second):
-		t.Errorf("timeout")
-	}
-	client, err := api.NewClient(api.DefaultConfig())
-	if err != nil {
-		t.Fatal(err)
-	}
-	client.SetToken(serverClient.Token())
-	client.SetMaxRetries(0)
-	err = client.SetAddress("http://" + listenAddr)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// First try on listener 1 where the API should be disabled.
-	resp, err := client.RawRequest(client.NewRequest(http.MethodPost, "/proxy/v1/quit"))
-	if err == nil {
-		t.Fatalf("expected error")
-	}
-	if resp != nil && resp.StatusCode != http.StatusNotFound {
-		t.Fatalf("expected %d but got: %d", http.StatusNotFound, resp.StatusCode)
-	}
-
-	// Now try on listener 2 where the quit API should be enabled.
-	err = client.SetAddress("http://" + listenAddr2)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = client.RawRequest(client.NewRequest(http.MethodPost, "/proxy/v1/quit"))
-	if err != nil {
-		t.Fatalf("unexpected error: %s", err)
-	}
-
-	select {
-	case <-cmd.ShutdownCh:
-	case <-time.After(5 * time.Second):
-		t.Errorf("timeout")
-	}
-
-	wg.Wait()
-}
-
-// TestProxy_LogFile_CliOverridesConfig tests that the CLI values
-// override the config for log files
-func TestProxy_LogFile_CliOverridesConfig(t *testing.T) {
-	// Create basic config
-	configFile := populateTempFile(t, "proxy-config.hcl", BasicHclConfig)
-	cfg, err := proxyConfig.LoadConfigFile(configFile.Name())
-	if err != nil {
-		t.Fatal("Cannot load config to test update/merge", err)
-	}
-
-	// Sanity check that the config value is the current value
-	assert.Equal(t, "TMPDIR/juan.log", cfg.LogFile)
-
-	// Initialize the command and parse any flags
-	cmd := &ProxyCommand{BaseCommand: &BaseCommand{}}
-	f := cmd.Flags()
-	// Simulate the flag being specified
-	err = f.Parse([]string{"-log-file=/foo/bar/test.log"})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Update the config based on the inputs.
-	cmd.applyConfigOverrides(f, cfg)
 
-	assert.NotEqual(t, "TMPDIR/juan.log", cfg.LogFile)
-	assert.NotEqual(t, "/squiggle/logs.txt", cfg.LogFile)
-	assert.Equal(t, "/foo/bar/test.log", cfg.LogFile)
+	return set
 }
 
-// TestProxy_LogFile_Config tests log file config when loaded from config
-func TestProxy_LogFile_Config(t *testing.T) {
-	configFile := populateTempFile(t, "proxy-config.hcl", BasicHclConfig)
-
-	cfg, err := proxyConfig.LoadConfigFile(configFile.Name())
-	if err != nil {
-		t.Fatal("Cannot load config to test update/merge", err)
-	}
-
-	// Sanity check that the config value is the current value
-	assert.Equal(t, "TMPDIR/juan.log", cfg.LogFile, "sanity check on log config failed")
-	assert.Equal(t, 2, cfg.LogRotateMaxFiles)
-	assert.Equal(t, 1048576, cfg.LogRotateBytes)
-
-	// Parse the cli flags (but we pass in an empty slice)
-	cmd := &ProxyCommand{BaseCommand: &BaseCommand{}}
-	f := cmd.Flags()
-	err = f.Parse([]string{})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Should change nothing...
-	cmd.applyConfigOverrides(f, cfg)
-
-	assert.Equal(t, "TMPDIR/juan.log", cfg.LogFile, "actual config check")
-	assert.Equal(t, 2, cfg.LogRotateMaxFiles)
-	assert.Equal(t, 1048576, cfg.LogRotateBytes)
+func (c *KVUndeleteCommand) AutocompleteArgs() complete.Predictor {
+	return nil
 }
 
-// TestProxy_Config_NewLogger_Default Tests defaults for log level and
-// specifically cmd.newLogger()
-func TestProxy_Config_NewLogger_Default(t *testing.T) {
-	cmd := &ProxyCommand{BaseCommand: &BaseCommand{}}
-	cmd.config = proxyConfig.NewConfig()
-	logger, err := cmd.newLogger()
-
-	assert.NoError(t, err)
-	assert.NotNil(t, logger)
-	assert.Equal(t, hclog.Info.String(), logger.GetLevel().String())
+func (c *KVUndeleteCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
 }
 
-// TestProxy_Config_ReloadLogLevel Tests reloading updates the log
-// level as expected.
-func TestProxy_Config_ReloadLogLevel(t *testing.T) {
-	cmd := &ProxyCommand{BaseCommand: &BaseCommand{}}
-	var err error
-	tempDir := t.TempDir()
-
-	// Load an initial config
-	hcl := strings.ReplaceAll(BasicHclConfig, "TMPDIR", tempDir)
-	configFile := populateTempFile(t, "proxy-config.hcl", hcl)
-	cmd.config, err = proxyConfig.LoadConfigFile(configFile.Name())
-	if err != nil {
-		t.Fatal("Cannot load config to test update/merge", err)
-	}
-
-	// Tweak the loaded config to make sure we can put log files into a temp dir
-	// and systemd log attempts work fine, this would usually happen during Run.
-	cmd.logWriter = os.Stdout
-	cmd.logger, err = cmd.newLogger()
-	if err != nil {
-		t.Fatal("logger required for systemd log messages", err)
-	}
-
-	// Sanity check
-	assert.Equal(t, "warn", cmd.config.LogLevel)
-
-	// Load a new config
-	hcl = strings.ReplaceAll(BasicHclConfig2, "TMPDIR", tempDir)
-	configFile = populateTempFile(t, "proxy-config.hcl", hcl)
-	err = cmd.reloadConfig([]string{configFile.Name()})
-	assert.NoError(t, err)
-	assert.Equal(t, "debug", cmd.config.LogLevel)
-}
+func (c *KVUndeleteCommand) Run(args []string) int {
+	f := c.Flags()
 
-// TestProxy_Config_ReloadTls Tests that the TLS certs for the listener are
-// correctly reloaded.
-func TestProxy_Config_ReloadTls(t *testing.T) {
-	var wg sync.WaitGroup
-	wd, err := os.Getwd()
-	if err != nil {
-		t.Fatal("unable to get current working directory")
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
 	}
-	workingDir := filepath.Join(wd, "/proxy/test-fixtures/reload")
-	fooCert := "reload_foo.pem"
-	fooKey := "reload_foo.key"
 
-	barCert := "reload_bar.pem"
-	barKey := "reload_bar.key"
-
-	reloadCert := "reload_cert.pem"
-	reloadKey := "reload_key.pem"
-	caPem := "reload_ca.pem"
-
-	tempDir := t.TempDir()
-
-	// Set up initial 'foo' certs
-	inBytes, err := os.ReadFile(filepath.Join(workingDir, fooCert))
-	if err != nil {
-		t.Fatal("unable to read cert required for test", fooCert, err)
-	}
-	err = os.WriteFile(filepath.Join(tempDir, reloadCert), inBytes, 0o777)
-	if err != nil {
-		t.Fatal("unable to write temp cert required for test", reloadCert, err)
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
 	}
 
-	inBytes, err = os.ReadFile(filepath.Join(workingDir, fooKey))
-	if err != nil {
-		t.Fatal("unable to read cert key required for test", fooKey, err)
-	}
-	err = os.WriteFile(filepath.Join(tempDir, reloadKey), inBytes, 0o777)
-	if err != nil {
-		t.Fatal("unable to write temp cert key required for test", reloadKey, err)
+	if len(c.flagVersions) == 0 {
+		c.UI.Error("No versions provided, use the \"-versions\" flag to specify the version to undelete.")
+		return 1
 	}
 
-	inBytes, err = os.ReadFile(filepath.Join(workingDir, caPem))
+	client, err := c.Client()
 	if err != nil {
-		t.Fatal("unable to read CA pem required for test", caPem, err)
-	}
-	certPool := x509.NewCertPool()
-	ok := certPool.AppendCertsFromPEM(inBytes)
-	if !ok {
-		t.Fatal("not ok when appending CA cert")
+		c.UI.Error(err.Error())
+		return 2
 	}
 
-	replacedHcl := strings.ReplaceAll(BasicHclConfig, "TMPDIR", tempDir)
-	configFile := populateTempFile(t, "proxy-config.hcl", replacedHcl)
+	// If true, we're working with "-mount=secret foo" syntax.
+	// If false, we're using "secret/foo" syntax.
+	mountFlagSyntax := (c.flagMount != "")
 
-	// Set up Proxy
-	logger := logging.NewVaultLogger(hclog.Trace)
-	ui, cmd := testProxyCommand(t, logger)
-
-	var output string
-	var code int
-	wg.Add(1)
-	args := []string{"-config", configFile.Name()}
-	go func() {
-		if code = cmd.Run(args); code != 0 {
-			output = ui.ErrorWriter.String() + ui.OutputWriter.String()
-		}
-		wg.Done()
-	}()
+	var (
+		mountPath   string
+		partialPath string
+		v2          bool
+	)
 
-	testCertificateName := func(cn string) error {
-		conn, err := tls.Dial("tcp", "127.0.0.1:8100", &tls.Config{
-			RootCAs: certPool,
-		})
+	// Parse the paths and grab the KV version
+	if mountFlagSyntax {
+		// In this case, this arg is the secret path (e.g. "foo").
+		partialPath = sanitizePath(args[0])
+		mountPath = sanitizePath(c.flagMount)
+		_, v2, err = isKVv2(mountPath, client)
 		if err != nil {
-			return err
+			c.UI.Error(err.Error())
+			return 2
 		}
-		defer conn.Close()
-		if err = conn.Handshake(); err != nil {
-			return err
+		if v2 {
+			// Without this join, mountPaths that are deeper
+			// than the root path E.G. secrets/myapp will get
+			// pruned down to myapp/undelete/<secret> which
+			// is incorrect.
+			// This technique was lifted from kv_delete.go.
+			partialPath = path.Join(mountPath, partialPath)
 		}
-		servName := conn.ConnectionState().PeerCertificates[0].Subject.CommonName
-		if servName != cn {
-			return fmt.Errorf("expected %s, got %s", cn, servName)
+	} else {
+		// In this case, this arg is a path-like combination of mountPath/secretPath.
+		// (e.g. "secret/foo")
+		partialPath = sanitizePath(args[0])
+		mountPath, v2, err = isKVv2(partialPath, client)
+		if err != nil {
+			c.UI.Error(err.Error())
+			return 2
 		}
-		return nil
-	}
-
-	// Start
-	select {
-	case <-cmd.startedCh:
-	case <-time.After(5 * time.Second):
-		t.Fatalf("timeout")
 	}
 
-	if err := testCertificateName("foo.example.com"); err != nil {
-		t.Fatalf("certificate name didn't check out: %s", err)
+	if !v2 {
+		c.UI.Error("Undelete not supported on KV Version 1")
+		return 1
 	}
 
-	// Swap out certs
-	inBytes, err = os.ReadFile(filepath.Join(workingDir, barCert))
-	if err != nil {
-		t.Fatal("unable to read cert required for test", barCert, err)
-	}
-	err = os.WriteFile(filepath.Join(tempDir, reloadCert), inBytes, 0o777)
-	if err != nil {
-		t.Fatal("unable to write temp cert required for test", reloadCert, err)
+	undeletePath := addPrefixToKVPath(partialPath, mountPath, "undelete", false)
+	data := map[string]interface{}{
+		"versions": kvParseVersionsFlags(c.flagVersions),
 	}
 
-	inBytes, err = os.ReadFile(filepath.Join(workingDir, barKey))
-	if err != nil {
-		t.Fatal("unable to read cert key required for test", barKey, err)
-	}
-	err = os.WriteFile(filepath.Join(tempDir, reloadKey), inBytes, 0o777)
+	secret, err := client.Logical().Write(undeletePath, data)
 	if err != nil {
-		t.Fatal("unable to write temp cert key required for test", reloadKey, err)
-	}
-
-	// Reload
-	cmd.SighupCh <- struct{}{}
-	select {
-	case <-cmd.reloadedCh:
-	case <-time.After(5 * time.Second):
-		t.Fatalf("timeout")
+		c.UI.Error(fmt.Sprintf("Error writing data to %s: %s", undeletePath, err))
+		if secret != nil {
+			OutputSecret(c.UI, secret)
+		}
+		return 2
 	}
-
-	if err := testCertificateName("bar.example.com"); err != nil {
-		t.Fatalf("certificate name didn't check out: %s", err)
+	if secret == nil {
+		// Don't output anything unless using the "table" format
+		if Format(c.UI) == "table" {
+			c.UI.Info(fmt.Sprintf("Success! Data written to: %s", undeletePath))
+		}
+		return 0
 	}
 
-	// Shut down
-	cmd.ShutdownCh <- struct{}{}
-	wg.Wait()
-
-	if code != 0 {
-		t.Fatalf("got a non-zero exit status: %d, stdout/stderr: %s", code, output)
-	}
+	return OutputSecret(c.UI, secret)
 }
diff --git a/command/read.go b/command/read.go
index c205718f89e7..83f778ef3ccf 100644
--- a/command/read.go
+++ b/command/read.go
@@ -1,138 +1,113 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
 
-package command
+/* This helper includes styles relating to: display, width, height, float, visibility, position, alignment. */
 
-import (
-	"context"
-	"fmt"
-	"io"
-	"os"
-	"strings"
-
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*ReadCommand)(nil)
-	_ cli.CommandAutocomplete = (*ReadCommand)(nil)
-)
-
-type ReadCommand struct {
-	*BaseCommand
-
-	testStdin io.Reader // for tests
+// display
+.is-block {
+  display: block !important;
 }
 
-func (c *ReadCommand) Synopsis() string {
-	return "Read data and retrieves secrets"
+.is-hidden {
+  display: none !important;
 }
 
-func (c *ReadCommand) Help() string {
-	helpText := `
-Usage: vault read [options] PATH
-
-  Reads data from Vault at the given path. This can be used to read secrets,
-  generate dynamic credentials, get configuration details, and more.
-
-  Read a secret from the static secrets engine:
-
-      $ vault read secret/my-secret
-
-  For a full list of examples and paths, please see the documentation that
-  corresponds to the secrets engine in use.
+.is-inline {
+  display: inline !important;
+}
 
-` + c.Flags().Help()
+.is-inline-block {
+  display: inline-block !important;
+}
 
-	return strings.TrimSpace(helpText)
+// position
+.top-right-absolute {
+  position: absolute;
+  top: 0.5rem;
+  right: 0.5rem;
+  z-index: 10;
 }
 
-func (c *ReadCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
+.is-in-bottom-right {
+  position: absolute;
+  bottom: 1rem;
+  right: 1rem;
+  z-index: 10;
 }
 
-func (c *ReadCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultFiles()
+.is-relative {
+  position: relative;
 }
 
-func (c *ReadCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
+.top-xxs {
+  top: $spacing-4;
 }
 
-func (c *ReadCommand) Run(args []string) int {
-	f := c.Flags()
+// visibility
+.is-invisible {
+  visibility: hidden;
+}
 
-	if err := f.Parse(args, ParseOptionAllowRawFormat(true)); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
+// width and height
+.is-fullwidth {
+  width: 100%;
+}
 
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	}
+.is-three-fourths-width {
+  width: 75%;
+}
 
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
+.is-auto-width {
+  width: auto;
+}
 
-	// client.ReadRaw* methods require a manual timeout override
-	ctx, cancel := context.WithTimeout(context.Background(), client.ClientTimeout())
-	defer cancel()
+.is-min-width-0 {
+  min-width: 0;
+}
 
-	// Pull our fake stdin if needed
-	stdin := (io.Reader)(os.Stdin)
-	if c.testStdin != nil {
-		stdin = c.testStdin
-	}
+.is-medium-width {
+  width: calc($desktop / 3);
+}
 
-	path := sanitizePath(args[0])
+.is-medium-height {
+  height: 125px;
+}
 
-	data, err := parseArgsDataStringLists(stdin, args[1:])
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Failed to parse K=V data: %s", err))
-		return 1
-	}
+// float
+.is-pulled-left {
+  float: left !important;
+}
 
-	if Format(c.UI) != "raw" {
-		secret, err := client.Logical().ReadWithDataWithContext(ctx, path, data)
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error reading %s: %s", path, err))
-			return 2
-		}
-		if secret == nil {
-			c.UI.Error(fmt.Sprintf("No value found at %s", path))
-			return 2
-		}
+.is-pulled-right {
+  float: right !important;
+}
 
-		if c.flagField != "" {
-			return PrintRawField(c.UI, secret, c.flagField)
-		}
+// alignment
+.align-self-baseline {
+  align-self: baseline;
+}
 
-		return OutputSecret(c.UI, secret)
-	}
+.is-v-centered {
+  vertical-align: middle;
+}
 
-	resp, err := client.Logical().ReadRawWithDataWithContext(ctx, path, data)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error reading: %s: %s", path, err))
-		return 2
-	}
-	if resp == nil || resp.Body == nil {
-		c.UI.Error(fmt.Sprintf("No value found at %s", path))
-		return 2
-	}
-	defer resp.Body.Close()
+// responsive css
+@media screen and (min-width: 769px), print {
+  .is-hidden-tablet {
+    display: none !important;
+  }
+}
 
-	contents, err := io.ReadAll(resp.Body)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error reading: %s: %s", path, err))
-		return 2
-	}
+@media screen and (max-width: 768px) {
+  .is-hidden-mobile {
+    display: none !important;
+  }
+}
 
-	return OutputData(c.UI, contents)
+@media screen and (max-width: 1215px) {
+  .is-widescreen:not(.is-max-desktop) {
+    max-width: 1152px;
+  }
 }
diff --git a/command/read_test.go b/command/read_test.go
index 6f33a1ef2b74..3e0817ffd0d8 100644
--- a/command/read_test.go
+++ b/command/read_test.go
@@ -5,163 +5,39 @@ package command
 
 import (
 	"strings"
-	"testing"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
 )
 
-func testReadCommand(tb testing.TB) (*cli.MockUi, *ReadCommand) {
-	tb.Helper()
+var _ cli.Command = (*LeaseCommand)(nil)
 
-	ui := cli.NewMockUi()
-	return ui, &ReadCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
+type LeaseCommand struct {
+	*BaseCommand
 }
 
-func TestReadCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"not_enough_args",
-			[]string{},
-			"Not enough arguments",
-			1,
-		},
-		{
-			"proper_args",
-			[]string{"foo", "bar=baz"},
-			"No value found at foo\n",
-			2,
-		},
-		{
-			"not_found",
-			[]string{"nope/not/once/never"},
-			"",
-			2,
-		},
-		{
-			"default",
-			[]string{"secret/read/foo"},
-			"foo",
-			0,
-		},
-		{
-			"field",
-			[]string{
-				"-field", "foo",
-				"secret/read/foo",
-			},
-			"bar",
-			0,
-		},
-		{
-			"field_not_found",
-			[]string{
-				"-field", "not-a-real-field",
-				"secret/read/foo",
-			},
-			"not present in secret",
-			1,
-		},
-	}
-
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, tc := range cases {
-			tc := tc
-
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
-
-				client, closer := testVaultServer(t)
-				defer closer()
-
-				if _, err := client.Logical().Write("secret/read/foo", map[string]interface{}{
-					"foo": "bar",
-				}); err != nil {
-					t.Fatal(err)
-				}
-
-				ui, cmd := testReadCommand(t)
-				cmd.client = client
-
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("%s: expected %q to contain %q", tc.name, combined, tc.out)
-				}
-			})
-		}
-	})
-
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerBad(t)
-		defer closer()
-
-		ui, cmd := testReadCommand(t)
-		cmd.client = client
+func (c *LeaseCommand) Synopsis() string {
+	return "Interact with leases"
+}
 
-		code := cmd.Run([]string{
-			"secret/foo",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
+func (c *LeaseCommand) Help() string {
+	helpText := `
+Usage: vault lease <subcommand> [options] [args]
 
-		expected := "Error reading secret/foo: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
+  This command groups subcommands for interacting with leases. Users can revoke
+  or renew leases.
 
-	t.Run("no_data_object_from_api_response", func(t *testing.T) {
-		t.Parallel()
+  Renew a lease:
 
-		client, closer := testVaultServer(t)
-		defer closer()
+      $ vault lease renew database/creds/readonly/2f6a614c...
 
-		ui, cmd := testReadCommand(t)
-		cmd.client = client
+  Revoke a lease:
 
-		code := cmd.Run([]string{
-			"sys/health",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		expected := []string{
-			"cluster_id", "cluster_name", "initialized", "performance_standby", "replication_dr_mode", "replication_performance_mode", "sealed",
-			"server_time_utc", "standby", "version",
-		}
-		for _, expectedField := range expected {
-			if !strings.Contains(combined, expectedField) {
-				t.Errorf("expected %q to contain %q", combined, expected)
-			}
-		}
-	})
+      $ vault lease revoke database/creds/readonly/2f6a614c...
+`
 
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
+	return strings.TrimSpace(helpText)
+}
 
-		_, cmd := testReadCommand(t)
-		assertNoTabs(t, cmd)
-	})
+func (c *LeaseCommand) Run(args []string) int {
+	return cli.RunResultHelp
 }
diff --git a/command/rotate.go b/command/rotate.go
index 5ed97354c95d..6e8b564a620a 100644
--- a/command/rotate.go
+++ b/command/rotate.go
@@ -1,106 +1,1753 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package cache
 
 import (
+	"bufio"
+	"bytes"
+	"context"
+	"encoding/hex"
+	"encoding/json"
+	"errors"
 	"fmt"
+	"io"
+	"net/http"
+	"net/url"
 	"strings"
+	"sync"
+	"time"
 
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
+	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/go-secure-stdlib/base62"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/command/agentproxyshared/cache/cacheboltdb"
+	"github.com/hashicorp/vault/command/agentproxyshared/cache/cachememdb"
+	"github.com/hashicorp/vault/helper/namespace"
+	nshelper "github.com/hashicorp/vault/helper/namespace"
+	vaulthttp "github.com/hashicorp/vault/http"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/helper/cryptoutil"
+	"github.com/hashicorp/vault/sdk/helper/jsonutil"
+	"github.com/hashicorp/vault/sdk/helper/locksutil"
+	"github.com/hashicorp/vault/sdk/logical"
+	gocache "github.com/patrickmn/go-cache"
+	"go.uber.org/atomic"
+)
+
+const (
+	vaultPathTokenCreate         = "/v1/auth/token/create"
+	vaultPathTokenRevoke         = "/v1/auth/token/revoke"
+	vaultPathTokenRevokeSelf     = "/v1/auth/token/revoke-self"
+	vaultPathTokenRevokeAccessor = "/v1/auth/token/revoke-accessor"
+	vaultPathTokenRevokeOrphan   = "/v1/auth/token/revoke-orphan"
+	vaultPathTokenLookup         = "/v1/auth/token/lookup"
+	vaultPathTokenLookupSelf     = "/v1/auth/token/lookup-self"
+	vaultPathTokenRenew          = "/v1/auth/token/renew"
+	vaultPathTokenRenewSelf      = "/v1/auth/token/renew-self"
+	vaultPathLeaseRevoke         = "/v1/sys/leases/revoke"
+	vaultPathLeaseRevokeForce    = "/v1/sys/leases/revoke-force"
+	vaultPathLeaseRevokePrefix   = "/v1/sys/leases/revoke-prefix"
 )
 
 var (
-	_ cli.Command             = (*OperatorRotateCommand)(nil)
-	_ cli.CommandAutocomplete = (*OperatorRotateCommand)(nil)
+	contextIndexID  = contextIndex{}
+	errInvalidType  = errors.New("invalid type provided")
+	revocationPaths = []string{
+		strings.TrimPrefix(vaultPathTokenRevoke, "/v1"),
+		strings.TrimPrefix(vaultPathTokenRevokeSelf, "/v1"),
+		strings.TrimPrefix(vaultPathTokenRevokeAccessor, "/v1"),
+		strings.TrimPrefix(vaultPathTokenRevokeOrphan, "/v1"),
+		strings.TrimPrefix(vaultPathLeaseRevoke, "/v1"),
+		strings.TrimPrefix(vaultPathLeaseRevokeForce, "/v1"),
+		strings.TrimPrefix(vaultPathLeaseRevokePrefix, "/v1"),
+	}
 )
 
-type OperatorRotateCommand struct {
-	*BaseCommand
+type contextIndex struct{}
+
+type cacheClearRequest struct {
+	Type      string `json:"type"`
+	Value     string `json:"value"`
+	Namespace string `json:"namespace"`
+}
+
+// LeaseCache is an implementation of Proxier that handles
+// the caching of responses. It passes the incoming request
+// to an underlying Proxier implementation.
+type LeaseCache struct {
+	client      *api.Client
+	proxier     Proxier
+	logger      hclog.Logger
+	db          *cachememdb.CacheMemDB
+	baseCtxInfo *cachememdb.ContextInfo
+	l           *sync.RWMutex
+
+	// userAgentToUse is the user agent to use when making independent requests
+	// to Vault.
+	userAgentToUse string
+
+	// idLocks is used during cache lookup to ensure that identical requests made
+	// in parallel won't trigger multiple renewal goroutines.
+	idLocks []*locksutil.LockEntry
+
+	// inflightCache keeps track of inflight requests
+	inflightCache *gocache.Cache
+
+	// ps is the persistent storage for tokens and leases
+	ps *cacheboltdb.BoltStorage
+
+	// shuttingDown is used to determine if cache needs to be evicted or not
+	// when the context is cancelled
+	shuttingDown atomic.Bool
+
+	// cacheStaticSecrets is used to determine if the cache should also
+	// cache static secrets, as well as dynamic secrets.
+	cacheStaticSecrets bool
+
+	// cacheDynamicSecrets is used to determine if the cache should
+	// cache dynamic secrets
+	cacheDynamicSecrets bool
+
+	// capabilityManager is used when static secrets are enabled to
+	// manage the capabilities of cached tokens.
+	capabilityManager *StaticSecretCapabilityManager
+}
+
+// LeaseCacheConfig is the configuration for initializing a new
+// LeaseCache.
+type LeaseCacheConfig struct {
+	Client              *api.Client
+	BaseContext         context.Context
+	Proxier             Proxier
+	Logger              hclog.Logger
+	UserAgentToUse      string
+	Storage             *cacheboltdb.BoltStorage
+	CacheStaticSecrets  bool
+	CacheDynamicSecrets bool
+}
+
+type inflightRequest struct {
+	// ch is closed by the request that ends up processing the set of
+	// parallel request
+	ch chan struct{}
+
+	// remaining is the number of remaining inflight request that needs to
+	// be processed before this object can be cleaned up
+	remaining *atomic.Uint64
+}
+
+func newInflightRequest() *inflightRequest {
+	return &inflightRequest{
+		ch:        make(chan struct{}),
+		remaining: atomic.NewUint64(0),
+	}
+}
+
+// NewLeaseCache creates a new instance of a LeaseCache.
+func NewLeaseCache(conf *LeaseCacheConfig) (*LeaseCache, error) {
+	if conf == nil {
+		return nil, errors.New("nil configuration provided")
+	}
+
+	if conf.Proxier == nil || conf.Logger == nil {
+		return nil, fmt.Errorf("missing configuration required params: %v", conf)
+	}
+
+	if conf.Client == nil {
+		return nil, fmt.Errorf("nil API client")
+	}
+
+	if conf.UserAgentToUse == "" {
+		return nil, fmt.Errorf("no user agent specified -- see useragent.go")
+	}
+
+	db, err := cachememdb.New()
+	if err != nil {
+		return nil, err
+	}
+
+	// Create a base context for the lease cache layer
+	baseCtxInfo := cachememdb.NewContextInfo(conf.BaseContext)
+
+	return &LeaseCache{
+		client:              conf.Client,
+		proxier:             conf.Proxier,
+		logger:              conf.Logger,
+		userAgentToUse:      conf.UserAgentToUse,
+		db:                  db,
+		baseCtxInfo:         baseCtxInfo,
+		l:                   &sync.RWMutex{},
+		idLocks:             locksutil.CreateLocks(),
+		inflightCache:       gocache.New(gocache.NoExpiration, gocache.NoExpiration),
+		ps:                  conf.Storage,
+		cacheStaticSecrets:  conf.CacheStaticSecrets,
+		cacheDynamicSecrets: conf.CacheDynamicSecrets,
+	}, nil
+}
+
+// SetCapabilityManager is a setter for CapabilityManager. If set, will manage capabilities
+// for capability indexes.
+func (c *LeaseCache) SetCapabilityManager(capabilityManager *StaticSecretCapabilityManager) {
+	c.capabilityManager = capabilityManager
+}
+
+// SetShuttingDown is a setter for the shuttingDown field
+func (c *LeaseCache) SetShuttingDown(in bool) {
+	c.shuttingDown.Store(in)
+
+	// Since we're shutting down, also stop the capability manager's jobs.
+	// We can do this forcibly since no there's no reason to update
+	// the cache when we're shutting down.
+	if c.capabilityManager != nil {
+		c.capabilityManager.Stop()
+	}
+}
+
+// SetPersistentStorage is a setter for the persistent storage field in
+// LeaseCache
+func (c *LeaseCache) SetPersistentStorage(storageIn *cacheboltdb.BoltStorage) {
+	c.ps = storageIn
+}
+
+// PersistentStorage is a getter for the persistent storage field in
+// LeaseCache
+func (c *LeaseCache) PersistentStorage() *cacheboltdb.BoltStorage {
+	return c.ps
+}
+
+// checkCacheForDynamicSecretRequest checks the cache for a particular request based on its
+// computed ID. It returns a non-nil *SendResponse if an entry is found.
+func (c *LeaseCache) checkCacheForDynamicSecretRequest(id string) (*SendResponse, error) {
+	return c.checkCacheForRequest(id, nil)
+}
+
+// checkCacheForStaticSecretRequest checks the cache for a particular request based on its
+// computed ID. It returns a non-nil *SendResponse if an entry is found.
+// If a request is provided, it will validate that the token is allowed to retrieve this
+// cache entry, and return nil if it isn't. It will also evict the cache if this is a non-GET
+// request.
+func (c *LeaseCache) checkCacheForStaticSecretRequest(id string, req *SendRequest) (*SendResponse, error) {
+	return c.checkCacheForRequest(id, req)
+}
+
+// checkCacheForRequest checks the cache for a particular request based on its
+// computed ID. It returns a non-nil *SendResponse if an entry is found.
+// If a token is provided, it will validate that the token is allowed to retrieve this
+// cache entry, and return nil if it isn't.
+func (c *LeaseCache) checkCacheForRequest(id string, req *SendRequest) (*SendResponse, error) {
+	index, err := c.db.Get(cachememdb.IndexNameID, id)
+	if errors.Is(err, cachememdb.ErrCacheItemNotFound) {
+		return nil, nil
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	index.IndexLock.RLock()
+	defer index.IndexLock.RUnlock()
+
+	var token string
+	if req != nil {
+		// Req will be non-nil if we're checking for a static secret.
+		// Token might still be "" if it's going to an unauthenticated
+		// endpoint, or similar. For static secrets, we only care about
+		// requests with tokens attached, as KV is authenticated.
+		token = req.Token
+	}
+
+	if token != "" {
+		// We are checking for a static secret. We need to ensure that this token
+		// has previously demonstrated access to this static secret.
+		// We could check the capabilities cache here, but since these
+		// indexes should be in sync, this saves us an extra cache get.
+		if _, ok := index.Tokens[token]; !ok {
+			// We don't have access to this static secret, so
+			// we do not return the cached response.
+			return nil, nil
+		}
+	}
+
+	// Cached request is found, deserialize the response
+	reader := bufio.NewReader(bytes.NewReader(index.Response))
+	resp, err := http.ReadResponse(reader, nil)
+	if err != nil {
+		c.logger.Error("failed to deserialize response", "error", err)
+		return nil, err
+	}
+
+	sendResp, err := NewSendResponse(&api.Response{Response: resp}, index.Response)
+	if err != nil {
+		c.logger.Error("failed to create new send response", "error", err)
+		return nil, err
+	}
+	sendResp.CacheMeta.Hit = true
+
+	respTime, err := http.ParseTime(resp.Header.Get("Date"))
+	if err != nil {
+		c.logger.Error("failed to parse cached response date", "error", err)
+		return nil, err
+	}
+	sendResp.CacheMeta.Age = time.Now().Sub(respTime)
+
+	return sendResp, nil
+}
+
+// Send performs a cache lookup on the incoming request. If it's a cache hit,
+// it will return the cached response, otherwise it will delegate to the
+// underlying Proxier and cache the received response.
+func (c *LeaseCache) Send(ctx context.Context, req *SendRequest) (*SendResponse, error) {
+	// Compute the index ID for both static and dynamic secrets.
+	// The primary difference is that for dynamic secrets, the
+	// Vault token forms part of the index.
+	dynamicSecretCacheId, err := computeIndexID(req)
+	if err != nil {
+		c.logger.Error("failed to compute cache key", "error", err)
+		return nil, err
+	}
+	staticSecretCacheId := computeStaticSecretCacheIndex(req)
+
+	// Check the inflight cache to see if there are other inflight requests
+	// of the same kind, based on the computed ID. If so, we increment a counter
+
+	// Note: we lock both the dynamic secret cache ID and the static secret cache ID
+	// as at this stage, we don't know what kind of secret it is.
+	var inflight *inflightRequest
+
+	defer func() {
+		// Cleanup on the cache if there are no remaining inflight requests.
+		// This is the last step, so we defer the call first
+		if inflight != nil && inflight.remaining.Load() == 0 {
+			c.inflightCache.Delete(dynamicSecretCacheId)
+			if staticSecretCacheId != "" {
+				c.inflightCache.Delete(staticSecretCacheId)
+			}
+		}
+	}()
+
+	idLockDynamicSecret := locksutil.LockForKey(c.idLocks, dynamicSecretCacheId)
+
+	// Briefly grab an ID-based lock in here to emulate a load-or-store behavior
+	// and prevent concurrent cacheable requests from being proxied twice if
+	// they both miss the cache due to it being clean when peeking the cache
+	// entry.
+	idLockDynamicSecret.Lock()
+	inflightRaw, found := c.inflightCache.Get(dynamicSecretCacheId)
+	if found {
+		idLockDynamicSecret.Unlock()
+		inflight = inflightRaw.(*inflightRequest)
+		inflight.remaining.Inc()
+		defer inflight.remaining.Dec()
+
+		// If found it means that there's an inflight request being processed.
+		// We wait until that's finished before proceeding further.
+		select {
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		case <-inflight.ch:
+		}
+	} else {
+		if inflight == nil {
+			inflight = newInflightRequest()
+			inflight.remaining.Inc()
+			defer inflight.remaining.Dec()
+			defer close(inflight.ch)
+		}
+
+		c.inflightCache.Set(dynamicSecretCacheId, inflight, gocache.NoExpiration)
+		idLockDynamicSecret.Unlock()
+	}
+
+	if staticSecretCacheId != "" {
+		idLockStaticSecret := locksutil.LockForKey(c.idLocks, staticSecretCacheId)
+
+		// Briefly grab an ID-based lock in here to emulate a load-or-store behavior
+		// and prevent concurrent cacheable requests from being proxied twice if
+		// they both miss the cache due to it being clean when peeking the cache
+		// entry.
+		idLockStaticSecret.Lock()
+		inflightRaw, found = c.inflightCache.Get(staticSecretCacheId)
+		if found {
+			idLockStaticSecret.Unlock()
+			inflight = inflightRaw.(*inflightRequest)
+			inflight.remaining.Inc()
+			defer inflight.remaining.Dec()
+
+			// If found it means that there's an inflight request being processed.
+			// We wait until that's finished before proceeding further.
+			select {
+			case <-ctx.Done():
+				return nil, ctx.Err()
+			case <-inflight.ch:
+			}
+		} else {
+			if inflight == nil {
+				inflight = newInflightRequest()
+				inflight.remaining.Inc()
+				defer inflight.remaining.Dec()
+				defer close(inflight.ch)
+			}
+
+			c.inflightCache.Set(staticSecretCacheId, inflight, gocache.NoExpiration)
+			idLockStaticSecret.Unlock()
+		}
+	}
+
+	// Check if the response for this request is already in the dynamic secret cache
+	cachedResp, err := c.checkCacheForDynamicSecretRequest(dynamicSecretCacheId)
+	if err != nil {
+		return nil, err
+	}
+	if cachedResp != nil {
+		c.logger.Debug("returning cached dynamic secret response", "path", req.Request.URL.Path)
+		return cachedResp, nil
+	}
+
+	// Check if the response for this request is already in the static secret cache
+	if staticSecretCacheId != "" && req.Request.Method == http.MethodGet && req.Token != "" {
+		cachedResp, err = c.checkCacheForStaticSecretRequest(staticSecretCacheId, req)
+		if err != nil {
+			return nil, err
+		}
+		if cachedResp != nil {
+			c.logger.Debug("returning cached static secret response", "id", staticSecretCacheId, "path", req.Request.URL.Path)
+			return cachedResp, nil
+		}
+	}
+
+	c.logger.Debug("forwarding request from cache", "method", req.Request.Method, "path", req.Request.URL.Path)
+
+	// Pass the request down and get a response
+	resp, err := c.proxier.Send(ctx, req)
+	if err != nil {
+		return resp, err
+	}
+
+	// If this is a non-2xx or if the returned response does not contain JSON payload,
+	// we skip caching
+	if resp.Response.StatusCode >= 300 || resp.Response.Header.Get("Content-Type") != "application/json" {
+		return resp, err
+	}
+
+	// Get the namespace from the request header
+	namespace := req.Request.Header.Get(consts.NamespaceHeaderName)
+	// We need to populate an empty value since go-memdb will skip over indexes
+	// that contain empty values.
+	if namespace == "" {
+		namespace = "root/"
+	}
+
+	// Build the index to cache based on the response received
+	index := &cachememdb.Index{
+		Namespace:   namespace,
+		RequestPath: req.Request.URL.Path,
+		LastRenewed: time.Now().UTC(),
+	}
+
+	secret, err := api.ParseSecret(bytes.NewReader(resp.ResponseBody))
+	if err != nil {
+		c.logger.Error("failed to parse response as secret", "error", err)
+		return nil, err
+	}
+
+	isRevocation, err := c.handleRevocationRequest(ctx, req, resp)
+	if err != nil {
+		c.logger.Error("failed to process the response", "error", err)
+		return nil, err
+	}
+
+	// If this is a revocation request, do not go through cache logic.
+	if isRevocation {
+		return resp, nil
+	}
+
+	// Fast path for responses with no secrets
+	if secret == nil {
+		c.logger.Debug("pass-through response; no secret in response", "method", req.Request.Method, "path", req.Request.URL.Path)
+		return resp, nil
+	}
+
+	// There shouldn't be a situation where secret.MountType == "kv" and
+	// staticSecretCacheId == "", but just in case.
+	// We restrict this to GETs as those are all we want to cache.
+	if c.cacheStaticSecrets && secret.MountType == "kv" &&
+		staticSecretCacheId != "" && req.Request.Method == http.MethodGet {
+		index.Type = cacheboltdb.StaticSecretType
+		index.ID = staticSecretCacheId
+		// We set the request path to be the canonical static secret path, so that
+		// two differently shaped (but equivalent) requests to the same path
+		// will be the same.
+		// This differs slightly from dynamic secrets, where the /v1/ will be
+		// included in the request path.
+		index.RequestPath = getStaticSecretPathFromRequest(req)
+
+		err := c.cacheStaticSecret(ctx, req, resp, index)
+		if err != nil {
+			return nil, err
+		}
+		return resp, nil
+	} else {
+		// Since it's not a static secret, set the ID to be the dynamic id
+		index.ID = dynamicSecretCacheId
+	}
+
+	// Short-circuit if we've been configured to not cache dynamic secrets
+	if !c.cacheDynamicSecrets {
+		return resp, nil
+	}
+
+	// Short-circuit if the secret is not renewable
+	tokenRenewable, err := secret.TokenIsRenewable()
+	if err != nil {
+		c.logger.Error("failed to parse renewable param", "error", err)
+		return nil, err
+	}
+	if !secret.Renewable && !tokenRenewable {
+		c.logger.Debug("pass-through response; secret not renewable", "method", req.Request.Method, "path", req.Request.URL.Path)
+		return resp, nil
+	}
+
+	var renewCtxInfo *cachememdb.ContextInfo
+	switch {
+	case secret.LeaseID != "":
+		c.logger.Debug("processing lease response", "method", req.Request.Method, "path", req.Request.URL.Path)
+		entry, err := c.db.Get(cachememdb.IndexNameToken, req.Token)
+		if errors.Is(err, cachememdb.ErrCacheItemNotFound) {
+			// If the lease belongs to a token that is not managed by the lease cache,
+			// return the response without caching it.
+			c.logger.Debug("pass-through lease response; token not managed by lease cache", "method", req.Request.Method, "path", req.Request.URL.Path)
+			return resp, nil
+		}
+		if err != nil {
+			return nil, err
+		}
+
+		// Derive a context for renewal using the token's context
+		renewCtxInfo = cachememdb.NewContextInfo(entry.RenewCtxInfo.Ctx)
+
+		index.Lease = secret.LeaseID
+		index.LeaseToken = req.Token
+
+		index.Type = cacheboltdb.LeaseType
+
+	case secret.Auth != nil:
+		c.logger.Debug("processing auth response", "method", req.Request.Method, "path", req.Request.URL.Path)
+
+		// Check if this token creation request resulted in a non-orphan token, and if so
+		// correctly set the parentCtx to the request's token context.
+		var parentCtx context.Context
+		if !secret.Auth.Orphan {
+			entry, err := c.db.Get(cachememdb.IndexNameToken, req.Token)
+			if errors.Is(err, cachememdb.ErrCacheItemNotFound) {
+				// If the lease belongs to a token that is not managed by the lease cache,
+				// return the response without caching it.
+				c.logger.Debug("pass-through lease response; parent token not managed by lease cache", "method", req.Request.Method, "path", req.Request.URL.Path)
+				return resp, nil
+			}
+			if err != nil {
+				return nil, err
+			}
+
+			c.logger.Debug("setting parent context", "method", req.Request.Method, "path", req.Request.URL.Path)
+			parentCtx = entry.RenewCtxInfo.Ctx
+
+			index.TokenParent = req.Token
+		}
+
+		renewCtxInfo = c.createCtxInfo(parentCtx)
+		index.Token = secret.Auth.ClientToken
+		index.TokenAccessor = secret.Auth.Accessor
+
+		index.Type = cacheboltdb.LeaseType
+
+	default:
+		// We shouldn't be hitting this, but will err on the side of caution and
+		// simply proxy.
+		c.logger.Debug("pass-through response; secret without lease and token", "method", req.Request.Method, "path", req.Request.URL.Path)
+		return resp, nil
+	}
+
+	// Serialize the response to store it in the cached index
+	var respBytes bytes.Buffer
+	err = resp.Response.Write(&respBytes)
+	if err != nil {
+		c.logger.Error("failed to serialize response", "error", err)
+		return nil, err
+	}
+
+	// Reset the response body for upper layers to read
+	if resp.Response.Body != nil {
+		resp.Response.Body.Close()
+	}
+	resp.Response.Body = io.NopCloser(bytes.NewReader(resp.ResponseBody))
+
+	// Set the index's Response
+	index.Response = respBytes.Bytes()
+
+	// Store the index ID in the lifetimewatcher context
+	renewCtx := context.WithValue(renewCtxInfo.Ctx, contextIndexID, index.ID)
+
+	// Store the lifetime watcher context in the index
+	index.RenewCtxInfo = &cachememdb.ContextInfo{
+		Ctx:        renewCtx,
+		CancelFunc: renewCtxInfo.CancelFunc,
+		DoneCh:     renewCtxInfo.DoneCh,
+	}
+
+	// Add extra information necessary for restoring from persisted cache
+	index.RequestMethod = req.Request.Method
+	index.RequestToken = req.Token
+	index.RequestHeader = req.Request.Header
+
+	if index.Type != cacheboltdb.StaticSecretType {
+		// Store the index in the cache
+		c.logger.Debug("storing dynamic secret response into the cache", "method", req.Request.Method, "path", req.Request.URL.Path, "id", index.ID)
+		err = c.Set(ctx, index)
+		if err != nil {
+			c.logger.Error("failed to cache the proxied response", "error", err)
+			return nil, err
+		}
+
+		// Start renewing the secret in the response
+		go c.startRenewing(renewCtx, index, req, secret)
+	}
+
+	return resp, nil
+}
+
+func (c *LeaseCache) cacheStaticSecret(ctx context.Context, req *SendRequest, resp *SendResponse, index *cachememdb.Index) error {
+	// If a cached version of this secret exists, we now have access, so
+	// we don't need to re-cache, just update index.Tokens
+	indexFromCache, err := c.db.Get(cachememdb.IndexNameID, index.ID)
+	if err != nil && err != cachememdb.ErrCacheItemNotFound {
+		return err
+	}
+
+	// The index already exists, so all we need to do is add our token
+	// to the index's allowed token list, then re-store it.
+	if indexFromCache != nil {
+		// We must hold a lock for the index while it's being updated.
+		// We keep the two locking mechanisms distinct, so that it's only writes
+		// that have to be serial.
+		indexFromCache.IndexLock.Lock()
+		defer indexFromCache.IndexLock.Unlock()
+		indexFromCache.Tokens[req.Token] = struct{}{}
+
+		return c.storeStaticSecretIndex(ctx, req, indexFromCache)
+	}
+
+	// Serialize the response to store it in the cached index
+	var respBytes bytes.Buffer
+	err = resp.Response.Write(&respBytes)
+	if err != nil {
+		c.logger.Error("failed to serialize response", "error", err)
+		return err
+	}
+
+	// Reset the response body for upper layers to read
+	if resp.Response.Body != nil {
+		resp.Response.Body.Close()
+	}
+	resp.Response.Body = io.NopCloser(bytes.NewReader(resp.ResponseBody))
+
+	// Set the index's Response
+	index.Response = respBytes.Bytes()
+
+	// Initialize the token map and add this token to it.
+	index.Tokens = map[string]struct{}{req.Token: {}}
+
+	// Set the index type
+	index.Type = cacheboltdb.StaticSecretType
+
+	return c.storeStaticSecretIndex(ctx, req, index)
+}
+
+func (c *LeaseCache) storeStaticSecretIndex(ctx context.Context, req *SendRequest, index *cachememdb.Index) error {
+	// Store the index in the cache
+	c.logger.Debug("storing static secret response into the cache", "method", req.Request.Method, "path", req.Request.URL.Path, "id", index.ID)
+	err := c.Set(ctx, index)
+	if err != nil {
+		c.logger.Error("failed to cache the proxied response", "error", err)
+		return err
+	}
+
+	capabilitiesIndex, created, err := c.retrieveOrCreateTokenCapabilitiesEntry(req.Token)
+	if err != nil {
+		c.logger.Error("failed to cache the proxied response", "error", err)
+		return err
+	}
+
+	path := getStaticSecretPathFromRequest(req)
+
+	// Extra caution -- avoid potential nil
+	if capabilitiesIndex.ReadablePaths == nil {
+		capabilitiesIndex.ReadablePaths = make(map[string]struct{})
+	}
+
+	// update the index with the new capability:
+	capabilitiesIndex.ReadablePaths[path] = struct{}{}
+
+	err = c.SetCapabilitiesIndex(ctx, capabilitiesIndex)
+	if err != nil {
+		c.logger.Error("failed to cache token capabilities as part of caching the proxied response", "error", err)
+		return err
+	}
+
+	// Lastly, ensure that we start renewing this index, if it's  new.
+	// We require the 'created' check so that we don't renew the same
+	// index multiple times.
+	if c.capabilityManager != nil && created {
+		c.capabilityManager.StartRenewingCapabilities(capabilitiesIndex)
+	}
+
+	return nil
+}
+
+// retrieveOrCreateTokenCapabilitiesEntry will either retrieve the token
+// capabilities entry from the cache, or create a new, empty one.
+// The bool represents if a new token capability has been created.
+func (c *LeaseCache) retrieveOrCreateTokenCapabilitiesEntry(token string) (*cachememdb.CapabilitiesIndex, bool, error) {
+	// The index ID is a hash of the token.
+	indexId := hashStaticSecretIndex(token)
+	indexFromCache, err := c.db.GetCapabilitiesIndex(cachememdb.IndexNameID, indexId)
+	if err != nil && err != cachememdb.ErrCacheItemNotFound {
+		return nil, false, err
+	}
+
+	if indexFromCache != nil {
+		return indexFromCache, false, nil
+	}
+
+	// Build the index to cache based on the response received
+	index := &cachememdb.CapabilitiesIndex{
+		ID:            indexId,
+		Token:         token,
+		ReadablePaths: make(map[string]struct{}),
+	}
+
+	return index, true, nil
+}
+
+func (c *LeaseCache) createCtxInfo(ctx context.Context) *cachememdb.ContextInfo {
+	if ctx == nil {
+		c.l.RLock()
+		ctx = c.baseCtxInfo.Ctx
+		c.l.RUnlock()
+	}
+	return cachememdb.NewContextInfo(ctx)
+}
+
+func (c *LeaseCache) startRenewing(ctx context.Context, index *cachememdb.Index, req *SendRequest, secret *api.Secret) {
+	defer func() {
+		id := ctx.Value(contextIndexID).(string)
+		if c.shuttingDown.Load() {
+			c.logger.Trace("not evicting index from cache during shutdown", "id", id, "method", req.Request.Method, "path", req.Request.URL.Path)
+			return
+		}
+		c.logger.Debug("evicting index from cache", "id", id, "method", req.Request.Method, "path", req.Request.URL.Path)
+		err := c.Evict(index)
+		if err != nil {
+			c.logger.Error("failed to evict index", "id", id, "error", err)
+			return
+		}
+	}()
+
+	client, err := c.client.Clone()
+	if err != nil {
+		c.logger.Error("failed to create API client in the lifetime watcher", "error", err)
+		return
+	}
+	client.SetToken(req.Token)
+
+	headers := client.Headers()
+	if headers == nil {
+		headers = make(http.Header)
+	}
+
+	// We do not preserve any initial User-Agent here since these requests are from
+	// the proxy subsystem, but are made by the lease cache's lifetime watcher,
+	// not triggered by a specific request.
+	headers.Set("User-Agent", c.userAgentToUse)
+	client.SetHeaders(headers)
+
+	watcher, err := client.NewLifetimeWatcher(&api.LifetimeWatcherInput{
+		Secret: secret,
+	})
+	if err != nil {
+		c.logger.Error("failed to create secret lifetime watcher", "error", err)
+		return
+	}
+
+	c.logger.Debug("initiating renewal", "method", req.Request.Method, "path", req.Request.URL.Path)
+	go watcher.Start()
+	defer watcher.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			// This is the case which captures context cancellations from token
+			// and leases. Since all the contexts are derived from the agent's
+			// context, this will also cover the shutdown scenario.
+			c.logger.Debug("context cancelled; stopping lifetime watcher", "path", req.Request.URL.Path)
+			return
+		case err := <-watcher.DoneCh():
+			// This case covers renewal completion and renewal errors
+			if err != nil {
+				c.logger.Error("failed to renew secret", "error", err)
+				return
+			}
+			c.logger.Debug("renewal halted; evicting from cache", "path", req.Request.URL.Path)
+			return
+		case <-watcher.RenewCh():
+			c.logger.Debug("secret renewed", "path", req.Request.URL.Path)
+			if c.ps != nil {
+				if err := c.updateLastRenewed(ctx, index, time.Now().UTC()); err != nil {
+					c.logger.Warn("not able to update lastRenewed time for cached index", "id", index.ID)
+				}
+			}
+		case <-index.RenewCtxInfo.DoneCh:
+			// This case indicates the renewal process to shutdown and evict
+			// the cache entry. This is triggered when a specific secret
+			// renewal needs to be killed without affecting any of the derived
+			// context renewals.
+			c.logger.Debug("done channel closed")
+			return
+		}
+	}
 }
 
-func (c *OperatorRotateCommand) Synopsis() string {
-	return "Rotates the underlying encryption key"
+func (c *LeaseCache) updateLastRenewed(ctx context.Context, index *cachememdb.Index, t time.Time) error {
+	idLock := locksutil.LockForKey(c.idLocks, index.ID)
+	idLock.Lock()
+	defer idLock.Unlock()
+
+	getIndex, err := c.db.Get(cachememdb.IndexNameID, index.ID)
+	if err != nil && err != cachememdb.ErrCacheItemNotFound {
+		return err
+	}
+	index.LastRenewed = t
+	if err := c.Set(ctx, getIndex); err != nil {
+		return err
+	}
+	return nil
 }
 
-func (c *OperatorRotateCommand) Help() string {
-	helpText := `
-Usage: vault operator rotate [options]
+// computeIndexID results in a value that uniquely identifies a request
+// received by the agent. It does so by SHA256 hashing the serialized request
+// object containing the request path, query parameters and body parameters.
+func computeIndexID(req *SendRequest) (string, error) {
+	var b bytes.Buffer
+
+	cloned := req.Request.Clone(context.Background())
+	cloned.Header.Del(vaulthttp.VaultIndexHeaderName)
+	cloned.Header.Del(vaulthttp.VaultForwardHeaderName)
+	cloned.Header.Del(vaulthttp.VaultInconsistentHeaderName)
+	// Serialize the request
+	if err := cloned.Write(&b); err != nil {
+		return "", fmt.Errorf("failed to serialize request: %v", err)
+	}
 
-  Rotates the underlying encryption key which is used to secure data written
-  to the storage backend. This installs a new key in the key ring. This new
-  key is used to encrypted new data, while older keys in the ring are used to
-  decrypt older data.
+	// Reset the request body after it has been closed by Write
+	req.Request.Body = io.NopCloser(bytes.NewReader(req.RequestBody))
 
-  This is an online operation and does not cause downtime. This command is run
-  per-cluster (not per-server), since Vault servers in HA mode share the same
-  storage backend.
+	// Append req.Token into the byte slice. This is needed since auto-auth'ed
+	// requests sets the token directly into SendRequest.Token
+	if _, err := b.WriteString(req.Token); err != nil {
+		return "", fmt.Errorf("failed to write token to hash input: %w", err)
+	}
 
-  Rotate Vault's encryption key:
+	return hex.EncodeToString(cryptoutil.Blake2b256Hash(string(b.Bytes()))), nil
+}
 
-      $ vault operator rotate
+// canonicalizeStaticSecretPath takes an API request path such as
+// /v1/foo/bar and a namespace, and turns it into a canonical representation
+// of the secret's path in Vault.
+// We opt for this form as namespace.Canonicalize returns a namespace in the
+// form of "ns1/", so we keep consistent with path canonicalization.
+func canonicalizeStaticSecretPath(requestPath string, ns string) string {
+	// /sys/capabilities accepts both requests that look like foo/bar
+	// and /foo/bar but not /v1/foo/bar.
+	// We trim the /v1/ from the start of the URL to get the foo/bar form.
+	// This means that we can use the paths we retrieve from the
+	// /sys/capabilities endpoint to access this index
+	// without having to re-add the /v1/
+	path := strings.TrimPrefix(requestPath, "/v1/")
+	// Trim any leading slashes, as we never want those.
+	// This ensures /foo/bar gets turned to foo/bar
+	path = strings.TrimPrefix(path, "/")
 
-  For a full list of examples, please see the documentation.
+	// If a namespace was provided in a way that wasn't directly in the path,
+	// it must be added to the path.
+	path = namespace.Canonicalize(ns) + path
 
-` + c.Flags().Help()
+	return path
+}
 
-	return strings.TrimSpace(helpText)
+// getStaticSecretPathFromRequest gets the canonical path for a
+// request, taking into account intricacies relating to /v1/ and namespaces
+// in the header.
+// Returns a path like foo/bar or ns1/foo/bar.
+// We opt for this form as namespace.Canonicalize returns a namespace in the
+// form of "ns1/", so we keep consistent with path canonicalization.
+func getStaticSecretPathFromRequest(req *SendRequest) string {
+	path := req.Request.URL.Path
+	// Static secrets always have /v1 as a prefix. This enables us to
+	// enable a pass-through and never attempt to cache or view-from-cache
+	// any request without the /v1 prefix.
+	if !strings.HasPrefix(path, "/v1") {
+		return ""
+	}
+	var namespace string
+	if header := req.Request.Header; header != nil {
+		namespace = header.Get(api.NamespaceHeaderName)
+	}
+	return canonicalizeStaticSecretPath(path, namespace)
 }
 
-func (c *OperatorRotateCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+// hashStaticSecretIndex is a simple function that hashes the path into
+// a function. This is kept as a helper function for ease of use by downstream functions.
+func hashStaticSecretIndex(unhashedIndex string) string {
+	return hex.EncodeToString(cryptoutil.Blake2b256Hash(unhashedIndex))
 }
 
-func (c *OperatorRotateCommand) AutocompleteArgs() complete.Predictor {
+// computeStaticSecretCacheIndex results in a value that uniquely identifies a static
+// secret's cached ID. Notably, we intentionally ignore headers (for example,
+// the X-Vault-Token header) to remain agnostic to which token is being
+// used in the request. We care only about the path.
+// This will return "" if the index does not have a /v1 prefix, and therefore
+// cannot be a static secret.
+func computeStaticSecretCacheIndex(req *SendRequest) string {
+	path := getStaticSecretPathFromRequest(req)
+	if path == "" {
+		return path
+	}
+	return hashStaticSecretIndex(path)
+}
+
+// HandleCacheClear returns a handlerFunc that can perform cache clearing operations.
+func (c *LeaseCache) HandleCacheClear(ctx context.Context) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// If the cache is not enabled, return a 200
+		if c == nil {
+			return
+		}
+
+		// Only handle POST/PUT requests
+		switch r.Method {
+		case http.MethodPost:
+		case http.MethodPut:
+		default:
+			return
+		}
+
+		req := new(cacheClearRequest)
+		if err := jsonutil.DecodeJSONFromReader(r.Body, req); err != nil {
+			if err == io.EOF {
+				err = errors.New("empty JSON provided")
+			}
+			logical.RespondError(w, http.StatusBadRequest, fmt.Errorf("failed to parse JSON input: %w", err))
+			return
+		}
+
+		c.logger.Debug("received cache-clear request", "type", req.Type, "namespace", req.Namespace, "value", req.Value)
+
+		in, err := parseCacheClearInput(req)
+		if err != nil {
+			c.logger.Error("unable to parse clear input", "error", err)
+			logical.RespondError(w, http.StatusBadRequest, fmt.Errorf("failed to parse clear input: %w", err))
+			return
+		}
+
+		if err := c.handleCacheClear(ctx, in); err != nil {
+			// Default to 500 on error, unless the user provided an invalid type,
+			// which would then be a 400.
+			httpStatus := http.StatusInternalServerError
+			if err == errInvalidType {
+				httpStatus = http.StatusBadRequest
+			}
+			logical.RespondError(w, httpStatus, fmt.Errorf("failed to clear cache: %w", err))
+			return
+		}
+
+		return
+	})
+}
+
+func (c *LeaseCache) handleCacheClear(ctx context.Context, in *cacheClearInput) error {
+	if in == nil {
+		return errors.New("no value(s) provided to clear corresponding cache entries")
+	}
+
+	switch in.Type {
+	case "request_path":
+		// For this particular case, we need to ensure that there are 2 provided
+		// indexers for the proper lookup.
+		if in.RequestPath == "" {
+			return errors.New("request path not provided")
+		}
+
+		// The first value provided for this case will be the namespace, but if it's
+		// an empty value we need to overwrite it with "root/" to ensure proper
+		// cache lookup.
+		if in.Namespace == "" {
+			in.Namespace = "root/"
+		}
+
+		// Find all the cached entries which has the given request path and
+		// cancel the contexts of all the respective lifetime watchers
+		indexes, err := c.db.GetByPrefix(cachememdb.IndexNameRequestPath, in.Namespace, in.RequestPath)
+		if err != nil {
+			return err
+		}
+		for _, index := range indexes {
+			// If it's a static secret, we must remove directly, as there
+			// is no renew func to cancel.
+			if index.Type == cacheboltdb.StaticSecretType {
+				err = c.db.Evict(cachememdb.IndexNameID, index.ID)
+				if err != nil {
+					return err
+				}
+			} else {
+				if index.RenewCtxInfo != nil {
+					if index.RenewCtxInfo.CancelFunc != nil {
+						index.RenewCtxInfo.CancelFunc()
+					}
+				}
+			}
+		}
+
+	case "token":
+		if in.Token == "" {
+			return errors.New("token not provided")
+		}
+
+		// Get the context for the given token and cancel its context
+		index, err := c.db.Get(cachememdb.IndexNameToken, in.Token)
+		if errors.Is(err, cachememdb.ErrCacheItemNotFound) {
+			return nil
+		}
+		if err != nil {
+			return err
+		}
+
+		c.logger.Debug("canceling context of index attached to token")
+
+		index.RenewCtxInfo.CancelFunc()
+
+	case "token_accessor":
+		if in.TokenAccessor == "" && in.Type != cacheboltdb.StaticSecretType {
+			return errors.New("token accessor not provided")
+		}
+
+		// Get the cached index and cancel the corresponding lifetime watcher
+		// context
+		index, err := c.db.Get(cachememdb.IndexNameTokenAccessor, in.TokenAccessor)
+		if errors.Is(err, cachememdb.ErrCacheItemNotFound) {
+			return nil
+		}
+		if err != nil {
+			return err
+		}
+
+		c.logger.Debug("canceling context of index attached to accessor")
+
+		index.RenewCtxInfo.CancelFunc()
+
+	case "lease":
+		if in.Lease == "" {
+			return errors.New("lease not provided")
+		}
+
+		// Get the cached index and cancel the corresponding lifetime watcher
+		// context
+		index, err := c.db.Get(cachememdb.IndexNameLease, in.Lease)
+		if errors.Is(err, cachememdb.ErrCacheItemNotFound) {
+			return nil
+		}
+		if err != nil {
+			return err
+		}
+
+		c.logger.Debug("canceling context of index attached to accessor")
+
+		index.RenewCtxInfo.CancelFunc()
+
+	case "all":
+		// Cancel the base context which triggers all the goroutines to
+		// stop and evict entries from cache.
+		c.logger.Debug("canceling base context")
+		c.l.Lock()
+		c.baseCtxInfo.CancelFunc()
+		// Reset the base context
+		baseCtx, baseCancel := context.WithCancel(ctx)
+		c.baseCtxInfo = &cachememdb.ContextInfo{
+			Ctx:        baseCtx,
+			CancelFunc: baseCancel,
+		}
+		c.l.Unlock()
+
+		// Reset the memdb instance (and persistent storage if enabled)
+		if err := c.Flush(); err != nil {
+			return err
+		}
+
+	default:
+		return errInvalidType
+	}
+
+	c.logger.Debug("successfully cleared matching cache entries")
+
 	return nil
 }
 
-func (c *OperatorRotateCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
+// handleRevocationRequest checks whether the originating request is a
+// revocation request, and if so perform applicable cache cleanups.
+// Returns true is this is a revocation request.
+func (c *LeaseCache) handleRevocationRequest(ctx context.Context, req *SendRequest, resp *SendResponse) (bool, error) {
+	// Lease and token revocations return 204's on success. Fast-path if that's
+	// not the case.
+	if resp.Response.StatusCode != http.StatusNoContent {
+		return false, nil
+	}
+
+	_, path := deriveNamespaceAndRevocationPath(req)
+
+	switch {
+	case path == vaultPathTokenRevoke:
+		// Get the token from the request body
+		jsonBody := map[string]interface{}{}
+		if err := json.Unmarshal(req.RequestBody, &jsonBody); err != nil {
+			return false, err
+		}
+		tokenRaw, ok := jsonBody["token"]
+		if !ok {
+			return false, fmt.Errorf("failed to get token from request body")
+		}
+		token, ok := tokenRaw.(string)
+		if !ok {
+			return false, fmt.Errorf("expected token in the request body to be string")
+		}
+
+		// Clear the cache entry associated with the token and all the other
+		// entries belonging to the leases derived from this token.
+		in := &cacheClearInput{
+			Type:  "token",
+			Token: token,
+		}
+		if err := c.handleCacheClear(ctx, in); err != nil {
+			return false, err
+		}
+
+	case path == vaultPathTokenRevokeSelf:
+		// Clear the cache entry associated with the token and all the other
+		// entries belonging to the leases derived from this token.
+		in := &cacheClearInput{
+			Type:  "token",
+			Token: req.Token,
+		}
+		if err := c.handleCacheClear(ctx, in); err != nil {
+			return false, err
+		}
+
+	case path == vaultPathTokenRevokeAccessor:
+		jsonBody := map[string]interface{}{}
+		if err := json.Unmarshal(req.RequestBody, &jsonBody); err != nil {
+			return false, err
+		}
+		accessorRaw, ok := jsonBody["accessor"]
+		if !ok {
+			return false, fmt.Errorf("failed to get accessor from request body")
+		}
+		accessor, ok := accessorRaw.(string)
+		if !ok {
+			return false, fmt.Errorf("expected accessor in the request body to be string")
+		}
+
+		in := &cacheClearInput{
+			Type:          "token_accessor",
+			TokenAccessor: accessor,
+		}
+		if err := c.handleCacheClear(ctx, in); err != nil {
+			return false, err
+		}
+
+	case path == vaultPathTokenRevokeOrphan:
+		jsonBody := map[string]interface{}{}
+		if err := json.Unmarshal(req.RequestBody, &jsonBody); err != nil {
+			return false, err
+		}
+		tokenRaw, ok := jsonBody["token"]
+		if !ok {
+			return false, fmt.Errorf("failed to get token from request body")
+		}
+		token, ok := tokenRaw.(string)
+		if !ok {
+			return false, fmt.Errorf("expected token in the request body to be string")
+		}
+
+		// Kill the lifetime watchers of all the leases attached to the revoked
+		// token
+		indexes, err := c.db.GetByPrefix(cachememdb.IndexNameLeaseToken, token)
+		if err != nil {
+			return false, err
+		}
+		for _, index := range indexes {
+			index.RenewCtxInfo.CancelFunc()
+		}
+
+		// Kill the lifetime watchers of the revoked token
+		index, err := c.db.Get(cachememdb.IndexNameToken, token)
+		if errors.Is(err, cachememdb.ErrCacheItemNotFound) {
+			return true, nil
+		}
+		if err != nil {
+			return false, err
+		}
+
+		// Indicate the lifetime watcher goroutine for this index to return.
+		// This will not affect the child tokens because the context is not
+		// getting cancelled.
+		close(index.RenewCtxInfo.DoneCh)
+
+		// Clear the parent references of the revoked token in the entries
+		// belonging to the child tokens of the revoked token.
+		indexes, err = c.db.GetByPrefix(cachememdb.IndexNameTokenParent, token)
+		if err != nil {
+			return false, err
+		}
+		for _, index := range indexes {
+			index.TokenParent = ""
+			err = c.db.Set(index)
+			if err != nil {
+				c.logger.Error("failed to persist index", "error", err)
+				return false, err
+			}
+		}
+
+	case path == vaultPathLeaseRevoke:
+		// TODO: Should lease present in the URL itself be considered here?
+		// Get the lease from the request body
+		jsonBody := map[string]interface{}{}
+		if err := json.Unmarshal(req.RequestBody, &jsonBody); err != nil {
+			return false, err
+		}
+		leaseIDRaw, ok := jsonBody["lease_id"]
+		if !ok {
+			return false, fmt.Errorf("failed to get lease_id from request body")
+		}
+		leaseID, ok := leaseIDRaw.(string)
+		if !ok {
+			return false, fmt.Errorf("expected lease_id the request body to be string")
+		}
+		in := &cacheClearInput{
+			Type:  "lease",
+			Lease: leaseID,
+		}
+		if err := c.handleCacheClear(ctx, in); err != nil {
+			return false, err
+		}
+
+	case strings.HasPrefix(path, vaultPathLeaseRevokeForce):
+		// Trim the URL path to get the request path prefix
+		prefix := strings.TrimPrefix(path, vaultPathLeaseRevokeForce)
+		// Get all the cache indexes that use the request path containing the
+		// prefix and cancel the lifetime watcher context of each.
+		indexes, err := c.db.GetByPrefix(cachememdb.IndexNameLease, prefix)
+		if err != nil {
+			return false, err
+		}
+
+		_, tokenNSID := namespace.SplitIDFromString(req.Token)
+		for _, index := range indexes {
+			_, leaseNSID := namespace.SplitIDFromString(index.Lease)
+			// Only evict leases that match the token's namespace
+			if tokenNSID == leaseNSID {
+				index.RenewCtxInfo.CancelFunc()
+			}
+		}
+
+	case strings.HasPrefix(path, vaultPathLeaseRevokePrefix):
+		// Trim the URL path to get the request path prefix
+		prefix := strings.TrimPrefix(path, vaultPathLeaseRevokePrefix)
+		// Get all the cache indexes that use the request path containing the
+		// prefix and cancel the lifetime watcher context of each.
+		indexes, err := c.db.GetByPrefix(cachememdb.IndexNameLease, prefix)
+		if err != nil {
+			return false, err
+		}
+
+		_, tokenNSID := namespace.SplitIDFromString(req.Token)
+		for _, index := range indexes {
+			_, leaseNSID := namespace.SplitIDFromString(index.Lease)
+			// Only evict leases that match the token's namespace
+			if tokenNSID == leaseNSID {
+				index.RenewCtxInfo.CancelFunc()
+			}
+		}
+
+	default:
+		return false, nil
+	}
+
+	c.logger.Debug("triggered caching eviction from revocation request")
+
+	return true, nil
+}
+
+// Set stores the index in the cachememdb, and also stores it in the persistent
+// cache (if enabled)
+func (c *LeaseCache) Set(ctx context.Context, index *cachememdb.Index) error {
+	if err := c.db.Set(index); err != nil {
+		return err
+	}
+
+	if c.ps != nil {
+		plaintext, err := index.Serialize()
+		if err != nil {
+			return err
+		}
+
+		if err := c.ps.Set(ctx, index.ID, plaintext, index.Type); err != nil {
+			return err
+		}
+		c.logger.Trace("set entry in persistent storage", "type", index.Type, "path", index.RequestPath, "id", index.ID)
+	}
+
+	return nil
 }
 
-func (c *OperatorRotateCommand) Run(args []string) int {
-	f := c.Flags()
+// SetCapabilitiesIndex stores the capabilities index in the cachememdb, and also stores it in the persistent
+// cache (if enabled)
+func (c *LeaseCache) SetCapabilitiesIndex(ctx context.Context, index *cachememdb.CapabilitiesIndex) error {
+	if err := c.db.SetCapabilitiesIndex(index); err != nil {
+		return err
+	}
+
+	if c.ps != nil {
+		plaintext, err := index.SerializeCapabilitiesIndex()
+		if err != nil {
+			return err
+		}
 
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
+		if err := c.ps.Set(ctx, index.ID, plaintext, cacheboltdb.TokenCapabilitiesType); err != nil {
+			return err
+		}
+		c.logger.Trace("set entry in persistent storage", "type", cacheboltdb.TokenCapabilitiesType, "id", index.ID)
 	}
 
-	args = f.Args()
-	if len(args) > 0 {
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(args)))
-		return 1
+	return nil
+}
+
+// Evict removes an Index from the cachememdb, and also removes it from the
+// persistent cache (if enabled)
+func (c *LeaseCache) Evict(index *cachememdb.Index) error {
+	if err := c.db.Evict(cachememdb.IndexNameID, index.ID); err != nil {
+		return err
 	}
 
-	client, err := c.Client()
+	if c.ps != nil {
+		if err := c.ps.Delete(index.ID, index.Type); err != nil {
+			return err
+		}
+		c.logger.Trace("deleted item from persistent storage", "id", index.ID)
+	}
+
+	return nil
+}
+
+// Flush the cachememdb and persistent cache (if enabled)
+func (c *LeaseCache) Flush() error {
+	if err := c.db.Flush(); err != nil {
+		return err
+	}
+
+	if c.ps != nil {
+		c.logger.Trace("clearing persistent storage")
+		return c.ps.Clear()
+	}
+
+	return nil
+}
+
+// Restore loads the cachememdb from the persistent storage passed in. Loads
+// tokens first, since restoring a lease's renewal context and watcher requires
+// looking up the token in the cachememdb.
+// Restore also restarts any capability management for managed static secret
+// tokens.
+func (c *LeaseCache) Restore(ctx context.Context, storage *cacheboltdb.BoltStorage) error {
+	var errs *multierror.Error
+
+	// Process tokens first
+	tokens, err := storage.GetByType(ctx, cacheboltdb.TokenType)
+	if err != nil {
+		errs = multierror.Append(errs, err)
+	} else {
+		if err := c.restoreTokens(tokens); err != nil {
+			errs = multierror.Append(errs, err)
+		}
+	}
+
+	// Then process leases
+	leases, err := storage.GetByType(ctx, cacheboltdb.LeaseType)
+	if err != nil {
+		errs = multierror.Append(errs, err)
+	} else {
+		for _, lease := range leases {
+			newIndex, err := cachememdb.Deserialize(lease)
+			if err != nil {
+				errs = multierror.Append(errs, err)
+				continue
+			}
+
+			c.logger.Trace("restoring lease", "id", newIndex.ID, "path", newIndex.RequestPath)
+
+			// Check if this lease has already expired
+			expired, err := c.hasExpired(time.Now().UTC(), newIndex)
+			if err != nil {
+				c.logger.Warn("failed to check if lease is expired", "id", newIndex.ID, "error", err)
+			}
+			if expired {
+				continue
+			}
+
+			if err := c.restoreLeaseRenewCtx(newIndex); err != nil {
+				errs = multierror.Append(errs, err)
+				continue
+			}
+			if err := c.db.Set(newIndex); err != nil {
+				errs = multierror.Append(errs, err)
+				continue
+			}
+			c.logger.Trace("restored lease", "id", newIndex.ID, "path", newIndex.RequestPath)
+		}
+	}
+
+	// Then process static secrets and their capabilities
+	if c.cacheStaticSecrets {
+		staticSecrets, err := storage.GetByType(ctx, cacheboltdb.StaticSecretType)
+		if err != nil {
+			errs = multierror.Append(errs, err)
+		} else {
+			for _, staticSecret := range staticSecrets {
+				newIndex, err := cachememdb.Deserialize(staticSecret)
+				if err != nil {
+					errs = multierror.Append(errs, err)
+					continue
+				}
+
+				c.logger.Trace("restoring static secret index", "id", newIndex.ID, "path", newIndex.RequestPath)
+				if err := c.db.Set(newIndex); err != nil {
+					errs = multierror.Append(errs, err)
+					continue
+				}
+			}
+		}
+
+		capabilityIndexes, err := storage.GetByType(ctx, cacheboltdb.TokenCapabilitiesType)
+		if err != nil {
+			errs = multierror.Append(errs, err)
+		} else {
+			for _, capabilityIndex := range capabilityIndexes {
+				newIndex, err := cachememdb.DeserializeCapabilitiesIndex(capabilityIndex)
+				if err != nil {
+					errs = multierror.Append(errs, err)
+					continue
+				}
+
+				c.logger.Trace("restoring capability index", "id", newIndex.ID)
+				if err := c.db.SetCapabilitiesIndex(newIndex); err != nil {
+					errs = multierror.Append(errs, err)
+					continue
+				}
+
+				if c.capabilityManager != nil {
+					c.capabilityManager.StartRenewingCapabilities(newIndex)
+				}
+			}
+		}
+	}
+
+	return errs.ErrorOrNil()
+}
+
+func (c *LeaseCache) restoreTokens(tokens [][]byte) error {
+	var errors *multierror.Error
+
+	for _, token := range tokens {
+		newIndex, err := cachememdb.Deserialize(token)
+		if err != nil {
+			errors = multierror.Append(errors, err)
+			continue
+		}
+		newIndex.RenewCtxInfo = c.createCtxInfo(nil)
+		if err := c.db.Set(newIndex); err != nil {
+			errors = multierror.Append(errors, err)
+			continue
+		}
+		c.logger.Trace("restored token", "id", newIndex.ID)
+	}
+
+	return errors.ErrorOrNil()
+}
+
+// restoreLeaseRenewCtx re-creates a RenewCtx for an index object and starts
+// the watcher go routine
+func (c *LeaseCache) restoreLeaseRenewCtx(index *cachememdb.Index) error {
+	if index.Response == nil {
+		return fmt.Errorf("cached response was nil for %s", index.ID)
+	}
+
+	// Parse the secret to determine which type it is
+	reader := bufio.NewReader(bytes.NewReader(index.Response))
+	resp, err := http.ReadResponse(reader, nil)
+	if err != nil {
+		c.logger.Error("failed to deserialize response", "error", err)
+		return err
+	}
+	secret, err := api.ParseSecret(resp.Body)
+	if err != nil {
+		c.logger.Error("failed to parse response as secret", "error", err)
+		return err
+	}
+
+	var renewCtxInfo *cachememdb.ContextInfo
+	switch {
+	case secret.LeaseID != "":
+		entry, err := c.db.Get(cachememdb.IndexNameToken, index.RequestToken)
+		if errors.Is(err, cachememdb.ErrCacheItemNotFound) {
+			return fmt.Errorf("could not find parent Token %s for req path %s", index.RequestToken, index.RequestPath)
+		}
+		if err != nil {
+			return err
+		}
+
+		// Derive a context for renewal using the token's context
+		renewCtxInfo = cachememdb.NewContextInfo(entry.RenewCtxInfo.Ctx)
+
+	case secret.Auth != nil:
+		var parentCtx context.Context
+		if !secret.Auth.Orphan {
+			entry, err := c.db.Get(cachememdb.IndexNameToken, index.RequestToken)
+			if errors.Is(err, cachememdb.ErrCacheItemNotFound) {
+				// If parent token is not managed by the cache, child shouldn't be
+				// either.
+				if entry == nil {
+					return fmt.Errorf("could not find parent Token %s for req path %s", index.RequestToken, index.RequestPath)
+				}
+			}
+			if err != nil {
+				return err
+			}
+
+			c.logger.Debug("setting parent context", "method", index.RequestMethod, "path", index.RequestPath)
+			parentCtx = entry.RenewCtxInfo.Ctx
+		}
+		renewCtxInfo = c.createCtxInfo(parentCtx)
+	default:
+		// This isn't a renewable cache entry, i.e. a static secret cache entry.
+		// We return, because there's nothing to do.
+		return nil
+	}
+
+	renewCtx := context.WithValue(renewCtxInfo.Ctx, contextIndexID, index.ID)
+	index.RenewCtxInfo = &cachememdb.ContextInfo{
+		Ctx:        renewCtx,
+		CancelFunc: renewCtxInfo.CancelFunc,
+		DoneCh:     renewCtxInfo.DoneCh,
+	}
+
+	sendReq := &SendRequest{
+		Token: index.RequestToken,
+		Request: &http.Request{
+			Header: index.RequestHeader,
+			Method: index.RequestMethod,
+			URL: &url.URL{
+				Path: index.RequestPath,
+			},
+		},
+	}
+	go c.startRenewing(renewCtx, index, sendReq, secret)
+
+	return nil
+}
+
+// deriveNamespaceAndRevocationPath returns the namespace and relative path for
+// revocation paths.
+//
+// If the path contains a namespace, but it's not a revocation path, it will be
+// returned as-is, since there's no way to tell where the namespace ends and
+// where the request path begins purely based off a string.
+//
+// Case 1: /v1/ns1/leases/revoke  -> ns1/, /v1/leases/revoke
+// Case 2: ns1/ /v1/leases/revoke -> ns1/, /v1/leases/revoke
+// Case 3: /v1/ns1/foo/bar  -> root/, /v1/ns1/foo/bar
+// Case 4: ns1/ /v1/foo/bar -> ns1/, /v1/foo/bar
+func deriveNamespaceAndRevocationPath(req *SendRequest) (string, string) {
+	namespace := "root/"
+	nsHeader := req.Request.Header.Get(consts.NamespaceHeaderName)
+	if nsHeader != "" {
+		namespace = nsHeader
+	}
+
+	fullPath := req.Request.URL.Path
+	nonVersionedPath := strings.TrimPrefix(fullPath, "/v1")
+
+	for _, pathToCheck := range revocationPaths {
+		// We use strings.Contains here for paths that can contain
+		// vars in the path, e.g. /v1/lease/revoke-prefix/:prefix
+		i := strings.Index(nonVersionedPath, pathToCheck)
+		// If there's no match, move on to the next check
+		if i == -1 {
+			continue
+		}
+
+		// If the index is 0, this is a relative path with no namespace preppended,
+		// so we can break early
+		if i == 0 {
+			break
+		}
+
+		// We need to turn /ns1 into ns1/, this makes it easy
+		namespaceInPath := nshelper.Canonicalize(nonVersionedPath[:i])
+
+		// If it's root, we replace, otherwise we join
+		if namespace == "root/" {
+			namespace = namespaceInPath
+		} else {
+			namespace = namespace + namespaceInPath
+		}
+
+		return namespace, fmt.Sprintf("/v1%s", nonVersionedPath[i:])
+	}
+
+	return namespace, fmt.Sprintf("/v1%s", nonVersionedPath)
+}
+
+// RegisterAutoAuthToken adds the provided auto-token into the cache. This is
+// primarily used to register the auto-auth token and should only be called
+// within a sink's WriteToken func.
+func (c *LeaseCache) RegisterAutoAuthToken(token string) error {
+	// Get the token from the cache
+	oldIndex, err := c.db.Get(cachememdb.IndexNameToken, token)
+	if err != nil && err != cachememdb.ErrCacheItemNotFound {
+		return err
+	}
+
+	// If the index is found, just keep it in the cache and ignore the incoming
+	// token (since they're the same)
+	if oldIndex != nil {
+		c.logger.Trace("auto-auth token already exists in cache; no need to store it again")
+		return nil
+	}
+
+	// The following randomly generated values are required for index stored by
+	// the cache, but are not actually used. We use random values to prevent
+	// accidental access.
+	id, err := base62.Random(5)
+	if err != nil {
+		return err
+	}
+	namespace, err := base62.Random(5)
 	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
+		return err
+	}
+	requestPath, err := base62.Random(5)
+	if err != nil {
+		return err
+	}
+
+	index := &cachememdb.Index{
+		ID:          id,
+		Token:       token,
+		Namespace:   namespace,
+		RequestPath: requestPath,
+		Type:        cacheboltdb.TokenType,
+	}
+
+	// Derive a context off of the lease cache's base context
+	ctxInfo := c.createCtxInfo(nil)
+
+	index.RenewCtxInfo = &cachememdb.ContextInfo{
+		Ctx:        ctxInfo.Ctx,
+		CancelFunc: ctxInfo.CancelFunc,
+		DoneCh:     ctxInfo.DoneCh,
 	}
 
-	// Rotate the key
-	err = client.Sys().Rotate()
+	// Store the index in the cache
+	c.logger.Debug("storing auto-auth token into the cache")
+	err = c.Set(c.baseCtxInfo.Ctx, index)
 	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error rotating key: %s", err))
-		return 2
+		c.logger.Error("failed to cache the auto-auth token", "error", err)
+		return err
+	}
+
+	return nil
+}
+
+type cacheClearInput struct {
+	Type string
+
+	RequestPath   string
+	Namespace     string
+	Token         string
+	TokenAccessor string
+	Lease         string
+}
+
+func parseCacheClearInput(req *cacheClearRequest) (*cacheClearInput, error) {
+	if req == nil {
+		return nil, errors.New("nil request options provided")
 	}
 
-	// Print the key status
-	status, err := client.Sys().KeyStatus()
+	if req.Type == "" {
+		return nil, errors.New("no type provided")
+	}
+
+	in := &cacheClearInput{
+		Type:      req.Type,
+		Namespace: req.Namespace,
+	}
+
+	switch req.Type {
+	case "request_path":
+		in.RequestPath = req.Value
+	case "token":
+		in.Token = req.Value
+	case "token_accessor":
+		in.TokenAccessor = req.Value
+	case "lease":
+		in.Lease = req.Value
+	}
+
+	return in, nil
+}
+
+func (c *LeaseCache) hasExpired(currentTime time.Time, index *cachememdb.Index) (bool, error) {
+	reader := bufio.NewReader(bytes.NewReader(index.Response))
+	resp, err := http.ReadResponse(reader, nil)
+	if err != nil {
+		return false, fmt.Errorf("failed to deserialize response: %w", err)
+	}
+	secret, err := api.ParseSecret(resp.Body)
 	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error reading key status: %s", err))
-		return 2
+		return false, fmt.Errorf("failed to parse response as secret: %w", err)
 	}
 
-	switch Format(c.UI) {
-	case "table":
-		c.UI.Output("Success! Rotated key")
-		c.UI.Output("")
-		c.UI.Output(printKeyStatus(status))
-		return 0
+	elapsed := currentTime.Sub(index.LastRenewed)
+	var leaseDuration int
+	switch {
+	case secret.LeaseID != "":
+		leaseDuration = secret.LeaseDuration
+	case secret.Auth != nil:
+		leaseDuration = secret.Auth.LeaseDuration
 	default:
-		return OutputData(c.UI, status)
+		return false, errors.New("secret without lease encountered in expiration check")
+	}
+
+	if int(elapsed.Seconds()) > leaseDuration {
+		c.logger.Trace("secret has expired", "id", index.ID, "elapsed", elapsed, "lease duration", leaseDuration)
+		return true, nil
 	}
+	return false, nil
 }
diff --git a/command/rotate_test.go b/command/rotate_test.go
index b591b5f73e15..51b7aab60415 100644
--- a/command/rotate_test.go
+++ b/command/rotate_test.go
@@ -4,122 +4,91 @@
 package command
 
 import (
+	"fmt"
 	"strings"
-	"testing"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
 )
 
-func testOperatorRotateCommand(tb testing.TB) (*cli.MockUi, *OperatorRotateCommand) {
-	tb.Helper()
+var (
+	_ cli.Command             = (*LeaseLookupCommand)(nil)
+	_ cli.CommandAutocomplete = (*LeaseLookupCommand)(nil)
+)
 
-	ui := cli.NewMockUi()
-	return ui, &OperatorRotateCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
+type LeaseLookupCommand struct {
+	*BaseCommand
+}
+
+func (c *LeaseLookupCommand) Synopsis() string {
+	return "Lookup the lease of a secret"
+}
+
+func (c *LeaseLookupCommand) Help() string {
+	helpText := `
+Usage: vault lease lookup ID
+
+  Lookup the lease information of a secret.
+
+  Every secret in Vault has a lease associated with it. Users can look up
+  information on the lease by referencing the lease ID.
+
+  Lookup lease of a secret:
+
+      $ vault lease lookup database/creds/readonly/2f6a614c...
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *LeaseLookupCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+
+	return set
+}
+
+func (c *LeaseLookupCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictAnything
 }
 
-func TestOperatorRotateCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"too_many_args",
-			[]string{"abcd1234"},
-			"Too many arguments",
-			1,
-		},
+func (c *LeaseLookupCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *LeaseLookupCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	leaseID := ""
+
+	args = f.Args()
+	switch len(args) {
+	case 0:
+		c.UI.Error("Missing ID!")
+		return 1
+	case 1:
+		leaseID = strings.TrimSpace(args[0])
+	default:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	secret, err := client.Sys().Lookup(leaseID)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("error looking up lease id %s: %s", leaseID, err))
+		return 2
 	}
 
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, tc := range cases {
-			tc := tc
-
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
-
-				client, closer := testVaultServer(t)
-				defer closer()
-
-				ui, cmd := testOperatorRotateCommand(t)
-				cmd.client = client
-
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
-	})
-
-	t.Run("default", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		ui, cmd := testOperatorRotateCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Success! Rotated key"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-
-		status, err := client.Sys().KeyStatus()
-		if err != nil {
-			t.Fatal(err)
-		}
-		if exp := 1; status.Term < exp {
-			t.Errorf("expected %d to be less than %d", status.Term, exp)
-		}
-	})
-
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerBad(t)
-		defer closer()
-
-		ui, cmd := testOperatorRotateCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Error rotating key: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testOperatorRotateCommand(t)
-		assertNoTabs(t, cmd)
-	})
+	return OutputSecret(c.UI, secret)
 }
diff --git a/command/secrets.go b/command/secrets.go
index f3a6d9074327..2c9b81caf5fa 100644
--- a/command/secrets.go
+++ b/command/secrets.go
@@ -5,42 +5,99 @@ package command
 
 import (
 	"strings"
+	"testing"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
 )
 
-var _ cli.Command = (*SecretsCommand)(nil)
+func testLeaseLookupCommand(tb testing.TB) (*cli.MockUi, *LeaseLookupCommand) {
+	tb.Helper()
 
-type SecretsCommand struct {
-	*BaseCommand
+	ui := cli.NewMockUi()
+	return ui, &LeaseLookupCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
 }
 
-func (c *SecretsCommand) Synopsis() string {
-	return "Interact with secrets engines"
+// testLeaseLookupCommandMountAndLease mounts a leased secret backend and returns
+// the leaseID of an item.
+func testLeaseLookupCommandMountAndLease(tb testing.TB, client *api.Client) string {
+	if err := client.Sys().Mount("testing", &api.MountInput{
+		Type: "generic-leased",
+	}); err != nil {
+		tb.Fatal(err)
+	}
+
+	if _, err := client.Logical().Write("testing/foo", map[string]interface{}{
+		"key":   "value",
+		"lease": "5m",
+	}); err != nil {
+		tb.Fatal(err)
+	}
+
+	// Read the secret back to get the leaseID
+	secret, err := client.Logical().Read("testing/foo")
+	if err != nil {
+		tb.Fatal(err)
+	}
+	if secret == nil || secret.LeaseID == "" {
+		tb.Fatalf("missing secret or lease: %#v", secret)
+	}
+
+	return secret.LeaseID
 }
 
-func (c *SecretsCommand) Help() string {
-	helpText := `
-Usage: vault secrets <subcommand> [options] [args]
+// TestLeaseLookupCommand_Run tests basic lookup
+func TestLeaseLookupCommand_Run(t *testing.T) {
+	t.Parallel()
 
-  This command groups subcommands for interacting with Vault's secrets engines.
-  Each secret engine behaves differently. Please see the documentation for
-  more information.
+	t.Run("empty", func(t *testing.T) {
+		t.Parallel()
 
-  List all enabled secrets engines:
+		client, closer := testVaultServer(t)
+		defer closer()
 
-      $ vault secrets list
+		_ = testLeaseLookupCommandMountAndLease(t, client)
 
-  Enable a new secrets engine:
+		ui, cmd := testLeaseLookupCommand(t)
+		cmd.client = client
 
-      $ vault secrets enable database
+		code := cmd.Run(nil)
+		if exp := 1; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
 
-  Please see the individual subcommand help for detailed usage information.
-`
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		expectedMsg := "Missing ID!"
+		if !strings.Contains(combined, expectedMsg) {
+			t.Errorf("expected %q to contain %q", combined, expectedMsg)
+		}
+	})
 
-	return strings.TrimSpace(helpText)
-}
+	t.Run("integration", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		leaseID := testLeaseLookupCommandMountAndLease(t, client)
+
+		_, cmd := testLeaseLookupCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{leaseID})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
 
-func (c *SecretsCommand) Run(args []string) int {
-	return cli.RunResultHelp
+		_, cmd := testLeaseLookupCommand(t)
+		assertNoTabs(t, cmd)
+	})
 }
diff --git a/command/secrets_disable.go b/command/secrets_disable.go
index b99e3c7193ef..b0671c379682 100644
--- a/command/secrets_disable.go
+++ b/command/secrets_disable.go
@@ -6,54 +6,79 @@ package command
 import (
 	"fmt"
 	"strings"
+	"time"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
 	"github.com/posener/complete"
 )
 
 var (
-	_ cli.Command             = (*SecretsDisableCommand)(nil)
-	_ cli.CommandAutocomplete = (*SecretsDisableCommand)(nil)
+	_ cli.Command             = (*LeaseRenewCommand)(nil)
+	_ cli.CommandAutocomplete = (*LeaseRenewCommand)(nil)
 )
 
-type SecretsDisableCommand struct {
+type LeaseRenewCommand struct {
 	*BaseCommand
+
+	flagIncrement time.Duration
 }
 
-func (c *SecretsDisableCommand) Synopsis() string {
-	return "Disable a secret engine"
+func (c *LeaseRenewCommand) Synopsis() string {
+	return "Renews the lease of a secret"
 }
 
-func (c *SecretsDisableCommand) Help() string {
+func (c *LeaseRenewCommand) Help() string {
 	helpText := `
-Usage: vault secrets disable [options] PATH
+Usage: vault lease renew [options] ID
+
+  Renews the lease on a secret, extending the time that it can be used before
+  it is revoked by Vault.
+
+  Every secret in Vault has a lease associated with it. If the owner of the
+  secret wants to use it longer than the lease, then it must be renewed.
+  Renewing the lease does not change the contents of the secret. The ID is the
+  full path lease ID.
+
+  Renew a secret:
 
-  Disables a secrets engine at the given PATH. The argument corresponds to
-  the enabled PATH of the engine, not the TYPE! All secrets created by this
-  engine are revoked and its Vault data is removed.
+      $ vault lease renew database/creds/readonly/2f6a614c...
 
-  Disable the secrets engine enabled at aws/:
+  Lease renewal will fail if the secret is not renewable, the secret has already
+  been revoked, or if the secret has already reached its maximum TTL.
 
-      $ vault secrets disable aws/
+  For a full list of examples, please see the documentation.
 
 ` + c.Flags().Help()
 
 	return strings.TrimSpace(helpText)
 }
 
-func (c *SecretsDisableCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP)
+func (c *LeaseRenewCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+	f := set.NewFlagSet("Command Options")
+
+	f.DurationVar(&DurationVar{
+		Name:       "increment",
+		Target:     &c.flagIncrement,
+		Default:    0,
+		EnvVar:     "",
+		Completion: complete.PredictAnything,
+		Usage: "Request a specific increment in seconds. Vault is not required " +
+			"to honor this request.",
+	})
+
+	return set
 }
 
-func (c *SecretsDisableCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultMounts()
+func (c *LeaseRenewCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictAnything
 }
 
-func (c *SecretsDisableCommand) AutocompleteFlags() complete.Flags {
+func (c *LeaseRenewCommand) AutocompleteFlags() complete.Flags {
 	return c.Flags().Completions()
 }
 
-func (c *SecretsDisableCommand) Run(args []string) int {
+func (c *LeaseRenewCommand) Run(args []string) int {
 	f := c.Flags()
 
 	if err := f.Parse(args); err != nil {
@@ -61,13 +86,18 @@ func (c *SecretsDisableCommand) Run(args []string) int {
 		return 1
 	}
 
+	leaseID := ""
+	increment := c.flagIncrement
+
 	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+	switch len(args) {
+	case 0:
+		c.UI.Error("Missing ID!")
 		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+	case 1:
+		leaseID = strings.TrimSpace(args[0])
+	default:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1-2, got %d)", len(args)))
 		return 1
 	}
 
@@ -77,13 +107,11 @@ func (c *SecretsDisableCommand) Run(args []string) int {
 		return 2
 	}
 
-	path := ensureTrailingSlash(sanitizePath(args[0]))
-
-	if err := client.Sys().Unmount(path); err != nil {
-		c.UI.Error(fmt.Sprintf("Error disabling secrets engine at %s: %s", path, err))
+	secret, err := client.Sys().Renew(leaseID, truncateToSeconds(increment))
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error renewing %s: %s", leaseID, err))
 		return 2
 	}
 
-	c.UI.Output(fmt.Sprintf("Success! Disabled the secrets engine (if it existed) at: %s", path))
-	return 0
+	return OutputSecret(c.UI, secret)
 }
diff --git a/command/secrets_disable_test.go b/command/secrets_disable_test.go
index 40058ec2f0fa..eac098fe4634 100644
--- a/command/secrets_disable_test.go
+++ b/command/secrets_disable_test.go
@@ -7,22 +7,50 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/hashicorp/cli"
 	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
 )
 
-func testSecretsDisableCommand(tb testing.TB) (*cli.MockUi, *SecretsDisableCommand) {
+func testLeaseRenewCommand(tb testing.TB) (*cli.MockUi, *LeaseRenewCommand) {
 	tb.Helper()
 
 	ui := cli.NewMockUi()
-	return ui, &SecretsDisableCommand{
+	return ui, &LeaseRenewCommand{
 		BaseCommand: &BaseCommand{
 			UI: ui,
 		},
 	}
 }
 
-func TestSecretsDisableCommand_Run(t *testing.T) {
+// testLeaseRenewCommandMountAndLease mounts a leased secret backend and returns
+// the leaseID of an item.
+func testLeaseRenewCommandMountAndLease(tb testing.TB, client *api.Client) string {
+	if err := client.Sys().Mount("testing", &api.MountInput{
+		Type: "generic-leased",
+	}); err != nil {
+		tb.Fatal(err)
+	}
+
+	if _, err := client.Logical().Write("testing/foo", map[string]interface{}{
+		"key":   "value",
+		"lease": "5m",
+	}); err != nil {
+		tb.Fatal(err)
+	}
+
+	// Read the secret back to get the leaseID
+	secret, err := client.Logical().Read("testing/foo")
+	if err != nil {
+		tb.Fatal(err)
+	}
+	if secret == nil || secret.LeaseID == "" {
+		tb.Fatalf("missing secret or lease: %#v", secret)
+	}
+
+	return secret.LeaseID
+}
+
+func TestLeaseRenewCommand_Run(t *testing.T) {
 	t.Parallel()
 
 	cases := []struct {
@@ -32,32 +60,26 @@ func TestSecretsDisableCommand_Run(t *testing.T) {
 		code int
 	}{
 		{
-			"not_enough_args",
-			[]string{},
-			"Not enough arguments",
-			1,
-		},
-		{
-			"too_many_args",
-			[]string{"foo", "bar"},
-			"Too many arguments",
+			"empty",
+			nil,
+			"Missing ID!",
 			1,
 		},
 		{
-			"not_real",
-			[]string{"not_real"},
-			"Success! Disabled the secrets engine (if it existed) at: not_real/",
+			"increment",
+			[]string{"-increment", "60s"},
+			"foo",
 			0,
 		},
 		{
-			"default",
-			[]string{"secret"},
-			"Success! Disabled the secrets engine (if it existed) at: secret/",
+			"increment_no_suffix",
+			[]string{"-increment", "60"},
+			"foo",
 			0,
 		},
 	}
 
-	t.Run("validations", func(t *testing.T) {
+	t.Run("group", func(t *testing.T) {
 		t.Parallel()
 
 		for _, tc := range cases {
@@ -69,9 +91,14 @@ func TestSecretsDisableCommand_Run(t *testing.T) {
 				client, closer := testVaultServer(t)
 				defer closer()
 
-				ui, cmd := testSecretsDisableCommand(t)
+				leaseID := testLeaseRenewCommandMountAndLease(t, client)
+
+				ui, cmd := testLeaseRenewCommand(t)
 				cmd.client = client
 
+				if tc.args != nil {
+					tc.args = append(tc.args, leaseID)
+				}
 				code := cmd.Run(tc.args)
 				if code != tc.code {
 					t.Errorf("expected %d to be %d", code, tc.code)
@@ -91,36 +118,15 @@ func TestSecretsDisableCommand_Run(t *testing.T) {
 		client, closer := testVaultServer(t)
 		defer closer()
 
-		if err := client.Sys().Mount("my-secret/", &api.MountInput{
-			Type: "generic",
-		}); err != nil {
-			t.Fatal(err)
-		}
+		leaseID := testLeaseRenewCommandMountAndLease(t, client)
 
-		ui, cmd := testSecretsDisableCommand(t)
+		_, cmd := testLeaseRenewCommand(t)
 		cmd.client = client
 
-		code := cmd.Run([]string{
-			"my-secret/",
-		})
+		code := cmd.Run([]string{leaseID})
 		if exp := 0; code != exp {
 			t.Errorf("expected %d to be %d", code, exp)
 		}
-
-		expected := "Success! Disabled the secrets engine (if it existed) at: my-secret/"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-
-		mounts, err := client.Sys().ListMounts()
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		if _, ok := mounts["integration_unmount"]; ok {
-			t.Errorf("expected mount to not exist: %#v", mounts)
-		}
 	})
 
 	t.Run("communication_failure", func(t *testing.T) {
@@ -129,17 +135,17 @@ func TestSecretsDisableCommand_Run(t *testing.T) {
 		client, closer := testVaultServerBad(t)
 		defer closer()
 
-		ui, cmd := testSecretsDisableCommand(t)
+		ui, cmd := testLeaseRenewCommand(t)
 		cmd.client = client
 
 		code := cmd.Run([]string{
-			"pki/",
+			"foo/bar",
 		})
 		if exp := 2; code != exp {
 			t.Errorf("expected %d to be %d", code, exp)
 		}
 
-		expected := "Error disabling secrets engine at pki/: "
+		expected := "Error renewing foo/bar: "
 		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
 		if !strings.Contains(combined, expected) {
 			t.Errorf("expected %q to contain %q", combined, expected)
@@ -149,7 +155,7 @@ func TestSecretsDisableCommand_Run(t *testing.T) {
 	t.Run("no_tabs", func(t *testing.T) {
 		t.Parallel()
 
-		_, cmd := testSecretsDisableCommand(t)
+		_, cmd := testLeaseRenewCommand(t)
 		assertNoTabs(t, cmd)
 	})
 }
diff --git a/command/secrets_enable.go b/command/secrets_enable.go
index 2388234c5f4c..59a09de597e8 100644
--- a/command/secrets_enable.go
+++ b/command/secrets_enable.go
@@ -4,242 +4,107 @@
 package command
 
 import (
-	"flag"
 	"fmt"
-	"strconv"
 	"strings"
-	"time"
 
+	"github.com/hashicorp/cli"
 	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
 	"github.com/posener/complete"
 )
 
 var (
-	_ cli.Command             = (*SecretsEnableCommand)(nil)
-	_ cli.CommandAutocomplete = (*SecretsEnableCommand)(nil)
+	_ cli.Command             = (*LeaseRevokeCommand)(nil)
+	_ cli.CommandAutocomplete = (*LeaseRevokeCommand)(nil)
 )
 
-type SecretsEnableCommand struct {
+type LeaseRevokeCommand struct {
 	*BaseCommand
 
-	flagDescription               string
-	flagPath                      string
-	flagDefaultLeaseTTL           time.Duration
-	flagMaxLeaseTTL               time.Duration
-	flagAuditNonHMACRequestKeys   []string
-	flagAuditNonHMACResponseKeys  []string
-	flagListingVisibility         string
-	flagPassthroughRequestHeaders []string
-	flagAllowedResponseHeaders    []string
-	flagForceNoCache              bool
-	flagPluginName                string
-	flagPluginVersion             string
-	flagOptions                   map[string]string
-	flagLocal                     bool
-	flagSealWrap                  bool
-	flagExternalEntropyAccess     bool
-	flagVersion                   int
-	flagAllowedManagedKeys        []string
+	flagForce  bool
+	flagPrefix bool
+	flagSync   bool
 }
 
-func (c *SecretsEnableCommand) Synopsis() string {
-	return "Enable a secrets engine"
+func (c *LeaseRevokeCommand) Synopsis() string {
+	return "Revokes leases and secrets"
 }
 
-func (c *SecretsEnableCommand) Help() string {
+func (c *LeaseRevokeCommand) Help() string {
 	helpText := `
-Usage: vault secrets enable [options] TYPE
+Usage: vault lease revoke [options] ID
 
-  Enables a secrets engine. By default, secrets engines are enabled at the path
-  corresponding to their TYPE, but users can customize the path using the
-  -path option.
+  Revokes secrets by their lease ID. This command can revoke a single secret
+  or multiple secrets based on a path-matched prefix.
 
-  Once enabled, Vault will route all requests which begin with the path to the
-  secrets engine.
+  The default behavior when not using -force is to revoke asynchronously; Vault
+  will queue the revocation and keep trying if it fails (including across
+  restarts). The -sync flag can be used to force a synchronous operation, but
+  it is then up to the caller to retry on failure. Force mode always operates
+  synchronously.
 
-  Enable the AWS secrets engine at aws/:
+  Revoke a single lease:
 
-      $ vault secrets enable aws
+      $ vault lease revoke database/creds/readonly/2f6a614c...
 
-  Enable the SSH secrets engine at ssh-prod/:
+  Revoke all leases for a role:
 
-      $ vault secrets enable -path=ssh-prod ssh
+      $ vault lease revoke -prefix aws/creds/deploy
 
-  Enable the database secrets engine with an explicit maximum TTL of 30m:
+  Force delete leases from Vault even if secret engine revocation fails:
 
-      $ vault secrets enable -max-lease-ttl=30m database
+      $ vault lease revoke -force -prefix consul/creds
 
-  Enable a custom plugin (after it is registered in the plugin registry):
-
-      $ vault secrets enable -path=my-secrets -plugin-name=my-plugin plugin
-
-  OR (preferred way):
-
-      $ vault secrets enable -path=my-secrets my-plugin
-
-  For a full list of secrets engines and examples, please see the documentation.
+  For a full list of examples and paths, please see the documentation that
+  corresponds to the secret engine in use.
 
 ` + c.Flags().Help()
 
 	return strings.TrimSpace(helpText)
 }
 
-func (c *SecretsEnableCommand) Flags() *FlagSets {
+func (c *LeaseRevokeCommand) Flags() *FlagSets {
 	set := c.flagSet(FlagSetHTTP)
-
 	f := set.NewFlagSet("Command Options")
 
-	f.StringVar(&StringVar{
-		Name:       "description",
-		Target:     &c.flagDescription,
-		Completion: complete.PredictAnything,
-		Usage:      "Human-friendly description for the purpose of this engine.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "path",
-		Target:     &c.flagPath,
-		Default:    "", // The default is complex, so we have to manually document
-		Completion: complete.PredictAnything,
-		Usage: "Place where the secrets engine will be accessible. This must be " +
-			"unique cross all secrets engines. This defaults to the \"type\" of the " +
-			"secrets engine.",
-	})
-
-	f.DurationVar(&DurationVar{
-		Name:       "default-lease-ttl",
-		Target:     &c.flagDefaultLeaseTTL,
-		Completion: complete.PredictAnything,
-		Usage: "The default lease TTL for this secrets engine. If unspecified, " +
-			"this defaults to the Vault server's globally configured default lease " +
-			"TTL.",
-	})
-
-	f.DurationVar(&DurationVar{
-		Name:       "max-lease-ttl",
-		Target:     &c.flagMaxLeaseTTL,
-		Completion: complete.PredictAnything,
-		Usage: "The maximum lease TTL for this secrets engine. If unspecified, " +
-			"this defaults to the Vault server's globally configured maximum lease " +
-			"TTL.",
-	})
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:   flagNameAuditNonHMACRequestKeys,
-		Target: &c.flagAuditNonHMACRequestKeys,
-		Usage: "Key that will not be HMAC'd by audit devices in the request data object. " +
-			"To specify multiple values, specify this flag multiple times.",
-	})
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:   flagNameAuditNonHMACResponseKeys,
-		Target: &c.flagAuditNonHMACResponseKeys,
-		Usage: "Key that will not be HMAC'd by audit devices in the response data object. " +
-			"To specify multiple values, specify this flag multiple times.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:   flagNameListingVisibility,
-		Target: &c.flagListingVisibility,
-		Usage:  "Determines the visibility of the mount in the UI-specific listing endpoint.",
-	})
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:   flagNamePassthroughRequestHeaders,
-		Target: &c.flagPassthroughRequestHeaders,
-		Usage: "Request header value that will be sent to the plugins. To specify multiple " +
-			"values, specify this flag multiple times.",
-	})
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:   flagNameAllowedResponseHeaders,
-		Target: &c.flagAllowedResponseHeaders,
-		Usage: "Response header value that plugins will be allowed to set. To specify multiple " +
-			"values, specify this flag multiple times.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "force-no-cache",
-		Target:  &c.flagForceNoCache,
-		Default: false,
-		Usage: "Force the secrets engine to disable caching. If unspecified, this " +
-			"defaults to the Vault server's globally configured cache settings. " +
-			"This does not affect caching of the underlying encrypted data storage.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "plugin-name",
-		Target:     &c.flagPluginName,
-		Completion: c.PredictVaultPlugins(api.PluginTypeSecrets, api.PluginTypeDatabase),
-		Usage: "Name of the secrets engine plugin. This plugin name must already " +
-			"exist in Vault's plugin catalog.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:    flagNamePluginVersion,
-		Target:  &c.flagPluginVersion,
-		Default: "",
-		Usage:   "Select the semantic version of the plugin to enable.",
-	})
-
-	f.StringMapVar(&StringMapVar{
-		Name:       "options",
-		Target:     &c.flagOptions,
-		Completion: complete.PredictAnything,
-		Usage: "Key-value pair provided as key=value for the mount options. " +
-			"This can be specified multiple times.",
-	})
-
 	f.BoolVar(&BoolVar{
-		Name:    "local",
-		Target:  &c.flagLocal,
+		Name:    "force",
+		Aliases: []string{"f"},
+		Target:  &c.flagForce,
 		Default: false,
-		Usage: "Mark the secrets engine as local-only. Local engines are not " +
-			"replicated or removed by replication.",
+		Usage: "Delete the lease from Vault even if the secret engine revocation " +
+			"fails. This is meant for recovery situations where the secret " +
+			"in the target secret engine was manually removed. If this flag is " +
+			"specified, -prefix is also required.",
 	})
 
 	f.BoolVar(&BoolVar{
-		Name:    "seal-wrap",
-		Target:  &c.flagSealWrap,
+		Name:    "prefix",
+		Target:  &c.flagPrefix,
 		Default: false,
-		Usage:   "Enable seal wrapping of critical values in the secrets engine.",
+		Usage: "Treat the ID as a prefix instead of an exact lease ID. This can " +
+			"revoke multiple leases simultaneously.",
 	})
 
 	f.BoolVar(&BoolVar{
-		Name:    "external-entropy-access",
-		Target:  &c.flagExternalEntropyAccess,
+		Name:    "sync",
+		Target:  &c.flagSync,
 		Default: false,
-		Usage:   "Enable secrets engine to access Vault's external entropy source.",
-	})
-
-	f.IntVar(&IntVar{
-		Name:    "version",
-		Target:  &c.flagVersion,
-		Default: 0,
-		Usage:   "Select the version of the engine to run. Not supported by all engines.",
-	})
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:   flagNameAllowedManagedKeys,
-		Target: &c.flagAllowedManagedKeys,
-		Usage: "Managed key name(s) that the mount in question is allowed to access. " +
-			"Note that multiple keys may be specified by providing this option multiple times, " +
-			"each time with 1 key.",
+		Usage: "Force a synchronous operation; on failure it is up to the client " +
+			"to retry.",
 	})
 
 	return set
 }
 
-func (c *SecretsEnableCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultAvailableMounts()
+func (c *LeaseRevokeCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultFiles()
 }
 
-func (c *SecretsEnableCommand) AutocompleteFlags() complete.Flags {
+func (c *LeaseRevokeCommand) AutocompleteFlags() complete.Flags {
 	return c.Flags().Completions()
 }
 
-func (c *SecretsEnableCommand) Run(args []string) int {
+func (c *LeaseRevokeCommand) Run(args []string) int {
 	f := c.Flags()
 
 	if err := f.Parse(args); err != nil {
@@ -257,97 +122,60 @@ func (c *SecretsEnableCommand) Run(args []string) int {
 		return 1
 	}
 
+	if c.flagForce && !c.flagPrefix {
+		c.UI.Error("Specifying -force requires also specifying -prefix")
+		return 1
+	}
+
 	client, err := c.Client()
 	if err != nil {
 		c.UI.Error(err.Error())
 		return 2
 	}
 
-	// Get the engine type type (first arg)
-	engineType := strings.TrimSpace(args[0])
-	if engineType == "plugin" {
-		engineType = c.flagPluginName
+	leaseID := strings.TrimSpace(args[0])
+
+	revokeOpts := &api.RevokeOptions{
+		LeaseID: leaseID,
+		Force:   c.flagForce,
+		Prefix:  c.flagPrefix,
+		Sync:    c.flagSync,
 	}
 
-	// If no path is specified, we default the path to the backend type
-	// or use the plugin name if it's a plugin backend
-	mountPath := c.flagPath
-	if mountPath == "" {
-		if engineType == "plugin" {
-			mountPath = c.flagPluginName
-		} else {
-			mountPath = engineType
-		}
+	if c.flagForce {
+		c.UI.Warn(wrapAtLength("Warning! Force-removing leases can cause Vault " +
+			"to become out of sync with secret engines!"))
 	}
 
-	if c.flagVersion > 0 {
-		if c.flagOptions == nil {
-			c.flagOptions = make(map[string]string)
+	err = client.Sys().RevokeWithOptions(revokeOpts)
+	if err != nil {
+		switch {
+		case c.flagForce:
+			c.UI.Error(fmt.Sprintf("Error force revoking leases with prefix %s: %s", leaseID, err))
+			return 2
+		case c.flagPrefix:
+			c.UI.Error(fmt.Sprintf("Error revoking leases with prefix %s: %s", leaseID, err))
+			return 2
+		default:
+			c.UI.Error(fmt.Sprintf("Error revoking lease %s: %s", leaseID, err))
+			return 2
 		}
-		c.flagOptions["version"] = strconv.Itoa(c.flagVersion)
 	}
 
-	// Append a trailing slash to indicate it's a path in output
-	mountPath = ensureTrailingSlash(mountPath)
-
-	// Build mount input
-	mountInput := &api.MountInput{
-		Type:                  engineType,
-		Description:           c.flagDescription,
-		Local:                 c.flagLocal,
-		SealWrap:              c.flagSealWrap,
-		ExternalEntropyAccess: c.flagExternalEntropyAccess,
-		Config: api.MountConfigInput{
-			DefaultLeaseTTL: c.flagDefaultLeaseTTL.String(),
-			MaxLeaseTTL:     c.flagMaxLeaseTTL.String(),
-			ForceNoCache:    c.flagForceNoCache,
-		},
-		Options: c.flagOptions,
+	if c.flagForce {
+		c.UI.Output(fmt.Sprintf("Success! Force revoked any leases with prefix: %s", leaseID))
+		return 0
 	}
 
-	// Set these values only if they are provided in the CLI
-	f.Visit(func(fl *flag.Flag) {
-		if fl.Name == flagNameAuditNonHMACRequestKeys {
-			mountInput.Config.AuditNonHMACRequestKeys = c.flagAuditNonHMACRequestKeys
-		}
-
-		if fl.Name == flagNameAuditNonHMACResponseKeys {
-			mountInput.Config.AuditNonHMACResponseKeys = c.flagAuditNonHMACResponseKeys
+	if c.flagSync {
+		if c.flagPrefix {
+			c.UI.Output(fmt.Sprintf("Success! Revoked any leases with prefix: %s", leaseID))
+			return 0
 		}
-
-		if fl.Name == flagNameListingVisibility {
-			mountInput.Config.ListingVisibility = c.flagListingVisibility
-		}
-
-		if fl.Name == flagNamePassthroughRequestHeaders {
-			mountInput.Config.PassthroughRequestHeaders = c.flagPassthroughRequestHeaders
-		}
-
-		if fl.Name == flagNameAllowedResponseHeaders {
-			mountInput.Config.AllowedResponseHeaders = c.flagAllowedResponseHeaders
-		}
-
-		if fl.Name == flagNameAllowedManagedKeys {
-			mountInput.Config.AllowedManagedKeys = c.flagAllowedManagedKeys
-		}
-
-		if fl.Name == flagNamePluginVersion {
-			mountInput.Config.PluginVersion = c.flagPluginVersion
-		}
-	})
-
-	if err := client.Sys().Mount(mountPath, mountInput); err != nil {
-		c.UI.Error(fmt.Sprintf("Error enabling: %s", err))
-		return 2
+		c.UI.Output(fmt.Sprintf("Success! Revoked lease: %s", leaseID))
+		return 0
 	}
 
-	thing := engineType + " secrets engine"
-	if engineType == "plugin" {
-		thing = c.flagPluginName + " plugin"
-	}
-	if c.flagPluginVersion != "" {
-		thing += " version " + c.flagPluginVersion
-	}
-	c.UI.Output(fmt.Sprintf("Success! Enabled the %s at: %s", thing, mountPath))
+	c.UI.Output("All revocation operations queued successfully!")
 	return 0
 }
diff --git a/command/secrets_enable_test.go b/command/secrets_enable_test.go
index 488d25d369df..aeb9987e7ddd 100644
--- a/command/secrets_enable_test.go
+++ b/command/secrets_enable_test.go
@@ -4,33 +4,25 @@
 package command
 
 import (
-	"errors"
-	"io/ioutil"
-	"os"
-	"sort"
 	"strings"
 	"testing"
 
-	"github.com/go-test/deep"
-	"github.com/google/go-cmp/cmp"
-	"github.com/hashicorp/go-secure-stdlib/strutil"
-	"github.com/hashicorp/vault/helper/builtinplugins"
-	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
 )
 
-func testSecretsEnableCommand(tb testing.TB) (*cli.MockUi, *SecretsEnableCommand) {
+func testLeaseRevokeCommand(tb testing.TB) (*cli.MockUi, *LeaseRevokeCommand) {
 	tb.Helper()
 
 	ui := cli.NewMockUi()
-	return ui, &SecretsEnableCommand{
+	return ui, &LeaseRevokeCommand{
 		BaseCommand: &BaseCommand{
 			UI: ui,
 		},
 	}
 }
 
-func TestSecretsEnableCommand_Run(t *testing.T) {
+func TestLeaseRevokeCommand_Run(t *testing.T) {
 	t.Parallel()
 
 	cases := []struct {
@@ -40,135 +32,88 @@ func TestSecretsEnableCommand_Run(t *testing.T) {
 		code int
 	}{
 		{
-			"not_enough_args",
-			[]string{},
-			"Not enough arguments",
+			"force_without_prefix",
+			[]string{"-force"},
+			"requires also specifying -prefix",
 			1,
 		},
 		{
-			"too_many_args",
-			[]string{"foo", "bar"},
-			"Too many arguments",
-			1,
+			"single",
+			nil,
+			"All revocation operations queued successfully",
+			0,
 		},
 		{
-			"not_a_valid_mount",
-			[]string{"nope_definitely_not_a_valid_mount_like_ever"},
-			"",
-			2,
+			"single_sync",
+			[]string{"-sync"},
+			"Success",
+			0,
 		},
 		{
-			"mount",
-			[]string{"transit"},
-			"Success! Enabled the transit secrets engine at: transit/",
+			"force_prefix",
+			[]string{"-force", "-prefix"},
+			"Success",
 			0,
 		},
 		{
-			"mount_path",
-			[]string{
-				"-path", "transit_mount_point",
-				"transit",
-			},
-			"Success! Enabled the transit secrets engine at: transit_mount_point/",
+			"prefix",
+			[]string{"-prefix"},
+			"All revocation operations queued successfully",
+			0,
+		},
+		{
+			"prefix_sync",
+			[]string{"-prefix", "-sync"},
+			"Success",
 			0,
 		},
 	}
 
-	for _, tc := range cases {
-		tc := tc
-
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			client, closer := testVaultServer(t)
-			defer closer()
-
-			ui, cmd := testSecretsEnableCommand(t)
-			cmd.client = client
-
-			code := cmd.Run(tc.args)
-			if code != tc.code {
-				t.Errorf("expected %d to be %d", code, tc.code)
-			}
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
 
-			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-			if !strings.Contains(combined, tc.out) {
-				t.Errorf("expected %q to contain %q", combined, tc.out)
-			}
-		})
-	}
+		for _, tc := range cases {
+			tc := tc
 
-	t.Run("integration", func(t *testing.T) {
-		t.Parallel()
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
 
-		client, closer := testVaultServer(t)
-		defer closer()
+				client, closer := testVaultServer(t)
+				defer closer()
 
-		ui, cmd := testSecretsEnableCommand(t)
-		cmd.client = client
+				if err := client.Sys().Mount("secret-leased", &api.MountInput{
+					Type: "generic-leased",
+				}); err != nil {
+					t.Fatal(err)
+				}
 
-		code := cmd.Run([]string{
-			"-path", "mount_integration/",
-			"-description", "The best kind of test",
-			"-default-lease-ttl", "30m",
-			"-max-lease-ttl", "1h",
-			"-audit-non-hmac-request-keys", "foo,bar",
-			"-audit-non-hmac-response-keys", "foo,bar",
-			"-passthrough-request-headers", "authorization,authentication",
-			"-passthrough-request-headers", "www-authentication",
-			"-allowed-response-headers", "authorization",
-			"-allowed-managed-keys", "key1,key2",
-			"-force-no-cache",
-			"pki",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
+				path := "secret-leased/revoke/" + tc.name
+				data := map[string]interface{}{
+					"key":   "value",
+					"lease": "1m",
+				}
+				if _, err := client.Logical().Write(path, data); err != nil {
+					t.Fatal(err)
+				}
+				secret, err := client.Logical().Read(path)
+				if err != nil {
+					t.Fatal(err)
+				}
 
-		expected := "Success! Enabled the pki secrets engine at: mount_integration/"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
+				ui, cmd := testLeaseRevokeCommand(t)
+				cmd.client = client
 
-		mounts, err := client.Sys().ListMounts()
-		if err != nil {
-			t.Fatal(err)
-		}
+				tc.args = append(tc.args, secret.LeaseID)
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
 
-		mountInfo, ok := mounts["mount_integration/"]
-		if !ok {
-			t.Fatalf("expected mount to exist")
-		}
-		if exp := "pki"; mountInfo.Type != exp {
-			t.Errorf("expected %q to be %q", mountInfo.Type, exp)
-		}
-		if exp := "The best kind of test"; mountInfo.Description != exp {
-			t.Errorf("expected %q to be %q", mountInfo.Description, exp)
-		}
-		if exp := 1800; mountInfo.Config.DefaultLeaseTTL != exp {
-			t.Errorf("expected %d to be %d", mountInfo.Config.DefaultLeaseTTL, exp)
-		}
-		if exp := 3600; mountInfo.Config.MaxLeaseTTL != exp {
-			t.Errorf("expected %d to be %d", mountInfo.Config.MaxLeaseTTL, exp)
-		}
-		if exp := true; mountInfo.Config.ForceNoCache != exp {
-			t.Errorf("expected %t to be %t", mountInfo.Config.ForceNoCache, exp)
-		}
-		if diff := deep.Equal([]string{"authorization,authentication", "www-authentication"}, mountInfo.Config.PassthroughRequestHeaders); len(diff) > 0 {
-			t.Errorf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff)
-		}
-		if diff := deep.Equal([]string{"authorization"}, mountInfo.Config.AllowedResponseHeaders); len(diff) > 0 {
-			t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff)
-		}
-		if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 {
-			t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff)
-		}
-		if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
-			t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
-		}
-		if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 {
-			t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff)
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
 		}
 	})
 
@@ -178,17 +123,17 @@ func TestSecretsEnableCommand_Run(t *testing.T) {
 		client, closer := testVaultServerBad(t)
 		defer closer()
 
-		ui, cmd := testSecretsEnableCommand(t)
+		ui, cmd := testLeaseRevokeCommand(t)
 		cmd.client = client
 
 		code := cmd.Run([]string{
-			"pki",
+			"foo/bar",
 		})
 		if exp := 2; code != exp {
 			t.Errorf("expected %d to be %d", code, exp)
 		}
 
-		expected := "Error enabling: "
+		expected := "Error revoking lease foo/bar: "
 		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
 		if !strings.Contains(combined, expected) {
 			t.Errorf("expected %q to contain %q", combined, expected)
@@ -198,78 +143,7 @@ func TestSecretsEnableCommand_Run(t *testing.T) {
 	t.Run("no_tabs", func(t *testing.T) {
 		t.Parallel()
 
-		_, cmd := testSecretsEnableCommand(t)
+		_, cmd := testLeaseRevokeCommand(t)
 		assertNoTabs(t, cmd)
 	})
-
-	t.Run("mount_all", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerAllBackends(t)
-		defer closer()
-
-		files, err := ioutil.ReadDir("../builtin/logical")
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		var backends []string
-		for _, f := range files {
-			if f.IsDir() {
-				if f.Name() == "plugin" || f.Name() == "database" {
-					continue
-				}
-				if _, err := os.Stat("../builtin/logical/" + f.Name() + "/backend.go"); errors.Is(err, os.ErrNotExist) {
-					// Skip ext test packages (fake plugins without backends).
-					continue
-				}
-				backends = append(backends, f.Name())
-			}
-		}
-
-		modFile, err := ioutil.ReadFile("../go.mod")
-		if err != nil {
-			t.Fatal(err)
-		}
-		modLines := strings.Split(string(modFile), "\n")
-		for _, p := range modLines {
-			splitLine := strings.Split(strings.TrimSpace(p), " ")
-			if len(splitLine) == 0 {
-				continue
-			}
-			potPlug := strings.TrimPrefix(splitLine[0], "github.com/hashicorp/")
-			if strings.HasPrefix(potPlug, "vault-plugin-secrets-") {
-				backends = append(backends, strings.TrimPrefix(potPlug, "vault-plugin-secrets-"))
-			}
-		}
-
-		regkeys := strutil.StrListDelete(builtinplugins.Registry.Keys(consts.PluginTypeSecrets), "ldap")
-		sort.Strings(regkeys)
-		sort.Strings(backends)
-
-		if d := cmp.Diff(regkeys, backends); len(d) > 0 {
-			t.Fatalf("found logical registry mismatch: %v", d)
-		}
-
-		for _, b := range backends {
-			expectedResult := 0
-
-			ui, cmd := testSecretsEnableCommand(t)
-			cmd.client = client
-
-			actualResult := cmd.Run([]string{
-				b,
-			})
-
-			// Need to handle deprecated builtins specially
-			status, _ := builtinplugins.Registry.DeprecationStatus(b, consts.PluginTypeSecrets)
-			if status == consts.PendingRemoval || status == consts.Removed {
-				expectedResult = 2
-			}
-
-			if actualResult != expectedResult {
-				t.Errorf("type: %s - got: %d, expected: %d - %s", b, actualResult, expectedResult, ui.OutputWriter.String()+ui.ErrorWriter.String())
-			}
-		}
-	})
 }
diff --git a/command/secrets_list.go b/command/secrets_list.go
index 7ce6dde457be..2df72bebf686 100644
--- a/command/secrets_list.go
+++ b/command/secrets_list.go
@@ -1,189 +1,160 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"sort"
-	"strconv"
-	"strings"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*SecretsListCommand)(nil)
-	_ cli.CommandAutocomplete = (*SecretsListCommand)(nil)
-)
-
-type SecretsListCommand struct {
-	*BaseCommand
-
-	flagDetailed bool
-}
-
-func (c *SecretsListCommand) Synopsis() string {
-	return "List enabled secrets engines"
-}
-
-func (c *SecretsListCommand) Help() string {
-	helpText := `
-Usage: vault secrets list [options]
-
-  Lists the enabled secret engines on the Vault server. This command also
-  outputs information about the enabled path including configured TTLs and
-  human-friendly descriptions. A TTL of "system" indicates that the system
-  default is in use.
-
-  List all enabled secrets engines:
-
-      $ vault secrets list
-
-  List all enabled secrets engines with detailed output:
-
-      $ vault secrets list -detailed
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *SecretsListCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-
-	f := set.NewFlagSet("Command Options")
-
-	f.BoolVar(&BoolVar{
-		Name:    "detailed",
-		Target:  &c.flagDetailed,
-		Default: false,
-		Usage: "Print detailed information such as TTLs and replication status " +
-			"about each secrets engine.",
-	})
-
-	return set
-}
-
-func (c *SecretsListCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultFiles()
-}
-
-func (c *SecretsListCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *SecretsListCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	if len(args) > 0 {
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(args)))
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	mounts, err := client.Sys().ListMounts()
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error listing secrets engines: %s", err))
-		return 2
-	}
-
-	switch Format(c.UI) {
-	case "table":
-		if c.flagDetailed {
-			c.UI.Output(tableOutput(c.detailedMounts(mounts), nil))
-			return 0
-		}
-		c.UI.Output(tableOutput(c.simpleMounts(mounts), nil))
-		return 0
-	default:
-		return OutputData(c.UI, mounts)
-	}
-}
-
-func (c *SecretsListCommand) simpleMounts(mounts map[string]*api.MountOutput) []string {
-	paths := make([]string, 0, len(mounts))
-	for path := range mounts {
-		paths = append(paths, path)
-	}
-	sort.Strings(paths)
-
-	out := []string{"Path | Type | Accessor | Description"}
-	for _, path := range paths {
-		mount := mounts[path]
-		out = append(out, fmt.Sprintf("%s | %s | %s | %s", path, mount.Type, mount.Accessor, mount.Description))
-	}
-
-	return out
-}
-
-func (c *SecretsListCommand) detailedMounts(mounts map[string]*api.MountOutput) []string {
-	paths := make([]string, 0, len(mounts))
-	for path := range mounts {
-		paths = append(paths, path)
-	}
-	sort.Strings(paths)
-
-	calcTTL := func(typ string, ttl int) string {
-		switch {
-		case typ == "system", typ == "cubbyhole":
-			return ""
-		case ttl != 0:
-			return strconv.Itoa(ttl)
-		default:
-			return "system"
-		}
-	}
-
-	out := []string{"Path | Plugin | Accessor | Default TTL | Max TTL | Force No Cache | Replication | Seal Wrap | External Entropy Access | Options | Description | UUID | Version | Running Version | Running SHA256 | Deprecation Status"}
-	for _, path := range paths {
-		mount := mounts[path]
-
-		defaultTTL := calcTTL(mount.Type, mount.Config.DefaultLeaseTTL)
-		maxTTL := calcTTL(mount.Type, mount.Config.MaxLeaseTTL)
-
-		replication := "replicated"
-		if mount.Local {
-			replication = "local"
-		}
-
-		pluginName := mount.Type
-		if pluginName == "plugin" {
-			pluginName = mount.Config.PluginName
-		}
-
-		out = append(out, fmt.Sprintf("%s | %s | %s | %s | %s | %t | %s | %t | %v | %s | %s | %s | %s | %s | %s | %s",
-			path,
-			pluginName,
-			mount.Accessor,
-			defaultTTL,
-			maxTTL,
-			mount.Config.ForceNoCache,
-			replication,
-			mount.SealWrap,
-			mount.ExternalEntropyAccess,
-			mount.Options,
-			mount.Description,
-			mount.UUID,
-			mount.PluginVersion,
-			mount.RunningVersion,
-			mount.RunningSha256,
-			mount.DeprecationStatus,
-		))
-	}
-
-	return out
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import sinon from 'sinon';
+import { setupRenderingTest } from 'ember-qunit';
+import { render, click } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import subDays from 'date-fns/subDays';
+import addDays from 'date-fns/addDays';
+import formatRFC3339 from 'date-fns/formatRFC3339';
+import timestamp from 'core/utils/timestamp';
+
+module('Integration | Component | license-banners', function (hooks) {
+  setupRenderingTest(hooks);
+
+  hooks.before(function () {
+    sinon.stub(timestamp, 'now').callsFake(() => new Date('2018-04-03T14:15:30'));
+  });
+  hooks.beforeEach(function () {
+    const mockNow = timestamp.now();
+    this.now = mockNow;
+    this.yesterday = subDays(mockNow, 1);
+    this.nextMonth = addDays(mockNow, 30);
+    this.outside30 = addDays(mockNow, 32);
+    this.tomorrow = addDays(mockNow, 1);
+    this.version = this.owner.lookup('service:version');
+    this.version.version = '1.13.1+ent';
+    this.version.type = 'enterprise';
+  });
+  hooks.after(function () {
+    timestamp.now.restore();
+  });
+
+  test('it does not render if no expiry', async function (assert) {
+    assert.expect(2);
+    await render(hbs`<LicenseBanners />`);
+    assert.dom('[data-test-license-banner-expired]').doesNotExist();
+    assert.dom('[data-test-license-banner-warning]').doesNotExist();
+  });
+
+  test('it renders an error if expiry is before now', async function (assert) {
+    assert.expect(2);
+    this.set('expiry', formatRFC3339(this.yesterday));
+    await render(hbs`<LicenseBanners @expiry={{this.expiry}} />`);
+    assert.dom('[data-test-license-banner-expired]').exists('Expired license banner renders');
+    assert
+      .dom('[data-test-license-banner-expired] .hds-alert__title')
+      .hasText('License expired', 'Shows correct title on alert');
+  });
+
+  test('it renders a warning if expiry is within 30 days', async function (assert) {
+    assert.expect(2);
+    this.set('expiry', formatRFC3339(this.nextMonth));
+    await render(hbs`<LicenseBanners @expiry={{this.expiry}} />`);
+    assert.dom('[data-test-license-banner-warning]').exists('Warning license banner renders');
+    assert
+      .dom('[data-test-license-banner-warning] .hds-alert__title')
+      .hasText('Vault license expiring', 'Shows correct title on alert');
+  });
+
+  test('it does not render a banner if expiry is outside 30 days', async function (assert) {
+    assert.expect(2);
+    this.set('expiry', formatRFC3339(this.outside30));
+    await render(hbs`<LicenseBanners @expiry={{this.expiry}} />`);
+    assert.dom('[data-test-license-banner-expired]').doesNotExist();
+    assert.dom('[data-test-license-banner-warning]').doesNotExist();
+  });
+
+  test('it does not render the expired banner if it has been dismissed', async function (assert) {
+    assert.expect(3);
+    this.set('expiry', formatRFC3339(this.yesterday));
+    const key = `dismiss-license-banner-${this.version.version}-${this.expiry}`;
+    await render(hbs`<LicenseBanners @expiry={{this.expiry}} />`);
+    await click('[data-test-license-banner-expired] [data-test-icon="x"]');
+    assert.dom('[data-test-license-banner-expired]').doesNotExist('Expired license banner does not render');
+
+    await render(hbs`<LicenseBanners @expiry={{this.expiry}} />`);
+    const localStorageResult = JSON.parse(localStorage.getItem(key));
+    assert.strictEqual(localStorageResult, 'expired');
+    assert
+      .dom('[data-test-license-banner-expired]')
+      .doesNotExist('The expired banner still does not render after a re-render.');
+    localStorage.removeItem(key);
+  });
+
+  test('it does not render the warning banner if it has been dismissed', async function (assert) {
+    assert.expect(3);
+    this.set('expiry', formatRFC3339(this.nextMonth));
+    const key = `dismiss-license-banner-${this.version.version}-${this.expiry}`;
+    await render(hbs`<LicenseBanners @expiry={{this.expiry}} />`);
+    await click('[data-test-license-banner-warning] [data-test-icon="x"]');
+    assert.dom('[data-test-license-banner-warning]').doesNotExist('Warning license banner does not render');
+
+    await render(hbs`<LicenseBanners @expiry={{this.expiry}} />`);
+    const localStorageResult = JSON.parse(localStorage.getItem(key));
+    assert.strictEqual(localStorageResult, 'warning');
+    assert
+      .dom('[data-test-license-banner-warning]')
+      .doesNotExist('The warning banner still does not render after a re-render.');
+    localStorage.removeItem(key);
+  });
+
+  test('it renders a banner if the vault license has changed', async function (assert) {
+    assert.expect(3);
+    this.version.version = '1.12.1+ent';
+    this.set('expiry', formatRFC3339(this.nextMonth));
+    const keyOldVersion = `dismiss-license-banner-${this.version.version}-${this.expiry}`;
+    await render(hbs`<LicenseBanners @expiry={{this.expiry}} />`);
+    await click('[data-test-license-banner-warning] [data-test-icon="x"]');
+    this.version.version = '1.13.1+ent';
+    const keyNewVersion = `dismiss-license-banner-${this.version.version}-${this.expiry}`;
+    await render(hbs`<LicenseBanners @expiry={{this.expiry}} />`);
+    assert
+      .dom('[data-test-license-banner-warning]')
+      .exists('The warning banner shows even though we have dismissed it earlier.');
+
+    await click('[data-test-license-banner-warning] [data-test-icon="x"]');
+    const localStorageResultNewVersion = JSON.parse(localStorage.getItem(keyNewVersion));
+    const localStorageResultOldVersion = JSON.parse(localStorage.getItem(keyOldVersion));
+    // Check that localStorage was cleaned and no longer contains the old version storage key.
+    assert.strictEqual(localStorageResultOldVersion, null, 'local storage was cleared for the old version');
+    assert.strictEqual(
+      localStorageResultNewVersion,
+      'warning',
+      'local storage holds the new version with a warning'
+    );
+    // If debugging this test remember to clear localStorage if the test was not run to completion.
+    localStorage.removeItem(keyNewVersion);
+  });
+
+  test('it renders a banner if the vault expiry has changed', async function (assert) {
+    assert.expect(3);
+    this.set('expiry', formatRFC3339(this.tomorrow));
+    const keyOldExpiry = `dismiss-license-banner-${this.version.version}-${this.expiry}`;
+    await render(hbs`<LicenseBanners @expiry={{this.expiry}} />`);
+    await click('[data-test-license-banner-warning] [data-test-icon="x"]');
+    this.set('expiry', formatRFC3339(this.nextMonth));
+    const keyNewExpiry = `dismiss-license-banner-${this.version.version}-${this.expiry}`;
+    await render(hbs`<LicenseBanners @expiry={{this.expiry}} />`);
+    assert
+      .dom('[data-test-license-banner-warning]')
+      .exists('The warning banner shows even though we have dismissed it earlier.');
+
+    await click('[data-test-license-banner-warning] [data-test-icon="x"]');
+    const localStorageResultNewExpiry = JSON.parse(localStorage.getItem(keyNewExpiry));
+    const localStorageResultOldExpiry = JSON.parse(localStorage.getItem(keyOldExpiry));
+    // Check that localStorage was cleaned and no longer contains the old version storage key.
+    assert.strictEqual(localStorageResultOldExpiry, null, 'local storage was cleared for the old expiry');
+    assert.strictEqual(
+      localStorageResultNewExpiry,
+      'warning',
+      'local storage holds the new expiry with a warning'
+    );
+    // If debugging this test remember to clear localStorage if the test was not run to completion.
+    localStorage.removeItem(keyNewExpiry);
+  });
+});
diff --git a/command/secrets_list_test.go b/command/secrets_list_test.go
index 544e7196c8de..66e219523c78 100644
--- a/command/secrets_list_test.go
+++ b/command/secrets_list_test.go
@@ -1,108 +1,24 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/mitchellh/cli"
-)
-
-func testSecretsListCommand(tb testing.TB) (*cli.MockUi, *SecretsListCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &SecretsListCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestSecretsListCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"too_many_args",
-			[]string{"foo"},
-			"Too many arguments",
-			1,
-		},
-		{
-			"lists",
-			nil,
-			"Path",
-			0,
-		},
-		{
-			"detailed",
-			[]string{"-detailed"},
-			"Deprecation Status",
-			0,
-		},
-	}
-
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, tc := range cases {
-			tc := tc
-
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
-
-				client, closer := testVaultServer(t)
-				defer closer()
-
-				ui, cmd := testSecretsListCommand(t)
-				cmd.client = client
-
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
-	})
-
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerBad(t)
-		defer closer()
-
-		ui, cmd := testSecretsListCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Error listing secrets engines: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testSecretsListCommand(t)
-		assertNoTabs(t, cmd)
-	})
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Route from '@ember/routing/route';
+import ClusterRoute from 'vault/mixins/cluster-route';
+import { inject as service } from '@ember/service';
+
+export default Route.extend(ClusterRoute, {
+  store: service(),
+  version: service(),
+  router: service(),
+
+  beforeModel() {
+    if (this.version.isCommunity) {
+      this.router.transitionTo('vault.cluster');
+    }
+  },
+
+  model() {
+    return this.store.queryRecord('license', {});
+  },
+});
diff --git a/command/secrets_move.go b/command/secrets_move.go
index c3d8d730a7b2..815384a20728 100644
--- a/command/secrets_move.go
+++ b/command/secrets_move.go
@@ -1,131 +1,117 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"strings"
-	"time"
-
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*SecretsMoveCommand)(nil)
-	_ cli.CommandAutocomplete = (*SecretsMoveCommand)(nil)
-)
-
-const (
-	MountMigrationStatusSuccess = "success"
-	MountMigrationStatusFailure = "failure"
-)
-
-type SecretsMoveCommand struct {
-	*BaseCommand
-}
-
-func (c *SecretsMoveCommand) Synopsis() string {
-	return "Move a secrets engine to a new path"
-}
-
-func (c *SecretsMoveCommand) Help() string {
-	helpText := `
-Usage: vault secrets move [options] SOURCE DESTINATION
-
-  Moves an existing secrets engine to a new path. Any leases from the old
-  secrets engine are revoked, but all configuration associated with the engine
-  is preserved. It initiates the migration and intermittently polls its status,
-  exiting if a final state is reached.
-
-  This command works within or across namespaces, both source and destination paths
-  can be prefixed with a namespace heirarchy relative to the current namespace.
-
-  WARNING! Moving a secrets engine will revoke any leases from the
-  old engine.
-
-  Move the secrets engine at secret/ to generic/:
-
-      $ vault secrets move secret/ generic/
-
-  Move the secrets engine at ns1/secret/ across namespaces to ns2/generic/, 
-  where ns1 and ns2 are child namespaces of the current namespace:
-
-      $ vault secrets move ns1/secret/ ns2/generic/
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *SecretsMoveCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP)
-}
-
-func (c *SecretsMoveCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultMounts()
-}
-
-func (c *SecretsMoveCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *SecretsMoveCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	switch {
-	case len(args) < 2:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 2, got %d)", len(args)))
-		return 1
-	case len(args) > 2:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 2, got %d)", len(args)))
-		return 1
-	}
-
-	// Grab the source and destination
-	source := ensureTrailingSlash(args[0])
-	destination := ensureTrailingSlash(args[1])
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	remountResp, err := client.Sys().StartRemount(source, destination)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error moving secrets engine %s to %s: %s", source, destination, err))
-		return 2
-	}
-
-	c.UI.Output(fmt.Sprintf("Started moving secrets engine %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))
-
-	// Poll the status endpoint with the returned migration ID
-	// Exit if a terminal status is reached, else wait and retry
-	for {
-		remountStatusResp, err := client.Sys().RemountStatus(remountResp.MigrationID)
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error checking migration status of secrets engine %s to %s: %s", source, destination, err))
-			return 2
-		}
-		if remountStatusResp.MigrationInfo.MigrationStatus == MountMigrationStatusSuccess {
-			c.UI.Output(fmt.Sprintf("Success! Finished moving secrets engine %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))
-			return 0
-		}
-		if remountStatusResp.MigrationInfo.MigrationStatus == MountMigrationStatusFailure {
-			c.UI.Error(fmt.Sprintf("Failure! Error encountered moving secrets engine %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))
-			return 0
-		}
-		c.UI.Output(fmt.Sprintf("Waiting for terminal status in migration of secrets engine %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))
-		time.Sleep(10 * time.Second)
-	}
-
-	return 0
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'ember-qunit';
+import { render } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { statuses } from '../../../mirage/handlers/hcp-link';
+
+const SELECTORS = {
+  modalOpen: '[data-test-link-status] button',
+  modalClose: '[data-test-icon="x"]',
+  bannerConnected: '.hds-alert [data-test-icon="info"]',
+  bannerWarning: '.hds-alert [data-test-icon="alert-triangle"]',
+  banner: '[data-test-link-status]',
+};
+
+module('Integration | Component | link-status', function (hooks) {
+  setupRenderingTest(hooks);
+  setupMirage(hooks);
+
+  // this can be removed once feature is released for OSS
+  hooks.beforeEach(function () {
+    this.owner.lookup('service:version').set('type', 'enterprise');
+    this.statuses = statuses;
+  });
+
+  test('it does not render banner when status is not present', async function (assert) {
+    await render(hbs`
+      <LinkStatus @status={{undefined}} />
+    `);
+
+    assert.dom(SELECTORS.banner).doesNotExist('Banner is hidden for missing status message');
+  });
+
+  test('it does not render banner in oss version', async function (assert) {
+    this.owner.lookup('service:version').set('type', 'community');
+
+    await render(hbs`
+      <LinkStatus @status={{get this.statuses 0}} />
+    `);
+
+    assert.dom(SELECTORS.banner).doesNotExist('Banner is hidden in oss');
+  });
+
+  test('it renders connected status', async function (assert) {
+    await render(hbs`
+      <LinkStatus @status={{get this.statuses 0}} />
+    `);
+    assert.dom(SELECTORS.bannerConnected).exists('Success banner renders for connected state');
+    assert
+      .dom('[data-test-link-status]')
+      .hasText('This self-managed Vault is linked to HCP.', 'Banner copy renders for connected state');
+    assert
+      .dom('[data-test-link-status] a')
+      .hasAttribute('href', 'https://portal.cloud.hashicorp.com/sign-in', 'HCP sign in link renders');
+  });
+
+  test('it should render error states', async function (assert) {
+    // disconnected error
+    await render(hbs`
+      <LinkStatus @status={{get this.statuses 1}} />
+    `);
+
+    assert.dom(SELECTORS.bannerWarning).exists('Warning banner renders for error state');
+    assert
+      .dom('[data-test-link-status]')
+      .hasText('Error connecting to HCP', 'Banner title renders for error state');
+    assert
+      .dom('[data-test-link-error]')
+      .hasText(
+        'Since 2022-09-21T11:25:02.196835-07:00, unable to establish a connection with HCP. Check the logs for more information.',
+        'Error renders for case 1'
+      );
+
+    // unable to establish connection error
+    await render(hbs`
+      <LinkStatus @status={{get this.statuses 2}} />
+    `);
+    assert
+      .dom('[data-test-link-error]')
+      .hasText(
+        'Since 2022-09-21T11:25:02.196835-07:00, unable to establish a connection with HCP. Check the logs for more information.',
+        'Error renders for case 2'
+      );
+
+    // no permissions error
+    await render(hbs`
+      <LinkStatus @status={{get this.statuses 3}} />
+    `);
+    assert
+      .dom('[data-test-link-error]')
+      .hasText(
+        'Since 2022-09-21T11:25:02.196835-07:00, principal does not have the permission to register as a provider. Check the logs for more information.',
+        'Error renders for case 3'
+      );
+
+    // could not obtain token error
+    await render(hbs`
+      <LinkStatus @status={{get this.statuses 4}} />
+    `);
+    assert
+      .dom('[data-test-link-error]')
+      .hasText(
+        'Since 2022-09-21T11:25:02.196835-07:00, could not obtain a token with the supplied credentials. Check the logs for more information.',
+        'Error renders for case 3'
+      );
+
+    await render(hbs`
+      <LinkStatus @status="connecting" />
+    `);
+    assert.dom('[data-test-link-error]').doesNotExist('No errors rendered when link is in connected state');
+  });
+});
diff --git a/command/secrets_move_test.go b/command/secrets_move_test.go
index 6e7a0d796e54..6505f76af8c3 100644
--- a/command/secrets_move_test.go
+++ b/command/secrets_move_test.go
@@ -4,139 +4,117 @@
 package command
 
 import (
+	"fmt"
 	"strings"
-	"testing"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
 )
 
-func testSecretsMoveCommand(tb testing.TB) (*cli.MockUi, *SecretsMoveCommand) {
-	tb.Helper()
+var (
+	_ cli.Command             = (*ListCommand)(nil)
+	_ cli.CommandAutocomplete = (*ListCommand)(nil)
+)
 
-	ui := cli.NewMockUi()
-	return ui, &SecretsMoveCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
+type ListCommand struct {
+	*BaseCommand
 }
 
-func TestSecretsMoveCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"not_enough_args",
-			[]string{},
-			"Not enough arguments",
-			1,
-		},
-		{
-			"too_many_args",
-			[]string{"foo", "bar", "baz"},
-			"Too many arguments",
-			1,
-		},
-		{
-			"non_existent",
-			[]string{"not_real", "over_here"},
-			"Error moving secrets engine not_real/ to over_here/",
-			2,
-		},
-	}
+func (c *ListCommand) Synopsis() string {
+	return "List data or secrets"
+}
 
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
+func (c *ListCommand) Help() string {
+	helpText := `
 
-		for _, tc := range cases {
-			tc := tc
+Usage: vault list [options] PATH
 
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
+  Lists data from Vault at the given path. This can be used to list keys in a,
+  given secret engine.
 
-				client, closer := testVaultServer(t)
-				defer closer()
+  List values under the "my-app" folder of the generic secret engine:
 
-				ui, cmd := testSecretsMoveCommand(t)
-				cmd.client = client
+      $ vault list secret/my-app/
 
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
+  For a full list of examples and paths, please see the documentation that
+  corresponds to the secret engine in use. Not all engines support listing.
 
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
-	})
+` + c.Flags().Help()
 
-	t.Run("integration", func(t *testing.T) {
-		t.Parallel()
+	return strings.TrimSpace(helpText)
+}
 
-		client, closer := testVaultServer(t)
-		defer closer()
+func (c *ListCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat | FlagSetOutputDetailed)
+	return set
+}
 
-		ui, cmd := testSecretsMoveCommand(t)
-		cmd.client = client
+func (c *ListCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultFolders()
+}
 
-		code := cmd.Run([]string{
-			"secret/", "generic/",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
+func (c *ListCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
 
-		expected := "Success! Finished moving secrets engine secret/ to generic/"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
+func (c *ListCommand) Run(args []string) int {
+	f := c.Flags()
 
-		mounts, err := client.Sys().ListMounts()
-		if err != nil {
-			t.Fatal(err)
-		}
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
 
-		if _, ok := mounts["generic/"]; !ok {
-			t.Errorf("expected mount at generic/: %#v", mounts)
-		}
-	})
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
 
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
 
-		client, closer := testVaultServerBad(t)
-		defer closer()
+	path := sanitizePath(args[0])
+	secret, err := client.Logical().List(path)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error listing %s: %s", path, err))
+		return 2
+	}
 
-		ui, cmd := testSecretsMoveCommand(t)
-		cmd.client = client
+	// If the secret is wrapped, return the wrapped response.
+	if secret != nil && secret.WrapInfo != nil && secret.WrapInfo.TTL != 0 {
+		return OutputSecret(c.UI, secret)
+	}
 
-		code := cmd.Run([]string{
-			"secret/", "generic/",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
+	_, ok := extractListData(secret)
+	if Format(c.UI) != "table" {
+		if secret == nil || secret.Data == nil || !ok {
+			OutputData(c.UI, map[string]interface{}{})
+			return 2
 		}
+	}
 
-		expected := "Error moving secrets engine secret/ to generic/:"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
+	if secret == nil {
+		c.UI.Error(fmt.Sprintf("No value found at %s", path))
+		return 2
+	}
+	if secret.Data == nil {
+		// If secret wasn't nil, we have warnings, so output them anyways. We
+		// may also have non-keys info.
+		return OutputSecret(c.UI, secret)
+	}
 
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
+	if !ok {
+		c.UI.Error(fmt.Sprintf("No entries found at %s", path))
+		return 2
+	}
 
-		_, cmd := testSecretsMoveCommand(t)
-		assertNoTabs(t, cmd)
-	})
+	return OutputList(c.UI, secret)
 }
diff --git a/command/secrets_tune.go b/command/secrets_tune.go
index 66a409fc9602..a7b5bb5d41fc 100644
--- a/command/secrets_tune.go
+++ b/command/secrets_tune.go
@@ -1,254 +1,145 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"flag"
-	"fmt"
-	"strconv"
-	"strings"
-	"time"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*SecretsTuneCommand)(nil)
-	_ cli.CommandAutocomplete = (*SecretsTuneCommand)(nil)
-)
-
-type SecretsTuneCommand struct {
-	*BaseCommand
-
-	flagAuditNonHMACRequestKeys   []string
-	flagAuditNonHMACResponseKeys  []string
-	flagDefaultLeaseTTL           time.Duration
-	flagDescription               string
-	flagListingVisibility         string
-	flagMaxLeaseTTL               time.Duration
-	flagPassthroughRequestHeaders []string
-	flagAllowedResponseHeaders    []string
-	flagOptions                   map[string]string
-	flagVersion                   int
-	flagPluginVersion             string
-	flagAllowedManagedKeys        []string
-}
-
-func (c *SecretsTuneCommand) Synopsis() string {
-	return "Tune a secrets engine configuration"
-}
-
-func (c *SecretsTuneCommand) Help() string {
-	helpText := `
-Usage: vault secrets tune [options] PATH
-
-  Tunes the configuration options for the secrets engine at the given PATH.
-  The argument corresponds to the PATH where the secrets engine is enabled,
-  not the TYPE!
-
-  Tune the default lease for the PKI secrets engine:
-
-      $ vault secrets tune -default-lease-ttl=72h pki/
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *SecretsTuneCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP)
-
-	f := set.NewFlagSet("Command Options")
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:   flagNameAuditNonHMACRequestKeys,
-		Target: &c.flagAuditNonHMACRequestKeys,
-		Usage: "Key that will not be HMAC'd by audit devices in the request data " +
-			"object. To specify multiple values, specify this flag multiple times.",
-	})
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:   flagNameAuditNonHMACResponseKeys,
-		Target: &c.flagAuditNonHMACResponseKeys,
-		Usage: "Key that will not be HMAC'd by audit devices in the response data " +
-			"object. To specify multiple values, specify this flag multiple times.",
-	})
-
-	f.DurationVar(&DurationVar{
-		Name:       "default-lease-ttl",
-		Target:     &c.flagDefaultLeaseTTL,
-		Default:    0,
-		EnvVar:     "",
-		Completion: complete.PredictAnything,
-		Usage: "The default lease TTL for this secrets engine. If unspecified, " +
-			"this defaults to the Vault server's globally configured default lease " +
-			"TTL, or a previously configured value for the secrets engine.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:   flagNameDescription,
-		Target: &c.flagDescription,
-		Usage: "Human-friendly description of this secret engine. This overrides the " +
-			"current stored value, if any.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:   flagNameListingVisibility,
-		Target: &c.flagListingVisibility,
-		Usage: "Determines the visibility of the mount in the UI-specific listing " +
-			"endpoint.",
-	})
-
-	f.DurationVar(&DurationVar{
-		Name:       "max-lease-ttl",
-		Target:     &c.flagMaxLeaseTTL,
-		Default:    0,
-		EnvVar:     "",
-		Completion: complete.PredictAnything,
-		Usage: "The maximum lease TTL for this secrets engine. If unspecified, " +
-			"this defaults to the Vault server's globally configured maximum lease " +
-			"TTL, or a previously configured value for the secrets engine.",
-	})
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:   flagNamePassthroughRequestHeaders,
-		Target: &c.flagPassthroughRequestHeaders,
-		Usage: "Request header value that will be sent to the plugin. To specify " +
-			"multiple values, specify this flag multiple times.",
-	})
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:   flagNameAllowedResponseHeaders,
-		Target: &c.flagAllowedResponseHeaders,
-		Usage: "Response header value that plugins will be allowed to set. To " +
-			"specify multiple values, specify this flag multiple times.",
-	})
-
-	f.StringMapVar(&StringMapVar{
-		Name:       "options",
-		Target:     &c.flagOptions,
-		Completion: complete.PredictAnything,
-		Usage: "Key-value pair provided as key=value for the mount options. " +
-			"This can be specified multiple times.",
-	})
-
-	f.IntVar(&IntVar{
-		Name:    "version",
-		Target:  &c.flagVersion,
-		Default: 0,
-		Usage:   "Select the version of the engine to run. Not supported by all engines.",
-	})
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:   flagNameAllowedManagedKeys,
-		Target: &c.flagAllowedManagedKeys,
-		Usage: "Managed key name(s) that the mount in question is allowed to access. " +
-			"Note that multiple keys may be specified by providing this option multiple times, " +
-			"each time with 1 key.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:    flagNamePluginVersion,
-		Target:  &c.flagPluginVersion,
-		Default: "",
-		Usage: "Select the semantic version of the plugin to run. The new version must be registered in " +
-			"the plugin catalog, and will not start running until the plugin is reloaded.",
-	})
-
-	return set
-}
-
-func (c *SecretsTuneCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultMounts()
-}
-
-func (c *SecretsTuneCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *SecretsTuneCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	if c.flagVersion > 0 {
-		if c.flagOptions == nil {
-			c.flagOptions = make(map[string]string)
-		}
-		c.flagOptions["version"] = strconv.Itoa(c.flagVersion)
-	}
-
-	// Append a trailing slash to indicate it's a path in output
-	mountPath := ensureTrailingSlash(sanitizePath(args[0]))
-
-	mountConfigInput := api.MountConfigInput{
-		DefaultLeaseTTL: ttlToAPI(c.flagDefaultLeaseTTL),
-		MaxLeaseTTL:     ttlToAPI(c.flagMaxLeaseTTL),
-		Options:         c.flagOptions,
-	}
-
-	// Set these values only if they are provided in the CLI
-	f.Visit(func(fl *flag.Flag) {
-		if fl.Name == flagNameAuditNonHMACRequestKeys {
-			mountConfigInput.AuditNonHMACRequestKeys = c.flagAuditNonHMACRequestKeys
-		}
-
-		if fl.Name == flagNameAuditNonHMACResponseKeys {
-			mountConfigInput.AuditNonHMACResponseKeys = c.flagAuditNonHMACResponseKeys
-		}
-
-		if fl.Name == flagNameDescription {
-			mountConfigInput.Description = &c.flagDescription
-		}
-
-		if fl.Name == flagNameListingVisibility {
-			mountConfigInput.ListingVisibility = c.flagListingVisibility
-		}
-
-		if fl.Name == flagNamePassthroughRequestHeaders {
-			mountConfigInput.PassthroughRequestHeaders = c.flagPassthroughRequestHeaders
-		}
-
-		if fl.Name == flagNameAllowedResponseHeaders {
-			mountConfigInput.AllowedResponseHeaders = c.flagAllowedResponseHeaders
-		}
-
-		if fl.Name == flagNameAllowedManagedKeys {
-			mountConfigInput.AllowedManagedKeys = c.flagAllowedManagedKeys
-		}
-
-		if fl.Name == flagNamePluginVersion {
-			mountConfigInput.PluginVersion = c.flagPluginVersion
-		}
-	})
-
-	if err := client.Sys().TuneMount(mountPath, mountConfigInput); err != nil {
-		c.UI.Error(fmt.Sprintf("Error tuning secrets engine %s: %s", mountPath, err))
-		return 2
-	}
-
-	c.UI.Output(fmt.Sprintf("Success! Tuned the secrets engine at: %s", mountPath))
-	return 0
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<KvPageHeader @breadcrumbs={{@breadcrumbs}} @mountName={{@backend}}>
+  <:tabLinks>
+    <LinkTo @route={{this.router.currentRoute.localName}} data-test-secrets-tab="Secrets">Secrets</LinkTo>
+    <LinkTo @route="configuration" data-test-secrets-tab="Configuration">Configuration</LinkTo>
+  </:tabLinks>
+
+  <:toolbarFilters>
+
+    {{#if (and (not-eq @secrets 403) (or @secrets @filterValue))}}
+      <KvListFilter @secrets={{@secrets}} @mountPoint={{this.mountPoint}} @filterValue={{@filterValue}} />
+    {{/if}}
+  </:toolbarFilters>
+
+  <:toolbarActions>
+    <ToolbarLink data-test-toolbar-create-secret @route="create" @query={{hash initialKey=@filterValue}} @type="add">
+      Create secret
+    </ToolbarLink>
+  </:toolbarActions>
+</KvPageHeader>
+{{#if (eq @secrets 403)}}
+  <div class="box is-fullwidth is-shadowless has-tall-padding">
+    <div class="selectable-card-container one-card">
+      <OverviewCard
+        @cardTitle="View secret"
+        @subText="Type the path of the secret you want to view. Include a trailing slash to navigate to the list view."
+      >
+        <form {{on "submit" this.transitionToSecretDetail}} class="has-top-margin-m">
+          <InputSearch
+            @id="search-input-kv-secret"
+            @initialValue={{@pathToSecret}}
+            @onChange={{this.handleSecretPathInput}}
+            @placeholder="secret/"
+            data-test-view-secret
+          />
+          <Hds::Button
+            @text={{this.buttonText}}
+            @color="secondary"
+            type="submit"
+            disabled={{not this.secretPath}}
+            data-test-get-secret-detail
+          />
+        </form>
+        {{#if @failedDirectoryQuery}}
+          <AlertInline @type="danger" @message="You do not have the required permissions or the directory does not exist." />
+        {{/if}}
+      </OverviewCard>
+    </div>
+  </div>
+{{else}}
+  {{#if @secrets}}
+    {{#each @secrets as |metadata|}}
+      <LinkedBlock
+        data-test-list-item={{metadata.path}}
+        class="list-item-row"
+        @params={{array (if metadata.pathIsDirectory "list-directory" "secret.details") metadata.fullSecretPath}}
+        @linkPrefix={{this.mountPoint}}
+      >
+        <div class="level is-mobile">
+          <div class="level-left">
+            <div>
+              <Icon @name={{if metadata.pathIsDirectory "folder" "file"}} class="has-text-grey-light" />
+              <span class="has-text-weight-semibold is-underline">
+                {{metadata.path}}
+              </span>
+            </div>
+          </div>
+          <div class="level-right is-flex is-paddingless is-marginless">
+            <div class="level-item">
+              <PopupMenu>
+                <nav class="menu">
+                  <ul class="menu-list">
+                    {{#if metadata.pathIsDirectory}}
+                      <li>
+                        <LinkTo @route="list-directory" @model={{metadata.fullSecretPath}}>
+                          Content
+                        </LinkTo>
+                      </li>
+                    {{else}}
+                      <li>
+                        <LinkTo @route="secret.details" @model={{metadata.fullSecretPath}}>
+                          Details
+                        </LinkTo>
+                      </li>
+                      {{#if metadata.canReadMetadata}}
+                        <li>
+                          <LinkTo @route="secret.metadata.versions" @model={{metadata.fullSecretPath}}>
+                            View version history
+                          </LinkTo>
+                        </li>
+                      {{/if}}
+                      {{#if metadata.canCreateVersionData}}
+                        <li>
+                          <LinkTo @route="secret.details.edit" @model={{metadata.fullSecretPath}}>
+                            Create new version
+                          </LinkTo>
+                        </li>
+                      {{/if}}
+                      {{#if metadata.canDeleteMetadata}}
+                        <ConfirmAction
+                          @buttonText="Permanently delete"
+                          @isInDropdown={{true}}
+                          @onConfirmAction={{fn this.onDelete metadata}}
+                          @confirmMessage="This will permanently delete this secret and all its versions."
+                        />
+                      {{/if}}
+                    {{/if}}
+                  </ul>
+                </nav>
+              </PopupMenu>
+            </div>
+          </div>
+        </div>
+      </LinkedBlock>
+    {{/each}}
+    {{! Pagination }}
+    <Hds::Pagination::Numbered
+      @currentPage={{@secrets.meta.currentPage}}
+      @currentPageSize={{@secrets.meta.pageSize}}
+      @route={{this.router.currentRoute.localName}}
+      @showSizeSelector={{false}}
+      @totalItems={{@secrets.meta.total}}
+      @queryFunction={{this.paginationQueryParams}}
+      data-test-pagination
+    />
+  {{else}}
+    {{#if @filterValue}}
+      <EmptyState @title="There are no secrets matching &quot;{{@filterValue}}&quot;." />
+    {{else}}
+      <EmptyState
+        data-test-secret-list-empty-state
+        @title="No secrets yet"
+        @message="When created, secrets will be listed here. Create a secret to get started."
+      >
+        <LinkTo class="has-top-margin-xs" @route="create">
+          Create secret
+        </LinkTo>
+      </EmptyState>
+    {{/if}}
+  {{/if}}
+{{/if}}
\ No newline at end of file
diff --git a/command/secrets_tune_test.go b/command/secrets_tune_test.go
index 8146dec92467..c1db7504a545 100644
--- a/command/secrets_tune_test.go
+++ b/command/secrets_tune_test.go
@@ -1,370 +1,222 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/go-test/deep"
-	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
-	"github.com/mitchellh/cli"
-)
-
-func testSecretsTuneCommand(tb testing.TB) (*cli.MockUi, *SecretsTuneCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &SecretsTuneCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestSecretsTuneCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"not_enough_args",
-			[]string{},
-			"Not enough arguments",
-			1,
-		},
-		{
-			"too_many_args",
-			[]string{"foo", "bar"},
-			"Too many arguments",
-			1,
-		},
-	}
-
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, tc := range cases {
-			tc := tc
-
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
-
-				client, closer := testVaultServer(t)
-				defer closer()
-
-				ui, cmd := testSecretsTuneCommand(t)
-				cmd.client = client
-
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
-	})
-
-	t.Run("protect_downgrade", func(t *testing.T) {
-		t.Parallel()
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		ui, cmd := testSecretsTuneCommand(t)
-		cmd.client = client
-
-		// Mount
-		if err := client.Sys().Mount("kv", &api.MountInput{
-			Type: "kv",
-			Options: map[string]string{
-				"version": "2",
-			},
-		}); err != nil {
-			t.Fatal(err)
-		}
-
-		// confirm default max_versions
-		mounts, err := client.Sys().ListMounts()
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		mountInfo, ok := mounts["kv/"]
-		if !ok {
-			t.Fatalf("expected mount to exist")
-		}
-		if exp := "kv"; mountInfo.Type != exp {
-			t.Errorf("expected %q to be %q", mountInfo.Type, exp)
-		}
-		if exp := "2"; mountInfo.Options["version"] != exp {
-			t.Errorf("expected %q to be %q", mountInfo.Options["version"], exp)
-		}
-
-		if exp := ""; mountInfo.Options["max_versions"] != exp {
-			t.Errorf("expected %s to be empty", mountInfo.Options["max_versions"])
-		}
-
-		// omitting the version should not cause a downgrade
-		code := cmd.Run([]string{
-			"-options", "max_versions=2",
-			"kv/",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Success! Tuned the secrets engine at: kv/"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-
-		mounts, err = client.Sys().ListMounts()
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		mountInfo, ok = mounts["kv/"]
-		if !ok {
-			t.Fatalf("expected mount to exist")
-		}
-		if exp := "2"; mountInfo.Options["version"] != exp {
-			t.Errorf("expected %q to be %q", mountInfo.Options["version"], exp)
-		}
-		if exp := "kv"; mountInfo.Type != exp {
-			t.Errorf("expected %q to be %q", mountInfo.Type, exp)
-		}
-		if exp := "2"; mountInfo.Options["max_versions"] != exp {
-			t.Errorf("expected %s to be %s", mountInfo.Options["max_versions"], exp)
-		}
-	})
-
-	t.Run("integration", func(t *testing.T) {
-		t.Run("flags_all", func(t *testing.T) {
-			t.Parallel()
-			pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
-			defer cleanup(t)
-
-			client, _, closer := testVaultServerPluginDir(t, pluginDir)
-			defer closer()
-
-			ui, cmd := testSecretsTuneCommand(t)
-			cmd.client = client
-
-			// Mount
-			if err := client.Sys().Mount("mount_tune_integration", &api.MountInput{
-				Type: "pki",
-			}); err != nil {
-				t.Fatal(err)
-			}
-
-			mounts, err := client.Sys().ListMounts()
-			if err != nil {
-				t.Fatal(err)
-			}
-			mountInfo, ok := mounts["mount_tune_integration/"]
-			if !ok {
-				t.Fatalf("expected mount to exist")
-			}
-
-			if exp := ""; mountInfo.PluginVersion != exp {
-				t.Errorf("expected %q to be %q", mountInfo.PluginVersion, exp)
-			}
-
-			_, _, version := testPluginCreateAndRegisterVersioned(t, client, pluginDir, "pki", api.PluginTypeSecrets)
-
-			code := cmd.Run([]string{
-				"-description", "new description",
-				"-default-lease-ttl", "30m",
-				"-max-lease-ttl", "1h",
-				"-audit-non-hmac-request-keys", "foo,bar",
-				"-audit-non-hmac-response-keys", "foo,bar",
-				"-passthrough-request-headers", "authorization",
-				"-passthrough-request-headers", "www-authentication",
-				"-allowed-response-headers", "authorization,www-authentication",
-				"-allowed-managed-keys", "key1,key2",
-				"-listing-visibility", "unauth",
-				"-plugin-version", version,
-				"mount_tune_integration/",
-			})
-			if exp := 0; code != exp {
-				t.Errorf("expected %d to be %d", code, exp)
-			}
-
-			expected := "Success! Tuned the secrets engine at: mount_tune_integration/"
-			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-			if !strings.Contains(combined, expected) {
-				t.Errorf("expected %q to contain %q", combined, expected)
-			}
-
-			mounts, err = client.Sys().ListMounts()
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			mountInfo, ok = mounts["mount_tune_integration/"]
-			if !ok {
-				t.Fatalf("expected mount to exist")
-			}
-			if exp := "new description"; mountInfo.Description != exp {
-				t.Errorf("expected %q to be %q", mountInfo.Description, exp)
-			}
-			if exp := "pki"; mountInfo.Type != exp {
-				t.Errorf("expected %q to be %q", mountInfo.Type, exp)
-			}
-			if exp := version; mountInfo.PluginVersion != exp {
-				t.Errorf("expected %q to be %q", mountInfo.PluginVersion, exp)
-			}
-			if exp := 1800; mountInfo.Config.DefaultLeaseTTL != exp {
-				t.Errorf("expected %d to be %d", mountInfo.Config.DefaultLeaseTTL, exp)
-			}
-			if exp := 3600; mountInfo.Config.MaxLeaseTTL != exp {
-				t.Errorf("expected %d to be %d", mountInfo.Config.MaxLeaseTTL, exp)
-			}
-			if diff := deep.Equal([]string{"authorization", "www-authentication"}, mountInfo.Config.PassthroughRequestHeaders); len(diff) > 0 {
-				t.Errorf("Failed to find expected values for PassthroughRequestHeaders. Difference is: %v", diff)
-			}
-			if diff := deep.Equal([]string{"authorization,www-authentication"}, mountInfo.Config.AllowedResponseHeaders); len(diff) > 0 {
-				t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff)
-			}
-			if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 {
-				t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff)
-			}
-			if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
-				t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
-			}
-			if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 {
-				t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff)
-			}
-		})
-
-		t.Run("flags_description", func(t *testing.T) {
-			t.Parallel()
-			t.Run("not_provided", func(t *testing.T) {
-				client, closer := testVaultServer(t)
-				defer closer()
-
-				ui, cmd := testSecretsTuneCommand(t)
-				cmd.client = client
-
-				// Mount
-				if err := client.Sys().Mount("mount_tune_integration", &api.MountInput{
-					Type:        "pki",
-					Description: "initial description",
-				}); err != nil {
-					t.Fatal(err)
-				}
-
-				code := cmd.Run([]string{
-					"-default-lease-ttl", "30m",
-					"mount_tune_integration/",
-				})
-				if exp := 0; code != exp {
-					t.Errorf("expected %d to be %d", code, exp)
-				}
-
-				expected := "Success! Tuned the secrets engine at: mount_tune_integration/"
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, expected) {
-					t.Errorf("expected %q to contain %q", combined, expected)
-				}
-
-				mounts, err := client.Sys().ListMounts()
-				if err != nil {
-					t.Fatal(err)
-				}
-
-				mountInfo, ok := mounts["mount_tune_integration/"]
-				if !ok {
-					t.Fatalf("expected mount to exist")
-				}
-				if exp := "initial description"; mountInfo.Description != exp {
-					t.Errorf("expected %q to be %q", mountInfo.Description, exp)
-				}
-			})
-
-			t.Run("provided_empty", func(t *testing.T) {
-				client, closer := testVaultServer(t)
-				defer closer()
-
-				ui, cmd := testSecretsTuneCommand(t)
-				cmd.client = client
-
-				// Mount
-				if err := client.Sys().Mount("mount_tune_integration", &api.MountInput{
-					Type:        "pki",
-					Description: "initial description",
-				}); err != nil {
-					t.Fatal(err)
-				}
-
-				code := cmd.Run([]string{
-					"-description", "",
-					"mount_tune_integration/",
-				})
-				if exp := 0; code != exp {
-					t.Errorf("expected %d to be %d", code, exp)
-				}
-
-				expected := "Success! Tuned the secrets engine at: mount_tune_integration/"
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, expected) {
-					t.Errorf("expected %q to contain %q", combined, expected)
-				}
-
-				mounts, err := client.Sys().ListMounts()
-				if err != nil {
-					t.Fatal(err)
-				}
-
-				mountInfo, ok := mounts["mount_tune_integration/"]
-				if !ok {
-					t.Fatalf("expected mount to exist")
-				}
-				if exp := ""; mountInfo.Description != exp {
-					t.Errorf("expected %q to be %q", mountInfo.Description, exp)
-				}
-			})
-		})
-	})
-
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerBad(t)
-		defer closer()
-
-		ui, cmd := testSecretsTuneCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"pki/",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Error tuning secrets engine pki/: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testSecretsTuneCommand(t)
-		assertNoTabs(t, cmd)
-	})
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { set } from '@ember/object';
+import { hash } from 'rsvp';
+import Route from '@ember/routing/route';
+import { supportedSecretBackends } from 'vault/helpers/supported-secret-backends';
+import { allEngines, isAddonEngine } from 'vault/helpers/mountable-secret-engines';
+import { inject as service } from '@ember/service';
+import { normalizePath } from 'vault/utils/path-encoding-helpers';
+import { assert } from '@ember/debug';
+import { pathIsDirectory } from 'kv/utils/kv-breadcrumbs';
+
+const SUPPORTED_BACKENDS = supportedSecretBackends();
+
+export default Route.extend({
+  store: service(),
+  templateName: 'vault/cluster/secrets/backend/list',
+  pathHelp: service('path-help'),
+  router: service(),
+
+  queryParams: {
+    page: {
+      refreshModel: true,
+    },
+    pageFilter: {
+      refreshModel: true,
+    },
+    tab: {
+      refreshModel: true,
+    },
+  },
+
+  modelTypeForTransform(tab) {
+    let modelType;
+    switch (tab) {
+      case 'role':
+        modelType = 'transform/role';
+        break;
+      case 'template':
+        modelType = 'transform/template';
+        break;
+      case 'alphabet':
+        modelType = 'transform/alphabet';
+        break;
+      default: // CBS TODO: transform/transformation
+        modelType = 'transform';
+        break;
+    }
+    return modelType;
+  },
+
+  secretParam() {
+    const { secret } = this.paramsFor(this.routeName);
+    return secret ? normalizePath(secret) : '';
+  },
+
+  enginePathParam() {
+    const { backend } = this.paramsFor('vault.cluster.secrets.backend');
+    return backend;
+  },
+
+  beforeModel() {
+    const secret = this.secretParam();
+    const backend = this.enginePathParam();
+    const { tab } = this.paramsFor('vault.cluster.secrets.backend.list-root');
+    const secretEngine = this.store.peekRecord('secret-engine', backend);
+    const type = secretEngine?.engineType;
+    assert('secretEngine.engineType is not defined', !!type);
+    const engineRoute = allEngines().findBy('type', type)?.engineRoute;
+
+    if (!type || !SUPPORTED_BACKENDS.includes(type)) {
+      return this.router.transitionTo('vault.cluster.secrets');
+    }
+    if (this.routeName === 'vault.cluster.secrets.backend.list' && !secret.endsWith('/')) {
+      return this.router.replaceWith('vault.cluster.secrets.backend.list', secret + '/');
+    }
+    if (isAddonEngine(type, secretEngine.version)) {
+      if (engineRoute === 'kv.list' && pathIsDirectory(secret)) {
+        return this.router.transitionTo('vault.cluster.secrets.backend.kv.list-directory', backend, secret);
+      }
+      return this.router.transitionTo(`vault.cluster.secrets.backend.${engineRoute}`, backend);
+    }
+    const modelType = this.getModelType(backend, tab);
+    return this.pathHelp.getNewModel(modelType, backend).then(() => {
+      this.store.unloadAll('capabilities');
+    });
+  },
+
+  getModelType(backend, tab) {
+    const secretEngine = this.store.peekRecord('secret-engine', backend);
+    const type = secretEngine.engineType;
+    const types = {
+      database: tab === 'role' ? 'database/role' : 'database/connection',
+      transit: 'transit-key',
+      ssh: 'role-ssh',
+      transform: this.modelTypeForTransform(tab),
+      aws: 'role-aws',
+      cubbyhole: 'secret',
+      kv: 'secret',
+      keymgmt: `keymgmt/${tab || 'key'}`,
+      generic: 'secret',
+    };
+    return types[type];
+  },
+
+  async model(params) {
+    const secret = this.secretParam() || '';
+    const backend = this.enginePathParam();
+    const backendModel = this.modelFor('vault.cluster.secrets.backend');
+    const modelType = this.getModelType(backend, params.tab);
+
+    return hash({
+      secret,
+      secrets: this.store
+        .lazyPaginatedQuery(modelType, {
+          id: secret,
+          backend,
+          responsePath: 'data.keys',
+          page: params.page || 1,
+          pageFilter: params.pageFilter,
+        })
+        .then((model) => {
+          this.set('has404', false);
+          return model;
+        })
+        .catch((err) => {
+          // if we're at the root we don't want to throw
+          if (backendModel && err.httpStatus === 404 && secret === '') {
+            return [];
+          } else {
+            // else we're throwing and dealing with this in the error action
+            throw err;
+          }
+        }),
+    });
+  },
+
+  setupController(controller, resolvedModel) {
+    const secretParams = this.paramsFor(this.routeName);
+    const secret = resolvedModel.secret;
+    const model = resolvedModel.secrets;
+    const backend = this.enginePathParam();
+    const backendModel = this.store.peekRecord('secret-engine', backend);
+    const has404 = this.has404;
+    // only clear store cache if this is a new model
+    if (secret !== controller.get('baseKey.id')) {
+      this.store.clearAllDatasets();
+    }
+    controller.set('hasModel', true);
+    controller.setProperties({
+      model,
+      has404,
+      backend,
+      backendModel,
+      baseKey: { id: secret },
+      backendType: backendModel.get('engineType'),
+    });
+    if (!has404) {
+      const pageFilter = secretParams.pageFilter;
+      let filter;
+      if (secret) {
+        filter = secret + (pageFilter || '');
+      } else if (pageFilter) {
+        filter = pageFilter;
+      }
+      controller.setProperties({
+        filter: filter || '',
+        page: model.meta?.currentPage || 1,
+      });
+    }
+  },
+
+  resetController(controller, isExiting) {
+    this._super(...arguments);
+    if (isExiting) {
+      controller.set('pageFilter', null);
+      controller.set('filter', null);
+    }
+  },
+
+  actions: {
+    error(error, transition) {
+      const secret = this.secretParam();
+      const backend = this.enginePathParam();
+      const is404 = error.httpStatus === 404;
+      /* eslint-disable-next-line ember/no-controller-access-in-routes */
+      const hasModel = this.controllerFor(this.routeName).get('hasModel');
+
+      // this will occur if we've deleted something,
+      // and navigate to its parent and the parent doesn't exist -
+      // this if often the case with nested keys in kv-like engines
+      if (transition.data.isDeletion && is404) {
+        throw error;
+      }
+      set(error, 'secret', secret);
+      set(error, 'isRoot', true);
+      set(error, 'backend', backend);
+      // only swallow the error if we have a previous model
+      if (hasModel && is404) {
+        this.set('has404', true);
+        transition.abort();
+        return false;
+      }
+      return true;
+    },
+
+    willTransition(transition) {
+      window.scrollTo(0, 0);
+      if (transition.targetName !== this.routeName) {
+        this.store.clearAllDatasets();
+      }
+      return true;
+    },
+    reload() {
+      this.store.clearAllDatasets();
+      this.refresh();
+    },
+  },
+});
diff --git a/command/server.go b/command/server.go
index 3c1861099047..e7a870d7ffb6 100644
--- a/command/server.go
+++ b/command/server.go
@@ -4,3347 +4,132 @@
 package command
 
 import (
-	"context"
-	"crypto/sha256"
-	"encoding/base64"
-	"encoding/hex"
-	"errors"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"net"
-	"net/http"
-	"net/url"
-	"os"
-	"path/filepath"
-	"runtime"
-	"runtime/pprof"
-	"sort"
-	"strconv"
 	"strings"
-	"sync"
-	"time"
+	"testing"
 
-	"github.com/google/go-cmp/cmp"
-	"github.com/hashicorp/go-kms-wrapping/entropy/v2"
-
-	systemd "github.com/coreos/go-systemd/daemon"
-	"github.com/hashicorp/errwrap"
-	"github.com/hashicorp/go-hclog"
-	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
-	aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
-	"github.com/hashicorp/go-multierror"
-	"github.com/hashicorp/go-secure-stdlib/gatedwriter"
-	"github.com/hashicorp/go-secure-stdlib/mlock"
-	"github.com/hashicorp/go-secure-stdlib/parseutil"
-	"github.com/hashicorp/go-secure-stdlib/reloadutil"
-	"github.com/hashicorp/vault/audit"
-	config2 "github.com/hashicorp/vault/command/config"
-	"github.com/hashicorp/vault/command/server"
-	"github.com/hashicorp/vault/helper/builtinplugins"
-	"github.com/hashicorp/vault/helper/constants"
-	"github.com/hashicorp/vault/helper/experiments"
-	loghelper "github.com/hashicorp/vault/helper/logging"
-	"github.com/hashicorp/vault/helper/metricsutil"
-	"github.com/hashicorp/vault/helper/namespace"
-	"github.com/hashicorp/vault/helper/testhelpers/teststorage"
-	"github.com/hashicorp/vault/helper/useragent"
-	vaulthttp "github.com/hashicorp/vault/http"
-	"github.com/hashicorp/vault/internalshared/configutil"
-	"github.com/hashicorp/vault/internalshared/listenerutil"
-	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/hashicorp/vault/sdk/helper/jsonutil"
-	"github.com/hashicorp/vault/sdk/helper/strutil"
-	"github.com/hashicorp/vault/sdk/helper/testcluster"
-	"github.com/hashicorp/vault/sdk/logical"
-	"github.com/hashicorp/vault/sdk/physical"
-	sr "github.com/hashicorp/vault/serviceregistration"
-	"github.com/hashicorp/vault/vault"
-	"github.com/hashicorp/vault/vault/hcp_link"
-	vaultseal "github.com/hashicorp/vault/vault/seal"
-	"github.com/hashicorp/vault/version"
-	"github.com/mitchellh/cli"
-	"github.com/mitchellh/go-testing-interface"
-	"github.com/posener/complete"
-	"github.com/sasha-s/go-deadlock"
-	"go.uber.org/atomic"
-	"golang.org/x/net/http/httpproxy"
-	"google.golang.org/grpc/grpclog"
-)
-
-var (
-	_ cli.Command             = (*ServerCommand)(nil)
-	_ cli.CommandAutocomplete = (*ServerCommand)(nil)
-)
-
-var memProfilerEnabled = false
-
-const (
-	storageMigrationLock = "core/migration"
-
-	// Even though there are more types than the ones below, the following consts
-	// are declared internally for value comparison and reusability.
-	storageTypeRaft   = "raft"
-	storageTypeConsul = "consul"
+	"github.com/hashicorp/cli"
 )
 
-type ServerCommand struct {
-	*BaseCommand
-	logFlags logFlags
-
-	AuditBackends      map[string]audit.Factory
-	CredentialBackends map[string]logical.Factory
-	LogicalBackends    map[string]logical.Factory
-	PhysicalBackends   map[string]physical.Factory
-
-	ServiceRegistrations map[string]sr.Factory
-
-	ShutdownCh chan struct{}
-	SighupCh   chan struct{}
-	SigUSR2Ch  chan struct{}
-
-	WaitGroup *sync.WaitGroup
-
-	logWriter io.Writer
-	logGate   *gatedwriter.Writer
-	logger    hclog.InterceptLogger
-
-	cleanupGuard sync.Once
-
-	reloadFuncsLock   *sync.RWMutex
-	reloadFuncs       *map[string][]reloadutil.ReloadFunc
-	startedCh         chan (struct{}) // for tests
-	reloadedCh        chan (struct{}) // for tests
-	licenseReloadedCh chan (error)    // for tests
-
-	allLoggers []hclog.Logger
-
-	flagConfigs            []string
-	flagRecovery           bool
-	flagExperiments        []string
-	flagDev                bool
-	flagDevTLS             bool
-	flagDevTLSCertDir      string
-	flagDevTLSSANs         []string
-	flagDevRootTokenID     string
-	flagDevListenAddr      string
-	flagDevNoStoreToken    bool
-	flagDevPluginDir       string
-	flagDevPluginInit      bool
-	flagDevHA              bool
-	flagDevLatency         int
-	flagDevLatencyJitter   int
-	flagDevLeasedKV        bool
-	flagDevKVV1            bool
-	flagDevSkipInit        bool
-	flagDevThreeNode       bool
-	flagDevFourCluster     bool
-	flagDevTransactional   bool
-	flagDevAutoSeal        bool
-	flagDevClusterJson     string
-	flagTestVerifyOnly     bool
-	flagTestServerConfig   bool
-	flagDevConsul          bool
-	flagExitOnCoreShutdown bool
-}
-
-func (c *ServerCommand) Synopsis() string {
-	return "Start a Vault server"
-}
-
-func (c *ServerCommand) Help() string {
-	helpText := `
-Usage: vault server [options]
-
-  This command starts a Vault server that responds to API requests. By default,
-  Vault will start in a "sealed" state. The Vault cluster must be initialized
-  before use, usually by the "vault operator init" command. Each Vault server must
-  also be unsealed using the "vault operator unseal" command or the API before the
-  server can respond to requests.
-
-  Start a server with a configuration file:
-
-      $ vault server -config=/etc/vault/config.hcl
-
-  Run in "dev" mode:
-
-      $ vault server -dev -dev-root-token-id="root"
-
-  For a full list of examples, please see the documentation.
-
-` + c.Flags().Help()
-	return strings.TrimSpace(helpText)
-}
-
-func (c *ServerCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP)
-
-	f := set.NewFlagSet("Command Options")
-
-	// Augment with the log flags
-	f.addLogFlags(&c.logFlags)
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:   "config",
-		Target: &c.flagConfigs,
-		Completion: complete.PredictOr(
-			complete.PredictFiles("*.hcl"),
-			complete.PredictFiles("*.json"),
-			complete.PredictDirs("*"),
-		),
-		Usage: "Path to a configuration file or directory of configuration " +
-			"files. This flag can be specified multiple times to load multiple " +
-			"configurations. If the path is a directory, all files which end in " +
-			".hcl or .json are loaded.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "exit-on-core-shutdown",
-		Target:  &c.flagExitOnCoreShutdown,
-		Default: false,
-		Usage:   "Exit the vault server if the vault core is shutdown.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:   "recovery",
-		Target: &c.flagRecovery,
-		Usage: "Enable recovery mode. In this mode, Vault is used to perform recovery actions. " +
-			"Using a recovery token, \"sys/raw\" API can be used to manipulate the storage.",
-	})
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:       "experiment",
-		Target:     &c.flagExperiments,
-		Completion: complete.PredictSet(experiments.ValidExperiments()...),
-		Usage: "Name of an experiment to enable. Experiments should NOT be used in production, and " +
-			"the associated APIs may have backwards incompatible changes between releases. This " +
-			"flag can be specified multiple times to specify multiple experiments. This can also be " +
-			fmt.Sprintf("specified via the %s environment variable as a comma-separated list. ", EnvVaultExperiments) +
-			"Valid experiments are: " + strings.Join(experiments.ValidExperiments(), ", "),
-	})
-
-	f = set.NewFlagSet("Dev Options")
-
-	f.BoolVar(&BoolVar{
-		Name:   "dev",
-		Target: &c.flagDev,
-		Usage: "Enable development mode. In this mode, Vault runs in-memory and " +
-			"starts unsealed. As the name implies, do not run \"dev\" mode in " +
-			"production.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:   "dev-tls",
-		Target: &c.flagDevTLS,
-		Usage: "Enable TLS development mode. In this mode, Vault runs in-memory and " +
-			"starts unsealed, with a generated TLS CA, certificate and key. " +
-			"As the name implies, do not run \"dev-tls\" mode in " +
-			"production.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:    "dev-tls-cert-dir",
-		Target:  &c.flagDevTLSCertDir,
-		Default: "",
-		Usage: "Directory where generated TLS files are created if `-dev-tls` is " +
-			"specified. If left unset, files are generated in a temporary directory.",
-	})
-
-	f.StringSliceVar(&StringSliceVar{
-		Name:    "dev-tls-san",
-		Target:  &c.flagDevTLSSANs,
-		Default: nil,
-		Usage: "Additional Subject Alternative Name (as a DNS name or IP address) " +
-			"to generate the certificate with if `-dev-tls` is specified. The " +
-			"certificate will always use localhost, localhost4, localhost6, " +
-			"localhost.localdomain, and the host name as alternate DNS names, " +
-			"and 127.0.0.1 as an alternate IP address. This flag can be specified " +
-			"multiple times to specify multiple SANs.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:    "dev-root-token-id",
-		Target:  &c.flagDevRootTokenID,
-		Default: "",
-		EnvVar:  "VAULT_DEV_ROOT_TOKEN_ID",
-		Usage: "Initial root token. This only applies when running in \"dev\" " +
-			"mode.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:    "dev-listen-address",
-		Target:  &c.flagDevListenAddr,
-		Default: "127.0.0.1:8200",
-		EnvVar:  "VAULT_DEV_LISTEN_ADDRESS",
-		Usage:   "Address to bind to in \"dev\" mode.",
-	})
-	f.BoolVar(&BoolVar{
-		Name:    "dev-no-store-token",
-		Target:  &c.flagDevNoStoreToken,
-		Default: false,
-		Usage: "Do not persist the dev root token to the token helper " +
-			"(usually the local filesystem) for use in future requests. " +
-			"The token will only be displayed in the command output.",
-	})
-
-	// Internal-only flags to follow.
-	//
-	// Why hello there little source code reader! Welcome to the Vault source
-	// code. The remaining options are intentionally undocumented and come with
-	// no warranty or backwards-compatibility promise. Do not use these flags
-	// in production. Do not build automation using these flags. Unless you are
-	// developing against Vault, you should not need any of these flags.
-
-	f.StringVar(&StringVar{
-		Name:       "dev-plugin-dir",
-		Target:     &c.flagDevPluginDir,
-		Default:    "",
-		Completion: complete.PredictDirs("*"),
-		Hidden:     true,
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "dev-plugin-init",
-		Target:  &c.flagDevPluginInit,
-		Default: true,
-		Hidden:  true,
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "dev-ha",
-		Target:  &c.flagDevHA,
-		Default: false,
-		Hidden:  true,
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "dev-transactional",
-		Target:  &c.flagDevTransactional,
-		Default: false,
-		Hidden:  true,
-	})
-
-	f.IntVar(&IntVar{
-		Name:   "dev-latency",
-		Target: &c.flagDevLatency,
-		Hidden: true,
-	})
-
-	f.IntVar(&IntVar{
-		Name:   "dev-latency-jitter",
-		Target: &c.flagDevLatencyJitter,
-		Hidden: true,
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "dev-leased-kv",
-		Target:  &c.flagDevLeasedKV,
-		Default: false,
-		Hidden:  true,
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "dev-kv-v1",
-		Target:  &c.flagDevKVV1,
-		Default: false,
-		Hidden:  true,
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "dev-auto-seal",
-		Target:  &c.flagDevAutoSeal,
-		Default: false,
-		Hidden:  true,
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "dev-skip-init",
-		Target:  &c.flagDevSkipInit,
-		Default: false,
-		Hidden:  true,
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "dev-three-node",
-		Target:  &c.flagDevThreeNode,
-		Default: false,
-		Hidden:  true,
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "dev-four-cluster",
-		Target:  &c.flagDevFourCluster,
-		Default: false,
-		Hidden:  true,
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "dev-consul",
-		Target:  &c.flagDevConsul,
-		Default: false,
-		Hidden:  true,
-	})
-
-	f.StringVar(&StringVar{
-		Name:   "dev-cluster-json",
-		Target: &c.flagDevClusterJson,
-		Usage:  "File to write cluster definition to",
-	})
-
-	// TODO: should the below flags be public?
-	f.BoolVar(&BoolVar{
-		Name:    "test-verify-only",
-		Target:  &c.flagTestVerifyOnly,
-		Default: false,
-		Hidden:  true,
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:    "test-server-config",
-		Target:  &c.flagTestServerConfig,
-		Default: false,
-		Hidden:  true,
-	})
-
-	// End internal-only flags.
-
-	return set
-}
-
-func (c *ServerCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictNothing
-}
-
-func (c *ServerCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *ServerCommand) flushLog() {
-	c.logger.(hclog.OutputResettable).ResetOutputWithFlush(&hclog.LoggerOptions{
-		Output: c.logWriter,
-	}, c.logGate)
-}
-
-func (c *ServerCommand) parseConfig() (*server.Config, []configutil.ConfigError, error) {
-	var configErrors []configutil.ConfigError
-	// Load the configuration
-	var config *server.Config
-	for _, path := range c.flagConfigs {
-		current, err := server.LoadConfig(path)
-		if err != nil {
-			return nil, nil, fmt.Errorf("error loading configuration from %s: %w", path, err)
-		}
-
-		configErrors = append(configErrors, current.Validate(path)...)
-
-		if config == nil {
-			config = current
-		} else {
-			config = config.Merge(current)
-		}
-	}
-
-	if config != nil && config.Entropy != nil && config.Entropy.Mode == configutil.EntropyAugmentation && constants.IsFIPS() {
-		c.UI.Warn("WARNING: Entropy Augmentation is not supported in FIPS 140-2 Inside mode; disabling from server configuration!\n")
-		config.Entropy = nil
-	}
-
-	return config, configErrors, nil
-}
-
-func (c *ServerCommand) runRecoveryMode() int {
-	config, configErrors, err := c.parseConfig()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	// Ensure at least one config was found.
-	if config == nil {
-		c.UI.Output(wrapAtLength(
-			"No configuration files found. Please provide configurations with the " +
-				"-config flag. If you are supplying the path to a directory, please " +
-				"ensure the directory contains files with the .hcl or .json " +
-				"extension."))
-		return 1
-	}
-
-	// Update the 'log' related aspects of shared config based on config/env var/cli
-	c.flags.applyLogConfigOverrides(config.SharedConfig)
-	l, err := c.configureLogging(config)
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-	c.logger = l
-	c.allLoggers = append(c.allLoggers, l)
-
-	// reporting Errors found in the config
-	for _, cErr := range configErrors {
-		c.logger.Warn(cErr.String())
-	}
-
-	// Ensure logging is flushed if initialization fails
-	defer c.flushLog()
-
-	// create GRPC logger
-	namedGRPCLogFaker := c.logger.Named("grpclogfaker")
-	grpclog.SetLogger(&grpclogFaker{
-		logger: namedGRPCLogFaker,
-		log:    os.Getenv("VAULT_GRPC_LOGGING") != "",
-	})
-
-	if config.Storage == nil {
-		c.UI.Output("A storage backend must be specified")
-		return 1
-	}
-
-	if config.DefaultMaxRequestDuration != 0 {
-		vault.DefaultMaxRequestDuration = config.DefaultMaxRequestDuration
-	}
-
-	logProxyEnvironmentVariables(c.logger)
-
-	// Initialize the storage backend
-	factory, exists := c.PhysicalBackends[config.Storage.Type]
-	if !exists {
-		c.UI.Error(fmt.Sprintf("Unknown storage type %s", config.Storage.Type))
-		return 1
-	}
-	if config.Storage.Type == storageTypeRaft || (config.HAStorage != nil && config.HAStorage.Type == storageTypeRaft) {
-		if envCA := os.Getenv("VAULT_CLUSTER_ADDR"); envCA != "" {
-			config.ClusterAddr = envCA
-		}
-
-		if len(config.ClusterAddr) == 0 {
-			c.UI.Error("Cluster address must be set when using raft storage")
-			return 1
-		}
-	}
-
-	namedStorageLogger := c.logger.Named("storage." + config.Storage.Type)
-	backend, err := factory(config.Storage.Config, namedStorageLogger)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error initializing storage of type %s: %s", config.Storage.Type, err))
-		return 1
-	}
-
-	infoKeys := make([]string, 0, 10)
-	info := make(map[string]string)
-	info["log level"] = config.LogLevel
-	infoKeys = append(infoKeys, "log level")
-
-	var barrierSeal vault.Seal
-	var sealConfigError error
-
-	if len(config.Seals) == 0 {
-		config.Seals = append(config.Seals, &configutil.KMS{Type: wrapping.WrapperTypeShamir.String()})
-	}
-
-	if len(config.Seals) > 1 {
-		c.UI.Error("Only one seal block is accepted in recovery mode")
-		return 1
-	}
-
-	ctx := context.Background()
-	existingSealGenerationInfo, err := vault.PhysicalSealGenInfo(ctx, backend)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error getting seal generation info: %v", err))
-		return 1
-	}
-
-	hasPartialPaths, err := hasPartiallyWrappedPaths(ctx, backend)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Cannot determine if there are partially seal wrapped entries in storage: %v", err))
-		return 1
-	}
-	setSealResponse, err := setSeal(c, config, infoKeys, info, existingSealGenerationInfo, hasPartialPaths)
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-	if setSealResponse.barrierSeal == nil {
-		c.UI.Error(fmt.Sprintf("Error setting up seal: %v", setSealResponse.sealConfigError))
-		return 1
-	}
-	barrierSeal = setSealResponse.barrierSeal
-
-	// Ensure that the seal finalizer is called, even if using verify-only
-	defer func() {
-		err = barrierSeal.Finalize(ctx)
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error finalizing seals: %v", err))
-		}
-	}()
-
-	coreConfig := &vault.CoreConfig{
-		Physical:     backend,
-		StorageType:  config.Storage.Type,
-		Seal:         barrierSeal,
-		LogLevel:     config.LogLevel,
-		Logger:       c.logger,
-		DisableMlock: config.DisableMlock,
-		RecoveryMode: c.flagRecovery,
-		ClusterAddr:  config.ClusterAddr,
-	}
-
-	core, newCoreError := vault.NewCore(coreConfig)
-	if newCoreError != nil {
-		if vault.IsFatalError(newCoreError) {
-			c.UI.Error(fmt.Sprintf("Error initializing core: %s", newCoreError))
-			return 1
-		}
-	}
-
-	if err := core.InitializeRecovery(ctx); err != nil {
-		c.UI.Error(fmt.Sprintf("Error initializing core in recovery mode: %s", err))
-		return 1
-	}
-
-	// Compile server information for output later
-	infoKeys = append(infoKeys, "storage")
-	info["storage"] = config.Storage.Type
-
-	if coreConfig.ClusterAddr != "" {
-		info["cluster address"] = coreConfig.ClusterAddr
-		infoKeys = append(infoKeys, "cluster address")
-	}
-
-	// Initialize the listeners
-	lns := make([]listenerutil.Listener, 0, len(config.Listeners))
-	for _, lnConfig := range config.Listeners {
-		ln, _, _, err := server.NewListener(lnConfig, c.logGate, c.UI)
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error initializing listener of type %s: %s", lnConfig.Type, err))
-			return 1
-		}
-
-		lns = append(lns, listenerutil.Listener{
-			Listener: ln,
-			Config:   lnConfig,
-		})
-	}
-
-	listenerCloseFunc := func() {
-		for _, ln := range lns {
-			ln.Listener.Close()
-		}
-	}
-
-	defer c.cleanupGuard.Do(listenerCloseFunc)
-
-	infoKeys = append(infoKeys, "version")
-	verInfo := version.GetVersion()
-	info["version"] = verInfo.FullVersionNumber(false)
-
-	if verInfo.Revision != "" {
-		info["version sha"] = strings.Trim(verInfo.Revision, "'")
-		infoKeys = append(infoKeys, "version sha")
-	}
-
-	infoKeys = append(infoKeys, "recovery mode")
-	info["recovery mode"] = "true"
-
-	infoKeys = append(infoKeys, "go version")
-	info["go version"] = runtime.Version()
-
-	fipsStatus := entGetFIPSInfoKey()
-	if fipsStatus != "" {
-		infoKeys = append(infoKeys, "fips")
-		info["fips"] = fipsStatus
-	}
-
-	// Server configuration output
-	padding := 24
-
-	sort.Strings(infoKeys)
-	c.UI.Output("==> Vault server configuration:\n")
-
-	for _, k := range infoKeys {
-		c.UI.Output(fmt.Sprintf(
-			"%s%s: %s",
-			strings.Repeat(" ", padding-len(k)),
-			strings.Title(k),
-			info[k]))
-	}
-
-	c.UI.Output("")
-
-	// Tests might not want to start a vault server and just want to verify
-	// the configuration.
-	if c.flagTestVerifyOnly {
-		return 0
-	}
-
-	for _, ln := range lns {
-		handler := vaulthttp.Handler.Handler(&vault.HandlerProperties{
-			Core:                  core,
-			ListenerConfig:        ln.Config,
-			DisablePrintableCheck: config.DisablePrintableCheck,
-			RecoveryMode:          c.flagRecovery,
-			RecoveryToken:         atomic.NewString(""),
-		})
-
-		server := &http.Server{
-			Handler:           handler,
-			ReadHeaderTimeout: 10 * time.Second,
-			ReadTimeout:       30 * time.Second,
-			IdleTimeout:       5 * time.Minute,
-			ErrorLog:          c.logger.StandardLogger(nil),
-		}
-
-		go server.Serve(ln.Listener)
-	}
-
-	if sealConfigError != nil {
-		init, err := core.InitializedLocally(ctx)
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error checking if core is initialized: %v", err))
-			return 1
-		}
-		if init {
-			c.UI.Error("Vault is initialized but no Seal key could be loaded")
-			return 1
-		}
-	}
-
-	if newCoreError != nil {
-		c.UI.Warn(wrapAtLength(
-			"WARNING! A non-fatal error occurred during initialization. Please " +
-				"check the logs for more information."))
-		c.UI.Warn("")
-	}
-
-	if !c.logFlags.flagCombineLogs {
-		c.UI.Output("==> Vault server started! Log data will stream in below:\n")
-	}
-
-	c.flushLog()
-
-	for {
-		select {
-		case <-c.ShutdownCh:
-			c.UI.Output("==> Vault shutdown triggered")
+func testListCommand(tb testing.TB) (*cli.MockUi, *ListCommand) {
+	tb.Helper()
 
-			c.cleanupGuard.Do(listenerCloseFunc)
-
-			if err := core.Shutdown(); err != nil {
-				c.UI.Error(fmt.Sprintf("Error with core shutdown: %s", err))
-			}
-
-			return 0
-
-		case <-c.SigUSR2Ch:
-			buf := make([]byte, 32*1024*1024)
-			n := runtime.Stack(buf[:], true)
-			c.logger.Info("goroutine trace", "stack", string(buf[:n]))
-		}
-	}
-}
-
-func logProxyEnvironmentVariables(logger hclog.Logger) {
-	proxyCfg := httpproxy.FromEnvironment()
-	cfgMap := map[string]string{
-		"http_proxy":  proxyCfg.HTTPProxy,
-		"https_proxy": proxyCfg.HTTPSProxy,
-		"no_proxy":    proxyCfg.NoProxy,
-	}
-	for k, v := range cfgMap {
-		u, err := url.Parse(v)
-		if err != nil {
-			// Env vars may contain URLs or host:port values.  We only care
-			// about the former.
-			continue
-		}
-		if _, ok := u.User.Password(); ok {
-			u.User = url.UserPassword("redacted-username", "redacted-password")
-		} else if user := u.User.Username(); user != "" {
-			u.User = url.User("redacted-username")
-		}
-		cfgMap[k] = u.String()
-	}
-	logger.Info("proxy environment", "http_proxy", cfgMap["http_proxy"],
-		"https_proxy", cfgMap["https_proxy"], "no_proxy", cfgMap["no_proxy"])
-}
-
-type quiescenceSink struct {
-	t *time.Timer
-}
-
-func (q quiescenceSink) Accept(name string, level hclog.Level, msg string, args ...interface{}) {
-	q.t.Reset(100 * time.Millisecond)
-}
-
-func (c *ServerCommand) setupStorage(config *server.Config) (physical.Backend, error) {
-	// Ensure that a backend is provided
-	if config.Storage == nil {
-		return nil, errors.New("A storage backend must be specified")
-	}
-
-	// Initialize the backend
-	factory, exists := c.PhysicalBackends[config.Storage.Type]
-	if !exists {
-		return nil, fmt.Errorf("Unknown storage type %s", config.Storage.Type)
-	}
-
-	// Do any custom configuration needed per backend
-	switch config.Storage.Type {
-	case storageTypeConsul:
-		if config.ServiceRegistration == nil {
-			// If Consul is configured for storage and service registration is unconfigured,
-			// use Consul for service registration without requiring additional configuration.
-			// This maintains backward-compatibility.
-			config.ServiceRegistration = &server.ServiceRegistration{
-				Type:   "consul",
-				Config: config.Storage.Config,
-			}
-		}
-	case storageTypeRaft:
-		if envCA := os.Getenv("VAULT_CLUSTER_ADDR"); envCA != "" {
-			config.ClusterAddr = envCA
-		}
-		if len(config.ClusterAddr) == 0 {
-			return nil, errors.New("Cluster address must be set when using raft storage")
-		}
-	}
-
-	namedStorageLogger := c.logger.Named("storage." + config.Storage.Type)
-	c.allLoggers = append(c.allLoggers, namedStorageLogger)
-	backend, err := factory(config.Storage.Config, namedStorageLogger)
-	if err != nil {
-		return nil, fmt.Errorf("Error initializing storage of type %s: %w", config.Storage.Type, err)
+	ui := cli.NewMockUi()
+	return ui, &ListCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
 	}
-
-	return backend, nil
 }
 
-func beginServiceRegistration(c *ServerCommand, config *server.Config) (sr.ServiceRegistration, error) {
-	sdFactory, ok := c.ServiceRegistrations[config.ServiceRegistration.Type]
-	if !ok {
-		return nil, fmt.Errorf("Unknown service_registration type %s", config.ServiceRegistration.Type)
-	}
-
-	namedSDLogger := c.logger.Named("service_registration." + config.ServiceRegistration.Type)
-	c.allLoggers = append(c.allLoggers, namedSDLogger)
+func TestListCommand_Run(t *testing.T) {
+	t.Parallel()
 
-	// Since we haven't even begun starting Vault's core yet,
-	// we know that Vault is in its pre-running state.
-	state := sr.State{
-		VaultVersion:         version.GetVersion().VersionNumber(),
-		IsInitialized:        false,
-		IsSealed:             true,
-		IsActive:             false,
-		IsPerformanceStandby: false,
-	}
-	var err error
-	configSR, err := sdFactory(config.ServiceRegistration.Config, namedSDLogger, state)
-	if err != nil {
-		return nil, fmt.Errorf("Error initializing service_registration of type %s: %s", config.ServiceRegistration.Type, err)
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"not_enough_args",
+			[]string{},
+			"Not enough arguments",
+			1,
+		},
+		{
+			"too_many_args",
+			[]string{"foo", "bar"},
+			"Too many arguments",
+			1,
+		},
+		{
+			"not_found",
+			[]string{"nope/not/once/never"},
+			"",
+			2,
+		},
+		{
+			"default",
+			[]string{"secret/list"},
+			"bar\nbaz\nfoo",
+			0,
+		},
+		{
+			"default_slash",
+			[]string{"secret/list/"},
+			"bar\nbaz\nfoo",
+			0,
+		},
 	}
 
-	return configSR, nil
-}
-
-// InitListeners returns a response code, error message, Listeners, and a TCP Address list.
-func (c *ServerCommand) InitListeners(config *server.Config, disableClustering bool, infoKeys *[]string, info *map[string]string) (int, []listenerutil.Listener, []*net.TCPAddr, error) {
-	clusterAddrs := []*net.TCPAddr{}
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
 
-	// Initialize the listeners
-	lns := make([]listenerutil.Listener, 0, len(config.Listeners))
+		for _, tc := range cases {
+			tc := tc
 
-	c.reloadFuncsLock.Lock()
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
 
-	defer c.reloadFuncsLock.Unlock()
+				client, closer := testVaultServer(t)
+				defer closer()
 
-	var errMsg error
-	for i, lnConfig := range config.Listeners {
-		ln, props, reloadFunc, err := server.NewListener(lnConfig, c.logGate, c.UI)
-		if err != nil {
-			errMsg = fmt.Errorf("Error initializing listener of type %s: %s", lnConfig.Type, err)
-			return 1, nil, nil, errMsg
-		}
+				keys := []string{
+					"secret/list/foo",
+					"secret/list/bar",
+					"secret/list/baz",
+				}
+				for _, k := range keys {
+					if _, err := client.Logical().Write(k, map[string]interface{}{
+						"foo": "bar",
+					}); err != nil {
+						t.Fatal(err)
+					}
+				}
 
-		if reloadFunc != nil {
-			relSlice := (*c.reloadFuncs)[fmt.Sprintf("listener|%s", lnConfig.Type)]
-			relSlice = append(relSlice, reloadFunc)
-			(*c.reloadFuncs)[fmt.Sprintf("listener|%s", lnConfig.Type)] = relSlice
-		}
+				ui, cmd := testListCommand(t)
+				cmd.client = client
 
-		if !disableClustering && lnConfig.Type == "tcp" {
-			addr := lnConfig.ClusterAddress
-			if addr != "" {
-				tcpAddr, err := net.ResolveTCPAddr("tcp", lnConfig.ClusterAddress)
-				if err != nil {
-					errMsg = fmt.Errorf("Error resolving cluster_address: %s", err)
-					return 1, nil, nil, errMsg
-				}
-				clusterAddrs = append(clusterAddrs, tcpAddr)
-			} else {
-				tcpAddr, ok := ln.Addr().(*net.TCPAddr)
-				if !ok {
-					errMsg = fmt.Errorf("Failed to parse tcp listener")
-					return 1, nil, nil, errMsg
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
 				}
-				clusterAddr := &net.TCPAddr{
-					IP:   tcpAddr.IP,
-					Port: tcpAddr.Port + 1,
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
 				}
-				clusterAddrs = append(clusterAddrs, clusterAddr)
-				addr = clusterAddr.String()
-			}
-			props["cluster address"] = addr
+			})
 		}
+	})
 
-		if lnConfig.MaxRequestSize == 0 {
-			lnConfig.MaxRequestSize = vaulthttp.DefaultMaxRequestSize
-		}
-		props["max_request_size"] = fmt.Sprintf("%d", lnConfig.MaxRequestSize)
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
 
-		if lnConfig.MaxRequestDuration == 0 {
-			lnConfig.MaxRequestDuration = vault.DefaultMaxRequestDuration
-		}
-		props["max_request_duration"] = lnConfig.MaxRequestDuration.String()
+		client, closer := testVaultServerBad(t)
+		defer closer()
 
-		if lnConfig.ChrootNamespace != "" {
-			props["chroot_namespace"] = lnConfig.ChrootNamespace
-		}
+		ui, cmd := testListCommand(t)
+		cmd.client = client
 
-		lns = append(lns, listenerutil.Listener{
-			Listener: ln,
-			Config:   lnConfig,
+		code := cmd.Run([]string{
+			"secret/list",
 		})
-
-		// Store the listener props for output later
-		key := fmt.Sprintf("listener %d", i+1)
-		propsList := make([]string, 0, len(props))
-		for k, v := range props {
-			propsList = append(propsList, fmt.Sprintf(
-				"%s: %q", k, v))
-		}
-		sort.Strings(propsList)
-		*infoKeys = append(*infoKeys, key)
-		(*info)[key] = fmt.Sprintf(
-			"%s (%s)", lnConfig.Type, strings.Join(propsList, ", "))
-
-	}
-	if !disableClustering {
-		if c.logger.IsDebug() {
-			c.logger.Debug("cluster listener addresses synthesized", "cluster_addresses", clusterAddrs)
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
 		}
-	}
-	return 0, lns, clusterAddrs, nil
-}
 
-func configureDevTLS(c *ServerCommand) (func(), *server.Config, string, error) {
-	var devStorageType string
-
-	switch {
-	case c.flagDevConsul:
-		devStorageType = "consul"
-	case c.flagDevHA && c.flagDevTransactional:
-		devStorageType = "inmem_transactional_ha"
-	case !c.flagDevHA && c.flagDevTransactional:
-		devStorageType = "inmem_transactional"
-	case c.flagDevHA && !c.flagDevTransactional:
-		devStorageType = "inmem_ha"
-	default:
-		devStorageType = "inmem"
-	}
-
-	var certDir string
-	var err error
-	var config *server.Config
-	var f func()
-
-	if c.flagDevTLS {
-		if c.flagDevTLSCertDir != "" {
-			if _, err = os.Stat(c.flagDevTLSCertDir); err != nil {
-				return nil, nil, "", err
-			}
-
-			certDir = c.flagDevTLSCertDir
-		} else {
-			if certDir, err = os.MkdirTemp("", "vault-tls"); err != nil {
-				return nil, nil, certDir, err
-			}
-		}
-		extraSANs := c.flagDevTLSSANs
-		host, _, err := net.SplitHostPort(c.flagDevListenAddr)
-		if err == nil {
-			// 127.0.0.1 is the default, and already included in the SANs.
-			// Empty host means listen on all interfaces, but users should use the
-			// -dev-tls-san flag to get the right SANs in that case.
-			if host != "" && host != "127.0.0.1" {
-				extraSANs = append(extraSANs, host)
-			}
+		expected := "Error listing secret/list: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
 		}
-		config, err = server.DevTLSConfig(devStorageType, certDir, extraSANs)
-
-		f = func() {
-			if err := os.Remove(fmt.Sprintf("%s/%s", certDir, server.VaultDevCAFilename)); err != nil {
-				c.UI.Error(err.Error())
-			}
+	})
 
-			if err := os.Remove(fmt.Sprintf("%s/%s", certDir, server.VaultDevCertFilename)); err != nil {
-				c.UI.Error(err.Error())
-			}
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
 
-			if err := os.Remove(fmt.Sprintf("%s/%s", certDir, server.VaultDevKeyFilename)); err != nil {
-				c.UI.Error(err.Error())
-			}
-
-			// Only delete temp directories we made.
-			if c.flagDevTLSCertDir == "" {
-				if err := os.Remove(certDir); err != nil {
-					c.UI.Error(err.Error())
-				}
-			}
-		}
-
-	} else {
-		config, err = server.DevConfig(devStorageType)
-	}
-
-	return f, config, certDir, err
-}
-
-func (c *ServerCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	// Don't exit just because we saw a potential deadlock.
-	deadlock.Opts.OnPotentialDeadlock = func() {}
-
-	c.logGate = gatedwriter.NewWriter(os.Stderr)
-	c.logWriter = c.logGate
-
-	if c.logFlags.flagCombineLogs {
-		c.logWriter = os.Stdout
-	}
-
-	if c.flagRecovery {
-		return c.runRecoveryMode()
-	}
-
-	// Automatically enable dev mode if other dev flags are provided.
-	if c.flagDevConsul || c.flagDevHA || c.flagDevTransactional || c.flagDevLeasedKV || c.flagDevThreeNode || c.flagDevFourCluster || c.flagDevAutoSeal || c.flagDevKVV1 || c.flagDevTLS {
-		c.flagDev = true
-	}
-
-	// Validation
-	if !c.flagDev {
-		switch {
-		case len(c.flagConfigs) == 0:
-			c.UI.Error("Must specify at least one config path using -config")
-			return 1
-		case c.flagDevRootTokenID != "":
-			c.UI.Warn(wrapAtLength(
-				"You cannot specify a custom root token ID outside of \"dev\" mode. " +
-					"Your request has been ignored."))
-			c.flagDevRootTokenID = ""
-		}
-	}
-
-	// Load the configuration
-	var config *server.Config
-	var certDir string
-	if c.flagDev {
-		df, cfg, dir, err := configureDevTLS(c)
-		if df != nil {
-			defer df()
-		}
-
-		if err != nil {
-			c.UI.Error(err.Error())
-			return 1
-		}
-
-		config = cfg
-		certDir = dir
-
-		if c.flagDevListenAddr != "" {
-			config.Listeners[0].Address = c.flagDevListenAddr
-		}
-		config.Listeners[0].Telemetry.UnauthenticatedMetricsAccess = true
-	}
-
-	parsedConfig, configErrors, err := c.parseConfig()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-	if config == nil {
-		config = parsedConfig
-	} else {
-		config = config.Merge(parsedConfig)
-	}
-
-	// Ensure at least one config was found.
-	if config == nil {
-		c.UI.Output(wrapAtLength(
-			"No configuration files found. Please provide configurations with the " +
-				"-config flag. If you are supplying the path to a directory, please " +
-				"ensure the directory contains files with the .hcl or .json " +
-				"extension."))
-		return 1
-	}
-
-	f.applyLogConfigOverrides(config.SharedConfig)
-
-	// Set 'trace' log level for the following 'dev' clusters
-	if c.flagDevThreeNode || c.flagDevFourCluster {
-		config.LogLevel = "trace"
-	}
-
-	l, err := c.configureLogging(config)
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-	c.logger = l
-	c.allLoggers = append(c.allLoggers, l)
-
-	// reporting Errors found in the config
-	for _, cErr := range configErrors {
-		c.logger.Warn(cErr.String())
-	}
-
-	// Ensure logging is flushed if initialization fails
-	defer c.flushLog()
-
-	// create GRPC logger
-	namedGRPCLogFaker := c.logger.Named("grpclogfaker")
-	c.allLoggers = append(c.allLoggers, namedGRPCLogFaker)
-	grpclog.SetLogger(&grpclogFaker{
-		logger: namedGRPCLogFaker,
-		log:    os.Getenv("VAULT_GRPC_LOGGING") != "",
-	})
-
-	if memProfilerEnabled {
-		c.startMemProfiler()
-	}
-
-	if config.DefaultMaxRequestDuration != 0 {
-		vault.DefaultMaxRequestDuration = config.DefaultMaxRequestDuration
-	}
-
-	logProxyEnvironmentVariables(c.logger)
-
-	if envMlock := os.Getenv("VAULT_DISABLE_MLOCK"); envMlock != "" {
-		var err error
-		config.DisableMlock, err = strconv.ParseBool(envMlock)
-		if err != nil {
-			c.UI.Output("Error parsing the environment variable VAULT_DISABLE_MLOCK")
-			return 1
-		}
-	}
-
-	if envLicensePath := os.Getenv(EnvVaultLicensePath); envLicensePath != "" {
-		config.LicensePath = envLicensePath
-	}
-	if envLicense := os.Getenv(EnvVaultLicense); envLicense != "" {
-		config.License = envLicense
-	}
-
-	if err := server.ExperimentsFromEnvAndCLI(config, EnvVaultExperiments, c.flagExperiments); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	for _, experiment := range config.Experiments {
-		if experiments.IsUnused(experiment) {
-			c.UI.Warn(fmt.Sprintf("WARNING! Experiment %s is no longer used", experiment))
-		}
-	}
-
-	// If mlockall(2) isn't supported, show a warning. We disable this in dev
-	// because it is quite scary to see when first using Vault. We also disable
-	// this if the user has explicitly disabled mlock in configuration.
-	if !c.flagDev && !config.DisableMlock && !mlock.Supported() {
-		c.UI.Warn(wrapAtLength(
-			"WARNING! mlock is not supported on this system! An mlockall(2)-like " +
-				"syscall to prevent memory from being swapped to disk is not " +
-				"supported on this system. For better security, only run Vault on " +
-				"systems where this call is supported. If you are running Vault " +
-				"in a Docker container, provide the IPC_LOCK cap to the container."))
-	}
-
-	inmemMetrics, metricSink, prometheusEnabled, err := configutil.SetupTelemetry(&configutil.SetupTelemetryOpts{
-		Config:      config.Telemetry,
-		Ui:          c.UI,
-		ServiceName: "vault",
-		DisplayName: "Vault",
-		UserAgent:   useragent.String(),
-		ClusterName: config.ClusterName,
+		_, cmd := testListCommand(t)
+		assertNoTabs(t, cmd)
 	})
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error initializing telemetry: %s", err))
-		return 1
-	}
-	metricsHelper := metricsutil.NewMetricsHelper(inmemMetrics, prometheusEnabled)
-
-	// Initialize the storage backend
-	var backend physical.Backend
-	if !c.flagDev || config.Storage != nil {
-		backend, err = c.setupStorage(config)
-		if err != nil {
-			c.UI.Error(err.Error())
-			return 1
-		}
-		// Prevent server startup if migration is active
-		// TODO: Use OpenTelemetry to integrate this into Diagnose
-		if c.storageMigrationActive(backend) {
-			return 1
-		}
-	}
-
-	// Initialize the Service Discovery, if there is one
-	var configSR sr.ServiceRegistration
-	if config.ServiceRegistration != nil {
-		configSR, err = beginServiceRegistration(c, config)
-		if err != nil {
-			c.UI.Output(err.Error())
-			return 1
-		}
-	}
-
-	infoKeys := make([]string, 0, 10)
-	info := make(map[string]string)
-	info["log level"] = config.LogLevel
-	infoKeys = append(infoKeys, "log level")
-
-	// returns a slice of env vars formatted as "key=value"
-	envVars := os.Environ()
-	var envVarKeys []string
-	for _, v := range envVars {
-		splitEnvVars := strings.Split(v, "=")
-		envVarKeys = append(envVarKeys, splitEnvVars[0])
-	}
-
-	sort.Strings(envVarKeys)
-
-	key := "environment variables"
-	info[key] = strings.Join(envVarKeys, ", ")
-	infoKeys = append(infoKeys, key)
-
-	if len(config.Experiments) != 0 {
-		expKey := "experiments"
-		info[expKey] = strings.Join(config.Experiments, ", ")
-		infoKeys = append(infoKeys, expKey)
-	}
-
-	ctx := context.Background()
-	existingSealGenerationInfo, err := vault.PhysicalSealGenInfo(ctx, backend)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error getting seal generation info: %v", err))
-		return 1
-	}
-
-	hasPartialPaths, err := hasPartiallyWrappedPaths(ctx, backend)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Cannot determine if there are partially seal wrapped entries in storage: %v", err))
-		return 1
-	}
-	setSealResponse, err := setSeal(c, config, infoKeys, info, existingSealGenerationInfo, hasPartialPaths)
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-	if setSealResponse.sealConfigWarning != nil {
-		c.UI.Warn(fmt.Sprintf("Warnings during seal configuration: %v", setSealResponse.sealConfigWarning))
-	}
-
-	for _, seal := range setSealResponse.getCreatedSeals() {
-		seal := seal // capture range variable
-		// Ensure that the seal finalizer is called, even if using verify-only
-		defer func(seal *vault.Seal) {
-			err = (*seal).Finalize(ctx)
-			if err != nil {
-				c.UI.Error(fmt.Sprintf("Error finalizing seals: %v", err))
-			}
-		}(seal)
-	}
-
-	if setSealResponse.barrierSeal == nil {
-		c.UI.Error("Could not create barrier seal! Most likely proper Seal configuration information was not set, but no error was generated.")
-		return 1
-	}
-
-	// prepare a secure random reader for core
-	entropyAugLogger := c.logger.Named("entropy-augmentation")
-	var entropySources []*configutil.EntropySourcerInfo
-	for _, sealWrapper := range setSealResponse.barrierSeal.GetAccess().GetEnabledSealWrappersByPriority() {
-		if s, ok := sealWrapper.Wrapper.(entropy.Sourcer); ok {
-			entropySources = append(entropySources, &configutil.EntropySourcerInfo{
-				Sourcer: s,
-				Name:    sealWrapper.Name,
-			})
-		}
-	}
-	secureRandomReader, err := configutil.CreateSecureRandomReaderFunc(config.SharedConfig, entropySources, entropyAugLogger)
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	coreConfig := createCoreConfig(c, config, backend, configSR, setSealResponse.barrierSeal, setSealResponse.unwrapSeal, metricsHelper, metricSink, secureRandomReader)
-	if c.flagDevThreeNode {
-		return c.enableThreeNodeDevCluster(&coreConfig, info, infoKeys, c.flagDevListenAddr, os.Getenv("VAULT_DEV_TEMP_DIR"))
-	}
-
-	if c.flagDevFourCluster {
-		return entEnableFourClusterDev(c, &coreConfig, info, infoKeys, os.Getenv("VAULT_DEV_TEMP_DIR"))
-	}
-
-	if allowPendingRemoval := os.Getenv(consts.EnvVaultAllowPendingRemovalMounts); allowPendingRemoval != "" {
-		var err error
-		coreConfig.PendingRemovalMountsAllowed, err = strconv.ParseBool(allowPendingRemoval)
-		if err != nil {
-			c.UI.Warn(wrapAtLength("WARNING! failed to parse " +
-				consts.EnvVaultAllowPendingRemovalMounts + " env var: " +
-				"defaulting to false."))
-		}
-	}
-
-	// Initialize the separate HA storage backend, if it exists
-	disableClustering, err := initHaBackend(c, config, &coreConfig, backend)
-	if err != nil {
-		c.UI.Output(err.Error())
-		return 1
-	}
-
-	// Determine the redirect address from environment variables
-	err = determineRedirectAddr(c, &coreConfig, config)
-	if err != nil {
-		c.UI.Output(err.Error())
-	}
-
-	// After the redirect bits are sorted out, if no cluster address was
-	// explicitly given, derive one from the redirect addr
-	err = findClusterAddress(c, &coreConfig, config, disableClustering)
-	if err != nil {
-		c.UI.Output(err.Error())
-		return 1
-	}
-
-	// Override the UI enabling config by the environment variable
-	if enableUI := os.Getenv("VAULT_UI"); enableUI != "" {
-		var err error
-		coreConfig.EnableUI, err = strconv.ParseBool(enableUI)
-		if err != nil {
-			c.UI.Output("Error parsing the environment variable VAULT_UI")
-			return 1
-		}
-	}
-
-	// If ServiceRegistration is configured, then the backend must support HA
-	isBackendHA := coreConfig.HAPhysical != nil && coreConfig.HAPhysical.HAEnabled()
-	if !c.flagDev && (coreConfig.GetServiceRegistration() != nil) && !isBackendHA {
-		c.UI.Output("service_registration is configured, but storage does not support HA")
-		return 1
-	}
-
-	// Apply any enterprise configuration onto the coreConfig.
-	entAdjustCoreConfig(config, &coreConfig)
-
-	if !entCheckStorageType(&coreConfig) {
-		c.UI.Warn("")
-		c.UI.Warn(wrapAtLength(fmt.Sprintf("WARNING: storage configured to use %q which is not supported for Vault Enterprise, must be \"raft\" or \"consul\"", coreConfig.StorageType)))
-		c.UI.Warn("")
-	}
-
-	if !c.flagDev {
-		inMemStorageTypes := []string{
-			"inmem", "inmem_ha", "inmem_transactional", "inmem_transactional_ha",
-		}
-
-		if strutil.StrListContains(inMemStorageTypes, coreConfig.StorageType) {
-			c.UI.Warn("")
-			c.UI.Warn(wrapAtLength(fmt.Sprintf("WARNING: storage configured to use %q which should NOT be used in production", coreConfig.StorageType)))
-			c.UI.Warn("")
-		}
-	}
-
-	// Initialize the core
-	core, newCoreError := vault.NewCore(&coreConfig)
-	if newCoreError != nil {
-		if vault.IsFatalError(newCoreError) {
-			c.UI.Error(fmt.Sprintf("Error initializing core: %s", newCoreError))
-			return 1
-		}
-		c.UI.Warn(wrapAtLength(
-			"WARNING! A non-fatal error occurred during initialization. Please " +
-				"check the logs for more information."))
-		c.UI.Warn("")
-
-	}
-
-	// Copy the reload funcs pointers back
-	c.reloadFuncs = coreConfig.ReloadFuncs
-	c.reloadFuncsLock = coreConfig.ReloadFuncsLock
-
-	// Compile server information for output later
-	info["storage"] = config.Storage.Type
-	info["mlock"] = fmt.Sprintf(
-		"supported: %v, enabled: %v",
-		mlock.Supported(), !config.DisableMlock && mlock.Supported())
-	infoKeys = append(infoKeys, "mlock", "storage")
-
-	if coreConfig.ClusterAddr != "" {
-		info["cluster address"] = coreConfig.ClusterAddr
-		infoKeys = append(infoKeys, "cluster address")
-	}
-	if coreConfig.RedirectAddr != "" {
-		info["api address"] = coreConfig.RedirectAddr
-		infoKeys = append(infoKeys, "api address")
-	}
-
-	if config.HAStorage != nil {
-		info["HA storage"] = config.HAStorage.Type
-		infoKeys = append(infoKeys, "HA storage")
-	} else {
-		// If the storage supports HA, then note it
-		if coreConfig.HAPhysical != nil {
-			if coreConfig.HAPhysical.HAEnabled() {
-				info["storage"] += " (HA available)"
-			} else {
-				info["storage"] += " (HA disabled)"
-			}
-		}
-	}
-
-	status, lns, clusterAddrs, errMsg := c.InitListeners(config, disableClustering, &infoKeys, &info)
-
-	if status != 0 {
-		c.UI.Output("Error parsing listener configuration.")
-		c.UI.Error(errMsg.Error())
-		return 1
-	}
-
-	// Make sure we close all listeners from this point on
-	listenerCloseFunc := func() {
-		for _, ln := range lns {
-			ln.Listener.Close()
-		}
-	}
-
-	defer c.cleanupGuard.Do(listenerCloseFunc)
-
-	infoKeys = append(infoKeys, "version")
-	verInfo := version.GetVersion()
-	info["version"] = verInfo.FullVersionNumber(false)
-	if verInfo.Revision != "" {
-		info["version sha"] = strings.Trim(verInfo.Revision, "'")
-		infoKeys = append(infoKeys, "version sha")
-	}
-
-	infoKeys = append(infoKeys, "cgo")
-	info["cgo"] = "disabled"
-	if version.CgoEnabled {
-		info["cgo"] = "enabled"
-	}
-
-	infoKeys = append(infoKeys, "recovery mode")
-	info["recovery mode"] = "false"
-
-	infoKeys = append(infoKeys, "go version")
-	info["go version"] = runtime.Version()
-
-	fipsStatus := entGetFIPSInfoKey()
-	if fipsStatus != "" {
-		infoKeys = append(infoKeys, "fips")
-		info["fips"] = fipsStatus
-	}
-
-	if config.HCPLinkConf != nil {
-		infoKeys = append(infoKeys, "HCP organization")
-		info["HCP organization"] = config.HCPLinkConf.Resource.Organization
-
-		infoKeys = append(infoKeys, "HCP project")
-		info["HCP project"] = config.HCPLinkConf.Resource.Project
-
-		infoKeys = append(infoKeys, "HCP resource ID")
-		info["HCP resource ID"] = config.HCPLinkConf.Resource.ID
-	}
-
-	infoKeys = append(infoKeys, "administrative namespace")
-	info["administrative namespace"] = config.AdministrativeNamespacePath
-
-	sort.Strings(infoKeys)
-	c.UI.Output("==> Vault server configuration:\n")
-
-	for _, k := range infoKeys {
-		c.UI.Output(fmt.Sprintf(
-			"%24s: %s",
-			strings.Title(k),
-			info[k]))
-	}
-
-	c.UI.Output("")
-
-	// Tests might not want to start a vault server and just want to verify
-	// the configuration.
-	if c.flagTestVerifyOnly {
-		return 0
-	}
-
-	// This needs to happen before we first unseal, so before we trigger dev
-	// mode if it's set
-	core.SetClusterListenerAddrs(clusterAddrs)
-	core.SetClusterHandler(vaulthttp.Handler.Handler(&vault.HandlerProperties{
-		Core:           core,
-		ListenerConfig: &configutil.Listener{},
-	}))
-
-	// Attempt unsealing in a background goroutine. This is needed for when a
-	// Vault cluster with multiple servers is configured with auto-unseal but is
-	// uninitialized. Once one server initializes the storage backend, this
-	// goroutine will pick up the unseal keys and unseal this instance.
-	if !core.IsInSealMigrationMode(true) {
-		go runUnseal(c, core, ctx)
-	}
-
-	// When the underlying storage is raft, kick off retry join if it was specified
-	// in the configuration
-	// TODO: Should we also support retry_join for ha_storage?
-	if config.Storage.Type == storageTypeRaft {
-		if err := core.InitiateRetryJoin(ctx); err != nil {
-			c.UI.Error(fmt.Sprintf("Failed to initiate raft retry join, %q", err.Error()))
-			return 1
-		}
-	}
-
-	// Perform initialization of HTTP server after the verifyOnly check.
-
-	// Instantiate the wait group
-	c.WaitGroup = &sync.WaitGroup{}
-
-	// If service discovery is available, run service discovery
-	err = runListeners(c, &coreConfig, config, configSR)
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	// If we're in Dev mode, then initialize the core
-	clusterJson := &testcluster.ClusterJson{}
-	err = initDevCore(c, &coreConfig, config, core, certDir, clusterJson)
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	// Initialize the HTTP servers
-	err = startHttpServers(c, core, config, lns)
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	hcpLogger := c.logger.Named("hcp-connectivity")
-	hcpLink, err := hcp_link.NewHCPLink(config.HCPLinkConf, core, hcpLogger)
-	if err != nil {
-		c.logger.Error("failed to establish HCP connection", "error", err)
-	} else if hcpLink != nil {
-		c.logger.Trace("established HCP connection")
-	}
-
-	if c.flagTestServerConfig {
-		return 0
-	}
-
-	if setSealResponse.sealConfigError != nil {
-		init, err := core.InitializedLocally(ctx)
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error checking if core is initialized: %v", err))
-			return 1
-		}
-		if init {
-			c.UI.Error("Vault is initialized but no Seal key could be loaded")
-			return 1
-		}
-	}
-
-	// Output the header that the server has started
-	if !c.logFlags.flagCombineLogs {
-		c.UI.Output("==> Vault server started! Log data will stream in below:\n")
-	}
-
-	// Inform any tests that the server is ready
-	select {
-	case c.startedCh <- struct{}{}:
-	default:
-	}
-
-	// Release the log gate.
-	c.flushLog()
-
-	// Write out the PID to the file now that server has successfully started
-	if err := c.storePidFile(config.PidFile); err != nil {
-		c.UI.Error(fmt.Sprintf("Error storing PID: %s", err))
-		return 1
-	}
-
-	// Notify systemd that the server is ready (if applicable)
-	c.notifySystemd(systemd.SdNotifyReady)
-
-	if c.flagDev {
-		protocol := "http://"
-		if c.flagDevTLS {
-			protocol = "https://"
-		}
-		clusterJson.Nodes = []testcluster.ClusterNode{
-			{
-				APIAddress: protocol + config.Listeners[0].Address,
-			},
-		}
-		if c.flagDevTLS {
-			clusterJson.CACertPath = fmt.Sprintf("%s/%s", certDir, server.VaultDevCAFilename)
-		}
-
-		if c.flagDevClusterJson != "" && !c.flagDevThreeNode {
-			b, err := jsonutil.EncodeJSON(clusterJson)
-			if err != nil {
-				c.UI.Error(fmt.Sprintf("Error encoding cluster.json: %s", err))
-				return 1
-			}
-			err = os.WriteFile(c.flagDevClusterJson, b, 0o600)
-			if err != nil {
-				c.UI.Error(fmt.Sprintf("Error writing cluster.json %q: %s", c.flagDevClusterJson, err))
-				return 1
-			}
-		}
-	}
-
-	defer func() {
-		if err := c.removePidFile(config.PidFile); err != nil {
-			c.UI.Error(fmt.Sprintf("Error deleting the PID file: %s", err))
-		}
-	}()
-
-	var coreShutdownDoneCh <-chan struct{}
-	if c.flagExitOnCoreShutdown {
-		coreShutdownDoneCh = core.ShutdownDone()
-	}
-
-	// Wait for shutdown
-	shutdownTriggered := false
-	retCode := 0
-
-	for !shutdownTriggered {
-		select {
-		case <-coreShutdownDoneCh:
-			c.UI.Output("==> Vault core was shut down")
-			retCode = 1
-			shutdownTriggered = true
-		case <-c.ShutdownCh:
-			c.UI.Output("==> Vault shutdown triggered")
-			shutdownTriggered = true
-		case <-c.SighupCh:
-			c.UI.Output("==> Vault reload triggered")
-
-			// Notify systemd that the server is reloading config
-			c.notifySystemd(systemd.SdNotifyReloading)
-
-			// Check for new log level
-			var config *server.Config
-			var configErrors []configutil.ConfigError
-			for _, path := range c.flagConfigs {
-				current, err := server.LoadConfig(path)
-				if err != nil {
-					c.logger.Error("could not reload config", "path", path, "error", err)
-					goto RUNRELOADFUNCS
-				}
-
-				configErrors = append(configErrors, current.Validate(path)...)
-
-				if config == nil {
-					config = current
-				} else {
-					config = config.Merge(current)
-				}
-			}
-
-			// Ensure at least one config was found.
-			if config == nil {
-				c.logger.Error("no config found at reload time")
-				goto RUNRELOADFUNCS
-			}
-
-			// reporting Errors found in the config
-			for _, cErr := range configErrors {
-				c.logger.Warn(cErr.String())
-			}
-
-			core.SetConfig(config)
-
-			// reloading custom response headers to make sure we have
-			// the most up to date headers after reloading the config file
-			if err = core.ReloadCustomResponseHeaders(); err != nil {
-				c.logger.Error(err.Error())
-			}
-
-			// Setting log request with the new value in the config after reload
-			core.ReloadLogRequestsLevel()
-
-			// reloading HCP link
-			hcpLink, err = c.reloadHCPLink(hcpLink, config, core, hcpLogger)
-			if err != nil {
-				c.logger.Error(err.Error())
-			}
-
-			// Reload log level for loggers
-			if config.LogLevel != "" {
-				level, err := loghelper.ParseLogLevel(config.LogLevel)
-				if err != nil {
-					c.logger.Error("unknown log level found on reload", "level", config.LogLevel)
-					goto RUNRELOADFUNCS
-				}
-				core.SetLogLevel(level)
-			}
-
-		RUNRELOADFUNCS:
-			if err := c.Reload(c.reloadFuncsLock, c.reloadFuncs, c.flagConfigs, core); err != nil {
-				c.UI.Error(fmt.Sprintf("Error(s) were encountered during reload: %s", err))
-			}
-
-			// Reload license file
-			if err = core.EntReloadLicense(); err != nil {
-				c.UI.Error(err.Error())
-			}
-
-			if err := core.ReloadCensus(); err != nil {
-				c.UI.Error(err.Error())
-			}
-			select {
-			case c.licenseReloadedCh <- err:
-			default:
-			}
-
-			// Let the managedKeyRegistry react to configuration changes (i.e.
-			// changes in kms_libraries)
-			core.ReloadManagedKeyRegistryConfig()
-
-			// Notify systemd that the server has completed reloading config
-			c.notifySystemd(systemd.SdNotifyReady)
-
-		case <-c.SigUSR2Ch:
-			logWriter := c.logger.StandardWriter(&hclog.StandardLoggerOptions{})
-			pprof.Lookup("goroutine").WriteTo(logWriter, 2)
-
-			if os.Getenv("VAULT_STACKTRACE_WRITE_TO_FILE") != "" {
-				c.logger.Info("Writing stacktrace to file")
-
-				dir := ""
-				path := os.Getenv("VAULT_STACKTRACE_FILE_PATH")
-				if path != "" {
-					if _, err := os.Stat(path); err != nil {
-						c.logger.Error("Checking stacktrace path failed", "error", err)
-						continue
-					}
-					dir = path
-				} else {
-					dir, err = os.MkdirTemp("", "vault-stacktrace")
-					if err != nil {
-						c.logger.Error("Could not create temporary directory for stacktrace", "error", err)
-						continue
-					}
-				}
-
-				f, err := os.CreateTemp(dir, "stacktrace")
-				if err != nil {
-					c.logger.Error("Could not create stacktrace file", "error", err)
-					continue
-				}
-
-				if err := pprof.Lookup("goroutine").WriteTo(f, 2); err != nil {
-					f.Close()
-					c.logger.Error("Could not write stacktrace to file", "error", err)
-					continue
-				}
-
-				c.logger.Info(fmt.Sprintf("Wrote stacktrace to: %s", f.Name()))
-				f.Close()
-			}
-
-			// We can only get pprof outputs via the API but sometimes Vault can get
-			// into a state where it cannot process requests so we can get pprof outputs
-			// via SIGUSR2.
-			if os.Getenv("VAULT_PPROF_WRITE_TO_FILE") != "" {
-				dir := ""
-				path := os.Getenv("VAULT_PPROF_FILE_PATH")
-				if path != "" {
-					if _, err := os.Stat(path); err != nil {
-						c.logger.Error("Checking pprof path failed", "error", err)
-						continue
-					}
-					dir = path
-				} else {
-					dir, err = os.MkdirTemp("", "vault-pprof")
-					if err != nil {
-						c.logger.Error("Could not create temporary directory for pprof", "error", err)
-						continue
-					}
-				}
-
-				dumps := []string{"goroutine", "heap", "allocs", "threadcreate"}
-				for _, dump := range dumps {
-					pFile, err := os.Create(filepath.Join(dir, dump))
-					if err != nil {
-						c.logger.Error("error creating pprof file", "name", dump, "error", err)
-						break
-					}
-
-					err = pprof.Lookup(dump).WriteTo(pFile, 0)
-					if err != nil {
-						c.logger.Error("error generating pprof data", "name", dump, "error", err)
-						pFile.Close()
-						break
-					}
-					pFile.Close()
-				}
-
-				c.logger.Info(fmt.Sprintf("Wrote pprof files to: %s", dir))
-			}
-		}
-	}
-	// Notify systemd that the server is shutting down
-	c.notifySystemd(systemd.SdNotifyStopping)
-
-	// Stop the listeners so that we don't process further client requests.
-	c.cleanupGuard.Do(listenerCloseFunc)
-
-	if hcpLink != nil {
-		if err := hcpLink.Shutdown(); err != nil {
-			c.UI.Error(fmt.Sprintf("Error with HCP Link shutdown: %v", err.Error()))
-		}
-	}
-
-	// Finalize will wait until after Vault is sealed, which means the
-	// request forwarding listeners will also be closed (and also
-	// waited for).
-	if err := core.Shutdown(); err != nil {
-		c.UI.Error(fmt.Sprintf("Error with core shutdown: %s", err))
-	}
-
-	// Wait for dependent goroutines to complete
-	c.WaitGroup.Wait()
-	return retCode
-}
-
-// configureLogging takes the configuration and attempts to parse config values into 'log' friendly configuration values
-// If all goes to plan, a logger is created and setup.
-func (c *ServerCommand) configureLogging(config *server.Config) (hclog.InterceptLogger, error) {
-	// Parse all the log related config
-	logLevel, err := loghelper.ParseLogLevel(config.LogLevel)
-	if err != nil {
-		return nil, err
-	}
-
-	logFormat, err := loghelper.ParseLogFormat(config.LogFormat)
-	if err != nil {
-		return nil, err
-	}
-
-	logRotateDuration, err := parseutil.ParseDurationSecond(config.LogRotateDuration)
-	if err != nil {
-		return nil, err
-	}
-
-	logCfg := &loghelper.LogConfig{
-		LogLevel:          logLevel,
-		LogFormat:         logFormat,
-		LogFilePath:       config.LogFile,
-		LogRotateDuration: logRotateDuration,
-		LogRotateBytes:    config.LogRotateBytes,
-		LogRotateMaxFiles: config.LogRotateMaxFiles,
-	}
-
-	return loghelper.Setup(logCfg, c.logWriter)
-}
-
-func (c *ServerCommand) reloadHCPLink(hcpLinkVault *hcp_link.HCPLinkVault, conf *server.Config, core *vault.Core, hcpLogger hclog.Logger) (*hcp_link.HCPLinkVault, error) {
-	// trigger a shutdown
-	if hcpLinkVault != nil {
-		err := hcpLinkVault.Shutdown()
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	if conf.HCPLinkConf == nil {
-		// if cloud stanza is not configured, we should not show anything
-		// in the seal-status related to HCP link
-		core.SetHCPLinkStatus("", "")
-		return nil, nil
-	}
-
-	// starting HCP link
-	hcpLink, err := hcp_link.NewHCPLink(conf.HCPLinkConf, core, hcpLogger)
-	if err != nil {
-		return nil, fmt.Errorf("failed to restart HCP Link and it is no longer running, %w", err)
-	}
-
-	return hcpLink, nil
-}
-
-func (c *ServerCommand) notifySystemd(status string) {
-	sent, err := systemd.SdNotify(false, status)
-	if err != nil {
-		c.logger.Error("error notifying systemd", "error", err)
-	} else {
-		if sent {
-			c.logger.Debug("sent systemd notification", "notification", status)
-		} else {
-			c.logger.Debug("would have sent systemd notification (systemd not present)", "notification", status)
-		}
-	}
-}
-
-func (c *ServerCommand) enableDev(core *vault.Core, coreConfig *vault.CoreConfig) (*vault.InitResult, error) {
-	ctx := namespace.ContextWithNamespace(context.Background(), namespace.RootNamespace)
-
-	var recoveryConfig *vault.SealConfig
-	barrierConfig := &vault.SealConfig{
-		SecretShares:    1,
-		SecretThreshold: 1,
-		Name:            "shamir",
-	}
-
-	if core.SealAccess().RecoveryKeySupported() {
-		recoveryConfig = &vault.SealConfig{
-			SecretShares:    1,
-			SecretThreshold: 1,
-		}
-	}
-
-	if core.SealAccess().StoredKeysSupported() != vaultseal.StoredKeysNotSupported {
-		barrierConfig.StoredShares = 1
-	}
-
-	// Initialize it with a basic single key
-	init, err := core.Initialize(ctx, &vault.InitParams{
-		BarrierConfig:  barrierConfig,
-		RecoveryConfig: recoveryConfig,
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	// Handle unseal with stored keys
-	if core.SealAccess().StoredKeysSupported() == vaultseal.StoredKeysSupportedGeneric {
-		err := core.UnsealWithStoredKeys(ctx)
-		if err != nil {
-			return nil, err
-		}
-	} else {
-		// Copy the key so that it can be zeroed
-		key := make([]byte, len(init.SecretShares[0]))
-		copy(key, init.SecretShares[0])
-
-		// Unseal the core
-		unsealed, err := core.Unseal(key)
-		if err != nil {
-			return nil, err
-		}
-		if !unsealed {
-			return nil, fmt.Errorf("failed to unseal Vault for dev mode")
-		}
-	}
-
-	isLeader, _, _, err := core.Leader()
-	if err != nil && err != vault.ErrHANotEnabled {
-		return nil, fmt.Errorf("failed to check active status: %w", err)
-	}
-	if err == nil {
-		leaderCount := 5
-		for !isLeader {
-			if leaderCount == 0 {
-				buf := make([]byte, 1<<16)
-				runtime.Stack(buf, true)
-				return nil, fmt.Errorf("failed to get active status after five seconds; call stack is\n%s", buf)
-			}
-			time.Sleep(1 * time.Second)
-			isLeader, _, _, err = core.Leader()
-			if err != nil {
-				return nil, fmt.Errorf("failed to check active status: %w", err)
-			}
-			leaderCount--
-		}
-	}
-
-	// Generate a dev root token if one is provided in the flag
-	if coreConfig.DevToken != "" {
-		req := &logical.Request{
-			ID:          "dev-gen-root",
-			Operation:   logical.UpdateOperation,
-			ClientToken: init.RootToken,
-			Path:        "auth/token/create",
-			Data: map[string]interface{}{
-				"id":                coreConfig.DevToken,
-				"policies":          []string{"root"},
-				"no_parent":         true,
-				"no_default_policy": true,
-			},
-		}
-		resp, err := core.HandleRequest(ctx, req)
-		if err != nil {
-			return nil, fmt.Errorf("failed to create root token with ID %q: %w", coreConfig.DevToken, err)
-		}
-		if resp == nil {
-			return nil, fmt.Errorf("nil response when creating root token with ID %q", coreConfig.DevToken)
-		}
-		if resp.Auth == nil {
-			return nil, fmt.Errorf("nil auth when creating root token with ID %q", coreConfig.DevToken)
-		}
-
-		init.RootToken = resp.Auth.ClientToken
-
-		req.ID = "dev-revoke-init-root"
-		req.Path = "auth/token/revoke-self"
-		req.Data = nil
-		_, err = core.HandleRequest(ctx, req)
-		if err != nil {
-			return nil, fmt.Errorf("failed to revoke initial root token: %w", err)
-		}
-	}
-
-	// Set the token
-	if !c.flagDevNoStoreToken {
-		tokenHelper, err := c.TokenHelper()
-		if err != nil {
-			return nil, err
-		}
-		if err := tokenHelper.Store(init.RootToken); err != nil {
-			return nil, err
-		}
-	}
-
-	kvVer := "2"
-	if c.flagDevKVV1 || c.flagDevLeasedKV {
-		kvVer = "1"
-	}
-	req := &logical.Request{
-		Operation:   logical.UpdateOperation,
-		ClientToken: init.RootToken,
-		Path:        "sys/mounts/secret",
-		Data: map[string]interface{}{
-			"type":        "kv",
-			"path":        "secret/",
-			"description": "key/value secret storage",
-			"options": map[string]string{
-				"version": kvVer,
-			},
-		},
-	}
-	resp, err := core.HandleRequest(ctx, req)
-	if err != nil {
-		return nil, fmt.Errorf("error creating default K/V store: %w", err)
-	}
-	if resp.IsError() {
-		return nil, fmt.Errorf("failed to create default K/V store: %w", resp.Error())
-	}
-
-	return init, nil
-}
-
-func (c *ServerCommand) enableThreeNodeDevCluster(base *vault.CoreConfig, info map[string]string, infoKeys []string, devListenAddress, tempDir string) int {
-	conf, opts := teststorage.ClusterSetup(base, &vault.TestClusterOptions{
-		HandlerFunc:       vaulthttp.Handler,
-		BaseListenAddress: c.flagDevListenAddr,
-		Logger:            c.logger,
-		TempDir:           tempDir,
-		DefaultHandlerProperties: vault.HandlerProperties{
-			ListenerConfig: &configutil.Listener{
-				Profiling: configutil.ListenerProfiling{
-					UnauthenticatedPProfAccess: true,
-				},
-				Telemetry: configutil.ListenerTelemetry{
-					UnauthenticatedMetricsAccess: true,
-				},
-			},
-		},
-	}, nil)
-	testCluster := vault.NewTestCluster(&testing.RuntimeT{}, conf, opts)
-	defer c.cleanupGuard.Do(testCluster.Cleanup)
-
-	if constants.IsEnterprise {
-		err := testcluster.WaitForActiveNodeAndPerfStandbys(context.Background(), testCluster)
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("perf standbys didn't become ready: %v", err))
-			return 1
-		}
-	}
-
-	info["cluster parameters path"] = testCluster.TempDir
-	infoKeys = append(infoKeys, "cluster parameters path")
-
-	for i, core := range testCluster.Cores {
-		info[fmt.Sprintf("node %d api address", i)] = fmt.Sprintf("https://%s", core.Listeners[0].Address.String())
-		infoKeys = append(infoKeys, fmt.Sprintf("node %d api address", i))
-	}
-
-	infoKeys = append(infoKeys, "version")
-	verInfo := version.GetVersion()
-	info["version"] = verInfo.FullVersionNumber(false)
-	if verInfo.Revision != "" {
-		info["version sha"] = strings.Trim(verInfo.Revision, "'")
-		infoKeys = append(infoKeys, "version sha")
-	}
-
-	infoKeys = append(infoKeys, "cgo")
-	info["cgo"] = "disabled"
-	if version.CgoEnabled {
-		info["cgo"] = "enabled"
-	}
-
-	infoKeys = append(infoKeys, "go version")
-	info["go version"] = runtime.Version()
-
-	fipsStatus := entGetFIPSInfoKey()
-	if fipsStatus != "" {
-		infoKeys = append(infoKeys, "fips")
-		info["fips"] = fipsStatus
-	}
-
-	// Server configuration output
-	padding := 24
-
-	sort.Strings(infoKeys)
-	c.UI.Output("==> Vault server configuration:\n")
-
-	for _, k := range infoKeys {
-		c.UI.Output(fmt.Sprintf(
-			"%s%s: %s",
-			strings.Repeat(" ", padding-len(k)),
-			strings.Title(k),
-			info[k]))
-	}
-
-	c.UI.Output("")
-
-	for _, core := range testCluster.Cores {
-		core.Server.Handler = vaulthttp.Handler.Handler(&vault.HandlerProperties{
-			Core:           core.Core,
-			ListenerConfig: &configutil.Listener{},
-		})
-		core.SetClusterHandler(core.Server.Handler)
-	}
-
-	testCluster.Start()
-
-	ctx := namespace.ContextWithNamespace(context.Background(), namespace.RootNamespace)
-
-	if base.DevToken != "" {
-		req := &logical.Request{
-			ID:          "dev-gen-root",
-			Operation:   logical.UpdateOperation,
-			ClientToken: testCluster.RootToken,
-			Path:        "auth/token/create",
-			Data: map[string]interface{}{
-				"id":                base.DevToken,
-				"policies":          []string{"root"},
-				"no_parent":         true,
-				"no_default_policy": true,
-			},
-		}
-		resp, err := testCluster.Cores[0].HandleRequest(ctx, req)
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("failed to create root token with ID %s: %s", base.DevToken, err))
-			return 1
-		}
-		if resp == nil {
-			c.UI.Error(fmt.Sprintf("nil response when creating root token with ID %s", base.DevToken))
-			return 1
-		}
-		if resp.Auth == nil {
-			c.UI.Error(fmt.Sprintf("nil auth when creating root token with ID %s", base.DevToken))
-			return 1
-		}
-
-		testCluster.RootToken = resp.Auth.ClientToken
-
-		req.ID = "dev-revoke-init-root"
-		req.Path = "auth/token/revoke-self"
-		req.Data = nil
-		_, err = testCluster.Cores[0].HandleRequest(ctx, req)
-		if err != nil {
-			c.UI.Output(fmt.Sprintf("failed to revoke initial root token: %s", err))
-			return 1
-		}
-	}
-
-	// Set the token
-	tokenHelper, err := c.TokenHelper()
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error getting token helper: %s", err))
-		return 1
-	}
-	if err := tokenHelper.Store(testCluster.RootToken); err != nil {
-		c.UI.Error(fmt.Sprintf("Error storing in token helper: %s", err))
-		return 1
-	}
-
-	if err := ioutil.WriteFile(filepath.Join(testCluster.TempDir, "root_token"), []byte(testCluster.RootToken), 0o600); err != nil {
-		c.UI.Error(fmt.Sprintf("Error writing token to tempfile: %s", err))
-		return 1
-	}
-
-	c.UI.Output(fmt.Sprintf(
-		"==> Three node dev mode is enabled\n\n" +
-			"The unseal key and root token are reproduced below in case you\n" +
-			"want to seal/unseal the Vault or play with authentication.\n",
-	))
-
-	for i, key := range testCluster.BarrierKeys {
-		c.UI.Output(fmt.Sprintf(
-			"Unseal Key %d: %s",
-			i+1, base64.StdEncoding.EncodeToString(key),
-		))
-	}
-
-	c.UI.Output(fmt.Sprintf(
-		"\nRoot Token: %s\n", testCluster.RootToken,
-	))
-
-	c.UI.Output(fmt.Sprintf(
-		"\nUseful env vars:\n"+
-			"VAULT_TOKEN=%s\n"+
-			"VAULT_ADDR=%s\n"+
-			"VAULT_CACERT=%s/ca_cert.pem\n",
-		testCluster.RootToken,
-		testCluster.Cores[0].Client.Address(),
-		testCluster.TempDir,
-	))
-
-	if c.flagDevClusterJson != "" {
-		clusterJson := testcluster.ClusterJson{
-			Nodes:      []testcluster.ClusterNode{},
-			CACertPath: filepath.Join(testCluster.TempDir, "ca_cert.pem"),
-			RootToken:  testCluster.RootToken,
-		}
-		for _, core := range testCluster.Cores {
-			clusterJson.Nodes = append(clusterJson.Nodes, testcluster.ClusterNode{
-				APIAddress: core.Client.Address(),
-			})
-		}
-		b, err := jsonutil.EncodeJSON(clusterJson)
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error encoding cluster.json: %s", err))
-			return 1
-		}
-		err = os.WriteFile(c.flagDevClusterJson, b, 0o600)
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error writing cluster.json %q: %s", c.flagDevClusterJson, err))
-			return 1
-		}
-	}
-
-	// Output the header that the server has started
-	c.UI.Output("==> Vault server started! Log data will stream in below:\n")
-
-	// Inform any tests that the server is ready
-	select {
-	case c.startedCh <- struct{}{}:
-	default:
-	}
-
-	// Release the log gate.
-	c.flushLog()
-
-	// Wait for shutdown
-	shutdownTriggered := false
-
-	for !shutdownTriggered {
-		select {
-		case <-c.ShutdownCh:
-			c.UI.Output("==> Vault shutdown triggered")
-
-			// Stop the listeners so that we don't process further client requests.
-			c.cleanupGuard.Do(testCluster.Cleanup)
-
-			// Finalize will wait until after Vault is sealed, which means the
-			// request forwarding listeners will also be closed (and also
-			// waited for).
-			for _, core := range testCluster.Cores {
-				if err := core.Shutdown(); err != nil {
-					c.UI.Error(fmt.Sprintf("Error with core shutdown: %s", err))
-				}
-			}
-
-			shutdownTriggered = true
-
-		case <-c.SighupCh:
-			c.UI.Output("==> Vault reload triggered")
-			for _, core := range testCluster.Cores {
-				if err := c.Reload(core.ReloadFuncsLock, core.ReloadFuncs, nil, core.Core); err != nil {
-					c.UI.Error(fmt.Sprintf("Error(s) were encountered during reload: %s", err))
-				}
-			}
-		}
-	}
-
-	return 0
-}
-
-// addPlugin adds any plugins to the catalog
-func (c *ServerCommand) addPlugin(path, token string, core *vault.Core) error {
-	// Get the sha256 of the file at the given path.
-	pluginSum := func(p string) (string, error) {
-		hasher := sha256.New()
-		f, err := os.Open(p)
-		if err != nil {
-			return "", err
-		}
-		defer f.Close()
-		if _, err := io.Copy(hasher, f); err != nil {
-			return "", err
-		}
-		return hex.EncodeToString(hasher.Sum(nil)), nil
-	}
-
-	// Mount any test plugins. We do this explicitly before we inform tests of
-	// a completely booted server intentionally.
-	sha256sum, err := pluginSum(path)
-	if err != nil {
-		return err
-	}
-
-	// Default the name to the basename of the binary
-	name := filepath.Base(path)
-
-	// File a request against core to enable the plugin
-	req := &logical.Request{
-		Operation:   logical.UpdateOperation,
-		ClientToken: token,
-		Path:        fmt.Sprintf("sys/plugins/catalog/%s", name),
-		Data: map[string]interface{}{
-			"sha256":  sha256sum,
-			"command": name,
-		},
-	}
-	ctx := namespace.ContextWithNamespace(context.Background(), namespace.RootNamespace)
-	if _, err := core.HandleRequest(ctx, req); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// detectRedirect is used to attempt redirect address detection
-func (c *ServerCommand) detectRedirect(detect physical.RedirectDetect,
-	config *server.Config,
-) (string, error) {
-	// Get the hostname
-	host, err := detect.DetectHostAddr()
-	if err != nil {
-		return "", err
-	}
-
-	// set [] for ipv6 addresses
-	if strings.Contains(host, ":") && !strings.Contains(host, "]") {
-		host = "[" + host + "]"
-	}
-
-	// Default the port and scheme
-	scheme := "https"
-	port := 8200
-
-	// Attempt to detect overrides
-	for _, list := range config.Listeners {
-		// Only attempt TCP
-		if list.Type != "tcp" {
-			continue
-		}
-
-		// Check if TLS is disabled
-		if list.TLSDisable {
-			scheme = "http"
-		}
-
-		// Check for address override
-		addr := list.Address
-		if addr == "" {
-			addr = "127.0.0.1:8200"
-		}
-
-		// Check for localhost
-		hostStr, portStr, err := net.SplitHostPort(addr)
-		if err != nil {
-			continue
-		}
-		if hostStr == "127.0.0.1" {
-			host = hostStr
-		}
-
-		// Check for custom port
-		listPort, err := strconv.Atoi(portStr)
-		if err != nil {
-			continue
-		}
-		port = listPort
-	}
-
-	// Build a URL
-	url := &url.URL{
-		Scheme: scheme,
-		Host:   fmt.Sprintf("%s:%d", host, port),
-	}
-
-	// Return the URL string
-	return url.String(), nil
-}
-
-func (c *ServerCommand) Reload(lock *sync.RWMutex, reloadFuncs *map[string][]reloadutil.ReloadFunc, configPath []string, core *vault.Core) error {
-	lock.RLock()
-	defer lock.RUnlock()
-
-	var reloadErrors *multierror.Error
-
-	for k, relFuncs := range *reloadFuncs {
-		switch {
-		case strings.HasPrefix(k, "listener|"):
-			for _, relFunc := range relFuncs {
-				if relFunc != nil {
-					if err := relFunc(); err != nil {
-						reloadErrors = multierror.Append(reloadErrors, fmt.Errorf("error encountered reloading listener: %w", err))
-					}
-				}
-			}
-
-		case strings.HasPrefix(k, "audit_file|"):
-			for _, relFunc := range relFuncs {
-				if relFunc != nil {
-					if err := relFunc(); err != nil {
-						reloadErrors = multierror.Append(reloadErrors, fmt.Errorf("error encountered reloading file audit device at path %q: %w", strings.TrimPrefix(k, "audit_file|"), err))
-					}
-				}
-			}
-		}
-	}
-
-	// Set Introspection Endpoint to enabled with new value in the config after reload
-	core.ReloadIntrospectionEndpointEnabled()
-
-	// Send a message that we reloaded. This prevents "guessing" sleep times
-	// in tests.
-	select {
-	case c.reloadedCh <- struct{}{}:
-	default:
-	}
-
-	return reloadErrors.ErrorOrNil()
-}
-
-// storePidFile is used to write out our PID to a file if necessary
-func (c *ServerCommand) storePidFile(pidPath string) error {
-	// Quit fast if no pidfile
-	if pidPath == "" {
-		return nil
-	}
-
-	// Open the PID file
-	pidFile, err := os.OpenFile(pidPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600)
-	if err != nil {
-		return fmt.Errorf("could not open pid file: %w", err)
-	}
-	defer pidFile.Close()
-
-	// Write out the PID
-	pid := os.Getpid()
-	_, err = pidFile.WriteString(fmt.Sprintf("%d", pid))
-	if err != nil {
-		return fmt.Errorf("could not write to pid file: %w", err)
-	}
-	return nil
-}
-
-// removePidFile is used to cleanup the PID file if necessary
-func (c *ServerCommand) removePidFile(pidPath string) error {
-	if pidPath == "" {
-		return nil
-	}
-	return os.Remove(pidPath)
-}
-
-// storageMigrationActive checks and warns against in-progress storage migrations.
-// This function will block until storage is available.
-func (c *ServerCommand) storageMigrationActive(backend physical.Backend) bool {
-	first := true
-
-	for {
-		migrationStatus, err := CheckStorageMigration(backend)
-		if err == nil {
-			if migrationStatus != nil {
-				startTime := migrationStatus.Start.Format(time.RFC3339)
-				c.UI.Error(wrapAtLength(fmt.Sprintf("ERROR! Storage migration in progress (started: %s). "+
-					"Server startup is prevented until the migration completes. Use 'vault operator migrate -reset' "+
-					"to force clear the migration lock.", startTime)))
-				return true
-			}
-			return false
-		}
-		if first {
-			first = false
-			c.UI.Warn("\nWARNING! Unable to read storage migration status.")
-
-			// unexpected state, so stop buffering log messages
-			c.flushLog()
-		}
-		c.logger.Warn("storage migration check error", "error", err.Error())
-
-		timer := time.NewTimer(2 * time.Second)
-		select {
-		case <-timer.C:
-		case <-c.ShutdownCh:
-			timer.Stop()
-			return true
-		}
-	}
-}
-
-type StorageMigrationStatus struct {
-	Start time.Time `json:"start"`
-}
-
-func CheckStorageMigration(b physical.Backend) (*StorageMigrationStatus, error) {
-	entry, err := b.Get(context.Background(), storageMigrationLock)
-	if err != nil {
-		return nil, err
-	}
-
-	if entry == nil {
-		return nil, nil
-	}
-
-	var status StorageMigrationStatus
-	if err := jsonutil.DecodeJSON(entry.Value, &status); err != nil {
-		return nil, err
-	}
-
-	return &status, nil
-}
-
-type SetSealResponse struct {
-	barrierSeal vault.Seal
-	unwrapSeal  vault.Seal
-
-	// sealConfigError is present if there was an error configuring wrappers, other than KeyNotFound.
-	sealConfigError   error
-	sealConfigWarning error
-}
-
-func (r *SetSealResponse) getCreatedSeals() []*vault.Seal {
-	var ret []*vault.Seal
-	if r.barrierSeal != nil {
-		ret = append(ret, &r.barrierSeal)
-	}
-	if r.unwrapSeal != nil {
-		ret = append(ret, &r.unwrapSeal)
-	}
-	return ret
-}
-
-// setSeal return barrierSeal, barrierWrapper, unwrapSeal, all the created seals, and all the provided seals from the configs so we can close them in Run
-// The two errors are the sealConfigError and the regular error
-func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info map[string]string, existingSealGenerationInfo *vaultseal.SealGenerationInfo, hasPartiallyWrappedPaths bool) (*SetSealResponse, error) {
-	if c.flagDevAutoSeal {
-		access, _ := vaultseal.NewTestSeal(nil)
-		barrierSeal := vault.NewAutoSeal(access)
-
-		return &SetSealResponse{barrierSeal: barrierSeal}, nil
-	}
-
-	// Handle the case where no seal is provided
-	switch len(config.Seals) {
-	case 0:
-		config.Seals = append(config.Seals, &configutil.KMS{
-			Type:     vault.SealConfigTypeShamir.String(),
-			Priority: 1,
-			Name:     "shamir",
-		})
-	case 1:
-		// If there's only one seal and it's disabled assume they want to
-		// migrate to a shamir seal and simply didn't provide it
-		if config.Seals[0].Disabled {
-			config.Seals = append(config.Seals, &configutil.KMS{
-				Type:     vault.SealConfigTypeShamir.String(),
-				Priority: 1,
-				Name:     "shamir",
-			})
-		}
-	}
-
-	var sealConfigError error
-	var sealConfigWarning error
-	recordSealConfigError := func(err error) {
-		sealConfigError = errors.Join(sealConfigError, err)
-	}
-	recordSealConfigWarning := func(err error) {
-		sealConfigWarning = errors.Join(sealConfigWarning, err)
-	}
-	enabledSealWrappers := make([]*vaultseal.SealWrapper, 0)
-	disabledSealWrappers := make([]*vaultseal.SealWrapper, 0)
-	allSealKmsConfigs := make([]*configutil.KMS, 0)
-
-	type infoKeysAndMap struct {
-		keys   []string
-		theMap map[string]string
-	}
-	sealWrapperInfoKeysMap := make(map[string]infoKeysAndMap)
-
-	configuredSeals := 0
-	for _, configSeal := range config.Seals {
-		sealTypeEnvVarName := "VAULT_SEAL_TYPE"
-		if configSeal.Priority > 1 {
-			sealTypeEnvVarName = sealTypeEnvVarName + "_" + configSeal.Name
-		}
-
-		if !configSeal.Disabled && os.Getenv(sealTypeEnvVarName) != "" {
-			sealType := os.Getenv(sealTypeEnvVarName)
-			configSeal.Type = sealType
-		}
-
-		sealLogger := c.logger.ResetNamed(fmt.Sprintf("seal.%s", configSeal.Type))
-		c.allLoggers = append(c.allLoggers, sealLogger)
-
-		allSealKmsConfigs = append(allSealKmsConfigs, configSeal)
-		var wrapperInfoKeys []string
-		wrapperInfoMap := map[string]string{}
-		wrapper, wrapperConfigError := configutil.ConfigureWrapper(configSeal, &wrapperInfoKeys, &wrapperInfoMap, sealLogger)
-		if wrapperConfigError == nil {
-			// for some reason configureWrapper in kms.go returns nil wrapper and nil error for wrapping.WrapperTypeShamir
-			if wrapper == nil {
-				wrapper = aeadwrapper.NewShamirWrapper()
-			}
-			configuredSeals++
-		} else if server.IsMultisealSupported() {
-			recordSealConfigWarning(fmt.Errorf("error configuring seal: %v", wrapperConfigError))
-		} else {
-			// It seems that we are checking for this particular error here is to distinguish between a
-			// mis-configured seal vs one that fails for another reason. Apparently the only other reason is
-			// a key not found error. It seems the intention is for the key not found error to be returned
-			// as a seal specific error later
-			if !errwrap.ContainsType(wrapperConfigError, new(logical.KeyNotFoundError)) {
-				return nil, fmt.Errorf("error parsing Seal configuration: %s", wrapperConfigError)
-			} else {
-				sealLogger.Error("error configuring seal", "name", configSeal.Name, "err", wrapperConfigError)
-				recordSealConfigError(wrapperConfigError)
-			}
-		}
-
-		sealWrapper := vaultseal.NewSealWrapper(
-			wrapper,
-			configSeal.Priority,
-			configSeal.Name,
-			configSeal.Type,
-			configSeal.Disabled,
-			wrapperConfigError == nil,
-		)
-
-		if configSeal.Disabled {
-			disabledSealWrappers = append(disabledSealWrappers, sealWrapper)
-		} else {
-			enabledSealWrappers = append(enabledSealWrappers, sealWrapper)
-		}
-
-		sealWrapperInfoKeysMap[sealWrapper.Name] = infoKeysAndMap{
-			keys:   wrapperInfoKeys,
-			theMap: wrapperInfoMap,
-		}
-	}
-
-	if len(enabledSealWrappers) == 0 && len(disabledSealWrappers) == 0 && sealConfigWarning != nil {
-		// All of them errored out, so warnings are now errors
-		recordSealConfigError(sealConfigWarning)
-		sealConfigWarning = nil
-	}
-
-	////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-	// Set the info keys, this modifies the function arguments `info` and `infoKeys`
-	// TODO(SEALHA): Why are we doing this? What is its use?
-	appendWrapperInfoKeys := func(prefix string, sealWrappers []*vaultseal.SealWrapper) {
-		if len(sealWrappers) == 0 {
-			return
-		}
-		useName := false
-		if len(sealWrappers) > 1 {
-			useName = true
-		}
-		for _, sealWrapper := range sealWrappers {
-			if useName {
-				prefix = fmt.Sprintf("%s %s ", prefix, sealWrapper.Name)
-			}
-			for _, k := range sealWrapperInfoKeysMap[sealWrapper.Name].keys {
-				infoKeys = append(infoKeys, prefix+k)
-				info[prefix+k] = sealWrapperInfoKeysMap[sealWrapper.Name].theMap[k]
-			}
-		}
-	}
-	appendWrapperInfoKeys("", enabledSealWrappers)
-	appendWrapperInfoKeys("Old", disabledSealWrappers)
-
-	////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-	// Compute seal generation
-	sealGenerationInfo, err := c.computeSealGenerationInfo(existingSealGenerationInfo, allSealKmsConfigs, hasPartiallyWrappedPaths)
-	if err != nil {
-		return nil, err
-	}
-
-	////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-	// Create the Seals
-
-	containsShamir := func(sealWrappers []*vaultseal.SealWrapper) bool {
-		for _, si := range sealWrappers {
-			if vault.SealConfigTypeShamir.IsSameAs(si.SealConfigType) {
-				return true
-			}
-		}
-		return false
-	}
-
-	var barrierSeal vault.Seal
-	var unwrapSeal vault.Seal
-
-	sealLogger := c.logger
-	switch {
-	case len(enabledSealWrappers) == 0:
-		return nil, errors.Join(sealConfigWarning, errors.New("no enabled Seals in configuration"))
-	case configuredSeals == 0:
-		return nil, errors.Join(sealConfigWarning, errors.New("no seals were successfully initialized"))
-	case containsShamir(enabledSealWrappers) && containsShamir(disabledSealWrappers):
-		return nil, errors.Join(sealConfigWarning, errors.New("shamir seals cannot be set disabled (they should simply not be set)"))
-
-	case len(enabledSealWrappers) == 1 && containsShamir(enabledSealWrappers):
-		// The barrier seal is Shamir. If there are any disabled seals, then we put them all in the same
-		// autoSeal.
-		a, err := vaultseal.NewAccess(sealLogger, sealGenerationInfo, enabledSealWrappers)
-		if err != nil {
-			return nil, err
-		}
-		barrierSeal = vault.NewDefaultSeal(a)
-		if len(disabledSealWrappers) > 0 {
-			a, err = vaultseal.NewAccess(sealLogger, sealGenerationInfo, disabledSealWrappers)
-			if err != nil {
-				return nil, err
-			}
-			unwrapSeal = vault.NewAutoSeal(a)
-		}
-
-	case len(disabledSealWrappers) == 1 && containsShamir(disabledSealWrappers):
-		// The unwrap seal is Shamir, we are migrating to an autoSeal.
-		a, err := vaultseal.NewAccess(sealLogger, sealGenerationInfo, enabledSealWrappers)
-		if err != nil {
-			return nil, err
-		}
-		barrierSeal = vault.NewAutoSeal(a)
-		a, err = vaultseal.NewAccess(sealLogger, sealGenerationInfo, disabledSealWrappers)
-		if err != nil {
-			return nil, err
-		}
-		unwrapSeal = vault.NewDefaultSeal(a)
-
-	case server.IsMultisealSupported():
-		// We know we are not using Shamir seal, that we are not migrating away from one, and multi seal is supported,
-		// so just put enabled and disabled wrappers on the same seal Access
-		allSealWrappers := append(enabledSealWrappers, disabledSealWrappers...)
-		a, err := vaultseal.NewAccess(sealLogger, sealGenerationInfo, allSealWrappers)
-		if err != nil {
-			return nil, err
-		}
-		barrierSeal = vault.NewAutoSeal(a)
-		if configuredSeals < len(enabledSealWrappers) {
-			c.UI.Warn("WARNING: running with fewer than all configured seals during unseal.  Will not be fully highly available until errors are corrected and Vault restarted.")
-		}
-	case len(enabledSealWrappers) == 1:
-		// We may have multiple seals disabled, but we know Shamir is not one of them.
-		a, err := vaultseal.NewAccess(sealLogger, sealGenerationInfo, enabledSealWrappers)
-		if err != nil {
-			return nil, err
-		}
-		barrierSeal = vault.NewAutoSeal(a)
-		if len(disabledSealWrappers) > 0 {
-			a, err = vaultseal.NewAccess(sealLogger, sealGenerationInfo, disabledSealWrappers)
-			if err != nil {
-				return nil, err
-			}
-			unwrapSeal = vault.NewAutoSeal(a)
-		}
-
-	default:
-		// We know there are multiple enabled seals but multi seal is not supported.
-		return nil, errors.Join(sealConfigWarning, errors.New("error: more than one enabled seal found"))
-	}
-
-	return &SetSealResponse{
-		barrierSeal:       barrierSeal,
-		unwrapSeal:        unwrapSeal,
-		sealConfigError:   sealConfigError,
-		sealConfigWarning: sealConfigWarning,
-	}, nil
-}
-
-func (c *ServerCommand) computeSealGenerationInfo(existingSealGenInfo *vaultseal.SealGenerationInfo, sealConfigs []*configutil.KMS, hasPartiallyWrappedPaths bool) (*vaultseal.SealGenerationInfo, error) {
-	generation := uint64(1)
-
-	if existingSealGenInfo != nil {
-		// This forces a seal re-wrap on all seal related config changes, as we can't
-		// be sure what effect the config change might do. This is purposefully different
-		// from within the Validate call below that just matches on seal configs based
-		// on name/type.
-		if cmp.Equal(existingSealGenInfo.Seals, sealConfigs) {
-			return existingSealGenInfo, nil
-		}
-		generation = existingSealGenInfo.Generation + 1
-	}
-	c.logger.Info("incrementing seal generation", "generation", generation)
-
-	// If the stored copy doesn't match the current configuration, we introduce a new generation
-	// which keeps track if a rewrap of all CSPs and seal wrapped values has completed (initially false).
-	newSealGenInfo := &vaultseal.SealGenerationInfo{
-		Generation: generation,
-		Seals:      sealConfigs,
-	}
-
-	if server.IsMultisealSupported() {
-		err := newSealGenInfo.Validate(existingSealGenInfo, hasPartiallyWrappedPaths)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	return newSealGenInfo, nil
-}
-
-func hasPartiallyWrappedPaths(ctx context.Context, backend physical.Backend) (bool, error) {
-	paths, err := vault.GetPartiallySealWrappedPaths(ctx, backend)
-	if err != nil {
-		return false, err
-	}
-
-	return len(paths) > 0, nil
-}
-
-func initHaBackend(c *ServerCommand, config *server.Config, coreConfig *vault.CoreConfig, backend physical.Backend) (bool, error) {
-	// Initialize the separate HA storage backend, if it exists
-	var ok bool
-	if config.HAStorage != nil {
-		if config.Storage.Type == storageTypeRaft && config.HAStorage.Type == storageTypeRaft {
-			return false, fmt.Errorf("Raft cannot be set both as 'storage' and 'ha_storage'. Setting 'storage' to 'raft' will automatically set it up for HA operations as well")
-		}
-
-		if config.Storage.Type == storageTypeRaft {
-			return false, fmt.Errorf("HA storage cannot be declared when Raft is the storage type")
-		}
-
-		factory, exists := c.PhysicalBackends[config.HAStorage.Type]
-		if !exists {
-			return false, fmt.Errorf("Unknown HA storage type %s", config.HAStorage.Type)
-		}
-
-		namedHALogger := c.logger.Named("ha." + config.HAStorage.Type)
-		c.allLoggers = append(c.allLoggers, namedHALogger)
-		habackend, err := factory(config.HAStorage.Config, namedHALogger)
-		if err != nil {
-			return false, fmt.Errorf("Error initializing HA storage of type %s: %s", config.HAStorage.Type, err)
-		}
-
-		if coreConfig.HAPhysical, ok = habackend.(physical.HABackend); !ok {
-			return false, fmt.Errorf("Specified HA storage does not support HA")
-		}
-
-		if !coreConfig.HAPhysical.HAEnabled() {
-			return false, fmt.Errorf("Specified HA storage has HA support disabled; please consult documentation")
-		}
-
-		coreConfig.RedirectAddr = config.HAStorage.RedirectAddr
-		disableClustering := config.HAStorage.DisableClustering
-
-		if config.HAStorage.Type == storageTypeRaft && disableClustering {
-			return disableClustering, fmt.Errorf("Disable clustering cannot be set to true when Raft is the HA storage type")
-		}
-
-		if !disableClustering {
-			coreConfig.ClusterAddr = config.HAStorage.ClusterAddr
-		}
-	} else {
-		if coreConfig.HAPhysical, ok = backend.(physical.HABackend); ok {
-			coreConfig.RedirectAddr = config.Storage.RedirectAddr
-			disableClustering := config.Storage.DisableClustering
-
-			if (config.Storage.Type == storageTypeRaft) && disableClustering {
-				return disableClustering, fmt.Errorf("Disable clustering cannot be set to true when Raft is the storage type")
-			}
-
-			if !disableClustering {
-				coreConfig.ClusterAddr = config.Storage.ClusterAddr
-			}
-		}
-	}
-	return config.DisableClustering, nil
-}
-
-func determineRedirectAddr(c *ServerCommand, coreConfig *vault.CoreConfig, config *server.Config) error {
-	var retErr error
-	if envRA := os.Getenv("VAULT_API_ADDR"); envRA != "" {
-		coreConfig.RedirectAddr = envRA
-	} else if envRA := os.Getenv("VAULT_REDIRECT_ADDR"); envRA != "" {
-		coreConfig.RedirectAddr = envRA
-	} else if envAA := os.Getenv("VAULT_ADVERTISE_ADDR"); envAA != "" {
-		coreConfig.RedirectAddr = envAA
-	}
-
-	// Attempt to detect the redirect address, if possible
-	if coreConfig.RedirectAddr == "" {
-		c.logger.Warn("no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set")
-	}
-
-	var ok bool
-	var detect physical.RedirectDetect
-	if coreConfig.HAPhysical != nil && coreConfig.HAPhysical.HAEnabled() {
-		detect, ok = coreConfig.HAPhysical.(physical.RedirectDetect)
-	} else {
-		detect, ok = coreConfig.Physical.(physical.RedirectDetect)
-	}
-	if ok && coreConfig.RedirectAddr == "" {
-		redirect, err := c.detectRedirect(detect, config)
-		// the following errors did not cause Run to return, so I'm not returning these
-		// as errors.
-		if err != nil {
-			retErr = fmt.Errorf("Error detecting api address: %s", err)
-		} else if redirect == "" {
-			retErr = fmt.Errorf("Failed to detect api address")
-		} else {
-			coreConfig.RedirectAddr = redirect
-		}
-	}
-	if coreConfig.RedirectAddr == "" && c.flagDev {
-		protocol := "http"
-		if c.flagDevTLS {
-			protocol = "https"
-		}
-		coreConfig.RedirectAddr = fmt.Sprintf("%s://%s", protocol, config.Listeners[0].Address)
-	}
-	return retErr
-}
-
-func findClusterAddress(c *ServerCommand, coreConfig *vault.CoreConfig, config *server.Config, disableClustering bool) error {
-	if disableClustering {
-		coreConfig.ClusterAddr = ""
-	} else if envCA := os.Getenv("VAULT_CLUSTER_ADDR"); envCA != "" {
-		coreConfig.ClusterAddr = envCA
-	} else {
-		var addrToUse string
-		switch {
-		case coreConfig.ClusterAddr == "" && coreConfig.RedirectAddr != "":
-			addrToUse = coreConfig.RedirectAddr
-		case c.flagDev:
-			addrToUse = fmt.Sprintf("http://%s", config.Listeners[0].Address)
-		default:
-			goto CLUSTER_SYNTHESIS_COMPLETE
-		}
-		u, err := url.ParseRequestURI(addrToUse)
-		if err != nil {
-			return fmt.Errorf("Error parsing synthesized cluster address %s: %v", addrToUse, err)
-		}
-		host, port, err := net.SplitHostPort(u.Host)
-		if err != nil {
-			// This sucks, as it's a const in the function but not exported in the package
-			if strings.Contains(err.Error(), "missing port in address") {
-				host = u.Host
-				port = "443"
-			} else {
-				return fmt.Errorf("Error parsing api address: %v", err)
-			}
-		}
-		nPort, err := strconv.Atoi(port)
-		if err != nil {
-			return fmt.Errorf("Error parsing synthesized address; failed to convert %q to a numeric: %v", port, err)
-		}
-		u.Host = net.JoinHostPort(host, strconv.Itoa(nPort+1))
-		// Will always be TLS-secured
-		u.Scheme = "https"
-		coreConfig.ClusterAddr = u.String()
-	}
-
-CLUSTER_SYNTHESIS_COMPLETE:
-
-	if coreConfig.RedirectAddr == coreConfig.ClusterAddr && len(coreConfig.RedirectAddr) != 0 {
-		return fmt.Errorf("Address %q used for both API and cluster addresses", coreConfig.RedirectAddr)
-	}
-
-	if coreConfig.ClusterAddr != "" {
-		rendered, err := configutil.ParseSingleIPTemplate(coreConfig.ClusterAddr)
-		if err != nil {
-			return fmt.Errorf("Error parsing cluster address %s: %v", coreConfig.ClusterAddr, err)
-		}
-		coreConfig.ClusterAddr = rendered
-		// Force https as we'll always be TLS-secured
-		u, err := url.ParseRequestURI(coreConfig.ClusterAddr)
-		if err != nil {
-			return fmt.Errorf("Error parsing cluster address %s: %v", coreConfig.ClusterAddr, err)
-		}
-		u.Scheme = "https"
-		coreConfig.ClusterAddr = u.String()
-	}
-	return nil
-}
-
-func runUnseal(c *ServerCommand, core *vault.Core, ctx context.Context) {
-	for {
-		err := core.UnsealWithStoredKeys(ctx)
-		if err == nil {
-			return
-		}
-
-		if vault.IsFatalError(err) {
-			c.logger.Error("error unsealing core", "error", err)
-			return
-		}
-		c.logger.Warn("failed to unseal core", "error", err)
-
-		timer := time.NewTimer(5 * time.Second)
-		select {
-		case <-c.ShutdownCh:
-			timer.Stop()
-			return
-		case <-timer.C:
-		}
-	}
-}
-
-func createCoreConfig(c *ServerCommand, config *server.Config, backend physical.Backend, configSR sr.ServiceRegistration, barrierSeal, unwrapSeal vault.Seal,
-	metricsHelper *metricsutil.MetricsHelper, metricSink *metricsutil.ClusterMetricSink, secureRandomReader io.Reader,
-) vault.CoreConfig {
-	coreConfig := &vault.CoreConfig{
-		RawConfig:                      config,
-		Physical:                       backend,
-		RedirectAddr:                   config.Storage.RedirectAddr,
-		StorageType:                    config.Storage.Type,
-		HAPhysical:                     nil,
-		ServiceRegistration:            configSR,
-		Seal:                           barrierSeal,
-		UnwrapSeal:                     unwrapSeal,
-		AuditBackends:                  c.AuditBackends,
-		CredentialBackends:             c.CredentialBackends,
-		LogicalBackends:                c.LogicalBackends,
-		LogLevel:                       config.LogLevel,
-		Logger:                         c.logger,
-		DetectDeadlocks:                config.DetectDeadlocks,
-		ImpreciseLeaseRoleTracking:     config.ImpreciseLeaseRoleTracking,
-		DisableSentinelTrace:           config.DisableSentinelTrace,
-		DisableCache:                   config.DisableCache,
-		DisableMlock:                   config.DisableMlock,
-		MaxLeaseTTL:                    config.MaxLeaseTTL,
-		DefaultLeaseTTL:                config.DefaultLeaseTTL,
-		ClusterName:                    config.ClusterName,
-		CacheSize:                      config.CacheSize,
-		PluginDirectory:                config.PluginDirectory,
-		PluginFileUid:                  config.PluginFileUid,
-		PluginFilePermissions:          config.PluginFilePermissions,
-		EnableUI:                       config.EnableUI,
-		EnableRaw:                      config.EnableRawEndpoint,
-		EnableIntrospection:            config.EnableIntrospectionEndpoint,
-		DisableSealWrap:                config.DisableSealWrap,
-		DisablePerformanceStandby:      config.DisablePerformanceStandby,
-		DisableIndexing:                config.DisableIndexing,
-		AllLoggers:                     c.allLoggers,
-		BuiltinRegistry:                builtinplugins.Registry,
-		DisableKeyEncodingChecks:       config.DisablePrintableCheck,
-		MetricsHelper:                  metricsHelper,
-		MetricSink:                     metricSink,
-		SecureRandomReader:             secureRandomReader,
-		EnableResponseHeaderHostname:   config.EnableResponseHeaderHostname,
-		EnableResponseHeaderRaftNodeID: config.EnableResponseHeaderRaftNodeID,
-		License:                        config.License,
-		LicensePath:                    config.LicensePath,
-		DisableSSCTokens:               config.DisableSSCTokens,
-		Experiments:                    config.Experiments,
-		AdministrativeNamespacePath:    config.AdministrativeNamespacePath,
-	}
-
-	if c.flagDev {
-		coreConfig.EnableRaw = true
-		coreConfig.EnableIntrospection = true
-		coreConfig.DevToken = c.flagDevRootTokenID
-		if c.flagDevLeasedKV {
-			coreConfig.LogicalBackends["kv"] = vault.LeasedPassthroughBackendFactory
-		}
-		if c.flagDevPluginDir != "" {
-			coreConfig.PluginDirectory = c.flagDevPluginDir
-		}
-		if c.flagDevLatency > 0 {
-			injectLatency := time.Duration(c.flagDevLatency) * time.Millisecond
-			if _, txnOK := backend.(physical.Transactional); txnOK {
-				coreConfig.Physical = physical.NewTransactionalLatencyInjector(backend, injectLatency, c.flagDevLatencyJitter, c.logger)
-			} else {
-				coreConfig.Physical = physical.NewLatencyInjector(backend, injectLatency, c.flagDevLatencyJitter, c.logger)
-			}
-		}
-	}
-	return *coreConfig
-}
-
-func runListeners(c *ServerCommand, coreConfig *vault.CoreConfig, config *server.Config, configSR sr.ServiceRegistration) error {
-	if sd := coreConfig.GetServiceRegistration(); sd != nil {
-		if err := configSR.Run(c.ShutdownCh, c.WaitGroup, coreConfig.RedirectAddr); err != nil {
-			return fmt.Errorf("Error running service_registration of type %s: %s", config.ServiceRegistration.Type, err)
-		}
-	}
-	return nil
-}
-
-func initDevCore(c *ServerCommand, coreConfig *vault.CoreConfig, config *server.Config, core *vault.Core, certDir string, clusterJSON *testcluster.ClusterJson) error {
-	if c.flagDev && !c.flagDevSkipInit {
-
-		init, err := c.enableDev(core, coreConfig)
-		if err != nil {
-			return fmt.Errorf("Error initializing Dev mode: %s", err)
-		}
-
-		if clusterJSON != nil {
-			clusterJSON.RootToken = init.RootToken
-		}
-
-		var plugins, pluginsNotLoaded []string
-		if c.flagDevPluginDir != "" && c.flagDevPluginInit {
-
-			f, err := os.Open(c.flagDevPluginDir)
-			if err != nil {
-				return fmt.Errorf("Error reading plugin dir: %s", err)
-			}
-
-			list, err := f.Readdirnames(0)
-			f.Close()
-			if err != nil {
-				return fmt.Errorf("Error listing plugins: %s", err)
-			}
-
-			for _, name := range list {
-				path := filepath.Join(f.Name(), name)
-				if err := c.addPlugin(path, init.RootToken, core); err != nil {
-					if !errwrap.Contains(err, vault.ErrPluginBadType.Error()) {
-						return fmt.Errorf("Error enabling plugin %s: %s", name, err)
-					}
-					pluginsNotLoaded = append(pluginsNotLoaded, name)
-					continue
-				}
-				plugins = append(plugins, name)
-			}
-
-			sort.Strings(plugins)
-		}
-
-		var qw *quiescenceSink
-		var qwo sync.Once
-		qw = &quiescenceSink{
-			t: time.AfterFunc(100*time.Millisecond, func() {
-				qwo.Do(func() {
-					c.logger.DeregisterSink(qw)
-
-					// Print the big dev mode warning!
-					c.UI.Warn(wrapAtLength(
-						"WARNING! dev mode is enabled! In this mode, Vault runs entirely " +
-							"in-memory and starts unsealed with a single unseal key. The root " +
-							"token is already authenticated to the CLI, so you can immediately " +
-							"begin using Vault."))
-					c.UI.Warn("")
-					c.UI.Warn("You may need to set the following environment variables:")
-					c.UI.Warn("")
-
-					protocol := "http://"
-					if c.flagDevTLS {
-						protocol = "https://"
-					}
-
-					endpointURL := protocol + config.Listeners[0].Address
-					if runtime.GOOS == "windows" {
-						c.UI.Warn("PowerShell:")
-						c.UI.Warn(fmt.Sprintf("    $env:VAULT_ADDR=\"%s\"", endpointURL))
-						c.UI.Warn("cmd.exe:")
-						c.UI.Warn(fmt.Sprintf("    set VAULT_ADDR=%s", endpointURL))
-					} else {
-						c.UI.Warn(fmt.Sprintf("    $ export VAULT_ADDR='%s'", endpointURL))
-					}
-
-					if c.flagDevTLS {
-						if runtime.GOOS == "windows" {
-							c.UI.Warn("PowerShell:")
-							c.UI.Warn(fmt.Sprintf("    $env:VAULT_CACERT=\"%s/vault-ca.pem\"", certDir))
-							c.UI.Warn("cmd.exe:")
-							c.UI.Warn(fmt.Sprintf("    set VAULT_CACERT=%s/vault-ca.pem", certDir))
-						} else {
-							c.UI.Warn(fmt.Sprintf("    $ export VAULT_CACERT='%s/vault-ca.pem'", certDir))
-						}
-						c.UI.Warn("")
-					}
-
-					// Unseal key is not returned if stored shares is supported
-					if len(init.SecretShares) > 0 {
-						c.UI.Warn("")
-						c.UI.Warn(wrapAtLength(
-							"The unseal key and root token are displayed below in case you want " +
-								"to seal/unseal the Vault or re-authenticate."))
-						c.UI.Warn("")
-						c.UI.Warn(fmt.Sprintf("Unseal Key: %s", base64.StdEncoding.EncodeToString(init.SecretShares[0])))
-					}
-
-					if len(init.RecoveryShares) > 0 {
-						c.UI.Warn("")
-						c.UI.Warn(wrapAtLength(
-							"The recovery key and root token are displayed below in case you want " +
-								"to seal/unseal the Vault or re-authenticate."))
-						c.UI.Warn("")
-						c.UI.Warn(fmt.Sprintf("Recovery Key: %s", base64.StdEncoding.EncodeToString(init.RecoveryShares[0])))
-					}
-
-					c.UI.Warn(fmt.Sprintf("Root Token: %s", init.RootToken))
-
-					if len(plugins) > 0 {
-						c.UI.Warn("")
-						c.UI.Warn(wrapAtLength(
-							"The following dev plugins are registered in the catalog:"))
-						for _, p := range plugins {
-							c.UI.Warn(fmt.Sprintf("    - %s", p))
-						}
-					}
-
-					if len(pluginsNotLoaded) > 0 {
-						c.UI.Warn("")
-						c.UI.Warn(wrapAtLength(
-							"The following dev plugins FAILED to be registered in the catalog due to unknown type:"))
-						for _, p := range pluginsNotLoaded {
-							c.UI.Warn(fmt.Sprintf("    - %s", p))
-						}
-					}
-
-					c.UI.Warn("")
-					c.UI.Warn(wrapAtLength(
-						"Development mode should NOT be used in production installations!"))
-					c.UI.Warn("")
-				})
-			}),
-		}
-		c.logger.RegisterSink(qw)
-	}
-	return nil
-}
-
-// Initialize the HTTP servers
-func startHttpServers(c *ServerCommand, core *vault.Core, config *server.Config, lns []listenerutil.Listener) error {
-	for _, ln := range lns {
-		if ln.Config == nil {
-			return fmt.Errorf("Found nil listener config after parsing")
-		}
-
-		if err := config2.IsValidListener(ln.Config); err != nil {
-			return err
-		}
-
-		handler := vaulthttp.Handler.Handler(&vault.HandlerProperties{
-			Core:                  core,
-			ListenerConfig:        ln.Config,
-			DisablePrintableCheck: config.DisablePrintableCheck,
-			RecoveryMode:          c.flagRecovery,
-		})
-
-		if len(ln.Config.XForwardedForAuthorizedAddrs) > 0 {
-			handler = vaulthttp.WrapForwardedForHandler(handler, ln.Config)
-		}
-
-		// server defaults
-		server := &http.Server{
-			Handler:           handler,
-			ReadHeaderTimeout: 10 * time.Second,
-			ReadTimeout:       30 * time.Second,
-			IdleTimeout:       5 * time.Minute,
-			ErrorLog:          c.logger.StandardLogger(nil),
-		}
-
-		// override server defaults with config values for read/write/idle timeouts if configured
-		if ln.Config.HTTPReadHeaderTimeout > 0 {
-			server.ReadHeaderTimeout = ln.Config.HTTPReadHeaderTimeout
-		}
-		if ln.Config.HTTPReadTimeout > 0 {
-			server.ReadTimeout = ln.Config.HTTPReadTimeout
-		}
-		if ln.Config.HTTPWriteTimeout > 0 {
-			server.WriteTimeout = ln.Config.HTTPWriteTimeout
-		}
-		if ln.Config.HTTPIdleTimeout > 0 {
-			server.IdleTimeout = ln.Config.HTTPIdleTimeout
-		}
-
-		// server config tests can exit now
-		if c.flagTestServerConfig {
-			continue
-		}
-
-		go server.Serve(ln.Listener)
-	}
-	return nil
-}
-
-func SetStorageMigration(b physical.Backend, active bool) error {
-	if !active {
-		return b.Delete(context.Background(), storageMigrationLock)
-	}
-
-	status := StorageMigrationStatus{
-		Start: time.Now(),
-	}
-
-	enc, err := jsonutil.EncodeJSON(status)
-	if err != nil {
-		return err
-	}
-
-	entry := &physical.Entry{
-		Key:   storageMigrationLock,
-		Value: enc,
-	}
-
-	return b.Put(context.Background(), entry)
-}
-
-type grpclogFaker struct {
-	logger hclog.Logger
-	log    bool
-}
-
-func (g *grpclogFaker) Fatal(args ...interface{}) {
-	g.logger.Error(fmt.Sprint(args...))
-	os.Exit(1)
-}
-
-func (g *grpclogFaker) Fatalf(format string, args ...interface{}) {
-	g.logger.Error(fmt.Sprintf(format, args...))
-	os.Exit(1)
-}
-
-func (g *grpclogFaker) Fatalln(args ...interface{}) {
-	g.logger.Error(fmt.Sprintln(args...))
-	os.Exit(1)
-}
-
-func (g *grpclogFaker) Print(args ...interface{}) {
-	if g.log && g.logger.IsDebug() {
-		g.logger.Debug(fmt.Sprint(args...))
-	}
-}
-
-func (g *grpclogFaker) Printf(format string, args ...interface{}) {
-	if g.log && g.logger.IsDebug() {
-		g.logger.Debug(fmt.Sprintf(format, args...))
-	}
-}
-
-func (g *grpclogFaker) Println(args ...interface{}) {
-	if g.log && g.logger.IsDebug() {
-		g.logger.Debug(fmt.Sprintln(args...))
-	}
 }
diff --git a/command/server/listener.go b/command/server/listener.go
index 7e308a0ccb79..1f8afe717650 100644
--- a/command/server/listener.go
+++ b/command/server/listener.go
@@ -1,58 +1,249 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package server
+package listenerutil
 
 import (
-	_ "crypto/sha512"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
-	"io"
+	"io/ioutil"
 	"net"
+	"os"
+	osuser "os/user"
+	"strconv"
 
-	// We must import sha512 so that it registers with the runtime so that
-	// certificates that use it can be parsed.
-
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/go-secure-stdlib/reloadutil"
-	"github.com/hashicorp/vault/helper/proxyutil"
+	"github.com/hashicorp/go-secure-stdlib/tlsutil"
 	"github.com/hashicorp/vault/internalshared/configutil"
-	"github.com/mitchellh/cli"
+	"github.com/jefferai/isbadcipher"
 )
 
-// ListenerFactory is the factory function to create a listener.
-type ListenerFactory func(*configutil.Listener, io.Writer, cli.Ui) (net.Listener, map[string]string, reloadutil.ReloadFunc, error)
+type Listener struct {
+	net.Listener
+	Config *configutil.Listener
+}
+
+type UnixSocketsConfig struct {
+	User  string `hcl:"user"`
+	Mode  string `hcl:"mode"`
+	Group string `hcl:"group"`
+}
+
+// rmListener is an implementation of net.Listener that forwards most
+// calls to the listener but also removes a file as part of the close. We
+// use this to cleanup the unix domain socket on close.
+type rmListener struct {
+	net.Listener
+	Path string
+}
+
+func (l *rmListener) Close() error {
+	// Close the listener itself
+	if err := l.Listener.Close(); err != nil {
+		return err
+	}
 
-// BuiltinListeners is the list of built-in listener types.
-var BuiltinListeners = map[configutil.ListenerType]ListenerFactory{
-	"tcp":  tcpListenerFactory,
-	"unix": unixListenerFactory,
+	// Remove the file
+	return os.Remove(l.Path)
 }
 
-// NewListener creates a new listener of the given type with the given
-// configuration. The type is looked up in the BuiltinListeners map.
-func NewListener(l *configutil.Listener, logger io.Writer, ui cli.Ui) (net.Listener, map[string]string, reloadutil.ReloadFunc, error) {
-	f, ok := BuiltinListeners[l.Type]
+func UnixSocketListener(path string, unixSocketsConfig *UnixSocketsConfig) (net.Listener, error) {
+	if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
+		return nil, fmt.Errorf("failed to remove socket file: %v", err)
+	}
+
+	ln, err := net.Listen("unix", path)
+	if err != nil {
+		return nil, err
+	}
+
+	if unixSocketsConfig != nil {
+		err = setFilePermissions(path, unixSocketsConfig.User, unixSocketsConfig.Group, unixSocketsConfig.Mode)
+		if err != nil {
+			return nil, fmt.Errorf("failed to set file system permissions on the socket file: %s", err)
+		}
+	}
+
+	// Wrap the listener in rmListener so that the Unix domain socket file is
+	// removed on close.
+	return &rmListener{
+		Listener: ln,
+		Path:     path,
+	}, nil
+}
+
+func TLSConfig(
+	l *configutil.Listener,
+	props map[string]string,
+	ui cli.Ui,
+) (*tls.Config, reloadutil.ReloadFunc, error) {
+	props["tls"] = "disabled"
+
+	if l.TLSDisable {
+		return nil, nil, nil
+	}
+
+	cg := reloadutil.NewCertificateGetter(l.TLSCertFile, l.TLSKeyFile, "")
+	if err := cg.Reload(); err != nil {
+		// We try the key without a passphrase first and if we get an incorrect
+		// passphrase response, try again after prompting for a passphrase
+		if errwrap.Contains(err, x509.IncorrectPasswordError.Error()) {
+			var passphrase string
+			passphrase, err = ui.AskSecret(fmt.Sprintf("Enter passphrase for %s:", l.TLSKeyFile))
+			if err == nil {
+				cg = reloadutil.NewCertificateGetter(l.TLSCertFile, l.TLSKeyFile, passphrase)
+				if err = cg.Reload(); err == nil {
+					goto PASSPHRASECORRECT
+				}
+			}
+		}
+		return nil, nil, fmt.Errorf("error loading TLS cert: %w", err)
+	}
+
+PASSPHRASECORRECT:
+	tlsConf := &tls.Config{
+		GetCertificate: cg.GetCertificate,
+		NextProtos:     []string{"h2", "http/1.1"},
+		ClientAuth:     tls.RequestClientCert,
+	}
+
+	if l.TLSMinVersion == "" {
+		l.TLSMinVersion = "tls12"
+	}
+
+	if l.TLSMaxVersion == "" {
+		l.TLSMaxVersion = "tls13"
+	}
+
+	var ok bool
+	tlsConf.MinVersion, ok = tlsutil.TLSLookup[l.TLSMinVersion]
+	if !ok {
+		return nil, nil, fmt.Errorf("'tls_min_version' value %q not supported, please specify one of [tls10,tls11,tls12,tls13]", l.TLSMinVersion)
+	}
+
+	tlsConf.MaxVersion, ok = tlsutil.TLSLookup[l.TLSMaxVersion]
 	if !ok {
-		return nil, nil, nil, fmt.Errorf("unknown listener type: %q", l.Type)
+		return nil, nil, fmt.Errorf("'tls_max_version' value %q not supported, please specify one of [tls10,tls11,tls12,tls13]", l.TLSMaxVersion)
+	}
+
+	if tlsConf.MaxVersion < tlsConf.MinVersion {
+		return nil, nil, fmt.Errorf("'tls_max_version' must be greater than or equal to 'tls_min_version'")
+	}
+
+	if len(l.TLSCipherSuites) > 0 {
+		// HTTP/2 with TLS 1.2 blacklists several cipher suites.
+		// https://tools.ietf.org/html/rfc7540#appendix-A
+		//
+		// Since the CLI (net/http) automatically uses HTTP/2 with TLS 1.2,
+		// we check here if all or some specified cipher suites are blacklisted.
+		badCiphers := []string{}
+		for _, cipher := range l.TLSCipherSuites {
+			if isbadcipher.IsBadCipher(cipher) {
+				// Get the name of the current cipher.
+				cipherStr, err := tlsutil.GetCipherName(cipher)
+				if err != nil {
+					return nil, nil, fmt.Errorf("invalid value for 'tls_cipher_suites': %w", err)
+				}
+				badCiphers = append(badCiphers, cipherStr)
+			}
+		}
+		if len(badCiphers) == len(l.TLSCipherSuites) {
+			ui.Warn(`WARNING! All cipher suites defined by 'tls_cipher_suites' are blacklisted by the
+HTTP/2 specification. HTTP/2 communication with TLS 1.2 will not work as intended
+and Vault will be unavailable via the CLI.
+Please see https://tools.ietf.org/html/rfc7540#appendix-A for further information.`)
+		} else if len(badCiphers) > 0 {
+			ui.Warn(fmt.Sprintf(`WARNING! The following cipher suites defined by 'tls_cipher_suites' are
+blacklisted by the HTTP/2 specification:
+%v
+Please see https://tools.ietf.org/html/rfc7540#appendix-A for further information.`, badCiphers))
+		}
+		tlsConf.CipherSuites = l.TLSCipherSuites
 	}
 
-	return f(l, logger, ui)
+	if l.TLSRequireAndVerifyClientCert {
+		tlsConf.ClientAuth = tls.RequireAndVerifyClientCert
+		if l.TLSClientCAFile != "" {
+			caPool := x509.NewCertPool()
+			data, err := ioutil.ReadFile(l.TLSClientCAFile)
+			if err != nil {
+				return nil, nil, fmt.Errorf("failed to read tls_client_ca_file: %w", err)
+			}
+
+			if !caPool.AppendCertsFromPEM(data) {
+				return nil, nil, fmt.Errorf("failed to parse CA certificate in tls_client_ca_file")
+			}
+			tlsConf.ClientCAs = caPool
+		}
+	}
+
+	if l.TLSDisableClientCerts {
+		if l.TLSRequireAndVerifyClientCert {
+			return nil, nil, fmt.Errorf("'tls_disable_client_certs' and 'tls_require_and_verify_client_cert' are mutually exclusive")
+		}
+		tlsConf.ClientAuth = tls.NoClientCert
+	}
+
+	props["tls"] = "enabled"
+	return tlsConf, cg.Reload, nil
 }
 
-func listenerWrapProxy(ln net.Listener, l *configutil.Listener) (net.Listener, error) {
-	behavior := l.ProxyProtocolBehavior
-	if behavior == "" {
-		return ln, nil
+// setFilePermissions handles configuring ownership and permissions
+// settings on a given file. All permission/ownership settings are
+// optional. If no user or group is specified, the current user/group
+// will be used. Mode is optional, and has no default (the operation is
+// not performed if absent). User may be specified by name or ID, but
+// group may only be specified by ID.
+func setFilePermissions(path string, user, group, mode string) error {
+	var err error
+	uid, gid := os.Getuid(), os.Getgid()
+
+	if user != "" {
+		if uid, err = strconv.Atoi(user); err == nil {
+			goto GROUP
+		}
+
+		// Try looking up the user by name
+		u, err := osuser.Lookup(user)
+		if err != nil {
+			return fmt.Errorf("failed to look up user %q: %v", user, err)
+		}
+		uid, _ = strconv.Atoi(u.Uid)
 	}
 
-	proxyProtoConfig := &proxyutil.ProxyProtoConfig{
-		Behavior:        behavior,
-		AuthorizedAddrs: l.ProxyProtocolAuthorizedAddrs,
+GROUP:
+	if group != "" {
+		if gid, err = strconv.Atoi(group); err == nil {
+			goto OWN
+		}
+
+		// Try looking up the user by name
+		g, err := osuser.LookupGroup(group)
+		if err != nil {
+			return fmt.Errorf("failed to look up group %q: %v", user, err)
+		}
+		gid, _ = strconv.Atoi(g.Gid)
 	}
 
-	newLn, err := proxyutil.WrapInProxyProto(ln, proxyProtoConfig)
-	if err != nil {
-		return nil, fmt.Errorf("failed configuring PROXY protocol wrapper: %w", err)
+OWN:
+	if err := os.Chown(path, uid, gid); err != nil {
+		return fmt.Errorf("failed setting ownership to %d:%d on %q: %v",
+			uid, gid, path, err)
+	}
+
+	if mode != "" {
+		mode, err := strconv.ParseUint(mode, 8, 32)
+		if err != nil {
+			return fmt.Errorf("invalid mode specified: %v", mode)
+		}
+		if err := os.Chmod(path, os.FileMode(mode)); err != nil {
+			return fmt.Errorf("failed setting permissions to %d on %q: %v",
+				mode, path, err)
+		}
 	}
 
-	return newLn, nil
+	return nil
 }
diff --git a/command/server/listener_tcp.go b/command/server/listener_tcp.go
index 11c145b3eec4..6c121ec403e2 100644
--- a/command/server/listener_tcp.go
+++ b/command/server/listener_tcp.go
@@ -12,10 +12,10 @@ import (
 	"strings"
 	"time"
 
+	"github.com/hashicorp/cli"
 	"github.com/hashicorp/go-secure-stdlib/reloadutil"
 	"github.com/hashicorp/vault/internalshared/configutil"
 	"github.com/hashicorp/vault/internalshared/listenerutil"
-	"github.com/mitchellh/cli"
 )
 
 func tcpListenerFactory(l *configutil.Listener, _ io.Writer, ui cli.Ui) (net.Listener, map[string]string, reloadutil.ReloadFunc, error) {
diff --git a/command/server/listener_tcp_test.go b/command/server/listener_tcp_test.go
index fe96548317fe..42da6c0d21a6 100644
--- a/command/server/listener_tcp_test.go
+++ b/command/server/listener_tcp_test.go
@@ -14,9 +14,9 @@ import (
 	"testing"
 	"time"
 
+	"github.com/hashicorp/cli"
 	"github.com/hashicorp/go-sockaddr"
 	"github.com/hashicorp/vault/internalshared/configutil"
-	"github.com/mitchellh/cli"
 	"github.com/pires/go-proxyproto"
 )
 
diff --git a/command/server/listener_unix.go b/command/server/listener_unix.go
index 0b70a046935d..35306d166699 100644
--- a/command/server/listener_unix.go
+++ b/command/server/listener_unix.go
@@ -7,10 +7,10 @@ import (
 	"io"
 	"net"
 
+	"github.com/hashicorp/cli"
 	"github.com/hashicorp/go-secure-stdlib/reloadutil"
 	"github.com/hashicorp/vault/internalshared/configutil"
 	"github.com/hashicorp/vault/internalshared/listenerutil"
-	"github.com/mitchellh/cli"
 )
 
 func unixListenerFactory(l *configutil.Listener, _ io.Writer, ui cli.Ui) (net.Listener, map[string]string, reloadutil.ReloadFunc, error) {
diff --git a/command/server/listener_unix_test.go b/command/server/listener_unix_test.go
index 9d156bbc1350..72f21bb471cd 100644
--- a/command/server/listener_unix_test.go
+++ b/command/server/listener_unix_test.go
@@ -8,8 +8,8 @@ import (
 	"path/filepath"
 	"testing"
 
+	"github.com/hashicorp/cli"
 	"github.com/hashicorp/vault/internalshared/configutil"
-	"github.com/mitchellh/cli"
 )
 
 func TestUnixListener(t *testing.T) {
diff --git a/command/server_test.go b/command/server_test.go
index 677705176bb4..2f2eb8fbc46d 100644
--- a/command/server_test.go
+++ b/command/server_test.go
@@ -1,402 +1,163 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-//go:build !race && !hsm && !fips_140_3
-
-// NOTE: we can't use this with HSM. We can't set testing mode on and it's not
-// safe to use env vars since that provides an attack vector in the real world.
-//
-// The server tests have a go-metrics/exp manager race condition :(.
-
-package command
+package logging
 
 import (
-	"crypto/tls"
-	"crypto/x509"
 	"fmt"
-	"io/ioutil"
 	"os"
+	"path/filepath"
+	"sort"
+	"strconv"
 	"strings"
 	"sync"
-	"testing"
 	"time"
 
-	"github.com/hashicorp/vault/sdk/physical"
-	physInmem "github.com/hashicorp/vault/sdk/physical/inmem"
-	"github.com/mitchellh/cli"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
+	"github.com/hashicorp/go-multierror"
 )
 
-func init() {
-	if signed := os.Getenv("VAULT_LICENSE_CI"); signed != "" {
-		os.Setenv(EnvVaultLicense, signed)
-	}
-}
+var now = time.Now
 
-func testBaseHCL(tb testing.TB, listenerExtras string) string {
-	tb.Helper()
+type LogFile struct {
+	// Name of the log file
+	fileName string
 
-	return strings.TrimSpace(fmt.Sprintf(`
-		disable_mlock = true
-		listener "tcp" {
-			address     = "127.0.0.1:%d"
-			tls_disable = "true"
-			%s
-		}
-	`, 0, listenerExtras))
-}
+	// Path to the log file
+	logPath string
 
-const (
-	goodListenerTimeouts = `http_read_header_timeout = 12
-			http_read_timeout = "34s"
-			http_write_timeout = "56m"
-			http_idle_timeout = "78h"`
+	// duration between each file rotation operation
+	duration time.Duration
 
-	badListenerReadHeaderTimeout = `http_read_header_timeout = "12km"`
-	badListenerReadTimeout       = `http_read_timeout = "34日"`
-	badListenerWriteTimeout      = `http_write_timeout = "56lbs"`
-	badListenerIdleTimeout       = `http_idle_timeout = "78gophers"`
+	// lastCreated represents the creation time of the latest log
+	lastCreated time.Time
 
-	inmemHCL = `
-backend "inmem_ha" {
-  advertise_addr       = "http://127.0.0.1:8200"
-}
-`
-	haInmemHCL = `
-ha_backend "inmem_ha" {
-  redirect_addr        = "http://127.0.0.1:8200"
-}
-`
-
-	badHAInmemHCL = `
-ha_backend "inmem" {}
-`
+	// fileInfo is the pointer to the current file being written to
+	fileInfo *os.File
 
-	reloadHCL = `
-backend "inmem" {}
-disable_mlock = true
-listener "tcp" {
-  address       = "127.0.0.1:8203"
-  tls_cert_file = "TMPDIR/reload_cert.pem"
-  tls_key_file  = "TMPDIR/reload_key.pem"
-}
-`
-	cloudHCL = `
-cloud {
-      resource_id = "organization/bc58b3d0-2eab-4ab8-abf4-f61d3c9975ff/project/1c78e888-2142-4000-8918-f933bbbc7690/hashicorp.example.resource/example"
-    client_id = "J2TtcSYOyPUkPV2z0mSyDtvitxLVjJmu"
-    client_secret = "N9JtHZyOnHrIvJZs82pqa54vd4jnkyU3xCcqhFXuQKJZZuxqxxbP1xCfBZVB82vY"
-}
-`
-)
+	// maxBytes is the maximum number of desired bytes for a log file
+	maxBytes int
 
-func testServerCommand(tb testing.TB) (*cli.MockUi, *ServerCommand) {
-	tb.Helper()
+	// bytesWritten is the number of bytes written in the current log file
+	bytesWritten int64
 
-	ui := cli.NewMockUi()
-	return ui, &ServerCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-		ShutdownCh: MakeShutdownCh(),
-		SighupCh:   MakeSighupCh(),
-		SigUSR2Ch:  MakeSigUSR2Ch(),
-		PhysicalBackends: map[string]physical.Factory{
-			"inmem":    physInmem.NewInmem,
-			"inmem_ha": physInmem.NewInmemHA,
-		},
+	// Max rotated files to keep before removing them.
+	maxArchivedFiles int
 
-		// These prevent us from random sleep guessing...
-		startedCh:         make(chan struct{}, 5),
-		reloadedCh:        make(chan struct{}, 5),
-		licenseReloadedCh: make(chan error),
-	}
+	// acquire is the mutex utilized to ensure we have no concurrency issues
+	acquire sync.Mutex
 }
 
-func TestServer_ReloadListener(t *testing.T) {
-	t.Parallel()
+// Write is used to implement io.Writer
+func (l *LogFile) Write(b []byte) (n int, err error) {
+	l.acquire.Lock()
+	defer l.acquire.Unlock()
 
-	wd, _ := os.Getwd()
-	wd += "/server/test-fixtures/reload/"
-
-	td, err := ioutil.TempDir("", "vault-test-")
-	if err != nil {
-		t.Fatal(err)
+	// Create a new file if we have no file to write to
+	if l.fileInfo == nil {
+		if err := l.openNew(); err != nil {
+			return 0, err
+		}
+	}
+	if err := l.rotate(); err != nil { // Check for the last contact and rotate if necessary
+		return 0, err
 	}
-	defer os.RemoveAll(td)
 
-	wg := &sync.WaitGroup{}
-	// Setup initial certs
-	inBytes, _ := ioutil.ReadFile(wd + "reload_foo.pem")
-	ioutil.WriteFile(td+"/reload_cert.pem", inBytes, 0o777)
-	inBytes, _ = ioutil.ReadFile(wd + "reload_foo.key")
-	ioutil.WriteFile(td+"/reload_key.pem", inBytes, 0o777)
+	bytesWritten, err := l.fileInfo.Write(b)
 
-	relhcl := strings.ReplaceAll(reloadHCL, "TMPDIR", td)
-	ioutil.WriteFile(td+"/reload.hcl", []byte(relhcl), 0o777)
+	if bytesWritten > 0 {
+		l.bytesWritten += int64(bytesWritten)
+	}
+
+	return bytesWritten, err
+}
 
-	inBytes, _ = ioutil.ReadFile(wd + "reload_ca.pem")
-	certPool := x509.NewCertPool()
-	ok := certPool.AppendCertsFromPEM(inBytes)
-	if !ok {
-		t.Fatal("not ok when appending CA cert")
+func (l *LogFile) fileNamePattern() string {
+	// Extract the file extension
+	fileExt := filepath.Ext(l.fileName)
+	// If we have no file extension we append .log
+	if fileExt == "" {
+		fileExt = ".log"
 	}
+	// Remove the file extension from the filename
+	return strings.TrimSuffix(l.fileName, fileExt) + "-%s" + fileExt
+}
 
-	ui, cmd := testServerCommand(t)
-	_ = ui
+func (l *LogFile) openNew() error {
+	newFileName := l.fileName
+	newFilePath := filepath.Join(l.logPath, newFileName)
 
-	wg.Add(1)
-	args := []string{"-config", td + "/reload.hcl"}
-	go func() {
-		if code := cmd.Run(args); code != 0 {
-			output := ui.ErrorWriter.String() + ui.OutputWriter.String()
-			t.Errorf("got a non-zero exit status: %s", output)
-		}
-		wg.Done()
-	}()
+	// Try creating or opening the active log file. Since the active log file
+	// always has the same name, append log entries to prevent overwriting
+	// previous log data.
+	filePointer, err := os.OpenFile(newFilePath, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0o640)
+	if err != nil {
+		return err
+	}
+
+	// New file, new bytes tracker, new creation time :)
+	l.fileInfo = filePointer
+	l.lastCreated = now()
+	l.bytesWritten = 0
+	return nil
+}
 
-	testCertificateName := func(cn string) error {
-		conn, err := tls.Dial("tcp", "127.0.0.1:8203", &tls.Config{
-			RootCAs: certPool,
-		})
-		if err != nil {
+func (l *LogFile) rotate() error {
+	// Get the time from the last point of contact
+	timeElapsed := time.Since(l.lastCreated)
+	// Rotate if we hit the byte file limit or the time limit
+	if (l.bytesWritten >= int64(l.maxBytes) && (l.maxBytes > 0)) || timeElapsed >= l.duration {
+		if err := l.fileInfo.Close(); err != nil {
 			return err
 		}
-		defer conn.Close()
-		if err = conn.Handshake(); err != nil {
+		if err := l.renameCurrentFile(); err != nil {
 			return err
 		}
-		servName := conn.ConnectionState().PeerCertificates[0].Subject.CommonName
-		if servName != cn {
-			return fmt.Errorf("expected %s, got %s", cn, servName)
+		if err := l.pruneFiles(); err != nil {
+			return err
 		}
-		return nil
-	}
-
-	select {
-	case <-cmd.startedCh:
-	case <-time.After(5 * time.Second):
-		t.Fatalf("timeout")
+		return l.openNew()
 	}
+	return nil
+}
 
-	if err := testCertificateName("foo.example.com"); err != nil {
-		t.Fatalf("certificate name didn't check out: %s", err)
+func (l *LogFile) pruneFiles() error {
+	if l.maxArchivedFiles == 0 {
+		return nil
 	}
 
-	relhcl = strings.ReplaceAll(reloadHCL, "TMPDIR", td)
-	inBytes, _ = ioutil.ReadFile(wd + "reload_bar.pem")
-	ioutil.WriteFile(td+"/reload_cert.pem", inBytes, 0o777)
-	inBytes, _ = ioutil.ReadFile(wd + "reload_bar.key")
-	ioutil.WriteFile(td+"/reload_key.pem", inBytes, 0o777)
-	ioutil.WriteFile(td+"/reload.hcl", []byte(relhcl), 0o777)
-
-	cmd.SighupCh <- struct{}{}
-	select {
-	case <-cmd.reloadedCh:
-	case <-time.After(5 * time.Second):
-		t.Fatalf("timeout")
+	pattern := filepath.Join(l.logPath, fmt.Sprintf(l.fileNamePattern(), "*"))
+	matches, err := filepath.Glob(pattern)
+	if err != nil {
+		return err
 	}
 
-	if err := testCertificateName("bar.example.com"); err != nil {
-		t.Fatalf("certificate name didn't check out: %s", err)
+	switch {
+	case l.maxArchivedFiles < 0:
+		return removeFiles(matches)
+	case len(matches) < l.maxArchivedFiles:
+		return nil
 	}
 
-	cmd.ShutdownCh <- struct{}{}
-
-	wg.Wait()
+	sort.Strings(matches)
+	last := len(matches) - l.maxArchivedFiles
+	return removeFiles(matches[:last])
 }
 
-func TestServer(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name     string
-		contents string
-		exp      string
-		code     int
-		args     []string
-	}{
-		{
-			"common_ha",
-			testBaseHCL(t, "") + inmemHCL,
-			"(HA available)",
-			0,
-			[]string{"-test-verify-only"},
-		},
-		{
-			"separate_ha",
-			testBaseHCL(t, "") + inmemHCL + haInmemHCL,
-			"HA Storage:",
-			0,
-			[]string{"-test-verify-only"},
-		},
-		{
-			"bad_separate_ha",
-			testBaseHCL(t, "") + inmemHCL + badHAInmemHCL,
-			"Specified HA storage does not support HA",
-			1,
-			[]string{"-test-verify-only"},
-		},
-		{
-			"good_listener_timeout_config",
-			testBaseHCL(t, goodListenerTimeouts) + inmemHCL,
-			"",
-			0,
-			[]string{"-test-server-config"},
-		},
-		{
-			"bad_listener_read_header_timeout_config",
-			testBaseHCL(t, badListenerReadHeaderTimeout) + inmemHCL,
-			"unknown unit \"km\" in duration \"12km\"",
-			1,
-			[]string{"-test-server-config"},
-		},
-		{
-			"bad_listener_read_timeout_config",
-			testBaseHCL(t, badListenerReadTimeout) + inmemHCL,
-			"unknown unit \"\\xe6\\x97\\xa5\" in duration",
-			1,
-			[]string{"-test-server-config"},
-		},
-		{
-			"bad_listener_write_timeout_config",
-			testBaseHCL(t, badListenerWriteTimeout) + inmemHCL,
-			"unknown unit \"lbs\" in duration \"56lbs\"",
-			1,
-			[]string{"-test-server-config"},
-		},
-		{
-			"bad_listener_idle_timeout_config",
-			testBaseHCL(t, badListenerIdleTimeout) + inmemHCL,
-			"unknown unit \"gophers\" in duration \"78gophers\"",
-			1,
-			[]string{"-test-server-config"},
-		},
-		{
-			"environment_variables_logged",
-			testBaseHCL(t, "") + inmemHCL,
-			"Environment Variables",
-			0,
-			[]string{"-test-verify-only"},
-		},
-		{
-			"cloud_config",
-			testBaseHCL(t, "") + inmemHCL + cloudHCL,
-			"HCP Organization: bc58b3d0-2eab-4ab8-abf4-f61d3c9975ff",
-			0,
-			[]string{"-test-verify-only"},
-		},
-		{
-			"recovery_mode",
-			testBaseHCL(t, "") + inmemHCL,
-			"",
-			0,
-			[]string{"-test-verify-only", "-recovery"},
-		},
-	}
-
-	for _, tc := range cases {
-		tc := tc
-
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			ui, cmd := testServerCommand(t)
-
-			f, err := os.CreateTemp(t.TempDir(), "")
-			require.NoErrorf(t, err, "error creating temp dir: %v", err)
-
-			_, err = f.WriteString(tc.contents)
-			require.NoErrorf(t, err, "cannot write temp file contents")
-
-			err = f.Close()
-			require.NoErrorf(t, err, "unable to close temp file")
-
-			args := append(tc.args, "-config", f.Name())
-			code := cmd.Run(args)
-			output := ui.ErrorWriter.String() + ui.OutputWriter.String()
-			require.Equal(t, tc.code, code, "expected %d to be %d: %s", code, tc.code, output)
-			require.Contains(t, output, tc.exp, "expected %q to contain %q", output, tc.exp)
-		})
+func removeFiles(files []string) (err error) {
+	for _, file := range files {
+		if fileError := os.Remove(file); fileError != nil {
+			err = multierror.Append(err, fmt.Errorf("error removing file %s: %v", file, fileError))
+		}
 	}
+	return err
 }
 
-// TestServer_DevTLS verifies that a vault server starts up correctly with the -dev-tls flag
-func TestServer_DevTLS(t *testing.T) {
-	ui, cmd := testServerCommand(t)
-	args := []string{"-dev-tls", "-dev-listen-address=127.0.0.1:0", "-test-server-config"}
-	retCode := cmd.Run(args)
-	output := ui.ErrorWriter.String() + ui.OutputWriter.String()
-	require.Equal(t, 0, retCode, output)
-	require.Contains(t, output, `tls: "enabled"`)
-}
-
-// TestConfigureDevTLS verifies the various logic paths that flow through the
-// configureDevTLS function.
-func TestConfigureDevTLS(t *testing.T) {
-	testcases := []struct {
-		ServerCommand   *ServerCommand
-		DeferFuncNotNil bool
-		ConfigNotNil    bool
-		TLSDisable      bool
-		CertPathEmpty   bool
-		ErrNotNil       bool
-		TestDescription string
-	}{
-		{
-			ServerCommand: &ServerCommand{
-				flagDevTLS: false,
-			},
-			ConfigNotNil:    true,
-			TLSDisable:      true,
-			CertPathEmpty:   true,
-			ErrNotNil:       false,
-			TestDescription: "flagDev is false, nothing will be configured",
-		},
-		{
-			ServerCommand: &ServerCommand{
-				flagDevTLS:        true,
-				flagDevTLSCertDir: "",
-			},
-			DeferFuncNotNil: true,
-			ConfigNotNil:    true,
-			ErrNotNil:       false,
-			TestDescription: "flagDevTLSCertDir is empty",
-		},
-		{
-			ServerCommand: &ServerCommand{
-				flagDevTLS:        true,
-				flagDevTLSCertDir: "@/#",
-			},
-			CertPathEmpty:   true,
-			ErrNotNil:       true,
-			TestDescription: "flagDevTLSCertDir is set to something invalid",
-		},
-	}
+func (l *LogFile) renameCurrentFile() error {
+	fileNamePattern := l.fileNamePattern()
+	createTime := now()
+	currentFilePath := filepath.Join(l.logPath, l.fileName)
+	oldFileName := fmt.Sprintf(fileNamePattern, strconv.FormatInt(createTime.UnixNano(), 10))
+	oldFilePath := filepath.Join(l.logPath, oldFileName)
 
-	for _, testcase := range testcases {
-		fun, cfg, certPath, err := configureDevTLS(testcase.ServerCommand)
-		if fun != nil {
-			// If a function is returned, call it right away to clean up
-			// files created in the temporary directory before anything else has
-			// a chance to fail this test.
-			fun()
-		}
-
-		t.Run(testcase.TestDescription, func(t *testing.T) {
-			assert.Equal(t, testcase.DeferFuncNotNil, (fun != nil))
-			assert.Equal(t, testcase.ConfigNotNil, cfg != nil)
-			if testcase.ConfigNotNil && cfg != nil {
-				assert.True(t, len(cfg.Listeners) > 0)
-				assert.Equal(t, testcase.TLSDisable, cfg.Listeners[0].TLSDisable)
-			}
-			assert.Equal(t, testcase.CertPathEmpty, len(certPath) == 0)
-			if testcase.ErrNotNil {
-				assert.Error(t, err)
-			} else {
-				assert.NoError(t, err)
-			}
-		})
-	}
+	return os.Rename(currentFilePath, oldFilePath)
 }
diff --git a/command/ssh.go b/command/ssh.go
index edc8b4cd6637..b37134b93cb4 100644
--- a/command/ssh.go
+++ b/command/ssh.go
@@ -1,893 +1,223 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package logging
 
 import (
-	"encoding/json"
+	"errors"
 	"fmt"
-	"io/ioutil"
-	"net"
-	"os"
-	"os/exec"
-	"os/user"
+	"io"
+	"path/filepath"
 	"strings"
-	"syscall"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/builtin/logical/ssh"
-	"github.com/mitchellh/cli"
-	"github.com/mitchellh/mapstructure"
-	"github.com/pkg/errors"
-	"github.com/posener/complete"
-)
+	"time"
 
-var (
-	_ cli.Command             = (*SSHCommand)(nil)
-	_ cli.CommandAutocomplete = (*SSHCommand)(nil)
+	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/go-multierror"
 )
 
-type SSHCommand struct {
-	*BaseCommand
-
-	// Common SSH options
-	flagMode                  string
-	flagRole                  string
-	flagNoExec                bool
-	flagMountPoint            string
-	flagStrictHostKeyChecking string
-	flagSSHExecutable         string
-	flagUserKnownHostsFile    string
-
-	// SSH CA Mode options
-	flagPublicKeyPath     string
-	flagPrivateKeyPath    string
-	flagHostKeyMountPoint string
-	flagHostKeyHostnames  string
-	flagValidPrincipals   string
-}
-
-func (c *SSHCommand) Synopsis() string {
-	return "Initiate an SSH session"
-}
-
-func (c *SSHCommand) Help() string {
-	helpText := `
-Usage: vault ssh [options] username@ip [ssh options]
-
-  Establishes an SSH connection with the target machine.
+const (
+	UnspecifiedFormat LogFormat = iota
+	StandardFormat
+	JSONFormat
+)
 
-  This command uses one of the SSH secrets engines to authenticate and
-  automatically establish an SSH connection to a host. This operation requires
-  that the SSH secrets engine is mounted and configured.
+// defaultRotateDuration is the default time taken by the agent to rotate logs
+const defaultRotateDuration = 24 * time.Hour
 
-  SSH using the OTP mode (requires sshpass for full automation):
+type LogFormat int
 
-      $ vault ssh -mode=otp -role=my-role user@1.2.3.4
+// LogConfig should be used to supply configuration when creating a new Vault logger
+type LogConfig struct {
+	// Name is the name the returned logger will use to prefix log lines.
+	Name string
 
-  SSH using the CA mode:
+	// LogLevel is the minimum level to be logged.
+	LogLevel hclog.Level
 
-      $ vault ssh -mode=ca -role=my-role user@1.2.3.4
+	// LogFormat is the log format to use, supported formats are 'standard' and 'json'.
+	LogFormat LogFormat
 
-  SSH using CA mode with host key verification:
+	// LogFilePath is the path to write the logs to the user specified file.
+	LogFilePath string
 
-      $ vault ssh \
-          -mode=ca \
-          -role=my-role \
-          -host-key-mount-point=host-signer \
-          -host-key-hostnames=example.com \
-          user@example.com
+	// LogRotateDuration is the user specified time to rotate logs
+	LogRotateDuration time.Duration
 
-  For the full list of options and arguments, please see the documentation.
+	// LogRotateBytes is the user specified byte limit to rotate logs
+	LogRotateBytes int
 
-` + c.Flags().Help()
+	// LogRotateMaxFiles is the maximum number of past archived log files to keep
+	LogRotateMaxFiles int
 
-	return strings.TrimSpace(helpText)
+	// DefaultFileName should be set to the value to be used if the LogFilePath
+	// ends in a path separator such as '/var/log/'
+	// Examples of the default name are as follows: 'vault', 'agent' or 'proxy.
+	// The creator of this struct *must* ensure that it is assigned before doing
+	// anything with LogConfig!
+	DefaultFileName string
 }
 
-func (c *SSHCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
-
-	f := set.NewFlagSet("SSH Options")
-
-	// TODO: doc field?
-
-	// General
-	f.StringVar(&StringVar{
-		Name:       "mode",
-		Target:     &c.flagMode,
-		Default:    "",
-		EnvVar:     "",
-		Completion: complete.PredictSet("ca", "dynamic", "otp"),
-		Usage:      "Name of the authentication mode (ca, dynamic, otp).",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "role",
-		Target:     &c.flagRole,
-		Default:    "",
-		EnvVar:     "",
-		Completion: complete.PredictAnything,
-		Usage:      "Name of the role to use to generate the key.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:       "no-exec",
-		Target:     &c.flagNoExec,
-		Default:    false,
-		EnvVar:     "",
-		Completion: complete.PredictNothing,
-		Usage: "Print the generated credentials, but do not establish a " +
-			"connection.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "mount-point",
-		Target:     &c.flagMountPoint,
-		Default:    "ssh/",
-		EnvVar:     "",
-		Completion: complete.PredictAnything,
-		Usage:      "Mount point to the SSH secrets engine.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "strict-host-key-checking",
-		Target:     &c.flagStrictHostKeyChecking,
-		Default:    "ask",
-		EnvVar:     "VAULT_SSH_STRICT_HOST_KEY_CHECKING",
-		Completion: complete.PredictSet("ask", "no", "yes"),
-		Usage: "Value to use for the SSH configuration option " +
-			"\"StrictHostKeyChecking\".",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "user-known-hosts-file",
-		Target:     &c.flagUserKnownHostsFile,
-		Default:    "",
-		EnvVar:     "VAULT_SSH_USER_KNOWN_HOSTS_FILE",
-		Completion: complete.PredictFiles("*"),
-		Usage: "Value to use for the SSH configuration option " +
-			"\"UserKnownHostsFile\".",
-	})
-
-	// SSH CA
-	f = set.NewFlagSet("CA Mode Options")
-
-	f.StringVar(&StringVar{
-		Name:       "public-key-path",
-		Target:     &c.flagPublicKeyPath,
-		Default:    "~/.ssh/id_rsa.pub",
-		EnvVar:     "",
-		Completion: complete.PredictFiles("*"),
-		Usage:      "Path to the SSH public key to send to Vault for signing.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "private-key-path",
-		Target:     &c.flagPrivateKeyPath,
-		Default:    "~/.ssh/id_rsa",
-		EnvVar:     "",
-		Completion: complete.PredictFiles("*"),
-		Usage: "Path to the SSH private key to use for authentication. This must " +
-			"be the corresponding private key to -public-key-path.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "host-key-mount-point",
-		Target:     &c.flagHostKeyMountPoint,
-		Default:    "",
-		EnvVar:     "VAULT_SSH_HOST_KEY_MOUNT_POINT",
-		Completion: complete.PredictAnything,
-		Usage: "Mount point to the SSH secrets engine where host keys are signed. " +
-			"When given a value, Vault will generate a custom \"known_hosts\" file " +
-			"with delegation to the CA at the provided mount point to verify the " +
-			"SSH connection's host keys against the provided CA. By default, host " +
-			"keys are validated against the user's local \"known_hosts\" file. " +
-			"This flag forces strict key host checking and ignores a custom user " +
-			"known hosts file.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "host-key-hostnames",
-		Target:     &c.flagHostKeyHostnames,
-		Default:    "*",
-		EnvVar:     "VAULT_SSH_HOST_KEY_HOSTNAMES",
-		Completion: complete.PredictAnything,
-		Usage: "List of hostnames to delegate for the CA. The default value " +
-			"allows all domains and IPs. This is specified as a comma-separated " +
-			"list of values.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "valid-principals",
-		Target:     &c.flagValidPrincipals,
-		Default:    "",
-		EnvVar:     "",
-		Completion: complete.PredictAnything,
-		Usage: "List of valid principal names to include in the generated " +
-			"user certificate. This is specified as a comma-separated list of values.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "ssh-executable",
-		Target:     &c.flagSSHExecutable,
-		Default:    "ssh",
-		EnvVar:     "VAULT_SSH_EXECUTABLE",
-		Completion: complete.PredictAnything,
-		Usage:      "Path to the SSH executable to use when connecting to the host",
-	})
-
-	return set
-}
+// NewLogConfig should be used to initialize the LogConfig struct.
+func NewLogConfig(defaultFileName string) (*LogConfig, error) {
+	defaultFileName = strings.TrimSpace(defaultFileName)
+	if defaultFileName == "" {
+		return nil, errors.New("default file name is required")
+	}
 
-func (c *SSHCommand) AutocompleteArgs() complete.Predictor {
-	return nil
+	return &LogConfig{DefaultFileName: defaultFileName}, nil
 }
 
-func (c *SSHCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
+func (c *LogConfig) isLevelInvalid() bool {
+	return c.LogLevel == hclog.NoLevel || c.LogLevel == hclog.Off || c.LogLevel.String() == "unknown"
 }
 
-// Structure to hold the fields returned when asked for a credential from SSH
-// secrets engine.
-type SSHCredentialResp struct {
-	KeyType  string `mapstructure:"key_type"`
-	Key      string `mapstructure:"key"`
-	Username string `mapstructure:"username"`
-	IP       string `mapstructure:"ip"`
-	Port     string `mapstructure:"port"`
+func (c *LogConfig) isFormatJson() bool {
+	return c.LogFormat == JSONFormat
 }
 
-func (c *SSHCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args, DisableDisplayFlagWarning(true)); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	// Use homedir to expand any relative paths such as ~/.ssh
-	c.flagUserKnownHostsFile = expandPath(c.flagUserKnownHostsFile)
-	c.flagPublicKeyPath = expandPath(c.flagPublicKeyPath)
-	c.flagPrivateKeyPath = expandPath(c.flagPrivateKeyPath)
-
-	args = f.Args()
-	if len(args) < 1 {
-		c.UI.Error(fmt.Sprintf("Not enough arguments, (expected 1-n, got %d)", len(args)))
-		return 1
-	}
-
-	// Extract the hostname, username and port from the ssh command
-	hostname, username, port, err := c.parseSSHCommand(args)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error parsing the ssh command: %q", err))
-		return 1
+// Stringer implementation
+func (lf LogFormat) String() string {
+	switch lf {
+	case UnspecifiedFormat:
+		return "unspecified"
+	case StandardFormat:
+		return "standard"
+	case JSONFormat:
+		return "json"
 	}
 
-	// Use the current user if no user was specified in the ssh command
-	if username == "" {
-		u, err := user.Current()
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error getting the current user: %q", err))
-			return 1
-		}
-		username = u.Username
-	}
-
-	ip, err := c.resolveHostname(hostname)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error resolving the ssh hostname: %q", err))
-		return 1
-	}
-
-	// Set the client in the command
-	_, err = c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	// Credentials are generated only against a registered role. If user
-	// does not specify a role with the SSH command, then lookup API is used
-	// to fetch all the roles with which this IP is associated. If there is
-	// only one role associated with it, use it to establish the connection.
-	//
-	// TODO: remove in 0.9.0, convert to validation error
-	if c.flagRole == "" {
-		c.UI.Warn(wrapAtLength(
-			"WARNING: No -role specified. Use -role to tell Vault which ssh role " +
-				"to use for authentication. In the future, you will need to tell " +
-				"Vault which role to use. For now, Vault will attempt to guess based " +
-				"on the API response. This will be removed in the Vault 1.1."))
-
-		role, err := c.defaultRole(c.flagMountPoint, ip)
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error choosing role: %v", err))
-			return 1
-		}
-		// Print the default role chosen so that user knows the role name
-		// if something doesn't work. If the role chosen is not allowed to
-		// be used by the user (ACL enforcement), then user should see an
-		// error message accordingly.
-		c.UI.Output(fmt.Sprintf("Vault SSH: Role: %q", role))
-		c.flagRole = role
-	}
-
-	// If no mode was given, perform the old-school lookup. Keep this now for
-	// backwards-compatibility, but print a warning.
-	//
-	// TODO: remove in 0.9.0, convert to validation error
-	if c.flagMode == "" {
-		c.UI.Warn(wrapAtLength(
-			"WARNING: No -mode specified. Use -mode to tell Vault which ssh " +
-				"authentication mode to use. In the future, you will need to tell " +
-				"Vault which mode to use. For now, Vault will attempt to guess based " +
-				"on the API response. This guess involves creating a temporary " +
-				"credential, reading its type, and then revoking it. To reduce the " +
-				"number of API calls and surface area, specify -mode directly. This " +
-				"will be removed in Vault 1.1."))
-		secret, cred, err := c.generateCredential(username, ip)
-		if err != nil {
-			// This is _very_ hacky, but is the only sane backwards-compatible way
-			// to do this. If the error is "key type unknown", we just assume the
-			// type is "ca". In the future, mode will be required as an option.
-			if strings.Contains(err.Error(), "key type unknown") {
-				c.flagMode = ssh.KeyTypeCA
-			} else {
-				c.UI.Error(fmt.Sprintf("Error getting credential: %s", err))
-				return 1
-			}
-		} else {
-			c.flagMode = cred.KeyType
-		}
-
-		// Revoke the secret, since the child functions will generate their own
-		// credential. Users wishing to avoid this should specify -mode.
-		if secret != nil {
-			if err := c.client.Sys().Revoke(secret.LeaseID); err != nil {
-				c.UI.Warn(fmt.Sprintf("Failed to revoke temporary key: %s", err))
-			}
-		}
-	}
-
-	switch strings.ToLower(c.flagMode) {
-	case ssh.KeyTypeCA:
-		return c.handleTypeCA(username, ip, port, args)
-	case ssh.KeyTypeOTP:
-		return c.handleTypeOTP(username, ip, port, args)
-	case ssh.KeyTypeDynamic:
-		return c.handleTypeDynamic(username, ip, port, args)
-	default:
-		c.UI.Error(fmt.Sprintf("Unknown SSH mode: %s", c.flagMode))
-		return 1
-	}
+	// unreachable
+	return "unknown"
 }
 
-// handleTypeCA is used to handle SSH logins using the "CA" key type.
-func (c *SSHCommand) handleTypeCA(username, ip, port string, sshArgs []string) int {
-	// Read the key from disk
-	publicKey, err := ioutil.ReadFile(c.flagPublicKeyPath)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("failed to read public key %s: %s",
-			c.flagPublicKeyPath, err))
-		return 1
-	}
+// noErrorWriter is a wrapper to suppress errors when writing to w.
+type noErrorWriter struct {
+	w io.Writer
+}
 
-	sshClient := c.client.SSHWithMountPoint(c.flagMountPoint)
+func (w noErrorWriter) Write(p []byte) (n int, err error) {
+	_, _ = w.w.Write(p)
+	// We purposely return n == len(p) as if write was successful
+	return len(p), nil
+}
 
-	principals := username
-	if c.flagValidPrincipals != "" {
-		principals = c.flagValidPrincipals
-	}
+// parseFullPath takes a full path intended to be the location for log files and
+// breaks it down into a directory and a file name. It checks both of these for
+// the common globbing character '*' and returns an error if it is present.
+func parseFullPath(fullPath string) (directory, fileName string, err error) {
+	directory, fileName = filepath.Split(fullPath)
 
-	// Attempt to sign the public key
-	secret, err := sshClient.SignKey(c.flagRole, map[string]interface{}{
-		// WARNING: publicKey is []byte, which is b64 encoded on JSON upload. We
-		// have to convert it to a string. SV lost many hours to this...
-		"public_key":       string(publicKey),
-		"valid_principals": principals,
-		"cert_type":        "user",
-
-		// TODO: let the user configure these. In the interim, if users want to
-		// customize these values, they can produce the key themselves.
-		"extensions": map[string]string{
-			"permit-X11-forwarding":   "",
-			"permit-agent-forwarding": "",
-			"permit-port-forwarding":  "",
-			"permit-pty":              "",
-			"permit-user-rc":          "",
-		},
-	})
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("failed to sign public key %s: %s",
-			c.flagPublicKeyPath, err))
-		return 2
+	globChars := "*?["
+	if strings.ContainsAny(directory, globChars) {
+		err = multierror.Append(err, fmt.Errorf("directory contains glob character"))
 	}
-	if secret == nil || secret.Data == nil {
-		c.UI.Error("missing signed key")
-		return 2
+	if fileName == "" {
+		fileName = "vault.log"
+	} else if strings.ContainsAny(fileName, globChars) {
+		err = multierror.Append(err, fmt.Errorf("file name contains globbing character"))
 	}
 
-	// Handle no-exec
-	if c.flagNoExec {
-		if c.flagField != "" {
-			return PrintRawField(c.UI, secret, c.flagField)
-		}
-		return OutputSecret(c.UI, secret)
-	}
+	return directory, fileName, err
+}
 
-	// Extract public key
-	key, ok := secret.Data["signed_key"].(string)
-	if !ok || key == "" {
-		c.UI.Error("signed key is empty")
-		return 2
+// Setup creates a new logger with the specified configuration and writer
+func Setup(config *LogConfig, w io.Writer) (hclog.InterceptLogger, error) {
+	// Validate the log level
+	if config.isLevelInvalid() {
+		return nil, fmt.Errorf("invalid log level: %v", config.LogLevel)
 	}
 
-	// Capture the current value - this could be overwritten later if the user
-	// enabled host key signing verification.
-	userKnownHostsFile := c.flagUserKnownHostsFile
-	strictHostKeyChecking := c.flagStrictHostKeyChecking
+	// If out is os.Stdout and Vault is being run as a Windows Service, writes will
+	// fail silently, which may inadvertently prevent writes to other writers.
+	// noErrorWriter is used as a wrapper to suppress any errors when writing to out.
+	writers := []io.Writer{noErrorWriter{w: w}}
 
-	// Handle host key signing verification. If the user specified a mount point,
-	// download the public key, trust it with the given domains, and use that
-	// instead of the user's regular known_hosts file.
-	if c.flagHostKeyMountPoint != "" {
-		secret, err := c.client.Logical().Read(c.flagHostKeyMountPoint + "/config/ca")
+	// Create a file logger if the user has specified the path to the log file
+	if config.LogFilePath != "" {
+		dir, fileName, err := parseFullPath(config.LogFilePath)
 		if err != nil {
-			c.UI.Error(fmt.Sprintf("failed to get host signing key: %s", err))
-			return 2
+			return nil, err
 		}
-		if secret == nil || secret.Data == nil {
-			c.UI.Error("missing host signing key")
-			return 2
+		if fileName == "" {
+			fileName = fmt.Sprintf("%s.log", config.DefaultFileName)
 		}
-		publicKey, ok := secret.Data["public_key"].(string)
-		if !ok || publicKey == "" {
-			c.UI.Error("host signing key is empty")
-			return 2
+		if config.LogRotateDuration == 0 {
+			config.LogRotateDuration = defaultRotateDuration
 		}
 
-		// Write the known_hosts file
-		name := fmt.Sprintf("vault_ssh_ca_known_hosts_%s_%s", username, ip)
-		data := fmt.Sprintf("@cert-authority %s %s", c.flagHostKeyHostnames, publicKey)
-		knownHosts, err, closer := c.writeTemporaryFile(name, []byte(data), 0o644)
-		defer closer()
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("failed to write host public key: %s", err))
-			return 1
+		logFile := &LogFile{
+			fileName:         fileName,
+			logPath:          dir,
+			duration:         config.LogRotateDuration,
+			maxBytes:         config.LogRotateBytes,
+			maxArchivedFiles: config.LogRotateMaxFiles,
 		}
-
-		// Update the variables
-		userKnownHostsFile = knownHosts
-		strictHostKeyChecking = "yes"
-	}
-
-	// Write the signed public key to disk
-	name := fmt.Sprintf("vault_ssh_ca_%s_%s", username, ip)
-	signedPublicKeyPath, err, closer := c.writeTemporaryKey(name, []byte(key))
-	defer closer()
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("failed to write signed public key: %s", err))
-		return 2
-	}
-
-	args := []string{
-		"-i", c.flagPrivateKeyPath,
-		"-i", signedPublicKeyPath,
-		"-o StrictHostKeyChecking=" + strictHostKeyChecking,
-	}
-
-	if userKnownHostsFile != "" {
-		args = append(args,
-			"-o UserKnownHostsFile="+userKnownHostsFile,
-		)
-	}
-
-	// Add extra user defined ssh arguments
-	args = append(args, sshArgs...)
-
-	cmd := exec.Command(c.flagSSHExecutable, args...)
-	cmd.Stdin = os.Stdin
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	err = cmd.Run()
-	if err != nil {
-		exitCode := 2
-
-		if exitError, ok := err.(*exec.ExitError); ok {
-			if exitError.Success() {
-				return 0
-			}
-			if ws, ok := exitError.Sys().(syscall.WaitStatus); ok {
-				exitCode = ws.ExitStatus()
-			}
+		if err := logFile.pruneFiles(); err != nil {
+			return nil, fmt.Errorf("failed to prune log files: %w", err)
 		}
-
-		c.UI.Error(fmt.Sprintf("failed to run ssh command: %s", err))
-		return exitCode
-	}
-
-	// There is no secret to revoke, since it's a certificate signing
-	return 0
-}
-
-// handleTypeOTP is used to handle SSH logins using the "otp" key type.
-func (c *SSHCommand) handleTypeOTP(username, ip, port string, sshArgs []string) int {
-	secret, cred, err := c.generateCredential(username, ip)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("failed to generate credential: %s", err))
-		return 2
-	}
-
-	// Handle no-exec
-	if c.flagNoExec {
-		if c.flagField != "" {
-			return PrintRawField(c.UI, secret, c.flagField)
-		}
-		return OutputSecret(c.UI, secret)
-	}
-
-	var cmd *exec.Cmd
-
-	// Check if the application 'sshpass' is installed in the client machine. If
-	// it is then, use it to automate typing in OTP to the prompt. Unfortunately,
-	// it was not possible to automate it without a third-party application, with
-	// only the Go libraries. Feel free to try and remove this dependency.
-	args := make([]string, 0)
-	env := os.Environ()
-	sshCmd := c.flagSSHExecutable
-
-	sshpassPath, err := exec.LookPath("sshpass")
-	if err != nil {
-		// No sshpass available so using normal ssh client
-		c.UI.Warn(wrapAtLength(
-			"Vault could not locate \"sshpass\". The OTP code for the session is " +
-				"displayed below. Enter this code in the SSH password prompt. If you " +
-				"install sshpass, Vault can automatically perform this step for you."))
-		c.UI.Output("OTP for the session is: " + cred.Key)
-	} else {
-		// sshpass is available so lets use it instead
-		sshCmd = sshpassPath
-		args = append(args,
-			"-e", // Read password for SSHPASS environment variable
-			c.flagSSHExecutable,
-		)
-		env = append(env, fmt.Sprintf("SSHPASS=%s", string(cred.Key)))
-	}
-
-	// Only harcode the knownhostsfile path if it has been set
-	if c.flagUserKnownHostsFile != "" {
-		args = append(args,
-			"-o UserKnownHostsFile="+c.flagUserKnownHostsFile,
-		)
-	}
-
-	// If a port wasn't specified in the ssh arguments lets use the port we got back from vault
-	if port == "" {
-		args = append(args, "-p", cred.Port)
-	}
-
-	args = append(args,
-		"-o StrictHostKeyChecking="+c.flagStrictHostKeyChecking,
-	)
-
-	// Add the rest of the ssh args appended by the user
-	args = append(args, sshArgs...)
-
-	cmd = exec.Command(sshCmd, args...)
-	cmd.Env = env
-
-	cmd.Stdin = os.Stdin
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	err = cmd.Run()
-	if err != nil {
-		exitCode := 2
-
-		if exitError, ok := err.(*exec.ExitError); ok {
-			if exitError.Success() {
-				return 0
-			}
-			if ws, ok := exitError.Sys().(syscall.WaitStatus); ok {
-				exitCode = ws.ExitStatus()
-			}
-		}
-
-		c.UI.Error(fmt.Sprintf("failed to run ssh command: %s", err))
-		return exitCode
-	}
-
-	// Revoke the key if it's longer than expected
-	if err := c.client.Sys().Revoke(secret.LeaseID); err != nil {
-		c.UI.Error(fmt.Sprintf("failed to revoke key: %s", err))
-		return 2
-	}
-
-	return 0
-}
-
-// handleTypeDynamic is used to handle SSH logins using the "dyanmic" key type.
-func (c *SSHCommand) handleTypeDynamic(username, ip, port string, sshArgs []string) int {
-	// Generate the credential
-	secret, cred, err := c.generateCredential(username, ip)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("failed to generate credential: %s", err))
-		return 2
-	}
-
-	// Handle no-exec
-	if c.flagNoExec {
-		if c.flagField != "" {
-			return PrintRawField(c.UI, secret, c.flagField)
+		if err := logFile.openNew(); err != nil {
+			return nil, fmt.Errorf("failed to setup logging: %w", err)
 		}
-		return OutputSecret(c.UI, secret)
-	}
-
-	// Write the dynamic key to disk
-	name := fmt.Sprintf("vault_ssh_dynamic_%s_%s", username, ip)
-	keyPath, err, closer := c.writeTemporaryKey(name, []byte(cred.Key))
-	defer closer()
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("failed to write dynamic key: %s", err))
-		return 1
-	}
-
-	args := make([]string, 0)
-	// If a port wasn't specified in the ssh arguments lets use the port we got back from vault
-	if port == "" {
-		args = append(args, "-p", cred.Port)
-	}
-
-	args = append(args,
-		"-i", keyPath,
-		"-o UserKnownHostsFile="+c.flagUserKnownHostsFile,
-		"-o StrictHostKeyChecking="+c.flagStrictHostKeyChecking,
-	)
-
-	// Add extra user defined ssh arguments
-	args = append(args, sshArgs...)
-
-	cmd := exec.Command(c.flagSSHExecutable, args...)
-	cmd.Stdin = os.Stdin
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	err = cmd.Run()
-	if err != nil {
-		exitCode := 2
-
-		if exitError, ok := err.(*exec.ExitError); ok {
-			if exitError.Success() {
-				return 0
-			}
-			if ws, ok := exitError.Sys().(syscall.WaitStatus); ok {
-				exitCode = ws.ExitStatus()
-			}
-		}
-
-		c.UI.Error(fmt.Sprintf("failed to run ssh command: %s", err))
-		return exitCode
-	}
-
-	// Revoke the key if it's longer than expected
-	if err := c.client.Sys().Revoke(secret.LeaseID); err != nil {
-		c.UI.Error(fmt.Sprintf("failed to revoke key: %s", err))
-		return 2
+		writers = append(writers, logFile)
 	}
 
-	return 0
-}
-
-// generateCredential generates a credential for the given role and returns the
-// decoded secret data.
-func (c *SSHCommand) generateCredential(username, ip string) (*api.Secret, *SSHCredentialResp, error) {
-	sshClient := c.client.SSHWithMountPoint(c.flagMountPoint)
-
-	// Attempt to generate the credential.
-	secret, err := sshClient.Credential(c.flagRole, map[string]interface{}{
-		"username": username,
-		"ip":       ip,
+	logger := hclog.NewInterceptLogger(&hclog.LoggerOptions{
+		Name:              config.Name,
+		Level:             config.LogLevel,
+		IndependentLevels: true,
+		Output:            io.MultiWriter(writers...),
+		JSONFormat:        config.isFormatJson(),
 	})
-	if err != nil {
-		return nil, nil, errors.Wrap(err, "failed to get credentials")
-	}
-	if secret == nil || secret.Data == nil {
-		return nil, nil, fmt.Errorf("vault returned empty credentials")
-	}
-
-	// Port comes back as a json.Number which mapstructure doesn't like, so
-	// convert it
-	if d, ok := secret.Data["port"].(json.Number); ok {
-		secret.Data["port"] = d.String()
-	}
-
-	// Use mapstructure to decode the response
-	var resp SSHCredentialResp
-	if err := mapstructure.Decode(secret.Data, &resp); err != nil {
-		return nil, nil, errors.Wrap(err, "failed to decode credential")
-	}
-
-	// Check for an empty key response
-	if len(resp.Key) == 0 {
-		return nil, nil, fmt.Errorf("vault returned an invalid key")
-	}
-
-	return secret, &resp, nil
-}
-
-// writeTemporaryFile writes a file to a temp location with the given data and
-// file permissions.
-func (c *SSHCommand) writeTemporaryFile(name string, data []byte, perms os.FileMode) (string, error, func() error) {
-	// default closer to prevent panic
-	closer := func() error { return nil }
-
-	f, err := ioutil.TempFile("", name)
-	if err != nil {
-		return "", errors.Wrap(err, "creating temporary file"), closer
-	}
-
-	closer = func() error { return os.Remove(f.Name()) }
-
-	if err := ioutil.WriteFile(f.Name(), data, perms); err != nil {
-		return "", errors.Wrap(err, "writing temporary key"), closer
-	}
-
-	if err := f.Close(); err != nil {
-		return "", errors.Wrap(err, "closing temporary key"), closer
-	}
-
-	return f.Name(), nil, closer
-}
-
-// writeTemporaryKey writes the key to a temporary file and returns the path.
-// The caller should defer the closer to cleanup the key.
-func (c *SSHCommand) writeTemporaryKey(name string, data []byte) (string, error, func() error) {
-	return c.writeTemporaryFile(name, data, 0o600)
-}
-
-// If user did not provide the role with which SSH connection has
-// to be established and if there is only one role associated with
-// the IP, it is used by default.
-func (c *SSHCommand) defaultRole(mountPoint, ip string) (string, error) {
-	data := map[string]interface{}{
-		"ip": ip,
-	}
-	secret, err := c.client.Logical().Write(mountPoint+"/lookup", data)
-	if err != nil {
-		return "", fmt.Errorf("error finding roles for IP %q: %w", ip, err)
-	}
-	if secret == nil || secret.Data == nil {
-		return "", fmt.Errorf("error finding roles for IP %q: %w", ip, err)
-	}
-
-	if secret.Data["roles"] == nil {
-		return "", fmt.Errorf("no matching roles found for IP %q", ip)
-	}
 
-	if len(secret.Data["roles"].([]interface{})) == 1 {
-		return secret.Data["roles"].([]interface{})[0].(string), nil
-	} else {
-		var roleNames string
-		for _, item := range secret.Data["roles"].([]interface{}) {
-			roleNames += item.(string) + ", "
-		}
-		roleNames = strings.TrimRight(roleNames, ", ")
-		return "", fmt.Errorf("Roles: %q. "+`
-			Multiple roles are registered for this IP.
-			Select a role using '-role' option.
-			Note that all roles may not be permitted, based on ACLs.`, roleNames)
-	}
+	return logger, nil
 }
 
-func (c *SSHCommand) isSingleSSHArg(arg string) bool {
-	// list of single SSH arguments is taken from
-	// https://github.com/openssh/openssh-portable/blob/28013759f09ed3ebf7e8335e83a62936bd7a7f47/ssh.c#L204
-	singleArgs := []string{
-		"4", "6", "A", "a", "C", "f", "G", "g", "K", "k", "M", "N", "n", "q",
-		"s", "T", "t", "V", "v", "X", "x", "Y", "y",
+// ParseLogFormat parses the log format from the provided string.
+func ParseLogFormat(format string) (LogFormat, error) {
+	switch strings.ToLower(strings.TrimSpace(format)) {
+	case "":
+		return UnspecifiedFormat, nil
+	case "standard":
+		return StandardFormat, nil
+	case "json":
+		return JSONFormat, nil
+	default:
+		return UnspecifiedFormat, fmt.Errorf("unknown log format: %s", format)
+	}
+}
+
+// ParseLogLevel returns the hclog.Level that corresponds with the provided level string.
+// This differs hclog.LevelFromString in that it supports additional level strings.
+func ParseLogLevel(logLevel string) (hclog.Level, error) {
+	var result hclog.Level
+	logLevel = strings.ToLower(strings.TrimSpace(logLevel))
+
+	switch logLevel {
+	case "trace":
+		result = hclog.Trace
+	case "debug":
+		result = hclog.Debug
+	case "notice", "info", "":
+		result = hclog.Info
+	case "warn", "warning":
+		result = hclog.Warn
+	case "err", "error":
+		result = hclog.Error
+	default:
+		return -1, errors.New(fmt.Sprintf("unknown log level: %s", logLevel))
 	}
 
-	// We want to get the first character after the dash. This is so args like -vvv are picked up as just being -v
-	flag := string(arg[1])
-
-	for _, a := range singleArgs {
-		if flag == a {
-			return true
-		}
-	}
-	return false
+	return result, nil
 }
 
-// Finds the hostname, username (optional) and port (optional) from any valid ssh command
-// Supports usrname@hostname but also specifying valid ssh flags like -o User=username,
-// -o Port=2222 and -p 2222 anywhere in the command
-func (c *SSHCommand) parseSSHCommand(args []string) (hostname string, username string, port string, err error) {
-	lastArg := ""
-	for _, i := range args {
-		arg := lastArg
-		lastArg = ""
-
-		// If -p has been specified then this is our ssh port
-		if arg == "-p" {
-			port = i
-			continue
-		}
+// TranslateLoggerLevel returns the string that corresponds with logging level of the hclog.Logger.
+func TranslateLoggerLevel(logger hclog.Logger) (string, error) {
+	logLevel := logger.GetLevel()
 
-		// this is an ssh option, lets see if User or Port have been set and use it
-		if arg == "-o" {
-			split := strings.Split(i, "=")
-			key := split[0]
-			// Incase the value contains = signs we want to get all of them
-			value := strings.Join(split[1:], " ")
-
-			if key == "User" {
-				// Don't overwrite the user if it is already set by username@hostname
-				// This matches the behaviour for how regular ssh reponds when both are specified
-				if username == "" {
-					username = value
-				}
-			}
-
-			if key == "Port" {
-				// Don't overwrite the port if it is already set by -p
-				// This matches the behaviour for how regular ssh reponds when both are specified
-				if port == "" {
-					port = value
-				}
-			}
-			continue
-		}
-
-		// This isn't an ssh argument that we care about. Lets keep on parsing the command
-		if arg != "" {
-			continue
-		}
-
-		// If this is an ssh argument with a value we want to look at it in the next loop
-		if strings.HasPrefix(i, "-") {
-			// If this isn't a single SSH arg we want to store the flag to we can look at the value next loop
-			if !c.isSingleSSHArg(i) {
-				lastArg = i
-			}
-			continue
-		}
-
-		// If we have gotten this far it means this is a bare argument
-		// The first bare argument is the hostname
-		// The second bare argument is the command to run on the remote host
-
-		// If the hostname hasn't been set yet than it means we have found the first bare argument
-		if hostname == "" {
-			if strings.Contains(i, "@") {
-				split := strings.Split(i, "@")
-				username = split[0]
-				hostname = split[1]
-			} else {
-				hostname = i
-			}
-			continue
-		} else {
-			// The second bare argument is the command to run on the remote host.
-			// We need to break out and stop parsing arguments now
-			break
-		}
-
-	}
-	if hostname == "" {
-		return "", "", "", errors.Wrap(
-			err,
-			fmt.Sprintf("failed to find a hostname in ssh command %q", strings.Join(args, " ")),
-		)
-	}
-	return hostname, username, port, nil
-}
-
-func (c *SSHCommand) resolveHostname(hostname string) (ip string, err error) {
-	// Resolving domain names to IP address on the client side.
-	// Vault only deals with IP addresses.
-	ipAddr, err := net.ResolveIPAddr("ip", hostname)
-	if err != nil {
-		return "", errors.Wrap(err, "failed to resolve IP address")
+	switch logLevel {
+	case hclog.Trace, hclog.Debug, hclog.Info, hclog.Warn, hclog.Error:
+		return logLevel.String(), nil
+	default:
+		return "", fmt.Errorf("unknown log level")
 	}
-	ip = ipAddr.String()
-	return ip, nil
 }
diff --git a/command/ssh_test.go b/command/ssh_test.go
index 32f16f79e6e5..c5f7ec50d9bc 100644
--- a/command/ssh_test.go
+++ b/command/ssh_test.go
@@ -1,235 +1,285 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package logging
 
 import (
-	"strings"
+	"bytes"
+	"encoding/json"
+	"errors"
+	"os"
+	"path/filepath"
 	"testing"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/go-hclog"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
-func testSSHCommand(tb testing.TB) (*cli.MockUi, *SSHCommand) {
-	tb.Helper()
+func TestLogger_SetupBasic(t *testing.T) {
+	cfg := newTestLogConfig(t)
+	cfg.LogLevel = hclog.Info
 
-	ui := cli.NewMockUi()
-	return ui, &SSHCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
+	logger, err := Setup(cfg, nil)
+	require.NoError(t, err)
+	require.NotNil(t, logger)
+	require.Equal(t, logger.Name(), "test-system")
+	require.True(t, logger.IsInfo())
+}
+
+func TestLogger_SetupInvalidLogLevel(t *testing.T) {
+	cfg := newTestLogConfig(t)
+
+	_, err := Setup(cfg, nil)
+	assert.Containsf(t, err.Error(), "invalid log level", "expected error %s", err)
+}
+
+func TestLogger_SetupLoggerErrorLevel(t *testing.T) {
+	cfg := newTestLogConfig(t)
+	cfg.LogLevel = hclog.Error
+
+	var buf bytes.Buffer
+
+	logger, err := Setup(cfg, &buf)
+	require.NoError(t, err)
+	require.NotNil(t, logger)
+
+	logger.Error("test error msg")
+	logger.Info("test info msg")
+
+	output := buf.String()
+
+	require.Contains(t, output, "[ERROR] test-system: test error msg")
+	require.NotContains(t, output, "[INFO] test-system: test info msg")
+}
+
+func TestLogger_SetupLoggerDebugLevel(t *testing.T) {
+	cfg := newTestLogConfig(t)
+	cfg.LogLevel = hclog.Debug
+	var buf bytes.Buffer
+
+	logger, err := Setup(cfg, &buf)
+	require.NoError(t, err)
+	require.NotNil(t, logger)
+
+	logger.Info("test info msg")
+	logger.Debug("test debug msg")
+
+	output := buf.String()
+
+	require.Contains(t, output, "[INFO]  test-system: test info msg")
+	require.Contains(t, output, "[DEBUG] test-system: test debug msg")
 }
 
-func TestSSHCommand_Run(t *testing.T) {
-	t.Parallel()
-	t.Skip("Need a way to setup target infrastructure")
+func TestLogger_SetupLoggerWithoutName(t *testing.T) {
+	cfg := newTestLogConfig(t)
+	cfg.Name = ""
+	cfg.LogLevel = hclog.Info
+	var buf bytes.Buffer
+
+	logger, err := Setup(cfg, &buf)
+	require.NoError(t, err)
+	require.NotNil(t, logger)
+
+	logger.Warn("test warn msg")
+
+	require.Contains(t, buf.String(), "[WARN]  test warn msg")
+}
+
+func TestLogger_SetupLoggerWithJSON(t *testing.T) {
+	cfg := newTestLogConfig(t)
+	cfg.LogLevel = hclog.Debug
+	cfg.LogFormat = JSONFormat
+	var buf bytes.Buffer
+
+	logger, err := Setup(cfg, &buf)
+	require.NoError(t, err)
+	require.NotNil(t, logger)
+
+	logger.Warn("test warn msg")
+
+	var jsonOutput map[string]string
+	err = json.Unmarshal(buf.Bytes(), &jsonOutput)
+	require.NoError(t, err)
+	require.Contains(t, jsonOutput, "@level")
+	require.Equal(t, jsonOutput["@level"], "warn")
+	require.Contains(t, jsonOutput, "@message")
+	require.Equal(t, jsonOutput["@message"], "test warn msg")
 }
 
-func TestParseSSHCommand(t *testing.T) {
-	t.Parallel()
-
-	_, cmd := testSSHCommand(t)
-	tests := []struct {
-		name     string
-		args     []string
-		hostname string
-		username string
-		port     string
-		err      error
+func TestLogger_SetupLoggerWithValidLogPathMissingFileName(t *testing.T) {
+	tmpDir := t.TempDir()
+	cfg := newTestLogConfig(t)
+	cfg.LogLevel = hclog.Info
+	cfg.LogFilePath = tmpDir + "/" // add the trailing slash to the temp dir
+	var buf bytes.Buffer
+
+	logger, err := Setup(cfg, &buf)
+	require.NoError(t, err)
+	require.NotNil(t, logger)
+
+	logger.Info("juan?")
+
+	m, err := filepath.Glob(cfg.LogFilePath + "*")
+	require.NoError(t, err)
+	require.Truef(t, len(m) == 1, "no files were found")
+}
+
+func TestLogger_SetupLoggerWithValidLogPathFileName(t *testing.T) {
+	tmpDir := t.TempDir()
+	cfg := newTestLogConfig(t)
+	cfg.LogLevel = hclog.Info
+	cfg.LogFilePath = filepath.Join(tmpDir, "juan.log")
+	var buf bytes.Buffer
+
+	logger, err := Setup(cfg, &buf)
+	require.NoError(t, err)
+	require.NotNil(t, logger)
+
+	logger.Info("juan?")
+	f, err := os.Stat(cfg.LogFilePath)
+	require.NoError(t, err)
+	require.NotNil(t, f)
+}
+
+func TestLogger_SetupLoggerWithValidLogPathFileNameRotate(t *testing.T) {
+	tmpDir := t.TempDir()
+	cfg := newTestLogConfig(t)
+	cfg.LogLevel = hclog.Info
+	cfg.LogFilePath = filepath.Join(tmpDir, "juan.log")
+	cfg.LogRotateBytes = 1 // set a tiny number of bytes to force rotation
+	var buf bytes.Buffer
+
+	logger, err := Setup(cfg, &buf)
+	require.NoError(t, err)
+	require.NotNil(t, logger)
+
+	logger.Info("juan?")
+	logger.Info("john?")
+	f, err := os.Stat(cfg.LogFilePath)
+	require.NoError(t, err)
+	require.NotNil(t, f)
+	m, err := filepath.Glob(tmpDir + "/juan-*") // look for juan-{timestamp}.log
+	require.NoError(t, err)
+	require.Truef(t, len(m) == 1, "no files were found")
+}
+
+func TestLogger_SetupLoggerWithValidLogPath(t *testing.T) {
+	tmpDir := t.TempDir()
+	cfg := newTestLogConfig(t)
+	cfg.LogLevel = hclog.Info
+	cfg.LogFilePath = tmpDir + "/" // add the trailing slash to the temp dir
+	var buf bytes.Buffer
+
+	logger, err := Setup(cfg, &buf)
+	require.NoError(t, err)
+	require.NotNil(t, logger)
+}
+
+func TestLogger_SetupLoggerWithInValidLogPath(t *testing.T) {
+	cfg := newTestLogConfig(t)
+	cfg.LogLevel = hclog.Info
+	cfg.LogLevel = hclog.Info
+	cfg.LogFilePath = "nonexistentdir/"
+	var buf bytes.Buffer
+
+	logger, err := Setup(cfg, &buf)
+	require.Error(t, err)
+	require.True(t, errors.Is(err, os.ErrNotExist))
+	require.Nil(t, logger)
+}
+
+func TestLogger_SetupLoggerWithInValidLogPathPermission(t *testing.T) {
+	tmpDir := "/tmp/" + t.Name()
+
+	err := os.Mkdir(tmpDir, 0o000)
+	assert.NoError(t, err, "unexpected error testing with invalid log path permission")
+	defer os.RemoveAll(tmpDir)
+
+	cfg := newTestLogConfig(t)
+	cfg.LogLevel = hclog.Info
+	cfg.LogFilePath = tmpDir + "/"
+	var buf bytes.Buffer
+
+	logger, err := Setup(cfg, &buf)
+	require.Error(t, err)
+	require.True(t, errors.Is(err, os.ErrPermission))
+	require.Nil(t, logger)
+}
+
+func TestLogger_SetupLoggerWithInvalidLogFilePath(t *testing.T) {
+	cases := map[string]struct {
+		path    string
+		message string
 	}{
-		{
-			"Parse just a hostname",
-			[]string{
-				"hostname",
-			},
-			"hostname",
-			"",
-			"",
-			nil,
-		},
-		{
-			"Parse the standard username@hostname",
-			[]string{
-				"username@hostname",
-			},
-			"hostname",
-			"username",
-			"",
-			nil,
+		"file name *": {
+			path:    "/this/isnt/ok/juan*.log",
+			message: "file name contains globbing character",
 		},
-		{
-			"Parse the username out of -o User=username",
-			[]string{
-				"-o", "User=username",
-				"hostname",
-			},
-			"hostname",
-			"username",
-			"",
-			nil,
+		"file name ?": {
+			path:    "/this/isnt/ok/juan?.log",
+			message: "file name contains globbing character",
 		},
-		{
-			"If the username is specified with -o User=username and realname@hostname prefer realname@",
-			[]string{
-				"-o", "User=username",
-				"realname@hostname",
-			},
-			"hostname",
-			"realname",
-			"",
-			nil,
+		"file name [": {
+			path:    "/this/isnt/ok/[juan].log",
+			message: "file name contains globbing character",
 		},
-		{
-			"Parse the port out of -o Port=2222",
-			[]string{
-				"-o", "Port=2222",
-				"hostname",
-			},
-			"hostname",
-			"",
-			"2222",
-			nil,
+		"directory path *": {
+			path:    "/this/isnt/ok/*/qwerty.log",
+			message: "directory contains glob character",
 		},
-		{
-			"Parse the port out of -p 2222",
-			[]string{
-				"-p", "2222",
-				"hostname",
-			},
-			"hostname",
-			"",
-			"2222",
-			nil,
+		"directory path ?": {
+			path:    "/this/isnt/ok/?/qwerty.log",
+			message: "directory contains glob character",
 		},
-		{
-			"If port is defined with -o Port=2222 and -p 2244 prefer -p",
-			[]string{
-				"-p", "2244",
-				"-o", "Port=2222",
-				"hostname",
-			},
-			"hostname",
-			"",
-			"2244",
-			nil,
-		},
-		{
-			"Ssh args with a command",
-			[]string{
-				"hostname",
-				"command",
-			},
-			"hostname",
-			"",
-			"",
-			nil,
-		},
-		{
-			"Flags after the ssh command are not passed because they are part of the command",
-			[]string{
-				"username@hostname",
-				"command",
-				"-p 22",
-			},
-			"hostname",
-			"username",
-			"",
-			nil,
-		},
-		{
-			"Allow single args which don't have a value",
-			[]string{
-				"-v",
-				"hostname",
-			},
-			"hostname",
-			"",
-			"",
-			nil,
-		},
-		{
-			"Allow single args before and after the hostname and command",
-			[]string{
-				"-v",
-				"hostname",
-				"-v",
-				"command",
-				"-v",
-			},
-			"hostname",
-			"",
-			"",
-			nil,
+		"directory path [": {
+			path:    "/this/isnt/ok/[foo]/qwerty.log",
+			message: "directory contains glob character",
 		},
 	}
 
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			hostname, username, port, err := cmd.parseSSHCommand(test.args)
-			if err != test.err {
-				t.Errorf("got error: %q want %q", err, test.err)
-			}
-			if hostname != test.hostname {
-				t.Errorf("got hostname: %q want %q", hostname, test.hostname)
-			}
-			if username != test.username {
-				t.Errorf("got username: %q want %q", username, test.username)
-			}
-			if port != test.port {
-				t.Errorf("got port: %q want %q", port, test.port)
-			}
-		})
+	for name, tc := range cases {
+		name := name
+		tc := tc
+		cfg := newTestLogConfig(t)
+		cfg.LogLevel = hclog.Info
+		cfg.LogFilePath = tc.path
+
+		_, err := Setup(cfg, &bytes.Buffer{})
+		assert.Error(t, err, "%s: expected error due to *", name)
+		assert.Contains(t, err.Error(), tc.message, "%s: error message does not match: %s", name, err.Error())
 	}
 }
 
-func TestIsSingleSSHArg(t *testing.T) {
-	t.Parallel()
+func TestLogger_ChangeLogLevels(t *testing.T) {
+	cfg := newTestLogConfig(t)
+	cfg.LogLevel = hclog.Debug
+	var buf bytes.Buffer
 
-	_, cmd := testSSHCommand(t)
-	tests := []struct {
-		name string
-		arg  string
-		want bool
-	}{
-		{
-			"-v is a single ssh arg",
-			"-v",
-			true,
-		},
-		{
-			"-o is NOT a single ssh arg",
-			"-o",
-			false,
-		},
-		{
-			"Repeated args like -vvv is still a single ssh arg",
-			"-vvv",
-			true,
-		},
-	}
+	logger, err := Setup(cfg, &buf)
+	require.NoError(t, err)
+	require.NotNil(t, logger)
 
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			got := cmd.isSingleSSHArg(test.arg)
-			if got != test.want {
-				t.Errorf("arg %q got %v want %v", test.arg, got, test.want)
-			}
-		})
-	}
-}
+	assert.Equal(t, hclog.Debug, logger.GetLevel())
 
-// TestSSHCommandOmitFlagWarning checks if flags warning messages are printed
-// in the output of the CLI command or not. If so, it will fail.
-func TestSSHCommandOmitFlagWarning(t *testing.T) {
-	t.Parallel()
+	// Create new named loggers from the base logger and change the levels
+	logger2 := logger.Named("test2")
+	logger3 := logger.Named("test3")
 
-	ui, cmd := testSSHCommand(t)
+	logger2.SetLevel(hclog.Info)
+	logger3.SetLevel(hclog.Error)
 
-	_ = cmd.Run([]string{"-mode", "ca", "-role", "otp_key_role", "user@1.2.3.4", "-extraFlag", "bug"})
+	assert.Equal(t, hclog.Debug, logger.GetLevel())
+	assert.Equal(t, hclog.Info, logger2.GetLevel())
+	assert.Equal(t, hclog.Error, logger3.GetLevel())
+}
 
-	combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-	if strings.Contains(combined, "Command flags must be provided before positional arguments. The following arguments will not be parsed as flags") {
-		t.Fatalf("ssh command displayed flag warnings")
-	}
+func newTestLogConfig(t *testing.T) *LogConfig {
+	t.Helper()
+
+	cfg, err := NewLogConfig("test")
+	require.NoError(t, err)
+	cfg.Name = "test-system"
+
+	return cfg
 }
diff --git a/command/status.go b/command/status.go
index 5a979e7c7780..6ef1daa7a694 100644
--- a/command/status.go
+++ b/command/status.go
@@ -1,99 +1,586 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package http
 
 import (
+	"bufio"
+	"encoding/base64"
+	"encoding/json"
 	"fmt"
+	"io"
+	"mime"
+	"net"
+	"net/http"
+	"strconv"
 	"strings"
+	"time"
 
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
+	"github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/vault"
+	"go.uber.org/atomic"
 )
 
-var (
-	_ cli.Command             = (*StatusCommand)(nil)
-	_ cli.CommandAutocomplete = (*StatusCommand)(nil)
-)
+// bufferedReader can be used to replace a request body with a buffered
+// version. The Close method invokes the original Closer.
+type bufferedReader struct {
+	*bufio.Reader
+	rOrig io.ReadCloser
+}
+
+func newBufferedReader(r io.ReadCloser) *bufferedReader {
+	return &bufferedReader{
+		Reader: bufio.NewReader(r),
+		rOrig:  r,
+	}
+}
 
-type StatusCommand struct {
-	*BaseCommand
+func (b *bufferedReader) Close() error {
+	return b.rOrig.Close()
 }
 
-func (c *StatusCommand) Synopsis() string {
-	return "Print seal and HA status"
+const MergePatchContentTypeHeader = "application/merge-patch+json"
+
+func buildLogicalRequestNoAuth(perfStandby bool, ra *vault.RouterAccess, w http.ResponseWriter, r *http.Request) (*logical.Request, io.ReadCloser, int, error) {
+	ns, err := namespace.FromContext(r.Context())
+	if err != nil {
+		return nil, nil, http.StatusBadRequest, nil
+	}
+	path := ns.TrimmedPath(r.URL.Path[len("/v1/"):])
+
+	var data map[string]interface{}
+	var origBody io.ReadCloser
+	var passHTTPReq bool
+	var responseWriter http.ResponseWriter
+
+	// Determine the operation
+	var op logical.Operation
+	switch r.Method {
+	case "DELETE":
+		op = logical.DeleteOperation
+		data = parseQuery(r.URL.Query())
+	case "GET":
+		op = logical.ReadOperation
+		queryVals := r.URL.Query()
+		var list bool
+		var err error
+		listStr := queryVals.Get("list")
+		if listStr != "" {
+			list, err = strconv.ParseBool(listStr)
+			if err != nil {
+				return nil, nil, http.StatusBadRequest, nil
+			}
+			if list {
+				queryVals.Del("list")
+				op = logical.ListOperation
+				if !strings.HasSuffix(path, "/") {
+					path += "/"
+				}
+			}
+		}
+
+		data = parseQuery(queryVals)
+
+		switch {
+		case strings.HasPrefix(path, "sys/pprof/"):
+			passHTTPReq = true
+			responseWriter = w
+		case path == "sys/storage/raft/snapshot":
+			responseWriter = w
+		case path == "sys/internal/counters/activity/export":
+			responseWriter = w
+		case path == "sys/monitor":
+			passHTTPReq = true
+			responseWriter = w
+		}
+
+	case "POST", "PUT":
+		op = logical.UpdateOperation
+
+		// Buffer the request body in order to allow us to peek at the beginning
+		// without consuming it. This approach involves no copying.
+		bufferedBody := newBufferedReader(r.Body)
+		r.Body = bufferedBody
+
+		// If we are uploading a snapshot or receiving an ocsp-request (which
+		// is der encoded) we don't want to parse it. Instead, we will simply
+		// add the HTTP request to the logical request object for later consumption.
+		contentType := r.Header.Get("Content-Type")
+
+		if ra != nil && ra.IsBinaryPath(r.Context(), path) {
+			passHTTPReq = true
+			origBody = r.Body
+		} else if path == "sys/storage/raft/snapshot" || path == "sys/storage/raft/snapshot-force" {
+			passHTTPReq = true
+			origBody = r.Body
+		} else {
+			// Sample the first bytes to determine whether this should be parsed as
+			// a form or as JSON. The amount to look ahead (512 bytes) is arbitrary
+			// but extremely tolerant (i.e. allowing 511 bytes of leading whitespace
+			// and an incorrect content-type).
+			head, err := bufferedBody.Peek(512)
+			if err != nil && err != bufio.ErrBufferFull && err != io.EOF {
+				status := http.StatusBadRequest
+				logical.AdjustErrorStatusCode(&status, err)
+				return nil, nil, status, fmt.Errorf("error reading data")
+			}
+
+			if isForm(head, contentType) {
+				formData, err := parseFormRequest(r)
+				if err != nil {
+					status := http.StatusBadRequest
+					logical.AdjustErrorStatusCode(&status, err)
+					return nil, nil, status, fmt.Errorf("error parsing form data")
+				}
+
+				data = formData
+			} else {
+				origBody, err = parseJSONRequest(perfStandby, r, w, &data)
+				if err == io.EOF {
+					data = nil
+					err = nil
+				}
+				if err != nil {
+					status := http.StatusBadRequest
+					logical.AdjustErrorStatusCode(&status, err)
+					return nil, nil, status, fmt.Errorf("error parsing JSON")
+				}
+			}
+		}
+
+	case "PATCH":
+		op = logical.PatchOperation
+
+		contentTypeHeader := r.Header.Get("Content-Type")
+		contentType, _, err := mime.ParseMediaType(contentTypeHeader)
+		if err != nil {
+			status := http.StatusBadRequest
+			logical.AdjustErrorStatusCode(&status, err)
+			return nil, nil, status, err
+		}
+
+		if contentType != MergePatchContentTypeHeader {
+			return nil, nil, http.StatusUnsupportedMediaType, fmt.Errorf("PATCH requires Content-Type of %s, provided %s", MergePatchContentTypeHeader, contentType)
+		}
+
+		origBody, err = parseJSONRequest(perfStandby, r, w, &data)
+
+		if err == io.EOF {
+			data = nil
+			err = nil
+		}
+
+		if err != nil {
+			status := http.StatusBadRequest
+			logical.AdjustErrorStatusCode(&status, err)
+			return nil, nil, status, fmt.Errorf("error parsing JSON")
+		}
+
+	case "LIST":
+		op = logical.ListOperation
+		if !strings.HasSuffix(path, "/") {
+			path += "/"
+		}
+
+		data = parseQuery(r.URL.Query())
+	case "HEAD":
+		op = logical.HeaderOperation
+		data = parseQuery(r.URL.Query())
+	case "OPTIONS":
+	default:
+		return nil, nil, http.StatusMethodNotAllowed, nil
+	}
+
+	requestId, err := uuid.GenerateUUID()
+	if err != nil {
+		return nil, nil, http.StatusInternalServerError, fmt.Errorf("failed to generate identifier for the request: %w", err)
+	}
+
+	req := &logical.Request{
+		ID:         requestId,
+		Operation:  op,
+		Path:       path,
+		Data:       data,
+		Connection: getConnection(r),
+		Headers:    r.Header,
+	}
+
+	if passHTTPReq {
+		req.HTTPRequest = r
+	}
+	if responseWriter != nil {
+		req.ResponseWriter = logical.NewHTTPResponseWriter(responseWriter)
+	}
+
+	return req, origBody, 0, nil
+}
+
+func buildLogicalPath(r *http.Request) (string, int, error) {
+	ns, err := namespace.FromContext(r.Context())
+	if err != nil {
+		return "", http.StatusBadRequest, nil
+	}
+
+	path := ns.TrimmedPath(strings.TrimPrefix(r.URL.Path, "/v1/"))
+
+	switch r.Method {
+	case "GET":
+		var (
+			list bool
+			err  error
+		)
+
+		queryVals := r.URL.Query()
+
+		listStr := queryVals.Get("list")
+		if listStr != "" {
+			list, err = strconv.ParseBool(listStr)
+			if err != nil {
+				return "", http.StatusBadRequest, nil
+			}
+			if list {
+				if !strings.HasSuffix(path, "/") {
+					path += "/"
+				}
+			}
+		}
+
+	case "LIST":
+		if !strings.HasSuffix(path, "/") {
+			path += "/"
+		}
+	}
+
+	return path, 0, nil
 }
 
-func (c *StatusCommand) Help() string {
-	helpText := `
-Usage: vault status [options]
+func buildLogicalRequest(core *vault.Core, w http.ResponseWriter, r *http.Request, chrootNamespace string) (*logical.Request, io.ReadCloser, int, error) {
+	req, origBody, status, err := buildLogicalRequestNoAuth(core.PerfStandby(), core.RouterAccess(), w, r)
+	if err != nil || status != 0 {
+		return nil, nil, status, err
+	}
+	req.ChrootNamespace = chrootNamespace
+
+	req.SetRequiredState(r.Header.Values(VaultIndexHeaderName))
+	requestAuth(r, req)
+
+	req, err = requestWrapInfo(r, req)
+	if err != nil {
+		return nil, nil, http.StatusBadRequest, fmt.Errorf("error parsing X-Vault-Wrap-TTL header: %w", err)
+	}
 
-  Prints the current state of Vault including whether it is sealed and if HA
-  mode is enabled. This command prints regardless of whether the Vault is
-  sealed.
+	err = parseMFAHeader(req)
+	if err != nil {
+		return nil, nil, http.StatusBadRequest, fmt.Errorf("failed to parse X-Vault-MFA header: %w", err)
+	}
 
-  The exit code reflects the seal status:
+	err = requestPolicyOverride(r, req)
+	if err != nil {
+		return nil, nil, http.StatusBadRequest, fmt.Errorf("failed to parse %s header: %w", PolicyOverrideHeaderName, err)
+	}
 
-      - 0 - unsealed
-      - 1 - error
-      - 2 - sealed
+	return req, origBody, 0, nil
+}
 
-` + c.Flags().Help()
+// handleLogical returns a handler for processing logical requests. These requests
+// may or may not end up getting forwarded under certain scenarios if the node
+// is a performance standby. Some of these cases include:
+//   - Perf standby and token with limited use count.
+//   - Perf standby and token re-validation needed (e.g. due to invalid token).
+//   - Perf standby and control group error.
+func handleLogical(core *vault.Core, chrootNamespace string) http.Handler {
+	return handleLogicalInternal(core, false, false, chrootNamespace)
+}
 
-	return strings.TrimSpace(helpText)
+// handleLogicalWithInjector returns a handler for processing logical requests
+// that also have their logical response data injected at the top-level payload.
+// All forwarding behavior remains the same as `handleLogical`.
+func handleLogicalWithInjector(core *vault.Core, chrootNamespace string) http.Handler {
+	return handleLogicalInternal(core, true, false, chrootNamespace)
 }
 
-func (c *StatusCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+// handleLogicalNoForward returns a handler for processing logical local-only
+// requests. These types of requests never forwarded, and return an
+// `vault.ErrCannotForwardLocalOnly` error if attempted to do so.
+func handleLogicalNoForward(core *vault.Core, chrootNamespace string) http.Handler {
+	return handleLogicalInternal(core, false, true, chrootNamespace)
 }
 
-func (c *StatusCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictNothing
+func handleLogicalRecovery(raw *vault.RawBackend, token *atomic.String) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		req, _, statusCode, err := buildLogicalRequestNoAuth(false, nil, w, r)
+		if err != nil || statusCode != 0 {
+			respondError(w, statusCode, err)
+			return
+		}
+		reqToken := r.Header.Get(consts.AuthHeaderName)
+		if reqToken == "" || token.Load() == "" || reqToken != token.Load() {
+			respondError(w, http.StatusForbidden, nil)
+			return
+		}
+
+		resp, err := raw.HandleRequest(r.Context(), req)
+		if respondErrorCommon(w, req, resp, err) {
+			return
+		}
+
+		var httpResp *logical.HTTPResponse
+		if resp != nil {
+			httpResp = logical.LogicalResponseToHTTPResponse(resp)
+			httpResp.RequestID = req.ID
+		}
+		respondOk(w, httpResp)
+	})
 }
 
-func (c *StatusCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
+// handleLogicalInternal is a common helper that returns a handler for
+// processing logical requests. The behavior depends on the various boolean
+// toggles. Refer to usage on functions for possible behaviors.
+func handleLogicalInternal(core *vault.Core, injectDataIntoTopLevel bool, noForward bool, chrootNamespace string) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		req, origBody, statusCode, err := buildLogicalRequest(core, w, r, chrootNamespace)
+		if err != nil || statusCode != 0 {
+			respondError(w, statusCode, err)
+			return
+		}
+
+		// Websockets need to be handled at HTTP layer instead of logical requests.
+		ns, err := namespace.FromContext(r.Context())
+		if err != nil {
+			respondError(w, http.StatusInternalServerError, err)
+			return
+		}
+		nsPath := ns.Path
+		if ns.ID == namespace.RootNamespaceID {
+			nsPath = ""
+		}
+		if strings.HasPrefix(r.URL.Path, fmt.Sprintf("/v1/%ssys/events/subscribe/", nsPath)) {
+			handler := handleEventsSubscribe(core, req)
+			handler.ServeHTTP(w, r)
+			return
+		}
+		handler := handleEntPaths(nsPath, core, r)
+		if handler != nil {
+			handler.ServeHTTP(w, r)
+			return
+		}
+
+		// Make the internal request. We attach the connection info
+		// as well in case this is an authentication request that requires
+		// it. Vault core handles stripping this if we need to. This also
+		// handles all error cases; if we hit respondLogical, the request is a
+		// success.
+		resp, ok, needsForward := request(core, w, r, req)
+		switch {
+		case needsForward && noForward:
+			respondError(w, http.StatusBadRequest, vault.ErrCannotForwardLocalOnly)
+			return
+		case needsForward && !noForward:
+			if origBody != nil {
+				r.Body = origBody
+			}
+			forwardRequest(core, w, r)
+			return
+		case !ok:
+			// If not ok, we simply return. The call on request should have
+			// taken care of setting the appropriate response code and payload
+			// in this case.
+			return
+		default:
+			// Build and return the proper response if everything is fine.
+			respondLogical(core, w, r, req, resp, injectDataIntoTopLevel)
+			return
+		}
+	})
 }
 
-func (c *StatusCommand) Run(args []string) int {
-	f := c.Flags()
+func respondLogical(core *vault.Core, w http.ResponseWriter, r *http.Request, req *logical.Request, resp *logical.Response, injectDataIntoTopLevel bool) {
+	var httpResp *logical.HTTPResponse
+	var ret interface{}
 
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
+	// If vault's core has already written to the response writer do not add any
+	// additional output. Headers have already been sent.
+	if req != nil && req.ResponseWriter != nil && req.ResponseWriter.Written() {
+		return
 	}
 
-	args = f.Args()
-	if len(args) > 0 {
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(args)))
-		return 1
+	if resp != nil {
+		if resp.Redirect != "" {
+			// If we have a redirect, redirect! We use a 307 code
+			// because we don't actually know if its permanent.
+			http.Redirect(w, r, resp.Redirect, 307)
+			return
+		}
+
+		// Check if this is a raw response
+		if _, ok := resp.Data[logical.HTTPStatusCode]; ok {
+			respondRaw(w, r, resp)
+			return
+		}
+
+		if resp.WrapInfo != nil && resp.WrapInfo.Token != "" {
+			httpResp = &logical.HTTPResponse{
+				WrapInfo: &logical.HTTPWrapInfo{
+					Token:           resp.WrapInfo.Token,
+					Accessor:        resp.WrapInfo.Accessor,
+					TTL:             int(resp.WrapInfo.TTL.Seconds()),
+					CreationTime:    resp.WrapInfo.CreationTime.Format(time.RFC3339Nano),
+					CreationPath:    resp.WrapInfo.CreationPath,
+					WrappedAccessor: resp.WrapInfo.WrappedAccessor,
+				},
+			}
+		} else {
+			httpResp = logical.LogicalResponseToHTTPResponse(resp)
+			httpResp.RequestID = req.ID
+		}
+
+		ret = httpResp
+
+		if injectDataIntoTopLevel {
+			injector := logical.HTTPSysInjector{
+				Response: httpResp,
+			}
+			ret = injector
+		}
 	}
 
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		// We return 2 everywhere else, but 2 is reserved for "sealed" here
-		return 1
+	entAdjustResponse(core, w, req)
+
+	// Respond
+	respondOk(w, ret)
+	return
+}
+
+// respondRaw is used when the response is using HTTPContentType and HTTPRawBody
+// to change the default response handling. This is only used for specific things like
+// returning the CRL information on the PKI backends.
+func respondRaw(w http.ResponseWriter, r *http.Request, resp *logical.Response) {
+	retErr := func(w http.ResponseWriter, err string) {
+		w.Header().Set("X-Vault-Raw-Error", err)
+		w.WriteHeader(http.StatusInternalServerError)
+		w.Write(nil)
 	}
 
-	// Always query in the root namespace.
-	// Although seal-status is present in other namespaces, it will not
-	// be available until Vault is unsealed.
-	client.SetNamespace("")
+	// Ensure this is never a secret or auth response
+	if resp.Secret != nil || resp.Auth != nil {
+		retErr(w, "raw responses cannot contain secrets or auth")
+		return
+	}
 
-	status, err := client.Sys().SealStatus()
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error checking seal status: %s", err))
-		return 1
+	// Get the status code
+	statusRaw, ok := resp.Data[logical.HTTPStatusCode]
+	if !ok {
+		retErr(w, "no status code given")
+		return
+	}
+
+	var status int
+	switch statusRaw.(type) {
+	case int:
+		status = statusRaw.(int)
+	case float64:
+		status = int(statusRaw.(float64))
+	case json.Number:
+		s64, err := statusRaw.(json.Number).Float64()
+		if err != nil {
+			retErr(w, "cannot decode status code")
+			return
+		}
+		status = int(s64)
+	default:
+		retErr(w, "cannot decode status code")
+		return
+	}
+
+	nonEmpty := status != http.StatusNoContent
+
+	var contentType string
+	var body []byte
+
+	// Get the content type header; don't require it if the body is empty
+	contentTypeRaw, ok := resp.Data[logical.HTTPContentType]
+	if !ok && nonEmpty {
+		retErr(w, "no content type given")
+		return
+	}
+	if ok {
+		contentType, ok = contentTypeRaw.(string)
+		if !ok {
+			retErr(w, "cannot decode content type")
+			return
+		}
+	}
+
+	if nonEmpty {
+		// Get the body
+		bodyRaw, ok := resp.Data[logical.HTTPRawBody]
+		if !ok {
+			goto WRITE_RESPONSE
+		}
+
+		switch bodyRaw.(type) {
+		case string:
+			// This is best effort. The value may already be base64-decoded so
+			// if it doesn't work we just use as-is
+			bodyDec, err := base64.StdEncoding.DecodeString(bodyRaw.(string))
+			if err == nil {
+				body = bodyDec
+			} else {
+				body = []byte(bodyRaw.(string))
+			}
+		case []byte:
+			body = bodyRaw.([]byte)
+		default:
+			retErr(w, "cannot decode body")
+			return
+		}
 	}
 
-	// Do not return the int here yet, since we may want to return a custom error
-	// code depending on the seal status.
-	code := OutputSealStatus(c.UI, client, status)
+WRITE_RESPONSE:
+	// Write the response
+	if contentType != "" {
+		w.Header().Set("Content-Type", contentType)
+	}
 
-	if status.Sealed {
-		return 2
+	if cacheControl, ok := resp.Data[logical.HTTPCacheControlHeader].(string); ok {
+		w.Header().Set("Cache-Control", cacheControl)
 	}
 
-	return code
+	if pragma, ok := resp.Data[logical.HTTPPragmaHeader].(string); ok {
+		w.Header().Set("Pragma", pragma)
+	}
+
+	if wwwAuthn, ok := resp.Data[logical.HTTPWWWAuthenticateHeader].(string); ok {
+		w.Header().Set("WWW-Authenticate", wwwAuthn)
+	}
+
+	w.WriteHeader(status)
+	w.Write(body)
+}
+
+// getConnection is used to format the connection information for
+// attaching to a logical request
+func getConnection(r *http.Request) (connection *logical.Connection) {
+	var remoteAddr string
+	var remotePort int
+
+	remoteAddr, port, err := net.SplitHostPort(r.RemoteAddr)
+	if err != nil {
+		remoteAddr = ""
+	} else {
+		remotePort, err = strconv.Atoi(port)
+		if err != nil {
+			remotePort = 0
+		}
+	}
+
+	connection = &logical.Connection{
+		RemoteAddr: remoteAddr,
+		RemotePort: remotePort,
+		ConnState:  r.TLS,
+	}
+	return
 }
diff --git a/command/status_test.go b/command/status_test.go
index b423edb6840a..bd5c93e22742 100644
--- a/command/status_test.go
+++ b/command/status_test.go
@@ -1,118 +1,6464 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package vault
 
 import (
+	"context"
+	"crypto/sha256"
+	"crypto/sha512"
+	"encoding/base64"
+	"encoding/hex"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"hash"
+	"math/rand"
+	"net/http"
+	"path"
+	"path/filepath"
+	"runtime"
+	"sort"
+	"strconv"
 	"strings"
-	"testing"
+	"time"
+	"unicode"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/errwrap"
+	log "github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/go-memdb"
+	"github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/go-secure-stdlib/parseutil"
+	"github.com/hashicorp/go-secure-stdlib/strutil"
+	semver "github.com/hashicorp/go-version"
+	"github.com/hashicorp/vault/helper/experiments"
+	"github.com/hashicorp/vault/helper/hostutil"
+	"github.com/hashicorp/vault/helper/identity"
+	"github.com/hashicorp/vault/helper/locking"
+	"github.com/hashicorp/vault/helper/logging"
+	"github.com/hashicorp/vault/helper/metricsutil"
+	"github.com/hashicorp/vault/helper/monitor"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/helper/random"
+	"github.com/hashicorp/vault/helper/versions"
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/helper/jsonutil"
+	"github.com/hashicorp/vault/sdk/helper/pluginruntimeutil"
+	"github.com/hashicorp/vault/sdk/helper/pluginutil"
+	"github.com/hashicorp/vault/sdk/helper/roottoken"
+	"github.com/hashicorp/vault/sdk/helper/wrapping"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/version"
+	"github.com/mitchellh/mapstructure"
+	"golang.org/x/crypto/sha3"
 )
 
-func testStatusCommand(tb testing.TB) (*cli.MockUi, *StatusCommand) {
-	tb.Helper()
+const (
+	maxBytes    = 128 * 1024
+	globalScope = "global"
+)
 
-	ui := cli.NewMockUi()
-	return ui, &StatusCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
+func systemBackendMemDBSchema() *memdb.DBSchema {
+	systemSchema := &memdb.DBSchema{
+		Tables: make(map[string]*memdb.TableSchema),
+	}
+
+	schemas := getSystemSchemas()
+
+	for _, schemaFunc := range schemas {
+		schema := schemaFunc()
+		if _, ok := systemSchema.Tables[schema.Name]; ok {
+			panic(fmt.Sprintf("duplicate table name: %s", schema.Name))
+		}
+		systemSchema.Tables[schema.Name] = schema
 	}
+
+	return systemSchema
+}
+
+type PolicyMFABackend struct {
+	*MFABackend
 }
 
-func TestStatusCommand_Run(t *testing.T) {
-	t.Parallel()
+func NewSystemBackend(core *Core, logger log.Logger, config *logical.BackendConfig) *SystemBackend {
+	db, _ := memdb.NewMemDB(systemBackendMemDBSchema())
+
+	syncBackend := NewSecretsSyncBackend(core, logger)
+	if err := syncBackend.Setup(core.activeContext, config); err != nil {
+		return nil
+	}
+
+	b := &SystemBackend{
+		Core:        core,
+		db:          db,
+		logger:      logger,
+		mfaBackend:  NewPolicyMFABackend(core, logger),
+		syncBackend: syncBackend,
+	}
+
+	b.Backend = &framework.Backend{
+		RunningVersion: versions.DefaultBuiltinVersion,
+		Help:           strings.TrimSpace(sysHelpRoot),
+
+		PathsSpecial: &logical.Paths{
+			Root: []string{
+				"auth/*",
+				"remount",
+				"audit",
+				"audit/*",
+				"raw",
+				"raw/*",
+				"replication/primary/secondary-token",
+				"replication/performance/primary/secondary-token",
+				"replication/dr/primary/secondary-token",
+				"replication/reindex",
+				"replication/dr/reindex",
+				"replication/performance/reindex",
+				"rotate",
+				"config/cors",
+				"config/auditing/*",
+				"config/ui/headers/*",
+				"plugins/catalog/*",
+				"plugins/runtimes/catalog/*",
+				"revoke-prefix/*",
+				"revoke-force/*",
+				"leases/revoke-prefix/*",
+				"leases/revoke-force/*",
+				"leases/lookup/*",
+				"storage/raft/snapshot-auto/config/*",
+				"leases",
+				"internal/inspect/*",
+				// sys/seal and sys/step-down actually have their sudo requirement enforced through hardcoding
+				// PolicyCheckOpts.RootPrivsRequired in dedicated calls to Core.performPolicyChecks, but we still need
+				// to declare them here so that the generated OpenAPI spec gets their sudo status correct.
+				"seal",
+				"step-down",
+			},
+
+			Unauthenticated: []string{
+				"wrapping/lookup",
+				"wrapping/pubkey",
+				"replication/status",
+				"internal/specs/openapi",
+				"internal/ui/mounts",
+				"internal/ui/mounts/*",
+				"internal/ui/namespaces",
+				"replication/performance/status",
+				"replication/dr/status",
+				"replication/dr/secondary/promote",
+				"replication/dr/secondary/disable",
+				"replication/dr/secondary/recover",
+				"replication/dr/secondary/update-primary",
+				"replication/dr/secondary/operation-token/delete",
+				"replication/dr/secondary/license",
+				"replication/dr/secondary/license/signed",
+				"replication/dr/secondary/license/status",
+				"replication/dr/secondary/sys/config/reload/license",
+				"replication/dr/secondary/reindex",
+				"storage/raft/bootstrap/challenge",
+				"storage/raft/bootstrap/answer",
+				"init",
+				"seal-status",
+				"unseal",
+				"leader",
+				"health",
+				"generate-root/attempt",
+				"generate-root/update",
+				"decode-token",
+				"rekey/init",
+				"rekey/update",
+				"rekey/verify",
+				"rekey-recovery-key/init",
+				"rekey-recovery-key/update",
+				"rekey-recovery-key/verify",
+				"mfa/validate",
+			},
 
-	cases := []struct {
-		name   string
-		args   []string
-		sealed bool
-		out    string
-		code   int
-	}{
-		{
-			"unsealed",
-			nil,
-			false,
-			"Sealed          false",
-			0,
+			LocalStorage: []string{
+				expirationSubPath,
+				countersSubPath,
+			},
+
+			SealWrapStorage: []string{
+				managedKeyRegistrySubPath,
+			},
 		},
-		{
-			"sealed",
-			nil,
-			true,
-			"Sealed             true",
-			2,
+	}
+
+	b.Backend.Paths = append(b.Backend.Paths, entPaths(b)...)
+	b.Backend.Paths = append(b.Backend.Paths, b.configPaths()...)
+	b.Backend.Paths = append(b.Backend.Paths, b.rekeyPaths()...)
+	b.Backend.Paths = append(b.Backend.Paths, b.sealPaths()...)
+	b.Backend.Paths = append(b.Backend.Paths, b.statusPaths()...)
+	b.Backend.Paths = append(b.Backend.Paths, b.pluginsCatalogListPaths()...)
+	b.Backend.Paths = append(b.Backend.Paths, b.pluginsCatalogCRUDPath())
+	b.Backend.Paths = append(b.Backend.Paths, b.pluginsReloadPath())
+	b.Backend.Paths = append(b.Backend.Paths, b.pluginsRuntimesCatalogCRUDPath())
+	b.Backend.Paths = append(b.Backend.Paths, b.pluginsRuntimesCatalogListPaths()...)
+	b.Backend.Paths = append(b.Backend.Paths, b.auditPaths()...)
+	b.Backend.Paths = append(b.Backend.Paths, b.mountPaths()...)
+	b.Backend.Paths = append(b.Backend.Paths, b.authPaths()...)
+	b.Backend.Paths = append(b.Backend.Paths, b.lockedUserPaths()...)
+	b.Backend.Paths = append(b.Backend.Paths, b.leasePaths()...)
+	b.Backend.Paths = append(b.Backend.Paths, b.policyPaths()...)
+	b.Backend.Paths = append(b.Backend.Paths, b.wrappingPaths()...)
+	b.Backend.Paths = append(b.Backend.Paths, b.toolsPaths()...)
+	b.Backend.Paths = append(b.Backend.Paths, b.capabilitiesPaths()...)
+	b.Backend.Paths = append(b.Backend.Paths, b.internalPaths()...)
+	b.Backend.Paths = append(b.Backend.Paths, b.pprofPaths()...)
+	b.Backend.Paths = append(b.Backend.Paths, b.remountPaths()...)
+	b.Backend.Paths = append(b.Backend.Paths, b.metricsPath())
+	b.Backend.Paths = append(b.Backend.Paths, b.monitorPath())
+	b.Backend.Paths = append(b.Backend.Paths, b.inFlightRequestPath())
+	b.Backend.Paths = append(b.Backend.Paths, b.hostInfoPath())
+	b.Backend.Paths = append(b.Backend.Paths, b.quotasPaths()...)
+	b.Backend.Paths = append(b.Backend.Paths, b.rootActivityPaths()...)
+	b.Backend.Paths = append(b.Backend.Paths, b.loginMFAPaths()...)
+	b.Backend.Paths = append(b.Backend.Paths, b.experimentPaths()...)
+	b.Backend.Paths = append(b.Backend.Paths, b.introspectionPaths()...)
+
+	if core.rawEnabled {
+		b.Backend.Paths = append(b.Backend.Paths, b.rawPaths()...)
+	}
+	if backend := core.getRaftBackend(); backend != nil {
+		b.Backend.Paths = append(b.Backend.Paths, b.raftStoragePaths()...)
+	}
+
+	// If the node is in a DR secondary cluster, gate some raft operations by
+	// the DR operation token.
+	if core.IsDRSecondary() {
+		b.Backend.PathsSpecial.Unauthenticated = append(b.Backend.PathsSpecial.Unauthenticated, "storage/raft/autopilot/configuration")
+		b.Backend.PathsSpecial.Unauthenticated = append(b.Backend.PathsSpecial.Unauthenticated, "storage/raft/autopilot/state")
+		b.Backend.PathsSpecial.Unauthenticated = append(b.Backend.PathsSpecial.Unauthenticated, "storage/raft/configuration")
+		b.Backend.PathsSpecial.Unauthenticated = append(b.Backend.PathsSpecial.Unauthenticated, "storage/raft/remove-peer")
+	}
+
+	b.Backend.Invalidate = sysInvalidate(b)
+	b.Backend.InitializeFunc = sysInitialize(b)
+	b.Backend.Clean = sysClean(b)
+	return b
+}
+
+func (b *SystemBackend) rawPaths() []*framework.Path {
+	r := &RawBackend{
+		barrier: b.Core.barrier,
+		logger:  b.logger,
+		checkRaw: func(path string) error {
+			return checkRaw(b, path)
 		},
-		{
-			"args",
-			[]string{"foo"},
-			false,
-			"Too many arguments",
-			1,
+	}
+	return rawPaths("", r)
+}
+
+// SystemBackend implements logical.Backend and is used to interact with
+// the core of the system. This backend is hardcoded to exist at the "sys"
+// prefix. Conceptually it is similar to procfs on Linux.
+type SystemBackend struct {
+	*framework.Backend
+	Core        *Core
+	db          *memdb.MemDB
+	logger      log.Logger
+	mfaBackend  *PolicyMFABackend
+	syncBackend *SecretsSyncBackend
+}
+
+// handleConfigStateSanitized returns the current configuration state. The configuration
+// data that it returns is a sanitized version of the combined configuration
+// file(s) provided.
+func (b *SystemBackend) handleConfigStateSanitized(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	config := b.Core.SanitizedConfig()
+	resp := &logical.Response{
+		Data: config,
+	}
+	return resp, nil
+}
+
+// handleConfigReload handles reloading specific pieces of the configuration.
+func (b *SystemBackend) handleConfigReload(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	subsystem := data.Get("subsystem").(string)
+
+	switch subsystem {
+	case "license":
+		return handleLicenseReload(b)(ctx, req, data)
+	}
+
+	return nil, logical.ErrUnsupportedPath
+}
+
+// handleCORSRead returns the current CORS configuration
+func (b *SystemBackend) handleCORSRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	corsConf := b.Core.corsConfig
+
+	enabled := corsConf.IsEnabled()
+
+	resp := &logical.Response{
+		Data: map[string]interface{}{
+			"enabled": enabled,
 		},
 	}
 
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
+	if enabled {
+		corsConf.RLock()
+		resp.Data["allowed_origins"] = corsConf.AllowedOrigins
+		resp.Data["allowed_headers"] = corsConf.AllowedHeaders
+		corsConf.RUnlock()
+	}
 
-		for _, tc := range cases {
-			tc := tc
+	return resp, nil
+}
 
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
+// handleCORSUpdate sets the list of origins that are allowed to make
+// cross-origin requests and sets the CORS enabled flag to true
+func (b *SystemBackend) handleCORSUpdate(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	origins := d.Get("allowed_origins").([]string)
+	headers := d.Get("allowed_headers").([]string)
 
-				client, closer := testVaultServer(t)
-				defer closer()
+	return nil, b.Core.corsConfig.Enable(ctx, origins, headers)
+}
 
-				if tc.sealed {
-					if err := client.Sys().Seal(); err != nil {
-						t.Fatal(err)
-					}
-				}
+// handleCORSDelete sets the CORS enabled flag to false and clears the list of
+// allowed origins & headers.
+func (b *SystemBackend) handleCORSDelete(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	return nil, b.Core.corsConfig.Disable(ctx)
+}
 
-				ui, cmd := testStatusCommand(t)
-				cmd.client = client
+func (b *SystemBackend) handleTidyLeases(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
 
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
+	go func() {
+		tidyCtx := namespace.ContextWithNamespace(b.Core.activeContext, ns)
+		err := b.Core.expiration.Tidy(tidyCtx)
+		if err != nil {
+			b.Backend.Logger().Error("failed to tidy leases", "error", err)
+			return
+		}
+	}()
 
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
+	resp := &logical.Response{}
+	resp.AddWarning("Tidy operation successfully started. Any information from the operation will be printed to Vault's server logs.")
+	return logical.RespondWithStatusCode(resp, req, http.StatusAccepted)
+}
+
+func (b *SystemBackend) handleLeaseCount(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	typeRaw, ok := d.GetOk("type")
+	if !ok || strings.ToLower(typeRaw.(string)) != "irrevocable" {
+		return nil, nil
+	}
+
+	includeChildNamespacesRaw, ok := d.GetOk("include_child_namespaces")
+	includeChildNamespaces := ok && includeChildNamespacesRaw.(bool)
+
+	resp, err := b.Core.expiration.getIrrevocableLeaseCounts(ctx, includeChildNamespaces)
+	if err != nil {
+		return nil, err
+	}
+
+	return &logical.Response{
+		Data: resp,
+	}, nil
+}
+
+func processLimit(d *framework.FieldData) (bool, int, error) {
+	limitStr := ""
+	limitRaw, ok := d.GetOk("limit")
+	if ok {
+		limitStr = limitRaw.(string)
+	}
+
+	includeAll := false
+	maxResults := MaxIrrevocableLeasesToReturn
+	if limitStr == "" {
+		// use the defaults
+	} else if strings.ToLower(limitStr) == "none" {
+		includeAll = true
+	} else {
+		// not having a valid, positive int here is an error
+		limit, err := strconv.Atoi(limitStr)
+		if err != nil {
+			return false, 0, fmt.Errorf("invalid 'limit' provided: %w", err)
 		}
-	})
 
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
+		if limit < 1 {
+			return false, 0, fmt.Errorf("limit must be 'none' or a positive integer")
+		}
+
+		maxResults = limit
+	}
+
+	return includeAll, maxResults, nil
+}
+
+func (b *SystemBackend) handleLeaseList(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	typeRaw, ok := d.GetOk("type")
+	if !ok || strings.ToLower(typeRaw.(string)) != "irrevocable" {
+		return nil, nil
+	}
+
+	includeChildNamespacesRaw, ok := d.GetOk("include_child_namespaces")
+	includeChildNamespaces := ok && includeChildNamespacesRaw.(bool)
+
+	includeAll, maxResults, err := processLimit(d)
+	if err != nil {
+		return nil, err
+	}
+
+	leases, warning, err := b.Core.expiration.listIrrevocableLeases(ctx, includeChildNamespaces, includeAll, maxResults)
+	if err != nil {
+		return nil, err
+	}
+
+	resp := &logical.Response{
+		Data: leases,
+	}
+	if warning != "" {
+		resp.AddWarning(warning)
+	}
+
+	return resp, nil
+}
+
+func (b *SystemBackend) handlePluginCatalogTypedList(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	pluginType, err := consts.ParsePluginType(d.Get("type").(string))
+	if err != nil {
+		return nil, err
+	}
+
+	plugins, err := b.Core.pluginCatalog.List(ctx, pluginType)
+	if err != nil {
+		return nil, err
+	}
+	sort.Strings(plugins)
+	return logical.ListResponse(plugins), nil
+}
+
+func (b *SystemBackend) handlePluginCatalogUntypedList(ctx context.Context, _ *logical.Request, _ *framework.FieldData) (*logical.Response, error) {
+	data := make(map[string]interface{})
+	var versionedPlugins []pluginutil.VersionedPlugin
+	for _, pluginType := range consts.PluginTypes {
+		plugins, err := b.Core.pluginCatalog.List(ctx, pluginType)
+		if err != nil {
+			return nil, err
+		}
+		if len(plugins) > 0 {
+			sort.Strings(plugins)
+			data[pluginType.String()] = plugins
+		}
+
+		versioned, err := b.Core.pluginCatalog.ListVersionedPlugins(ctx, pluginType)
+		if err != nil {
+			return nil, err
+		}
 
-		client, closer := testVaultServerBad(t)
-		defer closer()
+		// Sort for consistent ordering
+		sortVersionedPlugins(versioned)
 
-		ui, cmd := testStatusCommand(t)
-		cmd.client = client
+		versionedPlugins = append(versionedPlugins, versioned...)
+	}
 
-		code := cmd.Run([]string{})
-		if exp := 1; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
+	if len(versionedPlugins) != 0 {
+		// Audit logging uses reflection to HMAC the values of all fields in the
+		// response recursively, which panics if it comes across any unexported
+		// fields. Therefore, we have to rebuild the VersionedPlugin struct as
+		// a map of primitive types to avoid the panic that would happen when
+		// audit logging tries to HMAC the contents of the SemanticVersion field.
+		var detailed []map[string]any
+		for _, p := range versionedPlugins {
+			entry := map[string]any{
+				"type":    p.Type,
+				"name":    p.Name,
+				"version": p.Version,
+				"builtin": p.Builtin,
+			}
+			if p.OCIImage != "" {
+				entry["oci_image"] = p.OCIImage
+			}
+			if p.Runtime != "" {
+				entry["runtime"] = p.Runtime
+			}
+			if p.SHA256 != "" {
+				entry["sha256"] = p.SHA256
+			}
+			if p.DeprecationStatus != "" {
+				entry["deprecation_status"] = p.DeprecationStatus
+			}
+			detailed = append(detailed, entry)
 		}
+		data["detailed"] = detailed
+	}
+
+	return &logical.Response{
+		Data: data,
+	}, nil
+}
 
-		expected := "Error checking seal status: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
+func sortVersionedPlugins(versionedPlugins []pluginutil.VersionedPlugin) {
+	sort.SliceStable(versionedPlugins, func(i, j int) bool {
+		left, right := versionedPlugins[i], versionedPlugins[j]
+		if left.Type != right.Type {
+			return left.Type < right.Type
 		}
+		if left.Name != right.Name {
+			return left.Name < right.Name
+		}
+		if left.Version != right.Version {
+			return right.SemanticVersion.GreaterThan(left.SemanticVersion)
+		}
+
+		return false
 	})
+}
+
+func (b *SystemBackend) handlePluginCatalogUpdate(ctx context.Context, _ *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	pluginName := d.Get("name").(string)
+	if pluginName == "" {
+		return logical.ErrorResponse("missing plugin name"), nil
+	}
+
+	pluginTypeStr := d.Get("type").(string)
+	if pluginTypeStr == "" {
+		// If the plugin type is not provided, list it as unknown so that we
+		// add it to the catalog and UpdatePlugins later will sort it.
+		pluginTypeStr = "unknown"
+	}
+	pluginType, err := consts.ParsePluginType(pluginTypeStr)
+	if err != nil {
+		return nil, err
+	}
+
+	pluginVersion, builtin, err := getVersion(d)
+	if err != nil {
+		return logical.ErrorResponse(err.Error()), nil
+	}
+	if builtin {
+		return logical.ErrorResponse("version %q is not allowed because 'builtin' is a reserved metadata identifier", pluginVersion), nil
+	}
+
+	sha256 := d.Get("sha256").(string)
+	if sha256 == "" {
+		sha256 = d.Get("sha_256").(string)
+		if sha256 == "" {
+			return logical.ErrorResponse("missing SHA-256 value"), nil
+		}
+	}
+
+	command := d.Get("command").(string)
+	ociImage := d.Get("oci_image").(string)
+	if command == "" && ociImage == "" {
+		return logical.ErrorResponse("must provide at least one of command or oci_image"), nil
+	}
+
+	if ociImage == "" {
+		if err = b.Core.CheckPluginPerms(command); err != nil {
+			return nil, err
+		}
+	}
+
+	pluginRuntime := d.Get("runtime").(string)
+	if ociImage != "" {
+		if runtime.GOOS != "linux" {
+			return logical.ErrorResponse("specifying oci_image is currently only supported on Linux"), nil
+		}
+		if pluginRuntime != "" {
+			_, err := b.Core.pluginRuntimeCatalog.Get(ctx, pluginRuntime, consts.PluginRuntimeTypeContainer)
+			if err != nil {
+				return logical.ErrorResponse("specified plugin runtime %q, but failed to retrieve config: %w", pluginRuntime, err), nil
+			}
+		}
+	}
 
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
+	// For backwards compatibility, also accept args as part of command. Don't
+	// accepts args in both command and args.
+	args := d.Get("args").([]string)
+	parts := strings.Split(command, " ")
+	if len(parts) == 0 && ociImage == "" {
+		return logical.ErrorResponse("missing command value"), nil
+	} else if len(parts) > 1 && len(args) > 0 {
+		return logical.ErrorResponse("must not specify args in command and args field"), nil
+	} else if len(parts) >= 1 {
+		command = parts[0]
+		if len(parts) > 1 {
+			args = parts[1:]
+		}
+	}
+
+	env := d.Get("env").([]string)
+
+	sha256Bytes, err := hex.DecodeString(sha256)
+	if err != nil {
+		return logical.ErrorResponse("Could not decode SHA256 value from Hex %s: %s", sha256, err), err
+	}
 
-		_, cmd := testStatusCommand(t)
-		assertNoTabs(t, cmd)
+	err = b.Core.pluginCatalog.Set(ctx, pluginutil.SetPluginInput{
+		Name:     pluginName,
+		Type:     pluginType,
+		Version:  pluginVersion,
+		OCIImage: ociImage,
+		Runtime:  pluginRuntime,
+		Command:  command,
+		Args:     args,
+		Env:      env,
+		Sha256:   sha256Bytes,
 	})
+	if err != nil {
+		if errors.Is(err, ErrPluginNotFound) || strings.HasPrefix(err.Error(), "plugin version mismatch") {
+			return logical.ErrorResponse(err.Error()), nil
+		}
+		return nil, err
+	}
+
+	return nil, nil
+}
+
+func (b *SystemBackend) handlePluginCatalogRead(ctx context.Context, _ *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	pluginName := d.Get("name").(string)
+	if pluginName == "" {
+		return logical.ErrorResponse("missing plugin name"), nil
+	}
+
+	pluginTypeStr := d.Get("type").(string)
+	if pluginTypeStr == "" {
+		// If the plugin type is not provided (i.e. the old
+		// sys/plugins/catalog/:name endpoint is being requested) short-circuit here
+		// and return a warning
+		resp := &logical.Response{}
+		resp.AddWarning(fmt.Sprintf("Deprecated API endpoint, cannot read plugin information from catalog for %q", pluginName))
+		return resp, nil
+	}
+
+	pluginType, err := consts.ParsePluginType(pluginTypeStr)
+	if err != nil {
+		return nil, err
+	}
+
+	pluginVersion, _, err := getVersion(d)
+	if err != nil {
+		return logical.ErrorResponse(err.Error()), nil
+	}
+
+	plugin, err := b.Core.pluginCatalog.Get(ctx, pluginName, pluginType, pluginVersion)
+	if err != nil {
+		return nil, err
+	}
+	if plugin == nil {
+		return nil, nil
+	}
+
+	command := plugin.Command
+	if !plugin.Builtin && plugin.OCIImage == "" {
+		command, err = filepath.Rel(b.Core.pluginCatalog.directory, command)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	// plugin.Env has historically been omitted, and could conceivably have
+	// sensitive information in it.
+	data := map[string]interface{}{
+		"name":    plugin.Name,
+		"args":    plugin.Args,
+		"command": command,
+		"sha256":  hex.EncodeToString(plugin.Sha256),
+		"builtin": plugin.Builtin,
+		"version": plugin.Version,
+	}
+
+	if plugin.Builtin {
+		status, _ := b.Core.builtinRegistry.DeprecationStatus(plugin.Name, plugin.Type)
+		data["deprecation_status"] = status.String()
+	}
+
+	if plugin.OCIImage != "" {
+		data["oci_image"] = plugin.OCIImage
+	}
+
+	if plugin.Runtime != "" {
+		data["runtime"] = plugin.Runtime
+	}
+
+	return &logical.Response{
+		Data: data,
+	}, nil
+}
+
+func (b *SystemBackend) handlePluginCatalogDelete(ctx context.Context, _ *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	pluginName := d.Get("name").(string)
+	if pluginName == "" {
+		return logical.ErrorResponse("missing plugin name"), nil
+	}
+
+	pluginVersion, builtin, err := getVersion(d)
+	if err != nil {
+		return logical.ErrorResponse(err.Error()), nil
+	}
+	if builtin {
+		return logical.ErrorResponse("version %q cannot be deleted", pluginVersion), nil
+	}
+
+	var resp *logical.Response
+	pluginTypeStr := d.Get("type").(string)
+	if pluginTypeStr == "" {
+		// If the plugin type is not provided (i.e. the old
+		// sys/plugins/catalog/:name endpoint is being requested), set type to
+		// unknown and let pluginCatalog.Delete proceed. It should handle
+		// deregistering out of the old storage path (root of core/plugin-catalog)
+		resp = new(logical.Response)
+		resp.AddWarning(fmt.Sprintf("Deprecated API endpoint, cannot deregister plugin from catalog for %q", pluginName))
+		pluginTypeStr = "unknown"
+	}
+
+	pluginType, err := consts.ParsePluginType(pluginTypeStr)
+	if err != nil {
+		return nil, err
+	}
+	if err := b.Core.pluginCatalog.Delete(ctx, pluginName, pluginType, pluginVersion); err != nil {
+		return nil, err
+	}
+
+	return resp, nil
+}
+
+func getVersion(d *framework.FieldData) (version string, builtin bool, err error) {
+	version = d.Get("version").(string)
+	if version != "" {
+		semanticVersion, err := semver.NewSemver(version)
+		if err != nil {
+			return "", false, fmt.Errorf("version %q is not a valid semantic version: %w", version, err)
+		}
+
+		// Canonicalize the version string.
+		// Add the 'v' back in, since semantic version strips it out, and we want to be consistent with internal plugins.
+		version = "v" + semanticVersion.String()
+	}
+
+	return version, versions.IsBuiltinVersion(version), nil
+}
+
+func (b *SystemBackend) handlePluginReloadUpdate(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	pluginName := d.Get("plugin").(string)
+	pluginMounts := d.Get("mounts").([]string)
+	scope := d.Get("scope").(string)
+
+	if scope != "" && scope != globalScope {
+		return logical.ErrorResponse("reload scope must be omitted or 'global'"), nil
+	}
+
+	if pluginName != "" && len(pluginMounts) > 0 {
+		return logical.ErrorResponse("plugin and mounts cannot be set at the same time"), nil
+	}
+	if pluginName == "" && len(pluginMounts) == 0 {
+		return logical.ErrorResponse("plugin or mounts must be provided"), nil
+	}
+
+	if pluginName != "" {
+		err := b.Core.reloadMatchingPlugin(ctx, pluginName)
+		if err != nil {
+			return nil, err
+		}
+	} else if len(pluginMounts) > 0 {
+		err := b.Core.reloadMatchingPluginMounts(ctx, pluginMounts)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	r := logical.Response{
+		Data: map[string]interface{}{
+			"reload_id": req.ID,
+		},
+	}
+
+	if scope == globalScope {
+		err := handleGlobalPluginReload(ctx, b.Core, req.ID, pluginName, pluginMounts)
+		if err != nil {
+			return nil, err
+		}
+		return logical.RespondWithStatusCode(&r, req, http.StatusAccepted)
+	}
+	return &r, nil
+}
+
+func (b *SystemBackend) handlePluginRuntimeCatalogUpdate(ctx context.Context, _ *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	runtimeName := d.Get("name").(string)
+	if runtimeName == "" {
+		return logical.ErrorResponse("missing plugin runtime name"), nil
+	}
+
+	runtimeTypeStr := d.Get("type").(string)
+	if runtimeTypeStr == "" {
+		return logical.ErrorResponse("missing plugin runtime type"), nil
+	}
+
+	runtimeType, err := consts.ParsePluginRuntimeType(runtimeTypeStr)
+	if err != nil {
+		return logical.ErrorResponse(err.Error()), nil
+	}
+
+	switch runtimeType {
+	case consts.PluginRuntimeTypeContainer:
+		ociRuntime := d.Get("oci_runtime").(string)
+		cgroupParent := d.Get("cgroup_parent").(string)
+		cpu := d.Get("cpu_nanos").(int64)
+		if cpu < 0 {
+			return logical.ErrorResponse("runtime cpu in nanos cannot be negative"), nil
+		}
+		memory := d.Get("memory_bytes").(int64)
+		if memory < 0 {
+			return logical.ErrorResponse("runtime memory in bytes cannot be negative"), nil
+		}
+		rootless := d.Get("rootless").(bool)
+		if err = b.Core.pluginRuntimeCatalog.Set(ctx,
+			&pluginruntimeutil.PluginRuntimeConfig{
+				Name:         runtimeName,
+				Type:         runtimeType,
+				OCIRuntime:   ociRuntime,
+				CgroupParent: cgroupParent,
+				CPU:          cpu,
+				Memory:       memory,
+				Rootless:     rootless,
+			}); err != nil {
+			return logical.ErrorResponse(err.Error()), nil
+		}
+	default:
+		logical.ErrorResponse(fmt.Sprintf("%s is not a supported plugin runtime type", runtimeTypeStr))
+	}
+	return nil, nil
+}
+
+func (b *SystemBackend) handlePluginRuntimeCatalogDelete(ctx context.Context, _ *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	runtimeName := d.Get("name").(string)
+	if runtimeName == "" {
+		return logical.ErrorResponse("missing plugin runtime name"), nil
+	}
+
+	runtimeTypeStr := d.Get("type").(string)
+	if runtimeTypeStr == "" {
+		return logical.ErrorResponse("missing plugin runtime type"), nil
+	}
+
+	runtimeType, err := consts.ParsePluginRuntimeType(runtimeTypeStr)
+	if err != nil {
+		return logical.ErrorResponse(err.Error()), nil
+	}
+
+	plugins, err := b.Core.pluginCatalog.ListPluginsWithRuntime(ctx, runtimeName)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(plugins) != 0 {
+		return logical.ErrorResponse("unable to delete %q runtime. Registered plugins=%v are referencing it.", runtimeName, plugins), nil
+	}
+
+	err = b.Core.pluginRuntimeCatalog.Delete(ctx, runtimeName, runtimeType)
+	if err != nil {
+		return nil, err
+	}
+	return nil, nil
+}
+
+func (b *SystemBackend) handlePluginRuntimeCatalogRead(ctx context.Context, _ *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	runtimeName := d.Get("name").(string)
+	if runtimeName == "" {
+		return logical.ErrorResponse("missing plugin runtime name"), nil
+	}
+
+	runtimeTypeStr := d.Get("type").(string)
+	if runtimeTypeStr == "" {
+		return logical.ErrorResponse("missing plugin runtime type"), nil
+	}
+
+	runtimeType, err := consts.ParsePluginRuntimeType(runtimeTypeStr)
+	if err != nil {
+		return logical.ErrorResponse(err.Error()), nil
+	}
+
+	conf, err := b.Core.pluginRuntimeCatalog.Get(ctx, runtimeName, runtimeType)
+	if err != nil && !errors.Is(err, ErrPluginRuntimeNotFound) {
+		return nil, err
+	}
+	if conf == nil {
+		return nil, nil
+	}
+
+	return &logical.Response{Data: map[string]interface{}{
+		"name":          conf.Name,
+		"type":          conf.Type.String(),
+		"oci_runtime":   conf.OCIRuntime,
+		"cgroup_parent": conf.CgroupParent,
+		"cpu_nanos":     conf.CPU,
+		"memory_bytes":  conf.Memory,
+		"rootless":      conf.Rootless,
+	}}, nil
+}
+
+func (b *SystemBackend) handlePluginRuntimeCatalogList(ctx context.Context, _ *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	var data []map[string]any
+
+	var pluginRuntimeTypes []consts.PluginRuntimeType
+	runtimeTypeStr := d.Get("type").(string)
+	if runtimeTypeStr != "" {
+		runtimeType, err := consts.ParsePluginRuntimeType(runtimeTypeStr)
+		if err != nil {
+			return logical.ErrorResponse(err.Error()), nil
+		}
+		pluginRuntimeTypes = []consts.PluginRuntimeType{runtimeType}
+	} else {
+		pluginRuntimeTypes = consts.PluginRuntimeTypes
+	}
+
+	for _, runtimeType := range pluginRuntimeTypes {
+		if runtimeType == consts.PluginRuntimeTypeUnsupported {
+			continue
+		}
+		configs, err := b.Core.pluginRuntimeCatalog.List(ctx, runtimeType)
+		if err != nil {
+			return nil, err
+		}
+
+		if len(configs) > 0 {
+			sort.Slice(configs, func(i, j int) bool {
+				return strings.Compare(configs[i].Name, configs[j].Name) == -1
+			})
+			for _, conf := range configs {
+				data = append(data, map[string]any{
+					"name":          conf.Name,
+					"type":          conf.Type.String(),
+					"oci_runtime":   conf.OCIRuntime,
+					"cgroup_parent": conf.CgroupParent,
+					"cpu_nanos":     conf.CPU,
+					"memory_bytes":  conf.Memory,
+					"rootless":      conf.Rootless,
+				})
+			}
+		}
+	}
+
+	resp := &logical.Response{
+		Data: map[string]interface{}{},
+	}
+
+	if len(data) > 0 {
+		resp.Data["runtimes"] = data
+	}
+
+	return resp, nil
+}
+
+// handleAuditedHeaderUpdate creates or overwrites a header entry
+func (b *SystemBackend) handleAuditedHeaderUpdate(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	header := d.Get("header").(string)
+	hmac := d.Get("hmac").(bool)
+	if header == "" {
+		return logical.ErrorResponse("missing header name"), nil
+	}
+
+	headerConfig := b.Core.AuditedHeadersConfig()
+	err := headerConfig.add(ctx, header, hmac)
+	if err != nil {
+		return nil, err
+	}
+
+	return nil, nil
+}
+
+// handleAuditedHeaderDelete deletes the header with the given name
+func (b *SystemBackend) handleAuditedHeaderDelete(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	header := d.Get("header").(string)
+	if header == "" {
+		return logical.ErrorResponse("missing header name"), nil
+	}
+
+	headerConfig := b.Core.AuditedHeadersConfig()
+	err := headerConfig.remove(ctx, header)
+	if err != nil {
+		return nil, err
+	}
+
+	return nil, nil
+}
+
+// handleAuditedHeaderRead returns the header configuration for the given header name
+func (b *SystemBackend) handleAuditedHeaderRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	header := d.Get("header").(string)
+	if header == "" {
+		return logical.ErrorResponse("missing header name"), nil
+	}
+
+	headerConfig := b.Core.AuditedHeadersConfig()
+	settings, ok := headerConfig.Headers[strings.ToLower(header)]
+	if !ok {
+		return logical.ErrorResponse("Could not find header in config"), nil
+	}
+
+	return &logical.Response{
+		Data: map[string]interface{}{
+			header: settings,
+		},
+	}, nil
+}
+
+// handleAuditedHeadersRead returns the whole audited headers config
+func (b *SystemBackend) handleAuditedHeadersRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	headerConfig := b.Core.AuditedHeadersConfig()
+
+	return &logical.Response{
+		Data: map[string]interface{}{
+			"headers": headerConfig.Headers,
+		},
+	}, nil
+}
+
+// handleCapabilitiesAccessor returns the ACL capabilities of the
+// token associated with the given accessor for a given path.
+func (b *SystemBackend) handleCapabilitiesAccessor(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	accessor := d.Get("accessor").(string)
+	if accessor == "" {
+		return logical.ErrorResponse("missing accessor"), nil
+	}
+
+	aEntry, err := b.Core.tokenStore.lookupByAccessor(ctx, accessor, false, false)
+	if err != nil {
+		return nil, err
+	}
+	if aEntry == nil {
+		return nil, &logical.StatusBadRequest{Err: "invalid accessor"}
+	}
+
+	d.Raw["token"] = aEntry.TokenID
+	return b.handleCapabilities(ctx, req, d)
+}
+
+// handleCapabilities returns the ACL capabilities of the token for a given path
+func (b *SystemBackend) handleCapabilities(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	var token string
+	if strings.HasSuffix(req.Path, "capabilities-self") {
+		token = req.ClientToken
+	} else {
+		tokenRaw, ok := d.Raw["token"]
+		if ok {
+			token, _ = tokenRaw.(string)
+		}
+	}
+	if token == "" {
+		return nil, fmt.Errorf("no token found")
+	}
+
+	ret := &logical.Response{
+		Data: map[string]interface{}{},
+	}
+
+	paths := d.Get("paths").([]string)
+	if len(paths) == 0 {
+		// Read from the deprecated field
+		paths = d.Get("path").([]string)
+	}
+
+	if len(paths) == 0 {
+		return logical.ErrorResponse("paths must be supplied"), nil
+	}
+
+	for _, path := range paths {
+		pathCap, err := b.Core.Capabilities(ctx, token, path)
+		if err != nil {
+			if !strings.HasSuffix(req.Path, "capabilities-self") && errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
+				return nil, &logical.StatusBadRequest{Err: "invalid token"}
+			}
+			return nil, err
+		}
+		ret.Data[path] = pathCap
+	}
+
+	// This is only here for backwards compatibility
+	if len(paths) == 1 {
+		ret.Data["capabilities"] = ret.Data[paths[0]]
+	}
+
+	return ret, nil
+}
+
+// handleRekeyRetrieve returns backed-up, PGP-encrypted unseal keys from a
+// rekey operation
+func (b *SystemBackend) handleRekeyRetrieve(
+	ctx context.Context,
+	req *logical.Request,
+	data *framework.FieldData,
+	recovery bool,
+) (*logical.Response, error) {
+	backup, err := b.Core.RekeyRetrieveBackup(ctx, recovery)
+	if err != nil {
+		return nil, fmt.Errorf("unable to look up backed-up keys: %w", err)
+	}
+	if backup == nil {
+		return logical.ErrorResponse("no backed-up keys found"), nil
+	}
+
+	keysB64 := map[string][]string{}
+	for k, v := range backup.Keys {
+		for _, j := range v {
+			currB64Keys := keysB64[k]
+			if currB64Keys == nil {
+				currB64Keys = []string{}
+			}
+			key, err := hex.DecodeString(j)
+			if err != nil {
+				return nil, fmt.Errorf("error decoding hex-encoded backup key: %w", err)
+			}
+			currB64Keys = append(currB64Keys, base64.StdEncoding.EncodeToString(key))
+			keysB64[k] = currB64Keys
+		}
+	}
+
+	// Format the status
+	resp := &logical.Response{
+		Data: map[string]interface{}{
+			"nonce":       backup.Nonce,
+			"keys":        backup.Keys,
+			"keys_base64": keysB64,
+		},
+	}
+
+	return resp, nil
+}
+
+func (b *SystemBackend) handleRekeyRetrieveBarrier(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	return b.handleRekeyRetrieve(ctx, req, data, false)
+}
+
+func (b *SystemBackend) handleRekeyRetrieveRecovery(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	return b.handleRekeyRetrieve(ctx, req, data, true)
+}
+
+// handleRekeyDelete deletes backed-up, PGP-encrypted unseal keys from a rekey
+// operation
+func (b *SystemBackend) handleRekeyDelete(
+	ctx context.Context,
+	req *logical.Request,
+	data *framework.FieldData,
+	recovery bool,
+) (*logical.Response, error) {
+	err := b.Core.RekeyDeleteBackup(ctx, recovery)
+	if err != nil {
+		return nil, fmt.Errorf("error during deletion of backed-up keys: %w", err)
+	}
+
+	return nil, nil
+}
+
+func (b *SystemBackend) handleRekeyDeleteBarrier(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	return b.handleRekeyDelete(ctx, req, data, false)
+}
+
+func (b *SystemBackend) handleRekeyDeleteRecovery(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	return b.handleRekeyDelete(ctx, req, data, true)
+}
+
+func (b *SystemBackend) handleGenerateRootDecodeTokenUpdate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	encodedToken := data.Get("encoded_token").(string)
+	otp := data.Get("otp").(string)
+
+	token, err := roottoken.DecodeToken(encodedToken, otp, len(otp))
+	if err != nil {
+		return nil, err
+	}
+
+	// Generate the response
+	resp := &logical.Response{
+		Data: map[string]interface{}{
+			"token": token,
+		},
+	}
+	return resp, nil
+}
+
+func (b *SystemBackend) mountInfo(ctx context.Context, entry *MountEntry) map[string]interface{} {
+	info := map[string]interface{}{
+		"type":                    entry.Type,
+		"description":             entry.Description,
+		"accessor":                entry.Accessor,
+		"local":                   entry.Local,
+		"seal_wrap":               entry.SealWrap,
+		"external_entropy_access": entry.ExternalEntropyAccess,
+		"options":                 entry.Options,
+		"uuid":                    entry.UUID,
+		"plugin_version":          entry.Version,
+		"running_plugin_version":  entry.RunningVersion,
+		"running_sha256":          entry.RunningSha256,
+	}
+	entryConfig := map[string]interface{}{
+		"default_lease_ttl": int64(entry.Config.DefaultLeaseTTL.Seconds()),
+		"max_lease_ttl":     int64(entry.Config.MaxLeaseTTL.Seconds()),
+		"force_no_cache":    entry.Config.ForceNoCache,
+	}
+	if rawVal, ok := entry.synthesizedConfigCache.Load("audit_non_hmac_request_keys"); ok {
+		entryConfig["audit_non_hmac_request_keys"] = rawVal.([]string)
+	}
+	if rawVal, ok := entry.synthesizedConfigCache.Load("audit_non_hmac_response_keys"); ok {
+		entryConfig["audit_non_hmac_response_keys"] = rawVal.([]string)
+	}
+	// Even though empty value is valid for ListingVisibility, we can ignore
+	// this case during mount since there's nothing to unset/hide.
+	if len(entry.Config.ListingVisibility) > 0 {
+		entryConfig["listing_visibility"] = entry.Config.ListingVisibility
+	}
+	if rawVal, ok := entry.synthesizedConfigCache.Load("passthrough_request_headers"); ok {
+		entryConfig["passthrough_request_headers"] = rawVal.([]string)
+	}
+	if rawVal, ok := entry.synthesizedConfigCache.Load("allowed_response_headers"); ok {
+		entryConfig["allowed_response_headers"] = rawVal.([]string)
+	}
+	if rawVal, ok := entry.synthesizedConfigCache.Load("allowed_managed_keys"); ok {
+		entryConfig["allowed_managed_keys"] = rawVal.([]string)
+	}
+	if entry.Table == credentialTableType {
+		entryConfig["token_type"] = entry.Config.TokenType.String()
+	}
+	if entry.Config.UserLockoutConfig != nil {
+		userLockoutConfig := map[string]interface{}{
+			"user_lockout_counter_reset_duration": int64(entry.Config.UserLockoutConfig.LockoutCounterReset.Seconds()),
+			"user_lockout_threshold":              entry.Config.UserLockoutConfig.LockoutThreshold,
+			"user_lockout_duration":               int64(entry.Config.UserLockoutConfig.LockoutDuration.Seconds()),
+			"user_lockout_disable":                entry.Config.UserLockoutConfig.DisableLockout,
+		}
+		entryConfig["user_lockout_config"] = userLockoutConfig
+	}
+
+	// Add deprecation status only if it exists
+	builtinType := b.Core.builtinTypeFromMountEntry(ctx, entry)
+	if status, ok := b.Core.builtinRegistry.DeprecationStatus(entry.Type, builtinType); ok {
+		info["deprecation_status"] = status.String()
+	}
+	info["config"] = entryConfig
+
+	return info
+}
+
+// handleMountTable handles the "mounts" endpoint to provide the mount table
+func (b *SystemBackend) handleMountTable(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	b.Core.mountsLock.RLock()
+	defer b.Core.mountsLock.RUnlock()
+
+	resp := &logical.Response{
+		Data: make(map[string]interface{}),
+	}
+
+	for _, entry := range b.Core.mounts.Entries {
+		// Only show entries for current namespace
+		if entry.Namespace().Path != ns.Path {
+			continue
+		}
+
+		cont, err := b.Core.checkReplicatedFiltering(ctx, entry, "")
+		if err != nil {
+			return nil, err
+		}
+		if cont {
+			continue
+		}
+
+		// Populate mount info
+		info := b.mountInfo(ctx, entry)
+
+		resp.Data[entry.Path] = info
+	}
+
+	return resp, nil
+}
+
+// handleMount is used to mount a new path
+func (b *SystemBackend) handleMount(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	repState := b.Core.ReplicationState()
+
+	local := data.Get("local").(bool)
+	// If we are a performance secondary cluster we should forward the request
+	// to the primary. We fail early here since the view in use isn't marked as
+	// readonly
+	if !local && repState.HasState(consts.ReplicationPerformanceSecondary) {
+		return nil, logical.ErrReadOnly
+	}
+
+	// Get all the options
+	path := data.Get("path").(string)
+	path = sanitizePath(path)
+
+	logicalType := data.Get("type").(string)
+	description := data.Get("description").(string)
+	pluginName := data.Get("plugin_name").(string)
+	sealWrap := data.Get("seal_wrap").(bool)
+	externalEntropyAccess := data.Get("external_entropy_access").(bool)
+	options := data.Get("options").(map[string]string)
+
+	var config MountConfig
+	var apiConfig APIMountConfig
+
+	configMap := data.Get("config").(map[string]interface{})
+	// Augmenting configMap for some config options to treat them as comma separated entries
+	err := expandStringValsWithCommas(configMap)
+	if err != nil {
+		return logical.ErrorResponse(
+				"unable to parse given auth config information"),
+			logical.ErrInvalidRequest
+	}
+	if configMap != nil && len(configMap) != 0 {
+		err := mapstructure.Decode(configMap, &apiConfig)
+		if err != nil {
+			return logical.ErrorResponse(
+					"unable to convert given mount config information"),
+				logical.ErrInvalidRequest
+		}
+	}
+
+	switch apiConfig.DefaultLeaseTTL {
+	case "":
+	case "system":
+	default:
+		tmpDef, err := parseutil.ParseDurationSecond(apiConfig.DefaultLeaseTTL)
+		if err != nil {
+			return logical.ErrorResponse(fmt.Sprintf(
+					"unable to parse default TTL of %s: %s", apiConfig.DefaultLeaseTTL, err)),
+				logical.ErrInvalidRequest
+		}
+		config.DefaultLeaseTTL = tmpDef
+	}
+
+	switch apiConfig.MaxLeaseTTL {
+	case "":
+	case "system":
+	default:
+		tmpMax, err := parseutil.ParseDurationSecond(apiConfig.MaxLeaseTTL)
+		if err != nil {
+			return logical.ErrorResponse(fmt.Sprintf(
+					"unable to parse max TTL of %s: %s", apiConfig.MaxLeaseTTL, err)),
+				logical.ErrInvalidRequest
+		}
+		config.MaxLeaseTTL = tmpMax
+	}
+
+	if config.MaxLeaseTTL != 0 && config.DefaultLeaseTTL > config.MaxLeaseTTL {
+		return logical.ErrorResponse(
+				"given default lease TTL greater than given max lease TTL"),
+			logical.ErrInvalidRequest
+	}
+
+	if config.DefaultLeaseTTL > b.Core.maxLeaseTTL && config.MaxLeaseTTL == 0 {
+		return logical.ErrorResponse(fmt.Sprintf(
+				"given default lease TTL greater than system max lease TTL of %d", int(b.Core.maxLeaseTTL.Seconds()))),
+			logical.ErrInvalidRequest
+	}
+
+	switch logicalType {
+	case "":
+		return logical.ErrorResponse(
+				"backend type must be specified as a string"),
+			logical.ErrInvalidRequest
+	case "plugin":
+		// Only set plugin-name if mount is of type plugin, with apiConfig.PluginName
+		// option taking precedence.
+		switch {
+		case apiConfig.PluginName != "":
+			logicalType = apiConfig.PluginName
+		case pluginName != "":
+			logicalType = pluginName
+		default:
+			return logical.ErrorResponse(
+					"plugin_name must be provided for plugin backend"),
+				logical.ErrInvalidRequest
+		}
+	}
+
+	switch logicalType {
+	case "kv":
+	case "kv-v1":
+		// Alias KV v1
+		logicalType = "kv"
+		if options == nil {
+			options = map[string]string{}
+		}
+		options["version"] = "1"
+
+	case "kv-v2":
+		// Alias KV v2
+		logicalType = "kv"
+		if options == nil {
+			options = map[string]string{}
+		}
+		options["version"] = "2"
+
+	default:
+		if options != nil && options["version"] != "" {
+			return logical.ErrorResponse(fmt.Sprintf(
+					"secrets engine %q does not allow setting a version", logicalType)),
+				logical.ErrInvalidRequest
+		}
+	}
+
+	pluginVersion, resp, err := b.validateVersion(ctx, apiConfig.PluginVersion, logicalType, consts.PluginTypeSecrets)
+	if resp != nil || err != nil {
+		return resp, err
+	}
+
+	// Copy over the force no cache if set
+	if apiConfig.ForceNoCache {
+		config.ForceNoCache = true
+	}
+
+	if err := checkListingVisibility(apiConfig.ListingVisibility); err != nil {
+		return logical.ErrorResponse(fmt.Sprintf("invalid listing_visibility %s", apiConfig.ListingVisibility)), nil
+	}
+	config.ListingVisibility = apiConfig.ListingVisibility
+
+	if len(apiConfig.AuditNonHMACRequestKeys) > 0 {
+		config.AuditNonHMACRequestKeys = apiConfig.AuditNonHMACRequestKeys
+	}
+	if len(apiConfig.AuditNonHMACResponseKeys) > 0 {
+		config.AuditNonHMACResponseKeys = apiConfig.AuditNonHMACResponseKeys
+	}
+	if len(apiConfig.PassthroughRequestHeaders) > 0 {
+		config.PassthroughRequestHeaders = apiConfig.PassthroughRequestHeaders
+	}
+	if len(apiConfig.AllowedResponseHeaders) > 0 {
+		config.AllowedResponseHeaders = apiConfig.AllowedResponseHeaders
+	}
+	if len(apiConfig.AllowedManagedKeys) > 0 {
+		config.AllowedManagedKeys = apiConfig.AllowedManagedKeys
+	}
+	if len(apiConfig.DelegatedAuthAccessors) > 0 {
+		config.DelegatedAuthAccessors = apiConfig.DelegatedAuthAccessors
+	}
+
+	// Create the mount entry
+	me := &MountEntry{
+		Table:                 mountTableType,
+		Path:                  path,
+		Type:                  logicalType,
+		Description:           description,
+		Config:                config,
+		Local:                 local,
+		SealWrap:              sealWrap,
+		ExternalEntropyAccess: externalEntropyAccess,
+		Options:               options,
+		Version:               pluginVersion,
+	}
+
+	if b.Core.isMountEntryBuiltin(ctx, me, consts.PluginTypeSecrets) {
+		resp, err = b.Core.handleDeprecatedMountEntry(ctx, me, consts.PluginTypeSecrets)
+		if err != nil {
+			b.Core.logger.Error("could not mount builtin", "name", me.Type, "path", me.Path, "error", err)
+			return handleError(fmt.Errorf("could not mount %q: %w", me.Type, err))
+		}
+	}
+
+	// Attempt mount
+	if err := b.Core.mount(ctx, me); err != nil {
+		b.Backend.Logger().Error("error occurred during enable mount", "path", me.Path, "error", err)
+		return handleError(err)
+	}
+
+	return resp, nil
+}
+
+func selectPluginVersion(ctx context.Context, sys logical.SystemView, pluginName string, pluginType consts.PluginType) (string, error) {
+	unversionedPlugin, err := sys.LookupPlugin(ctx, pluginName, pluginType)
+	if err == nil && !unversionedPlugin.Builtin {
+		// We'll select the unversioned plugin that's been registered.
+		return "", nil
+	}
+
+	// No version provided and no unversioned plugin of that name available.
+	// Pin to the current latest version if any versioned plugins are registered.
+	plugins, err := sys.ListVersionedPlugins(ctx, pluginType)
+	if err != nil {
+		return "", err
+	}
+
+	var versionedCandidates []pluginutil.VersionedPlugin
+	for _, plugin := range plugins {
+		if !plugin.Builtin && plugin.Name == pluginName && plugin.Version != "" {
+			versionedCandidates = append(versionedCandidates, plugin)
+		}
+	}
+
+	if len(versionedCandidates) != 0 {
+		// Sort in reverse order.
+		sort.SliceStable(versionedCandidates, func(i, j int) bool {
+			return versionedCandidates[i].SemanticVersion.GreaterThan(versionedCandidates[j].SemanticVersion)
+		})
+
+		return "v" + versionedCandidates[0].SemanticVersion.String(), nil
+	}
+
+	return "", nil
+}
+
+func (b *SystemBackend) handleReadMount(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	path := data.Get("path").(string)
+	path = sanitizePath(path)
+
+	entry := b.Core.router.MatchingMountEntry(ctx, path)
+
+	if entry == nil {
+		return logical.ErrorResponse("No secret engine mount at %s", path), nil
+	}
+
+	return &logical.Response{
+		Data: b.mountInfo(ctx, entry),
+	}, nil
+}
+
+// used to intercept an HTTPCodedError so it goes back to callee
+func handleError(
+	err error,
+) (*logical.Response, error) {
+	if strings.Contains(err.Error(), logical.ErrReadOnly.Error()) {
+		return logical.ErrorResponse(err.Error()), err
+	}
+	switch err.(type) {
+	case logical.HTTPCodedError:
+		return logical.ErrorResponse(err.Error()), err
+	default:
+		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
+	}
+}
+
+// Performs a similar function to handleError, but upon seeing a ReadOnlyError
+// will actually strip it out to prevent forwarding
+func handleErrorNoReadOnlyForward(
+	err error,
+) (*logical.Response, error) {
+	if strings.Contains(err.Error(), logical.ErrReadOnly.Error()) {
+		return nil, fmt.Errorf("operation could not be completed as storage is read-only")
+	}
+	switch err.(type) {
+	case logical.HTTPCodedError:
+		return logical.ErrorResponse(err.Error()), err
+	default:
+		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
+	}
+}
+
+// handleUnmount is used to unmount a path
+func (b *SystemBackend) handleUnmount(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	path := data.Get("path").(string)
+	path = sanitizePath(path)
+
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	repState := b.Core.ReplicationState()
+	entry := b.Core.router.MatchingMountEntry(ctx, path)
+
+	// If we are a performance secondary cluster we should forward the request
+	// to the primary. We fail early here since the view in use isn't marked as
+	// readonly
+	if entry != nil && !entry.Local && repState.HasState(consts.ReplicationPerformanceSecondary) {
+		return nil, logical.ErrReadOnly
+	}
+
+	// We return success when the mount does not exist to not expose if the
+	// mount existed or not
+	match := b.Core.router.MatchingMount(ctx, path)
+	if match == "" || ns.Path+path != match {
+		return nil, nil
+	}
+
+	_, found := b.Core.router.MatchingStoragePrefixByAPIPath(ctx, path)
+	if !found {
+		b.Backend.Logger().Error("unable to find storage for path", "path", path)
+		return handleError(fmt.Errorf("unable to find storage for path: %q", path))
+	}
+
+	// Attempt unmount
+	if err := b.Core.unmount(ctx, path); err != nil {
+		b.Backend.Logger().Error("unmount failed", "path", path, "error", err)
+		return handleError(err)
+	}
+
+	// Get the view path if available
+	var viewPath string
+	if entry != nil {
+		viewPath = entry.ViewPath()
+	}
+
+	// Remove from filtered mounts
+	if err := b.Core.removePathFromFilteredPaths(ctx, ns.Path+path, viewPath); err != nil {
+		b.Backend.Logger().Error("filtered path removal failed", path, "error", err)
+		return handleError(err)
+	}
+
+	return nil, nil
+}
+
+func validateMountPath(p string) error {
+	hasSuffix := strings.HasSuffix(p, "/")
+	s := path.Clean(p)
+	// Retain the trailing slash if it was provided
+	if hasSuffix {
+		s = s + "/"
+	}
+	if p != s {
+		return fmt.Errorf("path '%v' does not match cleaned path '%v'", p, s)
+	}
+
+	// Check URL path for non-printable characters
+	idx := strings.IndexFunc(p, func(c rune) bool {
+		return !unicode.IsPrint(c)
+	})
+
+	if idx != -1 {
+		return errors.New("path cannot contain non-printable characters")
+	}
+
+	return nil
+}
+
+// handleRemount is used to remount a path
+func (b *SystemBackend) handleRemount(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	repState := b.Core.ReplicationState()
+
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	// Get the paths
+	fromPath := data.Get("from").(string)
+	toPath := data.Get("to").(string)
+	if fromPath == "" || toPath == "" {
+		return logical.ErrorResponse(
+				"both 'from' and 'to' path must be specified as a string"),
+			logical.ErrInvalidRequest
+	}
+
+	if strings.HasPrefix(fromPath, " ") || strings.HasSuffix(fromPath, " ") {
+		return logical.ErrorResponse("'from' path cannot contain trailing whitespace"), logical.ErrInvalidRequest
+	}
+	if strings.HasPrefix(toPath, " ") || strings.HasSuffix(toPath, " ") {
+		return logical.ErrorResponse("'to' path cannot contain trailing whitespace"), logical.ErrInvalidRequest
+	}
+
+	fromPathDetails := b.Core.splitNamespaceAndMountFromPath(ns.Path, fromPath)
+	toPathDetails := b.Core.splitNamespaceAndMountFromPath(ns.Path, toPath)
+
+	if err = validateMountPath(toPathDetails.MountPath); err != nil {
+		return handleError(fmt.Errorf("invalid destination mount: %v", err))
+	}
+
+	// Check that target is a valid auth mount, if source is an auth mount
+	if strings.HasPrefix(fromPathDetails.MountPath, credentialRoutePrefix) {
+		if !strings.HasPrefix(toPathDetails.MountPath, credentialRoutePrefix) {
+			return handleError(fmt.Errorf("cannot remount auth mount to non-auth mount %q", toPathDetails.MountPath))
+		}
+		// Prevent target and source auth mounts from being in a protected path
+		for _, auth := range protectedAuths {
+			if strings.HasPrefix(fromPathDetails.MountPath, auth) {
+				return handleError(fmt.Errorf("cannot remount %q", fromPathDetails.MountPath))
+			}
+		}
+
+		for _, auth := range protectedAuths {
+			if strings.HasPrefix(toPathDetails.MountPath, auth) {
+				return handleError(fmt.Errorf("cannot remount to destination %q", toPathDetails.MountPath))
+			}
+		}
+	} else {
+		// Prevent target and source non-auth mounts from being in a protected path
+		for _, p := range protectedMounts {
+			if strings.HasPrefix(fromPathDetails.MountPath, p) {
+				return handleError(fmt.Errorf("cannot remount %q", fromPathDetails.MountPath))
+			}
+
+			if strings.HasPrefix(toPathDetails.MountPath, p) {
+				return handleError(fmt.Errorf("cannot remount to destination %+v", toPathDetails.MountPath))
+			}
+		}
+	}
+
+	entry := b.Core.router.MatchingMountEntry(ctx, sanitizePath(fromPath))
+
+	if entry == nil {
+		return handleError(fmt.Errorf("no matching mount at %q", sanitizePath(fromPath)))
+	}
+
+	if match := b.Core.router.MountConflict(ctx, sanitizePath(toPath)); match != "" {
+		return handleError(fmt.Errorf("path already in use at %q", match))
+	}
+
+	// If we are a performance secondary cluster we should forward the request
+	// to the primary. We fail early here since the view in use isn't marked as
+	// readonly
+	if entry != nil && !entry.Local && repState.HasState(consts.ReplicationPerformanceSecondary) {
+		return nil, logical.ErrReadOnly
+	}
+
+	migrationID, err := b.Core.createMigrationStatus(fromPathDetails, toPathDetails)
+	if err != nil {
+		return nil, fmt.Errorf("Error creating migration status %+v", err)
+	}
+	// Start up a goroutine to handle the remount operations, and return early to the caller
+	go func(migrationID string) {
+		b.Core.stateLock.RLock()
+		defer b.Core.stateLock.RUnlock()
+
+		logger := b.Core.Logger().Named("mounts.migration").With("migration_id", migrationID, "namespace", ns.Path, "to_path", toPath, "from_path", fromPath)
+
+		err := b.moveMount(ns, logger, migrationID, entry, fromPathDetails, toPathDetails)
+		if err != nil {
+			logger.Error("remount failed", "error", err)
+			if err := b.Core.setMigrationStatus(migrationID, MigrationFailureStatus); err != nil {
+				logger.Error("Setting migration status failed", "error", err, "target_status", MigrationFailureStatus)
+			}
+		}
+	}(migrationID)
+
+	resp := &logical.Response{
+		Data: map[string]interface{}{
+			"migration_id": migrationID,
+		},
+	}
+	resp.AddWarning("Mount move has been queued. Progress will be reported in Vault's server log, tagged with the returned migration_id")
+	return resp, nil
+}
+
+// moveMount carries out a remount operation on the secrets engine or auth method, updating the migration status as required
+// It is expected to be called asynchronously outside of a request context, hence it creates a context derived from the active one
+// and intermittently checks to see if it is still open.
+func (b *SystemBackend) moveMount(ns *namespace.Namespace, logger log.Logger, migrationID string, entry *MountEntry, fromPathDetails, toPathDetails namespace.MountPathDetails) error {
+	logger.Info("Starting to update the mount table and revoke leases")
+	revokeCtx := namespace.ContextWithNamespace(b.Core.activeContext, ns)
+
+	var err error
+	// Attempt remount
+	switch entry.Table {
+	case credentialTableType:
+		err = b.Core.remountCredential(revokeCtx, fromPathDetails, toPathDetails, !b.Core.perfStandby)
+	case mountTableType:
+		err = b.Core.remountSecretsEngine(revokeCtx, fromPathDetails, toPathDetails, !b.Core.perfStandby)
+	default:
+		return fmt.Errorf("cannot remount mount of table %q", entry.Table)
+	}
+
+	if err != nil {
+		return err
+	}
+
+	if err := revokeCtx.Err(); err != nil {
+		return err
+	}
+
+	logger.Info("Removing the source mount from filtered paths on secondaries")
+	// Remove from filtered mounts and restart evaluation process
+	if err := b.Core.removePathFromFilteredPaths(revokeCtx, fromPathDetails.GetFullPath(), entry.ViewPath()); err != nil {
+		return err
+	}
+
+	if err := revokeCtx.Err(); err != nil {
+		return err
+	}
+
+	logger.Info("Updating quotas associated with the source mount")
+	// Update quotas with the new path and namespace
+	if err := b.Core.quotaManager.HandleRemount(revokeCtx, fromPathDetails, toPathDetails); err != nil {
+		return err
+	}
+
+	if err := b.Core.setMigrationStatus(migrationID, MigrationSuccessStatus); err != nil {
+		return err
+	}
+	logger.Info("Completed mount move operations")
+	return nil
+}
+
+// handleAuthTuneRead is used to get config settings on a auth path
+func (b *SystemBackend) handleAuthTuneRead(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	path := data.Get("path").(string)
+	if path == "" {
+		return logical.ErrorResponse(
+				"path must be specified as a string"),
+			logical.ErrInvalidRequest
+	}
+	return b.handleTuneReadCommon(ctx, "auth/"+path)
+}
+
+func (b *SystemBackend) handleRemountStatusCheck(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	repState := b.Core.ReplicationState()
+
+	migrationID := data.Get("migration_id").(string)
+	if migrationID == "" {
+		return logical.ErrorResponse(
+				"migrationID must be specified"),
+			logical.ErrInvalidRequest
+	}
+
+	migrationInfo := b.Core.readMigrationStatus(migrationID)
+	if migrationInfo == nil {
+		// If the migration info is not found and this is a perf secondary
+		// forward the request to the primary cluster
+		if repState.HasState(consts.ReplicationPerformanceSecondary) {
+			return nil, logical.ErrReadOnly
+		}
+		return nil, nil
+	}
+	resp := &logical.Response{
+		Data: map[string]interface{}{
+			"migration_id":   migrationID,
+			"migration_info": migrationInfo,
+		},
+	}
+	return resp, nil
+}
+
+// handleMountTuneRead is used to get config settings on a backend
+func (b *SystemBackend) handleMountTuneRead(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	path := data.Get("path").(string)
+	if path == "" {
+		return logical.ErrorResponse(
+				"path must be specified as a string"),
+			logical.ErrInvalidRequest
+	}
+
+	// This call will read both logical backend's configuration as well as auth methods'.
+	// Retaining this behavior for backward compatibility. If this behavior is not desired,
+	// an error can be returned if path has a prefix of "auth/".
+	return b.handleTuneReadCommon(ctx, path)
+}
+
+// handleTuneReadCommon returns the config settings of a path
+func (b *SystemBackend) handleTuneReadCommon(ctx context.Context, path string) (*logical.Response, error) {
+	path = sanitizePath(path)
+
+	sysView := b.Core.router.MatchingSystemView(ctx, path)
+	if sysView == nil {
+		b.Backend.Logger().Error("cannot fetch sysview", "path", path)
+		return handleError(fmt.Errorf("cannot fetch sysview for path %q", path))
+	}
+
+	mountEntry := b.Core.router.MatchingMountEntry(ctx, path)
+	if mountEntry == nil {
+		b.Backend.Logger().Error("cannot fetch mount entry", "path", path)
+		return handleError(fmt.Errorf("cannot fetch mount entry for path %q", path))
+	}
+
+	resp := &logical.Response{
+		Data: map[string]interface{}{
+			"description":       mountEntry.Description,
+			"default_lease_ttl": int(sysView.DefaultLeaseTTL().Seconds()),
+			"max_lease_ttl":     int(sysView.MaxLeaseTTL().Seconds()),
+			"force_no_cache":    mountEntry.Config.ForceNoCache,
+		},
+	}
+
+	// not tunable so doesn't need to be stored/loaded through synthesizedConfigCache
+	if mountEntry.ExternalEntropyAccess {
+		resp.Data["external_entropy_access"] = true
+	}
+
+	if mountEntry.Table == credentialTableType {
+		resp.Data["token_type"] = mountEntry.Config.TokenType.String()
+	}
+
+	if rawVal, ok := mountEntry.synthesizedConfigCache.Load("audit_non_hmac_request_keys"); ok {
+		resp.Data["audit_non_hmac_request_keys"] = rawVal.([]string)
+	}
+
+	if rawVal, ok := mountEntry.synthesizedConfigCache.Load("audit_non_hmac_response_keys"); ok {
+		resp.Data["audit_non_hmac_response_keys"] = rawVal.([]string)
+	}
+
+	if len(mountEntry.Config.ListingVisibility) > 0 {
+		resp.Data["listing_visibility"] = mountEntry.Config.ListingVisibility
+	}
+
+	if rawVal, ok := mountEntry.synthesizedConfigCache.Load("passthrough_request_headers"); ok {
+		resp.Data["passthrough_request_headers"] = rawVal.([]string)
+	}
+
+	if rawVal, ok := mountEntry.synthesizedConfigCache.Load("allowed_response_headers"); ok {
+		resp.Data["allowed_response_headers"] = rawVal.([]string)
+	}
+
+	if rawVal, ok := mountEntry.synthesizedConfigCache.Load("allowed_managed_keys"); ok {
+		resp.Data["allowed_managed_keys"] = rawVal.([]string)
+	}
+
+	if mountEntry.Config.UserLockoutConfig != nil {
+		resp.Data["user_lockout_counter_reset_duration"] = int64(mountEntry.Config.UserLockoutConfig.LockoutCounterReset.Seconds())
+		resp.Data["user_lockout_threshold"] = mountEntry.Config.UserLockoutConfig.LockoutThreshold
+		resp.Data["user_lockout_duration"] = int64(mountEntry.Config.UserLockoutConfig.LockoutDuration.Seconds())
+		resp.Data["user_lockout_disable"] = mountEntry.Config.UserLockoutConfig.DisableLockout
+	}
+
+	if len(mountEntry.Options) > 0 {
+		resp.Data["options"] = mountEntry.Options
+	}
+
+	if mountEntry.Version != "" {
+		resp.Data["plugin_version"] = mountEntry.Version
+	}
+
+	return resp, nil
+}
+
+// handleAuthTuneWrite is used to set config settings on an auth path
+func (b *SystemBackend) handleAuthTuneWrite(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	path := data.Get("path").(string)
+	if path == "" {
+		return logical.ErrorResponse("missing path"), nil
+	}
+
+	return b.handleTuneWriteCommon(ctx, "auth/"+path, data)
+}
+
+// handleMountTuneWrite is used to set config settings on a backend
+func (b *SystemBackend) handleMountTuneWrite(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	path := data.Get("path").(string)
+	if path == "" {
+		return logical.ErrorResponse("missing path"), nil
+	}
+
+	// This call will write both logical backend's configuration as well as auth methods'.
+	// Retaining this behavior for backward compatibility. If this behavior is not desired,
+	// an error can be returned if path has a prefix of "auth/".
+	return b.handleTuneWriteCommon(ctx, path, data)
+}
+
+// handleTuneWriteCommon is used to set config settings on a path
+func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string, data *framework.FieldData) (*logical.Response, error) {
+	repState := b.Core.ReplicationState()
+
+	path = sanitizePath(path)
+
+	// Prevent protected paths from being changed
+	for _, p := range untunableMounts {
+		if strings.HasPrefix(path, p) {
+			b.Backend.Logger().Error("cannot tune this mount", "path", path)
+			return handleError(fmt.Errorf("cannot tune %q", path))
+		}
+	}
+
+	mountEntry := b.Core.router.MatchingMountEntry(ctx, path)
+	if mountEntry == nil {
+		b.Backend.Logger().Error("tune failed", "error", "no mount entry found", "path", path)
+		return handleError(fmt.Errorf("tune of path %q failed: no mount entry found", path))
+	}
+	if mountEntry != nil && !mountEntry.Local && repState.HasState(consts.ReplicationPerformanceSecondary) {
+		return nil, logical.ErrReadOnly
+	}
+
+	var lock *locking.DeadlockRWMutex
+	switch {
+	case strings.HasPrefix(path, credentialRoutePrefix):
+		lock = &b.Core.authLock
+	default:
+		lock = &b.Core.mountsLock
+	}
+
+	lock.Lock()
+	defer lock.Unlock()
+
+	// Check again after grabbing the lock
+	mountEntry = b.Core.router.MatchingMountEntry(ctx, path)
+	if mountEntry == nil {
+		b.Backend.Logger().Error("tune failed", "error", "no mount entry found", "path", path)
+		return handleError(fmt.Errorf("tune of path %q failed: no mount entry found", path))
+	}
+	if mountEntry != nil && !mountEntry.Local && repState.HasState(consts.ReplicationPerformanceSecondary) {
+		return nil, logical.ErrReadOnly
+	}
+
+	// Timing configuration parameters
+	{
+		var newDefault, newMax time.Duration
+		defTTL := data.Get("default_lease_ttl").(string)
+		switch defTTL {
+		case "":
+			newDefault = mountEntry.Config.DefaultLeaseTTL
+		case "system":
+			newDefault = time.Duration(0)
+		default:
+			tmpDef, err := parseutil.ParseDurationSecond(defTTL)
+			if err != nil {
+				return handleError(err)
+			}
+			newDefault = tmpDef
+		}
+
+		maxTTL := data.Get("max_lease_ttl").(string)
+		switch maxTTL {
+		case "":
+			newMax = mountEntry.Config.MaxLeaseTTL
+		case "system":
+			newMax = time.Duration(0)
+		default:
+			tmpMax, err := parseutil.ParseDurationSecond(maxTTL)
+			if err != nil {
+				return handleError(err)
+			}
+			newMax = tmpMax
+		}
+
+		if newDefault != mountEntry.Config.DefaultLeaseTTL ||
+			newMax != mountEntry.Config.MaxLeaseTTL {
+
+			if err := b.tuneMountTTLs(ctx, path, mountEntry, newDefault, newMax); err != nil {
+				b.Backend.Logger().Error("tuning failed", "path", path, "error", err)
+				return handleError(err)
+			}
+		}
+	}
+
+	// user-lockout config
+	{
+		var apiuserLockoutConfig APIUserLockoutConfig
+
+		userLockoutConfigMap := data.Get("user_lockout_config").(map[string]interface{})
+		var err error
+		if userLockoutConfigMap != nil && len(userLockoutConfigMap) != 0 {
+			err := mapstructure.Decode(userLockoutConfigMap, &apiuserLockoutConfig)
+			if err != nil {
+				return logical.ErrorResponse(
+						"unable to convert given user lockout config information"),
+					logical.ErrInvalidRequest
+			}
+
+			// Supported auth methods for user lockout configuration: ldap, approle, userpass
+			switch strings.ToLower(mountEntry.Type) {
+			case "ldap", "approle", "userpass":
+			default:
+				return logical.ErrorResponse("tuning of user lockout configuration for auth type %q not allowed", mountEntry.Type),
+					logical.ErrInvalidRequest
+
+			}
+		}
+
+		if len(userLockoutConfigMap) > 0 && mountEntry.Config.UserLockoutConfig == nil {
+			mountEntry.Config.UserLockoutConfig = &UserLockoutConfig{}
+		}
+
+		var oldUserLockoutThreshold uint64
+		var newUserLockoutDuration, oldUserLockoutDuration time.Duration
+		var newUserLockoutCounterReset, oldUserLockoutCounterReset time.Duration
+		var oldUserLockoutDisable bool
+
+		if apiuserLockoutConfig.LockoutThreshold != "" {
+			userLockoutThreshold, err := strconv.ParseUint(apiuserLockoutConfig.LockoutThreshold, 10, 64)
+			if err != nil {
+				return nil, fmt.Errorf("unable to parse user lockout threshold: %w", err)
+			}
+			oldUserLockoutThreshold = mountEntry.Config.UserLockoutConfig.LockoutThreshold
+			mountEntry.Config.UserLockoutConfig.LockoutThreshold = userLockoutThreshold
+		}
+
+		if apiuserLockoutConfig.LockoutDuration != "" {
+			oldUserLockoutDuration = mountEntry.Config.UserLockoutConfig.LockoutDuration
+			switch apiuserLockoutConfig.LockoutDuration {
+			case "":
+				newUserLockoutDuration = oldUserLockoutDuration
+			case "system":
+				newUserLockoutDuration = time.Duration(0)
+			default:
+				tmpUserLockoutDuration, err := parseutil.ParseDurationSecond(apiuserLockoutConfig.LockoutDuration)
+				if err != nil {
+					return handleError(err)
+				}
+				newUserLockoutDuration = tmpUserLockoutDuration
+
+			}
+			mountEntry.Config.UserLockoutConfig.LockoutDuration = newUserLockoutDuration
+		}
+
+		if apiuserLockoutConfig.LockoutCounterResetDuration != "" {
+			oldUserLockoutCounterReset = mountEntry.Config.UserLockoutConfig.LockoutCounterReset
+			switch apiuserLockoutConfig.LockoutCounterResetDuration {
+			case "":
+				newUserLockoutCounterReset = oldUserLockoutCounterReset
+			case "system":
+				newUserLockoutCounterReset = time.Duration(0)
+			default:
+				tmpUserLockoutCounterReset, err := parseutil.ParseDurationSecond(apiuserLockoutConfig.LockoutCounterResetDuration)
+				if err != nil {
+					return handleError(err)
+				}
+				newUserLockoutCounterReset = tmpUserLockoutCounterReset
+			}
+
+			mountEntry.Config.UserLockoutConfig.LockoutCounterReset = newUserLockoutCounterReset
+		}
+
+		if apiuserLockoutConfig.DisableLockout != nil {
+			oldUserLockoutDisable = mountEntry.Config.UserLockoutConfig.DisableLockout
+			userLockoutDisable := apiuserLockoutConfig.DisableLockout
+			mountEntry.Config.UserLockoutConfig.DisableLockout = *userLockoutDisable
+		}
+
+		// Update the mount table
+		if len(userLockoutConfigMap) > 0 {
+			switch {
+			case strings.HasPrefix(path, "auth/"):
+				err = b.Core.persistAuth(ctx, b.Core.auth, &mountEntry.Local)
+			default:
+				err = b.Core.persistMounts(ctx, b.Core.mounts, &mountEntry.Local)
+			}
+			if err != nil {
+				mountEntry.Config.UserLockoutConfig.LockoutCounterReset = oldUserLockoutCounterReset
+				mountEntry.Config.UserLockoutConfig.LockoutThreshold = oldUserLockoutThreshold
+				mountEntry.Config.UserLockoutConfig.LockoutDuration = oldUserLockoutDuration
+				mountEntry.Config.UserLockoutConfig.DisableLockout = oldUserLockoutDisable
+				return handleError(err)
+			}
+			if b.Core.logger.IsInfo() {
+				b.Core.logger.Info("tuning of user_lockout_config successful", "path", path)
+			}
+		}
+
+	}
+	if rawVal, ok := data.GetOk("description"); ok {
+		description := rawVal.(string)
+
+		oldDesc := mountEntry.Description
+		mountEntry.Description = description
+
+		// Update the mount table
+		var err error
+		switch {
+		case strings.HasPrefix(path, "auth/"):
+			err = b.Core.persistAuth(ctx, b.Core.auth, &mountEntry.Local)
+		default:
+			err = b.Core.persistMounts(ctx, b.Core.mounts, &mountEntry.Local)
+		}
+		if err != nil {
+			mountEntry.Description = oldDesc
+			return handleError(err)
+		}
+		if b.Core.logger.IsInfo() {
+			b.Core.logger.Info("mount tuning of description successful", "path", path, "description", description)
+		}
+	}
+
+	if rawVal, ok := data.GetOk("plugin_version"); ok {
+		version := rawVal.(string)
+		semanticVersion, err := semver.NewVersion(version)
+		if err != nil {
+			return logical.ErrorResponse("version %q is not a valid semantic version: %s", version, err), nil
+		}
+		version = "v" + semanticVersion.String()
+
+		// Lookup the version to ensure it exists in the catalog before committing.
+		pluginType := consts.PluginTypeSecrets
+		if strings.HasPrefix(path, "auth/") {
+			pluginType = consts.PluginTypeCredential
+		}
+		_, err = b.System().LookupPluginVersion(ctx, mountEntry.Type, pluginType, version)
+		if err != nil {
+			return handleError(err)
+		}
+
+		oldVersion := mountEntry.Version
+		mountEntry.Version = version
+
+		// Update the mount table
+		switch {
+		case strings.HasPrefix(path, "auth/"):
+			err = b.Core.persistAuth(ctx, b.Core.auth, &mountEntry.Local)
+		default:
+			err = b.Core.persistMounts(ctx, b.Core.mounts, &mountEntry.Local)
+		}
+		if err != nil {
+			mountEntry.Version = oldVersion
+			return handleError(err)
+		}
+		if b.Core.logger.IsInfo() {
+			b.Core.logger.Info("mount tuning of version successful", "path", path, "version", version)
+		}
+	}
+
+	if rawVal, ok := data.GetOk("audit_non_hmac_request_keys"); ok {
+		auditNonHMACRequestKeys := rawVal.([]string)
+
+		oldVal := mountEntry.Config.AuditNonHMACRequestKeys
+		mountEntry.Config.AuditNonHMACRequestKeys = auditNonHMACRequestKeys
+
+		// Update the mount table
+		var err error
+		switch {
+		case strings.HasPrefix(path, "auth/"):
+			err = b.Core.persistAuth(ctx, b.Core.auth, &mountEntry.Local)
+		default:
+			err = b.Core.persistMounts(ctx, b.Core.mounts, &mountEntry.Local)
+		}
+		if err != nil {
+			mountEntry.Config.AuditNonHMACRequestKeys = oldVal
+			return handleError(err)
+		}
+
+		mountEntry.SyncCache()
+
+		if b.Core.logger.IsInfo() {
+			b.Core.logger.Info("mount tuning of audit_non_hmac_request_keys successful", "path", path)
+		}
+	}
+
+	if rawVal, ok := data.GetOk("audit_non_hmac_response_keys"); ok {
+		auditNonHMACResponseKeys := rawVal.([]string)
+
+		oldVal := mountEntry.Config.AuditNonHMACResponseKeys
+		mountEntry.Config.AuditNonHMACResponseKeys = auditNonHMACResponseKeys
+
+		// Update the mount table
+		var err error
+		switch {
+		case strings.HasPrefix(path, "auth/"):
+			err = b.Core.persistAuth(ctx, b.Core.auth, &mountEntry.Local)
+		default:
+			err = b.Core.persistMounts(ctx, b.Core.mounts, &mountEntry.Local)
+		}
+		if err != nil {
+			mountEntry.Config.AuditNonHMACResponseKeys = oldVal
+			return handleError(err)
+		}
+
+		mountEntry.SyncCache()
+
+		if b.Core.logger.IsInfo() {
+			b.Core.logger.Info("mount tuning of audit_non_hmac_response_keys successful", "path", path)
+		}
+	}
+
+	if rawVal, ok := data.GetOk("listing_visibility"); ok {
+		lvString := rawVal.(string)
+		listingVisibility := ListingVisibilityType(lvString)
+
+		if err := checkListingVisibility(listingVisibility); err != nil {
+			return logical.ErrorResponse(fmt.Sprintf("invalid listing_visibility %s", listingVisibility)), nil
+		}
+
+		oldVal := mountEntry.Config.ListingVisibility
+		mountEntry.Config.ListingVisibility = listingVisibility
+
+		// Update the mount table
+		var err error
+		switch {
+		case strings.HasPrefix(path, "auth/"):
+			err = b.Core.persistAuth(ctx, b.Core.auth, &mountEntry.Local)
+		default:
+			err = b.Core.persistMounts(ctx, b.Core.mounts, &mountEntry.Local)
+		}
+		if err != nil {
+			mountEntry.Config.ListingVisibility = oldVal
+			return handleError(err)
+		}
+
+		if b.Core.logger.IsInfo() {
+			b.Core.logger.Info("mount tuning of listing_visibility successful", "path", path)
+		}
+	}
+
+	if rawVal, ok := data.GetOk("token_type"); ok {
+		if !strings.HasPrefix(path, "auth/") {
+			return logical.ErrorResponse(fmt.Sprintf("'token_type' can only be modified on auth mounts")), logical.ErrInvalidRequest
+		}
+		if mountEntry.Type == mountTypeToken || mountEntry.Type == mountTypeNSToken {
+			return logical.ErrorResponse(fmt.Sprintf("'token_type' cannot be set for 'token' or 'ns_token' auth mounts")), logical.ErrInvalidRequest
+		}
+
+		tokenType := logical.TokenTypeDefaultService
+		ttString := rawVal.(string)
+
+		switch ttString {
+		case "", "default-service":
+		case "default-batch":
+			tokenType = logical.TokenTypeDefaultBatch
+		case "service":
+			tokenType = logical.TokenTypeService
+		case "batch":
+			tokenType = logical.TokenTypeBatch
+		default:
+			return logical.ErrorResponse(fmt.Sprintf(
+				"invalid value for 'token_type'")), logical.ErrInvalidRequest
+		}
+
+		oldVal := mountEntry.Config.TokenType
+		mountEntry.Config.TokenType = tokenType
+
+		// Update the mount table
+		if err := b.Core.persistAuth(ctx, b.Core.auth, &mountEntry.Local); err != nil {
+			mountEntry.Config.TokenType = oldVal
+			return handleError(err)
+		}
+
+		if b.Core.logger.IsInfo() {
+			b.Core.logger.Info("mount tuning of token_type successful", "path", path, "token_type", ttString)
+		}
+	}
+
+	if rawVal, ok := data.GetOk("passthrough_request_headers"); ok {
+		headers := rawVal.([]string)
+
+		oldVal := mountEntry.Config.PassthroughRequestHeaders
+		mountEntry.Config.PassthroughRequestHeaders = headers
+
+		// Update the mount table
+		var err error
+		switch {
+		case strings.HasPrefix(path, "auth/"):
+			err = b.Core.persistAuth(ctx, b.Core.auth, &mountEntry.Local)
+		default:
+			err = b.Core.persistMounts(ctx, b.Core.mounts, &mountEntry.Local)
+		}
+		if err != nil {
+			mountEntry.Config.PassthroughRequestHeaders = oldVal
+			return handleError(err)
+		}
+
+		mountEntry.SyncCache()
+
+		if b.Core.logger.IsInfo() {
+			b.Core.logger.Info("mount tuning of passthrough_request_headers successful", "path", path)
+		}
+	}
+
+	if rawVal, ok := data.GetOk("allowed_response_headers"); ok {
+		headers := rawVal.([]string)
+		oldVal := mountEntry.Config.AllowedResponseHeaders
+		mountEntry.Config.AllowedResponseHeaders = headers
+
+		// Update the mount table
+		var err error
+		switch {
+		case strings.HasPrefix(path, "auth/"):
+			err = b.Core.persistAuth(ctx, b.Core.auth, &mountEntry.Local)
+		default:
+			err = b.Core.persistMounts(ctx, b.Core.mounts, &mountEntry.Local)
+		}
+		if err != nil {
+			mountEntry.Config.AllowedResponseHeaders = oldVal
+			return handleError(err)
+		}
+
+		mountEntry.SyncCache()
+
+		if b.Core.logger.IsInfo() {
+			b.Core.logger.Info("mount tuning of allowed_response_headers successful", "path", path)
+		}
+	}
+
+	if rawVal, ok := data.GetOk("allowed_managed_keys"); ok {
+		allowedManagedKeys := rawVal.([]string)
+
+		oldVal := mountEntry.Config.AllowedManagedKeys
+		mountEntry.Config.AllowedManagedKeys = allowedManagedKeys
+
+		// Update the mount table
+		var err error
+		switch {
+		case strings.HasPrefix(path, "auth/"):
+			err = b.Core.persistAuth(ctx, b.Core.auth, &mountEntry.Local)
+		default:
+			err = b.Core.persistMounts(ctx, b.Core.mounts, &mountEntry.Local)
+		}
+		if err != nil {
+			mountEntry.Config.AllowedManagedKeys = oldVal
+			return handleError(err)
+		}
+
+		mountEntry.SyncCache()
+
+		if b.Core.logger.IsInfo() {
+			b.Core.logger.Info("mount tuning of allowed_managed_keys successful", "path", path)
+		}
+	}
+
+	if rawVal, ok := data.GetOk("delegated_auth_accessors"); ok {
+		delegatedAuthAccessors := rawVal.([]string)
+
+		oldVal := mountEntry.Config.DelegatedAuthAccessors
+		mountEntry.Config.DelegatedAuthAccessors = delegatedAuthAccessors
+
+		// Update the mount table
+		var err error
+		switch {
+		case strings.HasPrefix(path, "auth/"):
+			err = b.Core.persistAuth(ctx, b.Core.auth, &mountEntry.Local)
+		default:
+			err = b.Core.persistMounts(ctx, b.Core.mounts, &mountEntry.Local)
+		}
+		if err != nil {
+			mountEntry.Config.DelegatedAuthAccessors = oldVal
+			return handleError(err)
+		}
+
+		mountEntry.SyncCache()
+
+		if b.Core.logger.IsInfo() {
+			b.Core.logger.Info("mount tuning of delegated_auth_accessors successful", "path", path)
+		}
+	}
+
+	var err error
+	var resp *logical.Response
+	var options map[string]string
+	if optionsRaw, ok := data.GetOk("options"); ok {
+		options = optionsRaw.(map[string]string)
+	}
+
+	if len(options) > 0 {
+		b.Core.logger.Info("mount tuning of options", "path", path, "options", options)
+		newOptions := make(map[string]string)
+		var kvUpgraded bool
+
+		// The version options should only apply to the KV mount, check that first
+		if v, ok := options["version"]; ok {
+			// Special case to make sure we can not disable versioning once it's
+			// enabled. If the vkv backend suports downgrading this can be removed.
+			meVersion, err := parseutil.ParseInt(mountEntry.Options["version"])
+			if err != nil {
+				return nil, fmt.Errorf("unable to parse mount entry: %w", err)
+			}
+			optVersion, err := parseutil.ParseInt(v)
+			if err != nil {
+				return handleError(fmt.Errorf("unable to parse options: %w", err))
+			}
+
+			// Only accept valid versions
+			switch optVersion {
+			case 1:
+			case 2:
+			default:
+				return logical.ErrorResponse(fmt.Sprintf("invalid version provided: %d", optVersion)), logical.ErrInvalidRequest
+			}
+
+			if meVersion > optVersion {
+				// Return early if version option asks for a downgrade
+				return logical.ErrorResponse(fmt.Sprintf("cannot downgrade mount from version %d", meVersion)), logical.ErrInvalidRequest
+			}
+			if meVersion < optVersion {
+				kvUpgraded = true
+				resp = &logical.Response{}
+				resp.AddWarning(fmt.Sprintf("Upgrading mount from version %d to version %d. This mount will be unavailable for a brief period and will resume service shortly.", meVersion, optVersion))
+			}
+		}
+
+		// Upsert options value to a copy of the existing mountEntry's options
+		for k, v := range mountEntry.Options {
+			newOptions[k] = v
+		}
+		for k, v := range options {
+			// If the value of the provided option is empty, delete the key We
+			// special-case the version value here to guard against KV downgrades, but
+			// this piece could potentially be refactored in the future to be non-KV
+			// specific.
+			if len(v) == 0 && k != "version" {
+				delete(newOptions, k)
+			} else {
+				newOptions[k] = v
+			}
+		}
+
+		// Update the mount table
+		oldVal := mountEntry.Options
+		mountEntry.Options = newOptions
+		switch {
+		case strings.HasPrefix(path, "auth/"):
+			err = b.Core.persistAuth(ctx, b.Core.auth, &mountEntry.Local)
+		default:
+			err = b.Core.persistMounts(ctx, b.Core.mounts, &mountEntry.Local)
+		}
+		if err != nil {
+			mountEntry.Options = oldVal
+			return handleError(err)
+		}
+
+		// Reload the backend to kick off the upgrade process. It should only apply to KV backend so we
+		// trigger based on the version logic above.
+		if kvUpgraded {
+			err = b.Core.reloadBackendCommon(ctx, mountEntry, strings.HasPrefix(path, credentialRoutePrefix))
+			if err != nil {
+				b.Core.logger.Error("mount tuning of options: could not reload backend", "error", err, "path", path, "options", options)
+			}
+
+		}
+	}
+
+	return resp, nil
+}
+
+// handleLockedUsersMetricQuery reports the locked user count metrics for this namespace and all child namespaces
+// if mount_accessor in request, returns the locked user metrics for that mount accessor for namespace in ctx
+func (b *SystemBackend) handleLockedUsersMetricQuery(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	var mountAccessor string
+	if mountAccessorRaw, ok := d.GetOk("mount_accessor"); ok {
+		mountAccessor = mountAccessorRaw.(string)
+	}
+
+	results, err := b.handleLockedUsersQuery(ctx, mountAccessor)
+	if err != nil {
+		return nil, err
+	}
+	if results == nil {
+		return logical.RespondWithStatusCode(nil, req, http.StatusNoContent)
+	}
+
+	return &logical.Response{
+		Data: results,
+	}, nil
+}
+
+// handleUnlockUser is used to unlock user with given mount_accessor and alias_identifier if locked
+func (b *SystemBackend) handleUnlockUser(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	mountAccessor := data.Get("mount_accessor").(string)
+	if mountAccessor == "" {
+		return logical.ErrorResponse(
+				"missing mount_accessor"),
+			logical.ErrInvalidRequest
+	}
+
+	aliasName := data.Get("alias_identifier").(string)
+	if aliasName == "" {
+		return logical.ErrorResponse(
+				"missing alias_identifier"),
+			logical.ErrInvalidRequest
+	}
+
+	if err := unlockUser(ctx, b.Core, mountAccessor, aliasName); err != nil {
+		b.Backend.Logger().Error("unlock user failed", "mount accessor", mountAccessor, "alias identifier", aliasName, "error", err)
+		return handleError(err)
+	}
+
+	return nil, nil
+}
+
+// handleLease is use to view the metadata for a given LeaseID
+func (b *SystemBackend) handleLeaseLookup(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	leaseID := data.Get("lease_id").(string)
+	if leaseID == "" {
+		return logical.ErrorResponse("lease_id must be specified"),
+			logical.ErrInvalidRequest
+	}
+
+	leaseTimes, err := b.Core.expiration.FetchLeaseTimes(ctx, leaseID)
+	if err != nil {
+		b.Backend.Logger().Error("error retrieving lease", "lease_id", leaseID, "error", err)
+		return handleError(err)
+	}
+	if leaseTimes == nil {
+		return logical.ErrorResponse("invalid lease"), logical.ErrInvalidRequest
+	}
+
+	resp := &logical.Response{
+		Data: map[string]interface{}{
+			"id":           leaseID,
+			"issue_time":   leaseTimes.IssueTime,
+			"expire_time":  nil,
+			"last_renewal": nil,
+			"ttl":          int64(0),
+		},
+	}
+	renewable, _ := leaseTimes.renewable()
+	resp.Data["renewable"] = renewable
+
+	if !leaseTimes.LastRenewalTime.IsZero() {
+		resp.Data["last_renewal"] = leaseTimes.LastRenewalTime
+	}
+	if !leaseTimes.ExpireTime.IsZero() {
+		resp.Data["expire_time"] = leaseTimes.ExpireTime
+		resp.Data["ttl"] = leaseTimes.ttl()
+	}
+	return resp, nil
+}
+
+func (b *SystemBackend) handleLeaseLookupList(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	prefix := data.Get("prefix").(string)
+	if prefix != "" && !strings.HasSuffix(prefix, "/") {
+		prefix = prefix + "/"
+	}
+
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+	view := b.Core.expiration.leaseView(ns)
+	keys, err := view.List(ctx, prefix)
+	if err != nil {
+		b.Backend.Logger().Error("error listing leases", "prefix", prefix, "error", err)
+		return handleErrorNoReadOnlyForward(err)
+	}
+	return logical.ListResponse(keys), nil
+}
+
+// handleRenew is used to renew a lease with a given LeaseID
+func (b *SystemBackend) handleRenew(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	// Get all the options
+	leaseID := data.Get("lease_id").(string)
+	if leaseID == "" {
+		leaseID = data.Get("url_lease_id").(string)
+	}
+	if leaseID == "" {
+		return logical.ErrorResponse("lease_id must be specified"),
+			logical.ErrInvalidRequest
+	}
+	incrementRaw := data.Get("increment").(int)
+
+	// Convert the increment
+	increment := time.Duration(incrementRaw) * time.Second
+
+	// Invoke the expiration manager directly
+	resp, err := b.Core.expiration.Renew(ctx, leaseID, increment)
+	if err != nil {
+		b.Backend.Logger().Error("lease renewal failed", "lease_id", leaseID, "error", err)
+		return handleErrorNoReadOnlyForward(err)
+	}
+	return resp, err
+}
+
+// handleRevoke is used to revoke a given LeaseID
+func (b *SystemBackend) handleRevoke(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	// Get all the options
+	leaseID := data.Get("lease_id").(string)
+	if leaseID == "" {
+		leaseID = data.Get("url_lease_id").(string)
+	}
+	if leaseID == "" {
+		return logical.ErrorResponse("lease_id must be specified"),
+			logical.ErrInvalidRequest
+	}
+
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+	revokeCtx := namespace.ContextWithNamespace(b.Core.activeContext, ns)
+	if data.Get("sync").(bool) {
+		// Invoke the expiration manager directly
+		if err := b.Core.expiration.Revoke(revokeCtx, leaseID); err != nil {
+			b.Backend.Logger().Error("lease revocation failed", "lease_id", leaseID, "error", err)
+			return handleErrorNoReadOnlyForward(err)
+		}
+
+		return nil, nil
+	}
+
+	if err := b.Core.expiration.LazyRevoke(revokeCtx, leaseID); err != nil {
+		b.Backend.Logger().Error("lease revocation failed", "lease_id", leaseID, "error", err)
+		return handleErrorNoReadOnlyForward(err)
+	}
+
+	return logical.RespondWithStatusCode(nil, nil, http.StatusAccepted)
+}
+
+// handleRevokePrefix is used to revoke a prefix with many LeaseIDs
+func (b *SystemBackend) handleRevokePrefix(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	return b.handleRevokePrefixCommon(ctx, req, data, false, data.Get("sync").(bool))
+}
+
+// handleRevokeForce is used to revoke a prefix with many LeaseIDs, ignoring errors
+func (b *SystemBackend) handleRevokeForce(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	return b.handleRevokePrefixCommon(ctx, req, data, true, true)
+}
+
+// handleRevokePrefixCommon is used to revoke a prefix with many LeaseIDs
+func (b *SystemBackend) handleRevokePrefixCommon(ctx context.Context,
+	req *logical.Request, data *framework.FieldData, force, sync bool,
+) (*logical.Response, error) {
+	// Get all the options
+	prefix := data.Get("prefix").(string)
+
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	// Invoke the expiration manager directly
+	revokeCtx := namespace.ContextWithNamespace(b.Core.activeContext, ns)
+	if force {
+		err = b.Core.expiration.RevokeForce(revokeCtx, prefix)
+	} else {
+		err = b.Core.expiration.RevokePrefix(revokeCtx, prefix, sync)
+	}
+	if err != nil {
+		b.Backend.Logger().Error("revoke prefix failed", "prefix", prefix, "error", err)
+		return handleErrorNoReadOnlyForward(err)
+	}
+
+	if sync {
+		return nil, nil
+	}
+
+	return logical.RespondWithStatusCode(nil, nil, http.StatusAccepted)
+}
+
+// handleAuthTable handles the "auth" endpoint to provide the auth table
+func (b *SystemBackend) handleAuthTable(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	b.Core.authLock.RLock()
+	defer b.Core.authLock.RUnlock()
+
+	resp := &logical.Response{
+		Data: make(map[string]interface{}),
+	}
+
+	for _, entry := range b.Core.auth.Entries {
+		// Only show entries for current namespace
+		if entry.Namespace().Path != ns.Path {
+			continue
+		}
+
+		cont, err := b.Core.checkReplicatedFiltering(ctx, entry, credentialRoutePrefix)
+		if err != nil {
+			return nil, err
+		}
+		if cont {
+			continue
+		}
+
+		info := b.mountInfo(ctx, entry)
+		resp.Data[entry.Path] = info
+	}
+
+	return resp, nil
+}
+
+func (b *SystemBackend) handleReadAuth(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	path := data.Get("path").(string)
+	path = sanitizePath(path)
+
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	b.Core.authLock.RLock()
+	defer b.Core.authLock.RUnlock()
+
+	for _, entry := range b.Core.auth.Entries {
+		// Only show entry for current namespace
+		if entry.Namespace().Path != ns.Path || entry.Path != path {
+			continue
+		}
+
+		cont, err := b.Core.checkReplicatedFiltering(ctx, entry, credentialRoutePrefix)
+		if err != nil {
+			return nil, err
+		}
+		if cont {
+			continue
+		}
+
+		return &logical.Response{
+			Data: b.mountInfo(ctx, entry),
+		}, nil
+	}
+
+	return logical.ErrorResponse("No auth engine at %s", path), nil
+}
+
+func expandStringValsWithCommas(configMap map[string]interface{}) error {
+	configParamNameSlice := []string{
+		"audit_non_hmac_request_keys",
+		"audit_non_hmac_response_keys",
+		"passthrough_request_headers",
+		"allowed_response_headers",
+		"allowed_managed_keys",
+	}
+	for _, paramName := range configParamNameSlice {
+		if raw, ok := configMap[paramName]; ok {
+			switch t := raw.(type) {
+			case string:
+				// To be consistent with auth tune, and in cases where a single comma separated strings
+				// is provided in the curl command, we split the entries by the commas.
+				rawNew := raw.(string)
+				res, err := parseutil.ParseCommaStringSlice(rawNew)
+				if err != nil {
+					return fmt.Errorf("invalid input parameter %v of type %v", paramName, t)
+				}
+				configMap[paramName] = res
+			}
+		}
+	}
+	return nil
+}
+
+// handleEnableAuth is used to enable a new credential backend
+func (b *SystemBackend) handleEnableAuth(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	repState := b.Core.ReplicationState()
+	local := data.Get("local").(bool)
+
+	// If we are a performance secondary cluster we should forward the request
+	// to the primary. We fail early here since the view in use isn't marked as
+	// readonly
+	if !local && repState.HasState(consts.ReplicationPerformanceSecondary) {
+		return nil, logical.ErrReadOnly
+	}
+
+	// Get all the options
+	path := data.Get("path").(string)
+	path = sanitizePath(path)
+	logicalType := data.Get("type").(string)
+	description := data.Get("description").(string)
+	pluginName := data.Get("plugin_name").(string)
+	sealWrap := data.Get("seal_wrap").(bool)
+	externalEntropyAccess := data.Get("external_entropy_access").(bool)
+	options := data.Get("options").(map[string]string)
+
+	var config MountConfig
+	var apiConfig APIMountConfig
+
+	configMap := data.Get("config").(map[string]interface{})
+	// Augmenting configMap for some config options to treat them as comma separated entries
+	err := expandStringValsWithCommas(configMap)
+	if err != nil {
+		return logical.ErrorResponse(
+				"unable to parse given auth config information"),
+			logical.ErrInvalidRequest
+	}
+	if configMap != nil && len(configMap) != 0 {
+		err := mapstructure.Decode(configMap, &apiConfig)
+		if err != nil {
+			return logical.ErrorResponse(
+					"unable to convert given auth config information"),
+				logical.ErrInvalidRequest
+		}
+	}
+
+	switch apiConfig.DefaultLeaseTTL {
+	case "":
+	case "system":
+	default:
+		tmpDef, err := parseutil.ParseDurationSecond(apiConfig.DefaultLeaseTTL)
+		if err != nil {
+			return logical.ErrorResponse(fmt.Sprintf(
+					"unable to parse default TTL of %s: %s", apiConfig.DefaultLeaseTTL, err)),
+				logical.ErrInvalidRequest
+		}
+		config.DefaultLeaseTTL = tmpDef
+	}
+
+	switch apiConfig.MaxLeaseTTL {
+	case "":
+	case "system":
+	default:
+		tmpMax, err := parseutil.ParseDurationSecond(apiConfig.MaxLeaseTTL)
+		if err != nil {
+			return logical.ErrorResponse(fmt.Sprintf(
+					"unable to parse max TTL of %s: %s", apiConfig.MaxLeaseTTL, err)),
+				logical.ErrInvalidRequest
+		}
+		config.MaxLeaseTTL = tmpMax
+	}
+
+	if config.MaxLeaseTTL != 0 && config.DefaultLeaseTTL > config.MaxLeaseTTL {
+		return logical.ErrorResponse(
+				"given default lease TTL greater than given max lease TTL"),
+			logical.ErrInvalidRequest
+	}
+
+	if config.DefaultLeaseTTL > b.Core.maxLeaseTTL && config.MaxLeaseTTL == 0 {
+		return logical.ErrorResponse(fmt.Sprintf(
+				"given default lease TTL greater than system max lease TTL of %d", int(b.Core.maxLeaseTTL.Seconds()))),
+			logical.ErrInvalidRequest
+	}
+
+	switch apiConfig.TokenType {
+	case "", "default-service":
+		config.TokenType = logical.TokenTypeDefaultService
+	case "default-batch":
+		config.TokenType = logical.TokenTypeDefaultBatch
+	case "service":
+		config.TokenType = logical.TokenTypeService
+	case "batch":
+		config.TokenType = logical.TokenTypeBatch
+	default:
+		return logical.ErrorResponse(fmt.Sprintf(
+			"invalid value for 'token_type'")), logical.ErrInvalidRequest
+	}
+
+	switch logicalType {
+	case "":
+		return logical.ErrorResponse(
+				"backend type must be specified as a string"),
+			logical.ErrInvalidRequest
+	case "plugin":
+		// Only set plugin name if mount is of type plugin, with apiConfig.PluginName
+		// option taking precedence.
+		switch {
+		case apiConfig.PluginName != "":
+			logicalType = apiConfig.PluginName
+		case pluginName != "":
+			logicalType = pluginName
+		default:
+			return logical.ErrorResponse(
+					"plugin_name must be provided for plugin backend"),
+				logical.ErrInvalidRequest
+		}
+	}
+
+	pluginVersion, response, err := b.validateVersion(ctx, apiConfig.PluginVersion, logicalType, consts.PluginTypeCredential)
+	if response != nil || err != nil {
+		return response, err
+	}
+
+	if options != nil && options["version"] != "" {
+		return logical.ErrorResponse(fmt.Sprintf(
+				"auth method %q does not allow setting a version", logicalType)),
+			logical.ErrInvalidRequest
+	}
+
+	if err := checkListingVisibility(apiConfig.ListingVisibility); err != nil {
+		return logical.ErrorResponse(fmt.Sprintf("invalid listing_visibility %s", apiConfig.ListingVisibility)), nil
+	}
+	config.ListingVisibility = apiConfig.ListingVisibility
+
+	if len(apiConfig.AuditNonHMACRequestKeys) > 0 {
+		config.AuditNonHMACRequestKeys = apiConfig.AuditNonHMACRequestKeys
+	}
+	if len(apiConfig.AuditNonHMACResponseKeys) > 0 {
+		config.AuditNonHMACResponseKeys = apiConfig.AuditNonHMACResponseKeys
+	}
+	if len(apiConfig.PassthroughRequestHeaders) > 0 {
+		config.PassthroughRequestHeaders = apiConfig.PassthroughRequestHeaders
+	}
+	if len(apiConfig.AllowedResponseHeaders) > 0 {
+		config.AllowedResponseHeaders = apiConfig.AllowedResponseHeaders
+	}
+	if len(apiConfig.AllowedManagedKeys) > 0 {
+		config.AllowedManagedKeys = apiConfig.AllowedManagedKeys
+	}
+
+	// Create the mount entry
+	me := &MountEntry{
+		Table:                 credentialTableType,
+		Path:                  path,
+		Type:                  logicalType,
+		Description:           description,
+		Config:                config,
+		Local:                 local,
+		SealWrap:              sealWrap,
+		ExternalEntropyAccess: externalEntropyAccess,
+		Options:               options,
+		Version:               pluginVersion,
+	}
+
+	var resp *logical.Response
+	if b.Core.isMountEntryBuiltin(ctx, me, consts.PluginTypeCredential) {
+		resp, err = b.Core.handleDeprecatedMountEntry(ctx, me, consts.PluginTypeCredential)
+		if err != nil {
+			b.Core.logger.Error("could not mount builtin", "name", me.Type, "path", me.Path, "error", err)
+			return handleError(fmt.Errorf("could not mount %q: %w", me.Type, err))
+		}
+	}
+
+	// Attempt enabling
+	if err := b.Core.enableCredential(ctx, me); err != nil {
+		b.Backend.Logger().Error("error occurred during enable credential", "path", me.Path, "error", err)
+		return handleError(err)
+	}
+	return resp, nil
+}
+
+func (b *SystemBackend) validateVersion(ctx context.Context, version string, pluginName string, pluginType consts.PluginType) (string, *logical.Response, error) {
+	switch version {
+	case "":
+		var err error
+		version, err = selectPluginVersion(ctx, b.System(), pluginName, pluginType)
+		if err != nil {
+			return "", nil, err
+		}
+
+		if version != "" {
+			b.logger.Debug("pinning plugin version", "plugin type", pluginType.String(), "plugin name", pluginName, "plugin version", version)
+		}
+	default:
+		semanticVersion, err := semver.NewVersion(version)
+		if err != nil {
+			return "", logical.ErrorResponse("version %q is not a valid semantic version: %s", version, err), nil
+		}
+
+		// Canonicalize the version.
+		version = "v" + semanticVersion.String()
+
+		if version == versions.GetBuiltinVersion(pluginType, pluginName) {
+			unversionedPlugin, err := b.System().LookupPlugin(ctx, pluginName, pluginType)
+			if err == nil && !unversionedPlugin.Builtin {
+				// Builtin is overridden, return "not found" error.
+				return "", logical.ErrorResponse("%s plugin %q, version %s not found, as it is"+
+					" overridden by an unversioned plugin of the same name. Omit `plugin_version` to use the unversioned plugin", pluginType.String(), pluginName, version), nil
+			}
+
+			// Don't put the builtin version in storage. Ensures that builtins
+			// can always be overridden, and upgrades are much simpler to handle.
+			version = ""
+		}
+	}
+
+	// if a non-builtin version is requested for a builtin plugin, return an error
+	if version != "" {
+		switch pluginType {
+		case consts.PluginTypeSecrets:
+			aliased, ok := mountAliases[pluginName]
+			if ok {
+				pluginName = aliased
+			}
+			if _, ok = b.Core.logicalBackends[pluginName]; ok {
+				if version != versions.GetBuiltinVersion(pluginType, pluginName) {
+					return "", logical.ErrorResponse("cannot select non-builtin version of secrets plugin %s", pluginName), nil
+				}
+			}
+		case consts.PluginTypeCredential:
+			aliased, ok := credentialAliases[pluginName]
+			if ok {
+				pluginName = aliased
+			}
+			if _, ok = b.Core.credentialBackends[pluginName]; ok {
+				if version != versions.GetBuiltinVersion(pluginType, pluginName) {
+					return "", logical.ErrorResponse("cannot select non-builtin version of auth plugin %s", pluginName), nil
+				}
+			}
+		}
+	}
+
+	return version, nil, nil
+}
+
+// handleDisableAuth is used to disable a credential backend
+func (b *SystemBackend) handleDisableAuth(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	path := data.Get("path").(string)
+	path = sanitizePath(path)
+
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+	fullPath := credentialRoutePrefix + path
+
+	repState := b.Core.ReplicationState()
+	entry := b.Core.router.MatchingMountEntry(ctx, fullPath)
+
+	// If we are a performance secondary cluster we should forward the request
+	// to the primary. We fail early here since the view in use isn't marked as
+	// readonly
+	if entry != nil && !entry.Local && repState.HasState(consts.ReplicationPerformanceSecondary) {
+		return nil, logical.ErrReadOnly
+	}
+
+	// We return success when the mount does not exist to not expose if the
+	// mount existed or not
+	match := b.Core.router.MatchingMount(ctx, fullPath)
+	if match == "" || ns.Path+fullPath != match {
+		return nil, nil
+	}
+
+	_, found := b.Core.router.MatchingStoragePrefixByAPIPath(ctx, fullPath)
+	if !found {
+		b.Backend.Logger().Error("unable to find storage for path", "path", fullPath)
+		return handleError(fmt.Errorf("unable to find storage for path: %q", fullPath))
+	}
+
+	// Attempt disable
+	if err := b.Core.disableCredential(ctx, path); err != nil {
+		b.Backend.Logger().Error("disable auth mount failed", "path", path, "error", err)
+		return handleError(err)
+	}
+
+	// Get the view path if available
+	var viewPath string
+	if entry != nil {
+		viewPath = entry.ViewPath()
+	}
+
+	// Remove from filtered mounts
+	if err := b.Core.removePathFromFilteredPaths(ctx, fullPath, viewPath); err != nil {
+		b.Backend.Logger().Error("filtered path removal failed", path, "error", err)
+		return handleError(err)
+	}
+
+	return nil, nil
+}
+
+// handlePoliciesList handles /sys/policy/ and /sys/policies/<type> endpoints to provide the enabled policies
+func (b *SystemBackend) handlePoliciesList(policyType PolicyType) framework.OperationFunc {
+	return func(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+		ns, err := namespace.FromContext(ctx)
+		if err != nil {
+			return nil, err
+		}
+		policies, err := b.Core.policyStore.ListPolicies(ctx, policyType)
+		if err != nil {
+			return nil, err
+		}
+
+		switch policyType {
+		case PolicyTypeACL:
+			// Add the special "root" policy if not egp and we are at the root namespace
+			if ns.ID == namespace.RootNamespaceID {
+				policies = append(policies, "root")
+			}
+			resp := logical.ListResponse(policies)
+
+			// If the request is from sys/policy/ we handle backwards compatibility
+			if strings.HasPrefix(req.Path, "policy") {
+				resp.Data["policies"] = resp.Data["keys"]
+			}
+			return resp, nil
+
+		case PolicyTypeRGP:
+			return logical.ListResponse(policies), nil
+
+		case PolicyTypeEGP:
+			nsScopedKeyInfo := getEGPListResponseKeyInfo(b, ns)
+			return &logical.Response{
+				Data: map[string]interface{}{
+					"keys":     policies,
+					"key_info": nsScopedKeyInfo,
+				},
+			}, nil
+		}
+
+		return logical.ErrorResponse("unknown policy type"), nil
+	}
+}
+
+// handlePoliciesRead handles the "/sys/policy/<name>" and "/sys/policies/<type>/<name>" endpoints to read a policy
+func (b *SystemBackend) handlePoliciesRead(policyType PolicyType) framework.OperationFunc {
+	return func(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+		name := data.Get("name").(string)
+
+		policy, err := b.Core.policyStore.GetPolicy(ctx, name, policyType)
+		if err != nil {
+			return handleError(err)
+		}
+
+		if policy == nil {
+			return nil, nil
+		}
+
+		// If the request is from sys/policy/ we handle backwards compatibility
+		var respDataPolicyName string
+		if policyType == PolicyTypeACL && strings.HasPrefix(req.Path, "policy") {
+			respDataPolicyName = "rules"
+		} else {
+			respDataPolicyName = "policy"
+		}
+
+		resp := &logical.Response{
+			Data: map[string]interface{}{
+				"name":             policy.Name,
+				respDataPolicyName: policy.Raw,
+			},
+		}
+
+		switch policy.Type {
+		case PolicyTypeRGP, PolicyTypeEGP:
+			addSentinelPolicyData(resp.Data, policy)
+		}
+
+		return resp, nil
+	}
+}
+
+// handlePoliciesSet handles the "/sys/policy/<name>" and "/sys/policies/<type>/<name>" endpoints to set a policy
+func (b *SystemBackend) handlePoliciesSet(policyType PolicyType) framework.OperationFunc {
+	return func(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+		var resp *logical.Response
+
+		ns, err := namespace.FromContext(ctx)
+		if err != nil {
+			return nil, err
+		}
+
+		name := data.Get("name").(string)
+		policy := &Policy{
+			Name:      strings.ToLower(name),
+			Type:      policyType,
+			namespace: ns,
+		}
+		if policy.Name == "" {
+			return logical.ErrorResponse("policy name must be provided in the URL"), nil
+		}
+		if name != policy.Name {
+			resp = &logical.Response{}
+			resp.AddWarning(fmt.Sprintf("policy name was converted to %s", policy.Name))
+		}
+
+		policy.Raw = data.Get("policy").(string)
+		if policy.Raw == "" && policyType == PolicyTypeACL && strings.HasPrefix(req.Path, "policy") {
+			policy.Raw = data.Get("rules").(string)
+			if resp == nil {
+				resp = &logical.Response{}
+			}
+			resp.AddWarning("'rules' is deprecated, please use 'policy' instead")
+		}
+		if policy.Raw == "" {
+			return logical.ErrorResponse("'policy' parameter not supplied or empty"), nil
+		}
+
+		if polBytes, err := base64.StdEncoding.DecodeString(policy.Raw); err == nil {
+			policy.Raw = string(polBytes)
+		}
+
+		switch policyType {
+		case PolicyTypeACL:
+			p, err := ParseACLPolicy(ns, policy.Raw)
+			if err != nil {
+				return handleError(err)
+			}
+			policy.Paths = p.Paths
+			policy.Templated = p.Templated
+
+		case PolicyTypeRGP, PolicyTypeEGP:
+
+		default:
+			return logical.ErrorResponse("unknown policy type"), nil
+		}
+
+		if policy.Type == PolicyTypeRGP || policy.Type == PolicyTypeEGP {
+			if errResp := inputSentinelPolicyData(data, policy); errResp != nil {
+				return errResp, nil
+			}
+		}
+
+		// Update the policy
+		if err := b.Core.policyStore.SetPolicy(ctx, policy); err != nil {
+			return handleError(err)
+		}
+
+		return resp, nil
+	}
+}
+
+func (b *SystemBackend) handlePoliciesDelete(policyType PolicyType) framework.OperationFunc {
+	return func(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+		name := data.Get("name").(string)
+
+		if err := b.Core.policyStore.DeletePolicy(ctx, name, policyType); err != nil {
+			return handleError(err)
+		}
+		return nil, nil
+	}
+}
+
+type passwordPolicyConfig struct {
+	HCLPolicy string `json:"policy"`
+}
+
+func getPasswordPolicyKey(policyName string) string {
+	return fmt.Sprintf("password_policy/%s", policyName)
+}
+
+const (
+	minPasswordLength = 4
+	maxPasswordLength = 100
+)
+
+// handlePoliciesPasswordList returns the list of password policies
+func (*SystemBackend) handlePoliciesPasswordList(ctx context.Context, req *logical.Request, data *framework.FieldData) (resp *logical.Response, err error) {
+	keys, err := logical.CollectKeysWithPrefix(ctx, req.Storage, "password_policy/")
+	if err != nil {
+		return nil, err
+	}
+	for i := range keys {
+		keys[i] = strings.TrimPrefix(keys[i], "password_policy/")
+	}
+	return logical.ListResponse(keys), nil
+}
+
+// handlePoliciesPasswordSet saves/updates password policies
+func (*SystemBackend) handlePoliciesPasswordSet(ctx context.Context, req *logical.Request, data *framework.FieldData) (resp *logical.Response, err error) {
+	policyName := data.Get("name").(string)
+	if policyName == "" {
+		return nil, logical.CodedError(http.StatusBadRequest, "missing policy name")
+	}
+
+	rawPolicy := data.Get("policy").(string)
+	if rawPolicy == "" {
+		return nil, logical.CodedError(http.StatusBadRequest, "missing policy")
+	}
+
+	// Optionally decode base64 string
+	decodedPolicy, err := base64.StdEncoding.DecodeString(rawPolicy)
+	if err == nil {
+		rawPolicy = string(decodedPolicy)
+	}
+
+	// Parse the policy to ensure that it's valid
+	policy, err := random.ParsePolicy(rawPolicy)
+	if err != nil {
+		return nil, logical.CodedError(http.StatusBadRequest, fmt.Sprintf("invalid password policy: %s", err))
+	}
+
+	if policy.Length > maxPasswordLength || policy.Length < minPasswordLength {
+		return nil, logical.CodedError(http.StatusBadRequest,
+			fmt.Sprintf("passwords must be between %d and %d characters", minPasswordLength, maxPasswordLength))
+	}
+
+	// Attempt to construct a test password from the rules to ensure that the policy isn't impossible
+	var testPassword []rune
+
+	for _, rule := range policy.Rules {
+		charsetRule, ok := rule.(random.CharsetRule)
+		if !ok {
+			return nil, logical.CodedError(http.StatusBadRequest, fmt.Sprintf("unexpected rule type %T", charsetRule))
+		}
+
+		for j := 0; j < charsetRule.MinLength(); j++ {
+			charIndex := rand.Intn(len(charsetRule.Chars()))
+			testPassword = append(testPassword, charsetRule.Chars()[charIndex])
+		}
+	}
+
+	for i := len(testPassword); i < policy.Length; i++ {
+		for _, rule := range policy.Rules {
+			if len(testPassword) >= policy.Length {
+				break
+			}
+			charsetRule, ok := rule.(random.CharsetRule)
+			if !ok {
+				return nil, logical.CodedError(http.StatusBadRequest, fmt.Sprintf("unexpected rule type %T", charsetRule))
+			}
+
+			charIndex := rand.Intn(len(charsetRule.Chars()))
+			testPassword = append(testPassword, charsetRule.Chars()[charIndex])
+		}
+	}
+
+	rand.Shuffle(policy.Length, func(i, j int) {
+		testPassword[i], testPassword[j] = testPassword[j], testPassword[i]
+	})
+
+	for _, rule := range policy.Rules {
+		if !rule.Pass(testPassword) {
+			return nil, logical.CodedError(http.StatusBadRequest, "unable to construct test password from provided policy: are the rules impossible?")
+		}
+	}
+
+	cfg := passwordPolicyConfig{
+		HCLPolicy: rawPolicy,
+	}
+	entry, err := logical.StorageEntryJSON(getPasswordPolicyKey(policyName), cfg)
+	if err != nil {
+		return nil, logical.CodedError(http.StatusInternalServerError, fmt.Sprintf("unable to save password policy: %s", err))
+	}
+
+	err = req.Storage.Put(ctx, entry)
+	if err != nil {
+		return nil, logical.CodedError(http.StatusInternalServerError,
+			fmt.Sprintf("failed to save policy to storage backend: %s", err))
+	}
+
+	return logical.RespondWithStatusCode(nil, req, http.StatusNoContent)
+}
+
+// handlePoliciesPasswordGet retrieves a password policy if it exists
+func (*SystemBackend) handlePoliciesPasswordGet(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	policyName := data.Get("name").(string)
+	if policyName == "" {
+		return nil, logical.CodedError(http.StatusBadRequest, "missing policy name")
+	}
+
+	cfg, err := retrievePasswordPolicy(ctx, req.Storage, policyName)
+	if err != nil {
+		return nil, logical.CodedError(http.StatusInternalServerError, "failed to retrieve password policy")
+	}
+	if cfg == nil {
+		return nil, logical.CodedError(http.StatusNotFound, "policy does not exist")
+	}
+
+	resp := &logical.Response{
+		Data: map[string]interface{}{
+			"policy": cfg.HCLPolicy,
+		},
+	}
+
+	return resp, nil
+}
+
+// retrievePasswordPolicy retrieves a password policy from the logical storage
+func retrievePasswordPolicy(ctx context.Context, storage logical.Storage, policyName string) (policyCfg *passwordPolicyConfig, err error) {
+	entry, err := storage.Get(ctx, getPasswordPolicyKey(policyName))
+	if err != nil {
+		return nil, err
+	}
+	if entry == nil {
+		return nil, nil
+	}
+
+	policyCfg = &passwordPolicyConfig{}
+	err = json.Unmarshal(entry.Value, &policyCfg)
+	if err != nil {
+		return nil, fmt.Errorf("failed to unmarshal stored data: %w", err)
+	}
+
+	return policyCfg, nil
+}
+
+// handlePoliciesPasswordDelete deletes a password policy if it exists
+func (*SystemBackend) handlePoliciesPasswordDelete(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	policyName := data.Get("name").(string)
+	if policyName == "" {
+		return nil, logical.CodedError(http.StatusBadRequest, "missing policy name")
+	}
+
+	err := req.Storage.Delete(ctx, getPasswordPolicyKey(policyName))
+	if err != nil {
+		return nil, logical.CodedError(http.StatusInternalServerError,
+			fmt.Sprintf("failed to delete password policy: %s", err))
+	}
+
+	return nil, nil
+}
+
+// handlePoliciesPasswordGenerate generates a password from the specified password policy
+func (*SystemBackend) handlePoliciesPasswordGenerate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	policyName := data.Get("name").(string)
+	if policyName == "" {
+		return nil, logical.CodedError(http.StatusBadRequest, "missing policy name")
+	}
+
+	cfg, err := retrievePasswordPolicy(ctx, req.Storage, policyName)
+	if err != nil {
+		return nil, logical.CodedError(http.StatusInternalServerError, "failed to retrieve password policy")
+	}
+	if cfg == nil {
+		return nil, logical.CodedError(http.StatusNotFound, "policy does not exist")
+	}
+
+	policy, err := random.ParsePolicy(cfg.HCLPolicy)
+	if err != nil {
+		return nil, logical.CodedError(http.StatusInternalServerError,
+			"stored password policy configuration failed to parse")
+	}
+
+	password, err := policy.Generate(ctx, nil)
+	if err != nil {
+		return nil, logical.CodedError(http.StatusInternalServerError,
+			fmt.Sprintf("failed to generate password from policy: %s", err))
+	}
+
+	resp := &logical.Response{
+		Data: map[string]interface{}{
+			"password": password,
+		},
+	}
+	return resp, nil
+}
+
+// handleAuditTable handles the "audit" endpoint to provide the audit table
+func (b *SystemBackend) handleAuditTable(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	b.Core.auditLock.RLock()
+	defer b.Core.auditLock.RUnlock()
+
+	resp := &logical.Response{
+		Data: make(map[string]interface{}),
+	}
+	for _, entry := range b.Core.audit.Entries {
+		info := map[string]interface{}{
+			"path":        entry.Path,
+			"type":        entry.Type,
+			"description": entry.Description,
+			"options":     entry.Options,
+			"local":       entry.Local,
+		}
+		resp.Data[entry.Path] = info
+	}
+	return resp, nil
+}
+
+// handleAuditHash is used to fetch the hash of the given input data with the
+// specified audit backend's salt
+func (b *SystemBackend) handleAuditHash(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	path := data.Get("path").(string)
+	input := data.Get("input").(string)
+	if input == "" {
+		return logical.ErrorResponse("the \"input\" parameter is empty"), nil
+	}
+
+	path = sanitizePath(path)
+
+	hash, err := b.Core.auditBroker.GetHash(ctx, path, input)
+	if err != nil {
+		return logical.ErrorResponse(err.Error()), nil
+	}
+
+	return &logical.Response{
+		Data: map[string]interface{}{
+			"hash": hash,
+		},
+	}, nil
+}
+
+// handleEnableAudit is used to enable a new audit backend
+func (b *SystemBackend) handleEnableAudit(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	repState := b.Core.ReplicationState()
+
+	local := data.Get("local").(bool)
+	// If we are a performance secondary cluster we should forward the request
+	// to the primary. We fail early here since the view in use isn't marked as
+	// readonly
+	if !local && repState.HasState(consts.ReplicationPerformanceSecondary) {
+		return nil, logical.ErrReadOnly
+	}
+
+	// Get all the options
+	path := data.Get("path").(string)
+	backendType := data.Get("type").(string)
+	description := data.Get("description").(string)
+	options := data.Get("options").(map[string]string)
+
+	// Create the mount entry
+	me := &MountEntry{
+		Table:       auditTableType,
+		Path:        path,
+		Type:        backendType,
+		Description: description,
+		Options:     options,
+		Local:       local,
+	}
+
+	// Attempt enabling
+	if err := b.Core.enableAudit(ctx, me, true); err != nil {
+		b.Backend.Logger().Error("enable audit mount failed", "path", me.Path, "error", err)
+		return handleError(err)
+	}
+	return nil, nil
+}
+
+// handleDisableAudit is used to disable an audit backend
+func (b *SystemBackend) handleDisableAudit(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	path := data.Get("path").(string)
+
+	if !strings.HasSuffix(path, "/") {
+		path += "/"
+	}
+
+	if path == "/" {
+		return handleError(errors.New("audit device path must be specified"))
+	}
+
+	b.Core.auditLock.RLock()
+	table := b.Core.audit.shallowClone()
+	entry, err := table.find(ctx, path)
+	b.Core.auditLock.RUnlock()
+
+	if err != nil {
+		return handleError(err)
+	}
+	if entry == nil {
+		return nil, nil
+	}
+
+	repState := b.Core.ReplicationState()
+
+	// If we are a performance secondary cluster we should forward the request
+	// to the primary. We fail early here since the view in use isn't marked as
+	// readonly
+	if !entry.Local && repState.HasState(consts.ReplicationPerformanceSecondary) {
+		return nil, logical.ErrReadOnly
+	}
+
+	// Attempt disable
+	if existed, err := b.Core.disableAudit(ctx, path, true); existed && err != nil {
+		b.Backend.Logger().Error("disable audit mount failed", "path", path, "error", err)
+		return handleError(err)
+	}
+	return nil, nil
+}
+
+func (b *SystemBackend) handleConfigUIHeadersRead(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	header := data.Get("header").(string)
+	multivalue := data.Get("multivalue").(bool)
+
+	values, err := b.Core.uiConfig.GetHeader(ctx, header)
+	if err != nil {
+		return nil, err
+	}
+	if len(values) == 0 {
+		return nil, nil
+	}
+
+	// Return multiple values if specified
+	if multivalue {
+		return &logical.Response{
+			Data: map[string]interface{}{
+				"values": values,
+			},
+		}, nil
+	}
+
+	return &logical.Response{
+		Data: map[string]interface{}{
+			"value": values[0],
+		},
+	}, nil
+}
+
+func (b *SystemBackend) handleConfigUIHeadersList(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	headers, err := b.Core.uiConfig.HeaderKeys(ctx)
+	if err != nil {
+		return nil, err
+	}
+	if len(headers) == 0 {
+		return nil, nil
+	}
+
+	return logical.ListResponse(headers), nil
+}
+
+func (b *SystemBackend) handleConfigUIHeadersUpdate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	header := data.Get("header").(string)
+	values := data.Get("values").([]string)
+	if header == "" || len(values) == 0 {
+		return logical.ErrorResponse("header and values must be specified"), logical.ErrInvalidRequest
+	}
+
+	lowerHeader := strings.ToLower(header)
+	if strings.HasPrefix(lowerHeader, "x-vault-") {
+		return logical.ErrorResponse("X-Vault headers cannot be set"), logical.ErrInvalidRequest
+	}
+
+	// Translate the list of values to the valid header string
+	value := http.Header{}
+	for _, v := range values {
+		if b.Core.ExistCustomResponseHeader(header) {
+			return logical.ErrorResponse("This header already exists in the server configuration and cannot be set in the UI."), logical.ErrInvalidRequest
+		}
+		value.Add(header, v)
+	}
+	err := b.Core.uiConfig.SetHeader(ctx, header, value.Values(header))
+	if err != nil {
+		return nil, err
+	}
+
+	// Warn when overriding the CSP
+	resp := &logical.Response{}
+	if lowerHeader == "content-security-policy" {
+		resp.AddWarning("overriding default Content-Security-Policy which is secure by default, proceed with caution")
+	}
+
+	return resp, nil
+}
+
+func (b *SystemBackend) handleConfigUIHeadersDelete(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	header := data.Get("header").(string)
+	err := b.Core.uiConfig.DeleteHeader(ctx, header)
+	if err != nil {
+		return nil, err
+	}
+	return nil, nil
+}
+
+// handleKeyStatus returns status information about the backend key
+func (b *SystemBackend) handleKeyStatus(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	// Get the key info
+	info, err := b.Core.barrier.ActiveKeyInfo()
+	if err != nil {
+		return nil, err
+	}
+
+	resp := &logical.Response{
+		Data: map[string]interface{}{
+			"term":         info.Term,
+			"install_time": info.InstallTime.Format(time.RFC3339Nano),
+			"encryptions":  info.Encryptions,
+		},
+	}
+	return resp, nil
+}
+
+// handleKeyRotationConfigRead returns the barrier key rotation config
+func (b *SystemBackend) handleKeyRotationConfigRead(_ context.Context, _ *logical.Request, _ *framework.FieldData) (*logical.Response, error) {
+	// Get the key info
+	rotConfig, err := b.Core.barrier.RotationConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	resp := &logical.Response{
+		Data: map[string]interface{}{
+			"max_operations": rotConfig.MaxOperations,
+			"enabled":        !rotConfig.Disabled,
+		},
+	}
+	if rotConfig.Interval > 0 {
+		resp.Data["interval"] = rotConfig.Interval.String()
+	} else {
+		resp.Data["interval"] = 0
+	}
+	return resp, nil
+}
+
+// handleKeyRotationConfigRead returns the barrier key rotation config
+func (b *SystemBackend) handleKeyRotationConfigUpdate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	rotConfig, err := b.Core.barrier.RotationConfig()
+	if err != nil {
+		return nil, err
+	}
+	maxOps, ok, err := data.GetOkErr("max_operations")
+	if err != nil {
+		return nil, err
+	}
+	if ok {
+		rotConfig.MaxOperations = maxOps.(int64)
+	}
+	interval, ok, err := data.GetOkErr("interval")
+	if err != nil {
+		return nil, err
+	}
+	if ok {
+		rotConfig.Interval = time.Second * time.Duration(interval.(int))
+	}
+
+	enabled, ok, err := data.GetOkErr("enabled")
+	if err != nil {
+		return nil, err
+	}
+	if ok {
+		rotConfig.Disabled = !enabled.(bool)
+	}
+
+	// Reject out of range settings
+	if rotConfig.Interval < minimumRotationInterval && rotConfig.Interval != 0 {
+		return logical.ErrorResponse("interval must be greater or equal to %s", minimumRotationInterval.String()), logical.ErrInvalidRequest
+	}
+
+	if rotConfig.MaxOperations < absoluteOperationMinimum || rotConfig.MaxOperations > absoluteOperationMaximum {
+		return logical.ErrorResponse("max_operations must be in the range [%d,%d]", absoluteOperationMinimum, absoluteOperationMaximum), logical.ErrInvalidRequest
+	}
+
+	// Store the rotation config
+	err = b.Core.barrier.SetRotationConfig(ctx, rotConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return nil, nil
+}
+
+// handleRotate is used to trigger a key rotation
+func (b *SystemBackend) handleRotate(ctx context.Context, _ *logical.Request, _ *framework.FieldData) (*logical.Response, error) {
+	repState := b.Core.ReplicationState()
+	if repState.HasState(consts.ReplicationPerformanceSecondary) {
+		return logical.ErrorResponse("cannot rotate on a replication secondary"), nil
+	}
+
+	if err := b.rotateBarrierKey(ctx); err != nil {
+		b.Backend.Logger().Error("error handling key rotation", "error", err)
+		return handleError(err)
+	}
+	return nil, nil
+}
+
+func (b *SystemBackend) handleWrappingPubkey(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	x, _ := b.Core.wrappingJWTKey.X.MarshalText()
+	y, _ := b.Core.wrappingJWTKey.Y.MarshalText()
+	return &logical.Response{
+		Data: map[string]interface{}{
+			"jwt_x":     string(x),
+			"jwt_y":     string(y),
+			"jwt_curve": corePrivateKeyTypeP521,
+		},
+	}, nil
+}
+
+func (b *SystemBackend) handleWrappingWrap(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	if req.WrapInfo == nil || req.WrapInfo.TTL == 0 {
+		return logical.ErrorResponse("endpoint requires response wrapping to be used"), logical.ErrInvalidRequest
+	}
+
+	// N.B.: Do *NOT* allow JWT wrapping tokens to be created through this
+	// endpoint. JWTs are signed so if we don't allow users to create wrapping
+	// tokens using them we can ensure that an operator can't spoof a legit JWT
+	// wrapped token, which makes certain init/rekey/generate-root cases have
+	// better properties.
+	req.WrapInfo.Format = "uuid"
+
+	return &logical.Response{
+		Data: data.Raw,
+	}, nil
+}
+
+// handleWrappingUnwrap will unwrap a response wrapping token or complete a
+// request that required a control group.
+func (b *SystemBackend) handleWrappingUnwrap(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	// If a third party is unwrapping (rather than the calling token being the
+	// wrapping token) we detect this so that we can revoke the original
+	// wrapping token after reading it
+	var thirdParty bool
+
+	token := data.Get("token").(string)
+	if token != "" {
+		thirdParty = true
+	} else {
+		token = req.ClientToken
+	}
+
+	// Get the policies so we can determine if this is a normal response
+	// wrapping request or a control group token.
+	//
+	// We use lookupTainted here because the token might have already been used
+	// by handleRequest(), this happens when it's a normal response wrapping
+	// request and the token was provided "first party". We want to inspect the
+	// token policies but will not use this token entry for anything else.
+	te, err := b.Core.tokenStore.lookupTainted(ctx, token)
+	if err != nil {
+		return nil, err
+	}
+	if te == nil {
+		return nil, nil
+	}
+	if len(te.Policies) != 1 {
+		return nil, errors.New("token is not a valid unwrap token")
+	}
+
+	unwrapNS, err := NamespaceByID(ctx, te.NamespaceID, b.Core)
+	if err != nil {
+		return nil, err
+	}
+	if unwrapNS == nil {
+		return nil, errors.New("token is not from a valid namespace")
+	}
+
+	unwrapCtx := namespace.ContextWithNamespace(ctx, unwrapNS)
+
+	var response string
+	switch te.Policies[0] {
+	case controlGroupPolicyName:
+		response, err = controlGroupUnwrap(unwrapCtx, b, token, thirdParty)
+	case responseWrappingPolicyName:
+		response, err = b.responseWrappingUnwrap(unwrapCtx, te, thirdParty)
+	}
+	if err != nil {
+		var respErr *logical.Response
+		if len(response) > 0 {
+			respErr = logical.ErrorResponse(response)
+		}
+
+		return respErr, err
+	}
+
+	resp := &logical.Response{
+		Data: map[string]interface{}{},
+	}
+
+	if len(response) == 0 {
+		resp.Data[logical.HTTPStatusCode] = 204
+		return resp, nil
+	}
+
+	// Most of the time we want to just send over the marshalled HTTP bytes.
+	// However there is a sad separate case: if the original response was using
+	// bare values we need to use those or else what comes back is garbled.
+	httpResp := &logical.HTTPResponse{}
+	err = jsonutil.DecodeJSON([]byte(response), httpResp)
+	if err != nil {
+		return nil, fmt.Errorf("error decoding wrapped response: %w", err)
+	}
+	if httpResp.Data != nil &&
+		(httpResp.Data[logical.HTTPStatusCode] != nil ||
+			httpResp.Data[logical.HTTPRawBody] != nil ||
+			httpResp.Data[logical.HTTPContentType] != nil) {
+		if httpResp.Data[logical.HTTPStatusCode] != nil {
+			resp.Data[logical.HTTPStatusCode] = httpResp.Data[logical.HTTPStatusCode]
+		}
+		if httpResp.Data[logical.HTTPContentType] != nil {
+			resp.Data[logical.HTTPContentType] = httpResp.Data[logical.HTTPContentType]
+		}
+
+		rawBody := httpResp.Data[logical.HTTPRawBody]
+		if rawBody != nil {
+			// Decode here so that we can audit properly
+			switch rawBody.(type) {
+			case string:
+				// Best effort decoding; if this works, the original value was
+				// probably a []byte instead of a string, but was marshaled
+				// when the value was saved, so this restores it as it was
+				decBytes, err := base64.StdEncoding.DecodeString(rawBody.(string))
+				if err == nil {
+					// We end up with []byte, will not be HMAC'd
+					resp.Data[logical.HTTPRawBody] = decBytes
+				} else {
+					// We end up with string, will be HMAC'd
+					resp.Data[logical.HTTPRawBody] = rawBody
+				}
+			default:
+				b.Core.Logger().Error("unexpected type of raw body when decoding wrapped token", "type", fmt.Sprintf("%T", rawBody))
+			}
+
+			resp.Data[logical.HTTPRawBodyAlreadyJSONDecoded] = true
+		}
+
+		return resp, nil
+	}
+
+	resp.Data[logical.HTTPStatusCode] = 200
+	resp.Data[logical.HTTPRawBody] = []byte(response)
+	resp.Data[logical.HTTPContentType] = "application/json"
+
+	return resp, nil
+}
+
+// responseWrappingUnwrap will read the stored response in the cubbyhole and
+// return the raw HTTP response.
+func (b *SystemBackend) responseWrappingUnwrap(ctx context.Context, te *logical.TokenEntry, thirdParty bool) (string, error) {
+	tokenID := te.ID
+	if thirdParty {
+		// Use the token to decrement the use count to avoid a second operation on the token.
+		_, err := b.Core.tokenStore.UseTokenByID(ctx, tokenID)
+		if err != nil {
+			return "", fmt.Errorf("error decrementing wrapping token's use-count: %w", err)
+		}
+
+		defer b.Core.tokenStore.revokeOrphan(ctx, tokenID)
+	}
+
+	cubbyReq := &logical.Request{
+		Operation:   logical.ReadOperation,
+		Path:        "cubbyhole/response",
+		ClientToken: tokenID,
+	}
+	cubbyReq.SetTokenEntry(te)
+	cubbyResp, err := b.Core.router.Route(ctx, cubbyReq)
+	if err != nil {
+		return "", fmt.Errorf("error looking up wrapping information: %w", err)
+	}
+	if cubbyResp == nil {
+		return "no information found; wrapping token may be from a previous Vault version", ErrInternalError
+	}
+	if cubbyResp != nil && cubbyResp.IsError() {
+		return cubbyResp.Error().Error(), nil
+	}
+	if cubbyResp.Data == nil {
+		return "wrapping information was nil; wrapping token may be from a previous Vault version", ErrInternalError
+	}
+
+	responseRaw := cubbyResp.Data["response"]
+	if responseRaw == nil {
+		return "", fmt.Errorf("no response found inside the cubbyhole")
+	}
+	response, ok := responseRaw.(string)
+	if !ok {
+		return "", fmt.Errorf("could not decode response inside the cubbyhole")
+	}
+
+	return response, nil
+}
+
+func (b *SystemBackend) handleMetrics(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	format := data.Get("format").(string)
+	if format == "" {
+		format = metricsutil.FormatFromRequest(req)
+	}
+	return b.Core.metricsHelper.ResponseForFormat(format), nil
+}
+
+func (b *SystemBackend) handleInFlightRequestData(_ context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	resp := &logical.Response{
+		Data: map[string]interface{}{
+			logical.HTTPContentType: "text/plain",
+			logical.HTTPStatusCode:  http.StatusInternalServerError,
+		},
+	}
+
+	currentInFlightReqMap := b.Core.LoadInFlightReqData()
+
+	content, err := json.Marshal(currentInFlightReqMap)
+	if err != nil {
+		resp.Data[logical.HTTPRawBody] = fmt.Sprintf("error while marshalling the in-flight requests data: %s", err)
+		return resp, nil
+	}
+	resp.Data[logical.HTTPContentType] = "application/json"
+	resp.Data[logical.HTTPRawBody] = content
+	resp.Data[logical.HTTPStatusCode] = http.StatusOK
+
+	return resp, nil
+}
+
+func (b *SystemBackend) handleMonitor(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	ll := data.Get("log_level").(string)
+	w := req.ResponseWriter
+
+	if ll == "" {
+		ll = "info"
+	}
+	logLevel := log.LevelFromString(ll)
+
+	if logLevel == log.NoLevel {
+		return logical.ErrorResponse("unknown log level"), nil
+	}
+
+	lf := data.Get("log_format").(string)
+	lowerLogFormat := strings.ToLower(lf)
+
+	validFormats := []string{"standard", "json"}
+	if !strutil.StrListContains(validFormats, lowerLogFormat) {
+		return logical.ErrorResponse("unknown log format"), nil
+	}
+
+	flusher, ok := w.ResponseWriter.(http.Flusher)
+	if !ok {
+		// http.ResponseWriter is wrapped in wrapGenericHandler, so let's
+		// access the underlying functionality
+		nw, ok := w.ResponseWriter.(logical.WrappingResponseWriter)
+		if !ok {
+			return logical.ErrorResponse("streaming not supported"), nil
+		}
+		flusher, ok = nw.Wrapped().(http.Flusher)
+		if !ok {
+			return logical.ErrorResponse("streaming not supported"), nil
+		}
+	}
+
+	isJson := b.Core.LogFormat() == "json" || lf == "json"
+	logger := b.Core.Logger().(log.InterceptLogger)
+
+	mon, err := monitor.NewMonitor(512, logger, &log.LoggerOptions{
+		Level:      logLevel,
+		JSONFormat: isJson,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	logCh := mon.Start()
+	defer mon.Stop()
+
+	if logCh == nil {
+		return nil, fmt.Errorf("error trying to start a monitor that's already been started")
+	}
+
+	w.WriteHeader(http.StatusOK)
+
+	// 0 byte write is needed before the Flush call so that if we are using
+	// a gzip stream it will go ahead and write out the HTTP response header
+	_, err = w.Write([]byte(""))
+	if err != nil {
+		return nil, fmt.Errorf("error seeding flusher: %w", err)
+	}
+
+	flusher.Flush()
+
+	ticker := time.NewTicker(1 * time.Second)
+	defer ticker.Stop()
+
+	// Stream logs until the connection is closed.
+	for {
+		select {
+		// Periodically check for the seal status and return if core gets
+		// marked as sealed.
+		case <-ticker.C:
+			if b.Core.Sealed() {
+				// We still return the error, but this will be ignored upstream
+				// due to the fact that we've already sent a response by
+				// writing the header and flushing the writer above.
+				_, err = fmt.Fprint(w, "core received sealed state change, ending monitor session")
+				if err != nil {
+					return nil, fmt.Errorf("error checking seal state: %w", err)
+				}
+			}
+		case <-ctx.Done():
+			return nil, nil
+		case l := <-logCh:
+			// We still return the error, but this will be ignored upstream
+			// due to the fact that we've already sent a response by
+			// writing the header and flushing the writer above.
+			_, err = fmt.Fprint(w, string(l))
+			if err != nil {
+				return nil, fmt.Errorf("error streaming monitor output: %w", err)
+			}
+
+			flusher.Flush()
+		}
+	}
+}
+
+// handleHostInfo collects and returns host-related information, which includes
+// system information, cpu, disk, and memory usage. Any capture-related errors
+// returned by the collection method will be returned as response warnings.
+func (b *SystemBackend) handleHostInfo(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	resp := &logical.Response{}
+	info, err := hostutil.CollectHostInfo(ctx)
+	if err != nil {
+		// If the error is a HostInfoError, we return them as response warnings
+		if errs, ok := err.(*multierror.Error); ok {
+			var warnings []string
+			for _, mErr := range errs.Errors {
+				if errwrap.ContainsType(mErr, new(hostutil.HostInfoError)) {
+					warnings = append(warnings, mErr.Error())
+				} else {
+					// If the error is a multierror, it should only be for
+					// HostInfoError, but if it's not for any reason, we return
+					// it as an error to avoid it being swallowed.
+					return nil, err
+				}
+			}
+			resp.Warnings = warnings
+		} else {
+			return nil, err
+		}
+	}
+
+	if info == nil {
+		return nil, errors.New("unable to collect host information: nil HostInfo")
+	}
+
+	respData := map[string]interface{}{
+		"timestamp": info.Timestamp,
+	}
+	if info.CPU != nil {
+		respData["cpu"] = info.CPU
+	}
+	if info.CPUTimes != nil {
+		respData["cpu_times"] = info.CPUTimes
+	}
+	if info.Disk != nil {
+		respData["disk"] = info.Disk
+	}
+	if info.Host != nil {
+		respData["host"] = info.Host
+	}
+	if info.Memory != nil {
+		respData["memory"] = info.Memory
+	}
+	resp.Data = respData
+
+	return resp, nil
+}
+
+func (b *SystemBackend) handleWrappingLookup(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	// This ordering of lookups has been validated already in the wrapping
+	// validation func, we're just doing this for a safety check
+	token := data.Get("token").(string)
+	if token == "" {
+		token = req.ClientToken
+		if token == "" {
+			return logical.ErrorResponse("missing \"token\" value in input"), logical.ErrInvalidRequest
+		}
+	}
+
+	te, err := b.Core.tokenStore.lookupTainted(ctx, token)
+	if err != nil {
+		return nil, err
+	}
+	if te == nil {
+		return nil, nil
+	}
+	if len(te.Policies) != 1 {
+		return nil, errors.New("token is not a valid unwrap token")
+	}
+
+	lookupNS, err := NamespaceByID(ctx, te.NamespaceID, b.Core)
+	if err != nil {
+		return nil, err
+	}
+	if lookupNS == nil {
+		return nil, errors.New("token is not from a valid namespace")
+	}
+
+	lookupCtx := namespace.ContextWithNamespace(ctx, lookupNS)
+
+	cubbyReq := &logical.Request{
+		Operation:   logical.ReadOperation,
+		Path:        "cubbyhole/wrapinfo",
+		ClientToken: token,
+	}
+	cubbyReq.SetTokenEntry(te)
+	cubbyResp, err := b.Core.router.Route(lookupCtx, cubbyReq)
+	if err != nil {
+		return nil, fmt.Errorf("error looking up wrapping information: %w", err)
+	}
+	if cubbyResp == nil {
+		return logical.ErrorResponse("no information found; wrapping token may be from a previous Vault version"), nil
+	}
+	if cubbyResp != nil && cubbyResp.IsError() {
+		return cubbyResp, nil
+	}
+	if cubbyResp.Data == nil {
+		return logical.ErrorResponse("wrapping information was nil; wrapping token may be from a previous Vault version"), nil
+	}
+
+	creationTTLRaw := cubbyResp.Data["creation_ttl"]
+	creationTime := cubbyResp.Data["creation_time"]
+	creationPath := cubbyResp.Data["creation_path"]
+
+	resp := &logical.Response{
+		Data: map[string]interface{}{},
+	}
+	if creationTTLRaw != nil {
+		creationTTL, err := creationTTLRaw.(json.Number).Int64()
+		if err != nil {
+			return nil, fmt.Errorf("error reading creation_ttl value from wrapping information: %w", err)
+		}
+		resp.Data["creation_ttl"] = time.Duration(creationTTL).Seconds()
+	}
+	if creationTime != nil {
+		// This was JSON marshaled so it's already a string in RFC3339 format
+		resp.Data["creation_time"] = cubbyResp.Data["creation_time"]
+	}
+	if creationPath != nil {
+		resp.Data["creation_path"] = cubbyResp.Data["creation_path"]
+	}
+
+	return resp, nil
+}
+
+func (b *SystemBackend) handleWrappingRewrap(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	// If a third party is rewrapping (rather than the calling token being the
+	// wrapping token) we detect this so that we can revoke the original
+	// wrapping token after reading it. Right now wrapped tokens can't unwrap
+	// themselves, but in case we change it, this will be ready to do the right
+	// thing.
+	var thirdParty bool
+
+	token := data.Get("token").(string)
+	if token != "" {
+		thirdParty = true
+	} else {
+		token = req.ClientToken
+	}
+
+	te, err := b.Core.tokenStore.lookupTainted(ctx, token)
+	if err != nil {
+		return nil, err
+	}
+	if te == nil {
+		return nil, nil
+	}
+	if len(te.Policies) != 1 {
+		return nil, errors.New("token is not a valid unwrap token")
+	}
+
+	if thirdParty {
+		// Use the token to decrement the use count to avoid a second operation on the token.
+		_, err := b.Core.tokenStore.UseTokenByID(ctx, token)
+		if err != nil {
+			return nil, fmt.Errorf("error decrementing wrapping token's use-count: %w", err)
+		}
+		defer b.Core.tokenStore.revokeOrphan(ctx, token)
+	}
+
+	// Fetch the original TTL
+	cubbyReq := &logical.Request{
+		Operation:   logical.ReadOperation,
+		Path:        "cubbyhole/wrapinfo",
+		ClientToken: token,
+	}
+	cubbyReq.SetTokenEntry(te)
+	cubbyResp, err := b.Core.router.Route(ctx, cubbyReq)
+	if err != nil {
+		return nil, fmt.Errorf("error looking up wrapping information: %w", err)
+	}
+	if cubbyResp == nil {
+		return logical.ErrorResponse("no information found; wrapping token may be from a previous Vault version"), nil
+	}
+	if cubbyResp != nil && cubbyResp.IsError() {
+		return cubbyResp, nil
+	}
+	if cubbyResp.Data == nil {
+		return logical.ErrorResponse("wrapping information was nil; wrapping token may be from a previous Vault version"), nil
+	}
+
+	// Set the creation TTL on the request
+	creationTTLRaw := cubbyResp.Data["creation_ttl"]
+	if creationTTLRaw == nil {
+		return nil, fmt.Errorf("creation_ttl value in wrapping information was nil")
+	}
+	creationTTL, err := cubbyResp.Data["creation_ttl"].(json.Number).Int64()
+	if err != nil {
+		return nil, fmt.Errorf("error reading creation_ttl value from wrapping information: %w", err)
+	}
+
+	// Get creation_path to return as the response later
+	creationPathRaw := cubbyResp.Data["creation_path"]
+	if creationPathRaw == nil {
+		return nil, fmt.Errorf("creation_path value in wrapping information was nil")
+	}
+	creationPath := creationPathRaw.(string)
+
+	// Fetch the original response and return it as the data for the new response
+	cubbyReq = &logical.Request{
+		Operation:   logical.ReadOperation,
+		Path:        "cubbyhole/response",
+		ClientToken: token,
+	}
+	cubbyReq.SetTokenEntry(te)
+	cubbyResp, err = b.Core.router.Route(ctx, cubbyReq)
+	if err != nil {
+		return nil, fmt.Errorf("error looking up response: %w", err)
+	}
+	if cubbyResp == nil {
+		return logical.ErrorResponse("no information found; wrapping token may be from a previous Vault version"), nil
+	}
+	if cubbyResp != nil && cubbyResp.IsError() {
+		return cubbyResp, nil
+	}
+	if cubbyResp.Data == nil {
+		return logical.ErrorResponse("wrapping information was nil; wrapping token may be from a previous Vault version"), nil
+	}
+
+	response := cubbyResp.Data["response"]
+	if response == nil {
+		return nil, fmt.Errorf("no response found inside the cubbyhole")
+	}
+
+	// Return response in "response"; wrapping code will detect the rewrap and
+	// slot in instead of nesting
+	return &logical.Response{
+		Data: map[string]interface{}{
+			"response": response,
+		},
+		WrapInfo: &wrapping.ResponseWrapInfo{
+			TTL:          time.Duration(creationTTL),
+			CreationPath: creationPath,
+		},
+	}, nil
+}
+
+func (b *SystemBackend) pathHashWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	inputB64 := d.Get("input").(string)
+	format := d.Get("format").(string)
+	algorithm := d.Get("urlalgorithm").(string)
+	if algorithm == "" {
+		algorithm = d.Get("algorithm").(string)
+	}
+
+	input, err := base64.StdEncoding.DecodeString(inputB64)
+	if err != nil {
+		return logical.ErrorResponse(fmt.Sprintf("unable to decode input as base64: %s", err)), logical.ErrInvalidRequest
+	}
+
+	switch format {
+	case "hex":
+	case "base64":
+	default:
+		return logical.ErrorResponse(fmt.Sprintf("unsupported encoding format %s; must be \"hex\" or \"base64\"", format)), nil
+	}
+
+	var hf hash.Hash
+	switch algorithm {
+	case "sha2-224":
+		hf = sha256.New224()
+	case "sha2-256":
+		hf = sha256.New()
+	case "sha2-384":
+		hf = sha512.New384()
+	case "sha2-512":
+		hf = sha512.New()
+	case "sha3-224":
+		hf = sha3.New224()
+	case "sha3-256":
+		hf = sha3.New256()
+	case "sha3-384":
+		hf = sha3.New384()
+	case "sha3-512":
+		hf = sha3.New512()
+	default:
+		return logical.ErrorResponse(fmt.Sprintf("unsupported algorithm %s", algorithm)), nil
+	}
+	hf.Write(input)
+	retBytes := hf.Sum(nil)
+
+	var retStr string
+	switch format {
+	case "hex":
+		retStr = hex.EncodeToString(retBytes)
+	case "base64":
+		retStr = base64.StdEncoding.EncodeToString(retBytes)
+	}
+
+	// Generate the response
+	resp := &logical.Response{
+		Data: map[string]interface{}{
+			"sum": retStr,
+		},
+	}
+	return resp, nil
+}
+
+func (b *SystemBackend) pathRandomWrite(_ context.Context, _ *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	return random.HandleRandomAPI(d, b.Core.secureRandomReader)
+}
+
+func hasMountAccess(ctx context.Context, acl *ACL, path string) bool {
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return false
+	}
+
+	// If a policy is giving us direct access to the mount path then we can do
+	// a fast return.
+	capabilities := acl.Capabilities(ctx, ns.TrimmedPath(path))
+	if !strutil.StrListContains(capabilities, DenyCapability) {
+		return true
+	}
+
+	var aclCapabilitiesGiven bool
+	walkFn := func(s string, v interface{}) bool {
+		if v == nil {
+			return false
+		}
+
+		perms := v.(*ACLPermissions)
+
+		switch {
+		case perms.CapabilitiesBitmap&DenyCapabilityInt > 0:
+			return false
+
+		case perms.CapabilitiesBitmap&CreateCapabilityInt > 0,
+			perms.CapabilitiesBitmap&DeleteCapabilityInt > 0,
+			perms.CapabilitiesBitmap&ListCapabilityInt > 0,
+			perms.CapabilitiesBitmap&ReadCapabilityInt > 0,
+			perms.CapabilitiesBitmap&SudoCapabilityInt > 0,
+			perms.CapabilitiesBitmap&UpdateCapabilityInt > 0,
+			perms.CapabilitiesBitmap&PatchCapabilityInt > 0,
+			perms.CapabilitiesBitmap&SubscribeCapabilityInt > 0:
+
+			aclCapabilitiesGiven = true
+
+			return true
+		}
+
+		return false
+	}
+
+	acl.exactRules.WalkPrefix(path, walkFn)
+	if !aclCapabilitiesGiven {
+		acl.prefixRules.WalkPrefix(path, walkFn)
+	}
+
+	if !aclCapabilitiesGiven {
+		if perms := acl.CheckAllowedFromNonExactPaths(path, true); perms != nil {
+			return true
+		}
+	}
+
+	return aclCapabilitiesGiven
+}
+
+func (b *SystemBackend) pathInternalUIMountsRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	resp := &logical.Response{
+		Data: make(map[string]interface{}),
+	}
+
+	secretMounts := make(map[string]interface{})
+	authMounts := make(map[string]interface{})
+	resp.Data["secret"] = secretMounts
+	resp.Data["auth"] = authMounts
+
+	var acl *ACL
+	var isAuthed bool
+	if req.ClientToken != "" {
+		isAuthed = true
+
+		var entity *identity.Entity
+		var te *logical.TokenEntry
+		// Load the ACL policies so we can walk the prefix for this mount
+		acl, te, entity, _, err = b.Core.fetchACLTokenEntryAndEntity(ctx, req)
+		if err != nil {
+			return nil, err
+		}
+		if entity != nil && entity.Disabled {
+			b.logger.Warn("permission denied as the entity on the token is disabled")
+			return nil, logical.ErrPermissionDenied
+		}
+		if te != nil && te.EntityID != "" && entity == nil {
+			b.logger.Warn("permission denied as the entity on the token is invalid")
+			return nil, logical.ErrPermissionDenied
+		}
+	}
+
+	hasAccess := func(ctx context.Context, me *MountEntry) bool {
+		if me.Config.ListingVisibility == ListingVisibilityUnauth {
+			return true
+		}
+
+		if isAuthed {
+			if me.Table == "auth" {
+				return hasMountAccess(ctx, acl, me.Namespace().Path+me.Table+"/"+me.Path)
+			} else {
+				return hasMountAccess(ctx, acl, me.Namespace().Path+me.Path)
+			}
+		}
+
+		return false
+	}
+
+	b.Core.mountsLock.RLock()
+	for _, entry := range b.Core.mounts.Entries {
+		ctxWithNamespace := namespace.ContextWithNamespace(ctx, entry.Namespace())
+		filtered, err := b.Core.checkReplicatedFiltering(ctxWithNamespace, entry, "")
+		if err != nil {
+			b.Core.mountsLock.RUnlock()
+			return nil, err
+		}
+		if filtered {
+			continue
+		}
+
+		if ns.ID == entry.NamespaceID && hasAccess(ctx, entry) {
+			if isAuthed {
+				// If this is an authed request return all the mount info
+				secretMounts[entry.Path] = b.mountInfo(ctx, entry)
+			} else {
+				secretMounts[entry.Path] = map[string]interface{}{
+					"type":        entry.Type,
+					"description": entry.Description,
+					"options":     entry.Options,
+				}
+			}
+		}
+	}
+	b.Core.mountsLock.RUnlock()
+
+	b.Core.authLock.RLock()
+	for _, entry := range b.Core.auth.Entries {
+		ctxWithNamespace := namespace.ContextWithNamespace(ctx, entry.Namespace())
+		filtered, err := b.Core.checkReplicatedFiltering(ctxWithNamespace, entry, credentialRoutePrefix)
+		if err != nil {
+			b.Core.authLock.RUnlock()
+			return nil, err
+		}
+		if filtered {
+			continue
+		}
+
+		if ns.ID == entry.NamespaceID && hasAccess(ctx, entry) {
+			if isAuthed {
+				// If this is an authed request return all the mount info
+				authMounts[entry.Path] = b.mountInfo(ctx, entry)
+			} else {
+				authMounts[entry.Path] = map[string]interface{}{
+					"type":        entry.Type,
+					"description": entry.Description,
+					"options":     entry.Options,
+				}
+			}
+		}
+	}
+	b.Core.authLock.RUnlock()
+
+	return resp, nil
+}
+
+func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	path := d.Get("path").(string)
+	if path == "" {
+		return logical.ErrorResponse("path not set"), logical.ErrInvalidRequest
+	}
+	path = sanitizePath(path)
+
+	// Load the ACL policies so we can walk the prefix for this mount
+	acl, te, entity, _, err := b.Core.fetchACLTokenEntryAndEntity(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+	if entity != nil && entity.Disabled {
+		b.logger.Warn("permission denied as the entity on the token is disabled")
+		return nil, logical.ErrPermissionDenied
+	}
+	if te != nil && te.EntityID != "" && entity == nil {
+		b.logger.Warn("permission denied as the entity on the token is invalid")
+		return nil, logical.ErrPermissionDenied
+	}
+
+	errResp := logical.ErrorResponse(fmt.Sprintf("preflight capability check returned 403, please ensure client's policies grant access to path %q", path))
+
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	me := b.Core.router.MatchingMountEntry(ctx, path)
+	if me == nil {
+		// Return a permission denied error here so this path cannot be used to
+		// brute force a list of mounts.
+		return errResp, logical.ErrPermissionDenied
+	}
+
+	var routerPrefix string
+	if strings.HasPrefix(me.APIPathNoNamespace(), credentialRoutePrefix) {
+		routerPrefix = credentialRoutePrefix
+	}
+
+	filtered, err := b.Core.checkReplicatedFiltering(ctx, me, routerPrefix)
+	if err != nil {
+		return nil, err
+	}
+	if filtered {
+		return errResp, logical.ErrPermissionDenied
+	}
+	resp := &logical.Response{
+		Data: b.mountInfo(ctx, me),
+	}
+	resp.Data["path"] = me.Path
+
+	pathWithTable := ""
+
+	if me.Table == "auth" {
+		pathWithTable = me.Table + "/" + me.Path
+	} else {
+		pathWithTable = me.Path
+	}
+
+	fullMountPath := ns.Path + pathWithTable
+	if ns.ID != me.Namespace().ID {
+		resp.Data["path"] = me.Namespace().Path + pathWithTable
+		fullMountPath = ns.Path + me.Namespace().Path + pathWithTable
+	}
+
+	if !hasMountAccess(ctx, acl, fullMountPath) {
+		return errResp, logical.ErrPermissionDenied
+	}
+
+	return resp, nil
+}
+
+func (b *SystemBackend) pathInternalCountersRequests(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	resp := logical.ErrorResponse("The functionality has been removed on this path")
+
+	return resp, logical.ErrPathFunctionalityRemoved
+}
+
+func (b *SystemBackend) pathInternalCountersTokens(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	activeTokens, err := b.Core.countActiveTokens(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	resp := &logical.Response{
+		Data: map[string]interface{}{
+			"counters": activeTokens,
+		},
+	}
+
+	return resp, nil
+}
+
+func (b *SystemBackend) pathInternalCountersEntities(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	activeEntities, err := b.Core.countActiveEntities(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	resp := &logical.Response{
+		Data: map[string]interface{}{
+			"counters": activeEntities,
+		},
+	}
+
+	return resp, nil
+}
+
+func (b *SystemBackend) pathInternalInspectRouter(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	b.Core.introspectionEnabledLock.Lock()
+	defer b.Core.introspectionEnabledLock.Unlock()
+	if b.Core.introspectionEnabled {
+		tag := d.Get("tag").(string)
+		inspectableRouter, err := b.Core.router.GetRecords(tag)
+		if err != nil {
+			return nil, err
+		}
+		resp := &logical.Response{
+			Data: map[string]interface{}{
+				tag: inspectableRouter,
+			},
+		}
+		return resp, nil
+	}
+	return logical.ErrorResponse(ErrIntrospectionNotEnabled.Error()), nil
+}
+
+func (b *SystemBackend) pathInternalUIResultantACL(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	if req.ClientToken == "" {
+		// 204 -- no ACL
+		return nil, nil
+	}
+
+	acl, te, entity, _, err := b.Core.fetchACLTokenEntryAndEntity(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+
+	if entity != nil && entity.Disabled {
+		b.logger.Warn("permission denied as the entity on the token is disabled")
+		return logical.ErrorResponse(logical.ErrPermissionDenied.Error()), nil
+	}
+	if te != nil && te.EntityID != "" && entity == nil {
+		b.logger.Warn("permission denied as the entity on the token is invalid")
+		return logical.ErrorResponse(logical.ErrPermissionDenied.Error()), nil
+	}
+
+	resp := &logical.Response{
+		Data: map[string]interface{}{
+			"root": false,
+		},
+	}
+
+	resp.Data["chroot_namespace"] = req.ChrootNamespace
+
+	if acl.root {
+		resp.Data["root"] = true
+		return resp, nil
+	}
+
+	exact := map[string]interface{}{}
+	glob := map[string]interface{}{}
+
+	walkFn := func(pt map[string]interface{}, s string, v interface{}) {
+		if v == nil {
+			return
+		}
+
+		perms := v.(*ACLPermissions)
+		capabilities := []string{}
+
+		if perms.CapabilitiesBitmap&CreateCapabilityInt > 0 {
+			capabilities = append(capabilities, CreateCapability)
+		}
+		if perms.CapabilitiesBitmap&DeleteCapabilityInt > 0 {
+			capabilities = append(capabilities, DeleteCapability)
+		}
+		if perms.CapabilitiesBitmap&ListCapabilityInt > 0 {
+			capabilities = append(capabilities, ListCapability)
+		}
+		if perms.CapabilitiesBitmap&ReadCapabilityInt > 0 {
+			capabilities = append(capabilities, ReadCapability)
+		}
+		if perms.CapabilitiesBitmap&SudoCapabilityInt > 0 {
+			capabilities = append(capabilities, SudoCapability)
+		}
+		if perms.CapabilitiesBitmap&UpdateCapabilityInt > 0 {
+			capabilities = append(capabilities, UpdateCapability)
+		}
+		if perms.CapabilitiesBitmap&PatchCapabilityInt > 0 {
+			capabilities = append(capabilities, PatchCapability)
+		}
+		if perms.CapabilitiesBitmap&SubscribeCapabilityInt > 0 {
+			capabilities = append(capabilities, SubscribeCapability)
+		}
+
+		// If "deny" is explicitly set or if the path has no capabilities at all,
+		// set the path capabilities to "deny"
+		if perms.CapabilitiesBitmap&DenyCapabilityInt > 0 || len(capabilities) == 0 {
+			capabilities = []string{DenyCapability}
+		}
+
+		res := map[string]interface{}{}
+		if len(capabilities) > 0 {
+			res["capabilities"] = capabilities
+		}
+		if perms.MinWrappingTTL != 0 {
+			res["min_wrapping_ttl"] = int64(perms.MinWrappingTTL.Seconds())
+		}
+		if perms.MaxWrappingTTL != 0 {
+			res["max_wrapping_ttl"] = int64(perms.MaxWrappingTTL.Seconds())
+		}
+		if len(perms.AllowedParameters) > 0 {
+			res["allowed_parameters"] = perms.AllowedParameters
+		}
+		if len(perms.DeniedParameters) > 0 {
+			res["denied_parameters"] = perms.DeniedParameters
+		}
+		if len(perms.RequiredParameters) > 0 {
+			res["required_parameters"] = perms.RequiredParameters
+		}
+
+		pt[s] = res
+	}
+
+	exactWalkFn := func(s string, v interface{}) bool {
+		walkFn(exact, s, v)
+		return false
+	}
+
+	globWalkFn := func(s string, v interface{}) bool {
+		walkFn(glob, s, v)
+		return false
+	}
+
+	acl.exactRules.Walk(exactWalkFn)
+	acl.prefixRules.Walk(globWalkFn)
+
+	resp.Data["exact_paths"] = exact
+	resp.Data["glob_paths"] = glob
+
+	return resp, nil
+}
+
+// pathInternalUIVersion is the framework.PathOperation callback function for
+// the sys/internal/ui/version path. It simply returns the Vault version.
+func (b *SystemBackend) pathInternalUIVersion(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	resp := &logical.Response{
+		Data: map[string]any{
+			"version": version.GetVersion().VersionNumber(),
+		},
+	}
+
+	return resp, nil
+}
+
+func (b *SystemBackend) pathInternalOpenAPI(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	// Limit output to authorized paths
+	resp, err := b.pathInternalUIMountsRead(ctx, req, d)
+	if err != nil {
+		return nil, err
+	}
+
+	context := d.Get("context").(string)
+
+	// Set up target document
+	doc := framework.NewOASDocument(version.Version)
+
+	// Generic mount paths will primarily be used for code generation purposes.
+	// This will result in parameterized mount paths being returned instead of
+	// hardcoded actual paths. For example /auth/my-auth-method/login would be
+	// replaced with /auth/{my_auth_method_mount_path}/login.
+	//
+	// Note that for this to actually be useful, you have to be using it with
+	// a Vault instance in which you have mounted one of each secrets engine
+	// and auth method of types you are interested in, at paths which identify
+	// their type, and for the KV secrets engine you will probably want to
+	// mount separate kv-v1 and kv-v2 mounts to include the documentation for
+	// each of those APIs.
+	genericMountPaths, _ := d.Get("generic_mount_paths").(bool)
+
+	procMountGroup := func(group, mountPrefix string) error {
+		for mount, entry := range resp.Data[group].(map[string]interface{}) {
+
+			var pluginType string
+			if t, ok := entry.(map[string]interface{})["type"]; ok {
+				pluginType = t.(string)
+			}
+
+			backend := b.Core.router.MatchingBackend(ctx, mountPrefix+mount)
+
+			if backend == nil {
+				continue
+			}
+
+			req := &logical.Request{
+				Operation: logical.HelpOperation,
+				Storage:   req.Storage,
+				Data:      map[string]interface{}{"requestResponsePrefix": pluginType},
+			}
+
+			resp, err := backend.HandleRequest(ctx, req)
+			if err != nil {
+				return err
+			}
+
+			var backendDoc *framework.OASDocument
+
+			// Normalize response type, which will be different if received
+			// from an external plugin.
+			switch v := resp.Data["openapi"].(type) {
+			case *framework.OASDocument:
+				backendDoc = v
+			case map[string]interface{}:
+				backendDoc, err = framework.NewOASDocumentFromMap(v)
+				if err != nil {
+					return err
+				}
+			default:
+				continue
+			}
+
+			// Prepare to add tags to default builtins that are
+			// type "unknown" and won't already be tagged.
+			var tag string
+			switch mountPrefix + mount {
+			case "cubbyhole/", "secret/":
+				tag = "secrets"
+			case "sys/":
+				tag = "system"
+			case "auth/token/":
+				tag = "auth"
+			case "identity/":
+				tag = "identity"
+			}
+
+			// When set to the empty string, mountPathParameterName means not to use a parameter at all;
+			// the one variable combines both boolean, and value-to-use-if-true semantics.
+			mountPathParameterName := ""
+			if genericMountPaths {
+				isSingletonMount := (group == "auth" && pluginType == "token") ||
+					(group == "secret" &&
+						(pluginType == "system" || pluginType == "identity" || pluginType == "cubbyhole"))
+
+				if !isSingletonMount {
+					mountPathParameterName = strings.TrimRight(strings.ReplaceAll(mount, "-", "_"), "/") + "_mount_path"
+				}
+			}
+
+			// Merge backend paths with existing document
+			for path, obj := range backendDoc.Paths {
+				path := strings.TrimPrefix(path, "/")
+
+				// Add tags to all of the operations if necessary
+				if tag != "" {
+					for _, op := range []*framework.OASOperation{obj.Get, obj.Post, obj.Delete} {
+						// TODO: a special override for identity is used used here because the backend
+						// is currently categorized as "secret", which will likely change. Also of interest
+						// is removing all tag handling here and providing the mount information to OpenAPI.
+						if op != nil && (len(op.Tags) == 0 || tag == "identity") {
+							op.Tags = []string{tag}
+						}
+					}
+				}
+
+				mountForOpenAPI := mount
+
+				if mountPathParameterName != "" {
+					mountForOpenAPI = "{" + mountPathParameterName + "}/"
+
+					obj.Parameters = append(obj.Parameters, framework.OASParameter{
+						Name:        mountPathParameterName,
+						Description: "Path that the backend was mounted at",
+						In:          "path",
+						Schema: &framework.OASSchema{
+							Type:    "string",
+							Default: strings.TrimRight(mount, "/"),
+						},
+						Required: true,
+					})
+				}
+
+				doc.Paths["/"+mountPrefix+mountForOpenAPI+path] = obj
+			}
+
+			// Merge backend schema components
+			for e, schema := range backendDoc.Components.Schemas {
+				doc.Components.Schemas[e] = schema
+			}
+		}
+		return nil
+	}
+
+	if err := procMountGroup("secret", ""); err != nil {
+		return nil, err
+	}
+	if err := procMountGroup("auth", "auth/"); err != nil {
+		return nil, err
+	}
+
+	doc.CreateOperationIDs(context)
+
+	// Every backend that includes a ListOperation that uses the default response schema will have supplied its own
+	// version of that schema, on a last writer wins basis. To ensure an external plugin doesn't end up being the last
+	// writer, we now override with the version within the code of the hosting Vault instance, if the document now
+	// being generated contains any version of this:
+	if _, ok := doc.Components.Schemas["StandardListResponse"]; ok {
+		doc.Components.Schemas["StandardListResponse"] = framework.OASStdSchemaStandardListResponse
+	}
+
+	buf, err := json.Marshal(doc)
+	if err != nil {
+		return nil, err
+	}
+
+	resp = &logical.Response{
+		Data: map[string]interface{}{
+			logical.HTTPStatusCode:  200,
+			logical.HTTPRawBody:     buf,
+			logical.HTTPContentType: "application/json",
+		},
+	}
+
+	return resp, nil
+}
+
+type SealStatusResponse struct {
+	Type              string   `json:"type"`
+	Initialized       bool     `json:"initialized"`
+	Sealed            bool     `json:"sealed"`
+	T                 int      `json:"t"`
+	N                 int      `json:"n"`
+	Progress          int      `json:"progress"`
+	Nonce             string   `json:"nonce"`
+	Version           string   `json:"version"`
+	BuildDate         string   `json:"build_date"`
+	Migration         bool     `json:"migration"`
+	ClusterName       string   `json:"cluster_name,omitempty"`
+	ClusterID         string   `json:"cluster_id,omitempty"`
+	RecoverySeal      bool     `json:"recovery_seal"`
+	StorageType       string   `json:"storage_type,omitempty"`
+	HCPLinkStatus     string   `json:"hcp_link_status,omitempty"`
+	HCPLinkResourceID string   `json:"hcp_link_resource_ID,omitempty"`
+	Warnings          []string `json:"warnings,omitempty"`
+	RecoverySealType  string   `json:"recovery_seal_type,omitempty"`
+}
+
+type SealBackendStatus struct {
+	Name           string `json:"name"`
+	Healthy        bool   `json:"healthy"`
+	UnhealthySince string `json:"unhealthy_since,omitempty"`
+}
+
+type SealBackendStatusResponse struct {
+	Healthy        bool                `json:"healthy"`
+	UnhealthySince string              `json:"unhealthy_since,omitempty"`
+	Backends       []SealBackendStatus `json:"backends"`
+}
+
+func (core *Core) GetSealStatus(ctx context.Context, lock bool) (*SealStatusResponse, error) {
+	sealed := core.Sealed()
+
+	initialized, err := core.Initialized(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	var sealConfig *SealConfig
+	if core.SealAccess().RecoveryKeySupported() {
+		sealConfig, err = core.SealAccess().RecoveryConfig(ctx)
+	} else {
+		sealConfig, err = core.SealAccess().BarrierConfig(ctx)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	hcpLinkStatus, resourceIDonHCP := core.GetHCPLinkStatus()
+
+	if sealConfig == nil {
+		s := &SealStatusResponse{
+			Type:         core.SealAccess().BarrierSealConfigType().String(),
+			Initialized:  initialized,
+			Sealed:       true,
+			RecoverySeal: core.SealAccess().RecoveryKeySupported(),
+			StorageType:  core.StorageType(),
+			Version:      version.GetVersion().VersionNumber(),
+			BuildDate:    version.BuildDate,
+		}
+
+		if resourceIDonHCP != "" {
+			s.HCPLinkStatus = hcpLinkStatus
+			s.HCPLinkResourceID = resourceIDonHCP
+		}
+
+		return s, nil
+	}
+
+	var sealType string
+	var recoverySealType string
+	if core.SealAccess().RecoveryKeySupported() {
+		recoverySealType = sealConfig.Type
+		sealType = core.seal.BarrierSealConfigType().String()
+	} else {
+		sealType = sealConfig.Type
+	}
+
+	// Fetch the local cluster name and identifier
+	var clusterName, clusterID string
+	if !sealed {
+		cluster, err := core.Cluster(ctx)
+		if err != nil {
+			return nil, err
+		}
+		if cluster == nil {
+			return nil, fmt.Errorf("failed to fetch cluster details")
+		}
+		clusterName = cluster.Name
+		clusterID = cluster.ID
+	}
+
+	progress, nonce := core.SecretProgress(lock)
+
+	s := &SealStatusResponse{
+		Type:             sealType,
+		Initialized:      initialized,
+		Sealed:           sealed,
+		T:                sealConfig.SecretThreshold,
+		N:                sealConfig.SecretShares,
+		Progress:         progress,
+		Nonce:            nonce,
+		Version:          version.GetVersion().VersionNumber(),
+		BuildDate:        version.BuildDate,
+		Migration:        core.IsInSealMigrationMode(lock) && !core.IsSealMigrated(lock),
+		ClusterName:      clusterName,
+		ClusterID:        clusterID,
+		RecoverySeal:     core.SealAccess().RecoveryKeySupported(),
+		RecoverySealType: recoverySealType,
+		StorageType:      core.StorageType(),
+	}
+
+	if resourceIDonHCP != "" {
+		s.HCPLinkStatus = hcpLinkStatus
+		s.HCPLinkResourceID = resourceIDonHCP
+	}
+
+	return s, nil
+}
+
+func (c *Core) GetSealBackendStatus(ctx context.Context) (*SealBackendStatusResponse, error) {
+	var r SealBackendStatusResponse
+	if a, ok := c.seal.(*autoSeal); ok {
+		r.Healthy = c.seal.Healthy()
+		var uhMin time.Time
+		for _, sealWrapper := range a.GetConfiguredSealWrappersByPriority() {
+			b := SealBackendStatus{
+				Name:    sealWrapper.Name,
+				Healthy: sealWrapper.IsHealthy(),
+			}
+			if !sealWrapper.IsHealthy() {
+				lastSeenHealthy := sealWrapper.LastSeenHealthy()
+				if !lastSeenHealthy.IsZero() {
+					b.UnhealthySince = lastSeenHealthy.String()
+				}
+				if uhMin.IsZero() || uhMin.After(lastSeenHealthy) {
+					uhMin = lastSeenHealthy
+				}
+			}
+			r.Backends = append(r.Backends, b)
+		}
+		if !uhMin.IsZero() {
+			r.UnhealthySince = uhMin.String()
+		}
+	} else {
+		r.Backends = []SealBackendStatus{
+			{
+				Name:    "shamir", // "default?"
+				Healthy: true,
+			},
+		}
+		r.Healthy = true
+	}
+	return &r, nil
+}
+
+type LeaderResponse struct {
+	HAEnabled                bool      `json:"ha_enabled"`
+	IsSelf                   bool      `json:"is_self"`
+	ActiveTime               time.Time `json:"active_time,omitempty"`
+	LeaderAddress            string    `json:"leader_address"`
+	LeaderClusterAddress     string    `json:"leader_cluster_address"`
+	PerfStandby              bool      `json:"performance_standby"`
+	PerfStandbyLastRemoteWAL uint64    `json:"performance_standby_last_remote_wal"`
+	LastWAL                  uint64    `json:"last_wal,omitempty"`
+
+	// Raft Indexes for this node
+	RaftCommittedIndex uint64 `json:"raft_committed_index,omitempty"`
+	RaftAppliedIndex   uint64 `json:"raft_applied_index,omitempty"`
+}
+
+func (core *Core) GetLeaderStatus() (*LeaderResponse, error) {
+	core.stateLock.RLock()
+	defer core.stateLock.RUnlock()
+
+	return core.GetLeaderStatusLocked()
+}
+
+func (core *Core) GetLeaderStatusLocked() (*LeaderResponse, error) {
+	haEnabled := true
+	isLeader, address, clusterAddr, err := core.LeaderLocked()
+	if errwrap.Contains(err, ErrHANotEnabled.Error()) {
+		haEnabled = false
+		err = nil
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	resp := &LeaderResponse{
+		HAEnabled:            haEnabled,
+		IsSelf:               isLeader,
+		LeaderAddress:        address,
+		LeaderClusterAddress: clusterAddr,
+		PerfStandby:          core.perfStandby,
+	}
+	if isLeader {
+		resp.ActiveTime = core.activeTime
+	}
+	if resp.PerfStandby {
+		resp.PerfStandbyLastRemoteWAL = core.EntLastRemoteWAL()
+	} else if isLeader || !haEnabled {
+		resp.LastWAL = core.EntLastWAL()
+	}
+
+	resp.RaftCommittedIndex, resp.RaftAppliedIndex = core.GetRaftIndexesLocked()
+	return resp, nil
+}
+
+func (b *SystemBackend) handleSealStatus(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	status, err := b.Core.GetSealStatus(ctx, false)
+	if err != nil {
+		return nil, err
+	}
+	buf, err := json.Marshal(status)
+	if err != nil {
+		return nil, err
+	}
+	httpResp := &logical.Response{
+		Data: map[string]interface{}{
+			logical.HTTPStatusCode:  200,
+			logical.HTTPRawBody:     buf,
+			logical.HTTPContentType: "application/json",
+		},
+	}
+	return httpResp, nil
+}
+
+func (b *SystemBackend) handleLeaderStatus(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	status, err := b.Core.GetLeaderStatusLocked()
+	if err != nil {
+		return nil, err
+	}
+	buf, err := json.Marshal(status)
+	if err != nil {
+		return nil, err
+	}
+	httpResp := &logical.Response{
+		Data: map[string]interface{}{
+			logical.HTTPStatusCode:  200,
+			logical.HTTPRawBody:     buf,
+			logical.HTTPContentType: "application/json",
+		},
+	}
+	return httpResp, nil
+}
+
+func (b *SystemBackend) verifyDROperationTokenOnSecondary(f framework.OperationFunc, lock bool) framework.OperationFunc {
+	if b.Core.IsDRSecondary() {
+		return b.verifyDROperationToken(f, lock)
+	}
+	return f
+}
+
+func (b *SystemBackend) rotateBarrierKey(ctx context.Context) error {
+	// Rotate to the new term
+	newTerm, err := b.Core.barrier.Rotate(ctx, b.Core.secureRandomReader)
+	if err != nil {
+		return errwrap.Wrap(errors.New("failed to create new encryption key"), err)
+	}
+	b.Backend.Logger().Info("installed new encryption key")
+
+	// In HA mode, we need to an upgrade path for the standby instances
+	if b.Core.ha != nil && b.Core.KeyRotateGracePeriod() > 0 {
+		// Create the upgrade path to the new term
+		if err := b.Core.barrier.CreateUpgrade(ctx, newTerm); err != nil {
+			b.Backend.Logger().Error("failed to create new upgrade", "term", newTerm, "error", err)
+		}
+
+		// Schedule the destroy of the upgrade path
+		time.AfterFunc(b.Core.KeyRotateGracePeriod(), func() {
+			b.Backend.Logger().Debug("cleaning up upgrade keys", "waited", b.Core.KeyRotateGracePeriod())
+			if err := b.Core.barrier.DestroyUpgrade(b.Core.activeContext, newTerm); err != nil {
+				b.Backend.Logger().Error("failed to destroy upgrade", "term", newTerm, "error", err)
+			}
+		})
+	}
+
+	// Write to the canary path, which will force a synchronous truing during
+	// replication
+	if err := b.Core.barrier.Put(ctx, &logical.StorageEntry{
+		Key:   coreKeyringCanaryPath,
+		Value: []byte(fmt.Sprintf("new-rotation-term-%d", newTerm)),
+	}); err != nil {
+		b.Core.logger.Error("error saving keyring canary", "error", err)
+		return errwrap.Wrap(errors.New("failed to save keyring canary"), err)
+	}
+
+	return nil
+}
+
+func (b *SystemBackend) handleHAStatus(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	// We're always the leader if we're handling this request.
+	nodes, err := b.Core.getHAMembers()
+	if err != nil {
+		return nil, err
+	}
+
+	return &logical.Response{
+		Data: map[string]interface{}{
+			"nodes": nodes,
+		},
+	}, nil
+}
+
+type HAStatusNode struct {
+	Hostname           string     `json:"hostname"`
+	APIAddress         string     `json:"api_address"`
+	ClusterAddress     string     `json:"cluster_address"`
+	ActiveNode         bool       `json:"active_node"`
+	LastEcho           *time.Time `json:"last_echo"`
+	Version            string     `json:"version"`
+	UpgradeVersion     string     `json:"upgrade_version,omitempty"`
+	RedundancyZone     string     `json:"redundancy_zone,omitempty"`
+	EchoDurationMillis int64      `json:"echo_duration_ms"`
+	ClockSkewMillis    int64      `json:"clock_skew_ms"`
+}
+
+func (b *SystemBackend) handleVersionHistoryList(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	versions := make([]VaultVersion, 0)
+	respKeys := make([]string, 0)
+
+	for _, versionEntry := range b.Core.versionHistory {
+		versions = append(versions, versionEntry)
+	}
+
+	sort.Slice(versions, func(i, j int) bool {
+		return versions[i].TimestampInstalled.Before(versions[j].TimestampInstalled)
+	})
+
+	respKeyInfo := map[string]interface{}{}
+
+	for i, v := range versions {
+		respKeys = append(respKeys, v.Version)
+
+		entry := map[string]interface{}{
+			"timestamp_installed": v.TimestampInstalled.Format(time.RFC3339),
+			"build_date":          v.BuildDate,
+			"previous_version":    nil,
+		}
+
+		if i > 0 {
+			entry["previous_version"] = versions[i-1].Version
+		}
+
+		respKeyInfo[v.Version] = entry
+	}
+
+	return logical.ListResponseWithInfo(respKeys, respKeyInfo), nil
+}
+
+func (b *SystemBackend) handleLoggersRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	b.Core.allLoggersLock.RLock()
+	defer b.Core.allLoggersLock.RUnlock()
+
+	loggers := make(map[string]interface{})
+	warnings := make([]string, 0)
+
+	for _, logger := range b.Core.allLoggers {
+		loggerName := logger.Name()
+
+		// ignore base logger
+		if loggerName == "" {
+			continue
+		}
+
+		logLevel, err := logging.TranslateLoggerLevel(logger)
+		if err != nil {
+			warnings = append(warnings, fmt.Sprintf("cannot translate level for %q: %s", loggerName, err.Error()))
+		} else {
+			loggers[loggerName] = logLevel
+		}
+	}
+
+	resp := &logical.Response{
+		Data:     loggers,
+		Warnings: warnings,
+	}
+
+	return resp, nil
+}
+
+func (b *SystemBackend) handleLoggersWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	logLevelRaw, ok := d.GetOk("level")
+
+	if !ok {
+		return logical.ErrorResponse("level is required"), nil
+	}
+
+	logLevel := logLevelRaw.(string)
+	if logLevel == "" {
+		return logical.ErrorResponse("level is empty"), nil
+	}
+
+	level, err := logging.ParseLogLevel(logLevel)
+	if err != nil {
+		return logical.ErrorResponse(fmt.Sprintf("invalid level provided: %s", err.Error())), nil
+	}
+
+	b.Core.SetLogLevel(level)
+
+	return nil, nil
+}
+
+func (b *SystemBackend) handleLoggersDelete(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	level, err := logging.ParseLogLevel(b.Core.logLevel)
+	if err != nil {
+		return logical.ErrorResponse(fmt.Sprintf("log level from config is invalid: %s", err.Error())), nil
+	}
+
+	b.Core.SetLogLevel(level)
+
+	return nil, nil
+}
+
+func (b *SystemBackend) handleLoggersByNameRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	nameRaw, nameOk := d.GetOk("name")
+	if !nameOk {
+		return logical.ErrorResponse("name is required"), nil
+	}
+
+	name := nameRaw.(string)
+	if name == "" {
+		return logical.ErrorResponse("name is empty"), nil
+	}
+
+	b.Core.allLoggersLock.RLock()
+	defer b.Core.allLoggersLock.RUnlock()
+
+	loggers := make(map[string]interface{})
+	warnings := make([]string, 0)
+
+	for _, logger := range b.Core.allLoggers {
+		loggerName := logger.Name()
+
+		// ignore base logger
+		if loggerName == "" {
+			continue
+		}
+
+		if loggerName == name {
+			logLevel, err := logging.TranslateLoggerLevel(logger)
+
+			if err != nil {
+				warnings = append(warnings, fmt.Sprintf("cannot translate level for %q: %s", loggerName, err.Error()))
+			} else {
+				loggers[loggerName] = logLevel
+			}
+
+			break
+		}
+	}
+
+	resp := &logical.Response{
+		Data:     loggers,
+		Warnings: warnings,
+	}
+
+	return resp, nil
+}
+
+func (b *SystemBackend) handleLoggersByNameWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	nameRaw, nameOk := d.GetOk("name")
+	if !nameOk {
+		return logical.ErrorResponse("name is required"), nil
+	}
+
+	name := nameRaw.(string)
+	if name == "" {
+		return logical.ErrorResponse("name is empty"), nil
+	}
+
+	logLevelRaw, logLevelOk := d.GetOk("level")
+
+	if !logLevelOk {
+		return logical.ErrorResponse("level is required"), nil
+	}
+
+	logLevel := logLevelRaw.(string)
+	if logLevel == "" {
+		return logical.ErrorResponse("level is empty"), nil
+	}
+
+	level, err := logging.ParseLogLevel(logLevel)
+	if err != nil {
+		return logical.ErrorResponse(fmt.Sprintf("invalid level provided: %s", err.Error())), nil
+	}
+
+	success := b.Core.SetLogLevelByName(name, level)
+	if !success {
+		return logical.ErrorResponse(fmt.Sprintf("logger %q not found", name)), nil
+	}
+
+	return nil, nil
+}
+
+func (b *SystemBackend) handleLoggersByNameDelete(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	nameRaw, ok := d.GetOk("name")
+	if !ok {
+		return logical.ErrorResponse("name is required"), nil
+	}
+
+	level, err := logging.ParseLogLevel(b.Core.logLevel)
+	if err != nil {
+		return logical.ErrorResponse(fmt.Sprintf("log level from config is invalid: %s", err.Error())), nil
+	}
+
+	name := nameRaw.(string)
+	if name == "" {
+		return logical.ErrorResponse("name is empty"), nil
+	}
+
+	success := b.Core.SetLogLevelByName(name, level)
+	if !success {
+		return logical.ErrorResponse(fmt.Sprintf("logger %q not found", name)), nil
+	}
+
+	return nil, nil
+}
+
+// handleReadExperiments returns the available and enabled experiments on this node.
+// Each node within a cluster could have different values for each, but it's not
+// recommended.
+func (b *SystemBackend) handleReadExperiments(ctx context.Context, _ *logical.Request, _ *framework.FieldData) (*logical.Response, error) {
+	enabled := b.Core.experiments
+	if len(enabled) == 0 {
+		// Return empty slice instead of nil, so the JSON shows [] instead of null
+		enabled = []string{}
+	}
+
+	return &logical.Response{
+		Data: map[string]interface{}{
+			"available": experiments.ValidExperiments(),
+			"enabled":   enabled,
+		},
+	}, nil
+}
+
+func sanitizePath(path string) string {
+	if !strings.HasSuffix(path, "/") {
+		path += "/"
+	}
+
+	if strings.HasPrefix(path, "/") {
+		path = path[1:]
+	}
+
+	return path
+}
+
+func checkListingVisibility(visibility ListingVisibilityType) error {
+	switch visibility {
+	case ListingVisibilityDefault:
+	case ListingVisibilityHidden:
+	case ListingVisibilityUnauth:
+	default:
+		return fmt.Errorf("invalid listing visibility type")
+	}
+
+	return nil
+}
+
+const sysHelpRoot = `
+The system backend is built-in to Vault and cannot be remounted or
+unmounted. It contains the paths that are used to configure Vault itself
+as well as perform core operations.
+`
+
+// sysHelp is all the help text for the sys backend.
+var sysHelp = map[string][2]string{
+	"license": {
+		"Sets the license of the server.",
+		`
+The path responds to the following HTTP methods.
+
+    GET /
+        Returns information on the installed license
+
+    POST
+        Sets the license for the server
+	`,
+	},
+	"config/cors": {
+		"Configures or returns the current configuration of CORS settings.",
+		`
+This path responds to the following HTTP methods.
+
+    GET /
+        Returns the configuration of the CORS setting.
+
+    POST /
+        Sets the comma-separated list of origins that can make cross-origin requests.
+
+    DELETE /
+        Clears the CORS configuration and disables acceptance of CORS requests.
+		`,
+	},
+	"config/group-policy-application": {
+		"Configures how policies in groups should be applied, accepting 'within_namespace_hierarchy' (default) and 'any'," +
+			"which will allow policies to grant permissions in groups outside of those sharing a namespace hierarchy.",
+		`
+This path responds to the following HTTP methods.
+    GET /
+        Returns the current group policy application mode.
+    POST /
+        Sets the current group_policy_application_mode to either 'within_namespace_hierarchy' or 'any'.
+        `,
+	},
+	"config/ui/headers": {
+		"Configures response headers that should be returned from the UI.",
+		`
+This path responds to the following HTTP methods.
+    GET /<header>
+        Returns the header value.
+    POST /<header>
+        Sets the header value for the UI.
+    DELETE /<header>
+        Clears the header value for UI.
+
+    LIST /
+        List the headers configured for the UI.
+        `,
+	},
+	"init": {
+		"Initializes or returns the initialization status of the Vault.",
+		`
+This path responds to the following HTTP methods.
+
+    GET /
+        Returns the initialization status of the Vault.
+
+    POST /
+        Initializes a new vault.
+		`,
+	},
+	"health": {
+		"Checks the health status of the Vault.",
+		`
+This path responds to the following HTTP methods.
+
+	GET /
+		Returns health information about the Vault.
+		`,
+	},
+	"generate-root": {
+		"Reads, generates, or deletes a root token regeneration process.",
+		`
+This path responds to multiple HTTP methods which change the behavior. Those
+HTTP methods are listed below.
+
+    GET /attempt
+        Reads the configuration and progress of the current root generation
+        attempt.
+
+    POST /attempt
+        Initializes a new root generation attempt. Only a single root generation
+        attempt can take place at a time. One (and only one) of otp or pgp_key
+        are required.
+
+    DELETE /attempt
+        Cancels any in-progress root generation attempt. This clears any
+        progress made. This must be called to change the OTP or PGP key being
+        used.
+		`,
+	},
+	"seal-status": {
+		"Returns the seal status of the Vault.",
+		`
+This path responds to the following HTTP methods.
+
+    GET /
+        Returns the seal status of the Vault. This is an unauthenticated
+        endpoint.
+		`,
+	},
+	"seal": {
+		"Seals the Vault.",
+		`
+This path responds to the following HTTP methods.
+
+    PUT /
+        Seals the Vault.
+		`,
+	},
+	"unseal": {
+		"Unseals the Vault.",
+		`
+This path responds to the following HTTP methods.
+
+    PUT /
+        Unseals the Vault.
+		`,
+	},
+	"mounts": {
+		"List the currently mounted backends.",
+		`
+This path responds to the following HTTP methods.
+
+    GET /
+        Lists all the mounted secret backends.
+
+    GET /<mount point>
+        Get information about the mount at the specified path.
+
+    POST /<mount point>
+        Mount a new secret backend to the mount point in the URL.
+
+    POST /<mount point>/tune
+        Tune configuration parameters for the given mount point.
+
+    DELETE /<mount point>
+        Unmount the specified mount point.
+		`,
+	},
+
+	"mount": {
+		`Mount a new backend at a new path.`,
+		`
+Mount a backend at a new path. A backend can be mounted multiple times at
+multiple paths in order to configure multiple separately configured backends.
+Example: you might have an AWS backend for the east coast, and one for the
+west coast.
+		`,
+	},
+
+	"mount_path": {
+		`The path to mount to. Example: "aws/east"`,
+		"",
+	},
+
+	"mount_type": {
+		`The type of the backend. Example: "passthrough"`,
+		"",
+	},
+
+	"mount_desc": {
+		`User-friendly description for this mount.`,
+		"",
+	},
+
+	"mount_config": {
+		`Configuration for this mount, such as default_lease_ttl
+and max_lease_ttl.`,
+	},
+
+	"mount_local": {
+		`Mark the mount as a local mount, which is not replicated
+and is unaffected by replication.`,
+	},
+
+	"mount_plugin_name": {
+		`Name of the plugin to mount based from the name registered
+in the plugin catalog.`,
+	},
+
+	"mount_options": {
+		`The options to pass into the backend. Should be a json object with string keys and values.`,
+	},
+
+	"seal_wrap": {
+		`Whether to turn on seal wrapping for the mount.`,
+	},
+
+	"external_entropy_access": {
+		`Whether to give the mount access to Vault's external entropy.`,
+	},
+
+	"tune_default_lease_ttl": {
+		`The default lease TTL for this mount.`,
+	},
+
+	"tune_max_lease_ttl": {
+		`The max lease TTL for this mount.`,
+	},
+
+	"tune_audit_non_hmac_request_keys": {
+		`The list of keys in the request data object that will not be HMAC'ed by audit devices.`,
+	},
+
+	"tune_audit_non_hmac_response_keys": {
+		`The list of keys in the response data object that will not be HMAC'ed by audit devices.`,
+	},
+
+	"tune_mount_options": {
+		`The options to pass into the backend. Should be a json object with string keys and values.`,
+	},
+
+	"tune_user_lockout_config": {
+		`The user lockout configuration to pass into the backend. Should be a json object with string keys and values.`,
+	},
+
+	"remount": {
+		"Move the mount point of an already-mounted backend, within or across namespaces",
+		`
+This path responds to the following HTTP methods.
+
+    POST /sys/remount
+        Changes the mount point of an already-mounted backend.
+		`,
+	},
+
+	"remount-status": {
+		"Check the status of a mount move operation",
+		`
+This path responds to the following HTTP methods.
+    GET /sys/remount/status/:migration_id
+		Check the status of a mount move operation for the given migration_id
+		`,
+	},
+
+	"auth_tune": {
+		"Tune the configuration parameters for an auth path.",
+		`Read and write the 'default-lease-ttl' and 'max-lease-ttl' values of
+the auth path.`,
+	},
+
+	"mount_tune": {
+		"Tune backend configuration parameters for this mount.",
+		`Read and write the 'default-lease-ttl' and 'max-lease-ttl' values of
+the mount.`,
+	},
+
+	"unlock_user": {
+		"Unlock the locked user with given mount_accessor and alias_identifier.",
+		`
+This path responds to the following HTTP methods.
+    POST sys/locked-users/:mount_accessor/unlock/:alias_identifier
+		Unlocks the user with given mount_accessor and alias_identifier
+		if locked.`,
+	},
+
+	"mount_accessor": {
+		"MountAccessor is the identifier of the mount entry to which the user belongs",
+		"",
+	},
+
+	"locked_users": {
+		"Report the locked user count metrics",
+		`
+This path responds to the following HTTP methods.
+    GET sys/locked-users
+	Report the locked user count metrics, for current namespace and all child namespaces.`,
+	},
+
+	"alias_identifier": {
+		`It is the name of the alias (user). For example, if the alias belongs to userpass backend, 
+	   the name should be a valid username within userpass auth method. If the alias belongs
+	    to an approle auth method, the name should be a valid RoleID`,
+		"",
+	},
+
+	"renew": {
+		"Renew a lease on a secret",
+		`
+When a secret is read, it may optionally include a lease interval
+and a boolean indicating if renew is possible. For secrets that support
+lease renewal, this endpoint is used to extend the validity of the
+lease and to prevent an automatic revocation.
+		`,
+	},
+
+	"lease_id": {
+		"The lease identifier to renew. This is included with a lease.",
+		"",
+	},
+
+	"increment": {
+		"The desired increment in seconds to the lease",
+		"",
+	},
+
+	"revoke": {
+		"Revoke a leased secret immediately",
+		`
+When a secret is generated with a lease, it is automatically revoked
+at the end of the lease period if not renewed. However, in some cases
+you may want to force an immediate revocation. This endpoint can be
+used to revoke the secret with the given Lease ID.
+		`,
+	},
+
+	"revoke-sync": {
+		"Whether or not to perform the revocation synchronously",
+		`
+If false, the call will return immediately and revocation will be queued; if it
+fails, Vault will keep trying. If true, if the revocation fails, Vault will not
+automatically try again and will return an error. For revoke-prefix, this
+setting will apply to all leases being revoked. For revoke-force, since errors
+are ignored, this setting is not supported.
+`,
+	},
+
+	"revoke-prefix": {
+		"Revoke all secrets generated in a given prefix",
+		`
+Revokes all the secrets generated under a given mount prefix. As
+an example, "prod/aws/" might be the AWS logical backend, and due to
+a change in the "ops" policy, we may want to invalidate all the secrets
+generated. We can do a revoke prefix at "prod/aws/ops" to revoke all
+the ops secrets. This does a prefix match on the Lease IDs and revokes
+all matching leases.
+		`,
+	},
+
+	"revoke-prefix-path": {
+		`The path to revoke keys under. Example: "prod/aws/ops"`,
+		"",
+	},
+
+	"revoke-force": {
+		"Revoke all secrets generated in a given prefix, ignoring errors.",
+		`
+See the path help for 'revoke-prefix'; this behaves the same, except that it
+ignores errors encountered during revocation. This can be used in certain
+recovery situations; for instance, when you want to unmount a backend, but it
+is impossible to fix revocation errors and these errors prevent the unmount
+from proceeding. This is a DANGEROUS operation as it removes Vault's oversight
+of external secrets. Access to this prefix should be tightly controlled.
+		`,
+	},
+
+	"revoke-force-path": {
+		`The path to revoke keys under. Example: "prod/aws/ops"`,
+		"",
+	},
+
+	"auth-table": {
+		"List the currently enabled credential backends.",
+		`
+This path responds to the following HTTP methods.
+
+    GET /
+        List the currently enabled credential backends: the name, the type of
+        the backend, and a user friendly description of the purpose for the
+        credential backend.
+
+    POST /<mount point>
+        Enable a new auth method.
+
+    DELETE /<mount point>
+        Disable the auth method at the given mount point.
+		`,
+	},
+
+	"auth": {
+		`Enable a new credential backend with a name.`,
+		`
+Enable a credential mechanism at a new path. A backend can be mounted multiple times at
+multiple paths in order to configure multiple separately configured backends.
+Example: you might have an OAuth backend for GitHub, and one for Google Apps.
+		`,
+	},
+
+	"auth_path": {
+		`The path to mount to. Cannot be delimited. Example: "user"`,
+		"",
+	},
+
+	"auth_type": {
+		`The type of the backend. Example: "userpass"`,
+		"",
+	},
+
+	"auth_desc": {
+		`User-friendly description for this credential backend.`,
+		"",
+	},
+
+	"auth_config": {
+		`Configuration for this mount, such as plugin_name.`,
+	},
+
+	"auth_plugin": {
+		`Name of the auth plugin to use based from the name in the plugin catalog.`,
+		"",
+	},
+
+	"auth_options": {
+		`The options to pass into the backend. Should be a json object with string keys and values.`,
+	},
+
+	"policy-list": {
+		`List the configured access control policies.`,
+		`
+This path responds to the following HTTP methods.
+
+    GET /
+        List the names of the configured access control policies.
+
+    GET /<name>
+        Retrieve the rules for the named policy.
+
+    PUT /<name>
+        Add or update a policy.
+
+    DELETE /<name>
+        Delete the policy with the given name.
+		`,
+	},
+
+	"policy": {
+		`Read, Modify, or Delete an access control policy.`,
+		`
+Read the rules of an existing policy, create or update the rules of a policy,
+or delete a policy.
+		`,
+	},
+
+	"policy-name": {
+		`The name of the policy. Example: "ops"`,
+		"",
+	},
+
+	"policy-rules": {
+		`The rules of the policy.`,
+		"",
+	},
+
+	"policy-paths": {
+		`The paths on which the policy should be applied.`,
+		"",
+	},
+
+	"policy-enforcement-level": {
+		`The enforcement level to apply to the policy.`,
+		"",
+	},
+
+	"password-policy-name": {
+		`The name of the password policy.`,
+		"",
+	},
+
+	"audit-hash": {
+		"The hash of the given string via the given audit backend",
+		"",
+	},
+
+	"audit-table": {
+		"List the currently enabled audit backends.",
+		`
+This path responds to the following HTTP methods.
+
+    GET /
+        List the currently enabled audit backends.
+
+    PUT /<path>
+        Enable an audit backend at the given path.
+
+    DELETE /<path>
+        Disable the given audit backend.
+		`,
+	},
+
+	"audit_path": {
+		`The name of the backend. Cannot be delimited. Example: "mysql"`,
+		"",
+	},
+
+	"audit_type": {
+		`The type of the backend. Example: "mysql"`,
+		"",
+	},
+
+	"audit_desc": {
+		`User-friendly description for this audit backend.`,
+		"",
+	},
+
+	"audit_opts": {
+		`Configuration options for the audit backend.`,
+		"",
+	},
+
+	"audit": {
+		`Enable or disable audit backends.`,
+		`
+Enable a new audit backend or disable an existing backend.
+		`,
+	},
+
+	"ha-status": {
+		"Provides information about the nodes in an HA cluster.",
+		`
+		Provides the list of hosts known to the active node and when they were last heard from.
+		`,
+	},
+
+	"key-status": {
+		"Provides information about the backend encryption key.",
+		`
+		Provides the current backend encryption key term and installation time.
+		`,
+	},
+
+	"rotate-config": {
+		"Configures settings related to the backend encryption key management.",
+		`
+		Configures settings related to the automatic rotation of the backend encryption key.
+		`,
+	},
+
+	"rotation-enabled": {
+		"Whether automatic rotation is enabled.",
+		"",
+	},
+	"rotation-max-operations": {
+		"The number of encryption operations performed before the barrier key is automatically rotated.",
+		"",
+	},
+	"rotation-interval": {
+		"How long after installation of an active key term that the key will be automatically rotated.",
+		"",
+	},
+	"rotate": {
+		"Rotates the backend encryption key used to persist data.",
+		`
+		Rotate generates a new encryption key which is used to encrypt all
+		data going to the storage backend. The old encryption keys are kept so
+		that data encrypted using those keys can still be decrypted.
+		`,
+	},
+
+	"rekey_backup": {
+		"Allows fetching or deleting the backup of the rotated unseal keys.",
+		"",
+	},
+
+	"capabilities": {
+		"Fetches the capabilities of the given token on the given path.",
+		`Returns the capabilities of the given token on the path.
+		The path will be searched for a path match in all the policies associated with the token.`,
+	},
+
+	"capabilities_self": {
+		"Fetches the capabilities of the given token on the given path.",
+		`Returns the capabilities of the client token on the path.
+		The path will be searched for a path match in all the policies associated with the client token.`,
+	},
+
+	"capabilities_accessor": {
+		"Fetches the capabilities of the token associated with the given token, on the given path.",
+		`When there is no access to the token, token accessor can be used to fetch the token's capabilities
+		on a given path.`,
+	},
+
+	"tidy_leases": {
+		`This endpoint performs cleanup tasks that can be run if certain error
+conditions have occurred.`,
+		`This endpoint performs cleanup tasks that can be run to clean up the
+lease entries after certain error conditions. Usually running this is not
+necessary, and is only required if upgrade notes or support personnel suggest
+it.`,
+	},
+
+	"wrap": {
+		"Response-wraps an arbitrary JSON object.",
+		`Round trips the given input data into a response-wrapped token.`,
+	},
+
+	"wrappubkey": {
+		"Returns pubkeys used in some wrapping formats.",
+		"Returns pubkeys used in some wrapping formats.",
+	},
+
+	"unwrap": {
+		"Unwraps a response-wrapped token.",
+		`Unwraps a response-wrapped token. Unlike simply reading from cubbyhole/response,
+		this provides additional validation on the token, and rather than a JSON-escaped
+		string, the returned response is the exact same as the contained wrapped response.`,
+	},
+
+	"wraplookup": {
+		"Looks up the properties of a response-wrapped token.",
+		`Returns the creation TTL and creation time of a response-wrapped token.`,
+	},
+
+	"rewrap": {
+		"Rotates a response-wrapped token.",
+		`Rotates a response-wrapped token; the output is a new token with the same
+		response wrapped inside and the same creation TTL. The original token is revoked.`,
+	},
+	"audited-headers-name": {
+		"Configures the headers sent to the audit logs.",
+		`
+This path responds to the following HTTP methods.
+
+	GET /<name>
+		Returns the setting for the header with the given name.
+
+	POST /<name>
+		Enable auditing of the given header.
+
+	DELETE /<path>
+		Disable auditing of the given header.
+		`,
+	},
+	"audited-headers": {
+		"Lists the headers configured to be audited.",
+		`Returns a list of headers that have been configured to be audited.`,
+	},
+	"plugin-catalog-list-all": {
+		"Lists all the plugins known to Vault",
+		`
+This path responds to the following HTTP methods.
+		LIST /
+			Returns a list of names of configured plugins.
+		`,
+	},
+	"plugin-catalog": {
+		"Configures the plugins known to Vault",
+		`
+This path responds to the following HTTP methods.
+		LIST /
+			Returns a list of names of configured plugins.
+
+		GET /<name>
+			Retrieve the metadata for the named plugin.
+
+		PUT /<name>
+			Add or update plugin.
+
+		DELETE /<name>
+			Delete the plugin with the given name.
+		`,
+	},
+	"plugin-catalog_name": {
+		"The name of the plugin",
+		"",
+	},
+	"plugin-catalog_type": {
+		"The type of the plugin, may be auth, secret, or database",
+		"",
+	},
+	"plugin-catalog_sha-256": {
+		`The SHA256 sum of the executable or container to be run.
+This should be HEX encoded.`,
+		"",
+	},
+	"plugin-catalog_command": {
+		`The command used to start the plugin. The
+executable defined in this command must exist in vault's
+plugin directory.`,
+		"",
+	},
+	"plugin-catalog_args": {
+		`The args passed to plugin command.`,
+		"",
+	},
+	"plugin-catalog_env": {
+		`The environment variables passed to plugin command.
+Each entry is of the form "key=value".`,
+		"",
+	},
+	"plugin-catalog_version": {
+		"The semantic version of the plugin to use, or image tag if oci_image is provided.",
+		"",
+	},
+	"plugin-catalog_oci_image": {
+		`The name of the OCI image to be run, without the tag or SHA256.
+Must already be present on the machine.`,
+		"",
+	},
+	"plugin-catalog_runtime": {
+		`The Vault plugin runtime to use when running the plugin.`,
+		"",
+	},
+	"plugin-runtime-catalog": {
+		"Configures plugin runtimes",
+		`
+This path responds to the following HTTP methods.
+		LIST /
+			Returns a list of names of configured plugin runtimes.
+
+		GET /<type>/<name>
+			Retrieve the metadata for the named plugin runtime.
+
+		PUT /<type>/<name>
+			Add or update plugin runtime.
+
+		DELETE /<type>/<name>
+			Delete the plugin runtime with the given name.
+		`,
+	},
+	"plugin-runtime-catalog-list-all": {
+		"List all plugin runtimes in the catalog as a map of type to names.",
+		"",
+	},
+	"plugin-runtime-catalog_name": {
+		"The name of the plugin runtime",
+		"",
+	},
+	"plugin-runtime-catalog_type": {
+		"The type of the plugin runtime",
+		"",
+	},
+	"plugin-runtime-catalog_oci-runtime": {
+		"The OCI-compatible runtime (default \"runsc\")",
+		"",
+	},
+	"plugin-runtime-catalog_cgroup-parent": {
+		"Parent cgroup to set for each container. This can be used to control the total resource usage for a group of plugins.",
+		"",
+	},
+	"plugin-runtime-catalog_cpu-nanos": {
+		"CPU limit to set per container in nanos. Defaults to no limit.",
+		"",
+	},
+	"plugin-runtime-catalog_memory-bytes": {
+		"Memory limit to set per container in bytes. Defaults to no limit.",
+		"",
+	},
+	"plugin-runtime-catalog_rootless": {
+		"Whether the container runtime is run as a non-privileged (non-root) user.",
+		"",
+	},
+	"leases": {
+		`View or list lease metadata.`,
+		`
+This path responds to the following HTTP methods.
+
+    PUT /
+        Retrieve the metadata for the provided lease id.
+
+    LIST /<prefix>
+        Lists the leases for the named prefix.
+		`,
+	},
+
+	"leases-list-prefix": {
+		`The path to list leases under. Example: "aws/creds/deploy"`,
+		"",
+	},
+	"plugin-reload": {
+		"Reload mounts that use a particular backend plugin.",
+		`Reload mounts that use a particular backend plugin. Either the plugin name
+		or the desired plugin backend mounts must be provided, but not both. In the
+		case that the plugin name is provided, all mounted paths that use that plugin
+		backend will be reloaded.`,
+	},
+	"plugin-backend-reload-plugin": {
+		`The name of the plugin to reload, as registered in the plugin catalog.`,
+		"",
+	},
+	"plugin-backend-reload-mounts": {
+		`The mount paths of the plugin backends to reload.`,
+		"",
+	},
+	"hash": {
+		"Generate a hash sum for input data",
+		"Generates a hash sum of the given algorithm against the given input data.",
+	},
+	"random": {
+		"Generate random bytes",
+		"This function can be used to generate high-entropy random bytes.",
+	},
+	"listing_visibility": {
+		"Determines the visibility of the mount in the UI-specific listing endpoint. Accepted value are 'unauth' and 'hidden', with the empty default ('') behaving like 'hidden'.",
+		"",
+	},
+	"passthrough_request_headers": {
+		"A list of headers to whitelist and pass from the request to the plugin.",
+		"",
+	},
+	"allowed_response_headers": {
+		"A list of headers to whitelist and allow a plugin to set on responses.",
+		"",
+	},
+	"token_type": {
+		"The type of token to issue (service or batch).",
+		"",
+	},
+	"raw": {
+		"Write, Read, and Delete data directly in the Storage backend.",
+		"",
+	},
+	"internal-ui-feature-flags": {
+		"Enabled feature flags. Internal API; its location, inputs, and outputs may change.",
+		"",
+	},
+	"internal-ui-mounts": {
+		"Information about mounts returned according to their tuned visibility. Internal API; its location, inputs, and outputs may change.",
+		"",
+	},
+	"internal-ui-namespaces": {
+		"Information about visible child namespaces. Internal API; its location, inputs, and outputs may change.",
+		`Information about visible child namespaces returned starting from the request's
+		context namespace and filtered based on access from the client token. Internal API;
+		its location, inputs, and outputs may change.`,
+	},
+	"internal-ui-resultant-acl": {
+		"Information about a token's resultant ACL. Internal API; its location, inputs, and outputs may change.",
+		"",
+	},
+	"metrics": {
+		"Export the metrics aggregated for telemetry purpose.",
+		"",
+	},
+	"in-flight-req": {
+		"reports in-flight requests",
+		`
+This path responds to the following HTTP methods.
+		GET /
+			Returns a map of in-flight requests.
+		`,
+	},
+	"internal-counters-requests": {
+		"Currently unsupported. Previously, count of requests seen by this Vault cluster over time.",
+		"Currently unsupported. Previously, count of requests seen by this Vault cluster over time. Not included in count: health checks, UI asset requests, requests forwarded from another cluster.",
+	},
+	"internal-counters-tokens": {
+		"Count of active tokens in this Vault cluster.",
+		"Count of active tokens in this Vault cluster.",
+	},
+	"internal-counters-entities": {
+		"Count of active entities in this Vault cluster.",
+		"Count of active entities in this Vault cluster.",
+	},
+	"internal-inspect-router": {
+		"Information on the entries in each of the trees in the router. Inspectable trees are uuid, accessor, storage, and root.",
+		`
+This path responds to the following HTTP methods.
+		GET /
+			Returns a list of entries in specified table
+		`,
+	},
+	"host-info": {
+		"Information about the host instance that this Vault server is running on.",
+		`Information about the host instance that this Vault server is running on.
+		The information that gets collected includes host hardware information, and CPU,
+		disk, and memory utilization`,
+	},
+	"activity-query": {
+		"Query the historical count of clients.",
+		"Query the historical count of clients.",
+	},
+	"activity-export": {
+		"Export the historical activity of clients.",
+		"Export the historical activity of clients.",
+	},
+	"activity-monthly": {
+		"Count of active clients so far this month.",
+		"Count of active clients so far this month.",
+	},
+	"activity-config": {
+		"Control the collection and reporting of client counts.",
+		"Control the collection and reporting of client counts.",
+	},
+	"count-leases": {
+		"Count of leases associated with this Vault cluster",
+		"Count of leases associated with this Vault cluster",
+	},
+	"list-leases": {
+		"List leases associated with this Vault cluster",
+		"Requires sudo capability. List leases associated with this Vault cluster",
+	},
+	"version-history": {
+		"List historical version changes sorted by installation time in ascending order.",
+		`
+This path responds to the following HTTP methods.
+
+    LIST /
+        Returns a list historical version changes sorted by installation time in ascending order.
+		`,
+	},
+	"experiments": {
+		"Returns information about Vault's experimental features. Should NOT be used in production.",
+		`
+This path responds to the following HTTP methods.
+		GET /
+			Returns the available and enabled experiments.
+		`,
+	},
+	"delegated_auth_accessors": {
+		"A list of auth accessors that the mount is allowed to delegate authentication too",
+		"",
+	},
 }
diff --git a/command/token.go b/command/token.go
index 5ccec004a885..644aaec0a688 100644
--- a/command/token.go
+++ b/command/token.go
@@ -1,49 +1,250 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package vault_test
 
 import (
-	"strings"
-
-	"github.com/mitchellh/cli"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/go-test/deep"
+	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
+	"github.com/hashicorp/vault/helper/testhelpers/minimal"
+	vaulthttp "github.com/hashicorp/vault/http"
+	"github.com/hashicorp/vault/sdk/helper/logging"
+	"github.com/hashicorp/vault/sdk/physical"
+	"github.com/hashicorp/vault/sdk/physical/inmem"
+	"github.com/hashicorp/vault/vault"
+	"github.com/hashicorp/vault/version"
 )
 
-var _ cli.Command = (*TokenCommand)(nil)
-
-type TokenCommand struct {
-	*BaseCommand
+func TestSystemBackend_InternalUIResultantACL(t *testing.T) {
+	t.Parallel()
+	cluster := minimal.NewTestSoloCluster(t, nil)
+	client := cluster.Cores[0].Client
+
+	resp, err := client.Auth().Token().Create(&api.TokenCreateRequest{
+		Policies: []string{"default"},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil {
+		t.Fatal("nil response")
+	}
+	if resp.Auth == nil {
+		t.Fatal("nil auth")
+	}
+	if resp.Auth.ClientToken == "" {
+		t.Fatal("empty client token")
+	}
+
+	client.SetToken(resp.Auth.ClientToken)
+
+	resp, err = client.Logical().Read("sys/internal/ui/resultant-acl")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil {
+		t.Fatal("nil response")
+	}
+	if resp.Data == nil {
+		t.Fatal("nil data")
+	}
+
+	exp := map[string]interface{}{
+		"exact_paths": map[string]interface{}{
+			"auth/token/lookup-self": map[string]interface{}{
+				"capabilities": []interface{}{
+					"read",
+				},
+			},
+			"auth/token/renew-self": map[string]interface{}{
+				"capabilities": []interface{}{
+					"update",
+				},
+			},
+			"auth/token/revoke-self": map[string]interface{}{
+				"capabilities": []interface{}{
+					"update",
+				},
+			},
+			"sys/capabilities-self": map[string]interface{}{
+				"capabilities": []interface{}{
+					"update",
+				},
+			},
+			"sys/control-group/request": map[string]interface{}{
+				"capabilities": []interface{}{
+					"update",
+				},
+			},
+			"sys/internal/ui/resultant-acl": map[string]interface{}{
+				"capabilities": []interface{}{
+					"read",
+				},
+			},
+			"sys/internal/ui/version": map[string]interface{}{
+				"capabilities": []interface{}{
+					"read",
+				},
+			},
+			"sys/leases/lookup": map[string]interface{}{
+				"capabilities": []interface{}{
+					"update",
+				},
+			},
+			"sys/leases/renew": map[string]interface{}{
+				"capabilities": []interface{}{
+					"update",
+				},
+			},
+			"sys/renew": map[string]interface{}{
+				"capabilities": []interface{}{
+					"update",
+				},
+			},
+			"sys/tools/hash": map[string]interface{}{
+				"capabilities": []interface{}{
+					"update",
+				},
+			},
+			"sys/wrapping/lookup": map[string]interface{}{
+				"capabilities": []interface{}{
+					"update",
+				},
+			},
+			"sys/wrapping/unwrap": map[string]interface{}{
+				"capabilities": []interface{}{
+					"update",
+				},
+			},
+			"sys/wrapping/wrap": map[string]interface{}{
+				"capabilities": []interface{}{
+					"update",
+				},
+			},
+		},
+		"glob_paths": map[string]interface{}{
+			"cubbyhole/": map[string]interface{}{
+				"capabilities": []interface{}{
+					"create",
+					"delete",
+					"list",
+					"read",
+					"update",
+				},
+			},
+			"sys/tools/hash/": map[string]interface{}{
+				"capabilities": []interface{}{
+					"update",
+				},
+			},
+		},
+		"root":             false,
+		"chroot_namespace": "",
+	}
+
+	if diff := deep.Equal(resp.Data, exp); diff != nil {
+		t.Fatal(diff)
+	}
 }
 
-func (c *TokenCommand) Synopsis() string {
-	return "Interact with tokens"
+func TestSystemBackend_HAStatus(t *testing.T) {
+	logger := logging.NewVaultLogger(hclog.Trace)
+	inm, err := inmem.NewTransactionalInmem(nil, logger)
+	if err != nil {
+		t.Fatal(err)
+	}
+	inmha, err := inmem.NewInmemHA(nil, logger)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	conf := &vault.CoreConfig{
+		Physical:   inm,
+		HAPhysical: inmha.(physical.HABackend),
+	}
+	opts := &vault.TestClusterOptions{
+		HandlerFunc: vaulthttp.Handler,
+	}
+	cluster := vault.NewTestCluster(t, conf, opts)
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	corehelpers.RetryUntil(t, 15*time.Second, func() error {
+		// Use standby deliberately to make sure it forwards
+		client := cluster.Cores[1].Client
+		resp, err := client.Sys().HAStatus()
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if len(resp.Nodes) != len(cluster.Cores) {
+			return fmt.Errorf("expected %d nodes, got %d", len(cluster.Cores), len(resp.Nodes))
+		}
+		return nil
+	})
 }
 
-func (c *TokenCommand) Help() string {
-	helpText := `
-Usage: vault token <subcommand> [options] [args]
-
-  This command groups subcommands for interacting with tokens. Users can
-  create, lookup, renew, and revoke tokens.
-
-  Create a new token:
-
-      $ vault token create
-
-  Revoke a token:
-
-      $ vault token revoke 96ddf4bc-d217-f3ba-f9bd-017055595017
-
-  Renew a token:
-
-      $ vault token renew 96ddf4bc-d217-f3ba-f9bd-017055595017
-
-  Please see the individual subcommand help for detailed usage information.
-`
-
-	return strings.TrimSpace(helpText)
+// TestSystemBackend_VersionHistory_unauthenticated tests the sys/version-history
+// endpoint without providing a token. Requests to the endpoint must be
+// authenticated and thus a 403 response is expected.
+func TestSystemBackend_VersionHistory_unauthenticated(t *testing.T) {
+	t.Parallel()
+	cluster := minimal.NewTestSoloCluster(t, nil)
+	client := cluster.Cores[0].Client
+
+	client.SetToken("")
+	resp, err := client.Logical().List("sys/version-history")
+
+	if resp != nil {
+		t.Fatalf("expected nil response, resp: %#v", resp)
+	}
+
+	respErr, ok := err.(*api.ResponseError)
+	if !ok {
+		t.Fatalf("unexpected error type: err: %#v", err)
+	}
+
+	if respErr.StatusCode != 403 {
+		t.Fatalf("expected response status to be 403, actual: %d", respErr.StatusCode)
+	}
 }
 
-func (c *TokenCommand) Run(args []string) int {
-	return cli.RunResultHelp
+// TestSystemBackend_VersionHistory_authenticated tests the sys/version-history
+// endpoint with authentication. Without synthetically altering the underlying
+// core/versions storage entries, a single version entry should exist.
+func TestSystemBackend_VersionHistory_authenticated(t *testing.T) {
+	t.Parallel()
+	cluster := minimal.NewTestSoloCluster(t, nil)
+	client := cluster.Cores[0].Client
+
+	resp, err := client.Logical().List("sys/version-history")
+	if err != nil || resp == nil {
+		t.Fatalf("request failed, err: %v, resp: %#v", err, resp)
+	}
+
+	var ok bool
+	var keys []interface{}
+	var keyInfo map[string]interface{}
+
+	if keys, ok = resp.Data["keys"].([]interface{}); !ok {
+		t.Fatalf("expected keys to be array, actual: %#v", resp.Data["keys"])
+	}
+
+	if keyInfo, ok = resp.Data["key_info"].(map[string]interface{}); !ok {
+		t.Fatalf("expected key_info to be map, actual: %#v", resp.Data["key_info"])
+	}
+
+	if len(keys) != 1 {
+		t.Fatalf("expected single version history entry for %q", version.Version)
+	}
+
+	if keyInfo[version.Version] == nil {
+		t.Fatalf("expected version %s to be present in key_info, actual: %#v", version.Version, keyInfo)
+	}
 }
diff --git a/command/token/testing.go b/command/token/testing.go
index acfc84338e7a..60e56d31824c 100644
--- a/command/token/testing.go
+++ b/command/token/testing.go
@@ -1,81 +1,4839 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package token
+package vault
 
 import (
-	"fmt"
-	"os"
+	"net/http"
 	"strings"
-	"testing"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/logical"
 )
 
-// Test is a public function that can be used in other tests to
-// test that a helper is functioning properly.
-func Test(t *testing.T, h TokenHelper) {
-	if err := h.Store("foo"); err != nil {
-		t.Fatalf("err: %s", err)
+func (b *SystemBackend) configPaths() []*framework.Path {
+	return []*framework.Path{
+		{
+			Pattern: "config/cors$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "cors",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"enable": {
+					Type:        framework.TypeBool,
+					Description: "Enables or disables CORS headers on requests.",
+				},
+				"allowed_origins": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: "A comma-separated string or array of strings indicating origins that may make cross-origin requests.",
+				},
+				"allowed_headers": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: "A comma-separated string or array of strings indicating headers that are allowed on cross-origin requests.",
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleCORSRead,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationSuffix: "configuration",
+					},
+					Summary:     "Return the current CORS settings.",
+					Description: "",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"enabled": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"allowed_origins": {
+									Type:     framework.TypeCommaStringSlice,
+									Required: false,
+								},
+								"allowed_headers": {
+									Type:     framework.TypeCommaStringSlice,
+									Required: false,
+								},
+							},
+						}},
+					},
+				},
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleCORSUpdate,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb: "configure",
+					},
+					Summary:     "Configure the CORS settings.",
+					Description: "",
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+						}},
+					},
+				},
+				logical.DeleteOperation: &framework.PathOperation{
+					Callback: b.handleCORSDelete,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "delete",
+						OperationSuffix: "configuration",
+					},
+					Summary: "Remove any CORS settings.",
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+						}},
+					},
+				},
+			},
+
+			HelpDescription: strings.TrimSpace(sysHelp["config/cors"][0]),
+			HelpSynopsis:    strings.TrimSpace(sysHelp["config/cors"][1]),
+		},
+
+		{
+			Pattern: "config/state/sanitized$",
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleConfigStateSanitized,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "read",
+						OperationSuffix: "sanitized-configuration-state",
+					},
+					Summary:     "Return a sanitized version of the Vault server configuration.",
+					Description: "The sanitized output strips configuration values in the storage, HA storage, and seals stanzas, which may contain sensitive values such as API tokens. It also removes any token or secret fields in other stanzas, such as the circonus_api_token from telemetry.",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							// response has dynamic keys
+							Fields: map[string]*framework.FieldSchema{},
+						}},
+					},
+				},
+			},
+		},
+
+		{
+			Pattern: "config/reload/(?P<subsystem>.+)",
+			Fields: map[string]*framework.FieldSchema{
+				"subsystem": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["config/reload"][0]),
+				},
+			},
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleConfigReload,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "reload",
+						OperationSuffix: "subsystem",
+					},
+					Summary:     "Reload the given subsystem",
+					Description: "",
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+						}},
+					},
+				},
+			},
+		},
+
+		{
+			Pattern: "config/ui/headers/" + framework.GenericNameRegex("header"),
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "ui-headers",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"header": {
+					Type:        framework.TypeString,
+					Description: "The name of the header.",
+				},
+				"values": {
+					Type:        framework.TypeStringSlice,
+					Description: "The values to set the header.",
+				},
+				"multivalue": {
+					Type:        framework.TypeBool,
+					Description: "Returns multiple values if true",
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleConfigUIHeadersRead,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "read",
+						OperationSuffix: "configuration",
+					},
+					Summary: "Return the given UI header's configuration",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"value": {
+									Type:        framework.TypeString,
+									Required:    false,
+									Description: "returns the first header value when `multivalue` request parameter is false",
+								},
+								"values": {
+									Type:        framework.TypeCommaStringSlice,
+									Required:    false,
+									Description: "returns all header values when `multivalue` request parameter is true",
+								},
+							},
+						}},
+					},
+				},
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleConfigUIHeadersUpdate,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb: "configure",
+					},
+					Summary: "Configure the values to be returned for the UI header.",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							// returns 200 with null `data`
+							Description: "OK",
+						}},
+					},
+				},
+				logical.DeleteOperation: &framework.PathOperation{
+					Callback: b.handleConfigUIHeadersDelete,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "delete",
+						OperationSuffix: "configuration",
+					},
+					Summary: "Remove a UI header.",
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+						}},
+					},
+				},
+			},
+
+			HelpDescription: strings.TrimSpace(sysHelp["config/ui/headers"][0]),
+			HelpSynopsis:    strings.TrimSpace(sysHelp["config/ui/headers"][1]),
+		},
+
+		{
+			Pattern: "config/ui/headers/?$",
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ListOperation: &framework.PathOperation{
+					Callback: b.handleConfigUIHeadersList,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationPrefix: "ui-headers",
+						OperationVerb:   "list",
+					},
+					Summary: "Return a list of configured UI headers.",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Fields: map[string]*framework.FieldSchema{
+								"keys": {
+									Type:        framework.TypeCommaStringSlice,
+									Description: "Lists of configured UI headers. Omitted if list is empty",
+									Required:    false,
+								},
+							},
+						}},
+					},
+				},
+			},
+
+			HelpDescription: strings.TrimSpace(sysHelp["config/ui/headers"][0]),
+			HelpSynopsis:    strings.TrimSpace(sysHelp["config/ui/headers"][1]),
+		},
+
+		{
+			Pattern: "generate-root(/attempt)?$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "root-token-generation",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"pgp_key": {
+					Type:        framework.TypeString,
+					Description: "Specifies a base64-encoded PGP public key.",
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "read",
+						OperationSuffix: "progress2|progress",
+					},
+					Summary: "Read the configuration and progress of the current root generation attempt.",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"nonce": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"started": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"progress": {
+									Type:     framework.TypeInt,
+									Required: true,
+								},
+								"required": {
+									Type:     framework.TypeInt,
+									Required: true,
+								},
+								"complete": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"encoded_token": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"encoded_root_token": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"pgp_fingerprint": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"otp": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"otp_length": {
+									Type:     framework.TypeInt,
+									Required: true,
+								},
+							},
+						}},
+					},
+				},
+				logical.UpdateOperation: &framework.PathOperation{
+					Summary: "Initializes a new root generation attempt.",
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "initialize",
+						OperationSuffix: "2|",
+					},
+					Description: "Only a single root generation attempt can take place at a time. One (and only one) of otp or pgp_key are required.",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"nonce": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"started": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"progress": {
+									Type:     framework.TypeInt,
+									Required: true,
+								},
+								"required": {
+									Type:     framework.TypeInt,
+									Required: true,
+								},
+								"complete": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"encoded_token": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"encoded_root_token": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"pgp_fingerprint": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"otp": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"otp_length": {
+									Type:     framework.TypeInt,
+									Required: true,
+								},
+							},
+						}},
+					},
+				},
+				logical.DeleteOperation: &framework.PathOperation{
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "cancel",
+						OperationSuffix: "2|",
+					},
+					Summary: "Cancels any in-progress root generation attempt.",
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["generate-root"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["generate-root"][1]),
+		},
+		{
+			Pattern: "generate-root/update$",
+			Fields: map[string]*framework.FieldSchema{
+				"key": {
+					Type:        framework.TypeString,
+					Description: "Specifies a single unseal key share.",
+				},
+				"nonce": {
+					Type:        framework.TypeString,
+					Description: "Specifies the nonce of the attempt.",
+				},
+			},
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationPrefix: "root-token-generation",
+						OperationVerb:   "update",
+					},
+					Summary:     "Enter a single unseal key share to progress the root generation attempt.",
+					Description: "If the threshold number of unseal key shares is reached, Vault will complete the root generation and issue the new token. Otherwise, this API must be called multiple times until that threshold is met. The attempt nonce must be provided with each call.",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"nonce": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"started": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"progress": {
+									Type:     framework.TypeInt,
+									Required: true,
+								},
+								"required": {
+									Type:     framework.TypeInt,
+									Required: true,
+								},
+								"complete": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"encoded_token": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"encoded_root_token": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"pgp_fingerprint": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"otp": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"otp_length": {
+									Type:     framework.TypeInt,
+									Required: true,
+								},
+							},
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["generate-root"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["generate-root"][1]),
+		},
+		{
+			Pattern: "decode-token$",
+			Fields: map[string]*framework.FieldSchema{
+				"encoded_token": {
+					Type:        framework.TypeString,
+					Description: "Specifies the encoded token (result from generate-root).",
+				},
+				"otp": {
+					Type:        framework.TypeString,
+					Description: "Specifies the otp code for decode.",
+				},
+			},
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleGenerateRootDecodeTokenUpdate,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "decode",
+						OperationSuffix: "token",
+					},
+					Summary: "Decodes the encoded token with the otp.",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{Description: "OK"}},
+					},
+				},
+			},
+		},
+
+		{
+			Pattern: "health$",
+			Fields: map[string]*framework.FieldSchema{
+				"standbyok": {
+					Type:        framework.TypeBool,
+					Description: "Specifies if being a standby should still return the active status code.",
+				},
+				"perfstandbyok": {
+					Type:        framework.TypeBool,
+					Description: "Specifies if being a performance standby should still return the active status code.",
+				},
+				"activecode": {
+					Type:        framework.TypeInt,
+					Description: "Specifies the status code for an active node.",
+				},
+				"standbycode": {
+					Type:        framework.TypeInt,
+					Description: "Specifies the status code for a standby node.",
+				},
+				"drsecondarycode": {
+					Type:        framework.TypeInt,
+					Description: "Specifies the status code for a DR secondary node.",
+				},
+				"performancestandbycode": {
+					Type:        framework.TypeInt,
+					Description: "Specifies the status code for a performance standby node.",
+				},
+				"sealedcode": {
+					Type:        framework.TypeInt,
+					Description: "Specifies the status code for a sealed node.",
+				},
+				"uninitcode": {
+					Type:        framework.TypeInt,
+					Description: "Specifies the status code for an uninitialized node.",
+				},
+			},
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "read",
+						OperationSuffix: "health-status",
+					},
+					Summary: "Returns the health status of Vault.",
+					Responses: map[int][]framework.Response{
+						200: {{Description: "initialized, unsealed, and active"}},
+						429: {{Description: "unsealed and standby"}},
+						472: {{Description: "data recovery mode replication secondary and active"}},
+						501: {{Description: "not initialized"}},
+						503: {{Description: "sealed"}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["health"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["health"][1]),
+		},
+
+		{
+			Pattern: "init$",
+			Fields: map[string]*framework.FieldSchema{
+				"pgp_keys": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: "Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as `secret_shares`.",
+				},
+				"root_token_pgp_key": {
+					Type:        framework.TypeString,
+					Description: "Specifies a PGP public key used to encrypt the initial root token. The key must be base64-encoded from its original binary representation.",
+				},
+				"secret_shares": {
+					Type:        framework.TypeInt,
+					Description: "Specifies the number of shares to split the unseal key into.",
+				},
+				"secret_threshold": {
+					Type:        framework.TypeInt,
+					Description: "Specifies the number of shares required to reconstruct the unseal key. This must be less than or equal secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as `secret_shares`.",
+				},
+				"stored_shares": {
+					Type:        framework.TypeInt,
+					Description: "Specifies the number of shares that should be encrypted by the HSM and stored for auto-unsealing. Currently must be the same as `secret_shares`.",
+				},
+				"recovery_shares": {
+					Type:        framework.TypeInt,
+					Description: "Specifies the number of shares to split the recovery key into.",
+				},
+				"recovery_threshold": {
+					Type:        framework.TypeInt,
+					Description: " Specifies the number of shares required to reconstruct the recovery key. This must be less than or equal to `recovery_shares`.",
+				},
+				"recovery_pgp_keys": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: "Specifies an array of PGP public keys used to encrypt the output recovery keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as `recovery_shares`.",
+				},
+			},
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "read",
+						OperationSuffix: "initialization-status",
+					},
+					Summary: "Returns the initialization status of Vault.",
+				},
+				logical.UpdateOperation: &framework.PathOperation{
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb: "initialize",
+					},
+					Summary:     "Initialize a new Vault.",
+					Description: "The Vault must not have been previously initialized. The recovery options, as well as the stored shares option, are only available when using Vault HSM.",
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["init"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["init"][1]),
+		},
+		{
+			Pattern: "step-down$",
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "step-down",
+						OperationSuffix: "leader",
+					},
+					Summary:     "Cause the node to give up active status.",
+					Description: "This endpoint forces the node to give up active status. If the node does not have active status, this endpoint does nothing. Note that the node will sleep for ten seconds before attempting to grab the active lock again, but if no standby nodes grab the active lock in the interim, the same node may become the active node again.",
+					Responses: map[int][]framework.Response{
+						204: {{Description: "empty body"}},
+					},
+				},
+			},
+		},
+		{
+			Pattern: "loggers$",
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "loggers",
+			},
+			Fields: map[string]*framework.FieldSchema{
+				"level": {
+					Type: framework.TypeString,
+					Description: "Log verbosity level. Supported values (in order of detail) are " +
+						"\"trace\", \"debug\", \"info\", \"warn\", and \"error\".",
+				},
+			},
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleLoggersRead,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "read",
+						OperationSuffix: "verbosity-level",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+						}},
+					},
+					Summary: "Read the log level for all existing loggers.",
+				},
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleLoggersWrite,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "update",
+						OperationSuffix: "verbosity-level",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+						}},
+					},
+					Summary: "Modify the log level for all existing loggers.",
+				},
+				logical.DeleteOperation: &framework.PathOperation{
+					Callback: b.handleLoggersDelete,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "revert",
+						OperationSuffix: "verbosity-level",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+						}},
+					},
+					Summary: "Revert the all loggers to use log level provided in config.",
+				},
+			},
+		},
+		{
+			Pattern: "loggers/" + framework.MatchAllRegex("name"),
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "loggers",
+			},
+			Fields: map[string]*framework.FieldSchema{
+				"name": {
+					Type:        framework.TypeString,
+					Description: "The name of the logger to be modified.",
+				},
+				"level": {
+					Type: framework.TypeString,
+					Description: "Log verbosity level. Supported values (in order of detail) are " +
+						"\"trace\", \"debug\", \"info\", \"warn\", and \"error\".",
+				},
+			},
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleLoggersByNameRead,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "read",
+						OperationSuffix: "verbosity-level-for",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+						}},
+					},
+					Summary: "Read the log level for a single logger.",
+				},
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleLoggersByNameWrite,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "update",
+						OperationSuffix: "verbosity-level-for",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+						}},
+					},
+					Summary: "Modify the log level of a single logger.",
+				},
+				logical.DeleteOperation: &framework.PathOperation{
+					Callback: b.handleLoggersByNameDelete,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "revert",
+						OperationSuffix: "verbosity-level-for",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+						}},
+					},
+					Summary: "Revert a single logger to use log level provided in config.",
+				},
+			},
+		},
+	}
+}
+
+func (b *SystemBackend) rekeyPaths() []*framework.Path {
+	respFields := map[string]*framework.FieldSchema{
+		"nounce": {
+			Type:     framework.TypeString,
+			Required: true,
+		},
+		"started": {
+			Type:     framework.TypeString,
+			Required: true,
+		},
+		"t": {
+			Type:     framework.TypeInt,
+			Required: true,
+		},
+		"n": {
+			Type:     framework.TypeInt,
+			Required: true,
+		},
+		"progress": {
+			Type:     framework.TypeInt,
+			Required: true,
+		},
+		"required": {
+			Type:     framework.TypeInt,
+			Required: true,
+		},
+		"verification_required": {
+			Type:     framework.TypeBool,
+			Required: true,
+		},
+		"verification_nonce": {
+			Type:     framework.TypeString,
+			Required: true,
+		},
+		"backup": {
+			Type: framework.TypeBool,
+		},
+		"pgp_fingerprints": {
+			Type: framework.TypeCommaStringSlice,
+		},
+	}
+
+	return []*framework.Path{
+		{
+			Pattern: "rekey/init",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "rekey-attempt",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"secret_shares": {
+					Type:        framework.TypeInt,
+					Description: "Specifies the number of shares to split the unseal key into.",
+				},
+				"secret_threshold": {
+					Type:        framework.TypeInt,
+					Description: "Specifies the number of shares required to reconstruct the unseal key. This must be less than or equal secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares.",
+				},
+				"pgp_keys": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: "Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as secret_shares.",
+				},
+				"backup": {
+					Type:        framework.TypeBool,
+					Description: "Specifies if using PGP-encrypted keys, whether Vault should also store a plaintext backup of the PGP-encrypted keys.",
+				},
+				"require_verification": {
+					Type:        framework.TypeBool,
+					Description: "Turns on verification functionality",
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "read",
+						OperationSuffix: "progress",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields:      respFields,
+						}},
+					},
+					Summary: "Reads the configuration and progress of the current rekey attempt.",
+				},
+				logical.UpdateOperation: &framework.PathOperation{
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb: "initialize",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields:      respFields,
+						}},
+					},
+					Summary:     "Initializes a new rekey attempt.",
+					Description: "Only a single rekey attempt can take place at a time, and changing the parameters of a rekey requires canceling and starting a new rekey, which will also provide a new nonce.",
+				},
+				logical.DeleteOperation: &framework.PathOperation{
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb: "cancel",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+						}},
+					},
+					Summary:     "Cancels any in-progress rekey.",
+					Description: "This clears the rekey settings as well as any progress made. This must be called to change the parameters of the rekey. Note: verification is still a part of a rekey. If rekeying is canceled during the verification flow, the current unseal keys remain valid.",
+				},
+			},
+		},
+		{
+			Pattern: "rekey/backup$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "rekey",
+			},
+
+			Fields: map[string]*framework.FieldSchema{},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleRekeyRetrieveBarrier,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "read",
+						OperationSuffix: "backup-key",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"nonce": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"keys": {
+									Type:     framework.TypeMap,
+									Required: true,
+								},
+								"keys_base64": {
+									Type:     framework.TypeMap,
+									Required: true,
+								},
+							},
+						}},
+					},
+					Summary: "Return the backup copy of PGP-encrypted unseal keys.",
+				},
+				logical.DeleteOperation: &framework.PathOperation{
+					Callback: b.handleRekeyDeleteBarrier,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "delete",
+						OperationSuffix: "backup-key",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+						}},
+					},
+					Summary: "Delete the backup copy of PGP-encrypted unseal keys.",
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["rekey_backup"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["rekey_backup"][0]),
+		},
+
+		{
+			Pattern: "rekey/recovery-key-backup$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "rekey",
+			},
+
+			Fields: map[string]*framework.FieldSchema{},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleRekeyRetrieveRecovery,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "read",
+						OperationSuffix: "backup-recovery-key",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"nonce": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"keys": {
+									Type:     framework.TypeMap,
+									Required: true,
+								},
+								"keys_base64": {
+									Type:     framework.TypeMap,
+									Required: true,
+								},
+							},
+						}},
+					},
+				},
+				logical.DeleteOperation: &framework.PathOperation{
+					Callback: b.handleRekeyDeleteRecovery,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "delete",
+						OperationSuffix: "backup-recovery-key",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["rekey_backup"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["rekey_backup"][0]),
+		},
+		{
+			Pattern: "rekey/update",
+
+			Fields: map[string]*framework.FieldSchema{
+				"key": {
+					Type:        framework.TypeString,
+					Description: "Specifies a single unseal key share.",
+				},
+				"nonce": {
+					Type:        framework.TypeString,
+					Description: "Specifies the nonce of the rekey attempt.",
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationPrefix: "rekey-attempt",
+						OperationVerb:   "update",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"nounce": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"complete": {
+									Type: framework.TypeBool,
+								},
+								"started": {
+									Type: framework.TypeString,
+								},
+								"t": {
+									Type: framework.TypeInt,
+								},
+								"n": {
+									Type: framework.TypeInt,
+								},
+								"progress": {
+									Type: framework.TypeInt,
+								},
+								"required": {
+									Type: framework.TypeInt,
+								},
+								"keys": {
+									Type: framework.TypeCommaStringSlice,
+								},
+								"keys_base64": {
+									Type: framework.TypeCommaStringSlice,
+								},
+								"verification_required": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"verification_nonce": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"backup": {
+									Type: framework.TypeBool,
+								},
+								"pgp_fingerprints": {
+									Type: framework.TypeCommaStringSlice,
+								},
+							},
+						}},
+					},
+					Summary: "Enter a single unseal key share to progress the rekey of the Vault.",
+				},
+			},
+		},
+		{
+			Pattern: "rekey/verify",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "rekey-verification",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"key": {
+					Type:        framework.TypeString,
+					Description: "Specifies a single unseal share key from the new set of shares.",
+				},
+				"nonce": {
+					Type:        framework.TypeString,
+					Description: "Specifies the nonce of the rekey verification operation.",
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "read",
+						OperationSuffix: "progress",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"nounce": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"started": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"t": {
+									Type:     framework.TypeInt,
+									Required: true,
+								},
+								"n": {
+									Type:     framework.TypeInt,
+									Required: true,
+								},
+								"progress": {
+									Type:     framework.TypeInt,
+									Required: true,
+								},
+							},
+						}},
+					},
+					Summary: "Read the configuration and progress of the current rekey verification attempt.",
+				},
+				logical.DeleteOperation: &framework.PathOperation{
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb: "cancel",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"nounce": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"started": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"t": {
+									Type:     framework.TypeInt,
+									Required: true,
+								},
+								"n": {
+									Type:     framework.TypeInt,
+									Required: true,
+								},
+								"progress": {
+									Type:     framework.TypeInt,
+									Required: true,
+								},
+							},
+						}},
+					},
+					Summary:     "Cancel any in-progress rekey verification operation.",
+					Description: "This clears any progress made and resets the nonce. Unlike a `DELETE` against `sys/rekey/init`, this only resets the current verification operation, not the entire rekey atttempt.",
+				},
+				logical.UpdateOperation: &framework.PathOperation{
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb: "update",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"nounce": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"complete": {
+									Type: framework.TypeBool,
+								},
+							},
+						}},
+					},
+					Summary: "Enter a single new key share to progress the rekey verification operation.",
+				},
+			},
+		},
+
+		{
+			Pattern: "seal$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationVerb: "seal",
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Summary: "Seal the Vault.",
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+						}},
+					},
+				},
+			},
+			HelpSynopsis:    strings.TrimSpace(sysHelp["seal"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["seal"][1]),
+		},
+
+		{
+			Pattern: "unseal$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationVerb: "unseal",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"key": {
+					Type:        framework.TypeString,
+					Description: "Specifies a single unseal key share. This is required unless reset is true.",
+				},
+				"reset": {
+					Type:        framework.TypeBool,
+					Description: "Specifies if previously-provided unseal keys are discarded and the unseal process is reset.",
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Summary: "Unseal the Vault.",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							// unseal returns `vault.SealStatusResponse` struct
+							Fields: map[string]*framework.FieldSchema{
+								"type": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"initialized": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"sealed": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"t": {
+									Type:     framework.TypeInt,
+									Required: true,
+								},
+								"n": {
+									Type:     framework.TypeInt,
+									Required: true,
+								},
+								"progress": {
+									Type:     framework.TypeInt,
+									Required: true,
+								},
+								"nonce": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"version": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"build_date": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"migration": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"cluster_name": {
+									Type:     framework.TypeString,
+									Required: false,
+								},
+								"cluster_id": {
+									Type:     framework.TypeString,
+									Required: false,
+								},
+								"recovery_seal": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"storage_type": {
+									Type:     framework.TypeString,
+									Required: false,
+								},
+								"hcp_link_status": {
+									Type:     framework.TypeString,
+									Required: false,
+								},
+								"hcp_link_resource_ID": {
+									Type:     framework.TypeString,
+									Required: false,
+								},
+							},
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["unseal"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["unseal"][1]),
+		},
+	}
+}
+
+func (b *SystemBackend) statusPaths() []*framework.Path {
+	return []*framework.Path{
+		{
+			Pattern: "leader$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "leader",
+				OperationVerb:   "status",
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleLeaderStatus,
+					Summary:  "Returns the high availability status and current leader instance of Vault.",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							// returns `vault.LeaderResponse` struct
+							Fields: map[string]*framework.FieldSchema{
+								"ha_enabled": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"is_self": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"active_time": {
+									Type: framework.TypeTime,
+									// active_time has 'omitempty' tag, but its not a pointer so never "empty"
+									Required: true,
+								},
+								"leader_address": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"leader_cluster_address": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"performance_standby": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"performance_standby_last_remote_wal": {
+									Type:     framework.TypeInt64,
+									Required: true,
+								},
+								"last_wal": {
+									Type:     framework.TypeInt64,
+									Required: false,
+								},
+								"raft_committed_index": {
+									Type:     framework.TypeInt64,
+									Required: false,
+								},
+								"raft_applied_index": {
+									Type:     framework.TypeInt64,
+									Required: false,
+								},
+							},
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis: "Check the high availability status and current leader of Vault",
+		},
+		{
+			Pattern: "seal-status$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "seal",
+				OperationVerb:   "status",
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleSealStatus,
+					Summary:  "Check the seal status of a Vault.",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							// unseal returns `vault.SealStatusResponse` struct
+							Fields: map[string]*framework.FieldSchema{
+								"type": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"initialized": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"sealed": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"t": {
+									Type:     framework.TypeInt,
+									Required: true,
+								},
+								"n": {
+									Type:     framework.TypeInt,
+									Required: true,
+								},
+								"progress": {
+									Type:     framework.TypeInt,
+									Required: true,
+								},
+								"nonce": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"version": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"build_date": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"migration": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"cluster_name": {
+									Type:     framework.TypeString,
+									Required: false,
+								},
+								"cluster_id": {
+									Type:     framework.TypeString,
+									Required: false,
+								},
+								"recovery_seal": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"storage_type": {
+									Type:     framework.TypeString,
+									Required: false,
+								},
+								"hcp_link_status": {
+									Type:     framework.TypeString,
+									Required: false,
+								},
+								"hcp_link_resource_ID": {
+									Type:     framework.TypeString,
+									Required: false,
+								},
+							},
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["seal-status"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["seal-status"][1]),
+		},
+		{
+			Pattern: "ha-status$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "ha",
+				OperationVerb:   "status",
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleHAStatus,
+					Summary:  "Check the HA status of a Vault cluster",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"nodes": {
+									Type:     framework.TypeSlice,
+									Required: true,
+								},
+							},
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["ha-status"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["ha-status"][1]),
+		},
+		{
+			Pattern: "version-history/?$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationVerb: "version-history",
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ListOperation: &framework.PathOperation{
+					Callback: b.handleVersionHistoryList,
+					Summary:  "Returns map of historical version change entries",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"keys": {
+									Type:     framework.TypeCommaStringSlice,
+									Required: true,
+								},
+								"key_info": {
+									Type:     framework.TypeKVPairs,
+									Required: true,
+								},
+							},
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["version-history"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["version-history"][1]),
+		},
+	}
+}
+
+func (b *SystemBackend) auditHashPath() *framework.Path {
+	return &framework.Path{
+		Pattern: "audit-hash/(?P<path>.+)",
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: "auditing",
+			OperationVerb:   "calculate",
+			OperationSuffix: "hash",
+		},
+
+		Fields: map[string]*framework.FieldSchema{
+			"path": {
+				Type:        framework.TypeString,
+				Description: strings.TrimSpace(sysHelp["audit_path"][0]),
+			},
+
+			"input": {
+				Type: framework.TypeString,
+			},
+		},
+
+		Operations: map[logical.Operation]framework.OperationHandler{
+			logical.UpdateOperation: &framework.PathOperation{
+				Callback: b.handleAuditHash,
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: "OK",
+						Fields: map[string]*framework.FieldSchema{
+							"hash": {
+								Type:     framework.TypeString,
+								Required: true,
+							},
+						},
+					}},
+				},
+			},
+		},
+
+		HelpSynopsis:    strings.TrimSpace(sysHelp["audit-hash"][0]),
+		HelpDescription: strings.TrimSpace(sysHelp["audit-hash"][1]),
+	}
+}
+
+func (b *SystemBackend) auditPaths() []*framework.Path {
+	return []*framework.Path{
+		b.auditHashPath(),
+
+		{
+			Pattern: "audit$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "auditing",
+				OperationVerb:   "list",
+				OperationSuffix: "enabled-devices",
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleAuditTable,
+					Summary:  "List the enabled audit devices.",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							// this response has dynamic keys
+							Description: "OK",
+							Fields:      nil,
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["audit-table"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["audit-table"][1]),
+		},
+
+		{
+			Pattern: "audit/(?P<path>.+)",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "auditing",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"path": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["audit_path"][0]),
+				},
+				"type": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["audit_type"][0]),
+				},
+				"description": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["audit_desc"][0]),
+				},
+				"options": {
+					Type:        framework.TypeKVPairs,
+					Description: strings.TrimSpace(sysHelp["audit_opts"][0]),
+				},
+				"local": {
+					Type:        framework.TypeBool,
+					Default:     false,
+					Description: strings.TrimSpace(sysHelp["mount_local"][0]),
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleEnableAudit,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "enable",
+						OperationSuffix: "device",
+					},
+					Summary: "Enable a new audit device at the supplied path.",
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+						}},
+					},
+				},
+				logical.DeleteOperation: &framework.PathOperation{
+					Callback: b.handleDisableAudit,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "disable",
+						OperationSuffix: "device",
+					},
+					Summary: "Disable the audit device at the given path.",
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["audit"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["audit"][1]),
+		},
+
+		{
+			Pattern: "config/auditing/request-headers/(?P<header>.+)",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "auditing",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"header": {
+					Type: framework.TypeString,
+				},
+				"hmac": {
+					Type: framework.TypeBool,
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleAuditedHeaderUpdate,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "enable",
+						OperationSuffix: "request-header",
+					},
+					Summary: "Enable auditing of a header.",
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+						}},
+					},
+				},
+				logical.DeleteOperation: &framework.PathOperation{
+					Callback: b.handleAuditedHeaderDelete,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "disable",
+						OperationSuffix: "request-header",
+					},
+					Summary: "Disable auditing of the given request header.",
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+						}},
+					},
+				},
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleAuditedHeaderRead,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "read",
+						OperationSuffix: "request-header-information",
+					},
+					Summary: "List the information for the given request header.",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							// the response keys are dynamic
+							Fields: nil,
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["audited-headers-name"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["audited-headers-name"][1]),
+		},
+
+		{
+			Pattern: "config/auditing/request-headers$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "auditing",
+				OperationVerb:   "list",
+				OperationSuffix: "request-headers",
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleAuditedHeadersRead,
+					Summary:  "List the request headers that are configured to be audited.",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"headers": {
+									Type:     framework.TypeMap,
+									Required: true,
+								},
+							},
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["audited-headers"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["audited-headers"][1]),
+		},
+	}
+}
+
+func (b *SystemBackend) sealPaths() []*framework.Path {
+	return []*framework.Path{
+		{
+			Pattern: "key-status$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "encryption-key",
+				OperationVerb:   "status",
+			},
+
+			Callbacks: map[logical.Operation]framework.OperationFunc{
+				logical.ReadOperation: b.handleKeyStatus,
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["key-status"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["key-status"][1]),
+		},
+
+		{
+			Pattern: "rotate/config$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "encryption-key",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"enabled": {
+					Type:        framework.TypeBool,
+					Description: strings.TrimSpace(sysHelp["rotation-enabled"][0]),
+				},
+				"max_operations": {
+					Type:        framework.TypeInt64,
+					Description: strings.TrimSpace(sysHelp["rotation-max-operations"][0]),
+				},
+				"interval": {
+					Type:        framework.TypeDurationSecond,
+					Description: strings.TrimSpace(sysHelp["rotation-interval"][0]),
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleKeyRotationConfigRead,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "read",
+						OperationSuffix: "rotation-configuration",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"max_operations": {
+									Type:     framework.TypeInt64,
+									Required: true,
+								},
+								"enabled": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"interval": {
+									Type:     framework.TypeDurationSecond,
+									Required: true,
+								},
+							},
+						}},
+					},
+				},
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleKeyRotationConfigUpdate,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "configure",
+						OperationSuffix: "rotation",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+						}},
+					},
+					ForwardPerformanceSecondary: true,
+					ForwardPerformanceStandby:   true,
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["rotate-config"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["rotate-config"][1]),
+		},
+
+		{
+			Pattern: "rotate$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "encryption-key",
+				OperationVerb:   "rotate",
+			},
+
+			Callbacks: map[logical.Operation]framework.OperationFunc{
+				logical.UpdateOperation: b.handleRotate,
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleRotate,
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["rotate"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["rotate"][1]),
+		},
+	}
+}
+
+func (b *SystemBackend) pluginsCatalogCRUDPath() *framework.Path {
+	return &framework.Path{
+		Pattern: "plugins/catalog(/(?P<type>auth|database|secret))?/(?P<name>.+)",
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: "plugins-catalog",
+		},
+
+		Fields: map[string]*framework.FieldSchema{
+			"name": {
+				Type:        framework.TypeString,
+				Description: strings.TrimSpace(sysHelp["plugin-catalog_name"][0]),
+			},
+			"type": {
+				Type:        framework.TypeString,
+				Description: strings.TrimSpace(sysHelp["plugin-catalog_type"][0]),
+			},
+			"sha256": {
+				Type:        framework.TypeString,
+				Description: strings.TrimSpace(sysHelp["plugin-catalog_sha-256"][0]),
+			},
+			"sha_256": {
+				Type:        framework.TypeString,
+				Description: strings.TrimSpace(sysHelp["plugin-catalog_sha-256"][0]),
+			},
+			"oci_image": {
+				Type:        framework.TypeString,
+				Description: strings.TrimSpace(sysHelp["plugin-catalog_oci-image"][0]),
+			},
+			"runtime": {
+				Type:        framework.TypeString,
+				Description: strings.TrimSpace(sysHelp["plugin-catalog_runtime"][0]),
+			},
+			"command": {
+				Type:        framework.TypeString,
+				Description: strings.TrimSpace(sysHelp["plugin-catalog_command"][0]),
+			},
+			"args": {
+				Type:        framework.TypeStringSlice,
+				Description: strings.TrimSpace(sysHelp["plugin-catalog_args"][0]),
+			},
+			"env": {
+				Type:        framework.TypeStringSlice,
+				Description: strings.TrimSpace(sysHelp["plugin-catalog_env"][0]),
+			},
+			"version": {
+				Type:        framework.TypeString,
+				Description: strings.TrimSpace(sysHelp["plugin-catalog_version"][0]),
+			},
+		},
+
+		Operations: map[logical.Operation]framework.OperationHandler{
+			logical.UpdateOperation: &framework.PathOperation{
+				Callback: b.handlePluginCatalogUpdate,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationVerb:   "register",
+					OperationSuffix: "plugin|plugin-with-type|plugin-with-type-and-name",
+				},
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: "OK",
+					}},
+				},
+				Summary: "Register a new plugin, or updates an existing one with the supplied name.",
+			},
+			logical.DeleteOperation: &framework.PathOperation{
+				Callback: b.handlePluginCatalogDelete,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationVerb:   "remove",
+					OperationSuffix: "plugin|plugin-with-type|plugin-with-type-and-name",
+				},
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: "OK",
+						Fields:      map[string]*framework.FieldSchema{},
+					}},
+				},
+				Summary: "Remove the plugin with the given name.",
+			},
+			logical.ReadOperation: &framework.PathOperation{
+				Callback: b.handlePluginCatalogRead,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationVerb:   "read",
+					OperationSuffix: "plugin-configuration|plugin-configuration-with-type|plugin-configuration-with-type-and-name",
+				},
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: "OK",
+						Fields: map[string]*framework.FieldSchema{
+							"name": {
+								Type:        framework.TypeString,
+								Description: strings.TrimSpace(sysHelp["plugin-catalog_name"][0]),
+								Required:    true,
+							},
+							"sha256": {
+								Type:        framework.TypeString,
+								Description: strings.TrimSpace(sysHelp["plugin-catalog_sha-256"][0]),
+								Required:    true,
+							},
+							"oci_image": {
+								Type:        framework.TypeString,
+								Description: strings.TrimSpace(sysHelp["plugin-catalog_oci-image"][0]),
+							},
+							"runtime": {
+								Type:        framework.TypeString,
+								Description: strings.TrimSpace(sysHelp["plugin-catalog_runtime"][0]),
+							},
+							"command": {
+								Type:        framework.TypeString,
+								Description: strings.TrimSpace(sysHelp["plugin-catalog_command"][0]),
+								Required:    true,
+							},
+							"args": {
+								Type:        framework.TypeStringSlice,
+								Description: strings.TrimSpace(sysHelp["plugin-catalog_args"][0]),
+								Required:    true,
+							},
+							"version": {
+								Type:        framework.TypeString,
+								Description: strings.TrimSpace(sysHelp["plugin-catalog_version"][0]),
+								Required:    true,
+							},
+							"builtin": {
+								Type:     framework.TypeBool,
+								Required: true,
+							},
+							"deprecation_status": {
+								Type:     framework.TypeString,
+								Required: false,
+							},
+						},
+					}},
+				},
+				Summary: "Return the configuration data for the plugin with the given name.",
+			},
+		},
+
+		HelpSynopsis:    strings.TrimSpace(sysHelp["plugin-catalog"][0]),
+		HelpDescription: strings.TrimSpace(sysHelp["plugin-catalog"][1]),
+	}
+}
+
+func (b *SystemBackend) pluginsCatalogListPaths() []*framework.Path {
+	return []*framework.Path{
+		{
+			Pattern: "plugins/catalog/(?P<type>auth|database|secret)/?$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "plugins-catalog",
+				OperationVerb:   "list",
+				OperationSuffix: "plugins-with-type",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"type": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["plugin-catalog_type"][0]),
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ListOperation: &framework.PathOperation{
+					Callback: b.handlePluginCatalogTypedList,
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"keys": {
+									Type:        framework.TypeStringSlice,
+									Description: "List of plugin names in the catalog",
+									Required:    true,
+								},
+							},
+						}},
+					},
+					Summary: "List the plugins in the catalog.",
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["plugin-catalog"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["plugin-catalog"][1]),
+		},
+		{
+			Pattern: "plugins/catalog/?$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "plugins-catalog",
+				OperationVerb:   "list",
+				OperationSuffix: "plugins",
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handlePluginCatalogUntypedList,
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"detailed": {
+									Type:     framework.TypeMap,
+									Required: false,
+								},
+							},
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["plugin-catalog-list-all"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["plugin-catalog-list-all"][1]),
+		},
+	}
+}
+
+func (b *SystemBackend) pluginsReloadPath() *framework.Path {
+	return &framework.Path{
+		Pattern: "plugins/reload/backend$",
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: "plugins",
+			OperationVerb:   "reload",
+			OperationSuffix: "backends",
+		},
+
+		Fields: map[string]*framework.FieldSchema{
+			"plugin": {
+				Type:        framework.TypeString,
+				Description: strings.TrimSpace(sysHelp["plugin-backend-reload-plugin"][0]),
+			},
+			"mounts": {
+				Type:        framework.TypeCommaStringSlice,
+				Description: strings.TrimSpace(sysHelp["plugin-backend-reload-mounts"][0]),
+			},
+			"scope": {
+				Type:        framework.TypeString,
+				Description: strings.TrimSpace(sysHelp["plugin-backend-reload-scope"][0]),
+			},
+		},
+
+		Operations: map[logical.Operation]framework.OperationHandler{
+			logical.UpdateOperation: &framework.PathOperation{
+				Callback: b.handlePluginReloadUpdate,
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: "OK",
+						Fields: map[string]*framework.FieldSchema{
+							"reload_id": {
+								Type:     framework.TypeString,
+								Required: true,
+							},
+						},
+					}},
+					http.StatusAccepted: {{
+						Description: "OK",
+						Fields: map[string]*framework.FieldSchema{
+							"reload_id": {
+								Type:     framework.TypeString,
+								Required: true,
+							},
+						},
+					}},
+				},
+				Summary:     "Reload mounted plugin backends.",
+				Description: "Either the plugin name (`plugin`) or the desired plugin backend mounts (`mounts`) must be provided, but not both. In the case that the plugin name is provided, all mounted paths that use that plugin backend will be reloaded.  If (`scope`) is provided and is (`global`), the plugin(s) are reloaded globally.",
+			},
+		},
+
+		HelpSynopsis:    strings.TrimSpace(sysHelp["plugin-reload"][0]),
+		HelpDescription: strings.TrimSpace(sysHelp["plugin-reload"][1]),
+	}
+}
+
+func (b *SystemBackend) pluginsRuntimesCatalogCRUDPath() *framework.Path {
+	return &framework.Path{
+		Pattern: "plugins/runtimes/catalog/(?P<type>container)/" + framework.GenericNameRegex("name"),
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: "plugins-runtimes-catalog",
+		},
+
+		Fields: map[string]*framework.FieldSchema{
+			"name": {
+				Type:        framework.TypeString,
+				Description: strings.TrimSpace(sysHelp["plugin-runtime-catalog_name"][0]),
+			},
+			"type": {
+				Type:        framework.TypeString,
+				Description: strings.TrimSpace(sysHelp["plugin-runtime-catalog_type"][0]),
+			},
+			"oci_runtime": {
+				Type:        framework.TypeString,
+				Description: strings.TrimSpace(sysHelp["plugin-runtime-catalog_oci-runtime"][0]),
+			},
+			"cgroup_parent": {
+				Type:        framework.TypeString,
+				Description: strings.TrimSpace(sysHelp["plugin-runtime-catalog_cgroup-parent"][0]),
+			},
+			"cpu_nanos": {
+				Type:        framework.TypeInt64,
+				Description: strings.TrimSpace(sysHelp["plugin-runtime-catalog_cpu-nanos"][0]),
+			},
+			"memory_bytes": {
+				Type:        framework.TypeInt64,
+				Description: strings.TrimSpace(sysHelp["plugin-runtime-catalog_memory-bytes"][0]),
+			},
+			"rootless": {
+				Type:        framework.TypeBool,
+				Description: strings.TrimSpace(sysHelp["plugin-runtime-catalog_rootless"][0]),
+			},
+		},
+
+		Operations: map[logical.Operation]framework.OperationHandler{
+			logical.UpdateOperation: &framework.PathOperation{
+				Callback: b.handlePluginRuntimeCatalogUpdate,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationVerb:   "register",
+					OperationSuffix: "plugin-runtime|plugin-runtime-with-type|plugin-runtime-with-type-and-name", // TODO
+				},
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: "OK",
+					}},
+				},
+				Summary: "Register a new plugin runtime, or updates an existing one with the supplied name.",
+			},
+			logical.DeleteOperation: &framework.PathOperation{
+				Callback: b.handlePluginRuntimeCatalogDelete,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationVerb:   "remove",
+					OperationSuffix: "plugin-runtime|plugin-runtime-with-type|plugin-runtime-with-type-and-name", // TODO
+				},
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: "OK",
+					}},
+				},
+				Summary: "Remove the plugin runtime with the given name.",
+			},
+			logical.ReadOperation: &framework.PathOperation{
+				Callback: b.handlePluginRuntimeCatalogRead,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationVerb:   "read",
+					OperationSuffix: "plugin-runtime-configuration|plugin-runtime-configuration-with-type|plugin-runtime-configuration-with-type-and-name",
+				},
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: "OK",
+						Fields: map[string]*framework.FieldSchema{
+							"name": {
+								Type:        framework.TypeString,
+								Description: strings.TrimSpace(sysHelp["plugin-runtime-catalog_name"][0]),
+								Required:    true,
+							},
+							"type": {
+								Type:        framework.TypeString,
+								Description: strings.TrimSpace(sysHelp["plugin-runtime-catalog_type"][0]),
+								Required:    true,
+							},
+							"oci_runtime": {
+								Type:        framework.TypeString,
+								Description: strings.TrimSpace(sysHelp["plugin-runtime-catalog_oci-runtime"][0]),
+								Required:    true,
+							},
+							"cgroup_parent": {
+								Type:        framework.TypeString,
+								Description: strings.TrimSpace(sysHelp["plugin-runtime-catalog_cgroup-parent"][0]),
+								Required:    true,
+							},
+							"cpu_nanos": {
+								Type:        framework.TypeInt64,
+								Description: strings.TrimSpace(sysHelp["plugin-runtime-catalog_cpu-nanos"][0]),
+								Required:    true,
+							},
+							"memory_bytes": {
+								Type:        framework.TypeInt64,
+								Description: strings.TrimSpace(sysHelp["plugin-runtime-catalog_memory-bytes"][0]),
+								Required:    true,
+							},
+							"rootless": {
+								Type:        framework.TypeBool,
+								Description: strings.TrimSpace(sysHelp["plugin-runtime-catalog_rootless"][0]),
+								Required:    true,
+							},
+						},
+					}},
+				},
+				Summary: "Return the configuration data for the plugin runtime with the given name.",
+			},
+		},
+
+		HelpSynopsis:    strings.TrimSpace(sysHelp["plugin-runtime-catalog"][0]),
+		HelpDescription: strings.TrimSpace(sysHelp["plugin-runtime-catalog"][1]),
+	}
+}
+
+func (b *SystemBackend) pluginsRuntimesCatalogListPaths() []*framework.Path {
+	handler := &framework.PathOperation{
+		Callback: b.handlePluginRuntimeCatalogList,
+		Responses: map[int][]framework.Response{
+			http.StatusOK: {{
+				Description: "OK",
+				Fields: map[string]*framework.FieldSchema{
+					"runtimes": {
+						Type:        framework.TypeSlice,
+						Description: "List of all plugin runtimes in the catalog",
+						Required:    true,
+					},
+				},
+			}},
+		},
+	}
+	return []*framework.Path{
+		{
+			Pattern: "plugins/runtimes/catalog/?$",
+
+			Fields: map[string]*framework.FieldSchema{
+				"type": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["plugin-runtime-catalog_type"][0]),
+				},
+			},
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "plugins-runtimes-catalog",
+				OperationVerb:   "list",
+				OperationSuffix: "plugins-runtimes",
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: handler,
+				logical.ListOperation: handler,
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["plugin-runtime-catalog-list-all"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["plugin-runtime-catalog-list-all"][1]),
+		},
+	}
+}
+
+func (b *SystemBackend) toolsPaths() []*framework.Path {
+	return []*framework.Path{
+		{
+			Pattern: "tools/hash" + framework.OptionalParamRegex("urlalgorithm"),
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationVerb:   "generate",
+				OperationSuffix: "hash|hash-with-algorithm",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"input": {
+					Type:        framework.TypeString,
+					Description: "The base64-encoded input data",
+				},
+
+				"algorithm": {
+					Type:    framework.TypeString,
+					Default: "sha2-256",
+					Description: `Algorithm to use (POST body parameter). Valid values are:
+
+			* sha2-224
+			* sha2-256
+			* sha2-384
+			* sha2-512
+
+			Defaults to "sha2-256".`,
+				},
+
+				"urlalgorithm": {
+					Type:        framework.TypeString,
+					Description: `Algorithm to use (POST URL parameter)`,
+				},
+
+				"format": {
+					Type:        framework.TypeString,
+					Default:     "hex",
+					Description: `Encoding format to use. Can be "hex" or "base64". Defaults to "hex".`,
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.pathHashWrite,
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"sum": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+							},
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["hash"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["hash"][1]),
+		},
+
+		{
+			Pattern: "tools/random(/" + framework.GenericNameRegex("source") + ")?" + framework.OptionalParamRegex("urlbytes"),
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationVerb:   "generate",
+				OperationSuffix: "random|random-with-source|random-with-bytes|random-with-source-and-bytes",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"urlbytes": {
+					Type:        framework.TypeString,
+					Description: "The number of bytes to generate (POST URL parameter)",
+				},
+
+				"bytes": {
+					Type:        framework.TypeInt,
+					Default:     32,
+					Description: "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).",
+				},
+
+				"format": {
+					Type:        framework.TypeString,
+					Default:     "base64",
+					Description: `Encoding format to use. Can be "hex" or "base64". Defaults to "base64".`,
+				},
+
+				"source": {
+					Type:        framework.TypeString,
+					Default:     "platform",
+					Description: `Which system to source random data from, ether "platform", "seal", or "all".`,
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.pathRandomWrite,
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"random_bytes": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+							},
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["random"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["random"][1]),
+		},
+	}
+}
+
+func (b *SystemBackend) internalPaths() []*framework.Path {
+	return []*framework.Path{
+		{
+			Pattern: "internal/specs/openapi",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "internal",
+				OperationVerb:   "generate",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"context": {
+					Type:        framework.TypeString,
+					Description: "Context string appended to every operationId",
+					Query:       true,
+				},
+				"generic_mount_paths": {
+					Type:        framework.TypeBool,
+					Description: "Use generic mount paths",
+					Query:       true,
+					Default:     false,
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.pathInternalOpenAPI,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationSuffix: "open-api-document",
+					},
+				},
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.pathInternalOpenAPI,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationSuffix: "open-api-document-with-parameters",
+					},
+				},
+			},
+
+			HelpSynopsis: "Generate an OpenAPI 3 document of all mounted paths.",
+		},
+		{
+			Pattern: "internal/ui/feature-flags",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "internal-ui",
+				OperationVerb:   "list",
+				OperationSuffix: "enabled-feature-flags",
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					// callback is absent because this is an unauthenticated method
+					Summary: "Lists enabled feature flags.",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"feature_flags": {
+									Type:     framework.TypeCommaStringSlice,
+									Required: true,
+								},
+							},
+						}},
+					},
+				},
+			},
+			HelpSynopsis:    strings.TrimSpace(sysHelp["internal-ui-feature-flags"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["internal-ui-feature-flags"][1]),
+		},
+		{
+			Pattern: "internal/ui/mounts",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "internal-ui",
+				OperationVerb:   "list",
+				OperationSuffix: "enabled-visible-mounts",
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.pathInternalUIMountsRead,
+					Summary:  "Lists all enabled and visible auth and secrets mounts.",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"secret": {
+									Description: "secret mounts",
+									Type:        framework.TypeMap,
+									Required:    true,
+								},
+								"auth": {
+									Description: "auth mounts",
+									Type:        framework.TypeMap,
+									Required:    true,
+								},
+							},
+						}},
+					},
+				},
+			},
+			HelpSynopsis:    strings.TrimSpace(sysHelp["internal-ui-mounts"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["internal-ui-mounts"][1]),
+		},
+		{
+			Pattern: "internal/ui/mounts/(?P<path>.+)",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "internal-ui",
+				OperationVerb:   "read",
+				OperationSuffix: "mount-information",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"path": {
+					Type:        framework.TypeString,
+					Description: "The path of the mount.",
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.pathInternalUIMountRead,
+					Summary:  "Return information about the given mount.",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"type": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"description": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"accessor": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"local": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"seal_wrap": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"external_entropy_access": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"options": {
+									Type:     framework.TypeMap,
+									Required: true,
+								},
+								"uuid": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"plugin_version": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"running_plugin_version": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"running_sha256": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"path": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"config": {
+									Type:     framework.TypeMap,
+									Required: true,
+								},
+							},
+						}},
+					},
+				},
+			},
+			HelpSynopsis:    strings.TrimSpace(sysHelp["internal-ui-mounts"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["internal-ui-mounts"][1]),
+		},
+		{
+			Pattern: "internal/ui/namespaces",
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "internal-ui",
+				OperationVerb:   "list",
+				OperationSuffix: "namespaces",
+			},
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: pathInternalUINamespacesRead(b),
+					Summary:  "Backwards compatibility is not guaranteed for this API",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"keys": {
+									Type:        framework.TypeCommaStringSlice,
+									Description: "field is only returned if there are one or more namespaces",
+								},
+							},
+						}},
+					},
+				},
+			},
+			HelpSynopsis:    strings.TrimSpace(sysHelp["internal-ui-namespaces"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["internal-ui-namespaces"][1]),
+		},
+		{
+			Pattern: "internal/ui/resultant-acl",
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "internal-ui",
+				OperationVerb:   "read",
+				OperationSuffix: "resultant-acl",
+			},
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.pathInternalUIResultantACL,
+					Summary:  "Backwards compatibility is not guaranteed for this API",
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "empty response returned if no client token",
+							Fields:      nil,
+						}},
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"root": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"exact_paths": {
+									Type:     framework.TypeMap,
+									Required: false,
+								},
+								"glob_paths": {
+									Type:     framework.TypeMap,
+									Required: false,
+								},
+								"chroot_namespace": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+							},
+						}},
+					},
+				},
+			},
+			HelpSynopsis:    strings.TrimSpace(sysHelp["internal-ui-resultant-acl"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["internal-ui-resultant-acl"][1]),
+		},
+		{
+			Pattern: "internal/ui/version",
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "internal-ui",
+				OperationVerb:   "read",
+				OperationSuffix: "version",
+			},
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.pathInternalUIVersion,
+					Summary:  "Backwards compatibility is not guaranteed for this API",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"version": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+							},
+						}},
+					},
+				},
+			},
+		},
+		{
+			Pattern: "internal/counters/requests",
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "internal",
+				OperationVerb:   "count",
+				OperationSuffix: "requests",
+			},
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback:   b.pathInternalCountersRequests,
+					Deprecated: true,
+					Summary:    "Backwards compatibility is not guaranteed for this API",
+				},
+			},
+			HelpSynopsis:    strings.TrimSpace(sysHelp["internal-counters-requests"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["internal-counters-requests"][1]),
+		},
+		{
+			Pattern: "internal/counters/tokens",
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "internal",
+				OperationVerb:   "count",
+				OperationSuffix: "tokens",
+			},
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.pathInternalCountersTokens,
+					Summary:  "Backwards compatibility is not guaranteed for this API",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"counters": {
+									Type:     framework.TypeMap,
+									Required: true,
+								},
+							},
+						}},
+					},
+				},
+			},
+			HelpSynopsis:    strings.TrimSpace(sysHelp["internal-counters-tokens"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["internal-counters-tokens"][1]),
+		},
+		{
+			Pattern: "internal/counters/entities",
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "internal",
+				OperationVerb:   "count",
+				OperationSuffix: "entities",
+			},
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.pathInternalCountersEntities,
+					Summary:  "Backwards compatibility is not guaranteed for this API",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"counters": {
+									Type:     framework.TypeMap,
+									Required: true,
+								},
+							},
+						}},
+					},
+				},
+			},
+			HelpSynopsis:    strings.TrimSpace(sysHelp["internal-counters-entities"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["internal-counters-entities"][1]),
+		},
 	}
+}
 
-	v, err := h.Get()
-	if err != nil {
-		t.Fatalf("err: %s", err)
+func (b *SystemBackend) introspectionPaths() []*framework.Path {
+	return []*framework.Path{
+		{
+			Pattern: "internal/inspect/router/" + framework.GenericNameRegex("tag"),
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "internal",
+				OperationVerb:   "inspect",
+				OperationSuffix: "router",
+			},
+			Fields: map[string]*framework.FieldSchema{
+				"tag": {
+					Type:        framework.TypeString,
+					Description: "Name of subtree being observed",
+				},
+			},
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.pathInternalInspectRouter,
+					Summary:  "Expose the route entry and mount entry tables present in the router",
+				},
+			},
+			HelpSynopsis:    strings.TrimSpace(sysHelp["internal-inspect-router"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["internal-inspect-router"][1]),
+		},
 	}
+}
+
+func (b *SystemBackend) capabilitiesPaths() []*framework.Path {
+	return []*framework.Path{
+		{
+			Pattern: "capabilities-accessor$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationVerb:   "query",
+				OperationSuffix: "token-accessor-capabilities",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"accessor": {
+					Type:        framework.TypeString,
+					Description: "Accessor of the token for which capabilities are being queried.",
+				},
+				"path": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: "Use 'paths' instead.",
+					Deprecated:  true,
+				},
+				"paths": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: "Paths on which capabilities are being queried.",
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleCapabilitiesAccessor,
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							// response keys are dynamic
+							Fields: nil,
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["capabilities_accessor"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["capabilities_accessor"][1]),
+		},
+
+		{
+			Pattern: "capabilities$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationVerb:   "query",
+				OperationSuffix: "token-capabilities",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"token": {
+					Type:        framework.TypeString,
+					Description: "Token for which capabilities are being queried.",
+				},
+				"path": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: "Use 'paths' instead.",
+					Deprecated:  true,
+				},
+				"paths": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: "Paths on which capabilities are being queried.",
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleCapabilities,
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							// response keys are dynamic
+							Fields: nil,
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["capabilities"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["capabilities"][1]),
+		},
+
+		{
+			Pattern: "capabilities-self$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationVerb:   "query",
+				OperationSuffix: "token-self-capabilities",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"token": {
+					Type:        framework.TypeString,
+					Description: "Token for which capabilities are being queried.",
+				},
+				"path": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: "Use 'paths' instead.",
+					Deprecated:  true,
+				},
+				"paths": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: "Paths on which capabilities are being queried.",
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleCapabilities,
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							// response keys are dynamic
+							Fields: nil,
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["capabilities_self"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["capabilities_self"][1]),
+		},
+	}
+}
+
+func (b *SystemBackend) leasePaths() []*framework.Path {
+	return []*framework.Path{
+		{
+			Pattern: "leases/lookup/" + framework.MatchAllRegex("prefix"),
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "leases",
+				OperationVerb:   "look-up",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"prefix": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["leases-list-prefix"][0]),
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ListOperation: &framework.PathOperation{
+					Callback: b.handleLeaseLookupList,
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"keys": {
+									Type:        framework.TypeCommaStringSlice,
+									Description: "A list of lease ids",
+									Required:    false,
+								},
+							},
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["leases"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["leases"][1]),
+		},
+
+		{
+			Pattern: "leases/lookup",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "leases",
+				OperationVerb:   "read",
+				OperationSuffix: "lease",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"lease_id": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["lease_id"][0]),
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleLeaseLookup,
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"id": {
+									Type:        framework.TypeString,
+									Description: "Lease id",
+									Required:    true,
+								},
+								"issue_time": {
+									Type:        framework.TypeTime,
+									Description: "Timestamp for the lease's issue time",
+									Required:    true,
+								},
+								"renewable": {
+									Type:        framework.TypeBool,
+									Description: "True if the lease is able to be renewed",
+									Required:    true,
+								},
+								"expire_time": {
+									Type:        framework.TypeTime,
+									Description: "Optional lease expiry time ",
+									Required:    true,
+								},
+								"last_renewal": {
+									Type:        framework.TypeTime,
+									Description: "Optional Timestamp of the last time the lease was renewed",
+									Required:    true,
+								},
+								"ttl": {
+									Type:        framework.TypeInt,
+									Description: "Time to Live set for the lease, returns 0 if unset",
+									Required:    true,
+								},
+							},
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["leases"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["leases"][1]),
+		},
+
+		{
+			Pattern: "(leases/)?renew" + framework.OptionalParamRegex("url_lease_id"),
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "leases",
+				OperationVerb:   "renew",
+				OperationSuffix: "lease2|lease|lease-with-id2|lease-with-id",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"url_lease_id": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["lease_id"][0]),
+				},
+				"lease_id": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["lease_id"][0]),
+				},
+				"increment": {
+					Type:        framework.TypeDurationSecond,
+					Description: strings.TrimSpace(sysHelp["increment"][0]),
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleRenew,
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+						}},
+					},
+					Summary: "Renews a lease, requesting to extend the lease.",
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["renew"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["renew"][1]),
+		},
+
+		{
+			Pattern: "(leases/)?revoke" + framework.OptionalParamRegex("url_lease_id"),
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "leases",
+				OperationVerb:   "revoke",
+				OperationSuffix: "lease2|lease|lease-with-id2|lease-with-id",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"url_lease_id": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["lease_id"][0]),
+				},
+				"lease_id": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["lease_id"][0]),
+				},
+				"sync": {
+					Type:        framework.TypeBool,
+					Default:     true,
+					Description: strings.TrimSpace(sysHelp["revoke-sync"][0]),
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleRevoke,
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+						}},
+					},
+					Summary: "Revokes a lease immediately.",
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["revoke"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["revoke"][1]),
+		},
+
+		{
+			Pattern: "(leases/)?revoke-force/(?P<prefix>.+)",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "leases",
+				OperationVerb:   "force-revoke",
+				OperationSuffix: "lease-with-prefix2|lease-with-prefix",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"prefix": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["revoke-force-path"][0]),
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleRevokeForce,
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+						}},
+					},
+					Summary:     "Revokes all secrets or tokens generated under a given prefix immediately",
+					Description: "Unlike `/sys/leases/revoke-prefix`, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation.\n\nBy ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled.",
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["revoke-force"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["revoke-force"][1]),
+		},
+
+		{
+			Pattern: "(leases/)?revoke-prefix/(?P<prefix>.+)",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "leases",
+				OperationVerb:   "revoke",
+				OperationSuffix: "lease-with-prefix2|lease-with-prefix",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"prefix": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["revoke-prefix-path"][0]),
+				},
+				"sync": {
+					Type:        framework.TypeBool,
+					Default:     true,
+					Description: strings.TrimSpace(sysHelp["revoke-sync"][0]),
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleRevokePrefix,
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+						}},
+					},
+					Summary: "Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately.",
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["revoke-prefix"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["revoke-prefix"][1]),
+		},
+
+		{
+			Pattern: "leases/tidy$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "leases",
+				OperationVerb:   "tidy",
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleTidyLeases,
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+							Fields:      map[string]*framework.FieldSchema{},
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["tidy_leases"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["tidy_leases"][1]),
+		},
+
+		{
+			Pattern: "leases/count$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "leases",
+				OperationVerb:   "count",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"type": {
+					Type:        framework.TypeString,
+					Required:    true,
+					Description: "Type of leases to get counts for (currently only supporting irrevocable).",
+				},
+				"include_child_namespaces": {
+					Type:        framework.TypeBool,
+					Default:     false,
+					Description: "Set true if you want counts for this namespace and its children.",
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					// currently only works for irrevocable leases with param: type=irrevocable
+					Callback: b.handleLeaseCount,
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"lease_count": {
+									Type:        framework.TypeInt,
+									Description: "Number of matching leases",
+									Required:    true,
+								},
+								"counts": {
+									Type:        framework.TypeInt,
+									Description: "Number of matching leases per mount",
+									Required:    true,
+								},
+							},
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["count-leases"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["count-leases"][1]),
+		},
+
+		{
+			Pattern: "leases$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "leases",
+				OperationVerb:   "list",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"type": {
+					Type:        framework.TypeString,
+					Required:    true,
+					Description: "Type of leases to retrieve (currently only supporting irrevocable).",
+				},
+				"include_child_namespaces": {
+					Type:        framework.TypeBool,
+					Default:     false,
+					Description: "Set true if you want leases for this namespace and its children.",
+				},
+				"limit": {
+					Type:        framework.TypeString,
+					Default:     "",
+					Description: "Set to a positive integer of the maximum number of entries to return. If you want all results, set to 'none'. If not set, you will get a maximum of 10,000 results returned.",
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					// currently only works for irrevocable leases with param: type=irrevocable
+					Callback: b.handleLeaseList,
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"lease_count": {
+									Type:        framework.TypeInt,
+									Description: "Number of matching leases",
+									Required:    true,
+								},
+								"counts": {
+									Type:        framework.TypeInt,
+									Description: "Number of matching leases per mount",
+									Required:    true,
+								},
+							},
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["list-leases"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["list-leases"][1]),
+		},
+	}
+}
+
+func (b *SystemBackend) remountPaths() []*framework.Path {
+	return []*framework.Path{
+		{
+			Pattern: "remount",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationVerb: "remount",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"from": {
+					Type:        framework.TypeString,
+					Description: "The previous mount point.",
+				},
+				"to": {
+					Type:        framework.TypeString,
+					Description: "The new mount point.",
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleRemount,
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"migration_id": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+							},
+						}},
+					},
+					Summary: "Initiate a mount migration",
+				},
+			},
+			HelpSynopsis:    strings.TrimSpace(sysHelp["remount"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["remount"][1]),
+		},
+		{
+			Pattern: "remount/status/(?P<migration_id>.+?)$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "remount",
+				OperationVerb:   "status",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"migration_id": {
+					Type:        framework.TypeString,
+					Description: "The ID of the migration operation",
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleRemountStatusCheck,
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"migration_id": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"migration_info": {
+									Type:     framework.TypeMap,
+									Required: true,
+								},
+							},
+						}},
+					},
+					Summary: "Check status of a mount migration",
+				},
+			},
+			HelpSynopsis:    strings.TrimSpace(sysHelp["remount-status"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["remount-status"][1]),
+		},
+	}
+}
+
+func (b *SystemBackend) metricsPath() *framework.Path {
+	return &framework.Path{
+		Pattern: "metrics",
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationVerb: "metrics",
+		},
+
+		Fields: map[string]*framework.FieldSchema{
+			"format": {
+				Type:        framework.TypeString,
+				Description: "Format to export metrics into. Currently accepts only \"prometheus\".",
+				Query:       true,
+			},
+		},
+		Operations: map[logical.Operation]framework.OperationHandler{
+			logical.ReadOperation: &framework.PathOperation{
+				Callback: b.handleMetrics,
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: "OK",
+					}},
+				},
+			},
+		},
+		HelpSynopsis:    strings.TrimSpace(sysHelp["metrics"][0]),
+		HelpDescription: strings.TrimSpace(sysHelp["metrics"][1]),
+	}
+}
 
-	if v != "foo" {
-		t.Fatalf("bad: %#v", v)
+func (b *SystemBackend) monitorPath() *framework.Path {
+	return &framework.Path{
+		Pattern: "monitor",
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationVerb: "monitor",
+		},
+
+		Fields: map[string]*framework.FieldSchema{
+			"log_level": {
+				Type:        framework.TypeString,
+				Description: "Log level to view system logs at. Currently supported values are \"trace\", \"debug\", \"info\", \"warn\", \"error\".",
+				Query:       true,
+			},
+			"log_format": {
+				Type:        framework.TypeString,
+				Description: "Output format of logs. Supported values are \"standard\" and \"json\". The default is \"standard\".",
+				Query:       true,
+				Default:     "standard",
+			},
+		},
+		Operations: map[logical.Operation]framework.OperationHandler{
+			logical.ReadOperation: &framework.PathOperation{
+				Callback: b.handleMonitor,
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: "OK",
+					}},
+				},
+			},
+		},
+		HelpSynopsis:    strings.TrimSpace(sysHelp["monitor"][0]),
+		HelpDescription: strings.TrimSpace(sysHelp["monitor"][1]),
 	}
+}
 
-	if err := h.Erase(); err != nil {
-		t.Fatalf("err: %s", err)
+func (b *SystemBackend) inFlightRequestPath() *framework.Path {
+	return &framework.Path{
+		Pattern: "in-flight-req",
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationVerb:   "collect",
+			OperationSuffix: "in-flight-request-information",
+		},
+
+		Operations: map[logical.Operation]framework.OperationHandler{
+			logical.ReadOperation: &framework.PathOperation{
+				Callback:    b.handleInFlightRequestData,
+				Summary:     strings.TrimSpace(sysHelp["in-flight-req"][0]),
+				Description: strings.TrimSpace(sysHelp["in-flight-req"][1]),
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: "OK",
+						Fields:      nil, // dynamic fields
+					}},
+				},
+			},
+		},
 	}
+}
 
-	v, err = h.Get()
-	if err != nil {
-		t.Fatalf("err: %s", err)
+func (b *SystemBackend) hostInfoPath() *framework.Path {
+	return &framework.Path{
+		Pattern: "host-info/?",
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationVerb:   "collect",
+			OperationSuffix: "host-information",
+		},
+
+		Operations: map[logical.Operation]framework.OperationHandler{
+			logical.ReadOperation: &framework.PathOperation{
+				Callback:    b.handleHostInfo,
+				Summary:     strings.TrimSpace(sysHelp["host-info"][0]),
+				Description: strings.TrimSpace(sysHelp["host-info"][1]),
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: "OK",
+						Fields: map[string]*framework.FieldSchema{
+							"timestamp": {
+								Type:     framework.TypeTime,
+								Required: true,
+							},
+							"cpu": {
+								Type:     framework.TypeSlice,
+								Required: false,
+							},
+							"cpu_times": {
+								Type:     framework.TypeSlice,
+								Required: false,
+							},
+							"disk": {
+								Type:     framework.TypeSlice,
+								Required: false,
+							},
+							"host": {
+								Type:     framework.TypeMap,
+								Required: false,
+							},
+							"memory": {
+								Type:     framework.TypeMap,
+								Required: false,
+							},
+						},
+					}},
+				},
+			},
+		},
+		HelpSynopsis:    strings.TrimSpace(sysHelp["host-info"][0]),
+		HelpDescription: strings.TrimSpace(sysHelp["host-info"][1]),
 	}
+}
+
+func (b *SystemBackend) authPaths() []*framework.Path {
+	return []*framework.Path{
+		{
+			Pattern: "auth$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "auth",
+				OperationVerb:   "list",
+				OperationSuffix: "enabled-methods",
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleAuthTable,
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							// response keys are dynamic
+							Fields: nil,
+						}},
+					},
+				},
+			},
+			HelpSynopsis:    strings.TrimSpace(sysHelp["auth-table"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["auth-table"][1]),
+		},
+		{
+			Pattern: "auth/(?P<path>.+?)/tune$",
 
-	if v != "" {
-		t.Fatalf("bad: %#v", v)
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "auth",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"path": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["auth_tune"][0]),
+				},
+				"default_lease_ttl": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["tune_default_lease_ttl"][0]),
+				},
+				"max_lease_ttl": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["tune_max_lease_ttl"][0]),
+				},
+				"description": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["auth_desc"][0]),
+				},
+				"audit_non_hmac_request_keys": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: strings.TrimSpace(sysHelp["tune_audit_non_hmac_request_keys"][0]),
+				},
+				"audit_non_hmac_response_keys": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: strings.TrimSpace(sysHelp["tune_audit_non_hmac_response_keys"][0]),
+				},
+				"options": {
+					Type:        framework.TypeKVPairs,
+					Description: strings.TrimSpace(sysHelp["tune_mount_options"][0]),
+				},
+				"listing_visibility": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["listing_visibility"][0]),
+				},
+				"passthrough_request_headers": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: strings.TrimSpace(sysHelp["passthrough_request_headers"][0]),
+				},
+				"allowed_response_headers": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: strings.TrimSpace(sysHelp["allowed_response_headers"][0]),
+				},
+				"token_type": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["token_type"][0]),
+				},
+				"user_lockout_config": {
+					Type:        framework.TypeMap,
+					Description: strings.TrimSpace(sysHelp["tune_user_lockout_config"][0]),
+				},
+				"plugin_version": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["plugin-catalog_version"][0]),
+				},
+			},
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleAuthTuneRead,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "read",
+						OperationSuffix: "tuning-information",
+					},
+					Summary:     "Reads the given auth path's configuration.",
+					Description: "This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via `sys/mounts/auth/[auth-path]/tune`.",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"description": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"default_lease_ttl": {
+									Type:     framework.TypeInt,
+									Required: true,
+								},
+								"max_lease_ttl": {
+									Type:     framework.TypeInt,
+									Required: true,
+								},
+								"force_no_cache": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"external_entropy_access": {
+									Type:     framework.TypeBool,
+									Required: false,
+								},
+								"token_type": {
+									Type:     framework.TypeString,
+									Required: false,
+								},
+								"audit_non_hmac_request_keys": {
+									Type:     framework.TypeCommaStringSlice,
+									Required: false,
+								},
+								"audit_non_hmac_response_keys": {
+									Type:     framework.TypeCommaStringSlice,
+									Required: false,
+								},
+								"listing_visibility": {
+									Type:     framework.TypeString,
+									Required: false,
+								},
+								"passthrough_request_headers": {
+									Type:     framework.TypeCommaStringSlice,
+									Required: false,
+								},
+								"allowed_response_headers": {
+									Type:     framework.TypeCommaStringSlice,
+									Required: false,
+								},
+								"allowed_managed_keys": {
+									Type:     framework.TypeCommaStringSlice,
+									Required: false,
+								},
+								"user_lockout_counter_reset_duration": {
+									Type:     framework.TypeInt64,
+									Required: false,
+								},
+								"user_lockout_threshold": {
+									Type:     framework.TypeInt64, // uint64
+									Required: false,
+								},
+								"user_lockout_duration": {
+									Type:     framework.TypeInt64,
+									Required: false,
+								},
+								"user_lockout_disable": {
+									Type:     framework.TypeBool,
+									Required: false,
+								},
+								"options": {
+									Type:     framework.TypeMap,
+									Required: false,
+								},
+								"plugin_version": {
+									Type:     framework.TypeString,
+									Required: false,
+								},
+							},
+						}},
+					},
+				},
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleAuthTuneWrite,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "tune",
+						OperationSuffix: "configuration-parameters",
+					},
+					Summary:     "Tune configuration parameters for a given auth path.",
+					Description: "This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via `sys/mounts/auth/[auth-path]/tune`.",
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+						}},
+					},
+				},
+			},
+			HelpSynopsis:    strings.TrimSpace(sysHelp["auth_tune"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["auth_tune"][1]),
+		},
+		{
+			Pattern: "auth/(?P<path>.+)",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "auth",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"path": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["auth_path"][0]),
+				},
+				"type": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["auth_type"][0]),
+				},
+				"description": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["auth_desc"][0]),
+				},
+				"config": {
+					Type:        framework.TypeMap,
+					Description: strings.TrimSpace(sysHelp["auth_config"][0]),
+				},
+				"local": {
+					Type:        framework.TypeBool,
+					Default:     false,
+					Description: strings.TrimSpace(sysHelp["mount_local"][0]),
+				},
+				"seal_wrap": {
+					Type:        framework.TypeBool,
+					Default:     false,
+					Description: strings.TrimSpace(sysHelp["seal_wrap"][0]),
+				},
+				"external_entropy_access": {
+					Type:        framework.TypeBool,
+					Default:     false,
+					Description: strings.TrimSpace(sysHelp["external_entropy_access"][0]),
+				},
+				"plugin_name": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["auth_plugin"][0]),
+				},
+				"options": {
+					Type:        framework.TypeKVPairs,
+					Description: strings.TrimSpace(sysHelp["auth_options"][0]),
+				},
+				"plugin_version": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["plugin-catalog_version"][0]),
+				},
+			},
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleReadAuth,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "read",
+						OperationSuffix: "configuration",
+					},
+					Summary: "Read the configuration of the auth engine at the given path.",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"type": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"description": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"accessor": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"local": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"seal_wrap": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"external_entropy_access": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"options": {
+									Type:     framework.TypeMap,
+									Required: true,
+								},
+								"uuid": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"plugin_version": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"running_plugin_version": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"running_sha256": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"deprecation_status": {
+									Type:     framework.TypeString,
+									Required: false,
+								},
+								"config": {
+									Type:     framework.TypeMap,
+									Required: true,
+								},
+							},
+						}},
+					},
+				},
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleEnableAuth,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "enable",
+						OperationSuffix: "method",
+					},
+					Summary: "Enables a new auth method.",
+					Description: `After enabling, the auth method can be accessed and configured via the auth path specified as part of the URL. This auth path will be nested under the auth prefix.
+
+For example, enable the "foo" auth method will make it accessible at /auth/foo.`,
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+						}},
+					},
+				},
+				logical.DeleteOperation: &framework.PathOperation{
+					Callback: b.handleDisableAuth,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "disable",
+						OperationSuffix: "method",
+					},
+					Summary: "Disable the auth method at the given auth path",
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+						}},
+					},
+				},
+			},
+			HelpSynopsis:    strings.TrimSpace(sysHelp["auth"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["auth"][1]),
+		},
 	}
 }
 
-// TestProcess is used to re-execute this test in order to use it as the
-// helper process. For this to work, the TestExternalTokenHelperProcess function must
-// exist.
-func TestProcess(t *testing.T, s ...string) {
-	h := &ExternalTokenHelper{BinaryPath: TestProcessPath(t, s...)}
-	Test(t, h)
+func (b *SystemBackend) policyPaths() []*framework.Path {
+	return []*framework.Path{
+		{
+			Pattern: "policy/?$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "policies",
+				OperationVerb:   "list",
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handlePoliciesList(PolicyTypeACL),
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"keys": {
+									Type:     framework.TypeStringSlice,
+									Required: true,
+								},
+								"policies": {
+									Type: framework.TypeStringSlice,
+								},
+							},
+						}},
+					},
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationSuffix: "acl-policies2", // this endpoint duplicates sys/policies/acl
+					},
+				},
+				logical.ListOperation: &framework.PathOperation{
+					Callback: b.handlePoliciesList(PolicyTypeACL),
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"keys": {
+									Type:     framework.TypeStringSlice,
+									Required: true,
+								},
+								"policies": {
+									Type: framework.TypeStringSlice,
+								},
+							},
+						}},
+					},
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationSuffix: "acl-policies3", // this endpoint duplicates sys/policies/acl
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["policy-list"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["policy-list"][1]),
+		},
+
+		{
+			Pattern: "policy/(?P<name>.+)",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "policies",
+				OperationSuffix: "acl-policy2", // this endpoint duplicates /sys/policies/acl
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"name": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["policy-name"][0]),
+				},
+				"rules": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["policy-rules"][0]),
+					Deprecated:  true,
+				},
+				"policy": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["policy-rules"][0]),
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handlePoliciesRead(PolicyTypeACL),
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"name": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"rules": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"policy": {
+									Type:     framework.TypeString,
+									Required: false,
+								},
+							},
+						}},
+					},
+					Summary: "Retrieve the policy body for the named policy.",
+				},
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handlePoliciesSet(PolicyTypeACL),
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+							Fields:      map[string]*framework.FieldSchema{},
+						}},
+					},
+					Summary: "Add a new or update an existing policy.",
+				},
+				logical.DeleteOperation: &framework.PathOperation{
+					Callback: b.handlePoliciesDelete(PolicyTypeACL),
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+							Fields:      map[string]*framework.FieldSchema{},
+						}},
+					},
+					Summary: "Delete the policy with the given name.",
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["policy"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["policy"][1]),
+		},
+
+		{
+			Pattern: "policies/acl/?$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "policies",
+				OperationSuffix: "acl-policies",
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ListOperation: &framework.PathOperation{
+					Callback: b.handlePoliciesList(PolicyTypeACL),
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"keys": {
+									Type:     framework.TypeStringSlice,
+									Required: true,
+								},
+								"policies": {
+									Type: framework.TypeStringSlice,
+								},
+							},
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["policy-list"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["policy-list"][1]),
+		},
+
+		{
+			Pattern: "policies/acl/(?P<name>.+)",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "policies",
+				OperationSuffix: "acl-policy",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"name": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["policy-name"][0]),
+				},
+				"policy": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["policy-rules"][0]),
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handlePoliciesRead(PolicyTypeACL),
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"name": {
+									Type:     framework.TypeString,
+									Required: false,
+								},
+								"rules": {
+									Type:     framework.TypeString,
+									Required: false,
+								},
+								"policy": {
+									Type:     framework.TypeString,
+									Required: false,
+								},
+							},
+						}},
+					},
+					Summary: "Retrieve information about the named ACL policy.",
+				},
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handlePoliciesSet(PolicyTypeACL),
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+							Fields:      map[string]*framework.FieldSchema{},
+						}},
+					},
+					Summary: "Add a new or update an existing ACL policy.",
+				},
+				logical.DeleteOperation: &framework.PathOperation{
+					Callback: b.handlePoliciesDelete(PolicyTypeACL),
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+							Fields:      map[string]*framework.FieldSchema{},
+						}},
+					},
+					Summary: "Delete the ACL policy with the given name.",
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["policy"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["policy"][1]),
+		},
+
+		{
+			Pattern: "policies/password/?$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "policies",
+				OperationSuffix: "password-policies",
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ListOperation: &framework.PathOperation{
+					Callback: b.handlePoliciesPasswordList,
+					Summary:  "List the existing password policies.",
+				},
+			},
+		},
+
+		{
+			Pattern: "policies/password/(?P<name>.+)/generate$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "policies",
+				OperationVerb:   "generate",
+				OperationSuffix: "password-from-password-policy",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"name": {
+					Type:        framework.TypeString,
+					Description: "The name of the password policy.",
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handlePoliciesPasswordGenerate,
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"password": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+							},
+						}},
+					},
+					Summary: "Generate a password from an existing password policy.",
+				},
+			},
+
+			HelpSynopsis:    "Generate a password from an existing password policy.",
+			HelpDescription: "Generate a password from an existing password policy.",
+		},
+
+		{
+			Pattern: "policies/password/(?P<name>.+)$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "policies",
+				OperationSuffix: "password-policy",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"name": {
+					Type:        framework.TypeString,
+					Description: "The name of the password policy.",
+				},
+				"policy": {
+					Type:        framework.TypeString,
+					Description: "The password policy",
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handlePoliciesPasswordSet,
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+							Fields:      map[string]*framework.FieldSchema{},
+						}},
+					},
+					Summary: "Add a new or update an existing password policy.",
+				},
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handlePoliciesPasswordGet,
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"policy": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+							},
+						}},
+					},
+					Summary: "Retrieve an existing password policy.",
+				},
+				logical.DeleteOperation: &framework.PathOperation{
+					Callback: b.handlePoliciesPasswordDelete,
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+							Fields:      map[string]*framework.FieldSchema{},
+						}},
+					},
+					Summary: "Delete a password policy.",
+				},
+			},
+
+			HelpSynopsis: "Read, Modify, or Delete a password policy.",
+			HelpDescription: "Read the rules of an existing password policy, create or update " +
+				"the rules of a password policy, or delete a password policy.",
+		},
+	}
 }
 
-// TestProcessPath returns the path to the test process.
-func TestProcessPath(t *testing.T, s ...string) string {
-	cs := []string{"-test.run=TestExternalTokenHelperProcess", "--", "GO_WANT_HELPER_PROCESS"}
-	cs = append(cs, s...)
-	return fmt.Sprintf(
-		"%s %s",
-		os.Args[0],
-		strings.Join(cs, " "))
+func (b *SystemBackend) wrappingPaths() []*framework.Path {
+	return []*framework.Path{
+		{
+			Pattern: "wrapping/wrap$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationVerb: "wrap",
+			},
+
+			Callbacks: map[logical.Operation]framework.OperationFunc{
+				logical.UpdateOperation: b.handleWrappingWrap,
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleWrappingWrap,
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							// dynamic fields
+							Fields: nil,
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["wrap"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["wrap"][1]),
+
+			TakesArbitraryInput: true,
+		},
+
+		{
+			Pattern: "wrapping/unwrap$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationVerb: "unwrap",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"token": {
+					Type: framework.TypeString,
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleWrappingUnwrap,
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							// dynamic fields
+							Fields: nil,
+						}},
+						http.StatusNoContent: {{
+							Description: "No content",
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["unwrap"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["unwrap"][1]),
+		},
+
+		{
+			Pattern: "wrapping/lookup$",
+
+			Fields: map[string]*framework.FieldSchema{
+				"token": {
+					Type:  framework.TypeString,
+					Query: true,
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleWrappingLookup,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "read",
+						OperationSuffix: "wrapping-properties",
+					},
+					Summary: "Look up wrapping properties for the given token.",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"creation_ttl": {
+									Type:     framework.TypeDurationSecond,
+									Required: false,
+								},
+								"creation_time": {
+									Type:     framework.TypeTime,
+									Required: false,
+								},
+								"creation_path": {
+									Type:     framework.TypeString,
+									Required: false,
+								},
+							},
+						}},
+					},
+				},
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleWrappingLookup,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "read",
+						OperationSuffix: "wrapping-properties2",
+					},
+					Summary: "Look up wrapping properties for the requester's token.",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"creation_ttl": {
+									Type:     framework.TypeDurationSecond,
+									Required: false,
+								},
+								"creation_time": {
+									Type:     framework.TypeTime,
+									Required: false,
+								},
+								"creation_path": {
+									Type:     framework.TypeString,
+									Required: false,
+								},
+							},
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["wraplookup"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["wraplookup"][1]),
+		},
+
+		{
+			Pattern: "wrapping/rewrap$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationVerb: "rewrap",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"token": {
+					Type: framework.TypeString,
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleWrappingRewrap,
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							// dynamic fields
+							Fields: nil,
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["rewrap"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["rewrap"][1]),
+		},
+	}
 }
 
-// TestExternalTokenHelperProcessCLI can be called to implement TestExternalTokenHelperProcess
-// for TestProcess that just executes a CLI command.
-func TestExternalTokenHelperProcessCLI(t *testing.T, cmd cli.Command) {
-	args := os.Args
-	for len(args) > 0 {
-		if args[0] == "--" {
-			args = args[1:]
-			break
-		}
+func (b *SystemBackend) mountPaths() []*framework.Path {
+	return []*framework.Path{
+		{
+			Pattern: "mounts/(?P<path>.+?)/tune$",
 
-		args = args[1:]
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "mounts",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"path": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["mount_path"][0]),
+				},
+				"default_lease_ttl": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["tune_default_lease_ttl"][0]),
+				},
+				"max_lease_ttl": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["tune_max_lease_ttl"][0]),
+				},
+				"description": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["auth_desc"][0]),
+				},
+				"audit_non_hmac_request_keys": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: strings.TrimSpace(sysHelp["tune_audit_non_hmac_request_keys"][0]),
+				},
+				"audit_non_hmac_response_keys": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: strings.TrimSpace(sysHelp["tune_audit_non_hmac_response_keys"][0]),
+				},
+				"options": {
+					Type:        framework.TypeKVPairs,
+					Description: strings.TrimSpace(sysHelp["tune_mount_options"][0]),
+				},
+				"listing_visibility": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["listing_visibility"][0]),
+				},
+				"passthrough_request_headers": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: strings.TrimSpace(sysHelp["passthrough_request_headers"][0]),
+				},
+				"allowed_response_headers": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: strings.TrimSpace(sysHelp["allowed_response_headers"][0]),
+				},
+				"token_type": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["token_type"][0]),
+				},
+				"allowed_managed_keys": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: strings.TrimSpace(sysHelp["tune_allowed_managed_keys"][0]),
+				},
+				"delegated_auth_accessors": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: strings.TrimSpace(sysHelp["allowed_delegated_auth_accessors"][0]),
+				},
+				"plugin_version": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["plugin-catalog_version"][0]),
+				},
+				"user_lockout_config": {
+					Type:        framework.TypeMap,
+					Description: strings.TrimSpace(sysHelp["tune_user_lockout_config"][0]),
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleMountTuneRead,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "read",
+						OperationSuffix: "tuning-information",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"max_lease_ttl": {
+									Type:        framework.TypeInt,
+									Description: strings.TrimSpace(sysHelp["tune_max_lease_ttl"][0]),
+									Required:    true,
+								},
+								"description": {
+									Type:        framework.TypeString,
+									Description: strings.TrimSpace(sysHelp["auth_desc"][0]),
+									Required:    true,
+								},
+								"default_lease_ttl": {
+									Type:        framework.TypeInt,
+									Description: strings.TrimSpace(sysHelp["tune_default_lease_ttl"][0]),
+									Required:    true,
+								},
+								"force_no_cache": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"token_type": {
+									Type:        framework.TypeString,
+									Description: strings.TrimSpace(sysHelp["token_type"][0]),
+									Required:    false,
+								},
+								"allowed_managed_keys": {
+									Type:        framework.TypeCommaStringSlice,
+									Description: strings.TrimSpace(sysHelp["tune_allowed_managed_keys"][0]),
+									Required:    false,
+								},
+								"delegated_auth_accessors": {
+									Type:        framework.TypeCommaStringSlice,
+									Description: strings.TrimSpace(sysHelp["delegated_auth_accessors"][0]),
+									Required:    false,
+								},
+								"allowed_response_headers": {
+									Type:        framework.TypeCommaStringSlice,
+									Description: strings.TrimSpace(sysHelp["allowed_response_headers"][0]),
+									Required:    false,
+								},
+								"options": {
+									Type:        framework.TypeKVPairs,
+									Description: strings.TrimSpace(sysHelp["tune_mount_options"][0]),
+									Required:    false,
+								},
+								"plugin_version": {
+									Type:        framework.TypeString,
+									Description: strings.TrimSpace(sysHelp["plugin-catalog_version"][0]),
+									Required:    false,
+								},
+								"external_entropy_access": {
+									Type:     framework.TypeBool,
+									Required: false,
+								},
+								"audit_non_hmac_request_keys": {
+									Type:     framework.TypeCommaStringSlice,
+									Required: false,
+								},
+								"audit_non_hmac_response_keys": {
+									Type:     framework.TypeCommaStringSlice,
+									Required: false,
+								},
+								"listing_visibility": {
+									Type:     framework.TypeString,
+									Required: false,
+								},
+								"passthrough_request_headers": {
+									Type:     framework.TypeCommaStringSlice,
+									Required: false,
+								},
+								"user_lockout_counter_reset_duration": {
+									Type:     framework.TypeInt64,
+									Required: false,
+								},
+								"user_lockout_threshold": {
+									Type:     framework.TypeInt64, // TODO this is actuall a Uint64 do we need a new type?
+									Required: false,
+								},
+								"user_lockout_duration": {
+									Type:     framework.TypeInt64,
+									Required: false,
+								},
+								"user_lockout_disable": {
+									Type:     framework.TypeBool,
+									Required: false,
+								},
+							},
+						}},
+					},
+				},
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleMountTuneWrite,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "tune",
+						OperationSuffix: "configuration-parameters",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["mount_tune"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["mount_tune"][1]),
+		},
+
+		{
+			Pattern: "mounts/(?P<path>.+?)",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "mounts",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"path": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["mount_path"][0]),
+				},
+				"type": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["mount_type"][0]),
+				},
+				"description": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["mount_desc"][0]),
+				},
+				"config": {
+					Type:        framework.TypeMap,
+					Description: strings.TrimSpace(sysHelp["mount_config"][0]),
+				},
+				"local": {
+					Type:        framework.TypeBool,
+					Default:     false,
+					Description: strings.TrimSpace(sysHelp["mount_local"][0]),
+				},
+				"seal_wrap": {
+					Type:        framework.TypeBool,
+					Default:     false,
+					Description: strings.TrimSpace(sysHelp["seal_wrap"][0]),
+				},
+				"external_entropy_access": {
+					Type:        framework.TypeBool,
+					Default:     false,
+					Description: strings.TrimSpace(sysHelp["external_entropy_access"][0]),
+				},
+				"plugin_name": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["mount_plugin_name"][0]),
+				},
+				"options": {
+					Type:        framework.TypeKVPairs,
+					Description: strings.TrimSpace(sysHelp["mount_options"][0]),
+				},
+				"plugin_version": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["plugin-catalog_version"][0]),
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleReadMount,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "read",
+						OperationSuffix: "configuration",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"type": {
+									Type:        framework.TypeString,
+									Description: strings.TrimSpace(sysHelp["mount_type"][0]),
+									Required:    true,
+								},
+								"description": {
+									Type:        framework.TypeString,
+									Description: strings.TrimSpace(sysHelp["mount_desc"][0]),
+									Required:    true,
+								},
+								"accessor": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"local": {
+									Type:        framework.TypeBool,
+									Default:     false,
+									Description: strings.TrimSpace(sysHelp["mount_local"][0]),
+									Required:    true,
+								},
+								"seal_wrap": {
+									Type:        framework.TypeBool,
+									Default:     false,
+									Description: strings.TrimSpace(sysHelp["seal_wrap"][0]),
+									Required:    true,
+								},
+								"external_entropy_access": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"options": {
+									Type:        framework.TypeKVPairs,
+									Description: strings.TrimSpace(sysHelp["mount_options"][0]),
+									Required:    true,
+								},
+								"plugin_version": {
+									Type:        framework.TypeString,
+									Description: strings.TrimSpace(sysHelp["plugin-catalog_version"][0]),
+									Required:    true,
+								},
+								"uuid": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"running_plugin_version": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"running_sha256": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"config": {
+									Type:        framework.TypeMap,
+									Description: strings.TrimSpace(sysHelp["mount_config"][0]),
+									Required:    true,
+								},
+								"deprecation_status": {
+									Type:     framework.TypeString,
+									Required: false,
+								},
+							},
+						}},
+					},
+					Summary: "Read the configuration of the secret engine at the given path.",
+				},
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleMount,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "enable",
+						OperationSuffix: "secrets-engine",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusNoContent: {{
+							Description: "OK",
+						}},
+					},
+					Summary: "Enable a new secrets engine at the given path.",
+				},
+				logical.DeleteOperation: &framework.PathOperation{
+					Callback: b.handleUnmount,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "disable",
+						OperationSuffix: "secrets-engine",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+						}},
+					},
+					Summary: "Disable the mount point specified at the given path.",
+				},
+			},
+			HelpSynopsis:    strings.TrimSpace(sysHelp["mount"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["mount"][1]),
+		},
+
+		{
+			Pattern: "mounts$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "mounts",
+				OperationVerb:   "list",
+				OperationSuffix: "secrets-engines",
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleMountTable,
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields:      map[string]*framework.FieldSchema{},
+						}},
+					},
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["mounts"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["mounts"][1]),
+		},
 	}
-	if len(args) == 0 || args[0] != "GO_WANT_HELPER_PROCESS" {
-		return
+}
+
+func (b *SystemBackend) experimentPaths() []*framework.Path {
+	return []*framework.Path{
+		{
+			Pattern: "experiments$",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationVerb:   "list",
+				OperationSuffix: "experimental-features",
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleReadExperiments,
+					Summary:  "Returns the available and enabled experiments",
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysHelp["experiments"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["experiments"][1]),
+		},
 	}
-	args = args[1:]
+}
 
-	os.Exit(cmd.Run(args))
+func (b *SystemBackend) lockedUserPaths() []*framework.Path {
+	return []*framework.Path{
+		{
+			Pattern: "locked-users/(?P<mount_accessor>.+?)/unlock/(?P<alias_identifier>.+)",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "locked-users",
+				OperationVerb:   "unlock",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"mount_accessor": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["mount_accessor"][0]),
+				},
+				"alias_identifier": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["alias_identifier"][0]),
+				},
+			},
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleUnlockUser,
+					Summary:  "Unlocks the user with given mount_accessor and alias_identifier",
+				},
+			},
+			HelpSynopsis:    strings.TrimSpace(sysHelp["unlock_user"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["unlock_user"][1]),
+		},
+		{
+			Pattern: "locked-users",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "locked-users",
+				OperationVerb:   "list",
+			},
+
+			Fields: map[string]*framework.FieldSchema{
+				"mount_accessor": {
+					Type:        framework.TypeString,
+					Description: strings.TrimSpace(sysHelp["mount_accessor"][0]),
+				},
+			},
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleLockedUsersMetricQuery,
+					Summary:  "Report the locked user count metrics, for this namespace and all child namespaces.",
+				},
+			},
+			HelpSynopsis:    strings.TrimSpace(sysHelp["locked_users"][0]),
+			HelpDescription: strings.TrimSpace(sysHelp["locked_users"][1]),
+		},
+	}
 }
diff --git a/command/token_capabilities.go b/command/token_capabilities.go
index 246619011f74..7b254076051a 100644
--- a/command/token_capabilities.go
+++ b/command/token_capabilities.go
@@ -1,117 +1,766 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package vault
 
 import (
+	"context"
+	"crypto/subtle"
+	"encoding/base64"
+	"errors"
 	"fmt"
-	"sort"
 	"strings"
+	"time"
 
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
+	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/go-uuid"
+	snapshot "github.com/hashicorp/raft-snapshot"
+	"github.com/hashicorp/vault/helper/constants"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/physical/raft"
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/sdk/physical"
+	"github.com/hashicorp/vault/vault/seal"
+	"github.com/mitchellh/mapstructure"
 )
 
-var (
-	_ cli.Command             = (*TokenCapabilitiesCommand)(nil)
-	_ cli.CommandAutocomplete = (*TokenCapabilitiesCommand)(nil)
-)
+// raftStoragePaths returns paths for use when raft is the storage mechanism.
+func (b *SystemBackend) raftStoragePaths() []*framework.Path {
+	makeSealer := func(logger hclog.Logger, use string) func() snapshot.Sealer {
+		return func() snapshot.Sealer {
+			return NewSealAccessSealer(b.Core.seal.GetAccess(), logger, use)
+		}
+	}
+
+	return []*framework.Path{
+		{
+			Pattern: "storage/raft/bootstrap/answer",
+
+			Fields: map[string]*framework.FieldSchema{
+				"server_id": {
+					Type: framework.TypeString,
+				},
+				"answer": {
+					Type: framework.TypeString,
+				},
+				"cluster_addr": {
+					Type: framework.TypeString,
+				},
+				"non_voter": {
+					Type: framework.TypeBool,
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleRaftBootstrapAnswerWrite(),
+					Summary:  "Accepts an answer from the peer to be joined to the fact cluster.",
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysRaftHelp["raft-bootstrap-answer"][0]),
+			HelpDescription: strings.TrimSpace(sysRaftHelp["raft-bootstrap-answer"][1]),
+		},
+		{
+			Pattern: "storage/raft/bootstrap/challenge",
+
+			Fields: map[string]*framework.FieldSchema{
+				"server_id": {
+					Type: framework.TypeString,
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleRaftBootstrapChallengeWrite(makeSealer(nil, "bootstrap_challenge_write")),
+					Summary:  "Creates a challenge for the new peer to be joined to the raft cluster.",
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysRaftHelp["raft-bootstrap-challenge"][0]),
+			HelpDescription: strings.TrimSpace(sysRaftHelp["raft-bootstrap-challenge"][1]),
+		},
+		{
+			Pattern: "storage/raft/remove-peer",
+
+			Fields: map[string]*framework.FieldSchema{
+				"dr_operation_token": {
+					Type:        framework.TypeString,
+					Description: "DR operation token used to authorize this request (if a DR secondary node).",
+				},
+				"server_id": {
+					Type: framework.TypeString,
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.verifyDROperationTokenOnSecondary(b.handleRaftRemovePeerUpdate(), false),
+					Summary:  "Remove a peer from the raft cluster.",
+				},
+			},
 
-type TokenCapabilitiesCommand struct {
-	*BaseCommand
+			HelpSynopsis:    strings.TrimSpace(sysRaftHelp["raft-remove-peer"][0]),
+			HelpDescription: strings.TrimSpace(sysRaftHelp["raft-remove-peer"][1]),
+		},
+		{
+			Pattern: "storage/raft/configuration",
+
+			Fields: map[string]*framework.FieldSchema{
+				"dr_operation_token": {
+					Type:        framework.TypeString,
+					Description: "DR operation token used to authorize this request (if a DR secondary node).",
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleRaftConfigurationGet(),
+					Summary:  "Returns the configuration of the raft cluster.",
+				},
+				// Reading configuration on a DR secondary cluster is an update
+				// operation to allow consuming the DR operation token for
+				// authenticating the request.
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.verifyDROperationToken(b.handleRaftConfigurationGet(), false),
+					Summary:  "Returns the configuration of the raft cluster in a DR secondary cluster.",
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysRaftHelp["raft-configuration"][0]),
+			HelpDescription: strings.TrimSpace(sysRaftHelp["raft-configuration"][1]),
+		},
+		{
+			Pattern: "storage/raft/snapshot",
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleStorageRaftSnapshotRead(makeSealer(nil, "snapshot_read")),
+					Summary:  "Returns a snapshot of the current state of vault.",
+				},
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleStorageRaftSnapshotWrite(false, makeSealer(b.logger, "snapshot_write")),
+					Summary:  "Installs the provided snapshot, returning the cluster to the state defined in it.",
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysRaftHelp["raft-snapshot"][0]),
+			HelpDescription: strings.TrimSpace(sysRaftHelp["raft-snapshot"][1]),
+		},
+		{
+			Pattern: "storage/raft/snapshot-force",
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.handleStorageRaftSnapshotWrite(true, makeSealer(b.logger, "snapshot_write")),
+					Summary:  "Installs the provided snapshot, returning the cluster to the state defined in it. This bypasses checks ensuring the current Autounseal or Shamir keys are consistent with the snapshot data.",
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysRaftHelp["raft-snapshot-force"][0]),
+			HelpDescription: strings.TrimSpace(sysRaftHelp["raft-snapshot-force"][1]),
+		},
+		{
+			Pattern: "storage/raft/autopilot/state",
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback:                  b.verifyDROperationTokenOnSecondary(b.handleStorageRaftAutopilotState(), false),
+					Summary:                   "Returns the state of the raft cluster under integrated storage as seen by autopilot.",
+					ForwardPerformanceStandby: true,
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysRaftHelp["raft-autopilot-state"][0]),
+			HelpDescription: strings.TrimSpace(sysRaftHelp["raft-autopilot-state"][1]),
+		},
+		{
+			Pattern: "storage/raft/autopilot/configuration",
+			Fields: map[string]*framework.FieldSchema{
+				"cleanup_dead_servers": {
+					Type:        framework.TypeBool,
+					Description: "Controls whether to remove dead servers from the Raft peer list periodically or when a new server joins.",
+				},
+				"last_contact_threshold": {
+					Type:        framework.TypeDurationSecond,
+					Description: "Limit on the amount of time a server can go without leader contact before being considered unhealthy.",
+				},
+				"dead_server_last_contact_threshold": {
+					Type:        framework.TypeDurationSecond,
+					Description: "Limit on the amount of time a server can go without leader contact before being considered failed. This takes effect only when cleanup_dead_servers is set.",
+				},
+				"max_trailing_logs": {
+					Type:        framework.TypeInt,
+					Description: "Amount of entries in the Raft Log that a server can be behind before being considered unhealthy.",
+				},
+				"min_quorum": {
+					Type:        framework.TypeInt,
+					Description: "Minimum number of servers allowed in a cluster before autopilot can prune dead servers. This should at least be 3.",
+				},
+				"server_stabilization_time": {
+					Type:        framework.TypeDurationSecond,
+					Description: "Minimum amount of time a server must be in a stable, healthy state before it can be added to the cluster.",
+				},
+				"disable_upgrade_migration": {
+					Type:        framework.TypeBool,
+					Description: "Whether or not to perform automated version upgrades.",
+				},
+				"dr_operation_token": {
+					Type:        framework.TypeString,
+					Description: "DR operation token used to authorize this request (if a DR secondary node).",
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.verifyDROperationTokenOnSecondary(b.handleStorageRaftAutopilotConfigRead(), false),
+				},
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.verifyDROperationTokenOnSecondary(b.handleStorageRaftAutopilotConfigUpdate(), false),
+				},
+			},
+
+			HelpSynopsis:    strings.TrimSpace(sysRaftHelp["raft-autopilot-configuration"][0]),
+			HelpDescription: strings.TrimSpace(sysRaftHelp["raft-autopilot-configuration"][1]),
+		},
+	}
 }
 
-func (c *TokenCapabilitiesCommand) Synopsis() string {
-	return "Print capabilities of a token on a path"
+func (b *SystemBackend) handleRaftConfigurationGet() framework.OperationFunc {
+	return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+		raftBackend := b.Core.getRaftBackend()
+		if raftBackend == nil {
+			return logical.ErrorResponse("raft storage is not in use"), logical.ErrInvalidRequest
+		}
+
+		config, err := raftBackend.GetConfiguration(ctx)
+		if err != nil {
+			return nil, err
+		}
+
+		return &logical.Response{
+			Data: map[string]interface{}{
+				"config": config,
+			},
+		}, nil
+	}
 }
 
-func (c *TokenCapabilitiesCommand) Help() string {
-	helpText := `
-Usage: vault token capabilities [options] [TOKEN] PATH
+func (b *SystemBackend) handleRaftRemovePeerUpdate() framework.OperationFunc {
+	return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+		serverID := d.Get("server_id").(string)
+		if len(serverID) == 0 {
+			return logical.ErrorResponse("no server id provided"), logical.ErrInvalidRequest
+		}
+
+		raftBackend := b.Core.getRaftBackend()
+		if raftBackend == nil {
+			return logical.ErrorResponse("raft storage is not in use"), logical.ErrInvalidRequest
+		}
 
-  Fetches the capabilities of a token for a given path. If a TOKEN is provided
-  as an argument, the "/sys/capabilities" endpoint and permission is used. If
-  no TOKEN is provided, the "/sys/capabilities-self" endpoint and permission
-  is used with the locally authenticated token.
+		if err := raftBackend.RemovePeer(ctx, serverID); err != nil {
+			return nil, err
+		}
 
-  List capabilities for the local token on the "secret/foo" path:
+		b.Core.raftFollowerStates.Delete(serverID)
 
-      $ vault token capabilities secret/foo
+		return nil, nil
+	}
+}
 
-  List capabilities for a token on the "cubbyhole/foo" path:
+func (b *SystemBackend) handleRaftBootstrapChallengeWrite(makeSealer func() snapshot.Sealer) framework.OperationFunc {
+	return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+		serverID := d.Get("server_id").(string)
+		if len(serverID) == 0 {
+			return logical.ErrorResponse("no server id provided"), logical.ErrInvalidRequest
+		}
 
-      $ vault token capabilities 96ddf4bc-d217-f3ba-f9bd-017055595017 cubbyhole/foo
+		var answer []byte
+		answerRaw, ok := b.Core.pendingRaftPeers.Load(serverID)
+		if !ok {
+			var err error
+			answer, err = uuid.GenerateRandomBytes(16)
+			if err != nil {
+				return nil, err
+			}
+			b.Core.pendingRaftPeers.Store(serverID, answer)
+		} else {
+			answer = answerRaw.([]byte)
+		}
 
-  For a full list of examples, please see the documentation.
+		sealer := makeSealer()
+		if sealer == nil {
+			return nil, errors.New("core has no seal Access to write raft bootstrap challenge")
+		}
+		protoBlob, err := sealer.Seal(ctx, answer)
+		if err != nil {
+			return nil, err
+		}
 
-` + c.Flags().Help()
+		sealConfig, err := b.Core.seal.BarrierConfig(ctx)
+		if err != nil {
+			return nil, err
+		}
 
-	return strings.TrimSpace(helpText)
+		return &logical.Response{
+			Data: map[string]interface{}{
+				"challenge":   base64.StdEncoding.EncodeToString(protoBlob),
+				"seal_config": sealConfig,
+			},
+		}, nil
+	}
 }
 
-func (c *TokenCapabilitiesCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+func (b *SystemBackend) handleRaftBootstrapAnswerWrite() framework.OperationFunc {
+	return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+		raftBackend := b.Core.getRaftBackend()
+		if raftBackend == nil {
+			return logical.ErrorResponse("raft storage is not in use"), logical.ErrInvalidRequest
+		}
+
+		serverID := d.Get("server_id").(string)
+		if len(serverID) == 0 {
+			return logical.ErrorResponse("no server_id provided"), logical.ErrInvalidRequest
+		}
+		answerRaw := d.Get("answer").(string)
+		if len(answerRaw) == 0 {
+			return logical.ErrorResponse("no answer provided"), logical.ErrInvalidRequest
+		}
+		clusterAddr := d.Get("cluster_addr").(string)
+		if len(clusterAddr) == 0 {
+			return logical.ErrorResponse("no cluster_addr provided"), logical.ErrInvalidRequest
+		}
+
+		nonVoter := d.Get("non_voter").(bool)
+
+		answer, err := base64.StdEncoding.DecodeString(answerRaw)
+		if err != nil {
+			return logical.ErrorResponse("could not base64 decode answer"), logical.ErrInvalidRequest
+		}
+
+		expectedAnswerRaw, ok := b.Core.pendingRaftPeers.Load(serverID)
+		if !ok {
+			return logical.ErrorResponse("no expected answer for the server id provided"), logical.ErrInvalidRequest
+		}
+
+		b.Core.pendingRaftPeers.Delete(serverID)
+
+		if subtle.ConstantTimeCompare(answer, expectedAnswerRaw.([]byte)) == 0 {
+			return logical.ErrorResponse("invalid answer given"), logical.ErrInvalidRequest
+		}
+
+		tlsKeyringEntry, err := b.Core.barrier.Get(ctx, raftTLSStoragePath)
+		if err != nil {
+			return nil, err
+		}
+		if tlsKeyringEntry == nil {
+			return nil, errors.New("could not find raft TLS configuration")
+		}
+		var keyring raft.TLSKeyring
+		if err := tlsKeyringEntry.DecodeJSON(&keyring); err != nil {
+			return nil, errors.New("could not decode raft TLS configuration")
+		}
+
+		var desiredSuffrage string
+		switch nonVoter {
+		case true:
+			desiredSuffrage = "non-voter"
+		default:
+			desiredSuffrage = "voter"
+		}
+
+		added := b.Core.raftFollowerStates.Update(&raft.EchoRequestUpdate{
+			NodeID:          serverID,
+			DesiredSuffrage: desiredSuffrage,
+		})
+
+		switch nonVoter {
+		case true:
+			err = raftBackend.AddNonVotingPeer(ctx, serverID, clusterAddr)
+		default:
+			err = raftBackend.AddPeer(ctx, serverID, clusterAddr)
+		}
+		if err != nil {
+			if added {
+				b.Core.raftFollowerStates.Delete(serverID)
+			}
+			return nil, err
+		}
+
+		peers, err := raftBackend.Peers(ctx)
+		if err != nil {
+			return nil, err
+		}
+
+		b.logger.Info("follower node answered the raft bootstrap challenge", "follower_server_id", serverID)
+
+		return &logical.Response{
+			Data: map[string]interface{}{
+				"peers":              peers,
+				"tls_keyring":        &keyring,
+				"autoloaded_license": b.Core.entIsLicenseAutoloaded(),
+			},
+		}, nil
+	}
 }
 
-func (c *TokenCapabilitiesCommand) AutocompleteArgs() complete.Predictor {
-	return nil
+func (b *SystemBackend) handleStorageRaftSnapshotRead(makeSealer func() snapshot.Sealer) framework.OperationFunc {
+	return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+		raftStorage, ok := b.Core.underlyingPhysical.(*raft.RaftBackend)
+		if !ok {
+			return logical.ErrorResponse("raft storage is not in use"), logical.ErrInvalidRequest
+		}
+		if req.ResponseWriter == nil {
+			return nil, errors.New("no writer for request")
+		}
+
+		err := raftStorage.SnapshotHTTP(req.ResponseWriter, makeSealer())
+		if err != nil {
+			return nil, err
+		}
+
+		return nil, nil
+	}
 }
 
-func (c *TokenCapabilitiesCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
+func (b *SystemBackend) handleStorageRaftAutopilotState() framework.OperationFunc {
+	return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+		raftBackend := b.Core.getRaftBackend()
+		if raftBackend == nil {
+			return logical.ErrorResponse("raft storage is not in use"), logical.ErrInvalidRequest
+		}
+
+		state, err := raftBackend.GetAutopilotServerState(ctx)
+		if err != nil {
+			return nil, err
+		}
+
+		if state == nil {
+			return nil, nil
+		}
+
+		data := make(map[string]interface{})
+		err = mapstructure.Decode(state, &data)
+		if err != nil {
+			return nil, err
+		}
+
+		return &logical.Response{
+			Data: data,
+		}, nil
+	}
 }
 
-func (c *TokenCapabilitiesCommand) Run(args []string) int {
-	f := c.Flags()
+func (b *SystemBackend) handleStorageRaftAutopilotConfigRead() framework.OperationFunc {
+	return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+		raftBackend := b.Core.getRaftBackend()
+		if raftBackend == nil {
+			return logical.ErrorResponse("raft storage is not in use"), logical.ErrInvalidRequest
+		}
+
+		config := raftBackend.AutopilotConfig()
+		if config == nil {
+			return nil, nil
+		}
 
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
+		return &logical.Response{
+			Data: map[string]interface{}{
+				"cleanup_dead_servers":               config.CleanupDeadServers,
+				"last_contact_threshold":             config.LastContactThreshold.String(),
+				"dead_server_last_contact_threshold": config.DeadServerLastContactThreshold.String(),
+				"max_trailing_logs":                  config.MaxTrailingLogs,
+				"min_quorum":                         config.MinQuorum,
+				"server_stabilization_time":          config.ServerStabilizationTime.String(),
+				"disable_upgrade_migration":          config.DisableUpgradeMigration,
+			},
+		}, nil
 	}
+}
+
+func (b *SystemBackend) handleStorageRaftAutopilotConfigUpdate() framework.OperationFunc {
+	return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+		raftBackend := b.Core.getRaftBackend()
+		if raftBackend == nil {
+			return logical.ErrorResponse("raft storage is not in use"), logical.ErrInvalidRequest
+		}
+
+		// Read autopilot configuration from storage
+		config, err := b.Core.loadAutopilotConfiguration(ctx)
+		if err != nil {
+			b.logger.Error("failed to load autopilot config from storage when setting up cluster; continuing since autopilot falls back to default config", "error", err)
+		}
+		if config == nil {
+			config = &raft.AutopilotConfig{}
+		}
+
+		persist := false
+		cleanupDeadServers, ok := d.GetOk("cleanup_dead_servers")
+		if ok {
+			if cleanupDeadServers.(bool) {
+				config.CleanupDeadServersValue = raft.CleanupDeadServersTrue
+			} else {
+				config.CleanupDeadServersValue = raft.CleanupDeadServersFalse
+			}
+			persist = true
+		}
+		lastContactThreshold, ok := d.GetOk("last_contact_threshold")
+		if ok {
+			config.LastContactThreshold = time.Duration(lastContactThreshold.(int)) * time.Second
+			persist = true
+		}
+		deadServerLastContactThreshold, ok := d.GetOk("dead_server_last_contact_threshold")
+		if ok {
+			config.DeadServerLastContactThreshold = time.Duration(deadServerLastContactThreshold.(int)) * time.Second
+			persist = true
+		}
+		maxTrailingLogs, ok := d.GetOk("max_trailing_logs")
+		if ok {
+			config.MaxTrailingLogs = uint64(maxTrailingLogs.(int))
+			persist = true
+		}
+		minQuorum, ok := d.GetOk("min_quorum")
+		if ok {
+			config.MinQuorum = uint(minQuorum.(int))
+			persist = true
+		}
+		serverStabilizationTime, ok := d.GetOk("server_stabilization_time")
+		if ok {
+			config.ServerStabilizationTime = time.Duration(serverStabilizationTime.(int)) * time.Second
+			persist = true
+		}
+		disableUpgradeMigration, ok := d.GetOk("disable_upgrade_migration")
+		if ok {
+			if !constants.IsEnterprise {
+				return logical.ErrorResponse("disable_upgrade_migration is only available in Vault Enterprise"), logical.ErrInvalidRequest
+			}
+			config.DisableUpgradeMigration = disableUpgradeMigration.(bool)
+			persist = true
+		}
+
+		effectiveConf := raftBackend.AutopilotConfig()
+		effectiveConf.Merge(config)
 
-	token := ""
-	path := ""
-	args = f.Args()
-	switch len(args) {
-	case 0:
-		c.UI.Error("Not enough arguments (expected 1-2, got 0)")
-		return 1
-	case 1:
-		path = args[0]
-	case 2:
-		token, path = args[0], args[1]
-	default:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1-2, got %d)", len(args)))
-		return 1
+		if effectiveConf.CleanupDeadServers && effectiveConf.MinQuorum < 3 {
+			return logical.ErrorResponse(fmt.Sprintf("min_quorum must be set when cleanup_dead_servers is set and it should at least be 3; cleanup_dead_servers: %#v, min_quorum: %#v", effectiveConf.CleanupDeadServers, effectiveConf.MinQuorum)), logical.ErrInvalidRequest
+		}
+
+		if effectiveConf.CleanupDeadServers && effectiveConf.DeadServerLastContactThreshold.Seconds() < 60 {
+			return logical.ErrorResponse(fmt.Sprintf("dead_server_last_contact_threshold should not be set to less than 1m; received: %v", deadServerLastContactThreshold)), logical.ErrInvalidRequest
+		}
+
+		// Persist only the user supplied fields
+		if persist {
+			entry, err := logical.StorageEntryJSON(raftAutopilotConfigurationStoragePath, config)
+			if err != nil {
+				return nil, err
+			}
+			if err := b.Core.barrier.Put(ctx, entry); err != nil {
+				return nil, err
+			}
+		}
+
+		// Set the effectiveConfig
+		raftBackend.SetAutopilotConfig(effectiveConf)
+
+		return nil, nil
 	}
+}
 
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
+func (b *SystemBackend) handleStorageRaftSnapshotWrite(force bool, makeSealer func() snapshot.Sealer) framework.OperationFunc {
+	return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+		raftStorage, ok := b.Core.underlyingPhysical.(*raft.RaftBackend)
+		if !ok {
+			return logical.ErrorResponse("raft storage is not in use"), logical.ErrInvalidRequest
+		}
+		body, ok := logical.ContextOriginalBodyValue(ctx)
+		if !ok {
+			return nil, errors.New("no reader for request")
+		}
+
+		var sealer snapshot.Sealer
+		if !force {
+			sealer = makeSealer()
+		}
+
+		// We want to buffer the http request reader into a temp file here so we
+		// don't have to hold the full snapshot in memory. We also want to do
+		// the restore in two parts so we can restore the snapshot while the
+		// stateLock is write locked.
+		snapFile, cleanup, metadata, err := raftStorage.WriteSnapshotToTemp(body, sealer)
+		switch {
+		case err == nil:
+		case strings.Contains(err.Error(), "failed to open the sealed hashes"):
+			switch b.Core.seal.BarrierSealConfigType() {
+			case SealConfigTypeShamir:
+				return logical.ErrorResponse("could not verify hash file, possibly the snapshot is using a different set of unseal keys; use the snapshot-force API to bypass this check"), logical.ErrInvalidRequest
+			default:
+				return logical.ErrorResponse("could not verify hash file, possibly the snapshot is using a different autoseal key; use the snapshot-force API to bypass this check"), logical.ErrInvalidRequest
+			}
+		case err != nil:
+			b.Core.logger.Error("raft snapshot restore: failed to write snapshot", "error", err)
+			return nil, err
+		}
+
+		// We want to do this in a go routine so we can upgrade the lock and
+		// allow the client to disconnect.
+		go func() (retErr error) {
+			// Cleanup the temp file
+			defer cleanup()
+
+			// Grab statelock
+			l := newLockGrabber(b.Core.stateLock.Lock, b.Core.stateLock.Unlock, b.Core.standbyStopCh.Load().(chan struct{}))
+			go l.grab()
+			if stopped := l.lockOrStop(); stopped {
+				b.Core.logger.Error("not applying snapshot; shutting down")
+				return
+			}
+			defer b.Core.stateLock.Unlock()
+
+			// If we failed to restore the snapshot we should seal this node as
+			// it's in an unknown state
+			defer func() {
+				if retErr != nil {
+					if err := b.Core.sealInternalWithOptions(false, false, true); err != nil {
+						b.Core.logger.Error("failed to seal node", "error", err)
+					}
+				}
+			}()
+
+			ctx, ctxCancel := context.WithCancel(namespace.RootContext(nil))
+
+			// We are calling the callback function synchronously here while we
+			// have the lock. So set it to nil and restore the callback when we
+			// finish.
+			raftStorage.SetRestoreCallback(nil)
+			defer raftStorage.SetRestoreCallback(b.Core.raftSnapshotRestoreCallback(true, true))
+
+			// Do a preSeal to clear vault's in-memory caches and shut down any
+			// systems that might be holding the encryption access.
+			b.Core.logger.Info("shutting down prior to restoring snapshot")
+			if err := b.Core.preSeal(); err != nil {
+				b.Core.logger.Error("raft snapshot restore failed preSeal", "error", err)
+				return err
+			}
+
+			b.Core.logger.Info("applying snapshot")
+			if err := raftStorage.RestoreSnapshot(ctx, metadata, snapFile); err != nil {
+				b.Core.logger.Error("error while restoring raft snapshot", "error", err)
+				return err
+			}
+
+			// Run invalidation logic synchronously here
+			callback := b.Core.raftSnapshotRestoreCallback(false, false)
+			if err := callback(ctx); err != nil {
+				return err
+			}
+
+			{
+				// If the snapshot was taken while another node was leader we
+				// need to reset the leader information to this node.
+				if err := b.Core.underlyingPhysical.Put(ctx, &physical.Entry{
+					Key:   CoreLockPath,
+					Value: []byte(b.Core.leaderUUID),
+				}); err != nil {
+					b.Core.logger.Error("cluster setup failed", "error", err)
+					return err
+				}
+				// re-advertise our cluster information
+				if err := b.Core.advertiseLeader(ctx, b.Core.leaderUUID, nil); err != nil {
+					b.Core.logger.Error("cluster setup failed", "error", err)
+					return err
+				}
+			}
+			if err := b.Core.postUnseal(ctx, ctxCancel, standardUnsealStrategy{}); err != nil {
+				b.Core.logger.Error("raft snapshot restore failed postUnseal", "error", err)
+				return err
+			}
+
+			return nil
+		}()
+
+		return nil, nil
 	}
+}
+
+var sysRaftHelp = map[string][2]string{
+	"raft-bootstrap-challenge": {
+		"Creates a challenge for the new peer to be joined to the raft cluster.",
+		"",
+	},
+	"raft-bootstrap-answer": {
+		"Accepts an answer from the peer to be joined to the fact cluster.",
+		"",
+	},
+	"raft-configuration": {
+		"Returns the raft cluster configuration.",
+		`On a DR secondary cluster, instead of a GET, this must be a POST or
+		PUT, and furthermore a DR operation token must be provided.`,
+	},
+	"raft-remove-peer": {
+		"Removes a peer from the raft cluster.",
+		"",
+	},
+	"raft-snapshot": {
+		"Restores and saves snapshots from the raft cluster.",
+		"",
+	},
+	"raft-snapshot-force": {
+		"Force restore a raft cluster snapshot",
+		"",
+	},
+	"raft-autopilot-state": {
+		"Returns the state of the raft cluster under integrated storage as seen by autopilot.",
+		"",
+	},
+	"raft-autopilot-configuration": {
+		"Returns autopilot configuration.",
+		"",
+	},
+}
 
-	var capabilities []string
-	if token == "" {
-		capabilities, err = client.Sys().CapabilitiesSelf(path)
-	} else {
-		capabilities, err = client.Sys().Capabilities(token, path)
+func NewSealAccessSealer(access seal.Access, logger hclog.Logger, use string) snapshot.Sealer {
+	// If we have access to the seal create a sealer object
+	var s snapshot.Sealer
+	if access != nil {
+		s = &sealer{
+			access: access,
+			logger: logger,
+			use:    use,
+		}
 	}
+	return s
+}
+
+// sealer implements the snapshot.Sealer interface and is used in the snapshot
+// process for encrypting/decrypting the SHASUM file in snapshot archives.
+type sealer struct {
+	access seal.Access
+	logger hclog.Logger
+	use    string
+}
+
+var _ snapshot.Sealer = (*sealer)(nil)
+
+// Seal encrypts the data with using the seal access object.
+func (s *sealer) Seal(ctx context.Context, pt []byte) ([]byte, error) {
+	wrappedValue, err := SealWrapValue(ctx, s.access, true, pt, func(_ context.Context, errs map[string]error) error {
+		if s.logger != nil {
+			s.logger.Warn("sealed value not wrapped with all seals", "use", s.use)
+		}
+		return nil
+	})
 	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error listing capabilities: %s", err))
-		return 2
-	}
-	if capabilities == nil {
-		c.UI.Error("No capabilities found")
-		return 1
+		return nil, err
 	}
 
-	switch Format(c.UI) {
-	case "table":
-		sort.Strings(capabilities)
-		c.UI.Output(strings.Join(capabilities, ", "))
-		return 0
-	default:
-		return OutputData(c.UI, capabilities)
+	return MarshalSealWrappedValue(wrappedValue)
+}
+
+// Open decrypts the data using the seal access object.
+func (s *sealer) Open(ctx context.Context, ct []byte) ([]byte, error) {
+	wrappedEntryValue, err := UnmarshalSealWrappedValue(ct)
+	if err != nil {
+		return nil, err
 	}
+
+	pt, _, err := UnsealWrapValue(ctx, s.access, "", wrappedEntryValue)
+	return pt, err
 }
diff --git a/command/token_capabilities_test.go b/command/token_capabilities_test.go
index 6dffae53f58d..baa77c74f0f4 100644
--- a/command/token_capabilities_test.go
+++ b/command/token_capabilities_test.go
@@ -1,194 +1,6452 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package vault
 
 import (
+	"context"
+	"encoding/base64"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"path/filepath"
+	"reflect"
+	"runtime"
 	"strings"
 	"testing"
+	"time"
 
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
+	"github.com/fatih/structs"
+	"github.com/go-test/deep"
+	"github.com/hashicorp/go-hclog"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
+	aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
+	semver "github.com/hashicorp/go-version"
+	credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
+	"github.com/hashicorp/vault/helper/builtinplugins"
+	"github.com/hashicorp/vault/helper/experiments"
+	"github.com/hashicorp/vault/helper/identity"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/helper/random"
+	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
+	"github.com/hashicorp/vault/helper/versions"
+	"github.com/hashicorp/vault/internalshared/configutil"
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/compressutil"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/helper/jsonutil"
+	"github.com/hashicorp/vault/sdk/helper/logging"
+	"github.com/hashicorp/vault/sdk/helper/pluginruntimeutil"
+	"github.com/hashicorp/vault/sdk/helper/pluginutil"
+	"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/vault/seal"
+	"github.com/hashicorp/vault/version"
+	"github.com/mitchellh/mapstructure"
+	"github.com/stretchr/testify/require"
 )
 
-func testTokenCapabilitiesCommand(tb testing.TB) (*cli.MockUi, *TokenCapabilitiesCommand) {
-	tb.Helper()
+func TestSystemConfigCORS(t *testing.T) {
+	b := testSystemBackend(t)
+	paths := b.(*SystemBackend).configPaths()
+	_, barrier, _ := mockBarrier(t)
+	view := NewBarrierView(barrier, "")
+	b.(*SystemBackend).Core.systemBarrierView = view
 
-	ui := cli.NewMockUi()
-	return ui, &TokenCapabilitiesCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
+	req := logical.TestRequest(t, logical.UpdateOperation, "config/cors")
+	req.Data["allowed_origins"] = "http://www.example.com"
+	req.Data["allowed_headers"] = "X-Custom-Header"
+	_, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	expected := &logical.Response{
+		Data: map[string]interface{}{
+			"enabled":         true,
+			"allowed_origins": []string{"http://www.example.com"},
+			"allowed_headers": append(StdAllowedHeaders, "X-Custom-Header"),
+		},
+	}
+
+	req = logical.TestRequest(t, logical.ReadOperation, "config/cors")
+	actual, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	if !reflect.DeepEqual(actual, expected) {
+		t.Fatalf("bad: %#v", actual)
+	}
+	schema.ValidateResponse(
+		t,
+		schema.FindResponseSchema(t, paths, 0, req.Operation),
+		actual,
+		true,
+	)
+
+	// Do it again. Bug #6182
+	req = logical.TestRequest(t, logical.UpdateOperation, "config/cors")
+	req.Data["allowed_origins"] = "http://www.example.com"
+	req.Data["allowed_headers"] = "X-Custom-Header"
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	schema.ValidateResponse(
+		t,
+		schema.FindResponseSchema(t, paths, 0, req.Operation),
+		resp,
+		true,
+	)
+
+	req = logical.TestRequest(t, logical.ReadOperation, "config/cors")
+	actual, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	schema.ValidateResponse(
+		t,
+		schema.FindResponseSchema(t, paths, 0, req.Operation),
+		actual,
+		true,
+	)
+
+	if !reflect.DeepEqual(actual, expected) {
+		t.Fatalf("bad: %#v", actual)
+	}
+
+	req = logical.TestRequest(t, logical.DeleteOperation, "config/cors")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	schema.ValidateResponse(
+		t,
+		schema.FindResponseSchema(t, paths, 0, req.Operation),
+		resp,
+		true,
+	)
+
+	req = logical.TestRequest(t, logical.ReadOperation, "config/cors")
+	actual, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	schema.ValidateResponse(
+		t,
+		schema.FindResponseSchema(t, paths, 0, req.Operation),
+		actual,
+		true,
+	)
+
+	expected = &logical.Response{
+		Data: map[string]interface{}{
+			"enabled": false,
+		},
+	}
+
+	if !reflect.DeepEqual(actual, expected) {
+		t.Fatalf("DELETE FAILED -- bad: %#v", actual)
+	}
+}
+
+func TestSystemBackend_mounts(t *testing.T) {
+	b := testSystemBackend(t)
+	req := logical.TestRequest(t, logical.ReadOperation, "mounts")
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// We can't know the pointer address ahead of time so simply
+	// copy what's given
+	exp := map[string]interface{}{
+		"secret/": map[string]interface{}{
+			"type":                    "kv",
+			"external_entropy_access": false,
+			"description":             "key/value secret storage",
+			"accessor":                resp.Data["secret/"].(map[string]interface{})["accessor"],
+			"uuid":                    resp.Data["secret/"].(map[string]interface{})["uuid"],
+			"config": map[string]interface{}{
+				"default_lease_ttl": resp.Data["secret/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
+				"max_lease_ttl":     resp.Data["secret/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
+				"force_no_cache":    false,
+			},
+			"local":     false,
+			"seal_wrap": false,
+			"options": map[string]string{
+				"version": "1",
+			},
+			"plugin_version":         "",
+			"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "kv"),
+			"running_sha256":         "",
+		},
+		"sys/": map[string]interface{}{
+			"type":                    "system",
+			"external_entropy_access": false,
+			"description":             "system endpoints used for control, policy and debugging",
+			"accessor":                resp.Data["sys/"].(map[string]interface{})["accessor"],
+			"uuid":                    resp.Data["sys/"].(map[string]interface{})["uuid"],
+			"config": map[string]interface{}{
+				"default_lease_ttl":           resp.Data["sys/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
+				"max_lease_ttl":               resp.Data["sys/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
+				"force_no_cache":              false,
+				"passthrough_request_headers": []string{"Accept"},
+			},
+			"local":                  false,
+			"seal_wrap":              true,
+			"options":                map[string]string(nil),
+			"plugin_version":         "",
+			"running_plugin_version": versions.DefaultBuiltinVersion,
+			"running_sha256":         "",
+		},
+		"cubbyhole/": map[string]interface{}{
+			"description":             "per-token private secret storage",
+			"type":                    "cubbyhole",
+			"external_entropy_access": false,
+			"accessor":                resp.Data["cubbyhole/"].(map[string]interface{})["accessor"],
+			"uuid":                    resp.Data["cubbyhole/"].(map[string]interface{})["uuid"],
+			"config": map[string]interface{}{
+				"default_lease_ttl": resp.Data["cubbyhole/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
+				"max_lease_ttl":     resp.Data["cubbyhole/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
+				"force_no_cache":    false,
+			},
+			"local":                  true,
+			"seal_wrap":              false,
+			"options":                map[string]string(nil),
+			"plugin_version":         "",
+			"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "cubbyhole"),
+			"running_sha256":         "",
+		},
+		"identity/": map[string]interface{}{
+			"description":             "identity store",
+			"type":                    "identity",
+			"external_entropy_access": false,
+			"accessor":                resp.Data["identity/"].(map[string]interface{})["accessor"],
+			"uuid":                    resp.Data["identity/"].(map[string]interface{})["uuid"],
+			"config": map[string]interface{}{
+				"default_lease_ttl":           resp.Data["identity/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
+				"max_lease_ttl":               resp.Data["identity/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
+				"force_no_cache":              false,
+				"passthrough_request_headers": []string{"Authorization"},
+			},
+			"local":                  false,
+			"seal_wrap":              false,
+			"options":                map[string]string(nil),
+			"plugin_version":         "",
+			"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "identity"),
+			"running_sha256":         "",
+		},
+	}
+	if diff := deep.Equal(resp.Data, exp); len(diff) > 0 {
+		t.Fatalf("bad, diff: %#v", diff)
+	}
+
+	for name, conf := range exp {
+		req := logical.TestRequest(t, logical.ReadOperation, "mounts/"+name)
+		resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		if diff := deep.Equal(resp.Data, conf); len(diff) > 0 {
+			t.Fatalf("bad, diff: %#v", diff)
+		}
+
+		// validate the response structure for mount named read
+		schema.ValidateResponse(
+			t,
+			schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+			resp,
+			true,
+		)
+	}
+}
+
+func TestSystemBackend_mount(t *testing.T) {
+	b := testSystemBackend(t)
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "mounts/prod/secret/")
+	req.Data["type"] = "kv"
+	req.Data["config"] = map[string]interface{}{
+		"default_lease_ttl": "35m",
+		"max_lease_ttl":     "45m",
+	}
+	req.Data["local"] = true
+	req.Data["seal_wrap"] = true
+	req.Data["options"] = map[string]string{
+		"version": "1",
+	}
+
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// validate the response structure for mount named update
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	req = logical.TestRequest(t, logical.ReadOperation, "mounts")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// We can't know the pointer address ahead of time so simply
+	// copy what's given
+	exp := map[string]interface{}{
+		"secret/": map[string]interface{}{
+			"type":                    "kv",
+			"external_entropy_access": false,
+			"description":             "key/value secret storage",
+			"accessor":                resp.Data["secret/"].(map[string]interface{})["accessor"],
+			"uuid":                    resp.Data["secret/"].(map[string]interface{})["uuid"],
+			"config": map[string]interface{}{
+				"default_lease_ttl": resp.Data["secret/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
+				"max_lease_ttl":     resp.Data["secret/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
+				"force_no_cache":    false,
+			},
+			"local":     false,
+			"seal_wrap": false,
+			"options": map[string]string{
+				"version": "1",
+			},
+			"plugin_version":         "",
+			"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "kv"),
+			"running_sha256":         "",
+		},
+		"sys/": map[string]interface{}{
+			"type":                    "system",
+			"external_entropy_access": false,
+			"description":             "system endpoints used for control, policy and debugging",
+			"accessor":                resp.Data["sys/"].(map[string]interface{})["accessor"],
+			"uuid":                    resp.Data["sys/"].(map[string]interface{})["uuid"],
+			"config": map[string]interface{}{
+				"default_lease_ttl":           resp.Data["sys/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
+				"max_lease_ttl":               resp.Data["sys/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
+				"force_no_cache":              false,
+				"passthrough_request_headers": []string{"Accept"},
+			},
+			"local":                  false,
+			"seal_wrap":              true,
+			"options":                map[string]string(nil),
+			"plugin_version":         "",
+			"running_plugin_version": versions.DefaultBuiltinVersion,
+			"running_sha256":         "",
+		},
+		"cubbyhole/": map[string]interface{}{
+			"description":             "per-token private secret storage",
+			"type":                    "cubbyhole",
+			"external_entropy_access": false,
+			"accessor":                resp.Data["cubbyhole/"].(map[string]interface{})["accessor"],
+			"uuid":                    resp.Data["cubbyhole/"].(map[string]interface{})["uuid"],
+			"config": map[string]interface{}{
+				"default_lease_ttl": resp.Data["cubbyhole/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
+				"max_lease_ttl":     resp.Data["cubbyhole/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
+				"force_no_cache":    false,
+			},
+			"local":                  true,
+			"seal_wrap":              false,
+			"options":                map[string]string(nil),
+			"plugin_version":         "",
+			"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "cubbyhole"),
+			"running_sha256":         "",
+		},
+		"identity/": map[string]interface{}{
+			"description":             "identity store",
+			"type":                    "identity",
+			"external_entropy_access": false,
+			"accessor":                resp.Data["identity/"].(map[string]interface{})["accessor"],
+			"uuid":                    resp.Data["identity/"].(map[string]interface{})["uuid"],
+			"config": map[string]interface{}{
+				"default_lease_ttl":           resp.Data["identity/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
+				"max_lease_ttl":               resp.Data["identity/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
+				"force_no_cache":              false,
+				"passthrough_request_headers": []string{"Authorization"},
+			},
+			"local":                  false,
+			"seal_wrap":              false,
+			"options":                map[string]string(nil),
+			"plugin_version":         "",
+			"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "identity"),
+			"running_sha256":         "",
+		},
+		"prod/secret/": map[string]interface{}{
+			"description":             "",
+			"type":                    "kv",
+			"external_entropy_access": false,
+			"accessor":                resp.Data["prod/secret/"].(map[string]interface{})["accessor"],
+			"uuid":                    resp.Data["prod/secret/"].(map[string]interface{})["uuid"],
+			"config": map[string]interface{}{
+				"default_lease_ttl": int64(2100),
+				"max_lease_ttl":     int64(2700),
+				"force_no_cache":    false,
+			},
+			"local":     true,
+			"seal_wrap": true,
+			"options": map[string]string{
+				"version": "1",
+			},
+			"plugin_version":         "",
+			"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "kv"),
+			"running_sha256":         "",
+		},
+	}
+	if diff := deep.Equal(resp.Data, exp); len(diff) > 0 {
+		t.Fatalf("bad: diff: %#v", diff)
+	}
+}
+
+func TestSystemBackend_mount_force_no_cache(t *testing.T) {
+	core, b, _ := testCoreSystemBackend(t)
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "mounts/prod/secret/")
+	req.Data["type"] = "kv"
+	req.Data["config"] = map[string]interface{}{
+		"force_no_cache": true,
+	}
+
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %v", resp)
+	}
+
+	mountEntry := core.router.MatchingMountEntry(namespace.RootContext(nil), "prod/secret/")
+	if mountEntry == nil {
+		t.Fatalf("missing mount entry")
+	}
+	if !mountEntry.Config.ForceNoCache {
+		t.Fatalf("bad config %#v", mountEntry)
+	}
+}
+
+func TestSystemBackend_mount_invalid(t *testing.T) {
+	b := testSystemBackend(t)
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "mounts/prod/secret/")
+	req.Data["type"] = "nope"
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if resp.Data["error"] != `plugin not found in the catalog: nope` {
+		t.Fatalf("bad: %v", resp)
+	}
+}
+
+func TestSystemBackend_unmount(t *testing.T) {
+	b := testSystemBackend(t)
+
+	req := logical.TestRequest(t, logical.DeleteOperation, "mounts/secret/")
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// validate the response structure for mount named delete
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+}
+
+var capabilitiesPolicy = `
+name = "test"
+path "foo/bar*" {
+	capabilities = ["create", "sudo", "update"]
+}
+path "sys/capabilities*" {
+	capabilities = ["update"]
+}
+path "bar/baz" {
+	capabilities = ["read", "update"]
+}
+path "bar/baz" {
+	capabilities = ["delete"]
+}
+`
+
+func TestSystemBackend_PathCapabilities(t *testing.T) {
+	var resp *logical.Response
+	var err error
+
+	core, b, rootToken := testCoreSystemBackend(t)
+
+	policy, _ := ParseACLPolicy(namespace.RootNamespace, capabilitiesPolicy)
+	err = core.policyStore.SetPolicy(namespace.RootContext(nil), policy)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	path1 := "foo/bar"
+	path2 := "foo/bar/sample"
+	path3 := "sys/capabilities"
+	path4 := "bar/baz"
+
+	rootCheckFunc := func(t *testing.T, resp *logical.Response) {
+		// All the paths should have "root" as the capability
+		expectedRoot := []string{"root"}
+		if !reflect.DeepEqual(resp.Data[path1], expectedRoot) ||
+			!reflect.DeepEqual(resp.Data[path2], expectedRoot) ||
+			!reflect.DeepEqual(resp.Data[path3], expectedRoot) ||
+			!reflect.DeepEqual(resp.Data[path4], expectedRoot) {
+			t.Fatalf("bad: capabilities; expected: %#v, actual: %#v", expectedRoot, resp.Data)
+		}
+	}
+
+	// Check the capabilities using the root token
+	req := &logical.Request{
+		Path:      "capabilities",
+		Operation: logical.UpdateOperation,
+		Data: map[string]interface{}{
+			"paths": []string{path1, path2, path3, path4},
+			"token": rootToken,
+		},
+	}
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
+	}
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+	rootCheckFunc(t, resp)
+
+	// Check the capabilities using capabilities-self
+	req = &logical.Request{
+		ClientToken: rootToken,
+		Path:        "capabilities-self",
+		Operation:   logical.UpdateOperation,
+		Data: map[string]interface{}{
+			"paths": []string{path1, path2, path3, path4},
+		},
+	}
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
+	}
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+	rootCheckFunc(t, resp)
+
+	// Lookup the accessor of the root token
+	te, err := core.tokenStore.Lookup(namespace.RootContext(nil), rootToken)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Check the capabilities using capabilities-accessor endpoint
+	req = &logical.Request{
+		Path:      "capabilities-accessor",
+		Operation: logical.UpdateOperation,
+		Data: map[string]interface{}{
+			"paths":    []string{path1, path2, path3, path4},
+			"accessor": te.Accessor,
+		},
+	}
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
+	}
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+	rootCheckFunc(t, resp)
+
+	// Create a non-root token
+	testMakeServiceTokenViaBackend(t, core.tokenStore, rootToken, "tokenid", "", []string{"test"})
+
+	nonRootCheckFunc := func(t *testing.T, resp *logical.Response) {
+		expected1 := []string{"create", "sudo", "update"}
+		expected2 := expected1
+		expected3 := []string{"update"}
+		expected4 := []string{"delete", "read", "update"}
+
+		if !reflect.DeepEqual(resp.Data[path1], expected1) ||
+			!reflect.DeepEqual(resp.Data[path2], expected2) ||
+			!reflect.DeepEqual(resp.Data[path3], expected3) ||
+			!reflect.DeepEqual(resp.Data[path4], expected4) {
+			t.Fatalf("bad: capabilities; actual: %#v", resp.Data)
+		}
+	}
+
+	// Check the capabilities using a non-root token
+	req = &logical.Request{
+		Path:      "capabilities",
+		Operation: logical.UpdateOperation,
+		Data: map[string]interface{}{
+			"paths": []string{path1, path2, path3, path4},
+			"token": "tokenid",
+		},
+	}
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
+	}
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+	nonRootCheckFunc(t, resp)
+
+	// Check the capabilities of a non-root token using capabilities-self
+	// endpoint
+	req = &logical.Request{
+		ClientToken: "tokenid",
+		Path:        "capabilities-self",
+		Operation:   logical.UpdateOperation,
+		Data: map[string]interface{}{
+			"paths": []string{path1, path2, path3, path4},
+		},
+	}
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
+	}
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+	nonRootCheckFunc(t, resp)
+
+	// Lookup the accessor of the non-root token
+	te, err = core.tokenStore.Lookup(namespace.RootContext(nil), "tokenid")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Check the capabilities using a non-root token using
+	// capabilities-accessor endpoint
+	req = &logical.Request{
+		Path:      "capabilities-accessor",
+		Operation: logical.UpdateOperation,
+		Data: map[string]interface{}{
+			"paths":    []string{path1, path2, path3, path4},
+			"accessor": te.Accessor,
+		},
+	}
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
+	}
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+	nonRootCheckFunc(t, resp)
+}
+
+func TestSystemBackend_Capabilities_BC(t *testing.T) {
+	testCapabilities(t, "capabilities")
+	testCapabilities(t, "capabilities-self")
+}
+
+func testCapabilities(t *testing.T, endpoint string) {
+	core, b, rootToken := testCoreSystemBackend(t)
+	req := logical.TestRequest(t, logical.UpdateOperation, endpoint)
+	if endpoint == "capabilities-self" {
+		req.ClientToken = rootToken
+	} else {
+		req.Data["token"] = rootToken
+	}
+	req.Data["path"] = "any_path"
+
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil {
+		t.Fatalf("bad: %v", resp)
+	}
+
+	actual := resp.Data["capabilities"]
+	expected := []string{"root"}
+	if !reflect.DeepEqual(actual, expected) {
+		t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)
+	}
+
+	policy, _ := ParseACLPolicy(namespace.RootNamespace, capabilitiesPolicy)
+	err = core.policyStore.SetPolicy(namespace.RootContext(nil), policy)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	testMakeServiceTokenViaBackend(t, core.tokenStore, rootToken, "tokenid", "", []string{"test"})
+	req = logical.TestRequest(t, logical.UpdateOperation, endpoint)
+	if endpoint == "capabilities-self" {
+		req.ClientToken = "tokenid"
+	} else {
+		req.Data["token"] = "tokenid"
+	}
+	req.Data["path"] = "foo/bar"
+
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil {
+		t.Fatalf("bad: %v", resp)
+	}
+
+	actual = resp.Data["capabilities"]
+	expected = []string{"create", "sudo", "update"}
+	if !reflect.DeepEqual(actual, expected) {
+		t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)
+	}
+}
+
+func TestSystemBackend_CapabilitiesAccessor_BC(t *testing.T) {
+	core, b, rootToken := testCoreSystemBackend(t)
+	te, err := core.tokenStore.Lookup(namespace.RootContext(nil), rootToken)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "capabilities-accessor")
+	// Accessor of root token
+	req.Data["accessor"] = te.Accessor
+	req.Data["path"] = "any_path"
+
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil {
+		t.Fatalf("bad: %v", resp)
+	}
+
+	actual := resp.Data["capabilities"]
+	expected := []string{"root"}
+	if !reflect.DeepEqual(actual, expected) {
+		t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)
+	}
+
+	policy, _ := ParseACLPolicy(namespace.RootNamespace, capabilitiesPolicy)
+	err = core.policyStore.SetPolicy(namespace.RootContext(nil), policy)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	testMakeServiceTokenViaBackend(t, core.tokenStore, rootToken, "tokenid", "", []string{"test"})
+
+	te, err = core.tokenStore.Lookup(namespace.RootContext(nil), "tokenid")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	req = logical.TestRequest(t, logical.UpdateOperation, "capabilities-accessor")
+	req.Data["accessor"] = te.Accessor
+	req.Data["path"] = "foo/bar"
+
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil {
+		t.Fatalf("bad: %v", resp)
+	}
+
+	actual = resp.Data["capabilities"]
+	expected = []string{"create", "sudo", "update"}
+	if !reflect.DeepEqual(actual, expected) {
+		t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)
+	}
+}
+
+func TestSystemBackend_remount_auth(t *testing.T) {
+	err := AddTestCredentialBackend("userpass", credUserpass.Factory)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	c, b, _ := testCoreSystemBackend(t)
+
+	userpassMe := &MountEntry{
+		Table:       credentialTableType,
+		Path:        "userpass1/",
+		Type:        "userpass",
+		Description: "userpass",
+	}
+	err = c.enableCredential(namespace.RootContext(nil), userpassMe)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "remount")
+	req.Data["from"] = "auth/userpass1"
+	req.Data["to"] = "auth/userpass2"
+	req.Data["config"] = structs.Map(MountConfig{})
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+
+	// validate the response structure for remount named read
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	corehelpers.RetryUntil(t, 5*time.Second, func() error {
+		req = logical.TestRequest(t, logical.ReadOperation, fmt.Sprintf("remount/status/%s", resp.Data["migration_id"]))
+		resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		// validate the response structure for remount status read
+		schema.ValidateResponse(
+			t,
+			schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+			resp,
+			true,
+		)
+
+		migrationInfo := resp.Data["migration_info"].(*MountMigrationInfo)
+		if migrationInfo.MigrationStatus != MigrationSuccessStatus.String() {
+			return fmt.Errorf("Expected migration status to be successful, got %q", migrationInfo.MigrationStatus)
+		}
+		return nil
+	})
+}
+
+func TestSystemBackend_remount_auth_invalid(t *testing.T) {
+	b := testSystemBackend(t)
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "remount")
+	req.Data["from"] = "auth/unknown"
+	req.Data["to"] = "auth/foo"
+	req.Data["config"] = structs.Map(MountConfig{})
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if !strings.Contains(resp.Data["error"].(string), "no matching mount at \"auth/unknown/\"") {
+		t.Fatalf("Found unexpected error %q", resp.Data["error"].(string))
+	}
+
+	req.Data["to"] = "foo"
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if !strings.Contains(resp.Data["error"].(string), "cannot remount auth mount to non-auth mount \"foo/\"") {
+		t.Fatalf("Found unexpected error %q", resp.Data["error"].(string))
+	}
+}
+
+func TestSystemBackend_remount_auth_protected(t *testing.T) {
+	b := testSystemBackend(t)
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "remount")
+	req.Data["from"] = "auth/token"
+	req.Data["to"] = "auth/foo"
+	req.Data["config"] = structs.Map(MountConfig{})
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if !strings.Contains(resp.Data["error"].(string), "cannot remount \"auth/token/\"") {
+		t.Fatalf("Found unexpected error %q", resp.Data["error"].(string))
+	}
+
+	req.Data["from"] = "auth/foo"
+	req.Data["to"] = "auth/token"
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if !strings.Contains(resp.Data["error"].(string), "cannot remount to destination \"auth/token/\"") {
+		t.Fatalf("Found unexpected error %q", resp.Data["error"].(string))
+	}
+}
+
+func TestSystemBackend_remount_auth_destinationInUse(t *testing.T) {
+	err := AddTestCredentialBackend("userpass", credUserpass.Factory)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	c, b, _ := testCoreSystemBackend(t)
+
+	userpassMe := &MountEntry{
+		Table:       credentialTableType,
+		Path:        "userpass1/",
+		Type:        "userpass",
+		Description: "userpass",
+	}
+	err = c.enableCredential(namespace.RootContext(nil), userpassMe)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	userpassMe2 := &MountEntry{
+		Table:       credentialTableType,
+		Path:        "userpass2/",
+		Type:        "userpass",
+		Description: "userpass",
+	}
+	err = c.enableCredential(namespace.RootContext(nil), userpassMe2)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "remount")
+	req.Data["from"] = "auth/userpass1"
+	req.Data["to"] = "auth/userpass2"
+	req.Data["config"] = structs.Map(MountConfig{})
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if !strings.Contains(resp.Data["error"].(string), "path already in use at \"auth/userpass2/\"") {
+		t.Fatalf("Found unexpected error %q", resp.Data["error"].(string))
+	}
+
+	req.Data["to"] = "auth/userpass2/mypass"
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if !strings.Contains(resp.Data["error"].(string), "path already in use at \"auth/userpass2/\"") {
+		t.Fatalf("Found unexpected error %q", resp.Data["error"].(string))
+	}
+
+	userpassMe3 := &MountEntry{
+		Table:       credentialTableType,
+		Path:        "userpass3/mypass/",
+		Type:        "userpass",
+		Description: "userpass",
+	}
+	err = c.enableCredential(namespace.RootContext(nil), userpassMe3)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	req.Data["to"] = "auth/userpass3/"
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if !strings.Contains(resp.Data["error"].(string), "path already in use at \"auth/userpass3/mypass/\"") {
+		t.Fatalf("Found unexpected error %q", resp.Data["error"].(string))
+	}
+}
+
+func TestSystemBackend_remount(t *testing.T) {
+	b := testSystemBackend(t)
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "remount")
+	req.Data["from"] = "secret"
+	req.Data["to"] = "foo"
+	req.Data["config"] = structs.Map(MountConfig{})
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	corehelpers.RetryUntil(t, 5*time.Second, func() error {
+		req = logical.TestRequest(t, logical.ReadOperation, fmt.Sprintf("remount/status/%s", resp.Data["migration_id"]))
+		resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		migrationInfo := resp.Data["migration_info"].(*MountMigrationInfo)
+		if migrationInfo.MigrationStatus != MigrationSuccessStatus.String() {
+			return fmt.Errorf("Expected migration status to be successful, got %q", migrationInfo.MigrationStatus)
+		}
+		return nil
+	})
+}
+
+func TestSystemBackend_remount_destinationInUse(t *testing.T) {
+	c, b, _ := testCoreSystemBackend(t)
+
+	me := &MountEntry{
+		Table: mountTableType,
+		Path:  "foo/",
+		Type:  "generic",
+	}
+	err := c.mount(namespace.RootContext(nil), me)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "remount")
+	req.Data["from"] = "secret"
+	req.Data["to"] = "foo"
+	req.Data["config"] = structs.Map(MountConfig{})
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if !strings.Contains(resp.Data["error"].(string), "path already in use at \"foo/\"") {
+		t.Fatalf("Found unexpected error %q", resp.Data["error"].(string))
+	}
+
+	req.Data["to"] = "foo/foo2"
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if !strings.Contains(resp.Data["error"].(string), "path already in use at \"foo/\"") {
+		t.Fatalf("Found unexpected error %q", resp.Data["error"].(string))
+	}
+
+	me2 := &MountEntry{
+		Table: mountTableType,
+		Path:  "foo2/foo3/",
+		Type:  "generic",
+	}
+	err = c.mount(namespace.RootContext(nil), me2)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	req.Data["to"] = "foo2/"
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if !strings.Contains(resp.Data["error"].(string), "path already in use at \"foo2/foo3/\"") {
+		t.Fatalf("Found unexpected error %q", resp.Data["error"].(string))
+	}
+}
+
+func TestSystemBackend_remount_invalid(t *testing.T) {
+	b := testSystemBackend(t)
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "remount")
+	req.Data["from"] = "unknown"
+	req.Data["to"] = "foo"
+	req.Data["config"] = structs.Map(MountConfig{})
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if !strings.Contains(resp.Data["error"].(string), "no matching mount at \"unknown/\"") {
+		t.Fatalf("Found unexpected error %q", resp.Data["error"].(string))
+	}
+}
+
+func TestSystemBackend_remount_system(t *testing.T) {
+	b := testSystemBackend(t)
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "remount")
+	req.Data["from"] = "sys"
+	req.Data["to"] = "foo"
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if !strings.Contains(resp.Data["error"].(string), "cannot remount \"sys/\"") {
+		t.Fatalf("Found unexpected error %q", resp.Data["error"].(string))
+	}
+}
+
+func TestSystemBackend_remount_clean(t *testing.T) {
+	b := testSystemBackend(t)
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "remount")
+	req.Data["from"] = "foo"
+	req.Data["to"] = "foo//bar"
+	req.Data["config"] = structs.Map(MountConfig{})
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if resp.Data["error"] != `invalid destination mount: path 'foo//bar/' does not match cleaned path 'foo/bar/'` {
+		t.Fatalf("bad: %v", resp)
+	}
+}
+
+func TestSystemBackend_remount_nonPrintable(t *testing.T) {
+	b := testSystemBackend(t)
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "remount")
+	req.Data["from"] = "foo"
+	req.Data["to"] = "foo\nbar"
+	req.Data["config"] = structs.Map(MountConfig{})
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if resp.Data["error"] != `invalid destination mount: path cannot contain non-printable characters` {
+		t.Fatalf("bad: %v", resp)
+	}
+}
+
+// TestSystemBackend_remount_trailingSpacesInFromPath ensures we error when
+// there are trailing spaces in the 'from' path during a remount.
+func TestSystemBackend_remount_trailingSpacesInFromPath(t *testing.T) {
+	b := testSystemBackend(t)
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "remount")
+	req.Data["from"] = " foo/ "
+	req.Data["to"] = "bar"
+	req.Data["config"] = structs.Map(MountConfig{})
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if resp.Data["error"] != `'from' path cannot contain trailing whitespace` {
+		t.Fatalf("bad: %v", resp)
+	}
+}
+
+// TestSystemBackend_remount_trailingSpacesInToPath ensures we error when
+// there are trailing spaces in the 'to' path during a remount.
+func TestSystemBackend_remount_trailingSpacesInToPath(t *testing.T) {
+	b := testSystemBackend(t)
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "remount")
+	req.Data["from"] = "foo"
+	req.Data["to"] = " bar/ "
+	req.Data["config"] = structs.Map(MountConfig{})
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if resp.Data["error"] != `'to' path cannot contain trailing whitespace` {
+		t.Fatalf("bad: %v", resp)
+	}
+}
+
+func TestSystemBackend_leases(t *testing.T) {
+	coreConfig := &CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"kv": LeasedPassthroughBackendFactory,
+		},
+	}
+	core, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
+	b := core.systemBackend
+
+	// Create a key with a lease
+	req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo")
+	req.Data["foo"] = "bar"
+	req.ClientToken = root
+	resp, err := core.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Read a key with a LeaseID
+	req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
+	req.ClientToken = root
+	err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	resp, err = core.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Read lease
+	req = logical.TestRequest(t, logical.UpdateOperation, "leases/lookup")
+	req.Data["lease_id"] = resp.Secret.LeaseID
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// validate the response structure for Update
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	if resp.Data["renewable"] == nil || resp.Data["renewable"].(bool) {
+		t.Fatal("kv leases are not renewable")
+	}
+
+	// Invalid lease
+	req = logical.TestRequest(t, logical.UpdateOperation, "leases/lookup")
+	req.Data["lease_id"] = "invalid"
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("expected invalid request, got err: %v", err)
+	}
+}
+
+func TestSystemBackend_leases_list(t *testing.T) {
+	coreConfig := &CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"kv": LeasedPassthroughBackendFactory,
+		},
+	}
+	core, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
+	b := core.systemBackend
+
+	// Create a key with a lease
+	req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo")
+	req.Data["foo"] = "bar"
+	req.ClientToken = root
+	resp, err := core.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Read a key with a LeaseID
+	req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
+	req.ClientToken = root
+	err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	resp, err = core.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// List top level
+	req = logical.TestRequest(t, logical.ListOperation, "leases/lookup/")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// validate the response body for list
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+	var keys []string
+	if err := mapstructure.WeakDecode(resp.Data["keys"], &keys); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if len(keys) != 1 {
+		t.Fatalf("Expected 1 subkey lease, got %d: %#v", len(keys), keys)
+	}
+	if keys[0] != "secret/" {
+		t.Fatal("Expected only secret subkey")
+	}
+
+	// List lease
+	req = logical.TestRequest(t, logical.ListOperation, "leases/lookup/secret/foo")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Data == nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+	keys = []string{}
+	if err := mapstructure.WeakDecode(resp.Data["keys"], &keys); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if len(keys) != 1 {
+		t.Fatalf("Expected 1 secret lease, got %d: %#v", len(keys), keys)
+	}
+
+	// Generate multiple leases
+	req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
+	req.ClientToken = root
+	err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	resp, err = core.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
+	req.ClientToken = root
+	err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	resp, err = core.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	req = logical.TestRequest(t, logical.ListOperation, "leases/lookup/secret/foo")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Data == nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+	keys = []string{}
+	if err := mapstructure.WeakDecode(resp.Data["keys"], &keys); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if len(keys) != 3 {
+		t.Fatalf("Expected 3 secret lease, got %d: %#v", len(keys), keys)
+	}
+
+	// Listing subkeys
+	req = logical.TestRequest(t, logical.UpdateOperation, "secret/bar")
+	req.Data["foo"] = "bar"
+	req.ClientToken = root
+	resp, err = core.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Read a key with a LeaseID
+	req = logical.TestRequest(t, logical.ReadOperation, "secret/bar")
+	req.ClientToken = root
+	err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	resp, err = core.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	req = logical.TestRequest(t, logical.ListOperation, "leases/lookup/secret")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Data == nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+	keys = []string{}
+	if err := mapstructure.WeakDecode(resp.Data["keys"], &keys); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if len(keys) != 2 {
+		t.Fatalf("Expected 2 secret lease, got %d: %#v", len(keys), keys)
+	}
+	expected := []string{"bar/", "foo/"}
+	if !reflect.DeepEqual(expected, keys) {
+		t.Fatalf("exp: %#v, act: %#v", expected, keys)
+	}
+}
+
+func TestSystemBackend_renew(t *testing.T) {
+	coreConfig := &CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"kv": LeasedPassthroughBackendFactory,
+		},
+	}
+	core, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
+	b := core.systemBackend
+
+	// Create a key with a lease
+	req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo")
+	req.Data["foo"] = "bar"
+	req.ClientToken = root
+	resp, err := core.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Read a key with a LeaseID
+	req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
+	req.ClientToken = root
+	err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	resp, err = core.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Attempt renew
+	req2 := logical.TestRequest(t, logical.UpdateOperation, "leases/renew/"+resp.Secret.LeaseID)
+	resp2, err := b.HandleRequest(namespace.RootContext(nil), req2)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Validate lease renewal response structure
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.Route(req2.Path), req2.Operation),
+		resp,
+		true,
+	)
+
+	// Should get error about non-renewability
+	if resp2.Data["error"] != "lease is not renewable" {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Add a TTL to the lease
+	req = logical.TestRequest(t, logical.UpdateOperation, "secret/foo")
+	req.Data["foo"] = "bar"
+	req.Data["ttl"] = "180s"
+	req.ClientToken = root
+	resp, err = core.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Read a key with a LeaseID
+	req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
+	req.ClientToken = root
+	err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	resp, err = core.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Attempt renew
+	req2 = logical.TestRequest(t, logical.UpdateOperation, "leases/renew/"+resp.Secret.LeaseID)
+	resp2, err = b.HandleRequest(namespace.RootContext(nil), req2)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp2.IsError() {
+		t.Fatalf("got an error")
+	}
+	if resp2.Data == nil {
+		t.Fatal("nil data")
+	}
+	if resp.Secret.TTL != 180*time.Second {
+		t.Fatalf("bad lease duration: %v", resp.Secret.TTL)
+	}
+
+	// Test the other route path
+	req2 = logical.TestRequest(t, logical.UpdateOperation, "leases/renew")
+	req2.Data["lease_id"] = resp.Secret.LeaseID
+	resp2, err = b.HandleRequest(namespace.RootContext(nil), req2)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp2.IsError() {
+		t.Fatalf("got an error")
+	}
+	if resp2.Data == nil {
+		t.Fatal("nil data")
+	}
+	if resp.Secret.TTL != 180*time.Second {
+		t.Fatalf("bad lease duration: %v", resp.Secret.TTL)
+	}
+
+	// Test orig path
+	req2 = logical.TestRequest(t, logical.UpdateOperation, "renew")
+	req2.Data["lease_id"] = resp.Secret.LeaseID
+	resp2, err = b.HandleRequest(namespace.RootContext(nil), req2)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp2.IsError() {
+		t.Fatalf("got an error")
+	}
+	if resp2.Data == nil {
+		t.Fatal("nil data")
+	}
+	if resp.Secret.TTL != time.Second*180 {
+		t.Fatalf("bad lease duration: %v", resp.Secret.TTL)
+	}
+}
+
+func TestSystemBackend_renew_invalidID(t *testing.T) {
+	b := testSystemBackend(t)
+
+	// Attempt renew
+	req := logical.TestRequest(t, logical.UpdateOperation, "leases/renew/foobarbaz")
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if resp.Data["error"] != "lease not found" {
+		t.Fatalf("bad: %v", resp)
+	}
+
+	// Attempt renew with other method
+	req = logical.TestRequest(t, logical.UpdateOperation, "leases/renew")
+	req.Data["lease_id"] = "foobarbaz"
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if resp.Data["error"] != "lease not found" {
+		t.Fatalf("bad: %v", resp)
+	}
+}
+
+func TestSystemBackend_renew_invalidID_origUrl(t *testing.T) {
+	b := testSystemBackend(t)
+
+	// Attempt renew
+	req := logical.TestRequest(t, logical.UpdateOperation, "renew/foobarbaz")
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if resp.Data["error"] != "lease not found" {
+		t.Fatalf("bad: %v", resp)
+	}
+
+	// Attempt renew with other method
+	req = logical.TestRequest(t, logical.UpdateOperation, "renew")
+	req.Data["lease_id"] = "foobarbaz"
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if resp.Data["error"] != "lease not found" {
+		t.Fatalf("bad: %v", resp)
+	}
+}
+
+func TestSystemBackend_revoke(t *testing.T) {
+	coreConfig := &CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"kv": LeasedPassthroughBackendFactory,
+		},
+	}
+	core, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
+	b := core.systemBackend
+
+	// Create a key with a lease
+	req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo")
+	req.Data["foo"] = "bar"
+	req.Data["lease"] = "1h"
+	req.ClientToken = root
+	resp, err := core.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Read a key with a LeaseID
+	req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
+	req.ClientToken = root
+	err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	resp, err = core.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Attempt revoke
+	req2 := logical.TestRequest(t, logical.UpdateOperation, "revoke/"+resp.Secret.LeaseID)
+	resp2, err := b.HandleRequest(namespace.RootContext(nil), req2)
+	if err != nil {
+		t.Fatalf("err: %v %#v", err, resp2)
+	}
+	if resp2 != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Attempt renew
+	req3 := logical.TestRequest(t, logical.UpdateOperation, "renew/"+resp.Secret.LeaseID)
+	resp3, err := b.HandleRequest(namespace.RootContext(nil), req3)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if resp3.Data["error"] != "lease not found" {
+		t.Fatalf("bad: %v", *resp3)
+	}
+
+	// Read a key with a LeaseID
+	req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
+	req.ClientToken = root
+	err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	resp, err = core.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Test the other route path
+	req2 = logical.TestRequest(t, logical.UpdateOperation, "revoke")
+	req2.Data["lease_id"] = resp.Secret.LeaseID
+	resp2, err = b.HandleRequest(namespace.RootContext(nil), req2)
+	if err != nil {
+		t.Fatalf("err: %v %#v", err, resp2)
+	}
+	if resp2 != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Read a key with a LeaseID
+	req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
+	req.ClientToken = root
+	err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	resp, err = core.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Test the other route path
+	req2 = logical.TestRequest(t, logical.UpdateOperation, "leases/revoke")
+	req2.Data["lease_id"] = resp.Secret.LeaseID
+	resp2, err = b.HandleRequest(namespace.RootContext(nil), req2)
+	if err != nil {
+		t.Fatalf("err: %v %#v", err, resp2)
+	}
+	if resp2 != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+}
+
+func TestSystemBackend_revoke_invalidID(t *testing.T) {
+	b := testSystemBackend(t)
+
+	// Attempt revoke
+	req := logical.TestRequest(t, logical.UpdateOperation, "leases/revoke/foobarbaz")
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %v", resp)
+	}
+
+	// Attempt revoke with other method
+	req = logical.TestRequest(t, logical.UpdateOperation, "leases/revoke")
+	req.Data["lease_id"] = "foobarbaz"
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// validate the response structure for lease revoke
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	if resp != nil {
+		t.Fatalf("bad: %v", resp)
+	}
+}
+
+func TestSystemBackend_revoke_invalidID_origUrl(t *testing.T) {
+	b := testSystemBackend(t)
+
+	// Attempt revoke
+	req := logical.TestRequest(t, logical.UpdateOperation, "revoke/foobarbaz")
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %v", resp)
+	}
+
+	// Attempt revoke with other method
+	req = logical.TestRequest(t, logical.UpdateOperation, "revoke")
+	req.Data["lease_id"] = "foobarbaz"
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %v", resp)
+	}
+}
+
+func TestSystemBackend_revokePrefix(t *testing.T) {
+	coreConfig := &CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"kv": LeasedPassthroughBackendFactory,
+		},
+	}
+	core, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
+	b := core.systemBackend
+
+	// Create a key with a lease
+	req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo")
+	req.Data["foo"] = "bar"
+	req.Data["lease"] = "1h"
+	req.ClientToken = root
+	resp, err := core.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Read a key with a LeaseID
+	req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
+	req.ClientToken = root
+	err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	resp, err = core.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Attempt revoke
+	req2 := logical.TestRequest(t, logical.UpdateOperation, "leases/revoke-prefix/secret/")
+	resp2, err := b.HandleRequest(namespace.RootContext(nil), req2)
+	if err != nil {
+		t.Fatalf("err: %v %#v", err, resp2)
+	}
+
+	// validate the response structure for lease revoke-prefix
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.Route(req2.Path), req2.Operation),
+		resp,
+		true,
+	)
+
+	// Attempt renew
+	req3 := logical.TestRequest(t, logical.UpdateOperation, "leases/renew/"+resp.Secret.LeaseID)
+	resp3, err := b.HandleRequest(namespace.RootContext(nil), req3)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if resp3.Data["error"] != "lease not found" {
+		t.Fatalf("bad: %v", *resp3)
+	}
+}
+
+func TestSystemBackend_revokePrefix_origUrl(t *testing.T) {
+	coreConfig := &CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"kv": LeasedPassthroughBackendFactory,
+		},
+	}
+	core, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
+	b := core.systemBackend
+
+	// Create a key with a lease
+	req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo")
+	req.Data["foo"] = "bar"
+	req.Data["lease"] = "1h"
+	req.ClientToken = root
+	resp, err := core.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Read a key with a LeaseID
+	req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
+	req.ClientToken = root
+	err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	resp, err = core.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Attempt revoke
+	req2 := logical.TestRequest(t, logical.UpdateOperation, "revoke-prefix/secret/")
+	resp2, err := b.HandleRequest(namespace.RootContext(nil), req2)
+	if err != nil {
+		t.Fatalf("err: %v %#v", err, resp2)
+	}
+	if resp2 != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Attempt renew
+	req3 := logical.TestRequest(t, logical.UpdateOperation, "renew/"+resp.Secret.LeaseID)
+	resp3, err := b.HandleRequest(namespace.RootContext(nil), req3)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if resp3.Data["error"] != "lease not found" {
+		t.Fatalf("bad: %#v", *resp3)
+	}
+}
+
+func TestSystemBackend_revokePrefixAuth_newUrl(t *testing.T) {
+	core, _, _ := TestCoreUnsealed(t)
+
+	ts := core.tokenStore
+	bc := &logical.BackendConfig{
+		Logger: core.logger,
+		System: logical.StaticSystemView{
+			DefaultLeaseTTLVal: time.Hour * 24,
+			MaxLeaseTTLVal:     time.Hour * 24 * 32,
+		},
+	}
+	b := NewSystemBackend(core, hclog.New(&hclog.LoggerOptions{}), bc)
+	err := b.Backend.Setup(namespace.RootContext(nil), bc)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	exp := ts.expiration
+
+	te := &logical.TokenEntry{
+		ID:          "foo",
+		Path:        "auth/github/login/bar",
+		TTL:         time.Hour,
+		NamespaceID: namespace.RootNamespaceID,
+	}
+	testMakeTokenDirectly(t, ts, te)
+
+	te, err = ts.Lookup(namespace.RootContext(nil), "foo")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if te == nil {
+		t.Fatal("token entry was nil")
+	}
+
+	// Create a new token
+	auth := &logical.Auth{
+		ClientToken: te.ID,
+		LeaseOptions: logical.LeaseOptions{
+			TTL: time.Hour,
+		},
+	}
+	err = exp.RegisterAuth(namespace.RootContext(nil), te, auth, "")
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "leases/revoke-prefix/auth/github/")
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v %v", err, resp)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	te, err = ts.Lookup(namespace.RootContext(nil), te.ID)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if te != nil {
+		t.Fatalf("bad: %v", te)
+	}
+}
+
+func TestSystemBackend_revokePrefixAuth_origUrl(t *testing.T) {
+	core, _, _ := TestCoreUnsealed(t)
+	ts := core.tokenStore
+	bc := &logical.BackendConfig{
+		Logger: core.logger,
+		System: logical.StaticSystemView{
+			DefaultLeaseTTLVal: time.Hour * 24,
+			MaxLeaseTTLVal:     time.Hour * 24 * 32,
+		},
+	}
+	b := NewSystemBackend(core, hclog.New(&hclog.LoggerOptions{}), bc)
+	err := b.Backend.Setup(namespace.RootContext(nil), bc)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	exp := ts.expiration
+
+	te := &logical.TokenEntry{
+		ID:          "foo",
+		Path:        "auth/github/login/bar",
+		TTL:         time.Hour,
+		NamespaceID: namespace.RootNamespaceID,
+	}
+	testMakeTokenDirectly(t, ts, te)
+
+	te, err = ts.Lookup(namespace.RootContext(nil), "foo")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if te == nil {
+		t.Fatal("token entry was nil")
+	}
+
+	// Create a new token
+	auth := &logical.Auth{
+		ClientToken: te.ID,
+		LeaseOptions: logical.LeaseOptions{
+			TTL: time.Hour,
+		},
+	}
+	err = exp.RegisterAuth(namespace.RootContext(nil), te, auth, "")
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "revoke-prefix/auth/github/")
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v %v", err, resp)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	te, err = ts.Lookup(namespace.RootContext(nil), te.ID)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if te != nil {
+		t.Fatalf("bad: %v", te)
+	}
+}
+
+func TestSystemBackend_authTable(t *testing.T) {
+	b := testSystemBackend(t)
+	req := logical.TestRequest(t, logical.ReadOperation, "auth")
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	exp := map[string]interface{}{
+		"token/": map[string]interface{}{
+			"type":                    "token",
+			"external_entropy_access": false,
+			"description":             "token based credentials",
+			"accessor":                resp.Data["token/"].(map[string]interface{})["accessor"],
+			"uuid":                    resp.Data["token/"].(map[string]interface{})["uuid"],
+			"config": map[string]interface{}{
+				"default_lease_ttl": int64(0),
+				"max_lease_ttl":     int64(0),
+				"force_no_cache":    false,
+				"token_type":        "default-service",
+			},
+			"local":                  false,
+			"seal_wrap":              false,
+			"options":                map[string]string(nil),
+			"plugin_version":         "",
+			"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeCredential, "token"),
+			"running_sha256":         "",
+		},
+	}
+	if diff := deep.Equal(resp.Data, exp); diff != nil {
+		t.Fatal(diff)
+	}
+
+	req = logical.TestRequest(t, logical.ReadOperation, "auth/token")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	if diff := deep.Equal(resp.Data, exp["token/"]); diff != nil {
+		t.Fatal(diff)
+	}
+}
+
+func TestSystemBackend_enableAuth(t *testing.T) {
+	c, b, _ := testCoreSystemBackend(t)
+	c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
+		return &NoopBackend{BackendType: logical.TypeCredential}, nil
+	}
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "auth/foo")
+	req.Data["type"] = "noop"
+	req.Data["config"] = map[string]interface{}{
+		"default_lease_ttl": "35m",
+		"max_lease_ttl":     "45m",
+	}
+	req.Data["local"] = true
+	req.Data["seal_wrap"] = true
+
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %v", resp)
+	}
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	req = logical.TestRequest(t, logical.ReadOperation, "auth")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil {
+		t.Fatal("resp is nil")
+	}
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	exp := map[string]interface{}{
+		"foo/": map[string]interface{}{
+			"type":                    "noop",
+			"external_entropy_access": false,
+			"description":             "",
+			"accessor":                resp.Data["foo/"].(map[string]interface{})["accessor"],
+			"uuid":                    resp.Data["foo/"].(map[string]interface{})["uuid"],
+			"config": map[string]interface{}{
+				"default_lease_ttl": int64(2100),
+				"max_lease_ttl":     int64(2700),
+				"force_no_cache":    false,
+				"token_type":        "default-service",
+			},
+			"local":                  true,
+			"seal_wrap":              true,
+			"options":                map[string]string{},
+			"plugin_version":         "",
+			"running_plugin_version": versions.DefaultBuiltinVersion,
+			"running_sha256":         "",
+		},
+		"token/": map[string]interface{}{
+			"type":                    "token",
+			"external_entropy_access": false,
+			"description":             "token based credentials",
+			"accessor":                resp.Data["token/"].(map[string]interface{})["accessor"],
+			"uuid":                    resp.Data["token/"].(map[string]interface{})["uuid"],
+			"config": map[string]interface{}{
+				"default_lease_ttl": int64(0),
+				"max_lease_ttl":     int64(0),
+				"force_no_cache":    false,
+				"token_type":        "default-service",
+			},
+			"local":                  false,
+			"seal_wrap":              false,
+			"options":                map[string]string(nil),
+			"plugin_version":         "",
+			"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeCredential, "token"),
+			"running_sha256":         "",
+		},
+	}
+	if diff := deep.Equal(resp.Data, exp); diff != nil {
+		t.Fatal(diff)
+	}
+}
+
+func TestSystemBackend_enableAuth_invalid(t *testing.T) {
+	b := testSystemBackend(t)
+	req := logical.TestRequest(t, logical.UpdateOperation, "auth/foo")
+	req.Data["type"] = "nope"
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if resp.Data["error"] != `plugin not found in the catalog: nope` {
+		t.Fatalf("bad: %v", resp)
+	}
+}
+
+func TestSystemBackend_disableAuth(t *testing.T) {
+	c, b, _ := testCoreSystemBackend(t)
+	c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
+		return &NoopBackend{}, nil
+	}
+
+	// Register the backend
+	req := logical.TestRequest(t, logical.UpdateOperation, "auth/foo")
+	req.Data["type"] = "noop"
+	b.HandleRequest(namespace.RootContext(nil), req)
+
+	// Deregister it
+	req = logical.TestRequest(t, logical.DeleteOperation, "auth/foo")
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %v", resp)
+	}
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+}
+
+func TestSystemBackend_tuneAuth(t *testing.T) {
+	c, b, _ := testCoreSystemBackend(t)
+	c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
+		return &NoopBackend{BackendType: logical.TypeCredential}, nil
+	}
+
+	req := logical.TestRequest(t, logical.ReadOperation, "auth/token/tune")
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil {
+		t.Fatal("resp is nil")
+	}
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	exp := map[string]interface{}{
+		"description":       "token based credentials",
+		"default_lease_ttl": int(2764800),
+		"max_lease_ttl":     int(2764800),
+		"force_no_cache":    false,
+		"token_type":        "default-service",
+	}
+
+	if diff := deep.Equal(resp.Data, exp); diff != nil {
+		t.Fatal(diff)
+	}
+
+	req = logical.TestRequest(t, logical.UpdateOperation, "auth/token/tune")
+	req.Data["description"] = ""
+	req.Data["plugin_version"] = "v1.0.0"
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err == nil || resp == nil || !resp.IsError() || !strings.Contains(resp.Error().Error(), ErrPluginNotFound.Error()) {
+		t.Fatalf("expected tune request to fail, but got resp: %#v, err: %s", resp, err)
+	}
+
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	// Register the plugin in the catalog, and then try the same request again.
+	{
+		tempDir, err := filepath.EvalSymlinks(t.TempDir())
+		if err != nil {
+			t.Fatal(err)
+		}
+		c.pluginCatalog.directory = tempDir
+		file, err := os.Create(filepath.Join(tempDir, "foo"))
+		if err != nil {
+			t.Fatal(err)
+		}
+		if err := file.Close(); err != nil {
+			t.Fatal(err)
+		}
+		err = c.pluginCatalog.Set(context.Background(), pluginutil.SetPluginInput{
+			Name:    "token",
+			Type:    consts.PluginTypeCredential,
+			Version: "v1.0.0",
+			Command: "foo",
+			Args:    []string{},
+			Env:     []string{},
+			Sha256:  []byte{},
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatal(resp, err)
+	}
+
+	req = logical.TestRequest(t, logical.ReadOperation, "auth/token/tune")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil {
+		t.Fatal("resp is nil")
+	}
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	if resp.Data["description"] != "" {
+		t.Fatalf("got: %#v expect: %#v", resp.Data["description"], "")
+	}
+	if resp.Data["plugin_version"] != "v1.0.0" {
+		t.Fatalf("got: %#v, expected: %v", resp.Data["version"], "v1.0.0")
+	}
+}
+
+func TestSystemBackend_policyList(t *testing.T) {
+	b := testSystemBackend(t)
+	req := logical.TestRequest(t, logical.ReadOperation, "policy")
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// validate the response structure for policy read
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	exp := map[string]interface{}{
+		"keys":     []string{"default", "root"},
+		"policies": []string{"default", "root"},
+	}
+	if !reflect.DeepEqual(resp.Data, exp) {
+		t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
+	}
+}
+
+func TestSystemBackend_policyCRUD(t *testing.T) {
+	b := testSystemBackend(t)
+
+	// Create the policy
+	rules := `path "foo/" { policy = "read" }`
+	req := logical.TestRequest(t, logical.UpdateOperation, "policy/Foo")
+	req.Data["rules"] = rules
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v %#v", err, resp)
+	}
+	if resp != nil && (resp.IsError() || len(resp.Data) > 0) {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// validate the response structure for policy named Update
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	// Read the policy
+	req = logical.TestRequest(t, logical.ReadOperation, "policy/foo")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// validate the response structure for policy named read
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	exp := map[string]interface{}{
+		"name":  "foo",
+		"rules": rules,
+	}
+	if !reflect.DeepEqual(resp.Data, exp) {
+		t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
+	}
+
+	// Read, and make sure that case has been normalized
+	req = logical.TestRequest(t, logical.ReadOperation, "policy/Foo")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	exp = map[string]interface{}{
+		"name":  "foo",
+		"rules": rules,
+	}
+	if !reflect.DeepEqual(resp.Data, exp) {
+		t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
+	}
+
+	// List the policies
+	req = logical.TestRequest(t, logical.ReadOperation, "policy")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	exp = map[string]interface{}{
+		"keys":     []string{"default", "foo", "root"},
+		"policies": []string{"default", "foo", "root"},
+	}
+	if !reflect.DeepEqual(resp.Data, exp) {
+		t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
+	}
+
+	// Delete the policy
+	req = logical.TestRequest(t, logical.DeleteOperation, "policy/foo")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// validate the response structure for policy named delete
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	// Read the policy (deleted)
+	req = logical.TestRequest(t, logical.ReadOperation, "policy/foo")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// List the policies (deleted)
+	req = logical.TestRequest(t, logical.ReadOperation, "policy")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	exp = map[string]interface{}{
+		"keys":     []string{"default", "root"},
+		"policies": []string{"default", "root"},
+	}
+	if !reflect.DeepEqual(resp.Data, exp) {
+		t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
+	}
+}
+
+func TestSystemBackend_enableAudit(t *testing.T) {
+	c, b, _ := testCoreSystemBackend(t)
+	c.auditBackends["noop"] = corehelpers.NoopAuditFactory(nil)
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "audit/foo")
+	req.Data["type"] = "noop"
+
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %v", resp)
+	}
+}
+
+// TestSystemBackend_decodeToken ensures the correct decoding of the encoded token.
+// It also ensures that the API fails if there is some payload missing.
+func TestSystemBackend_decodeToken(t *testing.T) {
+	encodedToken := "Bxg9JQQqOCNKBRICNwMIRzo2J3cWCBRi"
+	otp := "3JhHkONiyiaNYj14nnD9xZQS"
+	tokenExpected := "4RUmoevJ3lsLni9sTXcNnRE1"
+
+	_, b, _ := testCoreSystemBackend(t)
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "decode-token")
+	req.Data["encoded_token"] = encodedToken
+	req.Data["otp"] = otp
+
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	token, ok := resp.Data["token"]
+	if !ok {
+		t.Fatalf("did not get token back in response, response was %#v", resp.Data)
+	}
+
+	if token.(string) != tokenExpected {
+		t.Fatalf("bad token back: %s", token.(string))
+	}
+
+	datas := []map[string]interface{}{
+		nil,
+		{"encoded_token": encodedToken},
+		{"otp": otp},
+	}
+	for _, data := range datas {
+		req.Data = data
+		resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+		if err == nil {
+			t.Fatalf("no error despite missing payload")
+		}
+		schema.ValidateResponse(
+			t,
+			schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+			resp,
+			true,
+		)
+	}
+}
+
+func TestSystemBackend_auditHash(t *testing.T) {
+	c, b, _ := testCoreSystemBackend(t)
+	c.auditBackends["noop"] = corehelpers.NoopAuditFactory(nil)
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "audit/foo")
+	req.Data["type"] = "noop"
+
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %v", resp)
+	}
+
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	req = logical.TestRequest(t, logical.UpdateOperation, "audit-hash/foo")
+	req.Data["input"] = "bar"
+
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Data == nil {
+		t.Fatalf("response or its data was nil")
+	}
+
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	hash, ok := resp.Data["hash"]
+	if !ok {
+		t.Fatalf("did not get hash back in response, response was %#v", resp.Data)
+	}
+	if hash.(string) != "hmac-sha256:f9320baf0249169e73850cd6156ded0106e2bb6ad8cab01b7bbbebe6d1065317" {
+		t.Fatalf("bad hash back: %s", hash.(string))
+	}
+}
+
+func TestSystemBackend_enableAudit_invalid(t *testing.T) {
+	b := testSystemBackend(t)
+	req := logical.TestRequest(t, logical.UpdateOperation, "audit/foo")
+	req.Data["type"] = "nope"
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if resp.Data["error"] != `unknown backend type: "nope"` {
+		t.Fatalf("bad: %v", resp)
+	}
+}
+
+func TestSystemBackend_auditTable(t *testing.T) {
+	c, b, _ := testCoreSystemBackend(t)
+	c.auditBackends["noop"] = corehelpers.NoopAuditFactory(nil)
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "audit/foo")
+	req.Data["type"] = "noop"
+	req.Data["description"] = "testing"
+	req.Data["options"] = map[string]interface{}{
+		"foo": "bar",
+	}
+	req.Data["local"] = true
+	b.HandleRequest(namespace.RootContext(nil), req)
+
+	req = logical.TestRequest(t, logical.ReadOperation, "audit")
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	exp := map[string]interface{}{
+		"foo/": map[string]interface{}{
+			"path":        "foo/",
+			"type":        "noop",
+			"description": "testing",
+			"options": map[string]string{
+				"foo": "bar",
+			},
+			"local": true,
+		},
+	}
+	if !reflect.DeepEqual(resp.Data, exp) {
+		t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
+	}
+}
+
+func TestSystemBackend_disableAudit(t *testing.T) {
+	c, b, _ := testCoreSystemBackend(t)
+	c.auditBackends["noop"] = corehelpers.NoopAuditFactory(nil)
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "audit/foo")
+	req.Data["type"] = "noop"
+	req.Data["description"] = "testing"
+	req.Data["options"] = map[string]interface{}{
+		"foo": "bar",
+	}
+	b.HandleRequest(namespace.RootContext(nil), req)
+
+	// Deregister it
+	req = logical.TestRequest(t, logical.DeleteOperation, "audit/foo")
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %v", resp)
+	}
+}
+
+func TestSystemBackend_rawRead_Compressed(t *testing.T) {
+	t.Run("basic", func(t *testing.T) {
+		b := testSystemBackendRaw(t)
+
+		req := logical.TestRequest(t, logical.ReadOperation, "raw/core/mounts")
+		resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		schema.ValidateResponse(
+			t,
+			schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+			resp,
+			true,
+		)
+
+		if !strings.HasPrefix(resp.Data["value"].(string), `{"type":"mounts"`) {
+			t.Fatalf("bad: %v", resp)
+		}
+	})
+
+	t.Run("base64", func(t *testing.T) {
+		b := testSystemBackendRaw(t)
+
+		req := logical.TestRequest(t, logical.ReadOperation, "raw/core/mounts")
+		req.Data = map[string]interface{}{
+			"encoding": "base64",
+		}
+		resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		if _, ok := resp.Data["value"].([]byte); !ok {
+			t.Fatalf("value is a not an array of bytes, it is %T", resp.Data["value"])
+		}
+
+		if !strings.HasPrefix(string(resp.Data["value"].([]byte)), `{"type":"mounts"`) {
+			t.Fatalf("bad: %v", resp)
+		}
+	})
+
+	t.Run("invalid_encoding", func(t *testing.T) {
+		b := testSystemBackendRaw(t)
+
+		req := logical.TestRequest(t, logical.ReadOperation, "raw/core/mounts")
+		req.Data = map[string]interface{}{
+			"encoding": "invalid_encoding",
+		}
+		resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+		if err != logical.ErrInvalidRequest {
+			t.Fatalf("err: %v", err)
+		}
+
+		if !resp.IsError() {
+			t.Fatalf("bad: %v", resp)
+		}
+	})
+
+	t.Run("compressed_false", func(t *testing.T) {
+		b := testSystemBackendRaw(t)
+
+		req := logical.TestRequest(t, logical.ReadOperation, "raw/core/mounts")
+		req.Data = map[string]interface{}{
+			"compressed": false,
+		}
+		resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		if _, ok := resp.Data["value"].(string); !ok {
+			t.Fatalf("value is a not a string, it is %T", resp.Data["value"])
+		}
+
+		if !strings.HasPrefix(string(resp.Data["value"].(string)), string(compressutil.CompressionCanaryGzip)) {
+			t.Fatalf("bad: %v", resp)
+		}
+	})
+
+	t.Run("compressed_false_base64", func(t *testing.T) {
+		b := testSystemBackendRaw(t)
+
+		req := logical.TestRequest(t, logical.ReadOperation, "raw/core/mounts")
+		req.Data = map[string]interface{}{
+			"compressed": false,
+			"encoding":   "base64",
+		}
+
+		resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		if _, ok := resp.Data["value"].([]byte); !ok {
+			t.Fatalf("value is a not an array of bytes, it is %T", resp.Data["value"])
+		}
+
+		if !strings.HasPrefix(string(resp.Data["value"].([]byte)), string(compressutil.CompressionCanaryGzip)) {
+			t.Fatalf("bad: %v", resp)
+		}
+	})
+
+	t.Run("uncompressed_entry_with_prefix_byte", func(t *testing.T) {
+		b := testSystemBackendRaw(t)
+		req := logical.TestRequest(t, logical.CreateOperation, "raw/test_raw")
+		req.Data = map[string]interface{}{
+			"value": "414c1e7f-0a9a-49e0-9fc4-61af329d0724",
+		}
+
+		resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		if resp != nil {
+			t.Fatalf("bad: %v", resp)
+		}
+
+		schema.ValidateResponse(
+			t,
+			schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+			resp,
+			true,
+		)
+
+		req = logical.TestRequest(t, logical.ReadOperation, "raw/test_raw")
+		resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+		if err == nil {
+			t.Fatalf("expected error if trying to read uncompressed entry with prefix byte")
+		}
+		if !resp.IsError() {
+			t.Fatalf("bad: %v", resp)
+		}
+
+		req = logical.TestRequest(t, logical.ReadOperation, "raw/test_raw")
+		req.Data = map[string]interface{}{
+			"compressed": false,
+		}
+		resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		if resp.IsError() {
+			t.Fatalf("bad: %v", resp)
+		}
+		if resp.Data["value"].(string) != "414c1e7f-0a9a-49e0-9fc4-61af329d0724" {
+			t.Fatalf("bad: %v", resp)
+		}
+	})
+}
+
+func TestSystemBackend_rawRead_Protected(t *testing.T) {
+	b := testSystemBackendRaw(t)
+
+	req := logical.TestRequest(t, logical.ReadOperation, "raw/"+keyringPath)
+	_, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+}
+
+func TestSystemBackend_rawWrite_Protected(t *testing.T) {
+	b := testSystemBackendRaw(t)
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "raw/"+keyringPath)
+	_, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+}
+
+func TestSystemBackend_rawReadWrite(t *testing.T) {
+	_, b, _ := testCoreSystemBackendRaw(t)
+
+	req := logical.TestRequest(t, logical.CreateOperation, "raw/sys/policy/test")
+	req.Data["value"] = `path "secret/" { policy = "read" }`
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %v", resp)
+	}
+
+	// Read via raw API
+	req = logical.TestRequest(t, logical.ReadOperation, "raw/sys/policy/test")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !strings.HasPrefix(resp.Data["value"].(string), "path") {
+		t.Fatalf("bad: %v", resp)
+	}
+
+	// Note: since the upgrade code is gone that upgraded from 0.1, we can't
+	// simply parse this out directly via GetPolicy, so the test now ends here.
+}
+
+func TestSystemBackend_rawWrite_ExistanceCheck(t *testing.T) {
+	b := testSystemBackendRaw(t)
+	req := logical.TestRequest(t, logical.CreateOperation, "raw/core/mounts")
+	_, exist, err := b.HandleExistenceCheck(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: #{err}")
+	}
+	if !exist {
+		t.Fatalf("raw existence check failed for actual key")
+	}
+
+	req = logical.TestRequest(t, logical.CreateOperation, "raw/non_existent")
+	_, exist, err = b.HandleExistenceCheck(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: #{err}")
+	}
+	if exist {
+		t.Fatalf("raw existence check failed for non-existent key")
+	}
+}
+
+func TestSystemBackend_rawReadWrite_base64(t *testing.T) {
+	t.Run("basic", func(t *testing.T) {
+		_, b, _ := testCoreSystemBackendRaw(t)
+
+		req := logical.TestRequest(t, logical.CreateOperation, "raw/sys/policy/test")
+		req.Data = map[string]interface{}{
+			"value":    base64.StdEncoding.EncodeToString([]byte(`path "secret/" { policy = "read"[ }`)),
+			"encoding": "base64",
+		}
+		resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		if resp != nil {
+			t.Fatalf("bad: %v", resp)
+		}
+
+		// Read via raw API
+		req = logical.TestRequest(t, logical.ReadOperation, "raw/sys/policy/test")
+		resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		if !strings.HasPrefix(resp.Data["value"].(string), "path") {
+			t.Fatalf("bad: %v", resp)
+		}
+	})
+
+	t.Run("invalid_value", func(t *testing.T) {
+		_, b, _ := testCoreSystemBackendRaw(t)
+
+		req := logical.TestRequest(t, logical.CreateOperation, "raw/sys/policy/test")
+		req.Data = map[string]interface{}{
+			"value":    "invalid base64",
+			"encoding": "base64",
+		}
+		resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+		if err == nil {
+			t.Fatalf("no error")
+		}
+
+		if err != logical.ErrInvalidRequest {
+			t.Fatalf("unexpected error: %v", err)
+		}
+
+		if !resp.IsError() {
+			t.Fatalf("response is not error: %v", resp)
+		}
+	})
+
+	t.Run("invalid_encoding", func(t *testing.T) {
+		_, b, _ := testCoreSystemBackendRaw(t)
+
+		req := logical.TestRequest(t, logical.CreateOperation, "raw/sys/policy/test")
+		req.Data = map[string]interface{}{
+			"value":    "text",
+			"encoding": "invalid_encoding",
+		}
+		resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+		if err == nil {
+			t.Fatalf("no error")
+		}
+
+		if err != logical.ErrInvalidRequest {
+			t.Fatalf("unexpected error: %v", err)
+		}
+
+		if !resp.IsError() {
+			t.Fatalf("response is not error: %v", resp)
+		}
+	})
+}
+
+func TestSystemBackend_rawReadWrite_Compressed(t *testing.T) {
+	t.Run("use_existing_compression", func(t *testing.T) {
+		b := testSystemBackendRaw(t)
+
+		req := logical.TestRequest(t, logical.ReadOperation, "raw/core/mounts")
+		resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		mounts := resp.Data["value"].(string)
+		req = logical.TestRequest(t, logical.UpdateOperation, "raw/core/mounts")
+		req.Data = map[string]interface{}{
+			"value":            mounts,
+			"compression_type": compressutil.CompressionTypeGzip,
+		}
+		resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		schema.ValidateResponse(
+			t,
+			schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+			resp,
+			true,
+		)
+
+		// Read back and check gzip was applied by looking for prefix byte
+		req = logical.TestRequest(t, logical.ReadOperation, "raw/core/mounts")
+		req.Data = map[string]interface{}{
+			"compressed": false,
+			"encoding":   "base64",
+		}
+
+		resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		if _, ok := resp.Data["value"].([]byte); !ok {
+			t.Fatalf("value is a not an array of bytes, it is %T", resp.Data["value"])
+		}
+
+		if !strings.HasPrefix(string(resp.Data["value"].([]byte)), string(compressutil.CompressionCanaryGzip)) {
+			t.Fatalf("bad: %v", resp)
+		}
+	})
+
+	t.Run("compression_type_matches_existing_compression", func(t *testing.T) {
+		b := testSystemBackendRaw(t)
+
+		req := logical.TestRequest(t, logical.ReadOperation, "raw/core/mounts")
+		resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		mounts := resp.Data["value"].(string)
+		req = logical.TestRequest(t, logical.UpdateOperation, "raw/core/mounts")
+		req.Data = map[string]interface{}{
+			"value": mounts,
+		}
+		resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		// Read back and check gzip was applied by looking for prefix byte
+		req = logical.TestRequest(t, logical.ReadOperation, "raw/core/mounts")
+		req.Data = map[string]interface{}{
+			"compressed": false,
+			"encoding":   "base64",
+		}
+		resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		if _, ok := resp.Data["value"].([]byte); !ok {
+			t.Fatalf("value is a not an array of bytes, it is %T", resp.Data["value"])
+		}
+
+		if !strings.HasPrefix(string(resp.Data["value"].([]byte)), string(compressutil.CompressionCanaryGzip)) {
+			t.Fatalf("bad: %v", resp)
+		}
+	})
+
+	t.Run("write_uncompressed_over_existing_compressed", func(t *testing.T) {
+		b := testSystemBackendRaw(t)
+
+		req := logical.TestRequest(t, logical.ReadOperation, "raw/core/mounts")
+		resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		mounts := resp.Data["value"].(string)
+		req = logical.TestRequest(t, logical.UpdateOperation, "raw/core/mounts")
+		req.Data = map[string]interface{}{
+			"value":            mounts,
+			"compression_type": "",
+		}
+		resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		// Read back and check gzip was not applied by looking for prefix byte
+		req = logical.TestRequest(t, logical.ReadOperation, "raw/core/mounts")
+		req.Data = map[string]interface{}{
+			"compressed": false,
+			"encoding":   "base64",
+		}
+
+		resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		if _, ok := resp.Data["value"].([]byte); !ok {
+			t.Fatalf("value is a not an array of bytes, it is %T", resp.Data["value"])
+		}
+
+		if !strings.HasPrefix(string(resp.Data["value"].([]byte)), `{"type":"mounts"`) {
+			t.Fatalf("bad: %v", resp)
+		}
+	})
+
+	t.Run("invalid_compression_type", func(t *testing.T) {
+		b := testSystemBackendRaw(t)
+
+		req := logical.TestRequest(t, logical.ReadOperation, "raw/core/mounts")
+		resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		mounts := resp.Data["value"].(string)
+		req = logical.TestRequest(t, logical.UpdateOperation, "raw/core/mounts")
+		req.Data = map[string]interface{}{
+			"value":            mounts,
+			"compression_type": "invalid_type",
+		}
+		resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+		if err != logical.ErrInvalidRequest {
+			t.Fatalf("unexpected error: %v", err)
+		}
+
+		if !resp.IsError() {
+			t.Fatalf("response is not error: %v", resp)
+		}
+	})
+
+	t.Run("update_non_existent_entry", func(t *testing.T) {
+		b := testSystemBackendRaw(t)
+
+		req := logical.TestRequest(t, logical.UpdateOperation, "raw/non_existent")
+		req.Data = map[string]interface{}{
+			"value": "{}",
+		}
+		resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+		if err != logical.ErrInvalidRequest {
+			t.Fatalf("unexpected error: %v", err)
+		}
+
+		if !resp.IsError() {
+			t.Fatalf("response is not error: %v", resp)
+		}
+	})
+
+	t.Run("invalid_compression_over_existing_uncompressed_data", func(t *testing.T) {
+		b := testSystemBackendRaw(t)
+
+		req := logical.TestRequest(t, logical.CreateOperation, "raw/test")
+		req.Data = map[string]interface{}{
+			"value": "{}",
+		}
+		resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+
+		if resp.IsError() {
+			t.Fatalf("response is an error: %v", resp)
+		}
+
+		req = logical.TestRequest(t, logical.UpdateOperation, "raw/test")
+		req.Data = map[string]interface{}{
+			"value":            "{}",
+			"compression_type": compressutil.CompressionTypeGzip,
+		}
+		resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+		if err != logical.ErrInvalidRequest {
+			t.Fatalf("unexpected error: %v", err)
+		}
+
+		if !resp.IsError() {
+			t.Fatalf("response is not error: %v", resp)
+		}
+	})
+
+	t.Run("wrong_compression_type_over_existing_compressed_data", func(t *testing.T) {
+		b := testSystemBackendRaw(t)
+
+		req := logical.TestRequest(t, logical.CreateOperation, "raw/test")
+		req.Data = map[string]interface{}{
+			"value":            "{}",
+			"compression_type": compressutil.CompressionTypeGzip,
+		}
+		resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+
+		if resp.IsError() {
+			t.Fatalf("response is an error: %v", resp)
+		}
+
+		req = logical.TestRequest(t, logical.UpdateOperation, "raw/test")
+		req.Data = map[string]interface{}{
+			"value":            "{}",
+			"compression_type": compressutil.CompressionTypeSnappy,
+		}
+		resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+		if err != logical.ErrInvalidRequest {
+			t.Fatalf("unexpected error: %v", err)
+		}
+
+		if !resp.IsError() {
+			t.Fatalf("response is not error: %v", resp)
+		}
+	})
+}
+
+func TestSystemBackend_rawDelete_Protected(t *testing.T) {
+	b := testSystemBackendRaw(t)
+
+	req := logical.TestRequest(t, logical.DeleteOperation, "raw/"+keyringPath)
+	_, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+}
+
+func TestSystemBackend_rawDelete(t *testing.T) {
+	c, b, _ := testCoreSystemBackendRaw(t)
+
+	// set the policy!
+	p := &Policy{
+		Name:      "test",
+		Type:      PolicyTypeACL,
+		namespace: namespace.RootNamespace,
+	}
+	err := c.policyStore.SetPolicy(namespace.RootContext(nil), p)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Delete the policy
+	req := logical.TestRequest(t, logical.DeleteOperation, "raw/sys/policy/test")
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %v", resp)
+	}
+
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	// Policy should be gone
+	c.policyStore.tokenPoliciesLRU.Purge()
+	out, err := c.policyStore.GetPolicy(namespace.RootContext(nil), "test", PolicyTypeToken)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if out != nil {
+		t.Fatalf("policy should be gone")
+	}
+}
+
+func TestSystemBackend_keyStatus(t *testing.T) {
+	b := testSystemBackend(t)
+	req := logical.TestRequest(t, logical.ReadOperation, "key-status")
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	exp := map[string]interface{}{
+		"term": 1,
+	}
+	delete(resp.Data, "install_time")
+	delete(resp.Data, "encryptions")
+	if !reflect.DeepEqual(resp.Data, exp) {
+		t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
+	}
+}
+
+func TestSystemBackend_rotateConfig(t *testing.T) {
+	b := testSystemBackend(t)
+	req := logical.TestRequest(t, logical.ReadOperation, "rotate/config")
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	exp := map[string]interface{}{
+		"max_operations": absoluteOperationMaximum,
+		"interval":       0,
+		"enabled":        true,
+	}
+	if !reflect.DeepEqual(resp.Data, exp) {
+		t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
+	}
+
+	req2 := logical.TestRequest(t, logical.UpdateOperation, "rotate/config")
+	req2.Data["max_operations"] = int64(3221225472)
+	req2.Data["interval"] = "5432h0m0s"
+	req2.Data["enabled"] = false
+
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req2)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req2.Path), req2.Operation),
+		resp,
+		true,
+	)
+
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation), resp,
+		true,
+	)
+
+	exp = map[string]interface{}{
+		"max_operations": int64(3221225472),
+		"interval":       "5432h0m0s",
+		"enabled":        false,
+	}
+
+	if !reflect.DeepEqual(resp.Data, exp) {
+		t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
+	}
+}
+
+func TestSystemBackend_rotate(t *testing.T) {
+	b := testSystemBackend(t)
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "rotate")
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %v", resp)
+	}
+
+	req = logical.TestRequest(t, logical.ReadOperation, "key-status")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	exp := map[string]interface{}{
+		"term": 2,
+	}
+	delete(resp.Data, "install_time")
+	delete(resp.Data, "encryptions")
+	if !reflect.DeepEqual(resp.Data, exp) {
+		t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
+	}
+}
+
+func testSystemBackend(t *testing.T) logical.Backend {
+	t.Helper()
+	c, _, _ := TestCoreUnsealed(t)
+	return c.systemBackend
+}
+
+func testSystemBackendRaw(t *testing.T) logical.Backend {
+	t.Helper()
+	c, _, _ := TestCoreUnsealedRaw(t)
+	return c.systemBackend
+}
+
+func testCoreSystemBackend(t *testing.T) (*Core, logical.Backend, string) {
+	t.Helper()
+	c, _, root := TestCoreUnsealed(t)
+	return c, c.systemBackend, root
+}
+
+func testCoreSystemBackendRaw(t *testing.T) (*Core, logical.Backend, string) {
+	t.Helper()
+	c, _, root := TestCoreUnsealedRaw(t)
+	return c, c.systemBackend, root
+}
+
+func TestSystemBackend_PluginCatalog_CRUD(t *testing.T) {
+	c, b, _ := testCoreSystemBackend(t)
+	// Bootstrap the pluginCatalog
+	sym, err := filepath.EvalSymlinks(os.TempDir())
+	if err != nil {
+		t.Fatalf("error: %v", err)
+	}
+	c.pluginCatalog.directory = sym
+
+	req := logical.TestRequest(t, logical.ListOperation, "plugins/catalog/database")
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	if len(resp.Data["keys"].([]string)) != len(c.builtinRegistry.Keys(consts.PluginTypeDatabase)) {
+		t.Fatalf("Wrong number of plugins, got %d, expected %d", len(resp.Data["keys"].([]string)), len(builtinplugins.Registry.Keys(consts.PluginTypeDatabase)))
+	}
+
+	req = logical.TestRequest(t, logical.ReadOperation, "plugins/catalog/database/mysql-database-plugin")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	// Get deprecation status directly from the registry so we can compare it to the API response
+	deprecationStatus, _ := c.builtinRegistry.DeprecationStatus("mysql-database-plugin", consts.PluginTypeDatabase)
+
+	actualRespData := resp.Data
+	expectedRespData := map[string]interface{}{
+		"name":               "mysql-database-plugin",
+		"command":            "",
+		"args":               []string(nil),
+		"sha256":             "",
+		"builtin":            true,
+		"version":            versions.GetBuiltinVersion(consts.PluginTypeDatabase, "mysql-database-plugin"),
+		"deprecation_status": deprecationStatus.String(),
+	}
+	if !reflect.DeepEqual(actualRespData, expectedRespData) {
+		t.Fatalf("expected did not match actual, got %#v\n expected %#v\n", actualRespData, expectedRespData)
+	}
+
+	// Set a plugin
+	file, err := ioutil.TempFile(os.TempDir(), "temp")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer file.Close()
+
+	// Check we can only specify args in one of command or args.
+	command := fmt.Sprintf("%s --test", filepath.Base(file.Name()))
+	req = logical.TestRequest(t, logical.UpdateOperation, "plugins/catalog/database/test-plugin")
+	req.Data["args"] = []string{"--foo"}
+	req.Data["sha_256"] = hex.EncodeToString([]byte{'1'})
+	req.Data["command"] = command
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp.Error().Error() != "must not specify args in command and args field" {
+		t.Fatalf("err: %v", resp.Error())
+	}
+
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	delete(req.Data, "args")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil || resp.Error() != nil {
+		t.Fatalf("err: %v %v", err, resp.Error())
+	}
+
+	req = logical.TestRequest(t, logical.ReadOperation, "plugins/catalog/database/test-plugin")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	actual := resp.Data
+	expected := map[string]interface{}{
+		"name":    "test-plugin",
+		"command": filepath.Base(file.Name()),
+		"args":    []string{"--test"},
+		"sha256":  "31",
+		"builtin": false,
+		"version": "",
+	}
+	if !reflect.DeepEqual(actual, expected) {
+		t.Fatalf("expected did not match actual, got %#v\n expected %#v\n", actual, expected)
+	}
+
+	// Delete plugin
+	req = logical.TestRequest(t, logical.DeleteOperation, "plugins/catalog/database/test-plugin")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	req = logical.TestRequest(t, logical.ReadOperation, "plugins/catalog/database/test-plugin")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if resp != nil || err != nil {
+		t.Fatalf("expected nil response, plugin not deleted correctly got resp: %v, err: %v", resp, err)
+	}
+
+	// Add a versioned plugin, and check we get the version back in the right form when we read.
+	req = logical.TestRequest(t, logical.UpdateOperation, "plugins/catalog/database/test-plugin")
+	req.Data["version"] = "v0.1.0"
+	req.Data["sha_256"] = hex.EncodeToString([]byte{'1'})
+	req.Data["command"] = command
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil || resp.Error() != nil {
+		t.Fatalf("err: %v %v", err, resp.Error())
+	}
+
+	req = logical.TestRequest(t, logical.ReadOperation, "plugins/catalog/database/test-plugin")
+	req.Data["version"] = "v0.1.0"
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	actual = resp.Data
+	expected = map[string]interface{}{
+		"name":    "test-plugin",
+		"command": filepath.Base(file.Name()),
+		"args":    []string{"--test"},
+		"sha256":  "31",
+		"builtin": false,
+		"version": "v0.1.0",
+	}
+	if !reflect.DeepEqual(actual, expected) {
+		t.Fatalf("expected did not match actual, got %#v\n expected %#v\n", actual, expected)
+	}
+
+	// Delete versioned plugin
+	req = logical.TestRequest(t, logical.DeleteOperation, "plugins/catalog/database/test-plugin")
+	req.Data["version"] = "0.1.0"
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	req = logical.TestRequest(t, logical.ReadOperation, "plugins/catalog/database/test-plugin")
+	req.Data["version"] = "0.1.0"
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if resp != nil || err != nil {
+		t.Fatalf("expected nil response, plugin not deleted correctly got resp: %v, err: %v", resp, err)
+	}
+}
+
+// TestSystemBackend_PluginCatalog_ContainerCRUD tests that plugins registered
+// with oci_image set get recorded properly in the catalog.
+func TestSystemBackend_PluginCatalog_ContainerCRUD(t *testing.T) {
+	c, b, _ := testCoreSystemBackend(t)
+	// Bootstrap the pluginCatalog
+	sym, err := filepath.EvalSymlinks(os.TempDir())
+	if err != nil {
+		t.Fatalf("error: %v", err)
+	}
+	c.pluginCatalog.directory = sym
+
+	for name, tc := range map[string]struct {
+		in, expected map[string]any
+	}{
+		"minimal": {
+			in: map[string]any{
+				"oci_image": "foo-image",
+				"sha256":    hex.EncodeToString([]byte{'1'}),
+			},
+			expected: map[string]interface{}{
+				"name":      "test-plugin",
+				"oci_image": "foo-image",
+				"sha256":    "31",
+				"command":   "",
+				"args":      []string{},
+				"builtin":   false,
+				"version":   "",
+			},
+		},
+		"fully specified": {
+			in: map[string]any{
+				"oci_image": "foo-image",
+				"sha256":    hex.EncodeToString([]byte{'1'}),
+				"command":   "foo-command",
+				"args":      []string{"--a=1"},
+				"version":   "v1.0.0",
+				"env":       []string{"X=2"},
+			},
+			expected: map[string]interface{}{
+				"name":      "test-plugin",
+				"oci_image": "foo-image",
+				"sha256":    "31",
+				"command":   "foo-command",
+				"args":      []string{"--a=1"},
+				"builtin":   false,
+				"version":   "v1.0.0",
+			},
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			// Add a container plugin.
+			req := logical.TestRequest(t, logical.UpdateOperation, "plugins/catalog/database/test-plugin")
+			for k, v := range tc.in {
+				req.Data[k] = v
+			}
+
+			resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+
+			// We should get a nice error back from the API if we're not on linux, but
+			// that's all we can test on non-linux.
+			if runtime.GOOS != "linux" {
+				if err != nil || resp.Error() == nil {
+					t.Fatalf("err: %v %v", err, resp.Error())
+				}
+				return
+			}
+
+			if err != nil || resp.Error() != nil {
+				t.Fatalf("err: %v %v", err, resp.Error())
+			}
+
+			req = logical.TestRequest(t, logical.ReadOperation, "plugins/catalog/database/test-plugin")
+			if tc.in["version"] != nil {
+				req.Data["version"] = tc.in["version"]
+			}
+			resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+			if err != nil || resp == nil || resp.Error() != nil {
+				t.Fatalf("err: %v %v", err, resp)
+			}
+
+			actual := resp.Data
+			if !reflect.DeepEqual(actual, tc.expected) {
+				t.Fatalf("expected did not match actual\ngot      %#v\nexpected %#v\n", actual, tc.expected)
+			}
+		})
+	}
+}
+
+func TestSystemBackend_PluginCatalog_ListPlugins_SucceedsWithAuditLogEnabled(t *testing.T) {
+	core, b, root := testCoreSystemBackend(t)
+
+	tempDir := t.TempDir()
+	f, err := os.CreateTemp(tempDir, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Enable audit logging.
+	req := logical.TestRequest(t, logical.UpdateOperation, "audit/file")
+	req.Data = map[string]any{
+		"type": "file",
+		"options": map[string]any{
+			"file_path": f.Name(),
+		},
+	}
+	ctx := namespace.RootContext(nil)
+	resp, err := b.HandleRequest(ctx, req)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("resp: %#v, err: %v", resp, err)
+	}
+
+	// List plugins
+	req = logical.TestRequest(t, logical.ReadOperation, "sys/plugins/catalog")
+	req.ClientToken = root
+	resp, err = core.HandleRequest(ctx, req)
+	if err != nil || resp == nil || resp.IsError() {
+		t.Fatalf("resp: %#v, err: %v", resp, err)
+	}
+}
+
+func TestSystemBackend_PluginCatalog_CannotRegisterBuiltinPlugins(t *testing.T) {
+	c, b, _ := testCoreSystemBackend(t)
+	// Bootstrap the pluginCatalog
+	sym, err := filepath.EvalSymlinks(os.TempDir())
+	if err != nil {
+		t.Fatalf("error: %v", err)
+	}
+	c.pluginCatalog.directory = sym
+
+	// Set a plugin
+	req := logical.TestRequest(t, logical.UpdateOperation, "plugins/catalog/database/test-plugin")
+	req.Data["sha256"] = hex.EncodeToString([]byte{'1'})
+	req.Data["command"] = "foo"
+	req.Data["version"] = "v1.2.3+special.builtin"
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !strings.Contains(resp.Error().Error(), "reserved metadata") {
+		t.Fatalf("err: %v", resp.Error())
+	}
+}
+
+func TestSystemBackend_ToolsHash(t *testing.T) {
+	b := testSystemBackend(t)
+	req := logical.TestRequest(t, logical.UpdateOperation, "tools/hash")
+	req.Data = map[string]interface{}{
+		"input": "dGhlIHF1aWNrIGJyb3duIGZveA==",
+	}
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	doRequest := func(req *logical.Request, errExpected bool, expected string) {
+		t.Helper()
+		resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil && !errExpected {
+			t.Fatal(err)
+		}
+		if resp == nil {
+			t.Fatal("expected non-nil response")
+		}
+
+		if errExpected {
+			if !resp.IsError() {
+				t.Fatalf("bad: got error response: %#v", *resp)
+			}
+			return
+		} else {
+			schema.ValidateResponse(
+				t,
+				schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+				resp,
+				true,
+			)
+		}
+
+		if resp.IsError() {
+			t.Fatalf("bad: got error response: %#v", *resp)
+		}
+		sum, ok := resp.Data["sum"]
+		if !ok {
+			t.Fatal("no sum key found in returned data")
+		}
+		if sum.(string) != expected {
+			t.Fatalf("mismatched hashes: got: %s, expect: %s", sum.(string), expected)
+		}
+	}
+
+	// Test defaults -- sha2-256
+	doRequest(req, false, "9ecb36561341d18eb65484e833efea61edc74b84cf5e6ae1b81c63533e25fc8f")
+
+	// Test algorithm selection in the path
+	req.Path = "tools/hash/sha2-224"
+	doRequest(req, false, "ea074a96cabc5a61f8298a2c470f019074642631a49e1c5e2f560865")
+
+	// Reset and test algorithm selection in the data
+	req.Path = "tools/hash"
+	req.Data["algorithm"] = "sha2-224"
+	doRequest(req, false, "ea074a96cabc5a61f8298a2c470f019074642631a49e1c5e2f560865")
+
+	req.Data["algorithm"] = "sha2-384"
+	doRequest(req, false, "15af9ec8be783f25c583626e9491dbf129dd6dd620466fdf05b3a1d0bb8381d30f4d3ec29f923ff1e09a0f6b337365a6")
+
+	req.Data["algorithm"] = "sha2-512"
+	doRequest(req, false, "d9d380f29b97ad6a1d92e987d83fa5a02653301e1006dd2bcd51afa59a9147e9caedaf89521abc0f0b682adcd47fb512b8343c834a32f326fe9bef00542ce887")
+
+	// Test returning as base64
+	req.Data["format"] = "base64"
+	doRequest(req, false, "2dOA8puXrWodkumH2D+loCZTMB4QBt0rzVGvpZqRR+nK7a+JUhq8DwtoKtzUf7USuDQ8g0oy8yb+m+8AVCzohw==")
+
+	// Test SHA-3
+	req.Data["format"] = "hex"
+	req.Data["algorithm"] = "sha3-224"
+	doRequest(req, false, "ced91e69d89c837e87cff960bd64fd9b9f92325fb9add8988d33d007")
+
+	req.Data["algorithm"] = "sha3-256"
+	doRequest(req, false, "e4bd866ec3fa52df3b7842aa97b448bc859a7606cefcdad1715847f4b82a6c93")
+
+	req.Data["algorithm"] = "sha3-384"
+	doRequest(req, false, "715cd38cbf8d0bab426b6a084d649760be555dd64b34de6db148a3fbf2cd2aa5d8b03eb6eda73a3e9a8769c00b4c2113")
+
+	req.Data["algorithm"] = "sha3-512"
+	doRequest(req, false, "f7cac5ad830422a5408b36a60a60620687be180765a3e2895bc3bdbd857c9e08246c83064d4e3612f0cb927f3ead208413ab98624bf7b0617af0f03f62080976")
+
+	// Test bad input/format/algorithm
+	req.Data["format"] = "base92"
+	doRequest(req, true, "")
+
+	req.Data["format"] = "hex"
+	req.Data["algorithm"] = "foobar"
+	doRequest(req, true, "")
+
+	req.Data["algorithm"] = "sha2-256"
+	req.Data["input"] = "foobar"
+	doRequest(req, true, "")
+}
+
+func TestSystemBackend_ToolsRandom(t *testing.T) {
+	b := testSystemBackend(t)
+	req := logical.TestRequest(t, logical.UpdateOperation, "tools/random")
+
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	doRequest := func(req *logical.Request, errExpected bool, format string, numBytes int) {
+		t.Helper()
+		getResponse := func() []byte {
+			resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+			if err != nil && !errExpected {
+				t.Fatal(err)
+			}
+			if resp == nil {
+				t.Fatal("expected non-nil response")
+			}
+			if errExpected {
+				if !resp.IsError() {
+					t.Fatalf("bad: got error response: %#v", *resp)
+				}
+				return nil
+			} else {
+				schema.ValidateResponse(
+					t,
+					schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+					resp,
+					true,
+				)
+			}
+
+			if resp.IsError() {
+				t.Fatalf("bad: got error response: %#v", *resp)
+			}
+			if _, ok := resp.Data["random_bytes"]; !ok {
+				t.Fatal("no random_bytes found in response")
+			}
+
+			outputStr := resp.Data["random_bytes"].(string)
+			var outputBytes []byte
+			switch format {
+			case "base64":
+				outputBytes, err = base64.StdEncoding.DecodeString(outputStr)
+			case "hex":
+				outputBytes, err = hex.DecodeString(outputStr)
+			default:
+				t.Fatal("unknown format")
+			}
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			return outputBytes
+		}
+
+		rand1 := getResponse()
+		// Expected error
+		if rand1 == nil {
+			return
+		}
+		rand2 := getResponse()
+		if len(rand1) != numBytes || len(rand2) != numBytes {
+			t.Fatal("length of output random bytes not what is expected")
+		}
+		if reflect.DeepEqual(rand1, rand2) {
+			t.Fatal("found identical ouputs")
+		}
+	}
+
+	// Test defaults
+	doRequest(req, false, "base64", 32)
+
+	// Test size selection in the path
+	req.Path = "tools/random/24"
+	req.Data["format"] = "hex"
+	doRequest(req, false, "hex", 24)
+
+	// Test bad input/format
+	req.Path = "tools/random"
+	req.Data["format"] = "base92"
+	doRequest(req, true, "", 0)
+
+	req.Data["format"] = "hex"
+	req.Data["bytes"] = -1
+	doRequest(req, true, "", 0)
+
+	req.Data["format"] = "hex"
+	req.Data["bytes"] = maxBytes + 1
+	doRequest(req, true, "", 0)
+}
+
+func TestSystemBackend_InternalUIMounts(t *testing.T) {
+	_, b, rootToken := testCoreSystemBackend(t)
+	systemBackend := b.(*SystemBackend)
+
+	// Ensure no entries are in the endpoint as a starting point
+	req := logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts")
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, systemBackend.Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	exp := map[string]interface{}{
+		"secret": map[string]interface{}{},
+		"auth":   map[string]interface{}{},
+	}
+	if !reflect.DeepEqual(resp.Data, exp) {
+		t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
+	}
+
+	req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts")
+	req.ClientToken = rootToken
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, systemBackend.Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	exp = map[string]interface{}{
+		"secret": map[string]interface{}{
+			"secret/": map[string]interface{}{
+				"type":                    "kv",
+				"external_entropy_access": false,
+				"description":             "key/value secret storage",
+				"accessor":                resp.Data["secret"].(map[string]interface{})["secret/"].(map[string]interface{})["accessor"],
+				"uuid":                    resp.Data["secret"].(map[string]interface{})["secret/"].(map[string]interface{})["uuid"],
+				"config": map[string]interface{}{
+					"default_lease_ttl": resp.Data["secret"].(map[string]interface{})["secret/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
+					"max_lease_ttl":     resp.Data["secret"].(map[string]interface{})["secret/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
+					"force_no_cache":    false,
+				},
+				"local":     false,
+				"seal_wrap": false,
+				"options": map[string]string{
+					"version": "1",
+				},
+				"plugin_version":         "",
+				"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "kv"),
+				"running_sha256":         "",
+			},
+			"sys/": map[string]interface{}{
+				"type":                    "system",
+				"external_entropy_access": false,
+				"description":             "system endpoints used for control, policy and debugging",
+				"accessor":                resp.Data["secret"].(map[string]interface{})["sys/"].(map[string]interface{})["accessor"],
+				"uuid":                    resp.Data["secret"].(map[string]interface{})["sys/"].(map[string]interface{})["uuid"],
+				"config": map[string]interface{}{
+					"default_lease_ttl":           resp.Data["secret"].(map[string]interface{})["sys/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
+					"max_lease_ttl":               resp.Data["secret"].(map[string]interface{})["sys/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
+					"force_no_cache":              false,
+					"passthrough_request_headers": []string{"Accept"},
+				},
+				"local":                  false,
+				"seal_wrap":              true,
+				"options":                map[string]string(nil),
+				"plugin_version":         "",
+				"running_plugin_version": versions.DefaultBuiltinVersion,
+				"running_sha256":         "",
+			},
+			"cubbyhole/": map[string]interface{}{
+				"description":             "per-token private secret storage",
+				"type":                    "cubbyhole",
+				"external_entropy_access": false,
+				"accessor":                resp.Data["secret"].(map[string]interface{})["cubbyhole/"].(map[string]interface{})["accessor"],
+				"uuid":                    resp.Data["secret"].(map[string]interface{})["cubbyhole/"].(map[string]interface{})["uuid"],
+				"config": map[string]interface{}{
+					"default_lease_ttl": resp.Data["secret"].(map[string]interface{})["cubbyhole/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
+					"max_lease_ttl":     resp.Data["secret"].(map[string]interface{})["cubbyhole/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
+					"force_no_cache":    false,
+				},
+				"local":                  true,
+				"seal_wrap":              false,
+				"options":                map[string]string(nil),
+				"plugin_version":         "",
+				"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "cubbyhole"),
+				"running_sha256":         "",
+			},
+			"identity/": map[string]interface{}{
+				"description":             "identity store",
+				"type":                    "identity",
+				"external_entropy_access": false,
+				"accessor":                resp.Data["secret"].(map[string]interface{})["identity/"].(map[string]interface{})["accessor"],
+				"uuid":                    resp.Data["secret"].(map[string]interface{})["identity/"].(map[string]interface{})["uuid"],
+				"config": map[string]interface{}{
+					"default_lease_ttl":           resp.Data["secret"].(map[string]interface{})["identity/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
+					"max_lease_ttl":               resp.Data["secret"].(map[string]interface{})["identity/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
+					"force_no_cache":              false,
+					"passthrough_request_headers": []string{"Authorization"},
+				},
+				"local":                  false,
+				"seal_wrap":              false,
+				"options":                map[string]string(nil),
+				"plugin_version":         "",
+				"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "identity"),
+				"running_sha256":         "",
+			},
+		},
+		"auth": map[string]interface{}{
+			"token/": map[string]interface{}{
+				"options": map[string]string(nil),
+				"config": map[string]interface{}{
+					"default_lease_ttl": int64(0),
+					"max_lease_ttl":     int64(0),
+					"force_no_cache":    false,
+					"token_type":        "default-service",
+				},
+				"type":                    "token",
+				"external_entropy_access": false,
+				"description":             "token based credentials",
+				"accessor":                resp.Data["auth"].(map[string]interface{})["token/"].(map[string]interface{})["accessor"],
+				"uuid":                    resp.Data["auth"].(map[string]interface{})["token/"].(map[string]interface{})["uuid"],
+				"local":                   false,
+				"seal_wrap":               false,
+				"plugin_version":          "",
+				"running_plugin_version":  versions.GetBuiltinVersion(consts.PluginTypeCredential, "token"),
+				"running_sha256":          "",
+			},
+		},
+	}
+	if diff := deep.Equal(resp.Data, exp); diff != nil {
+		t.Fatal(diff)
+	}
+
+	// Mount-tune an auth mount
+	req = logical.TestRequest(t, logical.UpdateOperation, "auth/token/tune")
+	req.Data["listing_visibility"] = "unauth"
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if resp.IsError() || err != nil {
+		t.Fatalf("resp.Error: %v, err:%v", resp.Error(), err)
+	}
+
+	// Mount-tune a secret mount
+	req = logical.TestRequest(t, logical.UpdateOperation, "mounts/secret/tune")
+	req.Data["listing_visibility"] = "unauth"
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if resp.IsError() || err != nil {
+		t.Fatalf("resp.Error: %v, err:%v", resp.Error(), err)
+	}
+
+	// validate the response structure for mount update
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, systemBackend.Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	exp = map[string]interface{}{
+		"secret": map[string]interface{}{
+			"secret/": map[string]interface{}{
+				"type":        "kv",
+				"description": "key/value secret storage",
+				"options":     map[string]string{"version": "1"},
+			},
+		},
+		"auth": map[string]interface{}{
+			"token/": map[string]interface{}{
+				"type":        "token",
+				"description": "token based credentials",
+				"options":     map[string]string(nil),
+			},
+		},
+	}
+	if !reflect.DeepEqual(resp.Data, exp) {
+		t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
+	}
+}
+
+func TestSystemBackend_InternalUIMount(t *testing.T) {
+	core, b, rootToken := testCoreSystemBackend(t)
+	systemBackend := b.(*SystemBackend)
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "policy/secret")
+	req.ClientToken = rootToken
+	req.Data = map[string]interface{}{
+		"rules": `path "secret/foo/*" {
+    capabilities = ["create", "read", "update", "delete", "list"]
+}`,
+	}
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("Bad %#v %#v", err, resp)
+	}
+
+	req = logical.TestRequest(t, logical.UpdateOperation, "mounts/kv")
+	req.ClientToken = rootToken
+	req.Data = map[string]interface{}{
+		"type": "kv",
+	}
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("Bad %#v %#v", err, resp)
+	}
+
+	req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts/kv/bar")
+	req.ClientToken = rootToken
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("Bad %#v %#v", err, resp)
+	}
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, systemBackend.Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+	if resp.Data["type"] != "kv" {
+		t.Fatalf("Bad Response: %#v", resp)
+	}
+
+	testMakeServiceTokenViaBackend(t, core.tokenStore, rootToken, "tokenid", "", []string{"secret"})
+
+	req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts/kv")
+	req.ClientToken = "tokenid"
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != logical.ErrPermissionDenied {
+		t.Fatal("expected permission denied error")
+	}
+
+	req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts/secret")
+	req.ClientToken = "tokenid"
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("Bad %#v %#v", err, resp)
+	}
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, systemBackend.Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+	if resp.Data["type"] != "kv" {
+		t.Fatalf("Bad Response: %#v", resp)
+	}
+
+	req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts/sys")
+	req.ClientToken = "tokenid"
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("Bad %#v %#v", err, resp)
+	}
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, systemBackend.Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+	if resp.Data["type"] != "system" {
+		t.Fatalf("Bad Response: %#v", resp)
+	}
+
+	req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts/non-existent")
+	req.ClientToken = "tokenid"
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != logical.ErrPermissionDenied {
+		t.Fatal("expected permission denied error")
+	}
+}
+
+func TestSystemBackend_OpenAPI(t *testing.T) {
+	coreConfig := &CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"kv": LeasedPassthroughBackendFactory,
+		},
+	}
+	c, _, rootToken := TestCoreUnsealedWithConfig(t, coreConfig)
+	b := c.systemBackend
+
+	// Ensure no paths are reported if there is no token
+	{
+		req := logical.TestRequest(t, logical.ReadOperation, "internal/specs/openapi")
+		resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		body := resp.Data["http_raw_body"].([]byte)
+		var oapi map[string]interface{}
+		err = jsonutil.DecodeJSON(body, &oapi)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		exp := map[string]interface{}{
+			"openapi": framework.OASVersion,
+			"info": map[string]interface{}{
+				"title":       "HashiCorp Vault API",
+				"description": "HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`.",
+				"version":     version.GetVersion().Version,
+				"license": map[string]interface{}{
+					"name": "Mozilla Public License 2.0",
+					"url":  "https://www.mozilla.org/en-US/MPL/2.0",
+				},
+			},
+			"paths": map[string]interface{}{},
+			"components": map[string]interface{}{
+				"schemas": map[string]interface{}{},
+			},
+		}
+
+		if diff := deep.Equal(oapi, exp); diff != nil {
+			t.Fatal(diff)
+		}
+	}
+
+	// Check that default paths are present with a root token (with and without generic_mount_paths)
+	for _, genericMountPaths := range []bool{false, true} {
+		req := logical.TestRequest(t, logical.ReadOperation, "internal/specs/openapi")
+		if genericMountPaths {
+			req.Data["generic_mount_paths"] = true
+		}
+		req.ClientToken = rootToken
+		resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		body := resp.Data["http_raw_body"].([]byte)
+		var oapi map[string]interface{}
+		err = jsonutil.DecodeJSON(body, &oapi)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		doc, err := framework.NewOASDocumentFromMap(oapi)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		expectedSecretPrefix := "/secret/"
+		if genericMountPaths {
+			expectedSecretPrefix = "/{secret_mount_path}/"
+		}
+
+		pathSamples := []struct {
+			path        string
+			tag         string
+			unpublished bool
+		}{
+			{path: "/auth/token/lookup", tag: "auth"},
+			{path: "/cubbyhole/{path}", tag: "secrets"},
+			{path: "/identity/group/id/", tag: "identity"},
+			{path: expectedSecretPrefix + "^.*$", unpublished: true},
+			{path: "/sys/policy", tag: "system"},
+		}
+
+		for _, path := range pathSamples {
+			if doc.Paths[path.path] == nil {
+				t.Fatalf("didn't find expected path %q.", path.path)
+			}
+			getOperation := doc.Paths[path.path].Get
+			if getOperation == nil && !path.unpublished {
+				t.Fatalf("path: %s; expected a get operation, but it was absent", path.path)
+			}
+			if getOperation != nil && path.unpublished {
+				t.Fatalf("path: %s; expected absent get operation, but it was present", path.path)
+			}
+			if !path.unpublished {
+				tag := getOperation.Tags[0]
+				if tag != path.tag {
+					t.Fatalf("path: %s; expected tag: %s, actual: %s", path.path, tag, path.tag)
+				}
+			}
+		}
+
+		// Simple check of response size (which is much larger than most
+		// Vault responses), mainly to catch mass omission of expected path data.
+		const minLen = 70000
+		if len(body) < minLen {
+			t.Fatalf("response size too small; expected: min %d, actual: %d", minLen, len(body))
+		}
+	}
+
+	// Test path-help response
+	{
+		req := logical.TestRequest(t, logical.HelpOperation, "rotate")
+		req.ClientToken = rootToken
+		resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		doc := resp.Data["openapi"].(*framework.OASDocument)
+		if len(doc.Paths) != 1 {
+			t.Fatalf("expected 1 path, actual: %d", len(doc.Paths))
+		}
+
+		if doc.Paths["/rotate"] == nil {
+			t.Fatalf("expected to find path '/rotate'")
+		}
+	}
+}
+
+func TestSystemBackend_PathWildcardPreflight(t *testing.T) {
+	core, b, _ := testCoreSystemBackend(t)
+
+	ctx := namespace.RootContext(nil)
+
+	// Add another mount
+	me := &MountEntry{
+		Table:   mountTableType,
+		Path:    sanitizePath("kv-v1"),
+		Type:    "kv",
+		Options: map[string]string{"version": "1"},
+	}
+	if err := core.mount(ctx, me); err != nil {
+		t.Fatal(err)
+	}
+
+	// Create the policy, designed to fail
+	rules := `path "foo" { capabilities = ["read"] }`
+	req := logical.TestRequest(t, logical.UpdateOperation, "policy/foo")
+	req.Data["rules"] = rules
+	resp, err := b.HandleRequest(ctx, req)
+	if err != nil {
+		t.Fatalf("err: %v %#v", err, resp)
+	}
+	if resp != nil && (resp.IsError() || len(resp.Data) > 0) {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	if err := core.identityStore.upsertEntity(ctx, &identity.Entity{
+		ID:        "abcd",
+		Name:      "abcd",
+		BucketKey: "abcd",
+	}, nil, false); err != nil {
+		t.Fatal(err)
+	}
+
+	te := &logical.TokenEntry{
+		TTL:         300 * time.Second,
+		EntityID:    "abcd",
+		Policies:    []string{"default", "foo"},
+		NamespaceID: namespace.RootNamespaceID,
+	}
+	if err := core.tokenStore.create(ctx, te); err != nil {
+		t.Fatal(err)
+	}
+	t.Logf("token id: %s", te.ID)
+
+	if err := core.expiration.RegisterAuth(ctx, te, &logical.Auth{
+		LeaseOptions: logical.LeaseOptions{
+			TTL: te.TTL,
+		},
+		ClientToken: te.ID,
+		Accessor:    te.Accessor,
+		Orphan:      true,
+	}, ""); err != nil {
+		t.Fatal(err)
+	}
+
+	// Check the mount access func
+	req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts/kv-v1/baz")
+	req.ClientToken = te.ID
+	resp, err = b.HandleRequest(ctx, req)
+	if err == nil || !strings.Contains(err.Error(), "permission denied") {
+		t.Fatalf("expected 403, got err: %v", err)
+	}
+
+	// Modify policy to pass
+	rules = `path "kv-v1/+" { capabilities = ["read"] }`
+	req = logical.TestRequest(t, logical.UpdateOperation, "policy/foo")
+	req.Data["rules"] = rules
+	resp, err = b.HandleRequest(ctx, req)
+	if err != nil {
+		t.Fatalf("err: %v %#v", err, resp)
+	}
+	if resp != nil && (resp.IsError() || len(resp.Data) > 0) {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Check the mount access func again
+	req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts/kv-v1/baz")
+	req.ClientToken = te.ID
+	resp, err = b.HandleRequest(ctx, req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+}
+
+func TestHandlePoliciesPasswordSet(t *testing.T) {
+	type testCase struct {
+		inputData *framework.FieldData
+
+		storage *logical.InmemStorage
+
+		expectedResp  *logical.Response
+		expectErr     bool
+		expectedStore map[string]*logical.StorageEntry
+	}
+
+	tests := map[string]testCase{
+		"missing policy name": {
+			inputData: passwordPoliciesFieldData(map[string]interface{}{
+				"policy": `length = 20
+							rule "charset" {
+								charset="abcdefghij"
+							}`,
+			}),
+
+			storage: new(logical.InmemStorage),
+
+			expectedResp:  nil,
+			expectErr:     true,
+			expectedStore: map[string]*logical.StorageEntry{},
+		},
+		"missing policy": {
+			inputData: passwordPoliciesFieldData(map[string]interface{}{
+				"name": "testpolicy",
+			}),
+
+			storage: new(logical.InmemStorage),
+
+			expectedResp:  nil,
+			expectErr:     true,
+			expectedStore: map[string]*logical.StorageEntry{},
+		},
+		"garbage policy": {
+			inputData: passwordPoliciesFieldData(map[string]interface{}{
+				"name":   "testpolicy",
+				"policy": "hasdukfhiuashdfoiasjdf",
+			}),
+
+			storage: new(logical.InmemStorage),
+
+			expectedResp:  nil,
+			expectErr:     true,
+			expectedStore: map[string]*logical.StorageEntry{},
+		},
+		"storage failure": {
+			inputData: passwordPoliciesFieldData(map[string]interface{}{
+				"name": "testpolicy",
+				"policy": "length = 20\n" +
+					"rule \"charset\" {\n" +
+					"	charset=\"abcdefghij\"\n" +
+					"}",
+			}),
+
+			storage: new(logical.InmemStorage).FailPut(true),
+
+			expectedResp:  nil,
+			expectErr:     true,
+			expectedStore: map[string]*logical.StorageEntry{},
+		},
+		"impossible policy": {
+			inputData: passwordPoliciesFieldData(map[string]interface{}{
+				"name": "testpolicy",
+				"policy": "length = 20\n" +
+					"rule \"charset\" {\n" +
+					"	charset=\"a\"\n" +
+					"	min-chars = 30\n" +
+					"}",
+			}),
+
+			storage: new(logical.InmemStorage),
+
+			expectedResp:  nil,
+			expectErr:     true,
+			expectedStore: map[string]*logical.StorageEntry{},
+		},
+		"not base64 encoded": {
+			inputData: passwordPoliciesFieldData(map[string]interface{}{
+				"name": "testpolicy",
+				"policy": "length = 20\n" +
+					"rule \"charset\" {\n" +
+					"	charset=\"abcdefghij\"\n" +
+					"}",
+			}),
+
+			storage: new(logical.InmemStorage),
+
+			expectedResp: &logical.Response{
+				Data: map[string]interface{}{
+					logical.HTTPContentType: "application/json",
+					logical.HTTPStatusCode:  http.StatusNoContent,
+				},
+			},
+			expectErr: false,
+			expectedStore: makeStorageMap(storageEntry(t, "testpolicy", "length = 20\n"+
+				"rule \"charset\" {\n"+
+				"	charset=\"abcdefghij\"\n"+
+				"}")),
+		},
+		"base64 encoded": {
+			inputData: passwordPoliciesFieldData(map[string]interface{}{
+				"name": "testpolicy",
+				"policy": base64Encode(
+					"length = 20\n" +
+						"rule \"charset\" {\n" +
+						"	charset=\"abcdefghij\"\n" +
+						"}"),
+			}),
+
+			storage: new(logical.InmemStorage),
+
+			expectedResp: &logical.Response{
+				Data: map[string]interface{}{
+					logical.HTTPContentType: "application/json",
+					logical.HTTPStatusCode:  http.StatusNoContent,
+				},
+			},
+			expectErr: false,
+			expectedStore: makeStorageMap(storageEntry(t, "testpolicy",
+				"length = 20\n"+
+					"rule \"charset\" {\n"+
+					"	charset=\"abcdefghij\"\n"+
+					"}")),
+		},
+	}
+
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
+			defer cancel()
+
+			req := &logical.Request{
+				Storage: test.storage,
+			}
+
+			b := &SystemBackend{}
+
+			actualResp, err := b.handlePoliciesPasswordSet(ctx, req, test.inputData)
+			if test.expectErr && err == nil {
+				t.Fatalf("err expected, got nil")
+			}
+			if !test.expectErr && err != nil {
+				t.Fatalf("no error expected, got: %s", err)
+			}
+			if !reflect.DeepEqual(actualResp, test.expectedResp) {
+				t.Fatalf("Actual response: %#v\nExpected response: %#v", actualResp, test.expectedResp)
+			}
+
+			actualStore := LogicalToMap(t, ctx, test.storage)
+			if !reflect.DeepEqual(actualStore, test.expectedStore) {
+				t.Fatalf("Actual: %#v\nActual: %#v", dereferenceMap(actualStore), dereferenceMap(test.expectedStore))
+			}
+		})
+	}
+}
+
+func TestHandlePoliciesPasswordGet(t *testing.T) {
+	type testCase struct {
+		inputData *framework.FieldData
+
+		storage *logical.InmemStorage
+
+		expectedResp  *logical.Response
+		expectErr     bool
+		expectedStore map[string]*logical.StorageEntry
+	}
+
+	tests := map[string]testCase{
+		"missing policy name": {
+			inputData: passwordPoliciesFieldData(map[string]interface{}{}),
+
+			storage: new(logical.InmemStorage),
+
+			expectedResp:  nil,
+			expectErr:     true,
+			expectedStore: map[string]*logical.StorageEntry{},
+		},
+		"storage error": {
+			inputData: passwordPoliciesFieldData(map[string]interface{}{
+				"name": "testpolicy",
+			}),
+
+			storage: new(logical.InmemStorage).FailGet(true),
+
+			expectedResp:  nil,
+			expectErr:     true,
+			expectedStore: map[string]*logical.StorageEntry{},
+		},
+		"missing value": {
+			inputData: passwordPoliciesFieldData(map[string]interface{}{
+				"name": "testpolicy",
+			}),
+
+			storage: new(logical.InmemStorage),
+
+			expectedResp:  nil,
+			expectErr:     true,
+			expectedStore: map[string]*logical.StorageEntry{},
+		},
+		"good value": {
+			inputData: passwordPoliciesFieldData(map[string]interface{}{
+				"name": "testpolicy",
+			}),
+
+			storage: makeStorage(t, storageEntry(t, "testpolicy",
+				"length = 20\n"+
+					"rule \"charset\" {\n"+
+					"	charset=\"abcdefghij\"\n"+
+					"}")),
+
+			expectedResp: &logical.Response{
+				Data: map[string]interface{}{
+					"policy": "length = 20\n" +
+						"rule \"charset\" {\n" +
+						"	charset=\"abcdefghij\"\n" +
+						"}",
+				},
+			},
+			expectErr: false,
+			expectedStore: makeStorageMap(storageEntry(t, "testpolicy",
+				"length = 20\n"+
+					"rule \"charset\" {\n"+
+					"	charset=\"abcdefghij\"\n"+
+					"}")),
+		},
+	}
+
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			ctx, cancel := context.WithTimeout(context.Background(), 10*time.Millisecond)
+			defer cancel()
+
+			req := &logical.Request{
+				Storage: test.storage,
+			}
+
+			b := &SystemBackend{}
+
+			actualResp, err := b.handlePoliciesPasswordGet(ctx, req, test.inputData)
+			if test.expectErr && err == nil {
+				t.Fatalf("err expected, got nil")
+			}
+			if !test.expectErr && err != nil {
+				t.Fatalf("no error expected, got: %s", err)
+			}
+			if !reflect.DeepEqual(actualResp, test.expectedResp) {
+				t.Fatalf("Actual response: %#v\nExpected response: %#v", actualResp, test.expectedResp)
+			}
+
+			actualStore := LogicalToMap(t, ctx, test.storage)
+			if !reflect.DeepEqual(actualStore, test.expectedStore) {
+				t.Fatalf("Actual: %#v\nActual: %#v", dereferenceMap(actualStore), dereferenceMap(test.expectedStore))
+			}
+		})
+	}
+}
+
+func TestHandlePoliciesPasswordDelete(t *testing.T) {
+	type testCase struct {
+		inputData *framework.FieldData
+
+		storage logical.Storage
+
+		expectedResp  *logical.Response
+		expectErr     bool
+		expectedStore map[string]*logical.StorageEntry
+	}
+
+	tests := map[string]testCase{
+		"missing policy name": {
+			inputData: passwordPoliciesFieldData(map[string]interface{}{}),
+
+			storage: new(logical.InmemStorage),
+
+			expectedResp:  nil,
+			expectErr:     true,
+			expectedStore: map[string]*logical.StorageEntry{},
+		},
+		"storage failure": {
+			inputData: passwordPoliciesFieldData(map[string]interface{}{
+				"name": "testpolicy",
+			}),
+
+			storage: new(logical.InmemStorage).FailDelete(true),
+
+			expectedResp:  nil,
+			expectErr:     true,
+			expectedStore: map[string]*logical.StorageEntry{},
+		},
+		"successful delete": {
+			inputData: passwordPoliciesFieldData(map[string]interface{}{
+				"name": "testpolicy",
+			}),
+
+			storage: makeStorage(t,
+				&logical.StorageEntry{
+					Key: getPasswordPolicyKey("testpolicy"),
+					Value: toJson(t,
+						passwordPolicyConfig{
+							HCLPolicy: "length = 18\n" +
+								"rule \"charset\" {\n" +
+								"	charset=\"ABCDEFGHIJ\"\n" +
+								"}",
+						}),
+				},
+				&logical.StorageEntry{
+					Key: getPasswordPolicyKey("unrelated_policy"),
+					Value: toJson(t,
+						passwordPolicyConfig{
+							HCLPolicy: "length = 20\n" +
+								"rule \"charset\" {\n" +
+								"	charset=\"abcdefghij\"\n" +
+								"}",
+						}),
+				},
+			),
+
+			expectedResp: nil,
+			expectErr:    false,
+			expectedStore: makeStorageMap(storageEntry(t, "unrelated_policy",
+				"length = 20\n"+
+					"rule \"charset\" {\n"+
+					"	charset=\"abcdefghij\"\n"+
+					"}")),
+		},
+	}
+
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			ctx, cancel := context.WithTimeout(context.Background(), 10*time.Millisecond)
+			defer cancel()
+
+			req := &logical.Request{
+				Storage: test.storage,
+			}
+
+			b := &SystemBackend{}
+
+			actualResp, err := b.handlePoliciesPasswordDelete(ctx, req, test.inputData)
+			if test.expectErr && err == nil {
+				t.Fatalf("err expected, got nil")
+			}
+			if !test.expectErr && err != nil {
+				t.Fatalf("no error expected, got: %s", err)
+			}
+			if !reflect.DeepEqual(actualResp, test.expectedResp) {
+				t.Fatalf("Actual response: %#v\nExpected response: %#v", actualResp, test.expectedResp)
+			}
+
+			actualStore := LogicalToMap(t, ctx, test.storage)
+			if !reflect.DeepEqual(actualStore, test.expectedStore) {
+				t.Fatalf("Actual: %#v\nExpected: %#v", dereferenceMap(actualStore), dereferenceMap(test.expectedStore))
+			}
+		})
+	}
+}
+
+func TestHandlePoliciesPasswordList(t *testing.T) {
+	type testCase struct {
+		storage logical.Storage
+
+		expectErr    bool
+		expectedResp *logical.Response
+	}
+
+	tests := map[string]testCase{
+		"no policies": {
+			storage: new(logical.InmemStorage),
+
+			expectedResp: &logical.Response{
+				Data: map[string]interface{}{},
+			},
+		},
+		"one policy": {
+			storage: makeStorage(t,
+				&logical.StorageEntry{
+					Key: getPasswordPolicyKey("testpolicy"),
+					Value: toJson(t,
+						passwordPolicyConfig{
+							HCLPolicy: "length = 18\n" +
+								"rule \"charset\" {\n" +
+								"	charset=\"ABCDEFGHIJ\"\n" +
+								"}",
+						}),
+				},
+			),
+
+			expectedResp: &logical.Response{
+				Data: map[string]interface{}{
+					"keys": []string{"testpolicy"},
+				},
+			},
+		},
+		"two policies": {
+			storage: makeStorage(t,
+				&logical.StorageEntry{
+					Key: getPasswordPolicyKey("testpolicy"),
+					Value: toJson(t,
+						passwordPolicyConfig{
+							HCLPolicy: "length = 18\n" +
+								"rule \"charset\" {\n" +
+								"	charset=\"ABCDEFGHIJ\"\n" +
+								"}",
+						}),
+				},
+				&logical.StorageEntry{
+					Key: getPasswordPolicyKey("unrelated_policy"),
+					Value: toJson(t,
+						passwordPolicyConfig{
+							HCLPolicy: "length = 20\n" +
+								"rule \"charset\" {\n" +
+								"	charset=\"abcdefghij\"\n" +
+								"}",
+						}),
+				},
+			),
+
+			expectedResp: &logical.Response{
+				Data: map[string]interface{}{
+					"keys": []string{
+						"testpolicy",
+						"unrelated_policy",
+					},
+				},
+			},
+		},
+		"policy with /": {
+			storage: makeStorage(t,
+				&logical.StorageEntry{
+					Key: getPasswordPolicyKey("testpolicy/testpolicy1"),
+					Value: toJson(t,
+						passwordPolicyConfig{
+							HCLPolicy: "length = 18\n" +
+								"rule \"charset\" {\n" +
+								"	charset=\"ABCDEFGHIJ\"\n" +
+								"}",
+						}),
+				},
+			),
+
+			expectedResp: &logical.Response{
+				Data: map[string]interface{}{
+					"keys": []string{"testpolicy/testpolicy1"},
+				},
+			},
+		},
+		"list path/to/policy": {
+			storage: makeStorage(t,
+				&logical.StorageEntry{
+					Key: getPasswordPolicyKey("path/to/policy"),
+					Value: toJson(t,
+						passwordPolicyConfig{
+							HCLPolicy: "length = 18\n" +
+								"rule \"charset\" {\n" +
+								"	charset=\"ABCDEFGHIJ\"\n" +
+								"}",
+						}),
+				},
+			),
+
+			expectedResp: &logical.Response{
+				Data: map[string]interface{}{
+					"keys": []string{"path/to/policy"},
+				},
+			},
+		},
+		"policy ending with /": {
+			storage: makeStorage(t,
+				&logical.StorageEntry{
+					Key: getPasswordPolicyKey("path/to/policy/"),
+					Value: toJson(t,
+						passwordPolicyConfig{
+							HCLPolicy: "length = 18\n" +
+								"rule \"charset\" {\n" +
+								"	charset=\"ABCDEFGHIJ\"\n" +
+								"}",
+						}),
+				},
+			),
+
+			expectedResp: &logical.Response{
+				Data: map[string]interface{}{
+					"keys": []string{"path/to/policy/"},
+				},
+			},
+		},
+		"storage failure": {
+			storage: new(logical.InmemStorage).FailList(true),
+
+			expectErr: true,
+		},
+	}
+
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			ctx, cancel := context.WithTimeout(context.Background(), 10*time.Millisecond)
+			defer cancel()
+
+			req := &logical.Request{
+				Storage: test.storage,
+			}
+
+			b := &SystemBackend{}
+
+			actualResp, err := b.handlePoliciesPasswordList(ctx, req, nil)
+			if test.expectErr && err == nil {
+				t.Fatalf("err expected, got nil")
+			}
+			if !test.expectErr && err != nil {
+				t.Fatalf("no error expected, got: %s", err)
+			}
+			if !reflect.DeepEqual(actualResp, test.expectedResp) {
+				t.Fatalf("Actual response: %#v\nExpected response: %#v", actualResp, test.expectedResp)
+			}
+		})
+	}
+}
+
+func TestHandlePoliciesPasswordGenerate(t *testing.T) {
+	t.Run("errors", func(t *testing.T) {
+		type testCase struct {
+			timeout   time.Duration
+			inputData *framework.FieldData
+
+			storage *logical.InmemStorage
+
+			expectedResp *logical.Response
+			expectErr    bool
+		}
+
+		tests := map[string]testCase{
+			"missing policy name": {
+				inputData: passwordPoliciesFieldData(map[string]interface{}{}),
+
+				storage: new(logical.InmemStorage),
+
+				expectedResp: nil,
+				expectErr:    true,
+			},
+			"storage failure": {
+				inputData: passwordPoliciesFieldData(map[string]interface{}{
+					"name": "testpolicy",
+				}),
+
+				storage: new(logical.InmemStorage).FailGet(true),
+
+				expectedResp: nil,
+				expectErr:    true,
+			},
+			"policy does not exist": {
+				inputData: passwordPoliciesFieldData(map[string]interface{}{
+					"name": "testpolicy",
+				}),
+
+				storage: new(logical.InmemStorage),
+
+				expectedResp: nil,
+				expectErr:    true,
+			},
+			"policy improperly saved": {
+				inputData: passwordPoliciesFieldData(map[string]interface{}{
+					"name": "testpolicy",
+				}),
+
+				storage: makeStorage(t, storageEntry(t, "testpolicy", "badpolicy")),
+
+				expectedResp: nil,
+				expectErr:    true,
+			},
+			"failed to generate": {
+				timeout: 0 * time.Second, // Timeout immediately
+				inputData: passwordPoliciesFieldData(map[string]interface{}{
+					"name": "testpolicy",
+				}),
+
+				storage: makeStorage(t, storageEntry(t, "testpolicy",
+					"length = 20\n"+
+						"rule \"charset\" {\n"+
+						"	charset=\"abcdefghij\"\n"+
+						"}")),
+
+				expectedResp: nil,
+				expectErr:    true,
+			},
+		}
+
+		for name, test := range tests {
+			t.Run(name, func(t *testing.T) {
+				ctx, cancel := context.WithTimeout(context.Background(), test.timeout)
+				defer cancel()
+
+				req := &logical.Request{
+					Storage: test.storage,
+				}
+
+				b := &SystemBackend{}
+
+				actualResp, err := b.handlePoliciesPasswordGenerate(ctx, req, test.inputData)
+				if test.expectErr && err == nil {
+					t.Fatalf("err expected, got nil")
+				}
+				if !test.expectErr && err != nil {
+					t.Fatalf("no error expected, got: %s", err)
+				}
+				if !reflect.DeepEqual(actualResp, test.expectedResp) {
+					t.Fatalf("Actual response: %#v\nExpected response: %#v", actualResp, test.expectedResp)
+				}
+			})
+		}
+	})
+
+	t.Run("success", func(t *testing.T) {
+		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+
+		policyEntry := storageEntry(t, "testpolicy",
+			"length = 20\n"+
+				"rule \"charset\" {\n"+
+				"	charset=\"abcdefghij\"\n"+
+				"}")
+		storage := makeStorage(t, policyEntry)
+
+		inputData := passwordPoliciesFieldData(map[string]interface{}{
+			"name": "testpolicy",
+		})
+
+		expectedResp := &logical.Response{
+			Data: map[string]interface{}{
+				// Doesn't include the password as that's pulled out and compared separately
+			},
+		}
+
+		// Password assertions
+		expectedPassLen := 20
+		rules := []random.Rule{
+			random.CharsetRule{
+				Charset:  []rune("abcdefghij"),
+				MinChars: expectedPassLen,
+			},
+		}
+
+		// Run the test a bunch of times to help ensure we don't have flaky behavior
+		for i := 0; i < 1000; i++ {
+			req := &logical.Request{
+				Storage: storage,
+			}
+
+			b := &SystemBackend{}
+
+			actualResp, err := b.handlePoliciesPasswordGenerate(ctx, req, inputData)
+			if err != nil {
+				t.Fatalf("no error expected, got: %s", err)
+			}
+
+			assertTrue(t, actualResp != nil, "response is nil")
+			assertTrue(t, actualResp.Data != nil, "expected data, got nil")
+			assertHasKey(t, actualResp.Data, "password", "password key not found in data")
+			assertIsString(t, actualResp.Data["password"], "password key should have a string value")
+			password := actualResp.Data["password"].(string)
+
+			// Delete the password so the rest of the response can be compared
+			delete(actualResp.Data, "password")
+			assertTrue(t, reflect.DeepEqual(actualResp, expectedResp), "Actual response: %#v\nExpected response: %#v", actualResp, expectedResp)
+
+			// Check to make sure the password is correctly formatted
+			passwordLength := len([]rune(password))
+			if passwordLength != expectedPassLen {
+				t.Fatalf("password is %d characters but should be %d", passwordLength, expectedPassLen)
+			}
+
+			for _, rule := range rules {
+				if !rule.Pass([]rune(password)) {
+					t.Fatalf("password %s does not have the correct characters", password)
+				}
+			}
+		}
+	})
+}
+
+func assertTrue(t *testing.T, pass bool, f string, vals ...interface{}) {
+	t.Helper()
+	if !pass {
+		t.Fatalf(f, vals...)
+	}
+}
+
+func assertHasKey(t *testing.T, m map[string]interface{}, key string, f string, vals ...interface{}) {
+	t.Helper()
+	_, exists := m[key]
+	if !exists {
+		t.Fatalf(f, vals...)
+	}
+}
+
+func assertIsString(t *testing.T, val interface{}, f string, vals ...interface{}) {
+	t.Helper()
+	_, ok := val.(string)
+	if !ok {
+		t.Fatalf(f, vals...)
+	}
+}
+
+func passwordPoliciesFieldData(raw map[string]interface{}) *framework.FieldData {
+	return &framework.FieldData{
+		Raw: raw,
+		Schema: map[string]*framework.FieldSchema{
+			"name": {
+				Type:        framework.TypeString,
+				Description: "The name of the password policy.",
+			},
+			"policy": {
+				Type:        framework.TypeString,
+				Description: "The password policy",
+			},
+		},
+	}
+}
+
+func base64Encode(data string) string {
+	return base64.StdEncoding.EncodeToString([]byte(data))
+}
+
+func toJson(t *testing.T, val interface{}) []byte {
+	t.Helper()
+
+	b, err := jsonutil.EncodeJSON(val)
+	if err != nil {
+		t.Fatalf("Unable to marshal to JSON: %s", err)
+	}
+	return b
+}
+
+func storageEntry(t *testing.T, key string, policy string) *logical.StorageEntry {
+	return &logical.StorageEntry{
+		Key: getPasswordPolicyKey(key),
+		Value: toJson(t, passwordPolicyConfig{
+			HCLPolicy: policy,
+		}),
+	}
+}
+
+func makeStorageMap(entries ...*logical.StorageEntry) map[string]*logical.StorageEntry {
+	m := map[string]*logical.StorageEntry{}
+	for _, entry := range entries {
+		m[entry.Key] = entry
+	}
+	return m
+}
+
+func dereferenceMap(store map[string]*logical.StorageEntry) map[string]interface{} {
+	m := map[string]interface{}{}
+
+	for k, v := range store {
+		m[k] = map[string]string{
+			"Key":   v.Key,
+			"Value": string(v.Value),
+		}
+	}
+	return m
+}
+
+type walkFunc func(*logical.StorageEntry) error
+
+// WalkLogicalStorage applies the provided walkFunc against each entry in the logical storage.
+// This operates as a breadth first search.
+// TODO: Figure out a place for this to live permanently. This is generic and should be in a helper package somewhere.
+// At the time of writing, none of these locations work due to import cycles:
+// - vault/helper/testhelpers
+// - vault/helper/testhelpers/logical
+// - vault/helper/testhelpers/teststorage
+func WalkLogicalStorage(ctx context.Context, store logical.Storage, walker walkFunc) (err error) {
+	if store == nil {
+		return fmt.Errorf("no storage provided")
+	}
+	if walker == nil {
+		return fmt.Errorf("no walk function provided")
+	}
+
+	keys, err := store.List(ctx, "")
+	if err != nil {
+		return fmt.Errorf("unable to list root keys: %w", err)
+	}
+
+	// Non-recursive breadth-first search through all keys
+	for i := 0; i < len(keys); i++ {
+		key := keys[i]
+
+		entry, err := store.Get(ctx, key)
+		if err != nil {
+			return fmt.Errorf("unable to retrieve key at [%s]: %w", key, err)
+		}
+		if entry != nil {
+			err = walker(entry)
+			if err != nil {
+				return err
+			}
+		}
+
+		if strings.HasSuffix(key, "/") {
+			// Directory
+			subkeys, err := store.List(ctx, key)
+			if err != nil {
+				return fmt.Errorf("unable to list keys at [%s]: %w", key, err)
+			}
+
+			// Append the sub-keys to the keys slice so it searches into the sub-directory
+			for _, subkey := range subkeys {
+				// Avoids infinite loop if the subkey is empty which then repeats indefinitely
+				if subkey == "" {
+					continue
+				}
+				subkey = fmt.Sprintf("%s%s", key, subkey)
+				keys = append(keys, subkey)
+			}
+		}
+	}
+	return nil
+}
+
+// LogicalToMap retrieves all entries in the store and returns them as a map of key -> StorageEntry
+func LogicalToMap(t *testing.T, ctx context.Context, store logical.Storage) (data map[string]*logical.StorageEntry) {
+	data = map[string]*logical.StorageEntry{}
+	f := func(entry *logical.StorageEntry) error {
+		data[entry.Key] = entry
+		return nil
+	}
+
+	err := WalkLogicalStorage(ctx, store, f)
+	if err != nil {
+		t.Fatalf("Unable to walk the storage: %s", err)
+	}
+	return data
+}
+
+// Ensure the WalkLogicalStorage function works
+func TestWalkLogicalStorage(t *testing.T) {
+	type testCase struct {
+		entries []*logical.StorageEntry
+	}
+
+	tests := map[string]testCase{
+		"no entries": {
+			entries: []*logical.StorageEntry{},
+		},
+		"one entry": {
+			entries: []*logical.StorageEntry{
+				{
+					Key: "root",
+				},
+			},
+		},
+		"many entries": {
+			entries: []*logical.StorageEntry{
+				// Alphabetical, breadth-first
+				{Key: "bar"},
+				{Key: "foo"},
+				{Key: "bar/sub-bar1"},
+				{Key: "bar/sub-bar2"},
+				{Key: "foo/sub-foo1"},
+				{Key: "foo/sub-foo2"},
+				{Key: "foo/sub-foo3"},
+				{Key: "bar/sub-bar1/sub-sub-bar1"},
+				{Key: "bar/sub-bar1/sub-sub-bar2"},
+				{Key: "bar/sub-bar2/sub-sub-bar1"},
+				{Key: "foo/sub-foo1/sub-sub-foo1"},
+				{Key: "foo/sub-foo2/sub-sub-foo1"},
+				{Key: "foo/sub-foo3/sub-sub-foo1"},
+				{Key: "foo/sub-foo3/sub-sub-foo2"},
+			},
+		},
+		"sub key without root key": {
+			entries: []*logical.StorageEntry{
+				{Key: "foo/bar/baz"},
+			},
+		},
+		"key with trailing slash": {
+			entries: []*logical.StorageEntry{
+				{Key: "foo/"},
+			},
+		},
+		"double slash": {
+			entries: []*logical.StorageEntry{
+				{Key: "foo//"},
+				{Key: "foo//bar"},
+			},
+		},
+	}
+
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+			defer cancel()
+
+			store := makeStorage(t, test.entries...)
+
+			actualEntries := []*logical.StorageEntry{}
+			f := func(entry *logical.StorageEntry) error {
+				actualEntries = append(actualEntries, entry)
+				return nil
+			}
+
+			err := WalkLogicalStorage(ctx, store, f)
+			if err != nil {
+				t.Fatalf("Failed to walk storage: %s", err)
+			}
+
+			if !reflect.DeepEqual(actualEntries, test.entries) {
+				t.Fatalf("Actual: %#v\nExpected: %#v", actualEntries, test.entries)
+			}
+		})
+	}
+}
+
+func makeStorage(t *testing.T, entries ...*logical.StorageEntry) *logical.InmemStorage {
+	t.Helper()
+
+	ctx := context.Background()
+
+	store := new(logical.InmemStorage)
+
+	for _, entry := range entries {
+		err := store.Put(ctx, entry)
+		if err != nil {
+			t.Fatalf("Unable to load test storage: %s", err)
+		}
+	}
+
+	return store
+}
+
+func leaseLimitFieldData(limit string) *framework.FieldData {
+	raw := make(map[string]interface{})
+	raw["limit"] = limit
+	return &framework.FieldData{
+		Raw: raw,
+		Schema: map[string]*framework.FieldSchema{
+			"limit": {
+				Type:        framework.TypeString,
+				Default:     "",
+				Description: "limit return results",
+			},
+		},
+	}
+}
+
+func TestProcessLimit(t *testing.T) {
+	testCases := []struct {
+		d               *framework.FieldData
+		expectReturnAll bool
+		expectLimit     int
+		expectErr       bool
+	}{
+		{
+			d:               leaseLimitFieldData("500"),
+			expectReturnAll: false,
+			expectLimit:     500,
+			expectErr:       false,
+		},
+		{
+			d:               leaseLimitFieldData(""),
+			expectReturnAll: false,
+			expectLimit:     MaxIrrevocableLeasesToReturn,
+			expectErr:       false,
+		},
+		{
+			d:               leaseLimitFieldData("none"),
+			expectReturnAll: true,
+			expectLimit:     10000,
+			expectErr:       false,
+		},
+		{
+			d:               leaseLimitFieldData("NoNe"),
+			expectReturnAll: true,
+			expectLimit:     10000,
+			expectErr:       false,
+		},
+		{
+			d:               leaseLimitFieldData("hello_world"),
+			expectReturnAll: false,
+			expectLimit:     0,
+			expectErr:       true,
+		},
+		{
+			d:               leaseLimitFieldData("0"),
+			expectReturnAll: false,
+			expectLimit:     0,
+			expectErr:       true,
+		},
+		{
+			d:               leaseLimitFieldData("-1"),
+			expectReturnAll: false,
+			expectLimit:     0,
+			expectErr:       true,
+		},
+	}
+
+	for i, tc := range testCases {
+		returnAll, limit, err := processLimit(tc.d)
+
+		if returnAll != tc.expectReturnAll {
+			t.Errorf("bad return all for test case %d. expected %t, got %t", i, tc.expectReturnAll, returnAll)
+		}
+		if limit != tc.expectLimit {
+			t.Errorf("bad limit for test case %d. expected %d, got %d", i, tc.expectLimit, limit)
+		}
+
+		haveErr := err != nil
+		if haveErr != tc.expectErr {
+			t.Errorf("bad error status for test case %d. expected error: %t, got error: %t", i, tc.expectErr, haveErr)
+			if err != nil {
+				t.Errorf("error was: %v", err)
+			}
+		}
+	}
+}
+
+func TestSystemBackend_Loggers(t *testing.T) {
+	testCases := []struct {
+		level         string
+		expectedLevel string
+		expectError   bool
+	}{
+		{
+			"trace",
+			"trace",
+			false,
+		},
+		{
+			"debug",
+			"debug",
+			false,
+		},
+		{
+			"notice",
+			"info",
+			false,
+		},
+		{
+			"info",
+			"info",
+			false,
+		},
+		{
+			"warn",
+			"warn",
+			false,
+		},
+		{
+			"warning",
+			"warn",
+			false,
+		},
+		{
+			"err",
+			"error",
+			false,
+		},
+		{
+			"error",
+			"error",
+			false,
+		},
+		{
+			"",
+			"info",
+			true,
+		},
+		{
+			"invalid",
+			"",
+			true,
 		},
 	}
+
+	for _, tc := range testCases {
+		tc := tc
+
+		t.Run(fmt.Sprintf("all-loggers-%s", tc.level), func(t *testing.T) {
+			t.Parallel()
+
+			core, b, _ := testCoreSystemBackend(t)
+			// Test core overrides logging level outside of config,
+			// an initial delete will ensure that we an initial read
+			// to get expected values is based off of config and not
+			// the test override that is hidden from this test
+			req := &logical.Request{
+				Path:      "loggers",
+				Operation: logical.DeleteOperation,
+			}
+
+			resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+			if err != nil || (resp != nil && resp.IsError()) {
+				t.Fatalf("unexpected error, err: %v, resp: %#v", err, resp)
+			}
+
+			schema.ValidateResponse(
+				t,
+				schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+				resp,
+				true,
+			)
+
+			req = &logical.Request{
+				Path:      "loggers",
+				Operation: logical.ReadOperation,
+			}
+
+			resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+			if err != nil || (resp != nil && resp.IsError()) {
+				t.Fatalf("unexpected error, err: %v, resp: %#v", err, resp)
+			}
+
+			schema.ValidateResponse(
+				t,
+				schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+				resp,
+				true,
+			)
+
+			initialLoggers := resp.Data
+
+			req = &logical.Request{
+				Path:      "loggers",
+				Operation: logical.UpdateOperation,
+				Data: map[string]interface{}{
+					"level": tc.level,
+				},
+			}
+
+			resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+			respIsError := resp != nil && resp.IsError()
+
+			schema.ValidateResponse(
+				t,
+				schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+				resp,
+				true,
+			)
+
+			if err != nil || (!tc.expectError && respIsError) {
+				t.Fatalf("unexpected error, err: %v, resp: %#v", err, resp)
+			}
+
+			if tc.expectError && !respIsError {
+				t.Fatalf("expected response error, resp: %#v", resp)
+			}
+
+			if !tc.expectError {
+				req = &logical.Request{
+					Path:      "loggers",
+					Operation: logical.ReadOperation,
+				}
+
+				resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+				if err != nil || (resp != nil && resp.IsError()) {
+					t.Fatalf("unexpected error, err: %v, resp: %#v", err, resp)
+				}
+
+				schema.ValidateResponse(
+					t,
+					schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+					resp,
+					true,
+				)
+
+				for _, logger := range core.allLoggers {
+					loggerName := logger.Name()
+					levelRaw, ok := resp.Data[loggerName]
+
+					if !ok {
+						t.Errorf("logger %q not found in response", loggerName)
+					}
+
+					if levelStr := levelRaw.(string); levelStr != tc.expectedLevel {
+						t.Errorf("unexpected level of logger %q, expected: %s, actual: %s", loggerName, tc.expectedLevel, levelStr)
+					}
+				}
+			}
+
+			req = &logical.Request{
+				Path:      "loggers",
+				Operation: logical.DeleteOperation,
+			}
+
+			resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+			if err != nil || (resp != nil && resp.IsError()) {
+				t.Fatalf("unexpected error, err: %v, resp: %#v", err, resp)
+			}
+
+			schema.ValidateResponse(
+				t,
+				schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+				resp,
+				true,
+			)
+
+			req = &logical.Request{
+				Path:      "loggers",
+				Operation: logical.ReadOperation,
+			}
+
+			resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+			if err != nil || (resp != nil && resp.IsError()) {
+				t.Fatalf("unexpected error, err: %v, resp: %#v", err, resp)
+			}
+
+			schema.ValidateResponse(
+				t,
+				schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+				resp,
+				true,
+			)
+
+			for _, logger := range core.allLoggers {
+				loggerName := logger.Name()
+				levelRaw, currentOk := resp.Data[loggerName]
+				initialLevelRaw, initialOk := initialLoggers[loggerName]
+
+				if !currentOk || !initialOk {
+					t.Errorf("logger %q not found", loggerName)
+				}
+
+				levelStr := levelRaw.(string)
+				initialLevelStr := initialLevelRaw.(string)
+				if levelStr != initialLevelStr {
+					t.Errorf("expected level of logger %q to match original config, expected: %s, actual: %s", loggerName, initialLevelStr, levelStr)
+				}
+			}
+		})
+	}
 }
 
-func TestTokenCapabilitiesCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
+func TestSystemBackend_LoggersByName(t *testing.T) {
+	testCases := []struct {
+		logger            string
+		level             string
+		expectedLevel     string
+		expectWriteError  bool
+		expectDeleteError bool
 	}{
 		{
-			"too_many_args",
-			[]string{"foo", "bar", "zip"},
-			"Too many arguments",
-			1,
+			"core",
+			"trace",
+			"trace",
+			false,
+			false,
+		},
+		{
+			"token",
+			"debug",
+			"debug",
+			false,
+			false,
+		},
+		{
+			"audit",
+			"notice",
+			"info",
+			false,
+			false,
+		},
+		{
+			"expiration",
+			"info",
+			"info",
+			false,
+			false,
+		},
+		{
+			"policy",
+			"warn",
+			"warn",
+			false,
+			false,
+		},
+		{
+			"activity",
+			"warning",
+			"warn",
+			false,
+			false,
+		},
+		{
+			"identity",
+			"err",
+			"error",
+			false,
+			false,
+		},
+		{
+			"rollback",
+			"error",
+			"error",
+			false,
+			false,
+		},
+		{
+			"system",
+			"",
+			"does-not-matter",
+			true,
+			false,
+		},
+		{
+			"quotas",
+			"invalid",
+			"does-not-matter",
+			true,
+			false,
+		},
+		{
+			"",
+			"info",
+			"does-not-matter",
+			true,
+			true,
+		},
+		{
+			"does_not_exist",
+			"error",
+			"does-not-matter",
+			true,
+			true,
 		},
 	}
 
-	for _, tc := range cases {
+	for _, tc := range testCases {
 		tc := tc
 
-		t.Run(tc.name, func(t *testing.T) {
+		t.Run(fmt.Sprintf("loggers-by-name-%s", tc.logger), func(t *testing.T) {
 			t.Parallel()
 
-			client, closer := testVaultServer(t)
-			defer closer()
+			core, _, _ := TestCoreUnsealedWithConfig(t, &CoreConfig{
+				Logger: logging.NewVaultLogger(hclog.Trace),
+			})
+			b := core.systemBackend
+
+			// Test core overrides logging level outside of config,
+			// an initial delete will ensure that we an initial read
+			// to get expected values is based off of config and not
+			// the test override that is hidden from this test
+			req := &logical.Request{
+				Path:      "loggers",
+				Operation: logical.DeleteOperation,
+			}
+
+			resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+			if err != nil || (resp != nil && resp.IsError()) {
+				t.Fatalf("unexpected error, err: %v, resp: %#v", err, resp)
+			}
+
+			req = &logical.Request{
+				Path:      "loggers",
+				Operation: logical.ReadOperation,
+			}
+
+			resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+			if err != nil || (resp != nil && resp.IsError()) {
+				t.Fatalf("unexpected error, err: %v, resp: %#v", err, resp)
+			}
+
+			initialLoggers := resp.Data
+
+			req = &logical.Request{
+				Path:      fmt.Sprintf("loggers/%s", tc.logger),
+				Operation: logical.UpdateOperation,
+				Data: map[string]interface{}{
+					"level": tc.level,
+				},
+			}
+
+			resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+			respIsError := resp != nil && resp.IsError()
+
+			if err != nil || (!tc.expectWriteError && respIsError) {
+				t.Fatalf("unexpected error, err: %v, resp: %#v", err, resp)
+			}
+
+			if tc.expectWriteError && !respIsError {
+				t.Fatalf("expected response error, resp: %#v", resp)
+			}
+
+			if !tc.expectWriteError {
+				req = &logical.Request{
+					Path:      "loggers",
+					Operation: logical.ReadOperation,
+				}
+
+				resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+				if err != nil || (resp != nil && resp.IsError()) {
+					t.Fatalf("unexpected error, err: %v, resp: %#v", err, resp)
+				}
+
+				for _, logger := range core.allLoggers {
+					loggerName := logger.Name()
+					levelRaw, currentOk := resp.Data[loggerName]
+					initialLevelRaw, initialOk := initialLoggers[loggerName]
+
+					if !currentOk || !initialOk {
+						t.Errorf("logger %q not found", loggerName)
+					}
+
+					levelStr := levelRaw.(string)
+					initialLevelStr := initialLevelRaw.(string)
+
+					if loggerName == tc.logger && levelStr != tc.expectedLevel {
+						t.Fatalf("expected logger %q to be %q, actual: %s", loggerName, tc.expectedLevel, levelStr)
+					}
 
-			ui, cmd := testTokenCapabilitiesCommand(t)
-			cmd.client = client
+					if loggerName != tc.logger && levelStr != initialLevelStr {
+						t.Errorf("expected level of logger %q to be unchanged, exepcted: %s, actual: %s", loggerName, initialLevelStr, levelStr)
+					}
+				}
+			}
+
+			req = &logical.Request{
+				Path:      fmt.Sprintf("loggers/%s", tc.logger),
+				Operation: logical.DeleteOperation,
+			}
+
+			resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+			respIsError = resp != nil && resp.IsError()
 
-			code := cmd.Run(tc.args)
-			if code != tc.code {
-				t.Errorf("expected %d to be %d", code, tc.code)
+			if err != nil || (!tc.expectDeleteError && respIsError) {
+				t.Fatalf("unexpected error, err: %v, resp: %#v", err, resp)
 			}
 
-			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-			if !strings.Contains(combined, tc.out) {
-				t.Errorf("expected %q to contain %q", combined, tc.out)
+			if tc.expectDeleteError && !respIsError {
+				t.Fatalf("expected response error, resp: %#v", resp)
+			}
+
+			if !tc.expectDeleteError {
+				req = &logical.Request{
+					Path:      fmt.Sprintf("loggers/%s", tc.logger),
+					Operation: logical.ReadOperation,
+				}
+
+				resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+				if err != nil || (resp != nil && resp.IsError()) {
+					t.Fatalf("unexpected error, err: %v, resp: %#v", err, resp)
+				}
+
+				currentLevel, ok := resp.Data[tc.logger].(string)
+				if !ok {
+					t.Fatalf("expected resp to include %q, resp: %#v", tc.logger, resp)
+				}
+
+				initialLevel, ok := initialLoggers[tc.logger].(string)
+				if !ok {
+					t.Fatalf("expected initial loggers to include %q, resp: %#v", tc.logger, initialLoggers)
+				}
+
+				if currentLevel != initialLevel {
+					t.Errorf("expected level of logger %q to match original config, expected: %s, actual: %s", tc.logger, initialLevel, currentLevel)
+				}
 			}
 		})
 	}
+}
 
-	t.Run("token", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
+func TestSortVersionedPlugins(t *testing.T) {
+	versionedPlugin := func(typ consts.PluginType, name string, version string, builtin bool) pluginutil.VersionedPlugin {
+		return pluginutil.VersionedPlugin{
+			Type:    typ.String(),
+			Name:    name,
+			Version: version,
+			SHA256:  "",
+			Builtin: builtin,
+			SemanticVersion: func() *semver.Version {
+				if version != "" {
+					return semver.Must(semver.NewVersion(version))
+				}
 
-		policy := `path "secret/foo" { capabilities = ["read"] }`
-		if err := client.Sys().PutPolicy("policy", policy); err != nil {
-			t.Error(err)
+				return semver.Must(semver.NewVersion("0.0.0"))
+			}(),
 		}
+	}
+
+	differingTypes := []pluginutil.VersionedPlugin{
+		versionedPlugin(consts.PluginTypeSecrets, "c", "1.0.0", false),
+		versionedPlugin(consts.PluginTypeDatabase, "c", "1.0.0", false),
+		versionedPlugin(consts.PluginTypeCredential, "c", "1.0.0", false),
+	}
+	differingNames := []pluginutil.VersionedPlugin{
+		versionedPlugin(consts.PluginTypeCredential, "c", "1.0.0", false),
+		versionedPlugin(consts.PluginTypeCredential, "b", "1.0.0", false),
+		versionedPlugin(consts.PluginTypeCredential, "a", "1.0.0", false),
+	}
+	differingVersions := []pluginutil.VersionedPlugin{
+		versionedPlugin(consts.PluginTypeCredential, "c", "10.0.0", false),
+		versionedPlugin(consts.PluginTypeCredential, "c", "2.0.1", false),
+		versionedPlugin(consts.PluginTypeCredential, "c", "2.1.0", false),
+	}
+	versionedUnversionedAndBuiltin := []pluginutil.VersionedPlugin{
+		versionedPlugin(consts.PluginTypeCredential, "c", "1.0.0", false),
+		versionedPlugin(consts.PluginTypeCredential, "c", "", false),
+		versionedPlugin(consts.PluginTypeCredential, "c", "1.0.0", true),
+	}
 
-		secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
-			Policies: []string{"policy"},
-			TTL:      "30m",
+	for name, tc := range map[string][]pluginutil.VersionedPlugin{
+		"ascending types":    differingTypes,
+		"ascending names":    differingNames,
+		"ascending versions": differingVersions,
+		// Include differing versions twice so we can test out equality too.
+		"differing types, names and versions": append(differingTypes,
+			append(differingNames,
+				append(differingVersions, differingVersions...)...)...),
+		"mix of unversioned, versioned, and builtin": versionedUnversionedAndBuiltin,
+	} {
+		t.Run(name, func(t *testing.T) {
+			sortVersionedPlugins(tc)
+			for i := 1; i < len(tc); i++ {
+				previous := tc[i-1]
+				current := tc[i]
+				if current.Type > previous.Type {
+					continue
+				}
+				if current.Name > previous.Name {
+					continue
+				}
+				if current.SemanticVersion.GreaterThan(previous.SemanticVersion) {
+					continue
+				}
+				if current.Type == previous.Type && current.Name == previous.Name && current.SemanticVersion.Equal(previous.SemanticVersion) {
+					continue
+				}
+
+				t.Fatalf("versioned plugins at index %d and %d were not properly sorted: %+v, %+v", i-1, i, previous, current)
+			}
 		})
-		if err != nil {
-			t.Fatal(err)
-		}
-		if secret == nil || secret.Auth == nil || secret.Auth.ClientToken == "" {
-			t.Fatalf("missing auth data: %#v", secret)
-		}
-		token := secret.Auth.ClientToken
+	}
+}
 
-		ui, cmd := testTokenCapabilitiesCommand(t)
-		cmd.client = client
+func TestValidateVersion(t *testing.T) {
+	b := testSystemBackend(t).(*SystemBackend)
+	k8sAuthBuiltin := versions.GetBuiltinVersion(consts.PluginTypeCredential, "kubernetes")
 
-		code := cmd.Run([]string{
-			token, "secret/foo",
+	for name, tc := range map[string]struct {
+		pluginName         string
+		pluginVersion      string
+		pluginType         consts.PluginType
+		expectLogicalError string
+		expectedVersion    string
+	}{
+		"default, nothing in nothing out":   {"kubernetes", "", consts.PluginTypeCredential, "", ""},
+		"builtin specified, empty out":      {"kubernetes", k8sAuthBuiltin, consts.PluginTypeCredential, "", ""},
+		"not canonical is ok":               {"kubernetes", "1.0.0", consts.PluginTypeCredential, "", "v1.0.0"},
+		"not a semantic version, error":     {"kubernetes", "not-a-version", consts.PluginTypeCredential, "not a valid semantic version", ""},
+		"can't select non-builtin token":    {"token", "v1.0.0", consts.PluginTypeCredential, "cannot select non-builtin version", ""},
+		"can't select non-builtin identity": {"identity", "v1.0.0", consts.PluginTypeSecrets, "cannot select non-builtin version", ""},
+	} {
+		t.Run(name, func(t *testing.T) {
+			version, resp, err := b.validateVersion(context.Background(), tc.pluginVersion, tc.pluginName, tc.pluginType)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if tc.expectLogicalError != "" {
+				if resp == nil || !resp.IsError() || resp.Error() == nil {
+					t.Errorf("expected logical error but got none, resp: %#v", resp)
+				}
+				if !strings.Contains(resp.Error().Error(), tc.expectLogicalError) {
+					t.Errorf("expected logical error to contain %q, but got: %s", tc.expectLogicalError, resp.Error())
+				}
+			} else if version != tc.expectedVersion {
+				t.Errorf("expected version %q but got %q", tc.expectedVersion, version)
+			}
 		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
+	}
+}
 
-		expected := "read"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
+func TestValidateVersion_HelpfulErrorWhenBuiltinOverridden(t *testing.T) {
+	core, _, _ := TestCoreUnsealed(t)
+	tempDir, err := filepath.EvalSymlinks(t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	core.pluginCatalog.directory = tempDir
+	b := core.systemBackend
+
+	// Shadow a builtin and test getting a helpful error back.
+	file, err := ioutil.TempFile(tempDir, "temp")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer file.Close()
+
+	command := filepath.Base(file.Name())
+	err = core.pluginCatalog.Set(context.Background(), pluginutil.SetPluginInput{
+		Name:    "kubernetes",
+		Type:    consts.PluginTypeCredential,
+		Version: "",
+		Command: command,
+		Args:    nil,
+		Env:     nil,
+		Sha256:  nil,
 	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// When we validate the version now, we should get a special error message
+	// about why the builtin isn't there.
+	k8sAuthBuiltin := versions.GetBuiltinVersion(consts.PluginTypeCredential, "kubernetes")
+	_, resp, err := b.validateVersion(context.Background(), k8sAuthBuiltin, "kubernetes", consts.PluginTypeCredential)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil || !resp.IsError() || resp.Error() == nil {
+		t.Errorf("expected logical error but got none, resp: %#v", resp)
+	}
+	if !strings.Contains(resp.Error().Error(), "overridden by an unversioned plugin of the same name") {
+		t.Errorf("expected logical error to contain overridden message, but got: %s", resp.Error())
+	}
+}
 
-	t.Run("local", func(t *testing.T) {
-		t.Parallel()
+func TestCanUnseal_WithNonExistentBuiltinPluginVersion_InMountStorage(t *testing.T) {
+	core, keys, _ := TestCoreUnsealed(t)
+	ctx := namespace.RootContext(nil)
+	testCases := []struct {
+		pluginName string
+		pluginType consts.PluginType
+		mountTable string
+	}{
+		{"consul", consts.PluginTypeSecrets, "mounts"},
+		{"approle", consts.PluginTypeCredential, "auth"},
+	}
+	readMountConfig := func(pluginName, mountTable string) map[string]interface{} {
+		t.Helper()
+		req := logical.TestRequest(t, logical.ReadOperation, mountTable+"/"+pluginName)
+		resp, err := core.systemBackend.HandleRequest(ctx, req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
 
-		client, closer := testVaultServer(t)
-		defer closer()
+		return resp.Data
+	}
 
-		policy := `path "secret/foo" { capabilities = ["read"] }`
-		if err := client.Sys().PutPolicy("policy", policy); err != nil {
-			t.Error(err)
+	for _, tc := range testCases {
+		req := logical.TestRequest(t, logical.UpdateOperation, tc.mountTable+"/"+tc.pluginName)
+		req.Data["type"] = tc.pluginName
+		req.Data["config"] = map[string]interface{}{
+			"default_lease_ttl": "35m",
+			"max_lease_ttl":     "45m",
+			"plugin_version":    versions.GetBuiltinVersion(tc.pluginType, tc.pluginName),
 		}
 
-		secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
-			Policies: []string{"policy"},
-			TTL:      "30m",
-		})
+		resp, err := core.systemBackend.HandleRequest(ctx, req)
 		if err != nil {
-			t.Fatal(err)
+			t.Fatalf("err: %v, resp: %#v", err, resp)
 		}
-		if secret == nil || secret.Auth == nil || secret.Auth.ClientToken == "" {
-			t.Fatalf("missing auth data: %#v", secret)
+		if resp != nil {
+			t.Fatalf("bad: %v", resp)
 		}
-		token := secret.Auth.ClientToken
 
-		client.SetToken(token)
+		config := readMountConfig(tc.pluginName, tc.mountTable)
+		pluginVersion, ok := config["plugin_version"]
+		if !ok || pluginVersion != "" {
+			t.Fatalf("expected empty plugin version in config: %#v", config)
+		}
 
-		ui, cmd := testTokenCapabilitiesCommand(t)
-		cmd.client = client
+		// Directly store plugin version in mount entry, so we can then simulate
+		// an upgrade from 1.12.1 to 1.12.2 by sealing and unsealing.
+		const nonExistentBuiltinVersion = "v1.0.0+builtin"
+		var mountEntry *MountEntry
+		if tc.mountTable == "mounts" {
+			mountEntry, err = core.mounts.find(ctx, tc.pluginName+"/")
+		} else {
+			mountEntry, err = core.auth.find(ctx, tc.pluginName+"/")
+		}
+		if err != nil {
+			t.Fatal(err)
+		}
+		if mountEntry == nil {
+			t.Fatal()
+		}
+		mountEntry.Version = nonExistentBuiltinVersion
+		err = core.persistMounts(ctx, core.mounts, &mountEntry.Local)
+		if err != nil {
+			t.Fatal(err)
+		}
 
-		code := cmd.Run([]string{
-			"secret/foo",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
+		config = readMountConfig(tc.pluginName, tc.mountTable)
+		pluginVersion, ok = config["plugin_version"]
+		if !ok || pluginVersion != nonExistentBuiltinVersion {
+			t.Fatalf("expected plugin version %s but was %s, config: %#v", nonExistentBuiltinVersion, pluginVersion, config)
 		}
+	}
 
-		expected := "read"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
+	err := TestCoreSeal(core)
+	if err != nil {
+		t.Fatal(err)
+	}
+	for _, key := range keys {
+		if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil {
+			t.Fatalf("unseal err: %s", err)
 		}
-	})
+	}
 
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
+	for _, tc := range testCases {
+		// Storage should have been upgraded during the unseal, so plugin version
+		// should be empty again.
+		config := readMountConfig(tc.pluginName, tc.mountTable)
+		pluginVersion, ok := config["plugin_version"]
+		if !ok || pluginVersion != "" {
+			t.Errorf("expected empty plugin version in config: %#v", config)
+		}
+	}
+}
 
-		client, closer := testVaultServerBad(t)
-		defer closer()
+func TestSystemBackend_ReadExperiments(t *testing.T) {
+	c, _, _ := TestCoreUnsealed(t)
 
-		ui, cmd := testTokenCapabilitiesCommand(t)
-		cmd.client = client
+	for name, tc := range map[string][]string{
+		"no experiments enabled": {},
+		"one experiment enabled": {experiments.VaultExperimentEventsAlpha1},
+	} {
+		t.Run(name, func(t *testing.T) {
+			// Set the enabled experiments.
+			c.experiments = tc
 
-		code := cmd.Run([]string{
-			"foo", "bar",
+			req := logical.TestRequest(t, logical.ReadOperation, "experiments")
+			resp, err := c.systemBackend.HandleRequest(namespace.RootContext(nil), req)
+			if err != nil {
+				t.Fatalf("err: %v", err)
+			}
+			if resp == nil {
+				t.Fatal("Expected a response")
+			}
+			if !reflect.DeepEqual(experiments.ValidExperiments(), resp.Data["available"]) {
+				t.Fatalf("Expected %v but got %v", experiments.ValidExperiments(), resp.Data["available"])
+			}
+			if !reflect.DeepEqual(tc, resp.Data["enabled"]) {
+				t.Fatal("No experiments should be enabled by default")
+			}
 		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
+	}
+}
+
+func TestSystemBackend_pluginRuntimeCRUD(t *testing.T) {
+	b := testSystemBackend(t)
+
+	conf := pluginruntimeutil.PluginRuntimeConfig{
+		Name:         "foo",
+		Type:         consts.PluginRuntimeTypeContainer,
+		OCIRuntime:   "some-oci-runtime",
+		CgroupParent: "/cpulimit/",
+		CPU:          1,
+		Memory:       10000,
+		Rootless:     true,
+	}
+
+	// Register the plugin runtime
+	req := logical.TestRequest(t, logical.UpdateOperation, fmt.Sprintf("plugins/runtimes/catalog/%s/%s", conf.Type.String(), conf.Name))
+	req.Data = map[string]interface{}{
+		"oci_runtime":   conf.OCIRuntime,
+		"cgroup_parent": conf.CgroupParent,
+		"cpu_nanos":     conf.CPU,
+		"memory_bytes":  conf.Memory,
+		"rootless":      conf.Rootless,
+	}
+
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v %#v", err, resp)
+	}
+	if resp != nil && (resp.IsError() || len(resp.Data) > 0) {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// validate the response structure for plugin container runtime named foo
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	// Read the plugin runtime
+	req = logical.TestRequest(t, logical.ReadOperation, "plugins/runtimes/catalog/container/foo")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// validate the response structure for plugin container runtime named foo
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	readExp := map[string]any{
+		"type":          conf.Type.String(),
+		"name":          conf.Name,
+		"oci_runtime":   conf.OCIRuntime,
+		"cgroup_parent": conf.CgroupParent,
+		"cpu_nanos":     conf.CPU,
+		"memory_bytes":  conf.Memory,
+		"rootless":      conf.Rootless,
+	}
+	if !reflect.DeepEqual(resp.Data, readExp) {
+		t.Fatalf("got: %#v expect: %#v", resp.Data, readExp)
+	}
+
+	// List the plugin runtimes (untyped or all)
+	for _, op := range []logical.Operation{logical.ListOperation, logical.ReadOperation} {
+		req = logical.TestRequest(t, op, "plugins/runtimes/catalog")
+		resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
 		}
 
-		expected := "Error listing capabilities: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
+		listExp := map[string]interface{}{
+			"runtimes": []map[string]any{readExp},
 		}
-	})
+		if !reflect.DeepEqual(resp.Data, listExp) {
+			t.Fatalf("got: %#v expect: %#v", resp.Data, listExp)
+		}
+	}
+
+	// List the plugin runtimes of container type
+	for _, op := range []logical.Operation{logical.ListOperation, logical.ReadOperation} {
+		req = logical.TestRequest(t, op, "plugins/runtimes/catalog")
+		req.Data["type"] = "container"
+		resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		listExp := map[string]interface{}{
+			"runtimes": []map[string]any{readExp},
+		}
+		if !reflect.DeepEqual(resp.Data, listExp) {
+			t.Fatalf("got: %#v expect: %#v", resp.Data, listExp)
+		}
+	}
+
+	// Delete the plugin runtime
+	req = logical.TestRequest(t, logical.DeleteOperation, "plugins/runtimes/catalog/container/foo")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// validate the response structure for plugin container runtime named foo
+	schema.ValidateResponse(
+		t,
+		schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation),
+		resp,
+		true,
+	)
+
+	// Read the plugin runtime (deleted)
+	req = logical.TestRequest(t, logical.ReadOperation, "plugins/runtimes/catalog/container/foo")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatal("expected a 404")
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// List the plugin runtimes (untyped or all)
+	req = logical.TestRequest(t, logical.ListOperation, "plugins/runtimes/catalog")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	listExp := map[string]interface{}{}
+	if !reflect.DeepEqual(resp.Data, listExp) {
+		t.Fatalf("got: %#v expect: %#v", resp.Data, listExp)
+	}
+
+	// List the plugin runtimes of container type
+	req = logical.TestRequest(t, logical.ListOperation, "plugins/runtimes/catalog")
+	req.Data["type"] = "container"
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	if !reflect.DeepEqual(resp.Data, listExp) {
+		t.Fatalf("got: %#v expect: %#v", resp.Data, listExp)
+	}
+}
+
+func TestGetSealBackendStatus(t *testing.T) {
+	testCases := []struct {
+		name          string
+		sealOpts      seal.TestSealOpts
+		expectHealthy bool
+	}{
+		{
+			name: "healthy-autoseal",
+			sealOpts: seal.TestSealOpts{
+				StoredKeys:   seal.StoredKeysSupportedGeneric,
+				Name:         "autoseal-test",
+				WrapperCount: 1,
+				Generation:   1,
+			},
+			expectHealthy: true,
+		},
+		{
+			name: "unhealthy-autoseal",
+			sealOpts: seal.TestSealOpts{
+				StoredKeys:   seal.StoredKeysSupportedGeneric,
+				Name:         "autoseal-test",
+				WrapperCount: 1,
+				Generation:   1,
+			},
+			expectHealthy: false,
+		},
+	}
+
+	ctx := context.Background()
+
+	for _, tt := range testCases {
+		t.Run(tt.name, func(t *testing.T) {
+			testAccess, wrappers := seal.NewTestSeal(&tt.sealOpts)
+
+			c := TestCoreWithSeal(t, NewAutoSeal(testAccess), false)
+			_, keys, _ := TestCoreInitClusterWrapperSetup(t, c, nil)
+			for _, key := range keys {
+				_, err := TestCoreUnseal(c, key)
+				require.NoError(t, err)
+			}
+
+			if c.Sealed() {
+				t.Fatal("vault is sealed")
+			}
+
+			if !tt.expectHealthy {
+				// set encryption error and perform encryption to mark seal unhealthy
+				wrappers[0].SetEncryptError(errors.New("test error encrypting"))
+
+				_, errs := c.seal.GetAccess().Encrypt(context.Background(), []byte("test-plaintext"))
+				if len(errs) == 0 {
+					t.Fatalf("expected error on encryption, but got none")
+				}
+			}
 
-	t.Run("multiple_paths", func(t *testing.T) {
-		t.Parallel()
+			resp, err := c.GetSealBackendStatus(ctx)
+			require.NoError(t, err)
+
+			if resp.Healthy && !tt.expectHealthy {
+				t.Fatal("expected seal to be unhealthy, but status was healthy")
+			} else if !resp.Healthy && tt.expectHealthy {
+				t.Fatal("expected seal to be healthy, but status was unhealthy")
+			}
+
+			if !tt.expectHealthy && resp.UnhealthySince == "" {
+				t.Fatal("missing UnhealthySince field in response with unhealthy seal")
+			}
 
-		client, closer := testVaultServer(t)
-		defer closer()
+			if len(resp.Backends) == 0 {
+				t.Fatal("Backend list in response was empty")
+			}
 
-		_, cmd := testTokenCapabilitiesCommand(t)
-		cmd.client = client
+			if !tt.expectHealthy && resp.Backends[0].Healthy {
+				t.Fatal("expected seal to be unhealthy, received healthy status")
+			} else if tt.expectHealthy && !resp.Backends[0].Healthy {
+				t.Fatal("expected seal to be healthy, received unhealthy status")
+			}
 
-		code := cmd.Run([]string{
-			"secret/foo,secret/bar",
+			if !tt.expectHealthy && resp.Backends[0].UnhealthySince == "" {
+				t.Fatal("missing UnhealthySince field in unhealthy seal")
+			}
 		})
-		if exp := 1; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-	})
+	}
+
+	a, err := seal.NewAccess(nil,
+		&seal.SealGenerationInfo{
+			Generation: 1,
+			Seals:      []*configutil.KMS{{Type: wrapping.WrapperTypeShamir.String()}},
+		},
+		[]*seal.SealWrapper{
+			{
+				Wrapper:        aeadwrapper.NewShamirWrapper(),
+				SealConfigType: wrapping.WrapperTypeShamir.String(),
+				Priority:       1,
+				Configured:     true,
+			},
+		},
+	)
+	require.NoError(t, err)
+	shamirSeal := NewDefaultSeal(a)
 
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
+	c := TestCoreWithSeal(t, shamirSeal, false)
+	keys, _, _ := TestCoreInitClusterWrapperSetup(t, c, nil)
+	for _, key := range keys {
+		_, err := TestCoreUnseal(c, key)
+		require.NoError(t, err)
+	}
 
-		_, cmd := testTokenCapabilitiesCommand(t)
-		assertNoTabs(t, cmd)
-	})
+	if c.Sealed() {
+		t.Fatal("vault is sealed")
+	}
+
+	resp, err := c.GetSealBackendStatus(ctx)
+	require.NoError(t, err)
+
+	if !resp.Healthy {
+		t.Fatal("expected healthy seal, got unhealthy")
+	}
+
+	if len(resp.Backends) != 1 {
+		t.Fatalf("expected response Backends to contain one seal, got %d", len(resp.Backends))
+	}
+
+	if !resp.Backends[0].Healthy {
+		t.Fatal("expected healthy seal, got unhealthy")
+	}
+}
+
+func TestSystemBackend_pluginRuntime_CannotDeleteRuntimeWithReferencingPlugins(t *testing.T) {
+	if runtime.GOOS != "linux" {
+		t.Skip("Currently plugincontainer only supports linux")
+	}
+	c, b, _ := testCoreSystemBackend(t)
+
+	conf := pluginruntimeutil.PluginRuntimeConfig{
+		Name:         "foo",
+		Type:         consts.PluginRuntimeTypeContainer,
+		OCIRuntime:   "some-oci-runtime",
+		CgroupParent: "/cpulimit/",
+		CPU:          1,
+		Memory:       10000,
+	}
+
+	// Register the plugin runtime
+	req := logical.TestRequest(t, logical.UpdateOperation, fmt.Sprintf("plugins/runtimes/catalog/%s/%s", conf.Type.String(), conf.Name))
+	req.Data = map[string]interface{}{
+		"oci_runtime":   conf.OCIRuntime,
+		"cgroup_parent": conf.CgroupParent,
+		"cpu_nanos":     conf.CPU,
+		"memory_bytes":  conf.Memory,
+	}
+
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v %#v", err, resp)
+	}
+	if resp != nil && (resp.IsError() || len(resp.Data) > 0) {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Bootstrap the pluginCatalog
+	sym, err := filepath.EvalSymlinks(os.TempDir())
+	if err != nil {
+		t.Fatalf("error: %v", err)
+	}
+	c.pluginCatalog.directory = sym
+
+	// Register the plugin referencing the runtime.
+	req = logical.TestRequest(t, logical.UpdateOperation, "plugins/catalog/database/test-plugin")
+	req.Data["version"] = "v0.16.0"
+	req.Data["sha_256"] = hex.EncodeToString([]byte{'1'})
+	req.Data["command"] = ""
+	req.Data["oci_image"] = "hashicorp/vault-plugin-auth-jwt"
+	req.Data["runtime"] = "foo"
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil || resp.Error() != nil {
+		t.Fatalf("err: %v %v", err, resp.Error())
+	}
+
+	// Expect to fail to delete the plugin runtime
+	req = logical.TestRequest(t, logical.DeleteOperation, "plugins/runtimes/catalog/container/foo")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if resp == nil || !resp.IsError() || resp.Error() == nil {
+		t.Errorf("expected logical error but got none, resp: %#v", resp)
+	}
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Delete the plugin.
+	req = logical.TestRequest(t, logical.DeleteOperation, "plugins/catalog/database/test-plugin")
+	req.Data["version"] = "v0.16.0"
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil || resp.Error() != nil {
+		t.Fatalf("err: %v %v", err, resp.Error())
+	}
+
+	// This time deleting the runtime should work.
+	req = logical.TestRequest(t, logical.DeleteOperation, "plugins/runtimes/catalog/container/foo")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil || resp.Error() != nil {
+		t.Fatalf("err: %v %v", err, resp.Error())
+	}
 }
diff --git a/command/token_create.go b/command/token_create.go
index 56e182b73903..e5b0caf222d6 100644
--- a/command/token_create.go
+++ b/command/token_create.go
@@ -1,262 +1,1033 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package http
 
 import (
-	"fmt"
+	"bytes"
+	"context"
+	"encoding/json"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"reflect"
+	"strconv"
 	"strings"
+	"testing"
 	"time"
 
+	"github.com/go-test/deep"
+	log "github.com/hashicorp/go-hclog"
+	kv "github.com/hashicorp/vault-plugin-secrets-kv"
 	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
+	auditFile "github.com/hashicorp/vault/builtin/audit/file"
+	credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
+	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
+	"github.com/hashicorp/vault/internalshared/configutil"
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/helper/logging"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/sdk/physical"
+	"github.com/hashicorp/vault/sdk/physical/inmem"
 
-var (
-	_ cli.Command             = (*TokenCreateCommand)(nil)
-	_ cli.CommandAutocomplete = (*TokenCreateCommand)(nil)
+	"github.com/hashicorp/vault/audit"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/vault"
 )
 
-type TokenCreateCommand struct {
-	*BaseCommand
-
-	flagID              string
-	flagDisplayName     string
-	flagTTL             time.Duration
-	flagExplicitMaxTTL  time.Duration
-	flagPeriod          time.Duration
-	flagRenewable       bool
-	flagOrphan          bool
-	flagNoDefaultPolicy bool
-	flagUseLimit        int
-	flagRole            string
-	flagType            string
-	flagMetadata        map[string]string
-	flagPolicies        []string
-	flagEntityAlias     string
+func TestLogical(t *testing.T) {
+	core, _, token := vault.TestCoreUnsealed(t)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
+	TestServerAuth(t, addr, token)
+
+	// WRITE
+	resp := testHttpPut(t, token, addr+"/v1/secret/foo", map[string]interface{}{
+		"data": "bar",
+	})
+	testResponseStatus(t, resp, 204)
+
+	// READ
+	// Bad token should return a 403
+	resp = testHttpGet(t, token+"bad", addr+"/v1/secret/foo")
+	testResponseStatus(t, resp, 403)
+
+	resp = testHttpGet(t, token, addr+"/v1/secret/foo")
+	var actual map[string]interface{}
+	var nilWarnings interface{}
+	expected := map[string]interface{}{
+		"renewable":      false,
+		"lease_duration": json.Number(strconv.Itoa(int((32 * 24 * time.Hour) / time.Second))),
+		"data": map[string]interface{}{
+			"data": "bar",
+		},
+		"auth":       nil,
+		"wrap_info":  nil,
+		"warnings":   nilWarnings,
+		"mount_type": "kv",
+	}
+	testResponseStatus(t, resp, 200)
+	testResponseBody(t, resp, &actual)
+	delete(actual, "lease_id")
+	expected["request_id"] = actual["request_id"]
+	if diff := deep.Equal(actual, expected); diff != nil {
+		t.Fatal(diff)
+	}
+
+	// DELETE
+	resp = testHttpDelete(t, token, addr+"/v1/secret/foo")
+	testResponseStatus(t, resp, 204)
+
+	resp = testHttpGet(t, token, addr+"/v1/secret/foo")
+	testResponseStatus(t, resp, 404)
 }
 
-func (c *TokenCreateCommand) Synopsis() string {
-	return "Create a new token"
+func TestLogical_noExist(t *testing.T) {
+	core, _, token := vault.TestCoreUnsealed(t)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
+	TestServerAuth(t, addr, token)
+
+	resp := testHttpGet(t, token, addr+"/v1/secret/foo")
+	testResponseStatus(t, resp, 404)
 }
 
-func (c *TokenCreateCommand) Help() string {
-	helpText := `
-Usage: vault token create [options]
+func TestLogical_StandbyRedirect(t *testing.T) {
+	ln1, addr1 := TestListener(t)
+	defer ln1.Close()
+	ln2, addr2 := TestListener(t)
+	defer ln2.Close()
 
-  Creates a new token that can be used for authentication. This token will be
-  created as a child of the currently authenticated token. The generated token
-  will inherit all policies and permissions of the currently authenticated
-  token unless you explicitly define a subset list policies to assign to the
-  token.
+	// Create an HA Vault
+	logger := logging.NewVaultLogger(log.Debug)
 
-  A ttl can also be associated with the token. If a ttl is not associated
-  with the token, then it cannot be renewed. If a ttl is associated with
-  the token, it will expire after that amount of time unless it is renewed.
+	inmha, err := inmem.NewInmemHA(nil, logger)
+	if err != nil {
+		t.Fatal(err)
+	}
+	conf := &vault.CoreConfig{
+		Physical:     inmha,
+		HAPhysical:   inmha.(physical.HABackend),
+		RedirectAddr: addr1,
+		DisableMlock: true,
+	}
+	core1, err := vault.NewCore(conf)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	defer core1.Shutdown()
+	keys, root := vault.TestCoreInit(t, core1)
+	for _, key := range keys {
+		if _, err := core1.Unseal(vault.TestKeyCopy(key)); err != nil {
+			t.Fatalf("unseal err: %s", err)
+		}
+	}
 
-  Metadata associated with the token (specified with "-metadata") is written
-  to the audit log when the token is used.
+	// Attempt to fix raciness in this test by giving the first core a chance
+	// to grab the lock
+	time.Sleep(2 * time.Second)
 
-  If a role is specified, the role may override parameters specified here.
+	// Create a second HA Vault
+	conf2 := &vault.CoreConfig{
+		Physical:     inmha,
+		HAPhysical:   inmha.(physical.HABackend),
+		RedirectAddr: addr2,
+		DisableMlock: true,
+	}
+	core2, err := vault.NewCore(conf2)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	defer core2.Shutdown()
+	for _, key := range keys {
+		if _, err := core2.Unseal(vault.TestKeyCopy(key)); err != nil {
+			t.Fatalf("unseal err: %s", err)
+		}
+	}
 
-` + c.Flags().Help()
+	TestServerWithListener(t, ln1, addr1, core1)
+	TestServerWithListener(t, ln2, addr2, core2)
+	TestServerAuth(t, addr1, root)
 
-	return strings.TrimSpace(helpText)
-}
+	// WRITE to STANDBY
+	resp := testHttpPutDisableRedirect(t, root, addr2+"/v1/secret/foo", map[string]interface{}{
+		"data": "bar",
+	})
+	logger.Debug("307 test one starting")
+	testResponseStatus(t, resp, 307)
+	logger.Debug("307 test one stopping")
 
-func (c *TokenCreateCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
+	//// READ to standby
+	resp = testHttpGet(t, root, addr2+"/v1/auth/token/lookup-self")
+	var actual map[string]interface{}
+	var nilWarnings interface{}
+	expected := map[string]interface{}{
+		"renewable":      false,
+		"lease_duration": json.Number("0"),
+		"data": map[string]interface{}{
+			"meta":             nil,
+			"num_uses":         json.Number("0"),
+			"path":             "auth/token/root",
+			"policies":         []interface{}{"root"},
+			"display_name":     "root",
+			"orphan":           true,
+			"id":               root,
+			"ttl":              json.Number("0"),
+			"creation_ttl":     json.Number("0"),
+			"explicit_max_ttl": json.Number("0"),
+			"expire_time":      nil,
+			"entity_id":        "",
+			"type":             "service",
+		},
+		"warnings":   nilWarnings,
+		"wrap_info":  nil,
+		"auth":       nil,
+		"mount_type": "token",
+	}
 
-	f := set.NewFlagSet("Command Options")
+	testResponseStatus(t, resp, 200)
+	testResponseBody(t, resp, &actual)
+	actualDataMap := actual["data"].(map[string]interface{})
+	delete(actualDataMap, "creation_time")
+	delete(actualDataMap, "accessor")
+	actual["data"] = actualDataMap
+	expected["request_id"] = actual["request_id"]
+	delete(actual, "lease_id")
+	if diff := deep.Equal(actual, expected); diff != nil {
+		t.Fatal(diff)
+	}
 
-	f.StringVar(&StringVar{
-		Name:       "id",
-		Target:     &c.flagID,
-		Completion: complete.PredictAnything,
-		Usage: "Value for the token. By default, this is an auto-generated " +
-			"string. Specifying this value requires sudo permissions.",
-	})
+	//// DELETE to standby
+	resp = testHttpDeleteDisableRedirect(t, root, addr2+"/v1/secret/foo")
+	logger.Debug("307 test two starting")
+	testResponseStatus(t, resp, 307)
+	logger.Debug("307 test two stopping")
+}
 
-	f.StringVar(&StringVar{
-		Name:       "display-name",
-		Target:     &c.flagDisplayName,
-		Completion: complete.PredictAnything,
-		Usage: "Name to associate with this token. This is a non-sensitive value " +
-			"that can be used to help identify created secrets (e.g. prefixes).",
-	})
+func TestLogical_CreateToken(t *testing.T) {
+	core, _, token := vault.TestCoreUnsealed(t)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
+	TestServerAuth(t, addr, token)
 
-	f.DurationVar(&DurationVar{
-		Name:       "ttl",
-		Target:     &c.flagTTL,
-		Completion: complete.PredictAnything,
-		Usage: "Initial TTL to associate with the token. Token renewals may be " +
-			"able to extend beyond this value, depending on the configured maximum " +
-			"TTLs. This is specified as a numeric string with suffix like \"30s\" " +
-			"or \"5m\".",
+	// WRITE
+	resp := testHttpPut(t, token, addr+"/v1/auth/token/create", map[string]interface{}{
+		"data": "bar",
 	})
 
-	f.DurationVar(&DurationVar{
-		Name:       "explicit-max-ttl",
-		Target:     &c.flagExplicitMaxTTL,
-		Completion: complete.PredictAnything,
-		Usage: "Explicit maximum lifetime for the token. Unlike normal TTLs, the " +
-			"maximum TTL is a hard limit and cannot be exceeded. This is specified " +
-			"as a numeric string with suffix like \"30s\" or \"5m\".",
-	})
+	var actual map[string]interface{}
+	expected := map[string]interface{}{
+		"lease_id":       "",
+		"renewable":      false,
+		"lease_duration": json.Number("0"),
+		"data":           nil,
+		"mount_type":     "token",
+		"wrap_info":      nil,
+		"auth": map[string]interface{}{
+			"policies":        []interface{}{"root"},
+			"token_policies":  []interface{}{"root"},
+			"metadata":        nil,
+			"lease_duration":  json.Number("0"),
+			"renewable":       false,
+			"entity_id":       "",
+			"token_type":      "service",
+			"orphan":          false,
+			"mfa_requirement": nil,
+			"num_uses":        json.Number("0"),
+		},
+	}
+	testResponseStatus(t, resp, 200)
+	testResponseBody(t, resp, &actual)
+	delete(actual["auth"].(map[string]interface{}), "client_token")
+	delete(actual["auth"].(map[string]interface{}), "accessor")
+	delete(actual, "warnings")
+	expected["request_id"] = actual["request_id"]
+	if !reflect.DeepEqual(actual, expected) {
+		t.Fatalf("bad:\nexpected:\n%#v\nactual:\n%#v", expected, actual)
+	}
+}
 
-	f.DurationVar(&DurationVar{
-		Name:       "period",
-		Target:     &c.flagPeriod,
-		Completion: complete.PredictAnything,
-		Usage: "If specified, every renewal will use the given period. Periodic " +
-			"tokens do not expire (unless -explicit-max-ttl is also provided). " +
-			"Setting this value requires sudo permissions. This is specified as a " +
-			"numeric string with suffix like \"30s\" or \"5m\".",
+func TestLogical_RawHTTP(t *testing.T) {
+	core, _, token := vault.TestCoreUnsealed(t)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
+	TestServerAuth(t, addr, token)
+
+	resp := testHttpPost(t, token, addr+"/v1/sys/mounts/foo", map[string]interface{}{
+		"type": "http",
 	})
+	testResponseStatus(t, resp, 204)
+
+	// Get the raw response
+	resp = testHttpGet(t, token, addr+"/v1/foo/raw")
+	testResponseStatus(t, resp, 200)
+
+	// Test the headers
+	if resp.Header.Get("Content-Type") != "plain/text" {
+		t.Fatalf("Bad: %#v", resp.Header)
+	}
+
+	// Get the body
+	body := new(bytes.Buffer)
+	io.Copy(body, resp.Body)
+	if string(body.Bytes()) != "hello world" {
+		t.Fatalf("Bad: %s", body.Bytes())
+	}
+}
 
-	f.BoolVar(&BoolVar{
-		Name:    "renewable",
-		Target:  &c.flagRenewable,
-		Default: true,
-		Usage:   "Allow the token to be renewed up to it's maximum TTL.",
+func TestLogical_RequestSizeLimit(t *testing.T) {
+	core, _, token := vault.TestCoreUnsealed(t)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
+	TestServerAuth(t, addr, token)
+
+	// Write a very large object, should fail. This test works because Go will
+	// convert the byte slice to base64, which makes it significantly larger
+	// than the default max request size.
+	resp := testHttpPut(t, token, addr+"/v1/secret/foo", map[string]interface{}{
+		"data": make([]byte, DefaultMaxRequestSize),
 	})
+	testResponseStatus(t, resp, http.StatusRequestEntityTooLarge)
+}
 
-	f.BoolVar(&BoolVar{
-		Name:    "orphan",
-		Target:  &c.flagOrphan,
-		Default: false,
-		Usage: "Create the token with no parent. This prevents the token from " +
-			"being revoked when the token which created it expires. Setting this " +
-			"value requires root or sudo permissions.",
+func TestLogical_RequestSizeDisableLimit(t *testing.T) {
+	core, _, token := vault.TestCoreUnsealed(t)
+	ln, addr := TestListener(t)
+	props := &vault.HandlerProperties{
+		Core: core,
+		ListenerConfig: &configutil.Listener{
+			MaxRequestSize: -1,
+			Address:        "127.0.0.1",
+			TLSDisable:     true,
+		},
+	}
+	TestServerWithListenerAndProperties(t, ln, addr, core, props)
+
+	defer ln.Close()
+	TestServerAuth(t, addr, token)
+
+	// Write a very large object, should pass as MaxRequestSize set to -1/Negative value
+
+	resp := testHttpPut(t, token, addr+"/v1/secret/foo", map[string]interface{}{
+		"data": make([]byte, DefaultMaxRequestSize),
 	})
+	testResponseStatus(t, resp, http.StatusNoContent)
+}
 
-	f.BoolVar(&BoolVar{
-		Name:    "no-default-policy",
-		Target:  &c.flagNoDefaultPolicy,
-		Default: false,
-		Usage: "Detach the \"default\" policy from the policy set for this " +
-			"token.",
+func TestLogical_ListSuffix(t *testing.T) {
+	core, _, rootToken := vault.TestCoreUnsealed(t)
+	req, _ := http.NewRequest("GET", "http://127.0.0.1:8200/v1/secret/foo", nil)
+	req = req.WithContext(namespace.RootContext(nil))
+	req.Header.Add(consts.AuthHeaderName, rootToken)
+
+	lreq, _, status, err := buildLogicalRequest(core, nil, req, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if status != 0 {
+		t.Fatalf("got status %d", status)
+	}
+	if strings.HasSuffix(lreq.Path, "/") {
+		t.Fatal("trailing slash found on path")
+	}
+
+	req, _ = http.NewRequest("GET", "http://127.0.0.1:8200/v1/secret/foo?list=true", nil)
+	req = req.WithContext(namespace.RootContext(nil))
+	req.Header.Add(consts.AuthHeaderName, rootToken)
+
+	lreq, _, status, err = buildLogicalRequest(core, nil, req, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if status != 0 {
+		t.Fatalf("got status %d", status)
+	}
+	if !strings.HasSuffix(lreq.Path, "/") {
+		t.Fatal("trailing slash not found on path")
+	}
+
+	req, _ = http.NewRequest("LIST", "http://127.0.0.1:8200/v1/secret/foo", nil)
+	req = req.WithContext(namespace.RootContext(nil))
+	req.Header.Add(consts.AuthHeaderName, rootToken)
+
+	_, _, status, err = buildLogicalRequestNoAuth(core.PerfStandby(), core.RouterAccess(), nil, req)
+	if err != nil || status != 0 {
+		t.Fatal(err)
+	}
+
+	lreq, _, status, err = buildLogicalRequest(core, nil, req, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if status != 0 {
+		t.Fatalf("got status %d", status)
+	}
+	if !strings.HasSuffix(lreq.Path, "/") {
+		t.Fatal("trailing slash not found on path")
+	}
+}
+
+// TestLogical_BinaryPath tests the legacy behavior passing in binary data to a
+// path that isn't explicitly marked by a plugin as a binary path to fail, along
+// with making sure we pass through when marked as a binary path
+func TestLogical_BinaryPath(t *testing.T) {
+	t.Parallel()
+
+	testHandler := func(ctx context.Context, l *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+		return nil, nil
+	}
+	operations := map[logical.Operation]framework.OperationHandler{
+		logical.PatchOperation:  &framework.PathOperation{Callback: testHandler},
+		logical.UpdateOperation: &framework.PathOperation{Callback: testHandler},
+	}
+
+	conf := &vault.CoreConfig{
+		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
+		LogicalBackends: map[string]logical.Factory{
+			"bintest": func(ctx context.Context, config *logical.BackendConfig) (logical.Backend, error) {
+				b := new(framework.Backend)
+				b.BackendType = logical.TypeLogical
+				b.Paths = []*framework.Path{
+					{Pattern: "binary", Operations: operations},
+					{Pattern: "binary/" + framework.MatchAllRegex("test"), Operations: operations},
+				}
+				b.PathsSpecial = &logical.Paths{Binary: []string{"binary", "binary/*"}}
+				err := b.Setup(ctx, config)
+				return b, err
+			},
+		},
+	}
+
+	core, _, token := vault.TestCoreUnsealedWithConfig(t, conf)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
+	TestServerAuth(t, addr, token)
+
+	mountReq := &logical.Request{
+		Operation:   logical.UpdateOperation,
+		ClientToken: token,
+		Path:        "sys/mounts/bintest",
+		Data: map[string]interface{}{
+			"type": "bintest",
+		},
+	}
+	mountResp, err := core.HandleRequest(namespace.RootContext(nil), mountReq)
+	if err != nil {
+		t.Fatalf("failed mounting bin-test engine: %v", err)
+	}
+	if mountResp.IsError() {
+		t.Fatalf("failed mounting bin-test error in response: %v", mountResp.Error())
+	}
+
+	tests := []struct {
+		name           string
+		op             string
+		url            string
+		expectedReturn int
+	}{
+		{name: "PUT non-binary", op: "PUT", url: addr + "/v1/bintest/non-binary", expectedReturn: http.StatusBadRequest},
+		{name: "POST non-binary", op: "POST", url: addr + "/v1/bintest/non-binary", expectedReturn: http.StatusBadRequest},
+		{name: "PUT binary", op: "PUT", url: addr + "/v1/bintest/binary", expectedReturn: http.StatusNoContent},
+		{name: "POST binary", op: "POST", url: addr + "/v1/bintest/binary/sub-path", expectedReturn: http.StatusNoContent},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(st *testing.T) {
+			var resp *http.Response
+			switch test.op {
+			case "PUT":
+				resp = testHttpPutBinaryData(st, token, test.url, make([]byte, 100))
+			case "POST":
+				resp = testHttpPostBinaryData(st, token, test.url, make([]byte, 100))
+			default:
+				t.Fatalf("unsupported operation: %s", test.op)
+			}
+			testResponseStatus(st, resp, test.expectedReturn)
+			if test.expectedReturn != http.StatusNoContent {
+				all, err := io.ReadAll(resp.Body)
+				if err != nil {
+					st.Fatalf("failed reading error response body: %v", err)
+				}
+				if !strings.Contains(string(all), "error parsing JSON") {
+					st.Fatalf("error response body did not contain expected error: %v", all)
+				}
+			}
+		})
+	}
+}
+
+func TestLogical_ListWithQueryParameters(t *testing.T) {
+	core, _, rootToken := vault.TestCoreUnsealed(t)
+
+	tests := []struct {
+		name          string
+		requestMethod string
+		url           string
+		expectedData  map[string]interface{}
+	}{
+		{
+			name:          "LIST request method parses query parameter",
+			requestMethod: "LIST",
+			url:           "http://127.0.0.1:8200/v1/secret/foo?key1=value1",
+			expectedData: map[string]interface{}{
+				"key1": "value1",
+			},
+		},
+		{
+			name:          "LIST request method parses query multiple parameters",
+			requestMethod: "LIST",
+			url:           "http://127.0.0.1:8200/v1/secret/foo?key1=value1&key2=value2",
+			expectedData: map[string]interface{}{
+				"key1": "value1",
+				"key2": "value2",
+			},
+		},
+		{
+			name:          "GET request method with list=true parses query parameter",
+			requestMethod: "GET",
+			url:           "http://127.0.0.1:8200/v1/secret/foo?list=true&key1=value1",
+			expectedData: map[string]interface{}{
+				"key1": "value1",
+			},
+		},
+		{
+			name:          "GET request method with list=true parses multiple query parameters",
+			requestMethod: "GET",
+			url:           "http://127.0.0.1:8200/v1/secret/foo?list=true&key1=value1&key2=value2",
+			expectedData: map[string]interface{}{
+				"key1": "value1",
+				"key2": "value2",
+			},
+		},
+		{
+			name:          "GET request method with alternate order list=true parses multiple query parameters",
+			requestMethod: "GET",
+			url:           "http://127.0.0.1:8200/v1/secret/foo?key1=value1&list=true&key2=value2",
+			expectedData: map[string]interface{}{
+				"key1": "value1",
+				"key2": "value2",
+			},
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			req, _ := http.NewRequest(tc.requestMethod, tc.url, nil)
+			req = req.WithContext(namespace.RootContext(nil))
+			req.Header.Add(consts.AuthHeaderName, rootToken)
+
+			lreq, _, status, err := buildLogicalRequest(core, nil, req, "")
+			if err != nil {
+				t.Fatal(err)
+			}
+			if status != 0 {
+				t.Fatalf("got status %d", status)
+			}
+			if !strings.HasSuffix(lreq.Path, "/") {
+				t.Fatal("trailing slash not found on path")
+			}
+			if lreq.Operation != logical.ListOperation {
+				t.Fatalf("expected logical.ListOperation, got %v", lreq.Operation)
+			}
+			if !reflect.DeepEqual(tc.expectedData, lreq.Data) {
+				t.Fatalf("expected query parameter data %v, got %v", tc.expectedData, lreq.Data)
+			}
+		})
+	}
+}
+
+func TestLogical_RespondWithStatusCode(t *testing.T) {
+	resp := &logical.Response{
+		Data: map[string]interface{}{
+			"test-data": "foo",
+		},
+	}
+
+	resp404, err := logical.RespondWithStatusCode(resp, &logical.Request{ID: "id"}, http.StatusNotFound)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	w := httptest.NewRecorder()
+	respondLogical(nil, w, nil, nil, resp404, false)
+
+	if w.Code != 404 {
+		t.Fatalf("Bad Status code: %d", w.Code)
+	}
+
+	bodyRaw, err := io.ReadAll(w.Body)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	expected := `{"request_id":"id","lease_id":"","renewable":false,"lease_duration":0,"data":{"test-data":"foo"},"wrap_info":null,"warnings":null,"auth":null,"mount_type":""}`
+
+	if string(bodyRaw[:]) != strings.Trim(expected, "\n") {
+		t.Fatalf("bad response: %s", string(bodyRaw[:]))
+	}
+}
+
+func TestLogical_Audit_invalidWrappingToken(t *testing.T) {
+	t.Setenv("VAULT_AUDIT_DISABLE_EVENTLOGGER", "true")
+
+	// Create a noop audit backend
+	noop := corehelpers.TestNoopAudit(t, nil)
+	c, _, root := vault.TestCoreUnsealedWithConfig(t, &vault.CoreConfig{
+		AuditBackends: map[string]audit.Factory{
+			"noop": func(ctx context.Context, config *audit.BackendConfig, _ bool, _ audit.HeaderFormatter) (audit.Backend, error) {
+				return noop, nil
+			},
+		},
 	})
+	ln, addr := TestServer(t, c)
+	defer ln.Close()
 
-	f.IntVar(&IntVar{
-		Name:    "use-limit",
-		Target:  &c.flagUseLimit,
-		Default: 0,
-		Usage: "Number of times this token can be used. After the last use, the " +
-			"token is automatically revoked. By default, tokens can be used an " +
-			"unlimited number of times until their expiration.",
+	// Enable the audit backend
+
+	resp := testHttpPost(t, root, addr+"/v1/sys/audit/noop", map[string]interface{}{
+		"type": "noop",
 	})
+	testResponseStatus(t, resp, 204)
+
+	{
+		// Make a wrapping/unwrap request with an invalid token
+		resp := testHttpPost(t, root, addr+"/v1/sys/wrapping/unwrap", map[string]interface{}{
+			"token": "foo",
+		})
+		testResponseStatus(t, resp, 400)
+		body := map[string][]string{}
+		testResponseBody(t, resp, &body)
+		if body["errors"][0] != "wrapping token is not valid or does not exist" {
+			t.Fatal(body)
+		}
+
+		// Check the audit trail on request and response
+		if len(noop.ReqAuth) != 1 {
+			t.Fatalf("bad: %#v", noop)
+		}
+		auth := noop.ReqAuth[0]
+		if auth.ClientToken != root {
+			t.Fatalf("bad client token: %#v", auth)
+		}
+		if len(noop.Req) != 1 || noop.Req[0].Path != "sys/wrapping/unwrap" {
+			t.Fatalf("bad:\ngot:\n%#v", noop.Req[0])
+		}
 
-	f.StringVar(&StringVar{
-		Name:    "role",
-		Target:  &c.flagRole,
-		Default: "",
-		Usage: "Name of the role to create the token against. Specifying -role " +
-			"may override other arguments. The locally authenticated Vault token " +
-			"must have permission for \"auth/token/create/<role>\".",
+		if len(noop.ReqErrs) != 1 {
+			t.Fatalf("bad: %#v", noop.RespErrs)
+		}
+		if noop.ReqErrs[0] != consts.ErrInvalidWrappingToken {
+			t.Fatalf("bad: %#v", noop.ReqErrs)
+		}
+	}
+
+	{
+		resp := testHttpPostWrapped(t, root, addr+"/v1/auth/token/create", nil, 10*time.Second)
+		testResponseStatus(t, resp, 200)
+		body := map[string]interface{}{}
+		testResponseBody(t, resp, &body)
+
+		wrapToken := body["wrap_info"].(map[string]interface{})["token"].(string)
+
+		// Make a wrapping/unwrap request with an invalid token
+		resp = testHttpPost(t, root, addr+"/v1/sys/wrapping/unwrap", map[string]interface{}{
+			"token": wrapToken,
+		})
+		testResponseStatus(t, resp, 200)
+
+		// Check the audit trail on request and response
+		if len(noop.ReqAuth) != 3 {
+			t.Fatalf("bad: %#v", noop)
+		}
+		auth := noop.ReqAuth[2]
+		if auth.ClientToken != root {
+			t.Fatalf("bad client token: %#v", auth)
+		}
+		if len(noop.Req) != 3 || noop.Req[2].Path != "sys/wrapping/unwrap" {
+			t.Fatalf("bad:\ngot:\n%#v", noop.Req[2])
+		}
+
+		// Make sure there is only one error in the logs
+		if noop.ReqErrs[1] != nil || noop.ReqErrs[2] != nil {
+			t.Fatalf("bad: %#v", noop.RespErrs)
+		}
+	}
+}
+
+func TestLogical_ShouldParseForm(t *testing.T) {
+	const formCT = "application/x-www-form-urlencoded"
+
+	tests := map[string]struct {
+		prefix      string
+		contentType string
+		isForm      bool
+	}{
+		"JSON":                 {`{"a":42}`, formCT, false},
+		"JSON 2":               {`[42]`, formCT, false},
+		"JSON w/leading space": {"   \n\n\r\t  [42]  ", formCT, false},
+		"Form":                 {"a=42&b=dog", formCT, true},
+		"Form w/wrong CT":      {"a=42&b=dog", "application/json", false},
+	}
+
+	for name, test := range tests {
+		isForm := isForm([]byte(test.prefix), test.contentType)
+
+		if isForm != test.isForm {
+			t.Fatalf("%s fail: expected isForm %t, got %t", name, test.isForm, isForm)
+		}
+	}
+}
+
+func TestLogical_AuditPort(t *testing.T) {
+	coreConfig := &vault.CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"kv": kv.VersionedKVFactory,
+		},
+		AuditBackends: map[string]audit.Factory{
+			"file": auditFile.Factory,
+		},
+	}
+
+	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
+		HandlerFunc: Handler,
 	})
 
-	f.StringVar(&StringVar{
-		Name:    "type",
-		Target:  &c.flagType,
-		Default: "service",
-		Usage:   `The type of token to create. Can be "service" or "batch".`,
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	cores := cluster.Cores
+
+	core := cores[0].Core
+	c := cluster.Cores[0].Client
+	vault.TestWaitActive(t, core)
+
+	if err := c.Sys().Mount("kv/", &api.MountInput{
+		Type: "kv-v2",
+	}); err != nil {
+		t.Fatalf("kv-v2 mount attempt failed - err: %#v\n", err)
+	}
+
+	auditLogFile, err := ioutil.TempFile("", "auditport")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = c.Sys().EnableAuditWithOptions("file", &api.EnableAuditOptions{
+		Type: "file",
+		Options: map[string]string{
+			"file_path": auditLogFile.Name(),
+		},
 	})
+	if err != nil {
+		t.Fatalf("failed to enable audit file, err: %#v\n", err)
+	}
+
+	writeData := map[string]interface{}{
+		"data": map[string]interface{}{
+			"bar": "a",
+		},
+	}
+
+	// workaround kv-v2 initialization upgrade errors
+	numFailures := 0
+	corehelpers.RetryUntil(t, 10*time.Second, func() error {
+		resp, err := c.Logical().Write("kv/data/foo", writeData)
+		if err != nil {
+			if strings.Contains(err.Error(), "Upgrading from non-versioned to versioned data") {
+				t.Logf("Retrying fetch KV data due to upgrade error")
+				time.Sleep(100 * time.Millisecond)
+				numFailures += 1
+				return err
+			}
 
-	f.StringMapVar(&StringMapVar{
-		Name:       "metadata",
-		Target:     &c.flagMetadata,
-		Completion: complete.PredictAnything,
-		Usage: "Arbitrary key=value metadata to associate with the token. " +
-			"This metadata will show in the audit log when the token is used. " +
-			"This can be specified multiple times to add multiple pieces of " +
-			"metadata.",
+			t.Fatalf("write request failed, err: %#v, resp: %#v\n", err, resp)
+		}
+
+		return nil
 	})
 
-	f.StringSliceVar(&StringSliceVar{
-		Name:       "policy",
-		Target:     &c.flagPolicies,
-		Completion: c.PredictVaultPolicies(),
-		Usage: "Name of a policy to associate with this token. This can be " +
-			"specified multiple times to attach multiple policies.",
+	decoder := json.NewDecoder(auditLogFile)
+
+	var auditRecord map[string]interface{}
+	count := 0
+	for decoder.Decode(&auditRecord) == nil {
+		count += 1
+
+		// Skip the first line
+		if count == 1 {
+			continue
+		}
+
+		auditRequest := map[string]interface{}{}
+
+		if req, ok := auditRecord["request"]; ok {
+			auditRequest = req.(map[string]interface{})
+		}
+
+		if _, ok := auditRequest["remote_address"].(string); !ok {
+			t.Fatalf("remote_address should be a string, not %T", auditRequest["remote_address"])
+		}
+
+		if _, ok := auditRequest["remote_port"].(float64); !ok {
+			t.Fatalf("remote_port should be a number, not %T", auditRequest["remote_port"])
+		}
+	}
+
+	// We expect the following items in the audit log:
+	// audit log header + an entry for updating sys/audit/file
+	// + request/response per failure (if any) + request/response for creating kv
+	numExpectedEntries := (numFailures * 2) + 4
+	if count != numExpectedEntries {
+		t.Fatalf("wrong number of audit entries expected: %d got: %d", numExpectedEntries, count)
+	}
+}
+
+func TestLogical_ErrRelativePath(t *testing.T) {
+	coreConfig := &vault.CoreConfig{
+		CredentialBackends: map[string]logical.Factory{
+			"userpass": credUserpass.Factory,
+		},
+	}
+
+	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
+		HandlerFunc: Handler,
 	})
 
-	f.StringVar(&StringVar{
-		Name:    "entity-alias",
-		Target:  &c.flagEntityAlias,
-		Default: "",
-		Usage: "Name of the entity alias to associate with during token creation. " +
-			"Only works in combination with -role argument and used entity alias " +
-			"must be listed in allowed_entity_aliases. If this has been specified, " +
-			"the entity will not be inherited from the parent.",
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	cores := cluster.Cores
+
+	core := cores[0].Core
+	c := cluster.Cores[0].Client
+	vault.TestWaitActive(t, core)
+
+	err := c.Sys().EnableAuthWithOptions("userpass", &api.EnableAuthOptions{
+		Type: "userpass",
 	})
+	if err != nil {
+		t.Fatalf("failed to enable userpass, err: %v", err)
+	}
 
-	return set
-}
+	resp, err := c.Logical().Read("auth/userpass/users/user..aaa")
+
+	if err == nil || resp != nil {
+		t.Fatalf("expected read request to fail, resp: %#v, err: %v", resp, err)
+	}
 
-func (c *TokenCreateCommand) AutocompleteArgs() complete.Predictor {
-	return nil
+	respErr, ok := err.(*api.ResponseError)
+
+	if !ok {
+		t.Fatalf("unexpected error type, err: %#v", err)
+	}
+
+	if respErr.StatusCode != 400 {
+		t.Errorf("expected 400 response for read, actual: %d", respErr.StatusCode)
+	}
+
+	if !strings.Contains(respErr.Error(), logical.ErrRelativePath.Error()) {
+		t.Errorf("expected response for read to include %q", logical.ErrRelativePath.Error())
+	}
+
+	data := map[string]interface{}{
+		"password": "abc123",
+	}
+
+	resp, err = c.Logical().Write("auth/userpass/users/user..aaa", data)
+
+	if err == nil || resp != nil {
+		t.Fatalf("expected write request to fail, resp: %#v, err: %v", resp, err)
+	}
+
+	respErr, ok = err.(*api.ResponseError)
+
+	if !ok {
+		t.Fatalf("unexpected error type, err: %#v", err)
+	}
+
+	if respErr.StatusCode != 400 {
+		t.Errorf("expected 400 response for write, actual: %d", respErr.StatusCode)
+	}
+
+	if !strings.Contains(respErr.Error(), logical.ErrRelativePath.Error()) {
+		t.Errorf("expected response for write to include %q", logical.ErrRelativePath.Error())
+	}
 }
 
-func (c *TokenCreateCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
+func testBuiltinPluginMetadataAuditLog(t *testing.T, log map[string]interface{}, expectedMountClass string) {
+	if mountClass, ok := log["mount_class"].(string); !ok {
+		t.Fatalf("mount_class should be a string, not %T", log["mount_class"])
+	} else if mountClass != expectedMountClass {
+		t.Fatalf("bad: mount_class should be %s, not %s", expectedMountClass, mountClass)
+	}
+
+	if _, ok := log["mount_running_version"].(string); !ok {
+		t.Fatalf("mount_running_version should be a string, not %T", log["mount_running_version"])
+	}
+
+	if _, ok := log["mount_running_sha256"].(string); ok {
+		t.Fatalf("mount_running_sha256 should be nil, not %T", log["mount_running_sha256"])
+	}
+
+	if mountIsExternalPlugin, ok := log["mount_is_external_plugin"].(bool); ok && mountIsExternalPlugin {
+		t.Fatalf("mount_is_external_plugin should be nil or false, not %T", log["mount_is_external_plugin"])
+	}
 }
 
-func (c *TokenCreateCommand) Run(args []string) int {
-	f := c.Flags()
+// TestLogical_AuditEnabled_ShouldLogPluginMetadata_Auth tests that we have plugin metadata of a builtin auth plugin
+// in audit log when it is enabled
+func TestLogical_AuditEnabled_ShouldLogPluginMetadata_Auth(t *testing.T) {
+	coreConfig := &vault.CoreConfig{
+		AuditBackends: map[string]audit.Factory{
+			"file": auditFile.Factory,
+		},
+	}
 
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
+	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
+		HandlerFunc: Handler,
+	})
+
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	cores := cluster.Cores
+
+	core := cores[0].Core
+	c := cluster.Cores[0].Client
+	vault.TestWaitActive(t, core)
+
+	// Enable the audit backend
+	tempDir := t.TempDir()
+	auditLogFile, err := os.CreateTemp(tempDir, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = c.Sys().EnableAuditWithOptions("file", &api.EnableAuditOptions{
+		Type: "file",
+		Options: map[string]string{
+			"file_path": auditLogFile.Name(),
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = c.Logical().Write("auth/token/create", map[string]interface{}{
+		"ttl": "10s",
+	})
+	if err != nil {
+		t.Fatal(err)
 	}
 
-	args = f.Args()
-	if len(args) > 0 {
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(args)))
-		return 1
+	// Check the audit trail on request and response
+	decoder := json.NewDecoder(auditLogFile)
+	var auditRecord map[string]interface{}
+	for decoder.Decode(&auditRecord) == nil {
+		auditRequest := map[string]interface{}{}
+		if req, ok := auditRecord["request"]; ok {
+			auditRequest = req.(map[string]interface{})
+			if auditRequest["path"] != "auth/token/create" {
+				continue
+			}
+		}
+		testBuiltinPluginMetadataAuditLog(t, auditRequest, consts.PluginTypeCredential.String())
+
+		auditResponse := map[string]interface{}{}
+		if req, ok := auditRecord["response"]; ok {
+			auditRequest = req.(map[string]interface{})
+			if auditResponse["path"] != "auth/token/create" {
+				continue
+			}
+		}
+		testBuiltinPluginMetadataAuditLog(t, auditResponse, consts.PluginTypeCredential.String())
 	}
+}
 
-	if c.flagType == "batch" {
-		c.flagRenewable = false
+// TestLogical_AuditEnabled_ShouldLogPluginMetadata_Secret tests that we have plugin metadata of a builtin secret plugin
+// in audit log when it is enabled
+func TestLogical_AuditEnabled_ShouldLogPluginMetadata_Secret(t *testing.T) {
+	coreConfig := &vault.CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"kv": kv.VersionedKVFactory,
+		},
+		AuditBackends: map[string]audit.Factory{
+			"file": auditFile.Factory,
+		},
 	}
 
-	client, err := c.Client()
+	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
+		HandlerFunc: Handler,
+	})
+
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	cores := cluster.Cores
+
+	core := cores[0].Core
+	c := cluster.Cores[0].Client
+	vault.TestWaitActive(t, core)
+
+	if err := c.Sys().Mount("kv/", &api.MountInput{
+		Type: "kv-v2",
+	}); err != nil {
+		t.Fatalf("kv-v2 mount attempt failed - err: %#v\n", err)
+	}
+
+	// Enable the audit backend
+	tempDir := t.TempDir()
+	auditLogFile, err := os.CreateTemp(tempDir, "")
 	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	tcr := &api.TokenCreateRequest{
-		ID:              c.flagID,
-		Policies:        c.flagPolicies,
-		Metadata:        c.flagMetadata,
-		TTL:             c.flagTTL.String(),
-		NoParent:        c.flagOrphan,
-		NoDefaultPolicy: c.flagNoDefaultPolicy,
-		DisplayName:     c.flagDisplayName,
-		NumUses:         c.flagUseLimit,
-		Renewable:       &c.flagRenewable,
-		ExplicitMaxTTL:  c.flagExplicitMaxTTL.String(),
-		Period:          c.flagPeriod.String(),
-		Type:            c.flagType,
-		EntityAlias:     c.flagEntityAlias,
-	}
-
-	var secret *api.Secret
-	if c.flagRole != "" {
-		secret, err = client.Auth().Token().CreateWithRole(tcr, c.flagRole)
-	} else {
-		secret, err = client.Auth().Token().Create(tcr)
+		t.Fatal(err)
 	}
+
+	err = c.Sys().EnableAuditWithOptions("file", &api.EnableAuditOptions{
+		Type: "file",
+		Options: map[string]string{
+			"file_path": auditLogFile.Name(),
+		},
+	})
 	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error creating token: %s", err))
-		return 2
+		t.Fatal(err)
 	}
 
-	if c.flagField != "" {
-		return PrintRawField(c.UI, secret, c.flagField)
+	{
+		writeData := map[string]interface{}{
+			"data": map[string]interface{}{
+				"bar": "a",
+			},
+		}
+		corehelpers.RetryUntil(t, 10*time.Second, func() error {
+			resp, err := c.Logical().Write("kv/data/foo", writeData)
+			if err != nil {
+				t.Fatalf("write request failed, err: %#v, resp: %#v\n", err, resp)
+			}
+			return nil
+		})
 	}
 
-	return OutputSecret(c.UI, secret)
+	// Check the audit trail on request and response
+	decoder := json.NewDecoder(auditLogFile)
+	var auditRecord map[string]interface{}
+	for decoder.Decode(&auditRecord) == nil {
+		auditRequest := map[string]interface{}{}
+		if req, ok := auditRecord["request"]; ok {
+			auditRequest = req.(map[string]interface{})
+			if auditRequest["path"] != "kv/data/foo" {
+				continue
+			}
+		}
+		testBuiltinPluginMetadataAuditLog(t, auditRequest, consts.PluginTypeSecrets.String())
+
+		auditResponse := map[string]interface{}{}
+		if req, ok := auditRecord["response"]; ok {
+			auditRequest = req.(map[string]interface{})
+			if auditResponse["path"] != "kv/data/foo" {
+				continue
+			}
+		}
+		testBuiltinPluginMetadataAuditLog(t, auditResponse, consts.PluginTypeSecrets.String())
+	}
 }
diff --git a/command/token_create_test.go b/command/token_create_test.go
index 9991afb3625a..b8afeffbf2f6 100644
--- a/command/token_create_test.go
+++ b/command/token_create_test.go
@@ -4,233 +4,613 @@
 package command
 
 import (
-	"reflect"
+	"context"
+	"regexp"
 	"strings"
 	"testing"
+	"time"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
+
+	"github.com/hashicorp/vault/api"
+	credToken "github.com/hashicorp/vault/builtin/credential/token"
+	credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
+	"github.com/hashicorp/vault/command/token"
+	"github.com/hashicorp/vault/helper/testhelpers"
+	"github.com/hashicorp/vault/vault"
 )
 
-func testTokenCreateCommand(tb testing.TB) (*cli.MockUi, *TokenCreateCommand) {
+// minTokenLengthExternal is the minimum size of SSC
+// tokens we are currently handing out to end users, without any
+// namespace information
+const minTokenLengthExternal = 91
+
+func testLoginCommand(tb testing.TB) (*cli.MockUi, *LoginCommand) {
 	tb.Helper()
 
 	ui := cli.NewMockUi()
-	return ui, &TokenCreateCommand{
+	return ui, &LoginCommand{
 		BaseCommand: &BaseCommand{
 			UI: ui,
+
+			// Override to our own token helper
+			tokenHelper: token.NewTestingTokenHelper(),
+		},
+		Handlers: map[string]LoginHandler{
+			"token":    &credToken.CLIHandler{},
+			"userpass": &credUserpass.CLIHandler{},
 		},
 	}
 }
 
-func TestTokenCreateCommand_Run(t *testing.T) {
+func TestCustomPath(t *testing.T) {
 	t.Parallel()
 
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"too_many_args",
-			[]string{"abcd1234"},
-			"Too many arguments",
-			1,
-		},
-		{
-			"default",
-			nil,
-			"token",
-			0,
-		},
-		{
-			"metadata",
-			[]string{"-metadata", "foo=bar", "-metadata", "zip=zap"},
-			"token",
-			0,
-		},
-		{
-			"policies",
-			[]string{"-policy", "foo", "-policy", "bar"},
-			"token",
-			0,
-		},
-		{
-			"field",
-			[]string{
-				"-field", "token_renewable",
-			},
-			"false",
-			0,
-		},
-		{
-			"field_not_found",
-			[]string{
-				"-field", "not-a-real-field",
-			},
-			"not present in secret",
-			1,
-		},
-		{
-			"ttl",
-			[]string{"-ttl", "1d", "-explicit-max-ttl", "2d"},
-			"token",
-			0,
-		},
+	client, closer := testVaultServer(t)
+	defer closer()
+
+	if err := client.Sys().EnableAuth("my-auth", "userpass", ""); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := client.Logical().Write("auth/my-auth/users/test", map[string]interface{}{
+		"password": "test",
+		"policies": "default",
+	}); err != nil {
+		t.Fatal(err)
 	}
 
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
+	ui, cmd := testLoginCommand(t)
+	cmd.client = client
 
-		for _, tc := range cases {
-			tc := tc
+	tokenHelper, err := cmd.TokenHelper()
+	if err != nil {
+		t.Fatal(err)
+	}
 
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
+	// Emulate an unknown token format present in ~/.vault-token, for example
+	client.SetToken("a.a")
 
-				client, closer := testVaultServer(t)
-				defer closer()
+	code := cmd.Run([]string{
+		"-method", "userpass",
+		"-path", "my-auth",
+		"username=test",
+		"password=test",
+	})
+	if exp := 0; code != exp {
+		t.Errorf("expected %d to be %d", code, exp)
+	}
 
-				ui, cmd := testTokenCreateCommand(t)
-				cmd.client = client
+	expected := "Success! You are now authenticated."
+	combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+	if !strings.Contains(combined, expected) {
+		t.Errorf("expected %q to be %q", combined, expected)
+	}
 
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
+	storedToken, err := tokenHelper.Get()
+	if err != nil {
+		t.Fatal(err)
+	}
 
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
+	if l, exp := len(storedToken), minTokenLengthExternal+vault.TokenPrefixLength; l < exp {
+		t.Errorf("expected token to be %d characters, was %d: %q", exp, l, storedToken)
+	}
+}
+
+// Do not persist the token to the token helper
+func TestNoStore(t *testing.T) {
+	t.Parallel()
+
+	client, closer := testVaultServer(t)
+	defer closer()
+
+	secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
+		Policies: []string{"default"},
+		TTL:      "30m",
 	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	token := secret.Auth.ClientToken
 
-	t.Run("default", func(t *testing.T) {
-		t.Parallel()
+	_, cmd := testLoginCommand(t)
+	cmd.client = client
 
-		client, closer := testVaultServer(t)
-		defer closer()
+	tokenHelper, err := cmd.TokenHelper()
+	if err != nil {
+		t.Fatal(err)
+	}
 
-		ui, cmd := testTokenCreateCommand(t)
-		cmd.client = client
+	// Ensure we have no token to start
+	if storedToken, err := tokenHelper.Get(); err != nil || storedToken != "" {
+		t.Errorf("expected token helper to be empty: %s: %q", err, storedToken)
+	}
 
-		code := cmd.Run([]string{
-			"-field", "token",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
+	code := cmd.Run([]string{
+		"-no-store",
+		token,
+	})
+	if exp := 0; code != exp {
+		t.Errorf("expected %d to be %d", code, exp)
+	}
 
-		token := strings.TrimSpace(ui.OutputWriter.String())
-		secret, err := client.Auth().Token().Lookup(token)
-		if secret == nil || err != nil {
-			t.Fatal(err)
-		}
+	storedToken, err := tokenHelper.Get()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if exp := ""; storedToken != exp {
+		t.Errorf("expected %q to be %q", storedToken, exp)
+	}
+}
+
+func TestStores(t *testing.T) {
+	t.Parallel()
+
+	client, closer := testVaultServer(t)
+	defer closer()
+
+	secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
+		Policies: []string{"default"},
+		TTL:      "30m",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	token := secret.Auth.ClientToken
+
+	_, cmd := testLoginCommand(t)
+	cmd.client = client
+
+	tokenHelper, err := cmd.TokenHelper()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	code := cmd.Run([]string{
+		token,
+	})
+	if exp := 0; code != exp {
+		t.Errorf("expected %d to be %d", code, exp)
+	}
+
+	storedToken, err := tokenHelper.Get()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if storedToken != token {
+		t.Errorf("expected %q to be %q", storedToken, token)
+	}
+}
+
+func TestTokenOnly(t *testing.T) {
+	t.Parallel()
+
+	client, closer := testVaultServer(t)
+	defer closer()
+
+	if err := client.Sys().EnableAuth("userpass", "userpass", ""); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := client.Logical().Write("auth/userpass/users/test", map[string]interface{}{
+		"password": "test",
+		"policies": "default",
+	}); err != nil {
+		t.Fatal(err)
+	}
+
+	ui, cmd := testLoginCommand(t)
+	cmd.client = client
+
+	tokenHelper, err := cmd.TokenHelper()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	code := cmd.Run([]string{
+		"-token-only",
+		"-method", "userpass",
+		"username=test",
+		"password=test",
+	})
+	if exp := 0; code != exp {
+		t.Errorf("expected %d to be %d", code, exp)
+	}
+
+	// Verify only the token was printed
+	token := ui.OutputWriter.String()
+	if l, exp := len(token), minTokenLengthExternal+vault.TokenPrefixLength; l != exp {
+		t.Errorf("expected token to be %d characters, was %d: %q", exp, l, token)
+	}
+
+	// Verify the token was not stored
+	if storedToken, err := tokenHelper.Get(); err != nil || storedToken != "" {
+		t.Fatalf("expected token to not be stored: %s: %q", err, storedToken)
+	}
+}
+
+func TestFailureNoStore(t *testing.T) {
+	t.Parallel()
+
+	client, closer := testVaultServer(t)
+	defer closer()
+
+	ui, cmd := testLoginCommand(t)
+	cmd.client = client
+
+	tokenHelper, err := cmd.TokenHelper()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	code := cmd.Run([]string{
+		"not-a-real-token",
+	})
+	if exp := 2; code != exp {
+		t.Errorf("expected %d to be %d", code, exp)
+	}
+
+	expected := "Error authenticating: "
+	combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+	if !strings.Contains(combined, expected) {
+		t.Errorf("expected %q to contain %q", combined, expected)
+	}
+
+	if storedToken, err := tokenHelper.Get(); err != nil || storedToken != "" {
+		t.Fatalf("expected token to not be stored: %s: %q", err, storedToken)
+	}
+}
+
+func TestWrapAutoUnwrap(t *testing.T) {
+	t.Parallel()
+
+	client, closer := testVaultServer(t)
+	defer closer()
+
+	if err := client.Sys().EnableAuth("userpass", "userpass", ""); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := client.Logical().Write("auth/userpass/users/test", map[string]interface{}{
+		"password": "test",
+		"policies": "default",
+	}); err != nil {
+		t.Fatal(err)
+	}
+
+	_, cmd := testLoginCommand(t)
+	cmd.client = client
+
+	// Set the wrapping ttl to 5s. We can't set this via the flag because we
+	// override the client object before that particular flag is parsed.
+	client.SetWrappingLookupFunc(func(string, string) string { return "5m" })
+
+	code := cmd.Run([]string{
+		"-method", "userpass",
+		"username=test",
+		"password=test",
+	})
+	if exp := 0; code != exp {
+		t.Errorf("expected %d to be %d", code, exp)
+	}
+
+	// Unset the wrapping
+	client.SetWrappingLookupFunc(func(string, string) string { return "" })
+
+	tokenHelper, err := cmd.TokenHelper()
+	if err != nil {
+		t.Fatal(err)
+	}
+	token, err := tokenHelper.Get()
+	if err != nil || token == "" {
+		t.Fatalf("expected token from helper: %s: %q", err, token)
+	}
+	client.SetToken(token)
+
+	// Ensure the resulting token is unwrapped
+	secret, err := client.Auth().Token().LookupSelf()
+	if err != nil {
+		t.Error(err)
+	}
+	if secret == nil {
+		t.Fatal("secret was nil")
+	}
+
+	if secret.WrapInfo != nil {
+		t.Errorf("expected to be unwrapped: %#v", secret)
+	}
+}
+
+func TestWrapTokenOnly(t *testing.T) {
+	t.Parallel()
+
+	client, closer := testVaultServer(t)
+	defer closer()
+
+	if err := client.Sys().EnableAuth("userpass", "userpass", ""); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := client.Logical().Write("auth/userpass/users/test", map[string]interface{}{
+		"password": "test",
+		"policies": "default",
+	}); err != nil {
+		t.Fatal(err)
+	}
+
+	ui, cmd := testLoginCommand(t)
+	cmd.client = client
+
+	// Set the wrapping ttl to 5s. We can't set this via the flag because we
+	// override the client object before that particular flag is parsed.
+	client.SetWrappingLookupFunc(func(string, string) string { return "5m" })
+
+	code := cmd.Run([]string{
+		"-token-only",
+		"-method", "userpass",
+		"username=test",
+		"password=test",
 	})
+	if exp := 0; code != exp {
+		t.Errorf("expected %d to be %d", code, exp)
+	}
 
-	t.Run("metadata", func(t *testing.T) {
-		t.Parallel()
+	// Unset the wrapping
+	client.SetWrappingLookupFunc(func(string, string) string { return "" })
 
-		client, closer := testVaultServer(t)
-		defer closer()
+	tokenHelper, err := cmd.TokenHelper()
+	if err != nil {
+		t.Fatal(err)
+	}
+	storedToken, err := tokenHelper.Get()
+	if err != nil || storedToken != "" {
+		t.Fatalf("expected token to not be stored: %s: %q", err, storedToken)
+	}
 
-		ui, cmd := testTokenCreateCommand(t)
-		cmd.client = client
+	token := strings.TrimSpace(ui.OutputWriter.String())
+	if token == "" {
+		t.Errorf("expected %q to not be %q", token, "")
+	}
 
+	// Ensure the resulting token is, in fact, still wrapped.
+	client.SetToken(token)
+	secret, err := client.Logical().Unwrap("")
+	if err != nil {
+		t.Error(err)
+	}
+	if secret == nil || secret.Auth == nil || secret.Auth.ClientToken == "" {
+		t.Fatalf("expected secret to have auth: %#v", secret)
+	}
+}
+
+func TestWrapNoStore(t *testing.T) {
+	t.Parallel()
+
+	client, closer := testVaultServer(t)
+	defer closer()
+
+	if err := client.Sys().EnableAuth("userpass", "userpass", ""); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := client.Logical().Write("auth/userpass/users/test", map[string]interface{}{
+		"password": "test",
+		"policies": "default",
+	}); err != nil {
+		t.Fatal(err)
+	}
+
+	ui, cmd := testLoginCommand(t)
+	cmd.client = client
+
+	// Set the wrapping ttl to 5s. We can't set this via the flag because we
+	// override the client object before that particular flag is parsed.
+	client.SetWrappingLookupFunc(func(string, string) string { return "5m" })
+
+	code := cmd.Run([]string{
+		"-no-store",
+		"-method", "userpass",
+		"username=test",
+		"password=test",
+	})
+	if exp := 0; code != exp {
+		t.Errorf("expected %d to be %d", code, exp)
+	}
+
+	// Unset the wrapping
+	client.SetWrappingLookupFunc(func(string, string) string { return "" })
+
+	tokenHelper, err := cmd.TokenHelper()
+	if err != nil {
+		t.Fatal(err)
+	}
+	storedToken, err := tokenHelper.Get()
+	if err != nil || storedToken != "" {
+		t.Fatalf("expected token to not be stored: %s: %q", err, storedToken)
+	}
+
+	expected := "wrapping_token"
+	output := ui.OutputWriter.String() + ui.ErrorWriter.String()
+	if !strings.Contains(output, expected) {
+		t.Errorf("expected %q to contain %q", output, expected)
+	}
+}
+
+func TestCommunicationFailure(t *testing.T) {
+	t.Parallel()
+
+	client, closer := testVaultServerBad(t)
+	defer closer()
+
+	ui, cmd := testLoginCommand(t)
+	cmd.client = client
+
+	code := cmd.Run([]string{
+		"token",
+	})
+	if exp := 2; code != exp {
+		t.Errorf("expected %d to be %d", code, exp)
+	}
+
+	expected := "Error authenticating: "
+	combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+	if !strings.Contains(combined, expected) {
+		t.Errorf("expected %q to contain %q", combined, expected)
+	}
+}
+
+func TestNoTabs(t *testing.T) {
+	t.Parallel()
+
+	_, cmd := testLoginCommand(t)
+	assertNoTabs(t, cmd)
+}
+
+func TestLoginMFASinglePhase(t *testing.T) {
+	t.Parallel()
+
+	client, closer := testVaultServer(t)
+	defer closer()
+
+	methodName := "foo"
+	waitPeriod := 5
+	userClient, entityID, methodID := testhelpers.SetupLoginMFATOTP(t, client, methodName, waitPeriod)
+	enginePath := testhelpers.RegisterEntityInTOTPEngine(t, client, entityID, methodID)
+
+	runCommand := func(methodIdentifier string) {
+		// the time required for the totp engine to generate a new code
+		time.Sleep(time.Duration(waitPeriod) * time.Second)
+		totpCode := testhelpers.GetTOTPCodeFromEngine(t, client, enginePath)
+		ui, cmd := testLoginCommand(t)
+		cmd.client = userClient
+		// login command bails early for test clients, so we have to explicitly set this
+		cmd.client.SetMFACreds([]string{methodIdentifier + ":" + totpCode})
 		code := cmd.Run([]string{
-			"-metadata", "foo=bar",
-			"-metadata", "zip=zap",
-			"-field", "token",
+			"-method", "userpass",
+			"username=testuser1",
+			"password=testpassword",
 		})
 		if exp := 0; code != exp {
 			t.Errorf("expected %d to be %d", code, exp)
 		}
 
-		token := strings.TrimSpace(ui.OutputWriter.String())
-		secret, err := client.Auth().Token().Lookup(token)
-		if secret == nil || err != nil {
+		tokenHelper, err := cmd.TokenHelper()
+		if err != nil {
 			t.Fatal(err)
 		}
-
-		meta, ok := secret.Data["meta"].(map[string]interface{})
-		if !ok {
-			t.Fatalf("missing meta: %#v", secret)
+		storedToken, err := tokenHelper.Get()
+		if err != nil {
+			t.Fatal(err)
 		}
-		if _, ok := meta["foo"]; !ok {
-			t.Errorf("missing meta.foo: %#v", meta)
+		if storedToken == "" {
+			t.Fatal("expected non-empty stored token")
 		}
-		if _, ok := meta["zip"]; !ok {
-			t.Errorf("missing meta.bar: %#v", meta)
+		output := ui.OutputWriter.String()
+		if !strings.Contains(output, storedToken) {
+			t.Fatalf("expected stored token: %q, got: %q", storedToken, output)
 		}
+	}
+	runCommand(methodID)
+	runCommand(methodName)
+}
+
+func TestLoginMFATwoPhase(t *testing.T) {
+	t.Parallel()
+
+	client, closer := testVaultServer(t)
+	defer closer()
+
+	ui, cmd := testLoginCommand(t)
+
+	userclient, entityID, methodID := testhelpers.SetupLoginMFATOTP(t, client, "", 5)
+	cmd.client = userclient
+
+	_ = testhelpers.RegisterEntityInTOTPEngine(t, client, entityID, methodID)
+
+	// clear the MFA creds just to be sure
+	cmd.client.SetMFACreds([]string{})
+
+	code := cmd.Run([]string{
+		"-method", "userpass",
+		"username=testuser1",
+		"password=testpassword",
 	})
+	if exp := 0; code != exp {
+		t.Errorf("expected %d to be %d", code, exp)
+	}
+
+	expected := methodID
+	output := ui.OutputWriter.String()
+	if !strings.Contains(output, expected) {
+		t.Fatalf("expected stored token: %q, got: %q", expected, output)
+	}
 
-	t.Run("policies", func(t *testing.T) {
-		t.Parallel()
+	tokenHelper, err := cmd.TokenHelper()
+	if err != nil {
+		t.Fatal(err)
+	}
+	storedToken, err := tokenHelper.Get()
+	if storedToken != "" {
+		t.Fatal("expected empty stored token")
+	}
+	if err != nil {
+		t.Fatal(err)
+	}
+}
 
-		client, closer := testVaultServer(t)
-		defer closer()
+func TestLoginMFATwoPhaseNonInteractiveMethodName(t *testing.T) {
+	t.Parallel()
 
-		ui, cmd := testTokenCreateCommand(t)
-		cmd.client = client
+	client, closer := testVaultServer(t)
+	defer closer()
 
-		code := cmd.Run([]string{
-			"-policy", "foo",
-			"-policy", "bar",
-			"-field", "token",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
+	ui, cmd := testLoginCommand(t)
 
-		token := strings.TrimSpace(ui.OutputWriter.String())
-		secret, err := client.Auth().Token().Lookup(token)
-		if secret == nil || err != nil {
-			t.Fatal(err)
-		}
+	methodName := "foo"
+	waitPeriod := 5
+	userclient, entityID, methodID := testhelpers.SetupLoginMFATOTP(t, client, methodName, waitPeriod)
+	cmd.client = userclient
 
-		raw, ok := secret.Data["policies"].([]interface{})
-		if !ok {
-			t.Fatalf("missing policies: %#v", secret)
-		}
+	engineName := testhelpers.RegisterEntityInTOTPEngine(t, client, entityID, methodID)
 
-		policies := make([]string, len(raw))
-		for i := range raw {
-			policies[i] = raw[i].(string)
-		}
+	// clear the MFA creds just to be sure
+	cmd.client.SetMFACreds([]string{})
 
-		expected := []string{"bar", "default", "foo"}
-		if !reflect.DeepEqual(policies, expected) {
-			t.Errorf("expected %q to be %q", policies, expected)
-		}
+	code := cmd.Run([]string{
+		"-method", "userpass",
+		"-non-interactive",
+		"username=testuser1",
+		"password=testpassword",
 	})
+	if exp := 0; code != exp {
+		t.Errorf("expected %d to be %d", code, exp)
+	}
 
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
+	output := ui.OutputWriter.String()
 
-		client, closer := testVaultServerBad(t)
-		defer closer()
+	reqIdReg := regexp.MustCompile(`mfa_request_id\s+([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\s+mfa_constraint`)
+	reqIDRaw := reqIdReg.FindAllStringSubmatch(output, -1)
+	if len(reqIDRaw) == 0 || len(reqIDRaw[0]) < 2 {
+		t.Fatal("failed to MFA request ID from output")
+	}
+	mfaReqID := reqIDRaw[0][1]
 
-		ui, cmd := testTokenCreateCommand(t)
-		cmd.client = client
+	validateFunc := func(methodIdentifier string) {
+		// the time required for the totp engine to generate a new code
+		time.Sleep(time.Duration(waitPeriod) * time.Second)
+		totpPasscode1 := "passcode=" + testhelpers.GetTOTPCodeFromEngine(t, client, engineName)
 
-		code := cmd.Run([]string{})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
+		secret, err := cmd.client.Logical().WriteWithContext(context.Background(), "sys/mfa/validate", map[string]interface{}{
+			"mfa_request_id": mfaReqID,
+			"mfa_payload": map[string][]string{
+				methodIdentifier: {totpPasscode1},
+			},
+		})
+		if err != nil {
+			t.Fatalf("mfa validation failed: %v", err)
 		}
 
-		expected := "Error creating token: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
+		if secret.Auth == nil || secret.Auth.ClientToken == "" {
+			t.Fatalf("mfa validation did not return a client token")
 		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
+	}
 
-		_, cmd := testTokenCreateCommand(t)
-		assertNoTabs(t, cmd)
-	})
+	validateFunc(methodName)
 }
diff --git a/command/token_lookup.go b/command/token_lookup.go
index 78bfd0f98f2e..b57e23451980 100644
--- a/command/token_lookup.go
+++ b/command/token_lookup.go
@@ -1,133 +1,50 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*TokenLookupCommand)(nil)
-	_ cli.CommandAutocomplete = (*TokenLookupCommand)(nil)
-)
-
-type TokenLookupCommand struct {
-	*BaseCommand
-
-	flagAccessor bool
-}
-
-func (c *TokenLookupCommand) Synopsis() string {
-	return "Display information about a token"
-}
-
-func (c *TokenLookupCommand) Help() string {
-	helpText := `
-Usage: vault token lookup [options] [TOKEN | ACCESSOR]
-
-  Displays information about a token or accessor. If a TOKEN is not provided,
-  the locally authenticated token is used.
-
-  Get information about the locally authenticated token (this uses the
-  /auth/token/lookup-self endpoint and permission):
-
-      $ vault token lookup
-
-  Get information about a particular token (this uses the /auth/token/lookup
-  endpoint and permission):
-
-      $ vault token lookup 96ddf4bc-d217-f3ba-f9bd-017055595017
-
-  Get information about a token via its accessor:
-
-      $ vault token lookup -accessor 9793c9b3-e04a-46f3-e7b8-748d7da248da
-
-  For a full list of examples, please see the documentation.
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *TokenLookupCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-
-	f := set.NewFlagSet("Command Options")
-
-	f.BoolVar(&BoolVar{
-		Name:       "accessor",
-		Target:     &c.flagAccessor,
-		Default:    false,
-		EnvVar:     "",
-		Completion: complete.PredictNothing,
-		Usage: "Treat the argument as an accessor instead of a token. When " +
-			"this option is selected, the output will NOT include the token.",
-	})
-
-	return set
-}
-
-func (c *TokenLookupCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultFiles()
-}
-
-func (c *TokenLookupCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *TokenLookupCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	token := ""
-
-	args = f.Args()
-	switch {
-	case c.flagAccessor && len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments with -accessor (expected 1, got %d)", len(args)))
-		return 1
-	case c.flagAccessor && len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments with -accessor (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) == 0:
-		// Use the local token
-	case len(args) == 1:
-		token = strings.TrimSpace(args[0])
-	case len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0-1, got %d)", len(args)))
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	var secret *api.Secret
-	switch {
-	case token == "":
-		secret, err = client.Auth().Token().LookupSelf()
-	case c.flagAccessor:
-		secret, err = client.Auth().Token().LookupAccessor(token)
-	default:
-		secret, err = client.Auth().Token().Lookup(token)
-	}
-
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error looking up token: %s", err))
-		return 2
-	}
-
-	return OutputSecret(c.UI, secret)
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<svg width="146" height="51" viewBox="0 0 146 51" xmlns="http://www.w3.org/2000/svg">
+  <g id="vault-logo-v" fill-rule="nonzero">
+    <path
+      d="M0,0 L25.4070312,51 L51,0 L0,0 Z M28.5,10.5 L31.5,10.5 L31.5,13.5 L28.5,13.5 L28.5,10.5 Z M22.5,22.5 L19.5,22.5 L19.5,19.5 L22.5,19.5 L22.5,22.5 Z M22.5,18 L19.5,18 L19.5,15 L22.5,15 L22.5,18 Z M22.5,13.5 L19.5,13.5 L19.5,10.5 L22.5,10.5 L22.5,13.5 Z M26.991018,27 L24,27 L24,24 L27,24 L26.991018,27 Z M26.991018,22.5 L24,22.5 L24,19.5 L27,19.5 L26.991018,22.5 Z M26.991018,18 L24,18 L24,15 L27,15 L26.991018,18 Z M26.991018,13.5 L24,13.5 L24,10.5 L27,10.5 L26.991018,13.5 Z M28.5,15 L31.5,15 L31.5,18 L28.5089552,18 L28.5,15 Z M28.5,22.5 L28.5,19.5 L31.5,19.5 L31.5,22.4601182 L28.5,22.5 Z"
+    ></path>
+  </g>
+
+  <path
+    id="vault-logo-name"
+    d="M69.7218638,30.2482468 L63.2587814,8.45301543 L58,8.45301543 L65.9885305,34.6072931 L73.4551971,34.6072931 L81.4437276,8.45301543 L76.1849462,8.45301543 L69.7218638,30.2482468 Z M97.6329749,22.0014025 C97.6329749,17.2103787 95.8265233,15.0897616 89.6845878,15.0897616 C87.5168459,15.0897616 84.8272401,15.4431978 82.9806452,15.9929874 L83.5827957,19.6451613 C85.3089606,19.2917251 87.2358423,19.056101 89.0021505,19.056101 C92.1333333,19.056101 92.7354839,19.802244 92.7354839,21.9228612 L92.7354839,23.9256662 L88.0387097,23.9256662 C84.0645161,23.9256662 82.3383513,25.4179523 82.3383513,29.3057504 C82.3383513,32.6044881 83.8637993,35 87.4365591,35 C89.4035842,35 91.4910394,34.4502104 93.2573477,33.3113604 L93.618638,34.6072931 L97.6329749,34.6072931 L97.6329749,22.0014025 Z M92.7354839,30.2089762 C91.8121864,30.7194951 90.4874552,31.1907433 89.0422939,31.1907433 C87.5168459,31.1907433 87.0752688,30.601683 87.0752688,29.2664797 C87.0752688,27.8134642 87.5168459,27.3814867 89.1225806,27.3814867 L92.7354839,27.3814867 L92.7354839,30.2089762 Z M102.421505,15.4824684 L102.421505,29.345021 C102.421505,32.7615708 103.585663,35 106.837276,35 C109.125448,35 112.216487,34.1753156 114.665233,32.997195 L115.146953,34.6072931 L118.880287,34.6072931 L118.880287,15.4824684 L113.982796,15.4824684 L113.982796,28.7559607 C112.216487,29.6591865 110.088889,30.3660589 108.884588,30.3660589 C107.760573,30.3660589 107.318996,29.85554 107.318996,28.8345021 L107.318996,15.4824684 L102.421505,15.4824684 Z M129.168459,34.6072931 L129.168459,7 L124.270968,7.66760168 L124.270968,34.6072931 L129.168459,34.6072931 Z M144.394265,30.601683 C143.551254,30.8373072 142.6681,30.9943899 141.94552,30.9943899 C140.660932,30.9943899 140.179211,30.3267882 140.179211,29.3057504 L140.179211,19.2917251 L144.875986,19.2917251 L145.197133,15.4824684 L140.179211,15.4824684 L140.179211,10.0631136 L135.28172,10.7307153 L135.28172,15.4824684 L132.351254,15.4824684 L132.351254,19.2917251 L135.28172,19.2917251 L135.28172,29.9340813 C135.28172,33.3506311 137.088172,35 140.660932,35 C141.905376,35 143.912545,34.6858345 144.956272,34.2538569 L144.394265,30.601683 Z"
+  ></path>
+
+  {{#if this.version.isEnterprise}}
+    <g id="vault-logo-edition-enterprise" transform="translate(65.000000, 40.000000)" fill-rule="nonzero">
+      <polygon
+        points="0.435816733 0.579322709 4.39438247 0.579322709 4.39438247 1.35454183 1.30175299 1.35454183 1.30175299 3.46577689 4.17171315 3.46577689 4.17171315 4.24099602 1.30175299 4.24099602 1.30175299 6.52541833 4.40262948 6.52541833 4.40262948 7.30063745 0.435816733 7.30063745"
+      ></polygon>
+      <polygon
+        points="7.3138247 1.58545817 7.3138247 7.31713147 6.48912351 7.31713147 6.48912351 0.579322709 7.68494024 0.579322709 10.6126295 6.35223108 10.6126295 0.579322709 11.4373307 0.579322709 11.4373307 7.31713147 10.249761 7.31713147"
+      ></polygon>
+      <polygon
+        points="15.107251 1.36278884 13.1032271 1.36278884 13.1032271 0.587569721 17.9937052 0.587569721 17.9937052 1.36278884 15.9814343 1.36278884 15.9814343 7.31713147 15.107251 7.31713147"
+      ></polygon>
+      <polygon
+        points="19.6513546 0.579322709 23.6099203 0.579322709 23.6099203 1.35454183 20.5172908 1.35454183 20.5172908 3.46577689 23.387251 3.46577689 23.387251 4.24099602 20.5172908 4.24099602 20.5172908 6.52541833 23.6181673 6.52541833 23.6181673 7.30063745 19.6431076 7.30063745"
+      ></polygon>
+      <path
+        d="M28.22,4.87601594 L26.5705976,4.87601594 L26.5705976,7.35011952 L25.7046614,7.35011952 L25.7046614,0.579322709 L28.2694821,0.579322709 C29.7127092,0.579322709 30.2240239,1.20609562 30.2240239,2.2287251 L30.2240239,3.20187251 C30.3204128,3.92160892 29.8576792,4.59791178 29.1519124,4.76880478 L30.9002789,7.30888446 L29.9023904,7.30888446 L28.22,4.87601594 Z M28.22,1.35454183 L26.5705976,1.35454183 L26.5705976,4.10079681 L28.22,4.10079681 C29.0447012,4.10079681 29.3333466,3.86988048 29.3333466,3.21011952 L29.3333466,2.25346614 C29.3580876,1.58545817 29.0694422,1.36278884 28.244741,1.36278884 L28.22,1.35454183 Z"
+      ></path>
+      <path
+        d="M32.6898805,0.579322709 L35.1639841,0.579322709 C36.6072112,0.579322709 37.1185259,1.20609562 37.1185259,2.2287251 L37.1185259,3.22661355 C37.1185259,4.26573705 36.6154582,4.87601594 35.1639841,4.87601594 L33.5970518,4.87601594 L33.5970518,7.31713147 L32.7311155,7.31713147 L32.6898805,0.579322709 Z M35.098008,1.35454183 L33.5640637,1.35454183 L33.5640637,4.12553785 L35.098008,4.12553785 C35.9227092,4.12553785 36.2113546,3.89462151 36.2113546,3.23486056 L36.2113546,2.24521912 C36.2113546,1.58545817 35.9309562,1.36278884 35.098008,1.36278884 L35.098008,1.35454183 Z"
+      ></path>
+      <path
+        d="M41.4399602,4.87601594 L39.7905578,4.87601594 L39.7905578,7.35011952 L38.9246215,7.35011952 L38.9246215,0.579322709 L41.4894422,0.579322709 C42.9326693,0.579322709 43.4439841,1.20609562 43.4439841,2.2287251 L43.4439841,3.20187251 C43.5403729,3.92160892 43.0776394,4.59791178 42.3718725,4.76880478 L44.120239,7.30888446 L43.1223506,7.30888446 L41.4399602,4.87601594 Z M41.4399602,1.35454183 L39.7905578,1.35454183 L39.7905578,4.10079681 L41.4399602,4.10079681 C42.2646614,4.10079681 42.5533068,3.86988048 42.5533068,3.21011952 L42.5533068,2.25346614 C42.5698008,1.58545817 42.2894024,1.36278884 41.4564542,1.36278884 L41.4399602,1.35454183 Z"
+      ></path>
+      <polygon points="46.8087649 7.31713147 45.9840637 7.31713147 45.9840637 0.579322709 46.8087649 0.579322709"></polygon>
+      <path
+        d="M50.9322709,7.41609562 C50.2485334,7.41749872 49.5699834,7.29742608 48.928247,7.0614741 L49.0684462,6.35223108 C49.6711823,6.54568134 50.2993133,6.64851694 50.9322709,6.65737052 C52.0126295,6.65737052 52.2352988,6.37697211 52.2352988,5.61 C52.2352988,4.70282869 52.2352988,4.62035857 50.8415538,4.30697211 C49.1921514,3.94410359 49.0189641,3.63071713 49.0189641,2.23697211 C49.0189641,1.06589641 49.5055378,0.49685259 51.1714343,0.49685259 C51.7856888,0.497823804 52.3976026,0.572582499 52.9940239,0.719521912 L52.9198008,1.45350598 C52.3508265,1.32930718 51.7702971,1.26572539 51.1879283,1.2638247 C50.0828287,1.2638247 49.8849004,1.48649402 49.8849004,2.26171315 C49.8849004,3.1936255 49.8849004,3.23486056 51.2209163,3.56474104 C53.0105179,4.01007968 53.1012351,4.27398406 53.1012351,5.58525896 C53.1342231,6.74808765 52.7878486,7.41609562 50.9322709,7.41609562 Z"
+      ></path>
+      <polygon
+        points="55.2454582 0.579322709 59.1792829 0.579322709 59.1792829 1.35454183 56.0866534 1.35454183 56.0866534 3.46577689 58.9566135 3.46577689 58.9566135 4.24099602 56.0866534 4.24099602 56.0866534 6.52541833 59.1875299 6.52541833 59.1875299 7.30063745 55.2124701 7.30063745"
+      ></polygon>
+    </g>
+  {{/if}}
+</svg>
\ No newline at end of file
diff --git a/command/token_lookup_test.go b/command/token_lookup_test.go
index db6807300e66..8fa567ada49c 100644
--- a/command/token_lookup_test.go
+++ b/command/token_lookup_test.go
@@ -1,180 +1,50 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/mitchellh/cli"
-)
-
-func testTokenLookupCommand(tb testing.TB) (*cli.MockUi, *TokenLookupCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &TokenLookupCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestTokenLookupCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"accessor_no_args",
-			[]string{"-accessor"},
-			"Not enough arguments",
-			1,
-		},
-		{
-			"accessor_too_many_args",
-			[]string{"-accessor", "abcd1234", "efgh5678"},
-			"Too many arguments",
-			1,
-		},
-		{
-			"too_many_args",
-			[]string{"abcd1234", "efgh5678"},
-			"Too many arguments",
-			1,
-		},
-	}
-
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, tc := range cases {
-			tc := tc
-
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
-
-				client, closer := testVaultServer(t)
-				defer closer()
-
-				ui, cmd := testTokenLookupCommand(t)
-				cmd.client = client
-
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
-	})
-
-	t.Run("token", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		token, _ := testTokenAndAccessor(t, client)
-
-		ui, cmd := testTokenLookupCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			token,
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := token
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("self", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		ui, cmd := testTokenLookupCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "display_name"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("accessor", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		_, accessor := testTokenAndAccessor(t, client)
-
-		ui, cmd := testTokenLookupCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"-accessor",
-			accessor,
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := accessor
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerBad(t)
-		defer closer()
-
-		ui, cmd := testTokenLookupCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Error looking up token: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testTokenLookupCommand(t)
-		assertNoTabs(t, cmd)
-	})
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Ember from 'ember';
+import { computed } from '@ember/object';
+import { inject as service } from '@ember/service';
+import Route from '@ember/routing/route';
+import ModelBoundaryRoute from 'vault/mixins/model-boundary-route';
+
+export default Route.extend(ModelBoundaryRoute, {
+  auth: service(),
+  controlGroup: service(),
+  flashMessages: service(),
+  console: service(),
+  permissions: service(),
+  namespaceService: service('namespace'),
+  router: service(),
+  version: service(),
+
+  modelTypes: computed(function () {
+    return ['secret', 'secret-engine'];
+  }),
+
+  beforeModel({ to: { queryParams } }) {
+    const authType = this.auth.getAuthType();
+    const ns = this.namespaceService.path;
+    this.auth.deleteCurrentToken();
+    this.controlGroup.deleteTokens();
+    this.namespaceService.reset();
+    this.console.set('isOpen', false);
+    this.console.clearLog(true);
+    this.flashMessages.clearMessages();
+    this.permissions.reset();
+    this.version.version = null;
+
+    queryParams.with = authType;
+    if (ns) {
+      queryParams.namespace = ns;
+    }
+    if (Ember.testing) {
+      // Don't redirect on the test
+      this.replaceWith('vault.cluster.auth', { queryParams });
+    } else {
+      const { cluster_name } = this.paramsFor('vault.cluster');
+      location.assign(this.router.urlFor('vault.cluster.auth', cluster_name, { queryParams }));
+    }
+  },
+});
diff --git a/command/token_renew.go b/command/token_renew.go
index 488ff76364bf..35d2f584ee96 100644
--- a/command/token_renew.go
+++ b/command/token_renew.go
@@ -1,144 +1,14 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package main // import "github.com/hashicorp/vault"
 
 import (
-	"fmt"
-	"strings"
-	"time"
+	"os"
 
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
+	"github.com/hashicorp/vault/command"
 )
 
-var (
-	_ cli.Command             = (*TokenRenewCommand)(nil)
-	_ cli.CommandAutocomplete = (*TokenRenewCommand)(nil)
-)
-
-type TokenRenewCommand struct {
-	*BaseCommand
-
-	flagAccessor  bool
-	flagIncrement time.Duration
-}
-
-func (c *TokenRenewCommand) Synopsis() string {
-	return "Renew a token lease"
-}
-
-func (c *TokenRenewCommand) Help() string {
-	helpText := `
-Usage: vault token renew [options] [TOKEN]
-
-  Renews a token's lease, extending the amount of time it can be used. If a
-  TOKEN is not provided, the locally authenticated token is used. A token
-  accessor can be used as well. Lease renewal will fail if the token is not
-  renewable, the token has already been revoked, or if the token has already
-  reached its maximum TTL.
-
-  Renew a token (this uses the /auth/token/renew endpoint and permission):
-
-      $ vault token renew 96ddf4bc-d217-f3ba-f9bd-017055595017
-
-  Renew the currently authenticated token (this uses the /auth/token/renew-self
-  endpoint and permission):
-
-      $ vault token renew
-
-  Renew a token requesting a specific increment value:
-
-      $ vault token renew -increment=30m 96ddf4bc-d217-f3ba-f9bd-017055595017
-
-  For a full list of examples, please see the documentation.
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *TokenRenewCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
-	f := set.NewFlagSet("Command Options")
-
-	f.BoolVar(&BoolVar{
-		Name:       "accessor",
-		Target:     &c.flagAccessor,
-		Default:    false,
-		EnvVar:     "",
-		Completion: complete.PredictNothing,
-		Usage: "Treat the argument as an accessor instead of a token. When " +
-			"this option is selected, the output will NOT include the token.",
-	})
-
-	f.DurationVar(&DurationVar{
-		Name:       "increment",
-		Aliases:    []string{"i"},
-		Target:     &c.flagIncrement,
-		Default:    0,
-		EnvVar:     "",
-		Completion: complete.PredictAnything,
-		Usage: "Request a specific increment for renewal. This increment may " +
-			"not be honored, for instance in the case of periodic tokens. If not " +
-			"supplied, Vault will use the default TTL. This is specified as a " +
-			"numeric string with suffix like \"30s\" or \"5m\".",
-	})
-
-	return set
-}
-
-func (c *TokenRenewCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultFiles()
-}
-
-func (c *TokenRenewCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *TokenRenewCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	token := ""
-	increment := c.flagIncrement
-
-	args = f.Args()
-	switch len(args) {
-	case 0:
-		// Use the local token
-	case 1:
-		token = strings.TrimSpace(args[0])
-	default:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	var secret *api.Secret
-	inc := truncateToSeconds(increment)
-	switch {
-	case token == "":
-		secret, err = client.Auth().Token().RenewSelf(inc)
-	case c.flagAccessor:
-		secret, err = client.Auth().Token().RenewAccessor(token, inc)
-	default:
-		secret, err = client.Auth().Token().Renew(token, inc)
-	}
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error renewing token: %s", err))
-		return 2
-	}
-
-	return OutputSecret(c.UI, secret)
+func main() {
+	os.Exit(command.Run(os.Args[1:]))
 }
diff --git a/command/token_renew_test.go b/command/token_renew_test.go
index 70ec46e99e4b..ae34e9289ab5 100644
--- a/command/token_renew_test.go
+++ b/command/token_renew_test.go
@@ -1,230 +1,102 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"encoding/json"
-	"strconv"
-	"strings"
-	"testing"
-
-	"github.com/mitchellh/cli"
-)
-
-func testTokenRenewCommand(tb testing.TB) (*cli.MockUi, *TokenRenewCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &TokenRenewCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestTokenRenewCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"too_many_args",
-			[]string{"foo", "bar", "baz"},
-			"Too many arguments",
-			1,
-		},
-		{
-			"default",
-			nil,
-			"",
-			0,
-		},
-		{
-			"increment",
-			[]string{"-increment", "60s"},
-			"",
-			0,
-		},
-		{
-			"increment_no_suffix",
-			[]string{"-increment", "60"},
-			"",
-			0,
-		},
-	}
-
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, tc := range cases {
-			tc := tc
-
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
-
-				client, closer := testVaultServer(t)
-				defer closer()
-
-				// Login with the token so we can renew-self.
-				token, _ := testTokenAndAccessor(t, client)
-				client.SetToken(token)
-
-				ui, cmd := testTokenRenewCommand(t)
-				cmd.client = client
-
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
-	})
-
-	t.Run("token", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		token, _ := testTokenAndAccessor(t, client)
-
-		_, cmd := testTokenRenewCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"-increment", "30m",
-			token,
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		secret, err := client.Auth().Token().Lookup(token)
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		str := string(secret.Data["ttl"].(json.Number))
-		ttl, err := strconv.ParseInt(str, 10, 64)
-		if err != nil {
-			t.Fatalf("bad ttl: %#v", secret.Data["ttl"])
-		}
-		if exp := int64(1800); ttl > exp {
-			t.Errorf("expected %d to be <= to %d", ttl, exp)
-		}
-	})
-
-	t.Run("accessor", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		token, accessor := testTokenAndAccessor(t, client)
-
-		_, cmd := testTokenRenewCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"-increment", "30m",
-			"-accessor",
-			accessor,
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		secret, err := client.Auth().Token().Lookup(token)
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		str := string(secret.Data["ttl"].(json.Number))
-		ttl, err := strconv.ParseInt(str, 10, 64)
-		if err != nil {
-			t.Fatalf("bad ttl: %#v", secret.Data["ttl"])
-		}
-		if exp := int64(1800); ttl > exp {
-			t.Errorf("expected %d to be <= to %d", ttl, exp)
-		}
-	})
-
-	t.Run("self", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		token, _ := testTokenAndAccessor(t, client)
-
-		// Get the old token and login as the new token. We need the old token
-		// to query after the lookup, but we need the new token on the client.
-		oldToken := client.Token()
-		client.SetToken(token)
-
-		_, cmd := testTokenRenewCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"-increment", "30m",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		client.SetToken(oldToken)
-		secret, err := client.Auth().Token().Lookup(token)
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		str := string(secret.Data["ttl"].(json.Number))
-		ttl, err := strconv.ParseInt(str, 10, 64)
-		if err != nil {
-			t.Fatalf("bad ttl: %#v", secret.Data["ttl"])
-		}
-		if exp := int64(1800); ttl > exp {
-			t.Errorf("expected %d to be <= to %d", ttl, exp)
-		}
-	})
-
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerBad(t)
-		defer closer()
-
-		ui, cmd := testTokenRenewCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"foo/bar",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Error renewing token: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testTokenRenewCommand(t)
-		assertNoTabs(t, cmd)
-	})
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<div
+  class="masked-input {{if @displayOnly 'display-only'}} {{if @allowCopy 'allow-copy'}}"
+  data-test-masked-input
+  data-test-field
+  ...attributes
+>
+  {{#if @displayOnly}}
+    {{#if this.showValue}}
+      {{! Show minus icon if there is no value }}
+      {{#if (eq @value "")}}
+        <Icon class="masked-value" @name="minus" />
+      {{else}}
+        <pre class="masked-value display-only is-word-break">{{@value}}</pre>
+      {{/if}}
+    {{else}}
+      <pre class="masked-value display-only masked-font">***********</pre>
+    {{/if}}
+  {{else}}
+    <Textarea
+      id={{this.textareaId}}
+      name={{@name}}
+      @value={{@value}}
+      class="input masked-value {{unless this.showValue 'masked-font'}}"
+      rows={{1}}
+      wrap="off"
+      spellcheck="false"
+      {{on "change" this.onChange}}
+      {{on "keyup" (fn this.handleKeyUp @name)}}
+      data-test-textarea
+    />
+  {{/if}}
+  {{#if @allowCopy}}
+    <Hds::Copy::Button
+      @text="Copy"
+      @isIconOnly={{true}}
+      @textToCopy={{@value}}
+      class="transparent has-padding-xxs"
+      data-test-copy-button={{or @value true}}
+    />
+  {{/if}}
+  {{#if @allowDownload}}
+    <Hds::Button
+      @text="Download secret value"
+      @icon="download"
+      @isIconOnly={{true}}
+      @color="tertiary"
+      class="has-padding-xxs"
+      data-test-download-icon
+      {{on "click" (fn (mut this.modalOpen) true)}}
+    />
+  {{/if}}
+  <Hds::Button
+    @text={{if this.showValue "hide value" "show value"}}
+    @icon={{if this.showValue "eye-off" "eye"}}
+    @isIconOnly={{true}}
+    @color="tertiary"
+    class="has-padding-xxs"
+    data-test-button="toggle-masked"
+    {{on "click" this.toggleMask}}
+  />
+</div>
+
+{{! CONFIRM DOWNLOAD MODAL }}
+{{#if this.modalOpen}}
+  <Hds::Modal @color="warning" id="confirm-download-modal" @onClose={{fn (mut this.modalOpen) false}} as |M|>
+    <M.Header @icon="alert-triangle">
+      Download secret value?
+    </M.Header>
+    <M.Body>
+      This download is
+      <strong>unencrypted</strong>. Are you sure you want to download this secret data as plaintext?
+
+      <div class="has-top-margin-m">
+        <Hds::Form::Toggle::Field
+          checked={{this.stringifyDownload}}
+          {{on "change" this.toggleStringifyDownload}}
+          data-test-stringify-toggle
+          as |F|
+        >
+          <F.Label>Stringify secret value</F.Label>
+          <F.HelperText>Preserve formatting for JSON values.</F.HelperText>
+        </Hds::Form::Toggle::Field>
+      </div>
+    </M.Body>
+    <M.Footer as |F|>
+      <Hds::ButtonSet>
+        <DownloadButton
+          @filename={{or @name "secret-value"}}
+          @data={{@value}}
+          @stringify={{this.stringifyDownload}}
+          @onSuccess={{fn (mut this.modalOpen) false}}
+        />
+        <Hds::Button @text="Cancel" @color="secondary" {{on "click" F.close}} />
+      </Hds::ButtonSet>
+    </M.Footer>
+  </Hds::Modal>
+{{/if}}
\ No newline at end of file
diff --git a/command/token_revoke.go b/command/token_revoke.go
index 0aa9d0abd851..a2587b47b3ab 100644
--- a/command/token_revoke.go
+++ b/command/token_revoke.go
@@ -1,179 +1,78 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*TokenRevokeCommand)(nil)
-	_ cli.CommandAutocomplete = (*TokenRevokeCommand)(nil)
-)
-
-type TokenRevokeCommand struct {
-	*BaseCommand
-
-	flagAccessor bool
-	flagSelf     bool
-	flagMode     string
-}
-
-func (c *TokenRevokeCommand) Synopsis() string {
-	return "Revoke a token and its children"
-}
-
-func (c *TokenRevokeCommand) Help() string {
-	helpText := `
-Usage: vault token revoke [options] [TOKEN | ACCESSOR]
-
-  Revokes authentication tokens and their children. If a TOKEN is not provided,
-  the locally authenticated token is used. The "-mode" flag can be used to
-  control the behavior of the revocation. See the "-mode" flag documentation
-  for more information.
-
-  Revoke a token and all the token's children:
-
-      $ vault token revoke 96ddf4bc-d217-f3ba-f9bd-017055595017
-
-  Revoke a token leaving the token's children:
-
-      $ vault token revoke -mode=orphan 96ddf4bc-d217-f3ba-f9bd-017055595017
-
-  Revoke a token by accessor:
-
-      $ vault token revoke -accessor 9793c9b3-e04a-46f3-e7b8-748d7da248da
-
-  For a full list of examples, please see the documentation.
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *TokenRevokeCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP)
-
-	f := set.NewFlagSet("Command Options")
-
-	f.BoolVar(&BoolVar{
-		Name:       "accessor",
-		Target:     &c.flagAccessor,
-		Default:    false,
-		EnvVar:     "",
-		Completion: complete.PredictNothing,
-		Usage:      "Treat the argument as an accessor instead of a token.",
-	})
-
-	f.BoolVar(&BoolVar{
-		Name:       "self",
-		Target:     &c.flagSelf,
-		Default:    false,
-		EnvVar:     "",
-		Completion: complete.PredictNothing,
-		Usage:      "Perform the revocation on the currently authenticated token.",
-	})
-
-	f.StringVar(&StringVar{
-		Name:       "mode",
-		Target:     &c.flagMode,
-		Default:    "",
-		EnvVar:     "",
-		Completion: complete.PredictSet("orphan", "path"),
-		Usage: "Type of revocation to perform. If unspecified, Vault will revoke " +
-			"the token and all of the token's children. If \"orphan\", Vault will " +
-			"revoke only the token, leaving the children as orphans. If \"path\", " +
-			"tokens created from the given authentication path prefix are deleted " +
-			"along with their children.",
-	})
-
-	return set
-}
-
-func (c *TokenRevokeCommand) AutocompleteArgs() complete.Predictor {
-	return nil
-}
-
-func (c *TokenRevokeCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *TokenRevokeCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	token := ""
-	if len(args) > 0 {
-		token = strings.TrimSpace(args[0])
-	}
-
-	switch c.flagMode {
-	case "", "orphan", "path":
-	default:
-		c.UI.Error(fmt.Sprintf("Invalid mode: %s", c.flagMode))
-		return 1
-	}
-
-	switch {
-	case c.flagSelf && len(args) > 0:
-		c.UI.Error(fmt.Sprintf("Too many arguments with -self (expected 0, got %d)", len(args)))
-		return 1
-	case !c.flagSelf && len(args) > 1:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1 or -self, got %d)", len(args)))
-		return 1
-	case !c.flagSelf && len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1 or -self, got %d)", len(args)))
-		return 1
-	case c.flagSelf && c.flagAccessor:
-		c.UI.Error("Cannot use -self with -accessor!")
-		return 1
-	case c.flagSelf && c.flagMode != "":
-		c.UI.Error("Cannot use -self with -mode!")
-		return 1
-	case c.flagAccessor && c.flagMode == "orphan":
-		c.UI.Error("Cannot use -accessor with -mode=orphan!")
-		return 1
-	case c.flagAccessor && c.flagMode == "path":
-		c.UI.Error("Cannot use -accessor with -mode=path!")
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	var revokeFn func(string) error
-	// Handle all 6 possible combinations
-	switch {
-	case !c.flagAccessor && c.flagSelf && c.flagMode == "":
-		revokeFn = client.Auth().Token().RevokeSelf
-	case !c.flagAccessor && !c.flagSelf && c.flagMode == "":
-		revokeFn = client.Auth().Token().RevokeTree
-	case !c.flagAccessor && !c.flagSelf && c.flagMode == "orphan":
-		revokeFn = client.Auth().Token().RevokeOrphan
-	case !c.flagAccessor && !c.flagSelf && c.flagMode == "path":
-		revokeFn = client.Sys().RevokePrefix
-	case c.flagAccessor && !c.flagSelf && c.flagMode == "":
-		revokeFn = client.Auth().Token().RevokeAccessor
-	}
-
-	if err := revokeFn(token); err != nil {
-		c.UI.Error(fmt.Sprintf("Error revoking token: %s", err))
-		return 2
-	}
-
-	c.UI.Output("Success! Revoked token (if it existed)")
-	return 0
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<div class="auth-form" data-test-mfa-form>
+  <div class="box is-marginless is-shadowless">
+    <p data-test-mfa-description>
+      {{this.description}}
+    </p>
+    <form id="auth-form" {{on "submit" this.submit}}>
+      <MessageError @errorMessage={{this.error}} />
+      <div class="field has-top-margin-l">
+        {{#each this.constraints as |constraint index|}}
+          {{#if index}}
+            <hr />
+          {{/if}}
+          {{#if (gt constraint.methods.length 1)}}
+            <Select
+              @label="Multi-factor authentication method"
+              @options={{constraint.methods}}
+              @valueAttribute={{"id"}}
+              @labelAttribute={{"label"}}
+              @isFullwidth={{true}}
+              @noDefault={{true}}
+              @selectedValue={{constraint.selectedId}}
+              @onChange={{fn this.onSelect constraint}}
+              data-test-mfa-select={{index}}
+            />
+          {{else}}
+            <label for="passcode" class="is-label" data-test-mfa-label>
+              {{constraint.selectedMethod.label}}
+            </label>
+          {{/if}}
+          {{#if constraint.selectedMethod.uses_passcode}}
+            <div class="control">
+              {{! template-lint-disable no-autofocus-attribute}}
+              <Input
+                id="passcode"
+                name="passcode"
+                class="input"
+                autocomplete="off"
+                placeholder={{if (gt constraint.methods.length 1) "Enter passcode"}}
+                spellcheck="false"
+                autofocus="true"
+                disabled={{or this.validate.isRunning this.newCodeDelay.isRunning}}
+                @value={{constraint.passcode}}
+                data-test-mfa-passcode={{index}}
+              />
+              {{! template-lint-enable no-autofocus-attribute}}
+            </div>
+          {{else if (eq constraint.methods.length 1)}}
+            <p class="has-text-grey-400" data-test-mfa-push-instruction>
+              Check device for push notification
+            </p>
+          {{/if}}
+        {{/each}}
+      </div>
+      {{#if this.newCodeDelay.isRunning}}
+        <div>
+          <AlertInline @type="danger" @message={{this.codeDelayMessage}} />
+        </div>
+      {{/if}}
+      <Hds::Button
+        @text="Verify"
+        @icon={{if this.validate.isRunning "loading"}}
+        id="validate"
+        type="submit"
+        disabled={{or this.validate.isRunning this.newCodeDelay.isRunning}}
+        data-test-mfa-validate
+      />
+      {{#if this.newCodeDelay.isRunning}}
+        <Icon @name="delay" class="has-text-grey" />
+        <span class="has-text-grey is-v-centered" data-test-mfa-countdown>{{this.countdown}}</span>
+      {{/if}}
+    </form>
+  </div>
+</div>
\ No newline at end of file
diff --git a/command/token_revoke_test.go b/command/token_revoke_test.go
index 70aa8a08c6a1..3c203179fe37 100644
--- a/command/token_revoke_test.go
+++ b/command/token_revoke_test.go
@@ -1,229 +1,35 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/mitchellh/cli"
-)
-
-func testTokenRevokeCommand(tb testing.TB) (*cli.MockUi, *TokenRevokeCommand) {
-	tb.Helper()
-
-	ui := cli.NewMockUi()
-	return ui, &TokenRevokeCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
-}
-
-func TestTokenRevokeCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	validations := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"bad_mode",
-			[]string{"-mode=banana"},
-			"Invalid mode",
-			1,
-		},
-		{
-			"empty",
-			nil,
-			"Not enough arguments",
-			1,
-		},
-		{
-			"args_with_self",
-			[]string{"-self", "abcd1234"},
-			"Too many arguments",
-			1,
-		},
-		{
-			"too_many_args",
-			[]string{"abcd1234", "efgh5678"},
-			"Too many arguments",
-			1,
-		},
-		{
-			"self_and_accessor",
-			[]string{"-self", "-accessor"},
-			"Cannot use -self with -accessor",
-			1,
-		},
-		{
-			"self_and_mode",
-			[]string{"-self", "-mode=orphan"},
-			"Cannot use -self with -mode",
-			1,
-		},
-		{
-			"accessor_and_mode_orphan",
-			[]string{"-accessor", "-mode=orphan", "abcd1234"},
-			"Cannot use -accessor with -mode=orphan",
-			1,
-		},
-		{
-			"accessor_and_mode_path",
-			[]string{"-accessor", "-mode=path", "abcd1234"},
-			"Cannot use -accessor with -mode=path",
-			1,
-		},
-	}
-
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, tc := range validations {
-			tc := tc
-
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
-
-				client, closer := testVaultServer(t)
-				defer closer()
-
-				ui, cmd := testTokenRevokeCommand(t)
-				cmd.client = client
-
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
-	})
-
-	t.Run("token", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		token, _ := testTokenAndAccessor(t, client)
-
-		ui, cmd := testTokenRevokeCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			token,
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Success! Revoked token"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-
-		secret, err := client.Auth().Token().Lookup(token)
-		if secret != nil || err == nil {
-			t.Errorf("expected token to be revoked: %#v", secret)
-		}
-	})
-
-	t.Run("self", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		ui, cmd := testTokenRevokeCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"-self",
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Success! Revoked token"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-
-		secret, err := client.Auth().Token().LookupSelf()
-		if secret != nil || err == nil {
-			t.Errorf("expected token to be revoked: %#v", secret)
-		}
-	})
-
-	t.Run("accessor", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		token, accessor := testTokenAndAccessor(t, client)
-
-		ui, cmd := testTokenRevokeCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"-accessor",
-			accessor,
-		})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Success! Revoked token"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-
-		secret, err := client.Auth().Token().Lookup(token)
-		if secret != nil || err == nil {
-			t.Errorf("expected token to be revoked: %#v", secret)
-		}
-	})
-
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerBad(t)
-		defer closer()
-
-		ui, cmd := testTokenRevokeCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"abcd1234",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Error revoking token: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testTokenRevokeCommand(t)
-		assertNoTabs(t, cmd)
-	})
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<SplashPage>
+  <:header>
+    <h1 class="title is-4">MFA setup</h1>
+  </:header>
+  <:content>
+    <div class="auth-form" data-test-mfa-form>
+      <div class="box">
+        {{#if (eq this.onStep 1)}}
+          <Mfa::MfaSetupStepOne
+            @isUUIDVerified={{this.isUUIDVerified}}
+            @restartFlow={{this.restartFlow}}
+            @saveUUIDandQrCode={{this.saveUUIDandQrCode}}
+            @showWarning={{this.showWarning}}
+            data-test-step-one
+          />
+        {{/if}}
+        {{#if (eq this.onStep 2)}}
+          <Mfa::MfaSetupStepTwo
+            @entityId={{this.entityId}}
+            @uuid={{this.uuid}}
+            @qrCode={{this.qrCode}}
+            @restartFlow={{this.restartFlow}}
+            @warning={{this.warning}}
+            data-test-step-two
+          />
+        {{/if}}
+      </div>
+    </div>
+  </:content>
+</SplashPage>
\ No newline at end of file
diff --git a/command/transform.go b/command/transform.go
index a85229bddbf4..f39ca72a360a 100644
--- a/command/transform.go
+++ b/command/transform.go
@@ -4,41 +4,135 @@
 package command
 
 import (
+	"context"
+	"fmt"
 	"strings"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/go-secure-stdlib/strutil"
+	"github.com/posener/complete"
 )
 
-var _ cli.Command = (*TransformCommand)(nil)
+var (
+	_ cli.Command             = (*MonitorCommand)(nil)
+	_ cli.CommandAutocomplete = (*MonitorCommand)(nil)
+)
 
-type TransformCommand struct {
+type MonitorCommand struct {
 	*BaseCommand
+
+	logLevel  string
+	logFormat string
+
+	// ShutdownCh is used to capture interrupt signal and end streaming
+	ShutdownCh chan struct{}
 }
 
-func (c *TransformCommand) Synopsis() string {
-	return "Interact with Vault's Transform Secrets Engine"
+func (c *MonitorCommand) Synopsis() string {
+	return "Stream log messages from a Vault server"
 }
 
-func (c *TransformCommand) Help() string {
+func (c *MonitorCommand) Help() string {
 	helpText := `
-Usage: vault transform <subcommand> [options] [args]
+Usage: vault monitor [options]
+
+	Stream log messages of a Vault server. The monitor command lets you listen
+	for log levels that may be filtered out of the server logs. For example,
+	the server may be logging at the INFO level, but with the monitor command
+	you can set -log-level=DEBUG.
+
+` + c.Flags().Help()
 
-  This command has subcommands for interacting with Vault's Transform Secrets
-  Engine. Here are some simple examples, and more detailed examples are
-  available in the subcommands or the documentation.
+	return strings.TrimSpace(helpText)
+}
 
-  To import a key into a new FPE transformation:
+func (c *MonitorCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP)
 
-  $ vault transform import transform/transformations/fpe/new-transformation @path/to/key \
-      template=identifier \
-	  allowed_roles=physical-access 
+	f := set.NewFlagSet("Monitor Options")
+	f.StringVar(&StringVar{
+		Name:       "log-level",
+		Target:     &c.logLevel,
+		Default:    "info",
+		Completion: complete.PredictSet("trace", "debug", "info", "warn", "error"),
+		Usage: "If passed, the log level to monitor logs. Supported values" +
+			"(in order of detail) are \"trace\", \"debug\", \"info\", \"warn\"" +
+			" and \"error\". These are not case sensitive.",
+	})
+	f.StringVar(&StringVar{
+		Name:       "log-format",
+		Target:     &c.logFormat,
+		Default:    "standard",
+		Completion: complete.PredictSet("standard", "json"),
+		Usage:      "Output format of logs. Supported values are \"standard\" and \"json\".",
+	})
 
-  Please see the individual subcommand help for detailed usage information.
-`
+	return set
+}
 
-	return strings.TrimSpace(helpText)
+func (c *MonitorCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictNothing
 }
 
-func (c *TransformCommand) Run(args []string) int {
-	return cli.RunResultHelp
+func (c *MonitorCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *MonitorCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	parsedArgs := f.Args()
+	if len(parsedArgs) > 0 {
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(parsedArgs)))
+		return 1
+	}
+
+	c.logLevel = strings.ToLower(c.logLevel)
+	validLevels := []string{"trace", "debug", "info", "warn", "error"}
+	if !strutil.StrListContains(validLevels, c.logLevel) {
+		c.UI.Error(fmt.Sprintf("%s is an unknown log level. Valid log levels are: %s", c.logLevel, validLevels))
+		return 1
+	}
+
+	c.logFormat = strings.ToLower(c.logFormat)
+	validFormats := []string{"standard", "json"}
+	if !strutil.StrListContains(validFormats, c.logFormat) {
+		c.UI.Error(fmt.Sprintf("%s is an unknown log format. Valid log formats are: %s", c.logFormat, validFormats))
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	// Remove the default 60 second timeout so we can stream indefinitely
+	client.SetClientTimeout(0)
+
+	var logCh chan string
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	logCh, err = client.Sys().Monitor(ctx, c.logLevel, c.logFormat)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error starting monitor: %s", err))
+		return 1
+	}
+
+	for {
+		select {
+		case log, ok := <-logCh:
+			if !ok {
+				return 0
+			}
+			c.UI.Info(log)
+		case <-c.ShutdownCh:
+			return 0
+		}
+	}
 }
diff --git a/command/transform_import_key.go b/command/transform_import_key.go
index e582abd28ac3..fd1b288fd243 100644
--- a/command/transform_import_key.go
+++ b/command/transform_import_key.go
@@ -4,76 +4,91 @@
 package command
 
 import (
-	"errors"
-	"regexp"
 	"strings"
+	"sync/atomic"
+	"testing"
+	"time"
 
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
+	"github.com/hashicorp/cli"
 )
 
-var (
-	_                cli.Command             = (*TransformImportCommand)(nil)
-	_                cli.CommandAutocomplete = (*TransformImportCommand)(nil)
-	transformKeyPath                         = regexp.MustCompile("^(.*)/transformations/(fpe|tokenization)/([^/]*)$")
-)
-
-type TransformImportCommand struct {
-	*BaseCommand
-}
+func testMonitorCommand(tb testing.TB) (*cli.MockUi, *MonitorCommand) {
+	tb.Helper()
 
-func (c *TransformImportCommand) Synopsis() string {
-	return "Import a key into the Transform secrets engines."
+	ui := cli.NewMockUi()
+	return ui, &MonitorCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
 }
 
-func (c *TransformImportCommand) Help() string {
-	helpText := `
-Usage: vault transform import PATH KEY [options...]
-
-  Using the Transform key wrapping system, imports key material from
-  the base64 encoded KEY (either directly on the CLI or via @path notation),
-  into a new FPE or tokenization transformation whose API path is PATH. 
+func TestMonitorCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int64
+	}{
+		{
+			"valid",
+			[]string{
+				"-log-level=debug",
+			},
+			"",
+			0,
+		},
+		{
+			"too_many_args",
+			[]string{
+				"-log-level=debug",
+				"foo",
+			},
+			"Too many arguments",
+			1,
+		},
+		{
+			"unknown_log_level",
+			[]string{
+				"-log-level=haha",
+			},
+			"haha is an unknown log level",
+			1,
+		},
+	}
 
-  To import a new key version into an existing tokenization transformation, 
-  use import_version. 
-  
-  The remaining options after KEY (key=value style) are passed on to 
-  Create/Update FPE Transformation or Create/Update Tokenization Transformation 
-  API endpoints.
+	for _, tc := range cases {
+		tc := tc
 
-  For example:
-  $ vault transform import transform/transformations/tokenization/application-form @path/to/key \        
-       allowed_roles=legacy-system 
-` + c.Flags().Help()
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			client, closer := testVaultServer(t)
+			defer closer()
 
-	return strings.TrimSpace(helpText)
-}
+			var code int64
+			shutdownCh := make(chan struct{})
 
-func (c *TransformImportCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP)
-}
+			ui, cmd := testMonitorCommand(t)
+			cmd.client = client
+			cmd.ShutdownCh = shutdownCh
 
-func (c *TransformImportCommand) AutocompleteArgs() complete.Predictor {
-	return nil
-}
+			go func() {
+				atomic.StoreInt64(&code, int64(cmd.Run(tc.args)))
+			}()
 
-func (c *TransformImportCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
+			<-time.After(3 * time.Second)
+			close(shutdownCh)
 
-func (c *TransformImportCommand) Run(args []string) int {
-	return ImportKey(c.BaseCommand, "import", transformImportKeyPath, c.Flags(), args)
-}
+			if atomic.LoadInt64(&code) != tc.code {
+				t.Errorf("expected %d to be %d", code, tc.code)
+			}
 
-func transformImportKeyPath(s string, operation string) (path string, apiPath string, err error) {
-	parts := transformKeyPath.FindStringSubmatch(s)
-	if len(parts) != 4 {
-		return "", "", errors.New("expected transform path and key name in the form :path:/transformations/fpe|tokenization/:name:")
+			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+			if !strings.Contains(combined, tc.out) {
+				t.Fatalf("expected %q to contain %q", combined, tc.out)
+			}
+		})
 	}
-	path = parts[1]
-	transformation := parts[2]
-	keyName := parts[3]
-	apiPath = path + "/transformations/" + transformation + "/" + keyName + "/" + operation
-
-	return path, apiPath, nil
 }
diff --git a/command/transform_import_key_version.go b/command/transform_import_key_version.go
index 38e677b30b05..026d4f795425 100644
--- a/command/transform_import_key_version.go
+++ b/command/transform_import_key_version.go
@@ -1,59 +1,64 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
 
-package command
+<PageHeader as |p|>
+  <p.levelLeft>
+    <h1 class="title is-3 title-with-icon" data-test-mount-form-header="true">
+      {{#if this.showEnable}}
+        {{#let (find-by "type" @mountModel.type @mountTypes) as |typeInfo|}}
+          <Icon @name={{or typeInfo.glyph typeInfo.type}} @size="24" class="has-text-grey-light" />
+          {{#if (eq @mountType "secret")}}
+            {{concat "Enable " typeInfo.displayName " Secrets Engine"}}
+          {{else}}
+            {{concat "Enable " typeInfo.displayName " Authentication Method"}}
+          {{/if}}
+        {{/let}}
+      {{else if (eq @mountType "secret")}}
+        Enable a Secrets Engine
+      {{else}}
+        Enable an Authentication Method
+      {{/if}}
+    </h1>
+  </p.levelLeft>
+</PageHeader>
 
-import (
-	"strings"
+<div class="box is-sideless is-bottomless is-fullwidth is-marginless">
+  <NamespaceReminder @mode="enable" @noun={{if (eq @mountType "secret") "Secret Engine" "Auth Method"}} />
+  <MessageError @errorMessage={{this.errorMessage}} />
+  {{#if @mountModel.type}}
+    <form {{on "submit" (perform this.mountBackend)}}>
+      <FormFieldGroups
+        @model={{@mountModel}}
+        @renderGroup="default"
+        @modelValidations={{this.modelValidations}}
+        @onKeyUp={{this.onKeyUp}}
+      />
+      <FormFieldGroups @model={{@mountModel}} @renderGroup="Method Options" />
 
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*TransformImportVersionCommand)(nil)
-	_ cli.CommandAutocomplete = (*TransformImportVersionCommand)(nil)
-)
-
-type TransformImportVersionCommand struct {
-	*BaseCommand
-}
-
-func (c *TransformImportVersionCommand) Synopsis() string {
-	return "Import key material into a new key version in the Transform secrets engines."
-}
-
-func (c *TransformImportVersionCommand) Help() string {
-	helpText := `
-Usage: vault transform import-version PATH KEY [...]
-
-  Using the Transform key wrapping system, imports new key material from
-  the base64 encoded KEY (either directly on the CLI or via @path notation),
-  into an existing tokenization transformation whose API path is PATH. 
-
-  The remaining options after KEY (key=value style) are passed on to 
-  Create/Update Tokenization Transformation API endpoint.
-
-  For example:
-  $ vault transform import-version transform/transformations/tokenization/application-form @path/to/new_version \        
-       allowed_roles=legacy-system
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *TransformImportVersionCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP)
-}
-
-func (c *TransformImportVersionCommand) AutocompleteArgs() complete.Predictor {
-	return nil
-}
-
-func (c *TransformImportVersionCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *TransformImportVersionCommand) Run(args []string) int {
-	return ImportKey(c.BaseCommand, "import_version", transformImportKeyPath, c.Flags(), args)
-}
+      <div class="field is-grouped box is-fullwidth is-bottomless">
+        <div class="control">
+          <Hds::Button
+            @text={{if (eq @mountType "secret") "Enable engine" "Enable method"}}
+            @icon={{if this.mountBackend.isRunning "loading"}}
+            type="submit"
+            data-test-mount-submit="true"
+            disabled={{this.mountBackend.isRunning}}
+          />
+        </div>
+        <div class="control">
+          <Hds::Button @text="Back" @color="secondary" data-test-mount-back {{on "click" (fn this.setMountType "")}} />
+        </div>
+        {{#if this.invalidFormAlert}}
+          <div class="control">
+            <AlertInline @type="danger" class="has-top-padding-s" @message={{this.invalidFormAlert}} />
+          </div>
+        {{/if}}
+      </div>
+    </form>
+  {{else}}
+    {{!  Type not yet set, show type options }}
+    <MountBackend::TypeForm @setMountType={{this.setMountType}} @mountType={{@mountType}} />
+  {{/if}}
+</div>
\ No newline at end of file
diff --git a/command/transit.go b/command/transit.go
index a74ff505881c..ccc276cdd38b 100644
--- a/command/transit.go
+++ b/command/transit.go
@@ -1,42 +1,34 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"strings"
-
-	"github.com/mitchellh/cli"
-)
-
-var _ cli.Command = (*TransitCommand)(nil)
-
-type TransitCommand struct {
-	*BaseCommand
-}
-
-func (c *TransitCommand) Synopsis() string {
-	return "Interact with Vault's Transit Secrets Engine"
-}
-
-func (c *TransitCommand) Help() string {
-	helpText := `
-Usage: vault transit <subcommand> [options] [args]
-
-  This command has subcommands for interacting with Vault's Transit Secrets
-  Engine. Here are some simple examples, and more detailed examples are
-  available in the subcommands or the documentation.
-
-  To import a key into the specified Transit mount:
-
-  $ vault transit import transit/keys/newly-imported @path/to/key type=rsa-2048
-
-  Please see the individual subcommand help for detailed usage information.
-`
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *TransitCommand) Run(args []string) int {
-	return cli.RunResultHelp
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<PageHeader as |p|>
+  <p.top>
+    <KeyValueHeader @baseKey={{this.model}} @path="vault.cluster.access.method" @root={{this.root}} @showCurrent={{true}} />
+  </p.top>
+  <p.levelLeft>
+    <h1 class="title is-3">
+      {{titleize this.model.methodType}}
+    </h1>
+  </p.levelLeft>
+  <p.levelRight>
+    {{#if (eq this.section "configuration")}}
+      <div class="field is-grouped">
+        <div class="control">
+          <LinkTo
+            @route="vault.cluster.settings.auth.configure"
+            @model={{this.model.id}}
+            class="button is-ghost has-icon-right is-compact"
+            data-test-configure-link={{true}}
+          >
+            Configure
+            <Chevron />
+          </LinkTo>
+        </div>
+      </div>
+    {{/if}}
+  </p.levelRight>
+</PageHeader>
+{{section-tabs this.model "authShow"}}
+{{component (concat "auth-method/" this.section) model=this.model}}
\ No newline at end of file
diff --git a/command/transit_import_key.go b/command/transit_import_key.go
index d8dd60b07492..d06c331ea12a 100644
--- a/command/transit_import_key.go
+++ b/command/transit_import_key.go
@@ -1,218 +1,1962 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package command
+package vault
 
 import (
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/sha256"
-	"crypto/x509"
-	"encoding/base64"
-	"encoding/pem"
+	"context"
+	"encoding/hex"
 	"errors"
 	"fmt"
 	"os"
-	"regexp"
+	"sort"
 	"strings"
+	"sync"
+	"time"
 
-	"github.com/hashicorp/vault/api"
+	"github.com/armon/go-metrics"
+	"github.com/hashicorp/go-secure-stdlib/strutil"
+	"github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/vault/builtin/plugin"
+	"github.com/hashicorp/vault/helper/metricsutil"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/helper/versions"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/helper/jsonutil"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/mitchellh/copystructure"
+)
+
+const (
+	// coreMountConfigPath is used to store the mount configuration.
+	// Mounts are protected within the Vault itself, which means they
+	// can only be viewed or modified after an unseal.
+	coreMountConfigPath = "core/mounts"
+
+	// coreLocalMountConfigPath is used to store mount configuration for local
+	// (non-replicated) mounts
+	coreLocalMountConfigPath = "core/local-mounts"
+
+	// backendBarrierPrefix is the prefix to the UUID used in the
+	// barrier view for the backends.
+	backendBarrierPrefix = "logical/"
+
+	// systemBarrierPrefix is the prefix used for the
+	// system logical backend.
+	systemBarrierPrefix = "sys/"
+
+	// mountTableType is the value we expect to find for the mount table and
+	// corresponding entries
+	mountTableType = "mounts"
+)
+
+// ListingVisibilityType represents the types for listing visibility
+type ListingVisibilityType string
+
+const (
+	// ListingVisibilityDefault is the default value for listing visibility
+	ListingVisibilityDefault ListingVisibilityType = ""
+	// ListingVisibilityHidden is the hidden type for listing visibility
+	ListingVisibilityHidden ListingVisibilityType = "hidden"
+	// ListingVisibilityUnauth is the unauth type for listing visibility
+	ListingVisibilityUnauth ListingVisibilityType = "unauth"
+
+	mountPathSystem    = "sys/"
+	mountPathIdentity  = "identity/"
+	mountPathCubbyhole = "cubbyhole/"
+
+	mountTypeSystem      = "system"
+	mountTypeNSSystem    = "ns_system"
+	mountTypeIdentity    = "identity"
+	mountTypeCubbyhole   = "cubbyhole"
+	mountTypePlugin      = "plugin"
+	mountTypeKV          = "kv"
+	mountTypeNSCubbyhole = "ns_cubbyhole"
+	mountTypeToken       = "token"
+	mountTypeNSToken     = "ns_token"
+
+	MountTableUpdateStorage   = true
+	MountTableNoUpdateStorage = false
+)
+
+// DeprecationStatus errors
+var (
+	errMountDeprecated     = errors.New("mount entry associated with deprecated builtin")
+	errMountPendingRemoval = errors.New("mount entry associated with pending removal builtin")
+	errMountRemoved        = errors.New("mount entry associated with removed builtin")
+)
+
+var (
+	// loadMountsFailed if loadMounts encounters an error
+	errLoadMountsFailed = errors.New("failed to setup mount table")
+
+	// protectedMounts cannot be remounted
+	protectedMounts = []string{
+		"audit/",
+		"auth/",
+		mountPathSystem,
+		mountPathCubbyhole,
+		mountPathIdentity,
+	}
+
+	untunableMounts = []string{
+		mountPathCubbyhole,
+		mountPathSystem,
+		"audit/",
+		mountPathIdentity,
+	}
+
+	// singletonMounts can only exist in one location and are
+	// loaded by default. These are types, not paths.
+	singletonMounts = []string{
+		mountTypeCubbyhole,
+		mountTypeSystem,
+		mountTypeToken,
+		mountTypeIdentity,
+	}
+
+	// mountAliases maps old backend names to new backend names, allowing us
+	// to move/rename backends but maintain backwards compatibility
+	mountAliases = map[string]string{"generic": "kv"}
+)
+
+func (c *Core) generateMountAccessor(entryType string) (string, error) {
+	var accessor string
+	for {
+		randBytes, err := uuid.GenerateRandomBytes(4)
+		if err != nil {
+			return "", err
+		}
+		accessor = fmt.Sprintf("%s_%s", entryType, fmt.Sprintf("%08x", randBytes[0:4]))
+		if entry := c.router.MatchingMountByAccessor(accessor); entry == nil {
+			break
+		}
+	}
+
+	return accessor, nil
+}
+
+// MountTable is used to represent the internal mount table
+type MountTable struct {
+	Type    string        `json:"type"`
+	Entries []*MountEntry `json:"entries"`
+}
+
+type MountMigrationStatus int
+
+const (
+	MigrationInProgressStatus MountMigrationStatus = iota
+	MigrationSuccessStatus
+	MigrationFailureStatus
+)
+
+func (m MountMigrationStatus) String() string {
+	switch m {
+	case MigrationInProgressStatus:
+		return "in-progress"
+	case MigrationSuccessStatus:
+		return "success"
+	case MigrationFailureStatus:
+		return "failure"
+	}
+	return "unknown"
+}
+
+type MountMigrationInfo struct {
+	SourceMount     string `json:"source_mount"`
+	TargetMount     string `json:"target_mount"`
+	MigrationStatus string `json:"status"`
+}
+
+// tableMetrics is responsible for setting gauge metrics for
+// mount table storage sizes (in bytes) and mount table num
+// entries. It does this via setGaugeWithLabels. It then
+// saves these metrics in a cache for regular reporting in
+// a loop, via AddGaugeLoopMetric.
+
+// Note that the reported storage sizes are pre-encryption
+// sizes. Currently barrier uses aes-gcm for encryption, which
+// preserves plaintext size, adding a constant of 30 bytes of
+// padding, which is negligable and subject to change, and thus
+// not accounted for.
+func (c *Core) tableMetrics(entryCount int, isLocal bool, isAuth bool, compressedTable []byte) {
+	if c.metricsHelper == nil {
+		// do nothing if metrics are not initialized
+		return
+	}
+	typeAuthLabelMap := map[bool]metrics.Label{
+		true:  {Name: "type", Value: "auth"},
+		false: {Name: "type", Value: "logical"},
+	}
+
+	typeLocalLabelMap := map[bool]metrics.Label{
+		true:  {Name: "local", Value: "true"},
+		false: {Name: "local", Value: "false"},
+	}
+
+	c.metricSink.SetGaugeWithLabels(metricsutil.LogicalTableSizeName,
+		float32(entryCount), []metrics.Label{
+			typeAuthLabelMap[isAuth],
+			typeLocalLabelMap[isLocal],
+		})
+
+	c.metricsHelper.AddGaugeLoopMetric(metricsutil.LogicalTableSizeName,
+		float32(entryCount), []metrics.Label{
+			typeAuthLabelMap[isAuth],
+			typeLocalLabelMap[isLocal],
+		})
+
+	c.metricSink.SetGaugeWithLabels(metricsutil.PhysicalTableSizeName,
+		float32(len(compressedTable)), []metrics.Label{
+			typeAuthLabelMap[isAuth],
+			typeLocalLabelMap[isLocal],
+		})
+
+	c.metricsHelper.AddGaugeLoopMetric(metricsutil.PhysicalTableSizeName,
+		float32(len(compressedTable)), []metrics.Label{
+			typeAuthLabelMap[isAuth],
+			typeLocalLabelMap[isLocal],
+		})
+}
+
+// shallowClone returns a copy of the mount table that
+// keeps the MountEntry locations, so as not to invalidate
+// other locations holding pointers. Care needs to be taken
+// if modifying entries rather than modifying the table itself
+func (t *MountTable) shallowClone() *MountTable {
+	mt := &MountTable{
+		Type:    t.Type,
+		Entries: make([]*MountEntry, len(t.Entries)),
+	}
+
+	for i, e := range t.Entries {
+		mt.Entries[i] = e
+	}
+	return mt
+}
+
+// setTaint is used to set the taint on given entry Accepts either the mount
+// entry's path or namespace + path, i.e. <ns-path>/secret/ or <ns-path>/token/
+func (t *MountTable) setTaint(nsID, path string, tainted bool, mountState string) (*MountEntry, error) {
+	n := len(t.Entries)
+	for i := 0; i < n; i++ {
+		if entry := t.Entries[i]; entry.Path == path && entry.Namespace().ID == nsID {
+			t.Entries[i].Tainted = tainted
+			t.Entries[i].MountState = mountState
+			return t.Entries[i], nil
+		}
+	}
+	return nil, nil
+}
+
+// remove is used to remove a given path entry; returns the entry that was
+// removed
+func (t *MountTable) remove(ctx context.Context, path string) (*MountEntry, error) {
+	n := len(t.Entries)
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	for i := 0; i < n; i++ {
+		if entry := t.Entries[i]; entry.Path == path && entry.Namespace().ID == ns.ID {
+			t.Entries[i], t.Entries[n-1] = t.Entries[n-1], nil
+			t.Entries = t.Entries[:n-1]
+			return entry, nil
+		}
+	}
+	return nil, nil
+}
+
+func (t *MountTable) find(ctx context.Context, path string) (*MountEntry, error) {
+	n := len(t.Entries)
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	for i := 0; i < n; i++ {
+		if entry := t.Entries[i]; entry.Path == path && entry.Namespace().ID == ns.ID {
+			return entry, nil
+		}
+	}
+	return nil, nil
+}
+
+func (t *MountTable) findByBackendUUID(ctx context.Context, backendUUID string) (*MountEntry, error) {
+	n := len(t.Entries)
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	for i := 0; i < n; i++ {
+		if entry := t.Entries[i]; entry.BackendAwareUUID == backendUUID && entry.Namespace().ID == ns.ID {
+			return entry, nil
+		}
+	}
+	return nil, nil
+}
+
+// sortEntriesByPath sorts the entries in the table by path and returns the
+// table; this is useful for tests
+func (t *MountTable) sortEntriesByPath() *MountTable {
+	sort.Slice(t.Entries, func(i, j int) bool {
+		return t.Entries[i].Path < t.Entries[j].Path
+	})
+	return t
+}
+
+// sortEntriesByPath sorts the entries in the table by path and returns the
+// table; this is useful for tests
+func (t *MountTable) sortEntriesByPathDepth() *MountTable {
+	sort.Slice(t.Entries, func(i, j int) bool {
+		return len(strings.Split(t.Entries[i].Namespace().Path+t.Entries[i].Path, "/")) < len(strings.Split(t.Entries[j].Namespace().Path+t.Entries[j].Path, "/"))
+	})
+	return t
+}
+
+const mountStateUnmounting = "unmounting"
+
+// MountEntry is used to represent a mount table entry
+type MountEntry struct {
+	Table                 string            `json:"table"`                             // The table it belongs to
+	Path                  string            `json:"path"`                              // Mount Path
+	Type                  string            `json:"type"`                              // Logical backend Type. NB: This is the plugin name, e.g. my-vault-plugin, NOT plugin type (e.g. auth).
+	Description           string            `json:"description"`                       // User-provided description
+	UUID                  string            `json:"uuid"`                              // Barrier view UUID
+	BackendAwareUUID      string            `json:"backend_aware_uuid"`                // UUID that can be used by the backend as a helper when a consistent value is needed outside of storage.
+	Accessor              string            `json:"accessor"`                          // Unique but more human-friendly ID. Does not change, not used for any sensitive things (like as a salt, which the UUID sometimes is).
+	Config                MountConfig       `json:"config"`                            // Configuration related to this mount (but not backend-derived)
+	Options               map[string]string `json:"options"`                           // Backend options
+	Local                 bool              `json:"local"`                             // Local mounts are not replicated or affected by replication
+	SealWrap              bool              `json:"seal_wrap"`                         // Whether to wrap CSPs
+	ExternalEntropyAccess bool              `json:"external_entropy_access,omitempty"` // Whether to allow external entropy source access
+	Tainted               bool              `json:"tainted,omitempty"`                 // Set as a Write-Ahead flag for unmount/remount
+	MountState            string            `json:"mount_state,omitempty"`             // The current mount state.  The only non-empty mount state right now is "unmounting"
+	NamespaceID           string            `json:"namespace_id"`
+
+	// namespace contains the populated namespace
+	namespace *namespace.Namespace
+
+	// synthesizedConfigCache is used to cache configuration values. These
+	// particular values are cached since we want to get them at a point-in-time
+	// without separately managing their locks individually. See SyncCache() for
+	// the specific values that are being cached.
+	synthesizedConfigCache sync.Map
+
+	// version info
+	Version        string `json:"plugin_version,omitempty"`         // The semantic version of the mounted plugin, e.g. v1.2.3.
+	RunningVersion string `json:"running_plugin_version,omitempty"` // The semantic version of the mounted plugin as reported by the plugin.
+	RunningSha256  string `json:"running_sha256,omitempty"`
+}
+
+// MountConfig is used to hold settable options
+type MountConfig struct {
+	DefaultLeaseTTL           time.Duration         `json:"default_lease_ttl,omitempty" structs:"default_lease_ttl" mapstructure:"default_lease_ttl"` // Override for global default
+	MaxLeaseTTL               time.Duration         `json:"max_lease_ttl,omitempty" structs:"max_lease_ttl" mapstructure:"max_lease_ttl"`             // Override for global default
+	ForceNoCache              bool                  `json:"force_no_cache,omitempty" structs:"force_no_cache" mapstructure:"force_no_cache"`          // Override for global default
+	AuditNonHMACRequestKeys   []string              `json:"audit_non_hmac_request_keys,omitempty" structs:"audit_non_hmac_request_keys" mapstructure:"audit_non_hmac_request_keys"`
+	AuditNonHMACResponseKeys  []string              `json:"audit_non_hmac_response_keys,omitempty" structs:"audit_non_hmac_response_keys" mapstructure:"audit_non_hmac_response_keys"`
+	ListingVisibility         ListingVisibilityType `json:"listing_visibility,omitempty" structs:"listing_visibility" mapstructure:"listing_visibility"`
+	PassthroughRequestHeaders []string              `json:"passthrough_request_headers,omitempty" structs:"passthrough_request_headers" mapstructure:"passthrough_request_headers"`
+	AllowedResponseHeaders    []string              `json:"allowed_response_headers,omitempty" structs:"allowed_response_headers" mapstructure:"allowed_response_headers"`
+	TokenType                 logical.TokenType     `json:"token_type,omitempty" structs:"token_type" mapstructure:"token_type"`
+	AllowedManagedKeys        []string              `json:"allowed_managed_keys,omitempty" mapstructure:"allowed_managed_keys"`
+	UserLockoutConfig         *UserLockoutConfig    `json:"user_lockout_config,omitempty" mapstructure:"user_lockout_config"`
+	DelegatedAuthAccessors    []string              `json:"delegated_auth_accessors,omitempty" mapstructure:"delegated_auth_accessors"`
+
+	// PluginName is the name of the plugin registered in the catalog.
+	//
+	// Deprecated: MountEntry.Type should be used instead for Vault 1.0.0 and beyond.
+	PluginName string `json:"plugin_name,omitempty" structs:"plugin_name,omitempty" mapstructure:"plugin_name"`
+}
+
+type UserLockoutConfig struct {
+	LockoutThreshold    uint64        `json:"lockout_threshold,omitempty" structs:"lockout_threshold" mapstructure:"lockout_threshold"`
+	LockoutDuration     time.Duration `json:"lockout_duration,omitempty" structs:"lockout_duration" mapstructure:"lockout_duration"`
+	LockoutCounterReset time.Duration `json:"lockout_counter_reset,omitempty" structs:"lockout_counter_reset" mapstructure:"lockout_counter_reset"`
+	DisableLockout      bool          `json:"disable_lockout,omitempty" structs:"disable_lockout" mapstructure:"disable_lockout"`
+}
+
+type APIUserLockoutConfig struct {
+	LockoutThreshold            string `json:"lockout_threshold,omitempty" structs:"lockout_threshold" mapstructure:"lockout_threshold"`
+	LockoutDuration             string `json:"lockout_duration,omitempty" structs:"lockout_duration" mapstructure:"lockout_duration"`
+	LockoutCounterResetDuration string `json:"lockout_counter_reset_duration,omitempty" structs:"lockout_counter_reset_duration" mapstructure:"lockout_counter_reset_duration"`
+	DisableLockout              *bool  `json:"lockout_disable,omitempty" structs:"lockout_disable" mapstructure:"lockout_disable"`
+}
+
+// APIMountConfig is an embedded struct of api.MountConfigInput
+type APIMountConfig struct {
+	DefaultLeaseTTL           string                `json:"default_lease_ttl" structs:"default_lease_ttl" mapstructure:"default_lease_ttl"`
+	MaxLeaseTTL               string                `json:"max_lease_ttl" structs:"max_lease_ttl" mapstructure:"max_lease_ttl"`
+	ForceNoCache              bool                  `json:"force_no_cache" structs:"force_no_cache" mapstructure:"force_no_cache"`
+	AuditNonHMACRequestKeys   []string              `json:"audit_non_hmac_request_keys,omitempty" structs:"audit_non_hmac_request_keys" mapstructure:"audit_non_hmac_request_keys"`
+	AuditNonHMACResponseKeys  []string              `json:"audit_non_hmac_response_keys,omitempty" structs:"audit_non_hmac_response_keys" mapstructure:"audit_non_hmac_response_keys"`
+	ListingVisibility         ListingVisibilityType `json:"listing_visibility,omitempty" structs:"listing_visibility" mapstructure:"listing_visibility"`
+	PassthroughRequestHeaders []string              `json:"passthrough_request_headers,omitempty" structs:"passthrough_request_headers" mapstructure:"passthrough_request_headers"`
+	AllowedResponseHeaders    []string              `json:"allowed_response_headers,omitempty" structs:"allowed_response_headers" mapstructure:"allowed_response_headers"`
+	TokenType                 string                `json:"token_type" structs:"token_type" mapstructure:"token_type"`
+	AllowedManagedKeys        []string              `json:"allowed_managed_keys,omitempty" mapstructure:"allowed_managed_keys"`
+	UserLockoutConfig         *UserLockoutConfig    `json:"user_lockout_config,omitempty" mapstructure:"user_lockout_config"`
+	PluginVersion             string                `json:"plugin_version,omitempty" mapstructure:"plugin_version"`
+	DelegatedAuthAccessors    []string              `json:"delegated_auth_accessors,omitempty" mapstructure:"delegated_auth_accessors"`
+
+	// PluginName is the name of the plugin registered in the catalog.
+	//
+	// Deprecated: MountEntry.Type should be used instead for Vault 1.0.0 and beyond.
+	PluginName string `json:"plugin_name,omitempty" structs:"plugin_name,omitempty" mapstructure:"plugin_name"`
+}
+
+type FailedLoginUser struct {
+	aliasName     string
+	mountAccessor string
+}
+
+type FailedLoginInfo struct {
+	count               uint
+	lastFailedLoginTime int
+}
+
+// Clone returns a deep copy of the mount entry
+func (e *MountEntry) Clone() (*MountEntry, error) {
+	cp, err := copystructure.Copy(e)
+	if err != nil {
+		return nil, err
+	}
+	return cp.(*MountEntry), nil
+}
+
+// IsExternalPlugin returns whether the plugin is running externally
+// if the RunningSha256 is non-empty, the builtin is external. Otherwise, it's builtin
+func (e *MountEntry) IsExternalPlugin() bool {
+	return e.RunningSha256 != ""
+}
+
+// MountClass returns the mount class based on Accessor and Path
+func (e *MountEntry) MountClass() string {
+	if e.Accessor == "" || strings.HasPrefix(e.Path, fmt.Sprintf("%s/", mountPathSystem)) {
+		return ""
+	}
+
+	if e.Table == credentialTableType {
+		return consts.PluginTypeCredential.String()
+	}
+
+	return consts.PluginTypeSecrets.String()
+}
+
+// Namespace returns the namespace for the mount entry
+func (e *MountEntry) Namespace() *namespace.Namespace {
+	return e.namespace
+}
+
+// APIPath returns the full API Path for the given mount entry
+func (e *MountEntry) APIPath() string {
+	path := e.Path
+	if e.Table == credentialTableType {
+		path = credentialRoutePrefix + path
+	}
+	return e.namespace.Path + path
+}
+
+// APIPathNoNamespace returns the API Path without the namespace for the given mount entry
+func (e *MountEntry) APIPathNoNamespace() string {
+	path := e.Path
+	if e.Table == credentialTableType {
+		path = credentialRoutePrefix + path
+	}
+	return path
+}
+
+// SyncCache syncs tunable configuration values to the cache. In the case of
+// cached values, they should be retrieved via synthesizedConfigCache.Load()
+// instead of accessing them directly through MountConfig.
+func (e *MountEntry) SyncCache() {
+	if len(e.Config.AuditNonHMACRequestKeys) == 0 {
+		e.synthesizedConfigCache.Delete("audit_non_hmac_request_keys")
+	} else {
+		e.synthesizedConfigCache.Store("audit_non_hmac_request_keys", e.Config.AuditNonHMACRequestKeys)
+	}
+
+	if len(e.Config.AuditNonHMACResponseKeys) == 0 {
+		e.synthesizedConfigCache.Delete("audit_non_hmac_response_keys")
+	} else {
+		e.synthesizedConfigCache.Store("audit_non_hmac_response_keys", e.Config.AuditNonHMACResponseKeys)
+	}
+
+	if len(e.Config.PassthroughRequestHeaders) == 0 {
+		e.synthesizedConfigCache.Delete("passthrough_request_headers")
+	} else {
+		e.synthesizedConfigCache.Store("passthrough_request_headers", e.Config.PassthroughRequestHeaders)
+	}
+
+	if len(e.Config.AllowedResponseHeaders) == 0 {
+		e.synthesizedConfigCache.Delete("allowed_response_headers")
+	} else {
+		e.synthesizedConfigCache.Store("allowed_response_headers", e.Config.AllowedResponseHeaders)
+	}
+
+	if len(e.Config.AllowedManagedKeys) == 0 {
+		e.synthesizedConfigCache.Delete("allowed_managed_keys")
+	} else {
+		e.synthesizedConfigCache.Store("allowed_managed_keys", e.Config.AllowedManagedKeys)
+	}
+
+	if len(e.Config.DelegatedAuthAccessors) == 0 {
+		e.synthesizedConfigCache.Delete("delegated_auth_accessors")
+	} else {
+		e.synthesizedConfigCache.Store("delegated_auth_accessors", e.Config.DelegatedAuthAccessors)
+	}
+}
+
+func (entry *MountEntry) Deserialize() map[string]interface{} {
+	return map[string]interface{}{
+		"mount_path":      entry.Path,
+		"mount_namespace": entry.Namespace().Path,
+		"uuid":            entry.UUID,
+		"accessor":        entry.Accessor,
+		"mount_type":      entry.Type,
+	}
+}
+
+// DecodeMountTable is used for testing
+func (c *Core) DecodeMountTable(ctx context.Context, raw []byte) (*MountTable, error) {
+	return c.decodeMountTable(ctx, raw)
+}
+
+func (c *Core) decodeMountTable(ctx context.Context, raw []byte) (*MountTable, error) {
+	// Decode into mount table
+	mountTable := new(MountTable)
+	if err := jsonutil.DecodeJSON(raw, mountTable); err != nil {
+		return nil, err
+	}
+
+	// Populate the namespace in memory
+	var mountEntries []*MountEntry
+	for _, entry := range mountTable.Entries {
+		if entry.NamespaceID == "" {
+			entry.NamespaceID = namespace.RootNamespaceID
+		}
+		ns, err := NamespaceByID(ctx, entry.NamespaceID, c)
+		if err != nil {
+			return nil, err
+		}
+		if ns == nil {
+			c.logger.Error("namespace on mount entry not found", "namespace_id", entry.NamespaceID, "mount_path", entry.Path, "mount_description", entry.Description)
+			continue
+		}
+
+		entry.namespace = ns
+		mountEntries = append(mountEntries, entry)
+	}
+
+	return &MountTable{
+		Type:    mountTable.Type,
+		Entries: mountEntries,
+	}, nil
+}
+
+// Mount is used to mount a new backend to the mount table.
+func (c *Core) mount(ctx context.Context, entry *MountEntry) error {
+	// Ensure we end the path in a slash
+	if !strings.HasSuffix(entry.Path, "/") {
+		entry.Path += "/"
+	}
+
+	// Prevent protected paths from being mounted
+	for _, p := range protectedMounts {
+		if strings.HasPrefix(entry.Path, p) && entry.namespace == nil {
+			return logical.CodedError(403, fmt.Sprintf("cannot mount %q", entry.Path))
+		}
+	}
+
+	// Do not allow more than one instance of a singleton mount
+	for _, p := range singletonMounts {
+		if entry.Type == p {
+			return logical.CodedError(403, fmt.Sprintf("mount type of %q is not mountable", entry.Type))
+		}
+	}
+
+	// Mount internally
+	if err := c.mountInternal(ctx, entry, MountTableUpdateStorage); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (c *Core) mountInternal(ctx context.Context, entry *MountEntry, updateStorage bool) error {
+	c.mountsLock.Lock()
+	c.authLock.Lock()
+	locked := true
+	unlock := func() {
+		if locked {
+			c.authLock.Unlock()
+			c.mountsLock.Unlock()
+			locked = false
+		}
+	}
+	defer unlock()
+
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return err
+	}
+
+	if err := verifyNamespace(c, ns, entry); err != nil {
+		return err
+	}
+
+	entry.NamespaceID = ns.ID
+	entry.namespace = ns
+
+	// Ensure the cache is populated, don't need the result
+	NamespaceByID(ctx, ns.ID, c)
+
+	// Basic check for matching names
+	for _, ent := range c.mounts.Entries {
+		if ns.ID == ent.NamespaceID {
+			switch {
+			// Existing is oauth/github/ new is oauth/ or
+			// existing is oauth/ and new is oauth/github/
+			case strings.HasPrefix(ent.Path, entry.Path):
+				fallthrough
+			case strings.HasPrefix(entry.Path, ent.Path):
+				return logical.CodedError(409, fmt.Sprintf("path is already in use at %s", ent.Path))
+			}
+		}
+	}
+
+	// Verify there are no conflicting mounts in the router
+	if match := c.router.MountConflict(ctx, entry.Path); match != "" {
+		return logical.CodedError(409, fmt.Sprintf("existing mount at %s", match))
+	}
+
+	// Generate a new UUID and view
+	if entry.UUID == "" {
+		entryUUID, err := uuid.GenerateUUID()
+		if err != nil {
+			return err
+		}
+		entry.UUID = entryUUID
+	}
+	if entry.BackendAwareUUID == "" {
+		bUUID, err := uuid.GenerateUUID()
+		if err != nil {
+			return err
+		}
+		entry.BackendAwareUUID = bUUID
+	}
+	if entry.Accessor == "" {
+		accessor, err := c.generateMountAccessor(entry.Type)
+		if err != nil {
+			return err
+		}
+		entry.Accessor = accessor
+	}
+	// Sync values to the cache
+	entry.SyncCache()
+
+	// Resolution to absolute storage paths (versus uuid-relative) needs
+	// to happen prior to calling into the forwarded writer. Thus we
+	// intercept writes just before they hit barrier storage.
+	forwarded, err := c.NewForwardedWriter(ctx, c.barrier, entry.Local)
+	if err != nil {
+		return fmt.Errorf("error creating forwarded writer: %v", err)
+	}
+
+	viewPath := entry.ViewPath()
+	view := NewBarrierView(forwarded, viewPath)
+
+	// Singleton mounts cannot be filtered manually on a per-secondary basis
+	// from replication.
+	if strutil.StrListContains(singletonMounts, entry.Type) {
+		addFilterablePath(c, viewPath)
+	}
+	addKnownPath(c, viewPath)
+
+	nilMount, err := preprocessMount(c, entry, view)
+	if err != nil {
+		return err
+	}
+
+	origReadOnlyErr := view.getReadOnlyErr()
+
+	// Mark the view as read-only until the mounting is complete and
+	// ensure that it is reset after. This ensures that there will be no
+	// writes during the construction of the backend.
+	view.setReadOnlyErr(logical.ErrSetupReadOnly)
+	// We defer this because we're already up and running so we don't need to
+	// time it for after postUnseal
+	defer view.setReadOnlyErr(origReadOnlyErr)
+
+	var backend logical.Backend
+	sysView := c.mountEntrySysView(entry)
+
+	backend, entry.RunningSha256, err = c.newLogicalBackend(ctx, entry, sysView, view)
+	if err != nil {
+		return err
+	}
+	if backend == nil {
+		return fmt.Errorf("nil backend of type %q returned from creation function", entry.Type)
+	}
+
+	// Check for the correct backend type
+	backendType := backend.Type()
+	if backendType != logical.TypeLogical {
+		if entry.Type != mountTypeKV && entry.Type != mountTypeSystem && entry.Type != mountTypeCubbyhole {
+			return fmt.Errorf(`unknown backend type: "%s"`, entry.Type)
+		}
+	}
+
+	// update the entry running version with the configured version, which was verified during registration.
+	entry.RunningVersion = entry.Version
+	if entry.RunningVersion == "" {
+		// don't set the running version to a builtin if it is running as an external plugin
+		if entry.RunningSha256 == "" {
+			entry.RunningVersion = versions.GetBuiltinVersion(consts.PluginTypeSecrets, entry.Type)
+		}
+	}
+
+	addPathCheckers(c, entry, backend, viewPath)
+
+	c.setCoreBackend(entry, backend, view)
+
+	// If the mount is filtered or we are on a DR secondary we don't want to
+	// keep the actual backend running, so we clean it up and set it to nil
+	// so the router does not have a pointer to the object.
+	if nilMount {
+		backend.Cleanup(ctx)
+		backend = nil
+	}
+
+	newTable := c.mounts.shallowClone()
+	newTable.Entries = append(newTable.Entries, entry)
+	if updateStorage {
+		if err := c.persistMounts(ctx, newTable, &entry.Local); err != nil {
+			c.logger.Error("failed to update mount table", "error", err)
+			if err == logical.ErrReadOnly && c.perfStandby {
+				return err
+			}
+
+			return logical.CodedError(500, "failed to update mount table")
+		}
+	}
+	c.mounts = newTable
+
+	if err := c.router.Mount(backend, entry.Path, entry, view); err != nil {
+		return err
+	}
+	if err = c.entBuiltinPluginMetrics(ctx, entry, 1); err != nil {
+		c.logger.Error("failed to emit enabled ent builtin plugin metrics", "error", err)
+		return err
+	}
+
+	// Re-evaluate filtered paths
+	if err := runFilteredPathsEvaluation(ctx, c, false); err != nil {
+		c.logger.Error("failed to evaluate filtered paths", "error", err)
+
+		unlock()
+		// We failed to evaluate filtered paths so we are undoing the mount operation
+		if unmountInternalErr := c.unmountInternal(ctx, entry.Path, MountTableUpdateStorage); unmountInternalErr != nil {
+			c.logger.Error("failed to unmount", "error", unmountInternalErr)
+		}
+		return err
+	}
+
+	if !nilMount {
+		// restore the original readOnlyErr, so we can write to the view in
+		// Initialize() if necessary
+		view.setReadOnlyErr(origReadOnlyErr)
+
+		// initialize, using the core's active context.
+		nsActiveContext := namespace.ContextWithNamespace(c.activeContext, ns)
+		err := backend.Initialize(nsActiveContext, &logical.InitializationRequest{Storage: view})
+		if err != nil {
+			return err
+		}
+	}
+
+	if c.logger.IsInfo() {
+		c.logger.Info("successful mount", "namespace", entry.Namespace().Path, "path", entry.Path, "type", entry.Type, "version", entry.Version)
+	}
+	return nil
+}
+
+// builtinTypeFromMountEntry attempts to find a builtin PluginType associated
+// with the specified MountEntry. Returns consts.PluginTypeUnknown if not found.
+func (c *Core) builtinTypeFromMountEntry(ctx context.Context, entry *MountEntry) consts.PluginType {
+	if c.builtinRegistry == nil || entry == nil {
+		return consts.PluginTypeUnknown
+	}
+
+	if !versions.IsBuiltinVersion(entry.RunningVersion) {
+		return consts.PluginTypeUnknown
+	}
+
+	builtinPluginType := func(name string, pluginType consts.PluginType) (consts.PluginType, bool) {
+		plugin, err := c.pluginCatalog.Get(ctx, name, pluginType, entry.RunningVersion)
+		if err == nil && plugin != nil && plugin.Builtin {
+			return plugin.Type, true
+		}
+		return consts.PluginTypeUnknown, false
+	}
+
+	// auth plugins have their own dedicated mount table
+	if pluginType, err := consts.ParsePluginType(entry.Table); err == nil {
+		if builtinType, ok := builtinPluginType(entry.Type, pluginType); ok {
+			return builtinType
+		}
+	}
+
+	// Check for possible matches
+	var builtinTypes []consts.PluginType
+	for _, pluginType := range [...]consts.PluginType{consts.PluginTypeSecrets, consts.PluginTypeDatabase} {
+		if builtinType, ok := builtinPluginType(entry.Type, pluginType); ok {
+			builtinTypes = append(builtinTypes, builtinType)
+		}
+	}
+
+	if len(builtinTypes) == 1 {
+		return builtinTypes[0]
+	}
+
+	return consts.PluginTypeUnknown
+}
+
+// Unmount is used to unmount a path. The boolean indicates whether the mount
+// was found.
+func (c *Core) unmount(ctx context.Context, path string) error {
+	// Ensure we end the path in a slash
+	if !strings.HasSuffix(path, "/") {
+		path += "/"
+	}
+
+	// Prevent protected paths from being unmounted
+	for _, p := range protectedMounts {
+		if strings.HasPrefix(path, p) {
+			return fmt.Errorf("cannot unmount %q", path)
+		}
+	}
+
+	// Unmount mount internally
+	if err := c.unmountInternal(ctx, path, MountTableUpdateStorage); err != nil {
+		return err
+	}
+
+	// Re-evaluate filtered paths
+	if err := runFilteredPathsEvaluation(ctx, c, true); err != nil {
+		// Even we failed to evaluate filtered paths, the unmount operation was still successful
+		c.logger.Error("failed to evaluate filtered paths", "error", err)
+	}
+	return nil
+}
+
+func (c *Core) unmountInternal(ctx context.Context, path string, updateStorage bool) error {
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return err
+	}
+
+	// Verify exact match of the route
+	match := c.router.MatchingMount(ctx, path)
+	if match == "" || ns.Path+path != match {
+		return fmt.Errorf("no matching mount")
+	}
+
+	// Get the view for this backend
+	view := c.router.MatchingStorageByAPIPath(ctx, path)
+
+	// Get the backend/mount entry for this path, used to remove ignored
+	// replication prefixes
+	backend := c.router.MatchingBackend(ctx, path)
+	entry := c.router.MatchingMountEntry(ctx, path)
+
+	// Mark the entry as tainted
+	if err := c.taintMountEntry(ctx, ns.ID, path, updateStorage, true); err != nil {
+		c.logger.Error("failed to taint mount entry for path being unmounted", "error", err, "path", path)
+		return err
+	}
+
+	// Taint the router path to prevent routing. Note that in-flight requests
+	// are uncertain, right now.
+	if err := c.router.Taint(ctx, path); err != nil {
+		return err
+	}
+
+	rCtx := namespace.ContextWithNamespace(c.activeContext, ns)
+	if backend != nil && c.rollback != nil {
+		// Invoke the rollback manager a final time. This is not fatal as
+		// various periodic funcs (e.g., PKI) can legitimately error; the
+		// periodic rollback manager logs these errors rather than failing
+		// replication like returning this error would do.
+		if err := c.rollback.Rollback(rCtx, path); err != nil {
+			c.logger.Error("ignoring rollback error during unmount", "error", err, "path", path)
+			err = nil
+		}
+	}
+	if backend != nil && c.expiration != nil && updateStorage {
+		// Revoke all the dynamic keys
+		if err := c.expiration.RevokePrefix(rCtx, path, true); err != nil {
+			return err
+		}
+	}
+
+	if backend != nil {
+		// Call cleanup function if it exists
+		backend.Cleanup(ctx)
+	}
+
+	viewPath := entry.ViewPath()
+	switch {
+	case !updateStorage:
+		// Don't attempt to clear data, replication will handle this
+	case c.IsDRSecondary():
+		// If we are a dr secondary we want to clear the view, but the provided
+		// view is marked as read only. We use the barrier here to get around
+		// it.
+		if err := logical.ClearViewWithLogging(ctx, NewBarrierView(c.barrier, viewPath), c.logger.Named("secrets.deletion").With("namespace", ns.ID, "path", path)); err != nil {
+			c.logger.Error("failed to clear view for path being unmounted", "error", err, "path", path)
+			return err
+		}
+
+	case entry.Local, !c.IsPerfSecondary():
+		// Have writable storage, remove the whole thing
+		if err := logical.ClearViewWithLogging(ctx, view, c.logger.Named("secrets.deletion").With("namespace", ns.ID, "path", path)); err != nil {
+			c.logger.Error("failed to clear view for path being unmounted", "error", err, "path", path)
+			return err
+		}
+
+	case !entry.Local && c.IsPerfSecondary():
+		if err := clearIgnoredPaths(ctx, c, backend, viewPath); err != nil {
+			return err
+		}
+	}
+
+	// Remove the mount table entry
+	if err := c.removeMountEntry(ctx, path, updateStorage); err != nil {
+		c.logger.Error("failed to remove mount entry for path being unmounted", "error", err, "path", path)
+		return err
+	}
+
+	// Unmount the backend entirely
+	if err := c.router.Unmount(ctx, path); err != nil {
+		return err
+	}
+	if err = c.entBuiltinPluginMetrics(ctx, entry, -1); err != nil {
+		c.logger.Error("failed to emit disabled ent builtin plugin metrics", "error", err)
+		return err
+	}
+
+	removePathCheckers(c, entry, viewPath)
+
+	if c.quotaManager != nil {
+		if err := c.quotaManager.HandleBackendDisabling(ctx, ns.Path, path); err != nil {
+			c.logger.Error("failed to update quotas after disabling mount", "path", path, "error", err)
+			return err
+		}
+	}
+
+	c.WellKnownRedirects.DeregisterMount(entry.UUID)
+
+	if c.logger.IsInfo() {
+		c.logger.Info("successfully unmounted", "path", path, "namespace", ns.Path)
+	}
+
+	return nil
+}
+
+// removeMountEntry is used to remove an entry from the mount table
+func (c *Core) removeMountEntry(ctx context.Context, path string, updateStorage bool) error {
+	c.mountsLock.Lock()
+	defer c.mountsLock.Unlock()
+
+	// Remove the entry from the mount table
+	newTable := c.mounts.shallowClone()
+	entry, err := newTable.remove(ctx, path)
+	if err != nil {
+		return err
+	}
+	if entry == nil {
+		c.logger.Error("nil entry found removing entry in mounts table", "path", path)
+		return logical.CodedError(500, "failed to remove entry in mounts table")
+	}
+
+	// When unmounting all entries the JSON code will load back up from storage
+	// as a nil slice, which kills tests...just set it nil explicitly
+	if len(newTable.Entries) == 0 {
+		newTable.Entries = nil
+	}
+
+	if updateStorage {
+		// Update the mount table
+		if err := c.persistMounts(ctx, newTable, &entry.Local); err != nil {
+			c.logger.Error("failed to remove entry from mounts table", "error", err)
+			return logical.CodedError(500, "failed to remove entry from mounts table")
+		}
+	}
+
+	c.mounts = newTable
+	return nil
+}
 
-	"github.com/google/tink/go/kwp/subtle"
+// taintMountEntry is used to mark an entry in the mount table as tainted
+func (c *Core) taintMountEntry(ctx context.Context, nsID, mountPath string, updateStorage, unmounting bool) error {
+	c.mountsLock.Lock()
+	defer c.mountsLock.Unlock()
 
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
+	mountState := ""
+	if unmounting {
+		mountState = mountStateUnmounting
+	}
 
-var (
-	_       cli.Command             = (*TransitImportCommand)(nil)
-	_       cli.CommandAutocomplete = (*TransitImportCommand)(nil)
-	keyPath                         = regexp.MustCompile("^(.*)/keys/([^/]*)$")
-)
+	// As modifying the taint of an entry affects shallow clones,
+	// we simply use the original
+	entry, err := c.mounts.setTaint(nsID, mountPath, true, mountState)
+	if err != nil {
+		return err
+	}
+	if entry == nil {
+		c.logger.Error("nil entry found tainting entry in mounts table", "path", mountPath)
+		return logical.CodedError(500, "failed to taint entry in mounts table")
+	}
 
-type TransitImportCommand struct {
-	*BaseCommand
+	if updateStorage {
+		// Update the mount table
+		if err := c.persistMounts(ctx, c.mounts, &entry.Local); err != nil {
+			if err == logical.ErrReadOnly && c.perfStandby {
+				return err
+			}
+
+			c.logger.Error("failed to taint entry in mounts table", "error", err)
+			return logical.CodedError(500, "failed to taint entry in mounts table")
+		}
+	}
+
+	return nil
 }
 
-func (c *TransitImportCommand) Synopsis() string {
-	return "Import a key into the Transit secrets engines."
+// handleDeprecatedMountEntry handles the Deprecation Status of the specified
+// mount entry's builtin engine. Warnings are appended to the returned response
+// and logged. Errors are returned with a nil response to be processed by the
+// caller.
+func (c *Core) handleDeprecatedMountEntry(ctx context.Context, entry *MountEntry, pluginType consts.PluginType) (*logical.Response, error) {
+	resp := &logical.Response{}
+
+	if c.builtinRegistry == nil || entry == nil {
+		return nil, nil
+	}
+
+	// Allow type to be determined from mount entry when not otherwise specified
+	if pluginType == consts.PluginTypeUnknown {
+		pluginType = c.builtinTypeFromMountEntry(ctx, entry)
+	}
+
+	// Handle aliases
+	t := entry.Type
+	if alias, ok := mountAliases[t]; ok {
+		t = alias
+	}
+
+	status, ok := c.builtinRegistry.DeprecationStatus(t, pluginType)
+	if ok {
+		switch status {
+		case consts.Deprecated:
+			c.logger.Warn("mounting deprecated builtin", "name", t, "type", pluginType, "path", entry.Path)
+			resp.AddWarning(errMountDeprecated.Error())
+			return resp, nil
+
+		case consts.PendingRemoval:
+			if c.pendingRemovalMountsAllowed {
+				c.Logger().Info("mount allowed by environment variable", "env", consts.EnvVaultAllowPendingRemovalMounts)
+				resp.AddWarning(errMountPendingRemoval.Error())
+				return resp, nil
+			}
+			return nil, errMountPendingRemoval
+
+		case consts.Removed:
+			return nil, errMountRemoved
+		}
+	}
+	return nil, nil
 }
 
-func (c *TransitImportCommand) Help() string {
-	helpText := `
-Usage: vault transit import PATH KEY [options...]
+// remountForceInternal takes a copy of the mount entry for the path and fully unmounts
+// and remounts the backend to pick up any changes, such as filtered paths.
+// Should be only used for internal usage.
+func (c *Core) remountForceInternal(ctx context.Context, path string, updateStorage bool) error {
+	me := c.router.MatchingMountEntry(ctx, path)
+	if me == nil {
+		return fmt.Errorf("cannot find mount for path %q", path)
+	}
+
+	me, err := me.Clone()
+	if err != nil {
+		return err
+	}
 
-  Using the Transit key wrapping system, imports key material from
-  the base64 encoded KEY (either directly on the CLI or via @path notation),
-  into a new key whose API path is PATH.  To import a new version into an
-  existing key, use import_version.  The remaining options after KEY (key=value
-  style) are passed on to the Transit create key endpoint.  If your
-  system or device natively supports the RSA AES key wrap mechanism (such as
-  the PKCS#11 mechanism CKM_RSA_AES_KEY_WRAP), you should use it directly
-  rather than this command.
+	if err := c.unmountInternal(ctx, path, updateStorage); err != nil {
+		return err
+	}
 
-` + c.Flags().Help()
+	// Mount internally
+	if err := c.mountInternal(ctx, me, updateStorage); err != nil {
+		return err
+	}
 
-	return strings.TrimSpace(helpText)
+	return nil
 }
 
-func (c *TransitImportCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP)
+func (c *Core) remountSecretsEngineCurrentNamespace(ctx context.Context, src, dst string, updateStorage bool) error {
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return err
+	}
+
+	srcPathDetails := c.splitNamespaceAndMountFromPath(ns.Path, src)
+	dstPathDetails := c.splitNamespaceAndMountFromPath(ns.Path, dst)
+	return c.remountSecretsEngine(ctx, srcPathDetails, dstPathDetails, updateStorage)
 }
 
-func (c *TransitImportCommand) AutocompleteArgs() complete.Predictor {
+// remountSecretsEngine is used to remount a path at a new mount point.
+func (c *Core) remountSecretsEngine(ctx context.Context, src, dst namespace.MountPathDetails, updateStorage bool) error {
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return err
+	}
+
+	// Prevent protected paths from being remounted, or target mounts being in protected paths
+	for _, p := range protectedMounts {
+		if strings.HasPrefix(src.MountPath, p) {
+			return fmt.Errorf("cannot remount %q", src.MountPath)
+		}
+
+		if strings.HasPrefix(dst.MountPath, p) {
+			return fmt.Errorf("cannot remount to destination %+v", dst)
+		}
+	}
+
+	srcRelativePath := src.GetRelativePath(ns)
+	dstRelativePath := dst.GetRelativePath(ns)
+
+	// Verify exact match of the route
+	srcMatch := c.router.MatchingMountEntry(ctx, srcRelativePath)
+	if srcMatch == nil {
+		return fmt.Errorf("no matching mount at %q", src.Namespace.Path+src.MountPath)
+	}
+
+	if match := c.router.MountConflict(ctx, dstRelativePath); match != "" {
+		return fmt.Errorf("path in use at %q", match)
+	}
+
+	// Mark the entry as tainted
+	if err := c.taintMountEntry(ctx, src.Namespace.ID, src.MountPath, updateStorage, false); err != nil {
+		return err
+	}
+
+	// Taint the router path to prevent routing
+	if err := c.router.Taint(ctx, srcRelativePath); err != nil {
+		return err
+	}
+
+	if !c.IsDRSecondary() {
+		// Invoke the rollback manager a final time. This is not fatal as
+		// various periodic funcs (e.g., PKI) can legitimately error; the
+		// periodic rollback manager logs these errors rather than failing
+		// replication like returning this error would do.
+		rCtx := namespace.ContextWithNamespace(c.activeContext, ns)
+		if c.rollback != nil && c.router.MatchingBackend(ctx, srcRelativePath) != nil {
+			if err := c.rollback.Rollback(rCtx, srcRelativePath); err != nil {
+				c.logger.Error("ignoring rollback error during remount", "error", err, "path", src.Namespace.Path+src.MountPath)
+				err = nil
+			}
+		}
+
+		revokeCtx := namespace.ContextWithNamespace(ctx, src.Namespace)
+		// Revoke all the dynamic keys
+		if err := c.expiration.RevokePrefix(revokeCtx, src.MountPath, true); err != nil {
+			return err
+		}
+	}
+
+	c.mountsLock.Lock()
+	if match := c.router.MountConflict(ctx, dstRelativePath); match != "" {
+		c.mountsLock.Unlock()
+		return fmt.Errorf("path in use at %q", match)
+	}
+
+	srcMatch.Tainted = false
+	srcMatch.NamespaceID = dst.Namespace.ID
+	srcMatch.namespace = dst.Namespace
+	srcPath := srcMatch.Path
+	srcMatch.Path = dst.MountPath
+
+	// Update the mount table
+	if err := c.persistMounts(ctx, c.mounts, &srcMatch.Local); err != nil {
+		srcMatch.Path = srcPath
+		srcMatch.Tainted = true
+		c.mountsLock.Unlock()
+		if err == logical.ErrReadOnly && c.perfStandby {
+			return err
+		}
+
+		return fmt.Errorf("failed to update mount table with error %+v", err)
+	}
+
+	// Remount the backend
+	if err := c.router.Remount(ctx, srcRelativePath, dstRelativePath); err != nil {
+		c.mountsLock.Unlock()
+		return err
+	}
+	c.mountsLock.Unlock()
+
+	// Un-taint the path
+	if err := c.router.Untaint(ctx, dstRelativePath); err != nil {
+		return err
+	}
+
 	return nil
 }
 
-func (c *TransitImportCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
+// From an input path that has a relative namespace hierarchy followed by a mount point, return the full
+// namespace of the mount point, along with the mount point without the namespace related prefix.
+// For example, in a hierarchy ns1/ns2/ns3/secret-mount, when currNs is ns1 and path is ns2/ns3/secret-mount,
+// this returns the namespace object for ns1/ns2/ns3/, and the string "secret-mount"
+func (c *Core) splitNamespaceAndMountFromPath(currNs, path string) namespace.MountPathDetails {
+	fullPath := currNs + path
+	fullNs := c.namespaceByPath(fullPath)
+
+	mountPath := strings.TrimPrefix(fullPath, fullNs.Path)
+
+	return namespace.MountPathDetails{
+		Namespace: fullNs,
+		MountPath: sanitizePath(mountPath),
+	}
 }
 
-func (c *TransitImportCommand) Run(args []string) int {
-	return ImportKey(c.BaseCommand, "import", transitImportKeyPath, c.Flags(), args)
+// loadMounts is invoked as part of postUnseal to load the mount table
+func (c *Core) loadMounts(ctx context.Context) error {
+	// Load the existing mount table
+	raw, err := c.barrier.Get(ctx, coreMountConfigPath)
+	if err != nil {
+		c.logger.Error("failed to read mount table", "error", err)
+		return errLoadMountsFailed
+	}
+	rawLocal, err := c.barrier.Get(ctx, coreLocalMountConfigPath)
+	if err != nil {
+		c.logger.Error("failed to read local mount table", "error", err)
+		return errLoadMountsFailed
+	}
+
+	c.mountsLock.Lock()
+	defer c.mountsLock.Unlock()
+
+	if raw != nil {
+		// Check if the persisted value has canary in the beginning. If
+		// yes, decompress the table and then JSON decode it. If not,
+		// simply JSON decode it.
+		mountTable, err := c.decodeMountTable(ctx, raw.Value)
+		if err != nil {
+			c.logger.Error("failed to decompress and/or decode the mount table", "error", err)
+			return err
+		}
+		c.tableMetrics(len(mountTable.Entries), false, false, raw.Value)
+		c.mounts = mountTable
+	}
+
+	var needPersist bool
+	if c.mounts == nil {
+		c.logger.Info("no mounts; adding default mount table")
+		c.mounts = c.defaultMountTable()
+		needPersist = true
+	}
+
+	if rawLocal != nil {
+		localMountTable, err := c.decodeMountTable(ctx, rawLocal.Value)
+		if err != nil {
+			c.logger.Error("failed to decompress and/or decode the local mount table", "error", err)
+			return err
+		}
+		if localMountTable != nil && len(localMountTable.Entries) > 0 {
+			c.tableMetrics(len(localMountTable.Entries), true, false, rawLocal.Value)
+			c.mounts.Entries = append(c.mounts.Entries, localMountTable.Entries...)
+		}
+	}
+
+	// If this node is a performance standby we do not want to attempt to
+	// upgrade the mount table, this will be the active node's responsibility.
+	if !c.perfStandby {
+		err := c.runMountUpdates(ctx, needPersist)
+		if err != nil {
+			c.logger.Error("failed to run mount table upgrades", "error", err)
+			return err
+		}
+	}
+
+	for _, entry := range c.mounts.Entries {
+		if entry.NamespaceID == "" {
+			entry.NamespaceID = namespace.RootNamespaceID
+		}
+		ns, err := NamespaceByID(ctx, entry.NamespaceID, c)
+		if err != nil {
+			return err
+		}
+		if ns == nil {
+			return namespace.ErrNoNamespace
+		}
+		entry.namespace = ns
+
+		// Sync values to the cache
+		entry.SyncCache()
+	}
+	return nil
 }
 
-func transitImportKeyPath(s string, operation string) (path string, apiPath string, err error) {
-	parts := keyPath.FindStringSubmatch(s)
-	if len(parts) != 3 {
-		return "", "", errors.New("expected transit path and key name in the form :path:/keys/:name:")
+// Note that this is only designed to work with singletons, as it checks by
+// type only.
+func (c *Core) runMountUpdates(ctx context.Context, needPersist bool) error {
+	// Upgrade to typed mount table
+	if c.mounts.Type == "" {
+		c.mounts.Type = mountTableType
+		needPersist = true
+	}
+
+	for _, requiredMount := range c.requiredMountTable().Entries {
+		foundRequired := false
+		for _, coreMount := range c.mounts.Entries {
+			if coreMount.Type == requiredMount.Type {
+				foundRequired = true
+				coreMount.Config = requiredMount.Config
+				break
+			}
+		}
+
+		// In a replication scenario we will let sync invalidation take
+		// care of creating a new required mount that doesn't exist yet.
+		// This should only happen in the upgrade case where a new one is
+		// introduced on the primary; otherwise initial bootstrapping will
+		// ensure this comes over. If we upgrade first, we simply don't
+		// create the mount, so we won't conflict when we sync. If this is
+		// local (e.g. cubbyhole) we do still add it.
+		if !foundRequired && (!c.IsPerfSecondary() || requiredMount.Local) {
+			c.mounts.Entries = append(c.mounts.Entries, requiredMount)
+			needPersist = true
+		}
+	}
+
+	// Upgrade to table-scoped entries
+	for _, entry := range c.mounts.Entries {
+		if !c.PR1103disabled && entry.Type == mountTypeNSCubbyhole && !entry.Local && !c.ReplicationState().HasState(consts.ReplicationPerformanceSecondary|consts.ReplicationDRSecondary) {
+			entry.Local = true
+			needPersist = true
+		}
+		if entry.Type == mountTypeCubbyhole && !entry.Local {
+			entry.Local = true
+			needPersist = true
+		}
+		if entry.Table == "" {
+			entry.Table = c.mounts.Type
+			needPersist = true
+		}
+		if entry.Accessor == "" {
+			accessor, err := c.generateMountAccessor(entry.Type)
+			if err != nil {
+				return err
+			}
+			entry.Accessor = accessor
+			needPersist = true
+		}
+		if entry.BackendAwareUUID == "" {
+			bUUID, err := uuid.GenerateUUID()
+			if err != nil {
+				return err
+			}
+			entry.BackendAwareUUID = bUUID
+			needPersist = true
+		}
+
+		if entry.NamespaceID == "" {
+			entry.NamespaceID = namespace.RootNamespaceID
+			needPersist = true
+		}
+
+		// Don't store built-in version in the mount table, to make upgrades smoother.
+		if versions.IsBuiltinVersion(entry.Version) {
+			entry.Version = ""
+			needPersist = true
+		}
+	}
+	// Done if we have restored the mount table and we don't need
+	// to persist
+	if !needPersist {
+		return nil
 	}
-	path = parts[1]
-	keyName := parts[2]
-	apiPath = path + "/keys/" + keyName + "/" + operation
 
-	return path, apiPath, nil
+	// Persist both mount tables
+	if err := c.persistMounts(ctx, c.mounts, nil); err != nil {
+		c.logger.Error("failed to persist mount table", "error", err)
+		return errLoadMountsFailed
+	}
+	return nil
 }
 
-type ImportKeyFunc func(s string, operation string) (path string, apiPath string, err error)
+// persistMounts is used to persist the mount table after modification
+func (c *Core) persistMounts(ctx context.Context, table *MountTable, local *bool) error {
+	if table.Type != mountTableType {
+		c.logger.Error("given table to persist has wrong type", "actual_type", table.Type, "expected_type", mountTableType)
+		return fmt.Errorf("invalid table type given, not persisting")
+	}
 
-// error codes: 1: user error, 2: internal computation error, 3: remote api call error
-func ImportKey(c *BaseCommand, operation string, pathFunc ImportKeyFunc, flags *FlagSets, args []string) int {
-	// Parse and validate the arguments.
-	if err := flags.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
+	nonLocalMounts := &MountTable{
+		Type: mountTableType,
 	}
 
-	args = flags.Args()
-	if len(args) < 2 {
-		c.UI.Error(fmt.Sprintf("Incorrect argument count (expected 2+, got %d). Wanted PATH to import into and KEY material.", len(args)))
-		return 1
+	localMounts := &MountTable{
+		Type: mountTableType,
 	}
 
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
+	for _, entry := range table.Entries {
+		if entry.Table != table.Type {
+			c.logger.Error("given entry to persist in mount table has wrong table value", "path", entry.Path, "entry_table_type", entry.Table, "actual_type", table.Type)
+			return fmt.Errorf("invalid mount entry found, not persisting")
+		}
+
+		if entry.Local {
+			localMounts.Entries = append(localMounts.Entries, entry)
+		} else {
+			nonLocalMounts.Entries = append(nonLocalMounts.Entries, entry)
+		}
+	}
+
+	writeTable := func(mt *MountTable, path string) ([]byte, error) {
+		// Encode the mount table into JSON and compress it (lzw).
+		compressedBytes, err := jsonutil.EncodeJSONAndCompress(mt, nil)
+		if err != nil {
+			c.logger.Error("failed to encode or compress mount table", "error", err)
+			return nil, err
+		}
+
+		// Create an entry
+		entry := &logical.StorageEntry{
+			Key:   path,
+			Value: compressedBytes,
+		}
+
+		// Write to the physical backend
+		if err := c.barrier.Put(ctx, entry); err != nil {
+			c.logger.Error("failed to persist mount table", "error", err)
+			return nil, err
+		}
+		return compressedBytes, nil
+	}
+
+	var err error
+	var compressedBytes []byte
+	switch {
+	case local == nil:
+		// Write non-local mounts
+		compressedBytes, err := writeTable(nonLocalMounts, coreMountConfigPath)
+		if err != nil {
+			return err
+		}
+		c.tableMetrics(len(nonLocalMounts.Entries), false, false, compressedBytes)
+
+		// Write local mounts
+		compressedBytes, err = writeTable(localMounts, coreLocalMountConfigPath)
+		if err != nil {
+			return err
+		}
+		c.tableMetrics(len(localMounts.Entries), true, false, compressedBytes)
+
+	case *local:
+		// Write local mounts
+		compressedBytes, err = writeTable(localMounts, coreLocalMountConfigPath)
+		if err != nil {
+			return err
+		}
+		c.tableMetrics(len(localMounts.Entries), true, false, compressedBytes)
+	default:
+		// Write non-local mounts
+		compressedBytes, err = writeTable(nonLocalMounts, coreMountConfigPath)
+		if err != nil {
+			return err
+		}
+		c.tableMetrics(len(nonLocalMounts.Entries), false, false, compressedBytes)
+	}
+
+	return nil
+}
+
+// setupMounts is invoked after we've loaded the mount table to
+// initialize the logical backends and setup the router
+func (c *Core) setupMounts(ctx context.Context) error {
+	c.mountsLock.Lock()
+	defer c.mountsLock.Unlock()
+
+	for _, entry := range c.mounts.sortEntriesByPathDepth().Entries {
+		// Initialize the backend, special casing for system
+		barrierPath := entry.ViewPath()
+
+		// Resolution to absolute storage paths (versus uuid-relative) needs
+		// to happen prior to calling into the forwarded writer. Thus we
+		// intercept writes just before they hit barrier storage.
+		forwarded, err := c.NewForwardedWriter(ctx, c.barrier, entry.Local)
+		if err != nil {
+			return fmt.Errorf("error creating forwarded writer: %v", err)
+		}
+
+		// Create a barrier storage view using the UUID
+		view := NewBarrierView(forwarded, barrierPath)
+
+		// Singleton mounts cannot be filtered manually on a per-secondary basis
+		// from replication
+		if strutil.StrListContains(singletonMounts, entry.Type) {
+			addFilterablePath(c, barrierPath)
+		}
+		addKnownPath(c, barrierPath)
+
+		// Determining the replicated state of the mount
+		nilMount, err := preprocessMount(c, entry, view)
+		if err != nil {
+			return err
+		}
+		origReadOnlyErr := view.getReadOnlyErr()
+
+		// Mark the view as read-only until the mounting is complete and
+		// ensure that it is reset after. This ensures that there will be no
+		// writes during the construction of the backend.
+		view.setReadOnlyErr(logical.ErrSetupReadOnly)
+		if strutil.StrListContains(singletonMounts, entry.Type) {
+			defer view.setReadOnlyErr(origReadOnlyErr)
+		}
+
+		var backend logical.Backend
+		// Create the new backend
+		sysView := c.mountEntrySysView(entry)
+		backend, entry.RunningSha256, err = c.newLogicalBackend(ctx, entry, sysView, view)
+		if err != nil {
+			c.logger.Error("failed to create mount entry", "path", entry.Path, "error", err)
+
+			if c.isMountable(ctx, entry, consts.PluginTypeSecrets) {
+				c.logger.Warn("skipping plugin-based mount entry", "path", entry.Path)
+				goto ROUTER_MOUNT
+			}
+			return errLoadMountsFailed
+		}
+		if backend == nil {
+			return fmt.Errorf("created mount entry of type %q is nil", entry.Type)
+		}
+
+		// update the entry running version with the configured version, which was verified during registration.
+		entry.RunningVersion = entry.Version
+		if entry.RunningVersion == "" {
+			// don't set the running version to a builtin if it is running as an external plugin
+			if entry.RunningSha256 == "" {
+				entry.RunningVersion = versions.GetBuiltinVersion(consts.PluginTypeSecrets, entry.Type)
+			}
+		}
+
+		// Do not start up deprecated builtin plugins. If this is a major
+		// upgrade, stop unsealing and shutdown. If we've already mounted this
+		// plugin, proceed with unsealing and skip backend initialization.
+		if versions.IsBuiltinVersion(entry.RunningVersion) {
+			_, err := c.handleDeprecatedMountEntry(ctx, entry, consts.PluginTypeSecrets)
+			if c.isMajorVersionFirstMount(ctx) && err != nil {
+				go c.ShutdownCoreError(fmt.Errorf("could not mount %q: %w", entry.Type, err))
+				return errLoadMountsFailed
+			} else if err != nil {
+				c.logger.Error("skipping deprecated mount entry", "name", entry.Type, "path", entry.Path, "error", err)
+				backend.Cleanup(ctx)
+				backend = nil
+				goto ROUTER_MOUNT
+			}
+		}
+
+		{
+			// Check for the correct backend type
+			backendType := backend.Type()
+
+			if backendType != logical.TypeLogical {
+				if entry.Type != mountTypeKV && entry.Type != mountTypeSystem && entry.Type != mountTypeCubbyhole {
+					return fmt.Errorf(`unknown backend type: "%s"`, entry.Type)
+				}
+			}
+
+			addPathCheckers(c, entry, backend, barrierPath)
+
+			c.setCoreBackend(entry, backend, view)
+		}
+
+		// If the mount is filtered or we are on a DR secondary we don't want to
+		// keep the actual backend running, so we clean it up and set it to nil
+		// so the router does not have a pointer to the object.
+		if nilMount {
+			backend.Cleanup(ctx)
+			backend = nil
+		}
+
+	ROUTER_MOUNT:
+		// Mount the backend
+		err = c.router.Mount(backend, entry.Path, entry, view)
+		if err != nil {
+			c.logger.Error("failed to mount entry", "path", entry.Path, "error", err)
+			return errLoadMountsFailed
+		}
+
+		// Initialize
+		if !nilMount {
+			// Bind locally
+			localEntry := entry
+			c.postUnsealFuncs = append(c.postUnsealFuncs, func() {
+				postUnsealLogger := c.logger.With("type", localEntry.Type, "version", localEntry.RunningVersion, "path", localEntry.Path)
+				if backend == nil {
+					postUnsealLogger.Error("skipping initialization for nil backend", "path", localEntry.Path)
+					return
+				}
+				if !strutil.StrListContains(singletonMounts, localEntry.Type) {
+					view.setReadOnlyErr(origReadOnlyErr)
+				}
+
+				nsActiveContext := namespace.ContextWithNamespace(c.activeContext, localEntry.Namespace())
+				err := backend.Initialize(nsActiveContext, &logical.InitializationRequest{Storage: view})
+				if err != nil {
+					postUnsealLogger.Error("failed to initialize mount backend", "error", err)
+				}
+			})
+		}
+
+		if c.logger.IsInfo() {
+			c.logger.Info("successfully mounted", "type", entry.Type, "version", entry.RunningVersion, "path", entry.Path, "namespace", entry.Namespace())
+		}
+
+		// Ensure the path is tainted if set in the mount table
+		if entry.Tainted {
+			// Calculate any namespace prefixes here, because when Taint() is called, there won't be
+			// a namespace to pull from the context. This is similar to what we do above in c.router.Mount().
+			path := entry.Namespace().Path + entry.Path
+			c.logger.Debug("tainting a mount due to it being marked as tainted in mount table", "entry.path", entry.Path, "entry.namespace.path", entry.Namespace().Path, "full_path", path)
+			c.router.Taint(ctx, path)
+		}
+
+		// Ensure the cache is populated, don't need the result
+		NamespaceByID(ctx, entry.NamespaceID, c)
+	}
+	return nil
+}
+
+// unloadMounts is used before we seal the vault to reset the mounts to
+// their unloaded state, calling Cleanup if defined. This is reversed by load and setup mounts.
+func (c *Core) unloadMounts(ctx context.Context) error {
+	c.mountsLock.Lock()
+	defer c.mountsLock.Unlock()
+
+	if c.mounts != nil {
+		mountTable := c.mounts.shallowClone()
+		for _, e := range mountTable.Entries {
+			backend := c.router.MatchingBackend(namespace.ContextWithNamespace(ctx, e.namespace), e.Path)
+			if backend != nil {
+				backend.Cleanup(ctx)
+			}
+
+			viewPath := e.ViewPath()
+			removePathCheckers(c, e, viewPath)
+		}
+	}
+
+	c.mounts = nil
+	c.router.reset()
+	c.systemBarrierView = nil
+	return nil
+}
+
+// newLogicalBackend is used to create and configure a new logical backend by name.
+// It also returns the SHA256 of the plugin, if available.
+func (c *Core) newLogicalBackend(ctx context.Context, entry *MountEntry, sysView logical.SystemView, view logical.Storage) (logical.Backend, string, error) {
+	t := entry.Type
+	if alias, ok := mountAliases[t]; ok {
+		t = alias
+	}
+
+	var runningSha string
+	f, ok := c.logicalBackends[t]
+	if !ok {
+		plug, err := c.pluginCatalog.Get(ctx, t, consts.PluginTypeSecrets, entry.Version)
+		if err != nil {
+			return nil, "", err
+		}
+		if plug == nil {
+			errContext := t
+			if entry.Version != "" {
+				errContext += fmt.Sprintf(", version=%s", entry.Version)
+			}
+			return nil, "", fmt.Errorf("%w: %s", ErrPluginNotFound, errContext)
+		}
+		if len(plug.Sha256) > 0 {
+			runningSha = hex.EncodeToString(plug.Sha256)
+		}
+
+		f = plugin.Factory
+		if !plug.Builtin {
+			f = wrapFactoryCheckPerms(c, plugin.Factory)
+		}
+	}
+	// Set up conf to pass in plugin_name
+	conf := make(map[string]string)
+	for k, v := range entry.Options {
+		conf[k] = v
 	}
 
-	ephemeralAESKey := make([]byte, 32)
-	_, err = rand.Read(ephemeralAESKey)
+	switch {
+	case entry.Type == mountTypePlugin:
+		conf["plugin_name"] = entry.Config.PluginName
+	default:
+		conf["plugin_name"] = t
+	}
+
+	conf["plugin_type"] = consts.PluginTypeSecrets.String()
+	conf["plugin_version"] = entry.Version
+
+	backendLogger := c.baseLogger.Named(fmt.Sprintf("secrets.%s.%s", t, entry.Accessor))
+	c.AddLogger(backendLogger)
+	pluginEventSender, err := c.events.WithPlugin(entry.namespace, &logical.EventPluginInfo{
+		MountClass:    consts.PluginTypeSecrets.String(),
+		MountAccessor: entry.Accessor,
+		MountPath:     entry.Path,
+		Plugin:        entry.Type,
+		PluginVersion: entry.RunningVersion,
+		Version:       entry.Version,
+	})
 	if err != nil {
-		c.UI.Error(fmt.Sprintf("failed to generate ephemeral key: %v", err))
+		return nil, "", err
+	}
+	config := &logical.BackendConfig{
+		StorageView:  view,
+		Logger:       backendLogger,
+		Config:       conf,
+		System:       sysView,
+		BackendUUID:  entry.BackendAwareUUID,
+		EventsSender: pluginEventSender,
 	}
-	path, apiPath, err := pathFunc(args[0], operation)
+
+	ctx = namespace.ContextWithNamespace(ctx, entry.namespace)
+	ctx = context.WithValue(ctx, "core_number", c.coreNumber)
+	b, err := f(ctx, config)
 	if err != nil {
-		c.UI.Error(err.Error())
-		return 1
+		return nil, "", err
+	}
+	if b == nil {
+		return nil, "", fmt.Errorf("nil backend of type %q returned from factory", t)
+	}
+	addLicenseCallback(c, b)
+
+	return b, runningSha, nil
+}
+
+// defaultMountTable creates a default mount table
+func (c *Core) defaultMountTable() *MountTable {
+	table := &MountTable{
+		Type: mountTableType,
 	}
-	keyMaterial := args[1]
-	if keyMaterial[0] == '@' {
-		keyMaterialBytes, err := os.ReadFile(keyMaterial[1:])
+	table.Entries = append(table.Entries, c.requiredMountTable().Entries...)
+
+	if os.Getenv("VAULT_INTERACTIVE_DEMO_SERVER") != "" {
+		mountUUID, err := uuid.GenerateUUID()
+		if err != nil {
+			panic(fmt.Sprintf("could not create default secret mount UUID: %v", err))
+		}
+		mountAccessor, err := c.generateMountAccessor(mountTypeKV)
+		if err != nil {
+			panic(fmt.Sprintf("could not generate default secret mount accessor: %v", err))
+		}
+		bUUID, err := uuid.GenerateUUID()
 		if err != nil {
-			c.UI.Error(fmt.Sprintf("error reading key material file: %v", err))
-			return 1
+			panic(fmt.Sprintf("could not create default secret mount backend UUID: %v", err))
 		}
 
-		keyMaterial = string(keyMaterialBytes)
+		kvMount := &MountEntry{
+			Table:            mountTableType,
+			Path:             "secret/",
+			Type:             mountTypeKV,
+			Description:      "key/value secret storage",
+			UUID:             mountUUID,
+			Accessor:         mountAccessor,
+			BackendAwareUUID: bUUID,
+			Options: map[string]string{
+				"version": "2",
+			},
+			RunningVersion: versions.GetBuiltinVersion(consts.PluginTypeSecrets, "kv"),
+		}
+		table.Entries = append(table.Entries, kvMount)
 	}
 
-	key, err := base64.StdEncoding.DecodeString(keyMaterial)
+	return table
+}
+
+// requiredMountTable() creates a mount table with entries required
+// to be available
+func (c *Core) requiredMountTable() *MountTable {
+	table := &MountTable{
+		Type: mountTableType,
+	}
+	cubbyholeUUID, err := uuid.GenerateUUID()
+	if err != nil {
+		panic(fmt.Sprintf("could not create cubbyhole UUID: %v", err))
+	}
+	cubbyholeAccessor, err := c.generateMountAccessor("cubbyhole")
 	if err != nil {
-		c.UI.Error(fmt.Sprintf("error base64 decoding source key material: %v", err))
-		return 1
+		panic(fmt.Sprintf("could not generate cubbyhole accessor: %v", err))
 	}
-	// Fetch the wrapping key
-	c.UI.Output("Retrieving wrapping key.")
-	wrappingKey, err := fetchWrappingKey(client, path)
+	cubbyholeBackendUUID, err := uuid.GenerateUUID()
 	if err != nil {
-		c.UI.Error(fmt.Sprintf("failed to fetch wrapping key: %v", err))
-		return 3
+		panic(fmt.Sprintf("could not create cubbyhole backend UUID: %v", err))
+	}
+	cubbyholeMount := &MountEntry{
+		Table:            mountTableType,
+		Path:             mountPathCubbyhole,
+		Type:             mountTypeCubbyhole,
+		Description:      "per-token private secret storage",
+		UUID:             cubbyholeUUID,
+		Accessor:         cubbyholeAccessor,
+		Local:            true,
+		BackendAwareUUID: cubbyholeBackendUUID,
+		RunningVersion:   versions.GetBuiltinVersion(consts.PluginTypeSecrets, "cubbyhole"),
 	}
-	c.UI.Output("Wrapping source key with ephemeral key.")
-	wrapKWP, err := subtle.NewKWP(ephemeralAESKey)
+
+	sysUUID, err := uuid.GenerateUUID()
 	if err != nil {
-		c.UI.Error(fmt.Sprintf("failure building key wrapping key: %v", err))
-		return 2
+		panic(fmt.Sprintf("could not create sys UUID: %v", err))
 	}
-	wrappedTargetKey, err := wrapKWP.Wrap(key)
+	sysAccessor, err := c.generateMountAccessor("system")
 	if err != nil {
-		c.UI.Error(fmt.Sprintf("failure wrapping source key: %v", err))
-		return 2
+		panic(fmt.Sprintf("could not generate sys accessor: %v", err))
 	}
-	c.UI.Output("Encrypting ephemeral key with wrapping key.")
-	wrappedAESKey, err := rsa.EncryptOAEP(
-		sha256.New(),
-		rand.Reader,
-		wrappingKey,
-		ephemeralAESKey,
-		[]byte{},
-	)
+	sysBackendUUID, err := uuid.GenerateUUID()
 	if err != nil {
-		c.UI.Error(fmt.Sprintf("failure encrypting wrapped key: %v", err))
-		return 2
+		panic(fmt.Sprintf("could not create sys backend UUID: %v", err))
+	}
+	sysMount := &MountEntry{
+		Table:            mountTableType,
+		Path:             "sys/",
+		Type:             mountTypeSystem,
+		Description:      "system endpoints used for control, policy and debugging",
+		UUID:             sysUUID,
+		Accessor:         sysAccessor,
+		BackendAwareUUID: sysBackendUUID,
+		SealWrap:         true, // Enable SealWrap since SystemBackend utilizes SealWrapStorage, see factory in addExtraLogicalBackends().
+		Config: MountConfig{
+			PassthroughRequestHeaders: []string{"Accept"},
+		},
+		RunningVersion: versions.DefaultBuiltinVersion,
 	}
-	combinedCiphertext := append(wrappedAESKey, wrappedTargetKey...)
-	importCiphertext := base64.StdEncoding.EncodeToString(combinedCiphertext)
 
-	// Parse all the key options
-	data, err := parseArgsData(os.Stdin, args[2:])
+	identityUUID, err := uuid.GenerateUUID()
 	if err != nil {
-		c.UI.Error(fmt.Sprintf("Failed to parse extra K=V data: %s", err))
-		return 1
+		panic(fmt.Sprintf("could not create identity mount entry UUID: %v", err))
 	}
-	if data == nil {
-		data = make(map[string]interface{}, 1)
+	identityAccessor, err := c.generateMountAccessor("identity")
+	if err != nil {
+		panic(fmt.Sprintf("could not generate identity accessor: %v", err))
+	}
+	identityBackendUUID, err := uuid.GenerateUUID()
+	if err != nil {
+		panic(fmt.Sprintf("could not create identity backend UUID: %v", err))
+	}
+	identityMount := &MountEntry{
+		Table:            mountTableType,
+		Path:             "identity/",
+		Type:             "identity",
+		Description:      "identity store",
+		UUID:             identityUUID,
+		Accessor:         identityAccessor,
+		BackendAwareUUID: identityBackendUUID,
+		Config: MountConfig{
+			PassthroughRequestHeaders: []string{"Authorization"},
+		},
+		RunningVersion: versions.DefaultBuiltinVersion,
 	}
 
-	data["ciphertext"] = importCiphertext
+	table.Entries = append(table.Entries, cubbyholeMount)
+	table.Entries = append(table.Entries, sysMount)
+	table.Entries = append(table.Entries, identityMount)
 
-	c.UI.Output("Submitting wrapped key.")
-	// Finally, call import
+	return table
+}
 
-	_, err = client.Logical().Write(apiPath, data)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("failed to call import:%v", err))
-		return 3
-	} else {
-		c.UI.Output("Success!")
-		return 0
+// This function returns tables that are singletons. The main usage of this is
+// for replication, so we can send over mount info (especially, UUIDs of
+// mounts, which are used for salts) for mounts that may not be able to be
+// handled normally. After saving these values on the secondary, we let normal
+// sync invalidation do its thing. Because of its use for replication, we
+// exclude local mounts.
+func (c *Core) singletonMountTables() (mounts, auth *MountTable) {
+	mounts = &MountTable{}
+	auth = &MountTable{}
+
+	c.mountsLock.RLock()
+	for _, entry := range c.mounts.Entries {
+		if strutil.StrListContains(singletonMounts, entry.Type) && !entry.Local && entry.Namespace().ID == namespace.RootNamespaceID {
+			mounts.Entries = append(mounts.Entries, entry)
+		}
+	}
+	c.mountsLock.RUnlock()
+
+	c.authLock.RLock()
+	for _, entry := range c.auth.Entries {
+		if strutil.StrListContains(singletonMounts, entry.Type) && !entry.Local && entry.Namespace().ID == namespace.RootNamespaceID {
+			auth.Entries = append(auth.Entries, entry)
+		}
+	}
+	c.authLock.RUnlock()
+
+	return
+}
+
+func (c *Core) setCoreBackend(entry *MountEntry, backend logical.Backend, view *BarrierView) {
+	switch entry.Type {
+	case mountTypeSystem:
+		c.systemBackend = backend.(*SystemBackend)
+		c.systemBarrierView = view
+	case mountTypeCubbyhole:
+		ch := backend.(*CubbyholeBackend)
+		ch.saltUUID = entry.UUID
+		ch.storageView = view
+		c.cubbyholeBackend = ch
+	case mountTypeIdentity:
+		c.identityStore = backend.(*IdentityStore)
 	}
 }
 
-func fetchWrappingKey(client *api.Client, path string) (*rsa.PublicKey, error) {
-	resp, err := client.Logical().Read(path + "/wrapping_key")
+func (c *Core) createMigrationStatus(from, to namespace.MountPathDetails) (string, error) {
+	migrationID, err := uuid.GenerateUUID()
 	if err != nil {
-		return nil, fmt.Errorf("error fetching wrapping key: %w", err)
+		return "", fmt.Errorf("error generating uuid for mount move invocation: %w", err)
 	}
-	if resp == nil {
-		return nil, fmt.Errorf("no mount found at %s: %v", path, err)
+	migrationInfo := MountMigrationInfo{
+		SourceMount:     from.Namespace.Path + from.MountPath,
+		TargetMount:     to.Namespace.Path + to.MountPath,
+		MigrationStatus: MigrationInProgressStatus.String(),
 	}
-	key, ok := resp.Data["public_key"]
+	c.mountMigrationTracker.Store(migrationID, migrationInfo)
+	return migrationID, nil
+}
+
+func (c *Core) setMigrationStatus(migrationID string, migrationStatus MountMigrationStatus) error {
+	migrationInfoRaw, ok := c.mountMigrationTracker.Load(migrationID)
 	if !ok {
-		return nil, fmt.Errorf("missing public_key field in response")
-	}
-	keyBlock, _ := pem.Decode([]byte(key.(string)))
-	if keyBlock == nil {
-		return nil, fmt.Errorf("failed to decode PEM information from public_key response field")
-	}
-	parsedKey, err := x509.ParsePKIXPublicKey(keyBlock.Bytes)
-	if err != nil {
-		return nil, fmt.Errorf("error parsing wrapping key: %w", err)
+		return fmt.Errorf("Migration Tracker entry missing for ID %s", migrationID)
 	}
-	rsaKey, ok := parsedKey.(*rsa.PublicKey)
+	migrationInfo := migrationInfoRaw.(MountMigrationInfo)
+	migrationInfo.MigrationStatus = migrationStatus.String()
+	c.mountMigrationTracker.Store(migrationID, migrationInfo)
+	return nil
+}
+
+func (c *Core) readMigrationStatus(migrationID string) *MountMigrationInfo {
+	migrationInfoRaw, ok := c.mountMigrationTracker.Load(migrationID)
 	if !ok {
-		return nil, fmt.Errorf("returned value was not an RSA public key but a %T", rsaKey)
+		return nil
 	}
-	return rsaKey, nil
+	migrationInfo := migrationInfoRaw.(MountMigrationInfo)
+	return &migrationInfo
 }
diff --git a/command/transit_import_key_test.go b/command/transit_import_key_test.go
index 6bcf0237df5c..5486e9f70251 100644
--- a/command/transit_import_key_test.go
+++ b/command/transit_import_key_test.go
@@ -1,189 +1,408 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"bytes"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/x509"
-	"encoding/base64"
-	"testing"
-
-	"github.com/hashicorp/vault/api"
-
-	"github.com/stretchr/testify/require"
-)
-
-// Validate the `vault transit import` command works.
-func TestTransitImport(t *testing.T) {
-	t.Parallel()
-
-	client, closer := testVaultServer(t)
-	defer closer()
-
-	if err := client.Sys().Mount("transit", &api.MountInput{
-		Type: "transit",
-	}); err != nil {
-		t.Fatalf("transit mount error: %#v", err)
-	}
-
-	rsa1, rsa2, aes128, aes256 := generateKeys(t)
-
-	type testCase struct {
-		variant    string
-		path       string
-		key        []byte
-		args       []string
-		shouldFail bool
-	}
-	tests := []testCase{
-		{
-			"import",
-			"transit/keys/rsa1",
-			rsa1,
-			[]string{"type=rsa-2048"},
-			false, /* first import */
-		},
-		{
-			"import",
-			"transit/keys/rsa1",
-			rsa2,
-			[]string{"type=rsa-2048"},
-			true, /* already exists */
-		},
-		{
-			"import-version",
-			"transit/keys/rsa1",
-			rsa2,
-			[]string{"type=rsa-2048"},
-			false, /* new version */
-		},
-		{
-			"import",
-			"transit/keys/rsa2",
-			rsa2,
-			[]string{"type=rsa-4096"},
-			true, /* wrong type */
-		},
-		{
-			"import",
-			"transit/keys/rsa2",
-			rsa2,
-			[]string{"type=rsa-2048"},
-			false, /* new name */
-		},
-		{
-			"import",
-			"transit/keys/aes1",
-			aes128,
-			[]string{"type=aes128-gcm96"},
-			false, /* first import */
-		},
-		{
-			"import",
-			"transit/keys/aes1",
-			aes256,
-			[]string{"type=aes256-gcm96"},
-			true, /* already exists */
-		},
-		{
-			"import-version",
-			"transit/keys/aes1",
-			aes256,
-			[]string{"type=aes256-gcm96"},
-			true, /* new version, different type */
-		},
-		{
-			"import-version",
-			"transit/keys/aes1",
-			aes128,
-			[]string{"type=aes128-gcm96"},
-			false, /* new version */
-		},
-		{
-			"import",
-			"transit/keys/aes2",
-			aes256,
-			[]string{"type=aes128-gcm96"},
-			true, /* wrong type */
-		},
-		{
-			"import",
-			"transit/keys/aes2",
-			aes256,
-			[]string{"type=aes256-gcm96"},
-			false, /* new name */
-		},
-	}
-
-	for index, tc := range tests {
-		t.Logf("Running test case %d: %v", index, tc)
-		execTransitImport(t, client, tc.variant, tc.path, tc.key, tc.args, tc.shouldFail)
-	}
+---
+layout: api
+page_title: /sys/mounts - HTTP API
+description: The `/sys/mounts` endpoint is used to manage secrets engines in Vault.
+---
+
+# `/sys/mounts`
+
+The `/sys/mounts` endpoint is used to manage secrets engines in Vault.
+
+## List mounted secrets engines
+
+This endpoints lists all the mounted secrets engines.
+
+| Method | Path          |
+| :----- | :------------ |
+| `GET`  | `/sys/mounts` |
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/mounts
+```
+
+### Sample response
+
+```json
+{
+  "request_id": "48d2c601-97a0-3904-f549-4fcbc740d718",
+  "lease_id": "",
+  "lease_duration": 0,
+  "renewable": false,
+  "data": {
+    "cubbyhole/": {
+      "accessor": "cubbyhole_eb4503de",
+      "config": {
+        "default_lease_ttl": 0,
+        "force_no_cache": false,
+        "max_lease_ttl": 0
+      },
+      "description": "per-token private secret storage",
+      "external_entropy_access": false,
+      "local": true,
+      "options": null,
+      "plugin_version": "",
+      "running_plugin_version": "v1.12.0+builtin.vault",
+      "running_sha256": "",
+      "seal_wrap": false,
+      "type": "cubbyhole",
+      "uuid": "79ddaa52-fa07-6f19-653a-f0777f6439fd"
+    },
+    "identity/": {
+      "accessor": "identity_68a03448",
+      "config": {
+        "default_lease_ttl": 0,
+        "force_no_cache": false,
+        "max_lease_ttl": 0
+      },
+      "description": "identity store",
+      "external_entropy_access": false,
+      "local": false,
+      "options": null,
+      "plugin_version": "",
+      "running_plugin_version": "v1.12.0+builtin.vault",
+      "running_sha256": "",
+      "seal_wrap": false,
+      "type": "identity",
+      "uuid": "45f79a67-58f7-3f87-892c-9032084e7801"
+    },
+    "secret/": {
+      "accessor": "kv_aedd93c1",
+      "config": {
+        "default_lease_ttl": 0,
+        "force_no_cache": false,
+        "max_lease_ttl": 0
+      },
+      "deprecation_status": "supported",
+      "description": "key/value secret storage",
+      "external_entropy_access": false,
+      "local": false,
+      "options": {
+        "version": "2"
+      },
+      "plugin_version": "",
+      "running_plugin_version": "v0.13.0+builtin",
+      "running_sha256": "",
+      "seal_wrap": false,
+      "type": "kv",
+      "uuid": "8074a73f-6921-c0cd-589a-016405dc46ec"
+    },
+    "sys/": {
+      "accessor": "system_f8df2902",
+      "config": {
+        "default_lease_ttl": 0,
+        "force_no_cache": false,
+        "max_lease_ttl": 0,
+        "passthrough_request_headers": ["Accept"]
+      },
+      "description": "system endpoints used for control, policy and debugging",
+      "external_entropy_access": false,
+      "local": false,
+      "options": null,
+      "plugin_version": "",
+      "running_plugin_version": "v1.12.0+builtin.vault",
+      "running_sha256": "",
+      "seal_wrap": false,
+      "type": "system",
+      "uuid": "c79f4f66-4cfa-4521-9d31-b1238b0a6800"
+    }
+  },
+  "warnings": null
+}
+```
+
+`default_lease_ttl` or `max_lease_ttl` values of 0 mean that the system defaults
+are used by this backend.
+
+## Enable secrets engine
+
+This endpoint enables a new secrets engine at the given path.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `POST` | `/sys/mounts/:path` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the path where the secrets engine
+  will be mounted. This is specified as part of the URL.
+
+  !> **NOTE:** Use ASCII printable characters to specify the desired path.
+
+- `type` `(string: <required>)` – Specifies the type of the backend, such as
+  "aws".
+
+- `description` `(string: "")` – Specifies the human-friendly description of the
+  mount.
+
+- `config` `(map<string|string>: nil)` – Specifies configuration options for
+  this mount; if set on a specific mount, values will override any global
+  defaults (e.g. the system TTL/Max TTL)
+
+  - `default_lease_ttl` `(string: "")` - The default lease duration, specified
+    as a string duration like "5s" or "30m".
+
+  - `max_lease_ttl` `(string: "")` - The maximum lease duration, specified as a
+    string duration like "5s" or "30m".
+
+  - `force_no_cache` `(bool: false)` - Disable caching.
+
+  - `audit_non_hmac_request_keys` `(array: [])` - List of keys that will not be
+    HMAC'd by audit devices in the request data object.
+
+  - `audit_non_hmac_response_keys` `(array: [])` - List of keys that will not be
+    HMAC'd by audit devices in the response data object.
+
+  - `listing_visibility` `(string: "")` - Specifies whether to show this mount
+    in the UI-specific listing endpoint. Valid values are `"unauth"` or
+    `"hidden"`. If not set, behaves like `"hidden"`.
+
+  - `passthrough_request_headers` `(array: [])` - List of headers to allow
+    and pass from the request to the plugin.
+
+  - `allowed_response_headers` `(array: [])` - List of headers to allow,
+    allowing a plugin to include them in the response.
+
+  - `plugin_version` `(string: "")` – Specifies the semantic version of the plugin
+    to use, e.g. "v1.0.0". If unspecified, the server will select any matching
+    unversioned plugin that may have been registered, the latest versioned plugin
+    registered, or a built-in plugin in that order of precendence.
+
+  - `allowed_managed_keys` `(array: [])` - List of managed key registry entry names
+    that the mount in question is allowed to access.
+
+  - `delegated_auth_accessors` `(array: [])` - List of allowed authentication mount
+    accessors the backend can request delegated authentication for.
+
+- `options` `(map<string|string>: nil)` - Specifies mount type specific options
+  that are passed to the backend.
+
+  _Key/Value (KV)_
+
+  - `version` `(string: "1")` - The version of the KV to mount. Set to "2" for mount
+    KV v2.
+
+Additionally, the following options are allowed in Vault open-source, but
+relevant functionality is only supported in Vault Enterprise:
+
+- `local` `(bool: false)` – Specifies if the secrets engine is a local mount
+  only. Local mounts are not replicated nor (if a secondary) removed by
+  replication.
+
+- `seal_wrap` `(bool: false)` - Enable seal wrapping for the mount, causing
+  values stored by the mount to be wrapped by the seal's encryption capability.
+
+- `external_entropy_access` `(bool: false)` - Enable the secrets engine to access
+  Vault's external entropy source.
+
+### Sample payload
+
+```json
+{
+  "type": "aws",
+  "config": {
+    "force_no_cache": true
+  }
+}
+```
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/mounts/my-mount
+```
+
+## Disable secrets engine
+
+This endpoint disables the mount point specified in the URL.
+
+| Method   | Path                |                    |
+| :------- | :------------------ | ------------------ |
+| `DELETE` | `/sys/mounts/:path` | `204 (empty body)` |
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/mounts/my-mount
+```
+
+### Force disable
+
+Because disabling a secrets engine revokes secrets associated with this mount,
+possible errors can prevent the secrets engine from being disabled if the
+revocation fails.
+
+The best way to resolve this is to figure out the underlying issue and then
+disable the secrets engine once the underlying issue is resolved. Often, this can be as
+simple as increasing the timeout (in the event of timeout errors).
+
+For recovery situations where the secret was manually removed from the
+secrets backing service, one can force a secrets engine disable in Vault by
+performing a [force revoke](/vault/api-docs/system/leases)
+on the mount prefix, followed by a secrets disable when that completes.
+If the underlying secrets were not manually cleaned up, this method might result
+in dangling credentials. This is meant for extreme circumstances.
+
+## Get the configuration of a secret engine
+
+This endpoint returns the configuration of a specific secret engine.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `GET`  | `/sys/mounts/:path` |
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/mounts/cubbyhole
+```
+
+### Sample response
+
+```json
+{
+  "config": {
+    "default_lease_ttl": 0,
+    "force_no_cache": false,
+    "max_lease_ttl": 0
+  },
+  "description": "per-token private secret storage",
+  "accessor": "cubbyhole_db85f061",
+  "external_entropy_access": false,
+  "options": null,
+  "uuid": "9c0e211a-904d-e41d-e1a2-7f1ff2bb8461",
+  "type": "cubbyhole",
+  "local": true,
+  "seal_wrap": false,
+  "request_id": "efdab917-ade2-1802-b8fa-fe2e6486d4e5",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "accessor": "cubbyhole_db85f061",
+    "config": {
+      "default_lease_ttl": 0,
+      "force_no_cache": false,
+      "max_lease_ttl": 0
+    },
+    "description": "per-token private secret storage",
+    "external_entropy_access": false,
+    "local": true,
+    "options": null,
+    "plugin_version": "",
+    "running_plugin_version": "v1.12.0+builtin.vault",
+    "running_sha256": "",
+    "seal_wrap": false,
+    "type": "cubbyhole",
+    "uuid": "9c0e211a-904d-e41d-e1a2-7f1ff2bb8461"
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null
 }
+```
+
+## Read mount configuration
+
+This endpoint reads the given mount's configuration. Unlike the `mounts`
+endpoint, this will return the current time in seconds for each TTL, which may
+be the system default or a mount-specific value.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `GET`  | `/sys/mounts/:path/tune` |
 
-func execTransitImport(t *testing.T, client *api.Client, method string, path string, key []byte, data []string, expectFailure bool) {
-	t.Helper()
-
-	keyBase64 := base64.StdEncoding.EncodeToString(key)
-
-	var args []string
-	args = append(args, "transit")
-	args = append(args, method)
-	args = append(args, path)
-	args = append(args, keyBase64)
-	args = append(args, data...)
-
-	stdout := bytes.NewBuffer(nil)
-	stderr := bytes.NewBuffer(nil)
-	runOpts := &RunOptions{
-		Stdout: stdout,
-		Stderr: stderr,
-		Client: client,
-	}
-
-	code := RunCustom(args, runOpts)
-	combined := stdout.String() + stderr.String()
-
-	if code != 0 {
-		if !expectFailure {
-			t.Fatalf("Got unexpected failure from test (ret %d): %v", code, combined)
-		}
-	} else {
-		if expectFailure {
-			t.Fatalf("Expected failure, got success from test (ret %d): %v", code, combined)
-		}
-	}
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/mounts/my-mount/tune
+```
+
+### Sample response
+
+```json
+{
+  "default_lease_ttl": 3600,
+  "max_lease_ttl": 7200,
+  "force_no_cache": false
 }
+```
+
+## Tune mount configuration
+
+This endpoint tunes configuration parameters for a given mount point.
 
-func generateKeys(t *testing.T) (rsa1 []byte, rsa2 []byte, aes128 []byte, aes256 []byte) {
-	t.Helper()
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/sys/mounts/:path/tune` |
 
-	priv1, err := rsa.GenerateKey(rand.Reader, 2048)
-	require.NotNil(t, priv1, "failed generating RSA 1 key")
-	require.NoError(t, err, "failed generating RSA 1 key")
+### Parameters
 
-	rsa1, err = x509.MarshalPKCS8PrivateKey(priv1)
-	require.NotNil(t, rsa1, "failed marshaling RSA 1 key")
-	require.NoError(t, err, "failed marshaling RSA 1 key")
+- `default_lease_ttl` `(int: 0)` – Specifies the default time-to-live. This
+  overrides the global default. A value of `0` is equivalent to the system
+  default TTL.
 
-	priv2, err := rsa.GenerateKey(rand.Reader, 2048)
-	require.NotNil(t, priv2, "failed generating RSA 2 key")
-	require.NoError(t, err, "failed generating RSA 2 key")
+- `max_lease_ttl` `(int: 0)` – Specifies the maximum time-to-live. This
+  overrides the global default. A value of `0` are equivalent and set to the
+  system max TTL.
 
-	rsa2, err = x509.MarshalPKCS8PrivateKey(priv2)
-	require.NotNil(t, rsa2, "failed marshaling RSA 2 key")
-	require.NoError(t, err, "failed marshaling RSA 2 key")
+- `description` `(string: "")` – Specifies the description of the mount. This
+  overrides the current stored value, if any.
 
-	aes128 = make([]byte, 128/8)
-	_, err = rand.Read(aes128)
-	require.NoError(t, err, "failed generating AES 128 key")
+- `audit_non_hmac_request_keys` `(array: [])` - Specifies the list of keys that
+  will not be HMAC'd by audit devices in the request data object.
 
-	aes256 = make([]byte, 256/8)
-	_, err = rand.Read(aes256)
-	require.NoError(t, err, "failed generating AES 256 key")
+- `audit_non_hmac_response_keys` `(array: [])` - Specifies the list of keys that
+  will not be HMAC'd by audit devices in the response data object.
 
-	return
+- `listing_visibility` `(string: "")` - Specifies whether to show this mount in
+  the UI-specific listing endpoint. Valid values are `"unauth"` or `"hidden"`.
+  If not set, behaves like `"hidden"`.
+
+- `passthrough_request_headers` `(array: [])` - List of headers to allow
+  and pass from the request to the plugin.
+
+- `allowed_response_headers` `(array: [])` - List of headers to allow,
+  allowing a plugin to include them in the response.
+
+- `allowed_managed_keys` `(array: [])` - List of managed key registry entry names
+  that the mount in question is allowed to access.
+
+- `plugin_version` `(string: "")` – Specifies the semantic version of the plugin
+  to use, e.g. "v1.0.0". Changes will not take effect until the mount is reloaded.
+
+- `delegated_auth_accessors` `(array: [])` - List of allowed authentication mount
+  accessors the backend can request delegated authentication for.
+
+### Sample payload
+
+```json
+{
+  "default_lease_ttl": 1800,
+  "max_lease_ttl": 3600
 }
+```
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/mounts/my-mount/tune
+```
diff --git a/command/transit_import_key_version.go b/command/transit_import_key_version.go
index 364481fd36ae..2c867bdc698f 100644
--- a/command/transit_import_key_version.go
+++ b/command/transit_import_key_version.go
@@ -1,58 +1,21 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"strings"
-
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*TransitImportVersionCommand)(nil)
-	_ cli.CommandAutocomplete = (*TransitImportVersionCommand)(nil)
-)
-
-type TransitImportVersionCommand struct {
-	*BaseCommand
-}
-
-func (c *TransitImportVersionCommand) Synopsis() string {
-	return "Import key material into a new key version in the Transit secrets engines."
-}
-
-func (c *TransitImportVersionCommand) Help() string {
-	helpText := `
-Usage: vault transit import-version PATH KEY [...]
-
-  Using the Transit key wrapping system, imports key material from
-  the base64 encoded KEY (either directly on the CLI or via @path notation),
-  into a new key whose API path is PATH.  To import a new Transit
-  key, use the import command instead.  The remaining options after KEY
-  (key=value style) are passed on to the Transit create key endpoint.
-  If your system or device natively supports the RSA AES key wrap mechanism
-  (such as the PKCS#11 mechanism CKM_RSA_AES_KEY_WRAP), you should use it
-  directly rather than this command.
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *TransitImportVersionCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP)
-}
-
-func (c *TransitImportVersionCommand) AutocompleteArgs() complete.Predictor {
-	return nil
-}
-
-func (c *TransitImportVersionCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *TransitImportVersionCommand) Run(args []string) int {
-	return ImportKey(c.BaseCommand, "import_version", transitImportKeyPath, c.Flags(), args)
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+<ExternalLink
+  @href={{this.namespaceLink}}
+  @sameTab={{true}}
+  class={{concat "is-block " this.class}}
+  data-test-namespace-link={{this.normalizedNamespace}}
+>
+  {{#if (has-block)}}
+    {{yield}}
+  {{else}}
+    <div class="level is-mobile">
+      <span class="level-left">{{this.namespaceDisplay}}</span>
+      <span class="level-right">
+        <Hds::Button @text="Namespace link" @icon="chevron-right" @isIconOnly={{true}} @color="tertiary" />
+      </span>
+    </div>
+  {{/if}}
+</ExternalLink>
\ No newline at end of file
diff --git a/command/unwrap.go b/command/unwrap.go
index f852845cfb58..787c42d5baaf 100644
--- a/command/unwrap.go
+++ b/command/unwrap.go
@@ -1,113 +1,119 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-var (
-	_ cli.Command             = (*UnwrapCommand)(nil)
-	_ cli.CommandAutocomplete = (*UnwrapCommand)(nil)
-)
-
-// UnwrapCommand is a Command that behaves like ReadCommand but specifically for
-// unwrapping cubbyhole-wrapped secrets
-type UnwrapCommand struct {
-	*BaseCommand
-}
-
-func (c *UnwrapCommand) Synopsis() string {
-	return "Unwrap a wrapped secret"
-}
-
-func (c *UnwrapCommand) Help() string {
-	helpText := `
-Usage: vault unwrap [options] [TOKEN]
-
-  Unwraps a wrapped secret from Vault by the given token. The result is the
-  same as the "vault read" operation on the non-wrapped secret. If no token
-  is given, the data in the currently authenticated token is unwrapped.
-
-  Unwrap the data in the cubbyhole secrets engine for a token:
-
-      $ vault unwrap 3de9ece1-b347-e143-29b0-dc2dc31caafd
-
-  Unwrap the data in the active token:
-
-      $ vault login 848f9ccf-7176-098c-5e2b-75a0689d41cd
-      $ vault unwrap # unwraps 848f9ccf...
-
-  For a full list of examples and paths, please see the online documentation.
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *UnwrapCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
-}
-
-func (c *UnwrapCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultFiles()
-}
-
-func (c *UnwrapCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *UnwrapCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	token := ""
-	switch len(args) {
-	case 0:
-		// Leave token as "", that will use the local token
-	case 1:
-		token = strings.TrimSpace(args[0])
-	default:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0-1, got %d)", len(args)))
-		return 1
-	}
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	secret, err := client.Logical().Unwrap(token)
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error unwrapping: %s", err))
-		return 2
-	}
-	if secret == nil {
-		if Format(c.UI) == "table" {
-			c.UI.Info("Successfully unwrapped. There was no data in the wrapped secret.")
-		}
-		return 0
-	}
-
-	// Handle single field output
-	if c.flagField != "" {
-		return PrintRawField(c.UI, secret, c.flagField)
-	}
-
-	// Check if the original was a list response and format as a list
-	if _, ok := extractListData(secret); ok {
-		return OutputList(c.UI, secret)
-	}
-	return OutputSecret(c.UI, secret)
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<div class="namespace-picker" ...attributes>
+  <BasicDropdown @horizontalPosition="left" @verticalPosition="above" as |D|>
+    <D.Trigger
+      @htmlTag="button"
+      class="button is-transparent namespace-picker-trigger has-current-color"
+      data-test-namespace-toggle
+    >
+      <div class="is-flex-center is-flex-1">
+        <Icon @name="org" />
+        <span class="is-flex-1 is-word-break has-text-left is-size-6 has-left-margin-xs">{{this.namespaceDisplay}}</span>
+      </div>
+      <Icon @name="caret" />
+    </D.Trigger>
+    <D.Content @defaultClass="namespace-picker-content">
+      <div class="is-mobile level-left">
+        <h5 class="list-header">Current namespace</h5>
+      </div>
+      <div class="namespace-header-bar level is-mobile">
+        <div class="level-left">
+          <header>
+            <div class="level is-mobile namespace-link">
+              <span class="level-left" data-test-current-namespace>
+                {{if this.namespacePath (concat this.namespacePath "/") "root"}}
+              </span>
+            </div>
+          </header>
+        </div>
+      </div>
+      <div class="namespace-list {{if this.isAnimating 'animated-list'}}">
+        {{#if this.auth.isRootToken}}
+          <div class="has-left-margin-s has-right-margin-s">
+            <span><Icon @name="alert-triangle-fill" class="has-text-highlight" /></span>
+            <span class="is-size-8 has-text-semibold">
+              You are logged in with a root token and will have to reauthenticate when switching namespaces.
+            </span>
+          </div>
+        {{/if}}
+
+        <div class="is-mobile level-left">
+          {{#if this.isUserRootNamespace}}
+            <h5 class="list-header">Namespaces</h5>
+          {{else}}
+            <NamespaceLink
+              @targetNamespace={{or
+                (object-at (dec 2 this.menuLeaves.length) this.lastMenuLeaves)
+                this.auth.authData.userRootNamespace
+              }}
+              @class="namespace-link is-current button is-transparent icon"
+            >
+              <div class="is-flex-align-baseline">
+                <Hds::Button
+                  @text="Go back"
+                  @icon="chevron-left"
+                  @isIconOnly={{true}}
+                  @color="tertiary"
+                  class="is-flex-align-baseline"
+                />
+                <p class="is-size-8 has-text-grey has-text-weight-semibold is-uppercase">Namespaces</p>
+              </div>
+            </NamespaceLink>
+          {{/if}}
+        </div>
+        {{#if (includes "" this.lastMenuLeaves)}}
+          {{! leaf is '' which is the root namespace, and then we need to iterate the root leaves }}
+          <div class="leaf-panel {{if (eq '' this.currentLeaf) 'leaf-panel-current' 'leaf-panel-left'}} ">
+            {{#each this.rootLeaves as |rootLeaf|}}
+              <NamespaceLink @targetNamespace={{rootLeaf}} @class="namespace-link" @showLastSegment={{true}} />
+            {{/each}}
+          </div>
+        {{/if}}
+        {{#each this.lastMenuLeaves as |leaf|}}
+          {{#if leaf}}
+            <div
+              class="leaf-panel
+                {{if (eq leaf this.currentLeaf) 'leaf-panel-current' 'leaf-panel-left'}}
+                {{if (and this.isAdding (eq leaf this.changedLeaf)) 'leaf-panel-adding'}}
+                {{if (and (not this.isAdding) (eq leaf this.changedLeaf)) 'leaf-panel-exiting'}}
+                "
+            >
+              {{#each-in (get this.namespaceTree leaf) as |leafName|}}
+                <NamespaceLink
+                  @targetNamespace={{concat leaf "/" leafName}}
+                  @class="namespace-link"
+                  @showLastSegment={{true}}
+                />
+              {{/each-in}}
+            </div>
+          {{/if}}
+        {{/each}}
+        {{#if this.canList}}
+          <div class="leaf-panel leaf-panel-current">
+            <div class="level">
+              <span class="level-left">
+                <LinkTo @route="vault.cluster.access.namespaces" class="is-block namespace-link namespace-manage-link">
+                  Manage Namespaces
+                </LinkTo>
+              </span>
+              <span class="level-right">
+                <Hds::Button
+                  @text="Refresh namespace list"
+                  @icon="reload"
+                  @isIconOnly={{true}}
+                  @color="tertiary"
+                  data-test-refresh-namespaces
+                  {{on "click" (action "refreshNamespaceList")}}
+                />
+              </span>
+            </div>
+          </div>
+        {{/if}}
+      </div>
+    </D.Content>
+  </BasicDropdown>
+</div>
\ No newline at end of file
diff --git a/command/unwrap_test.go b/command/unwrap_test.go
index 41b03095ab27..c47b26648c89 100644
--- a/command/unwrap_test.go
+++ b/command/unwrap_test.go
@@ -5,159 +5,62 @@ package command
 
 import (
 	"strings"
-	"testing"
 
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
 )
 
-func testUnwrapCommand(tb testing.TB) (*cli.MockUi, *UnwrapCommand) {
-	tb.Helper()
+var _ cli.Command = (*NamespaceCommand)(nil)
 
-	ui := cli.NewMockUi()
-	return ui, &UnwrapCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
+type NamespaceCommand struct {
+	*BaseCommand
 }
 
-func testUnwrapWrappedToken(tb testing.TB, client *api.Client, data map[string]interface{}) string {
-	tb.Helper()
-
-	wrapped, err := client.Logical().Write("sys/wrapping/wrap", data)
-	if err != nil {
-		tb.Fatal(err)
-	}
-	if wrapped == nil || wrapped.WrapInfo == nil || wrapped.WrapInfo.Token == "" {
-		tb.Fatalf("missing wrap info: %v", wrapped)
-	}
-	return wrapped.WrapInfo.Token
+func (c *NamespaceCommand) Synopsis() string {
+	return "Interact with namespaces"
 }
 
-func TestUnwrapCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"too_many_args",
-			[]string{"foo", "bar"},
-			"Too many arguments",
-			1,
-		},
-		{
-			"default",
-			nil, // Token comes in the test func
-			"bar",
-			0,
-		},
-		{
-			"field",
-			[]string{"-field", "foo"},
-			"bar",
-			0,
-		},
-		{
-			"field_not_found",
-			[]string{"-field", "not-a-real-field"},
-			"not present in secret",
-			1,
-		},
-	}
-
-	t.Run("validations", func(t *testing.T) {
-		t.Parallel()
-
-		for _, tc := range cases {
-			tc := tc
-
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
-
-				client, closer := testVaultServer(t)
-				defer closer()
-
-				wrappedToken := testUnwrapWrappedToken(t, client, map[string]interface{}{
-					"foo": "bar",
-				})
-
-				ui, cmd := testUnwrapCommand(t)
-				cmd.client = client
-
-				tc.args = append(tc.args, wrappedToken)
-				code := cmd.Run(tc.args)
-				if code != tc.code {
-					t.Errorf("expected %d to be %d", code, tc.code)
-				}
-
-				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-				if !strings.Contains(combined, tc.out) {
-					t.Errorf("expected %q to contain %q", combined, tc.out)
-				}
-			})
-		}
-	})
-
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServerBad(t)
-		defer closer()
-
-		ui, cmd := testUnwrapCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"foo",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		expected := "Error unwrapping: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
-
-	// This test needs its own client and server because it modifies the client
-	// to the wrapping token
-	t.Run("local_token", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		wrappedToken := testUnwrapWrappedToken(t, client, map[string]interface{}{
-			"foo": "bar",
-		})
-
-		ui, cmd := testUnwrapCommand(t)
-		cmd.client = client
-		cmd.client.SetToken(wrappedToken)
-
-		// Intentionally don't pass the token here - it should use the local token
-		code := cmd.Run([]string{})
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
-
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, "bar") {
-			t.Errorf("expected %q to contain %q", combined, "bar")
-		}
-	})
-
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
-
-		_, cmd := testUnwrapCommand(t)
-		assertNoTabs(t, cmd)
-	})
+func (c *NamespaceCommand) Help() string {
+	helpText := `
+Usage: vault namespace <subcommand> [options] [args]
+
+  This command groups subcommands for interacting with Vault namespaces.
+  These subcommands operate in the context of the namespace that the
+  currently logged in token belongs to.
+
+  List enabled child namespaces:
+
+      $ vault namespace list
+
+  Look up an existing namespace:
+
+      $ vault namespace lookup
+
+  Create a new namespace:
+
+      $ vault namespace create
+
+  Patch an existing namespace:
+
+      $ vault namespace patch
+
+  Delete an existing namespace:
+
+      $ vault namespace delete
+
+  Lock the API for an existing namespace:
+
+      $ vault namespace lock
+
+  Unlock the API for an existing namespace:
+
+      $ vault namespace unlock
+
+  Please see the individual subcommand help for detailed usage information.
+`
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *NamespaceCommand) Run(args []string) int {
+	return cli.RunResultHelp
 }
diff --git a/command/util.go b/command/util.go
index 0ace16191477..cd8e65e67e05 100644
--- a/command/util.go
+++ b/command/util.go
@@ -1,203 +1,84 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package command
-
-import (
-	"fmt"
-	"io"
-	"net/http"
-	"os"
-	"testing"
-	"time"
-
-	"github.com/fatih/color"
-	"github.com/hashicorp/go-cleanhttp"
-	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/command/config"
-	"github.com/hashicorp/vault/command/token"
-	"github.com/mitchellh/cli"
-)
-
-// DefaultTokenHelper returns the token helper that is configured for Vault.
-// This helper should only be used for non-server CLI commands.
-func DefaultTokenHelper() (token.TokenHelper, error) {
-	return config.DefaultTokenHelper()
-}
-
-// RawField extracts the raw field from the given data and returns it as a
-// string for printing purposes.
-func RawField(secret *api.Secret, field string) interface{} {
-	var val interface{}
-	switch {
-	case secret.Auth != nil:
-		switch field {
-		case "token":
-			val = secret.Auth.ClientToken
-		case "token_accessor":
-			val = secret.Auth.Accessor
-		case "token_duration":
-			val = secret.Auth.LeaseDuration
-		case "token_renewable":
-			val = secret.Auth.Renewable
-		case "token_policies":
-			val = secret.Auth.TokenPolicies
-		case "identity_policies":
-			val = secret.Auth.IdentityPolicies
-		case "policies":
-			val = secret.Auth.Policies
-		default:
-			val = secret.Data[field]
-		}
-
-	case secret.WrapInfo != nil:
-		switch field {
-		case "wrapping_token":
-			val = secret.WrapInfo.Token
-		case "wrapping_accessor":
-			val = secret.WrapInfo.Accessor
-		case "wrapping_token_ttl":
-			val = secret.WrapInfo.TTL
-		case "wrapping_token_creation_time":
-			val = secret.WrapInfo.CreationTime.Format(time.RFC3339Nano)
-		case "wrapping_token_creation_path":
-			val = secret.WrapInfo.CreationPath
-		case "wrapped_accessor":
-			val = secret.WrapInfo.WrappedAccessor
-		default:
-			val = secret.Data[field]
-		}
-
-	default:
-		switch field {
-		case "lease_duration":
-			val = secret.LeaseDuration
-		case "lease_id":
-			val = secret.LeaseID
-		case "request_id":
-			val = secret.RequestID
-		case "renewable":
-			val = secret.Renewable
-		case "refresh_interval":
-			val = secret.LeaseDuration
-		case "data":
-			var ok bool
-			val, ok = secret.Data["data"]
-			if !ok {
-				val = secret.Data
-			}
-		default:
-			val = secret.Data[field]
-		}
-	}
-
-	return val
-}
-
-// PrintRawField prints raw field from the secret.
-func PrintRawField(ui cli.Ui, data interface{}, field string) int {
-	var val interface{}
-	switch data := data.(type) {
-	case *api.Secret:
-		val = RawField(data, field)
-	case map[string]interface{}:
-		val = data[field]
-	}
-
-	if val == nil {
-		ui.Error(fmt.Sprintf("Field %q not present in secret", field))
-		return 1
-	}
-
-	format := Format(ui)
-	if format == "" || format == "table" || format == "raw" {
-		return PrintRaw(ui, fmt.Sprintf("%v", val))
-	}
-
-	// Handle specific format flags as best as possible
-	formatter, ok := Formatters[format]
-	if !ok {
-		ui.Error(fmt.Sprintf("Invalid output format: %s", format))
-		return 1
-	}
-
-	b, err := formatter.Format(val)
-	if err != nil {
-		ui.Error(fmt.Sprintf("Error formatting output: %s", err))
-		return 1
-	}
-
-	return PrintRaw(ui, string(b))
-}
-
-// PrintRaw prints a raw value to the terminal. If the process is being "piped"
-// to something else, the "raw" value is printed without a newline character.
-// Otherwise the value is printed as normal.
-func PrintRaw(ui cli.Ui, str string) int {
-	if !color.NoColor {
-		ui.Output(str)
-	} else {
-		// The cli.Ui prints a CR, which is not wanted since the user probably wants
-		// just the raw value.
-		w := getWriterFromUI(ui)
-		fmt.Fprint(w, str)
-	}
-	return 0
-}
-
-// getWriterFromUI accepts a cli.Ui and returns the underlying io.Writer by
-// unwrapping as many wrapped Uis as necessary. If there is an unknown UI
-// type, this falls back to os.Stdout.
-func getWriterFromUI(ui cli.Ui) io.Writer {
-	switch t := ui.(type) {
-	case *VaultUI:
-		return getWriterFromUI(t.Ui)
-	case *cli.BasicUi:
-		return t.Writer
-	case *cli.ColoredUi:
-		return getWriterFromUI(t.Ui)
-	case *cli.ConcurrentUi:
-		return getWriterFromUI(t.Ui)
-	case *cli.MockUi:
-		return t.OutputWriter
-	default:
-		return os.Stdout
-	}
-}
-
-func mockClient(t *testing.T) (*api.Client, *recordingRoundTripper) {
-	t.Helper()
-
-	config := api.DefaultConfig()
-	httpClient := cleanhttp.DefaultClient()
-	roundTripper := &recordingRoundTripper{}
-	httpClient.Transport = roundTripper
-	config.HttpClient = httpClient
-	client, err := api.NewClient(config)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	return client, roundTripper
-}
-
-var _ http.RoundTripper = (*recordingRoundTripper)(nil)
-
-type recordingRoundTripper struct {
-	path string
-	body []byte
-}
-
-func (r *recordingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
-	r.path = req.URL.Path
-	defer req.Body.Close()
-	body, err := io.ReadAll(req.Body)
-	if err != nil {
-		return nil, err
-	}
-
-	r.body = body
-	return &http.Response{
-		StatusCode: 200,
-	}, nil
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { alias, equal } from '@ember/object/computed';
+import Service, { inject as service } from '@ember/service';
+import { task } from 'ember-concurrency';
+import { computed } from '@ember/object';
+import { getRelativePath } from 'core/utils/sanitize-path';
+
+const ROOT_NAMESPACE = '';
+export default Service.extend({
+  store: service(),
+  auth: service(),
+  userRootNamespace: alias('auth.authData.userRootNamespace'),
+  //populated by the query param on the cluster route
+  path: '',
+  // list of namespaces available to the current user under the
+  // current namespace
+  accessibleNamespaces: null,
+
+  inRootNamespace: equal('path', ROOT_NAMESPACE),
+
+  currentNamespace: computed('inRootNamespace', 'path', function () {
+    if (this.inRootNamespace) return 'root';
+
+    const parts = this.path?.split('/');
+    return parts[parts.length - 1];
+  }),
+
+  relativeNamespace: computed('path', 'userRootNamespace', function () {
+    // relative namespace is the current namespace minus the user's root.
+    // so if we're in app/staging/group1 but the user's root is app, the
+    // relative namespace is staging/group
+    return getRelativePath(this.path, this.userRootNamespace);
+  }),
+
+  setNamespace(path) {
+    if (!path) {
+      this.set('path', '');
+      return;
+    }
+    this.set('path', path);
+  },
+
+  findNamespacesForUser: task(function* () {
+    // uses the adapter and the raw response here since
+    // models get wiped when switching namespaces and we
+    // want to keep track of these separately
+    const store = this.store;
+    const adapter = store.adapterFor('namespace');
+    const userRoot = this.auth.authData.userRootNamespace;
+    try {
+      const ns = yield adapter.findAll(store, 'namespace', null, {
+        adapterOptions: {
+          forUser: true,
+          namespace: userRoot,
+        },
+      });
+      const keys = ns.data.keys || [];
+      this.set(
+        'accessibleNamespaces',
+        keys.map((n) => {
+          let fullNS = n;
+          // if the user's root isn't '', then we need to construct
+          // the paths so they connect to the user root to the list
+          // otherwise using the current ns to grab the correct leaf
+          // node in the graph doesn't work
+          if (userRoot) {
+            fullNS = `${userRoot}/${n}`;
+          }
+          return fullNS.replace(/\/$/, '');
+        })
+      );
+    } catch (e) {
+      //do nothing here
+    }
+  }).drop(),
+
+  reset() {
+    this.set('accessibleNamespaces', null);
+  },
+});
diff --git a/command/version.go b/command/version.go
index 1e3dce16a759..4193508ec4fe 100644
--- a/command/version.go
+++ b/command/version.go
@@ -4,63 +4,87 @@
 package command
 
 import (
+	"fmt"
 	"strings"
 
-	"github.com/hashicorp/vault/version"
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/posener/complete"
 )
 
 var (
-	_ cli.Command             = (*VersionCommand)(nil)
-	_ cli.CommandAutocomplete = (*VersionCommand)(nil)
+	_ cli.Command             = (*NamespaceAPILockCommand)(nil)
+	_ cli.CommandAutocomplete = (*NamespaceAPILockCommand)(nil)
 )
 
-// VersionCommand is a Command implementation prints the version.
-type VersionCommand struct {
+type NamespaceAPILockCommand struct {
 	*BaseCommand
-
-	VersionInfo *version.VersionInfo
 }
 
-func (c *VersionCommand) Synopsis() string {
-	return "Prints the Vault CLI version"
+func (c *NamespaceAPILockCommand) Synopsis() string {
+	return "Lock the API for particular namespaces"
 }
 
-func (c *VersionCommand) Help() string {
+func (c *NamespaceAPILockCommand) Help() string {
 	helpText := `
-Usage: vault version
+Usage: vault namespace lock PATH
+
+	Lock the current namespace, and all descendants:
 
-  Prints the version of this Vault CLI. This does not print the target Vault
-  server version.
+		$ vault namespace lock
 
-  Print the version:
+	Lock a child namespace, and all of its descendants (e.g. ns1/ns2/):
 
-      $ vault version
+		$ vault namespace lock ns1/ns2
+
+` + c.Flags().Help()
 
-  There are no arguments or flags to this command. Any additional arguments or
-  flags are ignored.
-`
 	return strings.TrimSpace(helpText)
 }
 
-func (c *VersionCommand) Flags() *FlagSets {
-	return nil
+func (c *NamespaceAPILockCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
 }
 
-func (c *VersionCommand) AutocompleteArgs() complete.Predictor {
-	return nil
+func (c *NamespaceAPILockCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultNamespaces()
 }
 
-func (c *VersionCommand) AutocompleteFlags() complete.Flags {
-	return nil
+func (c *NamespaceAPILockCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
 }
 
-func (c *VersionCommand) Run(_ []string) int {
-	out := c.VersionInfo.FullVersionNumber(true)
-	if version.CgoEnabled {
-		out += " (cgo)"
+func (c *NamespaceAPILockCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
 	}
-	c.UI.Output(out)
-	return 0
+
+	args = f.Args()
+	if len(args) > 1 {
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0 or 1, got %d)", len(args)))
+		return 1
+	}
+
+	// current namespace is already encoded in the :client:
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	optionalChildNSPath := ""
+	if len(args) == 1 {
+		optionalChildNSPath = fmt.Sprintf("/%s", namespace.Canonicalize(args[0]))
+	}
+
+	resp, err := client.Logical().Write(fmt.Sprintf("sys/namespaces/api-lock/lock%s", optionalChildNSPath), nil)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error locking namespace: %v", err))
+		return 2
+	}
+
+	return OutputSecret(c.UI, resp)
 }
diff --git a/command/version_history.go b/command/version_history.go
index 8f7fe1318d93..0c9cd22eadd9 100644
--- a/command/version_history.go
+++ b/command/version_history.go
@@ -7,56 +7,58 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/posener/complete"
-	"github.com/ryanuber/columnize"
 )
 
 var (
-	_ cli.Command             = (*VersionHistoryCommand)(nil)
-	_ cli.CommandAutocomplete = (*VersionHistoryCommand)(nil)
+	_ cli.Command             = (*NamespaceAPIUnlockCommand)(nil)
+	_ cli.CommandAutocomplete = (*NamespaceAPIUnlockCommand)(nil)
 )
 
-// VersionHistoryCommand is a Command implementation prints the version.
-type VersionHistoryCommand struct {
+type NamespaceAPIUnlockCommand struct {
 	*BaseCommand
 }
 
-func (c *VersionHistoryCommand) Synopsis() string {
-	return "Prints the version history of the target Vault server"
+func (c *NamespaceAPIUnlockCommand) Synopsis() string {
+	return "Unlock the API for particular namespaces"
 }
 
-func (c *VersionHistoryCommand) Help() string {
+func (c *NamespaceAPIUnlockCommand) Help() string {
 	helpText := `
-Usage: vault version-history
+Usage: vault namespace unlock [options] PATH
 
-  Prints the version history of the target Vault server.
+	Unlock the current namespace, and all descendants, with unlock key:
 
-  Print the version history:
+		$ vault namespace unlock -unlock-key=<key>
+
+	Unlock the current namespace, and all descendants (from a root token):
+
+		$ vault namespace unlock
+
+	Unlock a child namespace, and all of its descendants (e.g. ns1/ns2/):
+
+		$ vault namespace lock -unlock-key=<key> ns1/ns2
 
-      $ vault version-history
 ` + c.Flags().Help()
+
 	return strings.TrimSpace(helpText)
 }
 
-func (c *VersionHistoryCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetOutputFormat)
+func (c *NamespaceAPIUnlockCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
 }
 
-func (c *VersionHistoryCommand) AutocompleteArgs() complete.Predictor {
-	return complete.PredictNothing
+func (c *NamespaceAPIUnlockCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultNamespaces()
 }
 
-func (c *VersionHistoryCommand) AutocompleteFlags() complete.Flags {
+func (c *NamespaceAPIUnlockCommand) AutocompleteFlags() complete.Flags {
 	return c.Flags().Completions()
 }
 
-const versionTrackingWarning = `Note:
-Use of this command requires a server running Vault 1.10.0 or greater.
-Version tracking was added in 1.9.0. Earlier versions have not been tracked.
-`
-
-func (c *VersionHistoryCommand) Run(args []string) int {
+func (c *NamespaceAPIUnlockCommand) Run(args []string) int {
 	f := c.Flags()
 
 	if err := f.Parse(args); err != nil {
@@ -64,71 +66,31 @@ func (c *VersionHistoryCommand) Run(args []string) int {
 		return 1
 	}
 
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
+	args = f.Args()
+	if len(args) > 1 {
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0 or 1, got %d)", len(args)))
+		return 1
 	}
 
-	resp, err := client.Logical().List("sys/version-history")
+	// current namespace is already encoded in the :client:
+	client, err := c.Client()
 	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error reading version history: %s", err))
-		return 2
-	}
-
-	if resp == nil || resp.Data == nil {
-		c.UI.Error("Invalid response returned from Vault")
+		c.UI.Error(err.Error())
 		return 2
 	}
 
-	if c.flagFormat == "json" {
-		c.UI.Warn("")
-		c.UI.Warn(versionTrackingWarning)
-		c.UI.Warn("")
-
-		return OutputData(c.UI, resp)
-	}
-
-	var keyInfo map[string]interface{}
-
-	keys, ok := extractListData(resp)
-	if !ok {
-		c.UI.Error("Expected keys in response to be an array")
-		return 2
+	optionalChildNSPath := ""
+	if len(args) == 1 {
+		optionalChildNSPath = fmt.Sprintf("/%s", namespace.Canonicalize(args[0]))
 	}
 
-	keyInfo, ok = resp.Data["key_info"].(map[string]interface{})
-	if !ok {
-		c.UI.Error("Expected key_info in response to be a map")
+	_, err = client.Logical().Write(fmt.Sprintf("sys/namespaces/api-lock/unlock%s", optionalChildNSPath), map[string]interface{}{
+		"unlock_key": c.flagUnlockKey,
+	})
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error unlocking namespace: %v", err))
 		return 2
 	}
 
-	table := []string{"Version | Installation Time | Build Date"}
-	columnConfig := columnize.DefaultConfig()
-
-	for _, versionRaw := range keys {
-		version, ok := versionRaw.(string)
-
-		if !ok {
-			c.UI.Error("Expected version to be string")
-			return 2
-		}
-
-		versionInfoRaw := keyInfo[version]
-
-		versionInfo, ok := versionInfoRaw.(map[string]interface{})
-		if !ok {
-			c.UI.Error(fmt.Sprintf("Expected version info for %q to be map", version))
-			return 2
-		}
-
-		table = append(table, fmt.Sprintf("%s | %s | %s", version, versionInfo["timestamp_installed"], versionInfo["build_date"]))
-	}
-
-	c.UI.Warn("")
-	c.UI.Warn(versionTrackingWarning)
-	c.UI.Warn("")
-	c.UI.Output(tableOutput(table, columnConfig))
-
 	return 0
 }
diff --git a/command/version_history_test.go b/command/version_history_test.go
index b6467b8fcb97..6499bf2a25c9 100644
--- a/command/version_history_test.go
+++ b/command/version_history_test.go
@@ -4,111 +4,112 @@
 package command
 
 import (
-	"bytes"
-	"encoding/json"
+	"fmt"
 	"strings"
-	"testing"
 
-	"github.com/hashicorp/vault/version"
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
 )
 
-func testVersionHistoryCommand(tb testing.TB) (*cli.MockUi, *VersionHistoryCommand) {
-	tb.Helper()
+var (
+	_ cli.Command             = (*NamespaceCreateCommand)(nil)
+	_ cli.CommandAutocomplete = (*NamespaceCreateCommand)(nil)
+)
 
-	ui := cli.NewMockUi()
-	return ui, &VersionHistoryCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
+type NamespaceCreateCommand struct {
+	*BaseCommand
+
+	flagCustomMetadata map[string]string
 }
 
-func TestVersionHistoryCommand_TableOutput(t *testing.T) {
-	client, closer := testVaultServer(t)
-	defer closer()
+func (c *NamespaceCreateCommand) Synopsis() string {
+	return "Create a new namespace"
+}
 
-	ui, cmd := testVersionHistoryCommand(t)
-	cmd.client = client
+func (c *NamespaceCreateCommand) Help() string {
+	helpText := `
+Usage: vault namespace create [options] PATH
 
-	code := cmd.Run([]string{})
+  Create a child namespace. The namespace created will be relative to the
+  namespace provided in either the VAULT_NAMESPACE environment variable or
+  -namespace CLI flag.
 
-	if expectedCode := 0; code != expectedCode {
-		t.Fatalf("expected %d to be %d: %s", code, expectedCode, ui.ErrorWriter.String())
-	}
+  Create a child namespace (e.g. ns1/):
 
-	if errorString := ui.ErrorWriter.String(); !strings.Contains(errorString, versionTrackingWarning) {
-		t.Errorf("expected %q to contain %q", errorString, versionTrackingWarning)
-	}
+      $ vault namespace create ns1
 
-	output := ui.OutputWriter.String()
+  Create a child namespace from a parent namespace (e.g. ns1/ns2/):
 
-	if !strings.Contains(output, version.Version) {
-		t.Errorf("expected %q to contain version %q", output, version.Version)
-	}
-}
+      $ vault namespace create -namespace=ns1 ns2
 
-func TestVersionHistoryCommand_JsonOutput(t *testing.T) {
-	client, closer := testVaultServer(t)
-	defer closer()
+` + c.Flags().Help()
 
-	stdout := bytes.NewBuffer(nil)
-	stderr := bytes.NewBuffer(nil)
-	runOpts := &RunOptions{
-		Stdout: stdout,
-		Stderr: stderr,
-		Client: client,
-	}
+	return strings.TrimSpace(helpText)
+}
 
-	args, format, _, _, _ := setupEnv([]string{"version-history", "-format", "json"})
-	if format != "json" {
-		t.Fatalf("expected format to be %q, actual %q", "json", format)
-	}
+func (c *NamespaceCreateCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
 
-	code := RunCustom(args, runOpts)
+	f := set.NewFlagSet("Command Options")
+	f.StringMapVar(&StringMapVar{
+		Name:    "custom-metadata",
+		Target:  &c.flagCustomMetadata,
+		Default: map[string]string{},
+		Usage: "Specifies arbitrary key=value metadata meant to describe a namespace." +
+			"This can be specified multiple times to add multiple pieces of metadata.",
+	})
 
-	if expectedCode := 0; code != expectedCode {
-		t.Fatalf("expected %d to be %d: %s", code, expectedCode, stderr.String())
-	}
+	return set
+}
 
-	if stderrString := stderr.String(); !strings.Contains(stderrString, versionTrackingWarning) {
-		t.Errorf("expected %q to contain %q", stderrString, versionTrackingWarning)
-	}
+func (c *NamespaceCreateCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictNothing
+}
+
+func (c *NamespaceCreateCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
 
-	stdoutBytes := stdout.Bytes()
+func (c *NamespaceCreateCommand) Run(args []string) int {
+	f := c.Flags()
 
-	if !json.Valid(stdoutBytes) {
-		t.Fatalf("expected output %q to be valid JSON", stdoutBytes)
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
 	}
 
-	var versionHistoryResp map[string]interface{}
-	err := json.Unmarshal(stdoutBytes, &versionHistoryResp)
-	if err != nil {
-		t.Fatalf("failed to unmarshal json from STDOUT, err: %s", err.Error())
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
 	}
 
-	var respData map[string]interface{}
-	var ok bool
-	var keys []interface{}
-	var keyInfo map[string]interface{}
+	namespacePath := strings.TrimSpace(args[0])
 
-	if respData, ok = versionHistoryResp["data"].(map[string]interface{}); !ok {
-		t.Fatalf("expected data key to be map, actual: %#v", versionHistoryResp["data"])
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
 	}
 
-	if keys, ok = respData["keys"].([]interface{}); !ok {
-		t.Fatalf("expected keys to be array, actual: %#v", respData["keys"])
+	data := map[string]interface{}{
+		"custom_metadata": c.flagCustomMetadata,
 	}
 
-	if keyInfo, ok = respData["key_info"].(map[string]interface{}); !ok {
-		t.Fatalf("expected key_info to be map, actual: %#v", respData["key_info"])
+	secret, err := client.Logical().Write("sys/namespaces/"+namespacePath, data)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error creating namespace: %s", err))
+		return 2
 	}
 
-	if len(keys) != 1 {
-		t.Fatalf("expected single version history entry for %q", version.Version)
+	// Handle single field output
+	if c.flagField != "" {
+		return PrintRawField(c.UI, secret, c.flagField)
 	}
 
-	if keyInfo[version.Version] == nil {
-		t.Fatalf("expected version %s to be present in key_info, actual: %#v", version.Version, keyInfo)
-	}
+	return OutputSecret(c.UI, secret)
 }
diff --git a/command/version_test.go b/command/version_test.go
index be40377c1c75..e7704ca5cd85 100644
--- a/command/version_test.go
+++ b/command/version_test.go
@@ -4,53 +4,100 @@
 package command
 
 import (
+	"fmt"
 	"strings"
-	"testing"
 
-	"github.com/hashicorp/vault/version"
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
 )
 
-func testVersionCommand(tb testing.TB) (*cli.MockUi, *VersionCommand) {
-	tb.Helper()
+var (
+	_ cli.Command             = (*NamespaceDeleteCommand)(nil)
+	_ cli.CommandAutocomplete = (*NamespaceDeleteCommand)(nil)
+)
 
-	ui := cli.NewMockUi()
-	return ui, &VersionCommand{
-		VersionInfo: &version.VersionInfo{},
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
+type NamespaceDeleteCommand struct {
+	*BaseCommand
+}
+
+func (c *NamespaceDeleteCommand) Synopsis() string {
+	return "Delete an existing namespace"
+}
+
+func (c *NamespaceDeleteCommand) Help() string {
+	helpText := `
+Usage: vault namespace delete [options] PATH
+
+  Delete an existing namespace. The namespace deleted will be relative to the
+  namespace provided in either the VAULT_NAMESPACE environment variable or
+  -namespace CLI flag.
+
+  Delete a namespace (e.g. ns1/):
+
+      $ vault namespace delete ns1
+
+  Delete a namespace namespace from a parent namespace (e.g. ns1/ns2/):
+
+      $ vault namespace delete -namespace=ns1 ns2
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
 }
 
-func TestVersionCommand_Run(t *testing.T) {
-	t.Parallel()
+func (c *NamespaceDeleteCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP)
+}
 
-	t.Run("output", func(t *testing.T) {
-		t.Parallel()
+func (c *NamespaceDeleteCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultNamespaces()
+}
 
-		client, closer := testVaultServer(t)
-		defer closer()
+func (c *NamespaceDeleteCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
 
-		ui, cmd := testVersionCommand(t)
-		cmd.client = client
+func (c *NamespaceDeleteCommand) Run(args []string) int {
+	f := c.Flags()
 
-		code := cmd.Run(nil)
-		if exp := 0; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
 
-		expected := "Vault"
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to equal %q", combined, expected)
-		}
-	})
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
+
+	namespacePath := strings.TrimSpace(args[0])
 
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	secret, err := client.Logical().Delete("sys/namespaces/" + namespacePath)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error deleting namespace: %s", err))
+		return 2
+	}
+
+	if secret != nil {
+		// Likely, we have warnings
+		return OutputSecret(c.UI, secret)
+	}
+
+	if !strings.HasSuffix(namespacePath, "/") {
+		namespacePath = namespacePath + "/"
+	}
 
-		_, cmd := testVersionCommand(t)
-		assertNoTabs(t, cmd)
-	})
+	c.UI.Output(fmt.Sprintf("Success! Namespace deleted at: %s", namespacePath))
+	return 0
 }
diff --git a/command/write.go b/command/write.go
index cd3301b8f274..e8581670edb7 100644
--- a/command/write.go
+++ b/command/write.go
@@ -5,105 +5,64 @@ package command
 
 import (
 	"fmt"
-	"io"
-	"os"
 	"strings"
 
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
 	"github.com/posener/complete"
 )
 
 var (
-	_ cli.Command             = (*WriteCommand)(nil)
-	_ cli.CommandAutocomplete = (*WriteCommand)(nil)
+	_ cli.Command             = (*NamespaceListCommand)(nil)
+	_ cli.CommandAutocomplete = (*NamespaceListCommand)(nil)
 )
 
-// MFAMethodInfo contains the information about an MFA method
-type MFAMethodInfo struct {
-	methodID    string
-	methodType  string
-	usePasscode bool
-}
-
-// WriteCommand is a Command that puts data into the Vault.
-type WriteCommand struct {
+type NamespaceListCommand struct {
 	*BaseCommand
-
-	flagForce bool
-
-	testStdin io.Reader // for tests
 }
 
-func (c *WriteCommand) Synopsis() string {
-	return "Write data, configuration, and secrets"
+func (c *NamespaceListCommand) Synopsis() string {
+	return "List child namespaces"
 }
 
-func (c *WriteCommand) Help() string {
+func (c *NamespaceListCommand) Help() string {
 	helpText := `
-Usage: vault write [options] PATH [DATA K=V...]
-
-  Writes data to Vault at the given path. The data can be credentials, secrets,
-  configuration, or arbitrary data. The specific behavior of this command is
-  determined at the thing mounted at the path.
-
-  Data is specified as "key=value" pairs. If the value begins with an "@", then
-  it is loaded from a file. If the value is "-", Vault will read the value from
-  stdin.
-
-  Persist data in the generic secrets engine:
-
-      $ vault write secret/my-secret foo=bar
-
-  Create a new encryption key in the transit secrets engine:
-
-      $ vault write -f transit/keys/my-key
+Usage: vault namespace list [options]
 
-  Upload an AWS IAM policy from a file on disk:
+  Lists the enabled child namespaces.
 
-      $ vault write aws/roles/ops policy=@policy.json
+  List all enabled child namespaces:
 
-  Configure access to Consul by providing an access token:
-
-      $ echo $MY_TOKEN | vault write consul/config/access token=-
-
-  For a full list of examples and paths, please see the documentation that
-  corresponds to the secret engines in use.
+      $ vault namespace list
 
 ` + c.Flags().Help()
 
 	return strings.TrimSpace(helpText)
 }
 
-func (c *WriteCommand) Flags() *FlagSets {
-	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
+func (c *NamespaceListCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+
 	f := set.NewFlagSet("Command Options")
 
 	f.BoolVar(&BoolVar{
-		Name:       "force",
-		Aliases:    []string{"f"},
-		Target:     &c.flagForce,
-		Default:    false,
-		EnvVar:     "",
-		Completion: complete.PredictNothing,
-		Usage: "Allow the operation to continue with no key=value pairs. This " +
-			"allows writing to keys that do not need or expect data.",
+		Name:    "detailed",
+		Target:  &c.flagDetailed,
+		Default: false,
+		Usage:   "Print detailed information such as namespace ID.",
 	})
 
 	return set
 }
 
-func (c *WriteCommand) AutocompleteArgs() complete.Predictor {
-	// Return an anything predictor here. Without a way to access help
-	// information, we don't know what paths we could write to.
-	return complete.PredictAnything
+func (c *NamespaceListCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictNothing
 }
 
-func (c *WriteCommand) AutocompleteFlags() complete.Flags {
+func (c *NamespaceListCommand) AutocompleteFlags() complete.Flags {
 	return c.Flags().Completions()
 }
 
-func (c *WriteCommand) Run(args []string) int {
+func (c *NamespaceListCommand) Run(args []string) int {
 	f := c.Flags()
 
 	if err := f.Parse(args); err != nil {
@@ -112,26 +71,8 @@ func (c *WriteCommand) Run(args []string) int {
 	}
 
 	args = f.Args()
-	switch {
-	case len(args) < 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
-		return 1
-	case len(args) == 1 && !c.flagForce:
-		c.UI.Error("Must supply data or use -force")
-		return 1
-	}
-
-	// Pull our fake stdin if needed
-	stdin := (io.Reader)(os.Stdin)
-	if c.testStdin != nil {
-		stdin = c.testStdin
-	}
-
-	path := sanitizePath(args[0])
-
-	data, err := parseArgsData(stdin, args[1:])
-	if err != nil {
-		c.UI.Error(fmt.Sprintf("Failed to parse K=V data: %s", err))
+	if len(args) > 0 {
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(args)))
 		return 1
 	}
 
@@ -141,46 +82,42 @@ func (c *WriteCommand) Run(args []string) int {
 		return 2
 	}
 
-	secret, err := client.Logical().Write(path, data)
-	return handleWriteSecretOutput(c.BaseCommand, path, secret, err)
-}
-
-func handleWriteSecretOutput(c *BaseCommand, path string, secret *api.Secret, err error) int {
+	secret, err := client.Logical().List("sys/namespaces")
 	if err != nil {
-		c.UI.Error(fmt.Sprintf("Error writing data to %s: %s", path, err))
-		if secret != nil {
-			OutputSecret(c.UI, secret)
-		}
+		c.UI.Error(fmt.Sprintf("Error listing namespaces: %s", err))
 		return 2
 	}
-	if secret == nil {
-		// Don't output anything unless using the "table" format
-		// and even then, don't output anything if a specific field was requested
-		if c.flagField == "" && Format(c.UI) == "table" {
-			c.UI.Info(fmt.Sprintf("Success! Data written to: %s", path))
-		}
-		return 0
-	}
 
-	// Currently, if there is only one MFA method configured, the login
-	// request is validated interactively
-	methodInfo := c.getInteractiveMFAMethodInfo(secret)
-	if methodInfo != nil {
-		secret, err = c.validateMFA(secret.Auth.MFARequirement.MFARequestID, *methodInfo)
-		if err != nil {
-			c.UI.Error(err.Error())
+	_, ok := extractListData(secret)
+	if Format(c.UI) != "table" {
+		if secret == nil || secret.Data == nil || !ok {
+			OutputData(c.UI, map[string]interface{}{})
 			return 2
 		}
-	} else if c.getMFAValidationRequired(secret) {
-		c.UI.Warn(wrapAtLength("A login request was issued that is subject to "+
-			"MFA validation. Please make sure to validate the login by sending another "+
-			"request to sys/mfa/validate endpoint.") + "\n")
 	}
 
-	// Handle single field output
-	if c.flagField != "" {
-		return PrintRawField(c.UI, secret, c.flagField)
+	if secret == nil {
+		c.UI.Error("No namespaces found")
+		return 2
+	}
+
+	// There could be e.g. warnings
+	if secret.Data == nil {
+		return OutputSecret(c.UI, secret)
+	}
+
+	if secret.WrapInfo != nil && secret.WrapInfo.TTL != 0 {
+		return OutputSecret(c.UI, secret)
+	}
+
+	if !ok {
+		c.UI.Error("No entries found")
+		return 2
+	}
+
+	if c.flagDetailed && Format(c.UI) != "table" {
+		return OutputData(c.UI, secret.Data["key_info"])
 	}
 
-	return OutputSecret(c.UI, secret)
+	return OutputList(c.UI, secret)
 }
diff --git a/command/write_test.go b/command/write_test.go
index 24521311ba42..376a0adc419e 100644
--- a/command/write_test.go
+++ b/command/write_test.go
@@ -4,304 +4,90 @@
 package command
 
 import (
-	"io"
+	"fmt"
 	"strings"
-	"testing"
 
-	"github.com/hashicorp/vault/api"
-	"github.com/mitchellh/cli"
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
 )
 
-func testWriteCommand(tb testing.TB) (*cli.MockUi, *WriteCommand) {
-	tb.Helper()
+var (
+	_ cli.Command             = (*NamespaceLookupCommand)(nil)
+	_ cli.CommandAutocomplete = (*NamespaceLookupCommand)(nil)
+)
 
-	ui := cli.NewMockUi()
-	return ui, &WriteCommand{
-		BaseCommand: &BaseCommand{
-			UI: ui,
-		},
-	}
+type NamespaceLookupCommand struct {
+	*BaseCommand
 }
 
-func TestWriteCommand_Run(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name string
-		args []string
-		out  string
-		code int
-	}{
-		{
-			"not_enough_args",
-			[]string{},
-			"Not enough arguments",
-			1,
-		},
-		{
-			"empty_kvs",
-			[]string{"secret/write/foo"},
-			"Must supply data or use -force",
-			1,
-		},
-		{
-			"force_kvs",
-			[]string{"-force", "auth/token/create"},
-			"token",
-			0,
-		},
-		{
-			"force_f_kvs",
-			[]string{"-f", "auth/token/create"},
-			"token",
-			0,
-		},
-		{
-			"kvs_no_value",
-			[]string{"secret/write/foo", "foo"},
-			"Failed to parse K=V data",
-			1,
-		},
-		{
-			"single_value",
-			[]string{"secret/write/foo", "foo=bar"},
-			"Success!",
-			0,
-		},
-		{
-			"multi_value",
-			[]string{"secret/write/foo", "foo=bar", "zip=zap"},
-			"Success!",
-			0,
-		},
-		{
-			"field",
-			[]string{
-				"-field", "token_renewable",
-				"auth/token/create", "display_name=foo",
-			},
-			"false",
-			0,
-		},
-		{
-			"field_not_found",
-			[]string{
-				"-field", "not-a-real-field",
-				"auth/token/create", "display_name=foo",
-			},
-			"not present in secret",
-			1,
-		},
-	}
-
-	for _, tc := range cases {
-		tc := tc
-
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			client, closer := testVaultServer(t)
-			defer closer()
-
-			ui, cmd := testWriteCommand(t)
-			cmd.client = client
-
-			code := cmd.Run(tc.args)
-			if code != tc.code {
-				t.Errorf("expected %d to be %d", code, tc.code)
-			}
-
-			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-			if !strings.Contains(combined, tc.out) {
-				t.Errorf("expected %q to contain %q", combined, tc.out)
-			}
-		})
-	}
-
-	// If we ask for a field and get an empty result, do not output "Success!" or anything else
-	t.Run("field_from_nothing", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		ui, cmd := testWriteCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"-field", "somefield",
-			"secret/write/foo", "foo=bar",
-		})
-		if exp := 0; code != exp {
-			t.Fatalf("expected %d to be %d: %q", code, exp, ui.ErrorWriter.String())
-		}
-
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if combined != "" {
-			t.Errorf("expected %q to be empty", combined)
-		}
-	})
-
-	t.Run("force", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		if err := client.Sys().Mount("transit/", &api.MountInput{
-			Type: "transit",
-		}); err != nil {
-			t.Fatal(err)
-		}
-
-		ui, cmd := testWriteCommand(t)
-		cmd.client = client
-
-		code := cmd.Run([]string{
-			"-force",
-			"transit/keys/my-key",
-		})
-		if exp := 0; code != exp {
-			t.Fatalf("expected %d to be %d: %q", code, exp, ui.ErrorWriter.String())
-		}
-
-		secret, err := client.Logical().Read("transit/keys/my-key")
-		if err != nil {
-			t.Fatal(err)
-		}
-		if secret == nil || secret.Data == nil {
-			t.Fatal("expected secret to have data")
-		}
-	})
-
-	t.Run("stdin_full", func(t *testing.T) {
-		t.Parallel()
-
-		client, closer := testVaultServer(t)
-		defer closer()
-
-		stdinR, stdinW := io.Pipe()
-		go func() {
-			stdinW.Write([]byte(`{"foo":"bar"}`))
-			stdinW.Close()
-		}()
-
-		_, cmd := testWriteCommand(t)
-		cmd.client = client
-		cmd.testStdin = stdinR
-
-		code := cmd.Run([]string{
-			"secret/write/stdin_full", "-",
-		})
-		if code != 0 {
-			t.Fatalf("expected 0 to be %d", code)
-		}
-
-		secret, err := client.Logical().Read("secret/write/stdin_full")
-		if err != nil {
-			t.Fatal(err)
-		}
-		if secret == nil || secret.Data == nil {
-			t.Fatal("expected secret to have data")
-		}
-		if exp, act := "bar", secret.Data["foo"].(string); exp != act {
-			t.Errorf("expected %q to be %q", act, exp)
-		}
-	})
-
-	t.Run("stdin_value", func(t *testing.T) {
-		t.Parallel()
+func (c *NamespaceLookupCommand) Synopsis() string {
+	return "Look up an existing namespace"
+}
 
-		client, closer := testVaultServer(t)
-		defer closer()
+func (c *NamespaceLookupCommand) Help() string {
+	helpText := `
+Usage: vault namespace lookup [options] PATH
 
-		stdinR, stdinW := io.Pipe()
-		go func() {
-			stdinW.Write([]byte("bar"))
-			stdinW.Close()
-		}()
+  Get information about the namespace of the locally authenticated token:
 
-		_, cmd := testWriteCommand(t)
-		cmd.client = client
-		cmd.testStdin = stdinR
+      $ vault namespace lookup
 
-		code := cmd.Run([]string{
-			"secret/write/stdin_value", "foo=-",
-		})
-		if code != 0 {
-			t.Fatalf("expected 0 to be %d", code)
-		}
+  Get information about the namespace of a particular child token (e.g. ns1/ns2/):
 
-		secret, err := client.Logical().Read("secret/write/stdin_value")
-		if err != nil {
-			t.Fatal(err)
-		}
-		if secret == nil || secret.Data == nil {
-			t.Fatal("expected secret to have data")
-		}
-		if exp, act := "bar", secret.Data["foo"].(string); exp != act {
-			t.Errorf("expected %q to be %q", act, exp)
-		}
-	})
+      $ vault namespace lookup -namespace=ns1 ns2
 
-	t.Run("integration", func(t *testing.T) {
-		t.Parallel()
+` + c.Flags().Help()
 
-		client, closer := testVaultServer(t)
-		defer closer()
+	return strings.TrimSpace(helpText)
+}
 
-		_, cmd := testWriteCommand(t)
-		cmd.client = client
+func (c *NamespaceLookupCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+}
 
-		code := cmd.Run([]string{
-			"secret/write/integration", "foo=bar", "zip=zap",
-		})
-		if code != 0 {
-			t.Fatalf("expected 0 to be %d", code)
-		}
+func (c *NamespaceLookupCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultNamespaces()
+}
 
-		secret, err := client.Logical().Read("secret/write/integration")
-		if err != nil {
-			t.Fatal(err)
-		}
-		if secret == nil || secret.Data == nil {
-			t.Fatal("expected secret to have data")
-		}
-		if exp, act := "bar", secret.Data["foo"].(string); exp != act {
-			t.Errorf("expected %q to be %q", act, exp)
-		}
-		if exp, act := "zap", secret.Data["zip"].(string); exp != act {
-			t.Errorf("expected %q to be %q", act, exp)
-		}
-	})
+func (c *NamespaceLookupCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
 
-	t.Run("communication_failure", func(t *testing.T) {
-		t.Parallel()
+func (c *NamespaceLookupCommand) Run(args []string) int {
+	f := c.Flags()
 
-		client, closer := testVaultServerBad(t)
-		defer closer()
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
 
-		ui, cmd := testWriteCommand(t)
-		cmd.client = client
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
 
-		code := cmd.Run([]string{
-			"foo/bar", "a=b",
-		})
-		if exp := 2; code != exp {
-			t.Errorf("expected %d to be %d", code, exp)
-		}
+	namespacePath := strings.TrimSpace(args[0])
 
-		expected := "Error writing data to foo/bar: "
-		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
-		if !strings.Contains(combined, expected) {
-			t.Errorf("expected %q to contain %q", combined, expected)
-		}
-	})
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
 
-	t.Run("no_tabs", func(t *testing.T) {
-		t.Parallel()
+	secret, err := client.Logical().Read("sys/namespaces/" + namespacePath)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error looking up namespace: %s", err))
+		return 2
+	}
+	if secret == nil {
+		c.UI.Error("Namespace not found")
+		return 2
+	}
 
-		_, cmd := testWriteCommand(t)
-		assertNoTabs(t, cmd)
-	})
+	return OutputSecret(c.UI, secret)
 }
diff --git a/go.mod b/go.mod
index e2a005ae2182..d3868c6134fe 100644
--- a/go.mod
+++ b/go.mod
@@ -1,541 +1,141 @@
-module github.com/hashicorp/vault
-
-// The go version directive value isn't consulted when building our production binaries,
-// and the vault module isn't intended to be imported into other projects.  As such the
-// impact of this setting is usually rather limited.  Note however that in some cases the
-// Go project introduces new semantics for handling of go.mod depending on the value.
-//
-// The general policy for updating it is: when the Go major version used on the branch is
-// updated. If we choose not to do so at some point (e.g. because we don't want some new
-// semantic related to Go module handling), this comment should be updated to explain that.
-//
-// Whenever this value gets updated, sdk/go.mod should be updated to the same value.
-go 1.21
-
-toolchain go1.21.3
-
-replace github.com/hashicorp/vault/api => ./api
-
-replace github.com/hashicorp/vault/api/auth/approle => ./api/auth/approle
-
-replace github.com/hashicorp/vault/api/auth/kubernetes => ./api/auth/kubernetes
-
-replace github.com/hashicorp/vault/api/auth/userpass => ./api/auth/userpass
-
-replace github.com/hashicorp/vault/sdk => ./sdk
-
-require (
-	cloud.google.com/go/cloudsqlconn v1.4.3
-	cloud.google.com/go/monitoring v1.16.1
-	cloud.google.com/go/spanner v1.50.0
-	cloud.google.com/go/storage v1.30.1
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1
-	github.com/Azure/azure-storage-blob-go v0.15.0
-	github.com/Azure/go-autorest/autorest v0.11.29
-	github.com/Azure/go-autorest/autorest/adal v0.9.23
-	github.com/ProtonMail/go-crypto v0.0.0-20230626094100-7e9e0395ebec
-	github.com/SAP/go-hdb v0.14.1
-	github.com/Sectorbob/mlab-ns2 v0.0.0-20171030222938-d3aa0c295a8a
-	github.com/aerospike/aerospike-client-go/v5 v5.6.0
-	github.com/aliyun/alibaba-cloud-sdk-go v1.62.521
-	github.com/aliyun/aliyun-oss-go-sdk v0.0.0-20190307165228-86c17b95fcd5
-	github.com/apple/foundationdb/bindings/go v0.0.0-20190411004307-cd5c9d91fad2
-	github.com/armon/go-metrics v0.4.1
-	github.com/armon/go-radix v1.0.0
-	github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef
-	github.com/aws/aws-sdk-go v1.44.331
-	github.com/aws/aws-sdk-go-v2/config v1.18.19
-	github.com/axiomhq/hyperloglog v0.0.0-20220105174342-98591331716a
-	github.com/cenkalti/backoff/v3 v3.2.2
-	github.com/chrismalek/oktasdk-go v0.0.0-20181212195951-3430665dfaa0
-	github.com/client9/misspell v0.3.4
-	github.com/cockroachdb/cockroach-go v0.0.0-20181001143604-e0a95dfd547c
-	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
-	github.com/denisenkom/go-mssqldb v0.12.3
-	github.com/duosecurity/duo_api_golang v0.0.0-20190308151101-6c680f768e74
-	github.com/dustin/go-humanize v1.0.1
-	github.com/fatih/color v1.15.0
-	github.com/fatih/structs v1.1.0
-	github.com/favadi/protoc-go-inject-tag v1.4.0
-	github.com/gammazero/workerpool v1.1.3
-	github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32
-	github.com/go-errors/errors v1.5.0
-	github.com/go-git/go-git/v5 v5.7.0
-	github.com/go-jose/go-jose/v3 v3.0.0
-	github.com/go-ldap/ldap/v3 v3.4.4
-	github.com/go-sql-driver/mysql v1.7.1
-	github.com/go-test/deep v1.1.0
-	github.com/go-zookeeper/zk v1.0.3
-	github.com/gocql/gocql v1.0.0
-	github.com/golang-jwt/jwt/v4 v4.5.0
-	github.com/golang/protobuf v1.5.3
-	github.com/golangci/revgrep v0.0.0-20220804021717-745bb2f7c2e6
-	github.com/google/go-cmp v0.5.9
-	github.com/google/go-github v17.0.0+incompatible
-	github.com/google/go-metrics-stackdriver v0.2.0
-	github.com/google/tink/go v1.7.0
-	github.com/hashicorp/cap v0.3.4
-	github.com/hashicorp/cap/ldap v0.0.0-20230914221201-c4eecc7e31f7
-	github.com/hashicorp/consul-template v0.33.0
-	github.com/hashicorp/consul/api v1.23.0
-	github.com/hashicorp/errwrap v1.1.0
-	github.com/hashicorp/eventlogger v0.2.5
-	github.com/hashicorp/go-bexpr v0.1.12
-	github.com/hashicorp/go-cleanhttp v0.5.2
-	github.com/hashicorp/go-discover v0.0.0-20210818145131-c573d69da192
-	github.com/hashicorp/go-gcp-common v0.8.0
-	github.com/hashicorp/go-hclog v1.5.0
-	github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.0
-	github.com/hashicorp/go-kms-wrapping/v2 v2.0.13
-	github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2 v2.0.7-1
-	github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2 v2.0.1
-	github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.7
-	github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.8
-	github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.8
-	github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.7
-	github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.8
-	github.com/hashicorp/go-memdb v1.3.4
-	github.com/hashicorp/go-msgpack v1.1.5
-	github.com/hashicorp/go-multierror v1.1.1
-	github.com/hashicorp/go-plugin v1.5.2
-	github.com/hashicorp/go-raftchunking v0.6.3-0.20191002164813-7e9e8525653a
-	github.com/hashicorp/go-retryablehttp v0.7.4
-	github.com/hashicorp/go-rootcerts v1.0.2
-	github.com/hashicorp/go-secure-stdlib/awsutil v0.2.3
-	github.com/hashicorp/go-secure-stdlib/base62 v0.1.2
-	github.com/hashicorp/go-secure-stdlib/gatedwriter v0.1.1
-	github.com/hashicorp/go-secure-stdlib/kv-builder v0.1.2
-	github.com/hashicorp/go-secure-stdlib/mlock v0.1.3
-	github.com/hashicorp/go-secure-stdlib/nonceutil v0.1.0
-	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7
-	github.com/hashicorp/go-secure-stdlib/password v0.1.1
-	github.com/hashicorp/go-secure-stdlib/reloadutil v0.1.1
-	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2
-	github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.2
-	github.com/hashicorp/go-sockaddr v1.0.4
-	github.com/hashicorp/go-syslog v1.0.0
-	github.com/hashicorp/go-uuid v1.0.3
-	github.com/hashicorp/go-version v1.6.0
-	github.com/hashicorp/golang-lru v0.5.4
-	github.com/hashicorp/hcl v1.0.1-vault-5
-	github.com/hashicorp/hcl/v2 v2.16.2
-	github.com/hashicorp/hcp-link v0.1.0
-	github.com/hashicorp/hcp-scada-provider v0.2.1
-	github.com/hashicorp/hcp-sdk-go v0.23.0
-	github.com/hashicorp/nomad/api v0.0.0-20230519153805-2275a83cbfdf
-	github.com/hashicorp/raft v1.3.10
-	github.com/hashicorp/raft-autopilot v0.2.0
-	github.com/hashicorp/raft-boltdb/v2 v2.0.0-20210421194847-a7e34179d62c
-	github.com/hashicorp/raft-snapshot v1.0.4
-	github.com/hashicorp/vault-plugin-auth-alicloud v0.16.0
-	github.com/hashicorp/vault-plugin-auth-azure v0.16.2
-	github.com/hashicorp/vault-plugin-auth-centrify v0.15.1
-	github.com/hashicorp/vault-plugin-auth-cf v0.15.1
-	github.com/hashicorp/vault-plugin-auth-gcp v0.16.1
-	github.com/hashicorp/vault-plugin-auth-jwt v0.17.0
-	github.com/hashicorp/vault-plugin-auth-kerberos v0.10.1
-	github.com/hashicorp/vault-plugin-auth-kubernetes v0.17.1
-	github.com/hashicorp/vault-plugin-auth-oci v0.14.2
-	github.com/hashicorp/vault-plugin-database-couchbase v0.9.4
-	github.com/hashicorp/vault-plugin-database-elasticsearch v0.13.3
-	github.com/hashicorp/vault-plugin-database-mongodbatlas v0.10.1
-	github.com/hashicorp/vault-plugin-database-redis v0.2.2
-	github.com/hashicorp/vault-plugin-database-redis-elasticache v0.2.3
-	github.com/hashicorp/vault-plugin-database-snowflake v0.9.0
-	github.com/hashicorp/vault-plugin-mock v0.16.1
-	github.com/hashicorp/vault-plugin-secrets-ad v0.16.1
-	github.com/hashicorp/vault-plugin-secrets-alicloud v0.15.1
-	github.com/hashicorp/vault-plugin-secrets-azure v0.16.3
-	github.com/hashicorp/vault-plugin-secrets-gcp v0.17.0
-	github.com/hashicorp/vault-plugin-secrets-gcpkms v0.15.1
-	github.com/hashicorp/vault-plugin-secrets-kubernetes v0.6.0
-	github.com/hashicorp/vault-plugin-secrets-kv v0.16.2
-	github.com/hashicorp/vault-plugin-secrets-mongodbatlas v0.10.2
-	github.com/hashicorp/vault-plugin-secrets-openldap v0.11.2
-	github.com/hashicorp/vault-plugin-secrets-terraform v0.7.3
-	github.com/hashicorp/vault-testing-stepwise v0.1.4
-	github.com/hashicorp/vault/api v1.10.0
-	github.com/hashicorp/vault/api/auth/approle v0.1.0
-	github.com/hashicorp/vault/api/auth/userpass v0.1.0
-	github.com/hashicorp/vault/sdk v0.10.0
-	github.com/hashicorp/vault/vault/hcp_link/proto v0.0.0-20230201201504-b741fa893d77
-	github.com/influxdata/influxdb1-client v0.0.0-20200827194710-b269163b24ab
-	github.com/jackc/pgx/v4 v4.18.1
-	github.com/jcmturner/gokrb5/v8 v8.4.4
-	github.com/jefferai/isbadcipher v0.0.0-20190226160619-51d2077c035f
-	github.com/jefferai/jsonx v1.0.0
-	github.com/joyent/triton-go v1.7.1-0.20200416154420-6801d15b779f
-	github.com/klauspost/compress v1.16.5
-	github.com/kr/pretty v0.3.1
-	github.com/kr/text v0.2.0
-	github.com/mattn/go-colorable v0.1.13
-	github.com/mattn/go-isatty v0.0.19
-	github.com/mholt/archiver/v3 v3.5.1
-	github.com/michaelklishin/rabbit-hole/v2 v2.12.0
-	github.com/mikesmitty/edkey v0.0.0-20170222072505-3356ea4e686a
-	github.com/mitchellh/cli v1.1.5
-	github.com/mitchellh/copystructure v1.2.0
-	github.com/mitchellh/go-homedir v1.1.0
-	github.com/mitchellh/go-testing-interface v1.14.1
-	github.com/mitchellh/go-wordwrap v1.0.1
-	github.com/mitchellh/mapstructure v1.5.0
-	github.com/mitchellh/reflectwalk v1.0.2
-	github.com/natefinch/atomic v0.0.0-20150920032501-a62ce929ffcc
-	github.com/ncw/swift v1.0.47
-	github.com/oklog/run v1.1.0
-	github.com/okta/okta-sdk-golang/v2 v2.12.1
-	github.com/oracle/oci-go-sdk v24.3.0+incompatible
-	github.com/ory/dockertest v3.3.5+incompatible
-	github.com/ory/dockertest/v3 v3.10.0
-	github.com/patrickmn/go-cache v2.1.0+incompatible
-	github.com/pires/go-proxyproto v0.6.1
-	github.com/pkg/errors v0.9.1
-	github.com/posener/complete v1.2.3
-	github.com/pquerna/otp v1.2.1-0.20191009055518-468c2dd2b58d
-	github.com/prometheus/client_golang v1.14.0
-	github.com/prometheus/common v0.37.0
-	github.com/rboyer/safeio v0.2.1
-	github.com/robfig/cron/v3 v3.0.1
-	github.com/ryanuber/columnize v2.1.2+incompatible
-	github.com/ryanuber/go-glob v1.0.0
-	github.com/sasha-s/go-deadlock v0.2.0
-	github.com/sethvargo/go-limiter v0.7.1
-	github.com/shirou/gopsutil/v3 v3.22.6
-	github.com/stretchr/testify v1.8.4
-	go.etcd.io/bbolt v1.3.7
-	go.etcd.io/etcd/client/pkg/v3 v3.5.7
-	go.etcd.io/etcd/client/v2 v2.305.5
-	go.etcd.io/etcd/client/v3 v3.5.7
-	go.mongodb.org/atlas v0.33.0
-	go.mongodb.org/mongo-driver v1.12.1
-	go.opentelemetry.io/otel v1.16.0
-	go.opentelemetry.io/otel/sdk v1.14.0
-	go.opentelemetry.io/otel/trace v1.16.0
-	go.uber.org/atomic v1.11.0
-	go.uber.org/goleak v1.2.1
-	golang.org/x/crypto v0.14.0
-	golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1
-	golang.org/x/net v0.17.0
-	golang.org/x/oauth2 v0.11.0
-	golang.org/x/sync v0.3.0
-	golang.org/x/sys v0.13.0
-	golang.org/x/term v0.13.0
-	golang.org/x/text v0.13.0
-	golang.org/x/tools v0.10.0
-	google.golang.org/api v0.139.0
-	google.golang.org/grpc v1.58.3
-	google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0
-	google.golang.org/protobuf v1.31.0
-	gopkg.in/ory-am/dockertest.v3 v3.3.4
-	gotest.tools/gotestsum v1.10.0
-	honnef.co/go/tools v0.4.3
-	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2
-	layeh.com/radius v0.0.0-20190322222518-890bc1058917
-	mvdan.cc/gofumpt v0.3.1
-	nhooyr.io/websocket v1.8.7
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
 )
 
-require (
-	cloud.google.com/go v0.110.8 // indirect
-	cloud.google.com/go/compute v1.23.1 // indirect
-	cloud.google.com/go/compute/metadata v0.2.3 // indirect
-	cloud.google.com/go/iam v1.1.3 // indirect
-	cloud.google.com/go/kms v1.15.3 // indirect
-	github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
-	github.com/99designs/keyring v1.2.2 // indirect
-	github.com/Azure/azure-pipeline-go v0.2.3 // indirect
-	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v4 v4.2.1 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi v1.1.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.1.1 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.0.0 // indirect
-	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
-	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 // indirect
-	github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
-	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
-	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
-	github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect
-	github.com/Azure/go-autorest/logger v0.2.1 // indirect
-	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 // indirect
-	github.com/BurntSushi/toml v1.3.2 // indirect
-	github.com/DataDog/datadog-go v3.2.0+incompatible // indirect
-	github.com/Jeffail/gabs v1.1.1 // indirect
-	github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c // indirect
-	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/semver v1.5.0 // indirect
-	github.com/Masterminds/semver/v3 v3.2.1 // indirect
-	github.com/Masterminds/sprig/v3 v3.2.3 // indirect
-	github.com/Microsoft/go-winio v0.6.1 // indirect
-	github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
-	github.com/acomagu/bufpipe v1.0.4 // indirect
-	github.com/agext/levenshtein v1.2.1 // indirect
-	github.com/andybalholm/brotli v1.0.4 // indirect
-	github.com/apache/arrow/go/v12 v12.0.1 // indirect
-	github.com/apache/thrift v0.16.0 // indirect
-	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.17.7 // indirect
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.10 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.13.18 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.1 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.59 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.31 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.25 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.32 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.23 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.11 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.26 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.25 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.14.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.31.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.12.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.18.7 // indirect
-	github.com/aws/smithy-go v1.13.5 // indirect
-	github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f // indirect
-	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bgentry/speakeasy v0.1.0 // indirect
-	github.com/boombuler/barcode v1.0.1 // indirect
-	github.com/cenkalti/backoff v2.2.1+incompatible // indirect
-	github.com/cenkalti/backoff/v4 v4.2.0 // indirect
-	github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
-	github.com/centrify/cloud-golang-sdk v0.0.0-20210923165758-a8c48d049166 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible // indirect
-	github.com/circonus-labs/circonusllhist v0.1.3 // indirect
-	github.com/cjlapao/common-go v0.0.39 // indirect
-	github.com/cloudflare/circl v1.3.3 // indirect
-	github.com/cloudfoundry-community/go-cfclient v0.0.0-20220930021109-9c4e6c59ccf1 // indirect
-	github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe // indirect
-	github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4 // indirect
-	github.com/containerd/containerd v1.7.0 // indirect
-	github.com/containerd/continuity v0.3.0 // indirect
-	github.com/coreos/go-oidc v2.2.1+incompatible // indirect
-	github.com/coreos/go-oidc/v3 v3.5.0 // indirect
-	github.com/coreos/go-semver v0.3.0 // indirect
-	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
-	github.com/couchbase/gocb/v2 v2.6.3 // indirect
-	github.com/couchbase/gocbcore/v10 v10.2.3 // indirect
-	github.com/danieljoos/wincred v1.1.2 // indirect
-	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba // indirect
-	github.com/dgryski/go-metro v0.0.0-20180109044635-280f6062b5bc // indirect
-	github.com/digitalocean/godo v1.7.5 // indirect
-	github.com/dimchansky/utfbom v1.1.1 // indirect
-	github.com/dnephin/pflag v1.0.7 // indirect
-	github.com/docker/cli v20.10.20+incompatible // indirect
-	github.com/docker/distribution v2.8.2+incompatible // indirect
-	github.com/docker/docker v24.0.7+incompatible // indirect
-	github.com/docker/go-connections v0.4.0 // indirect
-	github.com/docker/go-units v0.5.0 // indirect
-	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
-	github.com/dvsekhvalnov/jose2go v1.5.0 // indirect
-	github.com/emicklei/go-restful/v3 v3.10.1 // indirect
-	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/envoyproxy/go-control-plane v0.11.1 // indirect
-	github.com/envoyproxy/protoc-gen-validate v1.0.2 // indirect
-	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
-	github.com/form3tech-oss/jwt-go v3.2.5+incompatible // indirect
-	github.com/fsnotify/fsnotify v1.6.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.2 // indirect
-	github.com/gammazero/deque v0.2.1 // indirect
-	github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect
-	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-git/go-billy/v5 v5.4.1 // indirect
-	github.com/go-ldap/ldif v0.0.0-20200320164324-fd88d9b715b3 // indirect
-	github.com/go-logr/logr v1.2.4 // indirect
-	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-ole/go-ole v1.2.6 // indirect
-	github.com/go-openapi/analysis v0.20.0 // indirect
-	github.com/go-openapi/errors v0.20.1 // indirect
-	github.com/go-openapi/jsonpointer v0.19.6 // indirect
-	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/loads v0.20.2 // indirect
-	github.com/go-openapi/runtime v0.19.24 // indirect
-	github.com/go-openapi/spec v0.20.3 // indirect
-	github.com/go-openapi/strfmt v0.20.0 // indirect
-	github.com/go-openapi/swag v0.22.3 // indirect
-	github.com/go-openapi/validate v0.20.2 // indirect
-	github.com/go-ozzo/ozzo-validation v3.6.0+incompatible // indirect
-	github.com/goccy/go-json v0.10.0 // indirect
-	github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect
-	github.com/gofrs/uuid v4.3.0+incompatible // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
-	github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
-	github.com/golang-sql/sqlexp v0.1.0 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/snappy v0.0.4 // indirect
-	github.com/google/flatbuffers v23.1.21+incompatible // indirect
-	github.com/google/gnostic-models v0.6.8 // indirect
-	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/s2a-go v0.1.7 // indirect
-	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/google/uuid v1.3.1 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect
-	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
-	github.com/gophercloud/gophercloud v0.1.0 // indirect
-	github.com/gorilla/websocket v1.5.0 // indirect
-	github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect
-	github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed // indirect
-	github.com/hashicorp/cronexpr v1.1.1 // indirect
-	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
-	github.com/hashicorp/go-metrics v0.5.1 // indirect
-	github.com/hashicorp/go-msgpack/v2 v2.0.0 // indirect
-	github.com/hashicorp/go-secure-stdlib/fileutil v0.1.0 // indirect
-	github.com/hashicorp/go-secure-stdlib/plugincontainer v0.2.2 // indirect
-	github.com/hashicorp/go-slug v0.12.1 // indirect
-	github.com/hashicorp/go-tfe v1.33.0 // indirect
-	github.com/hashicorp/jsonapi v0.0.0-20210826224640-ee7dae0fb22d // indirect
-	github.com/hashicorp/logutils v1.0.0 // indirect
-	github.com/hashicorp/mdns v1.0.4 // indirect
-	github.com/hashicorp/net-rpc-msgpackrpc/v2 v2.0.0 // indirect
-	github.com/hashicorp/serf v0.10.1 // indirect
-	github.com/hashicorp/vault/api/auth/kubernetes v0.4.1 // indirect
-	github.com/hashicorp/vic v1.5.1-0.20190403131502-bbfe86ec9443 // indirect
-	github.com/hashicorp/yamux v0.1.1 // indirect
-	github.com/huandu/xstrings v1.4.0 // indirect
-	github.com/imdario/mergo v0.3.15 // indirect
-	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
-	github.com/jackc/pgconn v1.14.0 // indirect
-	github.com/jackc/pgio v1.0.0 // indirect
-	github.com/jackc/pgpassfile v1.0.0 // indirect
-	github.com/jackc/pgproto3/v2 v2.3.2 // indirect
-	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
-	github.com/jackc/pgtype v1.14.0 // indirect
-	github.com/jackc/pgx v3.3.0+incompatible // indirect
-	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
-	github.com/jcmturner/aescts/v2 v2.0.0 // indirect
-	github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
-	github.com/jcmturner/gofork v1.7.6 // indirect
-	github.com/jcmturner/goidentity/v6 v6.0.1 // indirect
-	github.com/jcmturner/rpc/v2 v2.0.3 // indirect
-	github.com/jeffchao/backoff v0.0.0-20140404060208-9d7fd7aa17f2 // indirect
-	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/josharian/intern v1.0.0 // indirect
-	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/kelseyhightower/envconfig v1.4.0 // indirect
-	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/asmfmt v1.3.2 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.3 // indirect
-	github.com/klauspost/pgzip v1.2.5 // indirect
-	github.com/kylelemons/godebug v1.1.0 // indirect
-	github.com/lib/pq v1.10.9 // indirect
-	github.com/linode/linodego v0.7.1 // indirect
-	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
-	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/mattn/go-ieproxy v0.0.1 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
-	github.com/mediocregopher/radix/v4 v4.1.4 // indirect
-	github.com/microsoft/kiota-abstractions-go v1.2.0 // indirect
-	github.com/microsoft/kiota-authentication-azure-go v1.0.0 // indirect
-	github.com/microsoft/kiota-http-go v1.1.0 // indirect
-	github.com/microsoft/kiota-serialization-form-go v1.0.0 // indirect
-	github.com/microsoft/kiota-serialization-json-go v1.0.4 // indirect
-	github.com/microsoft/kiota-serialization-text-go v1.0.0 // indirect
-	github.com/microsoftgraph/msgraph-sdk-go v1.13.0 // indirect
-	github.com/microsoftgraph/msgraph-sdk-go-core v1.0.0 // indirect
-	github.com/miekg/dns v1.1.43 // indirect
-	github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8 // indirect
-	github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3 // indirect
-	github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
-	github.com/mitchellh/hashstructure v1.1.0 // indirect
-	github.com/mitchellh/pointerstructure v1.2.1 // indirect
-	github.com/moby/patternmatcher v0.5.0 // indirect
-	github.com/moby/sys/sequential v0.5.0 // indirect
-	github.com/moby/term v0.5.0 // indirect
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/mongodb-forks/digest v1.0.5 // indirect
-	github.com/montanaflynn/stats v0.7.0 // indirect
-	github.com/mtibben/percent v0.2.1 // indirect
-	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/nicolai86/scaleway-sdk v1.10.2-0.20180628010248-798f60e20bb2 // indirect
-	github.com/nwaples/rardecode v1.1.2 // indirect
-	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b // indirect
-	github.com/opencontainers/runc v1.1.6 // indirect
-	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
-	github.com/oracle/oci-go-sdk/v60 v60.0.0 // indirect
-	github.com/packethost/packngo v0.1.1-0.20180711074735-b9cb5096f54c // indirect
-	github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 // indirect
-	github.com/pierrec/lz4 v2.6.1+incompatible // indirect
-	github.com/pierrec/lz4/v4 v4.1.17 // indirect
-	github.com/pjbgf/sha1cd v0.3.0 // indirect
-	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
-	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
-	github.com/pquerna/cachecontrol v0.1.0 // indirect
-	github.com/prometheus/client_model v0.4.0 // indirect
-	github.com/prometheus/procfs v0.8.0 // indirect
-	github.com/renier/xmlrpc v0.0.0-20170708154548-ce4a1a486c03 // indirect
-	github.com/rogpeppe/go-internal v1.10.0 // indirect
-	github.com/sergi/go-diff v1.1.0 // indirect
-	github.com/shopspring/decimal v1.3.1 // indirect
-	github.com/sirupsen/logrus v1.9.0 // indirect
-	github.com/skeema/knownhosts v1.1.1 // indirect
-	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
-	github.com/snowflakedb/gosnowflake v1.6.24 // indirect
-	github.com/softlayer/softlayer-go v0.0.0-20180806151055-260589d94c7d // indirect
-	github.com/sony/gobreaker v0.4.2-0.20210216022020-dd874f9dd33b // indirect
-	github.com/spf13/cast v1.5.1 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/stretchr/objx v0.5.0 // indirect
-	github.com/tencentcloud/tencentcloud-sdk-go v1.0.162 // indirect
-	github.com/tilinna/clock v1.1.0 // indirect
-	github.com/tklauser/go-sysconf v0.3.10 // indirect
-	github.com/tklauser/numcpus v0.4.0 // indirect
-	github.com/tv42/httpunix v0.0.0-20191220191345-2ba4b9c3382c // indirect
-	github.com/ulikunitz/xz v0.5.10 // indirect
-	github.com/vmware/govmomi v0.18.0 // indirect
-	github.com/xanzy/ssh-agent v0.3.3 // indirect
-	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
-	github.com/xdg-go/scram v1.1.2 // indirect
-	github.com/xdg-go/stringprep v1.0.4 // indirect
-	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
-	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
-	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
-	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
-	github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
-	github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d // indirect
-	github.com/yuin/gopher-lua v0.0.0-20210529063254-f4c35e4016d9 // indirect
-	github.com/yusufpapurcu/wmi v1.2.2 // indirect
-	github.com/zclconf/go-cty v1.12.1 // indirect
-	github.com/zeebo/xxh3 v1.0.2 // indirect
-	go.etcd.io/etcd/api/v3 v3.5.7 // indirect
-	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/otel/metric v1.16.0 // indirect
-	go.uber.org/multierr v1.7.0 // indirect
-	go.uber.org/zap v1.19.1 // indirect
-	golang.org/x/exp/typeparams v0.0.0-20221208152030-732eee02a75a // indirect
-	golang.org/x/mod v0.12.0 // indirect
-	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20231012201019-e917dd12ba7a // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20231030173426-d783a09b4405 // indirect
-	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/ini.v1 v1.66.2 // indirect
-	gopkg.in/jcmturner/goidentity.v3 v3.0.0 // indirect
-	gopkg.in/resty.v1 v1.12.0 // indirect
-	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
-	gopkg.in/warnings.v0 v0.1.2 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/api v0.28.1 // indirect
-	k8s.io/apimachinery v0.28.1 // indirect
-	k8s.io/client-go v0.28.1 // indirect
-	k8s.io/klog/v2 v2.100.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
-	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
-	sigs.k8s.io/yaml v1.3.0 // indirect
+var (
+	_ cli.Command             = (*NamespacePatchCommand)(nil)
+	_ cli.CommandAutocomplete = (*NamespacePatchCommand)(nil)
 )
 
-replace github.com/ma314smith/signedxml v1.1.1 => github.com/moov-io/signedxml v1.1.1
+type NamespacePatchCommand struct {
+	*BaseCommand
+
+	flagCustomMetadata       map[string]string
+	flagRemoveCustomMetadata []string
+}
+
+func (c *NamespacePatchCommand) Synopsis() string {
+	return "Patch an existing namespace"
+}
+
+func (c *NamespacePatchCommand) Help() string {
+	helpText := `
+Usage: vault namespace patch [options] PATH
+
+  Patch an existing namespace. The namespace patched will be relative to the
+  namespace provided in either the VAULT_NAMESPACE environment variable or
+  -namespace CLI flag.
+
+  Patch an existing child namespace by adding and removing custom-metadata (e.g. ns1/):
+
+      $ vault namespace patch -custom-metadata=foo=abc -remove-custom-metadata=bar ns1
+
+  Patch an existing child namespace from a parent namespace (e.g. ns1/ns2/):
+
+      $ vault namespace patch -namespace=ns1 -custom-metadata=foo=abc ns2
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *NamespacePatchCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
+
+	f := set.NewFlagSet("Command Options")
+	f.StringMapVar(&StringMapVar{
+		Name:    "custom-metadata",
+		Target:  &c.flagCustomMetadata,
+		Default: map[string]string{},
+		Usage: "Specifies arbitrary key=value metadata meant to describe a namespace." +
+			"This can be specified multiple times to add multiple pieces of metadata.",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:    "remove-custom-metadata",
+		Target:  &c.flagRemoveCustomMetadata,
+		Default: []string{},
+		Usage:   "Key to remove from custom metadata. To specify multiple values, specify this flag multiple times.",
+	})
+
+	return set
+}
+
+func (c *NamespacePatchCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictNothing
+}
+
+func (c *NamespacePatchCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *NamespacePatchCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
+
+	namespacePath := strings.TrimSpace(args[0])
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	data := make(map[string]interface{})
+	customMetadata := make(map[string]interface{})
+
+	for key, value := range c.flagCustomMetadata {
+		customMetadata[key] = value
+	}
+
+	for _, key := range c.flagRemoveCustomMetadata {
+		// A null in a JSON merge patch payload will remove the associated key
+		customMetadata[key] = nil
+	}
+
+	data["custom_metadata"] = customMetadata
+
+	secret, err := client.Logical().JSONMergePatch(context.Background(), "sys/namespaces/"+namespacePath, data)
+	if err != nil {
+		if re, ok := err.(*api.ResponseError); ok && re.StatusCode == http.StatusNotFound {
+			c.UI.Error("Namespace not found")
+			return 2
+		}
+
+		c.UI.Error(fmt.Sprintf("Error patching namespace: %s", err))
+		return 2
+	}
+
+	// Handle single field output
+	if c.flagField != "" {
+		return PrintRawField(c.UI, secret, c.flagField)
+	}
+
+	return OutputSecret(c.UI, secret)
+}
diff --git a/go.sum b/go.sum
index e575e7c7184a..677dfa85aa5e 100644
--- a/go.sum
+++ b/go.sum
@@ -1,4614 +1,619 @@
-bazil.org/fuse v0.0.0-20160811212531-371fbbdaa898/go.mod h1:Xbm+BRKSBEpa4q4hTSxohYNQpsxXPbPry4JJWOB3LB8=
-bazil.org/fuse v0.0.0-20200407214033-5883e5a4b512/go.mod h1:FbcW6z/2VytnFDhZfumh8Ss8zxHE6qpMP5sHTRe0EaM=
-cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
-cloud.google.com/go v0.39.0/go.mod h1:rVLT6fkc8chs9sfPtFc1SBH6em7n+ZoXaG+87tDISts=
-cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
-cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
-cloud.google.com/go v0.44.3/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
-cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
-cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
-cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
-cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
-cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
-cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc=
-cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk=
-cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs=
-cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc=
-cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=
-cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI=
-cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk=
-cloud.google.com/go v0.75.0/go.mod h1:VGuuCn7PG0dwsd5XPVm2Mm3wlh3EL55/79EKB6hlPTY=
-cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg=
-cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8=
-cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0=
-cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAVY=
-cloud.google.com/go v0.84.0/go.mod h1:RazrYuxIK6Kb7YrzzhPoLmCVzl7Sup4NrbKPg8KHSUM=
-cloud.google.com/go v0.87.0/go.mod h1:TpDYlFy7vuLzZMMZ+B6iRiELaY7z/gJPaqbMx6mlWcY=
-cloud.google.com/go v0.90.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aDQ=
-cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI=
-cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4=
-cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc=
-cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA=
-cloud.google.com/go v0.100.1/go.mod h1:fs4QogzfH5n2pBXBP9vRiU+eCny7lD2vmFZy79Iuw1U=
-cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A=
-cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc=
-cloud.google.com/go v0.102.1/go.mod h1:XZ77E9qnTEnrgEOvr4xzfdX5TRo7fB4T2F4O6+34hIU=
-cloud.google.com/go v0.104.0/go.mod h1:OO6xxXdJyvuJPcEPBLN9BJPD+jep5G1+2U5B5gkRYtA=
-cloud.google.com/go v0.105.0/go.mod h1:PrLgOJNe5nfE9UMxKxgXj4mD3voiP+YQ6gdt6KMFOKM=
-cloud.google.com/go v0.107.0/go.mod h1:wpc2eNrD7hXUTy8EKS10jkxpZBjASrORK7goS+3YX2I=
-cloud.google.com/go v0.110.0/go.mod h1:SJnCLqQ0FCFGSZMUNUf84MV3Aia54kn7pi8st7tMzaY=
-cloud.google.com/go v0.110.2/go.mod h1:k04UEeEtb6ZBRTv3dZz4CeJC3jKGxyhl0sAiVVquxiw=
-cloud.google.com/go v0.110.4/go.mod h1:+EYjdK8e5RME/VY/qLCAtuyALQ9q67dvuum8i+H5xsI=
-cloud.google.com/go v0.110.6/go.mod h1:+EYjdK8e5RME/VY/qLCAtuyALQ9q67dvuum8i+H5xsI=
-cloud.google.com/go v0.110.7/go.mod h1:+EYjdK8e5RME/VY/qLCAtuyALQ9q67dvuum8i+H5xsI=
-cloud.google.com/go v0.110.8 h1:tyNdfIxjzaWctIiLYOTalaLKZ17SI44SKFW26QbOhME=
-cloud.google.com/go v0.110.8/go.mod h1:Iz8AkXJf1qmxC3Oxoep8R1T36w8B92yU29PcBhHO5fk=
-cloud.google.com/go/accessapproval v1.4.0/go.mod h1:zybIuC3KpDOvotz59lFe5qxRZx6C75OtwbisN56xYB4=
-cloud.google.com/go/accessapproval v1.5.0/go.mod h1:HFy3tuiGvMdcd/u+Cu5b9NkO1pEICJ46IR82PoUdplw=
-cloud.google.com/go/accessapproval v1.6.0/go.mod h1:R0EiYnwV5fsRFiKZkPHr6mwyk2wxUJ30nL4j2pcFY2E=
-cloud.google.com/go/accessapproval v1.7.1/go.mod h1:JYczztsHRMK7NTXb6Xw+dwbs/WnOJxbo/2mTI+Kgg68=
-cloud.google.com/go/accessapproval v1.7.2/go.mod h1:/gShiq9/kK/h8T/eEn1BTzalDvk0mZxJlhfw0p+Xuc0=
-cloud.google.com/go/accesscontextmanager v1.3.0/go.mod h1:TgCBehyr5gNMz7ZaH9xubp+CE8dkrszb4oK9CWyvD4o=
-cloud.google.com/go/accesscontextmanager v1.4.0/go.mod h1:/Kjh7BBu/Gh83sv+K60vN9QE5NJcd80sU33vIe2IFPE=
-cloud.google.com/go/accesscontextmanager v1.6.0/go.mod h1:8XCvZWfYw3K/ji0iVnp+6pu7huxoQTLmxAbVjbloTtM=
-cloud.google.com/go/accesscontextmanager v1.7.0/go.mod h1:CEGLewx8dwa33aDAZQujl7Dx+uYhS0eay198wB/VumQ=
-cloud.google.com/go/accesscontextmanager v1.8.0/go.mod h1:uI+AI/r1oyWK99NN8cQ3UK76AMelMzgZCvJfsi2c+ps=
-cloud.google.com/go/accesscontextmanager v1.8.1/go.mod h1:JFJHfvuaTC+++1iL1coPiG1eu5D24db2wXCDWDjIrxo=
-cloud.google.com/go/accesscontextmanager v1.8.2/go.mod h1:E6/SCRM30elQJ2PKtFMs2YhfJpZSNcJyejhuzoId4Zk=
-cloud.google.com/go/aiplatform v1.22.0/go.mod h1:ig5Nct50bZlzV6NvKaTwmplLLddFx0YReh9WfTO5jKw=
-cloud.google.com/go/aiplatform v1.24.0/go.mod h1:67UUvRBKG6GTayHKV8DBv2RtR1t93YRu5B1P3x99mYY=
-cloud.google.com/go/aiplatform v1.27.0/go.mod h1:Bvxqtl40l0WImSb04d0hXFU7gDOiq9jQmorivIiWcKg=
-cloud.google.com/go/aiplatform v1.35.0/go.mod h1:7MFT/vCaOyZT/4IIFfxH4ErVg/4ku6lKv3w0+tFTgXQ=
-cloud.google.com/go/aiplatform v1.36.1/go.mod h1:WTm12vJRPARNvJ+v6P52RDHCNe4AhvjcIZ/9/RRHy/k=
-cloud.google.com/go/aiplatform v1.37.0/go.mod h1:IU2Cv29Lv9oCn/9LkFiiuKfwrRTq+QQMbW+hPCxJGZw=
-cloud.google.com/go/aiplatform v1.45.0/go.mod h1:Iu2Q7sC7QGhXUeOhAj/oCK9a+ULz1O4AotZiqjQ8MYA=
-cloud.google.com/go/aiplatform v1.48.0/go.mod h1:Iu2Q7sC7QGhXUeOhAj/oCK9a+ULz1O4AotZiqjQ8MYA=
-cloud.google.com/go/aiplatform v1.50.0/go.mod h1:IRc2b8XAMTa9ZmfJV1BCCQbieWWvDnP1A8znyz5N7y4=
-cloud.google.com/go/aiplatform v1.51.1/go.mod h1:kY3nIMAVQOK2XDqDPHaOuD9e+FdMA6OOpfBjsvaFSOo=
-cloud.google.com/go/analytics v0.11.0/go.mod h1:DjEWCu41bVbYcKyvlws9Er60YE4a//bK6mnhWvQeFNI=
-cloud.google.com/go/analytics v0.12.0/go.mod h1:gkfj9h6XRf9+TS4bmuhPEShsh3hH8PAZzm/41OOhQd4=
-cloud.google.com/go/analytics v0.17.0/go.mod h1:WXFa3WSym4IZ+JiKmavYdJwGG/CvpqiqczmL59bTD9M=
-cloud.google.com/go/analytics v0.18.0/go.mod h1:ZkeHGQlcIPkw0R/GW+boWHhCOR43xz9RN/jn7WcqfIE=
-cloud.google.com/go/analytics v0.19.0/go.mod h1:k8liqf5/HCnOUkbawNtrWWc+UAzyDlW89doe8TtoDsE=
-cloud.google.com/go/analytics v0.21.2/go.mod h1:U8dcUtmDmjrmUTnnnRnI4m6zKn/yaA5N9RlEkYFHpQo=
-cloud.google.com/go/analytics v0.21.3/go.mod h1:U8dcUtmDmjrmUTnnnRnI4m6zKn/yaA5N9RlEkYFHpQo=
-cloud.google.com/go/analytics v0.21.4/go.mod h1:zZgNCxLCy8b2rKKVfC1YkC2vTrpfZmeRCySM3aUbskA=
-cloud.google.com/go/apigateway v1.3.0/go.mod h1:89Z8Bhpmxu6AmUxuVRg/ECRGReEdiP3vQtk4Z1J9rJk=
-cloud.google.com/go/apigateway v1.4.0/go.mod h1:pHVY9MKGaH9PQ3pJ4YLzoj6U5FUDeDFBllIz7WmzJoc=
-cloud.google.com/go/apigateway v1.5.0/go.mod h1:GpnZR3Q4rR7LVu5951qfXPJCHquZt02jf7xQx7kpqN8=
-cloud.google.com/go/apigateway v1.6.1/go.mod h1:ufAS3wpbRjqfZrzpvLC2oh0MFlpRJm2E/ts25yyqmXA=
-cloud.google.com/go/apigateway v1.6.2/go.mod h1:CwMC90nnZElorCW63P2pAYm25AtQrHfuOkbRSHj0bT8=
-cloud.google.com/go/apigeeconnect v1.3.0/go.mod h1:G/AwXFAKo0gIXkPTVfZDd2qA1TxBXJ3MgMRBQkIi9jc=
-cloud.google.com/go/apigeeconnect v1.4.0/go.mod h1:kV4NwOKqjvt2JYR0AoIWo2QGfoRtn/pkS3QlHp0Ni04=
-cloud.google.com/go/apigeeconnect v1.5.0/go.mod h1:KFaCqvBRU6idyhSNyn3vlHXc8VMDJdRmwDF6JyFRqZ8=
-cloud.google.com/go/apigeeconnect v1.6.1/go.mod h1:C4awq7x0JpLtrlQCr8AzVIzAaYgngRqWf9S5Uhg+wWs=
-cloud.google.com/go/apigeeconnect v1.6.2/go.mod h1:s6O0CgXT9RgAxlq3DLXvG8riw8PYYbU/v25jqP3Dy18=
-cloud.google.com/go/apigeeregistry v0.4.0/go.mod h1:EUG4PGcsZvxOXAdyEghIdXwAEi/4MEaoqLMLDMIwKXY=
-cloud.google.com/go/apigeeregistry v0.5.0/go.mod h1:YR5+s0BVNZfVOUkMa5pAR2xGd0A473vA5M7j247o1wM=
-cloud.google.com/go/apigeeregistry v0.6.0/go.mod h1:BFNzW7yQVLZ3yj0TKcwzb8n25CFBri51GVGOEUcgQsc=
-cloud.google.com/go/apigeeregistry v0.7.1/go.mod h1:1XgyjZye4Mqtw7T9TsY4NW10U7BojBvG4RMD+vRDrIw=
-cloud.google.com/go/apigeeregistry v0.7.2/go.mod h1:9CA2B2+TGsPKtfi3F7/1ncCCsL62NXBRfM6iPoGSM+8=
-cloud.google.com/go/apikeys v0.4.0/go.mod h1:XATS/yqZbaBK0HOssf+ALHp8jAlNHUgyfprvNcBIszU=
-cloud.google.com/go/apikeys v0.5.0/go.mod h1:5aQfwY4D+ewMMWScd3hm2en3hCj+BROlyrt3ytS7KLI=
-cloud.google.com/go/apikeys v0.6.0/go.mod h1:kbpXu5upyiAlGkKrJgQl8A0rKNNJ7dQ377pdroRSSi8=
-cloud.google.com/go/appengine v1.4.0/go.mod h1:CS2NhuBuDXM9f+qscZ6V86m1MIIqPj3WC/UoEuR1Sno=
-cloud.google.com/go/appengine v1.5.0/go.mod h1:TfasSozdkFI0zeoxW3PTBLiNqRmzraodCWatWI9Dmak=
-cloud.google.com/go/appengine v1.6.0/go.mod h1:hg6i0J/BD2cKmDJbaFSYHFyZkgBEfQrDg/X0V5fJn84=
-cloud.google.com/go/appengine v1.7.0/go.mod h1:eZqpbHFCqRGa2aCdope7eC0SWLV1j0neb/QnMJVWx6A=
-cloud.google.com/go/appengine v1.7.1/go.mod h1:IHLToyb/3fKutRysUlFO0BPt5j7RiQ45nrzEJmKTo6E=
-cloud.google.com/go/appengine v1.8.1/go.mod h1:6NJXGLVhZCN9aQ/AEDvmfzKEfoYBlfB80/BHiKVputY=
-cloud.google.com/go/appengine v1.8.2/go.mod h1:WMeJV9oZ51pvclqFN2PqHoGnys7rK0rz6s3Mp6yMvDo=
-cloud.google.com/go/area120 v0.5.0/go.mod h1:DE/n4mp+iqVyvxHN41Vf1CR602GiHQjFPusMFW6bGR4=
-cloud.google.com/go/area120 v0.6.0/go.mod h1:39yFJqWVgm0UZqWTOdqkLhjoC7uFfgXRC8g/ZegeAh0=
-cloud.google.com/go/area120 v0.7.0/go.mod h1:a3+8EUD1SX5RUcCs3MY5YasiO1z6yLiNLRiFrykbynY=
-cloud.google.com/go/area120 v0.7.1/go.mod h1:j84i4E1RboTWjKtZVWXPqvK5VHQFJRF2c1Nm69pWm9k=
-cloud.google.com/go/area120 v0.8.1/go.mod h1:BVfZpGpB7KFVNxPiQBuHkX6Ed0rS51xIgmGyjrAfzsg=
-cloud.google.com/go/area120 v0.8.2/go.mod h1:a5qfo+x77SRLXnCynFWPUZhnZGeSgvQ+Y0v1kSItkh4=
-cloud.google.com/go/artifactregistry v1.6.0/go.mod h1:IYt0oBPSAGYj/kprzsBjZ/4LnG/zOcHyFHjWPCi6SAQ=
-cloud.google.com/go/artifactregistry v1.7.0/go.mod h1:mqTOFOnGZx8EtSqK/ZWcsm/4U8B77rbcLP6ruDU2Ixk=
-cloud.google.com/go/artifactregistry v1.8.0/go.mod h1:w3GQXkJX8hiKN0v+at4b0qotwijQbYUqF2GWkZzAhC0=
-cloud.google.com/go/artifactregistry v1.9.0/go.mod h1:2K2RqvA2CYvAeARHRkLDhMDJ3OXy26h3XW+3/Jh2uYc=
-cloud.google.com/go/artifactregistry v1.11.1/go.mod h1:lLYghw+Itq9SONbCa1YWBoWs1nOucMH0pwXN1rOBZFI=
-cloud.google.com/go/artifactregistry v1.11.2/go.mod h1:nLZns771ZGAwVLzTX/7Al6R9ehma4WUEhZGWV6CeQNQ=
-cloud.google.com/go/artifactregistry v1.12.0/go.mod h1:o6P3MIvtzTOnmvGagO9v/rOjjA0HmhJ+/6KAXrmYDCI=
-cloud.google.com/go/artifactregistry v1.13.0/go.mod h1:uy/LNfoOIivepGhooAUpL1i30Hgee3Cu0l4VTWHUC08=
-cloud.google.com/go/artifactregistry v1.14.1/go.mod h1:nxVdG19jTaSTu7yA7+VbWL346r3rIdkZ142BSQqhn5E=
-cloud.google.com/go/artifactregistry v1.14.3/go.mod h1:A2/E9GXnsyXl7GUvQ/2CjHA+mVRoWAXC0brg2os+kNI=
-cloud.google.com/go/asset v1.5.0/go.mod h1:5mfs8UvcM5wHhqtSv8J1CtxxaQq3AdBxxQi2jGW/K4o=
-cloud.google.com/go/asset v1.7.0/go.mod h1:YbENsRK4+xTiL+Ofoj5Ckf+O17kJtgp3Y3nn4uzZz5s=
-cloud.google.com/go/asset v1.8.0/go.mod h1:mUNGKhiqIdbr8X7KNayoYvyc4HbbFO9URsjbytpUaW0=
-cloud.google.com/go/asset v1.9.0/go.mod h1:83MOE6jEJBMqFKadM9NLRcs80Gdw76qGuHn8m3h8oHQ=
-cloud.google.com/go/asset v1.10.0/go.mod h1:pLz7uokL80qKhzKr4xXGvBQXnzHn5evJAEAtZiIb0wY=
-cloud.google.com/go/asset v1.11.1/go.mod h1:fSwLhbRvC9p9CXQHJ3BgFeQNM4c9x10lqlrdEUYXlJo=
-cloud.google.com/go/asset v1.12.0/go.mod h1:h9/sFOa4eDIyKmH6QMpm4eUK3pDojWnUhTgJlk762Hg=
-cloud.google.com/go/asset v1.13.0/go.mod h1:WQAMyYek/b7NBpYq/K4KJWcRqzoalEsxz/t/dTk4THw=
-cloud.google.com/go/asset v1.14.1/go.mod h1:4bEJ3dnHCqWCDbWJ/6Vn7GVI9LerSi7Rfdi03hd+WTQ=
-cloud.google.com/go/asset v1.15.1/go.mod h1:yX/amTvFWRpp5rcFq6XbCxzKT8RJUam1UoboE179jU4=
-cloud.google.com/go/assuredworkloads v1.5.0/go.mod h1:n8HOZ6pff6re5KYfBXcFvSViQjDwxFkAkmUFffJRbbY=
-cloud.google.com/go/assuredworkloads v1.6.0/go.mod h1:yo2YOk37Yc89Rsd5QMVECvjaMKymF9OP+QXWlKXUkXw=
-cloud.google.com/go/assuredworkloads v1.7.0/go.mod h1:z/736/oNmtGAyU47reJgGN+KVoYoxeLBoj4XkKYscNI=
-cloud.google.com/go/assuredworkloads v1.8.0/go.mod h1:AsX2cqyNCOvEQC8RMPnoc0yEarXQk6WEKkxYfL6kGIo=
-cloud.google.com/go/assuredworkloads v1.9.0/go.mod h1:kFuI1P78bplYtT77Tb1hi0FMxM0vVpRC7VVoJC3ZoT0=
-cloud.google.com/go/assuredworkloads v1.10.0/go.mod h1:kwdUQuXcedVdsIaKgKTp9t0UJkE5+PAVNhdQm4ZVq2E=
-cloud.google.com/go/assuredworkloads v1.11.1/go.mod h1:+F04I52Pgn5nmPG36CWFtxmav6+7Q+c5QyJoL18Lry0=
-cloud.google.com/go/assuredworkloads v1.11.2/go.mod h1:O1dfr+oZJMlE6mw0Bp0P1KZSlj5SghMBvTpZqIcUAW4=
-cloud.google.com/go/automl v1.5.0/go.mod h1:34EjfoFGMZ5sgJ9EoLsRtdPSNZLcfflJR39VbVNS2M0=
-cloud.google.com/go/automl v1.6.0/go.mod h1:ugf8a6Fx+zP0D59WLhqgTDsQI9w07o64uf/Is3Nh5p8=
-cloud.google.com/go/automl v1.7.0/go.mod h1:RL9MYCCsJEOmt0Wf3z9uzG0a7adTT1fe+aObgSpkCt8=
-cloud.google.com/go/automl v1.8.0/go.mod h1:xWx7G/aPEe/NP+qzYXktoBSDfjO+vnKMGgsApGJJquM=
-cloud.google.com/go/automl v1.12.0/go.mod h1:tWDcHDp86aMIuHmyvjuKeeHEGq76lD7ZqfGLN6B0NuU=
-cloud.google.com/go/automl v1.13.1/go.mod h1:1aowgAHWYZU27MybSCFiukPO7xnyawv7pt3zK4bheQE=
-cloud.google.com/go/automl v1.13.2/go.mod h1:gNY/fUmDEN40sP8amAX3MaXkxcqPIn7F1UIIPZpy4Mg=
-cloud.google.com/go/baremetalsolution v0.3.0/go.mod h1:XOrocE+pvK1xFfleEnShBlNAXf+j5blPPxrhjKgnIFc=
-cloud.google.com/go/baremetalsolution v0.4.0/go.mod h1:BymplhAadOO/eBa7KewQ0Ppg4A4Wplbn+PsFKRLo0uI=
-cloud.google.com/go/baremetalsolution v0.5.0/go.mod h1:dXGxEkmR9BMwxhzBhV0AioD0ULBmuLZI8CdwalUxuss=
-cloud.google.com/go/baremetalsolution v1.1.1/go.mod h1:D1AV6xwOksJMV4OSlWHtWuFNZZYujJknMAP4Qa27QIA=
-cloud.google.com/go/baremetalsolution v1.2.0/go.mod h1:68wi9AwPYkEWIUT4SvSGS9UJwKzNpshjHsH4lzk8iOw=
-cloud.google.com/go/baremetalsolution v1.2.1/go.mod h1:3qKpKIw12RPXStwQXcbhfxVj1dqQGEvcmA+SX/mUR88=
-cloud.google.com/go/batch v0.3.0/go.mod h1:TR18ZoAekj1GuirsUsR1ZTKN3FC/4UDnScjT8NXImFE=
-cloud.google.com/go/batch v0.4.0/go.mod h1:WZkHnP43R/QCGQsZ+0JyG4i79ranE2u8xvjq/9+STPE=
-cloud.google.com/go/batch v0.7.0/go.mod h1:vLZN95s6teRUqRQ4s3RLDsH8PvboqBK+rn1oevL159g=
-cloud.google.com/go/batch v1.3.1/go.mod h1:VguXeQKXIYaeeIYbuozUmBR13AfL4SJP7IltNPS+A4A=
-cloud.google.com/go/batch v1.4.1/go.mod h1:KdBmDD61K0ovcxoRHGrN6GmOBWeAOyCgKD0Mugx4Fkk=
-cloud.google.com/go/batch v1.5.1/go.mod h1:RpBuIYLkQu8+CWDk3dFD/t/jOCGuUpkpX+Y0n1Xccs8=
-cloud.google.com/go/beyondcorp v0.2.0/go.mod h1:TB7Bd+EEtcw9PCPQhCJtJGjk/7TC6ckmnSFS+xwTfm4=
-cloud.google.com/go/beyondcorp v0.3.0/go.mod h1:E5U5lcrcXMsCuoDNyGrpyTm/hn7ne941Jz2vmksAxW8=
-cloud.google.com/go/beyondcorp v0.4.0/go.mod h1:3ApA0mbhHx6YImmuubf5pyW8srKnCEPON32/5hj+RmM=
-cloud.google.com/go/beyondcorp v0.5.0/go.mod h1:uFqj9X+dSfrheVp7ssLTaRHd2EHqSL4QZmH4e8WXGGU=
-cloud.google.com/go/beyondcorp v0.6.1/go.mod h1:YhxDWw946SCbmcWo3fAhw3V4XZMSpQ/VYfcKGAEU8/4=
-cloud.google.com/go/beyondcorp v1.0.0/go.mod h1:YhxDWw946SCbmcWo3fAhw3V4XZMSpQ/VYfcKGAEU8/4=
-cloud.google.com/go/beyondcorp v1.0.1/go.mod h1:zl/rWWAFVeV+kx+X2Javly7o1EIQThU4WlkynffL/lk=
-cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
-cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
-cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
-cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
-cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
-cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
-cloud.google.com/go/bigquery v1.42.0/go.mod h1:8dRTJxhtG+vwBKzE5OseQn/hiydoQN3EedCaOdYmxRA=
-cloud.google.com/go/bigquery v1.43.0/go.mod h1:ZMQcXHsl+xmU1z36G2jNGZmKp9zNY5BUua5wDgmNCfw=
-cloud.google.com/go/bigquery v1.44.0/go.mod h1:0Y33VqXTEsbamHJvJHdFmtqHvMIY28aK1+dFsvaChGc=
-cloud.google.com/go/bigquery v1.47.0/go.mod h1:sA9XOgy0A8vQK9+MWhEQTY6Tix87M/ZurWFIxmF9I/E=
-cloud.google.com/go/bigquery v1.48.0/go.mod h1:QAwSz+ipNgfL5jxiaK7weyOhzdoAy1zFm0Nf1fysJac=
-cloud.google.com/go/bigquery v1.49.0/go.mod h1:Sv8hMmTFFYBlt/ftw2uN6dFdQPzBlREY9yBh7Oy7/4Q=
-cloud.google.com/go/bigquery v1.50.0/go.mod h1:YrleYEh2pSEbgTBZYMJ5SuSr0ML3ypjRB1zgf7pvQLU=
-cloud.google.com/go/bigquery v1.52.0/go.mod h1:3b/iXjRQGU4nKa87cXeg6/gogLjO8C6PmuM8i5Bi/u4=
-cloud.google.com/go/bigquery v1.53.0/go.mod h1:3b/iXjRQGU4nKa87cXeg6/gogLjO8C6PmuM8i5Bi/u4=
-cloud.google.com/go/bigquery v1.55.0/go.mod h1:9Y5I3PN9kQWuid6183JFhOGOW3GcirA5LpsKCUn+2ec=
-cloud.google.com/go/bigquery v1.56.0/go.mod h1:KDcsploXTEY7XT3fDQzMUZlpQLHzE4itubHrnmhUrZA=
-cloud.google.com/go/billing v1.4.0/go.mod h1:g9IdKBEFlItS8bTtlrZdVLWSSdSyFUZKXNS02zKMOZY=
-cloud.google.com/go/billing v1.5.0/go.mod h1:mztb1tBc3QekhjSgmpf/CV4LzWXLzCArwpLmP2Gm88s=
-cloud.google.com/go/billing v1.6.0/go.mod h1:WoXzguj+BeHXPbKfNWkqVtDdzORazmCjraY+vrxcyvI=
-cloud.google.com/go/billing v1.7.0/go.mod h1:q457N3Hbj9lYwwRbnlD7vUpyjq6u5U1RAOArInEiD5Y=
-cloud.google.com/go/billing v1.12.0/go.mod h1:yKrZio/eu+okO/2McZEbch17O5CB5NpZhhXG6Z766ss=
-cloud.google.com/go/billing v1.13.0/go.mod h1:7kB2W9Xf98hP9Sr12KfECgfGclsH3CQR0R08tnRlRbc=
-cloud.google.com/go/billing v1.16.0/go.mod h1:y8vx09JSSJG02k5QxbycNRrN7FGZB6F3CAcgum7jvGA=
-cloud.google.com/go/billing v1.17.0/go.mod h1:Z9+vZXEq+HwH7bhJkyI4OQcR6TSbeMrjlpEjO2vzY64=
-cloud.google.com/go/billing v1.17.2/go.mod h1:u/AdV/3wr3xoRBk5xvUzYMS1IawOAPwQMuHgHMdljDg=
-cloud.google.com/go/binaryauthorization v1.1.0/go.mod h1:xwnoWu3Y84jbuHa0zd526MJYmtnVXn0syOjaJgy4+dM=
-cloud.google.com/go/binaryauthorization v1.2.0/go.mod h1:86WKkJHtRcv5ViNABtYMhhNWRrD1Vpi//uKEy7aYEfI=
-cloud.google.com/go/binaryauthorization v1.3.0/go.mod h1:lRZbKgjDIIQvzYQS1p99A7/U1JqvqeZg0wiI5tp6tg0=
-cloud.google.com/go/binaryauthorization v1.4.0/go.mod h1:tsSPQrBd77VLplV70GUhBf/Zm3FsKmgSqgm4UmiDItk=
-cloud.google.com/go/binaryauthorization v1.5.0/go.mod h1:OSe4OU1nN/VswXKRBmciKpo9LulY41gch5c68htf3/Q=
-cloud.google.com/go/binaryauthorization v1.6.1/go.mod h1:TKt4pa8xhowwffiBmbrbcxijJRZED4zrqnwZ1lKH51U=
-cloud.google.com/go/binaryauthorization v1.7.0/go.mod h1:Zn+S6QqTMn6odcMU1zDZCJxPjU2tZPV1oDl45lWY154=
-cloud.google.com/go/binaryauthorization v1.7.1/go.mod h1:GTAyfRWYgcbsP3NJogpV3yeunbUIjx2T9xVeYovtURE=
-cloud.google.com/go/certificatemanager v1.3.0/go.mod h1:n6twGDvcUBFu9uBgt4eYvvf3sQ6My8jADcOVwHmzadg=
-cloud.google.com/go/certificatemanager v1.4.0/go.mod h1:vowpercVFyqs8ABSmrdV+GiFf2H/ch3KyudYQEMM590=
-cloud.google.com/go/certificatemanager v1.6.0/go.mod h1:3Hh64rCKjRAX8dXgRAyOcY5vQ/fE1sh8o+Mdd6KPgY8=
-cloud.google.com/go/certificatemanager v1.7.1/go.mod h1:iW8J3nG6SaRYImIa+wXQ0g8IgoofDFRp5UMzaNk1UqI=
-cloud.google.com/go/certificatemanager v1.7.2/go.mod h1:15SYTDQMd00kdoW0+XY5d9e+JbOPjp24AvF48D8BbcQ=
-cloud.google.com/go/channel v1.8.0/go.mod h1:W5SwCXDJsq/rg3tn3oG0LOxpAo6IMxNa09ngphpSlnk=
-cloud.google.com/go/channel v1.9.0/go.mod h1:jcu05W0my9Vx4mt3/rEHpfxc9eKi9XwsdDL8yBMbKUk=
-cloud.google.com/go/channel v1.11.0/go.mod h1:IdtI0uWGqhEeatSB62VOoJ8FSUhJ9/+iGkJVqp74CGE=
-cloud.google.com/go/channel v1.12.0/go.mod h1:VkxCGKASi4Cq7TbXxlaBezonAYpp1GCnKMY6tnMQnLU=
-cloud.google.com/go/channel v1.16.0/go.mod h1:eN/q1PFSl5gyu0dYdmxNXscY/4Fi7ABmeHCJNf/oHmc=
-cloud.google.com/go/channel v1.17.0/go.mod h1:RpbhJsGi/lXWAUM1eF4IbQGbsfVlg2o8Iiy2/YLfVT0=
-cloud.google.com/go/channel v1.17.1/go.mod h1:xqfzcOZAcP4b/hUDH0GkGg1Sd5to6di1HOJn/pi5uBQ=
-cloud.google.com/go/cloudbuild v1.3.0/go.mod h1:WequR4ULxlqvMsjDEEEFnOG5ZSRSgWOywXYDb1vPE6U=
-cloud.google.com/go/cloudbuild v1.4.0/go.mod h1:5Qwa40LHiOXmz3386FrjrYM93rM/hdRr7b53sySrTqA=
-cloud.google.com/go/cloudbuild v1.6.0/go.mod h1:UIbc/w9QCbH12xX+ezUsgblrWv+Cv4Tw83GiSMHOn9M=
-cloud.google.com/go/cloudbuild v1.7.0/go.mod h1:zb5tWh2XI6lR9zQmsm1VRA+7OCuve5d8S+zJUul8KTg=
-cloud.google.com/go/cloudbuild v1.9.0/go.mod h1:qK1d7s4QlO0VwfYn5YuClDGg2hfmLZEb4wQGAbIgL1s=
-cloud.google.com/go/cloudbuild v1.10.1/go.mod h1:lyJg7v97SUIPq4RC2sGsz/9tNczhyv2AjML/ci4ulzU=
-cloud.google.com/go/cloudbuild v1.13.0/go.mod h1:lyJg7v97SUIPq4RC2sGsz/9tNczhyv2AjML/ci4ulzU=
-cloud.google.com/go/cloudbuild v1.14.0/go.mod h1:lyJg7v97SUIPq4RC2sGsz/9tNczhyv2AjML/ci4ulzU=
-cloud.google.com/go/cloudbuild v1.14.1/go.mod h1:K7wGc/3zfvmYWOWwYTgF/d/UVJhS4pu+HAy7PL7mCsU=
-cloud.google.com/go/clouddms v1.3.0/go.mod h1:oK6XsCDdW4Ib3jCCBugx+gVjevp2TMXFtgxvPSee3OM=
-cloud.google.com/go/clouddms v1.4.0/go.mod h1:Eh7sUGCC+aKry14O1NRljhjyrr0NFC0G2cjwX0cByRk=
-cloud.google.com/go/clouddms v1.5.0/go.mod h1:QSxQnhikCLUw13iAbffF2CZxAER3xDGNHjsTAkQJcQA=
-cloud.google.com/go/clouddms v1.6.1/go.mod h1:Ygo1vL52Ov4TBZQquhz5fiw2CQ58gvu+PlS6PVXCpZI=
-cloud.google.com/go/clouddms v1.7.0/go.mod h1:MW1dC6SOtI/tPNCciTsXtsGNEM0i0OccykPvv3hiYeM=
-cloud.google.com/go/clouddms v1.7.1/go.mod h1:o4SR8U95+P7gZ/TX+YbJxehOCsM+fe6/brlrFquiszk=
-cloud.google.com/go/cloudsqlconn v1.4.3 h1:/WYFbB1NtMtoMxCbqpzzTFPDkxxlLTPme390KEGaEPc=
-cloud.google.com/go/cloudsqlconn v1.4.3/go.mod h1:QL3tuStVOO70txb3rs4G8j5uMfo5ztZii8K3oGD3VYA=
-cloud.google.com/go/cloudtasks v1.5.0/go.mod h1:fD92REy1x5woxkKEkLdvavGnPJGEn8Uic9nWuLzqCpY=
-cloud.google.com/go/cloudtasks v1.6.0/go.mod h1:C6Io+sxuke9/KNRkbQpihnW93SWDU3uXt92nu85HkYI=
-cloud.google.com/go/cloudtasks v1.7.0/go.mod h1:ImsfdYWwlWNJbdgPIIGJWC+gemEGTBK/SunNQQNCAb4=
-cloud.google.com/go/cloudtasks v1.8.0/go.mod h1:gQXUIwCSOI4yPVK7DgTVFiiP0ZW/eQkydWzwVMdHxrI=
-cloud.google.com/go/cloudtasks v1.9.0/go.mod h1:w+EyLsVkLWHcOaqNEyvcKAsWp9p29dL6uL9Nst1cI7Y=
-cloud.google.com/go/cloudtasks v1.10.0/go.mod h1:NDSoTLkZ3+vExFEWu2UJV1arUyzVDAiZtdWcsUyNwBs=
-cloud.google.com/go/cloudtasks v1.11.1/go.mod h1:a9udmnou9KO2iulGscKR0qBYjreuX8oHwpmFsKspEvM=
-cloud.google.com/go/cloudtasks v1.12.1/go.mod h1:a9udmnou9KO2iulGscKR0qBYjreuX8oHwpmFsKspEvM=
-cloud.google.com/go/cloudtasks v1.12.2/go.mod h1:A7nYkjNlW2gUoROg1kvJrQGhJP/38UaWwsnuBDOBVUk=
-cloud.google.com/go/compute v0.1.0/go.mod h1:GAesmwr110a34z04OlxYkATPBEfVhkymfTBXtfbBFow=
-cloud.google.com/go/compute v1.3.0/go.mod h1:cCZiE1NHEtai4wiufUhW8I8S1JKkAnhnQJWM7YD99wM=
-cloud.google.com/go/compute v1.5.0/go.mod h1:9SMHyhJlzhlkJqrPAc839t2BZFTSk6Jdj6mkzQJeu0M=
-cloud.google.com/go/compute v1.6.0/go.mod h1:T29tfhtVbq1wvAPo0E3+7vhgmkOYeXjhFvz/FMzPu0s=
-cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU=
-cloud.google.com/go/compute v1.7.0/go.mod h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U=
-cloud.google.com/go/compute v1.10.0/go.mod h1:ER5CLbMxl90o2jtNbGSbtfOpQKR0t15FOtRsugnLrlU=
-cloud.google.com/go/compute v1.12.0/go.mod h1:e8yNOBcBONZU1vJKCvCoDw/4JQsA0dpM4x/6PIIOocU=
-cloud.google.com/go/compute v1.12.1/go.mod h1:e8yNOBcBONZU1vJKCvCoDw/4JQsA0dpM4x/6PIIOocU=
-cloud.google.com/go/compute v1.13.0/go.mod h1:5aPTS0cUNMIc1CE546K+Th6weJUNQErARyZtRXDJ8GE=
-cloud.google.com/go/compute v1.14.0/go.mod h1:YfLtxrj9sU4Yxv+sXzZkyPjEyPBZfXHUvjxega5vAdo=
-cloud.google.com/go/compute v1.15.1/go.mod h1:bjjoF/NtFUrkD/urWfdHaKuOPDR5nWIs63rR+SXhcpA=
-cloud.google.com/go/compute v1.18.0/go.mod h1:1X7yHxec2Ga+Ss6jPyjxRxpu2uu7PLgsOVXvgU0yacs=
-cloud.google.com/go/compute v1.19.0/go.mod h1:rikpw2y+UMidAe9tISo04EHNOIf42RLYF/q8Bs93scU=
-cloud.google.com/go/compute v1.19.1/go.mod h1:6ylj3a05WF8leseCdIf77NK0g1ey+nj5IKd5/kvShxE=
-cloud.google.com/go/compute v1.19.3/go.mod h1:qxvISKp/gYnXkSAD1ppcSOveRAmzxicEv/JlizULFrI=
-cloud.google.com/go/compute v1.20.1/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM=
-cloud.google.com/go/compute v1.21.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM=
-cloud.google.com/go/compute v1.23.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM=
-cloud.google.com/go/compute v1.23.1 h1:V97tBoDaZHb6leicZ1G6DLK2BAaZLJ/7+9BB/En3hR0=
-cloud.google.com/go/compute v1.23.1/go.mod h1:CqB3xpmPKKt3OJpW2ndFIXnA9A4xAy/F3Xp1ixncW78=
-cloud.google.com/go/compute/metadata v0.1.0/go.mod h1:Z1VN+bulIf6bt4P/C37K4DyZYZEXYonfTBHHFPO/4UU=
-cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
-cloud.google.com/go/compute/metadata v0.2.1/go.mod h1:jgHgmJd2RKBGzXqF5LR2EZMGxBkeanZ9wwa75XHJgOM=
-cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
-cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
-cloud.google.com/go/contactcenterinsights v1.3.0/go.mod h1:Eu2oemoePuEFc/xKFPjbTuPSj0fYJcPls9TFlPNnHHY=
-cloud.google.com/go/contactcenterinsights v1.4.0/go.mod h1:L2YzkGbPsv+vMQMCADxJoT9YiTTnSEd6fEvCeHTYVck=
-cloud.google.com/go/contactcenterinsights v1.6.0/go.mod h1:IIDlT6CLcDoyv79kDv8iWxMSTZhLxSCofVV5W6YFM/w=
-cloud.google.com/go/contactcenterinsights v1.9.1/go.mod h1:bsg/R7zGLYMVxFFzfh9ooLTruLRCG9fnzhH9KznHhbM=
-cloud.google.com/go/contactcenterinsights v1.10.0/go.mod h1:bsg/R7zGLYMVxFFzfh9ooLTruLRCG9fnzhH9KznHhbM=
-cloud.google.com/go/contactcenterinsights v1.11.1/go.mod h1:FeNP3Kg8iteKM80lMwSk3zZZKVxr+PGnAId6soKuXwE=
-cloud.google.com/go/container v1.6.0/go.mod h1:Xazp7GjJSeUYo688S+6J5V+n/t+G5sKBTFkKNudGRxg=
-cloud.google.com/go/container v1.7.0/go.mod h1:Dp5AHtmothHGX3DwwIHPgq45Y8KmNsgN3amoYfxVkLo=
-cloud.google.com/go/container v1.13.1/go.mod h1:6wgbMPeQRw9rSnKBCAJXnds3Pzj03C4JHamr8asWKy4=
-cloud.google.com/go/container v1.14.0/go.mod h1:3AoJMPhHfLDxLvrlVWaK57IXzaPnLaZq63WX59aQBfM=
-cloud.google.com/go/container v1.15.0/go.mod h1:ft+9S0WGjAyjDggg5S06DXj+fHJICWg8L7isCQe9pQA=
-cloud.google.com/go/container v1.22.1/go.mod h1:lTNExE2R7f+DLbAN+rJiKTisauFCaoDq6NURZ83eVH4=
-cloud.google.com/go/container v1.24.0/go.mod h1:lTNExE2R7f+DLbAN+rJiKTisauFCaoDq6NURZ83eVH4=
-cloud.google.com/go/container v1.26.0/go.mod h1:YJCmRet6+6jnYYRS000T6k0D0xUXQgBSaJ7VwI8FBj4=
-cloud.google.com/go/container v1.26.1/go.mod h1:5smONjPRUxeEpDG7bMKWfDL4sauswqEtnBK1/KKpR04=
-cloud.google.com/go/containeranalysis v0.5.1/go.mod h1:1D92jd8gRR/c0fGMlymRgxWD3Qw9C1ff6/T7mLgVL8I=
-cloud.google.com/go/containeranalysis v0.6.0/go.mod h1:HEJoiEIu+lEXM+k7+qLCci0h33lX3ZqoYFdmPcoO7s4=
-cloud.google.com/go/containeranalysis v0.7.0/go.mod h1:9aUL+/vZ55P2CXfuZjS4UjQ9AgXoSw8Ts6lemfmxBxI=
-cloud.google.com/go/containeranalysis v0.9.0/go.mod h1:orbOANbwk5Ejoom+s+DUCTTJ7IBdBQJDcSylAx/on9s=
-cloud.google.com/go/containeranalysis v0.10.1/go.mod h1:Ya2jiILITMY68ZLPaogjmOMNkwsDrWBSTyBubGXO7j0=
-cloud.google.com/go/containeranalysis v0.11.0/go.mod h1:4n2e99ZwpGxpNcz+YsFT1dfOHPQFGcAC8FN2M2/ne/U=
-cloud.google.com/go/containeranalysis v0.11.1/go.mod h1:rYlUOM7nem1OJMKwE1SadufX0JP3wnXj844EtZAwWLY=
-cloud.google.com/go/datacatalog v1.3.0/go.mod h1:g9svFY6tuR+j+hrTw3J2dNcmI0dzmSiyOzm8kpLq0a0=
-cloud.google.com/go/datacatalog v1.5.0/go.mod h1:M7GPLNQeLfWqeIm3iuiruhPzkt65+Bx8dAKvScX8jvs=
-cloud.google.com/go/datacatalog v1.6.0/go.mod h1:+aEyF8JKg+uXcIdAmmaMUmZ3q1b/lKLtXCmXdnc0lbc=
-cloud.google.com/go/datacatalog v1.7.0/go.mod h1:9mEl4AuDYWw81UGc41HonIHH7/sn52H0/tc8f8ZbZIE=
-cloud.google.com/go/datacatalog v1.8.0/go.mod h1:KYuoVOv9BM8EYz/4eMFxrr4DUKhGIOXxZoKYF5wdISM=
-cloud.google.com/go/datacatalog v1.8.1/go.mod h1:RJ58z4rMp3gvETA465Vg+ag8BGgBdnRPEMMSTr5Uv+M=
-cloud.google.com/go/datacatalog v1.12.0/go.mod h1:CWae8rFkfp6LzLumKOnmVh4+Zle4A3NXLzVJ1d1mRm0=
-cloud.google.com/go/datacatalog v1.13.0/go.mod h1:E4Rj9a5ZtAxcQJlEBTLgMTphfP11/lNaAshpoBgemX8=
-cloud.google.com/go/datacatalog v1.14.0/go.mod h1:h0PrGtlihoutNMp/uvwhawLQ9+c63Kz65UFqh49Yo+E=
-cloud.google.com/go/datacatalog v1.14.1/go.mod h1:d2CevwTG4yedZilwe+v3E3ZBDRMobQfSG/a6cCCN5R4=
-cloud.google.com/go/datacatalog v1.16.0/go.mod h1:d2CevwTG4yedZilwe+v3E3ZBDRMobQfSG/a6cCCN5R4=
-cloud.google.com/go/datacatalog v1.17.1/go.mod h1:nCSYFHgtxh2MiEktWIz71s/X+7ds/UT9kp0PC7waCzE=
-cloud.google.com/go/datacatalog v1.18.1/go.mod h1:TzAWaz+ON1tkNr4MOcak8EBHX7wIRX/gZKM+yTVsv+A=
-cloud.google.com/go/dataflow v0.6.0/go.mod h1:9QwV89cGoxjjSR9/r7eFDqqjtvbKxAK2BaYU6PVk9UM=
-cloud.google.com/go/dataflow v0.7.0/go.mod h1:PX526vb4ijFMesO1o202EaUmouZKBpjHsTlCtB4parQ=
-cloud.google.com/go/dataflow v0.8.0/go.mod h1:Rcf5YgTKPtQyYz8bLYhFoIV/vP39eL7fWNcSOyFfLJE=
-cloud.google.com/go/dataflow v0.9.1/go.mod h1:Wp7s32QjYuQDWqJPFFlnBKhkAtiFpMTdg00qGbnIHVw=
-cloud.google.com/go/dataflow v0.9.2/go.mod h1:vBfdBZ/ejlTaYIGB3zB4T08UshH70vbtZeMD+urnUSo=
-cloud.google.com/go/dataform v0.3.0/go.mod h1:cj8uNliRlHpa6L3yVhDOBrUXH+BPAO1+KFMQQNSThKo=
-cloud.google.com/go/dataform v0.4.0/go.mod h1:fwV6Y4Ty2yIFL89huYlEkwUPtS7YZinZbzzj5S9FzCE=
-cloud.google.com/go/dataform v0.5.0/go.mod h1:GFUYRe8IBa2hcomWplodVmUx/iTL0FrsauObOM3Ipr0=
-cloud.google.com/go/dataform v0.6.0/go.mod h1:QPflImQy33e29VuapFdf19oPbE4aYTJxr31OAPV+ulA=
-cloud.google.com/go/dataform v0.7.0/go.mod h1:7NulqnVozfHvWUBpMDfKMUESr+85aJsC/2O0o3jWPDE=
-cloud.google.com/go/dataform v0.8.1/go.mod h1:3BhPSiw8xmppbgzeBbmDvmSWlwouuJkXsXsb8UBih9M=
-cloud.google.com/go/dataform v0.8.2/go.mod h1:X9RIqDs6NbGPLR80tnYoPNiO1w0wenKTb8PxxlhTMKM=
-cloud.google.com/go/datafusion v1.4.0/go.mod h1:1Zb6VN+W6ALo85cXnM1IKiPw+yQMKMhB9TsTSRDo/38=
-cloud.google.com/go/datafusion v1.5.0/go.mod h1:Kz+l1FGHB0J+4XF2fud96WMmRiq/wj8N9u007vyXZ2w=
-cloud.google.com/go/datafusion v1.6.0/go.mod h1:WBsMF8F1RhSXvVM8rCV3AeyWVxcC2xY6vith3iw3S+8=
-cloud.google.com/go/datafusion v1.7.1/go.mod h1:KpoTBbFmoToDExJUso/fcCiguGDk7MEzOWXUsJo0wsI=
-cloud.google.com/go/datafusion v1.7.2/go.mod h1:62K2NEC6DRlpNmI43WHMWf9Vg/YvN6QVi8EVwifElI0=
-cloud.google.com/go/datalabeling v0.5.0/go.mod h1:TGcJ0G2NzcsXSE/97yWjIZO0bXj0KbVlINXMG9ud42I=
-cloud.google.com/go/datalabeling v0.6.0/go.mod h1:WqdISuk/+WIGeMkpw/1q7bK/tFEZxsrFJOJdY2bXvTQ=
-cloud.google.com/go/datalabeling v0.7.0/go.mod h1:WPQb1y08RJbmpM3ww0CSUAGweL0SxByuW2E+FU+wXcM=
-cloud.google.com/go/datalabeling v0.8.1/go.mod h1:XS62LBSVPbYR54GfYQsPXZjTW8UxCK2fkDciSrpRFdY=
-cloud.google.com/go/datalabeling v0.8.2/go.mod h1:cyDvGHuJWu9U/cLDA7d8sb9a0tWLEletStu2sTmg3BE=
-cloud.google.com/go/dataplex v1.3.0/go.mod h1:hQuRtDg+fCiFgC8j0zV222HvzFQdRd+SVX8gdmFcZzA=
-cloud.google.com/go/dataplex v1.4.0/go.mod h1:X51GfLXEMVJ6UN47ESVqvlsRplbLhcsAt0kZCCKsU0A=
-cloud.google.com/go/dataplex v1.5.2/go.mod h1:cVMgQHsmfRoI5KFYq4JtIBEUbYwc3c7tXmIDhRmNNVQ=
-cloud.google.com/go/dataplex v1.6.0/go.mod h1:bMsomC/aEJOSpHXdFKFGQ1b0TDPIeL28nJObeO1ppRs=
-cloud.google.com/go/dataplex v1.8.1/go.mod h1:7TyrDT6BCdI8/38Uvp0/ZxBslOslP2X2MPDucliyvSE=
-cloud.google.com/go/dataplex v1.9.0/go.mod h1:7TyrDT6BCdI8/38Uvp0/ZxBslOslP2X2MPDucliyvSE=
-cloud.google.com/go/dataplex v1.9.1/go.mod h1:7TyrDT6BCdI8/38Uvp0/ZxBslOslP2X2MPDucliyvSE=
-cloud.google.com/go/dataplex v1.10.1/go.mod h1:1MzmBv8FvjYfc7vDdxhnLFNskikkB+3vl475/XdCDhs=
-cloud.google.com/go/dataproc v1.7.0/go.mod h1:CKAlMjII9H90RXaMpSxQ8EU6dQx6iAYNPcYPOkSbi8s=
-cloud.google.com/go/dataproc v1.8.0/go.mod h1:5OW+zNAH0pMpw14JVrPONsxMQYMBqJuzORhIBfBn9uI=
-cloud.google.com/go/dataproc v1.12.0/go.mod h1:zrF3aX0uV3ikkMz6z4uBbIKyhRITnxvr4i3IjKsKrw4=
-cloud.google.com/go/dataproc/v2 v2.0.1/go.mod h1:7Ez3KRHdFGcfY7GcevBbvozX+zyWGcwLJvvAMwCaoZ4=
-cloud.google.com/go/dataproc/v2 v2.2.0/go.mod h1:lZR7AQtwZPvmINx5J87DSOOpTfof9LVZju6/Qo4lmcY=
-cloud.google.com/go/dataproc/v2 v2.2.1/go.mod h1:QdAJLaBjh+l4PVlVZcmrmhGccosY/omC1qwfQ61Zv/o=
-cloud.google.com/go/dataqna v0.5.0/go.mod h1:90Hyk596ft3zUQ8NkFfvICSIfHFh1Bc7C4cK3vbhkeo=
-cloud.google.com/go/dataqna v0.6.0/go.mod h1:1lqNpM7rqNLVgWBJyk5NF6Uen2PHym0jtVJonplVsDA=
-cloud.google.com/go/dataqna v0.7.0/go.mod h1:Lx9OcIIeqCrw1a6KdO3/5KMP1wAmTc0slZWwP12Qq3c=
-cloud.google.com/go/dataqna v0.8.1/go.mod h1:zxZM0Bl6liMePWsHA8RMGAfmTG34vJMapbHAxQ5+WA8=
-cloud.google.com/go/dataqna v0.8.2/go.mod h1:KNEqgx8TTmUipnQsScOoDpq/VlXVptUqVMZnt30WAPs=
-cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
-cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
-cloud.google.com/go/datastore v1.10.0/go.mod h1:PC5UzAmDEkAmkfaknstTYbNpgE49HAgW2J1gcgUfmdM=
-cloud.google.com/go/datastore v1.11.0/go.mod h1:TvGxBIHCS50u8jzG+AW/ppf87v1of8nwzFNgEZU1D3c=
-cloud.google.com/go/datastore v1.12.0/go.mod h1:KjdB88W897MRITkvWWJrg2OUtrR5XVj1EoLgSp6/N70=
-cloud.google.com/go/datastore v1.12.1/go.mod h1:KjdB88W897MRITkvWWJrg2OUtrR5XVj1EoLgSp6/N70=
-cloud.google.com/go/datastore v1.13.0/go.mod h1:KjdB88W897MRITkvWWJrg2OUtrR5XVj1EoLgSp6/N70=
-cloud.google.com/go/datastore v1.14.0/go.mod h1:GAeStMBIt9bPS7jMJA85kgkpsMkvseWWXiaHya9Jes8=
-cloud.google.com/go/datastore v1.15.0/go.mod h1:GAeStMBIt9bPS7jMJA85kgkpsMkvseWWXiaHya9Jes8=
-cloud.google.com/go/datastream v1.2.0/go.mod h1:i/uTP8/fZwgATHS/XFu0TcNUhuA0twZxxQ3EyCUQMwo=
-cloud.google.com/go/datastream v1.3.0/go.mod h1:cqlOX8xlyYF/uxhiKn6Hbv6WjwPPuI9W2M9SAXwaLLQ=
-cloud.google.com/go/datastream v1.4.0/go.mod h1:h9dpzScPhDTs5noEMQVWP8Wx8AFBRyS0s8KWPx/9r0g=
-cloud.google.com/go/datastream v1.5.0/go.mod h1:6TZMMNPwjUqZHBKPQ1wwXpb0d5VDVPl2/XoS5yi88q4=
-cloud.google.com/go/datastream v1.6.0/go.mod h1:6LQSuswqLa7S4rPAOZFVjHIG3wJIjZcZrw8JDEDJuIs=
-cloud.google.com/go/datastream v1.7.0/go.mod h1:uxVRMm2elUSPuh65IbZpzJNMbuzkcvu5CjMqVIUHrww=
-cloud.google.com/go/datastream v1.9.1/go.mod h1:hqnmr8kdUBmrnk65k5wNRoHSCYksvpdZIcZIEl8h43Q=
-cloud.google.com/go/datastream v1.10.0/go.mod h1:hqnmr8kdUBmrnk65k5wNRoHSCYksvpdZIcZIEl8h43Q=
-cloud.google.com/go/datastream v1.10.1/go.mod h1:7ngSYwnw95YFyTd5tOGBxHlOZiL+OtpjheqU7t2/s/c=
-cloud.google.com/go/deploy v1.4.0/go.mod h1:5Xghikd4VrmMLNaF6FiRFDlHb59VM59YoDQnOUdsH/c=
-cloud.google.com/go/deploy v1.5.0/go.mod h1:ffgdD0B89tToyW/U/D2eL0jN2+IEV/3EMuXHA0l4r+s=
-cloud.google.com/go/deploy v1.6.0/go.mod h1:f9PTHehG/DjCom3QH0cntOVRm93uGBDt2vKzAPwpXQI=
-cloud.google.com/go/deploy v1.8.0/go.mod h1:z3myEJnA/2wnB4sgjqdMfgxCA0EqC3RBTNcVPs93mtQ=
-cloud.google.com/go/deploy v1.11.0/go.mod h1:tKuSUV5pXbn67KiubiUNUejqLs4f5cxxiCNCeyl0F2g=
-cloud.google.com/go/deploy v1.13.0/go.mod h1:tKuSUV5pXbn67KiubiUNUejqLs4f5cxxiCNCeyl0F2g=
-cloud.google.com/go/deploy v1.13.1/go.mod h1:8jeadyLkH9qu9xgO3hVWw8jVr29N1mnW42gRJT8GY6g=
-cloud.google.com/go/dialogflow v1.15.0/go.mod h1:HbHDWs33WOGJgn6rfzBW1Kv807BE3O1+xGbn59zZWI4=
-cloud.google.com/go/dialogflow v1.16.1/go.mod h1:po6LlzGfK+smoSmTBnbkIZY2w8ffjz/RcGSS+sh1el0=
-cloud.google.com/go/dialogflow v1.17.0/go.mod h1:YNP09C/kXA1aZdBgC/VtXX74G/TKn7XVCcVumTflA+8=
-cloud.google.com/go/dialogflow v1.18.0/go.mod h1:trO7Zu5YdyEuR+BhSNOqJezyFQ3aUzz0njv7sMx/iek=
-cloud.google.com/go/dialogflow v1.19.0/go.mod h1:JVmlG1TwykZDtxtTXujec4tQ+D8SBFMoosgy+6Gn0s0=
-cloud.google.com/go/dialogflow v1.29.0/go.mod h1:b+2bzMe+k1s9V+F2jbJwpHPzrnIyHihAdRFMtn2WXuM=
-cloud.google.com/go/dialogflow v1.31.0/go.mod h1:cuoUccuL1Z+HADhyIA7dci3N5zUssgpBJmCzI6fNRB4=
-cloud.google.com/go/dialogflow v1.32.0/go.mod h1:jG9TRJl8CKrDhMEcvfcfFkkpp8ZhgPz3sBGmAUYJ2qE=
-cloud.google.com/go/dialogflow v1.38.0/go.mod h1:L7jnH+JL2mtmdChzAIcXQHXMvQkE3U4hTaNltEuxXn4=
-cloud.google.com/go/dialogflow v1.40.0/go.mod h1:L7jnH+JL2mtmdChzAIcXQHXMvQkE3U4hTaNltEuxXn4=
-cloud.google.com/go/dialogflow v1.43.0/go.mod h1:pDUJdi4elL0MFmt1REMvFkdsUTYSHq+rTCS8wg0S3+M=
-cloud.google.com/go/dialogflow v1.44.1/go.mod h1:n/h+/N2ouKOO+rbe/ZnI186xImpqvCVj2DdsWS/0EAk=
-cloud.google.com/go/dlp v1.6.0/go.mod h1:9eyB2xIhpU0sVwUixfBubDoRwP+GjeUoxxeueZmqvmM=
-cloud.google.com/go/dlp v1.7.0/go.mod h1:68ak9vCiMBjbasxeVD17hVPxDEck+ExiHavX8kiHG+Q=
-cloud.google.com/go/dlp v1.9.0/go.mod h1:qdgmqgTyReTz5/YNSSuueR8pl7hO0o9bQ39ZhtgkWp4=
-cloud.google.com/go/dlp v1.10.1/go.mod h1:IM8BWz1iJd8njcNcG0+Kyd9OPnqnRNkDV8j42VT5KOI=
-cloud.google.com/go/dlp v1.10.2/go.mod h1:ZbdKIhcnyhILgccwVDzkwqybthh7+MplGC3kZVZsIOQ=
-cloud.google.com/go/documentai v1.7.0/go.mod h1:lJvftZB5NRiFSX4moiye1SMxHx0Bc3x1+p9e/RfXYiU=
-cloud.google.com/go/documentai v1.8.0/go.mod h1:xGHNEB7CtsnySCNrCFdCyyMz44RhFEEX2Q7UD0c5IhU=
-cloud.google.com/go/documentai v1.9.0/go.mod h1:FS5485S8R00U10GhgBC0aNGrJxBP8ZVpEeJ7PQDZd6k=
-cloud.google.com/go/documentai v1.10.0/go.mod h1:vod47hKQIPeCfN2QS/jULIvQTugbmdc0ZvxxfQY1bg4=
-cloud.google.com/go/documentai v1.16.0/go.mod h1:o0o0DLTEZ+YnJZ+J4wNfTxmDVyrkzFvttBXXtYRMHkM=
-cloud.google.com/go/documentai v1.18.0/go.mod h1:F6CK6iUH8J81FehpskRmhLq/3VlwQvb7TvwOceQ2tbs=
-cloud.google.com/go/documentai v1.20.0/go.mod h1:yJkInoMcK0qNAEdRnqY/D5asy73tnPe88I1YTZT+a8E=
-cloud.google.com/go/documentai v1.22.0/go.mod h1:yJkInoMcK0qNAEdRnqY/D5asy73tnPe88I1YTZT+a8E=
-cloud.google.com/go/documentai v1.22.1/go.mod h1:LKs22aDHbJv7ufXuPypzRO7rG3ALLJxzdCXDPutw4Qc=
-cloud.google.com/go/documentai v1.23.2/go.mod h1:Q/wcRT+qnuXOpjAkvOV4A+IeQl04q2/ReT7SSbytLSo=
-cloud.google.com/go/domains v0.6.0/go.mod h1:T9Rz3GasrpYk6mEGHh4rymIhjlnIuB4ofT1wTxDeT4Y=
-cloud.google.com/go/domains v0.7.0/go.mod h1:PtZeqS1xjnXuRPKE/88Iru/LdfoRyEHYA9nFQf4UKpg=
-cloud.google.com/go/domains v0.8.0/go.mod h1:M9i3MMDzGFXsydri9/vW+EWz9sWb4I6WyHqdlAk0idE=
-cloud.google.com/go/domains v0.9.1/go.mod h1:aOp1c0MbejQQ2Pjf1iJvnVyT+z6R6s8pX66KaCSDYfE=
-cloud.google.com/go/domains v0.9.2/go.mod h1:3YvXGYzZG1Temjbk7EyGCuGGiXHJwVNmwIf+E/cUp5I=
-cloud.google.com/go/edgecontainer v0.1.0/go.mod h1:WgkZ9tp10bFxqO8BLPqv2LlfmQF1X8lZqwW4r1BTajk=
-cloud.google.com/go/edgecontainer v0.2.0/go.mod h1:RTmLijy+lGpQ7BXuTDa4C4ssxyXT34NIuHIgKuP4s5w=
-cloud.google.com/go/edgecontainer v0.3.0/go.mod h1:FLDpP4nykgwwIfcLt6zInhprzw0lEi2P1fjO6Ie0qbc=
-cloud.google.com/go/edgecontainer v1.0.0/go.mod h1:cttArqZpBB2q58W/upSG++ooo6EsblxDIolxa3jSjbY=
-cloud.google.com/go/edgecontainer v1.1.1/go.mod h1:O5bYcS//7MELQZs3+7mabRqoWQhXCzenBu0R8bz2rwk=
-cloud.google.com/go/edgecontainer v1.1.2/go.mod h1:wQRjIzqxEs9e9wrtle4hQPSR1Y51kqN75dgF7UllZZ4=
-cloud.google.com/go/errorreporting v0.3.0/go.mod h1:xsP2yaAp+OAW4OIm60An2bbLpqIhKXdWR/tawvl7QzU=
-cloud.google.com/go/essentialcontacts v1.3.0/go.mod h1:r+OnHa5jfj90qIfZDO/VztSFqbQan7HV75p8sA+mdGI=
-cloud.google.com/go/essentialcontacts v1.4.0/go.mod h1:8tRldvHYsmnBCHdFpvU+GL75oWiBKl80BiqlFh9tp+8=
-cloud.google.com/go/essentialcontacts v1.5.0/go.mod h1:ay29Z4zODTuwliK7SnX8E86aUF2CTzdNtvv42niCX0M=
-cloud.google.com/go/essentialcontacts v1.6.2/go.mod h1:T2tB6tX+TRak7i88Fb2N9Ok3PvY3UNbUsMag9/BARh4=
-cloud.google.com/go/essentialcontacts v1.6.3/go.mod h1:yiPCD7f2TkP82oJEFXFTou8Jl8L6LBRPeBEkTaO0Ggo=
-cloud.google.com/go/eventarc v1.7.0/go.mod h1:6ctpF3zTnaQCxUjHUdcfgcA1A2T309+omHZth7gDfmc=
-cloud.google.com/go/eventarc v1.8.0/go.mod h1:imbzxkyAU4ubfsaKYdQg04WS1NvncblHEup4kvF+4gw=
-cloud.google.com/go/eventarc v1.10.0/go.mod h1:u3R35tmZ9HvswGRBnF48IlYgYeBcPUCjkr4BTdem2Kw=
-cloud.google.com/go/eventarc v1.11.0/go.mod h1:PyUjsUKPWoRBCHeOxZd/lbOOjahV41icXyUY5kSTvVY=
-cloud.google.com/go/eventarc v1.12.1/go.mod h1:mAFCW6lukH5+IZjkvrEss+jmt2kOdYlN8aMx3sRJiAI=
-cloud.google.com/go/eventarc v1.13.0/go.mod h1:mAFCW6lukH5+IZjkvrEss+jmt2kOdYlN8aMx3sRJiAI=
-cloud.google.com/go/eventarc v1.13.1/go.mod h1:EqBxmGHFrruIara4FUQ3RHlgfCn7yo1HYsu2Hpt/C3Y=
-cloud.google.com/go/filestore v1.3.0/go.mod h1:+qbvHGvXU1HaKX2nD0WEPo92TP/8AQuCVEBXNY9z0+w=
-cloud.google.com/go/filestore v1.4.0/go.mod h1:PaG5oDfo9r224f8OYXURtAsY+Fbyq/bLYoINEK8XQAI=
-cloud.google.com/go/filestore v1.5.0/go.mod h1:FqBXDWBp4YLHqRnVGveOkHDf8svj9r5+mUDLupOWEDs=
-cloud.google.com/go/filestore v1.6.0/go.mod h1:di5unNuss/qfZTw2U9nhFqo8/ZDSc466dre85Kydllg=
-cloud.google.com/go/filestore v1.7.1/go.mod h1:y10jsorq40JJnjR/lQ8AfFbbcGlw3g+Dp8oN7i7FjV4=
-cloud.google.com/go/filestore v1.7.2/go.mod h1:TYOlyJs25f/omgj+vY7/tIG/E7BX369triSPzE4LdgE=
-cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk=
-cloud.google.com/go/firestore v1.9.0/go.mod h1:HMkjKHNTtRyZNiMzu7YAsLr9K3X2udY2AMwDaMEQiiE=
-cloud.google.com/go/firestore v1.11.0/go.mod h1:b38dKhgzlmNNGTNZZwe7ZRFEuRab1Hay3/DBsIGKKy4=
-cloud.google.com/go/firestore v1.12.0/go.mod h1:b38dKhgzlmNNGTNZZwe7ZRFEuRab1Hay3/DBsIGKKy4=
-cloud.google.com/go/firestore v1.13.0/go.mod h1:QojqqOh8IntInDUSTAh0c8ZsPYAr68Ma8c5DWOy8xb8=
-cloud.google.com/go/functions v1.6.0/go.mod h1:3H1UA3qiIPRWD7PeZKLvHZ9SaQhR26XIJcC0A5GbvAk=
-cloud.google.com/go/functions v1.7.0/go.mod h1:+d+QBcWM+RsrgZfV9xo6KfA1GlzJfxcfZcRPEhDDfzg=
-cloud.google.com/go/functions v1.8.0/go.mod h1:RTZ4/HsQjIqIYP9a9YPbU+QFoQsAlYgrwOXJWHn1POY=
-cloud.google.com/go/functions v1.9.0/go.mod h1:Y+Dz8yGguzO3PpIjhLTbnqV1CWmgQ5UwtlpzoyquQ08=
-cloud.google.com/go/functions v1.10.0/go.mod h1:0D3hEOe3DbEvCXtYOZHQZmD+SzYsi1YbI7dGvHfldXw=
-cloud.google.com/go/functions v1.12.0/go.mod h1:AXWGrF3e2C/5ehvwYo/GH6O5s09tOPksiKhz+hH8WkA=
-cloud.google.com/go/functions v1.13.0/go.mod h1:EU4O007sQm6Ef/PwRsI8N2umygGqPBS/IZQKBQBcJ3c=
-cloud.google.com/go/functions v1.15.1/go.mod h1:P5yNWUTkyU+LvW/S9O6V+V423VZooALQlqoXdoPz5AE=
-cloud.google.com/go/functions v1.15.2/go.mod h1:CHAjtcR6OU4XF2HuiVeriEdELNcnvRZSk1Q8RMqy4lE=
-cloud.google.com/go/gaming v1.5.0/go.mod h1:ol7rGcxP/qHTRQE/RO4bxkXq+Fix0j6D4LFPzYTIrDM=
-cloud.google.com/go/gaming v1.6.0/go.mod h1:YMU1GEvA39Qt3zWGyAVA9bpYz/yAhTvaQ1t2sK4KPUA=
-cloud.google.com/go/gaming v1.7.0/go.mod h1:LrB8U7MHdGgFG851iHAfqUdLcKBdQ55hzXy9xBJz0+w=
-cloud.google.com/go/gaming v1.8.0/go.mod h1:xAqjS8b7jAVW0KFYeRUxngo9My3f33kFmua++Pi+ggM=
-cloud.google.com/go/gaming v1.9.0/go.mod h1:Fc7kEmCObylSWLO334NcO+O9QMDyz+TKC4v1D7X+Bc0=
-cloud.google.com/go/gaming v1.10.1/go.mod h1:XQQvtfP8Rb9Rxnxm5wFVpAp9zCQkJi2bLIb7iHGwB3s=
-cloud.google.com/go/gkebackup v0.2.0/go.mod h1:XKvv/4LfG829/B8B7xRkk8zRrOEbKtEam6yNfuQNH60=
-cloud.google.com/go/gkebackup v0.3.0/go.mod h1:n/E671i1aOQvUxT541aTkCwExO/bTer2HDlj4TsBRAo=
-cloud.google.com/go/gkebackup v0.4.0/go.mod h1:byAyBGUwYGEEww7xsbnUTBHIYcOPy/PgUWUtOeRm9Vg=
-cloud.google.com/go/gkebackup v1.3.0/go.mod h1:vUDOu++N0U5qs4IhG1pcOnD1Mac79xWy6GoBFlWCWBU=
-cloud.google.com/go/gkebackup v1.3.1/go.mod h1:vUDOu++N0U5qs4IhG1pcOnD1Mac79xWy6GoBFlWCWBU=
-cloud.google.com/go/gkebackup v1.3.2/go.mod h1:OMZbXzEJloyXMC7gqdSB+EOEQ1AKcpGYvO3s1ec5ixk=
-cloud.google.com/go/gkeconnect v0.5.0/go.mod h1:c5lsNAg5EwAy7fkqX/+goqFsU1Da/jQFqArp+wGNr/o=
-cloud.google.com/go/gkeconnect v0.6.0/go.mod h1:Mln67KyU/sHJEBY8kFZ0xTeyPtzbq9StAVvEULYK16A=
-cloud.google.com/go/gkeconnect v0.7.0/go.mod h1:SNfmVqPkaEi3bF/B3CNZOAYPYdg7sU+obZ+QTky2Myw=
-cloud.google.com/go/gkeconnect v0.8.1/go.mod h1:KWiK1g9sDLZqhxB2xEuPV8V9NYzrqTUmQR9shJHpOZw=
-cloud.google.com/go/gkeconnect v0.8.2/go.mod h1:6nAVhwchBJYgQCXD2pHBFQNiJNyAd/wyxljpaa6ZPrY=
-cloud.google.com/go/gkehub v0.9.0/go.mod h1:WYHN6WG8w9bXU0hqNxt8rm5uxnk8IH+lPY9J2TV7BK0=
-cloud.google.com/go/gkehub v0.10.0/go.mod h1:UIPwxI0DsrpsVoWpLB0stwKCP+WFVG9+y977wO+hBH0=
-cloud.google.com/go/gkehub v0.11.0/go.mod h1:JOWHlmN+GHyIbuWQPl47/C2RFhnFKH38jH9Ascu3n0E=
-cloud.google.com/go/gkehub v0.12.0/go.mod h1:djiIwwzTTBrF5NaXCGv3mf7klpEMcST17VBTVVDcuaw=
-cloud.google.com/go/gkehub v0.14.1/go.mod h1:VEXKIJZ2avzrbd7u+zeMtW00Y8ddk/4V9511C9CQGTY=
-cloud.google.com/go/gkehub v0.14.2/go.mod h1:iyjYH23XzAxSdhrbmfoQdePnlMj2EWcvnR+tHdBQsCY=
-cloud.google.com/go/gkemulticloud v0.3.0/go.mod h1:7orzy7O0S+5kq95e4Hpn7RysVA7dPs8W/GgfUtsPbrA=
-cloud.google.com/go/gkemulticloud v0.4.0/go.mod h1:E9gxVBnseLWCk24ch+P9+B2CoDFJZTyIgLKSalC7tuI=
-cloud.google.com/go/gkemulticloud v0.5.0/go.mod h1:W0JDkiyi3Tqh0TJr//y19wyb1yf8llHVto2Htf2Ja3Y=
-cloud.google.com/go/gkemulticloud v0.6.1/go.mod h1:kbZ3HKyTsiwqKX7Yw56+wUGwwNZViRnxWK2DVknXWfw=
-cloud.google.com/go/gkemulticloud v1.0.0/go.mod h1:kbZ3HKyTsiwqKX7Yw56+wUGwwNZViRnxWK2DVknXWfw=
-cloud.google.com/go/gkemulticloud v1.0.1/go.mod h1:AcrGoin6VLKT/fwZEYuqvVominLriQBCKmbjtnbMjG8=
-cloud.google.com/go/grafeas v0.2.0/go.mod h1:KhxgtF2hb0P191HlY5besjYm6MqTSTj3LSI+M+ByZHc=
-cloud.google.com/go/grafeas v0.3.0/go.mod h1:P7hgN24EyONOTMyeJH6DxG4zD7fwiYa5Q6GUgyFSOU8=
-cloud.google.com/go/gsuiteaddons v1.3.0/go.mod h1:EUNK/J1lZEZO8yPtykKxLXI6JSVN2rg9bN8SXOa0bgM=
-cloud.google.com/go/gsuiteaddons v1.4.0/go.mod h1:rZK5I8hht7u7HxFQcFei0+AtfS9uSushomRlg+3ua1o=
-cloud.google.com/go/gsuiteaddons v1.5.0/go.mod h1:TFCClYLd64Eaa12sFVmUyG62tk4mdIsI7pAnSXRkcFo=
-cloud.google.com/go/gsuiteaddons v1.6.1/go.mod h1:CodrdOqRZcLp5WOwejHWYBjZvfY0kOphkAKpF/3qdZY=
-cloud.google.com/go/gsuiteaddons v1.6.2/go.mod h1:K65m9XSgs8hTF3X9nNTPi8IQueljSdYo9F+Mi+s4MyU=
-cloud.google.com/go/iam v0.1.0/go.mod h1:vcUNEa0pEm0qRVpmWepWaFMIAI8/hjB9mO8rNCJtF6c=
-cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY=
-cloud.google.com/go/iam v0.5.0/go.mod h1:wPU9Vt0P4UmCux7mqtRu6jcpPAb74cP1fh50J3QpkUc=
-cloud.google.com/go/iam v0.6.0/go.mod h1:+1AH33ueBne5MzYccyMHtEKqLE4/kJOibtffMHDMFMc=
-cloud.google.com/go/iam v0.7.0/go.mod h1:H5Br8wRaDGNc8XP3keLc4unfUUZeyH3Sfl9XpQEYOeg=
-cloud.google.com/go/iam v0.8.0/go.mod h1:lga0/y3iH6CX7sYqypWJ33hf7kkfXJag67naqGESjkE=
-cloud.google.com/go/iam v0.11.0/go.mod h1:9PiLDanza5D+oWFZiH1uG+RnRCfEGKoyl6yo4cgWZGY=
-cloud.google.com/go/iam v0.12.0/go.mod h1:knyHGviacl11zrtZUoDuYpDgLjvr28sLQaG0YB2GYAY=
-cloud.google.com/go/iam v0.13.0/go.mod h1:ljOg+rcNfzZ5d6f1nAUJ8ZIxOaZUVoS14bKCtaLZ/D0=
-cloud.google.com/go/iam v1.0.1/go.mod h1:yR3tmSL8BcZB4bxByRv2jkSIahVmCtfKZwLYGBalRE8=
-cloud.google.com/go/iam v1.1.0/go.mod h1:nxdHjaKfCr7fNYx/HJMM8LgiMugmveWlkatear5gVyk=
-cloud.google.com/go/iam v1.1.1/go.mod h1:A5avdyVL2tCppe4unb0951eI9jreack+RJ0/d+KUZOU=
-cloud.google.com/go/iam v1.1.2/go.mod h1:A5avdyVL2tCppe4unb0951eI9jreack+RJ0/d+KUZOU=
-cloud.google.com/go/iam v1.1.3 h1:18tKG7DzydKWUnLjonWcJO6wjSCAtzh4GcRKlH/Hrzc=
-cloud.google.com/go/iam v1.1.3/go.mod h1:3khUlaBXfPKKe7huYgEpDn6FtgRyMEqbkvBxrQyY5SE=
-cloud.google.com/go/iap v1.4.0/go.mod h1:RGFwRJdihTINIe4wZ2iCP0zF/qu18ZwyKxrhMhygBEc=
-cloud.google.com/go/iap v1.5.0/go.mod h1:UH/CGgKd4KyohZL5Pt0jSKE4m3FR51qg6FKQ/z/Ix9A=
-cloud.google.com/go/iap v1.6.0/go.mod h1:NSuvI9C/j7UdjGjIde7t7HBz+QTwBcapPE07+sSRcLk=
-cloud.google.com/go/iap v1.7.0/go.mod h1:beqQx56T9O1G1yNPph+spKpNibDlYIiIixiqsQXxLIo=
-cloud.google.com/go/iap v1.7.1/go.mod h1:WapEwPc7ZxGt2jFGB/C/bm+hP0Y6NXzOYGjpPnmMS74=
-cloud.google.com/go/iap v1.8.1/go.mod h1:sJCbeqg3mvWLqjZNsI6dfAtbbV1DL2Rl7e1mTyXYREQ=
-cloud.google.com/go/iap v1.9.0/go.mod h1:01OFxd1R+NFrg78S+hoPV5PxEzv22HXaNqUUlmNHFuY=
-cloud.google.com/go/iap v1.9.1/go.mod h1:SIAkY7cGMLohLSdBR25BuIxO+I4fXJiL06IBL7cy/5Q=
-cloud.google.com/go/ids v1.1.0/go.mod h1:WIuwCaYVOzHIj2OhN9HAwvW+DBdmUAdcWlFxRl+KubM=
-cloud.google.com/go/ids v1.2.0/go.mod h1:5WXvp4n25S0rA/mQWAg1YEEBBq6/s+7ml1RDCW1IrcY=
-cloud.google.com/go/ids v1.3.0/go.mod h1:JBdTYwANikFKaDP6LtW5JAi4gubs57SVNQjemdt6xV4=
-cloud.google.com/go/ids v1.4.1/go.mod h1:np41ed8YMU8zOgv53MMMoCntLTn2lF+SUzlM+O3u/jw=
-cloud.google.com/go/ids v1.4.2/go.mod h1:3vw8DX6YddRu9BncxuzMyWn0g8+ooUjI2gslJ7FH3vk=
-cloud.google.com/go/iot v1.3.0/go.mod h1:r7RGh2B61+B8oz0AGE+J72AhA0G7tdXItODWsaA2oLs=
-cloud.google.com/go/iot v1.4.0/go.mod h1:dIDxPOn0UvNDUMD8Ger7FIaTuvMkj+aGk94RPP0iV+g=
-cloud.google.com/go/iot v1.5.0/go.mod h1:mpz5259PDl3XJthEmh9+ap0affn/MqNSP4My77Qql9o=
-cloud.google.com/go/iot v1.6.0/go.mod h1:IqdAsmE2cTYYNO1Fvjfzo9po179rAtJeVGUvkLN3rLE=
-cloud.google.com/go/iot v1.7.1/go.mod h1:46Mgw7ev1k9KqK1ao0ayW9h0lI+3hxeanz+L1zmbbbk=
-cloud.google.com/go/iot v1.7.2/go.mod h1:q+0P5zr1wRFpw7/MOgDXrG/HVA+l+cSwdObffkrpnSg=
-cloud.google.com/go/kms v1.4.0/go.mod h1:fajBHndQ+6ubNw6Ss2sSd+SWvjL26RNo/dr7uxsnnOA=
-cloud.google.com/go/kms v1.5.0/go.mod h1:QJS2YY0eJGBg3mnDfuaCyLauWwBJiHRboYxJ++1xJNg=
-cloud.google.com/go/kms v1.6.0/go.mod h1:Jjy850yySiasBUDi6KFUwUv2n1+o7QZFyuUJg6OgjA0=
-cloud.google.com/go/kms v1.8.0/go.mod h1:4xFEhYFqvW+4VMELtZyxomGSYtSQKzM178ylFW4jMAg=
-cloud.google.com/go/kms v1.9.0/go.mod h1:qb1tPTgfF9RQP8e1wq4cLFErVuTJv7UsSC915J8dh3w=
-cloud.google.com/go/kms v1.10.0/go.mod h1:ng3KTUtQQU9bPX3+QGLsflZIHlkbn8amFAMY63m8d24=
-cloud.google.com/go/kms v1.10.1/go.mod h1:rIWk/TryCkR59GMC3YtHtXeLzd634lBbKenvyySAyYI=
-cloud.google.com/go/kms v1.11.0/go.mod h1:hwdiYC0xjnWsKQQCQQmIQnS9asjYVSK6jtXm+zFqXLM=
-cloud.google.com/go/kms v1.12.1/go.mod h1:c9J991h5DTl+kg7gi3MYomh12YEENGrf48ee/N/2CDM=
-cloud.google.com/go/kms v1.15.0/go.mod h1:c9J991h5DTl+kg7gi3MYomh12YEENGrf48ee/N/2CDM=
-cloud.google.com/go/kms v1.15.2/go.mod h1:3hopT4+7ooWRCjc2DxgnpESFxhIraaI2IpAVUEhbT/w=
-cloud.google.com/go/kms v1.15.3 h1:RYsbxTRmk91ydKCzekI2YjryO4c5Y2M80Zwcs9/D/cI=
-cloud.google.com/go/kms v1.15.3/go.mod h1:AJdXqHxS2GlPyduM99s9iGqi2nwbviBbhV/hdmt4iOQ=
-cloud.google.com/go/language v1.4.0/go.mod h1:F9dRpNFQmJbkaop6g0JhSBXCNlO90e1KWx5iDdxbWic=
-cloud.google.com/go/language v1.6.0/go.mod h1:6dJ8t3B+lUYfStgls25GusK04NLh3eDLQnWM3mdEbhI=
-cloud.google.com/go/language v1.7.0/go.mod h1:DJ6dYN/W+SQOjF8e1hLQXMF21AkH2w9wiPzPCJa2MIE=
-cloud.google.com/go/language v1.8.0/go.mod h1:qYPVHf7SPoNNiCL2Dr0FfEFNil1qi3pQEyygwpgVKB8=
-cloud.google.com/go/language v1.9.0/go.mod h1:Ns15WooPM5Ad/5no/0n81yUetis74g3zrbeJBE+ptUY=
-cloud.google.com/go/language v1.10.1/go.mod h1:CPp94nsdVNiQEt1CNjF5WkTcisLiHPyIbMhvR8H2AW0=
-cloud.google.com/go/language v1.11.0/go.mod h1:uDx+pFDdAKTY8ehpWbiXyQdz8tDSYLJbQcXsCkjYyvQ=
-cloud.google.com/go/language v1.11.1/go.mod h1:Xyid9MG9WOX3utvDbpX7j3tXDmmDooMyMDqgUVpH17U=
-cloud.google.com/go/lifesciences v0.5.0/go.mod h1:3oIKy8ycWGPUyZDR/8RNnTOYevhaMLqh5vLUXs9zvT8=
-cloud.google.com/go/lifesciences v0.6.0/go.mod h1:ddj6tSX/7BOnhxCSd3ZcETvtNr8NZ6t/iPhY2Tyfu08=
-cloud.google.com/go/lifesciences v0.8.0/go.mod h1:lFxiEOMqII6XggGbOnKiyZ7IBwoIqA84ClvoezaA/bo=
-cloud.google.com/go/lifesciences v0.9.1/go.mod h1:hACAOd1fFbCGLr/+weUKRAJas82Y4vrL3O5326N//Wc=
-cloud.google.com/go/lifesciences v0.9.2/go.mod h1:QHEOO4tDzcSAzeJg7s2qwnLM2ji8IRpQl4p6m5Z9yTA=
-cloud.google.com/go/logging v1.6.1/go.mod h1:5ZO0mHHbvm8gEmeEUHrmDlTDSu5imF6MUP9OfilNXBw=
-cloud.google.com/go/logging v1.7.0/go.mod h1:3xjP2CjkM3ZkO73aj4ASA5wRPGGCRrPIAeNqVNkzY8M=
-cloud.google.com/go/logging v1.8.1/go.mod h1:TJjR+SimHwuC8MZ9cjByQulAMgni+RkXeI3wwctHJEI=
-cloud.google.com/go/longrunning v0.1.1/go.mod h1:UUFxuDWkv22EuY93jjmDMFT5GPQKeFVJBIF6QlTqdsE=
-cloud.google.com/go/longrunning v0.3.0/go.mod h1:qth9Y41RRSUE69rDcOn6DdK3HfQfsUI0YSmW3iIlLJc=
-cloud.google.com/go/longrunning v0.4.1/go.mod h1:4iWDqhBZ70CvZ6BfETbvam3T8FMvLK+eFj0E6AaRQTo=
-cloud.google.com/go/longrunning v0.4.2/go.mod h1:OHrnaYyLUV6oqwh0xiS7e5sLQhP1m0QU9R+WhGDMgIQ=
-cloud.google.com/go/longrunning v0.5.0/go.mod h1:0JNuqRShmscVAhIACGtskSAWtqtOoPkwP0YF1oVEchc=
-cloud.google.com/go/longrunning v0.5.1/go.mod h1:spvimkwdz6SPWKEt/XBij79E9fiTkHSQl/fRUUQJYJc=
-cloud.google.com/go/longrunning v0.5.2 h1:u+oFqfEwwU7F9dIELigxbe0XVnBAo9wqMuQLA50CZ5k=
-cloud.google.com/go/longrunning v0.5.2/go.mod h1:nqo6DQbNV2pXhGDbDMoN2bWz68MjZUzqv2YttZiveCs=
-cloud.google.com/go/managedidentities v1.3.0/go.mod h1:UzlW3cBOiPrzucO5qWkNkh0w33KFtBJU281hacNvsdE=
-cloud.google.com/go/managedidentities v1.4.0/go.mod h1:NWSBYbEMgqmbZsLIyKvxrYbtqOsxY1ZrGM+9RgDqInM=
-cloud.google.com/go/managedidentities v1.5.0/go.mod h1:+dWcZ0JlUmpuxpIDfyP5pP5y0bLdRwOS4Lp7gMni/LA=
-cloud.google.com/go/managedidentities v1.6.1/go.mod h1:h/irGhTN2SkZ64F43tfGPMbHnypMbu4RB3yl8YcuEak=
-cloud.google.com/go/managedidentities v1.6.2/go.mod h1:5c2VG66eCa0WIq6IylRk3TBW83l161zkFvCj28X7jn8=
-cloud.google.com/go/maps v0.1.0/go.mod h1:BQM97WGyfw9FWEmQMpZ5T6cpovXXSd1cGmFma94eubI=
-cloud.google.com/go/maps v0.6.0/go.mod h1:o6DAMMfb+aINHz/p/jbcY+mYeXBoZoxTfdSQ8VAJaCw=
-cloud.google.com/go/maps v0.7.0/go.mod h1:3GnvVl3cqeSvgMcpRlQidXsPYuDGQ8naBis7MVzpXsY=
-cloud.google.com/go/maps v1.3.0/go.mod h1:6mWTUv+WhnOwAgjVsSW2QPPECmW+s3PcRyOa9vgG/5s=
-cloud.google.com/go/maps v1.4.0/go.mod h1:6mWTUv+WhnOwAgjVsSW2QPPECmW+s3PcRyOa9vgG/5s=
-cloud.google.com/go/maps v1.4.1/go.mod h1:BxSa0BnW1g2U2gNdbq5zikLlHUuHW0GFWh7sgML2kIY=
-cloud.google.com/go/mediatranslation v0.5.0/go.mod h1:jGPUhGTybqsPQn91pNXw0xVHfuJ3leR1wj37oU3y1f4=
-cloud.google.com/go/mediatranslation v0.6.0/go.mod h1:hHdBCTYNigsBxshbznuIMFNe5QXEowAuNmmC7h8pu5w=
-cloud.google.com/go/mediatranslation v0.7.0/go.mod h1:LCnB/gZr90ONOIQLgSXagp8XUW1ODs2UmUMvcgMfI2I=
-cloud.google.com/go/mediatranslation v0.8.1/go.mod h1:L/7hBdEYbYHQJhX2sldtTO5SZZ1C1vkapubj0T2aGig=
-cloud.google.com/go/mediatranslation v0.8.2/go.mod h1:c9pUaDRLkgHRx3irYE5ZC8tfXGrMYwNZdmDqKMSfFp8=
-cloud.google.com/go/memcache v1.4.0/go.mod h1:rTOfiGZtJX1AaFUrOgsMHX5kAzaTQ8azHiuDoTPzNsE=
-cloud.google.com/go/memcache v1.5.0/go.mod h1:dk3fCK7dVo0cUU2c36jKb4VqKPS22BTkf81Xq617aWM=
-cloud.google.com/go/memcache v1.6.0/go.mod h1:XS5xB0eQZdHtTuTF9Hf8eJkKtR3pVRCcvJwtm68T3rA=
-cloud.google.com/go/memcache v1.7.0/go.mod h1:ywMKfjWhNtkQTxrWxCkCFkoPjLHPW6A7WOTVI8xy3LY=
-cloud.google.com/go/memcache v1.9.0/go.mod h1:8oEyzXCu+zo9RzlEaEjHl4KkgjlNDaXbCQeQWlzNFJM=
-cloud.google.com/go/memcache v1.10.1/go.mod h1:47YRQIarv4I3QS5+hoETgKO40InqzLP6kpNLvyXuyaA=
-cloud.google.com/go/memcache v1.10.2/go.mod h1:f9ZzJHLBrmd4BkguIAa/l/Vle6uTHzHokdnzSWOdQ6A=
-cloud.google.com/go/metastore v1.5.0/go.mod h1:2ZNrDcQwghfdtCwJ33nM0+GrBGlVuh8rakL3vdPY3XY=
-cloud.google.com/go/metastore v1.6.0/go.mod h1:6cyQTls8CWXzk45G55x57DVQ9gWg7RiH65+YgPsNh9s=
-cloud.google.com/go/metastore v1.7.0/go.mod h1:s45D0B4IlsINu87/AsWiEVYbLaIMeUSoxlKKDqBGFS8=
-cloud.google.com/go/metastore v1.8.0/go.mod h1:zHiMc4ZUpBiM7twCIFQmJ9JMEkDSyZS9U12uf7wHqSI=
-cloud.google.com/go/metastore v1.10.0/go.mod h1:fPEnH3g4JJAk+gMRnrAnoqyv2lpUCqJPWOodSaf45Eo=
-cloud.google.com/go/metastore v1.11.1/go.mod h1:uZuSo80U3Wd4zi6C22ZZliOUJ3XeM/MlYi/z5OAOWRA=
-cloud.google.com/go/metastore v1.12.0/go.mod h1:uZuSo80U3Wd4zi6C22ZZliOUJ3XeM/MlYi/z5OAOWRA=
-cloud.google.com/go/metastore v1.13.1/go.mod h1:IbF62JLxuZmhItCppcIfzBBfUFq0DIB9HPDoLgWrVOU=
-cloud.google.com/go/monitoring v1.7.0/go.mod h1:HpYse6kkGo//7p6sT0wsIC6IBDET0RhIsnmlA53dvEk=
-cloud.google.com/go/monitoring v1.8.0/go.mod h1:E7PtoMJ1kQXWxPjB6mv2fhC5/15jInuulFdYYtlcvT4=
-cloud.google.com/go/monitoring v1.12.0/go.mod h1:yx8Jj2fZNEkL/GYZyTLS4ZtZEZN8WtDEiEqG4kLK50w=
-cloud.google.com/go/monitoring v1.13.0/go.mod h1:k2yMBAB1H9JT/QETjNkgdCGD9bPF712XiLTVr+cBrpw=
-cloud.google.com/go/monitoring v1.15.1/go.mod h1:lADlSAlFdbqQuwwpaImhsJXu1QSdd3ojypXrFSMr2rM=
-cloud.google.com/go/monitoring v1.16.0/go.mod h1:Ptp15HgAyM1fNICAojDMoNc/wUmn67mLHQfyqbw+poY=
-cloud.google.com/go/monitoring v1.16.1 h1:CTklIuUkS5nCricGojPwdkSgPsCTX2HmYTxFDg+UvpU=
-cloud.google.com/go/monitoring v1.16.1/go.mod h1:6HsxddR+3y9j+o/cMJH6q/KJ/CBTvM/38L/1m7bTRJ4=
-cloud.google.com/go/networkconnectivity v1.4.0/go.mod h1:nOl7YL8odKyAOtzNX73/M5/mGZgqqMeryi6UPZTk/rA=
-cloud.google.com/go/networkconnectivity v1.5.0/go.mod h1:3GzqJx7uhtlM3kln0+x5wyFvuVH1pIBJjhCpjzSt75o=
-cloud.google.com/go/networkconnectivity v1.6.0/go.mod h1:OJOoEXW+0LAxHh89nXd64uGG+FbQoeH8DtxCHVOMlaM=
-cloud.google.com/go/networkconnectivity v1.7.0/go.mod h1:RMuSbkdbPwNMQjB5HBWD5MpTBnNm39iAVpC3TmsExt8=
-cloud.google.com/go/networkconnectivity v1.10.0/go.mod h1:UP4O4sWXJG13AqrTdQCD9TnLGEbtNRqjuaaA7bNjF5E=
-cloud.google.com/go/networkconnectivity v1.11.0/go.mod h1:iWmDD4QF16VCDLXUqvyspJjIEtBR/4zq5hwnY2X3scM=
-cloud.google.com/go/networkconnectivity v1.12.1/go.mod h1:PelxSWYM7Sh9/guf8CFhi6vIqf19Ir/sbfZRUwXh92E=
-cloud.google.com/go/networkconnectivity v1.13.0/go.mod h1:SAnGPes88pl7QRLUen2HmcBSE9AowVAcdug8c0RSBFk=
-cloud.google.com/go/networkconnectivity v1.14.1/go.mod h1:LyGPXR742uQcDxZ/wv4EI0Vu5N6NKJ77ZYVnDe69Zug=
-cloud.google.com/go/networkmanagement v1.4.0/go.mod h1:Q9mdLLRn60AsOrPc8rs8iNV6OHXaGcDdsIQe1ohekq8=
-cloud.google.com/go/networkmanagement v1.5.0/go.mod h1:ZnOeZ/evzUdUsnvRt792H0uYEnHQEMaz+REhhzJRcf4=
-cloud.google.com/go/networkmanagement v1.6.0/go.mod h1:5pKPqyXjB/sgtvB5xqOemumoQNB7y95Q7S+4rjSOPYY=
-cloud.google.com/go/networkmanagement v1.8.0/go.mod h1:Ho/BUGmtyEqrttTgWEe7m+8vDdK74ibQc+Be0q7Fof0=
-cloud.google.com/go/networkmanagement v1.9.0/go.mod h1:UTUaEU9YwbCAhhz3jEOHr+2/K/MrBk2XxOLS89LQzFw=
-cloud.google.com/go/networkmanagement v1.9.1/go.mod h1:CCSYgrQQvW73EJawO2QamemYcOb57LvrDdDU51F0mcI=
-cloud.google.com/go/networksecurity v0.5.0/go.mod h1:xS6fOCoqpVC5zx15Z/MqkfDwH4+m/61A3ODiDV1xmiQ=
-cloud.google.com/go/networksecurity v0.6.0/go.mod h1:Q5fjhTr9WMI5mbpRYEbiexTzROf7ZbDzvzCrNl14nyU=
-cloud.google.com/go/networksecurity v0.7.0/go.mod h1:mAnzoxx/8TBSyXEeESMy9OOYwo1v+gZ5eMRnsT5bC8k=
-cloud.google.com/go/networksecurity v0.8.0/go.mod h1:B78DkqsxFG5zRSVuwYFRZ9Xz8IcQ5iECsNrPn74hKHU=
-cloud.google.com/go/networksecurity v0.9.1/go.mod h1:MCMdxOKQ30wsBI1eI659f9kEp4wuuAueoC9AJKSPWZQ=
-cloud.google.com/go/networksecurity v0.9.2/go.mod h1:jG0SeAttWzPMUILEHDUvFYdQTl8L/E/KC8iZDj85lEI=
-cloud.google.com/go/notebooks v1.2.0/go.mod h1:9+wtppMfVPUeJ8fIWPOq1UnATHISkGXGqTkxeieQ6UY=
-cloud.google.com/go/notebooks v1.3.0/go.mod h1:bFR5lj07DtCPC7YAAJ//vHskFBxA5JzYlH68kXVdk34=
-cloud.google.com/go/notebooks v1.4.0/go.mod h1:4QPMngcwmgb6uw7Po99B2xv5ufVoIQ7nOGDyL4P8AgA=
-cloud.google.com/go/notebooks v1.5.0/go.mod h1:q8mwhnP9aR8Hpfnrc5iN5IBhrXUy8S2vuYs+kBJ/gu0=
-cloud.google.com/go/notebooks v1.7.0/go.mod h1:PVlaDGfJgj1fl1S3dUwhFMXFgfYGhYQt2164xOMONmE=
-cloud.google.com/go/notebooks v1.8.0/go.mod h1:Lq6dYKOYOWUCTvw5t2q1gp1lAp0zxAxRycayS0iJcqQ=
-cloud.google.com/go/notebooks v1.9.1/go.mod h1:zqG9/gk05JrzgBt4ghLzEepPHNwE5jgPcHZRKhlC1A8=
-cloud.google.com/go/notebooks v1.10.0/go.mod h1:SOPYMZnttHxqot0SGSFSkRrwE29eqnKPBJFqgWmiK2k=
-cloud.google.com/go/notebooks v1.10.1/go.mod h1:5PdJc2SgAybE76kFQCWrTfJolCOUQXF97e+gteUUA6A=
-cloud.google.com/go/optimization v1.1.0/go.mod h1:5po+wfvX5AQlPznyVEZjGJTMr4+CAkJf2XSTQOOl9l4=
-cloud.google.com/go/optimization v1.2.0/go.mod h1:Lr7SOHdRDENsh+WXVmQhQTrzdu9ybg0NecjHidBq6xs=
-cloud.google.com/go/optimization v1.3.1/go.mod h1:IvUSefKiwd1a5p0RgHDbWCIbDFgKuEdB+fPPuP0IDLI=
-cloud.google.com/go/optimization v1.4.1/go.mod h1:j64vZQP7h9bO49m2rVaTVoNM0vEBEN5eKPUPbZyXOrk=
-cloud.google.com/go/optimization v1.5.0/go.mod h1:evo1OvTxeBRBu6ydPlrIRizKY/LJKo/drDMMRKqGEUU=
-cloud.google.com/go/optimization v1.5.1/go.mod h1:NC0gnUD5MWVAF7XLdoYVPmYYVth93Q6BUzqAq3ZwtV8=
-cloud.google.com/go/orchestration v1.3.0/go.mod h1:Sj5tq/JpWiB//X/q3Ngwdl5K7B7Y0KZ7bfv0wL6fqVA=
-cloud.google.com/go/orchestration v1.4.0/go.mod h1:6W5NLFWs2TlniBphAViZEVhrXRSMgUGDfW7vrWKvsBk=
-cloud.google.com/go/orchestration v1.6.0/go.mod h1:M62Bevp7pkxStDfFfTuCOaXgaaqRAga1yKyoMtEoWPQ=
-cloud.google.com/go/orchestration v1.8.1/go.mod h1:4sluRF3wgbYVRqz7zJ1/EUNc90TTprliq9477fGobD8=
-cloud.google.com/go/orchestration v1.8.2/go.mod h1:T1cP+6WyTmh6LSZzeUhvGf0uZVmJyTx7t8z7Vg87+A0=
-cloud.google.com/go/orgpolicy v1.4.0/go.mod h1:xrSLIV4RePWmP9P3tBl8S93lTmlAxjm06NSm2UTmKvE=
-cloud.google.com/go/orgpolicy v1.5.0/go.mod h1:hZEc5q3wzwXJaKrsx5+Ewg0u1LxJ51nNFlext7Tanwc=
-cloud.google.com/go/orgpolicy v1.10.0/go.mod h1:w1fo8b7rRqlXlIJbVhOMPrwVljyuW5mqssvBtU18ONc=
-cloud.google.com/go/orgpolicy v1.11.0/go.mod h1:2RK748+FtVvnfuynxBzdnyu7sygtoZa1za/0ZfpOs1M=
-cloud.google.com/go/orgpolicy v1.11.1/go.mod h1:8+E3jQcpZJQliP+zaFfayC2Pg5bmhuLK755wKhIIUCE=
-cloud.google.com/go/orgpolicy v1.11.2/go.mod h1:biRDpNwfyytYnmCRWZWxrKF22Nkz9eNVj9zyaBdpm1o=
-cloud.google.com/go/osconfig v1.7.0/go.mod h1:oVHeCeZELfJP7XLxcBGTMBvRO+1nQ5tFG9VQTmYS2Fs=
-cloud.google.com/go/osconfig v1.8.0/go.mod h1:EQqZLu5w5XA7eKizepumcvWx+m8mJUhEwiPqWiZeEdg=
-cloud.google.com/go/osconfig v1.9.0/go.mod h1:Yx+IeIZJ3bdWmzbQU4fxNl8xsZ4amB+dygAwFPlvnNo=
-cloud.google.com/go/osconfig v1.10.0/go.mod h1:uMhCzqC5I8zfD9zDEAfvgVhDS8oIjySWh+l4WK6GnWw=
-cloud.google.com/go/osconfig v1.11.0/go.mod h1:aDICxrur2ogRd9zY5ytBLV89KEgT2MKB2L/n6x1ooPw=
-cloud.google.com/go/osconfig v1.12.0/go.mod h1:8f/PaYzoS3JMVfdfTubkowZYGmAhUCjjwnjqWI7NVBc=
-cloud.google.com/go/osconfig v1.12.1/go.mod h1:4CjBxND0gswz2gfYRCUoUzCm9zCABp91EeTtWXyz0tE=
-cloud.google.com/go/osconfig v1.12.2/go.mod h1:eh9GPaMZpI6mEJEuhEjUJmaxvQ3gav+fFEJon1Y8Iw0=
-cloud.google.com/go/oslogin v1.4.0/go.mod h1:YdgMXWRaElXz/lDk1Na6Fh5orF7gvmJ0FGLIs9LId4E=
-cloud.google.com/go/oslogin v1.5.0/go.mod h1:D260Qj11W2qx/HVF29zBg+0fd6YCSjSqLUkY/qEenQU=
-cloud.google.com/go/oslogin v1.6.0/go.mod h1:zOJ1O3+dTU8WPlGEkFSh7qeHPPSoxrcMbbK1Nm2iX70=
-cloud.google.com/go/oslogin v1.7.0/go.mod h1:e04SN0xO1UNJ1M5GP0vzVBFicIe4O53FOfcixIqTyXo=
-cloud.google.com/go/oslogin v1.9.0/go.mod h1:HNavntnH8nzrn8JCTT5fj18FuJLFJc4NaZJtBnQtKFs=
-cloud.google.com/go/oslogin v1.10.1/go.mod h1:x692z7yAue5nE7CsSnoG0aaMbNoRJRXO4sn73R+ZqAs=
-cloud.google.com/go/oslogin v1.11.1/go.mod h1:OhD2icArCVNUxKqtK0mcSmKL7lgr0LVlQz+v9s1ujTg=
-cloud.google.com/go/phishingprotection v0.5.0/go.mod h1:Y3HZknsK9bc9dMi+oE8Bim0lczMU6hrX0UpADuMefr0=
-cloud.google.com/go/phishingprotection v0.6.0/go.mod h1:9Y3LBLgy0kDTcYET8ZH3bq/7qni15yVUoAxiFxnlSUA=
-cloud.google.com/go/phishingprotection v0.7.0/go.mod h1:8qJI4QKHoda/sb/7/YmMQ2omRLSLYSu9bU0EKCNI+Lk=
-cloud.google.com/go/phishingprotection v0.8.1/go.mod h1:AxonW7GovcA8qdEk13NfHq9hNx5KPtfxXNeUxTDxB6I=
-cloud.google.com/go/phishingprotection v0.8.2/go.mod h1:LhJ91uyVHEYKSKcMGhOa14zMMWfbEdxG032oT6ECbC8=
-cloud.google.com/go/policytroubleshooter v1.3.0/go.mod h1:qy0+VwANja+kKrjlQuOzmlvscn4RNsAc0e15GGqfMxg=
-cloud.google.com/go/policytroubleshooter v1.4.0/go.mod h1:DZT4BcRw3QoO8ota9xw/LKtPa8lKeCByYeKTIf/vxdE=
-cloud.google.com/go/policytroubleshooter v1.5.0/go.mod h1:Rz1WfV+1oIpPdN2VvvuboLVRsB1Hclg3CKQ53j9l8vw=
-cloud.google.com/go/policytroubleshooter v1.6.0/go.mod h1:zYqaPTsmfvpjm5ULxAyD/lINQxJ0DDsnWOP/GZ7xzBc=
-cloud.google.com/go/policytroubleshooter v1.7.1/go.mod h1:0NaT5v3Ag1M7U5r0GfDCpUFkWd9YqpubBWsQlhanRv0=
-cloud.google.com/go/policytroubleshooter v1.8.0/go.mod h1:tmn5Ir5EToWe384EuboTcVQT7nTag2+DuH3uHmKd1HU=
-cloud.google.com/go/policytroubleshooter v1.9.0/go.mod h1:+E2Lga7TycpeSTj2FsH4oXxTnrbHJGRlKhVZBLGgU64=
-cloud.google.com/go/policytroubleshooter v1.9.1/go.mod h1:MYI8i0bCrL8cW+VHN1PoiBTyNZTstCg2WUw2eVC4c4U=
-cloud.google.com/go/privatecatalog v0.5.0/go.mod h1:XgosMUvvPyxDjAVNDYxJ7wBW8//hLDDYmnsNcMGq1K0=
-cloud.google.com/go/privatecatalog v0.6.0/go.mod h1:i/fbkZR0hLN29eEWiiwue8Pb+GforiEIBnV9yrRUOKI=
-cloud.google.com/go/privatecatalog v0.7.0/go.mod h1:2s5ssIFO69F5csTXcwBP7NPFTZvps26xGzvQ2PQaBYg=
-cloud.google.com/go/privatecatalog v0.8.0/go.mod h1:nQ6pfaegeDAq/Q5lrfCQzQLhubPiZhSaNhIgfJlnIXs=
-cloud.google.com/go/privatecatalog v0.9.1/go.mod h1:0XlDXW2unJXdf9zFz968Hp35gl/bhF4twwpXZAW50JA=
-cloud.google.com/go/privatecatalog v0.9.2/go.mod h1:RMA4ATa8IXfzvjrhhK8J6H4wwcztab+oZph3c6WmtFc=
-cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
-cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
-cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
-cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU=
-cloud.google.com/go/pubsub v1.26.0/go.mod h1:QgBH3U/jdJy/ftjPhTkyXNj543Tin1pRYcdcPRnFIRI=
-cloud.google.com/go/pubsub v1.27.1/go.mod h1:hQN39ymbV9geqBnfQq6Xf63yNhUAhv9CZhzp5O6qsW0=
-cloud.google.com/go/pubsub v1.28.0/go.mod h1:vuXFpwaVoIPQMGXqRyUQigu/AX1S3IWugR9xznmcXX8=
-cloud.google.com/go/pubsub v1.30.0/go.mod h1:qWi1OPS0B+b5L+Sg6Gmc9zD1Y+HaM0MdUr7LsupY1P4=
-cloud.google.com/go/pubsub v1.32.0/go.mod h1:f+w71I33OMyxf9VpMVcZbnG5KSUkCOUHYpFd5U1GdRc=
-cloud.google.com/go/pubsub v1.33.0/go.mod h1:f+w71I33OMyxf9VpMVcZbnG5KSUkCOUHYpFd5U1GdRc=
-cloud.google.com/go/pubsublite v1.5.0/go.mod h1:xapqNQ1CuLfGi23Yda/9l4bBCKz/wC3KIJ5gKcxveZg=
-cloud.google.com/go/pubsublite v1.6.0/go.mod h1:1eFCS0U11xlOuMFV/0iBqw3zP12kddMeCbj/F3FSj9k=
-cloud.google.com/go/pubsublite v1.7.0/go.mod h1:8hVMwRXfDfvGm3fahVbtDbiLePT3gpoiJYJY+vxWxVM=
-cloud.google.com/go/pubsublite v1.8.1/go.mod h1:fOLdU4f5xldK4RGJrBMm+J7zMWNj/k4PxwEZXy39QS0=
-cloud.google.com/go/recaptchaenterprise v1.3.1/go.mod h1:OdD+q+y4XGeAlxRaMn1Y7/GveP6zmq76byL6tjPE7d4=
-cloud.google.com/go/recaptchaenterprise/v2 v2.1.0/go.mod h1:w9yVqajwroDNTfGuhmOjPDN//rZGySaf6PtFVcSCa7o=
-cloud.google.com/go/recaptchaenterprise/v2 v2.2.0/go.mod h1:/Zu5jisWGeERrd5HnlS3EUGb/D335f9k51B/FVil0jk=
-cloud.google.com/go/recaptchaenterprise/v2 v2.3.0/go.mod h1:O9LwGCjrhGHBQET5CA7dd5NwwNQUErSgEDit1DLNTdo=
-cloud.google.com/go/recaptchaenterprise/v2 v2.4.0/go.mod h1:Am3LHfOuBstrLrNCBrlI5sbwx9LBg3te2N6hGvHn2mE=
-cloud.google.com/go/recaptchaenterprise/v2 v2.5.0/go.mod h1:O8LzcHXN3rz0j+LBC91jrwI3R+1ZSZEWrfL7XHgNo9U=
-cloud.google.com/go/recaptchaenterprise/v2 v2.6.0/go.mod h1:RPauz9jeLtB3JVzg6nCbe12qNoaa8pXc4d/YukAmcnA=
-cloud.google.com/go/recaptchaenterprise/v2 v2.7.0/go.mod h1:19wVj/fs5RtYtynAPJdDTb69oW0vNHYDBTbB4NvMD9c=
-cloud.google.com/go/recaptchaenterprise/v2 v2.7.2/go.mod h1:kR0KjsJS7Jt1YSyWFkseQ756D45kaYNTlDPPaRAvDBU=
-cloud.google.com/go/recaptchaenterprise/v2 v2.8.1/go.mod h1:JZYZJOeZjgSSTGP4uz7NlQ4/d1w5hGmksVgM0lbEij0=
-cloud.google.com/go/recommendationengine v0.5.0/go.mod h1:E5756pJcVFeVgaQv3WNpImkFP8a+RptV6dDLGPILjvg=
-cloud.google.com/go/recommendationengine v0.6.0/go.mod h1:08mq2umu9oIqc7tDy8sx+MNJdLG0fUi3vaSVbztHgJ4=
-cloud.google.com/go/recommendationengine v0.7.0/go.mod h1:1reUcE3GIu6MeBz/h5xZJqNLuuVjNg1lmWMPyjatzac=
-cloud.google.com/go/recommendationengine v0.8.1/go.mod h1:MrZihWwtFYWDzE6Hz5nKcNz3gLizXVIDI/o3G1DLcrE=
-cloud.google.com/go/recommendationengine v0.8.2/go.mod h1:QIybYHPK58qir9CV2ix/re/M//Ty10OxjnnhWdaKS1Y=
-cloud.google.com/go/recommender v1.5.0/go.mod h1:jdoeiBIVrJe9gQjwd759ecLJbxCDED4A6p+mqoqDvTg=
-cloud.google.com/go/recommender v1.6.0/go.mod h1:+yETpm25mcoiECKh9DEScGzIRyDKpZ0cEhWGo+8bo+c=
-cloud.google.com/go/recommender v1.7.0/go.mod h1:XLHs/W+T8olwlGOgfQenXBTbIseGclClff6lhFVe9Bs=
-cloud.google.com/go/recommender v1.8.0/go.mod h1:PkjXrTT05BFKwxaUxQmtIlrtj0kph108r02ZZQ5FE70=
-cloud.google.com/go/recommender v1.9.0/go.mod h1:PnSsnZY7q+VL1uax2JWkt/UegHssxjUVVCrX52CuEmQ=
-cloud.google.com/go/recommender v1.10.1/go.mod h1:XFvrE4Suqn5Cq0Lf+mCP6oBHD/yRMA8XxP5sb7Q7gpA=
-cloud.google.com/go/recommender v1.11.0/go.mod h1:kPiRQhPyTJ9kyXPCG6u/dlPLbYfFlkwHNRwdzPVAoII=
-cloud.google.com/go/recommender v1.11.1/go.mod h1:sGwFFAyI57v2Hc5LbIj+lTwXipGu9NW015rkaEM5B18=
-cloud.google.com/go/redis v1.7.0/go.mod h1:V3x5Jq1jzUcg+UNsRvdmsfuFnit1cfe3Z/PGyq/lm4Y=
-cloud.google.com/go/redis v1.8.0/go.mod h1:Fm2szCDavWzBk2cDKxrkmWBqoCiL1+Ctwq7EyqBCA/A=
-cloud.google.com/go/redis v1.9.0/go.mod h1:HMYQuajvb2D0LvMgZmLDZW8V5aOC/WxstZHiy4g8OiA=
-cloud.google.com/go/redis v1.10.0/go.mod h1:ThJf3mMBQtW18JzGgh41/Wld6vnDDc/F/F35UolRZPM=
-cloud.google.com/go/redis v1.11.0/go.mod h1:/X6eicana+BWcUda5PpwZC48o37SiFVTFSs0fWAJ7uQ=
-cloud.google.com/go/redis v1.13.1/go.mod h1:VP7DGLpE91M6bcsDdMuyCm2hIpB6Vp2hI090Mfd1tcg=
-cloud.google.com/go/redis v1.13.2/go.mod h1:0Hg7pCMXS9uz02q+LoEVl5dNHUkIQv+C/3L76fandSA=
-cloud.google.com/go/resourcemanager v1.3.0/go.mod h1:bAtrTjZQFJkiWTPDb1WBjzvc6/kifjj4QBYuKCCoqKA=
-cloud.google.com/go/resourcemanager v1.4.0/go.mod h1:MwxuzkumyTX7/a3n37gmsT3py7LIXwrShilPh3P1tR0=
-cloud.google.com/go/resourcemanager v1.5.0/go.mod h1:eQoXNAiAvCf5PXxWxXjhKQoTMaUSNrEfg+6qdf/wots=
-cloud.google.com/go/resourcemanager v1.6.0/go.mod h1:YcpXGRs8fDzcUl1Xw8uOVmI8JEadvhRIkoXXUNVYcVo=
-cloud.google.com/go/resourcemanager v1.7.0/go.mod h1:HlD3m6+bwhzj9XCouqmeiGuni95NTrExfhoSrkC/3EI=
-cloud.google.com/go/resourcemanager v1.9.1/go.mod h1:dVCuosgrh1tINZ/RwBufr8lULmWGOkPS8gL5gqyjdT8=
-cloud.google.com/go/resourcemanager v1.9.2/go.mod h1:OujkBg1UZg5lX2yIyMo5Vz9O5hf7XQOSV7WxqxxMtQE=
-cloud.google.com/go/resourcesettings v1.3.0/go.mod h1:lzew8VfESA5DQ8gdlHwMrqZs1S9V87v3oCnKCWoOuQU=
-cloud.google.com/go/resourcesettings v1.4.0/go.mod h1:ldiH9IJpcrlC3VSuCGvjR5of/ezRrOxFtpJoJo5SmXg=
-cloud.google.com/go/resourcesettings v1.5.0/go.mod h1:+xJF7QSG6undsQDfsCJyqWXyBwUoJLhetkRMDRnIoXA=
-cloud.google.com/go/resourcesettings v1.6.1/go.mod h1:M7mk9PIZrC5Fgsu1kZJci6mpgN8o0IUzVx3eJU3y4Jw=
-cloud.google.com/go/resourcesettings v1.6.2/go.mod h1:mJIEDd9MobzunWMeniaMp6tzg4I2GvD3TTmPkc8vBXk=
-cloud.google.com/go/retail v1.8.0/go.mod h1:QblKS8waDmNUhghY2TI9O3JLlFk8jybHeV4BF19FrE4=
-cloud.google.com/go/retail v1.9.0/go.mod h1:g6jb6mKuCS1QKnH/dpu7isX253absFl6iE92nHwlBUY=
-cloud.google.com/go/retail v1.10.0/go.mod h1:2gDk9HsL4HMS4oZwz6daui2/jmKvqShXKQuB2RZ+cCc=
-cloud.google.com/go/retail v1.11.0/go.mod h1:MBLk1NaWPmh6iVFSz9MeKG/Psyd7TAgm6y/9L2B4x9Y=
-cloud.google.com/go/retail v1.12.0/go.mod h1:UMkelN/0Z8XvKymXFbD4EhFJlYKRx1FGhQkVPU5kF14=
-cloud.google.com/go/retail v1.14.1/go.mod h1:y3Wv3Vr2k54dLNIrCzenyKG8g8dhvhncT2NcNjb/6gE=
-cloud.google.com/go/retail v1.14.2/go.mod h1:W7rrNRChAEChX336QF7bnMxbsjugcOCPU44i5kbLiL8=
-cloud.google.com/go/run v0.2.0/go.mod h1:CNtKsTA1sDcnqqIFR3Pb5Tq0usWxJJvsWOCPldRU3Do=
-cloud.google.com/go/run v0.3.0/go.mod h1:TuyY1+taHxTjrD0ZFk2iAR+xyOXEA0ztb7U3UNA0zBo=
-cloud.google.com/go/run v0.8.0/go.mod h1:VniEnuBwqjigv0A7ONfQUaEItaiCRVujlMqerPPiktM=
-cloud.google.com/go/run v0.9.0/go.mod h1:Wwu+/vvg8Y+JUApMwEDfVfhetv30hCG4ZwDR/IXl2Qg=
-cloud.google.com/go/run v1.2.0/go.mod h1:36V1IlDzQ0XxbQjUx6IYbw8H3TJnWvhii963WW3B/bo=
-cloud.google.com/go/run v1.3.1/go.mod h1:cymddtZOzdwLIAsmS6s+Asl4JoXIDm/K1cpZTxV4Q5s=
-cloud.google.com/go/scheduler v1.4.0/go.mod h1:drcJBmxF3aqZJRhmkHQ9b3uSSpQoltBPGPxGAWROx6s=
-cloud.google.com/go/scheduler v1.5.0/go.mod h1:ri073ym49NW3AfT6DZi21vLZrG07GXr5p3H1KxN5QlI=
-cloud.google.com/go/scheduler v1.6.0/go.mod h1:SgeKVM7MIwPn3BqtcBntpLyrIJftQISRrYB5ZtT+KOk=
-cloud.google.com/go/scheduler v1.7.0/go.mod h1:jyCiBqWW956uBjjPMMuX09n3x37mtyPJegEWKxRsn44=
-cloud.google.com/go/scheduler v1.8.0/go.mod h1:TCET+Y5Gp1YgHT8py4nlg2Sew8nUHMqcpousDgXJVQc=
-cloud.google.com/go/scheduler v1.9.0/go.mod h1:yexg5t+KSmqu+njTIh3b7oYPheFtBWGcbVUYF1GGMIc=
-cloud.google.com/go/scheduler v1.10.1/go.mod h1:R63Ldltd47Bs4gnhQkmNDse5w8gBRrhObZ54PxgR2Oo=
-cloud.google.com/go/scheduler v1.10.2/go.mod h1:O3jX6HRH5eKCA3FutMw375XHZJudNIKVonSCHv7ropY=
-cloud.google.com/go/secretmanager v1.6.0/go.mod h1:awVa/OXF6IiyaU1wQ34inzQNc4ISIDIrId8qE5QGgKA=
-cloud.google.com/go/secretmanager v1.8.0/go.mod h1:hnVgi/bN5MYHd3Gt0SPuTPPp5ENina1/LxM+2W9U9J4=
-cloud.google.com/go/secretmanager v1.9.0/go.mod h1:b71qH2l1yHmWQHt9LC80akm86mX8AL6X1MA01dW8ht4=
-cloud.google.com/go/secretmanager v1.10.0/go.mod h1:MfnrdvKMPNra9aZtQFvBcvRU54hbPD8/HayQdlUgJpU=
-cloud.google.com/go/secretmanager v1.11.1/go.mod h1:znq9JlXgTNdBeQk9TBW/FnR/W4uChEKGeqQWAJ8SXFw=
-cloud.google.com/go/secretmanager v1.11.2/go.mod h1:MQm4t3deoSub7+WNwiC4/tRYgDBHJgJPvswqQVB1Vss=
-cloud.google.com/go/security v1.5.0/go.mod h1:lgxGdyOKKjHL4YG3/YwIL2zLqMFCKs0UbQwgyZmfJl4=
-cloud.google.com/go/security v1.7.0/go.mod h1:mZklORHl6Bg7CNnnjLH//0UlAlaXqiG7Lb9PsPXLfD0=
-cloud.google.com/go/security v1.8.0/go.mod h1:hAQOwgmaHhztFhiQ41CjDODdWP0+AE1B3sX4OFlq+GU=
-cloud.google.com/go/security v1.9.0/go.mod h1:6Ta1bO8LXI89nZnmnsZGp9lVoVWXqsVbIq/t9dzI+2Q=
-cloud.google.com/go/security v1.10.0/go.mod h1:QtOMZByJVlibUT2h9afNDWRZ1G96gVywH8T5GUSb9IA=
-cloud.google.com/go/security v1.12.0/go.mod h1:rV6EhrpbNHrrxqlvW0BWAIawFWq3X90SduMJdFwtLB8=
-cloud.google.com/go/security v1.13.0/go.mod h1:Q1Nvxl1PAgmeW0y3HTt54JYIvUdtcpYKVfIB8AOMZ+0=
-cloud.google.com/go/security v1.15.1/go.mod h1:MvTnnbsWnehoizHi09zoiZob0iCHVcL4AUBj76h9fXA=
-cloud.google.com/go/security v1.15.2/go.mod h1:2GVE/v1oixIRHDaClVbHuPcZwAqFM28mXuAKCfMgYIg=
-cloud.google.com/go/securitycenter v1.13.0/go.mod h1:cv5qNAqjY84FCN6Y9z28WlkKXyWsgLO832YiWwkCWcU=
-cloud.google.com/go/securitycenter v1.14.0/go.mod h1:gZLAhtyKv85n52XYWt6RmeBdydyxfPeTrpToDPw4Auc=
-cloud.google.com/go/securitycenter v1.15.0/go.mod h1:PeKJ0t8MoFmmXLXWm41JidyzI3PJjd8sXWaVqg43WWk=
-cloud.google.com/go/securitycenter v1.16.0/go.mod h1:Q9GMaLQFUD+5ZTabrbujNWLtSLZIZF7SAR0wWECrjdk=
-cloud.google.com/go/securitycenter v1.18.1/go.mod h1:0/25gAzCM/9OL9vVx4ChPeM/+DlfGQJDwBy/UC8AKK0=
-cloud.google.com/go/securitycenter v1.19.0/go.mod h1:LVLmSg8ZkkyaNy4u7HCIshAngSQ8EcIRREP3xBnyfag=
-cloud.google.com/go/securitycenter v1.23.0/go.mod h1:8pwQ4n+Y9WCWM278R8W3nF65QtY172h4S8aXyI9/hsQ=
-cloud.google.com/go/securitycenter v1.23.1/go.mod h1:w2HV3Mv/yKhbXKwOCu2i8bCuLtNP1IMHuiYQn4HJq5s=
-cloud.google.com/go/servicecontrol v1.4.0/go.mod h1:o0hUSJ1TXJAmi/7fLJAedOovnujSEvjKCAFNXPQ1RaU=
-cloud.google.com/go/servicecontrol v1.5.0/go.mod h1:qM0CnXHhyqKVuiZnGKrIurvVImCs8gmqWsDoqe9sU1s=
-cloud.google.com/go/servicecontrol v1.10.0/go.mod h1:pQvyvSRh7YzUF2efw7H87V92mxU8FnFDawMClGCNuAA=
-cloud.google.com/go/servicecontrol v1.11.0/go.mod h1:kFmTzYzTUIuZs0ycVqRHNaNhgR+UMUpw9n02l/pY+mc=
-cloud.google.com/go/servicecontrol v1.11.1/go.mod h1:aSnNNlwEFBY+PWGQ2DoM0JJ/QUXqV5/ZD9DOLB7SnUk=
-cloud.google.com/go/servicedirectory v1.4.0/go.mod h1:gH1MUaZCgtP7qQiI+F+A+OpeKF/HQWgtAddhTbhL2bs=
-cloud.google.com/go/servicedirectory v1.5.0/go.mod h1:QMKFL0NUySbpZJ1UZs3oFAmdvVxhhxB6eJ/Vlp73dfg=
-cloud.google.com/go/servicedirectory v1.6.0/go.mod h1:pUlbnWsLH9c13yGkxCmfumWEPjsRs1RlmJ4pqiNjVL4=
-cloud.google.com/go/servicedirectory v1.7.0/go.mod h1:5p/U5oyvgYGYejufvxhgwjL8UVXjkuw7q5XcG10wx1U=
-cloud.google.com/go/servicedirectory v1.8.0/go.mod h1:srXodfhY1GFIPvltunswqXpVxFPpZjf8nkKQT7XcXaY=
-cloud.google.com/go/servicedirectory v1.9.0/go.mod h1:29je5JjiygNYlmsGz8k6o+OZ8vd4f//bQLtvzkPPT/s=
-cloud.google.com/go/servicedirectory v1.10.1/go.mod h1:Xv0YVH8s4pVOwfM/1eMTl0XJ6bzIOSLDt8f8eLaGOxQ=
-cloud.google.com/go/servicedirectory v1.11.0/go.mod h1:Xv0YVH8s4pVOwfM/1eMTl0XJ6bzIOSLDt8f8eLaGOxQ=
-cloud.google.com/go/servicedirectory v1.11.1/go.mod h1:tJywXimEWzNzw9FvtNjsQxxJ3/41jseeILgwU/QLrGI=
-cloud.google.com/go/servicemanagement v1.4.0/go.mod h1:d8t8MDbezI7Z2R1O/wu8oTggo3BI2GKYbdG4y/SJTco=
-cloud.google.com/go/servicemanagement v1.5.0/go.mod h1:XGaCRe57kfqu4+lRxaFEAuqmjzF0r+gWHjWqKqBvKFo=
-cloud.google.com/go/servicemanagement v1.6.0/go.mod h1:aWns7EeeCOtGEX4OvZUWCCJONRZeFKiptqKf1D0l/Jc=
-cloud.google.com/go/servicemanagement v1.8.0/go.mod h1:MSS2TDlIEQD/fzsSGfCdJItQveu9NXnUniTrq/L8LK4=
-cloud.google.com/go/serviceusage v1.3.0/go.mod h1:Hya1cozXM4SeSKTAgGXgj97GlqUvF5JaoXacR1JTP/E=
-cloud.google.com/go/serviceusage v1.4.0/go.mod h1:SB4yxXSaYVuUBYUml6qklyONXNLt83U0Rb+CXyhjEeU=
-cloud.google.com/go/serviceusage v1.5.0/go.mod h1:w8U1JvqUqwJNPEOTQjrMHkw3IaIFLoLsPLvsE3xueec=
-cloud.google.com/go/serviceusage v1.6.0/go.mod h1:R5wwQcbOWsyuOfbP9tGdAnCAc6B9DRwPG1xtWMDeuPA=
-cloud.google.com/go/shell v1.3.0/go.mod h1:VZ9HmRjZBsjLGXusm7K5Q5lzzByZmJHf1d0IWHEN5X4=
-cloud.google.com/go/shell v1.4.0/go.mod h1:HDxPzZf3GkDdhExzD/gs8Grqk+dmYcEjGShZgYa9URw=
-cloud.google.com/go/shell v1.6.0/go.mod h1:oHO8QACS90luWgxP3N9iZVuEiSF84zNyLytb+qE2f9A=
-cloud.google.com/go/shell v1.7.1/go.mod h1:u1RaM+huXFaTojTbW4g9P5emOrrmLE69KrxqQahKn4g=
-cloud.google.com/go/shell v1.7.2/go.mod h1:KqRPKwBV0UyLickMn0+BY1qIyE98kKyI216sH/TuHmc=
-cloud.google.com/go/spanner v1.41.0/go.mod h1:MLYDBJR/dY4Wt7ZaMIQ7rXOTLjYrmxLE/5ve9vFfWos=
-cloud.google.com/go/spanner v1.44.0/go.mod h1:G8XIgYdOK+Fbcpbs7p2fiprDw4CaZX63whnSMLVBxjk=
-cloud.google.com/go/spanner v1.45.0/go.mod h1:FIws5LowYz8YAE1J8fOS7DJup8ff7xJeetWEo5REA2M=
-cloud.google.com/go/spanner v1.47.0/go.mod h1:IXsJwVW2j4UKs0eYDqodab6HgGuA1bViSqW4uH9lfUI=
-cloud.google.com/go/spanner v1.49.0/go.mod h1:eGj9mQGK8+hkgSVbHNQ06pQ4oS+cyc4tXXd6Dif1KoM=
-cloud.google.com/go/spanner v1.50.0 h1:QrJFOpaxCXdXF+GkiruLz642PHxkdj68PbbnLw3O2Zw=
-cloud.google.com/go/spanner v1.50.0/go.mod h1:eGj9mQGK8+hkgSVbHNQ06pQ4oS+cyc4tXXd6Dif1KoM=
-cloud.google.com/go/speech v1.6.0/go.mod h1:79tcr4FHCimOp56lwC01xnt/WPJZc4v3gzyT7FoBkCM=
-cloud.google.com/go/speech v1.7.0/go.mod h1:KptqL+BAQIhMsj1kOP2la5DSEEerPDuOP/2mmkhHhZQ=
-cloud.google.com/go/speech v1.8.0/go.mod h1:9bYIl1/tjsAnMgKGHKmBZzXKEkGgtU+MpdDPTE9f7y0=
-cloud.google.com/go/speech v1.9.0/go.mod h1:xQ0jTcmnRFFM2RfX/U+rk6FQNUF6DQlydUSyoooSpco=
-cloud.google.com/go/speech v1.14.1/go.mod h1:gEosVRPJ9waG7zqqnsHpYTOoAS4KouMRLDFMekpJ0J0=
-cloud.google.com/go/speech v1.15.0/go.mod h1:y6oH7GhqCaZANH7+Oe0BhgIogsNInLlz542tg3VqeYI=
-cloud.google.com/go/speech v1.17.1/go.mod h1:8rVNzU43tQvxDaGvqOhpDqgkJTFowBpDvCJ14kGlJYo=
-cloud.google.com/go/speech v1.19.0/go.mod h1:8rVNzU43tQvxDaGvqOhpDqgkJTFowBpDvCJ14kGlJYo=
-cloud.google.com/go/speech v1.19.1/go.mod h1:WcuaWz/3hOlzPFOVo9DUsblMIHwxP589y6ZMtaG+iAA=
-cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
-cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
-cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
-cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
-cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
-cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo=
-cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y=
-cloud.google.com/go/storage v1.23.0/go.mod h1:vOEEDNFnciUMhBeT6hsJIn3ieU5cFRmzeLgDvXzfIXc=
-cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s=
-cloud.google.com/go/storage v1.28.1/go.mod h1:Qnisd4CqDdo6BGs2AD5LLnEsmSQ80wQ5ogcBBKhU86Y=
-cloud.google.com/go/storage v1.29.0/go.mod h1:4puEjyTKnku6gfKoTfNOU/W+a9JyuVNxjpS5GBrB8h4=
-cloud.google.com/go/storage v1.30.1 h1:uOdMxAs8HExqBlnLtnQyP0YkvbiDpdGShGKtx6U/oNM=
-cloud.google.com/go/storage v1.30.1/go.mod h1:NfxhC0UJE1aXSx7CIIbCf7y9HKT7BiccwkR7+P7gN8E=
-cloud.google.com/go/storagetransfer v1.5.0/go.mod h1:dxNzUopWy7RQevYFHewchb29POFv3/AaBgnhqzqiK0w=
-cloud.google.com/go/storagetransfer v1.6.0/go.mod h1:y77xm4CQV/ZhFZH75PLEXY0ROiS7Gh6pSKrM8dJyg6I=
-cloud.google.com/go/storagetransfer v1.7.0/go.mod h1:8Giuj1QNb1kfLAiWM1bN6dHzfdlDAVC9rv9abHot2W4=
-cloud.google.com/go/storagetransfer v1.8.0/go.mod h1:JpegsHHU1eXg7lMHkvf+KE5XDJ7EQu0GwNJbbVGanEw=
-cloud.google.com/go/storagetransfer v1.10.0/go.mod h1:DM4sTlSmGiNczmV6iZyceIh2dbs+7z2Ayg6YAiQlYfA=
-cloud.google.com/go/storagetransfer v1.10.1/go.mod h1:rS7Sy0BtPviWYTTJVWCSV4QrbBitgPeuK4/FKa4IdLs=
-cloud.google.com/go/talent v1.1.0/go.mod h1:Vl4pt9jiHKvOgF9KoZo6Kob9oV4lwd/ZD5Cto54zDRw=
-cloud.google.com/go/talent v1.2.0/go.mod h1:MoNF9bhFQbiJ6eFD3uSsg0uBALw4n4gaCaEjBw9zo8g=
-cloud.google.com/go/talent v1.3.0/go.mod h1:CmcxwJ/PKfRgd1pBjQgU6W3YBwiewmUzQYH5HHmSCmM=
-cloud.google.com/go/talent v1.4.0/go.mod h1:ezFtAgVuRf8jRsvyE6EwmbTK5LKciD4KVnHuDEFmOOA=
-cloud.google.com/go/talent v1.5.0/go.mod h1:G+ODMj9bsasAEJkQSzO2uHQWXHHXUomArjWQQYkqK6c=
-cloud.google.com/go/talent v1.6.2/go.mod h1:CbGvmKCG61mkdjcqTcLOkb2ZN1SrQI8MDyma2l7VD24=
-cloud.google.com/go/talent v1.6.3/go.mod h1:xoDO97Qd4AK43rGjJvyBHMskiEf3KulgYzcH6YWOVoo=
-cloud.google.com/go/texttospeech v1.4.0/go.mod h1:FX8HQHA6sEpJ7rCMSfXuzBcysDAuWusNNNvN9FELDd8=
-cloud.google.com/go/texttospeech v1.5.0/go.mod h1:oKPLhR4n4ZdQqWKURdwxMy0uiTS1xU161C8W57Wkea4=
-cloud.google.com/go/texttospeech v1.6.0/go.mod h1:YmwmFT8pj1aBblQOI3TfKmwibnsfvhIBzPXcW4EBovc=
-cloud.google.com/go/texttospeech v1.7.1/go.mod h1:m7QfG5IXxeneGqTapXNxv2ItxP/FS0hCZBwXYqucgSk=
-cloud.google.com/go/texttospeech v1.7.2/go.mod h1:VYPT6aTOEl3herQjFHYErTlSZJ4vB00Q2ZTmuVgluD4=
-cloud.google.com/go/tpu v1.3.0/go.mod h1:aJIManG0o20tfDQlRIej44FcwGGl/cD0oiRyMKG19IQ=
-cloud.google.com/go/tpu v1.4.0/go.mod h1:mjZaX8p0VBgllCzF6wcU2ovUXN9TONFLd7iz227X2Xg=
-cloud.google.com/go/tpu v1.5.0/go.mod h1:8zVo1rYDFuW2l4yZVY0R0fb/v44xLh3llq7RuV61fPM=
-cloud.google.com/go/tpu v1.6.1/go.mod h1:sOdcHVIgDEEOKuqUoi6Fq53MKHJAtOwtz0GuKsWSH3E=
-cloud.google.com/go/tpu v1.6.2/go.mod h1:NXh3NDwt71TsPZdtGWgAG5ThDfGd32X1mJ2cMaRlVgU=
-cloud.google.com/go/trace v1.3.0/go.mod h1:FFUE83d9Ca57C+K8rDl/Ih8LwOzWIV1krKgxg6N0G28=
-cloud.google.com/go/trace v1.4.0/go.mod h1:UG0v8UBqzusp+z63o7FK74SdFE+AXpCLdFb1rshXG+Y=
-cloud.google.com/go/trace v1.8.0/go.mod h1:zH7vcsbAhklH8hWFig58HvxcxyQbaIqMarMg9hn5ECA=
-cloud.google.com/go/trace v1.9.0/go.mod h1:lOQqpE5IaWY0Ixg7/r2SjixMuc6lfTFeO4QGM4dQWOk=
-cloud.google.com/go/trace v1.10.1/go.mod h1:gbtL94KE5AJLH3y+WVpfWILmqgc6dXcqgNXdOPAQTYk=
-cloud.google.com/go/trace v1.10.2/go.mod h1:NPXemMi6MToRFcSxRl2uDnu/qAlAQ3oULUphcHGh1vA=
-cloud.google.com/go/translate v1.3.0/go.mod h1:gzMUwRjvOqj5i69y/LYLd8RrNQk+hOmIXTi9+nb3Djs=
-cloud.google.com/go/translate v1.4.0/go.mod h1:06Dn/ppvLD6WvA5Rhdp029IX2Mi3Mn7fpMRLPvXT5Wg=
-cloud.google.com/go/translate v1.5.0/go.mod h1:29YDSYveqqpA1CQFD7NQuP49xymq17RXNaUDdc0mNu0=
-cloud.google.com/go/translate v1.6.0/go.mod h1:lMGRudH1pu7I3n3PETiOB2507gf3HnfLV8qlkHZEyos=
-cloud.google.com/go/translate v1.7.0/go.mod h1:lMGRudH1pu7I3n3PETiOB2507gf3HnfLV8qlkHZEyos=
-cloud.google.com/go/translate v1.8.1/go.mod h1:d1ZH5aaOA0CNhWeXeC8ujd4tdCFw8XoNWRljklu5RHs=
-cloud.google.com/go/translate v1.8.2/go.mod h1:d1ZH5aaOA0CNhWeXeC8ujd4tdCFw8XoNWRljklu5RHs=
-cloud.google.com/go/translate v1.9.0/go.mod h1:d1ZH5aaOA0CNhWeXeC8ujd4tdCFw8XoNWRljklu5RHs=
-cloud.google.com/go/translate v1.9.1/go.mod h1:TWIgDZknq2+JD4iRcojgeDtqGEp154HN/uL6hMvylS8=
-cloud.google.com/go/video v1.8.0/go.mod h1:sTzKFc0bUSByE8Yoh8X0mn8bMymItVGPfTuUBUyRgxk=
-cloud.google.com/go/video v1.9.0/go.mod h1:0RhNKFRF5v92f8dQt0yhaHrEuH95m068JYOvLZYnJSw=
-cloud.google.com/go/video v1.12.0/go.mod h1:MLQew95eTuaNDEGriQdcYn0dTwf9oWiA4uYebxM5kdg=
-cloud.google.com/go/video v1.13.0/go.mod h1:ulzkYlYgCp15N2AokzKjy7MQ9ejuynOJdf1tR5lGthk=
-cloud.google.com/go/video v1.14.0/go.mod h1:SkgaXwT+lIIAKqWAJfktHT/RbgjSuY6DobxEp0C5yTQ=
-cloud.google.com/go/video v1.15.0/go.mod h1:SkgaXwT+lIIAKqWAJfktHT/RbgjSuY6DobxEp0C5yTQ=
-cloud.google.com/go/video v1.17.1/go.mod h1:9qmqPqw/Ib2tLqaeHgtakU+l5TcJxCJbhFXM7UJjVzU=
-cloud.google.com/go/video v1.19.0/go.mod h1:9qmqPqw/Ib2tLqaeHgtakU+l5TcJxCJbhFXM7UJjVzU=
-cloud.google.com/go/video v1.20.0/go.mod h1:U3G3FTnsvAGqglq9LxgqzOiBc/Nt8zis8S+850N2DUM=
-cloud.google.com/go/video v1.20.1/go.mod h1:3gJS+iDprnj8SY6pe0SwLeC5BUW80NjhwX7INWEuWGU=
-cloud.google.com/go/videointelligence v1.6.0/go.mod h1:w0DIDlVRKtwPCn/C4iwZIJdvC69yInhW0cfi+p546uU=
-cloud.google.com/go/videointelligence v1.7.0/go.mod h1:k8pI/1wAhjznARtVT9U1llUaFNPh7muw8QyOUpavru4=
-cloud.google.com/go/videointelligence v1.8.0/go.mod h1:dIcCn4gVDdS7yte/w+koiXn5dWVplOZkE+xwG9FgK+M=
-cloud.google.com/go/videointelligence v1.9.0/go.mod h1:29lVRMPDYHikk3v8EdPSaL8Ku+eMzDljjuvRs105XoU=
-cloud.google.com/go/videointelligence v1.10.0/go.mod h1:LHZngX1liVtUhZvi2uNS0VQuOzNi2TkY1OakiuoUOjU=
-cloud.google.com/go/videointelligence v1.11.1/go.mod h1:76xn/8InyQHarjTWsBR058SmlPCwQjgcvoW0aZykOvo=
-cloud.google.com/go/videointelligence v1.11.2/go.mod h1:ocfIGYtIVmIcWk1DsSGOoDiXca4vaZQII1C85qtoplc=
-cloud.google.com/go/vision v1.2.0/go.mod h1:SmNwgObm5DpFBme2xpyOyasvBc1aPdjvMk2bBk0tKD0=
-cloud.google.com/go/vision/v2 v2.2.0/go.mod h1:uCdV4PpN1S0jyCyq8sIM42v2Y6zOLkZs+4R9LrGYwFo=
-cloud.google.com/go/vision/v2 v2.3.0/go.mod h1:UO61abBx9QRMFkNBbf1D8B1LXdS2cGiiCRx0vSpZoUo=
-cloud.google.com/go/vision/v2 v2.4.0/go.mod h1:VtI579ll9RpVTrdKdkMzckdnwMyX2JILb+MhPqRbPsY=
-cloud.google.com/go/vision/v2 v2.5.0/go.mod h1:MmaezXOOE+IWa+cS7OhRRLK2cNv1ZL98zhqFFZaaH2E=
-cloud.google.com/go/vision/v2 v2.6.0/go.mod h1:158Hes0MvOS9Z/bDMSFpjwsUrZ5fPrdwuyyvKSGAGMY=
-cloud.google.com/go/vision/v2 v2.7.0/go.mod h1:H89VysHy21avemp6xcf9b9JvZHVehWbET0uT/bcuY/0=
-cloud.google.com/go/vision/v2 v2.7.2/go.mod h1:jKa8oSYBWhYiXarHPvP4USxYANYUEdEsQrloLjrSwJU=
-cloud.google.com/go/vision/v2 v2.7.3/go.mod h1:V0IcLCY7W+hpMKXK1JYE0LV5llEqVmj+UJChjvA1WsM=
-cloud.google.com/go/vmmigration v1.2.0/go.mod h1:IRf0o7myyWFSmVR1ItrBSFLFD/rJkfDCUTO4vLlJvsE=
-cloud.google.com/go/vmmigration v1.3.0/go.mod h1:oGJ6ZgGPQOFdjHuocGcLqX4lc98YQ7Ygq8YQwHh9A7g=
-cloud.google.com/go/vmmigration v1.5.0/go.mod h1:E4YQ8q7/4W9gobHjQg4JJSgXXSgY21nA5r8swQV+Xxc=
-cloud.google.com/go/vmmigration v1.6.0/go.mod h1:bopQ/g4z+8qXzichC7GW1w2MjbErL54rk3/C843CjfY=
-cloud.google.com/go/vmmigration v1.7.1/go.mod h1:WD+5z7a/IpZ5bKK//YmT9E047AD+rjycCAvyMxGJbro=
-cloud.google.com/go/vmmigration v1.7.2/go.mod h1:iA2hVj22sm2LLYXGPT1pB63mXHhrH1m/ruux9TwWLd8=
-cloud.google.com/go/vmwareengine v0.1.0/go.mod h1:RsdNEf/8UDvKllXhMz5J40XxDrNJNN4sagiox+OI208=
-cloud.google.com/go/vmwareengine v0.2.2/go.mod h1:sKdctNJxb3KLZkE/6Oui94iw/xs9PRNC2wnNLXsHvH8=
-cloud.google.com/go/vmwareengine v0.3.0/go.mod h1:wvoyMvNWdIzxMYSpH/R7y2h5h3WFkx6d+1TIsP39WGY=
-cloud.google.com/go/vmwareengine v0.4.1/go.mod h1:Px64x+BvjPZwWuc4HdmVhoygcXqEkGHXoa7uyfTgSI0=
-cloud.google.com/go/vmwareengine v1.0.0/go.mod h1:Px64x+BvjPZwWuc4HdmVhoygcXqEkGHXoa7uyfTgSI0=
-cloud.google.com/go/vmwareengine v1.0.1/go.mod h1:aT3Xsm5sNx0QShk1Jc1B8OddrxAScYLwzVoaiXfdzzk=
-cloud.google.com/go/vpcaccess v1.4.0/go.mod h1:aQHVbTWDYUR1EbTApSVvMq1EnT57ppDmQzZ3imqIk4w=
-cloud.google.com/go/vpcaccess v1.5.0/go.mod h1:drmg4HLk9NkZpGfCmZ3Tz0Bwnm2+DKqViEpeEpOq0m8=
-cloud.google.com/go/vpcaccess v1.6.0/go.mod h1:wX2ILaNhe7TlVa4vC5xce1bCnqE3AeH27RV31lnmZes=
-cloud.google.com/go/vpcaccess v1.7.1/go.mod h1:FogoD46/ZU+JUBX9D606X21EnxiszYi2tArQwLY4SXs=
-cloud.google.com/go/vpcaccess v1.7.2/go.mod h1:mmg/MnRHv+3e8FJUjeSibVFvQF1cCy2MsFaFqxeY1HU=
-cloud.google.com/go/webrisk v1.4.0/go.mod h1:Hn8X6Zr+ziE2aNd8SliSDWpEnSS1u4R9+xXZmFiHmGE=
-cloud.google.com/go/webrisk v1.5.0/go.mod h1:iPG6fr52Tv7sGk0H6qUFzmL3HHZev1htXuWDEEsqMTg=
-cloud.google.com/go/webrisk v1.6.0/go.mod h1:65sW9V9rOosnc9ZY7A7jsy1zoHS5W9IAXv6dGqhMQMc=
-cloud.google.com/go/webrisk v1.7.0/go.mod h1:mVMHgEYH0r337nmt1JyLthzMr6YxwN1aAIEc2fTcq7A=
-cloud.google.com/go/webrisk v1.8.0/go.mod h1:oJPDuamzHXgUc+b8SiHRcVInZQuybnvEW72PqTc7sSg=
-cloud.google.com/go/webrisk v1.9.1/go.mod h1:4GCmXKcOa2BZcZPn6DCEvE7HypmEJcJkr4mtM+sqYPc=
-cloud.google.com/go/webrisk v1.9.2/go.mod h1:pY9kfDgAqxUpDBOrG4w8deLfhvJmejKB0qd/5uQIPBc=
-cloud.google.com/go/websecurityscanner v1.3.0/go.mod h1:uImdKm2wyeXQevQJXeh8Uun/Ym1VqworNDlBXQevGMo=
-cloud.google.com/go/websecurityscanner v1.4.0/go.mod h1:ebit/Fp0a+FWu5j4JOmJEV8S8CzdTkAS77oDsiSqYWQ=
-cloud.google.com/go/websecurityscanner v1.5.0/go.mod h1:Y6xdCPy81yi0SQnDY1xdNTNpfY1oAgXUlcfN3B3eSng=
-cloud.google.com/go/websecurityscanner v1.6.1/go.mod h1:Njgaw3rttgRHXzwCB8kgCYqv5/rGpFCsBOvPbYgszpg=
-cloud.google.com/go/websecurityscanner v1.6.2/go.mod h1:7YgjuU5tun7Eg2kpKgGnDuEOXWIrh8x8lWrJT4zfmas=
-cloud.google.com/go/workflows v1.6.0/go.mod h1:6t9F5h/unJz41YqfBmqSASJSXccBLtD1Vwf+KmJENM0=
-cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoISEXH2bcHC3M=
-cloud.google.com/go/workflows v1.8.0/go.mod h1:ysGhmEajwZxGn1OhGOGKsTXc5PyxOc0vfKf5Af+to4M=
-cloud.google.com/go/workflows v1.9.0/go.mod h1:ZGkj1aFIOd9c8Gerkjjq7OW7I5+l6cSvT3ujaO/WwSA=
-cloud.google.com/go/workflows v1.10.0/go.mod h1:fZ8LmRmZQWacon9UCX1r/g/DfAXx5VcPALq2CxzdePw=
-cloud.google.com/go/workflows v1.11.1/go.mod h1:Z+t10G1wF7h8LgdY/EmRcQY8ptBD/nvofaL6FqlET6g=
-cloud.google.com/go/workflows v1.12.0/go.mod h1:PYhSk2b6DhZ508tj8HXKaBh+OFe+xdl0dHF/tJdzPQM=
-cloud.google.com/go/workflows v1.12.1/go.mod h1:5A95OhD/edtOhQd/O741NSfIMezNTbCwLM1P1tBRGHM=
-dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
-gioui.org v0.0.0-20210308172011-57750fc8a0a6/go.mod h1:RSH6KIUZ0p2xy5zHDxgAM4zumjgTw83q2ge/PI+yyw8=
-git.sr.ht/~sbinet/gg v0.3.1/go.mod h1:KGYtlADtqsqANL9ueOFkWymvzUvLMQllU5Ixo+8v3pc=
-github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 h1:/vQbFIOMbk2FiG/kXiLl8BRyzTWDw7gX/Hz7Dd5eDMs=
-github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4/go.mod h1:hN7oaIRCjzsZ2dE+yG5k+rsdt3qcwykqK6HVGcKwsw4=
-github.com/99designs/keyring v1.2.2 h1:pZd3neh/EmUzWONb35LxQfvuY7kiSXAq3HQd97+XBn0=
-github.com/99designs/keyring v1.2.2/go.mod h1:wes/FrByc8j7lFOAGLGSNEg8f/PaI3cgTBqhFkHUrPk=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20210715213245-6c3934b029d8/go.mod h1:CzsSbkDixRphAF5hS6wbMKq0eI6ccJRb7/A0M6JBnwg=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20221206110420-d395f97c4830/go.mod h1:VzwV+t+dZ9j/H867F1M2ziD+yLHtB46oM35FxxMJ4d0=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 h1:EKPd1INOIyr5hWOWhvpmQpY6tKjeG0hT1s3AMC/9fic=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1/go.mod h1:VzwV+t+dZ9j/H867F1M2ziD+yLHtB46oM35FxxMJ4d0=
-github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20221215162035-5330a85ea652/go.mod h1:OahwfttHWG6eJ0clwcfBAHoDI6X/LV/15hx/wlMZSrU=
-github.com/Azure/azure-pipeline-go v0.2.3 h1:7U9HBg1JFK3jHl5qmo4CTZKFTVgMwdFHMVtCdfBE21U=
-github.com/Azure/azure-pipeline-go v0.2.3/go.mod h1:x841ezTBIMG6O3lAcl8ATHnsOPVl2bqk7S3ta6S6u4k=
-github.com/Azure/azure-sdk-for-go v16.2.1+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
-github.com/Azure/azure-sdk-for-go v44.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
-github.com/Azure/azure-sdk-for-go v56.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
-github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU=
-github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v0.19.0/go.mod h1:h6H6c8enJmmocHUbLiiGY6sx7f9i+X3m1CHdd5c6Rdw=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.0.0/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.3.0/go.mod h1:tZoQYdDZNOiIjdSn0dVWVfl0NEPGOJqVLzSrcFk4Is0=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.4.0/go.mod h1:ON4tFdPTwRcgWEaVDrN3584Ef+b7GgSJaXxe5fW9t4M=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1 h1:/iHxaJhsFr0+xVFfbMr5vxz848jyiWuIEDhYq3y5odY=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v0.11.0/go.mod h1:HcM1YX14R7CJcghJGOYCgdezslRSVzqwLf/q+4Y2r/0=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0/go.mod h1:bhXu1AjYL+wutSL/kpSq6s7733q2Rb0yuot9Zgfqa/0=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0/go.mod h1:OQeznEEkTZ9OrhHJoDD8ZDq51FHgXjqtP9z6bEwBq9U=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1 h1:LNHhpdK7hzUcx/k1LIcuh5k7k1LGIWLQfCjaneSj7Fc=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1/go.mod h1:uE9zaUfEQT/nbQjVi2IblCG9iaLtZsuYZ8ne+PuQ02M=
-github.com/Azure/azure-sdk-for-go/sdk/internal v0.7.0/go.mod h1:yqy467j36fJxcRV2TzfVZ1pCb5vxm4BtZPUdYWe/Xo8=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.1/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.2/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0/go.mod h1:okt5dMMTOFjX/aovMlrjvvXoPMBVSPzk9185BT0+eZM=
-github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v4 v4.2.1 h1:UPeCRD+XY7QlaGQte2EVI2iOcWvUYA2XY8w5T/8v0NQ=
-github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v4 v4.2.1/go.mod h1:oGV6NlB0cvi1ZbYRR2UN44QHxWFyGk+iylgD0qaMXjA=
-github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal v1.1.2 h1:mLY+pNLjCUeKhgnAJWAKhEUQM+RJQo2H1fuGSw1Ky1E=
-github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/managementgroups/armmanagementgroups v1.0.0 h1:pPvTJ1dY0sA35JOeFq6TsY2xj6Z85Yo23Pj4wCCvu4o=
-github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi v1.1.0 h1:Q707jfTFqfunSnh73YkCBDXR3GQJKno3chPRxXw//ho=
-github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi v1.1.0/go.mod h1:vjoxsjVnPwhjHZw4PuuhpgYlcxWl5tyNedLHUl0ulFA=
-github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.0.0 h1:nBy98uKOIfun5z6wx6jwWLrULcM0+cjBalBFZlEZ7CA=
-github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.1.1 h1:7CBQ+Ei8SP2c6ydQTGCCrS35bDxgTMfoP2miAwK++OU=
-github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.1.1/go.mod h1:c/wcGeGx5FUPbM/JltUYHZcKmigwyVLJlDq+4HdtXaw=
-github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.0.0 h1:u/LLAOFgsMv7HmNL4Qufg58y+qElGOt5qv0z1mURkRY=
-github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.0.0/go.mod h1:2e8rMJtl2+2j+HXbTBwnyGpm5Nou7KhvSfxOq8JpTag=
-github.com/Azure/azure-storage-blob-go v0.15.0 h1:rXtgp8tN1p29GvpGgfJetavIG0V7OgcSXPpwp3tx6qk=
-github.com/Azure/azure-storage-blob-go v0.15.0/go.mod h1:vbjsVbX0dlxnRc4FFMPsS9BsJWPcne7GB7onqlPvz58=
-github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
-github.com/Azure/go-ansiterm v0.0.0-20210608223527-2377c96fe795/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
-github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
-github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
-github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
-github.com/Azure/go-autorest v10.8.1+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
-github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs=
-github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
-github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI=
-github.com/Azure/go-autorest/autorest v0.11.0/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw=
-github.com/Azure/go-autorest/autorest v0.11.1/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw=
-github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA=
-github.com/Azure/go-autorest/autorest v0.11.24/go.mod h1:G6kyRlFnTuSbEYkQGawPfsCswgme4iYf6rfSKUDzbCc=
-github.com/Azure/go-autorest/autorest v0.11.29 h1:I4+HL/JDvErx2LjyzaVxllw2lRDB5/BT2Bm4g20iqYw=
-github.com/Azure/go-autorest/autorest v0.11.29/go.mod h1:ZtEzC4Jy2JDrZLxvWs8LrBWEBycl1hbT1eknI8MtfAs=
-github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0=
-github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg=
-github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A=
-github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M=
-github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ=
-github.com/Azure/go-autorest/autorest/adal v0.9.22/go.mod h1:XuAbAEUv2Tta//+voMI038TrJBqjKam0me7qR+L8Cmk=
-github.com/Azure/go-autorest/autorest/adal v0.9.23 h1:Yepx8CvFxwNKpH6ja7RZ+sKX+DWYNldbLiALMC3BTz8=
-github.com/Azure/go-autorest/autorest/adal v0.9.23/go.mod h1:5pcMqFkdPhviJdlEy3kC/v1ZLnQl0MH6XA5YCcMhy4c=
-github.com/Azure/go-autorest/autorest/azure/auth v0.5.0/go.mod h1:QRTvSZQpxqm8mSErhnbI+tANIBAKP7B+UIE2z4ypUO0=
-github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 h1:wkAZRgT/pn8HhFyzfe9UnqOjJYqlembgCTi72Bm/xKk=
-github.com/Azure/go-autorest/autorest/azure/auth v0.5.12/go.mod h1:84w/uV8E37feW2NCJ08uT9VBfjfUHpgLVnG2InYD6cg=
-github.com/Azure/go-autorest/autorest/azure/cli v0.4.0/go.mod h1:JljT387FplPzBA31vUcvsetLKF3pec5bdAxjVU4kI2s=
-github.com/Azure/go-autorest/autorest/azure/cli v0.4.5/go.mod h1:ADQAXrkgm7acgWVUNamOgh8YNrv4p27l3Wc55oVfpzg=
-github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 h1:w77/uPk80ZET2F+AfQExZyEWtn+0Rk/uw17m9fv5Ajc=
-github.com/Azure/go-autorest/autorest/azure/cli v0.4.6/go.mod h1:piCfgPho7BiIDdEQ1+g4VmKyD5y+p/XtSNqE6Hc4QD0=
-github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA=
-github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw=
-github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74=
-github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
-github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
-github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
-github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
-github.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw=
-github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU=
-github.com/Azure/go-autorest/autorest/to v0.4.0 h1:oXVqrxakqqV1UZdSazDOPOLvOIz+XA683u8EctwboHk=
-github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE=
-github.com/Azure/go-autorest/autorest/validation v0.3.0/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E=
-github.com/Azure/go-autorest/autorest/validation v0.3.1 h1:AgyqjAd94fwNAoTjl/WQXg4VvFeRFpO+UhNyRXqF1ac=
-github.com/Azure/go-autorest/autorest/validation v0.3.1/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E=
-github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc=
-github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
-github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg=
-github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
-github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk=
-github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
-github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
-github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
-github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
-github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
-github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1/go.mod h1:Vt9sXTKwMyGcOxSmLDMnGPgqsUg7m8pe215qMLrDXw4=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0/go.mod h1:kgDmCTgBzIEPFElEF+FK0SdjAor06dRq2Go927dnQ6o=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 h1:WpB/QDNLpMw72xHJc34BNNykqSOeEJDAWkhf0u12/Jk=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
-github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
-github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
-github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/DataDog/datadog-go v2.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
-github.com/DataDog/datadog-go v3.2.0+incompatible h1:qSG2N4FghB1He/r2mFrWKCaL7dXCilEuNEeAn20fdD4=
-github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
-github.com/Jeffail/gabs v1.1.1 h1:V0uzR08Hj22EX8+8QMhyI9sX2hwRu+/RJhJUmnwda/E=
-github.com/Jeffail/gabs v1.1.1/go.mod h1:6xMvQMK4k33lb7GUUpaAPh6nKMmemQeg5d4gn7/bOXc=
-github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c h1:RGWPOewvKIROun94nF7v2cua9qP+thov/7M50KEoeSU=
-github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk=
-github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
-github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
-github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
-github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
-github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
-github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
-github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
-github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0=
-github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
-github.com/Masterminds/sprig/v3 v3.2.1/go.mod h1:UoaO7Yp8KlPnJIYWTFkMaqPUYKTfGFPhxNuwnnxkKlk=
-github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA=
-github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM=
-github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
-github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
-github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw=
-github.com/Microsoft/go-winio v0.4.16-0.20201130162521-d1ffc52c7331/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0=
-github.com/Microsoft/go-winio v0.4.16/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0=
-github.com/Microsoft/go-winio v0.4.17-0.20210211115548-6eac466e5fa3/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
-github.com/Microsoft/go-winio v0.4.17-0.20210324224401-5516f17a5958/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
-github.com/Microsoft/go-winio v0.4.17/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
-github.com/Microsoft/go-winio v0.5.1/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
-github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
-github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE=
-github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
-github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
-github.com/Microsoft/hcsshim v0.8.6/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg=
-github.com/Microsoft/hcsshim v0.8.7-0.20190325164909-8abdbb8205e4/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg=
-github.com/Microsoft/hcsshim v0.8.7/go.mod h1:OHd7sQqRFrYd3RmSgbgji+ctCwkbq2wbEYNSzOYtcBQ=
-github.com/Microsoft/hcsshim v0.8.9/go.mod h1:5692vkUqntj1idxauYlpoINNKeqCiG6Sg38RRsjT5y8=
-github.com/Microsoft/hcsshim v0.8.14/go.mod h1:NtVKoYxQuTLx6gEq0L96c9Ju4JbRJ4nY2ow3VK6a9Lg=
-github.com/Microsoft/hcsshim v0.8.15/go.mod h1:x38A4YbHbdxJtc0sF6oIz+RG0npwSCAvn69iY6URG00=
-github.com/Microsoft/hcsshim v0.8.16/go.mod h1:o5/SZqmR7x9JNKsW3pu+nqHm0MF8vbA+VxGOoXdC600=
-github.com/Microsoft/hcsshim v0.8.20/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4=
-github.com/Microsoft/hcsshim v0.8.21/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4=
-github.com/Microsoft/hcsshim v0.8.23/go.mod h1:4zegtUJth7lAvFyc6cH2gGQ5B3OFQim01nnU2M8jKDg=
-github.com/Microsoft/hcsshim v0.9.2/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc=
-github.com/Microsoft/hcsshim v0.9.3/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc=
-github.com/Microsoft/hcsshim v0.9.4/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc=
-github.com/Microsoft/hcsshim v0.9.6/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc=
-github.com/Microsoft/hcsshim v0.10.0-rc.7 h1:HBytQPxcv8Oy4244zbQbe6hnOnx544eL5QPUqhJldz8=
-github.com/Microsoft/hcsshim v0.10.0-rc.7/go.mod h1:ILuwjA+kNW+MrN/w5un7n3mTqkwsFu4Bp05/okFUZlE=
-github.com/Microsoft/hcsshim/test v0.0.0-20201218223536-d3e5debf77da/go.mod h1:5hlzMzRKMLyo42nCZ9oml8AdTlq/0cvIaBv6tK1RehU=
-github.com/Microsoft/hcsshim/test v0.0.0-20210227013316-43a75bb4edd3/go.mod h1:mw7qgWloBUl75W/gVH3cQszUg1+gUITj7D6NY7ywVnY=
-github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
-github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
-github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEVMRuU21PR1EtLVZJmdB18Gu3Rw=
-github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk=
-github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
-github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q=
-github.com/ProtonMail/go-crypto v0.0.0-20230626094100-7e9e0395ebec h1:vV3RryLxt42+ZIVOFbYJCH1jsZNTNmj2NYru5zfx+4E=
-github.com/ProtonMail/go-crypto v0.0.0-20230626094100-7e9e0395ebec/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
-github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
-github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
-github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
-github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
-github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
-github.com/SAP/go-hdb v0.14.1 h1:hkw4ozGZ/i4eak7ZuGkY5e0hxiXFdNUBNhr4AvZVNFE=
-github.com/SAP/go-hdb v0.14.1/go.mod h1:7fdQLVC2lER3urZLjZCm0AuMQfApof92n3aylBPEkMo=
-github.com/Sectorbob/mlab-ns2 v0.0.0-20171030222938-d3aa0c295a8a h1:KFHLI4QGttB0i7M3qOkAo8Zn/GSsxwwCnInFqBaYtkM=
-github.com/Sectorbob/mlab-ns2 v0.0.0-20171030222938-d3aa0c295a8a/go.mod h1:D73UAuEPckrDorYZdtlCu2ySOLuPB5W4rhIkmmc/XbI=
-github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ=
-github.com/abdullin/seq v0.0.0-20160510034733-d5467c17e7af h1:DBNMBMuMiWYu0b+8KMJuWmfCkcxl09JwdlqwDZZ6U14=
-github.com/abdullin/seq v0.0.0-20160510034733-d5467c17e7af/go.mod h1:5Jv4cbFiHJMsVxt52+i0Ha45fjshj6wxYr1r19tB9bw=
-github.com/acomagu/bufpipe v1.0.4 h1:e3H4WUzM3npvo5uv95QuJM3cQspFNtFBzvJ2oNjKIDQ=
-github.com/acomagu/bufpipe v1.0.4/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4=
-github.com/aerospike/aerospike-client-go/v5 v5.6.0 h1:tRxcUq0HY8fFPQEzF3EgrknF+w1xFO0YDfUb9Nm8yRI=
-github.com/aerospike/aerospike-client-go/v5 v5.6.0/go.mod h1:rJ/KpmClE7kiBPfvAPrGw9WuNOiz8v2uKbQaUyYPXtI=
-github.com/agext/levenshtein v1.2.1 h1:QmvMAjj2aEICytGiWzmxoE0x2KZvE0fvmqMOfy2tjT8=
-github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
-github.com/agnivade/levenshtein v1.0.1/go.mod h1:CURSv5d9Uaml+FovSIICkLbAUZ9S4RqaHDIsdSBg7lM=
-github.com/ajstarks/deck v0.0.0-20200831202436-30c9fc6549a9/go.mod h1:JynElWSGnm/4RlzPXRlREEwqTHAN3T56Bv2ITsFT3gY=
-github.com/ajstarks/deck/generate v0.0.0-20210309230005-c3f852c02e19/go.mod h1:T13YZdzov6OU0A1+RfKZiZN9ca6VeKdBdyDV+BY97Tk=
-github.com/ajstarks/svgo v0.0.0-20180226025133-644b8db467af/go.mod h1:K08gAheRH3/J6wwsYMMT4xOr94bZjxIelGM0+d/wbFw=
-github.com/ajstarks/svgo v0.0.0-20211024235047-1546f124cd8b/go.mod h1:1KcenG0jGWcpt8ov532z81sp/kMMUG485J2InIOyADM=
-github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
-github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
-github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
-github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:CgnQgUtFrFz9mxFNtED3jI5tLDjKlOM+oUF/sTk6ps0=
-github.com/alexflint/go-filemutex v1.1.0/go.mod h1:7P4iRhttt/nUvUOrYIhcpMzv2G6CY9UnI16Z+UJqRyk=
-github.com/alexflint/go-filemutex v1.2.0/go.mod h1:mYyQSWvw9Tx2/H2n9qXPb52tTYfE0pZAWcBq5mK025c=
-github.com/aliyun/alibaba-cloud-sdk-go v1.62.521 h1:EomsfZIigG7/aTkX1ftTdSPnWr8KJGcy678mRpyVm+k=
-github.com/aliyun/alibaba-cloud-sdk-go v1.62.521/go.mod h1:Api2AkmMgGaSUAhmk76oaFObkoeCPc/bKAqcyplPODs=
-github.com/aliyun/aliyun-oss-go-sdk v0.0.0-20190307165228-86c17b95fcd5 h1:nWDRPCyCltiTsANwC/n3QZH7Vww33Npq9MKqlwRzI/c=
-github.com/aliyun/aliyun-oss-go-sdk v0.0.0-20190307165228-86c17b95fcd5/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8=
-github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
-github.com/andybalholm/brotli v1.0.1/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y=
-github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY=
-github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
-github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
-github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
-github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20220418222510-f25a4f6275ed/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY=
-github.com/antlr/antlr4/runtime/Go/antlr v1.4.10/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY=
-github.com/apache/arrow/go/v10 v10.0.1/go.mod h1:YvhnlEePVnBS4+0z3fhPfUy7W1Ikj0Ih0vcRo/gZ1M0=
-github.com/apache/arrow/go/v11 v11.0.0/go.mod h1:Eg5OsL5H+e299f7u5ssuXsuHQVEGC4xei5aX110hRiI=
-github.com/apache/arrow/go/v12 v12.0.0/go.mod h1:d+tV/eHZZ7Dz7RPrFKtPK02tpr+c9/PEd/zm8mDS9Vg=
-github.com/apache/arrow/go/v12 v12.0.1 h1:JsR2+hzYYjgSUkBSaahpqCetqZMr76djX80fF/DiJbg=
-github.com/apache/arrow/go/v12 v12.0.1/go.mod h1:weuTY7JvTG/HDPtMQxEUp7pU73vkLWMLpY67QwZ/WWw=
-github.com/apache/thrift v0.16.0 h1:qEy6UW60iVOlUy+b9ZR0d5WzUWYGOo4HfopoyBaNmoY=
-github.com/apache/thrift v0.16.0/go.mod h1:PHK3hniurgQaNMZYaCLEqXKsYK8upmhPbmdP2FXSqgU=
-github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw=
-github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
-github.com/apple/foundationdb/bindings/go v0.0.0-20190411004307-cd5c9d91fad2 h1:VoHKYIXEQU5LWoambPBOvYxyLqZYHuj+rj5DVnMUc3k=
-github.com/apple/foundationdb/bindings/go v0.0.0-20190411004307-cd5c9d91fad2/go.mod h1:OMVSB21p9+xQUIqlGizHPZfjK+SHws1ht+ZytVDoz9U=
-github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
-github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
-github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
-github.com/armon/go-metrics v0.0.0-20190430140413-ec5e00d3c878/go.mod h1:3AMJUQhVx52RsWOnlkpikZr01T/yAVN2gn0861vByNg=
-github.com/armon/go-metrics v0.3.0/go.mod h1:zXjbSimjXTd7vOpY8B0/2LpvNvDoXBuplAD+gJD3GYs=
-github.com/armon/go-metrics v0.4.1 h1:hR91U9KYmb6bLBYLQjyM+3j+rcd/UhE+G78SFnF8gJA=
-github.com/armon/go-metrics v0.4.1/go.mod h1:E6amYzXo6aW1tqzoZGT755KkbgrJsSdpwZ+3JqfkOG4=
-github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
-github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI=
-github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
-github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
-github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
-github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
-github.com/asaskevich/govalidator v0.0.0-20200108200545-475eaeb16496/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg=
-github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg=
-github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef h1:46PFijGLmAjMPwCCCo7Jf0W6f9slllCkkv7vyc1yOSg=
-github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
-github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0=
-github.com/aws/aws-sdk-go v1.25.41/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
-github.com/aws/aws-sdk-go v1.34.0/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
-github.com/aws/aws-sdk-go v1.34.28/go.mod h1:H7NKnBqNVzoTJpGfLrQkkD+ytBA93eiDYi/+8rV9s48=
-github.com/aws/aws-sdk-go v1.36.29/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
-github.com/aws/aws-sdk-go v1.43.16/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
-github.com/aws/aws-sdk-go v1.44.331 h1:hEwdOTv6973uegCUY2EY8jyyq0OUg9INc0HOzcu2bjw=
-github.com/aws/aws-sdk-go v1.44.331/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
-github.com/aws/aws-sdk-go-v2 v1.17.7 h1:CLSjnhJSTSogvqUGhIC6LqFKATMRexcxLZ0i/Nzk9Eg=
-github.com/aws/aws-sdk-go-v2 v1.17.7/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.10 h1:dK82zF6kkPeCo8J1e+tGx4JdvDIQzj7ygIoLg8WMuGs=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.10/go.mod h1:VeTZetY5KRJLuD/7fkQXMU6Mw7H5m/KP2J5Iy9osMno=
-github.com/aws/aws-sdk-go-v2/config v1.18.19 h1:AqFK6zFNtq4i1EYu+eC7lcKHYnZagMn6SW171la0bGw=
-github.com/aws/aws-sdk-go-v2/config v1.18.19/go.mod h1:XvTmGMY8d52ougvakOv1RpiTLPz9dlG/OQHsKU/cMmY=
-github.com/aws/aws-sdk-go-v2/credentials v1.13.18 h1:EQMdtHwz0ILTW1hoP+EwuWhwCG1hD6l3+RWFQABET4c=
-github.com/aws/aws-sdk-go-v2/credentials v1.13.18/go.mod h1:vnwlwjIe+3XJPBYKu1et30ZPABG3VaXJYr8ryohpIyM=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.1 h1:gt57MN3liKiyGopcqgNzJb2+d9MJaKT/q1OksHNXVE4=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.1/go.mod h1:lfUx8puBRdM5lVVMQlwt2v+ofiG/X6Ms+dy0UkG/kXw=
-github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.59 h1:E3Y+OfzOK1+rmRo/K2G0ml8Vs+Xqk0kOnf4nS0kUtBc=
-github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.59/go.mod h1:1M4PLSBUVfBI0aP+C9XI7SM6kZPCGYyI6izWz0TGprE=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.31 h1:sJLYcS+eZn5EeNINGHSCRAwUJMFVqklwkH36Vbyai7M=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.31/go.mod h1:QT0BqUvX1Bh2ABdTGnjqEjvjzrCfIniM9Sc8zn9Yndo=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.25 h1:1mnRASEKnkqsntcxHaysxwgVoUUp5dkiB+l3llKnqyg=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.25/go.mod h1:zBHOPwhBc3FlQjQJE/D3IfPWiWaQmT06Vq9aNukDo0k=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.3.32 h1:p5luUImdIqywn6JpQsW3tq5GNOxKmOnEpybzPx+d1lk=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.3.32/go.mod h1:XGhIBZDEgfqmFIugclZ6FU7v75nHhBDtzuB4xB/tEi4=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.23 h1:DWYZIsyqagnWL00f8M/SOr9fN063OEQWn9LLTbdYXsk=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.23/go.mod h1:uIiFgURZbACBEQJfqTZPb/jxO7R+9LeoHUFudtIdeQI=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.11 h1:y2+VQzC6Zh2ojtV2LoC0MNwHWc6qXv/j2vrQtlftkdA=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.11/go.mod h1:iV4q2hsqtNECrfmlXyord9u4zyuFEJX9eLgLpSPzWA8=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.26 h1:CeuSeq/8FnYpPtnuIeLQEEvDv9zUjneuYi8EghMBdwQ=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.26/go.mod h1:2UqAAwMUXKeRkAHIlDJqvMVgOWkUi/AUXPk/YIe+Dg4=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.25 h1:5LHn8JQ0qvjD9L9JhMtylnkcw7j05GDZqM9Oin6hpr0=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.25/go.mod h1:/95IA+0lMnzW6XzqYJRpjjsAbKEORVeO0anQqjd2CNU=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.14.0 h1:e2ooMhpYGhDnBfSvIyusvAwX7KexuZaHbQY2Dyei7VU=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.14.0/go.mod h1:bh2E0CXKZsQN+faiKVqC40vfNMAWheoULBCnEgO9K+8=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.31.0 h1:B1G2pSPvbAtQjilPq+Y7jLIzCOwKzuVEl+aBBaNG0AQ=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.31.0/go.mod h1:ncltU6n4Nof5uJttDtcNQ537uNuwYqsZZQcpkd2/GUQ=
-github.com/aws/aws-sdk-go-v2/service/sso v1.12.6 h1:5V7DWLBd7wTELVz5bPpwzYy/sikk0gsgZfj40X+l5OI=
-github.com/aws/aws-sdk-go-v2/service/sso v1.12.6/go.mod h1:Y1VOmit/Fn6Tz1uFAeCO6Q7M2fmfXSCLeL5INVYsLuY=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.6 h1:B8cauxOH1W1v7rd8RdI/MWnoR4Ze0wIHWrb90qczxj4=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.6/go.mod h1:Lh/bc9XUf8CfOY6Jp5aIkQtN+j1mc+nExc+KXj9jx2s=
-github.com/aws/aws-sdk-go-v2/service/sts v1.18.7 h1:bWNgNdRko2x6gqa0blfATqAZKZokPIeM1vfmQt2pnvM=
-github.com/aws/aws-sdk-go-v2/service/sts v1.18.7/go.mod h1:JuTnSoeePXmMVe9G8NcjjwgOKEfZ4cOjMuT2IBT/2eI=
-github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8=
-github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
-github.com/axiomhq/hyperloglog v0.0.0-20220105174342-98591331716a h1:eqjiAL3qooftPm8b9C1GsSSRcmlw7iOva8vdBTmV2PY=
-github.com/axiomhq/hyperloglog v0.0.0-20220105174342-98591331716a/go.mod h1:2stgcRjl6QmW+gU2h5E7BQXg4HU0gzxKWDuT5HviN9s=
-github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f h1:ZNv7On9kyUzm7fvRZumSyy/IUiSC7AzL0I1jKKtwooA=
-github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f/go.mod h1:AuiFmCCPBSrqvVMvuqFuk0qogytodnVFVSN5CeJB8Gc=
-github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM=
-github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
-github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
-github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
-github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
-github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
-github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
-github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/bgentry/speakeasy v0.1.0 h1:ByYyxL9InA1OWqxJqqp2A5pYHUrCiAL6K3J+LKSsQkY=
-github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
-github.com/bitly/go-hostpool v0.0.0-20171023180738-a3a6125de932 h1:mXoPYz/Ul5HYEDvkta6I8/rnYM5gSdSV2tJ6XbZuEtY=
-github.com/bitly/go-hostpool v0.0.0-20171023180738-a3a6125de932/go.mod h1:NOuUCSz6Q9T7+igc/hlvDOUdtWKryOrtFyIVABv/p7k=
-github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngEKAMDJEczWVA=
-github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA=
-github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
-github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
-github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
-github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
-github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 h1:DDGfHa7BWjL4YnC6+E63dPcxHo2sUxDIu8g3QgEJdRY=
-github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4=
-github.com/boltdb/bolt v1.3.1/go.mod h1:clJnj/oiGkjum5o1McbSZDSLxVThjynRyGBgiAx27Ps=
-github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
-github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
-github.com/boombuler/barcode v1.0.1 h1:NDBbPmhS+EqABEs5Kg3n/5ZNjy73Pz7SIV+KCeqyXcs=
-github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
-github.com/bshuster-repo/logrus-logstash-hook v0.4.1/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk=
-github.com/bshuster-repo/logrus-logstash-hook v1.0.0/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk=
-github.com/bufbuild/protocompile v0.4.0 h1:LbFKd2XowZvQ/kajzguUp2DC9UEIQhIq77fZZlaQsNA=
-github.com/bufbuild/protocompile v0.4.0/go.mod h1:3v93+mbWn/v3xzN+31nwkJfrEpAUwp+BagBSZWx+TP8=
-github.com/buger/jsonparser v0.0.0-20180808090653-f4dd9f5a6b44/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
-github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0=
-github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd/go.mod h1:2oa8nejYd4cQ/b0hMIopN0lCRxU0bueqREvZLWFrtK8=
-github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b/go.mod h1:obH5gd0BsqsP2LwDJ9aOkm/6J86V6lyAXCoQWGw3K50=
-github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE=
-github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
-github.com/bytecodealliance/wasmtime-go v0.36.0/go.mod h1:q320gUxqyI8yB+ZqRuaJOEnGkAnHh6WtJjMaT2CW4wI=
-github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4=
-github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
-github.com/cenkalti/backoff/v3 v3.0.0/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=
-github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M=
-github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=
-github.com/cenkalti/backoff/v4 v4.1.1/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
-github.com/cenkalti/backoff/v4 v4.1.2/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
-github.com/cenkalti/backoff/v4 v4.1.3/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
-github.com/cenkalti/backoff/v4 v4.2.0 h1:HN5dHm3WBOgndBH6E8V0q2jIYIR3s9yglV8k/+MN3u4=
-github.com/cenkalti/backoff/v4 v4.2.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g=
-github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw=
-github.com/centrify/cloud-golang-sdk v0.0.0-20210923165758-a8c48d049166 h1:jQ93fKqb/wRmK/KiHpa7Tk9rmHeKXhp4j+5Sg/tENiY=
-github.com/centrify/cloud-golang-sdk v0.0.0-20210923165758-a8c48d049166/go.mod h1:c/gmvyN8lq6lYtHvrqqoXrg2xyN65N0mBmbikxFWXNE=
-github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA=
-github.com/certifi/gocertifi v0.0.0-20200922220541-2c3bb06c6054/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA=
-github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
-github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
-github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/checkpoint-restore/go-criu/v4 v4.1.0/go.mod h1:xUQBLp4RLc5zJtWY++yjOoMoB5lihDt7fai+75m+rGw=
-github.com/checkpoint-restore/go-criu/v5 v5.0.0/go.mod h1:cfwC0EG7HMUenopBsUf9d89JlCLQIfgVcNsNN0t6T2M=
-github.com/checkpoint-restore/go-criu/v5 v5.3.0/go.mod h1:E/eQpaFtUKGOOSEBZgmKAcn+zUUwWxqcaKZlF54wK8E=
-github.com/chrismalek/oktasdk-go v0.0.0-20181212195951-3430665dfaa0 h1:CWU8piLyqoi9qXEUwzOh5KFKGgmSU5ZhktJyYcq6ryQ=
-github.com/chrismalek/oktasdk-go v0.0.0-20181212195951-3430665dfaa0/go.mod h1:5d8DqS60xkj9k3aXfL3+mXBH0DPYO0FQjcKosxl+b/Q=
-github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
-github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
-github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/cilium/ebpf v0.0.0-20200110133405-4032b1d8aae3/go.mod h1:MA5e5Lr8slmEg9bt0VpxxWqJlO4iwu3FBdHUzV7wQVg=
-github.com/cilium/ebpf v0.0.0-20200702112145-1c8d4c9ef775/go.mod h1:7cR51M8ViRLIdUjrmSXlK9pkrsDlLHbO8jiB8X8JnOc=
-github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX2Qs=
-github.com/cilium/ebpf v0.4.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
-github.com/cilium/ebpf v0.6.2/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
-github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA=
-github.com/cilium/ebpf v0.9.1/go.mod h1:+OhNOIXx/Fnu1IE8bJz2dzOA+VSfyTfdNUVdlQnxUFY=
-github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible h1:C29Ae4G5GtYyYMm1aztcyj/J5ckgJm2zwdDajFbx1NY=
-github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag=
-github.com/circonus-labs/circonusllhist v0.1.3 h1:TJH+oke8D16535+jHExHj4nQvzlZrj7ug5D7I/orNUA=
-github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
-github.com/cjlapao/common-go v0.0.39 h1:bAAUrj2B9v0kMzbAOhzjSmiyDy+rd56r2sy7oEiQLlA=
-github.com/cjlapao/common-go v0.0.39/go.mod h1:M3dzazLjTjEtZJbbxoA5ZDiGCiHmpwqW9l4UWaddwOA=
-github.com/client9/misspell v0.3.4 h1:ta993UF76GwbvJcIo3Y68y/M3WxlpEHPWIGDkJYwzJI=
-github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
-github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
-github.com/cloudfoundry-community/go-cfclient v0.0.0-20220930021109-9c4e6c59ccf1 h1:ef0OsiQjSQggHrLFAMDRiu6DfkVSElA5jfG1/Nkyu6c=
-github.com/cloudfoundry-community/go-cfclient v0.0.0-20220930021109-9c4e6c59ccf1/go.mod h1:sgaEj3tRn0hwe7GPdEUwxrdOqjBzyjyvyOCGf1OQyZY=
-github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
-github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
-github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
-github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
-github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe h1:QQ3GSy+MqSHxm/d8nCtnAiZdYFd45cYZPs8vOOIYKfk=
-github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
-github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20220314180256-7f1daf1720fc/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20230105202645-06c439db220b/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20230310173818-32f1caf87195/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20230428030218-4003588d1b74/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4 h1:/inchEIKaYC1Akx+H+gqO04wryn5h75LSazbRlnya1k=
-github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I=
-github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
-github.com/cockroachdb/cockroach-go v0.0.0-20181001143604-e0a95dfd547c h1:2zRrJWIt/f9c9HhNHAgrRgq0San5gRRUJTBXLkchal0=
-github.com/cockroachdb/cockroach-go v0.0.0-20181001143604-e0a95dfd547c/go.mod h1:XGLbWH/ujMcbPbhZq52Nv6UrCghb1yGn//133kEsvDk=
-github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
-github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo=
-github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA=
-github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI=
-github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0 h1:sDMmm+q/3+BukdIpxwO365v/Rbspp2Nt5XntgQRXq8Q=
-github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0/go.mod h1:4Zcjuz89kmFXt9morQgcfYZAYZ5n8WHjt81YYWIwtTM=
-github.com/container-orchestrated-devices/container-device-interface v0.5.4/go.mod h1:DjE95rfPiiSmG7uVXtg0z6MnPm/Lx4wxKCIts0ZE0vg=
-github.com/containerd/aufs v0.0.0-20200908144142-dab0cbea06f4/go.mod h1:nukgQABAEopAHvB6j7cnP5zJ+/3aVcE7hCYqvIwAHyE=
-github.com/containerd/aufs v0.0.0-20201003224125-76a6863f2989/go.mod h1:AkGGQs9NM2vtYHaUen+NljV0/baGCAPELGm2q9ZXpWU=
-github.com/containerd/aufs v0.0.0-20210316121734-20793ff83c97/go.mod h1:kL5kd6KM5TzQjR79jljyi4olc1Vrx6XBlcyj3gNv2PU=
-github.com/containerd/aufs v1.0.0/go.mod h1:kL5kd6KM5TzQjR79jljyi4olc1Vrx6XBlcyj3gNv2PU=
-github.com/containerd/btrfs v0.0.0-20201111183144-404b9149801e/go.mod h1:jg2QkJcsabfHugurUvvPhS3E08Oxiuh5W/g1ybB4e0E=
-github.com/containerd/btrfs v0.0.0-20210316141732-918d888fb676/go.mod h1:zMcX3qkXTAi9GI50+0HOeuV8LU2ryCE/V2vG/ZBiTss=
-github.com/containerd/btrfs v1.0.0/go.mod h1:zMcX3qkXTAi9GI50+0HOeuV8LU2ryCE/V2vG/ZBiTss=
-github.com/containerd/btrfs/v2 v2.0.0/go.mod h1:swkD/7j9HApWpzl8OHfrHNxppPd9l44DFZdF94BUj9k=
-github.com/containerd/cgroups v0.0.0-20190717030353-c4b9ac5c7601/go.mod h1:X9rLEHIqSf/wfK8NsPqxJmeZgW4pcfzdXITDrUSJ6uI=
-github.com/containerd/cgroups v0.0.0-20190919134610-bf292b21730f/go.mod h1:OApqhQ4XNSNC13gXIwDjhOQxjWa/NxkwZXJ1EvqT0ko=
-github.com/containerd/cgroups v0.0.0-20200531161412-0dbf7f05ba59/go.mod h1:pA0z1pT8KYB3TCXK/ocprsh7MAkoW8bZVzPdih9snmM=
-github.com/containerd/cgroups v0.0.0-20200710171044-318312a37340/go.mod h1:s5q4SojHctfxANBDvMeIaIovkq29IP48TKAxnhYRxvo=
-github.com/containerd/cgroups v0.0.0-20200824123100-0b889c03f102/go.mod h1:s5q4SojHctfxANBDvMeIaIovkq29IP48TKAxnhYRxvo=
-github.com/containerd/cgroups v0.0.0-20210114181951-8a68de567b68/go.mod h1:ZJeTFisyysqgcCdecO57Dj79RfL0LNeGiFUqLYQRYLE=
-github.com/containerd/cgroups v1.0.1/go.mod h1:0SJrPIenamHDcZhEcJMNBB85rHcUsw4f25ZfBiPYRkU=
-github.com/containerd/cgroups v1.0.3/go.mod h1:/ofk34relqNjSGyqPrmEULrO4Sc8LJhvJmWbUCUKqj8=
-github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHqJDGwsa1mIw=
-github.com/containerd/cgroups/v3 v3.0.1/go.mod h1:/vtwk1VXrtoa5AaZLkypuOJgA/6DyPMZHJPGQNtlHnw=
-github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
-github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
-github.com/containerd/console v0.0.0-20191206165004-02ecf6a7291e/go.mod h1:8Pf4gM6VEbTNRIT26AyyU7hxdQU3MvAvxVI0sc00XBE=
-github.com/containerd/console v1.0.1/go.mod h1:XUsP6YE/mKtz6bxc+I8UiKKTP04qjQL4qcS3XoQ5xkw=
-github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ=
-github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U=
-github.com/containerd/containerd v1.2.10/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
-github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
-github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
-github.com/containerd/containerd v1.3.1-0.20191213020239-082f7e3aed57/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
-github.com/containerd/containerd v1.3.2/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
-github.com/containerd/containerd v1.4.0-beta.2.0.20200729163537-40b22ef07410/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
-github.com/containerd/containerd v1.4.1/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
-github.com/containerd/containerd v1.4.3/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
-github.com/containerd/containerd v1.4.9/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
-github.com/containerd/containerd v1.5.0-beta.1/go.mod h1:5HfvG1V2FsKesEGQ17k5/T7V960Tmcumvqn8Mc+pCYQ=
-github.com/containerd/containerd v1.5.0-beta.3/go.mod h1:/wr9AVtEM7x9c+n0+stptlo/uBBoBORwEx6ardVcmKU=
-github.com/containerd/containerd v1.5.0-beta.4/go.mod h1:GmdgZd2zA2GYIBZ0w09ZvgqEq8EfBp/m3lcVZIvPHhI=
-github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s=
-github.com/containerd/containerd v1.5.1/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g=
-github.com/containerd/containerd v1.5.7/go.mod h1:gyvv6+ugqY25TiXxcZC3L5yOeYgEw0QMhscqVp1AR9c=
-github.com/containerd/containerd v1.5.8/go.mod h1:YdFSv5bTFLpG2HIYmfqDpSYYTDX+mc5qtSuYx1YUb/s=
-github.com/containerd/containerd v1.6.1/go.mod h1:1nJz5xCZPusx6jJU8Frfct988y0NpumIq9ODB0kLtoE=
-github.com/containerd/containerd v1.6.6/go.mod h1:ZoP1geJldzCVY3Tonoz7b1IXk8rIX0Nltt5QE4OMNk0=
-github.com/containerd/containerd v1.6.8/go.mod h1:By6p5KqPK0/7/CgO/A6t/Gz+CUYUu2zf1hUaaymVXB0=
-github.com/containerd/containerd v1.6.9/go.mod h1:XVicUvkxOrftE2Q1YWUXgZwkkAxwQYNOFzYWvfVfEfQ=
-github.com/containerd/containerd v1.7.0 h1:G/ZQr3gMZs6ZT0qPUZ15znx5QSdQdASW11nXTLTM2Pg=
-github.com/containerd/containerd v1.7.0/go.mod h1:QfR7Efgb/6X2BDpTPJRvPTYDE9rsF0FsXX9J8sIs/sc=
-github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
-github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
-github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
-github.com/containerd/continuity v0.0.0-20200710164510-efbc4488d8fe/go.mod h1:cECdGN1O8G9bgKTlLhuPJimka6Xb/Gg7vYzCTNVxhvo=
-github.com/containerd/continuity v0.0.0-20201208142359-180525291bb7/go.mod h1:kR3BEg7bDFaEddKm54WSmrol1fKWDU1nKYkgrcgZT7Y=
-github.com/containerd/continuity v0.0.0-20210208174643-50096c924a4e/go.mod h1:EXlVlkqNba9rJe3j7w3Xa924itAMLgZH4UD/Q4PExuQ=
-github.com/containerd/continuity v0.1.0/go.mod h1:ICJu0PwR54nI0yPEnJ6jcS+J7CZAUXrLh8lPo2knzsM=
-github.com/containerd/continuity v0.2.2/go.mod h1:pWygW9u7LtS1o4N/Tn0FoCFDIXZ7rxcMX7HX1Dmibvk=
-github.com/containerd/continuity v0.3.0 h1:nisirsYROK15TAMVukJOUyGJjz4BNQJBVsNvAXZJ/eg=
-github.com/containerd/continuity v0.3.0/go.mod h1:wJEAIwKOm/pBZuBd0JmeTvnLquTB1Ag8espWhkykbPM=
-github.com/containerd/fifo v0.0.0-20180307165137-3d5202aec260/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
-github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
-github.com/containerd/fifo v0.0.0-20200410184934-f15a3290365b/go.mod h1:jPQ2IAeZRCYxpS/Cm1495vGFww6ecHmMk1YJH2Q5ln0=
-github.com/containerd/fifo v0.0.0-20201026212402-0724c46b320c/go.mod h1:jPQ2IAeZRCYxpS/Cm1495vGFww6ecHmMk1YJH2Q5ln0=
-github.com/containerd/fifo v0.0.0-20210316144830-115abcc95a1d/go.mod h1:ocF/ME1SX5b1AOlWi9r677YJmCPSwwWnQ9O123vzpE4=
-github.com/containerd/fifo v1.0.0/go.mod h1:ocF/ME1SX5b1AOlWi9r677YJmCPSwwWnQ9O123vzpE4=
-github.com/containerd/fifo v1.1.0/go.mod h1:bmC4NWMbXlt2EZ0Hc7Fx7QzTFxgPID13eH0Qu+MAb2o=
-github.com/containerd/go-cni v1.0.1/go.mod h1:+vUpYxKvAF72G9i1WoDOiPGRtQpqsNW/ZHtSlv++smU=
-github.com/containerd/go-cni v1.0.2/go.mod h1:nrNABBHzu0ZwCug9Ije8hL2xBCYh/pjfMb1aZGrrohk=
-github.com/containerd/go-cni v1.1.0/go.mod h1:Rflh2EJ/++BA2/vY5ao3K6WJRR/bZKsX123aPk+kUtA=
-github.com/containerd/go-cni v1.1.3/go.mod h1:Rflh2EJ/++BA2/vY5ao3K6WJRR/bZKsX123aPk+kUtA=
-github.com/containerd/go-cni v1.1.6/go.mod h1:BWtoWl5ghVymxu6MBjg79W9NZrCRyHIdUtk4cauMe34=
-github.com/containerd/go-cni v1.1.9/go.mod h1:XYrZJ1d5W6E2VOvjffL3IZq0Dz6bsVlERHbekNK90PM=
-github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0=
-github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0=
-github.com/containerd/go-runc v0.0.0-20200220073739-7016d3ce2328/go.mod h1:PpyHrqVs8FTi9vpyHwPwiNEGaACDxT/N/pLcvMSRA9g=
-github.com/containerd/go-runc v0.0.0-20201020171139-16b287bc67d0/go.mod h1:cNU0ZbCgCQVZK4lgG3P+9tn9/PaJNmoDXPpoJhDR+Ok=
-github.com/containerd/go-runc v1.0.0/go.mod h1:cNU0ZbCgCQVZK4lgG3P+9tn9/PaJNmoDXPpoJhDR+Ok=
-github.com/containerd/imgcrypt v1.0.1/go.mod h1:mdd8cEPW7TPgNG4FpuP3sGBiQ7Yi/zak9TYCG3juvb0=
-github.com/containerd/imgcrypt v1.0.4-0.20210301171431-0ae5c75f59ba/go.mod h1:6TNsg0ctmizkrOgXRNQjAPFWpMYRWuiB6dSF4Pfa5SA=
-github.com/containerd/imgcrypt v1.1.1-0.20210312161619-7ed62a527887/go.mod h1:5AZJNI6sLHJljKuI9IHnw1pWqo/F0nGDOuR9zgTs7ow=
-github.com/containerd/imgcrypt v1.1.1/go.mod h1:xpLnwiQmEUJPvQoAapeb2SNCxz7Xr6PJrXQb0Dpc4ms=
-github.com/containerd/imgcrypt v1.1.3/go.mod h1:/TPA1GIDXMzbj01yd8pIbQiLdQxed5ue1wb8bP7PQu4=
-github.com/containerd/imgcrypt v1.1.4/go.mod h1:LorQnPtzL/T0IyCeftcsMEO7AqxUDbdO8j/tSUpgxvo=
-github.com/containerd/imgcrypt v1.1.7/go.mod h1:FD8gqIcX5aTotCtOmjeCsi3A1dHmTZpnMISGKSczt4k=
-github.com/containerd/nri v0.0.0-20201007170849-eb1350a75164/go.mod h1:+2wGSDGFYfE5+So4M5syatU0N0f0LbWpuqyMi4/BE8c=
-github.com/containerd/nri v0.0.0-20210316161719-dbaa18c31c14/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY=
-github.com/containerd/nri v0.1.0/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY=
-github.com/containerd/nri v0.3.0/go.mod h1:Zw9q2lP16sdg0zYybemZ9yTDy8g7fPCIB3KXOGlggXI=
-github.com/containerd/stargz-snapshotter/estargz v0.4.1/go.mod h1:x7Q9dg9QYb4+ELgxmo4gBUeJB0tl5dqH1Sdz0nJU1QM=
-github.com/containerd/stargz-snapshotter/estargz v0.12.1/go.mod h1:12VUuCq3qPq4y8yUW+l5w3+oXV3cx2Po3KSe/SmPGqw=
-github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o=
-github.com/containerd/ttrpc v0.0.0-20190828172938-92c8520ef9f8/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o=
-github.com/containerd/ttrpc v0.0.0-20191028202541-4f1b8fe65a5c/go.mod h1:LPm1u0xBw8r8NOKoOdNMeVHSawSsltak+Ihv+etqsE8=
-github.com/containerd/ttrpc v1.0.1/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y=
-github.com/containerd/ttrpc v1.0.2/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y=
-github.com/containerd/ttrpc v1.1.0/go.mod h1:XX4ZTnoOId4HklF4edwc4DcqskFZuvXB1Evzy5KFQpQ=
-github.com/containerd/ttrpc v1.1.1-0.20220420014843-944ef4a40df3/go.mod h1:YYyNVhZrTMiaf51Vj6WhAJqJw+vl/nzABhj8pWrzle4=
-github.com/containerd/ttrpc v1.2.1/go.mod h1:sIT6l32Ph/H9cvnJsfXM5drIVzTr5A2flTf1G5tYZak=
-github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
-github.com/containerd/typeurl v0.0.0-20190911142611-5eb25027c9fd/go.mod h1:GeKYzf2pQcqv7tJ0AoCuuhtnqhva5LNU3U+OyKxxJpk=
-github.com/containerd/typeurl v1.0.1/go.mod h1:TB1hUtrpaiO88KEK56ijojHS1+NeF0izUACaJW2mdXg=
-github.com/containerd/typeurl v1.0.2/go.mod h1:9trJWW2sRlGub4wZJRTW83VtbOLS6hwcDZXTn6oPz9s=
-github.com/containerd/typeurl/v2 v2.1.0/go.mod h1:IDp2JFvbwZ31H8dQbEIY7sDl2L3o3HZj1hsSQlywkQ0=
-github.com/containerd/zfs v0.0.0-20200918131355-0a33824f23a2/go.mod h1:8IgZOBdv8fAgXddBT4dBXJPtxyRsejFIpXoklgxgEjw=
-github.com/containerd/zfs v0.0.0-20210301145711-11e8f1707f62/go.mod h1:A9zfAbMlQwE+/is6hi0Xw8ktpL+6glmqZYtevJgaB8Y=
-github.com/containerd/zfs v0.0.0-20210315114300-dde8f0fda960/go.mod h1:m+m51S1DvAP6r3FcmYCp54bQ34pyOwTieQDNRIRHsFY=
-github.com/containerd/zfs v0.0.0-20210324211415-d5c4544f0433/go.mod h1:m+m51S1DvAP6r3FcmYCp54bQ34pyOwTieQDNRIRHsFY=
-github.com/containerd/zfs v1.0.0/go.mod h1:m+m51S1DvAP6r3FcmYCp54bQ34pyOwTieQDNRIRHsFY=
-github.com/containernetworking/cni v0.7.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
-github.com/containernetworking/cni v0.8.0/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
-github.com/containernetworking/cni v0.8.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
-github.com/containernetworking/cni v1.0.1/go.mod h1:AKuhXbN5EzmD4yTNtfSsX3tPcmtrBI6QcRV0NiNt15Y=
-github.com/containernetworking/cni v1.1.1/go.mod h1:sDpYKmGVENF3s6uvMvGgldDWeG8dMxakj/u+i9ht9vw=
-github.com/containernetworking/cni v1.1.2/go.mod h1:sDpYKmGVENF3s6uvMvGgldDWeG8dMxakj/u+i9ht9vw=
-github.com/containernetworking/plugins v0.8.6/go.mod h1:qnw5mN19D8fIwkqW7oHHYDHVlzhJpcY6TQxn/fUyDDM=
-github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRDjeJr6FLK6vuiUwoH7P8=
-github.com/containernetworking/plugins v1.0.1/go.mod h1:QHCfGpaTwYTbbH+nZXKVTxNBDZcxSOplJT5ico8/FLE=
-github.com/containernetworking/plugins v1.1.1/go.mod h1:Sr5TH/eBsGLXK/h71HeLfX19sZPp3ry5uHSkI4LPxV8=
-github.com/containernetworking/plugins v1.2.0/go.mod h1:/VjX4uHecW5vVimFa1wkG4s+r/s9qIfPdqlLF4TW8c4=
-github.com/containers/ocicrypt v1.0.1/go.mod h1:MeJDzk1RJHv89LjsH0Sp5KTY3ZYkjXO/C+bKAeWFIrc=
-github.com/containers/ocicrypt v1.1.0/go.mod h1:b8AOe0YR67uU8OqfVNcznfFpAzu3rdgUV4GP9qXPfu4=
-github.com/containers/ocicrypt v1.1.1/go.mod h1:Dm55fwWm1YZAjYRaJ94z2mfZikIyIN4B0oB3dj3jFxY=
-github.com/containers/ocicrypt v1.1.2/go.mod h1:Dm55fwWm1YZAjYRaJ94z2mfZikIyIN4B0oB3dj3jFxY=
-github.com/containers/ocicrypt v1.1.3/go.mod h1:xpdkbVAuaH3WzbEabUd5yDsl9SwJA5pABH85425Es2g=
-github.com/containers/ocicrypt v1.1.6/go.mod h1:WgjxPWdTJMqYMjf3M6cuIFFA1/MpyyhIM99YInA+Rvc=
-github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
-github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
-github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
-github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
-github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=
-github.com/coreos/go-iptables v0.5.0/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=
-github.com/coreos/go-iptables v0.6.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
-github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
-github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk=
-github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
-github.com/coreos/go-oidc/v3 v3.5.0 h1:VxKtbccHZxs8juq7RdJntSqtXFtde9YpNpGn0yqgEHw=
-github.com/coreos/go-oidc/v3 v3.5.0/go.mod h1:ecXRtV4romGPeO6ieExAsUK9cb/3fp9hXNz1tlv8PIM=
-github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
-github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM=
-github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
-github.com/coreos/go-systemd v0.0.0-20161114122254-48702e0da86b/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
-github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
-github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
-github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
-github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf h1:iW4rZ826su+pqaw19uhpSCzhj44qo35pNgKFGqzDKkU=
-github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
-github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk=
-github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk=
-github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
-github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
-github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
-github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
-github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
-github.com/couchbase/gocb/v2 v2.6.3 h1:5RsMo+RRfK0mVxHLAfpBz3/tHlgXZb1WBNItLk9Ab+c=
-github.com/couchbase/gocb/v2 v2.6.3/go.mod h1:yF5F6BHTZ/ZowhEuZbySbXrlI4rHd1TIhm5azOaMbJU=
-github.com/couchbase/gocbcore/v10 v10.2.3 h1:PEkRSNSkKjUBXx82Ucr094+anoiCG5GleOOQZOHo6D4=
-github.com/couchbase/gocbcore/v10 v10.2.3/go.mod h1:lYQIIk+tzoMcwtwU5GzPbDdqEkwkH3isI2rkSpfL0oM=
-github.com/couchbaselabs/gocaves/client v0.0.0-20230307083111-cc3960c624b1/go.mod h1:AVekAZwIY2stsJOMWLAS/0uA/+qdp7pjO8EHnl61QkY=
-github.com/couchbaselabs/gocaves/client v0.0.0-20230404095311-05e3ba4f0259 h1:2TXy68EGEzIMHOx9UvczR5ApVecwCfQZ0LjkmwMI6g4=
-github.com/couchbaselabs/gocaves/client v0.0.0-20230404095311-05e3ba4f0259/go.mod h1:AVekAZwIY2stsJOMWLAS/0uA/+qdp7pjO8EHnl61QkY=
-github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
-github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
-github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
-github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
-github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
-github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
-github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI=
-github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
-github.com/d2g/dhcp4 v0.0.0-20170904100407-a1d1b6c41b1c/go.mod h1:Ct2BUK8SB0YC1SMSibvLzxjeJLnrYEVLULFNiHY9YfQ=
-github.com/d2g/dhcp4client v1.0.0/go.mod h1:j0hNfjhrt2SxUOw55nL0ATM/z4Yt3t2Kd1mW34z5W5s=
-github.com/d2g/dhcp4server v0.0.0-20181031114812-7d4a0a7f59a5/go.mod h1:Eo87+Kg/IX2hfWJfwxMzLyuSZyxSoAug2nGa1G2QAi8=
-github.com/d2g/hardwareaddr v0.0.0-20190221164911-e7d9fbe030e4/go.mod h1:bMl4RjIciD2oAxI7DmWRx6gbeqrkoLqv3MV0vzNad+I=
-github.com/danieljoos/wincred v1.1.0/go.mod h1:XYlo+eRTsVA9aHGp7NGjFkPla4m+DCL7hqDjlFjiygg=
-github.com/danieljoos/wincred v1.1.2 h1:QLdCxFs1/Yl4zduvBdcHB8goaYk9RARS2SgLLRuAyr0=
-github.com/danieljoos/wincred v1.1.2/go.mod h1:GijpziifJoIBfYh+S7BbkdUTU4LfM+QnGqR5Vl2tAx0=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
-github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc=
-github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.0-20210816181553-5444fa50b93d/go.mod h1:tmAIfUFEirG/Y8jhZ9M+h36obRZAk/1fcSpXwAVlfqE=
-github.com/denisenkom/go-mssqldb v0.12.3 h1:pBSGx9Tq67pBOTLmxNuirNTeB8Vjmf886Kx+8Y+8shw=
-github.com/denisenkom/go-mssqldb v0.12.3/go.mod h1:k0mtMFOnU+AihqFxPMiF05rtiDrorD1Vrm1KEz5hxDo=
-github.com/denverdino/aliyungo v0.0.0-20170926055100-d3308649c661/go.mod h1:dV8lFg6daOBZbT6/BDGIz6Y3WFGn8juu6G+CQ6LHtl0=
-github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba h1:p6poVbjHDkKa+wtC8frBMwQtT3BmqGYBjzMwJ63tuR4=
-github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba/go.mod h1:dV8lFg6daOBZbT6/BDGIz6Y3WFGn8juu6G+CQ6LHtl0=
-github.com/dgraph-io/badger/v3 v3.2103.2/go.mod h1:RHo4/GmYcKKh5Lxu63wLEMHJ70Pac2JqZRYGhlyAo2M=
-github.com/dgraph-io/ristretto v0.1.0/go.mod h1:fux0lOrBhrVCJd3lcTHsIJhq1T2rokOu6v9Vcb3Q9ug=
-github.com/dgrijalva/jwt-go v0.0.0-20170104182250-a601269ab70c/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
-github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
-github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
-github.com/dgryski/go-metro v0.0.0-20180109044635-280f6062b5bc h1:8WFBn63wegobsYAX0YjD+8suexZDga5CctH4CCTx2+8=
-github.com/dgryski/go-metro v0.0.0-20180109044635-280f6062b5bc/go.mod h1:c9O8+fpSOX1DM8cPNSkX/qsBWdkD4yd2dpciOWQjpBw=
-github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
-github.com/digitalocean/godo v1.7.5 h1:JOQbAO6QT1GGjor0doT0mXefX2FgUDPOpYh2RaXA+ko=
-github.com/digitalocean/godo v1.7.5/go.mod h1:h6faOIcZ8lWIwNQ+DN7b3CgX4Kwby5T+nbpNqkUIozU=
-github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8=
-github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U=
-github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE=
-github.com/distribution/distribution/v3 v3.0.0-20220526142353-ffbd94cbe269/go.mod h1:28YO/VJk9/64+sTGNuYaBjWxrXTPrj0C0XmgTIOjxX4=
-github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E=
-github.com/dnaeon/go-vcr v1.1.0/go.mod h1:M7tiix8f0r6mKKJ3Yq/kqU1OYf3MnfmBWVbPx/yU9ko=
-github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
-github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
-github.com/dnephin/pflag v1.0.7 h1:oxONGlWxhmUct0YzKTgrpQv9AUA1wtPBn7zuSjJqptk=
-github.com/dnephin/pflag v1.0.7/go.mod h1:uxE91IoWURlOiTUIA8Mq5ZZkAv3dPUfZNaT80Zm7OQE=
-github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/cli v20.10.17+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/cli v20.10.20+incompatible h1:lWQbHSHUFs7KraSN2jOJK7zbMS2jNCHI4mt4xUFUVQ4=
-github.com/docker/cli v20.10.20+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/distribution v0.0.0-20190905152932-14b96e55d84c/go.mod h1:0+TTO4EOBfRPhZXAeF1Vu+W3hHZ8eLp8PgKVZlcvtFY=
-github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
-github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/docker v20.10.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/docker v20.10.17+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/docker v20.10.20+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/docker v24.0.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/docker v24.0.7+incompatible h1:Wo6l37AuwP3JaMnZa226lzVXGA3F9Ig1seQen0cKYlM=
-github.com/docker/docker v24.0.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
-github.com/docker/docker-credential-helpers v0.6.4/go.mod h1:ofX3UI0Gz1TteYBjtgs07O36Pyasyp66D2uKT7H8W1c=
-github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
-github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
-github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
-github.com/docker/go-events v0.0.0-20170721190031-9461782956ad/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=
-github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=
-github.com/docker/go-metrics v0.0.0-20180209012529-399ea8c73916/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI=
-github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw=
-github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
-github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
-github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
-github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
-github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 h1:iFaUwBSo5Svw6L7HYpRu/0lE3e0BaElwnNO1qkNQxBY=
-github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5/go.mod h1:qssHWj60/X5sZFNxpG4HBPDHVqxNm4DfnCKgrbZOT+s=
-github.com/dsnet/golib v0.0.0-20171103203638-1ea166775780/go.mod h1:Lj+Z9rebOhdfkVLjJ8T6VcRQv3SXugXy999NBtR9aFY=
-github.com/duosecurity/duo_api_golang v0.0.0-20190308151101-6c680f768e74 h1:2MIhn2R6oXQbgW5yHfS+d6YqyMfXiu2L55rFZC4UD/M=
-github.com/duosecurity/duo_api_golang v0.0.0-20190308151101-6c680f768e74/go.mod h1:UqXY1lYT/ERa4OEAywUqdok1T4RCRdArkhic1Opuavo=
-github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
-github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
-github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
-github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
-github.com/dvsekhvalnov/jose2go v1.5.0 h1:3j8ya4Z4kMCwT5nXIKFSV84YS+HdqSSO0VsTQxaLAeM=
-github.com/dvsekhvalnov/jose2go v1.5.0/go.mod h1:QsHjhyTlD/lAVqn/NSbVZmSCGeDehTB/mPZadG+mhXU=
-github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
-github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819 h1:RIB4cRk+lBqKK3Oy0r2gRX4ui7tuhiZq2SuTtTCi0/0=
-github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
-github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
-github.com/emicklei/go-restful/v3 v3.8.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/emicklei/go-restful/v3 v3.10.1 h1:rc42Y5YTp7Am7CS630D7JmhRjq4UlEUuEKfrDac4bSQ=
-github.com/emicklei/go-restful/v3 v3.10.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
-github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
-github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
-github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
-github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
-github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE=
-github.com/envoyproxy/go-control-plane v0.10.3/go.mod h1:fJJn/j26vwOu972OllsvAgJJM//w9BV6Fxbg2LuVd34=
-github.com/envoyproxy/go-control-plane v0.11.0/go.mod h1:VnHyVMpzcLvCFt9yUz1UnCwHLhwx1WguiVDV7pTG/tI=
-github.com/envoyproxy/go-control-plane v0.11.1-0.20230524094728-9239064ad72f/go.mod h1:sfYdkwUW4BA3PbKjySwjJy+O4Pu0h62rlqCMHNk+K+Q=
-github.com/envoyproxy/go-control-plane v0.11.1 h1:wSUXTlLfiAQRWs2F+p+EKOY9rUyis1MyGqJ2DIk5HpM=
-github.com/envoyproxy/go-control-plane v0.11.1/go.mod h1:uhMcXKCQMEJHiAb0w+YGefQLaTEw+YhGluxZkrTmD0g=
-github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/envoyproxy/protoc-gen-validate v0.6.7/go.mod h1:dyJXwwfPK2VSqiB9Klm1J6romD608Ba7Hij42vrOBCo=
-github.com/envoyproxy/protoc-gen-validate v0.9.1/go.mod h1:OKNgG7TCp5pF4d6XftA0++PMirau2/yoOwVac3AbF2w=
-github.com/envoyproxy/protoc-gen-validate v0.10.0/go.mod h1:DRjgyB0I43LtJapqN6NiRwroiAU2PaFuvk/vjgh61ss=
-github.com/envoyproxy/protoc-gen-validate v0.10.1/go.mod h1:DRjgyB0I43LtJapqN6NiRwroiAU2PaFuvk/vjgh61ss=
-github.com/envoyproxy/protoc-gen-validate v1.0.1/go.mod h1:0vj8bNkYbSTNS2PIyH87KZaeN4x9zpL9Qt8fQC7d+vs=
-github.com/envoyproxy/protoc-gen-validate v1.0.2 h1:QkIBuU5k+x7/QXPvPPnWXWlCdaBFApVqftFV6k087DA=
-github.com/envoyproxy/protoc-gen-validate v1.0.2/go.mod h1:GpiZQP3dDbg4JouG/NNS7QWXpgx6x8QiMKdmN72jogE=
-github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww=
-github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4=
-github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
-github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
-github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
-github.com/fatih/color v1.14.1/go.mod h1:2oHN61fhTpgcxD3TSWCgKDiH1+x4OiDVVGH8WlgGZGg=
-github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs=
-github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw=
-github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo=
-github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
-github.com/favadi/protoc-go-inject-tag v1.4.0 h1:K3KXxbgRw5WT4f43LbglARGz/8jVsDOS7uMjG4oNvXY=
-github.com/favadi/protoc-go-inject-tag v1.4.0/go.mod h1:AZ+PK+QDKUOLlBRG0rYiKkUX5Hw7+7GTFzlU99GFSbQ=
-github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/felixge/httpsnoop v1.0.2/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
-github.com/fogleman/gg v1.3.0/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
-github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
-github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
-github.com/form3tech-oss/jwt-go v3.2.5+incompatible h1:/l4kBbb4/vGSsdtB5nUe8L7B9mImVMaBPw9L/0TBHU8=
-github.com/form3tech-oss/jwt-go v3.2.5+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
-github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
-github.com/foxcpp/go-mockdns v0.0.0-20210729171921-fb145fc6f897/go.mod h1:lgRN6+KxQBawyIghpnl5CezHFGS9VLzvtVlwxvzXTQ4=
-github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
-github.com/frankban/quicktest v1.13.0/go.mod h1:qLE0fzW0VuyUAJgPU19zByoIr0HtCHN/r/VLSOOIySU=
-github.com/frankban/quicktest v1.14.0/go.mod h1:NeW+ay9A/U67EYXNFA1nPE8e/tnQv/09mUdL/ijj8og=
-github.com/frankban/quicktest v1.14.4 h1:g2rn0vABPOOXmZUj+vbmUp0lPoXEMuhTpIluN0XL9UY=
-github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU=
-github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU=
-github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
-github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
-github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA=
-github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo=
-github.com/gabriel-vasile/mimetype v1.4.2 h1:w5qFW6JKBz9Y393Y4q372O9A7cUSequkh1Q7OhCmWKU=
-github.com/gabriel-vasile/mimetype v1.4.2/go.mod h1:zApsH/mKG4w07erKIaJPFiX0Tsq9BFQgN3qGY5GnNgA=
-github.com/gammazero/deque v0.2.1 h1:qSdsbG6pgp6nL7A0+K/B7s12mcCY/5l5SIUpMOl+dC0=
-github.com/gammazero/deque v0.2.1/go.mod h1:LFroj8x4cMYCukHJDbxFCkT+r9AndaJnFMuZDV34tuU=
-github.com/gammazero/workerpool v1.1.3 h1:WixN4xzukFoN0XSeXF6puqEqFTl2mECI9S6W44HWy9Q=
-github.com/gammazero/workerpool v1.1.3/go.mod h1:wPjyBLDbyKnUn2XwwyD3EEwo9dHutia9/fwNmSHWACc=
-github.com/garyburd/redigo v0.0.0-20150301180006-535138d7bcd7/go.mod h1:NR3MbYisc3/PwhQ00EMzDiPmrwpPxAn5GI05/YaO1SY=
-github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg=
-github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ=
-github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 h1:Mn26/9ZMNWSw9C9ERFA1PUxfmGpolnw2v0bKOREu5ew=
-github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32/go.mod h1:GIjDIg/heH5DOkXY3YJ/wNhfHsQHoXGjl8G8amsYQ1I=
-github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=
-github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
-github.com/gin-gonic/gin v1.6.3 h1:ahKqKTFpO5KTPHxWZjEdPScmYaGtLo8Y4DMHoEsnp14=
-github.com/gin-gonic/gin v1.6.3/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwvtwp4M=
-github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY=
-github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
-github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
-github.com/go-asn1-ber/asn1-ber v1.3.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
-github.com/go-asn1-ber/asn1-ber v1.4.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
-github.com/go-asn1-ber/asn1-ber v1.5.4 h1:vXT6d/FNDiELJnLb6hGNa309LMsrCoYFvpwHDF0+Y1A=
-github.com/go-asn1-ber/asn1-ber v1.5.4/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
-github.com/go-errors/errors v1.5.0 h1:/EuijeGOu7ckFxzhkj4CXJ8JaenxK7bKUxpPYqeLHqQ=
-github.com/go-errors/errors v1.5.0/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
-github.com/go-fonts/dejavu v0.1.0/go.mod h1:4Wt4I4OU2Nq9asgDCteaAaWZOV24E+0/Pwo0gppep4g=
-github.com/go-fonts/latin-modern v0.2.0/go.mod h1:rQVLdDMK+mK1xscDwsqM5J8U2jrRa3T0ecnM9pNujks=
-github.com/go-fonts/liberation v0.1.1/go.mod h1:K6qoJYypsmfVjWg8KOVDQhLc8UDgIK2HYqyqAO9z7GY=
-github.com/go-fonts/liberation v0.2.0/go.mod h1:K6qoJYypsmfVjWg8KOVDQhLc8UDgIK2HYqyqAO9z7GY=
-github.com/go-fonts/stix v0.1.0/go.mod h1:w/c1f0ldAUlJmLBvlbkvVXLAD+tAMqobIIQpmnUIzUY=
-github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
-github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
-github.com/go-git/go-billy/v5 v5.4.1 h1:Uwp5tDRkPr+l/TnbHOQzp+tmJfLceOlbVucgpTz8ix4=
-github.com/go-git/go-billy/v5 v5.4.1/go.mod h1:vjbugF6Fz7JIflbVpl1hJsGjSHNltrSw45YK/ukIvQg=
-github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20230305113008-0c11038e723f h1:Pz0DHeFij3XFhoBRGUDPzSJ+w2UcK5/0JvF8DRI58r8=
-github.com/go-git/go-git/v5 v5.7.0 h1:t9AudWVLmqzlo+4bqdf7GY+46SUuRsx59SboFxkq2aE=
-github.com/go-git/go-git/v5 v5.7.0/go.mod h1:coJHKEOk5kUClpsNlXrUvPrDxY3w3gjHvhcZd8Fodw8=
-github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
-github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-ini/ini v1.25.4/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
-github.com/go-ini/ini v1.66.6/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
-github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo=
-github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
-github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
-github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
-github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
-github.com/go-kit/log v0.2.0/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0=
-github.com/go-latex/latex v0.0.0-20210118124228-b3d85cf34e07/go.mod h1:CO1AlKB2CSIqUrmQPqA0gdRIlnLEY0gK5JGjh37zN5U=
-github.com/go-latex/latex v0.0.0-20210823091927-c0d11ff05a81/go.mod h1:SX0U8uGpxhq9o2S/CELCSUxEWWAuoCUcVCQWv7G2OCk=
-github.com/go-ldap/ldap/v3 v3.1.7/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q=
-github.com/go-ldap/ldap/v3 v3.4.4 h1:qPjipEpt+qDa6SI/h1fzuGWoRUY+qqQ9sOZq67/PYUs=
-github.com/go-ldap/ldap/v3 v3.4.4/go.mod h1:fe1MsuN5eJJ1FeLT/LEBVdWfNWKh459R7aXgXtJC+aI=
-github.com/go-ldap/ldif v0.0.0-20200320164324-fd88d9b715b3 h1:sfz1YppV05y4sYaW7kXZtrocU/+vimnIWt4cxAYh7+o=
-github.com/go-ldap/ldif v0.0.0-20200320164324-fd88d9b715b3/go.mod h1:ZXFhGda43Z2TVbfGZefXyMJzsDHhCh0go3bZUcwTx7o=
-github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
-github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
-github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
-github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
-github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
-github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
-github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
-github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.2.1/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
-github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/stdr v1.2.0/go.mod h1:YkVgnZu1ZjjL7xTxrfm/LLZBfkhTqSR1ydtm6jTKKwI=
-github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
-github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
-github.com/go-logr/zapr v1.2.3/go.mod h1:eIauM6P8qSvTw5o2ez6UEAfGjQKrxQTl5EoK+Qa2oG4=
-github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab h1:xveKWz2iaueeTaUgdetzel+U7exyigDYBryyVfV/rZk=
-github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab/go.mod h1:/P9AEU963A2AYjv4d1V5eVL1CQbEJq6aCNHDDjibzu8=
-github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
-github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
-github.com/go-openapi/analysis v0.0.0-20180825180245-b006789cd277/go.mod h1:k70tL6pCuVxPJOHXQ+wIac1FUrvNkHolPie/cLEU6hI=
-github.com/go-openapi/analysis v0.17.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik=
-github.com/go-openapi/analysis v0.18.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik=
-github.com/go-openapi/analysis v0.19.2/go.mod h1:3P1osvZa9jKjb8ed2TPng3f0i/UY9snX6gxi44djMjk=
-github.com/go-openapi/analysis v0.19.4/go.mod h1:3P1osvZa9jKjb8ed2TPng3f0i/UY9snX6gxi44djMjk=
-github.com/go-openapi/analysis v0.19.5/go.mod h1:hkEAkxagaIvIP7VTn8ygJNkd4kAYON2rCu0v0ObL0AU=
-github.com/go-openapi/analysis v0.19.10/go.mod h1:qmhS3VNFxBlquFJ0RGoDtylO9y4pgTAUNE9AEEMdlJQ=
-github.com/go-openapi/analysis v0.19.16/go.mod h1:GLInF007N83Ad3m8a/CbQ5TPzdnGT7workfHwuVjNVk=
-github.com/go-openapi/analysis v0.20.0 h1:UN09o0kNhleunxW7LR+KnltD0YrJ8FF03pSqvAN3Vro=
-github.com/go-openapi/analysis v0.20.0/go.mod h1:BMchjvaHDykmRMsK40iPtvyOfFdMMxlOmQr9FBZk+Og=
-github.com/go-openapi/errors v0.17.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0=
-github.com/go-openapi/errors v0.18.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0=
-github.com/go-openapi/errors v0.19.2/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94=
-github.com/go-openapi/errors v0.19.3/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94=
-github.com/go-openapi/errors v0.19.6/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M=
-github.com/go-openapi/errors v0.19.7/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M=
-github.com/go-openapi/errors v0.19.8/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M=
-github.com/go-openapi/errors v0.19.9/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M=
-github.com/go-openapi/errors v0.20.1 h1:j23mMDtRxMwIobkpId7sWh7Ddcx4ivaoqUbfXx5P+a8=
-github.com/go-openapi/errors v0.20.1/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M=
-github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
-github.com/go-openapi/jsonpointer v0.17.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M=
-github.com/go-openapi/jsonpointer v0.18.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M=
-github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg=
-github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
-github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
-github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE=
-github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
-github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
-github.com/go-openapi/jsonreference v0.17.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I=
-github.com/go-openapi/jsonreference v0.18.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I=
-github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc=
-github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
-github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg=
-github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo=
-github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
-github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
-github.com/go-openapi/loads v0.17.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
-github.com/go-openapi/loads v0.18.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
-github.com/go-openapi/loads v0.19.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
-github.com/go-openapi/loads v0.19.2/go.mod h1:QAskZPMX5V0C2gvfkGZzJlINuP7Hx/4+ix5jWFxsNPs=
-github.com/go-openapi/loads v0.19.3/go.mod h1:YVfqhUCdahYwR3f3iiwQLhicVRvLlU/WO5WPaZvcvSI=
-github.com/go-openapi/loads v0.19.5/go.mod h1:dswLCAdonkRufe/gSUC3gN8nTSaB9uaS2es0x5/IbjY=
-github.com/go-openapi/loads v0.19.6/go.mod h1:brCsvE6j8mnbmGBh103PT/QLHfbyDxA4hsKvYBNEGVc=
-github.com/go-openapi/loads v0.19.7/go.mod h1:brCsvE6j8mnbmGBh103PT/QLHfbyDxA4hsKvYBNEGVc=
-github.com/go-openapi/loads v0.20.0/go.mod h1:2LhKquiE513rN5xC6Aan6lYOSddlL8Mp20AW9kpviM4=
-github.com/go-openapi/loads v0.20.2 h1:z5p5Xf5wujMxS1y8aP+vxwW5qYT2zdJBbXKmQUG3lcc=
-github.com/go-openapi/loads v0.20.2/go.mod h1:hTVUotJ+UonAMMZsvakEgmWKgtulweO9vYP2bQYKA/o=
-github.com/go-openapi/runtime v0.0.0-20180920151709-4f900dc2ade9/go.mod h1:6v9a6LTXWQCdL8k1AO3cvqx5OtZY/Y9wKTgaoP6YRfA=
-github.com/go-openapi/runtime v0.19.0/go.mod h1:OwNfisksmmaZse4+gpV3Ne9AyMOlP1lt4sK4FXt0O64=
-github.com/go-openapi/runtime v0.19.4/go.mod h1:X277bwSUBxVlCYR3r7xgZZGKVvBd/29gLDlFGtJ8NL4=
-github.com/go-openapi/runtime v0.19.15/go.mod h1:dhGWCTKRXlAfGnQG0ONViOZpjfg0m2gUt9nTQPQZuoo=
-github.com/go-openapi/runtime v0.19.16/go.mod h1:5P9104EJgYcizotuXhEuUrzVc+j1RiSjahULvYmlv98=
-github.com/go-openapi/runtime v0.19.24 h1:TqagMVlRAOTwllE/7hNKx6rQ10O6T8ZzeJdMjSTKaD4=
-github.com/go-openapi/runtime v0.19.24/go.mod h1:Lm9YGCeecBnUUkFTxPC4s1+lwrkJ0pthx8YvyjCfkgk=
-github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
-github.com/go-openapi/spec v0.17.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
-github.com/go-openapi/spec v0.18.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
-github.com/go-openapi/spec v0.19.2/go.mod h1:sCxk3jxKgioEJikev4fgkNmwS+3kuYdJtcsZsD5zxMY=
-github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo=
-github.com/go-openapi/spec v0.19.6/go.mod h1:Hm2Jr4jv8G1ciIAo+frC/Ft+rR2kQDh8JHKHb3gWUSk=
-github.com/go-openapi/spec v0.19.8/go.mod h1:Hm2Jr4jv8G1ciIAo+frC/Ft+rR2kQDh8JHKHb3gWUSk=
-github.com/go-openapi/spec v0.19.15/go.mod h1:+81FIL1JwC5P3/Iuuozq3pPE9dXdIEGxFutcFKaVbmU=
-github.com/go-openapi/spec v0.20.0/go.mod h1:+81FIL1JwC5P3/Iuuozq3pPE9dXdIEGxFutcFKaVbmU=
-github.com/go-openapi/spec v0.20.1/go.mod h1:93x7oh+d+FQsmsieroS4cmR3u0p/ywH649a3qwC9OsQ=
-github.com/go-openapi/spec v0.20.3 h1:uH9RQ6vdyPSs2pSy9fL8QPspDF2AMIMPtmK5coSSjtQ=
-github.com/go-openapi/spec v0.20.3/go.mod h1:gG4F8wdEDN+YPBMVnzE85Rbhf+Th2DTvA9nFPQ5AYEg=
-github.com/go-openapi/strfmt v0.17.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU=
-github.com/go-openapi/strfmt v0.18.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU=
-github.com/go-openapi/strfmt v0.19.0/go.mod h1:+uW+93UVvGGq2qGaZxdDeJqSAqBqBdl+ZPMF/cC8nDY=
-github.com/go-openapi/strfmt v0.19.2/go.mod h1:0yX7dbo8mKIvc3XSKp7MNfxw4JytCfCD6+bY1AVL9LU=
-github.com/go-openapi/strfmt v0.19.3/go.mod h1:0yX7dbo8mKIvc3XSKp7MNfxw4JytCfCD6+bY1AVL9LU=
-github.com/go-openapi/strfmt v0.19.4/go.mod h1:eftuHTlB/dI8Uq8JJOyRlieZf+WkkxUuk0dgdHXr2Qk=
-github.com/go-openapi/strfmt v0.19.5/go.mod h1:eftuHTlB/dI8Uq8JJOyRlieZf+WkkxUuk0dgdHXr2Qk=
-github.com/go-openapi/strfmt v0.19.11/go.mod h1:UukAYgTaQfqJuAFlNxxMWNvMYiwiXtLsF2VwmoFtbtc=
-github.com/go-openapi/strfmt v0.20.0 h1:l2omNtmNbMc39IGptl9BuXBEKcZfS8zjrTsPKTiJiDM=
-github.com/go-openapi/strfmt v0.20.0/go.mod h1:UukAYgTaQfqJuAFlNxxMWNvMYiwiXtLsF2VwmoFtbtc=
-github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
-github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
-github.com/go-openapi/swag v0.18.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
-github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
-github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
-github.com/go-openapi/swag v0.19.7/go.mod h1:ao+8BpOPyKdpQz3AOJfbeEVpLmWAvlT1IfTe5McPyhY=
-github.com/go-openapi/swag v0.19.9/go.mod h1:ao+8BpOPyKdpQz3AOJfbeEVpLmWAvlT1IfTe5McPyhY=
-github.com/go-openapi/swag v0.19.12/go.mod h1:eFdyEBkTdoAf/9RXBvj4cr1nH7GD8Kzo5HTt47gr72M=
-github.com/go-openapi/swag v0.19.13/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
-github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
-github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g=
-github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
-github.com/go-openapi/validate v0.18.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4=
-github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2KDnRCRMUi7GTA=
-github.com/go-openapi/validate v0.19.3/go.mod h1:90Vh6jjkTn+OT1Eefm0ZixWNFjhtOH7vS9k0lo6zwJo=
-github.com/go-openapi/validate v0.19.10/go.mod h1:RKEZTUWDkxKQxN2jDT7ZnZi2bhZlbNMAuKvKB+IaGx8=
-github.com/go-openapi/validate v0.19.12/go.mod h1:Rzou8hA/CBw8donlS6WNEUQupNvUZ0waH08tGe6kAQ4=
-github.com/go-openapi/validate v0.19.15/go.mod h1:tbn/fdOwYHgrhPBzidZfJC2MIVvs9GA7monOmWBbeCI=
-github.com/go-openapi/validate v0.20.1/go.mod h1:b60iJT+xNNLfaQJUqLI7946tYiFEOuE9E4k54HpKcJ0=
-github.com/go-openapi/validate v0.20.2 h1:AhqDegYV3J3iQkMPJSXkvzymHKMTw0BST3RK3hTT4ts=
-github.com/go-openapi/validate v0.20.2/go.mod h1:e7OJoKNgd0twXZwIn0A43tHbvIcr/rZIVCbJBpTUoY0=
-github.com/go-ozzo/ozzo-validation v3.6.0+incompatible h1:msy24VGS42fKO9K1vLz82/GeYW1cILu7Nuuj1N3BBkE=
-github.com/go-ozzo/ozzo-validation v3.6.0+incompatible/go.mod h1:gsEKFIVnabGBt6mXmxK0MoFy+cZoTJY6mu5Ll3LVLBU=
-github.com/go-pdf/fpdf v0.5.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhOh5M=
-github.com/go-pdf/fpdf v0.6.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhOh5M=
-github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
-github.com/go-playground/locales v0.13.0 h1:HyWk6mgj5qFqCT5fjGBuRArbVDfE4hi8+e8ceBS/t7Q=
-github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8=
-github.com/go-playground/universal-translator v0.17.0 h1:icxd5fm+REJzpZx7ZfpaD876Lmtgy7VtROAbHHXk8no=
-github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA=
-github.com/go-playground/validator/v10 v10.2.0 h1:KgJ0snyC2R9VXYN2rneOtQcw5aHQB1Vv0sFl1UcHBOY=
-github.com/go-playground/validator/v10 v10.2.0/go.mod h1:uOYAAleCW8F/7oMFd6aG0GOhaH6EGOAJShg8Id5JGkI=
-github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
-github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
-github.com/go-sql-driver/mysql v1.7.1 h1:lUIinVbN1DY0xBg0eMOzmmtGoHwWBbvnWubQUrtU8EI=
-github.com/go-sql-driver/mysql v1.7.1/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI=
-github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
-github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
-github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
-github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
-github.com/go-test/deep v1.0.4/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
-github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg=
-github.com/go-test/deep v1.1.0/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
-github.com/go-zookeeper/zk v1.0.3 h1:7M2kwOsc//9VeeFiPtf+uSJlVpU66x9Ba5+8XK7/TDg=
-github.com/go-zookeeper/zk v1.0.3/go.mod h1:nOB03cncLtlp4t+UAkGSV+9beXP/akpekBwL+UX1Qcw=
-github.com/gobuffalo/attrs v0.0.0-20190224210810-a9411de4debd/go.mod h1:4duuawTqi2wkkpB4ePgWMaai6/Kc6WEz83bhFwpHzj0=
-github.com/gobuffalo/depgen v0.0.0-20190329151759-d478694a28d3/go.mod h1:3STtPUQYuzV0gBVOY3vy6CfMm/ljR4pABfrTeHNLHUY=
-github.com/gobuffalo/depgen v0.1.0/go.mod h1:+ifsuy7fhi15RWncXQQKjWS9JPkdah5sZvtHc2RXGlg=
-github.com/gobuffalo/envy v1.6.15/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI=
-github.com/gobuffalo/envy v1.7.0/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI=
-github.com/gobuffalo/flect v0.1.0/go.mod h1:d2ehjJqGOH/Kjqcoz+F7jHTBbmDb38yXA598Hb50EGs=
-github.com/gobuffalo/flect v0.1.1/go.mod h1:8JCgGVbRjJhVgD6399mQr4fx5rRfGKVzFjbj6RE/9UI=
-github.com/gobuffalo/flect v0.1.3/go.mod h1:8JCgGVbRjJhVgD6399mQr4fx5rRfGKVzFjbj6RE/9UI=
-github.com/gobuffalo/genny v0.0.0-20190329151137-27723ad26ef9/go.mod h1:rWs4Z12d1Zbf19rlsn0nurr75KqhYp52EAGGxTbBhNk=
-github.com/gobuffalo/genny v0.0.0-20190403191548-3ca520ef0d9e/go.mod h1:80lIj3kVJWwOrXWWMRzzdhW3DsrdjILVil/SFKBzF28=
-github.com/gobuffalo/genny v0.1.0/go.mod h1:XidbUqzak3lHdS//TPu2OgiFB+51Ur5f7CSnXZ/JDvo=
-github.com/gobuffalo/genny v0.1.1/go.mod h1:5TExbEyY48pfunL4QSXxlDOmdsD44RRq4mVZ0Ex28Xk=
-github.com/gobuffalo/gitgen v0.0.0-20190315122116-cc086187d211/go.mod h1:vEHJk/E9DmhejeLeNt7UVvlSGv3ziL+djtTr3yyzcOw=
-github.com/gobuffalo/gogen v0.0.0-20190315121717-8f38393713f5/go.mod h1:V9QVDIxsgKNZs6L2IYiGR8datgMhB577vzTDqypH360=
-github.com/gobuffalo/gogen v0.1.0/go.mod h1:8NTelM5qd8RZ15VjQTFkAW6qOMx5wBbW4dSCS3BY8gg=
-github.com/gobuffalo/gogen v0.1.1/go.mod h1:y8iBtmHmGc4qa3urIyo1shvOD8JftTtfcKi+71xfDNE=
-github.com/gobuffalo/logger v0.0.0-20190315122211-86e12af44bc2/go.mod h1:QdxcLw541hSGtBnhUc4gaNIXRjiDppFGaDqzbrBd3v8=
-github.com/gobuffalo/mapi v1.0.1/go.mod h1:4VAGh89y6rVOvm5A8fKFxYG+wIW6LO1FMTG9hnKStFc=
-github.com/gobuffalo/mapi v1.0.2/go.mod h1:4VAGh89y6rVOvm5A8fKFxYG+wIW6LO1FMTG9hnKStFc=
-github.com/gobuffalo/packd v0.0.0-20190315124812-a385830c7fc0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWeG2RIxq4=
-github.com/gobuffalo/packd v0.1.0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWeG2RIxq4=
-github.com/gobuffalo/packr/v2 v2.0.9/go.mod h1:emmyGweYTm6Kdper+iywB6YK5YzuKchGtJQZ0Odn4pQ=
-github.com/gobuffalo/packr/v2 v2.2.0/go.mod h1:CaAwI0GPIAv+5wKLtv8Afwl+Cm78K/I/VCm/3ptBN+0=
-github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw=
-github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
-github.com/gobwas/httphead v0.0.0-20180130184737-2c6c146eadee h1:s+21KNqlpePfkah2I+gwHF8xmJWRjooY+5248k6m4A0=
-github.com/gobwas/httphead v0.0.0-20180130184737-2c6c146eadee/go.mod h1:L0fX3K22YWvt/FAX9NnzrNzcI4wNYi9Yku4O0LKYflo=
-github.com/gobwas/pool v0.2.0 h1:QEmUOlnSjWtnpRGHF3SauEiOsy82Cup83Vf2LcMlnc8=
-github.com/gobwas/pool v0.2.0/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
-github.com/gobwas/ws v1.0.2 h1:CoAavW/wd/kulfZmSIBt6p24n4j7tHgNVCjsfHVNUbo=
-github.com/gobwas/ws v1.0.2/go.mod h1:szmBTxLgaFppYjEmNtny/v3w89xOydFnnZMcgRRu/EM=
-github.com/goccy/go-json v0.9.7/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
-github.com/goccy/go-json v0.9.11/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
-github.com/goccy/go-json v0.10.0 h1:mXKd9Qw4NuzShiRlOXKews24ufknHO7gx30lsDyokKA=
-github.com/goccy/go-json v0.10.0/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
-github.com/gocql/gocql v1.0.0 h1:UnbTERpP72VZ/viKE1Q1gPtmLvyTZTvuAstvSRydw/c=
-github.com/gocql/gocql v1.0.0/go.mod h1:3gM2c4D3AnkISwBxGnMMsS8Oy4y2lhbPRsH4xnJrHG8=
-github.com/godbus/dbus v0.0.0-20151105175453-c7fdd8b5cd55/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw=
-github.com/godbus/dbus v0.0.0-20180201030542-885f9cc04c9c/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw=
-github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
-github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 h1:ZpnhV/YsD2/4cESfV5+Hoeu/iUR3ruzNvZ+yQfO03a0=
-github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
-github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
-github.com/gofrs/uuid v4.3.0+incompatible h1:CaSVZxm5B+7o45rtab4jC2G37WGYX1zQfuU2i6DSvnc=
-github.com/gofrs/uuid v4.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
-github.com/gogo/googleapis v1.2.0/go.mod h1:Njal3psf3qN6dwBtQfUmBZh2ybovJ0tlu3o/AC7HYjU=
-github.com/gogo/googleapis v1.4.0/go.mod h1:5YRNX2z1oM5gXdAkurHa942MDgEJyk02w4OecKY87+c=
-github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
-github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
-github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
-github.com/gogo/protobuf v1.3.0/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
-github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/goji/httpauth v0.0.0-20160601135302-2da839ab0f4d/go.mod h1:nnjvkQ9ptGaCkuDUx6wNykzzlUixGxvkme+H/lnzb+A=
-github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
-github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
-github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
-github.com/golang-jwt/jwt/v4 v4.4.3/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
-github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
-github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
-github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
-github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA=
-github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
-github.com/golang-sql/sqlexp v0.1.0 h1:ZCD6MBpcuOVfGVqsEmY5/4FtYiKz6tSyUv9LPEDei6A=
-github.com/golang-sql/sqlexp v0.1.0/go.mod h1:J4ad9Vo8ZCWQ2GMrC4UCQy1JpCbwU9m3EOqtpKwwwHI=
-github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
-github.com/golang/glog v1.1.0/go.mod h1:pfYeQZ3JWZoXTV5sFc986z3HTpwQs9At6P4ImfuP3NQ=
-github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
-github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
-github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8=
-github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
-github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
-github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
-github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
-github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
-github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
-github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
-github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
-github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
-github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
-github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
-github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM=
-github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/golang/snappy v0.0.2/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
-github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/golangci/revgrep v0.0.0-20220804021717-745bb2f7c2e6 h1:DIPQnGy2Gv2FSA4B/hh8Q7xx3B7AIDk3DAMeHclH1vQ=
-github.com/golangci/revgrep v0.0.0-20220804021717-745bb2f7c2e6/go.mod h1:0AKcRCkMoKvUvlf89F6O7H2LYdhr1zBh736mBItOdRs=
-github.com/gomodule/redigo v1.8.2/go.mod h1:P9dn9mFrCBvWhGE1wpxx6fgq7BAeLBk+UUUzlpkBYO0=
-github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
-github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
-github.com/google/cel-go v0.12.6/go.mod h1:Jk7ljRzLBhkmiAwBoUxB1sZSCVBAzkqPF25olK/iRDw=
-github.com/google/flatbuffers v1.12.1/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
-github.com/google/flatbuffers v2.0.8+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
-github.com/google/flatbuffers v23.1.21+incompatible h1:bUqzx/MXCDxuS0hRJL2EfjyZL3uQrPbMocUa8zGqsTA=
-github.com/google/flatbuffers v23.1.21+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
-github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ=
-github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
-github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
-github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
-github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
-github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
-github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-containerregistry v0.5.1/go.mod h1:Ct15B4yir3PLOP5jsy0GNeYVaIZs/MK/Jz5any1wFW0=
-github.com/google/go-containerregistry v0.13.0/go.mod h1:J9FQ+eSS4a1aC2GNZxvNpbWhgp0487v+cgiilB4FqDo=
-github.com/google/go-github v17.0.0+incompatible h1:N0LgJ1j65A7kfXrZnUDaYCs/Sf4rEjNlfyDHW9dolSY=
-github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ=
-github.com/google/go-metrics-stackdriver v0.2.0 h1:rbs2sxHAPn2OtUj9JdR/Gij1YKGl0BTVD0augB+HEjE=
-github.com/google/go-metrics-stackdriver v0.2.0/go.mod h1:KLcPyp3dWJAFD+yHisGlJSZktIsTjb50eB72U2YZ9K0=
-github.com/google/go-pkcs11 v0.2.0/go.mod h1:6eQoGcuNJpa7jnd5pMGdkSaQpNDYvPlXWMcjXXThLlY=
-github.com/google/go-querystring v0.0.0-20170111101155-53e6ce116135/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
-github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
-github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
-github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
-github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no=
-github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
-github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
-github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
-github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk=
-github.com/google/martian/v3 v3.3.2 h1:IqNFLAmvJOgVlpdEBiQbDc2EwKW77amAycfTuWKdfvw=
-github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk=
-github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
-github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
-github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
-github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
-github.com/google/s2a-go v0.1.0/go.mod h1:OJpEgntRZo8ugHpF9hkoLJbS5dSI20XZeXJ9JVywLlM=
-github.com/google/s2a-go v0.1.3/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A=
-github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A=
-github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o=
-github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw=
-github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
-github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
-github.com/google/tink/go v1.6.1/go.mod h1:IGW53kTgag+st5yPhKKwJ6u2l+SSp5/v9XF7spovjlY=
-github.com/google/tink/go v1.7.0 h1:6Eox8zONGebBFcCBqkVmt60LaWZa6xg1cl/DwAh/J1w=
-github.com/google/tink/go v1.7.0/go.mod h1:GAUOd+QE3pgj9q8VKIGTCP33c/B7eb4NhxLcgTJZStM=
-github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
-github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
-github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
-github.com/googleapis/enterprise-certificate-proxy v0.2.0/go.mod h1:8C0jb7/mgJe/9KK8Lm7X9ctZC2t60YyIpYEI16jx0Qg=
-github.com/googleapis/enterprise-certificate-proxy v0.2.1/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
-github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
-github.com/googleapis/enterprise-certificate-proxy v0.2.4/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
-github.com/googleapis/enterprise-certificate-proxy v0.2.5 h1:UR4rDjcgpgEnqpIEvkiqTYKBCKLNmlge2eVjoZfySzM=
-github.com/googleapis/enterprise-certificate-proxy v0.2.5/go.mod h1:RxW0N9901Cko1VOCW3SXCpWP+mlIEkk2tP7jnHy9a3w=
-github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
-github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0=
-github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0eJc8R6ouapiM=
-github.com/googleapis/gax-go/v2 v2.2.0/go.mod h1:as02EH8zWkzwUoLbBaFeQ+arQaj/OthfcblKl4IGNaM=
-github.com/googleapis/gax-go/v2 v2.3.0/go.mod h1:b8LNqSzNabLiUpXKkY7HAR5jr6bIT99EXz9pXxye9YM=
-github.com/googleapis/gax-go/v2 v2.4.0/go.mod h1:XOTVJ59hdnfJLIP/dh8n5CGryZR2LxK9wbMD5+iXC6c=
-github.com/googleapis/gax-go/v2 v2.5.1/go.mod h1:h6B0KMMFNtI2ddbGJn3T3ZbwkeT6yqEF02fYlzkUCyo=
-github.com/googleapis/gax-go/v2 v2.6.0/go.mod h1:1mjbznJAPHFpesgE5ucqfYEscaz5kMdcIDwU/6+DDoY=
-github.com/googleapis/gax-go/v2 v2.7.0/go.mod h1:TEop28CZZQ2y+c0VxMUmu1lV+fQx57QpBWsYpwqHJx8=
-github.com/googleapis/gax-go/v2 v2.7.1/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI=
-github.com/googleapis/gax-go/v2 v2.8.0/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI=
-github.com/googleapis/gax-go/v2 v2.10.0/go.mod h1:4UOEnMCrxsSqQ940WnTiD6qJ63le2ev3xfyagutxiPw=
-github.com/googleapis/gax-go/v2 v2.11.0/go.mod h1:DxmR61SGKkGLa2xigwuZIQpkCI2S5iydzRfb3peWZJI=
-github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas=
-github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU=
-github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
-github.com/googleapis/gnostic v0.1.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
-github.com/googleapis/gnostic v0.2.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
-github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg=
-github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU=
-github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA=
-github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4=
-github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=
-github.com/gophercloud/gophercloud v0.1.0 h1:P/nh25+rzXouhytV2pUHBb65fnds26Ghl8/391+sT5o=
-github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8=
-github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
-github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
-github.com/gorilla/handlers v0.0.0-20150720190736-60c7bfde3e33/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ=
-github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q=
-github.com/gorilla/mux v1.7.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
-github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
-github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
-github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
-github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
-github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7FsgI=
-github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
-github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
-github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
-github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
-github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/gotestyourself/gotestyourself v2.2.0+incompatible h1:AQwinXlbQR2HvPjQZOmDhRqsv5mZf+Jb1RnSLxcqZcI=
-github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
-github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
-github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
-github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y=
-github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
-github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
-github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
-github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4ZsPv9hVvWI6+ch50m39Pf2Ks=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3/go.mod h1:o//XUCC/F+yRGJoPO/VU0GSB0f8Nhgmxx0VIRUvaC0w=
-github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c h1:6rhixN/i8ZofjG1Y75iExal34USq5p+wiN1tpie8IrU=
-github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c/go.mod h1:NMPJylDgVpX0MLRlPy15sqSwOFv/U1GZ2m21JhFfek0=
-github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed h1:5upAirOpQc1Q53c0bnx2ufif5kANL7bfZWcc6VJWJd8=
-github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed/go.mod h1:tMWxXQ9wFIaZeTI9F+hmhFiGpFmhOHzyShyFUhRm0H4=
-github.com/hashicorp/cap v0.3.4 h1:RoqWYqr6LaDLuvnBCpod1sZtvuEhehIhu0GncmoHW40=
-github.com/hashicorp/cap v0.3.4/go.mod h1:dHTmyMIVbzT981XxRoci5G//dfWmd/HhuNiCH6J5+IA=
-github.com/hashicorp/cap/ldap v0.0.0-20230914221201-c4eecc7e31f7 h1:jgVdtp5YMn++PxnYhAFfrURfLf+nlqzBeddbvRG+tTg=
-github.com/hashicorp/cap/ldap v0.0.0-20230914221201-c4eecc7e31f7/go.mod h1:q+c9XV1VqloZFZMu+zdvfb0cm7UrvKbvtmTF5wX5Q9o=
-github.com/hashicorp/consul-template v0.33.0 h1:UNyf7V/nFeh8edh5X6pP8f+9LZVn+DG9uNLLcTpLsFc=
-github.com/hashicorp/consul-template v0.33.0/go.mod h1:3RayddSLvOGQwdifbbe4doVwamgJU4QvxTtf5DNeclw=
-github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
-github.com/hashicorp/consul/api v1.23.0 h1:L6e4v1AfoumqAHq/Rrsmuulev+nd7vltM3k8H329tyI=
-github.com/hashicorp/consul/api v1.23.0/go.mod h1:SfvUIT74b0EplDuNgAJQ/FVqSO6KyK2ia80UI39/Ye8=
-github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
-github.com/hashicorp/consul/sdk v0.14.0 h1:Hly+BMNMssVzoWddbBnBFi3W+Fzytvm0haSkihhj3GU=
-github.com/hashicorp/cronexpr v1.1.1 h1:NJZDd87hGXjoZBdvyCF9mX4DCq5Wy7+A/w+A7q0wn6c=
-github.com/hashicorp/cronexpr v1.1.1/go.mod h1:P4wA0KBl9C5q2hABiMO7cp6jcIg96CDh1Efb3g1PWA4=
-github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
-github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
-github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
-github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
-github.com/hashicorp/eventlogger v0.2.5 h1:Z2hqgJDNHAewz/kmluhpOWuC2Ts5JzF3mXt6N5MTr6U=
-github.com/hashicorp/eventlogger v0.2.5/go.mod h1://CHt6/j+Q2lc0NlUB5af4aS2M0c0aVBg9/JfcpAyhM=
-github.com/hashicorp/go-bexpr v0.1.12 h1:XrdVhmwu+9iYxIUWxsGVG7NQwrhzJZ0vR6nbN5bLgrA=
-github.com/hashicorp/go-bexpr v0.1.12/go.mod h1:ACktpcSySkFNpcxWSClFrut7wicd9WzisnvHuw+g9K8=
-github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
-github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
-github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
-github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
-github.com/hashicorp/go-discover v0.0.0-20210818145131-c573d69da192 h1:eje2KOX8Sf7aYPiAsLnpWdAIrGRMcpFjN/Go/Exb7Zo=
-github.com/hashicorp/go-discover v0.0.0-20210818145131-c573d69da192/go.mod h1:3/4dzY4lR1Hzt9bBqMhBzG7lngZ0GKx/nL6G/ad62wE=
-github.com/hashicorp/go-gatedio v0.5.0 h1:Jm1X5yP4yCqqWj5L1TgW7iZwCVPGtVc+mro5r/XX7Tg=
-github.com/hashicorp/go-gcp-common v0.8.0 h1:/2vGAbCU1v+BZ3YHXTCzTvxqma9WOJHYtADTfhZixLo=
-github.com/hashicorp/go-gcp-common v0.8.0/go.mod h1:Q7zYRy9ue9SuaEN2s9YLIQs4SoKHdoRmKRcImY3SLgs=
-github.com/hashicorp/go-hclog v0.9.1/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
-github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
-github.com/hashicorp/go-hclog v0.14.1/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
-github.com/hashicorp/go-hclog v0.16.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
-github.com/hashicorp/go-hclog v1.0.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
-github.com/hashicorp/go-hclog v1.4.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
-github.com/hashicorp/go-hclog v1.5.0 h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c=
-github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
-github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
-github.com/hashicorp/go-immutable-radix v1.3.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
-github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc=
-github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
-github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.0 h1:pSjQfW3vPtrOTcasTUKgCTQT7OGPPTTMVRrOfU6FJD8=
-github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.0/go.mod h1:xvb32K2keAc+R8DSFG2IwDcydK9DBQE+fGA5fsw6hSk=
-github.com/hashicorp/go-kms-wrapping/v2 v2.0.8/go.mod h1:qTCjxGig/kjuj3hk1z8pOUrzbse/GxB1tGfbrq8tGJg=
-github.com/hashicorp/go-kms-wrapping/v2 v2.0.13 h1:29PE6fIDYcg2gQJIaQ8a8XtuW/jI3tQMwB95LsAY5GM=
-github.com/hashicorp/go-kms-wrapping/v2 v2.0.13/go.mod h1:NtMaPhqSlfQ72XWDD2g80o8HI8RKkowIB8/WZHMyPY4=
-github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2 v2.0.7-1 h1:ZV26VJYcITBom0QqYSUOIj4HOHCVPEFjLqjxyXV/AbA=
-github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2 v2.0.7-1/go.mod h1:b99cDSA+OzcyRoBZroSf174/ss/e6gUuS45wue9ZQfc=
-github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2 v2.0.1 h1:ydUCtmr8f9F+mHZ1iCsvzqFTXqNVpewX3s9zcYipMKI=
-github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2 v2.0.1/go.mod h1:Sl/ffzV57UAyjtSg1h5Km0rN5+dtzZJm1CUztkoCW2c=
-github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.7 h1:E3eEWpkofgPNrYyYznfS1+drq4/jFcqHQVNcL7WhUCo=
-github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.7/go.mod h1:j5vefRoguQUG7iM4reS/hKIZssU1lZRqNPM5Wow6UnM=
-github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.8 h1:CtccMhYRx3x4LNZlybVmAazzIWnzxShfdA+72muIwvU=
-github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.8/go.mod h1:hOe8opjBp3RtxEwfIXLVW0gFDTPHnmopkGiUWPuCPiM=
-github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.8 h1:16I8OqBEuxZIowwn3jiLvhlx+z+ia4dJc9stvz0yUBU=
-github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.8/go.mod h1:6QUMo5BrXAtbzSuZilqmx0A4px2u6PeFK7vfp2WIzeM=
-github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.7 h1:KeG3QGrbxbr2qAqCJdf3NR4ijAYwdcWLTmwSbR0yusM=
-github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.7/go.mod h1:rXxYzjjGw4HltEwxPp9zYSRIo6R+rBf1MSPk01bvodc=
-github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.8 h1:uvdmC28xaqklqRQ3HWvq9HP4jX7Vy4M5JrJqAxfo5ig=
-github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.8/go.mod h1:zHX8LhkrU/M8sJkIQ85Dsrg7aqNEonY1+l6MlUC+6O4=
-github.com/hashicorp/go-memdb v1.3.4 h1:XSL3NR682X/cVk2IeV0d70N4DZ9ljI885xAEU8IoK3c=
-github.com/hashicorp/go-memdb v1.3.4/go.mod h1:uBTr1oQbtuMgd1SSGoR8YV27eT3sBHbYiNm53bMpgSg=
-github.com/hashicorp/go-metrics v0.5.1 h1:rfPwUqFU6uZXNvGl4hzjY8LEBsqFVU4si1H9/Hqck/U=
-github.com/hashicorp/go-metrics v0.5.1/go.mod h1:KEjodfebIOuBYSAe/bHTm+HChmKSxAOXPBieMLYozDE=
-github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
-github.com/hashicorp/go-msgpack v0.5.5/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
-github.com/hashicorp/go-msgpack v1.1.5 h1:9byZdVjKTe5mce63pRVNP1L7UAmdHOTEMGehn6KvJWs=
-github.com/hashicorp/go-msgpack v1.1.5/go.mod h1:gWVc3sv/wbDmR3rQsj1CAktEZzoz1YNK9NfGLXJ69/4=
-github.com/hashicorp/go-msgpack/v2 v2.0.0 h1:c1fiLq1LNghmLOry1ipGhvLDi+/zEoaEP2JrE1oFJ9s=
-github.com/hashicorp/go-msgpack/v2 v2.0.0/go.mod h1:JIxYkkFJRDDRSoWQBSh7s9QAVThq+82iWmUpmE4jKak=
-github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I=
-github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
-github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA=
-github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
-github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
-github.com/hashicorp/go-plugin v1.5.1/go.mod h1:w1sAEES3g3PuV/RzUrgow20W2uErMly84hhD3um1WL4=
-github.com/hashicorp/go-plugin v1.5.2 h1:aWv8eimFqWlsEiMrYZdPYl+FdHaBJSN4AWwGWfT1G2Y=
-github.com/hashicorp/go-plugin v1.5.2/go.mod h1:w1sAEES3g3PuV/RzUrgow20W2uErMly84hhD3um1WL4=
-github.com/hashicorp/go-raftchunking v0.6.3-0.20191002164813-7e9e8525653a h1:FmnBDwGwlTgugDGbVxwV8UavqSMACbGrUpfc98yFLR4=
-github.com/hashicorp/go-raftchunking v0.6.3-0.20191002164813-7e9e8525653a/go.mod h1:xbXnmKqX9/+RhPkJ4zrEx4738HacP72aaUPlT2RZ4sU=
-github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
-github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
-github.com/hashicorp/go-retryablehttp v0.7.1/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
-github.com/hashicorp/go-retryablehttp v0.7.4 h1:ZQgVdpTdAL7WpMIwLzCfbalOcSUdkDZnpUv3/+BxzFA=
-github.com/hashicorp/go-retryablehttp v0.7.4/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
-github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
-github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
-github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
-github.com/hashicorp/go-secure-stdlib/awsutil v0.2.3 h1:AAQ6Vmo/ncfrZYtbpjhO+g0Qt+iNpYtl3UWT1NLmbYY=
-github.com/hashicorp/go-secure-stdlib/awsutil v0.2.3/go.mod h1:oKHSQs4ivIfZ3fbXGQOop1XuDfdSb8RIsWTGaAanSfg=
-github.com/hashicorp/go-secure-stdlib/base62 v0.1.1/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw=
-github.com/hashicorp/go-secure-stdlib/base62 v0.1.2 h1:ET4pqyjiGmY09R5y+rSd70J2w45CtbWDNvGqWp/R3Ng=
-github.com/hashicorp/go-secure-stdlib/base62 v0.1.2/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw=
-github.com/hashicorp/go-secure-stdlib/fileutil v0.1.0 h1:f2mwVgMJjXuX/+eWD6ZW30+oIRgCofL+XMWknFkB1WM=
-github.com/hashicorp/go-secure-stdlib/fileutil v0.1.0/go.mod h1:uwcr2oga9pN5+OkHZyTN5MDk3+1YHOuMukhpnPaQAoI=
-github.com/hashicorp/go-secure-stdlib/gatedwriter v0.1.1 h1:9um9R8i0+HbRHS9d64kdvWR0/LJvo12sIonvR9zr1+U=
-github.com/hashicorp/go-secure-stdlib/gatedwriter v0.1.1/go.mod h1:6RoRTSMDK2H/rKh3P/JIsk1tK8aatKTt3JyvIopi3GQ=
-github.com/hashicorp/go-secure-stdlib/kv-builder v0.1.2 h1:NS6BHieb/pDfx3M9jDdaPpGyyVp+aD4A3DjX3dgRmzs=
-github.com/hashicorp/go-secure-stdlib/kv-builder v0.1.2/go.mod h1:rf5JPE13wi+NwjgsmGkbg4b2CgHq8v7Htn/F0nDe/hg=
-github.com/hashicorp/go-secure-stdlib/mlock v0.1.2/go.mod h1:zq93CJChV6L9QTfGKtfBxKqD7BqqXx5O04A/ns2p5+I=
-github.com/hashicorp/go-secure-stdlib/mlock v0.1.3 h1:kH3Rhiht36xhAfhuHyWJDgdXXEx9IIZhDGRk24CDhzg=
-github.com/hashicorp/go-secure-stdlib/mlock v0.1.3/go.mod h1:ov1Q0oEDjC3+A4BwsG2YdKltrmEw8sf9Pau4V9JQ4Vo=
-github.com/hashicorp/go-secure-stdlib/nonceutil v0.1.0 h1:iJG9Q3iUme12yH+wzBMGYrw/Am4CfX3sDcA8m5OGfhQ=
-github.com/hashicorp/go-secure-stdlib/nonceutil v0.1.0/go.mod h1:s28ohJ0kU6tersf0it/WsBCyZSdziPlP+G1FRA3ar28=
-github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8=
-github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8=
-github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 h1:UpiO20jno/eV1eVZcxqWnUohyKRe1g8FPV/xH1s/2qs=
-github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8=
-github.com/hashicorp/go-secure-stdlib/password v0.1.1 h1:6JzmBqXprakgFEHwBgdchsjaA9x3GyjdI568bXKxa60=
-github.com/hashicorp/go-secure-stdlib/password v0.1.1/go.mod h1:9hH302QllNwu1o2TGYtSk8I8kTAN0ca1EHpwhm5Mmzo=
-github.com/hashicorp/go-secure-stdlib/plugincontainer v0.2.2 h1:lNWQ5KVsLmzjvN11LYqaTXtMrCP7CyxfmTeR3h0l3s8=
-github.com/hashicorp/go-secure-stdlib/plugincontainer v0.2.2/go.mod h1:7xQt0+IfRmzYBLpFx+4MYfLpBdd1PT1VatGKRswf7xE=
-github.com/hashicorp/go-secure-stdlib/reloadutil v0.1.1 h1:SMGUnbpAcat8rIKHkBPjfv81yC46a8eCNZ2hsR2l1EI=
-github.com/hashicorp/go-secure-stdlib/reloadutil v0.1.1/go.mod h1:Ch/bf00Qnx77MZd49JRgHYqHQjtEmTgGU2faufpVZb0=
-github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U=
-github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts=
-github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4=
-github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.2 h1:phcbL8urUzF/kxA/Oj6awENaRwfWsjP59GW7u2qlDyY=
-github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.2/go.mod h1:l8slYwnJA26yBz+ErHpp2IRCLr0vuOMGBORIz4rRiAs=
-github.com/hashicorp/go-slug v0.12.1 h1:lYhmKXXonP4KGSz3JBmks6YpDRjP1cMA/yvcoPxoNw8=
-github.com/hashicorp/go-slug v0.12.1/go.mod h1:JZVtycnZZbiJ4oxpJ/zfhyfBD8XxT4f0uOSyjNLCqFY=
-github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU=
-github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A=
-github.com/hashicorp/go-sockaddr v1.0.4 h1:NJY/hSAoWy0EhQQdDxxoBlwyJex/xC2qNWXD0up6D48=
-github.com/hashicorp/go-sockaddr v1.0.4/go.mod h1:LPGW7TbF+cTE2o/bBlBWD4XG8rgRJeIurURxH5kEHr8=
-github.com/hashicorp/go-syslog v1.0.0 h1:KaodqZuhUoZereWVIYmpUgZysurB1kBLX2j0MwMrUAE=
-github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
-github.com/hashicorp/go-tfe v1.33.0 h1:UQ04F/Dd+IgjQDciBZz/BKHTFwc7zXbJTI1+zNN355U=
-github.com/hashicorp/go-tfe v1.33.0/go.mod h1:Js4M/3kv14oTBlvLxqh0bbrWfosmNsEb9ad9YazsyfM=
-github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
-github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek=
-github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
-github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90=
-github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
-github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
-github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM=
-github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
-github.com/hashicorp/hcl/v2 v2.16.2 h1:mpkHZh/Tv+xet3sy3F9Ld4FyI2tUpWe9x3XtPx9f1a0=
-github.com/hashicorp/hcl/v2 v2.16.2/go.mod h1:JRmR89jycNkrrqnMmvPDMd56n1rQJ2Q6KocSLCMCXng=
-github.com/hashicorp/hcp-link v0.1.0 h1:F6F1cpADc+o5EBI5CbJn5RX4qdFSLpuA4fN69eeE5lQ=
-github.com/hashicorp/hcp-link v0.1.0/go.mod h1:BWVDuJDHrKJtWc5qI07bX5xlLjSgWq6kYLQUeG1g5dM=
-github.com/hashicorp/hcp-scada-provider v0.2.1 h1:yr+Uxini7SWTZ2t49d3Xi+6+X/rbsSFx8gq6WVcC91c=
-github.com/hashicorp/hcp-scada-provider v0.2.1/go.mod h1:Q0WpS2RyhBKOPD4X/8oW7AJe7jA2HXB09EwDzwRTao0=
-github.com/hashicorp/hcp-sdk-go v0.23.0 h1:3WarkQSK0VzxJaH6psHIGQagag3ujL+NjWagZZHpiZM=
-github.com/hashicorp/hcp-sdk-go v0.23.0/go.mod h1:/9UoDY2FYYA8lFaKBb2HmM/jKYZGANmf65q9QRc/cVw=
-github.com/hashicorp/jsonapi v0.0.0-20210826224640-ee7dae0fb22d h1:9ARUJJ1VVynB176G1HCwleORqCaXm/Vx0uUi0dL26I0=
-github.com/hashicorp/jsonapi v0.0.0-20210826224640-ee7dae0fb22d/go.mod h1:Yog5+CPEM3c99L1CL2CFCYoSzgWm5vTU58idbRUaLik=
-github.com/hashicorp/logutils v1.0.0 h1:dLEQVugN8vlakKOUE3ihGLTZJRB4j+M2cdTm/ORI65Y=
-github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
-github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
-github.com/hashicorp/mdns v1.0.1/go.mod h1:4gW7WsVCke5TE7EPeYliwHlRUyBtfCwuFwuMg2DmyNY=
-github.com/hashicorp/mdns v1.0.4 h1:sY0CMhFmjIPDMlTB+HfymFHCaYLhgifZ0QhjaYKD/UQ=
-github.com/hashicorp/mdns v1.0.4/go.mod h1:mtBihi+LeNXGtG8L9dX59gAEa12BDtBQSp4v/YAJqrc=
-github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
-github.com/hashicorp/memberlist v0.5.0 h1:EtYPN8DpAURiapus508I4n9CzHs2W+8NZGbmmR/prTM=
-github.com/hashicorp/memberlist v0.5.0/go.mod h1:yvyXLpo0QaGE59Y7hDTsTzDD25JYBZ4mHgHUZ8lrOI0=
-github.com/hashicorp/net-rpc-msgpackrpc/v2 v2.0.0 h1:kBpVVl1sl3MaSrs97e0+pDQhSrqJv9gVbSUrPpVfl1w=
-github.com/hashicorp/net-rpc-msgpackrpc/v2 v2.0.0/go.mod h1:6pdNz0vo0mF0GvhwDG56O3N18qBrAz/XRIcfINfTbwo=
-github.com/hashicorp/nomad/api v0.0.0-20230519153805-2275a83cbfdf h1:cKXVf1UJqwdkGiTF3idqCOLApAql0310OSmJxeiaMWg=
-github.com/hashicorp/nomad/api v0.0.0-20230519153805-2275a83cbfdf/go.mod h1:rb38DqjaaIfhJRiLeCAGgIt+wV7o78rB+liyFE3mVzE=
-github.com/hashicorp/raft v1.0.1/go.mod h1:DVSAWItjLjTOkVbSpWQ0j0kUADIvDaCtBxIcbNAQLkI=
-github.com/hashicorp/raft v1.1.0/go.mod h1:4Ak7FSPnuvmb0GV6vgIAJ4vYT4bek9bb6Q+7HVbyzqM=
-github.com/hashicorp/raft v1.1.2-0.20191002163536-9c6bd3e3eb17/go.mod h1:vPAJM8Asw6u8LxC3eJCUZmRP/E4QmUGE1R7g7k8sG/8=
-github.com/hashicorp/raft v1.2.0/go.mod h1:vPAJM8Asw6u8LxC3eJCUZmRP/E4QmUGE1R7g7k8sG/8=
-github.com/hashicorp/raft v1.3.10 h1:LR5QZX1VQd0DFWZfeCwWawyeKfpS/Tm1yjnJIY5X4Tw=
-github.com/hashicorp/raft v1.3.10/go.mod h1:J8naEwc6XaaCfts7+28whSeRvCqTd6e20BlCU3LtEO4=
-github.com/hashicorp/raft-autopilot v0.2.0 h1:2/R2RPgamgRKgNWGQioULZvjeKXQZmDuw5Ty+6c+H7Y=
-github.com/hashicorp/raft-autopilot v0.2.0/go.mod h1:q6tZ8UAZ5xio2gv2JvjgmtOlh80M6ic8xQYBe2Egkg8=
-github.com/hashicorp/raft-boltdb v0.0.0-20171010151810-6e5ba93211ea/go.mod h1:pNv7Wc3ycL6F5oOWn+tPGo2gWD4a5X+yp/ntwdKLjRk=
-github.com/hashicorp/raft-boltdb/v2 v2.0.0-20210421194847-a7e34179d62c h1:oiKun9QlrOz5yQxMZJ3tf1kWtFYuKSJzxzEDxDPevj4=
-github.com/hashicorp/raft-boltdb/v2 v2.0.0-20210421194847-a7e34179d62c/go.mod h1:kiPs9g148eLShc2TYagUAyKDnD+dH9U+CQKsXzlY9xo=
-github.com/hashicorp/raft-snapshot v1.0.4 h1:EuDuayAJPdiDmVk1ygTDnG2zDzrs0/6/yBuma1IYSow=
-github.com/hashicorp/raft-snapshot v1.0.4/go.mod h1:5sL9eUn72lH5DzsFIJ9jaysITbHksSSszImWSOTC8Ic=
-github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
-github.com/hashicorp/serf v0.10.1 h1:Z1H2J60yRKvfDYAOZLd2MU0ND4AH/WDz7xYHDWQsIPY=
-github.com/hashicorp/serf v0.10.1/go.mod h1:yL2t6BqATOLGc5HF7qbFkTfXoPIY0WZdWHfEvMqbG+4=
-github.com/hashicorp/vault-plugin-auth-alicloud v0.16.0 h1:DgJ9v3sWQlvyvpmCU/YAFdmGgLi6t8PHQ+O9UeYIuCg=
-github.com/hashicorp/vault-plugin-auth-alicloud v0.16.0/go.mod h1:UQa534XDQsSwwR4MYhOGnkF2gEao9zVABySBTfjAq08=
-github.com/hashicorp/vault-plugin-auth-azure v0.16.2 h1:ikzhUkiZ6QZ/mhoKNBVTJCzeaC9mEhXCqZ/7Z1Zoajg=
-github.com/hashicorp/vault-plugin-auth-azure v0.16.2/go.mod h1:W0Z5JnhQII42Ip22RFZ0pL01WCwIgrNroheUg4FCzxI=
-github.com/hashicorp/vault-plugin-auth-centrify v0.15.1 h1:6StAr5tltpySNgyUwWC8czm9ZqkO7NIZfcRmxxtFwQ8=
-github.com/hashicorp/vault-plugin-auth-centrify v0.15.1/go.mod h1:xXs4I5yLxbQ5VHcpvSxkRhShCTXd8Zyrni8qnFrfQ4Y=
-github.com/hashicorp/vault-plugin-auth-cf v0.15.1 h1:gtHOfVU4KDs1URlSCbIoio4eNXbSC+TXgtm/QWVBCU8=
-github.com/hashicorp/vault-plugin-auth-cf v0.15.1/go.mod h1:dPRh6mLCglXsiY9q/X6RSD39SUQyyFhbIbm4Y5JyG7s=
-github.com/hashicorp/vault-plugin-auth-gcp v0.16.1 h1:KasqciAWHP3Htruowdu8fhO5X1YFfY0Qi3nrsBlpDkU=
-github.com/hashicorp/vault-plugin-auth-gcp v0.16.1/go.mod h1:pLF4l4SjTMR24/FTsE1idVpKEeO8ah0x1Kpulw+I09I=
-github.com/hashicorp/vault-plugin-auth-jwt v0.17.0 h1:ZfgyFjZfquIn9qk1bytkaqUfG8mKx71RYaSb620dEh0=
-github.com/hashicorp/vault-plugin-auth-jwt v0.17.0/go.mod h1:R5ZtloCRWHnElOm+MXJadj2jkGMwF9Ybk3sn2kV3L48=
-github.com/hashicorp/vault-plugin-auth-kerberos v0.10.1 h1:nXni7zfOyhOWJBC42iWqIEZA+aYCo3diyVrr1mHs5yo=
-github.com/hashicorp/vault-plugin-auth-kerberos v0.10.1/go.mod h1:S0XEzmbUO+iuC44a8wqnL869l6WH0DUMVqxTIEkITys=
-github.com/hashicorp/vault-plugin-auth-kubernetes v0.17.1 h1:MVGosnlKQcgr6z9xrehCi5taYJyRw67JIJMNHaMXSAc=
-github.com/hashicorp/vault-plugin-auth-kubernetes v0.17.1/go.mod h1:KE7jUeiD2KE88CeC3YINWZ6A9B2VXPpzkX4bQgsl2lI=
-github.com/hashicorp/vault-plugin-auth-oci v0.14.2 h1:NcTn5LPRL6lVusPjqGkav+C8LRsy46QKdEk9HElQ5B0=
-github.com/hashicorp/vault-plugin-auth-oci v0.14.2/go.mod h1:FaLJvP+AUbeo4yop49aVit4JW/I9GfajFqI8wpX+b0w=
-github.com/hashicorp/vault-plugin-database-couchbase v0.9.4 h1:MaKlz3Guy9eVRJvTM4zUqlBzhEVE8LdlvsQSAURaVDo=
-github.com/hashicorp/vault-plugin-database-couchbase v0.9.4/go.mod h1:0cDXDEOSZt7mwBxOa4w2mIK1sioIv2jtflbODK5ZF10=
-github.com/hashicorp/vault-plugin-database-elasticsearch v0.13.3 h1:ngkRoBWXMsfkr6zTbn70z0WWMh7gtfMf0gjtR3k/lSA=
-github.com/hashicorp/vault-plugin-database-elasticsearch v0.13.3/go.mod h1:svc2PX2PaxcMmcixrCSPlgFdpRema0yDzc5WIzejvtg=
-github.com/hashicorp/vault-plugin-database-mongodbatlas v0.10.1 h1:st8aNVyXyiHpAq8CTWfxj1uGQHnggA5Hsg5ug0Qv2UA=
-github.com/hashicorp/vault-plugin-database-mongodbatlas v0.10.1/go.mod h1:rFvNp9rYOFPwAPFUHcGnRIwOlAYBPZHgKul/Sj2poPs=
-github.com/hashicorp/vault-plugin-database-redis v0.2.2 h1:nMpNIDP1Cvw5aMLXp3ObvXmv5c2X3GqBmoPNMtvWe5E=
-github.com/hashicorp/vault-plugin-database-redis v0.2.2/go.mod h1:POHYpUTsdJwGE1DSHaDlLjB/CpzBHLfIIVVXElBtbcs=
-github.com/hashicorp/vault-plugin-database-redis-elasticache v0.2.3 h1:Y2/teLlrYR80LATq4T2EZJgeQFkYUvExH1WUfssi2IU=
-github.com/hashicorp/vault-plugin-database-redis-elasticache v0.2.3/go.mod h1:eGj+U2NroyrtKqdNAoOG7is2mbmSIoTvDA0EETqWTDI=
-github.com/hashicorp/vault-plugin-database-snowflake v0.9.0 h1:kYr7DXkxuznPstyvt0HQ6HfMBv7M3agGjDcgiOJuxm4=
-github.com/hashicorp/vault-plugin-database-snowflake v0.9.0/go.mod h1:szELJH+NFTZPB4KbmIkcBD3E+BfVVdew7YCOFW7u2LY=
-github.com/hashicorp/vault-plugin-mock v0.16.1 h1:5QQvSUHxDjEEbrd2REOeacqyJnCLPD51IQzy71hx8P0=
-github.com/hashicorp/vault-plugin-mock v0.16.1/go.mod h1:83G4JKlOwUtxVourn5euQfze3ZWyXcUiLj2wqrKSDIM=
-github.com/hashicorp/vault-plugin-secrets-ad v0.16.1 h1:Ns0/JcpOrC3+yCYcV9+SbehfRkob1pB793VILE1yo2E=
-github.com/hashicorp/vault-plugin-secrets-ad v0.16.1/go.mod h1:WeR9mm1FT3jmuf0SDJmqy7N/9Y34Qv8elt43/k/oaW0=
-github.com/hashicorp/vault-plugin-secrets-alicloud v0.15.1 h1:LrcvOhx1hy8NvENdORrJUcpuY4JHDD5NvDILdlOgefw=
-github.com/hashicorp/vault-plugin-secrets-alicloud v0.15.1/go.mod h1:YKoctp9/8VkjIx827IrNCqSow/Z88wCz3Qb/sAFLe6o=
-github.com/hashicorp/vault-plugin-secrets-azure v0.16.3 h1:XqVsmkGK5szTZe3YpMlHB5v+QceujZDR7ghY/YOg7jk=
-github.com/hashicorp/vault-plugin-secrets-azure v0.16.3/go.mod h1:VuFiqDd4xvBxpb/F/QEeHE7wXgqqbPYIV61COLvY0tY=
-github.com/hashicorp/vault-plugin-secrets-gcp v0.17.0 h1:Z7IqtShXD8uDzLfKskk8rt84hZbXMHCtJT4YQrUigPs=
-github.com/hashicorp/vault-plugin-secrets-gcp v0.17.0/go.mod h1:VRSCqW/rYThWK/bmBiBKI1dKOg383xnedA/G9ghJrug=
-github.com/hashicorp/vault-plugin-secrets-gcpkms v0.15.1 h1:qUFOjiz5+wgZsRpOF0hCFeot9vZEyhqfJ4w/UFJAjfc=
-github.com/hashicorp/vault-plugin-secrets-gcpkms v0.15.1/go.mod h1:QG4LU5GIBXo1pqnfJXXwOe05PJSyhBh2p+mAq06iI8U=
-github.com/hashicorp/vault-plugin-secrets-kubernetes v0.6.0 h1:DePS4sSAbjYTQrpTPrqZLFMw9aFHsqqqhktBcVjhjzw=
-github.com/hashicorp/vault-plugin-secrets-kubernetes v0.6.0/go.mod h1:4nPWdBQxjIEGZaWWPKHixN7MFHjESOlOtNyy02e/w9c=
-github.com/hashicorp/vault-plugin-secrets-kv v0.16.2 h1:HdluNBrYGEEAJ1IrP3/T5RRgha16VGRlAisAlSB2hvI=
-github.com/hashicorp/vault-plugin-secrets-kv v0.16.2/go.mod h1:oJwVConr6pkDIIO8q8OO3FP5WtWj/iSWuhiPVdKt67E=
-github.com/hashicorp/vault-plugin-secrets-mongodbatlas v0.10.2 h1:5eFlzhFXoSe+ntm26wromhtLbPjTCdXcdwpMv7wFeHk=
-github.com/hashicorp/vault-plugin-secrets-mongodbatlas v0.10.2/go.mod h1:OdXvez+GH0XBSRS7gxbS8B1rLUPb8bGk+bDVyEaAzI8=
-github.com/hashicorp/vault-plugin-secrets-openldap v0.11.2 h1:LNzIP4zfWivAy/hgCIwETJFr7BBS91bsJ6AlsGhqAc8=
-github.com/hashicorp/vault-plugin-secrets-openldap v0.11.2/go.mod h1:osvWc6/BOZPR8Mdqp5dF40dAaHddEiylO1pDRI7DOqo=
-github.com/hashicorp/vault-plugin-secrets-terraform v0.7.3 h1:k5jCx6laFvQHvrQod+TSHSoDqF3ZSIlQB4Yzj6koz0I=
-github.com/hashicorp/vault-plugin-secrets-terraform v0.7.3/go.mod h1:yqCovAKNUNYnNrs5Wh95aExpsWEU45GB9FV7EquaSbA=
-github.com/hashicorp/vault-testing-stepwise v0.1.4 h1:Lsv1KdpQyjhvmLgKeH65FG5MmY5hMkF5LoX3xIxurjg=
-github.com/hashicorp/vault-testing-stepwise v0.1.4/go.mod h1:Ym1T/kMM2sT6qgCIIJ3an7uaSWCJ8O7ohsWB9UiB5tI=
-github.com/hashicorp/vault/vault/hcp_link/proto v0.0.0-20230201201504-b741fa893d77 h1:Y/+BtwxmRak3Us9jrByARvYW6uNeqZlEpMylIdXVIjY=
-github.com/hashicorp/vault/vault/hcp_link/proto v0.0.0-20230201201504-b741fa893d77/go.mod h1:a2crHoMWwY6aiL8GWT8hYj7vKD64uX0EdRPbnsHF5wU=
-github.com/hashicorp/vic v1.5.1-0.20190403131502-bbfe86ec9443 h1:O/pT5C1Q3mVXMyuqg7yuAWUg/jMZR1/0QTzTRdNR6Uw=
-github.com/hashicorp/vic v1.5.1-0.20190403131502-bbfe86ec9443/go.mod h1:bEpDU35nTu0ey1EXjwNwPjI9xErAsoOCmcMb9GKvyxo=
-github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
-github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
-github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
-github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
-github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/huandu/xstrings v1.3.1/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
-github.com/huandu/xstrings v1.3.2/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
-github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
-github.com/huandu/xstrings v1.4.0 h1:D17IlohoQq4UcpqD7fDk80P7l+lwAmlFaBHgOipl2FU=
-github.com/huandu/xstrings v1.4.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
-github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho=
-github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
-github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
-github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
-github.com/imdario/mergo v0.3.10/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
-github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
-github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
-github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg=
-github.com/imdario/mergo v0.3.15 h1:M8XP7IuFNsqUx6VPK2P9OSmsYsI/YFaGil0uD21V3dM=
-github.com/imdario/mergo v0.3.15/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
-github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
-github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/influxdata/influxdb v1.7.6/go.mod h1:qZna6X/4elxqT3yI9iZYdZrWWdeFOOprn86kgg4+IzY=
-github.com/influxdata/influxdb1-client v0.0.0-20200827194710-b269163b24ab h1:HqW4xhhynfjrtEiiSGcQUd6vrK23iMam1FO8rI7mwig=
-github.com/influxdata/influxdb1-client v0.0.0-20200827194710-b269163b24ab/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo=
-github.com/intel/goresctrl v0.2.0/go.mod h1:+CZdzouYFn5EsxgqAQTEzMfwKwuc0fVdMrT9FCCAVRQ=
-github.com/intel/goresctrl v0.3.0/go.mod h1:fdz3mD85cmP9sHD8JUlrNWAxvwM86CrbmVXltEKd7zk=
-github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56/go.mod h1:ymszkNOg6tORTn+6F6j+Jc8TOr5osrynvN6ivFWZ2GA=
-github.com/j-keck/arping v1.0.2/go.mod h1:aJbELhR92bSk7tp79AWM/ftfc90EfEi2bQJrbBFOsPw=
-github.com/jackc/chunkreader v1.0.0/go.mod h1:RT6O25fNZIuasFJRyZ4R/Y2BbhasbmZXF9QQ7T3kePo=
-github.com/jackc/chunkreader/v2 v2.0.0/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk=
-github.com/jackc/chunkreader/v2 v2.0.1 h1:i+RDz65UE+mmpjTfyz0MoVTnzeYxroil2G82ki7MGG8=
-github.com/jackc/chunkreader/v2 v2.0.1/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk=
-github.com/jackc/fake v0.0.0-20150926172116-812a484cc733 h1:vr3AYkKovP8uR8AvSGGUK1IDqRa5lAAvEkZG1LKaCRc=
-github.com/jackc/fake v0.0.0-20150926172116-812a484cc733/go.mod h1:WrMFNQdiFJ80sQsxDoMokWK1W5TQtxBFNpzWTD84ibQ=
-github.com/jackc/pgconn v0.0.0-20190420214824-7e0022ef6ba3/go.mod h1:jkELnwuX+w9qN5YIfX0fl88Ehu4XC3keFuOJJk9pcnA=
-github.com/jackc/pgconn v0.0.0-20190824142844-760dd75542eb/go.mod h1:lLjNuW/+OfW9/pnVKPazfWOgNfH2aPem8YQ7ilXGvJE=
-github.com/jackc/pgconn v0.0.0-20190831204454-2fabfa3c18b7/go.mod h1:ZJKsE/KZfsUgOEh9hBm+xYTstcNHg7UPMVJqRfQxq4s=
-github.com/jackc/pgconn v1.8.0/go.mod h1:1C2Pb36bGIP9QHGBYCjnyhqu7Rv3sGshaQUvmfGIB/o=
-github.com/jackc/pgconn v1.9.0/go.mod h1:YctiPyvzfU11JFxoXokUOOKQXQmDMoJL9vJzHH8/2JY=
-github.com/jackc/pgconn v1.9.1-0.20210724152538-d89c8390a530/go.mod h1:4z2w8XhRbP1hYxkpTuBjTS3ne3J48K83+u0zoyvg2pI=
-github.com/jackc/pgconn v1.14.0 h1:vrbA9Ud87g6JdFWkHTJXppVce58qPIdP7N8y0Ml/A7Q=
-github.com/jackc/pgconn v1.14.0/go.mod h1:9mBNlny0UvkgJdCDvdVHYSjI+8tD2rnKK69Wz8ti++E=
-github.com/jackc/pgio v1.0.0 h1:g12B9UwVnzGhueNavwioyEEpAmqMe1E/BN9ES+8ovkE=
-github.com/jackc/pgio v1.0.0/go.mod h1:oP+2QK2wFfUWgr+gxjoBH9KGBb31Eio69xUb0w5bYf8=
-github.com/jackc/pgmock v0.0.0-20190831213851-13a1b77aafa2/go.mod h1:fGZlG77KXmcq05nJLRkk0+p82V8B8Dw8KN2/V9c/OAE=
-github.com/jackc/pgmock v0.0.0-20201204152224-4fe30f7445fd/go.mod h1:hrBW0Enj2AZTNpt/7Y5rr2xe/9Mn757Wtb2xeBzPv2c=
-github.com/jackc/pgmock v0.0.0-20210724152146-4ad1a8207f65 h1:DadwsjnMwFjfWc9y5Wi/+Zz7xoE5ALHsRQlOctkOiHc=
-github.com/jackc/pgmock v0.0.0-20210724152146-4ad1a8207f65/go.mod h1:5R2h2EEX+qri8jOWMbJCtaPWkrrNc7OHwsp2TCqp7ak=
-github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
-github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
-github.com/jackc/pgproto3 v1.1.0/go.mod h1:eR5FA3leWg7p9aeAqi37XOTgTIbkABlvcPB3E5rlc78=
-github.com/jackc/pgproto3/v2 v2.0.0-alpha1.0.20190420180111-c116219b62db/go.mod h1:bhq50y+xrl9n5mRYyCBFKkpRVTLYJVWeCc+mEAI3yXA=
-github.com/jackc/pgproto3/v2 v2.0.0-alpha1.0.20190609003834-432c2951c711/go.mod h1:uH0AWtUmuShn0bcesswc4aBTWGvw0cAxIJp+6OB//Wg=
-github.com/jackc/pgproto3/v2 v2.0.0-rc3/go.mod h1:ryONWYqW6dqSg1Lw6vXNMXoBJhpzvWKnT95C46ckYeM=
-github.com/jackc/pgproto3/v2 v2.0.0-rc3.0.20190831210041-4c03ce451f29/go.mod h1:ryONWYqW6dqSg1Lw6vXNMXoBJhpzvWKnT95C46ckYeM=
-github.com/jackc/pgproto3/v2 v2.0.6/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
-github.com/jackc/pgproto3/v2 v2.1.1/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
-github.com/jackc/pgproto3/v2 v2.3.2 h1:7eY55bdBeCz1F2fTzSz69QC+pG46jYq9/jtSPiJ5nn0=
-github.com/jackc/pgproto3/v2 v2.3.2/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
-github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b/go.mod h1:vsD4gTJCa9TptPL8sPkXrLZ+hDuNrZCnj29CQpr4X1E=
-github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a h1:bbPeKD0xmW/Y25WS6cokEszi5g+S0QxI/d45PkRi7Nk=
-github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgtype v0.0.0-20190421001408-4ed0de4755e0/go.mod h1:hdSHsc1V01CGwFsrv11mJRHWJ6aifDLfdV3aVjFF0zg=
-github.com/jackc/pgtype v0.0.0-20190824184912-ab885b375b90/go.mod h1:KcahbBH1nCMSo2DXpzsoWOAfFkdEtEJpPbVLq8eE+mc=
-github.com/jackc/pgtype v0.0.0-20190828014616-a8802b16cc59/go.mod h1:MWlu30kVJrUS8lot6TQqcg7mtthZ9T0EoIBFiJcmcyw=
-github.com/jackc/pgtype v1.8.1-0.20210724151600-32e20a603178/go.mod h1:C516IlIV9NKqfsMCXTdChteoXmwgUceqaLfjg2e3NlM=
-github.com/jackc/pgtype v1.14.0 h1:y+xUdabmyMkJLyApYuPj38mW+aAIqCe5uuBB51rH3Vw=
-github.com/jackc/pgtype v1.14.0/go.mod h1:LUMuVrfsFfdKGLw+AFFVv6KtHOFMwRgDDzBt76IqCA4=
-github.com/jackc/pgx v3.3.0+incompatible h1:Wa90/+qsITBAPkAZjiByeIGHFcj3Ztu+VzrrIpHjL90=
-github.com/jackc/pgx v3.3.0+incompatible/go.mod h1:0ZGrqGqkRlliWnWB4zKnWtjbSWbGkVEFm4TeybAXq+I=
-github.com/jackc/pgx/v4 v4.0.0-20190420224344-cc3461e65d96/go.mod h1:mdxmSJJuR08CZQyj1PVQBHy9XOp5p8/SHH6a0psbY9Y=
-github.com/jackc/pgx/v4 v4.0.0-20190421002000-1b8f0016e912/go.mod h1:no/Y67Jkk/9WuGR0JG/JseM9irFbnEPbuWV2EELPNuM=
-github.com/jackc/pgx/v4 v4.0.0-pre1.0.20190824185557-6972a5742186/go.mod h1:X+GQnOEnf1dqHGpw7JmHqHc1NxDoalibchSk9/RWuDc=
-github.com/jackc/pgx/v4 v4.12.1-0.20210724153913-640aa07df17c/go.mod h1:1QD0+tgSXP7iUjYm9C1NxKhny7lq6ee99u/z+IHFcgs=
-github.com/jackc/pgx/v4 v4.18.1 h1:YP7G1KABtKpB5IHrO9vYwSrCOhs7p3uqhvhhQBptya0=
-github.com/jackc/pgx/v4 v4.18.1/go.mod h1:FydWkUyadDmdNH/mHnGob881GawxeEm7TcMCzkb+qQE=
-github.com/jackc/puddle v0.0.0-20190413234325-e4ced69a3a2b/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
-github.com/jackc/puddle v0.0.0-20190608224051-11cab39313c9/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
-github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
-github.com/jackc/puddle v1.3.0/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
-github.com/jarcoal/httpmock v0.0.0-20180424175123-9c70cfe4a1da/go.mod h1:ks+b9deReOc7jgqp+e7LuFiCBH6Rm5hL32cLcEAArb4=
-github.com/jarcoal/httpmock v1.0.7 h1:d1a2VFpSdm5gtjhCPWsQHSnx8+5V3ms5431YwvmkuNk=
-github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
-github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
-github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
-github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
-github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
-github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
-github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg=
-github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo=
-github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o=
-github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
-github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8=
-github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
-github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
-github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
-github.com/jeffchao/backoff v0.0.0-20140404060208-9d7fd7aa17f2 h1:mex1izRBCD+7WjieGgRdy7e651vD/lvB1bD9vNE/3K4=
-github.com/jeffchao/backoff v0.0.0-20140404060208-9d7fd7aa17f2/go.mod h1:xkfESuHriIekR+4RoV+fu91j/CfnYM29Zi2tMFw5iD4=
-github.com/jefferai/isbadcipher v0.0.0-20190226160619-51d2077c035f h1:E87tDTVS5W65euzixn7clSzK66puSt1H4I5SC0EmHH4=
-github.com/jefferai/isbadcipher v0.0.0-20190226160619-51d2077c035f/go.mod h1:3J2qVK16Lq8V+wfiL2lPeDZ7UWMxk5LemerHa1p6N00=
-github.com/jefferai/jsonx v1.0.0 h1:Xoz0ZbmkpBvED5W9W1B5B/zc3Oiq7oXqiW7iRV3B6EI=
-github.com/jefferai/jsonx v1.0.0/go.mod h1:OGmqmi2tTeI/PS+qQfBDToLHHJIy/RMp24fPo8vFvoQ=
-github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
-github.com/jhump/gopoet v0.0.0-20190322174617-17282ff210b3/go.mod h1:me9yfT6IJSlOL3FCfrg+L6yzUEZ+5jW6WHt4Sk+UPUI=
-github.com/jhump/gopoet v0.1.0/go.mod h1:me9yfT6IJSlOL3FCfrg+L6yzUEZ+5jW6WHt4Sk+UPUI=
-github.com/jhump/goprotoc v0.5.0/go.mod h1:VrbvcYrQOrTi3i0Vf+m+oqQWk9l72mjkJCYo7UvLHRQ=
-github.com/jhump/protoreflect v1.11.0/go.mod h1:U7aMIjN0NWq9swDP7xDdoMfRHb35uiuTd3Z9nFXJf5E=
-github.com/jhump/protoreflect v1.15.1 h1:HUMERORf3I3ZdX05WaQ6MIpd/NJ434hTp5YiKgfCL6c=
-github.com/jhump/protoreflect v1.15.1/go.mod h1:jD/2GMKKE6OqX8qTjhADU1e6DShO+gavG9e0Q693nKo=
-github.com/jimlambrt/gldap v0.1.4 h1:PoB5u4ND0E+6W99JtQJvcjGFw+iKi3Gx3M60oOJBOqE=
-github.com/jimlambrt/gldap v0.1.4/go.mod h1:ia/l4Jhm+tdupLvZe7tRCbpv+HyXr1B5QFirsewfWEA=
-github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
-github.com/jmespath/go-jmespath v0.0.0-20160803190731-bd40a432e4c7/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
-github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
-github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik=
-github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
-github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
-github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
-github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
-github.com/joefitzgerald/rainbow-reporter v0.1.0/go.mod h1:481CNgqmVHQZzdIbN52CupLJyoVwB10FQ/IQlF1pdL8=
-github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
-github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
-github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
-github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
-github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
-github.com/joyent/triton-go v0.0.0-20180628001255-830d2b111e62/go.mod h1:U+RSyWxWd04xTqnuOQxnai7XGS2PrPY2cfGoDKtMHjA=
-github.com/joyent/triton-go v1.7.1-0.20200416154420-6801d15b779f h1:ENpDacvnr8faw5ugQmEF1QYk+f/Y9lXFvuYmRxykago=
-github.com/joyent/triton-go v1.7.1-0.20200416154420-6801d15b779f/go.mod h1:KDSfL7qe5ZfQqvlDMkVjCztbmcpp/c8M77vhQP8ZPvk=
-github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
-github.com/json-iterator/go v1.1.5/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
-github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
-github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
-github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
-github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
-github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
-github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
-github.com/jung-kurt/gofpdf v1.0.0/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=
-github.com/jung-kurt/gofpdf v1.0.3-0.20190309125859-24315acbbda5/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=
-github.com/karrick/godirwalk v1.8.0/go.mod h1:H5KPZjojv4lE+QYImBI8xVtrBRgYrIVsaRPx4tDPEn4=
-github.com/karrick/godirwalk v1.10.3/go.mod h1:RoGL9dQei4vP9ilrpETWE8CLOZ1kiN0LhBygSwrAsHA=
-github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
-github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dvMUtDTo2cv8=
-github.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg=
-github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
-github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
-github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
-github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/asmfmt v1.3.2 h1:4Ri7ox3EwapiOjCki+hw14RyKk201CN4rzyCJRFLpK4=
-github.com/klauspost/asmfmt v1.3.2/go.mod h1:AG8TuvYojzulgDAMCnYn50l/5QV3Bs/tp6j0HLHbNSE=
-github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
-github.com/klauspost/compress v1.9.5/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
-github.com/klauspost/compress v1.10.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
-github.com/klauspost/compress v1.11.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
-github.com/klauspost/compress v1.11.4/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
-github.com/klauspost/compress v1.11.13/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
-github.com/klauspost/compress v1.12.3/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
-github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
-github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
-github.com/klauspost/compress v1.15.11/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM=
-github.com/klauspost/compress v1.15.15/go.mod h1:ZcK2JAFqKOpnBlxcLsJzYfrS9X1akm9fHZNnD9+Vo/4=
-github.com/klauspost/compress v1.16.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
-github.com/klauspost/compress v1.16.5 h1:IFV2oUNUzZaz+XyusxpLzpzS8Pt5rh0Z16For/djlyI=
-github.com/klauspost/compress v1.16.5/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
-github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
-github.com/klauspost/cpuid/v2 v2.0.4/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
-github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
-github.com/klauspost/cpuid/v2 v2.2.3 h1:sxCkb+qR91z4vsqw4vGGZlDgPz3G7gjaLyK3V8y70BU=
-github.com/klauspost/cpuid/v2 v2.2.3/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY=
-github.com/klauspost/pgzip v1.2.5 h1:qnWYvvKqedOF2ulHpMG72XQol4ILEJ8k2wwRl/Km8oE=
-github.com/klauspost/pgzip v1.2.5/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
-github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
-github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
-github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
-github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
-github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
-github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA=
-github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
-github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
-github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
-github.com/leodido/go-urn v1.2.0 h1:hpXL4XnriNwQ/ABnpepYM/1vCLWNDfUNts8dX3xTG6Y=
-github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII=
-github.com/lestrrat-go/backoff/v2 v2.0.8/go.mod h1:rHP/q/r9aT27n24JQLa7JhSQZCKBBOiM/uP402WwN8Y=
-github.com/lestrrat-go/blackmagic v1.0.0/go.mod h1:TNgH//0vYSs8VXDCfkZLgIrVTTXQELZffUV0tz3MtdQ=
-github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
-github.com/lestrrat-go/iter v1.0.1/go.mod h1:zIdgO1mRKhn8l9vrZJZz9TUMMFbQbLeTsbqPDrJ/OJc=
-github.com/lestrrat-go/jwx v1.2.25/go.mod h1:zoNuZymNl5lgdcu6P7K6ie2QRll5HVfF4xwxBBK1NxY=
-github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
-github.com/lib/pq v0.0.0-20180327071824-d34b9ff171c2/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
-github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
-github.com/lib/pq v1.1.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
-github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
-github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
-github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
-github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/linode/linodego v0.7.1 h1:4WZmMpSA2NRwlPZcc0+4Gyn7rr99Evk9bnr0B3gXRKE=
-github.com/linode/linodego v0.7.1/go.mod h1:ga11n3ivecUrPCHN0rANxKmfWBJVkOXfLMZinAbj2sY=
-github.com/linuxkit/virtsock v0.0.0-20201010232012-f8cee7dfc7a3/go.mod h1:3r6x7q95whyfWQpmGZTu3gk3v2YkMi05HEzl7Tf7YEo=
-github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4=
-github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
-github.com/lyft/protoc-gen-star v0.6.0/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA=
-github.com/lyft/protoc-gen-star v0.6.1/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA=
-github.com/lyft/protoc-gen-star/v2 v2.0.1/go.mod h1:RcCdONR2ScXaYnQC5tUzxzlpA3WVYF7/opLeUgcQs/o=
-github.com/lyft/protoc-gen-star/v2 v2.0.3/go.mod h1:amey7yeodaJhXSbf/TlLvWiqQfLOSpEk//mLlc+axEk=
-github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
-github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
-github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
-github.com/mailru/easyjson v0.7.1/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
-github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
-github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
-github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
-github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE=
-github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0=
-github.com/marstr/guid v1.1.0/go.mod h1:74gB1z2wpxxInTG6yaqA7KrtM0NZ+RbrcqDvYHefzho=
-github.com/martini-contrib/render v0.0.0-20150707142108-ec18f8345a11 h1:YFh+sjyJTMQSYjKwM4dFKhJPJC/wfo98tPUc17HdoYw=
-github.com/martini-contrib/render v0.0.0-20150707142108-ec18f8345a11/go.mod h1:Ah2dBMoxZEqk118as2T4u4fjfXarE0pPnMJaArZQZsI=
-github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A=
-github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
-github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
-github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
-github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
-github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
-github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
-github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
-github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
-github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
-github.com/mattn/go-ieproxy v0.0.1 h1:qiyop7gCflfhwCzGyeT0gro3sF9AIg9HU98JORTkqfI=
-github.com/mattn/go-ieproxy v0.0.1/go.mod h1:pYabZ6IHcRpFh7vIaLfK7rdcWgFEb3SFJ6/gNWuh88E=
-github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
-github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
-github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
-github.com/mattn/go-isatty v0.0.7/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
-github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
-github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84=
-github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
-github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
-github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
-github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
-github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
-github.com/mattn/go-runewidth v0.0.3/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
-github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
-github.com/mattn/go-shellwords v1.0.3/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o=
-github.com/mattn/go-shellwords v1.0.6/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o=
-github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
-github.com/mattn/go-sqlite3 v1.14.14/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
-github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
-github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
-github.com/matttproud/golang_protobuf_extensions v1.0.2/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
-github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
-github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
-github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88Jz2VyhSmden33/aXg4oVIY=
-github.com/mediocregopher/radix/v4 v4.1.4 h1:Uze6DEbEAvL+VHXUEu/EDBTkUk5CLct5h3nVSGpc6Ts=
-github.com/mediocregopher/radix/v4 v4.1.4/go.mod h1:ajchozX/6ELmydxWeWM6xCFHVpZ4+67LXHOTOVR0nCE=
-github.com/mholt/archiver/v3 v3.5.1 h1:rDjOBX9JSF5BvoJGvjqK479aL70qh9DIpZCl+k7Clwo=
-github.com/mholt/archiver/v3 v3.5.1/go.mod h1:e3dqJ7H78uzsRSEACH1joayhuSyhnonssnDhppzS1L4=
-github.com/michaelklishin/rabbit-hole/v2 v2.12.0 h1:946p6jOYFcVJdtBBX8MwXvuBkpPjwm1Nm2Qg8oX+uFk=
-github.com/michaelklishin/rabbit-hole/v2 v2.12.0/go.mod h1:AN/3zyz7d++OHf+4WUo/LR0+Q5nlPHMaXasIsG/mPY0=
-github.com/microsoft/go-mssqldb v1.5.0 h1:CgENxkwtOBNj3Jg6T1X209y2blCfTTcwuOlznd2k9fk=
-github.com/microsoft/go-mssqldb v1.5.0/go.mod h1:lmWsjHD8XX/Txr0f8ZqgbEZSC+BZjmEQy/Ms+rLrvho=
-github.com/microsoft/kiota-abstractions-go v1.2.0 h1:lUriJgqdCY/QajwWQOgTCQE9Atywfe2NHhgoTCSXTRE=
-github.com/microsoft/kiota-abstractions-go v1.2.0/go.mod h1:RkxyZ5x87Njik7iVeQY9M2wtrrL1MJZcXiI/BxD/82g=
-github.com/microsoft/kiota-authentication-azure-go v1.0.0 h1:29FNZZ/4nnCOwFcGWlB/sxPvWz487HA2bXH8jR5k2Rk=
-github.com/microsoft/kiota-authentication-azure-go v1.0.0/go.mod h1:rnx3PRlkGdXDcA/0lZQTbBwyYGmc+3POt7HpE/e4jGw=
-github.com/microsoft/kiota-http-go v1.1.0 h1:L5I93EiNtlP/X6YzeTlhjWt7Q1DxzC9CmWSVtX3b0tE=
-github.com/microsoft/kiota-http-go v1.1.0/go.mod h1:zESUM6ovki9LEupqziCbxJ+FAYoF0dFDYZVpOkAfSLc=
-github.com/microsoft/kiota-serialization-form-go v1.0.0 h1:UNdrkMnLFqUCccQZerKjblsyVgifS11b3WCx+eFEsAI=
-github.com/microsoft/kiota-serialization-form-go v1.0.0/go.mod h1:h4mQOO6KVTNciMF6azi1J9QB19ujSw3ULKcSNyXXOMA=
-github.com/microsoft/kiota-serialization-json-go v1.0.4 h1:5TaISWwd2Me8clrK7SqNATo0tv9seOq59y4I5953egQ=
-github.com/microsoft/kiota-serialization-json-go v1.0.4/go.mod h1:rM4+FsAY+9AEpBsBzkFFis+b/LZLlNKKewuLwK9Q6Mg=
-github.com/microsoft/kiota-serialization-text-go v1.0.0 h1:XOaRhAXy+g8ZVpcq7x7a0jlETWnWrEum0RhmbYrTFnA=
-github.com/microsoft/kiota-serialization-text-go v1.0.0/go.mod h1:sM1/C6ecnQ7IquQOGUrUldaO5wj+9+v7G2W3sQ3fy6M=
-github.com/microsoftgraph/msgraph-sdk-go v1.13.0 h1:k+3FJJYCSBcnIueefLrO4Ofsd4UP4NzOQ9k3La8I2oU=
-github.com/microsoftgraph/msgraph-sdk-go v1.13.0/go.mod h1:ccLv84FJFtwdSzYWM/HlTes5FLzkzzBsYh9kg93/WS8=
-github.com/microsoftgraph/msgraph-sdk-go-core v1.0.0 h1:7NWTfyXvOjoizW7PmxNp3+8wCKPgpODs/D1cUZ3fkAY=
-github.com/microsoftgraph/msgraph-sdk-go-core v1.0.0/go.mod h1:tQb4q3YMIj2dWhhXhQSJ4ELpol931ANKzHSYK5kX1qE=
-github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
-github.com/miekg/dns v1.1.25/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso=
-github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso=
-github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI=
-github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg=
-github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4=
-github.com/miekg/pkcs11 v1.0.3/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
-github.com/miekg/pkcs11 v1.1.1/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
-github.com/mikesmitty/edkey v0.0.0-20170222072505-3356ea4e686a h1:eU8j/ClY2Ty3qdHnn0TyW3ivFoPC/0F1gQZz8yTxbbE=
-github.com/mikesmitty/edkey v0.0.0-20170222072505-3356ea4e686a/go.mod h1:v8eSC2SMp9/7FTKUncp7fH9IwPfw+ysMObcEz5FWheQ=
-github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8 h1:AMFGa4R4MiIpspGNG7Z948v4n35fFGB3RR3G/ry4FWs=
-github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8/go.mod h1:mC1jAcsrzbxHt8iiaC+zU4b1ylILSosueou12R++wfY=
-github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3 h1:+n/aFZefKZp7spd8DFdX7uMikMLXX4oubIzJF4kv/wI=
-github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3/go.mod h1:RagcQ7I8IeTMnF8JTXieKnO4Z6JCsikNEzj0DwauVzE=
-github.com/minio/sha256-simd v1.0.0/go.mod h1:OuYzVNI5vcoYIAmbIvHPl3N3jUzVedXbKy5RFepssQM=
-github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible/go.mod h1:8AuVvqP/mXw1px98n46wfvcGfQ4ci2FwoAjKYxuo3Z4=
-github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
-github.com/mitchellh/cli v1.1.0/go.mod h1:xcISNoH86gajksDmfB23e/pu+B+GeFRMYmoHXxx3xhI=
-github.com/mitchellh/cli v1.1.5 h1:OxRIeJXpAMztws/XHlN2vu6imG5Dpq+j61AzAX5fLng=
-github.com/mitchellh/cli v1.1.5/go.mod h1:v8+iFts2sPIKUV1ltktPXMCC8fumSKFItNcD2cLtRR4=
-github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db h1:62I3jR2EmQ4l5rM/4FEfDWcRD+abF5XlKShorW5LRoQ=
-github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db/go.mod h1:l0dey0ia/Uv7NcFFVbCLtqEBQbrT4OCwCSKTEv6enCw=
-github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
-github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
-github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
-github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
-github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
-github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
-github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU=
-github.com/mitchellh/go-testing-interface v1.14.1/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8=
-github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
-github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
-github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
-github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg=
-github.com/mitchellh/hashstructure v1.1.0 h1:P6P1hdjqAAknpY/M1CGipelZgp+4y9ja9kmUZPXP+H0=
-github.com/mitchellh/hashstructure v1.1.0/go.mod h1:xUDAozZz0Wmdiufv0uyhnHkUTN6/6d8ulp4AwfLKrmA=
-github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
-github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/mitchellh/mapstructure v1.3.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/mitchellh/mapstructure v1.3.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/mitchellh/mapstructure v1.4.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
-github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f/go.mod h1:OkQIRizQZAeMln+1tSwduZz7+Af5oFlKirV/MSYes2A=
-github.com/mitchellh/pointerstructure v1.2.1 h1:ZhBBeX8tSlRpu/FFhXH4RC4OJzFlqsQhoHZAz4x7TIw=
-github.com/mitchellh/pointerstructure v1.2.1/go.mod h1:BRAsLI5zgXmw97Lf6s25bs8ohIXc3tViBH44KcwB2g4=
-github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
-github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
-github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
-github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b/go.mod h1:pzzDgJWZ34fGzaAZGFW22KVZDfyrYW+QABMrWnJBnSs=
-github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
-github.com/moby/patternmatcher v0.5.0 h1:YCZgJOeULcxLw1Q+sVR636pmS7sPEn1Qo2iAN6M7DBo=
-github.com/moby/patternmatcher v0.5.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
-github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
-github.com/moby/sys/mountinfo v0.4.0/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
-github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
-github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU=
-github.com/moby/sys/mountinfo v0.6.2/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
-github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
-github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
-github.com/moby/sys/signal v0.6.0/go.mod h1:GQ6ObYZfqacOwTtlXvcmh9A26dVRul/hbOZn88Kg8Tg=
-github.com/moby/sys/signal v0.7.0/go.mod h1:GQ6ObYZfqacOwTtlXvcmh9A26dVRul/hbOZn88Kg8Tg=
-github.com/moby/sys/symlink v0.1.0/go.mod h1:GGDODQmbFOjFsXvfLVn3+ZRxkch54RkSiGqsZeMYowQ=
-github.com/moby/sys/symlink v0.2.0/go.mod h1:7uZVF2dqJjG/NsClqul95CqKOBRQyYSNnJ6BMgR/gFs=
-github.com/moby/term v0.0.0-20200312100748-672ec06f55cd/go.mod h1:DdlQx2hp0Ss5/fLikoLlEeIYiATotOjgB//nb973jeo=
-github.com/moby/term v0.0.0-20201216013528-df9cb8a40635/go.mod h1:FBS0z0QWA44HXygs7VXDUOGoN/1TV3RuWkLO04am3wc=
-github.com/moby/term v0.0.0-20210610120745-9d4ed1856297/go.mod h1:vgPCkQMyxTZ7IDy8SXRufE172gr8+K/JE/7hHFxHW3A=
-github.com/moby/term v0.0.0-20220808134915-39b0c02b01ae/go.mod h1:E2VnQOmVuvZB6UYnnDB0qG5Nq/1tD9acaOpo6xmt0Kw=
-github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
-github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
-github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
-github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
-github.com/modocache/gover v0.0.0-20171022184752-b58185e213c5/go.mod h1:caMODM3PzxT8aQXRPkAt8xlV/e7d7w8GM5g0fa5F0D8=
-github.com/mongodb-forks/digest v1.0.5 h1:EJu3wtLZcA0HCvsZpX5yuD193/sW9tHiNvrEM5apXMk=
-github.com/mongodb-forks/digest v1.0.5/go.mod h1:rb+EX8zotClD5Dj4NdgxnJXG9nwrlx3NWKJ8xttz1Dg=
-github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc=
-github.com/montanaflynn/stats v0.6.6/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
-github.com/montanaflynn/stats v0.7.0 h1:r3y12KyNxj/Sb/iOE46ws+3mS1+MZca1wlHQFPsY/JU=
-github.com/montanaflynn/stats v0.7.0/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
-github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
-github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
-github.com/mr-tron/base58 v1.2.0/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjWI2mNwc=
-github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
-github.com/mtibben/percent v0.2.1 h1:5gssi8Nqo8QU/r2pynCm+hBQHpkB/uNK7BJCFogWdzs=
-github.com/mtibben/percent v0.2.1/go.mod h1:KG9uO+SZkUp+VkRHsCdYQV3XSZrrSpR3O9ibNBTZrns=
-github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
-github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
-github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
-github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/natefinch/atomic v0.0.0-20150920032501-a62ce929ffcc h1:7xGrl4tTpBQu5Zjll08WupHyq+Sp0Z/adtyf1cfk3Q8=
-github.com/natefinch/atomic v0.0.0-20150920032501-a62ce929ffcc/go.mod h1:1rLVY/DWf3U6vSZgH16S7pymfrhK2lcUlXjgGglw/lY=
-github.com/ncw/swift v1.0.47 h1:4DQRPj35Y41WogBxyhOXlrI37nzGlyEcsforeudyYPQ=
-github.com/ncw/swift v1.0.47/go.mod h1:23YIA4yWVnGwv2dQlN4bB7egfYX6YLn0Yo/S6zZO/ZM=
-github.com/networkplumbing/go-nft v0.2.0/go.mod h1:HnnM+tYvlGAsMU7yoYwXEVLLiDW9gdMmb5HoGcwpuQs=
-github.com/nicolai86/scaleway-sdk v1.10.2-0.20180628010248-798f60e20bb2 h1:BQ1HW7hr4IVovMwWg0E0PYcyW8CzqDcVmaew9cujU4s=
-github.com/nicolai86/scaleway-sdk v1.10.2-0.20180628010248-798f60e20bb2/go.mod h1:TLb2Sg7HQcgGdloNxkrmtgDNR9uVYF3lfdFIN4Ro6Sk=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/nwaples/rardecode v1.1.0/go.mod h1:5DzqNKiOdpKKBH87u8VlvAnPZMXcGRhxWkRpHbbfGS0=
-github.com/nwaples/rardecode v1.1.2 h1:Cj0yZY6T1Zx1R7AhTbyGSALm44/Mmq+BAPc4B/p/d3M=
-github.com/nwaples/rardecode v1.1.2/go.mod h1:5DzqNKiOdpKKBH87u8VlvAnPZMXcGRhxWkRpHbbfGS0=
-github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
-github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
-github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
-github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
-github.com/oklog/run v1.1.0 h1:GEenZ1cK0+q0+wsJew9qUg/DyD8k3JzYsZAi5gYi2mA=
-github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DVU=
-github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
-github.com/okta/okta-sdk-golang/v2 v2.12.1 h1:U+smE7trkHSZO8Mval3Ow85dbxawO+pMAr692VZq9gM=
-github.com/okta/okta-sdk-golang/v2 v2.12.1/go.mod h1:KRoAArk1H216oiRnQT77UN6JAhBOnOWkK27yA1SM7FQ=
-github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo=
-github.com/olekukonko/tablewriter v0.0.0-20180130162743-b8a9be070da4/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo=
-github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
-github.com/onsi/ginkgo v0.0.0-20151202141238-7f8ab55aaf3b/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.12.0/go.mod h1:oUhWkIvk5aDxtKvDDuw8gItl8pKl42LzjC9KZE0HfGg=
-github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
-github.com/onsi/ginkgo v1.13.0/go.mod h1:+REjRxOmWfHCjfv9TTWB1jD1Frx4XydAD3zm1lskyM0=
-github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
-github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
-github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
-github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
-github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c=
-github.com/onsi/ginkgo/v2 v2.1.4/go.mod h1:um6tUpWM/cxCK3/FK8BXqEiUMUwRgSM4JXG47RKZmLU=
-github.com/onsi/ginkgo/v2 v2.1.6/go.mod h1:MEH45j8TBi6u9BMogfbp0stKC5cdGjumZj5Y7AG4VIk=
-github.com/onsi/ginkgo/v2 v2.3.0/go.mod h1:Eew0uilEqZmIEZr8JrvYlvOM7Rr6xzTmMV8AyFNU9d0=
-github.com/onsi/ginkgo/v2 v2.4.0/go.mod h1:iHkDK1fKGcBoEHT5W7YBq4RFWaQulw+caOMkAt4OrFo=
-github.com/onsi/ginkgo/v2 v2.5.0/go.mod h1:Luc4sArBICYCS8THh8v3i3i5CuSZO+RaQRaJoeNwomw=
-github.com/onsi/ginkgo/v2 v2.6.1/go.mod h1:yjiuMwPokqY1XauOgju45q3sJt6VzQ/Fict1LFVcsAo=
-github.com/onsi/ginkgo/v2 v2.9.4 h1:xR7vG4IXt5RWx6FfIjyAtsoMAtnc3C/rFXBBd2AjZwE=
-github.com/onsi/gomega v0.0.0-20151007035656-2152b45fa28a/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
-github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
-github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
-github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
-github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
-github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDsH8xc=
-github.com/onsi/gomega v1.15.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0=
-github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
-github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
-github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro=
-github.com/onsi/gomega v1.20.1/go.mod h1:DtrZpjmvpn2mPm4YWQa0/ALMDj9v4YxLgojwPeREyVo=
-github.com/onsi/gomega v1.21.1/go.mod h1:iYAIXgPSaDHak0LCMA+AWBpIKBr8WZicMxnE8luStNc=
-github.com/onsi/gomega v1.22.1/go.mod h1:x6n7VNe4hw0vkyYUM4mjIXx3JbLiPaBPNgB7PRQ1tuM=
-github.com/onsi/gomega v1.23.0/go.mod h1:Z/NWtiqwBrwUt4/2loMmHL63EDLnYHmVbuBpDr2vQAg=
-github.com/onsi/gomega v1.24.0/go.mod h1:Z/NWtiqwBrwUt4/2loMmHL63EDLnYHmVbuBpDr2vQAg=
-github.com/onsi/gomega v1.24.1/go.mod h1:3AOiACssS3/MajrniINInwbfOOtfZvplPzuRSmvt1jM=
-github.com/onsi/gomega v1.24.2/go.mod h1:gs3J10IS7Z7r7eXRoNJIrNqU4ToQukCJhFtKrWgHWnk=
-github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE=
-github.com/open-policy-agent/opa v0.42.2/go.mod h1:MrmoTi/BsKWT58kXlVayBb+rYVeaMwuBm3nYAN3923s=
-github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
-github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
-github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
-github.com/opencontainers/go-digest v1.0.0-rc1.0.20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
-github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
-github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.0.0/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
-github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
-github.com/opencontainers/image-spec v1.0.2-0.20211117181255-693428a734f5/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
-github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
-github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
-github.com/opencontainers/image-spec v1.1.0-rc2/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ=
-github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b h1:YWuSjZCQAPM8UUBLkYUk1e+rZcvWHJmFb6i6rM44Xs8=
-github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ=
-github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
-github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
-github.com/opencontainers/runc v1.0.0-rc8.0.20190926000215-3e425f80a8c9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
-github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
-github.com/opencontainers/runc v1.0.0-rc93/go.mod h1:3NOsor4w32B2tC0Zbl8Knk4Wg84SM2ImC1fxBuqJ/H0=
-github.com/opencontainers/runc v1.0.2/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0=
-github.com/opencontainers/runc v1.1.0/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc=
-github.com/opencontainers/runc v1.1.2/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc=
-github.com/opencontainers/runc v1.1.4/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg=
-github.com/opencontainers/runc v1.1.5/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg=
-github.com/opencontainers/runc v1.1.6 h1:XbhB8IfG/EsnhNvZtNdLB0GBw92GYEFvKlhaJk9jUgA=
-github.com/opencontainers/runc v1.1.6/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50=
-github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/runtime-spec v1.1.0-rc.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs=
-github.com/opencontainers/runtime-tools v0.9.0/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs=
-github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626/go.mod h1:BRHJJd0E+cx42OybVYSgUvZmU0B8P9gZuRXlZUP7TKI=
-github.com/opencontainers/selinux v1.6.0/go.mod h1:VVGKuOLlE7v4PJyT6h7mNWvq1rzqiriPsEqVhc+svHE=
-github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo=
-github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8=
-github.com/opencontainers/selinux v1.9.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
-github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
-github.com/opencontainers/selinux v1.10.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
-github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
-github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
-github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b h1:FfH+VrHHk6Lxt9HdVS0PXzSXFyS2NbZKXv33FYPol0A=
-github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b/go.mod h1:AC62GU6hc0BrNm+9RK9VSiwa/EUe1bkIeFORAMcHvJU=
-github.com/oracle/oci-go-sdk v24.3.0+incompatible h1:x4mcfb4agelf1O4/1/auGlZ1lr97jXRSSN5MxTgG/zU=
-github.com/oracle/oci-go-sdk v24.3.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888=
-github.com/oracle/oci-go-sdk/v60 v60.0.0 h1:EJAWjEi4SY5Raha6iUzq4LTQ0uM5YFw/wat/L1ehIEM=
-github.com/oracle/oci-go-sdk/v60 v60.0.0/go.mod h1:krz+2gkSzlSL/L4PvP0Z9pZpag9HYLNtsMd1PmxlA2w=
-github.com/ory/dockertest v3.3.5+incompatible h1:iLLK6SQwIhcbrG783Dghaaa3WPzGc+4Emza6EbVUUGA=
-github.com/ory/dockertest v3.3.5+incompatible/go.mod h1:1vX4m9wsvi00u5bseYwXaSnhNrne+V0E6LAcBILJdPs=
-github.com/ory/dockertest/v3 v3.10.0 h1:4K3z2VMe8Woe++invjaTB7VRyQXQy5UY+loujO4aNE4=
-github.com/ory/dockertest/v3 v3.10.0/go.mod h1:nr57ZbRWMqfsdGdFNLHz5jjNdDb7VVFnzAeW1n5N1Lg=
-github.com/oxtoacart/bpool v0.0.0-20150712133111-4e1c5567d7c2 h1:CXwSGu/LYmbjEab5aMCs5usQRVBGThelUKBNnoSOuso=
-github.com/oxtoacart/bpool v0.0.0-20150712133111-4e1c5567d7c2/go.mod h1:L3UMQOThbttwfYRNFOWLLVXMhk5Lkio4GGOtw5UrxS0=
-github.com/packethost/packngo v0.1.1-0.20180711074735-b9cb5096f54c h1:vwpFWvAO8DeIZfFeqASzZfsxuWPno9ncAebBEP0N3uE=
-github.com/packethost/packngo v0.1.1-0.20180711074735-b9cb5096f54c/go.mod h1:otzZQXgoO96RTzDB/Hycg0qZcXZsWJGJRSXbmEIJ+4M=
-github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
-github.com/pascaldekloe/goe v0.1.0 h1:cBOtyMzM9HTpWjXfbbunk26uA6nG3a8n06Wieeh0MwY=
-github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
-github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
-github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
-github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
-github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
-github.com/pelletier/go-toml v1.4.0/go.mod h1:PN7xzY2wHTK0K9p34ErDQMlFxa51Fk0OUruD3k1mMwo=
-github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE=
-github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc=
-github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
-github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
-github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/peterh/liner v0.0.0-20170211195444-bf27d3ba8e1d/go.mod h1:xIteQHvHuaLYG9IFj6mSxM0fCKrs34IrEQUhOYuGPHc=
-github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 h1:q2e307iGHPdTGp0hoxKjt1H5pDo6utceo3dQVK3I5XQ=
-github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5/go.mod h1:jvVRKCrJTQWu0XVbaOlby/2lO20uSCHEMzzplHXte1o=
-github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE=
-github.com/phpdave11/gofpdf v1.4.2/go.mod h1:zpO6xFn9yxo3YLyMvW8HcKWVdbNqgIfOOp2dXMnm1mY=
-github.com/phpdave11/gofpdi v1.0.12/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI=
-github.com/phpdave11/gofpdi v1.0.13/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI=
-github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9FV9ix19jjM=
-github.com/pierrec/lz4 v2.6.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
-github.com/pierrec/lz4/v4 v4.1.2/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
-github.com/pierrec/lz4/v4 v4.1.15/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
-github.com/pierrec/lz4/v4 v4.1.17 h1:kV4Ip+/hUBC+8T6+2EgburRtkE9ef4nbY3f4dFhGjMc=
-github.com/pierrec/lz4/v4 v4.1.17/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
-github.com/pires/go-proxyproto v0.6.1 h1:EBupykFmo22SDjv4fQVQd2J9NOoLPmyZA/15ldOGkPw=
-github.com/pires/go-proxyproto v0.6.1/go.mod h1:Odh9VFOZJCf9G8cLW5o435Xf1J95Jw9Gw5rnCjcwzAY=
-github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
-github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI=
-github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4/go.mod h1:4OwLy04Bl9Ef3GJJCoec+30X3LQs/0/m4HFRt/2LUSA=
-github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4/go.mod h1:N6UoU20jOqggOuDwUaBQpluzLNDqif3kq9z2wpdYEfQ=
-github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU=
-github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI=
-github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
-github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI=
-github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
-github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
-github.com/posener/complete v1.2.3 h1:NP0eAhjcjImqslEwo/1hq7gpajME0fTLTezBKDqfXqo=
-github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s=
-github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw=
-github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
-github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
-github.com/pquerna/cachecontrol v0.1.0 h1:yJMy84ti9h/+OEWa752kBTKv4XC30OtVVHYv/8cTqKc=
-github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI=
-github.com/pquerna/otp v1.2.1-0.20191009055518-468c2dd2b58d h1:PinQItctnaL2LtkaSM678+ZLLy5TajwOeXzWvYC7tII=
-github.com/pquerna/otp v1.2.1-0.20191009055518-468c2dd2b58d/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
-github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
-github.com/prometheus/client_golang v0.0.0-20180209125602-c332b6f63c06/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
-github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
-github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4xf/QclQDMrYNZzcM=
-github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
-github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
-github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g=
-github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU=
-github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
-github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
-github.com/prometheus/client_golang v1.11.1/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
-github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY=
-github.com/prometheus/client_golang v1.12.2/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY=
-github.com/prometheus/client_golang v1.13.0/go.mod h1:vTeo+zgvILHsnnj/39Ou/1fPN5nJFOEMgftOUOmlvYQ=
-github.com/prometheus/client_golang v1.14.0 h1:nJdhIvne2eSX/XRAFV9PcvFFRbrjbcTUj0VP62TMhnw=
-github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y=
-github.com/prometheus/client_model v0.0.0-20171117100541-99fa1f4be8e5/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
-github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
-github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w=
-github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY=
-github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU=
-github.com/prometheus/common v0.0.0-20180110214958-89604d197083/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
-github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
-github.com/prometheus/common v0.0.0-20181126121408-4724e9255275/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
-github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
-github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
-github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc=
-github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4=
-github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
-github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
-github.com/prometheus/common v0.30.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
-github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
-github.com/prometheus/common v0.37.0 h1:ccBbHCgIiT9uSoFY0vX8H3zsNR5eLt17/RQLUvn8pXE=
-github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA=
-github.com/prometheus/procfs v0.0.0-20180125133057-cb4147076ac7/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
-github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
-github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
-github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
-github.com/prometheus/procfs v0.0.0-20190522114515-bc1a522cf7b1/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
-github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
-github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
-github.com/prometheus/procfs v0.0.5/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
-github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A=
-github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
-github.com/prometheus/procfs v0.2.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
-github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
-github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
-github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo=
-github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4=
-github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
-github.com/rboyer/safeio v0.2.1 h1:05xhhdRNAdS3apYm7JRjOqngf4xruaW959jmRxGDuSU=
-github.com/rboyer/safeio v0.2.1/go.mod h1:Cq/cEPK+YXFn622lsQ0K4KsPZSPtaptHHEldsy7Fmig=
-github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
-github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
-github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
-github.com/renier/xmlrpc v0.0.0-20170708154548-ce4a1a486c03 h1:Wdi9nwnhFNAlseAOekn6B5G/+GMtks9UKbvRU/CMM/o=
-github.com/renier/xmlrpc v0.0.0-20170708154548-ce4a1a486c03/go.mod h1:gRAiPF5C5Nd0eyyRdqIu9qTiFSoZzpTq727b5B8fkkU=
-github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
-github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
-github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
-github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
-github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
-github.com/rogpeppe/go-internal v1.6.2/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
-github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o=
-github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
-github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
-github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
-github.com/rs/zerolog v1.4.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=
-github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=
-github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc=
-github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
-github.com/russross/blackfriday v1.6.0/go.mod h1:ti0ldHuxg49ri4ksnFxlkCfN+hvslNlmVHqNRXXJNAY=
-github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/ruudk/golang-pdf417 v0.0.0-20181029194003-1af4ab5afa58/go.mod h1:6lfFZQK844Gfx8o5WFuvpxWRwnSoipWe/p622j1v06w=
-github.com/ruudk/golang-pdf417 v0.0.0-20201230142125-a7e3863a1245/go.mod h1:pQAZKsJ8yyVxGRWYNEm9oFB8ieLgKFnamEyDmSA0BRk=
-github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
-github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
-github.com/ryanuber/columnize v2.1.2+incompatible h1:C89EOx/XBWwIXl8wm8OPJBd7kPF25UfsK2X7Ph/zCAk=
-github.com/ryanuber/columnize v2.1.2+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
-github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
-github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
-github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4=
-github.com/safchain/ethtool v0.0.0-20210803160452-9aa261dae9b1/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4=
-github.com/safchain/ethtool v0.2.0/go.mod h1:WkKB1DnNtvsMlDmQ50sgwowDJV/hGbJSOvJoEXs1AJQ=
-github.com/sasha-s/go-deadlock v0.2.0 h1:lMqc+fUb7RrFS3gQLtoQsJ7/6TV/pAIFvBsqX73DK8Y=
-github.com/sasha-s/go-deadlock v0.2.0/go.mod h1:StQn567HiB1fF2yJ44N9au7wOhrPS3iZqiDbRupzT10=
-github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
-github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
-github.com/sclevine/agouti v3.0.0+incompatible/go.mod h1:b4WX9W9L1sfQKXeJf1mUTLZKJ48R1S7H23Ji7oFO5Bw=
-github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24q7p+U=
-github.com/sean-/conswriter v0.0.0-20180208195008-f5ae3917a627/go.mod h1:7zjs06qF79/FKAJpBvFx3P8Ww4UTIMAe+lpNXDHziac=
-github.com/sean-/pager v0.0.0-20180208200047-666be9bf53b5/go.mod h1:BeybITEsBEg6qbIiqJ6/Bqeq25bCLbL7YFmpaFfJDuM=
-github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 h1:nn5Wsu0esKSJiIVhscUtVbo7ada43DJhG55ua/hjS5I=
-github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
-github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo=
-github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
-github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
-github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
-github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
-github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
-github.com/sethvargo/go-limiter v0.7.1 h1:wWNhTj0pxjyJ7wuJHpRJpYwJn+bUnjYfw2a85eu5w9U=
-github.com/sethvargo/go-limiter v0.7.1/go.mod h1:C0kbSFbiriE5k2FFOe18M1YZbAR2Fiwf72uGu0CXCcU=
-github.com/shirou/gopsutil/v3 v3.22.6 h1:FnHOFOh+cYAM0C30P+zysPISzlknLC5Z1G4EAElznfQ=
-github.com/shirou/gopsutil/v3 v3.22.6/go.mod h1:EdIubSnZhbAvBS1yJ7Xi+AShB/hxwLHOMz4MCYz7yMs=
-github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU=
-github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4=
-github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
-github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8=
-github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
-github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
-github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
-github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
-github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
-github.com/sirupsen/logrus v1.4.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
-github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
-github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
-github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
-github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
-github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
-github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
-github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/skeema/knownhosts v1.1.1 h1:MTk78x9FPgDFVFkDLTrsnnfCJl7g1C/nnKvePgrIngE=
-github.com/skeema/knownhosts v1.1.1/go.mod h1:g4fPeYpque7P0xefxtGzV81ihjC8sX2IqpAoNkjxbMo=
-github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA=
-github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog=
-github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM=
-github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
-github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
-github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s=
-github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
-github.com/snowflakedb/gosnowflake v1.6.24 h1:NiBh1WSstNtr12qywmdFMS1XHaYdF5iWWGnjIQb1cEY=
-github.com/snowflakedb/gosnowflake v1.6.24/go.mod h1:KfO4F7bk+aXPUIvBqYxvPhxLlu2/w4TtSC8Rw/yr5Mg=
-github.com/softlayer/softlayer-go v0.0.0-20180806151055-260589d94c7d h1:bVQRCxQvfjNUeRqaY/uT0tFuvuFY0ulgnczuR684Xic=
-github.com/softlayer/softlayer-go v0.0.0-20180806151055-260589d94c7d/go.mod h1:Cw4GTlQccdRGSEf6KiMju767x0NEHE0YIVPJSaXjlsw=
-github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
-github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
-github.com/sony/gobreaker v0.4.2-0.20210216022020-dd874f9dd33b h1:br+bPNZsJWKicw/5rALEo67QHs5weyD5tf8WST+4sJ0=
-github.com/sony/gobreaker v0.4.2-0.20210216022020-dd874f9dd33b/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY=
-github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
-github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
-github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
-github.com/spf13/afero v1.2.1/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
-github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
-github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=
-github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
-github.com/spf13/afero v1.9.2/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y=
-github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
-github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
-github.com/spf13/cast v1.5.1 h1:R+kOtfhWQE6TVQzY+4D7wJLBgkdVasCEFxSUBYBYIlA=
-github.com/spf13/cast v1.5.1/go.mod h1:b9PdjNptOpzXr7Rq1q9gJML/2cdGQAo69NKzQ10KN48=
-github.com/spf13/cobra v0.0.2-0.20171109065643-2da4a54c5cee/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
-github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
-github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
-github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=
-github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo=
-github.com/spf13/cobra v1.4.0/go.mod h1:Wo4iy3BUC+X2Fybo0PDqwJIv3dNRiZLHQymsfxlB84g=
-github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM=
-github.com/spf13/cobra v1.6.0/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY=
-github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
-github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
-github.com/spf13/pflag v1.0.1-0.20171106142849-4c012f6dcd95/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
-github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
-github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
-github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
-github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
-github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980/go.mod h1:AO3tvPzVZ/ayst6UlUKUv6rcPQInYe3IknH3jYhAKu8=
-github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
-github.com/streadway/amqp v1.0.0 h1:kuuDrUJFZL1QYL9hUNuCxNObNzB0bV/ZG5jV3RWAQgo=
-github.com/streadway/amqp v1.0.0/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
-github.com/stretchr/objx v0.0.0-20180129172003-8a3f7159479f/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
-github.com/stretchr/objx v0.3.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
-github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
-github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
-github.com/stretchr/testify v0.0.0-20180303142811-b89eecf5ca5d/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
-github.com/stretchr/testify v1.7.5/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
-github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
-github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
-github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
-github.com/tchap/go-patricia v2.2.6+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I=
-github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k=
-github.com/tencentcloud/tencentcloud-sdk-go v1.0.162 h1:8fDzz4GuVg4skjY2B0nMN7h6uN61EDVkuLyI2+qGHhI=
-github.com/tencentcloud/tencentcloud-sdk-go v1.0.162/go.mod h1:asUz5BPXxgoPGaRgZaVm1iGcUAuHyYUo1nXqKa83cvI=
-github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
-github.com/tilinna/clock v1.0.2/go.mod h1:ZsP7BcY7sEEz7ktc0IVy8Us6boDrK8VradlKRUGfOao=
-github.com/tilinna/clock v1.1.0 h1:6IQQQCo6KoBxVudv6gwtY8o4eDfhHo8ojA5dP0MfhSs=
-github.com/tilinna/clock v1.1.0/go.mod h1:ZsP7BcY7sEEz7ktc0IVy8Us6boDrK8VradlKRUGfOao=
-github.com/tklauser/go-sysconf v0.3.10 h1:IJ1AZGZRWbY8T5Vfk04D9WOA5WSejdflXxP03OUqALw=
-github.com/tklauser/go-sysconf v0.3.10/go.mod h1:C8XykCvCb+Gn0oNCWPIlcb0RuglQTYaQ2hGm7jmxEFk=
-github.com/tklauser/numcpus v0.4.0 h1:E53Dm1HjH1/R2/aoCtXtPgzmElmn51aOkhCFSuZq//o=
-github.com/tklauser/numcpus v0.4.0/go.mod h1:1+UI3pD8NW14VMwdgJNJ1ESk2UnwhAnz5hMwiKKqXCQ=
-github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
-github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
-github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
-github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
-github.com/tv42/httpunix v0.0.0-20191220191345-2ba4b9c3382c h1:u6SKchux2yDvFQnDHS3lPnIRmfVJ5Sxy3ao2SIdysLQ=
-github.com/tv42/httpunix v0.0.0-20191220191345-2ba4b9c3382c/go.mod h1:hzIxponao9Kjc7aWznkXaL4U4TWaDSs8zcsY4Ka08nM=
-github.com/uber/jaeger-client-go v2.30.0+incompatible h1:D6wyKGCecFaSRUpo8lCVbaOOb6ThwMmTEbhRwtKR97o=
-github.com/uber/jaeger-client-go v2.30.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk=
-github.com/uber/jaeger-lib v2.4.1+incompatible h1:td4jdvLcExb4cBISKIpHuGoVXh+dVKhn2Um6rjCsSsg=
-github.com/uber/jaeger-lib v2.4.1+incompatible/go.mod h1:ComeNDZlWwrWnDv8aPp0Ba6+uUTzImX/AauajbLI56U=
-github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
-github.com/ugorji/go v1.1.7 h1:/68gy2h+1mWMrwZFeD1kQialdSzAb432dtpeJ42ovdo=
-github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw=
-github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
-github.com/ugorji/go/codec v1.1.7 h1:2SvQaVZ1ouYrrKKwoSk2pzd4A9evlKJb9oTL+OaLUSs=
-github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLYF3GoBXY=
-github.com/ulikunitz/xz v0.5.8/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
-github.com/ulikunitz/xz v0.5.9/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
-github.com/ulikunitz/xz v0.5.10 h1:t92gobL9l3HE202wg3rlk19F6X+JOxl9BBrCCMYEYd8=
-github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
-github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
-github.com/urfave/cli v1.19.1/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
-github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
-github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
-github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
-github.com/urfave/cli v1.22.4/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
-github.com/urfave/cli v1.22.12/go.mod h1:sSBEIC79qR6OvcmsD4U3KABeOTxDqQtdDnaFuUN30b8=
-github.com/vbatts/tar-split v0.11.2/go.mod h1:vV3ZuO2yWSVsz+pfFzDG/upWH1JhjOiEaWq6kXyQ3VI=
-github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw=
-github.com/vektah/gqlparser/v2 v2.4.5/go.mod h1:flJWIR04IMQPGz+BXLrORkrARBxv/rtyIAFvd/MceW0=
-github.com/veraison/go-cose v1.0.0-rc.1/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4=
-github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk=
-github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
-github.com/vishvananda/netlink v1.1.1-0.20201029203352-d40f9887b852/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
-github.com/vishvananda/netlink v1.1.1-0.20210330154013-f5de75959ad5/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
-github.com/vishvananda/netlink v1.2.1-beta.2/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
-github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc/go.mod h1:ZjcWmFBXmLKZu9Nxj3WKYEafiSqer2rnvPr0en9UNpI=
-github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
-github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
-github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
-github.com/vmware/govmomi v0.18.0 h1:f7QxSmP7meCtoAmiKZogvVbLInT+CZx6Px6K5rYsJZo=
-github.com/vmware/govmomi v0.18.0/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU=
-github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4=
-github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI=
-github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
-github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
-github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
-github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c=
-github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
-github.com/xdg-go/scram v1.1.2 h1:FHX5I5B4i4hKRVRBCFRxq1iQRej7WO3hhBuJf+UUySY=
-github.com/xdg-go/scram v1.1.2/go.mod h1:RT/sEzTbU5y00aCK8UOx6R7YryM0iF1N2MOmC3kKLN4=
-github.com/xdg-go/stringprep v1.0.4 h1:XLI/Ng3O1Atzq0oBs3TWm+5ZVgkq2aqdlvP9JtoZ6c8=
-github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM=
-github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I=
-github.com/xdg/stringprep v0.0.0-20180714160509-73f8eece6fdc/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y=
-github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
-github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
-github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
-github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
-github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
-github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs=
-github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
-github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
-github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 h1:nIPpBwaJSVYIxUFsDv3M8ofmx9yWTog9BfvIu0q41lo=
-github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos=
-github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
-github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
-github.com/yashtewari/glob-intersection v0.1.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok=
-github.com/yosida95/uritemplate/v3 v3.0.2 h1:Ed3Oyj9yrmi9087+NczuL5BwkIc4wvTb5zIM+UJPGz4=
-github.com/yosida95/uritemplate/v3 v3.0.2/go.mod h1:ILOh0sOhIJR3+L/8afwt/kE++YT040gmv5BQTMR2HP4=
-github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d h1:splanxYIlg+5LfHAM6xpdFEAYOk8iySO56hMFq6uLyA=
-github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA=
-github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-github.com/yuin/gopher-lua v0.0.0-20200816102855-ee81675732da/go.mod h1:E1AXubJBdNmFERAOucpDIxNzeGfLzg0mYh+UfMWdChA=
-github.com/yuin/gopher-lua v0.0.0-20210529063254-f4c35e4016d9 h1:k/gmLsJDWwWqbLCur2yWnJzwQEKRcAHXo6seXGuSwWw=
-github.com/yuin/gopher-lua v0.0.0-20210529063254-f4c35e4016d9/go.mod h1:E1AXubJBdNmFERAOucpDIxNzeGfLzg0mYh+UfMWdChA=
-github.com/yusufpapurcu/wmi v1.2.2 h1:KBNDSne4vP5mbSWnJbO+51IMOXJB67QiYCSBrubbPRg=
-github.com/yusufpapurcu/wmi v1.2.2/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
-github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43/go.mod h1:aX5oPXxHm3bOH+xeAttToC8pqch2ScQN/JoXYupl6xs=
-github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50/go.mod h1:NUSPSUX/bi6SeDMUh6brw0nXpxHnc96TguQh0+r/ssA=
-github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg=
-github.com/zclconf/go-cty v1.12.1 h1:PcupnljUm9EIvbgSHQnHhUr3fO6oFmkOrvs2BAFNXXY=
-github.com/zclconf/go-cty v1.12.1/go.mod h1:s9IfD1LK5ccNMSWCVFCE2rJfHiZgi7JijgeWIMfhLvA=
-github.com/zeebo/assert v1.3.0 h1:g7C04CbJuIDKNPFHmsk4hwZDO5O+kntRxzaUoNXj+IQ=
-github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
-github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0=
-github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
-github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
-go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
-go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
-go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
-go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4=
-go.etcd.io/bbolt v1.3.7 h1:j+zJOnnEjF/kyHlDDgGnVL/AIqIJPq8UoB2GSNfkUfQ=
-go.etcd.io/bbolt v1.3.7/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
-go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489/go.mod h1:yVHk9ub3CSBatqGNg7GRmsnfLWtoW60w4eDYfh7vHDg=
-go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
-go.etcd.io/etcd/api/v3 v3.5.5/go.mod h1:KFtNaxGDw4Yx/BA4iPPwevUTAuqcsPxzyX8PHydchN8=
-go.etcd.io/etcd/api/v3 v3.5.7 h1:sbcmosSVesNrWOJ58ZQFitHMdncusIifYcrBfwrlJSY=
-go.etcd.io/etcd/api/v3 v3.5.7/go.mod h1:9qew1gCdDDLu+VwmeG+iFpL+QlpHTo7iubavdVDgCAA=
-go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
-go.etcd.io/etcd/client/pkg/v3 v3.5.5/go.mod h1:ggrwbk069qxpKPq8/FKkQ3Xq9y39kbFR4LnKszpRXeQ=
-go.etcd.io/etcd/client/pkg/v3 v3.5.7 h1:y3kf5Gbp4e4q7egZdn5T7W9TSHUvkClN6u+Rq9mEOmg=
-go.etcd.io/etcd/client/pkg/v3 v3.5.7/go.mod h1:o0Abi1MK86iad3YrWhgUsbGx1pmTS+hrORWc2CamuhY=
-go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ=
-go.etcd.io/etcd/client/v2 v2.305.5 h1:DktRP60//JJpnPC0VBymAN/7V71GHMdjDCBt4ZPXDjI=
-go.etcd.io/etcd/client/v2 v2.305.5/go.mod h1:zQjKllfqfBVyVStbt4FaosoX2iYd8fV/GRy/PbowgP4=
-go.etcd.io/etcd/client/v3 v3.5.0/go.mod h1:AIKXXVX/DQXtfTEqBryiLTUXwON+GuvO6Z7lLS/oTh0=
-go.etcd.io/etcd/client/v3 v3.5.5/go.mod h1:aApjR4WGlSumpnJ2kloS75h6aHUmAyaPLjHMxpc7E7c=
-go.etcd.io/etcd/client/v3 v3.5.7 h1:u/OhpiuCgYY8awOHlhIhmGIGpxfBU/GZBUP3m/3/Iz4=
-go.etcd.io/etcd/client/v3 v3.5.7/go.mod h1:sOWmj9DZUMyAngS7QQwCyAXXAL6WhgTOPLNS/NabQgw=
-go.etcd.io/etcd/pkg/v3 v3.5.0/go.mod h1:UzJGatBQ1lXChBkQF0AuAtkRQMYnHubxAEYIrC3MSsE=
-go.etcd.io/etcd/pkg/v3 v3.5.5/go.mod h1:6ksYFxttiUGzC2uxyqiyOEvhAiD0tuIqSZkX3TyPdaE=
-go.etcd.io/etcd/raft/v3 v3.5.0/go.mod h1:UFOHSIvO/nKwd4lhkwabrTD3cqW5yVyYYf/KlD00Szc=
-go.etcd.io/etcd/raft/v3 v3.5.5/go.mod h1:76TA48q03g1y1VpTue92jZLr9lIHKUNcYdZOOGyx8rI=
-go.etcd.io/etcd/server/v3 v3.5.0/go.mod h1:3Ah5ruV+M+7RZr0+Y/5mNLwC+eQlni+mQmOVdCRJoS4=
-go.etcd.io/etcd/server/v3 v3.5.5/go.mod h1:rZ95vDw/jrvsbj9XpTqPrTAB9/kzchVdhRirySPkUBc=
-go.etcd.io/gofail v0.1.0/go.mod h1:VZBCXYGZhHAinaBiiqYvuDynvahNsAyLFwB3kEHKz1M=
-go.mongodb.org/atlas v0.33.0 h1:qJhkEuJufh7sVDVHorTF/D7G7naQ1EJAzqf1aV29JWs=
-go.mongodb.org/atlas v0.33.0/go.mod h1:L4BKwVx/OeEhOVjCSdgo90KJm4469iv7ZLzQms/EPTg=
-go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
-go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
-go.mongodb.org/mongo-driver v1.3.0/go.mod h1:MSWZXKOynuguX+JSvwP8i+58jYCXxbia8HS3gZBapIE=
-go.mongodb.org/mongo-driver v1.3.4/go.mod h1:MSWZXKOynuguX+JSvwP8i+58jYCXxbia8HS3gZBapIE=
-go.mongodb.org/mongo-driver v1.4.3/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc=
-go.mongodb.org/mongo-driver v1.4.4/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc=
-go.mongodb.org/mongo-driver v1.4.6/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc=
-go.mongodb.org/mongo-driver v1.12.1 h1:nLkghSU8fQNaK7oUmDhQFsnrtcoNy7Z6LVFKsEecqgE=
-go.mongodb.org/mongo-driver v1.12.1/go.mod h1:/rGBTebI3XYboVmgz+Wv3Bcbl3aD0QF9zl6kDDw18rQ=
-go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=
-go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
-go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
-go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
-go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
-go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
-go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/contrib v0.20.0/go.mod h1:G/EtFaa6qaN7+LxqfIAT3GiZa7Wv5DTBUzl5H4LY0Kc=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0/go.mod h1:oVGt1LRbBOBq1A5BQLlUg9UaU/54aiHw8cgjV3aWZ/E=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.25.0/go.mod h1:E5NNboN0UqSAki0Atn9kVwaN7I+l25gGxDqBueo/74E=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.28.0/go.mod h1:vEhqr0m4eTc+DWxfsXoXue2GBgV2uUwVznkGIHW/e5w=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.35.0/go.mod h1:h8TWwRAhQpOd0aM5nYsRD8+flnkj+526GEIVlarH7eY=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.40.0/go.mod h1:UMklln0+MRhZC4e3PwmN3pCtq4DyIadWw4yikh6bNrw=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0/go.mod h1:2AboqHi0CiIZU0qwhtUfCYD1GeUzvvIXWNkhDt7ZMG4=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.32.0/go.mod h1:5eCOqeGphOyz6TsY3ZDNjE33SM/TFAK3RGuCL2naTgY=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.0/go.mod h1:9NiG9I2aHTKkcxqCILhjtyNA1QEiCjdBACv4IvrFQ+c=
-go.opentelemetry.io/otel v0.20.0/go.mod h1:Y3ugLH2oa81t5QO+Lty+zXf8zC9L26ax4Nzoxm/dooo=
-go.opentelemetry.io/otel v1.0.1/go.mod h1:OPEOD4jIT2SlZPMmwT6FqZz2C0ZNdQqiWcoK6M0SNFU=
-go.opentelemetry.io/otel v1.3.0/go.mod h1:PWIKzi6JCp7sM0k9yZ43VX+T345uNbAkDKwHVjb2PTs=
-go.opentelemetry.io/otel v1.7.0/go.mod h1:5BdUoMIz5WEs0vt0CUEMtSSaTSHBBVwrhnz7+nrD5xk=
-go.opentelemetry.io/otel v1.8.0/go.mod h1:2pkj+iMj0o03Y+cW6/m8Y4WkRdYN3AvCXCnzRMp9yvM=
-go.opentelemetry.io/otel v1.10.0/go.mod h1:NbvWjCthWHKBEUMpf0/v8ZRZlni86PpGFEMA9pnQSnQ=
-go.opentelemetry.io/otel v1.14.0/go.mod h1:o4buv+dJzx8rohcUeRmWUZhqupFvzWis188WlggnNeU=
-go.opentelemetry.io/otel v1.16.0 h1:Z7GVAX/UkAXPKsy94IU+i6thsQS4nb7LviLpnaNeW8s=
-go.opentelemetry.io/otel v1.16.0/go.mod h1:vl0h9NUa1D5s1nv3A5vZOYWn8av4K8Ml6JDeHrT/bx4=
-go.opentelemetry.io/otel/exporters/otlp v0.20.0/go.mod h1:YIieizyaN77rtLJra0buKiNBOm9XQfkPEKBeuhoMwAM=
-go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.3.0/go.mod h1:VpP4/RMn8bv8gNo9uK7/IMY4mtWLELsS+JIP0inH0h4=
-go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.7.0/go.mod h1:M1hVZHNxcbkAlcvrOMlpQ4YOO3Awf+4N2dxkZL3xm04=
-go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.10.0/go.mod h1:78XhIg8Ht9vR4tbLNUhXsiOnE2HOuSeKAiAcoVQEpOY=
-go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.14.0/go.mod h1:UFG7EBMRdXyFstOwH028U0sVf+AvukSGhF0g8+dmNG8=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.0.1/go.mod h1:Kv8liBeVNFkkkbilbgWRpV+wWuu+H5xdOT6HAgd30iw=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.3.0/go.mod h1:hO1KLR7jcKaDDKDkvI9dP/FIhpmna5lkqPUQdEjFAM8=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.7.0/go.mod h1:ceUgdyfNv4h4gLxHR0WNfDiiVmZFodZhZSbOLhpxqXE=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.10.0/go.mod h1:Krqnjl22jUJ0HgMzw5eveuCvFDXY4nSYb4F8t5gdrag=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.14.0/go.mod h1:HrbCVv40OOLTABmOn1ZWty6CHXkU8DK/Urc43tHug70=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.0.1/go.mod h1:xOvWoTOrQjxjW61xtOmD/WKGRYb/P4NzRo3bs65U6Rk=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.3.0/go.mod h1:keUU7UfnwWTWpJ+FWnyqmogPa82nuU5VUANFq49hlMY=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.7.0/go.mod h1:E+/KKhwOSw8yoPxSSuUHG6vKppkvhN+S1Jc7Nib3k3o=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.10.0/go.mod h1:OfUCyyIiDvNXHWpcWgbF+MWvqPZiNa3YDEnivcnYsV0=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.14.0/go.mod h1:5w41DY6S9gZrbjuq6Y+753e96WfPha5IcsOSZTtullM=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.3.0/go.mod h1:QNX1aly8ehqqX1LEa6YniTU7VY9I6R3X/oPxhGdTceE=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.14.0/go.mod h1:+N7zNjIJv4K+DeX67XXET0P+eIciESgaFDBqh+ZJFS4=
-go.opentelemetry.io/otel/metric v0.20.0/go.mod h1:598I5tYlH1vzBjn+BTuhzTCSb/9debfNp6R3s7Pr1eU=
-go.opentelemetry.io/otel/metric v0.30.0/go.mod h1:/ShZ7+TS4dHzDFmfi1kSXMhMVubNoP0oIaBp70J6UXU=
-go.opentelemetry.io/otel/metric v0.31.0/go.mod h1:ohmwj9KTSIeBnDBm/ZwH2PSZxZzoOaG2xZeekTRzL5A=
-go.opentelemetry.io/otel/metric v0.37.0/go.mod h1:DmdaHfGt54iV6UKxsV9slj2bBRJcKC1B1uvDLIioc1s=
-go.opentelemetry.io/otel/metric v1.16.0 h1:RbrpwVG1Hfv85LgnZ7+txXioPDoh6EdbZHo26Q3hqOo=
-go.opentelemetry.io/otel/metric v1.16.0/go.mod h1:QE47cpOmkwipPiefDwo2wDzwJrlfxxNYodqc4xnGCo4=
-go.opentelemetry.io/otel/oteltest v0.20.0/go.mod h1:L7bgKf9ZB7qCwT9Up7i9/pn0PWIa9FqQ2IQ8LoxiGnw=
-go.opentelemetry.io/otel/sdk v0.20.0/go.mod h1:g/IcepuwNsoiX5Byy2nNV0ySUF1em498m7hBWC279Yc=
-go.opentelemetry.io/otel/sdk v1.0.1/go.mod h1:HrdXne+BiwsOHYYkBE5ysIcv2bvdZstxzmCQhxTcZkI=
-go.opentelemetry.io/otel/sdk v1.3.0/go.mod h1:rIo4suHNhQwBIPg9axF8V9CA72Wz2mKF1teNrup8yzs=
-go.opentelemetry.io/otel/sdk v1.7.0/go.mod h1:uTEOTwaqIVuTGiJN7ii13Ibp75wJmYUDe374q6cZwUU=
-go.opentelemetry.io/otel/sdk v1.10.0/go.mod h1:vO06iKzD5baltJz1zarxMCNHFpUlUiOy4s65ECtn6kE=
-go.opentelemetry.io/otel/sdk v1.14.0 h1:PDCppFRDq8A1jL9v6KMI6dYesaq+DFcDZvjsoGvxGzY=
-go.opentelemetry.io/otel/sdk v1.14.0/go.mod h1:bwIC5TjrNG6QDCHNWvW4HLHtUQ4I+VQDsnjhvyZCALM=
-go.opentelemetry.io/otel/sdk/export/metric v0.20.0/go.mod h1:h7RBNMsDJ5pmI1zExLi+bJK+Dr8NQCh0qGhm1KDnNlE=
-go.opentelemetry.io/otel/sdk/metric v0.20.0/go.mod h1:knxiS8Xd4E/N+ZqKmUPf3gTTZ4/0TjTXukfxjzSTpHE=
-go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16gUEi0Nf1iBdgw=
-go.opentelemetry.io/otel/trace v1.0.1/go.mod h1:5g4i4fKLaX2BQpSBsxw8YYcgKpMMSW3x7ZTuYBr3sUk=
-go.opentelemetry.io/otel/trace v1.3.0/go.mod h1:c/VDhno8888bvQYmbYLqe41/Ldmr/KKunbvWM4/fEjk=
-go.opentelemetry.io/otel/trace v1.7.0/go.mod h1:fzLSB9nqR2eXzxPXb2JW9IKE+ScyXA48yyE4TNvoHqU=
-go.opentelemetry.io/otel/trace v1.8.0/go.mod h1:0Bt3PXY8w+3pheS3hQUt+wow8b1ojPaTBoTCh2zIFI4=
-go.opentelemetry.io/otel/trace v1.10.0/go.mod h1:Sij3YYczqAdz+EhmGhE6TpTxUO5/F/AzrK+kxfGqySM=
-go.opentelemetry.io/otel/trace v1.14.0/go.mod h1:8avnQLK+CG77yNLUae4ea2JDQ6iT+gozhnZjy/rw9G8=
-go.opentelemetry.io/otel/trace v1.16.0 h1:8JRpaObFoW0pxuVPapkgH8UhHQj+bJW8jJsCZEu5MQs=
-go.opentelemetry.io/otel/trace v1.16.0/go.mod h1:Yt9vYq1SdNz3xdjZZK7wcXv1qv2pwLkqr2QVwea0ef0=
-go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
-go.opentelemetry.io/proto/otlp v0.9.0/go.mod h1:1vKfU9rv61e9EVGthD1zNvUbiwPcimSsOPU9brfSHJg=
-go.opentelemetry.io/proto/otlp v0.11.0/go.mod h1:QpEjXPrNQzrFDZgoTo49dgHR9RYRSrg3NAKnUGl9YpQ=
-go.opentelemetry.io/proto/otlp v0.15.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U=
-go.opentelemetry.io/proto/otlp v0.16.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U=
-go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U=
-go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
-go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
-go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
-go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
-go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
-go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
-go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
-go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
-go.uber.org/automaxprocs v1.5.1/go.mod h1:BF4eumQw0P9GtnuxxovUd06vwm1o18oMzFtK66vU6XU=
-go.uber.org/goleak v1.0.0/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
-go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
-go.uber.org/goleak v1.1.11-0.20210813005559-691160354723/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
-go.uber.org/goleak v1.1.12/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
-go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
-go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=
-go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
-go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
-go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU=
-go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
-go.uber.org/multierr v1.7.0 h1:zaiO/rmgFjbmCXdSYJWQcdvOCsthmdaHfr3Gm2Kx4Ec=
-go.uber.org/multierr v1.7.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak=
-go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA=
-go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
-go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
-go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM=
-go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
-go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
-go.uber.org/zap v1.19.1 h1:ue41HOKd1vGURxrmeKIgELGb3jPW9DMUDGtsinblHwI=
-go.uber.org/zap v1.19.1/go.mod h1:j3DNczoxDZroyBnOT1L/Q79cfUMGZxlv/9dzN7SM1rI=
-golang.org/x/crypto v0.0.0-20171113213409-9f005a07e0d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20181009213950-7c1a557ab941/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190320223903-b7391e95e576/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190411191339-88737f569e3a/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
-golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
-golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190530122614-20be4c3c3ed5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
-golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
-golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220313003712-b769efc7c000/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
-golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
-golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0=
-golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I=
-golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
-golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
-golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
-golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
-golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
-golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
-golang.org/x/exp v0.0.0-20191002040644-a1355ae1e2c3/go.mod h1:NOZ3BPKG0ec/BKJQgnvsSFpcKLM5xXVWnvZS97DWHgE=
-golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
-golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
-golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20220827204233-334a2380cb91/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE=
-golang.org/x/exp v0.0.0-20230206171751-46f607a40771/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
-golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 h1:k/i9J1pBpvlfR+9QsetwPyERsqu1GIbi967PQMq3Ivc=
-golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
-golang.org/x/exp/typeparams v0.0.0-20221208152030-732eee02a75a h1:Jw5wfR+h9mnIYH+OtGT2im5wV1YGGDora5vTv/aa5bE=
-golang.org/x/exp/typeparams v0.0.0-20221208152030-732eee02a75a/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
-golang.org/x/image v0.0.0-20180708004352-c73c2afc3b81/go.mod h1:ux5Hcp/YLpHSI86hEcLt0YII63i6oz57MZXIpbrjZUs=
-golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
-golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.0.0-20190910094157-69e4b8554b2a/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.0.0-20200119044424-58c23975cae1/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.0.0-20200430140353-33d19683fad8/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.0.0-20200618115811-c13761719519/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.0.0-20201208152932-35266b937fa6/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.0.0-20210216034530-4410531fe030/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.0.0-20210607152325-775e3b0c77b9/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM=
-golang.org/x/image v0.0.0-20210628002857-a66eb6448b8d/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM=
-golang.org/x/image v0.0.0-20211028202545-6944b10bf410/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM=
-golang.org/x/image v0.0.0-20220302094943-723b81ca9867/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM=
-golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
-golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
-golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
-golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
-golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
-golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
-golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
-golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
-golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI=
-golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
-golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181005035420-146acd28ed58/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181011144130-49bb7cea24b1/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190320064053-1272bf9dcd53/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
-golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
-golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190619014844-b5b0513f8c1b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20191112182307-2180aed22343/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200602114024-627f9648deb9/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20201006153459-a7d1128ccaa0/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
-golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8=
-golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
-golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210610132358-84b48f89b13b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210825183410-e898025ed96a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211216030914-fe4d6282115f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.0.0-20220617184016-355a448f1bc9/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-golang.org/x/net v0.0.0-20221012135044-0b7e1fb9d458/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
-golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
-golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
-golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
-golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
-golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ=
-golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
-golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
-golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
-golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
-golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
-golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.0.0-20190130055435-99b60b757ec1/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE=
-golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE=
-golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
-golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
-golang.org/x/oauth2 v0.0.0-20221006150949-b44042a4b9c1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
-golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
-golang.org/x/oauth2 v0.1.0/go.mod h1:G9FE4dLTsbXUu90h/Pf85g4w1D+SSAgR+q46nJZ8M4A=
-golang.org/x/oauth2 v0.3.0/go.mod h1:rQrIauxkUhJ6CuwEXwymO2/eh4xz2ZWF1nBkcxS+tGk=
-golang.org/x/oauth2 v0.4.0/go.mod h1:RznEsdpjGAINPTOF0UH/t+xJ75L18YO3Ho6Pyn+uRec=
-golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I=
-golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw=
-golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4=
-golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE=
-golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI=
-golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU=
-golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190412183630-56d357773e84/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220819030929-7fc1605a5dde/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
-golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
-golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190204203706-41f3e6584952/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190321052220-f7bb7a8bee54/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190419153524-e8e3143a4f4a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190514135907-3a4b5fb9f71f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190515120540-06a5c4944438/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190522044717-8097e1b27ff5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190523142557-0e01d883c5c5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190531175056-4c3a928424d2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190602015325-4c4f7f33c9ed/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190812073006-9eafafc0a87e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191112214154-59a1497f0cea/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191210023423-ac6580df4449/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200120151820-655fe14d7479/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200817155316-9781c653f443/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200916030750-2334cc1a136f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200922070232-aee5d888a860/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201117170446-d9b008d0a637/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201202213521-69691e467435/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210304124612-50617c2ba197/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210816183151-1e6c022a8912/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210819135213-f52c844e1c1c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210903071746-97244b99971b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211031064116-611d5d643895/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211213223007-03aa0b5f6827/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220405210540-1e041c57c461/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220825204002-c680a09ffe64/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220829200755-d48e67d00261/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
-golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
-golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
-golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
-golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
-golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo=
-golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
-golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
-golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
-golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
-golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
-golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
-golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20220922220347-f3bd1da661af/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.1.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
-golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190125232054-d66bd3c5d5a6/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
-golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190329151228-23e29df326fe/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190416151739-9c9e1878f421/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190420181800-aa740d480789/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190424220101-1e8e1cfdf96b/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190425163242-31fd60d6bfdc/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190531172133-b3315ee88b7d/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190617190820-da514acc4774/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190706070813-72ffa07ba3db/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI=
-golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20190823170909-c4a336ef6a2f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20190907020128-2ca718005c18/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20190927191325-030b2cf1153e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200103221440-774c71fcf114/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
-golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
-golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
-golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200616133436-c1934b75d054/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE=
-golang.org/x/tools v0.0.0-20200916195026-c9a70fc28ce3/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
-golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20201124115921-2c860bdd6e78/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20210101214203-2dba1e4ea05c/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
-golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.8/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
-golang.org/x/tools v0.1.9/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
-golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E=
-golang.org/x/tools v0.1.11/go.mod h1:SgwaegtQh8clINPpECJMqnxLv9I09HLqnW3RMqW0CA4=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA=
-golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k=
-golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ=
-golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
-golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4=
-golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc=
-golang.org/x/tools v0.10.0 h1:tvDr/iQoUqNdohiYm0LmmKcBk+q86lb9EprIUFhHHGg=
-golang.org/x/tools v0.10.0/go.mod h1:UJwyiVBsOA2uwvK/e5OY3GTpDUJriEd+/YlqAwLPmyM=
-golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
-golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
-golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk=
-golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
-gonum.org/v1/gonum v0.0.0-20180816165407-929014505bf4/go.mod h1:Y+Yx5eoAFn32cQvJDxZx5Dpnq+c3wtXuadVZAcxbbBo=
-gonum.org/v1/gonum v0.8.2/go.mod h1:oe/vMfY3deqTw+1EZJhuvEW2iwGF1bW9wwu7XCu0+v0=
-gonum.org/v1/gonum v0.9.3/go.mod h1:TZumC3NeyVQskjXqmyWt4S3bINhy7B4eYwW69EbyX+0=
-gonum.org/v1/gonum v0.11.0 h1:f1IJhK4Km5tBJmaiJXtk/PkL4cdVX6J+tGiM187uT5E=
-gonum.org/v1/gonum v0.11.0/go.mod h1:fSG4YDCxxUZQJ7rKsQrj0gMOg00Il0Z96/qMA4bVQhA=
-gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw=
-gonum.org/v1/plot v0.0.0-20190515093506-e2840ee46a6b/go.mod h1:Wt8AAjI+ypCyYX3nZBvf6cAIx93T+c/OS2HFAYskSZc=
-gonum.org/v1/plot v0.9.0/go.mod h1:3Pcqqmp6RHvJI72kgb8fThyUnav364FOsdDo2aGW5lY=
-gonum.org/v1/plot v0.10.1/go.mod h1:VZW5OlhkL1mysU9vaqNHnsy86inf6Ot+jB3r+BczCEo=
-google.golang.org/api v0.0.0-20160322025152-9bf6e6e569ff/go.mod h1:4mhQ8q/RsB7i+udVvVy5NUi08OU8ZlA0gRVgrF7VFY0=
-google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
-google.golang.org/api v0.5.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
-google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
-google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
-google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
-google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
-google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
-google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM=
-google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc=
-google.golang.org/api v0.32.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg=
-google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg=
-google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE=
-google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8=
-google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU=
-google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94=
-google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo=
-google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4=
-google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw=
-google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU=
-google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k=
-google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE=
-google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE=
-google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI=
-google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I=
-google.golang.org/api v0.63.0/go.mod h1:gs4ij2ffTRXwuzzgJl/56BdwJaA194ijkfn++9tDuPo=
-google.golang.org/api v0.67.0/go.mod h1:ShHKP8E60yPsKNw/w8w+VYaj9H6buA5UqDp8dhbQZ6g=
-google.golang.org/api v0.70.0/go.mod h1:Bs4ZM2HGifEvXwd50TtW70ovgJffJYw2oRCOFU/SkfA=
-google.golang.org/api v0.71.0/go.mod h1:4PyU6e6JogV1f9eA4voyrTY2batOLdgZ5qZ5HOCc4j8=
-google.golang.org/api v0.74.0/go.mod h1:ZpfMZOVRMywNyvJFeqL9HRWBgAuRfSjJFpe9QtRRyDs=
-google.golang.org/api v0.75.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA=
-google.golang.org/api v0.77.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA=
-google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw=
-google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg=
-google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o=
-google.golang.org/api v0.85.0/go.mod h1:AqZf8Ep9uZ2pyTvgL+x0D3Zt0eoT9b5E8fmzfu6FO2g=
-google.golang.org/api v0.90.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw=
-google.golang.org/api v0.93.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw=
-google.golang.org/api v0.95.0/go.mod h1:eADj+UBuxkh5zlrSntJghuNeg8HwQ1w5lTKkuqaETEI=
-google.golang.org/api v0.96.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s=
-google.golang.org/api v0.97.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s=
-google.golang.org/api v0.98.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s=
-google.golang.org/api v0.99.0/go.mod h1:1YOf74vkVndF7pG6hIHuINsM7eWwpVTAfNMNiL91A08=
-google.golang.org/api v0.100.0/go.mod h1:ZE3Z2+ZOr87Rx7dqFsdRQkRBk36kDtp/h+QpHbB7a70=
-google.golang.org/api v0.102.0/go.mod h1:3VFl6/fzoA+qNuS1N1/VfXY4LjoXN/wzeIp7TweWwGo=
-google.golang.org/api v0.103.0/go.mod h1:hGtW6nK1AC+d9si/UBhw8Xli+QMOf6xyNAyJw4qU9w0=
-google.golang.org/api v0.106.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/O9MY=
-google.golang.org/api v0.107.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/O9MY=
-google.golang.org/api v0.108.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/O9MY=
-google.golang.org/api v0.110.0/go.mod h1:7FC4Vvx1Mooxh8C5HWjzZHcavuS2f6pmJpZx60ca7iI=
-google.golang.org/api v0.111.0/go.mod h1:qtFHvU9mhgTJegR31csQ+rwxyUTHOKFqCKWp1J0fdw0=
-google.golang.org/api v0.114.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg=
-google.golang.org/api v0.118.0/go.mod h1:76TtD3vkgmZ66zZzp72bUUklpmQmKlhh6sYtIjYK+5E=
-google.golang.org/api v0.122.0/go.mod h1:gcitW0lvnyWjSp9nKxAbdHKIZ6vF4aajGueeslZOyms=
-google.golang.org/api v0.124.0/go.mod h1:xu2HQurE5gi/3t1aFCvhPD781p0a3p11sdunTJ2BlP4=
-google.golang.org/api v0.125.0/go.mod h1:mBwVAtz+87bEN6CbA1GtZPDOqY2R5ONPqJeIlvyo4Aw=
-google.golang.org/api v0.126.0/go.mod h1:mBwVAtz+87bEN6CbA1GtZPDOqY2R5ONPqJeIlvyo4Aw=
-google.golang.org/api v0.128.0/go.mod h1:Y611qgqaE92On/7g65MQgxYul3c0rEB894kniWLY750=
-google.golang.org/api v0.134.0/go.mod h1:sjRL3UnjTx5UqNQS9EWr9N8p7xbHpy1k0XGRLCf3Spk=
-google.golang.org/api v0.139.0 h1:A1TrCPgMmOiYu0AiNkvQIpIx+D8blHTDcJ5EogkP7LI=
-google.golang.org/api v0.139.0/go.mod h1:CVagp6Eekz9CjGZ718Z+sloknzkDJE7Vc1Ckj9+viBk=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
-google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
-google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/cloud v0.0.0-20151119220103-975617b05ea8/go.mod h1:0H1ncTHf11KCFhTc/+EFRbzSCOZx+VUbRMk55Yv5MYk=
-google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190508193815-b515fa19cec8/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190522204451-c2c4e71fbf69/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s=
-google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
-google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200117163144-32f20d992d24/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA=
-google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200423170343-7949de9c1215/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=
-google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20200527145253-8367513e4ece/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
-google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
-google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210329143202-679c6ae281ee/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
-google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
-google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A=
-google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
-google.golang.org/genproto v0.0.0-20210604141403-392c879c8b08/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
-google.golang.org/genproto v0.0.0-20210608205507-b6d2f5bf0d7d/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
-google.golang.org/genproto v0.0.0-20210624195500-8bfb893ecb84/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24=
-google.golang.org/genproto v0.0.0-20210713002101-d411969a0d9a/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k=
-google.golang.org/genproto v0.0.0-20210716133855-ce7ef5c701ea/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k=
-google.golang.org/genproto v0.0.0-20210728212813-7823e685a01f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48=
-google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48=
-google.golang.org/genproto v0.0.0-20210813162853-db860fec028c/go.mod h1:cFeNkxwySK631ADgubI+/XFU/xp8FD5KIVV4rj8UC5w=
-google.golang.org/genproto v0.0.0-20210821163610-241b8fcbd6c8/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210828152312-66f60bf46e71/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210909211513-a8c4777a87af/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211221195035-429b39de9b1c/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220126215142-9970aeb2e350/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220207164111-0872dc986b00/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220218161850-94dd64e39d7c/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
-google.golang.org/genproto v0.0.0-20220222213610-43724f9ea8cf/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
-google.golang.org/genproto v0.0.0-20220304144024-325a89244dc8/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
-google.golang.org/genproto v0.0.0-20220310185008-1973136f34c6/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
-google.golang.org/genproto v0.0.0-20220324131243-acbaeb5b85eb/go.mod h1:hAL49I2IFola2sVEjAn7MEwsja0xp51I0tlGAf9hz4E=
-google.golang.org/genproto v0.0.0-20220329172620-7be39ac1afc7/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220407144326-9054f6ed7bac/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220413183235-5e96e2839df9/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220414192740-2d67ff6cf2b4/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220421151946-72621c1f0bd3/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220429170224-98d788798c3e/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
-google.golang.org/genproto v0.0.0-20220505152158-f39f71e6c8f3/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
-google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
-google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
-google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
-google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
-google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
-google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
-google.golang.org/genproto v0.0.0-20220628213854-d9e0b6570c03/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
-google.golang.org/genproto v0.0.0-20220722212130-b98a9ff5e252/go.mod h1:GkXuJDJ6aQ7lnJcRF+SJVgFdQhypqgl3LB1C9vabdRE=
-google.golang.org/genproto v0.0.0-20220801145646-83ce21fca29f/go.mod h1:iHe1svFLAZg9VWz891+QbRMwUv9O/1Ww+/mngYeThbc=
-google.golang.org/genproto v0.0.0-20220815135757-37a418bb8959/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk=
-google.golang.org/genproto v0.0.0-20220817144833-d7fd3f11b9b1/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk=
-google.golang.org/genproto v0.0.0-20220822174746-9e6da59bd2fc/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk=
-google.golang.org/genproto v0.0.0-20220829144015-23454907ede3/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk=
-google.golang.org/genproto v0.0.0-20220829175752-36a9c930ecbf/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk=
-google.golang.org/genproto v0.0.0-20220913154956-18f8339a66a5/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo=
-google.golang.org/genproto v0.0.0-20220914142337-ca0e39ece12f/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo=
-google.golang.org/genproto v0.0.0-20220915135415-7fd63a7952de/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo=
-google.golang.org/genproto v0.0.0-20220916172020-2692e8806bfa/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo=
-google.golang.org/genproto v0.0.0-20220919141832-68c03719ef51/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo=
-google.golang.org/genproto v0.0.0-20220920201722-2b89144ce006/go.mod h1:ht8XFiar2npT/g4vkk7O0WYS1sHOHbdujxbEp7CJWbw=
-google.golang.org/genproto v0.0.0-20220926165614-551eb538f295/go.mod h1:woMGP53BroOrRY3xTxlbr8Y3eB/nzAvvFM83q7kG2OI=
-google.golang.org/genproto v0.0.0-20220926220553-6981cbe3cfce/go.mod h1:woMGP53BroOrRY3xTxlbr8Y3eB/nzAvvFM83q7kG2OI=
-google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e/go.mod h1:3526vdqwhZAwq4wsRUaVG555sVgsNmIjRtO7t/JH29U=
-google.golang.org/genproto v0.0.0-20221014173430-6e2ab493f96b/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM=
-google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM=
-google.golang.org/genproto v0.0.0-20221024153911-1573dae28c9c/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s=
-google.golang.org/genproto v0.0.0-20221024183307-1bc688fe9f3e/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s=
-google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c/go.mod h1:CGI5F/G+E5bKwmfYo09AXuVN4dD894kIKUFmVbP2/Fo=
-google.golang.org/genproto v0.0.0-20221109142239-94d6d90a7d66/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
-google.golang.org/genproto v0.0.0-20221114212237-e4508ebdbee1/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
-google.golang.org/genproto v0.0.0-20221117204609-8f9c96812029/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
-google.golang.org/genproto v0.0.0-20221118155620-16455021b5e6/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
-google.golang.org/genproto v0.0.0-20221201164419-0e50fba7f41c/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
-google.golang.org/genproto v0.0.0-20221201204527-e3fa12d562f3/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
-google.golang.org/genproto v0.0.0-20221202195650-67e5cbc046fd/go.mod h1:cTsE614GARnxrLsqKREzmNYJACSWWpAWdNMwnD7c2BE=
-google.golang.org/genproto v0.0.0-20221227171554-f9683d7f8bef/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230112194545-e10362b5ecf9/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230113154510-dbe35b8444a5/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230123190316-2c411cf9d197/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230124163310-31e0e69b6fc2/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230125152338-dcaf20b6aeaa/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230127162408-596548ed4efa/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230209215440-0dfe4f8abfcc/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230216225411-c8e22ba71e44/go.mod h1:8B0gmkoRebU8ukX6HP+4wrVQUY1+6PkQ44BSyIlflHA=
-google.golang.org/genproto v0.0.0-20230222225845-10f96fb3dbec/go.mod h1:3Dl5ZL0q0isWJt+FVcfpQyirqemEuLAK/iFvg1UP1Hw=
-google.golang.org/genproto v0.0.0-20230223222841-637eb2293923/go.mod h1:3Dl5ZL0q0isWJt+FVcfpQyirqemEuLAK/iFvg1UP1Hw=
-google.golang.org/genproto v0.0.0-20230303212802-e74f57abe488/go.mod h1:TvhZT5f700eVlTNwND1xoEZQeWTB2RY/65kplwl/bFA=
-google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4/go.mod h1:NWraEVixdDnqcqQ30jipen1STv2r/n24Wb7twVTGR4s=
-google.golang.org/genproto v0.0.0-20230320184635-7606e756e683/go.mod h1:NWraEVixdDnqcqQ30jipen1STv2r/n24Wb7twVTGR4s=
-google.golang.org/genproto v0.0.0-20230323212658-478b75c54725/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak=
-google.golang.org/genproto v0.0.0-20230330154414-c0448cd141ea/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak=
-google.golang.org/genproto v0.0.0-20230331144136-dcfb400f0633/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak=
-google.golang.org/genproto v0.0.0-20230403163135-c38d8f061ccd/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak=
-google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU=
-google.golang.org/genproto v0.0.0-20230525234025-438c736192d0/go.mod h1:9ExIQyXL5hZrHzQceCwuSYwZZ5QZBazOcprJ5rgs3lY=
-google.golang.org/genproto v0.0.0-20230526161137-0005af68ea54/go.mod h1:zqTuNwFlFRsw5zIts5VnzLQxSRqh+CGOTVMlYbY0Eyk=
-google.golang.org/genproto v0.0.0-20230526203410-71b5a4ffd15e/go.mod h1:zqTuNwFlFRsw5zIts5VnzLQxSRqh+CGOTVMlYbY0Eyk=
-google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:xZnkP7mREFX5MORlOPEzLMr+90PPZQ2QWzrVTWfAq64=
-google.golang.org/genproto v0.0.0-20230629202037-9506855d4529/go.mod h1:xZnkP7mREFX5MORlOPEzLMr+90PPZQ2QWzrVTWfAq64=
-google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:O9kGHb51iE/nOGvQaDUuadVYqovW56s5emA88lQnj6Y=
-google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98/go.mod h1:S7mY02OqCJTD0E1OiQy1F72PWFB4bZJ87cAtLPYgDR0=
-google.golang.org/genproto v0.0.0-20230726155614-23370e0ffb3e/go.mod h1:0ggbjUrZYpy1q+ANUS30SEoGZ53cdfwtbuG7Ptgy108=
-google.golang.org/genproto v0.0.0-20230803162519-f966b187b2e5/go.mod h1:oH/ZOT02u4kWEp7oYBGYFFkCdKS/uYR9Z7+0/xuuFp8=
-google.golang.org/genproto v0.0.0-20230821184602-ccc8af3d0e93/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4=
-google.golang.org/genproto v0.0.0-20230913181813-007df8e322eb/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4=
-google.golang.org/genproto v0.0.0-20230920204549-e6e6cdab5c13/go.mod h1:CCviP9RmpZ1mxVr8MUjCnSiY09IbAXZxhLE6EhHIdPU=
-google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97/go.mod h1:t1VqOqqvce95G3hIDCT5FeO3YUc6Q4Oe24L/+rNMxRk=
-google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b h1:+YaDE2r2OG8t/z5qmsh7Y+XXwCbvadxxZ0YY6mTdrVA=
-google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:CgAqfJo+Xmu0GwA0411Ht3OU3OntXwsGmrmjI8ioGXI=
-google.golang.org/genproto/googleapis/api v0.0.0-20230525234020-1aefcd67740a/go.mod h1:ts19tUU+Z0ZShN1y3aPyq2+O3d5FUNNgT6FtOzmrNn8=
-google.golang.org/genproto/googleapis/api v0.0.0-20230525234035-dd9d682886f9/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig=
-google.golang.org/genproto/googleapis/api v0.0.0-20230526203410-71b5a4ffd15e/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig=
-google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig=
-google.golang.org/genproto/googleapis/api v0.0.0-20230629202037-9506855d4529/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig=
-google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:mPBs5jNgx2GuQGvFwUvVKqtn6HsUw9nP64BedgvqEsQ=
-google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98/go.mod h1:rsr7RhLuwsDKL7RmgDDCUc6yaGr1iqceVb5Wv6f6YvQ=
-google.golang.org/genproto/googleapis/api v0.0.0-20230726155614-23370e0ffb3e/go.mod h1:rsr7RhLuwsDKL7RmgDDCUc6yaGr1iqceVb5Wv6f6YvQ=
-google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5/go.mod h1:5DZzOUPCLYL3mNkQ0ms0F3EuUNZ7py1Bqeq6sxzI7/Q=
-google.golang.org/genproto/googleapis/api v0.0.0-20230913181813-007df8e322eb/go.mod h1:KjSP20unUpOx5kyQUFa7k4OJg0qeJ7DEZflGDu2p6Bk=
-google.golang.org/genproto/googleapis/api v0.0.0-20230920204549-e6e6cdab5c13/go.mod h1:RdyHbowztCGQySiCvQPgWQWgWhGnouTdCflKoDBt32U=
-google.golang.org/genproto/googleapis/api v0.0.0-20231012201019-e917dd12ba7a h1:myvhA4is3vrit1a6NZCWBIwN0kNEnX21DJOJX/NvIfI=
-google.golang.org/genproto/googleapis/api v0.0.0-20231012201019-e917dd12ba7a/go.mod h1:SUBoKXbI1Efip18FClrQVGjWcyd0QZd8KkvdP34t7ww=
-google.golang.org/genproto/googleapis/bytestream v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:ylj+BE99M198VPbBh6A8d9n3w8fChvyLK3wwBOjXBFA=
-google.golang.org/genproto/googleapis/bytestream v0.0.0-20230720185612-659f7aaaa771/go.mod h1:3QoBVwTHkXbY1oRGzlhwhOykfcATQN43LJ6iT8Wy8kE=
-google.golang.org/genproto/googleapis/bytestream v0.0.0-20230807174057-1744710a1577/go.mod h1:NjCQG/D8JandXxM57PZbAJL1DCNL6EypA0vPPwfsc7c=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234015-3fc162c6f38a/go.mod h1:xURIpW9ES5+/GZhnV6beoEtxQrnkRGIfP5VQG2tCBLc=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230526203410-71b5a4ffd15e/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230629202037-9506855d4529/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:8mL13HKkDa+IuJ8yruA3ci0q+0vsUz4m//+ottjwS5o=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98/go.mod h1:TUfxEVdsvPg18p6AslUXFoLdpED4oBnGwyqk3dV1XzM=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230720185612-659f7aaaa771/go.mod h1:TUfxEVdsvPg18p6AslUXFoLdpED4oBnGwyqk3dV1XzM=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230731190214-cbb8c96f2d6d/go.mod h1:TUfxEVdsvPg18p6AslUXFoLdpED4oBnGwyqk3dV1XzM=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230803162519-f966b187b2e5/go.mod h1:zBEcrKX2ZOcEkHWxBPAIvYUWOKKMIhYcmNiUIu2ji3I=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230920183334-c177e329c48b/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230920204549-e6e6cdab5c13/go.mod h1:KSqppvjFjtoCI+KGd4PELB0qLNxdJHRGqRI09mB6pQA=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97/go.mod h1:v7nGkzlmW8P3n/bKmWBn2WpBjpOEx8Q6gMueudAmKfY=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20231012201019-e917dd12ba7a/go.mod h1:4cYg8o5yUbm77w8ZX00LhMVNl/YVBFJRYWDc0uYWMs0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20231030173426-d783a09b4405 h1:AB/lmRny7e2pLhFEYIbl5qkDAUt2h0ZRO4wGPhZf+ik=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20231030173426-d783a09b4405/go.mod h1:67X1fPuzjcrkymZzZV1vvkFeTn2Rvc6lYF9MYFGCcwE=
-google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
-google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
-google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
-google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
-google.golang.org/grpc v1.22.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA=
-google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
-google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=
-google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
-google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
-google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8=
-google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
-google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
-google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
-google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
-google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzIUK6k=
-google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
-google.golang.org/grpc v1.43.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
-google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
-google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ=
-google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
-google.golang.org/grpc v1.50.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
-google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
-google.golang.org/grpc v1.51.0/go.mod h1:wgNDFcnuBGmxLKI/qn4T+m5BtEBYXJPvibbUPsAIPww=
-google.golang.org/grpc v1.52.0/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5vorUY=
-google.golang.org/grpc v1.52.3/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5vorUY=
-google.golang.org/grpc v1.53.0/go.mod h1:OnIrk0ipVdj4N5d9IUoFUx72/VlD7+jUsHwZgwSMQpw=
-google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g=
-google.golang.org/grpc v1.55.0/go.mod h1:iYEXKGkEBhg1PjZQvoYEVPTDkHo1/bjTnfwTeGONTY8=
-google.golang.org/grpc v1.56.1/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
-google.golang.org/grpc v1.56.2/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
-google.golang.org/grpc v1.57.0/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo=
-google.golang.org/grpc v1.57.2/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo=
-google.golang.org/grpc v1.58.2/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0=
-google.golang.org/grpc v1.58.3 h1:BjnpXut1btbtgN/6sp+brB2Kbm2LjNXnidYujAVbSoQ=
-google.golang.org/grpc v1.58.3/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0=
-google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0 h1:M1YKkFIboKNieVO5DLUEVzQfGwJD30Nv2jfUgzb5UcE=
-google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
-google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
-google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
-google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
-google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
-google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
-google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
-google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.28.2-0.20230222093303-bc1253ad3743/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.29.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
-gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20141024133853-64131543e789/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
-gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
-gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
-gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
-gopkg.in/inconshreveable/log15.v2 v2.0.0-20180818164646-67afb5ed74ec/go.mod h1:aPpfJ7XW+gOuirDoZ8gHhLh3kZ1B08FtV2bbmy7Jv3s=
-gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
-gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
-gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
-gopkg.in/ini.v1 v1.66.2 h1:XfR1dOYubytKy4Shzc2LHrrGhU0lDCfDGG1yLPmpgsI=
-gopkg.in/ini.v1 v1.66.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
-gopkg.in/jcmturner/goidentity.v3 v3.0.0 h1:1duIyWiTaYvVx3YX2CYtpJbUFd7/UuPYCfgXtQ3VTbI=
-gopkg.in/jcmturner/goidentity.v3 v3.0.0/go.mod h1:oG2kH0IvSYNIu80dVAyu/yoefjq1mNfM5bm88whjWx4=
-gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
-gopkg.in/ory-am/dockertest.v3 v3.3.4 h1:oen8RiwxVNxtQ1pRoV4e4jqh6UjNsOuIZ1NXns6jdcw=
-gopkg.in/ory-am/dockertest.v3 v3.3.4/go.mod h1:s9mmoLkaGeAh97qygnNj4xWkiN7e1SKekYC6CovU+ek=
-gopkg.in/resty.v1 v1.12.0 h1:CuXP0Pjfw9rOuY6EP+UvtNvt5DSqHpIxILZKT/quCZI=
-gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
-gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
-gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
-gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
-gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
-gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
-gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
-gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
-gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
-gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
-gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
-gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
-gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
-gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
-gotest.tools/gotestsum v1.10.0 h1:lVO4uQJoxdsJb7jgmr1fg8QW7zGQ/tuqvsq5fHKyoHQ=
-gotest.tools/gotestsum v1.10.0/go.mod h1:6JHCiN6TEjA7Kaz23q1bH0e2Dc3YJjDUZ0DmctFZf+w=
-gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
-gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
-gotest.tools/v3 v3.3.0/go.mod h1:Mcr9QNxkg0uMvy/YElmo4SpXgJKWgQvYrT7Kw5RzJ1A=
-gotest.tools/v3 v3.5.0 h1:Ljk6PdHdOhAb5aDMWXjDLMMhph+BpztA4v1QdqEW2eY=
-gotest.tools/v3 v3.5.0/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
-honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
-honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las=
-honnef.co/go/tools v0.4.3 h1:o/n5/K5gXqk8Gozvs2cnL0F2S1/g1vcGCAx2vETjITw=
-honnef.co/go/tools v0.4.3/go.mod h1:36ZgoUOrqOk1GxwHhyryEkq8FQWkUO2xGuSMhUCcdvA=
-k8s.io/api v0.18.2/go.mod h1:SJCWI7OLzhZSvbY7U8zwNl9UA4o1fizoug34OV/2r78=
-k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo=
-k8s.io/api v0.20.4/go.mod h1:++lNL1AJMkDymriNniQsWRkMDzRaX2Y/POTUi8yvqYQ=
-k8s.io/api v0.20.6/go.mod h1:X9e8Qag6JV/bL5G6bU8sdVRltWKmdHsFUGS3eVndqE8=
-k8s.io/api v0.22.5/go.mod h1:mEhXyLaSD1qTOf40rRiKXkc+2iCem09rWLlFwhCEiAs=
-k8s.io/api v0.26.2/go.mod h1:1kjMQsFE+QHPfskEcVNgL3+Hp88B80uj0QtSOlj8itU=
-k8s.io/api v0.28.1 h1:i+0O8k2NPBCPYaMB+uCkseEbawEt/eFaiRqUx8aB108=
-k8s.io/api v0.28.1/go.mod h1:uBYwID+66wiL28Kn2tBjBYQdEU0Xk0z5qF8bIBqk/Dg=
-k8s.io/apimachinery v0.18.2/go.mod h1:9SnR/e11v5IbyPCGbvJViimtJ0SwHG4nfZFjU77ftcA=
-k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
-k8s.io/apimachinery v0.20.4/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
-k8s.io/apimachinery v0.20.6/go.mod h1:ejZXtW1Ra6V1O5H8xPBGz+T3+4gfkTCeExAHKU57MAc=
-k8s.io/apimachinery v0.22.1/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0=
-k8s.io/apimachinery v0.22.5/go.mod h1:xziclGKwuuJ2RM5/rSFQSYAj0zdbci3DH8kj+WvyN0U=
-k8s.io/apimachinery v0.25.0/go.mod h1:qMx9eAk0sZQGsXGu86fab8tZdffHbwUfsvzqKn4mfB0=
-k8s.io/apimachinery v0.26.2/go.mod h1:ats7nN1LExKHvJ9TmwootT00Yz05MuYqPXEXaVeOy5I=
-k8s.io/apimachinery v0.28.1 h1:EJD40og3GizBSV3mkIoXQBsws32okPOy+MkRyzh6nPY=
-k8s.io/apimachinery v0.28.1/go.mod h1:X0xh/chESs2hP9koe+SdIAcXWcQ+RM5hy0ZynB+yEvw=
-k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU=
-k8s.io/apiserver v0.20.4/go.mod h1:Mc80thBKOyy7tbvFtB4kJv1kbdD0eIH8k8vianJcbFM=
-k8s.io/apiserver v0.20.6/go.mod h1:QIJXNt6i6JB+0YQRNcS0hdRHJlMhflFmsBDeSgT1r8Q=
-k8s.io/apiserver v0.22.5/go.mod h1:s2WbtgZAkTKt679sYtSudEQrTGWUSQAPe6MupLnlmaQ=
-k8s.io/apiserver v0.26.2/go.mod h1:GHcozwXgXsPuOJ28EnQ/jXEM9QeG6HT22YxSNmpYNh8=
-k8s.io/client-go v0.18.2/go.mod h1:Xcm5wVGXX9HAA2JJ2sSBUn3tCJ+4SVlCbl2MNNv+CIU=
-k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y=
-k8s.io/client-go v0.20.4/go.mod h1:LiMv25ND1gLUdBeYxBIwKpkSC5IsozMMmOOeSJboP+k=
-k8s.io/client-go v0.20.6/go.mod h1:nNQMnOvEUEsOzRRFIIkdmYOjAZrC8bgq0ExboWSU1I0=
-k8s.io/client-go v0.22.5/go.mod h1:cs6yf/61q2T1SdQL5Rdcjg9J1ElXSwbjSrW2vFImM4Y=
-k8s.io/client-go v0.26.2/go.mod h1:u5EjOuSyBa09yqqyY7m3abZeovO/7D/WehVVlZ2qcqU=
-k8s.io/client-go v0.28.1 h1:pRhMzB8HyLfVwpngWKE8hDcXRqifh1ga2Z/PU9SXVK8=
-k8s.io/client-go v0.28.1/go.mod h1:pEZA3FqOsVkCc07pFVzK076R+P/eXqsgx5zuuRWukNE=
-k8s.io/code-generator v0.19.7/go.mod h1:lwEq3YnLYb/7uVXLorOJfxg+cUu2oihFhHZ0n9NIla0=
-k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk=
-k8s.io/component-base v0.20.4/go.mod h1:t4p9EdiagbVCJKrQ1RsA5/V4rFQNDfRlevJajlGwgjI=
-k8s.io/component-base v0.20.6/go.mod h1:6f1MPBAeI+mvuts3sIdtpjljHWBQ2cIy38oBIWMYnrM=
-k8s.io/component-base v0.22.5/go.mod h1:VK3I+TjuF9eaa+Ln67dKxhGar5ynVbwnGrUiNF4MqCI=
-k8s.io/component-base v0.26.2/go.mod h1:DxbuIe9M3IZPRxPIzhch2m1eT7uFrSBJUBuVCQEBivs=
-k8s.io/cri-api v0.17.3/go.mod h1:X1sbHmuXhwaHs9xxYffLqJogVsnI+f6cPRcgPel7ywM=
-k8s.io/cri-api v0.20.1/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI=
-k8s.io/cri-api v0.20.4/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI=
-k8s.io/cri-api v0.20.6/go.mod h1:ew44AjNXwyn1s0U4xCKGodU7J1HzBeZ1MpGrpa5r8Yc=
-k8s.io/cri-api v0.23.1/go.mod h1:REJE3PSU0h/LOV1APBrupxrEJqnoxZC8KWzkBUHwrK4=
-k8s.io/cri-api v0.25.0/go.mod h1:J1rAyQkSJ2Q6I+aBMOVgg2/cbbebso6FNa0UagiR0kc=
-k8s.io/cri-api v0.25.3/go.mod h1:riC/P0yOGUf2K1735wW+CXs1aY2ctBgePtnnoFLd0dU=
-k8s.io/cri-api v0.26.2/go.mod h1:Oo8O7MKFPNDxfDf2LmrF/3Hf30q1C6iliGuv3la3tIA=
-k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
-k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
-k8s.io/gengo v0.0.0-20200428234225-8167cfdcfc14/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
-k8s.io/gengo v0.0.0-20201113003025-83324d819ded/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
-k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
-k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
-k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
-k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
-k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
-k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
-k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
-k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
-k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
-k8s.io/klog/v2 v2.70.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
-k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
-k8s.io/klog/v2 v2.90.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
-k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
-k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
-k8s.io/kms v0.26.2/go.mod h1:69qGnf1NsFOQP07fBYqNLZklqEHSJF024JqYCaeVxHg=
-k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E=
-k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o=
-k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM=
-k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw=
-k8s.io/kube-openapi v0.0.0-20211109043538-20434351676c/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw=
-k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1/go.mod h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU=
-k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4=
-k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ=
-k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM=
-k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk=
-k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
-k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-k8s.io/utils v0.0.0-20221107191617-1a15be271d1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk=
-k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-layeh.com/radius v0.0.0-20190322222518-890bc1058917 h1:BDXFaFzUt5EIqe/4wrTc4AcYZWP6iC6Ult+jQWLh5eU=
-layeh.com/radius v0.0.0-20190322222518-890bc1058917/go.mod h1:fywZKyu//X7iRzaxLgPWsvc0L26IUpVvE/aeIL2JtIQ=
-lukechampine.com/uint128 v1.1.1/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=
-lukechampine.com/uint128 v1.2.0/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=
-modernc.org/cc/v3 v3.36.0/go.mod h1:NFUHyPn4ekoC/JHeZFfZurN6ixxawE1BnVonP/oahEI=
-modernc.org/cc/v3 v3.36.2/go.mod h1:NFUHyPn4ekoC/JHeZFfZurN6ixxawE1BnVonP/oahEI=
-modernc.org/cc/v3 v3.36.3/go.mod h1:NFUHyPn4ekoC/JHeZFfZurN6ixxawE1BnVonP/oahEI=
-modernc.org/cc/v3 v3.37.0/go.mod h1:vtL+3mdHx/wcj3iEGz84rQa8vEqR6XM84v5Lcvfph20=
-modernc.org/cc/v3 v3.40.0/go.mod h1:/bTg4dnWkSXowUO6ssQKnOV0yMVxDYNIsIrzqTFDGH0=
-modernc.org/ccgo/v3 v3.0.0-20220428102840-41399a37e894/go.mod h1:eI31LL8EwEBKPpNpA4bU1/i+sKOwOrQy8D87zWUcRZc=
-modernc.org/ccgo/v3 v3.0.0-20220430103911-bc99d88307be/go.mod h1:bwdAnOoaIt8Ax9YdWGjxWsdkPcZyRPHqrOvJxaKAKGw=
-modernc.org/ccgo/v3 v3.0.0-20220904174949-82d86e1b6d56/go.mod h1:YSXjPL62P2AMSxBphRHPn7IkzhVHqkvOnRKAKh+W6ZI=
-modernc.org/ccgo/v3 v3.16.4/go.mod h1:tGtX0gE9Jn7hdZFeU88slbTh1UtCYKusWOoCJuvkWsQ=
-modernc.org/ccgo/v3 v3.16.6/go.mod h1:tGtX0gE9Jn7hdZFeU88slbTh1UtCYKusWOoCJuvkWsQ=
-modernc.org/ccgo/v3 v3.16.8/go.mod h1:zNjwkizS+fIFDrDjIAgBSCLkWbJuHF+ar3QRn+Z9aws=
-modernc.org/ccgo/v3 v3.16.9/go.mod h1:zNMzC9A9xeNUepy6KuZBbugn3c0Mc9TeiJO4lgvkJDo=
-modernc.org/ccgo/v3 v3.16.13-0.20221017192402-261537637ce8/go.mod h1:fUB3Vn0nVPReA+7IG7yZDfjv1TMWjhQP8gCxrFAtL5g=
-modernc.org/ccgo/v3 v3.16.13/go.mod h1:2Quk+5YgpImhPjv2Qsob1DnZ/4som1lJTodubIcoUkY=
-modernc.org/ccorpus v1.11.6/go.mod h1:2gEUTrWqdpH2pXsmTM1ZkjeSrUWDpjMu2T6m29L/ErQ=
-modernc.org/httpfs v1.0.6/go.mod h1:7dosgurJGp0sPaRanU53W4xZYKh14wfzX420oZADeHM=
-modernc.org/libc v0.0.0-20220428101251-2d5f3daf273b/go.mod h1:p7Mg4+koNjc8jkqwcoFBJx7tXkpj00G77X7A72jXPXA=
-modernc.org/libc v1.16.0/go.mod h1:N4LD6DBE9cf+Dzf9buBlzVJndKr/iJHG97vGLHYnb5A=
-modernc.org/libc v1.16.1/go.mod h1:JjJE0eu4yeK7tab2n4S1w8tlWd9MxXLRzheaRnAKymU=
-modernc.org/libc v1.16.17/go.mod h1:hYIV5VZczAmGZAnG15Vdngn5HSF5cSkbvfz2B7GRuVU=
-modernc.org/libc v1.16.19/go.mod h1:p7Mg4+koNjc8jkqwcoFBJx7tXkpj00G77X7A72jXPXA=
-modernc.org/libc v1.17.0/go.mod h1:XsgLldpP4aWlPlsjqKRdHPqCxCjISdHfM/yeWC5GyW0=
-modernc.org/libc v1.17.1/go.mod h1:FZ23b+8LjxZs7XtFMbSzL/EhPxNbfZbErxEHc7cbD9s=
-modernc.org/libc v1.17.4/go.mod h1:WNg2ZH56rDEwdropAJeZPQkXmDwh+JCA1s/htl6r2fA=
-modernc.org/libc v1.18.0/go.mod h1:vj6zehR5bfc98ipowQOM2nIDUZnVew/wNC/2tOGS+q0=
-modernc.org/libc v1.20.3/go.mod h1:ZRfIaEkgrYgZDl6pa4W39HgN5G/yDW+NRmNKZBDFrk0=
-modernc.org/libc v1.21.4/go.mod h1:przBsL5RDOZajTVslkugzLBj1evTue36jEomFQOoYuI=
-modernc.org/libc v1.22.2/go.mod h1:uvQavJ1pZ0hIoC/jfqNoMLURIMhKzINIWypNM17puug=
-modernc.org/mathutil v1.2.2/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
-modernc.org/mathutil v1.4.1/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
-modernc.org/mathutil v1.5.0/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
-modernc.org/memory v1.1.1/go.mod h1:/0wo5ibyrQiaoUoH7f9D8dnglAmILJ5/cxZlRECf+Nw=
-modernc.org/memory v1.2.0/go.mod h1:/0wo5ibyrQiaoUoH7f9D8dnglAmILJ5/cxZlRECf+Nw=
-modernc.org/memory v1.2.1/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU=
-modernc.org/memory v1.3.0/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU=
-modernc.org/memory v1.4.0/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU=
-modernc.org/memory v1.5.0/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU=
-modernc.org/opt v0.1.1/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
-modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
-modernc.org/sqlite v1.18.1/go.mod h1:6ho+Gow7oX5V+OiOQ6Tr4xeqbx13UZ6t+Fw9IRUG4d4=
-modernc.org/sqlite v1.18.2/go.mod h1:kvrTLEWgxUcHa2GfHBQtanR1H9ht3hTJNtKpzH9k1u0=
-modernc.org/strutil v1.1.1/go.mod h1:DE+MQQ/hjKBZS2zNInV5hhcipt5rLPWkmpbGeW5mmdw=
-modernc.org/strutil v1.1.3/go.mod h1:MEHNA7PdEnEwLvspRMtWTNnp2nnyvMfkimT1NKNAGbw=
-modernc.org/tcl v1.13.1/go.mod h1:XOLfOwzhkljL4itZkK6T72ckMgvj0BDsnKNdZVUOecw=
-modernc.org/tcl v1.13.2/go.mod h1:7CLiGIPo1M8Rv1Mitpv5akc2+8fxUd2y2UzC/MfMzy0=
-modernc.org/token v1.0.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
-modernc.org/token v1.0.1/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
-modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
-modernc.org/z v1.5.1/go.mod h1:eWFB510QWW5Th9YGZT81s+LwvaAs3Q2yr4sP0rmLkv8=
-mvdan.cc/gofumpt v0.1.1/go.mod h1:yXG1r1WqZVKWbVRtBWKWX9+CxGYfA51nSomhM0woR48=
-mvdan.cc/gofumpt v0.2.1/go.mod h1:a/rvZPhsNaedOJBzqRD9omnwVwHZsBdJirXHa9Gh9Ig=
-mvdan.cc/gofumpt v0.3.1 h1:avhhrOmv0IuvQVK7fvwV91oFSGAk5/6Po8GXTzICeu8=
-mvdan.cc/gofumpt v0.3.1/go.mod h1:w3ymliuxvzVx8DAutBnVyDqYb1Niy/yCJt/lk821YCE=
-nhooyr.io/websocket v1.8.7 h1:usjR2uOr/zjjkVMy0lW+PPohFok7PCow5sDjLgX4P4g=
-nhooyr.io/websocket v1.8.7/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0=
-oras.land/oras-go v1.2.0/go.mod h1:pFNs7oHp2dYsYMSS82HaX5l4mpnGO7hbpPN6EWH2ltc=
-rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
-rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
-rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
-rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
-sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.14/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
-sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.15/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
-sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.22/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
-sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.35/go.mod h1:WxjusMwXlKzfAs4p9km6XJRndVt2FROgMVCE4cdohFo=
-sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
-sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
-sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
-sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
-sigs.k8s.io/structured-merge-diff/v3 v3.0.0/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
-sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
-sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
-sigs.k8s.io/structured-merge-diff/v4 v4.0.3/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
-sigs.k8s.io/structured-merge-diff/v4 v4.1.2/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4=
-sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
-sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E=
-sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
-sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
-sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
-sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
+// Copyright (c) 2017-2022 Snowflake Computing Inc. All rights reserved.
+
+package ocsp
+
+import (
+	"bytes"
+	"context"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"math/big"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/go-retryablehttp"
+	lru "github.com/hashicorp/golang-lru"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/crypto/ocsp"
+)
+
+func TestOCSP(t *testing.T) {
+	targetURL := []string{
+		"https://sfcdev1.blob.core.windows.net/",
+		"https://sfctest0.snowflakecomputing.com/",
+		"https://s3-us-west-2.amazonaws.com/sfc-snowsql-updates/?prefix=1.1/windows_x86_64",
+	}
+
+	conf := VerifyConfig{
+		OcspFailureMode: FailOpenFalse,
+	}
+	c := New(testLogFactory, 10)
+	transports := []*http.Transport{
+		newInsecureOcspTransport(nil),
+		c.NewTransport(&conf),
+	}
+
+	for _, tgt := range targetURL {
+		c.ocspResponseCache, _ = lru.New2Q(10)
+		for _, tr := range transports {
+			c := &http.Client{
+				Transport: tr,
+				Timeout:   30 * time.Second,
+			}
+			req, err := http.NewRequest("GET", tgt, bytes.NewReader(nil))
+			if err != nil {
+				t.Fatalf("fail to create a request. err: %v", err)
+			}
+			res, err := c.Do(req)
+			if err != nil {
+				t.Fatalf("failed to GET contents. err: %v", err)
+			}
+			defer res.Body.Close()
+			_, err = ioutil.ReadAll(res.Body)
+			if err != nil {
+				t.Fatalf("failed to read content body for %v", tgt)
+			}
+
+		}
+	}
+}
+
+/**
+// Used for development, requires an active Vault with PKI setup
+func TestMultiOCSP(t *testing.T) {
+
+	targetURL := []string{
+		"https://localhost:8200/v1/pki/ocsp",
+		"https://localhost:8200/v1/pki/ocsp",
+		"https://localhost:8200/v1/pki/ocsp",
+	}
+
+	b, _ := pem.Decode([]byte(vaultCert))
+	caCert, _ := x509.ParseCertificate(b.Bytes)
+	conf := VerifyConfig{
+		OcspFailureMode:     FailOpenFalse,
+		QueryAllServers:     true,
+		OcspServersOverride: targetURL,
+		ExtraCas:            []*x509.Certificate{caCert},
+	}
+	c := New(testLogFactory, 10)
+	transports := []*http.Transport{
+		newInsecureOcspTransport(conf.ExtraCas),
+		c.NewTransport(&conf),
+	}
+
+	tgt := "https://localhost:8200/v1/pki/ca/pem"
+	c.ocspResponseCache, _ = lru.New2Q(10)
+	for _, tr := range transports {
+		c := &http.Client{
+			Transport: tr,
+			Timeout:   30 * time.Second,
+		}
+		req, err := http.NewRequest("GET", tgt, bytes.NewReader(nil))
+		if err != nil {
+			t.Fatalf("fail to create a request. err: %v", err)
+		}
+		res, err := c.Do(req)
+		if err != nil {
+			t.Fatalf("failed to GET contents. err: %v", err)
+		}
+		defer res.Body.Close()
+		_, err = ioutil.ReadAll(res.Body)
+		if err != nil {
+			t.Fatalf("failed to read content body for %v", tgt)
+		}
+	}
+}
+*/
+
+func TestUnitEncodeCertIDGood(t *testing.T) {
+	targetURLs := []string{
+		"faketestaccount.snowflakecomputing.com:443",
+		"s3-us-west-2.amazonaws.com:443",
+		"sfcdev1.blob.core.windows.net:443",
+	}
+	for _, tt := range targetURLs {
+		chainedCerts := getCert(tt)
+		for i := 0; i < len(chainedCerts)-1; i++ {
+			subject := chainedCerts[i]
+			issuer := chainedCerts[i+1]
+			ocspServers := subject.OCSPServer
+			if len(ocspServers) == 0 {
+				t.Fatalf("no OCSP server is found. cert: %v", subject.Subject)
+			}
+			ocspReq, err := ocsp.CreateRequest(subject, issuer, &ocsp.RequestOptions{})
+			if err != nil {
+				t.Fatalf("failed to create OCSP request. err: %v", err)
+			}
+			var ost *ocspStatus
+			_, ost = extractCertIDKeyFromRequest(ocspReq)
+			if ost.err != nil {
+				t.Fatalf("failed to extract cert ID from the OCSP request. err: %v", ost.err)
+			}
+			// better hash. Not sure if the actual OCSP server accepts this, though.
+			ocspReq, err = ocsp.CreateRequest(subject, issuer, &ocsp.RequestOptions{Hash: crypto.SHA512})
+			if err != nil {
+				t.Fatalf("failed to create OCSP request. err: %v", err)
+			}
+			_, ost = extractCertIDKeyFromRequest(ocspReq)
+			if ost.err != nil {
+				t.Fatalf("failed to extract cert ID from the OCSP request. err: %v", ost.err)
+			}
+			// tweaked request binary
+			ocspReq, err = ocsp.CreateRequest(subject, issuer, &ocsp.RequestOptions{Hash: crypto.SHA512})
+			if err != nil {
+				t.Fatalf("failed to create OCSP request. err: %v", err)
+			}
+			ocspReq[10] = 0 // random change
+			_, ost = extractCertIDKeyFromRequest(ocspReq)
+			if ost.err == nil {
+				t.Fatal("should have failed")
+			}
+		}
+	}
+}
+
+func TestUnitCheckOCSPResponseCache(t *testing.T) {
+	c := New(testLogFactory, 10)
+	dummyKey0 := certIDKey{
+		NameHash:      "dummy0",
+		IssuerKeyHash: "dummy0",
+		SerialNumber:  "dummy0",
+	}
+	dummyKey := certIDKey{
+		NameHash:      "dummy1",
+		IssuerKeyHash: "dummy1",
+		SerialNumber:  "dummy1",
+	}
+	currentTime := float64(time.Now().UTC().Unix())
+	c.ocspResponseCache.Add(dummyKey0, &ocspCachedResponse{time: currentTime})
+	subject := &x509.Certificate{}
+	issuer := &x509.Certificate{}
+	ost, err := c.checkOCSPResponseCache(&dummyKey, subject, issuer)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if ost.code != ocspMissedCache {
+		t.Fatalf("should have failed. expected: %v, got: %v", ocspMissedCache, ost.code)
+	}
+	// old timestamp
+	c.ocspResponseCache.Add(dummyKey, &ocspCachedResponse{time: float64(1395054952)})
+	ost, err = c.checkOCSPResponseCache(&dummyKey, subject, issuer)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if ost.code != ocspCacheExpired {
+		t.Fatalf("should have failed. expected: %v, got: %v", ocspCacheExpired, ost.code)
+	}
+
+	// invalid validity
+	c.ocspResponseCache.Add(dummyKey, &ocspCachedResponse{time: float64(currentTime - 1000)})
+	ost, err = c.checkOCSPResponseCache(&dummyKey, subject, nil)
+	if err == nil && isValidOCSPStatus(ost.code) {
+		t.Fatalf("should have failed.")
+	}
+}
+
+func TestUnitExpiredOCSPResponse(t *testing.T) {
+	rootCaKey, rootCa, leafCert := createCaLeafCerts(t)
+
+	expiredOcspResponse := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		now := time.Now()
+		ocspRes := ocsp.Response{
+			SerialNumber: big.NewInt(2),
+			ThisUpdate:   now.Add(-1 * time.Hour),
+			NextUpdate:   now.Add(-30 * time.Minute),
+			Status:       ocsp.Good,
+		}
+		response, err := ocsp.CreateResponse(rootCa, rootCa, ocspRes, rootCaKey)
+		if err != nil {
+			_, _ = w.Write(ocsp.InternalErrorErrorResponse)
+			t.Fatalf("failed generating OCSP response: %v", err)
+		}
+		_, _ = w.Write(response)
+	})
+	ts := httptest.NewServer(expiredOcspResponse)
+	defer ts.Close()
+
+	logFactory := func() hclog.Logger {
+		return hclog.NewNullLogger()
+	}
+	client := New(logFactory, 100)
+
+	ctx := context.Background()
+
+	config := &VerifyConfig{
+		OcspEnabled:         true,
+		OcspServersOverride: []string{ts.URL},
+		OcspFailureMode:     FailOpenFalse,
+		QueryAllServers:     false,
+	}
+
+	status, err := client.GetRevocationStatus(ctx, leafCert, rootCa, config)
+	require.ErrorContains(t, err, "invalid validity",
+		"Expected error got response: %v, %v", status, err)
+}
+
+func createCaLeafCerts(t *testing.T) (*ecdsa.PrivateKey, *x509.Certificate, *x509.Certificate) {
+	rootCaKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err, "failed generated root key for CA")
+
+	// Validate we reject CSRs that contain CN that aren't in the original order
+	cr := &x509.Certificate{
+		Subject:               pkix.Name{CommonName: "Root Cert"},
+		SerialNumber:          big.NewInt(1),
+		IsCA:                  true,
+		BasicConstraintsValid: true,
+		SignatureAlgorithm:    x509.ECDSAWithSHA256,
+		NotBefore:             time.Now().Add(-1 * time.Second),
+		NotAfter:              time.Now().AddDate(1, 0, 0),
+		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning},
+	}
+	rootCaBytes, err := x509.CreateCertificate(rand.Reader, cr, cr, &rootCaKey.PublicKey, rootCaKey)
+	require.NoError(t, err, "failed generating root ca")
+
+	rootCa, err := x509.ParseCertificate(rootCaBytes)
+	require.NoError(t, err, "failed parsing root ca")
+
+	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err, "failed generated leaf key")
+
+	cr = &x509.Certificate{
+		Subject:            pkix.Name{CommonName: "Leaf Cert"},
+		SerialNumber:       big.NewInt(2),
+		SignatureAlgorithm: x509.ECDSAWithSHA256,
+		NotBefore:          time.Now().Add(-1 * time.Second),
+		NotAfter:           time.Now().AddDate(1, 0, 0),
+		KeyUsage:           x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+	}
+	leafCertBytes, err := x509.CreateCertificate(rand.Reader, cr, rootCa, &leafKey.PublicKey, rootCaKey)
+	require.NoError(t, err, "failed generating root ca")
+
+	leafCert, err := x509.ParseCertificate(leafCertBytes)
+	require.NoError(t, err, "failed parsing root ca")
+	return rootCaKey, rootCa, leafCert
+}
+
+func TestUnitValidateOCSP(t *testing.T) {
+	ocspRes := &ocsp.Response{}
+	ost, err := validateOCSP(ocspRes)
+	if err == nil && isValidOCSPStatus(ost.code) {
+		t.Fatalf("should have failed.")
+	}
+
+	currentTime := time.Now()
+	ocspRes.ThisUpdate = currentTime.Add(-2 * time.Hour)
+	ocspRes.NextUpdate = currentTime.Add(2 * time.Hour)
+	ocspRes.Status = ocsp.Revoked
+	ost, err = validateOCSP(ocspRes)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if ost.code != ocspStatusRevoked {
+		t.Fatalf("should have failed. expected: %v, got: %v", ocspStatusRevoked, ost.code)
+	}
+	ocspRes.Status = ocsp.Good
+	ost, err = validateOCSP(ocspRes)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if ost.code != ocspStatusGood {
+		t.Fatalf("should have success. expected: %v, got: %v", ocspStatusGood, ost.code)
+	}
+	ocspRes.Status = ocsp.Unknown
+	ost, err = validateOCSP(ocspRes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if ost.code != ocspStatusUnknown {
+		t.Fatalf("should have failed. expected: %v, got: %v", ocspStatusUnknown, ost.code)
+	}
+	ocspRes.Status = ocsp.ServerFailed
+	ost, err = validateOCSP(ocspRes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if ost.code != ocspStatusOthers {
+		t.Fatalf("should have failed. expected: %v, got: %v", ocspStatusOthers, ost.code)
+	}
+}
+
+func TestUnitEncodeCertID(t *testing.T) {
+	var st *ocspStatus
+	_, st = extractCertIDKeyFromRequest([]byte{0x1, 0x2})
+	if st.code != ocspFailedDecomposeRequest {
+		t.Fatalf("failed to get OCSP status. expected: %v, got: %v", ocspFailedDecomposeRequest, st.code)
+	}
+}
+
+func getCert(addr string) []*x509.Certificate {
+	tcpConn, err := net.DialTimeout("tcp", addr, 40*time.Second)
+	if err != nil {
+		panic(err)
+	}
+	defer tcpConn.Close()
+
+	err = tcpConn.SetDeadline(time.Now().Add(10 * time.Second))
+	if err != nil {
+		panic(err)
+	}
+	config := tls.Config{InsecureSkipVerify: true, ServerName: addr}
+
+	conn := tls.Client(tcpConn, &config)
+	defer conn.Close()
+
+	err = conn.Handshake()
+	if err != nil {
+		panic(err)
+	}
+
+	state := conn.ConnectionState()
+
+	return state.PeerCertificates
+}
+
+func TestOCSPRetry(t *testing.T) {
+	c := New(testLogFactory, 10)
+	certs := getCert("s3-us-west-2.amazonaws.com:443")
+	dummyOCSPHost := &url.URL{
+		Scheme: "https",
+		Host:   "dummyOCSPHost",
+	}
+	client := &fakeHTTPClient{
+		cnt:     3,
+		success: true,
+		body:    []byte{1, 2, 3},
+		logger:  hclog.New(hclog.DefaultOptions),
+		t:       t,
+	}
+	res, b, st, err := c.retryOCSP(
+		context.TODO(),
+		client, fakeRequestFunc,
+		dummyOCSPHost,
+		make(map[string]string), []byte{0}, certs[len(certs)-1])
+	if err == nil {
+		fmt.Printf("should fail: %v, %v, %v\n", res, b, st)
+	}
+	client = &fakeHTTPClient{
+		cnt:     30,
+		success: true,
+		body:    []byte{1, 2, 3},
+		logger:  hclog.New(hclog.DefaultOptions),
+		t:       t,
+	}
+	res, b, st, err = c.retryOCSP(
+		context.TODO(),
+		client, fakeRequestFunc,
+		dummyOCSPHost,
+		make(map[string]string), []byte{0}, certs[len(certs)-1])
+	if err == nil {
+		fmt.Printf("should fail: %v, %v, %v\n", res, b, st)
+	}
+}
+
+type tcCanEarlyExit struct {
+	results       []*ocspStatus
+	resultLen     int
+	retFailOpen   *ocspStatus
+	retFailClosed *ocspStatus
+}
+
+func TestCanEarlyExitForOCSP(t *testing.T) {
+	testcases := []tcCanEarlyExit{
+		{ // 0
+			results: []*ocspStatus{
+				{
+					code: ocspStatusGood,
+				},
+				{
+					code: ocspStatusGood,
+				},
+				{
+					code: ocspStatusGood,
+				},
+			},
+			retFailOpen:   nil,
+			retFailClosed: nil,
+		},
+		{ // 1
+			results: []*ocspStatus{
+				{
+					code: ocspStatusRevoked,
+					err:  errors.New("revoked"),
+				},
+				{
+					code: ocspStatusGood,
+				},
+				{
+					code: ocspStatusGood,
+				},
+			},
+			retFailOpen:   &ocspStatus{ocspStatusRevoked, errors.New("revoked")},
+			retFailClosed: &ocspStatus{ocspStatusRevoked, errors.New("revoked")},
+		},
+		{ // 2
+			results: []*ocspStatus{
+				{
+					code: ocspStatusUnknown,
+					err:  errors.New("unknown"),
+				},
+				{
+					code: ocspStatusGood,
+				},
+				{
+					code: ocspStatusGood,
+				},
+			},
+			retFailOpen:   nil,
+			retFailClosed: &ocspStatus{ocspStatusUnknown, errors.New("unknown")},
+		},
+		{ // 3: not taken as revoked if any invalid OCSP response (ocspInvalidValidity) is included.
+			results: []*ocspStatus{
+				{
+					code: ocspStatusRevoked,
+					err:  errors.New("revoked"),
+				},
+				{
+					code: ocspInvalidValidity,
+				},
+				{
+					code: ocspStatusGood,
+				},
+			},
+			retFailOpen:   nil,
+			retFailClosed: &ocspStatus{ocspStatusRevoked, errors.New("revoked")},
+		},
+		{ // 4: not taken as revoked if the number of results don't match the expected results.
+			results: []*ocspStatus{
+				{
+					code: ocspStatusRevoked,
+					err:  errors.New("revoked"),
+				},
+				{
+					code: ocspStatusGood,
+				},
+			},
+			resultLen:     3,
+			retFailOpen:   nil,
+			retFailClosed: &ocspStatus{ocspStatusRevoked, errors.New("revoked")},
+		},
+	}
+	c := New(testLogFactory, 10)
+	for idx, tt := range testcases {
+		expectedLen := len(tt.results)
+		if tt.resultLen > 0 {
+			expectedLen = tt.resultLen
+		}
+		r := c.canEarlyExitForOCSP(tt.results, expectedLen, &VerifyConfig{OcspFailureMode: FailOpenTrue})
+		if !(tt.retFailOpen == nil && r == nil) && !(tt.retFailOpen != nil && r != nil && tt.retFailOpen.code == r.code) {
+			t.Fatalf("%d: failed to match return. expected: %v, got: %v", idx, tt.retFailOpen, r)
+		}
+		r = c.canEarlyExitForOCSP(tt.results, expectedLen, &VerifyConfig{OcspFailureMode: FailOpenFalse})
+		if !(tt.retFailClosed == nil && r == nil) && !(tt.retFailClosed != nil && r != nil && tt.retFailClosed.code == r.code) {
+			t.Fatalf("%d: failed to match return. expected: %v, got: %v", idx, tt.retFailClosed, r)
+		}
+	}
+}
+
+var testLogger = hclog.New(hclog.DefaultOptions)
+
+func testLogFactory() hclog.Logger {
+	return testLogger
+}
+
+type fakeHTTPClient struct {
+	cnt        int    // number of retry
+	success    bool   // return success after retry in cnt times
+	timeout    bool   // timeout
+	body       []byte // return body
+	t          *testing.T
+	logger     hclog.Logger
+	redirected bool
+}
+
+func (c *fakeHTTPClient) Do(_ *retryablehttp.Request) (*http.Response, error) {
+	c.cnt--
+	if c.cnt < 0 {
+		c.cnt = 0
+	}
+	c.t.Log("fakeHTTPClient.cnt", c.cnt)
+
+	var retcode int
+	if !c.redirected {
+		c.redirected = true
+		c.cnt++
+		retcode = 405
+	} else if c.success && c.cnt == 1 {
+		retcode = 200
+	} else {
+		if c.timeout {
+			// simulate timeout
+			time.Sleep(time.Second * 1)
+			return nil, &fakeHTTPError{
+				err:     "Whatever reason (Client.Timeout exceeded while awaiting headers)",
+				timeout: true,
+			}
+		}
+		retcode = 0
+	}
+
+	ret := &http.Response{
+		StatusCode: retcode,
+		Body:       &fakeResponseBody{body: c.body},
+	}
+	return ret, nil
+}
+
+type fakeHTTPError struct {
+	err     string
+	timeout bool
+}
+
+func (e *fakeHTTPError) Error() string   { return e.err }
+func (e *fakeHTTPError) Timeout() bool   { return e.timeout }
+func (e *fakeHTTPError) Temporary() bool { return true }
+
+type fakeResponseBody struct {
+	body []byte
+	cnt  int
+}
+
+func (b *fakeResponseBody) Read(p []byte) (n int, err error) {
+	if b.cnt == 0 {
+		copy(p, b.body)
+		b.cnt = 1
+		return len(b.body), nil
+	}
+	b.cnt = 0
+	return 0, io.EOF
+}
+
+func (b *fakeResponseBody) Close() error {
+	return nil
+}
+
+func fakeRequestFunc(_, _ string, _ interface{}) (*retryablehttp.Request, error) {
+	return nil, nil
+}
+
+const vaultCert = `-----BEGIN CERTIFICATE-----
+MIIDuTCCAqGgAwIBAgIUA6VeVD1IB5rXcCZRAqPO4zr/GAMwDQYJKoZIhvcNAQEL
+BQAwcjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAlZBMREwDwYDVQQHDAhTb21lQ2l0
+eTESMBAGA1UECgwJTXlDb21wYW55MRMwEQYDVQQLDApNeURpdmlzaW9uMRowGAYD
+VQQDDBF3d3cuY29uaHVnZWNvLmNvbTAeFw0yMjA5MDcxOTA1MzdaFw0yNDA5MDYx
+OTA1MzdaMHIxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJWQTERMA8GA1UEBwwIU29t
+ZUNpdHkxEjAQBgNVBAoMCU15Q29tcGFueTETMBEGA1UECwwKTXlEaXZpc2lvbjEa
+MBgGA1UEAwwRd3d3LmNvbmh1Z2Vjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDL9qzEXi4PIafSAqfcwcmjujFvbG1QZbI8swxnD+w8i4ufAQU5
+LDmvMrGo3ZbhJ0mCihYmFxpjhRdP2raJQ9TysHlPXHtDRpr9ckWTKBz2oIfqVtJ2
+qzteQkWCkDAO7kPqzgCFsMeoMZeONRkeGib0lEzQAbW/Rqnphg8zVVkyQ71DZ7Pc
+d5WkC2E28kKcSramhWfVFpxG3hSIrLOX2esEXteLRzKxFPf+gi413JZFKYIWrebP
+u5t0++MLNpuX322geoki4BWMjQsd47XILmxZ4aj33ScZvdrZESCnwP76hKIxg9mO
+lMxrqSWKVV5jHZrElSEj9LYJgDO1Y6eItn7hAgMBAAGjRzBFMAsGA1UdDwQEAwIE
+MDATBgNVHSUEDDAKBggrBgEFBQcDATAhBgNVHREEGjAYggtleGFtcGxlLmNvbYIJ
+bG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQA5dPdf5SdtMwe2uSspO/EuWqbM
+497vMQBW1Ey8KRKasJjhvOVYMbe7De5YsnW4bn8u5pl0zQGF4hEtpmifAtVvziH/
+K+ritQj9VVNbLLCbFcg+b0kfjt4yrDZ64vWvIeCgPjG1Kme8gdUUWgu9dOud5gdx
+qg/tIFv4TRS/eIIymMlfd9owOD3Ig6S5fy4NaAJFAwXf8+3Rzuc+e7JSAPgAufjh
+tOTWinxvoiOLuYwo9CyGgq4qKBFsrY0aE0gdA7oTQkpbEbo2EbqiWUl/PTCl1Y4Z
+nSZ0n+4q9QC9RLrWwYTwh838d5RVLUst2mBKSA+vn7YkqmBJbdBC6nkd7n7H
+-----END CERTIFICATE-----
+`
diff --git a/helper/forwarding/util.go b/helper/forwarding/util.go
index 1bc1c5e68fc3..465c5f1bc7bd 100644
--- a/helper/forwarding/util.go
+++ b/helper/forwarding/util.go
@@ -1,221 +1,73 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package forwarding
-
-import (
-	"bytes"
-	"crypto/tls"
-	"crypto/x509"
-	"errors"
-	"io"
-	"io/ioutil"
-	"net/http"
-	"net/url"
-	"os"
-
-	"github.com/golang/protobuf/proto"
-	"github.com/hashicorp/vault/sdk/helper/compressutil"
-	"github.com/hashicorp/vault/sdk/helper/jsonutil"
-	"github.com/hashicorp/vault/sdk/logical"
-)
-
-type bufCloser struct {
-	*bytes.Buffer
-}
-
-func (b bufCloser) Close() error {
-	b.Reset()
-	return nil
-}
-
-// GenerateForwardedRequest generates a new http.Request that contains the
-// original requests's information in the new request's body.
-func GenerateForwardedHTTPRequest(req *http.Request, addr string) (*http.Request, error) {
-	fq, err := GenerateForwardedRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	var newBody []byte
-	switch os.Getenv("VAULT_MESSAGE_TYPE") {
-	case "json":
-		newBody, err = jsonutil.EncodeJSON(fq)
-	case "json_compress":
-		newBody, err = jsonutil.EncodeJSONAndCompress(fq, &compressutil.CompressionConfig{
-			Type: compressutil.CompressionTypeLZW,
-		})
-	case "proto3":
-		fallthrough
-	default:
-		newBody, err = proto.Marshal(fq)
-	}
-	if err != nil {
-		return nil, err
-	}
-
-	ret, err := http.NewRequest("POST", addr, bytes.NewBuffer(newBody))
-	if err != nil {
-		return nil, err
-	}
-
-	return ret, nil
-}
-
-func GenerateForwardedRequest(req *http.Request) (*Request, error) {
-	var reader io.Reader = req.Body
-	ctx := req.Context()
-	if logical.ContextContainsMaxRequestSize(ctx) {
-		max, ok := logical.ContextMaxRequestSizeValue(ctx)
-		if !ok {
-			return nil, errors.New("could not parse max request size from request context")
-		}
-		if max > 0 {
-			reader = io.LimitReader(req.Body, max)
-		}
-	}
-
-	body, err := ioutil.ReadAll(reader)
-	if err != nil {
-		return nil, err
-	}
-
-	fq := Request{
-		Method:        req.Method,
-		HeaderEntries: make(map[string]*HeaderEntry, len(req.Header)),
-		Host:          req.Host,
-		RemoteAddr:    req.RemoteAddr,
-		Body:          body,
-	}
-
-	reqURL := req.URL
-	fq.Url = &URL{
-		Scheme:   reqURL.Scheme,
-		Opaque:   reqURL.Opaque,
-		Host:     reqURL.Host,
-		Path:     reqURL.Path,
-		RawPath:  reqURL.RawPath,
-		RawQuery: reqURL.RawQuery,
-		Fragment: reqURL.Fragment,
-	}
-
-	for k, v := range req.Header {
-		fq.HeaderEntries[k] = &HeaderEntry{
-			Values: v,
-		}
-	}
-
-	if req.TLS != nil && req.TLS.PeerCertificates != nil && len(req.TLS.PeerCertificates) > 0 {
-		fq.PeerCertificates = make([][]byte, len(req.TLS.PeerCertificates))
-		for i, cert := range req.TLS.PeerCertificates {
-			fq.PeerCertificates[i] = cert.Raw
-		}
-	}
-
-	return &fq, nil
-}
-
-// ParseForwardedRequest generates a new http.Request that is comprised of the
-// values in the given request's body, assuming it correctly parses into a
-// ForwardedRequest.
-func ParseForwardedHTTPRequest(req *http.Request) (*http.Request, error) {
-	buf := bytes.NewBuffer(nil)
-	_, err := buf.ReadFrom(req.Body)
-	if err != nil {
-		return nil, err
-	}
-
-	fq := new(Request)
-	switch os.Getenv("VAULT_MESSAGE_TYPE") {
-	case "json", "json_compress":
-		err = jsonutil.DecodeJSON(buf.Bytes(), fq)
-	default:
-		err = proto.Unmarshal(buf.Bytes(), fq)
-	}
-	if err != nil {
-		return nil, err
-	}
-
-	return ParseForwardedRequest(fq)
-}
-
-func ParseForwardedRequest(fq *Request) (*http.Request, error) {
-	buf := bufCloser{
-		Buffer: bytes.NewBuffer(fq.Body),
-	}
-
-	ret := &http.Request{
-		Method:     fq.Method,
-		Header:     make(map[string][]string, len(fq.HeaderEntries)),
-		Body:       buf,
-		Host:       fq.Host,
-		RemoteAddr: fq.RemoteAddr,
-	}
-
-	ret.URL = &url.URL{
-		Scheme:   fq.Url.Scheme,
-		Opaque:   fq.Url.Opaque,
-		Host:     fq.Url.Host,
-		Path:     fq.Url.Path,
-		RawPath:  fq.Url.RawPath,
-		RawQuery: fq.Url.RawQuery,
-		Fragment: fq.Url.Fragment,
-	}
-
-	for k, v := range fq.HeaderEntries {
-		ret.Header[k] = v.Values
-	}
-
-	if fq.PeerCertificates != nil && len(fq.PeerCertificates) > 0 {
-		ret.TLS = &tls.ConnectionState{
-			PeerCertificates: make([]*x509.Certificate, len(fq.PeerCertificates)),
-		}
-		for i, certBytes := range fq.PeerCertificates {
-			cert, err := x509.ParseCertificate(certBytes)
-			if err != nil {
-				return nil, err
-			}
-			ret.TLS.PeerCertificates[i] = cert
-		}
-	}
-
-	return ret, nil
-}
-
-type RPCResponseWriter struct {
-	statusCode int
-	header     http.Header
-	body       *bytes.Buffer
-}
-
-// NewRPCResponseWriter returns an initialized RPCResponseWriter
-func NewRPCResponseWriter() *RPCResponseWriter {
-	w := &RPCResponseWriter{
-		header:     make(http.Header),
-		body:       new(bytes.Buffer),
-		statusCode: 200,
-	}
-	// w.header.Set("Content-Type", "application/octet-stream")
-	return w
-}
-
-func (w *RPCResponseWriter) Header() http.Header {
-	return w.header
-}
-
-func (w *RPCResponseWriter) Write(buf []byte) (int, error) {
-	w.body.Write(buf)
-	return len(buf), nil
-}
-
-func (w *RPCResponseWriter) WriteHeader(code int) {
-	w.statusCode = code
-}
-
-func (w *RPCResponseWriter) StatusCode() int {
-	return w.statusCode
-}
-
-func (w *RPCResponseWriter) Body() *bytes.Buffer {
-	return w.body
-}
+---
+layout: docs
+page_title: Vault Secrets Operator on OpenShift
+description: >-
+  The Vault Secrets Operator may be installed on OpenShift clusters via the embedded OperatorHub or the Helm chart.
+---
+
+# Run the Vault Secrets Operator on OpenShift
+
+The Vault Secrets Operator may be installed on OpenShift clusters via the embedded OperatorHub or the Helm chart.
+
+## OperatorHub
+
+The Vault Secrets Operator is certified by Red Hat and therefore included in the [OperatorHub section](https://access.redhat.com/documentation/en-us/openshift_container_platform/4.2/html/operators/olm-understanding-operatorhub) of an OpenShift cluster's web console.
+
+Navigate to the OperatorHub page of your OpenShift cluster and search for `Vault Secrets Operator`, then follow the instructions to install.
+
+## Helm chart
+
+The Vault Secrets Operator may also be installed in OpenShift using the Helm chart. (See [Installation](/vault/docs/platform/k8s/vso/installation) for an overview of installation using the [Helm chart](/vault/docs/platform/k8s/vso/helm).) The examples below show example [values.yaml files](https://helm.sh/docs/chart_template_guide/values_files/) for each configuration, which would be used with `helm install` as below:
+
+```shell-session
+$ helm install vault-secrets-operator hashicorp/vault-secrets-operator \
+  --create-namespace \
+  --namespace vault-secrets-operator \
+  --version 0.4.1 \
+  --values values.yaml
+```
+
+For OpenShift, increasing the memory [requests and limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) has proven necessary in some cases, so those settings are included in the examples below.
+
+### Default images
+
+These values would use the [default operator image](/vault/docs/platform/k8s/vso/helm#v-controller-manager-image) from HashiCorp's [Docker Hub repository][dockerhub].
+
+```yaml
+controller:
+  manager:
+    resources:
+      limits:
+        memory: 256Mi
+      requests:
+        memory: 128Mi
+```
+
+### UBI-based images certified by Red Hat
+
+These values would use [UBI-based](https://developers.redhat.com/products/rhel/ubi) images from the [Red Hat's certified container registry](https://catalog.redhat.com/software/containers/hashicorp/vault-secrets-operator/64dd558c892694d397c4bb06). Authentication may be required.
+
+```yaml
+controller:
+  kubeRbacProxy:
+    image:
+      repository: registry.redhat.io/openshift4/ose-kube-rbac-proxy
+      tag: v4.13.0
+  manager:
+    image:
+      repository: registry.connect.redhat.com/hashicorp/vault-secrets-operator
+      tag: 0.4.1-ubi
+    resources:
+      limits:
+        memory: 256Mi
+      requests:
+        memory: 128Mi
+```
+
+<Tip>
+
+UBI-based Vault Secrets Operator images are also published to HashiCorp's [DockerHub][dockerhub] and [Amazon ECR](https://gallery.ecr.aws/hashicorp/vault-secrets-operator) repositories.
+
+</Tip>
+
+[dockerhub]: https://hub.docker.com/r/hashicorp/vault-secrets-operator
diff --git a/helper/logging/logfile.go b/helper/logging/logfile.go
index fa4d5d0e7b4e..8d918f3492ac 100644
--- a/helper/logging/logfile.go
+++ b/helper/logging/logfile.go
@@ -1,150 +1,50 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package logging
+package command
 
 import (
-	"fmt"
-	"os"
-	"path/filepath"
-	"sort"
-	"strconv"
 	"strings"
-	"sync"
-	"time"
 
-	"github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/cli"
 )
 
-var now = time.Now
+var _ cli.Command = (*OperatorCommand)(nil)
 
-type LogFile struct {
-	// Name of the log file
-	fileName string
-
-	// Path to the log file
-	logPath string
-
-	// duration between each file rotation operation
-	duration time.Duration
-
-	// lastCreated represents the creation time of the latest log
-	lastCreated time.Time
-
-	// fileInfo is the pointer to the current file being written to
-	fileInfo *os.File
-
-	// maxBytes is the maximum number of desired bytes for a log file
-	maxBytes int
-
-	// bytesWritten is the number of bytes written in the current log file
-	bytesWritten int64
-
-	// Max rotated files to keep before removing them.
-	maxArchivedFiles int
-
-	// acquire is the mutex utilized to ensure we have no concurrency issues
-	acquire sync.Mutex
+type OperatorCommand struct {
+	*BaseCommand
 }
 
-// Write is used to implement io.Writer
-func (l *LogFile) Write(b []byte) (n int, err error) {
-	l.acquire.Lock()
-	defer l.acquire.Unlock()
+func (c *OperatorCommand) Synopsis() string {
+	return "Perform operator-specific tasks"
+}
 
-	// Create a new file if we have no file to write to
-	if l.fileInfo == nil {
-		if err := l.openNew(); err != nil {
-			return 0, err
-		}
-	} else if err := l.rotate(); err != nil { // Check for the last contact and rotate if necessary
-		return 0, err
-	}
+func (c *OperatorCommand) Help() string {
+	helpText := `
+Usage: vault operator <subcommand> [options] [args]
 
-	bytesWritten, err := l.fileInfo.Write(b)
+  This command groups subcommands for operators interacting with Vault. Most
+  users will not need to interact with these commands. Here are a few examples
+  of the operator commands:
 
-	if bytesWritten > 0 {
-		l.bytesWritten += int64(bytesWritten)
-	}
+  Initialize a new Vault cluster:
 
-	return bytesWritten, err
-}
+      $ vault operator init
 
-func (l *LogFile) fileNamePattern() string {
-	// Extract the file extension
-	fileExt := filepath.Ext(l.fileName)
-	// If we have no file extension we append .log
-	if fileExt == "" {
-		fileExt = ".log"
-	}
-	// Remove the file extension from the filename
-	return strings.TrimSuffix(l.fileName, fileExt) + "-%s" + fileExt
-}
+  Force a Vault to resign leadership in a cluster:
 
-func (l *LogFile) openNew() error {
-	fileNamePattern := l.fileNamePattern()
+      $ vault operator step-down
 
-	createTime := now()
-	newFileName := fmt.Sprintf(fileNamePattern, strconv.FormatInt(createTime.UnixNano(), 10))
-	newFilePath := filepath.Join(l.logPath, newFileName)
+  Rotate Vault's underlying encryption key:
 
-	// Try creating a file. We truncate the file because we are the only authority to write the logs
-	filePointer, err := os.OpenFile(newFilePath, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0o640)
-	if err != nil {
-		return err
-	}
+      $ vault operator rotate
 
-	// New file, new 'bytes' tracker, new creation time :) :)
-	l.fileInfo = filePointer
-	l.lastCreated = createTime
-	l.bytesWritten = 0
-	return nil
-}
-
-func (l *LogFile) rotate() error {
-	// Get the time from the last point of contact
-	timeElapsed := time.Since(l.lastCreated)
-	// Rotate if we hit the byte file limit or the time limit
-	if (l.bytesWritten >= int64(l.maxBytes) && (l.maxBytes > 0)) || timeElapsed >= l.duration {
-		if err := l.fileInfo.Close(); err != nil {
-			return err
-		}
-		if err := l.pruneFiles(); err != nil {
-			return err
-		}
-		return l.openNew()
-	}
-	return nil
-}
+  Please see the individual subcommand help for detailed usage information.
+`
 
-func (l *LogFile) pruneFiles() error {
-	if l.maxArchivedFiles == 0 {
-		return nil
-	}
-
-	pattern := filepath.Join(l.logPath, fmt.Sprintf(l.fileNamePattern(), "*"))
-	matches, err := filepath.Glob(pattern)
-	if err != nil {
-		return err
-	}
-
-	switch {
-	case l.maxArchivedFiles < 0:
-		return removeFiles(matches)
-	case len(matches) < l.maxArchivedFiles:
-		return nil
-	}
-
-	sort.Strings(matches)
-	last := len(matches) - l.maxArchivedFiles
-	return removeFiles(matches[:last])
+	return strings.TrimSpace(helpText)
 }
 
-func removeFiles(files []string) (err error) {
-	for _, file := range files {
-		if fileError := os.Remove(file); fileError != nil {
-			err = multierror.Append(err, fmt.Errorf("error removing file %s: %v", file, fileError))
-		}
-	}
-	return err
+func (c *OperatorCommand) Run(args []string) int {
+	return cli.RunResultHelp
 }
diff --git a/helper/logging/logger.go b/helper/logging/logger.go
index 8b21bdfa5106..a3f02fba97d0 100644
--- a/helper/logging/logger.go
+++ b/helper/logging/logger.go
@@ -1,204 +1,797 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package logging
+package command
 
 import (
+	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
-	"path/filepath"
+	"os"
 	"strings"
+	"sync"
 	"time"
 
+	"github.com/hashicorp/go-kms-wrapping/entropy/v2"
+
+	"golang.org/x/term"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/consul/api"
 	log "github.com/hashicorp/go-hclog"
-	"github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/go-secure-stdlib/reloadutil"
+	uuid "github.com/hashicorp/go-uuid"
+	cserver "github.com/hashicorp/vault/command/server"
+	"github.com/hashicorp/vault/helper/constants"
+	"github.com/hashicorp/vault/helper/metricsutil"
+	"github.com/hashicorp/vault/internalshared/configutil"
+	"github.com/hashicorp/vault/internalshared/listenerutil"
+	physconsul "github.com/hashicorp/vault/physical/consul"
+	"github.com/hashicorp/vault/physical/raft"
+	"github.com/hashicorp/vault/sdk/physical"
+	sr "github.com/hashicorp/vault/serviceregistration"
+	srconsul "github.com/hashicorp/vault/serviceregistration/consul"
+	"github.com/hashicorp/vault/vault"
+	"github.com/hashicorp/vault/vault/diagnose"
+	"github.com/hashicorp/vault/vault/hcp_link"
+	"github.com/hashicorp/vault/version"
+	"github.com/posener/complete"
 )
 
-const (
-	UnspecifiedFormat LogFormat = iota
-	StandardFormat
-	JSONFormat
+const CoreConfigUninitializedErr = "Diagnose cannot attempt this step because core config could not be set."
+
+var (
+	_ cli.Command             = (*OperatorDiagnoseCommand)(nil)
+	_ cli.CommandAutocomplete = (*OperatorDiagnoseCommand)(nil)
 )
 
-// defaultRotateDuration is the default time taken by the agent to rotate logs
-const defaultRotateDuration = 24 * time.Hour
+type OperatorDiagnoseCommand struct {
+	*BaseCommand
+	diagnose *diagnose.Session
+
+	flagDebug    bool
+	flagSkips    []string
+	flagConfigs  []string
+	cleanupGuard sync.Once
+
+	reloadFuncsLock      *sync.RWMutex
+	reloadFuncs          *map[string][]reloadutil.ReloadFunc
+	ServiceRegistrations map[string]sr.Factory
+	startedCh            chan struct{} // for tests
+	reloadedCh           chan struct{} // for tests
+	skipEndEnd           bool          // for tests
+}
 
-type LogFormat int
+func (c *OperatorDiagnoseCommand) Synopsis() string {
+	return "Troubleshoot problems starting Vault"
+}
 
-// LogConfig should be used to supply configuration when creating a new Vault logger
-type LogConfig struct {
-	// Name is the name the returned logger will use to prefix log lines.
-	Name string
+func (c *OperatorDiagnoseCommand) Help() string {
+	helpText := `
+Usage: vault operator diagnose
 
-	// LogLevel is the minimum level to be logged.
-	LogLevel log.Level
+  This command troubleshoots Vault startup issues, such as TLS configuration or
+  auto-unseal. It should be run using the same environment variables and configuration
+  files as the "vault server" command, so that startup problems can be accurately
+  reproduced.
 
-	// LogFormat is the log format to use, supported formats are 'standard' and 'json'.
-	LogFormat LogFormat
+  Start diagnose with a configuration file:
 
-	// LogFilePath is the path to write the logs to the user specified file.
-	LogFilePath string
+     $ vault operator diagnose -config=/etc/vault/config.hcl
 
-	// LogRotateDuration is the user specified time to rotate logs
-	LogRotateDuration time.Duration
+  Perform a diagnostic check while Vault is still running:
 
-	// LogRotateBytes is the user specified byte limit to rotate logs
-	LogRotateBytes int
+     $ vault operator diagnose -config=/etc/vault/config.hcl -skip=listener
 
-	// LogRotateMaxFiles is the maximum number of past archived log files to keep
-	LogRotateMaxFiles int
+` + c.Flags().Help()
+	return strings.TrimSpace(helpText)
 }
 
-func (c *LogConfig) isLevelInvalid() bool {
-	return c.LogLevel == log.NoLevel || c.LogLevel == log.Off || c.LogLevel.String() == "unknown"
-}
+func (c *OperatorDiagnoseCommand) Flags() *FlagSets {
+	set := NewFlagSets(c.UI)
+	f := set.NewFlagSet("Command Options")
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   "config",
+		Target: &c.flagConfigs,
+		Completion: complete.PredictOr(
+			complete.PredictFiles("*.hcl"),
+			complete.PredictFiles("*.json"),
+			complete.PredictDirs("*"),
+		),
+		Usage: "Path to a Vault configuration file or directory of configuration " +
+			"files. This flag can be specified multiple times to load multiple " +
+			"configurations. If the path is a directory, all files which end in " +
+			".hcl or .json are loaded.",
+	})
 
-func (c *LogConfig) isFormatJson() bool {
-	return c.LogFormat == JSONFormat
-}
+	f.StringSliceVar(&StringSliceVar{
+		Name:   "skip",
+		Target: &c.flagSkips,
+		Usage:  "Skip the health checks named as arguments. May be 'listener', 'storage', or 'autounseal'.",
+	})
 
-// Stringer implementation
-func (lf LogFormat) String() string {
-	switch lf {
-	case UnspecifiedFormat:
-		return "unspecified"
-	case StandardFormat:
-		return "standard"
-	case JSONFormat:
-		return "json"
-	}
+	f.BoolVar(&BoolVar{
+		Name:    "debug",
+		Target:  &c.flagDebug,
+		Default: false,
+		Usage:   "Dump all information collected by Diagnose.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:   "format",
+		Target: &c.flagFormat,
+		Usage:  "The output format",
+	})
+	return set
+}
 
-	// unreachable
-	return "unknown"
+func (c *OperatorDiagnoseCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictNothing
 }
 
-// noErrorWriter is a wrapper to suppress errors when writing to w.
-type noErrorWriter struct {
-	w io.Writer
+func (c *OperatorDiagnoseCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
 }
 
-func (w noErrorWriter) Write(p []byte) (n int, err error) {
-	_, _ = w.w.Write(p)
-	// We purposely return n == len(p) as if write was successful
-	return len(p), nil
+const (
+	status_unknown = "[      ] "
+	status_ok      = "\u001b[32m[  ok  ]\u001b[0m "
+	status_failed  = "\u001b[31m[failed]\u001b[0m "
+	status_warn    = "\u001b[33m[ warn ]\u001b[0m "
+	same_line      = "\u001b[F"
+)
+
+func (c *OperatorDiagnoseCommand) Run(args []string) int {
+	f := c.Flags()
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 3
+	}
+	return c.RunWithParsedFlags()
 }
 
-// parseFullPath takes a full path intended to be the location for log files and
-// breaks it down into a directory and a file name. It checks both of these for
-// the common globbing character '*' and returns an error if it is present.
-func parseFullPath(fullPath string) (directory, fileName string, err error) {
-	directory, fileName = filepath.Split(fullPath)
+func (c *OperatorDiagnoseCommand) RunWithParsedFlags() int {
+	if len(c.flagConfigs) == 0 {
+		c.UI.Error("Must specify a configuration file using -config.")
+		return 3
+	}
 
-	globChars := "*?["
-	if strings.ContainsAny(directory, globChars) {
-		err = multierror.Append(err, fmt.Errorf("directory contains glob character"))
+	if c.diagnose == nil {
+		if c.flagFormat == "json" {
+			c.diagnose = diagnose.New(io.Discard)
+		} else {
+			c.UI.Output(version.GetVersion().FullVersionNumber(true))
+			c.diagnose = diagnose.New(os.Stdout)
+		}
 	}
-	if fileName == "" {
-		fileName = "vault.log"
-	} else if strings.ContainsAny(fileName, globChars) {
-		err = multierror.Append(err, fmt.Errorf("file name contains globbing character"))
+	ctx := diagnose.Context(context.Background(), c.diagnose)
+	c.diagnose.SkipFilters = c.flagSkips
+	err := c.offlineDiagnostics(ctx)
+
+	results := c.diagnose.Finalize(ctx)
+	if c.flagFormat == "json" {
+		resultsJS, err := json.MarshalIndent(results, "", "  ")
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Error marshalling results: %v.", err)
+			return 4
+		}
+		c.UI.Output(string(resultsJS))
+	} else {
+		c.UI.Output("\nResults:")
+		w, _, err := term.GetSize(0)
+		if err == nil {
+			results.Write(os.Stdout, w)
+		} else {
+			results.Write(os.Stdout, 0)
+		}
 	}
 
-	return directory, fileName, err
+	if err != nil {
+		return 4
+	}
+	// Use a different return code
+	switch results.Status {
+	case diagnose.WarningStatus:
+		return 2
+	case diagnose.ErrorStatus:
+		return 1
+	}
+	return 0
 }
 
-// Setup creates a new logger with the specified configuration and writer
-func Setup(config *LogConfig, w io.Writer) (log.InterceptLogger, error) {
-	// Validate the log level
-	if config.isLevelInvalid() {
-		return nil, fmt.Errorf("invalid log level: %v", config.LogLevel)
+func (c *OperatorDiagnoseCommand) offlineDiagnostics(ctx context.Context) error {
+	rloadFuncs := make(map[string][]reloadutil.ReloadFunc)
+	server := &ServerCommand{
+		// TODO: set up a different one?
+		// In particular, a UI instance that won't output?
+		BaseCommand: c.BaseCommand,
+
+		// TODO: refactor to a common place?
+		AuditBackends:        auditBackends,
+		CredentialBackends:   credentialBackends,
+		LogicalBackends:      logicalBackends,
+		PhysicalBackends:     physicalBackends,
+		ServiceRegistrations: serviceRegistrations,
+
+		// TODO: other ServerCommand options?
+
+		logger: log.NewInterceptLogger(&log.LoggerOptions{
+			Level: log.Off,
+		}),
+		allLoggers:      []log.Logger{},
+		reloadFuncs:     &rloadFuncs,
+		reloadFuncsLock: new(sync.RWMutex),
 	}
 
-	// If out is os.Stdout and Vault is being run as a Windows Service, writes will
-	// fail silently, which may inadvertently prevent writes to other writers.
-	// noErrorWriter is used as a wrapper to suppress any errors when writing to out.
-	writers := []io.Writer{noErrorWriter{w: w}}
+	ctx, span := diagnose.StartSpan(ctx, "Vault Diagnose")
+	defer span.End()
+
+	// OS Specific checks
+	diagnose.OSChecks(ctx)
 
-	// Create a file logger if the user has specified the path to the log file
-	if config.LogFilePath != "" {
-		dir, fileName, err := parseFullPath(config.LogFilePath)
+	var config *cserver.Config
+
+	diagnose.Test(ctx, "Parse Configuration", func(ctx context.Context) (err error) {
+		server.flagConfigs = c.flagConfigs
+		var configErrors []configutil.ConfigError
+		config, configErrors, err = server.parseConfig()
 		if err != nil {
-			return nil, err
+			return fmt.Errorf("Could not parse configuration: %w.", err)
+		}
+		for _, ce := range configErrors {
+			diagnose.Warn(ctx, diagnose.CapitalizeFirstLetter(ce.String())+".")
 		}
+		diagnose.Success(ctx, "Vault configuration syntax is ok.")
+		return nil
+	})
+	if config == nil {
+		return fmt.Errorf("No vault server configuration found.")
+	}
 
-		if config.LogRotateDuration == 0 {
-			config.LogRotateDuration = defaultRotateDuration
+	diagnose.Test(ctx, "Check Telemetry", func(ctx context.Context) (err error) {
+		if config.Telemetry == nil {
+			diagnose.Warn(ctx, "Telemetry is using default configuration")
+			diagnose.Advise(ctx, "By default only Prometheus and JSON metrics are available.  Ignore this warning if you are using telemetry or are using these metrics and are satisfied with the default retention time and gauge period.")
+		} else {
+			t := config.Telemetry
+			// If any Circonus setting is present but we're missing the basic fields...
+			if coalesce(t.CirconusAPIURL, t.CirconusAPIToken, t.CirconusCheckID, t.CirconusCheckTags, t.CirconusCheckSearchTag,
+				t.CirconusBrokerID, t.CirconusBrokerSelectTag, t.CirconusCheckForceMetricActivation, t.CirconusCheckInstanceID,
+				t.CirconusCheckSubmissionURL, t.CirconusCheckDisplayName) != nil {
+				if t.CirconusAPIURL == "" {
+					return errors.New("incomplete Circonus telemetry configuration, missing circonus_api_url")
+				} else if t.CirconusAPIToken != "" {
+					return errors.New("incomplete Circonus telemetry configuration, missing circonus_api_token")
+				}
+			}
+			if len(t.DogStatsDTags) > 0 && t.DogStatsDAddr == "" {
+				return errors.New("incomplete DogStatsD telemetry configuration, missing dogstatsd_addr, while dogstatsd_tags specified")
+			}
+
+			// If any Stackdriver setting is present but we're missing the basic fields...
+			if coalesce(t.StackdriverNamespace, t.StackdriverLocation, t.StackdriverDebugLogs, t.StackdriverNamespace) != nil {
+				if t.StackdriverProjectID == "" {
+					return errors.New("incomplete Stackdriver telemetry configuration, missing stackdriver_project_id")
+				}
+				if t.StackdriverLocation == "" {
+					return errors.New("incomplete Stackdriver telemetry configuration, missing stackdriver_location")
+				}
+				if t.StackdriverNamespace == "" {
+					return errors.New("incomplete Stackdriver telemetry configuration, missing stackdriver_namespace")
+				}
+			}
 		}
+		return nil
+	})
 
-		logFile := &LogFile{
-			fileName:         fileName,
-			logPath:          dir,
-			duration:         config.LogRotateDuration,
-			maxBytes:         config.LogRotateBytes,
-			maxArchivedFiles: config.LogRotateMaxFiles,
+	var metricSink *metricsutil.ClusterMetricSink
+	var metricsHelper *metricsutil.MetricsHelper
+
+	var backend *physical.Backend
+	diagnose.Test(ctx, "Check Storage", func(ctx context.Context) error {
+		// Ensure that there is a storage stanza
+		if config.Storage == nil {
+			diagnose.Advise(ctx, "To learn how to specify a storage backend, see the Vault server configuration documentation.")
+			return fmt.Errorf("No storage stanza in Vault server configuration.")
+		}
+
+		diagnose.Test(ctx, "Create Storage Backend", func(ctx context.Context) error {
+			b, err := server.setupStorage(config)
+			if err != nil {
+				return err
+			}
+			if b == nil {
+				diagnose.Advise(ctx, "To learn how to specify a storage backend, see the Vault server configuration documentation.")
+				return fmt.Errorf("Storage backend could not be initialized.")
+			}
+			backend = &b
+			return nil
+		})
+
+		if backend == nil {
+			diagnose.Fail(ctx, "Diagnose could not initialize storage backend.")
+			span.End()
+			return fmt.Errorf("Diagnose could not initialize storage backend.")
 		}
-		if err := logFile.pruneFiles(); err != nil {
-			return nil, fmt.Errorf("failed to prune log files: %w", err)
+
+		// Check for raft quorum status
+		if config.Storage.Type == storageTypeRaft {
+			path := os.Getenv(raft.EnvVaultRaftPath)
+			if path == "" {
+				path, ok := config.Storage.Config["path"]
+				if !ok {
+					diagnose.SpotError(ctx, "Check Raft Folder Permissions", fmt.Errorf("Storage folder path is required."))
+				}
+				diagnose.RaftFileChecks(ctx, path)
+			}
+			diagnose.RaftStorageQuorum(ctx, (*backend).(*raft.RaftBackend))
+		}
+
+		// Consul storage checks
+		if config.Storage != nil && config.Storage.Type == storageTypeConsul {
+			diagnose.Test(ctx, "Check Consul TLS", func(ctx context.Context) error {
+				err := physconsul.SetupSecureTLS(ctx, api.DefaultConfig(), config.Storage.Config, server.logger, true)
+				if err != nil {
+					return err
+				}
+				return nil
+			})
+
+			diagnose.Test(ctx, "Check Consul Direct Storage Access", func(ctx context.Context) error {
+				dirAccess := diagnose.ConsulDirectAccess(config.Storage.Config)
+				if dirAccess != "" {
+					diagnose.Warn(ctx, dirAccess)
+				}
+				if dirAccess == diagnose.DirAccessErr {
+					diagnose.Advise(ctx, diagnose.DirAccessAdvice)
+				}
+				return nil
+			})
 		}
-		if err := logFile.openNew(); err != nil {
-			return nil, fmt.Errorf("failed to setup logging: %w", err)
+
+		// Attempt to use storage backend
+		if !c.skipEndEnd && config.Storage.Type != storageTypeRaft {
+			diagnose.Test(ctx, "Check Storage Access", diagnose.WithTimeout(30*time.Second, func(ctx context.Context) error {
+				maxDurationCrudOperation := "write"
+				maxDuration := time.Duration(0)
+				uuidSuffix, err := uuid.GenerateUUID()
+				if err != nil {
+					return err
+				}
+				uuid := "diagnose/latency/" + uuidSuffix
+				dur, err := diagnose.EndToEndLatencyCheckWrite(ctx, uuid, *backend)
+				if err != nil {
+					return err
+				}
+				maxDuration = dur
+				dur, err = diagnose.EndToEndLatencyCheckRead(ctx, uuid, *backend)
+				if err != nil {
+					return err
+				}
+				if dur > maxDuration {
+					maxDuration = dur
+					maxDurationCrudOperation = "read"
+				}
+				dur, err = diagnose.EndToEndLatencyCheckDelete(ctx, uuid, *backend)
+				if err != nil {
+					return err
+				}
+				if dur > maxDuration {
+					maxDuration = dur
+					maxDurationCrudOperation = "delete"
+				}
+
+				if maxDuration > time.Duration(0) {
+					diagnose.Warn(ctx, diagnose.LatencyWarning+fmt.Sprintf("duration: %s, operation: %s", maxDuration, maxDurationCrudOperation))
+				}
+				return nil
+			}))
 		}
-		writers = append(writers, logFile)
+		return nil
+	})
+
+	// Return from top-level span when backend is nil
+	if backend == nil {
+		return fmt.Errorf("Diagnose could not initialize storage backend.")
 	}
 
-	logger := log.NewInterceptLogger(&log.LoggerOptions{
-		Name:              config.Name,
-		Level:             config.LogLevel,
-		IndependentLevels: true,
-		Output:            io.MultiWriter(writers...),
-		JSONFormat:        config.isFormatJson(),
+	var configSR sr.ServiceRegistration
+	diagnose.Test(ctx, "Check Service Discovery", func(ctx context.Context) error {
+		if config.ServiceRegistration == nil || config.ServiceRegistration.Config == nil {
+			diagnose.Skipped(ctx, "No service registration configured.")
+			return nil
+		}
+		srConfig := config.ServiceRegistration.Config
+
+		diagnose.Test(ctx, "Check Consul Service Discovery TLS", func(ctx context.Context) error {
+			// SetupSecureTLS for service discovery uses the same cert and key to set up physical
+			// storage. See the consul package in physical for details.
+			err := srconsul.SetupSecureTLS(ctx, api.DefaultConfig(), srConfig, server.logger, true)
+			if err != nil {
+				return err
+			}
+			return nil
+		})
+
+		if config.ServiceRegistration != nil && config.ServiceRegistration.Type == "consul" {
+			diagnose.Test(ctx, "Check Consul Direct Service Discovery", func(ctx context.Context) error {
+				dirAccess := diagnose.ConsulDirectAccess(config.ServiceRegistration.Config)
+				if dirAccess != "" {
+					diagnose.Warn(ctx, dirAccess)
+				}
+				if dirAccess == diagnose.DirAccessErr {
+					diagnose.Advise(ctx, diagnose.DirAccessAdvice)
+				}
+				return nil
+			})
+		}
+		return nil
 	})
 
-	return logger, nil
-}
+	sealcontext, sealspan := diagnose.StartSpan(ctx, "Create Vault Server Configuration Seals")
 
-// ParseLogFormat parses the log format from the provided string.
-func ParseLogFormat(format string) (LogFormat, error) {
-	switch strings.ToLower(strings.TrimSpace(format)) {
-	case "":
-		return UnspecifiedFormat, nil
-	case "standard":
-		return StandardFormat, nil
-	case "json":
-		return JSONFormat, nil
-	default:
-		return UnspecifiedFormat, fmt.Errorf("unknown log format: %s", format)
+	var setSealResponse *SetSealResponse
+	existingSealGenerationInfo, err := vault.PhysicalSealGenInfo(sealcontext, *backend)
+	if err != nil {
+		diagnose.Fail(sealcontext, fmt.Sprintf("Unable to get Seal generation information from storage: %s.", err.Error()))
+		goto SEALFAIL
 	}
-}
 
-// ParseLogLevel returns the hclog.Level that corresponds with the provided level string.
-// This differs hclog.LevelFromString in that it supports additional level strings.
-func ParseLogLevel(logLevel string) (log.Level, error) {
-	var result log.Level
-	logLevel = strings.ToLower(strings.TrimSpace(logLevel))
-
-	switch logLevel {
-	case "trace":
-		result = log.Trace
-	case "debug":
-		result = log.Debug
-	case "notice", "info", "":
-		result = log.Info
-	case "warn", "warning":
-		result = log.Warn
-	case "err", "error":
-		result = log.Error
-	default:
-		return -1, errors.New(fmt.Sprintf("unknown log level: %s", logLevel))
-	}
-
-	return result, nil
-}
+	setSealResponse, err = setSeal(server, config, make([]string, 0), make(map[string]string), existingSealGenerationInfo, false /* unsealed vault has no partially wrapped paths */)
+	if err != nil {
+		diagnose.Advise(ctx, "For assistance with the seal stanza, see the Vault configuration documentation.")
+		diagnose.Fail(sealcontext, fmt.Sprintf("Seal creation resulted in the following error: %s.", err.Error()))
+		goto SEALFAIL
+	}
+
+	for _, seal := range setSealResponse.getCreatedSeals() {
+		seal := seal // capture range variable
+		// Ensure that the seal finalizer is called, even if using verify-only
+		defer func(seal *vault.Seal) {
+			sealType := diagnose.CapitalizeFirstLetter((*seal).BarrierSealConfigType().String())
+			finalizeSealContext, finalizeSealSpan := diagnose.StartSpan(ctx, "Finalize "+sealType+" Seal")
+			err = (*seal).Finalize(finalizeSealContext)
+			if err != nil {
+				diagnose.Fail(finalizeSealContext, "Error finalizing seal.")
+				diagnose.Advise(finalizeSealContext, "This likely means that the barrier is still in use; therefore, finalizing the seal timed out.")
+				finalizeSealSpan.End()
+			}
+			finalizeSealSpan.End()
+		}(seal)
+	}
+
+	if setSealResponse.sealConfigError != nil {
+		diagnose.Fail(sealcontext, "Seal could not be configured: seals may already be initialized.")
+	} else if setSealResponse.barrierSeal == nil {
+		diagnose.Fail(sealcontext, "Could not create barrier seal. No error was generated, but it is likely that the seal stanza is misconfigured. For guidance, see Vault's configuration documentation on the seal stanza.")
+	}
 
-// TranslateLoggerLevel returns the string that corresponds with logging level of the hclog.Logger.
-func TranslateLoggerLevel(logger log.Logger) (string, error) {
-	logLevel := logger.GetLevel()
+SEALFAIL:
+	sealspan.End()
 
-	switch logLevel {
-	case log.Trace, log.Debug, log.Info, log.Warn, log.Error:
-		return logLevel.String(), nil
-	default:
-		return "", fmt.Errorf("unknown log level")
+	var barrierSeal vault.Seal
+	var unwrapSeal vault.Seal
+
+	if setSealResponse != nil {
+		barrierSeal = setSealResponse.barrierSeal
+		unwrapSeal = setSealResponse.unwrapSeal
+	}
+
+	diagnose.Test(ctx, "Check Transit Seal TLS", func(ctx context.Context) error {
+		var checkSealTransit bool
+		for _, seal := range config.Seals {
+			if seal.Type == "transit" {
+				checkSealTransit = true
+
+				tlsSkipVerify, _ := seal.Config["tls_skip_verify"]
+				if tlsSkipVerify == "true" {
+					diagnose.Warn(ctx, "TLS verification is skipped. This is highly discouraged and decreases the security of data transmissions to and from the Vault server.")
+					return nil
+				}
+
+				// Checking tls_client_cert and tls_client_key
+				tlsClientCert, ok := seal.Config["tls_client_cert"]
+				if !ok {
+					diagnose.Warn(ctx, "Missing tls_client_cert in the seal configuration.")
+					return nil
+				}
+				tlsClientKey, ok := seal.Config["tls_client_key"]
+				if !ok {
+					diagnose.Warn(ctx, "Missing tls_client_key in the seal configuration.")
+					return nil
+				}
+				_, err := diagnose.TLSFileChecks(tlsClientCert, tlsClientKey)
+				if err != nil {
+					return fmt.Errorf("The TLS certificate and key configured through the tls_client_cert and tls_client_key fields of the transit seal configuration are invalid: %w.", err)
+				}
+
+				// checking tls_ca_cert
+				tlsCACert, ok := seal.Config["tls_ca_cert"]
+				if !ok {
+					diagnose.Warn(ctx, "Missing tls_ca_cert in the seal configuration.")
+					return nil
+				}
+				warnings, err := diagnose.TLSCAFileCheck(tlsCACert)
+				if len(warnings) != 0 {
+					for _, warning := range warnings {
+						diagnose.Warn(ctx, warning)
+					}
+				}
+				if err != nil {
+					return fmt.Errorf("The TLS CA certificate configured through the tls_ca_cert field of the transit seal configuration is invalid: %w.", err)
+				}
+			}
+		}
+		if !checkSealTransit {
+			diagnose.Skipped(ctx, "No transit seal found in seal configuration.")
+		}
+		return nil
+	})
+
+	var coreConfig vault.CoreConfig
+	diagnose.Test(ctx, "Create Core Configuration", func(ctx context.Context) error {
+		var secureRandomReader io.Reader
+		// prepare a secure random reader for core
+		randReaderTestName := "Initialize Randomness for Core"
+		var sources []*configutil.EntropySourcerInfo
+		if barrierSeal != nil {
+			for _, sealWrapper := range barrierSeal.GetAccess().GetEnabledSealWrappersByPriority() {
+				if s, ok := sealWrapper.Wrapper.(entropy.Sourcer); ok {
+					sources = append(sources, &configutil.EntropySourcerInfo{
+						Sourcer: s,
+						Name:    sealWrapper.Name,
+					})
+				}
+			}
+		}
+		secureRandomReader, err = configutil.CreateSecureRandomReaderFunc(config.SharedConfig, sources, server.logger)
+		if err != nil {
+			return diagnose.SpotError(ctx, randReaderTestName, fmt.Errorf("could not initialize randomness for core: %w", err))
+		}
+		diagnose.SpotOk(ctx, randReaderTestName, "")
+		coreConfig = createCoreConfig(server, config, *backend, configSR, barrierSeal, unwrapSeal, metricsHelper, metricSink, secureRandomReader)
+		return nil
+	})
+
+	var disableClustering bool
+	diagnose.Test(ctx, "HA Storage", func(ctx context.Context) error {
+		diagnose.Test(ctx, "Create HA Storage Backend", func(ctx context.Context) error {
+			// Initialize the separate HA storage backend, if it exists
+			disableClustering, err = initHaBackend(server, config, &coreConfig, *backend)
+			if err != nil {
+				return err
+			}
+			return nil
+		})
+
+		diagnose.Test(ctx, "Check HA Consul Direct Storage Access", func(ctx context.Context) error {
+			if config.HAStorage == nil {
+				diagnose.Skipped(ctx, "No HA storage stanza is configured.")
+			} else {
+				dirAccess := diagnose.ConsulDirectAccess(config.HAStorage.Config)
+				if dirAccess != "" {
+					diagnose.Warn(ctx, dirAccess)
+				}
+				if dirAccess == diagnose.DirAccessErr {
+					diagnose.Advise(ctx, diagnose.DirAccessAdvice)
+				}
+			}
+			return nil
+		})
+		if config.HAStorage != nil && config.HAStorage.Type == storageTypeConsul {
+			diagnose.Test(ctx, "Check Consul TLS", func(ctx context.Context) error {
+				err = physconsul.SetupSecureTLS(ctx, api.DefaultConfig(), config.HAStorage.Config, server.logger, true)
+				if err != nil {
+					return err
+				}
+				return nil
+			})
+		}
+		return nil
+	})
+
+	// Determine the redirect address from environment variables
+	err = determineRedirectAddr(server, &coreConfig, config)
+	if err != nil {
+		return diagnose.SpotError(ctx, "Determine Redirect Address", fmt.Errorf("Redirect Address could not be determined: %w.", err))
+	}
+	diagnose.SpotOk(ctx, "Determine Redirect Address", "")
+
+	err = findClusterAddress(server, &coreConfig, config, disableClustering)
+	if err != nil {
+		return diagnose.SpotError(ctx, "Check Cluster Address", fmt.Errorf("Cluster Address could not be determined or was invalid: %w.", err),
+			diagnose.Advice("Please check that the API and Cluster addresses are different, and that the API, Cluster and Redirect addresses have both a host and port."))
+	}
+	diagnose.SpotOk(ctx, "Check Cluster Address", "Cluster address is logically valid and can be found.")
+
+	var vaultCore *vault.Core
+
+	// Run all the checks that are utilized when initializing a core object
+	// without actually calling core.Init. These are in the init-core section
+	// as they are runtime checks.
+	diagnose.Test(ctx, "Check Core Creation", func(ctx context.Context) error {
+		var newCoreError error
+		if coreConfig.RawConfig == nil {
+			return fmt.Errorf(CoreConfigUninitializedErr)
+		}
+		core, newCoreError := vault.CreateCore(&coreConfig)
+		if newCoreError != nil {
+			if vault.IsFatalError(newCoreError) {
+				return fmt.Errorf("Error initializing core: %s.", newCoreError)
+			}
+			diagnose.Warn(ctx, wrapAtLength(
+				"A non-fatal error occurred during initialization. Please check the logs for more information."))
+		} else {
+			vaultCore = core
+		}
+		return nil
+	})
+
+	if vaultCore == nil {
+		return fmt.Errorf("Diagnose could not initialize the Vault core from the Vault server configuration.")
+	}
+
+	licenseCtx, licenseSpan := diagnose.StartSpan(ctx, "Check For Autoloaded License")
+	// If we are not in enterprise, return from the check
+	if !constants.IsEnterprise {
+		diagnose.Skipped(licenseCtx, "License check will not run on OSS Vault.")
+	} else {
+		// Load License from environment variables. These take precedence over the
+		// configured license.
+		if envLicensePath := os.Getenv(EnvVaultLicensePath); envLicensePath != "" {
+			coreConfig.LicensePath = envLicensePath
+		}
+		if envLicense := os.Getenv(EnvVaultLicense); envLicense != "" {
+			coreConfig.License = envLicense
+		}
+		vault.DiagnoseCheckLicense(licenseCtx, vaultCore, coreConfig, false)
+	}
+	licenseSpan.End()
+
+	var lns []listenerutil.Listener
+	diagnose.Test(ctx, "Start Listeners", func(ctx context.Context) error {
+		disableClustering := config.HAStorage != nil && config.HAStorage.DisableClustering
+		infoKeys := make([]string, 0, 10)
+		info := make(map[string]string)
+		var listeners []listenerutil.Listener
+		var status int
+
+		diagnose.ListenerChecks(ctx, config.Listeners)
+
+		diagnose.Test(ctx, "Create Listeners", func(ctx context.Context) error {
+			status, listeners, _, err = server.InitListeners(config, disableClustering, &infoKeys, &info)
+			if status != 0 {
+				return err
+			}
+			return nil
+		})
+
+		lns = listeners
+
+		// Make sure we close all listeners from this point on
+		listenerCloseFunc := func() {
+			for _, ln := range lns {
+				ln.Listener.Close()
+			}
+		}
+
+		c.cleanupGuard.Do(listenerCloseFunc)
+
+		return nil
+	})
+
+	// TODO: Diagnose logging configuration
+
+	// The unseal diagnose check will simply attempt to use the barrier to encrypt and
+	// decrypt a mock value. It will not call runUnseal.
+	diagnose.Test(ctx, "Check Autounseal Encryption", diagnose.WithTimeout(30*time.Second, func(ctx context.Context) error {
+		if barrierSeal == nil {
+			return fmt.Errorf("Diagnose could not create a barrier seal object.")
+		}
+		if barrierSeal.BarrierSealConfigType() == vault.SealConfigTypeShamir {
+			diagnose.Skipped(ctx, "Skipping barrier encryption test. Only supported for auto-unseal.")
+			return nil
+		}
+		barrierUUID, err := uuid.GenerateUUID()
+		if err != nil {
+			return fmt.Errorf("Diagnose could not create unique UUID for unsealing.")
+		}
+		barrierEncValue := "diagnose-" + barrierUUID
+		ciphertext, errMap := barrierSeal.GetAccess().Encrypt(ctx, []byte(barrierEncValue), nil)
+		if len(errMap) > 0 {
+			var sealErrors []error
+			for name, err := range errMap {
+				sealErrors = append(sealErrors, fmt.Errorf("error encrypting with seal %q: %w", name, err))
+			}
+			if ciphertext == nil {
+				// Full failure
+				if len(sealErrors) == 1 {
+					return sealErrors[0]
+				} else {
+					return fmt.Errorf("complete seal encryption failure: %w", errors.Join())
+				}
+			} else {
+				// Partial failure
+				return fmt.Errorf("partial seal encryption failure: %w", errors.Join())
+			}
+		}
+		plaintext, _, err := barrierSeal.GetAccess().Decrypt(ctx, ciphertext, nil)
+		if err != nil {
+			return fmt.Errorf("Error decrypting with seal barrier: %w", err)
+		}
+		if string(plaintext) != barrierEncValue {
+			return fmt.Errorf("Barrier returned incorrect decrypted value for mock data.")
+		}
+		return nil
+	}))
+
+	// The following block contains static checks that are run during the
+	// startHttpServers portion of server run. In other words, they are static
+	// checks during resource creation. Currently there is nothing important in this
+	// diagnose check. For now it is a placeholder for any checks that will be done
+	// before server run.
+	diagnose.Test(ctx, "Check Server Before Runtime", func(ctx context.Context) error {
+		for _, ln := range lns {
+			if ln.Config == nil {
+				return fmt.Errorf("Found no listener config after parsing the Vault configuration.")
+			}
+		}
+		return nil
+	})
+
+	// Checking HCP link to make sure Vault could connect to SCADA.
+	// If it could not connect to SCADA in 5 seconds, diagnose reports an issue
+	if !constants.IsEnterprise {
+		diagnose.Skipped(ctx, "HCP link check will not run on OSS Vault.")
+	} else {
+		if config.HCPLinkConf != nil {
+			// we need to override API and Passthrough capabilities
+			// as they could not be initialized when Vault http handler
+			// is not fully initialized
+			config.HCPLinkConf.EnablePassThroughCapability = false
+			config.HCPLinkConf.EnableAPICapability = false
+
+			diagnose.Test(ctx, "Check HCP Connection", func(ctx context.Context) error {
+				hcpLink, err := hcp_link.NewHCPLink(config.HCPLinkConf, vaultCore, server.logger)
+				if err != nil || hcpLink == nil {
+					return fmt.Errorf("failed to start HCP link, %w", err)
+				}
+
+				// check if a SCADA session is established successfully
+				deadline := time.Now().Add(5 * time.Second)
+				linkSessionStatus := "disconnected"
+				for time.Now().Before(deadline) {
+					linkSessionStatus = hcpLink.GetConnectionStatusMessage(hcpLink.GetScadaSessionStatus())
+					if linkSessionStatus == "connected" {
+						break
+					}
+					time.Sleep(500 * time.Millisecond)
+				}
+				if linkSessionStatus != "connected" {
+					return fmt.Errorf("failed to connect to HCP in 5 seconds. HCP session status is: %s", linkSessionStatus)
+				}
+
+				err = hcpLink.Shutdown()
+				if err != nil {
+					return fmt.Errorf("failed to shutdown HCP link: %w", err)
+				}
+
+				return nil
+			})
+		}
+	}
+
+	return nil
+}
+
+func coalesce(values ...interface{}) interface{} {
+	for _, val := range values {
+		if val != nil && val != "" {
+			return val
+		}
 	}
+	return nil
 }
diff --git a/helper/logging/logger_test.go b/helper/logging/logger_test.go
index 20538101c7a3..8b15cc8b1d24 100644
--- a/helper/logging/logger_test.go
+++ b/helper/logging/logger_test.go
@@ -1,224 +1,700 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package logging
+//go:build !race
+
+package command
 
 import (
-	"bytes"
-	"encoding/json"
-	"errors"
+	"context"
+	"fmt"
+	"io/ioutil"
 	"os"
+	"strings"
 	"testing"
 
-	log "github.com/hashicorp/go-hclog"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestLogger_SetupBasic(t *testing.T) {
-	cfg := &LogConfig{Name: "test-system", LogLevel: log.Info}
-
-	logger, err := Setup(cfg, nil)
-	require.NoError(t, err)
-	require.NotNil(t, logger)
-	require.Equal(t, logger.Name(), "test-system")
-	require.True(t, logger.IsInfo())
-}
-
-func TestLogger_SetupInvalidLogLevel(t *testing.T) {
-	cfg := &LogConfig{}
-
-	_, err := Setup(cfg, nil)
-	assert.Containsf(t, err.Error(), "invalid log level", "expected error %s", err)
-}
-
-func TestLogger_SetupLoggerErrorLevel(t *testing.T) {
-	cfg := &LogConfig{
-		LogLevel: log.Error,
-	}
-
-	var buf bytes.Buffer
-
-	logger, err := Setup(cfg, &buf)
-	require.NoError(t, err)
-	require.NotNil(t, logger)
-
-	logger.Error("test error msg")
-	logger.Info("test info msg")
-
-	output := buf.String()
-
-	require.Contains(t, output, "[ERROR] test error msg")
-	require.NotContains(t, output, "[INFO]  test info msg")
-}
-
-func TestLogger_SetupLoggerDebugLevel(t *testing.T) {
-	cfg := LogConfig{LogLevel: log.Debug}
-	var buf bytes.Buffer
-
-	logger, err := Setup(&cfg, &buf)
-	require.NoError(t, err)
-	require.NotNil(t, logger)
+	"github.com/hashicorp/vault/command/server"
 
-	logger.Info("test info msg")
-	logger.Debug("test debug msg")
-
-	output := buf.String()
-
-	require.Contains(t, output, "[INFO]  test info msg")
-	require.Contains(t, output, "[DEBUG] test debug msg")
-}
-
-func TestLogger_SetupLoggerWithName(t *testing.T) {
-	cfg := &LogConfig{
-		LogLevel: log.Debug,
-		Name:     "test-system",
-	}
-	var buf bytes.Buffer
-
-	logger, err := Setup(cfg, &buf)
-	require.NoError(t, err)
-	require.NotNil(t, logger)
-
-	logger.Warn("test warn msg")
-
-	require.Contains(t, buf.String(), "[WARN]  test-system: test warn msg")
-}
-
-func TestLogger_SetupLoggerWithJSON(t *testing.T) {
-	cfg := &LogConfig{
-		LogLevel:  log.Debug,
-		LogFormat: JSONFormat,
-		Name:      "test-system",
-	}
-	var buf bytes.Buffer
-
-	logger, err := Setup(cfg, &buf)
-	require.NoError(t, err)
-	require.NotNil(t, logger)
-
-	logger.Warn("test warn msg")
-
-	var jsonOutput map[string]string
-	err = json.Unmarshal(buf.Bytes(), &jsonOutput)
-	require.NoError(t, err)
-	require.Contains(t, jsonOutput, "@level")
-	require.Equal(t, jsonOutput["@level"], "warn")
-	require.Contains(t, jsonOutput, "@message")
-	require.Equal(t, jsonOutput["@message"], "test warn msg")
-}
-
-func TestLogger_SetupLoggerWithValidLogPath(t *testing.T) {
-	tmpDir := t.TempDir()
-
-	cfg := &LogConfig{
-		LogLevel:    log.Info,
-		LogFilePath: tmpDir, //+ "/",
-	}
-	var buf bytes.Buffer
-
-	logger, err := Setup(cfg, &buf)
-	require.NoError(t, err)
-	require.NotNil(t, logger)
-}
-
-func TestLogger_SetupLoggerWithInValidLogPath(t *testing.T) {
-	cfg := &LogConfig{
-		LogLevel:    log.Info,
-		LogFilePath: "nonexistentdir/",
-	}
-	var buf bytes.Buffer
-
-	logger, err := Setup(cfg, &buf)
-	require.Error(t, err)
-	require.True(t, errors.Is(err, os.ErrNotExist))
-	require.Nil(t, logger)
-}
-
-func TestLogger_SetupLoggerWithInValidLogPathPermission(t *testing.T) {
-	tmpDir := "/tmp/" + t.Name()
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/vault/diagnose"
+)
 
-	err := os.Mkdir(tmpDir, 0o000)
-	assert.NoError(t, err, "unexpected error testing with invalid log path permission")
-	defer os.RemoveAll(tmpDir)
+func testOperatorDiagnoseCommand(tb testing.TB) *OperatorDiagnoseCommand {
+	tb.Helper()
 
-	cfg := &LogConfig{
-		LogLevel:    log.Info,
-		LogFilePath: tmpDir + "/",
+	ui := cli.NewMockUi()
+	return &OperatorDiagnoseCommand{
+		diagnose: diagnose.New(ioutil.Discard),
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+		skipEndEnd: true,
 	}
-	var buf bytes.Buffer
-
-	logger, err := Setup(cfg, &buf)
-	require.Error(t, err)
-	require.True(t, errors.Is(err, os.ErrPermission))
-	require.Nil(t, logger)
 }
 
-func TestLogger_SetupLoggerWithInvalidLogFilePath(t *testing.T) {
-	cases := map[string]struct {
-		path    string
-		message string
+func TestOperatorDiagnoseCommand_Run(t *testing.T) {
+	t.Parallel()
+	cases := []struct {
+		name     string
+		args     []string
+		expected []*diagnose.Result
 	}{
-		"file name *": {
-			path:    "/this/isnt/ok/juan*.log",
-			message: "file name contains globbing character",
+		{
+			"diagnose_ok",
+			[]string{
+				"-config", "./server/test-fixtures/config_diagnose_ok.hcl",
+			},
+			[]*diagnose.Result{
+				{
+					Name:   "Parse Configuration",
+					Status: diagnose.OkStatus,
+				},
+				{
+					Name:   "Start Listeners",
+					Status: diagnose.WarningStatus,
+					Children: []*diagnose.Result{
+						{
+							Name:   "Create Listeners",
+							Status: diagnose.OkStatus,
+						},
+						{
+							Name:   "Check Listener TLS",
+							Status: diagnose.WarningStatus,
+							Warnings: []string{
+								"TLS is disabled in a listener config stanza.",
+							},
+						},
+					},
+				},
+				{
+					Name:   "Check Storage",
+					Status: diagnose.OkStatus,
+					Children: []*diagnose.Result{
+						{
+							Name:   "Create Storage Backend",
+							Status: diagnose.OkStatus,
+						},
+						{
+							Name:   "Check Consul TLS",
+							Status: diagnose.SkippedStatus,
+						},
+						{
+							Name:   "Check Consul Direct Storage Access",
+							Status: diagnose.OkStatus,
+						},
+					},
+				},
+				{
+					Name:   "Check Service Discovery",
+					Status: diagnose.OkStatus,
+					Children: []*diagnose.Result{
+						{
+							Name:   "Check Consul Service Discovery TLS",
+							Status: diagnose.SkippedStatus,
+						},
+						{
+							Name:   "Check Consul Direct Service Discovery",
+							Status: diagnose.OkStatus,
+						},
+					},
+				},
+				{
+					Name:   "Create Vault Server Configuration Seals",
+					Status: diagnose.OkStatus,
+				},
+				{
+					Name:   "Create Core Configuration",
+					Status: diagnose.OkStatus,
+					Children: []*diagnose.Result{
+						{
+							Name:   "Initialize Randomness for Core",
+							Status: diagnose.OkStatus,
+						},
+					},
+				},
+				{
+					Name:   "HA Storage",
+					Status: diagnose.OkStatus,
+					Children: []*diagnose.Result{
+						{
+							Name:   "Create HA Storage Backend",
+							Status: diagnose.OkStatus,
+						},
+						{
+							Name:   "Check HA Consul Direct Storage Access",
+							Status: diagnose.OkStatus,
+						},
+						{
+							Name:   "Check Consul TLS",
+							Status: diagnose.SkippedStatus,
+						},
+					},
+				},
+				{
+					Name:   "Determine Redirect Address",
+					Status: diagnose.OkStatus,
+				},
+				{
+					Name:   "Check Cluster Address",
+					Status: diagnose.OkStatus,
+				},
+				{
+					Name:   "Check Core Creation",
+					Status: diagnose.OkStatus,
+				},
+				{
+					Name:   "Start Listeners",
+					Status: diagnose.WarningStatus,
+					Children: []*diagnose.Result{
+						{
+							Name:   "Create Listeners",
+							Status: diagnose.OkStatus,
+						},
+						{
+							Name:   "Check Listener TLS",
+							Status: diagnose.WarningStatus,
+							Warnings: []string{
+								"TLS is disabled in a listener config stanza.",
+							},
+						},
+					},
+				},
+				{
+					Name:    "Check Autounseal Encryption",
+					Status:  diagnose.SkippedStatus,
+					Message: "Skipping barrier encryption",
+				},
+				{
+					Name:   "Check Server Before Runtime",
+					Status: diagnose.OkStatus,
+				},
+				{
+					Name:   "Finalize Shamir Seal",
+					Status: diagnose.OkStatus,
+				},
+			},
+		},
+		{
+			"diagnose_ok_multiseal",
+			[]string{
+				"-config", "./server/test-fixtures/config_diagnose_ok.hcl",
+			},
+			[]*diagnose.Result{
+				{
+					Name:   "Parse Configuration",
+					Status: diagnose.OkStatus,
+				},
+				{
+					Name:   "Start Listeners",
+					Status: diagnose.WarningStatus,
+					Children: []*diagnose.Result{
+						{
+							Name:   "Create Listeners",
+							Status: diagnose.OkStatus,
+						},
+						{
+							Name:   "Check Listener TLS",
+							Status: diagnose.WarningStatus,
+							Warnings: []string{
+								"TLS is disabled in a listener config stanza.",
+							},
+						},
+					},
+				},
+				{
+					Name:   "Check Storage",
+					Status: diagnose.OkStatus,
+					Children: []*diagnose.Result{
+						{
+							Name:   "Create Storage Backend",
+							Status: diagnose.OkStatus,
+						},
+						{
+							Name:   "Check Consul TLS",
+							Status: diagnose.SkippedStatus,
+						},
+						{
+							Name:   "Check Consul Direct Storage Access",
+							Status: diagnose.OkStatus,
+						},
+					},
+				},
+				{
+					Name:   "Check Service Discovery",
+					Status: diagnose.OkStatus,
+					Children: []*diagnose.Result{
+						{
+							Name:   "Check Consul Service Discovery TLS",
+							Status: diagnose.SkippedStatus,
+						},
+						{
+							Name:   "Check Consul Direct Service Discovery",
+							Status: diagnose.OkStatus,
+						},
+					},
+				},
+				{
+					Name: "Create Vault Server Configuration Seals",
+					// We can't load from storage the existing seal generation info during the test, so we expect an error.
+					Status: diagnose.ErrorStatus,
+				},
+				{
+					Name:   "Create Core Configuration",
+					Status: diagnose.OkStatus,
+					Children: []*diagnose.Result{
+						{
+							Name:   "Initialize Randomness for Core",
+							Status: diagnose.OkStatus,
+						},
+					},
+				},
+				{
+					Name:   "HA Storage",
+					Status: diagnose.OkStatus,
+					Children: []*diagnose.Result{
+						{
+							Name:   "Create HA Storage Backend",
+							Status: diagnose.OkStatus,
+						},
+						{
+							Name:   "Check HA Consul Direct Storage Access",
+							Status: diagnose.OkStatus,
+						},
+						{
+							Name:   "Check Consul TLS",
+							Status: diagnose.SkippedStatus,
+						},
+					},
+				},
+				{
+					Name:   "Determine Redirect Address",
+					Status: diagnose.OkStatus,
+				},
+				{
+					Name:   "Check Cluster Address",
+					Status: diagnose.OkStatus,
+				},
+				{
+					Name:   "Check Core Creation",
+					Status: diagnose.OkStatus,
+				},
+				{
+					Name:   "Start Listeners",
+					Status: diagnose.WarningStatus,
+					Children: []*diagnose.Result{
+						{
+							Name:   "Create Listeners",
+							Status: diagnose.OkStatus,
+						},
+						{
+							Name:   "Check Listener TLS",
+							Status: diagnose.WarningStatus,
+							Warnings: []string{
+								"TLS is disabled in a listener config stanza.",
+							},
+						},
+					},
+				},
+				{
+					Name:    "Check Autounseal Encryption",
+					Status:  diagnose.ErrorStatus,
+					Message: "Diagnose could not create a barrier seal object.",
+				},
+				{
+					Name:   "Check Server Before Runtime",
+					Status: diagnose.OkStatus,
+				},
+			},
+		},
+		{
+			"diagnose_raft_problems",
+			[]string{
+				"-config", "./server/test-fixtures/config_raft.hcl",
+			},
+			[]*diagnose.Result{
+				{
+					Name:   "Check Storage",
+					Status: diagnose.WarningStatus,
+					Children: []*diagnose.Result{
+						{
+							Name:   "Create Storage Backend",
+							Status: diagnose.OkStatus,
+						},
+						{
+							Name:    "Check Raft Folder Permissions",
+							Status:  diagnose.WarningStatus,
+							Message: "too many permissions",
+						},
+						{
+							Name:    "Check For Raft Quorum",
+							Status:  diagnose.WarningStatus,
+							Message: "0 voters found",
+						},
+					},
+				},
+			},
+		},
+		{
+			"diagnose_invalid_storage",
+			[]string{
+				"-config", "./server/test-fixtures/nostore_config.hcl",
+			},
+			[]*diagnose.Result{
+				{
+					Name:    "Check Storage",
+					Status:  diagnose.ErrorStatus,
+					Message: "No storage stanza in Vault server configuration.",
+				},
+			},
+		},
+		{
+			"diagnose_listener_config_ok",
+			[]string{
+				"-config", "./server/test-fixtures/tls_config_ok.hcl",
+			},
+			[]*diagnose.Result{
+				{
+					Name:   "Start Listeners",
+					Status: diagnose.OkStatus,
+					Children: []*diagnose.Result{
+						{
+							Name:   "Create Listeners",
+							Status: diagnose.OkStatus,
+						},
+						{
+							Name:   "Check Listener TLS",
+							Status: diagnose.OkStatus,
+						},
+					},
+				},
+			},
+		},
+		{
+			"diagnose_invalid_https_storage",
+			[]string{
+				"-config", "./server/test-fixtures/config_bad_https_storage.hcl",
+			},
+			[]*diagnose.Result{
+				{
+					Name:   "Check Storage",
+					Status: diagnose.ErrorStatus,
+					Children: []*diagnose.Result{
+						{
+							Name:   "Create Storage Backend",
+							Status: diagnose.OkStatus,
+						},
+						{
+							Name:    "Check Consul TLS",
+							Status:  diagnose.ErrorStatus,
+							Message: "certificate has expired or is not yet valid",
+							Warnings: []string{
+								"expired or near expiry",
+							},
+						},
+						{
+							Name:   "Check Consul Direct Storage Access",
+							Status: diagnose.OkStatus,
+						},
+					},
+				},
+			},
+		},
+		{
+			"diagnose_invalid_https_hastorage",
+			[]string{
+				"-config", "./server/test-fixtures/config_diagnose_hastorage_bad_https.hcl",
+			},
+			[]*diagnose.Result{
+				{
+					Name:   "Check Storage",
+					Status: diagnose.WarningStatus,
+					Children: []*diagnose.Result{
+						{
+							Name:   "Create Storage Backend",
+							Status: diagnose.OkStatus,
+						},
+						{
+							Name:   "Check Consul TLS",
+							Status: diagnose.SkippedStatus,
+						},
+						{
+							Name:   "Check Consul Direct Storage Access",
+							Status: diagnose.WarningStatus,
+							Advice: "We recommend connecting to a local agent.",
+							Warnings: []string{
+								"Vault storage is directly connected to a Consul server.",
+							},
+						},
+					},
+				},
+				{
+					Name:   "HA Storage",
+					Status: diagnose.ErrorStatus,
+					Children: []*diagnose.Result{
+						{
+							Name:   "Create HA Storage Backend",
+							Status: diagnose.OkStatus,
+						},
+						{
+							Name:   "Check HA Consul Direct Storage Access",
+							Status: diagnose.WarningStatus,
+							Advice: "We recommend connecting to a local agent.",
+							Warnings: []string{
+								"Vault storage is directly connected to a Consul server.",
+							},
+						},
+						{
+							Name:    "Check Consul TLS",
+							Status:  diagnose.ErrorStatus,
+							Message: "certificate has expired or is not yet valid",
+							Warnings: []string{
+								"expired or near expiry",
+							},
+						},
+					},
+				},
+				{
+					Name:   "Check Cluster Address",
+					Status: diagnose.ErrorStatus,
+				},
+			},
+		},
+		{
+			"diagnose_seal_transit_tls_check_fail",
+			[]string{
+				"-config", "./server/test-fixtures/diagnose_seal_transit_tls_check.hcl",
+			},
+			[]*diagnose.Result{
+				{
+					Name:   "Check Transit Seal TLS",
+					Status: diagnose.WarningStatus,
+					Warnings: []string{
+						"Found at least one intermediate certificate in the CA certificate file.",
+					},
+				},
+			},
+		},
+		{
+			"diagnose_invalid_https_sr",
+			[]string{
+				"-config", "./server/test-fixtures/diagnose_bad_https_consul_sr.hcl",
+			},
+			[]*diagnose.Result{
+				{
+					Name:   "Check Service Discovery",
+					Status: diagnose.ErrorStatus,
+					Children: []*diagnose.Result{
+						{
+							Name:    "Check Consul Service Discovery TLS",
+							Status:  diagnose.ErrorStatus,
+							Message: "certificate has expired or is not yet valid",
+							Warnings: []string{
+								"expired or near expiry",
+							},
+						},
+						{
+							Name:   "Check Consul Direct Service Discovery",
+							Status: diagnose.WarningStatus,
+							Warnings: []string{
+								diagnose.DirAccessErr,
+							},
+						},
+					},
+				},
+			},
 		},
-		"file name ?": {
-			path:    "/this/isnt/ok/juan?.log",
-			message: "file name contains globbing character",
+		{
+			"diagnose_direct_storage_access",
+			[]string{
+				"-config", "./server/test-fixtures/diagnose_ok_storage_direct_access.hcl",
+			},
+			[]*diagnose.Result{
+				{
+					Name:   "Check Storage",
+					Status: diagnose.WarningStatus,
+					Children: []*diagnose.Result{
+						{
+							Name:   "Create Storage Backend",
+							Status: diagnose.OkStatus,
+						},
+						{
+							Name:   "Check Consul TLS",
+							Status: diagnose.SkippedStatus,
+						},
+						{
+							Name:   "Check Consul Direct Storage Access",
+							Status: diagnose.WarningStatus,
+							Warnings: []string{
+								diagnose.DirAccessErr,
+							},
+						},
+					},
+				},
+			},
 		},
-		"file name [": {
-			path:    "/this/isnt/ok/[juan].log",
-			message: "file name contains globbing character",
+		{
+			"diagnose_raft_no_folder_backend",
+			[]string{
+				"-config", "./server/test-fixtures/diagnose_raft_no_bolt_folder.hcl",
+			},
+			[]*diagnose.Result{
+				{
+					Name:    "Check Storage",
+					Status:  diagnose.ErrorStatus,
+					Message: "Diagnose could not initialize storage backend.",
+					Children: []*diagnose.Result{
+						{
+							Name:    "Create Storage Backend",
+							Status:  diagnose.ErrorStatus,
+							Message: "no such file or directory",
+						},
+					},
+				},
+			},
 		},
-		"directory path *": {
-			path:    "/this/isnt/ok/*/qwerty.log",
-			message: "directory contains glob character",
+		{
+			"diagnose_telemetry_partial_circonus",
+			[]string{
+				"-config", "./server/test-fixtures/diagnose_bad_telemetry1.hcl",
+			},
+			[]*diagnose.Result{
+				{
+					Name:    "Check Telemetry",
+					Status:  diagnose.ErrorStatus,
+					Message: "incomplete Circonus telemetry configuration, missing circonus_api_url",
+				},
+			},
 		},
-		"directory path ?": {
-			path:    "/this/isnt/ok/?/qwerty.log",
-			message: "directory contains glob character",
+		{
+			"diagnose_telemetry_partial_dogstats",
+			[]string{
+				"-config", "./server/test-fixtures/diagnose_bad_telemetry2.hcl",
+			},
+			[]*diagnose.Result{
+				{
+					Name:    "Check Telemetry",
+					Status:  diagnose.ErrorStatus,
+					Message: "incomplete DogStatsD telemetry configuration, missing dogstatsd_addr, while dogstatsd_tags specified",
+				},
+			},
 		},
-		"directory path [": {
-			path:    "/this/isnt/ok/[foo]/qwerty.log",
-			message: "directory contains glob character",
+		{
+			"diagnose_telemetry_partial_stackdriver",
+			[]string{
+				"-config", "./server/test-fixtures/diagnose_bad_telemetry3.hcl",
+			},
+			[]*diagnose.Result{
+				{
+					Name:    "Check Telemetry",
+					Status:  diagnose.ErrorStatus,
+					Message: "incomplete Stackdriver telemetry configuration, missing stackdriver_project_id",
+				},
+			},
+		},
+		{
+			"diagnose_telemetry_default",
+			[]string{
+				"-config", "./server/test-fixtures/config4.hcl",
+			},
+			[]*diagnose.Result{
+				{
+					Name:     "Check Telemetry",
+					Status:   diagnose.WarningStatus,
+					Warnings: []string{"Telemetry is using default configuration"},
+				},
+			},
 		},
 	}
 
-	for name, tc := range cases {
-		name := name
-		tc := tc
-		cfg := &LogConfig{
-			LogLevel:    log.Info,
-			LogFilePath: tc.path,
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range cases {
+			tc := tc
+			t.Run(tc.name, func(t *testing.T) {
+				if tc.name == "diagnose_ok" && server.IsMultisealSupported() {
+					t.Skip("Test not valid in ENT")
+				} else if tc.name == "diagnose_ok_multiseal" && !server.IsMultisealSupported() {
+					t.Skip("Test not valid in community edition")
+				} else {
+					t.Parallel()
+					client, closer := testVaultServer(t)
+					defer closer()
+					cmd := testOperatorDiagnoseCommand(t)
+					cmd.client = client
+
+					cmd.Run(tc.args)
+					result := cmd.diagnose.Finalize(context.Background())
+
+					if err := compareResults(tc.expected, result.Children); err != nil {
+						t.Fatalf("Did not find expected test results: %v", err)
+					}
+				}
+			})
 		}
-		_, err := Setup(cfg, &bytes.Buffer{})
-		assert.Error(t, err, "%s: expected error due to *", name)
-		assert.Contains(t, err.Error(), tc.message, "%s: error message does not match: %s", name, err.Error())
-	}
+	})
 }
 
-func TestLogger_ChangeLogLevels(t *testing.T) {
-	cfg := &LogConfig{
-		LogLevel: log.Debug,
-		Name:     "test-system",
+func compareResults(expected []*diagnose.Result, actual []*diagnose.Result) error {
+	for _, exp := range expected {
+		found := false
+		// Check them all so we don't have to be order specific
+		for _, act := range actual {
+			fmt.Printf("%+v", act)
+			if exp.Name == act.Name {
+				found = true
+				if err := compareResult(exp, act); err != nil {
+					return err
+				}
+				break
+			}
+		}
+		if !found {
+			return fmt.Errorf("could not find expected test result: %s", exp.Name)
+		}
 	}
-	var buf bytes.Buffer
-
-	logger, err := Setup(cfg, &buf)
-	require.NoError(t, err)
-	require.NotNil(t, logger)
+	return nil
+}
 
-	assert.Equal(t, log.Debug, logger.GetLevel())
+func compareResult(exp *diagnose.Result, act *diagnose.Result) error {
+	if exp.Name != act.Name {
+		return fmt.Errorf("names mismatch: %s vs %s", exp.Name, act.Name)
+	}
+	if exp.Status != act.Status {
+		if act.Status != diagnose.OkStatus {
+			return fmt.Errorf("section %s, status mismatch: %s vs %s, got error %s", exp.Name, exp.Status, act.Status, act.Message)
+		}
+		return fmt.Errorf("section %s, status mismatch: %s vs %s", exp.Name, exp.Status, act.Status)
+	}
+	if exp.Message != "" && exp.Message != act.Message && !strings.Contains(act.Message, exp.Message) {
+		return fmt.Errorf("section %s, message not found: %s in %s", exp.Name, exp.Message, act.Message)
+	}
+	if exp.Advice != "" && exp.Advice != act.Advice && !strings.Contains(act.Advice, exp.Advice) {
+		return fmt.Errorf("section %s, advice not found: %s in %s", exp.Name, exp.Advice, act.Advice)
+	}
+	if len(exp.Warnings) != len(act.Warnings) {
+		return fmt.Errorf("section %s, warning count mismatch: %d vs %d", exp.Name, len(exp.Warnings), len(act.Warnings))
+	}
+	for j := range exp.Warnings {
+		if !strings.Contains(act.Warnings[j], exp.Warnings[j]) {
+			return fmt.Errorf("section %s, warning message not found: %s in %s", exp.Name, exp.Warnings[j], act.Warnings[j])
+		}
+	}
+	if len(exp.Children) > len(act.Children) {
+		errStrings := []string{}
+		for _, c := range act.Children {
+			errStrings = append(errStrings, fmt.Sprintf("%+v", c))
+		}
+		return fmt.Errorf(strings.Join(errStrings, ","))
+	}
 
-	// Create new named loggers from the base logger and change the levels
-	logger2 := logger.Named("test2")
-	logger3 := logger.Named("test3")
+	if len(exp.Children) > 0 {
+		return compareResults(exp.Children, act.Children)
+	}
 
-	logger2.SetLevel(log.Info)
-	logger3.SetLevel(log.Error)
+	// Remove raft file if it exists
+	os.Remove("./server/test-fixtures/vault.db")
+	os.RemoveAll("./server/test-fixtures/raft")
 
-	assert.Equal(t, log.Debug, logger.GetLevel())
-	assert.Equal(t, log.Info, logger2.GetLevel())
-	assert.Equal(t, log.Error, logger3.GetLevel())
+	return nil
 }
diff --git a/helper/testhelpers/testhelpers.go b/helper/testhelpers/testhelpers.go
index 261e03b6fcb9..b7518aa91c5d 100644
--- a/helper/testhelpers/testhelpers.go
+++ b/helper/testhelpers/testhelpers.go
@@ -1,1055 +1,628 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package testhelpers
+package command
 
 import (
-	"context"
-	"encoding/base64"
-	"encoding/json"
-	"errors"
+	"bytes"
 	"fmt"
-	"io/ioutil"
-	"math/rand"
-	"net/url"
+	"io"
 	"os"
 	"strings"
-	"sync/atomic"
-	"time"
 
-	"github.com/armon/go-metrics"
-	raftlib "github.com/hashicorp/raft"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/go-secure-stdlib/password"
 	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/helper/metricsutil"
-	"github.com/hashicorp/vault/helper/namespace"
-	"github.com/hashicorp/vault/physical/raft"
-	"github.com/hashicorp/vault/sdk/helper/xor"
-	"github.com/hashicorp/vault/vault"
-	"github.com/mitchellh/go-testing-interface"
+	"github.com/hashicorp/vault/helper/pgpkeys"
+	"github.com/hashicorp/vault/sdk/helper/roottoken"
+	"github.com/posener/complete"
 )
 
-type GenerateRootKind int
-
-const (
-	GenerateRootRegular GenerateRootKind = iota
-	GenerateRootDR
-	GenerateRecovery
+var (
+	_ cli.Command             = (*OperatorGenerateRootCommand)(nil)
+	_ cli.CommandAutocomplete = (*OperatorGenerateRootCommand)(nil)
 )
 
-// GenerateRoot generates a root token on the target cluster.
-func GenerateRoot(t testing.T, cluster *vault.TestCluster, kind GenerateRootKind) string {
-	t.Helper()
-	token, err := GenerateRootWithError(t, cluster, kind)
-	if err != nil {
-		t.Fatal(err)
-	}
-	return token
-}
-
-func GenerateRootWithError(t testing.T, cluster *vault.TestCluster, kind GenerateRootKind) (string, error) {
-	t.Helper()
-	// If recovery keys supported, use those to perform root token generation instead
-	var keys [][]byte
-	if cluster.Cores[0].SealAccess().RecoveryKeySupported() {
-		keys = cluster.RecoveryKeys
-	} else {
-		keys = cluster.BarrierKeys
-	}
-	client := cluster.Cores[0].Client
-	oldNS := client.Namespace()
-	defer client.SetNamespace(oldNS)
-	client.ClearNamespace()
-
-	var err error
-	var status *api.GenerateRootStatusResponse
-	switch kind {
-	case GenerateRootRegular:
-		status, err = client.Sys().GenerateRootInit("", "")
-	case GenerateRootDR:
-		status, err = client.Sys().GenerateDROperationTokenInit("", "")
-	case GenerateRecovery:
-		status, err = client.Sys().GenerateRecoveryOperationTokenInit("", "")
-	}
-	if err != nil {
-		return "", err
-	}
+type generateRootKind int
 
-	if status.Required > len(keys) {
-		return "", fmt.Errorf("need more keys than have, need %d have %d", status.Required, len(keys))
-	}
-
-	otp := status.OTP
+const (
+	generateRootRegular generateRootKind = iota
+	generateRootDR
+	generateRootRecovery
+)
 
-	for i, key := range keys {
-		if i >= status.Required {
-			break
-		}
+type OperatorGenerateRootCommand struct {
+	*BaseCommand
 
-		strKey := base64.StdEncoding.EncodeToString(key)
-		switch kind {
-		case GenerateRootRegular:
-			status, err = client.Sys().GenerateRootUpdate(strKey, status.Nonce)
-		case GenerateRootDR:
-			status, err = client.Sys().GenerateDROperationTokenUpdate(strKey, status.Nonce)
-		case GenerateRecovery:
-			status, err = client.Sys().GenerateRecoveryOperationTokenUpdate(strKey, status.Nonce)
-		}
-		if err != nil {
-			return "", err
-		}
-	}
-	if !status.Complete {
-		return "", errors.New("generate root operation did not end successfully")
-	}
+	flagInit          bool
+	flagCancel        bool
+	flagStatus        bool
+	flagDecode        string
+	flagOTP           string
+	flagPGPKey        string
+	flagNonce         string
+	flagGenerateOTP   bool
+	flagDRToken       bool
+	flagRecoveryToken bool
 
-	tokenBytes, err := base64.RawStdEncoding.DecodeString(status.EncodedToken)
-	if err != nil {
-		return "", err
-	}
-	tokenBytes, err = xor.XORBytes(tokenBytes, []byte(otp))
-	if err != nil {
-		return "", err
-	}
-	return string(tokenBytes), nil
+	testStdin io.Reader // for tests
 }
 
-// RandomWithPrefix is used to generate a unique name with a prefix, for
-// randomizing names in acceptance tests
-func RandomWithPrefix(name string) string {
-	return fmt.Sprintf("%s-%d", name, rand.New(rand.NewSource(time.Now().UnixNano())).Int())
+func (c *OperatorGenerateRootCommand) Synopsis() string {
+	return "Generates a new root, DR operation, or recovery token"
 }
 
-func EnsureCoresSealed(t testing.T, c *vault.TestCluster) {
-	t.Helper()
-	for _, core := range c.Cores {
-		EnsureCoreSealed(t, core)
-	}
-}
+func (c *OperatorGenerateRootCommand) Help() string {
+	helpText := `
+Usage: vault operator generate-root [options] -init [-otp=...] [-pgp-key=...]
+       vault operator generate-root [options] [-nonce=... KEY]
+       vault operator generate-root [options] -decode=... -otp=...
+       vault operator generate-root [options] -generate-otp
+       vault operator generate-root [options] -status
+       vault operator generate-root [options] -cancel
 
-func EnsureCoreSealed(t testing.T, core *vault.TestClusterCore) {
-	t.Helper()
-	core.Seal(t)
-	timeout := time.Now().Add(60 * time.Second)
-	for {
-		if time.Now().After(timeout) {
-			t.Fatal("timeout waiting for core to seal")
-		}
-		if core.Core.Sealed() {
-			break
-		}
-		time.Sleep(250 * time.Millisecond)
-	}
-}
+  Generates a new root token by combining a quorum of share holders.
 
-func EnsureCoresUnsealed(t testing.T, c *vault.TestCluster) {
-	t.Helper()
-	for i, core := range c.Cores {
-		err := AttemptUnsealCore(c, core)
-		if err != nil {
-			t.Fatalf("failed to unseal core %d: %v", i, err)
-		}
-	}
-}
+  This command is unusual, as it is effectively six separate subcommands,
+  selected via the options -init, -decode, -generate-otp, -status, -cancel, 
+  or the absence of any of the previous five options (which selects the 
+  "provide a key share" form).
 
-func EnsureCoreUnsealed(t testing.T, c *vault.TestCluster, core *vault.TestClusterCore) {
-	t.Helper()
-	err := AttemptUnsealCore(c, core)
-	if err != nil {
-		t.Fatalf("failed to unseal core: %v", err)
-	}
-}
+  With the -dr-token or -recovery-token options, a DR operation token or a
+  recovery token is generated instead of a root token - the relevant option
+  must be included in every form of the generate-root command.
 
-func AttemptUnsealCores(c *vault.TestCluster) error {
-	for i, core := range c.Cores {
-		err := AttemptUnsealCore(c, core)
-		if err != nil {
-			return fmt.Errorf("failed to unseal core %d: %v", i, err)
-		}
-	}
-	return nil
-}
+  Form 1 (-init) - Start a token generation:
 
-func AttemptUnsealCore(c *vault.TestCluster, core *vault.TestClusterCore) error {
-	if !core.Sealed() {
-		return nil
-	}
+    When starting a root or privileged operation token generation, you must
+    choose one of the following protection methods for how the token will be
+    returned:
 
-	core.SealAccess().ClearCaches(context.Background())
-	if err := core.UnsealWithStoredKeys(context.Background()); err != nil {
-		return err
-	}
+      - A base64-encoded one-time-password (OTP). The resulting token is XORed
+        with this value when it is returned. Use the "-decode" form of this
+        command to output the final value.
 
-	client := core.Client
-	oldNS := client.Namespace()
-	defer client.SetNamespace(oldNS)
-	client.ClearNamespace()
+        The Vault server will generate a suitable OTP for you, and return it:
 
-	client.Sys().ResetUnsealProcess()
-	for j := 0; j < len(c.BarrierKeys); j++ {
-		statusResp, err := client.Sys().Unseal(base64.StdEncoding.EncodeToString(c.BarrierKeys[j]))
-		if err != nil {
-			// Sometimes when we get here it's already unsealed on its own
-			// and then this fails for DR secondaries so check again
-			if core.Sealed() {
-				return err
-			} else {
-				return nil
-			}
-		}
-		if statusResp == nil {
-			return fmt.Errorf("nil status response during unseal")
-		}
-		if !statusResp.Sealed {
-			break
-		}
-	}
-	if core.Sealed() {
-		return fmt.Errorf("core is still sealed")
-	}
-	return nil
-}
+            $ vault operator generate-root -init
 
-func EnsureStableActiveNode(t testing.T, cluster *vault.TestCluster) {
-	t.Helper()
-	deriveStableActiveCore(t, cluster)
-}
-
-func DeriveStableActiveCore(t testing.T, cluster *vault.TestCluster) *vault.TestClusterCore {
-	t.Helper()
-	return deriveStableActiveCore(t, cluster)
-}
-
-func deriveStableActiveCore(t testing.T, cluster *vault.TestCluster) *vault.TestClusterCore {
-	t.Helper()
-	activeCore := DeriveActiveCore(t, cluster)
-	minDuration := time.NewTimer(3 * time.Second)
-
-	for i := 0; i < 60; i++ {
-		leaderResp, err := activeCore.Client.Sys().Leader()
-		if err != nil {
-			t.Fatal(err)
-		}
-		if !leaderResp.IsSelf {
-			minDuration.Reset(3 * time.Second)
-		}
-		time.Sleep(200 * time.Millisecond)
-	}
-
-	select {
-	case <-minDuration.C:
-	default:
-		if stopped := minDuration.Stop(); stopped {
-			t.Fatal("unstable active node")
-		}
-		// Drain the value
-		<-minDuration.C
-	}
-
-	return activeCore
-}
+        Vault versions before 0.11.2, released in 2018, required you to
+        generate your own OTP (see the "-generate-otp" form) and pass it in,
+        but this is no longer necessary. The command is still supported for
+        compatibility, though:
 
-func DeriveActiveCore(t testing.T, cluster *vault.TestCluster) *vault.TestClusterCore {
-	t.Helper()
-	for i := 0; i < 60; i++ {
-		for _, core := range cluster.Cores {
-			oldNS := core.Client.Namespace()
-			core.Client.ClearNamespace()
-			leaderResp, err := core.Client.Sys().Leader()
-			core.Client.SetNamespace(oldNS)
-			if err != nil {
-				t.Fatal(err)
-			}
-			if leaderResp.IsSelf {
-				return core
-			}
-		}
-		time.Sleep(1 * time.Second)
-	}
-	t.Fatal("could not derive the active core")
-	return nil
-}
+            $ vault operator generate-root -init -otp="..."
 
-func DeriveStandbyCores(t testing.T, cluster *vault.TestCluster) []*vault.TestClusterCore {
-	t.Helper()
-	cores := make([]*vault.TestClusterCore, 0, 2)
-	for _, core := range cluster.Cores {
-		oldNS := core.Client.Namespace()
-		core.Client.ClearNamespace()
-		leaderResp, err := core.Client.Sys().Leader()
-		core.Client.SetNamespace(oldNS)
-		if err != nil {
-			t.Fatal(err)
-		}
-		if !leaderResp.IsSelf {
-			cores = append(cores, core)
-		}
-	}
+      - A PGP key. The resulting token is encrypted with this public key.
+        The key may be specified as a path to a file, or a string of the
+        form "keybase:<username>" to fetch the key from the keybase.io API.
 
-	return cores
-}
+            $ vault operator generate-root -init -pgp-key="..."
 
-func WaitForNCoresUnsealed(t testing.T, cluster *vault.TestCluster, n int) {
-	t.Helper()
-	for i := 0; i < 30; i++ {
-		unsealed := 0
-		for _, core := range cluster.Cores {
-			if !core.Core.Sealed() {
-				unsealed++
-			}
-		}
+  Form 2 (no option) - Enter an unseal key to progress root token generation:
 
-		if unsealed >= n {
-			return
-		}
-		time.Sleep(time.Second)
-	}
+    In the sub-form intended for interactive use, the command will
+    automatically look up the nonce of the currently active generation
+    operation, and will prompt for the key to be entered:
 
-	t.Fatalf("%d cores were not unsealed", n)
-}
+        $ vault operator generate-root
 
-func SealCores(t testing.T, cluster *vault.TestCluster) {
-	t.Helper()
-	for _, core := range cluster.Cores {
-		if err := core.Shutdown(); err != nil {
-			t.Fatal(err)
-		}
-		timeout := time.Now().Add(3 * time.Second)
-		for {
-			if time.Now().After(timeout) {
-				t.Fatal("timeout waiting for core to seal")
-			}
-			if core.Sealed() {
-				break
-			}
-			time.Sleep(100 * time.Millisecond)
-		}
-	}
-}
+    In the sub-form intended for automation, the operation nonce must be
+    explicitly provided, and the key is provided directly on the command line
 
-func WaitForNCoresSealed(t testing.T, cluster *vault.TestCluster, n int) {
-	t.Helper()
-	for i := 0; i < 60; i++ {
-		sealed := 0
-		for _, core := range cluster.Cores {
-			if core.Core.Sealed() {
-				sealed++
-			}
-		}
+        $ vault operator generate-root -nonce=... KEY
 
-		if sealed >= n {
-			return
-		}
-		time.Sleep(time.Second)
-	}
+    If key is specified as "-", the command will read from stdin.
 
-	t.Fatalf("%d cores were not sealed", n)
-}
+  Form 3 (-decode) - Decode a generated token protected with an OTP:
 
-func WaitForActiveNode(t testing.T, cluster *vault.TestCluster) *vault.TestClusterCore {
-	t.Helper()
-	for i := 0; i < 60; i++ {
-		for _, core := range cluster.Cores {
-			if standby, _ := core.Core.Standby(); !standby {
-				return core
-			}
-		}
+        $ vault operator generate-root -decode=ENCODED_TOKEN -otp=OTP
 
-		time.Sleep(time.Second)
-	}
+    If encoded token is specified as "-", the command will read from stdin.
 
-	t.Fatalf("node did not become active")
-	return nil
-}
+  Form 4 (-generate-otp) - Generate an OTP code for the final token:
 
-func WaitForStandbyNode(t testing.T, core *vault.TestClusterCore) {
-	t.Helper()
-	for i := 0; i < 30; i++ {
-		if isLeader, _, clusterAddr, _ := core.Core.Leader(); isLeader != true && clusterAddr != "" {
-			return
-		}
-		if core.Core.ActiveNodeReplicationState() == 0 {
-			return
-		}
+        $ vault operator generate-root -generate-otp
 
-		time.Sleep(time.Second)
-	}
+    Since changes in Vault 0.11.2 in 2018, there is no longer any reason to
+    use this form, as a suitable OTP will be returned as part of the "-init"
+    command.
 
-	t.Fatalf("node did not become standby")
-}
+  Form 5 (-status) - Get the status of a token generation that is in progress:
 
-func RekeyCluster(t testing.T, cluster *vault.TestCluster, recovery bool) [][]byte {
-	t.Helper()
-	cluster.Logger.Info("rekeying cluster", "recovery", recovery)
-	client := cluster.Cores[0].Client
+        $ vault operator generate-root -status
 
-	initFunc := client.Sys().RekeyInit
-	if recovery {
-		initFunc = client.Sys().RekeyRecoveryKeyInit
-	}
-	init, err := initFunc(&api.RekeyInitRequest{
-		SecretShares:    5,
-		SecretThreshold: 3,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
+    This form also returns the length of the a correct OTP, for the running
+    version and configuration of Vault.
 
-	var statusResp *api.RekeyUpdateResponse
-	keys := cluster.BarrierKeys
-	if cluster.Cores[0].Core.SealAccess().RecoveryKeySupported() {
-		keys = cluster.RecoveryKeys
-	}
+  Form 6 (-cancel) - Cancel a token generation that is in progress:
 
-	updateFunc := client.Sys().RekeyUpdate
-	if recovery {
-		updateFunc = client.Sys().RekeyRecoveryKeyUpdate
-	}
-	for j := 0; j < len(keys); j++ {
-		statusResp, err = updateFunc(base64.StdEncoding.EncodeToString(keys[j]), init.Nonce)
-		if err != nil {
-			t.Fatal(err)
-		}
-		if statusResp == nil {
-			t.Fatal("nil status response during unseal")
-		}
-		if statusResp.Complete {
-			break
-		}
-	}
-	cluster.Logger.Info("cluster rekeyed", "recovery", recovery)
+    This would be used to remove an in progress generation operation, so that
+    a new one can be started with different parameters.
 
-	if cluster.Cores[0].Core.SealAccess().RecoveryKeySupported() && !recovery {
-		return nil
-	}
-	if len(statusResp.KeysB64) != 5 {
-		t.Fatal("wrong number of keys")
-	}
+        $ vault operator generate-root -cancel
 
-	newKeys := make([][]byte, 5)
-	for i, key := range statusResp.KeysB64 {
-		newKeys[i], err = base64.StdEncoding.DecodeString(key)
-		if err != nil {
-			t.Fatal(err)
-		}
-	}
-	return newKeys
+` + c.Flags().Help()
+	return strings.TrimSpace(helpText)
 }
 
-// TestRaftServerAddressProvider is a ServerAddressProvider that uses the
-// ClusterAddr() of each node to provide raft addresses.
-//
-// Note that TestRaftServerAddressProvider should only be used in cases where
-// cores that are part of a raft configuration have already had
-// startClusterListener() called (via either unsealing or raft joining).
-type TestRaftServerAddressProvider struct {
-	Cluster *vault.TestCluster
-}
+func (c *OperatorGenerateRootCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
 
-func (p *TestRaftServerAddressProvider) ServerAddr(id raftlib.ServerID) (raftlib.ServerAddress, error) {
-	for _, core := range p.Cluster.Cores {
-		if core.NodeID == string(id) {
-			parsed, err := url.Parse(core.ClusterAddr())
-			if err != nil {
-				return "", err
-			}
+	f := set.NewFlagSet("Command Options")
 
-			return raftlib.ServerAddress(parsed.Host), nil
-		}
-	}
+	f.BoolVar(&BoolVar{
+		Name:       "init",
+		Target:     &c.flagInit,
+		Default:    false,
+		EnvVar:     "",
+		Completion: complete.PredictNothing,
+		Usage: "Start a root token generation. This can only be done if " +
+			"there is not currently one in progress.",
+	})
 
-	return "", errors.New("could not find cluster addr")
-}
+	f.BoolVar(&BoolVar{
+		Name:       "cancel",
+		Target:     &c.flagCancel,
+		Default:    false,
+		EnvVar:     "",
+		Completion: complete.PredictNothing,
+		Usage: "Reset the root token generation progress. This will discard any " +
+			"submitted unseal keys or configuration.",
+	})
 
-func RaftClusterJoinNodes(t testing.T, cluster *vault.TestCluster) {
-	addressProvider := &TestRaftServerAddressProvider{Cluster: cluster}
+	f.BoolVar(&BoolVar{
+		Name:       "status",
+		Target:     &c.flagStatus,
+		Default:    false,
+		EnvVar:     "",
+		Completion: complete.PredictNothing,
+		Usage: "Print the status of the current attempt without providing an " +
+			"unseal key.",
+	})
 
-	atomic.StoreUint32(&vault.TestingUpdateClusterAddr, 1)
+	f.StringVar(&StringVar{
+		Name:       "decode",
+		Target:     &c.flagDecode,
+		Default:    "",
+		EnvVar:     "",
+		Completion: complete.PredictAnything,
+		Usage: "The value to decode; setting this triggers a decode operation. " +
+			" If the value is \"-\" then read the encoded token from stdin.",
+	})
 
-	leader := cluster.Cores[0]
+	f.BoolVar(&BoolVar{
+		Name:       "generate-otp",
+		Target:     &c.flagGenerateOTP,
+		Default:    false,
+		EnvVar:     "",
+		Completion: complete.PredictNothing,
+		Usage: "Generate and print a high-entropy one-time-password (OTP) " +
+			"suitable for use with the \"-init\" flag.",
+	})
 
-	// Seal the leader so we can install an address provider
-	{
-		EnsureCoreSealed(t, leader)
-		leader.UnderlyingRawStorage.(*raft.RaftBackend).SetServerAddressProvider(addressProvider)
-		cluster.UnsealCore(t, leader)
-		vault.TestWaitActive(t, leader.Core)
-	}
+	f.BoolVar(&BoolVar{
+		Name:       "dr-token",
+		Target:     &c.flagDRToken,
+		Default:    false,
+		EnvVar:     "",
+		Completion: complete.PredictNothing,
+		Usage: "Set this flag to do generate root operations on DR operation " +
+			"tokens.",
+	})
 
-	leaderInfos := []*raft.LeaderJoinInfo{
-		{
-			LeaderAPIAddr: leader.Client.Address(),
-			TLSConfig:     leader.TLSConfig(),
-		},
-	}
+	f.BoolVar(&BoolVar{
+		Name:       "recovery-token",
+		Target:     &c.flagRecoveryToken,
+		Default:    false,
+		EnvVar:     "",
+		Completion: complete.PredictNothing,
+		Usage: "Set this flag to do generate root operations on recovery " +
+			"tokens.",
+	})
 
-	// Join followers
-	for i := 1; i < len(cluster.Cores); i++ {
-		core := cluster.Cores[i]
-		core.UnderlyingRawStorage.(*raft.RaftBackend).SetServerAddressProvider(addressProvider)
-		_, err := core.JoinRaftCluster(namespace.RootContext(context.Background()), leaderInfos, false)
-		if err != nil {
-			t.Fatal(err)
-		}
+	f.StringVar(&StringVar{
+		Name:       "otp",
+		Target:     &c.flagOTP,
+		Default:    "",
+		EnvVar:     "",
+		Completion: complete.PredictAnything,
+		Usage:      "OTP code to use with \"-decode\" or \"-init\".",
+	})
 
-		cluster.UnsealCore(t, core)
-	}
+	f.VarFlag(&VarFlag{
+		Name:       "pgp-key",
+		Value:      (*pgpkeys.PubKeyFileFlag)(&c.flagPGPKey),
+		Default:    "",
+		EnvVar:     "",
+		Completion: complete.PredictAnything,
+		Usage: "Path to a file on disk containing a binary or base64-encoded " +
+			"public PGP key. This can also be specified as a Keybase username " +
+			"using the format \"keybase:<username>\". When supplied, the generated " +
+			"root token will be encrypted and base64-encoded with the given public " +
+			"key. Must be used with \"-init\".",
+	})
 
-	WaitForNCoresUnsealed(t, cluster, len(cluster.Cores))
+	f.StringVar(&StringVar{
+		Name:       "nonce",
+		Target:     &c.flagNonce,
+		Default:    "",
+		EnvVar:     "",
+		Completion: complete.PredictAnything,
+		Usage: "Nonce value returned at initialization. The same nonce value " +
+			"must be provided with each unseal or recovery key. Only needed " +
+			"when providing an unseal or recovery key.",
+	})
+
+	return set
 }
 
-// HardcodedServerAddressProvider is a ServerAddressProvider that uses
-// a hardcoded map of raft node addresses.
-//
-// It is useful in cases where the raft configuration is known ahead of time,
-// but some of the cores have not yet had startClusterListener() called (via
-// either unsealing or raft joining), and thus do not yet have a ClusterAddr()
-// assigned.
-type HardcodedServerAddressProvider struct {
-	Entries map[raftlib.ServerID]raftlib.ServerAddress
+func (c *OperatorGenerateRootCommand) AutocompleteArgs() complete.Predictor {
+	return nil
 }
 
-func (p *HardcodedServerAddressProvider) ServerAddr(id raftlib.ServerID) (raftlib.ServerAddress, error) {
-	if addr, ok := p.Entries[id]; ok {
-		return addr, nil
-	}
-	return "", errors.New("could not find cluster addr")
+func (c *OperatorGenerateRootCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
 }
 
-// NewHardcodedServerAddressProvider is a convenience function that makes a
-// ServerAddressProvider from a given cluster address base port.
-func NewHardcodedServerAddressProvider(numCores, baseClusterPort int) raftlib.ServerAddressProvider {
-	entries := make(map[raftlib.ServerID]raftlib.ServerAddress)
+func (c *OperatorGenerateRootCommand) Run(args []string) int {
+	f := c.Flags()
 
-	for i := 0; i < numCores; i++ {
-		id := fmt.Sprintf("core-%d", i)
-		addr := fmt.Sprintf("127.0.0.1:%d", baseClusterPort+i)
-		entries[raftlib.ServerID(id)] = raftlib.ServerAddress(addr)
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
 	}
 
-	return &HardcodedServerAddressProvider{
-		entries,
+	args = f.Args()
+	if len(args) > 1 {
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0-1, got %d)", len(args)))
+		return 1
 	}
-}
 
-// VerifyRaftConfiguration checks that we have a valid raft configuration, i.e.
-// the correct number of servers, having the correct NodeIDs, and exactly one
-// leader.
-func VerifyRaftConfiguration(core *vault.TestClusterCore, numCores int) error {
-	backend := core.UnderlyingRawStorage.(*raft.RaftBackend)
-	ctx := namespace.RootContext(context.Background())
-	config, err := backend.GetConfiguration(ctx)
-	if err != nil {
-		return err
-	}
-
-	servers := config.Servers
-	if len(servers) != numCores {
-		return fmt.Errorf("Found %d servers, not %d", len(servers), numCores)
+	if c.flagDRToken && c.flagRecoveryToken {
+		c.UI.Error("Both -recovery-token and -dr-token flags are set")
+		return 1
 	}
 
-	leaders := 0
-	for i, s := range servers {
-		if s.NodeID != fmt.Sprintf("core-%d", i) {
-			return fmt.Errorf("Found unexpected node ID %q", s.NodeID)
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	kind := generateRootRegular
+	switch {
+	case c.flagDRToken:
+		kind = generateRootDR
+	case c.flagRecoveryToken:
+		kind = generateRootRecovery
+	}
+
+	switch {
+	case c.flagGenerateOTP:
+		otp, code := c.generateOTP(client, kind)
+		if code == 0 {
+			switch Format(c.UI) {
+			case "", "table":
+				return PrintRaw(c.UI, otp)
+			default:
+				status := map[string]interface{}{
+					"otp":        otp,
+					"otp_length": len(otp),
+				}
+				return OutputData(c.UI, status)
+			}
 		}
-		if s.Leader {
-			leaders++
+		return code
+	case c.flagDecode != "":
+		return c.decode(client, c.flagDecode, c.flagOTP, kind)
+	case c.flagCancel:
+		return c.cancel(client, kind)
+	case c.flagInit:
+		return c.init(client, c.flagOTP, c.flagPGPKey, kind)
+	case c.flagStatus:
+		return c.status(client, kind)
+	default:
+		// If there are no other flags, prompt for an unseal key.
+		key := ""
+		if len(args) > 0 {
+			key = strings.TrimSpace(args[0])
 		}
+		return c.provide(client, key, kind)
 	}
+}
 
-	if leaders != 1 {
-		return fmt.Errorf("Found %d leaders", leaders)
+// generateOTP generates a suitable OTP code for generating a root token.
+func (c *OperatorGenerateRootCommand) generateOTP(client *api.Client, kind generateRootKind) (string, int) {
+	f := client.Sys().GenerateRootStatus
+	switch kind {
+	case generateRootDR:
+		f = client.Sys().GenerateDROperationTokenStatus
+	case generateRootRecovery:
+		f = client.Sys().GenerateRecoveryOperationTokenStatus
 	}
 
-	return nil
-}
+	status, err := f()
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error getting root generation status: %s", err))
+		return "", 2
+	}
 
-func RaftAppliedIndex(core *vault.TestClusterCore) uint64 {
-	return core.UnderlyingRawStorage.(*raft.RaftBackend).AppliedIndex()
+	otp, err := roottoken.GenerateOTP(status.OTPLength)
+	var retCode int
+	if err != nil {
+		retCode = 2
+		c.UI.Error(err.Error())
+	} else {
+		retCode = 0
+	}
+	return otp, retCode
 }
 
-func WaitForRaftApply(t testing.T, core *vault.TestClusterCore, index uint64) {
-	t.Helper()
-
-	backend := core.UnderlyingRawStorage.(*raft.RaftBackend)
-	for i := 0; i < 30; i++ {
-		if backend.AppliedIndex() >= index {
-			return
-		}
-
-		time.Sleep(time.Second)
+// decode decodes the given value using the otp.
+func (c *OperatorGenerateRootCommand) decode(client *api.Client, encoded, otp string, kind generateRootKind) int {
+	if encoded == "" {
+		c.UI.Error("Missing encoded value: use -decode=<string> to supply it")
+		return 1
+	}
+	if otp == "" {
+		c.UI.Error("Missing otp: use -otp to supply it")
+		return 1
 	}
 
-	t.Fatalf("node did not apply index")
-}
-
-// AwaitLeader waits for one of the cluster's nodes to become leader.
-func AwaitLeader(t testing.T, cluster *vault.TestCluster) (int, error) {
-	timeout := time.Now().Add(60 * time.Second)
-	for {
-		if time.Now().After(timeout) {
-			break
+	if encoded == "-" {
+		// Pull our fake stdin if needed
+		stdin := (io.Reader)(os.Stdin)
+		if c.testStdin != nil {
+			stdin = c.testStdin
 		}
 
-		for i, core := range cluster.Cores {
-			if core.Core.Sealed() {
-				continue
-			}
-
-			isLeader, _, _, _ := core.Leader()
-			if isLeader {
-				return i, nil
-			}
+		var buf bytes.Buffer
+		if _, err := io.Copy(&buf, stdin); err != nil {
+			c.UI.Error(fmt.Sprintf("Failed to read from stdin: %s", err))
+			return 1
 		}
 
-		time.Sleep(time.Second)
-	}
+		encoded = buf.String()
 
-	return 0, fmt.Errorf("timeout waiting leader")
-}
-
-func GenerateDebugLogs(t testing.T, client *api.Client) chan struct{} {
-	t.Helper()
-
-	stopCh := make(chan struct{})
-
-	go func() {
-		ticker := time.NewTicker(time.Second)
-		defer ticker.Stop()
-		for {
-			select {
-			case <-stopCh:
-				return
-			case <-ticker.C:
-				err := client.Sys().Mount("foo", &api.MountInput{
-					Type: "kv",
-					Options: map[string]string{
-						"version": "1",
-					},
-				})
-				if err != nil {
-					t.Fatal(err)
-				}
-
-				err = client.Sys().Unmount("foo")
-				if err != nil {
-					t.Fatal(err)
-				}
-			}
+		if encoded == "" {
+			c.UI.Error("Missing encoded value. When using -decode=\"-\" value must be passed via stdin.")
+			return 1
 		}
-	}()
-
-	return stopCh
-}
-
-// VerifyRaftPeers verifies that the raft configuration contains a given set of peers.
-// The `expected` contains a map of expected peers. Existing entries are deleted
-// from the map by removing entries whose keys are in the raft configuration.
-// Remaining entries result in an error return so that the caller can poll for
-// an expected configuration.
-func VerifyRaftPeers(t testing.T, client *api.Client, expected map[string]bool) error {
-	t.Helper()
-
-	resp, err := client.Logical().Read("sys/storage/raft/configuration")
-	if err != nil {
-		t.Fatalf("error reading raft config: %v", err)
-	}
-
-	if resp == nil || resp.Data == nil {
-		t.Fatal("missing response data")
 	}
 
-	config, ok := resp.Data["config"].(map[string]interface{})
-	if !ok {
-		t.Fatal("missing config in response data")
+	f := client.Sys().GenerateRootStatus
+	switch kind {
+	case generateRootDR:
+		f = client.Sys().GenerateDROperationTokenStatus
+	case generateRootRecovery:
+		f = client.Sys().GenerateRecoveryOperationTokenStatus
 	}
 
-	servers, ok := config["servers"].([]interface{})
-	if !ok {
-		t.Fatal("missing servers in response data config")
+	status, err := f()
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error getting root generation status: %s", err))
+		return 2
 	}
 
-	// Iterate through the servers and remove the node found in the response
-	// from the expected collection
-	for _, s := range servers {
-		server := s.(map[string]interface{})
-		delete(expected, server["node_id"].(string))
+	token, err := roottoken.DecodeToken(encoded, otp, status.OTPLength)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error decoding root token: %s", err))
+		return 1
 	}
 
-	// If the collection is non-empty, it means that the peer was not found in
-	// the response.
-	if len(expected) != 0 {
-		return fmt.Errorf("failed to read configuration successfully, expected peers not found in configuration list: %v", expected)
+	switch Format(c.UI) {
+	case "", "table":
+		return PrintRaw(c.UI, token)
+	default:
+		tokenJSON := map[string]interface{}{
+			"token": token,
+		}
+		return OutputData(c.UI, tokenJSON)
 	}
-
-	return nil
 }
 
-func TestMetricSinkProvider(gaugeInterval time.Duration) func(string) (*metricsutil.ClusterMetricSink, *metricsutil.MetricsHelper) {
-	return func(clusterName string) (*metricsutil.ClusterMetricSink, *metricsutil.MetricsHelper) {
-		inm := metrics.NewInmemSink(1000000*time.Hour, 2000000*time.Hour)
-		clusterSink := metricsutil.NewClusterMetricSink(clusterName, inm)
-		clusterSink.GaugeInterval = gaugeInterval
-		return clusterSink, metricsutil.NewMetricsHelper(inm, false)
+// init is used to start the generation process
+func (c *OperatorGenerateRootCommand) init(client *api.Client, otp, pgpKey string, kind generateRootKind) int {
+	// Validate incoming fields. Either OTP OR PGP keys must be supplied.
+	if otp != "" && pgpKey != "" {
+		c.UI.Error("Error initializing: cannot specify both -otp and -pgp-key")
+		return 1
 	}
-}
 
-func SysMetricsReq(client *api.Client, cluster *vault.TestCluster, unauth bool) (*SysMetricsJSON, error) {
-	r := client.NewRequest("GET", "/v1/sys/metrics")
-	if !unauth {
-		r.Headers.Set("X-Vault-Token", cluster.RootToken)
-	}
-	var data SysMetricsJSON
-	resp, err := client.RawRequestWithContext(context.Background(), r)
-	if err != nil {
-		return nil, err
+	// Start the root generation
+	f := client.Sys().GenerateRootInit
+	switch kind {
+	case generateRootDR:
+		f = client.Sys().GenerateDROperationTokenInit
+	case generateRootRecovery:
+		f = client.Sys().GenerateRecoveryOperationTokenInit
 	}
-	bodyBytes, err := ioutil.ReadAll(resp.Response.Body)
+	status, err := f(otp, pgpKey)
 	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-	if err := json.Unmarshal(bodyBytes, &data); err != nil {
-		return nil, errors.New("failed to unmarshal:" + err.Error())
+		c.UI.Error(fmt.Sprintf("Error initializing root generation: %s", err))
+		return 2
 	}
-	return &data, nil
-}
 
-type SysMetricsJSON struct {
-	Gauges   []gaugeJSON   `json:"Gauges"`
-	Counters []counterJSON `json:"Counters"`
-
-	// note: this is referred to as a "Summary" type in our telemetry docs, but
-	// the field name in the JSON is "Samples"
-	Summaries []summaryJSON `json:"Samples"`
-}
-
-type baseInfoJSON struct {
-	Name   string                 `json:"Name"`
-	Labels map[string]interface{} `json:"Labels"`
-}
-
-type gaugeJSON struct {
-	baseInfoJSON
-	Value int `json:"Value"`
-}
-
-type counterJSON struct {
-	baseInfoJSON
-	Count  int     `json:"Count"`
-	Rate   float64 `json:"Rate"`
-	Sum    int     `json:"Sum"`
-	Min    int     `json:"Min"`
-	Max    int     `json:"Max"`
-	Mean   float64 `json:"Mean"`
-	Stddev float64 `json:"Stddev"`
-}
-
-type summaryJSON struct {
-	baseInfoJSON
-	Count  int     `json:"Count"`
-	Rate   float64 `json:"Rate"`
-	Sum    float64 `json:"Sum"`
-	Min    float64 `json:"Min"`
-	Max    float64 `json:"Max"`
-	Mean   float64 `json:"Mean"`
-	Stddev float64 `json:"Stddev"`
+	switch Format(c.UI) {
+	case "table":
+		return c.printStatus(status)
+	default:
+		return OutputData(c.UI, status)
+	}
 }
 
-// SetNonRootToken sets a token on :client: with a fairly generic policy.
-// This is useful if a test needs to examine differing behavior based on if a
-// root token is passed with the request.
-func SetNonRootToken(client *api.Client) error {
-	policy := `path "*" { capabilities = ["create", "update", "read"] }`
-	if err := client.Sys().PutPolicy("policy", policy); err != nil {
-		return fmt.Errorf("error putting policy: %v", err)
+// provide prompts the user for the seal key and posts it to the update root
+// endpoint. If this is the last unseal, this function outputs it.
+func (c *OperatorGenerateRootCommand) provide(client *api.Client, key string, kind generateRootKind) int {
+	f := client.Sys().GenerateRootStatus
+	switch kind {
+	case generateRootDR:
+		f = client.Sys().GenerateDROperationTokenStatus
+	case generateRootRecovery:
+		f = client.Sys().GenerateRecoveryOperationTokenStatus
 	}
-
-	secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
-		Policies: []string{"policy"},
-		TTL:      "30m",
-	})
+	status, err := f()
 	if err != nil {
-		return fmt.Errorf("error creating token secret: %v", err)
+		c.UI.Error(fmt.Sprintf("Error getting root generation status: %s", err))
+		return 2
 	}
 
-	if secret == nil || secret.Auth == nil || secret.Auth.ClientToken == "" {
-		return fmt.Errorf("missing token auth data")
+	// Verify a root token generation is in progress. If there is not one in
+	// progress, return an error instructing the user to start one.
+	if !status.Started {
+		c.UI.Error(wrapAtLength(
+			"No root generation is in progress. Start a root generation by " +
+				"running \"vault operator generate-root -init\"."))
+		c.UI.Warn(wrapAtLength(fmt.Sprintf(
+			"If starting root generation using the OTP method and generating "+
+				"your own OTP, the length of the OTP string needs to be %d "+
+				"characters in length.", status.OTPLength)))
+		return 1
 	}
 
-	client.SetToken(secret.Auth.ClientToken)
-	return nil
-}
+	var nonce string
 
-// RetryUntilAtCadence runs f until it returns a nil result or the timeout is reached.
-// If a nil result hasn't been obtained by timeout, calls t.Fatal.
-func RetryUntilAtCadence(t testing.T, timeout, sleepTime time.Duration, f func() error) {
-	t.Helper()
-	deadline := time.Now().Add(timeout)
-	var err error
-	for time.Now().Before(deadline) {
-		if err = f(); err == nil {
-			return
-		}
-		time.Sleep(sleepTime)
-	}
-	t.Fatalf("did not complete before deadline, err: %v", err)
-}
+	switch key {
+	case "-": // Read from stdin
+		nonce = c.flagNonce
 
-// RetryUntil runs f until it returns a nil result or the timeout is reached.
-// If a nil result hasn't been obtained by timeout, calls t.Fatal.
-func RetryUntil(t testing.T, timeout time.Duration, f func() error) {
-	t.Helper()
-	deadline := time.Now().Add(timeout)
-	var err error
-	for time.Now().Before(deadline) {
-		if err = f(); err == nil {
-			return
+		// Pull our fake stdin if needed
+		stdin := (io.Reader)(os.Stdin)
+		if c.testStdin != nil {
+			stdin = c.testStdin
 		}
-		time.Sleep(100 * time.Millisecond)
-	}
-	t.Fatalf("did not complete before deadline, err: %v", err)
-}
-
-// CreateEntityAndAlias clones an existing client and creates an entity/alias.
-// It returns the cloned client, entityID, and aliasID.
-func CreateEntityAndAlias(t testing.T, client *api.Client, mountAccessor, entityName, aliasName string) (*api.Client, string, string) {
-	t.Helper()
-	userClient, err := client.Clone()
-	if err != nil {
-		t.Fatalf("failed to clone the client:%v", err)
-	}
-	userClient.SetToken(client.Token())
 
-	resp, err := client.Logical().WriteWithContext(context.Background(), "identity/entity", map[string]interface{}{
-		"name": entityName,
-	})
-	if err != nil {
-		t.Fatalf("failed to create an entity:%v", err)
-	}
-	entityID := resp.Data["id"].(string)
+		var buf bytes.Buffer
+		if _, err := io.Copy(&buf, stdin); err != nil {
+			c.UI.Error(fmt.Sprintf("Failed to read from stdin: %s", err))
+			return 1
+		}
 
-	aliasResp, err := client.Logical().WriteWithContext(context.Background(), "identity/entity-alias", map[string]interface{}{
-		"name":           aliasName,
-		"canonical_id":   entityID,
-		"mount_accessor": mountAccessor,
-	})
-	if err != nil {
-		t.Fatalf("failed to create an entity alias:%v", err)
-	}
-	aliasID := aliasResp.Data["id"].(string)
-	if aliasID == "" {
-		t.Fatal("Alias ID not present in response")
-	}
-	_, err = client.Logical().WriteWithContext(context.Background(), fmt.Sprintf("auth/userpass/users/%s", aliasName), map[string]interface{}{
-		"password": "testpassword",
-	})
-	if err != nil {
-		t.Fatalf("failed to configure userpass backend: %v", err)
-	}
+		key = buf.String()
+	case "": // Prompt using the tty
+		// Nonce value is not required if we are prompting via the terminal
+		nonce = status.Nonce
 
-	return userClient, entityID, aliasID
-}
+		w := getWriterFromUI(c.UI)
+		fmt.Fprintf(w, "Operation nonce: %s\n", nonce)
+		fmt.Fprintf(w, "Unseal Key (will be hidden): ")
+		key, err = password.Read(os.Stdin)
+		fmt.Fprintf(w, "\n")
+		if err != nil {
+			if err == password.ErrInterrupted {
+				c.UI.Error("user canceled")
+				return 1
+			}
 
-// SetupTOTPMount enables the totp secrets engine by mounting it. This requires
-// that the test cluster has a totp backend available.
-func SetupTOTPMount(t testing.T, client *api.Client) {
-	t.Helper()
-	// Mount the TOTP backend
-	mountInfo := &api.MountInput{
-		Type: "totp",
-	}
-	if err := client.Sys().Mount("totp", mountInfo); err != nil {
-		t.Fatalf("failed to mount totp backend: %v", err)
+			c.UI.Error(wrapAtLength(fmt.Sprintf("An error occurred attempting to "+
+				"ask for the unseal key. The raw error message is shown below, but "+
+				"usually this is because you attempted to pipe a value into the "+
+				"command or you are executing outside of a terminal (tty). If you "+
+				"want to pipe the value, pass \"-\" as the argument to read from "+
+				"stdin. The raw error was: %s", err)))
+			return 1
+		}
+	default: // Supplied directly as an arg
+		nonce = c.flagNonce
 	}
-}
 
-// SetupTOTPMethod configures the TOTP secrets engine with a provided config map.
-func SetupTOTPMethod(t testing.T, client *api.Client, config map[string]interface{}) string {
-	t.Helper()
+	// Trim any whitespace from they key, especially since we might have prompted
+	// the user for it.
+	key = strings.TrimSpace(key)
 
-	resp1, err := client.Logical().Write("identity/mfa/method/totp", config)
-
-	if err != nil || (resp1 == nil) {
-		t.Fatalf("bad: resp: %#v\n err: %v", resp1, err)
-	}
-
-	methodID := resp1.Data["method_id"].(string)
-	if methodID == "" {
-		t.Fatalf("method ID is empty")
+	// Verify we have a nonce value
+	if nonce == "" {
+		c.UI.Error("Missing nonce value: specify it via the -nonce flag")
+		return 1
 	}
 
-	return methodID
-}
-
-// SetupMFALoginEnforcement configures a single enforcement method using the
-// provided config map. "name" field is required in the config map.
-func SetupMFALoginEnforcement(t testing.T, client *api.Client, config map[string]interface{}) {
-	t.Helper()
-	enfName, ok := config["name"]
-	if !ok {
-		t.Fatalf("couldn't find name in login-enforcement config")
+	// Provide the key, this may potentially complete the update
+	fUpd := client.Sys().GenerateRootUpdate
+	switch kind {
+	case generateRootDR:
+		fUpd = client.Sys().GenerateDROperationTokenUpdate
+	case generateRootRecovery:
+		fUpd = client.Sys().GenerateRecoveryOperationTokenUpdate
 	}
-	_, err := client.Logical().WriteWithContext(context.Background(), fmt.Sprintf("identity/mfa/login-enforcement/%s", enfName), config)
+	status, err = fUpd(key, nonce)
 	if err != nil {
-		t.Fatalf("failed to configure MFAEnforcementConfig: %v", err)
+		c.UI.Error(fmt.Sprintf("Error posting unseal key: %s", err))
+		return 2
 	}
-}
-
-// SetupUserpassMountAccessor sets up userpass auth and returns its mount
-// accessor. This requires that the test cluster has a "userpass" auth method
-// available.
-func SetupUserpassMountAccessor(t testing.T, client *api.Client) string {
-	t.Helper()
-	// Enable Userpass authentication
-	err := client.Sys().EnableAuthWithOptions("userpass", &api.EnableAuthOptions{
-		Type: "userpass",
-	})
-	if err != nil {
-		t.Fatalf("failed to enable userpass auth: %v", err)
+	switch Format(c.UI) {
+	case "table":
+		return c.printStatus(status)
+	default:
+		return OutputData(c.UI, status)
 	}
+}
 
-	auths, err := client.Sys().ListAuthWithContext(context.Background())
-	if err != nil {
-		t.Fatalf("failed to list auth methods: %v", err)
+// cancel cancels the root token generation
+func (c *OperatorGenerateRootCommand) cancel(client *api.Client, kind generateRootKind) int {
+	f := client.Sys().GenerateRootCancel
+	switch kind {
+	case generateRootDR:
+		f = client.Sys().GenerateDROperationTokenCancel
+	case generateRootRecovery:
+		f = client.Sys().GenerateRecoveryOperationTokenCancel
 	}
-	if auths == nil || auths["userpass/"] == nil {
-		t.Fatalf("failed to get userpass mount accessor")
+	if err := f(); err != nil {
+		c.UI.Error(fmt.Sprintf("Error canceling root token generation: %s", err))
+		return 2
 	}
-
-	return auths["userpass/"].Accessor
+	c.UI.Output("Success! Root token generation canceled (if it was started)")
+	return 0
 }
 
-// RegisterEntityInTOTPEngine registers an entity with a methodID and returns
-// the generated name.
-func RegisterEntityInTOTPEngine(t testing.T, client *api.Client, entityID, methodID string) string {
-	t.Helper()
-	totpGenName := fmt.Sprintf("%s-%s", entityID, methodID)
-	secret, err := client.Logical().WriteWithContext(context.Background(), "identity/mfa/method/totp/admin-generate", map[string]interface{}{
-		"entity_id": entityID,
-		"method_id": methodID,
-	})
-	if err != nil {
-		t.Fatalf("failed to generate a TOTP secret on an entity: %v", err)
-	}
-	totpURL := secret.Data["url"].(string)
-	if totpURL == "" {
-		t.Fatalf("failed to get TOTP url in secret response: %+v", secret)
-	}
-	_, err = client.Logical().WriteWithContext(context.Background(), fmt.Sprintf("totp/keys/%s", totpGenName), map[string]interface{}{
-		"url": totpURL,
-	})
-	if err != nil {
-		t.Fatalf("failed to register a TOTP URL: %v", err)
-	}
-	enfPath := fmt.Sprintf("identity/mfa/login-enforcement/%s", methodID[0:4])
-	_, err = client.Logical().WriteWithContext(context.Background(), enfPath, map[string]interface{}{
-		"name":                methodID[0:4],
-		"identity_entity_ids": []string{entityID},
-		"mfa_method_ids":      []string{methodID},
-	})
-	if err != nil {
-		t.Fatalf("failed to create login enforcement")
+// status is used just to fetch and dump the status
+func (c *OperatorGenerateRootCommand) status(client *api.Client, kind generateRootKind) int {
+	f := client.Sys().GenerateRootStatus
+	switch kind {
+	case generateRootDR:
+		f = client.Sys().GenerateDROperationTokenStatus
+	case generateRootRecovery:
+		f = client.Sys().GenerateRecoveryOperationTokenStatus
 	}
 
-	return totpGenName
-}
-
-// GetTOTPCodeFromEngine requests a TOTP code from the specified enginePath.
-func GetTOTPCodeFromEngine(t testing.T, client *api.Client, enginePath string) string {
-	t.Helper()
-	totpPath := fmt.Sprintf("totp/code/%s", enginePath)
-	secret, err := client.Logical().ReadWithContext(context.Background(), totpPath)
+	status, err := f()
 	if err != nil {
-		t.Fatalf("failed to create totp passcode: %v", err)
+		c.UI.Error(fmt.Sprintf("Error getting root generation status: %s", err))
+		return 2
 	}
-	if secret == nil || secret.Data == nil {
-		t.Fatalf("bad secret returned from %s", totpPath)
+	switch Format(c.UI) {
+	case "table":
+		return c.printStatus(status)
+	default:
+		return OutputData(c.UI, status)
 	}
-	return secret.Data["code"].(string)
 }
 
-// SetupLoginMFATOTP setups up a TOTP MFA using some basic configuration and
-// returns all relevant information to the client.
-func SetupLoginMFATOTP(t testing.T, client *api.Client, methodName string, waitPeriod int) (*api.Client, string, string) {
-	t.Helper()
-	// Mount the totp secrets engine
-	SetupTOTPMount(t, client)
-
-	// Create a mount accessor to associate with an entity
-	mountAccessor := SetupUserpassMountAccessor(t, client)
-
-	// Create a test entity and alias
-	entityClient, entityID, _ := CreateEntityAndAlias(t, client, mountAccessor, "entity1", "testuser1")
-
-	// Configure a default TOTP method
-	totpConfig := map[string]interface{}{
-		"issuer":                  "yCorp",
-		"period":                  waitPeriod,
-		"algorithm":               "SHA256",
-		"digits":                  6,
-		"skew":                    1,
-		"key_size":                20,
-		"qr_size":                 200,
-		"max_validation_attempts": 5,
-		"method_name":             methodName,
+// printStatus dumps the status to output
+func (c *OperatorGenerateRootCommand) printStatus(status *api.GenerateRootStatusResponse) int {
+	out := []string{}
+	out = append(out, fmt.Sprintf("Nonce | %s", status.Nonce))
+	out = append(out, fmt.Sprintf("Started | %t", status.Started))
+	out = append(out, fmt.Sprintf("Progress | %d/%d", status.Progress, status.Required))
+	out = append(out, fmt.Sprintf("Complete | %t", status.Complete))
+	if status.PGPFingerprint != "" {
+		out = append(out, fmt.Sprintf("PGP Fingerprint | %s", status.PGPFingerprint))
 	}
-	methodID := SetupTOTPMethod(t, client, totpConfig)
-
-	// Configure a default login enforcement
-	enforcementConfig := map[string]interface{}{
-		"auth_method_types": []string{"userpass"},
-		"name":              methodID[0:4],
-		"mfa_method_ids":    []string{methodID},
+	switch {
+	case status.EncodedToken != "":
+		out = append(out, fmt.Sprintf("Encoded Token | %s", status.EncodedToken))
+	case status.EncodedRootToken != "":
+		out = append(out, fmt.Sprintf("Encoded Root Token | %s", status.EncodedRootToken))
 	}
-
-	SetupMFALoginEnforcement(t, client, enforcementConfig)
-	return entityClient, entityID, methodID
-}
-
-func SkipUnlessEnvVarsSet(t testing.T, envVars []string) {
-	t.Helper()
-
-	for _, i := range envVars {
-		if os.Getenv(i) == "" {
-			t.Skipf("%s must be set for this test to run", strings.Join(envVars, " "))
-		}
+	if status.OTP != "" {
+		c.UI.Warn(wrapAtLength("A One-Time-Password has been generated for you and is shown in the OTP field. You will need this value to decode the resulting root token, so keep it safe."))
+		out = append(out, fmt.Sprintf("OTP | %s", status.OTP))
 	}
-}
-
-// WaitForNodesExcludingSelectedStandbys is variation on WaitForActiveNodeAndStandbys.
-// It waits for the active node before waiting for standby nodes, however
-// it will not wait for cores with indexes that match those specified as arguments.
-// Whilst you could specify index 0 which is likely to be the leader node, the function
-// checks for the leader first regardless of the indexes to skip, so it would be redundant to do so.
-// The intention/use case for this function is to allow a cluster to start and become active with one
-// or more nodes not joined, so that we can test scenarios where a node joins later.
-// e.g. 4 nodes in the cluster, only 3 nodes in cluster 'active', 1 node can be joined later in tests.
-func WaitForNodesExcludingSelectedStandbys(t testing.T, cluster *vault.TestCluster, indexesToSkip ...int) {
-	WaitForActiveNode(t, cluster)
-
-	contains := func(elems []int, e int) bool {
-		for _, v := range elems {
-			if v == e {
-				return true
-			}
-		}
-
-		return false
-	}
-	for i, core := range cluster.Cores {
-		if contains(indexesToSkip, i) {
-			continue
-		}
-
-		if standby, _ := core.Core.Standby(); standby {
-			WaitForStandbyNode(t, core)
-		}
+	if status.OTPLength != 0 {
+		out = append(out, fmt.Sprintf("OTP Length | %d", status.OTPLength))
 	}
-}
 
-// IsLocalOrRegressionTests returns true when the tests are running locally (not in CI), or when
-// the regression test env var (VAULT_REGRESSION_TESTS) is provided.
-func IsLocalOrRegressionTests() bool {
-	return os.Getenv("CI") == "" || os.Getenv("VAULT_REGRESSION_TESTS") == "true"
+	output := columnOutput(out, nil)
+	c.UI.Output(output)
+	return 0
 }
diff --git a/http/handler.go b/http/handler.go
index 37e769aa5e3e..e27592d856a7 100644
--- a/http/handler.go
+++ b/http/handler.go
@@ -1,1306 +1,561 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package http
+//go:build !race
+
+package command
 
 import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"errors"
-	"fmt"
+	"encoding/base64"
 	"io"
-	"io/fs"
-	"io/ioutil"
-	"mime"
-	"net"
-	"net/http"
-	"net/http/pprof"
-	"net/textproto"
-	"net/url"
 	"os"
 	"regexp"
 	"strings"
-	"time"
-
-	"github.com/hashicorp/errwrap"
-	"github.com/hashicorp/go-cleanhttp"
-	"github.com/hashicorp/go-secure-stdlib/parseutil"
-	"github.com/hashicorp/go-sockaddr"
-	"github.com/hashicorp/go-uuid"
-	"github.com/hashicorp/vault/helper/namespace"
-	"github.com/hashicorp/vault/internalshared/configutil"
-	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/hashicorp/vault/sdk/helper/jsonutil"
-	"github.com/hashicorp/vault/sdk/helper/pathmanager"
-	"github.com/hashicorp/vault/sdk/logical"
-	"github.com/hashicorp/vault/vault"
-	gziphandler "github.com/klauspost/compress/gzhttp"
-)
+	"testing"
 
-const (
-	// WrapTTLHeaderName is the name of the header containing a directive to
-	// wrap the response
-	WrapTTLHeaderName = "X-Vault-Wrap-TTL"
-
-	// WrapFormatHeaderName is the name of the header containing the format to
-	// wrap in; has no effect if the wrap TTL is not set
-	WrapFormatHeaderName = "X-Vault-Wrap-Format"
-
-	// NoRequestForwardingHeaderName is the name of the header telling Vault
-	// not to use request forwarding
-	NoRequestForwardingHeaderName = "X-Vault-No-Request-Forwarding"
-
-	// MFAHeaderName represents the HTTP header which carries the credentials
-	// required to perform MFA on any path.
-	MFAHeaderName = "X-Vault-MFA"
-
-	// canonicalMFAHeaderName is the MFA header value's format in the request
-	// headers. Do not alter the casing of this string.
-	canonicalMFAHeaderName = "X-Vault-Mfa"
-
-	// PolicyOverrideHeaderName is the header set to request overriding
-	// soft-mandatory Sentinel policies.
-	PolicyOverrideHeaderName = "X-Vault-Policy-Override"
-
-	VaultIndexHeaderName        = "X-Vault-Index"
-	VaultInconsistentHeaderName = "X-Vault-Inconsistent"
-	VaultForwardHeaderName      = "X-Vault-Forward"
-	VaultInconsistentForward    = "forward-active-node"
-	VaultInconsistentFail       = "fail"
-
-	// DefaultMaxRequestSize is the default maximum accepted request size. This
-	// is to prevent a denial of service attack where no Content-Length is
-	// provided and the server is fed ever more data until it exhausts memory.
-	// Can be overridden per listener.
-	DefaultMaxRequestSize = 32 * 1024 * 1024
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/sdk/helper/xor"
+	"github.com/hashicorp/vault/vault"
 )
 
-var (
-	// Set to false by stub_asset if the ui build tag isn't enabled
-	uiBuiltIn = true
-
-	// perfStandbyAlwaysForwardPaths is used to check a requested path against
-	// the always forward list
-	perfStandbyAlwaysForwardPaths = pathmanager.New()
-	alwaysRedirectPaths           = pathmanager.New()
-	websocketPaths                = pathmanager.New()
-
-	injectDataIntoTopRoutes = []string{
-		"/v1/sys/audit",
-		"/v1/sys/audit/",
-		"/v1/sys/audit-hash/",
-		"/v1/sys/auth",
-		"/v1/sys/auth/",
-		"/v1/sys/config/cors",
-		"/v1/sys/config/auditing/request-headers/",
-		"/v1/sys/config/auditing/request-headers",
-		"/v1/sys/capabilities",
-		"/v1/sys/capabilities-accessor",
-		"/v1/sys/capabilities-self",
-		"/v1/sys/ha-status",
-		"/v1/sys/key-status",
-		"/v1/sys/mounts",
-		"/v1/sys/mounts/",
-		"/v1/sys/policy",
-		"/v1/sys/policy/",
-		"/v1/sys/rekey/backup",
-		"/v1/sys/rekey/recovery-key-backup",
-		"/v1/sys/remount",
-		"/v1/sys/rotate",
-		"/v1/sys/wrapping/wrap",
-	}
-	websocketRawPaths = []string{
-		"/v1/sys/events/subscribe",
-	}
-	oidcProtectedPathRegex = regexp.MustCompile(`^identity/oidc/provider/\w(([\w-.]+)?\w)?/userinfo$`)
-)
+func testOperatorGenerateRootCommand(tb testing.TB) (*cli.MockUi, *OperatorGenerateRootCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &OperatorGenerateRootCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestOperatorGenerateRootCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"init_invalid_otp",
+			[]string{
+				"-init",
+				"-otp", "not-a-valid-otp",
+			},
+			"OTP string is wrong length",
+			2,
+		},
+		{
+			"init_pgp_multi",
+			[]string{
+				"-init",
+				"-pgp-key", "keybase:hashicorp",
+				"-pgp-key", "keybase:jefferai",
+			},
+			"can only be specified once",
+			1,
+		},
+		{
+			"init_pgp_multi_inline",
+			[]string{
+				"-init",
+				"-pgp-key", "keybase:hashicorp,keybase:jefferai",
+			},
+			"can only specify one pgp key",
+			1,
+		},
+		{
+			"init_pgp_otp",
+			[]string{
+				"-init",
+				"-pgp-key", "keybase:hashicorp",
+				"-otp", "abcd1234",
+			},
+			"cannot specify both -otp and -pgp-key",
+			1,
+		},
+	}
+
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range cases {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				ui, cmd := testOperatorGenerateRootCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("%s: expected %d to be %d", tc.name, code, tc.code)
+				}
 
-func init() {
-	alwaysRedirectPaths.AddPaths([]string{
-		"sys/storage/raft/snapshot",
-		"sys/storage/raft/snapshot-force",
-		"!sys/storage/raft/snapshot-auto/config",
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("%s: expected %q to contain %q", tc.name, combined, tc.out)
+				}
+			})
+		}
 	})
-	websocketPaths.AddPaths(websocketRawPaths)
-	for _, path := range websocketRawPaths {
-		alwaysRedirectPaths.AddPaths([]string{strings.TrimPrefix(path, "/v1/")})
-	}
-}
 
-type HandlerAnchor struct{}
+	t.Run("generate_otp", func(t *testing.T) {
+		t.Parallel()
 
-func (h HandlerAnchor) Handler(props *vault.HandlerProperties) http.Handler {
-	return handler(props)
-}
+		client, closer := testVaultServer(t)
+		defer closer()
 
-var Handler vault.HandlerHandler = HandlerAnchor{}
+		_, cmd := testOperatorGenerateRootCommand(t)
+		cmd.client = client
 
-type HandlerFunc func(props *vault.HandlerProperties) http.Handler
+		code := cmd.Run([]string{
+			"-generate-otp",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+	})
 
-func (h HandlerFunc) Handler(props *vault.HandlerProperties) http.Handler {
-	return h(props)
-}
+	t.Run("decode", func(t *testing.T) {
+		t.Parallel()
 
-var _ vault.HandlerHandler = HandlerFunc(func(props *vault.HandlerProperties) http.Handler { return nil })
-
-// handler returns an http.Handler for the API. This can be used on
-// its own to mount the Vault API within another web server.
-func handler(props *vault.HandlerProperties) http.Handler {
-	core := props.Core
-
-	// Create the muxer to handle the actual endpoints
-	mux := http.NewServeMux()
-
-	switch {
-	case props.RecoveryMode:
-		raw := vault.NewRawBackend(core)
-		strategy := vault.GenerateRecoveryTokenStrategy(props.RecoveryToken)
-		mux.Handle("/v1/sys/raw/", handleLogicalRecovery(raw, props.RecoveryToken))
-		mux.Handle("/v1/sys/generate-recovery-token/attempt", handleSysGenerateRootAttempt(core, strategy))
-		mux.Handle("/v1/sys/generate-recovery-token/update", handleSysGenerateRootUpdate(core, strategy))
-	default:
-		// Handle non-forwarded paths
-		mux.Handle("/v1/sys/config/state/", handleLogicalNoForward(core))
-		mux.Handle("/v1/sys/host-info", handleLogicalNoForward(core))
-
-		mux.Handle("/v1/sys/init", handleSysInit(core))
-		mux.Handle("/v1/sys/seal-status", handleSysSealStatus(core,
-			WithRedactClusterName(props.ListenerConfig.RedactClusterName),
-			WithRedactVersion(props.ListenerConfig.RedactVersion)))
-		mux.Handle("/v1/sys/seal-backend-status", handleSysSealBackendStatus(core))
-		mux.Handle("/v1/sys/seal", handleSysSeal(core))
-		mux.Handle("/v1/sys/step-down", handleRequestForwarding(core, handleSysStepDown(core)))
-		mux.Handle("/v1/sys/unseal", handleSysUnseal(core))
-		mux.Handle("/v1/sys/leader", handleSysLeader(core,
-			WithRedactAddresses(props.ListenerConfig.RedactAddresses)))
-		mux.Handle("/v1/sys/health", handleSysHealth(core,
-			WithRedactClusterName(props.ListenerConfig.RedactClusterName),
-			WithRedactVersion(props.ListenerConfig.RedactVersion)))
-		mux.Handle("/v1/sys/monitor", handleLogicalNoForward(core))
-		mux.Handle("/v1/sys/generate-root/attempt", handleRequestForwarding(core,
-			handleAuditNonLogical(core, handleSysGenerateRootAttempt(core, vault.GenerateStandardRootTokenStrategy))))
-		mux.Handle("/v1/sys/generate-root/update", handleRequestForwarding(core,
-			handleAuditNonLogical(core, handleSysGenerateRootUpdate(core, vault.GenerateStandardRootTokenStrategy))))
-		mux.Handle("/v1/sys/rekey/init", handleRequestForwarding(core, handleSysRekeyInit(core, false)))
-		mux.Handle("/v1/sys/rekey/update", handleRequestForwarding(core, handleSysRekeyUpdate(core, false)))
-		mux.Handle("/v1/sys/rekey/verify", handleRequestForwarding(core, handleSysRekeyVerify(core, false)))
-		mux.Handle("/v1/sys/rekey-recovery-key/init", handleRequestForwarding(core, handleSysRekeyInit(core, true)))
-		mux.Handle("/v1/sys/rekey-recovery-key/update", handleRequestForwarding(core, handleSysRekeyUpdate(core, true)))
-		mux.Handle("/v1/sys/rekey-recovery-key/verify", handleRequestForwarding(core, handleSysRekeyVerify(core, true)))
-		mux.Handle("/v1/sys/storage/raft/bootstrap", handleSysRaftBootstrap(core))
-		mux.Handle("/v1/sys/storage/raft/join", handleSysRaftJoin(core))
-		mux.Handle("/v1/sys/internal/ui/feature-flags", handleSysInternalFeatureFlags(core))
-
-		for _, path := range injectDataIntoTopRoutes {
-			mux.Handle(path, handleRequestForwarding(core, handleLogicalWithInjector(core)))
-		}
-		mux.Handle("/v1/sys/", handleRequestForwarding(core, handleLogical(core)))
-		mux.Handle("/v1/", handleRequestForwarding(core, handleLogical(core)))
-		if core.UIEnabled() {
-			if uiBuiltIn {
-				mux.Handle("/ui/", http.StripPrefix("/ui/", gziphandler.GzipHandler(handleUIHeaders(core, handleUI(http.FileServer(&UIAssetWrapper{FileSystem: assetFS()}))))))
-				mux.Handle("/robots.txt", gziphandler.GzipHandler(handleUIHeaders(core, handleUI(http.FileServer(&UIAssetWrapper{FileSystem: assetFS()})))))
-			} else {
-				mux.Handle("/ui/", handleUIHeaders(core, handleUIStub()))
-			}
-			mux.Handle("/ui", handleUIRedirect())
-			mux.Handle("/", handleUIRedirect())
+		encoded := "Bxg9JQQqOCNKBRICNwMIRzo2J3cWCBRi"
+		otp := "3JhHkONiyiaNYj14nnD9xZQS"
 
-		}
+		client, closer := testVaultServer(t)
+		defer closer()
 
-		// Register metrics path without authentication if enabled
-		if props.ListenerConfig != nil && props.ListenerConfig.Telemetry.UnauthenticatedMetricsAccess {
-			mux.Handle("/v1/sys/metrics", handleMetricsUnauthenticated(core))
-		} else {
-			mux.Handle("/v1/sys/metrics", handleLogicalNoForward(core))
-		}
+		ui, cmd := testOperatorGenerateRootCommand(t)
+		cmd.client = client
 
-		if props.ListenerConfig != nil && props.ListenerConfig.Profiling.UnauthenticatedPProfAccess {
-			for _, name := range []string{"goroutine", "threadcreate", "heap", "allocs", "block", "mutex"} {
-				mux.Handle("/v1/sys/pprof/"+name, pprof.Handler(name))
-			}
-			mux.Handle("/v1/sys/pprof/", http.HandlerFunc(pprof.Index))
-			mux.Handle("/v1/sys/pprof/cmdline", http.HandlerFunc(pprof.Cmdline))
-			mux.Handle("/v1/sys/pprof/profile", http.HandlerFunc(pprof.Profile))
-			mux.Handle("/v1/sys/pprof/symbol", http.HandlerFunc(pprof.Symbol))
-			mux.Handle("/v1/sys/pprof/trace", http.HandlerFunc(pprof.Trace))
-		} else {
-			mux.Handle("/v1/sys/pprof/", handleLogicalNoForward(core))
+		// Simulate piped output to print raw output
+		old := os.Stdout
+		_, w, err := os.Pipe()
+		if err != nil {
+			t.Fatal(err)
 		}
+		os.Stdout = w
 
-		if props.ListenerConfig != nil && props.ListenerConfig.InFlightRequestLogging.UnauthenticatedInFlightAccess {
-			mux.Handle("/v1/sys/in-flight-req", handleUnAuthenticatedInFlightRequest(core))
-		} else {
-			mux.Handle("/v1/sys/in-flight-req", handleLogicalNoForward(core))
+		code := cmd.Run([]string{
+			"-decode", encoded,
+			"-otp", otp,
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
 		}
-		entAdditionalRoutes(mux, core)
-	}
 
-	// Build up a chain of wrapping handlers.
-	wrappedHandler := wrapHelpHandler(mux, core)
-	wrappedHandler = wrapCORSHandler(wrappedHandler, core)
-	wrappedHandler = rateLimitQuotaWrapping(wrappedHandler, core)
-	wrappedHandler = entWrapGenericHandler(core, wrappedHandler, props)
-
-	// Add an extra wrapping handler if the DisablePrintableCheck listener
-	// setting isn't true that checks for non-printable characters in the
-	// request path.
-	if !props.DisablePrintableCheck {
-		wrappedHandler = cleanhttp.PrintablePathCheckHandler(wrappedHandler, nil)
-	}
-
-	// Add an extra wrapping handler if the DisableReplicationStatusEndpoints
-	// setting is true that will create a new request with a context that has
-	// a value indicating that the replication status endpoints are disabled.
-	if props.ListenerConfig != nil && props.ListenerConfig.DisableReplicationStatusEndpoints {
-		wrappedHandler = disableReplicationStatusEndpointWrapping(wrappedHandler)
-	}
+		w.Close()
+		os.Stdout = old
 
-	return wrappedHandler
-}
+		expected := "4RUmoevJ3lsLni9sTXcNnRE1"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if combined != expected {
+			t.Errorf("expected %q to be %q", combined, expected)
+		}
+	})
 
-type copyResponseWriter struct {
-	wrapped    http.ResponseWriter
-	statusCode int
-	body       *bytes.Buffer
-}
+	t.Run("decode_from_stdin", func(t *testing.T) {
+		t.Parallel()
 
-// newCopyResponseWriter returns an initialized newCopyResponseWriter
-func newCopyResponseWriter(wrapped http.ResponseWriter) *copyResponseWriter {
-	w := &copyResponseWriter{
-		wrapped:    wrapped,
-		body:       new(bytes.Buffer),
-		statusCode: 200,
-	}
-	return w
-}
+		encoded := "Bxg9JQQqOCNKBRICNwMIRzo2J3cWCBRi"
+		otp := "3JhHkONiyiaNYj14nnD9xZQS"
 
-func (w *copyResponseWriter) Header() http.Header {
-	return w.wrapped.Header()
-}
+		client, closer := testVaultServer(t)
+		defer closer()
 
-func (w *copyResponseWriter) Write(buf []byte) (int, error) {
-	w.body.Write(buf)
-	return w.wrapped.Write(buf)
-}
+		stdinR, stdinW := io.Pipe()
+		go func() {
+			stdinW.Write([]byte(encoded))
+			stdinW.Close()
+		}()
 
-func (w *copyResponseWriter) WriteHeader(code int) {
-	w.statusCode = code
-	w.wrapped.WriteHeader(code)
-}
+		ui, cmd := testOperatorGenerateRootCommand(t)
+		cmd.client = client
+		cmd.testStdin = stdinR
 
-func handleAuditNonLogical(core *vault.Core, h http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		origBody := new(bytes.Buffer)
-		reader := ioutil.NopCloser(io.TeeReader(r.Body, origBody))
-		r.Body = reader
-		req, _, status, err := buildLogicalRequestNoAuth(core.PerfStandby(), core.RouterAccess(), w, r)
-		if err != nil || status != 0 {
-			respondError(w, status, err)
-			return
+		// Simulate piped output to print raw output
+		old := os.Stdout
+		_, w, err := os.Pipe()
+		if err != nil {
+			t.Fatal(err)
 		}
+		os.Stdout = w
 
-		r.Body = io.NopCloser(origBody)
-
-		input := &logical.LogInput{
-			Request: req,
+		code := cmd.Run([]string{
+			"-decode", "-", // read from stdin
+			"-otp", otp,
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
 		}
-		err = core.AuditLogger().AuditRequest(r.Context(), input)
-		if err != nil {
-			respondError(w, status, err)
-			return
-		}
-		cw := newCopyResponseWriter(w)
-		h.ServeHTTP(cw, r)
-		data := make(map[string]interface{})
 
-		// Refactoring this code, since the returned error was being ignored.
-		jsonutil.DecodeJSON(cw.body.Bytes(), &data)
+		w.Close()
+		os.Stdout = old
 
-		httpResp := &logical.HTTPResponse{Data: data, Headers: cw.Header()}
-		input.Response = logical.HTTPResponseToLogicalResponse(httpResp)
-		err = core.AuditLogger().AuditResponse(r.Context(), input)
-		if err != nil {
-			respondError(w, status, err)
+		expected := "4RUmoevJ3lsLni9sTXcNnRE1"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if combined != expected {
+			t.Errorf("expected %q to be %q", combined, expected)
 		}
 	})
-}
 
-// wrapGenericHandler wraps the handler with an extra layer of handler where
-// tasks that should be commonly handled for all the requests and/or responses
-// are performed.
-func wrapGenericHandler(core *vault.Core, h http.Handler, props *vault.HandlerProperties) http.Handler {
-	var maxRequestDuration time.Duration
-	var maxRequestSize int64
-	if props.ListenerConfig != nil {
-		maxRequestDuration = props.ListenerConfig.MaxRequestDuration
-		maxRequestSize = props.ListenerConfig.MaxRequestSize
-	}
-	if maxRequestDuration == 0 {
-		maxRequestDuration = vault.DefaultMaxRequestDuration
-	}
-	if maxRequestSize == 0 {
-		maxRequestSize = DefaultMaxRequestSize
-	}
+	t.Run("decode_from_stdin_empty", func(t *testing.T) {
+		t.Parallel()
 
-	// Swallow this error since we don't want to pollute the logs and we also don't want to
-	// return an HTTP error here. This information is best effort.
-	hostname, _ := os.Hostname()
-
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// This block needs to be here so that upon sending SIGHUP, custom response
-		// headers are also reloaded into the handlers.
-		var customHeaders map[string][]*logical.CustomHeader
-		if props.ListenerConfig != nil {
-			la := props.ListenerConfig.Address
-			listenerCustomHeaders := core.GetListenerCustomResponseHeaders(la)
-			if listenerCustomHeaders != nil {
-				customHeaders = listenerCustomHeaders.StatusCodeHeaderMap
-			}
-		}
-		// saving start time for the in-flight requests
-		inFlightReqStartTime := time.Now()
-
-		nw := logical.NewStatusHeaderResponseWriter(w, customHeaders)
-
-		// Set the Cache-Control header for all the responses returned
-		// by Vault
-		nw.Header().Set("Cache-Control", "no-store")
-
-		// Start with the request context
-		ctx := r.Context()
-		var cancelFunc context.CancelFunc
-		// Add our timeout, but not for the monitor or events endpoints, as they are streaming
-		if strings.HasSuffix(r.URL.Path, "sys/monitor") || strings.Contains(r.URL.Path, "sys/events") {
-			ctx, cancelFunc = context.WithCancel(ctx)
-		} else {
-			ctx, cancelFunc = context.WithTimeout(ctx, maxRequestDuration)
-		}
+		encoded := ""
+		otp := "3JhHkONiyiaNYj14nnD9xZQS"
 
-		// if maxRequestSize < 0, no need to set context value
-		// Add a size limiter if desired
-		if maxRequestSize > 0 {
-			ctx = logical.CreateContextMaxRequestSize(ctx, maxRequestSize)
-		}
-		ctx = logical.CreateContextOriginalRequestPath(ctx, r.URL.Path)
-		r = r.WithContext(ctx)
-		r = r.WithContext(namespace.ContextWithNamespace(r.Context(), namespace.RootNamespace))
-
-		// Set some response headers with raft node id (if applicable) and hostname, if available
-		if core.RaftNodeIDHeaderEnabled() {
-			nodeID := core.GetRaftNodeID()
-			if nodeID != "" {
-				nw.Header().Set("X-Vault-Raft-Node-ID", nodeID)
-			}
-		}
+		client, closer := testVaultServer(t)
+		defer closer()
 
-		if core.HostnameHeaderEnabled() && hostname != "" {
-			nw.Header().Set("X-Vault-Hostname", hostname)
-		}
+		stdinR, stdinW := io.Pipe()
+		go func() {
+			stdinW.Write([]byte(encoded))
+			stdinW.Close()
+		}()
 
-		// Extract the namespace from the header before we modify it
-		ns := r.Header.Get(consts.NamespaceHeaderName)
-		switch {
-		case strings.HasPrefix(r.URL.Path, "/v1/"):
-			// Setting the namespace in the header to be included in the error message
-			newR, status, err := adjustRequest(core, props.ListenerConfig, r)
-			if status != 0 {
-				respondError(nw, status, err)
-				cancelFunc()
-				return
-			}
-			r = newR
-
-		case strings.HasPrefix(r.URL.Path, "/ui"), r.URL.Path == "/robots.txt", r.URL.Path == "/":
-			// RFC 5785
-		case strings.HasPrefix(r.URL.Path, "/.well-known/"):
-			standby, err := core.Standby()
-			if err != nil {
-				core.Logger().Warn("error resolving standby status handling .well-known path", "error", err)
-			} else if standby {
-				respondStandby(core, w, r.URL)
-				cancelFunc()
-				return
-			} else {
-				redir, err := core.GetWellKnownRedirect(r.Context(), r.URL.Path)
-				if err != nil {
-					core.Logger().Warn("error resolving potential API redirect", "error", err)
-				} else {
-					if redir != "" {
-						dest := url.URL{
-							Path:     redir,
-							RawQuery: r.URL.RawQuery,
-						}
-						w.Header().Set("Location", dest.String())
-						if r.Method == http.MethodGet || r.Proto == "HTTP/1.0" {
-							w.WriteHeader(http.StatusFound)
-						} else {
-							w.WriteHeader(http.StatusTemporaryRedirect)
-						}
-						cancelFunc()
-						return
-					}
-				}
-			}
-			respondError(nw, http.StatusNotFound, nil)
-			cancelFunc()
-			return
-		}
+		ui, cmd := testOperatorGenerateRootCommand(t)
+		cmd.client = client
+		cmd.testStdin = stdinR
 
-		// The uuid for the request is going to be generated when a logical
-		// request is generated. But, here we generate one to be able to track
-		// in-flight requests, and use that to update the req data with clientID
-		inFlightReqID, err := uuid.GenerateUUID()
+		// Simulate piped output to print raw output
+		old := os.Stdout
+		_, w, err := os.Pipe()
 		if err != nil {
-			respondError(nw, http.StatusInternalServerError, fmt.Errorf("failed to generate an identifier for the in-flight request"))
-		}
-		// adding an entry to the context to enable updating in-flight
-		// data with ClientID in the logical layer
-		r = r.WithContext(context.WithValue(r.Context(), logical.CtxKeyInFlightRequestID{}, inFlightReqID))
-
-		// extracting the client address to be included in the in-flight request
-		var clientAddr string
-		headers := r.Header[textproto.CanonicalMIMEHeaderKey("X-Forwarded-For")]
-		if len(headers) == 0 {
-			clientAddr = r.RemoteAddr
-		} else {
-			clientAddr = headers[0]
+			t.Fatal(err)
 		}
+		os.Stdout = w
 
-		// getting the request method
-		requestMethod := r.Method
-
-		// Storing the in-flight requests. Path should include namespace as well
-		core.StoreInFlightReqData(
-			inFlightReqID,
-			vault.InFlightReqData{
-				StartTime:        inFlightReqStartTime,
-				ReqPath:          r.URL.Path,
-				ClientRemoteAddr: clientAddr,
-				Method:           requestMethod,
-			})
-		defer func() {
-			// Not expecting this fail, so skipping the assertion check
-			core.FinalizeInFlightReqData(inFlightReqID, nw.StatusCode)
-		}()
-
-		// Setting the namespace in the header to be included in the error message
-		if ns != "" {
-			nw.Header().Set(consts.NamespaceHeaderName, ns)
+		code := cmd.Run([]string{
+			"-decode", "-", // read from stdin
+			"-otp", otp,
+		})
+		if exp := 1; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
 		}
 
-		h.ServeHTTP(nw, r)
+		w.Close()
+		os.Stdout = old
 
-		cancelFunc()
-	})
-}
-
-func WrapForwardedForHandler(h http.Handler, l *configutil.Listener) http.Handler {
-	rejectNotPresent := l.XForwardedForRejectNotPresent
-	hopSkips := l.XForwardedForHopSkips
-	authorizedAddrs := l.XForwardedForAuthorizedAddrs
-	rejectNotAuthz := l.XForwardedForRejectNotAuthorized
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		headers, headersOK := r.Header[textproto.CanonicalMIMEHeaderKey("X-Forwarded-For")]
-		if !headersOK || len(headers) == 0 {
-			if !rejectNotPresent {
-				h.ServeHTTP(w, r)
-				return
-			}
-			respondError(w, http.StatusBadRequest, fmt.Errorf("missing x-forwarded-for header and configured to reject when not present"))
-			return
+		expected := "Missing encoded value"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
 		}
+	})
 
-		host, port, err := net.SplitHostPort(r.RemoteAddr)
-		if err != nil {
-			// If not rejecting treat it like we just don't have a valid
-			// header because we can't do a comparison against an address we
-			// can't understand
-			if !rejectNotPresent {
-				h.ServeHTTP(w, r)
-				return
-			}
-			respondError(w, http.StatusBadRequest, fmt.Errorf("error parsing client hostport: %w", err))
-			return
-		}
+	t.Run("cancel", func(t *testing.T) {
+		t.Parallel()
 
-		addr, err := sockaddr.NewIPAddr(host)
-		if err != nil {
-			// We treat this the same as the case above
-			if !rejectNotPresent {
-				h.ServeHTTP(w, r)
-				return
-			}
-			respondError(w, http.StatusBadRequest, fmt.Errorf("error parsing client address: %w", err))
-			return
-		}
+		client, closer := testVaultServer(t)
+		defer closer()
 
-		var found bool
-		for _, authz := range authorizedAddrs {
-			if authz.Contains(addr) {
-				found = true
-				break
-			}
-		}
-		if !found {
-			// If we didn't find it and aren't configured to reject, simply
-			// don't trust it
-			if !rejectNotAuthz {
-				h.ServeHTTP(w, r)
-				return
-			}
-			respondError(w, http.StatusBadRequest, fmt.Errorf("client address not authorized for x-forwarded-for and configured to reject connection"))
-			return
+		// Initialize a generation
+		if _, err := client.Sys().GenerateRootInit("", ""); err != nil {
+			t.Fatal(err)
 		}
 
-		// At this point we have at least one value and it's authorized
+		ui, cmd := testOperatorGenerateRootCommand(t)
+		cmd.client = client
 
-		// Split comma separated ones, which are common. This brings it in line
-		// to the multiple-header case.
-		var acc []string
-		for _, header := range headers {
-			vals := strings.Split(header, ",")
-			for _, v := range vals {
-				acc = append(acc, strings.TrimSpace(v))
-			}
+		code := cmd.Run([]string{
+			"-cancel",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
 		}
 
-		indexToUse := int64(len(acc)) - 1 - hopSkips
-		if indexToUse < 0 {
-			// This is likely an error in either configuration or other
-			// infrastructure. We could either deny the request, or we
-			// could simply not trust the value. Denying the request is
-			// "safer" since if this logic is configured at all there may
-			// be an assumption it can always be trusted. Given that we can
-			// deny accepting the request at all if it's not from an
-			// authorized address, if we're at this point the address is
-			// authorized (or we've turned off explicit rejection) and we
-			// should assume that what comes in should be properly
-			// formatted.
-			respondError(w, http.StatusBadRequest, fmt.Errorf("malformed x-forwarded-for configuration or request, hops to skip (%d) would skip before earliest chain link (chain length %d)", hopSkips, len(headers)))
-			return
+		expected := "Success! Root token generation canceled"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
 		}
 
-		r.RemoteAddr = net.JoinHostPort(acc[indexToUse], port)
-		h.ServeHTTP(w, r)
-	})
-}
-
-func handleUIHeaders(core *vault.Core, h http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-		header := w.Header()
-
-		userHeaders, err := core.UIHeaders()
+		status, err := client.Sys().GenerateRootStatus()
 		if err != nil {
-			respondError(w, http.StatusInternalServerError, err)
-			return
+			t.Fatal(err)
 		}
 
-		for k := range userHeaders {
-			v := userHeaders.Get(k)
-			header.Set(k, v)
+		if status.Started {
+			t.Errorf("expected status to be canceled: %#v", status)
 		}
-
-		h.ServeHTTP(w, req)
 	})
-}
 
-func handleUI(h http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-		// The fileserver handler strips trailing slashes and does a redirect.
-		// We don't want the redirect to happen so we preemptively trim the slash
-		// here.
-		req.URL.Path = strings.TrimSuffix(req.URL.Path, "/")
-		h.ServeHTTP(w, req)
-	})
-}
+	t.Run("init_otp", func(t *testing.T) {
+		t.Parallel()
 
-func handleUIStub() http.Handler {
-	stubHTML := `
-	<!DOCTYPE html>
-	<html>
-	<style>
-	body {
-	color: #1F2124;
-	font-family: system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", "Roboto", "Oxygen", "Ubuntu", "Cantarell", "Fira Sans", "Droid Sans", "Helvetica Neue", sans-serif;
-	}
+		client, closer := testVaultServer(t)
+		defer closer()
 
-	.wrapper {
-	display: flex;
-	justify-content: center;
-	align-items: center;
-	height: 500px;
-	}
-
-	.content ul {
-	line-height: 1.5;
-	}
-
-	a {
-	color: #1563ff;
-	text-decoration: none;
-	}
-
-	.header {
-	display: flex;
-	color: #6a7786;
-	align-items: center;
-	}
+		ui, cmd := testOperatorGenerateRootCommand(t)
+		cmd.client = client
 
-	.header svg {
-	padding-right: 12px;
-	}
+		code := cmd.Run([]string{
+			"-init",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
 
-	.alert {
-	transform: scale(0.07);
-	fill: #6a7786;
-	}
+		expected := "Nonce"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
 
-	h1 {
-	font-weight: 500;
-	}
+		status, err := client.Sys().GenerateRootStatus()
+		if err != nil {
+			t.Fatal(err)
+		}
 
-	p {
-	margin-top: 0px;
-	}
-	</style>
-	<div class="wrapper">
-	<div class="content">
-	<div class="header">
-	<svg width="36px" height="36px" viewBox="0 0 36 36" xmlns="http://www.w3.org/2000/svg">
-	<path class="alert" d="M476.7 422.2L270.1 72.7c-2.9-5-8.3-8.7-14.1-8.7-5.9 0-11.3 3.7-14.1 8.7L35.3 422.2c-2.8 5-4.8 13-1.9 17.9 2.9 4.9 8.2 7.9 14 7.9h417.1c5.8 0 11.1-3 14-7.9 3-4.9 1-13-1.8-17.9zM288 400h-64v-48h64v48zm0-80h-64V176h64v144z"/>
-	</svg>
-	<h1>Vault UI is not available in this binary.</h1>
-	</div>
-	<p>To get Vault UI do one of the following:</p>
-	<ul>
-	<li><a href="https://www.vaultproject.io/downloads.html">Download an official release</a></li>
-	<li>Run <code>make bin</code> to create your own release binaries.
-	<li>Run <code>make dev-ui</code> to create a development binary with the UI.
-	</ul>
-	</div>
-	</div>
-	</html>
-	`
-	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-		w.Write([]byte(stubHTML))
+		if !status.Started {
+			t.Errorf("expected status to be started: %#v", status)
+		}
 	})
-}
 
-func handleUIRedirect() http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-		http.Redirect(w, req, "/ui/", http.StatusTemporaryRedirect)
-	})
-}
+	t.Run("init_pgp", func(t *testing.T) {
+		t.Parallel()
 
-type UIAssetWrapper struct {
-	FileSystem http.FileSystem
-}
+		pgpKey := "keybase:hashicorp"
+		pgpFingerprint := "c874011f0ab405110d02105534365d9472d7468f"
 
-func (fsw *UIAssetWrapper) Open(name string) (http.File, error) {
-	file, err := fsw.FileSystem.Open(name)
-	if err == nil {
-		return file, nil
-	}
-	// serve index.html instead of 404ing
-	if errors.Is(err, fs.ErrNotExist) {
-		file, err := fsw.FileSystem.Open("index.html")
-		return file, err
-	}
-	return nil, err
-}
+		client, closer := testVaultServer(t)
+		defer closer()
 
-func parseQuery(values url.Values) map[string]interface{} {
-	data := map[string]interface{}{}
-	for k, v := range values {
-		// Skip the help key as this is a reserved parameter
-		if k == "help" {
-			continue
-		}
+		ui, cmd := testOperatorGenerateRootCommand(t)
+		cmd.client = client
 
-		switch {
-		case len(v) == 0:
-		case len(v) == 1:
-			data[k] = v[0]
-		default:
-			data[k] = v
+		code := cmd.Run([]string{
+			"-init",
+			"-pgp-key", pgpKey,
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
 		}
-	}
-
-	if len(data) > 0 {
-		return data
-	}
-	return nil
-}
 
-func parseJSONRequest(perfStandby bool, r *http.Request, w http.ResponseWriter, out interface{}) (io.ReadCloser, error) {
-	// Limit the maximum number of bytes to MaxRequestSize to protect
-	// against an indefinite amount of data being read.
-	reader := r.Body
-	ctx := r.Context()
-	if logical.ContextContainsMaxRequestSize(ctx) {
-		max, ok := logical.ContextMaxRequestSizeValue(ctx)
-		if !ok {
-			return nil, errors.New("could not parse max request size from request context")
-		}
-		if max > 0 {
-			// MaxBytesReader won't do all the internal stuff it must unless it's
-			// given a ResponseWriter that implements the internal http interface
-			// requestTooLarger.  So we let it have access to the underlying
-			// ResponseWriter.
-			inw := w
-			if myw, ok := inw.(logical.WrappingResponseWriter); ok {
-				inw = myw.Wrapped()
-			}
-			reader = http.MaxBytesReader(inw, r.Body, max)
+		expected := "Nonce"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
 		}
-	}
-
-	var origBody io.ReadWriter
 
-	if perfStandby {
-		// Since we're checking PerfStandby here we key on origBody being nil
-		// or not later, so we need to always allocate so it's non-nil
-		origBody = new(bytes.Buffer)
-		reader = ioutil.NopCloser(io.TeeReader(reader, origBody))
-	}
-	err := jsonutil.DecodeJSONFromReader(reader, out)
-	if err != nil && err != io.EOF {
-		return nil, fmt.Errorf("failed to parse JSON input: %w", err)
-	}
-	if origBody != nil {
-		return ioutil.NopCloser(origBody), err
-	}
-	return nil, err
-}
+		status, err := client.Sys().GenerateRootStatus()
+		if err != nil {
+			t.Fatal(err)
+		}
 
-// parseFormRequest parses values from a form POST.
-//
-// A nil map will be returned if the format is empty or invalid.
-func parseFormRequest(r *http.Request) (map[string]interface{}, error) {
-	if logical.ContextContainsMaxRequestSize(r.Context()) {
-		max, ok := logical.ContextMaxRequestSizeValue(r.Context())
-		if !ok {
-			return nil, errors.New("could not parse max request size from request context")
+		if !status.Started {
+			t.Errorf("expected status to be started: %#v", status)
 		}
-		if max > 0 {
-			r.Body = io.NopCloser(io.LimitReader(r.Body, max))
+		if status.PGPFingerprint != pgpFingerprint {
+			t.Errorf("expected %q to be %q", status.PGPFingerprint, pgpFingerprint)
 		}
-	}
+	})
 
-	if err := r.ParseForm(); err != nil {
-		return nil, err
-	}
+	t.Run("status", func(t *testing.T) {
+		t.Parallel()
 
-	var data map[string]interface{}
-
-	if len(r.PostForm) != 0 {
-		data = make(map[string]interface{}, len(r.PostForm))
-		for k, v := range r.PostForm {
-			switch len(v) {
-			case 0:
-			case 1:
-				data[k] = v[0]
-			default:
-				// Almost anywhere taking in a string list can take in comma
-				// separated values, and really this is super niche anyways
-				data[k] = strings.Join(v, ",")
-			}
-		}
-	}
+		client, closer := testVaultServer(t)
+		defer closer()
 
-	return data, nil
-}
+		ui, cmd := testOperatorGenerateRootCommand(t)
+		cmd.client = client
 
-// forwardBasedOnHeaders returns true if the request headers specify that
-// we should forward to the active node - either unconditionally or because
-// a specified state isn't present locally.
-func forwardBasedOnHeaders(core *vault.Core, r *http.Request) (bool, error) {
-	rawForward := r.Header.Get(VaultForwardHeaderName)
-	if rawForward != "" {
-		if !core.AllowForwardingViaHeader() {
-			return false, fmt.Errorf("forwarding via header %s disabled in configuration", VaultForwardHeaderName)
+		code := cmd.Run([]string{
+			"-status",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
 		}
-		if rawForward == "active-node" {
-			return true, nil
-		}
-		return false, nil
-	}
-
-	rawInconsistent := r.Header.Get(VaultInconsistentHeaderName)
-	if rawInconsistent == "" {
-		return false, nil
-	}
 
-	switch rawInconsistent {
-	case VaultInconsistentForward:
-		if !core.AllowForwardingViaHeader() {
-			return false, fmt.Errorf("forwarding via header %s=%s disabled in configuration",
-				VaultInconsistentHeaderName, VaultInconsistentForward)
+		expected := "Nonce"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
 		}
-	default:
-		return false, nil
-	}
+	})
 
-	return core.MissingRequiredState(r.Header.Values(VaultIndexHeaderName), core.PerfStandby()), nil
-}
+	t.Run("provide_arg", func(t *testing.T) {
+		t.Parallel()
+
+		client, keys, closer := testVaultServerUnseal(t)
+		defer closer()
 
-// handleRequestForwarding determines whether to forward a request or not,
-// falling back on the older behavior of redirecting the client
-func handleRequestForwarding(core *vault.Core, handler http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// Note if the client requested forwarding
-		shouldForward, err := forwardBasedOnHeaders(core, r)
+		// Initialize a generation
+		status, err := client.Sys().GenerateRootInit("", "")
 		if err != nil {
-			respondError(w, http.StatusBadRequest, err)
-			return
+			t.Fatal(err)
 		}
+		nonce := status.Nonce
+		otp := status.OTP
 
-		// If we are a performance standby we can maybe handle the request.
-		if core.PerfStandby() && !shouldForward {
-			ns, err := namespace.FromContext(r.Context())
-			if err != nil {
-				respondError(w, http.StatusBadRequest, err)
-				return
-			}
-			path := ns.TrimmedPath(r.URL.Path[len("/v1/"):])
-			if !perfStandbyAlwaysForwardPaths.HasPath(path) && !alwaysRedirectPaths.HasPath(path) {
-				handler.ServeHTTP(w, r)
-				return
-			}
-		}
+		// Supply the first n-1 unseal keys
+		for _, key := range keys[:len(keys)-1] {
+			_, cmd := testOperatorGenerateRootCommand(t)
+			cmd.client = client
 
-		// Note: in an HA setup, this call will also ensure that connections to
-		// the leader are set up, as that happens once the advertised cluster
-		// values are read during this function
-		isLeader, leaderAddr, _, err := core.Leader()
-		if err != nil {
-			if err == vault.ErrHANotEnabled {
-				// Standalone node, serve request normally
-				handler.ServeHTTP(w, r)
-				return
+			code := cmd.Run([]string{
+				"-nonce", nonce,
+				key,
+			})
+			if exp := 0; code != exp {
+				t.Errorf("expected %d to be %d", code, exp)
 			}
-			// Some internal error occurred
-			respondError(w, http.StatusInternalServerError, err)
-			return
-		}
-		if isLeader {
-			// No forwarding needed, we're leader
-			handler.ServeHTTP(w, r)
-			return
-		}
-		if leaderAddr == "" {
-			respondError(w, http.StatusInternalServerError, fmt.Errorf("local node not active but active cluster node not found"))
-			return
 		}
 
-		forwardRequest(core, w, r)
-	})
-}
-
-func forwardRequest(core *vault.Core, w http.ResponseWriter, r *http.Request) {
-	if r.Header.Get(vault.IntNoForwardingHeaderName) != "" {
-		respondStandby(core, w, r.URL)
-		return
-	}
-
-	if r.Header.Get(NoRequestForwardingHeaderName) != "" {
-		// Forwarding explicitly disabled, fall back to previous behavior
-		core.Logger().Debug("handleRequestForwarding: forwarding disabled by client request")
-		respondStandby(core, w, r.URL)
-		return
-	}
-
-	ns, err := namespace.FromContext(r.Context())
-	if err != nil {
-		respondError(w, http.StatusBadRequest, err)
-		return
-	}
-	path := ns.TrimmedPath(r.URL.Path[len("/v1/"):])
-	if alwaysRedirectPaths.HasPath(path) {
-		respondStandby(core, w, r.URL)
-		return
-	}
+		ui, cmd := testOperatorGenerateRootCommand(t)
+		cmd.client = client
 
-	// Attempt forwarding the request. If we cannot forward -- perhaps it's
-	// been disabled on the active node -- this will return with an
-	// ErrCannotForward and we simply fall back
-	statusCode, header, retBytes, err := core.ForwardRequest(r)
-	if err != nil {
-		if err == vault.ErrCannotForward {
-			core.Logger().Debug("cannot forward request (possibly disabled on active node), falling back")
-		} else {
-			core.Logger().Error("forward request error", "error", err)
+		code := cmd.Run([]string{
+			"-nonce", nonce,
+			keys[len(keys)-1], // the last unseal key
+		})
+		if exp := 0; code != exp {
+			t.Fatalf("expected %d to be %d, out=%q, err=%q", code, exp, ui.OutputWriter, ui.ErrorWriter)
 		}
 
-		// Fall back to redirection
-		respondStandby(core, w, r.URL)
-		return
-	}
-
-	for k, v := range header {
-		w.Header()[k] = v
-	}
-
-	w.WriteHeader(statusCode)
-	w.Write(retBytes)
-}
-
-// request is a helper to perform a request and properly exit in the
-// case of an error.
-func request(core *vault.Core, w http.ResponseWriter, rawReq *http.Request, r *logical.Request) (*logical.Response, bool, bool) {
-	resp, err := core.HandleRequest(rawReq.Context(), r)
-	if r.LastRemoteWAL() > 0 && !core.EntWaitUntilWALShipped(rawReq.Context(), r.LastRemoteWAL()) {
-		if resp == nil {
-			resp = &logical.Response{}
+		reToken := regexp.MustCompile(`Encoded Token\s+(.+)`)
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		match := reToken.FindAllStringSubmatch(combined, -1)
+		if len(match) < 1 || len(match[0]) < 2 {
+			t.Fatalf("no match: %#v", match)
 		}
-		resp.AddWarning("Timeout hit while waiting for local replicated cluster to apply primary's write; this client may encounter stale reads of values written during this operation.")
-	}
-	if errwrap.Contains(err, consts.ErrStandby.Error()) {
-		respondStandby(core, w, rawReq.URL)
-		return resp, false, false
-	}
-	if err != nil && errwrap.Contains(err, logical.ErrPerfStandbyPleaseForward.Error()) {
-		return nil, false, true
-	}
 
-	if resp != nil && len(resp.Headers) > 0 {
-		// Set this here so it will take effect regardless of any other type of
-		// response processing
-		header := w.Header()
-		for k, v := range resp.Headers {
-			for _, h := range v {
-				header.Add(k, h)
-			}
+		tokenBytes, err := base64.RawStdEncoding.DecodeString(match[0][1])
+		if err != nil {
+			t.Fatal(err)
 		}
 
-		switch {
-		case resp.Secret != nil,
-			resp.Auth != nil,
-			len(resp.Data) > 0,
-			resp.Redirect != "",
-			len(resp.Warnings) > 0,
-			resp.WrapInfo != nil:
-			// Nothing, resp has data
-
-		default:
-			// We have an otherwise totally empty response except for headers,
-			// so nil out the response now that the headers are written out
-			resp = nil
+		token, err := xor.XORBytes(tokenBytes, []byte(otp))
+		if err != nil {
+			t.Fatal(err)
 		}
-	}
-
-	// If vault's core has already written to the response writer do not add any
-	// additional output. Headers have already been sent. If the response writer
-	// is set but has not been written to it likely means there was some kind of
-	// error
-	if r.ResponseWriter != nil && r.ResponseWriter.Written() {
-		return nil, true, false
-	}
 
-	if respondErrorCommon(w, r, resp, err) {
-		return resp, false, false
-	}
-
-	return resp, true, false
-}
-
-// respondStandby is used to trigger a redirect in the case that this Vault is currently a hot standby
-func respondStandby(core *vault.Core, w http.ResponseWriter, reqURL *url.URL) {
-	// Request the leader address
-	_, redirectAddr, _, err := core.Leader()
-	if err != nil {
-		if err == vault.ErrHANotEnabled {
-			// Standalone node, serve 503
-			err = errors.New("node is not active")
-			respondError(w, http.StatusServiceUnavailable, err)
-			return
+		if l, exp := len(token), vault.TokenLength+vault.TokenPrefixLength; l != exp {
+			t.Errorf("expected %d to be %d: %s", l, exp, token)
 		}
+	})
 
-		respondError(w, http.StatusInternalServerError, err)
-		return
-	}
-
-	// If there is no leader, generate a 503 error
-	if redirectAddr == "" {
-		err = errors.New("no active Vault instance found")
-		respondError(w, http.StatusServiceUnavailable, err)
-		return
-	}
-
-	// Parse the redirect location
-	redirectURL, err := url.Parse(redirectAddr)
-	if err != nil {
-		respondError(w, http.StatusInternalServerError, err)
-		return
-	}
+	t.Run("provide_stdin", func(t *testing.T) {
+		t.Parallel()
 
-	// Generate a redirect URL
-	finalURL := url.URL{
-		Scheme:   redirectURL.Scheme,
-		Host:     redirectURL.Host,
-		Path:     reqURL.Path,
-		RawQuery: reqURL.RawQuery,
-	}
+		client, keys, closer := testVaultServerUnseal(t)
+		defer closer()
 
-	// WebSockets schemas are ws or wss
-	if websocketPaths.HasPath(reqURL.Path) {
-		if finalURL.Scheme == "http" {
-			finalURL.Scheme = "ws"
-		} else {
-			finalURL.Scheme = "wss"
+		// Initialize a generation
+		status, err := client.Sys().GenerateRootInit("", "")
+		if err != nil {
+			t.Fatal(err)
+		}
+		nonce := status.Nonce
+		otp := status.OTP
+
+		// Supply the first n-1 unseal keys
+		for _, key := range keys[:len(keys)-1] {
+			stdinR, stdinW := io.Pipe()
+			go func() {
+				stdinW.Write([]byte(key))
+				stdinW.Close()
+			}()
+
+			_, cmd := testOperatorGenerateRootCommand(t)
+			cmd.client = client
+			cmd.testStdin = stdinR
+
+			code := cmd.Run([]string{
+				"-nonce", nonce,
+				"-",
+			})
+			if exp := 0; code != exp {
+				t.Errorf("expected %d to be %d", code, exp)
+			}
 		}
-	}
 
-	// Ensure there is a scheme, default to https
-	if finalURL.Scheme == "" {
-		finalURL.Scheme = "https"
-	}
+		stdinR, stdinW := io.Pipe()
+		go func() {
+			stdinW.Write([]byte(keys[len(keys)-1])) // the last unseal key
+			stdinW.Close()
+		}()
 
-	// If we have an address, redirect! We use a 307 code
-	// because we don't actually know if its permanent and
-	// the request method should be preserved.
-	w.Header().Set("Location", finalURL.String())
-	w.WriteHeader(307)
-}
+		ui, cmd := testOperatorGenerateRootCommand(t)
+		cmd.client = client
+		cmd.testStdin = stdinR
 
-// getTokenFromReq parse headers of the incoming request to extract token if
-// present it accepts Authorization Bearer (RFC6750) and X-Vault-Token header.
-// Returns true if the token was sourced from a Bearer header.
-func getTokenFromReq(r *http.Request) (string, bool) {
-	if token := r.Header.Get(consts.AuthHeaderName); token != "" {
-		return token, false
-	}
-	if headers, ok := r.Header["Authorization"]; ok {
-		// Reference for Authorization header format: https://tools.ietf.org/html/rfc7236#section-3
-
-		// If string does not start by 'Bearer ', it is not one we would use,
-		// but might be used by plugins
-		for _, v := range headers {
-			if !strings.HasPrefix(v, "Bearer ") {
-				continue
-			}
-			return strings.TrimSpace(v[7:]), true
+		code := cmd.Run([]string{
+			"-nonce", nonce,
+			"-",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
 		}
-	}
-	return "", false
-}
 
-// requestAuth adds the token to the logical.Request if it exists.
-func requestAuth(r *http.Request, req *logical.Request) {
-	// Attach the header value if we have it
-	token, fromAuthzHeader := getTokenFromReq(r)
-	if token != "" {
-		req.ClientToken = token
-		req.ClientTokenSource = logical.ClientTokenFromVaultHeader
-		if fromAuthzHeader {
-			req.ClientTokenSource = logical.ClientTokenFromAuthzHeader
+		reToken := regexp.MustCompile(`Encoded Token\s+(.+)`)
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		match := reToken.FindAllStringSubmatch(combined, -1)
+		if len(match) < 1 || len(match[0]) < 2 {
+			t.Fatalf("no match: %#v", match)
 		}
 
-	}
-}
-
-func requestPolicyOverride(r *http.Request, req *logical.Request) error {
-	raw := r.Header.Get(PolicyOverrideHeaderName)
-	if raw == "" {
-		return nil
-	}
-
-	override, err := parseutil.ParseBool(raw)
-	if err != nil {
-		return err
-	}
-
-	req.PolicyOverride = override
-	return nil
-}
+		// encodedOTP := base64.RawStdEncoding.EncodeToString([]byte(otp))
 
-// requestWrapInfo adds the WrapInfo value to the logical.Request if wrap info exists
-func requestWrapInfo(r *http.Request, req *logical.Request) (*logical.Request, error) {
-	// First try for the header value
-	wrapTTL := r.Header.Get(WrapTTLHeaderName)
-	if wrapTTL == "" {
-		return req, nil
-	}
+		// tokenBytes, err := xor.XORBase64(match[0][1], encodedOTP)
+		// if err != nil {
+		// 	t.Fatal(err)
+		// }
+		// token, err := uuid.FormatUUID(tokenBytes)
+		// if err != nil {
+		// 	t.Fatal(err)
+		// }
 
-	// If it has an allowed suffix parse as a duration string
-	dur, err := parseutil.ParseDurationSecond(wrapTTL)
-	if err != nil {
-		return req, err
-	}
-	if int64(dur) < 0 {
-		return req, fmt.Errorf("requested wrap ttl cannot be negative")
-	}
-
-	req.WrapInfo = &logical.RequestWrapInfo{
-		TTL: dur,
-	}
-
-	wrapFormat := r.Header.Get(WrapFormatHeaderName)
-	switch wrapFormat {
-	case "jwt":
-		req.WrapInfo.Format = "jwt"
-	}
-
-	return req, nil
-}
-
-// parseMFAHeader parses the MFAHeaderName in the request headers and organizes
-// them with MFA method name as the index.
-func parseMFAHeader(req *logical.Request) error {
-	if req == nil {
-		return fmt.Errorf("request is nil")
-	}
-
-	if req.Headers == nil {
-		return nil
-	}
-
-	// Reset and initialize the credentials in the request
-	req.MFACreds = make(map[string][]string)
-
-	for _, mfaHeaderValue := range req.Headers[canonicalMFAHeaderName] {
-		// Skip the header with no value in it
-		if mfaHeaderValue == "" {
-			continue
-		}
-
-		// Handle the case where only method name is mentioned and no value
-		// is supplied
-		if !strings.Contains(mfaHeaderValue, ":") {
-			// Mark the presence of method name, but set an empty set to it
-			// indicating that there were no values supplied for the method
-			if req.MFACreds[mfaHeaderValue] == nil {
-				req.MFACreds[mfaHeaderValue] = []string{}
-			}
-			continue
+		tokenBytes, err := base64.RawStdEncoding.DecodeString(match[0][1])
+		if err != nil {
+			t.Fatal(err)
 		}
 
-		shardSplits := strings.SplitN(mfaHeaderValue, ":", 2)
-		if shardSplits[0] == "" {
-			return fmt.Errorf("invalid data in header %q; missing method name or ID", MFAHeaderName)
+		token, err := xor.XORBytes(tokenBytes, []byte(otp))
+		if err != nil {
+			t.Fatal(err)
 		}
 
-		if shardSplits[1] == "" {
-			return fmt.Errorf("invalid data in header %q; missing method value", MFAHeaderName)
+		if l, exp := len(token), vault.TokenLength+vault.TokenPrefixLength; l != exp {
+			t.Errorf("expected %d to be %d: %s", l, exp, token)
 		}
+	})
 
-		req.MFACreds[shardSplits[0]] = append(req.MFACreds[shardSplits[0]], shardSplits[1])
-	}
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
 
-	return nil
-}
+		client, closer := testVaultServerBad(t)
+		defer closer()
 
-// isForm tries to determine whether the request should be
-// processed as a form or as JSON.
-//
-// Virtually all existing use cases have assumed processing as JSON,
-// and there has not been a Content-Type requirement in the API. In order to
-// maintain backwards compatibility, this will err on the side of JSON.
-// The request will be considered a form only if:
-//
-//  1. The content type is "application/x-www-form-urlencoded"
-//  2. The start of the request doesn't look like JSON. For this test we
-//     we expect the body to begin with { or [, ignoring leading whitespace.
-func isForm(head []byte, contentType string) bool {
-	contentType, _, err := mime.ParseMediaType(contentType)
-
-	if err != nil || contentType != "application/x-www-form-urlencoded" {
-		return false
-	}
+		ui, cmd := testOperatorGenerateRootCommand(t)
+		cmd.client = client
 
-	// Look for the start of JSON or not-JSON, skipping any insignificant
-	// whitespace (per https://tools.ietf.org/html/rfc7159#section-2).
-	for _, c := range head {
-		switch c {
-		case ' ', '\t', '\n', '\r':
-			continue
-		case '[', '{': // JSON
-			return false
-		default: // not JSON
-			return true
+		code := cmd.Run([]string{
+			"secret/foo",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
 		}
-	}
-
-	return true
-}
-
-func respondError(w http.ResponseWriter, status int, err error) {
-	logical.RespondError(w, status, err)
-}
-
-func respondErrorAndData(w http.ResponseWriter, status int, data interface{}, err error) {
-	logical.RespondErrorAndData(w, status, data, err)
-}
 
-func respondErrorCommon(w http.ResponseWriter, req *logical.Request, resp *logical.Response, err error) bool {
-	statusCode, newErr := logical.RespondErrorCommon(req, resp, err)
-	if newErr == nil && statusCode == 0 {
-		return false
-	}
-
-	// If ErrPermissionDenied occurs for OIDC protected resources (e.g., userinfo),
-	// then respond with a JSON error format that complies with the specification.
-	// This prevents the JSON error format from changing to a Vault-y format (i.e.,
-	// the format that results from respondError) after an OIDC access token expires.
-	if oidcPermissionDenied(req.Path, err) {
-		respondOIDCPermissionDenied(w)
-		return true
-	}
-
-	if resp != nil {
-		if data := resp.Data["data"]; data != nil {
-			respondErrorAndData(w, statusCode, data, newErr)
-			return true
+		expected := "Error getting root generation status: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
 		}
-	}
-	respondError(w, statusCode, newErr)
-	return true
-}
-
-func respondOk(w http.ResponseWriter, body interface{}) {
-	w.Header().Set("Content-Type", "application/json")
-
-	if body == nil {
-		w.WriteHeader(http.StatusNoContent)
-	} else {
-		w.WriteHeader(http.StatusOK)
-		enc := json.NewEncoder(w)
-		enc.Encode(body)
-	}
-}
-
-// oidcPermissionDenied returns true if the given path matches the
-// UserInfo Endpoint published by Vault OIDC providers and the given
-// error is a logical.ErrPermissionDenied.
-func oidcPermissionDenied(path string, err error) bool {
-	return errwrap.Contains(err, logical.ErrPermissionDenied.Error()) &&
-		oidcProtectedPathRegex.MatchString(path)
-}
+	})
 
-// respondOIDCPermissionDenied writes a response to the given w for
-// permission denied errors (expired token) on resources protected
-// by OIDC access tokens. Currently, the UserInfo Endpoint is the only
-// protected resource. See the following specifications for details:
-//   - https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError
-//   - https://datatracker.ietf.org/doc/html/rfc6750#section-3.1
-func respondOIDCPermissionDenied(w http.ResponseWriter) {
-	errorCode := "invalid_token"
-	errorDescription := logical.ErrPermissionDenied.Error()
-
-	w.Header().Set("Content-Type", "application/json")
-	w.Header().Set("WWW-Authenticate", fmt.Sprintf("Bearer error=%q,error_description=%q",
-		errorCode, errorDescription))
-	w.WriteHeader(http.StatusUnauthorized)
-
-	var oidcResponse struct {
-		Error            string `json:"error"`
-		ErrorDescription string `json:"error_description"`
-	}
-	oidcResponse.Error = errorCode
-	oidcResponse.ErrorDescription = errorDescription
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
 
-	enc := json.NewEncoder(w)
-	enc.Encode(oidcResponse)
+		_, cmd := testOperatorGenerateRootCommand(t)
+		assertNoTabs(t, cmd)
+	})
 }
diff --git a/http/handler_test.go b/http/handler_test.go
index a669672b60fb..576f7fe2dc5d 100644
--- a/http/handler_test.go
+++ b/http/handler_test.go
@@ -1,894 +1,595 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package http
+package command
 
 import (
-	"context"
-	"crypto/tls"
-	"encoding/json"
-	"errors"
-	"io/ioutil"
-	"net/http"
-	"net/http/httptest"
-	"net/textproto"
+	"fmt"
 	"net/url"
-	"reflect"
+	"runtime"
 	"strings"
-	"testing"
 
-	"github.com/hashicorp/vault/internalshared/configutil"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/helper/pgpkeys"
+	"github.com/posener/complete"
 
-	"github.com/go-test/deep"
-	"github.com/hashicorp/go-cleanhttp"
-	"github.com/hashicorp/vault/helper/namespace"
-	"github.com/hashicorp/vault/helper/versions"
-	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/hashicorp/vault/sdk/logical"
-	"github.com/hashicorp/vault/vault"
+	consulapi "github.com/hashicorp/consul/api"
 )
 
-func TestHandler_parseMFAHandler(t *testing.T) {
-	var err error
-	var expectedMFACreds logical.MFACreds
-	req := &logical.Request{
-		Headers: make(map[string][]string),
-	}
+var (
+	_ cli.Command             = (*OperatorInitCommand)(nil)
+	_ cli.CommandAutocomplete = (*OperatorInitCommand)(nil)
+)
 
-	headerName := textproto.CanonicalMIMEHeaderKey(MFAHeaderName)
+type OperatorInitCommand struct {
+	*BaseCommand
 
-	// Set TOTP passcode in the MFA header
-	req.Headers[headerName] = []string{
-		"my_totp:123456",
-		"my_totp:111111",
-		"my_second_mfa:hi=hello",
-		"my_third_mfa",
-	}
-	err = parseMFAHeader(req)
-	if err != nil {
-		t.Fatal(err)
-	}
+	flagStatus          bool
+	flagKeyShares       int
+	flagKeyThreshold    int
+	flagPGPKeys         []string
+	flagRootTokenPGPKey string
 
-	// Verify that it is being parsed properly
-	expectedMFACreds = logical.MFACreds{
-		"my_totp": []string{
-			"123456",
-			"111111",
-		},
-		"my_second_mfa": []string{
-			"hi=hello",
-		},
-		"my_third_mfa": []string{},
-	}
-	if !reflect.DeepEqual(expectedMFACreds, req.MFACreds) {
-		t.Fatalf("bad: parsed MFACreds; expected: %#v\n actual: %#v\n", expectedMFACreds, req.MFACreds)
-	}
+	// Auto Unseal
+	flagRecoveryShares    int
+	flagRecoveryThreshold int
+	flagRecoveryPGPKeys   []string
+	flagStoredShares      int
 
-	// Split the creds of a method type in different headers and check if they
-	// all get merged together
-	req.Headers[headerName] = []string{
-		"my_mfa:passcode=123456",
-		"my_mfa:month=july",
-		"my_mfa:day=tuesday",
-	}
-	err = parseMFAHeader(req)
-	if err != nil {
-		t.Fatal(err)
-	}
+	// Consul
+	flagConsulAuto    bool
+	flagConsulService string
+}
 
-	expectedMFACreds = logical.MFACreds{
-		"my_mfa": []string{
-			"passcode=123456",
-			"month=july",
-			"day=tuesday",
-		},
-	}
-	if !reflect.DeepEqual(expectedMFACreds, req.MFACreds) {
-		t.Fatalf("bad: parsed MFACreds; expected: %#v\n actual: %#v\n", expectedMFACreds, req.MFACreds)
-	}
+const (
+	defKeyShares         = 5
+	defKeyThreshold      = 3
+	defRecoveryShares    = 5
+	defRecoveryThreshold = 3
+)
 
-	// Header without method name should error out
-	req.Headers[headerName] = []string{
-		":passcode=123456",
-	}
-	err = parseMFAHeader(req)
-	if err == nil {
-		t.Fatalf("expected an error; actual: %#v\n", req.MFACreds)
-	}
+func (c *OperatorInitCommand) Synopsis() string {
+	return "Initializes a server"
+}
 
-	// Header without method name and method value should error out
-	req.Headers[headerName] = []string{
-		":",
-	}
-	err = parseMFAHeader(req)
-	if err == nil {
-		t.Fatalf("expected an error; actual: %#v\n", req.MFACreds)
-	}
+func (c *OperatorInitCommand) Help() string {
+	helpText := `
+Usage: vault operator init [options]
 
-	// Header without method name and method value should error out
-	req.Headers[headerName] = []string{
-		"my_totp:",
-	}
-	err = parseMFAHeader(req)
-	if err == nil {
-		t.Fatalf("expected an error; actual: %#v\n", req.MFACreds)
-	}
-}
+  Initializes a Vault server. Initialization is the process by which Vault's
+  storage backend is prepared to receive data. Since Vault servers share the
+  same storage backend in HA mode, you only need to initialize one Vault to
+  initialize the storage backend.
 
-func TestHandler_cors(t *testing.T) {
-	core, _, _ := vault.TestCoreUnsealed(t)
-	ln, addr := TestServer(t, core)
-	defer ln.Close()
+  During initialization, Vault generates an in-memory root key and applies
+  Shamir's secret sharing algorithm to disassemble that root key into a
+  configuration number of key shares such that a configurable subset of those
+  key shares must come together to regenerate the root key. These keys are
+  often called "unseal keys" in Vault's documentation.
 
-	// Enable CORS and allow from any origin for testing.
-	corsConfig := core.CORSConfig()
-	err := corsConfig.Enable(context.Background(), []string{addr}, nil)
-	if err != nil {
-		t.Fatalf("Error enabling CORS: %s", err)
-	}
+  This command cannot be run against an already-initialized Vault cluster.
 
-	req, err := http.NewRequest(http.MethodOptions, addr+"/v1/sys/seal-status", nil)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-	req.Header.Set("Origin", "BAD ORIGIN")
+  Start initialization with the default options:
 
-	// Requests from unacceptable origins will be rejected with a 403.
-	client := cleanhttp.DefaultClient()
-	resp, err := client.Do(req)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
+      $ vault operator init
 
-	if resp.StatusCode != http.StatusForbidden {
-		t.Fatalf("Bad status:\nexpected: 403 Forbidden\nactual: %s", resp.Status)
-	}
+  Initialize, but encrypt the unseal keys with pgp keys:
 
-	//
-	// Test preflight requests
-	//
+      $ vault operator init \
+          -key-shares=3 \
+          -key-threshold=2 \
+          -pgp-keys="keybase:hashicorp,keybase:jefferai,keybase:sethvargo"
 
-	// Set a valid origin
-	req.Header.Set("Origin", addr)
+  Encrypt the initial root token using a pgp key:
 
-	// Server should NOT accept arbitrary methods.
-	req.Header.Set("Access-Control-Request-Method", "FOO")
+      $ vault operator init -root-token-pgp-key="keybase:hashicorp"
 
-	client = cleanhttp.DefaultClient()
-	resp, err = client.Do(req)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
+` + c.Flags().Help()
+	return strings.TrimSpace(helpText)
+}
 
-	// Fail if an arbitrary method is accepted.
-	if resp.StatusCode != http.StatusMethodNotAllowed {
-		t.Fatalf("Bad status:\nexpected: 405 Method Not Allowed\nactual: %s", resp.Status)
-	}
+func (c *OperatorInitCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
 
-	// Server SHOULD accept acceptable methods.
-	req.Header.Set("Access-Control-Request-Method", http.MethodPost)
+	// Common Options
+	f := set.NewFlagSet("Common Options")
 
-	client = cleanhttp.DefaultClient()
-	resp, err = client.Do(req)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
+	f.BoolVar(&BoolVar{
+		Name:    "status",
+		Target:  &c.flagStatus,
+		Default: false,
+		Usage: "Print the current initialization status. An exit code of 0 means " +
+			"the Vault is already initialized. An exit code of 1 means an error " +
+			"occurred. An exit code of 2 means the Vault is not initialized.",
+	})
 
-	//
-	// Test that the CORS headers are applied correctly.
-	//
-	expHeaders := map[string]string{
-		"Access-Control-Allow-Origin":  addr,
-		"Access-Control-Allow-Headers": strings.Join(vault.StdAllowedHeaders, ","),
-		"Access-Control-Max-Age":       "300",
-		"Vary":                         "Origin",
-	}
+	f.IntVar(&IntVar{
+		Name:       "key-shares",
+		Aliases:    []string{"n"},
+		Target:     &c.flagKeyShares,
+		Completion: complete.PredictAnything,
+		Usage: "Number of key shares to split the generated root key into. " +
+			"This is the number of \"unseal keys\" to generate.",
+	})
 
-	for expHeader, expected := range expHeaders {
-		actual := resp.Header.Get(expHeader)
-		if actual == "" {
-			t.Fatalf("bad:\nHeader: %#v was not on response.", expHeader)
-		}
+	f.IntVar(&IntVar{
+		Name:       "key-threshold",
+		Aliases:    []string{"t"},
+		Target:     &c.flagKeyThreshold,
+		Completion: complete.PredictAnything,
+		Usage: "Number of key shares required to reconstruct the root key. " +
+			"This must be less than or equal to -key-shares.",
+	})
 
-		if actual != expected {
-			t.Fatalf("bad:\nExpected: %#v\nActual: %#v\n", expected, actual)
-		}
-	}
-}
+	f.VarFlag(&VarFlag{
+		Name:       "pgp-keys",
+		Value:      (*pgpkeys.PubKeyFilesFlag)(&c.flagPGPKeys),
+		Completion: complete.PredictAnything,
+		Usage: "Comma-separated list of paths to files on disk containing " +
+			"public PGP keys OR a comma-separated list of Keybase usernames using " +
+			"the format \"keybase:<username>\". When supplied, the generated " +
+			"unseal keys will be encrypted and base64-encoded in the order " +
+			"specified in this list. The number of entries must match -key-shares, " +
+			"unless -stored-shares are used.",
+	})
 
-func TestHandler_HostnameHeader(t *testing.T) {
-	t.Parallel()
-	testCases := []struct {
-		description   string
-		config        *vault.CoreConfig
-		headerPresent bool
-	}{
-		{
-			description:   "with no header configured",
-			config:        nil,
-			headerPresent: false,
-		},
-		{
-			description: "with header configured",
-			config: &vault.CoreConfig{
-				EnableResponseHeaderHostname: true,
-			},
-			headerPresent: true,
-		},
-	}
+	f.VarFlag(&VarFlag{
+		Name:       "root-token-pgp-key",
+		Value:      (*pgpkeys.PubKeyFileFlag)(&c.flagRootTokenPGPKey),
+		Completion: complete.PredictAnything,
+		Usage: "Path to a file on disk containing a binary or base64-encoded " +
+			"public PGP key. This can also be specified as a Keybase username " +
+			"using the format \"keybase:<username>\". When supplied, the generated " +
+			"root token will be encrypted and base64-encoded with the given public " +
+			"key.",
+	})
 
-	for _, tc := range testCases {
-		t.Run(tc.description, func(t *testing.T) {
-			var core *vault.Core
+	f.IntVar(&IntVar{
+		Name:    "stored-shares",
+		Target:  &c.flagStoredShares,
+		Default: -1,
+		Usage:   "DEPRECATED: This flag does nothing. It will be removed in Vault 1.3.",
+	})
 
-			if tc.config == nil {
-				core, _, _ = vault.TestCoreUnsealed(t)
-			} else {
-				core, _, _ = vault.TestCoreUnsealedWithConfig(t, tc.config)
-			}
+	// Consul Options
+	f = set.NewFlagSet("Consul Options")
+
+	f.BoolVar(&BoolVar{
+		Name:    "consul-auto",
+		Target:  &c.flagConsulAuto,
+		Default: false,
+		Usage: "Perform automatic service discovery using Consul in HA mode. " +
+			"When all nodes in a Vault HA cluster are registered with Consul, " +
+			"enabling this option will trigger automatic service discovery based " +
+			"on the provided -consul-service value. When Consul is Vault's HA " +
+			"backend, this functionality is automatically enabled. Ensure the " +
+			"proper Consul environment variables are set (CONSUL_HTTP_ADDR, etc). " +
+			"When only one Vault server is discovered, it will be initialized " +
+			"automatically. When more than one Vault server is discovered, they " +
+			"will each be output for selection.",
+	})
 
-			ln, addr := TestServer(t, core)
-			defer ln.Close()
+	f.StringVar(&StringVar{
+		Name:       "consul-service",
+		Target:     &c.flagConsulService,
+		Default:    "vault",
+		Completion: complete.PredictAnything,
+		Usage: "Name of the service in Consul under which the Vault servers are " +
+			"registered.",
+	})
 
-			req, err := http.NewRequest("GET", addr+"/v1/sys/seal-status", nil)
-			if err != nil {
-				t.Fatalf("err: %s", err)
-			}
+	// Auto Unseal Options
+	f = set.NewFlagSet("Auto Unseal Options")
 
-			client := cleanhttp.DefaultClient()
-			resp, err := client.Do(req)
-			if err != nil {
-				t.Fatalf("err: %s", err)
-			}
+	f.IntVar(&IntVar{
+		Name:       "recovery-shares",
+		Target:     &c.flagRecoveryShares,
+		Completion: complete.PredictAnything,
+		Usage: "Number of key shares to split the recovery key into. " +
+			"This is only used in auto-unseal mode.",
+	})
 
-			if resp == nil {
-				t.Fatal("nil response")
-			}
+	f.IntVar(&IntVar{
+		Name:       "recovery-threshold",
+		Target:     &c.flagRecoveryThreshold,
+		Completion: complete.PredictAnything,
+		Usage: "Number of key shares required to reconstruct the recovery key. " +
+			"This is only used in Auto Unseal mode.",
+	})
 
-			hnHeader := resp.Header.Get("X-Vault-Hostname")
-			if tc.headerPresent && hnHeader == "" {
-				t.Logf("header configured = %t", core.HostnameHeaderEnabled())
-				t.Fatal("missing 'X-Vault-Hostname' header entry in response")
-			}
-			if !tc.headerPresent && hnHeader != "" {
-				t.Fatal("didn't expect 'X-Vault-Hostname' header but it was present anyway")
-			}
+	f.VarFlag(&VarFlag{
+		Name:       "recovery-pgp-keys",
+		Value:      (*pgpkeys.PubKeyFilesFlag)(&c.flagRecoveryPGPKeys),
+		Completion: complete.PredictAnything,
+		Usage: "Behaves like -pgp-keys, but for the recovery key shares. This " +
+			"is only used in Auto Unseal mode.",
+	})
 
-			rniHeader := resp.Header.Get("X-Vault-Raft-Node-ID")
-			if rniHeader != "" {
-				t.Fatalf("no raft node ID header was expected, since we're not running a raft cluster. instead, got %s", rniHeader)
-			}
-		})
-	}
+	return set
 }
 
-func TestHandler_CacheControlNoStore(t *testing.T) {
-	core, _, token := vault.TestCoreUnsealed(t)
-	ln, addr := TestServer(t, core)
-	defer ln.Close()
+func (c *OperatorInitCommand) AutocompleteArgs() complete.Predictor {
+	return nil
+}
 
-	req, err := http.NewRequest("GET", addr+"/v1/sys/mounts", nil)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-	req.Header.Set(consts.AuthHeaderName, token)
-	req.Header.Set(WrapTTLHeaderName, "60s")
+func (c *OperatorInitCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
 
-	client := cleanhttp.DefaultClient()
-	resp, err := client.Do(req)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
+func (c *OperatorInitCommand) Run(args []string) int {
+	f := c.Flags()
 
-	if resp == nil {
-		t.Fatalf("nil response")
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
 	}
 
-	actual := resp.Header.Get("Cache-Control")
-
-	if actual == "" {
-		t.Fatalf("missing 'Cache-Control' header entry in response writer")
+	args = f.Args()
+	if len(args) > 0 {
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(args)))
+		return 1
 	}
 
-	if actual != "no-store" {
-		t.Fatalf("bad: Cache-Control. Expected: 'no-store', Actual: %q", actual)
+	if c.flagStoredShares != -1 {
+		c.UI.Warn("-stored-shares has no effect and will be removed in Vault 1.3.\n")
 	}
-}
-
-func TestHandler_InFlightRequest(t *testing.T) {
-	core, _, token := vault.TestCoreUnsealed(t)
-	ln, addr := TestServer(t, core)
-	defer ln.Close()
-	TestServerAuth(t, addr, token)
-
-	req, err := http.NewRequest("GET", addr+"/v1/sys/in-flight-req", nil)
+	client, err := c.Client()
 	if err != nil {
-		t.Fatalf("err: %s", err)
+		c.UI.Error(err.Error())
+		return 2
 	}
-	req.Header.Set(consts.AuthHeaderName, token)
 
-	client := cleanhttp.DefaultClient()
-	resp, err := client.Do(req)
+	// -output-curl string returns curl command for seal status
+	// setting this to false and then setting actual value after reading seal status
+	currentOutputCurlString := client.OutputCurlString()
+	client.SetOutputCurlString(false)
+	// -output-policy string returns minimum required policy HCL for seal status
+	// setting this to false and then setting actual value after reading seal status
+	outputPolicy := client.OutputPolicy()
+	client.SetOutputPolicy(false)
+
+	// Set defaults based on use of auto unseal seal
+	sealInfo, err := client.Sys().SealStatus()
 	if err != nil {
-		t.Fatalf("err: %s", err)
+		c.UI.Error(err.Error())
+		return 2
 	}
 
-	if resp == nil {
-		t.Fatalf("nil response")
-	}
+	client.SetOutputCurlString(currentOutputCurlString)
+	client.SetOutputPolicy(outputPolicy)
 
-	var actual map[string]interface{}
-	testResponseStatus(t, resp, 200)
-	testResponseBody(t, resp, &actual)
-	if actual == nil || len(actual) == 0 {
-		t.Fatal("expected to get at least one in-flight request, got nil or zero length map")
-	}
-	for _, v := range actual {
-		reqInfo, ok := v.(map[string]interface{})
-		if !ok {
-			t.Fatal("failed to read in-flight request")
+	switch sealInfo.RecoverySeal {
+	case true:
+		if c.flagRecoveryShares == 0 {
+			c.flagRecoveryShares = defRecoveryShares
+		}
+		if c.flagRecoveryThreshold == 0 {
+			c.flagRecoveryThreshold = defRecoveryThreshold
+		}
+	default:
+		if c.flagKeyShares == 0 {
+			c.flagKeyShares = defKeyShares
 		}
-		if reqInfo["request_path"] != "/v1/sys/in-flight-req" {
-			t.Fatalf("expected /v1/sys/in-flight-req in-flight request path, got %s", actual["request_path"])
+		if c.flagKeyThreshold == 0 {
+			c.flagKeyThreshold = defKeyThreshold
 		}
 	}
-}
 
-// TestHandler_MissingToken tests the response / error code if a request comes
-// in with a missing client token. See
-// https://github.com/hashicorp/vault/issues/8377
-func TestHandler_MissingToken(t *testing.T) {
-	// core, _, token := vault.TestCoreUnsealed(t)
-	core, _, _ := vault.TestCoreUnsealed(t)
-	ln, addr := TestServer(t, core)
-	defer ln.Close()
+	// Build the initial init request
+	initReq := &api.InitRequest{
+		SecretShares:    c.flagKeyShares,
+		SecretThreshold: c.flagKeyThreshold,
+		PGPKeys:         c.flagPGPKeys,
+		RootTokenPGPKey: c.flagRootTokenPGPKey,
 
-	req, err := http.NewRequest("GET", addr+"/v1/sys/internal/ui/mounts/cubbyhole", nil)
-	if err != nil {
-		t.Fatalf("err: %s", err)
+		RecoveryShares:    c.flagRecoveryShares,
+		RecoveryThreshold: c.flagRecoveryThreshold,
+		RecoveryPGPKeys:   c.flagRecoveryPGPKeys,
 	}
 
-	req.Header.Set(WrapTTLHeaderName, "60s")
-
-	client := cleanhttp.DefaultClient()
-	resp, err := client.Do(req)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp.StatusCode != 403 {
-		t.Fatalf("expected code 403, got: %d", resp.StatusCode)
+	// Check auto mode
+	switch {
+	case c.flagStatus:
+		return c.status(client)
+	case c.flagConsulAuto:
+		return c.consulAuto(client, initReq)
+	default:
+		return c.init(client, initReq)
 	}
 }
 
-func TestHandler_Accepted(t *testing.T) {
-	core, _, token := vault.TestCoreUnsealed(t)
-	ln, addr := TestServer(t, core)
-	defer ln.Close()
+// consulAuto enables auto-joining via Consul.
+func (c *OperatorInitCommand) consulAuto(client *api.Client, req *api.InitRequest) int {
+	// Capture the client original address and reset it
+	originalAddr := client.Address()
+	defer client.SetAddress(originalAddr)
 
-	req, err := http.NewRequest("POST", addr+"/v1/auth/token/tidy", nil)
+	// Create a client to communicate with Consul
+	consulClient, err := consulapi.NewClient(consulapi.DefaultConfig())
 	if err != nil {
-		t.Fatalf("err: %s", err)
+		c.UI.Error(fmt.Sprintf("Failed to create Consul client:%v", err))
+		return 1
 	}
-	req.Header.Set(consts.AuthHeaderName, token)
 
-	client := cleanhttp.DefaultClient()
-	resp, err := client.Do(req)
-	if err != nil {
-		t.Fatalf("err: %s", err)
+	// Pull the scheme from the Vault client to determine if the Consul agent
+	// should talk via HTTP or HTTPS.
+	addr := client.Address()
+	clientURL, err := url.Parse(addr)
+	if err != nil || clientURL == nil {
+		c.UI.Error(fmt.Sprintf("Failed to parse Vault address %s: %s", addr, err))
+		return 1
 	}
 
-	testResponseStatus(t, resp, 202)
-}
-
-// We use this test to verify header auth
-func TestSysMounts_headerAuth(t *testing.T) {
-	core, _, token := vault.TestCoreUnsealed(t)
-	ln, addr := TestServer(t, core)
-	defer ln.Close()
+	var uninitedVaults []string
+	var initedVault string
 
-	req, err := http.NewRequest("GET", addr+"/v1/sys/mounts", nil)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-	req.Header.Set(consts.AuthHeaderName, token)
+	// Query the nodes belonging to the cluster
+	services, _, err := consulClient.Catalog().Service(c.flagConsulService, "", &consulapi.QueryOptions{
+		AllowStale: true,
+	})
+	if err == nil {
+		for _, service := range services {
+			// Set the address on the client temporarily
+			vaultAddr := (&url.URL{
+				Scheme: clientURL.Scheme,
+				Host:   fmt.Sprintf("%s:%d", service.ServiceAddress, service.ServicePort),
+			}).String()
+			client.SetAddress(vaultAddr)
+
+			// Check the initialization status of the discovered node
+			inited, err := client.Sys().InitStatus()
+			if err != nil {
+				c.UI.Error(fmt.Sprintf("Error checking init status of %q: %s", vaultAddr, err))
+			}
+			if inited {
+				initedVault = vaultAddr
+				break
+			}
 
-	client := cleanhttp.DefaultClient()
-	resp, err := client.Do(req)
-	if err != nil {
-		t.Fatalf("err: %s", err)
+			// If we got this far, we communicated successfully with Vault, but it
+			// was not initialized.
+			uninitedVaults = append(uninitedVaults, vaultAddr)
+		}
 	}
 
-	var actual map[string]interface{}
-	expected := map[string]interface{}{
-		"lease_id":       "",
-		"renewable":      false,
-		"lease_duration": json.Number("0"),
-		"wrap_info":      nil,
-		"warnings":       nil,
-		"mount_type":     "system",
-		"auth":           nil,
-		"data": map[string]interface{}{
-			"secret/": map[string]interface{}{
-				"description":             "key/value secret storage",
-				"type":                    "kv",
-				"external_entropy_access": false,
-				"config": map[string]interface{}{
-					"default_lease_ttl": json.Number("0"),
-					"max_lease_ttl":     json.Number("0"),
-					"force_no_cache":    false,
-				},
-				"local":                  false,
-				"seal_wrap":              false,
-				"options":                map[string]interface{}{"version": "1"},
-				"plugin_version":         "",
-				"running_sha256":         "",
-				"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "kv"),
-			},
-			"sys/": map[string]interface{}{
-				"description":             "system endpoints used for control, policy and debugging",
-				"type":                    "system",
-				"external_entropy_access": false,
-				"config": map[string]interface{}{
-					"default_lease_ttl":           json.Number("0"),
-					"max_lease_ttl":               json.Number("0"),
-					"force_no_cache":              false,
-					"passthrough_request_headers": []interface{}{"Accept"},
-				},
-				"local":                  false,
-				"seal_wrap":              true,
-				"options":                interface{}(nil),
-				"plugin_version":         "",
-				"running_sha256":         "",
-				"running_plugin_version": versions.DefaultBuiltinVersion,
-			},
-			"cubbyhole/": map[string]interface{}{
-				"description":             "per-token private secret storage",
-				"type":                    "cubbyhole",
-				"external_entropy_access": false,
-				"config": map[string]interface{}{
-					"default_lease_ttl": json.Number("0"),
-					"max_lease_ttl":     json.Number("0"),
-					"force_no_cache":    false,
-				},
-				"local":                  true,
-				"seal_wrap":              false,
-				"options":                interface{}(nil),
-				"plugin_version":         "",
-				"running_sha256":         "",
-				"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "cubbyhole"),
-			},
-			"identity/": map[string]interface{}{
-				"description":             "identity store",
-				"type":                    "identity",
-				"external_entropy_access": false,
-				"config": map[string]interface{}{
-					"default_lease_ttl":           json.Number("0"),
-					"max_lease_ttl":               json.Number("0"),
-					"force_no_cache":              false,
-					"passthrough_request_headers": []interface{}{"Authorization"},
-				},
-				"local":                  false,
-				"seal_wrap":              false,
-				"options":                interface{}(nil),
-				"plugin_version":         "",
-				"running_sha256":         "",
-				"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "identity"),
-			},
-		},
-		"secret/": map[string]interface{}{
-			"description":             "key/value secret storage",
-			"type":                    "kv",
-			"external_entropy_access": false,
-			"config": map[string]interface{}{
-				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     json.Number("0"),
-				"force_no_cache":    false,
-			},
-			"local":                  false,
-			"seal_wrap":              false,
-			"options":                map[string]interface{}{"version": "1"},
-			"plugin_version":         "",
-			"running_sha256":         "",
-			"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "kv"),
-		},
-		"sys/": map[string]interface{}{
-			"description":             "system endpoints used for control, policy and debugging",
-			"type":                    "system",
-			"external_entropy_access": false,
-			"config": map[string]interface{}{
-				"default_lease_ttl":           json.Number("0"),
-				"max_lease_ttl":               json.Number("0"),
-				"force_no_cache":              false,
-				"passthrough_request_headers": []interface{}{"Accept"},
-			},
-			"local":                  false,
-			"seal_wrap":              true,
-			"options":                interface{}(nil),
-			"plugin_version":         "",
-			"running_sha256":         "",
-			"running_plugin_version": versions.DefaultBuiltinVersion,
-		},
-		"cubbyhole/": map[string]interface{}{
-			"description":             "per-token private secret storage",
-			"type":                    "cubbyhole",
-			"external_entropy_access": false,
-			"config": map[string]interface{}{
-				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     json.Number("0"),
-				"force_no_cache":    false,
-			},
-			"local":                  true,
-			"seal_wrap":              false,
-			"options":                interface{}(nil),
-			"plugin_version":         "",
-			"running_sha256":         "",
-			"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "cubbyhole"),
-		},
-		"identity/": map[string]interface{}{
-			"description":             "identity store",
-			"type":                    "identity",
-			"external_entropy_access": false,
-			"config": map[string]interface{}{
-				"default_lease_ttl":           json.Number("0"),
-				"max_lease_ttl":               json.Number("0"),
-				"force_no_cache":              false,
-				"passthrough_request_headers": []interface{}{"Authorization"},
-			},
-			"local":                  false,
-			"seal_wrap":              false,
-			"options":                interface{}(nil),
-			"plugin_version":         "",
-			"running_sha256":         "",
-			"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "identity"),
-		},
+	// Get the correct export keywords and quotes for *nix vs Windows
+	export := "export"
+	quote := "\""
+	if runtime.GOOS == "windows" {
+		export = "set"
+		quote = ""
 	}
-	testResponseStatus(t, resp, 200)
-	testResponseBody(t, resp, &actual)
 
-	expected["request_id"] = actual["request_id"]
-	for k, v := range actual["data"].(map[string]interface{}) {
-		if v.(map[string]interface{})["accessor"] == "" {
-			t.Fatalf("no accessor from %s", k)
+	if initedVault != "" {
+		vaultURL, err := url.Parse(initedVault)
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Failed to parse Vault address %q: %s", initedVault, err))
+			return 2
 		}
-		if v.(map[string]interface{})["uuid"] == "" {
-			t.Fatalf("no uuid from %s", k)
+		vaultAddr := vaultURL.String()
+
+		c.UI.Output(wrapAtLength(fmt.Sprintf(
+			"Discovered an initialized Vault node at %q with Consul service name "+
+				"%q. Set the following environment variable to target the discovered "+
+				"Vault server:",
+			vaultURL.String(), c.flagConsulService)))
+		c.UI.Output("")
+		c.UI.Output(fmt.Sprintf("    $ %s VAULT_ADDR=%s%s%s", export, quote, vaultAddr, quote))
+		c.UI.Output("")
+		return 0
+	}
+
+	switch len(uninitedVaults) {
+	case 0:
+		c.UI.Error(fmt.Sprintf("No Vault nodes registered as %q in Consul", c.flagConsulService))
+		return 2
+	case 1:
+		// There was only one node found in the Vault cluster and it was
+		// uninitialized.
+		vaultURL, err := url.Parse(uninitedVaults[0])
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Failed to parse Vault address %q: %s", initedVault, err))
+			return 2
 		}
+		vaultAddr := vaultURL.String()
+
+		// Update the client to connect to this Vault server
+		client.SetAddress(vaultAddr)
+
+		// Let the client know that initialization is performed on the
+		// discovered node.
+		c.UI.Output(wrapAtLength(fmt.Sprintf(
+			"Discovered an initialized Vault node at %q with Consul service name "+
+				"%q. Set the following environment variable to target the discovered "+
+				"Vault server:",
+			vaultURL.String(), c.flagConsulService)))
+		c.UI.Output("")
+		c.UI.Output(fmt.Sprintf("    $ %s VAULT_ADDR=%s%s%s", export, quote, vaultAddr, quote))
+		c.UI.Output("")
+		c.UI.Output("Attempting to initialize it...")
+		c.UI.Output("")
+
+		// Attempt to initialize it
+		return c.init(client, req)
+	default:
+		// If more than one Vault node were discovered, print out all of them,
+		// requiring the client to update VAULT_ADDR and to run init again.
+		c.UI.Output(wrapAtLength(fmt.Sprintf(
+			"Discovered %d uninitialized Vault servers with Consul service name "+
+				"%q. To initialize these Vaults, set any one of the following "+
+				"environment variables and run \"vault operator init\":",
+			len(uninitedVaults), c.flagConsulService)))
+		c.UI.Output("")
+
+		// Print valid commands to make setting the variables easier
+		for _, node := range uninitedVaults {
+			vaultURL, err := url.Parse(node)
+			if err != nil {
+				c.UI.Error(fmt.Sprintf("Failed to parse Vault address %q: %s", initedVault, err))
+				return 2
+			}
+			vaultAddr := vaultURL.String()
 
-		expected[k].(map[string]interface{})["accessor"] = v.(map[string]interface{})["accessor"]
-		expected[k].(map[string]interface{})["uuid"] = v.(map[string]interface{})["uuid"]
-		expected["data"].(map[string]interface{})[k].(map[string]interface{})["accessor"] = v.(map[string]interface{})["accessor"]
-		expected["data"].(map[string]interface{})[k].(map[string]interface{})["uuid"] = v.(map[string]interface{})["uuid"]
-	}
+			c.UI.Output(fmt.Sprintf("    $ %s VAULT_ADDR=%s%s%s", export, quote, vaultAddr, quote))
+		}
 
-	if diff := deep.Equal(actual, expected); len(diff) > 0 {
-		t.Fatalf("bad, diff: %#v", diff)
+		c.UI.Output("")
+		return 0
 	}
 }
 
-// We use this test to verify header auth wrapping
-func TestSysMounts_headerAuth_Wrapped(t *testing.T) {
-	core, _, token := vault.TestCoreUnsealed(t)
-	ln, addr := TestServer(t, core)
-	defer ln.Close()
-
-	req, err := http.NewRequest("GET", addr+"/v1/sys/mounts", nil)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-	req.Header.Set(consts.AuthHeaderName, token)
-	req.Header.Set(WrapTTLHeaderName, "60s")
-
-	client := cleanhttp.DefaultClient()
-	resp, err := client.Do(req)
+func (c *OperatorInitCommand) init(client *api.Client, req *api.InitRequest) int {
+	resp, err := client.Sys().Init(req)
 	if err != nil {
-		t.Fatalf("err: %s", err)
+		c.UI.Error(fmt.Sprintf("Error initializing: %s", err))
+		return 2
 	}
 
-	var actual map[string]interface{}
-	expected := map[string]interface{}{
-		"request_id":     "",
-		"lease_id":       "",
-		"renewable":      false,
-		"lease_duration": json.Number("0"),
-		"data":           nil,
-		"wrap_info": map[string]interface{}{
-			"ttl": json.Number("60"),
-		},
-		"warnings":   nil,
-		"auth":       nil,
-		"mount_type": "",
+	switch Format(c.UI) {
+	case "table":
+	default:
+		return OutputData(c.UI, newMachineInit(req, resp))
 	}
 
-	testResponseStatus(t, resp, 200)
-	testResponseBody(t, resp, &actual)
-
-	actualToken, ok := actual["wrap_info"].(map[string]interface{})["token"]
-	if !ok || actualToken == "" {
-		t.Fatal("token missing in wrap info")
+	for i, key := range resp.Keys {
+		if resp.KeysB64 != nil && len(resp.KeysB64) == len(resp.Keys) {
+			c.UI.Output(fmt.Sprintf("Unseal Key %d: %s", i+1, resp.KeysB64[i]))
+		} else {
+			c.UI.Output(fmt.Sprintf("Unseal Key %d: %s", i+1, key))
+		}
 	}
-	expected["wrap_info"].(map[string]interface{})["token"] = actualToken
-
-	actualCreationTime, ok := actual["wrap_info"].(map[string]interface{})["creation_time"]
-	if !ok || actualCreationTime == "" {
-		t.Fatal("creation_time missing in wrap info")
+	for i, key := range resp.RecoveryKeys {
+		if resp.RecoveryKeysB64 != nil && len(resp.RecoveryKeysB64) == len(resp.RecoveryKeys) {
+			c.UI.Output(fmt.Sprintf("Recovery Key %d: %s", i+1, resp.RecoveryKeysB64[i]))
+		} else {
+			c.UI.Output(fmt.Sprintf("Recovery Key %d: %s", i+1, key))
+		}
 	}
-	expected["wrap_info"].(map[string]interface{})["creation_time"] = actualCreationTime
 
-	actualCreationPath, ok := actual["wrap_info"].(map[string]interface{})["creation_path"]
-	if !ok || actualCreationPath == "" {
-		t.Fatal("creation_path missing in wrap info")
+	c.UI.Output("")
+	c.UI.Output(fmt.Sprintf("Initial Root Token: %s", resp.RootToken))
+
+	if len(resp.Keys) > 0 {
+		c.UI.Output("")
+		c.UI.Output(wrapAtLength(fmt.Sprintf(
+			"Vault initialized with %d key shares and a key threshold of %d. Please "+
+				"securely distribute the key shares printed above. When the Vault is "+
+				"re-sealed, restarted, or stopped, you must supply at least %d of "+
+				"these keys to unseal it before it can start servicing requests.",
+			req.SecretShares,
+			req.SecretThreshold,
+			req.SecretThreshold)))
+
+		c.UI.Output("")
+		c.UI.Output(wrapAtLength(fmt.Sprintf(
+			"Vault does not store the generated root key. Without at least %d "+
+				"keys to reconstruct the root key, Vault will remain permanently "+
+				"sealed!",
+			req.SecretThreshold)))
+
+		c.UI.Output("")
+		c.UI.Output(wrapAtLength(
+			"It is possible to generate new unseal keys, provided you have a quorum " +
+				"of existing unseal keys shares. See \"vault operator rekey\" for " +
+				"more information."))
+	} else {
+		c.UI.Output("")
+		c.UI.Output("Success! Vault is initialized")
 	}
-	expected["wrap_info"].(map[string]interface{})["creation_path"] = actualCreationPath
 
-	actualAccessor, ok := actual["wrap_info"].(map[string]interface{})["accessor"]
-	if !ok || actualAccessor == "" {
-		t.Fatal("accessor missing in wrap info")
+	if len(resp.RecoveryKeys) > 0 {
+		c.UI.Output("")
+		c.UI.Output(wrapAtLength(fmt.Sprintf(
+			"Recovery key initialized with %d key shares and a key threshold of %d. "+
+				"Please securely distribute the key shares printed above.",
+			req.RecoveryShares,
+			req.RecoveryThreshold)))
 	}
-	expected["wrap_info"].(map[string]interface{})["accessor"] = actualAccessor
 
-	if !reflect.DeepEqual(actual, expected) {
-		t.Fatalf("bad:\nExpected: %#v\nActual: %#v\n%T %T", expected, actual, actual["warnings"], actual["data"])
-	}
+	return 0
 }
 
-func TestHandler_sealed(t *testing.T) {
-	core, _, token := vault.TestCoreUnsealed(t)
-	ln, addr := TestServer(t, core)
-	defer ln.Close()
-
-	core.Seal(token)
-
-	resp, err := http.Get(addr + "/v1/secret/foo")
+// status inspects the init status of vault and returns an appropriate error
+// code and message.
+func (c *OperatorInitCommand) status(client *api.Client) int {
+	inited, err := client.Sys().InitStatus()
 	if err != nil {
-		t.Fatalf("err: %s", err)
+		c.UI.Error(fmt.Sprintf("Error checking init status: %s", err))
+		return 1 // Normally we'd return 2, but 2 means something special here
 	}
-	testResponseStatus(t, resp, 503)
-}
 
-func TestHandler_ui_default(t *testing.T) {
-	core := vault.TestCoreUI(t, false)
-	ln, addr := TestServer(t, core)
-	defer ln.Close()
+	errorCode := 0
 
-	resp, err := http.Get(addr + "/ui/")
-	if err != nil {
-		t.Fatalf("err: %s", err)
+	if !inited {
+		errorCode = 2
 	}
-	testResponseStatus(t, resp, 404)
-}
 
-func TestHandler_ui_enabled(t *testing.T) {
-	core := vault.TestCoreUI(t, true)
-	ln, addr := TestServer(t, core)
-	defer ln.Close()
-
-	resp, err := http.Get(addr + "/ui/")
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-	testResponseStatus(t, resp, 200)
-}
-
-func TestHandler_error(t *testing.T) {
-	w := httptest.NewRecorder()
-
-	respondError(w, 500, errors.New("test Error"))
-
-	if w.Code != 500 {
-		t.Fatalf("expected 500, got %d", w.Code)
-	}
-
-	// The code inside of the error should override
-	// the argument to respondError
-	w2 := httptest.NewRecorder()
-	e := logical.CodedError(403, "error text")
-
-	respondError(w2, 500, e)
-
-	if w2.Code != 403 {
-		t.Fatalf("expected 403, got %d", w2.Code)
-	}
-
-	// vault.ErrSealed is a special case
-	w3 := httptest.NewRecorder()
-
-	respondError(w3, 400, consts.ErrSealed)
-
-	if w3.Code != 503 {
-		t.Fatalf("expected 503, got %d", w3.Code)
-	}
-}
-
-func TestHandler_requestAuth(t *testing.T) {
-	core, _, token := vault.TestCoreUnsealed(t)
-
-	rootCtx := namespace.RootContext(nil)
-	te, err := core.LookupToken(rootCtx, token)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-
-	rWithAuthorization, err := http.NewRequest("GET", "v1/test/path", nil)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-	rWithAuthorization.Header.Set("Authorization", "Bearer "+token)
-
-	rWithVault, err := http.NewRequest("GET", "v1/test/path", nil)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-	rWithVault.Header.Set(consts.AuthHeaderName, token)
-
-	for _, r := range []*http.Request{rWithVault, rWithAuthorization} {
-		req := logical.TestRequest(t, logical.ReadOperation, "test/path")
-		r = r.WithContext(rootCtx)
-		requestAuth(r, req)
-		err = core.PopulateTokenEntry(rootCtx, req)
-		if err != nil {
-			t.Fatalf("err: %s", err)
+	switch Format(c.UI) {
+	case "table":
+		if inited {
+			c.UI.Output("Vault is initialized")
+		} else {
+			c.UI.Output("Vault is not initialized")
 		}
-
-		if req.ClientToken != token {
-			t.Fatalf("client token should be filled with %s, got %s", token, req.ClientToken)
-		}
-		if req.TokenEntry() == nil {
-			t.Fatal("token entry should not be nil")
-		}
-		if !reflect.DeepEqual(req.TokenEntry(), te) {
-			t.Fatalf("token entry should be the same as the core")
-		}
-		if req.ClientTokenAccessor == "" {
-			t.Fatal("token accessor should not be empty")
-		}
-	}
-
-	rNothing, err := http.NewRequest("GET", "v1/test/path", nil)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-	req := logical.TestRequest(t, logical.ReadOperation, "test/path")
-
-	requestAuth(rNothing, req)
-	err = core.PopulateTokenEntry(rootCtx, req)
-	if err != nil {
-		t.Fatalf("expected no error, got %s", err)
-	}
-	if req.ClientToken != "" {
-		t.Fatalf("client token should not be filled, got %s", req.ClientToken)
-	}
-}
-
-func TestHandler_getTokenFromReq(t *testing.T) {
-	r := http.Request{Header: http.Header{}}
-
-	tok, _ := getTokenFromReq(&r)
-	if tok != "" {
-		t.Fatalf("expected '' as result, got '%s'", tok)
-	}
-
-	r.Header.Set("Authorization", "Bearer TOKEN NOT_GOOD_TOKEN")
-	token, fromHeader := getTokenFromReq(&r)
-	if !fromHeader {
-		t.Fatal("expected from header")
-	} else if token != "TOKEN NOT_GOOD_TOKEN" {
-		t.Fatal("did not get expected token value")
-	} else if r.Header.Get("Authorization") == "" {
-		t.Fatal("expected value to be passed through")
-	}
-
-	r.Header.Set(consts.AuthHeaderName, "NEWTOKEN")
-	tok, _ = getTokenFromReq(&r)
-	if tok == "TOKEN" {
-		t.Fatalf("%s header should be prioritized", consts.AuthHeaderName)
-	} else if tok != "NEWTOKEN" {
-		t.Fatalf("expected 'NEWTOKEN' as result, got '%s'", tok)
+	default:
+		data := api.InitStatusResponse{Initialized: inited}
+		OutputData(c.UI, data)
 	}
 
-	r.Header = http.Header{}
-	r.Header.Set("Authorization", "Basic TOKEN")
-	tok, fromHeader = getTokenFromReq(&r)
-	if tok != "" {
-		t.Fatalf("expected '' as result, got '%s'", tok)
-	} else if fromHeader {
-		t.Fatal("expected not from header")
-	}
+	return errorCode
 }
 
-func TestHandler_nonPrintableChars(t *testing.T) {
-	testNonPrintable(t, false)
-	testNonPrintable(t, true)
+// machineInit is used to output information about the init command.
+type machineInit struct {
+	UnsealKeysB64     []string `json:"unseal_keys_b64"`
+	UnsealKeysHex     []string `json:"unseal_keys_hex"`
+	UnsealShares      int      `json:"unseal_shares"`
+	UnsealThreshold   int      `json:"unseal_threshold"`
+	RecoveryKeysB64   []string `json:"recovery_keys_b64"`
+	RecoveryKeysHex   []string `json:"recovery_keys_hex"`
+	RecoveryShares    int      `json:"recovery_keys_shares"`
+	RecoveryThreshold int      `json:"recovery_keys_threshold"`
+	RootToken         string   `json:"root_token"`
 }
 
-func testNonPrintable(t *testing.T, disable bool) {
-	core, _, token := vault.TestCoreUnsealedWithConfig(t, &vault.CoreConfig{
-		DisableKeyEncodingChecks: disable,
-	})
-	ln, addr := TestListener(t)
-	props := &vault.HandlerProperties{
-		Core:                  core,
-		DisablePrintableCheck: disable,
-		ListenerConfig:        &configutil.Listener{},
-	}
-	TestServerWithListenerAndProperties(t, ln, addr, core, props)
-	defer ln.Close()
+func newMachineInit(req *api.InitRequest, resp *api.InitResponse) *machineInit {
+	init := &machineInit{}
 
-	req, err := http.NewRequest("PUT", addr+"/v1/cubbyhole/foo\u2028bar", strings.NewReader(`{"zip": "zap"}`))
-	if err != nil {
-		t.Fatalf("err: %s", err)
+	init.UnsealKeysHex = make([]string, len(resp.Keys))
+	for i, v := range resp.Keys {
+		init.UnsealKeysHex[i] = v
 	}
-	req.Header.Set(consts.AuthHeaderName, token)
 
-	client := cleanhttp.DefaultClient()
-	resp, err := client.Do(req)
-	if err != nil {
-		t.Fatalf("err: %s", err)
+	init.UnsealKeysB64 = make([]string, len(resp.KeysB64))
+	for i, v := range resp.KeysB64 {
+		init.UnsealKeysB64[i] = v
 	}
 
-	if disable {
-		testResponseStatus(t, resp, 204)
+	// If we don't get a set of keys back, it means that we are storing the keys,
+	// so the key shares and threshold has been set to 1.
+	if len(resp.Keys) == 0 {
+		init.UnsealShares = 1
+		init.UnsealThreshold = 1
 	} else {
-		testResponseStatus(t, resp, 400)
+		init.UnsealShares = req.SecretShares
+		init.UnsealThreshold = req.SecretThreshold
 	}
-}
-
-func TestHandler_Parse_Form(t *testing.T) {
-	cluster := vault.NewTestCluster(t, &vault.CoreConfig{}, &vault.TestClusterOptions{
-		HandlerFunc: Handler,
-	})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	cores := cluster.Cores
 
-	core := cores[0].Core
-	vault.TestWaitActive(t, core)
-
-	c := cleanhttp.DefaultClient()
-	c.Transport = &http.Transport{
-		TLSClientConfig: &tls.Config{
-			RootCAs: cluster.RootCAs,
-		},
+	init.RecoveryKeysHex = make([]string, len(resp.RecoveryKeys))
+	for i, v := range resp.RecoveryKeys {
+		init.RecoveryKeysHex[i] = v
 	}
 
-	values := url.Values{
-		"zip":   []string{"zap"},
-		"abc":   []string{"xyz"},
-		"multi": []string{"first", "second"},
-		"empty": []string{},
-	}
-	req, err := http.NewRequest("POST", cores[0].Client.Address()+"/v1/secret/foo", nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	req.Body = ioutil.NopCloser(strings.NewReader(values.Encode()))
-	req.Header.Set("x-vault-token", cluster.RootToken)
-	req.Header.Set("content-type", "application/x-www-form-urlencoded")
-	resp, err := c.Do(req)
-	if err != nil {
-		t.Fatal(err)
+	init.RecoveryKeysB64 = make([]string, len(resp.RecoveryKeysB64))
+	for i, v := range resp.RecoveryKeysB64 {
+		init.RecoveryKeysB64[i] = v
 	}
 
-	if resp.StatusCode != 204 {
-		t.Fatalf("bad response: %#v\nrequest was: %#v\nurl was: %#v", *resp, *req, req.URL)
-	}
+	init.RecoveryShares = req.RecoveryShares
+	init.RecoveryThreshold = req.RecoveryThreshold
 
-	client := cores[0].Client
-	client.SetToken(cluster.RootToken)
+	init.RootToken = resp.RootToken
 
-	apiResp, err := client.Logical().Read("secret/foo")
-	if err != nil {
-		t.Fatal(err)
-	}
-	if apiResp == nil {
-		t.Fatal("api resp is nil")
-	}
-	expected := map[string]interface{}{
-		"zip":   "zap",
-		"abc":   "xyz",
-		"multi": "first,second",
-	}
-	if diff := deep.Equal(expected, apiResp.Data); diff != nil {
-		t.Fatal(diff)
-	}
+	return init
 }
diff --git a/http/logical.go b/http/logical.go
index c76c0462c068..73fe4ff59e93 100644
--- a/http/logical.go
+++ b/http/logical.go
@@ -1,585 +1,374 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package http
+//go:build !race
+
+package command
 
 import (
-	"bufio"
-	"encoding/base64"
-	"encoding/json"
 	"fmt"
-	"io"
-	"mime"
-	"net"
-	"net/http"
+	"os"
+	"regexp"
 	"strconv"
 	"strings"
-	"time"
+	"testing"
 
-	"github.com/hashicorp/go-uuid"
-	"github.com/hashicorp/vault/helper/namespace"
-	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/helper/pgpkeys"
 	"github.com/hashicorp/vault/vault"
-	"go.uber.org/atomic"
 )
 
-// bufferedReader can be used to replace a request body with a buffered
-// version. The Close method invokes the original Closer.
-type bufferedReader struct {
-	*bufio.Reader
-	rOrig io.ReadCloser
-}
+func testOperatorInitCommand(tb testing.TB) (*cli.MockUi, *OperatorInitCommand) {
+	tb.Helper()
 
-func newBufferedReader(r io.ReadCloser) *bufferedReader {
-	return &bufferedReader{
-		Reader: bufio.NewReader(r),
-		rOrig:  r,
+	ui := cli.NewMockUi()
+	return ui, &OperatorInitCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
 	}
 }
 
-func (b *bufferedReader) Close() error {
-	return b.rOrig.Close()
-}
+func TestOperatorInitCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"too_many_args",
+			[]string{"foo"},
+			"Too many arguments",
+			1,
+		},
+		{
+			"pgp_keys_multi",
+			[]string{
+				"-pgp-keys", "keybase:hashicorp",
+				"-pgp-keys", "keybase:jefferai",
+			},
+			"can only be specified once",
+			1,
+		},
+		{
+			"root_token_pgp_key_multi",
+			[]string{
+				"-root-token-pgp-key", "keybase:hashicorp",
+				"-root-token-pgp-key", "keybase:jefferai",
+			},
+			"can only be specified once",
+			1,
+		},
+		{
+			"root_token_pgp_key_multi_inline",
+			[]string{
+				"-root-token-pgp-key", "keybase:hashicorp,keybase:jefferai",
+			},
+			"can only specify one pgp key",
+			1,
+		},
+		{
+			"recovery_pgp_keys_multi",
+			[]string{
+				"-recovery-pgp-keys", "keybase:hashicorp",
+				"-recovery-pgp-keys", "keybase:jefferai",
+			},
+			"can only be specified once",
+			1,
+		},
+		{
+			"key_shares_pgp_less",
+			[]string{
+				"-key-shares", "10",
+				"-pgp-keys", "keybase:jefferai,keybase:sethvargo",
+			},
+			"incorrect number",
+			2,
+		},
+		{
+			"key_shares_pgp_more",
+			[]string{
+				"-key-shares", "1",
+				"-pgp-keys", "keybase:jefferai,keybase:sethvargo",
+			},
+			"incorrect number",
+			2,
+		},
+	}
 
-const MergePatchContentTypeHeader = "application/merge-patch+json"
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
 
-func buildLogicalRequestNoAuth(perfStandby bool, ra *vault.RouterAccess, w http.ResponseWriter, r *http.Request) (*logical.Request, io.ReadCloser, int, error) {
-	ns, err := namespace.FromContext(r.Context())
-	if err != nil {
-		return nil, nil, http.StatusBadRequest, nil
-	}
-	path := ns.TrimmedPath(r.URL.Path[len("/v1/"):])
-
-	var data map[string]interface{}
-	var origBody io.ReadCloser
-	var passHTTPReq bool
-	var responseWriter http.ResponseWriter
-
-	// Determine the operation
-	var op logical.Operation
-	switch r.Method {
-	case "DELETE":
-		op = logical.DeleteOperation
-		data = parseQuery(r.URL.Query())
-	case "GET":
-		op = logical.ReadOperation
-		queryVals := r.URL.Query()
-		var list bool
-		var err error
-		listStr := queryVals.Get("list")
-		if listStr != "" {
-			list, err = strconv.ParseBool(listStr)
-			if err != nil {
-				return nil, nil, http.StatusBadRequest, nil
-			}
-			if list {
-				queryVals.Del("list")
-				op = logical.ListOperation
-				if !strings.HasSuffix(path, "/") {
-					path += "/"
-				}
-			}
-		}
+		for _, tc := range cases {
+			tc := tc
 
-		data = parseQuery(queryVals)
-
-		switch {
-		case strings.HasPrefix(path, "sys/pprof/"):
-			passHTTPReq = true
-			responseWriter = w
-		case path == "sys/storage/raft/snapshot":
-			responseWriter = w
-		case path == "sys/internal/counters/activity/export":
-			responseWriter = w
-		case path == "sys/monitor":
-			passHTTPReq = true
-			responseWriter = w
-		}
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
 
-	case "POST", "PUT":
-		op = logical.UpdateOperation
-
-		// Buffer the request body in order to allow us to peek at the beginning
-		// without consuming it. This approach involves no copying.
-		bufferedBody := newBufferedReader(r.Body)
-		r.Body = bufferedBody
-
-		// If we are uploading a snapshot or receiving an ocsp-request (which
-		// is der encoded) we don't want to parse it. Instead, we will simply
-		// add the HTTP request to the logical request object for later consumption.
-		contentType := r.Header.Get("Content-Type")
-
-		if ra != nil && ra.IsBinaryPath(r.Context(), path) {
-			passHTTPReq = true
-			origBody = r.Body
-		} else if path == "sys/storage/raft/snapshot" || path == "sys/storage/raft/snapshot-force" {
-			passHTTPReq = true
-			origBody = r.Body
-		} else {
-			// Sample the first bytes to determine whether this should be parsed as
-			// a form or as JSON. The amount to look ahead (512 bytes) is arbitrary
-			// but extremely tolerant (i.e. allowing 511 bytes of leading whitespace
-			// and an incorrect content-type).
-			head, err := bufferedBody.Peek(512)
-			if err != nil && err != bufio.ErrBufferFull && err != io.EOF {
-				status := http.StatusBadRequest
-				logical.AdjustErrorStatusCode(&status, err)
-				return nil, nil, status, fmt.Errorf("error reading data")
-			}
+				client, closer := testVaultServer(t)
+				defer closer()
 
-			if isForm(head, contentType) {
-				formData, err := parseFormRequest(r)
-				if err != nil {
-					status := http.StatusBadRequest
-					logical.AdjustErrorStatusCode(&status, err)
-					return nil, nil, status, fmt.Errorf("error parsing form data")
-				}
+				ui, cmd := testOperatorInitCommand(t)
+				cmd.client = client
 
-				data = formData
-			} else {
-				origBody, err = parseJSONRequest(perfStandby, r, w, &data)
-				if err == io.EOF {
-					data = nil
-					err = nil
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
 				}
-				if err != nil {
-					status := http.StatusBadRequest
-					logical.AdjustErrorStatusCode(&status, err)
-					return nil, nil, status, fmt.Errorf("error parsing JSON")
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
 				}
-			}
+			})
 		}
+	})
 
-	case "PATCH":
-		op = logical.PatchOperation
+	t.Run("status", func(t *testing.T) {
+		t.Parallel()
 
-		contentTypeHeader := r.Header.Get("Content-Type")
-		contentType, _, err := mime.ParseMediaType(contentTypeHeader)
-		if err != nil {
-			status := http.StatusBadRequest
-			logical.AdjustErrorStatusCode(&status, err)
-			return nil, nil, status, err
-		}
+		client, closer := testVaultServerUninit(t)
+		defer closer()
 
-		if contentType != MergePatchContentTypeHeader {
-			return nil, nil, http.StatusUnsupportedMediaType, fmt.Errorf("PATCH requires Content-Type of %s, provided %s", MergePatchContentTypeHeader, contentType)
-		}
-
-		origBody, err = parseJSONRequest(perfStandby, r, w, &data)
+		ui, cmd := testOperatorInitCommand(t)
+		cmd.client = client
 
-		if err == io.EOF {
-			data = nil
-			err = nil
+		// Verify the non-init response code
+		code := cmd.Run([]string{
+			"-status",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
 		}
 
-		if err != nil {
-			status := http.StatusBadRequest
-			logical.AdjustErrorStatusCode(&status, err)
-			return nil, nil, status, fmt.Errorf("error parsing JSON")
+		// Now init to verify the init response code
+		if _, err := client.Sys().Init(&api.InitRequest{
+			SecretShares:    1,
+			SecretThreshold: 1,
+		}); err != nil {
+			t.Fatal(err)
 		}
 
-	case "LIST":
-		op = logical.ListOperation
-		if !strings.HasSuffix(path, "/") {
-			path += "/"
+		// Verify the init response code
+		ui, cmd = testOperatorInitCommand(t)
+		cmd.client = client
+		code = cmd.Run([]string{
+			"-status",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
 		}
+	})
 
-		data = parseQuery(r.URL.Query())
-	case "HEAD":
-		op = logical.HeaderOperation
-		data = parseQuery(r.URL.Query())
-	case "OPTIONS":
-	default:
-		return nil, nil, http.StatusMethodNotAllowed, nil
-	}
-
-	requestId, err := uuid.GenerateUUID()
-	if err != nil {
-		return nil, nil, http.StatusInternalServerError, fmt.Errorf("failed to generate identifier for the request: %w", err)
-	}
-
-	req := &logical.Request{
-		ID:         requestId,
-		Operation:  op,
-		Path:       path,
-		Data:       data,
-		Connection: getConnection(r),
-		Headers:    r.Header,
-	}
+	t.Run("default", func(t *testing.T) {
+		t.Parallel()
 
-	if passHTTPReq {
-		req.HTTPRequest = r
-	}
-	if responseWriter != nil {
-		req.ResponseWriter = logical.NewHTTPResponseWriter(responseWriter)
-	}
+		client, closer := testVaultServerUninit(t)
+		defer closer()
 
-	return req, origBody, 0, nil
-}
+		ui, cmd := testOperatorInitCommand(t)
+		cmd.client = client
 
-func buildLogicalPath(r *http.Request) (string, int, error) {
-	ns, err := namespace.FromContext(r.Context())
-	if err != nil {
-		return "", http.StatusBadRequest, nil
-	}
+		code := cmd.Run([]string{})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
+		}
 
-	path := ns.TrimmedPath(strings.TrimPrefix(r.URL.Path, "/v1/"))
+		init, err := client.Sys().InitStatus()
+		if err != nil {
+			t.Fatal(err)
+		}
+		if !init {
+			t.Error("expected initialized")
+		}
 
-	switch r.Method {
-	case "GET":
-		var (
-			list bool
-			err  error
-		)
+		re := regexp.MustCompile(`Unseal Key \d+: (.+)`)
+		output := ui.OutputWriter.String()
+		match := re.FindAllStringSubmatch(output, -1)
+		if len(match) < 5 || len(match[0]) < 2 {
+			t.Fatalf("no match: %#v", match)
+		}
 
-		queryVals := r.URL.Query()
+		keys := make([]string, len(match))
+		for i := range match {
+			keys[i] = match[i][1]
+		}
 
-		listStr := queryVals.Get("list")
-		if listStr != "" {
-			list, err = strconv.ParseBool(listStr)
+		// Try unsealing with those keys - only use 3, which is the default
+		// threshold.
+		for i, key := range keys[:3] {
+			resp, err := client.Sys().Unseal(key)
 			if err != nil {
-				return "", http.StatusBadRequest, nil
+				t.Fatal(err)
 			}
-			if list {
-				if !strings.HasSuffix(path, "/") {
-					path += "/"
-				}
+
+			exp := (i + 1) % 3 // 1, 2, 0
+			if resp.Progress != exp {
+				t.Errorf("expected %d to be %d", resp.Progress, exp)
 			}
 		}
 
-	case "LIST":
-		if !strings.HasSuffix(path, "/") {
-			path += "/"
+		status, err := client.Sys().SealStatus()
+		if err != nil {
+			t.Fatal(err)
 		}
-	}
-
-	return path, 0, nil
-}
-
-func buildLogicalRequest(core *vault.Core, w http.ResponseWriter, r *http.Request) (*logical.Request, io.ReadCloser, int, error) {
-	req, origBody, status, err := buildLogicalRequestNoAuth(core.PerfStandby(), core.RouterAccess(), w, r)
-	if err != nil || status != 0 {
-		return nil, nil, status, err
-	}
-
-	req.SetRequiredState(r.Header.Values(VaultIndexHeaderName))
-	requestAuth(r, req)
-
-	req, err = requestWrapInfo(r, req)
-	if err != nil {
-		return nil, nil, http.StatusBadRequest, fmt.Errorf("error parsing X-Vault-Wrap-TTL header: %w", err)
-	}
-
-	err = parseMFAHeader(req)
-	if err != nil {
-		return nil, nil, http.StatusBadRequest, fmt.Errorf("failed to parse X-Vault-MFA header: %w", err)
-	}
+		if status.Sealed {
+			t.Errorf("expected vault to be unsealed: %#v", status)
+		}
+	})
 
-	err = requestPolicyOverride(r, req)
-	if err != nil {
-		return nil, nil, http.StatusBadRequest, fmt.Errorf("failed to parse %s header: %w", PolicyOverrideHeaderName, err)
-	}
+	t.Run("custom_shares_threshold", func(t *testing.T) {
+		t.Parallel()
 
-	return req, origBody, 0, nil
-}
+		keyShares, keyThreshold := 20, 15
 
-// handleLogical returns a handler for processing logical requests. These requests
-// may or may not end up getting forwarded under certain scenarios if the node
-// is a performance standby. Some of these cases include:
-//   - Perf standby and token with limited use count.
-//   - Perf standby and token re-validation needed (e.g. due to invalid token).
-//   - Perf standby and control group error.
-func handleLogical(core *vault.Core) http.Handler {
-	return handleLogicalInternal(core, false, false)
-}
+		client, closer := testVaultServerUninit(t)
+		defer closer()
 
-// handleLogicalWithInjector returns a handler for processing logical requests
-// that also have their logical response data injected at the top-level payload.
-// All forwarding behavior remains the same as `handleLogical`.
-func handleLogicalWithInjector(core *vault.Core) http.Handler {
-	return handleLogicalInternal(core, true, false)
-}
+		ui, cmd := testOperatorInitCommand(t)
+		cmd.client = client
 
-// handleLogicalNoForward returns a handler for processing logical local-only
-// requests. These types of requests never forwarded, and return an
-// `vault.ErrCannotForwardLocalOnly` error if attempted to do so.
-func handleLogicalNoForward(core *vault.Core) http.Handler {
-	return handleLogicalInternal(core, false, true)
-}
+		code := cmd.Run([]string{
+			"-key-shares", strconv.Itoa(keyShares),
+			"-key-threshold", strconv.Itoa(keyThreshold),
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
+		}
 
-func handleLogicalRecovery(raw *vault.RawBackend, token *atomic.String) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		req, _, statusCode, err := buildLogicalRequestNoAuth(false, nil, w, r)
-		if err != nil || statusCode != 0 {
-			respondError(w, statusCode, err)
-			return
+		init, err := client.Sys().InitStatus()
+		if err != nil {
+			t.Fatal(err)
 		}
-		reqToken := r.Header.Get(consts.AuthHeaderName)
-		if reqToken == "" || token.Load() == "" || reqToken != token.Load() {
-			respondError(w, http.StatusForbidden, nil)
-			return
+		if !init {
+			t.Error("expected initialized")
 		}
 
-		resp, err := raw.HandleRequest(r.Context(), req)
-		if respondErrorCommon(w, req, resp, err) {
-			return
+		re := regexp.MustCompile(`Unseal Key \d+: (.+)`)
+		output := ui.OutputWriter.String()
+		match := re.FindAllStringSubmatch(output, -1)
+		if len(match) < keyShares || len(match[0]) < 2 {
+			t.Fatalf("no match: %#v", match)
 		}
 
-		var httpResp *logical.HTTPResponse
-		if resp != nil {
-			httpResp = logical.LogicalResponseToHTTPResponse(resp)
-			httpResp.RequestID = req.ID
+		keys := make([]string, len(match))
+		for i := range match {
+			keys[i] = match[i][1]
 		}
-		respondOk(w, httpResp)
-	})
-}
 
-// handleLogicalInternal is a common helper that returns a handler for
-// processing logical requests. The behavior depends on the various boolean
-// toggles. Refer to usage on functions for possible behaviors.
-func handleLogicalInternal(core *vault.Core, injectDataIntoTopLevel bool, noForward bool) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		req, origBody, statusCode, err := buildLogicalRequest(core, w, r)
-		if err != nil || statusCode != 0 {
-			respondError(w, statusCode, err)
-			return
+		// Try unsealing with those keys - only use 3, which is the default
+		// threshold.
+		for i, key := range keys[:keyThreshold] {
+			resp, err := client.Sys().Unseal(key)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			exp := (i + 1) % keyThreshold
+			if resp.Progress != exp {
+				t.Errorf("expected %d to be %d", resp.Progress, exp)
+			}
 		}
 
-		// Websockets need to be handled at HTTP layer instead of logical requests.
-		ns, err := namespace.FromContext(r.Context())
+		status, err := client.Sys().SealStatus()
 		if err != nil {
-			respondError(w, http.StatusInternalServerError, err)
-			return
-		}
-		nsPath := ns.Path
-		if ns.ID == namespace.RootNamespaceID {
-			nsPath = ""
-		}
-		if strings.HasPrefix(r.URL.Path, fmt.Sprintf("/v1/%ssys/events/subscribe/", nsPath)) {
-			handler := handleEventsSubscribe(core, req)
-			handler.ServeHTTP(w, r)
-			return
+			t.Fatal(err)
 		}
-		handler := handleEntPaths(nsPath, core, r)
-		if handler != nil {
-			handler.ServeHTTP(w, r)
-			return
-		}
-
-		// Make the internal request. We attach the connection info
-		// as well in case this is an authentication request that requires
-		// it. Vault core handles stripping this if we need to. This also
-		// handles all error cases; if we hit respondLogical, the request is a
-		// success.
-		resp, ok, needsForward := request(core, w, r, req)
-		switch {
-		case needsForward && noForward:
-			respondError(w, http.StatusBadRequest, vault.ErrCannotForwardLocalOnly)
-			return
-		case needsForward && !noForward:
-			if origBody != nil {
-				r.Body = origBody
-			}
-			forwardRequest(core, w, r)
-			return
-		case !ok:
-			// If not ok, we simply return. The call on request should have
-			// taken care of setting the appropriate response code and payload
-			// in this case.
-			return
-		default:
-			// Build and return the proper response if everything is fine.
-			respondLogical(core, w, r, req, resp, injectDataIntoTopLevel)
-			return
+		if status.Sealed {
+			t.Errorf("expected vault to be unsealed: %#v", status)
 		}
 	})
-}
-
-func respondLogical(core *vault.Core, w http.ResponseWriter, r *http.Request, req *logical.Request, resp *logical.Response, injectDataIntoTopLevel bool) {
-	var httpResp *logical.HTTPResponse
-	var ret interface{}
 
-	// If vault's core has already written to the response writer do not add any
-	// additional output. Headers have already been sent.
-	if req != nil && req.ResponseWriter != nil && req.ResponseWriter.Written() {
-		return
-	}
+	t.Run("pgp", func(t *testing.T) {
+		t.Parallel()
 
-	if resp != nil {
-		if resp.Redirect != "" {
-			// If we have a redirect, redirect! We use a 307 code
-			// because we don't actually know if its permanent.
-			http.Redirect(w, r, resp.Redirect, 307)
-			return
-		}
-
-		// Check if this is a raw response
-		if _, ok := resp.Data[logical.HTTPStatusCode]; ok {
-			respondRaw(w, r, resp)
-			return
+		tempDir, pubFiles, err := getPubKeyFiles(t)
+		if err != nil {
+			t.Fatal(err)
 		}
-
-		if resp.WrapInfo != nil && resp.WrapInfo.Token != "" {
-			httpResp = &logical.HTTPResponse{
-				WrapInfo: &logical.HTTPWrapInfo{
-					Token:           resp.WrapInfo.Token,
-					Accessor:        resp.WrapInfo.Accessor,
-					TTL:             int(resp.WrapInfo.TTL.Seconds()),
-					CreationTime:    resp.WrapInfo.CreationTime.Format(time.RFC3339Nano),
-					CreationPath:    resp.WrapInfo.CreationPath,
-					WrappedAccessor: resp.WrapInfo.WrappedAccessor,
-				},
-			}
-		} else {
-			httpResp = logical.LogicalResponseToHTTPResponse(resp)
-			httpResp.RequestID = req.ID
+		defer os.RemoveAll(tempDir)
+
+		client, closer := testVaultServerUninit(t)
+		defer closer()
+
+		ui, cmd := testOperatorInitCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"-key-shares", "4",
+			"-key-threshold", "2",
+			"-pgp-keys", fmt.Sprintf("%s,@%s, %s,     %s           ",
+				pubFiles[0], pubFiles[1], pubFiles[2], pubFiles[3]),
+			"-root-token-pgp-key", pubFiles[0],
+		})
+		if exp := 0; code != exp {
+			t.Fatalf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
 		}
 
-		ret = httpResp
-
-		if injectDataIntoTopLevel {
-			injector := logical.HTTPSysInjector{
-				Response: httpResp,
-			}
-			ret = injector
+		re := regexp.MustCompile(`Unseal Key \d+: (.+)`)
+		output := ui.OutputWriter.String()
+		match := re.FindAllStringSubmatch(output, -1)
+		if len(match) < 4 || len(match[0]) < 2 {
+			t.Fatalf("no match: %#v", match)
 		}
-	}
-
-	entAdjustResponse(core, w, req)
-
-	// Respond
-	respondOk(w, ret)
-	return
-}
 
-// respondRaw is used when the response is using HTTPContentType and HTTPRawBody
-// to change the default response handling. This is only used for specific things like
-// returning the CRL information on the PKI backends.
-func respondRaw(w http.ResponseWriter, r *http.Request, resp *logical.Response) {
-	retErr := func(w http.ResponseWriter, err string) {
-		w.Header().Set("X-Vault-Raw-Error", err)
-		w.WriteHeader(http.StatusInternalServerError)
-		w.Write(nil)
-	}
-
-	// Ensure this is never a secret or auth response
-	if resp.Secret != nil || resp.Auth != nil {
-		retErr(w, "raw responses cannot contain secrets or auth")
-		return
-	}
-
-	// Get the status code
-	statusRaw, ok := resp.Data[logical.HTTPStatusCode]
-	if !ok {
-		retErr(w, "no status code given")
-		return
-	}
-
-	var status int
-	switch statusRaw.(type) {
-	case int:
-		status = statusRaw.(int)
-	case float64:
-		status = int(statusRaw.(float64))
-	case json.Number:
-		s64, err := statusRaw.(json.Number).Float64()
-		if err != nil {
-			retErr(w, "cannot decode status code")
-			return
+		keys := make([]string, len(match))
+		for i := range match {
+			keys[i] = match[i][1]
 		}
-		status = int(s64)
-	default:
-		retErr(w, "cannot decode status code")
-		return
-	}
-
-	nonEmpty := status != http.StatusNoContent
 
-	var contentType string
-	var body []byte
-
-	// Get the content type header; don't require it if the body is empty
-	contentTypeRaw, ok := resp.Data[logical.HTTPContentType]
-	if !ok && nonEmpty {
-		retErr(w, "no content type given")
-		return
-	}
-	if ok {
-		contentType, ok = contentTypeRaw.(string)
-		if !ok {
-			retErr(w, "cannot decode content type")
-			return
+		// Try unsealing with one key
+		decryptedKey := testPGPDecrypt(t, pgpkeys.TestPrivKey1, keys[0])
+		if _, err := client.Sys().Unseal(decryptedKey); err != nil {
+			t.Fatal(err)
 		}
-	}
 
-	if nonEmpty {
-		// Get the body
-		bodyRaw, ok := resp.Data[logical.HTTPRawBody]
-		if !ok {
-			goto WRITE_RESPONSE
+		// Decrypt the root token
+		reToken := regexp.MustCompile(`Root Token: (.+)`)
+		match = reToken.FindAllStringSubmatch(output, -1)
+		if len(match) < 1 || len(match[0]) < 2 {
+			t.Fatalf("no match")
 		}
+		root := match[0][1]
+		decryptedRoot := testPGPDecrypt(t, pgpkeys.TestPrivKey1, root)
 
-		switch bodyRaw.(type) {
-		case string:
-			// This is best effort. The value may already be base64-decoded so
-			// if it doesn't work we just use as-is
-			bodyDec, err := base64.StdEncoding.DecodeString(bodyRaw.(string))
-			if err == nil {
-				body = bodyDec
-			} else {
-				body = []byte(bodyRaw.(string))
-			}
-		case []byte:
-			body = bodyRaw.([]byte)
-		default:
-			retErr(w, "cannot decode body")
-			return
+		if l, exp := len(decryptedRoot), vault.TokenLength+vault.TokenPrefixLength; l != exp {
+			t.Errorf("expected %d to be %d", l, exp)
 		}
-	}
+	})
 
-WRITE_RESPONSE:
-	// Write the response
-	if contentType != "" {
-		w.Header().Set("Content-Type", contentType)
-	}
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
 
-	if cacheControl, ok := resp.Data[logical.HTTPCacheControlHeader].(string); ok {
-		w.Header().Set("Cache-Control", cacheControl)
-	}
+		client, closer := testVaultServerBad(t)
+		defer closer()
 
-	if pragma, ok := resp.Data[logical.HTTPPragmaHeader].(string); ok {
-		w.Header().Set("Pragma", pragma)
-	}
+		ui, cmd := testOperatorInitCommand(t)
+		cmd.client = client
 
-	if wwwAuthn, ok := resp.Data[logical.HTTPWWWAuthenticateHeader].(string); ok {
-		w.Header().Set("WWW-Authenticate", wwwAuthn)
-	}
-
-	w.WriteHeader(status)
-	w.Write(body)
-}
+		code := cmd.Run([]string{
+			"-key-shares=1",
+			"-key-threshold=1",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
 
-// getConnection is used to format the connection information for
-// attaching to a logical request
-func getConnection(r *http.Request) (connection *logical.Connection) {
-	var remoteAddr string
-	var remotePort int
-
-	remoteAddr, port, err := net.SplitHostPort(r.RemoteAddr)
-	if err != nil {
-		remoteAddr = ""
-	} else {
-		remotePort, err = strconv.Atoi(port)
-		if err != nil {
-			remotePort = 0
+		expected := "Error making API request"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
 		}
-	}
+	})
 
-	connection = &logical.Connection{
-		RemoteAddr: remoteAddr,
-		RemotePort: remotePort,
-		ConnState:  r.TLS,
-	}
-	return
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testOperatorInitCommand(t)
+		assertNoTabs(t, cmd)
+	})
 }
diff --git a/http/logical_test.go b/http/logical_test.go
index cc85967774b9..015bd891f75f 100644
--- a/http/logical_test.go
+++ b/http/logical_test.go
@@ -1,1033 +1,84 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package http
+package command
 
 import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"io"
-	"io/ioutil"
-	"net/http"
-	"net/http/httptest"
-	"os"
-	"reflect"
-	"strconv"
+	"fmt"
 	"strings"
-	"testing"
-	"time"
 
-	"github.com/go-test/deep"
-	log "github.com/hashicorp/go-hclog"
-	kv "github.com/hashicorp/vault-plugin-secrets-kv"
-	"github.com/hashicorp/vault/api"
-	auditFile "github.com/hashicorp/vault/builtin/audit/file"
-	credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
-	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
-	"github.com/hashicorp/vault/internalshared/configutil"
-	"github.com/hashicorp/vault/sdk/framework"
-	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/hashicorp/vault/sdk/helper/logging"
-	"github.com/hashicorp/vault/sdk/logical"
-	"github.com/hashicorp/vault/sdk/physical"
-	"github.com/hashicorp/vault/sdk/physical/inmem"
-
-	"github.com/hashicorp/vault/audit"
-	"github.com/hashicorp/vault/helper/namespace"
-	"github.com/hashicorp/vault/vault"
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
 )
 
-func TestLogical(t *testing.T) {
-	core, _, token := vault.TestCoreUnsealed(t)
-	ln, addr := TestServer(t, core)
-	defer ln.Close()
-	TestServerAuth(t, addr, token)
-
-	// WRITE
-	resp := testHttpPut(t, token, addr+"/v1/secret/foo", map[string]interface{}{
-		"data": "bar",
-	})
-	testResponseStatus(t, resp, 204)
-
-	// READ
-	// Bad token should return a 403
-	resp = testHttpGet(t, token+"bad", addr+"/v1/secret/foo")
-	testResponseStatus(t, resp, 403)
-
-	resp = testHttpGet(t, token, addr+"/v1/secret/foo")
-	var actual map[string]interface{}
-	var nilWarnings interface{}
-	expected := map[string]interface{}{
-		"renewable":      false,
-		"lease_duration": json.Number(strconv.Itoa(int((32 * 24 * time.Hour) / time.Second))),
-		"data": map[string]interface{}{
-			"data": "bar",
-		},
-		"auth":       nil,
-		"wrap_info":  nil,
-		"warnings":   nilWarnings,
-		"mount_type": "kv",
-	}
-	testResponseStatus(t, resp, 200)
-	testResponseBody(t, resp, &actual)
-	delete(actual, "lease_id")
-	expected["request_id"] = actual["request_id"]
-	if diff := deep.Equal(actual, expected); diff != nil {
-		t.Fatal(diff)
-	}
-
-	// DELETE
-	resp = testHttpDelete(t, token, addr+"/v1/secret/foo")
-	testResponseStatus(t, resp, 204)
-
-	resp = testHttpGet(t, token, addr+"/v1/secret/foo")
-	testResponseStatus(t, resp, 404)
-}
-
-func TestLogical_noExist(t *testing.T) {
-	core, _, token := vault.TestCoreUnsealed(t)
-	ln, addr := TestServer(t, core)
-	defer ln.Close()
-	TestServerAuth(t, addr, token)
-
-	resp := testHttpGet(t, token, addr+"/v1/secret/foo")
-	testResponseStatus(t, resp, 404)
-}
-
-func TestLogical_StandbyRedirect(t *testing.T) {
-	ln1, addr1 := TestListener(t)
-	defer ln1.Close()
-	ln2, addr2 := TestListener(t)
-	defer ln2.Close()
-
-	// Create an HA Vault
-	logger := logging.NewVaultLogger(log.Debug)
-
-	inmha, err := inmem.NewInmemHA(nil, logger)
-	if err != nil {
-		t.Fatal(err)
-	}
-	conf := &vault.CoreConfig{
-		Physical:     inmha,
-		HAPhysical:   inmha.(physical.HABackend),
-		RedirectAddr: addr1,
-		DisableMlock: true,
-	}
-	core1, err := vault.NewCore(conf)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	defer core1.Shutdown()
-	keys, root := vault.TestCoreInit(t, core1)
-	for _, key := range keys {
-		if _, err := core1.Unseal(vault.TestKeyCopy(key)); err != nil {
-			t.Fatalf("unseal err: %s", err)
-		}
-	}
-
-	// Attempt to fix raciness in this test by giving the first core a chance
-	// to grab the lock
-	time.Sleep(2 * time.Second)
-
-	// Create a second HA Vault
-	conf2 := &vault.CoreConfig{
-		Physical:     inmha,
-		HAPhysical:   inmha.(physical.HABackend),
-		RedirectAddr: addr2,
-		DisableMlock: true,
-	}
-	core2, err := vault.NewCore(conf2)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	defer core2.Shutdown()
-	for _, key := range keys {
-		if _, err := core2.Unseal(vault.TestKeyCopy(key)); err != nil {
-			t.Fatalf("unseal err: %s", err)
-		}
-	}
-
-	TestServerWithListener(t, ln1, addr1, core1)
-	TestServerWithListener(t, ln2, addr2, core2)
-	TestServerAuth(t, addr1, root)
-
-	// WRITE to STANDBY
-	resp := testHttpPutDisableRedirect(t, root, addr2+"/v1/secret/foo", map[string]interface{}{
-		"data": "bar",
-	})
-	logger.Debug("307 test one starting")
-	testResponseStatus(t, resp, 307)
-	logger.Debug("307 test one stopping")
-
-	//// READ to standby
-	resp = testHttpGet(t, root, addr2+"/v1/auth/token/lookup-self")
-	var actual map[string]interface{}
-	var nilWarnings interface{}
-	expected := map[string]interface{}{
-		"renewable":      false,
-		"lease_duration": json.Number("0"),
-		"data": map[string]interface{}{
-			"meta":             nil,
-			"num_uses":         json.Number("0"),
-			"path":             "auth/token/root",
-			"policies":         []interface{}{"root"},
-			"display_name":     "root",
-			"orphan":           true,
-			"id":               root,
-			"ttl":              json.Number("0"),
-			"creation_ttl":     json.Number("0"),
-			"explicit_max_ttl": json.Number("0"),
-			"expire_time":      nil,
-			"entity_id":        "",
-			"type":             "service",
-		},
-		"warnings":   nilWarnings,
-		"wrap_info":  nil,
-		"auth":       nil,
-		"mount_type": "token",
-	}
-
-	testResponseStatus(t, resp, 200)
-	testResponseBody(t, resp, &actual)
-	actualDataMap := actual["data"].(map[string]interface{})
-	delete(actualDataMap, "creation_time")
-	delete(actualDataMap, "accessor")
-	actual["data"] = actualDataMap
-	expected["request_id"] = actual["request_id"]
-	delete(actual, "lease_id")
-	if diff := deep.Equal(actual, expected); diff != nil {
-		t.Fatal(diff)
-	}
-
-	//// DELETE to standby
-	resp = testHttpDeleteDisableRedirect(t, root, addr2+"/v1/secret/foo")
-	logger.Debug("307 test two starting")
-	testResponseStatus(t, resp, 307)
-	logger.Debug("307 test two stopping")
-}
-
-func TestLogical_CreateToken(t *testing.T) {
-	core, _, token := vault.TestCoreUnsealed(t)
-	ln, addr := TestServer(t, core)
-	defer ln.Close()
-	TestServerAuth(t, addr, token)
-
-	// WRITE
-	resp := testHttpPut(t, token, addr+"/v1/auth/token/create", map[string]interface{}{
-		"data": "bar",
-	})
-
-	var actual map[string]interface{}
-	expected := map[string]interface{}{
-		"lease_id":       "",
-		"renewable":      false,
-		"lease_duration": json.Number("0"),
-		"data":           nil,
-		"mount_type":     "token",
-		"wrap_info":      nil,
-		"auth": map[string]interface{}{
-			"policies":        []interface{}{"root"},
-			"token_policies":  []interface{}{"root"},
-			"metadata":        nil,
-			"lease_duration":  json.Number("0"),
-			"renewable":       false,
-			"entity_id":       "",
-			"token_type":      "service",
-			"orphan":          false,
-			"mfa_requirement": nil,
-			"num_uses":        json.Number("0"),
-		},
-	}
-	testResponseStatus(t, resp, 200)
-	testResponseBody(t, resp, &actual)
-	delete(actual["auth"].(map[string]interface{}), "client_token")
-	delete(actual["auth"].(map[string]interface{}), "accessor")
-	delete(actual, "warnings")
-	expected["request_id"] = actual["request_id"]
-	if !reflect.DeepEqual(actual, expected) {
-		t.Fatalf("bad:\nexpected:\n%#v\nactual:\n%#v", expected, actual)
-	}
-}
-
-func TestLogical_RawHTTP(t *testing.T) {
-	core, _, token := vault.TestCoreUnsealed(t)
-	ln, addr := TestServer(t, core)
-	defer ln.Close()
-	TestServerAuth(t, addr, token)
-
-	resp := testHttpPost(t, token, addr+"/v1/sys/mounts/foo", map[string]interface{}{
-		"type": "http",
-	})
-	testResponseStatus(t, resp, 204)
-
-	// Get the raw response
-	resp = testHttpGet(t, token, addr+"/v1/foo/raw")
-	testResponseStatus(t, resp, 200)
-
-	// Test the headers
-	if resp.Header.Get("Content-Type") != "plain/text" {
-		t.Fatalf("Bad: %#v", resp.Header)
-	}
-
-	// Get the body
-	body := new(bytes.Buffer)
-	io.Copy(body, resp.Body)
-	if string(body.Bytes()) != "hello world" {
-		t.Fatalf("Bad: %s", body.Bytes())
-	}
-}
-
-func TestLogical_RequestSizeLimit(t *testing.T) {
-	core, _, token := vault.TestCoreUnsealed(t)
-	ln, addr := TestServer(t, core)
-	defer ln.Close()
-	TestServerAuth(t, addr, token)
-
-	// Write a very large object, should fail. This test works because Go will
-	// convert the byte slice to base64, which makes it significantly larger
-	// than the default max request size.
-	resp := testHttpPut(t, token, addr+"/v1/secret/foo", map[string]interface{}{
-		"data": make([]byte, DefaultMaxRequestSize),
-	})
-	testResponseStatus(t, resp, http.StatusRequestEntityTooLarge)
-}
-
-func TestLogical_RequestSizeDisableLimit(t *testing.T) {
-	core, _, token := vault.TestCoreUnsealed(t)
-	ln, addr := TestListener(t)
-	props := &vault.HandlerProperties{
-		Core: core,
-		ListenerConfig: &configutil.Listener{
-			MaxRequestSize: -1,
-			Address:        "127.0.0.1",
-			TLSDisable:     true,
-		},
-	}
-	TestServerWithListenerAndProperties(t, ln, addr, core, props)
-
-	defer ln.Close()
-	TestServerAuth(t, addr, token)
-
-	// Write a very large object, should pass as MaxRequestSize set to -1/Negative value
-
-	resp := testHttpPut(t, token, addr+"/v1/secret/foo", map[string]interface{}{
-		"data": make([]byte, DefaultMaxRequestSize),
-	})
-	testResponseStatus(t, resp, http.StatusNoContent)
-}
-
-func TestLogical_ListSuffix(t *testing.T) {
-	core, _, rootToken := vault.TestCoreUnsealed(t)
-	req, _ := http.NewRequest("GET", "http://127.0.0.1:8200/v1/secret/foo", nil)
-	req = req.WithContext(namespace.RootContext(nil))
-	req.Header.Add(consts.AuthHeaderName, rootToken)
-
-	lreq, _, status, err := buildLogicalRequest(core, nil, req)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if status != 0 {
-		t.Fatalf("got status %d", status)
-	}
-	if strings.HasSuffix(lreq.Path, "/") {
-		t.Fatal("trailing slash found on path")
-	}
-
-	req, _ = http.NewRequest("GET", "http://127.0.0.1:8200/v1/secret/foo?list=true", nil)
-	req = req.WithContext(namespace.RootContext(nil))
-	req.Header.Add(consts.AuthHeaderName, rootToken)
-
-	lreq, _, status, err = buildLogicalRequest(core, nil, req)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if status != 0 {
-		t.Fatalf("got status %d", status)
-	}
-	if !strings.HasSuffix(lreq.Path, "/") {
-		t.Fatal("trailing slash not found on path")
-	}
-
-	req, _ = http.NewRequest("LIST", "http://127.0.0.1:8200/v1/secret/foo", nil)
-	req = req.WithContext(namespace.RootContext(nil))
-	req.Header.Add(consts.AuthHeaderName, rootToken)
-
-	_, _, status, err = buildLogicalRequestNoAuth(core.PerfStandby(), core.RouterAccess(), nil, req)
-	if err != nil || status != 0 {
-		t.Fatal(err)
-	}
-
-	lreq, _, status, err = buildLogicalRequest(core, nil, req)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if status != 0 {
-		t.Fatalf("got status %d", status)
-	}
-	if !strings.HasSuffix(lreq.Path, "/") {
-		t.Fatal("trailing slash not found on path")
-	}
-}
-
-// TestLogical_BinaryPath tests the legacy behavior passing in binary data to a
-// path that isn't explicitly marked by a plugin as a binary path to fail, along
-// with making sure we pass through when marked as a binary path
-func TestLogical_BinaryPath(t *testing.T) {
-	t.Parallel()
-
-	testHandler := func(ctx context.Context, l *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-		return nil, nil
-	}
-	operations := map[logical.Operation]framework.OperationHandler{
-		logical.PatchOperation:  &framework.PathOperation{Callback: testHandler},
-		logical.UpdateOperation: &framework.PathOperation{Callback: testHandler},
-	}
-
-	conf := &vault.CoreConfig{
-		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
-		LogicalBackends: map[string]logical.Factory{
-			"bintest": func(ctx context.Context, config *logical.BackendConfig) (logical.Backend, error) {
-				b := new(framework.Backend)
-				b.BackendType = logical.TypeLogical
-				b.Paths = []*framework.Path{
-					{Pattern: "binary", Operations: operations},
-					{Pattern: "binary/" + framework.MatchAllRegex("test"), Operations: operations},
-				}
-				b.PathsSpecial = &logical.Paths{Binary: []string{"binary", "binary/*"}}
-				err := b.Setup(ctx, config)
-				return b, err
-			},
-		},
-	}
-
-	core, _, token := vault.TestCoreUnsealedWithConfig(t, conf)
-	ln, addr := TestServer(t, core)
-	defer ln.Close()
-	TestServerAuth(t, addr, token)
-
-	mountReq := &logical.Request{
-		Operation:   logical.UpdateOperation,
-		ClientToken: token,
-		Path:        "sys/mounts/bintest",
-		Data: map[string]interface{}{
-			"type": "bintest",
-		},
-	}
-	mountResp, err := core.HandleRequest(namespace.RootContext(nil), mountReq)
-	if err != nil {
-		t.Fatalf("failed mounting bin-test engine: %v", err)
-	}
-	if mountResp.IsError() {
-		t.Fatalf("failed mounting bin-test error in response: %v", mountResp.Error())
-	}
-
-	tests := []struct {
-		name           string
-		op             string
-		url            string
-		expectedReturn int
-	}{
-		{name: "PUT non-binary", op: "PUT", url: addr + "/v1/bintest/non-binary", expectedReturn: http.StatusBadRequest},
-		{name: "POST non-binary", op: "POST", url: addr + "/v1/bintest/non-binary", expectedReturn: http.StatusBadRequest},
-		{name: "PUT binary", op: "PUT", url: addr + "/v1/bintest/binary", expectedReturn: http.StatusNoContent},
-		{name: "POST binary", op: "POST", url: addr + "/v1/bintest/binary/sub-path", expectedReturn: http.StatusNoContent},
-	}
-	for _, test := range tests {
-		t.Run(test.name, func(st *testing.T) {
-			var resp *http.Response
-			switch test.op {
-			case "PUT":
-				resp = testHttpPutBinaryData(st, token, test.url, make([]byte, 100))
-			case "POST":
-				resp = testHttpPostBinaryData(st, token, test.url, make([]byte, 100))
-			default:
-				t.Fatalf("unsupported operation: %s", test.op)
-			}
-			testResponseStatus(st, resp, test.expectedReturn)
-			if test.expectedReturn != http.StatusNoContent {
-				all, err := io.ReadAll(resp.Body)
-				if err != nil {
-					st.Fatalf("failed reading error response body: %v", err)
-				}
-				if !strings.Contains(string(all), "error parsing JSON") {
-					st.Fatalf("error response body did not contain expected error: %v", all)
-				}
-			}
-		})
-	}
-}
-
-func TestLogical_ListWithQueryParameters(t *testing.T) {
-	core, _, rootToken := vault.TestCoreUnsealed(t)
-
-	tests := []struct {
-		name          string
-		requestMethod string
-		url           string
-		expectedData  map[string]interface{}
-	}{
-		{
-			name:          "LIST request method parses query parameter",
-			requestMethod: "LIST",
-			url:           "http://127.0.0.1:8200/v1/secret/foo?key1=value1",
-			expectedData: map[string]interface{}{
-				"key1": "value1",
-			},
-		},
-		{
-			name:          "LIST request method parses query multiple parameters",
-			requestMethod: "LIST",
-			url:           "http://127.0.0.1:8200/v1/secret/foo?key1=value1&key2=value2",
-			expectedData: map[string]interface{}{
-				"key1": "value1",
-				"key2": "value2",
-			},
-		},
-		{
-			name:          "GET request method with list=true parses query parameter",
-			requestMethod: "GET",
-			url:           "http://127.0.0.1:8200/v1/secret/foo?list=true&key1=value1",
-			expectedData: map[string]interface{}{
-				"key1": "value1",
-			},
-		},
-		{
-			name:          "GET request method with list=true parses multiple query parameters",
-			requestMethod: "GET",
-			url:           "http://127.0.0.1:8200/v1/secret/foo?list=true&key1=value1&key2=value2",
-			expectedData: map[string]interface{}{
-				"key1": "value1",
-				"key2": "value2",
-			},
-		},
-		{
-			name:          "GET request method with alternate order list=true parses multiple query parameters",
-			requestMethod: "GET",
-			url:           "http://127.0.0.1:8200/v1/secret/foo?key1=value1&list=true&key2=value2",
-			expectedData: map[string]interface{}{
-				"key1": "value1",
-				"key2": "value2",
-			},
-		},
-	}
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			req, _ := http.NewRequest(tc.requestMethod, tc.url, nil)
-			req = req.WithContext(namespace.RootContext(nil))
-			req.Header.Add(consts.AuthHeaderName, rootToken)
-
-			lreq, _, status, err := buildLogicalRequest(core, nil, req)
-			if err != nil {
-				t.Fatal(err)
-			}
-			if status != 0 {
-				t.Fatalf("got status %d", status)
-			}
-			if !strings.HasSuffix(lreq.Path, "/") {
-				t.Fatal("trailing slash not found on path")
-			}
-			if lreq.Operation != logical.ListOperation {
-				t.Fatalf("expected logical.ListOperation, got %v", lreq.Operation)
-			}
-			if !reflect.DeepEqual(tc.expectedData, lreq.Data) {
-				t.Fatalf("expected query parameter data %v, got %v", tc.expectedData, lreq.Data)
-			}
-		})
-	}
-}
-
-func TestLogical_RespondWithStatusCode(t *testing.T) {
-	resp := &logical.Response{
-		Data: map[string]interface{}{
-			"test-data": "foo",
-		},
-	}
-
-	resp404, err := logical.RespondWithStatusCode(resp, &logical.Request{ID: "id"}, http.StatusNotFound)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	w := httptest.NewRecorder()
-	respondLogical(nil, w, nil, nil, resp404, false)
-
-	if w.Code != 404 {
-		t.Fatalf("Bad Status code: %d", w.Code)
-	}
-
-	bodyRaw, err := io.ReadAll(w.Body)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	expected := `{"request_id":"id","lease_id":"","renewable":false,"lease_duration":0,"data":{"test-data":"foo"},"wrap_info":null,"warnings":null,"auth":null,"mount_type":""}`
+var (
+	_ cli.Command             = (*OperatorKeyStatusCommand)(nil)
+	_ cli.CommandAutocomplete = (*OperatorKeyStatusCommand)(nil)
+)
 
-	if string(bodyRaw[:]) != strings.Trim(expected, "\n") {
-		t.Fatalf("bad response: %s", string(bodyRaw[:]))
-	}
+type OperatorKeyStatusCommand struct {
+	*BaseCommand
 }
 
-func TestLogical_Audit_invalidWrappingToken(t *testing.T) {
-	t.Setenv("VAULT_AUDIT_DISABLE_EVENTLOGGER", "true")
-
-	// Create a noop audit backend
-	noop := corehelpers.TestNoopAudit(t, nil)
-	c, _, root := vault.TestCoreUnsealedWithConfig(t, &vault.CoreConfig{
-		AuditBackends: map[string]audit.Factory{
-			"noop": func(ctx context.Context, config *audit.BackendConfig, _ bool, _ audit.HeaderFormatter) (audit.Backend, error) {
-				return noop, nil
-			},
-		},
-	})
-	ln, addr := TestServer(t, c)
-	defer ln.Close()
-
-	// Enable the audit backend
-
-	resp := testHttpPost(t, root, addr+"/v1/sys/audit/noop", map[string]interface{}{
-		"type": "noop",
-	})
-	testResponseStatus(t, resp, 204)
-
-	{
-		// Make a wrapping/unwrap request with an invalid token
-		resp := testHttpPost(t, root, addr+"/v1/sys/wrapping/unwrap", map[string]interface{}{
-			"token": "foo",
-		})
-		testResponseStatus(t, resp, 400)
-		body := map[string][]string{}
-		testResponseBody(t, resp, &body)
-		if body["errors"][0] != "wrapping token is not valid or does not exist" {
-			t.Fatal(body)
-		}
-
-		// Check the audit trail on request and response
-		if len(noop.ReqAuth) != 1 {
-			t.Fatalf("bad: %#v", noop)
-		}
-		auth := noop.ReqAuth[0]
-		if auth.ClientToken != root {
-			t.Fatalf("bad client token: %#v", auth)
-		}
-		if len(noop.Req) != 1 || noop.Req[0].Path != "sys/wrapping/unwrap" {
-			t.Fatalf("bad:\ngot:\n%#v", noop.Req[0])
-		}
-
-		if len(noop.ReqErrs) != 1 {
-			t.Fatalf("bad: %#v", noop.RespErrs)
-		}
-		if noop.ReqErrs[0] != consts.ErrInvalidWrappingToken {
-			t.Fatalf("bad: %#v", noop.ReqErrs)
-		}
-	}
-
-	{
-		resp := testHttpPostWrapped(t, root, addr+"/v1/auth/token/create", nil, 10*time.Second)
-		testResponseStatus(t, resp, 200)
-		body := map[string]interface{}{}
-		testResponseBody(t, resp, &body)
-
-		wrapToken := body["wrap_info"].(map[string]interface{})["token"].(string)
-
-		// Make a wrapping/unwrap request with an invalid token
-		resp = testHttpPost(t, root, addr+"/v1/sys/wrapping/unwrap", map[string]interface{}{
-			"token": wrapToken,
-		})
-		testResponseStatus(t, resp, 200)
-
-		// Check the audit trail on request and response
-		if len(noop.ReqAuth) != 3 {
-			t.Fatalf("bad: %#v", noop)
-		}
-		auth := noop.ReqAuth[2]
-		if auth.ClientToken != root {
-			t.Fatalf("bad client token: %#v", auth)
-		}
-		if len(noop.Req) != 3 || noop.Req[2].Path != "sys/wrapping/unwrap" {
-			t.Fatalf("bad:\ngot:\n%#v", noop.Req[2])
-		}
-
-		// Make sure there is only one error in the logs
-		if noop.ReqErrs[1] != nil || noop.ReqErrs[2] != nil {
-			t.Fatalf("bad: %#v", noop.RespErrs)
-		}
-	}
+func (c *OperatorKeyStatusCommand) Synopsis() string {
+	return "Provides information about the active encryption key"
 }
 
-func TestLogical_ShouldParseForm(t *testing.T) {
-	const formCT = "application/x-www-form-urlencoded"
+func (c *OperatorKeyStatusCommand) Help() string {
+	helpText := `
+Usage: vault operator key-status [options]
 
-	tests := map[string]struct {
-		prefix      string
-		contentType string
-		isForm      bool
-	}{
-		"JSON":                 {`{"a":42}`, formCT, false},
-		"JSON 2":               {`[42]`, formCT, false},
-		"JSON w/leading space": {"   \n\n\r\t  [42]  ", formCT, false},
-		"Form":                 {"a=42&b=dog", formCT, true},
-		"Form w/wrong CT":      {"a=42&b=dog", "application/json", false},
-	}
+  Provides information about the active encryption key. Specifically,
+  the current key term and the key installation time.
 
-	for name, test := range tests {
-		isForm := isForm([]byte(test.prefix), test.contentType)
+` + c.Flags().Help()
 
-		if isForm != test.isForm {
-			t.Fatalf("%s fail: expected isForm %t, got %t", name, test.isForm, isForm)
-		}
-	}
+	return strings.TrimSpace(helpText)
 }
 
-func TestLogical_AuditPort(t *testing.T) {
-	coreConfig := &vault.CoreConfig{
-		LogicalBackends: map[string]logical.Factory{
-			"kv": kv.VersionedKVFactory,
-		},
-		AuditBackends: map[string]audit.Factory{
-			"file": auditFile.Factory,
-		},
-	}
-
-	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
-		HandlerFunc: Handler,
-	})
-
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	cores := cluster.Cores
-
-	core := cores[0].Core
-	c := cluster.Cores[0].Client
-	vault.TestWaitActive(t, core)
-
-	if err := c.Sys().Mount("kv/", &api.MountInput{
-		Type: "kv-v2",
-	}); err != nil {
-		t.Fatalf("kv-v2 mount attempt failed - err: %#v\n", err)
-	}
-
-	auditLogFile, err := ioutil.TempFile("", "auditport")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = c.Sys().EnableAuditWithOptions("file", &api.EnableAuditOptions{
-		Type: "file",
-		Options: map[string]string{
-			"file_path": auditLogFile.Name(),
-		},
-	})
-	if err != nil {
-		t.Fatalf("failed to enable audit file, err: %#v\n", err)
-	}
-
-	writeData := map[string]interface{}{
-		"data": map[string]interface{}{
-			"bar": "a",
-		},
-	}
-
-	// workaround kv-v2 initialization upgrade errors
-	numFailures := 0
-	corehelpers.RetryUntil(t, 10*time.Second, func() error {
-		resp, err := c.Logical().Write("kv/data/foo", writeData)
-		if err != nil {
-			if strings.Contains(err.Error(), "Upgrading from non-versioned to versioned data") {
-				t.Logf("Retrying fetch KV data due to upgrade error")
-				time.Sleep(100 * time.Millisecond)
-				numFailures += 1
-				return err
-			}
-
-			t.Fatalf("write request failed, err: %#v, resp: %#v\n", err, resp)
-		}
-
-		return nil
-	})
-
-	decoder := json.NewDecoder(auditLogFile)
-
-	var auditRecord map[string]interface{}
-	count := 0
-	for decoder.Decode(&auditRecord) == nil {
-		count += 1
-
-		// Skip the first line
-		if count == 1 {
-			continue
-		}
-
-		auditRequest := map[string]interface{}{}
-
-		if req, ok := auditRecord["request"]; ok {
-			auditRequest = req.(map[string]interface{})
-		}
-
-		if _, ok := auditRequest["remote_address"].(string); !ok {
-			t.Fatalf("remote_address should be a string, not %T", auditRequest["remote_address"])
-		}
-
-		if _, ok := auditRequest["remote_port"].(float64); !ok {
-			t.Fatalf("remote_port should be a number, not %T", auditRequest["remote_port"])
-		}
-	}
-
-	// We expect the following items in the audit log:
-	// audit log header + an entry for updating sys/audit/file
-	// + request/response per failure (if any) + request/response for creating kv
-	numExpectedEntries := (numFailures * 2) + 4
-	if count != numExpectedEntries {
-		t.Fatalf("wrong number of audit entries expected: %d got: %d", numExpectedEntries, count)
-	}
+func (c *OperatorKeyStatusCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
 }
 
-func TestLogical_ErrRelativePath(t *testing.T) {
-	coreConfig := &vault.CoreConfig{
-		CredentialBackends: map[string]logical.Factory{
-			"userpass": credUserpass.Factory,
-		},
-	}
-
-	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
-		HandlerFunc: Handler,
-	})
-
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	cores := cluster.Cores
-
-	core := cores[0].Core
-	c := cluster.Cores[0].Client
-	vault.TestWaitActive(t, core)
-
-	err := c.Sys().EnableAuthWithOptions("userpass", &api.EnableAuthOptions{
-		Type: "userpass",
-	})
-	if err != nil {
-		t.Fatalf("failed to enable userpass, err: %v", err)
-	}
-
-	resp, err := c.Logical().Read("auth/userpass/users/user..aaa")
-
-	if err == nil || resp != nil {
-		t.Fatalf("expected read request to fail, resp: %#v, err: %v", resp, err)
-	}
-
-	respErr, ok := err.(*api.ResponseError)
-
-	if !ok {
-		t.Fatalf("unexpected error type, err: %#v", err)
-	}
-
-	if respErr.StatusCode != 400 {
-		t.Errorf("expected 400 response for read, actual: %d", respErr.StatusCode)
-	}
-
-	if !strings.Contains(respErr.Error(), logical.ErrRelativePath.Error()) {
-		t.Errorf("expected response for read to include %q", logical.ErrRelativePath.Error())
-	}
-
-	data := map[string]interface{}{
-		"password": "abc123",
-	}
-
-	resp, err = c.Logical().Write("auth/userpass/users/user..aaa", data)
-
-	if err == nil || resp != nil {
-		t.Fatalf("expected write request to fail, resp: %#v, err: %v", resp, err)
-	}
-
-	respErr, ok = err.(*api.ResponseError)
-
-	if !ok {
-		t.Fatalf("unexpected error type, err: %#v", err)
-	}
-
-	if respErr.StatusCode != 400 {
-		t.Errorf("expected 400 response for write, actual: %d", respErr.StatusCode)
-	}
-
-	if !strings.Contains(respErr.Error(), logical.ErrRelativePath.Error()) {
-		t.Errorf("expected response for write to include %q", logical.ErrRelativePath.Error())
-	}
+func (c *OperatorKeyStatusCommand) AutocompleteArgs() complete.Predictor {
+	return nil
 }
 
-func testBuiltinPluginMetadataAuditLog(t *testing.T, log map[string]interface{}, expectedMountClass string) {
-	if mountClass, ok := log["mount_class"].(string); !ok {
-		t.Fatalf("mount_class should be a string, not %T", log["mount_class"])
-	} else if mountClass != expectedMountClass {
-		t.Fatalf("bad: mount_class should be %s, not %s", expectedMountClass, mountClass)
-	}
-
-	if _, ok := log["mount_running_version"].(string); !ok {
-		t.Fatalf("mount_running_version should be a string, not %T", log["mount_running_version"])
-	}
-
-	if _, ok := log["mount_running_sha256"].(string); ok {
-		t.Fatalf("mount_running_sha256 should be nil, not %T", log["mount_running_sha256"])
-	}
-
-	if mountIsExternalPlugin, ok := log["mount_is_external_plugin"].(bool); ok && mountIsExternalPlugin {
-		t.Fatalf("mount_is_external_plugin should be nil or false, not %T", log["mount_is_external_plugin"])
-	}
+func (c *OperatorKeyStatusCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
 }
 
-// TestLogical_AuditEnabled_ShouldLogPluginMetadata_Auth tests that we have plugin metadata of a builtin auth plugin
-// in audit log when it is enabled
-func TestLogical_AuditEnabled_ShouldLogPluginMetadata_Auth(t *testing.T) {
-	coreConfig := &vault.CoreConfig{
-		AuditBackends: map[string]audit.Factory{
-			"file": auditFile.Factory,
-		},
-	}
-
-	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
-		HandlerFunc: Handler,
-	})
-
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	cores := cluster.Cores
-
-	core := cores[0].Core
-	c := cluster.Cores[0].Client
-	vault.TestWaitActive(t, core)
+func (c *OperatorKeyStatusCommand) Run(args []string) int {
+	f := c.Flags()
 
-	// Enable the audit backend
-	tempDir := t.TempDir()
-	auditLogFile, err := os.CreateTemp(tempDir, "")
-	if err != nil {
-		t.Fatal(err)
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
 	}
 
-	err = c.Sys().EnableAuditWithOptions("file", &api.EnableAuditOptions{
-		Type: "file",
-		Options: map[string]string{
-			"file_path": auditLogFile.Name(),
-		},
-	})
-	if err != nil {
-		t.Fatal(err)
+	args = f.Args()
+	if len(args) > 0 {
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(args)))
+		return 1
 	}
 
-	_, err = c.Logical().Write("auth/token/create", map[string]interface{}{
-		"ttl": "10s",
-	})
+	client, err := c.Client()
 	if err != nil {
-		t.Fatal(err)
+		c.UI.Error(err.Error())
+		return 2
 	}
 
-	// Check the audit trail on request and response
-	decoder := json.NewDecoder(auditLogFile)
-	var auditRecord map[string]interface{}
-	for decoder.Decode(&auditRecord) == nil {
-		auditRequest := map[string]interface{}{}
-		if req, ok := auditRecord["request"]; ok {
-			auditRequest = req.(map[string]interface{})
-			if auditRequest["path"] != "auth/token/create" {
-				continue
-			}
-		}
-		testBuiltinPluginMetadataAuditLog(t, auditRequest, consts.PluginTypeCredential.String())
-
-		auditResponse := map[string]interface{}{}
-		if req, ok := auditRecord["response"]; ok {
-			auditRequest = req.(map[string]interface{})
-			if auditResponse["path"] != "auth/token/create" {
-				continue
-			}
-		}
-		testBuiltinPluginMetadataAuditLog(t, auditResponse, consts.PluginTypeCredential.String())
-	}
-}
-
-// TestLogical_AuditEnabled_ShouldLogPluginMetadata_Secret tests that we have plugin metadata of a builtin secret plugin
-// in audit log when it is enabled
-func TestLogical_AuditEnabled_ShouldLogPluginMetadata_Secret(t *testing.T) {
-	coreConfig := &vault.CoreConfig{
-		LogicalBackends: map[string]logical.Factory{
-			"kv": kv.VersionedKVFactory,
-		},
-		AuditBackends: map[string]audit.Factory{
-			"file": auditFile.Factory,
-		},
-	}
-
-	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
-		HandlerFunc: Handler,
-	})
-
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	cores := cluster.Cores
-
-	core := cores[0].Core
-	c := cluster.Cores[0].Client
-	vault.TestWaitActive(t, core)
-
-	if err := c.Sys().Mount("kv/", &api.MountInput{
-		Type: "kv-v2",
-	}); err != nil {
-		t.Fatalf("kv-v2 mount attempt failed - err: %#v\n", err)
-	}
-
-	// Enable the audit backend
-	tempDir := t.TempDir()
-	auditLogFile, err := os.CreateTemp(tempDir, "")
+	status, err := client.Sys().KeyStatus()
 	if err != nil {
-		t.Fatal(err)
+		c.UI.Error(fmt.Sprintf("Error reading key status: %s", err))
+		return 2
 	}
 
-	err = c.Sys().EnableAuditWithOptions("file", &api.EnableAuditOptions{
-		Type: "file",
-		Options: map[string]string{
-			"file_path": auditLogFile.Name(),
-		},
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	{
-		writeData := map[string]interface{}{
-			"data": map[string]interface{}{
-				"bar": "a",
-			},
-		}
-		corehelpers.RetryUntil(t, 10*time.Second, func() error {
-			resp, err := c.Logical().Write("kv/data/foo", writeData)
-			if err != nil {
-				t.Fatalf("write request failed, err: %#v, resp: %#v\n", err, resp)
-			}
-			return nil
-		})
-	}
-
-	// Check the audit trail on request and response
-	decoder := json.NewDecoder(auditLogFile)
-	var auditRecord map[string]interface{}
-	for decoder.Decode(&auditRecord) == nil {
-		auditRequest := map[string]interface{}{}
-		if req, ok := auditRecord["request"]; ok {
-			auditRequest = req.(map[string]interface{})
-			if auditRequest["path"] != "kv/data/foo" {
-				continue
-			}
-		}
-		testBuiltinPluginMetadataAuditLog(t, auditRequest, consts.PluginTypeSecrets.String())
-
-		auditResponse := map[string]interface{}{}
-		if req, ok := auditRecord["response"]; ok {
-			auditRequest = req.(map[string]interface{})
-			if auditResponse["path"] != "kv/data/foo" {
-				continue
-			}
-		}
-		testBuiltinPluginMetadataAuditLog(t, auditResponse, consts.PluginTypeSecrets.String())
+	switch Format(c.UI) {
+	case "table":
+		c.UI.Output(printKeyStatus(status))
+		return 0
+	default:
+		return OutputData(c.UI, status)
 	}
 }
diff --git a/http/sys_health.go b/http/sys_health.go
index d0c4362a8ab6..ccaac3883081 100644
--- a/http/sys_health.go
+++ b/http/sys_health.go
@@ -1,252 +1,117 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package http
+package command
 
 import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"strconv"
-	"time"
-
-	"github.com/hashicorp/go-secure-stdlib/parseutil"
-	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/hashicorp/vault/vault"
-	"github.com/hashicorp/vault/version"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
 )
 
-func handleSysHealth(core *vault.Core, opt ...ListenerConfigOption) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		switch r.Method {
-		case "GET":
-			handleSysHealthGet(core, w, r, opt...)
-		case "HEAD":
-			handleSysHealthHead(core, w, r)
-		default:
-			respondError(w, http.StatusMethodNotAllowed, nil)
-		}
-	})
-}
+func testOperatorKeyStatusCommand(tb testing.TB) (*cli.MockUi, *OperatorKeyStatusCommand) {
+	tb.Helper()
 
-func fetchStatusCode(r *http.Request, field string) (int, bool, bool) {
-	var err error
-	statusCode := http.StatusOK
-	if statusCodeStr, statusCodeOk := r.URL.Query()[field]; statusCodeOk {
-		statusCode, err = strconv.Atoi(statusCodeStr[0])
-		if err != nil || len(statusCodeStr) < 1 {
-			return http.StatusBadRequest, false, false
-		}
-		return statusCode, true, true
+	ui := cli.NewMockUi()
+	return ui, &OperatorKeyStatusCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
 	}
-	return statusCode, false, true
 }
 
-func handleSysHealthGet(core *vault.Core, w http.ResponseWriter, r *http.Request, opt ...ListenerConfigOption) {
-	code, body, err := getSysHealth(core, r)
-	if err != nil {
-		core.Logger().Error("error checking health", "error", err)
-		respondError(w, code, nil)
-		return
-	}
-
-	if body == nil {
-		respondError(w, code, nil)
-		return
-	}
-
-	opts, err := getOpts(opt...)
+func TestOperatorKeyStatusCommand_Run(t *testing.T) {
+	t.Parallel()
 
-	if opts.withRedactVersion {
-		body.Version = opts.withRedactionValue
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"too_many_args",
+			[]string{"foo", "bar"},
+			"Too many arguments",
+			1,
+		},
 	}
 
-	if opts.withRedactClusterName {
-		body.ClusterName = opts.withRedactionValue
-	}
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
 
-	w.Header().Set("Content-Type", "application/json")
-	w.WriteHeader(code)
+		for _, tc := range cases {
+			tc := tc
 
-	// Generate the response
-	enc := json.NewEncoder(w)
-	enc.Encode(body)
-}
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
 
-func handleSysHealthHead(core *vault.Core, w http.ResponseWriter, r *http.Request) {
-	code, body, _ := getSysHealth(core, r)
+				client, closer := testVaultServer(t)
+				defer closer()
 
-	if body != nil {
-		w.Header().Set("Content-Type", "application/json")
-	}
-	w.WriteHeader(code)
-}
+				ui, cmd := testOperatorKeyStatusCommand(t)
+				cmd.client = client
 
-func getSysHealth(core *vault.Core, r *http.Request) (int, *HealthResponse, error) {
-	var err error
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
 
-	// Check if being a standby is allowed for the purpose of a 200 OK
-	standbyOKStr, standbyOK := r.URL.Query()["standbyok"]
-	if standbyOK {
-		standbyOK, err = parseutil.ParseBool(standbyOKStr[0])
-		if err != nil {
-			return http.StatusBadRequest, nil, fmt.Errorf("bad value for standbyok parameter: %w", err)
-		}
-	}
-	perfStandbyOKStr, perfStandbyOK := r.URL.Query()["perfstandbyok"]
-	if perfStandbyOK {
-		perfStandbyOK, err = parseutil.ParseBool(perfStandbyOKStr[0])
-		if err != nil {
-			return http.StatusBadRequest, nil, fmt.Errorf("bad value for perfstandbyok parameter: %w", err)
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
 		}
-	}
-
-	uninitCode := http.StatusNotImplemented
-	if code, found, ok := fetchStatusCode(r, "uninitcode"); !ok {
-		return http.StatusBadRequest, nil, nil
-	} else if found {
-		uninitCode = code
-	}
-
-	sealedCode := http.StatusServiceUnavailable
-	if code, found, ok := fetchStatusCode(r, "sealedcode"); !ok {
-		return http.StatusBadRequest, nil, nil
-	} else if found {
-		sealedCode = code
-	}
-
-	standbyCode := http.StatusTooManyRequests // Consul warning code
-	if code, found, ok := fetchStatusCode(r, "standbycode"); !ok {
-		return http.StatusBadRequest, nil, nil
-	} else if found {
-		standbyCode = code
-	}
-
-	activeCode := http.StatusOK
-	if code, found, ok := fetchStatusCode(r, "activecode"); !ok {
-		return http.StatusBadRequest, nil, nil
-	} else if found {
-		activeCode = code
-	}
-
-	drSecondaryCode := 472 // unofficial 4xx status code
-	if code, found, ok := fetchStatusCode(r, "drsecondarycode"); !ok {
-		return http.StatusBadRequest, nil, nil
-	} else if found {
-		drSecondaryCode = code
-	}
-
-	perfStandbyCode := 473 // unofficial 4xx status code
-	if code, found, ok := fetchStatusCode(r, "performancestandbycode"); !ok {
-		return http.StatusBadRequest, nil, nil
-	} else if found {
-		perfStandbyCode = code
-	}
+	})
 
-	ctx := context.Background()
+	t.Run("integration", func(t *testing.T) {
+		t.Parallel()
 
-	// Check system status
-	sealed := core.Sealed()
-	standby, perfStandby := core.StandbyStates()
-	var replicationState consts.ReplicationState
-	if standby {
-		replicationState = core.ActiveNodeReplicationState()
-	} else {
-		replicationState = core.ReplicationState()
-	}
+		client, closer := testVaultServer(t)
+		defer closer()
 
-	init, err := core.Initialized(ctx)
-	if err != nil {
-		return http.StatusInternalServerError, nil, err
-	}
+		ui, cmd := testOperatorKeyStatusCommand(t)
+		cmd.client = client
 
-	// Determine the status code
-	code := activeCode
-	switch {
-	case !init:
-		code = uninitCode
-	case sealed:
-		code = sealedCode
-	case replicationState.HasState(consts.ReplicationDRSecondary):
-		code = drSecondaryCode
-	case perfStandby:
-		if !perfStandbyOK {
-			code = perfStandbyCode
-		}
-	case standby:
-		if !standbyOK {
-			code = standbyCode
+		code := cmd.Run([]string{})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
 		}
-	}
 
-	// Fetch the local cluster name and identifier
-	var clusterName, clusterID string
-	if !sealed {
-		cluster, err := core.Cluster(ctx)
-		if err != nil {
-			return http.StatusInternalServerError, nil, err
+		expected := "Key Term"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
 		}
-		if cluster == nil {
-			return http.StatusInternalServerError, nil, fmt.Errorf("failed to fetch cluster details")
-		}
-		clusterName = cluster.Name
-		clusterID = cluster.ID
-	}
+	})
 
-	// Format the body
-	body := &HealthResponse{
-		Initialized:                init,
-		Sealed:                     sealed,
-		Standby:                    standby,
-		PerformanceStandby:         perfStandby,
-		ReplicationPerformanceMode: replicationState.GetPerformanceString(),
-		ReplicationDRMode:          replicationState.GetDRString(),
-		ServerTimeUTC:              time.Now().UTC().Unix(),
-		Version:                    version.GetVersion().VersionNumber(),
-		ClusterName:                clusterName,
-		ClusterID:                  clusterID,
-	}
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
 
-	licenseState, err := core.EntGetLicenseState()
-	if err != nil {
-		return http.StatusInternalServerError, nil, err
-	}
+		client, closer := testVaultServerBad(t)
+		defer closer()
 
-	if licenseState != nil {
-		body.License = &HealthResponseLicense{
-			State:      licenseState.State,
-			Terminated: licenseState.Terminated,
-		}
-		if !licenseState.ExpiryTime.IsZero() {
-			body.License.ExpiryTime = licenseState.ExpiryTime.Format(time.RFC3339)
-		}
-	}
+		ui, cmd := testOperatorKeyStatusCommand(t)
+		cmd.client = client
 
-	if init && !sealed && !standby {
-		body.LastWAL = core.EntLastWAL()
-	}
+		code := cmd.Run([]string{})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
 
-	return code, body, nil
-}
+		expected := "Error reading key status: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
 
-type HealthResponseLicense struct {
-	State      string `json:"state"`
-	ExpiryTime string `json:"expiry_time"`
-	Terminated bool   `json:"terminated"`
-}
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
 
-type HealthResponse struct {
-	Initialized                bool                   `json:"initialized"`
-	Sealed                     bool                   `json:"sealed"`
-	Standby                    bool                   `json:"standby"`
-	PerformanceStandby         bool                   `json:"performance_standby"`
-	ReplicationPerformanceMode string                 `json:"replication_performance_mode"`
-	ReplicationDRMode          string                 `json:"replication_dr_mode"`
-	ServerTimeUTC              int64                  `json:"server_time_utc"`
-	Version                    string                 `json:"version"`
-	ClusterName                string                 `json:"cluster_name,omitempty"`
-	ClusterID                  string                 `json:"cluster_id,omitempty"`
-	LastWAL                    uint64                 `json:"last_wal,omitempty"`
-	License                    *HealthResponseLicense `json:"license,omitempty"`
+		_, cmd := testOperatorKeyStatusCommand(t)
+		assertNoTabs(t, cmd)
+	})
 }
diff --git a/http/sys_health_test.go b/http/sys_health_test.go
index 48caa6e1ca41..83d7a2d4301e 100644
--- a/http/sys_health_test.go
+++ b/http/sys_health_test.go
@@ -1,281 +1,94 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package http
+package command
 
 import (
-	"io/ioutil"
-	"net/http"
-	"net/url"
-	"reflect"
-	"testing"
+	"fmt"
+	"strings"
+	"time"
 
-	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/hashicorp/vault/vault"
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
 )
 
-func TestSysHealth_get(t *testing.T) {
-	core := vault.TestCore(t)
-	ln, addr := TestServer(t, core)
-	defer ln.Close()
-
-	resp, err := http.Get(addr + "/v1/sys/health")
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-
-	var actual map[string]interface{}
-	expected := map[string]interface{}{
-		"replication_performance_mode": consts.ReplicationUnknown.GetPerformanceString(),
-		"replication_dr_mode":          consts.ReplicationUnknown.GetDRString(),
-		"initialized":                  false,
-		"sealed":                       true,
-		"standby":                      true,
-		"performance_standby":          false,
-	}
-	testResponseStatus(t, resp, 501)
-	testResponseBody(t, resp, &actual)
-	expected["server_time_utc"] = actual["server_time_utc"]
-	expected["version"] = actual["version"]
-	if actual["cluster_name"] == nil {
-		delete(expected, "cluster_name")
-	} else {
-		expected["cluster_name"] = actual["cluster_name"]
-	}
-	if actual["cluster_id"] == nil {
-		delete(expected, "cluster_id")
-	} else {
-		expected["cluster_id"] = actual["cluster_id"]
-	}
-	delete(actual, "license")
-	if !reflect.DeepEqual(actual, expected) {
-		t.Fatalf("bad: expected:%#v\nactual:%#v", expected, actual)
-	}
-
-	keys, _ := vault.TestCoreInit(t, core)
-	resp, err = http.Get(addr + "/v1/sys/health")
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-
-	actual = map[string]interface{}{}
-	expected = map[string]interface{}{
-		"replication_performance_mode": consts.ReplicationUnknown.GetPerformanceString(),
-		"replication_dr_mode":          consts.ReplicationUnknown.GetDRString(),
-		"initialized":                  true,
-		"sealed":                       true,
-		"standby":                      true,
-		"performance_standby":          false,
-	}
-	testResponseStatus(t, resp, 503)
-	testResponseBody(t, resp, &actual)
-	expected["server_time_utc"] = actual["server_time_utc"]
-	expected["version"] = actual["version"]
-	if actual["cluster_name"] == nil {
-		delete(expected, "cluster_name")
-	} else {
-		expected["cluster_name"] = actual["cluster_name"]
-	}
-	if actual["cluster_id"] == nil {
-		delete(expected, "cluster_id")
-	} else {
-		expected["cluster_id"] = actual["cluster_id"]
-	}
-	delete(actual, "license")
-	if !reflect.DeepEqual(actual, expected) {
-		t.Fatalf("bad: expected:%#v\nactual:%#v", expected, actual)
-	}
+var (
+	_ cli.Command             = (*OperatorMembersCommand)(nil)
+	_ cli.CommandAutocomplete = (*OperatorMembersCommand)(nil)
+)
 
-	for _, key := range keys {
-		if _, err := vault.TestCoreUnseal(core, vault.TestKeyCopy(key)); err != nil {
-			t.Fatalf("unseal err: %s", err)
-		}
-	}
-	resp, err = http.Get(addr + "/v1/sys/health")
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
+type OperatorMembersCommand struct {
+	*BaseCommand
+}
 
-	actual = map[string]interface{}{}
-	expected = map[string]interface{}{
-		"replication_performance_mode": consts.ReplicationPerformanceDisabled.GetPerformanceString(),
-		"replication_dr_mode":          consts.ReplicationDRDisabled.GetDRString(),
-		"initialized":                  true,
-		"sealed":                       false,
-		"standby":                      false,
-		"performance_standby":          false,
-	}
-	testResponseStatus(t, resp, 200)
-	testResponseBody(t, resp, &actual)
-	expected["server_time_utc"] = actual["server_time_utc"]
-	expected["version"] = actual["version"]
-	if actual["cluster_name"] == nil {
-		delete(expected, "cluster_name")
-	} else {
-		expected["cluster_name"] = actual["cluster_name"]
-	}
-	if actual["cluster_id"] == nil {
-		delete(expected, "cluster_id")
-	} else {
-		expected["cluster_id"] = actual["cluster_id"]
-	}
-	delete(actual, "license")
-	if !reflect.DeepEqual(actual, expected) {
-		t.Fatalf("bad: expected:%#v\nactual:%#v", expected, actual)
-	}
+func (c *OperatorMembersCommand) Synopsis() string {
+	return "Returns the list of nodes in the cluster"
 }
 
-func TestSysHealth_customcodes(t *testing.T) {
-	core := vault.TestCore(t)
-	ln, addr := TestServer(t, core)
-	defer ln.Close()
+func (c *OperatorMembersCommand) Help() string {
+	helpText := `
+Usage: vault operator members
 
-	queryurl, err := url.Parse(addr + "/v1/sys/health?uninitcode=581&sealedcode=523&activecode=202")
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-	resp, err := http.Get(queryurl.String())
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
+  Provides the details of all the nodes in the cluster.
 
-	var actual map[string]interface{}
-	expected := map[string]interface{}{
-		"replication_performance_mode": consts.ReplicationUnknown.GetPerformanceString(),
-		"replication_dr_mode":          consts.ReplicationUnknown.GetDRString(),
-		"initialized":                  false,
-		"sealed":                       true,
-		"standby":                      true,
-		"performance_standby":          false,
-	}
-	testResponseStatus(t, resp, 581)
-	testResponseBody(t, resp, &actual)
+	  $ vault operator members
 
-	expected["server_time_utc"] = actual["server_time_utc"]
-	expected["version"] = actual["version"]
-	if actual["cluster_name"] == nil {
-		delete(expected, "cluster_name")
-	} else {
-		expected["cluster_name"] = actual["cluster_name"]
-	}
-	if actual["cluster_id"] == nil {
-		delete(expected, "cluster_id")
-	} else {
-		expected["cluster_id"] = actual["cluster_id"]
-	}
-	delete(actual, "license")
-	if !reflect.DeepEqual(actual, expected) {
-		t.Fatalf("bad: expected:%#v\nactual:%#v", expected, actual)
-	}
+` + c.Flags().Help()
 
-	keys, _ := vault.TestCoreInit(t, core)
-	resp, err = http.Get(queryurl.String())
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
+	return strings.TrimSpace(helpText)
+}
 
-	actual = map[string]interface{}{}
-	expected = map[string]interface{}{
-		"replication_performance_mode": consts.ReplicationUnknown.GetPerformanceString(),
-		"replication_dr_mode":          consts.ReplicationUnknown.GetDRString(),
-		"initialized":                  true,
-		"sealed":                       true,
-		"standby":                      true,
-		"performance_standby":          false,
-	}
-	testResponseStatus(t, resp, 523)
-	testResponseBody(t, resp, &actual)
+func (c *OperatorMembersCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
 
-	expected["server_time_utc"] = actual["server_time_utc"]
-	expected["version"] = actual["version"]
-	if actual["cluster_name"] == nil {
-		delete(expected, "cluster_name")
-	} else {
-		expected["cluster_name"] = actual["cluster_name"]
-	}
-	if actual["cluster_id"] == nil {
-		delete(expected, "cluster_id")
-	} else {
-		expected["cluster_id"] = actual["cluster_id"]
-	}
-	delete(actual, "license")
-	if !reflect.DeepEqual(actual, expected) {
-		t.Fatalf("bad: expected:%#v\nactual:%#v", expected, actual)
-	}
+	return set
+}
 
-	for _, key := range keys {
-		if _, err := vault.TestCoreUnseal(core, vault.TestKeyCopy(key)); err != nil {
-			t.Fatalf("unseal err: %s", err)
-		}
-	}
-	resp, err = http.Get(queryurl.String())
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
+func (c *OperatorMembersCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictAnything
+}
 
-	actual = map[string]interface{}{}
-	expected = map[string]interface{}{
-		"replication_performance_mode": consts.ReplicationPerformanceDisabled.GetPerformanceString(),
-		"replication_dr_mode":          consts.ReplicationDRDisabled.GetDRString(),
-		"initialized":                  true,
-		"sealed":                       false,
-		"standby":                      false,
-		"performance_standby":          false,
-	}
-	testResponseStatus(t, resp, 202)
-	testResponseBody(t, resp, &actual)
-	expected["server_time_utc"] = actual["server_time_utc"]
-	expected["version"] = actual["version"]
-	if actual["cluster_name"] == nil {
-		delete(expected, "cluster_name")
-	} else {
-		expected["cluster_name"] = actual["cluster_name"]
-	}
-	if actual["cluster_id"] == nil {
-		delete(expected, "cluster_id")
-	} else {
-		expected["cluster_id"] = actual["cluster_id"]
-	}
-	delete(actual, "license")
-	if !reflect.DeepEqual(actual, expected) {
-		t.Fatalf("bad: expected:%#v\nactual:%#v", expected, actual)
-	}
+func (c *OperatorMembersCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
 }
 
-func TestSysHealth_head(t *testing.T) {
-	core, _, _ := vault.TestCoreUnsealed(t)
-	ln, addr := TestServer(t, core)
-	defer ln.Close()
+func (c *OperatorMembersCommand) Run(args []string) int {
+	f := c.Flags()
 
-	testData := []struct {
-		uri  string
-		code int
-	}{
-		{"", 200},
-		{"?activecode=503", 503},
-		{"?activecode=notacode", 400},
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
 	}
 
-	for _, tt := range testData {
-		queryurl, err := url.Parse(addr + "/v1/sys/health" + tt.uri)
-		if err != nil {
-			t.Fatalf("err on %v: %s", queryurl, err)
-		}
-		resp, err := http.Head(queryurl.String())
-		if err != nil {
-			t.Fatalf("err on %v: %s", queryurl, err)
-		}
-
-		if resp.StatusCode != tt.code {
-			t.Fatalf("HEAD %v expected code %d, got %d.", queryurl, tt.code, resp.StatusCode)
-		}
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
 
-		data, err := ioutil.ReadAll(resp.Body)
-		if err != nil {
-			t.Fatalf("err on %v: %s", queryurl, err)
-		}
-		if len(data) > 0 {
-			t.Fatalf("HEAD %v expected no body, received \"%v\".", queryurl, data)
+	resp, err := client.Sys().HAStatus()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	switch Format(c.UI) {
+	case "table":
+		out := make([]string, 0)
+		cols := []string{"Host Name", "API Address", "Cluster Address", "Active Node", "Version", "Upgrade Version", "Redundancy Zone", "Last Echo"}
+		out = append(out, strings.Join(cols, " | "))
+		for _, node := range resp.Nodes {
+			cols := []string{node.Hostname, node.APIAddress, node.ClusterAddress, fmt.Sprintf("%t", node.ActiveNode), node.Version, node.UpgradeVersion, node.RedundancyZone}
+			if node.LastEcho != nil {
+				cols = append(cols, node.LastEcho.Format(time.RFC3339))
+			} else {
+				cols = append(cols, "")
+			}
+			out = append(out, strings.Join(cols, " | "))
 		}
+		c.UI.Output(tableOutput(out, nil))
+		return 0
+	default:
+		return OutputData(c.UI, resp)
 	}
 }
diff --git a/http/sys_seal.go b/http/sys_seal.go
index 14bfa41b0015..3af73e696382 100644
--- a/http/sys_seal.go
+++ b/http/sys_seal.go
@@ -1,217 +1,426 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package http
+package command
 
 import (
 	"context"
-	"encoding/base64"
-	"encoding/hex"
-	"errors"
-	"net/http"
-
-	"github.com/hashicorp/errwrap"
-	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/hashicorp/vault/sdk/logical"
+	"fmt"
+	"io/ioutil"
+	"math"
+	"net/url"
+	"os"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/hashicorp/cli"
+	log "github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/go-secure-stdlib/strutil"
+	"github.com/hashicorp/hcl"
+	"github.com/hashicorp/hcl/hcl/ast"
+	"github.com/hashicorp/vault/command/server"
+	"github.com/hashicorp/vault/physical/raft"
+	"github.com/hashicorp/vault/sdk/helper/logging"
+	"github.com/hashicorp/vault/sdk/physical"
 	"github.com/hashicorp/vault/vault"
+	"github.com/pkg/errors"
+	"github.com/posener/complete"
+	"golang.org/x/sync/errgroup"
 )
 
-func handleSysSeal(core *vault.Core) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		req, _, statusCode, err := buildLogicalRequest(core, w, r)
-		if err != nil || statusCode != 0 {
-			respondError(w, statusCode, err)
-			return
-		}
+var (
+	_ cli.Command             = (*OperatorMigrateCommand)(nil)
+	_ cli.CommandAutocomplete = (*OperatorMigrateCommand)(nil)
+)
 
-		switch req.Operation {
-		case logical.UpdateOperation:
-		default:
-			respondError(w, http.StatusMethodNotAllowed, nil)
-			return
-		}
+var errAbort = errors.New("Migration aborted")
 
-		// Seal with the token above
-		// We use context.Background since there won't be a request context if the node isn't active
-		if err := core.SealWithRequest(r.Context(), req); err != nil {
-			if errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
-				respondError(w, http.StatusForbidden, err)
-				return
-			}
-			respondError(w, http.StatusInternalServerError, err)
-			return
-		}
+type OperatorMigrateCommand struct {
+	*BaseCommand
 
-		respondOk(w, nil)
-	})
+	PhysicalBackends map[string]physical.Factory
+	flagConfig       string
+	flagLogLevel     string
+	flagStart        string
+	flagReset        bool
+	flagMaxParallel  int
+	logger           log.Logger
+	ShutdownCh       chan struct{}
 }
 
-func handleSysStepDown(core *vault.Core) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		req, _, statusCode, err := buildLogicalRequest(core, w, r)
-		if err != nil || statusCode != 0 {
-			respondError(w, statusCode, err)
-			return
-		}
+type migratorConfig struct {
+	StorageSource      *server.Storage `hcl:"-"`
+	StorageDestination *server.Storage `hcl:"-"`
+	ClusterAddr        string          `hcl:"cluster_addr"`
+}
 
-		switch req.Operation {
-		case logical.UpdateOperation:
-		default:
-			respondError(w, http.StatusMethodNotAllowed, nil)
-			return
-		}
+func (c *OperatorMigrateCommand) Synopsis() string {
+	return "Migrates Vault data between storage backends"
+}
 
-		// Seal with the token above
-		if err := core.StepDown(r.Context(), req); err != nil {
-			if errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
-				respondError(w, http.StatusForbidden, err)
-				return
-			}
-			respondError(w, http.StatusInternalServerError, err)
-			return
-		}
+func (c *OperatorMigrateCommand) Help() string {
+	helpText := `
+Usage: vault operator migrate [options]
+
+  This command starts a storage backend migration process to copy all data
+  from one backend to another. This operates directly on encrypted data and
+  does not require a Vault server, nor any unsealing.
 
-		respondOk(w, nil)
+  Start a migration with a configuration file:
+
+      $ vault operator migrate -config=migrate.hcl
+
+  For more information, please see the documentation.
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *OperatorMigrateCommand) Flags() *FlagSets {
+	set := NewFlagSets(c.UI)
+	f := set.NewFlagSet("Command Options")
+
+	f.StringVar(&StringVar{
+		Name:   "config",
+		Target: &c.flagConfig,
+		Completion: complete.PredictOr(
+			complete.PredictFiles("*.hcl"),
+		),
+		Usage: "Path to a configuration file. This configuration file should " +
+			"contain only migrator directives.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:   "start",
+		Target: &c.flagStart,
+		Usage:  "Only copy keys lexicographically at or after this value.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:   "reset",
+		Target: &c.flagReset,
+		Usage:  "Reset the migration lock. No migration will occur.",
+	})
+
+	f.IntVar(&IntVar{
+		Name:    "max-parallel",
+		Default: 10,
+		Target:  &c.flagMaxParallel,
+		Usage: "Specifies the maximum number of parallel migration threads (goroutines) that may be used when migrating. " +
+			"This can speed up the migration process on slow backends but uses more resources.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "log-level",
+		Target:     &c.flagLogLevel,
+		Default:    "info",
+		EnvVar:     "VAULT_LOG_LEVEL",
+		Completion: complete.PredictSet("trace", "debug", "info", "warn", "error"),
+		Usage: "Log verbosity level. Supported values (in order of detail) are " +
+			"\"trace\", \"debug\", \"info\", \"warn\", and \"error\". These are not case sensitive.",
 	})
+
+	return set
 }
 
-func handleSysUnseal(core *vault.Core) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		switch r.Method {
-		case "PUT":
-		case "POST":
-		default:
-			respondError(w, http.StatusMethodNotAllowed, nil)
-			return
+func (c *OperatorMigrateCommand) AutocompleteArgs() complete.Predictor {
+	return nil
+}
+
+func (c *OperatorMigrateCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *OperatorMigrateCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+	c.flagLogLevel = strings.ToLower(c.flagLogLevel)
+	validLevels := []string{"trace", "debug", "info", "warn", "error"}
+	if !strutil.StrListContains(validLevels, c.flagLogLevel) {
+		c.UI.Error(fmt.Sprintf("%s is an unknown log level. Valid log levels are: %s", c.flagLogLevel, validLevels))
+		return 1
+	}
+	c.logger = logging.NewVaultLogger(log.LevelFromString(c.flagLogLevel))
+
+	if c.flagMaxParallel < 1 {
+		c.UI.Error(fmt.Sprintf("Argument to flag -max-parallel must be between 1 and %d", math.MaxInt))
+		return 1
+	}
+
+	if c.flagConfig == "" {
+		c.UI.Error("Must specify exactly one config path using -config")
+		return 1
+	}
+
+	config, err := c.loadMigratorConfig(c.flagConfig)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error loading configuration from %s: %s", c.flagConfig, err))
+		return 1
+	}
+
+	if err := c.migrate(config); err != nil {
+		if err == errAbort {
+			return 0
 		}
+		c.UI.Error(fmt.Sprintf("Error migrating: %s", err))
+		return 2
+	}
+
+	if c.flagReset {
+		c.UI.Output("Success! Migration lock reset (if it was set).")
+	} else {
+		c.UI.Output("Success! All of the keys have been migrated.")
+	}
+
+	return 0
+}
+
+// migrate attempts to instantiate the source and destinations backends,
+// and then invoke the migration the root of the keyspace.
+func (c *OperatorMigrateCommand) migrate(config *migratorConfig) error {
+	from, err := c.newBackend(config.StorageSource.Type, config.StorageSource.Config)
+	if err != nil {
+		return fmt.Errorf("error mounting 'storage_source': %w", err)
+	}
 
-		// Parse the request
-		var req UnsealRequest
-		if _, err := parseJSONRequest(core.PerfStandby(), r, w, &req); err != nil {
-			respondError(w, http.StatusBadRequest, err)
-			return
+	if c.flagReset {
+		if err := SetStorageMigration(from, false); err != nil {
+			return fmt.Errorf("error resetting migration lock: %w", err)
 		}
+		return nil
+	}
 
-		if req.Reset {
-			if !core.Sealed() {
-				respondError(w, http.StatusBadRequest, errors.New("vault is unsealed"))
-				return
-			}
-			core.ResetUnsealProcess()
-			handleSysSealStatusRaw(core, w)
-			return
-		}
-
-		if req.Key == "" {
-			respondError(
-				w, http.StatusBadRequest,
-				errors.New("'key' must be specified in request body as JSON, or 'reset' set to true"))
-			return
-		}
-
-		// Decode the key, which is base64 or hex encoded
-		min, max := core.BarrierKeyLength()
-		key, err := hex.DecodeString(req.Key)
-		// We check min and max here to ensure that a string that is base64
-		// encoded but also valid hex will not be valid and we instead base64
-		// decode it
-		if err != nil || len(key) < min || len(key) > max {
-			key, err = base64.StdEncoding.DecodeString(req.Key)
-			if err != nil {
-				respondError(
-					w, http.StatusBadRequest,
-					errors.New("'key' must be a valid hex or base64 string"))
-				return
-			}
+	to, err := c.createDestinationBackend(config.StorageDestination.Type, config.StorageDestination.Config, config)
+	if err != nil {
+		return fmt.Errorf("error mounting 'storage_destination': %w", err)
+	}
+
+	migrationStatus, err := CheckStorageMigration(from)
+	if err != nil {
+		return fmt.Errorf("error checking migration status: %w", err)
+	}
+
+	if migrationStatus != nil {
+		return fmt.Errorf("storage migration in progress (started: %s)", migrationStatus.Start.Format(time.RFC3339))
+	}
+
+	switch config.StorageSource.Type {
+	case "raft":
+		// Raft storage cannot be written to when shutdown. Also the boltDB file
+		// already uses file locking to ensure two processes are not accessing
+		// it.
+	default:
+		if err := SetStorageMigration(from, true); err != nil {
+			return fmt.Errorf("error setting migration lock: %w", err)
 		}
 
-		// Attempt the unseal.  If migrate was specified, the key should correspond
-		// to the old seal.
-		if req.Migrate {
-			_, err = core.UnsealMigrate(key)
-		} else {
-			_, err = core.Unseal(key)
+		defer SetStorageMigration(from, false)
+	}
+
+	ctx, cancelFunc := context.WithCancel(context.Background())
+
+	doneCh := make(chan error)
+	go func() {
+		doneCh <- c.migrateAll(ctx, from, to, c.flagMaxParallel)
+	}()
+
+	select {
+	case err := <-doneCh:
+		cancelFunc()
+		return err
+	case <-c.ShutdownCh:
+		c.UI.Output("==> Migration shutdown triggered\n")
+		cancelFunc()
+		<-doneCh
+		return errAbort
+	}
+}
+
+// migrateAll copies all keys in lexicographic order.
+func (c *OperatorMigrateCommand) migrateAll(ctx context.Context, from physical.Backend, to physical.Backend, maxParallel int) error {
+	return dfsScan(ctx, from, maxParallel, func(ctx context.Context, path string) error {
+		if path < c.flagStart || path == storageMigrationLock || path == vault.CoreLockPath {
+			return nil
 		}
+
+		entry, err := from.Get(ctx, path)
 		if err != nil {
-			switch {
-			case errwrap.ContainsType(err, new(vault.ErrInvalidKey)):
-			case errwrap.Contains(err, vault.ErrBarrierInvalidKey.Error()):
-			case errwrap.Contains(err, vault.ErrBarrierNotInit.Error()):
-			case errwrap.Contains(err, vault.ErrBarrierSealed.Error()):
-			case errwrap.Contains(err, consts.ErrStandby.Error()):
-			default:
-				respondError(w, http.StatusInternalServerError, err)
-				return
-			}
-			respondError(w, http.StatusBadRequest, err)
-			return
+			return fmt.Errorf("error reading entry: %w", err)
+		}
+
+		if entry == nil {
+			return nil
 		}
 
-		// Return the seal status
-		handleSysSealStatusRaw(core, w)
+		if err := to.Put(ctx, entry); err != nil {
+			return fmt.Errorf("error writing entry: %w", err)
+		}
+		c.logger.Info("copied key", "path", path)
+		return nil
 	})
 }
 
-func handleSysSealStatus(core *vault.Core, opt ...ListenerConfigOption) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method != "GET" {
-			respondError(w, http.StatusMethodNotAllowed, nil)
-			return
-		}
+func (c *OperatorMigrateCommand) newBackend(kind string, conf map[string]string) (physical.Backend, error) {
+	factory, ok := c.PhysicalBackends[kind]
+	if !ok {
+		return nil, fmt.Errorf("no Vault storage backend named: %+q", kind)
+	}
 
-		handleSysSealStatusRaw(core, w, opt...)
-	})
+	return factory(conf, c.logger)
 }
 
-func handleSysSealBackendStatus(core *vault.Core) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method != "GET" {
-			respondError(w, http.StatusMethodNotAllowed, nil)
-			return
+func (c *OperatorMigrateCommand) createDestinationBackend(kind string, conf map[string]string, config *migratorConfig) (physical.Backend, error) {
+	storage, err := c.newBackend(kind, conf)
+	if err != nil {
+		return nil, err
+	}
+
+	switch kind {
+	case "raft":
+		if len(config.ClusterAddr) == 0 {
+			return nil, errors.New("cluster_addr config not set")
 		}
 
-		handleSysSealBackendStatusRaw(core, w, r)
-	})
+		raftStorage, ok := storage.(*raft.RaftBackend)
+		if !ok {
+			return nil, errors.New("wrong storage type for raft backend")
+		}
+
+		parsedClusterAddr, err := url.Parse(config.ClusterAddr)
+		if err != nil {
+			return nil, fmt.Errorf("error parsing cluster address: %w", err)
+		}
+		if err := raftStorage.Bootstrap([]raft.Peer{
+			{
+				ID:      raftStorage.NodeID(),
+				Address: parsedClusterAddr.Host,
+			},
+		}); err != nil {
+			return nil, fmt.Errorf("could not bootstrap clustered storage: %w", err)
+		}
+
+		if err := raftStorage.SetupCluster(context.Background(), raft.SetupOpts{
+			StartAsLeader: true,
+		}); err != nil {
+			return nil, fmt.Errorf("could not start clustered storage: %w", err)
+		}
+	}
+
+	return storage, nil
 }
 
-func handleSysSealStatusRaw(core *vault.Core, w http.ResponseWriter, opt ...ListenerConfigOption) {
-	ctx := context.Background()
-	status, err := core.GetSealStatus(ctx, true)
+// loadMigratorConfig loads the configuration at the given path
+func (c *OperatorMigrateCommand) loadMigratorConfig(path string) (*migratorConfig, error) {
+	fi, err := os.Stat(path)
+	if err != nil {
+		return nil, err
+	}
+
+	if fi.IsDir() {
+		return nil, fmt.Errorf("location is a directory, not a file")
+	}
+
+	d, err := ioutil.ReadFile(path)
 	if err != nil {
-		respondError(w, http.StatusInternalServerError, err)
-		return
+		return nil, err
 	}
 
-	opts, err := getOpts(opt...)
+	obj, err := hcl.ParseBytes(d)
+	if err != nil {
+		return nil, err
+	}
 
-	if opts.withRedactVersion {
-		status.Version = opts.withRedactionValue
-		status.BuildDate = opts.withRedactionValue
+	var result migratorConfig
+	if err := hcl.DecodeObject(&result, obj); err != nil {
+		return nil, err
 	}
 
-	if opts.withRedactClusterName {
-		status.ClusterName = opts.withRedactionValue
+	list, ok := obj.Node.(*ast.ObjectList)
+	if !ok {
+		return nil, fmt.Errorf("error parsing: file doesn't contain a root object")
 	}
 
-	respondOk(w, status)
+	// Look for storage_* stanzas
+	for _, stanza := range []string{"storage_source", "storage_destination"} {
+		o := list.Filter(stanza)
+		if len(o.Items) != 1 {
+			return nil, fmt.Errorf("exactly one %q block is required", stanza)
+		}
+
+		if err := parseStorage(&result, o, stanza); err != nil {
+			return nil, fmt.Errorf("error parsing %q: %w", stanza, err)
+		}
+	}
+	return &result, nil
 }
 
-func handleSysSealBackendStatusRaw(core *vault.Core, w http.ResponseWriter, r *http.Request) {
-	ctx := context.Background()
-	status, err := core.GetSealBackendStatus(ctx)
-	if err != nil {
-		respondError(w, http.StatusInternalServerError, err)
-		return
+// parseStorage reuses the existing storage parsing that's part of the main Vault
+// config processing, but only keeps the storage result.
+func parseStorage(result *migratorConfig, list *ast.ObjectList, name string) error {
+	tmpConfig := new(server.Config)
+
+	if err := server.ParseStorage(tmpConfig, list, name); err != nil {
+		return err
 	}
 
-	respondOk(w, status)
+	switch name {
+	case "storage_source":
+		result.StorageSource = tmpConfig.Storage
+	case "storage_destination":
+		result.StorageDestination = tmpConfig.Storage
+	default:
+		return fmt.Errorf("unknown storage name: %s", name)
+	}
+
+	return nil
 }
 
-// Note: because we didn't provide explicit tagging in the past we can't do it
-// now because if it then no longer accepts capitalized versions it could break
-// clients
-type UnsealRequest struct {
-	Key     string
-	Reset   bool
-	Migrate bool
+// dfsScan will invoke cb with every key from source.
+// Keys will be traversed in lexicographic, depth-first order.
+func dfsScan(ctx context.Context, source physical.Backend, maxParallel int, cb func(ctx context.Context, path string) error) error {
+	dfs := []string{""}
+
+	eg, ctx := errgroup.WithContext(ctx)
+	eg.SetLimit(maxParallel)
+
+	for l := len(dfs); l > 0; l = len(dfs) {
+		// Check for cancellation
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		default:
+		}
+
+		key := dfs[len(dfs)-1]
+		if key == "" || strings.HasSuffix(key, "/") {
+			children, err := source.List(ctx, key)
+			if err != nil {
+				return fmt.Errorf("failed to scan for children: %w", err)
+			}
+			sort.Strings(children)
+
+			// remove List-triggering key and add children in reverse order
+			dfs = dfs[:len(dfs)-1]
+			for i := len(children) - 1; i >= 0; i-- {
+				if children[i] != "" {
+					dfs = append(dfs, key+children[i])
+				}
+			}
+		} else {
+			// Pooling
+			eg.Go(func() error {
+				return cb(ctx, key)
+			})
+
+			dfs = dfs[:len(dfs)-1]
+		}
+	}
+
+	return eg.Wait()
 }
diff --git a/http/util.go b/http/util.go
index abf03b29efe8..deaff14cdf2d 100644
--- a/http/util.go
+++ b/http/util.go
@@ -1,136 +1,54 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package http
+package command
 
 import (
-	"bytes"
-	"context"
-	"errors"
-	"fmt"
-	"io/ioutil"
-	"net"
-	"net/http"
 	"strings"
 
-	"github.com/hashicorp/vault/sdk/logical"
-
-	"github.com/hashicorp/vault/helper/namespace"
-	"github.com/hashicorp/vault/vault"
-	"github.com/hashicorp/vault/vault/quotas"
+	"github.com/hashicorp/cli"
 )
 
-var nonVotersAllowed = false
-
-func rateLimitQuotaWrapping(handler http.Handler, core *vault.Core) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		ns, err := namespace.FromContext(r.Context())
-		if err != nil {
-			respondError(w, http.StatusInternalServerError, err)
-			return
-		}
-
-		// We don't want to do buildLogicalRequestNoAuth here because, if the
-		// request gets allowed by the quota, the same function will get called
-		// again, which is not desired.
-		path, status, err := buildLogicalPath(r)
-		if err != nil || status != 0 {
-			respondError(w, status, err)
-			return
-		}
-		mountPath := strings.TrimPrefix(core.MatchingMount(r.Context(), path), ns.Path)
-
-		// Clone body, so we do not close the request body reader
-		bodyBytes, err := ioutil.ReadAll(r.Body)
-		if err != nil {
-			respondError(w, http.StatusInternalServerError, errors.New("failed to read request body"))
-			return
-		}
-		r.Body = ioutil.NopCloser(bytes.NewBuffer(bodyBytes))
-
-		quotaReq := &quotas.Request{
-			Type:          quotas.TypeRateLimit,
-			Path:          path,
-			MountPath:     mountPath,
-			NamespacePath: ns.Path,
-			ClientAddress: parseRemoteIPAddress(r),
-		}
-
-		// This checks if any role based quota is required (LCQ or RLQ).
-		requiresResolveRole, err := core.ResolveRoleForQuotas(r.Context(), quotaReq)
-		if err != nil {
-			core.Logger().Error("failed to lookup quotas", "path", path, "error", err)
-			respondError(w, http.StatusInternalServerError, err)
-			return
-		}
-
-		// If any role-based quotas are enabled for this namespace/mount, just
-		// do the role resolution once here.
-		if requiresResolveRole {
-			role := core.DetermineRoleFromLoginRequestFromBytes(r.Context(), mountPath, bodyBytes)
-			// add an entry to the context to prevent recalculating request role unnecessarily
-			r = r.WithContext(context.WithValue(r.Context(), logical.CtxKeyRequestRole{}, role))
-			quotaReq.Role = role
-		}
-
-		quotaResp, err := core.ApplyRateLimitQuota(r.Context(), quotaReq)
-		if err != nil {
-			core.Logger().Error("failed to apply quota", "path", path, "error", err)
-			respondError(w, http.StatusInternalServerError, err)
-			return
-		}
-
-		if core.RateLimitResponseHeadersEnabled() {
-			for h, v := range quotaResp.Headers {
-				w.Header().Set(h, v)
-			}
-		}
-
-		if !quotaResp.Allowed {
-			quotaErr := fmt.Errorf("request path %q: %w", path, quotas.ErrRateLimitQuotaExceeded)
-			respondError(w, http.StatusTooManyRequests, quotaErr)
-
-			if core.Logger().IsTrace() {
-				core.Logger().Trace("request rejected due to rate limit quota violation", "request_path", path)
-			}
-
-			if core.RateLimitAuditLoggingEnabled() {
-				req, _, status, err := buildLogicalRequestNoAuth(core.PerfStandby(), core.RouterAccess(), w, r)
-				if err != nil || status != 0 {
-					respondError(w, status, err)
-					return
-				}
-
-				err = core.AuditLogger().AuditRequest(r.Context(), &logical.LogInput{
-					Request:  req,
-					OuterErr: quotaErr,
-				})
-				if err != nil {
-					core.Logger().Warn("failed to audit log request rejection caused by rate limit quota violation", "error", err)
-				}
-			}
-
-			return
-		}
-
-		handler.ServeHTTP(w, r)
-		return
-	})
-}
+var _ cli.Command = (*OperatorRaftCommand)(nil)
 
-func disableReplicationStatusEndpointWrapping(h http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		request := r.WithContext(logical.CreateContextDisableReplicationStatusEndpoints(r.Context(), true))
+type OperatorRaftCommand struct {
+	*BaseCommand
+}
 
-		h.ServeHTTP(w, request)
-	})
+func (c *OperatorRaftCommand) Synopsis() string {
+	return "Interact with Vault's raft storage backend"
 }
 
-func parseRemoteIPAddress(r *http.Request) string {
-	ip, _, err := net.SplitHostPort(r.RemoteAddr)
-	if err != nil {
-		return ""
-	}
+func (c *OperatorRaftCommand) Help() string {
+	helpText := `
+Usage: vault operator raft <subcommand> [options] [args]
+
+  This command groups subcommands for operators interacting with the Vault raft
+  storage backend. Most users will not need to interact with these commands. Here
+  are a few examples of the raft operator commands:
+
+  Joins a node to the raft cluster:
+
+      $ vault operator raft join https://127.0.0.1:8200
+
+  Returns the set of raft peers:
+
+      $ vault operator raft list-peers
+
+  Removes a node from the raft cluster:
+
+      $ vault operator raft remove-peer
+
+  Restores and saves snapshots from the raft cluster:
+
+      $ vault operator raft snapshot save out.snap
+
+  Please see the individual subcommand help for detailed usage information.
+`
+
+	return strings.TrimSpace(helpText)
+}
 
-	return ip
+func (c *OperatorRaftCommand) Run(args []string) int {
+	return cli.RunResultHelp
 }
diff --git a/internal/go118_sha1_patch.go b/internal/go118_sha1_patch.go
index bce531889681..bdeeed6f8c08 100644
--- a/internal/go118_sha1_patch.go
+++ b/internal/go118_sha1_patch.go
@@ -1,59 +1,112 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package internal
+package command
 
 import (
 	"fmt"
-	"os"
-	"sync"
-	_ "unsafe" // for go:linkname
+	"strings"
 
-	goversion "github.com/hashicorp/go-version"
-	"github.com/hashicorp/vault/version"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
 )
 
-const sha1PatchVersionsBefore = "1.12.0"
-
-var patchSha1 sync.Once
-
-//go:linkname debugAllowSHA1 crypto/x509.debugAllowSHA1
-var debugAllowSHA1 bool
-
-// PatchSha1 patches Go 1.18+ to allow certificates with signatures containing SHA-1 hashes to be allowed.
-// It is safe to call this function multiple times.
-// This is necessary to allow Vault 1.10 and 1.11 to work with Go 1.18+ without breaking backwards compatibility
-// with these certificates. See https://go.dev/doc/go1.18#sha1 and
-// https://developer.hashicorp.com/vault/docs/deprecation/faq#q-what-is-the-impact-of-removing-support-for-x-509-certificates-with-signatures-that-use-sha-1
-// for more details.
-// TODO: remove when Vault <=1.11 is no longer supported
-func PatchSha1() {
-	patchSha1.Do(func() {
-		// for Go 1.19.4 and later
-		godebug := os.Getenv("GODEBUG")
-		if godebug != "" {
-			godebug += ","
-		}
-		godebug += "x509sha1=1"
-		os.Setenv("GODEBUG", godebug)
-
-		// for Go 1.19.3 and earlier, patch the variable
-		patchBefore, err := goversion.NewSemver(sha1PatchVersionsBefore)
-		if err != nil {
-			panic(err)
-		}
-
-		patch := false
-		v, err := goversion.NewSemver(version.GetVersion().Version)
-		if err == nil {
-			patch = v.LessThan(patchBefore)
-		} else {
-			fmt.Fprintf(os.Stderr, "Cannot parse version %s; going to apply SHA-1 deprecation patch workaround\n", version.GetVersion().Version)
-			patch = true
-		}
-
-		if patch {
-			debugAllowSHA1 = true
-		}
+var (
+	_ cli.Command             = (*OperatorRaftAutopilotGetConfigCommand)(nil)
+	_ cli.CommandAutocomplete = (*OperatorRaftAutopilotGetConfigCommand)(nil)
+)
+
+type OperatorRaftAutopilotGetConfigCommand struct {
+	*BaseCommand
+	flagDRToken string
+}
+
+func (c *OperatorRaftAutopilotGetConfigCommand) Synopsis() string {
+	return "Returns the configuration of the autopilot subsystem under integrated storage"
+}
+
+func (c *OperatorRaftAutopilotGetConfigCommand) Help() string {
+	helpText := `
+Usage: vault operator raft autopilot get-config
+
+ Returns the configuration of the autopilot subsystem under integrated storage.
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *OperatorRaftAutopilotGetConfigCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+
+	f := set.NewFlagSet("Command Options")
+
+	f.StringVar(&StringVar{
+		Name:       "dr-token",
+		Target:     &c.flagDRToken,
+		Default:    "",
+		EnvVar:     "",
+		Completion: complete.PredictAnything,
+		Usage:      "DR operation token used to authorize this request (if a DR secondary node).",
 	})
+
+	return set
+}
+
+func (c *OperatorRaftAutopilotGetConfigCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictAnything
+}
+
+func (c *OperatorRaftAutopilotGetConfigCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *OperatorRaftAutopilotGetConfigCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	switch len(args) {
+	case 0:
+	default:
+		c.UI.Error(fmt.Sprintf("Incorrect arguments (expected 0, got %d)", len(args)))
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	var config *api.AutopilotConfig
+	switch {
+	case c.flagDRToken != "":
+		config, err = client.Sys().RaftAutopilotConfigurationWithDRToken(c.flagDRToken)
+	default:
+		config, err = client.Sys().RaftAutopilotConfiguration()
+	}
+
+	if config == nil {
+		return 0
+	}
+
+	if Format(c.UI) != "table" {
+		return OutputData(c.UI, config)
+	}
+
+	entries := []string{"Key | Value"}
+	entries = append(entries, fmt.Sprintf("%s | %t", "Cleanup Dead Servers", config.CleanupDeadServers))
+	entries = append(entries, fmt.Sprintf("%s | %s", "Last Contact Threshold", config.LastContactThreshold.String()))
+	entries = append(entries, fmt.Sprintf("%s | %s", "Dead Server Last Contact Threshold", config.DeadServerLastContactThreshold.String()))
+	entries = append(entries, fmt.Sprintf("%s | %s", "Server Stabilization Time", config.ServerStabilizationTime.String()))
+	entries = append(entries, fmt.Sprintf("%s | %d", "Min Quorum", config.MinQuorum))
+	entries = append(entries, fmt.Sprintf("%s | %d", "Max Trailing Logs", config.MaxTrailingLogs))
+	entries = append(entries, fmt.Sprintf("%s | %t", "Disable Upgrade Migration", config.DisableUpgradeMigration))
+
+	return OutputData(c.UI, entries)
 }
diff --git a/internalshared/configutil/telemetry.go b/internalshared/configutil/telemetry.go
index e10812276f23..39b9b2ddcb6d 100644
--- a/internalshared/configutil/telemetry.go
+++ b/internalshared/configutil/telemetry.go
@@ -1,438 +1,171 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package configutil
+package command
 
 import (
-	"context"
-	"errors"
 	"fmt"
+	"strings"
 	"time"
 
-	"github.com/hashicorp/go-secure-stdlib/parseutil"
-
-	monitoring "cloud.google.com/go/monitoring/apiv3"
-	"github.com/armon/go-metrics"
-	"github.com/armon/go-metrics/circonus"
-	"github.com/armon/go-metrics/datadog"
-	"github.com/armon/go-metrics/prometheus"
-	stackdriver "github.com/google/go-metrics-stackdriver"
-	stackdrivervault "github.com/google/go-metrics-stackdriver/vault"
-	"github.com/hashicorp/go-multierror"
-	"github.com/hashicorp/hcl"
-	"github.com/hashicorp/hcl/hcl/ast"
-	"github.com/hashicorp/vault/helper/metricsutil"
-	"github.com/mitchellh/cli"
-	"google.golang.org/api/option"
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
 )
 
-const (
-	PrometheusDefaultRetentionTime    = 24 * time.Hour
-	UsageGaugeDefaultPeriod           = 10 * time.Minute
-	MaximumGaugeCardinalityDefault    = 500
-	LeaseMetricsEpsilonDefault        = time.Hour
-	NumLeaseMetricsTimeBucketsDefault = 168
+var (
+	_ cli.Command             = (*OperatorRaftAutopilotSetConfigCommand)(nil)
+	_ cli.CommandAutocomplete = (*OperatorRaftAutopilotSetConfigCommand)(nil)
 )
 
-// Telemetry is the telemetry configuration for the server
-type Telemetry struct {
-	FoundKeys    []string     `hcl:",decodedFields"`
-	UnusedKeys   UnusedKeyMap `hcl:",unusedKeyPositions"`
-	StatsiteAddr string       `hcl:"statsite_address"`
-	StatsdAddr   string       `hcl:"statsd_address"`
-
-	DisableHostname     bool   `hcl:"disable_hostname"`
-	EnableHostnameLabel bool   `hcl:"enable_hostname_label"`
-	MetricsPrefix       string `hcl:"metrics_prefix"`
-	UsageGaugePeriod    time.Duration
-	UsageGaugePeriodRaw interface{} `hcl:"usage_gauge_period,alias:UsageGaugePeriod"`
-
-	MaximumGaugeCardinality int `hcl:"maximum_gauge_cardinality"`
-
-	// Circonus: see https://github.com/circonus-labs/circonus-gometrics
-	// for more details on the various configuration options.
-	// Valid configuration combinations:
-	//    - CirconusAPIToken
-	//      metric management enabled (search for existing check or create a new one)
-	//    - CirconusSubmissionUrl
-	//      metric management disabled (use check with specified submission_url,
-	//      broker must be using a public SSL certificate)
-	//    - CirconusAPIToken + CirconusCheckSubmissionURL
-	//      metric management enabled (use check with specified submission_url)
-	//    - CirconusAPIToken + CirconusCheckID
-	//      metric management enabled (use check with specified id)
-
-	// CirconusAPIToken is a valid API Token used to create/manage check. If provided,
-	// metric management is enabled.
-	// Default: none
-	CirconusAPIToken string `hcl:"circonus_api_token"`
-	// CirconusAPIApp is an app name associated with API token.
-	// Default: "consul"
-	CirconusAPIApp string `hcl:"circonus_api_app"`
-	// CirconusAPIURL is the base URL to use for contacting the Circonus API.
-	// Default: "https://api.circonus.com/v2"
-	CirconusAPIURL string `hcl:"circonus_api_url"`
-	// CirconusSubmissionInterval is the interval at which metrics are submitted to Circonus.
-	// Default: 10s
-	CirconusSubmissionInterval string `hcl:"circonus_submission_interval"`
-	// CirconusCheckSubmissionURL is the check.config.submission_url field from a
-	// previously created HTTPTRAP check.
-	// Default: none
-	CirconusCheckSubmissionURL string `hcl:"circonus_submission_url"`
-	// CirconusCheckID is the check id (not check bundle id) from a previously created
-	// HTTPTRAP check. The numeric portion of the check._cid field.
-	// Default: none
-	CirconusCheckID string `hcl:"circonus_check_id"`
-	// CirconusCheckForceMetricActivation will force enabling metrics, as they are encountered,
-	// if the metric already exists and is NOT active. If check management is enabled, the default
-	// behavior is to add new metrics as they are encountered. If the metric already exists in the
-	// check, it will *NOT* be activated. This setting overrides that behavior.
-	// Default: "false"
-	CirconusCheckForceMetricActivation string `hcl:"circonus_check_force_metric_activation"`
-	// CirconusCheckInstanceID serves to uniquely identify the metrics coming from this "instance".
-	// It can be used to maintain metric continuity with transient or ephemeral instances as
-	// they move around within an infrastructure.
-	// Default: hostname:app
-	CirconusCheckInstanceID string `hcl:"circonus_check_instance_id"`
-	// CirconusCheckSearchTag is a special tag which, when coupled with the instance id, helps to
-	// narrow down the search results when neither a Submission URL or Check ID is provided.
-	// Default: service:app (e.g. service:consul)
-	CirconusCheckSearchTag string `hcl:"circonus_check_search_tag"`
-	// CirconusCheckTags is a comma separated list of tags to apply to the check. Note that
-	// the value of CirconusCheckSearchTag will always be added to the check.
-	// Default: none
-	CirconusCheckTags string `hcl:"circonus_check_tags"`
-	// CirconusCheckDisplayName is the name for the check which will be displayed in the Circonus UI.
-	// Default: value of CirconusCheckInstanceID
-	CirconusCheckDisplayName string `hcl:"circonus_check_display_name"`
-	// CirconusBrokerID is an explicit broker to use when creating a new check. The numeric portion
-	// of broker._cid. If metric management is enabled and neither a Submission URL nor Check ID
-	// is provided, an attempt will be made to search for an existing check using Instance ID and
-	// Search Tag. If one is not found, a new HTTPTRAP check will be created.
-	// Default: use Select Tag if provided, otherwise, a random Enterprise Broker associated
-	// with the specified API token or the default Circonus Broker.
-	// Default: none
-	CirconusBrokerID string `hcl:"circonus_broker_id"`
-	// CirconusBrokerSelectTag is a special tag which will be used to select a broker when
-	// a Broker ID is not provided. The best use of this is to as a hint for which broker
-	// should be used based on *where* this particular instance is running.
-	// (e.g. a specific geo location or datacenter, dc:sfo)
-	// Default: none
-	CirconusBrokerSelectTag string `hcl:"circonus_broker_select_tag"`
-
-	// Dogstats:
-	// DogStatsdAddr is the address of a dogstatsd instance. If provided,
-	// metrics will be sent to that instance
-	DogStatsDAddr string `hcl:"dogstatsd_addr"`
-
-	// DogStatsdTags are the global tags that should be sent with each packet to dogstatsd
-	// It is a list of strings, where each string looks like "my_tag_name:my_tag_value"
-	DogStatsDTags []string `hcl:"dogstatsd_tags"`
-
-	// Prometheus:
-	// PrometheusRetentionTime is the retention time for prometheus metrics if greater than 0.
-	// Default: 24h
-	PrometheusRetentionTime    time.Duration `hcl:"-"`
-	PrometheusRetentionTimeRaw interface{}   `hcl:"prometheus_retention_time"`
-
-	// Stackdriver:
-	// StackdriverProjectID is the project to publish stackdriver metrics to.
-	StackdriverProjectID string `hcl:"stackdriver_project_id"`
-	// StackdriverLocation is the GCP or AWS region of the monitored resource.
-	StackdriverLocation string `hcl:"stackdriver_location"`
-	// StackdriverNamespace is the namespace identifier, such as a cluster name.
-	StackdriverNamespace string `hcl:"stackdriver_namespace"`
-	// StackdriverDebugLogs will write additional stackdriver related debug logs to stderr.
-	StackdriverDebugLogs bool `hcl:"stackdriver_debug_logs"`
-
-	// How often metrics for lease expiry will be aggregated
-	LeaseMetricsEpsilon    time.Duration
-	LeaseMetricsEpsilonRaw interface{} `hcl:"lease_metrics_epsilon"`
-
-	// Number of buckets by time that will be used in lease aggregation
-	NumLeaseMetricsTimeBuckets int `hcl:"num_lease_metrics_buckets"`
-
-	// Whether or not telemetry should add labels for namespaces
-	LeaseMetricsNameSpaceLabels bool `hcl:"add_lease_metrics_namespace_labels"`
-
-	// FilterDefault is the default for whether to allow a metric that's not
-	// covered by the prefix filter.
-	FilterDefault *bool `hcl:"filter_default"`
-
-	// PrefixFilter is a list of filter rules to apply for allowing
-	// or blocking metrics by prefix.
-	PrefixFilter []string `hcl:"prefix_filter"`
-
-	// Whether or not telemetry should include the mount point in the rollback
-	// metrics
-	RollbackMetricsIncludeMountPoint bool `hcl:"add_mount_point_rollback_metrics"`
-}
-
-func (t *Telemetry) Validate(source string) []ConfigError {
-	return ValidateUnusedFields(t.UnusedKeys, source)
+type OperatorRaftAutopilotSetConfigCommand struct {
+	*BaseCommand
+	flagCleanupDeadServers             BoolPtr
+	flagLastContactThreshold           time.Duration
+	flagDeadServerLastContactThreshold time.Duration
+	flagMaxTrailingLogs                uint64
+	flagMinQuorum                      uint
+	flagServerStabilizationTime        time.Duration
+	flagDisableUpgradeMigration        BoolPtr
+	flagDRToken                        string
 }
 
-func (t *Telemetry) GoString() string {
-	return fmt.Sprintf("*%#v", *t)
+func (c *OperatorRaftAutopilotSetConfigCommand) Synopsis() string {
+	return "Modify the configuration of the autopilot subsystem under integrated storage"
 }
 
-func parseTelemetry(result *SharedConfig, list *ast.ObjectList) error {
-	if len(list.Items) > 1 {
-		return fmt.Errorf("only one 'telemetry' block is permitted")
-	}
-
-	// Get our one item
-	item := list.Items[0]
-
-	if result.Telemetry == nil {
-		result.Telemetry = &Telemetry{}
-	}
-
-	if err := hcl.DecodeObject(&result.Telemetry, item.Val); err != nil {
-		return multierror.Prefix(err, "telemetry:")
-	}
-
-	if result.Telemetry.PrometheusRetentionTimeRaw != nil {
-		var err error
-		if result.Telemetry.PrometheusRetentionTime, err = parseutil.ParseDurationSecond(result.Telemetry.PrometheusRetentionTimeRaw); err != nil {
-			return err
-		}
-		result.Telemetry.PrometheusRetentionTimeRaw = nil
-	} else {
-		result.Telemetry.PrometheusRetentionTime = PrometheusDefaultRetentionTime
-	}
+func (c *OperatorRaftAutopilotSetConfigCommand) Help() string {
+	helpText := `
+Usage: vault operator raft autopilot set-config [options]
 
-	if result.Telemetry.UsageGaugePeriodRaw != nil {
-		if result.Telemetry.UsageGaugePeriodRaw == "none" {
-			result.Telemetry.UsageGaugePeriod = 0
-		} else {
-			var err error
-			if result.Telemetry.UsageGaugePeriod, err = parseutil.ParseDurationSecond(result.Telemetry.UsageGaugePeriodRaw); err != nil {
-				return err
-			}
-			result.Telemetry.UsageGaugePeriodRaw = nil
-		}
-	} else {
-		result.Telemetry.UsageGaugePeriod = UsageGaugeDefaultPeriod
-	}
-
-	if result.Telemetry.MaximumGaugeCardinality == 0 {
-		result.Telemetry.MaximumGaugeCardinality = MaximumGaugeCardinalityDefault
-	}
+  Modify the configuration of the autopilot subsystem under integrated storage.
+` + c.Flags().Help()
 
-	if result.Telemetry.LeaseMetricsEpsilonRaw != nil {
-		if result.Telemetry.LeaseMetricsEpsilonRaw == "none" {
-			result.Telemetry.LeaseMetricsEpsilonRaw = 0
-		} else {
-			var err error
-			if result.Telemetry.LeaseMetricsEpsilon, err = parseutil.ParseDurationSecond(result.Telemetry.LeaseMetricsEpsilonRaw); err != nil {
-				return err
-			}
-			result.Telemetry.LeaseMetricsEpsilonRaw = nil
-		}
-	} else {
-		result.Telemetry.LeaseMetricsEpsilon = LeaseMetricsEpsilonDefault
-	}
+	return strings.TrimSpace(helpText)
+}
 
-	if result.Telemetry.NumLeaseMetricsTimeBuckets == 0 {
-		result.Telemetry.NumLeaseMetricsTimeBuckets = NumLeaseMetricsTimeBucketsDefault
-	}
+func (c *OperatorRaftAutopilotSetConfigCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+
+	f := set.NewFlagSet("Common Options")
+
+	f.BoolPtrVar(&BoolPtrVar{
+		Name:   "cleanup-dead-servers",
+		Target: &c.flagCleanupDeadServers,
+		Usage:  "Controls whether to remove dead servers from the Raft peer list periodically or when a new server joins.",
+	})
+
+	f.DurationVar(&DurationVar{
+		Name:   "last-contact-threshold",
+		Target: &c.flagLastContactThreshold,
+		Usage:  "Limit on the amount of time a server can go without leader contact before being considered unhealthy.",
+	})
+
+	f.DurationVar(&DurationVar{
+		Name:   "dead-server-last-contact-threshold",
+		Target: &c.flagDeadServerLastContactThreshold,
+		Usage:  "Limit on the amount of time a server can go without leader contact before being considered failed. This takes effect only when cleanup_dead_servers is set.",
+	})
+
+	f.Uint64Var(&Uint64Var{
+		Name:   "max-trailing-logs",
+		Target: &c.flagMaxTrailingLogs,
+		Usage:  "Amount of entries in the Raft Log that a server can be behind before being considered unhealthy.",
+	})
+
+	f.UintVar(&UintVar{
+		Name:   "min-quorum",
+		Target: &c.flagMinQuorum,
+		Usage:  "Minimum number of servers allowed in a cluster before autopilot can prune dead servers. This should at least be 3.",
+	})
+
+	f.DurationVar(&DurationVar{
+		Name:   "server-stabilization-time",
+		Target: &c.flagServerStabilizationTime,
+		Usage:  "Minimum amount of time a server must be in a stable, healthy state before it can be added to the cluster.",
+	})
+
+	f.BoolPtrVar(&BoolPtrVar{
+		Name:   "disable-upgrade-migration",
+		Target: &c.flagDisableUpgradeMigration,
+		Usage:  "Whether or not to perform automated version upgrades.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "dr-token",
+		Target:     &c.flagDRToken,
+		Default:    "",
+		EnvVar:     "",
+		Completion: complete.PredictAnything,
+		Usage:      "DR operation token used to authorize this request (if a DR secondary node).",
+	})
+
+	return set
+}
 
-	return nil
+func (c *OperatorRaftAutopilotSetConfigCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictAnything
 }
 
-type SetupTelemetryOpts struct {
-	Config      *Telemetry
-	Ui          cli.Ui
-	ServiceName string
-	DisplayName string
-	UserAgent   string
-	ClusterName string
+func (c *OperatorRaftAutopilotSetConfigCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
 }
 
-// SetupTelemetry is used to setup the telemetry sub-systems and returns the
-// in-memory sink to be used in http configuration
-func SetupTelemetry(opts *SetupTelemetryOpts) (*metrics.InmemSink, *metricsutil.ClusterMetricSink, bool, error) {
-	if opts == nil {
-		return nil, nil, false, errors.New("nil opts passed into SetupTelemetry")
-	}
+func (c *OperatorRaftAutopilotSetConfigCommand) Run(args []string) int {
+	f := c.Flags()
 
-	if opts.Config == nil {
-		opts.Config = &Telemetry{}
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
 	}
 
-	/* Setup telemetry
-	Aggregate on 10 second intervals for 1 minute. Expose the
-	metrics over stderr when there is a SIGUSR1 received.
-	*/
-	inm := metrics.NewInmemSink(10*time.Second, time.Minute)
-	metrics.DefaultInmemSignal(inm)
-
-	if opts.Config.MetricsPrefix != "" {
-		opts.ServiceName = opts.Config.MetricsPrefix
+	args = f.Args()
+	switch len(args) {
+	case 0:
+	default:
+		c.UI.Error(fmt.Sprintf("Incorrect arguments (expected 0, got %d)", len(args)))
+		return 1
 	}
 
-	metricsConf := metrics.DefaultConfig(opts.ServiceName)
-	metricsConf.EnableHostname = !opts.Config.DisableHostname
-	metricsConf.EnableHostnameLabel = opts.Config.EnableHostnameLabel
-	if opts.Config.FilterDefault != nil {
-		metricsConf.FilterDefault = *opts.Config.FilterDefault
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
 	}
 
-	// Configure the statsite sink
-	var fanout metrics.FanoutSink
-	var prometheusEnabled bool
-
-	// Configure the Prometheus sink
-	if opts.Config.PrometheusRetentionTime != 0 {
-		prometheusEnabled = true
-		prometheusOpts := prometheus.PrometheusOpts{
-			Expiration: opts.Config.PrometheusRetentionTime,
-		}
-
-		sink, err := prometheus.NewPrometheusSinkFrom(prometheusOpts)
-		if err != nil {
-			return nil, nil, false, err
-		}
-		fanout = append(fanout, sink)
+	data := make(map[string]interface{})
+	if c.flagCleanupDeadServers.IsSet() {
+		data["cleanup_dead_servers"] = c.flagCleanupDeadServers.Get()
 	}
-
-	if opts.Config.StatsiteAddr != "" {
-		sink, err := metrics.NewStatsiteSink(opts.Config.StatsiteAddr)
-		if err != nil {
-			return nil, nil, false, err
-		}
-		fanout = append(fanout, sink)
+	if c.flagMaxTrailingLogs > 0 {
+		data["max_trailing_logs"] = c.flagMaxTrailingLogs
 	}
-
-	// Configure the statsd sink
-	if opts.Config.StatsdAddr != "" {
-		sink, err := metrics.NewStatsdSink(opts.Config.StatsdAddr)
-		if err != nil {
-			return nil, nil, false, err
-		}
-		fanout = append(fanout, sink)
+	if c.flagMinQuorum > 0 {
+		data["min_quorum"] = c.flagMinQuorum
 	}
-
-	// Configure the Circonus sink
-	if opts.Config.CirconusAPIToken != "" || opts.Config.CirconusCheckSubmissionURL != "" {
-		cfg := &circonus.Config{}
-		cfg.Interval = opts.Config.CirconusSubmissionInterval
-		cfg.CheckManager.API.TokenKey = opts.Config.CirconusAPIToken
-		cfg.CheckManager.API.TokenApp = opts.Config.CirconusAPIApp
-		cfg.CheckManager.API.URL = opts.Config.CirconusAPIURL
-		cfg.CheckManager.Check.SubmissionURL = opts.Config.CirconusCheckSubmissionURL
-		cfg.CheckManager.Check.ID = opts.Config.CirconusCheckID
-		cfg.CheckManager.Check.ForceMetricActivation = opts.Config.CirconusCheckForceMetricActivation
-		cfg.CheckManager.Check.InstanceID = opts.Config.CirconusCheckInstanceID
-		cfg.CheckManager.Check.SearchTag = opts.Config.CirconusCheckSearchTag
-		cfg.CheckManager.Check.DisplayName = opts.Config.CirconusCheckDisplayName
-		cfg.CheckManager.Check.Tags = opts.Config.CirconusCheckTags
-		cfg.CheckManager.Broker.ID = opts.Config.CirconusBrokerID
-		cfg.CheckManager.Broker.SelectTag = opts.Config.CirconusBrokerSelectTag
-
-		if cfg.CheckManager.API.TokenApp == "" {
-			cfg.CheckManager.API.TokenApp = opts.ServiceName
-		}
-
-		if cfg.CheckManager.Check.DisplayName == "" {
-			cfg.CheckManager.Check.DisplayName = opts.DisplayName
-		}
-
-		if cfg.CheckManager.Check.SearchTag == "" {
-			cfg.CheckManager.Check.SearchTag = fmt.Sprintf("service:%s", opts.ServiceName)
-		}
-
-		sink, err := circonus.NewCirconusSink(cfg)
-		if err != nil {
-			return nil, nil, false, err
-		}
-		sink.Start()
-		fanout = append(fanout, sink)
+	if c.flagLastContactThreshold > 0 {
+		data["last_contact_threshold"] = c.flagLastContactThreshold.String()
 	}
-
-	if opts.Config.DogStatsDAddr != "" {
-		var tags []string
-
-		if opts.Config.DogStatsDTags != nil {
-			tags = opts.Config.DogStatsDTags
-		}
-
-		sink, err := datadog.NewDogStatsdSink(opts.Config.DogStatsDAddr, metricsConf.HostName)
-		if err != nil {
-			return nil, nil, false, fmt.Errorf("failed to start DogStatsD sink: %w", err)
-		}
-		sink.SetTags(tags)
-		fanout = append(fanout, sink)
+	if c.flagDeadServerLastContactThreshold > 0 {
+		data["dead_server_last_contact_threshold"] = c.flagDeadServerLastContactThreshold.String()
 	}
-
-	// Configure the stackdriver sink
-	if opts.Config.StackdriverProjectID != "" {
-		client, err := monitoring.NewMetricClient(context.Background(), option.WithUserAgent(opts.UserAgent))
-		if err != nil {
-			return nil, nil, false, fmt.Errorf("Failed to create stackdriver client: %v", err)
-		}
-		sink := stackdriver.NewSink(client, &stackdriver.Config{
-			LabelExtractor: stackdrivervault.Extractor,
-			Bucketer:       stackdrivervault.Bucketer,
-			ProjectID:      opts.Config.StackdriverProjectID,
-			Location:       opts.Config.StackdriverLocation,
-			Namespace:      opts.Config.StackdriverNamespace,
-			DebugLogs:      opts.Config.StackdriverDebugLogs,
-		})
-		fanout = append(fanout, sink)
+	if c.flagServerStabilizationTime > 0 {
+		data["server_stabilization_time"] = c.flagServerStabilizationTime.String()
 	}
-
-	// Initialize the global sink
-	if len(fanout) > 1 {
-		// Hostname enabled will create poor quality metrics name for prometheus
-		if !opts.Config.DisableHostname {
-			opts.Ui.Warn("telemetry.disable_hostname has been set to false. Recommended setting is true for Prometheus to avoid poorly named metrics.")
-		}
-	} else {
-		metricsConf.EnableHostname = false
+	if c.flagDisableUpgradeMigration.IsSet() {
+		data["disable_upgrade_migration"] = c.flagDisableUpgradeMigration.Get()
 	}
-	fanout = append(fanout, inm)
-	globalMetrics, err := metrics.NewGlobal(metricsConf, fanout)
-	if err != nil {
-		return nil, nil, false, err
+	if c.flagDRToken != "" {
+		data["dr_operation_token"] = c.flagDRToken
 	}
 
-	// Intialize a wrapper around the global sink; this will be passed to Core
-	// and to any backend.
-	wrapper := metricsutil.NewClusterMetricSink(opts.ClusterName, globalMetrics)
-	wrapper.MaxGaugeCardinality = opts.Config.MaximumGaugeCardinality
-	wrapper.GaugeInterval = opts.Config.UsageGaugePeriod
-	wrapper.TelemetryConsts.LeaseMetricsEpsilon = opts.Config.LeaseMetricsEpsilon
-	wrapper.TelemetryConsts.LeaseMetricsNameSpaceLabels = opts.Config.LeaseMetricsNameSpaceLabels
-	wrapper.TelemetryConsts.NumLeaseMetricsTimeBuckets = opts.Config.NumLeaseMetricsTimeBuckets
-	wrapper.TelemetryConsts.RollbackMetricsIncludeMountPoint = opts.Config.RollbackMetricsIncludeMountPoint
-
-	// Parse the metric filters
-	telemetryAllowedPrefixes, telemetryBlockedPrefixes, err := parsePrefixFilter(opts.Config.PrefixFilter)
+	secret, err := client.Logical().Write("sys/storage/raft/autopilot/configuration", data)
 	if err != nil {
-		return nil, nil, false, err
+		c.UI.Error(err.Error())
+		return 2
 	}
-
-	metrics.UpdateFilter(telemetryAllowedPrefixes, telemetryBlockedPrefixes)
-	return inm, wrapper, prometheusEnabled, nil
-}
-
-func parsePrefixFilter(prefixFilters []string) ([]string, []string, error) {
-	var telemetryAllowedPrefixes, telemetryBlockedPrefixes []string
-
-	for _, rule := range prefixFilters {
-		if rule == "" {
-			return nil, nil, fmt.Errorf("Cannot have empty filter rule in prefix_filter")
-		}
-		switch rule[0] {
-		case '+':
-			telemetryAllowedPrefixes = append(telemetryAllowedPrefixes, rule[1:])
-		case '-':
-			telemetryBlockedPrefixes = append(telemetryBlockedPrefixes, rule[1:])
-		default:
-			return nil, nil, fmt.Errorf("Filter rule must begin with either '+' or '-': %q", rule)
-		}
+	if secret == nil {
+		return 0
 	}
-	return telemetryAllowedPrefixes, telemetryBlockedPrefixes, nil
+
+	return OutputSecret(c.UI, secret)
 }
diff --git a/internalshared/listenerutil/listener.go b/internalshared/listenerutil/listener.go
index 76b80860e4fd..4fc4ca4445e8 100644
--- a/internalshared/listenerutil/listener.go
+++ b/internalshared/listenerutil/listener.go
@@ -1,249 +1,117 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package listenerutil
+package command
 
 import (
-	"crypto/tls"
-	"crypto/x509"
+	"flag"
 	"fmt"
-	"io/ioutil"
-	"net"
-	"os"
-	osuser "os/user"
-	"strconv"
-
-	"github.com/hashicorp/errwrap"
-	"github.com/hashicorp/go-secure-stdlib/reloadutil"
-	"github.com/hashicorp/go-secure-stdlib/tlsutil"
-	"github.com/hashicorp/vault/internalshared/configutil"
-	"github.com/jefferai/isbadcipher"
-	"github.com/mitchellh/cli"
-)
+	"strings"
 
-type Listener struct {
-	net.Listener
-	Config *configutil.Listener
-}
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
+)
 
-type UnixSocketsConfig struct {
-	User  string `hcl:"user"`
-	Mode  string `hcl:"mode"`
-	Group string `hcl:"group"`
-}
+var (
+	_ cli.Command             = (*OperatorRaftAutopilotStateCommand)(nil)
+	_ cli.CommandAutocomplete = (*OperatorRaftAutopilotStateCommand)(nil)
+)
 
-// rmListener is an implementation of net.Listener that forwards most
-// calls to the listener but also removes a file as part of the close. We
-// use this to cleanup the unix domain socket on close.
-type rmListener struct {
-	net.Listener
-	Path string
+type OperatorRaftAutopilotStateCommand struct {
+	*BaseCommand
+	flagDRToken string
 }
 
-func (l *rmListener) Close() error {
-	// Close the listener itself
-	if err := l.Listener.Close(); err != nil {
-		return err
-	}
-
-	// Remove the file
-	return os.Remove(l.Path)
+func (c *OperatorRaftAutopilotStateCommand) Synopsis() string {
+	return "Displays the state of the raft cluster under integrated storage as seen by autopilot"
 }
 
-func UnixSocketListener(path string, unixSocketsConfig *UnixSocketsConfig) (net.Listener, error) {
-	if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
-		return nil, fmt.Errorf("failed to remove socket file: %v", err)
-	}
+func (c *OperatorRaftAutopilotStateCommand) Help() string {
+	helpText := `
+Usage: vault operator raft autopilot state
 
-	ln, err := net.Listen("unix", path)
-	if err != nil {
-		return nil, err
-	}
+  Displays the state of the raft cluster under integrated storage as seen by autopilot.
+` + c.Flags().Help()
 
-	if unixSocketsConfig != nil {
-		err = setFilePermissions(path, unixSocketsConfig.User, unixSocketsConfig.Group, unixSocketsConfig.Mode)
-		if err != nil {
-			return nil, fmt.Errorf("failed to set file system permissions on the socket file: %s", err)
-		}
-	}
-
-	// Wrap the listener in rmListener so that the Unix domain socket file is
-	// removed on close.
-	return &rmListener{
-		Listener: ln,
-		Path:     path,
-	}, nil
+	return strings.TrimSpace(helpText)
 }
 
-func TLSConfig(
-	l *configutil.Listener,
-	props map[string]string,
-	ui cli.Ui,
-) (*tls.Config, reloadutil.ReloadFunc, error) {
-	props["tls"] = "disabled"
-
-	if l.TLSDisable {
-		return nil, nil, nil
-	}
-
-	cg := reloadutil.NewCertificateGetter(l.TLSCertFile, l.TLSKeyFile, "")
-	if err := cg.Reload(); err != nil {
-		// We try the key without a passphrase first and if we get an incorrect
-		// passphrase response, try again after prompting for a passphrase
-		if errwrap.Contains(err, x509.IncorrectPasswordError.Error()) {
-			var passphrase string
-			passphrase, err = ui.AskSecret(fmt.Sprintf("Enter passphrase for %s:", l.TLSKeyFile))
-			if err == nil {
-				cg = reloadutil.NewCertificateGetter(l.TLSCertFile, l.TLSKeyFile, passphrase)
-				if err = cg.Reload(); err == nil {
-					goto PASSPHRASECORRECT
-				}
-			}
+func (c *OperatorRaftAutopilotStateCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+
+	f := set.NewFlagSet("Command Options")
+
+	f.StringVar(&StringVar{
+		Name:       "dr-token",
+		Target:     &c.flagDRToken,
+		Default:    "",
+		EnvVar:     "",
+		Completion: complete.PredictAnything,
+		Usage:      "DR operation token used to authorize this request (if a DR secondary node).",
+	})
+
+	// The output of the state endpoint contains nested values and is not fit for
+	// the default "table" display format. Override the default display format to
+	// "pretty", both in the flag and in the UI.
+	set.mainSet.VisitAll(func(fl *flag.Flag) {
+		if fl.Name == "format" {
+			fl.DefValue = "pretty"
 		}
-		return nil, nil, fmt.Errorf("error loading TLS cert: %w", err)
-	}
-
-PASSPHRASECORRECT:
-	tlsConf := &tls.Config{
-		GetCertificate: cg.GetCertificate,
-		NextProtos:     []string{"h2", "http/1.1"},
-		ClientAuth:     tls.RequestClientCert,
-	}
-
-	if l.TLSMinVersion == "" {
-		l.TLSMinVersion = "tls12"
-	}
-
-	if l.TLSMaxVersion == "" {
-		l.TLSMaxVersion = "tls13"
-	}
-
-	var ok bool
-	tlsConf.MinVersion, ok = tlsutil.TLSLookup[l.TLSMinVersion]
-	if !ok {
-		return nil, nil, fmt.Errorf("'tls_min_version' value %q not supported, please specify one of [tls10,tls11,tls12,tls13]", l.TLSMinVersion)
+	})
+	ui, ok := c.UI.(*VaultUI)
+	if ok && ui.format == "table" {
+		ui.format = "pretty"
 	}
+	return set
+}
 
-	tlsConf.MaxVersion, ok = tlsutil.TLSLookup[l.TLSMaxVersion]
-	if !ok {
-		return nil, nil, fmt.Errorf("'tls_max_version' value %q not supported, please specify one of [tls10,tls11,tls12,tls13]", l.TLSMaxVersion)
-	}
+func (c *OperatorRaftAutopilotStateCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictAnything
+}
 
-	if tlsConf.MaxVersion < tlsConf.MinVersion {
-		return nil, nil, fmt.Errorf("'tls_max_version' must be greater than or equal to 'tls_min_version'")
-	}
+func (c *OperatorRaftAutopilotStateCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
 
-	if len(l.TLSCipherSuites) > 0 {
-		// HTTP/2 with TLS 1.2 blacklists several cipher suites.
-		// https://tools.ietf.org/html/rfc7540#appendix-A
-		//
-		// Since the CLI (net/http) automatically uses HTTP/2 with TLS 1.2,
-		// we check here if all or some specified cipher suites are blacklisted.
-		badCiphers := []string{}
-		for _, cipher := range l.TLSCipherSuites {
-			if isbadcipher.IsBadCipher(cipher) {
-				// Get the name of the current cipher.
-				cipherStr, err := tlsutil.GetCipherName(cipher)
-				if err != nil {
-					return nil, nil, fmt.Errorf("invalid value for 'tls_cipher_suites': %w", err)
-				}
-				badCiphers = append(badCiphers, cipherStr)
-			}
-		}
-		if len(badCiphers) == len(l.TLSCipherSuites) {
-			ui.Warn(`WARNING! All cipher suites defined by 'tls_cipher_suites' are blacklisted by the
-HTTP/2 specification. HTTP/2 communication with TLS 1.2 will not work as intended
-and Vault will be unavailable via the CLI.
-Please see https://tools.ietf.org/html/rfc7540#appendix-A for further information.`)
-		} else if len(badCiphers) > 0 {
-			ui.Warn(fmt.Sprintf(`WARNING! The following cipher suites defined by 'tls_cipher_suites' are
-blacklisted by the HTTP/2 specification:
-%v
-Please see https://tools.ietf.org/html/rfc7540#appendix-A for further information.`, badCiphers))
-		}
-		tlsConf.CipherSuites = l.TLSCipherSuites
-	}
+func (c *OperatorRaftAutopilotStateCommand) Run(args []string) int {
+	f := c.Flags()
 
-	if l.TLSRequireAndVerifyClientCert {
-		tlsConf.ClientAuth = tls.RequireAndVerifyClientCert
-		if l.TLSClientCAFile != "" {
-			caPool := x509.NewCertPool()
-			data, err := ioutil.ReadFile(l.TLSClientCAFile)
-			if err != nil {
-				return nil, nil, fmt.Errorf("failed to read tls_client_ca_file: %w", err)
-			}
-
-			if !caPool.AppendCertsFromPEM(data) {
-				return nil, nil, fmt.Errorf("failed to parse CA certificate in tls_client_ca_file")
-			}
-			tlsConf.ClientCAs = caPool
-		}
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
 	}
 
-	if l.TLSDisableClientCerts {
-		if l.TLSRequireAndVerifyClientCert {
-			return nil, nil, fmt.Errorf("'tls_disable_client_certs' and 'tls_require_and_verify_client_cert' are mutually exclusive")
-		}
-		tlsConf.ClientAuth = tls.NoClientCert
+	args = f.Args()
+	switch len(args) {
+	case 0:
+	default:
+		c.UI.Error(fmt.Sprintf("Incorrect arguments (expected 0, got %d)", len(args)))
+		return 1
 	}
 
-	props["tls"] = "enabled"
-	return tlsConf, cg.Reload, nil
-}
-
-// setFilePermissions handles configuring ownership and permissions
-// settings on a given file. All permission/ownership settings are
-// optional. If no user or group is specified, the current user/group
-// will be used. Mode is optional, and has no default (the operation is
-// not performed if absent). User may be specified by name or ID, but
-// group may only be specified by ID.
-func setFilePermissions(path string, user, group, mode string) error {
-	var err error
-	uid, gid := os.Getuid(), os.Getgid()
-
-	if user != "" {
-		if uid, err = strconv.Atoi(user); err == nil {
-			goto GROUP
-		}
-
-		// Try looking up the user by name
-		u, err := osuser.Lookup(user)
-		if err != nil {
-			return fmt.Errorf("failed to look up user %q: %v", user, err)
-		}
-		uid, _ = strconv.Atoi(u.Uid)
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
 	}
 
-GROUP:
-	if group != "" {
-		if gid, err = strconv.Atoi(group); err == nil {
-			goto OWN
-		}
-
-		// Try looking up the user by name
-		g, err := osuser.LookupGroup(group)
-		if err != nil {
-			return fmt.Errorf("failed to look up group %q: %v", user, err)
-		}
-		gid, _ = strconv.Atoi(g.Gid)
+	var state *api.AutopilotState
+	switch {
+	case c.flagDRToken != "":
+		state, err = client.Sys().RaftAutopilotStateWithDRToken(c.flagDRToken)
+	default:
+		state, err = client.Sys().RaftAutopilotState()
 	}
 
-OWN:
-	if err := os.Chown(path, uid, gid); err != nil {
-		return fmt.Errorf("failed setting ownership to %d:%d on %q: %v",
-			uid, gid, path, err)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error checking autopilot state: %s", err))
+		return 2
 	}
 
-	if mode != "" {
-		mode, err := strconv.ParseUint(mode, 8, 32)
-		if err != nil {
-			return fmt.Errorf("invalid mode specified: %v", mode)
-		}
-		if err := os.Chmod(path, os.FileMode(mode)); err != nil {
-			return fmt.Errorf("failed setting permissions to %d on %q: %v",
-				mode, path, err)
-		}
+	if state == nil {
+		return 0
 	}
 
-	return nil
+	return OutputData(c.UI, state)
 }
diff --git a/main.go b/main.go
index a48e21b6942c..aaaaf2891e10 100644
--- a/main.go
+++ b/main.go
@@ -1,20 +1,220 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package main // import "github.com/hashicorp/vault"
+package command
 
 import (
-	"os"
+	"fmt"
+	"strings"
 
-	"github.com/hashicorp/vault/command"
-	"github.com/hashicorp/vault/internal"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
 )
 
-func init() {
-	// this is a good place to patch SHA-1 support back into x509
-	internal.PatchSha1()
+var (
+	_ cli.Command             = (*OperatorRaftJoinCommand)(nil)
+	_ cli.CommandAutocomplete = (*OperatorRaftJoinCommand)(nil)
+)
+
+type OperatorRaftJoinCommand struct {
+	flagRetry            bool
+	flagNonVoter         bool
+	flagLeaderCACert     string
+	flagLeaderClientCert string
+	flagLeaderClientKey  string
+	flagAutoJoinScheme   string
+	flagAutoJoinPort     uint
+	*BaseCommand
+}
+
+func (c *OperatorRaftJoinCommand) Synopsis() string {
+	return "Joins a node to the Raft cluster"
+}
+
+func (c *OperatorRaftJoinCommand) Help() string {
+	helpText := `
+Usage: vault operator raft join [options] <leader-api-addr|auto-join-configuration>
+
+  Join the current node as a peer to the Raft cluster by providing the address
+  of the Raft leader node.
+
+      $ vault operator raft join "http://127.0.0.2:8200"
+
+  Join the current node as a peer to the Raft cluster by providing cloud auto-join
+  configuration.
+
+      $ vault operator raft join "provider=aws region=eu-west-1 ..."
+			
+  Join the current node as a peer to the Raft cluster by providing cloud auto-join
+  configuration with an explicit URI scheme and port.
+
+			$ vault operator raft join -auto-join-scheme="http" -auto-join-port=8201 \
+			  "provider=aws region=eu-west-1 ..."
+
+  TLS certificate data can also be consumed from a file on disk by prefixing with
+  the "@" symbol. For example:
+
+      $ vault operator raft join "http://127.0.0.2:8200" \
+        -leader-ca-cert=@leader_ca.crt \
+        -leader-client-cert=@leader_client.crt \
+        -leader-client-key=@leader.key
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *OperatorRaftJoinCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+
+	f := set.NewFlagSet("Command Options")
+
+	f.StringVar(&StringVar{
+		Name:       "auto-join-scheme",
+		Target:     &c.flagAutoJoinScheme,
+		Completion: complete.PredictNothing,
+		Default:    "https",
+		Usage:      "An optional URI protocol scheme used for addresses discovered via auto-join.",
+	})
+
+	f.UintVar(&UintVar{
+		Name:       "auto-join-port",
+		Target:     &c.flagAutoJoinPort,
+		Completion: complete.PredictNothing,
+		Default:    8200,
+		Usage:      "An optional port used for addresses discovered via auto-join.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "leader-ca-cert",
+		Target:     &c.flagLeaderCACert,
+		Completion: complete.PredictNothing,
+		Usage:      "CA cert to use when verifying the Raft leader certificate.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "leader-client-cert",
+		Target:     &c.flagLeaderClientCert,
+		Completion: complete.PredictNothing,
+		Usage:      "Client cert to use when authenticating with the Raft leader.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "leader-client-key",
+		Target:     &c.flagLeaderClientKey,
+		Completion: complete.PredictNothing,
+		Usage:      "Client key to use when authenticating with the Raft leader.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "retry",
+		Target:  &c.flagRetry,
+		Default: false,
+		Usage:   "Continuously retry joining the Raft cluster upon failures.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "non-voter",
+		Target:  &c.flagNonVoter,
+		Default: false,
+		Usage:   "(Enterprise-only) This flag is used to make the server not participate in the Raft quorum, and have it only receive the data replication stream. This can be used to add read scalability to a cluster in cases where a high volume of reads to servers are needed.",
+	})
+
+	return set
+}
+
+func (c *OperatorRaftJoinCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictAnything
 }
 
-func main() {
-	os.Exit(command.Run(os.Args[1:]))
+func (c *OperatorRaftJoinCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *OperatorRaftJoinCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	leaderInfo := ""
+
+	args = f.Args()
+	switch len(args) {
+	case 0:
+		// No-op: This is acceptable if we're using raft for HA-only
+	case 1:
+		leaderInfo = strings.TrimSpace(args[0])
+	default:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0-1, got %d)", len(args)))
+		return 1
+	}
+
+	leaderCACert, err := parseFlagFile(c.flagLeaderCACert)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Failed to parse leader CA certificate: %s", err))
+		return 1
+	}
+
+	leaderClientCert, err := parseFlagFile(c.flagLeaderClientCert)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Failed to parse leader client certificate: %s", err))
+		return 1
+	}
+
+	leaderClientKey, err := parseFlagFile(c.flagLeaderClientKey)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Failed to parse leader client key: %s", err))
+		return 1
+	}
+
+	if c.flagAutoJoinScheme != "" && (c.flagAutoJoinScheme != "http" && c.flagAutoJoinScheme != "https") {
+		c.UI.Error(fmt.Sprintf("invalid scheme %q; must either be http or https", c.flagAutoJoinScheme))
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	joinReq := &api.RaftJoinRequest{
+		LeaderCACert:     leaderCACert,
+		LeaderClientCert: leaderClientCert,
+		LeaderClientKey:  leaderClientKey,
+		Retry:            c.flagRetry,
+		NonVoter:         c.flagNonVoter,
+	}
+
+	if strings.Contains(leaderInfo, "provider=") {
+		joinReq.AutoJoin = leaderInfo
+		joinReq.AutoJoinScheme = c.flagAutoJoinScheme
+		joinReq.AutoJoinPort = c.flagAutoJoinPort
+	} else {
+		joinReq.LeaderAPIAddr = leaderInfo
+	}
+
+	resp, err := client.Sys().RaftJoin(joinReq)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error joining the node to the Raft cluster: %s", err))
+		return 2
+	}
+
+	switch Format(c.UI) {
+	case "table":
+	default:
+		return OutputData(c.UI, resp)
+	}
+
+	out := []string{
+		"Key | Value",
+		fmt.Sprintf("Joined | %t", resp.Joined),
+	}
+	c.UI.Output(tableOutput(out, nil))
+
+	return 0
 }
diff --git a/physical/raft/fsm.go b/physical/raft/fsm.go
index abc5e87a0fc8..b92ab8f0b517 100644
--- a/physical/raft/fsm.go
+++ b/physical/raft/fsm.go
@@ -1,1120 +1,124 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package raft
+package command
 
 import (
-	"bytes"
-	"context"
-	"encoding/hex"
-	"errors"
 	"fmt"
-	"io"
-	"os"
-	"path/filepath"
-	"strconv"
 	"strings"
-	"sync"
-	"sync/atomic"
-	"time"
 
-	"github.com/armon/go-metrics"
-	"github.com/golang/protobuf/proto"
-	log "github.com/hashicorp/go-hclog"
-	"github.com/hashicorp/go-multierror"
-	"github.com/hashicorp/go-raftchunking"
-	"github.com/hashicorp/go-secure-stdlib/strutil"
-	"github.com/hashicorp/raft"
-	"github.com/hashicorp/vault/sdk/helper/jsonutil"
-	"github.com/hashicorp/vault/sdk/physical"
-	"github.com/hashicorp/vault/sdk/plugin/pb"
-	bolt "go.etcd.io/bbolt"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
 )
 
-const (
-	deleteOp uint32 = 1 << iota
-	putOp
-	restoreCallbackOp
-	getOp
-
-	chunkingPrefix   = "raftchunking/"
-	databaseFilename = "vault.db"
-)
-
-var (
-	// dataBucketName is the value we use for the bucket
-	dataBucketName     = []byte("data")
-	configBucketName   = []byte("config")
-	latestIndexKey     = []byte("latest_indexes")
-	latestConfigKey    = []byte("latest_config")
-	localNodeConfigKey = []byte("local_node_config")
-)
-
-// Verify FSM satisfies the correct interfaces
 var (
-	_ physical.Backend       = (*FSM)(nil)
-	_ physical.Transactional = (*FSM)(nil)
-	_ raft.FSM               = (*FSM)(nil)
-	_ raft.BatchingFSM       = (*FSM)(nil)
+	_ cli.Command             = (*OperatorRaftListPeersCommand)(nil)
+	_ cli.CommandAutocomplete = (*OperatorRaftListPeersCommand)(nil)
 )
 
-type restoreCallback func(context.Context) error
-
-type FSMEntry struct {
-	Key   string
-	Value []byte
+type OperatorRaftListPeersCommand struct {
+	*BaseCommand
+	flagDRToken string
 }
 
-func (f *FSMEntry) String() string {
-	return fmt.Sprintf("Key: %s. Value: %s", f.Key, hex.EncodeToString(f.Value))
+func (c *OperatorRaftListPeersCommand) Synopsis() string {
+	return "Returns the Raft peer set"
 }
 
-// FSMApplyResponse is returned from an FSM apply. It indicates if the apply was
-// successful or not. EntryMap contains the keys/values from the Get operations.
-type FSMApplyResponse struct {
-	Success    bool
-	EntrySlice []*FSMEntry
-}
-
-// FSM is Vault's primary state storage. It writes updates to a bolt db file
-// that lives on local disk. FSM implements raft.FSM and physical.Backend
-// interfaces.
-type FSM struct {
-	// latestIndex and latestTerm must stay at the top of this struct to be
-	// properly 64-bit aligned.
-
-	// latestIndex and latestTerm are the term and index of the last log we
-	// received
-	latestIndex *uint64
-	latestTerm  *uint64
-	// latestConfig is the latest server configuration we've seen
-	latestConfig atomic.Value
+func (c *OperatorRaftListPeersCommand) Help() string {
+	helpText := `
+Usage: vault operator raft list-peers
 
-	l           sync.RWMutex
-	path        string
-	logger      log.Logger
-	noopRestore bool
+  Provides the details of all the peers in the Raft cluster.
 
-	// applyCallback is used to control the pace of applies in tests
-	applyCallback func()
+	  $ vault operator raft list-peers
 
-	db *bolt.DB
+  Provides the details of all the peers in the Raft cluster of a DR secondary
+  cluster. This command should be invoked on the DR secondary nodes.
 
-	// retoreCb is called after we've restored a snapshot
-	restoreCb restoreCallback
+      $ vault operator raft list-peers -dr-token <dr-operation-token>
 
-	chunker *raftchunking.ChunkingBatchingFSM
-
-	localID         string
-	desiredSuffrage string
-	unknownOpTypes  sync.Map
-}
-
-// NewFSM constructs a FSM using the given directory
-func NewFSM(path string, localID string, logger log.Logger) (*FSM, error) {
-	// Initialize the latest term, index, and config values
-	latestTerm := new(uint64)
-	latestIndex := new(uint64)
-	latestConfig := atomic.Value{}
-	atomic.StoreUint64(latestTerm, 0)
-	atomic.StoreUint64(latestIndex, 0)
-	latestConfig.Store((*ConfigurationValue)(nil))
-
-	f := &FSM{
-		path:   path,
-		logger: logger,
-
-		latestTerm:   latestTerm,
-		latestIndex:  latestIndex,
-		latestConfig: latestConfig,
-		// Assume that the default intent is to join as as voter. This will be updated
-		// when this node joins a cluster with a different suffrage, or during cluster
-		// setup if this is already part of a cluster with a desired suffrage.
-		desiredSuffrage: "voter",
-		localID:         localID,
-	}
-
-	f.chunker = raftchunking.NewChunkingBatchingFSM(f, &FSMChunkStorage{
-		f:   f,
-		ctx: context.Background(),
-	})
-
-	dbPath := filepath.Join(path, databaseFilename)
-	f.l.Lock()
-	defer f.l.Unlock()
-	if err := f.openDBFile(dbPath); err != nil {
-		return nil, fmt.Errorf("failed to open bolt file: %w", err)
-	}
+` + c.Flags().Help()
 
-	return f, nil
+	return strings.TrimSpace(helpText)
 }
 
-func (f *FSM) getDB() *bolt.DB {
-	f.l.RLock()
-	defer f.l.RUnlock()
-
-	return f.db
-}
-
-// SetFSMDelay adds a delay to the FSM apply. This is used in tests to simulate
-// a slow apply.
-func (r *RaftBackend) SetFSMDelay(delay time.Duration) {
-	r.SetFSMApplyCallback(func() { time.Sleep(delay) })
-}
-
-func (r *RaftBackend) SetFSMApplyCallback(f func()) {
-	r.fsm.l.Lock()
-	r.fsm.applyCallback = f
-	r.fsm.l.Unlock()
-}
-
-func (f *FSM) openDBFile(dbPath string) error {
-	if len(dbPath) == 0 {
-		return errors.New("can not open empty filename")
-	}
-
-	st, err := os.Stat(dbPath)
-	switch {
-	case err != nil && os.IsNotExist(err):
-	case err != nil:
-		return fmt.Errorf("error checking raft FSM db file %q: %v", dbPath, err)
-	default:
-		perms := st.Mode() & os.ModePerm
-		if perms&0o077 != 0 {
-			f.logger.Warn("raft FSM db file has wider permissions than needed",
-				"needed", os.FileMode(0o600), "existing", perms)
-		}
-	}
-
-	opts := boltOptions(dbPath)
-	start := time.Now()
-	boltDB, err := bolt.Open(dbPath, 0o600, opts)
-	if err != nil {
-		return err
-	}
-	elapsed := time.Now().Sub(start)
-	f.logger.Debug("time to open database", "elapsed", elapsed, "path", dbPath)
-	metrics.MeasureSince([]string{"raft_storage", "fsm", "open_db_file"}, start)
-
-	err = boltDB.Update(func(tx *bolt.Tx) error {
-		// make sure we have the necessary buckets created
-		_, err := tx.CreateBucketIfNotExists(dataBucketName)
-		if err != nil {
-			return fmt.Errorf("failed to create bucket: %v", err)
-		}
-		b, err := tx.CreateBucketIfNotExists(configBucketName)
-		if err != nil {
-			return fmt.Errorf("failed to create bucket: %v", err)
-		}
-
-		// Read in our latest index and term and populate it inmemory
-		val := b.Get(latestIndexKey)
-		if val != nil {
-			var latest IndexValue
-			err := proto.Unmarshal(val, &latest)
-			if err != nil {
-				return err
-			}
-
-			atomic.StoreUint64(f.latestTerm, latest.Term)
-			atomic.StoreUint64(f.latestIndex, latest.Index)
-		}
+func (c *OperatorRaftListPeersCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
 
-		// Read in our latest config and populate it inmemory
-		val = b.Get(latestConfigKey)
-		if val != nil {
-			var latest ConfigurationValue
-			err := proto.Unmarshal(val, &latest)
-			if err != nil {
-				return err
-			}
+	f := set.NewFlagSet("Command Options")
 
-			f.latestConfig.Store(&latest)
-		}
-		return nil
+	f.StringVar(&StringVar{
+		Name:       "dr-token",
+		Target:     &c.flagDRToken,
+		Default:    "",
+		EnvVar:     "",
+		Completion: complete.PredictAnything,
+		Usage:      "DR operation token used to authorize this request (if a DR secondary node).",
 	})
-	if err != nil {
-		return err
-	}
 
-	f.db = boltDB
-	return nil
+	return set
 }
 
-func (f *FSM) Stats() bolt.Stats {
-	f.l.RLock()
-	defer f.l.RUnlock()
-
-	return f.db.Stats()
+func (c *OperatorRaftListPeersCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictAnything
 }
 
-func (f *FSM) Close() error {
-	f.l.RLock()
-	defer f.l.RUnlock()
-
-	return f.db.Close()
+func (c *OperatorRaftListPeersCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
 }
 
-func writeSnapshotMetaToDB(metadata *raft.SnapshotMeta, db *bolt.DB) error {
-	latestIndex := &IndexValue{
-		Term:  metadata.Term,
-		Index: metadata.Index,
-	}
-	indexBytes, err := proto.Marshal(latestIndex)
-	if err != nil {
-		return err
-	}
+func (c *OperatorRaftListPeersCommand) Run(args []string) int {
+	f := c.Flags()
 
-	protoConfig := raftConfigurationToProtoConfiguration(metadata.ConfigurationIndex, metadata.Configuration)
-	configBytes, err := proto.Marshal(protoConfig)
-	if err != nil {
-		return err
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
 	}
 
-	err = db.Update(func(tx *bolt.Tx) error {
-		b, err := tx.CreateBucketIfNotExists(configBucketName)
-		if err != nil {
-			return err
-		}
-
-		err = b.Put(latestConfigKey, configBytes)
-		if err != nil {
-			return err
-		}
-
-		err = b.Put(latestIndexKey, indexBytes)
-		if err != nil {
-			return err
-		}
-
-		return nil
-	})
+	client, err := c.Client()
 	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (f *FSM) localNodeConfig() (*LocalNodeConfigValue, error) {
-	var configBytes []byte
-	if err := f.db.View(func(tx *bolt.Tx) error {
-		value := tx.Bucket(configBucketName).Get(localNodeConfigKey)
-		if value != nil {
-			configBytes = make([]byte, len(value))
-			copy(configBytes, value)
-		}
-		return nil
-	}); err != nil {
-		return nil, err
-	}
-	if configBytes == nil {
-		return nil, nil
-	}
-
-	var lnConfig LocalNodeConfigValue
-	if configBytes != nil {
-		err := proto.Unmarshal(configBytes, &lnConfig)
-		if err != nil {
-			return nil, err
-		}
-		f.desiredSuffrage = lnConfig.DesiredSuffrage
-		return &lnConfig, nil
-	}
-
-	return nil, nil
-}
-
-func (f *FSM) DesiredSuffrage() string {
-	f.l.RLock()
-	defer f.l.RUnlock()
-
-	return f.desiredSuffrage
-}
-
-func (f *FSM) upgradeLocalNodeConfig() error {
-	f.l.Lock()
-	defer f.l.Unlock()
-
-	// Read the local node config
-	lnConfig, err := f.localNodeConfig()
-	if err != nil {
-		return err
-	}
-
-	// Entry is already present. Get the suffrage value.
-	if lnConfig != nil {
-		f.desiredSuffrage = lnConfig.DesiredSuffrage
-		return nil
+		c.UI.Error(err.Error())
+		return 2
 	}
 
-	//
-	// This is the upgrade case where there is no entry
-	//
-
-	lnConfig = &LocalNodeConfigValue{}
-
-	// Refer to the persisted latest raft config
-	config := f.latestConfig.Load().(*ConfigurationValue)
-
-	// If there is no config, then this is a fresh node coming up. This could end up
-	// being a voter or non-voter. But by default assume that this is a voter. It
-	// will be changed if this node joins the cluster as a non-voter.
-	if config == nil {
-		f.desiredSuffrage = "voter"
-		lnConfig.DesiredSuffrage = f.desiredSuffrage
-		return f.persistDesiredSuffrage(lnConfig)
-	}
-
-	// Get the last known suffrage of the node and assume that it is the desired
-	// suffrage. There is no better alternative here.
-	for _, srv := range config.Servers {
-		if srv.Id == f.localID {
-			switch srv.Suffrage {
-			case int32(raft.Nonvoter):
-				lnConfig.DesiredSuffrage = "non-voter"
-			default:
-				lnConfig.DesiredSuffrage = "voter"
-			}
-			// Bring the intent to the fsm instance.
-			f.desiredSuffrage = lnConfig.DesiredSuffrage
-			break
-		}
-	}
-
-	return f.persistDesiredSuffrage(lnConfig)
-}
-
-// recordSuffrage is called when a node successfully joins the cluster. This
-// intent should land in the stored configuration. If the config isn't available
-// yet, we still go ahead and store the intent in the fsm. During the next
-// update to the configuration, this intent will be persisted.
-func (f *FSM) recordSuffrage(desiredSuffrage string) error {
-	f.l.Lock()
-	defer f.l.Unlock()
-
-	if err := f.persistDesiredSuffrage(&LocalNodeConfigValue{
-		DesiredSuffrage: desiredSuffrage,
-	}); err != nil {
-		return err
-	}
-
-	f.desiredSuffrage = desiredSuffrage
-	return nil
-}
-
-func (f *FSM) persistDesiredSuffrage(lnconfig *LocalNodeConfigValue) error {
-	dsBytes, err := proto.Marshal(lnconfig)
-	if err != nil {
-		return err
-	}
-
-	return f.db.Update(func(tx *bolt.Tx) error {
-		return tx.Bucket(configBucketName).Put(localNodeConfigKey, dsBytes)
-	})
-}
-
-func (f *FSM) witnessSnapshot(metadata *raft.SnapshotMeta) error {
-	f.l.RLock()
-	defer f.l.RUnlock()
-
-	err := writeSnapshotMetaToDB(metadata, f.db)
-	if err != nil {
-		return err
-	}
-
-	atomic.StoreUint64(f.latestIndex, metadata.Index)
-	atomic.StoreUint64(f.latestTerm, metadata.Term)
-	f.latestConfig.Store(raftConfigurationToProtoConfiguration(metadata.ConfigurationIndex, metadata.Configuration))
-
-	return nil
-}
-
-// LatestState returns the latest index and configuration values we have seen on
-// this FSM.
-func (f *FSM) LatestState() (*IndexValue, *ConfigurationValue) {
-	return &IndexValue{
-		Term:  atomic.LoadUint64(f.latestTerm),
-		Index: atomic.LoadUint64(f.latestIndex),
-	}, f.latestConfig.Load().(*ConfigurationValue)
-}
-
-// Delete deletes the given key from the bolt file.
-func (f *FSM) Delete(ctx context.Context, path string) error {
-	defer metrics.MeasureSince([]string{"raft_storage", "fsm", "delete"}, time.Now())
-
-	f.l.RLock()
-	defer f.l.RUnlock()
-
-	return f.db.Update(func(tx *bolt.Tx) error {
-		return tx.Bucket(dataBucketName).Delete([]byte(path))
-	})
-}
-
-// Delete deletes the given key from the bolt file.
-func (f *FSM) DeletePrefix(ctx context.Context, prefix string) error {
-	defer metrics.MeasureSince([]string{"raft_storage", "fsm", "delete_prefix"}, time.Now())
-
-	f.l.RLock()
-	defer f.l.RUnlock()
-
-	err := f.db.Update(func(tx *bolt.Tx) error {
-		// Assume bucket exists and has keys
-		c := tx.Bucket(dataBucketName).Cursor()
-
-		prefixBytes := []byte(prefix)
-		for k, _ := c.Seek(prefixBytes); k != nil && bytes.HasPrefix(k, prefixBytes); k, _ = c.Next() {
-			if err := c.Delete(); err != nil {
-				return err
-			}
-		}
-
-		return nil
-	})
-
-	return err
-}
-
-// Get retrieves the value at the given path from the bolt file.
-func (f *FSM) Get(ctx context.Context, path string) (*physical.Entry, error) {
-	// TODO: Remove this outdated metric name in an older release
-	defer metrics.MeasureSince([]string{"raft", "get"}, time.Now())
-	defer metrics.MeasureSince([]string{"raft_storage", "fsm", "get"}, time.Now())
-
-	f.l.RLock()
-	defer f.l.RUnlock()
-
-	var valCopy []byte
-	var found bool
-
-	err := f.db.View(func(tx *bolt.Tx) error {
-		value := tx.Bucket(dataBucketName).Get([]byte(path))
-		if value != nil {
-			found = true
-			valCopy = make([]byte, len(value))
-			copy(valCopy, value)
-		}
-
-		return nil
-	})
-	if err != nil {
-		return nil, err
-	}
-	if !found {
-		return nil, nil
-	}
-
-	return &physical.Entry{
-		Key:   path,
-		Value: valCopy,
-	}, nil
-}
-
-// Put writes the given entry to the bolt file.
-func (f *FSM) Put(ctx context.Context, entry *physical.Entry) error {
-	defer metrics.MeasureSince([]string{"raft_storage", "fsm", "put"}, time.Now())
-
-	f.l.RLock()
-	defer f.l.RUnlock()
-
-	// Start a write transaction.
-	return f.db.Update(func(tx *bolt.Tx) error {
-		return tx.Bucket(dataBucketName).Put([]byte(entry.Key), entry.Value)
-	})
-}
-
-// List retrieves the set of keys with the given prefix from the bolt file.
-func (f *FSM) List(ctx context.Context, prefix string) ([]string, error) {
-	// TODO: Remove this outdated metric name in a future release
-	defer metrics.MeasureSince([]string{"raft", "list"}, time.Now())
-	defer metrics.MeasureSince([]string{"raft_storage", "fsm", "list"}, time.Now())
-
-	f.l.RLock()
-	defer f.l.RUnlock()
-
-	var keys []string
-
-	err := f.db.View(func(tx *bolt.Tx) error {
-		// Assume bucket exists and has keys
-		c := tx.Bucket(dataBucketName).Cursor()
-
-		prefixBytes := []byte(prefix)
-		for k, _ := c.Seek(prefixBytes); k != nil && bytes.HasPrefix(k, prefixBytes); k, _ = c.Next() {
-			key := string(k)
-			key = strings.TrimPrefix(key, prefix)
-			if i := strings.Index(key, "/"); i == -1 {
-				// Add objects only from the current 'folder'
-				keys = append(keys, key)
-			} else {
-				// Add truncated 'folder' paths
-				if len(keys) == 0 || keys[len(keys)-1] != key[:i+1] {
-					keys = append(keys, string(key[:i+1]))
-				}
-			}
-		}
-
-		return nil
-	})
-
-	return keys, err
-}
-
-// Transaction writes all the operations in the provided transaction to the bolt
-// file.
-func (f *FSM) Transaction(ctx context.Context, txns []*physical.TxnEntry) error {
-	f.l.RLock()
-	defer f.l.RUnlock()
-
-	// Start a write transaction.
-	err := f.db.Update(func(tx *bolt.Tx) error {
-		b := tx.Bucket(dataBucketName)
-		for _, txn := range txns {
-			var err error
-			switch txn.Operation {
-			case physical.PutOperation:
-				err = b.Put([]byte(txn.Entry.Key), txn.Entry.Value)
-			case physical.DeleteOperation:
-				err = b.Delete([]byte(txn.Entry.Key))
-			default:
-				return fmt.Errorf("%q is not a supported transaction operation", txn.Operation)
-			}
-			if err != nil {
-				return err
-			}
-		}
-
-		return nil
-	})
-
-	return err
-}
-
-// ApplyBatch will apply a set of logs to the FSM. This is called from the raft
-// library.
-func (f *FSM) ApplyBatch(logs []*raft.Log) []interface{} {
-	numLogs := len(logs)
-
-	if numLogs == 0 {
-		return []interface{}{}
-	}
-
-	// We will construct one slice per log, each slice containing another slice of results from our get ops
-	entrySlices := make([][]*FSMEntry, 0, numLogs)
-
-	// Do the unmarshalling first so we don't hold locks
-	var latestConfiguration *ConfigurationValue
-	commands := make([]interface{}, 0, numLogs)
-	for _, l := range logs {
-		switch l.Type {
-		case raft.LogCommand:
-			command := &LogData{}
-			err := proto.Unmarshal(l.Data, command)
-			if err != nil {
-				f.logger.Error("error proto unmarshaling log data", "error", err)
-				panic("error proto unmarshaling log data")
-			}
-			commands = append(commands, command)
-		case raft.LogConfiguration:
-			configuration := raft.DecodeConfiguration(l.Data)
-			config := raftConfigurationToProtoConfiguration(l.Index, configuration)
-
-			commands = append(commands, config)
-
-			// Update the latest configuration the fsm has received; we will
-			// store this after it has been committed to storage.
-			latestConfiguration = config
-
-		default:
-			panic(fmt.Sprintf("got unexpected log type: %d", l.Type))
-		}
-	}
-
-	// Only advance latest pointer if this log has a higher index value than
-	// what we have seen in the past.
-	var logIndex []byte
-	var err error
-	latestIndex, _ := f.LatestState()
-	lastLog := logs[numLogs-1]
-	if latestIndex.Index < lastLog.Index {
-		logIndex, err = proto.Marshal(&IndexValue{
-			Term:  lastLog.Term,
-			Index: lastLog.Index,
+	var secret *api.Secret
+	switch {
+	case c.flagDRToken != "":
+		secret, err = client.Logical().Write("sys/storage/raft/configuration", map[string]interface{}{
+			"dr_operation_token": c.flagDRToken,
 		})
-		if err != nil {
-			f.logger.Error("unable to marshal latest index", "error", err)
-			panic("unable to marshal latest index")
-		}
-	}
-
-	f.l.RLock()
-	defer f.l.RUnlock()
-
-	if f.applyCallback != nil {
-		f.applyCallback()
-	}
-
-	err = f.db.Update(func(tx *bolt.Tx) error {
-		b := tx.Bucket(dataBucketName)
-		for _, commandRaw := range commands {
-			entrySlice := make([]*FSMEntry, 0)
-			switch command := commandRaw.(type) {
-			case *LogData:
-				for _, op := range command.Operations {
-					var err error
-					switch op.OpType {
-					case putOp:
-						err = b.Put([]byte(op.Key), op.Value)
-					case deleteOp:
-						err = b.Delete([]byte(op.Key))
-					case getOp:
-						fsmEntry := &FSMEntry{
-							Key: op.Key,
-						}
-						val := b.Get([]byte(op.Key))
-						if len(val) > 0 {
-							newVal := make([]byte, len(val))
-							copy(newVal, val)
-							fsmEntry.Value = newVal
-						}
-						entrySlice = append(entrySlice, fsmEntry)
-					case restoreCallbackOp:
-						if f.restoreCb != nil {
-							// Kick off the restore callback function in a go routine
-							go f.restoreCb(context.Background())
-						}
-					default:
-						if _, ok := f.unknownOpTypes.Load(op.OpType); !ok {
-							f.logger.Error("unsupported transaction operation", "op", op.OpType)
-							f.unknownOpTypes.Store(op.OpType, struct{}{})
-						}
-					}
-					if err != nil {
-						return err
-					}
-				}
-
-			case *ConfigurationValue:
-				b := tx.Bucket(configBucketName)
-				configBytes, err := proto.Marshal(command)
-				if err != nil {
-					return err
-				}
-				if err := b.Put(latestConfigKey, configBytes); err != nil {
-					return err
-				}
-			}
-
-			entrySlices = append(entrySlices, entrySlice)
-		}
-
-		if len(logIndex) > 0 {
-			b := tx.Bucket(configBucketName)
-			err = b.Put(latestIndexKey, logIndex)
-			if err != nil {
-				return err
-			}
-		}
-
-		return nil
-	})
-	if err != nil {
-		f.logger.Error("failed to store data", "error", err)
-		panic("failed to store data")
-	}
-
-	// If we advanced the latest value, update the in-memory representation too.
-	if len(logIndex) > 0 {
-		atomic.StoreUint64(f.latestTerm, lastLog.Term)
-		atomic.StoreUint64(f.latestIndex, lastLog.Index)
-	}
-
-	// If one or more configuration changes were processed, store the latest one.
-	if latestConfiguration != nil {
-		f.latestConfig.Store(latestConfiguration)
-	}
-
-	// Build the responses. The logs array is used here to ensure we reply to
-	// all command values; even if they are not of the types we expect. This
-	// should futureproof this function from more log types being provided.
-	resp := make([]interface{}, numLogs)
-	for i := range logs {
-		resp[i] = &FSMApplyResponse{
-			Success:    true,
-			EntrySlice: entrySlices[i],
-		}
-	}
-
-	return resp
-}
-
-// Apply will apply a log value to the FSM. This is called from the raft
-// library.
-func (f *FSM) Apply(log *raft.Log) interface{} {
-	return f.ApplyBatch([]*raft.Log{log})[0]
-}
-
-type writeErrorCloser interface {
-	io.WriteCloser
-	CloseWithError(error) error
-}
-
-// writeTo will copy the FSM's content to a remote sink. The data is written
-// twice, once for use in determining various metadata attributes of the dataset
-// (size, checksum, etc) and a second for the sink of the data. We also use a
-// proto delimited writer so we can stream proto messages to the sink.
-func (f *FSM) writeTo(ctx context.Context, metaSink writeErrorCloser, sink writeErrorCloser) {
-	defer metrics.MeasureSince([]string{"raft_storage", "fsm", "write_snapshot"}, time.Now())
-
-	protoWriter := NewDelimitedWriter(sink)
-	metadataProtoWriter := NewDelimitedWriter(metaSink)
-
-	f.l.RLock()
-	defer f.l.RUnlock()
-
-	err := f.db.View(func(tx *bolt.Tx) error {
-		b := tx.Bucket(dataBucketName)
-
-		c := b.Cursor()
-
-		// Do the first scan of the data for metadata purposes.
-		for k, v := c.First(); k != nil; k, v = c.Next() {
-			err := metadataProtoWriter.WriteMsg(&pb.StorageEntry{
-				Key:   string(k),
-				Value: v,
-			})
-			if err != nil {
-				metaSink.CloseWithError(err)
-				return err
-			}
-		}
-		metaSink.Close()
-
-		// Do the second scan for copy purposes.
-		for k, v := c.First(); k != nil; k, v = c.Next() {
-			err := protoWriter.WriteMsg(&pb.StorageEntry{
-				Key:   string(k),
-				Value: v,
-			})
-			if err != nil {
-				return err
-			}
-		}
-
-		return nil
-	})
-	sink.CloseWithError(err)
-}
-
-// Snapshot implements the FSM interface. It returns a noop snapshot object.
-func (f *FSM) Snapshot() (raft.FSMSnapshot, error) {
-	return &noopSnapshotter{
-		fsm: f,
-	}, nil
-}
-
-// SetNoopRestore is used to disable restore operations on raft startup. Because
-// we are using persistent storage in our FSM we do not need to issue a restore
-// on startup.
-func (f *FSM) SetNoopRestore(enabled bool) {
-	f.l.Lock()
-	f.noopRestore = enabled
-	f.l.Unlock()
-}
-
-// Restore installs a new snapshot from the provided reader. It does an atomic
-// rename of the snapshot file into the database filepath. While a restore is
-// happening the FSM is locked and no writes or reads can be performed.
-func (f *FSM) Restore(r io.ReadCloser) error {
-	defer metrics.MeasureSince([]string{"raft_storage", "fsm", "restore_snapshot"}, time.Now())
-
-	if f.noopRestore {
-		return nil
-	}
-
-	snapshotInstaller, ok := r.(*boltSnapshotInstaller)
-	if !ok {
-		wrapper, ok := r.(raft.ReadCloserWrapper)
-		if !ok {
-			return fmt.Errorf("expected ReadCloserWrapper object, got: %T", r)
-		}
-		snapshotInstallerRaw := wrapper.WrappedReadCloser()
-		snapshotInstaller, ok = snapshotInstallerRaw.(*boltSnapshotInstaller)
-		if !ok {
-			return fmt.Errorf("expected snapshot installer object, got: %T", snapshotInstallerRaw)
-		}
-	}
-
-	f.l.Lock()
-	defer f.l.Unlock()
-
-	// Cache the local node config before closing the db file
-	lnConfig, err := f.localNodeConfig()
-	if err != nil {
-		return err
-	}
-
-	// Close the db file
-	if err := f.db.Close(); err != nil {
-		f.logger.Error("failed to close database file", "error", err)
-		return err
-	}
-
-	dbPath := filepath.Join(f.path, databaseFilename)
-
-	f.logger.Info("installing snapshot to FSM")
-
-	// Install the new boltdb file
-	var retErr *multierror.Error
-	if err := snapshotInstaller.Install(dbPath); err != nil {
-		f.logger.Error("failed to install snapshot", "error", err)
-		retErr = multierror.Append(retErr, fmt.Errorf("failed to install snapshot database: %w", err))
-	} else {
-		f.logger.Info("snapshot installed")
-	}
-
-	// Open the db file. We want to do this regardless of if the above install
-	// worked. If the install failed we should try to open the old DB file.
-	if err := f.openDBFile(dbPath); err != nil {
-		f.logger.Error("failed to open new database file", "error", err)
-		retErr = multierror.Append(retErr, fmt.Errorf("failed to open new bolt file: %w", err))
-	}
-
-	// Handle local node config restore. lnConfig should not be nil here, but
-	// adding the nil check anyways for safety.
-	if lnConfig != nil {
-		// Persist the local node config on the restored fsm.
-		if err := f.persistDesiredSuffrage(lnConfig); err != nil {
-			f.logger.Error("failed to persist local node config from before the restore", "error", err)
-			retErr = multierror.Append(retErr, fmt.Errorf("failed to persist local node config from before the restore: %w", err))
-		}
-	}
-
-	return retErr.ErrorOrNil()
-}
-
-// noopSnapshotter implements the fsm.Snapshot interface. It doesn't do anything
-// since our SnapshotStore reads data out of the FSM on Open().
-type noopSnapshotter struct {
-	fsm *FSM
-}
-
-// Persist implements the fsm.Snapshot interface. It doesn't need to persist any
-// state data, but it does persist the raft metadata. This is necessary so we
-// can be sure to capture indexes for operation types that are not sent to the
-// FSM.
-func (s *noopSnapshotter) Persist(sink raft.SnapshotSink) error {
-	boltSnapshotSink := sink.(*BoltSnapshotSink)
-
-	// We are processing a snapshot, fastforward the index, term, and
-	// configuration to the latest seen by the raft system.
-	if err := s.fsm.witnessSnapshot(&boltSnapshotSink.meta); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// Release doesn't do anything.
-func (s *noopSnapshotter) Release() {}
-
-// raftConfigurationToProtoConfiguration converts a raft configuration object to
-// a proto value.
-func raftConfigurationToProtoConfiguration(index uint64, configuration raft.Configuration) *ConfigurationValue {
-	servers := make([]*Server, len(configuration.Servers))
-	for i, s := range configuration.Servers {
-		servers[i] = &Server{
-			Suffrage: int32(s.Suffrage),
-			Id:       string(s.ID),
-			Address:  string(s.Address),
-		}
-	}
-	return &ConfigurationValue{
-		Index:   index,
-		Servers: servers,
-	}
-}
-
-// protoConfigurationToRaftConfiguration converts a proto configuration object
-// to a raft object.
-func protoConfigurationToRaftConfiguration(configuration *ConfigurationValue) (uint64, raft.Configuration) {
-	servers := make([]raft.Server, len(configuration.Servers))
-	for i, s := range configuration.Servers {
-		servers[i] = raft.Server{
-			Suffrage: raft.ServerSuffrage(s.Suffrage),
-			ID:       raft.ServerID(s.Id),
-			Address:  raft.ServerAddress(s.Address),
-		}
-	}
-	return configuration.Index, raft.Configuration{
-		Servers: servers,
-	}
-}
-
-type FSMChunkStorage struct {
-	f   *FSM
-	ctx context.Context
-}
-
-// chunkPaths returns a disk prefix and key given chunkinfo
-func (f *FSMChunkStorage) chunkPaths(chunk *raftchunking.ChunkInfo) (string, string) {
-	prefix := fmt.Sprintf("%s%d/", chunkingPrefix, chunk.OpNum)
-	key := fmt.Sprintf("%s%d", prefix, chunk.SequenceNum)
-	return prefix, key
-}
-
-func (f *FSMChunkStorage) StoreChunk(chunk *raftchunking.ChunkInfo) (bool, error) {
-	b, err := jsonutil.EncodeJSON(chunk)
-	if err != nil {
-		return false, fmt.Errorf("error encoding chunk info: %w", err)
-	}
-
-	prefix, key := f.chunkPaths(chunk)
-
-	entry := &physical.Entry{
-		Key:   key,
-		Value: b,
-	}
-
-	f.f.l.RLock()
-	defer f.f.l.RUnlock()
-
-	// Start a write transaction.
-	done := new(bool)
-	if err := f.f.db.Update(func(tx *bolt.Tx) error {
-		if err := tx.Bucket(dataBucketName).Put([]byte(entry.Key), entry.Value); err != nil {
-			return fmt.Errorf("error storing chunk info: %w", err)
-		}
-
-		// Assume bucket exists and has keys
-		c := tx.Bucket(dataBucketName).Cursor()
-
-		var keys []string
-		prefixBytes := []byte(prefix)
-		for k, _ := c.Seek(prefixBytes); k != nil && bytes.HasPrefix(k, prefixBytes); k, _ = c.Next() {
-			key := string(k)
-			key = strings.TrimPrefix(key, prefix)
-			if i := strings.Index(key, "/"); i == -1 {
-				// Add objects only from the current 'folder'
-				keys = append(keys, key)
-			} else {
-				// Add truncated 'folder' paths
-				keys = strutil.AppendIfMissing(keys, string(key[:i+1]))
-			}
-		}
-
-		*done = uint32(len(keys)) == chunk.NumChunks
-
-		return nil
-	}); err != nil {
-		return false, err
+	default:
+		secret, err = client.Logical().Read("sys/storage/raft/configuration")
 	}
-
-	return *done, nil
-}
-
-func (f *FSMChunkStorage) FinalizeOp(opNum uint64) ([]*raftchunking.ChunkInfo, error) {
-	ret, err := f.chunksForOpNum(opNum)
 	if err != nil {
-		return nil, fmt.Errorf("error getting chunks for op keys: %w", err)
-	}
-
-	prefix, _ := f.chunkPaths(&raftchunking.ChunkInfo{OpNum: opNum})
-	if err := f.f.DeletePrefix(f.ctx, prefix); err != nil {
-		return nil, fmt.Errorf("error deleting prefix after op finalization: %w", err)
-	}
-
-	return ret, nil
-}
-
-func (f *FSMChunkStorage) chunksForOpNum(opNum uint64) ([]*raftchunking.ChunkInfo, error) {
-	prefix, _ := f.chunkPaths(&raftchunking.ChunkInfo{OpNum: opNum})
-
-	opChunkKeys, err := f.f.List(f.ctx, prefix)
-	if err != nil {
-		return nil, fmt.Errorf("error fetching op chunk keys: %w", err)
-	}
-
-	if len(opChunkKeys) == 0 {
-		return nil, nil
-	}
-
-	var ret []*raftchunking.ChunkInfo
-
-	for _, v := range opChunkKeys {
-		seqNum, err := strconv.ParseInt(v, 10, 64)
-		if err != nil {
-			return nil, fmt.Errorf("error converting seqnum to integer: %w", err)
-		}
-
-		entry, err := f.f.Get(f.ctx, prefix+v)
-		if err != nil {
-			return nil, fmt.Errorf("error fetching chunkinfo: %w", err)
-		}
-
-		var ci raftchunking.ChunkInfo
-		if err := jsonutil.DecodeJSON(entry.Value, &ci); err != nil {
-			return nil, fmt.Errorf("error decoding chunkinfo json: %w", err)
-		}
-
-		if ret == nil {
-			ret = make([]*raftchunking.ChunkInfo, ci.NumChunks)
-		}
-
-		ret[seqNum] = &ci
+		c.UI.Error(fmt.Sprintf("Error reading the raft cluster configuration: %s", err))
+		return 2
 	}
-
-	return ret, nil
-}
-
-func (f *FSMChunkStorage) GetChunks() (raftchunking.ChunkMap, error) {
-	opNums, err := f.f.List(f.ctx, chunkingPrefix)
-	if err != nil {
-		return nil, fmt.Errorf("error doing recursive list for chunk saving: %w", err)
+	if secret == nil {
+		c.UI.Error("No raft cluster configuration found")
+		return 2
 	}
 
-	if len(opNums) == 0 {
-		return nil, nil
+	if Format(c.UI) != "table" {
+		return OutputSecret(c.UI, secret)
 	}
 
-	ret := make(raftchunking.ChunkMap, len(opNums))
-	for _, opNumStr := range opNums {
-		opNum, err := strconv.ParseInt(opNumStr, 10, 64)
-		if err != nil {
-			return nil, fmt.Errorf("error parsing op num during chunk saving: %w", err)
-		}
+	config := secret.Data["config"].(map[string]interface{})
 
-		opChunks, err := f.chunksForOpNum(uint64(opNum))
-		if err != nil {
-			return nil, fmt.Errorf("error getting chunks for op keys during chunk saving: %w", err)
+	servers := config["servers"].([]interface{})
+	out := []string{"Node | Address | State | Voter"}
+	for _, serverRaw := range servers {
+		server := serverRaw.(map[string]interface{})
+		state := "follower"
+		if server["leader"].(bool) {
+			state = "leader"
 		}
 
-		ret[uint64(opNum)] = opChunks
-	}
-
-	return ret, nil
-}
-
-func (f *FSMChunkStorage) RestoreChunks(chunks raftchunking.ChunkMap) error {
-	if err := f.f.DeletePrefix(f.ctx, chunkingPrefix); err != nil {
-		return fmt.Errorf("error deleting prefix for chunk restoration: %w", err)
-	}
-	if len(chunks) == 0 {
-		return nil
-	}
-
-	for opNum, opChunks := range chunks {
-		for _, chunk := range opChunks {
-			if chunk == nil {
-				continue
-			}
-			if chunk.OpNum != opNum {
-				return errors.New("unexpected op number in chunk")
-			}
-			if _, err := f.StoreChunk(chunk); err != nil {
-				return fmt.Errorf("error storing chunk during restoration: %w", err)
-			}
-		}
+		out = append(out, fmt.Sprintf("%s | %s | %s | %t", server["node_id"].(string), server["address"].(string), state, server["voter"].(bool)))
 	}
 
-	return nil
+	c.UI.Output(tableOutput(out, nil))
+	return 0
 }
diff --git a/physical/raft/raft.go b/physical/raft/raft.go
index ecfdb92c01d7..fabd9ce30d39 100644
--- a/physical/raft/raft.go
+++ b/physical/raft/raft.go
@@ -1,1918 +1,108 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package raft
+package command
 
 import (
-	"context"
-	"crypto/tls"
-	"errors"
 	"fmt"
-	"io"
-	"io/ioutil"
-	"math/rand"
-	"os"
-	"path/filepath"
-	"strconv"
-	"sync"
-	"sync/atomic"
-	"time"
+	"strings"
 
-	"github.com/armon/go-metrics"
-	"github.com/golang/protobuf/proto"
-	log "github.com/hashicorp/go-hclog"
-	"github.com/hashicorp/go-raftchunking"
-	"github.com/hashicorp/go-secure-stdlib/parseutil"
-	"github.com/hashicorp/go-secure-stdlib/tlsutil"
-	"github.com/hashicorp/go-uuid"
-	goversion "github.com/hashicorp/go-version"
-	"github.com/hashicorp/raft"
-	autopilot "github.com/hashicorp/raft-autopilot"
-	raftboltdb "github.com/hashicorp/raft-boltdb/v2"
-	snapshot "github.com/hashicorp/raft-snapshot"
-	"github.com/hashicorp/vault/helper/metricsutil"
-	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/hashicorp/vault/sdk/helper/jsonutil"
-	"github.com/hashicorp/vault/sdk/logical"
-	"github.com/hashicorp/vault/sdk/physical"
-	"github.com/hashicorp/vault/vault/cluster"
-	"github.com/hashicorp/vault/version"
-	bolt "go.etcd.io/bbolt"
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
 )
 
-const (
-	// EnvVaultRaftNodeID is used to fetch the Raft node ID from the environment.
-	EnvVaultRaftNodeID = "VAULT_RAFT_NODE_ID"
-
-	// EnvVaultRaftPath is used to fetch the path where Raft data is stored from the environment.
-	EnvVaultRaftPath = "VAULT_RAFT_PATH"
-
-	// EnvVaultRaftNonVoter is used to override the non_voter config option, telling Vault to join as a non-voter (i.e. read replica).
-	EnvVaultRaftNonVoter  = "VAULT_RAFT_RETRY_JOIN_AS_NON_VOTER"
-	raftNonVoterConfigKey = "retry_join_as_non_voter"
-)
-
-var getMmapFlags = func(string) int { return 0 }
-
-// Verify RaftBackend satisfies the correct interfaces
 var (
-	_ physical.Backend       = (*RaftBackend)(nil)
-	_ physical.Transactional = (*RaftBackend)(nil)
-	_ physical.HABackend     = (*RaftBackend)(nil)
-	_ physical.Lock          = (*RaftLock)(nil)
+	_ cli.Command             = (*OperatorRaftRemovePeerCommand)(nil)
+	_ cli.CommandAutocomplete = (*OperatorRaftRemovePeerCommand)(nil)
 )
 
-var (
-	// raftLogCacheSize is the maximum number of logs to cache in-memory.
-	// This is used to reduce disk I/O for the recently committed entries.
-	raftLogCacheSize = 512
-
-	raftState              = "raft/"
-	peersFileName          = "peers.json"
-	restoreOpDelayDuration = 5 * time.Second
-	defaultMaxEntrySize    = uint64(2 * raftchunking.ChunkSize)
-
-	GetInTxnDisabledError = errors.New("get operations inside transactions are disabled in raft backend")
-)
-
-// RaftBackend implements the backend interfaces and uses the raft protocol to
-// persist writes to the FSM.
-type RaftBackend struct {
-	logger log.Logger
-	conf   map[string]string
-	l      sync.RWMutex
-
-	// fsm is the state store for vault's data
-	fsm *FSM
-
-	// raft is the instance of raft we will operate on.
-	raft *raft.Raft
-
-	// raftInitCh is used to block during HA lock acquisition if raft
-	// has not been initialized yet, which can occur if raft is being
-	// used for HA-only.
-	raftInitCh chan struct{}
-
-	// raftNotifyCh is used to receive updates about leadership changes
-	// regarding this node.
-	raftNotifyCh chan bool
-
-	// streamLayer is the network layer used to connect the nodes in the raft
-	// cluster.
-	streamLayer *raftLayer
-
-	// raftTransport is the transport layer that the raft library uses for RPC
-	// communication.
-	raftTransport raft.Transport
-
-	// snapStore is our snapshot mechanism.
-	snapStore raft.SnapshotStore
-
-	// logStore is used by the raft library to store the raft logs in durable
-	// storage.
-	logStore raft.LogStore
-
-	// stableStore is used by the raft library to store additional metadata in
-	// durable storage.
-	stableStore raft.StableStore
-
-	// bootstrapConfig is only set when this node needs to be bootstrapped upon
-	// startup.
-	bootstrapConfig *raft.Configuration
-
-	// dataDir is the location on the local filesystem that raft and FSM data
-	// will be stored.
-	dataDir string
-
-	// localID is the ID for this node. This can either be configured in the
-	// config file, via a file on disk, or is otherwise randomly generated.
-	localID string
-
-	// serverAddressProvider is used to map server IDs to addresses.
-	serverAddressProvider raft.ServerAddressProvider
-
-	// permitPool is used to limit the number of concurrent storage calls.
-	permitPool *physical.PermitPool
-
-	// maxEntrySize imposes a size limit (in bytes) on a raft entry (put or transaction).
-	// It is suggested to use a value of 2x the Raft chunking size for optimal
-	// performance.
-	maxEntrySize uint64
-
-	// autopilot is the instance of raft-autopilot library implementation of the
-	// autopilot features. This will be instantiated in both leader and followers.
-	// However, only active node will have a "running" autopilot.
-	autopilot *autopilot.Autopilot
-
-	// autopilotConfig represents the configuration required to instantiate autopilot.
-	autopilotConfig *AutopilotConfig
-
-	// followerStates represents the information about all the peers of the raft
-	// leader. This is used to track some state of the peers and as well as used
-	// to see if the peers are "alive" using the heartbeat received from them.
-	followerStates *FollowerStates
-
-	// followerHeartbeatTicker is used to compute dead servers using follower
-	// state heartbeats.
-	followerHeartbeatTicker *time.Ticker
-
-	// disableAutopilot if set will not put autopilot implementation to use. The
-	// fallback will be to interact with the raft instance directly. This can only
-	// be set during startup via the environment variable
-	// VAULT_RAFT_AUTOPILOT_DISABLE during startup and can't be updated once the
-	// node is up and running.
-	disableAutopilot bool
-
-	// autopilotReconcileInterval is how long between rounds of performing promotions, demotions
-	// and leadership transfers.
-	autopilotReconcileInterval time.Duration
-
-	// autopilotUpdateInterval is the time between the periodic state updates. These periodic
-	// state updates take in known servers from the delegate, request Raft stats be
-	// fetched and pull in other inputs such as the Raft configuration to create
-	// an updated view of the Autopilot State.
-	autopilotUpdateInterval time.Duration
-
-	// upgradeVersion is used to override the Vault SDK version when performing an autopilot automated upgrade.
-	upgradeVersion string
-
-	// redundancyZone specifies a redundancy zone for autopilot.
-	redundancyZone string
-
-	// nonVoter specifies whether the node should join the cluster as a non-voter. Non-voters get
-	// replicated to and can serve reads, but do not take part in leader elections.
-	nonVoter bool
-
-	effectiveSDKVersion string
-	failGetInTxn        *uint32
-}
-
-// LeaderJoinInfo contains information required by a node to join itself as a
-// follower to an existing raft cluster
-type LeaderJoinInfo struct {
-	// AutoJoin defines any cloud auto-join metadata. If supplied, Vault will
-	// attempt to automatically discover peers in addition to what can be provided
-	// via 'leader_api_addr'.
-	AutoJoin string `json:"auto_join"`
-
-	// AutoJoinScheme defines the optional URI protocol scheme for addresses
-	// discovered via auto-join.
-	AutoJoinScheme string `json:"auto_join_scheme"`
-
-	// AutoJoinPort defines the optional port used for addressed discovered via
-	// auto-join.
-	AutoJoinPort uint `json:"auto_join_port"`
-
-	// LeaderAPIAddr is the address of the leader node to connect to
-	LeaderAPIAddr string `json:"leader_api_addr"`
-
-	// LeaderCACert is the CA cert of the leader node
-	LeaderCACert string `json:"leader_ca_cert"`
-
-	// LeaderClientCert is the client certificate for the follower node to
-	// establish client authentication during TLS
-	LeaderClientCert string `json:"leader_client_cert"`
-
-	// LeaderClientKey is the client key for the follower node to establish
-	// client authentication during TLS.
-	LeaderClientKey string `json:"leader_client_key"`
-
-	// LeaderCACertFile is the path on disk to the the CA cert file of the
-	// leader node. This should only be provided via Vault's configuration file.
-	LeaderCACertFile string `json:"leader_ca_cert_file"`
-
-	// LeaderClientCertFile is the path on disk to the client certificate file
-	// for the follower node to establish client authentication during TLS. This
-	// should only be provided via Vault's configuration file.
-	LeaderClientCertFile string `json:"leader_client_cert_file"`
-
-	// LeaderClientKeyFile is the path on disk to the client key file for the
-	// follower node to establish client authentication during TLS. This should
-	// only be provided via Vault's configuration file.
-	LeaderClientKeyFile string `json:"leader_client_key_file"`
-
-	// LeaderTLSServerName is the optional ServerName to expect in the leader's
-	// certificate, instead of the host/IP we're actually connecting to.
-	LeaderTLSServerName string `json:"leader_tls_servername"`
-
-	// Retry indicates if the join process should automatically be retried
-	Retry bool `json:"-"`
-
-	// TLSConfig for the API client to use when communicating with the leader node
-	TLSConfig *tls.Config `json:"-"`
-}
-
-// JoinConfig returns a list of information about possible leader nodes that
-// this node can join as a follower
-func (b *RaftBackend) JoinConfig() ([]*LeaderJoinInfo, error) {
-	config := b.conf["retry_join"]
-	if config == "" {
-		return nil, nil
-	}
-
-	var leaderInfos []*LeaderJoinInfo
-	err := jsonutil.DecodeJSON([]byte(config), &leaderInfos)
-	if err != nil {
-		return nil, fmt.Errorf("failed to decode retry_join config: %w", err)
-	}
-
-	if len(leaderInfos) == 0 {
-		return nil, errors.New("invalid retry_join config")
-	}
-
-	for i, info := range leaderInfos {
-		if len(info.AutoJoin) != 0 && len(info.LeaderAPIAddr) != 0 {
-			return nil, errors.New("cannot provide both a leader_api_addr and auto_join")
-		}
-
-		if info.AutoJoinScheme != "" && (info.AutoJoinScheme != "http" && info.AutoJoinScheme != "https") {
-			return nil, fmt.Errorf("invalid scheme %q; must either be http or https", info.AutoJoinScheme)
-		}
-
-		info.Retry = true
-		info.TLSConfig, err = parseTLSInfo(info)
-		if err != nil {
-			return nil, fmt.Errorf("failed to create tls config to communicate with leader node (retry_join index: %d): %w", i, err)
-		}
-	}
-
-	return leaderInfos, nil
-}
-
-// parseTLSInfo is a helper for parses the TLS information, preferring file
-// paths over raw certificate content.
-func parseTLSInfo(leaderInfo *LeaderJoinInfo) (*tls.Config, error) {
-	var tlsConfig *tls.Config
-	var err error
-	if len(leaderInfo.LeaderCACertFile) != 0 || len(leaderInfo.LeaderClientCertFile) != 0 || len(leaderInfo.LeaderClientKeyFile) != 0 {
-		tlsConfig, err = tlsutil.LoadClientTLSConfig(leaderInfo.LeaderCACertFile, leaderInfo.LeaderClientCertFile, leaderInfo.LeaderClientKeyFile)
-		if err != nil {
-			return nil, err
-		}
-	} else if len(leaderInfo.LeaderCACert) != 0 || len(leaderInfo.LeaderClientCert) != 0 || len(leaderInfo.LeaderClientKey) != 0 {
-		tlsConfig, err = tlsutil.ClientTLSConfig([]byte(leaderInfo.LeaderCACert), []byte(leaderInfo.LeaderClientCert), []byte(leaderInfo.LeaderClientKey))
-		if err != nil {
-			return nil, err
-		}
-	}
-	if tlsConfig != nil {
-		tlsConfig.ServerName = leaderInfo.LeaderTLSServerName
-	}
-
-	return tlsConfig, nil
-}
-
-// EnsurePath is used to make sure a path exists
-func EnsurePath(path string, dir bool) error {
-	if !dir {
-		path = filepath.Dir(path)
-	}
-	return os.MkdirAll(path, 0o700)
-}
-
-// NewRaftBackend constructs a RaftBackend using the given directory
-func NewRaftBackend(conf map[string]string, logger log.Logger) (physical.Backend, error) {
-	path := os.Getenv(EnvVaultRaftPath)
-	if path == "" {
-		pathFromConfig, ok := conf["path"]
-		if !ok {
-			return nil, fmt.Errorf("'path' must be set")
-		}
-		path = pathFromConfig
-	}
-
-	var localID string
-	{
-		// Determine the local node ID from the environment.
-		if raftNodeID := os.Getenv(EnvVaultRaftNodeID); raftNodeID != "" {
-			localID = raftNodeID
-		}
-
-		// If not set in the environment check the configuration file.
-		if len(localID) == 0 {
-			localID = conf["node_id"]
-		}
-
-		// If not set in the config check the "node-id" file.
-		if len(localID) == 0 {
-			localIDRaw, err := ioutil.ReadFile(filepath.Join(path, "node-id"))
-			switch {
-			case err == nil:
-				if len(localIDRaw) > 0 {
-					localID = string(localIDRaw)
-				}
-			case os.IsNotExist(err):
-			default:
-				return nil, err
-			}
-		}
-
-		// If all of the above fails generate a UUID and persist it to the
-		// "node-id" file.
-		if len(localID) == 0 {
-			id, err := uuid.GenerateUUID()
-			if err != nil {
-				return nil, err
-			}
-
-			if err := ioutil.WriteFile(filepath.Join(path, "node-id"), []byte(id), 0o600); err != nil {
-				return nil, err
-			}
-
-			localID = id
-		}
-	}
-
-	// Create the FSM.
-	fsm, err := NewFSM(path, localID, logger.Named("fsm"))
-	if err != nil {
-		return nil, fmt.Errorf("failed to create fsm: %v", err)
-	}
-
-	if delayRaw, ok := conf["apply_delay"]; ok {
-		delay, err := parseutil.ParseDurationSecond(delayRaw)
-		if err != nil {
-			return nil, fmt.Errorf("apply_delay does not parse as a duration: %w", err)
-		}
-		fsm.applyCallback = func() {
-			time.Sleep(delay)
-		}
-	}
-
-	// Build an all in-memory setup for dev mode, otherwise prepare a full
-	// disk-based setup.
-	var log raft.LogStore
-	var stable raft.StableStore
-	var snap raft.SnapshotStore
-
-	var devMode bool
-	if devMode {
-		store := raft.NewInmemStore()
-		stable = store
-		log = store
-		snap = raft.NewInmemSnapshotStore()
-	} else {
-		// Create the base raft path.
-		path := filepath.Join(path, raftState)
-		if err := EnsurePath(path, true); err != nil {
-			return nil, err
-		}
-
-		// Create the backend raft store for logs and stable storage.
-		dbPath := filepath.Join(path, "raft.db")
-		opts := boltOptions(dbPath)
-		raftOptions := raftboltdb.Options{
-			Path:        dbPath,
-			BoltOptions: opts,
-		}
-		store, err := raftboltdb.New(raftOptions)
-		if err != nil {
-			return nil, err
-		}
-		stable = store
-
-		// Wrap the store in a LogCache to improve performance.
-		cacheStore, err := raft.NewLogCache(raftLogCacheSize, store)
-		if err != nil {
-			return nil, err
-		}
-		log = cacheStore
-
-		// Create the snapshot store.
-		snapshots, err := NewBoltSnapshotStore(path, logger.Named("snapshot"), fsm)
-		if err != nil {
-			return nil, err
-		}
-		snap = snapshots
-	}
-
-	if delayRaw, ok := conf["snapshot_delay"]; ok {
-		delay, err := parseutil.ParseDurationSecond(delayRaw)
-		if err != nil {
-			return nil, fmt.Errorf("snapshot_delay does not parse as a duration: %w", err)
-		}
-		snap = newSnapshotStoreDelay(snap, delay, logger)
-	}
-
-	maxEntrySize := defaultMaxEntrySize
-	if maxEntrySizeCfg := conf["max_entry_size"]; len(maxEntrySizeCfg) != 0 {
-		i, err := strconv.Atoi(maxEntrySizeCfg)
-		if err != nil {
-			return nil, fmt.Errorf("failed to parse 'max_entry_size': %w", err)
-		}
-
-		maxEntrySize = uint64(i)
-	}
-
-	var reconcileInterval time.Duration
-	if interval := conf["autopilot_reconcile_interval"]; interval != "" {
-		interval, err := parseutil.ParseDurationSecond(interval)
-		if err != nil {
-			return nil, fmt.Errorf("autopilot_reconcile_interval does not parse as a duration: %w", err)
-		}
-		reconcileInterval = interval
-	}
-
-	var updateInterval time.Duration
-	if interval := conf["autopilot_update_interval"]; interval != "" {
-		interval, err := parseutil.ParseDurationSecond(interval)
-		if err != nil {
-			return nil, fmt.Errorf("autopilot_update_interval does not parse as a duration: %w", err)
-		}
-		updateInterval = interval
-	}
-
-	effectiveReconcileInterval := autopilot.DefaultReconcileInterval
-	effectiveUpdateInterval := autopilot.DefaultUpdateInterval
-
-	if reconcileInterval != 0 {
-		effectiveReconcileInterval = reconcileInterval
-	}
-	if updateInterval != 0 {
-		effectiveUpdateInterval = updateInterval
-	}
-
-	if effectiveReconcileInterval < effectiveUpdateInterval {
-		return nil, fmt.Errorf("autopilot_reconcile_interval (%v) should be larger than autopilot_update_interval (%v)", effectiveReconcileInterval, effectiveUpdateInterval)
-	}
-
-	var upgradeVersion string
-	if uv, ok := conf["autopilot_upgrade_version"]; ok && uv != "" {
-		upgradeVersion = uv
-		_, err := goversion.NewVersion(upgradeVersion)
-		if err != nil {
-			return nil, fmt.Errorf("autopilot_upgrade_version does not parse as a semantic version: %w", err)
-		}
-	}
-
-	var nonVoter bool
-	if v := os.Getenv(EnvVaultRaftNonVoter); v != "" {
-		// Consistent with handling of other raft boolean env vars
-		// VAULT_RAFT_AUTOPILOT_DISABLE and VAULT_RAFT_FREELIST_SYNC
-		nonVoter = true
-	} else if v, ok := conf[raftNonVoterConfigKey]; ok {
-		nonVoter, err = strconv.ParseBool(v)
-		if err != nil {
-			return nil, fmt.Errorf("failed to parse %s config value %q as a boolean: %w", raftNonVoterConfigKey, v, err)
-		}
-	}
-
-	if nonVoter && conf["retry_join"] == "" {
-		return nil, fmt.Errorf("setting %s to true is only valid if at least one retry_join stanza is specified", raftNonVoterConfigKey)
-	}
-
-	return &RaftBackend{
-		logger:                     logger,
-		fsm:                        fsm,
-		raftInitCh:                 make(chan struct{}),
-		conf:                       conf,
-		logStore:                   log,
-		stableStore:                stable,
-		snapStore:                  snap,
-		dataDir:                    path,
-		localID:                    localID,
-		permitPool:                 physical.NewPermitPool(physical.DefaultParallelOperations),
-		maxEntrySize:               maxEntrySize,
-		followerHeartbeatTicker:    time.NewTicker(time.Second),
-		autopilotReconcileInterval: reconcileInterval,
-		autopilotUpdateInterval:    updateInterval,
-		redundancyZone:             conf["autopilot_redundancy_zone"],
-		nonVoter:                   nonVoter,
-		upgradeVersion:             upgradeVersion,
-		failGetInTxn:               new(uint32),
-	}, nil
-}
-
-type snapshotStoreDelay struct {
-	logger  log.Logger
-	wrapped raft.SnapshotStore
-	delay   time.Duration
-}
-
-func (s snapshotStoreDelay) Create(version raft.SnapshotVersion, index, term uint64, configuration raft.Configuration, configurationIndex uint64, trans raft.Transport) (raft.SnapshotSink, error) {
-	s.logger.Trace("delaying before creating snapshot", "delay", s.delay)
-	time.Sleep(s.delay)
-	return s.wrapped.Create(version, index, term, configuration, configurationIndex, trans)
-}
-
-func (s snapshotStoreDelay) List() ([]*raft.SnapshotMeta, error) {
-	return s.wrapped.List()
-}
-
-func (s snapshotStoreDelay) Open(id string) (*raft.SnapshotMeta, io.ReadCloser, error) {
-	return s.wrapped.Open(id)
-}
-
-var _ raft.SnapshotStore = &snapshotStoreDelay{}
-
-func newSnapshotStoreDelay(snap raft.SnapshotStore, delay time.Duration, logger log.Logger) *snapshotStoreDelay {
-	return &snapshotStoreDelay{
-		logger:  logger,
-		wrapped: snap,
-		delay:   delay,
-	}
-}
-
-// Close is used to gracefully close all file resources.  N.B. This method
-// should only be called if you are sure the RaftBackend will never be used
-// again.
-func (b *RaftBackend) Close() error {
-	b.l.Lock()
-	defer b.l.Unlock()
-
-	if err := b.fsm.Close(); err != nil {
-		return err
-	}
-
-	if err := b.stableStore.(*raftboltdb.BoltStore).Close(); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (b *RaftBackend) FailGetInTxn(fail bool) {
-	var val uint32
-	if fail {
-		val = 1
-	}
-	atomic.StoreUint32(b.failGetInTxn, val)
-}
-
-func (b *RaftBackend) SetEffectiveSDKVersion(sdkVersion string) {
-	b.l.Lock()
-	b.effectiveSDKVersion = sdkVersion
-	b.l.Unlock()
-}
-
-func (b *RaftBackend) RedundancyZone() string {
-	b.l.RLock()
-	defer b.l.RUnlock()
-
-	return b.redundancyZone
-}
-
-func (b *RaftBackend) NonVoter() bool {
-	b.l.RLock()
-	defer b.l.RUnlock()
-
-	return b.nonVoter
-}
-
-func (b *RaftBackend) EffectiveVersion() string {
-	b.l.RLock()
-	defer b.l.RUnlock()
-
-	if b.upgradeVersion != "" {
-		return b.upgradeVersion
-	}
-
-	return version.GetVersion().Version
-}
-
-// DisableUpgradeMigration returns the state of the DisableUpgradeMigration config flag and whether it was set or not
-func (b *RaftBackend) DisableUpgradeMigration() (bool, bool) {
-	b.l.RLock()
-	defer b.l.RUnlock()
-
-	if b.autopilotConfig == nil {
-		return false, false
-	}
-
-	return b.autopilotConfig.DisableUpgradeMigration, true
-}
-
-func (b *RaftBackend) CollectMetrics(sink *metricsutil.ClusterMetricSink) {
-	var stats map[string]string
-	b.l.RLock()
-	logstoreStats := b.stableStore.(*raftboltdb.BoltStore).Stats()
-	fsmStats := b.fsm.Stats()
-	if b.raft != nil {
-		stats = b.raft.Stats()
-	}
-	b.l.RUnlock()
-	b.collectMetricsWithStats(logstoreStats, sink, "logstore")
-	b.collectMetricsWithStats(fsmStats, sink, "fsm")
-	labels := []metrics.Label{
-		{
-			Name:  "peer_id",
-			Value: b.localID,
-		},
-	}
-	if stats != nil {
-		for _, key := range []string{"term", "commit_index", "applied_index", "fsm_pending"} {
-			n, err := strconv.ParseUint(stats[key], 10, 64)
-			if err == nil {
-				sink.SetGaugeWithLabels([]string{"raft_storage", "stats", key}, float32(n), labels)
-			}
-		}
-	}
-}
-
-func (b *RaftBackend) collectMetricsWithStats(stats bolt.Stats, sink *metricsutil.ClusterMetricSink, database string) {
-	txstats := stats.TxStats
-	labels := []metricsutil.Label{{"database", database}}
-	sink.SetGaugeWithLabels([]string{"raft_storage", "bolt", "freelist", "free_pages"}, float32(stats.FreePageN), labels)
-	sink.SetGaugeWithLabels([]string{"raft_storage", "bolt", "freelist", "pending_pages"}, float32(stats.PendingPageN), labels)
-	sink.SetGaugeWithLabels([]string{"raft_storage", "bolt", "freelist", "allocated_bytes"}, float32(stats.FreeAlloc), labels)
-	sink.SetGaugeWithLabels([]string{"raft_storage", "bolt", "freelist", "used_bytes"}, float32(stats.FreelistInuse), labels)
-	sink.SetGaugeWithLabels([]string{"raft_storage", "bolt", "transaction", "started_read_transactions"}, float32(stats.TxN), labels)
-	sink.SetGaugeWithLabels([]string{"raft_storage", "bolt", "transaction", "currently_open_read_transactions"}, float32(stats.OpenTxN), labels)
-	sink.SetGaugeWithLabels([]string{"raft_storage", "bolt", "page", "count"}, float32(txstats.GetPageCount()), labels)
-	sink.SetGaugeWithLabels([]string{"raft_storage", "bolt", "page", "bytes_allocated"}, float32(txstats.GetPageAlloc()), labels)
-	sink.SetGaugeWithLabels([]string{"raft_storage", "bolt", "cursor", "count"}, float32(txstats.GetCursorCount()), labels)
-	sink.SetGaugeWithLabels([]string{"raft_storage", "bolt", "node", "count"}, float32(txstats.GetNodeCount()), labels)
-	sink.SetGaugeWithLabels([]string{"raft_storage", "bolt", "node", "dereferences"}, float32(txstats.GetNodeDeref()), labels)
-	sink.SetGaugeWithLabels([]string{"raft_storage", "bolt", "rebalance", "count"}, float32(txstats.GetRebalance()), labels)
-	sink.AddSampleWithLabels([]string{"raft_storage", "bolt", "rebalance", "time"}, float32(txstats.GetRebalanceTime().Milliseconds()), labels)
-	sink.SetGaugeWithLabels([]string{"raft_storage", "bolt", "split", "count"}, float32(txstats.GetSplit()), labels)
-	sink.SetGaugeWithLabels([]string{"raft_storage", "bolt", "spill", "count"}, float32(txstats.GetSpill()), labels)
-	sink.AddSampleWithLabels([]string{"raft_storage", "bolt", "spill", "time"}, float32(txstats.GetSpillTime().Milliseconds()), labels)
-	sink.SetGaugeWithLabels([]string{"raft_storage", "bolt", "write", "count"}, float32(txstats.GetWrite()), labels)
-	sink.IncrCounterWithLabels([]string{"raft_storage", "bolt", "write", "time"}, float32(txstats.GetWriteTime().Milliseconds()), labels)
-}
-
-// RaftServer has information about a server in the Raft configuration
-type RaftServer struct {
-	// NodeID is the name of the server
-	NodeID string `json:"node_id"`
-
-	// Address is the IP:port of the server, used for Raft communications
-	Address string `json:"address"`
+type OperatorRaftRemovePeerCommand struct {
+	*BaseCommand
 
-	// Leader is true if this server is the current cluster leader
-	Leader bool `json:"leader"`
-
-	// Protocol version is the raft protocol version used by the server
-	ProtocolVersion string `json:"protocol_version"`
-
-	// Voter is true if this server has a vote in the cluster. This might
-	// be false if the server is staging and still coming online.
-	Voter bool `json:"voter"`
-}
-
-// RaftConfigurationResponse is returned when querying for the current Raft
-// configuration.
-type RaftConfigurationResponse struct {
-	// Servers has the list of servers in the Raft configuration.
-	Servers []*RaftServer `json:"servers"`
-
-	// Index has the Raft index of this configuration.
-	Index uint64 `json:"index"`
+	flagDRToken string
 }
 
-// Peer defines the ID and Address for a given member of the raft cluster.
-type Peer struct {
-	ID       string `json:"id"`
-	Address  string `json:"address"`
-	Suffrage int    `json:"suffrage"`
+func (c *OperatorRaftRemovePeerCommand) Synopsis() string {
+	return "Removes a node from the Raft cluster"
 }
 
-// NodeID returns the identifier of the node
-func (b *RaftBackend) NodeID() string {
-	return b.localID
-}
+func (c *OperatorRaftRemovePeerCommand) Help() string {
+	helpText := `
+Usage: vault operator raft remove-peer <server_id>
 
-// Initialized tells if raft is running or not
-func (b *RaftBackend) Initialized() bool {
-	b.l.RLock()
-	init := b.raft != nil
-	b.l.RUnlock()
-	return init
-}
+  Removes a node from the Raft cluster.
 
-// SetTLSKeyring is used to install a new keyring. If the active key has changed
-// it will also close any network connections or streams forcing a reconnect
-// with the new key.
-func (b *RaftBackend) SetTLSKeyring(keyring *TLSKeyring) error {
-	b.l.RLock()
-	err := b.streamLayer.setTLSKeyring(keyring)
-	b.l.RUnlock()
+	  $ vault operator raft remove-peer node1
 
-	return err
-}
+` + c.Flags().Help()
 
-// SetServerAddressProvider sets a the address provider for determining the raft
-// node addresses. This is currently only used in tests.
-func (b *RaftBackend) SetServerAddressProvider(provider raft.ServerAddressProvider) {
-	b.l.Lock()
-	b.serverAddressProvider = provider
-	b.l.Unlock()
+	return strings.TrimSpace(helpText)
 }
 
-// Bootstrap prepares the given peers to be part of the raft cluster
-func (b *RaftBackend) Bootstrap(peers []Peer) error {
-	b.l.Lock()
-	defer b.l.Unlock()
-
-	hasState, err := raft.HasExistingState(b.logStore, b.stableStore, b.snapStore)
-	if err != nil {
-		return err
-	}
-
-	if hasState {
-		return errors.New("error bootstrapping cluster: cluster already has state")
-	}
-
-	raftConfig := &raft.Configuration{
-		Servers: make([]raft.Server, len(peers)),
-	}
+func (c *OperatorRaftRemovePeerCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+	f := set.NewFlagSet("Command Options")
 
-	for i, p := range peers {
-		raftConfig.Servers[i] = raft.Server{
-			ID:       raft.ServerID(p.ID),
-			Address:  raft.ServerAddress(p.Address),
-			Suffrage: raft.ServerSuffrage(p.Suffrage),
-		}
-	}
-
-	// Store the config for later use
-	b.bootstrapConfig = raftConfig
-	return nil
-}
-
-// SetRestoreCallback sets the callback to be used when a restoreCallbackOp is
-// processed through the FSM.
-func (b *RaftBackend) SetRestoreCallback(restoreCb restoreCallback) {
-	b.fsm.l.Lock()
-	b.fsm.restoreCb = restoreCb
-	b.fsm.l.Unlock()
-}
-
-func (b *RaftBackend) applyConfigSettings(config *raft.Config) error {
-	config.Logger = b.logger
-	multiplierRaw, ok := b.conf["performance_multiplier"]
-	multiplier := 5
-	if ok {
-		var err error
-		multiplier, err = strconv.Atoi(multiplierRaw)
-		if err != nil {
-			return err
-		}
-	}
-	config.ElectionTimeout *= time.Duration(multiplier)
-	config.HeartbeatTimeout *= time.Duration(multiplier)
-	config.LeaderLeaseTimeout *= time.Duration(multiplier)
-
-	snapThresholdRaw, ok := b.conf["snapshot_threshold"]
-	if ok {
-		var err error
-		snapThreshold, err := strconv.Atoi(snapThresholdRaw)
-		if err != nil {
-			return err
-		}
-		config.SnapshotThreshold = uint64(snapThreshold)
-	}
-
-	trailingLogsRaw, ok := b.conf["trailing_logs"]
-	if ok {
-		var err error
-		trailingLogs, err := strconv.Atoi(trailingLogsRaw)
-		if err != nil {
-			return err
-		}
-		config.TrailingLogs = uint64(trailingLogs)
-	}
-	snapshotIntervalRaw, ok := b.conf["snapshot_interval"]
-	if ok {
-		var err error
-		snapshotInterval, err := parseutil.ParseDurationSecond(snapshotIntervalRaw)
-		if err != nil {
-			return err
-		}
-		config.SnapshotInterval = snapshotInterval
-	}
-
-	config.NoSnapshotRestoreOnStart = true
-	config.MaxAppendEntries = 64
-
-	// Setting BatchApplyCh allows the raft library to enqueue up to
-	// MaxAppendEntries into each raft apply rather than relying on the
-	// scheduler.
-	config.BatchApplyCh = true
-
-	b.logger.Trace("applying raft config", "inputs", b.conf)
-	return nil
-}
-
-// SetupOpts are used to pass options to the raft setup function.
-type SetupOpts struct {
-	// TLSKeyring is the keyring to use for the cluster traffic.
-	TLSKeyring *TLSKeyring
-
-	// ClusterListener is the cluster hook used to register the raft handler and
-	// client with core's cluster listeners.
-	ClusterListener cluster.ClusterHook
-
-	// StartAsLeader is used to specify this node should start as leader and
-	// bypass the leader election. This should be used with caution.
-	StartAsLeader bool
-
-	// RecoveryModeConfig is the configuration for the raft cluster in recovery
-	// mode.
-	RecoveryModeConfig *raft.Configuration
-}
-
-func (b *RaftBackend) StartRecoveryCluster(ctx context.Context, peer Peer) error {
-	recoveryModeConfig := &raft.Configuration{
-		Servers: []raft.Server{
-			{
-				ID:      raft.ServerID(peer.ID),
-				Address: raft.ServerAddress(peer.Address),
-			},
-		},
-	}
-
-	return b.SetupCluster(context.Background(), SetupOpts{
-		StartAsLeader:      true,
-		RecoveryModeConfig: recoveryModeConfig,
+	f.StringVar(&StringVar{
+		Name:       "dr-token",
+		Target:     &c.flagDRToken,
+		Default:    "",
+		EnvVar:     "",
+		Completion: complete.PredictAnything,
+		Usage:      "DR operation token used to authorize this request (if a DR secondary node).",
 	})
-}
 
-func (b *RaftBackend) HasState() (bool, error) {
-	b.l.RLock()
-	defer b.l.RUnlock()
-
-	return raft.HasExistingState(b.logStore, b.stableStore, b.snapStore)
+	return set
 }
 
-// SetupCluster starts the raft cluster and enables the networking needed for
-// the raft nodes to communicate.
-func (b *RaftBackend) SetupCluster(ctx context.Context, opts SetupOpts) error {
-	b.logger.Trace("setting up raft cluster")
-
-	b.l.Lock()
-	defer b.l.Unlock()
-
-	// We are already unsealed
-	if b.raft != nil {
-		b.logger.Debug("raft already started, not setting up cluster")
-		return nil
-	}
-
-	if len(b.localID) == 0 {
-		return errors.New("no local node id configured")
-	}
-
-	// Setup the raft config
-	raftConfig := raft.DefaultConfig()
-	if err := b.applyConfigSettings(raftConfig); err != nil {
-		return err
-	}
-
-	listenerIsNil := func(cl cluster.ClusterHook) bool {
-		switch {
-		case opts.ClusterListener == nil:
-			return true
-		default:
-			// Concrete type checks
-			switch cl.(type) {
-			case *cluster.Listener:
-				return cl.(*cluster.Listener) == nil
-			}
-		}
-		return false
-	}
-
-	var initialTimeoutMultiplier time.Duration
-	switch {
-	case opts.TLSKeyring == nil && listenerIsNil(opts.ClusterListener):
-		// If we don't have a provided network we use an in-memory one.
-		// This allows us to bootstrap a node without bringing up a cluster
-		// network. This will be true during bootstrap, tests and dev modes.
-		_, b.raftTransport = raft.NewInmemTransportWithTimeout(raft.ServerAddress(b.localID), time.Second)
-	case opts.TLSKeyring == nil:
-		return errors.New("no keyring provided")
-	case listenerIsNil(opts.ClusterListener):
-		return errors.New("no cluster listener provided")
-	default:
-		initialTimeoutMultiplier = 3
-		if !opts.StartAsLeader {
-			electionTimeout, heartbeatTimeout := raftConfig.ElectionTimeout, raftConfig.HeartbeatTimeout
-			// Use bigger values for first election
-			raftConfig.ElectionTimeout *= initialTimeoutMultiplier
-			raftConfig.HeartbeatTimeout *= initialTimeoutMultiplier
-			b.logger.Trace("using larger timeouts for raft at startup",
-				"initial_election_timeout", raftConfig.ElectionTimeout,
-				"initial_heartbeat_timeout", raftConfig.HeartbeatTimeout,
-				"normal_election_timeout", electionTimeout,
-				"normal_heartbeat_timeout", heartbeatTimeout)
-		}
-
-		// Set the local address and localID in the streaming layer and the raft config.
-		streamLayer, err := NewRaftLayer(b.logger.Named("stream"), opts.TLSKeyring, opts.ClusterListener)
-		if err != nil {
-			return err
-		}
-		transConfig := &raft.NetworkTransportConfig{
-			Stream:                streamLayer,
-			MaxPool:               3,
-			Timeout:               10 * time.Second,
-			ServerAddressProvider: b.serverAddressProvider,
-			Logger:                b.logger.Named("raft-net"),
-		}
-		transport := raft.NewNetworkTransportWithConfig(transConfig)
-
-		b.streamLayer = streamLayer
-		b.raftTransport = transport
-	}
-
-	raftConfig.LocalID = raft.ServerID(b.localID)
-
-	// Set up a channel for reliable leader notifications.
-	raftNotifyCh := make(chan bool, 10)
-	raftConfig.NotifyCh = raftNotifyCh
-
-	// If we have a bootstrapConfig set we should bootstrap now.
-	if b.bootstrapConfig != nil {
-		bootstrapConfig := b.bootstrapConfig
-		// Unset the bootstrap config
-		b.bootstrapConfig = nil
-
-		// Bootstrap raft with our known cluster members.
-		if err := raft.BootstrapCluster(raftConfig, b.logStore, b.stableStore, b.snapStore, b.raftTransport, *bootstrapConfig); err != nil {
-			return err
-		}
-	}
-
-	// Setup the Raft store.
-	b.fsm.SetNoopRestore(true)
-
-	raftPath := filepath.Join(b.dataDir, raftState)
-	peersFile := filepath.Join(raftPath, peersFileName)
-	_, err := os.Stat(peersFile)
-	if err == nil {
-		b.logger.Info("raft recovery initiated", "recovery_file", peersFileName)
-
-		recoveryConfig, err := raft.ReadConfigJSON(peersFile)
-		if err != nil {
-			return fmt.Errorf("raft recovery failed to parse peers.json: %w", err)
-		}
-
-		// Non-voting servers are only allowed in enterprise. If Suffrage is disabled,
-		// error out to indicate that it isn't allowed.
-		for idx := range recoveryConfig.Servers {
-			if !nonVotersAllowed && recoveryConfig.Servers[idx].Suffrage == raft.Nonvoter {
-				return fmt.Errorf("raft recovery failed to parse configuration for node %q: setting `non_voter` is only supported in enterprise", recoveryConfig.Servers[idx].ID)
-			}
-		}
-
-		b.logger.Info("raft recovery found new config", "config", recoveryConfig)
-
-		err = raft.RecoverCluster(raftConfig, b.fsm, b.logStore, b.stableStore, b.snapStore, b.raftTransport, recoveryConfig)
-		if err != nil {
-			return fmt.Errorf("raft recovery failed: %w", err)
-		}
-
-		err = os.Remove(peersFile)
-		if err != nil {
-			return fmt.Errorf("raft recovery failed to delete peers.json; please delete manually: %w", err)
-		}
-		b.logger.Info("raft recovery deleted peers.json")
-	}
-
-	if opts.RecoveryModeConfig != nil {
-		err = raft.RecoverCluster(raftConfig, b.fsm, b.logStore, b.stableStore, b.snapStore, b.raftTransport, *opts.RecoveryModeConfig)
-		if err != nil {
-			return fmt.Errorf("recovering raft cluster failed: %w", err)
-		}
-	}
-
-	b.logger.Info("creating Raft", "config", fmt.Sprintf("%#v", raftConfig))
-	raftObj, err := raft.NewRaft(raftConfig, b.fsm.chunker, b.logStore, b.stableStore, b.snapStore, b.raftTransport)
-	b.fsm.SetNoopRestore(false)
-	if err != nil {
-		return err
-	}
-
-	// If we are expecting to start as leader wait until we win the election.
-	// This should happen quickly since there is only one node in the cluster.
-	// StartAsLeader is only set during init, recovery mode, storage migration,
-	// and tests.
-	if opts.StartAsLeader {
-		// ticker is used to prevent memory leak of using time.After in
-		// for - select pattern.
-		ticker := time.NewTicker(10 * time.Millisecond)
-		defer ticker.Stop()
-		for {
-			if raftObj.State() == raft.Leader {
-				break
-			}
-
-			ticker.Reset(10 * time.Millisecond)
-			select {
-			case <-ctx.Done():
-				future := raftObj.Shutdown()
-				if future.Error() != nil {
-					return fmt.Errorf("shutdown while waiting for leadership: %w", future.Error())
-				}
-
-				return errors.New("shutdown while waiting for leadership")
-			case <-ticker.C:
-			}
-		}
-	}
-
-	b.raft = raftObj
-	b.raftNotifyCh = raftNotifyCh
-
-	if err := b.fsm.upgradeLocalNodeConfig(); err != nil {
-		b.logger.Error("failed to upgrade local node configuration")
-		return err
-	}
-
-	if b.streamLayer != nil {
-		// Add Handler to the cluster.
-		opts.ClusterListener.AddHandler(consts.RaftStorageALPN, b.streamLayer)
-
-		// Add Client to the cluster.
-		opts.ClusterListener.AddClient(consts.RaftStorageALPN, b.streamLayer)
-	}
-
-	// Close the init channel to signal setup has been completed
-	close(b.raftInitCh)
-
-	reloadConfig := func() {
-		newCfg := raft.ReloadableConfig{
-			TrailingLogs:      raftConfig.TrailingLogs,
-			SnapshotInterval:  raftConfig.SnapshotInterval,
-			SnapshotThreshold: raftConfig.SnapshotThreshold,
-			HeartbeatTimeout:  raftConfig.HeartbeatTimeout / initialTimeoutMultiplier,
-			ElectionTimeout:   raftConfig.ElectionTimeout / initialTimeoutMultiplier,
-		}
-		err := raftObj.ReloadConfig(newCfg)
-		if err != nil {
-			b.logger.Error("failed to reload raft config to set lower timeouts", "error", err)
-		} else {
-			b.logger.Trace("reloaded raft config to set lower timeouts", "config", fmt.Sprintf("%#v", newCfg))
-		}
-	}
-	confFuture := raftObj.GetConfiguration()
-	numServers := 0
-	if err := confFuture.Error(); err != nil {
-		// This should probably never happen, but just in case we'll log the error.
-		// We'll default in this case to the multi-node behaviour.
-		b.logger.Error("failed to read raft configuration", "error", err)
-	} else {
-		clusterConf := confFuture.Configuration()
-		numServers = len(clusterConf.Servers)
-	}
-	if initialTimeoutMultiplier != 0 {
-		if numServers == 1 {
-			reloadConfig()
-		} else {
-			go func() {
-				ticker := time.NewTicker(50 * time.Millisecond)
-				// Emulate the random timeout used in Raft lib, to ensure that
-				// if all nodes are brought up simultaneously, they don't all
-				// call for an election at once.
-				extra := time.Duration(rand.Int63()) % raftConfig.HeartbeatTimeout
-				timeout := time.NewTimer(raftConfig.HeartbeatTimeout + extra)
-				for {
-					select {
-					case <-ticker.C:
-						switch raftObj.State() {
-						case raft.Candidate, raft.Leader:
-							b.logger.Trace("triggering raft config reload due to being candidate or leader")
-							reloadConfig()
-							return
-						case raft.Shutdown:
-							return
-						}
-					case <-timeout.C:
-						b.logger.Trace("triggering raft config reload due to initial timeout")
-						reloadConfig()
-						return
-					}
-				}
-			}()
-		}
-	}
-
-	b.logger.Trace("finished setting up raft cluster")
-	return nil
-}
-
-// TeardownCluster shuts down the raft cluster
-func (b *RaftBackend) TeardownCluster(clusterListener cluster.ClusterHook) error {
-	if clusterListener != nil {
-		clusterListener.StopHandler(consts.RaftStorageALPN)
-		clusterListener.RemoveClient(consts.RaftStorageALPN)
-	}
-
-	b.l.Lock()
-
-	// Perform shutdown only if the raft object is non-nil. The object could be nil
-	// if the node is unsealed but has not joined the peer set.
-	var future raft.Future
-	if b.raft != nil {
-		future = b.raft.Shutdown()
-	}
-
-	b.raft = nil
-
-	// If we're tearing down, then we need to recreate the raftInitCh
-	b.raftInitCh = make(chan struct{})
-	b.l.Unlock()
-
-	if future != nil {
-		return future.Error()
-	}
-
-	return nil
-}
-
-// CommittedIndex returns the latest index committed to stable storage
-func (b *RaftBackend) CommittedIndex() uint64 {
-	b.l.RLock()
-	defer b.l.RUnlock()
-
-	if b.raft == nil {
-		return 0
-	}
-
-	return b.raft.LastIndex()
-}
-
-// AppliedIndex returns the latest index applied to the FSM
-func (b *RaftBackend) AppliedIndex() uint64 {
-	b.l.RLock()
-	defer b.l.RUnlock()
-
-	if b.fsm == nil {
-		return 0
-	}
-
-	// We use the latest index that the FSM has seen here, which may be behind
-	// raft.AppliedIndex() due to the async nature of the raft library.
-	indexState, _ := b.fsm.LatestState()
-	return indexState.Index
+func (c *OperatorRaftRemovePeerCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictAnything
 }
 
-// Term returns the raft term of this node.
-func (b *RaftBackend) Term() uint64 {
-	b.l.RLock()
-	defer b.l.RUnlock()
-
-	if b.fsm == nil {
-		return 0
-	}
-
-	// We use the latest index that the FSM has seen here, which may be behind
-	// raft.AppliedIndex() due to the async nature of the raft library.
-	indexState, _ := b.fsm.LatestState()
-	return indexState.Term
-}
-
-// RemovePeer removes the given peer ID from the raft cluster. If the node is
-// ourselves we will give up leadership.
-func (b *RaftBackend) RemovePeer(ctx context.Context, peerID string) error {
-	b.l.RLock()
-	defer b.l.RUnlock()
-
-	if err := ctx.Err(); err != nil {
-		return err
-	}
-
-	if b.disableAutopilot {
-		if b.raft == nil {
-			return errors.New("raft storage is not initialized")
-		}
-		b.logger.Trace("removing server from raft", "id", peerID)
-		future := b.raft.RemoveServer(raft.ServerID(peerID), 0, 0)
-		return future.Error()
-	}
-
-	if b.autopilot == nil {
-		return errors.New("raft storage autopilot is not initialized")
-	}
-
-	b.logger.Trace("removing server from raft via autopilot", "id", peerID)
-	return b.autopilot.RemoveServer(raft.ServerID(peerID))
+func (c *OperatorRaftRemovePeerCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
 }
 
-// GetConfigurationOffline is used to read the stale, last known raft
-// configuration to this node. It accesses the last state written into the
-// FSM. When a server is online use GetConfiguration instead.
-func (b *RaftBackend) GetConfigurationOffline() (*RaftConfigurationResponse, error) {
-	b.l.RLock()
-	defer b.l.RUnlock()
-
-	if b.raft != nil {
-		return nil, errors.New("raft storage is initialized, used GetConfiguration instead")
-	}
-
-	if b.fsm == nil {
-		return nil, nil
-	}
-
-	state, configuration := b.fsm.LatestState()
-	config := &RaftConfigurationResponse{
-		Index: state.Index,
-	}
-
-	if configuration == nil || configuration.Servers == nil {
-		return config, nil
-	}
-
-	for _, server := range configuration.Servers {
-		entry := &RaftServer{
-			NodeID:  server.Id,
-			Address: server.Address,
-			// Since we are offline no node is the leader.
-			Leader: false,
-			Voter:  raft.ServerSuffrage(server.Suffrage) == raft.Voter,
-		}
-		config.Servers = append(config.Servers, entry)
-	}
-
-	return config, nil
-}
+func (c *OperatorRaftRemovePeerCommand) Run(args []string) int {
+	f := c.Flags()
 
-func (b *RaftBackend) GetConfiguration(ctx context.Context) (*RaftConfigurationResponse, error) {
-	if err := ctx.Err(); err != nil {
-		return nil, err
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
 	}
 
-	b.l.RLock()
-	defer b.l.RUnlock()
+	serverID := ""
 
-	if b.raft == nil {
-		return nil, errors.New("raft storage is not initialized")
-	}
-
-	future := b.raft.GetConfiguration()
-	if err := future.Error(); err != nil {
-		return nil, err
-	}
-
-	config := &RaftConfigurationResponse{
-		Index: future.Index(),
-	}
-
-	for _, server := range future.Configuration().Servers {
-		entry := &RaftServer{
-			NodeID:  string(server.ID),
-			Address: string(server.Address),
-			// Since we only service this request on the active node our node ID
-			// denotes the raft leader.
-			Leader:          string(server.ID) == b.NodeID(),
-			Voter:           server.Suffrage == raft.Voter,
-			ProtocolVersion: strconv.Itoa(raft.ProtocolVersionMax),
-		}
-
-		config.Servers = append(config.Servers, entry)
-	}
-
-	return config, nil
-}
-
-// AddPeer adds a new server to the raft cluster
-func (b *RaftBackend) AddPeer(ctx context.Context, peerID, clusterAddr string) error {
-	if err := ctx.Err(); err != nil {
-		return err
-	}
-
-	b.l.RLock()
-	defer b.l.RUnlock()
-
-	if b.disableAutopilot {
-		if b.raft == nil {
-			return errors.New("raft storage is not initialized")
-		}
-		b.logger.Trace("adding server to raft", "id", peerID)
-		future := b.raft.AddVoter(raft.ServerID(peerID), raft.ServerAddress(clusterAddr), 0, 0)
-		return future.Error()
-	}
-
-	if b.autopilot == nil {
-		return errors.New("raft storage autopilot is not initialized")
-	}
-
-	b.logger.Trace("adding server to raft via autopilot", "id", peerID)
-	return b.autopilot.AddServer(&autopilot.Server{
-		ID:          raft.ServerID(peerID),
-		Name:        peerID,
-		Address:     raft.ServerAddress(clusterAddr),
-		RaftVersion: raft.ProtocolVersionMax,
-		NodeType:    autopilot.NodeVoter,
-	})
-}
-
-// Peers returns all the servers present in the raft cluster
-func (b *RaftBackend) Peers(ctx context.Context) ([]Peer, error) {
-	if err := ctx.Err(); err != nil {
-		return nil, err
-	}
-
-	b.l.RLock()
-	defer b.l.RUnlock()
-
-	if b.raft == nil {
-		return nil, errors.New("raft storage is not initialized")
-	}
-
-	future := b.raft.GetConfiguration()
-	if err := future.Error(); err != nil {
-		return nil, err
-	}
-
-	ret := make([]Peer, len(future.Configuration().Servers))
-	for i, s := range future.Configuration().Servers {
-		ret[i] = Peer{
-			ID:       string(s.ID),
-			Address:  string(s.Address),
-			Suffrage: int(s.Suffrage),
-		}
-	}
-
-	return ret, nil
-}
-
-// SnapshotHTTP is a wrapper for Snapshot that sends the snapshot as an HTTP
-// response.
-func (b *RaftBackend) SnapshotHTTP(out *logical.HTTPResponseWriter, sealer snapshot.Sealer) error {
-	out.Header().Add("Content-Disposition", "attachment")
-	out.Header().Add("Content-Type", "application/gzip")
-
-	return b.Snapshot(out, sealer)
-}
-
-// Snapshot takes a raft snapshot, packages it into a archive file and writes it
-// to the provided writer. Seal access is used to encrypt the SHASUM file so we
-// can validate the snapshot was taken using the same root keys or not.
-func (b *RaftBackend) Snapshot(out io.Writer, sealer snapshot.Sealer) error {
-	b.l.RLock()
-	defer b.l.RUnlock()
-
-	if b.raft == nil {
-		return errors.New("raft storage is sealed")
-	}
-
-	return snapshot.Write(b.logger.Named("snapshot"), b.raft, sealer, out)
-}
-
-// WriteSnapshotToTemp reads a snapshot archive off the provided reader,
-// extracts the data and writes the snapshot to a temporary file. The seal
-// access is used to decrypt the SHASUM file in the archive to ensure this
-// snapshot has the same root key as the running instance. If the provided
-// access is nil then it will skip that validation.
-func (b *RaftBackend) WriteSnapshotToTemp(in io.ReadCloser, sealer snapshot.Sealer) (*os.File, func(), raft.SnapshotMeta, error) {
-	b.l.RLock()
-	defer b.l.RUnlock()
-
-	var metadata raft.SnapshotMeta
-	if b.raft == nil {
-		return nil, nil, metadata, errors.New("raft storage is sealed")
-	}
-
-	snap, cleanup, err := snapshot.WriteToTempFileWithSealer(b.logger.Named("snapshot"), in, &metadata, sealer)
-	return snap, cleanup, metadata, err
-}
-
-// RestoreSnapshot applies the provided snapshot metadata and snapshot data to
-// raft.
-func (b *RaftBackend) RestoreSnapshot(ctx context.Context, metadata raft.SnapshotMeta, snap io.Reader) error {
-	if err := ctx.Err(); err != nil {
-		return err
-	}
-
-	b.l.RLock()
-	defer b.l.RUnlock()
-
-	if b.raft == nil {
-		return errors.New("raft storage is not initialized")
-	}
-
-	if err := b.raft.Restore(&metadata, snap, 0); err != nil {
-		b.logger.Named("snapshot").Error("failed to restore snapshot", "error", err)
-		return err
-	}
-
-	// Apply a log that tells the follower nodes to run the restore callback
-	// function. This is done after the restore call so we can be sure the
-	// snapshot applied to a quorum of nodes.
-	command := &LogData{
-		Operations: []*LogOperation{
-			{
-				OpType: restoreCallbackOp,
-			},
-		},
-	}
-
-	err := b.applyLog(ctx, command)
-
-	// Do a best-effort attempt to let the standbys apply the restoreCallbackOp
-	// before we continue.
-	time.Sleep(restoreOpDelayDuration)
-	return err
-}
-
-// Delete inserts an entry in the log to delete the given path
-func (b *RaftBackend) Delete(ctx context.Context, path string) error {
-	defer metrics.MeasureSince([]string{"raft-storage", "delete"}, time.Now())
-
-	if err := ctx.Err(); err != nil {
-		return err
-	}
-
-	command := &LogData{
-		Operations: []*LogOperation{
-			{
-				OpType: deleteOp,
-				Key:    path,
-			},
-		},
-	}
-	b.permitPool.Acquire()
-	defer b.permitPool.Release()
-
-	b.l.RLock()
-	err := b.applyLog(ctx, command)
-	b.l.RUnlock()
-	return err
-}
-
-// Get returns the value corresponding to the given path from the fsm
-func (b *RaftBackend) Get(ctx context.Context, path string) (*physical.Entry, error) {
-	defer metrics.MeasureSince([]string{"raft-storage", "get"}, time.Now())
-	if b.fsm == nil {
-		return nil, errors.New("raft: fsm not configured")
-	}
-
-	if err := ctx.Err(); err != nil {
-		return nil, err
-	}
-
-	b.permitPool.Acquire()
-	defer b.permitPool.Release()
-
-	if err := ctx.Err(); err != nil {
-		return nil, err
-	}
-
-	entry, err := b.fsm.Get(ctx, path)
-	if entry != nil {
-		valueLen := len(entry.Value)
-		if uint64(valueLen) > b.maxEntrySize {
-			b.logger.Warn("retrieved entry value is too large, has raft's max_entry_size been reduced?",
-				"size", valueLen, "max_entry_size", b.maxEntrySize)
-		}
-	}
-
-	return entry, err
-}
-
-// Put inserts an entry in the log for the put operation. It will return an
-// error if the resulting entry encoding exceeds the configured max_entry_size
-// or if the call to applyLog fails.
-func (b *RaftBackend) Put(ctx context.Context, entry *physical.Entry) error {
-	defer metrics.MeasureSince([]string{"raft-storage", "put"}, time.Now())
-	if len(entry.Key) > bolt.MaxKeySize {
-		return fmt.Errorf("%s, max key size for integrated storage is %d", physical.ErrKeyTooLarge, bolt.MaxKeySize)
-	}
-
-	if err := ctx.Err(); err != nil {
-		return err
-	}
-
-	command := &LogData{
-		Operations: []*LogOperation{
-			{
-				OpType: putOp,
-				Key:    entry.Key,
-				Value:  entry.Value,
-			},
-		},
-	}
-
-	b.permitPool.Acquire()
-	defer b.permitPool.Release()
-
-	b.l.RLock()
-	err := b.applyLog(ctx, command)
-	b.l.RUnlock()
-	return err
-}
-
-// List enumerates all the items under the prefix from the fsm
-func (b *RaftBackend) List(ctx context.Context, prefix string) ([]string, error) {
-	defer metrics.MeasureSince([]string{"raft-storage", "list"}, time.Now())
-	if b.fsm == nil {
-		return nil, errors.New("raft: fsm not configured")
-	}
-
-	if err := ctx.Err(); err != nil {
-		return nil, err
-	}
-
-	b.permitPool.Acquire()
-	defer b.permitPool.Release()
-
-	if err := ctx.Err(); err != nil {
-		return nil, err
-	}
-
-	return b.fsm.List(ctx, prefix)
-}
-
-// Transaction applies all the given operations into a single log and
-// applies it.
-func (b *RaftBackend) Transaction(ctx context.Context, txns []*physical.TxnEntry) error {
-	defer metrics.MeasureSince([]string{"raft-storage", "transaction"}, time.Now())
-
-	if err := ctx.Err(); err != nil {
-		return err
-	}
-
-	failGetInTxn := atomic.LoadUint32(b.failGetInTxn)
-	for _, t := range txns {
-		if t.Operation == physical.GetOperation && failGetInTxn != 0 {
-			return GetInTxnDisabledError
-		}
-	}
-
-	txnMap := make(map[string]*physical.TxnEntry)
-
-	command := &LogData{
-		Operations: make([]*LogOperation, len(txns)),
-	}
-	for i, txn := range txns {
-		op := &LogOperation{}
-		switch txn.Operation {
-		case physical.PutOperation:
-			if len(txn.Entry.Key) > bolt.MaxKeySize {
-				return fmt.Errorf("%s, max key size for integrated storage is %d", physical.ErrKeyTooLarge, bolt.MaxKeySize)
-			}
-			op.OpType = putOp
-			op.Key = txn.Entry.Key
-			op.Value = txn.Entry.Value
-		case physical.DeleteOperation:
-			op.OpType = deleteOp
-			op.Key = txn.Entry.Key
-		case physical.GetOperation:
-			op.OpType = getOp
-			op.Key = txn.Entry.Key
-			txnMap[op.Key] = txn
-		default:
-			return fmt.Errorf("%q is not a supported transaction operation", txn.Operation)
-		}
-
-		command.Operations[i] = op
-	}
-
-	b.permitPool.Acquire()
-	defer b.permitPool.Release()
-
-	b.l.RLock()
-	err := b.applyLog(ctx, command)
-	b.l.RUnlock()
-
-	// loop over results and update pointers to get operations
-	for _, logOp := range command.Operations {
-		if logOp.OpType == getOp {
-			if txn, found := txnMap[logOp.Key]; found {
-				txn.Entry.Value = logOp.Value
-			}
-		}
-	}
-
-	return err
-}
-
-// applyLog will take a given log command and apply it to the raft log. applyLog
-// doesn't return until the log has been applied to a quorum of servers and is
-// persisted to the local FSM. Caller should hold the backend's read lock.
-func (b *RaftBackend) applyLog(ctx context.Context, command *LogData) error {
-	if b.raft == nil {
-		return errors.New("raft storage is not initialized")
-	}
-	if err := ctx.Err(); err != nil {
-		return err
-	}
-
-	commandBytes, err := proto.Marshal(command)
-	if err != nil {
-		return err
-	}
-
-	cmdSize := len(commandBytes)
-	if uint64(cmdSize) > b.maxEntrySize {
-		return fmt.Errorf("%s; got %d bytes, max: %d bytes", physical.ErrValueTooLarge, cmdSize, b.maxEntrySize)
-	}
-
-	defer metrics.AddSample([]string{"raft-storage", "entry_size"}, float32(cmdSize))
-
-	var chunked bool
-	var applyFuture raft.ApplyFuture
-	switch {
-	case len(commandBytes) <= raftchunking.ChunkSize:
-		applyFuture = b.raft.Apply(commandBytes, 0)
+	args = f.Args()
+	switch len(args) {
+	case 1:
+		serverID = strings.TrimSpace(args[0])
 	default:
-		chunked = true
-		applyFuture = raftchunking.ChunkingApply(commandBytes, nil, 0, b.raft.ApplyLog)
+		c.UI.Error(fmt.Sprintf("Incorrect arguments (expected 1, got %d)", len(args)))
+		return 1
 	}
 
-	if err := applyFuture.Error(); err != nil {
-		return err
+	if len(serverID) == 0 {
+		c.UI.Error("Server id is required")
+		return 1
 	}
 
-	resp := applyFuture.Response()
-
-	if chunked {
-		// In this case we didn't apply all chunks successfully, possibly due
-		// to a term change
-		if resp == nil {
-			// This returns the error in the interface because the raft library
-			// returns errors from the FSM via the future, not via err from the
-			// apply function. Downstream client code expects to see any error
-			// from the FSM (as opposed to the apply itself) and decide whether
-			// it can retry in the future's response.
-			return errors.New("applying chunking failed, please retry")
-		}
-
-		// We expect that this conversion should always work
-		chunkedSuccess, ok := resp.(raftchunking.ChunkingSuccess)
-		if !ok {
-			return errors.New("unknown type of response back from chunking FSM")
-		}
-
-		// Replace the reply with the inner wrapped version
-		resp = chunkedSuccess.Response
-	}
-
-	fsmar, ok := resp.(*FSMApplyResponse)
-	if !ok || !fsmar.Success {
-		return errors.New("could not apply data")
-	}
-
-	// populate command with our results
-	if fsmar.EntrySlice == nil {
-		return errors.New("entries on FSM response were empty")
-	}
-
-	for i, logOp := range command.Operations {
-		if logOp.OpType == getOp {
-			fsmEntry := fsmar.EntrySlice[i]
-
-			// this should always be true because the entries in the slice were created in the same order as
-			// the command operations.
-			if logOp.Key == fsmEntry.Key {
-				if len(fsmEntry.Value) > 0 {
-					logOp.Value = fsmEntry.Value
-				}
-			} else {
-				// this shouldn't happen
-				return errors.New("entries in FSM response were out of order")
-			}
-		}
-	}
-
-	return nil
-}
-
-// HAEnabled is the implementation of the HABackend interface
-func (b *RaftBackend) HAEnabled() bool { return true }
-
-// HAEnabled is the implementation of the HABackend interface
-func (b *RaftBackend) LockWith(key, value string) (physical.Lock, error) {
-	return &RaftLock{
-		key:   key,
-		value: []byte(value),
-		b:     b,
-	}, nil
-}
-
-// SetDesiredSuffrage sets a field in the fsm indicating the suffrage intent for
-// this node.
-func (b *RaftBackend) SetDesiredSuffrage(nonVoter bool) error {
-	b.l.Lock()
-	defer b.l.Unlock()
-
-	var desiredSuffrage string
-	switch nonVoter {
-	case true:
-		desiredSuffrage = "non-voter"
-	default:
-		desiredSuffrage = "voter"
-	}
-
-	err := b.fsm.recordSuffrage(desiredSuffrage)
+	client, err := c.Client()
 	if err != nil {
-		return err
+		c.UI.Error(err.Error())
+		return 2
 	}
 
-	return nil
-}
-
-func (b *RaftBackend) DesiredSuffrage() string {
-	return b.fsm.DesiredSuffrage()
-}
-
-// RaftLock implements the physical Lock interface and enables HA for this
-// backend. The Lock uses the raftNotifyCh for receiving leadership edge
-// triggers. Vault's active duty matches raft's leadership.
-type RaftLock struct {
-	key   string
-	value []byte
-
-	b *RaftBackend
-}
-
-// monitorLeadership waits until we receive an update on the raftNotifyCh and
-// closes the leaderLost channel.
-func (l *RaftLock) monitorLeadership(stopCh <-chan struct{}, leaderNotifyCh <-chan bool) <-chan struct{} {
-	leaderLost := make(chan struct{})
-	go func() {
-		for {
-			select {
-			case isLeader := <-leaderNotifyCh:
-				// leaderNotifyCh may deliver a true value initially if this
-				// server is already the leader prior to RaftLock.Lock call
-				// (the true message was already queued). The next message is
-				// always going to be false. The for loop should loop at most
-				// twice.
-				if !isLeader {
-					close(leaderLost)
-					return
-				}
-			case <-stopCh:
-				return
-			}
-		}
-	}()
-	return leaderLost
-}
-
-// Lock blocks until we become leader or are shutdown. It returns a channel that
-// is closed when we detect a loss of leadership.
-func (l *RaftLock) Lock(stopCh <-chan struct{}) (<-chan struct{}, error) {
-	// If not initialized, block until it is
-	if !l.b.Initialized() {
-		select {
-		case <-l.b.raftInitCh:
-		case <-stopCh:
-			return nil, nil
-		}
-	}
-
-	l.b.l.RLock()
-
-	// Ensure that we still have a raft instance after grabbing the read lock
-	if l.b.raft == nil {
-		l.b.l.RUnlock()
-		return nil, errors.New("attempted to grab a lock on a nil raft backend")
-	}
-
-	// Cache the notifyCh locally
-	leaderNotifyCh := l.b.raftNotifyCh
-
-	// Check to see if we are already leader.
-	if l.b.raft.State() == raft.Leader {
-		err := l.b.applyLog(context.Background(), &LogData{
-			Operations: []*LogOperation{
-				{
-					OpType: putOp,
-					Key:    l.key,
-					Value:  l.value,
-				},
-			},
-		})
-		l.b.l.RUnlock()
-		if err != nil {
-			return nil, err
-		}
-
-		return l.monitorLeadership(stopCh, leaderNotifyCh), nil
-	}
-	l.b.l.RUnlock()
-
-	for {
-		select {
-		case isLeader := <-leaderNotifyCh:
-			if isLeader {
-				// We are leader, set the key
-				l.b.l.RLock()
-				err := l.b.applyLog(context.Background(), &LogData{
-					Operations: []*LogOperation{
-						{
-							OpType: putOp,
-							Key:    l.key,
-							Value:  l.value,
-						},
-					},
-				})
-				l.b.l.RUnlock()
-				if err != nil {
-					return nil, err
-				}
-
-				return l.monitorLeadership(stopCh, leaderNotifyCh), nil
-			}
-		case <-stopCh:
-			return nil, nil
-		}
-	}
-}
-
-// Unlock gives up leadership.
-func (l *RaftLock) Unlock() error {
-	if l.b.raft == nil {
-		return nil
-	}
-
-	return l.b.raft.LeadershipTransfer().Error()
-}
-
-// Value reads the value of the lock. This informs us who is currently leader.
-func (l *RaftLock) Value() (bool, string, error) {
-	e, err := l.b.Get(context.Background(), l.key)
+	_, err = client.Logical().Write("sys/storage/raft/remove-peer", map[string]interface{}{
+		"server_id":          serverID,
+		"dr_operation_token": c.flagDRToken,
+	})
 	if err != nil {
-		return false, "", err
-	}
-	if e == nil {
-		return false, "", nil
-	}
-
-	value := string(e.Value)
-	// TODO: how to tell if held?
-	return true, value, nil
-}
-
-// boltOptions returns a bolt.Options struct, suitable for passing to
-// bolt.Open(), pre-configured with all of our preferred defaults.
-func boltOptions(path string) *bolt.Options {
-	o := &bolt.Options{
-		Timeout:        1 * time.Second,
-		FreelistType:   bolt.FreelistMapType,
-		NoFreelistSync: true,
-		MmapFlags:      getMmapFlags(path),
-	}
-
-	if os.Getenv("VAULT_RAFT_FREELIST_TYPE") == "array" {
-		o.FreelistType = bolt.FreelistArrayType
+		c.UI.Error(fmt.Sprintf("Error removing the peer from raft cluster: %s", err))
+		return 2
 	}
 
-	if os.Getenv("VAULT_RAFT_FREELIST_SYNC") != "" {
-		o.NoFreelistSync = false
-	}
-
-	// By default, we want to set InitialMmapSize to 100GB, but only on 64bit platforms.
-	// Otherwise, we set it to whatever the value of VAULT_RAFT_INITIAL_MMAP_SIZE
-	// is, assuming it can be parsed as an int. Bolt itself sets this to 0 by default,
-	// so if users are wanting to turn this off, they can also set it to 0. Setting it
-	// to a negative value is the same as not setting it at all.
-	if os.Getenv("VAULT_RAFT_INITIAL_MMAP_SIZE") == "" {
-		o.InitialMmapSize = initialMmapSize
-	} else {
-		imms, err := strconv.Atoi(os.Getenv("VAULT_RAFT_INITIAL_MMAP_SIZE"))
-
-		// If there's an error here, it means they passed something that's not convertible to
-		// a number. Rather than fail startup, just ignore it.
-		if err == nil && imms > 0 {
-			o.InitialMmapSize = imms
-		}
-	}
+	c.UI.Output("Peer removed successfully!")
 
-	return o
+	return 0
 }
diff --git a/physical/raft/raft_test.go b/physical/raft/raft_test.go
index cc3594f0f12d..02fc4c2b8a43 100644
--- a/physical/raft/raft_test.go
+++ b/physical/raft/raft_test.go
@@ -1,765 +1,50 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package raft
+package command
 
 import (
-	"bytes"
-	"context"
-	"crypto/md5"
-	"encoding/base64"
-	"encoding/hex"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"math/rand"
-	"os"
-	"path/filepath"
 	"strings"
-	"testing"
-	"time"
 
-	"github.com/go-test/deep"
-	"github.com/golang/protobuf/proto"
-	"github.com/hashicorp/go-hclog"
-	"github.com/hashicorp/go-secure-stdlib/base62"
-	"github.com/hashicorp/go-uuid"
-	"github.com/hashicorp/raft"
-	"github.com/hashicorp/vault/sdk/helper/jsonutil"
-	"github.com/hashicorp/vault/sdk/physical"
-	bolt "go.etcd.io/bbolt"
+	"github.com/hashicorp/cli"
 )
 
-func connectPeers(nodes ...*RaftBackend) {
-	for _, node := range nodes {
-		for _, peer := range nodes {
-			if node == peer {
-				continue
-			}
+var _ cli.Command = (*OperatorRaftSnapshotCommand)(nil)
 
-			node.raftTransport.(*raft.InmemTransport).Connect(raft.ServerAddress(peer.NodeID()), peer.raftTransport)
-			peer.raftTransport.(*raft.InmemTransport).Connect(raft.ServerAddress(node.NodeID()), node.raftTransport)
-		}
-	}
+type OperatorRaftSnapshotCommand struct {
+	*BaseCommand
 }
 
-func stepDownLeader(t *testing.T, node *RaftBackend) {
-	t.Helper()
-
-	if err := node.raft.LeadershipTransfer().Error(); err != nil {
-		t.Fatal(err)
-	}
-
-	timeout := time.Now().Add(time.Second * 10)
-	for !time.Now().After(timeout) {
-		if err := node.raft.VerifyLeader().Error(); err != nil {
-			return
-		}
-		time.Sleep(100 * time.Millisecond)
-	}
-
-	t.Fatal("still leader")
-}
-
-func waitForLeader(t *testing.T, nodes ...*RaftBackend) *RaftBackend {
-	t.Helper()
-	timeout := time.Now().Add(time.Second * 10)
-	for !time.Now().After(timeout) {
-		for _, node := range nodes {
-			if node.raft.Leader() == raft.ServerAddress(node.NodeID()) {
-				return node
-			}
-		}
-		time.Sleep(100 * time.Millisecond)
-	}
-
-	t.Fatal("no leader")
-	return nil
-}
-
-func compareFSMs(t *testing.T, fsm1, fsm2 *FSM) {
-	t.Helper()
-	if err := compareFSMsWithErr(t, fsm1, fsm2); err != nil {
-		t.Fatal(err)
-	}
-}
-
-func compareFSMsWithErr(t *testing.T, fsm1, fsm2 *FSM) error {
-	t.Helper()
-	index1, config1 := fsm1.LatestState()
-	index2, config2 := fsm2.LatestState()
-
-	if !proto.Equal(index1, index2) {
-		return fmt.Errorf("indexes did not match: %+v != %+v", index1, index2)
-	}
-	if !proto.Equal(config1, config2) {
-		return fmt.Errorf("configs did not match: %+v != %+v", config1, config2)
-	}
-
-	return compareDBs(t, fsm1.getDB(), fsm2.getDB(), false)
-}
-
-func compareDBs(t *testing.T, boltDB1, boltDB2 *bolt.DB, dataOnly bool) error {
-	t.Helper()
-	db1 := make(map[string]string)
-	db2 := make(map[string]string)
-
-	err := boltDB1.View(func(tx *bolt.Tx) error {
-		c := tx.Cursor()
-		for bucketName, _ := c.First(); bucketName != nil; bucketName, _ = c.Next() {
-			if dataOnly && !bytes.Equal(bucketName, dataBucketName) {
-				continue
-			}
-
-			b := tx.Bucket(bucketName)
-
-			cBucket := b.Cursor()
-
-			for k, v := cBucket.First(); k != nil; k, v = cBucket.Next() {
-				db1[string(k)] = base64.StdEncoding.EncodeToString(v)
-			}
-		}
-
-		return nil
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = boltDB2.View(func(tx *bolt.Tx) error {
-		c := tx.Cursor()
-		for bucketName, _ := c.First(); bucketName != nil; bucketName, _ = c.Next() {
-			if dataOnly && !bytes.Equal(bucketName, dataBucketName) {
-				continue
-			}
-			b := tx.Bucket(bucketName)
-
-			c := b.Cursor()
-
-			for k, v := c.First(); k != nil; k, v = c.Next() {
-				db2[string(k)] = base64.StdEncoding.EncodeToString(v)
-			}
-		}
-
-		return nil
-	})
-
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if diff := deep.Equal(db1, db2); diff != nil {
-		return fmt.Errorf("%+v", diff)
-	}
-
-	return nil
-}
-
-func TestRaft_Backend(t *testing.T) {
-	b, dir := GetRaft(t, true, true)
-	defer os.RemoveAll(dir)
-
-	physical.ExerciseBackend(t, b)
-}
-
-func TestRaft_ParseAutopilotUpgradeVersion(t *testing.T) {
-	raftDir, err := ioutil.TempDir("", "vault-raft-")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer os.RemoveAll(raftDir)
-
-	conf := map[string]string{
-		"path":                      raftDir,
-		"node_id":                   "abc123",
-		"autopilot_upgrade_version": "hahano",
-	}
-
-	_, err = NewRaftBackend(conf, hclog.NewNullLogger())
-	if err == nil {
-		t.Fatal("expected an error but got none")
-	}
-
-	if !strings.Contains(err.Error(), "does not parse") {
-		t.Fatal("expected an error about unparseable versions but got none")
-	}
-}
-
-func TestRaft_ParseNonVoter(t *testing.T) {
-	p := func(s string) *string {
-		return &s
-	}
-
-	for _, retryJoinConf := range []string{"", "not-empty"} {
-		t.Run(retryJoinConf, func(t *testing.T) {
-			for name, tc := range map[string]struct {
-				envValue             *string
-				configValue          *string
-				expectNonVoter       bool
-				invalidNonVoterValue bool
-			}{
-				"valid false":                {nil, p("false"), false, false},
-				"valid true":                 {nil, p("true"), true, false},
-				"invalid empty":              {nil, p(""), false, true},
-				"invalid truthy":             {nil, p("no"), false, true},
-				"invalid":                    {nil, p("totallywrong"), false, true},
-				"valid env false":            {p("false"), nil, true, false},
-				"valid env true":             {p("true"), nil, true, false},
-				"valid env not boolean":      {p("anything"), nil, true, false},
-				"valid env empty":            {p(""), nil, false, false},
-				"neither set, default false": {nil, nil, false, false},
-				"both set, env preferred":    {p("true"), p("false"), true, false},
-			} {
-				t.Run(name, func(t *testing.T) {
-					if tc.envValue != nil {
-						t.Setenv(EnvVaultRaftNonVoter, *tc.envValue)
-					}
-					raftDir, err := ioutil.TempDir("", "vault-raft-")
-					if err != nil {
-						t.Fatal(err)
-					}
-					defer os.RemoveAll(raftDir)
-
-					conf := map[string]string{
-						"path":       raftDir,
-						"node_id":    "abc123",
-						"retry_join": retryJoinConf,
-					}
-					if tc.configValue != nil {
-						conf[raftNonVoterConfigKey] = *tc.configValue
-					}
-
-					backend, err := NewRaftBackend(conf, hclog.NewNullLogger())
-					switch {
-					case tc.invalidNonVoterValue || (retryJoinConf == "" && tc.expectNonVoter):
-						if err == nil {
-							t.Fatal("expected an error but got none")
-						}
-					default:
-						if err != nil {
-							t.Fatalf("expected no error but got: %s", err)
-						}
-
-						raftBackend := backend.(*RaftBackend)
-						if tc.expectNonVoter != raftBackend.NonVoter() {
-							t.Fatalf("expected %s %v but got %v", raftNonVoterConfigKey, tc.expectNonVoter, raftBackend.NonVoter())
-						}
-					}
-				})
-			}
-		})
-	}
-}
-
-func TestRaft_Backend_LargeKey(t *testing.T) {
-	b, dir := GetRaft(t, true, true)
-	defer os.RemoveAll(dir)
-
-	key, err := base62.Random(bolt.MaxKeySize + 1)
-	if err != nil {
-		t.Fatal(err)
-	}
-	entry := &physical.Entry{Key: key, Value: []byte(key)}
-
-	err = b.Put(context.Background(), entry)
-	if err == nil {
-		t.Fatal("expected error for put entry")
-	}
-
-	if !strings.Contains(err.Error(), physical.ErrKeyTooLarge) {
-		t.Fatalf("expected %q, got %v", physical.ErrKeyTooLarge, err)
-	}
-
-	out, err := b.Get(context.Background(), entry.Key)
-	if err != nil {
-		t.Fatalf("unexpected error after failed put: %v", err)
-	}
-	if out != nil {
-		t.Fatal("expected response entry to be nil after a failed put")
-	}
-}
-
-func TestRaft_Backend_LargeValue(t *testing.T) {
-	b, dir := GetRaft(t, true, true)
-	defer os.RemoveAll(dir)
-
-	value := make([]byte, defaultMaxEntrySize+1)
-	rand.Read(value)
-	entry := &physical.Entry{Key: "foo", Value: value}
-
-	err := b.Put(context.Background(), entry)
-	if err == nil {
-		t.Fatal("expected error for put entry")
-	}
-
-	if !strings.Contains(err.Error(), physical.ErrValueTooLarge) {
-		t.Fatalf("expected %q, got %v", physical.ErrValueTooLarge, err)
-	}
-
-	out, err := b.Get(context.Background(), entry.Key)
-	if err != nil {
-		t.Fatalf("unexpected error after failed put: %v", err)
-	}
-	if out != nil {
-		t.Fatal("expected response entry to be nil after a failed put")
-	}
-}
-
-// TestRaft_TransactionalBackend_GetTransactions tests that passing a slice of transactions to the
-// raft backend will populate values for any transactions that are Get operations.
-func TestRaft_TransactionalBackend_GetTransactions(t *testing.T) {
-	b, dir := GetRaft(t, true, true)
-	defer os.RemoveAll(dir)
-
-	ctx := context.Background()
-	txns := make([]*physical.TxnEntry, 0)
-
-	// Add some seed values to our FSM, and prepare our slice of transactions at the same time
-	for i := 0; i < 5; i++ {
-		key := fmt.Sprintf("foo/%d", i)
-		err := b.fsm.Put(ctx, &physical.Entry{Key: key, Value: []byte(fmt.Sprintf("value-%d", i))})
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		txns = append(txns, &physical.TxnEntry{
-			Operation: physical.GetOperation,
-			Entry: &physical.Entry{
-				Key: key,
-			},
-		})
-	}
-
-	// Add some additional transactions, so we have a mix of operations
-	for i := 0; i < 10; i++ {
-		txnEntry := &physical.TxnEntry{
-			Entry: &physical.Entry{
-				Key: fmt.Sprintf("lol-%d", i),
-			},
-		}
-
-		if i%2 == 0 {
-			txnEntry.Operation = physical.PutOperation
-			txnEntry.Entry.Value = []byte("lol")
-		} else {
-			txnEntry.Operation = physical.DeleteOperation
-		}
-
-		txns = append(txns, txnEntry)
-	}
-
-	err := b.Transaction(ctx, txns)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Check that our Get operations were populated with their values
-	for i, txn := range txns {
-		if txn.Operation == physical.GetOperation {
-			val := []byte(fmt.Sprintf("value-%d", i))
-			if !bytes.Equal(val, txn.Entry.Value) {
-				t.Fatalf("expected %s to equal %s but it didn't", hex.EncodeToString(val), hex.EncodeToString(txn.Entry.Value))
-			}
-		}
-	}
-}
-
-func TestRaft_TransactionalBackend_LargeKey(t *testing.T) {
-	b, dir := GetRaft(t, true, true)
-	defer os.RemoveAll(dir)
-
-	value := make([]byte, defaultMaxEntrySize+1)
-	rand.Read(value)
-
-	key, err := base62.Random(bolt.MaxKeySize + 1)
-	if err != nil {
-		t.Fatal(err)
-	}
-	txns := []*physical.TxnEntry{
-		{
-			Operation: physical.PutOperation,
-			Entry: &physical.Entry{
-				Key:   key,
-				Value: []byte(key),
-			},
-		},
-	}
-
-	err = b.Transaction(context.Background(), txns)
-	if err == nil {
-		t.Fatal("expected error for transactions")
-	}
-
-	if !strings.Contains(err.Error(), physical.ErrKeyTooLarge) {
-		t.Fatalf("expected %q, got %v", physical.ErrValueTooLarge, err)
-	}
-
-	out, err := b.Get(context.Background(), txns[0].Entry.Key)
-	if err != nil {
-		t.Fatalf("unexpected error after failed put: %v", err)
-	}
-	if out != nil {
-		t.Fatal("expected response entry to be nil after a failed put")
-	}
-}
-
-func TestRaft_TransactionalBackend_LargeValue(t *testing.T) {
-	b, dir := GetRaft(t, true, true)
-	defer os.RemoveAll(dir)
-
-	value := make([]byte, defaultMaxEntrySize+1)
-	rand.Read(value)
-
-	txns := []*physical.TxnEntry{
-		{
-			Operation: physical.PutOperation,
-			Entry: &physical.Entry{
-				Key:   "foo",
-				Value: value,
-			},
-		},
-	}
-
-	err := b.Transaction(context.Background(), txns)
-	if err == nil {
-		t.Fatal("expected error for transactions")
-	}
-
-	if !strings.Contains(err.Error(), physical.ErrValueTooLarge) {
-		t.Fatalf("expected %q, got %v", physical.ErrValueTooLarge, err)
-	}
-
-	out, err := b.Get(context.Background(), txns[0].Entry.Key)
-	if err != nil {
-		t.Fatalf("unexpected error after failed put: %v", err)
-	}
-	if out != nil {
-		t.Fatal("expected response entry to be nil after a failed put")
-	}
-}
-
-func TestRaft_Backend_ListPrefix(t *testing.T) {
-	b, dir := GetRaft(t, true, true)
-	defer os.RemoveAll(dir)
-
-	physical.ExerciseBackend_ListPrefix(t, b)
-}
-
-func TestRaft_TransactionalBackend(t *testing.T) {
-	b, dir := GetRaft(t, true, true)
-	defer os.RemoveAll(dir)
-
-	physical.ExerciseTransactionalBackend(t, b)
-}
-
-func TestRaft_HABackend(t *testing.T) {
-	t.Skip()
-	raft, dir := GetRaft(t, true, true)
-	defer os.RemoveAll(dir)
-	raft2, dir2 := GetRaft(t, false, true)
-	defer os.RemoveAll(dir2)
-
-	// Add raft2 to the cluster
-	addPeer(t, raft, raft2)
-
-	physical.ExerciseHABackend(t, raft, raft2)
-}
-
-func TestRaft_Backend_ThreeNode(t *testing.T) {
-	raft1, dir := GetRaft(t, true, true)
-	raft2, dir2 := GetRaft(t, false, true)
-	raft3, dir3 := GetRaft(t, false, true)
-	defer os.RemoveAll(dir)
-	defer os.RemoveAll(dir2)
-	defer os.RemoveAll(dir3)
-
-	// Add raft2 to the cluster
-	addPeer(t, raft1, raft2)
-
-	// Add raft3 to the cluster
-	addPeer(t, raft1, raft3)
-
-	physical.ExerciseBackend(t, raft1)
-
-	time.Sleep(10 * time.Second)
-	// Make sure all stores are the same
-	compareFSMs(t, raft1.fsm, raft2.fsm)
-	compareFSMs(t, raft1.fsm, raft3.fsm)
-}
-
-func TestRaft_GetOfflineConfig(t *testing.T) {
-	// Create 3 raft nodes
-	raft1, dir1 := GetRaft(t, true, true)
-	raft2, dir2 := GetRaft(t, false, true)
-	raft3, dir3 := GetRaft(t, false, true)
-	defer os.RemoveAll(dir1)
-	defer os.RemoveAll(dir2)
-	defer os.RemoveAll(dir3)
-
-	// Add them all to the cluster
-	addPeer(t, raft1, raft2)
-	addPeer(t, raft1, raft3)
-
-	// Add some data into the FSM
-	physical.ExerciseBackend(t, raft1)
-
-	time.Sleep(10 * time.Second)
-
-	// Spin down the raft cluster and check that GetConfigurationOffline
-	// returns 3 voters
-	raft3.TeardownCluster(nil)
-	raft2.TeardownCluster(nil)
-	raft1.TeardownCluster(nil)
-
-	conf, err := raft1.GetConfigurationOffline()
-	if err != nil {
-		t.Fatal(err)
-	}
-	if len(conf.Servers) != 3 {
-		t.Fatalf("three raft nodes existed but we only see %d", len(conf.Servers))
-	}
-	for _, s := range conf.Servers {
-		if s.Voter != true {
-			t.Fatalf("one of the nodes is not a voter")
-		}
-	}
+func (c *OperatorRaftSnapshotCommand) Synopsis() string {
+	return "Restores and saves snapshots from the Raft cluster"
 }
 
-func TestRaft_Recovery(t *testing.T) {
-	// Create 4 raft nodes
-	raft1, dir1 := GetRaft(t, true, true)
-	raft2, dir2 := GetRaft(t, false, true)
-	raft3, dir3 := GetRaft(t, false, true)
-	raft4, dir4 := GetRaft(t, false, true)
-	defer os.RemoveAll(dir1)
-	defer os.RemoveAll(dir2)
-	defer os.RemoveAll(dir3)
-	defer os.RemoveAll(dir4)
+func (c *OperatorRaftSnapshotCommand) Help() string {
+	helpText := `
+Usage: vault operator raft snapshot <subcommand> [options] [args]
 
-	// Add them all to the cluster
-	addPeer(t, raft1, raft2)
-	addPeer(t, raft1, raft3)
-	addPeer(t, raft1, raft4)
+  This command groups subcommands for operators interacting with the snapshot
+  functionality of the integrated Raft storage backend. Here are a few examples of
+  the Raft snapshot operator commands:
 
-	// Add some data into the FSM
-	physical.ExerciseBackend(t, raft1)
+  Installs the provided snapshot, returning the cluster to the state defined in it:
 
-	time.Sleep(10 * time.Second)
+      $ vault operator raft snapshot restore raft.snap
 
-	// Bring down all nodes
-	raft1.TeardownCluster(nil)
-	raft2.TeardownCluster(nil)
-	raft3.TeardownCluster(nil)
-	raft4.TeardownCluster(nil)
+  Saves a snapshot of the current state of the Raft cluster into a file:
 
-	// Prepare peers.json
-	type RecoveryPeer struct {
-		ID       string `json:"id"`
-		Address  string `json:"address"`
-		NonVoter bool   `json:"non_voter"`
-	}
+      $ vault operator raft snapshot save raft.snap
 
-	// Leave out node 1 during recovery
-	peersList := make([]*RecoveryPeer, 0, 3)
-	peersList = append(peersList, &RecoveryPeer{
-		ID:       raft1.NodeID(),
-		Address:  raft1.NodeID(),
-		NonVoter: false,
-	})
-	peersList = append(peersList, &RecoveryPeer{
-		ID:       raft2.NodeID(),
-		Address:  raft2.NodeID(),
-		NonVoter: false,
-	})
-	peersList = append(peersList, &RecoveryPeer{
-		ID:       raft4.NodeID(),
-		Address:  raft4.NodeID(),
-		NonVoter: false,
-	})
+  Inspects a snapshot based on a file:
 
-	peersJSONBytes, err := jsonutil.EncodeJSON(peersList)
-	if err != nil {
-		t.Fatal(err)
-	}
-	err = ioutil.WriteFile(filepath.Join(filepath.Join(dir1, raftState), "peers.json"), peersJSONBytes, 0o644)
-	if err != nil {
-		t.Fatal(err)
-	}
-	err = ioutil.WriteFile(filepath.Join(filepath.Join(dir2, raftState), "peers.json"), peersJSONBytes, 0o644)
-	if err != nil {
-		t.Fatal(err)
-	}
-	err = ioutil.WriteFile(filepath.Join(filepath.Join(dir4, raftState), "peers.json"), peersJSONBytes, 0o644)
-	if err != nil {
-		t.Fatal(err)
-	}
+      $ vault operator raft snapshot inspect raft.snap
 
-	// Bring up the nodes again
-	raft1.SetupCluster(context.Background(), SetupOpts{})
-	raft2.SetupCluster(context.Background(), SetupOpts{})
-	raft4.SetupCluster(context.Background(), SetupOpts{})
+  Please see the individual subcommand help for detailed usage information.
+`
 
-	peers, err := raft1.Peers(context.Background())
-	if err != nil {
-		t.Fatal(err)
-	}
-	if len(peers) != 3 {
-		t.Fatalf("failed to recover the cluster")
-	}
-
-	time.Sleep(10 * time.Second)
-
-	compareFSMs(t, raft1.fsm, raft2.fsm)
-	compareFSMs(t, raft1.fsm, raft4.fsm)
+	return strings.TrimSpace(helpText)
 }
 
-func TestRaft_TransactionalBackend_ThreeNode(t *testing.T) {
-	raft1, dir := GetRaft(t, true, true)
-	raft2, dir2 := GetRaft(t, false, true)
-	raft3, dir3 := GetRaft(t, false, true)
-	defer os.RemoveAll(dir)
-	defer os.RemoveAll(dir2)
-	defer os.RemoveAll(dir3)
-
-	// Add raft2 to the cluster
-	addPeer(t, raft1, raft2)
-
-	// Add raft3 to the cluster
-	addPeer(t, raft1, raft3)
-
-	physical.ExerciseTransactionalBackend(t, raft1)
-
-	time.Sleep(10 * time.Second)
-	// Make sure all stores are the same
-	compareFSMs(t, raft1.fsm, raft2.fsm)
-	compareFSMs(t, raft1.fsm, raft3.fsm)
-}
-
-func TestRaft_Backend_Performance(t *testing.T) {
-	b, dir := GetRaft(t, true, false)
-	defer os.RemoveAll(dir)
-
-	defaultConfig := raft.DefaultConfig()
-
-	localConfig := raft.DefaultConfig()
-	b.applyConfigSettings(localConfig)
-
-	if localConfig.ElectionTimeout != defaultConfig.ElectionTimeout*5 {
-		t.Fatalf("bad config: %v", localConfig)
-	}
-	if localConfig.HeartbeatTimeout != defaultConfig.HeartbeatTimeout*5 {
-		t.Fatalf("bad config: %v", localConfig)
-	}
-	if localConfig.LeaderLeaseTimeout != defaultConfig.LeaderLeaseTimeout*5 {
-		t.Fatalf("bad config: %v", localConfig)
-	}
-
-	b.conf = map[string]string{
-		"path":                   dir,
-		"performance_multiplier": "5",
-	}
-
-	localConfig = raft.DefaultConfig()
-	b.applyConfigSettings(localConfig)
-
-	if localConfig.ElectionTimeout != defaultConfig.ElectionTimeout*5 {
-		t.Fatalf("bad config: %v", localConfig)
-	}
-	if localConfig.HeartbeatTimeout != defaultConfig.HeartbeatTimeout*5 {
-		t.Fatalf("bad config: %v", localConfig)
-	}
-	if localConfig.LeaderLeaseTimeout != defaultConfig.LeaderLeaseTimeout*5 {
-		t.Fatalf("bad config: %v", localConfig)
-	}
-
-	b.conf = map[string]string{
-		"path":                   dir,
-		"performance_multiplier": "1",
-	}
-
-	localConfig = raft.DefaultConfig()
-	b.applyConfigSettings(localConfig)
-
-	if localConfig.ElectionTimeout != defaultConfig.ElectionTimeout {
-		t.Fatalf("bad config: %v", localConfig)
-	}
-	if localConfig.HeartbeatTimeout != defaultConfig.HeartbeatTimeout {
-		t.Fatalf("bad config: %v", localConfig)
-	}
-	if localConfig.LeaderLeaseTimeout != defaultConfig.LeaderLeaseTimeout {
-		t.Fatalf("bad config: %v", localConfig)
-	}
+func (c *OperatorRaftSnapshotCommand) Run(args []string) int {
+	return cli.RunResultHelp
 }
-
-func BenchmarkDB_Puts(b *testing.B) {
-	raft, dir := GetRaft(b, true, false)
-	defer os.RemoveAll(dir)
-	raft2, dir2 := GetRaft(b, true, false)
-	defer os.RemoveAll(dir2)
-
-	bench := func(b *testing.B, s physical.Backend, dataSize int) {
-		data, err := uuid.GenerateRandomBytes(dataSize)
-		if err != nil {
-			b.Fatal(err)
-		}
-
-		ctx := context.Background()
-		pe := &physical.Entry{
-			Value: data,
-		}
-		testName := b.Name()
-
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			pe.Key = fmt.Sprintf("%x", md5.Sum([]byte(fmt.Sprintf("%s-%d", testName, i))))
-			err := s.Put(ctx, pe)
-			if err != nil {
-				b.Fatal(err)
-			}
-		}
-	}
-
-	b.Run("256b", func(b *testing.B) { bench(b, raft, 256) })
-	b.Run("256kb", func(b *testing.B) { bench(b, raft2, 256*1024) })
-}
-
-func BenchmarkDB_Snapshot(b *testing.B) {
-	raft, dir := GetRaft(b, true, false)
-	defer os.RemoveAll(dir)
-
-	data, err := uuid.GenerateRandomBytes(256 * 1024)
-	if err != nil {
-		b.Fatal(err)
-	}
-
-	ctx := context.Background()
-	pe := &physical.Entry{
-		Value: data,
-	}
-	testName := b.Name()
-
-	for i := 0; i < 100; i++ {
-		pe.Key = fmt.Sprintf("%x", md5.Sum([]byte(fmt.Sprintf("%s-%d", testName, i))))
-		err = raft.Put(ctx, pe)
-		if err != nil {
-			b.Fatal(err)
-		}
-	}
-
-	bench := func(b *testing.B, s *FSM) {
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			pe.Key = fmt.Sprintf("%x", md5.Sum([]byte(fmt.Sprintf("%s-%d", testName, i))))
-			s.writeTo(ctx, discardCloser{Writer: ioutil.Discard}, discardCloser{Writer: ioutil.Discard})
-		}
-	}
-
-	b.Run("256kb", func(b *testing.B) { bench(b, raft.fsm) })
-}
-
-type discardCloser struct {
-	io.Writer
-}
-
-func (d discardCloser) Close() error               { return nil }
-func (d discardCloser) CloseWithError(error) error { return nil }
diff --git a/physical/raft/snapshot.go b/physical/raft/snapshot.go
index 3eb818574958..43c3fb0e4a13 100644
--- a/physical/raft/snapshot.go
+++ b/physical/raft/snapshot.go
@@ -1,538 +1,568 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package raft
+package command
 
 import (
-	"context"
-	"errors"
+	"archive/tar"
+	"bufio"
+	"bytes"
+	"compress/gzip"
+	"crypto/sha256"
+	"encoding/json"
 	"fmt"
+	"hash"
 	"io"
-	"io/ioutil"
 	"math"
 	"os"
-	"path/filepath"
-	"runtime"
+	"sort"
+	"strconv"
 	"strings"
-	"sync"
-	"time"
-
-	"github.com/golang/protobuf/proto"
-	log "github.com/hashicorp/go-hclog"
-	"github.com/hashicorp/vault/sdk/plugin/pb"
-	"github.com/rboyer/safeio"
-	bolt "go.etcd.io/bbolt"
-	"go.uber.org/atomic"
+	"text/tabwriter"
 
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/raft"
+	protoio "github.com/hashicorp/vault/physical/raft"
+	"github.com/hashicorp/vault/sdk/plugin/pb"
+	"github.com/posener/complete"
 )
 
-const (
-	// boltSnapshotID is the stable ID for any boltDB snapshot. Keeping the ID
-	// stable means there is only ever one bolt snapshot in the system
-	boltSnapshotID = "bolt-snapshot"
-	tmpSuffix      = ".tmp"
-	snapPath       = "snapshots"
+var (
+	_ cli.Command             = (*OperatorRaftSnapshotInspectCommand)(nil)
+	_ cli.CommandAutocomplete = (*OperatorRaftSnapshotInspectCommand)(nil)
 )
 
-// BoltSnapshotStore implements the SnapshotStore interface and allows snapshots
-// to be stored in BoltDB files on local disk. Since we always have an up to
-// date FSM we use a special snapshot ID to indicate that the snapshot can be
-// pulled from the BoltDB file that is currently backing the FSM. This allows us
-// to provide just-in-time snapshots without doing incremental data dumps.
-//
-// When a snapshot is being installed on the node we will Create and Write data
-// to it. This will cause the snapshot store to create a new BoltDB file and
-// write the snapshot data to it. Then, we can simply rename the snapshot to the
-// FSM's filename. This allows us to atomically install the snapshot and
-// reduces the amount of disk i/o. Older snapshots are reaped on startup and
-// before each subsequent snapshot write. This ensures we only have one snapshot
-// on disk at a time.
-type BoltSnapshotStore struct {
-	// path is the directory in which to store file based snapshots
-	path string
-
-	// We hold a copy of the FSM so we can stream snapshots straight out of the
-	// database.
-	fsm *FSM
-
-	logger log.Logger
+type OperatorRaftSnapshotInspectCommand struct {
+	*BaseCommand
+	details bool
+	depth   int
+	filter  string
 }
 
-// BoltSnapshotSink implements SnapshotSink optionally choosing to write to a
-// file.
-type BoltSnapshotSink struct {
-	store  *BoltSnapshotStore
-	logger log.Logger
-	meta   raft.SnapshotMeta
-	trans  raft.Transport
-
-	// These fields will be used if we are writing a snapshot (vs. reading
-	// one)
-	written       atomic.Bool
-	writer        io.WriteCloser
-	writeError    error
-	dir           string
-	parentDir     string
-	doneWritingCh chan struct{}
-
-	l      sync.Mutex
-	closed bool
+func (c *OperatorRaftSnapshotInspectCommand) Synopsis() string {
+	return "Inspects raft snapshot"
 }
 
-// NewBoltSnapshotStore creates a new BoltSnapshotStore based
-// on a base directory.
-func NewBoltSnapshotStore(base string, logger log.Logger, fsm *FSM) (*BoltSnapshotStore, error) {
-	if logger == nil {
-		return nil, fmt.Errorf("no logger provided")
-	}
+func (c *OperatorRaftSnapshotInspectCommand) Help() string {
+	helpText := `
+	Usage: vault operator raft snapshot inspect <snapshot_file>
+	
+	Inspects a snapshot file.
+	
+	$ vault operator raft snapshot inspect raft.snap
+	
+	` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
 
-	// Ensure our path exists
-	path := filepath.Join(base, snapPath)
-	if err := os.MkdirAll(path, 0o700); err != nil && !os.IsExist(err) {
-		return nil, fmt.Errorf("snapshot path not accessible: %v", err)
-	}
+func (c *OperatorRaftSnapshotInspectCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+	f := set.NewFlagSet("Command Options")
 
-	// Setup the store
-	store := &BoltSnapshotStore{
-		logger: logger,
-		fsm:    fsm,
-		path:   path,
-	}
+	f.BoolVar(&BoolVar{
+		Name:    "details",
+		Target:  &c.details,
+		Default: true,
+		Usage:   "Provides information about usage for data stored in the snapshot.",
+	})
 
-	// Cleanup any old or failed snapshots on startup.
-	if err := store.ReapSnapshots(); err != nil {
-		return nil, err
-	}
+	f.IntVar(&IntVar{
+		Name:    "depth",
+		Target:  &c.depth,
+		Default: 2,
+		Usage:   "Can only be used with -details. The key prefix depth used to breakdown KV store data. If set to 0, all keys will be returned. Defaults to 2.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:    "filter",
+		Target:  &c.filter,
+		Default: "",
+		Usage:   "Can only be used with -details. Limits the key breakdown using this prefix filter.",
+	})
 
-	return store, nil
+	return set
 }
 
-// Create is used to start a new snapshot
-func (f *BoltSnapshotStore) Create(version raft.SnapshotVersion, index, term uint64, configuration raft.Configuration, configurationIndex uint64, trans raft.Transport) (raft.SnapshotSink, error) {
-	// We only support version 1 snapshots at this time.
-	if version != 1 {
-		return nil, fmt.Errorf("unsupported snapshot version %d", version)
-	}
-
-	// Create the sink
-	sink := &BoltSnapshotSink{
-		store:  f,
-		logger: f.logger,
-		meta: raft.SnapshotMeta{
-			Version:            version,
-			ID:                 boltSnapshotID,
-			Index:              index,
-			Term:               term,
-			Configuration:      configuration,
-			ConfigurationIndex: configurationIndex,
-		},
-		trans: trans,
-	}
-
-	return sink, nil
+func (c *OperatorRaftSnapshotInspectCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictAnything
 }
 
-// List returns available snapshots in the store. It only returns bolt
-// snapshots. No snapshot will be returned if there are no indexes in the
-// FSM.
-func (f *BoltSnapshotStore) List() ([]*raft.SnapshotMeta, error) {
-	meta, err := f.getMetaFromFSM()
-	if err != nil {
-		return nil, err
-	}
+func (c *OperatorRaftSnapshotInspectCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
 
-	// If we haven't seen any data yet do not return a snapshot
-	if meta.Index == 0 {
-		return nil, nil
-	}
+type OutputFormat struct {
+	Meta         *MetadataInfo
+	StatsKV      []typeStats
+	TotalCountKV int
+	TotalSizeKV  int
+}
 
-	return []*raft.SnapshotMeta{meta}, nil
+// SnapshotInfo is used for passing snapshot stat
+// information between functions
+type SnapshotInfo struct {
+	Meta         MetadataInfo
+	StatsKV      map[string]typeStats
+	TotalCountKV int
+	TotalSizeKV  int
 }
 
-// getBoltSnapshotMeta returns the fsm's latest state and configuration.
-func (f *BoltSnapshotStore) getMetaFromFSM() (*raft.SnapshotMeta, error) {
-	latestIndex, latestConfig := f.fsm.LatestState()
-	meta := &raft.SnapshotMeta{
-		Version: 1,
-		ID:      boltSnapshotID,
-		Index:   latestIndex.Index,
-		Term:    latestIndex.Term,
+type MetadataInfo struct {
+	ID      string
+	Size    int64
+	Index   uint64
+	Term    uint64
+	Version raft.SnapshotVersion
+}
+
+type typeStats struct {
+	Name  string
+	Count int
+	Size  int
+}
+
+func (c *OperatorRaftSnapshotInspectCommand) Run(args []string) int {
+	flags := c.Flags()
+
+	if err := flags.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
 	}
 
-	if latestConfig != nil {
-		meta.ConfigurationIndex, meta.Configuration = protoConfigurationToRaftConfiguration(latestConfig)
+	// Validate flags
+	if c.depth < 0 {
+		c.UI.Error("Depth must be equal to or greater than 0")
+		return 1
 	}
 
-	return meta, nil
-}
+	var file string
+	args = c.flags.Args()
 
-// Open takes a snapshot ID and returns a ReadCloser for that snapshot.
-func (f *BoltSnapshotStore) Open(id string) (*raft.SnapshotMeta, io.ReadCloser, error) {
-	if id == boltSnapshotID {
-		return f.openFromFSM()
+	switch len(args) {
+	case 0:
+		c.UI.Error("Missing FILE argument")
+		return 1
+	case 1:
+		file = args[0]
+	default:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
 	}
 
-	return f.openFromFile(id)
-}
+	// Open the file.
+	f, err := os.Open(file)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error opening snapshot file: %s", err))
+		return 1
+	}
+	defer f.Close()
 
-func (f *BoltSnapshotStore) openFromFSM() (*raft.SnapshotMeta, io.ReadCloser, error) {
-	meta, err := f.getMetaFromFSM()
+	// Extract metadata and snapshot info from snapshot file
+	var info *SnapshotInfo
+	var meta *raft.SnapshotMeta
+	info, meta, err = c.Read(hclog.New(nil), f)
 	if err != nil {
-		return nil, nil, err
+		c.UI.Error(fmt.Sprintf("Error reading snapshot: %s", err))
+		return 1
 	}
-	// If we don't have any data return an error
-	if meta.Index == 0 {
-		return nil, nil, errors.New("no snapshot data")
+
+	if info == nil {
+		c.UI.Error(fmt.Sprintf("Error calculating snapshot info: %s", err))
+		return 1
 	}
 
-	// Stream data out of the FSM to calculate the size
-	readCloser, writeCloser := io.Pipe()
-	metaReadCloser, metaWriteCloser := io.Pipe()
-	go func() {
-		f.fsm.writeTo(context.Background(), metaWriteCloser, writeCloser)
-	}()
+	// Generate structs for the formatter with information we read in
+	metaformat := &MetadataInfo{
+		ID:      meta.ID,
+		Size:    meta.Size,
+		Index:   meta.Index,
+		Term:    meta.Term,
+		Version: meta.Version,
+	}
+
+	formattedStatsKV := generateKVStats(*info)
 
-	// Compute the size
-	n, err := io.Copy(ioutil.Discard, metaReadCloser)
+	data := &OutputFormat{
+		Meta:         metaformat,
+		StatsKV:      formattedStatsKV,
+		TotalCountKV: info.TotalCountKV,
+		TotalSizeKV:  info.TotalSizeKV,
+	}
+
+	if Format(c.UI) != "table" {
+		return OutputData(c.UI, data)
+	}
+
+	tableData, err := formatTable(data)
 	if err != nil {
-		f.logger.Error("failed to read state file", "error", err)
-		metaReadCloser.Close()
-		readCloser.Close()
-		return nil, nil, err
+		c.UI.Error(err.Error())
+		return 1
 	}
 
-	meta.Size = n
-	metaReadCloser.Close()
+	c.UI.Output(tableData)
 
-	return meta, readCloser, nil
+	return 0
 }
 
-func (f *BoltSnapshotStore) getMetaFromDB(id string) (*raft.SnapshotMeta, error) {
-	if len(id) == 0 {
-		return nil, errors.New("can not open empty snapshot ID")
+func (c *OperatorRaftSnapshotInspectCommand) kvEnhance(val *pb.StorageEntry, info *SnapshotInfo, read int) {
+	if !c.details {
+		return
 	}
 
-	filename := filepath.Join(f.path, id, databaseFilename)
-	boltDB, err := bolt.Open(filename, 0o600, &bolt.Options{Timeout: 1 * time.Second})
-	if err != nil {
-		return nil, err
+	if val.Key == "" {
+		return
 	}
-	defer boltDB.Close()
 
-	meta := &raft.SnapshotMeta{
-		Version: 1,
-		ID:      id,
+	// check for whether a filter is specified. if it is, skip
+	// any keys that don't match.
+	if len(c.filter) > 0 && !strings.HasPrefix(val.Key, c.filter) {
+		return
 	}
 
-	err = boltDB.View(func(tx *bolt.Tx) error {
-		b := tx.Bucket(configBucketName)
-		val := b.Get(latestIndexKey)
-		if val != nil {
-			var snapshotIndexes IndexValue
-			err := proto.Unmarshal(val, &snapshotIndexes)
-			if err != nil {
-				return err
-			}
+	split := strings.Split(val.Key, "/")
 
-			meta.Index = snapshotIndexes.Index
-			meta.Term = snapshotIndexes.Term
-		}
-
-		// Read in our latest config and populate it inmemory
-		val = b.Get(latestConfigKey)
-		if val != nil {
-			var config ConfigurationValue
-			err := proto.Unmarshal(val, &config)
-			if err != nil {
-				return err
-			}
+	// handle the situation where the key is shorter than
+	// the specified depth.
+	actualDepth := c.depth
+	if c.depth == 0 || c.depth > len(split) {
+		actualDepth = len(split)
+	}
 
-			meta.ConfigurationIndex, meta.Configuration = protoConfigurationToRaftConfiguration(&config)
-		}
-		return nil
-	})
-	if err != nil {
-		return nil, err
+	prefix := strings.Join(split[0:actualDepth], "/")
+	kvs := info.StatsKV[prefix]
+	if kvs.Name == "" {
+		kvs.Name = prefix
 	}
 
-	return meta, nil
+	kvs.Count++
+	kvs.Size += read
+	info.TotalCountKV++
+	info.TotalSizeKV += read
+	info.StatsKV[prefix] = kvs
 }
 
-func (f *BoltSnapshotStore) openFromFile(id string) (*raft.SnapshotMeta, io.ReadCloser, error) {
-	meta, err := f.getMetaFromDB(id)
-	if err != nil {
-		return nil, nil, err
+// Read from snapshot's state.bin and update the SnapshotInfo struct
+func (c *OperatorRaftSnapshotInspectCommand) parseState(r io.Reader) (SnapshotInfo, error) {
+	info := SnapshotInfo{
+		StatsKV: make(map[string]typeStats),
 	}
 
-	filename := filepath.Join(f.path, id, databaseFilename)
-	installer := &boltSnapshotInstaller{
-		meta:       meta,
-		ReadCloser: ioutil.NopCloser(strings.NewReader(filename)),
-		filename:   filename,
+	protoReader := protoio.NewDelimitedReader(r, math.MaxInt32)
+
+	for {
+		s := new(pb.StorageEntry)
+		if err := protoReader.ReadMsg(s); err != nil {
+			if err == io.EOF {
+				break
+			}
+			return info, err
+		}
+		size := protoReader.GetLastReadSize()
+		c.kvEnhance(s, &info, size)
 	}
 
-	return meta, installer, nil
+	return info, nil
 }
 
-// ReapSnapshots reaps all snapshots.
-func (f *BoltSnapshotStore) ReapSnapshots() error {
-	snapshots, err := ioutil.ReadDir(f.path)
-	switch {
-	case err == nil:
-	case os.IsNotExist(err):
-		return nil
-	default:
-		f.logger.Error("failed to scan snapshot directory", "error", err)
-		return err
+// Read contents of snapshot. Parse metadata and snapshot info
+// Also, verify validity of snapshot
+func (c *OperatorRaftSnapshotInspectCommand) Read(logger hclog.Logger, in io.Reader) (*SnapshotInfo, *raft.SnapshotMeta, error) {
+	// Wrap the reader in a gzip decompressor.
+	decomp, err := gzip.NewReader(in)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to decompress snapshot: %v", err)
 	}
 
-	for _, snap := range snapshots {
-		// Ignore any files
-		if !snap.IsDir() {
-			continue
+	defer func() {
+		if decomp == nil {
+			return
 		}
 
-		// Warn about temporary snapshots, this indicates a previously failed
-		// snapshot attempt. We still want to clean these up.
-		dirName := snap.Name()
-		if strings.HasSuffix(dirName, tmpSuffix) {
-			f.logger.Warn("found temporary snapshot", "name", dirName)
+		if err := decomp.Close(); err != nil {
+			logger.Error("Failed to close snapshot decompressor", "error", err)
 		}
+	}()
 
-		path := filepath.Join(f.path, dirName)
-		f.logger.Info("reaping snapshot", "path", path)
-		if err := os.RemoveAll(path); err != nil {
-			f.logger.Error("failed to reap snapshot", "path", snap.Name(), "error", err)
-			return err
-		}
+	// Read the archive.
+	snapshotInfo, metadata, err := c.read(decomp)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to read snapshot file: %v", err)
 	}
 
-	return nil
+	if err := concludeGzipRead(decomp); err != nil {
+		return nil, nil, err
+	}
+
+	if err := decomp.Close(); err != nil {
+		return nil, nil, err
+	}
+	decomp = nil
+	return snapshotInfo, metadata, nil
 }
 
-// ID returns the ID of the snapshot, can be used with Open()
-// after the snapshot is finalized.
-func (s *BoltSnapshotSink) ID() string {
-	s.l.Lock()
-	defer s.l.Unlock()
+func formatTable(info *OutputFormat) (string, error) {
+	var b bytes.Buffer
+	tw := tabwriter.NewWriter(&b, 8, 8, 6, ' ', 0)
 
-	return s.meta.ID
-}
+	fmt.Fprintf(tw, " ID\t%s", info.Meta.ID)
+	fmt.Fprintf(tw, "\n Size\t%d", info.Meta.Size)
+	fmt.Fprintf(tw, "\n Index\t%d", info.Meta.Index)
+	fmt.Fprintf(tw, "\n Term\t%d", info.Meta.Term)
+	fmt.Fprintf(tw, "\n Version\t%d", info.Meta.Version)
+	fmt.Fprintf(tw, "\n")
 
-func (s *BoltSnapshotSink) writeBoltDBFile() error {
-	// Create a new path
-	name := snapshotName(s.meta.Term, s.meta.Index)
-	path := filepath.Join(s.store.path, name+tmpSuffix)
-	s.logger.Info("creating new snapshot", "path", path)
+	if info.StatsKV != nil {
+		fmt.Fprintf(tw, "\n")
+		fmt.Fprintln(tw, "\n Key Name\tCount\tSize")
+		fmt.Fprintf(tw, " %s\t%s\t%s", "----", "----", "----")
 
-	// Make the directory
-	if err := os.MkdirAll(path, 0o700); err != nil {
-		s.logger.Error("failed to make snapshot directory", "error", err)
-		return err
-	}
+		for _, s := range info.StatsKV {
+			fmt.Fprintf(tw, "\n %s\t%d\t%s", s.Name, s.Count, ByteSize(uint64(s.Size)))
+		}
 
-	// Create the BoltDB file
-	dbPath := filepath.Join(path, databaseFilename)
-	boltDB, err := bolt.Open(dbPath, 0o600, &bolt.Options{Timeout: 1 * time.Second})
-	if err != nil {
-		return err
+		fmt.Fprintf(tw, "\n %s\t%s", "----", "----")
+		fmt.Fprintf(tw, "\n Total Size\t\t%s", ByteSize(uint64(info.TotalSizeKV)))
 	}
 
-	// Write the snapshot metadata
-	if err := writeSnapshotMetaToDB(&s.meta, boltDB); err != nil {
-		return err
+	if err := tw.Flush(); err != nil {
+		return b.String(), err
 	}
 
-	// Set the snapshot ID to the generated name.
-	s.meta.ID = name
-
-	// Create the done channel
-	s.doneWritingCh = make(chan struct{})
-
-	// Store the directories so we can commit the changes on success or abort
-	// them on failure.
-	s.dir = path
-	s.parentDir = s.store.path
-
-	// Create a pipe so we pipe writes into the go routine below.
-	reader, writer := io.Pipe()
-	s.writer = writer
-
-	// Start a go routine in charge of piping data from the snapshot's Write
-	// call to the delimtedreader and the BoltDB file.
-	go func() {
-		defer close(s.doneWritingCh)
-		defer boltDB.Close()
-
-		// The delimted reader will parse full proto messages from the snapshot
-		// data.
-		protoReader := NewDelimitedReader(reader, math.MaxInt32)
-		defer protoReader.Close()
-
-		var done bool
-		var keys int
-		entry := new(pb.StorageEntry)
-		for !done {
-			err := boltDB.Update(func(tx *bolt.Tx) error {
-				b, err := tx.CreateBucketIfNotExists(dataBucketName)
-				if err != nil {
-					return err
-				}
-
-				// Commit in batches of 50k. Bolt holds all the data in memory and
-				// doesn't split the pages until commit so we do incremental writes.
-				for i := 0; i < 50000; i++ {
-					err := protoReader.ReadMsg(entry)
-					if err != nil {
-						if err == io.EOF {
-							done = true
-							return nil
-						}
-						return err
-					}
-
-					err = b.Put([]byte(entry.Key), entry.Value)
-					if err != nil {
-						return err
-					}
-					keys += 1
-				}
-
-				return nil
-			})
-			if err != nil {
-				s.logger.Error("snapshot write: failed to write transaction", "error", err)
-				s.writeError = err
-				return
-			}
+	return b.String(), nil
+}
 
-			s.logger.Trace("snapshot write: writing keys", "num_written", keys)
-		}
-	}()
+const (
+	BYTE = 1 << (10 * iota)
+	KILOBYTE
+	MEGABYTE
+	GIGABYTE
+	TERABYTE
+)
 
-	return nil
+func ByteSize(bytes uint64) string {
+	unit := ""
+	value := float64(bytes)
+
+	switch {
+	case bytes >= TERABYTE:
+		unit = "TB"
+		value = value / TERABYTE
+	case bytes >= GIGABYTE:
+		unit = "GB"
+		value = value / GIGABYTE
+	case bytes >= MEGABYTE:
+		unit = "MB"
+		value = value / MEGABYTE
+	case bytes >= KILOBYTE:
+		unit = "KB"
+		value = value / KILOBYTE
+	case bytes >= BYTE:
+		unit = "B"
+	case bytes == 0:
+		return "0"
+	}
+
+	result := strconv.FormatFloat(value, 'f', 1, 64)
+	result = strings.TrimSuffix(result, ".0")
+	return result + unit
 }
 
-// Write is used to append to the bolt file. The first call to write ensures we
-// have the file created.
-func (s *BoltSnapshotSink) Write(b []byte) (int, error) {
-	s.l.Lock()
-	defer s.l.Unlock()
-
-	// If this is the first call to Write we need to setup the boltDB file and
-	// kickoff the pipeline write
-	if previouslyWritten := s.written.Swap(true); !previouslyWritten {
-		// Reap any old snapshots
-		if err := s.store.ReapSnapshots(); err != nil {
-			return 0, err
+// sortTypeStats sorts the stat slice by count and then
+// alphabetically in the case the counts are equal
+func sortTypeStats(stats []typeStats) []typeStats {
+	// sort alphabetically if size is equal
+	sort.Slice(stats, func(i, j int) bool {
+		// Sort alphabetically if count is equal
+		if stats[i].Count == stats[j].Count {
+			return stats[i].Name < stats[j].Name
 		}
+		return stats[i].Count > stats[j].Count
+	})
 
-		if err := s.writeBoltDBFile(); err != nil {
-			return 0, err
+	return stats
+}
+
+// generateKVStats reformats the KV stats to work with
+// the output struct that's used to produce the printed
+// output the user sees.
+func generateKVStats(info SnapshotInfo) []typeStats {
+	kvLen := len(info.StatsKV)
+	if kvLen > 0 {
+		ks := make([]typeStats, 0, kvLen)
+
+		for _, s := range info.StatsKV {
+			ks = append(ks, s)
 		}
+
+		ks = sortTypeStats(ks)
+
+		return ks
 	}
 
-	return s.writer.Write(b)
+	return nil
 }
 
-// Close is used to indicate a successful end.
-func (s *BoltSnapshotSink) Close() error {
-	s.l.Lock()
-	defer s.l.Unlock()
+// hashList manages a list of filenames and their hashes.
+type hashList struct {
+	hashes map[string]hash.Hash
+}
 
-	// Make sure close is idempotent
-	if s.closed {
-		return nil
+// newHashList returns a new hashList.
+func newHashList() *hashList {
+	return &hashList{
+		hashes: make(map[string]hash.Hash),
 	}
-	s.closed = true
-
-	if s.writer != nil {
-		s.writer.Close()
-		<-s.doneWritingCh
-
-		if s.writeError != nil {
-			// If we encountered an error while writing then we should remove
-			// the directory and return the error
-			_ = os.RemoveAll(s.dir)
-			return s.writeError
-		}
+}
 
-		// Move the directory into place
-		newPath := strings.TrimSuffix(s.dir, tmpSuffix)
+// Add creates a new hash for the given file.
+func (hl *hashList) Add(file string) hash.Hash {
+	if existing, ok := hl.hashes[file]; ok {
+		return existing
+	}
 
-		var err error
-		if runtime.GOOS != "windows" {
-			err = safeio.Rename(s.dir, newPath)
-		} else {
-			err = os.Rename(s.dir, newPath)
-		}
+	h := sha256.New()
+	hl.hashes[file] = h
+	return h
+}
 
-		if err != nil {
-			s.logger.Error("failed to move snapshot into place", "error", err)
+// Encode takes the current sum of all the hashes and saves the hash list as a
+// SHA256SUMS-style text file.
+func (hl *hashList) Encode(w io.Writer) error {
+	for file, h := range hl.hashes {
+		if _, err := fmt.Fprintf(w, "%x  %s\n", h.Sum([]byte{}), file); err != nil {
 			return err
 		}
 	}
-
 	return nil
 }
 
-// Cancel is used to indicate an unsuccessful end.
-func (s *BoltSnapshotSink) Cancel() error {
-	s.l.Lock()
-	defer s.l.Unlock()
+// DecodeAndVerify reads a SHA256SUMS-style text file and checks the results
+// against the current sums for all the hashes.
+func (hl *hashList) DecodeAndVerify(r io.Reader) error {
+	// Read the file and make sure everything in there has a matching hash.
+	seen := make(map[string]struct{})
+	s := bufio.NewScanner(r)
+	for s.Scan() {
+		sha := make([]byte, sha256.Size)
+		var file string
+		if _, err := fmt.Sscanf(s.Text(), "%x  %s", &sha, &file); err != nil {
+			return err
+		}
 
-	// Make sure close is idempotent
-	if s.closed {
-		return nil
+		h, ok := hl.hashes[file]
+		if !ok {
+			return fmt.Errorf("list missing hash for %q", file)
+		}
+		if !bytes.Equal(sha, h.Sum([]byte{})) {
+			return fmt.Errorf("hash check failed for %q", file)
+		}
+		seen[file] = struct{}{}
+	}
+	if err := s.Err(); err != nil {
+		return err
 	}
-	s.closed = true
-
-	if s.writer != nil {
-		s.writer.Close()
-		<-s.doneWritingCh
 
-		// Attempt to remove all artifacts
-		return os.RemoveAll(s.dir)
+	// Make sure everything we had a hash for was seen.
+	for file := range hl.hashes {
+		if _, ok := seen[file]; !ok {
+			return fmt.Errorf("file missing for %q", file)
+		}
 	}
 
 	return nil
 }
 
-type boltSnapshotInstaller struct {
-	io.ReadCloser
-	meta     *raft.SnapshotMeta
-	filename string
-}
+// read takes a reader and extracts the snapshot metadata and snapshot
+// info. It also checks the integrity of the snapshot data.
+func (c *OperatorRaftSnapshotInspectCommand) read(in io.Reader) (*SnapshotInfo, *raft.SnapshotMeta, error) {
+	// Start a new tar reader.
+	archive := tar.NewReader(in)
+
+	// Create a hash list that we will use to compare with the SHA256SUMS
+	// file in the archive.
+	hl := newHashList()
+
+	// Populate the hashes for all the files we expect to see. The check at
+	// the end will make sure these are all present in the SHA256SUMS file
+	// and that the hashes match.
+	metaHash := hl.Add("meta.json")
+	snapHash := hl.Add("state.bin")
+
+	// Look through the archive for the pieces we care about.
+	var shaBuffer bytes.Buffer
+	var snapshotInfo SnapshotInfo
+	var metadata raft.SnapshotMeta
+	for {
+		hdr, err := archive.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed reading snapshot: %v", err)
+		}
 
-func (i *boltSnapshotInstaller) Filename() string {
-	return i.filename
-}
+		switch hdr.Name {
+		case "meta.json":
+			// Previously we used json.Decode to decode the archive stream. There are
+			// edgecases in which it doesn't read all the bytes from the stream, even
+			// though the json object is still being parsed properly. Since we
+			// simultaneously feeded everything to metaHash, our hash ended up being
+			// different than what we calculated when creating the snapshot. Which in
+			// turn made the snapshot verification fail. By explicitly reading the
+			// whole thing first we ensure that we calculate the correct hash
+			// independent of how json.Decode works internally.
+			buf, err := io.ReadAll(io.TeeReader(archive, metaHash))
+			if err != nil {
+				return nil, nil, fmt.Errorf("failed to read snapshot metadata: %v", err)
+			}
+			if err := json.Unmarshal(buf, &metadata); err != nil {
+				return nil, nil, fmt.Errorf("failed to decode snapshot metadata: %v", err)
+			}
+		case "state.bin":
+			// create reader that writes to snapHash what it reads from archive
+			wrappedReader := io.TeeReader(archive, snapHash)
+			var err error
+			snapshotInfo, err = c.parseState(wrappedReader)
+			if err != nil {
+				return nil, nil, fmt.Errorf("error parsing snapshot state: %v", err)
+			}
 
-func (i *boltSnapshotInstaller) Metadata() *raft.SnapshotMeta {
-	return i.meta
-}
+		case "SHA256SUMS":
+			if _, err := io.CopyN(&shaBuffer, archive, 10000); err != nil && err != io.EOF {
+				return nil, nil, fmt.Errorf("failed to read snapshot hashes: %v", err)
+			}
 
-func (i *boltSnapshotInstaller) Install(filename string) error {
-	if len(i.filename) == 0 {
-		return errors.New("snapshot filename empty")
-	}
+		case "SHA256SUMS.sealed":
+			// Add verification of sealed sum in future
+			continue
 
-	if len(filename) == 0 {
-		return errors.New("fsm filename empty")
+		default:
+			return nil, nil, fmt.Errorf("unexpected file %q in snapshot", hdr.Name)
+		}
 	}
 
-	// Rename the snapshot to the FSM location
-	if runtime.GOOS != "windows" {
-		return safeio.Rename(i.filename, filename)
-	} else {
-		return os.Rename(i.filename, filename)
+	// Verify all the hashes.
+	if err := hl.DecodeAndVerify(&shaBuffer); err != nil {
+		return nil, nil, fmt.Errorf("failed checking integrity of snapshot: %v", err)
 	}
+
+	return &snapshotInfo, &metadata, nil
 }
 
-// snapshotName generates a name for the snapshot.
-func snapshotName(term, index uint64) string {
-	now := time.Now()
-	msec := now.UnixNano() / int64(time.Millisecond)
-	return fmt.Sprintf("%d-%d-%d", term, index, msec)
+// concludeGzipRead should be invoked after you think you've consumed all of
+// the data from the gzip stream. It will error if the stream was corrupt.
+//
+// The docs for gzip.Reader say: "Clients should treat data returned by Read as
+// tentative until they receive the io.EOF marking the end of the data."
+func concludeGzipRead(decomp *gzip.Reader) error {
+	extra, err := io.ReadAll(decomp) // ReadAll consumes the EOF
+	if err != nil {
+		return err
+	}
+	if len(extra) != 0 {
+		return fmt.Errorf("%d unread uncompressed bytes remain", len(extra))
+	}
+	return nil
 }
diff --git a/scripts/protocversioncheck.sh b/scripts/protocversioncheck.sh
index ecd67233fc5c..d70037695606 100755
--- a/scripts/protocversioncheck.sh
+++ b/scripts/protocversioncheck.sh
@@ -1,20 +1,141 @@
-#!/usr/bin/env bash
-# Copyright (c) HashiCorp, Inc.
-# SPDX-License-Identifier: BUSL-1.1
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
 
+package command
 
-set -euo pipefail
+import (
+	"context"
+	"fmt"
+	"os"
+	"strings"
+	"testing"
 
-PROTOC_CMD=${PROTOC_CMD:-protoc}
-PROTOC_VERSION_EXACT="$1"
-echo "==> Checking that protoc is at version $1..."
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/physical/raft"
+	"github.com/hashicorp/vault/sdk/physical"
+)
 
-PROTOC_VERSION=$($PROTOC_CMD --version | grep -o '[0-9]\+\.[0-9]\+\.[0-9]\+')
+func testOperatorRaftSnapshotInspectCommand(tb testing.TB) (*cli.MockUi, *OperatorRaftSnapshotInspectCommand) {
+	tb.Helper()
 
-if [ "$PROTOC_VERSION" == "$PROTOC_VERSION_EXACT" ]; then
-  echo "Using protoc version $PROTOC_VERSION"
-else
-  echo "protoc should be at $PROTOC_VERSION_EXACT; found $PROTOC_VERSION."
-  echo "If your version is higher than the version this script is looking for, updating the Makefile with the newer version."
-  exit 1
-fi
+	ui := cli.NewMockUi()
+	return ui, &OperatorRaftSnapshotInspectCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func createSnapshot(tb testing.TB) (*os.File, func(), error) {
+	// Create new raft backend
+	r, raftDir := raft.GetRaft(tb, true, false)
+	defer os.RemoveAll(raftDir)
+
+	// Write some data
+	for i := 0; i < 100; i++ {
+		err := r.Put(context.Background(), &physical.Entry{
+			Key:   fmt.Sprintf("key-%d", i),
+			Value: []byte(fmt.Sprintf("value-%d", i)),
+		})
+		if err != nil {
+			return nil, nil, fmt.Errorf("Error adding data to snapshot %s", err)
+		}
+	}
+
+	// Create temporary file to save snapshot to
+	snap, err := os.CreateTemp("", "temp_snapshot.snap")
+	if err != nil {
+		return nil, nil, fmt.Errorf("Error creating temporary file %s", err)
+	}
+
+	cleanup := func() {
+		err := os.RemoveAll(snap.Name())
+		if err != nil {
+			tb.Errorf("Error deleting temporary snapshot %s", err)
+		}
+	}
+
+	// Save snapshot
+	err = r.Snapshot(snap, nil)
+	if err != nil {
+		return nil, nil, fmt.Errorf("Error saving raft snapshot %s", err)
+	}
+
+	return snap, cleanup, nil
+}
+
+func TestOperatorRaftSnapshotInspectCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	file1, cleanup1, err := createSnapshot(t)
+	if err != nil {
+		t.Fatalf("Error creating snapshot %s", err)
+	}
+
+	file2, cleanup2, err := createSnapshot(t)
+	if err != nil {
+		t.Fatalf("Error creating snapshot %s", err)
+	}
+
+	cases := []struct {
+		name    string
+		args    []string
+		out     string
+		code    int
+		cleanup func()
+	}{
+		{
+			"too_many_args",
+			[]string{"test.snap", "test"},
+			"Too many arguments",
+			1,
+			nil,
+		},
+		{
+			"default",
+			[]string{file1.Name()},
+			"ID           bolt-snapshot",
+			0,
+			cleanup1,
+		},
+		{
+			"all_flags",
+			[]string{"-details", "-depth", "10", "-filter", "key", file2.Name()},
+			"Key Name",
+			0,
+			cleanup2,
+		},
+	}
+
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range cases {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				ui, cmd := testOperatorRaftSnapshotInspectCommand(t)
+
+				cmd.client = client
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+
+				if tc.cleanup != nil {
+					tc.cleanup()
+				}
+			})
+		}
+	})
+}
diff --git a/sdk/go.mod b/sdk/go.mod
index c5c33e54772b..516fba522fe8 100644
--- a/sdk/go.mod
+++ b/sdk/go.mod
@@ -1,116 +1,109 @@
-module github.com/hashicorp/vault/sdk
-
-go 1.19
-
-require (
-	cloud.google.com/go/cloudsqlconn v1.4.3
-	github.com/armon/go-metrics v0.4.1
-	github.com/armon/go-radix v1.0.0
-	github.com/cenkalti/backoff/v3 v3.2.2
-	github.com/docker/docker v24.0.7+incompatible
-	github.com/docker/go-connections v0.4.0
-	github.com/evanphx/json-patch/v5 v5.6.0
-	github.com/fatih/structs v1.1.0
-	github.com/go-ldap/ldap/v3 v3.4.4
-	github.com/go-test/deep v1.1.0
-	github.com/golang/protobuf v1.5.3
-	github.com/golang/snappy v0.0.4
-	github.com/google/tink/go v1.6.1
-	github.com/hashicorp/cap/ldap v0.0.0-20230914221201-c4eecc7e31f7
-	github.com/hashicorp/errwrap v1.1.0
-	github.com/hashicorp/go-cleanhttp v0.5.2
-	github.com/hashicorp/go-hclog v1.5.0
-	github.com/hashicorp/go-immutable-radix v1.3.1
-	github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.0
-	github.com/hashicorp/go-kms-wrapping/v2 v2.0.8
-	github.com/hashicorp/go-multierror v1.1.1
-	github.com/hashicorp/go-plugin v1.5.2
-	github.com/hashicorp/go-retryablehttp v0.7.1
-	github.com/hashicorp/go-secure-stdlib/base62 v0.1.2
-	github.com/hashicorp/go-secure-stdlib/mlock v0.1.2
-	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7
-	github.com/hashicorp/go-secure-stdlib/password v0.1.1
-	github.com/hashicorp/go-secure-stdlib/plugincontainer v0.2.2
-	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2
-	github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.2
-	github.com/hashicorp/go-sockaddr v1.0.2
-	github.com/hashicorp/go-uuid v1.0.3
-	github.com/hashicorp/go-version v1.6.0
-	github.com/hashicorp/golang-lru v0.5.4
-	github.com/hashicorp/hcl v1.0.1-vault-5
-	github.com/hashicorp/vault/api v1.9.1
-	github.com/mitchellh/copystructure v1.2.0
-	github.com/mitchellh/go-testing-interface v1.14.1
-	github.com/mitchellh/mapstructure v1.5.0
-	github.com/pierrec/lz4 v2.6.1+incompatible
-	github.com/ryanuber/go-glob v1.0.0
-	github.com/stretchr/testify v1.8.3
-	go.uber.org/atomic v1.9.0
-	golang.org/x/crypto v0.14.0
-	golang.org/x/net v0.17.0
-	golang.org/x/text v0.13.0
-	google.golang.org/grpc v1.57.2
-	google.golang.org/protobuf v1.31.0
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
 )
 
-require (
-	cloud.google.com/go/compute v1.20.1 // indirect
-	cloud.google.com/go/compute/metadata v0.2.3 // indirect
-	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
-	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
-	github.com/Microsoft/go-winio v0.6.1 // indirect
-	github.com/containerd/containerd v1.7.0 // indirect
-	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/docker/distribution v2.8.2+incompatible // indirect
-	github.com/docker/go-units v0.5.0 // indirect
-	github.com/fatih/color v1.14.1 // indirect
-	github.com/frankban/quicktest v1.11.3 // indirect
-	github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/google/s2a-go v0.1.4 // indirect
-	github.com/google/uuid v1.3.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect
-	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
-	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
-	github.com/hashicorp/yamux v0.1.1 // indirect
-	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
-	github.com/jackc/pgconn v1.14.0 // indirect
-	github.com/jackc/pgio v1.0.0 // indirect
-	github.com/jackc/pgpassfile v1.0.0 // indirect
-	github.com/jackc/pgproto3/v2 v2.3.2 // indirect
-	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
-	github.com/jackc/pgtype v1.14.0 // indirect
-	github.com/jackc/pgx/v4 v4.18.1 // indirect
-	github.com/klauspost/compress v1.16.5 // indirect
-	github.com/kr/text v0.2.0 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.17 // indirect
-	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/reflectwalk v1.0.2 // indirect
-	github.com/moby/patternmatcher v0.5.0 // indirect
-	github.com/moby/sys/sequential v0.5.0 // indirect
-	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
-	github.com/oklog/run v1.1.0 // indirect
-	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b // indirect
-	github.com/opencontainers/runc v1.1.6 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/rogpeppe/go-internal v1.8.1 // indirect
-	github.com/sirupsen/logrus v1.9.0 // indirect
-	github.com/stretchr/objx v0.5.0 // indirect
-	go.opencensus.io v0.24.0 // indirect
-	golang.org/x/mod v0.9.0 // indirect
-	golang.org/x/oauth2 v0.11.0 // indirect
-	golang.org/x/sys v0.13.0 // indirect
-	golang.org/x/term v0.13.0 // indirect
-	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.7.0 // indirect
-	google.golang.org/api v0.134.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20231030173426-d783a09b4405 // indirect
-	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
-	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
+var (
+	_ cli.Command             = (*OperatorRaftSnapshotRestoreCommand)(nil)
+	_ cli.CommandAutocomplete = (*OperatorRaftSnapshotRestoreCommand)(nil)
 )
+
+type OperatorRaftSnapshotRestoreCommand struct {
+	flagForce bool
+	*BaseCommand
+}
+
+func (c *OperatorRaftSnapshotRestoreCommand) Synopsis() string {
+	return "Installs the provided snapshot, returning the cluster to the state defined in it"
+}
+
+func (c *OperatorRaftSnapshotRestoreCommand) Help() string {
+	helpText := `
+Usage: vault operator raft snapshot restore <snapshot_file>
+
+  Installs the provided snapshot, returning the cluster to the state defined in it.
+
+	  $ vault operator raft snapshot restore raft.snap
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *OperatorRaftSnapshotRestoreCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+
+	f := set.NewFlagSet("Command Options")
+
+	f.BoolVar(&BoolVar{
+		Name:    "force",
+		Target:  &c.flagForce,
+		Default: false,
+		Usage:   "This bypasses checks ensuring the Autounseal or shamir keys are consistent with the snapshot data.",
+	})
+
+	return set
+}
+
+func (c *OperatorRaftSnapshotRestoreCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictAnything
+}
+
+func (c *OperatorRaftSnapshotRestoreCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *OperatorRaftSnapshotRestoreCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	snapFile := ""
+
+	args = f.Args()
+	switch len(args) {
+	case 1:
+		snapFile = strings.TrimSpace(args[0])
+	default:
+		c.UI.Error(fmt.Sprintf("Incorrect arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
+
+	if len(snapFile) == 0 {
+		c.UI.Error("Snapshot file name is required")
+		return 1
+	}
+
+	snapReader, err := os.Open(snapFile)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error opening policy file: %s", err))
+		return 2
+	}
+	defer snapReader.Close()
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	err = client.Sys().RaftSnapshotRestore(snapReader, c.flagForce)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error installing the snapshot: %s", err))
+		return 2
+	}
+
+	return 0
+}
diff --git a/sdk/go.sum b/sdk/go.sum
index 8b63537a50ec..38580ed5e1f5 100644
--- a/sdk/go.sum
+++ b/sdk/go.sum
@@ -1,895 +1,129 @@
-cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
-cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
-cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
-cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
-cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
-cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
-cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
-cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
-cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc=
-cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk=
-cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs=
-cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc=
-cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=
-cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
-cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
-cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
-cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
-cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
-cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
-cloud.google.com/go/cloudsqlconn v1.4.3 h1:/WYFbB1NtMtoMxCbqpzzTFPDkxxlLTPme390KEGaEPc=
-cloud.google.com/go/cloudsqlconn v1.4.3/go.mod h1:QL3tuStVOO70txb3rs4G8j5uMfo5ztZii8K3oGD3VYA=
-cloud.google.com/go/compute v1.20.1 h1:6aKEtlUiwEpJzM001l0yFkpXmUVXaN8W+fbkb2AZNbg=
-cloud.google.com/go/compute v1.20.1/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM=
-cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
-cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
-cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
-cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
-cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
-cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
-cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
-cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU=
-cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
-cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
-cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
-cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
-cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
-dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 h1:EKPd1INOIyr5hWOWhvpmQpY6tKjeG0hT1s3AMC/9fic=
-github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
-github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
-github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
-github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
-github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
-github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030IGemrRc=
-github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
-github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
-github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
-github.com/Microsoft/hcsshim v0.10.0-rc.7 h1:HBytQPxcv8Oy4244zbQbe6hnOnx544eL5QPUqhJldz8=
-github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
-github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
-github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
-github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
-github.com/armon/go-metrics v0.4.1 h1:hR91U9KYmb6bLBYLQjyM+3j+rcd/UhE+G78SFnF8gJA=
-github.com/armon/go-metrics v0.4.1/go.mod h1:E6amYzXo6aW1tqzoZGT755KkbgrJsSdpwZ+3JqfkOG4=
-github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
-github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI=
-github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
-github.com/aws/aws-sdk-go v1.36.29/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
-github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
-github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
-github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
-github.com/bufbuild/protocompile v0.4.0 h1:LbFKd2XowZvQ/kajzguUp2DC9UEIQhIq77fZZlaQsNA=
-github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4=
-github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M=
-github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=
-github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
-github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
-github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag=
-github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
-github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
-github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
-github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
-github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I=
-github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
-github.com/containerd/containerd v1.7.0 h1:G/ZQr3gMZs6ZT0qPUZ15znx5QSdQdASW11nXTLTM2Pg=
-github.com/containerd/containerd v1.7.0/go.mod h1:QfR7Efgb/6X2BDpTPJRvPTYDE9rsF0FsXX9J8sIs/sc=
-github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
-github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
-github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
-github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
-github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v24.0.7+incompatible h1:Wo6l37AuwP3JaMnZa226lzVXGA3F9Ig1seQen0cKYlM=
-github.com/docker/docker v24.0.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
-github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
-github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
-github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
-github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
-github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww=
-github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4=
-github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
-github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
-github.com/fatih/color v1.14.1 h1:qfhVLaG5s+nCROl1zJsZRxFeYrHLqWroPOQ8BWiNb4w=
-github.com/fatih/color v1.14.1/go.mod h1:2oHN61fhTpgcxD3TSWCgKDiH1+x4OiDVVGH8WlgGZGg=
-github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo=
-github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
-github.com/frankban/quicktest v1.11.3 h1:8sXhOn0uLys67V8EsXLc6eszDs8VXWxL3iRvebPhedY=
-github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
-github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-asn1-ber/asn1-ber v1.5.4 h1:vXT6d/FNDiELJnLb6hGNa309LMsrCoYFvpwHDF0+Y1A=
-github.com/go-asn1-ber/asn1-ber v1.5.4/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
-github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
-github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
-github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
-github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
-github.com/go-ldap/ldap v3.0.2+incompatible/go.mod h1:qfd9rJvER9Q0/D/Sqn1DfHRoBp40uXYvFoEVrNEPqRc=
-github.com/go-ldap/ldap/v3 v3.4.4 h1:qPjipEpt+qDa6SI/h1fzuGWoRUY+qqQ9sOZq67/PYUs=
-github.com/go-ldap/ldap/v3 v3.4.4/go.mod h1:fe1MsuN5eJJ1FeLT/LEBVdWfNWKh459R7aXgXtJC+aI=
-github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
-github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
-github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
-github.com/go-sql-driver/mysql v1.7.1 h1:lUIinVbN1DY0xBg0eMOzmmtGoHwWBbvnWubQUrtU8EI=
-github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
-github.com/go-test/deep v1.0.2-0.20181118220953-042da051cf31/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
-github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg=
-github.com/go-test/deep v1.1.0/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
-github.com/gofrs/uuid v4.0.0+incompatible h1:1SD/1F5pU8p29ybwgQSwpQk+mwdRrXCYuPhW6m+TnJw=
-github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
-github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA=
-github.com/golang-sql/sqlexp v0.1.0 h1:ZCD6MBpcuOVfGVqsEmY5/4FtYiKz6tSyUv9LPEDei6A=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
-github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
-github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
-github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
-github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
-github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
-github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
-github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
-github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
-github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
-github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
-github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
-github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
-github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
-github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
-github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
-github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
-github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
-github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
-github.com/google/s2a-go v0.1.4 h1:1kZ/sQM3srePvKs3tXAvQzo66XfcReoqFpIpIccE7Oc=
-github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A=
-github.com/google/tink/go v1.6.1 h1:t7JHqO8Ath2w2ig5vjwQYJzhGEZymedQc90lQXUBa4I=
-github.com/google/tink/go v1.6.1/go.mod h1:IGW53kTgag+st5yPhKKwJ6u2l+SSp5/v9XF7spovjlY=
-github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
-github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.2.5 h1:UR4rDjcgpgEnqpIEvkiqTYKBCKLNmlge2eVjoZfySzM=
-github.com/googleapis/enterprise-certificate-proxy v0.2.5/go.mod h1:RxW0N9901Cko1VOCW3SXCpWP+mlIEkk2tP7jnHy9a3w=
-github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
-github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas=
-github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU=
-github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
-github.com/hashicorp/cap/ldap v0.0.0-20230914221201-c4eecc7e31f7 h1:jgVdtp5YMn++PxnYhAFfrURfLf+nlqzBeddbvRG+tTg=
-github.com/hashicorp/cap/ldap v0.0.0-20230914221201-c4eecc7e31f7/go.mod h1:q+c9XV1VqloZFZMu+zdvfb0cm7UrvKbvtmTF5wX5Q9o=
-github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
-github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
-github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
-github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
-github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
-github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
-github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
-github.com/hashicorp/go-hclog v0.0.0-20180709165350-ff2cf002a8dd/go.mod h1:9bjs9uLqI8l75knNv3lV1kA55veR+WUPSiKIWcQHudI=
-github.com/hashicorp/go-hclog v0.8.0/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
-github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
-github.com/hashicorp/go-hclog v1.5.0 h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c=
-github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
-github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
-github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc=
-github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
-github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.0 h1:pSjQfW3vPtrOTcasTUKgCTQT7OGPPTTMVRrOfU6FJD8=
-github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.0/go.mod h1:xvb32K2keAc+R8DSFG2IwDcydK9DBQE+fGA5fsw6hSk=
-github.com/hashicorp/go-kms-wrapping/v2 v2.0.8 h1:9Q2lu1YbbmiAgvYZ7Pr31RdlVonUpX+mmDL7Z7qTA2U=
-github.com/hashicorp/go-kms-wrapping/v2 v2.0.8/go.mod h1:qTCjxGig/kjuj3hk1z8pOUrzbse/GxB1tGfbrq8tGJg=
-github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
-github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
-github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
-github.com/hashicorp/go-plugin v1.0.1/go.mod h1:++UyYGoz3o5w9ZzAdZxtQKrWWP+iqPBn3cQptSMzBuY=
-github.com/hashicorp/go-plugin v1.5.2 h1:aWv8eimFqWlsEiMrYZdPYl+FdHaBJSN4AWwGWfT1G2Y=
-github.com/hashicorp/go-plugin v1.5.2/go.mod h1:w1sAEES3g3PuV/RzUrgow20W2uErMly84hhD3um1WL4=
-github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
-github.com/hashicorp/go-retryablehttp v0.5.4/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
-github.com/hashicorp/go-retryablehttp v0.7.1 h1:sUiuQAnLlbvmExtFQs72iFW/HXeUn8Z1aJLQ4LJJbTQ=
-github.com/hashicorp/go-retryablehttp v0.7.1/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
-github.com/hashicorp/go-rootcerts v1.0.1/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
-github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
-github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
-github.com/hashicorp/go-secure-stdlib/base62 v0.1.2 h1:ET4pqyjiGmY09R5y+rSd70J2w45CtbWDNvGqWp/R3Ng=
-github.com/hashicorp/go-secure-stdlib/base62 v0.1.2/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw=
-github.com/hashicorp/go-secure-stdlib/mlock v0.1.2 h1:p4AKXPPS24tO8Wc8i1gLvSKdmkiSY5xuju57czJ/IJQ=
-github.com/hashicorp/go-secure-stdlib/mlock v0.1.2/go.mod h1:zq93CJChV6L9QTfGKtfBxKqD7BqqXx5O04A/ns2p5+I=
-github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8=
-github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 h1:UpiO20jno/eV1eVZcxqWnUohyKRe1g8FPV/xH1s/2qs=
-github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8=
-github.com/hashicorp/go-secure-stdlib/password v0.1.1 h1:6JzmBqXprakgFEHwBgdchsjaA9x3GyjdI568bXKxa60=
-github.com/hashicorp/go-secure-stdlib/password v0.1.1/go.mod h1:9hH302QllNwu1o2TGYtSk8I8kTAN0ca1EHpwhm5Mmzo=
-github.com/hashicorp/go-secure-stdlib/plugincontainer v0.2.2 h1:lNWQ5KVsLmzjvN11LYqaTXtMrCP7CyxfmTeR3h0l3s8=
-github.com/hashicorp/go-secure-stdlib/plugincontainer v0.2.2/go.mod h1:7xQt0+IfRmzYBLpFx+4MYfLpBdd1PT1VatGKRswf7xE=
-github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U=
-github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts=
-github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4=
-github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.2 h1:phcbL8urUzF/kxA/Oj6awENaRwfWsjP59GW7u2qlDyY=
-github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.2/go.mod h1:l8slYwnJA26yBz+ErHpp2IRCLr0vuOMGBORIz4rRiAs=
-github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc=
-github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A=
-github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
-github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/hashicorp/go-version v1.1.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
-github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek=
-github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
-github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
-github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
-github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM=
-github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
-github.com/hashicorp/vault/api v1.0.4/go.mod h1:gDcqh3WGcR1cpF5AJz/B1UFheUEneMoIospckxBxk6Q=
-github.com/hashicorp/vault/api v1.9.1 h1:LtY/I16+5jVGU8rufyyAkwopgq/HpUnxFBg+QLOAV38=
-github.com/hashicorp/vault/api v1.9.1/go.mod h1:78kktNcQYbBGSrOjQfHjXN32OhhxXnbYl3zxpd2uPUs=
-github.com/hashicorp/vault/sdk v0.1.13/go.mod h1:B+hVj7TpuQY1Y/GPbCpffmgd+tSEwvhkWnjtSYCaS2M=
-github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
-github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
-github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
-github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
-github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/jackc/chunkreader v1.0.0/go.mod h1:RT6O25fNZIuasFJRyZ4R/Y2BbhasbmZXF9QQ7T3kePo=
-github.com/jackc/chunkreader/v2 v2.0.0/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk=
-github.com/jackc/chunkreader/v2 v2.0.1 h1:i+RDz65UE+mmpjTfyz0MoVTnzeYxroil2G82ki7MGG8=
-github.com/jackc/chunkreader/v2 v2.0.1/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk=
-github.com/jackc/pgconn v0.0.0-20190420214824-7e0022ef6ba3/go.mod h1:jkELnwuX+w9qN5YIfX0fl88Ehu4XC3keFuOJJk9pcnA=
-github.com/jackc/pgconn v0.0.0-20190824142844-760dd75542eb/go.mod h1:lLjNuW/+OfW9/pnVKPazfWOgNfH2aPem8YQ7ilXGvJE=
-github.com/jackc/pgconn v0.0.0-20190831204454-2fabfa3c18b7/go.mod h1:ZJKsE/KZfsUgOEh9hBm+xYTstcNHg7UPMVJqRfQxq4s=
-github.com/jackc/pgconn v1.8.0/go.mod h1:1C2Pb36bGIP9QHGBYCjnyhqu7Rv3sGshaQUvmfGIB/o=
-github.com/jackc/pgconn v1.9.0/go.mod h1:YctiPyvzfU11JFxoXokUOOKQXQmDMoJL9vJzHH8/2JY=
-github.com/jackc/pgconn v1.9.1-0.20210724152538-d89c8390a530/go.mod h1:4z2w8XhRbP1hYxkpTuBjTS3ne3J48K83+u0zoyvg2pI=
-github.com/jackc/pgconn v1.14.0 h1:vrbA9Ud87g6JdFWkHTJXppVce58qPIdP7N8y0Ml/A7Q=
-github.com/jackc/pgconn v1.14.0/go.mod h1:9mBNlny0UvkgJdCDvdVHYSjI+8tD2rnKK69Wz8ti++E=
-github.com/jackc/pgio v1.0.0 h1:g12B9UwVnzGhueNavwioyEEpAmqMe1E/BN9ES+8ovkE=
-github.com/jackc/pgio v1.0.0/go.mod h1:oP+2QK2wFfUWgr+gxjoBH9KGBb31Eio69xUb0w5bYf8=
-github.com/jackc/pgmock v0.0.0-20190831213851-13a1b77aafa2/go.mod h1:fGZlG77KXmcq05nJLRkk0+p82V8B8Dw8KN2/V9c/OAE=
-github.com/jackc/pgmock v0.0.0-20201204152224-4fe30f7445fd/go.mod h1:hrBW0Enj2AZTNpt/7Y5rr2xe/9Mn757Wtb2xeBzPv2c=
-github.com/jackc/pgmock v0.0.0-20210724152146-4ad1a8207f65 h1:DadwsjnMwFjfWc9y5Wi/+Zz7xoE5ALHsRQlOctkOiHc=
-github.com/jackc/pgmock v0.0.0-20210724152146-4ad1a8207f65/go.mod h1:5R2h2EEX+qri8jOWMbJCtaPWkrrNc7OHwsp2TCqp7ak=
-github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
-github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
-github.com/jackc/pgproto3 v1.1.0/go.mod h1:eR5FA3leWg7p9aeAqi37XOTgTIbkABlvcPB3E5rlc78=
-github.com/jackc/pgproto3/v2 v2.0.0-alpha1.0.20190420180111-c116219b62db/go.mod h1:bhq50y+xrl9n5mRYyCBFKkpRVTLYJVWeCc+mEAI3yXA=
-github.com/jackc/pgproto3/v2 v2.0.0-alpha1.0.20190609003834-432c2951c711/go.mod h1:uH0AWtUmuShn0bcesswc4aBTWGvw0cAxIJp+6OB//Wg=
-github.com/jackc/pgproto3/v2 v2.0.0-rc3/go.mod h1:ryONWYqW6dqSg1Lw6vXNMXoBJhpzvWKnT95C46ckYeM=
-github.com/jackc/pgproto3/v2 v2.0.0-rc3.0.20190831210041-4c03ce451f29/go.mod h1:ryONWYqW6dqSg1Lw6vXNMXoBJhpzvWKnT95C46ckYeM=
-github.com/jackc/pgproto3/v2 v2.0.6/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
-github.com/jackc/pgproto3/v2 v2.1.1/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
-github.com/jackc/pgproto3/v2 v2.3.2 h1:7eY55bdBeCz1F2fTzSz69QC+pG46jYq9/jtSPiJ5nn0=
-github.com/jackc/pgproto3/v2 v2.3.2/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
-github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b/go.mod h1:vsD4gTJCa9TptPL8sPkXrLZ+hDuNrZCnj29CQpr4X1E=
-github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a h1:bbPeKD0xmW/Y25WS6cokEszi5g+S0QxI/d45PkRi7Nk=
-github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgtype v0.0.0-20190421001408-4ed0de4755e0/go.mod h1:hdSHsc1V01CGwFsrv11mJRHWJ6aifDLfdV3aVjFF0zg=
-github.com/jackc/pgtype v0.0.0-20190824184912-ab885b375b90/go.mod h1:KcahbBH1nCMSo2DXpzsoWOAfFkdEtEJpPbVLq8eE+mc=
-github.com/jackc/pgtype v0.0.0-20190828014616-a8802b16cc59/go.mod h1:MWlu30kVJrUS8lot6TQqcg7mtthZ9T0EoIBFiJcmcyw=
-github.com/jackc/pgtype v1.8.1-0.20210724151600-32e20a603178/go.mod h1:C516IlIV9NKqfsMCXTdChteoXmwgUceqaLfjg2e3NlM=
-github.com/jackc/pgtype v1.14.0 h1:y+xUdabmyMkJLyApYuPj38mW+aAIqCe5uuBB51rH3Vw=
-github.com/jackc/pgtype v1.14.0/go.mod h1:LUMuVrfsFfdKGLw+AFFVv6KtHOFMwRgDDzBt76IqCA4=
-github.com/jackc/pgx/v4 v4.0.0-20190420224344-cc3461e65d96/go.mod h1:mdxmSJJuR08CZQyj1PVQBHy9XOp5p8/SHH6a0psbY9Y=
-github.com/jackc/pgx/v4 v4.0.0-20190421002000-1b8f0016e912/go.mod h1:no/Y67Jkk/9WuGR0JG/JseM9irFbnEPbuWV2EELPNuM=
-github.com/jackc/pgx/v4 v4.0.0-pre1.0.20190824185557-6972a5742186/go.mod h1:X+GQnOEnf1dqHGpw7JmHqHc1NxDoalibchSk9/RWuDc=
-github.com/jackc/pgx/v4 v4.12.1-0.20210724153913-640aa07df17c/go.mod h1:1QD0+tgSXP7iUjYm9C1NxKhny7lq6ee99u/z+IHFcgs=
-github.com/jackc/pgx/v4 v4.18.1 h1:YP7G1KABtKpB5IHrO9vYwSrCOhs7p3uqhvhhQBptya0=
-github.com/jackc/pgx/v4 v4.18.1/go.mod h1:FydWkUyadDmdNH/mHnGob881GawxeEm7TcMCzkb+qQE=
-github.com/jackc/puddle v0.0.0-20190413234325-e4ced69a3a2b/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
-github.com/jackc/puddle v0.0.0-20190608224051-11cab39313c9/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
-github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
-github.com/jackc/puddle v1.3.0/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
-github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
-github.com/jhump/protoreflect v1.15.1 h1:HUMERORf3I3ZdX05WaQ6MIpd/NJ434hTp5YiKgfCL6c=
-github.com/jimlambrt/gldap v0.1.4 h1:PoB5u4ND0E+6W99JtQJvcjGFw+iKi3Gx3M60oOJBOqE=
-github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
-github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
-github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
-github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
-github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.16.5 h1:IFV2oUNUzZaz+XyusxpLzpzS8Pt5rh0Z16For/djlyI=
-github.com/klauspost/compress v1.16.5/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
-github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
-github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
-github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
-github.com/lib/pq v1.1.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
-github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
-github.com/lib/pq v1.10.2 h1:AqzbZs4ZoCBp+GtejcpCpcxM3zlSMx29dXbUSeVtJb8=
-github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
-github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
-github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
-github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
-github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
-github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
-github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
-github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
-github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
-github.com/mattn/go-isatty v0.0.7/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
-github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
-github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
-github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng=
-github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/microsoft/go-mssqldb v1.5.0 h1:CgENxkwtOBNj3Jg6T1X209y2blCfTTcwuOlznd2k9fk=
-github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
-github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
-github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
-github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
-github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
-github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
-github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
-github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU=
-github.com/mitchellh/go-testing-interface v1.14.1/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8=
-github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
-github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
-github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
-github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
-github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
-github.com/moby/patternmatcher v0.5.0 h1:YCZgJOeULcxLw1Q+sVR636pmS7sPEn1Qo2iAN6M7DBo=
-github.com/moby/patternmatcher v0.5.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
-github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
-github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
-github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
-github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
-github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
-github.com/oklog/run v1.1.0 h1:GEenZ1cK0+q0+wsJew9qUg/DyD8k3JzYsZAi5gYi2mA=
-github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DVU=
-github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
-github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b h1:YWuSjZCQAPM8UUBLkYUk1e+rZcvWHJmFb6i6rM44Xs8=
-github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ=
-github.com/opencontainers/runc v1.1.6 h1:XbhB8IfG/EsnhNvZtNdLB0GBw92GYEFvKlhaJk9jUgA=
-github.com/opencontainers/runc v1.1.6/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50=
-github.com/pascaldekloe/goe v0.1.0 h1:cBOtyMzM9HTpWjXfbbunk26uA6nG3a8n06Wieeh0MwY=
-github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
-github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
-github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9FV9ix19jjM=
-github.com/pierrec/lz4 v2.6.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
-github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
-github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
-github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
-github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
-github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
-github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU=
-github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
-github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
-github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4=
-github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
-github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
-github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A=
-github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
-github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.8.1 h1:geMPLpDpQOgVyCg5z5GoRwLHepNdb71NXb67XFkP+Eg=
-github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o=
-github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
-github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=
-github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc=
-github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
-github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
-github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
-github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
-github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4=
-github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ=
-github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
-github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
-github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
-github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
-github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
-github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
-github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
-github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.3 h1:RP3t2pwF7cMEbC1dqtB6poj3niw/9gnV4Cjg5oW5gtY=
-github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
-github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
-go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
-go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
-go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
-go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
-go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
-go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
-go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
-go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
-go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
-go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
-go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
-go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
-go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU=
-go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA=
-go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
-go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
-go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM=
-golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190411191339-88737f569e3a/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
-golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
-golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
-golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
-golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
-golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
-golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
-golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
-golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
-golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
-golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
-golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
-golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
-golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
-golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
-golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.9.0 h1:KENHtAZL2y3NLMYZeHY9DW8HW8V+kQyJsY/V9JlKvCs=
-golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
-golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
-golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
-golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU=
-golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
-golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190129075346-302c3dd5f1cc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
-golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
-golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
-golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
-golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
-golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190425163242-31fd60d6bfdc/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20190823170909-c4a336ef6a2f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200103221440-774c71fcf114/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
-golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
-golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
-golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.7.0 h1:W4OVu8VVOaIO0yzWMNdepAulS7YfoS3Zabrm8DOXXU4=
-golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
-golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
-google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
-google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
-google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
-google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
-google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
-google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM=
-google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc=
-google.golang.org/api v0.32.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg=
-google.golang.org/api v0.134.0 h1:ktL4Goua+UBgoP1eL1/60LwZJqa1sIzkLmvoR3hR6Gw=
-google.golang.org/api v0.134.0/go.mod h1:sjRL3UnjTx5UqNQS9EWr9N8p7xbHpy1k0XGRLCf3Spk=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
-google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
-google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190404172233-64821d5d2107/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
-google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA=
-google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=
-google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
-google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b h1:+YaDE2r2OG8t/z5qmsh7Y+XXwCbvadxxZ0YY6mTdrVA=
-google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130 h1:XVeBY8d/FaK4848myy41HBqnDwvxeV3zMZhwN1TvAMU=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20231030173426-d783a09b4405 h1:AB/lmRny7e2pLhFEYIbl5qkDAUt2h0ZRO4wGPhZf+ik=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20231030173426-d783a09b4405/go.mod h1:67X1fPuzjcrkymZzZV1vvkFeTn2Rvc6lYF9MYFGCcwE=
-google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
-google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
-google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
-google.golang.org/grpc v1.22.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
-google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=
-google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
-google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
-google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ=
-google.golang.org/grpc v1.57.2 h1:uw37EN34aMFFXB2QPW7Tq6tdTbind1GpRxw5aOX3a5k=
-google.golang.org/grpc v1.57.2/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo=
-google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
-google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
-google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
-google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
-google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
-google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
-google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
-gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
-gopkg.in/inconshreveable/log15.v2 v2.0.0-20180818164646-67afb5ed74ec/go.mod h1:aPpfJ7XW+gOuirDoZ8gHhLh3kZ1B08FtV2bbmy7Jv3s=
-gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
-gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
-gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
-gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
-gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools/v3 v3.5.0 h1:Ljk6PdHdOhAb5aDMWXjDLMMhph+BpztA4v1QdqEW2eY=
-honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
-honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
-rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
-rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*OperatorRaftSnapshotSaveCommand)(nil)
+	_ cli.CommandAutocomplete = (*OperatorRaftSnapshotSaveCommand)(nil)
+)
+
+type OperatorRaftSnapshotSaveCommand struct {
+	*BaseCommand
+}
+
+func (c *OperatorRaftSnapshotSaveCommand) Synopsis() string {
+	return "Saves a snapshot of the current state of the Raft cluster into a file"
+}
+
+func (c *OperatorRaftSnapshotSaveCommand) Help() string {
+	helpText := `
+Usage: vault operator raft snapshot save <snapshot_file>
+
+  Saves a snapshot of the current state of the Raft cluster into a file.
+
+	  $ vault operator raft snapshot save raft.snap
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *OperatorRaftSnapshotSaveCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+
+	return set
+}
+
+func (c *OperatorRaftSnapshotSaveCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictAnything
+}
+
+func (c *OperatorRaftSnapshotSaveCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *OperatorRaftSnapshotSaveCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	path := ""
+
+	args = f.Args()
+	switch len(args) {
+	case 1:
+		path = strings.TrimSpace(args[0])
+	default:
+		c.UI.Error(fmt.Sprintf("Incorrect arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
+
+	if len(path) == 0 {
+		c.UI.Error("Output file name is required")
+		return 1
+	}
+
+	w := &lazyOpenWriter{
+		openFunc: func() (io.WriteCloser, error) {
+			return os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600)
+		},
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		w.Close()
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	err = client.Sys().RaftSnapshot(w)
+	if err != nil {
+		w.Close()
+		c.UI.Error(fmt.Sprintf("Error taking the snapshot: %s", err))
+		return 2
+	}
+
+	err = w.Close()
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error taking the snapshot: %s", err))
+		return 2
+	}
+	return 0
+}
+
+type lazyOpenWriter struct {
+	openFunc func() (io.WriteCloser, error)
+	writer   io.WriteCloser
+}
+
+func (l *lazyOpenWriter) Write(p []byte) (n int, err error) {
+	if l.writer == nil {
+		var err error
+		l.writer, err = l.openFunc()
+		if err != nil {
+			return 0, err
+		}
+	}
+	return l.writer.Write(p)
+}
+
+func (l *lazyOpenWriter) Close() error {
+	if l.writer != nil {
+		return l.writer.Close()
+	}
+	return nil
+}
diff --git a/sdk/helper/consts/consts.go b/sdk/helper/consts/consts.go
index 036ccf55d425..9b4841568281 100644
--- a/sdk/helper/consts/consts.go
+++ b/sdk/helper/consts/consts.go
@@ -1,46 +1,786 @@
 // Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: MPL-2.0
+// SPDX-License-Identifier: BUSL-1.1
 
-package consts
+package command
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	"github.com/fatih/structs"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/go-secure-stdlib/password"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/helper/pgpkeys"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*OperatorRekeyCommand)(nil)
+	_ cli.CommandAutocomplete = (*OperatorRekeyCommand)(nil)
+)
 
 const (
-	// ExpirationRestoreWorkerCount specifies the number of workers to use while
-	// restoring leases into the expiration manager
-	ExpirationRestoreWorkerCount = 64
+	keyTypeRecovery = "Recovery"
+	keyTypeUnseal   = "Unseal"
+)
 
-	// NamespaceHeaderName is the header set to specify which namespace the
-	// request is indented for.
-	NamespaceHeaderName = "X-Vault-Namespace"
+type OperatorRekeyCommand struct {
+	*BaseCommand
 
-	// AuthHeaderName is the name of the header containing the token.
-	AuthHeaderName = "X-Vault-Token"
+	flagCancel       bool
+	flagInit         bool
+	flagKeyShares    int
+	flagKeyThreshold int
+	flagNonce        string
+	flagPGPKeys      []string
+	flagStatus       bool
+	flagTarget       string
+	flagVerify       bool
 
-	// RequestHeaderName is the name of the header used by the Agent for
-	// SSRF protection.
-	RequestHeaderName = "X-Vault-Request"
+	// Backup options
+	flagBackup         bool
+	flagBackupDelete   bool
+	flagBackupRetrieve bool
 
-	// PerformanceReplicationALPN is the negotiated protocol used for
-	// performance replication.
-	PerformanceReplicationALPN = "replication_v1"
+	testStdin io.Reader // for tests
+}
 
-	// DRReplicationALPN is the negotiated protocol used for dr replication.
-	DRReplicationALPN = "replication_dr_v1"
+func (c *OperatorRekeyCommand) Synopsis() string {
+	return "Generates new unseal keys"
+}
 
-	PerfStandbyALPN = "perf_standby_v1"
+func (c *OperatorRekeyCommand) Help() string {
+	helpText := `
+Usage: vault operator rekey [options] [KEY]
 
-	RequestForwardingALPN = "req_fw_sb-act_v1"
+  Generates a new set of unseal keys. This can optionally change the total
+  number of key shares or the required threshold of those key shares to
+  reconstruct the root key. This operation is zero downtime, but it requires
+  the Vault is unsealed and a quorum of existing unseal keys are provided.
 
-	RaftStorageALPN = "raft_storage_v1"
+  An unseal key may be provided directly on the command line as an argument to
+  the command. If key is specified as "-", the command will read from stdin. If
+  a TTY is available, the command will prompt for text.
 
-	// ReplicationResolverALPN is the negotiated protocol used for
-	// resolving replicaiton addresses
-	ReplicationResolverALPN = "replication_resolver_v1"
+  If the flag -target=recovery is supplied, then this operation will require a
+  quorum of recovery keys in order to generate a new set of recovery keys. 
 
-	VaultEnableFilePermissionsCheckEnv = "VAULT_ENABLE_FILE_PERMISSIONS_CHECK"
+  Initialize a rekey:
 
-	VaultDisableUserLockout = "VAULT_DISABLE_USER_LOCKOUT"
+      $ vault operator rekey \
+          -init \
+          -key-shares=15 \
+          -key-threshold=9
 
-	PerformanceReplicationPathTarget = "performance"
+  Rekey and encrypt the resulting unseal keys with PGP:
 
-	DRReplicationPathTarget = "dr"
-)
+      $ vault operator rekey \
+          -init \
+          -key-shares=3 \
+          -key-threshold=2 \
+          -pgp-keys="keybase:hashicorp,keybase:jefferai,keybase:sethvargo"
+
+  Store encrypted PGP keys in Vault's core:
+
+      $ vault operator rekey \
+          -init \
+          -pgp-keys="..." \
+          -backup
+
+  Retrieve backed-up unseal keys:
+
+      $ vault operator rekey -backup-retrieve
+
+  Delete backed-up unseal keys:
+
+      $ vault operator rekey -backup-delete
+
+` + c.Flags().Help()
+	return strings.TrimSpace(helpText)
+}
+
+func (c *OperatorRekeyCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+
+	f := set.NewFlagSet("Common Options")
+
+	f.BoolVar(&BoolVar{
+		Name:    "init",
+		Target:  &c.flagInit,
+		Default: false,
+		Usage: "Initialize the rekeying operation. This can only be done if no " +
+			"rekeying operation is in progress. Customize the new number of key " +
+			"shares and key threshold using the -key-shares and -key-threshold " +
+			"flags.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "cancel",
+		Target:  &c.flagCancel,
+		Default: false,
+		Usage: "Reset the rekeying progress. This will discard any submitted " +
+			"unseal keys, recovery keys, or configuration.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "status",
+		Target:  &c.flagStatus,
+		Default: false,
+		Usage: "Print the status of the current attempt without providing an " +
+			"unseal or recovery key.",
+	})
+
+	f.IntVar(&IntVar{
+		Name:       "key-shares",
+		Aliases:    []string{"n"},
+		Target:     &c.flagKeyShares,
+		Default:    5,
+		Completion: complete.PredictAnything,
+		Usage: "Number of key shares to split the generated root key into. " +
+			"This is the number of \"unseal keys\" or \"recovery keys\" to generate.",
+	})
+
+	f.IntVar(&IntVar{
+		Name:       "key-threshold",
+		Aliases:    []string{"t"},
+		Target:     &c.flagKeyThreshold,
+		Default:    3,
+		Completion: complete.PredictAnything,
+		Usage: "Number of key shares required to reconstruct the root key. " +
+			"This must be less than or equal to -key-shares.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "nonce",
+		Target:     &c.flagNonce,
+		Default:    "",
+		EnvVar:     "",
+		Completion: complete.PredictAnything,
+		Usage: "Nonce value provided at initialization. The same nonce value " +
+			"must be provided with each unseal or recovery key.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "target",
+		Target:     &c.flagTarget,
+		Default:    "barrier",
+		EnvVar:     "",
+		Completion: complete.PredictSet("barrier", "recovery"),
+		Usage: "Target for rekeying. \"recovery\" only applies when HSM support " +
+			"is enabled.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "verify",
+		Target:  &c.flagVerify,
+		Default: false,
+		Usage: "Indicates that the action (-status, -cancel, or providing a key " +
+			"share) will be affecting verification for the current rekey " +
+			"attempt.",
+	})
+
+	f.VarFlag(&VarFlag{
+		Name:       "pgp-keys",
+		Value:      (*pgpkeys.PubKeyFilesFlag)(&c.flagPGPKeys),
+		Completion: complete.PredictAnything,
+		Usage: "Comma-separated list of paths to files on disk containing " +
+			"public PGP keys OR a comma-separated list of Keybase usernames using " +
+			"the format \"keybase:<username>\". When supplied, the generated " +
+			"unseal or recovery keys will be encrypted and base64-encoded in the order " +
+			"specified in this list.",
+	})
+
+	f = set.NewFlagSet("Backup Options")
+
+	f.BoolVar(&BoolVar{
+		Name:    "backup",
+		Target:  &c.flagBackup,
+		Default: false,
+		Usage: "Store a backup of the current PGP encrypted unseal or recovery keys in " +
+			"Vault's core. The encrypted values can be recovered in the event of " +
+			"failure or discarded after success. See the -backup-delete and " +
+			"-backup-retrieve options for more information. This option only " +
+			"applies when the existing unseal or recovery keys were PGP encrypted.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "backup-delete",
+		Target:  &c.flagBackupDelete,
+		Default: false,
+		Usage:   "Delete any stored backup unseal or recovery keys.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "backup-retrieve",
+		Target:  &c.flagBackupRetrieve,
+		Default: false,
+		Usage: "Retrieve the backed-up unseal or recovery keys. This option is only available " +
+			"if the PGP keys were provided and the backup has not been deleted.",
+	})
+
+	return set
+}
+
+func (c *OperatorRekeyCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictAnything
+}
+
+func (c *OperatorRekeyCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *OperatorRekeyCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	if len(args) > 1 {
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0-1, got %d)", len(args)))
+		return 1
+	}
+
+	// Create the client
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	switch {
+	case c.flagBackupDelete:
+		return c.backupDelete(client)
+	case c.flagBackupRetrieve:
+		return c.backupRetrieve(client)
+	case c.flagCancel:
+		return c.cancel(client)
+	case c.flagInit:
+		return c.init(client)
+	case c.flagStatus:
+		return c.status(client)
+	default:
+		// If there are no other flags, prompt for an unseal key.
+		key := ""
+		if len(args) > 0 {
+			key = strings.TrimSpace(args[0])
+		}
+		return c.provide(client, key)
+	}
+}
+
+// init starts the rekey process.
+func (c *OperatorRekeyCommand) init(client *api.Client) int {
+	// Handle the different API requests
+	var fn func(*api.RekeyInitRequest) (*api.RekeyStatusResponse, error)
+	keyTypeRequired := keyTypeUnseal
+	switch strings.ToLower(strings.TrimSpace(c.flagTarget)) {
+	case "barrier":
+		fn = client.Sys().RekeyInit
+	case "recovery", "hsm":
+		keyTypeRequired = keyTypeRecovery
+		fn = client.Sys().RekeyRecoveryKeyInit
+	default:
+		c.UI.Error(fmt.Sprintf("Unknown target: %s", c.flagTarget))
+		return 1
+	}
+
+	// Make the request
+	status, err := fn(&api.RekeyInitRequest{
+		SecretShares:        c.flagKeyShares,
+		SecretThreshold:     c.flagKeyThreshold,
+		PGPKeys:             c.flagPGPKeys,
+		Backup:              c.flagBackup,
+		RequireVerification: c.flagVerify,
+	})
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error initializing rekey: %s", err))
+		return 2
+	}
+
+	// Print warnings about recovery, etc.
+	if len(c.flagPGPKeys) == 0 {
+		if Format(c.UI) == "table" {
+			c.UI.Warn(wrapAtLength(
+				fmt.Sprintf("WARNING! If you lose the keys after they are returned, there is no "+
+					"recovery. Consider canceling this operation and re-initializing "+
+					"with the -pgp-keys flag to protect the returned %s keys along "+
+					"with -backup to allow recovery of the encrypted keys in case of "+
+					"emergency. You can delete the stored keys later using the -delete "+
+					"flag.", strings.ToLower(keyTypeRequired))))
+			c.UI.Output("")
+		}
+	}
+	if len(c.flagPGPKeys) > 0 && !c.flagBackup {
+		if Format(c.UI) == "table" {
+			c.UI.Warn(wrapAtLength(
+				fmt.Sprintf("WARNING! You are using PGP keys for encrypted the resulting %s "+
+					"keys, but you did not enable the option to backup the keys to "+
+					"Vault's core. If you lose the encrypted keys after they are "+
+					"returned, you will not be able to recover them. Consider canceling "+
+					"this operation and re-running with -backup to allow recovery of the "+
+					"encrypted unseal keys in case of emergency. You can delete the "+
+					"stored keys later using the -delete flag.", strings.ToLower(keyTypeRequired))))
+			c.UI.Output("")
+		}
+	}
+
+	// Provide the current status
+	return c.printStatus(status)
+}
+
+// cancel is used to abort the rekey process.
+func (c *OperatorRekeyCommand) cancel(client *api.Client) int {
+	// Handle the different API requests
+	var fn func() error
+	switch strings.ToLower(strings.TrimSpace(c.flagTarget)) {
+	case "barrier":
+		fn = client.Sys().RekeyCancel
+		if c.flagVerify {
+			fn = client.Sys().RekeyVerificationCancel
+		}
+	case "recovery", "hsm":
+		fn = client.Sys().RekeyRecoveryKeyCancel
+		if c.flagVerify {
+			fn = client.Sys().RekeyRecoveryKeyVerificationCancel
+		}
+
+	default:
+		c.UI.Error(fmt.Sprintf("Unknown target: %s", c.flagTarget))
+		return 1
+	}
+
+	// Make the request
+	if err := fn(); err != nil {
+		c.UI.Error(fmt.Sprintf("Error canceling rekey: %s", err))
+		return 2
+	}
+
+	c.UI.Output("Success! Canceled rekeying (if it was started)")
+	return 0
+}
+
+// provide prompts the user for the seal key and posts it to the update root
+// endpoint. If this is the last unseal, this function outputs it.
+func (c *OperatorRekeyCommand) provide(client *api.Client, key string) int {
+	var statusFn func() (interface{}, error)
+	var updateFn func(string, string) (interface{}, error)
+	keyTypeRequired := keyTypeUnseal
+	switch strings.ToLower(strings.TrimSpace(c.flagTarget)) {
+	case "barrier":
+		statusFn = func() (interface{}, error) {
+			return client.Sys().RekeyStatus()
+		}
+		updateFn = func(s1 string, s2 string) (interface{}, error) {
+			return client.Sys().RekeyUpdate(s1, s2)
+		}
+		if c.flagVerify {
+			statusFn = func() (interface{}, error) {
+				return client.Sys().RekeyVerificationStatus()
+			}
+			updateFn = func(s1 string, s2 string) (interface{}, error) {
+				return client.Sys().RekeyVerificationUpdate(s1, s2)
+			}
+		}
+	case "recovery", "hsm":
+		keyTypeRequired = keyTypeRecovery
+		statusFn = func() (interface{}, error) {
+			return client.Sys().RekeyRecoveryKeyStatus()
+		}
+		updateFn = func(s1 string, s2 string) (interface{}, error) {
+			return client.Sys().RekeyRecoveryKeyUpdate(s1, s2)
+		}
+		if c.flagVerify {
+			statusFn = func() (interface{}, error) {
+				return client.Sys().RekeyRecoveryKeyVerificationStatus()
+			}
+			updateFn = func(s1 string, s2 string) (interface{}, error) {
+				return client.Sys().RekeyRecoveryKeyVerificationUpdate(s1, s2)
+			}
+		}
+	default:
+		c.UI.Error(fmt.Sprintf("Unknown target: %s", c.flagTarget))
+		return 1
+	}
+
+	status, err := statusFn()
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error getting rekey status: %s", err))
+		return 2
+	}
+
+	var started bool
+	var nonce string
+
+	switch status := status.(type) {
+	case *api.RekeyStatusResponse:
+		stat := status
+		started = stat.Started
+		nonce = stat.Nonce
+	case *api.RekeyVerificationStatusResponse:
+		stat := status
+		started = stat.Started
+		nonce = stat.Nonce
+	default:
+		c.UI.Error("Unknown status type")
+		return 1
+	}
+
+	// Verify a root token generation is in progress. If there is not one in
+	// progress, return an error instructing the user to start one.
+	if !started {
+		c.UI.Error(wrapAtLength(
+			"No rekey is in progress. Start a rekey process by running " +
+				"\"vault operator rekey -init\"."))
+		return 1
+	}
+
+	switch key {
+	case "-": // Read from stdin
+		nonce = c.flagNonce
+
+		// Pull our fake stdin if needed
+		stdin := (io.Reader)(os.Stdin)
+		if c.testStdin != nil {
+			stdin = c.testStdin
+		}
+
+		var buf bytes.Buffer
+		if _, err := io.Copy(&buf, stdin); err != nil {
+			c.UI.Error(fmt.Sprintf("Failed to read from stdin: %s", err))
+			return 1
+		}
+
+		key = buf.String()
+	case "": // Prompt using the tty
+		// Nonce value is not required if we are prompting via the terminal
+		w := getWriterFromUI(c.UI)
+		fmt.Fprintf(w, "Rekey operation nonce: %s\n", nonce)
+		fmt.Fprintf(w, "%s Key (will be hidden): ", keyTypeRequired)
+		key, err = password.Read(os.Stdin)
+		fmt.Fprintf(w, "\n")
+		if err != nil {
+			if err == password.ErrInterrupted {
+				c.UI.Error("user canceled")
+				return 1
+			}
+
+			c.UI.Error(wrapAtLength(fmt.Sprintf("An error occurred attempting to "+
+				"ask for the %s key. The raw error message is shown below, but "+
+				"usually this is because you attempted to pipe a value into the "+
+				"command or you are executing outside of a terminal (tty). If you "+
+				"want to pipe the value, pass \"-\" as the argument to read from "+
+				"stdin. The raw error was: %s", strings.ToLower(keyTypeRequired), err)))
+			return 1
+		}
+	default: // Supplied directly as an arg
+		nonce = c.flagNonce
+	}
+
+	// Trim any whitespace from they key, especially since we might have
+	// prompted the user for it.
+	key = strings.TrimSpace(key)
+
+	// Verify we have a nonce value
+	if nonce == "" {
+		c.UI.Error("Missing nonce value: specify it via the -nonce flag")
+		return 1
+	}
+
+	// Provide the key, this may potentially complete the update
+	resp, err := updateFn(key, nonce)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error posting unseal key: %s", err))
+		return 2
+	}
+
+	var complete bool
+	var mightContainUnsealKeys bool
+
+	switch resp := resp.(type) {
+	case *api.RekeyUpdateResponse:
+		complete = resp.Complete
+		mightContainUnsealKeys = true
+	case *api.RekeyVerificationUpdateResponse:
+		complete = resp.Complete
+	default:
+		c.UI.Error("Unknown update response type")
+		return 1
+	}
+
+	if !complete {
+		return c.status(client)
+	}
+
+	if mightContainUnsealKeys {
+		return c.printUnsealKeys(client, status.(*api.RekeyStatusResponse),
+			resp.(*api.RekeyUpdateResponse))
+	}
+
+	c.UI.Output(wrapAtLength("Rekey verification successful. The rekey operation is complete and the new keys are now active."))
+	return 0
+}
+
+// status is used just to fetch and dump the status.
+func (c *OperatorRekeyCommand) status(client *api.Client) int {
+	// Handle the different API requests
+	var fn func() (interface{}, error)
+	switch strings.ToLower(strings.TrimSpace(c.flagTarget)) {
+	case "barrier":
+		fn = func() (interface{}, error) {
+			return client.Sys().RekeyStatus()
+		}
+		if c.flagVerify {
+			fn = func() (interface{}, error) {
+				return client.Sys().RekeyVerificationStatus()
+			}
+		}
+	case "recovery", "hsm":
+		fn = func() (interface{}, error) {
+			return client.Sys().RekeyRecoveryKeyStatus()
+		}
+		if c.flagVerify {
+			fn = func() (interface{}, error) {
+				return client.Sys().RekeyRecoveryKeyVerificationStatus()
+			}
+		}
+	default:
+		c.UI.Error(fmt.Sprintf("Unknown target: %s", c.flagTarget))
+		return 1
+	}
+
+	// Make the request
+	status, err := fn()
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error reading rekey status: %s", err))
+		return 2
+	}
+
+	return c.printStatus(status)
+}
+
+// backupRetrieve retrieves the stored backup keys.
+func (c *OperatorRekeyCommand) backupRetrieve(client *api.Client) int {
+	// Handle the different API requests
+	var fn func() (*api.RekeyRetrieveResponse, error)
+	switch strings.ToLower(strings.TrimSpace(c.flagTarget)) {
+	case "barrier":
+		fn = client.Sys().RekeyRetrieveBackup
+	case "recovery", "hsm":
+		fn = client.Sys().RekeyRetrieveRecoveryBackup
+	default:
+		c.UI.Error(fmt.Sprintf("Unknown target: %s", c.flagTarget))
+		return 1
+	}
+
+	// Make the request
+	storedKeys, err := fn()
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error retrieving rekey stored keys: %s", err))
+		return 2
+	}
+
+	secret := &api.Secret{
+		Data: structs.New(storedKeys).Map(),
+	}
+
+	return OutputSecret(c.UI, secret)
+}
+
+// backupDelete deletes the stored backup keys.
+func (c *OperatorRekeyCommand) backupDelete(client *api.Client) int {
+	// Handle the different API requests
+	var fn func() error
+	switch strings.ToLower(strings.TrimSpace(c.flagTarget)) {
+	case "barrier":
+		fn = client.Sys().RekeyDeleteBackup
+	case "recovery", "hsm":
+		fn = client.Sys().RekeyDeleteRecoveryBackup
+	default:
+		c.UI.Error(fmt.Sprintf("Unknown target: %s", c.flagTarget))
+		return 1
+	}
+
+	// Make the request
+	if err := fn(); err != nil {
+		c.UI.Error(fmt.Sprintf("Error deleting rekey stored keys: %s", err))
+		return 2
+	}
+
+	c.UI.Output("Success! Delete stored keys (if they existed)")
+	return 0
+}
+
+// printStatus dumps the status to output
+func (c *OperatorRekeyCommand) printStatus(in interface{}) int {
+	out := []string{}
+	out = append(out, "Key | Value")
+
+	switch in := in.(type) {
+	case *api.RekeyStatusResponse:
+		status := in
+		out = append(out, fmt.Sprintf("Nonce | %s", status.Nonce))
+		out = append(out, fmt.Sprintf("Started | %t", status.Started))
+		if status.Started {
+			if status.Progress == status.Required {
+				out = append(out, fmt.Sprintf("Rekey Progress | %d/%d (verification in progress)", status.Progress, status.Required))
+			} else {
+				out = append(out, fmt.Sprintf("Rekey Progress | %d/%d", status.Progress, status.Required))
+			}
+			out = append(out, fmt.Sprintf("New Shares | %d", status.N))
+			out = append(out, fmt.Sprintf("New Threshold | %d", status.T))
+			out = append(out, fmt.Sprintf("Verification Required | %t", status.VerificationRequired))
+			if status.VerificationNonce != "" {
+				out = append(out, fmt.Sprintf("Verification Nonce | %s", status.VerificationNonce))
+			}
+		}
+		if len(status.PGPFingerprints) > 0 {
+			out = append(out, fmt.Sprintf("PGP Fingerprints | %s", status.PGPFingerprints))
+			out = append(out, fmt.Sprintf("Backup | %t", status.Backup))
+		}
+	case *api.RekeyVerificationStatusResponse:
+		status := in
+		out = append(out, fmt.Sprintf("Started | %t", status.Started))
+		out = append(out, fmt.Sprintf("New Shares | %d", status.N))
+		out = append(out, fmt.Sprintf("New Threshold | %d", status.T))
+		out = append(out, fmt.Sprintf("Verification Nonce | %s", status.Nonce))
+		out = append(out, fmt.Sprintf("Verification Progress | %d/%d", status.Progress, status.T))
+	default:
+		c.UI.Error("Unknown status type")
+		return 1
+	}
+
+	switch Format(c.UI) {
+	case "table":
+		c.UI.Output(tableOutput(out, nil))
+		return 0
+	default:
+		return OutputData(c.UI, in)
+	}
+}
+
+func (c *OperatorRekeyCommand) printUnsealKeys(client *api.Client, status *api.RekeyStatusResponse, resp *api.RekeyUpdateResponse) int {
+	switch Format(c.UI) {
+	case "table":
+	default:
+		return OutputData(c.UI, resp)
+	}
+
+	// Space between the key prompt, if any, and the output
+	c.UI.Output("")
+
+	// Provide the keys
+	var haveB64 bool
+	if resp.KeysB64 != nil && len(resp.KeysB64) == len(resp.Keys) {
+		haveB64 = true
+	}
+	for i, key := range resp.Keys {
+		if len(resp.PGPFingerprints) > 0 {
+			if haveB64 {
+				c.UI.Output(fmt.Sprintf("Key %d fingerprint: %s; value: %s", i+1, resp.PGPFingerprints[i], resp.KeysB64[i]))
+			} else {
+				c.UI.Output(fmt.Sprintf("Key %d fingerprint: %s; value: %s", i+1, resp.PGPFingerprints[i], key))
+			}
+		} else {
+			if haveB64 {
+				c.UI.Output(fmt.Sprintf("Key %d: %s", i+1, resp.KeysB64[i]))
+			} else {
+				c.UI.Output(fmt.Sprintf("Key %d: %s", i+1, key))
+			}
+		}
+	}
+
+	c.UI.Output("")
+	c.UI.Output(fmt.Sprintf("Operation nonce: %s", resp.Nonce))
+
+	if len(resp.PGPFingerprints) > 0 && resp.Backup {
+		c.UI.Output("")
+		switch strings.ToLower(strings.TrimSpace(c.flagTarget)) {
+		case "barrier":
+			c.UI.Output(wrapAtLength(fmt.Sprintf(
+				"The encrypted unseal keys are backed up to \"core/unseal-keys-backup\" " +
+					"in the storage backend. Remove these keys at any time using " +
+					"\"vault operator rekey -backup-delete\". Vault does not automatically " +
+					"remove these keys.",
+			)))
+		case "recovery", "hsm":
+			c.UI.Output(wrapAtLength(fmt.Sprintf(
+				"The encrypted recovery keys are backed up to \"core/recovery-keys-backup\" " +
+					"in the storage backend. Remove these keys at any time using " +
+					"\"vault operator rekey -backup-delete -target=recovery\". Vault does not automatically " +
+					"remove these keys.",
+			)))
+		}
+	}
+
+	switch status.VerificationRequired {
+	case false:
+		c.UI.Output("")
+		switch strings.ToLower(strings.TrimSpace(c.flagTarget)) {
+		case "barrier":
+			c.UI.Output(wrapAtLength(fmt.Sprintf(
+				"Vault unseal keys rekeyed with %d key shares and a key threshold of %d. Please "+
+					"securely distribute the key shares printed above. When Vault is "+
+					"re-sealed, restarted, or stopped, you must supply at least %d of "+
+					"these keys to unseal it before it can start servicing requests.",
+				status.N,
+				status.T,
+				status.T)))
+		case "recovery", "hsm":
+			c.UI.Output(wrapAtLength(fmt.Sprintf(
+				"Vault recovery keys rekeyed with %d key shares and a key threshold of %d. Please "+
+					"securely distribute the key shares printed above.",
+				status.N,
+				status.T)))
+		}
+
+	default:
+		c.UI.Output("")
+		var warningText string
+		switch strings.ToLower(strings.TrimSpace(c.flagTarget)) {
+		case "barrier":
+			c.UI.Output(wrapAtLength(fmt.Sprintf(
+				"Vault has created a new unseal key, split into %d key shares and a key threshold "+
+					"of %d. These will not be active until after verification is complete. "+
+					"Please securely distribute the key shares printed above. When Vault "+
+					"is re-sealed, restarted, or stopped, you must supply at least %d of "+
+					"these keys to unseal it before it can start servicing requests.",
+				status.N,
+				status.T,
+				status.T)))
+			warningText = "unseal"
+		case "recovery", "hsm":
+			c.UI.Output(wrapAtLength(fmt.Sprintf(
+				"Vault has created a new recovery key, split into %d key shares and a key threshold "+
+					"of %d. These will not be active until after verification is complete. "+
+					"Please securely distribute the key shares printed above.",
+				status.N,
+				status.T)))
+			warningText = "authenticate with"
+
+		}
+		c.UI.Output("")
+		c.UI.Warn(wrapAtLength(fmt.Sprintf(
+			"Again, these key shares are _not_ valid until verification is performed. "+
+				"Do not lose or discard your current key shares until after verification "+
+				"is complete or you will be unable to %s Vault. If you cancel the "+
+				"rekey process or seal Vault before verification is complete the new "+
+				"shares will be discarded and the current shares will remain valid.", warningText)))
+		c.UI.Output("")
+		c.UI.Warn(wrapAtLength(
+			"The current verification status, including initial nonce, is shown below.",
+		))
+		c.UI.Output("")
+
+		c.flagVerify = true
+		return c.status(client)
+	}
+
+	return 0
+}
diff --git a/sdk/helper/ocsp/client.go b/sdk/helper/ocsp/client.go
index c1b9c2fbc37a..b21d9c367b32 100644
--- a/sdk/helper/ocsp/client.go
+++ b/sdk/helper/ocsp/client.go
@@ -1,1165 +1,687 @@
-// Copyright (c) 2017-2022 Snowflake Computing Inc. All rights reserved.
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
 
-package ocsp
+//go:build !race
+
+package command
 
 import (
-	"bytes"
-	"context"
-	"crypto"
-	"crypto/tls"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/asn1"
-	"encoding/base64"
-	"errors"
-	"fmt"
 	"io"
-	"math/big"
-	"net"
-	"net/http"
-	"net/url"
-	"strconv"
+	"reflect"
+	"regexp"
 	"strings"
-	"sync"
-	"time"
-
-	"github.com/hashicorp/go-hclog"
-	"github.com/hashicorp/go-multierror"
-	"github.com/hashicorp/go-retryablehttp"
-	lru "github.com/hashicorp/golang-lru"
-	"github.com/hashicorp/vault/sdk/helper/certutil"
-	"golang.org/x/crypto/ocsp"
-)
-
-// FailOpenMode is OCSP fail open mode. FailOpenTrue by default and may
-// set to ocspModeFailClosed for fail closed mode
-type FailOpenMode uint32
-
-type requestFunc func(method, urlStr string, body interface{}) (*retryablehttp.Request, error)
+	"testing"
 
-type clientInterface interface {
-	Do(req *retryablehttp.Request) (*http.Response, error)
-}
+	"github.com/hashicorp/vault/sdk/helper/roottoken"
 
-const (
-	httpHeaderContentType   = "Content-Type"
-	httpHeaderAccept        = "accept"
-	httpHeaderContentLength = "Content-Length"
-	httpHeaderHost          = "Host"
-	ocspRequestContentType  = "application/ocsp-request"
-	ocspResponseContentType = "application/ocsp-response"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
 )
 
-const (
-	ocspFailOpenNotSet FailOpenMode = iota
-	// FailOpenTrue represents OCSP fail open mode.
-	FailOpenTrue
-	// FailOpenFalse represents OCSP fail closed mode.
-	FailOpenFalse
-)
+func testOperatorRekeyCommand(tb testing.TB) (*cli.MockUi, *OperatorRekeyCommand) {
+	tb.Helper()
 
-const (
-	ocspModeFailOpen   = "FAIL_OPEN"
-	ocspModeFailClosed = "FAIL_CLOSED"
-	ocspModeInsecure   = "INSECURE"
-)
+	ui := cli.NewMockUi()
+	return ui, &OperatorRekeyCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
 
-const ocspCacheKey = "ocsp_cache"
+func TestOperatorRekeyCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"pgp_keys_multi",
+			[]string{
+				"-init",
+				"-pgp-keys", "keybase:hashicorp",
+				"-pgp-keys", "keybase:jefferai",
+			},
+			"can only be specified once",
+			1,
+		},
+		{
+			"key_shares_pgp_less",
+			[]string{
+				"-init",
+				"-key-shares", "10",
+				"-pgp-keys", "keybase:jefferai,keybase:sethvargo",
+			},
+			"incorrect number",
+			2,
+		},
+		{
+			"key_shares_pgp_more",
+			[]string{
+				"-init",
+				"-key-shares", "1",
+				"-pgp-keys", "keybase:jefferai,keybase:sethvargo",
+			},
+			"incorrect number",
+			2,
+		},
+	}
 
-const (
-	// defaultOCSPResponderTimeout is the total timeout for OCSP responder.
-	defaultOCSPResponderTimeout = 10 * time.Second
-)
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
 
-const (
-	// cacheExpire specifies cache data expiration time in seconds.
-	cacheExpire = float64(24 * 60 * 60)
-)
+		for _, tc := range cases {
+			tc := tc
 
-type ocspCachedResponse struct {
-	time       float64
-	producedAt float64
-	thisUpdate float64
-	nextUpdate float64
-	status     ocspStatusCode
-}
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
 
-type Client struct {
-	// caRoot includes the CA certificates.
-	caRoot map[string]*x509.Certificate
-	// certPool includes the CA certificates.
-	certPool              *x509.CertPool
-	ocspResponseCache     *lru.TwoQueueCache
-	ocspResponseCacheLock sync.RWMutex
-	// cacheUpdated is true if the memory cache is updated
-	cacheUpdated bool
-	logFactory   func() hclog.Logger
-}
+				client, closer := testVaultServer(t)
+				defer closer()
 
-type ocspStatusCode int
+				ui, cmd := testOperatorRekeyCommand(t)
+				cmd.client = client
 
-type ocspStatus struct {
-	code ocspStatusCode
-	err  error
-}
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
 
-const (
-	ocspSuccess                ocspStatusCode = 0
-	ocspStatusGood             ocspStatusCode = -1
-	ocspStatusRevoked          ocspStatusCode = -2
-	ocspStatusUnknown          ocspStatusCode = -3
-	ocspStatusOthers           ocspStatusCode = -4
-	ocspFailedDecomposeRequest ocspStatusCode = -5
-	ocspInvalidValidity        ocspStatusCode = -6
-	ocspMissedCache            ocspStatusCode = -7
-	ocspCacheExpired           ocspStatusCode = -8
-)
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
+	})
 
-// copied from crypto/ocsp.go
-type certID struct {
-	HashAlgorithm pkix.AlgorithmIdentifier
-	NameHash      []byte
-	IssuerKeyHash []byte
-	SerialNumber  *big.Int
-}
+	t.Run("status", func(t *testing.T) {
+		t.Parallel()
 
-// cache key
-type certIDKey struct {
-	NameHash      string
-	IssuerKeyHash string
-	SerialNumber  string
-}
+		client, closer := testVaultServer(t)
+		defer closer()
 
-// copied from crypto/ocsp
-var hashOIDs = map[crypto.Hash]asn1.ObjectIdentifier{
-	crypto.SHA1:   asn1.ObjectIdentifier([]int{1, 3, 14, 3, 2, 26}),
-	crypto.SHA256: asn1.ObjectIdentifier([]int{2, 16, 840, 1, 101, 3, 4, 2, 1}),
-	crypto.SHA384: asn1.ObjectIdentifier([]int{2, 16, 840, 1, 101, 3, 4, 2, 2}),
-	crypto.SHA512: asn1.ObjectIdentifier([]int{2, 16, 840, 1, 101, 3, 4, 2, 3}),
-}
+		ui, cmd := testOperatorRekeyCommand(t)
+		cmd.client = client
 
-// copied from crypto/ocsp
-func getOIDFromHashAlgorithm(target crypto.Hash) (asn1.ObjectIdentifier, error) {
-	for hash, oid := range hashOIDs {
-		if hash == target {
-			return oid, nil
+		// Verify the non-init response
+		code := cmd.Run([]string{
+			"-status",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
 		}
-	}
-	return nil, fmt.Errorf("no valid OID is found for the hash algorithm: %v", target)
-}
-
-func (c *Client) ClearCache() {
-	c.ocspResponseCache.Purge()
-}
 
-func (c *Client) getHashAlgorithmFromOID(target pkix.AlgorithmIdentifier) crypto.Hash {
-	for hash, oid := range hashOIDs {
-		if oid.Equal(target.Algorithm) {
-			return hash
+		expected := "Nonce"
+		combined := ui.OutputWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
 		}
-	}
-	// no valid hash algorithm is found for the oid. Falling back to SHA1
-	return crypto.SHA1
-}
-
-// isInValidityRange checks the validity
-func isInValidityRange(currTime, nextUpdate time.Time) bool {
-	return !nextUpdate.IsZero() && !currTime.After(nextUpdate)
-}
 
-func extractCertIDKeyFromRequest(ocspReq []byte) (*certIDKey, *ocspStatus) {
-	r, err := ocsp.ParseRequest(ocspReq)
-	if err != nil {
-		return nil, &ocspStatus{
-			code: ocspFailedDecomposeRequest,
-			err:  err,
+		// Now init to verify the init response
+		if _, err := client.Sys().RekeyInit(&api.RekeyInitRequest{
+			SecretShares:    1,
+			SecretThreshold: 1,
+		}); err != nil {
+			t.Fatal(err)
 		}
-	}
 
-	// encode CertID, used as a key in the cache
-	encodedCertID := &certIDKey{
-		base64.StdEncoding.EncodeToString(r.IssuerNameHash),
-		base64.StdEncoding.EncodeToString(r.IssuerKeyHash),
-		r.SerialNumber.String(),
-	}
-	return encodedCertID, &ocspStatus{
-		code: ocspSuccess,
-	}
-}
+		// Verify the init response
+		ui, cmd = testOperatorRekeyCommand(t)
+		cmd.client = client
+		code = cmd.Run([]string{
+			"-status",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
+		}
 
-func (c *Client) encodeCertIDKey(certIDKeyBase64 string) (*certIDKey, error) {
-	r, err := base64.StdEncoding.DecodeString(certIDKeyBase64)
-	if err != nil {
-		return nil, err
-	}
-	var cid certID
-	rest, err := asn1.Unmarshal(r, &cid)
-	if err != nil {
-		// error in parsing
-		return nil, err
-	}
-	if len(rest) > 0 {
-		// extra bytes to the end
-		return nil, err
-	}
-	return &certIDKey{
-		base64.StdEncoding.EncodeToString(cid.NameHash),
-		base64.StdEncoding.EncodeToString(cid.IssuerKeyHash),
-		cid.SerialNumber.String(),
-	}, nil
-}
+		expected = "Progress"
+		combined = ui.OutputWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
 
-func (c *Client) checkOCSPResponseCache(encodedCertID *certIDKey, subject, issuer *x509.Certificate) (*ocspStatus, error) {
-	c.ocspResponseCacheLock.RLock()
-	var cacheValue *ocspCachedResponse
-	v, ok := c.ocspResponseCache.Get(*encodedCertID)
-	if ok {
-		cacheValue = v.(*ocspCachedResponse)
-	}
-	c.ocspResponseCacheLock.RUnlock()
+	t.Run("cancel", func(t *testing.T) {
+		t.Parallel()
 
-	status, err := c.extractOCSPCacheResponseValue(cacheValue, subject, issuer)
-	if err != nil {
-		return nil, err
-	}
-	if !isValidOCSPStatus(status.code) {
-		c.deleteOCSPCache(encodedCertID)
-	}
-	return status, err
-}
+		client, closer := testVaultServer(t)
+		defer closer()
 
-func (c *Client) deleteOCSPCache(encodedCertID *certIDKey) {
-	c.ocspResponseCacheLock.Lock()
-	c.ocspResponseCache.Remove(*encodedCertID)
-	c.cacheUpdated = true
-	c.ocspResponseCacheLock.Unlock()
-}
+		// Initialize a rekey
+		if _, err := client.Sys().RekeyInit(&api.RekeyInitRequest{
+			SecretShares:    1,
+			SecretThreshold: 1,
+		}); err != nil {
+			t.Fatal(err)
+		}
 
-func validateOCSP(ocspRes *ocsp.Response) (*ocspStatus, error) {
-	curTime := time.Now()
+		ui, cmd := testOperatorRekeyCommand(t)
+		cmd.client = client
 
-	if ocspRes == nil {
-		return nil, errors.New("OCSP Response is nil")
-	}
-	if !isInValidityRange(curTime, ocspRes.NextUpdate) {
-		return &ocspStatus{
-			code: ocspInvalidValidity,
-			err:  fmt.Errorf("invalid validity: producedAt: %v, thisUpdate: %v, nextUpdate: %v", ocspRes.ProducedAt, ocspRes.ThisUpdate, ocspRes.NextUpdate),
-		}, nil
-	}
-	return returnOCSPStatus(ocspRes), nil
-}
+		code := cmd.Run([]string{
+			"-cancel",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
 
-func returnOCSPStatus(ocspRes *ocsp.Response) *ocspStatus {
-	switch ocspRes.Status {
-	case ocsp.Good:
-		return &ocspStatus{
-			code: ocspStatusGood,
-			err:  nil,
+		expected := "Success! Canceled rekeying"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
 		}
-	case ocsp.Revoked:
-		return &ocspStatus{
-			code: ocspStatusRevoked,
+
+		status, err := client.Sys().GenerateRootStatus()
+		if err != nil {
+			t.Fatal(err)
 		}
-	case ocsp.Unknown:
-		return &ocspStatus{
-			code: ocspStatusUnknown,
-			err:  errors.New("OCSP status unknown."),
+
+		if status.Started {
+			t.Errorf("expected status to be canceled: %#v", status)
 		}
-	default:
-		return &ocspStatus{
-			code: ocspStatusOthers,
-			err:  fmt.Errorf("OCSP others. %v", ocspRes.Status),
+	})
+
+	t.Run("init", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		ui, cmd := testOperatorRekeyCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"-init",
+			"-key-shares", "1",
+			"-key-threshold", "1",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
 		}
-	}
-}
 
-// retryOCSP is the second level of retry method if the returned contents are corrupted. It often happens with OCSP
-// serer and retry helps.
-func (c *Client) retryOCSP(
-	ctx context.Context,
-	client clientInterface,
-	req requestFunc,
-	ocspHost *url.URL,
-	headers map[string]string,
-	reqBody []byte,
-	issuer *x509.Certificate,
-) (ocspRes *ocsp.Response, ocspResBytes []byte, ocspS *ocspStatus, retErr error) {
-	doRequest := func(request *retryablehttp.Request) (*http.Response, error) {
-		if request != nil {
-			request = request.WithContext(ctx)
-			for k, v := range headers {
-				request.Header[k] = append(request.Header[k], v)
-			}
+		expected := "Nonce"
+		combined := ui.OutputWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
 		}
-		res, err := client.Do(request)
+
+		status, err := client.Sys().RekeyStatus()
 		if err != nil {
-			return nil, err
+			t.Fatal(err)
 		}
-		c.Logger().Debug("StatusCode from OCSP Server:", "statusCode", res.StatusCode)
-		return res, err
-	}
+		if !status.Started {
+			t.Errorf("expected status to be started: %#v", status)
+		}
+	})
 
-	for _, method := range []string{"GET", "POST"} {
-		reqUrl := *ocspHost
-		var body []byte
+	t.Run("init_pgp", func(t *testing.T) {
+		t.Parallel()
 
-		switch method {
-		case "GET":
-			reqUrl.Path = reqUrl.Path + "/" + base64.StdEncoding.EncodeToString(reqBody)
-		case "POST":
-			body = reqBody
-		default:
-			// Programming error; all request/systems errors are multierror
-			// and appended.
-			return nil, nil, nil, fmt.Errorf("unknown request method: %v", method)
-		}
+		pgpKey := "keybase:hashicorp"
+		pgpFingerprints := []string{"c874011f0ab405110d02105534365d9472d7468f"}
 
-		var res *http.Response
-		request, err := req(method, reqUrl.String(), bytes.NewBuffer(body))
-		if err != nil {
-			err = fmt.Errorf("error creating %v request: %w", method, err)
-			retErr = multierror.Append(retErr, err)
-			continue
-		}
-		if res, err = doRequest(request); err != nil {
-			err = fmt.Errorf("error doing %v request: %w", method, err)
-			retErr = multierror.Append(retErr, err)
-			continue
-		} else {
-			defer res.Body.Close()
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		ui, cmd := testOperatorRekeyCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"-init",
+			"-key-shares", "1",
+			"-key-threshold", "1",
+			"-pgp-keys", pgpKey,
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
 		}
 
-		if res.StatusCode != http.StatusOK {
-			err = fmt.Errorf("HTTP code is not OK on %v request. %v: %v", method, res.StatusCode, res.Status)
-			retErr = multierror.Append(retErr, err)
-			continue
+		expected := "Nonce"
+		combined := ui.OutputWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
 		}
 
-		ocspResBytes, err = io.ReadAll(res.Body)
+		status, err := client.Sys().RekeyStatus()
 		if err != nil {
-			err = fmt.Errorf("error reading %v request body: %w", method, err)
-			retErr = multierror.Append(retErr, err)
-			continue
+			t.Fatal(err)
+		}
+		if !status.Started {
+			t.Errorf("expected status to be started: %#v", status)
 		}
+		if !reflect.DeepEqual(status.PGPFingerprints, pgpFingerprints) {
+			t.Errorf("expected %#v to be %#v", status.PGPFingerprints, pgpFingerprints)
+		}
+	})
 
-		// Reading an OCSP response shouldn't be fatal. A misconfigured
-		// endpoint might return invalid results for e.g., GET but return
-		// valid results for POST on retry. This could happen if e.g., the
-		// server responds with JSON.
-		ocspRes, err = ocsp.ParseResponse(ocspResBytes /*issuer = */, nil /* !!unsafe!! */)
-		if err != nil {
-			err = fmt.Errorf("error parsing %v OCSP response: %w", method, err)
-			retErr = multierror.Append(retErr, err)
-			continue
-		}
-
-		// Above, we use the unsafe issuer=nil parameter to ocsp.ParseResponse
-		// because Go's library does the wrong thing.
-		//
-		// Here, we lack a full chain, but we know we trust the parent issuer,
-		// so if the Go library incorrectly discards useful certificates, we
-		// likely cannot verify this without passing through the full chain
-		// back to the root.
-		//
-		// Instead, take one of two paths: 1. if there is no certificate in
-		// the ocspRes, verify the OCSP response directly with our trusted
-		// issuer certificate, or 2. if there is a certificate, either verify
-		// it directly matches our trusted issuer certificate, or verify it
-		// is signed by our trusted issuer certificate.
-		//
-		// See also: https://github.com/golang/go/issues/59641
-		//
-		// This addresses the !!unsafe!! behavior above.
-		if ocspRes.Certificate == nil {
-			if err := ocspRes.CheckSignatureFrom(issuer); err != nil {
-				err = fmt.Errorf("error directly verifying signature on %v OCSP response: %w", method, err)
-				retErr = multierror.Append(retErr, err)
-				continue
-			}
-		} else {
-			// Because we have at least one certificate here, we know that
-			// Go's ocsp library verified the signature from this certificate
-			// onto the response and it was valid. Now we need to know we trust
-			// this certificate. There's two ways we can do this:
-			//
-			// 1. Via confirming issuer == ocspRes.Certificate, or
-			// 2. Via confirming ocspRes.Certificate.CheckSignatureFrom(issuer).
-			if !bytes.Equal(issuer.Raw, ocspRes.Raw) {
-				// 1 must not hold, so 2 holds; verify the signature.
-				if err := ocspRes.Certificate.CheckSignatureFrom(issuer); err != nil {
-					err = fmt.Errorf("error checking chain of trust on %v OCSP response via %v failed: %w", method, issuer.Subject.String(), err)
-					retErr = multierror.Append(retErr, err)
-					continue
-				}
+	t.Run("provide_arg_recovery_keys", func(t *testing.T) {
+		t.Parallel()
 
-				// Verify the OCSP responder certificate is still valid and
-				// contains the required EKU since it is a delegated OCSP
-				// responder certificate.
-				if ocspRes.Certificate.NotAfter.Before(time.Now()) {
-					err := fmt.Errorf("error checking delegated OCSP responder on %v OCSP response: certificate has expired", method)
-					retErr = multierror.Append(retErr, err)
-					continue
-				}
-				haveEKU := false
-				for _, ku := range ocspRes.Certificate.ExtKeyUsage {
-					if ku == x509.ExtKeyUsageOCSPSigning {
-						haveEKU = true
-						break
-					}
-				}
-				if !haveEKU {
-					err := fmt.Errorf("error checking delegated OCSP responder on %v OCSP response: certificate lacks the OCSP Signing EKU", method)
-					retErr = multierror.Append(retErr, err)
-					continue
-				}
+		client, keys, closer := testVaultServerAutoUnseal(t)
+		defer closer()
+
+		// Initialize a rekey
+		status, err := client.Sys().RekeyRecoveryKeyInit(&api.RekeyInitRequest{
+			SecretShares:    1,
+			SecretThreshold: 1,
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+		nonce := status.Nonce
+
+		// Supply the first n-1 recovery keys
+		for _, key := range keys[:len(keys)-1] {
+			ui, cmd := testOperatorRekeyCommand(t)
+			cmd.client = client
+
+			code := cmd.Run([]string{
+				"-nonce", nonce,
+				"-target", "recovery",
+				key,
+			})
+			if exp := 0; code != exp {
+				t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
 			}
 		}
 
-		// While we haven't validated the signature on the OCSP response, we
-		// got what we presume is a definitive answer and simply changing
-		// methods will likely not help us in that regard. Use this status
-		// to return without retrying another method, when it looks definitive.
-		//
-		// We don't accept ocsp.Unknown here: presumably, we could've hit a CDN
-		// with static mapping of request->responses, with a default "unknown"
-		// handler for everything else. By retrying here, we use POST, which
-		// could hit a live OCSP server with fresher data than the cached CDN.
-		if ocspRes.Status == ocsp.Good || ocspRes.Status == ocsp.Revoked {
-			break
-		}
-
-		// Here, we didn't have a valid response. Even though we didn't get an
-		// error, we should inform the user that this (valid-looking) response
-		// wasn't utilized.
-		err = fmt.Errorf("fetched %v OCSP response of status %v; wanted either good (%v) or revoked (%v)", method, ocspRes.Status, ocsp.Good, ocsp.Revoked)
-		retErr = multierror.Append(retErr, err)
-	}
+		ui, cmd := testOperatorRekeyCommand(t)
+		cmd.client = client
 
-	if ocspRes != nil && ocspResBytes != nil {
-		// Clear retErr, because we have one parseable-but-maybe-not-quite-correct
-		// OCSP response.
-		retErr = nil
-		ocspS = &ocspStatus{
-			code: ocspSuccess,
+		code := cmd.Run([]string{
+			"-nonce", nonce,
+			"-target", "recovery",
+			keys[len(keys)-1], // the last recovery key
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
 		}
-	}
 
-	return
-}
+		re := regexp.MustCompile(`Key 1: (.+)`)
+		output := ui.OutputWriter.String()
+		match := re.FindAllStringSubmatch(output, -1)
+		if len(match) < 1 || len(match[0]) < 2 {
+			t.Fatalf("bad match: %#v", match)
+		}
+		recoveryKey := match[0][1]
 
-// GetRevocationStatus checks the certificate revocation status for subject using issuer certificate.
-func (c *Client) GetRevocationStatus(ctx context.Context, subject, issuer *x509.Certificate, conf *VerifyConfig) (*ocspStatus, error) {
-	status, ocspReq, encodedCertID, err := c.validateWithCache(subject, issuer)
-	if err != nil {
-		return nil, err
-	}
-	if isValidOCSPStatus(status.code) {
-		return status, nil
-	}
-	if ocspReq == nil || encodedCertID == nil {
-		return status, nil
-	}
-	c.Logger().Debug("cache missed", "server", subject.OCSPServer)
-	if len(subject.OCSPServer) == 0 && len(conf.OcspServersOverride) == 0 {
-		return nil, fmt.Errorf("no OCSP responder URL: subject: %v", subject.Subject)
-	}
-	ocspHosts := subject.OCSPServer
-	if len(conf.OcspServersOverride) > 0 {
-		ocspHosts = conf.OcspServersOverride
-	}
+		if strings.Contains(strings.ToLower(output), "unseal key") {
+			t.Fatalf(`output %s shouldn't contain "unseal key"`, output)
+		}
 
-	var wg sync.WaitGroup
+		// verify that we can perform operations with the recovery key
+		// below we generate a root token using the recovery key
+		rootStatus, err := client.Sys().GenerateRootStatus()
+		if err != nil {
+			t.Fatal(err)
+		}
+		otp, err := roottoken.GenerateOTP(rootStatus.OTPLength)
+		if err != nil {
+			t.Fatal(err)
+		}
+		genRoot, err := client.Sys().GenerateRootInit(otp, "")
+		if err != nil {
+			t.Fatal(err)
+		}
+		r, err := client.Sys().GenerateRootUpdate(recoveryKey, genRoot.Nonce)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if !r.Complete {
+			t.Fatal("expected root update to be complete")
+		}
+	})
+	t.Run("provide_arg", func(t *testing.T) {
+		t.Parallel()
 
-	ocspStatuses := make([]*ocspStatus, len(ocspHosts))
-	ocspResponses := make([]*ocsp.Response, len(ocspHosts))
-	errors := make([]error, len(ocspHosts))
+		client, keys, closer := testVaultServerUnseal(t)
+		defer closer()
 
-	for i, ocspHost := range ocspHosts {
-		u, err := url.Parse(ocspHost)
+		// Initialize a rekey
+		status, err := client.Sys().RekeyInit(&api.RekeyInitRequest{
+			SecretShares:    1,
+			SecretThreshold: 1,
+		})
 		if err != nil {
-			return nil, err
+			t.Fatal(err)
 		}
+		nonce := status.Nonce
 
-		hostname := u.Hostname()
+		// Supply the first n-1 unseal keys
+		for _, key := range keys[:len(keys)-1] {
+			ui, cmd := testOperatorRekeyCommand(t)
+			cmd.client = client
 
-		headers := make(map[string]string)
-		headers[httpHeaderContentType] = ocspRequestContentType
-		headers[httpHeaderAccept] = ocspResponseContentType
-		headers[httpHeaderContentLength] = strconv.Itoa(len(ocspReq))
-		headers[httpHeaderHost] = hostname
-		timeout := defaultOCSPResponderTimeout
+			code := cmd.Run([]string{
+				"-nonce", nonce,
+				key,
+			})
+			if exp := 0; code != exp {
+				t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
+			}
+		}
 
-		ocspClient := retryablehttp.NewClient()
-		ocspClient.HTTPClient.Timeout = timeout
-		ocspClient.HTTPClient.Transport = newInsecureOcspTransport(conf.ExtraCas)
+		ui, cmd := testOperatorRekeyCommand(t)
+		cmd.client = client
 
-		doRequest := func() error {
-			if conf.QueryAllServers {
-				defer wg.Done()
-			}
-			ocspRes, _, ocspS, err := c.retryOCSP(
-				ctx, ocspClient, retryablehttp.NewRequest, u, headers, ocspReq, issuer)
-			ocspResponses[i] = ocspRes
-			if err != nil {
-				errors[i] = err
-				return err
-			}
-			if ocspS.code != ocspSuccess {
-				ocspStatuses[i] = ocspS
-				return nil
-			}
+		code := cmd.Run([]string{
+			"-nonce", nonce,
+			keys[len(keys)-1], // the last unseal key
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
+		}
 
-			ret, err := validateOCSP(ocspRes)
-			if err != nil {
-				errors[i] = err
-				return err
-			}
-			if isValidOCSPStatus(ret.code) {
-				ocspStatuses[i] = ret
-			}
-			return nil
-		}
-		if conf.QueryAllServers {
-			wg.Add(1)
-			go doRequest()
-		} else {
-			err = doRequest()
-			if err == nil {
-				break
-			}
+		re := regexp.MustCompile(`Key 1: (.+)`)
+		output := ui.OutputWriter.String()
+		match := re.FindAllStringSubmatch(output, -1)
+		if len(match) < 1 || len(match[0]) < 2 {
+			t.Fatalf("bad match: %#v", match)
 		}
-	}
-	if conf.QueryAllServers {
-		wg.Wait()
-	}
-	// Good by default
-	var ret *ocspStatus
-	ocspRes := ocspResponses[0]
-	var firstError error
-	for i := range ocspHosts {
-		if errors[i] != nil {
-			if firstError == nil {
-				firstError = errors[i]
-			}
-		} else if ocspStatuses[i] != nil {
-			switch ocspStatuses[i].code {
-			case ocspStatusRevoked:
-				ret = ocspStatuses[i]
-				ocspRes = ocspResponses[i]
-				break
-			case ocspStatusGood:
-				// Use this response only if we don't have a status already, or if what we have was unknown
-				if ret == nil || ret.code == ocspStatusUnknown {
-					ret = ocspStatuses[i]
-					ocspRes = ocspResponses[i]
-				}
-			case ocspStatusUnknown:
-				if ret == nil {
-					// We may want to use this as the overall result
-					ret = ocspStatuses[i]
-					ocspRes = ocspResponses[i]
-				}
-			}
+
+		// Grab the unseal key and try to unseal
+		unsealKey := match[0][1]
+		if err := client.Sys().Seal(); err != nil {
+			t.Fatal(err)
 		}
-	}
+		sealStatus, err := client.Sys().Unseal(unsealKey)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if sealStatus.Sealed {
+			t.Errorf("expected vault to be unsealed: %#v", sealStatus)
+		}
+	})
 
-	// If no server reported the cert revoked, but we did have an error, report it
-	if (ret == nil || ret.code == ocspStatusUnknown) && firstError != nil {
-		return nil, firstError
-	}
-	// otherwise ret should contain a response for the overall request
+	t.Run("provide_stdin", func(t *testing.T) {
+		t.Parallel()
 
-	if !isValidOCSPStatus(ret.code) {
-		return ret, nil
-	}
-	v := ocspCachedResponse{
-		status:     ret.code,
-		time:       float64(time.Now().UTC().Unix()),
-		producedAt: float64(ocspRes.ProducedAt.UTC().Unix()),
-		thisUpdate: float64(ocspRes.ThisUpdate.UTC().Unix()),
-		nextUpdate: float64(ocspRes.NextUpdate.UTC().Unix()),
-	}
+		client, keys, closer := testVaultServerUnseal(t)
+		defer closer()
 
-	c.ocspResponseCacheLock.Lock()
-	c.ocspResponseCache.Add(*encodedCertID, &v)
-	c.cacheUpdated = true
-	c.ocspResponseCacheLock.Unlock()
-	return ret, nil
-}
+		// Initialize a rekey
+		status, err := client.Sys().RekeyInit(&api.RekeyInitRequest{
+			SecretShares:    1,
+			SecretThreshold: 1,
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+		nonce := status.Nonce
+
+		// Supply the first n-1 unseal keys
+		for _, key := range keys[:len(keys)-1] {
+			stdinR, stdinW := io.Pipe()
+			go func() {
+				stdinW.Write([]byte(key))
+				stdinW.Close()
+			}()
+
+			ui, cmd := testOperatorRekeyCommand(t)
+			cmd.client = client
+			cmd.testStdin = stdinR
+
+			code := cmd.Run([]string{
+				"-nonce", nonce,
+				"-",
+			})
+			if exp := 0; code != exp {
+				t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
+			}
+		}
 
-func isValidOCSPStatus(status ocspStatusCode) bool {
-	return status == ocspStatusGood || status == ocspStatusRevoked || status == ocspStatusUnknown
-}
+		stdinR, stdinW := io.Pipe()
+		go func() {
+			stdinW.Write([]byte(keys[len(keys)-1])) // the last unseal key
+			stdinW.Close()
+		}()
 
-type VerifyConfig struct {
-	OcspEnabled         bool
-	ExtraCas            []*x509.Certificate
-	OcspServersOverride []string
-	OcspFailureMode     FailOpenMode
-	QueryAllServers     bool
-}
+		ui, cmd := testOperatorRekeyCommand(t)
+		cmd.client = client
+		cmd.testStdin = stdinR
 
-// VerifyLeafCertificate verifies just the subject against it's direct issuer
-func (c *Client) VerifyLeafCertificate(ctx context.Context, subject, issuer *x509.Certificate, conf *VerifyConfig) error {
-	results, err := c.GetRevocationStatus(ctx, subject, issuer, conf)
-	if err != nil {
-		return err
-	}
-	if results.code == ocspStatusGood {
-		return nil
-	} else {
-		serial := issuer.SerialNumber
-		serialHex := strings.TrimSpace(certutil.GetHexFormatted(serial.Bytes(), ":"))
-		if results.code == ocspStatusRevoked {
-			return fmt.Errorf("certificate with serial number %s has been revoked", serialHex)
-		} else if conf.OcspFailureMode == FailOpenFalse {
-			return fmt.Errorf("unknown OCSP status for cert with serial number %s", strings.TrimSpace(certutil.GetHexFormatted(serial.Bytes(), ":")))
-		} else {
-			c.Logger().Warn("could not validate OCSP status for cert, but continuing in fail open mode", "serial", serialHex)
+		code := cmd.Run([]string{
+			"-nonce", nonce,
+			"-",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
 		}
-	}
-	return nil
-}
 
-// VerifyPeerCertificate verifies all of certificate revocation status
-func (c *Client) VerifyPeerCertificate(ctx context.Context, verifiedChains [][]*x509.Certificate, conf *VerifyConfig) error {
-	for i := 0; i < len(verifiedChains); i++ {
-		// Certificate signed by Root CA. This should be one before the last in the Certificate Chain
-		numberOfNoneRootCerts := len(verifiedChains[i]) - 1
-		if !verifiedChains[i][numberOfNoneRootCerts].IsCA || string(verifiedChains[i][numberOfNoneRootCerts].RawIssuer) != string(verifiedChains[i][numberOfNoneRootCerts].RawSubject) {
-			// Check if the last Non Root Cert is also a CA or is self signed.
-			// if the last certificate is not, add it to the list
-			rca := c.caRoot[string(verifiedChains[i][numberOfNoneRootCerts].RawIssuer)]
-			if rca == nil {
-				return fmt.Errorf("failed to find root CA. pkix.name: %v", verifiedChains[i][numberOfNoneRootCerts].Issuer)
-			}
-			verifiedChains[i] = append(verifiedChains[i], rca)
-			numberOfNoneRootCerts++
+		re := regexp.MustCompile(`Key 1: (.+)`)
+		output := ui.OutputWriter.String()
+		match := re.FindAllStringSubmatch(output, -1)
+		if len(match) < 1 || len(match[0]) < 2 {
+			t.Fatalf("bad match: %#v", match)
 		}
-		results, err := c.GetAllRevocationStatus(ctx, verifiedChains[i], conf)
+
+		// Grab the unseal key and try to unseal
+		unsealKey := match[0][1]
+		if err := client.Sys().Seal(); err != nil {
+			t.Fatal(err)
+		}
+		sealStatus, err := client.Sys().Unseal(unsealKey)
 		if err != nil {
-			return err
+			t.Fatal(err)
 		}
-		if r := c.canEarlyExitForOCSP(results, numberOfNoneRootCerts, conf); r != nil {
-			return r.err
+		if sealStatus.Sealed {
+			t.Errorf("expected vault to be unsealed: %#v", sealStatus)
 		}
-	}
+	})
 
-	return nil
-}
+	t.Run("provide_stdin_recovery_keys", func(t *testing.T) {
+		t.Parallel()
 
-func (c *Client) canEarlyExitForOCSP(results []*ocspStatus, chainSize int, conf *VerifyConfig) *ocspStatus {
-	msg := ""
-	if conf.OcspFailureMode == FailOpenFalse {
-		// Fail closed. any error is returned to stop connection
-		for _, r := range results {
-			if r.err != nil {
-				return r
+		client, keys, closer := testVaultServerAutoUnseal(t)
+		defer closer()
+
+		// Initialize a rekey
+		status, err := client.Sys().RekeyRecoveryKeyInit(&api.RekeyInitRequest{
+			SecretShares:    1,
+			SecretThreshold: 1,
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+		nonce := status.Nonce
+		for _, key := range keys[:len(keys)-1] {
+			stdinR, stdinW := io.Pipe()
+			go func() {
+				_, _ = stdinW.Write([]byte(key))
+				_ = stdinW.Close()
+			}()
+
+			ui, cmd := testOperatorRekeyCommand(t)
+			cmd.client = client
+			cmd.testStdin = stdinR
+
+			code := cmd.Run([]string{
+				"-target", "recovery",
+				"-nonce", nonce,
+				"-",
+			})
+			if exp := 0; code != exp {
+				t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
 			}
 		}
-	} else {
-		// Fail open and all results are valid.
-		allValid := len(results) == chainSize
-		for _, r := range results {
-			if !isValidOCSPStatus(r.code) {
-				allValid = false
-				break
-			}
+
+		stdinR, stdinW := io.Pipe()
+		go func() {
+			_, _ = stdinW.Write([]byte(keys[len(keys)-1])) // the last recovery key
+			_ = stdinW.Close()
+		}()
+
+		ui, cmd := testOperatorRekeyCommand(t)
+		cmd.client = client
+		cmd.testStdin = stdinR
+
+		code := cmd.Run([]string{
+			"-nonce", nonce,
+			"-target", "recovery",
+			"-",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
 		}
-		for _, r := range results {
-			if allValid && r.code == ocspStatusRevoked {
-				return r
-			}
-			if r != nil && r.code != ocspStatusGood && r.err != nil {
-				msg += "" + r.err.Error()
-			}
+
+		re := regexp.MustCompile(`Key 1: (.+)`)
+		output := ui.OutputWriter.String()
+		match := re.FindAllStringSubmatch(output, -1)
+		if len(match) < 1 || len(match[0]) < 2 {
+			t.Fatalf("bad match: %#v", match)
 		}
-	}
-	if len(msg) > 0 {
-		c.Logger().Warn(
-			"OCSP is set to fail-open, and could not retrieve OCSP based revocation checking but proceeding.", "detail", msg)
-	}
-	return nil
-}
+		recoveryKey := match[0][1]
 
-func (c *Client) validateWithCacheForAllCertificates(verifiedChains []*x509.Certificate) (bool, error) {
-	n := len(verifiedChains) - 1
-	for j := 0; j < n; j++ {
-		subject := verifiedChains[j]
-		issuer := verifiedChains[j+1]
-		status, _, _, err := c.validateWithCache(subject, issuer)
+		if strings.Contains(strings.ToLower(output), "unseal key") {
+			t.Fatalf(`output %s shouldn't contain "unseal key"`, output)
+		}
+		// verify that we can perform operations with the recovery key
+		// below we generate a root token using the recovery key
+		rootStatus, err := client.Sys().GenerateRootStatus()
 		if err != nil {
-			return false, err
+			t.Fatal(err)
 		}
-		if !isValidOCSPStatus(status.code) {
-			return false, nil
+		otp, err := roottoken.GenerateOTP(rootStatus.OTPLength)
+		if err != nil {
+			t.Fatal(err)
 		}
-	}
-	return true, nil
-}
-
-func (c *Client) validateWithCache(subject, issuer *x509.Certificate) (*ocspStatus, []byte, *certIDKey, error) {
-	ocspReq, err := ocsp.CreateRequest(subject, issuer, &ocsp.RequestOptions{})
-	if err != nil {
-		return nil, nil, nil, fmt.Errorf("failed to create OCSP request from the certificates: %v", err)
-	}
-	encodedCertID, ocspS := extractCertIDKeyFromRequest(ocspReq)
-	if ocspS.code != ocspSuccess {
-		return nil, nil, nil, fmt.Errorf("failed to extract CertID from OCSP Request: %v", err)
-	}
-	status, err := c.checkOCSPResponseCache(encodedCertID, subject, issuer)
-	if err != nil {
-		return nil, nil, nil, err
-	}
-	return status, ocspReq, encodedCertID, nil
-}
-
-func (c *Client) GetAllRevocationStatus(ctx context.Context, verifiedChains []*x509.Certificate, conf *VerifyConfig) ([]*ocspStatus, error) {
-	_, err := c.validateWithCacheForAllCertificates(verifiedChains)
-	if err != nil {
-		return nil, err
-	}
-	n := len(verifiedChains) - 1
-	results := make([]*ocspStatus, n)
-	for j := 0; j < n; j++ {
-		results[j], err = c.GetRevocationStatus(ctx, verifiedChains[j], verifiedChains[j+1], conf)
+		genRoot, err := client.Sys().GenerateRootInit(otp, "")
 		if err != nil {
-			return nil, err
+			t.Fatal(err)
 		}
-		if !isValidOCSPStatus(results[j].code) {
-			return results, nil
+		r, err := client.Sys().GenerateRootUpdate(recoveryKey, genRoot.Nonce)
+		if err != nil {
+			t.Fatal(err)
 		}
-	}
-	return results, nil
-}
-
-// verifyPeerCertificateSerial verifies the certificate revocation status in serial.
-func (c *Client) verifyPeerCertificateSerial(conf *VerifyConfig) func(_ [][]byte, verifiedChains [][]*x509.Certificate) (err error) {
-	return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
-		return c.VerifyPeerCertificate(context.TODO(), verifiedChains, conf)
-	}
-}
+		if !r.Complete {
+			t.Fatal("expected root update to be complete")
+		}
+	})
+	t.Run("backup", func(t *testing.T) {
+		t.Parallel()
 
-func (c *Client) extractOCSPCacheResponseValueWithoutSubject(cacheValue ocspCachedResponse) (*ocspStatus, error) {
-	return c.extractOCSPCacheResponseValue(&cacheValue, nil, nil)
-}
+		pgpKey := "keybase:hashicorp"
+		// pgpFingerprints := []string{"c874011f0ab405110d02105534365d9472d7468f"}
 
-func (c *Client) extractOCSPCacheResponseValue(cacheValue *ocspCachedResponse, subject, issuer *x509.Certificate) (*ocspStatus, error) {
-	subjectName := "Unknown"
-	if subject != nil {
-		subjectName = subject.Subject.CommonName
-	}
+		client, keys, closer := testVaultServerUnseal(t)
+		defer closer()
 
-	curTime := time.Now()
-	if cacheValue == nil {
-		return &ocspStatus{
-			code: ocspMissedCache,
-			err:  fmt.Errorf("miss cache data. subject: %v", subjectName),
-		}, nil
-	}
-	currentTime := float64(curTime.UTC().Unix())
-	if currentTime-cacheValue.time >= cacheExpire {
-		return &ocspStatus{
-			code: ocspCacheExpired,
-			err: fmt.Errorf("cache expired. current: %v, cache: %v",
-				time.Unix(int64(currentTime), 0).UTC(), time.Unix(int64(cacheValue.time), 0).UTC()),
-		}, nil
-	}
+		ui, cmd := testOperatorRekeyCommand(t)
+		cmd.client = client
 
-	return validateOCSP(&ocsp.Response{
-		ProducedAt: time.Unix(int64(cacheValue.producedAt), 0).UTC(),
-		ThisUpdate: time.Unix(int64(cacheValue.thisUpdate), 0).UTC(),
-		NextUpdate: time.Unix(int64(cacheValue.nextUpdate), 0).UTC(),
-		Status:     int(cacheValue.status),
-	})
-}
+		code := cmd.Run([]string{
+			"-init",
+			"-key-shares", "1",
+			"-key-threshold", "1",
+			"-pgp-keys", pgpKey,
+			"-backup",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
+		}
 
-/*
-// writeOCSPCache writes a OCSP Response cache
-func (c *Client) writeOCSPCache(ctx context.Context, storage logical.Storage) error {
-	c.Logger().Debug("writing OCSP Response cache")
-	t := time.Now()
-	m := make(map[string][]interface{})
-	keys := c.ocspResponseCache.Keys()
-	if len(keys) > persistedCacheSize {
-		keys = keys[:persistedCacheSize]
-	}
-	for _, k := range keys {
-		e, ok := c.ocspResponseCache.Get(k)
-		if ok {
-			entry := e.(*ocspCachedResponse)
-			// Don't store if expired
-			if isInValidityRange(t, time.Unix(int64(entry.thisUpdate), 0), time.Unix(int64(entry.nextUpdate), 0)) {
-				key := k.(certIDKey)
-				cacheKeyInBase64, err := decodeCertIDKey(&key)
-				if err != nil {
-					return err
-				}
-				m[cacheKeyInBase64] = []interface{}{entry.status, entry.time, entry.producedAt, entry.thisUpdate, entry.nextUpdate}
+		// Get the status for the nonce
+		status, err := client.Sys().RekeyStatus()
+		if err != nil {
+			t.Fatal(err)
+		}
+		nonce := status.Nonce
+
+		var combined string
+		// Supply the unseal keys
+		for _, key := range keys {
+			ui, cmd := testOperatorRekeyCommand(t)
+			cmd.client = client
+
+			code := cmd.Run([]string{
+				"-nonce", nonce,
+				key,
+			})
+			if exp := 0; code != exp {
+				t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
 			}
+
+			// Append to our output string
+			combined += ui.OutputWriter.String()
 		}
-	}
 
-	v, err := jsonutil.EncodeJSONAndCompress(m, nil)
-	if err != nil {
-		return err
-	}
-	entry := logical.StorageEntry{
-		Key:   ocspCacheKey,
-		Value: v,
-	}
-	return storage.Put(ctx, &entry)
-}
+		re := regexp.MustCompile(`Key 1 fingerprint: (.+); value: (.+)`)
+		match := re.FindAllStringSubmatch(combined, -1)
+		if len(match) < 1 || len(match[0]) < 3 {
+			t.Fatalf("bad match: %#v", match)
+		}
 
-// readOCSPCache reads a OCSP Response cache from storage
-func (c *Client) readOCSPCache(ctx context.Context, storage logical.Storage) error {
-	c.Logger().Debug("reading OCSP Response cache")
+		// Grab the output fingerprint and encrypted key
+		fingerprint, encryptedKey := match[0][1], match[0][2]
 
-	entry, err := storage.Get(ctx, ocspCacheKey)
-	if err != nil {
-		return err
-	}
-	if entry == nil {
-		return nil
-	}
-	var untypedCache map[string][]interface{}
+		// Get the backup
+		ui, cmd = testOperatorRekeyCommand(t)
+		cmd.client = client
 
-	err = jsonutil.DecodeJSON(entry.Value, &untypedCache)
-	if err != nil {
-		return errors.New("failed to unmarshal OCSP cache")
-	}
+		code = cmd.Run([]string{
+			"-backup-retrieve",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
+		}
 
-	for k, v := range untypedCache {
-		key, err := c.encodeCertIDKey(k)
-		if err != nil {
-			return err
-		}
-		var times [4]float64
-		for i, t := range v[1:] {
-			if jn, ok := t.(json.Number); ok {
-				times[i], err = jn.Float64()
-				if err != nil {
-					return err
-				}
-			} else {
-				times[i] = t.(float64)
-			}
+		output := ui.OutputWriter.String()
+		if !strings.Contains(output, fingerprint) {
+			t.Errorf("expected %q to contain %q", output, fingerprint)
 		}
-		var status int
-		if jn, ok := v[0].(json.Number); ok {
-			s, err := jn.Int64()
-			if err != nil {
-				return err
-			}
-			status = int(s)
-		} else {
-			status = v[0].(int)
+		if !strings.Contains(output, encryptedKey) {
+			t.Errorf("expected %q to contain %q", output, encryptedKey)
 		}
 
-		c.ocspResponseCache.Add(*key, &ocspCachedResponse{
-			status:     ocspStatusCode(status),
-			time:       times[0],
-			producedAt: times[1],
-			thisUpdate: times[2],
-			nextUpdate: times[3],
-		})
-	}
+		// Delete the backup
+		ui, cmd = testOperatorRekeyCommand(t)
+		cmd.client = client
 
-	return nil
-}
-*/
+		code = cmd.Run([]string{
+			"-backup-delete",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
+		}
 
-func New(logFactory func() hclog.Logger, cacheSize int) *Client {
-	if cacheSize < 100 {
-		cacheSize = 100
-	}
-	cache, _ := lru.New2Q(cacheSize)
-	c := Client{
-		caRoot:            make(map[string]*x509.Certificate),
-		ocspResponseCache: cache,
-		logFactory:        logFactory,
-	}
+		secret, err := client.Sys().RekeyRetrieveBackup()
+		if err == nil {
+			t.Errorf("expected error: %#v", secret)
+		}
+	})
 
-	return &c
-}
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
 
-func (c *Client) Logger() hclog.Logger {
-	return c.logFactory()
-}
+		client, closer := testVaultServerBad(t)
+		defer closer()
 
-// insecureOcspTransport is the transport object that doesn't do certificate revocation check.
-func newInsecureOcspTransport(extraCas []*x509.Certificate) *http.Transport {
-	// Get the SystemCertPool, continue with an empty pool on error
-	rootCAs, _ := x509.SystemCertPool()
-	if rootCAs == nil {
-		rootCAs = x509.NewCertPool()
-	}
-	for _, c := range extraCas {
-		rootCAs.AddCert(c)
-	}
-	config := &tls.Config{
-		RootCAs: rootCAs,
-	}
-	return &http.Transport{
-		MaxIdleConns:    10,
-		IdleConnTimeout: 30 * time.Minute,
-		Proxy:           http.ProxyFromEnvironment,
-		DialContext: (&net.Dialer{
-			Timeout:   30 * time.Second,
-			KeepAlive: 30 * time.Second,
-		}).DialContext,
-		TLSClientConfig: config,
-	}
-}
+		ui, cmd := testOperatorRekeyCommand(t)
+		cmd.client = client
 
-// NewTransport includes the certificate revocation check with OCSP in sequential.
-func (c *Client) NewTransport(conf *VerifyConfig) *http.Transport {
-	rootCAs := c.certPool
-	if rootCAs == nil {
-		rootCAs, _ = x509.SystemCertPool()
-	}
-	if rootCAs == nil {
-		rootCAs = x509.NewCertPool()
-	}
-	for _, c := range conf.ExtraCas {
-		rootCAs.AddCert(c)
-	}
-	return &http.Transport{
-		TLSClientConfig: &tls.Config{
-			RootCAs:               rootCAs,
-			VerifyPeerCertificate: c.verifyPeerCertificateSerial(conf),
-		},
-		MaxIdleConns:    10,
-		IdleConnTimeout: 30 * time.Minute,
-		Proxy:           http.ProxyFromEnvironment,
-		DialContext: (&net.Dialer{
-			Timeout:   30 * time.Second,
-			KeepAlive: 30 * time.Second,
-		}).DialContext,
-	}
-}
+		code := cmd.Run([]string{
+			"secret/foo",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
 
-/*
-func (c *Client) WriteCache(ctx context.Context, storage logical.Storage) error {
-	c.ocspResponseCacheLock.Lock()
-	defer c.ocspResponseCacheLock.Unlock()
-	if c.cacheUpdated {
-		err := c.writeOCSPCache(ctx, storage)
-		if err == nil {
-			c.cacheUpdated = false
+		expected := "Error getting rekey status: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
 		}
-		return err
-	}
-	return nil
-}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
 
-func (c *Client) ReadCache(ctx context.Context, storage logical.Storage) error {
-	c.ocspResponseCacheLock.Lock()
-	defer c.ocspResponseCacheLock.Unlock()
-	return c.readOCSPCache(ctx, storage)
+		_, cmd := testOperatorRekeyCommand(t)
+		assertNoTabs(t, cmd)
+	})
 }
-*/
-/*
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "{}"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright (c) 2017-2022 Snowflake Computing Inc. All rights reserved.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-*/
diff --git a/sdk/helper/ocsp/ocsp_test.go b/sdk/helper/ocsp/ocsp_test.go
index 2f3f1976d2a8..f390972f2045 100644
--- a/sdk/helper/ocsp/ocsp_test.go
+++ b/sdk/helper/ocsp/ocsp_test.go
@@ -1,530 +1,89 @@
-// Copyright (c) 2017-2022 Snowflake Computing Inc. All rights reserved.
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
 
-package ocsp
+package command
 
 import (
-	"bytes"
-	"context"
-	"crypto"
-	"crypto/tls"
-	"crypto/x509"
-	"errors"
 	"fmt"
-	"io"
-	"io/ioutil"
-	"net"
-	"net/http"
-	"net/url"
-	"testing"
-	"time"
+	"strings"
 
-	"github.com/hashicorp/go-hclog"
-	"github.com/hashicorp/go-retryablehttp"
-	lru "github.com/hashicorp/golang-lru"
-	"golang.org/x/crypto/ocsp"
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
 )
 
-func TestOCSP(t *testing.T) {
-	targetURL := []string{
-		"https://sfcdev1.blob.core.windows.net/",
-		"https://sfctest0.snowflakecomputing.com/",
-		"https://s3-us-west-2.amazonaws.com/sfc-snowsql-updates/?prefix=1.1/windows_x86_64",
-	}
-
-	conf := VerifyConfig{
-		OcspFailureMode: FailOpenFalse,
-	}
-	c := New(testLogFactory, 10)
-	transports := []*http.Transport{
-		newInsecureOcspTransport(nil),
-		c.NewTransport(&conf),
-	}
-
-	for _, tgt := range targetURL {
-		c.ocspResponseCache, _ = lru.New2Q(10)
-		for _, tr := range transports {
-			c := &http.Client{
-				Transport: tr,
-				Timeout:   30 * time.Second,
-			}
-			req, err := http.NewRequest("GET", tgt, bytes.NewReader(nil))
-			if err != nil {
-				t.Fatalf("fail to create a request. err: %v", err)
-			}
-			res, err := c.Do(req)
-			if err != nil {
-				t.Fatalf("failed to GET contents. err: %v", err)
-			}
-			defer res.Body.Close()
-			_, err = ioutil.ReadAll(res.Body)
-			if err != nil {
-				t.Fatalf("failed to read content body for %v", tgt)
-			}
+var (
+	_ cli.Command             = (*OperatorSealCommand)(nil)
+	_ cli.CommandAutocomplete = (*OperatorSealCommand)(nil)
+)
 
-		}
-	}
+type OperatorSealCommand struct {
+	*BaseCommand
 }
 
-/**
-// Used for development, requires an active Vault with PKI setup
-func TestMultiOCSP(t *testing.T) {
-
-	targetURL := []string{
-		"https://localhost:8200/v1/pki/ocsp",
-		"https://localhost:8200/v1/pki/ocsp",
-		"https://localhost:8200/v1/pki/ocsp",
-	}
-
-	b, _ := pem.Decode([]byte(vaultCert))
-	caCert, _ := x509.ParseCertificate(b.Bytes)
-	conf := VerifyConfig{
-		OcspFailureMode:     FailOpenFalse,
-		QueryAllServers:     true,
-		OcspServersOverride: targetURL,
-		ExtraCas:            []*x509.Certificate{caCert},
-	}
-	c := New(testLogFactory, 10)
-	transports := []*http.Transport{
-		newInsecureOcspTransport(conf.ExtraCas),
-		c.NewTransport(&conf),
-	}
-
-	tgt := "https://localhost:8200/v1/pki/ca/pem"
-	c.ocspResponseCache, _ = lru.New2Q(10)
-	for _, tr := range transports {
-		c := &http.Client{
-			Transport: tr,
-			Timeout:   30 * time.Second,
-		}
-		req, err := http.NewRequest("GET", tgt, bytes.NewReader(nil))
-		if err != nil {
-			t.Fatalf("fail to create a request. err: %v", err)
-		}
-		res, err := c.Do(req)
-		if err != nil {
-			t.Fatalf("failed to GET contents. err: %v", err)
-		}
-		defer res.Body.Close()
-		_, err = ioutil.ReadAll(res.Body)
-		if err != nil {
-			t.Fatalf("failed to read content body for %v", tgt)
-		}
-	}
+func (c *OperatorSealCommand) Synopsis() string {
+	return "Seals the Vault server"
 }
-*/
 
-func TestUnitEncodeCertIDGood(t *testing.T) {
-	targetURLs := []string{
-		"faketestaccount.snowflakecomputing.com:443",
-		"s3-us-west-2.amazonaws.com:443",
-		"sfcdev1.blob.core.windows.net:443",
-	}
-	for _, tt := range targetURLs {
-		chainedCerts := getCert(tt)
-		for i := 0; i < len(chainedCerts)-1; i++ {
-			subject := chainedCerts[i]
-			issuer := chainedCerts[i+1]
-			ocspServers := subject.OCSPServer
-			if len(ocspServers) == 0 {
-				t.Fatalf("no OCSP server is found. cert: %v", subject.Subject)
-			}
-			ocspReq, err := ocsp.CreateRequest(subject, issuer, &ocsp.RequestOptions{})
-			if err != nil {
-				t.Fatalf("failed to create OCSP request. err: %v", err)
-			}
-			var ost *ocspStatus
-			_, ost = extractCertIDKeyFromRequest(ocspReq)
-			if ost.err != nil {
-				t.Fatalf("failed to extract cert ID from the OCSP request. err: %v", ost.err)
-			}
-			// better hash. Not sure if the actual OCSP server accepts this, though.
-			ocspReq, err = ocsp.CreateRequest(subject, issuer, &ocsp.RequestOptions{Hash: crypto.SHA512})
-			if err != nil {
-				t.Fatalf("failed to create OCSP request. err: %v", err)
-			}
-			_, ost = extractCertIDKeyFromRequest(ocspReq)
-			if ost.err != nil {
-				t.Fatalf("failed to extract cert ID from the OCSP request. err: %v", ost.err)
-			}
-			// tweaked request binary
-			ocspReq, err = ocsp.CreateRequest(subject, issuer, &ocsp.RequestOptions{Hash: crypto.SHA512})
-			if err != nil {
-				t.Fatalf("failed to create OCSP request. err: %v", err)
-			}
-			ocspReq[10] = 0 // random change
-			_, ost = extractCertIDKeyFromRequest(ocspReq)
-			if ost.err == nil {
-				t.Fatal("should have failed")
-			}
-		}
-	}
-}
+func (c *OperatorSealCommand) Help() string {
+	helpText := `
+Usage: vault operator seal [options]
 
-func TestUnitCheckOCSPResponseCache(t *testing.T) {
-	c := New(testLogFactory, 10)
-	dummyKey0 := certIDKey{
-		NameHash:      "dummy0",
-		IssuerKeyHash: "dummy0",
-		SerialNumber:  "dummy0",
-	}
-	dummyKey := certIDKey{
-		NameHash:      "dummy1",
-		IssuerKeyHash: "dummy1",
-		SerialNumber:  "dummy1",
-	}
-	currentTime := float64(time.Now().UTC().Unix())
-	c.ocspResponseCache.Add(dummyKey0, &ocspCachedResponse{time: currentTime})
-	subject := &x509.Certificate{}
-	issuer := &x509.Certificate{}
-	ost, err := c.checkOCSPResponseCache(&dummyKey, subject, issuer)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if ost.code != ocspMissedCache {
-		t.Fatalf("should have failed. expected: %v, got: %v", ocspMissedCache, ost.code)
-	}
-	// old timestamp
-	c.ocspResponseCache.Add(dummyKey, &ocspCachedResponse{time: float64(1395054952)})
-	ost, err = c.checkOCSPResponseCache(&dummyKey, subject, issuer)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if ost.code != ocspCacheExpired {
-		t.Fatalf("should have failed. expected: %v, got: %v", ocspCacheExpired, ost.code)
-	}
+  Seals the Vault server. Sealing tells the Vault server to stop responding
+  to any operations until it is unsealed. When sealed, the Vault server
+  discards its in-memory root key to unlock the data, so it is physically
+  blocked from responding to operations unsealed.
 
-	// invalid validity
-	c.ocspResponseCache.Add(dummyKey, &ocspCachedResponse{time: float64(currentTime - 1000)})
-	ost, err = c.checkOCSPResponseCache(&dummyKey, subject, nil)
-	if err == nil && isValidOCSPStatus(ost.code) {
-		t.Fatalf("should have failed.")
-	}
-}
+  If an unseal is in progress, sealing the Vault will reset the unsealing
+  process. Users will have to re-enter their portions of the root key again.
 
-func TestUnitValidateOCSP(t *testing.T) {
-	ocspRes := &ocsp.Response{}
-	ost, err := validateOCSP(ocspRes)
-	if err == nil && isValidOCSPStatus(ost.code) {
-		t.Fatalf("should have failed.")
-	}
+  This command does nothing if the Vault server is already sealed.
 
-	currentTime := time.Now()
-	ocspRes.ThisUpdate = currentTime.Add(-2 * time.Hour)
-	ocspRes.NextUpdate = currentTime.Add(2 * time.Hour)
-	ocspRes.Status = ocsp.Revoked
-	ost, err = validateOCSP(ocspRes)
-	if err != nil {
-		t.Fatal(err)
-	}
+  Seal the Vault server:
 
-	if ost.code != ocspStatusRevoked {
-		t.Fatalf("should have failed. expected: %v, got: %v", ocspStatusRevoked, ost.code)
-	}
-	ocspRes.Status = ocsp.Good
-	ost, err = validateOCSP(ocspRes)
-	if err != nil {
-		t.Fatal(err)
-	}
+      $ vault operator seal
 
-	if ost.code != ocspStatusGood {
-		t.Fatalf("should have success. expected: %v, got: %v", ocspStatusGood, ost.code)
-	}
-	ocspRes.Status = ocsp.Unknown
-	ost, err = validateOCSP(ocspRes)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if ost.code != ocspStatusUnknown {
-		t.Fatalf("should have failed. expected: %v, got: %v", ocspStatusUnknown, ost.code)
-	}
-	ocspRes.Status = ocsp.ServerFailed
-	ost, err = validateOCSP(ocspRes)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if ost.code != ocspStatusOthers {
-		t.Fatalf("should have failed. expected: %v, got: %v", ocspStatusOthers, ost.code)
-	}
-}
-
-func TestUnitEncodeCertID(t *testing.T) {
-	var st *ocspStatus
-	_, st = extractCertIDKeyFromRequest([]byte{0x1, 0x2})
-	if st.code != ocspFailedDecomposeRequest {
-		t.Fatalf("failed to get OCSP status. expected: %v, got: %v", ocspFailedDecomposeRequest, st.code)
-	}
-}
-
-func getCert(addr string) []*x509.Certificate {
-	tcpConn, err := net.DialTimeout("tcp", addr, 40*time.Second)
-	if err != nil {
-		panic(err)
-	}
-	defer tcpConn.Close()
-
-	err = tcpConn.SetDeadline(time.Now().Add(10 * time.Second))
-	if err != nil {
-		panic(err)
-	}
-	config := tls.Config{InsecureSkipVerify: true, ServerName: addr}
+` + c.Flags().Help()
 
-	conn := tls.Client(tcpConn, &config)
-	defer conn.Close()
-
-	err = conn.Handshake()
-	if err != nil {
-		panic(err)
-	}
-
-	state := conn.ConnectionState()
-
-	return state.PeerCertificates
+	return strings.TrimSpace(helpText)
 }
 
-func TestOCSPRetry(t *testing.T) {
-	c := New(testLogFactory, 10)
-	certs := getCert("s3-us-west-2.amazonaws.com:443")
-	dummyOCSPHost := &url.URL{
-		Scheme: "https",
-		Host:   "dummyOCSPHost",
-	}
-	client := &fakeHTTPClient{
-		cnt:     3,
-		success: true,
-		body:    []byte{1, 2, 3},
-		logger:  hclog.New(hclog.DefaultOptions),
-		t:       t,
-	}
-	res, b, st, err := c.retryOCSP(
-		context.TODO(),
-		client, fakeRequestFunc,
-		dummyOCSPHost,
-		make(map[string]string), []byte{0}, certs[len(certs)-1])
-	if err == nil {
-		fmt.Printf("should fail: %v, %v, %v\n", res, b, st)
-	}
-	client = &fakeHTTPClient{
-		cnt:     30,
-		success: true,
-		body:    []byte{1, 2, 3},
-		logger:  hclog.New(hclog.DefaultOptions),
-		t:       t,
-	}
-	res, b, st, err = c.retryOCSP(
-		context.TODO(),
-		client, fakeRequestFunc,
-		dummyOCSPHost,
-		make(map[string]string), []byte{0}, certs[len(certs)-1])
-	if err == nil {
-		fmt.Printf("should fail: %v, %v, %v\n", res, b, st)
-	}
+func (c *OperatorSealCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP)
 }
 
-type tcCanEarlyExit struct {
-	results       []*ocspStatus
-	resultLen     int
-	retFailOpen   *ocspStatus
-	retFailClosed *ocspStatus
-}
-
-func TestCanEarlyExitForOCSP(t *testing.T) {
-	testcases := []tcCanEarlyExit{
-		{ // 0
-			results: []*ocspStatus{
-				{
-					code: ocspStatusGood,
-				},
-				{
-					code: ocspStatusGood,
-				},
-				{
-					code: ocspStatusGood,
-				},
-			},
-			retFailOpen:   nil,
-			retFailClosed: nil,
-		},
-		{ // 1
-			results: []*ocspStatus{
-				{
-					code: ocspStatusRevoked,
-					err:  errors.New("revoked"),
-				},
-				{
-					code: ocspStatusGood,
-				},
-				{
-					code: ocspStatusGood,
-				},
-			},
-			retFailOpen:   &ocspStatus{ocspStatusRevoked, errors.New("revoked")},
-			retFailClosed: &ocspStatus{ocspStatusRevoked, errors.New("revoked")},
-		},
-		{ // 2
-			results: []*ocspStatus{
-				{
-					code: ocspStatusUnknown,
-					err:  errors.New("unknown"),
-				},
-				{
-					code: ocspStatusGood,
-				},
-				{
-					code: ocspStatusGood,
-				},
-			},
-			retFailOpen:   nil,
-			retFailClosed: &ocspStatus{ocspStatusUnknown, errors.New("unknown")},
-		},
-		{ // 3: not taken as revoked if any invalid OCSP response (ocspInvalidValidity) is included.
-			results: []*ocspStatus{
-				{
-					code: ocspStatusRevoked,
-					err:  errors.New("revoked"),
-				},
-				{
-					code: ocspInvalidValidity,
-				},
-				{
-					code: ocspStatusGood,
-				},
-			},
-			retFailOpen:   nil,
-			retFailClosed: &ocspStatus{ocspStatusRevoked, errors.New("revoked")},
-		},
-		{ // 4: not taken as revoked if the number of results don't match the expected results.
-			results: []*ocspStatus{
-				{
-					code: ocspStatusRevoked,
-					err:  errors.New("revoked"),
-				},
-				{
-					code: ocspStatusGood,
-				},
-			},
-			resultLen:     3,
-			retFailOpen:   nil,
-			retFailClosed: &ocspStatus{ocspStatusRevoked, errors.New("revoked")},
-		},
-	}
-	c := New(testLogFactory, 10)
-	for idx, tt := range testcases {
-		expectedLen := len(tt.results)
-		if tt.resultLen > 0 {
-			expectedLen = tt.resultLen
-		}
-		r := c.canEarlyExitForOCSP(tt.results, expectedLen, &VerifyConfig{OcspFailureMode: FailOpenTrue})
-		if !(tt.retFailOpen == nil && r == nil) && !(tt.retFailOpen != nil && r != nil && tt.retFailOpen.code == r.code) {
-			t.Fatalf("%d: failed to match return. expected: %v, got: %v", idx, tt.retFailOpen, r)
-		}
-		r = c.canEarlyExitForOCSP(tt.results, expectedLen, &VerifyConfig{OcspFailureMode: FailOpenFalse})
-		if !(tt.retFailClosed == nil && r == nil) && !(tt.retFailClosed != nil && r != nil && tt.retFailClosed.code == r.code) {
-			t.Fatalf("%d: failed to match return. expected: %v, got: %v", idx, tt.retFailClosed, r)
-		}
-	}
+func (c *OperatorSealCommand) AutocompleteArgs() complete.Predictor {
+	return nil
 }
 
-var testLogger = hclog.New(hclog.DefaultOptions)
-
-func testLogFactory() hclog.Logger {
-	return testLogger
+func (c *OperatorSealCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
 }
 
-type fakeHTTPClient struct {
-	cnt        int    // number of retry
-	success    bool   // return success after retry in cnt times
-	timeout    bool   // timeout
-	body       []byte // return body
-	t          *testing.T
-	logger     hclog.Logger
-	redirected bool
-}
+func (c *OperatorSealCommand) Run(args []string) int {
+	f := c.Flags()
 
-func (c *fakeHTTPClient) Do(_ *retryablehttp.Request) (*http.Response, error) {
-	c.cnt--
-	if c.cnt < 0 {
-		c.cnt = 0
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
 	}
-	c.t.Log("fakeHTTPClient.cnt", c.cnt)
 
-	var retcode int
-	if !c.redirected {
-		c.redirected = true
-		c.cnt++
-		retcode = 405
-	} else if c.success && c.cnt == 1 {
-		retcode = 200
-	} else {
-		if c.timeout {
-			// simulate timeout
-			time.Sleep(time.Second * 1)
-			return nil, &fakeHTTPError{
-				err:     "Whatever reason (Client.Timeout exceeded while awaiting headers)",
-				timeout: true,
-			}
-		}
-		retcode = 0
+	args = f.Args()
+	if len(args) > 0 {
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(args)))
+		return 1
 	}
 
-	ret := &http.Response{
-		StatusCode: retcode,
-		Body:       &fakeResponseBody{body: c.body},
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
 	}
-	return ret, nil
-}
 
-type fakeHTTPError struct {
-	err     string
-	timeout bool
-}
-
-func (e *fakeHTTPError) Error() string   { return e.err }
-func (e *fakeHTTPError) Timeout() bool   { return e.timeout }
-func (e *fakeHTTPError) Temporary() bool { return true }
-
-type fakeResponseBody struct {
-	body []byte
-	cnt  int
-}
-
-func (b *fakeResponseBody) Read(p []byte) (n int, err error) {
-	if b.cnt == 0 {
-		copy(p, b.body)
-		b.cnt = 1
-		return len(b.body), nil
+	if err := client.Sys().Seal(); err != nil {
+		c.UI.Error(fmt.Sprintf("Error sealing: %s", err))
+		return 2
 	}
-	b.cnt = 0
-	return 0, io.EOF
-}
 
-func (b *fakeResponseBody) Close() error {
-	return nil
-}
-
-func fakeRequestFunc(_, _ string, _ interface{}) (*retryablehttp.Request, error) {
-	return nil, nil
+	c.UI.Output("Success! Vault is sealed.")
+	return 0
 }
-
-const vaultCert = `-----BEGIN CERTIFICATE-----
-MIIDuTCCAqGgAwIBAgIUA6VeVD1IB5rXcCZRAqPO4zr/GAMwDQYJKoZIhvcNAQEL
-BQAwcjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAlZBMREwDwYDVQQHDAhTb21lQ2l0
-eTESMBAGA1UECgwJTXlDb21wYW55MRMwEQYDVQQLDApNeURpdmlzaW9uMRowGAYD
-VQQDDBF3d3cuY29uaHVnZWNvLmNvbTAeFw0yMjA5MDcxOTA1MzdaFw0yNDA5MDYx
-OTA1MzdaMHIxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJWQTERMA8GA1UEBwwIU29t
-ZUNpdHkxEjAQBgNVBAoMCU15Q29tcGFueTETMBEGA1UECwwKTXlEaXZpc2lvbjEa
-MBgGA1UEAwwRd3d3LmNvbmh1Z2Vjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
-DwAwggEKAoIBAQDL9qzEXi4PIafSAqfcwcmjujFvbG1QZbI8swxnD+w8i4ufAQU5
-LDmvMrGo3ZbhJ0mCihYmFxpjhRdP2raJQ9TysHlPXHtDRpr9ckWTKBz2oIfqVtJ2
-qzteQkWCkDAO7kPqzgCFsMeoMZeONRkeGib0lEzQAbW/Rqnphg8zVVkyQ71DZ7Pc
-d5WkC2E28kKcSramhWfVFpxG3hSIrLOX2esEXteLRzKxFPf+gi413JZFKYIWrebP
-u5t0++MLNpuX322geoki4BWMjQsd47XILmxZ4aj33ScZvdrZESCnwP76hKIxg9mO
-lMxrqSWKVV5jHZrElSEj9LYJgDO1Y6eItn7hAgMBAAGjRzBFMAsGA1UdDwQEAwIE
-MDATBgNVHSUEDDAKBggrBgEFBQcDATAhBgNVHREEGjAYggtleGFtcGxlLmNvbYIJ
-bG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQA5dPdf5SdtMwe2uSspO/EuWqbM
-497vMQBW1Ey8KRKasJjhvOVYMbe7De5YsnW4bn8u5pl0zQGF4hEtpmifAtVvziH/
-K+ritQj9VVNbLLCbFcg+b0kfjt4yrDZ64vWvIeCgPjG1Kme8gdUUWgu9dOud5gdx
-qg/tIFv4TRS/eIIymMlfd9owOD3Ig6S5fy4NaAJFAwXf8+3Rzuc+e7JSAPgAufjh
-tOTWinxvoiOLuYwo9CyGgq4qKBFsrY0aE0gdA7oTQkpbEbo2EbqiWUl/PTCl1Y4Z
-nSZ0n+4q9QC9RLrWwYTwh838d5RVLUst2mBKSA+vn7YkqmBJbdBC6nkd7n7H
------END CERTIFICATE-----
-`
diff --git a/sdk/helper/pluginruntimeutil/config.go b/sdk/helper/pluginruntimeutil/config.go
index 4a361ddfc7b5..6208d6396328 100644
--- a/sdk/helper/pluginruntimeutil/config.go
+++ b/sdk/helper/pluginruntimeutil/config.go
@@ -1,16 +1,125 @@
 // Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: MPL-2.0
+// SPDX-License-Identifier: BUSL-1.1
 
-package pluginruntimeutil
+package command
 
-import "github.com/hashicorp/vault/sdk/helper/consts"
+import (
+	"strings"
+	"testing"
 
-// PluginRuntimeConfig defines the metadata needed to run a plugin runtime
-type PluginRuntimeConfig struct {
-	Name         string                   `json:"name" structs:"name"`
-	Type         consts.PluginRuntimeType `json:"type" structs:"type"`
-	OCIRuntime   string                   `json:"oci_runtime" structs:"oci_runtime"`
-	CgroupParent string                   `json:"cgroup_parent" structs:"cgroup_parent"`
-	CPU          int64                    `json:"cpu" structs:"cpu"`
-	Memory       int64                    `json:"memory" structs:"memory"`
+	"github.com/hashicorp/cli"
+)
+
+func testOperatorSealCommand(tb testing.TB) (*cli.MockUi, *OperatorSealCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &OperatorSealCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestOperatorSealCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"args",
+			[]string{"foo"},
+			"Too many arguments",
+			1,
+		},
+	}
+
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range cases {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				ui, cmd := testOperatorSealCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
+	})
+
+	t.Run("integration", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		ui, cmd := testOperatorSealCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Success! Vault is sealed."
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+
+		sealStatus, err := client.Sys().SealStatus()
+		if err != nil {
+			t.Fatal(err)
+		}
+		if !sealStatus.Sealed {
+			t.Errorf("expected to be sealed")
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testOperatorSealCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error sealing: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testOperatorSealCommand(t)
+		assertNoTabs(t, cmd)
+	})
 }
diff --git a/sdk/helper/pluginutil/run_config.go b/sdk/helper/pluginutil/run_config.go
index c14060020d0e..e8b93acf0759 100644
--- a/sdk/helper/pluginutil/run_config.go
+++ b/sdk/helper/pluginutil/run_config.go
@@ -1,282 +1,85 @@
 // Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: MPL-2.0
+// SPDX-License-Identifier: BUSL-1.1
 
-package pluginutil
+package command
 
 import (
-	"context"
-	"crypto/sha256"
-	"crypto/tls"
 	"fmt"
-	"os"
-	"os/exec"
-	"strconv"
 	"strings"
 
-	log "github.com/hashicorp/go-hclog"
-	"github.com/hashicorp/go-plugin"
-	"github.com/hashicorp/go-secure-stdlib/plugincontainer"
-	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/hashicorp/vault/sdk/helper/pluginruntimeutil"
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
 )
 
-const (
-	// Labels for plugin container ownership
-	labelVaultPID           = "com.hashicorp.vault.pid"
-	labelVaultClusterID     = "com.hashicorp.vault.cluster.id"
-	labelVaultPluginName    = "com.hashicorp.vault.plugin.name"
-	labelVaultPluginVersion = "com.hashicorp.vault.plugin.version"
-	labelVaultPluginType    = "com.hashicorp.vault.plugin.type"
+var (
+	_ cli.Command             = (*OperatorStepDownCommand)(nil)
+	_ cli.CommandAutocomplete = (*OperatorStepDownCommand)(nil)
 )
 
-type PluginClientConfig struct {
-	Name            string
-	PluginType      consts.PluginType
-	Version         string
-	PluginSets      map[int]plugin.PluginSet
-	HandshakeConfig plugin.HandshakeConfig
-	Logger          log.Logger
-	IsMetadataMode  bool
-	AutoMTLS        bool
-	MLock           bool
-	Wrapper         RunnerUtil
+type OperatorStepDownCommand struct {
+	*BaseCommand
 }
 
-type runConfig struct {
-	// Provided by PluginRunner
-	command  string
-	image    string
-	imageTag string
-	args     []string
-	sha256   []byte
-
-	// Initialized with what's in PluginRunner.Env, but can be added to
-	env []string
-
-	runtimeConfig *pluginruntimeutil.PluginRuntimeConfig
-
-	PluginClientConfig
-}
-
-func (rc runConfig) mlockEnabled() bool {
-	return rc.MLock || (rc.Wrapper != nil && rc.Wrapper.MlockEnabled())
-}
-
-func (rc runConfig) generateCmd(ctx context.Context) (cmd *exec.Cmd, clientTLSConfig *tls.Config, err error) {
-	cmd = exec.Command(rc.command, rc.args...)
-	cmd.Env = append(cmd.Env, rc.env...)
-
-	// Add the mlock setting to the ENV of the plugin
-	if rc.mlockEnabled() {
-		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", PluginMlockEnabled, "true"))
-	}
-	version, err := rc.Wrapper.VaultVersion(ctx)
-	if err != nil {
-		return nil, nil, err
-	}
-	cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", PluginVaultVersionEnv, version))
-
-	if rc.IsMetadataMode {
-		rc.Logger = rc.Logger.With("metadata", "true")
-	}
-	metadataEnv := fmt.Sprintf("%s=%t", PluginMetadataModeEnv, rc.IsMetadataMode)
-	cmd.Env = append(cmd.Env, metadataEnv)
-
-	automtlsEnv := fmt.Sprintf("%s=%t", PluginAutoMTLSEnv, rc.AutoMTLS)
-	cmd.Env = append(cmd.Env, automtlsEnv)
-
-	if !rc.AutoMTLS && !rc.IsMetadataMode {
-		// Get a CA TLS Certificate
-		certBytes, key, err := generateCert()
-		if err != nil {
-			return nil, nil, err
-		}
-
-		// Use CA to sign a client cert and return a configured TLS config
-		clientTLSConfig, err = createClientTLSConfig(certBytes, key)
-		if err != nil {
-			return nil, nil, err
-		}
-
-		// Use CA to sign a server cert and wrap the values in a response wrapped
-		// token.
-		wrapToken, err := wrapServerConfig(ctx, rc.Wrapper, certBytes, key)
-		if err != nil {
-			return nil, nil, err
-		}
-
-		// Add the response wrap token to the ENV of the plugin
-		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", PluginUnwrapTokenEnv, wrapToken))
-	}
-
-	return cmd, clientTLSConfig, nil
-}
-
-func (rc runConfig) makeConfig(ctx context.Context) (*plugin.ClientConfig, error) {
-	cmd, clientTLSConfig, err := rc.generateCmd(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	clientConfig := &plugin.ClientConfig{
-		HandshakeConfig:  rc.HandshakeConfig,
-		VersionedPlugins: rc.PluginSets,
-		TLSConfig:        clientTLSConfig,
-		Logger:           rc.Logger,
-		AllowedProtocols: []plugin.Protocol{
-			plugin.ProtocolNetRPC,
-			plugin.ProtocolGRPC,
-		},
-		AutoMTLS: rc.AutoMTLS,
-	}
-	if rc.image == "" {
-		clientConfig.Cmd = cmd
-		clientConfig.SecureConfig = &plugin.SecureConfig{
-			Checksum: rc.sha256,
-			Hash:     sha256.New(),
-		}
-	} else {
-		containerCfg, err := rc.containerConfig(ctx, cmd.Env)
-		if err != nil {
-			return nil, err
-		}
-		clientConfig.SkipHostEnv = true
-		clientConfig.RunnerFunc = containerCfg.NewContainerRunner
-		clientConfig.UnixSocketConfig = &plugin.UnixSocketConfig{
-			Group:   strconv.Itoa(containerCfg.GroupAdd),
-			TempDir: os.Getenv("VAULT_PLUGIN_TMPDIR"),
-		}
-	}
-	return clientConfig, nil
+func (c *OperatorStepDownCommand) Synopsis() string {
+	return "Forces Vault to resign active duty"
 }
 
-func (rc runConfig) containerConfig(ctx context.Context, env []string) (*plugincontainer.Config, error) {
-	clusterID, err := rc.Wrapper.ClusterID(ctx)
-	if err != nil {
-		return nil, err
-	}
-	cfg := &plugincontainer.Config{
-		Image:  rc.image,
-		Tag:    rc.imageTag,
-		SHA256: fmt.Sprintf("%x", rc.sha256),
+func (c *OperatorStepDownCommand) Help() string {
+	helpText := `
+Usage: vault operator step-down [options]
 
-		Env:        env,
-		GroupAdd:   os.Getgid(),
-		Runtime:    consts.DefaultContainerPluginOCIRuntime,
-		CapIPCLock: rc.mlockEnabled(),
-		Labels: map[string]string{
-			labelVaultPID:           strconv.Itoa(os.Getpid()),
-			labelVaultClusterID:     clusterID,
-			labelVaultPluginName:    rc.PluginClientConfig.Name,
-			labelVaultPluginType:    rc.PluginClientConfig.PluginType.String(),
-			labelVaultPluginVersion: rc.PluginClientConfig.Version,
-		},
-	}
-
-	// Use rc.command and rc.args directly instead of cmd.Path and cmd.Args, as
-	// exec.Command may mutate the provided command.
-	if rc.command != "" {
-		cfg.Entrypoint = []string{rc.command}
-	}
-	if len(rc.args) > 0 {
-		cfg.Args = rc.args
-	}
-	if rc.runtimeConfig != nil {
-		cfg.CgroupParent = rc.runtimeConfig.CgroupParent
-		cfg.NanoCpus = rc.runtimeConfig.CPU
-		cfg.Memory = rc.runtimeConfig.Memory
-		if rc.runtimeConfig.OCIRuntime != "" {
-			cfg.Runtime = rc.runtimeConfig.OCIRuntime
-		}
-	}
-
-	return cfg, nil
-}
-
-func (rc runConfig) run(ctx context.Context) (*plugin.Client, error) {
-	clientConfig, err := rc.makeConfig(ctx)
-	if err != nil {
-		return nil, err
-	}
+  Forces the Vault server at the given address to step down from active duty.
+  While the affected node will have a delay before attempting to acquire the
+  leader lock again, if no other Vault nodes acquire the lock beforehand, it
+  is possible for the same node to re-acquire the lock and become active
+  again.
 
-	client := plugin.NewClient(clientConfig)
-	return client, nil
-}
+  Force Vault to step down as the leader:
 
-type RunOpt func(*runConfig)
+      $ vault operator step-down
 
-func Env(env ...string) RunOpt {
-	return func(rc *runConfig) {
-		rc.env = append(rc.env, env...)
-	}
-}
+` + c.Flags().Help()
 
-func Runner(wrapper RunnerUtil) RunOpt {
-	return func(rc *runConfig) {
-		rc.Wrapper = wrapper
-	}
+	return strings.TrimSpace(helpText)
 }
 
-func PluginSets(pluginSets map[int]plugin.PluginSet) RunOpt {
-	return func(rc *runConfig) {
-		rc.PluginSets = pluginSets
-	}
+func (c *OperatorStepDownCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP)
 }
 
-func HandshakeConfig(hs plugin.HandshakeConfig) RunOpt {
-	return func(rc *runConfig) {
-		rc.HandshakeConfig = hs
-	}
+func (c *OperatorStepDownCommand) AutocompleteArgs() complete.Predictor {
+	return nil
 }
 
-func Logger(logger log.Logger) RunOpt {
-	return func(rc *runConfig) {
-		rc.Logger = logger
-	}
+func (c *OperatorStepDownCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
 }
 
-func MetadataMode(isMetadataMode bool) RunOpt {
-	return func(rc *runConfig) {
-		rc.IsMetadataMode = isMetadataMode
-	}
-}
+func (c *OperatorStepDownCommand) Run(args []string) int {
+	f := c.Flags()
 
-func AutoMTLS(autoMTLS bool) RunOpt {
-	return func(rc *runConfig) {
-		rc.AutoMTLS = autoMTLS
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
 	}
-}
 
-func MLock(mlock bool) RunOpt {
-	return func(rc *runConfig) {
-		rc.MLock = mlock
+	args = f.Args()
+	if len(args) > 0 {
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(args)))
+		return 1
 	}
-}
 
-func (r *PluginRunner) RunConfig(ctx context.Context, opts ...RunOpt) (*plugin.Client, error) {
-	var image, imageTag string
-	if r.OCIImage != "" {
-		image = r.OCIImage
-		imageTag = strings.TrimPrefix(r.Version, "v")
-	}
-	rc := runConfig{
-		command:       r.Command,
-		image:         image,
-		imageTag:      imageTag,
-		args:          r.Args,
-		sha256:        r.Sha256,
-		env:           r.Env,
-		runtimeConfig: r.RuntimeConfig,
-		PluginClientConfig: PluginClientConfig{
-			Name:       r.Name,
-			PluginType: r.Type,
-			Version:    r.Version,
-		},
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
 	}
 
-	for _, opt := range opts {
-		opt(&rc)
+	if err := client.Sys().StepDown(); err != nil {
+		c.UI.Error(fmt.Sprintf("Error stepping down: %s", err))
+		return 2
 	}
 
-	return rc.run(ctx)
+	c.UI.Output(fmt.Sprintf("Success! Stepped down: %s", client.Address()))
+	return 0
 }
diff --git a/sdk/helper/testcluster/docker/environment.go b/sdk/helper/testcluster/docker/environment.go
index 6ce2b1613423..8cb108be98c9 100644
--- a/sdk/helper/testcluster/docker/environment.go
+++ b/sdk/helper/testcluster/docker/environment.go
@@ -1,1227 +1,102 @@
 // Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: MPL-2.0
+// SPDX-License-Identifier: BUSL-1.1
 
-package docker
+package command
 
 import (
-	"bufio"
-	"bytes"
-	"context"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/tls"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/hex"
-	"encoding/json"
-	"encoding/pem"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"math/big"
-	mathrand "math/rand"
-	"net"
-	"net/http"
-	"os"
-	"path/filepath"
 	"strings"
-	"sync"
 	"testing"
-	"time"
 
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/volume"
-	docker "github.com/docker/docker/client"
-	"github.com/hashicorp/go-cleanhttp"
-	log "github.com/hashicorp/go-hclog"
-	"github.com/hashicorp/go-multierror"
-	"github.com/hashicorp/vault/api"
-	dockhelper "github.com/hashicorp/vault/sdk/helper/docker"
-	"github.com/hashicorp/vault/sdk/helper/logging"
-	"github.com/hashicorp/vault/sdk/helper/strutil"
-	"github.com/hashicorp/vault/sdk/helper/testcluster"
-	uberAtomic "go.uber.org/atomic"
-	"golang.org/x/net/http2"
+	"github.com/hashicorp/cli"
 )
 
-var (
-	_ testcluster.VaultCluster     = &DockerCluster{}
-	_ testcluster.VaultClusterNode = &DockerClusterNode{}
-)
-
-const MaxClusterNameLength = 52
-
-// DockerCluster is used to managing the lifecycle of the test Vault cluster
-type DockerCluster struct {
-	ClusterName string
-
-	ClusterNodes []*DockerClusterNode
-
-	// Certificate fields
-	*testcluster.CA
-	RootCAs *x509.CertPool
-
-	barrierKeys  [][]byte
-	recoveryKeys [][]byte
-	tmpDir       string
-
-	// rootToken is the initial root token created when the Vault cluster is
-	// created.
-	rootToken string
-	DockerAPI *docker.Client
-	ID        string
-	Logger    log.Logger
-	builtTags map[string]struct{}
-
-	storage testcluster.ClusterStorage
-}
-
-func (dc *DockerCluster) NamedLogger(s string) log.Logger {
-	return dc.Logger.Named(s)
-}
-
-func (dc *DockerCluster) ClusterID() string {
-	return dc.ID
-}
-
-func (dc *DockerCluster) Nodes() []testcluster.VaultClusterNode {
-	ret := make([]testcluster.VaultClusterNode, len(dc.ClusterNodes))
-	for i := range dc.ClusterNodes {
-		ret[i] = dc.ClusterNodes[i]
-	}
-	return ret
-}
-
-func (dc *DockerCluster) GetBarrierKeys() [][]byte {
-	return dc.barrierKeys
-}
-
-func testKeyCopy(key []byte) []byte {
-	result := make([]byte, len(key))
-	copy(result, key)
-	return result
-}
-
-func (dc *DockerCluster) GetRecoveryKeys() [][]byte {
-	ret := make([][]byte, len(dc.recoveryKeys))
-	for i, k := range dc.recoveryKeys {
-		ret[i] = testKeyCopy(k)
-	}
-	return ret
-}
-
-func (dc *DockerCluster) GetBarrierOrRecoveryKeys() [][]byte {
-	return dc.GetBarrierKeys()
-}
-
-func (dc *DockerCluster) SetBarrierKeys(keys [][]byte) {
-	dc.barrierKeys = make([][]byte, len(keys))
-	for i, k := range keys {
-		dc.barrierKeys[i] = testKeyCopy(k)
-	}
-}
-
-func (dc *DockerCluster) SetRecoveryKeys(keys [][]byte) {
-	dc.recoveryKeys = make([][]byte, len(keys))
-	for i, k := range keys {
-		dc.recoveryKeys[i] = testKeyCopy(k)
-	}
-}
-
-func (dc *DockerCluster) GetCACertPEMFile() string {
-	return dc.CACertPEMFile
-}
-
-func (dc *DockerCluster) Cleanup() {
-	dc.cleanup()
-}
-
-func (dc *DockerCluster) cleanup() error {
-	var result *multierror.Error
-	for _, node := range dc.ClusterNodes {
-		if err := node.cleanup(); err != nil {
-			result = multierror.Append(result, err)
-		}
-	}
-
-	return result.ErrorOrNil()
-}
-
-// GetRootToken returns the root token of the cluster, if set
-func (dc *DockerCluster) GetRootToken() string {
-	return dc.rootToken
-}
-
-func (dc *DockerCluster) SetRootToken(s string) {
-	dc.Logger.Trace("cluster root token changed", "helpful_env", fmt.Sprintf("VAULT_TOKEN=%s VAULT_CACERT=/vault/config/ca.pem", s))
-	dc.rootToken = s
-}
-
-func (n *DockerClusterNode) Name() string {
-	return n.Cluster.ClusterName + "-" + n.NodeID
-}
-
-func (dc *DockerCluster) setupNode0(ctx context.Context) error {
-	client := dc.ClusterNodes[0].client
-
-	var resp *api.InitResponse
-	var err error
-	for ctx.Err() == nil {
-		resp, err = client.Sys().Init(&api.InitRequest{
-			SecretShares:    3,
-			SecretThreshold: 3,
-		})
-		if err == nil && resp != nil {
-			break
-		}
-		time.Sleep(500 * time.Millisecond)
-	}
-	if err != nil {
-		return err
-	}
-	if resp == nil {
-		return fmt.Errorf("nil response to init request")
-	}
-
-	for _, k := range resp.Keys {
-		raw, err := hex.DecodeString(k)
-		if err != nil {
-			return err
-		}
-		dc.barrierKeys = append(dc.barrierKeys, raw)
-	}
-
-	for _, k := range resp.RecoveryKeys {
-		raw, err := hex.DecodeString(k)
-		if err != nil {
-			return err
-		}
-		dc.recoveryKeys = append(dc.recoveryKeys, raw)
-	}
-
-	dc.rootToken = resp.RootToken
-	client.SetToken(dc.rootToken)
-	dc.ClusterNodes[0].client = client
-
-	err = testcluster.UnsealNode(ctx, dc, 0)
-	if err != nil {
-		return err
-	}
-
-	err = ensureLeaderMatches(ctx, client, func(leader *api.LeaderResponse) error {
-		if !leader.IsSelf {
-			return fmt.Errorf("node %d leader=%v, expected=%v", 0, leader.IsSelf, true)
-		}
-
-		return nil
-	})
-
-	status, err := client.Sys().SealStatusWithContext(ctx)
-	if err != nil {
-		return err
-	}
-	dc.ID = status.ClusterID
-	return err
-}
-
-func (dc *DockerCluster) clusterReady(ctx context.Context) error {
-	for i, node := range dc.ClusterNodes {
-		expectLeader := i == 0
-		err := ensureLeaderMatches(ctx, node.client, func(leader *api.LeaderResponse) error {
-			if expectLeader != leader.IsSelf {
-				return fmt.Errorf("node %d leader=%v, expected=%v", i, leader.IsSelf, expectLeader)
-			}
-
-			return nil
-		})
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func (dc *DockerCluster) setupCA(opts *DockerClusterOptions) error {
-	var err error
-	var ca testcluster.CA
-
-	if opts != nil && opts.CAKey != nil {
-		ca.CAKey = opts.CAKey
-	} else {
-		ca.CAKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-		if err != nil {
-			return err
-		}
-	}
-
-	var caBytes []byte
-	if opts != nil && len(opts.CACert) > 0 {
-		caBytes = opts.CACert
-	} else {
-		serialNumber := mathrand.New(mathrand.NewSource(time.Now().UnixNano())).Int63()
-		CACertTemplate := &x509.Certificate{
-			Subject: pkix.Name{
-				CommonName: "localhost",
-			},
-			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
-			SerialNumber:          big.NewInt(serialNumber),
-			NotBefore:             time.Now().Add(-30 * time.Second),
-			NotAfter:              time.Now().Add(262980 * time.Hour),
-			BasicConstraintsValid: true,
-			IsCA:                  true,
-		}
-		caBytes, err = x509.CreateCertificate(rand.Reader, CACertTemplate, CACertTemplate, ca.CAKey.Public(), ca.CAKey)
-		if err != nil {
-			return err
-		}
-	}
-	CACert, err := x509.ParseCertificate(caBytes)
-	if err != nil {
-		return err
-	}
-	ca.CACert = CACert
-	ca.CACertBytes = caBytes
-
-	CACertPEMBlock := &pem.Block{
-		Type:  "CERTIFICATE",
-		Bytes: caBytes,
-	}
-	ca.CACertPEM = pem.EncodeToMemory(CACertPEMBlock)
-
-	ca.CACertPEMFile = filepath.Join(dc.tmpDir, "ca", "ca.pem")
-	err = os.WriteFile(ca.CACertPEMFile, ca.CACertPEM, 0o755)
-	if err != nil {
-		return err
-	}
-
-	marshaledCAKey, err := x509.MarshalECPrivateKey(ca.CAKey)
-	if err != nil {
-		return err
-	}
-	CAKeyPEMBlock := &pem.Block{
-		Type:  "EC PRIVATE KEY",
-		Bytes: marshaledCAKey,
-	}
-	ca.CAKeyPEM = pem.EncodeToMemory(CAKeyPEMBlock)
-
-	dc.CA = &ca
-
-	return nil
-}
-
-func (n *DockerClusterNode) setupCert(ip string) error {
-	var err error
-
-	n.ServerKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		return err
-	}
+func testOperatorStepDownCommand(tb testing.TB) (*cli.MockUi, *OperatorStepDownCommand) {
+	tb.Helper()
 
-	serialNumber := mathrand.New(mathrand.NewSource(time.Now().UnixNano())).Int63()
-	certTemplate := &x509.Certificate{
-		Subject: pkix.Name{
-			CommonName: n.Name(),
-		},
-		DNSNames:    []string{"localhost", n.Name()},
-		IPAddresses: []net.IP{net.IPv6loopback, net.ParseIP("127.0.0.1"), net.ParseIP(ip)},
-		ExtKeyUsage: []x509.ExtKeyUsage{
-			x509.ExtKeyUsageServerAuth,
-			x509.ExtKeyUsageClientAuth,
+	ui := cli.NewMockUi()
+	return ui, &OperatorStepDownCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
 		},
-		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement,
-		SerialNumber: big.NewInt(serialNumber),
-		NotBefore:    time.Now().Add(-30 * time.Second),
-		NotAfter:     time.Now().Add(262980 * time.Hour),
-	}
-	n.ServerCertBytes, err = x509.CreateCertificate(rand.Reader, certTemplate, n.Cluster.CACert, n.ServerKey.Public(), n.Cluster.CAKey)
-	if err != nil {
-		return err
-	}
-	n.ServerCert, err = x509.ParseCertificate(n.ServerCertBytes)
-	if err != nil {
-		return err
-	}
-	n.ServerCertPEM = pem.EncodeToMemory(&pem.Block{
-		Type:  "CERTIFICATE",
-		Bytes: n.ServerCertBytes,
-	})
-
-	marshaledKey, err := x509.MarshalECPrivateKey(n.ServerKey)
-	if err != nil {
-		return err
-	}
-	n.ServerKeyPEM = pem.EncodeToMemory(&pem.Block{
-		Type:  "EC PRIVATE KEY",
-		Bytes: marshaledKey,
-	})
-
-	n.ServerCertPEMFile = filepath.Join(n.WorkDir, "cert.pem")
-	err = os.WriteFile(n.ServerCertPEMFile, n.ServerCertPEM, 0o755)
-	if err != nil {
-		return err
-	}
-
-	n.ServerKeyPEMFile = filepath.Join(n.WorkDir, "key.pem")
-	err = os.WriteFile(n.ServerKeyPEMFile, n.ServerKeyPEM, 0o755)
-	if err != nil {
-		return err
-	}
-
-	tlsCert, err := tls.X509KeyPair(n.ServerCertPEM, n.ServerKeyPEM)
-	if err != nil {
-		return err
-	}
-
-	certGetter := NewCertificateGetter(n.ServerCertPEMFile, n.ServerKeyPEMFile, "")
-	if err := certGetter.Reload(); err != nil {
-		return err
-	}
-	tlsConfig := &tls.Config{
-		Certificates:   []tls.Certificate{tlsCert},
-		RootCAs:        n.Cluster.RootCAs,
-		ClientCAs:      n.Cluster.RootCAs,
-		ClientAuth:     tls.RequestClientCert,
-		NextProtos:     []string{"h2", "http/1.1"},
-		GetCertificate: certGetter.GetCertificate,
-	}
-
-	n.tlsConfig = tlsConfig
-
-	err = os.WriteFile(filepath.Join(n.WorkDir, "ca.pem"), n.Cluster.CACertPEM, 0o755)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func NewTestDockerCluster(t *testing.T, opts *DockerClusterOptions) *DockerCluster {
-	if opts == nil {
-		opts = &DockerClusterOptions{}
-	}
-	if opts.ClusterName == "" {
-		opts.ClusterName = strings.ReplaceAll(t.Name(), "/", "-")
-	}
-	if opts.Logger == nil {
-		opts.Logger = logging.NewVaultLogger(log.Trace).Named(t.Name())
-	}
-	if opts.NetworkName == "" {
-		opts.NetworkName = os.Getenv("TEST_DOCKER_NETWORK_NAME")
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), 120*time.Second)
-	t.Cleanup(cancel)
-
-	dc, err := NewDockerCluster(ctx, opts)
-	if err != nil {
-		t.Fatal(err)
-	}
-	dc.Logger.Trace("cluster started", "helpful_env", fmt.Sprintf("VAULT_TOKEN=%s VAULT_CACERT=/vault/config/ca.pem", dc.GetRootToken()))
-	return dc
-}
-
-func NewDockerCluster(ctx context.Context, opts *DockerClusterOptions) (*DockerCluster, error) {
-	api, err := dockhelper.NewDockerAPI()
-	if err != nil {
-		return nil, err
-	}
-
-	if opts == nil {
-		opts = &DockerClusterOptions{}
-	}
-	if opts.Logger == nil {
-		opts.Logger = log.NewNullLogger()
-	}
-	if opts.VaultLicense == "" {
-		opts.VaultLicense = os.Getenv(testcluster.EnvVaultLicenseCI)
-	}
-
-	dc := &DockerCluster{
-		DockerAPI:   api,
-		ClusterName: opts.ClusterName,
-		Logger:      opts.Logger,
-		builtTags:   map[string]struct{}{},
-		CA:          opts.CA,
-		storage:     opts.Storage,
 	}
-
-	if err := dc.setupDockerCluster(ctx, opts); err != nil {
-		dc.Cleanup()
-		return nil, err
-	}
-
-	return dc, nil
-}
-
-// DockerClusterNode represents a single instance of Vault in a cluster
-type DockerClusterNode struct {
-	NodeID               string
-	HostPort             string
-	client               *api.Client
-	ServerCert           *x509.Certificate
-	ServerCertBytes      []byte
-	ServerCertPEM        []byte
-	ServerCertPEMFile    string
-	ServerKey            *ecdsa.PrivateKey
-	ServerKeyPEM         []byte
-	ServerKeyPEMFile     string
-	tlsConfig            *tls.Config
-	WorkDir              string
-	Cluster              *DockerCluster
-	Container            *types.ContainerJSON
-	DockerAPI            *docker.Client
-	runner               *dockhelper.Runner
-	Logger               log.Logger
-	cleanupContainer     func()
-	RealAPIAddr          string
-	ContainerNetworkName string
-	ContainerIPAddress   string
-	ImageRepo            string
-	ImageTag             string
-	DataVolumeName       string
-	cleanupVolume        func()
-	AllClients           []*api.Client
 }
 
-func (n *DockerClusterNode) TLSConfig() *tls.Config {
-	return n.tlsConfig.Clone()
-}
+func TestOperatorStepDownCommand_Run(t *testing.T) {
+	t.Parallel()
 
-func (n *DockerClusterNode) APIClient() *api.Client {
-	// We clone to ensure that whenever this method is called, the caller gets
-	// back a pristine client, without e.g. any namespace or token changes that
-	// might pollute a shared client.  We clone the config instead of the
-	// client because (1) Client.clone propagates the replicationStateStore and
-	// the httpClient pointers, (2) it doesn't copy the tlsConfig at all, and
-	// (3) if clone returns an error, it doesn't feel as appropriate to panic
-	// below.  Who knows why clone might return an error?
-	cfg := n.client.CloneConfig()
-	client, err := api.NewClient(cfg)
-	if err != nil {
-		// It seems fine to panic here, since this should be the same input
-		// we provided to NewClient when we were setup, and we didn't panic then.
-		// Better not to completely ignore the error though, suppose there's a
-		// bug in CloneConfig?
-		panic(fmt.Sprintf("NewClient error on cloned config: %v", err))
-	}
-	client.SetToken(n.Cluster.rootToken)
-	return client
-}
-
-func (n *DockerClusterNode) APIClientN(listenerNumber int) (*api.Client, error) {
-	// We clone to ensure that whenever this method is called, the caller gets
-	// back a pristine client, without e.g. any namespace or token changes that
-	// might pollute a shared client.  We clone the config instead of the
-	// client because (1) Client.clone propagates the replicationStateStore and
-	// the httpClient pointers, (2) it doesn't copy the tlsConfig at all, and
-	// (3) if clone returns an error, it doesn't feel as appropriate to panic
-	// below.  Who knows why clone might return an error?
-	if listenerNumber >= len(n.AllClients) {
-		return nil, fmt.Errorf("invalid listener number %d", listenerNumber)
-	}
-	cfg := n.AllClients[listenerNumber].CloneConfig()
-	client, err := api.NewClient(cfg)
-	if err != nil {
-		// It seems fine to panic here, since this should be the same input
-		// we provided to NewClient when we were setup, and we didn't panic then.
-		// Better not to completely ignore the error though, suppose there's a
-		// bug in CloneConfig?
-		panic(fmt.Sprintf("NewClient error on cloned config: %v", err))
-	}
-	client.SetToken(n.Cluster.rootToken)
-	return client, nil
-}
-
-// NewAPIClient creates and configures a Vault API client to communicate with
-// the running Vault Cluster for this DockerClusterNode
-func (n *DockerClusterNode) apiConfig() (*api.Config, error) {
-	transport := cleanhttp.DefaultPooledTransport()
-	transport.TLSClientConfig = n.TLSConfig()
-	if err := http2.ConfigureTransport(transport); err != nil {
-		return nil, err
-	}
-	client := &http.Client{
-		Transport: transport,
-		CheckRedirect: func(*http.Request, []*http.Request) error {
-			// This can of course be overridden per-test by using its own client
-			return fmt.Errorf("redirects not allowed in these tests")
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"too_many_args",
+			[]string{"foo"},
+			"Too many arguments",
+			1,
 		},
-	}
-	config := api.DefaultConfig()
-	if config.Error != nil {
-		return nil, config.Error
-	}
-	config.Address = fmt.Sprintf("https://%s", n.HostPort)
-	config.HttpClient = client
-	config.MaxRetries = 0
-	return config, nil
-}
-
-func (n *DockerClusterNode) newAPIClient() (*api.Client, error) {
-	config, err := n.apiConfig()
-	if err != nil {
-		return nil, err
-	}
-	client, err := api.NewClient(config)
-	if err != nil {
-		return nil, err
-	}
-	client.SetToken(n.Cluster.GetRootToken())
-	return client, nil
-}
-
-func (n *DockerClusterNode) newAPIClientForAddress(address string) (*api.Client, error) {
-	config, err := n.apiConfig()
-	if err != nil {
-		return nil, err
-	}
-	config.Address = fmt.Sprintf("https://%s", address)
-	client, err := api.NewClient(config)
-	if err != nil {
-		return nil, err
-	}
-	client.SetToken(n.Cluster.GetRootToken())
-	return client, nil
-}
-
-// Cleanup kills the container of the node and deletes its data volume
-func (n *DockerClusterNode) Cleanup() {
-	n.cleanup()
-}
-
-// Stop kills the container of the node
-func (n *DockerClusterNode) Stop() {
-	n.cleanupContainer()
-}
-
-func (n *DockerClusterNode) cleanup() error {
-	if n.Container == nil || n.Container.ID == "" {
-		return nil
-	}
-	n.cleanupContainer()
-	n.cleanupVolume()
-	return nil
-}
-
-func (n *DockerClusterNode) createDefaultListenerConfig() map[string]interface{} {
-	return map[string]interface{}{"tcp": map[string]interface{}{
-		"address":       fmt.Sprintf("%s:%d", "0.0.0.0", 8200),
-		"tls_cert_file": "/vault/config/cert.pem",
-		"tls_key_file":  "/vault/config/key.pem",
-		"telemetry": map[string]interface{}{
-			"unauthenticated_metrics_access": true,
+		{
+			"default",
+			nil,
+			"Success! Stepped down: ",
+			0,
 		},
-	}}
-}
-
-func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOptions) error {
-	if n.DataVolumeName == "" {
-		vol, err := n.DockerAPI.VolumeCreate(ctx, volume.CreateOptions{})
-		if err != nil {
-			return err
-		}
-		n.DataVolumeName = vol.Name
-		n.cleanupVolume = func() {
-			_ = n.DockerAPI.VolumeRemove(ctx, vol.Name, false)
-		}
-	}
-	vaultCfg := map[string]interface{}{}
-	var listenerConfig []map[string]interface{}
-	listenerConfig = append(listenerConfig, n.createDefaultListenerConfig())
-	ports := []string{"8200/tcp", "8201/tcp"}
-
-	if opts.VaultNodeConfig != nil && opts.VaultNodeConfig.AdditionalListeners != nil {
-		for _, config := range opts.VaultNodeConfig.AdditionalListeners {
-			cfg := n.createDefaultListenerConfig()
-			listener := cfg["tcp"].(map[string]interface{})
-			listener["address"] = fmt.Sprintf("%s:%d", "0.0.0.0", config.Port)
-			listener["chroot_namespace"] = config.ChrootNamespace
-			listenerConfig = append(listenerConfig, cfg)
-			portStr := fmt.Sprintf("%d/tcp", config.Port)
-			if strutil.StrListContains(ports, portStr) {
-				return fmt.Errorf("duplicate port %d specified", config.Port)
-			}
-			ports = append(ports, portStr)
-		}
-	}
-	vaultCfg["listener"] = listenerConfig
-	vaultCfg["telemetry"] = map[string]interface{}{
-		"disable_hostname": true,
-	}
-
-	// Setup storage. Default is raft.
-	storageType := "raft"
-	storageOpts := map[string]interface{}{
-		// TODO add options from vnc
-		"path":    "/vault/file",
-		"node_id": n.NodeID,
-	}
-
-	if opts.Storage != nil {
-		storageType = opts.Storage.Type()
-		storageOpts = opts.Storage.Opts()
-	}
-
-	if opts != nil && opts.VaultNodeConfig != nil {
-		for k, v := range opts.VaultNodeConfig.StorageOptions {
-			if _, ok := storageOpts[k].(string); !ok {
-				storageOpts[k] = v
-			}
-		}
-	}
-	vaultCfg["storage"] = map[string]interface{}{
-		storageType: storageOpts,
-	}
-
-	//// disable_mlock is required for working in the Docker environment with
-	//// custom plugins
-	vaultCfg["disable_mlock"] = true
-	vaultCfg["api_addr"] = `https://{{- GetAllInterfaces | exclude "flags" "loopback" | attr "address" -}}:8200`
-	vaultCfg["cluster_addr"] = `https://{{- GetAllInterfaces | exclude "flags" "loopback" | attr "address" -}}:8201`
-
-	vaultCfg["administrative_namespace_path"] = opts.AdministrativeNamespacePath
-
-	systemJSON, err := json.Marshal(vaultCfg)
-	if err != nil {
-		return err
-	}
-	err = os.WriteFile(filepath.Join(n.WorkDir, "system.json"), systemJSON, 0o644)
-	if err != nil {
-		return err
-	}
-
-	if opts.VaultNodeConfig != nil {
-		localCfg := *opts.VaultNodeConfig
-		if opts.VaultNodeConfig.LicensePath != "" {
-			b, err := os.ReadFile(opts.VaultNodeConfig.LicensePath)
-			if err != nil || len(b) == 0 {
-				return fmt.Errorf("unable to read LicensePath at %q: %w", opts.VaultNodeConfig.LicensePath, err)
-			}
-			localCfg.LicensePath = "/vault/config/license"
-			dest := filepath.Join(n.WorkDir, "license")
-			err = os.WriteFile(dest, b, 0o644)
-			if err != nil {
-				return fmt.Errorf("error writing license to %q: %w", dest, err)
-			}
-
-		}
-		userJSON, err := json.Marshal(localCfg)
-		if err != nil {
-			return err
-		}
-		err = os.WriteFile(filepath.Join(n.WorkDir, "user.json"), userJSON, 0o644)
-		if err != nil {
-			return err
-		}
-	}
-
-	// Create a temporary cert so vault will start up
-	err = n.setupCert("127.0.0.1")
-	if err != nil {
-		return err
 	}
 
-	caDir := filepath.Join(n.Cluster.tmpDir, "ca")
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
 
-	// setup plugin bin copy if needed
-	copyFromTo := map[string]string{
-		n.WorkDir: "/vault/config",
-		caDir:     "/usr/local/share/ca-certificates/",
-	}
-
-	var wg sync.WaitGroup
-	wg.Add(1)
-	var seenLogs uberAtomic.Bool
-	logConsumer := func(s string) {
-		if seenLogs.CAS(false, true) {
-			wg.Done()
-		}
-		n.Logger.Trace(s)
-	}
-	logStdout := &LogConsumerWriter{logConsumer}
-	logStderr := &LogConsumerWriter{func(s string) {
-		if seenLogs.CAS(false, true) {
-			wg.Done()
-		}
-		testcluster.JSONLogNoTimestamp(n.Logger, s)
-	}}
-
-	r, err := dockhelper.NewServiceRunner(dockhelper.RunOptions{
-		ImageRepo: n.ImageRepo,
-		ImageTag:  n.ImageTag,
-		// We don't need to run update-ca-certificates in the container, because
-		// we're providing the CA in the raft join call, and otherwise Vault
-		// servers don't talk to one another on the API port.
-		Cmd: append([]string{"server"}, opts.Args...),
-		Env: []string{
-			// For now we're using disable_mlock, because this is for testing
-			// anyway, and because it prevents us using external plugins.
-			"SKIP_SETCAP=true",
-			"VAULT_LOG_FORMAT=json",
-			"VAULT_LICENSE=" + opts.VaultLicense,
-		},
-		Ports:           ports,
-		ContainerName:   n.Name(),
-		NetworkName:     opts.NetworkName,
-		CopyFromTo:      copyFromTo,
-		LogConsumer:     logConsumer,
-		LogStdout:       logStdout,
-		LogStderr:       logStderr,
-		PreDelete:       true,
-		DoNotAutoRemove: true,
-		PostStart: func(containerID string, realIP string) error {
-			err := n.setupCert(realIP)
-			if err != nil {
-				return err
-			}
-
-			// If we signal Vault before it installs its sighup handler, it'll die.
-			wg.Wait()
-			n.Logger.Trace("running poststart", "containerID", containerID, "IP", realIP)
-			return n.runner.RefreshFiles(ctx, containerID)
-		},
-		Capabilities:      []string{"NET_ADMIN"},
-		OmitLogTimestamps: true,
-		VolumeNameToMountPoint: map[string]string{
-			n.DataVolumeName: "/vault/file",
-		},
-	})
-	if err != nil {
-		return err
-	}
-	n.runner = r
-
-	probe := opts.StartProbe
-	if probe == nil {
-		probe = func(c *api.Client) error {
-			_, err = c.Sys().SealStatus()
-			return err
-		}
-	}
-	svc, _, err := r.StartNewService(ctx, false, false, func(ctx context.Context, host string, port int) (dockhelper.ServiceConfig, error) {
-		config, err := n.apiConfig()
-		if err != nil {
-			return nil, err
-		}
-		config.Address = fmt.Sprintf("https://%s:%d", host, port)
-		client, err := api.NewClient(config)
-		if err != nil {
-			return nil, err
-		}
-		err = probe(client)
-		if err != nil {
-			return nil, err
-		}
+		for _, tc := range cases {
+			tc := tc
 
-		return dockhelper.NewServiceHostPort(host, port), nil
-	})
-	if err != nil {
-		return err
-	}
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
 
-	n.HostPort = svc.Config.Address()
-	n.Container = svc.Container
-	netName := opts.NetworkName
-	if netName == "" {
-		if len(svc.Container.NetworkSettings.Networks) > 1 {
-			return fmt.Errorf("Set d.RunOptions.NetworkName instead for container with multiple networks: %v", svc.Container.NetworkSettings.Networks)
-		}
-		for netName = range svc.Container.NetworkSettings.Networks {
-			// Networks above is a map; we just need to find the first and
-			// only key of this map (network name). The range handles this
-			// for us, but we need a loop construction in order to use range.
-		}
-	}
-	n.ContainerNetworkName = netName
-	n.ContainerIPAddress = svc.Container.NetworkSettings.Networks[netName].IPAddress
-	n.RealAPIAddr = "https://" + n.ContainerIPAddress + ":8200"
-	n.cleanupContainer = svc.Cleanup
+				client, closer := testVaultServer(t)
+				defer closer()
 
-	client, err := n.newAPIClient()
-	if err != nil {
-		return err
-	}
-	client.SetToken(n.Cluster.rootToken)
-	n.client = client
+				ui, cmd := testOperatorStepDownCommand(t)
+				cmd.client = client
 
-	n.AllClients = append(n.AllClients, client)
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
 
-	for _, addr := range svc.StartResult.Addrs[2:] {
-		// The second element of this list of addresses is the cluster address
-		// We do not want to create a client for the cluster address mapping
-		client, err := n.newAPIClientForAddress(addr)
-		if err != nil {
-			return err
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
 		}
-		client.SetToken(n.Cluster.rootToken)
-		n.AllClients = append(n.AllClients, client)
-	}
-	return nil
-}
-
-func (n *DockerClusterNode) Pause(ctx context.Context) error {
-	return n.DockerAPI.ContainerPause(ctx, n.Container.ID)
-}
-
-func (n *DockerClusterNode) AddNetworkDelay(ctx context.Context, delay time.Duration, targetIP string) error {
-	ip := net.ParseIP(targetIP)
-	if ip == nil {
-		return fmt.Errorf("targetIP %q is not an IP address", targetIP)
-	}
-	// Let's attempt to get a unique handle for the filter rule; we'll assume that
-	// every targetIP has a unique last octet, which is true currently for how
-	// we're doing docker networking.
-	lastOctet := ip.To4()[3]
-
-	stdout, stderr, exitCode, err := n.runner.RunCmdWithOutput(ctx, n.Container.ID, []string{
-		"/bin/sh",
-		"-xec", strings.Join([]string{
-			fmt.Sprintf("echo isolating node %s", targetIP),
-			"apk add iproute2",
-			// If we're running this script a second time on the same node,
-			// the add dev will fail; since we only want to run the netem
-			// command once, we'll do so in the case where the add dev doesn't fail.
-			"tc qdisc add dev eth0 root handle 1: prio && " +
-				fmt.Sprintf("tc qdisc add dev eth0 parent 1:1 handle 2: netem delay %dms", delay/time.Millisecond),
-			// Here we create a u32 filter as per https://man7.org/linux/man-pages/man8/tc-u32.8.html
-			// Its parent is 1:0 (which I guess is the root?)
-			// Its handle must be unique, so we base it on targetIP
-			fmt.Sprintf("tc filter add dev eth0 parent 1:0 protocol ip pref 55 handle ::%x u32 match ip dst %s flowid 2:1", lastOctet, targetIP),
-		}, "; "),
-	})
-	if err != nil {
-		return err
-	}
-
-	n.Logger.Trace(string(stdout))
-	n.Logger.Trace(string(stderr))
-	if exitCode != 0 {
-		return fmt.Errorf("got nonzero exit code from iptables: %d", exitCode)
-	}
-	return nil
-}
-
-// PartitionFromCluster will cause the node to be disconnected at the network
-// level from the rest of the docker cluster. It does so in a way that the node
-// will not see TCP RSTs and all packets it sends will be "black holed". It
-// attempts to keep packets to and from the host intact which allows docker
-// daemon to continue streaming logs and any test code to continue making
-// requests from the host to the partitioned node.
-func (n *DockerClusterNode) PartitionFromCluster(ctx context.Context) error {
-	stdout, stderr, exitCode, err := n.runner.RunCmdWithOutput(ctx, n.Container.ID, []string{
-		"/bin/sh",
-		"-xec", strings.Join([]string{
-			fmt.Sprintf("echo partitioning container from network"),
-			"apk add iproute2",
-			// Get the gateway address for the bridge so we can allow host to
-			// container traffic still.
-			"GW=$(ip r | grep default | grep eth0 | cut -f 3 -d' ')",
-			// First delete the rules in case this is called twice otherwise we'll add
-			// multiple copies and only remove one in Unpartition (yay iptables).
-			// Ignore the error if it didn't exist.
-			"iptables -D INPUT -i eth0 ! -s \"$GW\" -j DROP | true",
-			"iptables -D OUTPUT -o eth0 ! -d \"$GW\" -j DROP | true",
-			// Add rules to drop all packets in and out of the docker network
-			// connection.
-			"iptables -I INPUT -i eth0 ! -s \"$GW\" -j DROP",
-			"iptables -I OUTPUT -o eth0 ! -d \"$GW\" -j DROP",
-		}, "; "),
-	})
-	if err != nil {
-		return err
-	}
-
-	n.Logger.Trace(string(stdout))
-	n.Logger.Trace(string(stderr))
-	if exitCode != 0 {
-		return fmt.Errorf("got nonzero exit code from iptables: %d", exitCode)
-	}
-	return nil
-}
-
-// UnpartitionFromCluster reverses a previous call to PartitionFromCluster and
-// restores full connectivity. Currently assumes the default "bridge" network.
-func (n *DockerClusterNode) UnpartitionFromCluster(ctx context.Context) error {
-	stdout, stderr, exitCode, err := n.runner.RunCmdWithOutput(ctx, n.Container.ID, []string{
-		"/bin/sh",
-		"-xec", strings.Join([]string{
-			fmt.Sprintf("echo un-partitioning container from network"),
-			// Get the gateway address for the bridge so we can allow host to
-			// container traffic still.
-			"GW=$(ip r | grep default | grep eth0 | cut -f 3 -d' ')",
-			// Remove the rules, ignore if they are not present or iptables wasn't
-			// installed yet (i.e. no-one called PartitionFromCluster yet).
-			"iptables -D INPUT -i eth0 ! -s \"$GW\" -j DROP | true",
-			"iptables -D OUTPUT -o eth0 ! -d \"$GW\" -j DROP | true",
-		}, "; "),
 	})
-	if err != nil {
-		return err
-	}
-
-	n.Logger.Trace(string(stdout))
-	n.Logger.Trace(string(stderr))
-	if exitCode != 0 {
-		return fmt.Errorf("got nonzero exit code from iptables: %d", exitCode)
-	}
-	return nil
-}
-
-type LogConsumerWriter struct {
-	consumer func(string)
-}
-
-func (l LogConsumerWriter) Write(p []byte) (n int, err error) {
-	// TODO this assumes that we're never passed partial log lines, which
-	// seems a safe assumption for now based on how docker looks to implement
-	// logging, but might change in the future.
-	scanner := bufio.NewScanner(bytes.NewReader(p))
-	scanner.Buffer(make([]byte, 64*1024), bufio.MaxScanTokenSize)
-	for scanner.Scan() {
-		l.consumer(scanner.Text())
-	}
-	return len(p), nil
-}
 
-// DockerClusterOptions has options for setting up the docker cluster
-type DockerClusterOptions struct {
-	testcluster.ClusterOptions
-	CAKey       *ecdsa.PrivateKey
-	NetworkName string
-	ImageRepo   string
-	ImageTag    string
-	CA          *testcluster.CA
-	VaultBinary string
-	Args        []string
-	StartProbe  func(*api.Client) error
-	Storage     testcluster.ClusterStorage
-}
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
 
-func ensureLeaderMatches(ctx context.Context, client *api.Client, ready func(response *api.LeaderResponse) error) error {
-	var leader *api.LeaderResponse
-	var err error
-	for ctx.Err() == nil {
-		leader, err = client.Sys().Leader()
-		switch {
-		case err != nil:
-		case leader == nil:
-			err = fmt.Errorf("nil response to leader check")
-		default:
-			err = ready(leader)
-			if err == nil {
-				return nil
-			}
-		}
-		time.Sleep(500 * time.Millisecond)
-	}
-	return fmt.Errorf("error checking leader: %v", err)
-}
+		client, closer := testVaultServerBad(t)
+		defer closer()
 
-const DefaultNumCores = 3
+		ui, cmd := testOperatorStepDownCommand(t)
+		cmd.client = client
 
-// creates a managed docker container running Vault
-func (dc *DockerCluster) setupDockerCluster(ctx context.Context, opts *DockerClusterOptions) error {
-	if opts.TmpDir != "" {
-		if _, err := os.Stat(opts.TmpDir); os.IsNotExist(err) {
-			if err := os.MkdirAll(opts.TmpDir, 0o700); err != nil {
-				return err
-			}
-		}
-		dc.tmpDir = opts.TmpDir
-	} else {
-		tempDir, err := ioutil.TempDir("", "vault-test-cluster-")
-		if err != nil {
-			return err
+		code := cmd.Run([]string{})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
 		}
-		dc.tmpDir = tempDir
-	}
-	caDir := filepath.Join(dc.tmpDir, "ca")
-	if err := os.MkdirAll(caDir, 0o755); err != nil {
-		return err
-	}
 
-	var numCores int
-	if opts.NumCores == 0 {
-		numCores = DefaultNumCores
-	} else {
-		numCores = opts.NumCores
-	}
-
-	if dc.CA == nil {
-		if err := dc.setupCA(opts); err != nil {
-			return err
+		expected := "Error stepping down: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
 		}
-	}
-	dc.RootCAs = x509.NewCertPool()
-	dc.RootCAs.AddCert(dc.CA.CACert)
-
-	if dc.storage != nil {
-		if err := dc.storage.Start(ctx, &opts.ClusterOptions); err != nil {
-			return err
-		}
-	}
-
-	for i := 0; i < numCores; i++ {
-		if err := dc.addNode(ctx, opts); err != nil {
-			return err
-		}
-		if opts.SkipInit {
-			continue
-		}
-		if i == 0 {
-			if err := dc.setupNode0(ctx); err != nil {
-				return err
-			}
-		} else {
-			if err := dc.joinNode(ctx, i, 0); err != nil {
-				return err
-			}
-		}
-	}
-
-	return nil
-}
-
-func (dc *DockerCluster) AddNode(ctx context.Context, opts *DockerClusterOptions) error {
-	leaderIdx, err := testcluster.LeaderNode(ctx, dc)
-	if err != nil {
-		return err
-	}
-	if err := dc.addNode(ctx, opts); err != nil {
-		return err
-	}
-
-	return dc.joinNode(ctx, len(dc.ClusterNodes)-1, leaderIdx)
-}
-
-func (dc *DockerCluster) addNode(ctx context.Context, opts *DockerClusterOptions) error {
-	tag, err := dc.setupImage(ctx, opts)
-	if err != nil {
-		return err
-	}
-	i := len(dc.ClusterNodes)
-	nodeID := fmt.Sprintf("core-%d", i)
-	node := &DockerClusterNode{
-		DockerAPI: dc.DockerAPI,
-		NodeID:    nodeID,
-		Cluster:   dc,
-		WorkDir:   filepath.Join(dc.tmpDir, nodeID),
-		Logger:    dc.Logger.Named(nodeID),
-		ImageRepo: opts.ImageRepo,
-		ImageTag:  tag,
-	}
-	dc.ClusterNodes = append(dc.ClusterNodes, node)
-	if err := os.MkdirAll(node.WorkDir, 0o755); err != nil {
-		return err
-	}
-	if err := node.Start(ctx, opts); err != nil {
-		return err
-	}
-	return nil
-}
-
-func (dc *DockerCluster) joinNode(ctx context.Context, nodeIdx int, leaderIdx int) error {
-	if dc.storage != nil && dc.storage.Type() != "raft" {
-		// Storage is not raft so nothing to do but unseal.
-		return testcluster.UnsealNode(ctx, dc, nodeIdx)
-	}
-
-	leader := dc.ClusterNodes[leaderIdx]
-
-	if nodeIdx >= len(dc.ClusterNodes) {
-		return fmt.Errorf("invalid node %d", nodeIdx)
-	}
-	node := dc.ClusterNodes[nodeIdx]
-	client := node.APIClient()
-
-	var resp *api.RaftJoinResponse
-	resp, err := client.Sys().RaftJoinWithContext(ctx, &api.RaftJoinRequest{
-		// When running locally on a bridge network, the containers must use their
-		// actual (private) IP to talk to one another.  Our code must instead use
-		// the portmapped address since we're not on their network in that case.
-		LeaderAPIAddr:    leader.RealAPIAddr,
-		LeaderCACert:     string(dc.CACertPEM),
-		LeaderClientCert: string(node.ServerCertPEM),
-		LeaderClientKey:  string(node.ServerKeyPEM),
 	})
-	if resp == nil || !resp.Joined {
-		return fmt.Errorf("nil or negative response from raft join request: %v", resp)
-	}
-	if err != nil {
-		return fmt.Errorf("failed to join cluster: %w", err)
-	}
-
-	return testcluster.UnsealNode(ctx, dc, nodeIdx)
-}
-
-func (dc *DockerCluster) setupImage(ctx context.Context, opts *DockerClusterOptions) (string, error) {
-	if opts == nil {
-		opts = &DockerClusterOptions{}
-	}
-	sourceTag := opts.ImageTag
-	if sourceTag == "" {
-		sourceTag = "latest"
-	}
-
-	if opts.VaultBinary == "" {
-		return sourceTag, nil
-	}
 
-	suffix := "testing"
-	if sha := os.Getenv("COMMIT_SHA"); sha != "" {
-		suffix = sha
-	}
-	tag := sourceTag + "-" + suffix
-	if _, ok := dc.builtTags[tag]; ok {
-		return tag, nil
-	}
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
 
-	f, err := os.Open(opts.VaultBinary)
-	if err != nil {
-		return "", err
-	}
-	data, err := io.ReadAll(f)
-	if err != nil {
-		return "", err
-	}
-	bCtx := dockhelper.NewBuildContext()
-	bCtx["vault"] = &dockhelper.FileContents{
-		Data: data,
-		Mode: 0o755,
-	}
-
-	containerFile := fmt.Sprintf(`
-FROM %s:%s
-COPY vault /bin/vault
-`, opts.ImageRepo, sourceTag)
-
-	_, err = dockhelper.BuildImage(ctx, dc.DockerAPI, containerFile, bCtx,
-		dockhelper.BuildRemove(true), dockhelper.BuildForceRemove(true),
-		dockhelper.BuildPullParent(true),
-		dockhelper.BuildTags([]string{opts.ImageRepo + ":" + tag}))
-	if err != nil {
-		return "", err
-	}
-	dc.builtTags[tag] = struct{}{}
-	return tag, nil
+		_, cmd := testOperatorStepDownCommand(t)
+		assertNoTabs(t, cmd)
+	})
 }
-
-/* Notes on testing the non-bridge network case:
-- you need the test itself to be running in a container so that it can use
-  the network; create the network using
-    docker network create testvault
-- this means that you need to mount the docker socket in that test container,
-  but on macos there's stuff that prevents that from working; to hack that,
-  on the host run
-    sudo ln -s "$HOME/Library/Containers/com.docker.docker/Data/docker.raw.sock" /var/run/docker.sock.raw
-- run the test container like
-    docker run --rm -it --network testvault \
-      -v /var/run/docker.sock.raw:/var/run/docker.sock \
-      -v $(pwd):/home/circleci/go/src/github.com/hashicorp/vault/ \
-      -w /home/circleci/go/src/github.com/hashicorp/vault/ \
-      "docker.mirror.hashicorp.services/cimg/go:1.19.2" /bin/bash
-- in the container you may need to chown/chmod /var/run/docker.sock; use `docker ps`
-  to test if it's working
-
-*/
diff --git a/sdk/helper/testcluster/util.go b/sdk/helper/testcluster/util.go
index 883cd69926bf..a667f209dcba 100644
--- a/sdk/helper/testcluster/util.go
+++ b/sdk/helper/testcluster/util.go
@@ -1,392 +1,165 @@
 // Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: MPL-2.0
+// SPDX-License-Identifier: BUSL-1.1
 
-package testcluster
+package command
 
 import (
-	"context"
-	"encoding/base64"
-	"encoding/hex"
 	"fmt"
-	"sync/atomic"
-	"time"
+	"io"
+	"os"
+	"strings"
 
-	"github.com/hashicorp/go-multierror"
-	"github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/go-secure-stdlib/password"
 	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/sdk/helper/xor"
+	"github.com/posener/complete"
 )
 
-// Note that OSS standbys will not accept seal requests.  And ent perf standbys
-// may fail it as well if they haven't yet been able to get "elected" as perf standbys.
-func SealNode(ctx context.Context, cluster VaultCluster, nodeIdx int) error {
-	if nodeIdx >= len(cluster.Nodes()) {
-		return fmt.Errorf("invalid nodeIdx %d for cluster", nodeIdx)
-	}
-	node := cluster.Nodes()[nodeIdx]
-	client := node.APIClient()
+var (
+	_ cli.Command             = (*OperatorUnsealCommand)(nil)
+	_ cli.CommandAutocomplete = (*OperatorUnsealCommand)(nil)
+)
 
-	err := client.Sys().SealWithContext(ctx)
-	if err != nil {
-		return err
-	}
+type OperatorUnsealCommand struct {
+	*BaseCommand
 
-	return NodeSealed(ctx, cluster, nodeIdx)
+	flagReset   bool
+	flagMigrate bool
+
+	testOutput io.Writer // for tests
 }
 
-func SealAllNodes(ctx context.Context, cluster VaultCluster) error {
-	for i := range cluster.Nodes() {
-		if err := SealNode(ctx, cluster, i); err != nil {
-			return err
-		}
-	}
-	return nil
+func (c *OperatorUnsealCommand) Synopsis() string {
+	return "Unseals the Vault server"
 }
 
-func UnsealNode(ctx context.Context, cluster VaultCluster, nodeIdx int) error {
-	if nodeIdx >= len(cluster.Nodes()) {
-		return fmt.Errorf("invalid nodeIdx %d for cluster", nodeIdx)
-	}
-	node := cluster.Nodes()[nodeIdx]
-	client := node.APIClient()
+func (c *OperatorUnsealCommand) Help() string {
+	helpText := `
+Usage: vault operator unseal [options] [KEY]
 
-	for _, key := range cluster.GetBarrierOrRecoveryKeys() {
-		_, err := client.Sys().UnsealWithContext(ctx, hex.EncodeToString(key))
-		if err != nil {
-			return err
-		}
-	}
+  Provide a portion of the root key to unseal a Vault server. Vault starts
+  in a sealed state. It cannot perform operations until it is unsealed. This
+  command accepts a portion of the root key (an "unseal key").
 
-	return NodeHealthy(ctx, cluster, nodeIdx)
-}
+  The unseal key can be supplied as an argument to the command, but this is
+  not recommended as the unseal key will be available in your history:
 
-func UnsealAllNodes(ctx context.Context, cluster VaultCluster) error {
-	for i := range cluster.Nodes() {
-		if err := UnsealNode(ctx, cluster, i); err != nil {
-			return err
-		}
-	}
-	return nil
-}
+      $ vault operator unseal IXyR0OJnSFobekZMMCKCoVEpT7wI6l+USMzE3IcyDyo=
 
-func NodeSealed(ctx context.Context, cluster VaultCluster, nodeIdx int) error {
-	if nodeIdx >= len(cluster.Nodes()) {
-		return fmt.Errorf("invalid nodeIdx %d for cluster", nodeIdx)
-	}
-	node := cluster.Nodes()[nodeIdx]
-	client := node.APIClient()
-
-	var health *api.HealthResponse
-	var err error
-	for ctx.Err() == nil {
-		health, err = client.Sys().HealthWithContext(ctx)
-		switch {
-		case err != nil:
-		case !health.Sealed:
-			err = fmt.Errorf("unsealed: %#v", health)
-		default:
-			return nil
-		}
-		time.Sleep(500 * time.Millisecond)
-	}
-	return fmt.Errorf("node %d is not sealed: %v", nodeIdx, err)
-}
+  Instead, run the command with no arguments and it will prompt for the key:
 
-func WaitForNCoresSealed(ctx context.Context, cluster VaultCluster, n int) error {
-	ctx, cancel := context.WithCancel(ctx)
-	defer cancel()
-
-	errs := make(chan error)
-	for i := range cluster.Nodes() {
-		go func(i int) {
-			var err error
-			for ctx.Err() == nil {
-				err = NodeSealed(ctx, cluster, i)
-				if err == nil {
-					errs <- nil
-					return
-				}
-				time.Sleep(100 * time.Millisecond)
-			}
-			if err == nil {
-				err = ctx.Err()
-			}
-			errs <- err
-		}(i)
-	}
+      $ vault operator unseal
+      Key (will be hidden): IXyR0OJnSFobekZMMCKCoVEpT7wI6l+USMzE3IcyDyo=
 
-	var merr *multierror.Error
-	var sealed int
-	for range cluster.Nodes() {
-		err := <-errs
-		if err != nil {
-			merr = multierror.Append(merr, err)
-		} else {
-			sealed++
-			if sealed == n {
-				return nil
-			}
-		}
-	}
+` + c.Flags().Help()
 
-	return fmt.Errorf("%d cores were not sealed, errs: %v", n, merr.ErrorOrNil())
+	return strings.TrimSpace(helpText)
 }
 
-func NodeHealthy(ctx context.Context, cluster VaultCluster, nodeIdx int) error {
-	if nodeIdx >= len(cluster.Nodes()) {
-		return fmt.Errorf("invalid nodeIdx %d for cluster", nodeIdx)
-	}
-	node := cluster.Nodes()[nodeIdx]
-	client := node.APIClient()
-
-	var health *api.HealthResponse
-	var err error
-	for ctx.Err() == nil {
-		health, err = client.Sys().HealthWithContext(ctx)
-		switch {
-		case err != nil:
-		case health == nil:
-			err = fmt.Errorf("nil response to health check")
-		case health.Sealed:
-			err = fmt.Errorf("sealed: %#v", health)
-		default:
-			return nil
-		}
-		time.Sleep(500 * time.Millisecond)
-	}
-	return fmt.Errorf("node %d is unhealthy: %v", nodeIdx, err)
+func (c *OperatorUnsealCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+
+	f := set.NewFlagSet("Command Options")
+
+	f.BoolVar(&BoolVar{
+		Name:       "reset",
+		Aliases:    []string{},
+		Target:     &c.flagReset,
+		Default:    false,
+		EnvVar:     "",
+		Completion: complete.PredictNothing,
+		Usage:      "Discard any previously entered keys to the unseal process.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:       "migrate",
+		Aliases:    []string{},
+		Target:     &c.flagMigrate,
+		Default:    false,
+		EnvVar:     "",
+		Completion: complete.PredictNothing,
+		Usage:      "Indicate that this share is provided with the intent that it is part of a seal migration process.",
+	})
+
+	return set
 }
 
-func LeaderNode(ctx context.Context, cluster VaultCluster) (int, error) {
-	// Be robust to multiple nodes thinking they are active. This is possible in
-	// certain network partition situations where the old leader has not
-	// discovered it's lost leadership yet. In tests this is only likely to come
-	// up when we are specifically provoking it, but it's possible it could happen
-	// at any point if leadership flaps of connectivity suffers transient errors
-	// etc. so be robust against it. The best solution would be to have some sort
-	// of epoch like the raft term that is guaranteed to be monotonically
-	// increasing through elections, however we don't have that abstraction for
-	// all HABackends in general. The best we have is the ActiveTime. In a
-	// distributed systems text book this would be bad to rely on due to clock
-	// sync issues etc. but for our tests it's likely fine because even if we are
-	// running separate Vault containers, they are all using the same hardware
-	// clock in the system.
-	leaderActiveTimes := make(map[int]time.Time)
-	for i, node := range cluster.Nodes() {
-		client := node.APIClient()
-		ctx, cancel := context.WithTimeout(ctx, 100*time.Millisecond)
-		resp, err := client.Sys().LeaderWithContext(ctx)
-		cancel()
-		if err != nil || resp == nil || !resp.IsSelf {
-			continue
-		}
-		leaderActiveTimes[i] = resp.ActiveTime
-	}
-	if len(leaderActiveTimes) == 0 {
-		return -1, fmt.Errorf("no leader found")
-	}
-	// At least one node thinks it is active. If multiple, pick the one with the
-	// most recent ActiveTime. Note if there is only one then this just returns
-	// it.
-	var newestLeaderIdx int
-	var newestActiveTime time.Time
-	for i, at := range leaderActiveTimes {
-		if at.After(newestActiveTime) {
-			newestActiveTime = at
-			newestLeaderIdx = i
-		}
-	}
-	return newestLeaderIdx, nil
+func (c *OperatorUnsealCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictAnything
 }
 
-func WaitForActiveNode(ctx context.Context, cluster VaultCluster) (int, error) {
-	for ctx.Err() == nil {
-		if idx, _ := LeaderNode(ctx, cluster); idx != -1 {
-			return idx, nil
-		}
-		time.Sleep(500 * time.Millisecond)
-	}
-	return -1, ctx.Err()
+func (c *OperatorUnsealCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
 }
 
-func WaitForActiveNodeAndPerfStandbys(ctx context.Context, cluster VaultCluster) error {
-	logger := cluster.NamedLogger("WaitForActiveNodeAndPerfStandbys")
-	// This WaitForActiveNode was added because after a Raft cluster is sealed
-	// and then unsealed, when it comes up it may have a different leader than
-	// Core0, making this helper fail.
-	// A sleep before calling WaitForActiveNodeAndPerfStandbys seems to sort
-	// things out, but so apparently does this.  We should be able to eliminate
-	// this call to WaitForActiveNode by reworking the logic in this method.
-	leaderIdx, err := WaitForActiveNode(ctx, cluster)
-	if err != nil {
-		return err
-	}
+func (c *OperatorUnsealCommand) Run(args []string) int {
+	f := c.Flags()
 
-	if len(cluster.Nodes()) == 1 {
-		return nil
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
 	}
 
-	expectedStandbys := len(cluster.Nodes()) - 1
-
-	mountPoint, err := uuid.GenerateUUID()
-	if err != nil {
-		return err
-	}
-	leaderClient := cluster.Nodes()[leaderIdx].APIClient()
-
-	for ctx.Err() == nil {
-		err = leaderClient.Sys().MountWithContext(ctx, mountPoint, &api.MountInput{
-			Type:  "kv",
-			Local: true,
-		})
-		if err == nil {
-			break
-		}
-		time.Sleep(1 * time.Second)
-	}
-	if err != nil {
-		return fmt.Errorf("unable to mount KV engine: %v", err)
-	}
-	path := mountPoint + "/waitforactivenodeandperfstandbys"
-	var standbys, actives int64
-	errchan := make(chan error, len(cluster.Nodes()))
-	for i := range cluster.Nodes() {
-		go func(coreNo int) {
-			node := cluster.Nodes()[coreNo]
-			client := node.APIClient()
-			val := 1
-			var err error
-			defer func() {
-				errchan <- err
-			}()
-
-			var lastWAL uint64
-			for ctx.Err() == nil {
-				_, err = leaderClient.Logical().WriteWithContext(ctx, path, map[string]interface{}{
-					"bar": val,
-				})
-				val++
-				time.Sleep(250 * time.Millisecond)
-				if err != nil {
-					continue
-				}
-				var leader *api.LeaderResponse
-				leader, err = client.Sys().LeaderWithContext(ctx)
-				if err != nil {
-					logger.Trace("waiting for core", "core", coreNo, "err", err)
-					continue
-				}
-				switch {
-				case leader.IsSelf:
-					logger.Trace("waiting for core", "core", coreNo, "isLeader", true)
-					atomic.AddInt64(&actives, 1)
-					return
-				case leader.PerfStandby && leader.PerfStandbyLastRemoteWAL > 0:
-					switch {
-					case lastWAL == 0:
-						lastWAL = leader.PerfStandbyLastRemoteWAL
-						logger.Trace("waiting for core", "core", coreNo, "lastRemoteWAL", leader.PerfStandbyLastRemoteWAL, "lastWAL", lastWAL)
-					case lastWAL < leader.PerfStandbyLastRemoteWAL:
-						logger.Trace("waiting for core", "core", coreNo, "lastRemoteWAL", leader.PerfStandbyLastRemoteWAL, "lastWAL", lastWAL)
-						atomic.AddInt64(&standbys, 1)
-						return
-					}
-				default:
-					logger.Trace("waiting for core", "core", coreNo,
-						"ha_enabled", leader.HAEnabled,
-						"is_self", leader.IsSelf,
-						"perf_standby", leader.PerfStandby,
-						"perf_standby_remote_wal", leader.PerfStandbyLastRemoteWAL)
-				}
-			}
-		}(i)
-	}
+	unsealKey := ""
 
-	errs := make([]error, 0, len(cluster.Nodes()))
-	for range cluster.Nodes() {
-		errs = append(errs, <-errchan)
-	}
-	if actives != 1 || int(standbys) != expectedStandbys {
-		return fmt.Errorf("expected 1 active core and %d standbys, got %d active and %d standbys, errs: %v",
-			expectedStandbys, actives, standbys, errs)
+	args = f.Args()
+	switch len(args) {
+	case 0:
+		// We will prompt for the unseal key later
+	case 1:
+		unsealKey = strings.TrimSpace(args[0])
+	default:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
 	}
 
-	for ctx.Err() == nil {
-		err = leaderClient.Sys().UnmountWithContext(ctx, mountPoint)
-		if err == nil {
-			break
-		}
-		time.Sleep(time.Second)
-	}
+	client, err := c.Client()
 	if err != nil {
-		return fmt.Errorf("unable to unmount KV engine on primary")
+		c.UI.Error(err.Error())
+		return 2
 	}
-	return nil
-}
 
-type GenerateRootKind int
-
-const (
-	GenerateRootRegular GenerateRootKind = iota
-	GenerateRootDR
-	GenerateRecovery
-)
-
-func GenerateRoot(cluster VaultCluster, kind GenerateRootKind) (string, error) {
-	// If recovery keys supported, use those to perform root token generation instead
-	keys := cluster.GetBarrierOrRecoveryKeys()
-
-	client := cluster.Nodes()[0].APIClient()
-
-	var err error
-	var status *api.GenerateRootStatusResponse
-	switch kind {
-	case GenerateRootRegular:
-		status, err = client.Sys().GenerateRootInit("", "")
-	case GenerateRootDR:
-		status, err = client.Sys().GenerateDROperationTokenInit("", "")
-	case GenerateRecovery:
-		status, err = client.Sys().GenerateRecoveryOperationTokenInit("", "")
-	}
-	if err != nil {
-		return "", err
-	}
-
-	if status.Required > len(keys) {
-		return "", fmt.Errorf("need more keys than have, need %d have %d", status.Required, len(keys))
+	if c.flagReset {
+		status, err := client.Sys().ResetUnsealProcess()
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error resetting unseal process: %s", err))
+			return 2
+		}
+		return OutputSealStatus(c.UI, client, status)
 	}
 
-	otp := status.OTP
-
-	for i, key := range keys {
-		if i >= status.Required {
-			break
+	if unsealKey == "" {
+		// Override the output
+		writer := (io.Writer)(os.Stdout)
+		if c.testOutput != nil {
+			writer = c.testOutput
 		}
 
-		strKey := base64.StdEncoding.EncodeToString(key)
-		switch kind {
-		case GenerateRootRegular:
-			status, err = client.Sys().GenerateRootUpdate(strKey, status.Nonce)
-		case GenerateRootDR:
-			status, err = client.Sys().GenerateDROperationTokenUpdate(strKey, status.Nonce)
-		case GenerateRecovery:
-			status, err = client.Sys().GenerateRecoveryOperationTokenUpdate(strKey, status.Nonce)
-		}
+		fmt.Fprintf(writer, "Unseal Key (will be hidden): ")
+		value, err := password.Read(os.Stdin)
+		fmt.Fprintf(writer, "\n")
 		if err != nil {
-			return "", err
+			c.UI.Error(wrapAtLength(fmt.Sprintf("An error occurred attempting to "+
+				"ask for an unseal key. The raw error message is shown below, but "+
+				"usually this is because you attempted to pipe a value into the "+
+				"unseal command or you are executing outside of a terminal (tty). "+
+				"You should run the unseal command from a terminal for maximum "+
+				"security. If this is not an option, the unseal key can be provided "+
+				"as the first argument to the unseal command. The raw error "+
+				"was:\n\n%s", err)))
+			return 1
 		}
-	}
-	if !status.Complete {
-		return "", fmt.Errorf("generate root operation did not end successfully")
+		unsealKey = strings.TrimSpace(value)
 	}
 
-	tokenBytes, err := base64.RawStdEncoding.DecodeString(status.EncodedToken)
+	status, err := client.Sys().UnsealWithOptions(&api.UnsealOpts{
+		Key:     unsealKey,
+		Migrate: c.flagMigrate,
+	})
 	if err != nil {
-		return "", err
+		c.UI.Error(fmt.Sprintf("Error unsealing: %s", err))
+		return 2
 	}
-	tokenBytes, err = xor.XORBytes(tokenBytes, []byte(otp))
-	if err != nil {
-		return "", err
-	}
-	return string(tokenBytes), nil
+
+	return OutputSealStatus(c.UI, client, status)
 }
diff --git a/sdk/logical/error.go b/sdk/logical/error.go
index 5605784b3e13..42f603e4882c 100644
--- a/sdk/logical/error.go
+++ b/sdk/logical/error.go
@@ -1,125 +1,189 @@
 // Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: MPL-2.0
+// SPDX-License-Identifier: BUSL-1.1
 
-package logical
+package command
 
-import "errors"
+import (
+	"bytes"
+	"encoding/json"
+	"io/ioutil"
+	"os"
+	"strings"
+	"testing"
 
-var (
-	// ErrUnsupportedOperation is returned if the operation is not supported
-	// by the logical backend.
-	ErrUnsupportedOperation = errors.New("unsupported operation")
-
-	// ErrUnsupportedPath is returned if the path is not supported
-	// by the logical backend.
-	ErrUnsupportedPath = errors.New("unsupported path")
-
-	// ErrInvalidRequest is returned if the request is invalid
-	ErrInvalidRequest = errors.New("invalid request")
-
-	// ErrPermissionDenied is returned if the client is not authorized
-	ErrPermissionDenied = errors.New("permission denied")
-
-	// ErrInvalidCredentials is returned when the provided credentials are incorrect
-	// This is used internally for user lockout purposes. This is not seen externally.
-	// The status code returned does not change because of this error
-	ErrInvalidCredentials = errors.New("invalid credentials")
-
-	// ErrMultiAuthzPending is returned if the the request needs more
-	// authorizations
-	ErrMultiAuthzPending = errors.New("request needs further approval")
-
-	// ErrUpstreamRateLimited is returned when Vault receives a rate limited
-	// response from an upstream
-	ErrUpstreamRateLimited = errors.New("upstream rate limited")
-
-	// ErrPerfStandbyForward is returned when Vault is in a state such that a
-	// perf standby cannot satisfy a request
-	ErrPerfStandbyPleaseForward = errors.New("please forward to the active node")
-
-	// ErrLeaseCountQuotaExceeded is returned when a request is rejected due to a lease
-	// count quota being exceeded.
-	ErrLeaseCountQuotaExceeded = errors.New("lease count quota exceeded")
-
-	// ErrRateLimitQuotaExceeded is returned when a request is rejected due to a
-	// rate limit quota being exceeded.
-	ErrRateLimitQuotaExceeded = errors.New("rate limit quota exceeded")
-
-	// ErrUnrecoverable is returned when a request fails due to something that
-	// is likely to require manual intervention. This is a generic form of an
-	// unrecoverable error.
-	// e.g.: misconfigured or disconnected storage backend.
-	ErrUnrecoverable = errors.New("unrecoverable error")
-
-	// ErrMissingRequiredState is returned when a request can't be satisfied
-	// with the data in the local node's storage, based on the provided
-	// X-Vault-Index request header.
-	ErrMissingRequiredState = errors.New("required index state not present")
-
-	// Error indicating that the requested path used to serve a purpose in older
-	// versions, but the functionality has now been removed
-	ErrPathFunctionalityRemoved = errors.New("functionality on this path has been removed")
+	"github.com/hashicorp/cli"
 )
 
-type HTTPCodedError interface {
-	Error() string
-	Code() int
-}
+func testOperatorUnsealCommand(tb testing.TB) (*cli.MockUi, *OperatorUnsealCommand) {
+	tb.Helper()
 
-func CodedError(status int, msg string) HTTPCodedError {
-	return &codedError{
-		Status:  status,
-		Message: msg,
+	ui := cli.NewMockUi()
+	return ui, &OperatorUnsealCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
 	}
 }
 
-var _ HTTPCodedError = (*codedError)(nil)
-
-type codedError struct {
-	Status  int
-	Message string
+func TestOperatorUnsealCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	t.Run("error_non_terminal", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		ui, cmd := testOperatorUnsealCommand(t)
+		cmd.client = client
+		cmd.testOutput = ioutil.Discard
+
+		code := cmd.Run(nil)
+		if exp := 1; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "is not a terminal"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("reset", func(t *testing.T) {
+		t.Parallel()
+
+		client, keys, closer := testVaultServerUnseal(t)
+		defer closer()
+
+		// Seal so we can unseal
+		if err := client.Sys().Seal(); err != nil {
+			t.Fatal(err)
+		}
+
+		// Enter an unseal key
+		if _, err := client.Sys().Unseal(keys[0]); err != nil {
+			t.Fatal(err)
+		}
+
+		ui, cmd := testOperatorUnsealCommand(t)
+		cmd.client = client
+		cmd.testOutput = ioutil.Discard
+
+		// Reset and check output
+		code := cmd.Run([]string{
+			"-reset",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+		expected := "0/3"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("full", func(t *testing.T) {
+		t.Parallel()
+
+		client, keys, closer := testVaultServerUnseal(t)
+		defer closer()
+
+		// Seal so we can unseal
+		if err := client.Sys().Seal(); err != nil {
+			t.Fatal(err)
+		}
+
+		for _, key := range keys {
+			ui, cmd := testOperatorUnsealCommand(t)
+			cmd.client = client
+			cmd.testOutput = ioutil.Discard
+
+			// Reset and check output
+			code := cmd.Run([]string{
+				key,
+			})
+			if exp := 0; code != exp {
+				t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
+			}
+		}
+
+		status, err := client.Sys().SealStatus()
+		if err != nil {
+			t.Fatal(err)
+		}
+		if status.Sealed {
+			t.Error("expected unsealed")
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testOperatorUnsealCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"abcd",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error unsealing: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testOperatorUnsealCommand(t)
+		assertNoTabs(t, cmd)
+	})
 }
 
-func (e *codedError) Error() string {
-	return e.Message
-}
+func TestOperatorUnsealCommand_Format(t *testing.T) {
+	defer func() {
+		os.Setenv(EnvVaultCLINoColor, "")
+	}()
 
-func (e *codedError) Code() int {
-	return e.Status
-}
-
-// Struct to identify user input errors.  This is helpful in responding the
-// appropriate status codes to clients from the HTTP endpoints.
-type StatusBadRequest struct {
-	Err string
-}
+	client, keys, closer := testVaultServerUnseal(t)
+	defer closer()
 
-// Implementing error interface
-func (s *StatusBadRequest) Error() string {
-	return s.Err
-}
-
-// This is a new type declared to not cause potential compatibility problems if
-// the logic around the CodedError changes; in particular for logical request
-// paths it is basically ignored, and changing that behavior might cause
-// unforeseen issues.
-type ReplicationCodedError struct {
-	Msg  string
-	Code int
-}
+	// Seal so we can unseal
+	if err := client.Sys().Seal(); err != nil {
+		t.Fatal(err)
+	}
 
-func (r *ReplicationCodedError) Error() string {
-	return r.Msg
-}
+	stdout := bytes.NewBuffer(nil)
+	stderr := bytes.NewBuffer(nil)
+	runOpts := &RunOptions{
+		Stdout: stdout,
+		Stderr: stderr,
+		Client: client,
+	}
 
-type KeyNotFoundError struct {
-	Err error
-}
+	args, format, _, _, _ := setupEnv([]string{"operator", "unseal", "-format", "json"})
+	if format != "json" {
+		t.Fatalf("expected %q, got %q", "json", format)
+	}
 
-func (e *KeyNotFoundError) WrappedErrors() []error {
-	return []error{e.Err}
-}
+	// Unseal with one key
+	code := RunCustom(append(args, []string{
+		keys[0],
+	}...), runOpts)
+	if exp := 0; code != exp {
+		t.Errorf("expected %d to be %d: %s", code, exp, stderr.String())
+	}
 
-func (e *KeyNotFoundError) Error() string {
-	return e.Err.Error()
+	if !json.Valid(stdout.Bytes()) {
+		t.Error("expected output to be valid JSON")
+	}
 }
diff --git a/sdk/logical/request.go b/sdk/logical/request.go
index 4b617dbc100e..8fa0f8f41518 100644
--- a/sdk/logical/request.go
+++ b/sdk/logical/request.go
@@ -1,540 +1,327 @@
 // Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: MPL-2.0
+// SPDX-License-Identifier: BUSL-1.1
 
-package logical
+package command
 
 import (
-	"context"
+	"encoding/json"
+	"errors"
 	"fmt"
-	"net/http"
+	"sort"
 	"strings"
 	"time"
 
-	"github.com/mitchellh/copystructure"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
+	"github.com/ryanuber/columnize"
 )
 
-// RequestWrapInfo is a struct that stores information about desired response
-// and seal wrapping behavior
-type RequestWrapInfo struct {
-	// Setting to non-zero specifies that the response should be wrapped.
-	// Specifies the desired TTL of the wrapping token.
-	TTL time.Duration `json:"ttl" structs:"ttl" mapstructure:"ttl" sentinel:""`
+var (
+	_ cli.Command             = (*OperatorUsageCommand)(nil)
+	_ cli.CommandAutocomplete = (*OperatorUsageCommand)(nil)
+)
 
-	// The format to use for the wrapped response; if not specified it's a bare
-	// token
-	Format string `json:"format" structs:"format" mapstructure:"format" sentinel:""`
+type OperatorUsageCommand struct {
+	*BaseCommand
+	flagStartTime time.Time
+	flagEndTime   time.Time
+}
 
-	// A flag to conforming backends that data for a given request should be
-	// seal wrapped
-	SealWrap bool `json:"seal_wrap" structs:"seal_wrap" mapstructure:"seal_wrap" sentinel:""`
+func (c *OperatorUsageCommand) Synopsis() string {
+	return "Lists historical client counts"
 }
 
-func (r *RequestWrapInfo) SentinelGet(key string) (interface{}, error) {
-	if r == nil {
-		return nil, nil
-	}
-	switch key {
-	case "ttl":
-		return r.TTL, nil
-	case "ttl_seconds":
-		return int64(r.TTL.Seconds()), nil
-	}
+func (c *OperatorUsageCommand) Help() string {
+	helpText := `
+Usage: vault operator usage
 
-	return nil, nil
-}
+  List the client counts for the default reporting period.
 
-func (r *RequestWrapInfo) SentinelKeys() []string {
-	return []string{
-		"ttl",
-		"ttl_seconds",
-	}
-}
+	  $ vault operator usage
 
-type ClientTokenSource uint32
+  List the client counts for a specific time period.
 
-const (
-	NoClientToken ClientTokenSource = iota
-	ClientTokenFromVaultHeader
-	ClientTokenFromAuthzHeader
-)
+          $ vault operator usage -start-time=2020-10 -end-time=2020-11
+
+` + c.Flags().Help()
 
-type WALState struct {
-	ClusterID       string
-	LocalIndex      uint64
-	ReplicatedIndex uint64
+	return strings.TrimSpace(helpText)
 }
 
-const indexStateCtxKey = "index_state"
+func (c *OperatorUsageCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+
+	f := set.NewFlagSet("Command Options")
 
-// IndexStateContext returns a context with an added value holding the index
-// state that should be populated on writes.
-func IndexStateContext(ctx context.Context, state *WALState) context.Context {
-	return context.WithValue(ctx, indexStateCtxKey, state)
+	f.TimeVar(&TimeVar{
+		Name:       "start-time",
+		Usage:      "Start of report period. Defaults to 'default_reporting_period' before end time.",
+		Target:     &c.flagStartTime,
+		Completion: complete.PredictNothing,
+		Default:    time.Time{},
+		Formats:    TimeVar_TimeOrDay | TimeVar_Month,
+	})
+	f.TimeVar(&TimeVar{
+		Name:       "end-time",
+		Usage:      "End of report period. Defaults to end of last month.",
+		Target:     &c.flagEndTime,
+		Completion: complete.PredictNothing,
+		Default:    time.Time{},
+		Formats:    TimeVar_TimeOrDay | TimeVar_Month,
+	})
+
+	return set
 }
 
-// IndexStateFromContext is a helper to look up if the provided context contains
-// an index state pointer.
-func IndexStateFromContext(ctx context.Context) *WALState {
-	s, ok := ctx.Value(indexStateCtxKey).(*WALState)
-	if !ok {
-		return nil
-	}
-	return s
+func (c *OperatorUsageCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictAnything
 }
 
-// Request is a struct that stores the parameters and context of a request
-// being made to Vault. It is used to abstract the details of the higher level
-// request protocol from the handlers.
-//
-// Note: Many of these have Sentinel disabled because they are values populated
-// by the router after policy checks; the token namespace would be the right
-// place to access them via Sentinel
-type Request struct {
-	// Id is the uuid associated with each request
-	ID string `json:"id" structs:"id" mapstructure:"id" sentinel:""`
-
-	// If set, the name given to the replication secondary where this request
-	// originated
-	ReplicationCluster string `json:"replication_cluster" structs:"replication_cluster" mapstructure:"replication_cluster" sentinel:""`
-
-	// Operation is the requested operation type
-	Operation Operation `json:"operation" structs:"operation" mapstructure:"operation"`
-
-	// Path is the full path of the request
-	Path string `json:"path" structs:"path" mapstructure:"path" sentinel:""`
-
-	// Request data is an opaque map that must have string keys.
-	Data map[string]interface{} `json:"map" structs:"data" mapstructure:"data"`
-
-	// Storage can be used to durably store and retrieve state.
-	Storage Storage `json:"-" sentinel:""`
-
-	// Secret will be non-nil only for Revoke and Renew operations
-	// to represent the secret that was returned prior.
-	Secret *Secret `json:"secret" structs:"secret" mapstructure:"secret" sentinel:""`
-
-	// Auth will be non-nil only for Renew operations
-	// to represent the auth that was returned prior.
-	Auth *Auth `json:"auth" structs:"auth" mapstructure:"auth" sentinel:""`
-
-	// Headers will contain the http headers from the request. This value will
-	// be used in the audit broker to ensure we are auditing only the allowed
-	// headers.
-	Headers map[string][]string `json:"headers" structs:"headers" mapstructure:"headers" sentinel:""`
-
-	// Connection will be non-nil only for credential providers to
-	// inspect the connection information and potentially use it for
-	// authentication/protection.
-	Connection *Connection `json:"connection" structs:"connection" mapstructure:"connection"`
-
-	// ClientToken is provided to the core so that the identity
-	// can be verified and ACLs applied. This value is passed
-	// through to the logical backends but after being salted and
-	// hashed.
-	ClientToken string `json:"client_token" structs:"client_token" mapstructure:"client_token" sentinel:""`
-
-	// ClientTokenAccessor is provided to the core so that the it can get
-	// logged as part of request audit logging.
-	ClientTokenAccessor string `json:"client_token_accessor" structs:"client_token_accessor" mapstructure:"client_token_accessor" sentinel:""`
-
-	// DisplayName is provided to the logical backend to help associate
-	// dynamic secrets with the source entity. This is not a sensitive
-	// name, but is useful for operators.
-	DisplayName string `json:"display_name" structs:"display_name" mapstructure:"display_name" sentinel:""`
-
-	// MountPoint is provided so that a logical backend can generate
-	// paths relative to itself. The `Path` is effectively the client
-	// request path with the MountPoint trimmed off.
-	MountPoint string `json:"mount_point" structs:"mount_point" mapstructure:"mount_point" sentinel:""`
-
-	// MountType is provided so that a logical backend can make decisions
-	// based on the specific mount type (e.g., if a mount type has different
-	// aliases, generating different defaults depending on the alias)
-	MountType string `json:"mount_type" structs:"mount_type" mapstructure:"mount_type" sentinel:""`
-
-	// MountAccessor is provided so that identities returned by the authentication
-	// backends can be tied to the mount it belongs to.
-	MountAccessor string `json:"mount_accessor" structs:"mount_accessor" mapstructure:"mount_accessor" sentinel:""`
-
-	// mountRunningVersion is used internally to propagate the semantic version
-	// of the mounted plugin as reported by its vault.MountEntry to audit logging
-	mountRunningVersion string
-
-	// mountRunningSha256 is used internally to propagate the encoded sha256
-	// of the mounted plugin as reported its vault.MountEntry to audit logging
-	mountRunningSha256 string
-
-	// mountIsExternalPlugin is used internally to propagate whether
-	// the backend of the mounted plugin is running externally (i.e., over GRPC)
-	// to audit logging
-	mountIsExternalPlugin bool
-
-	// mountClass is used internally to propagate the mount class of the mounted plugin to audit logging
-	mountClass string
-
-	// WrapInfo contains requested response wrapping parameters
-	WrapInfo *RequestWrapInfo `json:"wrap_info" structs:"wrap_info" mapstructure:"wrap_info" sentinel:""`
-
-	// ClientTokenRemainingUses represents the allowed number of uses left on the
-	// token supplied
-	ClientTokenRemainingUses int `json:"client_token_remaining_uses" structs:"client_token_remaining_uses" mapstructure:"client_token_remaining_uses"`
-
-	// EntityID is the identity of the caller extracted out of the token used
-	// to make this request
-	EntityID string `json:"entity_id" structs:"entity_id" mapstructure:"entity_id" sentinel:""`
-
-	// PolicyOverride indicates that the requestor wishes to override
-	// soft-mandatory Sentinel policies
-	PolicyOverride bool `json:"policy_override" structs:"policy_override" mapstructure:"policy_override"`
-
-	// Whether the request is unauthenticated, as in, had no client token
-	// attached. Useful in some situations where the client token is not made
-	// accessible.
-	Unauthenticated bool `json:"unauthenticated" structs:"unauthenticated" mapstructure:"unauthenticated"`
-
-	// MFACreds holds the parsed MFA information supplied over the API as part of
-	// X-Vault-MFA header
-	MFACreds MFACreds `json:"mfa_creds" structs:"mfa_creds" mapstructure:"mfa_creds" sentinel:""`
-
-	// Cached token entry. This avoids another lookup in request handling when
-	// we've already looked it up at http handling time. Note that this token
-	// has not been "used", as in it will not properly take into account use
-	// count limitations. As a result this field should only ever be used for
-	// transport to a function that would otherwise do a lookup and then
-	// properly use the token.
-	tokenEntry *TokenEntry
-
-	// For replication, contains the last WAL on the remote side after handling
-	// the request, used for best-effort avoidance of stale read-after-write
-	lastRemoteWAL uint64
-
-	// ControlGroup holds the authorizations that have happened on this
-	// request
-	ControlGroup *ControlGroup `json:"control_group" structs:"control_group" mapstructure:"control_group" sentinel:""`
-
-	// ClientTokenSource tells us where the client token was sourced from, so
-	// we can delete it before sending off to plugins
-	ClientTokenSource ClientTokenSource
-
-	// HTTPRequest, if set, can be used to access fields from the HTTP request
-	// that generated this logical.Request object, such as the request body.
-	HTTPRequest *http.Request `json:"-" sentinel:""`
-
-	// ResponseWriter if set can be used to stream a response value to the http
-	// request that generated this logical.Request object.
-	ResponseWriter *HTTPResponseWriter `json:"-" sentinel:""`
-
-	// requiredState is used internally to propagate the X-Vault-Index request
-	// header to later levels of request processing that operate only on
-	// logical.Request.
-	requiredState []string
-
-	// responseState is used internally to propagate the state that should appear
-	// in response headers; it's attached to the request rather than the response
-	// because not all requests yields non-nil responses.
-	responseState *WALState
-
-	// ClientID is the identity of the caller. If the token is associated with an
-	// entity, it will be the same as the EntityID . If the token has no entity,
-	// this will be the sha256(sorted policies + namespace) associated with the
-	// client token.
-	ClientID string `json:"client_id" structs:"client_id" mapstructure:"client_id" sentinel:""`
-
-	// InboundSSCToken is the token that arrives on an inbound request, supplied
-	// by the vault user.
-	InboundSSCToken string
-
-	// When a request has been forwarded, contains information of the host the request was forwarded 'from'
-	ForwardedFrom string `json:"forwarded_from,omitempty"`
+func (c *OperatorUsageCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
 }
 
-// Clone returns a deep copy of the request by using copystructure
-func (r *Request) Clone() (*Request, error) {
-	cpy, err := copystructure.Copy(r)
-	if err != nil {
-		return nil, err
+func (c *OperatorUsageCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
 	}
-	return cpy.(*Request), nil
-}
 
-// Get returns a data field and guards for nil Data
-func (r *Request) Get(key string) interface{} {
-	if r.Data == nil {
-		return nil
+	data := make(map[string][]string)
+	if !c.flagStartTime.IsZero() {
+		data["start_time"] = []string{c.flagStartTime.Format(time.RFC3339)}
+	}
+	if !c.flagEndTime.IsZero() {
+		data["end_time"] = []string{c.flagEndTime.Format(time.RFC3339)}
 	}
-	return r.Data[key]
-}
 
-// GetString returns a data field as a string
-func (r *Request) GetString(key string) string {
-	raw := r.Get(key)
-	s, _ := raw.(string)
-	return s
-}
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
 
-func (r *Request) GoString() string {
-	return fmt.Sprintf("*%#v", *r)
-}
+	resp, err := client.Logical().ReadWithData("sys/internal/counters/activity", data)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error retrieving client counts: %v", err))
+		return 2
+	}
 
-func (r *Request) SentinelGet(key string) (interface{}, error) {
-	switch key {
-	case "path":
-		// Sanitize it here so that it's consistent in policies
-		return strings.TrimPrefix(r.Path, "/"), nil
-
-	case "wrapping", "wrap_info":
-		// If the pointer is nil accessing the wrap info is considered
-		// "undefined" so this allows us to instead discover a TTL of zero
-		if r.WrapInfo == nil {
-			return &RequestWrapInfo{}, nil
+	if resp == nil || resp.Data == nil {
+		if c.noReportAvailable(client) {
+			c.UI.Warn("Vault does not have any usage data available. A report will be available\n" +
+				"after the first calendar month in which monitoring is enabled.")
+		} else {
+			c.UI.Warn("No data is available for the given time range.")
 		}
-		return r.WrapInfo, nil
+		// No further output
+		return 0
 	}
 
-	return nil, nil
-}
-
-func (r *Request) SentinelKeys() []string {
-	return []string{
-		"path",
-		"wrapping",
-		"wrap_info",
+	switch Format(c.UI) {
+	case "table":
+	default:
+		// Handle JSON, YAML, etc.
+		return OutputData(c.UI, resp)
 	}
-}
 
-func (r *Request) MountRunningVersion() string {
-	return r.mountRunningVersion
-}
+	// Show this before the headers
+	c.outputTimestamps(resp.Data)
 
-func (r *Request) SetMountRunningVersion(mountRunningVersion string) {
-	r.mountRunningVersion = mountRunningVersion
-}
+	out := []string{
+		"Namespace path | Distinct entities | Non-Entity tokens | Active clients",
+	}
 
-func (r *Request) MountRunningSha256() string {
-	return r.mountRunningSha256
-}
+	out = append(out, c.namespacesOutput(resp.Data)...)
+	out = append(out, c.totalOutput(resp.Data)...)
 
-func (r *Request) SetMountRunningSha256(mountRunningSha256 string) {
-	r.mountRunningSha256 = mountRunningSha256
+	colConfig := columnize.DefaultConfig()
+	colConfig.Empty = " " // Do not show n/a on intentional blank lines
+	colConfig.Glue = "   "
+	c.UI.Output(tableOutput(out, colConfig))
+	return 0
 }
 
-func (r *Request) MountIsExternalPlugin() bool {
-	return r.mountIsExternalPlugin
-}
+// noReportAvailable checks whether we can definitively say that no
+// queries can be answered; if there's an error, just fall back to
+// reporting that the response is empty.
+func (c *OperatorUsageCommand) noReportAvailable(client *api.Client) bool {
+	if c.flagOutputCurlString || c.flagOutputPolicy {
+		// Don't mess up the original query string
+		return false
+	}
 
-func (r *Request) SetMountIsExternalPlugin(mountIsExternalPlugin bool) {
-	r.mountIsExternalPlugin = mountIsExternalPlugin
-}
+	resp, err := client.Logical().Read("sys/internal/counters/config")
+	if err != nil || resp == nil || resp.Data == nil {
+		c.UI.Warn("bad response from config")
+		return false
+	}
 
-func (r *Request) MountClass() string {
-	return r.mountClass
-}
+	qaRaw, ok := resp.Data["queries_available"]
+	if !ok {
+		c.UI.Warn("no queries_available key")
+		return false
+	}
 
-func (r *Request) SetMountClass(mountClass string) {
-	r.mountClass = mountClass
-}
+	qa, ok := qaRaw.(bool)
+	if !ok {
+		c.UI.Warn("wrong type")
+		return false
+	}
 
-func (r *Request) LastRemoteWAL() uint64 {
-	return r.lastRemoteWAL
+	return !qa
 }
 
-func (r *Request) SetLastRemoteWAL(last uint64) {
-	r.lastRemoteWAL = last
+func (c *OperatorUsageCommand) outputTimestamps(data map[string]interface{}) {
+	c.UI.Output(fmt.Sprintf("Period start: %v\nPeriod end: %v\n",
+		data["start_time"].(string),
+		data["end_time"].(string)))
 }
 
-func (r *Request) RequiredState() []string {
-	return r.requiredState
-}
+type UsageCommandNamespace struct {
+	formattedLine string
+	sortOrder     string
 
-func (r *Request) SetRequiredState(state []string) {
-	r.requiredState = state
+	// Sort order:
+	// -- root first
+	// -- namespaces in lexicographic order
+	// -- deleted namespace "xxxxx" last
 }
 
-func (r *Request) ResponseState() *WALState {
-	return r.responseState
-}
+type UsageResponse struct {
+	namespacePath string
+	entityCount   int64
+	// As per 1.9, the tokenCount field will contain the distinct non-entity
+	// token clients instead of each individual token.
+	tokenCount int64
 
-func (r *Request) SetResponseState(w *WALState) {
-	r.responseState = w
+	clientCount int64
 }
 
-func (r *Request) TokenEntry() *TokenEntry {
-	return r.tokenEntry
+func jsonNumberOK(m map[string]interface{}, key string) (int64, bool) {
+	val, ok := m[key].(json.Number)
+	if !ok {
+		return 0, false
+	}
+	intVal, err := val.Int64()
+	if err != nil {
+		return 0, false
+	}
+	return intVal, true
 }
 
-func (r *Request) SetTokenEntry(te *TokenEntry) {
-	r.tokenEntry = te
-}
+// TODO: provide a function in the API module for doing this conversion?
+func (c *OperatorUsageCommand) parseNamespaceCount(rawVal interface{}) (UsageResponse, error) {
+	var ret UsageResponse
 
-// RenewRequest creates the structure of the renew request.
-func RenewRequest(path string, secret *Secret, data map[string]interface{}) *Request {
-	return &Request{
-		Operation: RenewOperation,
-		Path:      path,
-		Data:      data,
-		Secret:    secret,
+	val, ok := rawVal.(map[string]interface{})
+	if !ok {
+		return ret, errors.New("value is not a map")
 	}
-}
 
-// RenewAuthRequest creates the structure of the renew request for an auth.
-func RenewAuthRequest(path string, auth *Auth, data map[string]interface{}) *Request {
-	return &Request{
-		Operation: RenewOperation,
-		Path:      path,
-		Data:      data,
-		Auth:      auth,
+	ret.namespacePath, ok = val["namespace_path"].(string)
+	if !ok {
+		return ret, errors.New("bad namespace path")
 	}
-}
 
-// RevokeRequest creates the structure of the revoke request.
-func RevokeRequest(path string, secret *Secret, data map[string]interface{}) *Request {
-	return &Request{
-		Operation: RevokeOperation,
-		Path:      path,
-		Data:      data,
-		Secret:    secret,
+	counts, ok := val["counts"].(map[string]interface{})
+	if !ok {
+		return ret, errors.New("missing counts")
 	}
-}
 
-// RollbackRequest creates the structure of the revoke request.
-func RollbackRequest(path string) *Request {
-	return &Request{
-		Operation: RollbackOperation,
-		Path:      path,
-		Data:      make(map[string]interface{}),
+	ret.entityCount, ok = jsonNumberOK(counts, "distinct_entities")
+	if !ok {
+		return ret, errors.New("missing distinct_entities")
 	}
-}
-
-// Operation is an enum that is used to specify the type
-// of request being made
-type Operation string
-
-const (
-	// The operations below are called per path
-	CreateOperation         Operation = "create"
-	ReadOperation                     = "read"
-	UpdateOperation                   = "update"
-	PatchOperation                    = "patch"
-	DeleteOperation                   = "delete"
-	ListOperation                     = "list"
-	HelpOperation                     = "help"
-	AliasLookaheadOperation           = "alias-lookahead"
-	ResolveRoleOperation              = "resolve-role"
-	HeaderOperation                   = "header"
-
-	// The operations below are called globally, the path is less relevant.
-	RevokeOperation   Operation = "revoke"
-	RenewOperation              = "renew"
-	RollbackOperation           = "rollback"
-)
-
-type MFACreds map[string][]string
 
-// InitializationRequest stores the parameters and context of an Initialize()
-// call being made to a logical.Backend.
-type InitializationRequest struct {
-	// Storage can be used to durably store and retrieve state.
-	Storage Storage
-}
-
-type CustomHeader struct {
-	Name  string
-	Value string
-}
-
-type CtxKeyInFlightRequestID struct{}
-
-func (c CtxKeyInFlightRequestID) String() string {
-	return "in-flight-request-ID"
-}
-
-type CtxKeyRequestRole struct{}
-
-func (c CtxKeyRequestRole) String() string {
-	return "request-role"
-}
+	ret.tokenCount, ok = jsonNumberOK(counts, "non_entity_tokens")
+	if !ok {
+		return ret, errors.New("missing non_entity_tokens")
+	}
 
-// CtxKeyDisableReplicationStatusEndpoints is a custom type used as a key in
-// context.Context to store the value `true` when the
-// disable_replication_status_endpoints configuration parameter is set to true
-// for the listener through which a request was received.
-type ctxKeyDisableReplicationStatusEndpoints struct{}
+	ret.clientCount, ok = jsonNumberOK(counts, "clients")
+	if !ok {
+		return ret, errors.New("missing clients")
+	}
 
-// String returns a string representation of the receiver type.
-func (c ctxKeyDisableReplicationStatusEndpoints) String() string {
-	return "disable-replication-status-endpoints"
+	return ret, nil
 }
 
-// ContextDisableReplicationStatusEndpointsValue examines the provided
-// context.Context for the disable replication status endpoints value and
-// returns it as a bool value if it's found along with the ok return value set
-// to true; otherwise the ok return value is false.
-func ContextDisableReplicationStatusEndpointsValue(ctx context.Context) (value, ok bool) {
-	value, ok = ctx.Value(ctxKeyDisableReplicationStatusEndpoints{}).(bool)
-
-	return
-}
+func (c *OperatorUsageCommand) namespacesOutput(data map[string]interface{}) []string {
+	byNs, ok := data["by_namespace"].([]interface{})
+	if !ok {
+		c.UI.Error("missing namespace breakdown in response")
+		return nil
+	}
 
-// CreateContextDisableReplicationStatusEndpoints creates a new context.Context
-// based on the provided parent that also includes the provided value for the
-// ctxKeyDisableReplicationStatusEndpoints key.
-func CreateContextDisableReplicationStatusEndpoints(parent context.Context, value bool) context.Context {
-	return context.WithValue(parent, ctxKeyDisableReplicationStatusEndpoints{}, value)
-}
+	nsOut := make([]UsageCommandNamespace, 0, len(byNs))
 
-// CtxKeyMaxRequestSize is a custom type used as a key in context.Context to
-// store the value of the max_request_size set for the listener through which
-// a request was received.
-type ctxKeyMaxRequestSize struct{}
+	for _, rawVal := range byNs {
+		val, err := c.parseNamespaceCount(rawVal)
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("malformed namespace in response: %v", err))
+			continue
+		}
 
-// String returns a string representation of the receiver type.
-func (c ctxKeyMaxRequestSize) String() string {
-	return "max_request_size"
-}
+		sortOrder := "1" + val.namespacePath
+		if val.namespacePath == "" {
+			val.namespacePath = "[root]"
+			sortOrder = "0"
+		} else if strings.HasPrefix(val.namespacePath, "deleted namespace") {
+			sortOrder = "2" + val.namespacePath
+		}
 
-// ContextMaxRequestSizeValue examines the provided context.Context for the max
-// request size value and returns it as an int64 value if it's found along with
-// the ok value set to true; otherwise the ok return value is false.
-func ContextMaxRequestSizeValue(ctx context.Context) (value int64, ok bool) {
-	value, ok = ctx.Value(ctxKeyMaxRequestSize{}).(int64)
+		formattedLine := fmt.Sprintf("%s | %d | %d | %d",
+			val.namespacePath, val.entityCount, val.tokenCount, val.clientCount)
+		nsOut = append(nsOut, UsageCommandNamespace{
+			formattedLine: formattedLine,
+			sortOrder:     sortOrder,
+		})
+	}
 
-	return
-}
+	sort.Slice(nsOut, func(i, j int) bool {
+		return nsOut[i].sortOrder < nsOut[j].sortOrder
+	})
 
-// CreateContextMaxRequestSize creates a new context.Context based on the
-// provided parent that also includes the provided max request size value for
-// the ctxKeyMaxRequestSize key.
-func CreateContextMaxRequestSize(parent context.Context, value int64) context.Context {
-	return context.WithValue(parent, ctxKeyMaxRequestSize{}, value)
-}
+	out := make([]string, len(nsOut))
+	for i := range nsOut {
+		out[i] = nsOut[i].formattedLine
+	}
 
-// ContextContainsMaxRequestSize returns a bool value that indicates if the
-// provided Context contains a value for the ctxKeyMaxRequestSize key.
-func ContextContainsMaxRequestSize(ctx context.Context) bool {
-	return ctx.Value(ctxKeyMaxRequestSize{}) != nil
+	return out
 }
 
-// CtxKeyOriginalRequestPath is a custom type used as a key in context.Context
-// to store the original request path.
-type ctxKeyOriginalRequestPath struct{}
+func (c *OperatorUsageCommand) totalOutput(data map[string]interface{}) []string {
+	// blank line separating it from namespaces
+	out := []string{"  |  |  |  "}
 
-// String returns a string representation of the receiver type.
-func (c ctxKeyOriginalRequestPath) String() string {
-	return "original_request_path"
-}
+	total, ok := data["total"].(map[string]interface{})
+	if !ok {
+		c.UI.Error("missing total in response")
+		return out
+	}
 
-// ContextOriginalRequestPathValue examines the provided context.Context for the
-// original request path value and returns it as a string value if it's found
-// along with the ok value set to true; otherwise the ok return value is false.
-func ContextOriginalRequestPathValue(ctx context.Context) (value string, ok bool) {
-	value, ok = ctx.Value(ctxKeyOriginalRequestPath{}).(string)
+	entityCount, ok := jsonNumberOK(total, "distinct_entities")
+	if !ok {
+		c.UI.Error("missing distinct_entities in total")
+		return out
+	}
 
-	return
-}
+	tokenCount, ok := jsonNumberOK(total, "non_entity_tokens")
+	if !ok {
+		c.UI.Error("missing non_entity_tokens in total")
+		return out
+	}
+	clientCount, ok := jsonNumberOK(total, "clients")
+	if !ok {
+		c.UI.Error("missing clients in total")
+		return out
+	}
 
-// CreateContextOriginalRequestPath creates a new context.Context based on the
-// provided parent that also includes the provided original request path value
-// for the ctxKeyOriginalRequestPath key.
-func CreateContextOriginalRequestPath(parent context.Context, value string) context.Context {
-	return context.WithValue(parent, ctxKeyOriginalRequestPath{}, value)
+	out = append(out, fmt.Sprintf("Total | %d | %d | %d",
+		entityCount, tokenCount, clientCount))
+	return out
 }
diff --git a/sdk/logical/request_test.go b/sdk/logical/request_test.go
index 1b07cc1b50a5..50e9fa687308 100644
--- a/sdk/logical/request_test.go
+++ b/sdk/logical/request_test.go
@@ -1,209 +1,260 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package logical
-
-import (
-	"context"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestContextDisableReplicationStatusEndpointsValue(t *testing.T) {
-	testcases := []struct {
-		name          string
-		ctx           context.Context
-		expectedValue bool
-		expectedOk    bool
-	}{
-		{
-			name:          "without-value",
-			ctx:           context.Background(),
-			expectedValue: false,
-			expectedOk:    false,
-		},
-		{
-			name:          "with-nil",
-			ctx:           context.WithValue(context.Background(), ctxKeyDisableReplicationStatusEndpoints{}, nil),
-			expectedValue: false,
-			expectedOk:    false,
-		},
-		{
-			name:          "with-incompatible-value",
-			ctx:           context.WithValue(context.Background(), ctxKeyDisableReplicationStatusEndpoints{}, "true"),
-			expectedValue: false,
-			expectedOk:    false,
-		},
-		{
-			name:          "with-bool-true",
-			ctx:           context.WithValue(context.Background(), ctxKeyDisableReplicationStatusEndpoints{}, true),
-			expectedValue: true,
-			expectedOk:    true,
-		},
-		{
-			name:          "with-bool-false",
-			ctx:           context.WithValue(context.Background(), ctxKeyDisableReplicationStatusEndpoints{}, false),
-			expectedValue: false,
-			expectedOk:    true,
-		},
-	}
-
-	for _, testcase := range testcases {
-		value, ok := ContextDisableReplicationStatusEndpointsValue(testcase.ctx)
-		assert.Equal(t, testcase.expectedValue, value, testcase.name)
-		assert.Equal(t, testcase.expectedOk, ok, testcase.name)
-	}
-}
-
-func TestCreateContextDisableReplicationStatusEndpoints(t *testing.T) {
-	ctx := CreateContextDisableReplicationStatusEndpoints(context.Background(), true)
-
-	value := ctx.Value(ctxKeyDisableReplicationStatusEndpoints{})
-
-	assert.NotNil(t, ctx)
-	assert.NotNil(t, value)
-	assert.IsType(t, bool(false), value)
-	assert.Equal(t, true, value.(bool))
-
-	ctx = CreateContextDisableReplicationStatusEndpoints(context.Background(), false)
-
-	value = ctx.Value(ctxKeyDisableReplicationStatusEndpoints{})
-
-	assert.NotNil(t, ctx)
-	assert.NotNil(t, value)
-	assert.IsType(t, bool(false), value)
-	assert.Equal(t, false, value.(bool))
-}
-
-func TestContextMaxRequestSizeValue(t *testing.T) {
-	testcases := []struct {
-		name          string
-		ctx           context.Context
-		expectedValue int64
-		expectedOk    bool
-	}{
-		{
-			name:          "without-value",
-			ctx:           context.Background(),
-			expectedValue: 0,
-			expectedOk:    false,
-		},
-		{
-			name:          "with-nil",
-			ctx:           context.WithValue(context.Background(), ctxKeyMaxRequestSize{}, nil),
-			expectedValue: 0,
-			expectedOk:    false,
-		},
-		{
-			name:          "with-incompatible-value",
-			ctx:           context.WithValue(context.Background(), ctxKeyMaxRequestSize{}, "6666"),
-			expectedValue: 0,
-			expectedOk:    false,
-		},
-		{
-			name:          "with-int64-8888",
-			ctx:           context.WithValue(context.Background(), ctxKeyMaxRequestSize{}, int64(8888)),
-			expectedValue: 8888,
-			expectedOk:    true,
-		},
-		{
-			name:          "with-int64-zero",
-			ctx:           context.WithValue(context.Background(), ctxKeyMaxRequestSize{}, int64(0)),
-			expectedValue: 0,
-			expectedOk:    true,
-		},
-	}
-
-	for _, testcase := range testcases {
-		value, ok := ContextMaxRequestSizeValue(testcase.ctx)
-		assert.Equal(t, testcase.expectedValue, value, testcase.name)
-		assert.Equal(t, testcase.expectedOk, ok, testcase.name)
-	}
-}
-
-func TestCreateContextMaxRequestSize(t *testing.T) {
-	ctx := CreateContextMaxRequestSize(context.Background(), int64(8888))
-
-	value := ctx.Value(ctxKeyMaxRequestSize{})
-
-	assert.NotNil(t, ctx)
-	assert.NotNil(t, value)
-	assert.IsType(t, int64(0), value)
-	assert.Equal(t, int64(8888), value.(int64))
-
-	ctx = CreateContextMaxRequestSize(context.Background(), int64(0))
-
-	value = ctx.Value(ctxKeyMaxRequestSize{})
-
-	assert.NotNil(t, ctx)
-	assert.NotNil(t, value)
-	assert.IsType(t, int64(0), value)
-	assert.Equal(t, int64(0), value.(int64))
-}
-
-func TestContextOriginalRequestPathValue(t *testing.T) {
-	testcases := []struct {
-		name          string
-		ctx           context.Context
-		expectedValue string
-		expectedOk    bool
-	}{
-		{
-			name:          "without-value",
-			ctx:           context.Background(),
-			expectedValue: "",
-			expectedOk:    false,
-		},
-		{
-			name:          "with-nil",
-			ctx:           context.WithValue(context.Background(), ctxKeyOriginalRequestPath{}, nil),
-			expectedValue: "",
-			expectedOk:    false,
-		},
-		{
-			name:          "with-incompatible-value",
-			ctx:           context.WithValue(context.Background(), ctxKeyOriginalRequestPath{}, 6666),
-			expectedValue: "",
-			expectedOk:    false,
-		},
-		{
-			name:          "with-string-value",
-			ctx:           context.WithValue(context.Background(), ctxKeyOriginalRequestPath{}, "test"),
-			expectedValue: "test",
-			expectedOk:    true,
-		},
-		{
-			name:          "with-empty-string",
-			ctx:           context.WithValue(context.Background(), ctxKeyOriginalRequestPath{}, ""),
-			expectedValue: "",
-			expectedOk:    true,
-		},
-	}
-
-	for _, testcase := range testcases {
-		value, ok := ContextOriginalRequestPathValue(testcase.ctx)
-		assert.Equal(t, testcase.expectedValue, value, testcase.name)
-		assert.Equal(t, testcase.expectedOk, ok, testcase.name)
-	}
-}
-
-func TestCreateContextOriginalRequestPath(t *testing.T) {
-	ctx := CreateContextOriginalRequestPath(context.Background(), "test")
-
-	value := ctx.Value(ctxKeyOriginalRequestPath{})
-
-	assert.NotNil(t, ctx)
-	assert.NotNil(t, value)
-	assert.IsType(t, string(""), value)
-	assert.Equal(t, "test", value.(string))
-
-	ctx = CreateContextOriginalRequestPath(context.Background(), "")
-
-	value = ctx.Value(ctxKeyOriginalRequestPath{})
-
-	assert.NotNil(t, ctx)
-	assert.NotNil(t, value)
-	assert.IsType(t, string(""), value)
-	assert.Equal(t, "", value.(string))
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
+import { render } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { SELECTORS } from 'vault/tests/helpers/components/dashboard/dashboard-selectors';
+
+module('Integration | Component | dashboard/overview', function (hooks) {
+  setupRenderingTest(hooks);
+  setupMirage(hooks);
+
+  hooks.beforeEach(function () {
+    this.store = this.owner.lookup('service:store');
+
+    this.replication = {
+      dr: {
+        clusterId: '123',
+        state: 'running',
+      },
+      performance: {
+        clusterId: 'abc-1',
+        state: 'running',
+        isPrimary: true,
+      },
+    };
+    this.store.pushPayload('secret-engine', {
+      modelName: 'secret-engine',
+      data: {
+        accessor: 'kv_f3400dee',
+        path: 'kv-test/',
+        type: 'kv',
+      },
+    });
+    this.store.pushPayload('secret-engine', {
+      modelName: 'secret-engine',
+      data: {
+        accessor: 'kv_f3300dee',
+        path: 'kv-1/',
+        type: 'kv',
+      },
+    });
+    this.secretsEngines = this.store.peekAll('secret-engine', {});
+    this.vaultConfiguration = {
+      api_addr: 'http://127.0.0.1:8200',
+      default_lease_ttl: 0,
+      max_lease_ttl: 0,
+      listeners: [
+        {
+          config: {
+            address: '127.0.0.1:8200',
+            tls_disable: 1,
+          },
+          type: 'tcp',
+        },
+      ],
+    };
+    this.refreshModel = () => {};
+  });
+
+  test('it should show dashboard empty states', async function (assert) {
+    this.version = this.owner.lookup('service:version');
+    this.version.version = '1.13.1';
+    this.isRootNamespace = true;
+    await render(
+      hbs`
+        <Dashboard::Overview
+          @version={{this.version}}
+          @isRootNamespace={{this.isRootNamespace}}
+          @refreshModel={{this.refreshModel}} />
+      `
+    );
+    assert.dom(SELECTORS.cardHeader('Vault version')).exists();
+    assert.dom(SELECTORS.cardName('secrets-engines')).exists();
+    assert.dom(SELECTORS.emptyState('secrets-engines')).exists();
+    assert.dom(SELECTORS.cardName('learn-more')).exists();
+    assert.dom(SELECTORS.cardName('quick-actions')).exists();
+    assert.dom(SELECTORS.emptyState('quick-actions')).exists();
+    assert.dom(SELECTORS.cardName('configuration-details')).doesNotExist();
+    assert.dom(SELECTORS.cardName('replication')).doesNotExist();
+    assert.dom(SELECTORS.cardName('client-count')).doesNotExist();
+  });
+
+  test('it should hide client count and replication card on community', async function (assert) {
+    this.version = this.owner.lookup('service:version');
+    this.version.version = '1.13.1';
+    this.isRootNamespace = true;
+
+    await render(
+      hbs`
+        <Dashboard::Overview
+          @secretsEngines={{this.secretsEngines}}
+          @vaultConfiguration={{this.vaultConfiguration}}
+          @replication={{this.replication}}
+          @version={{this.version}}
+          @isRootNamespace={{this.isRootNamespace}}
+          @refreshModel={{this.refreshModel}} />
+      `
+    );
+
+    assert.dom(SELECTORS.cardHeader('Vault version')).exists();
+    assert.dom(SELECTORS.cardName('secrets-engines')).exists();
+    assert.dom(SELECTORS.cardName('learn-more')).exists();
+    assert.dom(SELECTORS.cardName('quick-actions')).exists();
+    assert.dom(SELECTORS.cardName('configuration-details')).exists();
+    assert.dom(SELECTORS.cardName('replication')).doesNotExist();
+    assert.dom(SELECTORS.cardName('client-count')).doesNotExist();
+  });
+
+  test('it should show client count on enterprise w/ license', async function (assert) {
+    this.version = this.owner.lookup('service:version');
+    this.version.version = '1.13.1+ent';
+    this.version.type = 'enterprise';
+    this.license = {
+      autoloaded: {
+        license_id: '7adbf1f4-56ef-35cd-3a6c-50ef2627865d',
+      },
+    };
+
+    await render(
+      hbs`
+      <Dashboard::Overview
+      @secretsEngines={{this.secretsEngines}}
+      @vaultConfiguration={{this.vaultConfiguration}}
+      @replication={{this.replication}}
+      @version={{this.version}}
+      @isRootNamespace={{true}}
+      @license={{this.license}}
+      @refreshModel={{this.refreshModel}} />`
+    );
+    assert.dom(SELECTORS.cardHeader('Vault version')).exists();
+    assert.dom(SELECTORS.cardName('secrets-engines')).exists();
+    assert.dom(SELECTORS.cardName('learn-more')).exists();
+    assert.dom(SELECTORS.cardName('quick-actions')).exists();
+    assert.dom(SELECTORS.cardName('configuration-details')).exists();
+    assert.dom(SELECTORS.cardName('client-count')).exists();
+  });
+
+  test('it should hide client count on enterprise w/o license ', async function (assert) {
+    this.version = this.owner.lookup('service:version');
+    this.version.version = '1.13.1+ent';
+    this.version.type = 'enterprise';
+    this.isRootNamespace = true;
+
+    await render(
+      hbs`
+      <Dashboard::Overview
+        @secretsEngines={{this.secretsEngines}}
+        @vaultConfiguration={{this.vaultConfiguration}}
+        @replication={{this.replication}}
+        @version={{this.version}}
+        @isRootNamespace={{this.isRootNamespace}}
+        @refreshModel={{this.refreshModel}}
+      />`
+    );
+
+    assert.dom(SELECTORS.cardHeader('Vault version')).exists();
+    assert.dom('[data-test-badge-namespace]').exists();
+    assert.dom(SELECTORS.cardName('secrets-engines')).exists();
+    assert.dom(SELECTORS.cardName('learn-more')).exists();
+    assert.dom(SELECTORS.cardName('quick-actions')).exists();
+    assert.dom(SELECTORS.cardName('configuration-details')).exists();
+    assert.dom(SELECTORS.cardName('client-count')).doesNotExist();
+  });
+
+  test('it should hide replication on enterprise not on root namespace', async function (assert) {
+    this.version = this.owner.lookup('service:version');
+    this.version.version = '1.13.1+ent';
+    this.version.type = 'enterprise';
+    this.isRootNamespace = false;
+    this.license = {
+      autoloaded: {
+        license_id: '7adbf1f4-56ef-35cd-3a6c-50ef2627865d',
+      },
+    };
+
+    await render(
+      hbs`
+      <Dashboard::Overview
+        @version={{this.version}}
+        @isRootNamespace={{this.isRootNamespace}}
+        @secretsEngines={{this.secretsEngines}}
+        @vaultConfiguration={{this.vaultConfiguration}}
+        @replication={{this.replication}}
+        @license={{this.license}}
+        @refreshModel={{this.refreshModel}} />`
+    );
+
+    assert.dom(SELECTORS.cardHeader('Vault version')).exists();
+    assert.dom('[data-test-badge-namespace]').exists();
+    assert.dom(SELECTORS.cardName('secrets-engines')).exists();
+    assert.dom(SELECTORS.cardName('learn-more')).exists();
+    assert.dom(SELECTORS.cardName('quick-actions')).exists();
+    assert.dom(SELECTORS.cardName('configuration-details')).exists();
+    assert.dom(SELECTORS.cardName('replication')).doesNotExist();
+    assert.dom(SELECTORS.cardName('client-count')).exists();
+  });
+
+  module('learn more card', function () {
+    test('shows the learn more card on community', async function (assert) {
+      await render(
+        hbs`<Dashboard::Overview @secretsEngines={{this.secretsEngines}} @vaultConfiguration={{this.vaultConfiguration}} @replication={{this.replication}} @refreshModel={{this.refreshModel}} />`
+      );
+
+      assert.dom('[data-test-learn-more-title]').hasText('Learn more');
+      assert
+        .dom('[data-test-learn-more-subtext]')
+        .hasText(
+          'Explore the features of Vault and learn advance practices with the following tutorials and documentation.'
+        );
+      assert.dom('[data-test-learn-more-links] a').exists({ count: 3 });
+      assert
+        .dom('[data-test-feedback-form]')
+        .hasText("Don't see what you're looking for on this page? Let us know via our feedback form .");
+    });
+    test('shows the learn more card on enterprise', async function (assert) {
+      this.version = this.owner.lookup('service:version');
+      this.version.version = '1.13.1+ent';
+      this.version.type = 'enterprise';
+      this.version.features = [
+        'Performance Replication',
+        'DR Replication',
+        'Namespaces',
+        'Transform Secrets Engine',
+      ];
+      this.isRootNamespace = true;
+      this.license = {
+        autoloaded: {
+          license_id: '7adbf1f4-56ef-35cd-3a6c-50ef2627865d',
+        },
+      };
+      await render(
+        hbs`
+          <Dashboard::Overview
+            @version={{this.version}}
+            @isRootNamespace={{this.isRootNamespace}}
+            @license={{this.license}}
+            @secretsEngines={{this.secretsEngines}}
+            @vaultConfiguration={{this.vaultConfiguration}}
+            @replication={{this.replication}}
+            @refreshModel={{this.refreshModel}} />
+        `
+      );
+      assert.dom('[data-test-learn-more-title]').hasText('Learn more');
+      assert
+        .dom('[data-test-learn-more-subtext]')
+        .hasText(
+          'Explore the features of Vault and learn advance practices with the following tutorials and documentation.'
+        );
+      assert.dom('[data-test-learn-more-links] a').exists({ count: 4 });
+      assert
+        .dom('[data-test-feedback-form]')
+        .hasText("Don't see what you're looking for on this page? Let us know via our feedback form .");
+    });
+  });
+});
diff --git a/ui/app/adapters/capabilities.js b/ui/app/adapters/capabilities.js
index de54824bbb0f..d8fca59d9433 100644
--- a/ui/app/adapters/capabilities.js
+++ b/ui/app/adapters/capabilities.js
@@ -1,34 +1,55 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
 
-import AdapterError from '@ember-data/adapter/error';
-import { set } from '@ember/object';
-import ApplicationAdapter from './application';
+<Dashboard::VaultVersionTitle @version={{@version}} />
 
-export default ApplicationAdapter.extend({
-  pathForType() {
-    return 'capabilities-self';
-  },
+<div class="has-bottom-margin-xl">
+  <div class="is-flex-row has-gap-l">
+    {{#if (and @version.isEnterprise (or @license @isRootNamespace))}}
+      <div class="is-flex-column is-flex-1 has-gap-l">
+        {{#if @license}}
+          <Dashboard::ClientCountCard @license={{@license}} />
+        {{/if}}
+        {{#if
+          (and @isRootNamespace (has-permission "status" routeParams="replication") (not (is-empty-value @replication)))
+        }}
+          <Dashboard::ReplicationCard
+            @replication={{@replication}}
+            @version={{@version}}
+            @refresh={{@refreshModel}}
+            @updatedAt={{@replicationUpdatedAt}}
+          />
+        {{/if}}
+        <Dashboard::SecretsEnginesCard @secretsEngines={{@secretsEngines}} />
+      </div>
 
-  findRecord(store, type, id) {
-    return this.ajax(this.buildURL(type), 'POST', { data: { paths: [id] } }).catch((e) => {
-      if (e instanceof AdapterError) {
-        set(e, 'policyPath', 'sys/capabilities-self');
-      }
-      throw e;
-    });
-  },
+      <div class="is-flex-column is-flex-1 has-gap-l">
+        <Dashboard::QuickActionsCard @secretsEngines={{@secretsEngines}} />
+        {{#if @vaultConfiguration}}
+          <Dashboard::VaultConfigurationDetailsCard @vaultConfiguration={{@vaultConfiguration}} />
+        {{/if}}
+        <div>
+          <Dashboard::LearnMoreCard @isEnterprise={{@version.isEnterprise}} />
+          <Dashboard::SurveyLinkText />
+        </div>
+      </div>
 
-  queryRecord(store, type, query) {
-    const { id } = query;
-    if (!id) {
-      return;
-    }
-    return this.findRecord(store, type, id).then((resp) => {
-      resp.path = id;
-      return resp;
-    });
-  },
-});
+    {{else}}
+      <div class="is-flex-column is-flex-1 has-gap-l">
+        <Dashboard::SecretsEnginesCard @secretsEngines={{@secretsEngines}} />
+        <div>
+          <Dashboard::LearnMoreCard @isEnterprise={{@version.isEnterprise}} />
+          <Dashboard::SurveyLinkText />
+        </div>
+      </div>
+      <div class="is-flex-column is-flex-1 has-gap-l">
+        <Dashboard::QuickActionsCard @secretsEngines={{@secretsEngines}} />
+        {{#if @vaultConfiguration}}
+          <Dashboard::VaultConfigurationDetailsCard @vaultConfiguration={{@vaultConfiguration}} />
+        {{/if}}
+      </div>
+    {{/if}}
+  </div>
+</div>
\ No newline at end of file
diff --git a/ui/app/adapters/cluster.js b/ui/app/adapters/cluster.js
index 7469e062cdff..ccdff66fdbaa 100644
--- a/ui/app/adapters/cluster.js
+++ b/ui/app/adapters/cluster.js
@@ -1,252 +1,23180 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import AdapterError from '@ember-data/adapter/error';
-import { inject as service } from '@ember/service';
-import { assign } from '@ember/polyfills';
-import { hash, resolve } from 'rsvp';
-import { assert } from '@ember/debug';
-import { pluralize } from 'ember-inflector';
-
-import ApplicationAdapter from './application';
-
-const ENDPOINTS = [
-  'health',
-  'seal-status',
-  'tokens',
-  'token',
-  'seal',
-  'unseal',
-  'init',
-  'capabilities-self',
-  'license',
-];
-
-const REPLICATION_ENDPOINTS = {
-  reindex: 'reindex',
-  recover: 'recover',
-  status: 'status',
-
-  primary: ['enable', 'disable', 'demote', 'secondary-token', 'revoke-secondary'],
-
-  secondary: ['enable', 'disable', 'promote', 'update-primary'],
-};
-
-const REPLICATION_MODES = ['dr', 'performance'];
-export default ApplicationAdapter.extend({
-  version: service(),
-  namespaceService: service('namespace'),
-  shouldBackgroundReloadRecord() {
-    return true;
-  },
-
-  findRecord(store, type, id, snapshot) {
-    const fetches = {
-      health: this.health(),
-      sealStatus: this.sealStatus().catch((e) => e),
-    };
-    if (this.version.isEnterprise && this.namespaceService.inRootNamespace) {
-      fetches.replicationStatus = this.replicationStatus().catch((e) => e);
-    }
-    return hash(fetches).then(({ health, sealStatus, replicationStatus }) => {
-      let ret = {
-        id,
-        name: snapshot.attr('name'),
-      };
-      ret = assign(ret, health);
-      if (sealStatus instanceof AdapterError === false) {
-        ret = assign(ret, { nodes: [sealStatus] });
-      }
-      if (replicationStatus && replicationStatus instanceof AdapterError === false) {
-        ret = assign(ret, replicationStatus.data);
-      }
-      return resolve(ret);
-    });
-  },
-
-  pathForType(type) {
-    return type === 'cluster' ? 'clusters' : pluralize(type);
-  },
-
-  health() {
-    return this.ajax(this.urlFor('health'), 'GET', {
-      data: {
-        standbycode: 200,
-        sealedcode: 200,
-        uninitcode: 200,
-        drsecondarycode: 200,
-        performancestandbycode: 200,
-      },
-      unauthenticated: true,
-    }).catch(() => {
-      // sys/health will only fail when chroot set
-      // because it's allowed in root namespace only and
-      // configured to return a 200 response in other fail scenarios
-      return { has_chroot_namespace: true };
-    });
-  },
-
-  features() {
-    return this.ajax(`${this.urlFor('license')}/features`, 'GET', {
-      unauthenticated: true,
-    });
-  },
-
-  sealStatus() {
-    return this.ajax(this.urlFor('seal-status'), 'GET', { unauthenticated: true });
-  },
-
-  seal() {
-    return this.ajax(this.urlFor('seal'), 'PUT');
-  },
-
-  unseal(data) {
-    return this.ajax(this.urlFor('unseal'), 'PUT', {
-      data,
-      unauthenticated: true,
-    });
-  },
-
-  initCluster(data) {
-    return this.ajax(this.urlFor('init'), 'PUT', {
-      data,
-      unauthenticated: true,
-    });
-  },
-
-  authenticate({ backend, data }) {
-    const { role, jwt, token, password, username, path, nonce } = data;
-    const url = this.urlForAuth(backend, username, path);
-    const verb = backend === 'token' ? 'GET' : 'POST';
-    const options = {
-      unauthenticated: true,
-    };
-    if (backend === 'token') {
-      options.headers = {
-        'X-Vault-Token': token,
-      };
-    } else if (backend === 'jwt' || backend === 'oidc') {
-      options.data = { role, jwt };
-    } else if (backend === 'okta') {
-      options.data = { password, nonce };
-    } else {
-      options.data = token ? { token, password } : { password };
-    }
-
-    return this.ajax(url, verb, options);
-  },
-
-  mfaValidate({ mfa_request_id, mfa_constraints }) {
-    const options = {
-      data: {
-        mfa_request_id,
-        mfa_payload: mfa_constraints.reduce((obj, { selectedMethod, passcode }) => {
-          let payload = [];
-          if (passcode) {
-            // duo requires passcode= prepended to the actual passcode
-            // this isn't a great UX so we add it behind the scenes to fulfill the requirement
-            // check if user added passcode= to avoid duplication
-            payload =
-              selectedMethod.type === 'duo' && !passcode.includes('passcode=')
-                ? [`passcode=${passcode}`]
-                : [passcode];
-          }
-          obj[selectedMethod.id] = payload;
-          return obj;
-        }, {}),
-      },
-    };
-    return this.ajax('/v1/sys/mfa/validate', 'POST', options);
-  },
-
-  urlFor(endpoint) {
-    if (!ENDPOINTS.includes(endpoint)) {
-      throw new Error(
-        `Calls to a ${endpoint} endpoint are not currently allowed in the vault cluster adapater`
-      );
-    }
-    return `${this.buildURL()}/${endpoint}`;
-  },
-
-  urlForAuth(type, username, path) {
-    const authBackend = type.toLowerCase();
-    const authURLs = {
-      github: 'login',
-      jwt: 'login',
-      oidc: 'login',
-      userpass: `login/${encodeURIComponent(username)}`,
-      ldap: `login/${encodeURIComponent(username)}`,
-      okta: `login/${encodeURIComponent(username)}`,
-      radius: `login/${encodeURIComponent(username)}`,
-      token: 'lookup-self',
-    };
-    const urlSuffix = authURLs[authBackend];
-    const urlPrefix = path && authBackend !== 'token' ? path : authBackend;
-    if (!urlSuffix) {
-      throw new Error(`There is no auth url for ${type}.`);
-    }
-    return `/v1/auth/${urlPrefix}/${urlSuffix}`;
-  },
-
-  urlForReplication(replicationMode, clusterMode, endpoint) {
-    let suffix;
-    const errString = `Calls to replication ${endpoint} endpoint are not currently allowed in the vault cluster adapater`;
-    if (clusterMode) {
-      assert(errString, REPLICATION_ENDPOINTS[clusterMode].includes(endpoint));
-      suffix = `${replicationMode}/${clusterMode}/${endpoint}`;
-    } else {
-      assert(errString, REPLICATION_ENDPOINTS[endpoint]);
-      suffix = `${endpoint}`;
+{
+  "name": "vault-docs",
+  "version": "1.0.0",
+  "lockfileVersion": 2,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "vault-docs",
+      "version": "1.0.0",
+      "hasInstallScript": true,
+      "devDependencies": {
+        "@hashicorp/platform-cli": "^2.6.0",
+        "@hashicorp/platform-content-conformance": "^0.0.9",
+        "dart-linkcheck": "2.0.15",
+        "next": "^12.3.1",
+        "prettier": "2.2.1",
+        "simple-git-hooks": "^2.6.1"
+      },
+      "engines": {
+        "node": ">=12.0.0 <= 18.x",
+        "npm": ">=7.0.0"
+      }
+    },
+    "node_modules/@babel/code-frame": {
+      "version": "7.15.8",
+      "integrity": "sha512-2IAnmn8zbvC/jKYhq5Ki9I+DwjlrtMPUCH/CpHvqI4dNnlwHwsxoIhlc8WcYY5LSYknXQtAlFYuHfqAFCvQ4Wg==",
+      "dev": true,
+      "dependencies": {
+        "@babel/highlight": "^7.14.5"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/compat-data": {
+      "version": "7.15.0",
+      "integrity": "sha512-0NqAC1IJE0S0+lL1SWFMxMkz1pKCNCjI4tr2Zx4LJSXxCLAdr6KyArnY+sno5m3yH9g737ygOyPABDsnXkpxiA==",
+      "dev": true,
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/core": {
+      "version": "7.15.8",
+      "integrity": "sha512-3UG9dsxvYBMYwRv+gS41WKHno4K60/9GPy1CJaH6xy3Elq8CTtvtjT5R5jmNhXfCYLX2mTw+7/aq5ak/gOE0og==",
+      "dev": true,
+      "dependencies": {
+        "@babel/code-frame": "^7.15.8",
+        "@babel/generator": "^7.15.8",
+        "@babel/helper-compilation-targets": "^7.15.4",
+        "@babel/helper-module-transforms": "^7.15.8",
+        "@babel/helpers": "^7.15.4",
+        "@babel/parser": "^7.15.8",
+        "@babel/template": "^7.15.4",
+        "@babel/traverse": "^7.15.4",
+        "@babel/types": "^7.15.6",
+        "convert-source-map": "^1.7.0",
+        "debug": "^4.1.0",
+        "gensync": "^1.0.0-beta.2",
+        "json5": "^2.1.2",
+        "semver": "^6.3.0",
+        "source-map": "^0.5.0"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/babel"
+      }
+    },
+    "node_modules/@babel/core/node_modules/semver": {
+      "version": "6.3.0",
+      "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==",
+      "dev": true,
+      "bin": {
+        "semver": "bin/semver.js"
+      }
+    },
+    "node_modules/@babel/generator": {
+      "version": "7.15.8",
+      "integrity": "sha512-ECmAKstXbp1cvpTTZciZCgfOt6iN64lR0d+euv3UZisU5awfRawOvg07Utn/qBGuH4bRIEZKrA/4LzZyXhZr8g==",
+      "dev": true,
+      "dependencies": {
+        "@babel/types": "^7.15.6",
+        "jsesc": "^2.5.1",
+        "source-map": "^0.5.0"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-compilation-targets": {
+      "version": "7.15.4",
+      "integrity": "sha512-rMWPCirulnPSe4d+gwdWXLfAXTTBj8M3guAf5xFQJ0nvFY7tfNAFnWdqaHegHlgDZOCT4qvhF3BYlSJag8yhqQ==",
+      "dev": true,
+      "dependencies": {
+        "@babel/compat-data": "^7.15.0",
+        "@babel/helper-validator-option": "^7.14.5",
+        "browserslist": "^4.16.6",
+        "semver": "^6.3.0"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0"
+      }
+    },
+    "node_modules/@babel/helper-compilation-targets/node_modules/semver": {
+      "version": "6.3.0",
+      "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==",
+      "dev": true,
+      "bin": {
+        "semver": "bin/semver.js"
+      }
+    },
+    "node_modules/@babel/helper-function-name": {
+      "version": "7.15.4",
+      "integrity": "sha512-Z91cOMM4DseLIGOnog+Z8OI6YseR9bua+HpvLAQ2XayUGU+neTtX+97caALaLdyu53I/fjhbeCnWnRH1O3jFOw==",
+      "dev": true,
+      "dependencies": {
+        "@babel/helper-get-function-arity": "^7.15.4",
+        "@babel/template": "^7.15.4",
+        "@babel/types": "^7.15.4"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-get-function-arity": {
+      "version": "7.15.4",
+      "integrity": "sha512-1/AlxSF92CmGZzHnC515hm4SirTxtpDnLEJ0UyEMgTMZN+6bxXKg04dKhiRx5Enel+SUA1G1t5Ed/yQia0efrA==",
+      "dev": true,
+      "dependencies": {
+        "@babel/types": "^7.15.4"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-hoist-variables": {
+      "version": "7.15.4",
+      "integrity": "sha512-VTy085egb3jUGVK9ycIxQiPbquesq0HUQ+tPO0uv5mPEBZipk+5FkRKiWq5apuyTE9FUrjENB0rCf8y+n+UuhA==",
+      "dev": true,
+      "dependencies": {
+        "@babel/types": "^7.15.4"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-member-expression-to-functions": {
+      "version": "7.15.4",
+      "integrity": "sha512-cokOMkxC/BTyNP1AlY25HuBWM32iCEsLPI4BHDpJCHHm1FU2E7dKWWIXJgQgSFiu4lp8q3bL1BIKwqkSUviqtA==",
+      "dev": true,
+      "dependencies": {
+        "@babel/types": "^7.15.4"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-module-imports": {
+      "version": "7.15.4",
+      "integrity": "sha512-jeAHZbzUwdW/xHgHQ3QmWR4Jg6j15q4w/gCfwZvtqOxoo5DKtLHk8Bsf4c5RZRC7NmLEs+ohkdq8jFefuvIxAA==",
+      "dev": true,
+      "dependencies": {
+        "@babel/types": "^7.15.4"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-module-transforms": {
+      "version": "7.15.8",
+      "integrity": "sha512-DfAfA6PfpG8t4S6npwzLvTUpp0sS7JrcuaMiy1Y5645laRJIp/LiLGIBbQKaXSInK8tiGNI7FL7L8UvB8gdUZg==",
+      "dev": true,
+      "dependencies": {
+        "@babel/helper-module-imports": "^7.15.4",
+        "@babel/helper-replace-supers": "^7.15.4",
+        "@babel/helper-simple-access": "^7.15.4",
+        "@babel/helper-split-export-declaration": "^7.15.4",
+        "@babel/helper-validator-identifier": "^7.15.7",
+        "@babel/template": "^7.15.4",
+        "@babel/traverse": "^7.15.4",
+        "@babel/types": "^7.15.6"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-optimise-call-expression": {
+      "version": "7.15.4",
+      "integrity": "sha512-E/z9rfbAOt1vDW1DR7k4SzhzotVV5+qMciWV6LaG1g4jeFrkDlJedjtV4h0i4Q/ITnUu+Pk08M7fczsB9GXBDw==",
+      "dev": true,
+      "dependencies": {
+        "@babel/types": "^7.15.4"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-plugin-utils": {
+      "version": "7.20.2",
+      "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.20.2.tgz",
+      "integrity": "sha512-8RvlJG2mj4huQ4pZ+rU9lqKi9ZKiRmuvGuM2HlWmkmgOhbs6zEAw6IEiJ5cQqGbDzGZOhwuOQNtZMi/ENLjZoQ==",
+      "dev": true,
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-replace-supers": {
+      "version": "7.15.4",
+      "integrity": "sha512-/ztT6khaXF37MS47fufrKvIsiQkx1LBRvSJNzRqmbyeZnTwU9qBxXYLaaT/6KaxfKhjs2Wy8kG8ZdsFUuWBjzw==",
+      "dev": true,
+      "dependencies": {
+        "@babel/helper-member-expression-to-functions": "^7.15.4",
+        "@babel/helper-optimise-call-expression": "^7.15.4",
+        "@babel/traverse": "^7.15.4",
+        "@babel/types": "^7.15.4"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-simple-access": {
+      "version": "7.15.4",
+      "integrity": "sha512-UzazrDoIVOZZcTeHHEPYrr1MvTR/K+wgLg6MY6e1CJyaRhbibftF6fR2KU2sFRtI/nERUZR9fBd6aKgBlIBaPg==",
+      "dev": true,
+      "dependencies": {
+        "@babel/types": "^7.15.4"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-split-export-declaration": {
+      "version": "7.15.4",
+      "integrity": "sha512-HsFqhLDZ08DxCpBdEVtKmywj6PQbwnF6HHybur0MAnkAKnlS6uHkwnmRIkElB2Owpfb4xL4NwDmDLFubueDXsw==",
+      "dev": true,
+      "dependencies": {
+        "@babel/types": "^7.15.4"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-validator-identifier": {
+      "version": "7.15.7",
+      "integrity": "sha512-K4JvCtQqad9OY2+yTU8w+E82ywk/fe+ELNlt1G8z3bVGlZfn/hOcQQsUhGhW/N+tb3fxK800wLtKOE/aM0m72w==",
+      "dev": true,
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-validator-option": {
+      "version": "7.14.5",
+      "integrity": "sha512-OX8D5eeX4XwcroVW45NMvoYaIuFI+GQpA2a8Gi+X/U/cDUIRsV37qQfF905F0htTRCREQIB4KqPeaveRJUl3Ow==",
+      "dev": true,
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helpers": {
+      "version": "7.15.4",
+      "integrity": "sha512-V45u6dqEJ3w2rlryYYXf6i9rQ5YMNu4FLS6ngs8ikblhu2VdR1AqAd6aJjBzmf2Qzh6KOLqKHxEN9+TFbAkAVQ==",
+      "dev": true,
+      "dependencies": {
+        "@babel/template": "^7.15.4",
+        "@babel/traverse": "^7.15.4",
+        "@babel/types": "^7.15.4"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/highlight": {
+      "version": "7.14.5",
+      "integrity": "sha512-qf9u2WFWVV0MppaL877j2dBtQIDgmidgjGk5VIMw3OadXvYaXn66U1BFlH2t4+t3i+8PhedppRv+i40ABzd+gg==",
+      "dev": true,
+      "dependencies": {
+        "@babel/helper-validator-identifier": "^7.14.5",
+        "chalk": "^2.0.0",
+        "js-tokens": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/highlight/node_modules/ansi-styles": {
+      "version": "3.2.1",
+      "integrity": "sha512-VT0ZI6kZRdTh8YyJw3SMbYm/u+NqfsAxEpWO0Pf9sq8/e94WxxOpPKx9FR1FlyCtOVDNOQ+8ntlqFxiRc+r5qA==",
+      "dev": true,
+      "dependencies": {
+        "color-convert": "^1.9.0"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/@babel/highlight/node_modules/chalk": {
+      "version": "2.4.2",
+      "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+      "dev": true,
+      "dependencies": {
+        "ansi-styles": "^3.2.1",
+        "escape-string-regexp": "^1.0.5",
+        "supports-color": "^5.3.0"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/@babel/highlight/node_modules/color-convert": {
+      "version": "1.9.3",
+      "integrity": "sha512-QfAUtd+vFdAtFQcC8CCyYt1fYWxSqAiK2cSD6zDB8N3cpsEBAvRxp9zOGg6G/SHHJYAT88/az/IuDGALsNVbGg==",
+      "dev": true,
+      "dependencies": {
+        "color-name": "1.1.3"
+      }
+    },
+    "node_modules/@babel/highlight/node_modules/color-name": {
+      "version": "1.1.3",
+      "integrity": "sha1-p9BVi9icQveV3UIyj3QIMcpTvCU=",
+      "dev": true
+    },
+    "node_modules/@babel/highlight/node_modules/has-flag": {
+      "version": "3.0.0",
+      "integrity": "sha1-tdRU3CGZriJWmfNGfloH87lVuv0=",
+      "dev": true,
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/@babel/highlight/node_modules/supports-color": {
+      "version": "5.5.0",
+      "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+      "dev": true,
+      "dependencies": {
+        "has-flag": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/@babel/parser": {
+      "version": "7.15.8",
+      "integrity": "sha512-BRYa3wcQnjS/nqI8Ac94pYYpJfojHVvVXJ97+IDCImX4Jc8W8Xv1+47enbruk+q1etOpsQNwnfFcNGw+gtPGxA==",
+      "dev": true,
+      "bin": {
+        "parser": "bin/babel-parser.js"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
+    "node_modules/@babel/plugin-proposal-object-rest-spread": {
+      "version": "7.12.1",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-proposal-object-rest-spread/-/plugin-proposal-object-rest-spread-7.12.1.tgz",
+      "integrity": "sha512-s6SowJIjzlhx8o7lsFx5zmY4At6CTtDvgNQDdPzkBQucle58A6b/TTeEBYtyDgmcXjUTM+vE8YOGHZzzbc/ioA==",
+      "dev": true,
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.10.4",
+        "@babel/plugin-syntax-object-rest-spread": "^7.8.0",
+        "@babel/plugin-transform-parameters": "^7.12.1"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
+      }
+    },
+    "node_modules/@babel/plugin-syntax-async-generators": {
+      "version": "7.8.4",
+      "integrity": "sha512-tycmZxkGfZaxhMRbXlPXuVFpdWlXpir2W4AMhSJgRKzk/eDlIXOhb2LHWoLpDF7TEHylV5zNhykX6KAgHJmTNw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.8.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
+      }
+    },
+    "node_modules/@babel/plugin-syntax-bigint": {
+      "version": "7.8.3",
+      "integrity": "sha512-wnTnFlG+YxQm3vDxpGE57Pj0srRU4sHE/mDkt1qv2YJJSeUAec2ma4WLUnUPeKjyrfntVwe/N6dCXpU+zL3Npg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.8.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
+      }
+    },
+    "node_modules/@babel/plugin-syntax-class-properties": {
+      "version": "7.12.13",
+      "integrity": "sha512-fm4idjKla0YahUNgFNLCB0qySdsoPiZP3iQE3rky0mBUtMZ23yDJ9SJdg6dXTSDnulOVqiF3Hgr9nbXvXTQZYA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.12.13"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
+      }
+    },
+    "node_modules/@babel/plugin-syntax-import-meta": {
+      "version": "7.10.4",
+      "integrity": "sha512-Yqfm+XDx0+Prh3VSeEQCPU81yC+JWZ2pDPFSS4ZdpfZhp4MkFMaDC1UqseovEKwSUpnIL7+vK+Clp7bfh0iD7g==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.10.4"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
+      }
+    },
+    "node_modules/@babel/plugin-syntax-json-strings": {
+      "version": "7.8.3",
+      "integrity": "sha512-lY6kdGpWHvjoe2vk4WrAapEuBR69EMxZl+RoGRhrFGNYVK8mOPAW8VfbT/ZgrFbXlDNiiaxQnAtgVCZ6jv30EA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.8.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
+      }
+    },
+    "node_modules/@babel/plugin-syntax-jsx": {
+      "version": "7.12.1",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-jsx/-/plugin-syntax-jsx-7.12.1.tgz",
+      "integrity": "sha512-1yRi7yAtB0ETgxdY9ti/p2TivUxJkTdhu/ZbF9MshVGqOx1TdB3b7xCXs49Fupgg50N45KcAsRP/ZqWjs9SRjg==",
+      "dev": true,
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.10.4"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
+      }
+    },
+    "node_modules/@babel/plugin-syntax-logical-assignment-operators": {
+      "version": "7.10.4",
+      "integrity": "sha512-d8waShlpFDinQ5MtvGU9xDAOzKH47+FFoney2baFIoMr952hKOLp1HR7VszoZvOsV/4+RRszNY7D17ba0te0ig==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.10.4"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
+      }
+    },
+    "node_modules/@babel/plugin-syntax-nullish-coalescing-operator": {
+      "version": "7.8.3",
+      "integrity": "sha512-aSff4zPII1u2QD7y+F8oDsz19ew4IGEJg9SVW+bqwpwtfFleiQDMdzA/R+UlWDzfnHFCxxleFT0PMIrR36XLNQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.8.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
+      }
+    },
+    "node_modules/@babel/plugin-syntax-numeric-separator": {
+      "version": "7.10.4",
+      "integrity": "sha512-9H6YdfkcK/uOnY/K7/aA2xpzaAgkQn37yzWUMRK7OaPOqOpGS1+n0H5hxT9AUw9EsSjPW8SVyMJwYRtWs3X3ug==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.10.4"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
+      }
+    },
+    "node_modules/@babel/plugin-syntax-object-rest-spread": {
+      "version": "7.8.3",
+      "integrity": "sha512-XoqMijGZb9y3y2XskN+P1wUGiVwWZ5JmoDRwx5+3GmEplNyVM2s2Dg8ILFQm8rWM48orGy5YpI5Bl8U1y7ydlA==",
+      "dev": true,
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.8.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
+      }
+    },
+    "node_modules/@babel/plugin-syntax-optional-catch-binding": {
+      "version": "7.8.3",
+      "integrity": "sha512-6VPD0Pc1lpTqw0aKoeRTMiB+kWhAoT24PA+ksWSBrFtl5SIRVpZlwN3NNPQjehA2E/91FV3RjLWoVTglWcSV3Q==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.8.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
+      }
+    },
+    "node_modules/@babel/plugin-syntax-optional-chaining": {
+      "version": "7.8.3",
+      "integrity": "sha512-KoK9ErH1MBlCPxV0VANkXW2/dw4vlbGDrFgz8bmUsBGYkFRcbRwMh6cIJubdPrkxRwuGdtCk0v/wPTKbQgBjkg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.8.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
+      }
+    },
+    "node_modules/@babel/plugin-syntax-top-level-await": {
+      "version": "7.14.5",
+      "integrity": "sha512-hx++upLv5U1rgYfwe1xBQUhRmU41NEvpUvrp8jkrSCdvGSnM5/qdRMtylJ6PG5OFkBaHkbTAKTnd3/YyESRHFw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.14.5"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
+      }
+    },
+    "node_modules/@babel/plugin-transform-parameters": {
+      "version": "7.20.7",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-parameters/-/plugin-transform-parameters-7.20.7.tgz",
+      "integrity": "sha512-WiWBIkeHKVOSYPO0pWkxGPfKeWrCJyD3NJ53+Lrp/QMSZbsVPovrVl2aWZ19D/LTVnaDv5Ap7GJ/B2CTOZdrfA==",
+      "dev": true,
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.20.2"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
+      }
+    },
+    "node_modules/@babel/runtime": {
+      "version": "7.20.7",
+      "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.20.7.tgz",
+      "integrity": "sha512-UF0tvkUtxwAgZ5W/KrkHf0Rn0fdnLDU9ScxBrEVNUprE/MzirjK4MJUX1/BVDv00Sv8cljtukVK1aky++X1SjQ==",
+      "dev": true,
+      "dependencies": {
+        "regenerator-runtime": "^0.13.11"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/template": {
+      "version": "7.15.4",
+      "integrity": "sha512-UgBAfEa1oGuYgDIPM2G+aHa4Nlo9Lh6mGD2bDBGMTbYnc38vulXPuC1MGjYILIEmlwl6Rd+BPR9ee3gm20CBtg==",
+      "dev": true,
+      "dependencies": {
+        "@babel/code-frame": "^7.14.5",
+        "@babel/parser": "^7.15.4",
+        "@babel/types": "^7.15.4"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/traverse": {
+      "version": "7.15.4",
+      "integrity": "sha512-W6lQD8l4rUbQR/vYgSuCAE75ADyyQvOpFVsvPPdkhf6lATXAsQIG9YdtOcu8BB1dZ0LKu+Zo3c1wEcbKeuhdlA==",
+      "dev": true,
+      "dependencies": {
+        "@babel/code-frame": "^7.14.5",
+        "@babel/generator": "^7.15.4",
+        "@babel/helper-function-name": "^7.15.4",
+        "@babel/helper-hoist-variables": "^7.15.4",
+        "@babel/helper-split-export-declaration": "^7.15.4",
+        "@babel/parser": "^7.15.4",
+        "@babel/types": "^7.15.4",
+        "debug": "^4.1.0",
+        "globals": "^11.1.0"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/types": {
+      "version": "7.15.6",
+      "integrity": "sha512-BPU+7QhqNjmWyDO0/vitH/CuhpV8ZmK1wpKva8nuyNF5MJfuRNWMc+hc14+u9xT93kvykMdncrJT19h74uB1Ig==",
+      "dev": true,
+      "dependencies": {
+        "@babel/helper-validator-identifier": "^7.14.9",
+        "to-fast-properties": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@bcoe/v8-coverage": {
+      "version": "0.2.3",
+      "integrity": "sha512-0hYQ8SB4Db5zvZB4axdMHGwEaQjkZzFjQiN9LVYvIFB2nSUHW9tYpxWriPrWDASIxiaXax83REcLxuSdnGPZtw==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/@cnakazawa/watch": {
+      "version": "1.0.4",
+      "integrity": "sha512-v9kIhKwjeZThiWrLmj0y17CWoyddASLj9O2yvbZkbvw/N3rWOYy9zkV66ursAoVr0mV15bL8g0c4QZUE6cdDoQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "exec-sh": "^0.3.2",
+        "minimist": "^1.2.0"
+      },
+      "bin": {
+        "watch": "cli.js"
+      },
+      "engines": {
+        "node": ">=0.1.95"
+      }
+    },
+    "node_modules/@eslint/eslintrc": {
+      "version": "1.4.1",
+      "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-1.4.1.tgz",
+      "integrity": "sha512-XXrH9Uarn0stsyldqDYq8r++mROmWRI1xKMXa640Bb//SY1+ECYX6VzT6Lcx5frD0V30XieqJ0oX9I2Xj5aoMA==",
+      "dev": true,
+      "dependencies": {
+        "ajv": "^6.12.4",
+        "debug": "^4.3.2",
+        "espree": "^9.4.0",
+        "globals": "^13.19.0",
+        "ignore": "^5.2.0",
+        "import-fresh": "^3.2.1",
+        "js-yaml": "^4.1.0",
+        "minimatch": "^3.1.2",
+        "strip-json-comments": "^3.1.1"
+      },
+      "engines": {
+        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/eslint"
+      }
+    },
+    "node_modules/@eslint/eslintrc/node_modules/globals": {
+      "version": "13.19.0",
+      "resolved": "https://registry.npmjs.org/globals/-/globals-13.19.0.tgz",
+      "integrity": "sha512-dkQ957uSRWHw7CFXLUtUHQI3g3aWApYhfNR2O6jn/907riyTYKVBmxYVROkBcY614FSSeSJh7Xm7SrUWCxvJMQ==",
+      "dev": true,
+      "dependencies": {
+        "type-fest": "^0.20.2"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/@eslint/eslintrc/node_modules/type-fest": {
+      "version": "0.20.2",
+      "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-0.20.2.tgz",
+      "integrity": "sha512-Ne+eE4r0/iWnpAxD852z3A+N0Bt5RN//NjJwRd2VFHEmrywxf5vsZlh4R6lixl6B+wz/8d+maTSAkN1FIkI3LQ==",
+      "dev": true,
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/@hashicorp/platform-cli": {
+      "version": "2.6.0",
+      "resolved": "https://registry.npmjs.org/@hashicorp/platform-cli/-/platform-cli-2.6.0.tgz",
+      "integrity": "sha512-nMO7Uiy/A5CT/BCE9RyQt6/Uci7bxwTesxCNWkXlciyqlIrz9WmBa9hr710IiMoDzrzQ1tL6AgFIeTbXs4RTqA==",
+      "dev": true,
+      "dependencies": {
+        "@hashicorp/platform-cms": "0.3.0",
+        "@typescript-eslint/eslint-plugin": "^5.48.0",
+        "@typescript-eslint/parser": "^5.48.0",
+        "chalk": "4.1.0",
+        "commander": "7.2.0",
+        "ejs": "3.1.5",
+        "eslint": "^8.31.0",
+        "eslint-config-next": "^13.1.1",
+        "eslint-config-prettier": "^8.6.0",
+        "eslint-plugin-jsx-a11y": "^6.6.1",
+        "eslint-plugin-prettier": "^4.2.1",
+        "fs-extra": "9.0.1",
+        "globby": "11.0.1",
+        "inquirer": "7.3.3",
+        "lint-staged": "11.1.2",
+        "open": "7.3.0",
+        "prettier": "2.5.1",
+        "readdirp": "3.5.0",
+        "signale": "1.4.0",
+        "slugify": "1.4.6",
+        "stylelint": "13.8.0",
+        "stylelint-config-css-modules": "2.2.0",
+        "stylelint-config-prettier": "8.0.2",
+        "stylelint-config-standard": "20.0.0",
+        "stylelint-media-use-custom-media": "2.0.0",
+        "stylelint-order": "4.1.0",
+        "stylelint-use-nesting": "3.0.0",
+        "stylelint-value-no-unknown-custom-properties": "3.0.0",
+        "ts-jest": "^26.4.4"
+      },
+      "bin": {
+        "next-hashicorp": "next-hashicorp"
+      }
+    },
+    "node_modules/@hashicorp/platform-cli/node_modules/prettier": {
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/prettier/-/prettier-2.5.1.tgz",
+      "integrity": "sha512-vBZcPRUR5MZJwoyi3ZoyQlc1rXeEck8KgeC9AwwOn+exuxLxq5toTRDTSaVrXHxelDMHy9zlicw8u66yxoSUFg==",
+      "dev": true,
+      "bin": {
+        "prettier": "bin-prettier.js"
+      },
+      "engines": {
+        "node": ">=10.13.0"
+      }
+    },
+    "node_modules/@hashicorp/platform-cms": {
+      "version": "0.3.0",
+      "integrity": "sha512-sRX9A+kDEZvfZy8PvGFbEaHjn5G1mEsHwTri1vDnrmKG8apE+ELlug83b0iEkD5wIJi9OqaewMIb0NrLxg9s5A==",
+      "dev": true,
+      "dependencies": {
+        "rivet-graphql": "0.3.1"
+      }
+    },
+    "node_modules/@hashicorp/platform-content-conformance": {
+      "version": "0.0.9",
+      "resolved": "https://registry.npmjs.org/@hashicorp/platform-content-conformance/-/platform-content-conformance-0.0.9.tgz",
+      "integrity": "sha512-kotY/4M/0YjiUGPgXv9vbWMiZJV5N5tlXTN3e+VzTQlQfbEXP1xYDcs6pNMtxbxCwfS29pkNRIWAsnGVIbBISw==",
+      "dev": true,
+      "dependencies": {
+        "find-up": "^6.3.0",
+        "flat": "^5.0.2",
+        "globby": "^13.1.2",
+        "mdast-util-to-string": "^3.1.0",
+        "remark": "12.0.1",
+        "remark-mdx": "^1.6.22",
+        "unified-lint-rule": "^2.1.1",
+        "unist-util-stringify-position": "^3.0.2",
+        "unist-util-visit": "^4.1.1",
+        "vfile": "^5.3.6",
+        "vfile-matter": "^4.0.0",
+        "vfile-reporter": "^7.0.4",
+        "vfile-reporter-json": "^3.2.0",
+        "vfile-statistics": "^2.0.0",
+        "yaml": "^2.1.3",
+        "yargs": "^17.4.1",
+        "zod": "^3.19.1"
+      },
+      "bin": {
+        "hc-content": "dist/cli.js"
+      }
+    },
+    "node_modules/@hashicorp/platform-content-conformance/node_modules/cliui": {
+      "version": "8.0.1",
+      "resolved": "https://registry.npmjs.org/cliui/-/cliui-8.0.1.tgz",
+      "integrity": "sha512-BSeNnyus75C4//NQ9gQt1/csTXyo/8Sb+afLAkzAptFuMsod9HFokGNudZpi/oQV73hnVK+sR+5PVRMd+Dr7YQ==",
+      "dev": true,
+      "dependencies": {
+        "string-width": "^4.2.0",
+        "strip-ansi": "^6.0.1",
+        "wrap-ansi": "^7.0.0"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@hashicorp/platform-content-conformance/node_modules/find-up": {
+      "version": "6.3.0",
+      "resolved": "https://registry.npmjs.org/find-up/-/find-up-6.3.0.tgz",
+      "integrity": "sha512-v2ZsoEuVHYy8ZIlYqwPe/39Cy+cFDzp4dXPaxNvkEuouymu+2Jbz0PxpKarJHYJTmv2HWT3O382qY8l4jMWthw==",
+      "dev": true,
+      "dependencies": {
+        "locate-path": "^7.1.0",
+        "path-exists": "^5.0.0"
+      },
+      "engines": {
+        "node": "^12.20.0 || ^14.13.1 || >=16.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/@hashicorp/platform-content-conformance/node_modules/globby": {
+      "version": "13.1.3",
+      "resolved": "https://registry.npmjs.org/globby/-/globby-13.1.3.tgz",
+      "integrity": "sha512-8krCNHXvlCgHDpegPzleMq07yMYTO2sXKASmZmquEYWEmCx6J5UTRbp5RwMJkTJGtcQ44YpiUYUiN0b9mzy8Bw==",
+      "dev": true,
+      "dependencies": {
+        "dir-glob": "^3.0.1",
+        "fast-glob": "^3.2.11",
+        "ignore": "^5.2.0",
+        "merge2": "^1.4.1",
+        "slash": "^4.0.0"
+      },
+      "engines": {
+        "node": "^12.20.0 || ^14.13.1 || >=16.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/@hashicorp/platform-content-conformance/node_modules/locate-path": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-7.2.0.tgz",
+      "integrity": "sha512-gvVijfZvn7R+2qyPX8mAuKcFGDf6Nc61GdvGafQsHL0sBIxfKzA+usWn4GFC/bk+QdwPUD4kWFJLhElipq+0VA==",
+      "dev": true,
+      "dependencies": {
+        "p-locate": "^6.0.0"
+      },
+      "engines": {
+        "node": "^12.20.0 || ^14.13.1 || >=16.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/@hashicorp/platform-content-conformance/node_modules/mdast-util-to-string": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/mdast-util-to-string/-/mdast-util-to-string-3.1.1.tgz",
+      "integrity": "sha512-tGvhT94e+cVnQt8JWE9/b3cUQZWS732TJxXHktvP+BYo62PpYD53Ls/6cC60rW21dW+txxiM4zMdc6abASvZKA==",
+      "dev": true,
+      "dependencies": {
+        "@types/mdast": "^3.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/@hashicorp/platform-content-conformance/node_modules/p-limit": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-4.0.0.tgz",
+      "integrity": "sha512-5b0R4txpzjPWVw/cXXUResoD4hb6U/x9BH08L7nw+GN1sezDzPdxeRvpc9c433fZhBan/wusjbCsqwqm4EIBIQ==",
+      "dev": true,
+      "dependencies": {
+        "yocto-queue": "^1.0.0"
+      },
+      "engines": {
+        "node": "^12.20.0 || ^14.13.1 || >=16.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/@hashicorp/platform-content-conformance/node_modules/p-locate": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-6.0.0.tgz",
+      "integrity": "sha512-wPrq66Llhl7/4AGC6I+cqxT07LhXvWL08LNXz1fENOw0Ap4sRZZ/gZpTTJ5jpurzzzfS2W/Ge9BY3LgLjCShcw==",
+      "dev": true,
+      "dependencies": {
+        "p-limit": "^4.0.0"
+      },
+      "engines": {
+        "node": "^12.20.0 || ^14.13.1 || >=16.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/@hashicorp/platform-content-conformance/node_modules/path-exists": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-5.0.0.tgz",
+      "integrity": "sha512-RjhtfwJOxzcFmNOi6ltcbcu4Iu+FL3zEj83dk4kAS+fVpTxXLO1b38RvJgT/0QwvV/L3aY9TAnyv0EOqW4GoMQ==",
+      "dev": true,
+      "engines": {
+        "node": "^12.20.0 || ^14.13.1 || >=16.0.0"
+      }
+    },
+    "node_modules/@hashicorp/platform-content-conformance/node_modules/remark": {
+      "version": "12.0.1",
+      "resolved": "https://registry.npmjs.org/remark/-/remark-12.0.1.tgz",
+      "integrity": "sha512-gS7HDonkdIaHmmP/+shCPejCEEW+liMp/t/QwmF0Xt47Rpuhl32lLtDV1uKWvGoq+kxr5jSgg5oAIpGuyULjUw==",
+      "dev": true,
+      "dependencies": {
+        "remark-parse": "^8.0.0",
+        "remark-stringify": "^8.0.0",
+        "unified": "^9.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/@hashicorp/platform-content-conformance/node_modules/remark-stringify": {
+      "version": "8.1.1",
+      "resolved": "https://registry.npmjs.org/remark-stringify/-/remark-stringify-8.1.1.tgz",
+      "integrity": "sha512-q4EyPZT3PcA3Eq7vPpT6bIdokXzFGp9i85igjmhRyXWmPs0Y6/d2FYwUNotKAWyLch7g0ASZJn/KHHcHZQ163A==",
+      "dev": true,
+      "dependencies": {
+        "ccount": "^1.0.0",
+        "is-alphanumeric": "^1.0.0",
+        "is-decimal": "^1.0.0",
+        "is-whitespace-character": "^1.0.0",
+        "longest-streak": "^2.0.1",
+        "markdown-escapes": "^1.0.0",
+        "markdown-table": "^2.0.0",
+        "mdast-util-compact": "^2.0.0",
+        "parse-entities": "^2.0.0",
+        "repeat-string": "^1.5.4",
+        "state-toggle": "^1.0.0",
+        "stringify-entities": "^3.0.0",
+        "unherit": "^1.0.4",
+        "xtend": "^4.0.1"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/@hashicorp/platform-content-conformance/node_modules/slash": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/slash/-/slash-4.0.0.tgz",
+      "integrity": "sha512-3dOsAHXXUkQTpOYcoAxLIorMTp4gIQr5IW3iVb7A7lFIp0VHhnynm9izx6TssdrIcVIESAlVjtnO2K8bg+Coew==",
+      "dev": true,
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/@hashicorp/platform-content-conformance/node_modules/unist-util-stringify-position": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/unist-util-stringify-position/-/unist-util-stringify-position-3.0.3.tgz",
+      "integrity": "sha512-k5GzIBZ/QatR8N5X2y+drfpWG8IDBzdnVj6OInRNWm1oXrzydiaAT2OQiA8DPRRZyAKb9b6I2a6PxYklZD0gKg==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/@hashicorp/platform-content-conformance/node_modules/vfile": {
+      "version": "5.3.7",
+      "resolved": "https://registry.npmjs.org/vfile/-/vfile-5.3.7.tgz",
+      "integrity": "sha512-r7qlzkgErKjobAmyNIkkSpizsFPYiUPuJb5pNW1RB4JcYVZhs4lIbVqk8XPk033CV/1z8ss5pkax8SuhGpcG8g==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0",
+        "is-buffer": "^2.0.0",
+        "unist-util-stringify-position": "^3.0.0",
+        "vfile-message": "^3.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/@hashicorp/platform-content-conformance/node_modules/vfile-message": {
+      "version": "3.1.4",
+      "resolved": "https://registry.npmjs.org/vfile-message/-/vfile-message-3.1.4.tgz",
+      "integrity": "sha512-fa0Z6P8HUrQN4BZaX05SIVXic+7kE3b05PWAtPuYP9QLHsLKYR7/AlLW3NtOrpXRLeawpDLMsVkmk5DG0NXgWw==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0",
+        "unist-util-stringify-position": "^3.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/@hashicorp/platform-content-conformance/node_modules/y18n": {
+      "version": "5.0.8",
+      "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz",
+      "integrity": "sha512-0pfFzegeDWJHJIAmTLRP2DwHjdF5s7jo9tuztdQxAhINCdvS+3nGINqPd00AphqJR/0LhANUS6/+7SCb98YOfA==",
+      "dev": true,
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/@hashicorp/platform-content-conformance/node_modules/yaml": {
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.2.1.tgz",
+      "integrity": "sha512-e0WHiYql7+9wr4cWMx3TVQrNwejKaEe7/rHNmQmqRjazfOP5W8PB6Jpebb5o6fIapbz9o9+2ipcaTM2ZwDI6lw==",
+      "dev": true,
+      "engines": {
+        "node": ">= 14"
+      }
+    },
+    "node_modules/@hashicorp/platform-content-conformance/node_modules/yargs": {
+      "version": "17.7.1",
+      "resolved": "https://registry.npmjs.org/yargs/-/yargs-17.7.1.tgz",
+      "integrity": "sha512-cwiTb08Xuv5fqF4AovYacTFNxk62th7LKJ6BL9IGUpTJrWoU7/7WdQGTP2SjKf1dUNBGzDd28p/Yfs/GI6JrLw==",
+      "dev": true,
+      "dependencies": {
+        "cliui": "^8.0.1",
+        "escalade": "^3.1.1",
+        "get-caller-file": "^2.0.5",
+        "require-directory": "^2.1.1",
+        "string-width": "^4.2.3",
+        "y18n": "^5.0.5",
+        "yargs-parser": "^21.1.1"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@hashicorp/platform-content-conformance/node_modules/yargs-parser": {
+      "version": "21.1.1",
+      "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-21.1.1.tgz",
+      "integrity": "sha512-tVpsJW7DdjecAiFpbIB1e3qxIQsE6NoPc5/eTdrbbIC4h0LVsWhnoa3g+m2HclBIujHzsxZ4VJVA+GUuc2/LBw==",
+      "dev": true,
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@hashicorp/platform-content-conformance/node_modules/yocto-queue": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/yocto-queue/-/yocto-queue-1.0.0.tgz",
+      "integrity": "sha512-9bnSc/HEW2uRy67wc+T8UwauLuPJVn28jb+GtJY16iiKWyvmYJRXVT4UamsAEGQfPohgr2q4Tq0sQbQlxTfi1g==",
+      "dev": true,
+      "engines": {
+        "node": ">=12.20"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/@humanwhocodes/config-array": {
+      "version": "0.11.8",
+      "resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.11.8.tgz",
+      "integrity": "sha512-UybHIJzJnR5Qc/MsD9Kr+RpO2h+/P1GhOwdiLPXK5TWk5sgTdu88bTD9UP+CKbPPh5Rni1u0GjAdYQLemG8g+g==",
+      "dev": true,
+      "dependencies": {
+        "@humanwhocodes/object-schema": "^1.2.1",
+        "debug": "^4.1.1",
+        "minimatch": "^3.0.5"
+      },
+      "engines": {
+        "node": ">=10.10.0"
+      }
+    },
+    "node_modules/@humanwhocodes/module-importer": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@humanwhocodes/module-importer/-/module-importer-1.0.1.tgz",
+      "integrity": "sha512-bxveV4V8v5Yb4ncFTT3rPSgZBOpCkjfK0y4oVVVJwIuDVBRMDXrPyXRL988i5ap9m9bnyEEjWfm5WkBmtffLfA==",
+      "dev": true,
+      "engines": {
+        "node": ">=12.22"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/nzakas"
+      }
+    },
+    "node_modules/@humanwhocodes/object-schema": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/@humanwhocodes/object-schema/-/object-schema-1.2.1.tgz",
+      "integrity": "sha512-ZnQMnLV4e7hDlUvw8H+U8ASL02SS2Gn6+9Ac3wGGLIe7+je2AeAOxPY+izIPJDfFDb7eDjev0Us8MO1iFRN8hA==",
+      "dev": true
+    },
+    "node_modules/@istanbuljs/load-nyc-config": {
+      "version": "1.1.0",
+      "integrity": "sha512-VjeHSlIzpv/NyD3N0YuHfXOPDIixcA1q2ZV98wsMqcYlPmv2n3Yb2lYP9XMElnaFVXg5A7YLTeLu6V84uQDjmQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "camelcase": "^5.3.1",
+        "find-up": "^4.1.0",
+        "get-package-type": "^0.1.0",
+        "js-yaml": "^3.13.1",
+        "resolve-from": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/@istanbuljs/load-nyc-config/node_modules/argparse": {
+      "version": "1.0.10",
+      "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "sprintf-js": "~1.0.2"
+      }
+    },
+    "node_modules/@istanbuljs/load-nyc-config/node_modules/find-up": {
+      "version": "4.1.0",
+      "integrity": "sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "locate-path": "^5.0.0",
+        "path-exists": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml": {
+      "version": "3.14.1",
+      "integrity": "sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "argparse": "^1.0.7",
+        "esprima": "^4.0.0"
+      },
+      "bin": {
+        "js-yaml": "bin/js-yaml.js"
+      }
+    },
+    "node_modules/@istanbuljs/load-nyc-config/node_modules/locate-path": {
+      "version": "5.0.0",
+      "integrity": "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "p-locate": "^4.1.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/@istanbuljs/load-nyc-config/node_modules/p-limit": {
+      "version": "2.3.0",
+      "integrity": "sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "p-try": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/@istanbuljs/load-nyc-config/node_modules/p-locate": {
+      "version": "4.1.0",
+      "integrity": "sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "p-limit": "^2.2.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/@istanbuljs/load-nyc-config/node_modules/path-exists": {
+      "version": "4.0.0",
+      "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/@istanbuljs/load-nyc-config/node_modules/resolve-from": {
+      "version": "5.0.0",
+      "integrity": "sha512-qYg9KP24dD5qka9J47d0aVky0N+b4fTU89LN9iDnjB5waksiC49rvMB0PrUJQGoTmH50XPiqOvAjDfaijGxYZw==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/@istanbuljs/schema": {
+      "version": "0.1.3",
+      "integrity": "sha512-ZXRY4jNvVgSVQ8DL3LTcakaAtXwTVUxE81hslsyD2AtoXW/wVob10HkOJ1X/pAlcI7D+2YoZKg5do8G/w6RYgA==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/@jest/console": {
+      "version": "26.6.2",
+      "integrity": "sha512-IY1R2i2aLsLr7Id3S6p2BA82GNWryt4oSvEXLAKc+L2zdi89dSkE8xC1C+0kpATG4JhBJREnQOH7/zmccM2B0g==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@jest/types": "^26.6.2",
+        "@types/node": "*",
+        "chalk": "^4.0.0",
+        "jest-message-util": "^26.6.2",
+        "jest-util": "^26.6.2",
+        "slash": "^3.0.0"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/@jest/core": {
+      "version": "26.6.3",
+      "integrity": "sha512-xvV1kKbhfUqFVuZ8Cyo+JPpipAHHAV3kcDBftiduK8EICXmTFddryy3P7NfZt8Pv37rA9nEJBKCCkglCPt/Xjw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@jest/console": "^26.6.2",
+        "@jest/reporters": "^26.6.2",
+        "@jest/test-result": "^26.6.2",
+        "@jest/transform": "^26.6.2",
+        "@jest/types": "^26.6.2",
+        "@types/node": "*",
+        "ansi-escapes": "^4.2.1",
+        "chalk": "^4.0.0",
+        "exit": "^0.1.2",
+        "graceful-fs": "^4.2.4",
+        "jest-changed-files": "^26.6.2",
+        "jest-config": "^26.6.3",
+        "jest-haste-map": "^26.6.2",
+        "jest-message-util": "^26.6.2",
+        "jest-regex-util": "^26.0.0",
+        "jest-resolve": "^26.6.2",
+        "jest-resolve-dependencies": "^26.6.3",
+        "jest-runner": "^26.6.3",
+        "jest-runtime": "^26.6.3",
+        "jest-snapshot": "^26.6.2",
+        "jest-util": "^26.6.2",
+        "jest-validate": "^26.6.2",
+        "jest-watcher": "^26.6.2",
+        "micromatch": "^4.0.2",
+        "p-each-series": "^2.1.0",
+        "rimraf": "^3.0.0",
+        "slash": "^3.0.0",
+        "strip-ansi": "^6.0.0"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/@jest/environment": {
+      "version": "26.6.2",
+      "integrity": "sha512-nFy+fHl28zUrRsCeMB61VDThV1pVTtlEokBRgqPrcT1JNq4yRNIyTHfyht6PqtUvY9IsuLGTrbG8kPXjSZIZwA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@jest/fake-timers": "^26.6.2",
+        "@jest/types": "^26.6.2",
+        "@types/node": "*",
+        "jest-mock": "^26.6.2"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/@jest/fake-timers": {
+      "version": "26.6.2",
+      "integrity": "sha512-14Uleatt7jdzefLPYM3KLcnUl1ZNikaKq34enpb5XG9i81JpppDb5muZvonvKyrl7ftEHkKS5L5/eB/kxJ+bvA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@jest/types": "^26.6.2",
+        "@sinonjs/fake-timers": "^6.0.1",
+        "@types/node": "*",
+        "jest-message-util": "^26.6.2",
+        "jest-mock": "^26.6.2",
+        "jest-util": "^26.6.2"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/@jest/globals": {
+      "version": "26.6.2",
+      "integrity": "sha512-85Ltnm7HlB/KesBUuALwQ68YTU72w9H2xW9FjZ1eL1U3lhtefjjl5c2MiUbpXt/i6LaPRvoOFJ22yCBSfQ0JIA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@jest/environment": "^26.6.2",
+        "@jest/types": "^26.6.2",
+        "expect": "^26.6.2"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/@jest/reporters": {
+      "version": "26.6.2",
+      "integrity": "sha512-h2bW53APG4HvkOnVMo8q3QXa6pcaNt1HkwVsOPMBV6LD/q9oSpxNSYZQYkAnjdMjrJ86UuYeLo+aEZClV6opnw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@bcoe/v8-coverage": "^0.2.3",
+        "@jest/console": "^26.6.2",
+        "@jest/test-result": "^26.6.2",
+        "@jest/transform": "^26.6.2",
+        "@jest/types": "^26.6.2",
+        "chalk": "^4.0.0",
+        "collect-v8-coverage": "^1.0.0",
+        "exit": "^0.1.2",
+        "glob": "^7.1.2",
+        "graceful-fs": "^4.2.4",
+        "istanbul-lib-coverage": "^3.0.0",
+        "istanbul-lib-instrument": "^4.0.3",
+        "istanbul-lib-report": "^3.0.0",
+        "istanbul-lib-source-maps": "^4.0.0",
+        "istanbul-reports": "^3.0.2",
+        "jest-haste-map": "^26.6.2",
+        "jest-resolve": "^26.6.2",
+        "jest-util": "^26.6.2",
+        "jest-worker": "^26.6.2",
+        "slash": "^3.0.0",
+        "source-map": "^0.6.0",
+        "string-length": "^4.0.1",
+        "terminal-link": "^2.0.0",
+        "v8-to-istanbul": "^7.0.0"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      },
+      "optionalDependencies": {
+        "node-notifier": "^8.0.0"
+      }
+    },
+    "node_modules/@jest/reporters/node_modules/source-map": {
+      "version": "0.6.1",
+      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/@jest/source-map": {
+      "version": "26.6.2",
+      "integrity": "sha512-YwYcCwAnNmOVsZ8mr3GfnzdXDAl4LaenZP5z+G0c8bzC9/dugL8zRmxZzdoTl4IaS3CryS1uWnROLPFmb6lVvA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "callsites": "^3.0.0",
+        "graceful-fs": "^4.2.4",
+        "source-map": "^0.6.0"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/@jest/source-map/node_modules/source-map": {
+      "version": "0.6.1",
+      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/@jest/test-result": {
+      "version": "26.6.2",
+      "integrity": "sha512-5O7H5c/7YlojphYNrK02LlDIV2GNPYisKwHm2QTKjNZeEzezCbwYs9swJySv2UfPMyZ0VdsmMv7jIlD/IKYQpQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@jest/console": "^26.6.2",
+        "@jest/types": "^26.6.2",
+        "@types/istanbul-lib-coverage": "^2.0.0",
+        "collect-v8-coverage": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/@jest/test-sequencer": {
+      "version": "26.6.3",
+      "integrity": "sha512-YHlVIjP5nfEyjlrSr8t/YdNfU/1XEt7c5b4OxcXCjyRhjzLYu/rO69/WHPuYcbCWkz8kAeZVZp2N2+IOLLEPGw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@jest/test-result": "^26.6.2",
+        "graceful-fs": "^4.2.4",
+        "jest-haste-map": "^26.6.2",
+        "jest-runner": "^26.6.3",
+        "jest-runtime": "^26.6.3"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/@jest/transform": {
+      "version": "26.6.2",
+      "integrity": "sha512-E9JjhUgNzvuQ+vVAL21vlyfy12gP0GhazGgJC4h6qUt1jSdUXGWJ1wfu/X7Sd8etSgxV4ovT1pb9v5D6QW4XgA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@babel/core": "^7.1.0",
+        "@jest/types": "^26.6.2",
+        "babel-plugin-istanbul": "^6.0.0",
+        "chalk": "^4.0.0",
+        "convert-source-map": "^1.4.0",
+        "fast-json-stable-stringify": "^2.0.0",
+        "graceful-fs": "^4.2.4",
+        "jest-haste-map": "^26.6.2",
+        "jest-regex-util": "^26.0.0",
+        "jest-util": "^26.6.2",
+        "micromatch": "^4.0.2",
+        "pirates": "^4.0.1",
+        "slash": "^3.0.0",
+        "source-map": "^0.6.1",
+        "write-file-atomic": "^3.0.0"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/@jest/transform/node_modules/source-map": {
+      "version": "0.6.1",
+      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/@jest/types": {
+      "version": "26.6.2",
+      "integrity": "sha512-fC6QCp7Sc5sX6g8Tvbmj4XUTbyrik0akgRy03yjXbQaBWWNWGE7SGtJk98m0N8nzegD/7SggrUlivxo5ax4KWQ==",
+      "dev": true,
+      "dependencies": {
+        "@types/istanbul-lib-coverage": "^2.0.0",
+        "@types/istanbul-reports": "^3.0.0",
+        "@types/node": "*",
+        "@types/yargs": "^15.0.0",
+        "chalk": "^4.0.0"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/@mdx-js/util": {
+      "version": "1.6.22",
+      "resolved": "https://registry.npmjs.org/@mdx-js/util/-/util-1.6.22.tgz",
+      "integrity": "sha512-H1rQc1ZOHANWBvPcW+JpGwr+juXSxM8Q8YCkm3GhZd8REu1fHR3z99CErO1p9pkcfcxZnMdIZdIsXkOHY0NilA==",
+      "dev": true,
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/@next/env": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/env/-/env-12.3.1.tgz",
+      "integrity": "sha512-9P9THmRFVKGKt9DYqeC2aKIxm8rlvkK38V1P1sRE7qyoPBIs8l9oo79QoSdPtOWfzkbDAVUqvbQGgTMsb8BtJg==",
+      "dev": true
+    },
+    "node_modules/@next/eslint-plugin-next": {
+      "version": "13.1.2",
+      "resolved": "https://registry.npmjs.org/@next/eslint-plugin-next/-/eslint-plugin-next-13.1.2.tgz",
+      "integrity": "sha512-WGaNVvIYphdriesP6r7jq/8l7u38tzotnVQuxc1RYKLqYYApSsrebti3OCPoT3Gx0pw2smPIFHH98RzcsgW5GQ==",
+      "dev": true,
+      "dependencies": {
+        "glob": "7.1.7"
+      }
+    },
+    "node_modules/@next/eslint-plugin-next/node_modules/glob": {
+      "version": "7.1.7",
+      "resolved": "https://registry.npmjs.org/glob/-/glob-7.1.7.tgz",
+      "integrity": "sha512-OvD9ENzPLbegENnYP5UUfJIirTg4+XwMWGaQfQTY0JenxNvvIKP3U3/tAQSPIu/lHxXYSZmpXlUHeqAIdKzBLQ==",
+      "dev": true,
+      "dependencies": {
+        "fs.realpath": "^1.0.0",
+        "inflight": "^1.0.4",
+        "inherits": "2",
+        "minimatch": "^3.0.4",
+        "once": "^1.3.0",
+        "path-is-absolute": "^1.0.0"
+      },
+      "engines": {
+        "node": "*"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
+    "node_modules/@next/swc-android-arm-eabi": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-android-arm-eabi/-/swc-android-arm-eabi-12.3.1.tgz",
+      "integrity": "sha512-i+BvKA8tB//srVPPQxIQN5lvfROcfv4OB23/L1nXznP+N/TyKL8lql3l7oo2LNhnH66zWhfoemg3Q4VJZSruzQ==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@next/swc-android-arm64": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-android-arm64/-/swc-android-arm64-12.3.1.tgz",
+      "integrity": "sha512-CmgU2ZNyBP0rkugOOqLnjl3+eRpXBzB/I2sjwcGZ7/Z6RcUJXK5Evz+N0ucOxqE4cZ3gkTeXtSzRrMK2mGYV8Q==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@next/swc-darwin-arm64": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-darwin-arm64/-/swc-darwin-arm64-12.3.1.tgz",
+      "integrity": "sha512-hT/EBGNcu0ITiuWDYU9ur57Oa4LybD5DOQp4f22T6zLfpoBMfBibPtR8XktXmOyFHrL/6FC2p9ojdLZhWhvBHg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@next/swc-darwin-x64": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-darwin-x64/-/swc-darwin-x64-12.3.1.tgz",
+      "integrity": "sha512-9S6EVueCVCyGf2vuiLiGEHZCJcPAxglyckTZcEwLdJwozLqN0gtS0Eq0bQlGS3dH49Py/rQYpZ3KVWZ9BUf/WA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@next/swc-freebsd-x64": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-freebsd-x64/-/swc-freebsd-x64-12.3.1.tgz",
+      "integrity": "sha512-qcuUQkaBZWqzM0F1N4AkAh88lLzzpfE6ImOcI1P6YeyJSsBmpBIV8o70zV+Wxpc26yV9vpzb+e5gCyxNjKJg5Q==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@next/swc-linux-arm-gnueabihf": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-linux-arm-gnueabihf/-/swc-linux-arm-gnueabihf-12.3.1.tgz",
+      "integrity": "sha512-diL9MSYrEI5nY2wc/h/DBewEDUzr/DqBjIgHJ3RUNtETAOB3spMNHvJk2XKUDjnQuluLmFMloet9tpEqU2TT9w==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@next/swc-linux-arm64-gnu": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-gnu/-/swc-linux-arm64-gnu-12.3.1.tgz",
+      "integrity": "sha512-o/xB2nztoaC7jnXU3Q36vGgOolJpsGG8ETNjxM1VAPxRwM7FyGCPHOMk1XavG88QZSQf+1r+POBW0tLxQOJ9DQ==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@next/swc-linux-arm64-musl": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-musl/-/swc-linux-arm64-musl-12.3.1.tgz",
+      "integrity": "sha512-2WEasRxJzgAmP43glFNhADpe8zB7kJofhEAVNbDJZANp+H4+wq+/cW1CdDi8DqjkShPEA6/ejJw+xnEyDID2jg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@next/swc-linux-x64-gnu": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-gnu/-/swc-linux-x64-gnu-12.3.1.tgz",
+      "integrity": "sha512-JWEaMyvNrXuM3dyy9Pp5cFPuSSvG82+yABqsWugjWlvfmnlnx9HOQZY23bFq3cNghy5V/t0iPb6cffzRWylgsA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@next/swc-linux-x64-musl": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-musl/-/swc-linux-x64-musl-12.3.1.tgz",
+      "integrity": "sha512-xoEWQQ71waWc4BZcOjmatuvPUXKTv6MbIFzpm4LFeCHsg2iwai0ILmNXf81rJR+L1Wb9ifEke2sQpZSPNz1Iyg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@next/swc-win32-arm64-msvc": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-win32-arm64-msvc/-/swc-win32-arm64-msvc-12.3.1.tgz",
+      "integrity": "sha512-hswVFYQYIeGHE2JYaBVtvqmBQ1CppplQbZJS/JgrVI3x2CurNhEkmds/yqvDONfwfbttTtH4+q9Dzf/WVl3Opw==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@next/swc-win32-ia32-msvc": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-win32-ia32-msvc/-/swc-win32-ia32-msvc-12.3.1.tgz",
+      "integrity": "sha512-Kny5JBehkTbKPmqulr5i+iKntO5YMP+bVM8Hf8UAmjSMVo3wehyLVc9IZkNmcbxi+vwETnQvJaT5ynYBkJ9dWA==",
+      "cpu": [
+        "ia32"
+      ],
+      "dev": true,
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@next/swc-win32-x64-msvc": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-win32-x64-msvc/-/swc-win32-x64-msvc-12.3.1.tgz",
+      "integrity": "sha512-W1ijvzzg+kPEX6LAc+50EYYSEo0FVu7dmTE+t+DM4iOLqgGHoW9uYSz9wCVdkXOEEMP9xhXfGpcSxsfDucyPkA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@nodelib/fs.scandir": {
+      "version": "2.1.5",
+      "integrity": "sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==",
+      "dev": true,
+      "dependencies": {
+        "@nodelib/fs.stat": "2.0.5",
+        "run-parallel": "^1.1.9"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/@nodelib/fs.stat": {
+      "version": "2.0.5",
+      "integrity": "sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==",
+      "dev": true,
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/@nodelib/fs.walk": {
+      "version": "1.2.8",
+      "integrity": "sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==",
+      "dev": true,
+      "dependencies": {
+        "@nodelib/fs.scandir": "2.1.5",
+        "fastq": "^1.6.0"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/@pkgr/utils": {
+      "version": "2.3.1",
+      "resolved": "https://registry.npmjs.org/@pkgr/utils/-/utils-2.3.1.tgz",
+      "integrity": "sha512-wfzX8kc1PMyUILA+1Z/EqoE4UCXGy0iRGMhPwdfae1+f0OXlLqCk+By+aMzgJBzR9AzS4CDizioG6Ss1gvAFJw==",
+      "dev": true,
+      "dependencies": {
+        "cross-spawn": "^7.0.3",
+        "is-glob": "^4.0.3",
+        "open": "^8.4.0",
+        "picocolors": "^1.0.0",
+        "tiny-glob": "^0.2.9",
+        "tslib": "^2.4.0"
+      },
+      "engines": {
+        "node": "^12.20.0 || ^14.18.0 || >=16.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/unts"
+      }
+    },
+    "node_modules/@pkgr/utils/node_modules/open": {
+      "version": "8.4.0",
+      "resolved": "https://registry.npmjs.org/open/-/open-8.4.0.tgz",
+      "integrity": "sha512-XgFPPM+B28FtCCgSb9I+s9szOC1vZRSwgWsRUA5ylIxRTgKozqjOCrVOqGsYABPYK5qnfqClxZTFBa8PKt2v6Q==",
+      "dev": true,
+      "dependencies": {
+        "define-lazy-prop": "^2.0.0",
+        "is-docker": "^2.1.1",
+        "is-wsl": "^2.2.0"
+      },
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/@pkgr/utils/node_modules/picocolors": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.0.0.tgz",
+      "integrity": "sha512-1fygroTLlHu66zi26VoTDv8yRgm0Fccecssto+MhsZ0D/DGW2sm8E8AjW7NU5VVTRt5GxbeZ5qBuJr+HyLYkjQ==",
+      "dev": true
+    },
+    "node_modules/@rushstack/eslint-patch": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/@rushstack/eslint-patch/-/eslint-patch-1.2.0.tgz",
+      "integrity": "sha512-sXo/qW2/pAcmT43VoRKOJbDOfV3cYpq3szSVfIThQXNt+E4DfKj361vaAt3c88U5tPUxzEswam7GW48PJqtKAg==",
+      "dev": true
+    },
+    "node_modules/@sinonjs/commons": {
+      "version": "1.8.3",
+      "integrity": "sha512-xkNcLAn/wZaX14RPlwizcKicDk9G3F8m2nU3L7Ukm5zBgTwiT0wsoFAHx9Jq56fJA1z/7uKGtCRu16sOUCLIHQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "type-detect": "4.0.8"
+      }
+    },
+    "node_modules/@sinonjs/fake-timers": {
+      "version": "6.0.1",
+      "integrity": "sha512-MZPUxrmFubI36XS1DI3qmI0YdN1gks62JtFZvxR67ljjSNCeK6U08Zx4msEWOXuofgqUt6zPHSi1H9fbjR/NRA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@sinonjs/commons": "^1.7.0"
+      }
+    },
+    "node_modules/@stylelint/postcss-css-in-js": {
+      "version": "0.37.2",
+      "integrity": "sha512-nEhsFoJurt8oUmieT8qy4nk81WRHmJynmVwn/Vts08PL9fhgIsMhk1GId5yAN643OzqEEb5S/6At2TZW7pqPDA==",
+      "dev": true,
+      "dependencies": {
+        "@babel/core": ">=7.9.0"
+      },
+      "peerDependencies": {
+        "postcss": ">=7.0.0",
+        "postcss-syntax": ">=0.36.2"
+      }
+    },
+    "node_modules/@stylelint/postcss-markdown": {
+      "version": "0.36.2",
+      "integrity": "sha512-2kGbqUVJUGE8dM+bMzXG/PYUWKkjLIkRLWNh39OaADkiabDRdw8ATFCgbMz5xdIcvwspPAluSL7uY+ZiTWdWmQ==",
+      "deprecated": "Use the original unforked package instead: postcss-markdown",
+      "dev": true,
+      "dependencies": {
+        "remark": "^13.0.0",
+        "unist-util-find-all-after": "^3.0.2"
+      },
+      "peerDependencies": {
+        "postcss": ">=7.0.0",
+        "postcss-syntax": ">=0.36.2"
+      }
+    },
+    "node_modules/@swc/helpers": {
+      "version": "0.4.11",
+      "resolved": "https://registry.npmjs.org/@swc/helpers/-/helpers-0.4.11.tgz",
+      "integrity": "sha512-rEUrBSGIoSFuYxwBYtlUFMlE2CwGhmW+w9355/5oduSw8e5h2+Tj4UrAGNNgP9915++wj5vkQo0UuOBqOAq4nw==",
+      "dev": true,
+      "dependencies": {
+        "tslib": "^2.4.0"
+      }
+    },
+    "node_modules/@tootallnate/once": {
+      "version": "1.1.2",
+      "integrity": "sha512-RbzJvlNzmRq5c3O09UipeuXno4tA1FE6ikOjxZK0tuxVv3412l64l5t1W5pj4+rJq9vpkm/kwiR07aZXnsKPxw==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/@types/babel__core": {
+      "version": "7.1.16",
+      "integrity": "sha512-EAEHtisTMM+KaKwfWdC3oyllIqswlznXCIVCt7/oRNrh+DhgT4UEBNC/jlADNjvw7UnfbcdkGQcPVZ1xYiLcrQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@babel/parser": "^7.1.0",
+        "@babel/types": "^7.0.0",
+        "@types/babel__generator": "*",
+        "@types/babel__template": "*",
+        "@types/babel__traverse": "*"
+      }
+    },
+    "node_modules/@types/babel__generator": {
+      "version": "7.6.3",
+      "integrity": "sha512-/GWCmzJWqV7diQW54smJZzWbSFf4QYtF71WCKhcx6Ru/tFyQIY2eiiITcCAeuPbNSvT9YCGkVMqqvSk2Z0mXiA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@babel/types": "^7.0.0"
+      }
+    },
+    "node_modules/@types/babel__template": {
+      "version": "7.4.1",
+      "integrity": "sha512-azBFKemX6kMg5Io+/rdGT0dkGreboUVR0Cdm3fz9QJWpaQGJRQXl7C+6hOTCZcMll7KFyEQpgbYI2lHdsS4U7g==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@babel/parser": "^7.1.0",
+        "@babel/types": "^7.0.0"
+      }
+    },
+    "node_modules/@types/babel__traverse": {
+      "version": "7.14.2",
+      "integrity": "sha512-K2waXdXBi2302XUdcHcR1jCeU0LL4TD9HRs/gk0N2Xvrht+G/BfJa4QObBQZfhMdxiCpV3COl5Nfq4uKTeTnJA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@babel/types": "^7.3.0"
+      }
+    },
+    "node_modules/@types/graceful-fs": {
+      "version": "4.1.5",
+      "integrity": "sha512-anKkLmZZ+xm4p8JWBf4hElkM4XR+EZeA2M9BAkkTldmcyDY4mbdIJnRghDJH3Ov5ooY7/UAoENtmdMSkaAd7Cw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@types/node": "*"
+      }
+    },
+    "node_modules/@types/istanbul-lib-coverage": {
+      "version": "2.0.3",
+      "integrity": "sha512-sz7iLqvVUg1gIedBOvlkxPlc8/uVzyS5OwGz1cKjXzkl3FpL3al0crU8YGU1WoHkxn0Wxbw5tyi6hvzJKNzFsw==",
+      "dev": true
+    },
+    "node_modules/@types/istanbul-lib-report": {
+      "version": "3.0.0",
+      "integrity": "sha512-plGgXAPfVKFoYfa9NpYDAkseG+g6Jr294RqeqcqDixSbU34MZVJRi/P+7Y8GDpzkEwLaGZZOpKIEmeVZNtKsrg==",
+      "dev": true,
+      "dependencies": {
+        "@types/istanbul-lib-coverage": "*"
+      }
+    },
+    "node_modules/@types/istanbul-reports": {
+      "version": "3.0.1",
+      "integrity": "sha512-c3mAZEuK0lvBp8tmuL74XRKn1+y2dcwOUpH7x4WrF6gk1GIgiluDRgMYQtw2OFcBvAJWlt6ASU3tSqxp0Uu0Aw==",
+      "dev": true,
+      "dependencies": {
+        "@types/istanbul-lib-report": "*"
+      }
+    },
+    "node_modules/@types/json-schema": {
+      "version": "7.0.11",
+      "resolved": "https://registry.npmjs.org/@types/json-schema/-/json-schema-7.0.11.tgz",
+      "integrity": "sha512-wOuvG1SN4Us4rez+tylwwwCV1psiNVOkJeM3AUWUNWg/jDQY2+HE/444y5gc+jBmRqASOm2Oeh5c1axHobwRKQ==",
+      "dev": true
+    },
+    "node_modules/@types/json5": {
+      "version": "0.0.29",
+      "resolved": "https://registry.npmjs.org/@types/json5/-/json5-0.0.29.tgz",
+      "integrity": "sha512-dRLjCWHYg4oaA77cxO64oO+7JwCwnIzkZPdrrC71jQmQtlhM556pwKo5bUzqvZndkVbeFLIIi+9TC40JNF5hNQ==",
+      "dev": true
+    },
+    "node_modules/@types/mdast": {
+      "version": "3.0.10",
+      "integrity": "sha512-W864tg/Osz1+9f4lrGTZpCSO5/z4608eUp19tbozkq2HJK6i3z1kT0H9tlADXuYIb1YYOBByU4Jsqkk75q48qA==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "*"
+      }
+    },
+    "node_modules/@types/minimist": {
+      "version": "1.2.2",
+      "integrity": "sha512-jhuKLIRrhvCPLqwPcx6INqmKeiA5EWrsCOPhrlFSrbrmU4ZMPjj5Ul/oLCMDO98XRUIwVm78xICz4EPCektzeQ==",
+      "dev": true
+    },
+    "node_modules/@types/node": {
+      "version": "16.10.3",
+      "integrity": "sha512-ho3Ruq+fFnBrZhUYI46n/bV2GjwzSkwuT4dTf0GkuNFmnb8nq4ny2z9JEVemFi6bdEJanHLlYfy9c6FN9B9McQ==",
+      "dev": true
+    },
+    "node_modules/@types/normalize-package-data": {
+      "version": "2.4.1",
+      "integrity": "sha512-Gj7cI7z+98M282Tqmp2K5EIsoouUEzbBJhQQzDE3jSIRk6r9gsz0oUokqIUR4u1R3dMHo0pDHM7sNOHyhulypw==",
+      "dev": true
+    },
+    "node_modules/@types/parse-json": {
+      "version": "4.0.0",
+      "integrity": "sha512-//oorEZjL6sbPcKUaCdIGlIUeH26mgzimjBB77G6XRgnDl/L5wOnpyBGRe/Mmf5CVW3PwEBE1NjiMZ/ssFh4wA==",
+      "dev": true
+    },
+    "node_modules/@types/prettier": {
+      "version": "2.4.1",
+      "integrity": "sha512-Fo79ojj3vdEZOHg3wR9ksAMRz4P3S5fDB5e/YWZiFnyFQI1WY2Vftu9XoXVVtJfxB7Bpce/QTqWSSntkz2Znrw==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/@types/semver": {
+      "version": "7.3.13",
+      "resolved": "https://registry.npmjs.org/@types/semver/-/semver-7.3.13.tgz",
+      "integrity": "sha512-21cFJr9z3g5dW8B0CVI9g2O9beqaThGQ6ZFBqHfwhzLDKUxaqTIy3vnfah/UPkfOiF2pLq+tGz+W8RyCskuslw==",
+      "dev": true
+    },
+    "node_modules/@types/stack-utils": {
+      "version": "2.0.1",
+      "integrity": "sha512-Hl219/BT5fLAaz6NDkSuhzasy49dwQS/DSdu4MdggFB8zcXv7vflBI3xp7FEmkmdDkBUI2bPUNeMttp2knYdxw==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/@types/supports-color": {
+      "version": "8.1.1",
+      "resolved": "https://registry.npmjs.org/@types/supports-color/-/supports-color-8.1.1.tgz",
+      "integrity": "sha512-dPWnWsf+kzIG140B8z2w3fr5D03TLWbOAFQl45xUpI3vcizeXriNR5VYkWZ+WTMsUHqZ9Xlt3hrxGNANFyNQfw==",
+      "dev": true
+    },
+    "node_modules/@types/unist": {
+      "version": "2.0.6",
+      "integrity": "sha512-PBjIUxZHOuj0R15/xuwJYjFi+KZdNFrehocChv4g5hu6aFroHue8m0lBP0POdK2nKzbw0cgV1mws8+V/JAcEkQ==",
+      "dev": true
+    },
+    "node_modules/@types/yargs": {
+      "version": "15.0.14",
+      "integrity": "sha512-yEJzHoxf6SyQGhBhIYGXQDSCkJjB6HohDShto7m8vaKg9Yp0Yn8+71J9eakh2bnPg6BfsH9PRMhiRTZnd4eXGQ==",
+      "dev": true,
+      "dependencies": {
+        "@types/yargs-parser": "*"
+      }
+    },
+    "node_modules/@types/yargs-parser": {
+      "version": "20.2.1",
+      "integrity": "sha512-7tFImggNeNBVMsn0vLrpn1H1uPrUBdnARPTpZoitY37ZrdJREzf7I16tMrlK3hen349gr1NYh8CmZQa7CTG6Aw==",
+      "dev": true
+    },
+    "node_modules/@typescript-eslint/eslint-plugin": {
+      "version": "5.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-5.48.1.tgz",
+      "integrity": "sha512-9nY5K1Rp2ppmpb9s9S2aBiF3xo5uExCehMDmYmmFqqyxgenbHJ3qbarcLt4ITgaD6r/2ypdlcFRdcuVPnks+fQ==",
+      "dev": true,
+      "dependencies": {
+        "@typescript-eslint/scope-manager": "5.48.1",
+        "@typescript-eslint/type-utils": "5.48.1",
+        "@typescript-eslint/utils": "5.48.1",
+        "debug": "^4.3.4",
+        "ignore": "^5.2.0",
+        "natural-compare-lite": "^1.4.0",
+        "regexpp": "^3.2.0",
+        "semver": "^7.3.7",
+        "tsutils": "^3.21.0"
+      },
+      "engines": {
+        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/typescript-eslint"
+      },
+      "peerDependencies": {
+        "@typescript-eslint/parser": "^5.0.0",
+        "eslint": "^6.0.0 || ^7.0.0 || ^8.0.0"
+      },
+      "peerDependenciesMeta": {
+        "typescript": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@typescript-eslint/eslint-plugin/node_modules/semver": {
+      "version": "7.3.8",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.3.8.tgz",
+      "integrity": "sha512-NB1ctGL5rlHrPJtFDVIVzTyQylMLu9N9VICA6HSFJo8MCGVTMW6gfpicwKmmK/dAjTOrqu5l63JJOpDSrAis3A==",
+      "dev": true,
+      "dependencies": {
+        "lru-cache": "^6.0.0"
+      },
+      "bin": {
+        "semver": "bin/semver.js"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/@typescript-eslint/parser": {
+      "version": "5.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-5.48.1.tgz",
+      "integrity": "sha512-4yg+FJR/V1M9Xoq56SF9Iygqm+r5LMXvheo6DQ7/yUWynQ4YfCRnsKuRgqH4EQ5Ya76rVwlEpw4Xu+TgWQUcdA==",
+      "dev": true,
+      "dependencies": {
+        "@typescript-eslint/scope-manager": "5.48.1",
+        "@typescript-eslint/types": "5.48.1",
+        "@typescript-eslint/typescript-estree": "5.48.1",
+        "debug": "^4.3.4"
+      },
+      "engines": {
+        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/typescript-eslint"
+      },
+      "peerDependencies": {
+        "eslint": "^6.0.0 || ^7.0.0 || ^8.0.0"
+      },
+      "peerDependenciesMeta": {
+        "typescript": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@typescript-eslint/scope-manager": {
+      "version": "5.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-5.48.1.tgz",
+      "integrity": "sha512-S035ueRrbxRMKvSTv9vJKIWgr86BD8s3RqoRZmsSh/s8HhIs90g6UlK8ZabUSjUZQkhVxt7nmZ63VJ9dcZhtDQ==",
+      "dev": true,
+      "dependencies": {
+        "@typescript-eslint/types": "5.48.1",
+        "@typescript-eslint/visitor-keys": "5.48.1"
+      },
+      "engines": {
+        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/typescript-eslint"
+      }
+    },
+    "node_modules/@typescript-eslint/type-utils": {
+      "version": "5.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-5.48.1.tgz",
+      "integrity": "sha512-Hyr8HU8Alcuva1ppmqSYtM/Gp0q4JOp1F+/JH5D1IZm/bUBrV0edoewQZiEc1r6I8L4JL21broddxK8HAcZiqQ==",
+      "dev": true,
+      "dependencies": {
+        "@typescript-eslint/typescript-estree": "5.48.1",
+        "@typescript-eslint/utils": "5.48.1",
+        "debug": "^4.3.4",
+        "tsutils": "^3.21.0"
+      },
+      "engines": {
+        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/typescript-eslint"
+      },
+      "peerDependencies": {
+        "eslint": "*"
+      },
+      "peerDependenciesMeta": {
+        "typescript": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@typescript-eslint/types": {
+      "version": "5.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-5.48.1.tgz",
+      "integrity": "sha512-xHyDLU6MSuEEdIlzrrAerCGS3T7AA/L8Hggd0RCYBi0w3JMvGYxlLlXHeg50JI9Tfg5MrtsfuNxbS/3zF1/ATg==",
+      "dev": true,
+      "engines": {
+        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/typescript-eslint"
+      }
+    },
+    "node_modules/@typescript-eslint/typescript-estree": {
+      "version": "5.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-5.48.1.tgz",
+      "integrity": "sha512-Hut+Osk5FYr+sgFh8J/FHjqX6HFcDzTlWLrFqGoK5kVUN3VBHF/QzZmAsIXCQ8T/W9nQNBTqalxi1P3LSqWnRA==",
+      "dev": true,
+      "dependencies": {
+        "@typescript-eslint/types": "5.48.1",
+        "@typescript-eslint/visitor-keys": "5.48.1",
+        "debug": "^4.3.4",
+        "globby": "^11.1.0",
+        "is-glob": "^4.0.3",
+        "semver": "^7.3.7",
+        "tsutils": "^3.21.0"
+      },
+      "engines": {
+        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/typescript-eslint"
+      },
+      "peerDependenciesMeta": {
+        "typescript": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@typescript-eslint/typescript-estree/node_modules/globby": {
+      "version": "11.1.0",
+      "resolved": "https://registry.npmjs.org/globby/-/globby-11.1.0.tgz",
+      "integrity": "sha512-jhIXaOzy1sb8IyocaruWSn1TjmnBVs8Ayhcy83rmxNJ8q2uWKCAj3CnJY+KpGSXCueAPc0i05kVvVKtP1t9S3g==",
+      "dev": true,
+      "dependencies": {
+        "array-union": "^2.1.0",
+        "dir-glob": "^3.0.1",
+        "fast-glob": "^3.2.9",
+        "ignore": "^5.2.0",
+        "merge2": "^1.4.1",
+        "slash": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/@typescript-eslint/typescript-estree/node_modules/semver": {
+      "version": "7.3.8",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.3.8.tgz",
+      "integrity": "sha512-NB1ctGL5rlHrPJtFDVIVzTyQylMLu9N9VICA6HSFJo8MCGVTMW6gfpicwKmmK/dAjTOrqu5l63JJOpDSrAis3A==",
+      "dev": true,
+      "dependencies": {
+        "lru-cache": "^6.0.0"
+      },
+      "bin": {
+        "semver": "bin/semver.js"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/@typescript-eslint/utils": {
+      "version": "5.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-5.48.1.tgz",
+      "integrity": "sha512-SmQuSrCGUOdmGMwivW14Z0Lj8dxG1mOFZ7soeJ0TQZEJcs3n5Ndgkg0A4bcMFzBELqLJ6GTHnEU+iIoaD6hFGA==",
+      "dev": true,
+      "dependencies": {
+        "@types/json-schema": "^7.0.9",
+        "@types/semver": "^7.3.12",
+        "@typescript-eslint/scope-manager": "5.48.1",
+        "@typescript-eslint/types": "5.48.1",
+        "@typescript-eslint/typescript-estree": "5.48.1",
+        "eslint-scope": "^5.1.1",
+        "eslint-utils": "^3.0.0",
+        "semver": "^7.3.7"
+      },
+      "engines": {
+        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/typescript-eslint"
+      },
+      "peerDependencies": {
+        "eslint": "^6.0.0 || ^7.0.0 || ^8.0.0"
+      }
+    },
+    "node_modules/@typescript-eslint/utils/node_modules/semver": {
+      "version": "7.3.8",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.3.8.tgz",
+      "integrity": "sha512-NB1ctGL5rlHrPJtFDVIVzTyQylMLu9N9VICA6HSFJo8MCGVTMW6gfpicwKmmK/dAjTOrqu5l63JJOpDSrAis3A==",
+      "dev": true,
+      "dependencies": {
+        "lru-cache": "^6.0.0"
+      },
+      "bin": {
+        "semver": "bin/semver.js"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/@typescript-eslint/visitor-keys": {
+      "version": "5.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-5.48.1.tgz",
+      "integrity": "sha512-Ns0XBwmfuX7ZknznfXozgnydyR8F6ev/KEGePP4i74uL3ArsKbEhJ7raeKr1JSa997DBDwol/4a0Y+At82c9dA==",
+      "dev": true,
+      "dependencies": {
+        "@typescript-eslint/types": "5.48.1",
+        "eslint-visitor-keys": "^3.3.0"
+      },
+      "engines": {
+        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/typescript-eslint"
+      }
+    },
+    "node_modules/abab": {
+      "version": "2.0.5",
+      "integrity": "sha512-9IK9EadsbHo6jLWIpxpR6pL0sazTXV6+SQv25ZB+F7Bj9mJNaOc4nCRabwd5M/JwmUa8idz6Eci6eKfJryPs6Q==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/acorn": {
+      "version": "7.4.1",
+      "integrity": "sha512-nQyp0o1/mNdbTO1PO6kHkwSrmgZ0MT/jCCpNiwbUjGoRN4dlBhqJtoQuCnEOKzgTVwg0ZWiCoQy6SxMebQVh8A==",
+      "dev": true,
+      "peer": true,
+      "bin": {
+        "acorn": "bin/acorn"
+      },
+      "engines": {
+        "node": ">=0.4.0"
+      }
+    },
+    "node_modules/acorn-globals": {
+      "version": "6.0.0",
+      "integrity": "sha512-ZQl7LOWaF5ePqqcX4hLuv/bLXYQNfNWw2c0/yX/TsPRKamzHcTGQnlCjHT3TsmkOUVEPS3crCxiPfdzE/Trlhg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "acorn": "^7.1.1",
+        "acorn-walk": "^7.1.1"
+      }
+    },
+    "node_modules/acorn-jsx": {
+      "version": "5.3.2",
+      "resolved": "https://registry.npmjs.org/acorn-jsx/-/acorn-jsx-5.3.2.tgz",
+      "integrity": "sha512-rq9s+JNhf0IChjtDXxllJ7g41oZk5SlXtp0LHwyA5cejwn7vKmKp4pPri6YEePv2PU65sAsegbXtIinmDFDXgQ==",
+      "dev": true,
+      "peerDependencies": {
+        "acorn": "^6.0.0 || ^7.0.0 || ^8.0.0"
+      }
+    },
+    "node_modules/acorn-walk": {
+      "version": "7.2.0",
+      "integrity": "sha512-OPdCF6GsMIP+Az+aWfAAOEt2/+iVDKE7oy6lJ098aoe59oAmK76qV6Gw60SbZ8jHuG2wH058GF4pLFbYamYrVA==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.4.0"
+      }
+    },
+    "node_modules/agent-base": {
+      "version": "6.0.2",
+      "integrity": "sha512-RZNwNclF7+MS/8bDg70amg32dyeZGZxiDuQmZxKLAlQjr3jGyLx+4Kkk58UO7D2QdgFIQCovuSuZESne6RG6XQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "debug": "4"
+      },
+      "engines": {
+        "node": ">= 6.0.0"
+      }
+    },
+    "node_modules/aggregate-error": {
+      "version": "3.1.0",
+      "integrity": "sha512-4I7Td01quW/RpocfNayFdFVk1qSuoh0E7JrbRJ16nH01HhKFQ88INq9Sd+nd72zqRySlr9BmDA8xlEJ6vJMrYA==",
+      "dev": true,
+      "dependencies": {
+        "clean-stack": "^2.0.0",
+        "indent-string": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/ajv": {
+      "version": "6.12.6",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz",
+      "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==",
+      "dev": true,
+      "dependencies": {
+        "fast-deep-equal": "^3.1.1",
+        "fast-json-stable-stringify": "^2.0.0",
+        "json-schema-traverse": "^0.4.1",
+        "uri-js": "^4.2.2"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/epoberezkin"
+      }
+    },
+    "node_modules/ansi-colors": {
+      "version": "4.1.1",
+      "integrity": "sha512-JoX0apGbHaUJBNl6yF+p6JAFYZ666/hhCGKN5t9QFjbJQKUU/g8MNbFDbvfrgKXvI1QpZplPOnwIo99lX/AAmA==",
+      "dev": true,
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/ansi-escapes": {
+      "version": "4.3.2",
+      "integrity": "sha512-gKXj5ALrKWQLsYG9jlTRmR/xKluxHV+Z9QEwNIgCfM1/uwPMCuzVVnh5mwTd+OuBZcwSIMbqssNWRm1lE51QaQ==",
+      "dev": true,
+      "dependencies": {
+        "type-fest": "^0.21.3"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/ansi-regex": {
+      "version": "5.0.1",
+      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/ansi-styles": {
+      "version": "4.3.0",
+      "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
+      "dev": true,
+      "dependencies": {
+        "color-convert": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/ansi-styles?sponsor=1"
+      }
+    },
+    "node_modules/anymatch": {
+      "version": "3.1.2",
+      "integrity": "sha512-P43ePfOAIupkguHUycrc4qJ9kz8ZiuOUijaETwX7THt0Y/GNK7v0aa8rY816xWjZ7rJdA5XdMcpVFTKMq+RvWg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "normalize-path": "^3.0.0",
+        "picomatch": "^2.0.4"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/argparse": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz",
+      "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==",
+      "dev": true
+    },
+    "node_modules/aria-query": {
+      "version": "5.1.3",
+      "resolved": "https://registry.npmjs.org/aria-query/-/aria-query-5.1.3.tgz",
+      "integrity": "sha512-R5iJ5lkuHybztUfuOAznmboyjWq8O6sqNqtK7CLOqdydi54VNbORp49mb14KbWgG1QD3JFO9hJdZ+y4KutfdOQ==",
+      "dev": true,
+      "dependencies": {
+        "deep-equal": "^2.0.5"
+      }
+    },
+    "node_modules/arr-diff": {
+      "version": "4.0.0",
+      "integrity": "sha1-1kYQdP6/7HHn4VI1dhoyml3HxSA=",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/arr-flatten": {
+      "version": "1.1.0",
+      "integrity": "sha512-L3hKV5R/p5o81R7O02IGnwpDmkp6E982XhtbuwSe3O4qOtMMMtodicASA1Cny2U+aCXcNpml+m4dPsvsJ3jatg==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/arr-union": {
+      "version": "3.1.0",
+      "integrity": "sha1-45sJrqne+Gao8gbiiK9jkZuuOcQ=",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/array-includes": {
+      "version": "3.1.6",
+      "resolved": "https://registry.npmjs.org/array-includes/-/array-includes-3.1.6.tgz",
+      "integrity": "sha512-sgTbLvL6cNnw24FnbaDyjmvddQ2ML8arZsgaJhoABMoplz/4QRhtrYS+alr1BUM1Bwp6dhx8vVCBSLG+StwOFw==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.4",
+        "es-abstract": "^1.20.4",
+        "get-intrinsic": "^1.1.3",
+        "is-string": "^1.0.7"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/array-union": {
+      "version": "2.1.0",
+      "integrity": "sha512-HGyxoOTYUyCM6stUe6EJgnd4EoewAI7zMdfqO+kGjnlZmBDz/cR5pf8r/cR4Wq60sL/p0IkcjUEEPwS3GFrIyw==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/array-unique": {
+      "version": "0.3.2",
+      "integrity": "sha1-qJS3XUvE9s1nnvMkSp/Y9Gri1Cg=",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/array.prototype.flat": {
+      "version": "1.3.1",
+      "resolved": "https://registry.npmjs.org/array.prototype.flat/-/array.prototype.flat-1.3.1.tgz",
+      "integrity": "sha512-roTU0KWIOmJ4DRLmwKd19Otg0/mT3qPNt0Qb3GWW8iObuZXxrjB/pzn0R3hqpRSWg4HCwqx+0vwOnWnvlOyeIA==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.4",
+        "es-abstract": "^1.20.4",
+        "es-shim-unscopables": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/array.prototype.flatmap": {
+      "version": "1.3.1",
+      "resolved": "https://registry.npmjs.org/array.prototype.flatmap/-/array.prototype.flatmap-1.3.1.tgz",
+      "integrity": "sha512-8UGn9O1FDVvMNB0UlLv4voxRMze7+FpHyF5mSMRjWHUMlpoDViniy05870VlxhfgTnLbpuwTzvD76MTtWxB/mQ==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.4",
+        "es-abstract": "^1.20.4",
+        "es-shim-unscopables": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/array.prototype.tosorted": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/array.prototype.tosorted/-/array.prototype.tosorted-1.1.1.tgz",
+      "integrity": "sha512-pZYPXPRl2PqWcsUs6LOMn+1f1532nEoPTYowBtqLwAW+W8vSVhkIGnmOX1t/UQjD6YGI0vcD2B1U7ZFGQH9jnQ==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.4",
+        "es-abstract": "^1.20.4",
+        "es-shim-unscopables": "^1.0.0",
+        "get-intrinsic": "^1.1.3"
+      }
+    },
+    "node_modules/arrify": {
+      "version": "1.0.1",
+      "integrity": "sha1-iYUI2iIm84DfkEcoRWhJwVAaSw0=",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/assign-symbols": {
+      "version": "1.0.0",
+      "integrity": "sha1-WWZ/QfrdTyDMvCu5a41Pf3jsA2c=",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/ast-types-flow": {
+      "version": "0.0.7",
+      "resolved": "https://registry.npmjs.org/ast-types-flow/-/ast-types-flow-0.0.7.tgz",
+      "integrity": "sha512-eBvWn1lvIApYMhzQMsu9ciLfkBY499mFZlNqG+/9WR7PVlroQw0vG30cOQQbaKz3sCEc44TAOu2ykzqXSNnwag==",
+      "dev": true
+    },
+    "node_modules/astral-regex": {
+      "version": "2.0.0",
+      "integrity": "sha512-Z7tMw1ytTXt5jqMcOP+OQteU1VuNK9Y02uuJtKQ1Sv69jXQKKg5cibLwGJow8yzZP+eAc18EmLGPal0bp36rvQ==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/async": {
+      "version": "0.9.2",
+      "integrity": "sha1-rqdNXmHB+JlhO/ZL2mbUx48v0X0=",
+      "dev": true
+    },
+    "node_modules/asynckit": {
+      "version": "0.4.0",
+      "integrity": "sha1-x57Zf380y48robyXkLzDZkdLS3k=",
+      "dev": true
+    },
+    "node_modules/at-least-node": {
+      "version": "1.0.0",
+      "integrity": "sha512-+q/t7Ekv1EDY2l6Gda6LLiX14rU9TV20Wa3ofeQmwPFZbOMo9DXrLbOjFaaclkXKWidIaopwAObQDqwWtGUjqg==",
+      "dev": true,
+      "engines": {
+        "node": ">= 4.0.0"
+      }
+    },
+    "node_modules/atob": {
+      "version": "2.1.2",
+      "integrity": "sha512-Wm6ukoaOGJi/73p/cl2GvLjTI5JM1k/O14isD73YML8StrH/7/lRFgmg8nICZgD3bZZvjwCGxtMOD3wWNAu8cg==",
+      "dev": true,
+      "peer": true,
+      "bin": {
+        "atob": "bin/atob.js"
+      },
+      "engines": {
+        "node": ">= 4.5.0"
+      }
+    },
+    "node_modules/autoprefixer": {
+      "version": "9.8.8",
+      "integrity": "sha512-eM9d/swFopRt5gdJ7jrpCwgvEMIayITpojhkkSMRsFHYuH5bkSQ4p/9qTEHtmNudUZh22Tehu7I6CxAW0IXTKA==",
+      "dev": true,
+      "dependencies": {
+        "browserslist": "^4.12.0",
+        "caniuse-lite": "^1.0.30001109",
+        "normalize-range": "^0.1.2",
+        "num2fraction": "^1.2.2",
+        "picocolors": "^0.2.1",
+        "postcss": "^7.0.32",
+        "postcss-value-parser": "^4.1.0"
+      },
+      "bin": {
+        "autoprefixer": "bin/autoprefixer"
+      },
+      "funding": {
+        "type": "tidelift",
+        "url": "https://tidelift.com/funding/github/npm/autoprefixer"
+      }
+    },
+    "node_modules/autoprefixer/node_modules/postcss": {
+      "version": "7.0.39",
+      "integrity": "sha512-yioayjNbHn6z1/Bywyb2Y4s3yvDAeXGOyxqD+LnVOinq6Mdmd++SW2wUNVzavyyHxd6+DxzWGIuosg6P1Rj8uA==",
+      "dev": true,
+      "dependencies": {
+        "picocolors": "^0.2.1",
+        "source-map": "^0.6.1"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/postcss/"
+      }
+    },
+    "node_modules/autoprefixer/node_modules/source-map": {
+      "version": "0.6.1",
+      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/available-typed-arrays": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/available-typed-arrays/-/available-typed-arrays-1.0.5.tgz",
+      "integrity": "sha512-DMD0KiN46eipeziST1LPP/STfDU0sufISXmjSgvVsoU2tqxctQeASejWcfNtxYKqETM1UxQ8sp2OrSBWpHY6sw==",
+      "dev": true,
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/axe-core": {
+      "version": "4.6.2",
+      "resolved": "https://registry.npmjs.org/axe-core/-/axe-core-4.6.2.tgz",
+      "integrity": "sha512-b1WlTV8+XKLj9gZy2DZXgQiyDp9xkkoe2a6U6UbYccScq2wgH/YwCeI2/Jq2mgo0HzQxqJOjWZBLeA/mqsk5Mg==",
+      "dev": true,
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/axobject-query": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/axobject-query/-/axobject-query-3.1.1.tgz",
+      "integrity": "sha512-goKlv8DZrK9hUh975fnHzhNIO4jUnFCfv/dszV5VwUGDFjI6vQ2VwoyjYjYNEbBE8AH87TduWP5uyDR1D+Iteg==",
+      "dev": true,
+      "dependencies": {
+        "deep-equal": "^2.0.5"
+      }
+    },
+    "node_modules/babel-jest": {
+      "version": "26.6.3",
+      "integrity": "sha512-pl4Q+GAVOHwvjrck6jKjvmGhnO3jHX/xuB9d27f+EJZ/6k+6nMuPjorrYp7s++bKKdANwzElBWnLWaObvTnaZA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@jest/transform": "^26.6.2",
+        "@jest/types": "^26.6.2",
+        "@types/babel__core": "^7.1.7",
+        "babel-plugin-istanbul": "^6.0.0",
+        "babel-preset-jest": "^26.6.2",
+        "chalk": "^4.0.0",
+        "graceful-fs": "^4.2.4",
+        "slash": "^3.0.0"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0"
+      }
+    },
+    "node_modules/babel-plugin-istanbul": {
+      "version": "6.0.0",
+      "integrity": "sha512-AF55rZXpe7trmEylbaE1Gv54wn6rwU03aptvRoVIGP8YykoSxqdVLV1TfwflBCE/QtHmqtP8SWlTENqbK8GCSQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.0.0",
+        "@istanbuljs/load-nyc-config": "^1.0.0",
+        "@istanbuljs/schema": "^0.1.2",
+        "istanbul-lib-instrument": "^4.0.0",
+        "test-exclude": "^6.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/babel-plugin-jest-hoist": {
+      "version": "26.6.2",
+      "integrity": "sha512-PO9t0697lNTmcEHH69mdtYiOIkkOlj9fySqfO3K1eCcdISevLAE0xY59VLLUj0SoiPiTX/JU2CYFpILydUa5Lw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@babel/template": "^7.3.3",
+        "@babel/types": "^7.3.3",
+        "@types/babel__core": "^7.0.0",
+        "@types/babel__traverse": "^7.0.6"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/babel-preset-current-node-syntax": {
+      "version": "1.0.1",
+      "integrity": "sha512-M7LQ0bxarkxQoN+vz5aJPsLBn77n8QgTFmo8WK0/44auK2xlCXrYcUxHFxgU7qW5Yzw/CjmLRK2uJzaCd7LvqQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@babel/plugin-syntax-async-generators": "^7.8.4",
+        "@babel/plugin-syntax-bigint": "^7.8.3",
+        "@babel/plugin-syntax-class-properties": "^7.8.3",
+        "@babel/plugin-syntax-import-meta": "^7.8.3",
+        "@babel/plugin-syntax-json-strings": "^7.8.3",
+        "@babel/plugin-syntax-logical-assignment-operators": "^7.8.3",
+        "@babel/plugin-syntax-nullish-coalescing-operator": "^7.8.3",
+        "@babel/plugin-syntax-numeric-separator": "^7.8.3",
+        "@babel/plugin-syntax-object-rest-spread": "^7.8.3",
+        "@babel/plugin-syntax-optional-catch-binding": "^7.8.3",
+        "@babel/plugin-syntax-optional-chaining": "^7.8.3",
+        "@babel/plugin-syntax-top-level-await": "^7.8.3"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0"
+      }
+    },
+    "node_modules/babel-preset-jest": {
+      "version": "26.6.2",
+      "integrity": "sha512-YvdtlVm9t3k777c5NPQIv6cxFFFapys25HiUmuSgHwIZhfifweR5c5Sf5nwE3MAbfu327CYSvps8Yx6ANLyleQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "babel-plugin-jest-hoist": "^26.6.2",
+        "babel-preset-current-node-syntax": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0"
+      }
+    },
+    "node_modules/bail": {
+      "version": "1.0.5",
+      "integrity": "sha512-xFbRxM1tahm08yHBP16MMjVUAvDaBMD38zsM9EMAUN61omwLmKlOpB/Zku5QkjZ8TZ4vn53pj+t518cH0S03RQ==",
+      "dev": true,
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/wooorm"
+      }
+    },
+    "node_modules/balanced-match": {
+      "version": "1.0.2",
+      "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
+      "dev": true
+    },
+    "node_modules/base": {
+      "version": "0.11.2",
+      "integrity": "sha512-5T6P4xPgpp0YDFvSWwEZ4NoE3aM4QBQXDzmVbraCkFj8zHM+mba8SyqB5DbZWyR7mYHo6Y7BdQo3MoA4m0TeQg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "cache-base": "^1.0.1",
+        "class-utils": "^0.3.5",
+        "component-emitter": "^1.2.1",
+        "define-property": "^1.0.0",
+        "isobject": "^3.0.1",
+        "mixin-deep": "^1.2.0",
+        "pascalcase": "^0.1.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/base/node_modules/define-property": {
+      "version": "1.0.0",
+      "integrity": "sha1-dp66rz9KY6rTr56NMEybvnm/sOY=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-descriptor": "^1.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/brace-expansion": {
+      "version": "1.1.11",
+      "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==",
+      "dev": true,
+      "dependencies": {
+        "balanced-match": "^1.0.0",
+        "concat-map": "0.0.1"
+      }
+    },
+    "node_modules/braces": {
+      "version": "3.0.2",
+      "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==",
+      "dev": true,
+      "dependencies": {
+        "fill-range": "^7.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/browser-process-hrtime": {
+      "version": "1.0.0",
+      "integrity": "sha512-9o5UecI3GhkpM6DrXr69PblIuWxPKk9Y0jHBRhdocZ2y7YECBFCsHm79Pr3OyR2AvjhDkabFJaDJMYRazHgsow==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/browserslist": {
+      "version": "4.17.3",
+      "integrity": "sha512-59IqHJV5VGdcJZ+GZ2hU5n4Kv3YiASzW6Xk5g9tf5a/MAzGeFwgGWU39fVzNIOVcgB3+Gp+kiQu0HEfTVU/3VQ==",
+      "dev": true,
+      "dependencies": {
+        "caniuse-lite": "^1.0.30001264",
+        "electron-to-chromium": "^1.3.857",
+        "escalade": "^3.1.1",
+        "node-releases": "^1.1.77",
+        "picocolors": "^0.2.1"
+      },
+      "bin": {
+        "browserslist": "cli.js"
+      },
+      "engines": {
+        "node": "^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/browserslist"
+      }
+    },
+    "node_modules/bs-logger": {
+      "version": "0.2.6",
+      "integrity": "sha512-pd8DCoxmbgc7hyPKOvxtqNcjYoOsABPQdcCUjGp3d42VR2CX1ORhk2A87oqqu5R1kk+76nsxZupkmyd+MVtCog==",
+      "dev": true,
+      "dependencies": {
+        "fast-json-stable-stringify": "2.x"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/bser": {
+      "version": "2.1.1",
+      "integrity": "sha512-gQxTNE/GAfIIrmHLUE3oJyp5FO6HRBfhjnw4/wMmA63ZGDJnWBmgY/lyQBpnDUkGmAhbSe39tx2d/iTOAfglwQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "node-int64": "^0.4.0"
+      }
+    },
+    "node_modules/buffer-from": {
+      "version": "1.1.2",
+      "integrity": "sha512-E+XQCRwSbaaiChtv6k6Dwgc+bx+Bs6vuKJHHl5kox/BaKbhiXzqQOwK4cO22yElGp2OCmjwVhT3HmxgyPGnJfQ==",
+      "dev": true
+    },
+    "node_modules/cache-base": {
+      "version": "1.0.1",
+      "integrity": "sha512-AKcdTnFSWATd5/GCPRxr2ChwIJ85CeyrEyjRHlKxQ56d4XJMGym0uAiKn0xbLOGOl3+yRpOTi484dVCEc5AUzQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "collection-visit": "^1.0.0",
+        "component-emitter": "^1.2.1",
+        "get-value": "^2.0.6",
+        "has-value": "^1.0.0",
+        "isobject": "^3.0.1",
+        "set-value": "^2.0.0",
+        "to-object-path": "^0.3.0",
+        "union-value": "^1.0.0",
+        "unset-value": "^1.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/call-bind": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/call-bind/-/call-bind-1.0.2.tgz",
+      "integrity": "sha512-7O+FbCihrB5WGbFYesctwmTKae6rOiIzmz1icreWJ+0aA7LJfuqhEso2T9ncpcFtzMQtzXf2QGGueWJGTYsqrA==",
+      "dev": true,
+      "dependencies": {
+        "function-bind": "^1.1.1",
+        "get-intrinsic": "^1.0.2"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/callsites": {
+      "version": "3.1.0",
+      "integrity": "sha512-P8BjAsXvZS+VIDUI11hHCQEv74YT67YUi5JJFNWIqL235sBmjX4+qx9Muvls5ivyNENctx46xQLQ3aTuE7ssaQ==",
+      "dev": true,
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/camelcase": {
+      "version": "5.3.1",
+      "integrity": "sha512-L28STB170nwWS63UjtlEOE3dldQApaJXZkOI1uMFfzf3rRuPegHaHesyee+YxQ+W6SvRDQV6UrdOdRiR153wJg==",
+      "dev": true,
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/caniuse-lite": {
+      "version": "1.0.30001416",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001416.tgz",
+      "integrity": "sha512-06wzzdAkCPZO+Qm4e/eNghZBDfVNDsCgw33T27OwBH9unE9S478OYw//Q2L7Npf/zBzs7rjZOszIFQkwQKAEqA==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/browserslist"
+        },
+        {
+          "type": "tidelift",
+          "url": "https://tidelift.com/funding/github/npm/caniuse-lite"
+        }
+      ]
+    },
+    "node_modules/capture-exit": {
+      "version": "2.0.0",
+      "integrity": "sha512-PiT/hQmTonHhl/HFGN+Lx3JJUznrVYJ3+AQsnthneZbvW7x+f08Tk7yLJTLEOUvBTbduLeeBkxEaYXUOUrRq6g==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "rsvp": "^4.8.4"
+      },
+      "engines": {
+        "node": "6.* || 8.* || >= 10.*"
+      }
+    },
+    "node_modules/ccount": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/ccount/-/ccount-1.1.0.tgz",
+      "integrity": "sha512-vlNK021QdI7PNeiUh/lKkC/mNHHfV0m/Ad5JoI0TYtlBnJAslM/JIkm/tGC88bkLIwO6OQ5uV6ztS6kVAtCDlg==",
+      "dev": true,
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/wooorm"
+      }
+    },
+    "node_modules/chalk": {
+      "version": "4.1.0",
+      "integrity": "sha512-qwx12AxXe2Q5xQ43Ac//I6v5aXTipYrSESdOgzrN+9XjgEpyjpKuvSGaN4qE93f7TQTlerQQ8S+EQ0EyDoVL1A==",
+      "dev": true,
+      "dependencies": {
+        "ansi-styles": "^4.1.0",
+        "supports-color": "^7.1.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/chalk?sponsor=1"
+      }
+    },
+    "node_modules/char-regex": {
+      "version": "1.0.2",
+      "integrity": "sha512-kWWXztvZ5SBQV+eRgKFeh8q5sLuZY2+8WUIzlxWVTg+oGwY14qylx1KbKzHd8P6ZYkAg0xyIDU9JMHhyJMZ1jw==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/character-entities": {
+      "version": "1.2.4",
+      "integrity": "sha512-iBMyeEHxfVnIakwOuDXpVkc54HijNgCyQB2w0VfGQThle6NXn50zU6V/u+LDhxHcDUPojn6Kpga3PTAD8W1bQw==",
+      "dev": true,
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/wooorm"
+      }
+    },
+    "node_modules/character-entities-html4": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/character-entities-html4/-/character-entities-html4-1.1.4.tgz",
+      "integrity": "sha512-HRcDxZuZqMx3/a+qrzxdBKBPUpxWEq9xw2OPZ3a/174ihfrQKVsFhqtthBInFy1zZ9GgZyFXOatNujm8M+El3g==",
+      "dev": true,
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/wooorm"
+      }
+    },
+    "node_modules/character-entities-legacy": {
+      "version": "1.1.4",
+      "integrity": "sha512-3Xnr+7ZFS1uxeiUDvV02wQ+QDbc55o97tIV5zHScSPJpcLm/r0DFPcoY3tYRp+VZukxuMeKgXYmsXQHO05zQeA==",
+      "dev": true,
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/wooorm"
+      }
+    },
+    "node_modules/character-reference-invalid": {
+      "version": "1.1.4",
+      "integrity": "sha512-mKKUkUbhPpQlCOfIuZkvSEgktjPFIsZKRRbC6KWVEMvlzblj3i3asQv5ODsrwt0N3pHAEvjP8KTQPHkp0+6jOg==",
+      "dev": true,
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/wooorm"
+      }
+    },
+    "node_modules/chardet": {
+      "version": "0.7.0",
+      "integrity": "sha512-mT8iDcrh03qDGRRmoA2hmBJnxpllMR+0/0qlzjqZES6NdiWDcZkCNAk4rPFZ9Q85r27unkiNNg8ZOiwZXBHwcA==",
+      "dev": true
+    },
+    "node_modules/ci-info": {
+      "version": "2.0.0",
+      "integrity": "sha512-5tK7EtrZ0N+OLFMthtqOj4fI2Jeb88C4CAZPu25LDVUgXJ0A3Js4PMGqrn0JU1W0Mh1/Z8wZzYPxqUrXeBboCQ==",
+      "dev": true
+    },
+    "node_modules/cjs-module-lexer": {
+      "version": "0.6.0",
+      "integrity": "sha512-uc2Vix1frTfnuzxxu1Hp4ktSvM3QaI4oXl4ZUqL1wjTu/BGki9TrCWoqLTg/drR1KwAEarXuRFCG2Svr1GxPFw==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/class-utils": {
+      "version": "0.3.6",
+      "integrity": "sha512-qOhPa/Fj7s6TY8H8esGu5QNpMMQxz79h+urzrNYN6mn+9BnxlDGf5QZ+XeCDsxSjPqsSR56XOZOJmpeurnLMeg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "arr-union": "^3.1.0",
+        "define-property": "^0.2.5",
+        "isobject": "^3.0.0",
+        "static-extend": "^0.1.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/class-utils/node_modules/define-property": {
+      "version": "0.2.5",
+      "integrity": "sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-descriptor": "^0.1.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/class-utils/node_modules/is-accessor-descriptor": {
+      "version": "0.1.6",
+      "integrity": "sha1-qeEss66Nh2cn7u84Q/igiXtcmNY=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "kind-of": "^3.0.2"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/class-utils/node_modules/is-accessor-descriptor/node_modules/kind-of": {
+      "version": "3.2.2",
+      "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-buffer": "^1.1.5"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/class-utils/node_modules/is-buffer": {
+      "version": "1.1.6",
+      "integrity": "sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/class-utils/node_modules/is-data-descriptor": {
+      "version": "0.1.4",
+      "integrity": "sha1-C17mSDiOLIYCgueT8YVv7D8wG1Y=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "kind-of": "^3.0.2"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/class-utils/node_modules/is-data-descriptor/node_modules/kind-of": {
+      "version": "3.2.2",
+      "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-buffer": "^1.1.5"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/class-utils/node_modules/is-descriptor": {
+      "version": "0.1.6",
+      "integrity": "sha512-avDYr0SB3DwO9zsMov0gKCESFYqCnE4hq/4z3TdUlukEy5t9C0YRq7HLrsN52NAcqXKaepeCD0n+B0arnVG3Hg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-accessor-descriptor": "^0.1.6",
+        "is-data-descriptor": "^0.1.4",
+        "kind-of": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/class-utils/node_modules/kind-of": {
+      "version": "5.1.0",
+      "integrity": "sha512-NGEErnH6F2vUuXDh+OlbcKW7/wOcfdRHaZ7VWtqCztfHri/++YKmP51OdWeGPuqCOba6kk2OTe5d02VmTB80Pw==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/clean-stack": {
+      "version": "2.2.0",
+      "integrity": "sha512-4diC9HaTE+KRAMWhDhrGOECgWZxoevMc5TlkObMqNSsVU62PYzXZ/SMTjzyGAFF1YusgxGcSWTEXBhp0CPwQ1A==",
+      "dev": true,
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/cli-cursor": {
+      "version": "3.1.0",
+      "integrity": "sha512-I/zHAwsKf9FqGoXM4WWRACob9+SNukZTd94DWF57E4toouRulbCxcUh6RKUEOQlYTHJnzkPMySvPNaaSLNfLZw==",
+      "dev": true,
+      "dependencies": {
+        "restore-cursor": "^3.1.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/cli-truncate": {
+      "version": "2.1.0",
+      "integrity": "sha512-n8fOixwDD6b/ObinzTrp1ZKFzbgvKZvuz/TvejnLn1aQfC6r52XEx85FmuC+3HI+JM7coBRXUvNqEU2PHVrHpg==",
+      "dev": true,
+      "dependencies": {
+        "slice-ansi": "^3.0.0",
+        "string-width": "^4.2.0"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/cli-width": {
+      "version": "3.0.0",
+      "integrity": "sha512-FxqpkPPwu1HjuN93Omfm4h8uIanXofW0RxVEW3k5RKx+mJJYSthzNhp32Kzxxy3YAEZ/Dc/EWN1vZRY0+kOhbw==",
+      "dev": true,
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/cliui": {
+      "version": "6.0.0",
+      "integrity": "sha512-t6wbgtoCXvAzst7QgXxJYqPt0usEfbgQdftEPbLL/cvv6HPE5VgvqCuAIDR0NgU52ds6rFwqrgakNLrHEjCbrQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "string-width": "^4.2.0",
+        "strip-ansi": "^6.0.0",
+        "wrap-ansi": "^6.2.0"
+      }
+    },
+    "node_modules/cliui/node_modules/wrap-ansi": {
+      "version": "6.2.0",
+      "integrity": "sha512-r6lPcBGxZXlIcymEu7InxDMhdW0KDxpLgoFLcguasxCaJ/SOIZwINatK9KY/tf+ZrlywOKU0UDj3ATXUBfxJXA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "ansi-styles": "^4.0.0",
+        "string-width": "^4.1.0",
+        "strip-ansi": "^6.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/clone-regexp": {
+      "version": "2.2.0",
+      "integrity": "sha512-beMpP7BOtTipFuW8hrJvREQ2DrRu3BE7by0ZpibtfBA+qfHYvMGTc2Yb1JMYPKg/JUw0CHYvpg796aNTSW9z7Q==",
+      "dev": true,
+      "dependencies": {
+        "is-regexp": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/clone-regexp/node_modules/is-regexp": {
+      "version": "2.1.0",
+      "integrity": "sha512-OZ4IlER3zmRIoB9AqNhEggVxqIH4ofDns5nRrPS6yQxXE1TPCUpFznBfRQmQa8uC+pXqjMnukiJBxCisIxiLGA==",
+      "dev": true,
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/co": {
+      "version": "4.6.0",
+      "integrity": "sha1-bqa989hTrlTMuOR7+gvz+QMfsYQ=",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "iojs": ">= 1.0.0",
+        "node": ">= 0.12.0"
+      }
+    },
+    "node_modules/collapse-white-space": {
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/collapse-white-space/-/collapse-white-space-1.0.6.tgz",
+      "integrity": "sha512-jEovNnrhMuqyCcjfEJA56v0Xq8SkIoPKDyaHahwo3POf4qcSXqMYuwNcOTzp74vTsR9Tn08z4MxWqAhcekogkQ==",
+      "dev": true,
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/wooorm"
+      }
+    },
+    "node_modules/collect-v8-coverage": {
+      "version": "1.0.1",
+      "integrity": "sha512-iBPtljfCNcTKNAto0KEtDfZ3qzjJvqE3aTGZsbhjSBlorqpXJlaWWtPO35D+ZImoC3KWejX64o+yPGxhWSTzfg==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/collection-visit": {
+      "version": "1.0.0",
+      "integrity": "sha1-S8A3PBZLwykbTTaMgpzxqApZ3KA=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "map-visit": "^1.0.0",
+        "object-visit": "^1.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/color-convert": {
+      "version": "2.0.1",
+      "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
+      "dev": true,
+      "dependencies": {
+        "color-name": "~1.1.4"
+      },
+      "engines": {
+        "node": ">=7.0.0"
+      }
+    },
+    "node_modules/color-name": {
+      "version": "1.1.4",
+      "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==",
+      "dev": true
+    },
+    "node_modules/colorette": {
+      "version": "1.4.0",
+      "integrity": "sha512-Y2oEozpomLn7Q3HFP7dpww7AtMJplbM9lGZP6RDfHqmbeRjiwRg4n6VM6j4KLmRke85uWEI7JqF17f3pqdRA0g==",
+      "dev": true
+    },
+    "node_modules/combined-stream": {
+      "version": "1.0.8",
+      "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==",
+      "dev": true,
+      "dependencies": {
+        "delayed-stream": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/commander": {
+      "version": "7.2.0",
+      "integrity": "sha512-QrWXB+ZQSVPmIWIhtEO9H+gwHaMGYiF5ChvoJ+K9ZGHG/sVsa6yiesAD1GC/x46sET00Xlwo1u49RVVVzvcSkw==",
+      "dev": true,
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/component-emitter": {
+      "version": "1.3.0",
+      "integrity": "sha512-Rd3se6QB+sO1TwqZjscQrurpEPIfO0/yYnSin6Q/rD3mOutHvUrCAhJub3r90uNb+SESBuE0QYoB90YdfatsRg==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/concat-map": {
+      "version": "0.0.1",
+      "integrity": "sha1-2Klr13/Wjfd5OnMDajug1UBdR3s=",
+      "dev": true
+    },
+    "node_modules/convert-source-map": {
+      "version": "1.8.0",
+      "integrity": "sha512-+OQdjP49zViI/6i7nIJpA8rAl4sV/JdPfU9nZs3VqOwGIgizICvuN2ru6fMd+4llL0tar18UYJXfZ/TWtmhUjA==",
+      "dev": true,
+      "dependencies": {
+        "safe-buffer": "~5.1.1"
+      }
+    },
+    "node_modules/copy-descriptor": {
+      "version": "0.1.1",
+      "integrity": "sha1-Z29us8OZl8LuGsOpJP1hJHSPV40=",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/cosmiconfig": {
+      "version": "7.0.1",
+      "integrity": "sha512-a1YWNUV2HwGimB7dU2s1wUMurNKjpx60HxBB6xUM8Re+2s1g1IIfJvFR0/iCF+XHdE0GMTKTuLR32UQff4TEyQ==",
+      "dev": true,
+      "dependencies": {
+        "@types/parse-json": "^4.0.0",
+        "import-fresh": "^3.2.1",
+        "parse-json": "^5.0.0",
+        "path-type": "^4.0.0",
+        "yaml": "^1.10.0"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/cross-fetch": {
+      "version": "3.1.4",
+      "integrity": "sha512-1eAtFWdIubi6T4XPy6ei9iUFoKpUkIF971QLN8lIvvvwueI65+Nw5haMNKUwfJxabqlIIDODJKGrQ66gxC0PbQ==",
+      "dev": true,
+      "dependencies": {
+        "node-fetch": "2.6.1"
+      }
+    },
+    "node_modules/cross-fetch/node_modules/node-fetch": {
+      "version": "2.6.1",
+      "integrity": "sha512-V4aYg89jEoVRxRb2fJdAg8FHvI7cEyYdVAh94HH0UIK8oJxUfkjlDQN9RbMx+bEjP7+ggMiFRprSti032Oipxw==",
+      "dev": true,
+      "engines": {
+        "node": "4.x || >=6.0.0"
+      }
+    },
+    "node_modules/cross-spawn": {
+      "version": "7.0.3",
+      "integrity": "sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==",
+      "dev": true,
+      "dependencies": {
+        "path-key": "^3.1.0",
+        "shebang-command": "^2.0.0",
+        "which": "^2.0.1"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/cssesc": {
+      "version": "3.0.0",
+      "integrity": "sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg==",
+      "dev": true,
+      "bin": {
+        "cssesc": "bin/cssesc"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/cssom": {
+      "version": "0.4.4",
+      "integrity": "sha512-p3pvU7r1MyyqbTk+WbNJIgJjG2VmTIaB10rI93LzVPrmDJKkzKYMtxxyAvQXR/NS6otuzveI7+7BBq3SjBS2mw==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/cssstyle": {
+      "version": "2.3.0",
+      "integrity": "sha512-AZL67abkUzIuvcHqk7c09cezpGNcxUxU4Ioi/05xHk4DQeTkWmGYftIE6ctU6AEt+Gn4n1lDStOtj7FKycP71A==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "cssom": "~0.3.6"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/cssstyle/node_modules/cssom": {
+      "version": "0.3.8",
+      "integrity": "sha512-b0tGHbfegbhPJpxpiBPU2sCkigAqtM9O121le6bbOlgyV+NyGyCmVfJ6QW9eRjz8CpNfWEOYBIMIGRYkLwsIYg==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/damerau-levenshtein": {
+      "version": "1.0.8",
+      "resolved": "https://registry.npmjs.org/damerau-levenshtein/-/damerau-levenshtein-1.0.8.tgz",
+      "integrity": "sha512-sdQSFB7+llfUcQHUQO3+B8ERRj0Oa4w9POWMI/puGtuf7gFywGmkaLCElnudfTiKZV+NvHqL0ifzdrI8Ro7ESA==",
+      "dev": true
+    },
+    "node_modules/dart-linkcheck": {
+      "version": "2.0.15",
+      "integrity": "sha512-ZMvxkAyEpBTvBFk+DPjcK0ObNy8GM4gmrGG1qIu0EXb/zj25vjRWNnhLHKZw4JlOLo02oWlwDeqo98GuBlJcIg==",
+      "dev": true,
+      "bin": {
+        "linkcheck": "bin/linkcheck",
+        "linkcheck-linux": "bin/linkcheck-linux",
+        "linkcheck-win": "bin/linkcheck-win"
+      }
+    },
+    "node_modules/data-urls": {
+      "version": "2.0.0",
+      "integrity": "sha512-X5eWTSXO/BJmpdIKCRuKUgSCgAN0OwliVK3yPKbwIWU1Tdw5BRajxlzMidvh+gwko9AfQ9zIj52pzF91Q3YAvQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "abab": "^2.0.3",
+        "whatwg-mimetype": "^2.3.0",
+        "whatwg-url": "^8.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/debug": {
+      "version": "4.3.4",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
+      "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==",
+      "dev": true,
+      "dependencies": {
+        "ms": "2.1.2"
+      },
+      "engines": {
+        "node": ">=6.0"
+      },
+      "peerDependenciesMeta": {
+        "supports-color": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/decamelize": {
+      "version": "1.2.0",
+      "integrity": "sha1-9lNNFRSCabIDUue+4m9QH5oZEpA=",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/decamelize-keys": {
+      "version": "1.1.0",
+      "integrity": "sha1-0XGoeTMlKAfrPLYdwcFEXQeN8tk=",
+      "dev": true,
+      "dependencies": {
+        "decamelize": "^1.1.0",
+        "map-obj": "^1.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/decimal.js": {
+      "version": "10.3.1",
+      "integrity": "sha512-V0pfhfr8suzyPGOx3nmq4aHqabehUZn6Ch9kyFpV79TGDTWFmHqUqXdabR7QHqxzrYolF4+tVmJhUG4OURg5dQ==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/decode-uri-component": {
+      "version": "0.2.0",
+      "integrity": "sha1-6zkTMzRYd1y4TNGh+uBiEGu4dUU=",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10"
+      }
+    },
+    "node_modules/deep-equal": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/deep-equal/-/deep-equal-2.2.0.tgz",
+      "integrity": "sha512-RdpzE0Hv4lhowpIUKKMJfeH6C1pXdtT1/it80ubgWqwI3qpuxUBpC1S4hnHg+zjnuOoDkzUtUCEEkG+XG5l3Mw==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2",
+        "es-get-iterator": "^1.1.2",
+        "get-intrinsic": "^1.1.3",
+        "is-arguments": "^1.1.1",
+        "is-array-buffer": "^3.0.1",
+        "is-date-object": "^1.0.5",
+        "is-regex": "^1.1.4",
+        "is-shared-array-buffer": "^1.0.2",
+        "isarray": "^2.0.5",
+        "object-is": "^1.1.5",
+        "object-keys": "^1.1.1",
+        "object.assign": "^4.1.4",
+        "regexp.prototype.flags": "^1.4.3",
+        "side-channel": "^1.0.4",
+        "which-boxed-primitive": "^1.0.2",
+        "which-collection": "^1.0.1",
+        "which-typed-array": "^1.1.9"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/deep-equal/node_modules/isarray": {
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/isarray/-/isarray-2.0.5.tgz",
+      "integrity": "sha512-xHjhDr3cNBK0BzdUJSPXZntQUx/mwMS5Rw4A7lPJ90XGAO6ISP/ePDNuo0vhqOZU+UD5JoodwCAAoZQd3FeAKw==",
+      "dev": true
+    },
+    "node_modules/deep-is": {
+      "version": "0.1.4",
+      "integrity": "sha512-oIPzksmTg4/MriiaYGO+okXDT7ztn/w3Eptv/+gSIdMdKsJo0u4CfYNFJPy+4SKMuCqGw2wxnA+URMg3t8a/bQ==",
+      "dev": true
+    },
+    "node_modules/define-lazy-prop": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/define-lazy-prop/-/define-lazy-prop-2.0.0.tgz",
+      "integrity": "sha512-Ds09qNh8yw3khSjiJjiUInaGX9xlqZDY7JVryGxdxV7NPeuqQfplOpQ66yJFZut3jLa5zOwkXw1g9EI2uKh4Og==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/define-properties": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/define-properties/-/define-properties-1.1.4.tgz",
+      "integrity": "sha512-uckOqKcfaVvtBdsVkdPv3XjveQJsNQqmhXgRi8uhvWWuPYZCNlzT8qAyblUgNoXdHdjMTzAqeGjAoli8f+bzPA==",
+      "dev": true,
+      "dependencies": {
+        "has-property-descriptors": "^1.0.0",
+        "object-keys": "^1.1.1"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/define-property": {
+      "version": "2.0.2",
+      "integrity": "sha512-jwK2UV4cnPpbcG7+VRARKTZPUWowwXA8bzH5NP6ud0oeAxyYPuGZUAC7hMugpCdz4BeSZl2Dl9k66CHJ/46ZYQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-descriptor": "^1.0.2",
+        "isobject": "^3.0.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/delayed-stream": {
+      "version": "1.0.0",
+      "integrity": "sha1-3zrhmayt+31ECqrgsp4icrJOxhk=",
+      "dev": true,
+      "engines": {
+        "node": ">=0.4.0"
+      }
+    },
+    "node_modules/detect-newline": {
+      "version": "3.1.0",
+      "integrity": "sha512-TLz+x/vEXm/Y7P7wn1EJFNLxYpUD4TgMosxY6fAVJUnJMbupHBOncxyWUG9OpTaH9EBD7uFI5LfEgmMOc54DsA==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/diff-sequences": {
+      "version": "26.6.2",
+      "integrity": "sha512-Mv/TDa3nZ9sbc5soK+OoA74BsS3mL37yixCvUAQkiuA4Wz6YtwP/K47n2rv2ovzHZvoiQeA5FTQOschKkEwB0Q==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/dir-glob": {
+      "version": "3.0.1",
+      "integrity": "sha512-WkrWp9GR4KXfKGYzOLmTuGVi1UWFfws377n9cc55/tb6DuqyF6pcQ5AbiHEshaDpY9v6oaSr2XCDidGmMwdzIA==",
+      "dev": true,
+      "dependencies": {
+        "path-type": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/doctrine": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/doctrine/-/doctrine-3.0.0.tgz",
+      "integrity": "sha512-yS+Q5i3hBf7GBkd4KG8a7eBNNWNGLTaEwwYWUijIYM7zrlYDM0BFXHjjPWlWZ1Rg7UaddZeIDmi9jF3HmqiQ2w==",
+      "dev": true,
+      "dependencies": {
+        "esutils": "^2.0.2"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
+    "node_modules/dom-serializer": {
+      "version": "0.2.2",
+      "integrity": "sha512-2/xPb3ORsQ42nHYiSunXkDjPLBaEj/xTwUO4B7XCZQTRk7EBtTOPaygh10YAAh2OI1Qrp6NWfpAhzswj0ydt9g==",
+      "dev": true,
+      "dependencies": {
+        "domelementtype": "^2.0.1",
+        "entities": "^2.0.0"
+      }
+    },
+    "node_modules/dom-serializer/node_modules/domelementtype": {
+      "version": "2.2.0",
+      "integrity": "sha512-DtBMo82pv1dFtUmHyr48beiuq792Sxohr+8Hm9zoxklYPfa6n0Z3Byjj2IV7bmr2IyqClnqEQhfgHJJ5QF0R5A==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/fb55"
+        }
+      ]
+    },
+    "node_modules/dom-serializer/node_modules/entities": {
+      "version": "2.2.0",
+      "integrity": "sha512-p92if5Nz619I0w+akJrLZH0MX0Pb5DX39XOwQTtXSdQQOaYH03S1uIQp4mhOZtAXrxq4ViO67YTiLBo2638o9A==",
+      "dev": true,
+      "funding": {
+        "url": "https://github.com/fb55/entities?sponsor=1"
+      }
+    },
+    "node_modules/domelementtype": {
+      "version": "1.3.1",
+      "integrity": "sha512-BSKB+TSpMpFI/HOxCNr1O8aMOTZ8hT3pM3GQ0w/mWRmkhEDSFJkkyzz4XQsBV44BChwGkrDfMyjVD0eA2aFV3w==",
+      "dev": true
+    },
+    "node_modules/domexception": {
+      "version": "2.0.1",
+      "integrity": "sha512-yxJ2mFy/sibVQlu5qHjOkf9J3K6zgmCxgJ94u2EdvDOV09H+32LtRswEcUsmUWN72pVLOEnTSRaIVVzVQgS0dg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "webidl-conversions": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/domexception/node_modules/webidl-conversions": {
+      "version": "5.0.0",
+      "integrity": "sha512-VlZwKPCkYKxQgeSbH5EyngOmRp7Ww7I9rQLERETtf5ofd9pGeswWiOtogpEO850jziPRarreGxn5QIiTqpb2wA==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/domhandler": {
+      "version": "2.4.2",
+      "integrity": "sha512-JiK04h0Ht5u/80fdLMCEmV4zkNh2BcoMFBmZ/91WtYZ8qVXSKjiw7fXMgFPnHcSZgOo3XdinHvmnDUeMf5R4wA==",
+      "dev": true,
+      "dependencies": {
+        "domelementtype": "1"
+      }
+    },
+    "node_modules/domutils": {
+      "version": "1.7.0",
+      "integrity": "sha512-Lgd2XcJ/NjEw+7tFvfKxOzCYKZsdct5lczQ2ZaQY8Djz7pfAD3Gbp8ySJWtreII/vDlMVmxwa6pHmdxIYgttDg==",
+      "dev": true,
+      "dependencies": {
+        "dom-serializer": "0",
+        "domelementtype": "1"
+      }
+    },
+    "node_modules/eastasianwidth": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/eastasianwidth/-/eastasianwidth-0.2.0.tgz",
+      "integrity": "sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==",
+      "dev": true
+    },
+    "node_modules/ejs": {
+      "version": "3.1.5",
+      "integrity": "sha512-dldq3ZfFtgVTJMLjOe+/3sROTzALlL9E34V4/sDtUd/KlBSS0s6U1/+WPE1B4sj9CXHJpL1M6rhNJnc9Wbal9w==",
+      "dev": true,
+      "dependencies": {
+        "jake": "^10.6.1"
+      },
+      "bin": {
+        "ejs": "bin/cli.js"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/electron-to-chromium": {
+      "version": "1.3.865",
+      "integrity": "sha512-okGcCKfihgGlaROMFNPQ6eaU3bk9Xa68rLYSnVD2PyIqM5B/vyQoXCpB3p1HI3AXio097ROVBlSO4JZVilUWuA==",
+      "dev": true
+    },
+    "node_modules/emittery": {
+      "version": "0.7.2",
+      "integrity": "sha512-A8OG5SR/ij3SsJdWDJdkkSYUjQdCUx6APQXem0SaEePBSRg4eymGYwBkKo1Y6DU+af/Jn2dBQqDBvjnr9Vi8nQ==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sindresorhus/emittery?sponsor=1"
+      }
+    },
+    "node_modules/emoji-regex": {
+      "version": "9.2.2",
+      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-9.2.2.tgz",
+      "integrity": "sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==",
+      "dev": true
+    },
+    "node_modules/end-of-stream": {
+      "version": "1.4.4",
+      "integrity": "sha512-+uw1inIHVPQoaVuHzRyXd21icM+cnt4CzD5rW+NC1wjOUSTOs+Te7FOv7AhN7vS9x/oIyhLP5PR1H+phQAHu5Q==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "once": "^1.4.0"
+      }
+    },
+    "node_modules/enhanced-resolve": {
+      "version": "5.12.0",
+      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.12.0.tgz",
+      "integrity": "sha512-QHTXI/sZQmko1cbDoNAa3mJ5qhWUUNAq3vR0/YiD379fWQrcfuoX1+HW2S0MTt7XmoPLapdaDKUtelUSPic7hQ==",
+      "dev": true,
+      "dependencies": {
+        "graceful-fs": "^4.2.4",
+        "tapable": "^2.2.0"
+      },
+      "engines": {
+        "node": ">=10.13.0"
+      }
+    },
+    "node_modules/enquirer": {
+      "version": "2.3.6",
+      "integrity": "sha512-yjNnPr315/FjS4zIsUxYguYUPP2e1NK4d7E7ZOLiyYCcbFBiTMyID+2wvm2w6+pZ/odMA7cRkjhsPbltwBOrLg==",
+      "dev": true,
+      "dependencies": {
+        "ansi-colors": "^4.1.1"
+      },
+      "engines": {
+        "node": ">=8.6"
+      }
+    },
+    "node_modules/entities": {
+      "version": "1.1.2",
+      "integrity": "sha512-f2LZMYl1Fzu7YSBKg+RoROelpOaNrcGmE9AZubeDfrCEia483oW4MI4VyFd5VNHIgQ/7qm1I0wUHK1eJnn2y2w==",
+      "dev": true
+    },
+    "node_modules/error-ex": {
+      "version": "1.3.2",
+      "integrity": "sha512-7dFHNmqeFSEt2ZBsCriorKnn3Z2pj+fd9kmI6QoWw4//DL+icEBfc0U7qJCisqrTsKTjw4fNFy2pW9OqStD84g==",
+      "dev": true,
+      "dependencies": {
+        "is-arrayish": "^0.2.1"
+      }
+    },
+    "node_modules/es-abstract": {
+      "version": "1.21.1",
+      "resolved": "https://registry.npmjs.org/es-abstract/-/es-abstract-1.21.1.tgz",
+      "integrity": "sha512-QudMsPOz86xYz/1dG1OuGBKOELjCh99IIWHLzy5znUB6j8xG2yMA7bfTV86VSqKF+Y/H08vQPR+9jyXpuC6hfg==",
+      "dev": true,
+      "dependencies": {
+        "available-typed-arrays": "^1.0.5",
+        "call-bind": "^1.0.2",
+        "es-set-tostringtag": "^2.0.1",
+        "es-to-primitive": "^1.2.1",
+        "function-bind": "^1.1.1",
+        "function.prototype.name": "^1.1.5",
+        "get-intrinsic": "^1.1.3",
+        "get-symbol-description": "^1.0.0",
+        "globalthis": "^1.0.3",
+        "gopd": "^1.0.1",
+        "has": "^1.0.3",
+        "has-property-descriptors": "^1.0.0",
+        "has-proto": "^1.0.1",
+        "has-symbols": "^1.0.3",
+        "internal-slot": "^1.0.4",
+        "is-array-buffer": "^3.0.1",
+        "is-callable": "^1.2.7",
+        "is-negative-zero": "^2.0.2",
+        "is-regex": "^1.1.4",
+        "is-shared-array-buffer": "^1.0.2",
+        "is-string": "^1.0.7",
+        "is-typed-array": "^1.1.10",
+        "is-weakref": "^1.0.2",
+        "object-inspect": "^1.12.2",
+        "object-keys": "^1.1.1",
+        "object.assign": "^4.1.4",
+        "regexp.prototype.flags": "^1.4.3",
+        "safe-regex-test": "^1.0.0",
+        "string.prototype.trimend": "^1.0.6",
+        "string.prototype.trimstart": "^1.0.6",
+        "typed-array-length": "^1.0.4",
+        "unbox-primitive": "^1.0.2",
+        "which-typed-array": "^1.1.9"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/es-get-iterator": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/es-get-iterator/-/es-get-iterator-1.1.3.tgz",
+      "integrity": "sha512-sPZmqHBe6JIiTfN5q2pEi//TwxmAFHwj/XEuYjTuse78i8KxaqMTTzxPoFKuzRpDpTJ+0NAbpfenkmH2rePtuw==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2",
+        "get-intrinsic": "^1.1.3",
+        "has-symbols": "^1.0.3",
+        "is-arguments": "^1.1.1",
+        "is-map": "^2.0.2",
+        "is-set": "^2.0.2",
+        "is-string": "^1.0.7",
+        "isarray": "^2.0.5",
+        "stop-iteration-iterator": "^1.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/es-get-iterator/node_modules/isarray": {
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/isarray/-/isarray-2.0.5.tgz",
+      "integrity": "sha512-xHjhDr3cNBK0BzdUJSPXZntQUx/mwMS5Rw4A7lPJ90XGAO6ISP/ePDNuo0vhqOZU+UD5JoodwCAAoZQd3FeAKw==",
+      "dev": true
+    },
+    "node_modules/es-set-tostringtag": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/es-set-tostringtag/-/es-set-tostringtag-2.0.1.tgz",
+      "integrity": "sha512-g3OMbtlwY3QewlqAiMLI47KywjWZoEytKr8pf6iTC8uJq5bIAH52Z9pnQ8pVL6whrCto53JZDuUIsifGeLorTg==",
+      "dev": true,
+      "dependencies": {
+        "get-intrinsic": "^1.1.3",
+        "has": "^1.0.3",
+        "has-tostringtag": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-shim-unscopables": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/es-shim-unscopables/-/es-shim-unscopables-1.0.0.tgz",
+      "integrity": "sha512-Jm6GPcCdC30eMLbZ2x8z2WuRwAws3zTBBKuusffYVUrNj/GVSUAZ+xKMaUpfNDR5IbyNA5LJbaecoUVbmUcB1w==",
+      "dev": true,
+      "dependencies": {
+        "has": "^1.0.3"
+      }
+    },
+    "node_modules/es-to-primitive": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/es-to-primitive/-/es-to-primitive-1.2.1.tgz",
+      "integrity": "sha512-QCOllgZJtaUo9miYBcLChTUaHNjJF3PYs1VidD7AwiEj1kYxKeQTctLAezAOH5ZKRH0g2IgPn6KwB4IT8iRpvA==",
+      "dev": true,
+      "dependencies": {
+        "is-callable": "^1.1.4",
+        "is-date-object": "^1.0.1",
+        "is-symbol": "^1.0.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/escalade": {
+      "version": "3.1.1",
+      "integrity": "sha512-k0er2gUkLf8O0zKJiAhmkTnJlTvINGv7ygDNPbeIsX/TJjGJZHuh9B2UxbsaEkmlEo9MfhrSzmhIlhRlI2GXnw==",
+      "dev": true,
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/escape-string-regexp": {
+      "version": "1.0.5",
+      "integrity": "sha1-G2HAViGQqN/2rjuyzwIAyhMLhtQ=",
+      "dev": true,
+      "engines": {
+        "node": ">=0.8.0"
+      }
+    },
+    "node_modules/escodegen": {
+      "version": "2.0.0",
+      "integrity": "sha512-mmHKys/C8BFUGI+MAWNcSYoORYLMdPzjrknd2Vc+bUsjN5bXcr8EhrNB+UTqfL1y3I9c4fw2ihgtMPQLBRiQxw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "esprima": "^4.0.1",
+        "estraverse": "^5.2.0",
+        "esutils": "^2.0.2",
+        "optionator": "^0.8.1"
+      },
+      "bin": {
+        "escodegen": "bin/escodegen.js",
+        "esgenerate": "bin/esgenerate.js"
+      },
+      "engines": {
+        "node": ">=6.0"
+      },
+      "optionalDependencies": {
+        "source-map": "~0.6.1"
+      }
+    },
+    "node_modules/escodegen/node_modules/levn": {
+      "version": "0.3.0",
+      "integrity": "sha1-OwmSTt+fCDwEkP3UwLxEIeBHZO4=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "prelude-ls": "~1.1.2",
+        "type-check": "~0.3.2"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/escodegen/node_modules/optionator": {
+      "version": "0.8.3",
+      "integrity": "sha512-+IW9pACdk3XWmmTXG8m3upGUJst5XRGzxMRjXzAuJ1XnIFNvfhjjIuYkDvysnPQ7qzqVzLt78BCruntqRhWQbA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "deep-is": "~0.1.3",
+        "fast-levenshtein": "~2.0.6",
+        "levn": "~0.3.0",
+        "prelude-ls": "~1.1.2",
+        "type-check": "~0.3.2",
+        "word-wrap": "~1.2.3"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/escodegen/node_modules/prelude-ls": {
+      "version": "1.1.2",
+      "integrity": "sha1-IZMqVJ9eUv/ZqCf1cOBL5iqX2lQ=",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/escodegen/node_modules/source-map": {
+      "version": "0.6.1",
+      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+      "dev": true,
+      "optional": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/escodegen/node_modules/type-check": {
+      "version": "0.3.2",
+      "integrity": "sha1-WITKtRLPHTVeP7eE8wgEsrUg23I=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "prelude-ls": "~1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/eslint": {
+      "version": "8.31.0",
+      "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.31.0.tgz",
+      "integrity": "sha512-0tQQEVdmPZ1UtUKXjX7EMm9BlgJ08G90IhWh0PKDCb3ZLsgAOHI8fYSIzYVZej92zsgq+ft0FGsxhJ3xo2tbuA==",
+      "dev": true,
+      "dependencies": {
+        "@eslint/eslintrc": "^1.4.1",
+        "@humanwhocodes/config-array": "^0.11.8",
+        "@humanwhocodes/module-importer": "^1.0.1",
+        "@nodelib/fs.walk": "^1.2.8",
+        "ajv": "^6.10.0",
+        "chalk": "^4.0.0",
+        "cross-spawn": "^7.0.2",
+        "debug": "^4.3.2",
+        "doctrine": "^3.0.0",
+        "escape-string-regexp": "^4.0.0",
+        "eslint-scope": "^7.1.1",
+        "eslint-utils": "^3.0.0",
+        "eslint-visitor-keys": "^3.3.0",
+        "espree": "^9.4.0",
+        "esquery": "^1.4.0",
+        "esutils": "^2.0.2",
+        "fast-deep-equal": "^3.1.3",
+        "file-entry-cache": "^6.0.1",
+        "find-up": "^5.0.0",
+        "glob-parent": "^6.0.2",
+        "globals": "^13.19.0",
+        "grapheme-splitter": "^1.0.4",
+        "ignore": "^5.2.0",
+        "import-fresh": "^3.0.0",
+        "imurmurhash": "^0.1.4",
+        "is-glob": "^4.0.0",
+        "is-path-inside": "^3.0.3",
+        "js-sdsl": "^4.1.4",
+        "js-yaml": "^4.1.0",
+        "json-stable-stringify-without-jsonify": "^1.0.1",
+        "levn": "^0.4.1",
+        "lodash.merge": "^4.6.2",
+        "minimatch": "^3.1.2",
+        "natural-compare": "^1.4.0",
+        "optionator": "^0.9.1",
+        "regexpp": "^3.2.0",
+        "strip-ansi": "^6.0.1",
+        "strip-json-comments": "^3.1.0",
+        "text-table": "^0.2.0"
+      },
+      "bin": {
+        "eslint": "bin/eslint.js"
+      },
+      "engines": {
+        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/eslint"
+      }
+    },
+    "node_modules/eslint-config-next": {
+      "version": "13.1.2",
+      "resolved": "https://registry.npmjs.org/eslint-config-next/-/eslint-config-next-13.1.2.tgz",
+      "integrity": "sha512-zdRAQOr8v69ZwJRtBrGqAqm160ONqKxU/pV1FB1KlgfyqveGsLZmlQ7l31otwtw763901J7xdiTVkj2y3YxXZA==",
+      "dev": true,
+      "dependencies": {
+        "@next/eslint-plugin-next": "13.1.2",
+        "@rushstack/eslint-patch": "^1.1.3",
+        "@typescript-eslint/parser": "^5.42.0",
+        "eslint-import-resolver-node": "^0.3.6",
+        "eslint-import-resolver-typescript": "^3.5.2",
+        "eslint-plugin-import": "^2.26.0",
+        "eslint-plugin-jsx-a11y": "^6.5.1",
+        "eslint-plugin-react": "^7.31.7",
+        "eslint-plugin-react-hooks": "^4.5.0"
+      },
+      "peerDependencies": {
+        "eslint": "^7.23.0 || ^8.0.0",
+        "typescript": ">=3.3.1"
+      },
+      "peerDependenciesMeta": {
+        "typescript": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/eslint-config-prettier": {
+      "version": "8.6.0",
+      "resolved": "https://registry.npmjs.org/eslint-config-prettier/-/eslint-config-prettier-8.6.0.tgz",
+      "integrity": "sha512-bAF0eLpLVqP5oEVUFKpMA+NnRFICwn9X8B5jrR9FcqnYBuPbqWEjTEspPWMj5ye6czoSLDweCzSo3Ko7gGrZaA==",
+      "dev": true,
+      "bin": {
+        "eslint-config-prettier": "bin/cli.js"
+      },
+      "peerDependencies": {
+        "eslint": ">=7.0.0"
+      }
+    },
+    "node_modules/eslint-import-resolver-node": {
+      "version": "0.3.7",
+      "resolved": "https://registry.npmjs.org/eslint-import-resolver-node/-/eslint-import-resolver-node-0.3.7.tgz",
+      "integrity": "sha512-gozW2blMLJCeFpBwugLTGyvVjNoeo1knonXAcatC6bjPBZitotxdWf7Gimr25N4c0AAOo4eOUfaG82IJPDpqCA==",
+      "dev": true,
+      "dependencies": {
+        "debug": "^3.2.7",
+        "is-core-module": "^2.11.0",
+        "resolve": "^1.22.1"
+      }
+    },
+    "node_modules/eslint-import-resolver-node/node_modules/debug": {
+      "version": "3.2.7",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-3.2.7.tgz",
+      "integrity": "sha512-CFjzYYAi4ThfiQvizrFQevTTXHtnCqWfe7x1AhgEscTz6ZbLbfoLRLPugTQyBth6f8ZERVUSyWHFD/7Wu4t1XQ==",
+      "dev": true,
+      "dependencies": {
+        "ms": "^2.1.1"
+      }
+    },
+    "node_modules/eslint-import-resolver-node/node_modules/resolve": {
+      "version": "1.22.1",
+      "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.1.tgz",
+      "integrity": "sha512-nBpuuYuY5jFsli/JIs1oldw6fOQCBioohqWZg/2hiaOybXOft4lonv85uDOKXdf8rhyK159cxU5cDcK/NKk8zw==",
+      "dev": true,
+      "dependencies": {
+        "is-core-module": "^2.9.0",
+        "path-parse": "^1.0.7",
+        "supports-preserve-symlinks-flag": "^1.0.0"
+      },
+      "bin": {
+        "resolve": "bin/resolve"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/eslint-import-resolver-typescript": {
+      "version": "3.5.3",
+      "resolved": "https://registry.npmjs.org/eslint-import-resolver-typescript/-/eslint-import-resolver-typescript-3.5.3.tgz",
+      "integrity": "sha512-njRcKYBc3isE42LaTcJNVANR3R99H9bAxBDMNDr2W7yq5gYPxbU3MkdhsQukxZ/Xg9C2vcyLlDsbKfRDg0QvCQ==",
+      "dev": true,
+      "dependencies": {
+        "debug": "^4.3.4",
+        "enhanced-resolve": "^5.10.0",
+        "get-tsconfig": "^4.2.0",
+        "globby": "^13.1.2",
+        "is-core-module": "^2.10.0",
+        "is-glob": "^4.0.3",
+        "synckit": "^0.8.4"
+      },
+      "engines": {
+        "node": "^14.18.0 || >=16.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/unts/projects/eslint-import-resolver-ts"
+      },
+      "peerDependencies": {
+        "eslint": "*",
+        "eslint-plugin-import": "*"
+      }
+    },
+    "node_modules/eslint-import-resolver-typescript/node_modules/globby": {
+      "version": "13.1.3",
+      "resolved": "https://registry.npmjs.org/globby/-/globby-13.1.3.tgz",
+      "integrity": "sha512-8krCNHXvlCgHDpegPzleMq07yMYTO2sXKASmZmquEYWEmCx6J5UTRbp5RwMJkTJGtcQ44YpiUYUiN0b9mzy8Bw==",
+      "dev": true,
+      "dependencies": {
+        "dir-glob": "^3.0.1",
+        "fast-glob": "^3.2.11",
+        "ignore": "^5.2.0",
+        "merge2": "^1.4.1",
+        "slash": "^4.0.0"
+      },
+      "engines": {
+        "node": "^12.20.0 || ^14.13.1 || >=16.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/eslint-import-resolver-typescript/node_modules/slash": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/slash/-/slash-4.0.0.tgz",
+      "integrity": "sha512-3dOsAHXXUkQTpOYcoAxLIorMTp4gIQr5IW3iVb7A7lFIp0VHhnynm9izx6TssdrIcVIESAlVjtnO2K8bg+Coew==",
+      "dev": true,
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/eslint-module-utils": {
+      "version": "2.7.4",
+      "resolved": "https://registry.npmjs.org/eslint-module-utils/-/eslint-module-utils-2.7.4.tgz",
+      "integrity": "sha512-j4GT+rqzCoRKHwURX7pddtIPGySnX9Si/cgMI5ztrcqOPtk5dDEeZ34CQVPphnqkJytlc97Vuk05Um2mJ3gEQA==",
+      "dev": true,
+      "dependencies": {
+        "debug": "^3.2.7"
+      },
+      "engines": {
+        "node": ">=4"
+      },
+      "peerDependenciesMeta": {
+        "eslint": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/eslint-module-utils/node_modules/debug": {
+      "version": "3.2.7",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-3.2.7.tgz",
+      "integrity": "sha512-CFjzYYAi4ThfiQvizrFQevTTXHtnCqWfe7x1AhgEscTz6ZbLbfoLRLPugTQyBth6f8ZERVUSyWHFD/7Wu4t1XQ==",
+      "dev": true,
+      "dependencies": {
+        "ms": "^2.1.1"
+      }
+    },
+    "node_modules/eslint-plugin-import": {
+      "version": "2.27.4",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-import/-/eslint-plugin-import-2.27.4.tgz",
+      "integrity": "sha512-Z1jVt1EGKia1X9CnBCkpAOhWy8FgQ7OmJ/IblEkT82yrFU/xJaxwujaTzLWqigewwynRQ9mmHfX9MtAfhxm0sA==",
+      "dev": true,
+      "dependencies": {
+        "array-includes": "^3.1.6",
+        "array.prototype.flat": "^1.3.1",
+        "array.prototype.flatmap": "^1.3.0",
+        "debug": "^3.2.7",
+        "doctrine": "^2.1.0",
+        "eslint-import-resolver-node": "^0.3.7",
+        "eslint-module-utils": "^2.7.4",
+        "has": "^1.0.3",
+        "is-core-module": "^2.11.0",
+        "is-glob": "^4.0.3",
+        "minimatch": "^3.1.2",
+        "object.values": "^1.1.6",
+        "resolve": "^1.22.1",
+        "semver": "^6.3.0",
+        "tsconfig-paths": "^3.14.1"
+      },
+      "engines": {
+        "node": ">=4"
+      },
+      "peerDependencies": {
+        "eslint": "^2 || ^3 || ^4 || ^5 || ^6 || ^7.2.0 || ^8"
+      }
+    },
+    "node_modules/eslint-plugin-import/node_modules/debug": {
+      "version": "3.2.7",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-3.2.7.tgz",
+      "integrity": "sha512-CFjzYYAi4ThfiQvizrFQevTTXHtnCqWfe7x1AhgEscTz6ZbLbfoLRLPugTQyBth6f8ZERVUSyWHFD/7Wu4t1XQ==",
+      "dev": true,
+      "dependencies": {
+        "ms": "^2.1.1"
+      }
+    },
+    "node_modules/eslint-plugin-import/node_modules/doctrine": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/doctrine/-/doctrine-2.1.0.tgz",
+      "integrity": "sha512-35mSku4ZXK0vfCuHEDAwt55dg2jNajHZ1odvF+8SSr82EsZY4QmXfuWso8oEd8zRhVObSN18aM0CjSdoBX7zIw==",
+      "dev": true,
+      "dependencies": {
+        "esutils": "^2.0.2"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/eslint-plugin-import/node_modules/resolve": {
+      "version": "1.22.1",
+      "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.1.tgz",
+      "integrity": "sha512-nBpuuYuY5jFsli/JIs1oldw6fOQCBioohqWZg/2hiaOybXOft4lonv85uDOKXdf8rhyK159cxU5cDcK/NKk8zw==",
+      "dev": true,
+      "dependencies": {
+        "is-core-module": "^2.9.0",
+        "path-parse": "^1.0.7",
+        "supports-preserve-symlinks-flag": "^1.0.0"
+      },
+      "bin": {
+        "resolve": "bin/resolve"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/eslint-plugin-import/node_modules/semver": {
+      "version": "6.3.0",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
+      "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==",
+      "dev": true,
+      "bin": {
+        "semver": "bin/semver.js"
+      }
+    },
+    "node_modules/eslint-plugin-jsx-a11y": {
+      "version": "6.7.1",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-jsx-a11y/-/eslint-plugin-jsx-a11y-6.7.1.tgz",
+      "integrity": "sha512-63Bog4iIethyo8smBklORknVjB0T2dwB8Mr/hIC+fBS0uyHdYYpzM/Ed+YC8VxTjlXHEWFOdmgwcDn1U2L9VCA==",
+      "dev": true,
+      "dependencies": {
+        "@babel/runtime": "^7.20.7",
+        "aria-query": "^5.1.3",
+        "array-includes": "^3.1.6",
+        "array.prototype.flatmap": "^1.3.1",
+        "ast-types-flow": "^0.0.7",
+        "axe-core": "^4.6.2",
+        "axobject-query": "^3.1.1",
+        "damerau-levenshtein": "^1.0.8",
+        "emoji-regex": "^9.2.2",
+        "has": "^1.0.3",
+        "jsx-ast-utils": "^3.3.3",
+        "language-tags": "=1.0.5",
+        "minimatch": "^3.1.2",
+        "object.entries": "^1.1.6",
+        "object.fromentries": "^2.0.6",
+        "semver": "^6.3.0"
+      },
+      "engines": {
+        "node": ">=4.0"
+      },
+      "peerDependencies": {
+        "eslint": "^3 || ^4 || ^5 || ^6 || ^7 || ^8"
+      }
+    },
+    "node_modules/eslint-plugin-jsx-a11y/node_modules/semver": {
+      "version": "6.3.0",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
+      "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==",
+      "dev": true,
+      "bin": {
+        "semver": "bin/semver.js"
+      }
+    },
+    "node_modules/eslint-plugin-prettier": {
+      "version": "4.2.1",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-prettier/-/eslint-plugin-prettier-4.2.1.tgz",
+      "integrity": "sha512-f/0rXLXUt0oFYs8ra4w49wYZBG5GKZpAYsJSm6rnYL5uVDjd+zowwMwVZHnAjf4edNrKpCDYfXDgmRE/Ak7QyQ==",
+      "dev": true,
+      "dependencies": {
+        "prettier-linter-helpers": "^1.0.0"
+      },
+      "engines": {
+        "node": ">=12.0.0"
+      },
+      "peerDependencies": {
+        "eslint": ">=7.28.0",
+        "prettier": ">=2.0.0"
+      },
+      "peerDependenciesMeta": {
+        "eslint-config-prettier": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/eslint-plugin-react": {
+      "version": "7.32.0",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-react/-/eslint-plugin-react-7.32.0.tgz",
+      "integrity": "sha512-vSBi1+SrPiLZCGvxpiZIa28fMEUaMjXtCplrvxcIxGzmFiYdsXQDwInEjuv5/i/2CTTxbkS87tE8lsQ0Qxinbw==",
+      "dev": true,
+      "dependencies": {
+        "array-includes": "^3.1.6",
+        "array.prototype.flatmap": "^1.3.1",
+        "array.prototype.tosorted": "^1.1.1",
+        "doctrine": "^2.1.0",
+        "estraverse": "^5.3.0",
+        "jsx-ast-utils": "^2.4.1 || ^3.0.0",
+        "minimatch": "^3.1.2",
+        "object.entries": "^1.1.6",
+        "object.fromentries": "^2.0.6",
+        "object.hasown": "^1.1.2",
+        "object.values": "^1.1.6",
+        "prop-types": "^15.8.1",
+        "resolve": "^2.0.0-next.4",
+        "semver": "^6.3.0",
+        "string.prototype.matchall": "^4.0.8"
+      },
+      "engines": {
+        "node": ">=4"
+      },
+      "peerDependencies": {
+        "eslint": "^3 || ^4 || ^5 || ^6 || ^7 || ^8"
+      }
+    },
+    "node_modules/eslint-plugin-react-hooks": {
+      "version": "4.6.0",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-react-hooks/-/eslint-plugin-react-hooks-4.6.0.tgz",
+      "integrity": "sha512-oFc7Itz9Qxh2x4gNHStv3BqJq54ExXmfC+a1NjAta66IAN87Wu0R/QArgIS9qKzX3dXKPI9H5crl9QchNMY9+g==",
+      "dev": true,
+      "engines": {
+        "node": ">=10"
+      },
+      "peerDependencies": {
+        "eslint": "^3.0.0 || ^4.0.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0-0"
+      }
+    },
+    "node_modules/eslint-plugin-react/node_modules/doctrine": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/doctrine/-/doctrine-2.1.0.tgz",
+      "integrity": "sha512-35mSku4ZXK0vfCuHEDAwt55dg2jNajHZ1odvF+8SSr82EsZY4QmXfuWso8oEd8zRhVObSN18aM0CjSdoBX7zIw==",
+      "dev": true,
+      "dependencies": {
+        "esutils": "^2.0.2"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/eslint-plugin-react/node_modules/estraverse": {
+      "version": "5.3.0",
+      "resolved": "https://registry.npmjs.org/estraverse/-/estraverse-5.3.0.tgz",
+      "integrity": "sha512-MMdARuVEQziNTeJD8DgMqmhwR11BRQ/cBP+pLtYdSTnf3MIO8fFeiINEbX36ZdNlfU/7A9f3gUw49B3oQsvwBA==",
+      "dev": true,
+      "engines": {
+        "node": ">=4.0"
+      }
+    },
+    "node_modules/eslint-plugin-react/node_modules/resolve": {
+      "version": "2.0.0-next.4",
+      "resolved": "https://registry.npmjs.org/resolve/-/resolve-2.0.0-next.4.tgz",
+      "integrity": "sha512-iMDbmAWtfU+MHpxt/I5iWI7cY6YVEZUQ3MBgPQ++XD1PELuJHIl82xBmObyP2KyQmkNB2dsqF7seoQQiAn5yDQ==",
+      "dev": true,
+      "dependencies": {
+        "is-core-module": "^2.9.0",
+        "path-parse": "^1.0.7",
+        "supports-preserve-symlinks-flag": "^1.0.0"
+      },
+      "bin": {
+        "resolve": "bin/resolve"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/eslint-plugin-react/node_modules/semver": {
+      "version": "6.3.0",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
+      "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==",
+      "dev": true,
+      "bin": {
+        "semver": "bin/semver.js"
+      }
+    },
+    "node_modules/eslint-scope": {
+      "version": "5.1.1",
+      "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-5.1.1.tgz",
+      "integrity": "sha512-2NxwbF/hZ0KpepYN0cNbo+FN6XoK7GaHlQhgx/hIZl6Va0bF45RQOOwhLIy8lQDbuCiadSLCBnH2CFYquit5bw==",
+      "dev": true,
+      "dependencies": {
+        "esrecurse": "^4.3.0",
+        "estraverse": "^4.1.1"
+      },
+      "engines": {
+        "node": ">=8.0.0"
+      }
+    },
+    "node_modules/eslint-scope/node_modules/estraverse": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/estraverse/-/estraverse-4.3.0.tgz",
+      "integrity": "sha512-39nnKffWz8xN1BU/2c79n9nB9HDzo0niYUqx6xyqUnyoAnQyyWpOTdZEeiCch8BBu515t4wp9ZmgVfVhn9EBpw==",
+      "dev": true,
+      "engines": {
+        "node": ">=4.0"
+      }
+    },
+    "node_modules/eslint-utils": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/eslint-utils/-/eslint-utils-3.0.0.tgz",
+      "integrity": "sha512-uuQC43IGctw68pJA1RgbQS8/NP7rch6Cwd4j3ZBtgo4/8Flj4eGE7ZYSZRN3iq5pVUv6GPdW5Z1RFleo84uLDA==",
+      "dev": true,
+      "dependencies": {
+        "eslint-visitor-keys": "^2.0.0"
+      },
+      "engines": {
+        "node": "^10.0.0 || ^12.0.0 || >= 14.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/mysticatea"
+      },
+      "peerDependencies": {
+        "eslint": ">=5"
+      }
+    },
+    "node_modules/eslint-utils/node_modules/eslint-visitor-keys": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-2.1.0.tgz",
+      "integrity": "sha512-0rSmRBzXgDzIsD6mGdJgevzgezI534Cer5L/vyMX0kHzT/jiB43jRhd9YUlMGYLQy2zprNmoT8qasCGtY+QaKw==",
+      "dev": true,
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/eslint-visitor-keys": {
+      "version": "3.3.0",
+      "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-3.3.0.tgz",
+      "integrity": "sha512-mQ+suqKJVyeuwGYHAdjMFqjCyfl8+Ldnxuyp3ldiMBFKkvytrXUZWaiPCEav8qDHKty44bD+qV1IP4T+w+xXRA==",
+      "dev": true,
+      "engines": {
+        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
+      }
+    },
+    "node_modules/eslint/node_modules/escape-string-regexp": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-4.0.0.tgz",
+      "integrity": "sha512-TtpcNJ3XAzx3Gq8sWRzJaVajRs0uVxA2YAkdb1jm2YkPz4G6egUFAyA3n5vtEIZefPk5Wa4UXbKuS5fKkJWdgA==",
+      "dev": true,
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/eslint/node_modules/eslint-scope": {
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-7.1.1.tgz",
+      "integrity": "sha512-QKQM/UXpIiHcLqJ5AOyIW7XZmzjkzQXYE54n1++wb0u9V/abW3l9uQnxX8Z5Xd18xyKIMTUAyQ0k1e8pz6LUrw==",
+      "dev": true,
+      "dependencies": {
+        "esrecurse": "^4.3.0",
+        "estraverse": "^5.2.0"
+      },
+      "engines": {
+        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
+      }
+    },
+    "node_modules/eslint/node_modules/find-up": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/find-up/-/find-up-5.0.0.tgz",
+      "integrity": "sha512-78/PXT1wlLLDgTzDs7sjq9hzz0vXD+zn+7wypEe4fXQxCmdmqfGsEPQxmiCSQI3ajFV91bVSsvNtrJRiW6nGng==",
+      "dev": true,
+      "dependencies": {
+        "locate-path": "^6.0.0",
+        "path-exists": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/eslint/node_modules/glob-parent": {
+      "version": "6.0.2",
+      "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-6.0.2.tgz",
+      "integrity": "sha512-XxwI8EOhVQgWp6iDL+3b0r86f4d6AX6zSU55HfB4ydCEuXLXc5FcYeOu+nnGftS4TEju/11rt4KJPTMgbfmv4A==",
+      "dev": true,
+      "dependencies": {
+        "is-glob": "^4.0.3"
+      },
+      "engines": {
+        "node": ">=10.13.0"
+      }
+    },
+    "node_modules/eslint/node_modules/globals": {
+      "version": "13.19.0",
+      "resolved": "https://registry.npmjs.org/globals/-/globals-13.19.0.tgz",
+      "integrity": "sha512-dkQ957uSRWHw7CFXLUtUHQI3g3aWApYhfNR2O6jn/907riyTYKVBmxYVROkBcY614FSSeSJh7Xm7SrUWCxvJMQ==",
+      "dev": true,
+      "dependencies": {
+        "type-fest": "^0.20.2"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/eslint/node_modules/locate-path": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-6.0.0.tgz",
+      "integrity": "sha512-iPZK6eYjbxRu3uB4/WZ3EsEIMJFMqAoopl3R+zuq0UjcAm/MO6KCweDgPfP3elTztoKP3KtnVHxTn2NHBSDVUw==",
+      "dev": true,
+      "dependencies": {
+        "p-locate": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/eslint/node_modules/p-locate": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-5.0.0.tgz",
+      "integrity": "sha512-LaNjtRWUBY++zB5nE/NwcaoMylSPk+S+ZHNB1TzdbMJMny6dynpAGt7X/tl/QYq3TIeE6nxHppbo2LGymrG5Pw==",
+      "dev": true,
+      "dependencies": {
+        "p-limit": "^3.0.2"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/eslint/node_modules/path-exists": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-4.0.0.tgz",
+      "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/eslint/node_modules/type-fest": {
+      "version": "0.20.2",
+      "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-0.20.2.tgz",
+      "integrity": "sha512-Ne+eE4r0/iWnpAxD852z3A+N0Bt5RN//NjJwRd2VFHEmrywxf5vsZlh4R6lixl6B+wz/8d+maTSAkN1FIkI3LQ==",
+      "dev": true,
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/espree": {
+      "version": "9.4.1",
+      "resolved": "https://registry.npmjs.org/espree/-/espree-9.4.1.tgz",
+      "integrity": "sha512-XwctdmTO6SIvCzd9810yyNzIrOrqNYV9Koizx4C/mRhf9uq0o4yHoCEU/670pOxOL/MSraektvSAji79kX90Vg==",
+      "dev": true,
+      "dependencies": {
+        "acorn": "^8.8.0",
+        "acorn-jsx": "^5.3.2",
+        "eslint-visitor-keys": "^3.3.0"
+      },
+      "engines": {
+        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/eslint"
+      }
+    },
+    "node_modules/espree/node_modules/acorn": {
+      "version": "8.8.1",
+      "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.8.1.tgz",
+      "integrity": "sha512-7zFpHzhnqYKrkYdUjF1HI1bzd0VygEGX8lFk4k5zVMqHEoES+P+7TKI+EvLO9WVMJ8eekdO0aDEK044xTXwPPA==",
+      "dev": true,
+      "bin": {
+        "acorn": "bin/acorn"
+      },
+      "engines": {
+        "node": ">=0.4.0"
+      }
+    },
+    "node_modules/esprima": {
+      "version": "4.0.1",
+      "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==",
+      "dev": true,
+      "peer": true,
+      "bin": {
+        "esparse": "bin/esparse.js",
+        "esvalidate": "bin/esvalidate.js"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/esquery": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/esquery/-/esquery-1.4.0.tgz",
+      "integrity": "sha512-cCDispWt5vHHtwMY2YrAQ4ibFkAL8RbH5YGBnZBc90MolvvfkkQcJro/aZiAQUlQ3qgrYS6D6v8Gc5G5CQsc9w==",
+      "dev": true,
+      "dependencies": {
+        "estraverse": "^5.1.0"
+      },
+      "engines": {
+        "node": ">=0.10"
+      }
+    },
+    "node_modules/esrecurse": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/esrecurse/-/esrecurse-4.3.0.tgz",
+      "integrity": "sha512-KmfKL3b6G+RXvP8N1vr3Tq1kL/oCFgn2NYXEtqP8/L3pKapUA4G8cFVaoF3SU323CD4XypR/ffioHmkti6/Tag==",
+      "dev": true,
+      "dependencies": {
+        "estraverse": "^5.2.0"
+      },
+      "engines": {
+        "node": ">=4.0"
+      }
+    },
+    "node_modules/estraverse": {
+      "version": "5.2.0",
+      "integrity": "sha512-BxbNGGNm0RyRYvUdHpIwv9IWzeM9XClbOxwoATuFdOE7ZE6wHL+HQ5T8hoPM+zHvmKzzsEqhgy0GrQ5X13afiQ==",
+      "dev": true,
+      "engines": {
+        "node": ">=4.0"
+      }
+    },
+    "node_modules/esutils": {
+      "version": "2.0.3",
+      "integrity": "sha512-kVscqXk4OCp68SZ0dkgEKVi6/8ij300KBWTJq32P/dYeWTSwK41WyTxalN1eRmA5Z9UU/LX9D7FWSmV9SAYx6g==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/exec-sh": {
+      "version": "0.3.6",
+      "integrity": "sha512-nQn+hI3yp+oD0huYhKwvYI32+JFeq+XkNcD1GAo3Y/MjxsfVGmrrzrnzjWiNY6f+pUCP440fThsFh5gZrRAU/w==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/execa": {
+      "version": "4.1.0",
+      "integrity": "sha512-j5W0//W7f8UxAn8hXVnwG8tLwdiUy4FJLcSupCg6maBYZDpyBvTApK7KyuI4bKj8KOh1r2YH+6ucuYtJv1bTZA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "cross-spawn": "^7.0.0",
+        "get-stream": "^5.0.0",
+        "human-signals": "^1.1.1",
+        "is-stream": "^2.0.0",
+        "merge-stream": "^2.0.0",
+        "npm-run-path": "^4.0.0",
+        "onetime": "^5.1.0",
+        "signal-exit": "^3.0.2",
+        "strip-final-newline": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sindresorhus/execa?sponsor=1"
+      }
+    },
+    "node_modules/execall": {
+      "version": "2.0.0",
+      "integrity": "sha512-0FU2hZ5Hh6iQnarpRtQurM/aAvp3RIbfvgLHrcqJYzhXyV2KFruhuChf9NC6waAhiUR7FFtlugkI4p7f2Fqlow==",
+      "dev": true,
+      "dependencies": {
+        "clone-regexp": "^2.1.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/exit": {
+      "version": "0.1.2",
+      "integrity": "sha1-BjJjj42HfMghB9MKD/8aF8uhzQw=",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/expand-brackets": {
+      "version": "2.1.4",
+      "integrity": "sha1-t3c14xXOMPa27/D4OwQVGiJEliI=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "debug": "^2.3.3",
+        "define-property": "^0.2.5",
+        "extend-shallow": "^2.0.1",
+        "posix-character-classes": "^0.1.0",
+        "regex-not": "^1.0.0",
+        "snapdragon": "^0.8.1",
+        "to-regex": "^3.0.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/expand-brackets/node_modules/debug": {
+      "version": "2.6.9",
+      "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "ms": "2.0.0"
+      }
+    },
+    "node_modules/expand-brackets/node_modules/define-property": {
+      "version": "0.2.5",
+      "integrity": "sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-descriptor": "^0.1.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/expand-brackets/node_modules/is-accessor-descriptor": {
+      "version": "0.1.6",
+      "integrity": "sha1-qeEss66Nh2cn7u84Q/igiXtcmNY=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "kind-of": "^3.0.2"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/expand-brackets/node_modules/is-accessor-descriptor/node_modules/kind-of": {
+      "version": "3.2.2",
+      "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-buffer": "^1.1.5"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/expand-brackets/node_modules/is-buffer": {
+      "version": "1.1.6",
+      "integrity": "sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/expand-brackets/node_modules/is-data-descriptor": {
+      "version": "0.1.4",
+      "integrity": "sha1-C17mSDiOLIYCgueT8YVv7D8wG1Y=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "kind-of": "^3.0.2"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/expand-brackets/node_modules/is-data-descriptor/node_modules/kind-of": {
+      "version": "3.2.2",
+      "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-buffer": "^1.1.5"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/expand-brackets/node_modules/is-descriptor": {
+      "version": "0.1.6",
+      "integrity": "sha512-avDYr0SB3DwO9zsMov0gKCESFYqCnE4hq/4z3TdUlukEy5t9C0YRq7HLrsN52NAcqXKaepeCD0n+B0arnVG3Hg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-accessor-descriptor": "^0.1.6",
+        "is-data-descriptor": "^0.1.4",
+        "kind-of": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/expand-brackets/node_modules/kind-of": {
+      "version": "5.1.0",
+      "integrity": "sha512-NGEErnH6F2vUuXDh+OlbcKW7/wOcfdRHaZ7VWtqCztfHri/++YKmP51OdWeGPuqCOba6kk2OTe5d02VmTB80Pw==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/expand-brackets/node_modules/ms": {
+      "version": "2.0.0",
+      "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/expect": {
+      "version": "26.6.2",
+      "integrity": "sha512-9/hlOBkQl2l/PLHJx6JjoDF6xPKcJEsUlWKb23rKE7KzeDqUZKXKNMW27KIue5JMdBV9HgmoJPcc8HtO85t9IA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@jest/types": "^26.6.2",
+        "ansi-styles": "^4.0.0",
+        "jest-get-type": "^26.3.0",
+        "jest-matcher-utils": "^26.6.2",
+        "jest-message-util": "^26.6.2",
+        "jest-regex-util": "^26.0.0"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/extend": {
+      "version": "3.0.2",
+      "integrity": "sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==",
+      "dev": true
+    },
+    "node_modules/extend-shallow": {
+      "version": "2.0.1",
+      "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-extendable": "^0.1.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/external-editor": {
+      "version": "3.1.0",
+      "integrity": "sha512-hMQ4CX1p1izmuLYyZqLMO/qGNw10wSv9QDCPfzXfyFrOaCSSoRfqE1Kf1s5an66J5JZC62NewG+mK49jOCtQew==",
+      "dev": true,
+      "dependencies": {
+        "chardet": "^0.7.0",
+        "iconv-lite": "^0.4.24",
+        "tmp": "^0.0.33"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/extglob": {
+      "version": "2.0.4",
+      "integrity": "sha512-Nmb6QXkELsuBr24CJSkilo6UHHgbekK5UiZgfE6UHD3Eb27YC6oD+bhcT+tJ6cl8dmsgdQxnWlcry8ksBIBLpw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "array-unique": "^0.3.2",
+        "define-property": "^1.0.0",
+        "expand-brackets": "^2.1.4",
+        "extend-shallow": "^2.0.1",
+        "fragment-cache": "^0.2.1",
+        "regex-not": "^1.0.0",
+        "snapdragon": "^0.8.1",
+        "to-regex": "^3.0.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/extglob/node_modules/define-property": {
+      "version": "1.0.0",
+      "integrity": "sha1-dp66rz9KY6rTr56NMEybvnm/sOY=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-descriptor": "^1.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/extract-files": {
+      "version": "9.0.0",
+      "integrity": "sha512-CvdFfHkC95B4bBBk36hcEmvdR2awOdhhVUYH6S/zrVj3477zven/fJMYg7121h4T1xHZC+tetUpubpAhxwI7hQ==",
+      "dev": true,
+      "engines": {
+        "node": "^10.17.0 || ^12.0.0 || >= 13.7.0"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/jaydenseric"
+      }
+    },
+    "node_modules/fast-deep-equal": {
+      "version": "3.1.3",
+      "integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==",
+      "dev": true
+    },
+    "node_modules/fast-diff": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/fast-diff/-/fast-diff-1.2.0.tgz",
+      "integrity": "sha512-xJuoT5+L99XlZ8twedaRf6Ax2TgQVxvgZOYoPKqZufmJib0tL2tegPBOZb1pVNgIhlqDlA0eO0c3wBvQcmzx4w==",
+      "dev": true
+    },
+    "node_modules/fast-glob": {
+      "version": "3.2.12",
+      "resolved": "https://registry.npmjs.org/fast-glob/-/fast-glob-3.2.12.tgz",
+      "integrity": "sha512-DVj4CQIYYow0BlaelwK1pHl5n5cRSJfM60UA0zK891sVInoPri2Ekj7+e1CT3/3qxXenpI+nBBmQAcJPJgaj4w==",
+      "dev": true,
+      "dependencies": {
+        "@nodelib/fs.stat": "^2.0.2",
+        "@nodelib/fs.walk": "^1.2.3",
+        "glob-parent": "^5.1.2",
+        "merge2": "^1.3.0",
+        "micromatch": "^4.0.4"
+      },
+      "engines": {
+        "node": ">=8.6.0"
+      }
+    },
+    "node_modules/fast-json-stable-stringify": {
+      "version": "2.1.0",
+      "integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==",
+      "dev": true
+    },
+    "node_modules/fast-levenshtein": {
+      "version": "2.0.6",
+      "integrity": "sha1-PYpcZog6FqMMqGQ+hR8Zuqd5eRc=",
+      "dev": true
+    },
+    "node_modules/fastest-levenshtein": {
+      "version": "1.0.12",
+      "integrity": "sha512-On2N+BpYJ15xIC974QNVuYGMOlEVt4s0EOI3wwMqOmK1fdDY+FN/zltPV8vosq4ad4c/gJ1KHScUn/6AWIgiow==",
+      "dev": true
+    },
+    "node_modules/fastq": {
+      "version": "1.13.0",
+      "integrity": "sha512-YpkpUnK8od0o1hmeSc7UUs/eB/vIPWJYjKck2QKIzAf71Vm1AAQ3EbuZB3g2JIy+pg+ERD0vqI79KyZiB2e2Nw==",
+      "dev": true,
+      "dependencies": {
+        "reusify": "^1.0.4"
+      }
+    },
+    "node_modules/fb-watchman": {
+      "version": "2.0.1",
+      "integrity": "sha512-DkPJKQeY6kKwmuMretBhr7G6Vodr7bFwDYTXIkfG1gjvNpaxBTQV3PbXg6bR1c1UP4jPOX0jHUbbHANL9vRjVg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "bser": "2.1.1"
+      }
+    },
+    "node_modules/figures": {
+      "version": "3.2.0",
+      "integrity": "sha512-yaduQFRKLXYOGgEn6AZau90j3ggSOyiqXU0F9JZfeXYhNa+Jk4X+s45A2zg5jns87GAFa34BBm2kXw4XpNcbdg==",
+      "dev": true,
+      "dependencies": {
+        "escape-string-regexp": "^1.0.5"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/file-entry-cache": {
+      "version": "6.0.1",
+      "integrity": "sha512-7Gps/XWymbLk2QLYK4NzpMOrYjMhdIxXuIvy2QBsLE6ljuodKvdkWs/cpyJJ3CVIVpH0Oi1Hvg1ovbMzLdFBBg==",
+      "dev": true,
+      "dependencies": {
+        "flat-cache": "^3.0.4"
+      },
+      "engines": {
+        "node": "^10.12.0 || >=12.0.0"
+      }
+    },
+    "node_modules/filelist": {
+      "version": "1.0.2",
+      "integrity": "sha512-z7O0IS8Plc39rTCq6i6iHxk43duYOn8uFJiWSewIq0Bww1RNybVHSCjahmcC87ZqAm4OTvFzlzeGu3XAzG1ctQ==",
+      "dev": true,
+      "dependencies": {
+        "minimatch": "^3.0.4"
+      }
+    },
+    "node_modules/fill-range": {
+      "version": "7.0.1",
+      "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==",
+      "dev": true,
+      "dependencies": {
+        "to-regex-range": "^5.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/find-up": {
+      "version": "2.1.0",
+      "integrity": "sha1-RdG35QbHF93UgndaK3eSCjwMV6c=",
+      "dev": true,
+      "dependencies": {
+        "locate-path": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/flat": {
+      "version": "5.0.2",
+      "resolved": "https://registry.npmjs.org/flat/-/flat-5.0.2.tgz",
+      "integrity": "sha512-b6suED+5/3rTpUBdG1gupIl8MPFCAMA0QXwmljLhvCUKcUvdE4gWky9zpuGCcXHOsz4J9wPGNWq6OKpmIzz3hQ==",
+      "dev": true,
+      "bin": {
+        "flat": "cli.js"
+      }
+    },
+    "node_modules/flat-cache": {
+      "version": "3.0.4",
+      "integrity": "sha512-dm9s5Pw7Jc0GvMYbshN6zchCA9RgQlzzEZX3vylR9IqFfS8XciblUXOKfW6SiuJ0e13eDYZoZV5wdrev7P3Nwg==",
+      "dev": true,
+      "dependencies": {
+        "flatted": "^3.1.0",
+        "rimraf": "^3.0.2"
+      },
+      "engines": {
+        "node": "^10.12.0 || >=12.0.0"
+      }
+    },
+    "node_modules/flatted": {
+      "version": "3.2.2",
+      "integrity": "sha512-JaTY/wtrcSyvXJl4IMFHPKyFur1sE9AUqc0QnhOaJ0CxHtAoIV8pYDzeEfAaNEtGkOfq4gr3LBFmdXW5mOQFnA==",
+      "dev": true
+    },
+    "node_modules/for-each": {
+      "version": "0.3.3",
+      "resolved": "https://registry.npmjs.org/for-each/-/for-each-0.3.3.tgz",
+      "integrity": "sha512-jqYfLp7mo9vIyQf8ykW2v7A+2N4QjeCeI5+Dz9XraiO1ign81wjiH7Fb9vSOWvQfNtmSa4H2RoQTrrXivdUZmw==",
+      "dev": true,
+      "dependencies": {
+        "is-callable": "^1.1.3"
+      }
+    },
+    "node_modules/for-in": {
+      "version": "1.0.2",
+      "integrity": "sha1-gQaNKVqBQuwKxybG4iAMMPttXoA=",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/form-data": {
+      "version": "3.0.1",
+      "integrity": "sha512-RHkBKtLWUVwd7SqRIvCZMEvAMoGUp0XU+seQiZejj0COz3RI3hWP4sCv3gZWWLjJTd7rGwcsF5eKZGii0r/hbg==",
+      "dev": true,
+      "dependencies": {
+        "asynckit": "^0.4.0",
+        "combined-stream": "^1.0.8",
+        "mime-types": "^2.1.12"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/fragment-cache": {
+      "version": "0.2.1",
+      "integrity": "sha1-QpD60n8T6Jvn8zeZxrxaCr//DRk=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "map-cache": "^0.2.2"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/fs-extra": {
+      "version": "9.0.1",
+      "integrity": "sha512-h2iAoN838FqAFJY2/qVpzFXy+EBxfVE220PalAqQLDVsFOHLJrZvut5puAbCdNv6WJk+B8ihI+k0c7JK5erwqQ==",
+      "dev": true,
+      "dependencies": {
+        "at-least-node": "^1.0.0",
+        "graceful-fs": "^4.2.0",
+        "jsonfile": "^6.0.1",
+        "universalify": "^1.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/fs.realpath": {
+      "version": "1.0.0",
+      "integrity": "sha1-FQStJSMVjKpA20onh8sBQRmU6k8=",
+      "dev": true
+    },
+    "node_modules/fsevents": {
+      "version": "2.3.2",
+      "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==",
+      "dev": true,
+      "hasInstallScript": true,
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "peer": true,
+      "engines": {
+        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
+      }
+    },
+    "node_modules/function-bind": {
+      "version": "1.1.1",
+      "integrity": "sha512-yIovAzMX49sF8Yl58fSCWJ5svSLuaibPxXQJFLmBObTuCr0Mf1KiPopGM9NiFjiYBCbfaa2Fh6breQ6ANVTI0A==",
+      "dev": true
+    },
+    "node_modules/function.prototype.name": {
+      "version": "1.1.5",
+      "resolved": "https://registry.npmjs.org/function.prototype.name/-/function.prototype.name-1.1.5.tgz",
+      "integrity": "sha512-uN7m/BzVKQnCUF/iW8jYea67v++2u7m5UgENbHRtdDVclOUP+FMPlCNdmk0h/ysGyo2tavMJEDqJAkJdRa1vMA==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.3",
+        "es-abstract": "^1.19.0",
+        "functions-have-names": "^1.2.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/functions-have-names": {
+      "version": "1.2.3",
+      "resolved": "https://registry.npmjs.org/functions-have-names/-/functions-have-names-1.2.3.tgz",
+      "integrity": "sha512-xckBUXyTIqT97tq2x2AMb+g163b5JFysYk0x4qxNFwbfQkmNZoiRHb6sPzI9/QV33WeuvVYBUIiD4NzNIyqaRQ==",
+      "dev": true,
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/gensync": {
+      "version": "1.0.0-beta.2",
+      "integrity": "sha512-3hN7NaskYvMDLQY55gnW3NQ+mesEAepTqlg+VEbj7zzqEMBVNhzcGYYeqFo/TlYz6eQiFcp1HcsCZO+nGgS8zg==",
+      "dev": true,
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/get-caller-file": {
+      "version": "2.0.5",
+      "integrity": "sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==",
+      "dev": true,
+      "engines": {
+        "node": "6.* || 8.* || >= 10.*"
+      }
+    },
+    "node_modules/get-intrinsic": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.1.3.tgz",
+      "integrity": "sha512-QJVz1Tj7MS099PevUG5jvnt9tSkXN8K14dxQlikJuPt4uD9hHAHjLyLBiLR5zELelBdD9QNRAXZzsJx0WaDL9A==",
+      "dev": true,
+      "dependencies": {
+        "function-bind": "^1.1.1",
+        "has": "^1.0.3",
+        "has-symbols": "^1.0.3"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/get-own-enumerable-property-symbols": {
+      "version": "3.0.2",
+      "integrity": "sha512-I0UBV/XOz1XkIJHEUDMZAbzCThU/H8DxmSfmdGcKPnVhu2VfFqr34jr9777IyaTYvxjedWhqVIilEDsCdP5G6g==",
+      "dev": true
+    },
+    "node_modules/get-package-type": {
+      "version": "0.1.0",
+      "integrity": "sha512-pjzuKtY64GYfWizNAJ0fr9VqttZkNiK2iS430LtIHzjBEr6bX8Am2zm4sW4Ro5wjWW5cAlRL1qAMTcXbjNAO2Q==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=8.0.0"
+      }
+    },
+    "node_modules/get-stream": {
+      "version": "5.2.0",
+      "integrity": "sha512-nBF+F1rAZVCu/p7rjzgA+Yb4lfYXrpl7a6VmJrU8wF9I1CKvP/QwPNZHnOlwbTkY6dvtFIzFMSyQXbLoTQPRpA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "pump": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/get-symbol-description": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/get-symbol-description/-/get-symbol-description-1.0.0.tgz",
+      "integrity": "sha512-2EmdH1YvIQiZpltCNgkuiUnyukzxM/R6NDJX31Ke3BG1Nq5b0S2PhX59UKi9vZpPDQVdqn+1IcaAwnzTT5vCjw==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2",
+        "get-intrinsic": "^1.1.1"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/get-tsconfig": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/get-tsconfig/-/get-tsconfig-4.3.0.tgz",
+      "integrity": "sha512-YCcF28IqSay3fqpIu5y3Krg/utCBHBeoflkZyHj/QcqI2nrLPC3ZegS9CmIo+hJb8K7aiGsuUl7PwWVjNG2HQQ==",
+      "dev": true,
+      "funding": {
+        "url": "https://github.com/privatenumber/get-tsconfig?sponsor=1"
+      }
+    },
+    "node_modules/get-value": {
+      "version": "2.0.6",
+      "integrity": "sha1-3BXKHGcjh8p2vTesCjlbogQqLCg=",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/glob": {
+      "version": "7.2.0",
+      "integrity": "sha512-lmLf6gtyrPq8tTjSmrO94wBeQbFR3HbLHbuyD69wuyQkImp2hWqMGB47OX65FBkPffO641IP9jWa1z4ivqG26Q==",
+      "dev": true,
+      "dependencies": {
+        "fs.realpath": "^1.0.0",
+        "inflight": "^1.0.4",
+        "inherits": "2",
+        "minimatch": "^3.0.4",
+        "once": "^1.3.0",
+        "path-is-absolute": "^1.0.0"
+      },
+      "engines": {
+        "node": "*"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
+    "node_modules/glob-parent": {
+      "version": "5.1.2",
+      "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==",
+      "dev": true,
+      "dependencies": {
+        "is-glob": "^4.0.1"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/global-modules": {
+      "version": "2.0.0",
+      "integrity": "sha512-NGbfmJBp9x8IxyJSd1P+otYK8vonoJactOogrVfFRIAEY1ukil8RSKDz2Yo7wh1oihl51l/r6W4epkeKJHqL8A==",
+      "dev": true,
+      "dependencies": {
+        "global-prefix": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/global-prefix": {
+      "version": "3.0.0",
+      "integrity": "sha512-awConJSVCHVGND6x3tmMaKcQvwXLhjdkmomy2W+Goaui8YPgYgXJZewhg3fWC+DlfqqQuWg8AwqjGTD2nAPVWg==",
+      "dev": true,
+      "dependencies": {
+        "ini": "^1.3.5",
+        "kind-of": "^6.0.2",
+        "which": "^1.3.1"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/global-prefix/node_modules/which": {
+      "version": "1.3.1",
+      "integrity": "sha512-HxJdYWq1MTIQbJ3nw0cqssHoTNU267KlrDuGZ1WYlxDStUtKUhOaJmh112/TZmHxxUfuJqPXSOm7tDyas0OSIQ==",
+      "dev": true,
+      "dependencies": {
+        "isexe": "^2.0.0"
+      },
+      "bin": {
+        "which": "bin/which"
+      }
+    },
+    "node_modules/globals": {
+      "version": "11.12.0",
+      "integrity": "sha512-WOBp/EEGUiIsJSp7wcv/y6MO+lV9UoncWqxuFfm8eBwzWNgyfBd6Gz+IeKQ9jCmyhoH99g15M3T+QaVHFjizVA==",
+      "dev": true,
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/globalthis": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/globalthis/-/globalthis-1.0.3.tgz",
+      "integrity": "sha512-sFdI5LyBiNTHjRd7cGPWapiHWMOXKyuBNX/cWJ3NfzrZQVa8GI/8cofCl74AOVqq9W5kNmguTIzJ/1s2gyI9wA==",
+      "dev": true,
+      "dependencies": {
+        "define-properties": "^1.1.3"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/globalyzer": {
+      "version": "0.1.0",
+      "resolved": "https://registry.npmjs.org/globalyzer/-/globalyzer-0.1.0.tgz",
+      "integrity": "sha512-40oNTM9UfG6aBmuKxk/giHn5nQ8RVz/SS4Ir6zgzOv9/qC3kKZ9v4etGTcJbEl/NyVQH7FGU7d+X1egr57Md2Q==",
+      "dev": true
+    },
+    "node_modules/globby": {
+      "version": "11.0.1",
+      "integrity": "sha512-iH9RmgwCmUJHi2z5o2l3eTtGBtXek1OYlHrbcxOYugyHLmAsZrPj43OtHThd62Buh/Vv6VyCBD2bdyWcGNQqoQ==",
+      "dev": true,
+      "dependencies": {
+        "array-union": "^2.1.0",
+        "dir-glob": "^3.0.1",
+        "fast-glob": "^3.1.1",
+        "ignore": "^5.1.4",
+        "merge2": "^1.3.0",
+        "slash": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/globjoin": {
+      "version": "0.1.4",
+      "integrity": "sha1-L0SUrIkZ43Z8XLtpHp9GMyQoXUM=",
+      "dev": true
+    },
+    "node_modules/globrex": {
+      "version": "0.1.2",
+      "resolved": "https://registry.npmjs.org/globrex/-/globrex-0.1.2.tgz",
+      "integrity": "sha512-uHJgbwAMwNFf5mLst7IWLNg14x1CkeqglJb/K3doi4dw6q2IvAAmM/Y81kevy83wP+Sst+nutFTYOGg3d1lsxg==",
+      "dev": true
+    },
+    "node_modules/gonzales-pe": {
+      "version": "4.3.0",
+      "integrity": "sha512-otgSPpUmdWJ43VXyiNgEYE4luzHCL2pz4wQ0OnDluC6Eg4Ko3Vexy/SrSynglw/eR+OhkzmqFCZa/OFa/RgAOQ==",
+      "dev": true,
+      "dependencies": {
+        "minimist": "^1.2.5"
+      },
+      "bin": {
+        "gonzales": "bin/gonzales.js"
+      },
+      "engines": {
+        "node": ">=0.6.0"
+      }
+    },
+    "node_modules/gopd": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.0.1.tgz",
+      "integrity": "sha512-d65bNlIadxvpb/A2abVdlqKqV563juRnZ1Wtk6s1sIR8uNsXR70xqIzVqxVf1eTqDunwT2MkczEeaezCKTZhwA==",
+      "dev": true,
+      "dependencies": {
+        "get-intrinsic": "^1.1.3"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/graceful-fs": {
+      "version": "4.2.8",
+      "integrity": "sha512-qkIilPUYcNhJpd33n0GBXTB1MMPp14TxEsEs0pTrsSVucApsYzW5V+Q8Qxhik6KU3evy+qkAAowTByymK0avdg==",
+      "dev": true
+    },
+    "node_modules/grapheme-splitter": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/grapheme-splitter/-/grapheme-splitter-1.0.4.tgz",
+      "integrity": "sha512-bzh50DW9kTPM00T8y4o8vQg89Di9oLJVLW/KaOGIXJWP/iqCN6WKYkbNOF04vFLJhwcpYUh9ydh/+5vpOqV4YQ==",
+      "dev": true
+    },
+    "node_modules/graphql": {
+      "version": "15.6.1",
+      "integrity": "sha512-3i5lu0z6dRvJ48QP9kFxBkJ7h4Kso7PS8eahyTFz5Jm6CvQfLtNIE8LX9N6JLnXTuwR+sIYnXzaWp6anOg0QQw==",
+      "dev": true,
+      "engines": {
+        "node": ">= 10.x"
+      }
+    },
+    "node_modules/graphql-request": {
+      "version": "3.5.0",
+      "integrity": "sha512-Io89QpfU4rqiMbqM/KwMBzKaDLOppi8FU8sEccCE4JqCgz95W9Q8bvxQ4NfPALLSMvg9nafgg8AkYRmgKSlukA==",
+      "dev": true,
+      "dependencies": {
+        "cross-fetch": "^3.0.6",
+        "extract-files": "^9.0.0",
+        "form-data": "^3.0.0"
+      },
+      "peerDependencies": {
+        "graphql": "14.x || 15.x"
+      }
+    },
+    "node_modules/growly": {
+      "version": "1.3.0",
+      "integrity": "sha1-8QdIy+dq+WS3yWyTxrzCivEgwIE=",
+      "dev": true,
+      "optional": true,
+      "peer": true
+    },
+    "node_modules/hard-rejection": {
+      "version": "2.1.0",
+      "integrity": "sha512-VIZB+ibDhx7ObhAe7OVtoEbuP4h/MuOTHJ+J8h/eBXotJYl0fBgR72xDFCKgIh22OJZIOVNxBMWuhAr10r8HdA==",
+      "dev": true,
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/has": {
+      "version": "1.0.3",
+      "integrity": "sha512-f2dvO0VU6Oej7RkWJGrehjbzMAjFp5/VKPp5tTpWIV4JHHZK1/BxbFRtf/siA2SWTe09caDmVtYYzWEIbBS4zw==",
+      "dev": true,
+      "dependencies": {
+        "function-bind": "^1.1.1"
+      },
+      "engines": {
+        "node": ">= 0.4.0"
+      }
+    },
+    "node_modules/has-bigints": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/has-bigints/-/has-bigints-1.0.2.tgz",
+      "integrity": "sha512-tSvCKtBr9lkF0Ex0aQiP9N+OpV4zi2r/Nee5VkRDbaqv35RLYMzbwQfFSZZH0kR+Rd6302UJZ2p/bJCEoR3VoQ==",
+      "dev": true,
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/has-flag": {
+      "version": "4.0.0",
+      "integrity": "sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/has-property-descriptors": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/has-property-descriptors/-/has-property-descriptors-1.0.0.tgz",
+      "integrity": "sha512-62DVLZGoiEBDHQyqG4w9xCuZ7eJEwNmJRWw2VY84Oedb7WFcA27fiEVe8oUQx9hAUJ4ekurquucTGwsyO1XGdQ==",
+      "dev": true,
+      "dependencies": {
+        "get-intrinsic": "^1.1.1"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/has-proto": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/has-proto/-/has-proto-1.0.1.tgz",
+      "integrity": "sha512-7qE+iP+O+bgF9clE5+UoBFzE65mlBiVj3tKCrlNQ0Ogwm0BjpT/gK4SlLYDMybDh5I3TCTKnPPa0oMG7JDYrhg==",
+      "dev": true,
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/has-symbols": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.0.3.tgz",
+      "integrity": "sha512-l3LCuF6MgDNwTDKkdYGEihYjt5pRPbEg46rtlmnSPlUbgmB8LOIrKJbYYFBSbnPaJexMKtiPO8hmeRjRz2Td+A==",
+      "dev": true,
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/has-tostringtag": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/has-tostringtag/-/has-tostringtag-1.0.0.tgz",
+      "integrity": "sha512-kFjcSNhnlGV1kyoGk7OXKSawH5JOb/LzUc5w9B02hOTO0dfFRjbHQKvg1d6cf3HbeUmtU9VbbV3qzZ2Teh97WQ==",
+      "dev": true,
+      "dependencies": {
+        "has-symbols": "^1.0.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/has-value": {
+      "version": "1.0.0",
+      "integrity": "sha1-GLKB2lhbHFxR3vJMkw7SmgvmsXc=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "get-value": "^2.0.6",
+        "has-values": "^1.0.0",
+        "isobject": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/has-values": {
+      "version": "1.0.0",
+      "integrity": "sha1-lbC2P+whRmGab+V/51Yo1aOe/k8=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-number": "^3.0.0",
+        "kind-of": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/has-values/node_modules/is-buffer": {
+      "version": "1.1.6",
+      "integrity": "sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/has-values/node_modules/is-number": {
+      "version": "3.0.0",
+      "integrity": "sha1-JP1iAaR4LPUFYcgQJ2r8fRLXEZU=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "kind-of": "^3.0.2"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/has-values/node_modules/is-number/node_modules/kind-of": {
+      "version": "3.2.2",
+      "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-buffer": "^1.1.5"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/has-values/node_modules/kind-of": {
+      "version": "4.0.0",
+      "integrity": "sha1-IIE989cSkosgc3hpGkUGb65y3Vc=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-buffer": "^1.1.5"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/hosted-git-info": {
+      "version": "2.8.9",
+      "integrity": "sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/html-encoding-sniffer": {
+      "version": "2.0.1",
+      "integrity": "sha512-D5JbOMBIR/TVZkubHT+OyT2705QvogUW4IBn6nHd756OwieSF9aDYFj4dv6HHEVGYbHaLETa3WggZYWWMyy3ZQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "whatwg-encoding": "^1.0.5"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/html-escaper": {
+      "version": "2.0.2",
+      "integrity": "sha512-H2iMtd0I4Mt5eYiapRdIDjp+XzelXQ0tFE4JS7YFwFevXXMmOp9myNrUvCg0D6ws8iqkRPBfKHgbwig1SmlLfg==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/html-tags": {
+      "version": "3.1.0",
+      "integrity": "sha512-1qYz89hW3lFDEazhjW0yVAV87lw8lVkrJocr72XmBkMKsoSVJCQx3W8BXsC7hO2qAt8BoVjYjtAcZ9perqGnNg==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/htmlparser2": {
+      "version": "3.10.1",
+      "integrity": "sha512-IgieNijUMbkDovyoKObU1DUhm1iwNYE/fuifEoEHfd1oZKZDaONBSkal7Y01shxsM49R4XaMdGez3WnF9UfiCQ==",
+      "dev": true,
+      "dependencies": {
+        "domelementtype": "^1.3.1",
+        "domhandler": "^2.3.0",
+        "domutils": "^1.5.1",
+        "entities": "^1.1.1",
+        "inherits": "^2.0.1",
+        "readable-stream": "^3.1.1"
+      }
+    },
+    "node_modules/http-proxy-agent": {
+      "version": "4.0.1",
+      "integrity": "sha512-k0zdNgqWTGA6aeIRVpvfVob4fL52dTfaehylg0Y4UvSySvOq/Y+BOyPrgpUrA7HylqvU8vIZGsRuXmspskV0Tg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@tootallnate/once": "1",
+        "agent-base": "6",
+        "debug": "4"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/https-proxy-agent": {
+      "version": "5.0.0",
+      "integrity": "sha512-EkYm5BcKUGiduxzSt3Eppko+PiNWNEpa4ySk9vTC6wDsQJW9rHSa+UhGNJoRYp7bz6Ht1eaRIa6QaJqO5rCFbA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "agent-base": "6",
+        "debug": "4"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/human-signals": {
+      "version": "1.1.1",
+      "integrity": "sha512-SEQu7vl8KjNL2eoGBLF3+wAjpsNfA9XMlXAYj/3EdaNfAlxKthD1xjEQfGOUhllCGGJVNY34bRr6lPINhNjyZw==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=8.12.0"
+      }
+    },
+    "node_modules/iconv-lite": {
+      "version": "0.4.24",
+      "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==",
+      "dev": true,
+      "dependencies": {
+        "safer-buffer": ">= 2.1.2 < 3"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/ignore": {
+      "version": "5.2.4",
+      "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.2.4.tgz",
+      "integrity": "sha512-MAb38BcSbH0eHNBxn7ql2NH/kX33OkB3lZ1BNdh7ENeRChHTYsTvWrMubiIAMNS2llXEEgZ1MUOBtXChP3kaFQ==",
+      "dev": true,
+      "engines": {
+        "node": ">= 4"
+      }
+    },
+    "node_modules/import-fresh": {
+      "version": "3.3.0",
+      "integrity": "sha512-veYYhQa+D1QBKznvhUHxb8faxlrwUnxseDAbAp457E0wLNio2bOSKnjYDhMj+YiAq61xrMGhQk9iXVk5FzgQMw==",
+      "dev": true,
+      "dependencies": {
+        "parent-module": "^1.0.0",
+        "resolve-from": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/import-local": {
+      "version": "3.0.3",
+      "integrity": "sha512-bE9iaUY3CXH8Cwfan/abDKAxe1KGT9kyGsBPqf6DMK/z0a2OzAsrukeYNgIH6cH5Xr452jb1TUL8rSfCLjZ9uA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "pkg-dir": "^4.2.0",
+        "resolve-cwd": "^3.0.0"
+      },
+      "bin": {
+        "import-local-fixture": "fixtures/cli.js"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/import-local/node_modules/find-up": {
+      "version": "4.1.0",
+      "integrity": "sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "locate-path": "^5.0.0",
+        "path-exists": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/import-local/node_modules/locate-path": {
+      "version": "5.0.0",
+      "integrity": "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "p-locate": "^4.1.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/import-local/node_modules/p-limit": {
+      "version": "2.3.0",
+      "integrity": "sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "p-try": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/import-local/node_modules/p-locate": {
+      "version": "4.1.0",
+      "integrity": "sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "p-limit": "^2.2.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/import-local/node_modules/path-exists": {
+      "version": "4.0.0",
+      "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/import-local/node_modules/pkg-dir": {
+      "version": "4.2.0",
+      "integrity": "sha512-HRDzbaKjC+AOWVXxAU/x54COGeIv9eb+6CkDSQoNTt4XyWoIJvuPsXizxu/Fr23EiekbtZwmh1IcIG/l/a10GQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "find-up": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/imurmurhash": {
+      "version": "0.1.4",
+      "integrity": "sha1-khi5srkoojixPcT7a21XbyMUU+o=",
+      "dev": true,
+      "engines": {
+        "node": ">=0.8.19"
+      }
+    },
+    "node_modules/indent-string": {
+      "version": "4.0.0",
+      "integrity": "sha512-EdDDZu4A2OyIK7Lr/2zG+w5jmbuk1DVBnEwREQvBzspBJkCEbRa8GxU1lghYcaGJCnRWibjDXlq779X1/y5xwg==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/inflight": {
+      "version": "1.0.6",
+      "integrity": "sha1-Sb1jMdfQLQwJvJEKEHW6gWW1bfk=",
+      "dev": true,
+      "dependencies": {
+        "once": "^1.3.0",
+        "wrappy": "1"
+      }
+    },
+    "node_modules/inherits": {
+      "version": "2.0.4",
+      "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==",
+      "dev": true
+    },
+    "node_modules/ini": {
+      "version": "1.3.8",
+      "integrity": "sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==",
+      "dev": true
+    },
+    "node_modules/inquirer": {
+      "version": "7.3.3",
+      "resolved": "https://registry.npmjs.org/inquirer/-/inquirer-7.3.3.tgz",
+      "integrity": "sha512-JG3eIAj5V9CwcGvuOmoo6LB9kbAYT8HXffUl6memuszlwDC/qvFAJw49XJ5NROSFNPxp3iQg1GqkFhaY/CR0IA==",
+      "dev": true,
+      "dependencies": {
+        "ansi-escapes": "^4.2.1",
+        "chalk": "^4.1.0",
+        "cli-cursor": "^3.1.0",
+        "cli-width": "^3.0.0",
+        "external-editor": "^3.0.3",
+        "figures": "^3.0.0",
+        "lodash": "^4.17.19",
+        "mute-stream": "0.0.8",
+        "run-async": "^2.4.0",
+        "rxjs": "^6.6.0",
+        "string-width": "^4.1.0",
+        "strip-ansi": "^6.0.0",
+        "through": "^2.3.6"
+      },
+      "engines": {
+        "node": ">=8.0.0"
+      }
+    },
+    "node_modules/internal-slot": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/internal-slot/-/internal-slot-1.0.4.tgz",
+      "integrity": "sha512-tA8URYccNzMo94s5MQZgH8NB/XTa6HsOo0MLfXTKKEnHVVdegzaQoFZ7Jp44bdvLvY2waT5dc+j5ICEswhi7UQ==",
+      "dev": true,
+      "dependencies": {
+        "get-intrinsic": "^1.1.3",
+        "has": "^1.0.3",
+        "side-channel": "^1.0.4"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/ip-regex": {
+      "version": "4.3.0",
+      "integrity": "sha512-B9ZWJxHHOHUhUjCPrMpLD4xEq35bUTClHM1S6CBU5ixQnkZmwipwgc96vAd7AAGM9TGHvJR+Uss+/Ak6UphK+Q==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/is-accessor-descriptor": {
+      "version": "1.0.0",
+      "integrity": "sha512-m5hnHTkcVsPfqx3AKlyttIPb7J+XykHvJP2B9bZDjlhLIoEq4XoK64Vg7boZlVWYK6LUY94dYPEE7Lh0ZkZKcQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "kind-of": "^6.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/is-alphabetical": {
+      "version": "1.0.4",
+      "integrity": "sha512-DwzsA04LQ10FHTZuL0/grVDk4rFoVH1pjAToYwBrHSxcrBIGQuXrQMtD5U1b0U2XVgKZCTLLP8u2Qxqhy3l2Vg==",
+      "dev": true,
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/wooorm"
+      }
+    },
+    "node_modules/is-alphanumeric": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/is-alphanumeric/-/is-alphanumeric-1.0.0.tgz",
+      "integrity": "sha512-ZmRL7++ZkcMOfDuWZuMJyIVLr2keE1o/DeNWh1EmgqGhUcV+9BIVsx0BcSBOHTZqzjs4+dISzr2KAeBEWGgXeA==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/is-alphanumerical": {
+      "version": "1.0.4",
+      "integrity": "sha512-UzoZUr+XfVz3t3v4KyGEniVL9BDRoQtY7tOyrRybkVNjDFWyo1yhXNGrrBTQxp3ib9BLAWs7k2YKBQsFRkZG9A==",
+      "dev": true,
+      "dependencies": {
+        "is-alphabetical": "^1.0.0",
+        "is-decimal": "^1.0.0"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/wooorm"
+      }
+    },
+    "node_modules/is-arguments": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/is-arguments/-/is-arguments-1.1.1.tgz",
+      "integrity": "sha512-8Q7EARjzEnKpt/PCD7e1cgUS0a6X8u5tdSiMqXhojOdoV9TsMsiO+9VLC5vAmO8N7/GmXn7yjR8qnA6bVAEzfA==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2",
+        "has-tostringtag": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/is-array-buffer": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/is-array-buffer/-/is-array-buffer-3.0.1.tgz",
+      "integrity": "sha512-ASfLknmY8Xa2XtB4wmbz13Wu202baeA18cJBCeCy0wXUHZF0IPyVEXqKEcd+t2fNSLLL1vC6k7lxZEojNbISXQ==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2",
+        "get-intrinsic": "^1.1.3",
+        "is-typed-array": "^1.1.10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/is-arrayish": {
+      "version": "0.2.1",
+      "integrity": "sha1-d8mYQFJ6qOyxqLppe4BkWnqSap0=",
+      "dev": true
+    },
+    "node_modules/is-bigint": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/is-bigint/-/is-bigint-1.0.4.tgz",
+      "integrity": "sha512-zB9CruMamjym81i2JZ3UMn54PKGsQzsJeo6xvN3HJJ4CAsQNB6iRutp2To77OfCNuoxspsIhzaPoO1zyCEhFOg==",
+      "dev": true,
+      "dependencies": {
+        "has-bigints": "^1.0.1"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/is-boolean-object": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/is-boolean-object/-/is-boolean-object-1.1.2.tgz",
+      "integrity": "sha512-gDYaKHJmnj4aWxyj6YHyXVpdQawtVLHU5cb+eztPGczf6cjuTdwve5ZIEfgXqH4e57An1D1AKf8CZ3kYrQRqYA==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2",
+        "has-tostringtag": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/is-buffer": {
+      "version": "2.0.5",
+      "integrity": "sha512-i2R6zNFDwgEHJyQUtJEk0XFi1i0dPFn/oqjK3/vPCcDeJvW5NQ83V8QbicfF1SupOaB0h8ntgBC2YiE7dfyctQ==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ],
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/is-callable": {
+      "version": "1.2.7",
+      "resolved": "https://registry.npmjs.org/is-callable/-/is-callable-1.2.7.tgz",
+      "integrity": "sha512-1BC0BVFhS/p0qtw6enp8e+8OD0UrK0oFLztSjNzhcKA3WDuJxxAPXzPuPtKkjEY9UUoEWlX/8fgKeu2S8i9JTA==",
+      "dev": true,
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/is-ci": {
+      "version": "2.0.0",
+      "integrity": "sha512-YfJT7rkpQB0updsdHLGWrvhBJfcfzNNawYDNIyQXJz0IViGf75O8EBPKSdvw2rF+LGCsX4FZ8tcr3b19LcZq4w==",
+      "dev": true,
+      "dependencies": {
+        "ci-info": "^2.0.0"
+      },
+      "bin": {
+        "is-ci": "bin.js"
+      }
+    },
+    "node_modules/is-core-module": {
+      "version": "2.11.0",
+      "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.11.0.tgz",
+      "integrity": "sha512-RRjxlvLDkD1YJwDbroBHMb+cukurkDWNyHx7D3oNB5x9rb5ogcksMC5wHCadcXoo67gVr/+3GFySh3134zi6rw==",
+      "dev": true,
+      "dependencies": {
+        "has": "^1.0.3"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/is-data-descriptor": {
+      "version": "1.0.0",
+      "integrity": "sha512-jbRXy1FmtAoCjQkVmIVYwuuqDFUbaOeDjmed1tOGPrsMhtJA4rD9tkgA0F1qJ3gRFRXcHYVkdeaP50Q5rE/jLQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "kind-of": "^6.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/is-date-object": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/is-date-object/-/is-date-object-1.0.5.tgz",
+      "integrity": "sha512-9YQaSxsAiSwcvS33MBk3wTCVnWK+HhF8VZR2jRxehM16QcVOdHqPn4VPHmRK4lSr38n9JriurInLcP90xsYNfQ==",
+      "dev": true,
+      "dependencies": {
+        "has-tostringtag": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/is-decimal": {
+      "version": "1.0.4",
+      "integrity": "sha512-RGdriMmQQvZ2aqaQq3awNA6dCGtKpiDFcOzrTWrDAT2MiWrKQVPmxLGHl7Y2nNu6led0kEyoX0enY0qXYsv9zw==",
+      "dev": true,
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/wooorm"
+      }
+    },
+    "node_modules/is-descriptor": {
+      "version": "1.0.2",
+      "integrity": "sha512-2eis5WqQGV7peooDyLmNEPUrps9+SXX5c9pL3xEB+4e9HnGuDa7mB7kHxHw4CbqS9k1T2hOH3miL8n8WtiYVtg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-accessor-descriptor": "^1.0.0",
+        "is-data-descriptor": "^1.0.0",
+        "kind-of": "^6.0.2"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/is-docker": {
+      "version": "2.2.1",
+      "integrity": "sha512-F+i2BKsFrH66iaUFc0woD8sLy8getkwTwtOBjvs56Cx4CgJDeKQeqfz8wAYiSb8JOprWhHH5p77PbmYCvvUuXQ==",
+      "dev": true,
+      "bin": {
+        "is-docker": "cli.js"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/is-extendable": {
+      "version": "0.1.1",
+      "integrity": "sha1-YrEQ4omkcUGOPsNqYX1HLjAd/Ik=",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/is-extglob": {
+      "version": "2.1.1",
+      "integrity": "sha1-qIwCU1eR8C7TfHahueqXc8gz+MI=",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/is-fullwidth-code-point": {
+      "version": "3.0.0",
+      "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/is-generator-fn": {
+      "version": "2.1.0",
+      "integrity": "sha512-cTIB4yPYL/Grw0EaSzASzg6bBy9gqCofvWN8okThAYIxKJZC+udlRAmGbM0XLeniEJSs8uEgHPGuHSe1XsOLSQ==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/is-glob": {
+      "version": "4.0.3",
+      "integrity": "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==",
+      "dev": true,
+      "dependencies": {
+        "is-extglob": "^2.1.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/is-hexadecimal": {
+      "version": "1.0.4",
+      "integrity": "sha512-gyPJuv83bHMpocVYoqof5VDiZveEoGoFL8m3BXNb2VW8Xs+rz9kqO8LOQ5DH6EsuvilT1ApazU0pyl+ytbPtlw==",
+      "dev": true,
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/wooorm"
+      }
+    },
+    "node_modules/is-map": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/is-map/-/is-map-2.0.2.tgz",
+      "integrity": "sha512-cOZFQQozTha1f4MxLFzlgKYPTyj26picdZTx82hbc/Xf4K/tZOOXSCkMvU4pKioRXGDLJRn0GM7Upe7kR721yg==",
+      "dev": true,
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/is-negative-zero": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/is-negative-zero/-/is-negative-zero-2.0.2.tgz",
+      "integrity": "sha512-dqJvarLawXsFbNDeJW7zAz8ItJ9cd28YufuuFzh0G8pNHjJMnY08Dv7sYX2uF5UpQOwieAeOExEYAWWfu7ZZUA==",
+      "dev": true,
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/is-number": {
+      "version": "7.0.0",
+      "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.12.0"
+      }
+    },
+    "node_modules/is-number-object": {
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/is-number-object/-/is-number-object-1.0.7.tgz",
+      "integrity": "sha512-k1U0IRzLMo7ZlYIfzRu23Oh6MiIFasgpb9X76eqfFZAqwH44UI4KTBvBYIZ1dSL9ZzChTB9ShHfLkR4pdW5krQ==",
+      "dev": true,
+      "dependencies": {
+        "has-tostringtag": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/is-obj": {
+      "version": "1.0.1",
+      "integrity": "sha1-PkcprB9f3gJc19g6iW2rn09n2w8=",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/is-path-inside": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/is-path-inside/-/is-path-inside-3.0.3.tgz",
+      "integrity": "sha512-Fd4gABb+ycGAmKou8eMftCupSir5lRxqf4aD/vd0cD2qc4HL07OjCeuHMr8Ro4CoMaeCKDB0/ECBOVWjTwUvPQ==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/is-plain-obj": {
+      "version": "1.1.0",
+      "integrity": "sha1-caUMhCnfync8kqOQpKA7OfzVHT4=",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/is-plain-object": {
+      "version": "2.0.4",
+      "integrity": "sha512-h5PpgXkWitc38BBMYawTYMWJHFZJVnBquFE57xFpjB8pJFiF6gZ+bU+WyI/yqXiFR5mdLsgYNaPe8uao6Uv9Og==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "isobject": "^3.0.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/is-potential-custom-element-name": {
+      "version": "1.0.1",
+      "integrity": "sha512-bCYeRA2rVibKZd+s2625gGnGF/t7DSqDs4dP7CrLA1m7jKWz6pps0LpYLJN8Q64HtmPKJ1hrN3nzPNKFEKOUiQ==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/is-regex": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/is-regex/-/is-regex-1.1.4.tgz",
+      "integrity": "sha512-kvRdxDsxZjhzUX07ZnLydzS1TU/TJlTUHHY4YLL87e37oUA49DfkLqgy+VjFocowy29cKvcSiu+kIv728jTTVg==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2",
+        "has-tostringtag": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/is-regexp": {
+      "version": "1.0.0",
+      "integrity": "sha1-/S2INUXEa6xaYz57mgnof6LLUGk=",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/is-set": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/is-set/-/is-set-2.0.2.tgz",
+      "integrity": "sha512-+2cnTEZeY5z/iXGbLhPrOAaK/Mau5k5eXq9j14CpRTftq0pAJu2MwVRSZhyZWBzx3o6X795Lz6Bpb6R0GKf37g==",
+      "dev": true,
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/is-shared-array-buffer": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/is-shared-array-buffer/-/is-shared-array-buffer-1.0.2.tgz",
+      "integrity": "sha512-sqN2UDu1/0y6uvXyStCOzyhAjCSlHceFoMKJW8W9EU9cvic/QdsZ0kEU93HEy3IUEFZIiH/3w+AH/UQbPHNdhA==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/is-stream": {
+      "version": "2.0.1",
+      "integrity": "sha512-hFoiJiTl63nn+kstHGBtewWSKnQLpyb155KHheA1l39uvtO9nWIop1p3udqPcUd/xbF1VLMO4n7OI6p7RbngDg==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/is-string": {
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/is-string/-/is-string-1.0.7.tgz",
+      "integrity": "sha512-tE2UXzivje6ofPW7l23cjDOMa09gb7xlAqG6jG5ej6uPV32TlWP3NKPigtaGeHNu9fohccRYvIiZMfOOnOYUtg==",
+      "dev": true,
+      "dependencies": {
+        "has-tostringtag": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/is-symbol": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/is-symbol/-/is-symbol-1.0.4.tgz",
+      "integrity": "sha512-C/CPBqKWnvdcxqIARxyOh4v1UUEOCHpgDa0WYgpKDFMszcrPcffg5uhwSgPCLD2WWxmq6isisz87tzT01tuGhg==",
+      "dev": true,
+      "dependencies": {
+        "has-symbols": "^1.0.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/is-typed-array": {
+      "version": "1.1.10",
+      "resolved": "https://registry.npmjs.org/is-typed-array/-/is-typed-array-1.1.10.tgz",
+      "integrity": "sha512-PJqgEHiWZvMpaFZ3uTc8kHPM4+4ADTlDniuQL7cU/UDA0Ql7F70yGfHph3cLNe+c9toaigv+DFzTJKhc2CtO6A==",
+      "dev": true,
+      "dependencies": {
+        "available-typed-arrays": "^1.0.5",
+        "call-bind": "^1.0.2",
+        "for-each": "^0.3.3",
+        "gopd": "^1.0.1",
+        "has-tostringtag": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/is-typedarray": {
+      "version": "1.0.0",
+      "integrity": "sha1-5HnICFjfDBsR3dppQPlgEfzaSpo=",
+      "dev": true
+    },
+    "node_modules/is-unicode-supported": {
+      "version": "0.1.0",
+      "integrity": "sha512-knxG2q4UC3u8stRGyAVJCOdxFmv5DZiRcdlIaAQXAbSfJya+OhopNotLQrstBhququ4ZpuKbDc/8S6mgXgPFPw==",
+      "dev": true,
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/is-url-superb": {
+      "version": "3.0.0",
+      "integrity": "sha512-3faQP+wHCGDQT1qReM5zCPx2mxoal6DzbzquFlCYJLWyy4WPTved33ea2xFbX37z4NoriEwZGIYhFtx8RUB5wQ==",
+      "dev": true,
+      "dependencies": {
+        "url-regex": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/is-weakmap": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/is-weakmap/-/is-weakmap-2.0.1.tgz",
+      "integrity": "sha512-NSBR4kH5oVj1Uwvv970ruUkCV7O1mzgVFO4/rev2cLRda9Tm9HrL70ZPut4rOHgY0FNrUu9BCbXA2sdQ+x0chA==",
+      "dev": true,
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/is-weakref": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/is-weakref/-/is-weakref-1.0.2.tgz",
+      "integrity": "sha512-qctsuLZmIQ0+vSSMfoVvyFe2+GSEvnmZ2ezTup1SBse9+twCCeial6EEi3Nc2KFcf6+qz2FBPnjXsk8xhKSaPQ==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/is-weakset": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/is-weakset/-/is-weakset-2.0.2.tgz",
+      "integrity": "sha512-t2yVvttHkQktwnNNmBQ98AhENLdPUTDTE21uPqAQ0ARwQfGeQKRVS0NNurH7bTf7RrvcVn1OOge45CnBeHCSmg==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2",
+        "get-intrinsic": "^1.1.1"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/is-whitespace-character": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/is-whitespace-character/-/is-whitespace-character-1.0.4.tgz",
+      "integrity": "sha512-SDweEzfIZM0SJV0EUga669UTKlmL0Pq8Lno0QDQsPnvECB3IM2aP0gdx5TrU0A01MAPfViaZiI2V1QMZLaKK5w==",
+      "dev": true,
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/wooorm"
+      }
+    },
+    "node_modules/is-windows": {
+      "version": "1.0.2",
+      "integrity": "sha512-eXK1UInq2bPmjyX6e3VHIzMLobc4J94i4AWn+Hpq3OU5KkrRC96OAcR3PRJ/pGu6m8TRnBHP9dkXQVsT/COVIA==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/is-word-character": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/is-word-character/-/is-word-character-1.0.4.tgz",
+      "integrity": "sha512-5SMO8RVennx3nZrqtKwCGyyetPE9VDba5ugvKLaD4KopPG5kR4mQ7tNt/r7feL5yt5h3lpuBbIUmCOG2eSzXHA==",
+      "dev": true,
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/wooorm"
+      }
+    },
+    "node_modules/is-wsl": {
+      "version": "2.2.0",
+      "integrity": "sha512-fKzAra0rGJUUBwGBgNkHZuToZcn+TtXHpeCgmkMJMMYx1sQDYaCSyjJBSCa2nH1DGm7s3n1oBnohoVTBaN7Lww==",
+      "dev": true,
+      "dependencies": {
+        "is-docker": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/isarray": {
+      "version": "1.0.0",
+      "integrity": "sha1-u5NdSFgsuhaMBoNJV6VKPgcSTxE=",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/isexe": {
+      "version": "2.0.0",
+      "integrity": "sha1-6PvzdNxVb/iUehDcsFctYz8s+hA=",
+      "dev": true
+    },
+    "node_modules/isobject": {
+      "version": "3.0.1",
+      "integrity": "sha1-TkMekrEalzFjaqH5yNHMvP2reN8=",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/istanbul-lib-coverage": {
+      "version": "3.0.2",
+      "integrity": "sha512-o5+eTUYzCJ11/+JhW5/FUCdfsdoYVdQ/8I/OveE2XsjehYn5DdeSnNQAbjYaO8gQ6hvGTN6GM6ddQqpTVG5j8g==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/istanbul-lib-instrument": {
+      "version": "4.0.3",
+      "integrity": "sha512-BXgQl9kf4WTCPCCpmFGoJkz/+uhvm7h7PFKUYxh7qarQd3ER33vHG//qaE8eN25l07YqZPpHXU9I09l/RD5aGQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@babel/core": "^7.7.5",
+        "@istanbuljs/schema": "^0.1.2",
+        "istanbul-lib-coverage": "^3.0.0",
+        "semver": "^6.3.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/istanbul-lib-instrument/node_modules/semver": {
+      "version": "6.3.0",
+      "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==",
+      "dev": true,
+      "peer": true,
+      "bin": {
+        "semver": "bin/semver.js"
+      }
+    },
+    "node_modules/istanbul-lib-report": {
+      "version": "3.0.0",
+      "integrity": "sha512-wcdi+uAKzfiGT2abPpKZ0hSU1rGQjUQnLvtY5MpQ7QCTahD3VODhcu4wcfY1YtkGaDD5yuydOLINXsfbus9ROw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "istanbul-lib-coverage": "^3.0.0",
+        "make-dir": "^3.0.0",
+        "supports-color": "^7.1.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/istanbul-lib-report/node_modules/make-dir": {
+      "version": "3.1.0",
+      "integrity": "sha512-g3FeP20LNwhALb/6Cz6Dd4F2ngze0jz7tbzrD2wAV+o9FeNHe4rL+yK2md0J/fiSf1sa1ADhXqi5+oVwOM/eGw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "semver": "^6.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/istanbul-lib-report/node_modules/semver": {
+      "version": "6.3.0",
+      "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==",
+      "dev": true,
+      "peer": true,
+      "bin": {
+        "semver": "bin/semver.js"
+      }
+    },
+    "node_modules/istanbul-lib-source-maps": {
+      "version": "4.0.0",
+      "integrity": "sha512-c16LpFRkR8vQXyHZ5nLpY35JZtzj1PQY1iZmesUbf1FZHbIupcWfjgOXBY9YHkLEQ6puz1u4Dgj6qmU/DisrZg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "debug": "^4.1.1",
+        "istanbul-lib-coverage": "^3.0.0",
+        "source-map": "^0.6.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/istanbul-lib-source-maps/node_modules/source-map": {
+      "version": "0.6.1",
+      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/istanbul-reports": {
+      "version": "3.0.3",
+      "integrity": "sha512-0i77ZFLsb9U3DHi22WzmIngVzfoyxxbQcZRqlF3KoKmCJGq9nhFHoGi8FqBztN2rE8w6hURnZghetn0xpkVb6A==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "html-escaper": "^2.0.0",
+        "istanbul-lib-report": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/jake": {
+      "version": "10.8.2",
+      "integrity": "sha512-eLpKyrfG3mzvGE2Du8VoPbeSkRry093+tyNjdYaBbJS9v17knImYGNXQCUV0gLxQtF82m3E8iRb/wdSQZLoq7A==",
+      "dev": true,
+      "dependencies": {
+        "async": "0.9.x",
+        "chalk": "^2.4.2",
+        "filelist": "^1.0.1",
+        "minimatch": "^3.0.4"
+      },
+      "bin": {
+        "jake": "bin/cli.js"
+      },
+      "engines": {
+        "node": "*"
+      }
+    },
+    "node_modules/jake/node_modules/ansi-styles": {
+      "version": "3.2.1",
+      "integrity": "sha512-VT0ZI6kZRdTh8YyJw3SMbYm/u+NqfsAxEpWO0Pf9sq8/e94WxxOpPKx9FR1FlyCtOVDNOQ+8ntlqFxiRc+r5qA==",
+      "dev": true,
+      "dependencies": {
+        "color-convert": "^1.9.0"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/jake/node_modules/chalk": {
+      "version": "2.4.2",
+      "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+      "dev": true,
+      "dependencies": {
+        "ansi-styles": "^3.2.1",
+        "escape-string-regexp": "^1.0.5",
+        "supports-color": "^5.3.0"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/jake/node_modules/color-convert": {
+      "version": "1.9.3",
+      "integrity": "sha512-QfAUtd+vFdAtFQcC8CCyYt1fYWxSqAiK2cSD6zDB8N3cpsEBAvRxp9zOGg6G/SHHJYAT88/az/IuDGALsNVbGg==",
+      "dev": true,
+      "dependencies": {
+        "color-name": "1.1.3"
+      }
+    },
+    "node_modules/jake/node_modules/color-name": {
+      "version": "1.1.3",
+      "integrity": "sha1-p9BVi9icQveV3UIyj3QIMcpTvCU=",
+      "dev": true
+    },
+    "node_modules/jake/node_modules/has-flag": {
+      "version": "3.0.0",
+      "integrity": "sha1-tdRU3CGZriJWmfNGfloH87lVuv0=",
+      "dev": true,
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/jake/node_modules/supports-color": {
+      "version": "5.5.0",
+      "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+      "dev": true,
+      "dependencies": {
+        "has-flag": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/jest": {
+      "version": "26.6.3",
+      "integrity": "sha512-lGS5PXGAzR4RF7V5+XObhqz2KZIDUA1yD0DG6pBVmy10eh0ZIXQImRuzocsI/N2XZ1GrLFwTS27In2i2jlpq1Q==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@jest/core": "^26.6.3",
+        "import-local": "^3.0.2",
+        "jest-cli": "^26.6.3"
+      },
+      "bin": {
+        "jest": "bin/jest.js"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/jest-changed-files": {
+      "version": "26.6.2",
+      "integrity": "sha512-fDS7szLcY9sCtIip8Fjry9oGf3I2ht/QT21bAHm5Dmf0mD4X3ReNUf17y+bO6fR8WgbIZTlbyG1ak/53cbRzKQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@jest/types": "^26.6.2",
+        "execa": "^4.0.0",
+        "throat": "^5.0.0"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/jest-cli": {
+      "version": "26.6.3",
+      "integrity": "sha512-GF9noBSa9t08pSyl3CY4frMrqp+aQXFGFkf5hEPbh/pIUFYWMK6ZLTfbmadxJVcJrdRoChlWQsA2VkJcDFK8hg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@jest/core": "^26.6.3",
+        "@jest/test-result": "^26.6.2",
+        "@jest/types": "^26.6.2",
+        "chalk": "^4.0.0",
+        "exit": "^0.1.2",
+        "graceful-fs": "^4.2.4",
+        "import-local": "^3.0.2",
+        "is-ci": "^2.0.0",
+        "jest-config": "^26.6.3",
+        "jest-util": "^26.6.2",
+        "jest-validate": "^26.6.2",
+        "prompts": "^2.0.1",
+        "yargs": "^15.4.1"
+      },
+      "bin": {
+        "jest": "bin/jest.js"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/jest-config": {
+      "version": "26.6.3",
+      "integrity": "sha512-t5qdIj/bCj2j7NFVHb2nFB4aUdfucDn3JRKgrZnplb8nieAirAzRSHP8uDEd+qV6ygzg9Pz4YG7UTJf94LPSyg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@babel/core": "^7.1.0",
+        "@jest/test-sequencer": "^26.6.3",
+        "@jest/types": "^26.6.2",
+        "babel-jest": "^26.6.3",
+        "chalk": "^4.0.0",
+        "deepmerge": "^4.2.2",
+        "glob": "^7.1.1",
+        "graceful-fs": "^4.2.4",
+        "jest-environment-jsdom": "^26.6.2",
+        "jest-environment-node": "^26.6.2",
+        "jest-get-type": "^26.3.0",
+        "jest-jasmine2": "^26.6.3",
+        "jest-regex-util": "^26.0.0",
+        "jest-resolve": "^26.6.2",
+        "jest-util": "^26.6.2",
+        "jest-validate": "^26.6.2",
+        "micromatch": "^4.0.2",
+        "pretty-format": "^26.6.2"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      },
+      "peerDependencies": {
+        "ts-node": ">=9.0.0"
+      },
+      "peerDependenciesMeta": {
+        "ts-node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/jest-config/node_modules/deepmerge": {
+      "version": "4.2.2",
+      "integrity": "sha512-FJ3UgI4gIl+PHZm53knsuSFpE+nESMr7M4v9QcgB7S63Kj/6WqMiFQJpBBYz1Pt+66bZpP3Q7Lye0Oo9MPKEdg==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/jest-diff": {
+      "version": "26.6.2",
+      "integrity": "sha512-6m+9Z3Gv9wN0WFVasqjCL/06+EFCMTqDEUl/b87HYK2rAPTyfz4ZIuSlPhY51PIQRWx5TaxeF1qmXKe9gfN3sA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "chalk": "^4.0.0",
+        "diff-sequences": "^26.6.2",
+        "jest-get-type": "^26.3.0",
+        "pretty-format": "^26.6.2"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/jest-docblock": {
+      "version": "26.0.0",
+      "integrity": "sha512-RDZ4Iz3QbtRWycd8bUEPxQsTlYazfYn/h5R65Fc6gOfwozFhoImx+affzky/FFBuqISPTqjXomoIGJVKBWoo0w==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "detect-newline": "^3.0.0"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/jest-each": {
+      "version": "26.6.2",
+      "integrity": "sha512-Mer/f0KaATbjl8MCJ+0GEpNdqmnVmDYqCTJYTvoo7rqmRiDllmp2AYN+06F93nXcY3ur9ShIjS+CO/uD+BbH4A==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@jest/types": "^26.6.2",
+        "chalk": "^4.0.0",
+        "jest-get-type": "^26.3.0",
+        "jest-util": "^26.6.2",
+        "pretty-format": "^26.6.2"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/jest-environment-jsdom": {
+      "version": "26.6.2",
+      "integrity": "sha512-jgPqCruTlt3Kwqg5/WVFyHIOJHsiAvhcp2qiR2QQstuG9yWox5+iHpU3ZrcBxW14T4fe5Z68jAfLRh7joCSP2Q==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@jest/environment": "^26.6.2",
+        "@jest/fake-timers": "^26.6.2",
+        "@jest/types": "^26.6.2",
+        "@types/node": "*",
+        "jest-mock": "^26.6.2",
+        "jest-util": "^26.6.2",
+        "jsdom": "^16.4.0"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/jest-environment-node": {
+      "version": "26.6.2",
+      "integrity": "sha512-zhtMio3Exty18dy8ee8eJ9kjnRyZC1N4C1Nt/VShN1apyXc8rWGtJ9lI7vqiWcyyXS4BVSEn9lxAM2D+07/Tag==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@jest/environment": "^26.6.2",
+        "@jest/fake-timers": "^26.6.2",
+        "@jest/types": "^26.6.2",
+        "@types/node": "*",
+        "jest-mock": "^26.6.2",
+        "jest-util": "^26.6.2"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/jest-get-type": {
+      "version": "26.3.0",
+      "integrity": "sha512-TpfaviN1R2pQWkIihlfEanwOXK0zcxrKEE4MlU6Tn7keoXdN6/3gK/xl0yEh8DOunn5pOVGKf8hB4R9gVh04ig==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/jest-haste-map": {
+      "version": "26.6.2",
+      "integrity": "sha512-easWIJXIw71B2RdR8kgqpjQrbMRWQBgiBwXYEhtGUTaX+doCjBheluShdDMeR8IMfJiTqH4+zfhtg29apJf/8w==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@jest/types": "^26.6.2",
+        "@types/graceful-fs": "^4.1.2",
+        "@types/node": "*",
+        "anymatch": "^3.0.3",
+        "fb-watchman": "^2.0.0",
+        "graceful-fs": "^4.2.4",
+        "jest-regex-util": "^26.0.0",
+        "jest-serializer": "^26.6.2",
+        "jest-util": "^26.6.2",
+        "jest-worker": "^26.6.2",
+        "micromatch": "^4.0.2",
+        "sane": "^4.0.3",
+        "walker": "^1.0.7"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      },
+      "optionalDependencies": {
+        "fsevents": "^2.1.2"
+      }
+    },
+    "node_modules/jest-jasmine2": {
+      "version": "26.6.3",
+      "integrity": "sha512-kPKUrQtc8aYwBV7CqBg5pu+tmYXlvFlSFYn18ev4gPFtrRzB15N2gW/Roew3187q2w2eHuu0MU9TJz6w0/nPEg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@babel/traverse": "^7.1.0",
+        "@jest/environment": "^26.6.2",
+        "@jest/source-map": "^26.6.2",
+        "@jest/test-result": "^26.6.2",
+        "@jest/types": "^26.6.2",
+        "@types/node": "*",
+        "chalk": "^4.0.0",
+        "co": "^4.6.0",
+        "expect": "^26.6.2",
+        "is-generator-fn": "^2.0.0",
+        "jest-each": "^26.6.2",
+        "jest-matcher-utils": "^26.6.2",
+        "jest-message-util": "^26.6.2",
+        "jest-runtime": "^26.6.3",
+        "jest-snapshot": "^26.6.2",
+        "jest-util": "^26.6.2",
+        "pretty-format": "^26.6.2",
+        "throat": "^5.0.0"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/jest-leak-detector": {
+      "version": "26.6.2",
+      "integrity": "sha512-i4xlXpsVSMeKvg2cEKdfhh0H39qlJlP5Ex1yQxwF9ubahboQYMgTtz5oML35AVA3B4Eu+YsmwaiKVev9KCvLxg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "jest-get-type": "^26.3.0",
+        "pretty-format": "^26.6.2"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/jest-matcher-utils": {
+      "version": "26.6.2",
+      "integrity": "sha512-llnc8vQgYcNqDrqRDXWwMr9i7rS5XFiCwvh6DTP7Jqa2mqpcCBBlpCbn+trkG0KNhPu/h8rzyBkriOtBstvWhw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "chalk": "^4.0.0",
+        "jest-diff": "^26.6.2",
+        "jest-get-type": "^26.3.0",
+        "pretty-format": "^26.6.2"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/jest-message-util": {
+      "version": "26.6.2",
+      "integrity": "sha512-rGiLePzQ3AzwUshu2+Rn+UMFk0pHN58sOG+IaJbk5Jxuqo3NYO1U2/MIR4S1sKgsoYSXSzdtSa0TgrmtUwEbmA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@babel/code-frame": "^7.0.0",
+        "@jest/types": "^26.6.2",
+        "@types/stack-utils": "^2.0.0",
+        "chalk": "^4.0.0",
+        "graceful-fs": "^4.2.4",
+        "micromatch": "^4.0.2",
+        "pretty-format": "^26.6.2",
+        "slash": "^3.0.0",
+        "stack-utils": "^2.0.2"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/jest-mock": {
+      "version": "26.6.2",
+      "integrity": "sha512-YyFjePHHp1LzpzYcmgqkJ0nm0gg/lJx2aZFzFy1S6eUqNjXsOqTK10zNRff2dNfssgokjkG65OlWNcIlgd3zew==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@jest/types": "^26.6.2",
+        "@types/node": "*"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/jest-pnp-resolver": {
+      "version": "1.2.2",
+      "integrity": "sha512-olV41bKSMm8BdnuMsewT4jqlZ8+3TCARAXjZGT9jcoSnrfUnRCqnMoF9XEeoWjbzObpqF9dRhHQj0Xb9QdF6/w==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=6"
+      },
+      "peerDependencies": {
+        "jest-resolve": "*"
+      },
+      "peerDependenciesMeta": {
+        "jest-resolve": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/jest-regex-util": {
+      "version": "26.0.0",
+      "integrity": "sha512-Gv3ZIs/nA48/Zvjrl34bf+oD76JHiGDUxNOVgUjh3j890sblXryjY4rss71fPtD/njchl6PSE2hIhvyWa1eT0A==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/jest-resolve": {
+      "version": "26.6.2",
+      "integrity": "sha512-sOxsZOq25mT1wRsfHcbtkInS+Ek7Q8jCHUB0ZUTP0tc/c41QHriU/NunqMfCUWsL4H3MHpvQD4QR9kSYhS7UvQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@jest/types": "^26.6.2",
+        "chalk": "^4.0.0",
+        "graceful-fs": "^4.2.4",
+        "jest-pnp-resolver": "^1.2.2",
+        "jest-util": "^26.6.2",
+        "read-pkg-up": "^7.0.1",
+        "resolve": "^1.18.1",
+        "slash": "^3.0.0"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/jest-resolve-dependencies": {
+      "version": "26.6.3",
+      "integrity": "sha512-pVwUjJkxbhe4RY8QEWzN3vns2kqyuldKpxlxJlzEYfKSvY6/bMvxoFrYYzUO1Gx28yKWN37qyV7rIoIp2h8fTg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@jest/types": "^26.6.2",
+        "jest-regex-util": "^26.0.0",
+        "jest-snapshot": "^26.6.2"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/jest-resolve/node_modules/find-up": {
+      "version": "4.1.0",
+      "integrity": "sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "locate-path": "^5.0.0",
+        "path-exists": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/jest-resolve/node_modules/locate-path": {
+      "version": "5.0.0",
+      "integrity": "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "p-locate": "^4.1.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/jest-resolve/node_modules/p-limit": {
+      "version": "2.3.0",
+      "integrity": "sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "p-try": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/jest-resolve/node_modules/p-locate": {
+      "version": "4.1.0",
+      "integrity": "sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "p-limit": "^2.2.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/jest-resolve/node_modules/path-exists": {
+      "version": "4.0.0",
+      "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/jest-resolve/node_modules/read-pkg": {
+      "version": "5.2.0",
+      "integrity": "sha512-Ug69mNOpfvKDAc2Q8DRpMjjzdtrnv9HcSMX+4VsZxD1aZ6ZzrIE7rlzXBtWTyhULSMKg076AW6WR5iZpD0JiOg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@types/normalize-package-data": "^2.4.0",
+        "normalize-package-data": "^2.5.0",
+        "parse-json": "^5.0.0",
+        "type-fest": "^0.6.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/jest-resolve/node_modules/read-pkg-up": {
+      "version": "7.0.1",
+      "integrity": "sha512-zK0TB7Xd6JpCLmlLmufqykGE+/TlOePD6qKClNW7hHDKFh/J7/7gCWGR7joEQEW1bKq3a3yUZSObOoWLFQ4ohg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "find-up": "^4.1.0",
+        "read-pkg": "^5.2.0",
+        "type-fest": "^0.8.1"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/jest-resolve/node_modules/read-pkg/node_modules/type-fest": {
+      "version": "0.6.0",
+      "integrity": "sha512-q+MB8nYR1KDLrgr4G5yemftpMC7/QLqVndBmEEdqzmNj5dcFOO4Oo8qlwZE3ULT3+Zim1F8Kq4cBnikNhlCMlg==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/jest-resolve/node_modules/type-fest": {
+      "version": "0.8.1",
+      "integrity": "sha512-4dbzIzqvjtgiM5rw1k5rEHtBANKmdudhGyBEajN01fEyhaAIhsoKNy6y7+IN93IfpFtwY9iqi7kD+xwKhQsNJA==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/jest-runner": {
+      "version": "26.6.3",
+      "integrity": "sha512-atgKpRHnaA2OvByG/HpGA4g6CSPS/1LK0jK3gATJAoptC1ojltpmVlYC3TYgdmGp+GLuhzpH30Gvs36szSL2JQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@jest/console": "^26.6.2",
+        "@jest/environment": "^26.6.2",
+        "@jest/test-result": "^26.6.2",
+        "@jest/types": "^26.6.2",
+        "@types/node": "*",
+        "chalk": "^4.0.0",
+        "emittery": "^0.7.1",
+        "exit": "^0.1.2",
+        "graceful-fs": "^4.2.4",
+        "jest-config": "^26.6.3",
+        "jest-docblock": "^26.0.0",
+        "jest-haste-map": "^26.6.2",
+        "jest-leak-detector": "^26.6.2",
+        "jest-message-util": "^26.6.2",
+        "jest-resolve": "^26.6.2",
+        "jest-runtime": "^26.6.3",
+        "jest-util": "^26.6.2",
+        "jest-worker": "^26.6.2",
+        "source-map-support": "^0.5.6",
+        "throat": "^5.0.0"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/jest-runtime": {
+      "version": "26.6.3",
+      "integrity": "sha512-lrzyR3N8sacTAMeonbqpnSka1dHNux2uk0qqDXVkMv2c/A3wYnvQ4EXuI013Y6+gSKSCxdaczvf4HF0mVXHRdw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@jest/console": "^26.6.2",
+        "@jest/environment": "^26.6.2",
+        "@jest/fake-timers": "^26.6.2",
+        "@jest/globals": "^26.6.2",
+        "@jest/source-map": "^26.6.2",
+        "@jest/test-result": "^26.6.2",
+        "@jest/transform": "^26.6.2",
+        "@jest/types": "^26.6.2",
+        "@types/yargs": "^15.0.0",
+        "chalk": "^4.0.0",
+        "cjs-module-lexer": "^0.6.0",
+        "collect-v8-coverage": "^1.0.0",
+        "exit": "^0.1.2",
+        "glob": "^7.1.3",
+        "graceful-fs": "^4.2.4",
+        "jest-config": "^26.6.3",
+        "jest-haste-map": "^26.6.2",
+        "jest-message-util": "^26.6.2",
+        "jest-mock": "^26.6.2",
+        "jest-regex-util": "^26.0.0",
+        "jest-resolve": "^26.6.2",
+        "jest-snapshot": "^26.6.2",
+        "jest-util": "^26.6.2",
+        "jest-validate": "^26.6.2",
+        "slash": "^3.0.0",
+        "strip-bom": "^4.0.0",
+        "yargs": "^15.4.1"
+      },
+      "bin": {
+        "jest-runtime": "bin/jest-runtime.js"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/jest-serializer": {
+      "version": "26.6.2",
+      "integrity": "sha512-S5wqyz0DXnNJPd/xfIzZ5Xnp1HrJWBczg8mMfMpN78OJ5eDxXyf+Ygld9wX1DnUWbIbhM1YDY95NjR4CBXkb2g==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@types/node": "*",
+        "graceful-fs": "^4.2.4"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/jest-snapshot": {
+      "version": "26.6.2",
+      "integrity": "sha512-OLhxz05EzUtsAmOMzuupt1lHYXCNib0ECyuZ/PZOx9TrZcC8vL0x+DUG3TL+GLX3yHG45e6YGjIm0XwDc3q3og==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@babel/types": "^7.0.0",
+        "@jest/types": "^26.6.2",
+        "@types/babel__traverse": "^7.0.4",
+        "@types/prettier": "^2.0.0",
+        "chalk": "^4.0.0",
+        "expect": "^26.6.2",
+        "graceful-fs": "^4.2.4",
+        "jest-diff": "^26.6.2",
+        "jest-get-type": "^26.3.0",
+        "jest-haste-map": "^26.6.2",
+        "jest-matcher-utils": "^26.6.2",
+        "jest-message-util": "^26.6.2",
+        "jest-resolve": "^26.6.2",
+        "natural-compare": "^1.4.0",
+        "pretty-format": "^26.6.2",
+        "semver": "^7.3.2"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/jest-util": {
+      "version": "26.6.2",
+      "integrity": "sha512-MDW0fKfsn0OI7MS7Euz6h8HNDXVQ0gaM9uW6RjfDmd1DAFcaxX9OqIakHIqhbnmF08Cf2DLDG+ulq8YQQ0Lp0Q==",
+      "dev": true,
+      "dependencies": {
+        "@jest/types": "^26.6.2",
+        "@types/node": "*",
+        "chalk": "^4.0.0",
+        "graceful-fs": "^4.2.4",
+        "is-ci": "^2.0.0",
+        "micromatch": "^4.0.2"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/jest-validate": {
+      "version": "26.6.2",
+      "integrity": "sha512-NEYZ9Aeyj0i5rQqbq+tpIOom0YS1u2MVu6+euBsvpgIme+FOfRmoC4R5p0JiAUpaFvFy24xgrpMknarR/93XjQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@jest/types": "^26.6.2",
+        "camelcase": "^6.0.0",
+        "chalk": "^4.0.0",
+        "jest-get-type": "^26.3.0",
+        "leven": "^3.1.0",
+        "pretty-format": "^26.6.2"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/jest-validate/node_modules/camelcase": {
+      "version": "6.2.0",
+      "integrity": "sha512-c7wVvbw3f37nuobQNtgsgG9POC9qMbNuMQmTCqZv23b6MIz0fcYpBiOlv9gEN/hdLdnZTDQhg6e9Dq5M1vKvfg==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/jest-watcher": {
+      "version": "26.6.2",
+      "integrity": "sha512-WKJob0P/Em2csiVthsI68p6aGKTIcsfjH9Gsx1f0A3Italz43e3ho0geSAVsmj09RWOELP1AZ/DXyJgOgDKxXQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@jest/test-result": "^26.6.2",
+        "@jest/types": "^26.6.2",
+        "@types/node": "*",
+        "ansi-escapes": "^4.2.1",
+        "chalk": "^4.0.0",
+        "jest-util": "^26.6.2",
+        "string-length": "^4.0.1"
+      },
+      "engines": {
+        "node": ">= 10.14.2"
+      }
+    },
+    "node_modules/jest-worker": {
+      "version": "26.6.2",
+      "integrity": "sha512-KWYVV1c4i+jbMpaBC+U++4Va0cp8OisU185o73T1vo99hqi7w8tSJfUXYswwqqrjzwxa6KpRK54WhPvwf5w6PQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@types/node": "*",
+        "merge-stream": "^2.0.0",
+        "supports-color": "^7.0.0"
+      },
+      "engines": {
+        "node": ">= 10.13.0"
+      }
+    },
+    "node_modules/js-sdsl": {
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/js-sdsl/-/js-sdsl-4.2.0.tgz",
+      "integrity": "sha512-dyBIzQBDkCqCu+0upx25Y2jGdbTGxE9fshMsCdK0ViOongpV+n5tXRcZY9v7CaVQ79AGS9KA1KHtojxiM7aXSQ==",
+      "dev": true,
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/js-sdsl"
+      }
+    },
+    "node_modules/js-tokens": {
+      "version": "4.0.0",
+      "integrity": "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==",
+      "dev": true
+    },
+    "node_modules/js-yaml": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz",
+      "integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==",
+      "dev": true,
+      "dependencies": {
+        "argparse": "^2.0.1"
+      },
+      "bin": {
+        "js-yaml": "bin/js-yaml.js"
+      }
+    },
+    "node_modules/jsdom": {
+      "version": "16.7.0",
+      "integrity": "sha512-u9Smc2G1USStM+s/x1ru5Sxrl6mPYCbByG1U/hUmqaVsm4tbNyS7CicOSRyuGQYZhTu0h84qkZZQ/I+dzizSVw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "abab": "^2.0.5",
+        "acorn": "^8.2.4",
+        "acorn-globals": "^6.0.0",
+        "cssom": "^0.4.4",
+        "cssstyle": "^2.3.0",
+        "data-urls": "^2.0.0",
+        "decimal.js": "^10.2.1",
+        "domexception": "^2.0.1",
+        "escodegen": "^2.0.0",
+        "form-data": "^3.0.0",
+        "html-encoding-sniffer": "^2.0.1",
+        "http-proxy-agent": "^4.0.1",
+        "https-proxy-agent": "^5.0.0",
+        "is-potential-custom-element-name": "^1.0.1",
+        "nwsapi": "^2.2.0",
+        "parse5": "6.0.1",
+        "saxes": "^5.0.1",
+        "symbol-tree": "^3.2.4",
+        "tough-cookie": "^4.0.0",
+        "w3c-hr-time": "^1.0.2",
+        "w3c-xmlserializer": "^2.0.0",
+        "webidl-conversions": "^6.1.0",
+        "whatwg-encoding": "^1.0.5",
+        "whatwg-mimetype": "^2.3.0",
+        "whatwg-url": "^8.5.0",
+        "ws": "^7.4.6",
+        "xml-name-validator": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "peerDependencies": {
+        "canvas": "^2.5.0"
+      },
+      "peerDependenciesMeta": {
+        "canvas": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/jsdom/node_modules/acorn": {
+      "version": "8.5.0",
+      "integrity": "sha512-yXbYeFy+jUuYd3/CDcg2NkIYE991XYX/bje7LmjJigUciaeO1JR4XxXgCIV1/Zc/dRuFEyw1L0pbA+qynJkW5Q==",
+      "dev": true,
+      "peer": true,
+      "bin": {
+        "acorn": "bin/acorn"
+      },
+      "engines": {
+        "node": ">=0.4.0"
+      }
+    },
+    "node_modules/jsesc": {
+      "version": "2.5.2",
+      "integrity": "sha512-OYu7XEzjkCQ3C5Ps3QIZsQfNpqoJyZZA99wd9aWd05NCtC5pWOkShK2mkL6HXQR6/Cy2lbNdPlZBpuQHXE63gA==",
+      "dev": true,
+      "bin": {
+        "jsesc": "bin/jsesc"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/json-parse-better-errors": {
+      "version": "1.0.2",
+      "integrity": "sha512-mrqyZKfX5EhL7hvqcV6WG1yYjnjeuYDzDhhcAAUrq8Po85NBQBJP+ZDUT75qZQ98IkUoBqdkExkukOU7Ts2wrw==",
+      "dev": true
+    },
+    "node_modules/json-parse-even-better-errors": {
+      "version": "2.3.1",
+      "integrity": "sha512-xyFwyhro/JEof6Ghe2iz2NcXoj2sloNsWr/XsERDK/oiPCfaNhl5ONfp+jQdAZRQQ0IJWNzH9zIZF7li91kh2w==",
+      "dev": true
+    },
+    "node_modules/json-schema-traverse": {
+      "version": "0.4.1",
+      "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz",
+      "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==",
+      "dev": true
+    },
+    "node_modules/json-stable-stringify-without-jsonify": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/json-stable-stringify-without-jsonify/-/json-stable-stringify-without-jsonify-1.0.1.tgz",
+      "integrity": "sha512-Bdboy+l7tA3OGW6FjyFHWkP5LuByj1Tk33Ljyq0axyzdk9//JSi2u3fP1QSmd1KNwq6VOKYGlAu87CisVir6Pw==",
+      "dev": true
+    },
+    "node_modules/json5": {
+      "version": "2.2.0",
+      "integrity": "sha512-f+8cldu7X/y7RAJurMEJmdoKXGB/X550w2Nr3tTbezL6RwEE/iMcm+tZnXeoZtKuOq6ft8+CqzEkrIgx1fPoQA==",
+      "dev": true,
+      "dependencies": {
+        "minimist": "^1.2.5"
+      },
+      "bin": {
+        "json5": "lib/cli.js"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/jsonfile": {
+      "version": "6.1.0",
+      "integrity": "sha512-5dgndWOriYSm5cnYaJNhalLNDKOqFwyDB/rr1E9ZsGciGvKPs8R2xYGCacuf3z6K1YKDz182fd+fY3cn3pMqXQ==",
+      "dev": true,
+      "dependencies": {
+        "universalify": "^2.0.0"
+      },
+      "optionalDependencies": {
+        "graceful-fs": "^4.1.6"
+      }
+    },
+    "node_modules/jsonfile/node_modules/universalify": {
+      "version": "2.0.0",
+      "integrity": "sha512-hAZsKq7Yy11Zu1DE0OzWjw7nnLZmJZYTDZZyEFHZdUhV8FkH5MCfoU1XMaxXovpyW5nq5scPqq0ZDP9Zyl04oQ==",
+      "dev": true,
+      "engines": {
+        "node": ">= 10.0.0"
+      }
+    },
+    "node_modules/jsx-ast-utils": {
+      "version": "3.3.3",
+      "resolved": "https://registry.npmjs.org/jsx-ast-utils/-/jsx-ast-utils-3.3.3.tgz",
+      "integrity": "sha512-fYQHZTZ8jSfmWZ0iyzfwiU4WDX4HpHbMCZ3gPlWYiCl3BoeOTsqKBqnTVfH2rYT7eP5c3sVbeSPHnnJOaTrWiw==",
+      "dev": true,
+      "dependencies": {
+        "array-includes": "^3.1.5",
+        "object.assign": "^4.1.3"
+      },
+      "engines": {
+        "node": ">=4.0"
+      }
+    },
+    "node_modules/kind-of": {
+      "version": "6.0.3",
+      "integrity": "sha512-dcS1ul+9tmeD95T+x28/ehLgd9mENa3LsvDTtzm3vyBEO7RPptvAD+t44WVXaUjTBRcrpFeFlC8WCruUR456hw==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/kleur": {
+      "version": "3.0.3",
+      "integrity": "sha512-eTIzlVOSUR+JxdDFepEYcBMtZ9Qqdef+rnzWdRZuMbOywu5tO2w2N7rqjoANZ5k9vywhL6Br1VRjUIgTQx4E8w==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/known-css-properties": {
+      "version": "0.20.0",
+      "integrity": "sha512-URvsjaA9ypfreqJ2/ylDr5MUERhJZ+DhguoWRr2xgS5C7aGCalXo+ewL+GixgKBfhT2vuL02nbIgNGqVWgTOYw==",
+      "dev": true
+    },
+    "node_modules/language-subtag-registry": {
+      "version": "0.3.22",
+      "resolved": "https://registry.npmjs.org/language-subtag-registry/-/language-subtag-registry-0.3.22.tgz",
+      "integrity": "sha512-tN0MCzyWnoz/4nHS6uxdlFWoUZT7ABptwKPQ52Ea7URk6vll88bWBVhodtnlfEuCcKWNGoc+uGbw1cwa9IKh/w==",
+      "dev": true
+    },
+    "node_modules/language-tags": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/language-tags/-/language-tags-1.0.5.tgz",
+      "integrity": "sha512-qJhlO9cGXi6hBGKoxEG/sKZDAHD5Hnu9Hs4WbOY3pCWXDhw0N8x1NenNzm2EnNLkLkk7J2SdxAkDSbb6ftT+UQ==",
+      "dev": true,
+      "dependencies": {
+        "language-subtag-registry": "~0.3.2"
+      }
+    },
+    "node_modules/leven": {
+      "version": "3.1.0",
+      "integrity": "sha512-qsda+H8jTaUaN/x5vzW2rzc+8Rw4TAQ/4KjB46IwK5VH+IlVeeeje/EoZRpiXvIqjFgK84QffqPztGI3VBLG1A==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/levn": {
+      "version": "0.4.1",
+      "resolved": "https://registry.npmjs.org/levn/-/levn-0.4.1.tgz",
+      "integrity": "sha512-+bT2uH4E5LGE7h/n3evcS/sQlJXCpIp6ym8OWJ5eV6+67Dsql/LaaT7qJBAt2rzfoa/5QBGBhxDix1dMt2kQKQ==",
+      "dev": true,
+      "dependencies": {
+        "prelude-ls": "^1.2.1",
+        "type-check": "~0.4.0"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/lines-and-columns": {
+      "version": "1.1.6",
+      "integrity": "sha1-HADHQ7QzzQpOgHWPe2SldEDZ/wA=",
+      "dev": true
+    },
+    "node_modules/lint-staged": {
+      "version": "11.1.2",
+      "integrity": "sha512-6lYpNoA9wGqkL6Hew/4n1H6lRqF3qCsujVT0Oq5Z4hiSAM7S6NksPJ3gnr7A7R52xCtiZMcEUNNQ6d6X5Bvh9w==",
+      "dev": true,
+      "dependencies": {
+        "chalk": "^4.1.1",
+        "cli-truncate": "^2.1.0",
+        "commander": "^7.2.0",
+        "cosmiconfig": "^7.0.0",
+        "debug": "^4.3.1",
+        "enquirer": "^2.3.6",
+        "execa": "^5.0.0",
+        "listr2": "^3.8.2",
+        "log-symbols": "^4.1.0",
+        "micromatch": "^4.0.4",
+        "normalize-path": "^3.0.0",
+        "please-upgrade-node": "^3.2.0",
+        "string-argv": "0.3.1",
+        "stringify-object": "^3.3.0"
+      },
+      "bin": {
+        "lint-staged": "bin/lint-staged.js"
+      },
+      "funding": {
+        "url": "https://opencollective.com/lint-staged"
+      }
+    },
+    "node_modules/lint-staged/node_modules/chalk": {
+      "version": "4.1.2",
+      "integrity": "sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==",
+      "dev": true,
+      "dependencies": {
+        "ansi-styles": "^4.1.0",
+        "supports-color": "^7.1.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/chalk?sponsor=1"
+      }
+    },
+    "node_modules/lint-staged/node_modules/execa": {
+      "version": "5.1.1",
+      "integrity": "sha512-8uSpZZocAZRBAPIEINJj3Lo9HyGitllczc27Eh5YYojjMFMn8yHMDMaUHE2Jqfq05D/wucwI4JGURyXt1vchyg==",
+      "dev": true,
+      "dependencies": {
+        "cross-spawn": "^7.0.3",
+        "get-stream": "^6.0.0",
+        "human-signals": "^2.1.0",
+        "is-stream": "^2.0.0",
+        "merge-stream": "^2.0.0",
+        "npm-run-path": "^4.0.1",
+        "onetime": "^5.1.2",
+        "signal-exit": "^3.0.3",
+        "strip-final-newline": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sindresorhus/execa?sponsor=1"
+      }
+    },
+    "node_modules/lint-staged/node_modules/get-stream": {
+      "version": "6.0.1",
+      "integrity": "sha512-ts6Wi+2j3jQjqi70w5AlN8DFnkSwC+MqmxEzdEALB2qXZYV3X/b1CTfgPLGJNMeAWxdPfU8FO1ms3NUfaHCPYg==",
+      "dev": true,
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/lint-staged/node_modules/human-signals": {
+      "version": "2.1.0",
+      "integrity": "sha512-B4FFZ6q/T2jhhksgkbEW3HBvWIfDW85snkQgawt07S7J5QXTk6BkNV+0yAeZrM5QpMAdYlocGoljn0sJ/WQkFw==",
+      "dev": true,
+      "engines": {
+        "node": ">=10.17.0"
+      }
+    },
+    "node_modules/listr2": {
+      "version": "3.12.2",
+      "integrity": "sha512-64xC2CJ/As/xgVI3wbhlPWVPx0wfTqbUAkpb7bjDi0thSWMqrf07UFhrfsGoo8YSXmF049Rp9C0cjLC8rZxK9A==",
+      "dev": true,
+      "dependencies": {
+        "cli-truncate": "^2.1.0",
+        "colorette": "^1.4.0",
+        "log-update": "^4.0.0",
+        "p-map": "^4.0.0",
+        "rxjs": "^6.6.7",
+        "through": "^2.3.8",
+        "wrap-ansi": "^7.0.0"
+      },
+      "engines": {
+        "node": ">=10.0.0"
+      },
+      "peerDependencies": {
+        "enquirer": ">= 2.3.0 < 3"
+      }
+    },
+    "node_modules/load-json-file": {
+      "version": "4.0.0",
+      "integrity": "sha1-L19Fq5HjMhYjT9U62rZo607AmTs=",
+      "dev": true,
+      "dependencies": {
+        "graceful-fs": "^4.1.2",
+        "parse-json": "^4.0.0",
+        "pify": "^3.0.0",
+        "strip-bom": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/load-json-file/node_modules/parse-json": {
+      "version": "4.0.0",
+      "integrity": "sha1-vjX1Qlvh9/bHRxhPmKeIy5lHfuA=",
+      "dev": true,
+      "dependencies": {
+        "error-ex": "^1.3.1",
+        "json-parse-better-errors": "^1.0.1"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/load-json-file/node_modules/pify": {
+      "version": "3.0.0",
+      "integrity": "sha1-5aSs0sEB/fPZpNB/DbxNtJ3SgXY=",
+      "dev": true,
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/load-json-file/node_modules/strip-bom": {
+      "version": "3.0.0",
+      "integrity": "sha1-IzTBjpx1n3vdVv3vfprj1YjmjtM=",
+      "dev": true,
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/locate-path": {
+      "version": "2.0.0",
+      "integrity": "sha1-K1aLJl7slExtnA3pw9u7ygNUzY4=",
+      "dev": true,
+      "dependencies": {
+        "p-locate": "^2.0.0",
+        "path-exists": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/lodash": {
+      "version": "4.17.21",
+      "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
+      "dev": true
+    },
+    "node_modules/lodash.clonedeep": {
+      "version": "4.5.0",
+      "integrity": "sha1-4j8/nE+Pvd6HJSnBBxhXoIblzO8=",
+      "dev": true
+    },
+    "node_modules/lodash.merge": {
+      "version": "4.6.2",
+      "resolved": "https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.2.tgz",
+      "integrity": "sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ==",
+      "dev": true
+    },
+    "node_modules/lodash.truncate": {
+      "version": "4.4.2",
+      "integrity": "sha1-WjUNoLERO4N+z//VgSy+WNbq4ZM=",
+      "dev": true
+    },
+    "node_modules/log-symbols": {
+      "version": "4.1.0",
+      "integrity": "sha512-8XPvpAA8uyhfteu8pIvQxpJZ7SYYdpUivZpGy6sFsBuKRY/7rQGavedeB8aK+Zkyq6upMFVL/9AW6vOYzfRyLg==",
+      "dev": true,
+      "dependencies": {
+        "chalk": "^4.1.0",
+        "is-unicode-supported": "^0.1.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/log-update": {
+      "version": "4.0.0",
+      "integrity": "sha512-9fkkDevMefjg0mmzWFBW8YkFP91OrizzkW3diF7CpG+S2EYdy4+TVfGwz1zeF8x7hCx1ovSPTOE9Ngib74qqUg==",
+      "dev": true,
+      "dependencies": {
+        "ansi-escapes": "^4.3.0",
+        "cli-cursor": "^3.1.0",
+        "slice-ansi": "^4.0.0",
+        "wrap-ansi": "^6.2.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/log-update/node_modules/slice-ansi": {
+      "version": "4.0.0",
+      "integrity": "sha512-qMCMfhY040cVHT43K9BFygqYbUPFZKHOg7K73mtTWJRb8pyP3fzf4Ixd5SzdEJQ6MRUg/WBnOLxghZtKKurENQ==",
+      "dev": true,
+      "dependencies": {
+        "ansi-styles": "^4.0.0",
+        "astral-regex": "^2.0.0",
+        "is-fullwidth-code-point": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/slice-ansi?sponsor=1"
+      }
+    },
+    "node_modules/log-update/node_modules/wrap-ansi": {
+      "version": "6.2.0",
+      "integrity": "sha512-r6lPcBGxZXlIcymEu7InxDMhdW0KDxpLgoFLcguasxCaJ/SOIZwINatK9KY/tf+ZrlywOKU0UDj3ATXUBfxJXA==",
+      "dev": true,
+      "dependencies": {
+        "ansi-styles": "^4.0.0",
+        "string-width": "^4.1.0",
+        "strip-ansi": "^6.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/longest-streak": {
+      "version": "2.0.4",
+      "integrity": "sha512-vM6rUVCVUJJt33bnmHiZEvr7wPT78ztX7rojL+LW51bHtLh6HTjx84LA5W4+oa6aKEJA7jJu5LR6vQRBpA5DVg==",
+      "dev": true,
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/wooorm"
+      }
+    },
+    "node_modules/loose-envify": {
+      "version": "1.4.0",
+      "integrity": "sha512-lyuxPGr/Wfhrlem2CL/UcnUc1zcqKAImBDzukY7Y5F/yQiNdko6+fRLevlw1HgMySw7f611UIY408EtxRSoK3Q==",
+      "dev": true,
+      "dependencies": {
+        "js-tokens": "^3.0.0 || ^4.0.0"
+      },
+      "bin": {
+        "loose-envify": "cli.js"
+      }
+    },
+    "node_modules/lru-cache": {
+      "version": "6.0.0",
+      "integrity": "sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==",
+      "dev": true,
+      "dependencies": {
+        "yallist": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/make-error": {
+      "version": "1.3.6",
+      "integrity": "sha512-s8UhlNe7vPKomQhC1qFelMokr/Sc3AgNbso3n74mVPA5LTZwkB9NlXf4XPamLxJE8h0gh73rM94xvwRT2CVInw==",
+      "dev": true
+    },
+    "node_modules/makeerror": {
+      "version": "1.0.11",
+      "integrity": "sha1-4BpckQnyr3lmDk6LlYd5AYT1qWw=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "tmpl": "1.0.x"
+      }
+    },
+    "node_modules/map-cache": {
+      "version": "0.2.2",
+      "integrity": "sha1-wyq9C9ZSXZsFFkW7TyasXcmKDb8=",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/map-obj": {
+      "version": "1.0.1",
+      "integrity": "sha1-2TPOuSBdgr3PSIb2dCvcK03qFG0=",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/map-visit": {
+      "version": "1.0.0",
+      "integrity": "sha1-7Nyo8TFE5mDxtb1B8S80edmN+48=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "object-visit": "^1.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/markdown-escapes": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/markdown-escapes/-/markdown-escapes-1.0.4.tgz",
+      "integrity": "sha512-8z4efJYk43E0upd0NbVXwgSTQs6cT3T06etieCMEg7dRbzCbxUCK/GHlX8mhHRDcp+OLlHkPKsvqQTCvsRl2cg==",
+      "dev": true,
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/wooorm"
+      }
+    },
+    "node_modules/markdown-table": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/markdown-table/-/markdown-table-2.0.0.tgz",
+      "integrity": "sha512-Ezda85ToJUBhM6WGaG6veasyym+Tbs3cMAw/ZhOPqXiYsr0jgocBV3j3nx+4lk47plLlIqjwuTm/ywVI+zjJ/A==",
+      "dev": true,
+      "dependencies": {
+        "repeat-string": "^1.0.0"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/wooorm"
+      }
+    },
+    "node_modules/mathml-tag-names": {
+      "version": "2.1.3",
+      "integrity": "sha512-APMBEanjybaPzUrfqU0IMU5I0AswKMH7k8OTLs0vvV4KZpExkTkY87nR/zpbuTPj+gARop7aGUbl11pnDfW6xg==",
+      "dev": true,
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/wooorm"
+      }
+    },
+    "node_modules/mdast-util-compact": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/mdast-util-compact/-/mdast-util-compact-2.0.1.tgz",
+      "integrity": "sha512-7GlnT24gEwDrdAwEHrU4Vv5lLWrEer4KOkAiKT9nYstsTad7Oc1TwqT2zIMKRdZF7cTuaf+GA1E4Kv7jJh8mPA==",
+      "dev": true,
+      "dependencies": {
+        "unist-util-visit": "^2.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/mdast-util-compact/node_modules/unist-util-visit": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/unist-util-visit/-/unist-util-visit-2.0.3.tgz",
+      "integrity": "sha512-iJ4/RczbJMkD0712mGktuGpm/U4By4FfDonL7N/9tATGIF4imikjOuagyMY53tnZq3NP6BcmlrHhEKAfGWjh7Q==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0",
+        "unist-util-is": "^4.0.0",
+        "unist-util-visit-parents": "^3.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/mdast-util-compact/node_modules/unist-util-visit-parents": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/unist-util-visit-parents/-/unist-util-visit-parents-3.1.1.tgz",
+      "integrity": "sha512-1KROIZWo6bcMrZEwiH2UrXDyalAa0uqzWCxCJj6lPOvTve2WkfgCytoDTPaMnodXh1WrXOq0haVYHj99ynJlsg==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0",
+        "unist-util-is": "^4.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/mdast-util-from-markdown": {
+      "version": "0.8.5",
+      "integrity": "sha512-2hkTXtYYnr+NubD/g6KGBS/0mFmBcifAsI0yIWRiRo0PjVs6SSOSOdtzbp6kSGnShDN6G5aWZpKQ2lWRy27mWQ==",
+      "dev": true,
+      "dependencies": {
+        "@types/mdast": "^3.0.0",
+        "mdast-util-to-string": "^2.0.0",
+        "micromark": "~2.11.0",
+        "parse-entities": "^2.0.0",
+        "unist-util-stringify-position": "^2.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/mdast-util-to-markdown": {
+      "version": "0.6.5",
+      "integrity": "sha512-XeV9sDE7ZlOQvs45C9UKMtfTcctcaj/pGwH8YLbMHoMOXNNCn2LsqVQOqrF1+/NU8lKDAqozme9SCXWyo9oAcQ==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0",
+        "longest-streak": "^2.0.0",
+        "mdast-util-to-string": "^2.0.0",
+        "parse-entities": "^2.0.0",
+        "repeat-string": "^1.0.0",
+        "zwitch": "^1.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/mdast-util-to-string": {
+      "version": "2.0.0",
+      "integrity": "sha512-AW4DRS3QbBayY/jJmD8437V1Gombjf8RSOUCMFBuo5iHi58AGEgVCKQ+ezHkZZDpAQS75hcBMpLqjpJTjtUL7w==",
+      "dev": true,
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/merge-stream": {
+      "version": "2.0.0",
+      "integrity": "sha512-abv/qOcuPfk3URPfDzmZU1LKmuw8kT+0nIHvKrKgFrwifol/doWcdA4ZqsWQ8ENrFKkd67Mfpo/LovbIUsbt3w==",
+      "dev": true
+    },
+    "node_modules/merge2": {
+      "version": "1.4.1",
+      "integrity": "sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==",
+      "dev": true,
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/micromark": {
+      "version": "2.11.4",
+      "integrity": "sha512-+WoovN/ppKolQOFIAajxi7Lu9kInbPxFuTBVEavFcL8eAfVstoc5MocPmqBeAdBOJV00uaVjegzH4+MA0DN/uA==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "GitHub Sponsors",
+          "url": "https://github.com/sponsors/unifiedjs"
+        },
+        {
+          "type": "OpenCollective",
+          "url": "https://opencollective.com/unified"
+        }
+      ],
+      "dependencies": {
+        "debug": "^4.0.0",
+        "parse-entities": "^2.0.0"
+      }
+    },
+    "node_modules/micromatch": {
+      "version": "4.0.4",
+      "integrity": "sha512-pRmzw/XUcwXGpD9aI9q/0XOwLNygjETJ8y0ao0wdqprrzDa4YnxLcz7fQRZr8voh8V10kGhABbNcHVk5wHgWwg==",
+      "dev": true,
+      "dependencies": {
+        "braces": "^3.0.1",
+        "picomatch": "^2.2.3"
+      },
+      "engines": {
+        "node": ">=8.6"
+      }
+    },
+    "node_modules/mime-db": {
+      "version": "1.50.0",
+      "integrity": "sha512-9tMZCDlYHqeERXEHO9f/hKfNXhre5dK2eE/krIvUjZbS2KPcqGDfNShIWS1uW9XOTKQKqK6qbeOci18rbfW77A==",
+      "dev": true,
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/mime-types": {
+      "version": "2.1.33",
+      "integrity": "sha512-plLElXp7pRDd0bNZHw+nMd52vRYjLwQjygaNg7ddJ2uJtTlmnTCjWuPKxVu6//AdaRuME84SvLW91sIkBqGT0g==",
+      "dev": true,
+      "dependencies": {
+        "mime-db": "1.50.0"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/mimic-fn": {
+      "version": "2.1.0",
+      "integrity": "sha512-OqbOk5oEQeAZ8WXWydlu9HJjz9WVdEIvamMCcXmuqUYjTknH/sqsWvhQ3vgwKFRR1HpjvNBKQ37nbJgYzGqGcg==",
+      "dev": true,
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/min-indent": {
+      "version": "1.0.1",
+      "integrity": "sha512-I9jwMn07Sy/IwOj3zVkVik2JTvgpaykDZEigL6Rx6N9LbMywwUSMtxET+7lVoDLLd3O3IXwJwvuuns8UB/HeAg==",
+      "dev": true,
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/minimatch": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
+      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+      "dev": true,
+      "dependencies": {
+        "brace-expansion": "^1.1.7"
+      },
+      "engines": {
+        "node": "*"
+      }
+    },
+    "node_modules/minimist": {
+      "version": "1.2.7",
+      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.7.tgz",
+      "integrity": "sha512-bzfL1YUZsP41gmu/qjrEk0Q6i2ix/cVeAhbCbqH9u3zYutS1cLg00qhrD0M2MVdCcx4Sc0UpP2eBWo9rotpq6g==",
+      "dev": true,
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/minimist-options": {
+      "version": "4.1.0",
+      "integrity": "sha512-Q4r8ghd80yhO/0j1O3B2BjweX3fiHg9cdOwjJd2J76Q135c+NDxGCqdYKQ1SKBuFfgWbAUzBfvYjPUEeNgqN1A==",
+      "dev": true,
+      "dependencies": {
+        "arrify": "^1.0.1",
+        "is-plain-obj": "^1.1.0",
+        "kind-of": "^6.0.3"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/mixin-deep": {
+      "version": "1.3.2",
+      "integrity": "sha512-WRoDn//mXBiJ1H40rqa3vH0toePwSsGb45iInWlTySa+Uu4k3tYUSxa2v1KqAiLtvlrSzaExqS1gtk96A9zvEA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "for-in": "^1.0.2",
+        "is-extendable": "^1.0.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/mixin-deep/node_modules/is-extendable": {
+      "version": "1.0.1",
+      "integrity": "sha512-arnXMxT1hhoKo9k1LZdmlNyJdDDfy2v0fXjFlmok4+i8ul/6WlbVge9bhM74OpNPQPMGUToDtz+KXa1PneJxOA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-plain-object": "^2.0.4"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/ms": {
+      "version": "2.1.2",
+      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==",
+      "dev": true
+    },
+    "node_modules/mute-stream": {
+      "version": "0.0.8",
+      "integrity": "sha512-nnbWWOkoWyUsTjKrhgD0dcz22mdkSnpYqbEjIm2nhwhuxlSkpywJmBo8h0ZqJdkp73mb90SssHkN4rsRaBAfAA==",
+      "dev": true
+    },
+    "node_modules/nanoid": {
+      "version": "3.3.4",
+      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.4.tgz",
+      "integrity": "sha512-MqBkQh/OHTS2egovRtLk45wEyNXwF+cokD+1YPf9u5VfJiRdAiRwB2froX5Co9Rh20xs4siNPm8naNotSD6RBw==",
+      "dev": true,
+      "bin": {
+        "nanoid": "bin/nanoid.cjs"
+      },
+      "engines": {
+        "node": "^10 || ^12 || ^13.7 || ^14 || >=15.0.1"
+      }
+    },
+    "node_modules/nanomatch": {
+      "version": "1.2.13",
+      "integrity": "sha512-fpoe2T0RbHwBTBUOftAfBPaDEi06ufaUai0mE6Yn1kacc3SnTErfb/h+X94VXzI64rKFHYImXSvdwGGCmwOqCA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "arr-diff": "^4.0.0",
+        "array-unique": "^0.3.2",
+        "define-property": "^2.0.2",
+        "extend-shallow": "^3.0.2",
+        "fragment-cache": "^0.2.1",
+        "is-windows": "^1.0.2",
+        "kind-of": "^6.0.2",
+        "object.pick": "^1.3.0",
+        "regex-not": "^1.0.0",
+        "snapdragon": "^0.8.1",
+        "to-regex": "^3.0.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/nanomatch/node_modules/extend-shallow": {
+      "version": "3.0.2",
+      "integrity": "sha1-Jqcarwc7OfshJxcnRhMcJwQCjbg=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "assign-symbols": "^1.0.0",
+        "is-extendable": "^1.0.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/nanomatch/node_modules/is-extendable": {
+      "version": "1.0.1",
+      "integrity": "sha512-arnXMxT1hhoKo9k1LZdmlNyJdDDfy2v0fXjFlmok4+i8ul/6WlbVge9bhM74OpNPQPMGUToDtz+KXa1PneJxOA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-plain-object": "^2.0.4"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/natural-compare": {
+      "version": "1.4.0",
+      "integrity": "sha1-Sr6/7tdUHywnrPspvbvRXI1bpPc=",
+      "dev": true
+    },
+    "node_modules/natural-compare-lite": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/natural-compare-lite/-/natural-compare-lite-1.4.0.tgz",
+      "integrity": "sha512-Tj+HTDSJJKaZnfiuw+iaF9skdPpTo2GtEly5JHnWV/hfv2Qj/9RKsGISQtLh2ox3l5EAGw487hnBee0sIJ6v2g==",
+      "dev": true
+    },
+    "node_modules/next": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/next/-/next-12.3.1.tgz",
+      "integrity": "sha512-l7bvmSeIwX5lp07WtIiP9u2ytZMv7jIeB8iacR28PuUEFG5j0HGAPnMqyG5kbZNBG2H7tRsrQ4HCjuMOPnANZw==",
+      "dev": true,
+      "dependencies": {
+        "@next/env": "12.3.1",
+        "@swc/helpers": "0.4.11",
+        "caniuse-lite": "^1.0.30001406",
+        "postcss": "8.4.14",
+        "styled-jsx": "5.0.7",
+        "use-sync-external-store": "1.2.0"
+      },
+      "bin": {
+        "next": "dist/bin/next"
+      },
+      "engines": {
+        "node": ">=12.22.0"
+      },
+      "optionalDependencies": {
+        "@next/swc-android-arm-eabi": "12.3.1",
+        "@next/swc-android-arm64": "12.3.1",
+        "@next/swc-darwin-arm64": "12.3.1",
+        "@next/swc-darwin-x64": "12.3.1",
+        "@next/swc-freebsd-x64": "12.3.1",
+        "@next/swc-linux-arm-gnueabihf": "12.3.1",
+        "@next/swc-linux-arm64-gnu": "12.3.1",
+        "@next/swc-linux-arm64-musl": "12.3.1",
+        "@next/swc-linux-x64-gnu": "12.3.1",
+        "@next/swc-linux-x64-musl": "12.3.1",
+        "@next/swc-win32-arm64-msvc": "12.3.1",
+        "@next/swc-win32-ia32-msvc": "12.3.1",
+        "@next/swc-win32-x64-msvc": "12.3.1"
+      },
+      "peerDependencies": {
+        "fibers": ">= 3.1.0",
+        "node-sass": "^6.0.0 || ^7.0.0",
+        "react": "^17.0.2 || ^18.0.0-0",
+        "react-dom": "^17.0.2 || ^18.0.0-0",
+        "sass": "^1.3.0"
+      },
+      "peerDependenciesMeta": {
+        "fibers": {
+          "optional": true
+        },
+        "node-sass": {
+          "optional": true
+        },
+        "sass": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/nice-try": {
+      "version": "1.0.5",
+      "integrity": "sha512-1nh45deeb5olNY7eX82BkPO7SSxR5SSYJiPTrTdFUVYwAl8CKMA5N9PjTYkHiRjisVcxcQ1HXdLhx2qxxJzLNQ==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/node-int64": {
+      "version": "0.4.0",
+      "integrity": "sha1-h6kGXNs1XTGC2PlM4RGIuCXGijs=",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/node-modules-regexp": {
+      "version": "1.0.0",
+      "integrity": "sha1-jZ2+KJZKSsVxLpExZCEHxx6Q7EA=",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/node-notifier": {
+      "version": "8.0.2",
+      "integrity": "sha512-oJP/9NAdd9+x2Q+rfphB2RJCHjod70RcRLjosiPMMu5gjIfwVnOUGq2nbTjTUbmy0DJ/tFIVT30+Qe3nzl4TJg==",
+      "dev": true,
+      "optional": true,
+      "peer": true,
+      "dependencies": {
+        "growly": "^1.3.0",
+        "is-wsl": "^2.2.0",
+        "semver": "^7.3.2",
+        "shellwords": "^0.1.1",
+        "uuid": "^8.3.0",
+        "which": "^2.0.2"
+      }
+    },
+    "node_modules/node-releases": {
+      "version": "1.1.77",
+      "integrity": "sha512-rB1DUFUNAN4Gn9keO2K1efO35IDK7yKHCdCaIMvFO7yUYmmZYeDjnGKle26G4rwj+LKRQpjyUUvMkPglwGCYNQ==",
+      "dev": true
+    },
+    "node_modules/normalize-package-data": {
+      "version": "2.5.0",
+      "integrity": "sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "hosted-git-info": "^2.1.4",
+        "resolve": "^1.10.0",
+        "semver": "2 || 3 || 4 || 5",
+        "validate-npm-package-license": "^3.0.1"
+      }
+    },
+    "node_modules/normalize-package-data/node_modules/semver": {
+      "version": "5.7.1",
+      "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ==",
+      "dev": true,
+      "peer": true,
+      "bin": {
+        "semver": "bin/semver"
+      }
+    },
+    "node_modules/normalize-path": {
+      "version": "3.0.0",
+      "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/normalize-range": {
+      "version": "0.1.2",
+      "integrity": "sha1-LRDAa9/TEuqXd2laTShDlFa3WUI=",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/normalize-selector": {
+      "version": "0.2.0",
+      "integrity": "sha1-0LFF62kRicY6eNIB3E/bEpPvDAM=",
+      "dev": true
+    },
+    "node_modules/npm-run-path": {
+      "version": "4.0.1",
+      "integrity": "sha512-S48WzZW777zhNIrn7gxOlISNAqi9ZC/uQFnRdbeIHhZhCA6UqpkOT8T1G7BvfdgP4Er8gF4sUbaS0i7QvIfCWw==",
+      "dev": true,
+      "dependencies": {
+        "path-key": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/num2fraction": {
+      "version": "1.2.2",
+      "integrity": "sha1-b2gragJ6Tp3fpFZM0lidHU5mnt4=",
+      "dev": true
+    },
+    "node_modules/nwsapi": {
+      "version": "2.2.0",
+      "integrity": "sha512-h2AatdwYH+JHiZpv7pt/gSX1XoRGb7L/qSIeuqA6GwYoF9w1vP1cw42TO0aI2pNyshRK5893hNSl+1//vHK7hQ==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/object-assign": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz",
+      "integrity": "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/object-copy": {
+      "version": "0.1.0",
+      "integrity": "sha1-fn2Fi3gb18mRpBupde04EnVOmYw=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "copy-descriptor": "^0.1.0",
+        "define-property": "^0.2.5",
+        "kind-of": "^3.0.3"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/object-copy/node_modules/define-property": {
+      "version": "0.2.5",
+      "integrity": "sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-descriptor": "^0.1.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/object-copy/node_modules/is-accessor-descriptor": {
+      "version": "0.1.6",
+      "integrity": "sha1-qeEss66Nh2cn7u84Q/igiXtcmNY=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "kind-of": "^3.0.2"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/object-copy/node_modules/is-buffer": {
+      "version": "1.1.6",
+      "integrity": "sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/object-copy/node_modules/is-data-descriptor": {
+      "version": "0.1.4",
+      "integrity": "sha1-C17mSDiOLIYCgueT8YVv7D8wG1Y=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "kind-of": "^3.0.2"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/object-copy/node_modules/is-descriptor": {
+      "version": "0.1.6",
+      "integrity": "sha512-avDYr0SB3DwO9zsMov0gKCESFYqCnE4hq/4z3TdUlukEy5t9C0YRq7HLrsN52NAcqXKaepeCD0n+B0arnVG3Hg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-accessor-descriptor": "^0.1.6",
+        "is-data-descriptor": "^0.1.4",
+        "kind-of": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/object-copy/node_modules/is-descriptor/node_modules/kind-of": {
+      "version": "5.1.0",
+      "integrity": "sha512-NGEErnH6F2vUuXDh+OlbcKW7/wOcfdRHaZ7VWtqCztfHri/++YKmP51OdWeGPuqCOba6kk2OTe5d02VmTB80Pw==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/object-copy/node_modules/kind-of": {
+      "version": "3.2.2",
+      "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-buffer": "^1.1.5"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/object-inspect": {
+      "version": "1.12.3",
+      "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.12.3.tgz",
+      "integrity": "sha512-geUvdk7c+eizMNUDkRpW1wJwgfOiOeHbxBR/hLXK1aT6zmVSO0jsQcs7fj6MGw89jC/cjGfLcNOrtMYtGqm81g==",
+      "dev": true,
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/object-is": {
+      "version": "1.1.5",
+      "resolved": "https://registry.npmjs.org/object-is/-/object-is-1.1.5.tgz",
+      "integrity": "sha512-3cyDsyHgtmi7I7DfSSI2LDp6SK2lwvtbg0p0R1e0RvTqF5ceGx+K2dfSjm1bKDMVCFEDAQvy+o8c6a7VujOddw==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.3"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/object-keys": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/object-keys/-/object-keys-1.1.1.tgz",
+      "integrity": "sha512-NuAESUOUMrlIXOfHKzD6bpPu3tYt3xvjNdRIQ+FeT0lNb4K8WR70CaDxhuNguS2XG+GjkyMwOzsN5ZktImfhLA==",
+      "dev": true,
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/object-visit": {
+      "version": "1.0.1",
+      "integrity": "sha1-95xEk68MU3e1n+OdOV5BBC3QRbs=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "isobject": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/object.assign": {
+      "version": "4.1.4",
+      "resolved": "https://registry.npmjs.org/object.assign/-/object.assign-4.1.4.tgz",
+      "integrity": "sha512-1mxKf0e58bvyjSCtKYY4sRe9itRk3PJpquJOjeIkz885CczcI4IvJJDLPS72oowuSh+pBxUFROpX+TU++hxhZQ==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.4",
+        "has-symbols": "^1.0.3",
+        "object-keys": "^1.1.1"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/object.entries": {
+      "version": "1.1.6",
+      "resolved": "https://registry.npmjs.org/object.entries/-/object.entries-1.1.6.tgz",
+      "integrity": "sha512-leTPzo4Zvg3pmbQ3rDK69Rl8GQvIqMWubrkxONG9/ojtFE2rD9fjMKfSI5BxW3osRH1m6VdzmqK8oAY9aT4x5w==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.4",
+        "es-abstract": "^1.20.4"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/object.fromentries": {
+      "version": "2.0.6",
+      "resolved": "https://registry.npmjs.org/object.fromentries/-/object.fromentries-2.0.6.tgz",
+      "integrity": "sha512-VciD13dswC4j1Xt5394WR4MzmAQmlgN72phd/riNp9vtD7tp4QQWJ0R4wvclXcafgcYK8veHRed2W6XeGBvcfg==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.4",
+        "es-abstract": "^1.20.4"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/object.hasown": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/object.hasown/-/object.hasown-1.1.2.tgz",
+      "integrity": "sha512-B5UIT3J1W+WuWIU55h0mjlwaqxiE5vYENJXIXZ4VFe05pNYrkKuK0U/6aFcb0pKywYJh7IhfoqUfKVmrJJHZHw==",
+      "dev": true,
+      "dependencies": {
+        "define-properties": "^1.1.4",
+        "es-abstract": "^1.20.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/object.pick": {
+      "version": "1.3.0",
+      "integrity": "sha1-h6EKxMFpS9Lhy/U1kaZhQftd10c=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "isobject": "^3.0.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/object.values": {
+      "version": "1.1.6",
+      "resolved": "https://registry.npmjs.org/object.values/-/object.values-1.1.6.tgz",
+      "integrity": "sha512-FVVTkD1vENCsAcwNs9k6jea2uHC/X0+JcjG8YA60FN5CMaJmG95wT9jek/xX9nornqGRrBkKtzuAu2wuHpKqvw==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.4",
+        "es-abstract": "^1.20.4"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/once": {
+      "version": "1.4.0",
+      "integrity": "sha1-WDsap3WWHUsROsF9nFC6753Xa9E=",
+      "dev": true,
+      "dependencies": {
+        "wrappy": "1"
+      }
+    },
+    "node_modules/onetime": {
+      "version": "5.1.2",
+      "integrity": "sha512-kbpaSSGJTWdAY5KPVeMOKXSrPtr8C8C7wodJbcsd51jRnmD+GZu8Y0VoU6Dm5Z4vWr0Ig/1NKuWRKf7j5aaYSg==",
+      "dev": true,
+      "dependencies": {
+        "mimic-fn": "^2.1.0"
+      },
+      "engines": {
+        "node": ">=6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/open": {
+      "version": "7.3.0",
+      "integrity": "sha512-mgLwQIx2F/ye9SmbrUkurZCnkoXyXyu9EbHtJZrICjVAJfyMArdHp3KkixGdZx1ZHFPNIwl0DDM1dFFqXbTLZw==",
+      "dev": true,
+      "dependencies": {
+        "is-docker": "^2.0.0",
+        "is-wsl": "^2.1.1"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/optionator": {
+      "version": "0.9.1",
+      "resolved": "https://registry.npmjs.org/optionator/-/optionator-0.9.1.tgz",
+      "integrity": "sha512-74RlY5FCnhq4jRxVUPKDaRwrVNXMqsGsiW6AJw4XK8hmtm10wC0ypZBLw5IIp85NZMr91+qd1RvvENwg7jjRFw==",
+      "dev": true,
+      "dependencies": {
+        "deep-is": "^0.1.3",
+        "fast-levenshtein": "^2.0.6",
+        "levn": "^0.4.1",
+        "prelude-ls": "^1.2.1",
+        "type-check": "^0.4.0",
+        "word-wrap": "^1.2.3"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/os-tmpdir": {
+      "version": "1.0.2",
+      "integrity": "sha1-u+Z0BseaqFxc/sdm/lc0VV36EnQ=",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/p-each-series": {
+      "version": "2.2.0",
+      "integrity": "sha512-ycIL2+1V32th+8scbpTvyHNaHe02z0sjgh91XXjAk+ZeXoPN4Z46DVUnzdso0aX4KckKw0FNNFHdjZ2UsZvxiA==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/p-finally": {
+      "version": "1.0.0",
+      "integrity": "sha1-P7z7FbiZpEEjs0ttzBi3JDNqLK4=",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/p-limit": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-3.1.0.tgz",
+      "integrity": "sha512-TYOanM3wGwNGsZN2cVTYPArw454xnXj5qmWF1bEoAc4+cU/ol7GVh7odevjp1FNHduHc3KZMcFduxU5Xc6uJRQ==",
+      "dev": true,
+      "dependencies": {
+        "yocto-queue": "^0.1.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/p-locate": {
+      "version": "2.0.0",
+      "integrity": "sha1-IKAQOyIqcMj9OcwuWAaA893l7EM=",
+      "dev": true,
+      "dependencies": {
+        "p-limit": "^1.1.0"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/p-locate/node_modules/p-limit": {
+      "version": "1.3.0",
+      "integrity": "sha512-vvcXsLAJ9Dr5rQOPk7toZQZJApBl2K4J6dANSsEuh6QI41JYcsS/qhTGa9ErIUUgK3WNQoJYvylxvjqmiqEA9Q==",
+      "dev": true,
+      "dependencies": {
+        "p-try": "^1.0.0"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/p-locate/node_modules/p-try": {
+      "version": "1.0.0",
+      "integrity": "sha1-y8ec26+P1CKOE/Yh8rGiN8GyB7M=",
+      "dev": true,
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/p-map": {
+      "version": "4.0.0",
+      "integrity": "sha512-/bjOqmgETBYB5BoEeGVea8dmvHb2m9GLy1E9W43yeyfP6QQCZGFNa+XRceJEuDB6zqr+gKpIAmlLebMpykw/MQ==",
+      "dev": true,
+      "dependencies": {
+        "aggregate-error": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/p-try": {
+      "version": "2.2.0",
+      "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ==",
+      "dev": true,
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/parent-module": {
+      "version": "1.0.1",
+      "integrity": "sha512-GQ2EWRpQV8/o+Aw8YqtfZZPfNRWZYkbidE9k5rpl/hC3vtHHBfGm2Ifi6qWV+coDGkrUKZAxE3Lot5kcsRlh+g==",
+      "dev": true,
+      "dependencies": {
+        "callsites": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/parse-entities": {
+      "version": "2.0.0",
+      "integrity": "sha512-kkywGpCcRYhqQIchaWqZ875wzpS/bMKhz5HnN3p7wveJTkTtyAB/AlnS0f8DFSqYW1T82t6yEAkEcB+A1I3MbQ==",
+      "dev": true,
+      "dependencies": {
+        "character-entities": "^1.0.0",
+        "character-entities-legacy": "^1.0.0",
+        "character-reference-invalid": "^1.0.0",
+        "is-alphanumerical": "^1.0.0",
+        "is-decimal": "^1.0.0",
+        "is-hexadecimal": "^1.0.0"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/wooorm"
+      }
+    },
+    "node_modules/parse-json": {
+      "version": "5.2.0",
+      "integrity": "sha512-ayCKvm/phCGxOkYRSCM82iDwct8/EonSEgCSxWxD7ve6jHggsFl4fZVQBPRNgQoKiuV/odhFrGzQXZwbifC8Rg==",
+      "dev": true,
+      "dependencies": {
+        "@babel/code-frame": "^7.0.0",
+        "error-ex": "^1.3.1",
+        "json-parse-even-better-errors": "^2.3.0",
+        "lines-and-columns": "^1.1.6"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/parse5": {
+      "version": "6.0.1",
+      "integrity": "sha512-Ofn/CTFzRGTTxwpNEs9PP93gXShHcTq255nzRYSKe8AkVpZY7e1fpmTfOyoIvjP5HG7Z2ZM7VS9PPhQGW2pOpw==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/pascalcase": {
+      "version": "0.1.1",
+      "integrity": "sha1-s2PlXoAGym/iF4TS2yK9FdeRfxQ=",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/path-exists": {
+      "version": "3.0.0",
+      "integrity": "sha1-zg6+ql94yxiSXqfYENe1mwEP1RU=",
+      "dev": true,
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/path-is-absolute": {
+      "version": "1.0.1",
+      "integrity": "sha1-F0uSaHNVNP+8es5r9TpanhtcX18=",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/path-key": {
+      "version": "3.1.1",
+      "integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/path-parse": {
+      "version": "1.0.7",
+      "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==",
+      "dev": true
+    },
+    "node_modules/path-type": {
+      "version": "4.0.0",
+      "integrity": "sha512-gDKb8aZMDeD/tZWs9P6+q0J9Mwkdl6xMV8TjnGP3qJVJ06bdMgkbBlLU8IdfOsIsFz2BW1rNVT3XuNEl8zPAvw==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/picocolors": {
+      "version": "0.2.1",
+      "integrity": "sha512-cMlDqaLEqfSaW8Z7N5Jw+lyIW869EzT73/F5lhtY9cLGoVxSXznfgfXMO0Z5K0o0Q2TkTXq+0KFsdnSe3jDViA==",
+      "dev": true
+    },
+    "node_modules/picomatch": {
+      "version": "2.3.0",
+      "integrity": "sha512-lY1Q/PiJGC2zOv/z391WOTD+Z02bCgsFfvxoXXf6h7kv9o+WmsmzYqrAwY63sNgOxE4xEdq0WyUnXfKeBrSvYw==",
+      "dev": true,
+      "engines": {
+        "node": ">=8.6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/jonschlinkert"
+      }
+    },
+    "node_modules/pirates": {
+      "version": "4.0.1",
+      "integrity": "sha512-WuNqLTbMI3tmfef2TKxlQmAiLHKtFhlsCZnPIpuv2Ow0RDVO8lfy1Opf4NUzlMXLjPl+Men7AuVdX6TA+s+uGA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "node-modules-regexp": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/pkg-conf": {
+      "version": "2.1.0",
+      "integrity": "sha1-ISZRTKbyq/69FoWW3xi6V4Z/AFg=",
+      "dev": true,
+      "dependencies": {
+        "find-up": "^2.0.0",
+        "load-json-file": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/please-upgrade-node": {
+      "version": "3.2.0",
+      "integrity": "sha512-gQR3WpIgNIKwBMVLkpMUeR3e1/E1y42bqDQZfql+kDeXd8COYfM8PQA4X6y7a8u9Ua9FHmsrrmirW2vHs45hWg==",
+      "dev": true,
+      "dependencies": {
+        "semver-compare": "^1.0.0"
+      }
+    },
+    "node_modules/posix-character-classes": {
+      "version": "0.1.1",
+      "integrity": "sha1-AerA/jta9xoqbAL+q7jB/vfgDqs=",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/postcss": {
+      "version": "8.4.14",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.14.tgz",
+      "integrity": "sha512-E398TUmfAYFPBSdzgeieK2Y1+1cpdxJx8yXbK/m57nRhKSmk1GB2tO4lbLBtlkfPQTDKfe4Xqv1ASWPpayPEig==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/postcss/"
+        },
+        {
+          "type": "tidelift",
+          "url": "https://tidelift.com/funding/github/npm/postcss"
+        }
+      ],
+      "dependencies": {
+        "nanoid": "^3.3.4",
+        "picocolors": "^1.0.0",
+        "source-map-js": "^1.0.2"
+      },
+      "engines": {
+        "node": "^10 || ^12 || >=14"
+      }
+    },
+    "node_modules/postcss-html": {
+      "version": "0.36.0",
+      "integrity": "sha512-HeiOxGcuwID0AFsNAL0ox3mW6MHH5cstWN1Z3Y+n6H+g12ih7LHdYxWwEA/QmrebctLjo79xz9ouK3MroHwOJw==",
+      "dev": true,
+      "dependencies": {
+        "htmlparser2": "^3.10.0"
+      },
+      "peerDependencies": {
+        "postcss": ">=5.0.0",
+        "postcss-syntax": ">=0.36.0"
+      }
+    },
+    "node_modules/postcss-less": {
+      "version": "3.1.4",
+      "integrity": "sha512-7TvleQWNM2QLcHqvudt3VYjULVB49uiW6XzEUFmvwHzvsOEF5MwBrIXZDJQvJNFGjJQTzSzZnDoCJ8h/ljyGXA==",
+      "dev": true,
+      "dependencies": {
+        "postcss": "^7.0.14"
+      },
+      "engines": {
+        "node": ">=6.14.4"
+      }
+    },
+    "node_modules/postcss-less/node_modules/postcss": {
+      "version": "7.0.39",
+      "integrity": "sha512-yioayjNbHn6z1/Bywyb2Y4s3yvDAeXGOyxqD+LnVOinq6Mdmd++SW2wUNVzavyyHxd6+DxzWGIuosg6P1Rj8uA==",
+      "dev": true,
+      "dependencies": {
+        "picocolors": "^0.2.1",
+        "source-map": "^0.6.1"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/postcss/"
+      }
+    },
+    "node_modules/postcss-less/node_modules/source-map": {
+      "version": "0.6.1",
+      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/postcss-media-query-parser": {
+      "version": "0.2.3",
+      "integrity": "sha1-J7Ocb02U+Bsac7j3Y1HGCeXO8kQ=",
+      "dev": true
+    },
+    "node_modules/postcss-resolve-nested-selector": {
+      "version": "0.1.1",
+      "integrity": "sha1-Kcy8fDfe36wwTp//C/FZaz9qDk4=",
+      "dev": true
+    },
+    "node_modules/postcss-safe-parser": {
+      "version": "4.0.2",
+      "integrity": "sha512-Uw6ekxSWNLCPesSv/cmqf2bY/77z11O7jZGPax3ycZMFU/oi2DMH9i89AdHc1tRwFg/arFoEwX0IS3LCUxJh1g==",
+      "dev": true,
+      "dependencies": {
+        "postcss": "^7.0.26"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
+    "node_modules/postcss-safe-parser/node_modules/postcss": {
+      "version": "7.0.39",
+      "integrity": "sha512-yioayjNbHn6z1/Bywyb2Y4s3yvDAeXGOyxqD+LnVOinq6Mdmd++SW2wUNVzavyyHxd6+DxzWGIuosg6P1Rj8uA==",
+      "dev": true,
+      "dependencies": {
+        "picocolors": "^0.2.1",
+        "source-map": "^0.6.1"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/postcss/"
+      }
+    },
+    "node_modules/postcss-safe-parser/node_modules/source-map": {
+      "version": "0.6.1",
+      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/postcss-sass": {
+      "version": "0.4.4",
+      "integrity": "sha512-BYxnVYx4mQooOhr+zer0qWbSPYnarAy8ZT7hAQtbxtgVf8gy+LSLT/hHGe35h14/pZDTw1DsxdbrwxBN++H+fg==",
+      "dev": true,
+      "dependencies": {
+        "gonzales-pe": "^4.3.0",
+        "postcss": "^7.0.21"
+      }
+    },
+    "node_modules/postcss-sass/node_modules/postcss": {
+      "version": "7.0.39",
+      "integrity": "sha512-yioayjNbHn6z1/Bywyb2Y4s3yvDAeXGOyxqD+LnVOinq6Mdmd++SW2wUNVzavyyHxd6+DxzWGIuosg6P1Rj8uA==",
+      "dev": true,
+      "dependencies": {
+        "picocolors": "^0.2.1",
+        "source-map": "^0.6.1"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/postcss/"
+      }
+    },
+    "node_modules/postcss-sass/node_modules/source-map": {
+      "version": "0.6.1",
+      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/postcss-scss": {
+      "version": "2.1.1",
+      "integrity": "sha512-jQmGnj0hSGLd9RscFw9LyuSVAa5Bl1/KBPqG1NQw9w8ND55nY4ZEsdlVuYJvLPpV+y0nwTV5v/4rHPzZRihQbA==",
+      "dev": true,
+      "dependencies": {
+        "postcss": "^7.0.6"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
+    "node_modules/postcss-scss/node_modules/postcss": {
+      "version": "7.0.39",
+      "integrity": "sha512-yioayjNbHn6z1/Bywyb2Y4s3yvDAeXGOyxqD+LnVOinq6Mdmd++SW2wUNVzavyyHxd6+DxzWGIuosg6P1Rj8uA==",
+      "dev": true,
+      "dependencies": {
+        "picocolors": "^0.2.1",
+        "source-map": "^0.6.1"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/postcss/"
+      }
+    },
+    "node_modules/postcss-scss/node_modules/source-map": {
+      "version": "0.6.1",
+      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/postcss-selector-parser": {
+      "version": "6.0.6",
+      "integrity": "sha512-9LXrvaaX3+mcv5xkg5kFwqSzSH1JIObIx51PrndZwlmznwXRfxMddDvo9gve3gVR8ZTKgoFDdWkbRFmEhT4PMg==",
+      "dev": true,
+      "dependencies": {
+        "cssesc": "^3.0.0",
+        "util-deprecate": "^1.0.2"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/postcss-sorting": {
+      "version": "5.0.1",
+      "integrity": "sha512-Y9fUFkIhfrm6i0Ta3n+89j56EFqaNRdUKqXyRp6kvTcSXnmgEjaVowCXH+JBe9+YKWqd4nc28r2sgwnzJalccA==",
+      "dev": true,
+      "dependencies": {
+        "lodash": "^4.17.14",
+        "postcss": "^7.0.17"
+      },
+      "engines": {
+        "node": ">=8.7.0"
+      }
+    },
+    "node_modules/postcss-sorting/node_modules/postcss": {
+      "version": "7.0.39",
+      "integrity": "sha512-yioayjNbHn6z1/Bywyb2Y4s3yvDAeXGOyxqD+LnVOinq6Mdmd++SW2wUNVzavyyHxd6+DxzWGIuosg6P1Rj8uA==",
+      "dev": true,
+      "dependencies": {
+        "picocolors": "^0.2.1",
+        "source-map": "^0.6.1"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/postcss/"
+      }
+    },
+    "node_modules/postcss-sorting/node_modules/source-map": {
+      "version": "0.6.1",
+      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/postcss-syntax": {
+      "version": "0.36.2",
+      "integrity": "sha512-nBRg/i7E3SOHWxF3PpF5WnJM/jQ1YpY9000OaVXlAQj6Zp/kIqJxEDWIZ67tAd7NLuk7zqN4yqe9nc0oNAOs1w==",
+      "dev": true,
+      "peerDependencies": {
+        "postcss": ">=5.0.0"
+      }
+    },
+    "node_modules/postcss-value-parser": {
+      "version": "4.1.0",
+      "integrity": "sha512-97DXOFbQJhk71ne5/Mt6cOu6yxsSfM0QGQyl0L25Gca4yGWEGJaig7l7gbCX623VqTBNGLRLaVUCnNkcedlRSQ==",
+      "dev": true
+    },
+    "node_modules/postcss-values-parser": {
+      "version": "3.2.1",
+      "integrity": "sha512-SQ7/88VE9LhJh9gc27/hqnSU/aZaREVJcRVccXBmajgP2RkjdJzNyH/a9GCVMI5nsRhT0jC5HpUMwfkz81DVVg==",
+      "dev": true,
+      "dependencies": {
+        "color-name": "^1.1.4",
+        "is-url-superb": "^3.0.0",
+        "postcss": "^7.0.5",
+        "url-regex": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=6.14.4"
+      }
+    },
+    "node_modules/postcss-values-parser/node_modules/postcss": {
+      "version": "7.0.39",
+      "integrity": "sha512-yioayjNbHn6z1/Bywyb2Y4s3yvDAeXGOyxqD+LnVOinq6Mdmd++SW2wUNVzavyyHxd6+DxzWGIuosg6P1Rj8uA==",
+      "dev": true,
+      "dependencies": {
+        "picocolors": "^0.2.1",
+        "source-map": "^0.6.1"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/postcss/"
+      }
+    },
+    "node_modules/postcss-values-parser/node_modules/source-map": {
+      "version": "0.6.1",
+      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/postcss/node_modules/picocolors": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.0.0.tgz",
+      "integrity": "sha512-1fygroTLlHu66zi26VoTDv8yRgm0Fccecssto+MhsZ0D/DGW2sm8E8AjW7NU5VVTRt5GxbeZ5qBuJr+HyLYkjQ==",
+      "dev": true
+    },
+    "node_modules/prelude-ls": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/prelude-ls/-/prelude-ls-1.2.1.tgz",
+      "integrity": "sha512-vkcDPrRZo1QZLbn5RLGPpg/WmIQ65qoWWhcGKf/b5eplkkarX0m9z8ppCat4mlOqUsWpyNuYgO3VRyrYHSzX5g==",
+      "dev": true,
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/prettier": {
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/prettier/-/prettier-2.2.1.tgz",
+      "integrity": "sha512-PqyhM2yCjg/oKkFPtTGUojv7gnZAoG80ttl45O6x2Ug/rMJw4wcc9k6aaf2hibP7BGVCCM33gZoGjyvt9mm16Q==",
+      "dev": true,
+      "bin": {
+        "prettier": "bin-prettier.js"
+      },
+      "engines": {
+        "node": ">=10.13.0"
+      }
+    },
+    "node_modules/prettier-linter-helpers": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/prettier-linter-helpers/-/prettier-linter-helpers-1.0.0.tgz",
+      "integrity": "sha512-GbK2cP9nraSSUF9N2XwUwqfzlAFlMNYYl+ShE/V+H8a9uNl/oUqB1w2EL54Jh0OlyRSd8RfWYJ3coVS4TROP2w==",
+      "dev": true,
+      "dependencies": {
+        "fast-diff": "^1.1.2"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
+    "node_modules/pretty-format": {
+      "version": "26.6.2",
+      "integrity": "sha512-7AeGuCYNGmycyQbCqd/3PWH4eOoX/OiCa0uphp57NVTeAGdJGaAliecxwBDHYQCIvrW7aDBZCYeNTP/WX69mkg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@jest/types": "^26.6.2",
+        "ansi-regex": "^5.0.0",
+        "ansi-styles": "^4.0.0",
+        "react-is": "^17.0.1"
+      },
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/pretty-format/node_modules/react-is": {
+      "version": "17.0.2",
+      "integrity": "sha512-w2GsyukL62IJnlaff/nRegPQR94C/XXamvMWmSHRJ4y7Ts/4ocGRmTHvOs8PSE6pB3dWOrD/nueuU5sduBsQ4w==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/prompts": {
+      "version": "2.4.2",
+      "integrity": "sha512-NxNv/kLguCA7p3jE8oL2aEBsrJWgAakBpgmgK6lpPWV+WuOmY6r2/zbAVnP+T8bQlA0nzHXSJSJW0Hq7ylaD2Q==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "kleur": "^3.0.3",
+        "sisteransi": "^1.0.5"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/prop-types": {
+      "version": "15.8.1",
+      "resolved": "https://registry.npmjs.org/prop-types/-/prop-types-15.8.1.tgz",
+      "integrity": "sha512-oj87CgZICdulUohogVAR7AjlC0327U4el4L6eAvOqCeudMDVU0NThNaV+b9Df4dXgSP1gXMTnPdhfe/2qDH5cg==",
+      "dev": true,
+      "dependencies": {
+        "loose-envify": "^1.4.0",
+        "object-assign": "^4.1.1",
+        "react-is": "^16.13.1"
+      }
+    },
+    "node_modules/psl": {
+      "version": "1.8.0",
+      "integrity": "sha512-RIdOzyoavK+hA18OGGWDqUTsCLhtA7IcZ/6NCs4fFJaHBDab+pDDmDIByWFRQJq2Cd7r1OoQxBGKOaztq+hjIQ==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/pump": {
+      "version": "3.0.0",
+      "integrity": "sha512-LwZy+p3SFs1Pytd/jYct4wpv49HiYCqd9Rlc5ZVdk0V+8Yzv6jR5Blk3TRmPL1ft69TxP0IMZGJ+WPFU2BFhww==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "end-of-stream": "^1.1.0",
+        "once": "^1.3.1"
+      }
+    },
+    "node_modules/queue-microtask": {
+      "version": "1.2.3",
+      "integrity": "sha512-NuaNSa6flKT5JaSYQzJok04JzTL1CA6aGhv5rfLW3PgqA+M2ChpZQnAC8h8i4ZFkBS8X5RqkDBHA7r4hej3K9A==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ]
+    },
+    "node_modules/quick-lru": {
+      "version": "4.0.1",
+      "integrity": "sha512-ARhCpm70fzdcvNQfPoy49IaanKkTlRWF2JMzqhcJbhSFRZv7nPTvZJdcY7301IPmvW+/p0RgIWnQDLJxifsQ7g==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/react": {
+      "version": "18.2.0",
+      "resolved": "https://registry.npmjs.org/react/-/react-18.2.0.tgz",
+      "integrity": "sha512-/3IjMdb2L9QbBdWiW5e3P2/npwMBaU9mHCSCUzNln0ZCYbcfTsGbTJrU/kGemdH2IWmB2ioZ+zkxtmq6g09fGQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "loose-envify": "^1.1.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/react-dom": {
+      "version": "18.2.0",
+      "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-18.2.0.tgz",
+      "integrity": "sha512-6IMTriUmvsjHUjNtEDudZfuDQUoWXVxKHhlEGSk81n4YFS+r/Kl99wXiwlVXtPBtJenozv2P+hxDsw9eA7Xo6g==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "loose-envify": "^1.1.0",
+        "scheduler": "^0.23.0"
+      },
+      "peerDependencies": {
+        "react": "^18.2.0"
+      }
+    },
+    "node_modules/react-is": {
+      "version": "16.13.1",
+      "resolved": "https://registry.npmjs.org/react-is/-/react-is-16.13.1.tgz",
+      "integrity": "sha512-24e6ynE2H+OKt4kqsOvNd8kBpV65zoxbA4BVsEOB3ARVWQki/DHzaUoC5KuON/BiccDaCCTZBuOcfZs70kR8bQ==",
+      "dev": true
+    },
+    "node_modules/readable-stream": {
+      "version": "3.6.0",
+      "integrity": "sha512-BViHy7LKeTz4oNnkcLJ+lVSL6vpiFeX6/d3oSH8zCW7UxP2onchk+vTGB143xuFjHS3deTgkKoXXymXqymiIdA==",
+      "dev": true,
+      "dependencies": {
+        "inherits": "^2.0.3",
+        "string_decoder": "^1.1.1",
+        "util-deprecate": "^1.0.1"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/readdirp": {
+      "version": "3.5.0",
+      "integrity": "sha512-cMhu7c/8rdhkHXWsY+osBhfSy0JikwpHK/5+imo+LpeasTF8ouErHrlYkwT0++njiyuDvc7OFY5T3ukvZ8qmFQ==",
+      "dev": true,
+      "dependencies": {
+        "picomatch": "^2.2.1"
+      },
+      "engines": {
+        "node": ">=8.10.0"
+      }
+    },
+    "node_modules/regenerator-runtime": {
+      "version": "0.13.11",
+      "resolved": "https://registry.npmjs.org/regenerator-runtime/-/regenerator-runtime-0.13.11.tgz",
+      "integrity": "sha512-kY1AZVr2Ra+t+piVaJ4gxaFaReZVH40AKNo7UCX6W+dEwBo/2oZJzqfuN1qLq1oL45o56cPaTXELwrTh8Fpggg==",
+      "dev": true
+    },
+    "node_modules/regex-not": {
+      "version": "1.0.2",
+      "integrity": "sha512-J6SDjUgDxQj5NusnOtdFxDwN/+HWykR8GELwctJ7mdqhcyy1xEc4SRFHUXvxTp661YaVKAjfRLZ9cCqS6tn32A==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "extend-shallow": "^3.0.2",
+        "safe-regex": "^1.1.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/regex-not/node_modules/extend-shallow": {
+      "version": "3.0.2",
+      "integrity": "sha1-Jqcarwc7OfshJxcnRhMcJwQCjbg=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "assign-symbols": "^1.0.0",
+        "is-extendable": "^1.0.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/regex-not/node_modules/is-extendable": {
+      "version": "1.0.1",
+      "integrity": "sha512-arnXMxT1hhoKo9k1LZdmlNyJdDDfy2v0fXjFlmok4+i8ul/6WlbVge9bhM74OpNPQPMGUToDtz+KXa1PneJxOA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-plain-object": "^2.0.4"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/regexp.prototype.flags": {
+      "version": "1.4.3",
+      "resolved": "https://registry.npmjs.org/regexp.prototype.flags/-/regexp.prototype.flags-1.4.3.tgz",
+      "integrity": "sha512-fjggEOO3slI6Wvgjwflkc4NFRCTZAu5CnNfBd5qOMYhWdn67nJBBu34/TkD++eeFmd8C9r9jfXJ27+nSiRkSUA==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.3",
+        "functions-have-names": "^1.2.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/regexpp": {
+      "version": "3.2.0",
+      "resolved": "https://registry.npmjs.org/regexpp/-/regexpp-3.2.0.tgz",
+      "integrity": "sha512-pq2bWo9mVD43nbts2wGv17XLiNLya+GklZ8kaDLV2Z08gDCsGpnKn9BFMepvWuHCbyVvY7J5o5+BVvoQbmlJLg==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/mysticatea"
+      }
+    },
+    "node_modules/remark": {
+      "version": "13.0.0",
+      "integrity": "sha512-HDz1+IKGtOyWN+QgBiAT0kn+2s6ovOxHyPAFGKVE81VSzJ+mq7RwHFledEvB5F1p4iJvOah/LOKdFuzvRnNLCA==",
+      "dev": true,
+      "dependencies": {
+        "remark-parse": "^9.0.0",
+        "remark-stringify": "^9.0.0",
+        "unified": "^9.1.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/remark-mdx": {
+      "version": "1.6.22",
+      "resolved": "https://registry.npmjs.org/remark-mdx/-/remark-mdx-1.6.22.tgz",
+      "integrity": "sha512-phMHBJgeV76uyFkH4rvzCftLfKCr2RZuF+/gmVcaKrpsihyzmhXjA0BEMDaPTXG5y8qZOKPVo83NAOX01LPnOQ==",
+      "dev": true,
+      "dependencies": {
+        "@babel/core": "7.12.9",
+        "@babel/helper-plugin-utils": "7.10.4",
+        "@babel/plugin-proposal-object-rest-spread": "7.12.1",
+        "@babel/plugin-syntax-jsx": "7.12.1",
+        "@mdx-js/util": "1.6.22",
+        "is-alphabetical": "1.0.4",
+        "remark-parse": "8.0.3",
+        "unified": "9.2.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/remark-mdx/node_modules/@babel/core": {
+      "version": "7.12.9",
+      "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.12.9.tgz",
+      "integrity": "sha512-gTXYh3M5wb7FRXQy+FErKFAv90BnlOuNn1QkCK2lREoPAjrQCO49+HVSrFoe5uakFAF5eenS75KbO2vQiLrTMQ==",
+      "dev": true,
+      "dependencies": {
+        "@babel/code-frame": "^7.10.4",
+        "@babel/generator": "^7.12.5",
+        "@babel/helper-module-transforms": "^7.12.1",
+        "@babel/helpers": "^7.12.5",
+        "@babel/parser": "^7.12.7",
+        "@babel/template": "^7.12.7",
+        "@babel/traverse": "^7.12.9",
+        "@babel/types": "^7.12.7",
+        "convert-source-map": "^1.7.0",
+        "debug": "^4.1.0",
+        "gensync": "^1.0.0-beta.1",
+        "json5": "^2.1.2",
+        "lodash": "^4.17.19",
+        "resolve": "^1.3.2",
+        "semver": "^5.4.1",
+        "source-map": "^0.5.0"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/babel"
+      }
+    },
+    "node_modules/remark-mdx/node_modules/@babel/helper-plugin-utils": {
+      "version": "7.10.4",
+      "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.10.4.tgz",
+      "integrity": "sha512-O4KCvQA6lLiMU9l2eawBPMf1xPP8xPfB3iEQw150hOVTqj/rfXz0ThTb4HEzqQfs2Bmo5Ay8BzxfzVtBrr9dVg==",
+      "dev": true
+    },
+    "node_modules/remark-mdx/node_modules/semver": {
+      "version": "5.7.1",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.1.tgz",
+      "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ==",
+      "dev": true,
+      "bin": {
+        "semver": "bin/semver"
+      }
+    },
+    "node_modules/remark-parse": {
+      "version": "8.0.3",
+      "resolved": "https://registry.npmjs.org/remark-parse/-/remark-parse-8.0.3.tgz",
+      "integrity": "sha512-E1K9+QLGgggHxCQtLt++uXltxEprmWzNfg+MxpfHsZlrddKzZ/hZyWHDbK3/Ap8HJQqYJRXP+jHczdL6q6i85Q==",
+      "dev": true,
+      "dependencies": {
+        "ccount": "^1.0.0",
+        "collapse-white-space": "^1.0.2",
+        "is-alphabetical": "^1.0.0",
+        "is-decimal": "^1.0.0",
+        "is-whitespace-character": "^1.0.0",
+        "is-word-character": "^1.0.0",
+        "markdown-escapes": "^1.0.0",
+        "parse-entities": "^2.0.0",
+        "repeat-string": "^1.5.4",
+        "state-toggle": "^1.0.0",
+        "trim": "0.0.1",
+        "trim-trailing-lines": "^1.0.0",
+        "unherit": "^1.0.4",
+        "unist-util-remove-position": "^2.0.0",
+        "vfile-location": "^3.0.0",
+        "xtend": "^4.0.1"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/remark-stringify": {
+      "version": "9.0.1",
+      "integrity": "sha512-mWmNg3ZtESvZS8fv5PTvaPckdL4iNlCHTt8/e/8oN08nArHRHjNZMKzA/YW3+p7/lYqIw4nx1XsjCBo/AxNChg==",
+      "dev": true,
+      "dependencies": {
+        "mdast-util-to-markdown": "^0.6.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/remark/node_modules/remark-parse": {
+      "version": "9.0.0",
+      "integrity": "sha512-geKatMwSzEXKHuzBNU1z676sGcDcFoChMK38TgdHJNAYfFtsfHDQG7MoJAjs6sgYMqyLduCYWDIWZIxiPeafEw==",
+      "dev": true,
+      "dependencies": {
+        "mdast-util-from-markdown": "^0.8.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/remove-trailing-separator": {
+      "version": "1.1.0",
+      "integrity": "sha1-wkvOKig62tW8P1jg1IJJuSN52O8=",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/repeat-element": {
+      "version": "1.1.4",
+      "integrity": "sha512-LFiNfRcSu7KK3evMyYOuCzv3L10TW7yC1G2/+StMjK8Y6Vqd2MG7r/Qjw4ghtuCOjFvlnms/iMmLqpvW/ES/WQ==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/repeat-string": {
+      "version": "1.6.1",
+      "integrity": "sha1-jcrkcOHIirwtYA//Sndihtp15jc=",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10"
+      }
+    },
+    "node_modules/require-directory": {
+      "version": "2.1.1",
+      "integrity": "sha1-jGStX9MNqxyXbiNE/+f3kqam30I=",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/require-from-string": {
+      "version": "2.0.2",
+      "integrity": "sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/require-main-filename": {
+      "version": "2.0.0",
+      "integrity": "sha512-NKN5kMDylKuldxYLSUfrbo5Tuzh4hd+2E8NPPX02mZtn1VuREQToYe/ZdlJy+J3uCpfaiGF05e7B8W0iXbQHmg==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/resolve": {
+      "version": "1.20.0",
+      "integrity": "sha512-wENBPt4ySzg4ybFQW2TT1zMQucPK95HSh/nq2CFTZVOGut2+pQvSsgtda4d26YrYcr067wjbmzOG8byDPBX63A==",
+      "dev": true,
+      "dependencies": {
+        "is-core-module": "^2.2.0",
+        "path-parse": "^1.0.6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/resolve-cwd": {
+      "version": "3.0.0",
+      "integrity": "sha512-OrZaX2Mb+rJCpH/6CpSqt9xFVpN++x01XnN2ie9g6P5/3xelLAkXWVADpdz1IHD/KFfEXyE6V0U01OQ3UO2rEg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "resolve-from": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/resolve-cwd/node_modules/resolve-from": {
+      "version": "5.0.0",
+      "integrity": "sha512-qYg9KP24dD5qka9J47d0aVky0N+b4fTU89LN9iDnjB5waksiC49rvMB0PrUJQGoTmH50XPiqOvAjDfaijGxYZw==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/resolve-from": {
+      "version": "4.0.0",
+      "integrity": "sha512-pb/MYmXstAkysRFx8piNI1tGFNQIFA3vkE3Gq4EuA1dF6gHp/+vgZqsCGJapvy8N3Q+4o7FwvquPJcnZ7RYy4g==",
+      "dev": true,
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/resolve-url": {
+      "version": "0.2.1",
+      "integrity": "sha1-LGN/53yJOv0qZj/iGqkIAGjiBSo=",
+      "deprecated": "https://github.com/lydell/resolve-url#deprecated",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/restore-cursor": {
+      "version": "3.1.0",
+      "integrity": "sha512-l+sSefzHpj5qimhFSE5a8nufZYAM3sBSVMAPtYkmC+4EH2anSGaEMXSD0izRQbu9nfyQ9y5JrVmp7E8oZrUjvA==",
+      "dev": true,
+      "dependencies": {
+        "onetime": "^5.1.0",
+        "signal-exit": "^3.0.2"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/ret": {
+      "version": "0.1.15",
+      "integrity": "sha512-TTlYpa+OL+vMMNG24xSlQGEJ3B/RzEfUlLct7b5G/ytav+wPrplCpVMFuwzXbkecJrb6IYo1iFb0S9v37754mg==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.12"
+      }
+    },
+    "node_modules/reusify": {
+      "version": "1.0.4",
+      "integrity": "sha512-U9nH88a3fc/ekCF1l0/UP1IosiuIjyTh7hBvXVMHYgVcfGvt897Xguj2UOLDeI5BG2m7/uwyaLVT6fbtCwTyzw==",
+      "dev": true,
+      "engines": {
+        "iojs": ">=1.0.0",
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/rimraf": {
+      "version": "3.0.2",
+      "integrity": "sha512-JZkJMZkAGFFPP2YqXZXPbMlMBgsxzE8ILs4lMIX/2o0L9UBw9O/Y3o6wFw/i9YLapcUJWwqbi3kdxIPdC62TIA==",
+      "dev": true,
+      "dependencies": {
+        "glob": "^7.1.3"
+      },
+      "bin": {
+        "rimraf": "bin.js"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
+    "node_modules/rivet-graphql": {
+      "version": "0.3.1",
+      "integrity": "sha512-HEov02XhZ6H1jOME+mO8CZwliu/UtgZSHixYUwvQ7HSx3gk8EOVaQY5c3zscOYjZECvP8cR4+1Ob3KHWJRWEMw==",
+      "dev": true,
+      "dependencies": {
+        "graphql": "^15.3.0",
+        "graphql-request": "^3.0.0"
+      }
+    },
+    "node_modules/rsvp": {
+      "version": "4.8.5",
+      "integrity": "sha512-nfMOlASu9OnRJo1mbEk2cz0D56a1MBNrJ7orjRZQG10XDyuvwksKbuXNp6qa+kbn839HwjwhBzhFmdsaEAfauA==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": "6.* || >= 7.*"
+      }
+    },
+    "node_modules/run-async": {
+      "version": "2.4.1",
+      "integrity": "sha512-tvVnVv01b8c1RrA6Ep7JkStj85Guv/YrMcwqYQnwjsAS2cTmmPGBBjAjpCW7RrSodNSoE2/qg9O4bceNvUuDgQ==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.12.0"
+      }
+    },
+    "node_modules/run-parallel": {
+      "version": "1.2.0",
+      "integrity": "sha512-5l4VyZR86LZ/lDxZTR6jqL8AFE2S0IFLMP26AbjsLVADxHdhB/c0GUsH+y39UfCi3dzz8OlQuPmnaJOMoDHQBA==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ],
+      "dependencies": {
+        "queue-microtask": "^1.2.2"
+      }
+    },
+    "node_modules/rxjs": {
+      "version": "6.6.7",
+      "resolved": "https://registry.npmjs.org/rxjs/-/rxjs-6.6.7.tgz",
+      "integrity": "sha512-hTdwr+7yYNIT5n4AMYp85KA6yw2Va0FLa3Rguvbpa4W3I5xynaBZo41cM3XM+4Q6fRMj3sBYIR1VAmZMXYJvRQ==",
+      "dev": true,
+      "dependencies": {
+        "tslib": "^1.9.0"
+      },
+      "engines": {
+        "npm": ">=2.0.0"
+      }
+    },
+    "node_modules/rxjs/node_modules/tslib": {
+      "version": "1.14.1",
+      "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz",
+      "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg==",
+      "dev": true
+    },
+    "node_modules/safe-buffer": {
+      "version": "5.1.2",
+      "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==",
+      "dev": true
+    },
+    "node_modules/safe-regex": {
+      "version": "1.1.0",
+      "integrity": "sha1-QKNmnzsHfR6UPURinhV91IAjvy4=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "ret": "~0.1.10"
+      }
+    },
+    "node_modules/safe-regex-test": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/safe-regex-test/-/safe-regex-test-1.0.0.tgz",
+      "integrity": "sha512-JBUUzyOgEwXQY1NuPtvcj/qcBDbDmEvWufhlnXZIm75DEHp+afM1r1ujJpJsV/gSM4t59tpDyPi1sd6ZaPFfsA==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2",
+        "get-intrinsic": "^1.1.3",
+        "is-regex": "^1.1.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/safer-buffer": {
+      "version": "2.1.2",
+      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==",
+      "dev": true
+    },
+    "node_modules/sane": {
+      "version": "4.1.0",
+      "integrity": "sha512-hhbzAgTIX8O7SHfp2c8/kREfEn4qO/9q8C9beyY6+tvZ87EpoZ3i1RIEvp27YBswnNbY9mWd6paKVmKbAgLfZA==",
+      "deprecated": "some dependency vulnerabilities fixed, support for node < 10 dropped, and newer ECMAScript syntax/features added",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@cnakazawa/watch": "^1.0.3",
+        "anymatch": "^2.0.0",
+        "capture-exit": "^2.0.0",
+        "exec-sh": "^0.3.2",
+        "execa": "^1.0.0",
+        "fb-watchman": "^2.0.0",
+        "micromatch": "^3.1.4",
+        "minimist": "^1.1.1",
+        "walker": "~1.0.5"
+      },
+      "bin": {
+        "sane": "src/cli.js"
+      },
+      "engines": {
+        "node": "6.* || 8.* || >= 10.*"
+      }
+    },
+    "node_modules/sane/node_modules/anymatch": {
+      "version": "2.0.0",
+      "integrity": "sha512-5teOsQWABXHHBFP9y3skS5P3d/WfWXpv3FUpy+LorMrNYaT9pI4oLMQX7jzQ2KklNpGpWHzdCXTDT2Y3XGlZBw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "micromatch": "^3.1.4",
+        "normalize-path": "^2.1.1"
+      }
+    },
+    "node_modules/sane/node_modules/braces": {
+      "version": "2.3.2",
+      "integrity": "sha512-aNdbnj9P8PjdXU4ybaWLK2IF3jc/EoDYbC7AazW6to3TRsfXxscC9UXOB5iDiEQrkyIbWp2SLQda4+QAa7nc3w==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "arr-flatten": "^1.1.0",
+        "array-unique": "^0.3.2",
+        "extend-shallow": "^2.0.1",
+        "fill-range": "^4.0.0",
+        "isobject": "^3.0.1",
+        "repeat-element": "^1.1.2",
+        "snapdragon": "^0.8.1",
+        "snapdragon-node": "^2.0.1",
+        "split-string": "^3.0.2",
+        "to-regex": "^3.0.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/sane/node_modules/cross-spawn": {
+      "version": "6.0.5",
+      "integrity": "sha512-eTVLrBSt7fjbDygz805pMnstIs2VTBNkRm0qxZd+M7A5XDdxVRWO5MxGBXZhjY4cqLYLdtrGqRf8mBPmzwSpWQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "nice-try": "^1.0.4",
+        "path-key": "^2.0.1",
+        "semver": "^5.5.0",
+        "shebang-command": "^1.2.0",
+        "which": "^1.2.9"
+      },
+      "engines": {
+        "node": ">=4.8"
+      }
+    },
+    "node_modules/sane/node_modules/execa": {
+      "version": "1.0.0",
+      "integrity": "sha512-adbxcyWV46qiHyvSp50TKt05tB4tK3HcmF7/nxfAdhnox83seTDbwnaqKO4sXRy7roHAIFqJP/Rw/AuEbX61LA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "cross-spawn": "^6.0.0",
+        "get-stream": "^4.0.0",
+        "is-stream": "^1.1.0",
+        "npm-run-path": "^2.0.0",
+        "p-finally": "^1.0.0",
+        "signal-exit": "^3.0.0",
+        "strip-eof": "^1.0.0"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/sane/node_modules/fill-range": {
+      "version": "4.0.0",
+      "integrity": "sha1-1USBHUKPmOsGpj3EAtJAPDKMOPc=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "extend-shallow": "^2.0.1",
+        "is-number": "^3.0.0",
+        "repeat-string": "^1.6.1",
+        "to-regex-range": "^2.1.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/sane/node_modules/get-stream": {
+      "version": "4.1.0",
+      "integrity": "sha512-GMat4EJ5161kIy2HevLlr4luNjBgvmj413KaQA7jt4V8B4RDsfpHk7WQ9GVqfYyyx8OS/L66Kox+rJRNklLK7w==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "pump": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/sane/node_modules/is-buffer": {
+      "version": "1.1.6",
+      "integrity": "sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/sane/node_modules/is-extendable": {
+      "version": "1.0.1",
+      "integrity": "sha512-arnXMxT1hhoKo9k1LZdmlNyJdDDfy2v0fXjFlmok4+i8ul/6WlbVge9bhM74OpNPQPMGUToDtz+KXa1PneJxOA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-plain-object": "^2.0.4"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/sane/node_modules/is-number": {
+      "version": "3.0.0",
+      "integrity": "sha1-JP1iAaR4LPUFYcgQJ2r8fRLXEZU=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "kind-of": "^3.0.2"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/sane/node_modules/is-number/node_modules/kind-of": {
+      "version": "3.2.2",
+      "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-buffer": "^1.1.5"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/sane/node_modules/is-stream": {
+      "version": "1.1.0",
+      "integrity": "sha1-EtSj3U5o4Lec6428hBc66A2RykQ=",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/sane/node_modules/micromatch": {
+      "version": "3.1.10",
+      "integrity": "sha512-MWikgl9n9M3w+bpsY3He8L+w9eF9338xRl8IAO5viDizwSzziFEyUzo2xrrloB64ADbTf8uA8vRqqttDTOmccg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "arr-diff": "^4.0.0",
+        "array-unique": "^0.3.2",
+        "braces": "^2.3.1",
+        "define-property": "^2.0.2",
+        "extend-shallow": "^3.0.2",
+        "extglob": "^2.0.4",
+        "fragment-cache": "^0.2.1",
+        "kind-of": "^6.0.2",
+        "nanomatch": "^1.2.9",
+        "object.pick": "^1.3.0",
+        "regex-not": "^1.0.0",
+        "snapdragon": "^0.8.1",
+        "to-regex": "^3.0.2"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/sane/node_modules/micromatch/node_modules/extend-shallow": {
+      "version": "3.0.2",
+      "integrity": "sha1-Jqcarwc7OfshJxcnRhMcJwQCjbg=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "assign-symbols": "^1.0.0",
+        "is-extendable": "^1.0.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/sane/node_modules/normalize-path": {
+      "version": "2.1.1",
+      "integrity": "sha1-GrKLVW4Zg2Oowab35vogE3/mrtk=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "remove-trailing-separator": "^1.0.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/sane/node_modules/npm-run-path": {
+      "version": "2.0.2",
+      "integrity": "sha1-NakjLfo11wZ7TLLd8jV7GHFTbF8=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "path-key": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/sane/node_modules/path-key": {
+      "version": "2.0.1",
+      "integrity": "sha1-QRyttXTFoUDTpLGRDUDYDMn0C0A=",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/sane/node_modules/semver": {
+      "version": "5.7.1",
+      "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ==",
+      "dev": true,
+      "peer": true,
+      "bin": {
+        "semver": "bin/semver"
+      }
+    },
+    "node_modules/sane/node_modules/shebang-command": {
+      "version": "1.2.0",
+      "integrity": "sha1-RKrGW2lbAzmJaMOfNj/uXer98eo=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "shebang-regex": "^1.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/sane/node_modules/shebang-regex": {
+      "version": "1.0.0",
+      "integrity": "sha1-2kL0l0DAtC2yypcoVxyxkMmO/qM=",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/sane/node_modules/to-regex-range": {
+      "version": "2.1.1",
+      "integrity": "sha1-fIDBe53+vlmeJzZ+DU3VWQFB2zg=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-number": "^3.0.0",
+        "repeat-string": "^1.6.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/sane/node_modules/which": {
+      "version": "1.3.1",
+      "integrity": "sha512-HxJdYWq1MTIQbJ3nw0cqssHoTNU267KlrDuGZ1WYlxDStUtKUhOaJmh112/TZmHxxUfuJqPXSOm7tDyas0OSIQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "isexe": "^2.0.0"
+      },
+      "bin": {
+        "which": "bin/which"
+      }
+    },
+    "node_modules/saxes": {
+      "version": "5.0.1",
+      "integrity": "sha512-5LBh1Tls8c9xgGjw3QrMwETmTMVk0oFgvrFSvWx62llR2hcEInrKNZ2GZCCuuy2lvWrdl5jhbpeqc5hRYKFOcw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "xmlchars": "^2.2.0"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/scheduler": {
+      "version": "0.23.0",
+      "resolved": "https://registry.npmjs.org/scheduler/-/scheduler-0.23.0.tgz",
+      "integrity": "sha512-CtuThmgHNg7zIZWAXi3AsyIzA3n4xx7aNyjwC2VJldO2LMVDhFK+63xGqq6CsJH4rTAt6/M+N4GhZiDYPx9eUw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "loose-envify": "^1.1.0"
+      }
+    },
+    "node_modules/semver": {
+      "version": "7.3.5",
+      "integrity": "sha512-PoeGJYh8HK4BTO/a9Tf6ZG3veo/A7ZVsYrSA6J8ny9nb3B1VrpkuN+z9OE5wfE5p6H4LchYZsegiQgbJD94ZFQ==",
+      "dev": true,
+      "dependencies": {
+        "lru-cache": "^6.0.0"
+      },
+      "bin": {
+        "semver": "bin/semver.js"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/semver-compare": {
+      "version": "1.0.0",
+      "integrity": "sha1-De4hahyUGrN+nvsXiPavxf9VN/w=",
+      "dev": true
+    },
+    "node_modules/set-blocking": {
+      "version": "2.0.0",
+      "integrity": "sha1-BF+XgtARrppoA93TgrJDkrPYkPc=",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/set-value": {
+      "version": "2.0.1",
+      "integrity": "sha512-JxHc1weCN68wRY0fhCoXpyK55m/XPHafOmK4UWD7m2CI14GMcFypt4w/0+NV5f/ZMby2F6S2wwA7fgynh9gWSw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "extend-shallow": "^2.0.1",
+        "is-extendable": "^0.1.1",
+        "is-plain-object": "^2.0.3",
+        "split-string": "^3.0.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/shebang-command": {
+      "version": "2.0.0",
+      "integrity": "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==",
+      "dev": true,
+      "dependencies": {
+        "shebang-regex": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/shebang-regex": {
+      "version": "3.0.0",
+      "integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/shellwords": {
+      "version": "0.1.1",
+      "integrity": "sha512-vFwSUfQvqybiICwZY5+DAWIPLKsWO31Q91JSKl3UYv+K5c2QRPzn0qzec6QPu1Qc9eHYItiP3NdJqNVqetYAww==",
+      "dev": true,
+      "optional": true,
+      "peer": true
+    },
+    "node_modules/side-channel": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.0.4.tgz",
+      "integrity": "sha512-q5XPytqFEIKHkGdiMIrY10mvLRvnQh42/+GoBlFW3b2LXLE2xxJpZFdm94we0BaoV3RwJyGqg5wS7epxTv0Zvw==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.0",
+        "get-intrinsic": "^1.0.2",
+        "object-inspect": "^1.9.0"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/signal-exit": {
+      "version": "3.0.5",
+      "integrity": "sha512-KWcOiKeQj6ZyXx7zq4YxSMgHRlod4czeBQZrPb8OKcohcqAXShm7E20kEMle9WBt26hFcAf0qLOcp5zmY7kOqQ==",
+      "dev": true
+    },
+    "node_modules/signale": {
+      "version": "1.4.0",
+      "integrity": "sha512-iuh+gPf28RkltuJC7W5MRi6XAjTDCAPC/prJUpQoG4vIP3MJZ+GTydVnodXA7pwvTKb2cA0m9OFZW/cdWy/I/w==",
+      "dev": true,
+      "dependencies": {
+        "chalk": "^2.3.2",
+        "figures": "^2.0.0",
+        "pkg-conf": "^2.1.0"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/signale/node_modules/ansi-styles": {
+      "version": "3.2.1",
+      "integrity": "sha512-VT0ZI6kZRdTh8YyJw3SMbYm/u+NqfsAxEpWO0Pf9sq8/e94WxxOpPKx9FR1FlyCtOVDNOQ+8ntlqFxiRc+r5qA==",
+      "dev": true,
+      "dependencies": {
+        "color-convert": "^1.9.0"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/signale/node_modules/chalk": {
+      "version": "2.4.2",
+      "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+      "dev": true,
+      "dependencies": {
+        "ansi-styles": "^3.2.1",
+        "escape-string-regexp": "^1.0.5",
+        "supports-color": "^5.3.0"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/signale/node_modules/color-convert": {
+      "version": "1.9.3",
+      "integrity": "sha512-QfAUtd+vFdAtFQcC8CCyYt1fYWxSqAiK2cSD6zDB8N3cpsEBAvRxp9zOGg6G/SHHJYAT88/az/IuDGALsNVbGg==",
+      "dev": true,
+      "dependencies": {
+        "color-name": "1.1.3"
+      }
+    },
+    "node_modules/signale/node_modules/color-name": {
+      "version": "1.1.3",
+      "integrity": "sha1-p9BVi9icQveV3UIyj3QIMcpTvCU=",
+      "dev": true
+    },
+    "node_modules/signale/node_modules/figures": {
+      "version": "2.0.0",
+      "integrity": "sha1-OrGi0qYsi/tDGgyUy3l6L84nyWI=",
+      "dev": true,
+      "dependencies": {
+        "escape-string-regexp": "^1.0.5"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/signale/node_modules/has-flag": {
+      "version": "3.0.0",
+      "integrity": "sha1-tdRU3CGZriJWmfNGfloH87lVuv0=",
+      "dev": true,
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/signale/node_modules/supports-color": {
+      "version": "5.5.0",
+      "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+      "dev": true,
+      "dependencies": {
+        "has-flag": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/simple-git-hooks": {
+      "version": "2.6.1",
+      "integrity": "sha512-nvqaNfgvcjN3cGSYJSdjwB+tP8YKRCyvuUvQ24luIjIpGhUCPpZDTJ+p+hcJiwc0lZlTCl0NayfBVDoIMG7Jpg==",
+      "dev": true,
+      "hasInstallScript": true,
+      "bin": {
+        "simple-git-hooks": "cli.js"
+      }
+    },
+    "node_modules/sisteransi": {
+      "version": "1.0.5",
+      "integrity": "sha512-bLGGlR1QxBcynn2d5YmDX4MGjlZvy2MRBDRNHLJ8VI6l6+9FUiyTFNJ0IveOSP0bcXgVDPRcfGqA0pjaqUpfVg==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/slash": {
+      "version": "3.0.0",
+      "integrity": "sha512-g9Q1haeby36OSStwb4ntCGGGaKsaVSjQ68fBxoQcutl5fS1vuY18H3wSt3jFyFtrkx+Kz0V1G85A4MyAdDMi2Q==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/slice-ansi": {
+      "version": "3.0.0",
+      "integrity": "sha512-pSyv7bSTC7ig9Dcgbw9AuRNUb5k5V6oDudjZoMBSr13qpLBG7tB+zgCkARjq7xIUgdz5P1Qe8u+rSGdouOOIyQ==",
+      "dev": true,
+      "dependencies": {
+        "ansi-styles": "^4.0.0",
+        "astral-regex": "^2.0.0",
+        "is-fullwidth-code-point": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/slugify": {
+      "version": "1.4.6",
+      "integrity": "sha512-ZdJIgv9gdrYwhXqxsH9pv7nXxjUEyQ6nqhngRxoAAOlmMGA28FDq5O4/5US4G2/Nod7d1ovNcgURQJ7kHq50KQ==",
+      "dev": true,
+      "engines": {
+        "node": ">=8.0.0"
+      }
+    },
+    "node_modules/snapdragon": {
+      "version": "0.8.2",
+      "integrity": "sha512-FtyOnWN/wCHTVXOMwvSv26d+ko5vWlIDD6zoUJ7LW8vh+ZBC8QdljveRP+crNrtBwioEUWy/4dMtbBjA4ioNlg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "base": "^0.11.1",
+        "debug": "^2.2.0",
+        "define-property": "^0.2.5",
+        "extend-shallow": "^2.0.1",
+        "map-cache": "^0.2.2",
+        "source-map": "^0.5.6",
+        "source-map-resolve": "^0.5.0",
+        "use": "^3.1.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/snapdragon-node": {
+      "version": "2.1.1",
+      "integrity": "sha512-O27l4xaMYt/RSQ5TR3vpWCAB5Kb/czIcqUFOM/C4fYcLnbZUc1PkjTAMjof2pBWaSTwOUd6qUHcFGVGj7aIwnw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "define-property": "^1.0.0",
+        "isobject": "^3.0.0",
+        "snapdragon-util": "^3.0.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/snapdragon-node/node_modules/define-property": {
+      "version": "1.0.0",
+      "integrity": "sha1-dp66rz9KY6rTr56NMEybvnm/sOY=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-descriptor": "^1.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/snapdragon-util": {
+      "version": "3.0.1",
+      "integrity": "sha512-mbKkMdQKsjX4BAL4bRYTj21edOf8cN7XHdYUJEe+Zn99hVEYcMvKPct1IqNe7+AZPirn8BCDOQBHQZknqmKlZQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "kind-of": "^3.2.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/snapdragon-util/node_modules/is-buffer": {
+      "version": "1.1.6",
+      "integrity": "sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/snapdragon-util/node_modules/kind-of": {
+      "version": "3.2.2",
+      "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-buffer": "^1.1.5"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/snapdragon/node_modules/debug": {
+      "version": "2.6.9",
+      "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "ms": "2.0.0"
+      }
+    },
+    "node_modules/snapdragon/node_modules/define-property": {
+      "version": "0.2.5",
+      "integrity": "sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-descriptor": "^0.1.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/snapdragon/node_modules/is-accessor-descriptor": {
+      "version": "0.1.6",
+      "integrity": "sha1-qeEss66Nh2cn7u84Q/igiXtcmNY=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "kind-of": "^3.0.2"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/snapdragon/node_modules/is-accessor-descriptor/node_modules/kind-of": {
+      "version": "3.2.2",
+      "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-buffer": "^1.1.5"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/snapdragon/node_modules/is-buffer": {
+      "version": "1.1.6",
+      "integrity": "sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/snapdragon/node_modules/is-data-descriptor": {
+      "version": "0.1.4",
+      "integrity": "sha1-C17mSDiOLIYCgueT8YVv7D8wG1Y=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "kind-of": "^3.0.2"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/snapdragon/node_modules/is-data-descriptor/node_modules/kind-of": {
+      "version": "3.2.2",
+      "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-buffer": "^1.1.5"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/snapdragon/node_modules/is-descriptor": {
+      "version": "0.1.6",
+      "integrity": "sha512-avDYr0SB3DwO9zsMov0gKCESFYqCnE4hq/4z3TdUlukEy5t9C0YRq7HLrsN52NAcqXKaepeCD0n+B0arnVG3Hg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-accessor-descriptor": "^0.1.6",
+        "is-data-descriptor": "^0.1.4",
+        "kind-of": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/snapdragon/node_modules/kind-of": {
+      "version": "5.1.0",
+      "integrity": "sha512-NGEErnH6F2vUuXDh+OlbcKW7/wOcfdRHaZ7VWtqCztfHri/++YKmP51OdWeGPuqCOba6kk2OTe5d02VmTB80Pw==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/snapdragon/node_modules/ms": {
+      "version": "2.0.0",
+      "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/source-map": {
+      "version": "0.5.7",
+      "integrity": "sha1-igOdLRAh0i0eoUyA2OpGi6LvP8w=",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/source-map-js": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.0.2.tgz",
+      "integrity": "sha512-R0XvVJ9WusLiqTCEiGCmICCMplcCkIwwR11mOSD9CR5u+IXYdiseeEuXCVAjS54zqwkLcPNnmU4OeJ6tUrWhDw==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/source-map-resolve": {
+      "version": "0.5.3",
+      "integrity": "sha512-Htz+RnsXWk5+P2slx5Jh3Q66vhQj1Cllm0zvnaY98+NFx+Dv2CF/f5O/t8x+KaNdrdIAsruNzoh/KpialbqAnw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "atob": "^2.1.2",
+        "decode-uri-component": "^0.2.0",
+        "resolve-url": "^0.2.1",
+        "source-map-url": "^0.4.0",
+        "urix": "^0.1.0"
+      }
+    },
+    "node_modules/source-map-support": {
+      "version": "0.5.20",
+      "integrity": "sha512-n1lZZ8Ve4ksRqizaBQgxXDgKwttHDhyfQjA6YZZn8+AroHbsIz+JjwxQDxbp+7y5OYCI8t1Yk7etjD9CRd2hIw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "buffer-from": "^1.0.0",
+        "source-map": "^0.6.0"
+      }
+    },
+    "node_modules/source-map-support/node_modules/source-map": {
+      "version": "0.6.1",
+      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/source-map-url": {
+      "version": "0.4.1",
+      "integrity": "sha512-cPiFOTLUKvJFIg4SKVScy4ilPPW6rFgMgfuZJPNoDuMs3nC1HbMUycBoJw77xFIp6z1UJQJOfx6C9GMH80DiTw==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/spdx-correct": {
+      "version": "3.1.1",
+      "integrity": "sha512-cOYcUWwhCuHCXi49RhFRCyJEK3iPj1Ziz9DpViV3tbZOwXD49QzIN3MpOLJNxh2qwq2lJJZaKMVw9qNi4jTC0w==",
+      "dev": true,
+      "dependencies": {
+        "spdx-expression-parse": "^3.0.0",
+        "spdx-license-ids": "^3.0.0"
+      }
+    },
+    "node_modules/spdx-exceptions": {
+      "version": "2.3.0",
+      "integrity": "sha512-/tTrYOC7PPI1nUAgx34hUpqXuyJG+DTHJTnIULG4rDygi4xu/tfgmq1e1cIRwRzwZgo4NLySi+ricLkZkw4i5A==",
+      "dev": true
+    },
+    "node_modules/spdx-expression-parse": {
+      "version": "3.0.1",
+      "integrity": "sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==",
+      "dev": true,
+      "dependencies": {
+        "spdx-exceptions": "^2.1.0",
+        "spdx-license-ids": "^3.0.0"
+      }
+    },
+    "node_modules/spdx-license-ids": {
+      "version": "3.0.10",
+      "integrity": "sha512-oie3/+gKf7QtpitB0LYLETe+k8SifzsX4KixvpOsbI6S0kRiRQ5MKOio8eMSAKQ17N06+wdEOXRiId+zOxo0hA==",
+      "dev": true
+    },
+    "node_modules/specificity": {
+      "version": "0.4.1",
+      "integrity": "sha512-1klA3Gi5PD1Wv9Q0wUoOQN1IWAuPu0D1U03ThXTr0cJ20+/iq2tHSDnK7Kk/0LXJ1ztUB2/1Os0wKmfyNgUQfg==",
+      "dev": true,
+      "bin": {
+        "specificity": "bin/specificity"
+      }
+    },
+    "node_modules/split-string": {
+      "version": "3.1.0",
+      "integrity": "sha512-NzNVhJDYpwceVVii8/Hu6DKfD2G+NrQHlS/V/qgv763EYudVwEcMQNxd2lh+0VrUByXN/oJkl5grOhYWvQUYiw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "extend-shallow": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/split-string/node_modules/extend-shallow": {
+      "version": "3.0.2",
+      "integrity": "sha1-Jqcarwc7OfshJxcnRhMcJwQCjbg=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "assign-symbols": "^1.0.0",
+        "is-extendable": "^1.0.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/split-string/node_modules/is-extendable": {
+      "version": "1.0.1",
+      "integrity": "sha512-arnXMxT1hhoKo9k1LZdmlNyJdDDfy2v0fXjFlmok4+i8ul/6WlbVge9bhM74OpNPQPMGUToDtz+KXa1PneJxOA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-plain-object": "^2.0.4"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/sprintf-js": {
+      "version": "1.0.3",
+      "integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/stack-utils": {
+      "version": "2.0.5",
+      "integrity": "sha512-xrQcmYhOsn/1kX+Vraq+7j4oE2j/6BFscZ0etmYg81xuM8Gq0022Pxb8+IqgOFUIaxHs0KaSb7T1+OegiNrNFA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "escape-string-regexp": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/stack-utils/node_modules/escape-string-regexp": {
+      "version": "2.0.0",
+      "integrity": "sha512-UpzcLCXolUWcNu5HtVMHYdXJjArjsF9C0aNnquZYY4uW/Vu0miy5YoWvbV345HauVvcAUnpRuhMMcqTcGOY2+w==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/state-toggle": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/state-toggle/-/state-toggle-1.0.3.tgz",
+      "integrity": "sha512-d/5Z4/2iiCnHw6Xzghyhb+GcmF89bxwgXG60wjIiZaxnymbyOmI8Hk4VqHXiVVp6u2ysaskFfXg3ekCj4WNftQ==",
+      "dev": true,
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/wooorm"
+      }
+    },
+    "node_modules/static-extend": {
+      "version": "0.1.2",
+      "integrity": "sha1-YICcOcv/VTNyJv1eC1IPNB8ftcY=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "define-property": "^0.2.5",
+        "object-copy": "^0.1.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/static-extend/node_modules/define-property": {
+      "version": "0.2.5",
+      "integrity": "sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-descriptor": "^0.1.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/static-extend/node_modules/is-accessor-descriptor": {
+      "version": "0.1.6",
+      "integrity": "sha1-qeEss66Nh2cn7u84Q/igiXtcmNY=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "kind-of": "^3.0.2"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/static-extend/node_modules/is-accessor-descriptor/node_modules/kind-of": {
+      "version": "3.2.2",
+      "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-buffer": "^1.1.5"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/static-extend/node_modules/is-buffer": {
+      "version": "1.1.6",
+      "integrity": "sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/static-extend/node_modules/is-data-descriptor": {
+      "version": "0.1.4",
+      "integrity": "sha1-C17mSDiOLIYCgueT8YVv7D8wG1Y=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "kind-of": "^3.0.2"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/static-extend/node_modules/is-data-descriptor/node_modules/kind-of": {
+      "version": "3.2.2",
+      "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-buffer": "^1.1.5"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/static-extend/node_modules/is-descriptor": {
+      "version": "0.1.6",
+      "integrity": "sha512-avDYr0SB3DwO9zsMov0gKCESFYqCnE4hq/4z3TdUlukEy5t9C0YRq7HLrsN52NAcqXKaepeCD0n+B0arnVG3Hg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-accessor-descriptor": "^0.1.6",
+        "is-data-descriptor": "^0.1.4",
+        "kind-of": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/static-extend/node_modules/kind-of": {
+      "version": "5.1.0",
+      "integrity": "sha512-NGEErnH6F2vUuXDh+OlbcKW7/wOcfdRHaZ7VWtqCztfHri/++YKmP51OdWeGPuqCOba6kk2OTe5d02VmTB80Pw==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/stop-iteration-iterator": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/stop-iteration-iterator/-/stop-iteration-iterator-1.0.0.tgz",
+      "integrity": "sha512-iCGQj+0l0HOdZ2AEeBADlsRC+vsnDsZsbdSiH1yNSjcfKM7fdpCMfqAL/dwF5BLiw/XhRft/Wax6zQbhq2BcjQ==",
+      "dev": true,
+      "dependencies": {
+        "internal-slot": "^1.0.4"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/string_decoder": {
+      "version": "1.3.0",
+      "integrity": "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==",
+      "dev": true,
+      "dependencies": {
+        "safe-buffer": "~5.2.0"
+      }
+    },
+    "node_modules/string_decoder/node_modules/safe-buffer": {
+      "version": "5.2.1",
+      "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ]
+    },
+    "node_modules/string-argv": {
+      "version": "0.3.1",
+      "integrity": "sha512-a1uQGz7IyVy9YwhqjZIZu1c8JO8dNIe20xBmSS6qu9kv++k3JGzCVmprbNN5Kn+BgzD5E7YYwg1CcjuJMRNsvg==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.6.19"
+      }
+    },
+    "node_modules/string-length": {
+      "version": "4.0.2",
+      "integrity": "sha512-+l6rNN5fYHNhZZy41RXsYptCjA2Igmq4EG7kZAYFQI1E1VTXarr6ZPXBg6eq7Y6eK4FEhY6AJlyuFIb/v/S0VQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "char-regex": "^1.0.2",
+        "strip-ansi": "^6.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/string-width": {
+      "version": "4.2.3",
+      "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==",
+      "dev": true,
+      "dependencies": {
+        "emoji-regex": "^8.0.0",
+        "is-fullwidth-code-point": "^3.0.0",
+        "strip-ansi": "^6.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/string-width/node_modules/emoji-regex": {
+      "version": "8.0.0",
+      "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==",
+      "dev": true
+    },
+    "node_modules/string.prototype.matchall": {
+      "version": "4.0.8",
+      "resolved": "https://registry.npmjs.org/string.prototype.matchall/-/string.prototype.matchall-4.0.8.tgz",
+      "integrity": "sha512-6zOCOcJ+RJAQshcTvXPHoxoQGONa3e/Lqx90wUA+wEzX78sg5Bo+1tQo4N0pohS0erG9qtCqJDjNCQBjeWVxyg==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.4",
+        "es-abstract": "^1.20.4",
+        "get-intrinsic": "^1.1.3",
+        "has-symbols": "^1.0.3",
+        "internal-slot": "^1.0.3",
+        "regexp.prototype.flags": "^1.4.3",
+        "side-channel": "^1.0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/string.prototype.trimend": {
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/string.prototype.trimend/-/string.prototype.trimend-1.0.6.tgz",
+      "integrity": "sha512-JySq+4mrPf9EsDBEDYMOb/lM7XQLulwg5R/m1r0PXEFqrV0qHvl58sdTilSXtKOflCsK2E8jxf+GKC0T07RWwQ==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.4",
+        "es-abstract": "^1.20.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/string.prototype.trimstart": {
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/string.prototype.trimstart/-/string.prototype.trimstart-1.0.6.tgz",
+      "integrity": "sha512-omqjMDaY92pbn5HOX7f9IccLA+U1tA9GvtU4JrodiXFfYB7jPzzHpRzpglLAjtUV6bB557zwClJezTqnAiYnQA==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.4",
+        "es-abstract": "^1.20.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/stringify-entities": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/stringify-entities/-/stringify-entities-3.1.0.tgz",
+      "integrity": "sha512-3FP+jGMmMV/ffZs86MoghGqAoqXAdxLrJP4GUdrDN1aIScYih5tuIO3eF4To5AJZ79KDZ8Fpdy7QJnK8SsL1Vg==",
+      "dev": true,
+      "dependencies": {
+        "character-entities-html4": "^1.0.0",
+        "character-entities-legacy": "^1.0.0",
+        "xtend": "^4.0.0"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/wooorm"
+      }
+    },
+    "node_modules/stringify-object": {
+      "version": "3.3.0",
+      "integrity": "sha512-rHqiFh1elqCQ9WPLIC8I0Q/g/wj5J1eMkyoiD6eoQApWHP0FtlK7rqnhmabL5VUY9JQCcqwwvlOaSuutekgyrw==",
+      "dev": true,
+      "dependencies": {
+        "get-own-enumerable-property-symbols": "^3.0.0",
+        "is-obj": "^1.0.1",
+        "is-regexp": "^1.0.0"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/strip-ansi": {
+      "version": "6.0.1",
+      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
+      "dev": true,
+      "dependencies": {
+        "ansi-regex": "^5.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/strip-bom": {
+      "version": "4.0.0",
+      "integrity": "sha512-3xurFv5tEgii33Zi8Jtp55wEIILR9eh34FAW00PZf+JnSsTmV/ioewSgQl97JHvgjoRGwPShsWm+IdrxB35d0w==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/strip-eof": {
+      "version": "1.0.0",
+      "integrity": "sha1-u0P/VZim6wXYm1n80SnJgzE2Br8=",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/strip-final-newline": {
+      "version": "2.0.0",
+      "integrity": "sha512-BrpvfNAE3dcvq7ll3xVumzjKjZQ5tI1sEUIKr3Uoks0XUl45St3FlatVqef9prk4jRDzhW6WZg+3bk93y6pLjA==",
+      "dev": true,
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/strip-json-comments": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-3.1.1.tgz",
+      "integrity": "sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/style-search": {
+      "version": "0.1.0",
+      "integrity": "sha1-eVjHk+R+MuB9K1yv5cC/jhLneQI=",
+      "dev": true
+    },
+    "node_modules/styled-jsx": {
+      "version": "5.0.7",
+      "resolved": "https://registry.npmjs.org/styled-jsx/-/styled-jsx-5.0.7.tgz",
+      "integrity": "sha512-b3sUzamS086YLRuvnaDigdAewz1/EFYlHpYBP5mZovKEdQQOIIYq8lApylub3HHZ6xFjV051kkGU7cudJmrXEA==",
+      "dev": true,
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "peerDependencies": {
+        "react": ">= 16.8.0 || 17.x.x || ^18.0.0-0"
+      },
+      "peerDependenciesMeta": {
+        "@babel/core": {
+          "optional": true
+        },
+        "babel-plugin-macros": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/stylelint": {
+      "version": "13.8.0",
+      "integrity": "sha512-iHH3dv3UI23SLDrH4zMQDjLT9/dDIz/IpoFeuNxZmEx86KtfpjDOscxLTFioQyv+2vQjPlRZnK0UoJtfxLICXQ==",
+      "dev": true,
+      "dependencies": {
+        "@stylelint/postcss-css-in-js": "^0.37.2",
+        "@stylelint/postcss-markdown": "^0.36.2",
+        "autoprefixer": "^9.8.6",
+        "balanced-match": "^1.0.0",
+        "chalk": "^4.1.0",
+        "cosmiconfig": "^7.0.0",
+        "debug": "^4.2.0",
+        "execall": "^2.0.0",
+        "fast-glob": "^3.2.4",
+        "fastest-levenshtein": "^1.0.12",
+        "file-entry-cache": "^6.0.0",
+        "get-stdin": "^8.0.0",
+        "global-modules": "^2.0.0",
+        "globby": "^11.0.1",
+        "globjoin": "^0.1.4",
+        "html-tags": "^3.1.0",
+        "ignore": "^5.1.8",
+        "import-lazy": "^4.0.0",
+        "imurmurhash": "^0.1.4",
+        "known-css-properties": "^0.20.0",
+        "lodash": "^4.17.20",
+        "log-symbols": "^4.0.0",
+        "mathml-tag-names": "^2.1.3",
+        "meow": "^8.0.0",
+        "micromatch": "^4.0.2",
+        "normalize-selector": "^0.2.0",
+        "postcss": "^7.0.35",
+        "postcss-html": "^0.36.0",
+        "postcss-less": "^3.1.4",
+        "postcss-media-query-parser": "^0.2.3",
+        "postcss-resolve-nested-selector": "^0.1.1",
+        "postcss-safe-parser": "^4.0.2",
+        "postcss-sass": "^0.4.4",
+        "postcss-scss": "^2.1.1",
+        "postcss-selector-parser": "^6.0.4",
+        "postcss-syntax": "^0.36.2",
+        "postcss-value-parser": "^4.1.0",
+        "resolve-from": "^5.0.0",
+        "slash": "^3.0.0",
+        "specificity": "^0.4.1",
+        "string-width": "^4.2.0",
+        "strip-ansi": "^6.0.0",
+        "style-search": "^0.1.0",
+        "sugarss": "^2.0.0",
+        "svg-tags": "^1.0.0",
+        "table": "^6.0.3",
+        "v8-compile-cache": "^2.2.0",
+        "write-file-atomic": "^3.0.3"
+      },
+      "bin": {
+        "stylelint": "bin/stylelint.js"
+      },
+      "engines": {
+        "node": ">=10.13.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/stylelint"
+      }
+    },
+    "node_modules/stylelint-config-css-modules": {
+      "version": "2.2.0",
+      "integrity": "sha512-+zjcDbot+zbuxy1UA31k4G2lUG+nHUwnLyii3uT2F09B8kT2YrT9LZYNfMtAWlDidrxr7sFd5HX9EqPHGU3WKA==",
+      "dev": true,
+      "peerDependencies": {
+        "stylelint": "11.x - 13.x"
+      }
+    },
+    "node_modules/stylelint-config-prettier": {
+      "version": "8.0.2",
+      "integrity": "sha512-TN1l93iVTXpF9NJstlvP7nOu9zY2k+mN0NSFQ/VEGz15ZIP9ohdDZTtCWHs5LjctAhSAzaILULGbgiM0ItId3A==",
+      "dev": true,
+      "bin": {
+        "stylelint-config-prettier": "bin/check.js",
+        "stylelint-config-prettier-check": "bin/check.js"
+      },
+      "engines": {
+        "node": ">= 10",
+        "npm": ">= 5"
+      },
+      "peerDependencies": {
+        "stylelint": ">=11.0.0"
+      }
+    },
+    "node_modules/stylelint-config-recommended": {
+      "version": "3.0.0",
+      "integrity": "sha512-F6yTRuc06xr1h5Qw/ykb2LuFynJ2IxkKfCMf+1xqPffkxh0S09Zc902XCffcsw/XMFq/OzQ1w54fLIDtmRNHnQ==",
+      "dev": true,
+      "peerDependencies": {
+        "stylelint": ">=10.1.0"
+      }
+    },
+    "node_modules/stylelint-config-standard": {
+      "version": "20.0.0",
+      "integrity": "sha512-IB2iFdzOTA/zS4jSVav6z+wGtin08qfj+YyExHB3LF9lnouQht//YyB0KZq9gGz5HNPkddHOzcY8HsUey6ZUlA==",
+      "dev": true,
+      "dependencies": {
+        "stylelint-config-recommended": "^3.0.0"
+      },
+      "peerDependencies": {
+        "stylelint": ">=10.1.0"
+      }
+    },
+    "node_modules/stylelint-media-use-custom-media": {
+      "version": "2.0.0",
+      "integrity": "sha512-G7Hwma8HIMFJOChqrX9ie8hAGbtEMUbEjuiaR3olHIXjloDWqYlFHIJKsCyyckigkm+4LtCwtZDQASrVY4pRBg==",
+      "dev": true,
+      "engines": {
+        "node": ">=10.0.0"
+      },
+      "peerDependencies": {
+        "stylelint": "10 - 13"
+      }
+    },
+    "node_modules/stylelint-order": {
+      "version": "4.1.0",
+      "integrity": "sha512-sVTikaDvMqg2aJjh4r48jsdfmqLT+nqB1MOsaBnvM3OwLx4S+WXcsxsgk5w18h/OZoxZCxuyXMh61iBHcj9Qiw==",
+      "dev": true,
+      "dependencies": {
+        "lodash": "^4.17.15",
+        "postcss": "^7.0.31",
+        "postcss-sorting": "^5.0.1"
+      },
+      "peerDependencies": {
+        "stylelint": "^10.0.1 || ^11.0.0 || ^12.0.0 || ^13.0.0"
+      }
+    },
+    "node_modules/stylelint-order/node_modules/postcss": {
+      "version": "7.0.39",
+      "integrity": "sha512-yioayjNbHn6z1/Bywyb2Y4s3yvDAeXGOyxqD+LnVOinq6Mdmd++SW2wUNVzavyyHxd6+DxzWGIuosg6P1Rj8uA==",
+      "dev": true,
+      "dependencies": {
+        "picocolors": "^0.2.1",
+        "source-map": "^0.6.1"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/postcss/"
+      }
+    },
+    "node_modules/stylelint-order/node_modules/source-map": {
+      "version": "0.6.1",
+      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/stylelint-use-nesting": {
+      "version": "3.0.0",
+      "integrity": "sha512-BMzhXWbK5DdAYtZMQULn7VmWZXpy8Rwlx2PgeNYqKInQrKTJWM/TFKPScc+xvsGUc/6JPiUDeQQij9gFnOo8Kg==",
+      "dev": true,
+      "engines": {
+        "node": ">=10.0.0"
+      },
+      "peerDependencies": {
+        "stylelint": "10 - 13"
+      }
+    },
+    "node_modules/stylelint-value-no-unknown-custom-properties": {
+      "version": "3.0.0",
+      "integrity": "sha512-8WoOnZ4ELTxA1cDbhwolIVOutxHwbjpXmd0lL0Li3Iye078jSnEb1KO6pJ/ig5oDVGRApFeA25Fyy4qqmqwGgg==",
+      "dev": true,
+      "dependencies": {
+        "postcss-values-parser": "^3.2.1"
+      },
+      "engines": {
+        "node": ">=10.0.0"
+      },
+      "peerDependencies": {
+        "stylelint": "10 - 13"
+      }
+    },
+    "node_modules/stylelint/node_modules/camelcase-keys": {
+      "version": "6.2.2",
+      "integrity": "sha512-YrwaA0vEKazPBkn0ipTiMpSajYDSe+KjQfrjhcBMxJt/znbvlHd8Pw/Vamaz5EB4Wfhs3SUR3Z9mwRu/P3s3Yg==",
+      "dev": true,
+      "dependencies": {
+        "camelcase": "^5.3.1",
+        "map-obj": "^4.0.0",
+        "quick-lru": "^4.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/stylelint/node_modules/find-up": {
+      "version": "4.1.0",
+      "integrity": "sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==",
+      "dev": true,
+      "dependencies": {
+        "locate-path": "^5.0.0",
+        "path-exists": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/stylelint/node_modules/get-stdin": {
+      "version": "8.0.0",
+      "integrity": "sha512-sY22aA6xchAzprjyqmSEQv4UbAAzRN0L2dQB0NlN5acTTK9Don6nhoc3eAbUnpZiCANAMfd/+40kVdKfFygohg==",
+      "dev": true,
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/stylelint/node_modules/hosted-git-info": {
+      "version": "4.0.2",
+      "integrity": "sha512-c9OGXbZ3guC/xOlCg1Ci/VgWlwsqDv1yMQL1CWqXDL0hDjXuNcq0zuR4xqPSuasI3kqFDhqSyTjREz5gzq0fXg==",
+      "dev": true,
+      "dependencies": {
+        "lru-cache": "^6.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/stylelint/node_modules/import-lazy": {
+      "version": "4.0.0",
+      "integrity": "sha512-rKtvo6a868b5Hu3heneU+L4yEQ4jYKLtjpnPeUdK7h0yzXGmyBTypknlkCvHFBqfX9YlorEiMM6Dnq/5atfHkw==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/stylelint/node_modules/locate-path": {
+      "version": "5.0.0",
+      "integrity": "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==",
+      "dev": true,
+      "dependencies": {
+        "p-locate": "^4.1.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/stylelint/node_modules/map-obj": {
+      "version": "4.3.0",
+      "integrity": "sha512-hdN1wVrZbb29eBGiGjJbeP8JbKjq1urkHJ/LIP/NY48MZ1QVXUsQBV1G1zvYFHn1XE06cwjBsOI2K3Ulnj1YXQ==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/stylelint/node_modules/meow": {
+      "version": "8.1.2",
+      "integrity": "sha512-r85E3NdZ+mpYk1C6RjPFEMSE+s1iZMuHtsHAqY0DT3jZczl0diWUZ8g6oU7h0M9cD2EL+PzaYghhCLzR0ZNn5Q==",
+      "dev": true,
+      "dependencies": {
+        "@types/minimist": "^1.2.0",
+        "camelcase-keys": "^6.2.2",
+        "decamelize-keys": "^1.1.0",
+        "hard-rejection": "^2.1.0",
+        "minimist-options": "4.1.0",
+        "normalize-package-data": "^3.0.0",
+        "read-pkg-up": "^7.0.1",
+        "redent": "^3.0.0",
+        "trim-newlines": "^3.0.0",
+        "type-fest": "^0.18.0",
+        "yargs-parser": "^20.2.3"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/stylelint/node_modules/normalize-package-data": {
+      "version": "3.0.3",
+      "integrity": "sha512-p2W1sgqij3zMMyRC067Dg16bfzVH+w7hyegmpIvZ4JNjqtGOVAIvLmjBx3yP7YTe9vKJgkoNOPjwQGogDoMXFA==",
+      "dev": true,
+      "dependencies": {
+        "hosted-git-info": "^4.0.1",
+        "is-core-module": "^2.5.0",
+        "semver": "^7.3.4",
+        "validate-npm-package-license": "^3.0.1"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/stylelint/node_modules/p-limit": {
+      "version": "2.3.0",
+      "integrity": "sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==",
+      "dev": true,
+      "dependencies": {
+        "p-try": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/stylelint/node_modules/p-locate": {
+      "version": "4.1.0",
+      "integrity": "sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==",
+      "dev": true,
+      "dependencies": {
+        "p-limit": "^2.2.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/stylelint/node_modules/path-exists": {
+      "version": "4.0.0",
+      "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/stylelint/node_modules/postcss": {
+      "version": "7.0.39",
+      "integrity": "sha512-yioayjNbHn6z1/Bywyb2Y4s3yvDAeXGOyxqD+LnVOinq6Mdmd++SW2wUNVzavyyHxd6+DxzWGIuosg6P1Rj8uA==",
+      "dev": true,
+      "dependencies": {
+        "picocolors": "^0.2.1",
+        "source-map": "^0.6.1"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/postcss/"
+      }
+    },
+    "node_modules/stylelint/node_modules/read-pkg": {
+      "version": "5.2.0",
+      "integrity": "sha512-Ug69mNOpfvKDAc2Q8DRpMjjzdtrnv9HcSMX+4VsZxD1aZ6ZzrIE7rlzXBtWTyhULSMKg076AW6WR5iZpD0JiOg==",
+      "dev": true,
+      "dependencies": {
+        "@types/normalize-package-data": "^2.4.0",
+        "normalize-package-data": "^2.5.0",
+        "parse-json": "^5.0.0",
+        "type-fest": "^0.6.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/stylelint/node_modules/read-pkg-up": {
+      "version": "7.0.1",
+      "integrity": "sha512-zK0TB7Xd6JpCLmlLmufqykGE+/TlOePD6qKClNW7hHDKFh/J7/7gCWGR7joEQEW1bKq3a3yUZSObOoWLFQ4ohg==",
+      "dev": true,
+      "dependencies": {
+        "find-up": "^4.1.0",
+        "read-pkg": "^5.2.0",
+        "type-fest": "^0.8.1"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/stylelint/node_modules/read-pkg-up/node_modules/type-fest": {
+      "version": "0.8.1",
+      "integrity": "sha512-4dbzIzqvjtgiM5rw1k5rEHtBANKmdudhGyBEajN01fEyhaAIhsoKNy6y7+IN93IfpFtwY9iqi7kD+xwKhQsNJA==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/stylelint/node_modules/read-pkg/node_modules/hosted-git-info": {
+      "version": "2.8.9",
+      "integrity": "sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==",
+      "dev": true
+    },
+    "node_modules/stylelint/node_modules/read-pkg/node_modules/normalize-package-data": {
+      "version": "2.5.0",
+      "integrity": "sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==",
+      "dev": true,
+      "dependencies": {
+        "hosted-git-info": "^2.1.4",
+        "resolve": "^1.10.0",
+        "semver": "2 || 3 || 4 || 5",
+        "validate-npm-package-license": "^3.0.1"
+      }
+    },
+    "node_modules/stylelint/node_modules/read-pkg/node_modules/semver": {
+      "version": "5.7.1",
+      "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ==",
+      "dev": true,
+      "bin": {
+        "semver": "bin/semver"
+      }
+    },
+    "node_modules/stylelint/node_modules/read-pkg/node_modules/type-fest": {
+      "version": "0.6.0",
+      "integrity": "sha512-q+MB8nYR1KDLrgr4G5yemftpMC7/QLqVndBmEEdqzmNj5dcFOO4Oo8qlwZE3ULT3+Zim1F8Kq4cBnikNhlCMlg==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/stylelint/node_modules/redent": {
+      "version": "3.0.0",
+      "integrity": "sha512-6tDA8g98We0zd0GvVeMT9arEOnTw9qM03L9cJXaCjrip1OO764RDBLBfrB4cwzNGDj5OA5ioymC9GkizgWJDUg==",
+      "dev": true,
+      "dependencies": {
+        "indent-string": "^4.0.0",
+        "strip-indent": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/stylelint/node_modules/resolve-from": {
+      "version": "5.0.0",
+      "integrity": "sha512-qYg9KP24dD5qka9J47d0aVky0N+b4fTU89LN9iDnjB5waksiC49rvMB0PrUJQGoTmH50XPiqOvAjDfaijGxYZw==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/stylelint/node_modules/source-map": {
+      "version": "0.6.1",
+      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/stylelint/node_modules/strip-indent": {
+      "version": "3.0.0",
+      "integrity": "sha512-laJTa3Jb+VQpaC6DseHhF7dXVqHTfJPCRDaEbid/drOhgitgYku/letMUqOXFoWV0zIIUbjpdH2t+tYj4bQMRQ==",
+      "dev": true,
+      "dependencies": {
+        "min-indent": "^1.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/stylelint/node_modules/trim-newlines": {
+      "version": "3.0.1",
+      "integrity": "sha512-c1PTsA3tYrIsLGkJkzHF+w9F2EyxfXGo4UyJc4pFL++FMjnq0HJS69T3M7d//gKrFKwy429bouPescbjecU+Zw==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/stylelint/node_modules/type-fest": {
+      "version": "0.18.1",
+      "integrity": "sha512-OIAYXk8+ISY+qTOwkHtKqzAuxchoMiD9Udx+FSGQDuiRR+PJKJHc2NJAXlbhkGwTt/4/nKZxELY1w3ReWOL8mw==",
+      "dev": true,
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/sugarss": {
+      "version": "2.0.0",
+      "integrity": "sha512-WfxjozUk0UVA4jm+U1d736AUpzSrNsQcIbyOkoE364GrtWmIrFdk5lksEupgWMD4VaT/0kVx1dobpiDumSgmJQ==",
+      "dev": true,
+      "dependencies": {
+        "postcss": "^7.0.2"
+      }
+    },
+    "node_modules/sugarss/node_modules/postcss": {
+      "version": "7.0.39",
+      "integrity": "sha512-yioayjNbHn6z1/Bywyb2Y4s3yvDAeXGOyxqD+LnVOinq6Mdmd++SW2wUNVzavyyHxd6+DxzWGIuosg6P1Rj8uA==",
+      "dev": true,
+      "dependencies": {
+        "picocolors": "^0.2.1",
+        "source-map": "^0.6.1"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/postcss/"
+      }
+    },
+    "node_modules/sugarss/node_modules/source-map": {
+      "version": "0.6.1",
+      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/supports-color": {
+      "version": "7.2.0",
+      "integrity": "sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==",
+      "dev": true,
+      "dependencies": {
+        "has-flag": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/supports-hyperlinks": {
+      "version": "2.2.0",
+      "integrity": "sha512-6sXEzV5+I5j8Bmq9/vUphGRM/RJNT9SCURJLjwfOg51heRtguGWDzcaBlgAzKhQa0EVNpPEKzQuBwZ8S8WaCeQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "has-flag": "^4.0.0",
+        "supports-color": "^7.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/supports-preserve-symlinks-flag": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz",
+      "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==",
+      "dev": true,
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/svg-tags": {
+      "version": "1.0.0",
+      "integrity": "sha1-WPcc7jvVGbWdSyqEO2x95krAR2Q=",
+      "dev": true
+    },
+    "node_modules/symbol-tree": {
+      "version": "3.2.4",
+      "integrity": "sha512-9QNk5KwDF+Bvz+PyObkmSYjI5ksVUYtjW7AU22r2NKcfLJcXp96hkDWU3+XndOsUb+AQ9QhfzfCT2O+CNWT5Tw==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/synckit": {
+      "version": "0.8.4",
+      "resolved": "https://registry.npmjs.org/synckit/-/synckit-0.8.4.tgz",
+      "integrity": "sha512-Dn2ZkzMdSX827QbowGbU/4yjWuvNaCoScLLoMo/yKbu+P4GBR6cRGKZH27k6a9bRzdqcyd1DE96pQtQ6uNkmyw==",
+      "dev": true,
+      "dependencies": {
+        "@pkgr/utils": "^2.3.1",
+        "tslib": "^2.4.0"
+      },
+      "engines": {
+        "node": "^14.18.0 || >=16.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/unts"
+      }
+    },
+    "node_modules/table": {
+      "version": "6.7.2",
+      "integrity": "sha512-UFZK67uvyNivLeQbVtkiUs8Uuuxv24aSL4/Vil2PJVtMgU8Lx0CYkP12uCGa3kjyQzOSgV1+z9Wkb82fCGsO0g==",
+      "dev": true,
+      "dependencies": {
+        "ajv": "^8.0.1",
+        "lodash.clonedeep": "^4.5.0",
+        "lodash.truncate": "^4.4.2",
+        "slice-ansi": "^4.0.0",
+        "string-width": "^4.2.3",
+        "strip-ansi": "^6.0.1"
+      },
+      "engines": {
+        "node": ">=10.0.0"
+      }
+    },
+    "node_modules/table/node_modules/ajv": {
+      "version": "8.6.3",
+      "integrity": "sha512-SMJOdDP6LqTkD0Uq8qLi+gMwSt0imXLSV080qFVwJCpH9U6Mb+SUGHAXM0KNbcBPguytWyvFxcHgMLe2D2XSpw==",
+      "dev": true,
+      "dependencies": {
+        "fast-deep-equal": "^3.1.1",
+        "json-schema-traverse": "^1.0.0",
+        "require-from-string": "^2.0.2",
+        "uri-js": "^4.2.2"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/epoberezkin"
+      }
+    },
+    "node_modules/table/node_modules/json-schema-traverse": {
+      "version": "1.0.0",
+      "integrity": "sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug==",
+      "dev": true
+    },
+    "node_modules/table/node_modules/slice-ansi": {
+      "version": "4.0.0",
+      "integrity": "sha512-qMCMfhY040cVHT43K9BFygqYbUPFZKHOg7K73mtTWJRb8pyP3fzf4Ixd5SzdEJQ6MRUg/WBnOLxghZtKKurENQ==",
+      "dev": true,
+      "dependencies": {
+        "ansi-styles": "^4.0.0",
+        "astral-regex": "^2.0.0",
+        "is-fullwidth-code-point": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/slice-ansi?sponsor=1"
+      }
+    },
+    "node_modules/tapable": {
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.2.1.tgz",
+      "integrity": "sha512-GNzQvQTOIP6RyTfE2Qxb8ZVlNmw0n88vp1szwWRimP02mnTsx3Wtn5qRdqY9w2XduFNUgvOwhNnQsjwCp+kqaQ==",
+      "dev": true,
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/terminal-link": {
+      "version": "2.1.1",
+      "integrity": "sha512-un0FmiRUQNr5PJqy9kP7c40F5BOfpGlYTrxonDChEZB7pzZxRNp/bt+ymiy9/npwXya9KH99nJ/GXFIiUkYGFQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "ansi-escapes": "^4.2.1",
+        "supports-hyperlinks": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/test-exclude": {
+      "version": "6.0.0",
+      "integrity": "sha512-cAGWPIyOHU6zlmg88jwm7VRyXnMN7iV68OGAbYDk/Mh/xC/pzVPlQtY6ngoIH/5/tciuhGfvESU8GrHrcxD56w==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@istanbuljs/schema": "^0.1.2",
+        "glob": "^7.1.4",
+        "minimatch": "^3.0.4"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/text-table": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/text-table/-/text-table-0.2.0.tgz",
+      "integrity": "sha512-N+8UisAXDGk8PFXP4HAzVR9nbfmVJ3zYLAWiTIoqC5v5isinhr+r5uaO8+7r3BMfuNIufIsA7RdpVgacC2cSpw==",
+      "dev": true
+    },
+    "node_modules/throat": {
+      "version": "5.0.0",
+      "integrity": "sha512-fcwX4mndzpLQKBS1DVYhGAcYaYt7vsHNIvQV+WXMvnow5cgjPphq5CaayLaGsjRdSCKZFNGt7/GYAuXaNOiYCA==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/through": {
+      "version": "2.3.8",
+      "integrity": "sha1-DdTJ/6q8NXlgsbckEV1+Doai4fU=",
+      "dev": true
+    },
+    "node_modules/tiny-glob": {
+      "version": "0.2.9",
+      "resolved": "https://registry.npmjs.org/tiny-glob/-/tiny-glob-0.2.9.tgz",
+      "integrity": "sha512-g/55ssRPUjShh+xkfx9UPDXqhckHEsHr4Vd9zX55oSdGZc/MD0m3sferOkwWtp98bv+kcVfEHtRJgBVJzelrzg==",
+      "dev": true,
+      "dependencies": {
+        "globalyzer": "0.1.0",
+        "globrex": "^0.1.2"
+      }
+    },
+    "node_modules/tlds": {
+      "version": "1.224.0",
+      "integrity": "sha512-Jgdc8SEijbDFUsmCn6Wk/f7E6jBLFZOG3U1xK0amGSfEH55Xx97ItUS/d2NngsuApjn11UeWCWj8Um3VRhseZQ==",
+      "dev": true,
+      "bin": {
+        "tlds": "bin.js"
+      }
+    },
+    "node_modules/tmp": {
+      "version": "0.0.33",
+      "integrity": "sha512-jRCJlojKnZ3addtTOjdIqoRuPEKBvNXcGYqzO6zWZX8KfKEpnGY5jfggJQ3EjKuu8D4bJRr0y+cYJFmYbImXGw==",
+      "dev": true,
+      "dependencies": {
+        "os-tmpdir": "~1.0.2"
+      },
+      "engines": {
+        "node": ">=0.6.0"
+      }
+    },
+    "node_modules/tmpl": {
+      "version": "1.0.5",
+      "integrity": "sha512-3f0uOEAQwIqGuWW2MVzYg8fV/QNnc/IpuJNG837rLuczAaLVHslWHZQj4IGiEl5Hs3kkbhwL9Ab7Hrsmuj+Smw==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/to-fast-properties": {
+      "version": "2.0.0",
+      "integrity": "sha1-3F5pjL0HkmW8c+A3doGk5Og/YW4=",
+      "dev": true,
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/to-object-path": {
+      "version": "0.3.0",
+      "integrity": "sha1-KXWIt7Dn4KwI4E5nL4XB9JmeF68=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "kind-of": "^3.0.2"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/to-object-path/node_modules/is-buffer": {
+      "version": "1.1.6",
+      "integrity": "sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/to-object-path/node_modules/kind-of": {
+      "version": "3.2.2",
+      "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-buffer": "^1.1.5"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/to-regex": {
+      "version": "3.0.2",
+      "integrity": "sha512-FWtleNAtZ/Ki2qtqej2CXTOayOH9bHDQF+Q48VpWyDXjbYxA4Yz8iDB31zXOBUlOHHKidDbqGVrTUvQMPmBGBw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "define-property": "^2.0.2",
+        "extend-shallow": "^3.0.2",
+        "regex-not": "^1.0.2",
+        "safe-regex": "^1.1.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/to-regex-range": {
+      "version": "5.0.1",
+      "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==",
+      "dev": true,
+      "dependencies": {
+        "is-number": "^7.0.0"
+      },
+      "engines": {
+        "node": ">=8.0"
+      }
+    },
+    "node_modules/to-regex/node_modules/extend-shallow": {
+      "version": "3.0.2",
+      "integrity": "sha1-Jqcarwc7OfshJxcnRhMcJwQCjbg=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "assign-symbols": "^1.0.0",
+        "is-extendable": "^1.0.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/to-regex/node_modules/is-extendable": {
+      "version": "1.0.1",
+      "integrity": "sha512-arnXMxT1hhoKo9k1LZdmlNyJdDDfy2v0fXjFlmok4+i8ul/6WlbVge9bhM74OpNPQPMGUToDtz+KXa1PneJxOA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "is-plain-object": "^2.0.4"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/tough-cookie": {
+      "version": "4.0.0",
+      "integrity": "sha512-tHdtEpQCMrc1YLrMaqXXcj6AxhYi/xgit6mZu1+EDWUn+qhUf8wMQoFIy9NXuq23zAwtcB0t/MjACGR18pcRbg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "psl": "^1.1.33",
+        "punycode": "^2.1.1",
+        "universalify": "^0.1.2"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/tough-cookie/node_modules/punycode": {
+      "version": "2.1.1",
+      "integrity": "sha512-XRsRjdf+j5ml+y/6GKHPZbrF/8p2Yga0JPtdqTIY2Xe5ohJPD9saDJJLPvp9+NSBprVvevdXZybnj2cv8OEd0A==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/tough-cookie/node_modules/universalify": {
+      "version": "0.1.2",
+      "integrity": "sha512-rBJeI5CXAlmy1pV+617WB9J63U6XcazHHF2f2dbJix4XzpUF0RS3Zbj0FGIOCAva5P/d/GBOYaACQ1w+0azUkg==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">= 4.0.0"
+      }
+    },
+    "node_modules/tr46": {
+      "version": "2.1.0",
+      "integrity": "sha512-15Ih7phfcdP5YxqiB+iDtLoaTz4Nd35+IiAv0kQ5FNKHzXgdWqPoTIqEDDJmXceQt4JZk6lVPT8lnDlPpGDppw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "punycode": "^2.1.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/tr46/node_modules/punycode": {
+      "version": "2.1.1",
+      "integrity": "sha512-XRsRjdf+j5ml+y/6GKHPZbrF/8p2Yga0JPtdqTIY2Xe5ohJPD9saDJJLPvp9+NSBprVvevdXZybnj2cv8OEd0A==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/trim": {
+      "version": "0.0.1",
+      "resolved": "https://registry.npmjs.org/trim/-/trim-0.0.1.tgz",
+      "integrity": "sha512-YzQV+TZg4AxpKxaTHK3c3D+kRDCGVEE7LemdlQZoQXn0iennk10RsIoY6ikzAqJTc9Xjl9C1/waHom/J86ziAQ==",
+      "dev": true
+    },
+    "node_modules/trim-trailing-lines": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/trim-trailing-lines/-/trim-trailing-lines-1.1.4.tgz",
+      "integrity": "sha512-rjUWSqnfTNrjbB9NQWfPMH/xRK1deHeGsHoVfpxJ++XeYXE0d6B1En37AHfw3jtfTU7dzMzZL2jjpe8Qb5gLIQ==",
+      "dev": true,
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/wooorm"
+      }
+    },
+    "node_modules/trough": {
+      "version": "1.0.5",
+      "integrity": "sha512-rvuRbTarPXmMb79SmzEp8aqXNKcK+y0XaB298IXueQ8I2PsrATcPBCSPyK/dDNa2iWOhKlfNnOjdAOTBU/nkFA==",
+      "dev": true,
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/wooorm"
+      }
+    },
+    "node_modules/ts-jest": {
+      "version": "26.5.6",
+      "integrity": "sha512-rua+rCP8DxpA8b4DQD/6X2HQS8Zy/xzViVYfEs2OQu68tkCuKLV0Md8pmX55+W24uRIyAsf/BajRfxOs+R2MKA==",
+      "dev": true,
+      "dependencies": {
+        "bs-logger": "0.x",
+        "buffer-from": "1.x",
+        "fast-json-stable-stringify": "2.x",
+        "jest-util": "^26.1.0",
+        "json5": "2.x",
+        "lodash": "4.x",
+        "make-error": "1.x",
+        "mkdirp": "1.x",
+        "semver": "7.x",
+        "yargs-parser": "20.x"
+      },
+      "bin": {
+        "ts-jest": "cli.js"
+      },
+      "engines": {
+        "node": ">= 10"
+      },
+      "peerDependencies": {
+        "jest": ">=26 <27",
+        "typescript": ">=3.8 <5.0"
+      }
+    },
+    "node_modules/ts-jest/node_modules/mkdirp": {
+      "version": "1.0.4",
+      "integrity": "sha512-vVqVZQyf3WLx2Shd0qJ9xuvqgAyKPLAiqITEtqW0oIUjzo3PePDd6fW9iFz30ef7Ysp/oiWqbhszeGWW2T6Gzw==",
+      "dev": true,
+      "bin": {
+        "mkdirp": "bin/cmd.js"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/tsconfig-paths": {
+      "version": "3.14.1",
+      "resolved": "https://registry.npmjs.org/tsconfig-paths/-/tsconfig-paths-3.14.1.tgz",
+      "integrity": "sha512-fxDhWnFSLt3VuTwtvJt5fpwxBHg5AdKWMsgcPOOIilyjymcYVZoCQF8fvFRezCNfblEXmi+PcM1eYHeOAgXCOQ==",
+      "dev": true,
+      "dependencies": {
+        "@types/json5": "^0.0.29",
+        "json5": "^1.0.1",
+        "minimist": "^1.2.6",
+        "strip-bom": "^3.0.0"
+      }
+    },
+    "node_modules/tsconfig-paths/node_modules/json5": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/json5/-/json5-1.0.2.tgz",
+      "integrity": "sha512-g1MWMLBiz8FKi1e4w0UyVL3w+iJceWAFBAaBnnGKOpNa5f8TLktkbre1+s6oICydWAm+HRUGTmI+//xv2hvXYA==",
+      "dev": true,
+      "dependencies": {
+        "minimist": "^1.2.0"
+      },
+      "bin": {
+        "json5": "lib/cli.js"
+      }
+    },
+    "node_modules/tsconfig-paths/node_modules/strip-bom": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/strip-bom/-/strip-bom-3.0.0.tgz",
+      "integrity": "sha512-vavAMRXOgBVNF6nyEEmL3DBK19iRpDcoIwW+swQ+CbGiu7lju6t+JklA1MHweoWtadgt4ISVUsXLyDq34ddcwA==",
+      "dev": true,
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/tslib": {
+      "version": "2.4.0",
+      "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.4.0.tgz",
+      "integrity": "sha512-d6xOpEDfsi2CZVlPQzGeux8XMwLT9hssAsaPYExaQMuYskwb+x1x7J371tWlbBdWHroy99KnVB6qIkUbs5X3UQ==",
+      "dev": true
+    },
+    "node_modules/tsutils": {
+      "version": "3.21.0",
+      "resolved": "https://registry.npmjs.org/tsutils/-/tsutils-3.21.0.tgz",
+      "integrity": "sha512-mHKK3iUXL+3UF6xL5k0PEhKRUBKPBCv/+RkEOpjRWxxx27KKRBmmA60A9pgOUvMi8GKhRMPEmjBRPzs2W7O1OA==",
+      "dev": true,
+      "dependencies": {
+        "tslib": "^1.8.1"
+      },
+      "engines": {
+        "node": ">= 6"
+      },
+      "peerDependencies": {
+        "typescript": ">=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta"
+      }
+    },
+    "node_modules/tsutils/node_modules/tslib": {
+      "version": "1.14.1",
+      "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz",
+      "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg==",
+      "dev": true
+    },
+    "node_modules/type-check": {
+      "version": "0.4.0",
+      "resolved": "https://registry.npmjs.org/type-check/-/type-check-0.4.0.tgz",
+      "integrity": "sha512-XleUoc9uwGXqjWwXaUTZAmzMcFZ5858QA2vvx1Ur5xIcixXIP+8LnFDgRplU30us6teqdlskFfu+ae4K79Ooew==",
+      "dev": true,
+      "dependencies": {
+        "prelude-ls": "^1.2.1"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/type-detect": {
+      "version": "4.0.8",
+      "integrity": "sha512-0fr/mIH1dlO+x7TlcMy+bIDqKPsw/70tVyeHW787goQjhmqaZe10uwLujubK9q9Lg6Fiho1KUKDYz0Z7k7g5/g==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/type-fest": {
+      "version": "0.21.3",
+      "integrity": "sha512-t0rzBq87m3fVcduHDUFhKmyyX+9eo6WQjZvf51Ea/M0Q7+T374Jp1aUiyUl0GKxp8M/OETVHSDvmkyPgvX+X2w==",
+      "dev": true,
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/typed-array-length": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/typed-array-length/-/typed-array-length-1.0.4.tgz",
+      "integrity": "sha512-KjZypGq+I/H7HI5HlOoGHkWUUGq+Q0TPhQurLbyrVrvnKTBgzLhIJ7j6J/XTQOi0d1RjyZ0wdas8bKs2p0x3Ng==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2",
+        "for-each": "^0.3.3",
+        "is-typed-array": "^1.1.9"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/typedarray-to-buffer": {
+      "version": "3.1.5",
+      "integrity": "sha512-zdu8XMNEDepKKR+XYOXAVPtWui0ly0NtohUscw+UmaHiAWT8hrV1rr//H6V+0DvJ3OQ19S979M0laLfX8rm82Q==",
+      "dev": true,
+      "dependencies": {
+        "is-typedarray": "^1.0.0"
+      }
+    },
+    "node_modules/typescript": {
+      "version": "4.4.3",
+      "integrity": "sha512-4xfscpisVgqqDfPaJo5vkd+Qd/ItkoagnHpufr+i2QCHBsNYp+G7UAoyFl8aPtx879u38wPV65rZ8qbGZijalA==",
+      "dev": true,
+      "peer": true,
+      "bin": {
+        "tsc": "bin/tsc",
+        "tsserver": "bin/tsserver"
+      },
+      "engines": {
+        "node": ">=4.2.0"
+      }
+    },
+    "node_modules/unbox-primitive": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/unbox-primitive/-/unbox-primitive-1.0.2.tgz",
+      "integrity": "sha512-61pPlCD9h51VoreyJ0BReideM3MDKMKnh6+V9L08331ipq6Q8OFXZYiqP6n/tbHx4s5I9uRhcye6BrbkizkBDw==",
+      "dev": true,
+      "dependencies": {
+        "call-bind": "^1.0.2",
+        "has-bigints": "^1.0.2",
+        "has-symbols": "^1.0.3",
+        "which-boxed-primitive": "^1.0.2"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/unherit": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/unherit/-/unherit-1.1.3.tgz",
+      "integrity": "sha512-Ft16BJcnapDKp0+J/rqFC3Rrk6Y/Ng4nzsC028k2jdDII/rdZ7Wd3pPT/6+vIIxRagwRc9K0IUX0Ra4fKvw+WQ==",
+      "dev": true,
+      "dependencies": {
+        "inherits": "^2.0.0",
+        "xtend": "^4.0.0"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/wooorm"
+      }
+    },
+    "node_modules/unified": {
+      "version": "9.2.0",
+      "integrity": "sha512-vx2Z0vY+a3YoTj8+pttM3tiJHCwY5UFbYdiWrwBEbHmK8pvsPj2rtAX2BFfgXen8T39CJWblWRDT4L5WGXtDdg==",
+      "dev": true,
+      "dependencies": {
+        "bail": "^1.0.0",
+        "extend": "^3.0.0",
+        "is-buffer": "^2.0.0",
+        "is-plain-obj": "^2.0.0",
+        "trough": "^1.0.0",
+        "vfile": "^4.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/unified-lint-rule": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/unified-lint-rule/-/unified-lint-rule-2.1.1.tgz",
+      "integrity": "sha512-vsLHyLZFstqtGse2gvrGwasOmH8M2y+r2kQMoDSWzSqUkQx2MjHjvZuGSv5FUaiv4RQO1bHRajy7lSGp7XWq5A==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0",
+        "trough": "^2.0.0",
+        "unified": "^10.0.0",
+        "vfile": "^5.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/unified-lint-rule/node_modules/bail": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/bail/-/bail-2.0.2.tgz",
+      "integrity": "sha512-0xO6mYd7JB2YesxDKplafRpsiOzPt9V02ddPCLbY1xYGPOX24NTyN50qnUxgCPcSoYMhKpAuBTjQoRZCAkUDRw==",
+      "dev": true,
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/wooorm"
+      }
+    },
+    "node_modules/unified-lint-rule/node_modules/is-plain-obj": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/is-plain-obj/-/is-plain-obj-4.1.0.tgz",
+      "integrity": "sha512-+Pgi+vMuUNkJyExiMBt5IlFoMyKnr5zhJ4Uspz58WOhBF5QoIZkFyNHIbBAtHwzVAgk5RtndVNsDRN61/mmDqg==",
+      "dev": true,
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/unified-lint-rule/node_modules/trough": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/trough/-/trough-2.1.0.tgz",
+      "integrity": "sha512-AqTiAOLcj85xS7vQ8QkAV41hPDIJ71XJB4RCUrzo/1GM2CQwhkJGaf9Hgr7BOugMRpgGUrqRg/DrBDl4H40+8g==",
+      "dev": true,
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/wooorm"
+      }
+    },
+    "node_modules/unified-lint-rule/node_modules/unified": {
+      "version": "10.1.2",
+      "resolved": "https://registry.npmjs.org/unified/-/unified-10.1.2.tgz",
+      "integrity": "sha512-pUSWAi/RAnVy1Pif2kAoeWNBa3JVrx0MId2LASj8G+7AiHWoKZNTomq6LG326T68U7/e263X6fTdcXIy7XnF7Q==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0",
+        "bail": "^2.0.0",
+        "extend": "^3.0.0",
+        "is-buffer": "^2.0.0",
+        "is-plain-obj": "^4.0.0",
+        "trough": "^2.0.0",
+        "vfile": "^5.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/unified-lint-rule/node_modules/unist-util-stringify-position": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/unist-util-stringify-position/-/unist-util-stringify-position-3.0.3.tgz",
+      "integrity": "sha512-k5GzIBZ/QatR8N5X2y+drfpWG8IDBzdnVj6OInRNWm1oXrzydiaAT2OQiA8DPRRZyAKb9b6I2a6PxYklZD0gKg==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/unified-lint-rule/node_modules/vfile": {
+      "version": "5.3.7",
+      "resolved": "https://registry.npmjs.org/vfile/-/vfile-5.3.7.tgz",
+      "integrity": "sha512-r7qlzkgErKjobAmyNIkkSpizsFPYiUPuJb5pNW1RB4JcYVZhs4lIbVqk8XPk033CV/1z8ss5pkax8SuhGpcG8g==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0",
+        "is-buffer": "^2.0.0",
+        "unist-util-stringify-position": "^3.0.0",
+        "vfile-message": "^3.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/unified-lint-rule/node_modules/vfile-message": {
+      "version": "3.1.4",
+      "resolved": "https://registry.npmjs.org/vfile-message/-/vfile-message-3.1.4.tgz",
+      "integrity": "sha512-fa0Z6P8HUrQN4BZaX05SIVXic+7kE3b05PWAtPuYP9QLHsLKYR7/AlLW3NtOrpXRLeawpDLMsVkmk5DG0NXgWw==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0",
+        "unist-util-stringify-position": "^3.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/unified/node_modules/is-plain-obj": {
+      "version": "2.1.0",
+      "integrity": "sha512-YWnfyRwxL/+SsrWYfOpUtz5b3YD+nyfkHvjbcanzk8zgyO4ASD67uVMRt8k5bM4lLMDnXfriRhOpemw+NfT1eA==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/union-value": {
+      "version": "1.0.1",
+      "integrity": "sha512-tJfXmxMeWYnczCVs7XAEvIV7ieppALdyepWMkHkwciRpZraG/xwT+s2JN8+pr1+8jCRf80FFzvr+MpQeeoF4Xg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "arr-union": "^3.1.0",
+        "get-value": "^2.0.6",
+        "is-extendable": "^0.1.1",
+        "set-value": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/unist-util-find-all-after": {
+      "version": "3.0.2",
+      "integrity": "sha512-xaTC/AGZ0rIM2gM28YVRAFPIZpzbpDtU3dRmp7EXlNVA8ziQc4hY3H7BHXM1J49nEmiqc3svnqMReW+PGqbZKQ==",
+      "dev": true,
+      "dependencies": {
+        "unist-util-is": "^4.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/unist-util-is": {
+      "version": "4.1.0",
+      "integrity": "sha512-ZOQSsnce92GrxSqlnEEseX0gi7GH9zTJZ0p9dtu87WRb/37mMPO2Ilx1s/t9vBHrFhbgweUwb+t7cIn5dxPhZg==",
+      "dev": true,
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/unist-util-remove-position": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/unist-util-remove-position/-/unist-util-remove-position-2.0.1.tgz",
+      "integrity": "sha512-fDZsLYIe2uT+oGFnuZmy73K6ZxOPG/Qcm+w7jbEjaFcJgbQ6cqjs/eSPzXhsmGpAsWPkqZM9pYjww5QTn3LHMA==",
+      "dev": true,
+      "dependencies": {
+        "unist-util-visit": "^2.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/unist-util-remove-position/node_modules/unist-util-visit": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/unist-util-visit/-/unist-util-visit-2.0.3.tgz",
+      "integrity": "sha512-iJ4/RczbJMkD0712mGktuGpm/U4By4FfDonL7N/9tATGIF4imikjOuagyMY53tnZq3NP6BcmlrHhEKAfGWjh7Q==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0",
+        "unist-util-is": "^4.0.0",
+        "unist-util-visit-parents": "^3.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/unist-util-remove-position/node_modules/unist-util-visit-parents": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/unist-util-visit-parents/-/unist-util-visit-parents-3.1.1.tgz",
+      "integrity": "sha512-1KROIZWo6bcMrZEwiH2UrXDyalAa0uqzWCxCJj6lPOvTve2WkfgCytoDTPaMnodXh1WrXOq0haVYHj99ynJlsg==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0",
+        "unist-util-is": "^4.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/unist-util-stringify-position": {
+      "version": "2.0.3",
+      "integrity": "sha512-3faScn5I+hy9VleOq/qNbAd6pAx7iH5jYBMS9I1HgQVijz/4mv5Bvw5iw1sC/90CODiKo81G/ps8AJrISn687g==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.2"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/unist-util-visit": {
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/unist-util-visit/-/unist-util-visit-4.1.2.tgz",
+      "integrity": "sha512-MSd8OUGISqHdVvfY9TPhyK2VdUrPgxkUtWSuMHF6XAAFuL4LokseigBnZtPnJMu+FbynTkFNnFlyjxpVKujMRg==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0",
+        "unist-util-is": "^5.0.0",
+        "unist-util-visit-parents": "^5.1.1"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/unist-util-visit-parents": {
+      "version": "5.1.3",
+      "resolved": "https://registry.npmjs.org/unist-util-visit-parents/-/unist-util-visit-parents-5.1.3.tgz",
+      "integrity": "sha512-x6+y8g7wWMyQhL1iZfhIPhDAs7Xwbn9nRosDXl7qoPTSCy0yNxnKc+hWokFifWQIDGi154rdUqKvbCa4+1kLhg==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0",
+        "unist-util-is": "^5.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/unist-util-visit-parents/node_modules/unist-util-is": {
+      "version": "5.2.0",
+      "resolved": "https://registry.npmjs.org/unist-util-is/-/unist-util-is-5.2.0.tgz",
+      "integrity": "sha512-Glt17jWwZeyqrFqOK0pF1Ded5U3yzJnFr8CG1GMjCWTp9zDo2p+cmD6pWbZU8AgM5WU3IzRv6+rBwhzsGh6hBQ==",
+      "dev": true,
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/unist-util-visit/node_modules/unist-util-is": {
+      "version": "5.2.0",
+      "resolved": "https://registry.npmjs.org/unist-util-is/-/unist-util-is-5.2.0.tgz",
+      "integrity": "sha512-Glt17jWwZeyqrFqOK0pF1Ded5U3yzJnFr8CG1GMjCWTp9zDo2p+cmD6pWbZU8AgM5WU3IzRv6+rBwhzsGh6hBQ==",
+      "dev": true,
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/universalify": {
+      "version": "1.0.0",
+      "integrity": "sha512-rb6X1W158d7pRQBg5gkR8uPaSfiids68LTJQYOtEUhoJUWBdaQHsuT/EUduxXYxcrt4r5PJ4fuHW1MHT6p0qug==",
+      "dev": true,
+      "engines": {
+        "node": ">= 10.0.0"
+      }
+    },
+    "node_modules/unset-value": {
+      "version": "1.0.0",
+      "integrity": "sha1-g3aHP30jNRef+x5vw6jtDfyKtVk=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "has-value": "^0.3.1",
+        "isobject": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/unset-value/node_modules/has-value": {
+      "version": "0.3.1",
+      "integrity": "sha1-ex9YutpiyoJ+wKIHgCVlSEWZXh8=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "get-value": "^2.0.3",
+        "has-values": "^0.1.4",
+        "isobject": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/unset-value/node_modules/has-value/node_modules/isobject": {
+      "version": "2.1.0",
+      "integrity": "sha1-8GVWEJaj8dou9GJy+BXIQNh+DIk=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "isarray": "1.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/unset-value/node_modules/has-values": {
+      "version": "0.1.4",
+      "integrity": "sha1-bWHeldkd/Km5oCCJrThL/49it3E=",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/uri-js": {
+      "version": "4.4.1",
+      "integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==",
+      "dev": true,
+      "dependencies": {
+        "punycode": "^2.1.0"
+      }
+    },
+    "node_modules/uri-js/node_modules/punycode": {
+      "version": "2.1.1",
+      "integrity": "sha512-XRsRjdf+j5ml+y/6GKHPZbrF/8p2Yga0JPtdqTIY2Xe5ohJPD9saDJJLPvp9+NSBprVvevdXZybnj2cv8OEd0A==",
+      "dev": true,
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/urix": {
+      "version": "0.1.0",
+      "integrity": "sha1-2pN/emLiH+wf0Y1Js1wpNQZ6bHI=",
+      "deprecated": "Please see https://github.com/lydell/urix#deprecated",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/url-regex": {
+      "version": "5.0.0",
+      "integrity": "sha512-O08GjTiAFNsSlrUWfqF1jH0H1W3m35ZyadHrGv5krdnmPPoxP27oDTqux/579PtaroiSGm5yma6KT1mHFH6Y/g==",
+      "dev": true,
+      "dependencies": {
+        "ip-regex": "^4.1.0",
+        "tlds": "^1.203.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/use": {
+      "version": "3.1.1",
+      "integrity": "sha512-cwESVXlO3url9YWlFW/TA9cshCEhtu7IKJ/p5soJ/gGpj7vbvFrAY/eIioQ6Dw23KjZhYgiIo8HOs1nQ2vr/oQ==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/use-sync-external-store": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/use-sync-external-store/-/use-sync-external-store-1.2.0.tgz",
+      "integrity": "sha512-eEgnFxGQ1Ife9bzYs6VLi8/4X6CObHMw9Qr9tPY43iKwsPw8xE8+EFsf/2cFZ5S3esXgpWgtSCtLNS41F+sKPA==",
+      "dev": true,
+      "peerDependencies": {
+        "react": "^16.8.0 || ^17.0.0 || ^18.0.0"
+      }
+    },
+    "node_modules/util-deprecate": {
+      "version": "1.0.2",
+      "integrity": "sha1-RQ1Nyfpw3nMnYvvS1KKJgUGaDM8=",
+      "dev": true
+    },
+    "node_modules/uuid": {
+      "version": "8.3.2",
+      "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==",
+      "dev": true,
+      "optional": true,
+      "peer": true,
+      "bin": {
+        "uuid": "dist/bin/uuid"
+      }
+    },
+    "node_modules/v8-compile-cache": {
+      "version": "2.3.0",
+      "integrity": "sha512-l8lCEmLcLYZh4nbunNZvQCJc5pv7+RCwa8q/LdUx8u7lsWvPDKmpodJAJNwkAhJC//dFY48KuIEmjtd4RViDrA==",
+      "dev": true
+    },
+    "node_modules/v8-to-istanbul": {
+      "version": "7.1.2",
+      "integrity": "sha512-TxNb7YEUwkLXCQYeudi6lgQ/SZrzNO4kMdlqVxaZPUIUjCv6iSSypUQX70kNBSERpQ8fk48+d61FXk+tgqcWow==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "@types/istanbul-lib-coverage": "^2.0.1",
+        "convert-source-map": "^1.6.0",
+        "source-map": "^0.7.3"
+      },
+      "engines": {
+        "node": ">=10.10.0"
+      }
+    },
+    "node_modules/v8-to-istanbul/node_modules/source-map": {
+      "version": "0.7.3",
+      "integrity": "sha512-CkCj6giN3S+n9qrYiBTX5gystlENnRW5jZeNLHpe6aue+SrHcG5VYwujhW9s4dY31mEGsxBDrHR6oI69fTXsaQ==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/validate-npm-package-license": {
+      "version": "3.0.4",
+      "integrity": "sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==",
+      "dev": true,
+      "dependencies": {
+        "spdx-correct": "^3.0.0",
+        "spdx-expression-parse": "^3.0.0"
+      }
+    },
+    "node_modules/vfile": {
+      "version": "4.2.1",
+      "integrity": "sha512-O6AE4OskCG5S1emQ/4gl8zK586RqA3srz3nfK/Viy0UPToBc5Trp9BVFb1u0CjsKrAWwnpr4ifM/KBXPWwJbCA==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0",
+        "is-buffer": "^2.0.0",
+        "unist-util-stringify-position": "^2.0.0",
+        "vfile-message": "^2.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/vfile-location": {
+      "version": "3.2.0",
+      "resolved": "https://registry.npmjs.org/vfile-location/-/vfile-location-3.2.0.tgz",
+      "integrity": "sha512-aLEIZKv/oxuCDZ8lkJGhuhztf/BW4M+iHdCwglA/eWc+vtuRFJj8EtgceYFX4LRjOhCAAiNHsKGssC6onJ+jbA==",
+      "dev": true,
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/vfile-matter": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/vfile-matter/-/vfile-matter-4.0.1.tgz",
+      "integrity": "sha512-ZeACdaxCOxhePpoLO4A5y/VgI9EuWBXu+sUk65aQ7lXBZDFg7X0tuOzigLJUtsQzazFt6K2m9SdlDxZdfL5vVg==",
+      "dev": true,
+      "dependencies": {
+        "is-buffer": "^2.0.0",
+        "vfile": "^5.0.0",
+        "yaml": "^2.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/vfile-matter/node_modules/unist-util-stringify-position": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/unist-util-stringify-position/-/unist-util-stringify-position-3.0.3.tgz",
+      "integrity": "sha512-k5GzIBZ/QatR8N5X2y+drfpWG8IDBzdnVj6OInRNWm1oXrzydiaAT2OQiA8DPRRZyAKb9b6I2a6PxYklZD0gKg==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/vfile-matter/node_modules/vfile": {
+      "version": "5.3.7",
+      "resolved": "https://registry.npmjs.org/vfile/-/vfile-5.3.7.tgz",
+      "integrity": "sha512-r7qlzkgErKjobAmyNIkkSpizsFPYiUPuJb5pNW1RB4JcYVZhs4lIbVqk8XPk033CV/1z8ss5pkax8SuhGpcG8g==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0",
+        "is-buffer": "^2.0.0",
+        "unist-util-stringify-position": "^3.0.0",
+        "vfile-message": "^3.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/vfile-matter/node_modules/vfile-message": {
+      "version": "3.1.4",
+      "resolved": "https://registry.npmjs.org/vfile-message/-/vfile-message-3.1.4.tgz",
+      "integrity": "sha512-fa0Z6P8HUrQN4BZaX05SIVXic+7kE3b05PWAtPuYP9QLHsLKYR7/AlLW3NtOrpXRLeawpDLMsVkmk5DG0NXgWw==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0",
+        "unist-util-stringify-position": "^3.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/vfile-matter/node_modules/yaml": {
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.2.1.tgz",
+      "integrity": "sha512-e0WHiYql7+9wr4cWMx3TVQrNwejKaEe7/rHNmQmqRjazfOP5W8PB6Jpebb5o6fIapbz9o9+2ipcaTM2ZwDI6lw==",
+      "dev": true,
+      "engines": {
+        "node": ">= 14"
+      }
+    },
+    "node_modules/vfile-message": {
+      "version": "2.0.4",
+      "integrity": "sha512-DjssxRGkMvifUOJre00juHoP9DPWuzjxKuMDrhNbk2TdaYYBNMStsNhEOt3idrtI12VQYM/1+iM0KOzXi4pxwQ==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0",
+        "unist-util-stringify-position": "^2.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/vfile-reporter": {
+      "version": "7.0.5",
+      "resolved": "https://registry.npmjs.org/vfile-reporter/-/vfile-reporter-7.0.5.tgz",
+      "integrity": "sha512-NdWWXkv6gcd7AZMvDomlQbK3MqFWL1RlGzMn++/O2TI+68+nqxCPTvLugdOtfSzXmjh+xUyhp07HhlrbJjT+mw==",
+      "dev": true,
+      "dependencies": {
+        "@types/supports-color": "^8.0.0",
+        "string-width": "^5.0.0",
+        "supports-color": "^9.0.0",
+        "unist-util-stringify-position": "^3.0.0",
+        "vfile": "^5.0.0",
+        "vfile-message": "^3.0.0",
+        "vfile-sort": "^3.0.0",
+        "vfile-statistics": "^2.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/vfile-reporter-json": {
+      "version": "3.3.0",
+      "resolved": "https://registry.npmjs.org/vfile-reporter-json/-/vfile-reporter-json-3.3.0.tgz",
+      "integrity": "sha512-/zgRtjxQ2UGJn+HViiZ7+nIXtUzkkXFQum3BmaS/bSyr10P0X41ETRqqwMJ95RtbKUah3m7pKb6oS1eZeXXHzQ==",
+      "dev": true,
+      "dependencies": {
+        "vfile": "^5.0.0",
+        "vfile-message": "^3.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/vfile-reporter-json/node_modules/unist-util-stringify-position": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/unist-util-stringify-position/-/unist-util-stringify-position-3.0.3.tgz",
+      "integrity": "sha512-k5GzIBZ/QatR8N5X2y+drfpWG8IDBzdnVj6OInRNWm1oXrzydiaAT2OQiA8DPRRZyAKb9b6I2a6PxYklZD0gKg==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/vfile-reporter-json/node_modules/vfile": {
+      "version": "5.3.7",
+      "resolved": "https://registry.npmjs.org/vfile/-/vfile-5.3.7.tgz",
+      "integrity": "sha512-r7qlzkgErKjobAmyNIkkSpizsFPYiUPuJb5pNW1RB4JcYVZhs4lIbVqk8XPk033CV/1z8ss5pkax8SuhGpcG8g==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0",
+        "is-buffer": "^2.0.0",
+        "unist-util-stringify-position": "^3.0.0",
+        "vfile-message": "^3.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/vfile-reporter-json/node_modules/vfile-message": {
+      "version": "3.1.4",
+      "resolved": "https://registry.npmjs.org/vfile-message/-/vfile-message-3.1.4.tgz",
+      "integrity": "sha512-fa0Z6P8HUrQN4BZaX05SIVXic+7kE3b05PWAtPuYP9QLHsLKYR7/AlLW3NtOrpXRLeawpDLMsVkmk5DG0NXgWw==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0",
+        "unist-util-stringify-position": "^3.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/vfile-reporter/node_modules/ansi-regex": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.0.1.tgz",
+      "integrity": "sha512-n5M855fKb2SsfMIiFFoVrABHJC8QtHwVx+mHWP3QcEqBHYienj5dHSgjbxtC0WEZXYt4wcD6zrQElDPhFuZgfA==",
+      "dev": true,
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/ansi-regex?sponsor=1"
+      }
+    },
+    "node_modules/vfile-reporter/node_modules/string-width": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-5.1.2.tgz",
+      "integrity": "sha512-HnLOCR3vjcY8beoNLtcjZ5/nxn2afmME6lhrDrebokqMap+XbeW8n9TXpPDOqdGK5qcI3oT0GKTW6wC7EMiVqA==",
+      "dev": true,
+      "dependencies": {
+        "eastasianwidth": "^0.2.0",
+        "emoji-regex": "^9.2.2",
+        "strip-ansi": "^7.0.1"
+      },
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/vfile-reporter/node_modules/strip-ansi": {
+      "version": "7.0.1",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.0.1.tgz",
+      "integrity": "sha512-cXNxvT8dFNRVfhVME3JAe98mkXDYN2O1l7jmcwMnOslDeESg1rF/OZMtK0nRAhiari1unG5cD4jG3rapUAkLbw==",
+      "dev": true,
+      "dependencies": {
+        "ansi-regex": "^6.0.1"
+      },
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/strip-ansi?sponsor=1"
+      }
+    },
+    "node_modules/vfile-reporter/node_modules/supports-color": {
+      "version": "9.3.1",
+      "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-9.3.1.tgz",
+      "integrity": "sha512-knBY82pjmnIzK3NifMo3RxEIRD9E0kIzV4BKcyTZ9+9kWgLMxd4PrsTSMoFQUabgRBbF8KOLRDCyKgNV+iK44Q==",
+      "dev": true,
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/supports-color?sponsor=1"
+      }
+    },
+    "node_modules/vfile-reporter/node_modules/unist-util-stringify-position": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/unist-util-stringify-position/-/unist-util-stringify-position-3.0.3.tgz",
+      "integrity": "sha512-k5GzIBZ/QatR8N5X2y+drfpWG8IDBzdnVj6OInRNWm1oXrzydiaAT2OQiA8DPRRZyAKb9b6I2a6PxYklZD0gKg==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/vfile-reporter/node_modules/vfile": {
+      "version": "5.3.7",
+      "resolved": "https://registry.npmjs.org/vfile/-/vfile-5.3.7.tgz",
+      "integrity": "sha512-r7qlzkgErKjobAmyNIkkSpizsFPYiUPuJb5pNW1RB4JcYVZhs4lIbVqk8XPk033CV/1z8ss5pkax8SuhGpcG8g==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0",
+        "is-buffer": "^2.0.0",
+        "unist-util-stringify-position": "^3.0.0",
+        "vfile-message": "^3.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/vfile-reporter/node_modules/vfile-message": {
+      "version": "3.1.4",
+      "resolved": "https://registry.npmjs.org/vfile-message/-/vfile-message-3.1.4.tgz",
+      "integrity": "sha512-fa0Z6P8HUrQN4BZaX05SIVXic+7kE3b05PWAtPuYP9QLHsLKYR7/AlLW3NtOrpXRLeawpDLMsVkmk5DG0NXgWw==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0",
+        "unist-util-stringify-position": "^3.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/vfile-sort": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/vfile-sort/-/vfile-sort-3.0.1.tgz",
+      "integrity": "sha512-1os1733XY6y0D5x0ugqSeaVJm9lYgj0j5qdcZQFyxlZOSy1jYarL77lLyb5gK4Wqr1d5OxmuyflSO3zKyFnTFw==",
+      "dev": true,
+      "dependencies": {
+        "vfile": "^5.0.0",
+        "vfile-message": "^3.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/vfile-sort/node_modules/unist-util-stringify-position": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/unist-util-stringify-position/-/unist-util-stringify-position-3.0.3.tgz",
+      "integrity": "sha512-k5GzIBZ/QatR8N5X2y+drfpWG8IDBzdnVj6OInRNWm1oXrzydiaAT2OQiA8DPRRZyAKb9b6I2a6PxYklZD0gKg==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/vfile-sort/node_modules/vfile": {
+      "version": "5.3.7",
+      "resolved": "https://registry.npmjs.org/vfile/-/vfile-5.3.7.tgz",
+      "integrity": "sha512-r7qlzkgErKjobAmyNIkkSpizsFPYiUPuJb5pNW1RB4JcYVZhs4lIbVqk8XPk033CV/1z8ss5pkax8SuhGpcG8g==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0",
+        "is-buffer": "^2.0.0",
+        "unist-util-stringify-position": "^3.0.0",
+        "vfile-message": "^3.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/vfile-sort/node_modules/vfile-message": {
+      "version": "3.1.4",
+      "resolved": "https://registry.npmjs.org/vfile-message/-/vfile-message-3.1.4.tgz",
+      "integrity": "sha512-fa0Z6P8HUrQN4BZaX05SIVXic+7kE3b05PWAtPuYP9QLHsLKYR7/AlLW3NtOrpXRLeawpDLMsVkmk5DG0NXgWw==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0",
+        "unist-util-stringify-position": "^3.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/vfile-statistics": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/vfile-statistics/-/vfile-statistics-2.0.1.tgz",
+      "integrity": "sha512-W6dkECZmP32EG/l+dp2jCLdYzmnDBIw6jwiLZSER81oR5AHRcVqL+k3Z+pfH1R73le6ayDkJRMk0sutj1bMVeg==",
+      "dev": true,
+      "dependencies": {
+        "vfile": "^5.0.0",
+        "vfile-message": "^3.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/vfile-statistics/node_modules/unist-util-stringify-position": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/unist-util-stringify-position/-/unist-util-stringify-position-3.0.3.tgz",
+      "integrity": "sha512-k5GzIBZ/QatR8N5X2y+drfpWG8IDBzdnVj6OInRNWm1oXrzydiaAT2OQiA8DPRRZyAKb9b6I2a6PxYklZD0gKg==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/vfile-statistics/node_modules/vfile": {
+      "version": "5.3.7",
+      "resolved": "https://registry.npmjs.org/vfile/-/vfile-5.3.7.tgz",
+      "integrity": "sha512-r7qlzkgErKjobAmyNIkkSpizsFPYiUPuJb5pNW1RB4JcYVZhs4lIbVqk8XPk033CV/1z8ss5pkax8SuhGpcG8g==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0",
+        "is-buffer": "^2.0.0",
+        "unist-util-stringify-position": "^3.0.0",
+        "vfile-message": "^3.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/vfile-statistics/node_modules/vfile-message": {
+      "version": "3.1.4",
+      "resolved": "https://registry.npmjs.org/vfile-message/-/vfile-message-3.1.4.tgz",
+      "integrity": "sha512-fa0Z6P8HUrQN4BZaX05SIVXic+7kE3b05PWAtPuYP9QLHsLKYR7/AlLW3NtOrpXRLeawpDLMsVkmk5DG0NXgWw==",
+      "dev": true,
+      "dependencies": {
+        "@types/unist": "^2.0.0",
+        "unist-util-stringify-position": "^3.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
+    "node_modules/w3c-hr-time": {
+      "version": "1.0.2",
+      "integrity": "sha512-z8P5DvDNjKDoFIHK7q8r8lackT6l+jo/Ye3HOle7l9nICP9lf1Ci25fy9vHd0JOWewkIFzXIEig3TdKT7JQ5fQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "browser-process-hrtime": "^1.0.0"
+      }
+    },
+    "node_modules/w3c-xmlserializer": {
+      "version": "2.0.0",
+      "integrity": "sha512-4tzD0mF8iSiMiNs30BiLO3EpfGLZUT2MSX/G+o7ZywDzliWQ3OPtTZ0PTC3B3ca1UAf4cJMHB+2Bf56EriJuRA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "xml-name-validator": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/walker": {
+      "version": "1.0.7",
+      "integrity": "sha1-L3+bj9ENZ3JisYqITijRlhjgKPs=",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "makeerror": "1.0.x"
+      }
+    },
+    "node_modules/webidl-conversions": {
+      "version": "6.1.0",
+      "integrity": "sha512-qBIvFLGiBpLjfwmYAaHPXsn+ho5xZnGvyGvsarywGNc8VyQJUMHJ8OBKGGrPER0okBeMDaan4mNBlgBROxuI8w==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=10.4"
+      }
+    },
+    "node_modules/whatwg-encoding": {
+      "version": "1.0.5",
+      "integrity": "sha512-b5lim54JOPN9HtzvK9HFXvBma/rnfFeqsic0hSpjtDbVxR3dJKLc+KB4V6GgiGOvl7CY/KNh8rxSo9DKQrnUEw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "iconv-lite": "0.4.24"
+      }
+    },
+    "node_modules/whatwg-mimetype": {
+      "version": "2.3.0",
+      "integrity": "sha512-M4yMwr6mAnQz76TbJm914+gPpB/nCwvZbJU28cUD6dR004SAxDLOOSUaB1JDRqLtaOV/vi0IC5lEAGFgrjGv/g==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/whatwg-url": {
+      "version": "8.7.0",
+      "integrity": "sha512-gAojqb/m9Q8a5IV96E3fHJM70AzCkgt4uXYX2O7EmuyOnLrViCQlsEBmF9UQIu3/aeAIp2U17rtbpZWNntQqdg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "lodash": "^4.7.0",
+        "tr46": "^2.1.0",
+        "webidl-conversions": "^6.1.0"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/which": {
+      "version": "2.0.2",
+      "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==",
+      "dev": true,
+      "dependencies": {
+        "isexe": "^2.0.0"
+      },
+      "bin": {
+        "node-which": "bin/node-which"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/which-boxed-primitive": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/which-boxed-primitive/-/which-boxed-primitive-1.0.2.tgz",
+      "integrity": "sha512-bwZdv0AKLpplFY2KZRX6TvyuN7ojjr7lwkg6ml0roIy9YeuSr7JS372qlNW18UQYzgYK9ziGcerWqZOmEn9VNg==",
+      "dev": true,
+      "dependencies": {
+        "is-bigint": "^1.0.1",
+        "is-boolean-object": "^1.1.0",
+        "is-number-object": "^1.0.4",
+        "is-string": "^1.0.5",
+        "is-symbol": "^1.0.3"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/which-collection": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/which-collection/-/which-collection-1.0.1.tgz",
+      "integrity": "sha512-W8xeTUwaln8i3K/cY1nGXzdnVZlidBcagyNFtBdD5kxnb4TvGKR7FfSIS3mYpwWS1QUCutfKz8IY8RjftB0+1A==",
+      "dev": true,
+      "dependencies": {
+        "is-map": "^2.0.1",
+        "is-set": "^2.0.1",
+        "is-weakmap": "^2.0.1",
+        "is-weakset": "^2.0.1"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/which-module": {
+      "version": "2.0.0",
+      "integrity": "sha1-2e8H3Od7mQK4o6j6SzHD4/fm6Ho=",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/which-typed-array": {
+      "version": "1.1.9",
+      "resolved": "https://registry.npmjs.org/which-typed-array/-/which-typed-array-1.1.9.tgz",
+      "integrity": "sha512-w9c4xkx6mPidwp7180ckYWfMmvxpjlZuIudNtDf4N/tTAUB8VJbX25qZoAsrtGuYNnGw3pa0AXgbGKRB8/EceA==",
+      "dev": true,
+      "dependencies": {
+        "available-typed-arrays": "^1.0.5",
+        "call-bind": "^1.0.2",
+        "for-each": "^0.3.3",
+        "gopd": "^1.0.1",
+        "has-tostringtag": "^1.0.0",
+        "is-typed-array": "^1.1.10"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/word-wrap": {
+      "version": "1.2.3",
+      "integrity": "sha512-Hz/mrNwitNRh/HUAtM/VT/5VH+ygD6DV7mYKZAtHOrbs8U7lvPS6xf7EJKMF0uW1KJCl0H701g3ZGus+muE5vQ==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/wrap-ansi": {
+      "version": "7.0.0",
+      "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==",
+      "dev": true,
+      "dependencies": {
+        "ansi-styles": "^4.0.0",
+        "string-width": "^4.1.0",
+        "strip-ansi": "^6.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/wrap-ansi?sponsor=1"
+      }
+    },
+    "node_modules/wrappy": {
+      "version": "1.0.2",
+      "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8=",
+      "dev": true
+    },
+    "node_modules/write-file-atomic": {
+      "version": "3.0.3",
+      "integrity": "sha512-AvHcyZ5JnSfq3ioSyjrBkH9yW4m7Ayk8/9My/DD9onKeu/94fwrMocemO2QAJFAlnnDN+ZDS+ZjAR5ua1/PV/Q==",
+      "dev": true,
+      "dependencies": {
+        "imurmurhash": "^0.1.4",
+        "is-typedarray": "^1.0.0",
+        "signal-exit": "^3.0.2",
+        "typedarray-to-buffer": "^3.1.5"
+      }
+    },
+    "node_modules/ws": {
+      "version": "7.5.5",
+      "integrity": "sha512-BAkMFcAzl8as1G/hArkxOxq3G7pjUqQ3gzYbLL0/5zNkph70e+lCoxBGnm6AW1+/aiNeV4fnKqZ8m4GZewmH2w==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=8.3.0"
+      },
+      "peerDependencies": {
+        "bufferutil": "^4.0.1",
+        "utf-8-validate": "^5.0.2"
+      },
+      "peerDependenciesMeta": {
+        "bufferutil": {
+          "optional": true
+        },
+        "utf-8-validate": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/xml-name-validator": {
+      "version": "3.0.0",
+      "integrity": "sha512-A5CUptxDsvxKJEU3yO6DuWBSJz/qizqzJKOMIfUJHETbBw/sFaDxgd6fxm1ewUaM0jZ444Fc5vC5ROYurg/4Pw==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/xmlchars": {
+      "version": "2.2.0",
+      "integrity": "sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/xtend": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/xtend/-/xtend-4.0.2.tgz",
+      "integrity": "sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.4"
+      }
+    },
+    "node_modules/y18n": {
+      "version": "4.0.3",
+      "integrity": "sha512-JKhqTOwSrqNA1NY5lSztJ1GrBiUodLMmIZuLiDaMRJ+itFd+ABVE8XBjOvIWL+rSqNDC74LCSFmlb/U4UZ4hJQ==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/yallist": {
+      "version": "4.0.0",
+      "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==",
+      "dev": true
+    },
+    "node_modules/yaml": {
+      "version": "1.10.2",
+      "integrity": "sha512-r3vXyErRCYJ7wg28yvBY5VSoAF8ZvlcW9/BwUzEtUsjvX/DKs24dIkuwjtuprwJJHsbyUbLApepYTR1BN4uHrg==",
+      "dev": true,
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/yargs": {
+      "version": "15.4.1",
+      "integrity": "sha512-aePbxDmcYW++PaqBsJ+HYUFwCdv4LVvdnhBy78E57PIor8/OVvhMrADFFEDh8DHDFRv/O9i3lPhsENjO7QX0+A==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "cliui": "^6.0.0",
+        "decamelize": "^1.2.0",
+        "find-up": "^4.1.0",
+        "get-caller-file": "^2.0.1",
+        "require-directory": "^2.1.1",
+        "require-main-filename": "^2.0.0",
+        "set-blocking": "^2.0.0",
+        "string-width": "^4.2.0",
+        "which-module": "^2.0.0",
+        "y18n": "^4.0.0",
+        "yargs-parser": "^18.1.2"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/yargs-parser": {
+      "version": "20.2.9",
+      "integrity": "sha512-y11nGElTIV+CT3Zv9t7VKl+Q3hTQoT9a1Qzezhhl6Rp21gJ/IVTW7Z3y9EWXhuUBC2Shnf+DX0antecpAwSP8w==",
+      "dev": true,
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/yargs/node_modules/find-up": {
+      "version": "4.1.0",
+      "integrity": "sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "locate-path": "^5.0.0",
+        "path-exists": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/yargs/node_modules/locate-path": {
+      "version": "5.0.0",
+      "integrity": "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "p-locate": "^4.1.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/yargs/node_modules/p-limit": {
+      "version": "2.3.0",
+      "integrity": "sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "p-try": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/yargs/node_modules/p-locate": {
+      "version": "4.1.0",
+      "integrity": "sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "p-limit": "^2.2.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/yargs/node_modules/path-exists": {
+      "version": "4.0.0",
+      "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/yargs/node_modules/yargs-parser": {
+      "version": "18.1.3",
+      "integrity": "sha512-o50j0JeToy/4K6OZcaQmW6lyXXKhq7csREXcDwk2omFPJEwUNOVtJKvmDr9EI1fAJZUyZcRF7kxGBWmRXudrCQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "camelcase": "^5.0.0",
+        "decamelize": "^1.2.0"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/yocto-queue": {
+      "version": "0.1.0",
+      "resolved": "https://registry.npmjs.org/yocto-queue/-/yocto-queue-0.1.0.tgz",
+      "integrity": "sha512-rVksvsnNCdJ/ohGc6xgPwyN8eheCxsiLM8mxuE/t/mOVqJewPuO1miLpTHQiRgTKCLexL4MeAFVagts7HmNZ2Q==",
+      "dev": true,
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/zod": {
+      "version": "3.20.6",
+      "resolved": "https://registry.npmjs.org/zod/-/zod-3.20.6.tgz",
+      "integrity": "sha512-oyu0m54SGCtzh6EClBVqDDlAYRz4jrVtKwQ7ZnsEmMI9HnzuZFj8QFwAY1M5uniIYACdGvv0PBWPF2kO0aNofA==",
+      "dev": true,
+      "funding": {
+        "url": "https://github.com/sponsors/colinhacks"
+      }
+    },
+    "node_modules/zwitch": {
+      "version": "1.0.5",
+      "integrity": "sha512-V50KMwwzqJV0NpZIZFwfOD5/lyny3WlSzRiXgA0G7VUnRlqttta1L6UQIHzd6EuBY/cHGfwTIck7w1yH6Q5zUw==",
+      "dev": true,
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/wooorm"
+      }
     }
-    return `${this.buildURL()}/replication/${suffix}`;
-  },
-
-  replicationStatus() {
-    return this.ajax(`${this.buildURL()}/replication/status`, 'GET', { unauthenticated: true });
   },
-
-  replicationDrPromote(data, options) {
-    const verb = options && options.checkStatus ? 'GET' : 'PUT';
-    return this.ajax(`${this.buildURL()}/replication/dr/secondary/promote`, verb, {
-      data,
-      unauthenticated: true,
-    });
-  },
-
-  generateDrOperationToken(data, options) {
-    let verb = 'POST';
-    let url = `${this.buildURL()}/replication/dr/secondary/generate-operation-token/`;
-    if (options?.cancel) {
-      verb = 'DELETE';
-      url += 'attempt';
-    } else if (options?.checkStatus) {
-      verb = 'GET';
-      url += 'attempt';
-    } else if (data?.pgp_key || data?.attempt) {
-      url += 'attempt';
-    } else {
-      // progress the operation
-      url += 'update';
+  "dependencies": {
+    "@babel/code-frame": {
+      "version": "7.15.8",
+      "integrity": "sha512-2IAnmn8zbvC/jKYhq5Ki9I+DwjlrtMPUCH/CpHvqI4dNnlwHwsxoIhlc8WcYY5LSYknXQtAlFYuHfqAFCvQ4Wg==",
+      "dev": true,
+      "requires": {
+        "@babel/highlight": "^7.14.5"
+      }
+    },
+    "@babel/compat-data": {
+      "version": "7.15.0",
+      "integrity": "sha512-0NqAC1IJE0S0+lL1SWFMxMkz1pKCNCjI4tr2Zx4LJSXxCLAdr6KyArnY+sno5m3yH9g737ygOyPABDsnXkpxiA==",
+      "dev": true
+    },
+    "@babel/core": {
+      "version": "7.15.8",
+      "integrity": "sha512-3UG9dsxvYBMYwRv+gS41WKHno4K60/9GPy1CJaH6xy3Elq8CTtvtjT5R5jmNhXfCYLX2mTw+7/aq5ak/gOE0og==",
+      "dev": true,
+      "requires": {
+        "@babel/code-frame": "^7.15.8",
+        "@babel/generator": "^7.15.8",
+        "@babel/helper-compilation-targets": "^7.15.4",
+        "@babel/helper-module-transforms": "^7.15.8",
+        "@babel/helpers": "^7.15.4",
+        "@babel/parser": "^7.15.8",
+        "@babel/template": "^7.15.4",
+        "@babel/traverse": "^7.15.4",
+        "@babel/types": "^7.15.6",
+        "convert-source-map": "^1.7.0",
+        "debug": "^4.1.0",
+        "gensync": "^1.0.0-beta.2",
+        "json5": "^2.1.2",
+        "semver": "^6.3.0",
+        "source-map": "^0.5.0"
+      },
+      "dependencies": {
+        "semver": {
+          "version": "6.3.0",
+          "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==",
+          "dev": true
+        }
+      }
+    },
+    "@babel/generator": {
+      "version": "7.15.8",
+      "integrity": "sha512-ECmAKstXbp1cvpTTZciZCgfOt6iN64lR0d+euv3UZisU5awfRawOvg07Utn/qBGuH4bRIEZKrA/4LzZyXhZr8g==",
+      "dev": true,
+      "requires": {
+        "@babel/types": "^7.15.6",
+        "jsesc": "^2.5.1",
+        "source-map": "^0.5.0"
+      }
+    },
+    "@babel/helper-compilation-targets": {
+      "version": "7.15.4",
+      "integrity": "sha512-rMWPCirulnPSe4d+gwdWXLfAXTTBj8M3guAf5xFQJ0nvFY7tfNAFnWdqaHegHlgDZOCT4qvhF3BYlSJag8yhqQ==",
+      "dev": true,
+      "requires": {
+        "@babel/compat-data": "^7.15.0",
+        "@babel/helper-validator-option": "^7.14.5",
+        "browserslist": "^4.16.6",
+        "semver": "^6.3.0"
+      },
+      "dependencies": {
+        "semver": {
+          "version": "6.3.0",
+          "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==",
+          "dev": true
+        }
+      }
+    },
+    "@babel/helper-function-name": {
+      "version": "7.15.4",
+      "integrity": "sha512-Z91cOMM4DseLIGOnog+Z8OI6YseR9bua+HpvLAQ2XayUGU+neTtX+97caALaLdyu53I/fjhbeCnWnRH1O3jFOw==",
+      "dev": true,
+      "requires": {
+        "@babel/helper-get-function-arity": "^7.15.4",
+        "@babel/template": "^7.15.4",
+        "@babel/types": "^7.15.4"
+      }
+    },
+    "@babel/helper-get-function-arity": {
+      "version": "7.15.4",
+      "integrity": "sha512-1/AlxSF92CmGZzHnC515hm4SirTxtpDnLEJ0UyEMgTMZN+6bxXKg04dKhiRx5Enel+SUA1G1t5Ed/yQia0efrA==",
+      "dev": true,
+      "requires": {
+        "@babel/types": "^7.15.4"
+      }
+    },
+    "@babel/helper-hoist-variables": {
+      "version": "7.15.4",
+      "integrity": "sha512-VTy085egb3jUGVK9ycIxQiPbquesq0HUQ+tPO0uv5mPEBZipk+5FkRKiWq5apuyTE9FUrjENB0rCf8y+n+UuhA==",
+      "dev": true,
+      "requires": {
+        "@babel/types": "^7.15.4"
+      }
+    },
+    "@babel/helper-member-expression-to-functions": {
+      "version": "7.15.4",
+      "integrity": "sha512-cokOMkxC/BTyNP1AlY25HuBWM32iCEsLPI4BHDpJCHHm1FU2E7dKWWIXJgQgSFiu4lp8q3bL1BIKwqkSUviqtA==",
+      "dev": true,
+      "requires": {
+        "@babel/types": "^7.15.4"
+      }
+    },
+    "@babel/helper-module-imports": {
+      "version": "7.15.4",
+      "integrity": "sha512-jeAHZbzUwdW/xHgHQ3QmWR4Jg6j15q4w/gCfwZvtqOxoo5DKtLHk8Bsf4c5RZRC7NmLEs+ohkdq8jFefuvIxAA==",
+      "dev": true,
+      "requires": {
+        "@babel/types": "^7.15.4"
+      }
+    },
+    "@babel/helper-module-transforms": {
+      "version": "7.15.8",
+      "integrity": "sha512-DfAfA6PfpG8t4S6npwzLvTUpp0sS7JrcuaMiy1Y5645laRJIp/LiLGIBbQKaXSInK8tiGNI7FL7L8UvB8gdUZg==",
+      "dev": true,
+      "requires": {
+        "@babel/helper-module-imports": "^7.15.4",
+        "@babel/helper-replace-supers": "^7.15.4",
+        "@babel/helper-simple-access": "^7.15.4",
+        "@babel/helper-split-export-declaration": "^7.15.4",
+        "@babel/helper-validator-identifier": "^7.15.7",
+        "@babel/template": "^7.15.4",
+        "@babel/traverse": "^7.15.4",
+        "@babel/types": "^7.15.6"
+      }
+    },
+    "@babel/helper-optimise-call-expression": {
+      "version": "7.15.4",
+      "integrity": "sha512-E/z9rfbAOt1vDW1DR7k4SzhzotVV5+qMciWV6LaG1g4jeFrkDlJedjtV4h0i4Q/ITnUu+Pk08M7fczsB9GXBDw==",
+      "dev": true,
+      "requires": {
+        "@babel/types": "^7.15.4"
+      }
+    },
+    "@babel/helper-plugin-utils": {
+      "version": "7.20.2",
+      "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.20.2.tgz",
+      "integrity": "sha512-8RvlJG2mj4huQ4pZ+rU9lqKi9ZKiRmuvGuM2HlWmkmgOhbs6zEAw6IEiJ5cQqGbDzGZOhwuOQNtZMi/ENLjZoQ==",
+      "dev": true
+    },
+    "@babel/helper-replace-supers": {
+      "version": "7.15.4",
+      "integrity": "sha512-/ztT6khaXF37MS47fufrKvIsiQkx1LBRvSJNzRqmbyeZnTwU9qBxXYLaaT/6KaxfKhjs2Wy8kG8ZdsFUuWBjzw==",
+      "dev": true,
+      "requires": {
+        "@babel/helper-member-expression-to-functions": "^7.15.4",
+        "@babel/helper-optimise-call-expression": "^7.15.4",
+        "@babel/traverse": "^7.15.4",
+        "@babel/types": "^7.15.4"
+      }
+    },
+    "@babel/helper-simple-access": {
+      "version": "7.15.4",
+      "integrity": "sha512-UzazrDoIVOZZcTeHHEPYrr1MvTR/K+wgLg6MY6e1CJyaRhbibftF6fR2KU2sFRtI/nERUZR9fBd6aKgBlIBaPg==",
+      "dev": true,
+      "requires": {
+        "@babel/types": "^7.15.4"
+      }
+    },
+    "@babel/helper-split-export-declaration": {
+      "version": "7.15.4",
+      "integrity": "sha512-HsFqhLDZ08DxCpBdEVtKmywj6PQbwnF6HHybur0MAnkAKnlS6uHkwnmRIkElB2Owpfb4xL4NwDmDLFubueDXsw==",
+      "dev": true,
+      "requires": {
+        "@babel/types": "^7.15.4"
+      }
+    },
+    "@babel/helper-validator-identifier": {
+      "version": "7.15.7",
+      "integrity": "sha512-K4JvCtQqad9OY2+yTU8w+E82ywk/fe+ELNlt1G8z3bVGlZfn/hOcQQsUhGhW/N+tb3fxK800wLtKOE/aM0m72w==",
+      "dev": true
+    },
+    "@babel/helper-validator-option": {
+      "version": "7.14.5",
+      "integrity": "sha512-OX8D5eeX4XwcroVW45NMvoYaIuFI+GQpA2a8Gi+X/U/cDUIRsV37qQfF905F0htTRCREQIB4KqPeaveRJUl3Ow==",
+      "dev": true
+    },
+    "@babel/helpers": {
+      "version": "7.15.4",
+      "integrity": "sha512-V45u6dqEJ3w2rlryYYXf6i9rQ5YMNu4FLS6ngs8ikblhu2VdR1AqAd6aJjBzmf2Qzh6KOLqKHxEN9+TFbAkAVQ==",
+      "dev": true,
+      "requires": {
+        "@babel/template": "^7.15.4",
+        "@babel/traverse": "^7.15.4",
+        "@babel/types": "^7.15.4"
+      }
+    },
+    "@babel/highlight": {
+      "version": "7.14.5",
+      "integrity": "sha512-qf9u2WFWVV0MppaL877j2dBtQIDgmidgjGk5VIMw3OadXvYaXn66U1BFlH2t4+t3i+8PhedppRv+i40ABzd+gg==",
+      "dev": true,
+      "requires": {
+        "@babel/helper-validator-identifier": "^7.14.5",
+        "chalk": "^2.0.0",
+        "js-tokens": "^4.0.0"
+      },
+      "dependencies": {
+        "ansi-styles": {
+          "version": "3.2.1",
+          "integrity": "sha512-VT0ZI6kZRdTh8YyJw3SMbYm/u+NqfsAxEpWO0Pf9sq8/e94WxxOpPKx9FR1FlyCtOVDNOQ+8ntlqFxiRc+r5qA==",
+          "dev": true,
+          "requires": {
+            "color-convert": "^1.9.0"
+          }
+        },
+        "chalk": {
+          "version": "2.4.2",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "dev": true,
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        },
+        "color-convert": {
+          "version": "1.9.3",
+          "integrity": "sha512-QfAUtd+vFdAtFQcC8CCyYt1fYWxSqAiK2cSD6zDB8N3cpsEBAvRxp9zOGg6G/SHHJYAT88/az/IuDGALsNVbGg==",
+          "dev": true,
+          "requires": {
+            "color-name": "1.1.3"
+          }
+        },
+        "color-name": {
+          "version": "1.1.3",
+          "integrity": "sha1-p9BVi9icQveV3UIyj3QIMcpTvCU=",
+          "dev": true
+        },
+        "has-flag": {
+          "version": "3.0.0",
+          "integrity": "sha1-tdRU3CGZriJWmfNGfloH87lVuv0=",
+          "dev": true
+        },
+        "supports-color": {
+          "version": "5.5.0",
+          "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+          "dev": true,
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "@babel/parser": {
+      "version": "7.15.8",
+      "integrity": "sha512-BRYa3wcQnjS/nqI8Ac94pYYpJfojHVvVXJ97+IDCImX4Jc8W8Xv1+47enbruk+q1etOpsQNwnfFcNGw+gtPGxA==",
+      "dev": true
+    },
+    "@babel/plugin-proposal-object-rest-spread": {
+      "version": "7.12.1",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-proposal-object-rest-spread/-/plugin-proposal-object-rest-spread-7.12.1.tgz",
+      "integrity": "sha512-s6SowJIjzlhx8o7lsFx5zmY4At6CTtDvgNQDdPzkBQucle58A6b/TTeEBYtyDgmcXjUTM+vE8YOGHZzzbc/ioA==",
+      "dev": true,
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.10.4",
+        "@babel/plugin-syntax-object-rest-spread": "^7.8.0",
+        "@babel/plugin-transform-parameters": "^7.12.1"
+      }
+    },
+    "@babel/plugin-syntax-async-generators": {
+      "version": "7.8.4",
+      "integrity": "sha512-tycmZxkGfZaxhMRbXlPXuVFpdWlXpir2W4AMhSJgRKzk/eDlIXOhb2LHWoLpDF7TEHylV5zNhykX6KAgHJmTNw==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.8.0"
+      }
+    },
+    "@babel/plugin-syntax-bigint": {
+      "version": "7.8.3",
+      "integrity": "sha512-wnTnFlG+YxQm3vDxpGE57Pj0srRU4sHE/mDkt1qv2YJJSeUAec2ma4WLUnUPeKjyrfntVwe/N6dCXpU+zL3Npg==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.8.0"
+      }
+    },
+    "@babel/plugin-syntax-class-properties": {
+      "version": "7.12.13",
+      "integrity": "sha512-fm4idjKla0YahUNgFNLCB0qySdsoPiZP3iQE3rky0mBUtMZ23yDJ9SJdg6dXTSDnulOVqiF3Hgr9nbXvXTQZYA==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.12.13"
+      }
+    },
+    "@babel/plugin-syntax-import-meta": {
+      "version": "7.10.4",
+      "integrity": "sha512-Yqfm+XDx0+Prh3VSeEQCPU81yC+JWZ2pDPFSS4ZdpfZhp4MkFMaDC1UqseovEKwSUpnIL7+vK+Clp7bfh0iD7g==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.10.4"
+      }
+    },
+    "@babel/plugin-syntax-json-strings": {
+      "version": "7.8.3",
+      "integrity": "sha512-lY6kdGpWHvjoe2vk4WrAapEuBR69EMxZl+RoGRhrFGNYVK8mOPAW8VfbT/ZgrFbXlDNiiaxQnAtgVCZ6jv30EA==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.8.0"
+      }
+    },
+    "@babel/plugin-syntax-jsx": {
+      "version": "7.12.1",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-jsx/-/plugin-syntax-jsx-7.12.1.tgz",
+      "integrity": "sha512-1yRi7yAtB0ETgxdY9ti/p2TivUxJkTdhu/ZbF9MshVGqOx1TdB3b7xCXs49Fupgg50N45KcAsRP/ZqWjs9SRjg==",
+      "dev": true,
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.10.4"
+      }
+    },
+    "@babel/plugin-syntax-logical-assignment-operators": {
+      "version": "7.10.4",
+      "integrity": "sha512-d8waShlpFDinQ5MtvGU9xDAOzKH47+FFoney2baFIoMr952hKOLp1HR7VszoZvOsV/4+RRszNY7D17ba0te0ig==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.10.4"
+      }
+    },
+    "@babel/plugin-syntax-nullish-coalescing-operator": {
+      "version": "7.8.3",
+      "integrity": "sha512-aSff4zPII1u2QD7y+F8oDsz19ew4IGEJg9SVW+bqwpwtfFleiQDMdzA/R+UlWDzfnHFCxxleFT0PMIrR36XLNQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.8.0"
+      }
+    },
+    "@babel/plugin-syntax-numeric-separator": {
+      "version": "7.10.4",
+      "integrity": "sha512-9H6YdfkcK/uOnY/K7/aA2xpzaAgkQn37yzWUMRK7OaPOqOpGS1+n0H5hxT9AUw9EsSjPW8SVyMJwYRtWs3X3ug==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.10.4"
+      }
+    },
+    "@babel/plugin-syntax-object-rest-spread": {
+      "version": "7.8.3",
+      "integrity": "sha512-XoqMijGZb9y3y2XskN+P1wUGiVwWZ5JmoDRwx5+3GmEplNyVM2s2Dg8ILFQm8rWM48orGy5YpI5Bl8U1y7ydlA==",
+      "dev": true,
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.8.0"
+      }
+    },
+    "@babel/plugin-syntax-optional-catch-binding": {
+      "version": "7.8.3",
+      "integrity": "sha512-6VPD0Pc1lpTqw0aKoeRTMiB+kWhAoT24PA+ksWSBrFtl5SIRVpZlwN3NNPQjehA2E/91FV3RjLWoVTglWcSV3Q==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.8.0"
+      }
+    },
+    "@babel/plugin-syntax-optional-chaining": {
+      "version": "7.8.3",
+      "integrity": "sha512-KoK9ErH1MBlCPxV0VANkXW2/dw4vlbGDrFgz8bmUsBGYkFRcbRwMh6cIJubdPrkxRwuGdtCk0v/wPTKbQgBjkg==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.8.0"
+      }
+    },
+    "@babel/plugin-syntax-top-level-await": {
+      "version": "7.14.5",
+      "integrity": "sha512-hx++upLv5U1rgYfwe1xBQUhRmU41NEvpUvrp8jkrSCdvGSnM5/qdRMtylJ6PG5OFkBaHkbTAKTnd3/YyESRHFw==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.14.5"
+      }
+    },
+    "@babel/plugin-transform-parameters": {
+      "version": "7.20.7",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-parameters/-/plugin-transform-parameters-7.20.7.tgz",
+      "integrity": "sha512-WiWBIkeHKVOSYPO0pWkxGPfKeWrCJyD3NJ53+Lrp/QMSZbsVPovrVl2aWZ19D/LTVnaDv5Ap7GJ/B2CTOZdrfA==",
+      "dev": true,
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.20.2"
+      }
+    },
+    "@babel/runtime": {
+      "version": "7.20.7",
+      "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.20.7.tgz",
+      "integrity": "sha512-UF0tvkUtxwAgZ5W/KrkHf0Rn0fdnLDU9ScxBrEVNUprE/MzirjK4MJUX1/BVDv00Sv8cljtukVK1aky++X1SjQ==",
+      "dev": true,
+      "requires": {
+        "regenerator-runtime": "^0.13.11"
+      }
+    },
+    "@babel/template": {
+      "version": "7.15.4",
+      "integrity": "sha512-UgBAfEa1oGuYgDIPM2G+aHa4Nlo9Lh6mGD2bDBGMTbYnc38vulXPuC1MGjYILIEmlwl6Rd+BPR9ee3gm20CBtg==",
+      "dev": true,
+      "requires": {
+        "@babel/code-frame": "^7.14.5",
+        "@babel/parser": "^7.15.4",
+        "@babel/types": "^7.15.4"
+      }
+    },
+    "@babel/traverse": {
+      "version": "7.15.4",
+      "integrity": "sha512-W6lQD8l4rUbQR/vYgSuCAE75ADyyQvOpFVsvPPdkhf6lATXAsQIG9YdtOcu8BB1dZ0LKu+Zo3c1wEcbKeuhdlA==",
+      "dev": true,
+      "requires": {
+        "@babel/code-frame": "^7.14.5",
+        "@babel/generator": "^7.15.4",
+        "@babel/helper-function-name": "^7.15.4",
+        "@babel/helper-hoist-variables": "^7.15.4",
+        "@babel/helper-split-export-declaration": "^7.15.4",
+        "@babel/parser": "^7.15.4",
+        "@babel/types": "^7.15.4",
+        "debug": "^4.1.0",
+        "globals": "^11.1.0"
+      }
+    },
+    "@babel/types": {
+      "version": "7.15.6",
+      "integrity": "sha512-BPU+7QhqNjmWyDO0/vitH/CuhpV8ZmK1wpKva8nuyNF5MJfuRNWMc+hc14+u9xT93kvykMdncrJT19h74uB1Ig==",
+      "dev": true,
+      "requires": {
+        "@babel/helper-validator-identifier": "^7.14.9",
+        "to-fast-properties": "^2.0.0"
+      }
+    },
+    "@bcoe/v8-coverage": {
+      "version": "0.2.3",
+      "integrity": "sha512-0hYQ8SB4Db5zvZB4axdMHGwEaQjkZzFjQiN9LVYvIFB2nSUHW9tYpxWriPrWDASIxiaXax83REcLxuSdnGPZtw==",
+      "dev": true,
+      "peer": true
+    },
+    "@cnakazawa/watch": {
+      "version": "1.0.4",
+      "integrity": "sha512-v9kIhKwjeZThiWrLmj0y17CWoyddASLj9O2yvbZkbvw/N3rWOYy9zkV66ursAoVr0mV15bL8g0c4QZUE6cdDoQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "exec-sh": "^0.3.2",
+        "minimist": "^1.2.0"
+      }
+    },
+    "@eslint/eslintrc": {
+      "version": "1.4.1",
+      "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-1.4.1.tgz",
+      "integrity": "sha512-XXrH9Uarn0stsyldqDYq8r++mROmWRI1xKMXa640Bb//SY1+ECYX6VzT6Lcx5frD0V30XieqJ0oX9I2Xj5aoMA==",
+      "dev": true,
+      "requires": {
+        "ajv": "^6.12.4",
+        "debug": "^4.3.2",
+        "espree": "^9.4.0",
+        "globals": "^13.19.0",
+        "ignore": "^5.2.0",
+        "import-fresh": "^3.2.1",
+        "js-yaml": "^4.1.0",
+        "minimatch": "^3.1.2",
+        "strip-json-comments": "^3.1.1"
+      },
+      "dependencies": {
+        "globals": {
+          "version": "13.19.0",
+          "resolved": "https://registry.npmjs.org/globals/-/globals-13.19.0.tgz",
+          "integrity": "sha512-dkQ957uSRWHw7CFXLUtUHQI3g3aWApYhfNR2O6jn/907riyTYKVBmxYVROkBcY614FSSeSJh7Xm7SrUWCxvJMQ==",
+          "dev": true,
+          "requires": {
+            "type-fest": "^0.20.2"
+          }
+        },
+        "type-fest": {
+          "version": "0.20.2",
+          "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-0.20.2.tgz",
+          "integrity": "sha512-Ne+eE4r0/iWnpAxD852z3A+N0Bt5RN//NjJwRd2VFHEmrywxf5vsZlh4R6lixl6B+wz/8d+maTSAkN1FIkI3LQ==",
+          "dev": true
+        }
+      }
+    },
+    "@hashicorp/platform-cli": {
+      "version": "2.6.0",
+      "resolved": "https://registry.npmjs.org/@hashicorp/platform-cli/-/platform-cli-2.6.0.tgz",
+      "integrity": "sha512-nMO7Uiy/A5CT/BCE9RyQt6/Uci7bxwTesxCNWkXlciyqlIrz9WmBa9hr710IiMoDzrzQ1tL6AgFIeTbXs4RTqA==",
+      "dev": true,
+      "requires": {
+        "@hashicorp/platform-cms": "0.3.0",
+        "@typescript-eslint/eslint-plugin": "^5.48.0",
+        "@typescript-eslint/parser": "^5.48.0",
+        "chalk": "4.1.0",
+        "commander": "7.2.0",
+        "ejs": "3.1.5",
+        "eslint": "^8.31.0",
+        "eslint-config-next": "^13.1.1",
+        "eslint-config-prettier": "^8.6.0",
+        "eslint-plugin-jsx-a11y": "^6.6.1",
+        "eslint-plugin-prettier": "^4.2.1",
+        "fs-extra": "9.0.1",
+        "globby": "11.0.1",
+        "inquirer": "7.3.3",
+        "lint-staged": "11.1.2",
+        "open": "7.3.0",
+        "prettier": "2.5.1",
+        "readdirp": "3.5.0",
+        "signale": "1.4.0",
+        "slugify": "1.4.6",
+        "stylelint": "13.8.0",
+        "stylelint-config-css-modules": "2.2.0",
+        "stylelint-config-prettier": "8.0.2",
+        "stylelint-config-standard": "20.0.0",
+        "stylelint-media-use-custom-media": "2.0.0",
+        "stylelint-order": "4.1.0",
+        "stylelint-use-nesting": "3.0.0",
+        "stylelint-value-no-unknown-custom-properties": "3.0.0",
+        "ts-jest": "^26.4.4"
+      },
+      "dependencies": {
+        "prettier": {
+          "version": "2.5.1",
+          "resolved": "https://registry.npmjs.org/prettier/-/prettier-2.5.1.tgz",
+          "integrity": "sha512-vBZcPRUR5MZJwoyi3ZoyQlc1rXeEck8KgeC9AwwOn+exuxLxq5toTRDTSaVrXHxelDMHy9zlicw8u66yxoSUFg==",
+          "dev": true
+        }
+      }
+    },
+    "@hashicorp/platform-cms": {
+      "version": "0.3.0",
+      "integrity": "sha512-sRX9A+kDEZvfZy8PvGFbEaHjn5G1mEsHwTri1vDnrmKG8apE+ELlug83b0iEkD5wIJi9OqaewMIb0NrLxg9s5A==",
+      "dev": true,
+      "requires": {
+        "rivet-graphql": "0.3.1"
+      }
+    },
+    "@hashicorp/platform-content-conformance": {
+      "version": "0.0.9",
+      "resolved": "https://registry.npmjs.org/@hashicorp/platform-content-conformance/-/platform-content-conformance-0.0.9.tgz",
+      "integrity": "sha512-kotY/4M/0YjiUGPgXv9vbWMiZJV5N5tlXTN3e+VzTQlQfbEXP1xYDcs6pNMtxbxCwfS29pkNRIWAsnGVIbBISw==",
+      "dev": true,
+      "requires": {
+        "find-up": "^6.3.0",
+        "flat": "^5.0.2",
+        "globby": "^13.1.2",
+        "mdast-util-to-string": "^3.1.0",
+        "remark": "12.0.1",
+        "remark-mdx": "^1.6.22",
+        "unified-lint-rule": "^2.1.1",
+        "unist-util-stringify-position": "^3.0.2",
+        "unist-util-visit": "^4.1.1",
+        "vfile": "^5.3.6",
+        "vfile-matter": "^4.0.0",
+        "vfile-reporter": "^7.0.4",
+        "vfile-reporter-json": "^3.2.0",
+        "vfile-statistics": "^2.0.0",
+        "yaml": "^2.1.3",
+        "yargs": "^17.4.1",
+        "zod": "^3.19.1"
+      },
+      "dependencies": {
+        "cliui": {
+          "version": "8.0.1",
+          "resolved": "https://registry.npmjs.org/cliui/-/cliui-8.0.1.tgz",
+          "integrity": "sha512-BSeNnyus75C4//NQ9gQt1/csTXyo/8Sb+afLAkzAptFuMsod9HFokGNudZpi/oQV73hnVK+sR+5PVRMd+Dr7YQ==",
+          "dev": true,
+          "requires": {
+            "string-width": "^4.2.0",
+            "strip-ansi": "^6.0.1",
+            "wrap-ansi": "^7.0.0"
+          }
+        },
+        "find-up": {
+          "version": "6.3.0",
+          "resolved": "https://registry.npmjs.org/find-up/-/find-up-6.3.0.tgz",
+          "integrity": "sha512-v2ZsoEuVHYy8ZIlYqwPe/39Cy+cFDzp4dXPaxNvkEuouymu+2Jbz0PxpKarJHYJTmv2HWT3O382qY8l4jMWthw==",
+          "dev": true,
+          "requires": {
+            "locate-path": "^7.1.0",
+            "path-exists": "^5.0.0"
+          }
+        },
+        "globby": {
+          "version": "13.1.3",
+          "resolved": "https://registry.npmjs.org/globby/-/globby-13.1.3.tgz",
+          "integrity": "sha512-8krCNHXvlCgHDpegPzleMq07yMYTO2sXKASmZmquEYWEmCx6J5UTRbp5RwMJkTJGtcQ44YpiUYUiN0b9mzy8Bw==",
+          "dev": true,
+          "requires": {
+            "dir-glob": "^3.0.1",
+            "fast-glob": "^3.2.11",
+            "ignore": "^5.2.0",
+            "merge2": "^1.4.1",
+            "slash": "^4.0.0"
+          }
+        },
+        "locate-path": {
+          "version": "7.2.0",
+          "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-7.2.0.tgz",
+          "integrity": "sha512-gvVijfZvn7R+2qyPX8mAuKcFGDf6Nc61GdvGafQsHL0sBIxfKzA+usWn4GFC/bk+QdwPUD4kWFJLhElipq+0VA==",
+          "dev": true,
+          "requires": {
+            "p-locate": "^6.0.0"
+          }
+        },
+        "mdast-util-to-string": {
+          "version": "3.1.1",
+          "resolved": "https://registry.npmjs.org/mdast-util-to-string/-/mdast-util-to-string-3.1.1.tgz",
+          "integrity": "sha512-tGvhT94e+cVnQt8JWE9/b3cUQZWS732TJxXHktvP+BYo62PpYD53Ls/6cC60rW21dW+txxiM4zMdc6abASvZKA==",
+          "dev": true,
+          "requires": {
+            "@types/mdast": "^3.0.0"
+          }
+        },
+        "p-limit": {
+          "version": "4.0.0",
+          "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-4.0.0.tgz",
+          "integrity": "sha512-5b0R4txpzjPWVw/cXXUResoD4hb6U/x9BH08L7nw+GN1sezDzPdxeRvpc9c433fZhBan/wusjbCsqwqm4EIBIQ==",
+          "dev": true,
+          "requires": {
+            "yocto-queue": "^1.0.0"
+          }
+        },
+        "p-locate": {
+          "version": "6.0.0",
+          "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-6.0.0.tgz",
+          "integrity": "sha512-wPrq66Llhl7/4AGC6I+cqxT07LhXvWL08LNXz1fENOw0Ap4sRZZ/gZpTTJ5jpurzzzfS2W/Ge9BY3LgLjCShcw==",
+          "dev": true,
+          "requires": {
+            "p-limit": "^4.0.0"
+          }
+        },
+        "path-exists": {
+          "version": "5.0.0",
+          "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-5.0.0.tgz",
+          "integrity": "sha512-RjhtfwJOxzcFmNOi6ltcbcu4Iu+FL3zEj83dk4kAS+fVpTxXLO1b38RvJgT/0QwvV/L3aY9TAnyv0EOqW4GoMQ==",
+          "dev": true
+        },
+        "remark": {
+          "version": "12.0.1",
+          "resolved": "https://registry.npmjs.org/remark/-/remark-12.0.1.tgz",
+          "integrity": "sha512-gS7HDonkdIaHmmP/+shCPejCEEW+liMp/t/QwmF0Xt47Rpuhl32lLtDV1uKWvGoq+kxr5jSgg5oAIpGuyULjUw==",
+          "dev": true,
+          "requires": {
+            "remark-parse": "^8.0.0",
+            "remark-stringify": "^8.0.0",
+            "unified": "^9.0.0"
+          }
+        },
+        "remark-stringify": {
+          "version": "8.1.1",
+          "resolved": "https://registry.npmjs.org/remark-stringify/-/remark-stringify-8.1.1.tgz",
+          "integrity": "sha512-q4EyPZT3PcA3Eq7vPpT6bIdokXzFGp9i85igjmhRyXWmPs0Y6/d2FYwUNotKAWyLch7g0ASZJn/KHHcHZQ163A==",
+          "dev": true,
+          "requires": {
+            "ccount": "^1.0.0",
+            "is-alphanumeric": "^1.0.0",
+            "is-decimal": "^1.0.0",
+            "is-whitespace-character": "^1.0.0",
+            "longest-streak": "^2.0.1",
+            "markdown-escapes": "^1.0.0",
+            "markdown-table": "^2.0.0",
+            "mdast-util-compact": "^2.0.0",
+            "parse-entities": "^2.0.0",
+            "repeat-string": "^1.5.4",
+            "state-toggle": "^1.0.0",
+            "stringify-entities": "^3.0.0",
+            "unherit": "^1.0.4",
+            "xtend": "^4.0.1"
+          }
+        },
+        "slash": {
+          "version": "4.0.0",
+          "resolved": "https://registry.npmjs.org/slash/-/slash-4.0.0.tgz",
+          "integrity": "sha512-3dOsAHXXUkQTpOYcoAxLIorMTp4gIQr5IW3iVb7A7lFIp0VHhnynm9izx6TssdrIcVIESAlVjtnO2K8bg+Coew==",
+          "dev": true
+        },
+        "unist-util-stringify-position": {
+          "version": "3.0.3",
+          "resolved": "https://registry.npmjs.org/unist-util-stringify-position/-/unist-util-stringify-position-3.0.3.tgz",
+          "integrity": "sha512-k5GzIBZ/QatR8N5X2y+drfpWG8IDBzdnVj6OInRNWm1oXrzydiaAT2OQiA8DPRRZyAKb9b6I2a6PxYklZD0gKg==",
+          "dev": true,
+          "requires": {
+            "@types/unist": "^2.0.0"
+          }
+        },
+        "vfile": {
+          "version": "5.3.7",
+          "resolved": "https://registry.npmjs.org/vfile/-/vfile-5.3.7.tgz",
+          "integrity": "sha512-r7qlzkgErKjobAmyNIkkSpizsFPYiUPuJb5pNW1RB4JcYVZhs4lIbVqk8XPk033CV/1z8ss5pkax8SuhGpcG8g==",
+          "dev": true,
+          "requires": {
+            "@types/unist": "^2.0.0",
+            "is-buffer": "^2.0.0",
+            "unist-util-stringify-position": "^3.0.0",
+            "vfile-message": "^3.0.0"
+          }
+        },
+        "vfile-message": {
+          "version": "3.1.4",
+          "resolved": "https://registry.npmjs.org/vfile-message/-/vfile-message-3.1.4.tgz",
+          "integrity": "sha512-fa0Z6P8HUrQN4BZaX05SIVXic+7kE3b05PWAtPuYP9QLHsLKYR7/AlLW3NtOrpXRLeawpDLMsVkmk5DG0NXgWw==",
+          "dev": true,
+          "requires": {
+            "@types/unist": "^2.0.0",
+            "unist-util-stringify-position": "^3.0.0"
+          }
+        },
+        "y18n": {
+          "version": "5.0.8",
+          "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz",
+          "integrity": "sha512-0pfFzegeDWJHJIAmTLRP2DwHjdF5s7jo9tuztdQxAhINCdvS+3nGINqPd00AphqJR/0LhANUS6/+7SCb98YOfA==",
+          "dev": true
+        },
+        "yaml": {
+          "version": "2.2.1",
+          "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.2.1.tgz",
+          "integrity": "sha512-e0WHiYql7+9wr4cWMx3TVQrNwejKaEe7/rHNmQmqRjazfOP5W8PB6Jpebb5o6fIapbz9o9+2ipcaTM2ZwDI6lw==",
+          "dev": true
+        },
+        "yargs": {
+          "version": "17.7.1",
+          "resolved": "https://registry.npmjs.org/yargs/-/yargs-17.7.1.tgz",
+          "integrity": "sha512-cwiTb08Xuv5fqF4AovYacTFNxk62th7LKJ6BL9IGUpTJrWoU7/7WdQGTP2SjKf1dUNBGzDd28p/Yfs/GI6JrLw==",
+          "dev": true,
+          "requires": {
+            "cliui": "^8.0.1",
+            "escalade": "^3.1.1",
+            "get-caller-file": "^2.0.5",
+            "require-directory": "^2.1.1",
+            "string-width": "^4.2.3",
+            "y18n": "^5.0.5",
+            "yargs-parser": "^21.1.1"
+          }
+        },
+        "yargs-parser": {
+          "version": "21.1.1",
+          "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-21.1.1.tgz",
+          "integrity": "sha512-tVpsJW7DdjecAiFpbIB1e3qxIQsE6NoPc5/eTdrbbIC4h0LVsWhnoa3g+m2HclBIujHzsxZ4VJVA+GUuc2/LBw==",
+          "dev": true
+        },
+        "yocto-queue": {
+          "version": "1.0.0",
+          "resolved": "https://registry.npmjs.org/yocto-queue/-/yocto-queue-1.0.0.tgz",
+          "integrity": "sha512-9bnSc/HEW2uRy67wc+T8UwauLuPJVn28jb+GtJY16iiKWyvmYJRXVT4UamsAEGQfPohgr2q4Tq0sQbQlxTfi1g==",
+          "dev": true
+        }
+      }
+    },
+    "@humanwhocodes/config-array": {
+      "version": "0.11.8",
+      "resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.11.8.tgz",
+      "integrity": "sha512-UybHIJzJnR5Qc/MsD9Kr+RpO2h+/P1GhOwdiLPXK5TWk5sgTdu88bTD9UP+CKbPPh5Rni1u0GjAdYQLemG8g+g==",
+      "dev": true,
+      "requires": {
+        "@humanwhocodes/object-schema": "^1.2.1",
+        "debug": "^4.1.1",
+        "minimatch": "^3.0.5"
+      }
+    },
+    "@humanwhocodes/module-importer": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@humanwhocodes/module-importer/-/module-importer-1.0.1.tgz",
+      "integrity": "sha512-bxveV4V8v5Yb4ncFTT3rPSgZBOpCkjfK0y4oVVVJwIuDVBRMDXrPyXRL988i5ap9m9bnyEEjWfm5WkBmtffLfA==",
+      "dev": true
+    },
+    "@humanwhocodes/object-schema": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/@humanwhocodes/object-schema/-/object-schema-1.2.1.tgz",
+      "integrity": "sha512-ZnQMnLV4e7hDlUvw8H+U8ASL02SS2Gn6+9Ac3wGGLIe7+je2AeAOxPY+izIPJDfFDb7eDjev0Us8MO1iFRN8hA==",
+      "dev": true
+    },
+    "@istanbuljs/load-nyc-config": {
+      "version": "1.1.0",
+      "integrity": "sha512-VjeHSlIzpv/NyD3N0YuHfXOPDIixcA1q2ZV98wsMqcYlPmv2n3Yb2lYP9XMElnaFVXg5A7YLTeLu6V84uQDjmQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "camelcase": "^5.3.1",
+        "find-up": "^4.1.0",
+        "get-package-type": "^0.1.0",
+        "js-yaml": "^3.13.1",
+        "resolve-from": "^5.0.0"
+      },
+      "dependencies": {
+        "argparse": {
+          "version": "1.0.10",
+          "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "sprintf-js": "~1.0.2"
+          }
+        },
+        "find-up": {
+          "version": "4.1.0",
+          "integrity": "sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "locate-path": "^5.0.0",
+            "path-exists": "^4.0.0"
+          }
+        },
+        "js-yaml": {
+          "version": "3.14.1",
+          "integrity": "sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "argparse": "^1.0.7",
+            "esprima": "^4.0.0"
+          }
+        },
+        "locate-path": {
+          "version": "5.0.0",
+          "integrity": "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "p-locate": "^4.1.0"
+          }
+        },
+        "p-limit": {
+          "version": "2.3.0",
+          "integrity": "sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "p-try": "^2.0.0"
+          }
+        },
+        "p-locate": {
+          "version": "4.1.0",
+          "integrity": "sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "p-limit": "^2.2.0"
+          }
+        },
+        "path-exists": {
+          "version": "4.0.0",
+          "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==",
+          "dev": true,
+          "peer": true
+        },
+        "resolve-from": {
+          "version": "5.0.0",
+          "integrity": "sha512-qYg9KP24dD5qka9J47d0aVky0N+b4fTU89LN9iDnjB5waksiC49rvMB0PrUJQGoTmH50XPiqOvAjDfaijGxYZw==",
+          "dev": true,
+          "peer": true
+        }
+      }
+    },
+    "@istanbuljs/schema": {
+      "version": "0.1.3",
+      "integrity": "sha512-ZXRY4jNvVgSVQ8DL3LTcakaAtXwTVUxE81hslsyD2AtoXW/wVob10HkOJ1X/pAlcI7D+2YoZKg5do8G/w6RYgA==",
+      "dev": true,
+      "peer": true
+    },
+    "@jest/console": {
+      "version": "26.6.2",
+      "integrity": "sha512-IY1R2i2aLsLr7Id3S6p2BA82GNWryt4oSvEXLAKc+L2zdi89dSkE8xC1C+0kpATG4JhBJREnQOH7/zmccM2B0g==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@jest/types": "^26.6.2",
+        "@types/node": "*",
+        "chalk": "^4.0.0",
+        "jest-message-util": "^26.6.2",
+        "jest-util": "^26.6.2",
+        "slash": "^3.0.0"
+      }
+    },
+    "@jest/core": {
+      "version": "26.6.3",
+      "integrity": "sha512-xvV1kKbhfUqFVuZ8Cyo+JPpipAHHAV3kcDBftiduK8EICXmTFddryy3P7NfZt8Pv37rA9nEJBKCCkglCPt/Xjw==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@jest/console": "^26.6.2",
+        "@jest/reporters": "^26.6.2",
+        "@jest/test-result": "^26.6.2",
+        "@jest/transform": "^26.6.2",
+        "@jest/types": "^26.6.2",
+        "@types/node": "*",
+        "ansi-escapes": "^4.2.1",
+        "chalk": "^4.0.0",
+        "exit": "^0.1.2",
+        "graceful-fs": "^4.2.4",
+        "jest-changed-files": "^26.6.2",
+        "jest-config": "^26.6.3",
+        "jest-haste-map": "^26.6.2",
+        "jest-message-util": "^26.6.2",
+        "jest-regex-util": "^26.0.0",
+        "jest-resolve": "^26.6.2",
+        "jest-resolve-dependencies": "^26.6.3",
+        "jest-runner": "^26.6.3",
+        "jest-runtime": "^26.6.3",
+        "jest-snapshot": "^26.6.2",
+        "jest-util": "^26.6.2",
+        "jest-validate": "^26.6.2",
+        "jest-watcher": "^26.6.2",
+        "micromatch": "^4.0.2",
+        "p-each-series": "^2.1.0",
+        "rimraf": "^3.0.0",
+        "slash": "^3.0.0",
+        "strip-ansi": "^6.0.0"
+      }
+    },
+    "@jest/environment": {
+      "version": "26.6.2",
+      "integrity": "sha512-nFy+fHl28zUrRsCeMB61VDThV1pVTtlEokBRgqPrcT1JNq4yRNIyTHfyht6PqtUvY9IsuLGTrbG8kPXjSZIZwA==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@jest/fake-timers": "^26.6.2",
+        "@jest/types": "^26.6.2",
+        "@types/node": "*",
+        "jest-mock": "^26.6.2"
+      }
+    },
+    "@jest/fake-timers": {
+      "version": "26.6.2",
+      "integrity": "sha512-14Uleatt7jdzefLPYM3KLcnUl1ZNikaKq34enpb5XG9i81JpppDb5muZvonvKyrl7ftEHkKS5L5/eB/kxJ+bvA==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@jest/types": "^26.6.2",
+        "@sinonjs/fake-timers": "^6.0.1",
+        "@types/node": "*",
+        "jest-message-util": "^26.6.2",
+        "jest-mock": "^26.6.2",
+        "jest-util": "^26.6.2"
+      }
+    },
+    "@jest/globals": {
+      "version": "26.6.2",
+      "integrity": "sha512-85Ltnm7HlB/KesBUuALwQ68YTU72w9H2xW9FjZ1eL1U3lhtefjjl5c2MiUbpXt/i6LaPRvoOFJ22yCBSfQ0JIA==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@jest/environment": "^26.6.2",
+        "@jest/types": "^26.6.2",
+        "expect": "^26.6.2"
+      }
+    },
+    "@jest/reporters": {
+      "version": "26.6.2",
+      "integrity": "sha512-h2bW53APG4HvkOnVMo8q3QXa6pcaNt1HkwVsOPMBV6LD/q9oSpxNSYZQYkAnjdMjrJ86UuYeLo+aEZClV6opnw==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@bcoe/v8-coverage": "^0.2.3",
+        "@jest/console": "^26.6.2",
+        "@jest/test-result": "^26.6.2",
+        "@jest/transform": "^26.6.2",
+        "@jest/types": "^26.6.2",
+        "chalk": "^4.0.0",
+        "collect-v8-coverage": "^1.0.0",
+        "exit": "^0.1.2",
+        "glob": "^7.1.2",
+        "graceful-fs": "^4.2.4",
+        "istanbul-lib-coverage": "^3.0.0",
+        "istanbul-lib-instrument": "^4.0.3",
+        "istanbul-lib-report": "^3.0.0",
+        "istanbul-lib-source-maps": "^4.0.0",
+        "istanbul-reports": "^3.0.2",
+        "jest-haste-map": "^26.6.2",
+        "jest-resolve": "^26.6.2",
+        "jest-util": "^26.6.2",
+        "jest-worker": "^26.6.2",
+        "node-notifier": "^8.0.0",
+        "slash": "^3.0.0",
+        "source-map": "^0.6.0",
+        "string-length": "^4.0.1",
+        "terminal-link": "^2.0.0",
+        "v8-to-istanbul": "^7.0.0"
+      },
+      "dependencies": {
+        "source-map": {
+          "version": "0.6.1",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+          "dev": true,
+          "peer": true
+        }
+      }
+    },
+    "@jest/source-map": {
+      "version": "26.6.2",
+      "integrity": "sha512-YwYcCwAnNmOVsZ8mr3GfnzdXDAl4LaenZP5z+G0c8bzC9/dugL8zRmxZzdoTl4IaS3CryS1uWnROLPFmb6lVvA==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "callsites": "^3.0.0",
+        "graceful-fs": "^4.2.4",
+        "source-map": "^0.6.0"
+      },
+      "dependencies": {
+        "source-map": {
+          "version": "0.6.1",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+          "dev": true,
+          "peer": true
+        }
+      }
+    },
+    "@jest/test-result": {
+      "version": "26.6.2",
+      "integrity": "sha512-5O7H5c/7YlojphYNrK02LlDIV2GNPYisKwHm2QTKjNZeEzezCbwYs9swJySv2UfPMyZ0VdsmMv7jIlD/IKYQpQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@jest/console": "^26.6.2",
+        "@jest/types": "^26.6.2",
+        "@types/istanbul-lib-coverage": "^2.0.0",
+        "collect-v8-coverage": "^1.0.0"
+      }
+    },
+    "@jest/test-sequencer": {
+      "version": "26.6.3",
+      "integrity": "sha512-YHlVIjP5nfEyjlrSr8t/YdNfU/1XEt7c5b4OxcXCjyRhjzLYu/rO69/WHPuYcbCWkz8kAeZVZp2N2+IOLLEPGw==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@jest/test-result": "^26.6.2",
+        "graceful-fs": "^4.2.4",
+        "jest-haste-map": "^26.6.2",
+        "jest-runner": "^26.6.3",
+        "jest-runtime": "^26.6.3"
+      }
+    },
+    "@jest/transform": {
+      "version": "26.6.2",
+      "integrity": "sha512-E9JjhUgNzvuQ+vVAL21vlyfy12gP0GhazGgJC4h6qUt1jSdUXGWJ1wfu/X7Sd8etSgxV4ovT1pb9v5D6QW4XgA==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@babel/core": "^7.1.0",
+        "@jest/types": "^26.6.2",
+        "babel-plugin-istanbul": "^6.0.0",
+        "chalk": "^4.0.0",
+        "convert-source-map": "^1.4.0",
+        "fast-json-stable-stringify": "^2.0.0",
+        "graceful-fs": "^4.2.4",
+        "jest-haste-map": "^26.6.2",
+        "jest-regex-util": "^26.0.0",
+        "jest-util": "^26.6.2",
+        "micromatch": "^4.0.2",
+        "pirates": "^4.0.1",
+        "slash": "^3.0.0",
+        "source-map": "^0.6.1",
+        "write-file-atomic": "^3.0.0"
+      },
+      "dependencies": {
+        "source-map": {
+          "version": "0.6.1",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+          "dev": true,
+          "peer": true
+        }
+      }
+    },
+    "@jest/types": {
+      "version": "26.6.2",
+      "integrity": "sha512-fC6QCp7Sc5sX6g8Tvbmj4XUTbyrik0akgRy03yjXbQaBWWNWGE7SGtJk98m0N8nzegD/7SggrUlivxo5ax4KWQ==",
+      "dev": true,
+      "requires": {
+        "@types/istanbul-lib-coverage": "^2.0.0",
+        "@types/istanbul-reports": "^3.0.0",
+        "@types/node": "*",
+        "@types/yargs": "^15.0.0",
+        "chalk": "^4.0.0"
+      }
+    },
+    "@mdx-js/util": {
+      "version": "1.6.22",
+      "resolved": "https://registry.npmjs.org/@mdx-js/util/-/util-1.6.22.tgz",
+      "integrity": "sha512-H1rQc1ZOHANWBvPcW+JpGwr+juXSxM8Q8YCkm3GhZd8REu1fHR3z99CErO1p9pkcfcxZnMdIZdIsXkOHY0NilA==",
+      "dev": true
+    },
+    "@next/env": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/env/-/env-12.3.1.tgz",
+      "integrity": "sha512-9P9THmRFVKGKt9DYqeC2aKIxm8rlvkK38V1P1sRE7qyoPBIs8l9oo79QoSdPtOWfzkbDAVUqvbQGgTMsb8BtJg==",
+      "dev": true
+    },
+    "@next/eslint-plugin-next": {
+      "version": "13.1.2",
+      "resolved": "https://registry.npmjs.org/@next/eslint-plugin-next/-/eslint-plugin-next-13.1.2.tgz",
+      "integrity": "sha512-WGaNVvIYphdriesP6r7jq/8l7u38tzotnVQuxc1RYKLqYYApSsrebti3OCPoT3Gx0pw2smPIFHH98RzcsgW5GQ==",
+      "dev": true,
+      "requires": {
+        "glob": "7.1.7"
+      },
+      "dependencies": {
+        "glob": {
+          "version": "7.1.7",
+          "resolved": "https://registry.npmjs.org/glob/-/glob-7.1.7.tgz",
+          "integrity": "sha512-OvD9ENzPLbegENnYP5UUfJIirTg4+XwMWGaQfQTY0JenxNvvIKP3U3/tAQSPIu/lHxXYSZmpXlUHeqAIdKzBLQ==",
+          "dev": true,
+          "requires": {
+            "fs.realpath": "^1.0.0",
+            "inflight": "^1.0.4",
+            "inherits": "2",
+            "minimatch": "^3.0.4",
+            "once": "^1.3.0",
+            "path-is-absolute": "^1.0.0"
+          }
+        }
+      }
+    },
+    "@next/swc-android-arm-eabi": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-android-arm-eabi/-/swc-android-arm-eabi-12.3.1.tgz",
+      "integrity": "sha512-i+BvKA8tB//srVPPQxIQN5lvfROcfv4OB23/L1nXznP+N/TyKL8lql3l7oo2LNhnH66zWhfoemg3Q4VJZSruzQ==",
+      "dev": true,
+      "optional": true
+    },
+    "@next/swc-android-arm64": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-android-arm64/-/swc-android-arm64-12.3.1.tgz",
+      "integrity": "sha512-CmgU2ZNyBP0rkugOOqLnjl3+eRpXBzB/I2sjwcGZ7/Z6RcUJXK5Evz+N0ucOxqE4cZ3gkTeXtSzRrMK2mGYV8Q==",
+      "dev": true,
+      "optional": true
+    },
+    "@next/swc-darwin-arm64": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-darwin-arm64/-/swc-darwin-arm64-12.3.1.tgz",
+      "integrity": "sha512-hT/EBGNcu0ITiuWDYU9ur57Oa4LybD5DOQp4f22T6zLfpoBMfBibPtR8XktXmOyFHrL/6FC2p9ojdLZhWhvBHg==",
+      "dev": true,
+      "optional": true
+    },
+    "@next/swc-darwin-x64": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-darwin-x64/-/swc-darwin-x64-12.3.1.tgz",
+      "integrity": "sha512-9S6EVueCVCyGf2vuiLiGEHZCJcPAxglyckTZcEwLdJwozLqN0gtS0Eq0bQlGS3dH49Py/rQYpZ3KVWZ9BUf/WA==",
+      "dev": true,
+      "optional": true
+    },
+    "@next/swc-freebsd-x64": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-freebsd-x64/-/swc-freebsd-x64-12.3.1.tgz",
+      "integrity": "sha512-qcuUQkaBZWqzM0F1N4AkAh88lLzzpfE6ImOcI1P6YeyJSsBmpBIV8o70zV+Wxpc26yV9vpzb+e5gCyxNjKJg5Q==",
+      "dev": true,
+      "optional": true
+    },
+    "@next/swc-linux-arm-gnueabihf": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-linux-arm-gnueabihf/-/swc-linux-arm-gnueabihf-12.3.1.tgz",
+      "integrity": "sha512-diL9MSYrEI5nY2wc/h/DBewEDUzr/DqBjIgHJ3RUNtETAOB3spMNHvJk2XKUDjnQuluLmFMloet9tpEqU2TT9w==",
+      "dev": true,
+      "optional": true
+    },
+    "@next/swc-linux-arm64-gnu": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-gnu/-/swc-linux-arm64-gnu-12.3.1.tgz",
+      "integrity": "sha512-o/xB2nztoaC7jnXU3Q36vGgOolJpsGG8ETNjxM1VAPxRwM7FyGCPHOMk1XavG88QZSQf+1r+POBW0tLxQOJ9DQ==",
+      "dev": true,
+      "optional": true
+    },
+    "@next/swc-linux-arm64-musl": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-musl/-/swc-linux-arm64-musl-12.3.1.tgz",
+      "integrity": "sha512-2WEasRxJzgAmP43glFNhADpe8zB7kJofhEAVNbDJZANp+H4+wq+/cW1CdDi8DqjkShPEA6/ejJw+xnEyDID2jg==",
+      "dev": true,
+      "optional": true
+    },
+    "@next/swc-linux-x64-gnu": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-gnu/-/swc-linux-x64-gnu-12.3.1.tgz",
+      "integrity": "sha512-JWEaMyvNrXuM3dyy9Pp5cFPuSSvG82+yABqsWugjWlvfmnlnx9HOQZY23bFq3cNghy5V/t0iPb6cffzRWylgsA==",
+      "dev": true,
+      "optional": true
+    },
+    "@next/swc-linux-x64-musl": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-musl/-/swc-linux-x64-musl-12.3.1.tgz",
+      "integrity": "sha512-xoEWQQ71waWc4BZcOjmatuvPUXKTv6MbIFzpm4LFeCHsg2iwai0ILmNXf81rJR+L1Wb9ifEke2sQpZSPNz1Iyg==",
+      "dev": true,
+      "optional": true
+    },
+    "@next/swc-win32-arm64-msvc": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-win32-arm64-msvc/-/swc-win32-arm64-msvc-12.3.1.tgz",
+      "integrity": "sha512-hswVFYQYIeGHE2JYaBVtvqmBQ1CppplQbZJS/JgrVI3x2CurNhEkmds/yqvDONfwfbttTtH4+q9Dzf/WVl3Opw==",
+      "dev": true,
+      "optional": true
+    },
+    "@next/swc-win32-ia32-msvc": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-win32-ia32-msvc/-/swc-win32-ia32-msvc-12.3.1.tgz",
+      "integrity": "sha512-Kny5JBehkTbKPmqulr5i+iKntO5YMP+bVM8Hf8UAmjSMVo3wehyLVc9IZkNmcbxi+vwETnQvJaT5ynYBkJ9dWA==",
+      "dev": true,
+      "optional": true
+    },
+    "@next/swc-win32-x64-msvc": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-win32-x64-msvc/-/swc-win32-x64-msvc-12.3.1.tgz",
+      "integrity": "sha512-W1ijvzzg+kPEX6LAc+50EYYSEo0FVu7dmTE+t+DM4iOLqgGHoW9uYSz9wCVdkXOEEMP9xhXfGpcSxsfDucyPkA==",
+      "dev": true,
+      "optional": true
+    },
+    "@nodelib/fs.scandir": {
+      "version": "2.1.5",
+      "integrity": "sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==",
+      "dev": true,
+      "requires": {
+        "@nodelib/fs.stat": "2.0.5",
+        "run-parallel": "^1.1.9"
+      }
+    },
+    "@nodelib/fs.stat": {
+      "version": "2.0.5",
+      "integrity": "sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==",
+      "dev": true
+    },
+    "@nodelib/fs.walk": {
+      "version": "1.2.8",
+      "integrity": "sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==",
+      "dev": true,
+      "requires": {
+        "@nodelib/fs.scandir": "2.1.5",
+        "fastq": "^1.6.0"
+      }
+    },
+    "@pkgr/utils": {
+      "version": "2.3.1",
+      "resolved": "https://registry.npmjs.org/@pkgr/utils/-/utils-2.3.1.tgz",
+      "integrity": "sha512-wfzX8kc1PMyUILA+1Z/EqoE4UCXGy0iRGMhPwdfae1+f0OXlLqCk+By+aMzgJBzR9AzS4CDizioG6Ss1gvAFJw==",
+      "dev": true,
+      "requires": {
+        "cross-spawn": "^7.0.3",
+        "is-glob": "^4.0.3",
+        "open": "^8.4.0",
+        "picocolors": "^1.0.0",
+        "tiny-glob": "^0.2.9",
+        "tslib": "^2.4.0"
+      },
+      "dependencies": {
+        "open": {
+          "version": "8.4.0",
+          "resolved": "https://registry.npmjs.org/open/-/open-8.4.0.tgz",
+          "integrity": "sha512-XgFPPM+B28FtCCgSb9I+s9szOC1vZRSwgWsRUA5ylIxRTgKozqjOCrVOqGsYABPYK5qnfqClxZTFBa8PKt2v6Q==",
+          "dev": true,
+          "requires": {
+            "define-lazy-prop": "^2.0.0",
+            "is-docker": "^2.1.1",
+            "is-wsl": "^2.2.0"
+          }
+        },
+        "picocolors": {
+          "version": "1.0.0",
+          "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.0.0.tgz",
+          "integrity": "sha512-1fygroTLlHu66zi26VoTDv8yRgm0Fccecssto+MhsZ0D/DGW2sm8E8AjW7NU5VVTRt5GxbeZ5qBuJr+HyLYkjQ==",
+          "dev": true
+        }
+      }
+    },
+    "@rushstack/eslint-patch": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/@rushstack/eslint-patch/-/eslint-patch-1.2.0.tgz",
+      "integrity": "sha512-sXo/qW2/pAcmT43VoRKOJbDOfV3cYpq3szSVfIThQXNt+E4DfKj361vaAt3c88U5tPUxzEswam7GW48PJqtKAg==",
+      "dev": true
+    },
+    "@sinonjs/commons": {
+      "version": "1.8.3",
+      "integrity": "sha512-xkNcLAn/wZaX14RPlwizcKicDk9G3F8m2nU3L7Ukm5zBgTwiT0wsoFAHx9Jq56fJA1z/7uKGtCRu16sOUCLIHQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "type-detect": "4.0.8"
+      }
+    },
+    "@sinonjs/fake-timers": {
+      "version": "6.0.1",
+      "integrity": "sha512-MZPUxrmFubI36XS1DI3qmI0YdN1gks62JtFZvxR67ljjSNCeK6U08Zx4msEWOXuofgqUt6zPHSi1H9fbjR/NRA==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@sinonjs/commons": "^1.7.0"
+      }
+    },
+    "@stylelint/postcss-css-in-js": {
+      "version": "0.37.2",
+      "integrity": "sha512-nEhsFoJurt8oUmieT8qy4nk81WRHmJynmVwn/Vts08PL9fhgIsMhk1GId5yAN643OzqEEb5S/6At2TZW7pqPDA==",
+      "dev": true,
+      "requires": {
+        "@babel/core": ">=7.9.0"
+      }
+    },
+    "@stylelint/postcss-markdown": {
+      "version": "0.36.2",
+      "integrity": "sha512-2kGbqUVJUGE8dM+bMzXG/PYUWKkjLIkRLWNh39OaADkiabDRdw8ATFCgbMz5xdIcvwspPAluSL7uY+ZiTWdWmQ==",
+      "dev": true,
+      "requires": {
+        "remark": "^13.0.0",
+        "unist-util-find-all-after": "^3.0.2"
+      }
+    },
+    "@swc/helpers": {
+      "version": "0.4.11",
+      "resolved": "https://registry.npmjs.org/@swc/helpers/-/helpers-0.4.11.tgz",
+      "integrity": "sha512-rEUrBSGIoSFuYxwBYtlUFMlE2CwGhmW+w9355/5oduSw8e5h2+Tj4UrAGNNgP9915++wj5vkQo0UuOBqOAq4nw==",
+      "dev": true,
+      "requires": {
+        "tslib": "^2.4.0"
+      }
+    },
+    "@tootallnate/once": {
+      "version": "1.1.2",
+      "integrity": "sha512-RbzJvlNzmRq5c3O09UipeuXno4tA1FE6ikOjxZK0tuxVv3412l64l5t1W5pj4+rJq9vpkm/kwiR07aZXnsKPxw==",
+      "dev": true,
+      "peer": true
+    },
+    "@types/babel__core": {
+      "version": "7.1.16",
+      "integrity": "sha512-EAEHtisTMM+KaKwfWdC3oyllIqswlznXCIVCt7/oRNrh+DhgT4UEBNC/jlADNjvw7UnfbcdkGQcPVZ1xYiLcrQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@babel/parser": "^7.1.0",
+        "@babel/types": "^7.0.0",
+        "@types/babel__generator": "*",
+        "@types/babel__template": "*",
+        "@types/babel__traverse": "*"
+      }
+    },
+    "@types/babel__generator": {
+      "version": "7.6.3",
+      "integrity": "sha512-/GWCmzJWqV7diQW54smJZzWbSFf4QYtF71WCKhcx6Ru/tFyQIY2eiiITcCAeuPbNSvT9YCGkVMqqvSk2Z0mXiA==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@babel/types": "^7.0.0"
+      }
+    },
+    "@types/babel__template": {
+      "version": "7.4.1",
+      "integrity": "sha512-azBFKemX6kMg5Io+/rdGT0dkGreboUVR0Cdm3fz9QJWpaQGJRQXl7C+6hOTCZcMll7KFyEQpgbYI2lHdsS4U7g==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@babel/parser": "^7.1.0",
+        "@babel/types": "^7.0.0"
+      }
+    },
+    "@types/babel__traverse": {
+      "version": "7.14.2",
+      "integrity": "sha512-K2waXdXBi2302XUdcHcR1jCeU0LL4TD9HRs/gk0N2Xvrht+G/BfJa4QObBQZfhMdxiCpV3COl5Nfq4uKTeTnJA==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@babel/types": "^7.3.0"
+      }
+    },
+    "@types/graceful-fs": {
+      "version": "4.1.5",
+      "integrity": "sha512-anKkLmZZ+xm4p8JWBf4hElkM4XR+EZeA2M9BAkkTldmcyDY4mbdIJnRghDJH3Ov5ooY7/UAoENtmdMSkaAd7Cw==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@types/node": "*"
+      }
+    },
+    "@types/istanbul-lib-coverage": {
+      "version": "2.0.3",
+      "integrity": "sha512-sz7iLqvVUg1gIedBOvlkxPlc8/uVzyS5OwGz1cKjXzkl3FpL3al0crU8YGU1WoHkxn0Wxbw5tyi6hvzJKNzFsw==",
+      "dev": true
+    },
+    "@types/istanbul-lib-report": {
+      "version": "3.0.0",
+      "integrity": "sha512-plGgXAPfVKFoYfa9NpYDAkseG+g6Jr294RqeqcqDixSbU34MZVJRi/P+7Y8GDpzkEwLaGZZOpKIEmeVZNtKsrg==",
+      "dev": true,
+      "requires": {
+        "@types/istanbul-lib-coverage": "*"
+      }
+    },
+    "@types/istanbul-reports": {
+      "version": "3.0.1",
+      "integrity": "sha512-c3mAZEuK0lvBp8tmuL74XRKn1+y2dcwOUpH7x4WrF6gk1GIgiluDRgMYQtw2OFcBvAJWlt6ASU3tSqxp0Uu0Aw==",
+      "dev": true,
+      "requires": {
+        "@types/istanbul-lib-report": "*"
+      }
+    },
+    "@types/json-schema": {
+      "version": "7.0.11",
+      "resolved": "https://registry.npmjs.org/@types/json-schema/-/json-schema-7.0.11.tgz",
+      "integrity": "sha512-wOuvG1SN4Us4rez+tylwwwCV1psiNVOkJeM3AUWUNWg/jDQY2+HE/444y5gc+jBmRqASOm2Oeh5c1axHobwRKQ==",
+      "dev": true
+    },
+    "@types/json5": {
+      "version": "0.0.29",
+      "resolved": "https://registry.npmjs.org/@types/json5/-/json5-0.0.29.tgz",
+      "integrity": "sha512-dRLjCWHYg4oaA77cxO64oO+7JwCwnIzkZPdrrC71jQmQtlhM556pwKo5bUzqvZndkVbeFLIIi+9TC40JNF5hNQ==",
+      "dev": true
+    },
+    "@types/mdast": {
+      "version": "3.0.10",
+      "integrity": "sha512-W864tg/Osz1+9f4lrGTZpCSO5/z4608eUp19tbozkq2HJK6i3z1kT0H9tlADXuYIb1YYOBByU4Jsqkk75q48qA==",
+      "dev": true,
+      "requires": {
+        "@types/unist": "*"
+      }
+    },
+    "@types/minimist": {
+      "version": "1.2.2",
+      "integrity": "sha512-jhuKLIRrhvCPLqwPcx6INqmKeiA5EWrsCOPhrlFSrbrmU4ZMPjj5Ul/oLCMDO98XRUIwVm78xICz4EPCektzeQ==",
+      "dev": true
+    },
+    "@types/node": {
+      "version": "16.10.3",
+      "integrity": "sha512-ho3Ruq+fFnBrZhUYI46n/bV2GjwzSkwuT4dTf0GkuNFmnb8nq4ny2z9JEVemFi6bdEJanHLlYfy9c6FN9B9McQ==",
+      "dev": true
+    },
+    "@types/normalize-package-data": {
+      "version": "2.4.1",
+      "integrity": "sha512-Gj7cI7z+98M282Tqmp2K5EIsoouUEzbBJhQQzDE3jSIRk6r9gsz0oUokqIUR4u1R3dMHo0pDHM7sNOHyhulypw==",
+      "dev": true
+    },
+    "@types/parse-json": {
+      "version": "4.0.0",
+      "integrity": "sha512-//oorEZjL6sbPcKUaCdIGlIUeH26mgzimjBB77G6XRgnDl/L5wOnpyBGRe/Mmf5CVW3PwEBE1NjiMZ/ssFh4wA==",
+      "dev": true
+    },
+    "@types/prettier": {
+      "version": "2.4.1",
+      "integrity": "sha512-Fo79ojj3vdEZOHg3wR9ksAMRz4P3S5fDB5e/YWZiFnyFQI1WY2Vftu9XoXVVtJfxB7Bpce/QTqWSSntkz2Znrw==",
+      "dev": true,
+      "peer": true
+    },
+    "@types/semver": {
+      "version": "7.3.13",
+      "resolved": "https://registry.npmjs.org/@types/semver/-/semver-7.3.13.tgz",
+      "integrity": "sha512-21cFJr9z3g5dW8B0CVI9g2O9beqaThGQ6ZFBqHfwhzLDKUxaqTIy3vnfah/UPkfOiF2pLq+tGz+W8RyCskuslw==",
+      "dev": true
+    },
+    "@types/stack-utils": {
+      "version": "2.0.1",
+      "integrity": "sha512-Hl219/BT5fLAaz6NDkSuhzasy49dwQS/DSdu4MdggFB8zcXv7vflBI3xp7FEmkmdDkBUI2bPUNeMttp2knYdxw==",
+      "dev": true,
+      "peer": true
+    },
+    "@types/supports-color": {
+      "version": "8.1.1",
+      "resolved": "https://registry.npmjs.org/@types/supports-color/-/supports-color-8.1.1.tgz",
+      "integrity": "sha512-dPWnWsf+kzIG140B8z2w3fr5D03TLWbOAFQl45xUpI3vcizeXriNR5VYkWZ+WTMsUHqZ9Xlt3hrxGNANFyNQfw==",
+      "dev": true
+    },
+    "@types/unist": {
+      "version": "2.0.6",
+      "integrity": "sha512-PBjIUxZHOuj0R15/xuwJYjFi+KZdNFrehocChv4g5hu6aFroHue8m0lBP0POdK2nKzbw0cgV1mws8+V/JAcEkQ==",
+      "dev": true
+    },
+    "@types/yargs": {
+      "version": "15.0.14",
+      "integrity": "sha512-yEJzHoxf6SyQGhBhIYGXQDSCkJjB6HohDShto7m8vaKg9Yp0Yn8+71J9eakh2bnPg6BfsH9PRMhiRTZnd4eXGQ==",
+      "dev": true,
+      "requires": {
+        "@types/yargs-parser": "*"
+      }
+    },
+    "@types/yargs-parser": {
+      "version": "20.2.1",
+      "integrity": "sha512-7tFImggNeNBVMsn0vLrpn1H1uPrUBdnARPTpZoitY37ZrdJREzf7I16tMrlK3hen349gr1NYh8CmZQa7CTG6Aw==",
+      "dev": true
+    },
+    "@typescript-eslint/eslint-plugin": {
+      "version": "5.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-5.48.1.tgz",
+      "integrity": "sha512-9nY5K1Rp2ppmpb9s9S2aBiF3xo5uExCehMDmYmmFqqyxgenbHJ3qbarcLt4ITgaD6r/2ypdlcFRdcuVPnks+fQ==",
+      "dev": true,
+      "requires": {
+        "@typescript-eslint/scope-manager": "5.48.1",
+        "@typescript-eslint/type-utils": "5.48.1",
+        "@typescript-eslint/utils": "5.48.1",
+        "debug": "^4.3.4",
+        "ignore": "^5.2.0",
+        "natural-compare-lite": "^1.4.0",
+        "regexpp": "^3.2.0",
+        "semver": "^7.3.7",
+        "tsutils": "^3.21.0"
+      },
+      "dependencies": {
+        "semver": {
+          "version": "7.3.8",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-7.3.8.tgz",
+          "integrity": "sha512-NB1ctGL5rlHrPJtFDVIVzTyQylMLu9N9VICA6HSFJo8MCGVTMW6gfpicwKmmK/dAjTOrqu5l63JJOpDSrAis3A==",
+          "dev": true,
+          "requires": {
+            "lru-cache": "^6.0.0"
+          }
+        }
+      }
+    },
+    "@typescript-eslint/parser": {
+      "version": "5.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-5.48.1.tgz",
+      "integrity": "sha512-4yg+FJR/V1M9Xoq56SF9Iygqm+r5LMXvheo6DQ7/yUWynQ4YfCRnsKuRgqH4EQ5Ya76rVwlEpw4Xu+TgWQUcdA==",
+      "dev": true,
+      "requires": {
+        "@typescript-eslint/scope-manager": "5.48.1",
+        "@typescript-eslint/types": "5.48.1",
+        "@typescript-eslint/typescript-estree": "5.48.1",
+        "debug": "^4.3.4"
+      }
+    },
+    "@typescript-eslint/scope-manager": {
+      "version": "5.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-5.48.1.tgz",
+      "integrity": "sha512-S035ueRrbxRMKvSTv9vJKIWgr86BD8s3RqoRZmsSh/s8HhIs90g6UlK8ZabUSjUZQkhVxt7nmZ63VJ9dcZhtDQ==",
+      "dev": true,
+      "requires": {
+        "@typescript-eslint/types": "5.48.1",
+        "@typescript-eslint/visitor-keys": "5.48.1"
+      }
+    },
+    "@typescript-eslint/type-utils": {
+      "version": "5.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-5.48.1.tgz",
+      "integrity": "sha512-Hyr8HU8Alcuva1ppmqSYtM/Gp0q4JOp1F+/JH5D1IZm/bUBrV0edoewQZiEc1r6I8L4JL21broddxK8HAcZiqQ==",
+      "dev": true,
+      "requires": {
+        "@typescript-eslint/typescript-estree": "5.48.1",
+        "@typescript-eslint/utils": "5.48.1",
+        "debug": "^4.3.4",
+        "tsutils": "^3.21.0"
+      }
+    },
+    "@typescript-eslint/types": {
+      "version": "5.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-5.48.1.tgz",
+      "integrity": "sha512-xHyDLU6MSuEEdIlzrrAerCGS3T7AA/L8Hggd0RCYBi0w3JMvGYxlLlXHeg50JI9Tfg5MrtsfuNxbS/3zF1/ATg==",
+      "dev": true
+    },
+    "@typescript-eslint/typescript-estree": {
+      "version": "5.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-5.48.1.tgz",
+      "integrity": "sha512-Hut+Osk5FYr+sgFh8J/FHjqX6HFcDzTlWLrFqGoK5kVUN3VBHF/QzZmAsIXCQ8T/W9nQNBTqalxi1P3LSqWnRA==",
+      "dev": true,
+      "requires": {
+        "@typescript-eslint/types": "5.48.1",
+        "@typescript-eslint/visitor-keys": "5.48.1",
+        "debug": "^4.3.4",
+        "globby": "^11.1.0",
+        "is-glob": "^4.0.3",
+        "semver": "^7.3.7",
+        "tsutils": "^3.21.0"
+      },
+      "dependencies": {
+        "globby": {
+          "version": "11.1.0",
+          "resolved": "https://registry.npmjs.org/globby/-/globby-11.1.0.tgz",
+          "integrity": "sha512-jhIXaOzy1sb8IyocaruWSn1TjmnBVs8Ayhcy83rmxNJ8q2uWKCAj3CnJY+KpGSXCueAPc0i05kVvVKtP1t9S3g==",
+          "dev": true,
+          "requires": {
+            "array-union": "^2.1.0",
+            "dir-glob": "^3.0.1",
+            "fast-glob": "^3.2.9",
+            "ignore": "^5.2.0",
+            "merge2": "^1.4.1",
+            "slash": "^3.0.0"
+          }
+        },
+        "semver": {
+          "version": "7.3.8",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-7.3.8.tgz",
+          "integrity": "sha512-NB1ctGL5rlHrPJtFDVIVzTyQylMLu9N9VICA6HSFJo8MCGVTMW6gfpicwKmmK/dAjTOrqu5l63JJOpDSrAis3A==",
+          "dev": true,
+          "requires": {
+            "lru-cache": "^6.0.0"
+          }
+        }
+      }
+    },
+    "@typescript-eslint/utils": {
+      "version": "5.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-5.48.1.tgz",
+      "integrity": "sha512-SmQuSrCGUOdmGMwivW14Z0Lj8dxG1mOFZ7soeJ0TQZEJcs3n5Ndgkg0A4bcMFzBELqLJ6GTHnEU+iIoaD6hFGA==",
+      "dev": true,
+      "requires": {
+        "@types/json-schema": "^7.0.9",
+        "@types/semver": "^7.3.12",
+        "@typescript-eslint/scope-manager": "5.48.1",
+        "@typescript-eslint/types": "5.48.1",
+        "@typescript-eslint/typescript-estree": "5.48.1",
+        "eslint-scope": "^5.1.1",
+        "eslint-utils": "^3.0.0",
+        "semver": "^7.3.7"
+      },
+      "dependencies": {
+        "semver": {
+          "version": "7.3.8",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-7.3.8.tgz",
+          "integrity": "sha512-NB1ctGL5rlHrPJtFDVIVzTyQylMLu9N9VICA6HSFJo8MCGVTMW6gfpicwKmmK/dAjTOrqu5l63JJOpDSrAis3A==",
+          "dev": true,
+          "requires": {
+            "lru-cache": "^6.0.0"
+          }
+        }
+      }
+    },
+    "@typescript-eslint/visitor-keys": {
+      "version": "5.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-5.48.1.tgz",
+      "integrity": "sha512-Ns0XBwmfuX7ZknznfXozgnydyR8F6ev/KEGePP4i74uL3ArsKbEhJ7raeKr1JSa997DBDwol/4a0Y+At82c9dA==",
+      "dev": true,
+      "requires": {
+        "@typescript-eslint/types": "5.48.1",
+        "eslint-visitor-keys": "^3.3.0"
+      }
+    },
+    "abab": {
+      "version": "2.0.5",
+      "integrity": "sha512-9IK9EadsbHo6jLWIpxpR6pL0sazTXV6+SQv25ZB+F7Bj9mJNaOc4nCRabwd5M/JwmUa8idz6Eci6eKfJryPs6Q==",
+      "dev": true,
+      "peer": true
+    },
+    "acorn": {
+      "version": "7.4.1",
+      "integrity": "sha512-nQyp0o1/mNdbTO1PO6kHkwSrmgZ0MT/jCCpNiwbUjGoRN4dlBhqJtoQuCnEOKzgTVwg0ZWiCoQy6SxMebQVh8A==",
+      "dev": true,
+      "peer": true
+    },
+    "acorn-globals": {
+      "version": "6.0.0",
+      "integrity": "sha512-ZQl7LOWaF5ePqqcX4hLuv/bLXYQNfNWw2c0/yX/TsPRKamzHcTGQnlCjHT3TsmkOUVEPS3crCxiPfdzE/Trlhg==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "acorn": "^7.1.1",
+        "acorn-walk": "^7.1.1"
+      }
+    },
+    "acorn-jsx": {
+      "version": "5.3.2",
+      "resolved": "https://registry.npmjs.org/acorn-jsx/-/acorn-jsx-5.3.2.tgz",
+      "integrity": "sha512-rq9s+JNhf0IChjtDXxllJ7g41oZk5SlXtp0LHwyA5cejwn7vKmKp4pPri6YEePv2PU65sAsegbXtIinmDFDXgQ==",
+      "dev": true,
+      "requires": {}
+    },
+    "acorn-walk": {
+      "version": "7.2.0",
+      "integrity": "sha512-OPdCF6GsMIP+Az+aWfAAOEt2/+iVDKE7oy6lJ098aoe59oAmK76qV6Gw60SbZ8jHuG2wH058GF4pLFbYamYrVA==",
+      "dev": true,
+      "peer": true
+    },
+    "agent-base": {
+      "version": "6.0.2",
+      "integrity": "sha512-RZNwNclF7+MS/8bDg70amg32dyeZGZxiDuQmZxKLAlQjr3jGyLx+4Kkk58UO7D2QdgFIQCovuSuZESne6RG6XQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "debug": "4"
+      }
+    },
+    "aggregate-error": {
+      "version": "3.1.0",
+      "integrity": "sha512-4I7Td01quW/RpocfNayFdFVk1qSuoh0E7JrbRJ16nH01HhKFQ88INq9Sd+nd72zqRySlr9BmDA8xlEJ6vJMrYA==",
+      "dev": true,
+      "requires": {
+        "clean-stack": "^2.0.0",
+        "indent-string": "^4.0.0"
+      }
+    },
+    "ajv": {
+      "version": "6.12.6",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz",
+      "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==",
+      "dev": true,
+      "requires": {
+        "fast-deep-equal": "^3.1.1",
+        "fast-json-stable-stringify": "^2.0.0",
+        "json-schema-traverse": "^0.4.1",
+        "uri-js": "^4.2.2"
+      }
+    },
+    "ansi-colors": {
+      "version": "4.1.1",
+      "integrity": "sha512-JoX0apGbHaUJBNl6yF+p6JAFYZ666/hhCGKN5t9QFjbJQKUU/g8MNbFDbvfrgKXvI1QpZplPOnwIo99lX/AAmA==",
+      "dev": true
+    },
+    "ansi-escapes": {
+      "version": "4.3.2",
+      "integrity": "sha512-gKXj5ALrKWQLsYG9jlTRmR/xKluxHV+Z9QEwNIgCfM1/uwPMCuzVVnh5mwTd+OuBZcwSIMbqssNWRm1lE51QaQ==",
+      "dev": true,
+      "requires": {
+        "type-fest": "^0.21.3"
+      }
+    },
+    "ansi-regex": {
+      "version": "5.0.1",
+      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
+      "dev": true
+    },
+    "ansi-styles": {
+      "version": "4.3.0",
+      "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
+      "dev": true,
+      "requires": {
+        "color-convert": "^2.0.1"
+      }
+    },
+    "anymatch": {
+      "version": "3.1.2",
+      "integrity": "sha512-P43ePfOAIupkguHUycrc4qJ9kz8ZiuOUijaETwX7THt0Y/GNK7v0aa8rY816xWjZ7rJdA5XdMcpVFTKMq+RvWg==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "normalize-path": "^3.0.0",
+        "picomatch": "^2.0.4"
+      }
+    },
+    "argparse": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz",
+      "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==",
+      "dev": true
+    },
+    "aria-query": {
+      "version": "5.1.3",
+      "resolved": "https://registry.npmjs.org/aria-query/-/aria-query-5.1.3.tgz",
+      "integrity": "sha512-R5iJ5lkuHybztUfuOAznmboyjWq8O6sqNqtK7CLOqdydi54VNbORp49mb14KbWgG1QD3JFO9hJdZ+y4KutfdOQ==",
+      "dev": true,
+      "requires": {
+        "deep-equal": "^2.0.5"
+      }
+    },
+    "arr-diff": {
+      "version": "4.0.0",
+      "integrity": "sha1-1kYQdP6/7HHn4VI1dhoyml3HxSA=",
+      "dev": true,
+      "peer": true
+    },
+    "arr-flatten": {
+      "version": "1.1.0",
+      "integrity": "sha512-L3hKV5R/p5o81R7O02IGnwpDmkp6E982XhtbuwSe3O4qOtMMMtodicASA1Cny2U+aCXcNpml+m4dPsvsJ3jatg==",
+      "dev": true,
+      "peer": true
+    },
+    "arr-union": {
+      "version": "3.1.0",
+      "integrity": "sha1-45sJrqne+Gao8gbiiK9jkZuuOcQ=",
+      "dev": true,
+      "peer": true
+    },
+    "array-includes": {
+      "version": "3.1.6",
+      "resolved": "https://registry.npmjs.org/array-includes/-/array-includes-3.1.6.tgz",
+      "integrity": "sha512-sgTbLvL6cNnw24FnbaDyjmvddQ2ML8arZsgaJhoABMoplz/4QRhtrYS+alr1BUM1Bwp6dhx8vVCBSLG+StwOFw==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.4",
+        "es-abstract": "^1.20.4",
+        "get-intrinsic": "^1.1.3",
+        "is-string": "^1.0.7"
+      }
+    },
+    "array-union": {
+      "version": "2.1.0",
+      "integrity": "sha512-HGyxoOTYUyCM6stUe6EJgnd4EoewAI7zMdfqO+kGjnlZmBDz/cR5pf8r/cR4Wq60sL/p0IkcjUEEPwS3GFrIyw==",
+      "dev": true
+    },
+    "array-unique": {
+      "version": "0.3.2",
+      "integrity": "sha1-qJS3XUvE9s1nnvMkSp/Y9Gri1Cg=",
+      "dev": true,
+      "peer": true
+    },
+    "array.prototype.flat": {
+      "version": "1.3.1",
+      "resolved": "https://registry.npmjs.org/array.prototype.flat/-/array.prototype.flat-1.3.1.tgz",
+      "integrity": "sha512-roTU0KWIOmJ4DRLmwKd19Otg0/mT3qPNt0Qb3GWW8iObuZXxrjB/pzn0R3hqpRSWg4HCwqx+0vwOnWnvlOyeIA==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.4",
+        "es-abstract": "^1.20.4",
+        "es-shim-unscopables": "^1.0.0"
+      }
+    },
+    "array.prototype.flatmap": {
+      "version": "1.3.1",
+      "resolved": "https://registry.npmjs.org/array.prototype.flatmap/-/array.prototype.flatmap-1.3.1.tgz",
+      "integrity": "sha512-8UGn9O1FDVvMNB0UlLv4voxRMze7+FpHyF5mSMRjWHUMlpoDViniy05870VlxhfgTnLbpuwTzvD76MTtWxB/mQ==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.4",
+        "es-abstract": "^1.20.4",
+        "es-shim-unscopables": "^1.0.0"
+      }
+    },
+    "array.prototype.tosorted": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/array.prototype.tosorted/-/array.prototype.tosorted-1.1.1.tgz",
+      "integrity": "sha512-pZYPXPRl2PqWcsUs6LOMn+1f1532nEoPTYowBtqLwAW+W8vSVhkIGnmOX1t/UQjD6YGI0vcD2B1U7ZFGQH9jnQ==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.4",
+        "es-abstract": "^1.20.4",
+        "es-shim-unscopables": "^1.0.0",
+        "get-intrinsic": "^1.1.3"
+      }
+    },
+    "arrify": {
+      "version": "1.0.1",
+      "integrity": "sha1-iYUI2iIm84DfkEcoRWhJwVAaSw0=",
+      "dev": true
+    },
+    "assign-symbols": {
+      "version": "1.0.0",
+      "integrity": "sha1-WWZ/QfrdTyDMvCu5a41Pf3jsA2c=",
+      "dev": true,
+      "peer": true
+    },
+    "ast-types-flow": {
+      "version": "0.0.7",
+      "resolved": "https://registry.npmjs.org/ast-types-flow/-/ast-types-flow-0.0.7.tgz",
+      "integrity": "sha512-eBvWn1lvIApYMhzQMsu9ciLfkBY499mFZlNqG+/9WR7PVlroQw0vG30cOQQbaKz3sCEc44TAOu2ykzqXSNnwag==",
+      "dev": true
+    },
+    "astral-regex": {
+      "version": "2.0.0",
+      "integrity": "sha512-Z7tMw1ytTXt5jqMcOP+OQteU1VuNK9Y02uuJtKQ1Sv69jXQKKg5cibLwGJow8yzZP+eAc18EmLGPal0bp36rvQ==",
+      "dev": true
+    },
+    "async": {
+      "version": "0.9.2",
+      "integrity": "sha1-rqdNXmHB+JlhO/ZL2mbUx48v0X0=",
+      "dev": true
+    },
+    "asynckit": {
+      "version": "0.4.0",
+      "integrity": "sha1-x57Zf380y48robyXkLzDZkdLS3k=",
+      "dev": true
+    },
+    "at-least-node": {
+      "version": "1.0.0",
+      "integrity": "sha512-+q/t7Ekv1EDY2l6Gda6LLiX14rU9TV20Wa3ofeQmwPFZbOMo9DXrLbOjFaaclkXKWidIaopwAObQDqwWtGUjqg==",
+      "dev": true
+    },
+    "atob": {
+      "version": "2.1.2",
+      "integrity": "sha512-Wm6ukoaOGJi/73p/cl2GvLjTI5JM1k/O14isD73YML8StrH/7/lRFgmg8nICZgD3bZZvjwCGxtMOD3wWNAu8cg==",
+      "dev": true,
+      "peer": true
+    },
+    "autoprefixer": {
+      "version": "9.8.8",
+      "integrity": "sha512-eM9d/swFopRt5gdJ7jrpCwgvEMIayITpojhkkSMRsFHYuH5bkSQ4p/9qTEHtmNudUZh22Tehu7I6CxAW0IXTKA==",
+      "dev": true,
+      "requires": {
+        "browserslist": "^4.12.0",
+        "caniuse-lite": "^1.0.30001109",
+        "normalize-range": "^0.1.2",
+        "num2fraction": "^1.2.2",
+        "picocolors": "^0.2.1",
+        "postcss": "^7.0.32",
+        "postcss-value-parser": "^4.1.0"
+      },
+      "dependencies": {
+        "postcss": {
+          "version": "7.0.39",
+          "integrity": "sha512-yioayjNbHn6z1/Bywyb2Y4s3yvDAeXGOyxqD+LnVOinq6Mdmd++SW2wUNVzavyyHxd6+DxzWGIuosg6P1Rj8uA==",
+          "dev": true,
+          "requires": {
+            "picocolors": "^0.2.1",
+            "source-map": "^0.6.1"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+          "dev": true
+        }
+      }
+    },
+    "available-typed-arrays": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/available-typed-arrays/-/available-typed-arrays-1.0.5.tgz",
+      "integrity": "sha512-DMD0KiN46eipeziST1LPP/STfDU0sufISXmjSgvVsoU2tqxctQeASejWcfNtxYKqETM1UxQ8sp2OrSBWpHY6sw==",
+      "dev": true
+    },
+    "axe-core": {
+      "version": "4.6.2",
+      "resolved": "https://registry.npmjs.org/axe-core/-/axe-core-4.6.2.tgz",
+      "integrity": "sha512-b1WlTV8+XKLj9gZy2DZXgQiyDp9xkkoe2a6U6UbYccScq2wgH/YwCeI2/Jq2mgo0HzQxqJOjWZBLeA/mqsk5Mg==",
+      "dev": true
+    },
+    "axobject-query": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/axobject-query/-/axobject-query-3.1.1.tgz",
+      "integrity": "sha512-goKlv8DZrK9hUh975fnHzhNIO4jUnFCfv/dszV5VwUGDFjI6vQ2VwoyjYjYNEbBE8AH87TduWP5uyDR1D+Iteg==",
+      "dev": true,
+      "requires": {
+        "deep-equal": "^2.0.5"
+      }
+    },
+    "babel-jest": {
+      "version": "26.6.3",
+      "integrity": "sha512-pl4Q+GAVOHwvjrck6jKjvmGhnO3jHX/xuB9d27f+EJZ/6k+6nMuPjorrYp7s++bKKdANwzElBWnLWaObvTnaZA==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@jest/transform": "^26.6.2",
+        "@jest/types": "^26.6.2",
+        "@types/babel__core": "^7.1.7",
+        "babel-plugin-istanbul": "^6.0.0",
+        "babel-preset-jest": "^26.6.2",
+        "chalk": "^4.0.0",
+        "graceful-fs": "^4.2.4",
+        "slash": "^3.0.0"
+      }
+    },
+    "babel-plugin-istanbul": {
+      "version": "6.0.0",
+      "integrity": "sha512-AF55rZXpe7trmEylbaE1Gv54wn6rwU03aptvRoVIGP8YykoSxqdVLV1TfwflBCE/QtHmqtP8SWlTENqbK8GCSQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.0.0",
+        "@istanbuljs/load-nyc-config": "^1.0.0",
+        "@istanbuljs/schema": "^0.1.2",
+        "istanbul-lib-instrument": "^4.0.0",
+        "test-exclude": "^6.0.0"
+      }
+    },
+    "babel-plugin-jest-hoist": {
+      "version": "26.6.2",
+      "integrity": "sha512-PO9t0697lNTmcEHH69mdtYiOIkkOlj9fySqfO3K1eCcdISevLAE0xY59VLLUj0SoiPiTX/JU2CYFpILydUa5Lw==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@babel/template": "^7.3.3",
+        "@babel/types": "^7.3.3",
+        "@types/babel__core": "^7.0.0",
+        "@types/babel__traverse": "^7.0.6"
+      }
+    },
+    "babel-preset-current-node-syntax": {
+      "version": "1.0.1",
+      "integrity": "sha512-M7LQ0bxarkxQoN+vz5aJPsLBn77n8QgTFmo8WK0/44auK2xlCXrYcUxHFxgU7qW5Yzw/CjmLRK2uJzaCd7LvqQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@babel/plugin-syntax-async-generators": "^7.8.4",
+        "@babel/plugin-syntax-bigint": "^7.8.3",
+        "@babel/plugin-syntax-class-properties": "^7.8.3",
+        "@babel/plugin-syntax-import-meta": "^7.8.3",
+        "@babel/plugin-syntax-json-strings": "^7.8.3",
+        "@babel/plugin-syntax-logical-assignment-operators": "^7.8.3",
+        "@babel/plugin-syntax-nullish-coalescing-operator": "^7.8.3",
+        "@babel/plugin-syntax-numeric-separator": "^7.8.3",
+        "@babel/plugin-syntax-object-rest-spread": "^7.8.3",
+        "@babel/plugin-syntax-optional-catch-binding": "^7.8.3",
+        "@babel/plugin-syntax-optional-chaining": "^7.8.3",
+        "@babel/plugin-syntax-top-level-await": "^7.8.3"
+      }
+    },
+    "babel-preset-jest": {
+      "version": "26.6.2",
+      "integrity": "sha512-YvdtlVm9t3k777c5NPQIv6cxFFFapys25HiUmuSgHwIZhfifweR5c5Sf5nwE3MAbfu327CYSvps8Yx6ANLyleQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "babel-plugin-jest-hoist": "^26.6.2",
+        "babel-preset-current-node-syntax": "^1.0.0"
+      }
+    },
+    "bail": {
+      "version": "1.0.5",
+      "integrity": "sha512-xFbRxM1tahm08yHBP16MMjVUAvDaBMD38zsM9EMAUN61omwLmKlOpB/Zku5QkjZ8TZ4vn53pj+t518cH0S03RQ==",
+      "dev": true
+    },
+    "balanced-match": {
+      "version": "1.0.2",
+      "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
+      "dev": true
+    },
+    "base": {
+      "version": "0.11.2",
+      "integrity": "sha512-5T6P4xPgpp0YDFvSWwEZ4NoE3aM4QBQXDzmVbraCkFj8zHM+mba8SyqB5DbZWyR7mYHo6Y7BdQo3MoA4m0TeQg==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "cache-base": "^1.0.1",
+        "class-utils": "^0.3.5",
+        "component-emitter": "^1.2.1",
+        "define-property": "^1.0.0",
+        "isobject": "^3.0.1",
+        "mixin-deep": "^1.2.0",
+        "pascalcase": "^0.1.1"
+      },
+      "dependencies": {
+        "define-property": {
+          "version": "1.0.0",
+          "integrity": "sha1-dp66rz9KY6rTr56NMEybvnm/sOY=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "is-descriptor": "^1.0.0"
+          }
+        }
+      }
+    },
+    "brace-expansion": {
+      "version": "1.1.11",
+      "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==",
+      "dev": true,
+      "requires": {
+        "balanced-match": "^1.0.0",
+        "concat-map": "0.0.1"
+      }
+    },
+    "braces": {
+      "version": "3.0.2",
+      "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==",
+      "dev": true,
+      "requires": {
+        "fill-range": "^7.0.1"
+      }
+    },
+    "browser-process-hrtime": {
+      "version": "1.0.0",
+      "integrity": "sha512-9o5UecI3GhkpM6DrXr69PblIuWxPKk9Y0jHBRhdocZ2y7YECBFCsHm79Pr3OyR2AvjhDkabFJaDJMYRazHgsow==",
+      "dev": true,
+      "peer": true
+    },
+    "browserslist": {
+      "version": "4.17.3",
+      "integrity": "sha512-59IqHJV5VGdcJZ+GZ2hU5n4Kv3YiASzW6Xk5g9tf5a/MAzGeFwgGWU39fVzNIOVcgB3+Gp+kiQu0HEfTVU/3VQ==",
+      "dev": true,
+      "requires": {
+        "caniuse-lite": "^1.0.30001264",
+        "electron-to-chromium": "^1.3.857",
+        "escalade": "^3.1.1",
+        "node-releases": "^1.1.77",
+        "picocolors": "^0.2.1"
+      }
+    },
+    "bs-logger": {
+      "version": "0.2.6",
+      "integrity": "sha512-pd8DCoxmbgc7hyPKOvxtqNcjYoOsABPQdcCUjGp3d42VR2CX1ORhk2A87oqqu5R1kk+76nsxZupkmyd+MVtCog==",
+      "dev": true,
+      "requires": {
+        "fast-json-stable-stringify": "2.x"
+      }
+    },
+    "bser": {
+      "version": "2.1.1",
+      "integrity": "sha512-gQxTNE/GAfIIrmHLUE3oJyp5FO6HRBfhjnw4/wMmA63ZGDJnWBmgY/lyQBpnDUkGmAhbSe39tx2d/iTOAfglwQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "node-int64": "^0.4.0"
+      }
+    },
+    "buffer-from": {
+      "version": "1.1.2",
+      "integrity": "sha512-E+XQCRwSbaaiChtv6k6Dwgc+bx+Bs6vuKJHHl5kox/BaKbhiXzqQOwK4cO22yElGp2OCmjwVhT3HmxgyPGnJfQ==",
+      "dev": true
+    },
+    "cache-base": {
+      "version": "1.0.1",
+      "integrity": "sha512-AKcdTnFSWATd5/GCPRxr2ChwIJ85CeyrEyjRHlKxQ56d4XJMGym0uAiKn0xbLOGOl3+yRpOTi484dVCEc5AUzQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "collection-visit": "^1.0.0",
+        "component-emitter": "^1.2.1",
+        "get-value": "^2.0.6",
+        "has-value": "^1.0.0",
+        "isobject": "^3.0.1",
+        "set-value": "^2.0.0",
+        "to-object-path": "^0.3.0",
+        "union-value": "^1.0.0",
+        "unset-value": "^1.0.0"
+      }
+    },
+    "call-bind": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/call-bind/-/call-bind-1.0.2.tgz",
+      "integrity": "sha512-7O+FbCihrB5WGbFYesctwmTKae6rOiIzmz1icreWJ+0aA7LJfuqhEso2T9ncpcFtzMQtzXf2QGGueWJGTYsqrA==",
+      "dev": true,
+      "requires": {
+        "function-bind": "^1.1.1",
+        "get-intrinsic": "^1.0.2"
+      }
+    },
+    "callsites": {
+      "version": "3.1.0",
+      "integrity": "sha512-P8BjAsXvZS+VIDUI11hHCQEv74YT67YUi5JJFNWIqL235sBmjX4+qx9Muvls5ivyNENctx46xQLQ3aTuE7ssaQ==",
+      "dev": true
+    },
+    "camelcase": {
+      "version": "5.3.1",
+      "integrity": "sha512-L28STB170nwWS63UjtlEOE3dldQApaJXZkOI1uMFfzf3rRuPegHaHesyee+YxQ+W6SvRDQV6UrdOdRiR153wJg==",
+      "dev": true
+    },
+    "caniuse-lite": {
+      "version": "1.0.30001416",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001416.tgz",
+      "integrity": "sha512-06wzzdAkCPZO+Qm4e/eNghZBDfVNDsCgw33T27OwBH9unE9S478OYw//Q2L7Npf/zBzs7rjZOszIFQkwQKAEqA==",
+      "dev": true
+    },
+    "capture-exit": {
+      "version": "2.0.0",
+      "integrity": "sha512-PiT/hQmTonHhl/HFGN+Lx3JJUznrVYJ3+AQsnthneZbvW7x+f08Tk7yLJTLEOUvBTbduLeeBkxEaYXUOUrRq6g==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "rsvp": "^4.8.4"
+      }
+    },
+    "ccount": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/ccount/-/ccount-1.1.0.tgz",
+      "integrity": "sha512-vlNK021QdI7PNeiUh/lKkC/mNHHfV0m/Ad5JoI0TYtlBnJAslM/JIkm/tGC88bkLIwO6OQ5uV6ztS6kVAtCDlg==",
+      "dev": true
+    },
+    "chalk": {
+      "version": "4.1.0",
+      "integrity": "sha512-qwx12AxXe2Q5xQ43Ac//I6v5aXTipYrSESdOgzrN+9XjgEpyjpKuvSGaN4qE93f7TQTlerQQ8S+EQ0EyDoVL1A==",
+      "dev": true,
+      "requires": {
+        "ansi-styles": "^4.1.0",
+        "supports-color": "^7.1.0"
+      }
+    },
+    "char-regex": {
+      "version": "1.0.2",
+      "integrity": "sha512-kWWXztvZ5SBQV+eRgKFeh8q5sLuZY2+8WUIzlxWVTg+oGwY14qylx1KbKzHd8P6ZYkAg0xyIDU9JMHhyJMZ1jw==",
+      "dev": true,
+      "peer": true
+    },
+    "character-entities": {
+      "version": "1.2.4",
+      "integrity": "sha512-iBMyeEHxfVnIakwOuDXpVkc54HijNgCyQB2w0VfGQThle6NXn50zU6V/u+LDhxHcDUPojn6Kpga3PTAD8W1bQw==",
+      "dev": true
+    },
+    "character-entities-html4": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/character-entities-html4/-/character-entities-html4-1.1.4.tgz",
+      "integrity": "sha512-HRcDxZuZqMx3/a+qrzxdBKBPUpxWEq9xw2OPZ3a/174ihfrQKVsFhqtthBInFy1zZ9GgZyFXOatNujm8M+El3g==",
+      "dev": true
+    },
+    "character-entities-legacy": {
+      "version": "1.1.4",
+      "integrity": "sha512-3Xnr+7ZFS1uxeiUDvV02wQ+QDbc55o97tIV5zHScSPJpcLm/r0DFPcoY3tYRp+VZukxuMeKgXYmsXQHO05zQeA==",
+      "dev": true
+    },
+    "character-reference-invalid": {
+      "version": "1.1.4",
+      "integrity": "sha512-mKKUkUbhPpQlCOfIuZkvSEgktjPFIsZKRRbC6KWVEMvlzblj3i3asQv5ODsrwt0N3pHAEvjP8KTQPHkp0+6jOg==",
+      "dev": true
+    },
+    "chardet": {
+      "version": "0.7.0",
+      "integrity": "sha512-mT8iDcrh03qDGRRmoA2hmBJnxpllMR+0/0qlzjqZES6NdiWDcZkCNAk4rPFZ9Q85r27unkiNNg8ZOiwZXBHwcA==",
+      "dev": true
+    },
+    "ci-info": {
+      "version": "2.0.0",
+      "integrity": "sha512-5tK7EtrZ0N+OLFMthtqOj4fI2Jeb88C4CAZPu25LDVUgXJ0A3Js4PMGqrn0JU1W0Mh1/Z8wZzYPxqUrXeBboCQ==",
+      "dev": true
+    },
+    "cjs-module-lexer": {
+      "version": "0.6.0",
+      "integrity": "sha512-uc2Vix1frTfnuzxxu1Hp4ktSvM3QaI4oXl4ZUqL1wjTu/BGki9TrCWoqLTg/drR1KwAEarXuRFCG2Svr1GxPFw==",
+      "dev": true,
+      "peer": true
+    },
+    "class-utils": {
+      "version": "0.3.6",
+      "integrity": "sha512-qOhPa/Fj7s6TY8H8esGu5QNpMMQxz79h+urzrNYN6mn+9BnxlDGf5QZ+XeCDsxSjPqsSR56XOZOJmpeurnLMeg==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "arr-union": "^3.1.0",
+        "define-property": "^0.2.5",
+        "isobject": "^3.0.0",
+        "static-extend": "^0.1.1"
+      },
+      "dependencies": {
+        "define-property": {
+          "version": "0.2.5",
+          "integrity": "sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "is-descriptor": "^0.1.0"
+          }
+        },
+        "is-accessor-descriptor": {
+          "version": "0.1.6",
+          "integrity": "sha1-qeEss66Nh2cn7u84Q/igiXtcmNY=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "kind-of": "^3.0.2"
+          },
+          "dependencies": {
+            "kind-of": {
+              "version": "3.2.2",
+              "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+              "dev": true,
+              "peer": true,
+              "requires": {
+                "is-buffer": "^1.1.5"
+              }
+            }
+          }
+        },
+        "is-buffer": {
+          "version": "1.1.6",
+          "integrity": "sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==",
+          "dev": true,
+          "peer": true
+        },
+        "is-data-descriptor": {
+          "version": "0.1.4",
+          "integrity": "sha1-C17mSDiOLIYCgueT8YVv7D8wG1Y=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "kind-of": "^3.0.2"
+          },
+          "dependencies": {
+            "kind-of": {
+              "version": "3.2.2",
+              "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+              "dev": true,
+              "peer": true,
+              "requires": {
+                "is-buffer": "^1.1.5"
+              }
+            }
+          }
+        },
+        "is-descriptor": {
+          "version": "0.1.6",
+          "integrity": "sha512-avDYr0SB3DwO9zsMov0gKCESFYqCnE4hq/4z3TdUlukEy5t9C0YRq7HLrsN52NAcqXKaepeCD0n+B0arnVG3Hg==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "is-accessor-descriptor": "^0.1.6",
+            "is-data-descriptor": "^0.1.4",
+            "kind-of": "^5.0.0"
+          }
+        },
+        "kind-of": {
+          "version": "5.1.0",
+          "integrity": "sha512-NGEErnH6F2vUuXDh+OlbcKW7/wOcfdRHaZ7VWtqCztfHri/++YKmP51OdWeGPuqCOba6kk2OTe5d02VmTB80Pw==",
+          "dev": true,
+          "peer": true
+        }
+      }
+    },
+    "clean-stack": {
+      "version": "2.2.0",
+      "integrity": "sha512-4diC9HaTE+KRAMWhDhrGOECgWZxoevMc5TlkObMqNSsVU62PYzXZ/SMTjzyGAFF1YusgxGcSWTEXBhp0CPwQ1A==",
+      "dev": true
+    },
+    "cli-cursor": {
+      "version": "3.1.0",
+      "integrity": "sha512-I/zHAwsKf9FqGoXM4WWRACob9+SNukZTd94DWF57E4toouRulbCxcUh6RKUEOQlYTHJnzkPMySvPNaaSLNfLZw==",
+      "dev": true,
+      "requires": {
+        "restore-cursor": "^3.1.0"
+      }
+    },
+    "cli-truncate": {
+      "version": "2.1.0",
+      "integrity": "sha512-n8fOixwDD6b/ObinzTrp1ZKFzbgvKZvuz/TvejnLn1aQfC6r52XEx85FmuC+3HI+JM7coBRXUvNqEU2PHVrHpg==",
+      "dev": true,
+      "requires": {
+        "slice-ansi": "^3.0.0",
+        "string-width": "^4.2.0"
+      }
+    },
+    "cli-width": {
+      "version": "3.0.0",
+      "integrity": "sha512-FxqpkPPwu1HjuN93Omfm4h8uIanXofW0RxVEW3k5RKx+mJJYSthzNhp32Kzxxy3YAEZ/Dc/EWN1vZRY0+kOhbw==",
+      "dev": true
+    },
+    "cliui": {
+      "version": "6.0.0",
+      "integrity": "sha512-t6wbgtoCXvAzst7QgXxJYqPt0usEfbgQdftEPbLL/cvv6HPE5VgvqCuAIDR0NgU52ds6rFwqrgakNLrHEjCbrQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "string-width": "^4.2.0",
+        "strip-ansi": "^6.0.0",
+        "wrap-ansi": "^6.2.0"
+      },
+      "dependencies": {
+        "wrap-ansi": {
+          "version": "6.2.0",
+          "integrity": "sha512-r6lPcBGxZXlIcymEu7InxDMhdW0KDxpLgoFLcguasxCaJ/SOIZwINatK9KY/tf+ZrlywOKU0UDj3ATXUBfxJXA==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "ansi-styles": "^4.0.0",
+            "string-width": "^4.1.0",
+            "strip-ansi": "^6.0.0"
+          }
+        }
+      }
+    },
+    "clone-regexp": {
+      "version": "2.2.0",
+      "integrity": "sha512-beMpP7BOtTipFuW8hrJvREQ2DrRu3BE7by0ZpibtfBA+qfHYvMGTc2Yb1JMYPKg/JUw0CHYvpg796aNTSW9z7Q==",
+      "dev": true,
+      "requires": {
+        "is-regexp": "^2.0.0"
+      },
+      "dependencies": {
+        "is-regexp": {
+          "version": "2.1.0",
+          "integrity": "sha512-OZ4IlER3zmRIoB9AqNhEggVxqIH4ofDns5nRrPS6yQxXE1TPCUpFznBfRQmQa8uC+pXqjMnukiJBxCisIxiLGA==",
+          "dev": true
+        }
+      }
+    },
+    "co": {
+      "version": "4.6.0",
+      "integrity": "sha1-bqa989hTrlTMuOR7+gvz+QMfsYQ=",
+      "dev": true,
+      "peer": true
+    },
+    "collapse-white-space": {
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/collapse-white-space/-/collapse-white-space-1.0.6.tgz",
+      "integrity": "sha512-jEovNnrhMuqyCcjfEJA56v0Xq8SkIoPKDyaHahwo3POf4qcSXqMYuwNcOTzp74vTsR9Tn08z4MxWqAhcekogkQ==",
+      "dev": true
+    },
+    "collect-v8-coverage": {
+      "version": "1.0.1",
+      "integrity": "sha512-iBPtljfCNcTKNAto0KEtDfZ3qzjJvqE3aTGZsbhjSBlorqpXJlaWWtPO35D+ZImoC3KWejX64o+yPGxhWSTzfg==",
+      "dev": true,
+      "peer": true
+    },
+    "collection-visit": {
+      "version": "1.0.0",
+      "integrity": "sha1-S8A3PBZLwykbTTaMgpzxqApZ3KA=",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "map-visit": "^1.0.0",
+        "object-visit": "^1.0.0"
+      }
+    },
+    "color-convert": {
+      "version": "2.0.1",
+      "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
+      "dev": true,
+      "requires": {
+        "color-name": "~1.1.4"
+      }
+    },
+    "color-name": {
+      "version": "1.1.4",
+      "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==",
+      "dev": true
+    },
+    "colorette": {
+      "version": "1.4.0",
+      "integrity": "sha512-Y2oEozpomLn7Q3HFP7dpww7AtMJplbM9lGZP6RDfHqmbeRjiwRg4n6VM6j4KLmRke85uWEI7JqF17f3pqdRA0g==",
+      "dev": true
+    },
+    "combined-stream": {
+      "version": "1.0.8",
+      "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==",
+      "dev": true,
+      "requires": {
+        "delayed-stream": "~1.0.0"
+      }
+    },
+    "commander": {
+      "version": "7.2.0",
+      "integrity": "sha512-QrWXB+ZQSVPmIWIhtEO9H+gwHaMGYiF5ChvoJ+K9ZGHG/sVsa6yiesAD1GC/x46sET00Xlwo1u49RVVVzvcSkw==",
+      "dev": true
+    },
+    "component-emitter": {
+      "version": "1.3.0",
+      "integrity": "sha512-Rd3se6QB+sO1TwqZjscQrurpEPIfO0/yYnSin6Q/rD3mOutHvUrCAhJub3r90uNb+SESBuE0QYoB90YdfatsRg==",
+      "dev": true,
+      "peer": true
+    },
+    "concat-map": {
+      "version": "0.0.1",
+      "integrity": "sha1-2Klr13/Wjfd5OnMDajug1UBdR3s=",
+      "dev": true
+    },
+    "convert-source-map": {
+      "version": "1.8.0",
+      "integrity": "sha512-+OQdjP49zViI/6i7nIJpA8rAl4sV/JdPfU9nZs3VqOwGIgizICvuN2ru6fMd+4llL0tar18UYJXfZ/TWtmhUjA==",
+      "dev": true,
+      "requires": {
+        "safe-buffer": "~5.1.1"
+      }
+    },
+    "copy-descriptor": {
+      "version": "0.1.1",
+      "integrity": "sha1-Z29us8OZl8LuGsOpJP1hJHSPV40=",
+      "dev": true,
+      "peer": true
+    },
+    "cosmiconfig": {
+      "version": "7.0.1",
+      "integrity": "sha512-a1YWNUV2HwGimB7dU2s1wUMurNKjpx60HxBB6xUM8Re+2s1g1IIfJvFR0/iCF+XHdE0GMTKTuLR32UQff4TEyQ==",
+      "dev": true,
+      "requires": {
+        "@types/parse-json": "^4.0.0",
+        "import-fresh": "^3.2.1",
+        "parse-json": "^5.0.0",
+        "path-type": "^4.0.0",
+        "yaml": "^1.10.0"
+      }
+    },
+    "cross-fetch": {
+      "version": "3.1.4",
+      "integrity": "sha512-1eAtFWdIubi6T4XPy6ei9iUFoKpUkIF971QLN8lIvvvwueI65+Nw5haMNKUwfJxabqlIIDODJKGrQ66gxC0PbQ==",
+      "dev": true,
+      "requires": {
+        "node-fetch": "2.6.1"
+      },
+      "dependencies": {
+        "node-fetch": {
+          "version": "2.6.1",
+          "integrity": "sha512-V4aYg89jEoVRxRb2fJdAg8FHvI7cEyYdVAh94HH0UIK8oJxUfkjlDQN9RbMx+bEjP7+ggMiFRprSti032Oipxw==",
+          "dev": true
+        }
+      }
+    },
+    "cross-spawn": {
+      "version": "7.0.3",
+      "integrity": "sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==",
+      "dev": true,
+      "requires": {
+        "path-key": "^3.1.0",
+        "shebang-command": "^2.0.0",
+        "which": "^2.0.1"
+      }
+    },
+    "cssesc": {
+      "version": "3.0.0",
+      "integrity": "sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg==",
+      "dev": true
+    },
+    "cssom": {
+      "version": "0.4.4",
+      "integrity": "sha512-p3pvU7r1MyyqbTk+WbNJIgJjG2VmTIaB10rI93LzVPrmDJKkzKYMtxxyAvQXR/NS6otuzveI7+7BBq3SjBS2mw==",
+      "dev": true,
+      "peer": true
+    },
+    "cssstyle": {
+      "version": "2.3.0",
+      "integrity": "sha512-AZL67abkUzIuvcHqk7c09cezpGNcxUxU4Ioi/05xHk4DQeTkWmGYftIE6ctU6AEt+Gn4n1lDStOtj7FKycP71A==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "cssom": "~0.3.6"
+      },
+      "dependencies": {
+        "cssom": {
+          "version": "0.3.8",
+          "integrity": "sha512-b0tGHbfegbhPJpxpiBPU2sCkigAqtM9O121le6bbOlgyV+NyGyCmVfJ6QW9eRjz8CpNfWEOYBIMIGRYkLwsIYg==",
+          "dev": true,
+          "peer": true
+        }
+      }
+    },
+    "damerau-levenshtein": {
+      "version": "1.0.8",
+      "resolved": "https://registry.npmjs.org/damerau-levenshtein/-/damerau-levenshtein-1.0.8.tgz",
+      "integrity": "sha512-sdQSFB7+llfUcQHUQO3+B8ERRj0Oa4w9POWMI/puGtuf7gFywGmkaLCElnudfTiKZV+NvHqL0ifzdrI8Ro7ESA==",
+      "dev": true
+    },
+    "dart-linkcheck": {
+      "version": "2.0.15",
+      "integrity": "sha512-ZMvxkAyEpBTvBFk+DPjcK0ObNy8GM4gmrGG1qIu0EXb/zj25vjRWNnhLHKZw4JlOLo02oWlwDeqo98GuBlJcIg==",
+      "dev": true
+    },
+    "data-urls": {
+      "version": "2.0.0",
+      "integrity": "sha512-X5eWTSXO/BJmpdIKCRuKUgSCgAN0OwliVK3yPKbwIWU1Tdw5BRajxlzMidvh+gwko9AfQ9zIj52pzF91Q3YAvQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "abab": "^2.0.3",
+        "whatwg-mimetype": "^2.3.0",
+        "whatwg-url": "^8.0.0"
+      }
+    },
+    "debug": {
+      "version": "4.3.4",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
+      "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==",
+      "dev": true,
+      "requires": {
+        "ms": "2.1.2"
+      }
+    },
+    "decamelize": {
+      "version": "1.2.0",
+      "integrity": "sha1-9lNNFRSCabIDUue+4m9QH5oZEpA=",
+      "dev": true
+    },
+    "decamelize-keys": {
+      "version": "1.1.0",
+      "integrity": "sha1-0XGoeTMlKAfrPLYdwcFEXQeN8tk=",
+      "dev": true,
+      "requires": {
+        "decamelize": "^1.1.0",
+        "map-obj": "^1.0.0"
+      }
+    },
+    "decimal.js": {
+      "version": "10.3.1",
+      "integrity": "sha512-V0pfhfr8suzyPGOx3nmq4aHqabehUZn6Ch9kyFpV79TGDTWFmHqUqXdabR7QHqxzrYolF4+tVmJhUG4OURg5dQ==",
+      "dev": true,
+      "peer": true
+    },
+    "decode-uri-component": {
+      "version": "0.2.0",
+      "integrity": "sha1-6zkTMzRYd1y4TNGh+uBiEGu4dUU=",
+      "dev": true,
+      "peer": true
+    },
+    "deep-equal": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/deep-equal/-/deep-equal-2.2.0.tgz",
+      "integrity": "sha512-RdpzE0Hv4lhowpIUKKMJfeH6C1pXdtT1/it80ubgWqwI3qpuxUBpC1S4hnHg+zjnuOoDkzUtUCEEkG+XG5l3Mw==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2",
+        "es-get-iterator": "^1.1.2",
+        "get-intrinsic": "^1.1.3",
+        "is-arguments": "^1.1.1",
+        "is-array-buffer": "^3.0.1",
+        "is-date-object": "^1.0.5",
+        "is-regex": "^1.1.4",
+        "is-shared-array-buffer": "^1.0.2",
+        "isarray": "^2.0.5",
+        "object-is": "^1.1.5",
+        "object-keys": "^1.1.1",
+        "object.assign": "^4.1.4",
+        "regexp.prototype.flags": "^1.4.3",
+        "side-channel": "^1.0.4",
+        "which-boxed-primitive": "^1.0.2",
+        "which-collection": "^1.0.1",
+        "which-typed-array": "^1.1.9"
+      },
+      "dependencies": {
+        "isarray": {
+          "version": "2.0.5",
+          "resolved": "https://registry.npmjs.org/isarray/-/isarray-2.0.5.tgz",
+          "integrity": "sha512-xHjhDr3cNBK0BzdUJSPXZntQUx/mwMS5Rw4A7lPJ90XGAO6ISP/ePDNuo0vhqOZU+UD5JoodwCAAoZQd3FeAKw==",
+          "dev": true
+        }
+      }
+    },
+    "deep-is": {
+      "version": "0.1.4",
+      "integrity": "sha512-oIPzksmTg4/MriiaYGO+okXDT7ztn/w3Eptv/+gSIdMdKsJo0u4CfYNFJPy+4SKMuCqGw2wxnA+URMg3t8a/bQ==",
+      "dev": true
+    },
+    "define-lazy-prop": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/define-lazy-prop/-/define-lazy-prop-2.0.0.tgz",
+      "integrity": "sha512-Ds09qNh8yw3khSjiJjiUInaGX9xlqZDY7JVryGxdxV7NPeuqQfplOpQ66yJFZut3jLa5zOwkXw1g9EI2uKh4Og==",
+      "dev": true
+    },
+    "define-properties": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/define-properties/-/define-properties-1.1.4.tgz",
+      "integrity": "sha512-uckOqKcfaVvtBdsVkdPv3XjveQJsNQqmhXgRi8uhvWWuPYZCNlzT8qAyblUgNoXdHdjMTzAqeGjAoli8f+bzPA==",
+      "dev": true,
+      "requires": {
+        "has-property-descriptors": "^1.0.0",
+        "object-keys": "^1.1.1"
+      }
+    },
+    "define-property": {
+      "version": "2.0.2",
+      "integrity": "sha512-jwK2UV4cnPpbcG7+VRARKTZPUWowwXA8bzH5NP6ud0oeAxyYPuGZUAC7hMugpCdz4BeSZl2Dl9k66CHJ/46ZYQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "is-descriptor": "^1.0.2",
+        "isobject": "^3.0.1"
+      }
+    },
+    "delayed-stream": {
+      "version": "1.0.0",
+      "integrity": "sha1-3zrhmayt+31ECqrgsp4icrJOxhk=",
+      "dev": true
+    },
+    "detect-newline": {
+      "version": "3.1.0",
+      "integrity": "sha512-TLz+x/vEXm/Y7P7wn1EJFNLxYpUD4TgMosxY6fAVJUnJMbupHBOncxyWUG9OpTaH9EBD7uFI5LfEgmMOc54DsA==",
+      "dev": true,
+      "peer": true
+    },
+    "diff-sequences": {
+      "version": "26.6.2",
+      "integrity": "sha512-Mv/TDa3nZ9sbc5soK+OoA74BsS3mL37yixCvUAQkiuA4Wz6YtwP/K47n2rv2ovzHZvoiQeA5FTQOschKkEwB0Q==",
+      "dev": true,
+      "peer": true
+    },
+    "dir-glob": {
+      "version": "3.0.1",
+      "integrity": "sha512-WkrWp9GR4KXfKGYzOLmTuGVi1UWFfws377n9cc55/tb6DuqyF6pcQ5AbiHEshaDpY9v6oaSr2XCDidGmMwdzIA==",
+      "dev": true,
+      "requires": {
+        "path-type": "^4.0.0"
+      }
+    },
+    "doctrine": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/doctrine/-/doctrine-3.0.0.tgz",
+      "integrity": "sha512-yS+Q5i3hBf7GBkd4KG8a7eBNNWNGLTaEwwYWUijIYM7zrlYDM0BFXHjjPWlWZ1Rg7UaddZeIDmi9jF3HmqiQ2w==",
+      "dev": true,
+      "requires": {
+        "esutils": "^2.0.2"
+      }
+    },
+    "dom-serializer": {
+      "version": "0.2.2",
+      "integrity": "sha512-2/xPb3ORsQ42nHYiSunXkDjPLBaEj/xTwUO4B7XCZQTRk7EBtTOPaygh10YAAh2OI1Qrp6NWfpAhzswj0ydt9g==",
+      "dev": true,
+      "requires": {
+        "domelementtype": "^2.0.1",
+        "entities": "^2.0.0"
+      },
+      "dependencies": {
+        "domelementtype": {
+          "version": "2.2.0",
+          "integrity": "sha512-DtBMo82pv1dFtUmHyr48beiuq792Sxohr+8Hm9zoxklYPfa6n0Z3Byjj2IV7bmr2IyqClnqEQhfgHJJ5QF0R5A==",
+          "dev": true
+        },
+        "entities": {
+          "version": "2.2.0",
+          "integrity": "sha512-p92if5Nz619I0w+akJrLZH0MX0Pb5DX39XOwQTtXSdQQOaYH03S1uIQp4mhOZtAXrxq4ViO67YTiLBo2638o9A==",
+          "dev": true
+        }
+      }
+    },
+    "domelementtype": {
+      "version": "1.3.1",
+      "integrity": "sha512-BSKB+TSpMpFI/HOxCNr1O8aMOTZ8hT3pM3GQ0w/mWRmkhEDSFJkkyzz4XQsBV44BChwGkrDfMyjVD0eA2aFV3w==",
+      "dev": true
+    },
+    "domexception": {
+      "version": "2.0.1",
+      "integrity": "sha512-yxJ2mFy/sibVQlu5qHjOkf9J3K6zgmCxgJ94u2EdvDOV09H+32LtRswEcUsmUWN72pVLOEnTSRaIVVzVQgS0dg==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "webidl-conversions": "^5.0.0"
+      },
+      "dependencies": {
+        "webidl-conversions": {
+          "version": "5.0.0",
+          "integrity": "sha512-VlZwKPCkYKxQgeSbH5EyngOmRp7Ww7I9rQLERETtf5ofd9pGeswWiOtogpEO850jziPRarreGxn5QIiTqpb2wA==",
+          "dev": true,
+          "peer": true
+        }
+      }
+    },
+    "domhandler": {
+      "version": "2.4.2",
+      "integrity": "sha512-JiK04h0Ht5u/80fdLMCEmV4zkNh2BcoMFBmZ/91WtYZ8qVXSKjiw7fXMgFPnHcSZgOo3XdinHvmnDUeMf5R4wA==",
+      "dev": true,
+      "requires": {
+        "domelementtype": "1"
+      }
+    },
+    "domutils": {
+      "version": "1.7.0",
+      "integrity": "sha512-Lgd2XcJ/NjEw+7tFvfKxOzCYKZsdct5lczQ2ZaQY8Djz7pfAD3Gbp8ySJWtreII/vDlMVmxwa6pHmdxIYgttDg==",
+      "dev": true,
+      "requires": {
+        "dom-serializer": "0",
+        "domelementtype": "1"
+      }
+    },
+    "eastasianwidth": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/eastasianwidth/-/eastasianwidth-0.2.0.tgz",
+      "integrity": "sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==",
+      "dev": true
+    },
+    "ejs": {
+      "version": "3.1.5",
+      "integrity": "sha512-dldq3ZfFtgVTJMLjOe+/3sROTzALlL9E34V4/sDtUd/KlBSS0s6U1/+WPE1B4sj9CXHJpL1M6rhNJnc9Wbal9w==",
+      "dev": true,
+      "requires": {
+        "jake": "^10.6.1"
+      }
+    },
+    "electron-to-chromium": {
+      "version": "1.3.865",
+      "integrity": "sha512-okGcCKfihgGlaROMFNPQ6eaU3bk9Xa68rLYSnVD2PyIqM5B/vyQoXCpB3p1HI3AXio097ROVBlSO4JZVilUWuA==",
+      "dev": true
+    },
+    "emittery": {
+      "version": "0.7.2",
+      "integrity": "sha512-A8OG5SR/ij3SsJdWDJdkkSYUjQdCUx6APQXem0SaEePBSRg4eymGYwBkKo1Y6DU+af/Jn2dBQqDBvjnr9Vi8nQ==",
+      "dev": true,
+      "peer": true
+    },
+    "emoji-regex": {
+      "version": "9.2.2",
+      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-9.2.2.tgz",
+      "integrity": "sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==",
+      "dev": true
+    },
+    "end-of-stream": {
+      "version": "1.4.4",
+      "integrity": "sha512-+uw1inIHVPQoaVuHzRyXd21icM+cnt4CzD5rW+NC1wjOUSTOs+Te7FOv7AhN7vS9x/oIyhLP5PR1H+phQAHu5Q==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "once": "^1.4.0"
+      }
+    },
+    "enhanced-resolve": {
+      "version": "5.12.0",
+      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.12.0.tgz",
+      "integrity": "sha512-QHTXI/sZQmko1cbDoNAa3mJ5qhWUUNAq3vR0/YiD379fWQrcfuoX1+HW2S0MTt7XmoPLapdaDKUtelUSPic7hQ==",
+      "dev": true,
+      "requires": {
+        "graceful-fs": "^4.2.4",
+        "tapable": "^2.2.0"
+      }
+    },
+    "enquirer": {
+      "version": "2.3.6",
+      "integrity": "sha512-yjNnPr315/FjS4zIsUxYguYUPP2e1NK4d7E7ZOLiyYCcbFBiTMyID+2wvm2w6+pZ/odMA7cRkjhsPbltwBOrLg==",
+      "dev": true,
+      "requires": {
+        "ansi-colors": "^4.1.1"
+      }
+    },
+    "entities": {
+      "version": "1.1.2",
+      "integrity": "sha512-f2LZMYl1Fzu7YSBKg+RoROelpOaNrcGmE9AZubeDfrCEia483oW4MI4VyFd5VNHIgQ/7qm1I0wUHK1eJnn2y2w==",
+      "dev": true
+    },
+    "error-ex": {
+      "version": "1.3.2",
+      "integrity": "sha512-7dFHNmqeFSEt2ZBsCriorKnn3Z2pj+fd9kmI6QoWw4//DL+icEBfc0U7qJCisqrTsKTjw4fNFy2pW9OqStD84g==",
+      "dev": true,
+      "requires": {
+        "is-arrayish": "^0.2.1"
+      }
+    },
+    "es-abstract": {
+      "version": "1.21.1",
+      "resolved": "https://registry.npmjs.org/es-abstract/-/es-abstract-1.21.1.tgz",
+      "integrity": "sha512-QudMsPOz86xYz/1dG1OuGBKOELjCh99IIWHLzy5znUB6j8xG2yMA7bfTV86VSqKF+Y/H08vQPR+9jyXpuC6hfg==",
+      "dev": true,
+      "requires": {
+        "available-typed-arrays": "^1.0.5",
+        "call-bind": "^1.0.2",
+        "es-set-tostringtag": "^2.0.1",
+        "es-to-primitive": "^1.2.1",
+        "function-bind": "^1.1.1",
+        "function.prototype.name": "^1.1.5",
+        "get-intrinsic": "^1.1.3",
+        "get-symbol-description": "^1.0.0",
+        "globalthis": "^1.0.3",
+        "gopd": "^1.0.1",
+        "has": "^1.0.3",
+        "has-property-descriptors": "^1.0.0",
+        "has-proto": "^1.0.1",
+        "has-symbols": "^1.0.3",
+        "internal-slot": "^1.0.4",
+        "is-array-buffer": "^3.0.1",
+        "is-callable": "^1.2.7",
+        "is-negative-zero": "^2.0.2",
+        "is-regex": "^1.1.4",
+        "is-shared-array-buffer": "^1.0.2",
+        "is-string": "^1.0.7",
+        "is-typed-array": "^1.1.10",
+        "is-weakref": "^1.0.2",
+        "object-inspect": "^1.12.2",
+        "object-keys": "^1.1.1",
+        "object.assign": "^4.1.4",
+        "regexp.prototype.flags": "^1.4.3",
+        "safe-regex-test": "^1.0.0",
+        "string.prototype.trimend": "^1.0.6",
+        "string.prototype.trimstart": "^1.0.6",
+        "typed-array-length": "^1.0.4",
+        "unbox-primitive": "^1.0.2",
+        "which-typed-array": "^1.1.9"
+      }
+    },
+    "es-get-iterator": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/es-get-iterator/-/es-get-iterator-1.1.3.tgz",
+      "integrity": "sha512-sPZmqHBe6JIiTfN5q2pEi//TwxmAFHwj/XEuYjTuse78i8KxaqMTTzxPoFKuzRpDpTJ+0NAbpfenkmH2rePtuw==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2",
+        "get-intrinsic": "^1.1.3",
+        "has-symbols": "^1.0.3",
+        "is-arguments": "^1.1.1",
+        "is-map": "^2.0.2",
+        "is-set": "^2.0.2",
+        "is-string": "^1.0.7",
+        "isarray": "^2.0.5",
+        "stop-iteration-iterator": "^1.0.0"
+      },
+      "dependencies": {
+        "isarray": {
+          "version": "2.0.5",
+          "resolved": "https://registry.npmjs.org/isarray/-/isarray-2.0.5.tgz",
+          "integrity": "sha512-xHjhDr3cNBK0BzdUJSPXZntQUx/mwMS5Rw4A7lPJ90XGAO6ISP/ePDNuo0vhqOZU+UD5JoodwCAAoZQd3FeAKw==",
+          "dev": true
+        }
+      }
+    },
+    "es-set-tostringtag": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/es-set-tostringtag/-/es-set-tostringtag-2.0.1.tgz",
+      "integrity": "sha512-g3OMbtlwY3QewlqAiMLI47KywjWZoEytKr8pf6iTC8uJq5bIAH52Z9pnQ8pVL6whrCto53JZDuUIsifGeLorTg==",
+      "dev": true,
+      "requires": {
+        "get-intrinsic": "^1.1.3",
+        "has": "^1.0.3",
+        "has-tostringtag": "^1.0.0"
+      }
+    },
+    "es-shim-unscopables": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/es-shim-unscopables/-/es-shim-unscopables-1.0.0.tgz",
+      "integrity": "sha512-Jm6GPcCdC30eMLbZ2x8z2WuRwAws3zTBBKuusffYVUrNj/GVSUAZ+xKMaUpfNDR5IbyNA5LJbaecoUVbmUcB1w==",
+      "dev": true,
+      "requires": {
+        "has": "^1.0.3"
+      }
+    },
+    "es-to-primitive": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/es-to-primitive/-/es-to-primitive-1.2.1.tgz",
+      "integrity": "sha512-QCOllgZJtaUo9miYBcLChTUaHNjJF3PYs1VidD7AwiEj1kYxKeQTctLAezAOH5ZKRH0g2IgPn6KwB4IT8iRpvA==",
+      "dev": true,
+      "requires": {
+        "is-callable": "^1.1.4",
+        "is-date-object": "^1.0.1",
+        "is-symbol": "^1.0.2"
+      }
+    },
+    "escalade": {
+      "version": "3.1.1",
+      "integrity": "sha512-k0er2gUkLf8O0zKJiAhmkTnJlTvINGv7ygDNPbeIsX/TJjGJZHuh9B2UxbsaEkmlEo9MfhrSzmhIlhRlI2GXnw==",
+      "dev": true
+    },
+    "escape-string-regexp": {
+      "version": "1.0.5",
+      "integrity": "sha1-G2HAViGQqN/2rjuyzwIAyhMLhtQ=",
+      "dev": true
+    },
+    "escodegen": {
+      "version": "2.0.0",
+      "integrity": "sha512-mmHKys/C8BFUGI+MAWNcSYoORYLMdPzjrknd2Vc+bUsjN5bXcr8EhrNB+UTqfL1y3I9c4fw2ihgtMPQLBRiQxw==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "esprima": "^4.0.1",
+        "estraverse": "^5.2.0",
+        "esutils": "^2.0.2",
+        "optionator": "^0.8.1",
+        "source-map": "~0.6.1"
+      },
+      "dependencies": {
+        "levn": {
+          "version": "0.3.0",
+          "integrity": "sha1-OwmSTt+fCDwEkP3UwLxEIeBHZO4=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "prelude-ls": "~1.1.2",
+            "type-check": "~0.3.2"
+          }
+        },
+        "optionator": {
+          "version": "0.8.3",
+          "integrity": "sha512-+IW9pACdk3XWmmTXG8m3upGUJst5XRGzxMRjXzAuJ1XnIFNvfhjjIuYkDvysnPQ7qzqVzLt78BCruntqRhWQbA==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "deep-is": "~0.1.3",
+            "fast-levenshtein": "~2.0.6",
+            "levn": "~0.3.0",
+            "prelude-ls": "~1.1.2",
+            "type-check": "~0.3.2",
+            "word-wrap": "~1.2.3"
+          }
+        },
+        "prelude-ls": {
+          "version": "1.1.2",
+          "integrity": "sha1-IZMqVJ9eUv/ZqCf1cOBL5iqX2lQ=",
+          "dev": true,
+          "peer": true
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+          "dev": true,
+          "optional": true,
+          "peer": true
+        },
+        "type-check": {
+          "version": "0.3.2",
+          "integrity": "sha1-WITKtRLPHTVeP7eE8wgEsrUg23I=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "prelude-ls": "~1.1.2"
+          }
+        }
+      }
+    },
+    "eslint": {
+      "version": "8.31.0",
+      "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.31.0.tgz",
+      "integrity": "sha512-0tQQEVdmPZ1UtUKXjX7EMm9BlgJ08G90IhWh0PKDCb3ZLsgAOHI8fYSIzYVZej92zsgq+ft0FGsxhJ3xo2tbuA==",
+      "dev": true,
+      "requires": {
+        "@eslint/eslintrc": "^1.4.1",
+        "@humanwhocodes/config-array": "^0.11.8",
+        "@humanwhocodes/module-importer": "^1.0.1",
+        "@nodelib/fs.walk": "^1.2.8",
+        "ajv": "^6.10.0",
+        "chalk": "^4.0.0",
+        "cross-spawn": "^7.0.2",
+        "debug": "^4.3.2",
+        "doctrine": "^3.0.0",
+        "escape-string-regexp": "^4.0.0",
+        "eslint-scope": "^7.1.1",
+        "eslint-utils": "^3.0.0",
+        "eslint-visitor-keys": "^3.3.0",
+        "espree": "^9.4.0",
+        "esquery": "^1.4.0",
+        "esutils": "^2.0.2",
+        "fast-deep-equal": "^3.1.3",
+        "file-entry-cache": "^6.0.1",
+        "find-up": "^5.0.0",
+        "glob-parent": "^6.0.2",
+        "globals": "^13.19.0",
+        "grapheme-splitter": "^1.0.4",
+        "ignore": "^5.2.0",
+        "import-fresh": "^3.0.0",
+        "imurmurhash": "^0.1.4",
+        "is-glob": "^4.0.0",
+        "is-path-inside": "^3.0.3",
+        "js-sdsl": "^4.1.4",
+        "js-yaml": "^4.1.0",
+        "json-stable-stringify-without-jsonify": "^1.0.1",
+        "levn": "^0.4.1",
+        "lodash.merge": "^4.6.2",
+        "minimatch": "^3.1.2",
+        "natural-compare": "^1.4.0",
+        "optionator": "^0.9.1",
+        "regexpp": "^3.2.0",
+        "strip-ansi": "^6.0.1",
+        "strip-json-comments": "^3.1.0",
+        "text-table": "^0.2.0"
+      },
+      "dependencies": {
+        "escape-string-regexp": {
+          "version": "4.0.0",
+          "resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-4.0.0.tgz",
+          "integrity": "sha512-TtpcNJ3XAzx3Gq8sWRzJaVajRs0uVxA2YAkdb1jm2YkPz4G6egUFAyA3n5vtEIZefPk5Wa4UXbKuS5fKkJWdgA==",
+          "dev": true
+        },
+        "eslint-scope": {
+          "version": "7.1.1",
+          "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-7.1.1.tgz",
+          "integrity": "sha512-QKQM/UXpIiHcLqJ5AOyIW7XZmzjkzQXYE54n1++wb0u9V/abW3l9uQnxX8Z5Xd18xyKIMTUAyQ0k1e8pz6LUrw==",
+          "dev": true,
+          "requires": {
+            "esrecurse": "^4.3.0",
+            "estraverse": "^5.2.0"
+          }
+        },
+        "find-up": {
+          "version": "5.0.0",
+          "resolved": "https://registry.npmjs.org/find-up/-/find-up-5.0.0.tgz",
+          "integrity": "sha512-78/PXT1wlLLDgTzDs7sjq9hzz0vXD+zn+7wypEe4fXQxCmdmqfGsEPQxmiCSQI3ajFV91bVSsvNtrJRiW6nGng==",
+          "dev": true,
+          "requires": {
+            "locate-path": "^6.0.0",
+            "path-exists": "^4.0.0"
+          }
+        },
+        "glob-parent": {
+          "version": "6.0.2",
+          "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-6.0.2.tgz",
+          "integrity": "sha512-XxwI8EOhVQgWp6iDL+3b0r86f4d6AX6zSU55HfB4ydCEuXLXc5FcYeOu+nnGftS4TEju/11rt4KJPTMgbfmv4A==",
+          "dev": true,
+          "requires": {
+            "is-glob": "^4.0.3"
+          }
+        },
+        "globals": {
+          "version": "13.19.0",
+          "resolved": "https://registry.npmjs.org/globals/-/globals-13.19.0.tgz",
+          "integrity": "sha512-dkQ957uSRWHw7CFXLUtUHQI3g3aWApYhfNR2O6jn/907riyTYKVBmxYVROkBcY614FSSeSJh7Xm7SrUWCxvJMQ==",
+          "dev": true,
+          "requires": {
+            "type-fest": "^0.20.2"
+          }
+        },
+        "locate-path": {
+          "version": "6.0.0",
+          "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-6.0.0.tgz",
+          "integrity": "sha512-iPZK6eYjbxRu3uB4/WZ3EsEIMJFMqAoopl3R+zuq0UjcAm/MO6KCweDgPfP3elTztoKP3KtnVHxTn2NHBSDVUw==",
+          "dev": true,
+          "requires": {
+            "p-locate": "^5.0.0"
+          }
+        },
+        "p-locate": {
+          "version": "5.0.0",
+          "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-5.0.0.tgz",
+          "integrity": "sha512-LaNjtRWUBY++zB5nE/NwcaoMylSPk+S+ZHNB1TzdbMJMny6dynpAGt7X/tl/QYq3TIeE6nxHppbo2LGymrG5Pw==",
+          "dev": true,
+          "requires": {
+            "p-limit": "^3.0.2"
+          }
+        },
+        "path-exists": {
+          "version": "4.0.0",
+          "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-4.0.0.tgz",
+          "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==",
+          "dev": true
+        },
+        "type-fest": {
+          "version": "0.20.2",
+          "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-0.20.2.tgz",
+          "integrity": "sha512-Ne+eE4r0/iWnpAxD852z3A+N0Bt5RN//NjJwRd2VFHEmrywxf5vsZlh4R6lixl6B+wz/8d+maTSAkN1FIkI3LQ==",
+          "dev": true
+        }
+      }
+    },
+    "eslint-config-next": {
+      "version": "13.1.2",
+      "resolved": "https://registry.npmjs.org/eslint-config-next/-/eslint-config-next-13.1.2.tgz",
+      "integrity": "sha512-zdRAQOr8v69ZwJRtBrGqAqm160ONqKxU/pV1FB1KlgfyqveGsLZmlQ7l31otwtw763901J7xdiTVkj2y3YxXZA==",
+      "dev": true,
+      "requires": {
+        "@next/eslint-plugin-next": "13.1.2",
+        "@rushstack/eslint-patch": "^1.1.3",
+        "@typescript-eslint/parser": "^5.42.0",
+        "eslint-import-resolver-node": "^0.3.6",
+        "eslint-import-resolver-typescript": "^3.5.2",
+        "eslint-plugin-import": "^2.26.0",
+        "eslint-plugin-jsx-a11y": "^6.5.1",
+        "eslint-plugin-react": "^7.31.7",
+        "eslint-plugin-react-hooks": "^4.5.0"
+      }
+    },
+    "eslint-config-prettier": {
+      "version": "8.6.0",
+      "resolved": "https://registry.npmjs.org/eslint-config-prettier/-/eslint-config-prettier-8.6.0.tgz",
+      "integrity": "sha512-bAF0eLpLVqP5oEVUFKpMA+NnRFICwn9X8B5jrR9FcqnYBuPbqWEjTEspPWMj5ye6czoSLDweCzSo3Ko7gGrZaA==",
+      "dev": true,
+      "requires": {}
+    },
+    "eslint-import-resolver-node": {
+      "version": "0.3.7",
+      "resolved": "https://registry.npmjs.org/eslint-import-resolver-node/-/eslint-import-resolver-node-0.3.7.tgz",
+      "integrity": "sha512-gozW2blMLJCeFpBwugLTGyvVjNoeo1knonXAcatC6bjPBZitotxdWf7Gimr25N4c0AAOo4eOUfaG82IJPDpqCA==",
+      "dev": true,
+      "requires": {
+        "debug": "^3.2.7",
+        "is-core-module": "^2.11.0",
+        "resolve": "^1.22.1"
+      },
+      "dependencies": {
+        "debug": {
+          "version": "3.2.7",
+          "resolved": "https://registry.npmjs.org/debug/-/debug-3.2.7.tgz",
+          "integrity": "sha512-CFjzYYAi4ThfiQvizrFQevTTXHtnCqWfe7x1AhgEscTz6ZbLbfoLRLPugTQyBth6f8ZERVUSyWHFD/7Wu4t1XQ==",
+          "dev": true,
+          "requires": {
+            "ms": "^2.1.1"
+          }
+        },
+        "resolve": {
+          "version": "1.22.1",
+          "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.1.tgz",
+          "integrity": "sha512-nBpuuYuY5jFsli/JIs1oldw6fOQCBioohqWZg/2hiaOybXOft4lonv85uDOKXdf8rhyK159cxU5cDcK/NKk8zw==",
+          "dev": true,
+          "requires": {
+            "is-core-module": "^2.9.0",
+            "path-parse": "^1.0.7",
+            "supports-preserve-symlinks-flag": "^1.0.0"
+          }
+        }
+      }
+    },
+    "eslint-import-resolver-typescript": {
+      "version": "3.5.3",
+      "resolved": "https://registry.npmjs.org/eslint-import-resolver-typescript/-/eslint-import-resolver-typescript-3.5.3.tgz",
+      "integrity": "sha512-njRcKYBc3isE42LaTcJNVANR3R99H9bAxBDMNDr2W7yq5gYPxbU3MkdhsQukxZ/Xg9C2vcyLlDsbKfRDg0QvCQ==",
+      "dev": true,
+      "requires": {
+        "debug": "^4.3.4",
+        "enhanced-resolve": "^5.10.0",
+        "get-tsconfig": "^4.2.0",
+        "globby": "^13.1.2",
+        "is-core-module": "^2.10.0",
+        "is-glob": "^4.0.3",
+        "synckit": "^0.8.4"
+      },
+      "dependencies": {
+        "globby": {
+          "version": "13.1.3",
+          "resolved": "https://registry.npmjs.org/globby/-/globby-13.1.3.tgz",
+          "integrity": "sha512-8krCNHXvlCgHDpegPzleMq07yMYTO2sXKASmZmquEYWEmCx6J5UTRbp5RwMJkTJGtcQ44YpiUYUiN0b9mzy8Bw==",
+          "dev": true,
+          "requires": {
+            "dir-glob": "^3.0.1",
+            "fast-glob": "^3.2.11",
+            "ignore": "^5.2.0",
+            "merge2": "^1.4.1",
+            "slash": "^4.0.0"
+          }
+        },
+        "slash": {
+          "version": "4.0.0",
+          "resolved": "https://registry.npmjs.org/slash/-/slash-4.0.0.tgz",
+          "integrity": "sha512-3dOsAHXXUkQTpOYcoAxLIorMTp4gIQr5IW3iVb7A7lFIp0VHhnynm9izx6TssdrIcVIESAlVjtnO2K8bg+Coew==",
+          "dev": true
+        }
+      }
+    },
+    "eslint-module-utils": {
+      "version": "2.7.4",
+      "resolved": "https://registry.npmjs.org/eslint-module-utils/-/eslint-module-utils-2.7.4.tgz",
+      "integrity": "sha512-j4GT+rqzCoRKHwURX7pddtIPGySnX9Si/cgMI5ztrcqOPtk5dDEeZ34CQVPphnqkJytlc97Vuk05Um2mJ3gEQA==",
+      "dev": true,
+      "requires": {
+        "debug": "^3.2.7"
+      },
+      "dependencies": {
+        "debug": {
+          "version": "3.2.7",
+          "resolved": "https://registry.npmjs.org/debug/-/debug-3.2.7.tgz",
+          "integrity": "sha512-CFjzYYAi4ThfiQvizrFQevTTXHtnCqWfe7x1AhgEscTz6ZbLbfoLRLPugTQyBth6f8ZERVUSyWHFD/7Wu4t1XQ==",
+          "dev": true,
+          "requires": {
+            "ms": "^2.1.1"
+          }
+        }
+      }
+    },
+    "eslint-plugin-import": {
+      "version": "2.27.4",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-import/-/eslint-plugin-import-2.27.4.tgz",
+      "integrity": "sha512-Z1jVt1EGKia1X9CnBCkpAOhWy8FgQ7OmJ/IblEkT82yrFU/xJaxwujaTzLWqigewwynRQ9mmHfX9MtAfhxm0sA==",
+      "dev": true,
+      "requires": {
+        "array-includes": "^3.1.6",
+        "array.prototype.flat": "^1.3.1",
+        "array.prototype.flatmap": "^1.3.0",
+        "debug": "^3.2.7",
+        "doctrine": "^2.1.0",
+        "eslint-import-resolver-node": "^0.3.7",
+        "eslint-module-utils": "^2.7.4",
+        "has": "^1.0.3",
+        "is-core-module": "^2.11.0",
+        "is-glob": "^4.0.3",
+        "minimatch": "^3.1.2",
+        "object.values": "^1.1.6",
+        "resolve": "^1.22.1",
+        "semver": "^6.3.0",
+        "tsconfig-paths": "^3.14.1"
+      },
+      "dependencies": {
+        "debug": {
+          "version": "3.2.7",
+          "resolved": "https://registry.npmjs.org/debug/-/debug-3.2.7.tgz",
+          "integrity": "sha512-CFjzYYAi4ThfiQvizrFQevTTXHtnCqWfe7x1AhgEscTz6ZbLbfoLRLPugTQyBth6f8ZERVUSyWHFD/7Wu4t1XQ==",
+          "dev": true,
+          "requires": {
+            "ms": "^2.1.1"
+          }
+        },
+        "doctrine": {
+          "version": "2.1.0",
+          "resolved": "https://registry.npmjs.org/doctrine/-/doctrine-2.1.0.tgz",
+          "integrity": "sha512-35mSku4ZXK0vfCuHEDAwt55dg2jNajHZ1odvF+8SSr82EsZY4QmXfuWso8oEd8zRhVObSN18aM0CjSdoBX7zIw==",
+          "dev": true,
+          "requires": {
+            "esutils": "^2.0.2"
+          }
+        },
+        "resolve": {
+          "version": "1.22.1",
+          "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.1.tgz",
+          "integrity": "sha512-nBpuuYuY5jFsli/JIs1oldw6fOQCBioohqWZg/2hiaOybXOft4lonv85uDOKXdf8rhyK159cxU5cDcK/NKk8zw==",
+          "dev": true,
+          "requires": {
+            "is-core-module": "^2.9.0",
+            "path-parse": "^1.0.7",
+            "supports-preserve-symlinks-flag": "^1.0.0"
+          }
+        },
+        "semver": {
+          "version": "6.3.0",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
+          "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==",
+          "dev": true
+        }
+      }
+    },
+    "eslint-plugin-jsx-a11y": {
+      "version": "6.7.1",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-jsx-a11y/-/eslint-plugin-jsx-a11y-6.7.1.tgz",
+      "integrity": "sha512-63Bog4iIethyo8smBklORknVjB0T2dwB8Mr/hIC+fBS0uyHdYYpzM/Ed+YC8VxTjlXHEWFOdmgwcDn1U2L9VCA==",
+      "dev": true,
+      "requires": {
+        "@babel/runtime": "^7.20.7",
+        "aria-query": "^5.1.3",
+        "array-includes": "^3.1.6",
+        "array.prototype.flatmap": "^1.3.1",
+        "ast-types-flow": "^0.0.7",
+        "axe-core": "^4.6.2",
+        "axobject-query": "^3.1.1",
+        "damerau-levenshtein": "^1.0.8",
+        "emoji-regex": "^9.2.2",
+        "has": "^1.0.3",
+        "jsx-ast-utils": "^3.3.3",
+        "language-tags": "=1.0.5",
+        "minimatch": "^3.1.2",
+        "object.entries": "^1.1.6",
+        "object.fromentries": "^2.0.6",
+        "semver": "^6.3.0"
+      },
+      "dependencies": {
+        "semver": {
+          "version": "6.3.0",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
+          "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==",
+          "dev": true
+        }
+      }
+    },
+    "eslint-plugin-prettier": {
+      "version": "4.2.1",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-prettier/-/eslint-plugin-prettier-4.2.1.tgz",
+      "integrity": "sha512-f/0rXLXUt0oFYs8ra4w49wYZBG5GKZpAYsJSm6rnYL5uVDjd+zowwMwVZHnAjf4edNrKpCDYfXDgmRE/Ak7QyQ==",
+      "dev": true,
+      "requires": {
+        "prettier-linter-helpers": "^1.0.0"
+      }
+    },
+    "eslint-plugin-react": {
+      "version": "7.32.0",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-react/-/eslint-plugin-react-7.32.0.tgz",
+      "integrity": "sha512-vSBi1+SrPiLZCGvxpiZIa28fMEUaMjXtCplrvxcIxGzmFiYdsXQDwInEjuv5/i/2CTTxbkS87tE8lsQ0Qxinbw==",
+      "dev": true,
+      "requires": {
+        "array-includes": "^3.1.6",
+        "array.prototype.flatmap": "^1.3.1",
+        "array.prototype.tosorted": "^1.1.1",
+        "doctrine": "^2.1.0",
+        "estraverse": "^5.3.0",
+        "jsx-ast-utils": "^2.4.1 || ^3.0.0",
+        "minimatch": "^3.1.2",
+        "object.entries": "^1.1.6",
+        "object.fromentries": "^2.0.6",
+        "object.hasown": "^1.1.2",
+        "object.values": "^1.1.6",
+        "prop-types": "^15.8.1",
+        "resolve": "^2.0.0-next.4",
+        "semver": "^6.3.0",
+        "string.prototype.matchall": "^4.0.8"
+      },
+      "dependencies": {
+        "doctrine": {
+          "version": "2.1.0",
+          "resolved": "https://registry.npmjs.org/doctrine/-/doctrine-2.1.0.tgz",
+          "integrity": "sha512-35mSku4ZXK0vfCuHEDAwt55dg2jNajHZ1odvF+8SSr82EsZY4QmXfuWso8oEd8zRhVObSN18aM0CjSdoBX7zIw==",
+          "dev": true,
+          "requires": {
+            "esutils": "^2.0.2"
+          }
+        },
+        "estraverse": {
+          "version": "5.3.0",
+          "resolved": "https://registry.npmjs.org/estraverse/-/estraverse-5.3.0.tgz",
+          "integrity": "sha512-MMdARuVEQziNTeJD8DgMqmhwR11BRQ/cBP+pLtYdSTnf3MIO8fFeiINEbX36ZdNlfU/7A9f3gUw49B3oQsvwBA==",
+          "dev": true
+        },
+        "resolve": {
+          "version": "2.0.0-next.4",
+          "resolved": "https://registry.npmjs.org/resolve/-/resolve-2.0.0-next.4.tgz",
+          "integrity": "sha512-iMDbmAWtfU+MHpxt/I5iWI7cY6YVEZUQ3MBgPQ++XD1PELuJHIl82xBmObyP2KyQmkNB2dsqF7seoQQiAn5yDQ==",
+          "dev": true,
+          "requires": {
+            "is-core-module": "^2.9.0",
+            "path-parse": "^1.0.7",
+            "supports-preserve-symlinks-flag": "^1.0.0"
+          }
+        },
+        "semver": {
+          "version": "6.3.0",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
+          "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==",
+          "dev": true
+        }
+      }
+    },
+    "eslint-plugin-react-hooks": {
+      "version": "4.6.0",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-react-hooks/-/eslint-plugin-react-hooks-4.6.0.tgz",
+      "integrity": "sha512-oFc7Itz9Qxh2x4gNHStv3BqJq54ExXmfC+a1NjAta66IAN87Wu0R/QArgIS9qKzX3dXKPI9H5crl9QchNMY9+g==",
+      "dev": true,
+      "requires": {}
+    },
+    "eslint-scope": {
+      "version": "5.1.1",
+      "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-5.1.1.tgz",
+      "integrity": "sha512-2NxwbF/hZ0KpepYN0cNbo+FN6XoK7GaHlQhgx/hIZl6Va0bF45RQOOwhLIy8lQDbuCiadSLCBnH2CFYquit5bw==",
+      "dev": true,
+      "requires": {
+        "esrecurse": "^4.3.0",
+        "estraverse": "^4.1.1"
+      },
+      "dependencies": {
+        "estraverse": {
+          "version": "4.3.0",
+          "resolved": "https://registry.npmjs.org/estraverse/-/estraverse-4.3.0.tgz",
+          "integrity": "sha512-39nnKffWz8xN1BU/2c79n9nB9HDzo0niYUqx6xyqUnyoAnQyyWpOTdZEeiCch8BBu515t4wp9ZmgVfVhn9EBpw==",
+          "dev": true
+        }
+      }
+    },
+    "eslint-utils": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/eslint-utils/-/eslint-utils-3.0.0.tgz",
+      "integrity": "sha512-uuQC43IGctw68pJA1RgbQS8/NP7rch6Cwd4j3ZBtgo4/8Flj4eGE7ZYSZRN3iq5pVUv6GPdW5Z1RFleo84uLDA==",
+      "dev": true,
+      "requires": {
+        "eslint-visitor-keys": "^2.0.0"
+      },
+      "dependencies": {
+        "eslint-visitor-keys": {
+          "version": "2.1.0",
+          "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-2.1.0.tgz",
+          "integrity": "sha512-0rSmRBzXgDzIsD6mGdJgevzgezI534Cer5L/vyMX0kHzT/jiB43jRhd9YUlMGYLQy2zprNmoT8qasCGtY+QaKw==",
+          "dev": true
+        }
+      }
+    },
+    "eslint-visitor-keys": {
+      "version": "3.3.0",
+      "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-3.3.0.tgz",
+      "integrity": "sha512-mQ+suqKJVyeuwGYHAdjMFqjCyfl8+Ldnxuyp3ldiMBFKkvytrXUZWaiPCEav8qDHKty44bD+qV1IP4T+w+xXRA==",
+      "dev": true
+    },
+    "espree": {
+      "version": "9.4.1",
+      "resolved": "https://registry.npmjs.org/espree/-/espree-9.4.1.tgz",
+      "integrity": "sha512-XwctdmTO6SIvCzd9810yyNzIrOrqNYV9Koizx4C/mRhf9uq0o4yHoCEU/670pOxOL/MSraektvSAji79kX90Vg==",
+      "dev": true,
+      "requires": {
+        "acorn": "^8.8.0",
+        "acorn-jsx": "^5.3.2",
+        "eslint-visitor-keys": "^3.3.0"
+      },
+      "dependencies": {
+        "acorn": {
+          "version": "8.8.1",
+          "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.8.1.tgz",
+          "integrity": "sha512-7zFpHzhnqYKrkYdUjF1HI1bzd0VygEGX8lFk4k5zVMqHEoES+P+7TKI+EvLO9WVMJ8eekdO0aDEK044xTXwPPA==",
+          "dev": true
+        }
+      }
+    },
+    "esprima": {
+      "version": "4.0.1",
+      "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==",
+      "dev": true,
+      "peer": true
+    },
+    "esquery": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/esquery/-/esquery-1.4.0.tgz",
+      "integrity": "sha512-cCDispWt5vHHtwMY2YrAQ4ibFkAL8RbH5YGBnZBc90MolvvfkkQcJro/aZiAQUlQ3qgrYS6D6v8Gc5G5CQsc9w==",
+      "dev": true,
+      "requires": {
+        "estraverse": "^5.1.0"
+      }
+    },
+    "esrecurse": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/esrecurse/-/esrecurse-4.3.0.tgz",
+      "integrity": "sha512-KmfKL3b6G+RXvP8N1vr3Tq1kL/oCFgn2NYXEtqP8/L3pKapUA4G8cFVaoF3SU323CD4XypR/ffioHmkti6/Tag==",
+      "dev": true,
+      "requires": {
+        "estraverse": "^5.2.0"
+      }
+    },
+    "estraverse": {
+      "version": "5.2.0",
+      "integrity": "sha512-BxbNGGNm0RyRYvUdHpIwv9IWzeM9XClbOxwoATuFdOE7ZE6wHL+HQ5T8hoPM+zHvmKzzsEqhgy0GrQ5X13afiQ==",
+      "dev": true
+    },
+    "esutils": {
+      "version": "2.0.3",
+      "integrity": "sha512-kVscqXk4OCp68SZ0dkgEKVi6/8ij300KBWTJq32P/dYeWTSwK41WyTxalN1eRmA5Z9UU/LX9D7FWSmV9SAYx6g==",
+      "dev": true
+    },
+    "exec-sh": {
+      "version": "0.3.6",
+      "integrity": "sha512-nQn+hI3yp+oD0huYhKwvYI32+JFeq+XkNcD1GAo3Y/MjxsfVGmrrzrnzjWiNY6f+pUCP440fThsFh5gZrRAU/w==",
+      "dev": true,
+      "peer": true
+    },
+    "execa": {
+      "version": "4.1.0",
+      "integrity": "sha512-j5W0//W7f8UxAn8hXVnwG8tLwdiUy4FJLcSupCg6maBYZDpyBvTApK7KyuI4bKj8KOh1r2YH+6ucuYtJv1bTZA==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "cross-spawn": "^7.0.0",
+        "get-stream": "^5.0.0",
+        "human-signals": "^1.1.1",
+        "is-stream": "^2.0.0",
+        "merge-stream": "^2.0.0",
+        "npm-run-path": "^4.0.0",
+        "onetime": "^5.1.0",
+        "signal-exit": "^3.0.2",
+        "strip-final-newline": "^2.0.0"
+      }
+    },
+    "execall": {
+      "version": "2.0.0",
+      "integrity": "sha512-0FU2hZ5Hh6iQnarpRtQurM/aAvp3RIbfvgLHrcqJYzhXyV2KFruhuChf9NC6waAhiUR7FFtlugkI4p7f2Fqlow==",
+      "dev": true,
+      "requires": {
+        "clone-regexp": "^2.1.0"
+      }
+    },
+    "exit": {
+      "version": "0.1.2",
+      "integrity": "sha1-BjJjj42HfMghB9MKD/8aF8uhzQw=",
+      "dev": true,
+      "peer": true
+    },
+    "expand-brackets": {
+      "version": "2.1.4",
+      "integrity": "sha1-t3c14xXOMPa27/D4OwQVGiJEliI=",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "debug": "^2.3.3",
+        "define-property": "^0.2.5",
+        "extend-shallow": "^2.0.1",
+        "posix-character-classes": "^0.1.0",
+        "regex-not": "^1.0.0",
+        "snapdragon": "^0.8.1",
+        "to-regex": "^3.0.1"
+      },
+      "dependencies": {
+        "debug": {
+          "version": "2.6.9",
+          "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "ms": "2.0.0"
+          }
+        },
+        "define-property": {
+          "version": "0.2.5",
+          "integrity": "sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "is-descriptor": "^0.1.0"
+          }
+        },
+        "is-accessor-descriptor": {
+          "version": "0.1.6",
+          "integrity": "sha1-qeEss66Nh2cn7u84Q/igiXtcmNY=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "kind-of": "^3.0.2"
+          },
+          "dependencies": {
+            "kind-of": {
+              "version": "3.2.2",
+              "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+              "dev": true,
+              "peer": true,
+              "requires": {
+                "is-buffer": "^1.1.5"
+              }
+            }
+          }
+        },
+        "is-buffer": {
+          "version": "1.1.6",
+          "integrity": "sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==",
+          "dev": true,
+          "peer": true
+        },
+        "is-data-descriptor": {
+          "version": "0.1.4",
+          "integrity": "sha1-C17mSDiOLIYCgueT8YVv7D8wG1Y=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "kind-of": "^3.0.2"
+          },
+          "dependencies": {
+            "kind-of": {
+              "version": "3.2.2",
+              "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+              "dev": true,
+              "peer": true,
+              "requires": {
+                "is-buffer": "^1.1.5"
+              }
+            }
+          }
+        },
+        "is-descriptor": {
+          "version": "0.1.6",
+          "integrity": "sha512-avDYr0SB3DwO9zsMov0gKCESFYqCnE4hq/4z3TdUlukEy5t9C0YRq7HLrsN52NAcqXKaepeCD0n+B0arnVG3Hg==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "is-accessor-descriptor": "^0.1.6",
+            "is-data-descriptor": "^0.1.4",
+            "kind-of": "^5.0.0"
+          }
+        },
+        "kind-of": {
+          "version": "5.1.0",
+          "integrity": "sha512-NGEErnH6F2vUuXDh+OlbcKW7/wOcfdRHaZ7VWtqCztfHri/++YKmP51OdWeGPuqCOba6kk2OTe5d02VmTB80Pw==",
+          "dev": true,
+          "peer": true
+        },
+        "ms": {
+          "version": "2.0.0",
+          "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=",
+          "dev": true,
+          "peer": true
+        }
+      }
+    },
+    "expect": {
+      "version": "26.6.2",
+      "integrity": "sha512-9/hlOBkQl2l/PLHJx6JjoDF6xPKcJEsUlWKb23rKE7KzeDqUZKXKNMW27KIue5JMdBV9HgmoJPcc8HtO85t9IA==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@jest/types": "^26.6.2",
+        "ansi-styles": "^4.0.0",
+        "jest-get-type": "^26.3.0",
+        "jest-matcher-utils": "^26.6.2",
+        "jest-message-util": "^26.6.2",
+        "jest-regex-util": "^26.0.0"
+      }
+    },
+    "extend": {
+      "version": "3.0.2",
+      "integrity": "sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==",
+      "dev": true
+    },
+    "extend-shallow": {
+      "version": "2.0.1",
+      "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "is-extendable": "^0.1.0"
+      }
+    },
+    "external-editor": {
+      "version": "3.1.0",
+      "integrity": "sha512-hMQ4CX1p1izmuLYyZqLMO/qGNw10wSv9QDCPfzXfyFrOaCSSoRfqE1Kf1s5an66J5JZC62NewG+mK49jOCtQew==",
+      "dev": true,
+      "requires": {
+        "chardet": "^0.7.0",
+        "iconv-lite": "^0.4.24",
+        "tmp": "^0.0.33"
+      }
+    },
+    "extglob": {
+      "version": "2.0.4",
+      "integrity": "sha512-Nmb6QXkELsuBr24CJSkilo6UHHgbekK5UiZgfE6UHD3Eb27YC6oD+bhcT+tJ6cl8dmsgdQxnWlcry8ksBIBLpw==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "array-unique": "^0.3.2",
+        "define-property": "^1.0.0",
+        "expand-brackets": "^2.1.4",
+        "extend-shallow": "^2.0.1",
+        "fragment-cache": "^0.2.1",
+        "regex-not": "^1.0.0",
+        "snapdragon": "^0.8.1",
+        "to-regex": "^3.0.1"
+      },
+      "dependencies": {
+        "define-property": {
+          "version": "1.0.0",
+          "integrity": "sha1-dp66rz9KY6rTr56NMEybvnm/sOY=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "is-descriptor": "^1.0.0"
+          }
+        }
+      }
+    },
+    "extract-files": {
+      "version": "9.0.0",
+      "integrity": "sha512-CvdFfHkC95B4bBBk36hcEmvdR2awOdhhVUYH6S/zrVj3477zven/fJMYg7121h4T1xHZC+tetUpubpAhxwI7hQ==",
+      "dev": true
+    },
+    "fast-deep-equal": {
+      "version": "3.1.3",
+      "integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==",
+      "dev": true
+    },
+    "fast-diff": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/fast-diff/-/fast-diff-1.2.0.tgz",
+      "integrity": "sha512-xJuoT5+L99XlZ8twedaRf6Ax2TgQVxvgZOYoPKqZufmJib0tL2tegPBOZb1pVNgIhlqDlA0eO0c3wBvQcmzx4w==",
+      "dev": true
+    },
+    "fast-glob": {
+      "version": "3.2.12",
+      "resolved": "https://registry.npmjs.org/fast-glob/-/fast-glob-3.2.12.tgz",
+      "integrity": "sha512-DVj4CQIYYow0BlaelwK1pHl5n5cRSJfM60UA0zK891sVInoPri2Ekj7+e1CT3/3qxXenpI+nBBmQAcJPJgaj4w==",
+      "dev": true,
+      "requires": {
+        "@nodelib/fs.stat": "^2.0.2",
+        "@nodelib/fs.walk": "^1.2.3",
+        "glob-parent": "^5.1.2",
+        "merge2": "^1.3.0",
+        "micromatch": "^4.0.4"
+      }
+    },
+    "fast-json-stable-stringify": {
+      "version": "2.1.0",
+      "integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==",
+      "dev": true
+    },
+    "fast-levenshtein": {
+      "version": "2.0.6",
+      "integrity": "sha1-PYpcZog6FqMMqGQ+hR8Zuqd5eRc=",
+      "dev": true
+    },
+    "fastest-levenshtein": {
+      "version": "1.0.12",
+      "integrity": "sha512-On2N+BpYJ15xIC974QNVuYGMOlEVt4s0EOI3wwMqOmK1fdDY+FN/zltPV8vosq4ad4c/gJ1KHScUn/6AWIgiow==",
+      "dev": true
+    },
+    "fastq": {
+      "version": "1.13.0",
+      "integrity": "sha512-YpkpUnK8od0o1hmeSc7UUs/eB/vIPWJYjKck2QKIzAf71Vm1AAQ3EbuZB3g2JIy+pg+ERD0vqI79KyZiB2e2Nw==",
+      "dev": true,
+      "requires": {
+        "reusify": "^1.0.4"
+      }
+    },
+    "fb-watchman": {
+      "version": "2.0.1",
+      "integrity": "sha512-DkPJKQeY6kKwmuMretBhr7G6Vodr7bFwDYTXIkfG1gjvNpaxBTQV3PbXg6bR1c1UP4jPOX0jHUbbHANL9vRjVg==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "bser": "2.1.1"
+      }
+    },
+    "figures": {
+      "version": "3.2.0",
+      "integrity": "sha512-yaduQFRKLXYOGgEn6AZau90j3ggSOyiqXU0F9JZfeXYhNa+Jk4X+s45A2zg5jns87GAFa34BBm2kXw4XpNcbdg==",
+      "dev": true,
+      "requires": {
+        "escape-string-regexp": "^1.0.5"
+      }
+    },
+    "file-entry-cache": {
+      "version": "6.0.1",
+      "integrity": "sha512-7Gps/XWymbLk2QLYK4NzpMOrYjMhdIxXuIvy2QBsLE6ljuodKvdkWs/cpyJJ3CVIVpH0Oi1Hvg1ovbMzLdFBBg==",
+      "dev": true,
+      "requires": {
+        "flat-cache": "^3.0.4"
+      }
+    },
+    "filelist": {
+      "version": "1.0.2",
+      "integrity": "sha512-z7O0IS8Plc39rTCq6i6iHxk43duYOn8uFJiWSewIq0Bww1RNybVHSCjahmcC87ZqAm4OTvFzlzeGu3XAzG1ctQ==",
+      "dev": true,
+      "requires": {
+        "minimatch": "^3.0.4"
+      }
+    },
+    "fill-range": {
+      "version": "7.0.1",
+      "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==",
+      "dev": true,
+      "requires": {
+        "to-regex-range": "^5.0.1"
+      }
+    },
+    "find-up": {
+      "version": "2.1.0",
+      "integrity": "sha1-RdG35QbHF93UgndaK3eSCjwMV6c=",
+      "dev": true,
+      "requires": {
+        "locate-path": "^2.0.0"
+      }
+    },
+    "flat": {
+      "version": "5.0.2",
+      "resolved": "https://registry.npmjs.org/flat/-/flat-5.0.2.tgz",
+      "integrity": "sha512-b6suED+5/3rTpUBdG1gupIl8MPFCAMA0QXwmljLhvCUKcUvdE4gWky9zpuGCcXHOsz4J9wPGNWq6OKpmIzz3hQ==",
+      "dev": true
+    },
+    "flat-cache": {
+      "version": "3.0.4",
+      "integrity": "sha512-dm9s5Pw7Jc0GvMYbshN6zchCA9RgQlzzEZX3vylR9IqFfS8XciblUXOKfW6SiuJ0e13eDYZoZV5wdrev7P3Nwg==",
+      "dev": true,
+      "requires": {
+        "flatted": "^3.1.0",
+        "rimraf": "^3.0.2"
+      }
+    },
+    "flatted": {
+      "version": "3.2.2",
+      "integrity": "sha512-JaTY/wtrcSyvXJl4IMFHPKyFur1sE9AUqc0QnhOaJ0CxHtAoIV8pYDzeEfAaNEtGkOfq4gr3LBFmdXW5mOQFnA==",
+      "dev": true
+    },
+    "for-each": {
+      "version": "0.3.3",
+      "resolved": "https://registry.npmjs.org/for-each/-/for-each-0.3.3.tgz",
+      "integrity": "sha512-jqYfLp7mo9vIyQf8ykW2v7A+2N4QjeCeI5+Dz9XraiO1ign81wjiH7Fb9vSOWvQfNtmSa4H2RoQTrrXivdUZmw==",
+      "dev": true,
+      "requires": {
+        "is-callable": "^1.1.3"
+      }
+    },
+    "for-in": {
+      "version": "1.0.2",
+      "integrity": "sha1-gQaNKVqBQuwKxybG4iAMMPttXoA=",
+      "dev": true,
+      "peer": true
+    },
+    "form-data": {
+      "version": "3.0.1",
+      "integrity": "sha512-RHkBKtLWUVwd7SqRIvCZMEvAMoGUp0XU+seQiZejj0COz3RI3hWP4sCv3gZWWLjJTd7rGwcsF5eKZGii0r/hbg==",
+      "dev": true,
+      "requires": {
+        "asynckit": "^0.4.0",
+        "combined-stream": "^1.0.8",
+        "mime-types": "^2.1.12"
+      }
+    },
+    "fragment-cache": {
+      "version": "0.2.1",
+      "integrity": "sha1-QpD60n8T6Jvn8zeZxrxaCr//DRk=",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "map-cache": "^0.2.2"
+      }
+    },
+    "fs-extra": {
+      "version": "9.0.1",
+      "integrity": "sha512-h2iAoN838FqAFJY2/qVpzFXy+EBxfVE220PalAqQLDVsFOHLJrZvut5puAbCdNv6WJk+B8ihI+k0c7JK5erwqQ==",
+      "dev": true,
+      "requires": {
+        "at-least-node": "^1.0.0",
+        "graceful-fs": "^4.2.0",
+        "jsonfile": "^6.0.1",
+        "universalify": "^1.0.0"
+      }
+    },
+    "fs.realpath": {
+      "version": "1.0.0",
+      "integrity": "sha1-FQStJSMVjKpA20onh8sBQRmU6k8=",
+      "dev": true
+    },
+    "fsevents": {
+      "version": "2.3.2",
+      "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==",
+      "dev": true,
+      "optional": true,
+      "peer": true
+    },
+    "function-bind": {
+      "version": "1.1.1",
+      "integrity": "sha512-yIovAzMX49sF8Yl58fSCWJ5svSLuaibPxXQJFLmBObTuCr0Mf1KiPopGM9NiFjiYBCbfaa2Fh6breQ6ANVTI0A==",
+      "dev": true
+    },
+    "function.prototype.name": {
+      "version": "1.1.5",
+      "resolved": "https://registry.npmjs.org/function.prototype.name/-/function.prototype.name-1.1.5.tgz",
+      "integrity": "sha512-uN7m/BzVKQnCUF/iW8jYea67v++2u7m5UgENbHRtdDVclOUP+FMPlCNdmk0h/ysGyo2tavMJEDqJAkJdRa1vMA==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.3",
+        "es-abstract": "^1.19.0",
+        "functions-have-names": "^1.2.2"
+      }
+    },
+    "functions-have-names": {
+      "version": "1.2.3",
+      "resolved": "https://registry.npmjs.org/functions-have-names/-/functions-have-names-1.2.3.tgz",
+      "integrity": "sha512-xckBUXyTIqT97tq2x2AMb+g163b5JFysYk0x4qxNFwbfQkmNZoiRHb6sPzI9/QV33WeuvVYBUIiD4NzNIyqaRQ==",
+      "dev": true
+    },
+    "gensync": {
+      "version": "1.0.0-beta.2",
+      "integrity": "sha512-3hN7NaskYvMDLQY55gnW3NQ+mesEAepTqlg+VEbj7zzqEMBVNhzcGYYeqFo/TlYz6eQiFcp1HcsCZO+nGgS8zg==",
+      "dev": true
+    },
+    "get-caller-file": {
+      "version": "2.0.5",
+      "integrity": "sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==",
+      "dev": true
+    },
+    "get-intrinsic": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.1.3.tgz",
+      "integrity": "sha512-QJVz1Tj7MS099PevUG5jvnt9tSkXN8K14dxQlikJuPt4uD9hHAHjLyLBiLR5zELelBdD9QNRAXZzsJx0WaDL9A==",
+      "dev": true,
+      "requires": {
+        "function-bind": "^1.1.1",
+        "has": "^1.0.3",
+        "has-symbols": "^1.0.3"
+      }
+    },
+    "get-own-enumerable-property-symbols": {
+      "version": "3.0.2",
+      "integrity": "sha512-I0UBV/XOz1XkIJHEUDMZAbzCThU/H8DxmSfmdGcKPnVhu2VfFqr34jr9777IyaTYvxjedWhqVIilEDsCdP5G6g==",
+      "dev": true
+    },
+    "get-package-type": {
+      "version": "0.1.0",
+      "integrity": "sha512-pjzuKtY64GYfWizNAJ0fr9VqttZkNiK2iS430LtIHzjBEr6bX8Am2zm4sW4Ro5wjWW5cAlRL1qAMTcXbjNAO2Q==",
+      "dev": true,
+      "peer": true
+    },
+    "get-stream": {
+      "version": "5.2.0",
+      "integrity": "sha512-nBF+F1rAZVCu/p7rjzgA+Yb4lfYXrpl7a6VmJrU8wF9I1CKvP/QwPNZHnOlwbTkY6dvtFIzFMSyQXbLoTQPRpA==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "pump": "^3.0.0"
+      }
+    },
+    "get-symbol-description": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/get-symbol-description/-/get-symbol-description-1.0.0.tgz",
+      "integrity": "sha512-2EmdH1YvIQiZpltCNgkuiUnyukzxM/R6NDJX31Ke3BG1Nq5b0S2PhX59UKi9vZpPDQVdqn+1IcaAwnzTT5vCjw==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2",
+        "get-intrinsic": "^1.1.1"
+      }
+    },
+    "get-tsconfig": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/get-tsconfig/-/get-tsconfig-4.3.0.tgz",
+      "integrity": "sha512-YCcF28IqSay3fqpIu5y3Krg/utCBHBeoflkZyHj/QcqI2nrLPC3ZegS9CmIo+hJb8K7aiGsuUl7PwWVjNG2HQQ==",
+      "dev": true
+    },
+    "get-value": {
+      "version": "2.0.6",
+      "integrity": "sha1-3BXKHGcjh8p2vTesCjlbogQqLCg=",
+      "dev": true,
+      "peer": true
+    },
+    "glob": {
+      "version": "7.2.0",
+      "integrity": "sha512-lmLf6gtyrPq8tTjSmrO94wBeQbFR3HbLHbuyD69wuyQkImp2hWqMGB47OX65FBkPffO641IP9jWa1z4ivqG26Q==",
+      "dev": true,
+      "requires": {
+        "fs.realpath": "^1.0.0",
+        "inflight": "^1.0.4",
+        "inherits": "2",
+        "minimatch": "^3.0.4",
+        "once": "^1.3.0",
+        "path-is-absolute": "^1.0.0"
+      }
+    },
+    "glob-parent": {
+      "version": "5.1.2",
+      "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==",
+      "dev": true,
+      "requires": {
+        "is-glob": "^4.0.1"
+      }
+    },
+    "global-modules": {
+      "version": "2.0.0",
+      "integrity": "sha512-NGbfmJBp9x8IxyJSd1P+otYK8vonoJactOogrVfFRIAEY1ukil8RSKDz2Yo7wh1oihl51l/r6W4epkeKJHqL8A==",
+      "dev": true,
+      "requires": {
+        "global-prefix": "^3.0.0"
+      }
+    },
+    "global-prefix": {
+      "version": "3.0.0",
+      "integrity": "sha512-awConJSVCHVGND6x3tmMaKcQvwXLhjdkmomy2W+Goaui8YPgYgXJZewhg3fWC+DlfqqQuWg8AwqjGTD2nAPVWg==",
+      "dev": true,
+      "requires": {
+        "ini": "^1.3.5",
+        "kind-of": "^6.0.2",
+        "which": "^1.3.1"
+      },
+      "dependencies": {
+        "which": {
+          "version": "1.3.1",
+          "integrity": "sha512-HxJdYWq1MTIQbJ3nw0cqssHoTNU267KlrDuGZ1WYlxDStUtKUhOaJmh112/TZmHxxUfuJqPXSOm7tDyas0OSIQ==",
+          "dev": true,
+          "requires": {
+            "isexe": "^2.0.0"
+          }
+        }
+      }
+    },
+    "globals": {
+      "version": "11.12.0",
+      "integrity": "sha512-WOBp/EEGUiIsJSp7wcv/y6MO+lV9UoncWqxuFfm8eBwzWNgyfBd6Gz+IeKQ9jCmyhoH99g15M3T+QaVHFjizVA==",
+      "dev": true
+    },
+    "globalthis": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/globalthis/-/globalthis-1.0.3.tgz",
+      "integrity": "sha512-sFdI5LyBiNTHjRd7cGPWapiHWMOXKyuBNX/cWJ3NfzrZQVa8GI/8cofCl74AOVqq9W5kNmguTIzJ/1s2gyI9wA==",
+      "dev": true,
+      "requires": {
+        "define-properties": "^1.1.3"
+      }
+    },
+    "globalyzer": {
+      "version": "0.1.0",
+      "resolved": "https://registry.npmjs.org/globalyzer/-/globalyzer-0.1.0.tgz",
+      "integrity": "sha512-40oNTM9UfG6aBmuKxk/giHn5nQ8RVz/SS4Ir6zgzOv9/qC3kKZ9v4etGTcJbEl/NyVQH7FGU7d+X1egr57Md2Q==",
+      "dev": true
+    },
+    "globby": {
+      "version": "11.0.1",
+      "integrity": "sha512-iH9RmgwCmUJHi2z5o2l3eTtGBtXek1OYlHrbcxOYugyHLmAsZrPj43OtHThd62Buh/Vv6VyCBD2bdyWcGNQqoQ==",
+      "dev": true,
+      "requires": {
+        "array-union": "^2.1.0",
+        "dir-glob": "^3.0.1",
+        "fast-glob": "^3.1.1",
+        "ignore": "^5.1.4",
+        "merge2": "^1.3.0",
+        "slash": "^3.0.0"
+      }
+    },
+    "globjoin": {
+      "version": "0.1.4",
+      "integrity": "sha1-L0SUrIkZ43Z8XLtpHp9GMyQoXUM=",
+      "dev": true
+    },
+    "globrex": {
+      "version": "0.1.2",
+      "resolved": "https://registry.npmjs.org/globrex/-/globrex-0.1.2.tgz",
+      "integrity": "sha512-uHJgbwAMwNFf5mLst7IWLNg14x1CkeqglJb/K3doi4dw6q2IvAAmM/Y81kevy83wP+Sst+nutFTYOGg3d1lsxg==",
+      "dev": true
+    },
+    "gonzales-pe": {
+      "version": "4.3.0",
+      "integrity": "sha512-otgSPpUmdWJ43VXyiNgEYE4luzHCL2pz4wQ0OnDluC6Eg4Ko3Vexy/SrSynglw/eR+OhkzmqFCZa/OFa/RgAOQ==",
+      "dev": true,
+      "requires": {
+        "minimist": "^1.2.5"
+      }
+    },
+    "gopd": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.0.1.tgz",
+      "integrity": "sha512-d65bNlIadxvpb/A2abVdlqKqV563juRnZ1Wtk6s1sIR8uNsXR70xqIzVqxVf1eTqDunwT2MkczEeaezCKTZhwA==",
+      "dev": true,
+      "requires": {
+        "get-intrinsic": "^1.1.3"
+      }
+    },
+    "graceful-fs": {
+      "version": "4.2.8",
+      "integrity": "sha512-qkIilPUYcNhJpd33n0GBXTB1MMPp14TxEsEs0pTrsSVucApsYzW5V+Q8Qxhik6KU3evy+qkAAowTByymK0avdg==",
+      "dev": true
+    },
+    "grapheme-splitter": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/grapheme-splitter/-/grapheme-splitter-1.0.4.tgz",
+      "integrity": "sha512-bzh50DW9kTPM00T8y4o8vQg89Di9oLJVLW/KaOGIXJWP/iqCN6WKYkbNOF04vFLJhwcpYUh9ydh/+5vpOqV4YQ==",
+      "dev": true
+    },
+    "graphql": {
+      "version": "15.6.1",
+      "integrity": "sha512-3i5lu0z6dRvJ48QP9kFxBkJ7h4Kso7PS8eahyTFz5Jm6CvQfLtNIE8LX9N6JLnXTuwR+sIYnXzaWp6anOg0QQw==",
+      "dev": true
+    },
+    "graphql-request": {
+      "version": "3.5.0",
+      "integrity": "sha512-Io89QpfU4rqiMbqM/KwMBzKaDLOppi8FU8sEccCE4JqCgz95W9Q8bvxQ4NfPALLSMvg9nafgg8AkYRmgKSlukA==",
+      "dev": true,
+      "requires": {
+        "cross-fetch": "^3.0.6",
+        "extract-files": "^9.0.0",
+        "form-data": "^3.0.0"
+      }
+    },
+    "growly": {
+      "version": "1.3.0",
+      "integrity": "sha1-8QdIy+dq+WS3yWyTxrzCivEgwIE=",
+      "dev": true,
+      "optional": true,
+      "peer": true
+    },
+    "hard-rejection": {
+      "version": "2.1.0",
+      "integrity": "sha512-VIZB+ibDhx7ObhAe7OVtoEbuP4h/MuOTHJ+J8h/eBXotJYl0fBgR72xDFCKgIh22OJZIOVNxBMWuhAr10r8HdA==",
+      "dev": true
+    },
+    "has": {
+      "version": "1.0.3",
+      "integrity": "sha512-f2dvO0VU6Oej7RkWJGrehjbzMAjFp5/VKPp5tTpWIV4JHHZK1/BxbFRtf/siA2SWTe09caDmVtYYzWEIbBS4zw==",
+      "dev": true,
+      "requires": {
+        "function-bind": "^1.1.1"
+      }
+    },
+    "has-bigints": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/has-bigints/-/has-bigints-1.0.2.tgz",
+      "integrity": "sha512-tSvCKtBr9lkF0Ex0aQiP9N+OpV4zi2r/Nee5VkRDbaqv35RLYMzbwQfFSZZH0kR+Rd6302UJZ2p/bJCEoR3VoQ==",
+      "dev": true
+    },
+    "has-flag": {
+      "version": "4.0.0",
+      "integrity": "sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ==",
+      "dev": true
+    },
+    "has-property-descriptors": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/has-property-descriptors/-/has-property-descriptors-1.0.0.tgz",
+      "integrity": "sha512-62DVLZGoiEBDHQyqG4w9xCuZ7eJEwNmJRWw2VY84Oedb7WFcA27fiEVe8oUQx9hAUJ4ekurquucTGwsyO1XGdQ==",
+      "dev": true,
+      "requires": {
+        "get-intrinsic": "^1.1.1"
+      }
+    },
+    "has-proto": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/has-proto/-/has-proto-1.0.1.tgz",
+      "integrity": "sha512-7qE+iP+O+bgF9clE5+UoBFzE65mlBiVj3tKCrlNQ0Ogwm0BjpT/gK4SlLYDMybDh5I3TCTKnPPa0oMG7JDYrhg==",
+      "dev": true
+    },
+    "has-symbols": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.0.3.tgz",
+      "integrity": "sha512-l3LCuF6MgDNwTDKkdYGEihYjt5pRPbEg46rtlmnSPlUbgmB8LOIrKJbYYFBSbnPaJexMKtiPO8hmeRjRz2Td+A==",
+      "dev": true
+    },
+    "has-tostringtag": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/has-tostringtag/-/has-tostringtag-1.0.0.tgz",
+      "integrity": "sha512-kFjcSNhnlGV1kyoGk7OXKSawH5JOb/LzUc5w9B02hOTO0dfFRjbHQKvg1d6cf3HbeUmtU9VbbV3qzZ2Teh97WQ==",
+      "dev": true,
+      "requires": {
+        "has-symbols": "^1.0.2"
+      }
+    },
+    "has-value": {
+      "version": "1.0.0",
+      "integrity": "sha1-GLKB2lhbHFxR3vJMkw7SmgvmsXc=",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "get-value": "^2.0.6",
+        "has-values": "^1.0.0",
+        "isobject": "^3.0.0"
+      }
+    },
+    "has-values": {
+      "version": "1.0.0",
+      "integrity": "sha1-lbC2P+whRmGab+V/51Yo1aOe/k8=",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "is-number": "^3.0.0",
+        "kind-of": "^4.0.0"
+      },
+      "dependencies": {
+        "is-buffer": {
+          "version": "1.1.6",
+          "integrity": "sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==",
+          "dev": true,
+          "peer": true
+        },
+        "is-number": {
+          "version": "3.0.0",
+          "integrity": "sha1-JP1iAaR4LPUFYcgQJ2r8fRLXEZU=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "kind-of": "^3.0.2"
+          },
+          "dependencies": {
+            "kind-of": {
+              "version": "3.2.2",
+              "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+              "dev": true,
+              "peer": true,
+              "requires": {
+                "is-buffer": "^1.1.5"
+              }
+            }
+          }
+        },
+        "kind-of": {
+          "version": "4.0.0",
+          "integrity": "sha1-IIE989cSkosgc3hpGkUGb65y3Vc=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "is-buffer": "^1.1.5"
+          }
+        }
+      }
+    },
+    "hosted-git-info": {
+      "version": "2.8.9",
+      "integrity": "sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==",
+      "dev": true,
+      "peer": true
+    },
+    "html-encoding-sniffer": {
+      "version": "2.0.1",
+      "integrity": "sha512-D5JbOMBIR/TVZkubHT+OyT2705QvogUW4IBn6nHd756OwieSF9aDYFj4dv6HHEVGYbHaLETa3WggZYWWMyy3ZQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "whatwg-encoding": "^1.0.5"
+      }
+    },
+    "html-escaper": {
+      "version": "2.0.2",
+      "integrity": "sha512-H2iMtd0I4Mt5eYiapRdIDjp+XzelXQ0tFE4JS7YFwFevXXMmOp9myNrUvCg0D6ws8iqkRPBfKHgbwig1SmlLfg==",
+      "dev": true,
+      "peer": true
+    },
+    "html-tags": {
+      "version": "3.1.0",
+      "integrity": "sha512-1qYz89hW3lFDEazhjW0yVAV87lw8lVkrJocr72XmBkMKsoSVJCQx3W8BXsC7hO2qAt8BoVjYjtAcZ9perqGnNg==",
+      "dev": true
+    },
+    "htmlparser2": {
+      "version": "3.10.1",
+      "integrity": "sha512-IgieNijUMbkDovyoKObU1DUhm1iwNYE/fuifEoEHfd1oZKZDaONBSkal7Y01shxsM49R4XaMdGez3WnF9UfiCQ==",
+      "dev": true,
+      "requires": {
+        "domelementtype": "^1.3.1",
+        "domhandler": "^2.3.0",
+        "domutils": "^1.5.1",
+        "entities": "^1.1.1",
+        "inherits": "^2.0.1",
+        "readable-stream": "^3.1.1"
+      }
+    },
+    "http-proxy-agent": {
+      "version": "4.0.1",
+      "integrity": "sha512-k0zdNgqWTGA6aeIRVpvfVob4fL52dTfaehylg0Y4UvSySvOq/Y+BOyPrgpUrA7HylqvU8vIZGsRuXmspskV0Tg==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@tootallnate/once": "1",
+        "agent-base": "6",
+        "debug": "4"
+      }
+    },
+    "https-proxy-agent": {
+      "version": "5.0.0",
+      "integrity": "sha512-EkYm5BcKUGiduxzSt3Eppko+PiNWNEpa4ySk9vTC6wDsQJW9rHSa+UhGNJoRYp7bz6Ht1eaRIa6QaJqO5rCFbA==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "agent-base": "6",
+        "debug": "4"
+      }
+    },
+    "human-signals": {
+      "version": "1.1.1",
+      "integrity": "sha512-SEQu7vl8KjNL2eoGBLF3+wAjpsNfA9XMlXAYj/3EdaNfAlxKthD1xjEQfGOUhllCGGJVNY34bRr6lPINhNjyZw==",
+      "dev": true,
+      "peer": true
+    },
+    "iconv-lite": {
+      "version": "0.4.24",
+      "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==",
+      "dev": true,
+      "requires": {
+        "safer-buffer": ">= 2.1.2 < 3"
+      }
+    },
+    "ignore": {
+      "version": "5.2.4",
+      "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.2.4.tgz",
+      "integrity": "sha512-MAb38BcSbH0eHNBxn7ql2NH/kX33OkB3lZ1BNdh7ENeRChHTYsTvWrMubiIAMNS2llXEEgZ1MUOBtXChP3kaFQ==",
+      "dev": true
+    },
+    "import-fresh": {
+      "version": "3.3.0",
+      "integrity": "sha512-veYYhQa+D1QBKznvhUHxb8faxlrwUnxseDAbAp457E0wLNio2bOSKnjYDhMj+YiAq61xrMGhQk9iXVk5FzgQMw==",
+      "dev": true,
+      "requires": {
+        "parent-module": "^1.0.0",
+        "resolve-from": "^4.0.0"
+      }
+    },
+    "import-local": {
+      "version": "3.0.3",
+      "integrity": "sha512-bE9iaUY3CXH8Cwfan/abDKAxe1KGT9kyGsBPqf6DMK/z0a2OzAsrukeYNgIH6cH5Xr452jb1TUL8rSfCLjZ9uA==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "pkg-dir": "^4.2.0",
+        "resolve-cwd": "^3.0.0"
+      },
+      "dependencies": {
+        "find-up": {
+          "version": "4.1.0",
+          "integrity": "sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "locate-path": "^5.0.0",
+            "path-exists": "^4.0.0"
+          }
+        },
+        "locate-path": {
+          "version": "5.0.0",
+          "integrity": "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "p-locate": "^4.1.0"
+          }
+        },
+        "p-limit": {
+          "version": "2.3.0",
+          "integrity": "sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "p-try": "^2.0.0"
+          }
+        },
+        "p-locate": {
+          "version": "4.1.0",
+          "integrity": "sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "p-limit": "^2.2.0"
+          }
+        },
+        "path-exists": {
+          "version": "4.0.0",
+          "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==",
+          "dev": true,
+          "peer": true
+        },
+        "pkg-dir": {
+          "version": "4.2.0",
+          "integrity": "sha512-HRDzbaKjC+AOWVXxAU/x54COGeIv9eb+6CkDSQoNTt4XyWoIJvuPsXizxu/Fr23EiekbtZwmh1IcIG/l/a10GQ==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "find-up": "^4.0.0"
+          }
+        }
+      }
+    },
+    "imurmurhash": {
+      "version": "0.1.4",
+      "integrity": "sha1-khi5srkoojixPcT7a21XbyMUU+o=",
+      "dev": true
+    },
+    "indent-string": {
+      "version": "4.0.0",
+      "integrity": "sha512-EdDDZu4A2OyIK7Lr/2zG+w5jmbuk1DVBnEwREQvBzspBJkCEbRa8GxU1lghYcaGJCnRWibjDXlq779X1/y5xwg==",
+      "dev": true
+    },
+    "inflight": {
+      "version": "1.0.6",
+      "integrity": "sha1-Sb1jMdfQLQwJvJEKEHW6gWW1bfk=",
+      "dev": true,
+      "requires": {
+        "once": "^1.3.0",
+        "wrappy": "1"
+      }
+    },
+    "inherits": {
+      "version": "2.0.4",
+      "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==",
+      "dev": true
+    },
+    "ini": {
+      "version": "1.3.8",
+      "integrity": "sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==",
+      "dev": true
+    },
+    "inquirer": {
+      "version": "7.3.3",
+      "resolved": "https://registry.npmjs.org/inquirer/-/inquirer-7.3.3.tgz",
+      "integrity": "sha512-JG3eIAj5V9CwcGvuOmoo6LB9kbAYT8HXffUl6memuszlwDC/qvFAJw49XJ5NROSFNPxp3iQg1GqkFhaY/CR0IA==",
+      "dev": true,
+      "requires": {
+        "ansi-escapes": "^4.2.1",
+        "chalk": "^4.1.0",
+        "cli-cursor": "^3.1.0",
+        "cli-width": "^3.0.0",
+        "external-editor": "^3.0.3",
+        "figures": "^3.0.0",
+        "lodash": "^4.17.19",
+        "mute-stream": "0.0.8",
+        "run-async": "^2.4.0",
+        "rxjs": "^6.6.0",
+        "string-width": "^4.1.0",
+        "strip-ansi": "^6.0.0",
+        "through": "^2.3.6"
+      }
+    },
+    "internal-slot": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/internal-slot/-/internal-slot-1.0.4.tgz",
+      "integrity": "sha512-tA8URYccNzMo94s5MQZgH8NB/XTa6HsOo0MLfXTKKEnHVVdegzaQoFZ7Jp44bdvLvY2waT5dc+j5ICEswhi7UQ==",
+      "dev": true,
+      "requires": {
+        "get-intrinsic": "^1.1.3",
+        "has": "^1.0.3",
+        "side-channel": "^1.0.4"
+      }
+    },
+    "ip-regex": {
+      "version": "4.3.0",
+      "integrity": "sha512-B9ZWJxHHOHUhUjCPrMpLD4xEq35bUTClHM1S6CBU5ixQnkZmwipwgc96vAd7AAGM9TGHvJR+Uss+/Ak6UphK+Q==",
+      "dev": true
+    },
+    "is-accessor-descriptor": {
+      "version": "1.0.0",
+      "integrity": "sha512-m5hnHTkcVsPfqx3AKlyttIPb7J+XykHvJP2B9bZDjlhLIoEq4XoK64Vg7boZlVWYK6LUY94dYPEE7Lh0ZkZKcQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "kind-of": "^6.0.0"
+      }
+    },
+    "is-alphabetical": {
+      "version": "1.0.4",
+      "integrity": "sha512-DwzsA04LQ10FHTZuL0/grVDk4rFoVH1pjAToYwBrHSxcrBIGQuXrQMtD5U1b0U2XVgKZCTLLP8u2Qxqhy3l2Vg==",
+      "dev": true
+    },
+    "is-alphanumeric": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/is-alphanumeric/-/is-alphanumeric-1.0.0.tgz",
+      "integrity": "sha512-ZmRL7++ZkcMOfDuWZuMJyIVLr2keE1o/DeNWh1EmgqGhUcV+9BIVsx0BcSBOHTZqzjs4+dISzr2KAeBEWGgXeA==",
+      "dev": true
+    },
+    "is-alphanumerical": {
+      "version": "1.0.4",
+      "integrity": "sha512-UzoZUr+XfVz3t3v4KyGEniVL9BDRoQtY7tOyrRybkVNjDFWyo1yhXNGrrBTQxp3ib9BLAWs7k2YKBQsFRkZG9A==",
+      "dev": true,
+      "requires": {
+        "is-alphabetical": "^1.0.0",
+        "is-decimal": "^1.0.0"
+      }
+    },
+    "is-arguments": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/is-arguments/-/is-arguments-1.1.1.tgz",
+      "integrity": "sha512-8Q7EARjzEnKpt/PCD7e1cgUS0a6X8u5tdSiMqXhojOdoV9TsMsiO+9VLC5vAmO8N7/GmXn7yjR8qnA6bVAEzfA==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2",
+        "has-tostringtag": "^1.0.0"
+      }
+    },
+    "is-array-buffer": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/is-array-buffer/-/is-array-buffer-3.0.1.tgz",
+      "integrity": "sha512-ASfLknmY8Xa2XtB4wmbz13Wu202baeA18cJBCeCy0wXUHZF0IPyVEXqKEcd+t2fNSLLL1vC6k7lxZEojNbISXQ==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2",
+        "get-intrinsic": "^1.1.3",
+        "is-typed-array": "^1.1.10"
+      }
+    },
+    "is-arrayish": {
+      "version": "0.2.1",
+      "integrity": "sha1-d8mYQFJ6qOyxqLppe4BkWnqSap0=",
+      "dev": true
+    },
+    "is-bigint": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/is-bigint/-/is-bigint-1.0.4.tgz",
+      "integrity": "sha512-zB9CruMamjym81i2JZ3UMn54PKGsQzsJeo6xvN3HJJ4CAsQNB6iRutp2To77OfCNuoxspsIhzaPoO1zyCEhFOg==",
+      "dev": true,
+      "requires": {
+        "has-bigints": "^1.0.1"
+      }
+    },
+    "is-boolean-object": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/is-boolean-object/-/is-boolean-object-1.1.2.tgz",
+      "integrity": "sha512-gDYaKHJmnj4aWxyj6YHyXVpdQawtVLHU5cb+eztPGczf6cjuTdwve5ZIEfgXqH4e57An1D1AKf8CZ3kYrQRqYA==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2",
+        "has-tostringtag": "^1.0.0"
+      }
+    },
+    "is-buffer": {
+      "version": "2.0.5",
+      "integrity": "sha512-i2R6zNFDwgEHJyQUtJEk0XFi1i0dPFn/oqjK3/vPCcDeJvW5NQ83V8QbicfF1SupOaB0h8ntgBC2YiE7dfyctQ==",
+      "dev": true
+    },
+    "is-callable": {
+      "version": "1.2.7",
+      "resolved": "https://registry.npmjs.org/is-callable/-/is-callable-1.2.7.tgz",
+      "integrity": "sha512-1BC0BVFhS/p0qtw6enp8e+8OD0UrK0oFLztSjNzhcKA3WDuJxxAPXzPuPtKkjEY9UUoEWlX/8fgKeu2S8i9JTA==",
+      "dev": true
+    },
+    "is-ci": {
+      "version": "2.0.0",
+      "integrity": "sha512-YfJT7rkpQB0updsdHLGWrvhBJfcfzNNawYDNIyQXJz0IViGf75O8EBPKSdvw2rF+LGCsX4FZ8tcr3b19LcZq4w==",
+      "dev": true,
+      "requires": {
+        "ci-info": "^2.0.0"
+      }
+    },
+    "is-core-module": {
+      "version": "2.11.0",
+      "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.11.0.tgz",
+      "integrity": "sha512-RRjxlvLDkD1YJwDbroBHMb+cukurkDWNyHx7D3oNB5x9rb5ogcksMC5wHCadcXoo67gVr/+3GFySh3134zi6rw==",
+      "dev": true,
+      "requires": {
+        "has": "^1.0.3"
+      }
+    },
+    "is-data-descriptor": {
+      "version": "1.0.0",
+      "integrity": "sha512-jbRXy1FmtAoCjQkVmIVYwuuqDFUbaOeDjmed1tOGPrsMhtJA4rD9tkgA0F1qJ3gRFRXcHYVkdeaP50Q5rE/jLQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "kind-of": "^6.0.0"
+      }
+    },
+    "is-date-object": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/is-date-object/-/is-date-object-1.0.5.tgz",
+      "integrity": "sha512-9YQaSxsAiSwcvS33MBk3wTCVnWK+HhF8VZR2jRxehM16QcVOdHqPn4VPHmRK4lSr38n9JriurInLcP90xsYNfQ==",
+      "dev": true,
+      "requires": {
+        "has-tostringtag": "^1.0.0"
+      }
+    },
+    "is-decimal": {
+      "version": "1.0.4",
+      "integrity": "sha512-RGdriMmQQvZ2aqaQq3awNA6dCGtKpiDFcOzrTWrDAT2MiWrKQVPmxLGHl7Y2nNu6led0kEyoX0enY0qXYsv9zw==",
+      "dev": true
+    },
+    "is-descriptor": {
+      "version": "1.0.2",
+      "integrity": "sha512-2eis5WqQGV7peooDyLmNEPUrps9+SXX5c9pL3xEB+4e9HnGuDa7mB7kHxHw4CbqS9k1T2hOH3miL8n8WtiYVtg==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "is-accessor-descriptor": "^1.0.0",
+        "is-data-descriptor": "^1.0.0",
+        "kind-of": "^6.0.2"
+      }
+    },
+    "is-docker": {
+      "version": "2.2.1",
+      "integrity": "sha512-F+i2BKsFrH66iaUFc0woD8sLy8getkwTwtOBjvs56Cx4CgJDeKQeqfz8wAYiSb8JOprWhHH5p77PbmYCvvUuXQ==",
+      "dev": true
+    },
+    "is-extendable": {
+      "version": "0.1.1",
+      "integrity": "sha1-YrEQ4omkcUGOPsNqYX1HLjAd/Ik=",
+      "dev": true,
+      "peer": true
+    },
+    "is-extglob": {
+      "version": "2.1.1",
+      "integrity": "sha1-qIwCU1eR8C7TfHahueqXc8gz+MI=",
+      "dev": true
+    },
+    "is-fullwidth-code-point": {
+      "version": "3.0.0",
+      "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==",
+      "dev": true
+    },
+    "is-generator-fn": {
+      "version": "2.1.0",
+      "integrity": "sha512-cTIB4yPYL/Grw0EaSzASzg6bBy9gqCofvWN8okThAYIxKJZC+udlRAmGbM0XLeniEJSs8uEgHPGuHSe1XsOLSQ==",
+      "dev": true,
+      "peer": true
+    },
+    "is-glob": {
+      "version": "4.0.3",
+      "integrity": "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==",
+      "dev": true,
+      "requires": {
+        "is-extglob": "^2.1.1"
+      }
+    },
+    "is-hexadecimal": {
+      "version": "1.0.4",
+      "integrity": "sha512-gyPJuv83bHMpocVYoqof5VDiZveEoGoFL8m3BXNb2VW8Xs+rz9kqO8LOQ5DH6EsuvilT1ApazU0pyl+ytbPtlw==",
+      "dev": true
+    },
+    "is-map": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/is-map/-/is-map-2.0.2.tgz",
+      "integrity": "sha512-cOZFQQozTha1f4MxLFzlgKYPTyj26picdZTx82hbc/Xf4K/tZOOXSCkMvU4pKioRXGDLJRn0GM7Upe7kR721yg==",
+      "dev": true
+    },
+    "is-negative-zero": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/is-negative-zero/-/is-negative-zero-2.0.2.tgz",
+      "integrity": "sha512-dqJvarLawXsFbNDeJW7zAz8ItJ9cd28YufuuFzh0G8pNHjJMnY08Dv7sYX2uF5UpQOwieAeOExEYAWWfu7ZZUA==",
+      "dev": true
+    },
+    "is-number": {
+      "version": "7.0.0",
+      "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==",
+      "dev": true
+    },
+    "is-number-object": {
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/is-number-object/-/is-number-object-1.0.7.tgz",
+      "integrity": "sha512-k1U0IRzLMo7ZlYIfzRu23Oh6MiIFasgpb9X76eqfFZAqwH44UI4KTBvBYIZ1dSL9ZzChTB9ShHfLkR4pdW5krQ==",
+      "dev": true,
+      "requires": {
+        "has-tostringtag": "^1.0.0"
+      }
+    },
+    "is-obj": {
+      "version": "1.0.1",
+      "integrity": "sha1-PkcprB9f3gJc19g6iW2rn09n2w8=",
+      "dev": true
+    },
+    "is-path-inside": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/is-path-inside/-/is-path-inside-3.0.3.tgz",
+      "integrity": "sha512-Fd4gABb+ycGAmKou8eMftCupSir5lRxqf4aD/vd0cD2qc4HL07OjCeuHMr8Ro4CoMaeCKDB0/ECBOVWjTwUvPQ==",
+      "dev": true
+    },
+    "is-plain-obj": {
+      "version": "1.1.0",
+      "integrity": "sha1-caUMhCnfync8kqOQpKA7OfzVHT4=",
+      "dev": true
+    },
+    "is-plain-object": {
+      "version": "2.0.4",
+      "integrity": "sha512-h5PpgXkWitc38BBMYawTYMWJHFZJVnBquFE57xFpjB8pJFiF6gZ+bU+WyI/yqXiFR5mdLsgYNaPe8uao6Uv9Og==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "isobject": "^3.0.1"
+      }
+    },
+    "is-potential-custom-element-name": {
+      "version": "1.0.1",
+      "integrity": "sha512-bCYeRA2rVibKZd+s2625gGnGF/t7DSqDs4dP7CrLA1m7jKWz6pps0LpYLJN8Q64HtmPKJ1hrN3nzPNKFEKOUiQ==",
+      "dev": true,
+      "peer": true
+    },
+    "is-regex": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/is-regex/-/is-regex-1.1.4.tgz",
+      "integrity": "sha512-kvRdxDsxZjhzUX07ZnLydzS1TU/TJlTUHHY4YLL87e37oUA49DfkLqgy+VjFocowy29cKvcSiu+kIv728jTTVg==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2",
+        "has-tostringtag": "^1.0.0"
+      }
+    },
+    "is-regexp": {
+      "version": "1.0.0",
+      "integrity": "sha1-/S2INUXEa6xaYz57mgnof6LLUGk=",
+      "dev": true
+    },
+    "is-set": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/is-set/-/is-set-2.0.2.tgz",
+      "integrity": "sha512-+2cnTEZeY5z/iXGbLhPrOAaK/Mau5k5eXq9j14CpRTftq0pAJu2MwVRSZhyZWBzx3o6X795Lz6Bpb6R0GKf37g==",
+      "dev": true
+    },
+    "is-shared-array-buffer": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/is-shared-array-buffer/-/is-shared-array-buffer-1.0.2.tgz",
+      "integrity": "sha512-sqN2UDu1/0y6uvXyStCOzyhAjCSlHceFoMKJW8W9EU9cvic/QdsZ0kEU93HEy3IUEFZIiH/3w+AH/UQbPHNdhA==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2"
+      }
+    },
+    "is-stream": {
+      "version": "2.0.1",
+      "integrity": "sha512-hFoiJiTl63nn+kstHGBtewWSKnQLpyb155KHheA1l39uvtO9nWIop1p3udqPcUd/xbF1VLMO4n7OI6p7RbngDg==",
+      "dev": true
+    },
+    "is-string": {
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/is-string/-/is-string-1.0.7.tgz",
+      "integrity": "sha512-tE2UXzivje6ofPW7l23cjDOMa09gb7xlAqG6jG5ej6uPV32TlWP3NKPigtaGeHNu9fohccRYvIiZMfOOnOYUtg==",
+      "dev": true,
+      "requires": {
+        "has-tostringtag": "^1.0.0"
+      }
+    },
+    "is-symbol": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/is-symbol/-/is-symbol-1.0.4.tgz",
+      "integrity": "sha512-C/CPBqKWnvdcxqIARxyOh4v1UUEOCHpgDa0WYgpKDFMszcrPcffg5uhwSgPCLD2WWxmq6isisz87tzT01tuGhg==",
+      "dev": true,
+      "requires": {
+        "has-symbols": "^1.0.2"
+      }
+    },
+    "is-typed-array": {
+      "version": "1.1.10",
+      "resolved": "https://registry.npmjs.org/is-typed-array/-/is-typed-array-1.1.10.tgz",
+      "integrity": "sha512-PJqgEHiWZvMpaFZ3uTc8kHPM4+4ADTlDniuQL7cU/UDA0Ql7F70yGfHph3cLNe+c9toaigv+DFzTJKhc2CtO6A==",
+      "dev": true,
+      "requires": {
+        "available-typed-arrays": "^1.0.5",
+        "call-bind": "^1.0.2",
+        "for-each": "^0.3.3",
+        "gopd": "^1.0.1",
+        "has-tostringtag": "^1.0.0"
+      }
+    },
+    "is-typedarray": {
+      "version": "1.0.0",
+      "integrity": "sha1-5HnICFjfDBsR3dppQPlgEfzaSpo=",
+      "dev": true
+    },
+    "is-unicode-supported": {
+      "version": "0.1.0",
+      "integrity": "sha512-knxG2q4UC3u8stRGyAVJCOdxFmv5DZiRcdlIaAQXAbSfJya+OhopNotLQrstBhququ4ZpuKbDc/8S6mgXgPFPw==",
+      "dev": true
+    },
+    "is-url-superb": {
+      "version": "3.0.0",
+      "integrity": "sha512-3faQP+wHCGDQT1qReM5zCPx2mxoal6DzbzquFlCYJLWyy4WPTved33ea2xFbX37z4NoriEwZGIYhFtx8RUB5wQ==",
+      "dev": true,
+      "requires": {
+        "url-regex": "^5.0.0"
+      }
+    },
+    "is-weakmap": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/is-weakmap/-/is-weakmap-2.0.1.tgz",
+      "integrity": "sha512-NSBR4kH5oVj1Uwvv970ruUkCV7O1mzgVFO4/rev2cLRda9Tm9HrL70ZPut4rOHgY0FNrUu9BCbXA2sdQ+x0chA==",
+      "dev": true
+    },
+    "is-weakref": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/is-weakref/-/is-weakref-1.0.2.tgz",
+      "integrity": "sha512-qctsuLZmIQ0+vSSMfoVvyFe2+GSEvnmZ2ezTup1SBse9+twCCeial6EEi3Nc2KFcf6+qz2FBPnjXsk8xhKSaPQ==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2"
+      }
+    },
+    "is-weakset": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/is-weakset/-/is-weakset-2.0.2.tgz",
+      "integrity": "sha512-t2yVvttHkQktwnNNmBQ98AhENLdPUTDTE21uPqAQ0ARwQfGeQKRVS0NNurH7bTf7RrvcVn1OOge45CnBeHCSmg==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2",
+        "get-intrinsic": "^1.1.1"
+      }
+    },
+    "is-whitespace-character": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/is-whitespace-character/-/is-whitespace-character-1.0.4.tgz",
+      "integrity": "sha512-SDweEzfIZM0SJV0EUga669UTKlmL0Pq8Lno0QDQsPnvECB3IM2aP0gdx5TrU0A01MAPfViaZiI2V1QMZLaKK5w==",
+      "dev": true
+    },
+    "is-windows": {
+      "version": "1.0.2",
+      "integrity": "sha512-eXK1UInq2bPmjyX6e3VHIzMLobc4J94i4AWn+Hpq3OU5KkrRC96OAcR3PRJ/pGu6m8TRnBHP9dkXQVsT/COVIA==",
+      "dev": true,
+      "peer": true
+    },
+    "is-word-character": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/is-word-character/-/is-word-character-1.0.4.tgz",
+      "integrity": "sha512-5SMO8RVennx3nZrqtKwCGyyetPE9VDba5ugvKLaD4KopPG5kR4mQ7tNt/r7feL5yt5h3lpuBbIUmCOG2eSzXHA==",
+      "dev": true
+    },
+    "is-wsl": {
+      "version": "2.2.0",
+      "integrity": "sha512-fKzAra0rGJUUBwGBgNkHZuToZcn+TtXHpeCgmkMJMMYx1sQDYaCSyjJBSCa2nH1DGm7s3n1oBnohoVTBaN7Lww==",
+      "dev": true,
+      "requires": {
+        "is-docker": "^2.0.0"
+      }
+    },
+    "isarray": {
+      "version": "1.0.0",
+      "integrity": "sha1-u5NdSFgsuhaMBoNJV6VKPgcSTxE=",
+      "dev": true,
+      "peer": true
+    },
+    "isexe": {
+      "version": "2.0.0",
+      "integrity": "sha1-6PvzdNxVb/iUehDcsFctYz8s+hA=",
+      "dev": true
+    },
+    "isobject": {
+      "version": "3.0.1",
+      "integrity": "sha1-TkMekrEalzFjaqH5yNHMvP2reN8=",
+      "dev": true,
+      "peer": true
+    },
+    "istanbul-lib-coverage": {
+      "version": "3.0.2",
+      "integrity": "sha512-o5+eTUYzCJ11/+JhW5/FUCdfsdoYVdQ/8I/OveE2XsjehYn5DdeSnNQAbjYaO8gQ6hvGTN6GM6ddQqpTVG5j8g==",
+      "dev": true,
+      "peer": true
+    },
+    "istanbul-lib-instrument": {
+      "version": "4.0.3",
+      "integrity": "sha512-BXgQl9kf4WTCPCCpmFGoJkz/+uhvm7h7PFKUYxh7qarQd3ER33vHG//qaE8eN25l07YqZPpHXU9I09l/RD5aGQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@babel/core": "^7.7.5",
+        "@istanbuljs/schema": "^0.1.2",
+        "istanbul-lib-coverage": "^3.0.0",
+        "semver": "^6.3.0"
+      },
+      "dependencies": {
+        "semver": {
+          "version": "6.3.0",
+          "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==",
+          "dev": true,
+          "peer": true
+        }
+      }
+    },
+    "istanbul-lib-report": {
+      "version": "3.0.0",
+      "integrity": "sha512-wcdi+uAKzfiGT2abPpKZ0hSU1rGQjUQnLvtY5MpQ7QCTahD3VODhcu4wcfY1YtkGaDD5yuydOLINXsfbus9ROw==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "istanbul-lib-coverage": "^3.0.0",
+        "make-dir": "^3.0.0",
+        "supports-color": "^7.1.0"
+      },
+      "dependencies": {
+        "make-dir": {
+          "version": "3.1.0",
+          "integrity": "sha512-g3FeP20LNwhALb/6Cz6Dd4F2ngze0jz7tbzrD2wAV+o9FeNHe4rL+yK2md0J/fiSf1sa1ADhXqi5+oVwOM/eGw==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "semver": "^6.0.0"
+          }
+        },
+        "semver": {
+          "version": "6.3.0",
+          "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==",
+          "dev": true,
+          "peer": true
+        }
+      }
+    },
+    "istanbul-lib-source-maps": {
+      "version": "4.0.0",
+      "integrity": "sha512-c16LpFRkR8vQXyHZ5nLpY35JZtzj1PQY1iZmesUbf1FZHbIupcWfjgOXBY9YHkLEQ6puz1u4Dgj6qmU/DisrZg==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "debug": "^4.1.1",
+        "istanbul-lib-coverage": "^3.0.0",
+        "source-map": "^0.6.1"
+      },
+      "dependencies": {
+        "source-map": {
+          "version": "0.6.1",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+          "dev": true,
+          "peer": true
+        }
+      }
+    },
+    "istanbul-reports": {
+      "version": "3.0.3",
+      "integrity": "sha512-0i77ZFLsb9U3DHi22WzmIngVzfoyxxbQcZRqlF3KoKmCJGq9nhFHoGi8FqBztN2rE8w6hURnZghetn0xpkVb6A==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "html-escaper": "^2.0.0",
+        "istanbul-lib-report": "^3.0.0"
+      }
+    },
+    "jake": {
+      "version": "10.8.2",
+      "integrity": "sha512-eLpKyrfG3mzvGE2Du8VoPbeSkRry093+tyNjdYaBbJS9v17knImYGNXQCUV0gLxQtF82m3E8iRb/wdSQZLoq7A==",
+      "dev": true,
+      "requires": {
+        "async": "0.9.x",
+        "chalk": "^2.4.2",
+        "filelist": "^1.0.1",
+        "minimatch": "^3.0.4"
+      },
+      "dependencies": {
+        "ansi-styles": {
+          "version": "3.2.1",
+          "integrity": "sha512-VT0ZI6kZRdTh8YyJw3SMbYm/u+NqfsAxEpWO0Pf9sq8/e94WxxOpPKx9FR1FlyCtOVDNOQ+8ntlqFxiRc+r5qA==",
+          "dev": true,
+          "requires": {
+            "color-convert": "^1.9.0"
+          }
+        },
+        "chalk": {
+          "version": "2.4.2",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "dev": true,
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        },
+        "color-convert": {
+          "version": "1.9.3",
+          "integrity": "sha512-QfAUtd+vFdAtFQcC8CCyYt1fYWxSqAiK2cSD6zDB8N3cpsEBAvRxp9zOGg6G/SHHJYAT88/az/IuDGALsNVbGg==",
+          "dev": true,
+          "requires": {
+            "color-name": "1.1.3"
+          }
+        },
+        "color-name": {
+          "version": "1.1.3",
+          "integrity": "sha1-p9BVi9icQveV3UIyj3QIMcpTvCU=",
+          "dev": true
+        },
+        "has-flag": {
+          "version": "3.0.0",
+          "integrity": "sha1-tdRU3CGZriJWmfNGfloH87lVuv0=",
+          "dev": true
+        },
+        "supports-color": {
+          "version": "5.5.0",
+          "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+          "dev": true,
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "jest": {
+      "version": "26.6.3",
+      "integrity": "sha512-lGS5PXGAzR4RF7V5+XObhqz2KZIDUA1yD0DG6pBVmy10eh0ZIXQImRuzocsI/N2XZ1GrLFwTS27In2i2jlpq1Q==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@jest/core": "^26.6.3",
+        "import-local": "^3.0.2",
+        "jest-cli": "^26.6.3"
+      }
+    },
+    "jest-changed-files": {
+      "version": "26.6.2",
+      "integrity": "sha512-fDS7szLcY9sCtIip8Fjry9oGf3I2ht/QT21bAHm5Dmf0mD4X3ReNUf17y+bO6fR8WgbIZTlbyG1ak/53cbRzKQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@jest/types": "^26.6.2",
+        "execa": "^4.0.0",
+        "throat": "^5.0.0"
+      }
+    },
+    "jest-cli": {
+      "version": "26.6.3",
+      "integrity": "sha512-GF9noBSa9t08pSyl3CY4frMrqp+aQXFGFkf5hEPbh/pIUFYWMK6ZLTfbmadxJVcJrdRoChlWQsA2VkJcDFK8hg==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@jest/core": "^26.6.3",
+        "@jest/test-result": "^26.6.2",
+        "@jest/types": "^26.6.2",
+        "chalk": "^4.0.0",
+        "exit": "^0.1.2",
+        "graceful-fs": "^4.2.4",
+        "import-local": "^3.0.2",
+        "is-ci": "^2.0.0",
+        "jest-config": "^26.6.3",
+        "jest-util": "^26.6.2",
+        "jest-validate": "^26.6.2",
+        "prompts": "^2.0.1",
+        "yargs": "^15.4.1"
+      }
+    },
+    "jest-config": {
+      "version": "26.6.3",
+      "integrity": "sha512-t5qdIj/bCj2j7NFVHb2nFB4aUdfucDn3JRKgrZnplb8nieAirAzRSHP8uDEd+qV6ygzg9Pz4YG7UTJf94LPSyg==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@babel/core": "^7.1.0",
+        "@jest/test-sequencer": "^26.6.3",
+        "@jest/types": "^26.6.2",
+        "babel-jest": "^26.6.3",
+        "chalk": "^4.0.0",
+        "deepmerge": "^4.2.2",
+        "glob": "^7.1.1",
+        "graceful-fs": "^4.2.4",
+        "jest-environment-jsdom": "^26.6.2",
+        "jest-environment-node": "^26.6.2",
+        "jest-get-type": "^26.3.0",
+        "jest-jasmine2": "^26.6.3",
+        "jest-regex-util": "^26.0.0",
+        "jest-resolve": "^26.6.2",
+        "jest-util": "^26.6.2",
+        "jest-validate": "^26.6.2",
+        "micromatch": "^4.0.2",
+        "pretty-format": "^26.6.2"
+      },
+      "dependencies": {
+        "deepmerge": {
+          "version": "4.2.2",
+          "integrity": "sha512-FJ3UgI4gIl+PHZm53knsuSFpE+nESMr7M4v9QcgB7S63Kj/6WqMiFQJpBBYz1Pt+66bZpP3Q7Lye0Oo9MPKEdg==",
+          "dev": true,
+          "peer": true
+        }
+      }
+    },
+    "jest-diff": {
+      "version": "26.6.2",
+      "integrity": "sha512-6m+9Z3Gv9wN0WFVasqjCL/06+EFCMTqDEUl/b87HYK2rAPTyfz4ZIuSlPhY51PIQRWx5TaxeF1qmXKe9gfN3sA==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "chalk": "^4.0.0",
+        "diff-sequences": "^26.6.2",
+        "jest-get-type": "^26.3.0",
+        "pretty-format": "^26.6.2"
+      }
+    },
+    "jest-docblock": {
+      "version": "26.0.0",
+      "integrity": "sha512-RDZ4Iz3QbtRWycd8bUEPxQsTlYazfYn/h5R65Fc6gOfwozFhoImx+affzky/FFBuqISPTqjXomoIGJVKBWoo0w==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "detect-newline": "^3.0.0"
+      }
+    },
+    "jest-each": {
+      "version": "26.6.2",
+      "integrity": "sha512-Mer/f0KaATbjl8MCJ+0GEpNdqmnVmDYqCTJYTvoo7rqmRiDllmp2AYN+06F93nXcY3ur9ShIjS+CO/uD+BbH4A==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@jest/types": "^26.6.2",
+        "chalk": "^4.0.0",
+        "jest-get-type": "^26.3.0",
+        "jest-util": "^26.6.2",
+        "pretty-format": "^26.6.2"
+      }
+    },
+    "jest-environment-jsdom": {
+      "version": "26.6.2",
+      "integrity": "sha512-jgPqCruTlt3Kwqg5/WVFyHIOJHsiAvhcp2qiR2QQstuG9yWox5+iHpU3ZrcBxW14T4fe5Z68jAfLRh7joCSP2Q==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@jest/environment": "^26.6.2",
+        "@jest/fake-timers": "^26.6.2",
+        "@jest/types": "^26.6.2",
+        "@types/node": "*",
+        "jest-mock": "^26.6.2",
+        "jest-util": "^26.6.2",
+        "jsdom": "^16.4.0"
+      }
+    },
+    "jest-environment-node": {
+      "version": "26.6.2",
+      "integrity": "sha512-zhtMio3Exty18dy8ee8eJ9kjnRyZC1N4C1Nt/VShN1apyXc8rWGtJ9lI7vqiWcyyXS4BVSEn9lxAM2D+07/Tag==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@jest/environment": "^26.6.2",
+        "@jest/fake-timers": "^26.6.2",
+        "@jest/types": "^26.6.2",
+        "@types/node": "*",
+        "jest-mock": "^26.6.2",
+        "jest-util": "^26.6.2"
+      }
+    },
+    "jest-get-type": {
+      "version": "26.3.0",
+      "integrity": "sha512-TpfaviN1R2pQWkIihlfEanwOXK0zcxrKEE4MlU6Tn7keoXdN6/3gK/xl0yEh8DOunn5pOVGKf8hB4R9gVh04ig==",
+      "dev": true,
+      "peer": true
+    },
+    "jest-haste-map": {
+      "version": "26.6.2",
+      "integrity": "sha512-easWIJXIw71B2RdR8kgqpjQrbMRWQBgiBwXYEhtGUTaX+doCjBheluShdDMeR8IMfJiTqH4+zfhtg29apJf/8w==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@jest/types": "^26.6.2",
+        "@types/graceful-fs": "^4.1.2",
+        "@types/node": "*",
+        "anymatch": "^3.0.3",
+        "fb-watchman": "^2.0.0",
+        "fsevents": "^2.1.2",
+        "graceful-fs": "^4.2.4",
+        "jest-regex-util": "^26.0.0",
+        "jest-serializer": "^26.6.2",
+        "jest-util": "^26.6.2",
+        "jest-worker": "^26.6.2",
+        "micromatch": "^4.0.2",
+        "sane": "^4.0.3",
+        "walker": "^1.0.7"
+      }
+    },
+    "jest-jasmine2": {
+      "version": "26.6.3",
+      "integrity": "sha512-kPKUrQtc8aYwBV7CqBg5pu+tmYXlvFlSFYn18ev4gPFtrRzB15N2gW/Roew3187q2w2eHuu0MU9TJz6w0/nPEg==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@babel/traverse": "^7.1.0",
+        "@jest/environment": "^26.6.2",
+        "@jest/source-map": "^26.6.2",
+        "@jest/test-result": "^26.6.2",
+        "@jest/types": "^26.6.2",
+        "@types/node": "*",
+        "chalk": "^4.0.0",
+        "co": "^4.6.0",
+        "expect": "^26.6.2",
+        "is-generator-fn": "^2.0.0",
+        "jest-each": "^26.6.2",
+        "jest-matcher-utils": "^26.6.2",
+        "jest-message-util": "^26.6.2",
+        "jest-runtime": "^26.6.3",
+        "jest-snapshot": "^26.6.2",
+        "jest-util": "^26.6.2",
+        "pretty-format": "^26.6.2",
+        "throat": "^5.0.0"
+      }
+    },
+    "jest-leak-detector": {
+      "version": "26.6.2",
+      "integrity": "sha512-i4xlXpsVSMeKvg2cEKdfhh0H39qlJlP5Ex1yQxwF9ubahboQYMgTtz5oML35AVA3B4Eu+YsmwaiKVev9KCvLxg==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "jest-get-type": "^26.3.0",
+        "pretty-format": "^26.6.2"
+      }
+    },
+    "jest-matcher-utils": {
+      "version": "26.6.2",
+      "integrity": "sha512-llnc8vQgYcNqDrqRDXWwMr9i7rS5XFiCwvh6DTP7Jqa2mqpcCBBlpCbn+trkG0KNhPu/h8rzyBkriOtBstvWhw==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "chalk": "^4.0.0",
+        "jest-diff": "^26.6.2",
+        "jest-get-type": "^26.3.0",
+        "pretty-format": "^26.6.2"
+      }
+    },
+    "jest-message-util": {
+      "version": "26.6.2",
+      "integrity": "sha512-rGiLePzQ3AzwUshu2+Rn+UMFk0pHN58sOG+IaJbk5Jxuqo3NYO1U2/MIR4S1sKgsoYSXSzdtSa0TgrmtUwEbmA==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@babel/code-frame": "^7.0.0",
+        "@jest/types": "^26.6.2",
+        "@types/stack-utils": "^2.0.0",
+        "chalk": "^4.0.0",
+        "graceful-fs": "^4.2.4",
+        "micromatch": "^4.0.2",
+        "pretty-format": "^26.6.2",
+        "slash": "^3.0.0",
+        "stack-utils": "^2.0.2"
+      }
+    },
+    "jest-mock": {
+      "version": "26.6.2",
+      "integrity": "sha512-YyFjePHHp1LzpzYcmgqkJ0nm0gg/lJx2aZFzFy1S6eUqNjXsOqTK10zNRff2dNfssgokjkG65OlWNcIlgd3zew==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@jest/types": "^26.6.2",
+        "@types/node": "*"
+      }
+    },
+    "jest-pnp-resolver": {
+      "version": "1.2.2",
+      "integrity": "sha512-olV41bKSMm8BdnuMsewT4jqlZ8+3TCARAXjZGT9jcoSnrfUnRCqnMoF9XEeoWjbzObpqF9dRhHQj0Xb9QdF6/w==",
+      "dev": true,
+      "peer": true,
+      "requires": {}
+    },
+    "jest-regex-util": {
+      "version": "26.0.0",
+      "integrity": "sha512-Gv3ZIs/nA48/Zvjrl34bf+oD76JHiGDUxNOVgUjh3j890sblXryjY4rss71fPtD/njchl6PSE2hIhvyWa1eT0A==",
+      "dev": true,
+      "peer": true
+    },
+    "jest-resolve": {
+      "version": "26.6.2",
+      "integrity": "sha512-sOxsZOq25mT1wRsfHcbtkInS+Ek7Q8jCHUB0ZUTP0tc/c41QHriU/NunqMfCUWsL4H3MHpvQD4QR9kSYhS7UvQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@jest/types": "^26.6.2",
+        "chalk": "^4.0.0",
+        "graceful-fs": "^4.2.4",
+        "jest-pnp-resolver": "^1.2.2",
+        "jest-util": "^26.6.2",
+        "read-pkg-up": "^7.0.1",
+        "resolve": "^1.18.1",
+        "slash": "^3.0.0"
+      },
+      "dependencies": {
+        "find-up": {
+          "version": "4.1.0",
+          "integrity": "sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "locate-path": "^5.0.0",
+            "path-exists": "^4.0.0"
+          }
+        },
+        "locate-path": {
+          "version": "5.0.0",
+          "integrity": "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "p-locate": "^4.1.0"
+          }
+        },
+        "p-limit": {
+          "version": "2.3.0",
+          "integrity": "sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "p-try": "^2.0.0"
+          }
+        },
+        "p-locate": {
+          "version": "4.1.0",
+          "integrity": "sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "p-limit": "^2.2.0"
+          }
+        },
+        "path-exists": {
+          "version": "4.0.0",
+          "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==",
+          "dev": true,
+          "peer": true
+        },
+        "read-pkg": {
+          "version": "5.2.0",
+          "integrity": "sha512-Ug69mNOpfvKDAc2Q8DRpMjjzdtrnv9HcSMX+4VsZxD1aZ6ZzrIE7rlzXBtWTyhULSMKg076AW6WR5iZpD0JiOg==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "@types/normalize-package-data": "^2.4.0",
+            "normalize-package-data": "^2.5.0",
+            "parse-json": "^5.0.0",
+            "type-fest": "^0.6.0"
+          },
+          "dependencies": {
+            "type-fest": {
+              "version": "0.6.0",
+              "integrity": "sha512-q+MB8nYR1KDLrgr4G5yemftpMC7/QLqVndBmEEdqzmNj5dcFOO4Oo8qlwZE3ULT3+Zim1F8Kq4cBnikNhlCMlg==",
+              "dev": true,
+              "peer": true
+            }
+          }
+        },
+        "read-pkg-up": {
+          "version": "7.0.1",
+          "integrity": "sha512-zK0TB7Xd6JpCLmlLmufqykGE+/TlOePD6qKClNW7hHDKFh/J7/7gCWGR7joEQEW1bKq3a3yUZSObOoWLFQ4ohg==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "find-up": "^4.1.0",
+            "read-pkg": "^5.2.0",
+            "type-fest": "^0.8.1"
+          }
+        },
+        "type-fest": {
+          "version": "0.8.1",
+          "integrity": "sha512-4dbzIzqvjtgiM5rw1k5rEHtBANKmdudhGyBEajN01fEyhaAIhsoKNy6y7+IN93IfpFtwY9iqi7kD+xwKhQsNJA==",
+          "dev": true,
+          "peer": true
+        }
+      }
+    },
+    "jest-resolve-dependencies": {
+      "version": "26.6.3",
+      "integrity": "sha512-pVwUjJkxbhe4RY8QEWzN3vns2kqyuldKpxlxJlzEYfKSvY6/bMvxoFrYYzUO1Gx28yKWN37qyV7rIoIp2h8fTg==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@jest/types": "^26.6.2",
+        "jest-regex-util": "^26.0.0",
+        "jest-snapshot": "^26.6.2"
+      }
+    },
+    "jest-runner": {
+      "version": "26.6.3",
+      "integrity": "sha512-atgKpRHnaA2OvByG/HpGA4g6CSPS/1LK0jK3gATJAoptC1ojltpmVlYC3TYgdmGp+GLuhzpH30Gvs36szSL2JQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@jest/console": "^26.6.2",
+        "@jest/environment": "^26.6.2",
+        "@jest/test-result": "^26.6.2",
+        "@jest/types": "^26.6.2",
+        "@types/node": "*",
+        "chalk": "^4.0.0",
+        "emittery": "^0.7.1",
+        "exit": "^0.1.2",
+        "graceful-fs": "^4.2.4",
+        "jest-config": "^26.6.3",
+        "jest-docblock": "^26.0.0",
+        "jest-haste-map": "^26.6.2",
+        "jest-leak-detector": "^26.6.2",
+        "jest-message-util": "^26.6.2",
+        "jest-resolve": "^26.6.2",
+        "jest-runtime": "^26.6.3",
+        "jest-util": "^26.6.2",
+        "jest-worker": "^26.6.2",
+        "source-map-support": "^0.5.6",
+        "throat": "^5.0.0"
+      }
+    },
+    "jest-runtime": {
+      "version": "26.6.3",
+      "integrity": "sha512-lrzyR3N8sacTAMeonbqpnSka1dHNux2uk0qqDXVkMv2c/A3wYnvQ4EXuI013Y6+gSKSCxdaczvf4HF0mVXHRdw==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@jest/console": "^26.6.2",
+        "@jest/environment": "^26.6.2",
+        "@jest/fake-timers": "^26.6.2",
+        "@jest/globals": "^26.6.2",
+        "@jest/source-map": "^26.6.2",
+        "@jest/test-result": "^26.6.2",
+        "@jest/transform": "^26.6.2",
+        "@jest/types": "^26.6.2",
+        "@types/yargs": "^15.0.0",
+        "chalk": "^4.0.0",
+        "cjs-module-lexer": "^0.6.0",
+        "collect-v8-coverage": "^1.0.0",
+        "exit": "^0.1.2",
+        "glob": "^7.1.3",
+        "graceful-fs": "^4.2.4",
+        "jest-config": "^26.6.3",
+        "jest-haste-map": "^26.6.2",
+        "jest-message-util": "^26.6.2",
+        "jest-mock": "^26.6.2",
+        "jest-regex-util": "^26.0.0",
+        "jest-resolve": "^26.6.2",
+        "jest-snapshot": "^26.6.2",
+        "jest-util": "^26.6.2",
+        "jest-validate": "^26.6.2",
+        "slash": "^3.0.0",
+        "strip-bom": "^4.0.0",
+        "yargs": "^15.4.1"
+      }
+    },
+    "jest-serializer": {
+      "version": "26.6.2",
+      "integrity": "sha512-S5wqyz0DXnNJPd/xfIzZ5Xnp1HrJWBczg8mMfMpN78OJ5eDxXyf+Ygld9wX1DnUWbIbhM1YDY95NjR4CBXkb2g==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@types/node": "*",
+        "graceful-fs": "^4.2.4"
+      }
+    },
+    "jest-snapshot": {
+      "version": "26.6.2",
+      "integrity": "sha512-OLhxz05EzUtsAmOMzuupt1lHYXCNib0ECyuZ/PZOx9TrZcC8vL0x+DUG3TL+GLX3yHG45e6YGjIm0XwDc3q3og==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@babel/types": "^7.0.0",
+        "@jest/types": "^26.6.2",
+        "@types/babel__traverse": "^7.0.4",
+        "@types/prettier": "^2.0.0",
+        "chalk": "^4.0.0",
+        "expect": "^26.6.2",
+        "graceful-fs": "^4.2.4",
+        "jest-diff": "^26.6.2",
+        "jest-get-type": "^26.3.0",
+        "jest-haste-map": "^26.6.2",
+        "jest-matcher-utils": "^26.6.2",
+        "jest-message-util": "^26.6.2",
+        "jest-resolve": "^26.6.2",
+        "natural-compare": "^1.4.0",
+        "pretty-format": "^26.6.2",
+        "semver": "^7.3.2"
+      }
+    },
+    "jest-util": {
+      "version": "26.6.2",
+      "integrity": "sha512-MDW0fKfsn0OI7MS7Euz6h8HNDXVQ0gaM9uW6RjfDmd1DAFcaxX9OqIakHIqhbnmF08Cf2DLDG+ulq8YQQ0Lp0Q==",
+      "dev": true,
+      "requires": {
+        "@jest/types": "^26.6.2",
+        "@types/node": "*",
+        "chalk": "^4.0.0",
+        "graceful-fs": "^4.2.4",
+        "is-ci": "^2.0.0",
+        "micromatch": "^4.0.2"
+      }
+    },
+    "jest-validate": {
+      "version": "26.6.2",
+      "integrity": "sha512-NEYZ9Aeyj0i5rQqbq+tpIOom0YS1u2MVu6+euBsvpgIme+FOfRmoC4R5p0JiAUpaFvFy24xgrpMknarR/93XjQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@jest/types": "^26.6.2",
+        "camelcase": "^6.0.0",
+        "chalk": "^4.0.0",
+        "jest-get-type": "^26.3.0",
+        "leven": "^3.1.0",
+        "pretty-format": "^26.6.2"
+      },
+      "dependencies": {
+        "camelcase": {
+          "version": "6.2.0",
+          "integrity": "sha512-c7wVvbw3f37nuobQNtgsgG9POC9qMbNuMQmTCqZv23b6MIz0fcYpBiOlv9gEN/hdLdnZTDQhg6e9Dq5M1vKvfg==",
+          "dev": true,
+          "peer": true
+        }
+      }
+    },
+    "jest-watcher": {
+      "version": "26.6.2",
+      "integrity": "sha512-WKJob0P/Em2csiVthsI68p6aGKTIcsfjH9Gsx1f0A3Italz43e3ho0geSAVsmj09RWOELP1AZ/DXyJgOgDKxXQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@jest/test-result": "^26.6.2",
+        "@jest/types": "^26.6.2",
+        "@types/node": "*",
+        "ansi-escapes": "^4.2.1",
+        "chalk": "^4.0.0",
+        "jest-util": "^26.6.2",
+        "string-length": "^4.0.1"
+      }
+    },
+    "jest-worker": {
+      "version": "26.6.2",
+      "integrity": "sha512-KWYVV1c4i+jbMpaBC+U++4Va0cp8OisU185o73T1vo99hqi7w8tSJfUXYswwqqrjzwxa6KpRK54WhPvwf5w6PQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@types/node": "*",
+        "merge-stream": "^2.0.0",
+        "supports-color": "^7.0.0"
+      }
+    },
+    "js-sdsl": {
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/js-sdsl/-/js-sdsl-4.2.0.tgz",
+      "integrity": "sha512-dyBIzQBDkCqCu+0upx25Y2jGdbTGxE9fshMsCdK0ViOongpV+n5tXRcZY9v7CaVQ79AGS9KA1KHtojxiM7aXSQ==",
+      "dev": true
+    },
+    "js-tokens": {
+      "version": "4.0.0",
+      "integrity": "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==",
+      "dev": true
+    },
+    "js-yaml": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz",
+      "integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==",
+      "dev": true,
+      "requires": {
+        "argparse": "^2.0.1"
+      }
+    },
+    "jsdom": {
+      "version": "16.7.0",
+      "integrity": "sha512-u9Smc2G1USStM+s/x1ru5Sxrl6mPYCbByG1U/hUmqaVsm4tbNyS7CicOSRyuGQYZhTu0h84qkZZQ/I+dzizSVw==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "abab": "^2.0.5",
+        "acorn": "^8.2.4",
+        "acorn-globals": "^6.0.0",
+        "cssom": "^0.4.4",
+        "cssstyle": "^2.3.0",
+        "data-urls": "^2.0.0",
+        "decimal.js": "^10.2.1",
+        "domexception": "^2.0.1",
+        "escodegen": "^2.0.0",
+        "form-data": "^3.0.0",
+        "html-encoding-sniffer": "^2.0.1",
+        "http-proxy-agent": "^4.0.1",
+        "https-proxy-agent": "^5.0.0",
+        "is-potential-custom-element-name": "^1.0.1",
+        "nwsapi": "^2.2.0",
+        "parse5": "6.0.1",
+        "saxes": "^5.0.1",
+        "symbol-tree": "^3.2.4",
+        "tough-cookie": "^4.0.0",
+        "w3c-hr-time": "^1.0.2",
+        "w3c-xmlserializer": "^2.0.0",
+        "webidl-conversions": "^6.1.0",
+        "whatwg-encoding": "^1.0.5",
+        "whatwg-mimetype": "^2.3.0",
+        "whatwg-url": "^8.5.0",
+        "ws": "^7.4.6",
+        "xml-name-validator": "^3.0.0"
+      },
+      "dependencies": {
+        "acorn": {
+          "version": "8.5.0",
+          "integrity": "sha512-yXbYeFy+jUuYd3/CDcg2NkIYE991XYX/bje7LmjJigUciaeO1JR4XxXgCIV1/Zc/dRuFEyw1L0pbA+qynJkW5Q==",
+          "dev": true,
+          "peer": true
+        }
+      }
+    },
+    "jsesc": {
+      "version": "2.5.2",
+      "integrity": "sha512-OYu7XEzjkCQ3C5Ps3QIZsQfNpqoJyZZA99wd9aWd05NCtC5pWOkShK2mkL6HXQR6/Cy2lbNdPlZBpuQHXE63gA==",
+      "dev": true
+    },
+    "json-parse-better-errors": {
+      "version": "1.0.2",
+      "integrity": "sha512-mrqyZKfX5EhL7hvqcV6WG1yYjnjeuYDzDhhcAAUrq8Po85NBQBJP+ZDUT75qZQ98IkUoBqdkExkukOU7Ts2wrw==",
+      "dev": true
+    },
+    "json-parse-even-better-errors": {
+      "version": "2.3.1",
+      "integrity": "sha512-xyFwyhro/JEof6Ghe2iz2NcXoj2sloNsWr/XsERDK/oiPCfaNhl5ONfp+jQdAZRQQ0IJWNzH9zIZF7li91kh2w==",
+      "dev": true
+    },
+    "json-schema-traverse": {
+      "version": "0.4.1",
+      "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz",
+      "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==",
+      "dev": true
+    },
+    "json-stable-stringify-without-jsonify": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/json-stable-stringify-without-jsonify/-/json-stable-stringify-without-jsonify-1.0.1.tgz",
+      "integrity": "sha512-Bdboy+l7tA3OGW6FjyFHWkP5LuByj1Tk33Ljyq0axyzdk9//JSi2u3fP1QSmd1KNwq6VOKYGlAu87CisVir6Pw==",
+      "dev": true
+    },
+    "json5": {
+      "version": "2.2.0",
+      "integrity": "sha512-f+8cldu7X/y7RAJurMEJmdoKXGB/X550w2Nr3tTbezL6RwEE/iMcm+tZnXeoZtKuOq6ft8+CqzEkrIgx1fPoQA==",
+      "dev": true,
+      "requires": {
+        "minimist": "^1.2.5"
+      }
+    },
+    "jsonfile": {
+      "version": "6.1.0",
+      "integrity": "sha512-5dgndWOriYSm5cnYaJNhalLNDKOqFwyDB/rr1E9ZsGciGvKPs8R2xYGCacuf3z6K1YKDz182fd+fY3cn3pMqXQ==",
+      "dev": true,
+      "requires": {
+        "graceful-fs": "^4.1.6",
+        "universalify": "^2.0.0"
+      },
+      "dependencies": {
+        "universalify": {
+          "version": "2.0.0",
+          "integrity": "sha512-hAZsKq7Yy11Zu1DE0OzWjw7nnLZmJZYTDZZyEFHZdUhV8FkH5MCfoU1XMaxXovpyW5nq5scPqq0ZDP9Zyl04oQ==",
+          "dev": true
+        }
+      }
+    },
+    "jsx-ast-utils": {
+      "version": "3.3.3",
+      "resolved": "https://registry.npmjs.org/jsx-ast-utils/-/jsx-ast-utils-3.3.3.tgz",
+      "integrity": "sha512-fYQHZTZ8jSfmWZ0iyzfwiU4WDX4HpHbMCZ3gPlWYiCl3BoeOTsqKBqnTVfH2rYT7eP5c3sVbeSPHnnJOaTrWiw==",
+      "dev": true,
+      "requires": {
+        "array-includes": "^3.1.5",
+        "object.assign": "^4.1.3"
+      }
+    },
+    "kind-of": {
+      "version": "6.0.3",
+      "integrity": "sha512-dcS1ul+9tmeD95T+x28/ehLgd9mENa3LsvDTtzm3vyBEO7RPptvAD+t44WVXaUjTBRcrpFeFlC8WCruUR456hw==",
+      "dev": true
+    },
+    "kleur": {
+      "version": "3.0.3",
+      "integrity": "sha512-eTIzlVOSUR+JxdDFepEYcBMtZ9Qqdef+rnzWdRZuMbOywu5tO2w2N7rqjoANZ5k9vywhL6Br1VRjUIgTQx4E8w==",
+      "dev": true,
+      "peer": true
+    },
+    "known-css-properties": {
+      "version": "0.20.0",
+      "integrity": "sha512-URvsjaA9ypfreqJ2/ylDr5MUERhJZ+DhguoWRr2xgS5C7aGCalXo+ewL+GixgKBfhT2vuL02nbIgNGqVWgTOYw==",
+      "dev": true
+    },
+    "language-subtag-registry": {
+      "version": "0.3.22",
+      "resolved": "https://registry.npmjs.org/language-subtag-registry/-/language-subtag-registry-0.3.22.tgz",
+      "integrity": "sha512-tN0MCzyWnoz/4nHS6uxdlFWoUZT7ABptwKPQ52Ea7URk6vll88bWBVhodtnlfEuCcKWNGoc+uGbw1cwa9IKh/w==",
+      "dev": true
+    },
+    "language-tags": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/language-tags/-/language-tags-1.0.5.tgz",
+      "integrity": "sha512-qJhlO9cGXi6hBGKoxEG/sKZDAHD5Hnu9Hs4WbOY3pCWXDhw0N8x1NenNzm2EnNLkLkk7J2SdxAkDSbb6ftT+UQ==",
+      "dev": true,
+      "requires": {
+        "language-subtag-registry": "~0.3.2"
+      }
+    },
+    "leven": {
+      "version": "3.1.0",
+      "integrity": "sha512-qsda+H8jTaUaN/x5vzW2rzc+8Rw4TAQ/4KjB46IwK5VH+IlVeeeje/EoZRpiXvIqjFgK84QffqPztGI3VBLG1A==",
+      "dev": true,
+      "peer": true
+    },
+    "levn": {
+      "version": "0.4.1",
+      "resolved": "https://registry.npmjs.org/levn/-/levn-0.4.1.tgz",
+      "integrity": "sha512-+bT2uH4E5LGE7h/n3evcS/sQlJXCpIp6ym8OWJ5eV6+67Dsql/LaaT7qJBAt2rzfoa/5QBGBhxDix1dMt2kQKQ==",
+      "dev": true,
+      "requires": {
+        "prelude-ls": "^1.2.1",
+        "type-check": "~0.4.0"
+      }
+    },
+    "lines-and-columns": {
+      "version": "1.1.6",
+      "integrity": "sha1-HADHQ7QzzQpOgHWPe2SldEDZ/wA=",
+      "dev": true
+    },
+    "lint-staged": {
+      "version": "11.1.2",
+      "integrity": "sha512-6lYpNoA9wGqkL6Hew/4n1H6lRqF3qCsujVT0Oq5Z4hiSAM7S6NksPJ3gnr7A7R52xCtiZMcEUNNQ6d6X5Bvh9w==",
+      "dev": true,
+      "requires": {
+        "chalk": "^4.1.1",
+        "cli-truncate": "^2.1.0",
+        "commander": "^7.2.0",
+        "cosmiconfig": "^7.0.0",
+        "debug": "^4.3.1",
+        "enquirer": "^2.3.6",
+        "execa": "^5.0.0",
+        "listr2": "^3.8.2",
+        "log-symbols": "^4.1.0",
+        "micromatch": "^4.0.4",
+        "normalize-path": "^3.0.0",
+        "please-upgrade-node": "^3.2.0",
+        "string-argv": "0.3.1",
+        "stringify-object": "^3.3.0"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "4.1.2",
+          "integrity": "sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==",
+          "dev": true,
+          "requires": {
+            "ansi-styles": "^4.1.0",
+            "supports-color": "^7.1.0"
+          }
+        },
+        "execa": {
+          "version": "5.1.1",
+          "integrity": "sha512-8uSpZZocAZRBAPIEINJj3Lo9HyGitllczc27Eh5YYojjMFMn8yHMDMaUHE2Jqfq05D/wucwI4JGURyXt1vchyg==",
+          "dev": true,
+          "requires": {
+            "cross-spawn": "^7.0.3",
+            "get-stream": "^6.0.0",
+            "human-signals": "^2.1.0",
+            "is-stream": "^2.0.0",
+            "merge-stream": "^2.0.0",
+            "npm-run-path": "^4.0.1",
+            "onetime": "^5.1.2",
+            "signal-exit": "^3.0.3",
+            "strip-final-newline": "^2.0.0"
+          }
+        },
+        "get-stream": {
+          "version": "6.0.1",
+          "integrity": "sha512-ts6Wi+2j3jQjqi70w5AlN8DFnkSwC+MqmxEzdEALB2qXZYV3X/b1CTfgPLGJNMeAWxdPfU8FO1ms3NUfaHCPYg==",
+          "dev": true
+        },
+        "human-signals": {
+          "version": "2.1.0",
+          "integrity": "sha512-B4FFZ6q/T2jhhksgkbEW3HBvWIfDW85snkQgawt07S7J5QXTk6BkNV+0yAeZrM5QpMAdYlocGoljn0sJ/WQkFw==",
+          "dev": true
+        }
+      }
+    },
+    "listr2": {
+      "version": "3.12.2",
+      "integrity": "sha512-64xC2CJ/As/xgVI3wbhlPWVPx0wfTqbUAkpb7bjDi0thSWMqrf07UFhrfsGoo8YSXmF049Rp9C0cjLC8rZxK9A==",
+      "dev": true,
+      "requires": {
+        "cli-truncate": "^2.1.0",
+        "colorette": "^1.4.0",
+        "log-update": "^4.0.0",
+        "p-map": "^4.0.0",
+        "rxjs": "^6.6.7",
+        "through": "^2.3.8",
+        "wrap-ansi": "^7.0.0"
+      }
+    },
+    "load-json-file": {
+      "version": "4.0.0",
+      "integrity": "sha1-L19Fq5HjMhYjT9U62rZo607AmTs=",
+      "dev": true,
+      "requires": {
+        "graceful-fs": "^4.1.2",
+        "parse-json": "^4.0.0",
+        "pify": "^3.0.0",
+        "strip-bom": "^3.0.0"
+      },
+      "dependencies": {
+        "parse-json": {
+          "version": "4.0.0",
+          "integrity": "sha1-vjX1Qlvh9/bHRxhPmKeIy5lHfuA=",
+          "dev": true,
+          "requires": {
+            "error-ex": "^1.3.1",
+            "json-parse-better-errors": "^1.0.1"
+          }
+        },
+        "pify": {
+          "version": "3.0.0",
+          "integrity": "sha1-5aSs0sEB/fPZpNB/DbxNtJ3SgXY=",
+          "dev": true
+        },
+        "strip-bom": {
+          "version": "3.0.0",
+          "integrity": "sha1-IzTBjpx1n3vdVv3vfprj1YjmjtM=",
+          "dev": true
+        }
+      }
+    },
+    "locate-path": {
+      "version": "2.0.0",
+      "integrity": "sha1-K1aLJl7slExtnA3pw9u7ygNUzY4=",
+      "dev": true,
+      "requires": {
+        "p-locate": "^2.0.0",
+        "path-exists": "^3.0.0"
+      }
+    },
+    "lodash": {
+      "version": "4.17.21",
+      "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
+      "dev": true
+    },
+    "lodash.clonedeep": {
+      "version": "4.5.0",
+      "integrity": "sha1-4j8/nE+Pvd6HJSnBBxhXoIblzO8=",
+      "dev": true
+    },
+    "lodash.merge": {
+      "version": "4.6.2",
+      "resolved": "https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.2.tgz",
+      "integrity": "sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ==",
+      "dev": true
+    },
+    "lodash.truncate": {
+      "version": "4.4.2",
+      "integrity": "sha1-WjUNoLERO4N+z//VgSy+WNbq4ZM=",
+      "dev": true
+    },
+    "log-symbols": {
+      "version": "4.1.0",
+      "integrity": "sha512-8XPvpAA8uyhfteu8pIvQxpJZ7SYYdpUivZpGy6sFsBuKRY/7rQGavedeB8aK+Zkyq6upMFVL/9AW6vOYzfRyLg==",
+      "dev": true,
+      "requires": {
+        "chalk": "^4.1.0",
+        "is-unicode-supported": "^0.1.0"
+      }
+    },
+    "log-update": {
+      "version": "4.0.0",
+      "integrity": "sha512-9fkkDevMefjg0mmzWFBW8YkFP91OrizzkW3diF7CpG+S2EYdy4+TVfGwz1zeF8x7hCx1ovSPTOE9Ngib74qqUg==",
+      "dev": true,
+      "requires": {
+        "ansi-escapes": "^4.3.0",
+        "cli-cursor": "^3.1.0",
+        "slice-ansi": "^4.0.0",
+        "wrap-ansi": "^6.2.0"
+      },
+      "dependencies": {
+        "slice-ansi": {
+          "version": "4.0.0",
+          "integrity": "sha512-qMCMfhY040cVHT43K9BFygqYbUPFZKHOg7K73mtTWJRb8pyP3fzf4Ixd5SzdEJQ6MRUg/WBnOLxghZtKKurENQ==",
+          "dev": true,
+          "requires": {
+            "ansi-styles": "^4.0.0",
+            "astral-regex": "^2.0.0",
+            "is-fullwidth-code-point": "^3.0.0"
+          }
+        },
+        "wrap-ansi": {
+          "version": "6.2.0",
+          "integrity": "sha512-r6lPcBGxZXlIcymEu7InxDMhdW0KDxpLgoFLcguasxCaJ/SOIZwINatK9KY/tf+ZrlywOKU0UDj3ATXUBfxJXA==",
+          "dev": true,
+          "requires": {
+            "ansi-styles": "^4.0.0",
+            "string-width": "^4.1.0",
+            "strip-ansi": "^6.0.0"
+          }
+        }
+      }
+    },
+    "longest-streak": {
+      "version": "2.0.4",
+      "integrity": "sha512-vM6rUVCVUJJt33bnmHiZEvr7wPT78ztX7rojL+LW51bHtLh6HTjx84LA5W4+oa6aKEJA7jJu5LR6vQRBpA5DVg==",
+      "dev": true
+    },
+    "loose-envify": {
+      "version": "1.4.0",
+      "integrity": "sha512-lyuxPGr/Wfhrlem2CL/UcnUc1zcqKAImBDzukY7Y5F/yQiNdko6+fRLevlw1HgMySw7f611UIY408EtxRSoK3Q==",
+      "dev": true,
+      "requires": {
+        "js-tokens": "^3.0.0 || ^4.0.0"
+      }
+    },
+    "lru-cache": {
+      "version": "6.0.0",
+      "integrity": "sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==",
+      "dev": true,
+      "requires": {
+        "yallist": "^4.0.0"
+      }
+    },
+    "make-error": {
+      "version": "1.3.6",
+      "integrity": "sha512-s8UhlNe7vPKomQhC1qFelMokr/Sc3AgNbso3n74mVPA5LTZwkB9NlXf4XPamLxJE8h0gh73rM94xvwRT2CVInw==",
+      "dev": true
+    },
+    "makeerror": {
+      "version": "1.0.11",
+      "integrity": "sha1-4BpckQnyr3lmDk6LlYd5AYT1qWw=",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "tmpl": "1.0.x"
+      }
+    },
+    "map-cache": {
+      "version": "0.2.2",
+      "integrity": "sha1-wyq9C9ZSXZsFFkW7TyasXcmKDb8=",
+      "dev": true,
+      "peer": true
+    },
+    "map-obj": {
+      "version": "1.0.1",
+      "integrity": "sha1-2TPOuSBdgr3PSIb2dCvcK03qFG0=",
+      "dev": true
+    },
+    "map-visit": {
+      "version": "1.0.0",
+      "integrity": "sha1-7Nyo8TFE5mDxtb1B8S80edmN+48=",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "object-visit": "^1.0.0"
+      }
+    },
+    "markdown-escapes": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/markdown-escapes/-/markdown-escapes-1.0.4.tgz",
+      "integrity": "sha512-8z4efJYk43E0upd0NbVXwgSTQs6cT3T06etieCMEg7dRbzCbxUCK/GHlX8mhHRDcp+OLlHkPKsvqQTCvsRl2cg==",
+      "dev": true
+    },
+    "markdown-table": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/markdown-table/-/markdown-table-2.0.0.tgz",
+      "integrity": "sha512-Ezda85ToJUBhM6WGaG6veasyym+Tbs3cMAw/ZhOPqXiYsr0jgocBV3j3nx+4lk47plLlIqjwuTm/ywVI+zjJ/A==",
+      "dev": true,
+      "requires": {
+        "repeat-string": "^1.0.0"
+      }
+    },
+    "mathml-tag-names": {
+      "version": "2.1.3",
+      "integrity": "sha512-APMBEanjybaPzUrfqU0IMU5I0AswKMH7k8OTLs0vvV4KZpExkTkY87nR/zpbuTPj+gARop7aGUbl11pnDfW6xg==",
+      "dev": true
+    },
+    "mdast-util-compact": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/mdast-util-compact/-/mdast-util-compact-2.0.1.tgz",
+      "integrity": "sha512-7GlnT24gEwDrdAwEHrU4Vv5lLWrEer4KOkAiKT9nYstsTad7Oc1TwqT2zIMKRdZF7cTuaf+GA1E4Kv7jJh8mPA==",
+      "dev": true,
+      "requires": {
+        "unist-util-visit": "^2.0.0"
+      },
+      "dependencies": {
+        "unist-util-visit": {
+          "version": "2.0.3",
+          "resolved": "https://registry.npmjs.org/unist-util-visit/-/unist-util-visit-2.0.3.tgz",
+          "integrity": "sha512-iJ4/RczbJMkD0712mGktuGpm/U4By4FfDonL7N/9tATGIF4imikjOuagyMY53tnZq3NP6BcmlrHhEKAfGWjh7Q==",
+          "dev": true,
+          "requires": {
+            "@types/unist": "^2.0.0",
+            "unist-util-is": "^4.0.0",
+            "unist-util-visit-parents": "^3.0.0"
+          }
+        },
+        "unist-util-visit-parents": {
+          "version": "3.1.1",
+          "resolved": "https://registry.npmjs.org/unist-util-visit-parents/-/unist-util-visit-parents-3.1.1.tgz",
+          "integrity": "sha512-1KROIZWo6bcMrZEwiH2UrXDyalAa0uqzWCxCJj6lPOvTve2WkfgCytoDTPaMnodXh1WrXOq0haVYHj99ynJlsg==",
+          "dev": true,
+          "requires": {
+            "@types/unist": "^2.0.0",
+            "unist-util-is": "^4.0.0"
+          }
+        }
+      }
+    },
+    "mdast-util-from-markdown": {
+      "version": "0.8.5",
+      "integrity": "sha512-2hkTXtYYnr+NubD/g6KGBS/0mFmBcifAsI0yIWRiRo0PjVs6SSOSOdtzbp6kSGnShDN6G5aWZpKQ2lWRy27mWQ==",
+      "dev": true,
+      "requires": {
+        "@types/mdast": "^3.0.0",
+        "mdast-util-to-string": "^2.0.0",
+        "micromark": "~2.11.0",
+        "parse-entities": "^2.0.0",
+        "unist-util-stringify-position": "^2.0.0"
+      }
+    },
+    "mdast-util-to-markdown": {
+      "version": "0.6.5",
+      "integrity": "sha512-XeV9sDE7ZlOQvs45C9UKMtfTcctcaj/pGwH8YLbMHoMOXNNCn2LsqVQOqrF1+/NU8lKDAqozme9SCXWyo9oAcQ==",
+      "dev": true,
+      "requires": {
+        "@types/unist": "^2.0.0",
+        "longest-streak": "^2.0.0",
+        "mdast-util-to-string": "^2.0.0",
+        "parse-entities": "^2.0.0",
+        "repeat-string": "^1.0.0",
+        "zwitch": "^1.0.0"
+      }
+    },
+    "mdast-util-to-string": {
+      "version": "2.0.0",
+      "integrity": "sha512-AW4DRS3QbBayY/jJmD8437V1Gombjf8RSOUCMFBuo5iHi58AGEgVCKQ+ezHkZZDpAQS75hcBMpLqjpJTjtUL7w==",
+      "dev": true
+    },
+    "merge-stream": {
+      "version": "2.0.0",
+      "integrity": "sha512-abv/qOcuPfk3URPfDzmZU1LKmuw8kT+0nIHvKrKgFrwifol/doWcdA4ZqsWQ8ENrFKkd67Mfpo/LovbIUsbt3w==",
+      "dev": true
+    },
+    "merge2": {
+      "version": "1.4.1",
+      "integrity": "sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==",
+      "dev": true
+    },
+    "micromark": {
+      "version": "2.11.4",
+      "integrity": "sha512-+WoovN/ppKolQOFIAajxi7Lu9kInbPxFuTBVEavFcL8eAfVstoc5MocPmqBeAdBOJV00uaVjegzH4+MA0DN/uA==",
+      "dev": true,
+      "requires": {
+        "debug": "^4.0.0",
+        "parse-entities": "^2.0.0"
+      }
+    },
+    "micromatch": {
+      "version": "4.0.4",
+      "integrity": "sha512-pRmzw/XUcwXGpD9aI9q/0XOwLNygjETJ8y0ao0wdqprrzDa4YnxLcz7fQRZr8voh8V10kGhABbNcHVk5wHgWwg==",
+      "dev": true,
+      "requires": {
+        "braces": "^3.0.1",
+        "picomatch": "^2.2.3"
+      }
+    },
+    "mime-db": {
+      "version": "1.50.0",
+      "integrity": "sha512-9tMZCDlYHqeERXEHO9f/hKfNXhre5dK2eE/krIvUjZbS2KPcqGDfNShIWS1uW9XOTKQKqK6qbeOci18rbfW77A==",
+      "dev": true
+    },
+    "mime-types": {
+      "version": "2.1.33",
+      "integrity": "sha512-plLElXp7pRDd0bNZHw+nMd52vRYjLwQjygaNg7ddJ2uJtTlmnTCjWuPKxVu6//AdaRuME84SvLW91sIkBqGT0g==",
+      "dev": true,
+      "requires": {
+        "mime-db": "1.50.0"
+      }
+    },
+    "mimic-fn": {
+      "version": "2.1.0",
+      "integrity": "sha512-OqbOk5oEQeAZ8WXWydlu9HJjz9WVdEIvamMCcXmuqUYjTknH/sqsWvhQ3vgwKFRR1HpjvNBKQ37nbJgYzGqGcg==",
+      "dev": true
+    },
+    "min-indent": {
+      "version": "1.0.1",
+      "integrity": "sha512-I9jwMn07Sy/IwOj3zVkVik2JTvgpaykDZEigL6Rx6N9LbMywwUSMtxET+7lVoDLLd3O3IXwJwvuuns8UB/HeAg==",
+      "dev": true
+    },
+    "minimatch": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
+      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+      "dev": true,
+      "requires": {
+        "brace-expansion": "^1.1.7"
+      }
+    },
+    "minimist": {
+      "version": "1.2.7",
+      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.7.tgz",
+      "integrity": "sha512-bzfL1YUZsP41gmu/qjrEk0Q6i2ix/cVeAhbCbqH9u3zYutS1cLg00qhrD0M2MVdCcx4Sc0UpP2eBWo9rotpq6g==",
+      "dev": true
+    },
+    "minimist-options": {
+      "version": "4.1.0",
+      "integrity": "sha512-Q4r8ghd80yhO/0j1O3B2BjweX3fiHg9cdOwjJd2J76Q135c+NDxGCqdYKQ1SKBuFfgWbAUzBfvYjPUEeNgqN1A==",
+      "dev": true,
+      "requires": {
+        "arrify": "^1.0.1",
+        "is-plain-obj": "^1.1.0",
+        "kind-of": "^6.0.3"
+      }
+    },
+    "mixin-deep": {
+      "version": "1.3.2",
+      "integrity": "sha512-WRoDn//mXBiJ1H40rqa3vH0toePwSsGb45iInWlTySa+Uu4k3tYUSxa2v1KqAiLtvlrSzaExqS1gtk96A9zvEA==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "for-in": "^1.0.2",
+        "is-extendable": "^1.0.1"
+      },
+      "dependencies": {
+        "is-extendable": {
+          "version": "1.0.1",
+          "integrity": "sha512-arnXMxT1hhoKo9k1LZdmlNyJdDDfy2v0fXjFlmok4+i8ul/6WlbVge9bhM74OpNPQPMGUToDtz+KXa1PneJxOA==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "is-plain-object": "^2.0.4"
+          }
+        }
+      }
+    },
+    "ms": {
+      "version": "2.1.2",
+      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==",
+      "dev": true
+    },
+    "mute-stream": {
+      "version": "0.0.8",
+      "integrity": "sha512-nnbWWOkoWyUsTjKrhgD0dcz22mdkSnpYqbEjIm2nhwhuxlSkpywJmBo8h0ZqJdkp73mb90SssHkN4rsRaBAfAA==",
+      "dev": true
+    },
+    "nanoid": {
+      "version": "3.3.4",
+      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.4.tgz",
+      "integrity": "sha512-MqBkQh/OHTS2egovRtLk45wEyNXwF+cokD+1YPf9u5VfJiRdAiRwB2froX5Co9Rh20xs4siNPm8naNotSD6RBw==",
+      "dev": true
+    },
+    "nanomatch": {
+      "version": "1.2.13",
+      "integrity": "sha512-fpoe2T0RbHwBTBUOftAfBPaDEi06ufaUai0mE6Yn1kacc3SnTErfb/h+X94VXzI64rKFHYImXSvdwGGCmwOqCA==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "arr-diff": "^4.0.0",
+        "array-unique": "^0.3.2",
+        "define-property": "^2.0.2",
+        "extend-shallow": "^3.0.2",
+        "fragment-cache": "^0.2.1",
+        "is-windows": "^1.0.2",
+        "kind-of": "^6.0.2",
+        "object.pick": "^1.3.0",
+        "regex-not": "^1.0.0",
+        "snapdragon": "^0.8.1",
+        "to-regex": "^3.0.1"
+      },
+      "dependencies": {
+        "extend-shallow": {
+          "version": "3.0.2",
+          "integrity": "sha1-Jqcarwc7OfshJxcnRhMcJwQCjbg=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "assign-symbols": "^1.0.0",
+            "is-extendable": "^1.0.1"
+          }
+        },
+        "is-extendable": {
+          "version": "1.0.1",
+          "integrity": "sha512-arnXMxT1hhoKo9k1LZdmlNyJdDDfy2v0fXjFlmok4+i8ul/6WlbVge9bhM74OpNPQPMGUToDtz+KXa1PneJxOA==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "is-plain-object": "^2.0.4"
+          }
+        }
+      }
+    },
+    "natural-compare": {
+      "version": "1.4.0",
+      "integrity": "sha1-Sr6/7tdUHywnrPspvbvRXI1bpPc=",
+      "dev": true
+    },
+    "natural-compare-lite": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/natural-compare-lite/-/natural-compare-lite-1.4.0.tgz",
+      "integrity": "sha512-Tj+HTDSJJKaZnfiuw+iaF9skdPpTo2GtEly5JHnWV/hfv2Qj/9RKsGISQtLh2ox3l5EAGw487hnBee0sIJ6v2g==",
+      "dev": true
+    },
+    "next": {
+      "version": "12.3.1",
+      "resolved": "https://registry.npmjs.org/next/-/next-12.3.1.tgz",
+      "integrity": "sha512-l7bvmSeIwX5lp07WtIiP9u2ytZMv7jIeB8iacR28PuUEFG5j0HGAPnMqyG5kbZNBG2H7tRsrQ4HCjuMOPnANZw==",
+      "dev": true,
+      "requires": {
+        "@next/env": "12.3.1",
+        "@next/swc-android-arm-eabi": "12.3.1",
+        "@next/swc-android-arm64": "12.3.1",
+        "@next/swc-darwin-arm64": "12.3.1",
+        "@next/swc-darwin-x64": "12.3.1",
+        "@next/swc-freebsd-x64": "12.3.1",
+        "@next/swc-linux-arm-gnueabihf": "12.3.1",
+        "@next/swc-linux-arm64-gnu": "12.3.1",
+        "@next/swc-linux-arm64-musl": "12.3.1",
+        "@next/swc-linux-x64-gnu": "12.3.1",
+        "@next/swc-linux-x64-musl": "12.3.1",
+        "@next/swc-win32-arm64-msvc": "12.3.1",
+        "@next/swc-win32-ia32-msvc": "12.3.1",
+        "@next/swc-win32-x64-msvc": "12.3.1",
+        "@swc/helpers": "0.4.11",
+        "caniuse-lite": "^1.0.30001406",
+        "postcss": "8.4.14",
+        "styled-jsx": "5.0.7",
+        "use-sync-external-store": "1.2.0"
+      }
+    },
+    "nice-try": {
+      "version": "1.0.5",
+      "integrity": "sha512-1nh45deeb5olNY7eX82BkPO7SSxR5SSYJiPTrTdFUVYwAl8CKMA5N9PjTYkHiRjisVcxcQ1HXdLhx2qxxJzLNQ==",
+      "dev": true,
+      "peer": true
+    },
+    "node-int64": {
+      "version": "0.4.0",
+      "integrity": "sha1-h6kGXNs1XTGC2PlM4RGIuCXGijs=",
+      "dev": true,
+      "peer": true
+    },
+    "node-modules-regexp": {
+      "version": "1.0.0",
+      "integrity": "sha1-jZ2+KJZKSsVxLpExZCEHxx6Q7EA=",
+      "dev": true,
+      "peer": true
+    },
+    "node-notifier": {
+      "version": "8.0.2",
+      "integrity": "sha512-oJP/9NAdd9+x2Q+rfphB2RJCHjod70RcRLjosiPMMu5gjIfwVnOUGq2nbTjTUbmy0DJ/tFIVT30+Qe3nzl4TJg==",
+      "dev": true,
+      "optional": true,
+      "peer": true,
+      "requires": {
+        "growly": "^1.3.0",
+        "is-wsl": "^2.2.0",
+        "semver": "^7.3.2",
+        "shellwords": "^0.1.1",
+        "uuid": "^8.3.0",
+        "which": "^2.0.2"
+      }
+    },
+    "node-releases": {
+      "version": "1.1.77",
+      "integrity": "sha512-rB1DUFUNAN4Gn9keO2K1efO35IDK7yKHCdCaIMvFO7yUYmmZYeDjnGKle26G4rwj+LKRQpjyUUvMkPglwGCYNQ==",
+      "dev": true
+    },
+    "normalize-package-data": {
+      "version": "2.5.0",
+      "integrity": "sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "hosted-git-info": "^2.1.4",
+        "resolve": "^1.10.0",
+        "semver": "2 || 3 || 4 || 5",
+        "validate-npm-package-license": "^3.0.1"
+      },
+      "dependencies": {
+        "semver": {
+          "version": "5.7.1",
+          "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ==",
+          "dev": true,
+          "peer": true
+        }
+      }
+    },
+    "normalize-path": {
+      "version": "3.0.0",
+      "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==",
+      "dev": true
+    },
+    "normalize-range": {
+      "version": "0.1.2",
+      "integrity": "sha1-LRDAa9/TEuqXd2laTShDlFa3WUI=",
+      "dev": true
+    },
+    "normalize-selector": {
+      "version": "0.2.0",
+      "integrity": "sha1-0LFF62kRicY6eNIB3E/bEpPvDAM=",
+      "dev": true
+    },
+    "npm-run-path": {
+      "version": "4.0.1",
+      "integrity": "sha512-S48WzZW777zhNIrn7gxOlISNAqi9ZC/uQFnRdbeIHhZhCA6UqpkOT8T1G7BvfdgP4Er8gF4sUbaS0i7QvIfCWw==",
+      "dev": true,
+      "requires": {
+        "path-key": "^3.0.0"
+      }
+    },
+    "num2fraction": {
+      "version": "1.2.2",
+      "integrity": "sha1-b2gragJ6Tp3fpFZM0lidHU5mnt4=",
+      "dev": true
+    },
+    "nwsapi": {
+      "version": "2.2.0",
+      "integrity": "sha512-h2AatdwYH+JHiZpv7pt/gSX1XoRGb7L/qSIeuqA6GwYoF9w1vP1cw42TO0aI2pNyshRK5893hNSl+1//vHK7hQ==",
+      "dev": true,
+      "peer": true
+    },
+    "object-assign": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz",
+      "integrity": "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==",
+      "dev": true
+    },
+    "object-copy": {
+      "version": "0.1.0",
+      "integrity": "sha1-fn2Fi3gb18mRpBupde04EnVOmYw=",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "copy-descriptor": "^0.1.0",
+        "define-property": "^0.2.5",
+        "kind-of": "^3.0.3"
+      },
+      "dependencies": {
+        "define-property": {
+          "version": "0.2.5",
+          "integrity": "sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "is-descriptor": "^0.1.0"
+          }
+        },
+        "is-accessor-descriptor": {
+          "version": "0.1.6",
+          "integrity": "sha1-qeEss66Nh2cn7u84Q/igiXtcmNY=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "kind-of": "^3.0.2"
+          }
+        },
+        "is-buffer": {
+          "version": "1.1.6",
+          "integrity": "sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==",
+          "dev": true,
+          "peer": true
+        },
+        "is-data-descriptor": {
+          "version": "0.1.4",
+          "integrity": "sha1-C17mSDiOLIYCgueT8YVv7D8wG1Y=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "kind-of": "^3.0.2"
+          }
+        },
+        "is-descriptor": {
+          "version": "0.1.6",
+          "integrity": "sha512-avDYr0SB3DwO9zsMov0gKCESFYqCnE4hq/4z3TdUlukEy5t9C0YRq7HLrsN52NAcqXKaepeCD0n+B0arnVG3Hg==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "is-accessor-descriptor": "^0.1.6",
+            "is-data-descriptor": "^0.1.4",
+            "kind-of": "^5.0.0"
+          },
+          "dependencies": {
+            "kind-of": {
+              "version": "5.1.0",
+              "integrity": "sha512-NGEErnH6F2vUuXDh+OlbcKW7/wOcfdRHaZ7VWtqCztfHri/++YKmP51OdWeGPuqCOba6kk2OTe5d02VmTB80Pw==",
+              "dev": true,
+              "peer": true
+            }
+          }
+        },
+        "kind-of": {
+          "version": "3.2.2",
+          "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "is-buffer": "^1.1.5"
+          }
+        }
+      }
+    },
+    "object-inspect": {
+      "version": "1.12.3",
+      "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.12.3.tgz",
+      "integrity": "sha512-geUvdk7c+eizMNUDkRpW1wJwgfOiOeHbxBR/hLXK1aT6zmVSO0jsQcs7fj6MGw89jC/cjGfLcNOrtMYtGqm81g==",
+      "dev": true
+    },
+    "object-is": {
+      "version": "1.1.5",
+      "resolved": "https://registry.npmjs.org/object-is/-/object-is-1.1.5.tgz",
+      "integrity": "sha512-3cyDsyHgtmi7I7DfSSI2LDp6SK2lwvtbg0p0R1e0RvTqF5ceGx+K2dfSjm1bKDMVCFEDAQvy+o8c6a7VujOddw==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.3"
+      }
+    },
+    "object-keys": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/object-keys/-/object-keys-1.1.1.tgz",
+      "integrity": "sha512-NuAESUOUMrlIXOfHKzD6bpPu3tYt3xvjNdRIQ+FeT0lNb4K8WR70CaDxhuNguS2XG+GjkyMwOzsN5ZktImfhLA==",
+      "dev": true
+    },
+    "object-visit": {
+      "version": "1.0.1",
+      "integrity": "sha1-95xEk68MU3e1n+OdOV5BBC3QRbs=",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "isobject": "^3.0.0"
+      }
+    },
+    "object.assign": {
+      "version": "4.1.4",
+      "resolved": "https://registry.npmjs.org/object.assign/-/object.assign-4.1.4.tgz",
+      "integrity": "sha512-1mxKf0e58bvyjSCtKYY4sRe9itRk3PJpquJOjeIkz885CczcI4IvJJDLPS72oowuSh+pBxUFROpX+TU++hxhZQ==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.4",
+        "has-symbols": "^1.0.3",
+        "object-keys": "^1.1.1"
+      }
+    },
+    "object.entries": {
+      "version": "1.1.6",
+      "resolved": "https://registry.npmjs.org/object.entries/-/object.entries-1.1.6.tgz",
+      "integrity": "sha512-leTPzo4Zvg3pmbQ3rDK69Rl8GQvIqMWubrkxONG9/ojtFE2rD9fjMKfSI5BxW3osRH1m6VdzmqK8oAY9aT4x5w==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.4",
+        "es-abstract": "^1.20.4"
+      }
+    },
+    "object.fromentries": {
+      "version": "2.0.6",
+      "resolved": "https://registry.npmjs.org/object.fromentries/-/object.fromentries-2.0.6.tgz",
+      "integrity": "sha512-VciD13dswC4j1Xt5394WR4MzmAQmlgN72phd/riNp9vtD7tp4QQWJ0R4wvclXcafgcYK8veHRed2W6XeGBvcfg==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.4",
+        "es-abstract": "^1.20.4"
+      }
+    },
+    "object.hasown": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/object.hasown/-/object.hasown-1.1.2.tgz",
+      "integrity": "sha512-B5UIT3J1W+WuWIU55h0mjlwaqxiE5vYENJXIXZ4VFe05pNYrkKuK0U/6aFcb0pKywYJh7IhfoqUfKVmrJJHZHw==",
+      "dev": true,
+      "requires": {
+        "define-properties": "^1.1.4",
+        "es-abstract": "^1.20.4"
+      }
+    },
+    "object.pick": {
+      "version": "1.3.0",
+      "integrity": "sha1-h6EKxMFpS9Lhy/U1kaZhQftd10c=",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "isobject": "^3.0.1"
+      }
+    },
+    "object.values": {
+      "version": "1.1.6",
+      "resolved": "https://registry.npmjs.org/object.values/-/object.values-1.1.6.tgz",
+      "integrity": "sha512-FVVTkD1vENCsAcwNs9k6jea2uHC/X0+JcjG8YA60FN5CMaJmG95wT9jek/xX9nornqGRrBkKtzuAu2wuHpKqvw==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.4",
+        "es-abstract": "^1.20.4"
+      }
+    },
+    "once": {
+      "version": "1.4.0",
+      "integrity": "sha1-WDsap3WWHUsROsF9nFC6753Xa9E=",
+      "dev": true,
+      "requires": {
+        "wrappy": "1"
+      }
+    },
+    "onetime": {
+      "version": "5.1.2",
+      "integrity": "sha512-kbpaSSGJTWdAY5KPVeMOKXSrPtr8C8C7wodJbcsd51jRnmD+GZu8Y0VoU6Dm5Z4vWr0Ig/1NKuWRKf7j5aaYSg==",
+      "dev": true,
+      "requires": {
+        "mimic-fn": "^2.1.0"
+      }
+    },
+    "open": {
+      "version": "7.3.0",
+      "integrity": "sha512-mgLwQIx2F/ye9SmbrUkurZCnkoXyXyu9EbHtJZrICjVAJfyMArdHp3KkixGdZx1ZHFPNIwl0DDM1dFFqXbTLZw==",
+      "dev": true,
+      "requires": {
+        "is-docker": "^2.0.0",
+        "is-wsl": "^2.1.1"
+      }
+    },
+    "optionator": {
+      "version": "0.9.1",
+      "resolved": "https://registry.npmjs.org/optionator/-/optionator-0.9.1.tgz",
+      "integrity": "sha512-74RlY5FCnhq4jRxVUPKDaRwrVNXMqsGsiW6AJw4XK8hmtm10wC0ypZBLw5IIp85NZMr91+qd1RvvENwg7jjRFw==",
+      "dev": true,
+      "requires": {
+        "deep-is": "^0.1.3",
+        "fast-levenshtein": "^2.0.6",
+        "levn": "^0.4.1",
+        "prelude-ls": "^1.2.1",
+        "type-check": "^0.4.0",
+        "word-wrap": "^1.2.3"
+      }
+    },
+    "os-tmpdir": {
+      "version": "1.0.2",
+      "integrity": "sha1-u+Z0BseaqFxc/sdm/lc0VV36EnQ=",
+      "dev": true
+    },
+    "p-each-series": {
+      "version": "2.2.0",
+      "integrity": "sha512-ycIL2+1V32th+8scbpTvyHNaHe02z0sjgh91XXjAk+ZeXoPN4Z46DVUnzdso0aX4KckKw0FNNFHdjZ2UsZvxiA==",
+      "dev": true,
+      "peer": true
+    },
+    "p-finally": {
+      "version": "1.0.0",
+      "integrity": "sha1-P7z7FbiZpEEjs0ttzBi3JDNqLK4=",
+      "dev": true,
+      "peer": true
+    },
+    "p-limit": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-3.1.0.tgz",
+      "integrity": "sha512-TYOanM3wGwNGsZN2cVTYPArw454xnXj5qmWF1bEoAc4+cU/ol7GVh7odevjp1FNHduHc3KZMcFduxU5Xc6uJRQ==",
+      "dev": true,
+      "requires": {
+        "yocto-queue": "^0.1.0"
+      }
+    },
+    "p-locate": {
+      "version": "2.0.0",
+      "integrity": "sha1-IKAQOyIqcMj9OcwuWAaA893l7EM=",
+      "dev": true,
+      "requires": {
+        "p-limit": "^1.1.0"
+      },
+      "dependencies": {
+        "p-limit": {
+          "version": "1.3.0",
+          "integrity": "sha512-vvcXsLAJ9Dr5rQOPk7toZQZJApBl2K4J6dANSsEuh6QI41JYcsS/qhTGa9ErIUUgK3WNQoJYvylxvjqmiqEA9Q==",
+          "dev": true,
+          "requires": {
+            "p-try": "^1.0.0"
+          }
+        },
+        "p-try": {
+          "version": "1.0.0",
+          "integrity": "sha1-y8ec26+P1CKOE/Yh8rGiN8GyB7M=",
+          "dev": true
+        }
+      }
+    },
+    "p-map": {
+      "version": "4.0.0",
+      "integrity": "sha512-/bjOqmgETBYB5BoEeGVea8dmvHb2m9GLy1E9W43yeyfP6QQCZGFNa+XRceJEuDB6zqr+gKpIAmlLebMpykw/MQ==",
+      "dev": true,
+      "requires": {
+        "aggregate-error": "^3.0.0"
+      }
+    },
+    "p-try": {
+      "version": "2.2.0",
+      "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ==",
+      "dev": true
+    },
+    "parent-module": {
+      "version": "1.0.1",
+      "integrity": "sha512-GQ2EWRpQV8/o+Aw8YqtfZZPfNRWZYkbidE9k5rpl/hC3vtHHBfGm2Ifi6qWV+coDGkrUKZAxE3Lot5kcsRlh+g==",
+      "dev": true,
+      "requires": {
+        "callsites": "^3.0.0"
+      }
+    },
+    "parse-entities": {
+      "version": "2.0.0",
+      "integrity": "sha512-kkywGpCcRYhqQIchaWqZ875wzpS/bMKhz5HnN3p7wveJTkTtyAB/AlnS0f8DFSqYW1T82t6yEAkEcB+A1I3MbQ==",
+      "dev": true,
+      "requires": {
+        "character-entities": "^1.0.0",
+        "character-entities-legacy": "^1.0.0",
+        "character-reference-invalid": "^1.0.0",
+        "is-alphanumerical": "^1.0.0",
+        "is-decimal": "^1.0.0",
+        "is-hexadecimal": "^1.0.0"
+      }
+    },
+    "parse-json": {
+      "version": "5.2.0",
+      "integrity": "sha512-ayCKvm/phCGxOkYRSCM82iDwct8/EonSEgCSxWxD7ve6jHggsFl4fZVQBPRNgQoKiuV/odhFrGzQXZwbifC8Rg==",
+      "dev": true,
+      "requires": {
+        "@babel/code-frame": "^7.0.0",
+        "error-ex": "^1.3.1",
+        "json-parse-even-better-errors": "^2.3.0",
+        "lines-and-columns": "^1.1.6"
+      }
+    },
+    "parse5": {
+      "version": "6.0.1",
+      "integrity": "sha512-Ofn/CTFzRGTTxwpNEs9PP93gXShHcTq255nzRYSKe8AkVpZY7e1fpmTfOyoIvjP5HG7Z2ZM7VS9PPhQGW2pOpw==",
+      "dev": true,
+      "peer": true
+    },
+    "pascalcase": {
+      "version": "0.1.1",
+      "integrity": "sha1-s2PlXoAGym/iF4TS2yK9FdeRfxQ=",
+      "dev": true,
+      "peer": true
+    },
+    "path-exists": {
+      "version": "3.0.0",
+      "integrity": "sha1-zg6+ql94yxiSXqfYENe1mwEP1RU=",
+      "dev": true
+    },
+    "path-is-absolute": {
+      "version": "1.0.1",
+      "integrity": "sha1-F0uSaHNVNP+8es5r9TpanhtcX18=",
+      "dev": true
+    },
+    "path-key": {
+      "version": "3.1.1",
+      "integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==",
+      "dev": true
+    },
+    "path-parse": {
+      "version": "1.0.7",
+      "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==",
+      "dev": true
+    },
+    "path-type": {
+      "version": "4.0.0",
+      "integrity": "sha512-gDKb8aZMDeD/tZWs9P6+q0J9Mwkdl6xMV8TjnGP3qJVJ06bdMgkbBlLU8IdfOsIsFz2BW1rNVT3XuNEl8zPAvw==",
+      "dev": true
+    },
+    "picocolors": {
+      "version": "0.2.1",
+      "integrity": "sha512-cMlDqaLEqfSaW8Z7N5Jw+lyIW869EzT73/F5lhtY9cLGoVxSXznfgfXMO0Z5K0o0Q2TkTXq+0KFsdnSe3jDViA==",
+      "dev": true
+    },
+    "picomatch": {
+      "version": "2.3.0",
+      "integrity": "sha512-lY1Q/PiJGC2zOv/z391WOTD+Z02bCgsFfvxoXXf6h7kv9o+WmsmzYqrAwY63sNgOxE4xEdq0WyUnXfKeBrSvYw==",
+      "dev": true
+    },
+    "pirates": {
+      "version": "4.0.1",
+      "integrity": "sha512-WuNqLTbMI3tmfef2TKxlQmAiLHKtFhlsCZnPIpuv2Ow0RDVO8lfy1Opf4NUzlMXLjPl+Men7AuVdX6TA+s+uGA==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "node-modules-regexp": "^1.0.0"
+      }
+    },
+    "pkg-conf": {
+      "version": "2.1.0",
+      "integrity": "sha1-ISZRTKbyq/69FoWW3xi6V4Z/AFg=",
+      "dev": true,
+      "requires": {
+        "find-up": "^2.0.0",
+        "load-json-file": "^4.0.0"
+      }
+    },
+    "please-upgrade-node": {
+      "version": "3.2.0",
+      "integrity": "sha512-gQR3WpIgNIKwBMVLkpMUeR3e1/E1y42bqDQZfql+kDeXd8COYfM8PQA4X6y7a8u9Ua9FHmsrrmirW2vHs45hWg==",
+      "dev": true,
+      "requires": {
+        "semver-compare": "^1.0.0"
+      }
+    },
+    "posix-character-classes": {
+      "version": "0.1.1",
+      "integrity": "sha1-AerA/jta9xoqbAL+q7jB/vfgDqs=",
+      "dev": true,
+      "peer": true
+    },
+    "postcss": {
+      "version": "8.4.14",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.14.tgz",
+      "integrity": "sha512-E398TUmfAYFPBSdzgeieK2Y1+1cpdxJx8yXbK/m57nRhKSmk1GB2tO4lbLBtlkfPQTDKfe4Xqv1ASWPpayPEig==",
+      "dev": true,
+      "requires": {
+        "nanoid": "^3.3.4",
+        "picocolors": "^1.0.0",
+        "source-map-js": "^1.0.2"
+      },
+      "dependencies": {
+        "picocolors": {
+          "version": "1.0.0",
+          "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.0.0.tgz",
+          "integrity": "sha512-1fygroTLlHu66zi26VoTDv8yRgm0Fccecssto+MhsZ0D/DGW2sm8E8AjW7NU5VVTRt5GxbeZ5qBuJr+HyLYkjQ==",
+          "dev": true
+        }
+      }
+    },
+    "postcss-html": {
+      "version": "0.36.0",
+      "integrity": "sha512-HeiOxGcuwID0AFsNAL0ox3mW6MHH5cstWN1Z3Y+n6H+g12ih7LHdYxWwEA/QmrebctLjo79xz9ouK3MroHwOJw==",
+      "dev": true,
+      "requires": {
+        "htmlparser2": "^3.10.0"
+      }
+    },
+    "postcss-less": {
+      "version": "3.1.4",
+      "integrity": "sha512-7TvleQWNM2QLcHqvudt3VYjULVB49uiW6XzEUFmvwHzvsOEF5MwBrIXZDJQvJNFGjJQTzSzZnDoCJ8h/ljyGXA==",
+      "dev": true,
+      "requires": {
+        "postcss": "^7.0.14"
+      },
+      "dependencies": {
+        "postcss": {
+          "version": "7.0.39",
+          "integrity": "sha512-yioayjNbHn6z1/Bywyb2Y4s3yvDAeXGOyxqD+LnVOinq6Mdmd++SW2wUNVzavyyHxd6+DxzWGIuosg6P1Rj8uA==",
+          "dev": true,
+          "requires": {
+            "picocolors": "^0.2.1",
+            "source-map": "^0.6.1"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+          "dev": true
+        }
+      }
+    },
+    "postcss-media-query-parser": {
+      "version": "0.2.3",
+      "integrity": "sha1-J7Ocb02U+Bsac7j3Y1HGCeXO8kQ=",
+      "dev": true
+    },
+    "postcss-resolve-nested-selector": {
+      "version": "0.1.1",
+      "integrity": "sha1-Kcy8fDfe36wwTp//C/FZaz9qDk4=",
+      "dev": true
+    },
+    "postcss-safe-parser": {
+      "version": "4.0.2",
+      "integrity": "sha512-Uw6ekxSWNLCPesSv/cmqf2bY/77z11O7jZGPax3ycZMFU/oi2DMH9i89AdHc1tRwFg/arFoEwX0IS3LCUxJh1g==",
+      "dev": true,
+      "requires": {
+        "postcss": "^7.0.26"
+      },
+      "dependencies": {
+        "postcss": {
+          "version": "7.0.39",
+          "integrity": "sha512-yioayjNbHn6z1/Bywyb2Y4s3yvDAeXGOyxqD+LnVOinq6Mdmd++SW2wUNVzavyyHxd6+DxzWGIuosg6P1Rj8uA==",
+          "dev": true,
+          "requires": {
+            "picocolors": "^0.2.1",
+            "source-map": "^0.6.1"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+          "dev": true
+        }
+      }
+    },
+    "postcss-sass": {
+      "version": "0.4.4",
+      "integrity": "sha512-BYxnVYx4mQooOhr+zer0qWbSPYnarAy8ZT7hAQtbxtgVf8gy+LSLT/hHGe35h14/pZDTw1DsxdbrwxBN++H+fg==",
+      "dev": true,
+      "requires": {
+        "gonzales-pe": "^4.3.0",
+        "postcss": "^7.0.21"
+      },
+      "dependencies": {
+        "postcss": {
+          "version": "7.0.39",
+          "integrity": "sha512-yioayjNbHn6z1/Bywyb2Y4s3yvDAeXGOyxqD+LnVOinq6Mdmd++SW2wUNVzavyyHxd6+DxzWGIuosg6P1Rj8uA==",
+          "dev": true,
+          "requires": {
+            "picocolors": "^0.2.1",
+            "source-map": "^0.6.1"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+          "dev": true
+        }
+      }
+    },
+    "postcss-scss": {
+      "version": "2.1.1",
+      "integrity": "sha512-jQmGnj0hSGLd9RscFw9LyuSVAa5Bl1/KBPqG1NQw9w8ND55nY4ZEsdlVuYJvLPpV+y0nwTV5v/4rHPzZRihQbA==",
+      "dev": true,
+      "requires": {
+        "postcss": "^7.0.6"
+      },
+      "dependencies": {
+        "postcss": {
+          "version": "7.0.39",
+          "integrity": "sha512-yioayjNbHn6z1/Bywyb2Y4s3yvDAeXGOyxqD+LnVOinq6Mdmd++SW2wUNVzavyyHxd6+DxzWGIuosg6P1Rj8uA==",
+          "dev": true,
+          "requires": {
+            "picocolors": "^0.2.1",
+            "source-map": "^0.6.1"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+          "dev": true
+        }
+      }
+    },
+    "postcss-selector-parser": {
+      "version": "6.0.6",
+      "integrity": "sha512-9LXrvaaX3+mcv5xkg5kFwqSzSH1JIObIx51PrndZwlmznwXRfxMddDvo9gve3gVR8ZTKgoFDdWkbRFmEhT4PMg==",
+      "dev": true,
+      "requires": {
+        "cssesc": "^3.0.0",
+        "util-deprecate": "^1.0.2"
+      }
+    },
+    "postcss-sorting": {
+      "version": "5.0.1",
+      "integrity": "sha512-Y9fUFkIhfrm6i0Ta3n+89j56EFqaNRdUKqXyRp6kvTcSXnmgEjaVowCXH+JBe9+YKWqd4nc28r2sgwnzJalccA==",
+      "dev": true,
+      "requires": {
+        "lodash": "^4.17.14",
+        "postcss": "^7.0.17"
+      },
+      "dependencies": {
+        "postcss": {
+          "version": "7.0.39",
+          "integrity": "sha512-yioayjNbHn6z1/Bywyb2Y4s3yvDAeXGOyxqD+LnVOinq6Mdmd++SW2wUNVzavyyHxd6+DxzWGIuosg6P1Rj8uA==",
+          "dev": true,
+          "requires": {
+            "picocolors": "^0.2.1",
+            "source-map": "^0.6.1"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+          "dev": true
+        }
+      }
+    },
+    "postcss-syntax": {
+      "version": "0.36.2",
+      "integrity": "sha512-nBRg/i7E3SOHWxF3PpF5WnJM/jQ1YpY9000OaVXlAQj6Zp/kIqJxEDWIZ67tAd7NLuk7zqN4yqe9nc0oNAOs1w==",
+      "dev": true,
+      "requires": {}
+    },
+    "postcss-value-parser": {
+      "version": "4.1.0",
+      "integrity": "sha512-97DXOFbQJhk71ne5/Mt6cOu6yxsSfM0QGQyl0L25Gca4yGWEGJaig7l7gbCX623VqTBNGLRLaVUCnNkcedlRSQ==",
+      "dev": true
+    },
+    "postcss-values-parser": {
+      "version": "3.2.1",
+      "integrity": "sha512-SQ7/88VE9LhJh9gc27/hqnSU/aZaREVJcRVccXBmajgP2RkjdJzNyH/a9GCVMI5nsRhT0jC5HpUMwfkz81DVVg==",
+      "dev": true,
+      "requires": {
+        "color-name": "^1.1.4",
+        "is-url-superb": "^3.0.0",
+        "postcss": "^7.0.5",
+        "url-regex": "^5.0.0"
+      },
+      "dependencies": {
+        "postcss": {
+          "version": "7.0.39",
+          "integrity": "sha512-yioayjNbHn6z1/Bywyb2Y4s3yvDAeXGOyxqD+LnVOinq6Mdmd++SW2wUNVzavyyHxd6+DxzWGIuosg6P1Rj8uA==",
+          "dev": true,
+          "requires": {
+            "picocolors": "^0.2.1",
+            "source-map": "^0.6.1"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+          "dev": true
+        }
+      }
+    },
+    "prelude-ls": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/prelude-ls/-/prelude-ls-1.2.1.tgz",
+      "integrity": "sha512-vkcDPrRZo1QZLbn5RLGPpg/WmIQ65qoWWhcGKf/b5eplkkarX0m9z8ppCat4mlOqUsWpyNuYgO3VRyrYHSzX5g==",
+      "dev": true
+    },
+    "prettier": {
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/prettier/-/prettier-2.2.1.tgz",
+      "integrity": "sha512-PqyhM2yCjg/oKkFPtTGUojv7gnZAoG80ttl45O6x2Ug/rMJw4wcc9k6aaf2hibP7BGVCCM33gZoGjyvt9mm16Q==",
+      "dev": true
+    },
+    "prettier-linter-helpers": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/prettier-linter-helpers/-/prettier-linter-helpers-1.0.0.tgz",
+      "integrity": "sha512-GbK2cP9nraSSUF9N2XwUwqfzlAFlMNYYl+ShE/V+H8a9uNl/oUqB1w2EL54Jh0OlyRSd8RfWYJ3coVS4TROP2w==",
+      "dev": true,
+      "requires": {
+        "fast-diff": "^1.1.2"
+      }
+    },
+    "pretty-format": {
+      "version": "26.6.2",
+      "integrity": "sha512-7AeGuCYNGmycyQbCqd/3PWH4eOoX/OiCa0uphp57NVTeAGdJGaAliecxwBDHYQCIvrW7aDBZCYeNTP/WX69mkg==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@jest/types": "^26.6.2",
+        "ansi-regex": "^5.0.0",
+        "ansi-styles": "^4.0.0",
+        "react-is": "^17.0.1"
+      },
+      "dependencies": {
+        "react-is": {
+          "version": "17.0.2",
+          "integrity": "sha512-w2GsyukL62IJnlaff/nRegPQR94C/XXamvMWmSHRJ4y7Ts/4ocGRmTHvOs8PSE6pB3dWOrD/nueuU5sduBsQ4w==",
+          "dev": true,
+          "peer": true
+        }
+      }
+    },
+    "prompts": {
+      "version": "2.4.2",
+      "integrity": "sha512-NxNv/kLguCA7p3jE8oL2aEBsrJWgAakBpgmgK6lpPWV+WuOmY6r2/zbAVnP+T8bQlA0nzHXSJSJW0Hq7ylaD2Q==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "kleur": "^3.0.3",
+        "sisteransi": "^1.0.5"
+      }
+    },
+    "prop-types": {
+      "version": "15.8.1",
+      "resolved": "https://registry.npmjs.org/prop-types/-/prop-types-15.8.1.tgz",
+      "integrity": "sha512-oj87CgZICdulUohogVAR7AjlC0327U4el4L6eAvOqCeudMDVU0NThNaV+b9Df4dXgSP1gXMTnPdhfe/2qDH5cg==",
+      "dev": true,
+      "requires": {
+        "loose-envify": "^1.4.0",
+        "object-assign": "^4.1.1",
+        "react-is": "^16.13.1"
+      }
+    },
+    "psl": {
+      "version": "1.8.0",
+      "integrity": "sha512-RIdOzyoavK+hA18OGGWDqUTsCLhtA7IcZ/6NCs4fFJaHBDab+pDDmDIByWFRQJq2Cd7r1OoQxBGKOaztq+hjIQ==",
+      "dev": true,
+      "peer": true
+    },
+    "pump": {
+      "version": "3.0.0",
+      "integrity": "sha512-LwZy+p3SFs1Pytd/jYct4wpv49HiYCqd9Rlc5ZVdk0V+8Yzv6jR5Blk3TRmPL1ft69TxP0IMZGJ+WPFU2BFhww==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "end-of-stream": "^1.1.0",
+        "once": "^1.3.1"
+      }
+    },
+    "queue-microtask": {
+      "version": "1.2.3",
+      "integrity": "sha512-NuaNSa6flKT5JaSYQzJok04JzTL1CA6aGhv5rfLW3PgqA+M2ChpZQnAC8h8i4ZFkBS8X5RqkDBHA7r4hej3K9A==",
+      "dev": true
+    },
+    "quick-lru": {
+      "version": "4.0.1",
+      "integrity": "sha512-ARhCpm70fzdcvNQfPoy49IaanKkTlRWF2JMzqhcJbhSFRZv7nPTvZJdcY7301IPmvW+/p0RgIWnQDLJxifsQ7g==",
+      "dev": true
+    },
+    "react": {
+      "version": "18.2.0",
+      "resolved": "https://registry.npmjs.org/react/-/react-18.2.0.tgz",
+      "integrity": "sha512-/3IjMdb2L9QbBdWiW5e3P2/npwMBaU9mHCSCUzNln0ZCYbcfTsGbTJrU/kGemdH2IWmB2ioZ+zkxtmq6g09fGQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "loose-envify": "^1.1.0"
+      }
+    },
+    "react-dom": {
+      "version": "18.2.0",
+      "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-18.2.0.tgz",
+      "integrity": "sha512-6IMTriUmvsjHUjNtEDudZfuDQUoWXVxKHhlEGSk81n4YFS+r/Kl99wXiwlVXtPBtJenozv2P+hxDsw9eA7Xo6g==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "loose-envify": "^1.1.0",
+        "scheduler": "^0.23.0"
+      }
+    },
+    "react-is": {
+      "version": "16.13.1",
+      "resolved": "https://registry.npmjs.org/react-is/-/react-is-16.13.1.tgz",
+      "integrity": "sha512-24e6ynE2H+OKt4kqsOvNd8kBpV65zoxbA4BVsEOB3ARVWQki/DHzaUoC5KuON/BiccDaCCTZBuOcfZs70kR8bQ==",
+      "dev": true
+    },
+    "readable-stream": {
+      "version": "3.6.0",
+      "integrity": "sha512-BViHy7LKeTz4oNnkcLJ+lVSL6vpiFeX6/d3oSH8zCW7UxP2onchk+vTGB143xuFjHS3deTgkKoXXymXqymiIdA==",
+      "dev": true,
+      "requires": {
+        "inherits": "^2.0.3",
+        "string_decoder": "^1.1.1",
+        "util-deprecate": "^1.0.1"
+      }
+    },
+    "readdirp": {
+      "version": "3.5.0",
+      "integrity": "sha512-cMhu7c/8rdhkHXWsY+osBhfSy0JikwpHK/5+imo+LpeasTF8ouErHrlYkwT0++njiyuDvc7OFY5T3ukvZ8qmFQ==",
+      "dev": true,
+      "requires": {
+        "picomatch": "^2.2.1"
+      }
+    },
+    "regenerator-runtime": {
+      "version": "0.13.11",
+      "resolved": "https://registry.npmjs.org/regenerator-runtime/-/regenerator-runtime-0.13.11.tgz",
+      "integrity": "sha512-kY1AZVr2Ra+t+piVaJ4gxaFaReZVH40AKNo7UCX6W+dEwBo/2oZJzqfuN1qLq1oL45o56cPaTXELwrTh8Fpggg==",
+      "dev": true
+    },
+    "regex-not": {
+      "version": "1.0.2",
+      "integrity": "sha512-J6SDjUgDxQj5NusnOtdFxDwN/+HWykR8GELwctJ7mdqhcyy1xEc4SRFHUXvxTp661YaVKAjfRLZ9cCqS6tn32A==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "extend-shallow": "^3.0.2",
+        "safe-regex": "^1.1.0"
+      },
+      "dependencies": {
+        "extend-shallow": {
+          "version": "3.0.2",
+          "integrity": "sha1-Jqcarwc7OfshJxcnRhMcJwQCjbg=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "assign-symbols": "^1.0.0",
+            "is-extendable": "^1.0.1"
+          }
+        },
+        "is-extendable": {
+          "version": "1.0.1",
+          "integrity": "sha512-arnXMxT1hhoKo9k1LZdmlNyJdDDfy2v0fXjFlmok4+i8ul/6WlbVge9bhM74OpNPQPMGUToDtz+KXa1PneJxOA==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "is-plain-object": "^2.0.4"
+          }
+        }
+      }
+    },
+    "regexp.prototype.flags": {
+      "version": "1.4.3",
+      "resolved": "https://registry.npmjs.org/regexp.prototype.flags/-/regexp.prototype.flags-1.4.3.tgz",
+      "integrity": "sha512-fjggEOO3slI6Wvgjwflkc4NFRCTZAu5CnNfBd5qOMYhWdn67nJBBu34/TkD++eeFmd8C9r9jfXJ27+nSiRkSUA==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.3",
+        "functions-have-names": "^1.2.2"
+      }
+    },
+    "regexpp": {
+      "version": "3.2.0",
+      "resolved": "https://registry.npmjs.org/regexpp/-/regexpp-3.2.0.tgz",
+      "integrity": "sha512-pq2bWo9mVD43nbts2wGv17XLiNLya+GklZ8kaDLV2Z08gDCsGpnKn9BFMepvWuHCbyVvY7J5o5+BVvoQbmlJLg==",
+      "dev": true
+    },
+    "remark": {
+      "version": "13.0.0",
+      "integrity": "sha512-HDz1+IKGtOyWN+QgBiAT0kn+2s6ovOxHyPAFGKVE81VSzJ+mq7RwHFledEvB5F1p4iJvOah/LOKdFuzvRnNLCA==",
+      "dev": true,
+      "requires": {
+        "remark-parse": "^9.0.0",
+        "remark-stringify": "^9.0.0",
+        "unified": "^9.1.0"
+      },
+      "dependencies": {
+        "remark-parse": {
+          "version": "9.0.0",
+          "integrity": "sha512-geKatMwSzEXKHuzBNU1z676sGcDcFoChMK38TgdHJNAYfFtsfHDQG7MoJAjs6sgYMqyLduCYWDIWZIxiPeafEw==",
+          "dev": true,
+          "requires": {
+            "mdast-util-from-markdown": "^0.8.0"
+          }
+        }
+      }
+    },
+    "remark-mdx": {
+      "version": "1.6.22",
+      "resolved": "https://registry.npmjs.org/remark-mdx/-/remark-mdx-1.6.22.tgz",
+      "integrity": "sha512-phMHBJgeV76uyFkH4rvzCftLfKCr2RZuF+/gmVcaKrpsihyzmhXjA0BEMDaPTXG5y8qZOKPVo83NAOX01LPnOQ==",
+      "dev": true,
+      "requires": {
+        "@babel/core": "7.12.9",
+        "@babel/helper-plugin-utils": "7.10.4",
+        "@babel/plugin-proposal-object-rest-spread": "7.12.1",
+        "@babel/plugin-syntax-jsx": "7.12.1",
+        "@mdx-js/util": "1.6.22",
+        "is-alphabetical": "1.0.4",
+        "remark-parse": "8.0.3",
+        "unified": "9.2.0"
+      },
+      "dependencies": {
+        "@babel/core": {
+          "version": "7.12.9",
+          "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.12.9.tgz",
+          "integrity": "sha512-gTXYh3M5wb7FRXQy+FErKFAv90BnlOuNn1QkCK2lREoPAjrQCO49+HVSrFoe5uakFAF5eenS75KbO2vQiLrTMQ==",
+          "dev": true,
+          "requires": {
+            "@babel/code-frame": "^7.10.4",
+            "@babel/generator": "^7.12.5",
+            "@babel/helper-module-transforms": "^7.12.1",
+            "@babel/helpers": "^7.12.5",
+            "@babel/parser": "^7.12.7",
+            "@babel/template": "^7.12.7",
+            "@babel/traverse": "^7.12.9",
+            "@babel/types": "^7.12.7",
+            "convert-source-map": "^1.7.0",
+            "debug": "^4.1.0",
+            "gensync": "^1.0.0-beta.1",
+            "json5": "^2.1.2",
+            "lodash": "^4.17.19",
+            "resolve": "^1.3.2",
+            "semver": "^5.4.1",
+            "source-map": "^0.5.0"
+          }
+        },
+        "@babel/helper-plugin-utils": {
+          "version": "7.10.4",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.10.4.tgz",
+          "integrity": "sha512-O4KCvQA6lLiMU9l2eawBPMf1xPP8xPfB3iEQw150hOVTqj/rfXz0ThTb4HEzqQfs2Bmo5Ay8BzxfzVtBrr9dVg==",
+          "dev": true
+        },
+        "semver": {
+          "version": "5.7.1",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.1.tgz",
+          "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ==",
+          "dev": true
+        }
+      }
+    },
+    "remark-parse": {
+      "version": "8.0.3",
+      "resolved": "https://registry.npmjs.org/remark-parse/-/remark-parse-8.0.3.tgz",
+      "integrity": "sha512-E1K9+QLGgggHxCQtLt++uXltxEprmWzNfg+MxpfHsZlrddKzZ/hZyWHDbK3/Ap8HJQqYJRXP+jHczdL6q6i85Q==",
+      "dev": true,
+      "requires": {
+        "ccount": "^1.0.0",
+        "collapse-white-space": "^1.0.2",
+        "is-alphabetical": "^1.0.0",
+        "is-decimal": "^1.0.0",
+        "is-whitespace-character": "^1.0.0",
+        "is-word-character": "^1.0.0",
+        "markdown-escapes": "^1.0.0",
+        "parse-entities": "^2.0.0",
+        "repeat-string": "^1.5.4",
+        "state-toggle": "^1.0.0",
+        "trim": "0.0.1",
+        "trim-trailing-lines": "^1.0.0",
+        "unherit": "^1.0.4",
+        "unist-util-remove-position": "^2.0.0",
+        "vfile-location": "^3.0.0",
+        "xtend": "^4.0.1"
+      }
+    },
+    "remark-stringify": {
+      "version": "9.0.1",
+      "integrity": "sha512-mWmNg3ZtESvZS8fv5PTvaPckdL4iNlCHTt8/e/8oN08nArHRHjNZMKzA/YW3+p7/lYqIw4nx1XsjCBo/AxNChg==",
+      "dev": true,
+      "requires": {
+        "mdast-util-to-markdown": "^0.6.0"
+      }
+    },
+    "remove-trailing-separator": {
+      "version": "1.1.0",
+      "integrity": "sha1-wkvOKig62tW8P1jg1IJJuSN52O8=",
+      "dev": true,
+      "peer": true
+    },
+    "repeat-element": {
+      "version": "1.1.4",
+      "integrity": "sha512-LFiNfRcSu7KK3evMyYOuCzv3L10TW7yC1G2/+StMjK8Y6Vqd2MG7r/Qjw4ghtuCOjFvlnms/iMmLqpvW/ES/WQ==",
+      "dev": true,
+      "peer": true
+    },
+    "repeat-string": {
+      "version": "1.6.1",
+      "integrity": "sha1-jcrkcOHIirwtYA//Sndihtp15jc=",
+      "dev": true
+    },
+    "require-directory": {
+      "version": "2.1.1",
+      "integrity": "sha1-jGStX9MNqxyXbiNE/+f3kqam30I=",
+      "dev": true
+    },
+    "require-from-string": {
+      "version": "2.0.2",
+      "integrity": "sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==",
+      "dev": true
+    },
+    "require-main-filename": {
+      "version": "2.0.0",
+      "integrity": "sha512-NKN5kMDylKuldxYLSUfrbo5Tuzh4hd+2E8NPPX02mZtn1VuREQToYe/ZdlJy+J3uCpfaiGF05e7B8W0iXbQHmg==",
+      "dev": true,
+      "peer": true
+    },
+    "resolve": {
+      "version": "1.20.0",
+      "integrity": "sha512-wENBPt4ySzg4ybFQW2TT1zMQucPK95HSh/nq2CFTZVOGut2+pQvSsgtda4d26YrYcr067wjbmzOG8byDPBX63A==",
+      "dev": true,
+      "requires": {
+        "is-core-module": "^2.2.0",
+        "path-parse": "^1.0.6"
+      }
+    },
+    "resolve-cwd": {
+      "version": "3.0.0",
+      "integrity": "sha512-OrZaX2Mb+rJCpH/6CpSqt9xFVpN++x01XnN2ie9g6P5/3xelLAkXWVADpdz1IHD/KFfEXyE6V0U01OQ3UO2rEg==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "resolve-from": "^5.0.0"
+      },
+      "dependencies": {
+        "resolve-from": {
+          "version": "5.0.0",
+          "integrity": "sha512-qYg9KP24dD5qka9J47d0aVky0N+b4fTU89LN9iDnjB5waksiC49rvMB0PrUJQGoTmH50XPiqOvAjDfaijGxYZw==",
+          "dev": true,
+          "peer": true
+        }
+      }
+    },
+    "resolve-from": {
+      "version": "4.0.0",
+      "integrity": "sha512-pb/MYmXstAkysRFx8piNI1tGFNQIFA3vkE3Gq4EuA1dF6gHp/+vgZqsCGJapvy8N3Q+4o7FwvquPJcnZ7RYy4g==",
+      "dev": true
+    },
+    "resolve-url": {
+      "version": "0.2.1",
+      "integrity": "sha1-LGN/53yJOv0qZj/iGqkIAGjiBSo=",
+      "dev": true,
+      "peer": true
+    },
+    "restore-cursor": {
+      "version": "3.1.0",
+      "integrity": "sha512-l+sSefzHpj5qimhFSE5a8nufZYAM3sBSVMAPtYkmC+4EH2anSGaEMXSD0izRQbu9nfyQ9y5JrVmp7E8oZrUjvA==",
+      "dev": true,
+      "requires": {
+        "onetime": "^5.1.0",
+        "signal-exit": "^3.0.2"
+      }
+    },
+    "ret": {
+      "version": "0.1.15",
+      "integrity": "sha512-TTlYpa+OL+vMMNG24xSlQGEJ3B/RzEfUlLct7b5G/ytav+wPrplCpVMFuwzXbkecJrb6IYo1iFb0S9v37754mg==",
+      "dev": true,
+      "peer": true
+    },
+    "reusify": {
+      "version": "1.0.4",
+      "integrity": "sha512-U9nH88a3fc/ekCF1l0/UP1IosiuIjyTh7hBvXVMHYgVcfGvt897Xguj2UOLDeI5BG2m7/uwyaLVT6fbtCwTyzw==",
+      "dev": true
+    },
+    "rimraf": {
+      "version": "3.0.2",
+      "integrity": "sha512-JZkJMZkAGFFPP2YqXZXPbMlMBgsxzE8ILs4lMIX/2o0L9UBw9O/Y3o6wFw/i9YLapcUJWwqbi3kdxIPdC62TIA==",
+      "dev": true,
+      "requires": {
+        "glob": "^7.1.3"
+      }
+    },
+    "rivet-graphql": {
+      "version": "0.3.1",
+      "integrity": "sha512-HEov02XhZ6H1jOME+mO8CZwliu/UtgZSHixYUwvQ7HSx3gk8EOVaQY5c3zscOYjZECvP8cR4+1Ob3KHWJRWEMw==",
+      "dev": true,
+      "requires": {
+        "graphql": "^15.3.0",
+        "graphql-request": "^3.0.0"
+      }
+    },
+    "rsvp": {
+      "version": "4.8.5",
+      "integrity": "sha512-nfMOlASu9OnRJo1mbEk2cz0D56a1MBNrJ7orjRZQG10XDyuvwksKbuXNp6qa+kbn839HwjwhBzhFmdsaEAfauA==",
+      "dev": true,
+      "peer": true
+    },
+    "run-async": {
+      "version": "2.4.1",
+      "integrity": "sha512-tvVnVv01b8c1RrA6Ep7JkStj85Guv/YrMcwqYQnwjsAS2cTmmPGBBjAjpCW7RrSodNSoE2/qg9O4bceNvUuDgQ==",
+      "dev": true
+    },
+    "run-parallel": {
+      "version": "1.2.0",
+      "integrity": "sha512-5l4VyZR86LZ/lDxZTR6jqL8AFE2S0IFLMP26AbjsLVADxHdhB/c0GUsH+y39UfCi3dzz8OlQuPmnaJOMoDHQBA==",
+      "dev": true,
+      "requires": {
+        "queue-microtask": "^1.2.2"
+      }
+    },
+    "rxjs": {
+      "version": "6.6.7",
+      "resolved": "https://registry.npmjs.org/rxjs/-/rxjs-6.6.7.tgz",
+      "integrity": "sha512-hTdwr+7yYNIT5n4AMYp85KA6yw2Va0FLa3Rguvbpa4W3I5xynaBZo41cM3XM+4Q6fRMj3sBYIR1VAmZMXYJvRQ==",
+      "dev": true,
+      "requires": {
+        "tslib": "^1.9.0"
+      },
+      "dependencies": {
+        "tslib": {
+          "version": "1.14.1",
+          "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz",
+          "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg==",
+          "dev": true
+        }
+      }
+    },
+    "safe-buffer": {
+      "version": "5.1.2",
+      "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==",
+      "dev": true
+    },
+    "safe-regex": {
+      "version": "1.1.0",
+      "integrity": "sha1-QKNmnzsHfR6UPURinhV91IAjvy4=",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "ret": "~0.1.10"
+      }
+    },
+    "safe-regex-test": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/safe-regex-test/-/safe-regex-test-1.0.0.tgz",
+      "integrity": "sha512-JBUUzyOgEwXQY1NuPtvcj/qcBDbDmEvWufhlnXZIm75DEHp+afM1r1ujJpJsV/gSM4t59tpDyPi1sd6ZaPFfsA==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2",
+        "get-intrinsic": "^1.1.3",
+        "is-regex": "^1.1.4"
+      }
+    },
+    "safer-buffer": {
+      "version": "2.1.2",
+      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==",
+      "dev": true
+    },
+    "sane": {
+      "version": "4.1.0",
+      "integrity": "sha512-hhbzAgTIX8O7SHfp2c8/kREfEn4qO/9q8C9beyY6+tvZ87EpoZ3i1RIEvp27YBswnNbY9mWd6paKVmKbAgLfZA==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@cnakazawa/watch": "^1.0.3",
+        "anymatch": "^2.0.0",
+        "capture-exit": "^2.0.0",
+        "exec-sh": "^0.3.2",
+        "execa": "^1.0.0",
+        "fb-watchman": "^2.0.0",
+        "micromatch": "^3.1.4",
+        "minimist": "^1.1.1",
+        "walker": "~1.0.5"
+      },
+      "dependencies": {
+        "anymatch": {
+          "version": "2.0.0",
+          "integrity": "sha512-5teOsQWABXHHBFP9y3skS5P3d/WfWXpv3FUpy+LorMrNYaT9pI4oLMQX7jzQ2KklNpGpWHzdCXTDT2Y3XGlZBw==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "micromatch": "^3.1.4",
+            "normalize-path": "^2.1.1"
+          }
+        },
+        "braces": {
+          "version": "2.3.2",
+          "integrity": "sha512-aNdbnj9P8PjdXU4ybaWLK2IF3jc/EoDYbC7AazW6to3TRsfXxscC9UXOB5iDiEQrkyIbWp2SLQda4+QAa7nc3w==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "arr-flatten": "^1.1.0",
+            "array-unique": "^0.3.2",
+            "extend-shallow": "^2.0.1",
+            "fill-range": "^4.0.0",
+            "isobject": "^3.0.1",
+            "repeat-element": "^1.1.2",
+            "snapdragon": "^0.8.1",
+            "snapdragon-node": "^2.0.1",
+            "split-string": "^3.0.2",
+            "to-regex": "^3.0.1"
+          }
+        },
+        "cross-spawn": {
+          "version": "6.0.5",
+          "integrity": "sha512-eTVLrBSt7fjbDygz805pMnstIs2VTBNkRm0qxZd+M7A5XDdxVRWO5MxGBXZhjY4cqLYLdtrGqRf8mBPmzwSpWQ==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "nice-try": "^1.0.4",
+            "path-key": "^2.0.1",
+            "semver": "^5.5.0",
+            "shebang-command": "^1.2.0",
+            "which": "^1.2.9"
+          }
+        },
+        "execa": {
+          "version": "1.0.0",
+          "integrity": "sha512-adbxcyWV46qiHyvSp50TKt05tB4tK3HcmF7/nxfAdhnox83seTDbwnaqKO4sXRy7roHAIFqJP/Rw/AuEbX61LA==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "cross-spawn": "^6.0.0",
+            "get-stream": "^4.0.0",
+            "is-stream": "^1.1.0",
+            "npm-run-path": "^2.0.0",
+            "p-finally": "^1.0.0",
+            "signal-exit": "^3.0.0",
+            "strip-eof": "^1.0.0"
+          }
+        },
+        "fill-range": {
+          "version": "4.0.0",
+          "integrity": "sha1-1USBHUKPmOsGpj3EAtJAPDKMOPc=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "extend-shallow": "^2.0.1",
+            "is-number": "^3.0.0",
+            "repeat-string": "^1.6.1",
+            "to-regex-range": "^2.1.0"
+          }
+        },
+        "get-stream": {
+          "version": "4.1.0",
+          "integrity": "sha512-GMat4EJ5161kIy2HevLlr4luNjBgvmj413KaQA7jt4V8B4RDsfpHk7WQ9GVqfYyyx8OS/L66Kox+rJRNklLK7w==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "pump": "^3.0.0"
+          }
+        },
+        "is-buffer": {
+          "version": "1.1.6",
+          "integrity": "sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==",
+          "dev": true,
+          "peer": true
+        },
+        "is-extendable": {
+          "version": "1.0.1",
+          "integrity": "sha512-arnXMxT1hhoKo9k1LZdmlNyJdDDfy2v0fXjFlmok4+i8ul/6WlbVge9bhM74OpNPQPMGUToDtz+KXa1PneJxOA==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "is-plain-object": "^2.0.4"
+          }
+        },
+        "is-number": {
+          "version": "3.0.0",
+          "integrity": "sha1-JP1iAaR4LPUFYcgQJ2r8fRLXEZU=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "kind-of": "^3.0.2"
+          },
+          "dependencies": {
+            "kind-of": {
+              "version": "3.2.2",
+              "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+              "dev": true,
+              "peer": true,
+              "requires": {
+                "is-buffer": "^1.1.5"
+              }
+            }
+          }
+        },
+        "is-stream": {
+          "version": "1.1.0",
+          "integrity": "sha1-EtSj3U5o4Lec6428hBc66A2RykQ=",
+          "dev": true,
+          "peer": true
+        },
+        "micromatch": {
+          "version": "3.1.10",
+          "integrity": "sha512-MWikgl9n9M3w+bpsY3He8L+w9eF9338xRl8IAO5viDizwSzziFEyUzo2xrrloB64ADbTf8uA8vRqqttDTOmccg==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "arr-diff": "^4.0.0",
+            "array-unique": "^0.3.2",
+            "braces": "^2.3.1",
+            "define-property": "^2.0.2",
+            "extend-shallow": "^3.0.2",
+            "extglob": "^2.0.4",
+            "fragment-cache": "^0.2.1",
+            "kind-of": "^6.0.2",
+            "nanomatch": "^1.2.9",
+            "object.pick": "^1.3.0",
+            "regex-not": "^1.0.0",
+            "snapdragon": "^0.8.1",
+            "to-regex": "^3.0.2"
+          },
+          "dependencies": {
+            "extend-shallow": {
+              "version": "3.0.2",
+              "integrity": "sha1-Jqcarwc7OfshJxcnRhMcJwQCjbg=",
+              "dev": true,
+              "peer": true,
+              "requires": {
+                "assign-symbols": "^1.0.0",
+                "is-extendable": "^1.0.1"
+              }
+            }
+          }
+        },
+        "normalize-path": {
+          "version": "2.1.1",
+          "integrity": "sha1-GrKLVW4Zg2Oowab35vogE3/mrtk=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "remove-trailing-separator": "^1.0.1"
+          }
+        },
+        "npm-run-path": {
+          "version": "2.0.2",
+          "integrity": "sha1-NakjLfo11wZ7TLLd8jV7GHFTbF8=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "path-key": "^2.0.0"
+          }
+        },
+        "path-key": {
+          "version": "2.0.1",
+          "integrity": "sha1-QRyttXTFoUDTpLGRDUDYDMn0C0A=",
+          "dev": true,
+          "peer": true
+        },
+        "semver": {
+          "version": "5.7.1",
+          "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ==",
+          "dev": true,
+          "peer": true
+        },
+        "shebang-command": {
+          "version": "1.2.0",
+          "integrity": "sha1-RKrGW2lbAzmJaMOfNj/uXer98eo=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "shebang-regex": "^1.0.0"
+          }
+        },
+        "shebang-regex": {
+          "version": "1.0.0",
+          "integrity": "sha1-2kL0l0DAtC2yypcoVxyxkMmO/qM=",
+          "dev": true,
+          "peer": true
+        },
+        "to-regex-range": {
+          "version": "2.1.1",
+          "integrity": "sha1-fIDBe53+vlmeJzZ+DU3VWQFB2zg=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "is-number": "^3.0.0",
+            "repeat-string": "^1.6.1"
+          }
+        },
+        "which": {
+          "version": "1.3.1",
+          "integrity": "sha512-HxJdYWq1MTIQbJ3nw0cqssHoTNU267KlrDuGZ1WYlxDStUtKUhOaJmh112/TZmHxxUfuJqPXSOm7tDyas0OSIQ==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "isexe": "^2.0.0"
+          }
+        }
+      }
+    },
+    "saxes": {
+      "version": "5.0.1",
+      "integrity": "sha512-5LBh1Tls8c9xgGjw3QrMwETmTMVk0oFgvrFSvWx62llR2hcEInrKNZ2GZCCuuy2lvWrdl5jhbpeqc5hRYKFOcw==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "xmlchars": "^2.2.0"
+      }
+    },
+    "scheduler": {
+      "version": "0.23.0",
+      "resolved": "https://registry.npmjs.org/scheduler/-/scheduler-0.23.0.tgz",
+      "integrity": "sha512-CtuThmgHNg7zIZWAXi3AsyIzA3n4xx7aNyjwC2VJldO2LMVDhFK+63xGqq6CsJH4rTAt6/M+N4GhZiDYPx9eUw==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "loose-envify": "^1.1.0"
+      }
+    },
+    "semver": {
+      "version": "7.3.5",
+      "integrity": "sha512-PoeGJYh8HK4BTO/a9Tf6ZG3veo/A7ZVsYrSA6J8ny9nb3B1VrpkuN+z9OE5wfE5p6H4LchYZsegiQgbJD94ZFQ==",
+      "dev": true,
+      "requires": {
+        "lru-cache": "^6.0.0"
+      }
+    },
+    "semver-compare": {
+      "version": "1.0.0",
+      "integrity": "sha1-De4hahyUGrN+nvsXiPavxf9VN/w=",
+      "dev": true
+    },
+    "set-blocking": {
+      "version": "2.0.0",
+      "integrity": "sha1-BF+XgtARrppoA93TgrJDkrPYkPc=",
+      "dev": true,
+      "peer": true
+    },
+    "set-value": {
+      "version": "2.0.1",
+      "integrity": "sha512-JxHc1weCN68wRY0fhCoXpyK55m/XPHafOmK4UWD7m2CI14GMcFypt4w/0+NV5f/ZMby2F6S2wwA7fgynh9gWSw==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "extend-shallow": "^2.0.1",
+        "is-extendable": "^0.1.1",
+        "is-plain-object": "^2.0.3",
+        "split-string": "^3.0.1"
+      }
+    },
+    "shebang-command": {
+      "version": "2.0.0",
+      "integrity": "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==",
+      "dev": true,
+      "requires": {
+        "shebang-regex": "^3.0.0"
+      }
+    },
+    "shebang-regex": {
+      "version": "3.0.0",
+      "integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==",
+      "dev": true
+    },
+    "shellwords": {
+      "version": "0.1.1",
+      "integrity": "sha512-vFwSUfQvqybiICwZY5+DAWIPLKsWO31Q91JSKl3UYv+K5c2QRPzn0qzec6QPu1Qc9eHYItiP3NdJqNVqetYAww==",
+      "dev": true,
+      "optional": true,
+      "peer": true
+    },
+    "side-channel": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.0.4.tgz",
+      "integrity": "sha512-q5XPytqFEIKHkGdiMIrY10mvLRvnQh42/+GoBlFW3b2LXLE2xxJpZFdm94we0BaoV3RwJyGqg5wS7epxTv0Zvw==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.0",
+        "get-intrinsic": "^1.0.2",
+        "object-inspect": "^1.9.0"
+      }
+    },
+    "signal-exit": {
+      "version": "3.0.5",
+      "integrity": "sha512-KWcOiKeQj6ZyXx7zq4YxSMgHRlod4czeBQZrPb8OKcohcqAXShm7E20kEMle9WBt26hFcAf0qLOcp5zmY7kOqQ==",
+      "dev": true
+    },
+    "signale": {
+      "version": "1.4.0",
+      "integrity": "sha512-iuh+gPf28RkltuJC7W5MRi6XAjTDCAPC/prJUpQoG4vIP3MJZ+GTydVnodXA7pwvTKb2cA0m9OFZW/cdWy/I/w==",
+      "dev": true,
+      "requires": {
+        "chalk": "^2.3.2",
+        "figures": "^2.0.0",
+        "pkg-conf": "^2.1.0"
+      },
+      "dependencies": {
+        "ansi-styles": {
+          "version": "3.2.1",
+          "integrity": "sha512-VT0ZI6kZRdTh8YyJw3SMbYm/u+NqfsAxEpWO0Pf9sq8/e94WxxOpPKx9FR1FlyCtOVDNOQ+8ntlqFxiRc+r5qA==",
+          "dev": true,
+          "requires": {
+            "color-convert": "^1.9.0"
+          }
+        },
+        "chalk": {
+          "version": "2.4.2",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "dev": true,
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        },
+        "color-convert": {
+          "version": "1.9.3",
+          "integrity": "sha512-QfAUtd+vFdAtFQcC8CCyYt1fYWxSqAiK2cSD6zDB8N3cpsEBAvRxp9zOGg6G/SHHJYAT88/az/IuDGALsNVbGg==",
+          "dev": true,
+          "requires": {
+            "color-name": "1.1.3"
+          }
+        },
+        "color-name": {
+          "version": "1.1.3",
+          "integrity": "sha1-p9BVi9icQveV3UIyj3QIMcpTvCU=",
+          "dev": true
+        },
+        "figures": {
+          "version": "2.0.0",
+          "integrity": "sha1-OrGi0qYsi/tDGgyUy3l6L84nyWI=",
+          "dev": true,
+          "requires": {
+            "escape-string-regexp": "^1.0.5"
+          }
+        },
+        "has-flag": {
+          "version": "3.0.0",
+          "integrity": "sha1-tdRU3CGZriJWmfNGfloH87lVuv0=",
+          "dev": true
+        },
+        "supports-color": {
+          "version": "5.5.0",
+          "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+          "dev": true,
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "simple-git-hooks": {
+      "version": "2.6.1",
+      "integrity": "sha512-nvqaNfgvcjN3cGSYJSdjwB+tP8YKRCyvuUvQ24luIjIpGhUCPpZDTJ+p+hcJiwc0lZlTCl0NayfBVDoIMG7Jpg==",
+      "dev": true
+    },
+    "sisteransi": {
+      "version": "1.0.5",
+      "integrity": "sha512-bLGGlR1QxBcynn2d5YmDX4MGjlZvy2MRBDRNHLJ8VI6l6+9FUiyTFNJ0IveOSP0bcXgVDPRcfGqA0pjaqUpfVg==",
+      "dev": true,
+      "peer": true
+    },
+    "slash": {
+      "version": "3.0.0",
+      "integrity": "sha512-g9Q1haeby36OSStwb4ntCGGGaKsaVSjQ68fBxoQcutl5fS1vuY18H3wSt3jFyFtrkx+Kz0V1G85A4MyAdDMi2Q==",
+      "dev": true
+    },
+    "slice-ansi": {
+      "version": "3.0.0",
+      "integrity": "sha512-pSyv7bSTC7ig9Dcgbw9AuRNUb5k5V6oDudjZoMBSr13qpLBG7tB+zgCkARjq7xIUgdz5P1Qe8u+rSGdouOOIyQ==",
+      "dev": true,
+      "requires": {
+        "ansi-styles": "^4.0.0",
+        "astral-regex": "^2.0.0",
+        "is-fullwidth-code-point": "^3.0.0"
+      }
+    },
+    "slugify": {
+      "version": "1.4.6",
+      "integrity": "sha512-ZdJIgv9gdrYwhXqxsH9pv7nXxjUEyQ6nqhngRxoAAOlmMGA28FDq5O4/5US4G2/Nod7d1ovNcgURQJ7kHq50KQ==",
+      "dev": true
+    },
+    "snapdragon": {
+      "version": "0.8.2",
+      "integrity": "sha512-FtyOnWN/wCHTVXOMwvSv26d+ko5vWlIDD6zoUJ7LW8vh+ZBC8QdljveRP+crNrtBwioEUWy/4dMtbBjA4ioNlg==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "base": "^0.11.1",
+        "debug": "^2.2.0",
+        "define-property": "^0.2.5",
+        "extend-shallow": "^2.0.1",
+        "map-cache": "^0.2.2",
+        "source-map": "^0.5.6",
+        "source-map-resolve": "^0.5.0",
+        "use": "^3.1.0"
+      },
+      "dependencies": {
+        "debug": {
+          "version": "2.6.9",
+          "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "ms": "2.0.0"
+          }
+        },
+        "define-property": {
+          "version": "0.2.5",
+          "integrity": "sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "is-descriptor": "^0.1.0"
+          }
+        },
+        "is-accessor-descriptor": {
+          "version": "0.1.6",
+          "integrity": "sha1-qeEss66Nh2cn7u84Q/igiXtcmNY=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "kind-of": "^3.0.2"
+          },
+          "dependencies": {
+            "kind-of": {
+              "version": "3.2.2",
+              "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+              "dev": true,
+              "peer": true,
+              "requires": {
+                "is-buffer": "^1.1.5"
+              }
+            }
+          }
+        },
+        "is-buffer": {
+          "version": "1.1.6",
+          "integrity": "sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==",
+          "dev": true,
+          "peer": true
+        },
+        "is-data-descriptor": {
+          "version": "0.1.4",
+          "integrity": "sha1-C17mSDiOLIYCgueT8YVv7D8wG1Y=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "kind-of": "^3.0.2"
+          },
+          "dependencies": {
+            "kind-of": {
+              "version": "3.2.2",
+              "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+              "dev": true,
+              "peer": true,
+              "requires": {
+                "is-buffer": "^1.1.5"
+              }
+            }
+          }
+        },
+        "is-descriptor": {
+          "version": "0.1.6",
+          "integrity": "sha512-avDYr0SB3DwO9zsMov0gKCESFYqCnE4hq/4z3TdUlukEy5t9C0YRq7HLrsN52NAcqXKaepeCD0n+B0arnVG3Hg==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "is-accessor-descriptor": "^0.1.6",
+            "is-data-descriptor": "^0.1.4",
+            "kind-of": "^5.0.0"
+          }
+        },
+        "kind-of": {
+          "version": "5.1.0",
+          "integrity": "sha512-NGEErnH6F2vUuXDh+OlbcKW7/wOcfdRHaZ7VWtqCztfHri/++YKmP51OdWeGPuqCOba6kk2OTe5d02VmTB80Pw==",
+          "dev": true,
+          "peer": true
+        },
+        "ms": {
+          "version": "2.0.0",
+          "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=",
+          "dev": true,
+          "peer": true
+        }
+      }
+    },
+    "snapdragon-node": {
+      "version": "2.1.1",
+      "integrity": "sha512-O27l4xaMYt/RSQ5TR3vpWCAB5Kb/czIcqUFOM/C4fYcLnbZUc1PkjTAMjof2pBWaSTwOUd6qUHcFGVGj7aIwnw==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "define-property": "^1.0.0",
+        "isobject": "^3.0.0",
+        "snapdragon-util": "^3.0.1"
+      },
+      "dependencies": {
+        "define-property": {
+          "version": "1.0.0",
+          "integrity": "sha1-dp66rz9KY6rTr56NMEybvnm/sOY=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "is-descriptor": "^1.0.0"
+          }
+        }
+      }
+    },
+    "snapdragon-util": {
+      "version": "3.0.1",
+      "integrity": "sha512-mbKkMdQKsjX4BAL4bRYTj21edOf8cN7XHdYUJEe+Zn99hVEYcMvKPct1IqNe7+AZPirn8BCDOQBHQZknqmKlZQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "kind-of": "^3.2.0"
+      },
+      "dependencies": {
+        "is-buffer": {
+          "version": "1.1.6",
+          "integrity": "sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==",
+          "dev": true,
+          "peer": true
+        },
+        "kind-of": {
+          "version": "3.2.2",
+          "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "is-buffer": "^1.1.5"
+          }
+        }
+      }
+    },
+    "source-map": {
+      "version": "0.5.7",
+      "integrity": "sha1-igOdLRAh0i0eoUyA2OpGi6LvP8w=",
+      "dev": true
+    },
+    "source-map-js": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.0.2.tgz",
+      "integrity": "sha512-R0XvVJ9WusLiqTCEiGCmICCMplcCkIwwR11mOSD9CR5u+IXYdiseeEuXCVAjS54zqwkLcPNnmU4OeJ6tUrWhDw==",
+      "dev": true
+    },
+    "source-map-resolve": {
+      "version": "0.5.3",
+      "integrity": "sha512-Htz+RnsXWk5+P2slx5Jh3Q66vhQj1Cllm0zvnaY98+NFx+Dv2CF/f5O/t8x+KaNdrdIAsruNzoh/KpialbqAnw==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "atob": "^2.1.2",
+        "decode-uri-component": "^0.2.0",
+        "resolve-url": "^0.2.1",
+        "source-map-url": "^0.4.0",
+        "urix": "^0.1.0"
+      }
+    },
+    "source-map-support": {
+      "version": "0.5.20",
+      "integrity": "sha512-n1lZZ8Ve4ksRqizaBQgxXDgKwttHDhyfQjA6YZZn8+AroHbsIz+JjwxQDxbp+7y5OYCI8t1Yk7etjD9CRd2hIw==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "buffer-from": "^1.0.0",
+        "source-map": "^0.6.0"
+      },
+      "dependencies": {
+        "source-map": {
+          "version": "0.6.1",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+          "dev": true,
+          "peer": true
+        }
+      }
+    },
+    "source-map-url": {
+      "version": "0.4.1",
+      "integrity": "sha512-cPiFOTLUKvJFIg4SKVScy4ilPPW6rFgMgfuZJPNoDuMs3nC1HbMUycBoJw77xFIp6z1UJQJOfx6C9GMH80DiTw==",
+      "dev": true,
+      "peer": true
+    },
+    "spdx-correct": {
+      "version": "3.1.1",
+      "integrity": "sha512-cOYcUWwhCuHCXi49RhFRCyJEK3iPj1Ziz9DpViV3tbZOwXD49QzIN3MpOLJNxh2qwq2lJJZaKMVw9qNi4jTC0w==",
+      "dev": true,
+      "requires": {
+        "spdx-expression-parse": "^3.0.0",
+        "spdx-license-ids": "^3.0.0"
+      }
+    },
+    "spdx-exceptions": {
+      "version": "2.3.0",
+      "integrity": "sha512-/tTrYOC7PPI1nUAgx34hUpqXuyJG+DTHJTnIULG4rDygi4xu/tfgmq1e1cIRwRzwZgo4NLySi+ricLkZkw4i5A==",
+      "dev": true
+    },
+    "spdx-expression-parse": {
+      "version": "3.0.1",
+      "integrity": "sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==",
+      "dev": true,
+      "requires": {
+        "spdx-exceptions": "^2.1.0",
+        "spdx-license-ids": "^3.0.0"
+      }
+    },
+    "spdx-license-ids": {
+      "version": "3.0.10",
+      "integrity": "sha512-oie3/+gKf7QtpitB0LYLETe+k8SifzsX4KixvpOsbI6S0kRiRQ5MKOio8eMSAKQ17N06+wdEOXRiId+zOxo0hA==",
+      "dev": true
+    },
+    "specificity": {
+      "version": "0.4.1",
+      "integrity": "sha512-1klA3Gi5PD1Wv9Q0wUoOQN1IWAuPu0D1U03ThXTr0cJ20+/iq2tHSDnK7Kk/0LXJ1ztUB2/1Os0wKmfyNgUQfg==",
+      "dev": true
+    },
+    "split-string": {
+      "version": "3.1.0",
+      "integrity": "sha512-NzNVhJDYpwceVVii8/Hu6DKfD2G+NrQHlS/V/qgv763EYudVwEcMQNxd2lh+0VrUByXN/oJkl5grOhYWvQUYiw==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "extend-shallow": "^3.0.0"
+      },
+      "dependencies": {
+        "extend-shallow": {
+          "version": "3.0.2",
+          "integrity": "sha1-Jqcarwc7OfshJxcnRhMcJwQCjbg=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "assign-symbols": "^1.0.0",
+            "is-extendable": "^1.0.1"
+          }
+        },
+        "is-extendable": {
+          "version": "1.0.1",
+          "integrity": "sha512-arnXMxT1hhoKo9k1LZdmlNyJdDDfy2v0fXjFlmok4+i8ul/6WlbVge9bhM74OpNPQPMGUToDtz+KXa1PneJxOA==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "is-plain-object": "^2.0.4"
+          }
+        }
+      }
+    },
+    "sprintf-js": {
+      "version": "1.0.3",
+      "integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=",
+      "dev": true,
+      "peer": true
+    },
+    "stack-utils": {
+      "version": "2.0.5",
+      "integrity": "sha512-xrQcmYhOsn/1kX+Vraq+7j4oE2j/6BFscZ0etmYg81xuM8Gq0022Pxb8+IqgOFUIaxHs0KaSb7T1+OegiNrNFA==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "escape-string-regexp": "^2.0.0"
+      },
+      "dependencies": {
+        "escape-string-regexp": {
+          "version": "2.0.0",
+          "integrity": "sha512-UpzcLCXolUWcNu5HtVMHYdXJjArjsF9C0aNnquZYY4uW/Vu0miy5YoWvbV345HauVvcAUnpRuhMMcqTcGOY2+w==",
+          "dev": true,
+          "peer": true
+        }
+      }
+    },
+    "state-toggle": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/state-toggle/-/state-toggle-1.0.3.tgz",
+      "integrity": "sha512-d/5Z4/2iiCnHw6Xzghyhb+GcmF89bxwgXG60wjIiZaxnymbyOmI8Hk4VqHXiVVp6u2ysaskFfXg3ekCj4WNftQ==",
+      "dev": true
+    },
+    "static-extend": {
+      "version": "0.1.2",
+      "integrity": "sha1-YICcOcv/VTNyJv1eC1IPNB8ftcY=",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "define-property": "^0.2.5",
+        "object-copy": "^0.1.0"
+      },
+      "dependencies": {
+        "define-property": {
+          "version": "0.2.5",
+          "integrity": "sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "is-descriptor": "^0.1.0"
+          }
+        },
+        "is-accessor-descriptor": {
+          "version": "0.1.6",
+          "integrity": "sha1-qeEss66Nh2cn7u84Q/igiXtcmNY=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "kind-of": "^3.0.2"
+          },
+          "dependencies": {
+            "kind-of": {
+              "version": "3.2.2",
+              "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+              "dev": true,
+              "peer": true,
+              "requires": {
+                "is-buffer": "^1.1.5"
+              }
+            }
+          }
+        },
+        "is-buffer": {
+          "version": "1.1.6",
+          "integrity": "sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==",
+          "dev": true,
+          "peer": true
+        },
+        "is-data-descriptor": {
+          "version": "0.1.4",
+          "integrity": "sha1-C17mSDiOLIYCgueT8YVv7D8wG1Y=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "kind-of": "^3.0.2"
+          },
+          "dependencies": {
+            "kind-of": {
+              "version": "3.2.2",
+              "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+              "dev": true,
+              "peer": true,
+              "requires": {
+                "is-buffer": "^1.1.5"
+              }
+            }
+          }
+        },
+        "is-descriptor": {
+          "version": "0.1.6",
+          "integrity": "sha512-avDYr0SB3DwO9zsMov0gKCESFYqCnE4hq/4z3TdUlukEy5t9C0YRq7HLrsN52NAcqXKaepeCD0n+B0arnVG3Hg==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "is-accessor-descriptor": "^0.1.6",
+            "is-data-descriptor": "^0.1.4",
+            "kind-of": "^5.0.0"
+          }
+        },
+        "kind-of": {
+          "version": "5.1.0",
+          "integrity": "sha512-NGEErnH6F2vUuXDh+OlbcKW7/wOcfdRHaZ7VWtqCztfHri/++YKmP51OdWeGPuqCOba6kk2OTe5d02VmTB80Pw==",
+          "dev": true,
+          "peer": true
+        }
+      }
+    },
+    "stop-iteration-iterator": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/stop-iteration-iterator/-/stop-iteration-iterator-1.0.0.tgz",
+      "integrity": "sha512-iCGQj+0l0HOdZ2AEeBADlsRC+vsnDsZsbdSiH1yNSjcfKM7fdpCMfqAL/dwF5BLiw/XhRft/Wax6zQbhq2BcjQ==",
+      "dev": true,
+      "requires": {
+        "internal-slot": "^1.0.4"
+      }
+    },
+    "string_decoder": {
+      "version": "1.3.0",
+      "integrity": "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==",
+      "dev": true,
+      "requires": {
+        "safe-buffer": "~5.2.0"
+      },
+      "dependencies": {
+        "safe-buffer": {
+          "version": "5.2.1",
+          "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==",
+          "dev": true
+        }
+      }
+    },
+    "string-argv": {
+      "version": "0.3.1",
+      "integrity": "sha512-a1uQGz7IyVy9YwhqjZIZu1c8JO8dNIe20xBmSS6qu9kv++k3JGzCVmprbNN5Kn+BgzD5E7YYwg1CcjuJMRNsvg==",
+      "dev": true
+    },
+    "string-length": {
+      "version": "4.0.2",
+      "integrity": "sha512-+l6rNN5fYHNhZZy41RXsYptCjA2Igmq4EG7kZAYFQI1E1VTXarr6ZPXBg6eq7Y6eK4FEhY6AJlyuFIb/v/S0VQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "char-regex": "^1.0.2",
+        "strip-ansi": "^6.0.0"
+      }
+    },
+    "string-width": {
+      "version": "4.2.3",
+      "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==",
+      "dev": true,
+      "requires": {
+        "emoji-regex": "^8.0.0",
+        "is-fullwidth-code-point": "^3.0.0",
+        "strip-ansi": "^6.0.1"
+      },
+      "dependencies": {
+        "emoji-regex": {
+          "version": "8.0.0",
+          "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==",
+          "dev": true
+        }
+      }
+    },
+    "string.prototype.matchall": {
+      "version": "4.0.8",
+      "resolved": "https://registry.npmjs.org/string.prototype.matchall/-/string.prototype.matchall-4.0.8.tgz",
+      "integrity": "sha512-6zOCOcJ+RJAQshcTvXPHoxoQGONa3e/Lqx90wUA+wEzX78sg5Bo+1tQo4N0pohS0erG9qtCqJDjNCQBjeWVxyg==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.4",
+        "es-abstract": "^1.20.4",
+        "get-intrinsic": "^1.1.3",
+        "has-symbols": "^1.0.3",
+        "internal-slot": "^1.0.3",
+        "regexp.prototype.flags": "^1.4.3",
+        "side-channel": "^1.0.4"
+      }
+    },
+    "string.prototype.trimend": {
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/string.prototype.trimend/-/string.prototype.trimend-1.0.6.tgz",
+      "integrity": "sha512-JySq+4mrPf9EsDBEDYMOb/lM7XQLulwg5R/m1r0PXEFqrV0qHvl58sdTilSXtKOflCsK2E8jxf+GKC0T07RWwQ==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.4",
+        "es-abstract": "^1.20.4"
+      }
+    },
+    "string.prototype.trimstart": {
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/string.prototype.trimstart/-/string.prototype.trimstart-1.0.6.tgz",
+      "integrity": "sha512-omqjMDaY92pbn5HOX7f9IccLA+U1tA9GvtU4JrodiXFfYB7jPzzHpRzpglLAjtUV6bB557zwClJezTqnAiYnQA==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2",
+        "define-properties": "^1.1.4",
+        "es-abstract": "^1.20.4"
+      }
+    },
+    "stringify-entities": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/stringify-entities/-/stringify-entities-3.1.0.tgz",
+      "integrity": "sha512-3FP+jGMmMV/ffZs86MoghGqAoqXAdxLrJP4GUdrDN1aIScYih5tuIO3eF4To5AJZ79KDZ8Fpdy7QJnK8SsL1Vg==",
+      "dev": true,
+      "requires": {
+        "character-entities-html4": "^1.0.0",
+        "character-entities-legacy": "^1.0.0",
+        "xtend": "^4.0.0"
+      }
+    },
+    "stringify-object": {
+      "version": "3.3.0",
+      "integrity": "sha512-rHqiFh1elqCQ9WPLIC8I0Q/g/wj5J1eMkyoiD6eoQApWHP0FtlK7rqnhmabL5VUY9JQCcqwwvlOaSuutekgyrw==",
+      "dev": true,
+      "requires": {
+        "get-own-enumerable-property-symbols": "^3.0.0",
+        "is-obj": "^1.0.1",
+        "is-regexp": "^1.0.0"
+      }
+    },
+    "strip-ansi": {
+      "version": "6.0.1",
+      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
+      "dev": true,
+      "requires": {
+        "ansi-regex": "^5.0.1"
+      }
+    },
+    "strip-bom": {
+      "version": "4.0.0",
+      "integrity": "sha512-3xurFv5tEgii33Zi8Jtp55wEIILR9eh34FAW00PZf+JnSsTmV/ioewSgQl97JHvgjoRGwPShsWm+IdrxB35d0w==",
+      "dev": true,
+      "peer": true
+    },
+    "strip-eof": {
+      "version": "1.0.0",
+      "integrity": "sha1-u0P/VZim6wXYm1n80SnJgzE2Br8=",
+      "dev": true,
+      "peer": true
+    },
+    "strip-final-newline": {
+      "version": "2.0.0",
+      "integrity": "sha512-BrpvfNAE3dcvq7ll3xVumzjKjZQ5tI1sEUIKr3Uoks0XUl45St3FlatVqef9prk4jRDzhW6WZg+3bk93y6pLjA==",
+      "dev": true
+    },
+    "strip-json-comments": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-3.1.1.tgz",
+      "integrity": "sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig==",
+      "dev": true
+    },
+    "style-search": {
+      "version": "0.1.0",
+      "integrity": "sha1-eVjHk+R+MuB9K1yv5cC/jhLneQI=",
+      "dev": true
+    },
+    "styled-jsx": {
+      "version": "5.0.7",
+      "resolved": "https://registry.npmjs.org/styled-jsx/-/styled-jsx-5.0.7.tgz",
+      "integrity": "sha512-b3sUzamS086YLRuvnaDigdAewz1/EFYlHpYBP5mZovKEdQQOIIYq8lApylub3HHZ6xFjV051kkGU7cudJmrXEA==",
+      "dev": true,
+      "requires": {}
+    },
+    "stylelint": {
+      "version": "13.8.0",
+      "integrity": "sha512-iHH3dv3UI23SLDrH4zMQDjLT9/dDIz/IpoFeuNxZmEx86KtfpjDOscxLTFioQyv+2vQjPlRZnK0UoJtfxLICXQ==",
+      "dev": true,
+      "requires": {
+        "@stylelint/postcss-css-in-js": "^0.37.2",
+        "@stylelint/postcss-markdown": "^0.36.2",
+        "autoprefixer": "^9.8.6",
+        "balanced-match": "^1.0.0",
+        "chalk": "^4.1.0",
+        "cosmiconfig": "^7.0.0",
+        "debug": "^4.2.0",
+        "execall": "^2.0.0",
+        "fast-glob": "^3.2.4",
+        "fastest-levenshtein": "^1.0.12",
+        "file-entry-cache": "^6.0.0",
+        "get-stdin": "^8.0.0",
+        "global-modules": "^2.0.0",
+        "globby": "^11.0.1",
+        "globjoin": "^0.1.4",
+        "html-tags": "^3.1.0",
+        "ignore": "^5.1.8",
+        "import-lazy": "^4.0.0",
+        "imurmurhash": "^0.1.4",
+        "known-css-properties": "^0.20.0",
+        "lodash": "^4.17.20",
+        "log-symbols": "^4.0.0",
+        "mathml-tag-names": "^2.1.3",
+        "meow": "^8.0.0",
+        "micromatch": "^4.0.2",
+        "normalize-selector": "^0.2.0",
+        "postcss": "^7.0.35",
+        "postcss-html": "^0.36.0",
+        "postcss-less": "^3.1.4",
+        "postcss-media-query-parser": "^0.2.3",
+        "postcss-resolve-nested-selector": "^0.1.1",
+        "postcss-safe-parser": "^4.0.2",
+        "postcss-sass": "^0.4.4",
+        "postcss-scss": "^2.1.1",
+        "postcss-selector-parser": "^6.0.4",
+        "postcss-syntax": "^0.36.2",
+        "postcss-value-parser": "^4.1.0",
+        "resolve-from": "^5.0.0",
+        "slash": "^3.0.0",
+        "specificity": "^0.4.1",
+        "string-width": "^4.2.0",
+        "strip-ansi": "^6.0.0",
+        "style-search": "^0.1.0",
+        "sugarss": "^2.0.0",
+        "svg-tags": "^1.0.0",
+        "table": "^6.0.3",
+        "v8-compile-cache": "^2.2.0",
+        "write-file-atomic": "^3.0.3"
+      },
+      "dependencies": {
+        "camelcase-keys": {
+          "version": "6.2.2",
+          "integrity": "sha512-YrwaA0vEKazPBkn0ipTiMpSajYDSe+KjQfrjhcBMxJt/znbvlHd8Pw/Vamaz5EB4Wfhs3SUR3Z9mwRu/P3s3Yg==",
+          "dev": true,
+          "requires": {
+            "camelcase": "^5.3.1",
+            "map-obj": "^4.0.0",
+            "quick-lru": "^4.0.1"
+          }
+        },
+        "find-up": {
+          "version": "4.1.0",
+          "integrity": "sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==",
+          "dev": true,
+          "requires": {
+            "locate-path": "^5.0.0",
+            "path-exists": "^4.0.0"
+          }
+        },
+        "get-stdin": {
+          "version": "8.0.0",
+          "integrity": "sha512-sY22aA6xchAzprjyqmSEQv4UbAAzRN0L2dQB0NlN5acTTK9Don6nhoc3eAbUnpZiCANAMfd/+40kVdKfFygohg==",
+          "dev": true
+        },
+        "hosted-git-info": {
+          "version": "4.0.2",
+          "integrity": "sha512-c9OGXbZ3guC/xOlCg1Ci/VgWlwsqDv1yMQL1CWqXDL0hDjXuNcq0zuR4xqPSuasI3kqFDhqSyTjREz5gzq0fXg==",
+          "dev": true,
+          "requires": {
+            "lru-cache": "^6.0.0"
+          }
+        },
+        "import-lazy": {
+          "version": "4.0.0",
+          "integrity": "sha512-rKtvo6a868b5Hu3heneU+L4yEQ4jYKLtjpnPeUdK7h0yzXGmyBTypknlkCvHFBqfX9YlorEiMM6Dnq/5atfHkw==",
+          "dev": true
+        },
+        "locate-path": {
+          "version": "5.0.0",
+          "integrity": "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==",
+          "dev": true,
+          "requires": {
+            "p-locate": "^4.1.0"
+          }
+        },
+        "map-obj": {
+          "version": "4.3.0",
+          "integrity": "sha512-hdN1wVrZbb29eBGiGjJbeP8JbKjq1urkHJ/LIP/NY48MZ1QVXUsQBV1G1zvYFHn1XE06cwjBsOI2K3Ulnj1YXQ==",
+          "dev": true
+        },
+        "meow": {
+          "version": "8.1.2",
+          "integrity": "sha512-r85E3NdZ+mpYk1C6RjPFEMSE+s1iZMuHtsHAqY0DT3jZczl0diWUZ8g6oU7h0M9cD2EL+PzaYghhCLzR0ZNn5Q==",
+          "dev": true,
+          "requires": {
+            "@types/minimist": "^1.2.0",
+            "camelcase-keys": "^6.2.2",
+            "decamelize-keys": "^1.1.0",
+            "hard-rejection": "^2.1.0",
+            "minimist-options": "4.1.0",
+            "normalize-package-data": "^3.0.0",
+            "read-pkg-up": "^7.0.1",
+            "redent": "^3.0.0",
+            "trim-newlines": "^3.0.0",
+            "type-fest": "^0.18.0",
+            "yargs-parser": "^20.2.3"
+          }
+        },
+        "normalize-package-data": {
+          "version": "3.0.3",
+          "integrity": "sha512-p2W1sgqij3zMMyRC067Dg16bfzVH+w7hyegmpIvZ4JNjqtGOVAIvLmjBx3yP7YTe9vKJgkoNOPjwQGogDoMXFA==",
+          "dev": true,
+          "requires": {
+            "hosted-git-info": "^4.0.1",
+            "is-core-module": "^2.5.0",
+            "semver": "^7.3.4",
+            "validate-npm-package-license": "^3.0.1"
+          }
+        },
+        "p-limit": {
+          "version": "2.3.0",
+          "integrity": "sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==",
+          "dev": true,
+          "requires": {
+            "p-try": "^2.0.0"
+          }
+        },
+        "p-locate": {
+          "version": "4.1.0",
+          "integrity": "sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==",
+          "dev": true,
+          "requires": {
+            "p-limit": "^2.2.0"
+          }
+        },
+        "path-exists": {
+          "version": "4.0.0",
+          "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==",
+          "dev": true
+        },
+        "postcss": {
+          "version": "7.0.39",
+          "integrity": "sha512-yioayjNbHn6z1/Bywyb2Y4s3yvDAeXGOyxqD+LnVOinq6Mdmd++SW2wUNVzavyyHxd6+DxzWGIuosg6P1Rj8uA==",
+          "dev": true,
+          "requires": {
+            "picocolors": "^0.2.1",
+            "source-map": "^0.6.1"
+          }
+        },
+        "read-pkg": {
+          "version": "5.2.0",
+          "integrity": "sha512-Ug69mNOpfvKDAc2Q8DRpMjjzdtrnv9HcSMX+4VsZxD1aZ6ZzrIE7rlzXBtWTyhULSMKg076AW6WR5iZpD0JiOg==",
+          "dev": true,
+          "requires": {
+            "@types/normalize-package-data": "^2.4.0",
+            "normalize-package-data": "^2.5.0",
+            "parse-json": "^5.0.0",
+            "type-fest": "^0.6.0"
+          },
+          "dependencies": {
+            "hosted-git-info": {
+              "version": "2.8.9",
+              "integrity": "sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==",
+              "dev": true
+            },
+            "normalize-package-data": {
+              "version": "2.5.0",
+              "integrity": "sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==",
+              "dev": true,
+              "requires": {
+                "hosted-git-info": "^2.1.4",
+                "resolve": "^1.10.0",
+                "semver": "2 || 3 || 4 || 5",
+                "validate-npm-package-license": "^3.0.1"
+              }
+            },
+            "semver": {
+              "version": "5.7.1",
+              "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ==",
+              "dev": true
+            },
+            "type-fest": {
+              "version": "0.6.0",
+              "integrity": "sha512-q+MB8nYR1KDLrgr4G5yemftpMC7/QLqVndBmEEdqzmNj5dcFOO4Oo8qlwZE3ULT3+Zim1F8Kq4cBnikNhlCMlg==",
+              "dev": true
+            }
+          }
+        },
+        "read-pkg-up": {
+          "version": "7.0.1",
+          "integrity": "sha512-zK0TB7Xd6JpCLmlLmufqykGE+/TlOePD6qKClNW7hHDKFh/J7/7gCWGR7joEQEW1bKq3a3yUZSObOoWLFQ4ohg==",
+          "dev": true,
+          "requires": {
+            "find-up": "^4.1.0",
+            "read-pkg": "^5.2.0",
+            "type-fest": "^0.8.1"
+          },
+          "dependencies": {
+            "type-fest": {
+              "version": "0.8.1",
+              "integrity": "sha512-4dbzIzqvjtgiM5rw1k5rEHtBANKmdudhGyBEajN01fEyhaAIhsoKNy6y7+IN93IfpFtwY9iqi7kD+xwKhQsNJA==",
+              "dev": true
+            }
+          }
+        },
+        "redent": {
+          "version": "3.0.0",
+          "integrity": "sha512-6tDA8g98We0zd0GvVeMT9arEOnTw9qM03L9cJXaCjrip1OO764RDBLBfrB4cwzNGDj5OA5ioymC9GkizgWJDUg==",
+          "dev": true,
+          "requires": {
+            "indent-string": "^4.0.0",
+            "strip-indent": "^3.0.0"
+          }
+        },
+        "resolve-from": {
+          "version": "5.0.0",
+          "integrity": "sha512-qYg9KP24dD5qka9J47d0aVky0N+b4fTU89LN9iDnjB5waksiC49rvMB0PrUJQGoTmH50XPiqOvAjDfaijGxYZw==",
+          "dev": true
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+          "dev": true
+        },
+        "strip-indent": {
+          "version": "3.0.0",
+          "integrity": "sha512-laJTa3Jb+VQpaC6DseHhF7dXVqHTfJPCRDaEbid/drOhgitgYku/letMUqOXFoWV0zIIUbjpdH2t+tYj4bQMRQ==",
+          "dev": true,
+          "requires": {
+            "min-indent": "^1.0.0"
+          }
+        },
+        "trim-newlines": {
+          "version": "3.0.1",
+          "integrity": "sha512-c1PTsA3tYrIsLGkJkzHF+w9F2EyxfXGo4UyJc4pFL++FMjnq0HJS69T3M7d//gKrFKwy429bouPescbjecU+Zw==",
+          "dev": true
+        },
+        "type-fest": {
+          "version": "0.18.1",
+          "integrity": "sha512-OIAYXk8+ISY+qTOwkHtKqzAuxchoMiD9Udx+FSGQDuiRR+PJKJHc2NJAXlbhkGwTt/4/nKZxELY1w3ReWOL8mw==",
+          "dev": true
+        }
+      }
+    },
+    "stylelint-config-css-modules": {
+      "version": "2.2.0",
+      "integrity": "sha512-+zjcDbot+zbuxy1UA31k4G2lUG+nHUwnLyii3uT2F09B8kT2YrT9LZYNfMtAWlDidrxr7sFd5HX9EqPHGU3WKA==",
+      "dev": true,
+      "requires": {}
+    },
+    "stylelint-config-prettier": {
+      "version": "8.0.2",
+      "integrity": "sha512-TN1l93iVTXpF9NJstlvP7nOu9zY2k+mN0NSFQ/VEGz15ZIP9ohdDZTtCWHs5LjctAhSAzaILULGbgiM0ItId3A==",
+      "dev": true,
+      "requires": {}
+    },
+    "stylelint-config-recommended": {
+      "version": "3.0.0",
+      "integrity": "sha512-F6yTRuc06xr1h5Qw/ykb2LuFynJ2IxkKfCMf+1xqPffkxh0S09Zc902XCffcsw/XMFq/OzQ1w54fLIDtmRNHnQ==",
+      "dev": true,
+      "requires": {}
+    },
+    "stylelint-config-standard": {
+      "version": "20.0.0",
+      "integrity": "sha512-IB2iFdzOTA/zS4jSVav6z+wGtin08qfj+YyExHB3LF9lnouQht//YyB0KZq9gGz5HNPkddHOzcY8HsUey6ZUlA==",
+      "dev": true,
+      "requires": {
+        "stylelint-config-recommended": "^3.0.0"
+      }
+    },
+    "stylelint-media-use-custom-media": {
+      "version": "2.0.0",
+      "integrity": "sha512-G7Hwma8HIMFJOChqrX9ie8hAGbtEMUbEjuiaR3olHIXjloDWqYlFHIJKsCyyckigkm+4LtCwtZDQASrVY4pRBg==",
+      "dev": true,
+      "requires": {}
+    },
+    "stylelint-order": {
+      "version": "4.1.0",
+      "integrity": "sha512-sVTikaDvMqg2aJjh4r48jsdfmqLT+nqB1MOsaBnvM3OwLx4S+WXcsxsgk5w18h/OZoxZCxuyXMh61iBHcj9Qiw==",
+      "dev": true,
+      "requires": {
+        "lodash": "^4.17.15",
+        "postcss": "^7.0.31",
+        "postcss-sorting": "^5.0.1"
+      },
+      "dependencies": {
+        "postcss": {
+          "version": "7.0.39",
+          "integrity": "sha512-yioayjNbHn6z1/Bywyb2Y4s3yvDAeXGOyxqD+LnVOinq6Mdmd++SW2wUNVzavyyHxd6+DxzWGIuosg6P1Rj8uA==",
+          "dev": true,
+          "requires": {
+            "picocolors": "^0.2.1",
+            "source-map": "^0.6.1"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+          "dev": true
+        }
+      }
+    },
+    "stylelint-use-nesting": {
+      "version": "3.0.0",
+      "integrity": "sha512-BMzhXWbK5DdAYtZMQULn7VmWZXpy8Rwlx2PgeNYqKInQrKTJWM/TFKPScc+xvsGUc/6JPiUDeQQij9gFnOo8Kg==",
+      "dev": true,
+      "requires": {}
+    },
+    "stylelint-value-no-unknown-custom-properties": {
+      "version": "3.0.0",
+      "integrity": "sha512-8WoOnZ4ELTxA1cDbhwolIVOutxHwbjpXmd0lL0Li3Iye078jSnEb1KO6pJ/ig5oDVGRApFeA25Fyy4qqmqwGgg==",
+      "dev": true,
+      "requires": {
+        "postcss-values-parser": "^3.2.1"
+      }
+    },
+    "sugarss": {
+      "version": "2.0.0",
+      "integrity": "sha512-WfxjozUk0UVA4jm+U1d736AUpzSrNsQcIbyOkoE364GrtWmIrFdk5lksEupgWMD4VaT/0kVx1dobpiDumSgmJQ==",
+      "dev": true,
+      "requires": {
+        "postcss": "^7.0.2"
+      },
+      "dependencies": {
+        "postcss": {
+          "version": "7.0.39",
+          "integrity": "sha512-yioayjNbHn6z1/Bywyb2Y4s3yvDAeXGOyxqD+LnVOinq6Mdmd++SW2wUNVzavyyHxd6+DxzWGIuosg6P1Rj8uA==",
+          "dev": true,
+          "requires": {
+            "picocolors": "^0.2.1",
+            "source-map": "^0.6.1"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+          "dev": true
+        }
+      }
+    },
+    "supports-color": {
+      "version": "7.2.0",
+      "integrity": "sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==",
+      "dev": true,
+      "requires": {
+        "has-flag": "^4.0.0"
+      }
+    },
+    "supports-hyperlinks": {
+      "version": "2.2.0",
+      "integrity": "sha512-6sXEzV5+I5j8Bmq9/vUphGRM/RJNT9SCURJLjwfOg51heRtguGWDzcaBlgAzKhQa0EVNpPEKzQuBwZ8S8WaCeQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "has-flag": "^4.0.0",
+        "supports-color": "^7.0.0"
+      }
+    },
+    "supports-preserve-symlinks-flag": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz",
+      "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==",
+      "dev": true
+    },
+    "svg-tags": {
+      "version": "1.0.0",
+      "integrity": "sha1-WPcc7jvVGbWdSyqEO2x95krAR2Q=",
+      "dev": true
+    },
+    "symbol-tree": {
+      "version": "3.2.4",
+      "integrity": "sha512-9QNk5KwDF+Bvz+PyObkmSYjI5ksVUYtjW7AU22r2NKcfLJcXp96hkDWU3+XndOsUb+AQ9QhfzfCT2O+CNWT5Tw==",
+      "dev": true,
+      "peer": true
+    },
+    "synckit": {
+      "version": "0.8.4",
+      "resolved": "https://registry.npmjs.org/synckit/-/synckit-0.8.4.tgz",
+      "integrity": "sha512-Dn2ZkzMdSX827QbowGbU/4yjWuvNaCoScLLoMo/yKbu+P4GBR6cRGKZH27k6a9bRzdqcyd1DE96pQtQ6uNkmyw==",
+      "dev": true,
+      "requires": {
+        "@pkgr/utils": "^2.3.1",
+        "tslib": "^2.4.0"
+      }
+    },
+    "table": {
+      "version": "6.7.2",
+      "integrity": "sha512-UFZK67uvyNivLeQbVtkiUs8Uuuxv24aSL4/Vil2PJVtMgU8Lx0CYkP12uCGa3kjyQzOSgV1+z9Wkb82fCGsO0g==",
+      "dev": true,
+      "requires": {
+        "ajv": "^8.0.1",
+        "lodash.clonedeep": "^4.5.0",
+        "lodash.truncate": "^4.4.2",
+        "slice-ansi": "^4.0.0",
+        "string-width": "^4.2.3",
+        "strip-ansi": "^6.0.1"
+      },
+      "dependencies": {
+        "ajv": {
+          "version": "8.6.3",
+          "integrity": "sha512-SMJOdDP6LqTkD0Uq8qLi+gMwSt0imXLSV080qFVwJCpH9U6Mb+SUGHAXM0KNbcBPguytWyvFxcHgMLe2D2XSpw==",
+          "dev": true,
+          "requires": {
+            "fast-deep-equal": "^3.1.1",
+            "json-schema-traverse": "^1.0.0",
+            "require-from-string": "^2.0.2",
+            "uri-js": "^4.2.2"
+          }
+        },
+        "json-schema-traverse": {
+          "version": "1.0.0",
+          "integrity": "sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug==",
+          "dev": true
+        },
+        "slice-ansi": {
+          "version": "4.0.0",
+          "integrity": "sha512-qMCMfhY040cVHT43K9BFygqYbUPFZKHOg7K73mtTWJRb8pyP3fzf4Ixd5SzdEJQ6MRUg/WBnOLxghZtKKurENQ==",
+          "dev": true,
+          "requires": {
+            "ansi-styles": "^4.0.0",
+            "astral-regex": "^2.0.0",
+            "is-fullwidth-code-point": "^3.0.0"
+          }
+        }
+      }
+    },
+    "tapable": {
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.2.1.tgz",
+      "integrity": "sha512-GNzQvQTOIP6RyTfE2Qxb8ZVlNmw0n88vp1szwWRimP02mnTsx3Wtn5qRdqY9w2XduFNUgvOwhNnQsjwCp+kqaQ==",
+      "dev": true
+    },
+    "terminal-link": {
+      "version": "2.1.1",
+      "integrity": "sha512-un0FmiRUQNr5PJqy9kP7c40F5BOfpGlYTrxonDChEZB7pzZxRNp/bt+ymiy9/npwXya9KH99nJ/GXFIiUkYGFQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "ansi-escapes": "^4.2.1",
+        "supports-hyperlinks": "^2.0.0"
+      }
+    },
+    "test-exclude": {
+      "version": "6.0.0",
+      "integrity": "sha512-cAGWPIyOHU6zlmg88jwm7VRyXnMN7iV68OGAbYDk/Mh/xC/pzVPlQtY6ngoIH/5/tciuhGfvESU8GrHrcxD56w==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@istanbuljs/schema": "^0.1.2",
+        "glob": "^7.1.4",
+        "minimatch": "^3.0.4"
+      }
+    },
+    "text-table": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/text-table/-/text-table-0.2.0.tgz",
+      "integrity": "sha512-N+8UisAXDGk8PFXP4HAzVR9nbfmVJ3zYLAWiTIoqC5v5isinhr+r5uaO8+7r3BMfuNIufIsA7RdpVgacC2cSpw==",
+      "dev": true
+    },
+    "throat": {
+      "version": "5.0.0",
+      "integrity": "sha512-fcwX4mndzpLQKBS1DVYhGAcYaYt7vsHNIvQV+WXMvnow5cgjPphq5CaayLaGsjRdSCKZFNGt7/GYAuXaNOiYCA==",
+      "dev": true,
+      "peer": true
+    },
+    "through": {
+      "version": "2.3.8",
+      "integrity": "sha1-DdTJ/6q8NXlgsbckEV1+Doai4fU=",
+      "dev": true
+    },
+    "tiny-glob": {
+      "version": "0.2.9",
+      "resolved": "https://registry.npmjs.org/tiny-glob/-/tiny-glob-0.2.9.tgz",
+      "integrity": "sha512-g/55ssRPUjShh+xkfx9UPDXqhckHEsHr4Vd9zX55oSdGZc/MD0m3sferOkwWtp98bv+kcVfEHtRJgBVJzelrzg==",
+      "dev": true,
+      "requires": {
+        "globalyzer": "0.1.0",
+        "globrex": "^0.1.2"
+      }
+    },
+    "tlds": {
+      "version": "1.224.0",
+      "integrity": "sha512-Jgdc8SEijbDFUsmCn6Wk/f7E6jBLFZOG3U1xK0amGSfEH55Xx97ItUS/d2NngsuApjn11UeWCWj8Um3VRhseZQ==",
+      "dev": true
+    },
+    "tmp": {
+      "version": "0.0.33",
+      "integrity": "sha512-jRCJlojKnZ3addtTOjdIqoRuPEKBvNXcGYqzO6zWZX8KfKEpnGY5jfggJQ3EjKuu8D4bJRr0y+cYJFmYbImXGw==",
+      "dev": true,
+      "requires": {
+        "os-tmpdir": "~1.0.2"
+      }
+    },
+    "tmpl": {
+      "version": "1.0.5",
+      "integrity": "sha512-3f0uOEAQwIqGuWW2MVzYg8fV/QNnc/IpuJNG837rLuczAaLVHslWHZQj4IGiEl5Hs3kkbhwL9Ab7Hrsmuj+Smw==",
+      "dev": true,
+      "peer": true
+    },
+    "to-fast-properties": {
+      "version": "2.0.0",
+      "integrity": "sha1-3F5pjL0HkmW8c+A3doGk5Og/YW4=",
+      "dev": true
+    },
+    "to-object-path": {
+      "version": "0.3.0",
+      "integrity": "sha1-KXWIt7Dn4KwI4E5nL4XB9JmeF68=",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "kind-of": "^3.0.2"
+      },
+      "dependencies": {
+        "is-buffer": {
+          "version": "1.1.6",
+          "integrity": "sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==",
+          "dev": true,
+          "peer": true
+        },
+        "kind-of": {
+          "version": "3.2.2",
+          "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "is-buffer": "^1.1.5"
+          }
+        }
+      }
+    },
+    "to-regex": {
+      "version": "3.0.2",
+      "integrity": "sha512-FWtleNAtZ/Ki2qtqej2CXTOayOH9bHDQF+Q48VpWyDXjbYxA4Yz8iDB31zXOBUlOHHKidDbqGVrTUvQMPmBGBw==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "define-property": "^2.0.2",
+        "extend-shallow": "^3.0.2",
+        "regex-not": "^1.0.2",
+        "safe-regex": "^1.1.0"
+      },
+      "dependencies": {
+        "extend-shallow": {
+          "version": "3.0.2",
+          "integrity": "sha1-Jqcarwc7OfshJxcnRhMcJwQCjbg=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "assign-symbols": "^1.0.0",
+            "is-extendable": "^1.0.1"
+          }
+        },
+        "is-extendable": {
+          "version": "1.0.1",
+          "integrity": "sha512-arnXMxT1hhoKo9k1LZdmlNyJdDDfy2v0fXjFlmok4+i8ul/6WlbVge9bhM74OpNPQPMGUToDtz+KXa1PneJxOA==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "is-plain-object": "^2.0.4"
+          }
+        }
+      }
+    },
+    "to-regex-range": {
+      "version": "5.0.1",
+      "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==",
+      "dev": true,
+      "requires": {
+        "is-number": "^7.0.0"
+      }
+    },
+    "tough-cookie": {
+      "version": "4.0.0",
+      "integrity": "sha512-tHdtEpQCMrc1YLrMaqXXcj6AxhYi/xgit6mZu1+EDWUn+qhUf8wMQoFIy9NXuq23zAwtcB0t/MjACGR18pcRbg==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "psl": "^1.1.33",
+        "punycode": "^2.1.1",
+        "universalify": "^0.1.2"
+      },
+      "dependencies": {
+        "punycode": {
+          "version": "2.1.1",
+          "integrity": "sha512-XRsRjdf+j5ml+y/6GKHPZbrF/8p2Yga0JPtdqTIY2Xe5ohJPD9saDJJLPvp9+NSBprVvevdXZybnj2cv8OEd0A==",
+          "dev": true,
+          "peer": true
+        },
+        "universalify": {
+          "version": "0.1.2",
+          "integrity": "sha512-rBJeI5CXAlmy1pV+617WB9J63U6XcazHHF2f2dbJix4XzpUF0RS3Zbj0FGIOCAva5P/d/GBOYaACQ1w+0azUkg==",
+          "dev": true,
+          "peer": true
+        }
+      }
+    },
+    "tr46": {
+      "version": "2.1.0",
+      "integrity": "sha512-15Ih7phfcdP5YxqiB+iDtLoaTz4Nd35+IiAv0kQ5FNKHzXgdWqPoTIqEDDJmXceQt4JZk6lVPT8lnDlPpGDppw==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "punycode": "^2.1.1"
+      },
+      "dependencies": {
+        "punycode": {
+          "version": "2.1.1",
+          "integrity": "sha512-XRsRjdf+j5ml+y/6GKHPZbrF/8p2Yga0JPtdqTIY2Xe5ohJPD9saDJJLPvp9+NSBprVvevdXZybnj2cv8OEd0A==",
+          "dev": true,
+          "peer": true
+        }
+      }
+    },
+    "trim": {
+      "version": "0.0.1",
+      "resolved": "https://registry.npmjs.org/trim/-/trim-0.0.1.tgz",
+      "integrity": "sha512-YzQV+TZg4AxpKxaTHK3c3D+kRDCGVEE7LemdlQZoQXn0iennk10RsIoY6ikzAqJTc9Xjl9C1/waHom/J86ziAQ==",
+      "dev": true
+    },
+    "trim-trailing-lines": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/trim-trailing-lines/-/trim-trailing-lines-1.1.4.tgz",
+      "integrity": "sha512-rjUWSqnfTNrjbB9NQWfPMH/xRK1deHeGsHoVfpxJ++XeYXE0d6B1En37AHfw3jtfTU7dzMzZL2jjpe8Qb5gLIQ==",
+      "dev": true
+    },
+    "trough": {
+      "version": "1.0.5",
+      "integrity": "sha512-rvuRbTarPXmMb79SmzEp8aqXNKcK+y0XaB298IXueQ8I2PsrATcPBCSPyK/dDNa2iWOhKlfNnOjdAOTBU/nkFA==",
+      "dev": true
+    },
+    "ts-jest": {
+      "version": "26.5.6",
+      "integrity": "sha512-rua+rCP8DxpA8b4DQD/6X2HQS8Zy/xzViVYfEs2OQu68tkCuKLV0Md8pmX55+W24uRIyAsf/BajRfxOs+R2MKA==",
+      "dev": true,
+      "requires": {
+        "bs-logger": "0.x",
+        "buffer-from": "1.x",
+        "fast-json-stable-stringify": "2.x",
+        "jest-util": "^26.1.0",
+        "json5": "2.x",
+        "lodash": "4.x",
+        "make-error": "1.x",
+        "mkdirp": "1.x",
+        "semver": "7.x",
+        "yargs-parser": "20.x"
+      },
+      "dependencies": {
+        "mkdirp": {
+          "version": "1.0.4",
+          "integrity": "sha512-vVqVZQyf3WLx2Shd0qJ9xuvqgAyKPLAiqITEtqW0oIUjzo3PePDd6fW9iFz30ef7Ysp/oiWqbhszeGWW2T6Gzw==",
+          "dev": true
+        }
+      }
+    },
+    "tsconfig-paths": {
+      "version": "3.14.1",
+      "resolved": "https://registry.npmjs.org/tsconfig-paths/-/tsconfig-paths-3.14.1.tgz",
+      "integrity": "sha512-fxDhWnFSLt3VuTwtvJt5fpwxBHg5AdKWMsgcPOOIilyjymcYVZoCQF8fvFRezCNfblEXmi+PcM1eYHeOAgXCOQ==",
+      "dev": true,
+      "requires": {
+        "@types/json5": "^0.0.29",
+        "json5": "^1.0.1",
+        "minimist": "^1.2.6",
+        "strip-bom": "^3.0.0"
+      },
+      "dependencies": {
+        "json5": {
+          "version": "1.0.2",
+          "resolved": "https://registry.npmjs.org/json5/-/json5-1.0.2.tgz",
+          "integrity": "sha512-g1MWMLBiz8FKi1e4w0UyVL3w+iJceWAFBAaBnnGKOpNa5f8TLktkbre1+s6oICydWAm+HRUGTmI+//xv2hvXYA==",
+          "dev": true,
+          "requires": {
+            "minimist": "^1.2.0"
+          }
+        },
+        "strip-bom": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/strip-bom/-/strip-bom-3.0.0.tgz",
+          "integrity": "sha512-vavAMRXOgBVNF6nyEEmL3DBK19iRpDcoIwW+swQ+CbGiu7lju6t+JklA1MHweoWtadgt4ISVUsXLyDq34ddcwA==",
+          "dev": true
+        }
+      }
+    },
+    "tslib": {
+      "version": "2.4.0",
+      "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.4.0.tgz",
+      "integrity": "sha512-d6xOpEDfsi2CZVlPQzGeux8XMwLT9hssAsaPYExaQMuYskwb+x1x7J371tWlbBdWHroy99KnVB6qIkUbs5X3UQ==",
+      "dev": true
+    },
+    "tsutils": {
+      "version": "3.21.0",
+      "resolved": "https://registry.npmjs.org/tsutils/-/tsutils-3.21.0.tgz",
+      "integrity": "sha512-mHKK3iUXL+3UF6xL5k0PEhKRUBKPBCv/+RkEOpjRWxxx27KKRBmmA60A9pgOUvMi8GKhRMPEmjBRPzs2W7O1OA==",
+      "dev": true,
+      "requires": {
+        "tslib": "^1.8.1"
+      },
+      "dependencies": {
+        "tslib": {
+          "version": "1.14.1",
+          "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz",
+          "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg==",
+          "dev": true
+        }
+      }
+    },
+    "type-check": {
+      "version": "0.4.0",
+      "resolved": "https://registry.npmjs.org/type-check/-/type-check-0.4.0.tgz",
+      "integrity": "sha512-XleUoc9uwGXqjWwXaUTZAmzMcFZ5858QA2vvx1Ur5xIcixXIP+8LnFDgRplU30us6teqdlskFfu+ae4K79Ooew==",
+      "dev": true,
+      "requires": {
+        "prelude-ls": "^1.2.1"
+      }
+    },
+    "type-detect": {
+      "version": "4.0.8",
+      "integrity": "sha512-0fr/mIH1dlO+x7TlcMy+bIDqKPsw/70tVyeHW787goQjhmqaZe10uwLujubK9q9Lg6Fiho1KUKDYz0Z7k7g5/g==",
+      "dev": true,
+      "peer": true
+    },
+    "type-fest": {
+      "version": "0.21.3",
+      "integrity": "sha512-t0rzBq87m3fVcduHDUFhKmyyX+9eo6WQjZvf51Ea/M0Q7+T374Jp1aUiyUl0GKxp8M/OETVHSDvmkyPgvX+X2w==",
+      "dev": true
+    },
+    "typed-array-length": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/typed-array-length/-/typed-array-length-1.0.4.tgz",
+      "integrity": "sha512-KjZypGq+I/H7HI5HlOoGHkWUUGq+Q0TPhQurLbyrVrvnKTBgzLhIJ7j6J/XTQOi0d1RjyZ0wdas8bKs2p0x3Ng==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2",
+        "for-each": "^0.3.3",
+        "is-typed-array": "^1.1.9"
+      }
+    },
+    "typedarray-to-buffer": {
+      "version": "3.1.5",
+      "integrity": "sha512-zdu8XMNEDepKKR+XYOXAVPtWui0ly0NtohUscw+UmaHiAWT8hrV1rr//H6V+0DvJ3OQ19S979M0laLfX8rm82Q==",
+      "dev": true,
+      "requires": {
+        "is-typedarray": "^1.0.0"
+      }
+    },
+    "typescript": {
+      "version": "4.4.3",
+      "integrity": "sha512-4xfscpisVgqqDfPaJo5vkd+Qd/ItkoagnHpufr+i2QCHBsNYp+G7UAoyFl8aPtx879u38wPV65rZ8qbGZijalA==",
+      "dev": true,
+      "peer": true
+    },
+    "unbox-primitive": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/unbox-primitive/-/unbox-primitive-1.0.2.tgz",
+      "integrity": "sha512-61pPlCD9h51VoreyJ0BReideM3MDKMKnh6+V9L08331ipq6Q8OFXZYiqP6n/tbHx4s5I9uRhcye6BrbkizkBDw==",
+      "dev": true,
+      "requires": {
+        "call-bind": "^1.0.2",
+        "has-bigints": "^1.0.2",
+        "has-symbols": "^1.0.3",
+        "which-boxed-primitive": "^1.0.2"
+      }
+    },
+    "unherit": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/unherit/-/unherit-1.1.3.tgz",
+      "integrity": "sha512-Ft16BJcnapDKp0+J/rqFC3Rrk6Y/Ng4nzsC028k2jdDII/rdZ7Wd3pPT/6+vIIxRagwRc9K0IUX0Ra4fKvw+WQ==",
+      "dev": true,
+      "requires": {
+        "inherits": "^2.0.0",
+        "xtend": "^4.0.0"
+      }
+    },
+    "unified": {
+      "version": "9.2.0",
+      "integrity": "sha512-vx2Z0vY+a3YoTj8+pttM3tiJHCwY5UFbYdiWrwBEbHmK8pvsPj2rtAX2BFfgXen8T39CJWblWRDT4L5WGXtDdg==",
+      "dev": true,
+      "requires": {
+        "bail": "^1.0.0",
+        "extend": "^3.0.0",
+        "is-buffer": "^2.0.0",
+        "is-plain-obj": "^2.0.0",
+        "trough": "^1.0.0",
+        "vfile": "^4.0.0"
+      },
+      "dependencies": {
+        "is-plain-obj": {
+          "version": "2.1.0",
+          "integrity": "sha512-YWnfyRwxL/+SsrWYfOpUtz5b3YD+nyfkHvjbcanzk8zgyO4ASD67uVMRt8k5bM4lLMDnXfriRhOpemw+NfT1eA==",
+          "dev": true
+        }
+      }
+    },
+    "unified-lint-rule": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/unified-lint-rule/-/unified-lint-rule-2.1.1.tgz",
+      "integrity": "sha512-vsLHyLZFstqtGse2gvrGwasOmH8M2y+r2kQMoDSWzSqUkQx2MjHjvZuGSv5FUaiv4RQO1bHRajy7lSGp7XWq5A==",
+      "dev": true,
+      "requires": {
+        "@types/unist": "^2.0.0",
+        "trough": "^2.0.0",
+        "unified": "^10.0.0",
+        "vfile": "^5.0.0"
+      },
+      "dependencies": {
+        "bail": {
+          "version": "2.0.2",
+          "resolved": "https://registry.npmjs.org/bail/-/bail-2.0.2.tgz",
+          "integrity": "sha512-0xO6mYd7JB2YesxDKplafRpsiOzPt9V02ddPCLbY1xYGPOX24NTyN50qnUxgCPcSoYMhKpAuBTjQoRZCAkUDRw==",
+          "dev": true
+        },
+        "is-plain-obj": {
+          "version": "4.1.0",
+          "resolved": "https://registry.npmjs.org/is-plain-obj/-/is-plain-obj-4.1.0.tgz",
+          "integrity": "sha512-+Pgi+vMuUNkJyExiMBt5IlFoMyKnr5zhJ4Uspz58WOhBF5QoIZkFyNHIbBAtHwzVAgk5RtndVNsDRN61/mmDqg==",
+          "dev": true
+        },
+        "trough": {
+          "version": "2.1.0",
+          "resolved": "https://registry.npmjs.org/trough/-/trough-2.1.0.tgz",
+          "integrity": "sha512-AqTiAOLcj85xS7vQ8QkAV41hPDIJ71XJB4RCUrzo/1GM2CQwhkJGaf9Hgr7BOugMRpgGUrqRg/DrBDl4H40+8g==",
+          "dev": true
+        },
+        "unified": {
+          "version": "10.1.2",
+          "resolved": "https://registry.npmjs.org/unified/-/unified-10.1.2.tgz",
+          "integrity": "sha512-pUSWAi/RAnVy1Pif2kAoeWNBa3JVrx0MId2LASj8G+7AiHWoKZNTomq6LG326T68U7/e263X6fTdcXIy7XnF7Q==",
+          "dev": true,
+          "requires": {
+            "@types/unist": "^2.0.0",
+            "bail": "^2.0.0",
+            "extend": "^3.0.0",
+            "is-buffer": "^2.0.0",
+            "is-plain-obj": "^4.0.0",
+            "trough": "^2.0.0",
+            "vfile": "^5.0.0"
+          }
+        },
+        "unist-util-stringify-position": {
+          "version": "3.0.3",
+          "resolved": "https://registry.npmjs.org/unist-util-stringify-position/-/unist-util-stringify-position-3.0.3.tgz",
+          "integrity": "sha512-k5GzIBZ/QatR8N5X2y+drfpWG8IDBzdnVj6OInRNWm1oXrzydiaAT2OQiA8DPRRZyAKb9b6I2a6PxYklZD0gKg==",
+          "dev": true,
+          "requires": {
+            "@types/unist": "^2.0.0"
+          }
+        },
+        "vfile": {
+          "version": "5.3.7",
+          "resolved": "https://registry.npmjs.org/vfile/-/vfile-5.3.7.tgz",
+          "integrity": "sha512-r7qlzkgErKjobAmyNIkkSpizsFPYiUPuJb5pNW1RB4JcYVZhs4lIbVqk8XPk033CV/1z8ss5pkax8SuhGpcG8g==",
+          "dev": true,
+          "requires": {
+            "@types/unist": "^2.0.0",
+            "is-buffer": "^2.0.0",
+            "unist-util-stringify-position": "^3.0.0",
+            "vfile-message": "^3.0.0"
+          }
+        },
+        "vfile-message": {
+          "version": "3.1.4",
+          "resolved": "https://registry.npmjs.org/vfile-message/-/vfile-message-3.1.4.tgz",
+          "integrity": "sha512-fa0Z6P8HUrQN4BZaX05SIVXic+7kE3b05PWAtPuYP9QLHsLKYR7/AlLW3NtOrpXRLeawpDLMsVkmk5DG0NXgWw==",
+          "dev": true,
+          "requires": {
+            "@types/unist": "^2.0.0",
+            "unist-util-stringify-position": "^3.0.0"
+          }
+        }
+      }
+    },
+    "union-value": {
+      "version": "1.0.1",
+      "integrity": "sha512-tJfXmxMeWYnczCVs7XAEvIV7ieppALdyepWMkHkwciRpZraG/xwT+s2JN8+pr1+8jCRf80FFzvr+MpQeeoF4Xg==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "arr-union": "^3.1.0",
+        "get-value": "^2.0.6",
+        "is-extendable": "^0.1.1",
+        "set-value": "^2.0.1"
+      }
+    },
+    "unist-util-find-all-after": {
+      "version": "3.0.2",
+      "integrity": "sha512-xaTC/AGZ0rIM2gM28YVRAFPIZpzbpDtU3dRmp7EXlNVA8ziQc4hY3H7BHXM1J49nEmiqc3svnqMReW+PGqbZKQ==",
+      "dev": true,
+      "requires": {
+        "unist-util-is": "^4.0.0"
+      }
+    },
+    "unist-util-is": {
+      "version": "4.1.0",
+      "integrity": "sha512-ZOQSsnce92GrxSqlnEEseX0gi7GH9zTJZ0p9dtu87WRb/37mMPO2Ilx1s/t9vBHrFhbgweUwb+t7cIn5dxPhZg==",
+      "dev": true
+    },
+    "unist-util-remove-position": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/unist-util-remove-position/-/unist-util-remove-position-2.0.1.tgz",
+      "integrity": "sha512-fDZsLYIe2uT+oGFnuZmy73K6ZxOPG/Qcm+w7jbEjaFcJgbQ6cqjs/eSPzXhsmGpAsWPkqZM9pYjww5QTn3LHMA==",
+      "dev": true,
+      "requires": {
+        "unist-util-visit": "^2.0.0"
+      },
+      "dependencies": {
+        "unist-util-visit": {
+          "version": "2.0.3",
+          "resolved": "https://registry.npmjs.org/unist-util-visit/-/unist-util-visit-2.0.3.tgz",
+          "integrity": "sha512-iJ4/RczbJMkD0712mGktuGpm/U4By4FfDonL7N/9tATGIF4imikjOuagyMY53tnZq3NP6BcmlrHhEKAfGWjh7Q==",
+          "dev": true,
+          "requires": {
+            "@types/unist": "^2.0.0",
+            "unist-util-is": "^4.0.0",
+            "unist-util-visit-parents": "^3.0.0"
+          }
+        },
+        "unist-util-visit-parents": {
+          "version": "3.1.1",
+          "resolved": "https://registry.npmjs.org/unist-util-visit-parents/-/unist-util-visit-parents-3.1.1.tgz",
+          "integrity": "sha512-1KROIZWo6bcMrZEwiH2UrXDyalAa0uqzWCxCJj6lPOvTve2WkfgCytoDTPaMnodXh1WrXOq0haVYHj99ynJlsg==",
+          "dev": true,
+          "requires": {
+            "@types/unist": "^2.0.0",
+            "unist-util-is": "^4.0.0"
+          }
+        }
+      }
+    },
+    "unist-util-stringify-position": {
+      "version": "2.0.3",
+      "integrity": "sha512-3faScn5I+hy9VleOq/qNbAd6pAx7iH5jYBMS9I1HgQVijz/4mv5Bvw5iw1sC/90CODiKo81G/ps8AJrISn687g==",
+      "dev": true,
+      "requires": {
+        "@types/unist": "^2.0.2"
+      }
+    },
+    "unist-util-visit": {
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/unist-util-visit/-/unist-util-visit-4.1.2.tgz",
+      "integrity": "sha512-MSd8OUGISqHdVvfY9TPhyK2VdUrPgxkUtWSuMHF6XAAFuL4LokseigBnZtPnJMu+FbynTkFNnFlyjxpVKujMRg==",
+      "dev": true,
+      "requires": {
+        "@types/unist": "^2.0.0",
+        "unist-util-is": "^5.0.0",
+        "unist-util-visit-parents": "^5.1.1"
+      },
+      "dependencies": {
+        "unist-util-is": {
+          "version": "5.2.0",
+          "resolved": "https://registry.npmjs.org/unist-util-is/-/unist-util-is-5.2.0.tgz",
+          "integrity": "sha512-Glt17jWwZeyqrFqOK0pF1Ded5U3yzJnFr8CG1GMjCWTp9zDo2p+cmD6pWbZU8AgM5WU3IzRv6+rBwhzsGh6hBQ==",
+          "dev": true
+        }
+      }
+    },
+    "unist-util-visit-parents": {
+      "version": "5.1.3",
+      "resolved": "https://registry.npmjs.org/unist-util-visit-parents/-/unist-util-visit-parents-5.1.3.tgz",
+      "integrity": "sha512-x6+y8g7wWMyQhL1iZfhIPhDAs7Xwbn9nRosDXl7qoPTSCy0yNxnKc+hWokFifWQIDGi154rdUqKvbCa4+1kLhg==",
+      "dev": true,
+      "requires": {
+        "@types/unist": "^2.0.0",
+        "unist-util-is": "^5.0.0"
+      },
+      "dependencies": {
+        "unist-util-is": {
+          "version": "5.2.0",
+          "resolved": "https://registry.npmjs.org/unist-util-is/-/unist-util-is-5.2.0.tgz",
+          "integrity": "sha512-Glt17jWwZeyqrFqOK0pF1Ded5U3yzJnFr8CG1GMjCWTp9zDo2p+cmD6pWbZU8AgM5WU3IzRv6+rBwhzsGh6hBQ==",
+          "dev": true
+        }
+      }
+    },
+    "universalify": {
+      "version": "1.0.0",
+      "integrity": "sha512-rb6X1W158d7pRQBg5gkR8uPaSfiids68LTJQYOtEUhoJUWBdaQHsuT/EUduxXYxcrt4r5PJ4fuHW1MHT6p0qug==",
+      "dev": true
+    },
+    "unset-value": {
+      "version": "1.0.0",
+      "integrity": "sha1-g3aHP30jNRef+x5vw6jtDfyKtVk=",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "has-value": "^0.3.1",
+        "isobject": "^3.0.0"
+      },
+      "dependencies": {
+        "has-value": {
+          "version": "0.3.1",
+          "integrity": "sha1-ex9YutpiyoJ+wKIHgCVlSEWZXh8=",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "get-value": "^2.0.3",
+            "has-values": "^0.1.4",
+            "isobject": "^2.0.0"
+          },
+          "dependencies": {
+            "isobject": {
+              "version": "2.1.0",
+              "integrity": "sha1-8GVWEJaj8dou9GJy+BXIQNh+DIk=",
+              "dev": true,
+              "peer": true,
+              "requires": {
+                "isarray": "1.0.0"
+              }
+            }
+          }
+        },
+        "has-values": {
+          "version": "0.1.4",
+          "integrity": "sha1-bWHeldkd/Km5oCCJrThL/49it3E=",
+          "dev": true,
+          "peer": true
+        }
+      }
+    },
+    "uri-js": {
+      "version": "4.4.1",
+      "integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==",
+      "dev": true,
+      "requires": {
+        "punycode": "^2.1.0"
+      },
+      "dependencies": {
+        "punycode": {
+          "version": "2.1.1",
+          "integrity": "sha512-XRsRjdf+j5ml+y/6GKHPZbrF/8p2Yga0JPtdqTIY2Xe5ohJPD9saDJJLPvp9+NSBprVvevdXZybnj2cv8OEd0A==",
+          "dev": true
+        }
+      }
+    },
+    "urix": {
+      "version": "0.1.0",
+      "integrity": "sha1-2pN/emLiH+wf0Y1Js1wpNQZ6bHI=",
+      "dev": true,
+      "peer": true
+    },
+    "url-regex": {
+      "version": "5.0.0",
+      "integrity": "sha512-O08GjTiAFNsSlrUWfqF1jH0H1W3m35ZyadHrGv5krdnmPPoxP27oDTqux/579PtaroiSGm5yma6KT1mHFH6Y/g==",
+      "dev": true,
+      "requires": {
+        "ip-regex": "^4.1.0",
+        "tlds": "^1.203.0"
+      }
+    },
+    "use": {
+      "version": "3.1.1",
+      "integrity": "sha512-cwESVXlO3url9YWlFW/TA9cshCEhtu7IKJ/p5soJ/gGpj7vbvFrAY/eIioQ6Dw23KjZhYgiIo8HOs1nQ2vr/oQ==",
+      "dev": true,
+      "peer": true
+    },
+    "use-sync-external-store": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/use-sync-external-store/-/use-sync-external-store-1.2.0.tgz",
+      "integrity": "sha512-eEgnFxGQ1Ife9bzYs6VLi8/4X6CObHMw9Qr9tPY43iKwsPw8xE8+EFsf/2cFZ5S3esXgpWgtSCtLNS41F+sKPA==",
+      "dev": true,
+      "requires": {}
+    },
+    "util-deprecate": {
+      "version": "1.0.2",
+      "integrity": "sha1-RQ1Nyfpw3nMnYvvS1KKJgUGaDM8=",
+      "dev": true
+    },
+    "uuid": {
+      "version": "8.3.2",
+      "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==",
+      "dev": true,
+      "optional": true,
+      "peer": true
+    },
+    "v8-compile-cache": {
+      "version": "2.3.0",
+      "integrity": "sha512-l8lCEmLcLYZh4nbunNZvQCJc5pv7+RCwa8q/LdUx8u7lsWvPDKmpodJAJNwkAhJC//dFY48KuIEmjtd4RViDrA==",
+      "dev": true
+    },
+    "v8-to-istanbul": {
+      "version": "7.1.2",
+      "integrity": "sha512-TxNb7YEUwkLXCQYeudi6lgQ/SZrzNO4kMdlqVxaZPUIUjCv6iSSypUQX70kNBSERpQ8fk48+d61FXk+tgqcWow==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "@types/istanbul-lib-coverage": "^2.0.1",
+        "convert-source-map": "^1.6.0",
+        "source-map": "^0.7.3"
+      },
+      "dependencies": {
+        "source-map": {
+          "version": "0.7.3",
+          "integrity": "sha512-CkCj6giN3S+n9qrYiBTX5gystlENnRW5jZeNLHpe6aue+SrHcG5VYwujhW9s4dY31mEGsxBDrHR6oI69fTXsaQ==",
+          "dev": true,
+          "peer": true
+        }
+      }
+    },
+    "validate-npm-package-license": {
+      "version": "3.0.4",
+      "integrity": "sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==",
+      "dev": true,
+      "requires": {
+        "spdx-correct": "^3.0.0",
+        "spdx-expression-parse": "^3.0.0"
+      }
+    },
+    "vfile": {
+      "version": "4.2.1",
+      "integrity": "sha512-O6AE4OskCG5S1emQ/4gl8zK586RqA3srz3nfK/Viy0UPToBc5Trp9BVFb1u0CjsKrAWwnpr4ifM/KBXPWwJbCA==",
+      "dev": true,
+      "requires": {
+        "@types/unist": "^2.0.0",
+        "is-buffer": "^2.0.0",
+        "unist-util-stringify-position": "^2.0.0",
+        "vfile-message": "^2.0.0"
+      }
+    },
+    "vfile-location": {
+      "version": "3.2.0",
+      "resolved": "https://registry.npmjs.org/vfile-location/-/vfile-location-3.2.0.tgz",
+      "integrity": "sha512-aLEIZKv/oxuCDZ8lkJGhuhztf/BW4M+iHdCwglA/eWc+vtuRFJj8EtgceYFX4LRjOhCAAiNHsKGssC6onJ+jbA==",
+      "dev": true
+    },
+    "vfile-matter": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/vfile-matter/-/vfile-matter-4.0.1.tgz",
+      "integrity": "sha512-ZeACdaxCOxhePpoLO4A5y/VgI9EuWBXu+sUk65aQ7lXBZDFg7X0tuOzigLJUtsQzazFt6K2m9SdlDxZdfL5vVg==",
+      "dev": true,
+      "requires": {
+        "is-buffer": "^2.0.0",
+        "vfile": "^5.0.0",
+        "yaml": "^2.0.0"
+      },
+      "dependencies": {
+        "unist-util-stringify-position": {
+          "version": "3.0.3",
+          "resolved": "https://registry.npmjs.org/unist-util-stringify-position/-/unist-util-stringify-position-3.0.3.tgz",
+          "integrity": "sha512-k5GzIBZ/QatR8N5X2y+drfpWG8IDBzdnVj6OInRNWm1oXrzydiaAT2OQiA8DPRRZyAKb9b6I2a6PxYklZD0gKg==",
+          "dev": true,
+          "requires": {
+            "@types/unist": "^2.0.0"
+          }
+        },
+        "vfile": {
+          "version": "5.3.7",
+          "resolved": "https://registry.npmjs.org/vfile/-/vfile-5.3.7.tgz",
+          "integrity": "sha512-r7qlzkgErKjobAmyNIkkSpizsFPYiUPuJb5pNW1RB4JcYVZhs4lIbVqk8XPk033CV/1z8ss5pkax8SuhGpcG8g==",
+          "dev": true,
+          "requires": {
+            "@types/unist": "^2.0.0",
+            "is-buffer": "^2.0.0",
+            "unist-util-stringify-position": "^3.0.0",
+            "vfile-message": "^3.0.0"
+          }
+        },
+        "vfile-message": {
+          "version": "3.1.4",
+          "resolved": "https://registry.npmjs.org/vfile-message/-/vfile-message-3.1.4.tgz",
+          "integrity": "sha512-fa0Z6P8HUrQN4BZaX05SIVXic+7kE3b05PWAtPuYP9QLHsLKYR7/AlLW3NtOrpXRLeawpDLMsVkmk5DG0NXgWw==",
+          "dev": true,
+          "requires": {
+            "@types/unist": "^2.0.0",
+            "unist-util-stringify-position": "^3.0.0"
+          }
+        },
+        "yaml": {
+          "version": "2.2.1",
+          "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.2.1.tgz",
+          "integrity": "sha512-e0WHiYql7+9wr4cWMx3TVQrNwejKaEe7/rHNmQmqRjazfOP5W8PB6Jpebb5o6fIapbz9o9+2ipcaTM2ZwDI6lw==",
+          "dev": true
+        }
+      }
+    },
+    "vfile-message": {
+      "version": "2.0.4",
+      "integrity": "sha512-DjssxRGkMvifUOJre00juHoP9DPWuzjxKuMDrhNbk2TdaYYBNMStsNhEOt3idrtI12VQYM/1+iM0KOzXi4pxwQ==",
+      "dev": true,
+      "requires": {
+        "@types/unist": "^2.0.0",
+        "unist-util-stringify-position": "^2.0.0"
+      }
+    },
+    "vfile-reporter": {
+      "version": "7.0.5",
+      "resolved": "https://registry.npmjs.org/vfile-reporter/-/vfile-reporter-7.0.5.tgz",
+      "integrity": "sha512-NdWWXkv6gcd7AZMvDomlQbK3MqFWL1RlGzMn++/O2TI+68+nqxCPTvLugdOtfSzXmjh+xUyhp07HhlrbJjT+mw==",
+      "dev": true,
+      "requires": {
+        "@types/supports-color": "^8.0.0",
+        "string-width": "^5.0.0",
+        "supports-color": "^9.0.0",
+        "unist-util-stringify-position": "^3.0.0",
+        "vfile": "^5.0.0",
+        "vfile-message": "^3.0.0",
+        "vfile-sort": "^3.0.0",
+        "vfile-statistics": "^2.0.0"
+      },
+      "dependencies": {
+        "ansi-regex": {
+          "version": "6.0.1",
+          "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.0.1.tgz",
+          "integrity": "sha512-n5M855fKb2SsfMIiFFoVrABHJC8QtHwVx+mHWP3QcEqBHYienj5dHSgjbxtC0WEZXYt4wcD6zrQElDPhFuZgfA==",
+          "dev": true
+        },
+        "string-width": {
+          "version": "5.1.2",
+          "resolved": "https://registry.npmjs.org/string-width/-/string-width-5.1.2.tgz",
+          "integrity": "sha512-HnLOCR3vjcY8beoNLtcjZ5/nxn2afmME6lhrDrebokqMap+XbeW8n9TXpPDOqdGK5qcI3oT0GKTW6wC7EMiVqA==",
+          "dev": true,
+          "requires": {
+            "eastasianwidth": "^0.2.0",
+            "emoji-regex": "^9.2.2",
+            "strip-ansi": "^7.0.1"
+          }
+        },
+        "strip-ansi": {
+          "version": "7.0.1",
+          "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.0.1.tgz",
+          "integrity": "sha512-cXNxvT8dFNRVfhVME3JAe98mkXDYN2O1l7jmcwMnOslDeESg1rF/OZMtK0nRAhiari1unG5cD4jG3rapUAkLbw==",
+          "dev": true,
+          "requires": {
+            "ansi-regex": "^6.0.1"
+          }
+        },
+        "supports-color": {
+          "version": "9.3.1",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-9.3.1.tgz",
+          "integrity": "sha512-knBY82pjmnIzK3NifMo3RxEIRD9E0kIzV4BKcyTZ9+9kWgLMxd4PrsTSMoFQUabgRBbF8KOLRDCyKgNV+iK44Q==",
+          "dev": true
+        },
+        "unist-util-stringify-position": {
+          "version": "3.0.3",
+          "resolved": "https://registry.npmjs.org/unist-util-stringify-position/-/unist-util-stringify-position-3.0.3.tgz",
+          "integrity": "sha512-k5GzIBZ/QatR8N5X2y+drfpWG8IDBzdnVj6OInRNWm1oXrzydiaAT2OQiA8DPRRZyAKb9b6I2a6PxYklZD0gKg==",
+          "dev": true,
+          "requires": {
+            "@types/unist": "^2.0.0"
+          }
+        },
+        "vfile": {
+          "version": "5.3.7",
+          "resolved": "https://registry.npmjs.org/vfile/-/vfile-5.3.7.tgz",
+          "integrity": "sha512-r7qlzkgErKjobAmyNIkkSpizsFPYiUPuJb5pNW1RB4JcYVZhs4lIbVqk8XPk033CV/1z8ss5pkax8SuhGpcG8g==",
+          "dev": true,
+          "requires": {
+            "@types/unist": "^2.0.0",
+            "is-buffer": "^2.0.0",
+            "unist-util-stringify-position": "^3.0.0",
+            "vfile-message": "^3.0.0"
+          }
+        },
+        "vfile-message": {
+          "version": "3.1.4",
+          "resolved": "https://registry.npmjs.org/vfile-message/-/vfile-message-3.1.4.tgz",
+          "integrity": "sha512-fa0Z6P8HUrQN4BZaX05SIVXic+7kE3b05PWAtPuYP9QLHsLKYR7/AlLW3NtOrpXRLeawpDLMsVkmk5DG0NXgWw==",
+          "dev": true,
+          "requires": {
+            "@types/unist": "^2.0.0",
+            "unist-util-stringify-position": "^3.0.0"
+          }
+        }
+      }
+    },
+    "vfile-reporter-json": {
+      "version": "3.3.0",
+      "resolved": "https://registry.npmjs.org/vfile-reporter-json/-/vfile-reporter-json-3.3.0.tgz",
+      "integrity": "sha512-/zgRtjxQ2UGJn+HViiZ7+nIXtUzkkXFQum3BmaS/bSyr10P0X41ETRqqwMJ95RtbKUah3m7pKb6oS1eZeXXHzQ==",
+      "dev": true,
+      "requires": {
+        "vfile": "^5.0.0",
+        "vfile-message": "^3.0.0"
+      },
+      "dependencies": {
+        "unist-util-stringify-position": {
+          "version": "3.0.3",
+          "resolved": "https://registry.npmjs.org/unist-util-stringify-position/-/unist-util-stringify-position-3.0.3.tgz",
+          "integrity": "sha512-k5GzIBZ/QatR8N5X2y+drfpWG8IDBzdnVj6OInRNWm1oXrzydiaAT2OQiA8DPRRZyAKb9b6I2a6PxYklZD0gKg==",
+          "dev": true,
+          "requires": {
+            "@types/unist": "^2.0.0"
+          }
+        },
+        "vfile": {
+          "version": "5.3.7",
+          "resolved": "https://registry.npmjs.org/vfile/-/vfile-5.3.7.tgz",
+          "integrity": "sha512-r7qlzkgErKjobAmyNIkkSpizsFPYiUPuJb5pNW1RB4JcYVZhs4lIbVqk8XPk033CV/1z8ss5pkax8SuhGpcG8g==",
+          "dev": true,
+          "requires": {
+            "@types/unist": "^2.0.0",
+            "is-buffer": "^2.0.0",
+            "unist-util-stringify-position": "^3.0.0",
+            "vfile-message": "^3.0.0"
+          }
+        },
+        "vfile-message": {
+          "version": "3.1.4",
+          "resolved": "https://registry.npmjs.org/vfile-message/-/vfile-message-3.1.4.tgz",
+          "integrity": "sha512-fa0Z6P8HUrQN4BZaX05SIVXic+7kE3b05PWAtPuYP9QLHsLKYR7/AlLW3NtOrpXRLeawpDLMsVkmk5DG0NXgWw==",
+          "dev": true,
+          "requires": {
+            "@types/unist": "^2.0.0",
+            "unist-util-stringify-position": "^3.0.0"
+          }
+        }
+      }
+    },
+    "vfile-sort": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/vfile-sort/-/vfile-sort-3.0.1.tgz",
+      "integrity": "sha512-1os1733XY6y0D5x0ugqSeaVJm9lYgj0j5qdcZQFyxlZOSy1jYarL77lLyb5gK4Wqr1d5OxmuyflSO3zKyFnTFw==",
+      "dev": true,
+      "requires": {
+        "vfile": "^5.0.0",
+        "vfile-message": "^3.0.0"
+      },
+      "dependencies": {
+        "unist-util-stringify-position": {
+          "version": "3.0.3",
+          "resolved": "https://registry.npmjs.org/unist-util-stringify-position/-/unist-util-stringify-position-3.0.3.tgz",
+          "integrity": "sha512-k5GzIBZ/QatR8N5X2y+drfpWG8IDBzdnVj6OInRNWm1oXrzydiaAT2OQiA8DPRRZyAKb9b6I2a6PxYklZD0gKg==",
+          "dev": true,
+          "requires": {
+            "@types/unist": "^2.0.0"
+          }
+        },
+        "vfile": {
+          "version": "5.3.7",
+          "resolved": "https://registry.npmjs.org/vfile/-/vfile-5.3.7.tgz",
+          "integrity": "sha512-r7qlzkgErKjobAmyNIkkSpizsFPYiUPuJb5pNW1RB4JcYVZhs4lIbVqk8XPk033CV/1z8ss5pkax8SuhGpcG8g==",
+          "dev": true,
+          "requires": {
+            "@types/unist": "^2.0.0",
+            "is-buffer": "^2.0.0",
+            "unist-util-stringify-position": "^3.0.0",
+            "vfile-message": "^3.0.0"
+          }
+        },
+        "vfile-message": {
+          "version": "3.1.4",
+          "resolved": "https://registry.npmjs.org/vfile-message/-/vfile-message-3.1.4.tgz",
+          "integrity": "sha512-fa0Z6P8HUrQN4BZaX05SIVXic+7kE3b05PWAtPuYP9QLHsLKYR7/AlLW3NtOrpXRLeawpDLMsVkmk5DG0NXgWw==",
+          "dev": true,
+          "requires": {
+            "@types/unist": "^2.0.0",
+            "unist-util-stringify-position": "^3.0.0"
+          }
+        }
+      }
+    },
+    "vfile-statistics": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/vfile-statistics/-/vfile-statistics-2.0.1.tgz",
+      "integrity": "sha512-W6dkECZmP32EG/l+dp2jCLdYzmnDBIw6jwiLZSER81oR5AHRcVqL+k3Z+pfH1R73le6ayDkJRMk0sutj1bMVeg==",
+      "dev": true,
+      "requires": {
+        "vfile": "^5.0.0",
+        "vfile-message": "^3.0.0"
+      },
+      "dependencies": {
+        "unist-util-stringify-position": {
+          "version": "3.0.3",
+          "resolved": "https://registry.npmjs.org/unist-util-stringify-position/-/unist-util-stringify-position-3.0.3.tgz",
+          "integrity": "sha512-k5GzIBZ/QatR8N5X2y+drfpWG8IDBzdnVj6OInRNWm1oXrzydiaAT2OQiA8DPRRZyAKb9b6I2a6PxYklZD0gKg==",
+          "dev": true,
+          "requires": {
+            "@types/unist": "^2.0.0"
+          }
+        },
+        "vfile": {
+          "version": "5.3.7",
+          "resolved": "https://registry.npmjs.org/vfile/-/vfile-5.3.7.tgz",
+          "integrity": "sha512-r7qlzkgErKjobAmyNIkkSpizsFPYiUPuJb5pNW1RB4JcYVZhs4lIbVqk8XPk033CV/1z8ss5pkax8SuhGpcG8g==",
+          "dev": true,
+          "requires": {
+            "@types/unist": "^2.0.0",
+            "is-buffer": "^2.0.0",
+            "unist-util-stringify-position": "^3.0.0",
+            "vfile-message": "^3.0.0"
+          }
+        },
+        "vfile-message": {
+          "version": "3.1.4",
+          "resolved": "https://registry.npmjs.org/vfile-message/-/vfile-message-3.1.4.tgz",
+          "integrity": "sha512-fa0Z6P8HUrQN4BZaX05SIVXic+7kE3b05PWAtPuYP9QLHsLKYR7/AlLW3NtOrpXRLeawpDLMsVkmk5DG0NXgWw==",
+          "dev": true,
+          "requires": {
+            "@types/unist": "^2.0.0",
+            "unist-util-stringify-position": "^3.0.0"
+          }
+        }
+      }
+    },
+    "w3c-hr-time": {
+      "version": "1.0.2",
+      "integrity": "sha512-z8P5DvDNjKDoFIHK7q8r8lackT6l+jo/Ye3HOle7l9nICP9lf1Ci25fy9vHd0JOWewkIFzXIEig3TdKT7JQ5fQ==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "browser-process-hrtime": "^1.0.0"
+      }
+    },
+    "w3c-xmlserializer": {
+      "version": "2.0.0",
+      "integrity": "sha512-4tzD0mF8iSiMiNs30BiLO3EpfGLZUT2MSX/G+o7ZywDzliWQ3OPtTZ0PTC3B3ca1UAf4cJMHB+2Bf56EriJuRA==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "xml-name-validator": "^3.0.0"
+      }
+    },
+    "walker": {
+      "version": "1.0.7",
+      "integrity": "sha1-L3+bj9ENZ3JisYqITijRlhjgKPs=",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "makeerror": "1.0.x"
+      }
+    },
+    "webidl-conversions": {
+      "version": "6.1.0",
+      "integrity": "sha512-qBIvFLGiBpLjfwmYAaHPXsn+ho5xZnGvyGvsarywGNc8VyQJUMHJ8OBKGGrPER0okBeMDaan4mNBlgBROxuI8w==",
+      "dev": true,
+      "peer": true
+    },
+    "whatwg-encoding": {
+      "version": "1.0.5",
+      "integrity": "sha512-b5lim54JOPN9HtzvK9HFXvBma/rnfFeqsic0hSpjtDbVxR3dJKLc+KB4V6GgiGOvl7CY/KNh8rxSo9DKQrnUEw==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "iconv-lite": "0.4.24"
+      }
+    },
+    "whatwg-mimetype": {
+      "version": "2.3.0",
+      "integrity": "sha512-M4yMwr6mAnQz76TbJm914+gPpB/nCwvZbJU28cUD6dR004SAxDLOOSUaB1JDRqLtaOV/vi0IC5lEAGFgrjGv/g==",
+      "dev": true,
+      "peer": true
+    },
+    "whatwg-url": {
+      "version": "8.7.0",
+      "integrity": "sha512-gAojqb/m9Q8a5IV96E3fHJM70AzCkgt4uXYX2O7EmuyOnLrViCQlsEBmF9UQIu3/aeAIp2U17rtbpZWNntQqdg==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "lodash": "^4.7.0",
+        "tr46": "^2.1.0",
+        "webidl-conversions": "^6.1.0"
+      }
+    },
+    "which": {
+      "version": "2.0.2",
+      "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==",
+      "dev": true,
+      "requires": {
+        "isexe": "^2.0.0"
+      }
+    },
+    "which-boxed-primitive": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/which-boxed-primitive/-/which-boxed-primitive-1.0.2.tgz",
+      "integrity": "sha512-bwZdv0AKLpplFY2KZRX6TvyuN7ojjr7lwkg6ml0roIy9YeuSr7JS372qlNW18UQYzgYK9ziGcerWqZOmEn9VNg==",
+      "dev": true,
+      "requires": {
+        "is-bigint": "^1.0.1",
+        "is-boolean-object": "^1.1.0",
+        "is-number-object": "^1.0.4",
+        "is-string": "^1.0.5",
+        "is-symbol": "^1.0.3"
+      }
+    },
+    "which-collection": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/which-collection/-/which-collection-1.0.1.tgz",
+      "integrity": "sha512-W8xeTUwaln8i3K/cY1nGXzdnVZlidBcagyNFtBdD5kxnb4TvGKR7FfSIS3mYpwWS1QUCutfKz8IY8RjftB0+1A==",
+      "dev": true,
+      "requires": {
+        "is-map": "^2.0.1",
+        "is-set": "^2.0.1",
+        "is-weakmap": "^2.0.1",
+        "is-weakset": "^2.0.1"
+      }
+    },
+    "which-module": {
+      "version": "2.0.0",
+      "integrity": "sha1-2e8H3Od7mQK4o6j6SzHD4/fm6Ho=",
+      "dev": true,
+      "peer": true
+    },
+    "which-typed-array": {
+      "version": "1.1.9",
+      "resolved": "https://registry.npmjs.org/which-typed-array/-/which-typed-array-1.1.9.tgz",
+      "integrity": "sha512-w9c4xkx6mPidwp7180ckYWfMmvxpjlZuIudNtDf4N/tTAUB8VJbX25qZoAsrtGuYNnGw3pa0AXgbGKRB8/EceA==",
+      "dev": true,
+      "requires": {
+        "available-typed-arrays": "^1.0.5",
+        "call-bind": "^1.0.2",
+        "for-each": "^0.3.3",
+        "gopd": "^1.0.1",
+        "has-tostringtag": "^1.0.0",
+        "is-typed-array": "^1.1.10"
+      }
+    },
+    "word-wrap": {
+      "version": "1.2.3",
+      "integrity": "sha512-Hz/mrNwitNRh/HUAtM/VT/5VH+ygD6DV7mYKZAtHOrbs8U7lvPS6xf7EJKMF0uW1KJCl0H701g3ZGus+muE5vQ==",
+      "dev": true
+    },
+    "wrap-ansi": {
+      "version": "7.0.0",
+      "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==",
+      "dev": true,
+      "requires": {
+        "ansi-styles": "^4.0.0",
+        "string-width": "^4.1.0",
+        "strip-ansi": "^6.0.0"
+      }
+    },
+    "wrappy": {
+      "version": "1.0.2",
+      "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8=",
+      "dev": true
+    },
+    "write-file-atomic": {
+      "version": "3.0.3",
+      "integrity": "sha512-AvHcyZ5JnSfq3ioSyjrBkH9yW4m7Ayk8/9My/DD9onKeu/94fwrMocemO2QAJFAlnnDN+ZDS+ZjAR5ua1/PV/Q==",
+      "dev": true,
+      "requires": {
+        "imurmurhash": "^0.1.4",
+        "is-typedarray": "^1.0.0",
+        "signal-exit": "^3.0.2",
+        "typedarray-to-buffer": "^3.1.5"
+      }
+    },
+    "ws": {
+      "version": "7.5.5",
+      "integrity": "sha512-BAkMFcAzl8as1G/hArkxOxq3G7pjUqQ3gzYbLL0/5zNkph70e+lCoxBGnm6AW1+/aiNeV4fnKqZ8m4GZewmH2w==",
+      "dev": true,
+      "peer": true,
+      "requires": {}
+    },
+    "xml-name-validator": {
+      "version": "3.0.0",
+      "integrity": "sha512-A5CUptxDsvxKJEU3yO6DuWBSJz/qizqzJKOMIfUJHETbBw/sFaDxgd6fxm1ewUaM0jZ444Fc5vC5ROYurg/4Pw==",
+      "dev": true,
+      "peer": true
+    },
+    "xmlchars": {
+      "version": "2.2.0",
+      "integrity": "sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw==",
+      "dev": true,
+      "peer": true
+    },
+    "xtend": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/xtend/-/xtend-4.0.2.tgz",
+      "integrity": "sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==",
+      "dev": true
+    },
+    "y18n": {
+      "version": "4.0.3",
+      "integrity": "sha512-JKhqTOwSrqNA1NY5lSztJ1GrBiUodLMmIZuLiDaMRJ+itFd+ABVE8XBjOvIWL+rSqNDC74LCSFmlb/U4UZ4hJQ==",
+      "dev": true,
+      "peer": true
+    },
+    "yallist": {
+      "version": "4.0.0",
+      "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==",
+      "dev": true
+    },
+    "yaml": {
+      "version": "1.10.2",
+      "integrity": "sha512-r3vXyErRCYJ7wg28yvBY5VSoAF8ZvlcW9/BwUzEtUsjvX/DKs24dIkuwjtuprwJJHsbyUbLApepYTR1BN4uHrg==",
+      "dev": true
+    },
+    "yargs": {
+      "version": "15.4.1",
+      "integrity": "sha512-aePbxDmcYW++PaqBsJ+HYUFwCdv4LVvdnhBy78E57PIor8/OVvhMrADFFEDh8DHDFRv/O9i3lPhsENjO7QX0+A==",
+      "dev": true,
+      "peer": true,
+      "requires": {
+        "cliui": "^6.0.0",
+        "decamelize": "^1.2.0",
+        "find-up": "^4.1.0",
+        "get-caller-file": "^2.0.1",
+        "require-directory": "^2.1.1",
+        "require-main-filename": "^2.0.0",
+        "set-blocking": "^2.0.0",
+        "string-width": "^4.2.0",
+        "which-module": "^2.0.0",
+        "y18n": "^4.0.0",
+        "yargs-parser": "^18.1.2"
+      },
+      "dependencies": {
+        "find-up": {
+          "version": "4.1.0",
+          "integrity": "sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "locate-path": "^5.0.0",
+            "path-exists": "^4.0.0"
+          }
+        },
+        "locate-path": {
+          "version": "5.0.0",
+          "integrity": "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "p-locate": "^4.1.0"
+          }
+        },
+        "p-limit": {
+          "version": "2.3.0",
+          "integrity": "sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "p-try": "^2.0.0"
+          }
+        },
+        "p-locate": {
+          "version": "4.1.0",
+          "integrity": "sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "p-limit": "^2.2.0"
+          }
+        },
+        "path-exists": {
+          "version": "4.0.0",
+          "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==",
+          "dev": true,
+          "peer": true
+        },
+        "yargs-parser": {
+          "version": "18.1.3",
+          "integrity": "sha512-o50j0JeToy/4K6OZcaQmW6lyXXKhq7csREXcDwk2omFPJEwUNOVtJKvmDr9EI1fAJZUyZcRF7kxGBWmRXudrCQ==",
+          "dev": true,
+          "peer": true,
+          "requires": {
+            "camelcase": "^5.0.0",
+            "decamelize": "^1.2.0"
+          }
+        }
+      }
+    },
+    "yargs-parser": {
+      "version": "20.2.9",
+      "integrity": "sha512-y11nGElTIV+CT3Zv9t7VKl+Q3hTQoT9a1Qzezhhl6Rp21gJ/IVTW7Z3y9EWXhuUBC2Shnf+DX0antecpAwSP8w==",
+      "dev": true
+    },
+    "yocto-queue": {
+      "version": "0.1.0",
+      "resolved": "https://registry.npmjs.org/yocto-queue/-/yocto-queue-0.1.0.tgz",
+      "integrity": "sha512-rVksvsnNCdJ/ohGc6xgPwyN8eheCxsiLM8mxuE/t/mOVqJewPuO1miLpTHQiRgTKCLexL4MeAFVagts7HmNZ2Q==",
+      "dev": true
+    },
+    "zod": {
+      "version": "3.20.6",
+      "resolved": "https://registry.npmjs.org/zod/-/zod-3.20.6.tgz",
+      "integrity": "sha512-oyu0m54SGCtzh6EClBVqDDlAYRz4jrVtKwQ7ZnsEmMI9HnzuZFj8QFwAY1M5uniIYACdGvv0PBWPF2kO0aNofA==",
+      "dev": true
+    },
+    "zwitch": {
+      "version": "1.0.5",
+      "integrity": "sha512-V50KMwwzqJV0NpZIZFwfOD5/lyny3WlSzRiXgA0G7VUnRlqttta1L6UQIHzd6EuBY/cHGfwTIck7w1yH6Q5zUw==",
+      "dev": true
     }
-    return this.ajax(url, verb, {
-      data,
-      unauthenticated: true,
-    });
-  },
-
-  replicationAction(action, replicationMode, clusterMode, data) {
-    assert(
-      `${replicationMode} is an unsupported replication mode.`,
-      replicationMode && REPLICATION_MODES.includes(replicationMode)
-    );
-
-    const url =
-      action === 'recover' || action === 'reindex'
-        ? this.urlForReplication(replicationMode, null, action)
-        : this.urlForReplication(replicationMode, clusterMode, action);
-
-    return this.ajax(url, 'POST', { data });
-  },
-});
+  }
+}
diff --git a/ui/app/app.js b/ui/app/app.js
index a3dc4485811f..5e85e591969a 100644
--- a/ui/app/app.js
+++ b/ui/app/app.js
@@ -1,112 +1,37 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Application from '@ember/application';
-import Resolver from 'ember-resolver';
-import loadInitializers from 'ember-load-initializers';
-import config from 'vault/config/environment';
-
-export default class App extends Application {
-  modulePrefix = config.modulePrefix;
-  podModulePrefix = config.podModulePrefix;
-  Resolver = Resolver;
-  engines = {
-    openApiExplorer: {
-      dependencies: {
-        services: ['auth', 'flash-messages', 'namespace', 'router', 'version'],
-      },
-    },
-    replication: {
-      dependencies: {
-        services: ['auth', 'flash-messages', 'namespace', 'replication-mode', 'router', 'store', 'version'],
-        externalRoutes: {
-          replication: 'vault.cluster.replication.index',
-        },
-      },
-    },
-    kmip: {
-      dependencies: {
-        services: [
-          'auth',
-          'download',
-          'flash-messages',
-          'namespace',
-          'path-help',
-          'router',
-          'store',
-          'version',
-          'secret-mount-path',
-        ],
-        externalRoutes: {
-          secrets: 'vault.cluster.secrets.backends',
-        },
-      },
-    },
-    kubernetes: {
-      dependencies: {
-        services: ['router', 'store', 'secret-mount-path', 'flash-messages'],
-        externalRoutes: {
-          secrets: 'vault.cluster.secrets.backends',
-        },
-      },
-    },
-    ldap: {
-      dependencies: {
-        services: ['router', 'store', 'secret-mount-path', 'flash-messages', 'auth'],
-        externalRoutes: {
-          secrets: 'vault.cluster.secrets.backends',
-        },
-      },
-    },
-    kv: {
-      dependencies: {
-        services: [
-          'download',
-          'namespace',
-          'router',
-          'store',
-          'secret-mount-path',
-          'flash-messages',
-          'control-group',
-        ],
-        externalRoutes: {
-          secrets: 'vault.cluster.secrets.backends',
-          syncDestination: 'vault.cluster.sync.secrets.destinations.destination',
-        },
-      },
-    },
-    pki: {
-      dependencies: {
-        services: [
-          'auth',
-          'download',
-          'flash-messages',
-          'namespace',
-          'path-help',
-          'router',
-          'secret-mount-path',
-          'store',
-          'version',
-        ],
-        externalRoutes: {
-          secrets: 'vault.cluster.secrets.backends',
-          externalMountIssuer: 'vault.cluster.secrets.backend.pki.issuers.issuer.details',
-          secretsListRootConfiguration: 'vault.cluster.secrets.backend.configuration',
-        },
-      },
-    },
-    sync: {
-      dependencies: {
-        services: ['flash-messages', 'router', 'store', 'version'],
-        externalRoutes: {
-          kvSecretDetails: 'vault.cluster.secrets.backend.kv.secret.details',
-          clientCountDashboard: 'vault.cluster.clients.dashboard',
-        },
-      },
-    },
-  };
+{
+  "name": "vault-docs",
+  "description": "HashiCorp Vault documentation website",
+  "version": "1.0.0",
+  "author": "HashiCorp",
+  "devDependencies": {
+    "@hashicorp/platform-cli": "^2.6.0",
+    "@hashicorp/platform-content-conformance": "^0.0.9",
+    "dart-linkcheck": "2.0.15",
+    "next": "^12.3.1",
+    "prettier": "2.2.1",
+    "simple-git-hooks": "^2.6.1"
+  },
+  "engines": {
+    "npm": ">=7.0.0",
+    "node": ">=12.0.0 <= 18.x"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/hashicorp/vault",
+    "directory": "website"
+  },
+  "scripts": {
+    "build": "./scripts/website-build.sh",
+    "format": "next-hashicorp format",
+    "generate:component": "next-hashicorp generate component",
+    "generate:readme": "next-hashicorp markdown-blocks README.md",
+    "linkcheck": "linkcheck https://www.vaultproject.io",
+    "lint": "next-hashicorp lint",
+    "postinstall": "simple-git-hooks",
+    "start": "./scripts/website-start.sh",
+    "content-check": "hc-content --config base-docs"
+  },
+  "simple-git-hooks": {
+    "pre-commit": "cd website && ./node_modules/.bin/next-hashicorp precommit"
+  }
 }
-
-loadInitializers(App, config.modulePrefix);
diff --git a/ui/app/components/app-footer.hbs b/ui/app/components/app-footer.hbs
new file mode 100644
index 000000000000..f7b006f0f125
--- /dev/null
+++ b/ui/app/components/app-footer.hbs
@@ -0,0 +1,138 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*PatchCommand)(nil)
+	_ cli.CommandAutocomplete = (*PatchCommand)(nil)
+)
+
+// PatchCommand is a Command that puts data into the Vault.
+type PatchCommand struct {
+	*BaseCommand
+
+	flagForce bool
+
+	testStdin io.Reader // for tests
+}
+
+func (c *PatchCommand) Synopsis() string {
+	return "Patch data, configuration, and secrets"
+}
+
+func (c *PatchCommand) Help() string {
+	helpText := `
+Usage: vault patch [options] PATH [DATA K=V...]
+
+  Patches data in Vault at the given path. The data can be credentials, secrets,
+  configuration, or arbitrary data. The specific behavior of this command is
+  determined at the thing mounted at the path.
+
+  Data is specified as "key=value" pairs. If the value begins with an "@", then
+  it is loaded from a file. If the value is "-", Vault will read the value from
+  stdin.
+
+  Unlike write, patch will only modify specified fields.
+
+  Persist data in the generic secrets engine without modifying any other fields:
+
+      $ vault patch pki/roles/example allow_localhost=false
+
+  The data can also be consumed from a file on disk by prefixing with the "@"
+  symbol. For example:
+
+      $ vault patch pki/roles/example @role.json
+
+  Or it can be read from stdin using the "-" symbol:
+
+      $ echo "example.com" | vault patch pki/roles/example allowed_domains=-
+
+  For a full list of examples and paths, please see the documentation that
+  corresponds to the secret engines in use.
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *PatchCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
+	f := set.NewFlagSet("Command Options")
+
+	f.BoolVar(&BoolVar{
+		Name:       "force",
+		Aliases:    []string{"f"},
+		Target:     &c.flagForce,
+		Default:    false,
+		EnvVar:     "",
+		Completion: complete.PredictNothing,
+		Usage: "Allow the operation to continue with no key=value pairs. This " +
+			"allows writing to keys that do not need or expect data.",
+	})
+
+	return set
+}
+
+func (c *PatchCommand) AutocompleteArgs() complete.Predictor {
+	// Return an anything predictor here. Without a way to access help
+	// information, we don't know what paths we could patch.
+	return complete.PredictAnything
+}
+
+func (c *PatchCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *PatchCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) == 1 && !c.flagForce:
+		c.UI.Error("Must supply data or use -force")
+		return 1
+	}
+
+	// Pull our fake stdin if needed
+	stdin := (io.Reader)(os.Stdin)
+	if c.testStdin != nil {
+		stdin = c.testStdin
+	}
+
+	path := sanitizePath(args[0])
+
+	data, err := parseArgsData(stdin, args[1:])
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Failed to parse K=V data: %s", err))
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	secret, err := client.Logical().JSONMergePatch(context.Background(), path, data)
+	return handleWriteSecretOutput(c.BaseCommand, path, secret, err)
+}
diff --git a/ui/app/components/app-footer.js b/ui/app/components/app-footer.js
new file mode 100644
index 000000000000..357257937309
--- /dev/null
+++ b/ui/app/components/app-footer.js
@@ -0,0 +1,205 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"io"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+)
+
+func testPatchCommand(tb testing.TB) (*cli.MockUi, *PatchCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &PatchCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestPatchCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"not_enough_args",
+			[]string{},
+			"Not enough arguments",
+			1,
+		},
+		{
+			"empty_kvs",
+			[]string{"secret/write/foo"},
+			"Must supply data or use -force",
+			1,
+		},
+		{
+			"force_kvs",
+			[]string{"-force", "pki/roles/example"},
+			"allow_localhost",
+			0,
+		},
+		{
+			"force_f_kvs",
+			[]string{"-f", "pki/roles/example"},
+			"allow_localhost",
+			0,
+		},
+		{
+			"kvs_no_value",
+			[]string{"pki/roles/example", "foo"},
+			"Failed to parse K=V data",
+			1,
+		},
+		{
+			"single_value",
+			[]string{"pki/roles/example", "allow_localhost=true"},
+			"allow_localhost",
+			0,
+		},
+		{
+			"multi_value",
+			[]string{"pki/roles/example", "allow_localhost=true", "allowed_domains=true"},
+			"allow_localhost",
+			0,
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			client, closer := testVaultServer(t)
+			defer closer()
+
+			if err := client.Sys().Mount("pki", &api.MountInput{
+				Type: "pki",
+			}); err != nil {
+				t.Fatalf("pki mount error: %#v", err)
+			}
+
+			if _, err := client.Logical().Write("pki/roles/example", nil); err != nil {
+				t.Fatalf("failed to prime role: %v", err)
+			}
+
+			if _, err := client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
+				"key_type":    "ec",
+				"common_name": "Root X1",
+			}); err != nil {
+				t.Fatalf("failed to prime CA: %v", err)
+			}
+
+			ui, cmd := testPatchCommand(t)
+			cmd.client = client
+
+			code := cmd.Run(tc.args)
+			if code != tc.code {
+				t.Errorf("expected %d to be %d", code, tc.code)
+			}
+
+			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+			if !strings.Contains(combined, tc.out) {
+				t.Errorf("expected %q to contain %q", combined, tc.out)
+			}
+		})
+	}
+
+	t.Run("stdin_full", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		if err := client.Sys().Mount("pki", &api.MountInput{
+			Type: "pki",
+		}); err != nil {
+			t.Fatalf("pki mount error: %#v", err)
+		}
+
+		if _, err := client.Logical().Write("pki/roles/example", nil); err != nil {
+			t.Fatalf("failed to prime role: %v", err)
+		}
+
+		if _, err := client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
+			"key_type":    "ec",
+			"common_name": "Root X1",
+		}); err != nil {
+			t.Fatalf("failed to prime CA: %v", err)
+		}
+
+		stdinR, stdinW := io.Pipe()
+		go func() {
+			stdinW.Write([]byte(`{"allow_localhost":"false","allow_wildcard_certificates":"false"}`))
+			stdinW.Close()
+		}()
+
+		ui, cmd := testPatchCommand(t)
+		cmd.client = client
+		cmd.testStdin = stdinR
+
+		code := cmd.Run([]string{
+			"pki/roles/example", "-",
+		})
+		if code != 0 {
+			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+			t.Fatalf("expected retcode=%d to be 0\nOutput:\n%v", code, combined)
+		}
+
+		secret, err := client.Logical().Read("pki/roles/example")
+		if err != nil {
+			t.Fatal(err)
+		}
+		if secret == nil || secret.Data == nil {
+			t.Fatal("expected secret to have data")
+		}
+		if exp, act := false, secret.Data["allow_localhost"].(bool); exp != act {
+			t.Errorf("expected allowed_localhost=%v to be %v", act, exp)
+		}
+		if exp, act := false, secret.Data["allow_wildcard_certificates"].(bool); exp != act {
+			t.Errorf("expected allow_wildcard_certificates=%v to be %v", act, exp)
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testPatchCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"foo/bar", "a=b",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error writing data to foo/bar: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testPatchCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
diff --git a/ui/app/components/auth-saml.hbs b/ui/app/components/auth-saml.hbs
index f555bd92a186..e24d04b295c7 100644
--- a/ui/app/components/auth-saml.hbs
+++ b/ui/app/components/auth-saml.hbs
@@ -1,56 +1,290 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-{{#if this.canLoginSaml}}
-  <form id="auth-form" {{on "submit" (fn this.startSAMLAuth @onSubmit (hash role=@roleName))}}>
-    <div class="field">
-      <label for="role" class="is-label">Role</label>
-      <div class="control">
-        <input
-          value={{@roleName}}
-          placeholder="Default"
-          {{on "input" this.setRole}}
-          autocomplete="off"
-          spellcheck="false"
-          name="role"
-          id="role"
-          class="input"
-          type="text"
-          data-test-role
-        />
-      </div>
-      <AlertInline
-        @sizeSmall={{true}}
-        @paddingTop={{true}}
-        @type="info"
-        @message="Leave blank to sign in with the default role if one is configured."
-      />
-    </div>
-    <div data-test-yield-content>
-      {{yield}}
-    </div>
-    <Hds::Button
-      @text="Sign in with SAML provider"
-      @icon={{if @disabled "loading"}}
-      data-test-auth-submit={{true}}
-      type="submit"
-      disabled={{@disabled}}
-      id="auth-submit"
-    />
-  </form>
-{{else}}
-  <Hds::Alert @type="inline" @color="warning" data-test-saml-auth-not-allowed as |A|>
-    <A.Title>Nonsecure context detected</A.Title>
-    <A.Description>
-      Logging in with a SAML auth method requires a browser in a secure context.
-    </A.Description>
-    <A.Description class="has-top-margin-xs">
-      <ExternalLink @href="https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts">
-        Read more about secure contexts.
-        <Icon @name="external-link" />
-      </ExternalLink>
-    </A.Description>
-  </Hds::Alert>
-{{/if}}
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package ldap
+
+import (
+	"context"
+	"strings"
+
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/helper/ldaputil"
+	"github.com/hashicorp/vault/sdk/helper/tokenutil"
+	"github.com/hashicorp/vault/sdk/logical"
+)
+
+const userFilterWarning = "userfilter configured does not consider userattr and may result in colliding entity aliases on logins"
+
+func pathConfig(b *backend) *framework.Path {
+	p := &framework.Path{
+		Pattern: `config`,
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixLDAP,
+			Action:          "Configure",
+		},
+
+		Fields: ldaputil.ConfigFields(),
+
+		Operations: map[logical.Operation]framework.OperationHandler{
+			logical.ReadOperation: &framework.PathOperation{
+				Callback: b.pathConfigRead,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationSuffix: "auth-configuration",
+				},
+			},
+			logical.UpdateOperation: &framework.PathOperation{
+				Callback: b.pathConfigWrite,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationVerb: "configure-auth",
+				},
+			},
+		},
+
+		HelpSynopsis:    pathConfigHelpSyn,
+		HelpDescription: pathConfigHelpDesc,
+	}
+
+	tokenutil.AddTokenFields(p.Fields)
+	p.Fields["token_policies"].Description += ". This will apply to all tokens generated by this auth method, in addition to any configured for specific users/groups."
+
+	p.Fields["password_policy"] = &framework.FieldSchema{
+		Type:        framework.TypeString,
+		Description: "Password policy to use to rotate the root password",
+	}
+
+	return p
+}
+
+/*
+ * Construct ConfigEntry struct using stored configuration.
+ */
+func (b *backend) Config(ctx context.Context, req *logical.Request) (*ldapConfigEntry, error) {
+	storedConfig, err := req.Storage.Get(ctx, "config")
+	if err != nil {
+		return nil, err
+	}
+
+	if storedConfig == nil {
+		// Create a new ConfigEntry, filling in defaults where appropriate
+		fd, err := b.getConfigFieldData()
+		if err != nil {
+			return nil, err
+		}
+
+		result, err := ldaputil.NewConfigEntry(nil, fd)
+		if err != nil {
+			return nil, err
+		}
+
+		// No user overrides, return default configuration
+		result.CaseSensitiveNames = new(bool)
+		*result.CaseSensitiveNames = false
+
+		result.UsePre111GroupCNBehavior = new(bool)
+		*result.UsePre111GroupCNBehavior = false
+
+		return &ldapConfigEntry{ConfigEntry: result}, nil
+	}
+
+	// Deserialize stored configuration.
+	// Fields not specified in storedConfig will retain their defaults.
+	result := new(ldapConfigEntry)
+	result.ConfigEntry = new(ldaputil.ConfigEntry)
+	if err := storedConfig.DecodeJSON(result); err != nil {
+		return nil, err
+	}
+
+	var persistNeeded bool
+	if result.CaseSensitiveNames == nil {
+		// Upgrade from before switching to case-insensitive
+		result.CaseSensitiveNames = new(bool)
+		*result.CaseSensitiveNames = true
+		persistNeeded = true
+	}
+
+	if result.UsePre111GroupCNBehavior == nil {
+		result.UsePre111GroupCNBehavior = new(bool)
+		*result.UsePre111GroupCNBehavior = true
+		persistNeeded = true
+	}
+
+	if persistNeeded && (b.System().LocalMount() || !b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary|consts.ReplicationPerformanceStandby)) {
+		entry, err := logical.StorageEntryJSON("config", result)
+		if err != nil {
+			return nil, err
+		}
+		if err := req.Storage.Put(ctx, entry); err != nil {
+			return nil, err
+		}
+	}
+
+	return result, nil
+}
+
+func (b *backend) pathConfigRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	b.mu.RLock()
+	defer b.mu.RUnlock()
+
+	cfg, err := b.Config(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+	if cfg == nil {
+		return nil, nil
+	}
+
+	data := cfg.PasswordlessMap()
+	cfg.PopulateTokenData(data)
+	data["password_policy"] = cfg.PasswordPolicy
+
+	resp := &logical.Response{
+		Data: data,
+	}
+
+	if warnings := b.checkConfigUserFilter(cfg); len(warnings) > 0 {
+		resp.Warnings = warnings
+	}
+
+	return resp, nil
+}
+
+// checkConfigUserFilter performs a best-effort check the config's userfilter.
+// It will checked whether the templated or literal userattr value is present,
+// and if not return a warning.
+func (b *backend) checkConfigUserFilter(cfg *ldapConfigEntry) []string {
+	if cfg == nil || cfg.UserFilter == "" {
+		return nil
+	}
+
+	var warnings []string
+
+	switch {
+	case strings.Contains(cfg.UserFilter, "{{.UserAttr}}"):
+		// Case where the templated userattr value is provided
+	case strings.Contains(cfg.UserFilter, cfg.UserAttr):
+		// Case where the literal userattr value is provided
+	default:
+		b.Logger().Debug(userFilterWarning, "userfilter", cfg.UserFilter, "userattr", cfg.UserAttr)
+		warnings = append(warnings, userFilterWarning)
+	}
+
+	return warnings
+}
+
+func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	cfg, err := b.Config(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+	if cfg == nil {
+		return nil, nil
+	}
+
+	// Build a ConfigEntry struct out of the supplied FieldData
+	cfg.ConfigEntry, err = ldaputil.NewConfigEntry(cfg.ConfigEntry, d)
+	if err != nil {
+		return logical.ErrorResponse(err.Error()), nil
+	}
+
+	// On write, if not specified, use false. We do this here so upgrade logic
+	// works since it calls the same newConfigEntry function
+	if cfg.CaseSensitiveNames == nil {
+		cfg.CaseSensitiveNames = new(bool)
+		*cfg.CaseSensitiveNames = false
+	}
+
+	if cfg.UsePre111GroupCNBehavior == nil {
+		cfg.UsePre111GroupCNBehavior = new(bool)
+		*cfg.UsePre111GroupCNBehavior = false
+	}
+
+	if err := cfg.ParseTokenFields(req, d); err != nil {
+		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
+	}
+
+	if passwordPolicy, ok := d.GetOk("password_policy"); ok {
+		cfg.PasswordPolicy = passwordPolicy.(string)
+	}
+
+	entry, err := logical.StorageEntryJSON("config", cfg)
+	if err != nil {
+		return nil, err
+	}
+	if err := req.Storage.Put(ctx, entry); err != nil {
+		return nil, err
+	}
+
+	if warnings := b.checkConfigUserFilter(cfg); len(warnings) > 0 {
+		return &logical.Response{
+			Warnings: warnings,
+		}, nil
+	}
+
+	return nil, nil
+}
+
+/*
+ * Returns FieldData describing our ConfigEntry struct schema
+ */
+func (b *backend) getConfigFieldData() (*framework.FieldData, error) {
+	configPath := b.Route("config")
+
+	if configPath == nil {
+		return nil, logical.ErrUnsupportedPath
+	}
+
+	raw := make(map[string]interface{}, len(configPath.Fields))
+
+	fd := framework.FieldData{
+		Raw:    raw,
+		Schema: configPath.Fields,
+	}
+
+	return &fd, nil
+}
+
+type ldapConfigEntry struct {
+	tokenutil.TokenParams
+	*ldaputil.ConfigEntry
+
+	PasswordPolicy string `json:"password_policy"`
+}
+
+const pathConfigHelpSyn = `
+Configure the LDAP server to connect to, along with its options.
+`
+
+const pathConfigHelpDesc = `
+This endpoint allows you to configure the LDAP server to connect to and its
+configuration options.
+
+The LDAP URL can use either the "ldap://" or "ldaps://" schema. In the former
+case, an unencrypted connection will be made with a default port of 389, unless
+the "starttls" parameter is set to true, in which case TLS will be used. In the
+latter case, a SSL connection will be established with a default port of 636.
+
+## A NOTE ON ESCAPING
+
+It is up to the administrator to provide properly escaped DNs. This includes
+the user DN, bind DN for search, and so on.
+
+The only DN escaping performed by this backend is on usernames given at login
+time when they are inserted into the final bind DN, and uses escaping rules
+defined in RFC 4514.
+
+Additionally, Active Directory has escaping rules that differ slightly from the
+RFC; in particular it requires escaping of '#' regardless of position in the DN
+(the RFC only requires it to be escaped when it is the first character), and
+'=', which the RFC indicates can be escaped with a backslash, but does not
+contain in its set of required escapes. If you are using Active Directory and
+these appear in your usernames, please ensure that they are escaped, in
+addition to being properly escaped in your configured DNs.
+
+For reference, see https://www.ietf.org/rfc/rfc4514.txt and
+http://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
+`
diff --git a/ui/app/components/dashboard/quick-actions-card.js b/ui/app/components/dashboard/quick-actions-card.js
index 57a524c3adc8..1aa008f4ddc3 100644
--- a/ui/app/components/dashboard/quick-actions-card.js
+++ b/ui/app/components/dashboard/quick-actions-card.js
@@ -1,158 +1,115 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: MPL-2.0
- */
-
-import Component from '@glimmer/component';
-import { action } from '@ember/object';
-import { tracked } from '@glimmer/tracking';
-import { inject as service } from '@ember/service';
-import { pathIsDirectory } from 'kv/utils/kv-breadcrumbs';
-/**
- * @module DashboardQuickActionsCard
- * DashboardQuickActionsCard component allows users to see a list of secrets engines filtered by
- * kv, pki and database and perform certain actions based on the type of secret engine selected
- *
- * @example
- * ```js
- *   <Dashboard::QuickActionsCard @secretsEngines={{@model.secretsEngines}} />
- * ```
- */
-
-const QUICK_ACTION_ENGINES = ['pki', 'database'];
-
-export default class DashboardQuickActionsCard extends Component {
-  @service router;
-
-  @tracked selectedEngine;
-  @tracked selectedAction;
-  @tracked paramValue;
-
-  get actionOptions() {
-    switch (this.selectedEngine.type) {
-      case 'kv':
-        return ['Find KV secrets'];
-      case 'database':
-        return ['Generate credentials for database'];
-      case 'pki':
-        return ['Issue certificate', 'View certificate', 'View issuer'];
-      default:
-        return [];
-    }
-  }
-
-  get searchSelectParams() {
-    switch (this.selectedAction) {
-      case 'Find KV secrets':
-        return {
-          title: 'Secret path',
-          subText: 'Path of the secret you want to read.',
-          buttonText: 'Read secrets',
-          model: 'kv/metadata',
-          route: 'vault.cluster.secrets.backend.kv.secret.details',
-          nameKey: 'path',
-          queryObject: { pathToSecret: '', backend: this.selectedEngine.id },
-          objectKeys: ['path', 'id'],
-        };
-      case 'Generate credentials for database':
-        return {
-          title: 'Role to use',
-          buttonText: 'Generate credentials',
-          model: 'database/role',
-          route: 'vault.cluster.secrets.backend.credentials',
-          queryObject: { backend: this.selectedEngine.id },
-        };
-      case 'Issue certificate':
-        return {
-          title: 'Role to use',
-          placeholder: 'Type to find a role',
-          buttonText: 'Issue leaf certificate',
-          model: 'pki/role',
-          route: 'vault.cluster.secrets.backend.pki.roles.role.generate',
-          queryObject: { backend: this.selectedEngine.id },
-        };
-      case 'View certificate':
-        return {
-          title: 'Certificate serial number',
-          placeholder: '33:a3:...',
-          buttonText: 'View certificate',
-          model: 'pki/certificate/base',
-          route: 'vault.cluster.secrets.backend.pki.certificates.certificate.details',
-          queryObject: { backend: this.selectedEngine.id },
-        };
-      case 'View issuer':
-        return {
-          title: 'Issuer',
-          placeholder: 'Type issuer name or ID',
-          buttonText: 'View issuer',
-          model: 'pki/issuer',
-          route: 'vault.cluster.secrets.backend.pki.issuers.issuer.details',
-          nameKey: 'issuerName',
-          queryObject: { backend: this.selectedEngine.id },
-          objectKeys: ['id', 'issuerName'],
-        };
-      default:
-        return {
-          placeholder: 'Please select an action above',
-          buttonText: 'Select an action',
-          model: '',
-        };
-    }
-  }
-
-  get filteredSecretEngines() {
-    return this.args.secretsEngines?.filter(
-      (engine) => (engine.type === 'kv' && engine.version == 2) || QUICK_ACTION_ENGINES.includes(engine.type)
-    );
-  }
-
-  get mountOptions() {
-    return this.filteredSecretEngines?.map((engine) => {
-      const { id, type } = engine;
-
-      return { name: id, type, id };
-    });
-  }
-
-  @action
-  handleSearchEngineSelect([selection]) {
-    this.selectedEngine = selection;
-    // reset tracked properties
-    this.selectedAction = null;
-    this.paramValue = null;
-  }
-
-  @action
-  setSelectedAction(selectedAction) {
-    this.selectedAction = selectedAction;
-    this.paramValue = null;
-  }
-
-  @action
-  handleActionSelect(val) {
-    if (Array.isArray(val)) {
-      this.paramValue = val[0];
-    } else {
-      this.paramValue = val;
-    }
-  }
-
-  @action
-  navigateToPage() {
-    let route = this.searchSelectParams.route;
-    // If search-select falls back to stringInput, paramVlue is a string not object
-    let param = this.paramValue.id || this.paramValue;
-
-    // kv has a special use case where if the paramValue ends in a '/' you should
-    // link to different route
-    if (this.selectedEngine.type === 'kv') {
-      const path = this.paramValue.path || this.paramValue;
-      route = pathIsDirectory(path)
-        ? 'vault.cluster.secrets.backend.kv.list-directory'
-        : 'vault.cluster.secrets.backend.kv.secret.details';
-      param = path;
-    }
-
-    this.router.transitionTo(route, this.selectedEngine.id, param);
-  }
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-2.0
+
+package ldap
+
+import (
+	"context"
+
+	"github.com/go-ldap/ldap/v3"
+
+	"github.com/hashicorp/vault/sdk/helper/base62"
+	"github.com/hashicorp/vault/sdk/helper/ldaputil"
+
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/logical"
+)
+
+func pathConfigRotateRoot(b *backend) *framework.Path {
+	return &framework.Path{
+		Pattern: "config/rotate-root",
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixLDAP,
+			OperationVerb:   "rotate",
+			OperationSuffix: "root-credentials",
+		},
+
+		Operations: map[logical.Operation]framework.OperationHandler{
+			logical.UpdateOperation: &framework.PathOperation{
+				Callback:                    b.pathConfigRotateRootUpdate,
+				ForwardPerformanceSecondary: true,
+				ForwardPerformanceStandby:   true,
+			},
+		},
+
+		HelpSynopsis:    pathConfigRotateRootHelpSyn,
+		HelpDescription: pathConfigRotateRootHelpDesc,
+	}
 }
+
+func (b *backend) pathConfigRotateRootUpdate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	// lock the backend's state - really just the config state - for mutating
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	cfg, err := b.Config(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+	if cfg == nil {
+		return logical.ErrorResponse("attempted to rotate root on an undefined config"), nil
+	}
+
+	u, p := cfg.BindDN, cfg.BindPassword
+	if u == "" || p == "" {
+		return logical.ErrorResponse("auth is not using authenticated search, no root to rotate"), nil
+	}
+
+	// grab our ldap client
+	client := ldaputil.Client{
+		Logger: b.Logger(),
+		LDAP:   ldaputil.NewLDAP(),
+	}
+
+	conn, err := client.DialLDAP(cfg.ConfigEntry)
+	if err != nil {
+		return nil, err
+	}
+
+	err = conn.Bind(u, p)
+	if err != nil {
+		return nil, err
+	}
+
+	lreq := &ldap.ModifyRequest{
+		DN: cfg.BindDN,
+	}
+
+	var newPassword string
+	if cfg.PasswordPolicy != "" {
+		newPassword, err = b.System().GeneratePasswordFromPolicy(ctx, cfg.PasswordPolicy)
+	} else {
+		newPassword, err = base62.Random(defaultPasswordLength)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	lreq.Replace("userPassword", []string{newPassword})
+
+	err = conn.Modify(lreq)
+	if err != nil {
+		return nil, err
+	}
+	// update config with new password
+	cfg.BindPassword = newPassword
+	entry, err := logical.StorageEntryJSON("config", cfg)
+	if err != nil {
+		return nil, err
+	}
+	if err := req.Storage.Put(ctx, entry); err != nil {
+		// we might have to roll-back the password here?
+		return nil, err
+	}
+
+	return nil, nil
+}
+
+const pathConfigRotateRootHelpSyn = `
+Request to rotate the LDAP credentials used by Vault
+`
+
+const pathConfigRotateRootHelpDesc = `
+This path attempts to rotate the LDAP bindpass used by Vault for this mount.
+`
diff --git a/ui/app/components/dashboard/vault-version-title.js b/ui/app/components/dashboard/vault-version-title.js
index 1462844740ac..65073472ca00 100644
--- a/ui/app/components/dashboard/vault-version-title.js
+++ b/ui/app/components/dashboard/vault-version-title.js
@@ -1,28 +1,66 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: MPL-2.0
- */
-
-import Component from '@glimmer/component';
-import { inject as service } from '@ember/service';
-
-/**
- * @module DashboardVaultVersionTitle
- * DashboardVaultVersionTitle component are use to display the vault version title and the badges
- *
- * @example
- * ```js
- * <Dashboard::VaultVersionTitle />
- * ```
- */
-
-export default class DashboardVaultVersionTitle extends Component {
-  @service version;
-  @service namespace;
-
-  get versionHeader() {
-    return this.version.isEnterprise
-      ? `Vault v${this.version.version.slice(0, this.version.version.indexOf('+'))}`
-      : `Vault v${this.version.version}`;
-  }
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-2.0
+
+package ldap
+
+import (
+	"context"
+	"os"
+	"testing"
+
+	"github.com/hashicorp/vault/helper/testhelpers/ldap"
+	logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical"
+	"github.com/hashicorp/vault/sdk/logical"
+)
+
+// This test relies on a docker ldap server with a suitable person object (cn=admin,dc=planetexpress,dc=com)
+// with bindpassword "admin". `PrepareTestContainer` does this for us. - see the backend_test for more details
+func TestRotateRoot(t *testing.T) {
+	if os.Getenv(logicaltest.TestEnvVar) == "" {
+		t.Skip("skipping rotate root tests because VAULT_ACC is unset")
+	}
+	ctx := context.Background()
+
+	b, store := createBackendWithStorage(t)
+	cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
+	defer cleanup()
+	// set up auth config
+	req := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "config",
+		Storage:   store,
+		Data: map[string]interface{}{
+			"url":      cfg.Url,
+			"binddn":   cfg.BindDN,
+			"bindpass": cfg.BindPassword,
+			"userdn":   cfg.UserDN,
+		},
+	}
+
+	resp, err := b.HandleRequest(ctx, req)
+	if err != nil {
+		t.Fatalf("failed to initialize ldap auth config: %s", err)
+	}
+	if resp != nil && resp.IsError() {
+		t.Fatalf("failed to initialize ldap auth config: %s", resp.Data["error"])
+	}
+
+	req = &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "config/rotate-root",
+		Storage:   store,
+	}
+
+	_, err = b.HandleRequest(ctx, req)
+	if err != nil {
+		t.Fatalf("failed to rotate password: %s", err)
+	}
+
+	newCFG, err := b.Config(ctx, req)
+	if newCFG.BindDN != cfg.BindDN {
+		t.Fatalf("a value in config that should have stayed the same changed: %s", cfg.BindDN)
+	}
+	if newCFG.BindPassword == cfg.BindPassword {
+		t.Fatalf("the password should have changed, but it didn't")
+	}
 }
diff --git a/ui/app/components/logo-edition.hbs b/ui/app/components/logo-edition.hbs
index 4c2651f6bff3..335de684008f 100644
--- a/ui/app/components/logo-edition.hbs
+++ b/ui/app/components/logo-edition.hbs
@@ -1,50 +1,121 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<svg width="146" height="51" viewBox="0 0 146 51" xmlns="http://www.w3.org/2000/svg">
-  <g id="vault-logo-v" fill-rule="nonzero">
-    <path
-      d="M0,0 L25.4070312,51 L51,0 L0,0 Z M28.5,10.5 L31.5,10.5 L31.5,13.5 L28.5,13.5 L28.5,10.5 Z M22.5,22.5 L19.5,22.5 L19.5,19.5 L22.5,19.5 L22.5,22.5 Z M22.5,18 L19.5,18 L19.5,15 L22.5,15 L22.5,18 Z M22.5,13.5 L19.5,13.5 L19.5,10.5 L22.5,10.5 L22.5,13.5 Z M26.991018,27 L24,27 L24,24 L27,24 L26.991018,27 Z M26.991018,22.5 L24,22.5 L24,19.5 L27,19.5 L26.991018,22.5 Z M26.991018,18 L24,18 L24,15 L27,15 L26.991018,18 Z M26.991018,13.5 L24,13.5 L24,10.5 L27,10.5 L26.991018,13.5 Z M28.5,15 L31.5,15 L31.5,18 L28.5089552,18 L28.5,15 Z M28.5,22.5 L28.5,19.5 L31.5,19.5 L31.5,22.4601182 L28.5,22.5 Z"
-    ></path>
-  </g>
-
-  <path
-    id="vault-logo-name"
-    d="M69.7218638,30.2482468 L63.2587814,8.45301543 L58,8.45301543 L65.9885305,34.6072931 L73.4551971,34.6072931 L81.4437276,8.45301543 L76.1849462,8.45301543 L69.7218638,30.2482468 Z M97.6329749,22.0014025 C97.6329749,17.2103787 95.8265233,15.0897616 89.6845878,15.0897616 C87.5168459,15.0897616 84.8272401,15.4431978 82.9806452,15.9929874 L83.5827957,19.6451613 C85.3089606,19.2917251 87.2358423,19.056101 89.0021505,19.056101 C92.1333333,19.056101 92.7354839,19.802244 92.7354839,21.9228612 L92.7354839,23.9256662 L88.0387097,23.9256662 C84.0645161,23.9256662 82.3383513,25.4179523 82.3383513,29.3057504 C82.3383513,32.6044881 83.8637993,35 87.4365591,35 C89.4035842,35 91.4910394,34.4502104 93.2573477,33.3113604 L93.618638,34.6072931 L97.6329749,34.6072931 L97.6329749,22.0014025 Z M92.7354839,30.2089762 C91.8121864,30.7194951 90.4874552,31.1907433 89.0422939,31.1907433 C87.5168459,31.1907433 87.0752688,30.601683 87.0752688,29.2664797 C87.0752688,27.8134642 87.5168459,27.3814867 89.1225806,27.3814867 L92.7354839,27.3814867 L92.7354839,30.2089762 Z M102.421505,15.4824684 L102.421505,29.345021 C102.421505,32.7615708 103.585663,35 106.837276,35 C109.125448,35 112.216487,34.1753156 114.665233,32.997195 L115.146953,34.6072931 L118.880287,34.6072931 L118.880287,15.4824684 L113.982796,15.4824684 L113.982796,28.7559607 C112.216487,29.6591865 110.088889,30.3660589 108.884588,30.3660589 C107.760573,30.3660589 107.318996,29.85554 107.318996,28.8345021 L107.318996,15.4824684 L102.421505,15.4824684 Z M129.168459,34.6072931 L129.168459,7 L124.270968,7.66760168 L124.270968,34.6072931 L129.168459,34.6072931 Z M144.394265,30.601683 C143.551254,30.8373072 142.6681,30.9943899 141.94552,30.9943899 C140.660932,30.9943899 140.179211,30.3267882 140.179211,29.3057504 L140.179211,19.2917251 L144.875986,19.2917251 L145.197133,15.4824684 L140.179211,15.4824684 L140.179211,10.0631136 L135.28172,10.7307153 L135.28172,15.4824684 L132.351254,15.4824684 L132.351254,19.2917251 L135.28172,19.2917251 L135.28172,29.9340813 C135.28172,33.3506311 137.088172,35 140.660932,35 C141.905376,35 143.912545,34.6858345 144.956272,34.2538569 L144.394265,30.601683 Z"
-  ></path>
-
-  {{#if (is-version "Enterprise")}}
-    <g id="vault-logo-edition-enterprise" transform="translate(65.000000, 40.000000)" fill-rule="nonzero">
-      <polygon
-        points="0.435816733 0.579322709 4.39438247 0.579322709 4.39438247 1.35454183 1.30175299 1.35454183 1.30175299 3.46577689 4.17171315 3.46577689 4.17171315 4.24099602 1.30175299 4.24099602 1.30175299 6.52541833 4.40262948 6.52541833 4.40262948 7.30063745 0.435816733 7.30063745"
-      ></polygon>
-      <polygon
-        points="7.3138247 1.58545817 7.3138247 7.31713147 6.48912351 7.31713147 6.48912351 0.579322709 7.68494024 0.579322709 10.6126295 6.35223108 10.6126295 0.579322709 11.4373307 0.579322709 11.4373307 7.31713147 10.249761 7.31713147"
-      ></polygon>
-      <polygon
-        points="15.107251 1.36278884 13.1032271 1.36278884 13.1032271 0.587569721 17.9937052 0.587569721 17.9937052 1.36278884 15.9814343 1.36278884 15.9814343 7.31713147 15.107251 7.31713147"
-      ></polygon>
-      <polygon
-        points="19.6513546 0.579322709 23.6099203 0.579322709 23.6099203 1.35454183 20.5172908 1.35454183 20.5172908 3.46577689 23.387251 3.46577689 23.387251 4.24099602 20.5172908 4.24099602 20.5172908 6.52541833 23.6181673 6.52541833 23.6181673 7.30063745 19.6431076 7.30063745"
-      ></polygon>
-      <path
-        d="M28.22,4.87601594 L26.5705976,4.87601594 L26.5705976,7.35011952 L25.7046614,7.35011952 L25.7046614,0.579322709 L28.2694821,0.579322709 C29.7127092,0.579322709 30.2240239,1.20609562 30.2240239,2.2287251 L30.2240239,3.20187251 C30.3204128,3.92160892 29.8576792,4.59791178 29.1519124,4.76880478 L30.9002789,7.30888446 L29.9023904,7.30888446 L28.22,4.87601594 Z M28.22,1.35454183 L26.5705976,1.35454183 L26.5705976,4.10079681 L28.22,4.10079681 C29.0447012,4.10079681 29.3333466,3.86988048 29.3333466,3.21011952 L29.3333466,2.25346614 C29.3580876,1.58545817 29.0694422,1.36278884 28.244741,1.36278884 L28.22,1.35454183 Z"
-      ></path>
-      <path
-        d="M32.6898805,0.579322709 L35.1639841,0.579322709 C36.6072112,0.579322709 37.1185259,1.20609562 37.1185259,2.2287251 L37.1185259,3.22661355 C37.1185259,4.26573705 36.6154582,4.87601594 35.1639841,4.87601594 L33.5970518,4.87601594 L33.5970518,7.31713147 L32.7311155,7.31713147 L32.6898805,0.579322709 Z M35.098008,1.35454183 L33.5640637,1.35454183 L33.5640637,4.12553785 L35.098008,4.12553785 C35.9227092,4.12553785 36.2113546,3.89462151 36.2113546,3.23486056 L36.2113546,2.24521912 C36.2113546,1.58545817 35.9309562,1.36278884 35.098008,1.36278884 L35.098008,1.35454183 Z"
-      ></path>
-      <path
-        d="M41.4399602,4.87601594 L39.7905578,4.87601594 L39.7905578,7.35011952 L38.9246215,7.35011952 L38.9246215,0.579322709 L41.4894422,0.579322709 C42.9326693,0.579322709 43.4439841,1.20609562 43.4439841,2.2287251 L43.4439841,3.20187251 C43.5403729,3.92160892 43.0776394,4.59791178 42.3718725,4.76880478 L44.120239,7.30888446 L43.1223506,7.30888446 L41.4399602,4.87601594 Z M41.4399602,1.35454183 L39.7905578,1.35454183 L39.7905578,4.10079681 L41.4399602,4.10079681 C42.2646614,4.10079681 42.5533068,3.86988048 42.5533068,3.21011952 L42.5533068,2.25346614 C42.5698008,1.58545817 42.2894024,1.36278884 41.4564542,1.36278884 L41.4399602,1.35454183 Z"
-      ></path>
-      <polygon points="46.8087649 7.31713147 45.9840637 7.31713147 45.9840637 0.579322709 46.8087649 0.579322709"></polygon>
-      <path
-        d="M50.9322709,7.41609562 C50.2485334,7.41749872 49.5699834,7.29742608 48.928247,7.0614741 L49.0684462,6.35223108 C49.6711823,6.54568134 50.2993133,6.64851694 50.9322709,6.65737052 C52.0126295,6.65737052 52.2352988,6.37697211 52.2352988,5.61 C52.2352988,4.70282869 52.2352988,4.62035857 50.8415538,4.30697211 C49.1921514,3.94410359 49.0189641,3.63071713 49.0189641,2.23697211 C49.0189641,1.06589641 49.5055378,0.49685259 51.1714343,0.49685259 C51.7856888,0.497823804 52.3976026,0.572582499 52.9940239,0.719521912 L52.9198008,1.45350598 C52.3508265,1.32930718 51.7702971,1.26572539 51.1879283,1.2638247 C50.0828287,1.2638247 49.8849004,1.48649402 49.8849004,2.26171315 C49.8849004,3.1936255 49.8849004,3.23486056 51.2209163,3.56474104 C53.0105179,4.01007968 53.1012351,4.27398406 53.1012351,5.58525896 C53.1342231,6.74808765 52.7878486,7.41609562 50.9322709,7.41609562 Z"
-      ></path>
-      <polygon
-        points="55.2454582 0.579322709 59.1792829 0.579322709 59.1792829 1.35454183 56.0866534 1.35454183 56.0866534 3.46577689 58.9566135 3.46577689 58.9566135 4.24099602 56.0866534 4.24099602 56.0866534 6.52541833 59.1875299 6.52541833 59.1875299 7.30063745 55.2124701 7.30063745"
-      ></polygon>
-    </g>
-  {{/if}}
-</svg>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*PathHelpCommand)(nil)
+	_ cli.CommandAutocomplete = (*PathHelpCommand)(nil)
+)
+
+var pathHelpVaultSealedMessage = strings.TrimSpace(`
+Error: Vault is sealed.
+
+The "path-help" command requires the Vault to be unsealed so that the mount
+points of the secret engines are known.
+`)
+
+type PathHelpCommand struct {
+	*BaseCommand
+}
+
+func (c *PathHelpCommand) Synopsis() string {
+	return "Retrieve API help for paths"
+}
+
+func (c *PathHelpCommand) Help() string {
+	helpText := `
+Usage: vault path-help [options] PATH
+
+  Retrieves API help for paths. All endpoints in Vault provide built-in help
+  in markdown format. This includes system paths, secret engines, and auth
+  methods.
+
+  Get help for the thing mounted at database/:
+
+      $ vault path-help database/
+
+  The response object will return additional paths to retrieve help:
+
+      $ vault path-help database/roles/
+
+  Each secret engine produces different help output.
+
+  If -format is specified as JSON, the output will be in OpenAPI format.
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *PathHelpCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+}
+
+func (c *PathHelpCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictAnything // TODO: programatic way to invoke help
+}
+
+func (c *PathHelpCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *PathHelpCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	path := sanitizePath(args[0])
+
+	help, err := client.Help(path)
+	if err != nil {
+		if strings.Contains(err.Error(), "Vault is sealed") {
+			c.UI.Error(pathHelpVaultSealedMessage)
+		} else {
+			c.UI.Error(fmt.Sprintf("Error retrieving help: %s", err))
+		}
+		return 2
+	}
+
+	switch c.flagFormat {
+	case "json":
+		b, err := json.Marshal(help.OpenAPI)
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error marshaling OpenAPI: %s", err))
+			return 2
+		}
+		c.UI.Output(string(b))
+	default:
+		c.UI.Output(help.Help)
+	}
+
+	return 0
+}
diff --git a/ui/app/components/sidebar/nav/cluster.hbs b/ui/app/components/sidebar/nav/cluster.hbs
index d2c607d92442..33c06b4fe553 100644
--- a/ui/app/components/sidebar/nav/cluster.hbs
+++ b/ui/app/components/sidebar/nav/cluster.hbs
@@ -1,124 +1,118 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<Hds::SideNav::Portal @ariaLabel="Cluster Navigation Links" data-test-sidebar-nav-panel="Cluster" as |Nav|>
-  <Nav.Title data-test-sidebar-nav-heading="Vault">Vault</Nav.Title>
-
-  <Nav.Link @route="vault.cluster.dashboard" @text="Dashboard" data-test-sidebar-nav-link="Dashboard" />
-  <Nav.Link
-    @route="vault.cluster.secrets"
-    @current-when="vault.cluster.secrets vault.cluster.settings.mount-secret-backend vault.cluster.settings.configure-secret-backend"
-    @text="Secrets Engines"
-    data-test-sidebar-nav-link="Secrets Engines"
-  />
-  <Nav.Link
-    @route="vault.cluster.sync"
-    @text="Secrets Sync"
-    @badge={{unless this.version.isEnterprise "Enterprise"}}
-    data-test-sidebar-nav-link="Secrets Sync"
-  />
-  {{#if (has-permission "access")}}
-    <Nav.Link
-      @route={{get (route-params-for "access") "route"}}
-      @models={{get (route-params-for "access") "models"}}
-      @current-when="vault.cluster.access vault.cluster.settings.auth"
-      @text="Access"
-      @hasSubItems={{true}}
-      data-test-sidebar-nav-link="Access"
-    />
-  {{/if}}
-  {{#if (has-permission "policies")}}
-    <Nav.Link
-      @route="vault.cluster.policies"
-      @models={{get (route-params-for "policies") "models"}}
-      @text="Policies"
-      @hasSubItems={{true}}
-      data-test-sidebar-nav-link="Policies"
-    />
-  {{/if}}
-  {{#if (has-permission "tools")}}
-    <Nav.Link
-      @route="vault.cluster.tools.tool"
-      @models={{get (route-params-for "tools") "models"}}
-      @text="Tools"
-      @hasSubItems={{true}}
-      data-test-sidebar-nav-link="Tools"
-    />
-  {{/if}}
-
-  {{#if
-    (and
-      this.version.isEnterprise
-      this.namespace.inRootNamespace
-      this.cluster.anyReplicationEnabled
-      (has-permission "status" routeParams="replication")
-    )
-  }}
-    <Nav.Title data-test-sidebar-nav-heading="Replication">Replication</Nav.Title>
-    <Nav.Link
-      @route="vault.cluster.replication.mode.index"
-      @model="dr"
-      @text="Disaster Recovery"
-      data-test-sidebar-nav-link="Disaster Recovery"
-    />
-
-    {{#if (has-feature "Performance Replication")}}
-      <Nav.Link
-        @route="vault.cluster.replication.mode.index"
-        @model="performance"
-        @text="Performance"
-        data-test-sidebar-nav-link="Performance"
-      />
-    {{/if}}
-  {{/if}}
-
-  {{#if
-    (or
-      (and
-        this.namespace.inRootNamespace (has-permission "status" routeParams=(array "replication" "raft" "license" "seal"))
-      )
-      (has-permission "clients" routeParams="activity")
-    )
-  }}
-    <Nav.Title data-test-sidebar-nav-heading="Monitoring">Monitoring</Nav.Title>
-  {{/if}}
-  {{#if (and this.version.isEnterprise this.namespace.inRootNamespace (has-permission "status" routeParams="replication"))}}
-    <Nav.Link @route="vault.cluster.replication.index" @text="Replication" data-test-sidebar-nav-link="Replication" />
-  {{/if}}
-  {{#if (and this.cluster.usingRaft this.namespace.inRootNamespace (has-permission "status" routeParams="raft"))}}
-    <Nav.Link
-      @route="vault.cluster.storage"
-      @model={{this.cluster.name}}
-      @text="Raft Storage"
-      data-test-sidebar-nav-link="Raft Storage"
-    />
-  {{/if}}
-  {{#if (and (has-permission "clients" routeParams="activity") (not this.cluster.dr.isSecondary))}}
-    <Nav.Link @route="vault.cluster.clients" @text="Client Count" data-test-sidebar-nav-link="Client Count" />
-  {{/if}}
-  {{#if
-    (and
-      this.version.features
-      this.namespace.inRootNamespace
-      (has-permission "status" routeParams="license")
-      (not this.cluster.dr.isSecondary)
-    )
-  }}
-    <Nav.Link
-      @route="vault.cluster.license"
-      @model={{this.cluster.name}}
-      @text="License"
-      data-test-sidebar-nav-link="License"
-    />
-  {{/if}}
-  {{#if (and this.namespace.inRootNamespace (has-permission "status" routeParams="seal") (not this.cluster.dr.isSecondary))}}
-    <Nav.Link
-      @route="vault.cluster.settings.seal"
-      @model={{this.cluster.name}}
-      @text="Seal Vault"
-      data-test-sidebar-nav-link="Seal Vault"
-    />
-  {{/if}}
-</Hds::SideNav::Portal>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+)
+
+func testPathHelpCommand(tb testing.TB) (*cli.MockUi, *PathHelpCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &PathHelpCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestPathHelpCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"not_enough_args",
+			[]string{},
+			"Not enough arguments",
+			1,
+		},
+		{
+			"too_many_args",
+			[]string{"foo", "bar"},
+			"Too many arguments",
+			1,
+		},
+		{
+			"not_found",
+			[]string{"nope/not/once/never"},
+			"",
+			2,
+		},
+		{
+			"kv",
+			[]string{"secret/"},
+			"The kv backend",
+			0,
+		},
+		{
+			"sys",
+			[]string{"sys/mounts"},
+			"currently mounted backends",
+			0,
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			client, closer := testVaultServer(t)
+			defer closer()
+
+			ui, cmd := testPathHelpCommand(t)
+			cmd.client = client
+
+			code := cmd.Run(tc.args)
+			if code != tc.code {
+				t.Errorf("expected %d to be %d", code, tc.code)
+			}
+
+			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+			if !strings.Contains(combined, tc.out) {
+				t.Errorf("expected %q to contain %q", combined, tc.out)
+			}
+		})
+	}
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testPathHelpCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"sys/mounts",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error retrieving help: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testPathHelpCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
diff --git a/ui/app/components/sidebar/user-menu.hbs b/ui/app/components/sidebar/user-menu.hbs
index fc8592a54f1f..0b1f932f8bb7 100644
--- a/ui/app/components/sidebar/user-menu.hbs
+++ b/ui/app/components/sidebar/user-menu.hbs
@@ -1,92 +1,319 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<BasicDropdown
-  @horizontalPosition="right"
-  @verticalPosition="below"
-  @renderInPlace={{true}}
-  class="sidebar-user-menu"
-  data-test-user-menu
-  as |Dropdown|
->
-  <Dropdown.Trigger data-test-user-menu-trigger>
-    <Hds::SideNav::Header::IconButton @icon="user" @ariaLabel="User menu" />
-  </Dropdown.Trigger>
-  <Dropdown.Content>
-    <div class="popup-menu-content" data-test-user-menu-content>
-      <div class="box">
-        <div class="menu-label">
-          {{capitalize this.auth.authData.displayName}}
-        </div>
-        <nav class="menu">
-          <ul class="menu-list">
-            {{#if this.auth.allowExpiration}}
-              <li class="token-alert is-flex" data-test-user-menu-item="token alert">
-                <span><Icon @name="alert-triangle-fill" class="has-text-highlight" /></span>
-                <span class="is-size-8 has-text-semibold">
-                  We've stopped auto-renewing your token due to inactivity. It will expire on
-                  {{date-format this.auth.tokenExpirationDate "MMMM do yyyy, h:mm:ss a"}}.
-                </span>
-              </li>
-            {{/if}}
-            {{#if this.hasEntityId}}
-              <li class="action">
-                <LinkTo @route="vault.cluster.mfa-setup" data-test-user-menu-item="mfa">
-                  Multi-factor authentication
-                </LinkTo>
-              </li>
-            {{/if}}
-            {{#if this.isUserpass}}
-              <li class="action">
-                <LinkTo @route="vault.cluster.access.reset-password" data-test-user-menu-item="reset-password">
-                  Reset password
-                </LinkTo>
-              </li>
-            {{/if}}
-            <li class="action" id="container">
-              {{! container is required in navbar collapsed state }}
-              <Hds::Copy::Button
-                @text="Copy token"
-                @textToCopy={{this.auth.currentToken}}
-                @isFullWidth={{true}}
-                @container="#container"
-                class="in-dropdown link is-flex-start"
-                {{on "click" (fn (set-flash-message "Token copied!"))}}
-              />
-            </li>
-            {{#if (is-before (now interval=1000) this.auth.tokenExpirationDate)}}
-              {{#if this.auth.authData.renewable}}
-                <li class="action">
-                  {{! TODO Hds::Button replacement skipped in favor of updating it when there is a Hds::Dropdown swapout }}
-                  <button
-                    type="button"
-                    {{on "click" this.renewToken}}
-                    class="link button {{if this.isRenewing 'is-loading'}}"
-                    data-test-user-menu-item="renew token"
-                  >
-                    Renew token
-                  </button>
-                </li>
-              {{/if}}
-              <ConfirmAction
-                @isInDropdown={{true}}
-                @confirmTitle="Revoke {{get this.auth 'authData.displayName'}}?"
-                @onConfirmAction={{action "revokeToken"}}
-                @buttonText="Revoke token"
-                @confirmMessage="You will not be able to log in again with this token."
-                data-test-user-menu-item="revoke token"
-              />
-            {{/if}}
-            <li class="action">
-              <LinkTo @route="vault.cluster.logout" @model={{this.currentCluster.cluster.name}} id="logout">
-                Log out
-              </LinkTo>
-            </li>
-          </ul>
-        </nav>
-      </div>
-    </div>
-  </Dropdown.Content>
-</BasicDropdown>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package pki
+
+import (
+	"bytes"
+	"context"
+	"encoding/pem"
+	"net/http"
+	"strings"
+
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/certutil"
+	"github.com/hashicorp/vault/sdk/logical"
+)
+
+func pathGenerateKey(b *backend) *framework.Path {
+	return &framework.Path{
+		Pattern: "keys/generate/(internal|exported|kms)",
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixPKI,
+			OperationVerb:   "generate",
+			OperationSuffix: "internal-key|exported-key|kms-key",
+		},
+
+		Fields: map[string]*framework.FieldSchema{
+			keyNameParam: {
+				Type:        framework.TypeString,
+				Description: "Optional name to be used for this key",
+			},
+			keyTypeParam: {
+				Type:    framework.TypeString,
+				Default: "rsa",
+				Description: `The type of key to use; defaults to RSA. "rsa"
+"ec" and "ed25519" are the only valid values.`,
+				AllowedValues: []interface{}{"rsa", "ec", "ed25519"},
+				DisplayAttrs: &framework.DisplayAttributes{
+					Value: "rsa",
+				},
+			},
+			keyBitsParam: {
+				Type:    framework.TypeInt,
+				Default: 0,
+				Description: `The number of bits to use. Allowed values are
+0 (universal default); with rsa key_type: 2048 (default), 3072, 4096 or 8192;
+with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.`,
+			},
+			"managed_key_name": {
+				Type: framework.TypeString,
+				Description: `The name of the managed key to use when the exported
+type is kms. When kms type is the key type, this field or managed_key_id
+is required. Ignored for other types.`,
+			},
+			"managed_key_id": {
+				Type: framework.TypeString,
+				Description: `The name of the managed key to use when the exported
+type is kms. When kms type is the key type, this field or managed_key_name
+is required. Ignored for other types.`,
+			},
+		},
+
+		Operations: map[logical.Operation]framework.OperationHandler{
+			logical.UpdateOperation: &framework.PathOperation{
+				Callback: b.pathGenerateKeyHandler,
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: "OK",
+						Fields: map[string]*framework.FieldSchema{
+							"key_id": {
+								Type:        framework.TypeString,
+								Description: `ID assigned to this key.`,
+								Required:    true,
+							},
+							"key_name": {
+								Type:        framework.TypeString,
+								Description: `Name assigned to this key.`,
+								Required:    true,
+							},
+							"key_type": {
+								Type: framework.TypeString,
+								Description: `The type of key to use; defaults to RSA. "rsa"
+								"ec" and "ed25519" are the only valid values.`,
+								Required: true,
+							},
+							"private_key": {
+								Type:        framework.TypeString,
+								Description: `The private key string`,
+								Required:    false,
+							},
+						},
+					}},
+				},
+
+				ForwardPerformanceStandby:   true,
+				ForwardPerformanceSecondary: true,
+			},
+		},
+
+		HelpSynopsis:    pathGenerateKeyHelpSyn,
+		HelpDescription: pathGenerateKeyHelpDesc,
+	}
+}
+
+const (
+	pathGenerateKeyHelpSyn  = `Generate a new private key used for signing.`
+	pathGenerateKeyHelpDesc = `This endpoint will generate a new key pair of the specified type (internal, exported, or kms).`
+)
+
+func (b *backend) pathGenerateKeyHandler(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	// Since we're planning on updating issuers here, grab the lock so we've
+	// got a consistent view.
+	b.issuersLock.Lock()
+	defer b.issuersLock.Unlock()
+
+	if b.useLegacyBundleCaStorage() {
+		return logical.ErrorResponse("Can not generate keys until migration has completed"), nil
+	}
+
+	sc := b.makeStorageContext(ctx, req.Storage)
+	keyName, err := getKeyName(sc, data)
+	if err != nil { // Fail Immediately if Key Name is in Use, etc...
+		return logical.ErrorResponse(err.Error()), nil
+	}
+
+	exportPrivateKey := false
+	var keyBundle certutil.KeyBundle
+	var actualPrivateKeyType certutil.PrivateKeyType
+	switch {
+	case strings.HasSuffix(req.Path, "/exported"):
+		exportPrivateKey = true
+		fallthrough
+	case strings.HasSuffix(req.Path, "/internal"):
+		keyType := data.Get(keyTypeParam).(string)
+		keyBits := data.Get(keyBitsParam).(int)
+
+		keyBits, _, err := certutil.ValidateDefaultOrValueKeyTypeSignatureLength(keyType, keyBits, 0)
+		if err != nil {
+			return logical.ErrorResponse("Validation for key_type, key_bits failed: %s", err.Error()), nil
+		}
+
+		// Internal key generation, stored in storage
+		keyBundle, err = certutil.CreateKeyBundle(keyType, keyBits, b.GetRandomReader())
+		if err != nil {
+			return nil, err
+		}
+
+		actualPrivateKeyType = keyBundle.PrivateKeyType
+	case strings.HasSuffix(req.Path, "/kms"):
+		keyId, err := getManagedKeyId(data)
+		if err != nil {
+			return nil, err
+		}
+
+		keyBundle, actualPrivateKeyType, err = createKmsKeyBundle(ctx, b, keyId)
+		if err != nil {
+			return nil, err
+		}
+	default:
+		return logical.ErrorResponse("Unknown type of key to generate"), nil
+	}
+
+	privateKeyPemString, err := keyBundle.ToPrivateKeyPemString()
+	if err != nil {
+		return nil, err
+	}
+
+	key, _, err := sc.importKey(privateKeyPemString, keyName, keyBundle.PrivateKeyType)
+	if err != nil {
+		return nil, err
+	}
+	responseData := map[string]interface{}{
+		keyIdParam:   key.ID,
+		keyNameParam: key.Name,
+		keyTypeParam: string(actualPrivateKeyType),
+	}
+	if exportPrivateKey {
+		responseData["private_key"] = privateKeyPemString
+	}
+	return &logical.Response{
+		Data: responseData,
+	}, nil
+}
+
+func pathImportKey(b *backend) *framework.Path {
+	return &framework.Path{
+		Pattern: "keys/import",
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixPKI,
+			OperationVerb:   "import",
+			OperationSuffix: "key",
+		},
+
+		Fields: map[string]*framework.FieldSchema{
+			keyNameParam: {
+				Type:        framework.TypeString,
+				Description: "Optional name to be used for this key",
+			},
+			"pem_bundle": {
+				Type:        framework.TypeString,
+				Description: `PEM-format, unencrypted secret key`,
+			},
+		},
+
+		Operations: map[logical.Operation]framework.OperationHandler{
+			logical.UpdateOperation: &framework.PathOperation{
+				Callback: b.pathImportKeyHandler,
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: "OK",
+						Fields: map[string]*framework.FieldSchema{
+							"key_id": {
+								Type:        framework.TypeString,
+								Description: `ID assigned to this key.`,
+								Required:    true,
+							},
+							"key_name": {
+								Type:        framework.TypeString,
+								Description: `Name assigned to this key.`,
+								Required:    true,
+							},
+							"key_type": {
+								Type: framework.TypeString,
+								Description: `The type of key to use; defaults to RSA. "rsa"
+								"ec" and "ed25519" are the only valid values.`,
+								Required: true,
+							},
+						},
+					}},
+				},
+				ForwardPerformanceStandby:   true,
+				ForwardPerformanceSecondary: true,
+			},
+		},
+
+		HelpSynopsis:    pathImportKeyHelpSyn,
+		HelpDescription: pathImportKeyHelpDesc,
+	}
+}
+
+const (
+	pathImportKeyHelpSyn  = `Import the specified key.`
+	pathImportKeyHelpDesc = `This endpoint allows importing a specified issuer key from a pem bundle.
+If key_name is set, that will be set on the key, assuming the key did not exist previously.`
+)
+
+func (b *backend) pathImportKeyHandler(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	// Since we're planning on updating issuers here, grab the lock so we've
+	// got a consistent view.
+	b.issuersLock.Lock()
+	defer b.issuersLock.Unlock()
+
+	if b.useLegacyBundleCaStorage() {
+		return logical.ErrorResponse("Cannot import keys until migration has completed"), nil
+	}
+
+	sc := b.makeStorageContext(ctx, req.Storage)
+	pemBundle := data.Get("pem_bundle").(string)
+	keyName, err := getKeyName(sc, data)
+	if err != nil {
+		return logical.ErrorResponse(err.Error()), nil
+	}
+
+	if len(pemBundle) < 64 {
+		// It is almost nearly impossible to store a complete key in
+		// less than 64 bytes. It is definitely impossible to do so when PEM
+		// encoding has been applied. Detect this and give a better warning
+		// than "provided PEM block contained no data" in this case. This is
+		// because the PEM headers contain 5*4 + 6 + 4 + 2 + 2 = 34 characters
+		// minimum (five dashes, "BEGIN" + space + at least one character
+		// identifier, "END" + space + at least one character identifier, and
+		// a pair of new lines). That would leave 30 bytes for Base64 data,
+		// meaning at most a 22-byte DER key. Even with a 128-bit key, 6 bytes
+		// is not sufficient for the required ASN.1 structure and OID encoding.
+		//
+		// However, < 64 bytes is probably a good length for a file path so
+		// suggest that is the case.
+		return logical.ErrorResponse("provided data for import was too short; perhaps a path was passed to the API rather than the contents of a PEM file"), nil
+	}
+
+	pemBytes := []byte(pemBundle)
+	var pemBlock *pem.Block
+
+	var keys []string
+	for len(bytes.TrimSpace(pemBytes)) > 0 {
+		pemBlock, pemBytes = pem.Decode(pemBytes)
+		if pemBlock == nil {
+			return logical.ErrorResponse("provided PEM block contained no data"), nil
+		}
+
+		pemBlockString := string(pem.EncodeToMemory(pemBlock))
+		keys = append(keys, pemBlockString)
+	}
+
+	if len(keys) != 1 {
+		return logical.ErrorResponse("only a single key can be present within the pem_bundle for importing"), nil
+	}
+
+	key, existed, err := importKeyFromBytes(sc, keys[0], keyName)
+	if err != nil {
+		return logical.ErrorResponse(err.Error()), nil
+	}
+
+	resp := logical.Response{
+		Data: map[string]interface{}{
+			keyIdParam:   key.ID,
+			keyNameParam: key.Name,
+			keyTypeParam: key.PrivateKeyType,
+		},
+	}
+
+	if existed {
+		resp.AddWarning("Key already imported, use key/ endpoint to update name.")
+	}
+
+	return &resp, nil
+}
diff --git a/ui/app/components/splash-page.hbs b/ui/app/components/splash-page.hbs
new file mode 100644
index 000000000000..7480b2ed3ff9
--- /dev/null
+++ b/ui/app/components/splash-page.hbs
@@ -0,0 +1,441 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package pki
+
+import (
+	"context"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"
+
+	"github.com/hashicorp/vault/sdk/helper/certutil"
+
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/stretchr/testify/require"
+)
+
+func TestPKI_PathManageKeys_GenerateInternalKeys(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	tests := []struct {
+		name           string
+		keyType        string
+		keyBits        []int
+		wantLogicalErr bool
+	}{
+		{"all-defaults", "", []int{0}, false},
+		{"rsa", "rsa", []int{0, 2048, 3072, 4096, 8192}, false},
+		{"ec", "ec", []int{0, 224, 256, 384, 521}, false},
+		{"ed25519", "ed25519", []int{0}, false},
+		{"error-rsa", "rsa", []int{-1, 343444}, true},
+		{"error-ec", "ec", []int{-1, 3434324}, true},
+		{"error-bad-type", "dskjfkdsfjdkf", []int{0}, true},
+	}
+	for _, tt := range tests {
+		tt := tt
+		for _, keyBitParam := range tt.keyBits {
+			keyName := fmt.Sprintf("%s-%d", tt.name, keyBitParam)
+			t.Run(keyName, func(t *testing.T) {
+				data := make(map[string]interface{})
+				if tt.keyType != "" {
+					data["key_type"] = tt.keyType
+				}
+				if keyBitParam != 0 {
+					data["key_bits"] = keyBitParam
+				}
+				keyName = genUuid() + "-" + tt.keyType + "-key-name"
+				data["key_name"] = keyName
+				resp, err := b.HandleRequest(context.Background(), &logical.Request{
+					Operation:  logical.UpdateOperation,
+					Path:       "keys/generate/internal",
+					Storage:    s,
+					Data:       data,
+					MountPoint: "pki/",
+				})
+				require.NoError(t, err,
+					"Failed generating key with values key_type:%s key_bits:%d key_name:%s", tt.keyType, keyBitParam, keyName)
+				require.NotNil(t, resp,
+					"Got nil response generating key with values key_type:%s key_bits:%d key_name:%s", tt.keyType, keyBitParam, keyName)
+				if tt.wantLogicalErr {
+					require.True(t, resp.IsError(), "expected logical error but the request passed:\n%#v", resp)
+				} else {
+					require.False(t, resp.IsError(),
+						"Got logical error response when not expecting one, "+
+							"generating key with values key_type:%s key_bits:%d key_name:%s\n%s", tt.keyType, keyBitParam, keyName, resp.Error())
+
+					// Special case our all-defaults
+					if tt.keyType == "" {
+						tt.keyType = "rsa"
+					}
+
+					require.Equal(t, tt.keyType, resp.Data["key_type"], "key_type field contained an invalid type")
+					require.NotEmpty(t, resp.Data["key_id"], "returned an empty key_id field, should never happen")
+					require.Equal(t, keyName, resp.Data["key_name"], "key name was not processed correctly")
+					require.Nil(t, resp.Data["private_key"], "private_key field should not appear in internal generation type.")
+				}
+			})
+		}
+	}
+}
+
+func TestPKI_PathManageKeys_GenerateExportedKeys(t *testing.T) {
+	t.Parallel()
+	// We tested a lot of the logic above within the internal test, so just make sure we honor the exported contract
+	b, s := CreateBackendWithStorage(t)
+
+	resp, err := b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "keys/generate/exported",
+		Storage:   s,
+		Data: map[string]interface{}{
+			"key_type": "ec",
+			"key_bits": 224,
+		},
+		MountPoint: "pki/",
+	})
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("keys/generate/exported"), logical.UpdateOperation), resp, true)
+
+	require.NoError(t, err, "Failed generating exported key")
+	require.NotNil(t, resp, "Got nil response generating exported key")
+	require.Equal(t, "ec", resp.Data["key_type"], "key_type field contained an invalid type")
+	require.NotEmpty(t, resp.Data["key_id"], "returned an empty key_id field, should never happen")
+	require.Empty(t, resp.Data["key_name"], "key name should have been empty but was not")
+	require.NotEmpty(t, resp.Data["private_key"], "private_key field should not be empty in exported generation type.")
+
+	// Make sure we can decode our private key as expected
+	keyData := resp.Data["private_key"].(string)
+	block, rest := pem.Decode([]byte(keyData))
+	require.Empty(t, rest, "should not have had any trailing data")
+	require.NotEmpty(t, block, "failed decoding pem block")
+
+	key, err := x509.ParseECPrivateKey(block.Bytes)
+	require.NoError(t, err, "failed parsing pem block as ec private key")
+	require.Equal(t, elliptic.P224(), key.Curve, "got unexpected curve value in returned private key")
+}
+
+func TestPKI_PathManageKeys_ImportKeyBundle(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	bundle1, err := certutil.CreateKeyBundle("ec", 224, rand.Reader)
+	require.NoError(t, err, "failed generating an ec key bundle")
+	bundle2, err := certutil.CreateKeyBundle("rsa", 2048, rand.Reader)
+	require.NoError(t, err, "failed generating an rsa key bundle")
+	pem1, err := bundle1.ToPrivateKeyPemString()
+	require.NoError(t, err, "failed converting ec key to pem")
+	pem2, err := bundle2.ToPrivateKeyPemString()
+	require.NoError(t, err, "failed converting rsa key to pem")
+
+	resp, err := b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "keys/import",
+		Storage:   s,
+		Data: map[string]interface{}{
+			"key_name":   "my-ec-key",
+			"pem_bundle": pem1,
+		},
+		MountPoint: "pki/",
+	})
+
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("keys/import"), logical.UpdateOperation), resp, true)
+
+	require.NoError(t, err, "Failed importing ec key")
+	require.NotNil(t, resp, "Got nil response importing ec key")
+	require.False(t, resp.IsError(), "received an error response: %v", resp.Error())
+	require.NotEmpty(t, resp.Data["key_id"], "key id for ec import response was empty")
+	require.Equal(t, "my-ec-key", resp.Data["key_name"], "key_name was incorrect for ec key")
+	require.Equal(t, certutil.ECPrivateKey, resp.Data["key_type"])
+	keyId1 := resp.Data["key_id"].(keyID)
+
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "keys/import",
+		Storage:   s,
+		Data: map[string]interface{}{
+			"key_name":   "my-rsa-key",
+			"pem_bundle": pem2,
+		},
+		MountPoint: "pki/",
+	})
+	require.NoError(t, err, "Failed importing rsa key")
+	require.NotNil(t, resp, "Got nil response importing rsa key")
+	require.False(t, resp.IsError(), "received an error response: %v", resp.Error())
+	require.NotEmpty(t, resp.Data["key_id"], "key id for rsa import response was empty")
+	require.Equal(t, "my-rsa-key", resp.Data["key_name"], "key_name was incorrect for ec key")
+	require.Equal(t, certutil.RSAPrivateKey, resp.Data["key_type"])
+	keyId2 := resp.Data["key_id"].(keyID)
+
+	require.NotEqual(t, keyId1, keyId2)
+
+	// Attempt to reimport the same key with a different name.
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "keys/import",
+		Storage:   s,
+		Data: map[string]interface{}{
+			"key_name":   "my-new-ec-key",
+			"pem_bundle": pem1,
+		},
+		MountPoint: "pki/",
+	})
+	require.NoError(t, err, "Failed importing the same ec key")
+	require.NotNil(t, resp, "Got nil response importing the same ec key")
+	require.False(t, resp.IsError(), "received an error response: %v", resp.Error())
+	require.NotEmpty(t, resp.Data["key_id"], "key id for ec import response was empty")
+	// Note we should receive back the original name, not the new updated name.
+	require.Equal(t, "my-ec-key", resp.Data["key_name"], "key_name was incorrect for ec key")
+	require.Equal(t, certutil.ECPrivateKey, resp.Data["key_type"])
+	keyIdReimport := resp.Data["key_id"]
+	require.Equal(t, keyId1, keyIdReimport, "the re-imported key did not return the same key id")
+
+	// Make sure we can not reuse an existing name across different keys.
+	bundle3, err := certutil.CreateKeyBundle("ec", 224, rand.Reader)
+	require.NoError(t, err, "failed generating an ec key bundle")
+	pem3, err := bundle3.ToPrivateKeyPemString()
+	require.NoError(t, err, "failed converting rsa key to pem")
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "keys/import",
+		Storage:   s,
+		Data: map[string]interface{}{
+			"key_name":   "my-ec-key",
+			"pem_bundle": pem3,
+		},
+		MountPoint: "pki/",
+	})
+	require.NoError(t, err, "Failed importing the same ec key")
+	require.NotNil(t, resp, "Got nil response importing the same ec key")
+	require.True(t, resp.IsError(), "should have received an error response importing a key with a re-used name")
+
+	// Delete the key to make sure re-importing gets another ID
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation:  logical.DeleteOperation,
+		Path:       "key/" + keyId2.String(),
+		Storage:    s,
+		MountPoint: "pki/",
+	})
+	require.NoError(t, err, "failed deleting keyId 2")
+	require.Nil(t, resp, "Got non-nil response deleting the key: %#v", resp)
+
+	// Deleting a non-existent key should be okay...
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation:  logical.DeleteOperation,
+		Path:       "key/" + keyId2.String(),
+		Storage:    s,
+		MountPoint: "pki/",
+	})
+	require.NoError(t, err, "failed deleting keyId 2")
+	require.Nil(t, resp, "Got non-nil response deleting the key: %#v", resp)
+
+	// Let's reimport key 2 post-deletion to make sure we re-generate a new key id
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "keys/import",
+		Storage:   s,
+		Data: map[string]interface{}{
+			"key_name":   "my-rsa-key",
+			"pem_bundle": pem2,
+		},
+		MountPoint: "pki/",
+	})
+	require.NoError(t, err, "Failed importing rsa key")
+	require.NotNil(t, resp, "Got nil response importing rsa key")
+	require.False(t, resp.IsError(), "received an error response: %v", resp.Error())
+	require.NotEmpty(t, resp.Data["key_id"], "key id for rsa import response was empty")
+	require.Equal(t, "my-rsa-key", resp.Data["key_name"], "key_name was incorrect for ec key")
+	require.Equal(t, certutil.RSAPrivateKey, resp.Data["key_type"])
+	keyId2Reimport := resp.Data["key_id"].(keyID)
+
+	require.NotEqual(t, keyId2, keyId2Reimport, "re-importing key 2 did not generate a new key id")
+}
+
+func TestPKI_PathManageKeys_DeleteDefaultKeyWarns(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	resp, err := b.HandleRequest(context.Background(), &logical.Request{
+		Operation:  logical.UpdateOperation,
+		Path:       "keys/generate/internal",
+		Storage:    s,
+		Data:       map[string]interface{}{"key_type": "ec"},
+		MountPoint: "pki/",
+	})
+	require.NoError(t, err, "Failed generating key")
+	require.NotNil(t, resp, "Got nil response generating key")
+	require.False(t, resp.IsError(), "resp contained errors generating key: %#v", resp.Error())
+	keyId := resp.Data["key_id"].(keyID)
+
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation:  logical.DeleteOperation,
+		Path:       "key/" + keyId.String(),
+		Storage:    s,
+		MountPoint: "pki/",
+	})
+	require.NoError(t, err, "failed deleting default key")
+	require.NotNil(t, resp, "Got nil response deleting the default key")
+	require.False(t, resp.IsError(), "expected no errors deleting default key: %#v", resp.Error())
+	require.NotEmpty(t, resp.Warnings, "expected warnings to be populated on deleting default key")
+}
+
+func TestPKI_PathManageKeys_DeleteUsedKeyFails(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	resp, err := b.HandleRequest(context.Background(), &logical.Request{
+		Operation:  logical.UpdateOperation,
+		Path:       "issuers/generate/root/internal",
+		Storage:    s,
+		Data:       map[string]interface{}{"common_name": "test.com"},
+		MountPoint: "pki/",
+	})
+	require.NoError(t, err, "Failed generating issuer")
+	require.NotNil(t, resp, "Got nil response generating issuer")
+	require.False(t, resp.IsError(), "resp contained errors generating issuer: %#v", resp.Error())
+	keyId := resp.Data["key_id"].(keyID)
+
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation:  logical.DeleteOperation,
+		Path:       "key/" + keyId.String(),
+		Storage:    s,
+		MountPoint: "pki/",
+	})
+	require.NoError(t, err, "failed deleting key used by an issuer")
+	require.NotNil(t, resp, "Got nil response deleting key used by an issuer")
+	require.True(t, resp.IsError(), "expected an error deleting key used by an issuer")
+}
+
+func TestPKI_PathManageKeys_UpdateKeyDetails(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	resp, err := b.HandleRequest(context.Background(), &logical.Request{
+		Operation:  logical.UpdateOperation,
+		Path:       "keys/generate/internal",
+		Storage:    s,
+		Data:       map[string]interface{}{"key_type": "ec"},
+		MountPoint: "pki/",
+	})
+	require.NoError(t, err, "Failed generating key")
+	require.NotNil(t, resp, "Got nil response generating key")
+	require.False(t, resp.IsError(), "resp contained errors generating key: %#v", resp.Error())
+	keyId := resp.Data["key_id"].(keyID)
+
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation:  logical.UpdateOperation,
+		Path:       "key/" + keyId.String(),
+		Storage:    s,
+		Data:       map[string]interface{}{"key_name": "new-name"},
+		MountPoint: "pki/",
+	})
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("key/"+keyId.String()), logical.UpdateOperation), resp, true)
+
+	require.NoError(t, err, "failed updating key with new name")
+	require.NotNil(t, resp, "Got nil response updating key with new name")
+	require.False(t, resp.IsError(), "unexpected error updating key with new name: %#v", resp.Error())
+
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation:  logical.ReadOperation,
+		Path:       "key/" + keyId.String(),
+		Storage:    s,
+		MountPoint: "pki/",
+	})
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("key/"+keyId.String()), logical.ReadOperation), resp, true)
+
+	require.NoError(t, err, "failed reading key after name update")
+	require.NotNil(t, resp, "Got nil response reading key after name update")
+	require.False(t, resp.IsError(), "unexpected error reading key: %#v", resp.Error())
+	keyName := resp.Data["key_name"].(string)
+
+	require.Equal(t, "new-name", keyName, "failed to update key_name expected: new-name was: %s", keyName)
+
+	// Make sure we do not allow updates to invalid name values
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation:  logical.UpdateOperation,
+		Path:       "key/" + keyId.String(),
+		Storage:    s,
+		Data:       map[string]interface{}{"key_name": "a-bad\\-name"},
+		MountPoint: "pki/",
+	})
+	require.NoError(t, err, "failed updating key with a bad name")
+	require.NotNil(t, resp, "Got nil response updating key with a bad name")
+	require.True(t, resp.IsError(), "expected an error updating key with a bad name, but did not get one.")
+}
+
+func TestPKI_PathManageKeys_ImportKeyBundleBadData(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	resp, err := b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "keys/import",
+		Storage:   s,
+		Data: map[string]interface{}{
+			"key_name":   "my-ec-key",
+			"pem_bundle": "this-is-not-a-pem-bundle",
+		},
+		MountPoint: "pki/",
+	})
+	require.NoError(t, err, "got a 500 error type response from a bad pem bundle")
+	require.NotNil(t, resp, "Got nil response importing a bad pem bundle")
+	require.True(t, resp.IsError(), "should have received an error response importing a bad pem bundle")
+
+	// Make sure we also bomb on a proper certificate
+	bundle := genCertBundle(t, b, s)
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "keys/import",
+		Storage:   s,
+		Data: map[string]interface{}{
+			"pem_bundle": bundle.Certificate,
+		},
+		MountPoint: "pki/",
+	})
+	require.NoError(t, err, "got a 500 error type response from a certificate pem bundle")
+	require.NotNil(t, resp, "Got nil response importing a certificate bundle")
+	require.True(t, resp.IsError(), "should have received an error response importing a certificate pem bundle")
+}
+
+func TestPKI_PathManageKeys_ImportKeyRejectsMultipleKeys(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	bundle1, err := certutil.CreateKeyBundle("ec", 224, rand.Reader)
+	require.NoError(t, err, "failed generating an ec key bundle")
+	bundle2, err := certutil.CreateKeyBundle("rsa", 2048, rand.Reader)
+	require.NoError(t, err, "failed generating an rsa key bundle")
+	pem1, err := bundle1.ToPrivateKeyPemString()
+	require.NoError(t, err, "failed converting ec key to pem")
+	pem2, err := bundle2.ToPrivateKeyPemString()
+	require.NoError(t, err, "failed converting rsa key to pem")
+
+	importPem := pem1 + "\n" + pem2
+
+	resp, err := b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "keys/import",
+		Storage:   s,
+		Data: map[string]interface{}{
+			"key_name":   "my-ec-key",
+			"pem_bundle": importPem,
+		},
+		MountPoint: "pki/",
+	})
+	require.NoError(t, err, "got a 500 error type response from a bad pem bundle")
+	require.NotNil(t, resp, "Got nil response importing a bad pem bundle")
+	require.True(t, resp.IsError(), "should have received an error response importing a pem bundle with more than 1 key")
+
+	ctx := context.Background()
+	sc := b.makeStorageContext(ctx, s)
+	keys, _ := sc.listKeys()
+	for _, keyId := range keys {
+		id, _ := sc.fetchKeyById(keyId)
+		t.Logf("%s:%s", id.ID, id.Name)
+	}
+}
diff --git a/ui/app/components/splash-page.js b/ui/app/components/splash-page.js
index ec1634e6d521..6dac24d5cd7f 100644
--- a/ui/app/components/splash-page.js
+++ b/ui/app/components/splash-page.js
@@ -1,34 +1,535 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-/**
- * @module SplashPage
- * SplashPage component is used as a landing page with a box horizontally and center aligned on the page. It's used as the login landing page.
- *
- *
- * @example
- * ```js
- * <SplashPage >
- * content here
- * </SplashPage
- * ```
- * @param {boolean} [hasAltContent] - boolean to bypass container styling
- * @param {boolean} [showTruncatedNavBar = true] - boolean to hide or show the navBar. By default this is true.
- *
- */
-
-import Component from '@glimmer/component';
-import { inject as service } from '@ember/service';
-
-export default class SplashPage extends Component {
-  @service version;
-  @service auth;
-  @service store;
-
-  get showTruncatedNavBar() {
-    // default is true unless showTruncatedNavBar is defined as false
-    return this.args.showTruncatedNavBar === false ? false : true;
-  }
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package pki
+
+import (
+	"bytes"
+	"context"
+	"crypto"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/asn1"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io"
+	"math/big"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/hashicorp/go-secure-stdlib/parseutil"
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/certutil"
+	"github.com/hashicorp/vault/sdk/helper/errutil"
+	"github.com/hashicorp/vault/sdk/logical"
+	"golang.org/x/crypto/ocsp"
+)
+
+const (
+	ocspReqParam            = "req"
+	ocspResponseContentType = "application/ocsp-response"
+	maximumRequestSize      = 2048 // A normal simple request is 87 bytes, so give us some buffer
+)
+
+type ocspRespInfo struct {
+	serialNumber      *big.Int
+	ocspStatus        int
+	revocationTimeUTC *time.Time
+	issuerID          issuerID
+}
+
+// These response variables should not be mutated, instead treat them as constants
+var (
+	OcspUnauthorizedResponse = &logical.Response{
+		Data: map[string]interface{}{
+			logical.HTTPContentType: ocspResponseContentType,
+			logical.HTTPStatusCode:  http.StatusUnauthorized,
+			logical.HTTPRawBody:     ocsp.UnauthorizedErrorResponse,
+		},
+	}
+	OcspMalformedResponse = &logical.Response{
+		Data: map[string]interface{}{
+			logical.HTTPContentType: ocspResponseContentType,
+			logical.HTTPStatusCode:  http.StatusBadRequest,
+			logical.HTTPRawBody:     ocsp.MalformedRequestErrorResponse,
+		},
+	}
+	OcspInternalErrorResponse = &logical.Response{
+		Data: map[string]interface{}{
+			logical.HTTPContentType: ocspResponseContentType,
+			logical.HTTPStatusCode:  http.StatusInternalServerError,
+			logical.HTTPRawBody:     ocsp.InternalErrorErrorResponse,
+		},
+	}
+
+	ErrMissingOcspUsage = errors.New("issuer entry did not have the OCSPSigning usage")
+	ErrIssuerHasNoKey   = errors.New("issuer has no key")
+	ErrUnknownIssuer    = errors.New("unknown issuer")
+)
+
+func buildPathOcspGet(b *backend) *framework.Path {
+	pattern := "ocsp/" + framework.MatchAllRegex(ocspReqParam)
+
+	displayAttrs := &framework.DisplayAttributes{
+		OperationPrefix: operationPrefixPKI,
+		OperationVerb:   "query",
+		OperationSuffix: "ocsp-with-get-req",
+	}
+
+	return buildOcspGetWithPath(b, pattern, displayAttrs)
+}
+
+func buildPathUnifiedOcspGet(b *backend) *framework.Path {
+	pattern := "unified-ocsp/" + framework.MatchAllRegex(ocspReqParam)
+
+	displayAttrs := &framework.DisplayAttributes{
+		OperationPrefix: operationPrefixPKI,
+		OperationVerb:   "query",
+		OperationSuffix: "unified-ocsp-with-get-req",
+	}
+
+	return buildOcspGetWithPath(b, pattern, displayAttrs)
+}
+
+func buildOcspGetWithPath(b *backend, pattern string, displayAttrs *framework.DisplayAttributes) *framework.Path {
+	return &framework.Path{
+		Pattern:      pattern,
+		DisplayAttrs: displayAttrs,
+		Fields: map[string]*framework.FieldSchema{
+			ocspReqParam: {
+				Type:        framework.TypeString,
+				Description: "base-64 encoded ocsp request",
+			},
+		},
+		Operations: map[logical.Operation]framework.OperationHandler{
+			logical.ReadOperation: &framework.PathOperation{
+				Callback: b.ocspHandler,
+			},
+		},
+
+		HelpSynopsis:    pathOcspHelpSyn,
+		HelpDescription: pathOcspHelpDesc,
+	}
+}
+
+func buildPathOcspPost(b *backend) *framework.Path {
+	pattern := "ocsp"
+
+	displayAttrs := &framework.DisplayAttributes{
+		OperationPrefix: operationPrefixPKI,
+		OperationVerb:   "query",
+		OperationSuffix: "ocsp",
+	}
+
+	return buildOcspPostWithPath(b, pattern, displayAttrs)
+}
+
+func buildPathUnifiedOcspPost(b *backend) *framework.Path {
+	pattern := "unified-ocsp"
+
+	displayAttrs := &framework.DisplayAttributes{
+		OperationPrefix: operationPrefixPKI,
+		OperationVerb:   "query",
+		OperationSuffix: "unified-ocsp",
+	}
+
+	return buildOcspPostWithPath(b, pattern, displayAttrs)
+}
+
+func buildOcspPostWithPath(b *backend, pattern string, displayAttrs *framework.DisplayAttributes) *framework.Path {
+	return &framework.Path{
+		Pattern:      pattern,
+		DisplayAttrs: displayAttrs,
+		Operations: map[logical.Operation]framework.OperationHandler{
+			logical.UpdateOperation: &framework.PathOperation{
+				Callback: b.ocspHandler,
+			},
+		},
+
+		HelpSynopsis:    pathOcspHelpSyn,
+		HelpDescription: pathOcspHelpDesc,
+	}
+}
+
+func (b *backend) ocspHandler(ctx context.Context, request *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	sc := b.makeStorageContext(ctx, request.Storage)
+	cfg, err := b.crlBuilder.getConfigWithUpdate(sc)
+	if err != nil || cfg.OcspDisable || (isUnifiedOcspPath(request) && !cfg.UnifiedCRL) {
+		return OcspUnauthorizedResponse, nil
+	}
+
+	derReq, err := fetchDerEncodedRequest(request, data)
+	if err != nil {
+		return OcspMalformedResponse, nil
+	}
+
+	ocspReq, err := ocsp.ParseRequest(derReq)
+	if err != nil {
+		return OcspMalformedResponse, nil
+	}
+
+	useUnifiedStorage := canUseUnifiedStorage(request, cfg)
+
+	ocspStatus, err := getOcspStatus(sc, ocspReq, useUnifiedStorage)
+	if err != nil {
+		return logAndReturnInternalError(b, err), nil
+	}
+
+	caBundle, issuer, err := lookupOcspIssuer(sc, ocspReq, ocspStatus.issuerID)
+	if err != nil {
+		if errors.Is(err, ErrUnknownIssuer) {
+			// Since we were not able to find a matching issuer for the incoming request
+			// generate an Unknown OCSP response. This might turn into an Unauthorized if
+			// we find out that we don't have a default issuer or it's missing the proper Usage flags
+			return generateUnknownResponse(cfg, sc, ocspReq), nil
+		}
+		if errors.Is(err, ErrMissingOcspUsage) {
+			// If we did find a matching issuer but aren't allowed to sign, the spec says
+			// we should be responding with an Unauthorized response as we don't have the
+			// ability to sign the response.
+			// https://www.rfc-editor.org/rfc/rfc5019#section-2.2.3
+			return OcspUnauthorizedResponse, nil
+		}
+		return logAndReturnInternalError(b, err), nil
+	}
+
+	byteResp, err := genResponse(cfg, caBundle, ocspStatus, ocspReq.HashAlgorithm, issuer.RevocationSigAlg)
+	if err != nil {
+		return logAndReturnInternalError(b, err), nil
+	}
+
+	return &logical.Response{
+		Data: map[string]interface{}{
+			logical.HTTPContentType: ocspResponseContentType,
+			logical.HTTPStatusCode:  http.StatusOK,
+			logical.HTTPRawBody:     byteResp,
+		},
+	}, nil
+}
+
+func canUseUnifiedStorage(req *logical.Request, cfg *crlConfig) bool {
+	if isUnifiedOcspPath(req) {
+		return true
+	}
+
+	// We are operating on the existing /pki/ocsp path, both of these fields need to be enabled
+	// for us to use the unified path.
+	return shouldLocalPathsUseUnified(cfg)
+}
+
+func isUnifiedOcspPath(req *logical.Request) bool {
+	return strings.HasPrefix(req.Path, "unified-ocsp")
+}
+
+func generateUnknownResponse(cfg *crlConfig, sc *storageContext, ocspReq *ocsp.Request) *logical.Response {
+	// Generate an Unknown OCSP response, signing with the default issuer from the mount as we did
+	// not match the request's issuer. If no default issuer can be used, return with Unauthorized as there
+	// isn't much else we can do at this point.
+	config, err := sc.getIssuersConfig()
+	if err != nil {
+		return logAndReturnInternalError(sc.Backend, err)
+	}
+
+	if config.DefaultIssuerId == "" {
+		// If we don't have any issuers or default issuers set, no way to sign a response so Unauthorized it is.
+		return OcspUnauthorizedResponse
+	}
+
+	caBundle, issuer, err := getOcspIssuerParsedBundle(sc, config.DefaultIssuerId)
+	if err != nil {
+		if errors.Is(err, ErrUnknownIssuer) || errors.Is(err, ErrIssuerHasNoKey) {
+			// We must have raced on a delete/update of the default issuer, anyways
+			// no way to sign a response so Unauthorized it is.
+			return OcspUnauthorizedResponse
+		}
+		return logAndReturnInternalError(sc.Backend, err)
+	}
+
+	if !issuer.Usage.HasUsage(OCSPSigningUsage) {
+		// If we don't have any issuers or default issuers set, no way to sign a response so Unauthorized it is.
+		return OcspUnauthorizedResponse
+	}
+
+	info := &ocspRespInfo{
+		serialNumber: ocspReq.SerialNumber,
+		ocspStatus:   ocsp.Unknown,
+	}
+
+	byteResp, err := genResponse(cfg, caBundle, info, ocspReq.HashAlgorithm, issuer.RevocationSigAlg)
+	if err != nil {
+		return logAndReturnInternalError(sc.Backend, err)
+	}
+
+	return &logical.Response{
+		Data: map[string]interface{}{
+			logical.HTTPContentType: ocspResponseContentType,
+			logical.HTTPStatusCode:  http.StatusOK,
+			logical.HTTPRawBody:     byteResp,
+		},
+	}
 }
+
+func fetchDerEncodedRequest(request *logical.Request, data *framework.FieldData) ([]byte, error) {
+	switch request.Operation {
+	case logical.ReadOperation:
+		// The param within the GET request should have a base64 encoded version of a DER request.
+		base64Req := data.Get(ocspReqParam).(string)
+		if base64Req == "" {
+			return nil, errors.New("no base64 encoded ocsp request was found")
+		}
+
+		if len(base64Req) >= maximumRequestSize {
+			return nil, errors.New("request is too large")
+		}
+
+		return base64.StdEncoding.DecodeString(base64Req)
+	case logical.UpdateOperation:
+		// POST bodies should contain the binary form of the DER request.
+		// NOTE: Writing an empty update request to Vault causes a nil request.HTTPRequest, and that object
+		//       says that it is possible for its Body element to be nil as well, so check both just in case.
+		if request.HTTPRequest == nil {
+			return nil, errors.New("no data in request")
+		}
+		rawBody := request.HTTPRequest.Body
+		if rawBody == nil {
+			return nil, errors.New("no data in request body")
+		}
+		defer rawBody.Close()
+
+		requestBytes, err := io.ReadAll(io.LimitReader(rawBody, maximumRequestSize))
+		if err != nil {
+			return nil, err
+		}
+
+		if len(requestBytes) >= maximumRequestSize {
+			return nil, errors.New("request is too large")
+		}
+		return requestBytes, nil
+	default:
+		return nil, fmt.Errorf("unsupported request method: %s", request.Operation)
+	}
+}
+
+func logAndReturnInternalError(b *backend, err error) *logical.Response {
+	// Since OCSP might be a high traffic endpoint, we will log at debug level only
+	// any internal errors we do get. There is no way for us to return to the end-user
+	// errors, so we rely on the log statement to help in debugging possible
+	// issues in the field.
+	b.Logger().Debug("OCSP internal error", "error", err)
+	return OcspInternalErrorResponse
+}
+
+func getOcspStatus(sc *storageContext, ocspReq *ocsp.Request, useUnifiedStorage bool) (*ocspRespInfo, error) {
+	revEntryRaw, err := fetchCertBySerialBigInt(sc, revokedPath, ocspReq.SerialNumber)
+	if err != nil {
+		return nil, err
+	}
+
+	info := ocspRespInfo{
+		serialNumber: ocspReq.SerialNumber,
+		ocspStatus:   ocsp.Good,
+	}
+
+	if revEntryRaw != nil {
+		var revEntry revocationInfo
+		if err := revEntryRaw.DecodeJSON(&revEntry); err != nil {
+			return nil, err
+		}
+
+		info.ocspStatus = ocsp.Revoked
+		info.revocationTimeUTC = &revEntry.RevocationTimeUTC
+		info.issuerID = revEntry.CertificateIssuer // This might be empty if the CRL hasn't been rebuilt
+	} else if useUnifiedStorage {
+		dashSerial := normalizeSerialFromBigInt(ocspReq.SerialNumber)
+		unifiedEntry, err := getUnifiedRevocationBySerial(sc, dashSerial)
+		if err != nil {
+			return nil, err
+		}
+
+		if unifiedEntry != nil {
+			info.ocspStatus = ocsp.Revoked
+			info.revocationTimeUTC = &unifiedEntry.RevocationTimeUTC
+			info.issuerID = unifiedEntry.CertificateIssuer
+		}
+	}
+
+	return &info, nil
+}
+
+func lookupOcspIssuer(sc *storageContext, req *ocsp.Request, optRevokedIssuer issuerID) (*certutil.ParsedCertBundle, *issuerEntry, error) {
+	reqHash := req.HashAlgorithm
+	if !reqHash.Available() {
+		return nil, nil, x509.ErrUnsupportedAlgorithm
+	}
+
+	// This will prime up issuerIds, with either the optRevokedIssuer value if set
+	// or if we are operating in legacy storage mode, the shim bundle id or finally
+	// a list of all our issuers in this mount.
+	issuerIds, err := lookupIssuerIds(sc, optRevokedIssuer)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	matchedButNoUsage := false
+	for _, issuerId := range issuerIds {
+		parsedBundle, issuer, err := getOcspIssuerParsedBundle(sc, issuerId)
+		if err != nil {
+			// A bit touchy here as if we get an ErrUnknownIssuer for an issuer id that we picked up
+			// from a revocation entry, we still return an ErrUnknownOcspIssuer as we can't validate
+			// the end-user actually meant this specific issuer's cert with serial X.
+			if errors.Is(err, ErrUnknownIssuer) || errors.Is(err, ErrIssuerHasNoKey) {
+				// This skips either bad issuer ids, or root certs with no keys that we can't use.
+				continue
+			}
+			return nil, nil, err
+		}
+
+		// Make sure the client and Vault are talking about the same issuer, otherwise
+		// we might have a case of a matching serial number for a different issuer which
+		// we should not respond back in the affirmative about.
+		matches, err := doesRequestMatchIssuer(parsedBundle, req)
+		if err != nil {
+			return nil, nil, err
+		}
+
+		if matches {
+			if !issuer.Usage.HasUsage(OCSPSigningUsage) {
+				matchedButNoUsage = true
+				// We found a matching issuer, but it's not allowed to sign the
+				// response, there might be another issuer that we rotated
+				// that will match though, so keep iterating.
+				continue
+			}
+
+			return parsedBundle, issuer, nil
+		}
+	}
+
+	if matchedButNoUsage {
+		// We matched an issuer but it did not have an OCSP signing usage set so bail.
+		return nil, nil, ErrMissingOcspUsage
+	}
+
+	return nil, nil, ErrUnknownIssuer
+}
+
+func getOcspIssuerParsedBundle(sc *storageContext, issuerId issuerID) (*certutil.ParsedCertBundle, *issuerEntry, error) {
+	issuer, bundle, err := sc.fetchCertBundleByIssuerId(issuerId, true)
+	if err != nil {
+		switch err.(type) {
+		case errutil.UserError:
+			// Most likely the issuer id no longer exists skip it
+			return nil, nil, ErrUnknownIssuer
+		default:
+			return nil, nil, err
+		}
+	}
+
+	if issuer.KeyID == "" {
+		// No point if the key does not exist from the issuer to use as a signer.
+		return nil, nil, ErrIssuerHasNoKey
+	}
+
+	caBundle, err := parseCABundle(sc.Context, sc.Backend, bundle)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return caBundle, issuer, nil
+}
+
+func lookupIssuerIds(sc *storageContext, optRevokedIssuer issuerID) ([]issuerID, error) {
+	if optRevokedIssuer != "" {
+		return []issuerID{optRevokedIssuer}, nil
+	}
+
+	if sc.Backend.useLegacyBundleCaStorage() {
+		return []issuerID{legacyBundleShimID}, nil
+	}
+
+	return sc.listIssuers()
+}
+
+func doesRequestMatchIssuer(parsedBundle *certutil.ParsedCertBundle, req *ocsp.Request) (bool, error) {
+	// issuer name hashing taken from golang.org/x/crypto/ocsp.
+	var pkInfo struct {
+		Algorithm pkix.AlgorithmIdentifier
+		PublicKey asn1.BitString
+	}
+	if _, err := asn1.Unmarshal(parsedBundle.Certificate.RawSubjectPublicKeyInfo, &pkInfo); err != nil {
+		return false, err
+	}
+
+	h := req.HashAlgorithm.New()
+	h.Write(pkInfo.PublicKey.RightAlign())
+	issuerKeyHash := h.Sum(nil)
+
+	h.Reset()
+	h.Write(parsedBundle.Certificate.RawSubject)
+	issuerNameHash := h.Sum(nil)
+
+	return bytes.Equal(req.IssuerKeyHash, issuerKeyHash) && bytes.Equal(req.IssuerNameHash, issuerNameHash), nil
+}
+
+func genResponse(cfg *crlConfig, caBundle *certutil.ParsedCertBundle, info *ocspRespInfo, reqHash crypto.Hash, revSigAlg x509.SignatureAlgorithm) ([]byte, error) {
+	curTime := time.Now()
+	duration, err := parseutil.ParseDurationSecond(cfg.OcspExpiry)
+	if err != nil {
+		return nil, err
+	}
+
+	// x/crypto/ocsp lives outside of the standard library's crypto/x509 and includes
+	// ripped-off variants of many internal structures and functions. These
+	// lack support for PSS signatures altogether, so if we have revSigAlg
+	// that uses PSS, downgrade it to PKCS#1v1.5. This fixes the lack of
+	// support in x/ocsp, at the risk of OCSP requests failing due to lack
+	// of PKCS#1v1.5 (in say, PKCS#11 HSMs or GCP).
+	//
+	// Other restrictions, such as hash function selection, will still work
+	// however.
+	switch revSigAlg {
+	case x509.SHA256WithRSAPSS:
+		revSigAlg = x509.SHA256WithRSA
+	case x509.SHA384WithRSAPSS:
+		revSigAlg = x509.SHA384WithRSA
+	case x509.SHA512WithRSAPSS:
+		revSigAlg = x509.SHA512WithRSA
+	}
+
+	// Due to a bug in Go's ocsp.ParseResponse(...), we do not provision
+	// Certificate any more on the response to help Go based OCSP clients.
+	// This was technically unnecessary, as the Certificate given here
+	// both signed the OCSP response and issued the leaf cert, and so
+	// should already be trusted by the client.
+	//
+	// See also: https://github.com/golang/go/issues/59641
+	template := ocsp.Response{
+		IssuerHash:         reqHash,
+		Status:             info.ocspStatus,
+		SerialNumber:       info.serialNumber,
+		ThisUpdate:         curTime,
+		ExtraExtensions:    []pkix.Extension{},
+		SignatureAlgorithm: revSigAlg,
+	}
+
+	if duration > 0 {
+		template.NextUpdate = curTime.Add(duration)
+	}
+
+	if info.ocspStatus == ocsp.Revoked {
+		template.RevokedAt = *info.revocationTimeUTC
+		template.RevocationReason = ocsp.Unspecified
+	}
+
+	return ocsp.CreateResponse(caBundle.Certificate, caBundle.Certificate, template, caBundle.PrivateKey)
+}
+
+const pathOcspHelpSyn = `
+Query a certificate's revocation status through OCSP'
+`
+
+const pathOcspHelpDesc = `
+This endpoint expects DER encoded OCSP requests and returns DER encoded OCSP responses
+`
diff --git a/ui/app/components/splash-page/splash-content.js b/ui/app/components/splash-page/splash-content.js
deleted file mode 100644
index d99599ac3039..000000000000
--- a/ui/app/components/splash-page/splash-content.js
+++ /dev/null
@@ -1,10 +0,0 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Component from '@ember/component';
-
-export default Component.extend({
-  tagName: '',
-});
diff --git a/ui/app/components/splash-page/splash-footer.js b/ui/app/components/splash-page/splash-footer.js
deleted file mode 100644
index d99599ac3039..000000000000
--- a/ui/app/components/splash-page/splash-footer.js
+++ /dev/null
@@ -1,10 +0,0 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Component from '@ember/component';
-
-export default Component.extend({
-  tagName: '',
-});
diff --git a/ui/app/components/splash-page/splash-header.js b/ui/app/components/splash-page/splash-header.js
deleted file mode 100644
index d99599ac3039..000000000000
--- a/ui/app/components/splash-page/splash-header.js
+++ /dev/null
@@ -1,10 +0,0 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Component from '@ember/component';
-
-export default Component.extend({
-  tagName: '',
-});
diff --git a/ui/app/controllers/vault.js b/ui/app/controllers/vault.js
index a13f98736034..9e5aaff4483d 100644
--- a/ui/app/controllers/vault.js
+++ b/ui/app/controllers/vault.js
@@ -3,20 +3,176 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import { inject as service } from '@ember/service';
-import Controller from '@ember/controller';
-import config from '../config/environment';
-
-export default Controller.extend({
-  queryParams: [
-    {
-      wrappedToken: 'wrapped_token',
-      redirectTo: 'redirect_to',
-    },
-  ],
-  wrappedToken: '',
-  redirectTo: '',
-  env: config.environment,
-  auth: service(),
-  store: service(),
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'ember-qunit';
+import { render } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import { setupEngine } from 'ember-engines/test-support';
+
+const SELECTORS = {
+  rowLabel: (attr) => `[data-test-row-label="${attr}"]`,
+  rowValue: (attr) => `[data-test-value-div="${attr}"]`,
+  rowIcon: (attr, icon) => `[data-test-row-value="${attr}"] [data-test-icon="${icon}"]`,
+};
+
+module('Integration | Component | Page::PkiConfigurationDetails', function (hooks) {
+  setupRenderingTest(hooks);
+  setupEngine(hooks, 'pki');
+
+  hooks.beforeEach(function () {
+    this.secretMountPath = this.owner.lookup('service:secret-mount-path');
+    this.secretMountPath.currentPath = 'pki-test';
+
+    this.store = this.owner.lookup('service:store');
+    this.cluster = this.store.createRecord('pki/config/cluster', {
+      id: 'pki-test',
+      path: 'https://pr-a.vault.example.com/v1/ns1/pki-root',
+    });
+    this.urls = this.store.createRecord('pki/config/urls', {
+      id: 'pki-test',
+      issuingCertificates: 'example.com',
+    });
+    this.crl = this.store.createRecord('pki/config/crl', {
+      id: 'pki-test',
+      expiry: '20h',
+      disable: false,
+      autoRebuild: true,
+      autoRebuildGracePeriod: '13h',
+      enableDelta: true,
+      deltaRebuildInterval: '15m',
+      ocspExpiry: '77h',
+      ocspDisable: false,
+      crossClusterRevocation: true,
+      unifiedCrl: true,
+      unifiedCrlOnExistingPaths: true,
+    });
+  });
+
+  test('shows the correct information on cluster config', async function (assert) {
+    await render(hbs`<Page::PkiConfigurationDetails @cluster={{this.cluster}} @hasConfig={{true}} />,`, {
+      owner: this.engine,
+    });
+    assert
+      .dom(SELECTORS.rowValue("Mount's API path"))
+      .hasText('https://pr-a.vault.example.com/v1/ns1/pki-root', 'mount API path row renders');
+    assert.dom(SELECTORS.rowValue('AIA path')).hasText('None', "renders 'None' when no data");
+  });
+
+  test('shows the correct information on global urls section', async function (assert) {
+    await render(
+      hbs`<Page::PkiConfigurationDetails @urls={{this.urls}} @crl={{this.crl}} @hasConfig={{true}} />,`,
+      { owner: this.engine }
+    );
+
+    assert
+      .dom(SELECTORS.rowLabel('Issuing certificates'))
+      .hasText('Issuing certificates', 'issuing certificate row label renders');
+    assert
+      .dom(SELECTORS.rowValue('Issuing certificates'))
+      .hasText('example.com', 'issuing certificate value renders');
+    this.urls.issuingCertificates = null;
+    await render(
+      hbs`<Page::PkiConfigurationDetails @urls={{this.urls}} @crl={{this.crl}} @hasConfig={{true}} />,`,
+      { owner: this.engine }
+    );
+    assert
+      .dom(SELECTORS.rowValue('Issuing certificates'))
+      .hasText('None', 'issuing certificate value renders None if none is configured');
+    assert
+      .dom(SELECTORS.rowLabel('CRL distribution points'))
+      .hasText('CRL distribution points', 'crl distribution points row label renders');
+    assert
+      .dom(SELECTORS.rowValue('CRL distribution points'))
+      .hasText('None', 'crl distribution points value renders None if none is configured');
+  });
+
+  test('shows the correct information on crl section', async function (assert) {
+    await render(
+      hbs`<Page::PkiConfigurationDetails @urls={{this.urls}} @crl={{this.crl}} @hasConfig={{true}} />,`,
+      { owner: this.engine }
+    );
+
+    assert.dom(SELECTORS.rowLabel('CRL building')).hasText('CRL building', 'crl expiry row label renders');
+    assert.dom(SELECTORS.rowValue('CRL building')).hasText('Enabled', 'enabled renders');
+    assert.dom(SELECTORS.rowValue('Expiry')).hasText('20h', 'expiry value renders');
+    assert.dom(SELECTORS.rowLabel('Auto-rebuild')).hasText('Auto-rebuild', 'auto rebuild label renders');
+    assert.dom(SELECTORS.rowValue('Auto-rebuild')).hasText('On', 'it renders truthy auto build');
+    assert.dom(SELECTORS.rowIcon('Auto-rebuild', 'check-circle'));
+    assert
+      .dom(SELECTORS.rowValue('Auto-rebuild grace period'))
+      .hasText('13h', 'it renders auto build grace period');
+    assert.dom(SELECTORS.rowValue('Delta CRL building')).hasText('On', 'it renders truthy delta crl build');
+    assert.dom(SELECTORS.rowIcon('Delta CRL building', 'check-circle'));
+    assert
+      .dom(SELECTORS.rowValue('Delta rebuild interval'))
+      .hasText('15m', 'it renders delta build duration');
+    assert
+      .dom(SELECTORS.rowValue('Responder APIs'))
+      .hasText('Enabled', 'responder apis value renders Enabled if ocsp_disable=false');
+    assert.dom(SELECTORS.rowValue('Interval')).hasText('77h', 'interval value renders');
+    // check falsy aut_rebuild and _enable_delta hides duration values
+    this.crl.autoRebuild = false;
+    this.crl.enableDelta = false;
+    await render(
+      hbs`<Page::PkiConfigurationDetails @urls={{this.urls}} @crl={{this.crl}} @hasConfig={{true}} />,`,
+      { owner: this.engine }
+    );
+    assert.dom(SELECTORS.rowValue('Auto-rebuild')).hasText('Off', 'it renders falsy auto build');
+    assert.dom(SELECTORS.rowIcon('Auto-rebuild', 'x-square'));
+    assert
+      .dom(SELECTORS.rowValue('Auto-rebuild grace period'))
+      .doesNotExist('does not render auto-rebuild grace period');
+    assert.dom(SELECTORS.rowValue('Delta CRL building')).hasText('Off', 'it renders falsy delta cr build');
+    assert.dom(SELECTORS.rowIcon('Delta CRL building', 'x-square'));
+    assert
+      .dom(SELECTORS.rowValue('Delta rebuild interval'))
+      .doesNotExist('does not render delta rebuild duration');
+
+    // check falsy disable and ocsp_disable hides duration values and other params
+    this.crl.autoRebuild = true;
+    this.crl.enableDelta = true;
+    this.crl.disable = true;
+    this.crl.ocspDisable = true;
+    await render(
+      hbs`<Page::PkiConfigurationDetails @urls={{this.urls}} @crl={{this.crl}} @hasConfig={{true}} />,`,
+      { owner: this.engine }
+    );
+    assert.dom(SELECTORS.rowValue('CRL building')).hasText('Disabled', 'disabled renders');
+    assert.dom(SELECTORS.rowValue('Expiry')).doesNotExist();
+    assert
+      .dom(SELECTORS.rowValue('Responder APIs'))
+      .hasText('Disabled', 'responder apis value renders Disabled');
+    assert.dom(SELECTORS.rowValue('Interval')).doesNotExist();
+    assert.dom(SELECTORS.rowValue('Auto-rebuild')).doesNotExist();
+    assert.dom(SELECTORS.rowValue('Auto-rebuild grace period')).doesNotExist();
+    assert.dom(SELECTORS.rowValue('Delta CRL building')).doesNotExist();
+    assert.dom(SELECTORS.rowValue('Delta rebuild interval')).doesNotExist();
+  });
+
+  test('it renders enterprise params in crl section', async function (assert) {
+    this.version = this.owner.lookup('service:version');
+    this.version.type = 'enterprise';
+    await render(
+      hbs`<Page::PkiConfigurationDetails @urls={{this.urls}} @crl={{this.crl}} @hasConfig={{true}} />,`,
+      { owner: this.engine }
+    );
+    assert.dom(SELECTORS.rowValue('Cross-cluster revocation')).hasText('Yes');
+    assert.dom(SELECTORS.rowIcon('Cross-cluster revocation', 'check-circle'));
+    assert.dom(SELECTORS.rowValue('Unified CRL')).hasText('Yes');
+    assert.dom(SELECTORS.rowIcon('Unified CRL', 'check-circle'));
+    assert.dom(SELECTORS.rowValue('Unified CRL on existing paths')).hasText('Yes');
+    assert.dom(SELECTORS.rowIcon('Unified CRL on existing paths', 'check-circle'));
+  });
+
+  test('it does not render enterprise params in crl section', async function (assert) {
+    this.version = this.owner.lookup('service:version');
+    this.version.type = 'community';
+    await render(
+      hbs`<Page::PkiConfigurationDetails @urls={{this.urls}} @crl={{this.crl}} @hasConfig={{true}} />,`,
+      { owner: this.engine }
+    );
+    assert.dom(SELECTORS.rowValue('Cross-cluster revocation')).doesNotExist();
+    assert.dom(SELECTORS.rowValue('Unified CRL')).doesNotExist();
+    assert.dom(SELECTORS.rowValue('Unified CRL on existing paths')).doesNotExist();
+  });
 });
diff --git a/ui/app/controllers/vault/cluster/auth.js b/ui/app/controllers/vault/cluster/auth.js
index 3d4142ca41ae..cc8644921ec8 100644
--- a/ui/app/controllers/vault/cluster/auth.js
+++ b/ui/app/controllers/vault/cluster/auth.js
@@ -2,100 +2,457 @@
  * Copyright (c) HashiCorp, Inc.
  * SPDX-License-Identifier: BUSL-1.1
  */
-import { inject as service } from '@ember/service';
-import { alias } from '@ember/object/computed';
-import Controller, { inject as controller } from '@ember/controller';
-import { task, timeout } from 'ember-concurrency';
-import { sanitizePath } from 'core/utils/sanitize-path';
-
-export default Controller.extend({
-  flashMessages: service(),
-  vaultController: controller('vault'),
-  clusterController: controller('vault.cluster'),
-  namespaceService: service('namespace'),
-  featureFlagService: service('featureFlag'),
-  auth: service(),
-  router: service(),
-  queryParams: [{ authMethod: 'with', oidcProvider: 'o' }],
-  namespaceQueryParam: alias('clusterController.namespaceQueryParam'),
-  wrappedToken: alias('vaultController.wrappedToken'),
-  redirectTo: alias('vaultController.redirectTo'),
-  managedNamespaceRoot: alias('featureFlagService.managedNamespaceRoot'),
-  authMethod: '',
-  oidcProvider: '',
-
-  get namespaceInput() {
-    const namespaceQP = this.clusterController.namespaceQueryParam;
-    if (this.managedNamespaceRoot) {
-      // When managed, the user isn't allowed to edit the prefix `admin/` for their nested namespace
-      const split = namespaceQP.split('/');
-      if (split.length > 1) {
-        split.shift();
-        return `/${split.join('/')}`;
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
+import { click, fillIn, render } from '@ember/test-helpers';
+import { setupEngine } from 'ember-engines/test-support';
+import { hbs } from 'ember-cli-htmlbars';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { Response } from 'miragejs';
+import { SELECTORS } from 'vault/tests/helpers/pki/page/pki-configuration-edit';
+import sinon from 'sinon';
+import { allowAllCapabilitiesStub } from 'vault/tests/helpers/stubs';
+
+module('Integration | Component | page/pki-configuration-edit', function (hooks) {
+  setupRenderingTest(hooks);
+  setupEngine(hooks, 'pki');
+  setupMirage(hooks);
+
+  hooks.beforeEach(async function () {
+    // test context setup
+    this.server.post('/sys/capabilities-self', allowAllCapabilitiesStub());
+    this.context = { owner: this.engine }; // this.engine set by setupEngine
+    this.store = this.owner.lookup('service:store');
+    this.router = this.owner.lookup('service:router');
+    sinon.stub(this.router, 'transitionTo');
+
+    // component data setup
+    this.backend = 'pki-engine';
+    // both models only use findRecord. API parameters for pki/crl
+    // are set by default backend values when the engine is mounted
+    this.store.pushPayload('pki/config/cluster', {
+      modelName: 'pki/config/cluster',
+      id: this.backend,
+    });
+    this.store.pushPayload('pki/config/acme', {
+      modelName: 'pki/config/acme',
+      id: this.backend,
+    });
+    this.store.pushPayload('pki/config/crl', {
+      modelName: 'pki/config/crl',
+      id: this.backend,
+      auto_rebuild: false,
+      auto_rebuild_grace_period: '12h',
+      delta_rebuild_interval: '15m',
+      disable: false,
+      enable_delta: false,
+      expiry: '72h',
+      ocsp_disable: false,
+      ocsp_expiry: '12h',
+    });
+    this.store.pushPayload('pki/config/urls', {
+      modelName: 'pki/config/urls',
+      id: this.backend,
+      issuing_certificates: ['hashicorp.com'],
+      crl_distribution_points: ['some-crl-distribution.com'],
+      ocsp_servers: ['ocsp-stuff.com'],
+    });
+    this.acme = this.store.peekRecord('pki/config/acme', this.backend);
+    this.cluster = this.store.peekRecord('pki/config/cluster', this.backend);
+    this.crl = this.store.peekRecord('pki/config/crl', this.backend);
+    this.urls = this.store.peekRecord('pki/config/urls', this.backend);
+  });
+
+  hooks.afterEach(function () {
+    this.router.transitionTo.restore();
+  });
+
+  test('it renders with config data and updates config', async function (assert) {
+    assert.expect(32);
+    this.server.post(`/${this.backend}/config/acme`, (schema, req) => {
+      assert.ok(true, 'request made to save acme config');
+      assert.propEqual(
+        JSON.parse(req.requestBody),
+        {
+          allowed_issuers: ['*'],
+          allowed_roles: ['my-role'],
+          dns_resolver: 'some-dns',
+          eab_policy: 'new-account-required',
+          enabled: true,
+        },
+        'it updates acme config model attributes'
+      );
+    });
+    this.server.post(`/${this.backend}/config/cluster`, (schema, req) => {
+      assert.ok(true, 'request made to save cluster config');
+      assert.propEqual(
+        JSON.parse(req.requestBody),
+        {
+          path: 'https://pr-a.vault.example.com/v1/ns1/pki-root',
+          aia_path: 'http://another-path.com',
+        },
+        'it updates cluster config model attributes'
+      );
+    });
+    this.server.post(`/${this.backend}/config/crl`, (schema, req) => {
+      assert.ok(true, 'request made to save crl config');
+      assert.propEqual(
+        JSON.parse(req.requestBody),
+        {
+          auto_rebuild: true,
+          auto_rebuild_grace_period: '24h',
+          delta_rebuild_interval: '45m',
+          disable: false,
+          enable_delta: true,
+          expiry: '1152h',
+          ocsp_disable: false,
+          ocsp_expiry: '24h',
+        },
+        'it updates crl config model attributes'
+      );
+    });
+    this.server.post(`/${this.backend}/config/urls`, (schema, req) => {
+      assert.ok(true, 'request made to save urls config');
+      assert.propEqual(
+        JSON.parse(req.requestBody),
+        {
+          crl_distribution_points: ['test-crl.com'],
+          issuing_certificates: ['update-hashicorp.com'],
+          ocsp_servers: ['ocsp.com'],
+        },
+        'it updates url config model attributes'
+      );
+    });
+    await render(
+      hbs`
+      <Page::PkiConfigurationEdit
+        @acme={{this.acme}}
+        @cluster={{this.cluster}}
+        @urls={{this.urls}}
+        @crl={{this.crl}}
+        @backend={{this.backend}}
+      />
+    `,
+      this.context
+    );
+
+    assert.dom(SELECTORS.configEditSection).exists('renders config section');
+    assert.dom(SELECTORS.urlsEditSection).exists('renders urls section');
+    assert.dom(SELECTORS.crlEditSection).exists('renders crl section');
+    assert.dom(SELECTORS.cancelButton).exists();
+    this.urls.eachAttribute((name) => {
+      assert.dom(SELECTORS.urlFieldInput(name)).exists(`renders ${name} input`);
+    });
+    assert.dom(SELECTORS.urlFieldInput('issuingCertificates')).hasValue('hashicorp.com');
+    assert.dom(SELECTORS.urlFieldInput('crlDistributionPoints')).hasValue('some-crl-distribution.com');
+    assert.dom(SELECTORS.urlFieldInput('ocspServers')).hasValue('ocsp-stuff.com');
+
+    // cluster config
+    await fillIn(SELECTORS.configInput('path'), 'https://pr-a.vault.example.com/v1/ns1/pki-root');
+    await fillIn(SELECTORS.configInput('aiaPath'), 'http://another-path.com');
+
+    // acme config;
+    await click(SELECTORS.configInput('enabled'));
+    await fillIn(SELECTORS.stringListInput('allowedRoles'), 'my-role');
+    await fillIn(SELECTORS.stringListInput('allowedIssuers'), '*');
+    await fillIn(SELECTORS.configInput('eabPolicy'), 'new-account-required');
+    await fillIn(SELECTORS.configInput('dnsResolver'), 'some-dns');
+
+    // urls
+    await fillIn(SELECTORS.urlFieldInput('issuingCertificates'), 'update-hashicorp.com');
+    await fillIn(SELECTORS.urlFieldInput('crlDistributionPoints'), 'test-crl.com');
+    await fillIn(SELECTORS.urlFieldInput('ocspServers'), 'ocsp.com');
+
+    // confirm default toggle state and text
+    this.crl.eachAttribute((name, { options }) => {
+      if (['expiry', 'ocspExpiry'].includes(name)) {
+        assert.dom(SELECTORS.crlToggleInput(name)).isChecked(`${name} defaults to toggled on`);
+        assert.dom(SELECTORS.crlFieldLabel(name)).hasTextContaining(options.label);
+        assert.dom(SELECTORS.crlFieldLabel(name)).hasTextContaining(options.helperTextEnabled);
       }
-      return '';
-    }
-    return namespaceQP;
-  },
-
-  fullNamespaceFromInput(value) {
-    const strippedNs = sanitizePath(value);
-    if (this.managedNamespaceRoot) {
-      return `${this.managedNamespaceRoot}/${strippedNs}`;
-    }
-    return strippedNs;
-  },
-
-  updateNamespace: task(function* (value) {
-    // debounce
-    yield timeout(500);
-    const ns = this.fullNamespaceFromInput(value);
-    this.namespaceService.setNamespace(ns, true);
-    this.set('namespaceQueryParam', ns);
-  }).restartable(),
-
-  authSuccess({ isRoot, namespace }) {
-    let transition;
-    if (this.redirectTo) {
-      // here we don't need the namespace because it will be encoded in redirectTo
-      transition = this.router.transitionTo(this.redirectTo);
-      // reset the value on the controller because it's bound here
-      this.set('redirectTo', '');
-    } else {
-      transition = this.router.transitionTo('vault.cluster', { queryParams: { namespace } });
-    }
-    transition.followRedirects().then(() => {
-      if (isRoot) {
-        this.auth.set('isRootToken', true);
-        this.flashMessages.warning(
-          'You have logged in with a root token. As a security precaution, this root token will not be stored by your browser and you will need to re-authenticate after the window is closed or refreshed.'
-        );
+      if (['autoRebuildGracePeriod', 'deltaRebuildInterval'].includes(name)) {
+        assert.dom(SELECTORS.crlToggleInput(name)).isNotChecked(`${name} defaults off`);
+        assert.dom(SELECTORS.crlFieldLabel(name)).hasTextContaining(options.labelDisabled);
+        assert.dom(SELECTORS.crlFieldLabel(name)).hasTextContaining(options.helperTextDisabled);
       }
     });
-  },
 
-  actions: {
-    onAuthResponse(authResponse, backend, data) {
-      const { mfa_requirement } = authResponse;
-      // if an mfa requirement exists further action is required
-      if (mfa_requirement) {
-        this.set('mfaAuthData', { mfa_requirement, backend, data });
-      } else {
-        this.authSuccess(authResponse);
-      }
-    },
-    onMfaSuccess(authResponse) {
-      this.authSuccess(authResponse);
-    },
-    onMfaErrorDismiss() {
-      this.setProperties({
-        mfaAuthData: null,
-        mfaErrors: null,
-      });
-    },
-    cancelAuthentication() {
-      this.set('cancelAuth', true);
-      this.set('waitingForOktaNumberChallenge', false);
-    },
-  },
+    // toggle everything on
+    await click(SELECTORS.crlToggleInput('autoRebuildGracePeriod'));
+    assert
+      .dom(SELECTORS.crlFieldLabel('autoRebuildGracePeriod'))
+      .hasTextContaining(
+        'Auto-rebuild on Vault will rebuild the CRL in the below grace period before expiration',
+        'it renders auto rebuild toggled on text'
+      );
+    await click(SELECTORS.crlToggleInput('deltaRebuildInterval'));
+    assert
+      .dom(SELECTORS.crlFieldLabel('deltaRebuildInterval'))
+      .hasTextContaining(
+        'Delta CRL building on Vault will rebuild the delta CRL at the interval below:',
+        'it renders delta crl build toggled on text'
+      );
+
+    // assert ttl values update model attributes
+    await fillIn(SELECTORS.crlTtlInput('Expiry'), '48');
+    await fillIn(SELECTORS.crlTtlInput('Auto-rebuild on'), '24');
+    await fillIn(SELECTORS.crlTtlInput('Delta CRL building on'), '45');
+    await fillIn(SELECTORS.crlTtlInput('OCSP responder APIs enabled'), '24');
+
+    await click(SELECTORS.saveButton);
+  });
+
+  test('it removes urls and sends false crl values', async function (assert) {
+    assert.expect(8);
+    this.server.post(`/${this.backend}/config/acme`, () => {});
+    this.server.post(`/${this.backend}/config/cluster`, () => {});
+    this.server.post(`/${this.backend}/config/crl`, (schema, req) => {
+      assert.ok(true, 'request made to save crl config');
+      assert.propEqual(
+        JSON.parse(req.requestBody),
+        {
+          auto_rebuild: false,
+          auto_rebuild_grace_period: '12h',
+          delta_rebuild_interval: '15m',
+          disable: true,
+          enable_delta: false,
+          expiry: '72h',
+          ocsp_disable: true,
+          ocsp_expiry: '12h',
+        },
+        'crl payload has correct data'
+      );
+    });
+    this.server.post(`/${this.backend}/config/urls`, (schema, req) => {
+      assert.ok(true, 'request made to save urls config');
+      assert.propEqual(
+        JSON.parse(req.requestBody),
+        {
+          crl_distribution_points: [],
+          issuing_certificates: [],
+          ocsp_servers: [],
+        },
+        'url payload has empty arrays'
+      );
+    });
+    await render(
+      hbs`
+      <Page::PkiConfigurationEdit
+        @acme={{this.acme}}
+        @cluster={{this.cluster}}
+        @urls={{this.urls}}
+        @crl={{this.crl}}
+        @backend={{this.backend}}
+      />
+    `,
+      this.context
+    );
+
+    await click(SELECTORS.deleteButton('issuingCertificates'));
+    await click(SELECTORS.deleteButton('crlDistributionPoints'));
+    await click(SELECTORS.deleteButton('ocspServers'));
+
+    // toggle everything off
+    await click(SELECTORS.crlToggleInput('expiry'));
+    assert.dom(SELECTORS.crlFieldLabel('expiry')).hasText('No expiry The CRL will not be built.');
+    assert
+      .dom(SELECTORS.crlToggleInput('autoRebuildGracePeriod'))
+      .doesNotExist('expiry off hides the auto rebuild toggle');
+    assert
+      .dom(SELECTORS.crlToggleInput('deltaRebuildInterval'))
+      .doesNotExist('expiry off hides delta crl toggle');
+    await click(SELECTORS.crlToggleInput('ocspExpiry'));
+    assert
+      .dom(SELECTORS.crlFieldLabel('ocspExpiry'))
+      .hasTextContaining(
+        'OCSP responder APIs disabled Requests cannot be made to check if an individual certificate is valid.',
+        'it renders correct toggled off text'
+      );
+
+    await click(SELECTORS.saveButton);
+  });
+
+  test('it renders enterprise only params', async function (assert) {
+    assert.expect(6);
+    this.version = this.owner.lookup('service:version');
+    this.version.type = 'enterprise';
+    this.server.post(`/${this.backend}/config/acme`, () => {});
+    this.server.post(`/${this.backend}/config/cluster`, () => {});
+    this.server.post(`/${this.backend}/config/crl`, (schema, req) => {
+      assert.ok(true, 'request made to save crl config');
+      assert.propEqual(
+        JSON.parse(req.requestBody),
+        {
+          auto_rebuild: false,
+          auto_rebuild_grace_period: '12h',
+          delta_rebuild_interval: '15m',
+          disable: false,
+          enable_delta: false,
+          expiry: '72h',
+          ocsp_disable: false,
+          ocsp_expiry: '12h',
+          cross_cluster_revocation: true,
+          unified_crl: true,
+          unified_crl_on_existing_paths: true,
+        },
+        'crl payload includes enterprise params'
+      );
+    });
+    this.server.post(`/${this.backend}/config/urls`, () => {
+      assert.ok(true, 'request made to save urls config');
+    });
+    await render(
+      hbs`
+      <Page::PkiConfigurationEdit
+        @acme={{this.acme}}
+        @cluster={{this.cluster}}
+        @urls={{this.urls}}
+        @crl={{this.crl}}
+        @backend={{this.backend}}
+      />
+    `,
+      this.context
+    );
+
+    assert.dom(SELECTORS.groupHeader('Certificate Revocation List (CRL)')).exists();
+    assert.dom(SELECTORS.groupHeader('Online Certificate Status Protocol (OCSP)')).exists();
+    assert.dom(SELECTORS.groupHeader('Unified Revocation')).exists();
+    await click(SELECTORS.checkboxInput('crossClusterRevocation'));
+    await click(SELECTORS.checkboxInput('unifiedCrl'));
+    await click(SELECTORS.checkboxInput('unifiedCrlOnExistingPaths'));
+    await click(SELECTORS.saveButton);
+  });
+
+  test('it does not render enterprise only params for OSS', async function (assert) {
+    assert.expect(9);
+    this.version = this.owner.lookup('service:version');
+    this.version.type = 'community';
+    this.server.post(`/${this.backend}/config/acme`, () => {});
+    this.server.post(`/${this.backend}/config/cluster`, () => {});
+    this.server.post(`/${this.backend}/config/crl`, (schema, req) => {
+      assert.ok(true, 'request made to save crl config');
+      assert.propEqual(
+        JSON.parse(req.requestBody),
+        {
+          auto_rebuild: false,
+          auto_rebuild_grace_period: '12h',
+          delta_rebuild_interval: '15m',
+          disable: false,
+          enable_delta: false,
+          expiry: '72h',
+          ocsp_disable: false,
+          ocsp_expiry: '12h',
+        },
+        'crl payload does not include enterprise params'
+      );
+    });
+    this.server.post(`/${this.backend}/config/urls`, () => {
+      assert.ok(true, 'request made to save urls config');
+    });
+    await render(
+      hbs`
+      <Page::PkiConfigurationEdit
+        @acme={{this.acme}}
+        @cluster={{this.cluster}}
+        @urls={{this.urls}}
+        @crl={{this.crl}}
+        @backend={{this.backend}}
+      />
+    `,
+      this.context
+    );
+
+    assert.dom(SELECTORS.checkboxInput('crossClusterRevocation')).doesNotExist();
+    assert.dom(SELECTORS.checkboxInput('unifiedCrl')).doesNotExist();
+    assert.dom(SELECTORS.checkboxInput('unifiedCrlOnExistingPaths')).doesNotExist();
+    assert.dom(SELECTORS.groupHeader('Certificate Revocation List (CRL)')).exists();
+    assert.dom(SELECTORS.groupHeader('Online Certificate Status Protocol (OCSP)')).exists();
+    assert.dom(SELECTORS.groupHeader('Unified Revocation')).doesNotExist();
+    await click(SELECTORS.saveButton);
+  });
+
+  test('it renders empty states if no update capabilities', async function (assert) {
+    assert.expect(4);
+    this.server.post('/sys/capabilities-self', allowAllCapabilitiesStub(['read']));
+
+    await render(
+      hbs`
+      <Page::PkiConfigurationEdit
+        @acme={{this.acme}}
+        @cluster={{this.cluster}}
+        @urls={{this.urls}}
+        @crl={{this.crl}}
+        @backend={{this.backend}}
+      />
+    `,
+      this.context
+    );
+
+    assert
+      .dom(`${SELECTORS.configEditSection} [data-test-component="empty-state"]`)
+      .hasText(
+        "You do not have permission to set this mount's the cluster config Ask your administrator if you think you should have access to: POST /pki-engine/config/cluster"
+      );
+    assert
+      .dom(`${SELECTORS.acmeEditSection} [data-test-component="empty-state"]`)
+      .hasText(
+        "You do not have permission to set this mount's ACME config Ask your administrator if you think you should have access to: POST /pki-engine/config/acme"
+      );
+    assert
+      .dom(`${SELECTORS.urlsEditSection} [data-test-component="empty-state"]`)
+      .hasText(
+        "You do not have permission to set this mount's URLs Ask your administrator if you think you should have access to: POST /pki-engine/config/urls"
+      );
+    assert
+      .dom(`${SELECTORS.crlEditSection} [data-test-component="empty-state"]`)
+      .hasText(
+        "You do not have permission to set this mount's revocation configuration Ask your administrator if you think you should have access to: POST /pki-engine/config/crl"
+      );
+  });
+
+  test('it renders alert banner and endpoint respective error', async function (assert) {
+    assert.expect(4);
+    this.server.post(`/${this.backend}/config/acme`, () => {
+      return new Response(500, {}, { errors: ['something wrong with acme'] });
+    });
+    this.server.post(`/${this.backend}/config/cluster`, () => {
+      return new Response(500, {}, { errors: ['something wrong with cluster'] });
+    });
+    this.server.post(`/${this.backend}/config/crl`, () => {
+      return new Response(500, {}, { errors: ['something wrong with crl'] });
+    });
+    this.server.post(`/${this.backend}/config/urls`, () => {
+      return new Response(500, {}, { errors: ['something wrong with urls'] });
+    });
+    await render(
+      hbs`
+      <Page::PkiConfigurationEdit
+        @acme={{this.acme}}
+        @cluster={{this.cluster}}
+        @urls={{this.urls}}
+        @crl={{this.crl}}
+        @backend={{this.backend}}
+      />
+    `,
+      this.context
+    );
+
+    await click(SELECTORS.saveButton);
+    assert
+      .dom(SELECTORS.errorBanner)
+      .hasText(
+        'Error POST config/cluster: something wrong with cluster POST config/acme: something wrong with acme POST config/urls: something wrong with urls POST config/crl: something wrong with crl'
+      );
+    assert.dom(`${SELECTORS.errorBanner} ul`).hasClass('bullet');
+
+    // change 3 out of 4 requests to be successful to assert single error renders correctly
+    this.server.post(`/${this.backend}/config/acme`, () => new Response(200));
+    this.server.post(`/${this.backend}/config/cluster`, () => new Response(200));
+    this.server.post(`/${this.backend}/config/crl`, () => new Response(200));
+
+    await click(SELECTORS.saveButton);
+    assert.dom(SELECTORS.errorBanner).hasText('Error POST config/urls: something wrong with urls');
+    assert.dom(`${SELECTORS.errorBanner} ul`).doesNotHaveClass('bullet');
+  });
 });
diff --git a/ui/app/controllers/vault/cluster/settings/seal.js b/ui/app/controllers/vault/cluster/settings/seal.js
index b1cbc9260143..e1c890a0b313 100644
--- a/ui/app/controllers/vault/cluster/settings/seal.js
+++ b/ui/app/controllers/vault/cluster/settings/seal.js
@@ -1,24 +1,156 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
 
-import { inject as service } from '@ember/service';
-import Controller from '@ember/controller';
+<div class="box is-sideless is-fullwidth is-marginless">
+  {{#if this.errors}}
+    <Hds::Alert data-test-config-edit-error @type="inline" @color="critical" as |A|>
+      <A.Title>Error</A.Title>
+      <A.Description>
+        <ul class={{if (gt this.errors.length 1) "bullet"}}>
+          {{#each this.errors as |error|}}
+            <li>
+              <code>POST config/{{error.modelName}}</code>:
+              {{error.message}}
+            </li>
+          {{/each}}
+        </ul>
+      </A.Description>
+    </Hds::Alert>
+  {{/if}}
+  <form {{on "submit" (perform this.save)}}>
+    <fieldset class="is-shadowless is-marginless is-borderless is-fullwidth" data-test-cluster-config-edit-section>
+      <h2 class="title is-size-5 has-border-bottom-light page-header">
+        Cluster Config
+      </h2>
+      {{#if @cluster.canSet}}
+        {{#each @cluster.allFields as |attr|}}
+          <FormField @attr={{attr}} @model={{@cluster}} @showHelpText={{false}} />
+        {{/each}}
+      {{else}}
+        <EmptyState
+          class="is-shadowless"
+          @title="You do not have permission to set this mount's the cluster config"
+          @message="Ask your administrator if you think you should have access to:"
+        >
+          <code>POST /{{@backend}}/config/cluster</code>
+        </EmptyState>
+      {{/if}}
+    </fieldset>
 
-export default Controller.extend({
-  auth: service(),
+    <fieldset class="box is-shadowless is-marginless is-borderless is-fullwidth" data-test-acme-edit-section>
+      <h2 class="title is-size-5 has-border-bottom-light page-header">
+        ACME Config
+      </h2>
+      {{#if @acme.canSet}}
+        {{#each @acme.allFields as |attr|}}
+          <FormField @attr={{attr}} @model={{@acme}} @showHelpText={{false}} @backend={{@backend}} />
+        {{/each}}
+      {{else}}
+        <EmptyState
+          class="is-shadowless"
+          @title="You do not have permission to set this mount's ACME config"
+          @message="Ask your administrator if you think you should have access to:"
+        >
+          <code>POST /{{@backend}}/config/acme</code>
+        </EmptyState>
+      {{/if}}
+    </fieldset>
 
-  actions: {
-    seal() {
-      return this.model.cluster.store
-        .adapterFor('cluster')
-        .seal()
-        .then(() => {
-          this.model.cluster.get('leaderNode').set('sealed', true);
-          this.auth.deleteCurrentToken();
-          return this.transitionToRoute('vault.cluster.unseal');
-        });
-    },
-  },
-});
+    <fieldset class="box is-shadowless is-marginless is-borderless is-fullwidth" data-test-urls-edit-section>
+      <h2 class="title is-size-5 has-border-bottom-light page-header">
+        Global URLs
+      </h2>
+      {{#if @urls.canSet}}
+        {{#each @urls.allFields as |attr|}}
+          <FormField @attr={{attr}} @model={{@urls}} @showHelpText={{false}} />
+        {{/each}}
+      {{else}}
+        <EmptyState
+          class="is-shadowless"
+          @title="You do not have permission to set this mount's URLs"
+          @message="Ask your administrator if you think you should have access to:"
+        >
+          <code>POST /{{@backend}}/config/urls</code>
+        </EmptyState>
+      {{/if}}
+    </fieldset>
+
+    <fieldset class="box is-shadowless is-marginless is-borderless is-fullwidth" data-test-crl-edit-section>
+      {{#if @crl.canSet}}
+        {{#each @crl.formFieldGroups as |fieldGroup|}}
+          {{#each-in fieldGroup as |group fields|}}
+            {{#if (or (not-eq group "Unified Revocation") this.isEnterprise)}}
+              <h2 class="title is-size-5 has-border-bottom-light page-header" data-test-crl-header={{group}}>
+                {{group}}
+              </h2>
+            {{/if}}
+            {{#each fields as |attr|}}
+              {{#if (eq attr.options.editType "ttl")}}
+                {{#if (or (includes attr.name (array "expiry" "ocspExpiry")) (not @crl.disable))}}
+                  {{#let (get @crl attr.options.mapToBoolean) as |enabled|}}
+                    {{! 'enabled' is the pki/crl model's boolean attr that corresponds to the duration set by the ttl }}
+                    <div class="field">
+                      <TtlPicker
+                        data-test-input={{attr.name}}
+                        @onChange={{fn this.handleTtl attr}}
+                        @label={{attr.options.label}}
+                        @labelDisabled={{attr.options.labelDisabled}}
+                        @helperTextDisabled={{attr.options.helperTextDisabled}}
+                        @helperTextEnabled={{attr.options.helperTextEnabled}}
+                        @initialEnabled={{if attr.options.isOppositeValue (not enabled) enabled}}
+                        @initialValue={{get @crl attr.name}}
+                      />
+                    </div>
+                  {{/let}}
+                {{/if}}
+              {{else}}
+                {{#if this.isEnterprise}}
+                  <FormField @attr={{attr}} @model={{@crl}} />
+                {{/if}}
+              {{/if}}
+            {{/each}}
+          {{/each-in}}
+        {{/each}}
+      {{else}}
+        <EmptyState
+          @title="You do not have permission to set this mount's revocation configuration"
+          @message="Ask your administrator if you think you should have access to:"
+        >
+          <code>POST /{{@backend}}/config/crl</code>
+        </EmptyState>
+      {{/if}}
+    </fieldset>
+
+    <hr class="has-background-gray-100" />
+    <Hds::ButtonSet>
+      {{#if (or @urls.canSet @crl.canSet)}}
+        <Hds::Button
+          @text="Save"
+          @icon={{if this.save.isRunning "loading"}}
+          type="submit"
+          disabled={{this.save.isRunning}}
+          data-test-configuration-edit-save
+        />
+      {{/if}}
+      <Hds::Button
+        @text="Cancel"
+        @color="secondary"
+        {{on "click" this.cancel}}
+        disabled={{this.save.isRunning}}
+        data-test-configuration-edit-cancel
+      />
+    </Hds::ButtonSet>
+    {{#if this.invalidFormAlert}}
+      <div class="control">
+        <AlertInline
+          @type="danger"
+          class="has-top-padding-s"
+          @message={{this.invalidFormAlert}}
+          data-test-configuration-edit-validation-alert
+        />
+      </div>
+    {{/if}}
+  </form>
+</div>
\ No newline at end of file
diff --git a/ui/app/controllers/vault/cluster/unseal.js b/ui/app/controllers/vault/cluster/unseal.js
index 4441493c8969..5ed81e6cf057 100644
--- a/ui/app/controllers/vault/cluster/unseal.js
+++ b/ui/app/controllers/vault/cluster/unseal.js
@@ -3,28 +3,107 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import Controller from '@ember/controller';
-
-export default Controller.extend({
-  showLicenseError: false,
-
-  actions: {
-    transitionToCluster() {
-      return this.model.reload().then(() => {
-        return this.transitionToRoute('vault.cluster', this.model.name);
-      });
-    },
-
-    reloadCluster() {
-      return this.model.reload();
-    },
-
-    isUnsealed(data) {
-      return data.sealed === false;
-    },
-
-    handleLicenseError() {
-      this.set('showLicenseError', true);
-    },
-  },
+import { module, test } from 'qunit';
+import { visit, click, fillIn, find } from '@ember/test-helpers';
+import { setupApplicationTest } from 'vault/tests/helpers';
+import { v4 as uuidv4 } from 'uuid';
+
+import authPage from 'vault/tests/pages/auth';
+import enablePage from 'vault/tests/pages/settings/mount-secret-backend';
+import { runCommands } from 'vault/tests/helpers/pki/pki-run-commands';
+import { SELECTORS } from 'vault/tests/helpers/pki/pki-issuer-cross-sign';
+import { verifyCertificates } from 'vault/utils/parse-pki-cert';
+module('Acceptance | pki/pki cross sign', function (hooks) {
+  setupApplicationTest(hooks);
+
+  hooks.beforeEach(async function () {
+    await authPage.login();
+    this.parentMountPath = `parent-mount-${uuidv4()}`;
+    this.oldParentIssuerName = 'old-parent-issuer'; // old parent issuer we're transferring from
+    this.parentIssuerName = 'new-parent-issuer'; // issuer where cross-signing action will begin
+    this.intMountPath = `intermediate-mount-${uuidv4()}`; // first input box in cross-signing page
+    this.intIssuerName = 'my-intermediate-issuer'; // second input box in cross-signing page
+    this.newlySignedIssuer = 'my-newly-signed-int'; // third input
+    await enablePage.enable('pki', this.parentMountPath);
+    await enablePage.enable('pki', this.intMountPath);
+
+    await runCommands([
+      `write "${this.parentMountPath}/root/generate/internal" common_name="Long-Lived Root X1" ttl=8960h issuer_name="${this.oldParentIssuerName}"`,
+      `write "${this.parentMountPath}/root/generate/internal" common_name="Long-Lived Root X2" ttl=8960h issuer_name="${this.parentIssuerName}"`,
+      `write "${this.parentMountPath}/config/issuers" default="${this.parentIssuerName}"`,
+    ]);
+  });
+
+  hooks.afterEach(async function () {
+    // Cleanup engine
+    await runCommands([`delete sys/mounts/${this.intMountPath}`]);
+    await runCommands([`delete sys/mounts/${this.parentMountPath}`]);
+  });
+
+  test('it cross-signs an issuer', async function (assert) {
+    // configure parent and intermediate mounts to make them cross-signable
+    await visit(`/vault/secrets/${this.intMountPath}/pki/configuration/create`);
+    await click(SELECTORS.configure.optionByKey('generate-csr'));
+    await fillIn(SELECTORS.inputByName('type'), 'internal');
+    await fillIn(SELECTORS.inputByName('commonName'), 'Short-Lived Int R1');
+    await click('[data-test-save]');
+    const csr = find(SELECTORS.copyButton('CSR')).getAttribute('data-test-copy-button');
+    await visit(`vault/secrets/${this.parentMountPath}/pki/issuers/${this.oldParentIssuerName}/sign`);
+    await fillIn(SELECTORS.inputByName('csr'), csr);
+    await fillIn(SELECTORS.inputByName('format'), 'pem_bundle');
+    await click('[data-test-pki-sign-intermediate-save]');
+    const pemBundle = find(SELECTORS.copyButton('CA Chain'))
+      .getAttribute('data-test-copy-button')
+      .replace(/,/, '\n');
+    await visit(`vault/secrets/${this.intMountPath}/pki/configuration/create`);
+    await click(SELECTORS.configure.optionByKey('import'));
+    await click('[data-test-text-toggle]');
+    await fillIn('[data-test-text-file-textarea]', pemBundle);
+    await click(SELECTORS.configure.importSubmit);
+    await visit(`vault/secrets/${this.intMountPath}/pki/issuers`);
+    await click('[data-test-is-default]');
+    // name default issuer of intermediate
+    const oldIntIssuerId = find(SELECTORS.rowValue('Issuer ID')).innerText;
+    const oldIntCert = find(SELECTORS.copyButton('Certificate')).getAttribute('data-test-copy-button');
+    await click(SELECTORS.details.configure);
+    await fillIn(SELECTORS.inputByName('issuerName'), this.intIssuerName);
+    await click('[data-test-save]');
+
+    // perform cross-sign
+    await visit(`vault/secrets/${this.parentMountPath}/pki/issuers/${this.parentIssuerName}/cross-sign`);
+    await fillIn(SELECTORS.objectListInput('intermediateMount'), this.intMountPath);
+    await fillIn(SELECTORS.objectListInput('intermediateIssuer'), this.intIssuerName);
+    await fillIn(SELECTORS.objectListInput('newCrossSignedIssuer'), this.newlySignedIssuer);
+    await click(SELECTORS.submitButton);
+    assert
+      .dom(`${SELECTORS.signedIssuerCol('intermediateMount')} a`)
+      .hasAttribute('href', `/ui/vault/secrets/${this.intMountPath}/pki/overview`);
+    assert
+      .dom(`${SELECTORS.signedIssuerCol('intermediateIssuer')} a`)
+      .hasAttribute('href', `/ui/vault/secrets/${this.intMountPath}/pki/issuers/${oldIntIssuerId}/details`);
+
+    // get certificate data of newly signed issuer
+    await click(`${SELECTORS.signedIssuerCol('newCrossSignedIssuer')} a`);
+    const newIntCert = find(SELECTORS.copyButton('Certificate')).getAttribute('data-test-copy-button');
+
+    // verify cross-sign was accurate by creating a role to issue a leaf certificate
+    const myRole = 'some-role';
+    await runCommands([
+      `write ${this.intMountPath}/roles/${myRole} \
+    issuer_ref=${this.newlySignedIssuer}\
+    allow_any_name=true \
+    max_ttl="720h"`,
+    ]);
+    await visit(`vault/secrets/${this.intMountPath}/pki/roles/${myRole}/generate`);
+    await fillIn(SELECTORS.inputByName('commonName'), 'my-leaf');
+    await fillIn('[data-test-ttl-value="TTL"]', '3600');
+    await click('[data-test-pki-generate-button]');
+    const myLeafCert = find(SELECTORS.copyButton('Certificate')).getAttribute('data-test-copy-button');
+
+    // see comments in utils/parse-pki-cert.js for step-by-step explanation of of verifyCertificates method
+    assert.true(
+      await verifyCertificates(oldIntCert, newIntCert, myLeafCert),
+      'the leaf certificate validates against both intermediate certificates'
+    );
+  });
 });
diff --git a/ui/app/models/cluster.js b/ui/app/models/cluster.js
index 6ac7f90af367..4245a2128747 100644
--- a/ui/app/models/cluster.js
+++ b/ui/app/models/cluster.js
@@ -3,108 +3,156 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import Model, { attr, belongsTo, hasMany } from '@ember-data/model';
-import { inject as service } from '@ember/service';
-import { get } from '@ember/object';
-
-export default class ClusterModel extends Model {
-  @service version;
-
-  @hasMany('nodes', { async: false, inverse: null }) nodes;
-  @attr('string') name;
-  @attr('string') status;
-  @attr('boolean') standby;
-  @attr('string') type;
-  @attr('object') license;
-  // manually set on response when sys/health failure
-  @attr('boolean') hasChrootNamespace;
-
-  /* Licensing concerns */
-  get licenseExpiry() {
-    return this.license?.expiry_time;
-  }
-  get licenseState() {
-    return this.license?.state;
-  }
-
-  get needsInit() {
-    return this.nodes.every((node) => {
-      return node.initialized === false;
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
+import { click, fillIn, render } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import { setupEngine } from 'ember-engines/test-support';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+
+module('Integration | Component | pki-generate-csr', function (hooks) {
+  setupRenderingTest(hooks);
+  setupEngine(hooks, 'pki');
+  setupMirage(hooks);
+
+  hooks.beforeEach(async function () {
+    this.owner.lookup('service:secretMountPath').update('pki-test');
+    this.store = this.owner.lookup('service:store');
+    this.onComplete = () => {};
+    this.model = this.owner
+      .lookup('service:store')
+      .createRecord('pki/action', { actionType: 'generate-csr' });
+
+    this.server.post('/sys/capabilities-self', () => ({
+      data: {
+        capabilities: ['root'],
+        'pki-test/issuers/generate/intermediate/exported': ['root'],
+      },
+    }));
+  });
+
+  test('it should render fields and save', async function (assert) {
+    assert.expect(9);
+
+    this.server.post('/pki-test/issuers/generate/intermediate/exported', (schema, req) => {
+      const payload = JSON.parse(req.requestBody);
+      assert.strictEqual(payload.common_name, 'foo', 'Request made to correct endpoint on save');
+      return {
+        request_id: '123',
+        data: {},
+      };
+    });
+
+    await render(hbs`<PkiGenerateCsr @model={{this.model}} @onComplete={{this.onComplete}} />`, {
+      owner: this.engine,
+    });
+
+    const fields = [
+      'type',
+      'commonName',
+      'excludeCnFromSans',
+      'format',
+      'subjectSerialNumber',
+      'addBasicConstraints',
+    ];
+    fields.forEach((key) => {
+      assert.dom(`[data-test-input="${key}"]`).exists(`${key} form field renders`);
     });
-  }
 
-  get unsealed() {
-    return !!this.nodes.find((node) => {
-      return node.sealed === false;
+    assert.dom('[data-test-toggle-group]').exists({ count: 3 }, 'Toggle groups render');
+
+    await fillIn('[data-test-input="type"]', 'exported');
+    await fillIn('[data-test-input="commonName"]', 'foo');
+    await click('[data-test-save]');
+
+    const savedRecord = this.store.peekAll('pki/action').firstObject;
+    assert.false(savedRecord.isNew, 'record is saved');
+  });
+
+  test('it should display validation errors', async function (assert) {
+    assert.expect(4);
+
+    this.onCancel = () => assert.ok(true, 'onCancel action fires');
+
+    await render(
+      hbs`<PkiGenerateCsr @model={{this.model}} @onCancel={{this.onCancel}} @onComplete={{this.onComplete}} />`,
+      {
+        owner: this.engine,
+      }
+    );
+
+    await click('[data-test-save]');
+
+    assert
+      .dom('[data-test-field-validation="type"]')
+      .hasText('Type is required.', 'Type validation error renders');
+    assert
+      .dom('[data-test-field="commonName"] [data-test-inline-alert]')
+      .hasText('Common name is required.', 'Common name validation error renders');
+    assert.dom('[data-test-alert]').hasText('There are 2 errors with this form.', 'Alert renders');
+
+    await click('[data-test-cancel]');
+  });
+
+  test('it should show generated CSR for type=exported', async function (assert) {
+    assert.expect(6);
+    this.model.id = '1235-someId';
+    this.model.csr = '-----BEGIN CERTIFICATE REQUEST-----...-----END CERTIFICATE REQUEST-----';
+    this.model.keyId = '9179de78-1275-a1cf-ebb0-a4eb2e376636';
+    this.model.privateKey = '-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----';
+    this.model.privateKeyType = 'rsa';
+    this.onComplete = () => assert.ok(true, 'onComplete action fires');
+
+    await render(hbs`<PkiGenerateCsr @model={{this.model}} @onComplete={{this.onComplete}} />`, {
+      owner: this.engine,
+    });
+    assert
+      .dom('[data-test-next-steps-csr]')
+      .hasText(
+        'Next steps Copy the CSR below for a parent issuer to sign and then import the signed certificate back into this mount. The private_key is only available once. Make sure you copy and save it now.',
+        'renders Next steps alert banner'
+      );
+
+    assert
+      .dom('[data-test-value-div="CSR"] [data-test-certificate-card] button')
+      .hasAttribute('data-test-copy-button', this.model.csr, 'it renders copyable csr');
+    assert
+      .dom('[data-test-value-div="Key ID"] button')
+      .hasAttribute('data-test-copy-button', this.model.keyId, 'it renders copyable key_id');
+    assert
+      .dom('[data-test-value-div="Private key"] [data-test-certificate-card] button')
+      .hasAttribute('data-test-copy-button', this.model.privateKey, 'it renders copyable private_key');
+    assert
+      .dom('[data-test-value-div="Private key type"]')
+      .hasText(this.model.privateKeyType, 'renders private_key_type');
+    await click('[data-test-done]');
+  });
+
+  test('it should show generated CSR for type=internal', async function (assert) {
+    assert.expect(5);
+    this.model.id = '1235-someId';
+    this.model.csr = '-----BEGIN CERTIFICATE REQUEST-----...-----END CERTIFICATE REQUEST-----';
+    this.model.keyId = '9179de78-1275-a1cf-ebb0-a4eb2e376636';
+    this.onComplete = () => {};
+
+    await render(hbs`<PkiGenerateCsr @model={{this.model}} @onComplete={{this.onComplete}} />`, {
+      owner: this.engine,
     });
-  }
-
-  get sealed() {
-    return !this.unsealed;
-  }
-
-  get leaderNode() {
-    const nodes = this.nodes;
-    if (nodes.length === 1) {
-      return nodes[0];
-    } else {
-      return nodes.find((node) => node.isLeader === true);
-    }
-  }
-
-  get sealThreshold() {
-    return this.leaderNode?.sealThreshold;
-  }
-  get sealProgress() {
-    return this.leaderNode?.progress;
-  }
-  get sealType() {
-    return this.leaderNode?.type;
-  }
-  get storageType() {
-    return this.leaderNode?.storageType;
-  }
-  get hcpLinkStatus() {
-    return this.leaderNode?.hcpLinkStatus;
-  }
-  get hasProgress() {
-    return this.sealProgress >= 1;
-  }
-  get usingRaft() {
-    return this.storageType === 'raft';
-  }
-
-  //replication mode - will only ever be 'unsupported'
-  //otherwise the particular mode will have the relevant mode attr through replication-attributes
-  @attr('string') mode;
-  get allReplicationDisabled() {
-    return this.dr?.replicationDisabled && this.performance?.replicationDisabled;
-  }
-  get anyReplicationEnabled() {
-    return this.dr?.replicationEnabled || this.performance?.replicationEnabled;
-  }
-
-  @belongsTo('replication-attributes', { async: false, inverse: null }) dr;
-  @belongsTo('replication-attributes', { async: false, inverse: null }) performance;
-  // this service exposes what mode the UI is currently viewing
-  // replicationAttrs will then return the relevant `replication-attributes` model
-  @service('replication-mode') rm;
-  get drMode() {
-    return this.dr.mode;
-  }
-  get replicationMode() {
-    return this.rm.mode;
-  }
-  get replicationModeForDisplay() {
-    return this.replicationMode === 'dr' ? 'Disaster Recovery' : 'Performance';
-  }
-  get replicationIsInitializing() {
-    // a mode of null only happens when a cluster is being initialized
-    // otherwise the mode will be 'disabled', 'primary', 'secondary'
-    return !this.dr?.mode || !this.performance?.mode;
-  }
-  get replicationAttrs() {
-    const replicationMode = this.replicationMode;
-    return replicationMode ? get(this, replicationMode) : null;
-  }
-}
+    assert
+      .dom('[data-test-next-steps-csr]')
+      .hasText(
+        'Next steps Copy the CSR below for a parent issuer to sign and then import the signed certificate back into this mount.',
+        'renders Next steps alert banner'
+      );
+    assert
+      .dom('[data-test-value-div="CSR"] [data-test-certificate-card] button')
+      .hasAttribute('data-test-copy-button', this.model.csr, 'it renders copyable csr');
+    assert
+      .dom('[data-test-value-div="Key ID"] button')
+      .hasAttribute('data-test-copy-button', this.model.keyId, 'it renders copyable key_id');
+    assert.dom('[data-test-value-div="Private key"]').hasText('internal', 'does not render private key');
+    assert
+      .dom('[data-test-value-div="Private key type"]')
+      .hasText('internal', 'does not render private key type');
+  });
+});
diff --git a/ui/app/routes/vault.js b/ui/app/routes/vault.js
index bc67466c3ae1..1b4a38f8bd90 100644
--- a/ui/app/routes/vault.js
+++ b/ui/app/routes/vault.js
@@ -1,46 +1,74 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
 
-import { later } from '@ember/runloop';
-import { Promise } from 'rsvp';
-import { inject as service } from '@ember/service';
-import Route from '@ember/routing/route';
-import Ember from 'ember';
-/* eslint-disable ember/no-ember-testing-in-module-scope */
-const SPLASH_DELAY = Ember.testing ? 0 : 300;
+{{#if @model.id}}
+  {{! Model only has ID once form has been submitted and saved }}
+  <main data-test-generate-csr-result>
+    <div class="box is-sideless is-fullwidth is-shadowless">
+      <Hds::Alert data-test-next-steps-csr @type="inline" @color="highlight" class="has-bottom-margin-s" as |A|>
+        <A.Title>Next steps</A.Title>
+        <A.Description>
+          Copy the CSR below for a parent issuer to sign and then import the signed certificate back into this mount.
+          {{#if @model.privateKey}}
+            The
+            <code>private_key</code>
+            is only available once. Make sure you copy and save it now.
+          {{/if}}
+        </A.Description>
+      </Hds::Alert>
+      {{#each this.showFields as |fieldName|}}
+        {{#let (find-by "name" fieldName @model.allFields) as |attr|}}
+          {{#let (get @model attr.name) as |value|}}
+            <InfoTableRow
+              @label={{or attr.options.label (humanize (dasherize attr.name))}}
+              @value={{value}}
+              @addCopyButton={{eq attr.name "keyId"}}
+            >
+              {{#if (and attr.options.isCertificate value)}}
+                <CertificateCard @data={{value}} />
+              {{else if (eq attr.name "keyId")}}
+                <LinkTo @route="keys.key.details" @model={{@model.keyId}}>
+                  {{@model.keyId}}
+                </LinkTo>
+              {{else}}
+                {{! this block only ever renders privateKey and privateKeyType }}
+                <span class="{{unless value 'tag'}}">{{or value "internal"}}</span>
+              {{/if}}
+            </InfoTableRow>
+          {{/let}}
+        {{/let}}
+      {{/each}}
+    </div>
+  </main>
+  <footer>
+    <div class="field is-grouped is-fullwidth has-top-margin-l">
+      <Hds::Button @text="Done" {{on "click" @onComplete}} data-test-done />
+    </div>
+  </footer>
+{{else}}
+  <form {{on "submit" (perform this.save)}}>
+    <MessageError @errorMessage={{this.error}} class="has-top-margin-s" />
+    <h2 class="title is-size-5 has-border-bottom-light page-header">
+      CSR parameters
+    </h2>
 
-export default Route.extend({
-  store: service(),
-  version: service(),
+    {{#each this.formFields as |field|}}
+      <FormField @attr={{field}} @model={{@model}} @modelValidations={{this.modelValidations}} />
+    {{/each}}
 
-  beforeModel() {
-    return this.version.fetchVersion();
-  },
+    <PkiGenerateToggleGroups @model={{@model}} @modelValidations={{this.modelValidations}} />
 
-  model() {
-    // hardcode single cluster
-    const fixture = {
-      data: {
-        id: '1',
-        type: 'cluster',
-        attributes: {
-          name: 'vault',
-        },
-      },
-    };
-    this.store.push(fixture);
-    return new Promise((resolve) => {
-      later(() => {
-        resolve(this.store.peekAll('cluster'));
-      }, SPLASH_DELAY);
-    });
-  },
-
-  redirect(model, transition) {
-    if (model.get('length') === 1 && transition.targetName === 'vault.index') {
-      return this.transitionTo('vault.cluster', model.get('firstObject.name'));
-    }
-  },
-});
+    <hr class="has-background-gray-100" />
+    <Hds::ButtonSet>
+      <Hds::Button @text="Generate" type="submit" data-test-save />
+      <Hds::Button @text="Cancel" @color="secondary" {{on "click" this.cancel}} data-test-cancel />
+    </Hds::ButtonSet>
+    {{#if this.alert}}
+      <div class="control">
+        <AlertInline @type="danger" class="has-top-padding-s" @message={{this.alert}} data-test-alert />
+      </div>
+    {{/if}}
+  </form>
+{{/if}}
\ No newline at end of file
diff --git a/ui/app/routes/vault/cluster.js b/ui/app/routes/vault/cluster.js
index 2908592c21bf..8980ef11462b 100644
--- a/ui/app/routes/vault/cluster.js
+++ b/ui/app/routes/vault/cluster.js
@@ -1,144 +1,114 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
 
-import { inject as service } from '@ember/service';
-import { computed } from '@ember/object';
-import { reject } from 'rsvp';
-import Route from '@ember/routing/route';
-import { task, timeout } from 'ember-concurrency';
-import Ember from 'ember';
-import getStorage from '../../lib/token-storage';
-import localStorage from 'vault/lib/local-storage';
-import ClusterRoute from 'vault/mixins/cluster-route';
-import ModelBoundaryRoute from 'vault/mixins/model-boundary-route';
-import { assert } from '@ember/debug';
+{{! Show results if model has an ID, which is only generated after save }}
+{{#if @model.id}}
+  <main class="box is-fullwidth is-sideless is-paddingless is-marginless">
+    {{#each this.returnedFields as |field|}}
+      {{#let (find-by "name" field @model.allFields) as |attr|}}
+        {{#if attr.options.detailLinkTo}}
+          <InfoTableRow
+            @label={{capitalize (or attr.options.detailsLabel attr.options.label (humanize (dasherize attr.name)))}}
+            @value={{get @model attr.name}}
+            @addCopyButton={{or (eq attr.name "issuerId") (eq attr.name "keyId")}}
+          >
+            <LinkTo @route={{attr.options.detailLinkTo}} @model={{get @model attr.name}}>{{get @model attr.name}}</LinkTo>
+          </InfoTableRow>
+        {{else if attr.options.isCertificate}}
+          <InfoTableRow
+            @label={{capitalize (or attr.options.detailsLabel attr.options.label (humanize (dasherize attr.name)))}}
+          >
+            <CertificateCard @data={{get @model attr.name}} />
+          </InfoTableRow>
+        {{else}}
+          <InfoTableRow
+            @label={{capitalize (or attr.options.detailsLabel attr.options.label (humanize (dasherize attr.name)))}}
+            @value={{get @model attr.name}}
+          />
+        {{/if}}
+      {{/let}}
+    {{/each}}
+    <InfoTableRow @label="Private key">
+      {{#if @model.privateKey}}
+        <CertificateCard @data={{@model.privateKey}} />
+      {{else}}
+        <span class="tag">internal</span>
+      {{/if}}
+    </InfoTableRow>
+    <InfoTableRow @label="Private key type" @value={{@model.privateKeyType}}>
+      <span class="{{unless @model.privateKeyType 'tag'}}">{{or @model.privateKeyType "internal"}}</span>
+    </InfoTableRow>
+    <ParsedCertificateInfoRows @model={{@model.parsedCertificate}} />
+  </main>
+  <footer>
+    <div class="field is-grouped is-fullwidth has-top-margin-l">
+      <Hds::Button @text="Done" {{on "click" @onComplete}} data-test-done />
+    </div>
+  </footer>
+{{else}}
+  <form {{on "submit" (perform this.save)}} data-test-pki-config-generate-root-form>
+    <MessageError @errorMessage={{this.errorBanner}} class="has-top-margin-s" />
+    <h2 class="title is-size-5 has-border-bottom-light page-header" data-test-generate-root-title="Root parameters">
+      Root parameters
+    </h2>
+    {{#each this.defaultFields as |field|}}
+      {{#let (find-by "name" field @model.allFields) as |attr|}}
+        <FormField @attr={{attr}} @model={{@model}} @modelValidations={{this.modelValidations}} data-test-field>
+          {{#if (eq field "customTtl")}}
+            {{! customTtl attr has editType yield, which will render this }}
+            <PkiNotValidAfterForm @attr={{attr}} @model={{@model}} />
+          {{/if}}
+        </FormField>
+      {{/let}}
+    {{/each}}
 
-const POLL_INTERVAL_MS = 10000;
+    <PkiGenerateToggleGroups @model={{@model}} @modelValidations={{this.modelValidations}} />
 
-export const getManagedNamespace = (nsParam, root) => {
-  if (!nsParam || nsParam.replaceAll('/', '') === root) return root;
-  // Check if param starts with root and /
-  if (nsParam.startsWith(`${root}/`)) {
-    return nsParam;
-  }
-  // Otherwise prepend the given param with the root
-  return `${root}/${nsParam}`;
-};
+    {{#if @urls}}
+      <fieldset class="box is-shadowless is-marginless is-borderless is-fullwidth" data-test-urls-section>
+        <h2
+          class="title is-size-5 page-header {{if @urls.canCreate 'has-border-bottom-light' 'is-borderless'}}"
+          data-test-generate-root-title="Issuer URLs"
+        >
+          Issuer URLs
+        </h2>
+        {{#if @urls.canSet}}
+          {{#each @urls.allFields as |attr|}}
+            {{#if (not-eq attr.name "mountPath")}}
+              <FormField
+                @attr={{attr}}
+                @mode="create"
+                @model={{@urls}}
+                @showHelpText={{attr.options.showHelpText}}
+                data-test-urls-field
+              />
+            {{/if}}
+          {{/each}}
+        {{else}}
+          <EmptyState
+            @title="You do not have permissions to set URLs."
+            @message="These are not required but will need to be configured later. You can do this via the CLI or by changing your permissions and returning to this form."
+          />
+        {{/if}}
+      </fieldset>
+    {{/if}}
 
-export default Route.extend(ModelBoundaryRoute, ClusterRoute, {
-  namespaceService: service('namespace'),
-  version: service(),
-  permissions: service(),
-  store: service(),
-  auth: service(),
-  featureFlagService: service('featureFlag'),
-  currentCluster: service(),
-  modelTypes: computed(function () {
-    return ['node', 'secret', 'secret-engine'];
-  }),
-
-  queryParams: {
-    namespaceQueryParam: {
-      refreshModel: true,
-    },
-  },
-
-  getClusterId(params) {
-    const { cluster_name } = params;
-    const cluster = this.modelFor('vault').findBy('name', cluster_name);
-    return cluster ? cluster.get('id') : null;
-  },
-
-  async beforeModel() {
-    const params = this.paramsFor(this.routeName);
-    let namespace = params.namespaceQueryParam;
-    const currentTokenName = this.auth.get('currentTokenName');
-    const managedRoot = this.featureFlagService.managedNamespaceRoot;
-    assert(
-      'Cannot use VAULT_CLOUD_ADMIN_NAMESPACE flag with non-enterprise Vault version',
-      !(managedRoot && this.version.isOSS)
-    );
-    if (!namespace && currentTokenName && !Ember.testing) {
-      // if no namespace queryParam and user authenticated,
-      // use user's root namespace to redirect to properly param'd url
-      const storage = getStorage().getItem(currentTokenName);
-      namespace = storage?.userRootNamespace;
-      // only redirect if something other than nothing
-      if (namespace) {
-        this.transitionTo({ queryParams: { namespace } });
-      }
-    } else if (managedRoot !== null) {
-      const managed = getManagedNamespace(namespace, managedRoot);
-      if (managed !== namespace) {
-        this.transitionTo({ queryParams: { namespace: managed } });
-      }
-    }
-    this.namespaceService.setNamespace(namespace);
-    const id = this.getClusterId(params);
-    if (id) {
-      this.auth.setCluster(id);
-      if (this.auth.currentToken) {
-        await this.permissions.getPaths.perform();
-      }
-      return this.version.fetchFeatures();
-    } else {
-      return reject({ httpStatus: 404, message: 'not found', path: params.cluster_name });
-    }
-  },
-
-  model(params) {
-    // if a user's browser settings block localStorage they will be unable to use Vault. The method will throw the error and the rest of the application will not load.
-    localStorage.isLocalStorageSupported();
-
-    const id = this.getClusterId(params);
-    return this.store.findRecord('cluster', id);
-  },
-
-  poll: task(function* () {
-    while (true) {
-      // when testing, the polling loop causes promises to never settle so acceptance tests hang
-      // to get around that, we just disable the poll in tests
-      if (Ember.testing) {
-        return;
-      }
-      yield timeout(POLL_INTERVAL_MS);
-      try {
-        /* eslint-disable-next-line ember/no-controller-access-in-routes */
-        yield this.controller.model.reload();
-        yield this.transitionToTargetRoute();
-      } catch (e) {
-        // we want to keep polling here
-      }
-    }
-  })
-    .cancelOn('deactivate')
-    .keepLatest(),
-
-  afterModel(model, transition) {
-    this._super(...arguments);
-    this.currentCluster.setCluster(model);
-
-    // Check that namespaces is enabled and if not,
-    // clear the namespace by transition to this route w/o it
-    if (this.namespaceService.path && !this.version.hasNamespaces) {
-      return this.transitionTo(this.routeName, { queryParams: { namespace: '' } });
-    }
-    return this.transitionToTargetRoute(transition);
-  },
-
-  setupController() {
-    this._super(...arguments);
-    this.poll.perform();
-  },
-
-  actions: {
-    error(e) {
-      if (e.httpStatus === 503 && e.errors[0] === 'Vault is sealed') {
-        this.refresh();
-      }
-      return true;
-    },
-  },
-});
+    <hr class="has-background-gray-100" />
+    <Hds::ButtonSet>
+      <Hds::Button @text="Done" type="submit" data-test-pki-generate-root-save />
+      <Hds::Button @text="Cancel" @color="secondary" {{on "click" @onCancel}} data-test-pki-generate-root-cancel />
+    </Hds::ButtonSet>
+    {{#if this.invalidFormAlert}}
+      <div class="control">
+        <AlertInline
+          @type="danger"
+          class="has-top-padding-s"
+          @message={{this.invalidFormAlert}}
+          data-test-pki-generate-root-validation-error
+        />
+      </div>
+    {{/if}}
+  </form>
+{{/if}}
\ No newline at end of file
diff --git a/ui/app/routes/vault/cluster/dashboard.js b/ui/app/routes/vault/cluster/dashboard.js
index 37b2cb88b7de..2c763dd69907 100644
--- a/ui/app/routes/vault/cluster/dashboard.js
+++ b/ui/app/routes/vault/cluster/dashboard.js
@@ -1,53 +1,74 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: MPL-2.0
- */
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
 
-import Route from '@ember/routing/route';
-import { inject as service } from '@ember/service';
-import { hash } from 'rsvp';
-// eslint-disable-next-line ember/no-mixins
-import ClusterRoute from 'vault/mixins/cluster-route';
-import { action } from '@ember/object';
-
-export default class VaultClusterDashboardRoute extends Route.extend(ClusterRoute) {
-  @service store;
-  @service namespace;
-  @service version;
-
-  async getVaultConfiguration() {
-    try {
-      if (!this.namespace.inRootNamespace) return null;
-
-      const adapter = this.store.adapterFor('application');
-      const configState = await adapter.ajax('/v1/sys/config/state/sanitized', 'GET');
-      return configState.data;
-    } catch (e) {
-      return null;
-    }
-  }
-
-  model() {
-    const clusterModel = this.modelFor('vault.cluster');
-    const hasChroot = clusterModel?.hasChrootNamespace;
-    const replication = hasChroot
-      ? null
-      : {
-          dr: clusterModel.dr,
-          performance: clusterModel.performance,
-        };
-    return hash({
-      replication,
-      secretsEngines: this.store.query('secret-engine', {}),
-      license: this.store.queryRecord('license', {}).catch(() => null),
-      isRootNamespace: this.namespace.inRootNamespace && !hasChroot,
-      version: this.version,
-      vaultConfiguration: hasChroot ? null : this.getVaultConfiguration(),
-    });
-  }
-
-  @action
-  refreshRoute() {
-    this.refresh();
-  }
-}
+<form {{on "submit" (perform this.save)}}>
+  <div class="box is-sideless is-fullwidth is-marginless">
+    <MessageError @errorMessage={{this.error}} />
+    {{#each @model.formFields as |field|}}
+      {{#if (eq field.name "issuingCertificates")}}
+        <div class="has-top-margin-m has-bottom-margin-s">
+          <h2 class="title is-4">
+            Issuer URLs
+          </h2>
+        </div>
+      {{/if}}
+      <FormField @attr={{field}} @model={{@model}}>
+        {{#if (eq field.name "usage")}}
+          {{#each field.options.valueOptions as |option|}}
+            <div class="is-flex-center has-text-grey has-text-weight-bold">
+              <Input
+                data-test-usage={{option.label}}
+                id={{option.value}}
+                @type="checkbox"
+                @checked={{includes option.value this.usageValues}}
+                {{on "change" (fn this.setUsage option.value)}}
+              />
+              <label for={{option.value}} class="has-left-margin-s">{{option.label}}</label>
+            </div>
+          {{/each}}
+        {{else if (eq field.name "leafNotAfterBehavior")}}
+          <div class="control is-expanded">
+            <div class="select is-fullwidth">
+              <select
+                name={{@attr.name}}
+                id={{@attr.name}}
+                {{on "change" (pipe (pick "target.value") (fn (mut @model.leafNotAfterBehavior)))}}
+                onchange={{this.onChangeWithEvent}}
+              >
+                {{#each field.options.valueOptions as |value|}}
+                  <option selected={{eq @model.leafNotAfterBehavior value}} value={{value}}>
+                    {{capitalize (if (eq value "err") "error" value)}}
+                    if the computed NotAfter exceeds that of this issuer
+                  </option>
+                {{/each}}
+              </select>
+            </div>
+          </div>
+        {{/if}}
+      </FormField>
+    {{/each}}
+  </div>
+  <Hds::ButtonSet class="has-top-margin-l has-bottom-margin-l">
+    <Hds::Button
+      @text="Update"
+      @icon={{if this.save.isRunning "loading"}}
+      type="submit"
+      disabled={{this.save.isRunning}}
+      data-test-save
+    />
+    <Hds::Button
+      @text="Cancel"
+      @color="secondary"
+      disabled={{this.save.isRunning}}
+      {{on "click" this.cancel}}
+      data-test-cancel
+    />
+  </Hds::ButtonSet>
+  {{#if this.error}}
+    <div class="control">
+      <AlertInline @type="danger" class="has-top-padding-s" @message="There was an error submitting this form." />
+    </div>
+  {{/if}}
+</form>
\ No newline at end of file
diff --git a/ui/app/routes/vault/cluster/license.js b/ui/app/routes/vault/cluster/license.js
index 33682c5334bc..137e0cafb14a 100644
--- a/ui/app/routes/vault/cluster/license.js
+++ b/ui/app/routes/vault/cluster/license.js
@@ -1,23 +1,191 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
 
-import Route from '@ember/routing/route';
-import ClusterRoute from 'vault/mixins/cluster-route';
-import { inject as service } from '@ember/service';
+<PageHeader as |p|>
+  <p.top>
+    <Page::Breadcrumbs @breadcrumbs={{@breadcrumbs}} />
+  </p.top>
+  <p.levelLeft>
+    <h1 class="title is-3" data-test-pki-page-title>
+      {{if @newRootModel.id "View Issuer Certificate" "Generate New Root"}}
+    </h1>
+  </p.levelLeft>
+</PageHeader>
 
-export default Route.extend(ClusterRoute, {
-  store: service(),
-  version: service(),
+{{#if @newRootModel.id}}
+  <Toolbar>
+    <ToolbarActions>
+      <ToolbarLink
+        @route="issuers.issuer.cross-sign"
+        @type="pen-tool"
+        @model={{@newRootModel.issuerId}}
+        data-test-pki-issuer-cross-sign
+      >
+        Cross-sign issuers
+      </ToolbarLink>
+      <ToolbarLink
+        @route="issuers.issuer.sign"
+        @type="pen-tool"
+        @model={{@newRootModel.issuerId}}
+        data-test-pki-issuer-sign-int
+      >
+        Sign Intermediate
+      </ToolbarLink>
+      <BasicDropdown @class="popup-menu" @horizontalPosition="auto-right" @verticalPosition="below" as |D|>
+        <D.Trigger
+          data-test-popup-menu-trigger
+          class={{concat "toolbar-link" (if D.isOpen " is-active")}}
+          @htmlTag="button"
+          data-test-issuer-download
+        >
+          Download
+          <Chevron @direction="down" @isButton={{true}} />
+        </D.Trigger>
+        <D.Content @defaultClass="popup-menu-content">
+          <nav class="box menu" aria-label="snapshots actions">
+            <ul class="menu-list">
+              <li class="action">
+                <DownloadButton
+                  class="link"
+                  @filename={{@newRootModel.issuerId}}
+                  @extension="pem"
+                  @fetchData={{fn this.fetchDataForDownload "pem"}}
+                  data-test-issuer-download-type="pem"
+                  @text="PEM format"
+                  @hideIcon={{true}}
+                />
+              </li>
+              <li class="action">
+                <DownloadButton
+                  class="link"
+                  @filename={{@newRootModel.issuerId}}
+                  @extension="der"
+                  @fetchData={{fn this.fetchDataForDownload "der"}}
+                  data-test-issuer-download-type="der"
+                  @text="DER format"
+                  @hideIcon={{true}}
+                />
+              </li>
+            </ul>
+          </nav>
+        </D.Content>
+      </BasicDropdown>
+      <ToolbarLink @route="issuers.issuer.edit" @model={{@newRootModel.issuerId}} data-test-pki-issuer-configure>
+        Configure
+      </ToolbarLink>
+    </ToolbarActions>
+  </Toolbar>
+{{/if}}
 
-  beforeModel() {
-    if (this.version.isOSS) {
-      this.transitionTo('vault.cluster');
-    }
-  },
+{{#if @newRootModel.id}}
+  <div class="has-top-margin-m">
+    <Hds::Alert data-test-rotate-next-steps @type="inline" @color="highlight" class="has-bottom-margin-s" as |A|>
+      <A.Title>Next steps</A.Title>
+      <A.Description>
+        Your new root has been generated.
+        {{#if @newRootModel.privateKey}}
+          Make sure to copy and save the
+          <code>private_key</code>
+          as it is only available once.
+        {{/if}}
+        If you’re ready, you can begin cross-signing issuers now. If not, the option to cross-sign is available when you use
+        this certificate.
+      </A.Description>
+      <A.Link::Standalone
+        @icon="arrow-right"
+        @iconPosition="trailing"
+        @text="Cross-sign issuers"
+        @route="issuers.issuer.cross-sign"
+      />
 
-  model() {
-    return this.store.queryRecord('license', {});
-  },
-});
+    </Hds::Alert>
+  </div>
+{{else}}
+  <div class="box is-bottomless is-marginless is-flex-start">
+    {{#each this.generateOptions as |option|}}
+      <RadioCard
+        class="has-fixed-width"
+        @title={{option.label}}
+        @description={{option.description}}
+        @icon={{option.icon}}
+        @value={{option.key}}
+        @groupValue={{this.displayedForm}}
+        @onChange={{fn (mut this.displayedForm) option.key}}
+        data-test-radio={{option.key}}
+      />
+    {{/each}}
+  </div>
+{{/if}}
+
+{{#if (eq this.displayedForm "use-old-settings")}}
+  {{#if @newRootModel.id}}
+    <PkiInfoTableRows @model={{@newRootModel}} @displayFields={{this.displayFields}} />
+    <ParsedCertificateInfoRows @model={{@newRootModel.parsedCertificate}} />
+    <div class="field is-grouped is-fullwidth has-top-margin-l has-bottom-margin-s">
+      <Hds::Button @text="Done" {{on "click" @onComplete}} data-test-done />
+    </div>
+  {{else}}
+    {{!  USE OLD SETTINGS FORM INPUTS  }}
+    <h2 class="title is-size-5 has-border-bottom-light page-header">
+      Root parameters
+    </h2>
+    <form {{on "submit" (perform this.save)}} data-test-pki-rotate-old-settings-form>
+      {{#if @parsingErrors}}
+        <Hds::Alert data-test-parsing-warning @type="inline" @color="warning" class="has-bottom-margin-s" as |A|>
+          <A.Title>Not all of the certificate values can be parsed and transferred to a new root</A.Title>
+          <A.Description>{{@parsingErrors}}</A.Description>
+        </Hds::Alert>
+      {{/if}}
+      {{#if this.alertBanner}}
+        <Hds::Alert data-test-rotate-error @type="inline" @color="critical" class="has-bottom-margin-s" as |A|>
+          <A.Title>Error</A.Title>
+          <A.Description>{{this.alertBanner}}</A.Description>
+        </Hds::Alert>
+      {{/if}}
+      {{#let (find-by "name" "commonName" @newRootModel.allFields) as |attr|}}
+        <FormField @attr={{attr}} @model={{@newRootModel}} @modelValidations={{this.modelValidations}} />
+      {{/let}}
+      {{#let (find-by "name" "issuerName" @newRootModel.allFields) as |attr|}}
+        <FormField @attr={{attr}} @model={{@newRootModel}} @modelValidations={{this.modelValidations}} />
+      {{/let}}
+      <div class="box has-slim-padding is-shadowless">
+        <ToggleButton
+          data-test-details-toggle
+          @closedLabel="Old root settings"
+          @openLabel="Hide old root settings"
+          @isOpen={{this.showOldSettings}}
+          @onClick={{fn (mut this.showOldSettings)}}
+        />
+        {{#if this.showOldSettings}}
+          <PkiInfoTableRows @model={{@oldRoot}} @displayFields={{this.displayFields}} />
+          <ParsedCertificateInfoRows @model={{@oldRoot.parsedCertificate}} />
+        {{/if}}
+      </div>
+
+      <hr class="has-background-gray-100" />
+      <Hds::ButtonSet>
+        <Hds::Button @text="Done" type="submit" data-test-pki-rotate-root-save />
+        <Hds::Button @text="Cancel" @color="secondary" {{on "click" @onCancel}} data-test-pki-rotate-root-cancel />
+      </Hds::ButtonSet>
+      {{#if this.invalidFormAlert}}
+        <div class="control">
+          <AlertInline
+            @type="danger"
+            class="has-top-padding-s"
+            @message={{this.invalidFormAlert}}
+            data-test-pki-rotate-root-validation-error
+          />
+        </div>
+      {{/if}}
+    </form>
+  {{/if}}
+{{else}}
+  <PkiGenerateRoot
+    @model={{@newRootModel}}
+    @onCancel={{@onCancel}}
+    @onComplete={{@onComplete}}
+    @adapterOptions={{hash actionType="rotate-root"}}
+  />
+{{/if}}
\ No newline at end of file
diff --git a/ui/app/routes/vault/cluster/logout.js b/ui/app/routes/vault/cluster/logout.js
index b7b71016081f..881492a512bf 100644
--- a/ui/app/routes/vault/cluster/logout.js
+++ b/ui/app/routes/vault/cluster/logout.js
@@ -1,48 +1,64 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
 
-import Ember from 'ember';
-import { computed } from '@ember/object';
-import { inject as service } from '@ember/service';
-import Route from '@ember/routing/route';
-import ModelBoundaryRoute from 'vault/mixins/model-boundary-route';
-
-export default Route.extend(ModelBoundaryRoute, {
-  auth: service(),
-  controlGroup: service(),
-  flashMessages: service(),
-  console: service(),
-  permissions: service(),
-  namespaceService: service('namespace'),
-  router: service(),
-
-  modelTypes: computed(function () {
-    return ['secret', 'secret-engine'];
-  }),
-
-  beforeModel({ to: { queryParams } }) {
-    const authType = this.auth.getAuthType();
-    const ns = this.namespaceService.path;
-    this.auth.deleteCurrentToken();
-    this.controlGroup.deleteTokens();
-    this.namespaceService.reset();
-    this.console.set('isOpen', false);
-    this.console.clearLog(true);
-    this.flashMessages.clearMessages();
-    this.permissions.reset();
-
-    queryParams.with = authType;
-    if (ns) {
-      queryParams.namespace = ns;
-    }
-    if (Ember.testing) {
-      // Don't redirect on the test
-      this.replaceWith('vault.cluster.auth', { queryParams });
-    } else {
-      const { cluster_name } = this.paramsFor('vault.cluster');
-      location.assign(this.router.urlFor('vault.cluster.auth', cluster_name, { queryParams }));
-    }
-  },
-});
+<form {{on "submit" (perform this.save)}}>
+  <div class="box is-sideless is-fullwidth is-marginless">
+    <MessageError @errorMessage={{this.errorBanner}} class="has-top-margin-s" />
+    <NamespaceReminder @mode={{if @model.isNew "generate" "update"}} @noun="PKI key" />
+    {{#if @model.isNew}}
+      {{#each @model.formFieldGroups as |fieldGroup|}}
+        {{#each-in fieldGroup as |group fields|}}
+          {{#if (eq group "Key parameters")}}
+            <PkiKeyParameters @model={{@model}} @fields={{fields}} @modelValidations={{this.modelValidations}} />
+          {{else}}
+            {{#each fields as |attr|}}
+              <FormField
+                data-test-field={{attr}}
+                @attr={{attr}}
+                @model={{@model}}
+                @modelValidations={{this.modelValidations}}
+                @showHelpText={{false}}
+              />
+            {{/each}}
+          {{/if}}
+        {{/each-in}}
+      {{/each}}
+    {{else}}
+      {{! only key name is edit-able }}
+      {{#let (find-by "name" "keyName" @model.formFields) as |keyName|}}
+        <FormField data-test-field={{keyName}} @attr={{keyName}} @model={{@model}} @showHelpText={{false}} />
+      {{/let}}
+      {{#let (find-by "name" "keyType" @model.formFields) as |keyType|}}
+        <ReadonlyFormField @attr={{keyType}} @value={{@model.keyType}} />
+      {{/let}}
+    {{/if}}
+  </div>
+  <Hds::ButtonSet class="has-top-padding-s">
+    <Hds::Button
+      @text={{if @model.isNew "Generate key" "Edit key"}}
+      @icon={{if this.save.isRunning "loading"}}
+      type="submit"
+      disabled={{this.save.isRunning}}
+      data-test-pki-key-save
+    />
+    <Hds::Button
+      @text="Cancel"
+      @color="secondary"
+      disabled={{this.save.isRunning}}
+      {{on "click" @onCancel}}
+      data-test-pki-key-cancel
+    />
+  </Hds::ButtonSet>
+  {{#if this.invalidFormAlert}}
+    <div class="control">
+      <AlertInline
+        @type="danger"
+        class="has-top-padding-s"
+        @message={{this.invalidFormAlert}}
+        data-test-pki-key-validation-error
+      />
+    </div>
+  {{/if}}
+</form>
\ No newline at end of file
diff --git a/ui/app/routes/vault/cluster/policies/index.js b/ui/app/routes/vault/cluster/policies/index.js
index a983115827c7..882149985a7b 100644
--- a/ui/app/routes/vault/cluster/policies/index.js
+++ b/ui/app/routes/vault/cluster/policies/index.js
@@ -1,81 +1,46 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { inject as service } from '@ember/service';
-import Route from '@ember/routing/route';
-import ClusterRoute from 'vault/mixins/cluster-route';
-import ListRoute from 'core/mixins/list-route';
-
-export default Route.extend(ClusterRoute, ListRoute, {
-  store: service(),
-  version: service(),
-
-  shouldReturnEmptyModel(policyType, version) {
-    return policyType !== 'acl' && (version.get('isOSS') || !version.get('hasSentinel'));
-  },
-
-  model(params) {
-    const policyType = this.policyType();
-    if (this.shouldReturnEmptyModel(policyType, this.version)) {
-      return;
-    }
-    return this.store
-      .lazyPaginatedQuery(`policy/${policyType}`, {
-        page: params.page,
-        pageFilter: params.pageFilter,
-        responsePath: 'data.keys',
-      })
-      .catch((err) => {
-        // acls will never be empty, but sentinel policies can be
-        if (err.httpStatus === 404 && this.policyType() !== 'acl') {
-          return [];
-        } else {
-          throw err;
-        }
-      });
-  },
-
-  setupController(controller, model) {
-    const params = this.paramsFor(this.routeName);
-    if (!model) {
-      controller.setProperties({
-        model: null,
-        policyType: this.policyType(),
-      });
-      return;
-    }
-    controller.setProperties({
-      model,
-      filter: params.pageFilter || '',
-      page: model.get('meta.currentPage') || 1,
-      policyType: this.policyType(),
-    });
-  },
-
-  resetController(controller, isExiting) {
-    this._super(...arguments);
-    if (isExiting) {
-      controller.set('filter', '');
-    }
-  },
-
-  actions: {
-    willTransition(transition) {
-      window.scrollTo(0, 0);
-      if (!transition || transition.targetName !== this.routeName) {
-        this.store.clearAllDatasets();
-      }
-      return true;
-    },
-    reload() {
-      this.store.clearAllDatasets();
-      this.refresh();
-    },
-  },
-
-  policyType() {
-    return this.paramsFor('vault.cluster.policies').type;
-  },
-});
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<form {{on "submit" (perform this.submitForm)}} data-test-pki-key-import-form>
+  <MessageError @errorMessage={{this.errorBanner}} class="has-top-margin-s" />
+  <div class="box is-sideless is-fullwidth is-marginless">
+    <p class="has-bottom-margin-l">
+      Use this form to import a single pem encoded rsa, ec, or ed25519 key.
+      <DocLink @path="/vault/api-docs/secret/pki#import-key">
+        Importing a PKI key
+      </DocLink>
+    </p>
+    {{#let (find-by "name" "keyName" @model.formFields) as |attr|}}
+      <FormField data-test-field={{attr}} @attr={{attr}} @model={{@model}} @showHelpText={{false}} />
+    {{/let}}
+    <TextFile @onChange={{this.onFileUploaded}} @label="PEM Bundle" data-test-pki-key-file />
+  </div>
+  <Hds::ButtonSet class="has-top-padding-s">
+    <Hds::Button
+      @text="Import key"
+      @icon={{if this.submitForm.isRunning "loading"}}
+      type="submit"
+      disabled={{this.submitForm.isRunning}}
+      data-test-pki-key-import
+    />
+    <Hds::Button
+      @text="Cancel"
+      @color="secondary"
+      disabled={{this.submitForm.isRunning}}
+      {{on "click" this.cancel}}
+      data-test-pki-key-cancel
+    />
+  </Hds::ButtonSet>
+  {{#if this.invalidFormAlert}}
+    <div class="control">
+      <AlertInline
+        @type="danger"
+        class="has-top-padding-s"
+        @message={{this.invalidFormAlert}}
+        data-test-pki-key-validation-error
+      />
+    </div>
+  {{/if}}
+</form>
\ No newline at end of file
diff --git a/ui/app/routes/vault/cluster/secrets/backend/list.js b/ui/app/routes/vault/cluster/secrets/backend/list.js
index 85feb1662f79..150086a7ea6d 100644
--- a/ui/app/routes/vault/cluster/secrets/backend/list.js
+++ b/ui/app/routes/vault/cluster/secrets/backend/list.js
@@ -1,218 +1,144 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { set } from '@ember/object';
-import { hash } from 'rsvp';
-import Route from '@ember/routing/route';
-import { supportedSecretBackends } from 'vault/helpers/supported-secret-backends';
-import { allEngines, isAddonEngine } from 'vault/helpers/mountable-secret-engines';
-import { inject as service } from '@ember/service';
-import { normalizePath } from 'vault/utils/path-encoding-helpers';
-import { assert } from '@ember/debug';
-
-const SUPPORTED_BACKENDS = supportedSecretBackends();
-
-export default Route.extend({
-  store: service(),
-  templateName: 'vault/cluster/secrets/backend/list',
-  pathHelp: service('path-help'),
-  router: service(),
-
-  queryParams: {
-    page: {
-      refreshModel: true,
-    },
-    pageFilter: {
-      refreshModel: true,
-    },
-    tab: {
-      refreshModel: true,
-    },
-  },
-
-  modelTypeForTransform(tab) {
-    let modelType;
-    switch (tab) {
-      case 'role':
-        modelType = 'transform/role';
-        break;
-      case 'template':
-        modelType = 'transform/template';
-        break;
-      case 'alphabet':
-        modelType = 'transform/alphabet';
-        break;
-      default: // CBS TODO: transform/transformation
-        modelType = 'transform';
-        break;
-    }
-    return modelType;
-  },
-
-  secretParam() {
-    const { secret } = this.paramsFor(this.routeName);
-    return secret ? normalizePath(secret) : '';
-  },
-
-  enginePathParam() {
-    const { backend } = this.paramsFor('vault.cluster.secrets.backend');
-    return backend;
-  },
-
-  beforeModel() {
-    const secret = this.secretParam();
-    const backend = this.enginePathParam();
-    const { tab } = this.paramsFor('vault.cluster.secrets.backend.list-root');
-    const secretEngine = this.store.peekRecord('secret-engine', backend);
-    const type = secretEngine?.engineType;
-    assert('secretEngine.engineType is not defined', !!type);
-    const engineRoute = allEngines().findBy('type', type)?.engineRoute;
-
-    if (!type || !SUPPORTED_BACKENDS.includes(type)) {
-      return this.router.transitionTo('vault.cluster.secrets');
-    }
-    if (this.routeName === 'vault.cluster.secrets.backend.list' && !secret.endsWith('/')) {
-      return this.router.replaceWith('vault.cluster.secrets.backend.list', secret + '/');
-    }
-    if (isAddonEngine(type, secretEngine.version)) {
-      return this.router.transitionTo(`vault.cluster.secrets.backend.${engineRoute}`, backend);
-    }
-    const modelType = this.getModelType(backend, tab);
-    return this.pathHelp.getNewModel(modelType, backend).then(() => {
-      this.store.unloadAll('capabilities');
-    });
-  },
-
-  getModelType(backend, tab) {
-    const secretEngine = this.store.peekRecord('secret-engine', backend);
-    const type = secretEngine.engineType;
-    const types = {
-      database: tab === 'role' ? 'database/role' : 'database/connection',
-      transit: 'transit-key',
-      ssh: 'role-ssh',
-      transform: this.modelTypeForTransform(tab),
-      aws: 'role-aws',
-      cubbyhole: 'secret',
-      kv: 'secret',
-      keymgmt: `keymgmt/${tab || 'key'}`,
-      generic: 'secret',
-    };
-    return types[type];
-  },
-
-  async model(params) {
-    const secret = this.secretParam() || '';
-    const backend = this.enginePathParam();
-    const backendModel = this.modelFor('vault.cluster.secrets.backend');
-    const modelType = this.getModelType(backend, params.tab);
-
-    return hash({
-      secret,
-      secrets: this.store
-        .lazyPaginatedQuery(modelType, {
-          id: secret,
-          backend,
-          responsePath: 'data.keys',
-          page: params.page || 1,
-          pageFilter: params.pageFilter,
-        })
-        .then((model) => {
-          this.set('has404', false);
-          return model;
-        })
-        .catch((err) => {
-          // if we're at the root we don't want to throw
-          if (backendModel && err.httpStatus === 404 && secret === '') {
-            return [];
-          } else {
-            // else we're throwing and dealing with this in the error action
-            throw err;
-          }
-        }),
-    });
-  },
-
-  setupController(controller, resolvedModel) {
-    const secretParams = this.paramsFor(this.routeName);
-    const secret = resolvedModel.secret;
-    const model = resolvedModel.secrets;
-    const backend = this.enginePathParam();
-    const backendModel = this.store.peekRecord('secret-engine', backend);
-    const has404 = this.has404;
-    // only clear store cache if this is a new model
-    if (secret !== controller.get('baseKey.id')) {
-      this.store.clearAllDatasets();
-    }
-    controller.set('hasModel', true);
-    controller.setProperties({
-      model,
-      has404,
-      backend,
-      backendModel,
-      baseKey: { id: secret },
-      backendType: backendModel.get('engineType'),
-    });
-    if (!has404) {
-      const pageFilter = secretParams.pageFilter;
-      let filter;
-      if (secret) {
-        filter = secret + (pageFilter || '');
-      } else if (pageFilter) {
-        filter = pageFilter;
-      }
-      controller.setProperties({
-        filter: filter || '',
-        page: model.meta?.currentPage || 1,
-      });
-    }
-  },
-
-  resetController(controller, isExiting) {
-    this._super(...arguments);
-    if (isExiting) {
-      controller.set('pageFilter', null);
-      controller.set('filter', null);
-    }
-  },
-
-  actions: {
-    error(error, transition) {
-      const secret = this.secretParam();
-      const backend = this.enginePathParam();
-      const is404 = error.httpStatus === 404;
-      /* eslint-disable-next-line ember/no-controller-access-in-routes */
-      const hasModel = this.controllerFor(this.routeName).get('hasModel');
-
-      // this will occur if we've deleted something,
-      // and navigate to its parent and the parent doesn't exist -
-      // this if often the case with nested keys in kv-like engines
-      if (transition.data.isDeletion && is404) {
-        throw error;
-      }
-      set(error, 'secret', secret);
-      set(error, 'isRoot', true);
-      set(error, 'backend', backend);
-      // only swallow the error if we have a previous model
-      if (hasModel && is404) {
-        this.set('has404', true);
-        transition.abort();
-        return false;
-      }
-      return true;
-    },
-
-    willTransition(transition) {
-      window.scrollTo(0, 0);
-      if (transition.targetName !== this.routeName) {
-        this.store.clearAllDatasets();
-      }
-      return true;
-    },
-    reload() {
-      this.store.clearAllDatasets();
-      this.refresh();
-    },
-  },
-});
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<form {{on "submit" (perform this.save)}}>
+  <div class="box is-sideless is-fullwidth is-marginless">
+    <MessageError @errorMessage={{this.errorBanner}} class="has-top-margin-s" />
+    <NamespaceReminder @mode={{if @role.isNew "create" "update"}} @noun="PKI role" />
+    {{#each @role.formFieldGroups as |fieldGroup|}}
+      {{#each-in fieldGroup as |group fields|}}
+        {{! DEFAULT VIEW }}
+        {{#if (eq group "default")}}
+          {{#each fields as |attr|}}
+            {{#if (and (eq attr.name "issuerRef") @issuers)}}
+              <div class="has-top-margin-m {{unless this.showDefaultIssuer 'has-bottom-margin-xs' 'has-bottom-margin-m'}}">
+                <FormFieldLabel
+                  for={{attr.name}}
+                  @label="Issuer ref"
+                  @helpText={{(if this.showHelpText attr.options.helpText)}}
+                  @subText={{attr.options.subText}}
+                />
+                <Toggle
+                  @name={{concat attr.name "-toggle"}}
+                  @checked={{this.showDefaultIssuer}}
+                  @onChange={{this.toggleShowDefaultIssuer}}
+                >
+                  <span class="has-text-grey">Use default issuer</span>
+                </Toggle>
+              </div>
+              {{#unless this.showDefaultIssuer}}
+                <div class="has-top-margin-xs has-bottom-margin-l">
+                  <div class="select is-fullwidth">
+                    <Select
+                      @name={{attr.name}}
+                      @options={{this.issuers}}
+                      @valueAttribute={{"issuerDisplayName"}}
+                      @labelAttribute={{"issuerDisplayName"}}
+                      @isFullwidth={{true}}
+                      @selectedValue={{@role.issuerRef}}
+                      @onChange={{action (mut @role.issuerRef)}}
+                    />
+                  </div>
+                </div>
+              {{/unless}}
+            {{else}}
+              <FormField
+                data-test-field={{attr}}
+                @attr={{attr}}
+                @model={{@role}}
+                @modelValidations={{this.modelValidations}}
+                @showHelpText={{false}}
+              >
+                <PkiNotValidAfterForm @attr={{attr}} @model={{@role}} />
+              </FormField>
+            {{/if}}
+          {{/each}}
+        {{else}}
+          {{#let (camelize (concat "show" group)) as |prop|}}
+            <ToggleButton
+              @isOpen={{get @role prop}}
+              @openLabel={{concat "Hide " group}}
+              @closedLabel={{group}}
+              @onClick={{fn (mut (get @role prop))}}
+              class="is-block"
+              data-test-toggle-group={{group}}
+            />
+            {{#if (get @role prop)}}
+              <div class="box is-tall is-marginless" data-test-toggle-div={{group}}>
+                {{#let (get @role.fieldGroupsInfo group) as |toggleGroup|}}
+                  {{! HEADER }}
+                  {{#if toggleGroup.header}}
+                    <div class="has-bottom-margin-s">
+                      <FormFieldLabel
+                        for={{toggleGroup.header.name}}
+                        @label={{toggleGroup.header.label}}
+                        @subText={{toggleGroup.header.text}}
+                        @docLink={{toggleGroup.header.docLink}}
+                      />
+                    </div>
+                  {{/if}}
+                  {{! FIELDS }}
+                  {{#if (eq group "Key usage")}}
+                    <PkiKeyUsage @model={{@role}} />
+                  {{else if (eq group "Key parameters")}}
+                    <PkiKeyParameters @model={{@role}} @fields={{fields}} />
+                  {{else}}
+                    {{#each fields as |attr|}}
+                      <FormField
+                        data-test-field={{true}}
+                        @attr={{attr}}
+                        @model={{@role}}
+                        @modelValidations={{@roleValidations}}
+                        @showHelpText={{false}}
+                      >
+                        {{yield attr}}
+                      </FormField>
+                    {{/each}}
+                  {{/if}}
+                  {{! FOOTER }}
+                  {{#if toggleGroup.footer}}
+                    <p class="sub-text">
+                      <Icon @name="info" />
+                      {{toggleGroup.footer.text}}
+                      {{#if toggleGroup.footer.docLink}}
+                        <DocLink @path={{toggleGroup.footer.docLink}}>
+                          {{toggleGroup.footer.docText}}
+                        </DocLink>
+                      {{/if}}
+                    </p>
+                  {{/if}}
+                {{/let}}
+              </div>
+            {{/if}}
+          {{/let}}
+        {{/if}}
+      {{/each-in}}
+    {{/each}}
+  </div>
+  <Hds::ButtonSet class="has-top-padding-s">
+    <Hds::Button
+      @text={{if @role.isNew "Create" "Update"}}
+      @icon={{if this.save.isRunning "loading"}}
+      type="submit"
+      disabled={{this.save.isRunning}}
+      data-test-pki-role-save
+    />
+    <Hds::Button
+      @text="Cancel"
+      @color="secondary"
+      disabled={{this.save.isRunning}}
+      {{on "click" @onCancel}}
+      data-test-pki-role-cancel
+    />
+  </Hds::ButtonSet>
+  {{#if this.modelValidations.targets.errors}}
+    <AlertInline @type="danger" @message={{join ", " this.modelValidations.targets.errors}} class="has-top-padding-s" />
+  {{/if}}
+  {{#if this.invalidFormAlert}}
+    <div class="control">
+      <AlertInline @type="danger" class="has-top-padding-s" @message={{this.invalidFormAlert}} />
+    </div>
+  {{/if}}
+</form>
\ No newline at end of file
diff --git a/ui/app/services/control-group.js b/ui/app/services/control-group.js
index 5713e6b27152..a5db88ff6557 100644
--- a/ui/app/services/control-group.js
+++ b/ui/app/services/control-group.js
@@ -1,140 +1,52 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Service, { inject as service } from '@ember/service';
-import RSVP from 'rsvp';
-import ControlGroupError from 'vault/lib/control-group-error';
-import getStorage from 'vault/lib/token-storage';
-import parseURL from 'core/utils/parse-url';
-
-const CONTROL_GROUP_PREFIX = 'vault:cg-';
-const TOKEN_SEPARATOR = '☃';
-
-// list of endpoints that return wrapped responses
-// without `wrap-ttl`
-const WRAPPED_RESPONSE_PATHS = [
-  'sys/wrapping/rewrap',
-  'sys/wrapping/wrap',
-  'sys/replication/performance/primary/secondary-token',
-  'sys/replication/dr/primary/secondary-token',
-];
-
-const storageKey = (accessor, path) => {
-  return `${CONTROL_GROUP_PREFIX}${accessor}${TOKEN_SEPARATOR}${path}`;
-};
-
-export { storageKey, CONTROL_GROUP_PREFIX, TOKEN_SEPARATOR };
-export default Service.extend({
-  version: service(),
-  router: service(),
-
-  storage() {
-    return getStorage();
-  },
-
-  keyFromAccessor(accessor) {
-    const keys = this.storage().keys() || [];
-    const returnKey = keys
-      .filter((k) => k.startsWith(CONTROL_GROUP_PREFIX))
-      .find((key) => key.replace(CONTROL_GROUP_PREFIX, '').startsWith(accessor));
-    return returnKey ? returnKey : null;
-  },
-
-  storeControlGroupToken(info) {
-    const key = storageKey(info.accessor, info.creation_path);
-    this.storage().setItem(key, info);
-  },
-
-  deleteControlGroupToken(accessor) {
-    this.unmarkTokenForUnwrap();
-    const key = this.keyFromAccessor(accessor);
-    this.storage().removeItem(key);
-  },
-
-  deleteTokens() {
-    const keys = this.storage().keys() || [];
-    keys.filter((k) => k.startsWith(CONTROL_GROUP_PREFIX)).forEach((key) => this.storage().removeItem(key));
-  },
-
-  wrapInfoForAccessor(accessor) {
-    const key = this.keyFromAccessor(accessor);
-    return key ? this.storage().getItem(key) : null;
-  },
-
-  tokenToUnwrap: null,
-  markTokenForUnwrap(accessor) {
-    this.set('tokenToUnwrap', this.wrapInfoForAccessor(accessor));
-  },
-
-  unmarkTokenForUnwrap() {
-    this.set('tokenToUnwrap', null);
-  },
-
-  tokenForUrl(url) {
-    if (this.version.isOSS) {
-      return null;
-    }
-    let pathForUrl = parseURL(url).pathname;
-    pathForUrl = pathForUrl.replace('/v1/', '');
-    const tokenInfo = this.tokenToUnwrap;
-    if (tokenInfo && tokenInfo.creation_path === pathForUrl) {
-      const { token, accessor, creation_time } = tokenInfo;
-      return { token, accessor, creationTime: creation_time };
-    }
-    return null;
-  },
-
-  checkForControlGroup(callbackArgs, response, wasWrapTTLRequested) {
-    const creationPath = response && response?.wrap_info?.creation_path;
-    if (
-      this.version.isOSS ||
-      wasWrapTTLRequested ||
-      !response ||
-      (creationPath && WRAPPED_RESPONSE_PATHS.includes(creationPath)) ||
-      !response.wrap_info
-    ) {
-      return RSVP.resolve(...callbackArgs);
-    }
-    const error = new ControlGroupError(response.wrap_info);
-    return RSVP.reject(error);
-  },
-
-  handleError(error) {
-    const { accessor, token, creation_path, creation_time, ttl } = error;
-    const data = { accessor, token, creation_path, creation_time, ttl };
-    data.uiParams = { url: this.router.currentURL };
-    this.storeControlGroupToken(data);
-    return this.router.transitionTo('vault.cluster.access.control-group-accessor', accessor);
-  },
-
-  // Handle error from non-read request (eg. POST or UPDATE) so it can be retried
-  saveTokenFromError(error) {
-    const { accessor, token, creation_path, creation_time, ttl } = error;
-    const data = { accessor, token, creation_path, creation_time, ttl };
-    this.storeControlGroupToken(data);
-    // In the read flow the accessor is marked once the user clicks "Visit" from the control group page
-    // On a POST/UPDATE flow we don't redirect, so we need to mark automatically so that on the next try
-    // the request will attempt unwrap.
-    this.markTokenForUnwrap(accessor);
-  },
-
-  logFromError(error) {
-    const { accessor, token, creation_path, creation_time, ttl } = error;
-    const data = { accessor, token, creation_path, creation_time, ttl };
-    this.storeControlGroupToken(data);
-
-    const href = this.router.urlFor('vault.cluster.access.control-group-accessor', accessor);
-    const lines = [
-      `A Control Group was encountered at ${error.creation_path}.`,
-      `The Control Group Token is ${error.token}.`,
-      `The Accessor is ${error.accessor}.`,
-      `Visit <a href='${href}'>${href}</a> for more details.`,
-    ];
-    return {
-      type: 'error-with-html',
-      content: lines.join('\n'),
-    };
-  },
-});
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+{{#if @model.serialNumber}}
+  <Page::PkiCertificateDetails @model={{@model}} @onBack={{this.cancel}} />
+{{else}}
+  <form {{on "submit" (perform this.save)}} data-test-pki-generate-cert-form>
+    <div class="box is-bottomless is-fullwidth is-marginless">
+      <MessageError @errorMessage={{this.errorBanner}} />
+      <NamespaceReminder @mode="create" @noun="certificate" />
+      {{#let (get @model.formFieldGroups "0") as |defaultGroup|}}
+        {{#each defaultGroup.default as |attr|}}
+          <FormField @model={{@model}} @attr={{attr}} @modelValidations={{this.modelValidations}}>
+            <PkiNotValidAfterForm @attr={{attr}} @model={{@model}} />
+          </FormField>
+        {{/each}}
+      {{/let}}
+      <FormFieldGroups
+        @model={{@model}}
+        @renderGroup="Subject Alternative Name (SAN) Options"
+        @groupName="formFieldGroups"
+        @showHelpText={{false}}
+      />
+    </div>
+    <hr class="has-background-gray-100" />
+    <Hds::ButtonSet>
+      <Hds::Button
+        @text={{capitalize this.verb}}
+        @icon={{if this.save.isRunning "loading"}}
+        type="submit"
+        disabled={{this.save.isRunning}}
+        data-test-pki-generate-button
+      />
+      <Hds::Button
+        @text="Cancel"
+        @color="secondary"
+        disabled={{this.save.isRunning}}
+        {{on "click" this.cancel}}
+        data-test-pki-generate-cancel
+      />
+    </Hds::ButtonSet>
+
+    {{#if this.invalidFormAlert}}
+      <div class="control" data-test-alert>
+        <AlertInline @type="danger" class="has-top-padding-s" @message={{this.invalidFormAlert}} />
+      </div>
+    {{/if}}
+
+  </form>
+{{/if}}
\ No newline at end of file
diff --git a/ui/app/services/namespace.js b/ui/app/services/namespace.js
index 07802320a031..157ba3d16c61 100644
--- a/ui/app/services/namespace.js
+++ b/ui/app/services/namespace.js
@@ -1,76 +1,81 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
 
-import { alias, equal } from '@ember/object/computed';
-import Service, { inject as service } from '@ember/service';
-import { task } from 'ember-concurrency';
-import { computed } from '@ember/object';
+{{#if @model.id}}
+  {{! Model only has ID once form has been submitted and saved }}
+  <Toolbar />
+  <main data-test-sign-intermediate-result>
+    <div class="box is-sideless is-fullwidth is-shadowless">
+      <Hds::Alert @type="inline" @color="highlight" class="has-bottom-margin-s" as |A|>
+        <A.Title>Next steps</A.Title>
+        <A.Description>
+          The CA Chain and Issuing CA values will only be available once. Make sure you copy and save it now.
+        </A.Description>
+      </Hds::Alert>
+      {{#each this.showFields as |fieldName|}}
+        {{#let (find-by "name" fieldName @model.allFields) as |attr|}}
+          <InfoTableRow @label={{or attr.options.label (humanize (dasherize attr.name))}} @value={{get @model attr.name}}>
+            {{#if (and attr.options.isCertificate (get @model attr.name))}}
+              <CertificateCard @data={{get @model attr.name}} />
+            {{else if (eq attr.name "serialNumber")}}
+              <LinkTo
+                @route="certificates.certificate.details"
+                @model={{@model.serialNumber}}
+              >{{@model.serialNumber}}</LinkTo>
+            {{else}}
+              <Icon @name="minus" />
+            {{/if}}
+          </InfoTableRow>
+        {{/let}}
+      {{/each}}
+      <ParsedCertificateInfoRows @model={{@model.parsedCertificate}} />
+    </div>
+  </main>
+{{else}}
+  <form {{on "submit" (perform this.save)}} data-test-sign-intermediate-form>
+    <div class="box is-sideless is-fullwidth is-marginless">
+      <MessageError @errorMessage={{this.errorBanner}} class="has-top-margin-s" />
+      <NamespaceReminder @mode={{"create"}} @noun="signed intermediate" />
+      {{#each @model.formFields as |attr|}}
+        <FormField
+          data-test-field={{attr}}
+          @attr={{attr}}
+          @model={{@model}}
+          @modelValidations={{this.modelValidations}}
+          @showHelpText={{false}}
+        >
+          {{! attr customTtl has editType yield and will show this component }}
+          <PkiNotValidAfterForm @attr={{attr}} @model={{@model}} />
+        </FormField>
+      {{/each}}
 
-const ROOT_NAMESPACE = '';
-export default Service.extend({
-  store: service(),
-  auth: service(),
-  userRootNamespace: alias('auth.authData.userRootNamespace'),
-  //populated by the query param on the cluster route
-  path: '',
-  // list of namespaces available to the current user under the
-  // current namespace
-  accessibleNamespaces: null,
+      <PkiGenerateToggleGroups @model={{@model}} @groups={{this.groups}} />
+    </div>
 
-  inRootNamespace: equal('path', ROOT_NAMESPACE),
+    <Hds::ButtonSet class="has-top-padding-s">
+      <Hds::Button
+        @text="Save"
+        @icon={{if this.save.isRunning "loading"}}
+        type="submit"
+        disabled={{this.save.isRunning}}
+        data-test-pki-sign-intermediate-save
+      />
+      <Hds::Button
+        @text="Cancel"
+        @color="secondary"
+        class="has-left-margin-s"
+        disabled={{this.save.isRunning}}
+        {{on "click" this.cancel}}
+        data-test-pki-sign-intermediate-cancel
+      />
+    </Hds::ButtonSet>
+    {{#if this.inlineFormAlert}}
+      <div class="control">
+        <AlertInline @type="danger" class="has-top-padding-s" @message={{this.inlineFormAlert}} data-test-form-error />
+      </div>
+    {{/if}}
 
-  currentNamespace: computed('inRootNamespace', 'path', function () {
-    if (this.inRootNamespace) return 'root';
-
-    const parts = this.path?.split('/');
-    return parts[parts.length - 1];
-  }),
-
-  setNamespace(path) {
-    if (!path) {
-      this.set('path', '');
-      return;
-    }
-    this.set('path', path);
-  },
-
-  findNamespacesForUser: task(function* () {
-    // uses the adapter and the raw response here since
-    // models get wiped when switching namespaces and we
-    // want to keep track of these separately
-    const store = this.store;
-    const adapter = store.adapterFor('namespace');
-    const userRoot = this.auth.authData.userRootNamespace;
-    try {
-      const ns = yield adapter.findAll(store, 'namespace', null, {
-        adapterOptions: {
-          forUser: true,
-          namespace: userRoot,
-        },
-      });
-      const keys = ns.data.keys || [];
-      this.set(
-        'accessibleNamespaces',
-        keys.map((n) => {
-          let fullNS = n;
-          // if the user's root isn't '', then we need to construct
-          // the paths so they connect to the user root to the list
-          // otherwise using the current ns to grab the correct leaf
-          // node in the graph doesn't work
-          if (userRoot) {
-            fullNS = `${userRoot}/${n}`;
-          }
-          return fullNS.replace(/\/$/, '');
-        })
-      );
-    } catch (e) {
-      //do nothing here
-    }
-  }).drop(),
-
-  reset() {
-    this.set('accessibleNamespaces', null);
-  },
-});
+  </form>
+{{/if}}
\ No newline at end of file
diff --git a/ui/app/services/version.js b/ui/app/services/version.js
index cf99b759c7a8..a3acc912574f 100644
--- a/ui/app/services/version.js
+++ b/ui/app/services/version.js
@@ -3,71 +3,311 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import Service, { inject as service } from '@ember/service';
-import { keepLatestTask, task } from 'ember-concurrency';
-import { tracked } from '@glimmer/tracking';
-
-export default class VersionService extends Service {
-  @service store;
-  @tracked features = [];
-  @tracked version = null;
-
-  get hasPerfReplication() {
-    return this.features.includes('Performance Replication');
-  }
-
-  get hasDRReplication() {
-    return this.features.includes('DR Replication');
-  }
-
-  get hasSentinel() {
-    return this.features.includes('Sentinel');
-  }
-
-  get hasNamespaces() {
-    return this.features.includes('Namespaces');
-  }
-
-  get hasControlGroups() {
-    return this.features.includes('Control Groups');
-  }
-
-  get isEnterprise() {
-    if (!this.version) return false;
-    return this.version.includes('+');
-  }
-
-  get isOSS() {
-    return !this.isEnterprise;
-  }
-
-  @task
-  *getVersion() {
-    if (this.version) return;
-    const response = yield this.store.adapterFor('cluster').sealStatus();
-    this.version = response.version;
-    return;
-  }
-
-  @keepLatestTask
-  *getFeatures() {
-    if (this.features?.length || this.isOSS) {
-      return;
-    }
-    try {
-      const response = yield this.store.adapterFor('cluster').features();
-      this.features = response.features;
-      return;
-    } catch (err) {
-      // if we fail here, we're likely in DR Secondary mode and don't need to worry about it
-    }
-  }
-
-  fetchVersion() {
-    return this.getVersion.perform();
-  }
-
-  fetchFeatures() {
-    return this.getFeatures.perform();
-  }
-}
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'ember-qunit';
+import { click, render, fillIn } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import { setupEngine } from 'ember-engines/test-support';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { SELECTORS } from 'vault/tests/helpers/pki/page/pki-tidy-form';
+
+module('Integration | Component | pki tidy form', function (hooks) {
+  setupRenderingTest(hooks);
+  setupEngine(hooks, 'pki');
+  setupMirage(hooks);
+
+  hooks.beforeEach(function () {
+    this.store = this.owner.lookup('service:store');
+    this.version = this.owner.lookup('service:version');
+    this.version.type = 'enterprise';
+    this.server.post('/sys/capabilities-self', () => {});
+    this.onSave = () => {};
+    this.onCancel = () => {};
+    this.manualTidy = this.store.createRecord('pki/tidy', { backend: 'pki-manual-tidy' });
+    this.store.pushPayload('pki/tidy', {
+      modelName: 'pki/tidy',
+      id: 'pki-auto-tidy',
+    });
+    this.autoTidy = this.store.peekRecord('pki/tidy', 'pki-auto-tidy');
+  });
+
+  test('it hides or shows fields depending on auto-tidy toggle', async function (assert) {
+    assert.expect(37);
+    const sectionHeaders = [
+      'Universal operations',
+      'ACME operations',
+      'Issuer operations',
+      'Cross-cluster operations',
+    ];
+
+    await render(
+      hbs`
+      <PkiTidyForm
+      @tidy={{this.autoTidy}}
+      @tidyType="auto"
+      @onSave={{this.onSave}}
+      @onCancel={{this.onCancel}}
+    />
+    `,
+      { owner: this.engine }
+    );
+    assert.dom(SELECTORS.toggleInput('intervalDuration')).isNotChecked('Automatic tidy is disabled');
+    assert.dom(`[data-test-ttl-form-label="Automatic tidy disabled"]`).exists('renders disabled label text');
+
+    this.autoTidy.eachAttribute((attr) => {
+      if (attr === 'enabled' || attr === 'intervalDuration') return;
+      assert.dom(SELECTORS.inputByAttr(attr)).doesNotExist(`does not render ${attr} when auto tidy disabled`);
+    });
+
+    sectionHeaders.forEach((group) => {
+      assert.dom(SELECTORS.tidySectionHeader(group)).doesNotExist(`does not render ${group} header`);
+    });
+
+    // ENABLE AUTO TIDY
+    await click(SELECTORS.toggleInput('intervalDuration'));
+    assert.dom(SELECTORS.toggleInput('intervalDuration')).isChecked('Automatic tidy is enabled');
+    assert.dom(`[data-test-ttl-form-label="Automatic tidy enabled"]`).exists('renders enabled text');
+
+    this.autoTidy.eachAttribute((attr) => {
+      const skipFields = ['enabled', 'tidyAcme', 'intervalDuration'];
+      if (skipFields.includes(attr)) return; // combined with duration ttl or asserted elsewhere
+      assert.dom(SELECTORS.inputByAttr(attr)).exists(`renders ${attr} when auto tidy enabled`);
+    });
+
+    sectionHeaders.forEach((group) => {
+      assert.dom(SELECTORS.tidySectionHeader(group)).exists(`renders ${group} header`);
+    });
+  });
+
+  test('it renders all attribute fields, including enterprise', async function (assert) {
+    assert.expect(25);
+    this.autoTidy.enabled = true;
+    const skipFields = ['enabled', 'tidyAcme', 'intervalDuration']; // combined with duration ttl or asserted separately
+    await render(
+      hbs`
+      <PkiTidyForm
+      @tidy={{this.autoTidy}}
+      @tidyType="auto"
+      @onSave={{this.onSave}}
+      @onCancel={{this.onCancel}}
+    />
+    `,
+      { owner: this.engine }
+    );
+
+    this.autoTidy.eachAttribute((attr) => {
+      if (skipFields.includes(attr)) return;
+      assert.dom(SELECTORS.inputByAttr(attr)).exists(`renders ${attr} for auto tidyType`);
+    });
+
+    await render(
+      hbs`
+      <PkiTidyForm
+      @tidy={{this.manualTidy}}
+      @tidyType="manual"
+      @onSave={{this.onSave}}
+      @onCancel={{this.onCancel}}
+    />
+    `,
+      { owner: this.engine }
+    );
+    assert.dom(SELECTORS.toggleInput('intervalDuration')).doesNotExist('hides automatic tidy toggle');
+
+    this.manualTidy.eachAttribute((attr) => {
+      if (skipFields.includes(attr)) return;
+      assert.dom(SELECTORS.inputByAttr(attr)).exists(`renders ${attr} for manual tidyType`);
+    });
+  });
+
+  test('it hides enterprise fields for OSS', async function (assert) {
+    assert.expect(7);
+    this.version.type = 'community';
+    this.autoTidy.enabled = true;
+
+    const enterpriseFields = [
+      'tidyRevocationQueue',
+      'tidyCrossClusterRevokedCerts',
+      'revocationQueueSafetyBuffer',
+    ];
+
+    // tidyType = auto
+    await render(
+      hbs`
+      <PkiTidyForm
+      @tidy={{this.autoTidy}}
+      @tidyType="auto"
+      @onSave={{this.onSave}}
+      @onCancel={{this.onCancel}}
+    />
+    `,
+      { owner: this.engine }
+    );
+
+    assert
+      .dom(SELECTORS.tidySectionHeader('Cross-cluster operations'))
+      .doesNotExist(`does not render ent header`);
+
+    enterpriseFields.forEach((entAttr) => {
+      assert.dom(SELECTORS.inputByAttr(entAttr)).doesNotExist(`does not render ${entAttr} for auto tidyType`);
+    });
+
+    // tidyType = manual
+    await render(
+      hbs`
+      <PkiTidyForm
+      @tidy={{this.manualTidy}}
+      @tidyType="manual"
+      @onSave={{this.onSave}}
+      @onCancel={{this.onCancel}}
+    />
+    `,
+      { owner: this.engine }
+    );
+
+    enterpriseFields.forEach((entAttr) => {
+      assert
+        .dom(SELECTORS.inputByAttr(entAttr))
+        .doesNotExist(`does not render ${entAttr} for manual tidyType`);
+    });
+  });
+
+  test('it should change the attributes on the model', async function (assert) {
+    assert.expect(12);
+    this.server.post('/pki-auto-tidy/config/auto-tidy', (schema, req) => {
+      assert.propEqual(
+        JSON.parse(req.requestBody),
+        {
+          acme_account_safety_buffer: '60s',
+          enabled: true,
+          interval_duration: '10s',
+          issuer_safety_buffer: '20s',
+          pause_duration: '30s',
+          revocation_queue_safety_buffer: '40s',
+          safety_buffer: '50s',
+          tidy_acme: true,
+          tidy_cert_store: true,
+          tidy_cross_cluster_revoked_certs: true,
+          tidy_expired_issuers: true,
+          tidy_move_legacy_ca_bundle: true,
+          tidy_revocation_queue: true,
+          tidy_revoked_cert_issuer_associations: true,
+          tidy_revoked_certs: true,
+        },
+        'response contains updated model values'
+      );
+    });
+    await render(
+      hbs`
+      <PkiTidyForm
+      @tidy={{this.autoTidy}}
+      @tidyType="auto"
+      @onSave={{this.onSave}}
+      @onCancel={{this.onCancel}}
+    />
+    `,
+      { owner: this.engine }
+    );
+
+    assert.dom(SELECTORS.toggleInput('intervalDuration')).isNotChecked('Automatic tidy is disabled');
+    assert.dom(SELECTORS.toggleLabel('Automatic tidy disabled')).exists('auto tidy has disabled label');
+    assert.false(this.autoTidy.enabled, 'enabled is false on model');
+
+    // enable auto-tidy
+    await click(SELECTORS.toggleInput('intervalDuration'));
+    await fillIn(SELECTORS.intervalDuration, 10);
+
+    assert.dom(SELECTORS.toggleInput('intervalDuration')).isChecked('toggle enabled auto tidy');
+    assert.dom(SELECTORS.toggleLabel('Automatic tidy enabled')).exists('auto tidy has enabled label');
+
+    assert.dom(SELECTORS.toggleInput('acmeAccountSafetyBuffer')).isNotChecked('ACME tidy is disabled');
+    assert.dom(SELECTORS.toggleLabel('Tidy ACME disabled')).exists('ACME label has correct disabled text');
+    assert.false(this.autoTidy.tidyAcme, 'tidyAcme is false on model');
+
+    await click(SELECTORS.toggleInput('acmeAccountSafetyBuffer'));
+    await fillIn(SELECTORS.acmeAccountSafetyBuffer, 60);
+    assert.true(this.autoTidy.tidyAcme, 'tidyAcme toggles to true');
+
+    const fillInValues = {
+      issuerSafetyBuffer: 20,
+      pauseDuration: 30,
+      revocationQueueSafetyBuffer: 40,
+      safetyBuffer: 50,
+    };
+    this.autoTidy.eachAttribute(async (attr, { type }) => {
+      const skipFields = ['enabled', 'tidyAcme', 'intervalDuration', 'acmeAccountSafetyBuffer']; // combined with duration ttl or asserted separately
+      if (skipFields.includes(attr)) return;
+      if (type === 'boolean') {
+        await click(SELECTORS.inputByAttr(attr));
+      }
+      if (type === 'string') {
+        await fillIn(SELECTORS.toggleInput(attr), `${fillInValues[attr]}`);
+      }
+    });
+
+    assert.dom(SELECTORS.toggleInput('acmeAccountSafetyBuffer')).isChecked('ACME tidy is enabled');
+    assert.dom(SELECTORS.toggleLabel('Tidy ACME enabled')).exists('ACME label has correct enabled text');
+    await click(SELECTORS.tidySave);
+  });
+
+  test('it updates auto-tidy config', async function (assert) {
+    assert.expect(4);
+    this.server.post('/pki-auto-tidy/config/auto-tidy', (schema, req) => {
+      assert.ok(true, 'Request made to update auto-tidy');
+      assert.propEqual(
+        JSON.parse(req.requestBody),
+        {
+          enabled: false,
+          tidy_acme: false,
+        },
+        'response contains auto-tidy params'
+      );
+    });
+    this.onSave = () => assert.ok(true, 'onSave callback fires on save success');
+    this.onCancel = () => assert.ok(true, 'onCancel callback fires on save success');
+
+    await render(
+      hbs`
+      <PkiTidyForm
+        @tidy={{this.autoTidy}}
+        @tidyType="auto"
+        @onSave={{this.onSave}}
+        @onCancel={{this.onCancel}}
+      />
+    `,
+      { owner: this.engine }
+    );
+
+    await click(SELECTORS.tidySave);
+    await click(SELECTORS.tidyCancel);
+  });
+
+  test('it saves and performs manual tidy', async function (assert) {
+    assert.expect(4);
+
+    this.server.post('/pki-manual-tidy/tidy', (schema, req) => {
+      assert.ok(true, 'Request made to perform manual tidy');
+      assert.propEqual(
+        JSON.parse(req.requestBody),
+        { tidy_acme: false },
+        'response contains manual tidy params'
+      );
+    });
+    this.onSave = () => assert.ok(true, 'onSave callback fires on save success');
+    this.onCancel = () => assert.ok(true, 'onCancel callback fires on save success');
+
+    await render(
+      hbs`
+      <PkiTidyForm
+        @tidy={{this.manualTidy}}
+        @tidyType="manual"
+        @onSave={{this.onSave}}
+        @onCancel={{this.onCancel}}
+      />
+    `,
+      { owner: this.engine }
+    );
+
+    await click(SELECTORS.tidySave);
+    await click(SELECTORS.tidyCancel);
+  });
+});
diff --git a/ui/app/styles/components/action-block.scss b/ui/app/styles/components/action-block.scss
index ec3c482678a7..e45483b68710 100644
--- a/ui/app/styles/components/action-block.scss
+++ b/ui/app/styles/components/action-block.scss
@@ -1,73 +1,81 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
 
-@mixin stacked-grid {
-  grid-template-columns: 1fr;
-  grid-row: 1/1;
-}
-@mixin stacked-content {
-  margin-bottom: $spacing-24;
-}
+<hr class="is-marginless has-background-gray-200" />
 
-.action-block {
-  box-shadow: 0 0 0 1px rgba($grey-dark, 0.3);
-  grid-template-columns: 2fr 1fr;
-  display: grid;
-  padding: $spacing-16 $spacing-24;
-  line-height: inherit;
-  grid-gap: $spacing-16;
+<p class="has-top-margin-m has-bottom-margin-l">Tidying cleans up the storage backend and/or CRL by removing certificates
+  that have expired and are past a certain buffer period beyond their expiration time.
+  <DocLink @path="/vault/api-docs/secret/pki#{{if (eq @tidyType 'manual') 'tidy' 'configure-automatic-tidy'}}">Learn more</DocLink>
+</p>
 
-  @include until($mobile) {
-    @include stacked-grid();
-  }
-}
+<MessageError @errorMessage={{this.errorBanner}} class="has-top-margin-s" />
 
-.action-block-info {
-  @include until($mobile) {
-    @include stacked-content();
-  }
-}
+<form class="has-bottom-margin-s" {{on "submit" (perform this.save)}} data-test-tidy-form={{@tidyType}}>
+  {{#if (and (eq @tidyType "auto") this.intervalDurationAttr)}}
+    {{#let this.intervalDurationAttr as |attr|}}
+      <TtlPicker
+        data-test-input={{attr.name}}
+        @onChange={{fn this.handleTtl attr}}
+        @label={{attr.options.label}}
+        @labelDisabled={{attr.options.labelDisabled}}
+        @helperTextDisabled={{attr.options.helperTextDisabled}}
+        @helperTextEnabled={{attr.options.helperTextEnabled}}
+        @initialEnabled={{get @tidy attr.options.mapToBoolean}}
+        @initialValue={{get @tidy attr.name}}
+      />
+    {{/let}}
+  {{/if}}
+  {{#each @tidy.formFieldGroups as |fieldGroup|}}
+    {{#each-in fieldGroup as |group fields|}}
+      {{#if (or (eq @tidyType "manual") @tidy.enabled)}}
+        <h2 class="title is-size-5 has-border-bottom-light page-header" data-test-tidy-header={{group}}>
+          {{group}}
+        </h2>
+        {{#each fields as |attr|}}
+          {{#if (eq attr.name "acmeAccountSafetyBuffer")}}
+            <TtlPicker
+              data-test-input={{attr.name}}
+              @onChange={{fn this.handleTtl attr}}
+              @label={{attr.options.label}}
+              @labelDisabled={{attr.options.labelDisabled}}
+              @helperTextDisabled={{attr.options.helperTextDisabled}}
+              @helperTextEnabled={{attr.options.helperTextEnabled}}
+              @initialEnabled={{get @tidy attr.options.mapToBoolean}}
+              @initialValue={{get @tidy attr.name}}
+            />
+          {{else}}
+            {{! tidyAcme is handled by the ttl above }}
+            {{#if (not-eq attr.name "tidyAcme")}}
+              <FormField @attr={{attr}} @model={{@tidy}} />
+            {{/if}}
+          {{/if}}
+        {{/each}}
+      {{/if}}
+    {{/each-in}}
+  {{/each}}
 
-.action-block.stacked {
-  @include stacked-grid();
-}
-.stacked > .action-block-info {
-  @include stacked-content();
-}
-
-.action-block-title {
-  font-size: $size-5;
-  font-weight: $font-weight-bold;
-}
-.action-block-action {
-  text-align: right;
-  @include until($mobile) {
-    text-align: left;
-  }
-}
-
-/* Action Block Grid */
-.replication-actions-grid-layout {
-  display: flex;
-  flex-wrap: wrap;
-  margin: $spacing-16 0;
-  @include until($mobile) {
-    display: block;
-  }
-}
-
-.replication-actions-grid-item {
-  flex-basis: 50%;
-  padding: $spacing-12;
-  display: flex;
-  width: 100%;
-}
-
-.replication-actions-grid-item .action-block {
-  width: 100%;
-  @include until($mobile) {
-    height: inherit;
-  }
-}
+  <hr class="is-marginless has-background-gray-200" />
+  <Hds::ButtonSet class="has-top-margin-m">
+    <Hds::Button
+      @text={{if (eq @tidyType "manual") "Perform tidy" "Save"}}
+      @icon={{if this.save.isRunning "loading"}}
+      type="submit"
+      disabled={{this.save.isRunning}}
+      data-test-pki-tidy-button
+    />
+    <Hds::Button
+      @text="Cancel"
+      @color="secondary"
+      disabled={{this.save.isRunning}}
+      {{on "click" @onCancel}}
+      data-test-pki-tidy-cancel
+    />
+  </Hds::ButtonSet>
+  {{#if this.invalidFormAlert}}
+    <div class="control">
+      <AlertInline @type="danger" class="has-top-padding-s" @message={{this.invalidFormAlert}} />
+    </div>
+  {{/if}}
+</form>
\ No newline at end of file
diff --git a/ui/app/styles/components/doc-link.scss b/ui/app/styles/components/doc-link.scss
index 3e8a7345c0be..8b90a6aa7b38 100644
--- a/ui/app/styles/components/doc-link.scss
+++ b/ui/app/styles/components/doc-link.scss
@@ -1,22 +1,42 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-.doc-link {
-  color: $blue;
-  text-decoration: none;
-  font-weight: $font-weight-semibold;
-  &:hover {
-    text-decoration: underline !important;
-  }
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+
+	"github.com/hashicorp/cli"
+)
+
+var _ cli.Command = (*PKICommand)(nil)
+
+type PKICommand struct {
+	*BaseCommand
+}
+
+func (c *PKICommand) Synopsis() string {
+	return "Interact with Vault's PKI Secrets Engine"
+}
+
+func (c *PKICommand) Help() string {
+	helpText := `
+Usage: vault pki <subcommand> [options] [args]
+
+  This command has subcommands for interacting with Vault's PKI Secrets
+  Engine. Here are some simple examples, and more detailed examples are
+  available in the subcommands or the documentation.
+
+  Check the health of a PKI mount, to the best of this token's abilities:
+
+      $ vault pki health-check pki
+
+  Please see the individual subcommand help for detailed usage information.
+`
+
+	return strings.TrimSpace(helpText)
 }
 
-.doc-link-subtle {
-  color: inherit;
-  text-decoration: underline;
-  font-weight: inherit;
-  &:hover {
-    color: inherit;
-  }
+func (c *PKICommand) Run(args []string) int {
+	return cli.RunResultHelp
 }
diff --git a/ui/app/styles/components/env-banner.scss b/ui/app/styles/components/env-banner.scss
index 86895dc2e3c1..44a3b072a566 100644
--- a/ui/app/styles/components/env-banner.scss
+++ b/ui/app/styles/components/env-banner.scss
@@ -1,34 +1,4889 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
+---
+layout: api
+page_title: PKI - Secrets Engines - HTTP API
+description: This is the API documentation for the Vault PKI secrets engine.
+---
 
-.env-banner {
-  align-self: center;
-  border-radius: 3rem;
-  background: linear-gradient(
-    135deg,
-    $blue,
-    hsl(271, 100%, 71%)
-  ); // only use case for purple in the app. define here instead of utils/color_var
-  animation: env-banner-color-rotate 8s infinite linear alternate;
-  color: $white;
-  margin-top: -20px;
-  margin-bottom: 6px;
+# PKI secrets engine (API)
 
-  .hs-icon {
-    margin: 0;
+@include 'x509-sha1-deprecation.mdx'
+
+This is the API documentation for the Vault PKI secrets engine. For general
+information about the usage and operation of the PKI secrets engine, please see
+the [PKI documentation](/vault/docs/secrets/pki).
+
+This documentation assumes the PKI secrets engine is enabled at the `/pki` path
+in Vault. Since it is possible to enable secrets engines at any location, please
+update your API calls accordingly.
+
+## Table of contents
+
+- [Notice About New Multi-Issuer Functionality](#notice-about-new-multi-issuer-functionality)
+- [ACME Certificate Issuance](#acme-certificate-issuance)
+  - [ACME Directories](#acme-directories)
+  - [Get ACME EAB Binding Token](#get-acme-eab-binding-token)
+  - [List Unused ACME EAB Binding Tokens](#list-unused-acme-eab-binding-tokens)
+  - [Delete Unused ACME EAB Binding Tokens](#delete-unused-acme-eab-binding-tokens)
+  - [Get ACME Configuration](#get-acme-configuration)
+  - [Set ACME Configuration](#set-acme-configuration)
+- [Issuing Certificates](#issuing-certificates)
+  - [List Roles](#list-roles)
+  - [Read Role](#read-role)
+  - [Generate Certificate and Key](#generate-certificate-and-key)
+  - [Generate Certificate and Key with External Policy <EnterpriseAlert inline="true" />](#generate-certificate-and-key-with-external-policy)
+  - [Sign Certificate](#sign-certificate)
+  - [Sign Certificate with External Policy <EnterpriseAlert inline="true" />](#sign-certificate-with-external-policy)
+  - [Sign Intermediate](#sign-intermediate)
+  - [Sign Intermediate with External Policy <EnterpriseAlert inline="true" />](#sign-intermediate-with-external-policy)
+  - [Sign Self-Issued](#sign-self-issued)
+  - [Sign Verbatim](#sign-verbatim)
+  - [Revoke Certificate](#revoke-certificate)
+  - [Revoke Certificate with Private Key](#revoke-certificate-with-private-key)
+  - [List Revoked Certificates](#list-revoked-certificates)
+  - [List Revocation Requests](#list-revocation-requests)
+  - [List Cross-Cluster Revocations](#list-cross-cluster-revocations)
+- [Accessing Authority Information](#accessing-authority-information)
+  - [List Issuers](#list-issuers)
+  - [Read Issuer Certificate](#read-issuer-certificate)
+  - [Read Default Issuer Certificate Chain](#read-default-issuer-certificate-chain)
+  - [Read Issuer CRL](#read-issuer-crl)
+  - [OCSP Request](#ocsp-request)
+  - [List Certificates](#list-certificates)
+  - [Read Certificate](#read-certificate)
+- [Managing Keys and Issuers](#managing-keys-and-issuers)
+  - [List Issuers](#list-issuers)
+  - [List Keys](#list-keys)
+  - [Generate Key](#generate-key)
+  - [Generate Root](#generate-root)
+  - [Generate Intermediate CSR](#generate-intermediate-csr)
+  - [Import CA Certificates and Keys](#import-ca-certificates-and-keys)
+  - [Read Issuer](#read-issuer)
+  - [Update Issuer](#update-issuer)
+  - [Revoke Issuer](#revoke-issuer)
+  - [Delete Issuer](#delete-issuer)
+  - [Import Key](#import-key)
+  - [Read Key](#read-key)
+  - [Update Key](#update-key)
+  - [Delete Key](#delete-key)
+  - [Delete All Issuers and Keys](#delete-all-issuers-and-keys)
+- [Managing Authority Information](#managing-authority-information)
+  - [List Roles](#list-roles)
+  - [Create/Update Role](#create-update-role)
+  - [Read Role](#read-role)
+  - [Delete Role](#delete-role)
+  - [Read Certificate Issuance External Policy Service (CIEPS) Configuration <EnterpriseAlert inline="true" />](#read-certificate-issuance-external-policy-service-cieps-configuration)
+  - [Set Certificate Issuance External Policy Service (CIEPS) Configuration <EnterpriseAlert inline="true" />](#set-certificate-issuance-external-policy-service-cieps-configuration)
+  - [Read URLs](#read-urls)
+  - [Set URLs](#set-urls)
+  - [Read Issuers Configuration](#read-issuers-configuration)
+  - [Set Issuers Configuration](#set-issuers-configuration)
+  - [Read Keys Configuration](#read-keys-configuration)
+  - [Set Keys Configuration](#set-keys-configuration)
+  - [Read Cluster Configuration](#read-cluster-configuration)
+  - [Set Cluster Configuration](#set-cluster-configuration)
+  - [Read CRL Configuration](#read-crl-configuration)
+  - [Set CRL Configuration](#set-crl-configuration)
+  - [Rotate CRLs](#rotate-crls)
+  - [Rotate Delta CRLs](#rotate-delta-crls)
+  - [Combining CRLs from the Same Issuer](#combine-crls-from-the-same-issuer)
+  - [Sign Revocation List](#sign-revocation-list)
+  - [Tidy](#tidy)
+  - [Read Automatic Tidy Configuration](#read-automatic-tidy-configuration)
+  - [Set Automatic Tidy Configuration](#set-automatic-tidy-configuration)
+  - [Tidy Status](#tidy-status)
+  - [Cancel Tidy](#cancel-tidy)
+- [Cluster Scalability](#cluster-scalability)
+- [Managed Key](#managed-keys) (Enterprise Only)
+- [Vault CLI with DER/PEM responses](#vault-cli-with-der-pem-responses)
+
+## Notice about new Multi-Issuer functionality
+
+Vault since 1.11.0 allows a single PKI mount to have multiple Certificate
+Authority (CA) certificates ("issuers") in a single mount, for the purpose
+of facilitating rotation. All issuers within a single mount are treated as a
+single Authority, meaning that:
+
+ 1. Certificate Revocation List (CRL) configuration is common to all issuers,
+ 2. All authority access URLs are common to all issuers,
+ 3. Issued certificates' serial numbers will be unique across all issuers.
+
+However, since each issuer may have a distinct subject and keys, different
+issuers may have different CRLs.
+
+It is _strongly_ encouraged to limit the scope of CAs within a mount and not
+to mix different types of CAs (roots and intermediates).
+
+~> **Note**: Some functionality will not work if a default issuer is not
+   configured. Vault automatically selects the default issuer from the
+   current issuing certificate on migration from an older Vault version
+   (Vault < 1.11.0).
+
+## ACME certificate issuance
+
+Starting with Vault 1.14, Vault supports the [ACME certificate lifecycle
+management protocol](https://datatracker.ietf.org/doc/html/rfc8555) for issuing
+and renewing leaf server certificates.
+
+In order to use ACME, a [cluster path](#set-cluster-configuration) must be
+set and ACME must be [enabled in its configuration](#set-acme-configuration)
+with the [required headers](#acme-required-headers) enabled on the mount
+tuning.
+
+Using ACME with a role requires `no_store=false` to be set on the role; this
+allows the certificate to be stored and later fetched through the ACME
+protocol.
+
+### ACME directories
+
+Vault PKI supports the following ACME directories, providing different
+restrictions around usage (defaults, a specific issuer and/or a specific
+role). To interact with these directories, specify the directory URL in
+an ACME client. For example, with the EFF's [CertBot](https://certbot.eff.org/):
+
+```
+$ certbot certonly --server https://localhost:8200/v1/pki/acme/directory ...
+```
+
+These endpoints are unauthenticated from a Vault authentication model, but
+internally authenticated via the ACME protocol.
+
+| Method | Path                                                               | Default Directory Policy   | Issuer                | Role          |
+|:-------|:-------------------------------------------------------------------|:---------------------------|:----------------------|:--------------|
+| `ACME` | `/pki/acme/directory`                                              | `sign-verbatim`            | `default`             | Sign-Verbatim |
+| `ACME` | `/pki/acme/directory`                                              | `role:role_ref`            | Specified by the role | `:role_ref`   |
+| `ACME` | `/pki/acme/directory`                                              | `external-policy(:policy)` | Specified by CIEPS    | CIEPS         |
+| `ACME` | `/pki/issuer/:issuer_ref/acme/directory`                           | `sign-verbatim`            | `:issuer_ref`         | Sign-Verbatim |
+| `ACME` | `/pki/issuer/:issuer_ref/acme/directory`                           | `role:role_ref`            | `:issuer_ref`         | `:role_ref`   |
+| `ACME` | `/pki/roles/:role/acme/directory`                                  | (any)                      | Specified by the role | `:role`       |
+| `ACME` | `/pki/issuer/:issuer_ref/roles/:role/acme/directory`               | (any)                      | `:issuer_ref`         | `:role`       |
+| `ACME` | `/pki/external-policy(/:policy)/acme/directory`                    | (any)                      | Specified by CIEPS    | CIEPS         |
+| `ACME` | `/pki/issuer/:issuer_ref/external-policy(/:policy)/acme/directory` | (any)                      | Specified by CIEPS    | CIEPS         |
+
+When a role is not explicitly specified, behavior is specified by the
+`default_directory_policy` in the [ACME configuration](#set-acme-configuration).
+These directories can also be forbidden by setting that policy as `forbid`.  If
+the policy is `sign-verbatim` then _any_ identifier for which the client can
+prove ownership of will be issued for.  This is similar to using the
+[Sign Verbatim](#sign-verbatim) endpoint, but with additional verification
+that the client has proven ownership (within the ACME protocol) of the
+requested certificate identifiers. When `external-policy` is specified as the
+default value, the Certificate Issuance External
+Policy Service (CIEPS)<EnterpriseAlert inline="true" /> is used for
+validating and templating the certificate instead of a role; ACME's challenge
+validation is still enforced. An optional policy name can be specified by using
+`external-policy:policy`. Roles are not used when CIEPS is used.
+
+#### ACME challenge types
+
+Vault supports the following ACME challenge types presently:
+
+ - `http-01`, supporting both `dns` and `ip` identifiers.
+ - `dns-01`, supporting `dns` identifiers including wildcards.
+ - `tls-alpn-01`, supporting only non-wildcard `dns` identifiers.
+
+A custom DNS resolver used by the server for looking up DNS names for use
+with both mechanisms can be added via the [ACME configuration](#set-acme-configuration).
+
+#### ACME external account bindings
+
+ACME External Account Binding (EAB) Policy can enforce that clients need to
+have a valid external account binding to Vault. Before registering a new account,
+an authenticated Vault client will need to [fetch a new EAB
+token](#get-acme-eab-binding-token). This returns two values: a key identifier
+and an HMAC key used by the ACME client to authenticate with EAB. For example:
+
+```
+$ vault write -f /pki/acme/new-eab
+$ certbot certonly --server https://localhost:8200/v1/pki/acme/directory \
+                   --eab-kid <id> --eab-hmac-key <hmac-key>
+```
+
+With or without EAB, requests from the ACME client are not authenticated using
+traditional Vault authentication, but are instead authenticated through the
+ACME protocol. With EAB however, a Vault authenticated client will have to
+fetch an EAB token and pass it to the ACME client for use on the initial
+registration: this binds the ACME client's registration to an authenticated
+Vault endpoint, but not further to the client's entity or other information.
+
+~> Note: Enabling EAB is strongly recommended for public-facing Vault
+   deployments. Use of the `VAULT_DISABLE_PUBLIC_ACME` environment variable
+   can be used to enforce all ACME instances have EAB enabled.
+
+#### ACME accounts
+
+ACME Accounts are created specific to a particular directory and are not
+portable across Performance Secondary clusters.
+
+#### ACME required headers
+
+ACME requires the following response headers (`allowed_response_headers`)
+to be specified by [mount tuning](/vault/api-docs/system/mounts#tune-mount-configuration):
+
+ - `Replay-Nonce`
+ - `Link`
+ - `Location`
+
+On an existing mount, these can be specified by running the following command:
+
+```
+$ vault secrets tune -allowed-response-headers=Location -allowed-response-headers=Replay-Nonce \
+                     -allowed-response-headers=Link \
+                     pki/
+```
+
+### Get ACME EAB binding token
+
+This endpoint returns a new ACME binding token. The `id` response field can
+be used as the key identifier and the `key` response field be used as the
+EAB HMAC key in the ACME Client.
+
+Each call to this endpoint will generate and return a new EAB binding token
+that is linked to the specific ACME directory it resides under. EAB tokens
+are not usable across different ACME directories.
+
+| Method | Path                                               |
+|:-------|:---------------------------------------------------|
+| `POST` | `/pki/acme/new-eab`                                |
+| `POST` | `/pki/issuer/:issuer_ref/acme/new-eab`             |
+| `POST` | `/pki/roles/:role/acme/new-eab`                    |
+| `POST` | `/pki/issuer/:issuer_ref/roles/:role/acme/new-eab` |
+
+#### Parameters
+
+No parameters.
+
+#### Sample request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/pki/acme/new-eab
+```
+
+#### Sample response
+
+```
+{
+  "data": {
+    "created_on": "2023-05-24T14:33:00-04:00",
+    "id": "bc8088d9-3816-5177-ae8e-d8393265f7dd",
+    "key_type": "hs",
+    "acme_directory": "acme/directory",
+    "key": "MHcCAQE... additional data elided ...",
+  }
+}
+```
+
+### List unused ACME EAB binding tokens
+
+This endpoint returns a list of all unused ACME binding tokens; once used,
+they will be removed from this list.
+
+| Method | Path       |
+| :----- | :--------- |
+| `LIST` | `/pki/eab` |
+
+#### Sample request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/pki/eab
+```
+
+#### Sample response
+
+```
+{
+  "data": {
+    "key_info": {
+      "bc8088d9-3816-5177-ae8e-d8393265f7dd": {
+        "created_on": "2023-05-24T14:33:00-04:00",
+        "key_type": "hs",
+        "acme_directory": "acme/directory"
+      }
+    },
+    "keys": [
+      "bc8088d9-3816-5177-ae8e-d8393265f7dd"
+    ]
+  }
+}
+```
+
+### Delete unused ACME EAB binding tokens
+
+This endpoint allows the deletion of an unused ACME binding token.
+
+| Method   | Path               |
+| :------- | :----------------- |
+| `DELETE` | `/pki/eab/:key_id` |
+
+#### Parameters
+
+ - `key_id` `(string: <required>)` - The id of the EAB binding token to
+   delete. This is part of the request URL.
+
+#### Sample request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/pki/eab/bc8088d9-3816-5177-ae8e-d8393265f7dd
+```
+
+### Get ACME configuration
+
+This endpoint allows reading of the current ACME server configuration used by
+this mount.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `/pki/config/acme` |
+
+#### Sample request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/pki/config/acme
+```
+
+#### Sample response
+
+```
+{
+  "data": {
+    "allowed_issuers": [
+      "*"
+    ],
+    "allowed_roles": [
+      "*"
+    ],
+    "default_directory_policy": "sign-verbatim",
+    "dns_resolver": "",
+    "eab_policy": "not-required",
+    "enabled": true
+  },
+}
+```
+
+### Set ACME configuration
+
+This endpoint allows setting the ACME server configuration used by this
+mount.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `POST` | `/pki/config/acme` |
+
+#### Parameters
+
+ - `allowed_issuers` `(list: ["*"])` - Specifies a list issuers allowed to
+   issue certificates via explicit ACME paths. If an allowed role specifies
+   an issuer outside this list, it will be allowed. The default value `*`
+   allows every issuer within the mount.
+
+  - `allow_role_ext_key_usage` `(bool: false)` - whether the ExtKeyUsage field
+   from a role is used, defaults to false meaning that certificate will be
+   signed with ServerAuth.
+
+ - `allowed_roles` `(list: ["*"])` - Specifies a list of roles allowed to
+   issue certificates via explicit ACME paths.  The default value `*` allows
+   every role within the mount to be used.  If the `default_directory_policy`
+   specifies a role, it must be allowed under this configuration.
+
+ - `default_directory_policy` `(string: "sign-verbatim")` - Specifies the
+   behavior of the default ACME directory.  Can be `forbid`, `sign-verbatim`
+   or a role given by `role:<role_name>`.  If a role is used, it must be
+   present in `allowed_roles`.
+
+ - `dns_resolver` `(string: "")` - An optional overriding DNS resolver to
+   use for challenge verification lookups. When not specified, the default
+   system resolver will be used. This allows domains on peered networks with
+   an accessible DNS resolver to be validated.
+
+ - `eab_policy` `(string: "not-required")` - Specified policy to enforce
+   around [External Account Bindings (EABs)](#acme-external-account-bindings).
+   The allowed values are:
+
+     - `not-required`, where EABs are not enforced but are validated if
+        specified.
+
+     - `new-account-required`, where new accounts are required to have EAB
+       but existing accounts can still be used.
+
+     - `always-required`, where all accounts regardless of age are required
+       to have EABs set.
+
+ - `enabled` `(bool: false)` - Whether ACME is enabled on this mount. When
+   ACME is disabled, all requests to ACME directory URLs will return 404.
+
+#### Sample payload
+
+```
+{
+    "enabled": true
+}
+```
+
+#### Sample request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/config/acme
+```
+
+#### Sample response
+
+```
+{
+  "data": {
+    "allowed_issuers": [
+      "*"
+    ],
+    "allowed_roles": [
+      "*"
+    ],
+    "default_directory_policy": "sign-verbatim",
+    "dns_resolver": "",
+    "eab_policy": "not-required",
+    "enabled": true
+  }
+}
+```
+
+## Issuing certificates
+
+The following API endpoints allow users or operators to request certificates
+and are all authenticated.
+
+In general, for self-serve use, the `/pki/sign/:name` and `/pki/issue/:name`
+are sufficient to allow most users to access for ACL purposes. The per-issuer
+variants (`/pki/issuer/:issuer_ref/sign/:name` and
+`/pki/issuer/:issuer_ref/issue/:name`) allow the requester to override the
+role's chosen issuer, potentially allowing users to request certificates
+issued by the wrong parent authority.
+
+Some API endpoints included here are privileged and should only be accessed
+by trusted users or operators; these include the various `sign-verbatim`,
+`sign-self-signed` and `sign-intermediate` endpoints.
+
+If an issued certificate has been compromised, it should be revoked. The
+Vault PKI secrets engine presently only allows revocation by serial number;
+because this could allow users to deny access to other users, it should be
+restricted to operators.
+
+### List roles
+
+This endpoint returns a list of available roles. Only the role names are
+returned, not any values. It is useful to both operators and users.
+
+| Method | Path         |
+| :----- | :----------- |
+| `LIST` | `/pki/roles` |
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/pki/roles
+```
+
+#### Sample response
+
+```json
+{
+  "auth": null,
+  "data": {
+    "keys": ["dev", "prod"]
+  },
+  "lease_duration": 0,
+  "lease_id": "",
+  "renewable": false
+}
+```
+
+### Read role
+
+This endpoint queries the role definition. It is useful to both operators and
+users.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `/pki/roles/:name` |
+
+#### Parameters
+
+- `name` `(string: <required>)` - Specifies the name of the role to read. This
+  is part of the request URL.
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/pki/roles/my-role
+```
+
+#### Sample response
+
+```json
+{
+  "data": {
+    "allow_any_name": false,
+    "allow_ip_sans": true,
+    "allow_localhost": true,
+    "allow_subdomains": false,
+    "allowed_domains": ["example.com", "foobar.com"],
+    "allowed_uri_sans": ["example.com", "spiffe://*"],
+    "allowed_other_sans": [
+      "1.3.6.1.4.1.311.20.2.3;utf8:devops@example.com",
+      "1.3.6.1.4.1.311.20.2.4;UTF-8:*"
+    ],
+    "client_flag": true,
+    "code_signing_flag": false,
+    "key_bits": 2048,
+    "key_type": "rsa",
+    "ttl": "6h",
+    "max_ttl": "12h",
+    "server_flag": true,
+    ... additional fields elided ...
+  }
+}
+```
+
+<a name="generate-certificate"></a>
+
+### Generate certificate and key
+
+This endpoint generates a new set of credentials (private key and certificate)
+based on the role named in the endpoint. The issuing CA certificate and full CA
+chain is returned as well, so that only the root CA need be in a client's trust
+store. Choice of issuing CA is determined first by the role (when using the
+`/pki/issue/:name` path) and then by the path (when using the
+`/pki/issuer/:issuer_ref/issue/name` path).
+
+It is suggested to limit access to the path-overridden issue endpoint (on
+`/pki/issuer/:issuer_ref/issue/:name`).
+
+~> **Note**: The private key is _not_ stored. If you do not save the private
+   key from the response, you will need to request a new certificate.
+
+| Method | Path                                  | Issuer        |
+| :----- | :------------------------------------ | :------------ |
+| `POST` | `/pki/issue/:name`                    | Role selected |
+| `POST` | `/pki/issuer/:issuer_ref/issue/:name` | Path selected |
+
+#### Parameters
+
+- `name` `(string: <required>)` - Specifies the name of the role to create the
+  certificate against. This is part of the request URL.
+
+- `issuer_ref` `(string: <required>)` - Reference to an existing issuer,
+  either by Vault-generated identifier, the literal string `default` to
+  refer to the currently configured default issuer, or the name assigned
+  to an issuer. This parameter is part of the request URL.
+
+~> Note: This parameter is not present on the `/pki/issue/:name` path and
+   takes its value from the role's `issuer_ref` field.
+
+- `common_name` `(string: "")` - Specifies the requested CN for the
+  certificate. If the CN is allowed by role policy, it will be issued. If more
+  than one `common_name` is desired, specify the alternative names in the
+  `alt_names` list.
+
+~> Note: A value for `common_name` is required when [require_cn](#require_cn) is set to `true`
+
+- `alt_names` `(string: "")` - Specifies requested Subject Alternative Names, in
+  a comma-delimited list. These can be host names or email addresses; they will
+  be parsed into their respective fields. If any requested names do not match
+  role policy, the entire request will be denied.
+
+- `ip_sans` `(string: "")` - Specifies requested IP Subject Alternative Names,
+  in a comma-delimited list. Only valid if the role allows IP SANs (which is the
+  default).
+
+- `uri_sans` `(string: "")` - Specifies the requested URI Subject Alternative
+  Names, in a comma-delimited list. If any requested URIs do not match role policy,
+  the entire request will be denied.
+
+- `other_sans` `(string: "")` - Specifies custom OID/UTF8-string SANs. These
+  must match values specified on the role in `allowed_other_sans` (see role
+  creation for allowed_other_sans globbing rules).
+  The format is the same as OpenSSL: `<oid>;<type>:<value>` where the
+  only current valid type is `UTF8`. This can be a comma-delimited list or a
+  JSON string slice.
+
+- `ttl` `(string: "")` - Specifies requested Time To Live. Cannot be greater
+  than the role's `max_ttl` value. If not provided, the role's `ttl` value will
+  be used. Note that the role values default to system values if not explicitly
+  set. See `not_after` as an alternative for setting an absolute end date
+  (rather than a relative one).
+
+- `format` `(string: "pem")` - Specifies the format for returned data. Can be
+  `pem`, `der`, or `pem_bundle`; defaults to `pem`. If `der`, the output is
+  base64 encoded. If `pem_bundle`, the `certificate` field will contain the
+  private key and certificate, concatenated; if the issuing CA is not a
+  Vault-derived self-signed root, this will be included as well.
+
+- `private_key_format` `(string: "der")` - Specifies the format for marshaling
+  the private key within the private_key response field. Defaults to `der` which will
+  return either base64-encoded DER or PEM-encoded DER, depending on the value of
+  `format`. The other option is `pkcs8` which will return the key marshalled as
+  PEM-encoded PKCS8.
+
+~> **Note** that this does not apply to the private key within the certificate
+  field if `format=pem_bundle` parameter is specified.
+
+- `exclude_cn_from_sans` `(bool: false)` - If true, the given `common_name` will
+  not be included in DNS or Email Subject Alternate Names (as appropriate).
+  Useful if the CN is not a hostname or email address, but is instead some
+  human-readable identifier.
+
+- `not_after` `(string)` - Set the Not After field of the certificate with
+  specified date value. The value format should be given in UTC format
+  `YYYY-MM-ddTHH:MM:SSZ`. Supports the Y10K end date for IEEE 802.1AR-2018
+  standard devices, `9999-12-31T23:59:59Z`.
+
+- `remove_roots_from_chain` `(bool: false)` - If true, the returned `ca_chain`
+  field will not include any self-signed CA certificates. Useful if end-users
+  already have the root CA in their trust store.
+
+- `user_ids` `(string: "")` - Specifies the comma-separated list of requested
+  User ID (OID 0.9.2342.19200300.100.1.1) Subject values to be placed on the
+  signed certificate. This field is validated against `allowed_user_ids` on
+  the role.
+
+#### Sample payload
+
+```json
+{
+  "common_name": "www.example.com"
+}
+```
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/issue/my-role
+```
+
+#### Sample response
+
+```json
+{
+  "lease_id": "pki/issue/test/7ad6cfa5-f04f-c62a-d477-f33210475d05",
+  "renewable": false,
+  "lease_duration": 21600,
+  "data": {
+    "expiration": "1654105687",
+    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
+    "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n",
+    "ca_chain": [
+      "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"
+    ],
+    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAnVHfwoKsUG1GDVyWB1AFroaKl2ImMBO8EnvGLRrmobIkQvh+\n...\nQN351pgTphi6nlCkGPzkDuwvtxSxiCWXQcaxrHAL7MiJpPzkIBq1\n-----END RSA PRIVATE KEY-----\n",
+    "private_key_type": "rsa",
+    "serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
+  },
+  "warnings": "",
+  "auth": null
+}
+```
+
+### Generate certificate and key with external policy <EnterpriseAlert inline="true" />
+
+Similar to the [generate certificate and key](#generate-certificate-and-key)
+endpoint, this endpoint generate key material and certificate via an external
+policy engine. The private key material stays local to Vault, with the external
+service getting only an empty CSR. Any parameters passed to this endpoint are
+passed verbatim to the Certificate Issuance External
+Policy Service (CIEPS)<EnterpriseAlert inline="true" />. The
+response format is the same between both endpoints.
+
+It is suggested to limit access to the path-overridden issue endpoint (on
+`/pki/issuer/:issuer_ref/external-policy/issue/:policy`) and let the CIEPS
+engine override the issuer as necessary.
+
+| Method | Path                                                      | Issuer                      |
+| :----- |:----------------------------------------------------------| :-------------------------- |
+| `POST` | `/pki/external-policy/issue(/:policy)`                    | `default` or CIEPS-selected |
+| `POST` | `/pki/issuer/:issuer_ref/external-policy/issue(/:policy)` | Path or CIEPS selected      |
+
+#### Parameters
+
+- `policy` `(string: <optional>)` - Specifies the name of the policy to create
+  the certificate against. This is part of the request URL and is passed to the
+  external CIEPS engine.
+
+- `issuer_ref` `(string: <required>)` - Reference to an existing issuer,
+  either by Vault-generated identifier, the literal string `default` to
+  refer to the currently configured default issuer, or the name assigned
+  to an issuer. This parameter is part of the request URL.
+
+~> Note: This parameter is not present on the `/pki/external-policy/sign/:policy`
+   path and takes its value from the CIEPS engine response's `issuer_ref`
+   field, which can override the user-requested issuer.
+
+- `format` `(string: "pem")` - Specifies the format for returned data. Can be
+  `pem`, `der`, or `pem_bundle`; defaults to `pem`. If `der`, the output is
+  base64 encoded. If `pem_bundle`, the `certificate` field will contain the
+  private key and certificate, concatenated; if the issuing CA is not a
+  Vault-derived self-signed root, this will be included as well.
+
+- `key_type` `(string: "rsa")` - Specifies the desired key type; must be `rsa`, `ed25519`
+  or `ec`.
+
+~> **Note**: In FIPS 140-2 mode, the following algorithms are not certified
+   and thus should not be used: `ed25519`.
+
+- `key_bits` `(int: 0)` - Specifies the number of bits to use for the
+  generated keys. Allowed values are 0 (universal default); with
+  `key_type=rsa`, allowed values are: 2048 (default), 3072, 4096 or 8192;
+  with `key_type=ec`, allowed values are: 224, 256 (default),
+  384, or 521; ignored with `key_type=ed25519`.
+
+- `private_key_format` `(string: "der")` - Specifies the format for marshaling
+  the private key within the private_key response field. Defaults to `der` which will
+  return either base64-encoded DER or PEM-encoded DER, depending on the value of
+  `format`. The other option is `pkcs8` which will return the key marshalled as
+  PEM-encoded PKCS8.
+
+~> **Note** that this does not apply to the private key within the certificate
+  field if `format=pem_bundle` parameter is specified.
+
+
+- `remove_roots_from_chain` `(bool: false)` - If true, the returned `ca_chain`
+  field will not include any self-signed CA certificates. Useful if end-users
+  already have the root CA in their trust store.
+
+Other parameters may be specified and will not be parsed by Vault but may be
+recognized based on external CIEPS engine definition.
+
+#### Sample payload
+
+```json
+{
+  "common_name": "example.com",
+  "key_type": "rsa",
+  "key_bits": 2048
+}
+```
+
+#### Sample response
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "expiration": "1654105687",
+    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
+    "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n",
+    "ca_chain": [
+      "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"
+    ],
+    "serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:52"
+  },
+  "auth": null
+}
+```
+
+### Sign certificate
+
+This endpoint signs a new certificate based upon the provided CSR and the
+supplied parameters, subject to the restrictions contained in the role named in
+the endpoint. The issuing CA certificate and the full CA chain is returned as
+well, so that only the root CA need be in a client's trust store.
+
+It is suggested to limit access to the path-overridden sign endpoint (on
+`/pki/issuer/:issuer_ref/sign/:name`).
+
+| Method | Path                                 | Issuer        |
+| :----- | :----------------------------------- | :------------ |
+| `POST` | `/pki/sign/:name`                    | Role selected |
+| `POST` | `/pki/issuer/:issuer_ref/sign/:name` | Path selected |
+
+#### Parameters
+
+- `name` `(string: <required>)` - Specifies the name of the role to create the
+  certificate against. This is part of the request URL.
+
+- `issuer_ref` `(string: <required>)` - Reference to an existing issuer,
+  either by Vault-generated identifier, the literal string `default` to
+  refer to the currently configured default issuer, or the name assigned
+  to an issuer. This parameter is part of the request URL.
+
+~> Note: This parameter is not present on the `/pki/sign/:name` path and
+   takes its value from the role's `issuer_ref` field.
+
+- `csr` `(string: <required>)` - Specifies the PEM-encoded CSR.
+
+- `common_name` `(string: <required>)` - Specifies the requested CN for the
+  certificate. If the CN is allowed by role policy, it will be issued. If
+  more than one `common_name` is desired, specify the alternative names in
+  the `alt_names` list.
+
+- `alt_names` `(string: "")` - Specifies the requested Subject Alternative
+  Names, in a comma-delimited list. These can be host names or email addresses;
+  they will be parsed into their respective fields. If any requested names do
+  not match role policy, the entire request will be denied.
+
+- `other_sans` `(string: "")` - Specifies custom OID/UTF8-string SANs. These
+  must match values specified on the role in `allowed_other_sans` (see role
+  creation for allowed_other_sans globbing rules).
+  The format is the same as OpenSSL: `<oid>;<type>:<value>` where the
+  only current valid type is `UTF8`. This can be a comma-delimited list or a
+  JSON string slice.
+
+- `ip_sans` `(string: "")` - Specifies the requested IP Subject Alternative
+  Names, in a comma-delimited list. Only valid if the role allows IP SANs (which
+  is the default).
+
+- `uri_sans` `(string: "")` - Specifies the requested URI Subject Alternative
+  Names, in a comma-delimited list. If any requested URIs do not match role policy,
+  the entire request will be denied.
+
+- `ttl` `(string: "")` - Specifies the requested Time To Live. Cannot be greater
+  than the role's `max_ttl` value. If not provided, the role's `ttl` value will
+  be used. Note that the role values default to system values if not explicitly
+  set. See `not_after` as an alternative for setting an absolute end date
+  (rather than a relative one).
+
+- `format` `(string: "pem")` - Specifies the format for returned data. Can be
+  `pem`, `der`, or `pem_bundle`. If `der`, the output is base64 encoded. If
+  `pem_bundle`, the `certificate` field will contain the certificate and, if the
+  issuing CA is not a Vault-derived self-signed root, it will be concatenated
+  with the certificate.
+
+- `exclude_cn_from_sans` `(bool: false)` - If true, the given `common_name` will
+  not be included in DNS or Email Subject Alternate Names (as appropriate).
+  Useful if the CN is not a hostname or email address, but is instead some
+  human-readable identifier.
+
+- `not_after` `(string)` - Set the Not After field of the certificate with
+  specified date value. The value format should be given in UTC format
+  `YYYY-MM-ddTHH:MM:SSZ`. Supports the Y10K end date for IEEE 802.1AR-2018
+  standard devices, `9999-12-31T23:59:59Z`.
+
+- `remove_roots_from_chain` `(bool: false)` - If true, the returned `ca_chain`
+  field will not include any self-signed CA certificates. Useful if end-users
+  already have the root CA in their trust store.
+
+- `user_ids` `(string: "")` - Specifies the comma-separated list of requested
+  User ID (OID 0.9.2342.19200300.100.1.1) Subject values to be placed on the
+  signed certificate. This field is validated against `allowed_user_ids` on
+  the role.
+
+#### Sample payload
+
+```json
+{
+  "csr": "...",
+  "common_name": "example.com"
+}
+```
+
+#### Sample response
+
+```json
+{
+  "lease_id": "pki/sign/test/7ad6cfa5-f04f-c62a-d477-f33210475d05",
+  "renewable": false,
+  "lease_duration": 21600,
+  "data": {
+    "expiration": "1654105687",
+    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
+    "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n",
+    "ca_chain": [
+      "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"
+    ],
+    "serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
+  },
+  "auth": null
+}
+```
+
+### Sign certificate with external policy <EnterpriseAlert inline="true" />
+
+Similar to the [sign certificate](#sign-certificate) endpoint, this endpoint
+signs the specified leaf CSR via an external policy engine. Any parameters
+passed to this endpoint are passed verbatim to the Certificate Issuance External
+Policy Service (CIEPS)<EnterpriseAlert inline="true" />. The response format is the same
+between both endpoints.
+
+It is suggested to limit access to the path-overridden sign endpoint (on
+`/pki/issuer/:issuer_ref/external-policy/sign/:policy`) and let the CIEPS
+engine override the issuer as necessary.
+
+| Method | Path                                                     | Issuer                      |
+| :----- |:---------------------------------------------------------| :-------------------------- |
+| `POST` | `/pki/external-policy/sign(/:policy)`                    | `default` or CIEPS-selected |
+| `POST` | `/pki/issuer/:issuer_ref/external-policy/sign(/:policy)` | Path or CIEPS selected      |
+
+#### Parameters
+
+- `policy` `(string: <optional>)` - Specifies the name of the policy to create
+  the certificate against. This is part of the request URL and is passed to the
+  external CIEPS engine.
+
+- `issuer_ref` `(string: <required>)` - Reference to an existing issuer,
+  either by Vault-generated identifier, the literal string `default` to
+  refer to the currently configured default issuer, or the name assigned
+  to an issuer. This parameter is part of the request URL.
+
+~> Note: This parameter is not present on the `/pki/external-policy/sign/:policy`
+   path and takes its value from the CIEPS engine response's `issuer_ref`
+   field, which can override the user-requested issuer.
+
+- `csr` `(string: <required>)` - Specifies the PEM-encoded CSR.
+
+- `format` `(string: "pem")` - Specifies the format for returned data. Can be
+  `pem`, `der`, or `pem_bundle`; defaults to `pem`. If `der`, the output is
+  base64 encoded. If `pem_bundle`, the `certificate` field will contain the
+  private key and certificate, concatenated; if the issuing CA is not a
+  Vault-derived self-signed root, this will be included as well.
+
+- `private_key_format` `(string: "der")` - Specifies the format for marshaling
+  the private key within the private_key response field. Defaults to `der` which will
+  return either base64-encoded DER or PEM-encoded DER, depending on the value of
+  `format`. The other option is `pkcs8` which will return the key marshalled as
+  PEM-encoded PKCS8.
+
+~> **Note** that this does not apply to the private key within the certificate
+  field if `format=pem_bundle` parameter is specified.
+
+- `remove_roots_from_chain` `(bool: false)` - If true, the returned `ca_chain`
+  field will not include any self-signed CA certificates. Useful if end-users
+  already have the root CA in their trust store.
+
+Other parameters may be specified and will not be parsed by Vault but may be
+recognized based on external CIEPS engine definition.
+
+#### Sample payload
+
+```json
+{
+  "csr": "...",
+  "common_name": "example.com",
+  "key_attestation": "..."
+}
+```
+
+#### Sample response
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "expiration": "1654105687",
+    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
+    "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n",
+    "ca_chain": [
+      "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"
+    ],
+    "serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:52"
+  },
+  "auth": null
+}
+```
+
+### Sign intermediate
+
+This endpoint uses the configured CA certificate to issue a certificate with
+appropriate values for acting as an intermediate CA. Distribution points use the
+values set via `config/urls`. Values set in the CSR are ignored unless
+`use_csr_values` is set to true, in which case the values from the CSR are used
+verbatim.
+
+This endpoint can be used both when signing a Vault-backed intermediate or
+when signing an externally-owned intermediate.
+
+~> **Note**: This is a privileged endpoint, as callers are granted a new
+   intermediate certificate, with which they can issue for arbitrary names.
+   Access to this endpoint should be restricted by policy to only trusted
+   operators.
+
+| Method | Path                                        | Issuer    |
+| :----- | :------------------------------------------ | :-------  |
+| `POST` | `/pki/root/sign-intermediate`               | `default` |
+| `POST` | `/pki/issuer/:issuer_ref/sign-intermediate` | Selected  |
+
+#### Parameters
+
+- `issuer_ref` `(string: <required>)` - Reference to an existing issuer,
+  either by Vault-generated identifier, the literal string `default` to
+  refer to the currently configured default issuer, or the name assigned
+  to an issuer. This parameter is part of the request URL.
+
+~> Note: This parameter is not present on the `/pki/root/sign-intermediate`
+   path and takes the value `default`.
+
+- `csr` `(string: <required>)` - Specifies the PEM-encoded CSR to be signed.
+
+- `common_name` `(string: <required>)` - Specifies the requested CN for the
+  certificate. If more than one `common_name` is desired, specify the
+  alternative names in the `alt_names` list.
+
+- `alt_names` `(string: "")` - Specifies the requested Subject Alternative
+  Names, in a comma-delimited list. These can be host names or email addresses;
+  they will be parsed into their respective fields.
+
+- `ip_sans` `(string: "")` - Specifies the requested IP Subject Alternative
+  Names, in a comma-delimited list.
+
+- `uri_sans` `(string: "")` - Specifies the requested URI Subject Alternative
+  Names, in a comma-delimited list.
+
+- `other_sans` `(string: "")` - Specifies custom OID/UTF8-string SANs. These
+  must match values specified on the role in `allowed_other_sans` (see role
+  creation for allowed_other_sans globbing rules).
+  The format is the same as OpenSSL: `<oid>;<type>:<value>` where the
+  only current valid type is `UTF8`. This can be a comma-delimited list or a
+  JSON string slice.
+
+- `ttl` `(string: "")` - Specifies the requested Time To Live (after which the
+  certificate will be expired). This cannot be larger than the engine's max (or,
+  if not set, the system max). However, this can be after the expiration of the
+  signing CA. See `not_after` as an alternative for setting an absolute end date
+  (rather than a relative one).
+
+- `format` `(string: "pem")` - Specifies the format for returned data. Can be
+  `pem`, `der`, or `pem_bundle`. If `der`, the output is base64 encoded. If
+  `pem_bundle`, the `certificate` field will contain the certificate and, if the
+  issuing CA is not a Vault-derived self-signed root, it will be concatenated
+  with the certificate.
+
+- `max_path_length` `(int: -1)` - Specifies the maximum path length to encode in
+  the generated certificate. `-1`, means no limit, unless the signing
+  certificate has a maximum path length set, in which case the path length is
+  set to one less than that of the signing certificate. A limit of `0` means a
+  literal path length of zero.
+
+- `exclude_cn_from_sans` `(bool: false)` - If true, the given `common_name` will
+  not be included in DNS or Email Subject Alternate Names (as appropriate).
+  Useful if the CN is not a hostname or email address, but is instead some
+  human-readable identifier.
+
+- `use_csr_values` `(bool: false)` - If set to `true`, then: 1) Subject
+  information, including names and alternate names, will be preserved from the
+  CSR rather than using the values provided in the other parameters to this
+  path; 2) Any key usages (for instance, non-repudiation) requested in the CSR
+  will be added to the basic set of key usages used for CA certs signed by this
+  path; 3) Extensions requested in the CSR will be copied into the issued
+  certificate.
+
+- `permitted_dns_domains` `(string: "")` - A comma separated string (or, string
+  array) containing DNS domains for which certificates are allowed to be issued
+  or signed by this CA certificate. Supports subdomains via a `.` in front of
+  the domain, as per [RFC 5280 Section 4.2.1.10 - Name
+  Constraints](https://tools.ietf.org/html/rfc5280#section-4.2.1.10)
+
+- `ou` `(string: "")` - Specifies the OU (OrganizationalUnit) values in the
+  subject field of the resulting certificate. This is a comma-separated string
+  or JSON array.
+
+- `organization` `(string: "")` - Specifies the O (Organization) values in the
+  subject field of the resulting certificate. This is a comma-separated string
+  or JSON array.
+
+- `country` `(string: "")` - Specifies the C (Country) values in the subject
+  field of the resulting certificate. This is a comma-separated string or JSON
+  array.
+
+- `locality` `(string: "")` - Specifies the L (Locality) values in the subject
+  field of the resulting certificate. This is a comma-separated string or JSON
+  array.
+
+- `province` `(string: "")` - Specifies the ST (Province) values in the subject
+  field of the resulting certificate. This is a comma-separated string or JSON
+  array.
+
+- `street_address` `(string: "")` - Specifies the Street Address values in the
+  subject field of the resulting certificate. This is a comma-separated string
+  or JSON array.
+
+- `postal_code` `(string: "")` - Specifies the Postal Code values in the
+  subject field of the resulting certificate. This is a comma-separated string
+  or JSON array.
+
+- `serial_number` `(string: "")` -  - Specifies the requested Subject's named
+  [Serial Number](https://datatracker.ietf.org/doc/html/rfc4519#section-2.31)
+  value, if any. If you want more than one, specify alternative names in the
+  `alt_names` map using OID 2.5.4.5. Note that this has no impact on the
+  Certificate's serial number field, which Vault randomly generates.
+
+- `not_before_duration` `(duration: "30s")` - Specifies the duration by which to
+  backdate the NotBefore property. This value has no impact in the validity period
+  of the requested certificate, specified in the `ttl` field.
+  Uses [duration format strings](/vault/docs/concepts/duration-format).
+
+- `not_after` `(string)` - Set the Not After field of the certificate with
+  specified date value. The value format should be given in UTC format
+  `YYYY-MM-ddTHH:MM:SSZ`. Supports the Y10K end date for IEEE 802.1AR-2018
+  standard devices, `9999-12-31T23:59:59Z`.
+
+- `signature_bits` `(int: 0)` - Specifies the number of bits to use in
+  the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384,
+  and 512 for SHA-2-512. Defaults to 0 to automatically detect based
+  on issuer's key length (SHA-2-256 for RSA keys, and matching the curve size
+  for NIST P-Curves).
+
+~> **Note**: ECDSA and Ed25519 issuers do not follow configuration of the
+   `signature_bits` value; only RSA issuers will change signature types
+   based on this parameter.
+
+- `skid` `(string: "")` - Value for the Subject Key Identifier field
+  (RFC 5280 Section 4.2.1.2). Specified as a string in hex format. Default
+  is empty, allowing Vault to automatically calculate the SKID according
+  to method one in the above RFC section.
+
+~> **Note**: This value should ONLY be used when cross-signing to mimic
+   the existing certificate's SKID value; this is necessary to allow
+   certain TLS implementations (such as OpenSSL) which use SKID/AKID
+   matches in chain building to restrict possible valid chains.
+
+- `use_pss` `(bool: false)` - Specifies whether or not to use PSS signatures
+  over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for
+  ECDSA/Ed25519 issuers.
+
+#### Sample payload
+
+```json
+{
+  "csr": "...",
+  "common_name": "example.com"
+}
+```
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/root/sign-intermediate
+```
+
+#### Sample response
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "expiration": "1654105687",
+    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
+    "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n",
+    "ca_chain": [
+      "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"
+    ],
+    "serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
+  },
+  "auth": null
+}
+```
+
+### Sign Intermediate with External Policy <EnterpriseAlert inline="true" />
+
+Similar to [sign intermediate](#sign-intermediate), this endpoint accepts a
+CSR and returns a certificate with appropriate values for acting as an
+intermediate CA via an external policy engine. Any parameters passed to this
+endpoint are passed verbatim to the Certificate Issuance External Policy Service
+(CIEPS)<EnterpriseAlert inline="true" />.
+The response format is the same between both endpoints.
+
+It is suggested to limit access to the path-overridden issue endpoint
+(on /pki/issuer/:issuer_ref/external-policy/issue/:policy) and let the CIEPS
+engine override the issuer as necessary.
+
+| Method | Path                                                                | Issuer                    |
+|--------|---------------------------------------------------------------------|---------------------------|
+| POST   | /pki/external-policy/sign-intermediate(/:policy)                    | default or CIEPS-selected |
+| POST   | /pki/issuer/:issuer_ref/external-policy/sign-intermediate(/:policy) | Path or CIEPS selected    |
+
+#### Parameters
+
+- `policy` `(string: <optional>)` - Specifies the name of the policy to create
+  the certificate against. This is part of the request URL and is passed to the
+  external CIEPS engine.
+
+- `issuer_ref` `(string: <required>)` - Reference to an existing issuer,
+  either by Vault-generated identifier, the literal string `default` to
+  refer to the currently configured default issuer, or the name assigned
+  to an issuer. This parameter is part of the request URL.
+
+~> Note: This parameter is not present on the `/pki/external-policy/sign-intermediate`
+path and takes its value from the CIEPS engine response's `issuer_ref`
+field, which can override the user-requested issuer.
+
+- `csr` `(string: <required>)` - Specifies the PEM-encoded CSR.
+
+- `format` `(string: "pem")` - Specifies the format for returned data. Can be
+  `pem`, `der`, or `pem_bundle`; defaults to `pem`. If `der`, the output is
+  base64 encoded. If `pem_bundle`, the `certificate` field will contain the
+  private key and certificate, concatenated; if the issuing CA is not a
+  Vault-derived self-signed root, this will be included as well.
+
+- `private_key_format` `(string: "pem")` - Specifies the format for marshaling
+  the private key within the private_key response field. Defaults to `der` which will
+  return either base64-encoded DER or PEM-encoded DER, depending on the value of
+  `format`. The other option is `pkcs8` which will return the key marshalled as
+  PEM-encoded PKCS8.
+
+~> **Note** that this does not apply to the private key within the certificate
+field if `format=pem_bundle` parameter is specified.
+
+Other parameters may be specified and will not be parsed by Vault but may be
+recognized based on external CIEPS engine definition.
+
+#### Sample payload
+
+```json
+{
+  "csr": "..."
+}
+```
+
+#### Sample response
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "expiration": "1654105687",
+    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
+    "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n",
+    "ca_chain": [
+      "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"
+    ],
+    "serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
+  },
+  "auth": null
+}
+```
+
+### Sign Self-Issued
+
+This endpoint uses the configured CA certificate to sign a self-issued
+certificate (which will usually be a self-signed certificate as well).
+
+~> **_This is an extremely privileged endpoint_**. The given certificate will be
+   signed as-is with only minimal validation performed (is it a CA cert, and is it
+   actually self-issued). The only values that will be changed will be the
+   authority key ID, the issuer DN, and, if set, any distribution points.<br /><br />
+   It is recommended to limit this endpoint to only trusted operators.
+
+This is generally only needed for root certificate rolling in cases where you
+don't want/can't get access to a CSR (such as if it's a root stored in Vault
+where the key is not exposed). If you don't know whether you need this
+endpoint, you most likely should be using a different endpoint (such as
+`sign-intermediate`).
+
+| Method | Path                                       | Issuer    | Requires `sudo` capability |
+| :----- | :----------------------------------------- | :-------- | :------------------------- |
+| `POST` | `/pki/root/sign-self-issued`               | `default` | yes                        |
+| `POST` | `/pki/issuer/:issuer_ref/sign-self-issued` | Selected  | no                         |
+
+#### Parameters
+
+- `issuer_ref` `(string: <required>)` - Reference to an existing issuer,
+  either by Vault-generated identifier, the literal string `default` to
+  refer to the currently configured default issuer, or the name assigned
+  to an issuer. This parameter is part of the request URL.
+
+~> Note: This parameter is not present on the `/pki/root/sign-self-issued`
+   path and takes the value `default`.
+
+- `certificate` `(string: <required>)` - Specifies the PEM-encoded self-issued certificate.
+
+- `require_matching_certificate_algorithms` `(bool: false)` - If true, requires
+that the public key algorithm of the CA match that of the submitted certificate.
+
+#### Sample payload
+
+```json
+{
+  "certificate": "..."
+}
+```
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/root/sign-self-issued
+```
+
+#### Sample response
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
+    "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"
+  },
+  "auth": null
+}
+```
+
+### Sign verbatim
+
+This endpoint signs a new certificate based upon the provided CSR. Values are
+taken verbatim from the CSR; the _only_ restriction is that this endpoint will
+refuse to issue an intermediate CA certificate (see the
+`/pki/root/sign-intermediate` endpoint for that functionality.)
+
+**This is a potentially dangerous endpoint and only highly trusted users should
+have access.**
+
+| Method | Path                                            | Issuer    |
+| :----- | :---------------------------------------------- | :-------- |
+| `POST` | `/pki/sign-verbatim(/:name)`                    | `default` |
+| `POST` | `/pki/issuer/:issuer_ref/sign-verbatim(/:name)` | Selected  |
+
+#### Parameters
+
+- `issuer_ref` `(string: <required>)` - Reference to an existing issuer,
+  either by Vault-generated identifier, the literal string `default` to
+  refer to the currently configured default issuer, or the name assigned
+  to an issuer. This parameter is part of the request URL.
+
+~> Note: This parameter is not present on the `/pki/root/sign-self-issued`
+   path and takes the value `default`.
+
+- `name` `(string: "")` - Specifies a role. If set, the following parameters
+  from the role will have effect: `ttl`, `max_ttl`, `generate_lease`, `no_store` and `not_before_duration`.
+
+- `csr` `(string: <required>)` - Specifies the PEM-encoded CSR.
+
+- `key_usage` `(list: ["DigitalSignature", "KeyAgreement", "KeyEncipherment"])` -
+  Specifies the default key usage constraint on the issued certificate. Valid
+  values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage - simply
+  drop the `KeyUsage` part of the value. Values are not case-sensitive. To
+  specify no default key usage constraints, set this to an empty list.
+
+~> Note: previous versions of this document incorrectly called this a constraint;
+   this value is only used as a default when the `KeyUsage` extension is missing
+   from the CSR.
+
+- `ext_key_usage` `(list: [])` -
+  Specifies the default extended key usage constraint on the issued certificate. Valid
+  values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage - simply
+  drop the `ExtKeyUsage` part of the value. Values are not case-sensitive. To
+  specify no key default usage constraints, set this to an empty list.
+
+~> Note: previous versions of this document incorrectly called this a constraint;
+   this value is only used as a default when the `ExtendedKeyUsage` extension is
+   missing from the CSR.
+
+- `ext_key_usage_oids` `(string: "")` - A comma-separated string or list of extended key usage oids.
+
+~> Note: This value is only used as a default when the `ExtendedKeyUsage`
+   extension is missing from the CSR.
+
+- `ttl` `(string: "")` - Specifies the requested Time To Live. Cannot be greater
+  than the engine's `max_ttl` value. If not provided, the engine's `ttl` value
+  will be used, which defaults to system values if not explicitly set. See
+  `not_after` as an alternative for setting an absolute end date (rather than
+  a relative one).
+
+- `format` `(string: "pem")` - Specifies the format for returned data. Can be
+  `pem`, `der`, or `pem_bundle`. If `der`, the output is base64 encoded. If
+  `pem_bundle`, the `certificate` field will contain the certificate and, if the
+  issuing CA is not a Vault-derived self-signed root, it will be concatenated
+  with the certificate.
+
+- `not_after` `(string)` - Set the Not After field of the certificate with
+  specified date value. The value format should be given in UTC format
+  `YYYY-MM-ddTHH:MM:SSZ`. Supports the Y10K end date for IEEE 802.1AR-2018
+  standard devices, `9999-12-31T23:59:59Z`.
+
+- `signature_bits` `(int: 0)` - Specifies the number of bits to use in
+  the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384,
+  and 512 for SHA-2-512. Defaults to 0 to automatically detect based
+  on issuer's key length (SHA-2-256 for RSA keys, and matching the curve size
+  for NIST P-Curves).
+
+~> **Note**: ECDSA and Ed25519 issuers do not follow configuration of the
+   `signature_bits` value; only RSA issuers will change signature types
+   based on this parameter.
+
+- `use_pss` `(bool: false)` - Specifies whether or not to use PSS signatures
+  over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for
+  ECDSA/Ed25519 issuers.
+
+- `remove_roots_from_chain` `(bool: false)` - If true, the returned `ca_chain`
+  field will not include any self-signed CA certificates. Useful if end-users
+  already have the root CA in their trust store.
+
+- `user_ids` `(string: "")` - Specifies the comma-separated list of requested
+  User ID (OID 0.9.2342.19200300.100.1.1) Subject values to be placed on the
+  signed certificate. No validation on names is performed using this endpoint.
+
+#### Sample payload
+
+```json
+{
+  "csr": "..."
+}
+```
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/sign-verbatim
+```
+
+#### Sample response
+
+```json
+{
+  "lease_id": "pki/sign-verbatim/7ad6cfa5-f04f-c62a-d477-f33210475d05",
+  "renewable": false,
+  "lease_duration": 21600,
+  "data": {
+    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
+    "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n",
+    "ca_chain": [
+      "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"
+    ],
+    "serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
+  },
+  "auth": null
+}
+```
+
+### Revoke certificate
+
+This endpoint revokes a certificate using its serial number. This is an
+alternative option to the standard method of revoking using Vault lease IDs. A
+successful revocation will rotate the CRL.
+
+~> **Note**: This operation is privileged as it allows revocation of arbitrary
+   certificates based purely on their serial number. It does not validate that
+   the requesting user issued the certificate or has possession of the private
+   key.<br /><br />
+   It is not possible to revoke issuers using this path.
+
+| Method | Path          |
+| :----- | :------------ |
+| `POST` | `/pki/revoke` |
+
+#### Parameters
+
+~> Note: either `serial_number` or `certificate` (but not both) must be
+   specified on requests to this endpoint.
+
+- `serial_number` `(string: <optional>)` - Specifies the serial number of the
+  certificate to revoke, in hyphen-separated or colon-separated hexadecimal.
+
+- `certificate` `(string: <optional>)` - Specifies the certificate to revoke,
+  in PEM format. This certificate must have been signed by one of the issuers
+  in this mount in order to be accepted for revocation.
+
+#### Sample payload
+
+```json
+{
+  "serial_number": "39:dd:2e..."
+}
+```
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/revoke
+```
+
+#### Sample response
+
+```json
+{
+  "data": {
+    "revocation_time": 1433269787
+  }
+}
+```
+
+### Revoke certificate with private key
+
+This endpoint revokes a certificate using its private key as proof that the
+request is authorized by an appropriate individual (Proof of Possession).
+
+This is an alternative option to the standard method of revoking using Vault
+lease IDs or revocation via serial number. A successful revocation will
+rotate the CRL.
+
+It is not possible to revoke issuers using this path.
+
+~> **Note**: This operation is **NOT** privileged, as it validates revocation
+   has a private key corresponding to a certificate signed by Vault. However,
+   to avoid third parties performing a denial-of-service (DOS) against Vault,
+   we've made this endpoint authenticated. Thus it is strongly encouraged to
+   generally allow all access to this path via ACLs.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `POST` | `/pki/revoke-with-key` |
+
+#### Parameters
+
+~> Note: either `serial_number` or `certificate` (but not both) must be
+   specified on requests to this endpoint.
+
+- `serial_number` `(string: <optional>)` - Specifies the serial number of the
+  certificate to revoke, in hyphen-separated or colon-separated hexadecimal.
+
+- `certificate` `(string: <optional>)` - Specifies the certificate to revoke,
+  in PEM format. This certificate must have been signed by one of the issuers
+  in this mount in order to be accepted for revocation.
+
+- `private_key` `(string: <required>)` - Specifies the private key (in PEM
+  format) corresponding to the certificate issued by Vault that is attempted
+  to be revoked. This endpoint must be called several times (with each unique
+  certificate/serial number) if this private key is used in multiple
+  certificates as Vault does not maintain such a mapping.
+
+#### Sample payload
+
+```json
+{
+  "serial_number": "39:dd:2e...",
+  "private_key": "-----BEGIN PRIVATE KEY-----\n..."
+}
+```
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/revoke-with-key
+```
+
+#### Sample response
+
+```json
+{
+  "data": {
+    "revocation_time": 1433269787
+  }
+}
+```
+
+
+### List revoked certificates
+
+This endpoint returns a list of serial numbers that have been revoked on the local cluster.
+
+| Method | Path              |
+|:-------|:------------------|
+| `LIST` | `/certs/revoked`  |
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/pki/certs/revoked
+```
+
+#### Sample response
+
+```json
+{
+  "data": {
+    "keys": [
+      "3d:80:91:c3:c2:34:3b:81:69:3d:92:a3:80:69:db:53:04:26:ab:b4"
+    ]
+  }
+}
+```
+
+### List revocation requests
+
+This endpoint returns a list of serial numbers that have been requested to
+be revoked on any cluster, along with information about the request's state
+and which cluster it originated on.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `LIST` | `/certs/revocation-queue` |
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/pki/certs/revocation-queue
+```
+
+#### Sample response
+
+```json
+{
+  "data": {
+    "key_info": {
+      "3d:80:91:c3:c2:34:3b:81:69:3d:92:a3:80:69:db:53:04:26:ab:b4": {
+        "requesting_cluster": "48327b28-8325-6d79-6a0b-4cbaa6f27b4a"
+      }
+    },
+    "keys": [
+      "3d:80:91:c3:c2:34:3b:81:69:3d:92:a3:80:69:db:53:04:26:ab:b4"
+    ]
+  }
+}
+```
+
+### List Cross-Cluster revocations
+
+This endpoint returns a list of serial numbers that have been revoked on any
+cluster, along with the clusters that have a copy of that revoked certificate.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `LIST` | `/certs/unified-revoked` |
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/pki/certs/unified-revoked
+```
+
+#### Sample response
+
+```json
+{
+  "data": {
+    "key_info": {
+      "7f:fd:12:5b:16:29:bb:28:ea:24:bc:a1:80:f7:4e:6e:a0:69:b9:95": {
+        "revoking_clusters": [
+          "48327b28-8325-6d79-6a0b-4cbaa6f27b4a"
+        ]
+      }
+    },
+    "keys": [
+      "7f:fd:12:5b:16:29:bb:28:ea:24:bc:a1:80:f7:4e:6e:a0:69:b9:95"
+    ]
+  }
+}
+```
+
+---
+
+## Accessing authority information
+
+All consumers of the PKI Secrets Engine mount point will have access to the
+following unauthenticated APIs, useful for reading information about the
+certificate authority in this mount point.
+
+This includes information about [CA certificates](#read-issuer-certificate),
+[their chains](#read-default-issuer-certificate-chain), and [their signed
+CRLs](#read-issuer-crl), containing an encoded list of revoked certificates
+previously issued by this authority. Individual issued [certificates can
+also be read](#read-certificate), assuming their serial number is known.
+Finally, the list of issuing certificates is public information in this
+mount.
+
+### List issuers
+
+This endpoint returns a list of issuers currently provisioned in this mount.
+The response includes both the issuer's identifier as well as the name chosen
+by the operators; either can be used to refer to the issuer later.
+
+This endpoint is unauthenticated.
+
+| Method | Path           |
+| :----- | :------------- |
+| `LIST` | `/pki/issuers` |
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --request LIST \
+    http://127.0.0.1:8200/v1/pki/issuers
+```
+
+#### Sample response
+
+```json
+{
+  "data": {
+    "key_info": {
+      "1ae8ce9d-2f70-0761-a465-8c9840a247a2": {
+        "issuer_name": "imported-root"
+      },
+      "3dc79a5a-7a6c-70e2-1123-94b88557ba12": {
+        "issuer_name": "root-x1"
+      }
+    },
+    "keys": [
+      "1ae8ce9d-2f70-0761-a465-8c9840a247a2",
+      "3dc79a5a-7a6c-70e2-1123-94b88557ba12"
+    ]
+  }
+}
+```
+
+<a name="read-ca-certificate"></a>
+
+### Read issuer certificate
+
+This endpoint retrieves the specified issuer's certificate.
+
+Note that the response differs between the older `/pki/cert/ca`
+path and the newer `/pki/issuer/:issuer_ref/json` path; the latter
+includes the full `ca_chain` of the issuer, removing the need for a separate
+endpoint.
+
+These are unauthenticated endpoints.
+
+~> Note: this endpoint accepts the `If-Modified-Since` header, to respond with
+   304 Not Modified when the requested resource has not changed. This header
+   needs to be allowed on the PKI mount by tuning the `passthrough_request_headers`
+   option. In order for clients to know the last modified time, the response
+   header `Last-Modified` needs to be added to the mount tunable
+   `allowed_response_headers`.
+
+| Method | Path                           | Issuer    | Format                                                                            |
+| :----- | :----------------------------- | :-------- |:----------------------------------------------------------------------------------|
+| `GET`  | `/pki/cert/ca`                 | `default` | JSON                                                                              |
+| `GET`  | `/pki/ca`                      | `default` | DER [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") |
+| `GET`  | `/pki/ca/pem`                  | `default` | PEM [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") |
+| `GET`  | `/pki/issuer/:issuer_ref/json` | Selected  | JSON                                                                              |
+| `GET`  | `/pki/issuer/:issuer_ref/der`  | Selected  | DER [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") |
+| `GET`  | `/pki/issuer/:issuer_ref/pem`  | Selected  | PEM [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") |
+
+#### Parameters
+
+- `issuer_ref` `(string: <required>)` - Reference to an existing issuer,
+  either by Vault-generated identifier, the literal string `default` to
+  refer to the currently configured default issuer, or the name assigned
+  to an issuer. This parameter is part of the request URL.
+
+~> Note: This parameter is not present on the `/pki/cert/ca` and
+   `/pki/ca(/pem)?` paths and takes the implicit value `default`.
+
+#### Sample request
+
+```shell-session
+$ curl \
+    http://127.0.0.1:8200/v1/pki/issuer/root-x1/json
+```
+
+#### Sample response
+
+```text
+{
+  "data": {
+    "ca_chain": [
+      "-----BEGIN CERTIFICATE-----\nMIIDFDCCAfygAwIBAgIUXgxy54mKooz5soqQoRINazH/3pQwDQYJKoZIhvcNAQEL\n...",
+      "-----BEGIN CERTIFICATE-----\nMIIDFTCCAf2gAwIBAgIUUo/qwLm5AyqUWqFHw1MlgwUtS/kwDQYJKoZIhvcNAQEL\n..."
+    ],
+    "certificate": "-----BEGIN CERTIFICATE-----\nnMIIDFDCCAfygAwIBAgIUXgxy54mKooz5soqQoRINazH/3pQwDQYJKoZIhvcNAQEL...",
+    "revocation_time": 0
+  }
+}
+```
+
+<a name="read-ca-certificate-chain"></a>
+
+### Read default issuer certificate chain
+
+This endpoint retrieves the default issuer's CA certificate chain, including
+the default issuer.
+
+To read [other issuers' chains](#read-issuer-certificate), use the
+`/pki/issuer/:issuer_ref/json` endpoint instead.
+
+These are unauthenticated endpoints.
+
+| Method | Path                 | Issuer    | Format                                                                            |
+| :----- | :------------------- | :-------- |:----------------------------------------------------------------------------------|
+| `GET`  | `/pki/ca_chain`      | `default` | PEM [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") |
+| `GET`  | `/pki/cert/ca_chain` | `default` | JSON                                                                              |
+
+~> **Note**: As of Vault 1.11.0, these endpoints now return the full chain
+   (including the default issuer's certificate and all parent issuers known
+   to Vault) in these responses.
+
+#### Sample request
+
+```shell-session
+$ curl \
+    http://127.0.0.1:8200/v1/pki/ca_chain
+```
+
+#### Sample response
+
+```text
+<PEM-encoded certificate chain>
+```
+
+<a name="read-crl"></a>
+
+### Read issuer CRL
+
+This endpoint retrieves the specified issuer's CRL.
+
+Note that the response differs between the older `/pki/cert/crl` path and
+the newer `/pki/issuer/:issuer_ref/crl` path; the latter correctly places the
+PEM-encoded CRL in the `crl` field whereas the former incorrectly places it
+in the `certificate` field.
+
+Endpoints with type `complete` are full CRLs containing all revoked
+certificates (as of the time of generation. Endpoints with type `delta`
+contain incremental CRLs on top of the last complete CRL, with any new
+certificates that have been revoked. See the [revocation configuration
+section](#set-crl-configuration) for more information about these options.
+The delta CRL clears when the next complete CRL is rebuilt. Consumers of
+delta CRLs will need to update their client to support fetching the
+corresponding full CRL when it has been regenerated; otherwise, some serial
+numbers may not appear in the local copy of the full CRL if the remote
+complete and delta CRLs has been regenerated.
+
+Endpoints with source `local` only include cluster-local revocations. When
+the `unified_crl` parameters is enabled in the [CRL
+configuration](#set-crl-configuration), endpoints with source `unified`
+will have revocations from all clusters. Generally use of the `unified`
+source is more consistent with expectations of external apps, but see
+the [PKI Considerations](/vault/docs/secrets/pki/considerations) page
+for a discussion on cluster size and unified CRLs/OCSP.
+
+<EnterpriseAlert product="vault">
+  Unified CRLs require a Vault Enterprise license or HCP Plus cluster.
+</EnterpriseAlert>
+
+These are unauthenticated endpoints.
+
+~> **Note**: As of Vault 1.11.0, these endpoints now serve a [version 2](https://datatracker.ietf.org/doc/html/rfc5280#section-5.1.2.1) CRL response.
+
+~> Note: this endpoint accepts the `If-Modified-Since` header, to respond with
+   304 Not Modified when the requested resource has not changed. This header
+   needs to be allowed on the PKI mount by tuning the `passthrough_request_headers`
+   option. In order for clients to know the last modified time, the response
+   header `Last-Modified` needs to be added to the mount tunable
+   `allowed_response_headers`.
+
+| Method | Path                                            | Issuer    | Format                                                                            | Type     | Source  |
+| :----- | :---------------------------------------------- | :-------- | :-------------------------------------------------------------------------------- | :------- | :------ |
+| `GET`  | `/pki/cert/crl`                                 | `default` | JSON                                                                              | Complete | Local   |
+| `GET`  | `/pki/crl`                                      | `default` | DER [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") | Complete | Local   |
+| `GET`  | `/pki/crl/pem`                                  | `default` | PEM [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") | Complete | Local   |
+| `GET`  | `/pki/cert/delta-crl`                           | `default` | JSON                                                                              | Delta    | Local   |
+| `GET`  | `/pki/crl/delta`                                | `default` | DER [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") | Delta    | Local   |
+| `GET`  | `/pki/crl/delta/pem`                            | `default` | PEM [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") | Delta    | Local   |
+| `GET`  | `/pki/issuer/:issuer_ref/crl`                   | Selected  | JSON                                                                              | Complete | Local   |
+| `GET`  | `/pki/issuer/:issuer_ref/crl/der`               | Selected  | DER [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") | Complete | Local   |
+| `GET`  | `/pki/issuer/:issuer_ref/crl/pem`               | Selected  | PEM [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") | Complete | Local   |
+| `GET`  | `/pki/issuer/:issuer_ref/crl/delta`             | Selected  | JSON                                                                              | Delta    | Local   |
+| `GET`  | `/pki/issuer/:issuer_ref/crl/delta/der`         | Selected  | DER [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") | Delta    | Local   |
+| `GET`  | `/pki/issuer/:issuer_ref/crl/delta/pem`         | Selected  | PEM [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") | Delta    | Local   |
+| `GET`  | `/pki/cert/unified-crl`                         | `default` | JSON                                                                              | Complete | Unified |
+| `GET`  | `/pki/unified-crl`                              | `default` | DER [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") | Complete | Unified |
+| `GET`  | `/pki/unified-crl/pem`                          | `default` | PEM [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") | Complete | Unified |
+| `GET`  | `/pki/cert/unified-delta-crl`                   | `default` | JSON                                                                              | Delta    | Unified |
+| `GET`  | `/pki/unified-crl/delta`                        | `default` | DER [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") | Delta    | Unified |
+| `GET`  | `/pki/unified-crl/delta/pem`                    | `default` | PEM [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") | Delta    | Unified |
+| `GET`  | `/pki/issuer/:issuer_ref/unified-crl`           | Selected  | JSON                                                                              | Complete | Unified |
+| `GET`  | `/pki/issuer/:issuer_ref/unified-crl/der`       | Selected  | DER [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") | Complete | Unified |
+| `GET`  | `/pki/issuer/:issuer_ref/unified-crl/pem`       | Selected  | PEM [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") | Complete | Unified |
+| `GET`  | `/pki/issuer/:issuer_ref/unified-crl/delta`     | Selected  | JSON                                                                              | Delta    | Unified |
+| `GET`  | `/pki/issuer/:issuer_ref/unified-crl/delta/der` | Selected  | DER [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") | Delta    | Unified |
+| `GET`  | `/pki/issuer/:issuer_ref/unified-crl/delta/pem` | Selected  | PEM [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") | Delta    | Unified |
+
+#### Parameters
+
+- `issuer_ref` `(string: <required>)` - Reference to an existing issuer,
+  either by Vault-generated identifier, the literal string `default` to
+  refer to the currently configured default issuer, or the name assigned
+  to an issuer. This parameter is part of the request URL.
+
+~> Note: This parameter is not present on the `/pki/cert/crl` and
+   `/pki/crl(/pem)?` paths and takes the implicit value `default`.
+
+#### Sample request
+
+```shell-session
+$ curl \
+    http://127.0.0.1:8200/v1/pki/issuer/root-x1/crl
+```
+
+#### Sample response
+
+```json
+{
+  "data": {
+    "crl": "-----BEGIN X509 CRL-----\nMIIBizB1AgEBMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNVBAMTB3Jvb3QgeDEXDTIy\n..."
+  }
+}
+```
+
+### OCSP request
+
+This endpoint retrieves an OCSP response (revocation status) for a given serial number. The request/response formats are
+based on [RFC 6960](https://datatracker.ietf.org/doc/html/rfc6960)
+
+Endpoints with source `local` only include cluster-local revocations. When
+the `unified_crl` parameters is enabled in the [CRL
+configuration](#set-crl-configuration), endpoints with source `unified`
+will have revocations from all clusters. Generally use of the `unified`
+source is more consistent with expectations of external apps, but see
+the [PKI Considerations](/vault/docs/secrets/pki/considerations) page
+for a discussion on cluster size and unified CRLs/OCSP.
+
+<EnterpriseAlert product="vault">
+  Unified OCSP requires a Vault Enterprise license or HCP Plus cluster.
+</EnterpriseAlert>
+
+At this time there are certain limitations of the OCSP implementation at this path:
+
+ 1. Only a single serial number within the request will appear in the response,
+ 1. None of the extensions defined in the RFC are supported for requests or responses,
+ 1. Ed25519 backed CA's are not supported for OCSP requests,
+ 1. Note that this API will not work with the Vault client as both request and responses are DER encoded, and
+ 1. Note that KMS based issuers which require PSS support are not supported either (such as PKCS#11 HSMs or GCP in certain scenarios).
+
+These are unauthenticated endpoints.
+
+| Method | Path                                                       | Response Format                                                                   | Source  |
+| :----- | :--------------------------------------------------------- | :-------------------------------------------------------------------------------- | :------ |
+| `GET`  | `/pki/ocsp/<base 64+URL encoded ocsp DER request>`         | DER [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") | Local   |
+| `POST` | `/pki/ocsp`                                                | DER [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") | Local   |
+| `GET`  | `/pki/unified-ocsp/<base 64+URL encoded ocsp DER request>` | DER [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") | Unified |
+| `POST` | `/pki/unified-ocsp`                                        | DER [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") | Unified |
+
+#### Parameters
+
+ - None
+
+#### Sample request
+
+```shell-session
+openssl ocsp -no_nonce -issuer issuer.pem -CAfile ca_chain.pem -cert cert-to-revoke.pem -text -url $VAULT_ADDR/v1/pki/ocsp
+```
+
+### List certificates
+
+This endpoint returns a list of the current certificates by serial number only.
+The response does not include the [special serial numbers](#read-certificate-serial-param-values)
+(`ca`, `ca_chain`, and `crl`) that can be used with `/pki/cert/:serial`.
+
+This includes only certificates issued by this mount with `no_store=false`.
+While root generation does create entries here, importing certificates
+(including both roots and intermediates) will not cause the imported
+certificate's serial number to appear in this list.
+
+~> Note: The endpoint to list all certificates is authenticated. This is to
+   prevent automated enumeration of issued certificates for internal services;
+   however, this information should generally be considered non-sensitive and
+   the certificates themselves are exposed without authentication (provided
+   their serial number is known).<br /><br />
+   Many Public CAs participate in the Certificate Transparency initiative,
+   where all issued certificates are publicly disclosed in the interest
+   of third-party verification of CA integrity.
+
+| Method | Path         |
+| :----- | :----------- |
+| `LIST` | `/pki/certs` |
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/pki/certs
+```
+
+#### Sample response
+
+```json
+{
+  "data": {
+    "keys": [
+      "17:67:16:b0:b9:45:58:c0:3a:29:e3:cb:d6:98:33:7a:a6:3b:66:c1",
+      "26:0f:76:93:73:cb:3f:a0:7a:ff:97:85:42:48:3a:aa:e5:96:03:21"
+    ]
+  }
+}
+```
+
+<a name="read-raw-certificate"></a>
+
+### Read certificate
+
+This endpoint retrieves the certificate specified by its serial number,
+including issued certificates.
+
+~> Note: With the exception of the special values (`ca`, `crl`, and
+   `ca_chain`), `/pki/cert/:serial` will return different results on
+   different clusters. This is because stored certificates are not
+   replicated across different Performance Replication clusters.
+
+These are unauthenticated endpoints.
+
+| Method | Path                        | Format                                                                            |
+| :----- | :-------------------------- |:----------------------------------------------------------------------------------|
+| `GET`  | `/pki/cert/:serial`         | JSON                                                                              |
+| `GET`  | `/pki/cert/:serial/raw`     | DER [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") |
+| `GET`  | `/pki/cert/:serial/raw/pem` | PEM [\[1\]](#vault-cli-with-der-pem-responses "Vault CLI With DER/PEM Responses") |
+
+#### Parameters
+
+- `serial` `(string: <required>)` - Specifies the serial of the key to read.
+  This is part of the request URL. Valid values for `serial` are:
+
+<a name="read-certificate-serial-param-values"></a>
+
+  - `<serial>` for the certificate with the given serial number, in hyphen-separated or colon-separated hexadecimal.
+  - `ca` for the _default_ issuer's CA certificate
+  - `crl` for the _default_ issuer's CRL
+  - `ca_chain` for the _default_ issuer's CA trust chain.
+
+~> **Note**: As of Vault 1.11.0, these endpoints return the full chain
+   (including this certificate and all parent issuers known to Vault) in
+   the `ca_chain` response, for both the `certificate` and newer `ca_chain`
+   fields. The root certificate is no longer elided.
+
+#### Sample request
+
+```shell-session
+$ curl \
+    http://127.0.0.1:8200/v1/pki/cert/67:b4:f7:2c:aa:ef:b9:30:f6:ae:f5:12:21:79:ac:08:8a:86:89:72
+```
+
+#### Sample response
+
+```json
+{
+  "data": {
+    "certificate": "-----BEGIN CERTIFICATE-----\nMIIGmDCCBYCgAwIBAgIHBzEB3fTzhTANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UE\n...",
+    "revocation_time": 1667400107,
+    "revocation_time_rfc3339": "2022-11-02T14:41:47.327515Z",
+    "issuer_id": "e27bf456-51e1-d937-0001-4a609184fd9b"
+  }
+}
+```
+
+---
+
+## Managing keys and issuers
+
+The following endpoints are highly privileged and allow operators to generate
+or import new issuer certificates and keys, remove existing keys and issuers,
+or read internal information about keys and issuers.
+
+### List issuers
+
+Refer to the [earlier section](#list-issuers) for more information about
+listing issuers.
+
+### List keys
+
+This endpoint returns a list of keys currently provisioned in this mount.
+The response includes both the key's identifier as well as the name chosen
+by the operators; either can be used to refer to the key later.
+
+This endpoint is authenticated.
+
+| Method | Path         |
+| :----- | :----------- |
+| `LIST` | `/pki/keys`  |
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/pki/keys
+```
+
+#### Sample response
+
+```json
+{
+  "data": {
+    "key_info": {
+      "f9244f54-adc7-4a5c-6b08-6ca3a3325620": {
+        "key_name": "imported-root-key"
+      },
+    },
+    "keys": [
+      "f9244f54-adc7-4a5c-6b08-6ca3a3325620",
+    ]
+  }
+}
+```
+
+### Generate key
+
+This endpoint generates a new private key for use in the PKI mount. This key
+can be used with either the [root](#generate-root) or [intermediate](#generate-intermediate-csr)
+endpoints, using the `type=existing` variant.
+
+If the path ends with `exported`, the private key will be returned in the
+response; if it is `internal` the private key will not be returned and _cannot
+be retrieved later_; if it is `kms`, a [managed keys](#managed-keys) will be
+used.
+
+| Method | Path                               |
+| :----- | :--------------------------------- |
+| `POST` | `/pki/keys/generate/:type`         |
+
+#### Parameters
+
+- `type` `(string: <required>)` - Specifies the type of the key to
+  create. If `exported`, the private key will be returned in the response; if
+  `internal` the private key will not be returned and _cannot be retrieved
+  later_; `kms` is also supported: [see below for more details about managed
+  keys](#managed-keys). This parameter is part of the request URL.
+
+- `key_name` `(string: "")` - When a new key is created with this request,
+  optionally specifies the name for this. The global ref `default` may not
+  be used as a name.
+
+- `key_type` `(string: "rsa")` - Specifies the desired key type; must be `rsa`, `ed25519`
+  or `ec`.
+
+~> **Note**: In FIPS 140-2 mode, the following algorithms are not certified
+   and thus should not be used: `ed25519`.
+
+- `key_bits` `(int: 0)` - Specifies the number of bits to use for the
+  generated keys. Allowed values are 0 (universal default); with
+  `key_type=rsa`, allowed values are: 2048 (default), 3072, 4096 or 8192;
+  with `key_type=ec`, allowed values are: 224, 256 (default),
+  384, or 521; ignored with `key_type=ed25519`.
+
+#### Managed keys parameters
+
+See [Managed Keys](#managed-keys) for additional details on this feature, if
+`type` was set to `kms`. One of the following parameters must be set
+
+- `managed_key_name` `(string: "")` - The managed key's configured name.
+
+- `managed_key_id` `(string: "")` - The managed key's UUID.
+
+#### Sample payload
+
+```json
+{
+  "key_type": "ec",
+  "key_bits": "256",
+  "key_name": "root-key-2022"
+}
+```
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/keys/generate/internal
+```
+
+#### Sample response
+
+```json
+{
+  "request_id": "8ad22b2f-7d14-f2cd-a10a-d1abc33676ab",
+  "lease_id": "",
+  "lease_duration": 0,
+  "renewable": false,
+  "data": {
+    "key_id": "adda2443-a8aa-d181-9d07-07c7be6a76ab",
+    "key_name": "root-key-2022",
+    "key_type": "ec"
+  },
+  "warnings": null
+}
+```
+
+### Generate root
+
+This endpoint generates a new self-signed CA certificate and private key. If
+the path ends with `exported`, the private key will be returned in the
+response; if it is `internal` the private key will not be returned and _cannot
+be retrieved later_; if it is `existing`, the key specified by `key_ref` will
+be reused for this root; if it is `kms`, a [managed keys](#managed-keys) will
+be used.
+
+This generated root will sign its own CRL. Authority Access distribution points
+use the values set via `config/urls`.
+
+~> **Note**: As of Vault 1.11.0, the PKI Secrets Engine now supports multiple
+   issuers under a single mount. Use the management operations in this section
+   to [list](#list-issuers) and [modify issuers](#update-issuer) within this
+   mount. No issuers will be overridden by calling this operation. Deleting
+   individual keys and issuers should be preferred to calling `DELETE /pki/root`,
+   [which deletes everything](#delete-all-issuers-and-keys).
+
+| Method | Path                               |
+| :----- | :--------------------------------- |
+| `POST` | `/pki/root/generate/:type`         |
+| `POST` | `/pki/issuers/generate/root/:type` |
+| `POST` | `/pki/root/rotate/:type`           |
+
+#### Parameters
+
+- `type` `(string: <required>)` - Specifies the type of the root to
+  create. If `exported`, the private key will be returned in the response; if
+  `internal` the private key will not be returned and _cannot be retrieved
+  later_; if `existing`, we use the value of the `key_ref` parameter to find
+  existing key material to create the CSR; `kms` is also supported: [see below
+  for more details about managed keys](#managed-keys). This parameter is part
+  of the request URL.
+
+- `issuer_name` `(string: "")` - Provides a name to the specified issuer. The
+  name must be unique across all issuers and not be the reserved value
+  `default`. When no value is supplied and the path is `/pki/root/rotate/:type`,
+  the default value of `"next"` will be used.
+
+- `key_name` `(string: "")` - When a new key is created with this request,
+  optionally specifies the name for this. The global ref `default` may not
+  be used as a name.
+
+- `key_ref` `(string: "default")` - Specifies the key (either `default`, by
+  name, or by identifier) to use for generating this request. Only suitable
+  for `type=existing` requests.
+
+- `common_name` `(string: <required>)` - Specifies the requested CN for the
+  certificate. If more than one `common_name` is desired, specify the
+  alternative names in the `alt_names` list.
+
+- `alt_names` `(string: "")` - Specifies the requested Subject Alternative
+  Names, in a comma-delimited list. These can be host names or email addresses;
+  they will be parsed into their respective fields.
+
+- `ip_sans` `(string: "")` - Specifies the requested IP Subject Alternative
+  Names, in a comma-delimited list.
+
+- `uri_sans` `(string: "")` - Specifies the requested URI Subject Alternative
+  Names, in a comma-delimited list.
+
+- `other_sans` `(string: "")` - Specifies custom OID/UTF8-string SANs. These
+  must match values specified on the role in `allowed_other_sans` (see role
+  creation for allowed_other_sans globbing rules).
+  The format is the same as OpenSSL: `<oid>;<type>:<value>` where the
+  only current valid type is `UTF8`. This can be a comma-delimited list or a
+  JSON string slice.
+
+- `ttl` `(string: "")` - Specifies the requested Time To Live (after which the
+  certificate will be expired). This cannot be larger than the engine's max (or,
+  if not set, the system max). See `not_after` as an alternative for setting an
+  absolute end date (rather than a relative one).
+
+- `format` `(string: "pem")` - Specifies the format for returned data. Can be
+  `pem`, `der`, or `pem_bundle`. If `der`, the output is base64 encoded. If
+  `pem_bundle`, the `certificate` field will contain the private key (if
+  exported) and certificate, concatenated; if the issuing CA is not a
+  Vault-derived self-signed root, this will be included as well.
+
+- `private_key_format` `(string: "der")` - Specifies the format for marshaling
+  the private key within the private_key response field. Defaults to `der` which will
+  return either base64-encoded DER or PEM-encoded DER, depending on the value of
+  `format`. The other option is `pkcs8` which will return the key marshalled as
+  PEM-encoded PKCS8.
+
+~> **Note** that this does not apply to the private key within the certificate
+  field if `format=pem_bundle` parameter is specified.
+
+- `key_type` `(string: "rsa")` - Specifies the desired key type; must be `rsa`, `ed25519`
+  or `ec`.
+
+~> **Note**: In FIPS 140-2 mode, the following algorithms are not certified
+   and thus should not be used: `ed25519`.
+
+- `key_bits` `(int: 0)` - Specifies the number of bits to use for the
+  generated keys. Allowed values are 0 (universal default); with
+  `key_type=rsa`, allowed values are: 2048 (default), 3072, 4096 or 8192;
+  with `key_type=ec`, allowed values are: 224, 256 (default),
+  384, or 521; ignored with `key_type=ed25519`.
+
+- `max_path_length` `(int: -1)` - Specifies the maximum path length to encode in
+  the generated certificate. `-1` means no limit. Unless the signing certificate
+  has a maximum path length set, in which case the path length is set to one
+  less than that of the signing certificate. A limit of `0` means a literal
+  path length of zero.
+
+- `exclude_cn_from_sans` `(bool: false)` - If true, the given `common_name` will
+  not be included in DNS or Email Subject Alternate Names (as appropriate).
+  Useful if the CN is not a hostname or email address, but is instead some
+  human-readable identifier.
+
+- `permitted_dns_domains` `(string: "")` - A comma separated string (or, string
+  array) containing DNS domains for which certificates are allowed to be issued
+  or signed by this CA certificate. Note that subdomains are allowed, as per
+  [RFC 5280 Section 4.2.1.10 - Name
+  Constraints](https://tools.ietf.org/html/rfc5280#section-4.2.1.10).
+
+- `ou` `(string: "")` - Specifies the OU (OrganizationalUnit) values in the
+  subject field of the resulting certificate. This is a comma-separated string
+  or JSON array.
+
+- `organization` `(string: "")` - Specifies the O (Organization) values in the
+  subject field of the resulting certificate. This is a comma-separated string
+  or JSON array.
+
+- `country` `(string: "")` - Specifies the C (Country) values in the subject
+  field of the resulting certificate. This is a comma-separated string or JSON
+  array.
+
+- `locality` `(string: "")` - Specifies the L (Locality) values in the subject
+  field of the resulting certificate. This is a comma-separated string or JSON
+  array.
+
+- `province` `(string: "")` - Specifies the ST (Province) values in the subject
+  field of the resulting certificate. This is a comma-separated string or JSON
+  array.
+
+- `street_address` `(string: "")` - Specifies the Street Address values in the
+  subject field of the resulting certificate. This is a comma-separated string
+  or JSON array.
+
+- `postal_code` `(string: "")` - Specifies the Postal Code values in the
+  subject field of the resulting certificate. This is a comma-separated string
+  or JSON array.
+
+- `serial_number` `(string: "")` -  - Specifies the default Subject's named
+  [Serial Number](https://datatracker.ietf.org/doc/html/rfc4519#section-2.31)
+  value, if any. If you want more than one, specify alternative names in the
+  `alt_names` map using OID 2.5.4.5. Note that this has no impact on the
+  Certificate's serial number field, which Vault randomly generates.
+
+- `not_before_duration` `(duration: "30s")` - Specifies the duration by which to
+  backdate the NotBefore property. This value has no impact in the validity period
+  of the requested certificate, specified in the `ttl` field.
+  Uses [duration format strings](/vault/docs/concepts/duration-format).
+
+- `not_after` `(string)` - Set the Not After field of the certificate with
+  specified date value. The value format should be given in UTC format
+  `YYYY-MM-ddTHH:MM:SSZ`. Supports the Y10K end date for IEEE 802.1AR-2018
+  standard devices, `9999-12-31T23:59:59Z`.
+
+* ~> Note: Keys of type `rsa` currently only support PKCS#1 v1.5 signatures.
+
+#### Managed keys parameters
+
+See [Managed Keys](#managed-keys) for additional details on this feature, if
+`type` was set to `kms`. One of the following parameters must be set
+
+- `managed_key_name` `(string: "")` - The managed key's configured name.
+
+- `managed_key_id` `(string: "")` - The managed key's UUID.
+
+#### Sample payload
+
+```json
+{
+  "common_name": "example.com"
+}
+```
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/root/generate/internal
+```
+
+#### Sample response
+
+```json
+{
+  "lease_id": "",
+  "lease_duration": 0,
+  "renewable": false,
+  "data": {
+    "expiration": "1654105687",
+    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
+    "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
+    "serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58",
+    "issuer_id": "7b493f17-6c08-ff73-cf1a-99bfcc448a73",
+    "issuer_name": "",
+    "key_id": "22b82e37-529d-7251-7d78-3862bfd069ac",
+    "key_name": ""
+  },
+  "auth": null
+}
+```
+
+<a name="generate-intermediate"></a>
+
+### Generate intermediate CSR
+
+This endpoint returns a new CSR for signing, optionally generating a new private
+key. If using Vault as a root (and, like many other CAs), the various parameters
+on the final signed certificate are set at signing time and _may or may not honor
+the parameters set here_ (and transmitted in the returned CSR).
+
+Note that this API supports [Managed Keys](/vault/docs/enterprise/managed-keys);
+additional details are available [below in a dedicated section](#managed-keys).
+
+The parameters below are mostly meant as a helper function; not all possible
+parameters that can be set in a CSR are supported in this request.
+
+No new issuer is yet created by this call; note that a new key may be
+generated depending on the `type` request parameter.
+
+~> **Note**: In order to complete the intermediate generation, the CSR must be
+   signed and the resulting certificate imported. This may involve working with
+   external systems (such as an external or offline root CA) to transmit the
+   CSR and complete the signing before the signed intermediate certificate is
+   [imported](#import-ca-certificate-and-keys) into this mount.
+
+| Method | Path                                       | Private key source (`type`) |
+| :----- |:-------------------------------------------| :-------------------------- |
+| `POST` | `/pki/intermediate/generate/:type`         | specified per request       |
+| `POST` | `/pki/issuers/generate/intermediate/:type` | specified per request       |
+| `POST` | `/pki/intermediate/cross-sign`             | `existing`                  |
+
+#### Parameters
+
+- `type` `(string: <required>)` - Specifies the type of the intermediate to
+  create. If `exported`, the private key will be returned in the response; if
+  `internal` the private key will not be returned and _cannot be retrieved
+  later_; if `existing`, we expect the `key_ref` parameter to use existing
+  key material to create the CSR; `kms` is also supported: [see below for more
+  details](#managed-keys). This parameter is part of the request URL.
+
+- `common_name` `(string: <required>)` - Specifies the requested CN for the
+  certificate. If more than one `common_name` is desired, specify the
+  alternative names in the `alt_names` list.
+
+- `alt_names` `(string: "")` - Specifies the requested Subject Alternative
+  Names, in a comma-delimited list. These can be host names or email addresses;
+  they will be parsed into their respective fields.
+
+- `ip_sans` `(string: "")` - Specifies the requested IP Subject Alternative
+  Names, in a comma-delimited list.
+
+- `uri_sans` `(string: "")` - Specifies the requested URI Subject Alternative
+  Names, in a comma-delimited list.
+
+- `other_sans` `(string: "")` - Specifies custom OID/UTF8-string SANs. These
+  must match values specified on the role in `allowed_other_sans` (see role
+  creation for allowed_other_sans globbing rules).
+  The format is the same as OpenSSL: `<oid>;<type>:<value>` where the
+  only current valid type is `UTF8`. This can be a comma-delimited list or a
+  JSON string slice.
+
+- `format` `(string: "pem")` - Specifies the format for returned data. This can be
+  `pem`, `der`, or `pem_bundle`; defaults to `pem`. If `der`, the output is
+  base64 encoded. If `pem_bundle`, the `csr` field will contain the private key
+  (if exported) and CSR, concatenated.
+
+- `private_key_format` `(string: "der")` - Specifies the format for marshaling
+  the private key within the private_key response field. Defaults to `der` which will
+  return either base64-encoded DER or PEM-encoded DER, depending on the value of
+  `format`. The other option is `pkcs8` which will return the key marshalled as
+  PEM-encoded PKCS8.
+
+~> **Note** that this does not apply to the private key within the certificate
+  field if `format=pem_bundle` parameter is specified.
+
+- `key_type` `(string: "rsa")` - Specifies the desired key type; must be `rsa`, `ed25519`
+  or `ec`. Not suitable for `type=existing` requests.
+
+~> **Note**: In FIPS 140-2 mode, the following algorithms are not certified
+   and thus should not be used: `ed25519`.
+
+~> **Note**: Keys of type `rsa` currently only support PKCS#1 v1.5 signatures.
+   This includes any managed keys.
+
+- `key_bits` `(int: 0)` - Specifies the number of bits to use for the
+  generated keys. Allowed values are 0 (universal default); with
+  `key_type=rsa`, allowed values are: 2048 (default), 3072, 4096, or 8192;
+  with `key_type=ec`, allowed values are: 224, 256 (default),
+  384, or 521; ignored with `key_type=ed25519`. Not suitable for
+  `type=existing` requests.
+
+- `key_name` `(string: "")` - When a new key is created with this request,
+  optionally specifies the name for this. The global ref `default` may not
+  be used as a name.
+
+- `key_ref` `(string: "default")` - Specifies the key (either `default`, by
+  name, or by identifier) to use for generating this request. Only suitable
+  for `type=existing` requests.
+
+- `signature_bits` `(int: 0)` - Specifies the number of bits to use in
+  the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384,
+  and 512 for SHA-2-512. Defaults to 0 to automatically detect based
+  on issuer's key length (SHA-2-256 for RSA keys, and matching the curve size
+  for NIST P-Curves).
+
+~> **Note**: ECDSA and Ed25519 issuers do not follow configuration of the
+`signature_bits` value; only RSA issuers will change signature types
+based on this parameter.
+
+- `exclude_cn_from_sans` `(bool: false)` - If true, the given `common_name` will
+  not be included in DNS or Email Subject Alternate Names (as appropriate).
+  Useful if the CN is not a hostname or email address, but is instead some
+  human-readable identifier.
+
+- `ou` `(string: "")` - Specifies the OU (OrganizationalUnit) values in the
+  subject field of the resulting CSR. This is a comma-separated string
+  or JSON array.
+
+- `organization` `(string: "")` - Specifies the O (Organization) values in the
+  subject field of the resulting CSR. This is a comma-separated string
+  or JSON array.
+
+- `country` `(string: "")` - Specifies the C (Country) values in the subject
+  field of the resulting CSR. This is a comma-separated string or JSON
+  array.
+
+- `locality` `(string: "")` - Specifies the L (Locality) values in the subject
+  field of the resulting CSR. This is a comma-separated string or JSON
+  array.
+
+- `province` `(string: "")` - Specifies the ST (Province) values in the subject
+  field of the resulting CSR. This is a comma-separated string or JSON
+  array.
+
+- `street_address` `(string: "")` - Specifies the Street Address values in the
+  subject field of the resulting CSR. This is a comma-separated string
+  or JSON array.
+
+- `postal_code` `(string: "")` - Specifies the Postal Code values in the
+  subject field of the resulting CSR. This is a comma-separated string
+  or JSON array.
+
+- `serial_number` `(string: "")` - Specifies the requested Subject's named
+  [Serial Number](https://datatracker.ietf.org/doc/html/rfc4519#section-2.31)
+  value, if any. If you want more than one, specify alternative names in the
+  `alt_names` map using OID 2.5.4.5. Note that this has no impact on the
+  Certificate's serial number field, which Vault randomly generates.
+
+- `add_basic_constraints` `(bool: false)` - Whether to add a Basic Constraints
+  extension with CA: true. Only needed as a workaround in some compatibility
+  scenarios with Active Directory Certificate Services.
+
+#### Managed keys parameters
+
+See [Managed Keys](#managed-keys) for additional details on this feature, if
+`type` was set to `kms`. One of the following parameters must be set
+
+- `managed_key_name` `(string: "")` - The managed key's configured name.
+
+- `managed_key_id` `(string: "")` - The managed key's UUID.
+
+#### Sample payload
+
+```json
+{
+  "common_name": "www.example.com"
+}
+```
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/intermediate/generate/exported
+```
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE REQUEST-----\n",
+    "private_key": "-----BEGIN RSA PRIVATE KEY-----\\nMIIEpAIBAAKCAQEAwsANtGz9gS3o5SwTSlOG1l-----END RSA PRIVATE KEY-----",
+    "private_key_type": "rsa"
+  },
+  "warnings": null,
+  "auth": null
+}
+```
+
+
+<a name="submit-ca-information"></a>
+<a name="set-signed-intermediate"></a>
+
+### Import CA certificates and keys
+
+This endpoint allows submitting (importing) the CA information for the backend
+via a PEM file containing the CA certificate and any private keys, concatenated
+together, in any order.
+
+Each certificate will be validated to ensure it is a valid CA (has an asserted
+isCA basic constraint); non-CA certs will err. Any provided CRLs will be
+ignored. Each unique certificate and private key will be imported as its own
+issuer or key entry; duplicates (including with existing keys) will be ignored.
+
+The response will indicate what issuers and keys were created as part of this
+request (in the `imported_issuers` and `imported_keys`), along with a `mapping`
+field, indicating which keys belong to which issuers (including from already
+imported entries present in the same bundle). In Vault 1.14.0, the response
+also contains an `existing_issuers` and `existing_keys` fields, which specifies
+the issuer and key IDs of any entries in the bundle that already
+existed within this mount.
+
+| Method | Path                           | Allows private keys | Request Parameter |
+| :----- | :----------------------------- | :------------------ | :---------------- |
+| `POST` | `/pki/config/ca`               | yes                 | `pem_bundle`      |
+| `POST` | `/pki/issuers/import/bundle`   | yes                 | `pem_bundle`      |
+| `POST` | `/pki/issuers/import/cert`     | no                  | `pem_bundle`      |
+| `POST` | `/pki/intermediate/set-signed` | no                  | `certificate`     |
+
+~> **Note**: endpoints which allow importing private keys _should_ be considered
+   highly privileged and restricted appropriately. Endpoints which allow
+   importing issuers should also be restricted, but note that issuers without
+   keys are unable to issue certificates or CRLs.
+
+~> Note: Vault will deduplicate differently-encoded but same-valued keys and
+   issuers. This means the returned certificate _may_ differ in encoding from
+   the one provided on subsequent re-imports of the same issuer or key.
+
+~> Note: This import may fail due to CRL rebuilding issues or other potential
+   issues; this may impact long-term use of these issuers, but some issuers or
+   keys may still be imported as a result of this process.
+
+~> Warning: See the [note](/vault/docs/secrets/pki/considerations#issuer-subjects-and-crls)
+   regarding Subject naming on externally created CA certificates and
+   shortcomings with CRL building.
+
+#### Parameters
+
+- `pem_bundle` `(string: <required>)` - Specifies the unencrypted private key
+  and certificate, concatenated in PEM format.
+
+~> Note: this parameter is on the `/pki/config/ca` and `/pki/issuers/import/*`
+   paths; it is not on the `/pki/intermediate/set-signed` path.
+
+- `certificate` `(string: <required>)` - Specifies the certificates to import,
+  concatenated in PEM format.
+
+~> Note: this parameter is **only** on the `/pki/intermediate/set-signed` path.
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data "@payload.json" \
+    http://127.0.0.1:8200/v1/pki/config/ca
+```
+
+Note that if you provide the data through the HTTP API, it must be
+JSON-formatted, with newlines replaced with `\n`, like so:
+
+```json
+{
+  "pem_bundle": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END CERTIFICATE-----"
+}
+```
+
+#### Sample response
+
+```json
+{
+  "data": {
+    "imported_issuers": ["1ae8ce9d-2f70-0761-a465-8c9840a247a2"],
+    "imported_keys": ["97be2525-717a-e2f7-88da-0a20e11aad88"],
+    "mapping": {
+      "1ae8ce9d-2f70-0761-a465-8c9840a247a2": "97be2525-717a-e2f7-88da-0a20e11aad88"
+    },
+    "existing_issuers": [],
+    "existing_keys": []
+  }
+}
+```
+
+### Read issuer
+
+This endpoint allows an operator to fetch a single issuer certificate and its
+chain, including internal information not exposed on the [unauthenticated
+`/pki/issuer/:issuer_ref/json`](#read-issuer-certificate) endpoint. This
+includes information about the name, the key material, if an explicitly
+constructed chain has been set, what the behavior is for signing longer TTL'd
+certificates, and what usage modes are set on this issuer.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `GET`  | `/pki/issuer/:issuer_ref` |
+
+#### Parameters
+
+- `issuer_ref` `(string: <required>)` - Reference to an existing issuer,
+  either by Vault-generated identifier, the literal string `default` to
+  refer to the currently configured default issuer, or the name assigned
+  to an issuer. This parameter is part of the request URL.
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/pki/issuer/default
+```
+
+#### Sample response
+
+```text
+{
+  "data": {
+    "ca_chain": [
+      "-----BEGIN CERTIFICATE-----\nMIIDFDCCAfygAwIBAgIUXgxy54mKooz5soqQoRINazH/3pQwDQYJKoZIhvcNAQEL\n...",
+      "-----BEGIN CERTIFICATE-----\nMIIDFTCCAf2gAwIBAgIUUo/qwLm5AyqUWqFHw1MlgwUtS/kwDQYJKoZIhvcNAQEL\n..."
+    ],
+    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDFDCCAfygAwIBAgIUXgxy54mKooz5soqQoRINazH/3pQwDQYJKoZIhvcNAQEL\n...",
+    "issuer_id": "7545992c-1910-0898-9e64-d575549fbe9c",
+    "issuer_name": "root-x1",
+    "key_id": "baadd98d-ec5a-66ac-06b7-dfc91c02c9cf",
+    "leaf_not_after_behavior": "truncate",
+    "manual_chain": null,
+    "usage": "read-only,issuing-certificates,crl-signing,ocsp-signing"
+  }
+}
+```
+
+### Update issuer
+
+This endpoint allows an operator to manage a single issuer, updating various
+properties about it, including its name, an explicitly constructed chain,
+what the behavior is for signing longer TTL'd certificates, and what usage
+modes are set on this issuer.
+
+Note that it is not possible to change the certificate of this issuer; to
+do so, import a new issuer and a new `issuer_id` will be assigned.
+
+| Method  | Path                      |
+| :------ | :------------------------ |
+| `POST`  | `/pki/issuer/:issuer_ref` |
+| `PATCH` | `/pki/issuer/:issuer_ref` |
+
+~> **Note** `POST`ing to this endpoint causes Vault to overwrite the previous
+   contents of the issuer, using the provided request data (and any defaults
+   for elided parameters). It does not update only the provided fields.<br /><br />
+   Since Vault 1.11.0, Vault supports the PATCH operation to this endpoint,
+   using the [JSON patch format](https://datatracker.ietf.org/doc/html/rfc6902)
+   supported by KVv2, allowing update of specific fields. Note that
+   `vault write` uses `POST`.
+
+#### Parameters
+
+- `issuer_ref` `(string: <required>)` - Reference to an existing issuer,
+  either by Vault-generated identifier, the literal string `default` to
+  refer to the currently configured default issuer, or the name assigned
+  to an issuer. This parameter is part of the request URL.
+
+- `issuer_name` `(string: "")` - Provides a name to the specified issuer. The
+  name must be unique across all issuers and not be the reserved value
+  `default`.
+
+- `leaf_not_after_behavior` `(string: "err")` - Behavior of a leaf's
+  `NotAfter` field during issuance. Valid options are:
+
+  - `err`, to error if the computed `NotAfter` exceeds that of this issuer;
+  - `truncate` to silently truncate the requested `NotAfter` value to that
+    of this issuer; or
+  - `permit` to allow this issuance to succeed with a `NotAfter` value
+    exceeding that of this issuer.
+
+~> Note: Not all values result in leaf certificates that can be validated
+   through the entire validity period. It is suggested to use `truncate` for
+   intermediate CAs and `permit` only for root CAs. This is because
+   (root) certificates in browsers' trust stores typically aren't checked
+   for validity, whereas intermediate CA certificates sent in TLS connections
+   are checked for validity at the time of use. This means that a leaf
+   certificate permitted to be issued for longer than the intermediate likely
+   won't continue to validate after the intermediate has expired.
+
+- `manual_chain` `([]string: nil)` - Chain of issuer references to build this
+  issuer's computed CAChain field from, when non-empty.
+
+~> Note: the `manual_chain` field is an advanced field useful when automatic
+   chain building isn't desired. The first element _must_ be the present
+   issuer's reference. Subsequent references _should_ validate previous
+   entries, terminating with a root certificate. _Ideally_ a single linear
+   chain would come first (from this issuer to a single root certificate)
+   before any parallel, alternate chains appear.<br /><br />
+   This field is especially useful for cross-signed intermediates within
+   Vault. Because each cross-signed intermediate will only know of the
+   one root, but issuance should serve both, update the issuers' entries
+   with the desired `manual_chain` value.<br /><br />
+   The CA Chain returned by a GET to the issuer configuration is the same
+   chain presented during signing and (if this issuer is the default) on
+   the `/ca_chain` path. Setting `manual_chain` thus allows controlling
+   the presented chain as desired.
+
+- `usage` `([]string: read-only,issuing-certificates,crl-signing,ocsp-signing)` - Allowed
+  usages for this issuer. Valid options are:
+
+  - `read-only`, to allow this issuer to be read; implict; always allowed;
+  - `issuing-certificates`, to allow this issuer to be used for issuing other
+    certificates; or
+  - `crl-signing`, to allow this issuer to be used for signing CRLs. This is
+    separate from the CRLSign KeyUsage on the x509 certificate, but this usage
+    cannot be set unless that KeyUsage is allowed on the x509 certificate.
+  - `ocsp-signing`, to allow this issuer to be used for signing OCSP responses
+
+~> Note: The `usage` field allows for a soft-delete capability on the issuer,
+   or to prevent use of the issuer prior to it being enabled. For example,
+   as issuance is rotated to a new issuer, the old issuer could be marked
+   `usage=read-only,crl-signing,ocsp-signing`, allowing existing certificates to be revoked
+   (and the CRL updated), but preventing new certificate issuance. After all
+   certificates issued under this certificate have expired, this certificate
+   could be marked `usage=read-only`, freezing the CRL. Finally, after a grace
+   period, the issuer could be deleted.
+
+- `revocation_signature_algorithm` `(string: "")` - Which signature algorithm
+  to use when building CRLs. See Go's [`x509.SignatureAlgorithm`](https://pkg.go.dev/crypto/x509#SignatureAlgorithm)
+  constant for possible values. This flag allows control over hash function
+  and signature scheme (PKCS#1v1.5 vs PSS). The default (empty string) value
+  is for Go to select the signature algorithm automatically, which may not
+  always work.
+
+~> Note: This can fail if the underlying key does not support the requested
+   signature algorithm; this may not always be known at modification time.
+   This most commonly needs to be modified when using PKCS#11 managed keys
+   with the `CKM_RSA_PKCS_PSS` mechanism type.
+
+- `issuing_certificates` `(array<string>: nil)` - Specifies the URL values for
+  the Issuing Certificate field. This can be an array or a comma-separated
+  string list. See also [RFC 5280 Section 4.2.2.1](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.2.1)
+  for information about the Authority Information Access field.
+
+- `crl_distribution_points` `(array<string>: nil)` - Specifies the URL values
+  for the CRL Distribution Points field. This can be an array or a
+  comma-separated string list. See also [RFC 5280 Section 4.2.1.13](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.13)
+  for information about the CRL Distribution Points field.
+
+~> Note: When multiple Performance Replication clusters are enabled, each
+   cluster will have its own CRL. Additionally, when multiple issuers are
+   in use under a single mount, each issuer will also have its own CRL
+   distribution point. These separate CRLs should either be aggregated into a
+   single CRL (externally; as Vault does not support this functionality)
+   or multiple `crl_distribution_points` should be specified here, pointing
+   to each cluster and issuer.
+
+- `ocsp_servers` `(array<string>: nil)` - Specifies the URL values for the OCSP
+  Servers field. This can be an array or a comma-separated string list. See also
+  [RFC 5280 Section 4.2.2.1](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.2.1)
+  for information about the Authority Information Access field.
+
+- `enable_aia_url_templating` `(bool: false)` - Specifies that the above AIA
+  URL values (`issuing_certificates`, `crl_distribution_points`, and
+  `ocsp_servers`) should be templated. This replaces the literal value
+  `{{issuer_id}}` with the ID of the issuer doing the issuance, the
+  literal value `{{cluster_path}}` with the value of `path` from the
+  cluster-local configuration endpoint `/config/cluster`, and the
+  literal value `{{cluster_aia_path}}` with the value of `aia_path` from
+  the cluster-local configuration endpoint `/config/cluster`.
+
+~> **Note**: If no cluster-local address is present and templating is used,
+   issuance will fail.
+
+#### Sample payload
+
+```json
+{
+  "issuer_name": "root-x1"
+}
+```
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/issuer/default
+```
+
+#### Sample response
+
+```text
+{
+  "data": {
+    "ca_chain": [
+      "-----BEGIN CERTIFICATE-----\nMIIDFDCCAfygAwIBAgIUXgxy54mKooz5soqQoRINazH/3pQwDQYJKoZIhvcNAQEL\n...",
+      "-----BEGIN CERTIFICATE-----\nMIIDFTCCAf2gAwIBAgIUUo/qwLm5AyqUWqFHw1MlgwUtS/kwDQYJKoZIhvcNAQEL\n..."
+    ],
+    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDFDCCAfygAwIBAgIUXgxy54mKooz5soqQoRINazH/3pQwDQYJKoZIhvcNAQEL\n...",
+    "issuer_id": "7545992c-1910-0898-9e64-d575549fbe9c",
+    "issuer_name": "root-x1",
+    "key_id": "baadd98d-ec5a-66ac-06b7-dfc91c02c9cf",
+    "leaf_not_after_behavior": "truncate",
+    "manual_chain": null,
+    "usage": "read-only,issuing-certificates,crl-signing,ocsp-signing",
+    "revocation_signature_algorithm": "",
+    "issuing_certificates": ["<url1>", "<url2>"],
+    "crl_distribution_points": ["<url1>", "<url2>"],
+    "ocsp_servers": ["<url1>", "<url2>"]
+  }
+}
+```
+
+### Revoke issuer
+
+This endpoint allows an operator to revoke an issuer certificate, marking it
+unable to issue new certificates and adding it to other issuers' CRLs, if they
+have signed this issuer's certificate. This will cause all CRLs to be rebuilt.
+
+This is mostly provided for book-keeping and as a soft-delete feature, to
+ensure this issuer is not accidentally reused in the future.
+
+~> **Warning**: This operation cannot be undone!
+
+~> Note: This operation **does not** have any impact on other clusters or
+   mounts and **may not** have any impact on whether clients consider these
+   issuers revoked. Revoked issuers will not appear on their own CRLs. Revoked
+   issuers may not appear on other CRLs if a suitable parent is not present in
+   the same mount point. Revoked issuers will still need to be revoked in any
+   other mounts they appear in, both as issuers, in the event of issuer reuse,
+   and as issued certificates, in the event of an external parent mount.
+
+| Method  | Path                             |
+| :------ | :------------------------------- |
+| `POST`  | `/pki/issuer/:issuer_ref/revoke` |
+
+#### Parameters
+
+No parameters.
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/pki/issuer/old-intermediate/revoke
+```
+
+#### Sample response
+
+```text
+{
+  "data": {
+    "ca_chain": [
+      "-----BEGIN CERTIFICATE-----\nMIIDFDCCAfygAwIBAgIUXgxy54mKooz5soqQoRINazH/3pQwDQYJKoZIhvcNAQEL\n...",
+      "-----BEGIN CERTIFICATE-----\nMIIDFTCCAf2gAwIBAgIUUo/qwLm5AyqUWqFHw1MlgwUtS/kwDQYJKoZIhvcNAQEL\n..."
+    ],
+    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDFDCCAfygAwIBAgIUXgxy54mKooz5soqQoRINazH/3pQwDQYJKoZIhvcNAQEL\n...",
+    "issuer_id": "7545992c-1910-0898-9e64-d575549fbe9c",
+    "issuer_name": "old-intermediate",
+    "key_id": "baadd98d-ec5a-66ac-06b7-dfc91c02c9cf",
+    "leaf_not_after_behavior": "truncate",
+    "manual_chain": null,
+    "usage": "read-only,issuing-certificates,crl-signing"
+    "revocation_time": 1433269787,
+  }
+}
+```
+
+### Delete issuer
+
+This endpoint deletes the specified issuer. A warning is emitted and the
+default is cleared if this issuer is the default issuer.
+
+~> **Note**: If an issuer is incorrectly deleted, but its key material
+   remains, it is possible to re-import just the issuer certificate. The
+   `issuer_id` will change, but the name can be re-assigned to the new
+   issuer.
+
+| Method   | Path                      |
+| :------- | :------------------------ |
+| `DELETE` | `/pki/issuer/:issuer_ref` |
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/pki/issuer/root-x1
+```
+
+### Import key
+
+This endpoint allows an operator to import a single pem encoded `rsa`, `ec`, or `ed25519`
+key.
+
+~> **Note**: This API does not protect against importing keys using insecure combinations of
+  algorithm and key length.
+
+| Method | Path               |
+|:-------|:-------------------|
+| `POST` | `/pki/keys/import` |
+
+#### Parameters
+
+- `pem_bundle` `(string: <required>)` - Specifies the unencrypted private key in PEM format.
+
+- `key_name` `(string: "")` - Provides a name to the specified key. The
+  name must be unique across all keys and not be the reserved value
+  `default`.
+
+#### Sample payload
+
+```json
+{
+  "key_name": "my-imported-key",
+  "pem_bundle": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END CERTIFICATE-----"
+}
+```
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/keys/import
+```
+
+#### Sample response
+
+```text
+{
+  "data": {
+    "key_id": "2cf03991-b052-1dc3-393e-374b41f8dcd8",
+    "key_name": "my-imported-key",
+    "key_type": "rsa"
+  },
+}
+```
+
+### Read key
+
+This endpoint allows an operator to fetch information about an existing key.
+
+~> **Note**: Vault does not allow reading the value of the private key after
+   it has been created.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `GET`  | `/pki/key/:key_ref` |
+
+#### Parameters
+
+- `key_ref` `(string: <required>)` - Reference to an existing key,
+  either by Vault-generated identifier, the literal string `default` to
+  refer to the currently configured default key, or the name assigned
+  to a key. This parameter is part of the request URL.
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/pki/key/default
+```
+
+#### Sample response
+
+```text
+{
+  "data": {
+    "key_id": "8c4046f8-52a8-0974-29d2-745d8a0dd848",
+    "key_name": "key-root-x1",
+    "key_type": "rsa"
+  }
+}
+```
+
+### Update key
+
+This endpoint allows an operator to manage a single key. Currently, the only
+parameter that is configurable is the key's name.
+
+Note that it is not possible to change the private key of this key; to
+do so, import a new key and a new `key_id` will be assigned.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `POST` | `/pki/key/:key_ref` |
+
+~> **Note** `POST`ing to this endpoint causes Vault to overwrite the previous
+   contents of the key, using the provided request data (and any defaults
+   for elided parameters). It does not update only the provided fields.
+
+#### Parameters
+
+- `key_ref` `(string: <required>)` - Reference to an existing key,
+  either by Vault-generated identifier, the literal string `default` to
+  refer to the currently configured default key, or the name assigned
+  to a key. This parameter is part of the request URL.
+
+- `key_name` `(string: "")` - Provides a name to the specified key. The
+  name must be unique across all keys and not be the reserved value
+  `default`.
+
+#### Sample payload
+
+```json
+{
+  "key_name": "key-root-x1"
+}
+```
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/key/default
+```
+
+#### Sample response
+
+```text
+{
+  "data": {
+    "key_id": "8c4046f8-52a8-0974-29d2-745d8a0dd848",
+    "key_name": "key-root-x1",
+    "key_type": "rsa"
+  }
+}
+```
+
+### Delete key
+
+This endpoint deletes the specified key. A warning is emitted and the
+default is cleared if this key is the default key.
+
+~> **Note**: Because Vault does not allow exporting the private key
+   after it is initially generated, deletion of keys is a sensitive
+   operation. Additionally, one key may be used by more than one issuer.
+   As a result, Vault prohibits deletion of keys until **all** issuers
+   using this key have also been deleted. If these issuers are still
+   necessary for chain building, re-import them without the corresponding
+   keys after the key has been deleted or use the soft-delete feature
+   of issuers.
+
+| Method   | Path                |
+| :------- | :------------------ |
+| `DELETE` | `/pki/key/:key_ref` |
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/pki/key/key-root-x1
+```
+
+### Delete all issuers and keys
+
+This endpoint deletes all issuers and keys within the mount. It is highly
+recommended to use the individual delete operations instead. This mount
+will be unusable until new issuers and keys are provisioned.
+
+_This endpoint requires sudo/root privileges._
+
+| Method   | Path        |
+| :------- | :---------- |
+| `DELETE` | `/pki/root` |
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/pki/root
+```
+
+---
+
+## Managing authority information
+
+The following privileged endpoints allow the operator to control information
+about the core contents of certificates and to perform privileged operations
+like rotating the CRLs or performing tidy operations.
+
+### List roles
+
+Refer to the [earlier section](#list-roles) for more information about
+listing roles.
+
+### Create/Update role
+
+This endpoint creates or updates the role definition. Note that the
+`allowed_domains`, `allow_subdomains`, `allow_glob_domains`, and
+`allow_any_name` attributes are additive; between them nearly and across
+multiple roles nearly any issuing policy can be accommodated. `server_flag`,
+`client_flag`, and `code_signing_flag` are additive as well. If a client
+requests a certificate that is not allowed by the CN policy in the role, the
+request is denied.
+
+| Method  | Path               |
+| :------ | :----------------- |
+| `POST`  | `/pki/roles/:name` |
+| `PATCH` | `/pki/roles/:name` |
+
+~> **Note** `POST`ing to this endpoint when the role already exists causes
+   Vault to overwrite the contents of the role, using the provided request
+   data (and any defaults for elided parameters). It does not update only
+   the provided fields.<br /><br />
+   Since Vault 1.11.0, Vault supports the PATCH operation to this endpoint,
+   using the [JSON patch format](https://datatracker.ietf.org/doc/html/rfc6902)
+   supported by KVv2, allowing update of specific fields. Note that
+   `vault write` uses `POST`.
+
+#### Parameters
+
+- `name` `(string: <required>)` - Specifies the name of the role to create. This
+  is part of the request URL.
+
+- `issuer_ref`: `(string: "default")` - Specifies the default issuer of this
+  request. May be the value `default`, a name, or an issuer ID. Use ACLs to
+  prevent access to the `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths
+  to prevent users overriding the role's `issuer_ref` value.
+
+~> Note: This parameter is stored as-is; if the reference is to a name, it
+   is **not** resolve to an identifier. Deletion of issuers (or updating their
+   names) **may** result in issuance failing or using an unexpected issuer.
+
+~> **Note**: existing roles from previous Vault versions are migrated to use
+   the `issuer_ref=default`.
+
+- `ttl` `(string: "")` - Specifies the Time To Live value to be used for the
+  validity period of the requested certificate, provided as a string duration
+  with time suffix. Hour is the largest suffix. The value specified is strictly
+  used for future validity. If not set, uses the system default value or the
+  value of `max_ttl`, whichever is shorter. See `not_after` as an alternative
+  for setting an absolute end date (rather than a relative one).
+
+- `max_ttl` `(string: "")` - Specifies the maximum Time To Live provided as a
+  string duration with time suffix. Hour is the largest suffix. If not set,
+  defaults to the system maximum lease TTL.
+
+- `allow_localhost` `(bool: true)` - Specifies if clients can request
+  certificates for `localhost` as one of the requested common names. This is
+  useful for testing and to allow clients on a single host to talk securely.
+
+~> **Note**: This strictly applies to `localhost` and `localdomain` when this
+   option is enabled. Additionally, even if this option is disabled, if either
+   name is included in `allowed_domains`, the match rules for that option
+   could permit issuance of a certificate for `localhost`.
+
+- `allowed_domains` `(list: [])` - Specifies the domains this role is allowed
+  to issue certificates for. This is used with the `allow_bare_domains`,
+  `allow_subdomains`, and `allow_glob_domains` options to determine the type
+  of matching between these domains and the values of common name, DNS-typed
+  SAN entries, and Email-typed SAN entries. When `allow_any_name` is used,
+  this attribute has no effect.
+
+~> **Note**: The three options `allow_bare_domains`, `allow_subdomains`, and
+   `allow_glob_domains` are each independent of each other. That is, at least
+   one type of allowed matching must describe the relationship between the
+   `allowed_domains` list and the names on the issued certificate. For example,
+   given `allowed_domain=foo.*.example.com` and `allow_subdomains=true` and
+   `allow_glob_domains=true`, a request for `bar.foo.baz.example.com` won't
+   be permitted, even though it `foo.baz.example.com` matches the glob
+   `foo.*.example.com` and `bar` is a subdomain of that.
+
+- `allowed_domains_template` `(bool: false)` - When set, `allowed_domains`
+  may contain templates, as with [ACL Path Templating](/vault/docs/concepts/policies).
+  Non-templated domains are also still permitted.
+
+- `allow_bare_domains` `(bool: false)` - Specifies if clients can request
+  certificates matching the value of the actual domains themselves; e.g. if a
+  configured domain set with `allowed_domains` is `example.com`, this allows
+  clients to actually request a certificate containing the name `example.com` as
+  one of the DNS values on the final certificate. In some scenarios, this can be
+  considered a security risk. Note that when an `allowed_domain` field contains
+  a potential wildcard character (for example, `allowed_domains=*.example.com`)
+  and `allow_bare_domains` and `allow_wildcard_certificates` are both enabled,
+  issuance of a wildcard certificate for `*.example.com` will be permitted.
+
+- `allow_subdomains` `(bool: false)` - Specifies if clients can request
+  certificates with CNs that are subdomains of the CNs allowed by the other role
+  options. _This includes wildcard subdomains._ For example, an
+  `allowed_domains` value of `example.com` with this option set to true will
+  allow `foo.example.com` and `bar.example.com` as well as `*.example.com`. To
+  restrict issuance of wildcards by this option, see `allow_wildcard_certificates`
+  below. This option is redundant when using the `allow_any_name` option.
+
+- `allow_glob_domains` `(bool: false)` - Allows names specified in
+  `allowed_domains` to contain glob patterns (e.g. `ftp*.example.com`). Clients
+  will be allowed to request certificates with names matching the glob
+  patterns.
+
+~> **Note**: These globs behave like shell-style globs and can match
+  across multiple domain parts. For example, `allowed_domains=*.example.com`
+  with `allow_glob_domains` enabled will match not only `foo.example.com` but
+  also `baz.bar.foo.example.com`.
+
+~> **Warning**: Glob patterns will match wildcard domains and permit their
+   issuance unless otherwise restricted by `allow_wildcard_certificates`. For
+   instance, with `allowed_domains=*.*.example.com` and both `allow_glob_domains`
+   and `allow_wildcard_certificates` enabled, we will permit the issuance of
+   a wildcard certificate for `*.foo.example.com`.
+
+- `allow_wildcard_certificates` `(bool: true)` - Allows the issuance of
+  certificates with [RFC 6125](https://tools.ietf.org/html/rfc6125) wildcards
+  in the CN field. When set to `false`, this prevents wildcards from being
+  issued even if they would've been allowed by an option above. We support
+  the following four wildcard types:
+
+  - `*.example.com`, a single wildcard as the entire left-most label,
+  - `foo*.example.com`, a single suffixed wildcard in the left-most label,
+  - `*foo.example.com`, a single prefixed wildcard in the left-most label, and
+  - `f*o.example.com`, a single interior wildcard in the left-most label.
+
+- `allow_any_name` `(bool: false)` - Specifies if clients can request any CN.
+  Useful in some circumstances, but make sure you understand whether it is
+  appropriate for your installation before enabling it. Note that both
+  `enforce_hostnames` and `allow_wildcard_certificates` are still checked,
+  which may introduce limitations on issuance with this option.
+
+- `enforce_hostnames` `(bool: true)` - Specifies if only valid host names are
+  allowed for CNs, DNS SANs, and the host part of email addresses.
+
+- `allow_ip_sans` `(bool: true)` - Specifies if clients can request IP Subject
+  Alternative Names. No authorization checking is performed except to verify
+  that the given values are valid IP addresses.
+
+- `allowed_uri_sans` `(string: "")` - Defines allowed URI Subject
+  Alternative Names. No authorization checking is performed except to verify
+  that the given values are valid URIs. This can be a comma-delimited list or
+  a JSON string slice. Values can contain glob patterns (e.g.
+  `spiffe://hostname/*`).
+
+- `allowed_uri_sans_template` `(bool: false)` - When set, `allowed_uri_sans`
+  may contain templates, as with [ACL Path Templating](/vault/docs/concepts/policies).
+  Non-templated domains are also still permitted.
+
+- `allowed_other_sans` `(string: "")` - Defines allowed custom OID/UTF8-string
+  SANs. This can be a comma-delimited list or a JSON string slice, where
+  each element has the same format as OpenSSL: `<oid>;<type>:<value>`, but
+  the only valid type is `UTF8` or `UTF-8`. The `value` part of an element
+  may be a `*` to allow any value with that OID.
+  Alternatively, specifying a single `*` will allow any `other_sans` input.
+
+- `allowed_serial_numbers` `(string: "")` - If set, an array of allowed serial
+  numbers to be requested during certificate issuance. These values support
+  shell-style globbing. When empty, custom-specified serial numbers will be
+  forbidden. It is strongly recommended to allow Vault to generate random
+  serial numbers instead.
+
+- `server_flag` `(bool: true)` - Specifies if certificates are flagged for
+  server authentication use. See [RFC 5280 Section 4.2.1.12](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12)
+  for information about the Extended Key Usage field.
+
+- `client_flag` `(bool: true)` - Specifies if certificates are flagged for
+  client authentication use. See [RFC 5280 Section 4.2.1.12](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12)
+  for information about the Extended Key Usage field.
+
+- `code_signing_flag` `(bool: false)` - Specifies if certificates are flagged
+  for code signing use. See [RFC 5280 Section 4.2.1.12](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12)
+  for information about the Extended Key Usage field.
+
+- `email_protection_flag` `(bool: false)` - Specifies if certificates are
+  flagged for email protection use. See [RFC 5280 Section 4.2.1.12](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12)
+  for information about the Extended Key Usage field.
+
+- `key_type` `(string: "rsa")` - Specifies the type of key to generate for
+  generated private keys and the type of key expected for submitted CSRs.
+  Currently, `rsa`, `ec`, and `ed25519` are supported, or when signing
+  existing CSRs, `any` can be specified to allow keys of either type
+  and with any bit size (subject to >=2048 bits for RSA keys or >= 224 for EC keys).
+  When `any` is used, this role cannot generate certificates and can only
+  be used to sign CSRs.
+
+~> **Note**: In FIPS 140-2 mode, the following algorithms are not certified
+   and thus should not be used: `ed25519`.
+
+- `key_bits` `(int: 0)` - Specifies the number of bits to use for the
+  generated keys. Allowed values are 0 (universal default); with
+  `key_type=rsa`, allowed values are: 2048 (default), 3072, 4096 or 8192;
+  with `key_type=ec`, allowed values are: 224, 256 (default),
+  384, or 521; ignored with `key_type=ed25519` or in signing operations
+  when `key_type=any`.
+
+- `signature_bits` `(int: 0)` - Specifies the number of bits to use in
+  the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384,
+  and 512 for SHA-2-512. Defaults to 0 to automatically detect based
+  on issuer's key length (SHA-2-256 for RSA keys, and matching the curve size
+  for NIST P-Curves).
+
+~> **Note**: ECDSA and Ed25519 issuers do not follow configuration of the
+   `signature_bits` value; only RSA issuers will change signature types
+   based on this parameter.
+
+- `use_pss` `(bool: false)` - Specifies whether or not to use PSS signatures
+  over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for
+  ECDSA/Ed25519 issuers.
+
+- `key_usage` `(list: ["DigitalSignature", "KeyAgreement", "KeyEncipherment"])` -
+  Specifies the allowed key usage constraint on issued certificates. Valid
+  values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage - simply
+  drop the `KeyUsage` part of the value. Values are not case-sensitive. To
+  specify no key usage constraints, set this to an empty list. See
+  [RFC 5280 Section 4.2.1.3](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3)
+  for more information about the Key Usage field.
+
+- `ext_key_usage` `(list: [])` -
+  Specifies the allowed extended key usage constraint on issued certificates. Valid
+  values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage - simply
+  drop the `ExtKeyUsage` part of the value. Values are not case-sensitive. To
+  specify no key usage constraints, set this to an empty list. See
+  [RFC 5280 Section 4.2.1.12](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12)
+  for information about the Extended Key Usage field.
+
+- `ext_key_usage_oids` `(string: "")` - A comma-separated string or list of extended
+  key usage oids. Useful for adding EKUs not supported by the Go standard library.
+
+- `use_csr_common_name` `(bool: true)` - When used with the CSR signing
+  endpoint, the common name in the CSR will be used instead of taken from the
+  JSON data. This does not include any requested SANs in the CSR; use
+  `use_csr_sans` for that.
+
+- `use_csr_sans` `(bool: true)` - When used with the CSR signing endpoint, the
+  subject alternate names in the CSR will be used instead of taken from the JSON
+  data. This does not include the common name in the CSR; use
+  `use_csr_common_name` for that.
+
+- `ou` `(string: "")` - Specifies the OU (OrganizationalUnit) values in the
+  subject field of issued certificates. This is a comma-separated string or
+  JSON array.
+
+- `organization` `(string: "")` - Specifies the O (Organization) values in the
+  subject field of issued certificates. This is a comma-separated string or
+  JSON array.
+
+- `country` `(string: "")` - Specifies the C (Country) values in the
+  subject field of issued certificates. This is a comma-separated string or
+  JSON array.
+
+- `locality` `(string: "")` - Specifies the L (Locality) values in the
+  subject field of issued certificates. This is a comma-separated string or
+  JSON array.
+
+- `province` `(string: "")` - Specifies the ST (Province) values in the
+  subject field of issued certificates. This is a comma-separated string or
+  JSON array.
+
+- `street_address` `(string: "")` - Specifies the Street Address values in the
+  subject field of issued certificates. This is a comma-separated string or
+  JSON array.
+
+- `postal_code` `(string: "")` - Specifies the Postal Code values in the
+  subject field of issued certificates. This is a comma-separated string or
+  JSON array.
+
+- `generate_lease` `(bool: false)` - Specifies if certificates issued/signed
+  against this role will have Vault leases attached to them. Certificates can be
+  added to the CRL by `vault revoke <lease_id>` when certificates are associated
+  with leases. It can also be done using the `pki/revoke` endpoint. However,
+  when lease generation is disabled, invoking `pki/revoke` would be the only way
+  to add the certificates to the CRL. When large number of certificates are
+  generated with long lifetimes, it is recommended that lease generation be
+  disabled, as large amount of leases adversely affect the startup time of Vault.
+
+- `no_store` `(bool: false)` - If set, certificates issued/signed against this
+  role will not be stored in the storage backend. This can improve performance
+  when issuing large numbers of certificates. However, certificates issued in
+  this way cannot be enumerated or revoked via serial number. Certificates may
+  still be revoked via [BYOC revocation](#certificate-1).
+  This option is recommend only for certificates that are non-sensitive,
+  extremely short-lived, or have high volume/turn-over that would prohibit
+  storage. This option implies a value of `false` for `generate_lease`.
+
+- `require_cn` `(bool: true)` - If set to false, makes the `common_name` field
+  optional while generating a certificate.
+
+- `policy_identifiers` `(list: [])` - A comma-separated string or list of policy
+  OIDs.
+
+- `basic_constraints_valid_for_non_ca` `(bool: false)` - Mark Basic Constraints
+  valid when issuing non-CA certificates.
+
+- `not_before_duration` `(duration: "30s")` - Specifies the duration by which to
+  backdate the NotBefore property. This value has no impact in the validity period
+  of the requested certificate, specified in the `ttl` field.
+
+- `not_after` `(string)` - Set the Not After field of the certificate with
+  specified date value. The value format should be given in UTC format
+  `YYYY-MM-ddTHH:MM:SSZ`. Supports the Y10K end date for IEEE 802.1AR-2018
+  standard devices, `9999-12-31T23:59:59Z`.
+
+- `cn_validations` `(list: ["email", "hostname"])` - Validations to run on the
+  Common Name field of the certificate. Valid values include:
+
+   - `email`, to ensure the Common Name is an email address (contains an `@` sign),
+   - `hostname`, to ensure the Common Name is a hostname (otherwise).
+
+  Multiple values can be separated with a comma or specified as a list and use
+  OR semantics (either email or hostname in the CN are allowed). When the
+  special value "disabled" is used (must be specified alone), none of the usual
+  validation is run (including but not limited to `allowed_domains` and basic
+  correctness validation around email addresses and domain names). This allows
+  non-standard CNs to be used verbatim from the request.
+
+- `allowed_user_ids` `(string: "")` - Comma separated, globbing list of User ID
+  Subject components to allow on requests. By default, no user IDs are allowed.
+  Use the bare wildcard `*` value to allow any value. See also the `user_ids`
+  request parameter.
+
+#### Sample payload
+
+```json
+{
+  "allowed_domains": ["example.com"],
+  "allow_subdomains": true
+}
+```
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/roles/my-role
+```
+
+### Read role
+
+Refer to the [earlier section](#read-role) for more information about
+reading roles.
+
+### Delete role
+
+This endpoint deletes the role definition. Deleting a role **does not**
+revoke certificates previously issued under this role.
+
+| Method   | Path               |
+| :------- | :----------------- |
+| `DELETE` | `/pki/roles/:name` |
+
+#### Parameters
+
+- `name` `(string: <required>)` - Specifies the name of the role to delete. This
+  is part of the request URL.
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/pki/roles/my-role
+```
+
+### Read Certificate Issuance External Policy Service (CIEPS) configuration <EnterpriseAlert inline="true" />
+
+This endpoint reads the Certificate Issuance External Policy Service
+(CIEPS) engine <EnterpriseAlert inline="true" /> connection properties.
+
+On top of the configuration parameters documented below, this endpoint
+returns the following parameters:
+
+ - `external_service_last_updated` - An RFC 3339 timestamp indicating when the
+   configuration was last modified.
+
+ - `external_service_validated` - Indicates whether a successful connection to
+   the external policy engine has been made under this configuration.
+
+ - `last_successful_request` - Timestamp of the last successful request to
+   the external policy engine.
+
+Note that the last two parameters are node-specific and will be reset
+whenever the mount reloads (e.g., leadership election or seal/unseal).
+
+| Method | Path                          |
+| :----- | :---------------------------- |
+| `GET`  | `/pki/config/external-policy` |
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/config/external-policy
+```
+
+#### Sample Response
+
+```
+{
+  "data": {
+    "enabled": false,
+    "external_service_last_updated": "0001-01-01T00:00:00Z",
+    "external_service_url": "",
+    "external_service_validated": false,
+    "last_successful_request": "",
+    "timeout": 15000000000,
+    "trusted_ca": "",
+    "trusted_leaf_certificate_bundle": "",
+    "vault_client_cert_bundle": ""
+  },
+}
+
+```
+
+### Set Certificate Issuance External Policy Service (CIEPS) configuration <EnterpriseAlert inline="true" />
+
+This endpoint allows enabling the Certificate Issuance External Policy Service
+(CIEPS) <EnterpriseAlert inline="true" /> engine and configuring connection
+properties.
+
+| Method | Path                          |
+| :----- | :---------------------------- |
+| `POST` | `/pki/config/external-policy` |
+
+#### Parameters
+
+ - `enabled` `(bool: false)` - Enables or disables the external policy
+   service. When disabled, issuance mechanisms under `external-policy`
+   paths (e.g., `/pki/external-policy/sign/:policy`) will not work.
+
+ - `external_service_url` `(string: <required>)` - URI to the external
+   policy engine. Must use the `https://` scheme.
+
+ - `timeout` `(string: "")` - This is how long any particular API request
+   should wait for a timeout at various layers of the stack. Defaults to
+   `15s`.
+
+ - `trusted_ca` `(string: "")` - A PEM bundle of trusted CAs to verify the
+   certificates presented by the external policy engine against. Optional;
+   one of `trusted_ca` or `trusted_leaf_certificate_bundle` must be specified.
+
+ - `trusted_leaf_certificate_bundle` `(string: "")` - A PEM bundle of pinned
+   non-CA leaf certificates that must be presented by the external policy
+   engine. Optional; one of `trusted_ca` or `trusted_leaf_certificate_bundle`
+   must be specified.
+
+ - `vault_client_cert_bundle` `(string: "")` - A PEM bundle of a private key
+   and one or more certificates to present during authentication to the
+   external policy service.
+ - `entity_jmespath` `(string: "")` - A JMESPath expression that will select and filter entity metadata to the service. By default no entity metadata beyond the entity id is sent, use "@" to send all information
+
+ - `group_jmespath` `(string: "")` - A JMESPath expression that will select and filter entity group metadata to the service. By default no group entity metadata is sent, use "@" to send all information
+#### Sample payload
+
+```json
+{
+  "enabled": true,
+  "external_service_url": "https://cieps.dadgarcorp.internal",
+  "trusted_ca": "-----BEGIN CERTIFICATE-----...."
+}
+```
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/config/external-policy
+```
+
+### Read URLs
+
+This endpoint fetches the URLs to be encoded in generated certificates. No URL
+configuration will be returned until the configuration is set.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `/pki/config/urls` |
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/pki/config/urls
+```
+
+#### Sample response
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "issuing_certificates": ["<url1>", "<url2>"],
+    "crl_distribution_points": ["<url1>", "<url2>"],
+    "ocsp_servers": ["<url1>", "<url2>"]
+  },
+  "auth": null
+}
+```
+
+### Set URLs
+
+This endpoint allows setting the issuing certificate endpoints, CRL distribution
+points, and OCSP server endpoints that will be encoded into issued certificates.
+You can update any of the values at any time without affecting the other
+existing values. To remove the values, simply use a blank string as the
+parameter.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `POST` | `/pki/config/urls` |
+
+~> **Note**: When using multiple issuers within the same mount, it is strongly
+   suggested to use the per-issuer AIA information instead of the global
+   AIA information. If any of the per-issuer AIA fields are set, the entire
+   issuer's preferences will be used instead. Otherwise, these fields are used
+   as a fallback.<br /><br />
+   This can be achieved by using _templated_ global AIA values, but setting
+   the cluster-local address in configuration. When used, this value **must**
+   be set on all performance replication clusters, otherwise issuance will
+   fail!
+
+#### Parameters
+
+- `issuing_certificates` `(array<string>: nil)` - Specifies the URL values for
+  the Issuing Certificate field. This can be an array or a comma-separated
+  string list. See also [RFC 5280 Section 4.2.2.1](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.2.1)
+  for information about the Authority Information Access field.
+
+- `crl_distribution_points` `(array<string>: nil)` - Specifies the URL values
+  for the CRL Distribution Points field. This can be an array or a
+  comma-separated string list. See also [RFC 5280 Section 4.2.1.13](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.13)
+  for information about the CRL Distribution Points field.
+
+~> Note: When multiple Performance Replication clusters are enabled, each
+   cluster will have its own CRL. Additionally, when multiple issuers are
+   in use under a single mount, each issuer will also have its own CRL
+   distribution point. These separate CRLs should either be aggregated into a
+   single CRL (externally; as Vault does not support this functionality)
+   or multiple `crl_distribution_points` should be specified here, pointing
+   to each cluster and issuer.
+
+- `ocsp_servers` `(array<string>: nil)` - Specifies the URL values for the OCSP
+  Servers field. This can be an array or a comma-separated string list. See also
+  [RFC 5280 Section 4.2.2.1](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.2.1)
+  for information about the Authority Information Access field.
+
+- `enable_templating` `(bool: false)` - Specifies that the above AIA
+  URL values (`issuing_certificates`, `crl_distribution_points`, and
+  `ocsp_servers`) should be templated. This replaces the literal value
+  `{{issuer_id}}` with the ID of the issuer doing the issuance, the
+  literal value `{{cluster_path}}` with the value of `path` from the
+  cluster-local configuration endpoint `/config/cluster`, and the
+  literal value `{{cluster_aia_path}}` with the value of `aia_path` from
+  the cluster-local configuration endpoint `/config/cluster`.
+
+  For example, the following values can be used globally to ensure all AIA
+  URIs use the cluster-local, per-issuer canonical reference, but with
+  the issuing CA certificate and CRL distribution points to potentially
+  use an external, non-Vault CDN.
+
+   - `issuing_certificates={{cluster_aia_path}}/issuer/{{issuer_id}}/der`
+   - `crl_distribution_points={{cluster_aia_path}}/issuer/{{issuer_id}}/crl/der`
+   - `ocsp_servers={{cluster_aia_path}}/ocsp`
+
+~> **Note**: If no cluster-local address is present and templating is used,
+   issuance will fail.
+
+#### Sample payload
+
+```json
+{
+  "issuing_certificates": ["{{cluster_aia_path}}/issuer/{{issuer_id}}/der"],
+  "crl_distribution_points": ["{{cluster_aia_path}}/issuer/{{issuer_id}}/crl/der"],
+  "ocsp_servers": ["{{cluster_aia_path}}/ocsp"]
+}
+```
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/config/urls
+```
+
+### Read issuers configuration
+
+This endpoint allows getting the value of the default issuer.
+
+| Method | Path                  |
+| :----- | :-------------------- |
+| `GET`  | `/pki/config/issuers` |
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/pki/config/issuers
+```
+
+#### Sample response
+
+```json
+{
+  "data": {
+    "default": "3dc79a5a-7a6c-70e2-1123-94b88557ba12",
+    "default_follows_latest_issuer": "false"
+  }
+}
+```
+
+### Set issuers configuration
+
+This endpoint allows setting the value of the default issuer.
+
+| Method | Path                  |
+| :----- | :-------------------- |
+| `POST` | `/pki/config/issuers` |
+| `POST` | `/pki/root/replace`   |
+
+#### Parameters
+
+- `default` `(string: "")` - Specifies the default issuer (by reference;
+  either a name or an ID). When no value is specified and the path is
+  `/pki/root/replace`, the default value of `"next"` will be used.
+
+- `default_follows_latest_issuer` `(bool: false)` - Specifies whether a
+  root creation or an issuer import operation updates the default issuer
+  to the newly added issuer.
+
+  While the new multi-issuer functionality of 1.11 was backwards compatible
+  on a per-API basis, some applications relied explicitly on unsafe behavior
+  across multiple APIs that we addressed. For instance, calling
+  `/intermediate/generate/:type` would silently remove any (potentially
+  in-use!) key material and generate new private keys. While our response to
+  this endpoint is backwards compatible (returning a new key and safely
+  preserving old keys), some applications implicitly relied on this behavior.
+  This new option is meant to provide compatibility across API calls to these
+  callers: the newly created issuer (once _imported_ -- not on intermediate
+  generation) will become the default and it will look (to anyone strictly
+  using old APIs) that it is the only issuer in the mount. However, it is
+  encouraged for applications to update to the newer, safer semantics
+  associated with [multi-issuer rotation](/vault/docs/secrets/pki/rotation-primitives).
+
+~> Note: When an import creates more than one new issuer with key material
+   known to this mount, no default update will occur.
+
+#### Sample payload
+
+```json
+{
+  "default": "root-x1"
+}
+```
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/config/issuers
+```
+
+#### Sample response
+
+```json
+{
+  "data": {
+    "default": "3dc79a5a-7a6c-70e2-1123-94b88557ba12"
+  }
+}
+```
+
+### Read keys configuration
+
+This endpoint allows getting the value of the default key.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `/pki/config/keys` |
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/pki/config/keys
+```
+
+#### Sample response
+
+```json
+{
+  "data": {
+    "default": "baadd98d-ec5a-66ac-06b7-dfc91c02c9cf"
+  }
+}
+```
+
+### Set keys configuration
+
+This endpoint allows setting the value of the default key.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `POST` | `/pki/config/keys` |
+
+#### Parameters
+
+- `default` `(string: "")` - Specifies the default key (by reference;
+  either a name or an ID).
+
+#### Sample payload
+
+```json
+{
+  "default": "baadd98d-ec5a-66ac-06b7-dfc91c02c9cf"
+}
+```
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/config/keys
+```
+
+#### Sample response
+
+```json
+{
+  "data": {
+    "default": "baadd98d-ec5a-66ac-06b7-dfc91c02c9cf"
+  }
+}
+```
+
+### Read cluster configuration
+
+This endpoint fetches the cluster-local configuration.
+
+The cluster-local config has `path`, which sets the URL to this mount on
+a particular performance replication cluster. This is useful for populating
+`{{cluster_path}}` during AIA URL templating, but may be used for other
+values in the future.
+
+It also has `aia_path`, which allows using a non-Vault, external responder,
+setting the `{{cluster_aia_path}}` value for AIA URL templating. This is
+useful for distributing CA and CRL information over an unsecured, non-TLS
+channel.
+
+| Method | Path                  |
+| :----- | :-------------------- |
+| `GET`  | `/pki/config/cluster` |
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/pki/config/cluster
+```
+
+#### Sample response
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "path": "<url>",
+    "aia_path": "<url>"
+  },
+  "auth": null
+}
+```
+
+### Set cluster configuration
+
+This endpoint sets cluster-local configuration.
+
+The cluster-local config has `path`, which sets the URL to this mount on
+a particular performance replication cluster. This is useful for populating
+`{{cluster_path}}` during AIA URL templating, but may be used for other
+values in the future.
+
+It also has `aia_path`, which allows using a non-Vault, external responder,
+setting the `{{cluster_aia_path}}` value for AIA URL templating. This is
+useful for distributing CA and CRL information over an unsecured, non-TLS
+channel.
+
+| Method | Path                  |
+| :----- | :-------------------- |
+| `POST` | `/pki/config/cluster` |
+
+#### Parameters
+
+- `path` `(string: "")` - Specifies the path to this performance replication
+  cluster's API mount path, including any namespaces as path components.
+  For example, `https://pr-a.vault.example.com/v1/ns1/pki-root`.
+
+- `aia_path` `(string: "")` - Specifies the path to this performance replication
+  cluster's AIA distribution point; may refer to an external, non-Vault responder.
+  This is for resolving AIA URLs and providing the `{{cluster_aia_path}}` template
+  parameter and will not be used for other purposes. As such, unlike `path` above,
+  this could safely be an insecure transit mechanism (like HTTP without TLS).
+
+#### Sample payload
+
+```json
+{
+  "path": "https://...",
+  "aia_path": "http://..."
+}
+```
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/config/cluster
+```
+
+### Read CRL configuration
+
+This endpoint allows getting the duration for which the generated CRL should be
+marked valid. No CRL configuration will be returned until the configuration is
+set, but the CRL will still default to enabled with 72h expiration.
+
+| Method | Path              |
+| :----- | :---------------- |
+| `GET`  | `/pki/config/crl` |
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/pki/config/crl
+```
+
+#### Sample response
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "disable": false,
+    "expiry": "72h",
+    "ocsp_disable": false,
+    "ocsp_expiry": "12h",
+    "auto_rebuild": false,
+    "auto_rebuild_grace_period": "12h",
+    "enable_delta": false,
+    "delta_rebuild_interval": "15m",
+    "cross_cluster_revocation": true,
+    "unified_crl": true,
+    "unified_crl_on_existing_paths": true
+  },
+  "auth": null
+}
+```
+
+<a name="set-crl-configuration"></a>
+
+### Set revocation configuration
+
+This endpoint allows setting the duration for which the generated CRL should be
+marked valid. If the CRL is disabled, it will return a signed but zero-length
+CRL for any request. If enabled, it will re-build the CRL.
+
+If the `ocsp_disable` key is set to `true`, the OCSP responder will always
+respond with an Unauthorized OCSP response to any request.
+
+~> **Note**: This parameter is global, across all clusters and issuers. Use
+   the per-issuer `usage` field to disable CRL building for a specific
+   issuer, while leaving the global CRL building enabled.
+
+~> Note: Disabling the CRL does not affect whether revoked certificates are
+stored internally. Certificates that have been revoked when a role's
+certificate storage is enabled will continue to be marked and stored as
+revoked until `tidy` has been run with the desired safety buffer. Re-enabling
+CRL generation will then result in all such certificates becoming a part of
+the CRL.
+
+~> Note: Enabling automatic rebuilding of CRLs disables immediate regeneration
+   on revocation. This is in line with the behavior of other CAs which only
+   rebuild CRLs periodically. We suggest manually hitting the rotate if a
+   fresh CRL is necessary after a revocation. For the most part though, CRLs
+   should not be relied upon for the latest certificate status information,
+   and OCSP should be used instead.
+
+~> Note: The periodic function which controls automatic rebuilding of CRLs
+   and delta CRLs only executes once a minute; this prevents high system load
+   but limits the granularity of the temporal options below.
+
+~> Note: The `unified_crl`, `unified_crl_on_existing_paths`, and
+   `cross_cluster_revocation` parameters are all Vault Enterprise only
+   functionality. While they appear in the responses on Vault Community Edition, they cannot
+   be enabled.
+
+| Method | Path              |
+| :----- | :---------------- |
+| `POST` | `/pki/config/crl` |
+
+#### Parameters
+
+- `expiry` `(string: "72h")` - The amount of time the generated CRL should be valid.
+
+- `disable` `(bool: false)` - Disables or enables CRL building.
+
+- `ocsp_disable` `(bool: false)` - Disables or enables the OCSP responder in Vault.
+
+- `ocsp_expiry` `(string: "12h")` - The amount of time an OCSP response can be cached for,
+  (controls the NextUpdate field), useful for OCSP stapling refresh durations. If set to 0
+  the NextUpdate field is not set, indicating newer revocation information is available
+  all the time.
+
+- `auto_rebuild` `(bool: false)` - Enables or disables periodic rebuilding of
+  the CRL upon expiry.
+
+- `auto_rebuild_grace_period` `(string: "12h")` - Grace period before CRL expiry
+  to attempt rebuild of CRL. Must be shorter than the CRL expiry period.
+
+- `enable_delta` `(bool: false)` - Enables or disables building of delta CRLs
+  with up-to-date revocation information, augmenting the last complete CRL.
+  This option requires `auto_rebuild` to also be enabled.
+
+- `delta_rebuild_interval` `(string: "15m")` - Interval to check for new
+  revocations on, to regenerate the delta CRL. Must be shorter than CRL
+  expiry.
+
+- `cross_cluster_revocation` `(bool: false)` -
+  <EnterpriseAlert product="vault" inline /> Enables cross-cluster revocation
+  request queues. When a serial not issued on this local cluster is presented
+  to Vault via the [`/revoke` API](#revoke-certificate), it is replicated
+  across clusters and the cluster which issued that certificate will revoke
+  it if it is online.
+
+~> Note: API calls to revoke a certificate with Bring Your Own Certificate
+   (BYOC) will always trigger a local revocation of that certificate. No
+   cross-cluster revocation request will be created.<br /><br />
+   API calls to revoke a certificate with Proof of Possession (PoP) cannot
+   be satisfied if the certificate is not available locally and will
+   not result in a cross-cluster revocation request.
+
+- `unified_crl` `(bool: false)` -
+  <EnterpriseAlert product="vault" inline /> Enables unified CRL and OCSP building. This
+  synchronizes all revocations between clusters; a single, unified CRL will be
+  built on the active node of the primary performance replication (PR)
+  cluster. Any node in any PR cluster will be able to serve this unified CRL
+  and respond to unified OCSP inquiries.
+
+~> Note: This option ensures existing, non-expired revocations are
+   consistently reported. If a certificate was issued and stored on one
+   cluster, but revoked via BYOC on another, this option will inform the
+   issuing cluster of the revocation.
+
+- `unified_crl_on_existing_paths` `(bool: false)` -
+  <EnterpriseAlert product="vault" inline /> Enables serving the
+  unified CRL and OCSP on the existing, previously cluster-local paths
+  (e.g., `/pki/crl` will now contain the unified CRL when enabled). This
+  allows transitioning AIA-based consumption of CRLs to a unified view
+  without having to re-issue certificates or update scripts pulling
+  a single CRL.
+
+#### Sample payload
+
+```json
+{
+  "expiry": "48h",
+  "disable": "false",
+  "ocsp_disable": "false",
+  "ocsp_expiry": "12h",
+  "auto_rebuild": "true",
+  "auto_rebuild_grace_period": "8h",
+  "enable_delta": "true",
+  "delta_rebuild_interval": "10m",
+  "cross_cluster_revocation": true,
+  "unified_crl": true,
+  "unified_crl_on_existing_paths": true,
+}
+```
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/config/crl
+```
+
+### Rotate CRLs
+
+This endpoint forces a rotation of all issuers' CRLs. This can be used by
+administrators to cut the size of the CRL if it contains a number of
+certificates that have now expired, but has not been rotated due to no further
+certificates being revoked. If no certificates have been revoked, but the CRL
+has expired or is close to expiring, administrators **must** hit this endpoint
+to manually rotate the CRL. This rotates all CRLs on the present cluster,
+and **must** be called on every cluster.
+
+~> **Note**: Mirroring the behavior of earlier Vault versions, we add
+   certificates revoked by an unknown issuer to the default issuer's CRL.
+   To fully purge old revoked, unexpired certificates, it is not sufficient
+   to delete their issuer and is instead necessary to **remove** the mount
+   completely.
+
+~> **Note**: As of Vault 1.12, it is suggested to switch to enabling the CRL's
+   `auto_rebuild` functionality to avoid having to manually hit the Rotate
+   endpoint when the CRL expires. This ensures a valid CRL is always
+   maintained, at the expense of potentially not being up-to-date. If a
+   revocation occurs that must be immediately propagated, this endpoint can
+   be used to regenerate the CRL, though distribution must still occur outside
+   of Vault (either manually or via AIA where supported).
+
+| Method | Path              |
+| :----- | :---------------- |
+| `GET`  | `/pki/crl/rotate` |
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/pki/crl/rotate
+```
+
+#### Sample response
+
+```json
+{
+  "data": {
+    "success": true
+  }
+}
+```
+
+### Rotate delta CRLs
+
+This endpoint forces a rotation of all issuers' delta CRLs, when enabled.
+This can be used by administrators to force a rebuild of a delta CRL if
+high-profile revocations have occurred and there's a long high interval
+between delta rebuilds (`delta_rebuild_interval`).
+
+See notes about rotating regular CRLs above as they apply here as well.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `GET`  | `/pki/crl/rotate-delta` |
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/pki/crl/rotate
+```
+
+#### Sample response
+
+```json
+{
+  "data": {
+    "success": true
   }
+}
+```
+
+### Combine CRLs from the same issuer
+
+This endpoint allows combining multiple different CRLs that have been signed by the
+same issuer into a single signed CRL. This is useful to generate a single authoritative
+CRL of revocations across distinct Vault clusters such as primary and performance replica
+clusters.
 
-  .notification {
-    background-color: transparent;
-    line-height: 1.66;
-    padding: 0 $spacing-12;
+
+| Method | Path                                  |
+|:-------|:--------------------------------------|
+| `POST` | `/pki/issuer/:issuer_ref/resign-crls` |
+
+
+#### Parameters
+
+- `issuer_ref` `(string: <required>)` - Reference to an existing issuer,
+  either by Vault-generated identifier, the literal string `default` to
+  refer to the currently configured default issuer, or the name assigned
+  to an issuer. This parameter is part of the request URL.
+- `crls` `(list of strings: <required>)` - A list of PEM encoded CRLs that have been
+  signed by the issuer
+- `crl_number` `(int: <required>)` - The sequence number to be written within the CRL
+  Number extension.
+- `delta_crl_base_number` `(int: -1)` - Using a value of 0 or greater specifies the base CRL revision
+  number to encode within a Delta CRL indicator extension, otherwise the extension will
+  not be added; defaults to -1.
+- `format` `(string: pem)` - The format of the combined CRL, can be "pem" or "der".
+  If "der", the value will be base64 encoded; Defaults to "pem".
+- `next_update` `(string: 72h)` - The amount of time the generated CRL should be
+  valid; defaults to 72 hours.
+
+#### Sample payload
+
+```json
+{
+  "crl_number": "10",
+  "next_update": "24h",
+  "crls": ["<PEM crl 1>", "<PEM crl 2>"],
+  "format": "pem"
+}
+```
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    -request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/issuer/default/resign-crls
+```
+
+#### Sample response
+
+```json
+{
+  "data": {
+    "crl": "<PEM encoded crl>"
   }
 }
+```
+
+### Sign revocation list
+
+This endpoint allows generating a CRL based on the provided parameter data from any external
+source and signed by the specified issuer. Values are taken verbatim from the parameters provided.
+
+**This is a potentially dangerous endpoint and only highly trusted users should have access.**
+
+| Method | Path                                           |
+|:-------|:-----------------------------------------------|
+| `POST` | `/pki/issuer/:issuer_ref/sign-revocation-list` |
+
+
+#### Parameters
+
+- `issuer_ref` `(string: <required>)` - Reference to an existing issuer,
+  either by Vault-generated identifier, the literal string `default` to
+  refer to the currently configured default issuer, or the name assigned
+  to an issuer. This parameter is part of the request URL.
+- `crl_number` `(int: <required>)` - The sequence number to be written within the CRL
+  Number extension.
+- `delta_crl_base_number` `(int: -1)` - Using a value of 0 or greater specifies the base CRL revision
+  number to encode within a Delta CRL indicator extension, otherwise the extension will
+  not be added; defaults to -1.
+- `format` `(string: pem)` - The format of the combined CRL, can be "pem" or "der".
+  If "der", the value will be base64 encoded; Defaults to "pem".
+- `next_update` `(string: 72h)` - The amount of time the generated CRL should be
+  valid; defaults to 72 hours.
+- `revoked_certs` `(type: slice of maps)` - Each element contains revocation information for a
+  single serial number along with the revocation time and the serial's extensions if any. Each
+  element can have the following key/values
+   - `serial_number` `(type: string)` - the serial number of the revoked cert
+   - `revocation_time` `(type: string)` - the revocation time, unix int format or RFC3339 encoding supported
+   - `extensions` `(type: slice of maps)` - A slice of all extensions that should be added to the revoked
+      certificate entry. Each ele,ent contains a map with the following entries
+     - `id` `(type: string)` - an ASN1 object identifier in dot notation
+     - `critical` `(type: bool)` - should the extension be marked critical
+     - `value` `(type: string)` - base64 encoded bytes for extension value
+- `extensions` `(type: slice of maps)` - A slice of all extensions that should be added to the generated
+  CRL each element containing a map with the following entries.
+   - `id` `(type: string)` - an ASN1 object identifier in dot notation
+   - `critical` `(type: bool)` - should the extension be marked critical
+   - `value` `(type: string)` - base64 encoded bytes for extension value
+
+~> **Note**:: The following extension ids are not allowed to be provided and can be influenced by other parameters
+  - `2.5.29.20`: CRL Number
+  - `2.5.29.27`: Delta CRL
+  - `2.5.29.35`: Authority Key Identifier
+
+#### Sample payload
+
+```json
+{
+  "crl_number": "10",
+  "next_update": "24h",
+  "format": "pem",
+  "revoked_certs": [
+    {
+      "serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58",
+      "revocation_time": "2009-11-10T23:00:00Z"
+    },
+    {
+      "serial_number": "40:33:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58",
+      "revocation_time": "1257894000"
+    }
+  ]
+}
+```
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    -request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/issuer/default/sign-revocation-list
+```
 
-@keyframes env-banner-color-rotate {
-  100% {
-    filter: hue-rotate(105deg);
+#### Sample response
+
+```json
+{
+  "data": {
+    "crl": "<PEM encoded crl>"
   }
 }
+```
+
+### Tidy
+
+This endpoint allows tidying up the storage backend and/or CRL by removing
+certificates that have expired and are past a certain buffer period beyond their
+expiration time.
+
+| Method | Path        |
+| :----- | :---------- |
+| `POST` | `/pki/tidy` |
+
+~> Note: it is encouraged to use the [automatic tidy capabilities](#configure-automatic-tidy)
+   to ensure this gets run periodically.
+
+#### Parameters
+
+- `tidy_cert_store` `(bool: false)` - Specifies whether to tidy up the certificate
+  store.
+
+- `tidy_revoked_certs` `(bool: false)` - Set to true to remove all invalid and
+  expired certificates from storage. A revoked storage entry is considered
+  invalid if the entry is empty, or the value within the entry is empty. If a
+  certificate is removed due to expiry, the entry will also be removed from the
+  CRL, and the CRL will be rotated.
+
+- `tidy_revoked_cert_issuer_associations` `(bool: false)` - Set to true to associate
+  revoked certificates with their corresponding issuers; this improves the
+  performance of OCSP and CRL building, by shifting work to a tidy operation
+  instead.
+
+~> Note: With multiple issuers, a CA which issued a particular revoked
+   certificate may be removed and re-added, resulting in a different issuer
+   ID value. When building CRLs, these links are automatically updated for any
+   missing or added issuers, but during OCSP this value is computed and then
+   discarded, potentially causing a performance penalty on each request.
+   During regular CA operations, it is not necessary to run this operation.
+   <br /><br />
+   It is suggested to run this tidy when removing or importing new issuers and
+   on the first upgrade to a post-1.11 Vault version, but otherwise not to run
+   it during automatic tidy operations.
+
+- `tidy_expired_issuers` `(bool: false)` - Set to true to automatically remove
+  expired issuers after the `issuer_safety_buffer` duration has elapsed. We
+  log the issuer certificate on removal to allow recovery; no keys are removed
+  during this process.
+
+~> Note: The default issuer will not be removed even if it has expired and is
+   past the `issuer_safety_buffer` specified.
+
+- `tidy_move_legacy_ca_bundle` `(bool: false)` - Set to true to backup any
+  legacy CA/issuers bundle (from Vault versions earlier than 1.11) to
+  `config/ca_bundle.bak`. This can be restored with `sys/raw` back to
+  `config/ca_bundle` if necessary, but won't impact mount startup (as
+  mounts will attempt to read the latter and do a migration of CA issuers
+  if present). Migration will only occur after `issuer_safety_buffer` has
+  passed since the last successful migration.
+
+- `tidy_revocation_queue` `(bool: false)` - Set to true to remove stale
+  revocation request entries that haven't been confirmed by any active
+  node of a performance replication (PR) cluster. Only runs on the active
+  node of the primary cluster.
+
+~> Note: this tidy is only applicable on Vault Enterprise.
+
+- `tidy_cross_cluster_revoked_certs` `(bool: false)` - Set to true to remove
+  expired, cross-cluster revocation entries. This is the cross-cluster
+  equivalent of `tidy_revoked_certs`. Only runs on the active node of the
+  primary cluster.
+
+~> Note: this tidy is only applicable on Vault Enterprise.
+
+- `safety_buffer` `(string: "")` - Specifies a duration using [duration format strings](/vault/docs/concepts/duration-format)
+  used as a safety buffer to ensure certificates are not expunged prematurely; as an example, this can keep
+  certificates from being removed from the CRL that, due to clock skew, might
+  still be considered valid on other hosts. For a certificate to be expunged,
+  the time must be after the expiration time of the certificate (according to
+  the local clock) plus the duration of `safety_buffer`. Defaults to `72h`.
+
+- `issuer_safety_buffer` `(string: "")` - Specifies a duration that issuers
+  should be kept for, past their `NotAfter` validity period. Defaults to
+  365 days as hours (`8760h`).
+
+- `pause_duration` `(string: "0s")` - Specifies the duration to pause
+  between tidying individual certificates. This releases the revocation
+  lock and allows other operations to continue while tidy is paused.
+  This allows an operator to control tidy's resource utilization within
+  a timespan: the LIST operation will remain in memory, but the space
+  between reading, parsing, and updates on-disk cert entries will be
+  increased, decreasing resource utilization.
+
+  Does not affect `tidy_expired_issuers`.
+
+~> Note: Using too long of a `pause_duration` can result in tidy operations
+   not concluding during this lifetime! Using too short of a pause duration
+   (but non-zero) can lead to lock contention. Use [tidy's cancellation](#cancel-tidy)
+   to stop a running operation after the sleep period is over.
+
+- `revocation_queue_safety_buffer` `(string: "")` - Specifies a duration
+  after which cross-cluster revocation requests will be removed as expired.
+  This should be set high enough that, if a cluster disappears for a while
+  but later comes back, any revocation requests which it should process will
+  still be there, but not too long as to fill up storage with too many invalid
+  requests. Defaults to `48h`.
+
+ - `tidy_acme` `(bool: false)` - Set to true to tidy stale ACME accounts,
+   orders, authorizations, EABs, and challenges. ACME orders are tidied (deleted)
+   `safety_buffer` after the certificate associated with them expires, or after
+   the order and relevant authorizations have expired if no certificate was
+   produced. Authorizations are tidied with the corresponding order.
+
+   When a valid ACME Account is at least `acme_account_safety_buffer`
+   old, and has no remaining orders associated with it, the account is
+   marked as revoked. After another `acme_account_safety_buffer` has
+   passed from the revocation or deactivation date, a revoked or
+   deactivated ACME account is deleted.
+
+ - `acme_account_safety_buffer` `(string: "720h")` - The amount of time that
+   must pass after creation that an account with no orders is marked revoked,
+   and the amount of time after being marked revoked or deactivated. The
+   default is 30 days as hours.
+
+#### Sample payload
+
+```json
+{
+  "safety_buffer": "24h"
+}
+```
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/tidy
+```
+
+### Read automatic tidy configuration
+
+This endpoint fetches the current automatic tidy configuration.
+
+This is the combination of the periodic invocation parameters described
+[in the below write handler](#set-automatic-tidy-configuration) and
+the tidy parameters [described above in the tidy endpoint](#tidy).
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `GET`  | `/pki/config/auto-tidy` |
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/pki/config/auto-tidy
+```
+
+#### Sample response
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "enabled": false,
+    "interval_duration": 43200,
+    "issuer_safety_buffer": 31536000,
+    "maintain_stored_certificate_counts": false,
+    "pause_duration": "0s",
+    "publish_stored_certificate_count_metrics": false,
+    "revocation_queue_safety_buffer": 172800,
+    "safety_buffer": 259200,
+    "tidy_cert_store": false,
+    "tidy_cross_cluster_revoked_certs": false,
+    "tidy_expired_issuers": false,
+    "tidy_move_legacy_ca_bundle": false,
+    "tidy_revocation_queue": false,
+    "tidy_revoked_cert_issuer_associations": false,
+    "tidy_revoked_certs": false
+  },
+  "auth": null
+}
+```
+
+<a name="configure-automatic-tidy"></a>
+
+### Set automatic tidy configuration
+
+This endpoint allows configuring periodic tidy operations, using the tidy mechanism
+described above. Status is from automatically run tidies are still reported at the
+status endpoint described below.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `POST` | `/pki/config/auto-tidy` |
+
+#### Parameters
+
+The below parameters are in addition to the regular parameters accepted by the
+[`/pki/tidy` endpoint](#tidy) documented above.
+
+- `enabled` `(bool: false)` - Specifies whether automatic tidy is enabled or not.
+
+- `interval_duration` `(string: "")` - Specifies the duration between automatic tidy
+  operations; note that this is from the end of one operation to the start of
+  the next so the time of the operation itself does not need to be considered.
+  Defaults to 12h
+
+- `maintain_stored_certificate_counts` `(bool: false)` - When enabled,
+  maintains expensive counts of certificates. During initialization of the
+  mount, a LIST of all certificates is performed to get a baseline figure and
+  throughout operations like issuance, revocation, and subsequent tidies, the
+  figure is updated.
+
+~> *Note*: It is strongly recommend to not enable this value if 50k or more
+   certificates are stored in the mount or if many PKI mounts are in use in
+   this cluster. Instead, use audit logs and aggregate this data externally
+   to Vault so as not to impact Vault performance.
+
+- `publish_stored_certificate_count_metrics` `(bool: false)` - When enabled,
+  publishes the value computed by `maintain_stored_certificate_counts` to
+  the mount's metrics. This requires the former to be enabled.
+
+#### Sample payload
+
+```json
+{
+  "enabled": true,
+  "tidy_revoked_cert_issuer_associations": true,
+  "safety_buffer": "24h"
+}
+```
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/config/auto-tidy
+```
+
+### Tidy status
+
+This is a read only endpoint that returns information about the current tidy
+operation, or the most recent if none are currently running.
+
+The result includes the following fields:
+
+* `safety_buffer`: the value of this parameter when initiating the tidy operation
+* `tidy_cert_store`: the value of this parameter when initiating the tidy operation
+* `tidy_revoked_certs`: the value of this parameter when initiating the tidy operation
+* `state`: one of *Inactive*, *Running*, *Finished*, *Error*, *Cancelling*, or *Cancelled*
+* `error`: the error message, if the operation ran into an error
+* `time_started`: the time the operation started
+* `time_finished`: the time the operation finished
+* `message`: One of *Tidying certificate store: checking entry N of TOTAL* or
+  *Tidying revoked certificates: checking certificate N of TOTAL*
+* `cert_store_deleted_count`: The number of certificate storage entries deleted
+* `revoked_cert_deleted_count`: The number of revoked certificate entries deleted
+* `missing_issuer_cert_count`: The number of revoked certificates which were missing a valid issuer reference
+* `tidy_expired_issuers`: the value of this parameter when initiating the tidy operation
+* `issuer_safety_buffer`: the value of this parameter when initiating the tidy operation
+* `tidy_move_legacy_ca_bundle`: the value of this parameter when initiating the tidy operation
+* `tidy_revocation_queue`: the value of this parameter when initiating the tidy operation
+* `revocation_queue_deleted_count`: the number of revocation queue entries deleted
+* `tidy_cross_cluster_revoked_certs`: the value of this parameter when initiating the tidy operation
+* `cross_revoked_cert_deleted_count`: the number of cross-cluster revoked certificate entries deleted
+* `revocation_queue_safety_buffer`: the value of this parameter when initiating the tidy operation
+* `pause_duration`: the value of this parameter when initiating the tidy operation
+* `last_auto_tidy_finished`: the time when the last auto-tidy operation finished; may be different than `time_finished` especially if the last operation was a manually executed tidy operation. Set to current time at mount time to delay the initial auto-tidy operation; not persisted.
+
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `/pki/tidy-status` |
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    http://127.0.0.1:8200/v1/pki/tidy-status
+
+```
+
+#### Sample response
+
+```json
+  "data": {
+    "safety_buffer": 60,
+    "tidy_cert_store": true,
+    "tidy_revoked_certs": true,
+    "error": null,
+    "message": "Tidying certificate store: checking entry 234 of 488",
+    "revoked_cert_deleted_count": 0,
+    "cert_store_deleted_count": 2,
+    "state": "Running",
+    "time_started": "2021-10-20T14:52:13.510161-04:00",
+    "time_finished": null
+  },
+```
+
+### Cancel tidy
+
+This endpoint allows cancelling a running tidy operation. It takes no
+parameter and cancels the tidy at the next available checkpoint, which
+may process additional certificates between when the operation was
+marked as cancelled and when the operation stopped.
+
+The response to this endpoint is the same as the [status](#tidy-status).
+
+| Method | Path               |
+| :----- | :----------------- |
+| `POST` | `/pki/tidy-cancel` |
+
+#### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/pki/tidy-cancel
+
+```
+
+#### Sample response
+
+```json
+  "data": {
+    "safety_buffer": 60,
+    "tidy_cert_store": true,
+    "tidy_revoked_certs": true,
+    "error": null,
+    "message": "Tidying certificate store: checking entry 234 of 488",
+    "revoked_cert_deleted_count": 0,
+    "cert_store_deleted_count": 2,
+    "state": "Cancelling",
+    "time_started": "2021-10-20T14:52:13.510161-04:00",
+    "time_finished": null
+  },
+```
+
+---
+
+## Cluster scalability
+
+See [PKI Cluster Scalability](/vault/docs/secrets/pki/considerations#cluster-scalability) in the considerations page.
+
+## Managed keys
+
+~> Note: Managed keys are an Enterprise only feature.
+
+The [Generate Root](#generate-root) and [Generate Intermediate](#generate-intermediate)
+API calls can leverage the Managed Keys feature, delegating operations that
+require private key material to an external system.
+
+To leverage a Managed Key, assuming it has already been configured, set the type
+parameter to `kms` within either, [Generate Root](#generate-root) or
+[Generate Intermediate](#generate-intermediate) APIs, and one of either
+`managed_key_name` or `managed_key_id` parameters specifying a Managed Key to use.
+As with the `internal` type for those APIs, if the type parameter is set to `kms`,
+there is no way to read/fetch the private key.
+
+The API call will fail if the specified Managed Key is not properly configured or
+arguments detailing private key attributes are specified such as `key_type` or
+`key_bits`.
+
+Once either of the certificate APIs have successfully executed, all other PKI
+operations behave the same, with no other special configuration or parameters required.
+
+
+## Vault CLI with DER/PEM responses
+
+The Vault CLI can only display JSON responses. For APIs that return non-JSON formatted
+data such as DER and PEM formats, `vault read` will fail without the `-format=raw`
+option added in Vault 1.13 or another client such as `curl` must be used.
diff --git a/ui/app/styles/components/vlt-table.scss b/ui/app/styles/components/vlt-table.scss
index 1d397c0db77c..0ae44499fb96 100644
--- a/ui/app/styles/components/vlt-table.scss
+++ b/ui/app/styles/components/vlt-table.scss
@@ -1,63 +1,384 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-.vlt-table {
-  .is-collapsed {
-    visibility: collapse;
-    height: 0;
-  }
-
-  &.sticky-header {
-    thead th {
-      position: sticky;
-      background: #fff;
-      box-shadow: 0 1px 0px 0px rgba($grey-dark, 0.3);
-      top: 0;
-    }
-  }
-
-  table {
-    border-collapse: collapse;
-    border-spacing: 0;
-  }
-
-  th,
-  td {
-    padding: $spacing-12;
-  }
-
-  th {
-    color: $grey-dark;
-    font-weight: 500;
-    font-size: $size-8;
-    text-align: left;
-    vertical-align: top;
-  }
-
-  tbody th {
-    font-size: $size-7;
-  }
-
-  tr {
-    border-bottom: 1px solid $grey-light;
-  }
-
-  td {
-    color: $grey-darkest;
-  }
-
-  td.middle {
-    vertical-align: middle;
-  }
-
-  td.no-padding {
-    padding: 0;
-  }
-
-  code {
-    font-size: $size-7;
-    color: $black;
-  }
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/hashicorp/vault/command/healthcheck"
+
+	"github.com/ghodss/yaml"
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
+	"github.com/ryanuber/columnize"
+)
+
+const (
+	pkiRetOK int = iota
+	pkiRetUsage
+	pkiRetInformational
+	pkiRetWarning
+	pkiRetCritical
+	pkiRetInvalidVersion
+	pkiRetInsufficientPermissions
+)
+
+var (
+	_ cli.Command             = (*PKIHealthCheckCommand)(nil)
+	_ cli.CommandAutocomplete = (*PKIHealthCheckCommand)(nil)
+
+	// Ensure the above return codes match (outside of OK/Usage) the values in
+	// the healthcheck package.
+	_ = pkiRetInformational == int(healthcheck.ResultInformational)
+	_ = pkiRetWarning == int(healthcheck.ResultWarning)
+	_ = pkiRetCritical == int(healthcheck.ResultCritical)
+	_ = pkiRetInvalidVersion == int(healthcheck.ResultInvalidVersion)
+	_ = pkiRetInsufficientPermissions == int(healthcheck.ResultInsufficientPermissions)
+)
+
+type PKIHealthCheckCommand struct {
+	*BaseCommand
+
+	flagConfig          string
+	flagReturnIndicator string
+	flagDefaultDisabled bool
+	flagList            bool
+}
+
+func (c *PKIHealthCheckCommand) Synopsis() string {
+	return "Check a PKI Secrets Engine mount's health and operational status"
+}
+
+func (c *PKIHealthCheckCommand) Help() string {
+	helpText := `
+Usage: vault pki health-check [options] MOUNT
+
+  Reports status of the specified mount against best practices and pending
+  failures. This is an informative command and not all recommendations will
+  apply to all mounts; consider using a configuration file to tune the
+  executed health checks.
+
+  To check the pki-root mount with default configuration:
+
+      $ vault pki health-check pki-root
+
+  To specify a configuration:
+
+      $ vault pki health-check -health-config=mycorp-root.json /pki-root
+
+  Return codes indicate failure type:
+
+      0 - Everything is good.
+      1 - Usage error (check CLI parameters).
+	  2 - Informational message from a health check.
+	  3 - Warning message from a health check.
+	  4 - Critical message from a health check.
+	  5 - A version mismatch between health check and Vault Server occurred,
+	      preventing one or more health checks from being run.
+      6 - A permission denied message was returned from Vault Server for
+	      one or more health checks.
+
+For more detailed information, refer to the online documentation about the
+vault pki health-check command.
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *PKIHealthCheckCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+	f := set.NewFlagSet("Command Options")
+
+	f.StringVar(&StringVar{
+		Name:    "health-config",
+		Target:  &c.flagConfig,
+		Default: "",
+		EnvVar:  "",
+		Usage:   "Path to JSON configuration file to modify health check execution and parameters.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "return-indicator",
+		Target:     &c.flagReturnIndicator,
+		Default:    "default",
+		EnvVar:     "",
+		Completion: complete.PredictSet("default", "informational", "warning", "critical", "permission"),
+		Usage: `Behavior of the return value:
+ - permission, for exiting with a non-zero code when the tool lacks
+               permissions or has a version mismatch with the server;
+ - critical, for exiting with a non-zero code when a check returns a
+             critical status in addition to the above;
+ - warning, for exiting with a non-zero status when a check returns a
+            warning status in addition to the above;
+ - informational, for exiting with a non-zero status when a check returns
+                  an informational status in addition to the above;
+ - default, for the default behavior based on severity of message and
+            only returning a zero exit status when all checks have passed
+			and no execution errors have occurred.
+		`,
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "default-disabled",
+		Target:  &c.flagDefaultDisabled,
+		Default: false,
+		EnvVar:  "",
+		Usage: `When specified, results in all health checks being disabled by
+default unless enabled by the configuration file explicitly.`,
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "list",
+		Target:  &c.flagList,
+		Default: false,
+		EnvVar:  "",
+		Usage: `When specified, no health checks are run, but all known health
+checks are printed.`,
+	})
+
+	return set
+}
+
+func (c *PKIHealthCheckCommand) isValidRetIndicator() bool {
+	switch c.flagReturnIndicator {
+	case "", "default", "informational", "warning", "critical", "permission":
+		return true
+	default:
+		return false
+	}
+}
+
+func (c *PKIHealthCheckCommand) AutocompleteArgs() complete.Predictor {
+	// Return an anything predictor here, similar to `vault write`. We
+	// don't know what values are valid for the mount path.
+	return complete.PredictAnything
+}
+
+func (c *PKIHealthCheckCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *PKIHealthCheckCommand) Run(args []string) int {
+	// Parse and validate the arguments.
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return pkiRetUsage
+	}
+
+	args = f.Args()
+	if !c.flagList && len(args) < 1 {
+		c.UI.Error("Not enough arguments (expected mount path, got nothing)")
+		return pkiRetUsage
+	} else if !c.flagList && len(args) > 1 {
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected only mount path, got %d arguments)", len(args)))
+		for _, arg := range args {
+			if strings.HasPrefix(arg, "-") {
+				c.UI.Warn(fmt.Sprintf("Options (%v) must be specified before positional arguments (%v)", arg, args[0]))
+				break
+			}
+		}
+		return pkiRetUsage
+	}
+
+	if !c.isValidRetIndicator() {
+		c.UI.Error(fmt.Sprintf("Invalid flag -return-indicator=%v; known options are default, informational, warning, critical, and permission", c.flagReturnIndicator))
+		return pkiRetUsage
+	}
+
+	// Setup the client and the executor.
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return pkiRetUsage
+	}
+
+	// When listing is enabled, we lack an argument here, but do not contact
+	// the server at all, so we're safe to use a hard-coded default here.
+	pkiPath := "<mount>"
+	if len(args) == 1 {
+		pkiPath = args[0]
+	}
+
+	mount := sanitizePath(pkiPath)
+	executor := healthcheck.NewExecutor(client, mount)
+	executor.AddCheck(healthcheck.NewCAValidityPeriodCheck())
+	executor.AddCheck(healthcheck.NewCRLValidityPeriodCheck())
+	executor.AddCheck(healthcheck.NewHardwareBackedRootCheck())
+	executor.AddCheck(healthcheck.NewRootIssuedLeavesCheck())
+	executor.AddCheck(healthcheck.NewRoleAllowsLocalhostCheck())
+	executor.AddCheck(healthcheck.NewRoleAllowsGlobWildcardsCheck())
+	executor.AddCheck(healthcheck.NewRoleNoStoreFalseCheck())
+	executor.AddCheck(healthcheck.NewAuditVisibilityCheck())
+	executor.AddCheck(healthcheck.NewAllowIfModifiedSinceCheck())
+	executor.AddCheck(healthcheck.NewEnableAutoTidyCheck())
+	executor.AddCheck(healthcheck.NewTidyLastRunCheck())
+	executor.AddCheck(healthcheck.NewTooManyCertsCheck())
+	executor.AddCheck(healthcheck.NewEnableAcmeIssuance())
+	executor.AddCheck(healthcheck.NewAllowAcmeHeaders())
+	if c.flagDefaultDisabled {
+		executor.DefaultEnabled = false
+	}
+
+	// Handle listing, if necessary.
+	if c.flagList {
+		uiFormat := Format(c.UI)
+		if uiFormat == "yaml" {
+			c.UI.Error("YAML output format is not supported by the --list command")
+			return pkiRetUsage
+		}
+
+		if uiFormat != "json" {
+			c.UI.Output("Default health check config:")
+		}
+		config := map[string]map[string]interface{}{}
+		for _, checker := range executor.Checkers {
+			config[checker.Name()] = checker.DefaultConfig()
+		}
+
+		marshaled, err := json.MarshalIndent(config, "", "  ")
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Failed to marshal default config for check: %v", err))
+			return pkiRetUsage
+		}
+
+		c.UI.Output(string(marshaled))
+		return pkiRetOK
+	}
+
+	// Handle config merging.
+	external_config := map[string]interface{}{}
+	if c.flagConfig != "" {
+		contents, err := os.Open(c.flagConfig)
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Failed to read configuration file %v: %v", c.flagConfig, err))
+			return pkiRetUsage
+		}
+
+		decoder := json.NewDecoder(contents)
+		decoder.UseNumber() // Use json.Number instead of float64 values as we are decoding to an interface{}.
+
+		if err := decoder.Decode(&external_config); err != nil {
+			c.UI.Error(fmt.Sprintf("Failed to parse configuration file %v: %v", c.flagConfig, err))
+			return pkiRetUsage
+		}
+	}
+
+	if err := executor.BuildConfig(external_config); err != nil {
+		c.UI.Error(fmt.Sprintf("Failed to build health check configuration: %v", err))
+		return pkiRetUsage
+	}
+
+	// Run the health checks.
+	results, err := executor.Execute()
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Failed to run health check: %v", err))
+		return pkiRetUsage
+	}
+
+	// Display the output.
+	if err := c.outputResults(executor, results); err != nil {
+		c.UI.Error(fmt.Sprintf("Failed to render results for display: %v", err))
+	}
+
+	// Select an appropriate return code.
+	return c.selectRetCode(results)
+}
+
+func (c *PKIHealthCheckCommand) outputResults(e *healthcheck.Executor, results map[string][]*healthcheck.Result) error {
+	switch Format(c.UI) {
+	case "", "table":
+		return c.outputResultsTable(e, results)
+	case "json":
+		return c.outputResultsJSON(results)
+	case "yaml":
+		return c.outputResultsYAML(results)
+	default:
+		return fmt.Errorf("unknown output format: %v", Format(c.UI))
+	}
+}
+
+func (c *PKIHealthCheckCommand) outputResultsTable(e *healthcheck.Executor, results map[string][]*healthcheck.Result) error {
+	// Iterate in checker order to ensure stable output.
+	for _, checker := range e.Checkers {
+		if !checker.IsEnabled() {
+			continue
+		}
+
+		scanner := checker.Name()
+		findings := results[scanner]
+
+		c.UI.Output(scanner)
+		c.UI.Output(strings.Repeat("-", len(scanner)))
+		data := []string{"status" + hopeDelim + "endpoint" + hopeDelim + "message"}
+		for _, finding := range findings {
+			row := []string{
+				finding.StatusDisplay,
+				finding.Endpoint,
+				finding.Message,
+			}
+			data = append(data, strings.Join(row, hopeDelim))
+		}
+
+		c.UI.Output(tableOutput(data, &columnize.Config{
+			Delim: hopeDelim,
+		}))
+		c.UI.Output("\n")
+	}
+
+	return nil
+}
+
+func (c *PKIHealthCheckCommand) outputResultsJSON(results map[string][]*healthcheck.Result) error {
+	bytes, err := json.MarshalIndent(results, "", "  ")
+	if err != nil {
+		return err
+	}
+
+	c.UI.Output(string(bytes))
+	return nil
+}
+
+func (c *PKIHealthCheckCommand) outputResultsYAML(results map[string][]*healthcheck.Result) error {
+	bytes, err := yaml.Marshal(results)
+	if err != nil {
+		return err
+	}
+
+	c.UI.Output(string(bytes))
+	return nil
+}
+
+func (c *PKIHealthCheckCommand) selectRetCode(results map[string][]*healthcheck.Result) int {
+	var highestResult healthcheck.ResultStatus = healthcheck.ResultNotApplicable
+	for _, findings := range results {
+		for _, finding := range findings {
+			if finding.Status > highestResult {
+				highestResult = finding.Status
+			}
+		}
+	}
+
+	cutOff := healthcheck.ResultInformational
+	switch c.flagReturnIndicator {
+	case "", "default", "informational":
+	case "permission":
+		cutOff = healthcheck.ResultInvalidVersion
+	case "critical":
+		cutOff = healthcheck.ResultCritical
+	case "warning":
+		cutOff = healthcheck.ResultWarning
+	}
+
+	if highestResult >= cutOff {
+		return int(highestResult)
+	}
+
+	return pkiRetOK
 }
diff --git a/ui/app/styles/core.scss b/ui/app/styles/core.scss
index 92d50091f681..5f86b3b97f7e 100644
--- a/ui/app/styles/core.scss
+++ b/ui/app/styles/core.scss
@@ -1,117 +1,694 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-// Variables
-@import './utils/color_variables'; // colors need to come first.
-@import './utils/box-shadow_variables';
-@import './utils/font_variables';
-@import './utils/size_variables';
-
-// Element styling
-@import './core/element-styling';
-
-// Mixins
-@import './utils/mixins';
-@import './utils/animations';
-
-// Open-api styling
-@import './utils/swagger';
-
-// Core Styles: each file styles a class that is not associated with a component. Ex: box and not box-label.
-@import './core/box';
-@import './core/breadcrumb';
-@import './core/buttons';
-@import './core/charts';
-@import './core/checkbox-and-radio';
-@import './core/columns';
-@import './core/containers';
-@import './core/control';
-@import './core/field';
-@import './core/file';
-@import './core/footer';
-@import './core/inputs';
-@import './core/json-diff-patch';
-@import './core/label';
-@import './core/level';
-@import './core/link';
-@import './core/lists';
-@import './core/menu';
-@import './core/message';
-@import './core/progress';
-@import './core/select';
-@import './core/tag';
-@import './core/title';
-@import './core/toggle';
-
-// Helpers
-@import './helper-classes/colors';
-@import './helper-classes/flexbox-and-grid';
-@import './helper-classes/layout';
-@import './helper-classes/general';
-@import './helper-classes/spacing';
-@import './helper-classes/typography';
-
-// Component specific styling
-@import './components/auth-form';
-@import './components/autocomplete-input';
-@import './components/b64-toggle';
-@import './components/box-label';
-@import './components/calendar-widget';
-@import './components/cluster-banners';
-@import './components/codemirror';
-@import './components/console-ui-panel';
-@import './components/control-group';
-@import './components/doc-link';
-@import './components/empty-state-component';
-@import './components/env-banner';
-@import './components/features-selection';
-@import './components/form-section';
-@import './components/global-flash';
-@import './components/icon';
-@import './components/init-illustration';
-@import './components/info-table-row';
-@import './components/kmip-role-edit';
-@import './components/known-secondaries-card.scss';
-@import './components/linked-block';
-@import './components/list-item-row';
-@import './components/loader';
-@import './components/login-form';
-@import './components/masked-input';
-@import './components/namespace-picker';
-@import './components/namespace-reminder';
-@import './components/navigate-input';
-@import './components/overview-card';
-@import './components/page-header-old';
-@import './components/popup-menu';
-@import './components/radio-card';
-@import './components/radial-progress';
-@import './components/raft-join';
-@import './components/read-more';
-@import './components/regex-validator';
-@import './components/replication-dashboard';
-@import './components/replication-mode-summary';
-@import './components/replication-page';
-@import './components/replication-summary';
-@import './components/role-item';
-@import './components/search-select';
-@import './components/selectable-card';
-@import './components/selectable-card-container';
-@import './components/secrets-engines-card';
-@import './components/action-block';
-@import './components/shamir-progress';
-@import './components/sidebar';
-@import './components/splash-page';
-@import './components/stat-text';
-@import './components/tabs-component';
-@import './components/text-file';
-@import './components/toolbar';
-@import './components/tool-tip';
-@import './components/transform-edit';
-@import './components/transit-card';
-@import './components/ttl-picker';
-@import './components/unseal-warning';
-// @import './components/ui-wizard'; // remove, see PR https://github.com/hashicorp/vault/pull/19220
-@import './components/vault-loading';
-@import './components/vlt-table';
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/url"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/command/healthcheck"
+
+	"github.com/hashicorp/cli"
+	"github.com/stretchr/testify/require"
+)
+
+func TestPKIHC_AllGood(t *testing.T) {
+	t.Parallel()
+
+	client, closer := testVaultServer(t)
+	defer closer()
+
+	if err := client.Sys().Mount("pki", &api.MountInput{
+		Type: "pki",
+		Config: api.MountConfigInput{
+			AuditNonHMACRequestKeys:   healthcheck.VisibleReqParams,
+			AuditNonHMACResponseKeys:  healthcheck.VisibleRespParams,
+			PassthroughRequestHeaders: []string{"If-Modified-Since"},
+			AllowedResponseHeaders:    []string{"Last-Modified", "Replay-Nonce", "Link", "Location"},
+			MaxLeaseTTL:               "36500d",
+		},
+	}); err != nil {
+		t.Fatalf("pki mount error: %#v", err)
+	}
+
+	if resp, err := client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
+		"key_type":    "ec",
+		"common_name": "Root X1",
+		"ttl":         "3650d",
+	}); err != nil || resp == nil {
+		t.Fatalf("failed to prime CA: %v", err)
+	}
+
+	if _, err := client.Logical().Read("pki/crl/rotate"); err != nil {
+		t.Fatalf("failed to rotate CRLs: %v", err)
+	}
+
+	if _, err := client.Logical().Write("pki/roles/testing", map[string]interface{}{
+		"allow_any_name": true,
+		"no_store":       true,
+	}); err != nil {
+		t.Fatalf("failed to write role: %v", err)
+	}
+
+	if _, err := client.Logical().Write("pki/config/auto-tidy", map[string]interface{}{
+		"enabled":         true,
+		"tidy_cert_store": true,
+	}); err != nil {
+		t.Fatalf("failed to write auto-tidy config: %v", err)
+	}
+
+	if _, err := client.Logical().Write("pki/tidy", map[string]interface{}{
+		"tidy_cert_store": true,
+	}); err != nil {
+		t.Fatalf("failed to run tidy: %v", err)
+	}
+
+	path, err := url.Parse(client.Address())
+	require.NoError(t, err, "failed parsing client address")
+
+	if _, err := client.Logical().Write("pki/config/cluster", map[string]interface{}{
+		"path": path.JoinPath("/v1/", "pki/").String(),
+	}); err != nil {
+		t.Fatalf("failed to update local cluster: %v", err)
+	}
+
+	if _, err := client.Logical().Write("pki/config/acme", map[string]interface{}{
+		"enabled": "true",
+	}); err != nil {
+		t.Fatalf("failed to update acme config: %v", err)
+	}
+
+	_, _, results := execPKIHC(t, client, true)
+
+	validateExpectedPKIHC(t, expectedAllGood, results)
+}
+
+func TestPKIHC_AllBad(t *testing.T) {
+	t.Parallel()
+
+	client, closer := testVaultServer(t)
+	defer closer()
+
+	if err := client.Sys().Mount("pki", &api.MountInput{
+		Type: "pki",
+	}); err != nil {
+		t.Fatalf("pki mount error: %#v", err)
+	}
+
+	if resp, err := client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
+		"key_type":    "ec",
+		"common_name": "Root X1",
+		"ttl":         "35d",
+	}); err != nil || resp == nil {
+		t.Fatalf("failed to prime CA: %v", err)
+	}
+
+	if _, err := client.Logical().Write("pki/config/crl", map[string]interface{}{
+		"expiry": "5s",
+	}); err != nil {
+		t.Fatalf("failed to issue leaf cert: %v", err)
+	}
+
+	if _, err := client.Logical().Read("pki/crl/rotate"); err != nil {
+		t.Fatalf("failed to rotate CRLs: %v", err)
+	}
+
+	time.Sleep(5 * time.Second)
+
+	if _, err := client.Logical().Write("pki/roles/testing", map[string]interface{}{
+		"allow_localhost":             true,
+		"allowed_domains":             "*.example.com",
+		"allow_glob_domains":          true,
+		"allow_wildcard_certificates": true,
+		"no_store":                    false,
+		"key_type":                    "ec",
+		"ttl":                         "30d",
+	}); err != nil {
+		t.Fatalf("failed to write role: %v", err)
+	}
+
+	if _, err := client.Logical().Write("pki/issue/testing", map[string]interface{}{
+		"common_name": "something.example.com",
+	}); err != nil {
+		t.Fatalf("failed to issue leaf cert: %v", err)
+	}
+
+	if _, err := client.Logical().Write("pki/config/auto-tidy", map[string]interface{}{
+		"enabled":         false,
+		"tidy_cert_store": false,
+	}); err != nil {
+		t.Fatalf("failed to write auto-tidy config: %v", err)
+	}
+
+	_, _, results := execPKIHC(t, client, true)
+
+	validateExpectedPKIHC(t, expectedAllBad, results)
+}
+
+func TestPKIHC_OnlyIssuer(t *testing.T) {
+	t.Parallel()
+
+	client, closer := testVaultServer(t)
+	defer closer()
+
+	if err := client.Sys().Mount("pki", &api.MountInput{
+		Type: "pki",
+	}); err != nil {
+		t.Fatalf("pki mount error: %#v", err)
+	}
+
+	if resp, err := client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
+		"key_type":    "ec",
+		"common_name": "Root X1",
+		"ttl":         "35d",
+	}); err != nil || resp == nil {
+		t.Fatalf("failed to prime CA: %v", err)
+	}
+
+	_, _, results := execPKIHC(t, client, true)
+	validateExpectedPKIHC(t, expectedEmptyWithIssuer, results)
+}
+
+func TestPKIHC_NoMount(t *testing.T) {
+	t.Parallel()
+
+	client, closer := testVaultServer(t)
+	defer closer()
+
+	code, message, _ := execPKIHC(t, client, false)
+	if code != 1 {
+		t.Fatalf("Expected return code 1 from invocation on non-existent mount, got %v\nOutput: %v", code, message)
+	}
+
+	if !strings.Contains(message, "route entry not found") {
+		t.Fatalf("Expected failure to talk about missing route entry, got exit code %v\nOutput: %v", code, message)
+	}
+}
+
+func TestPKIHC_ExpectedEmptyMount(t *testing.T) {
+	t.Parallel()
+
+	client, closer := testVaultServer(t)
+	defer closer()
+
+	if err := client.Sys().Mount("pki", &api.MountInput{
+		Type: "pki",
+	}); err != nil {
+		t.Fatalf("pki mount error: %#v", err)
+	}
+
+	code, message, _ := execPKIHC(t, client, false)
+	if code != 1 {
+		t.Fatalf("Expected return code 1 from invocation on empty mount, got %v\nOutput: %v", code, message)
+	}
+
+	if !strings.Contains(message, "lacks any configured issuers,") {
+		t.Fatalf("Expected failure to talk about no issuers, got exit code %v\nOutput: %v", code, message)
+	}
+}
+
+func TestPKIHC_NoPerm(t *testing.T) {
+	t.Parallel()
+
+	client, closer := testVaultServer(t)
+	defer closer()
+
+	if err := client.Sys().Mount("pki", &api.MountInput{
+		Type: "pki",
+	}); err != nil {
+		t.Fatalf("pki mount error: %#v", err)
+	}
+
+	if resp, err := client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
+		"key_type":    "ec",
+		"common_name": "Root X1",
+		"ttl":         "35d",
+	}); err != nil || resp == nil {
+		t.Fatalf("failed to prime CA: %v", err)
+	}
+
+	if _, err := client.Logical().Write("pki/config/crl", map[string]interface{}{
+		"expiry": "5s",
+	}); err != nil {
+		t.Fatalf("failed to issue leaf cert: %v", err)
+	}
+
+	if _, err := client.Logical().Read("pki/crl/rotate"); err != nil {
+		t.Fatalf("failed to rotate CRLs: %v", err)
+	}
+
+	time.Sleep(5 * time.Second)
+
+	if _, err := client.Logical().Write("pki/roles/testing", map[string]interface{}{
+		"allow_localhost":             true,
+		"allowed_domains":             "*.example.com",
+		"allow_glob_domains":          true,
+		"allow_wildcard_certificates": true,
+		"no_store":                    false,
+		"key_type":                    "ec",
+		"ttl":                         "30d",
+	}); err != nil {
+		t.Fatalf("failed to write role: %v", err)
+	}
+
+	if _, err := client.Logical().Write("pki/issue/testing", map[string]interface{}{
+		"common_name": "something.example.com",
+	}); err != nil {
+		t.Fatalf("failed to issue leaf cert: %v", err)
+	}
+
+	if _, err := client.Logical().Write("pki/config/auto-tidy", map[string]interface{}{
+		"enabled":         false,
+		"tidy_cert_store": false,
+	}); err != nil {
+		t.Fatalf("failed to write auto-tidy config: %v", err)
+	}
+
+	// Remove client token.
+	client.ClearToken()
+
+	_, _, results := execPKIHC(t, client, true)
+	validateExpectedPKIHC(t, expectedNoPerm, results)
+}
+
+func testPKIHealthCheckCommand(tb testing.TB) (*cli.MockUi, *PKIHealthCheckCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &PKIHealthCheckCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func execPKIHC(t *testing.T, client *api.Client, ok bool) (int, string, map[string][]map[string]interface{}) {
+	t.Helper()
+
+	stdout := bytes.NewBuffer(nil)
+	stderr := bytes.NewBuffer(nil)
+	runOpts := &RunOptions{
+		Stdout: stdout,
+		Stderr: stderr,
+		Client: client,
+	}
+
+	code := RunCustom([]string{"pki", "health-check", "-format=json", "pki"}, runOpts)
+	combined := stdout.String() + stderr.String()
+
+	var results map[string][]map[string]interface{}
+	if err := json.Unmarshal([]byte(combined), &results); err != nil {
+		if ok {
+			t.Fatalf("failed to decode json (ret %v): %v\njson:\n%v", code, err, combined)
+		}
+	}
+
+	t.Log(combined)
+
+	return code, combined, results
+}
+
+func validateExpectedPKIHC(t *testing.T, expected, results map[string][]map[string]interface{}) {
+	t.Helper()
+
+	for test, subtest := range expected {
+		actual, ok := results[test]
+		require.True(t, ok, fmt.Sprintf("expected top-level test %v to be present", test))
+
+		if subtest == nil {
+			continue
+		}
+
+		require.NotNil(t, actual, fmt.Sprintf("expected top-level test %v to be non-empty; wanted wireframe format %v", test, subtest))
+		require.Equal(t, len(subtest), len(actual), fmt.Sprintf("top-level test %v has different number of results %v in wireframe, %v in test output\nwireframe: %v\noutput: %v\n", test, len(subtest), len(actual), subtest, actual))
+
+		for index, subset := range subtest {
+			for key, value := range subset {
+				a_value, present := actual[index][key]
+				require.True(t, present)
+				if value != nil {
+					require.Equal(t, value, a_value, fmt.Sprintf("in test: %v / result %v - when validating key %v\nWanted: %v\nGot: %v", test, index, key, subset, actual[index]))
+				}
+			}
+		}
+	}
+
+	for name := range results {
+		if _, present := expected[name]; !present {
+			t.Fatalf("got unexpected health check: %v\n%v", name, results[name])
+		}
+	}
+}
+
+var expectedAllGood = map[string][]map[string]interface{}{
+	"ca_validity_period": {
+		{
+			"status": "ok",
+		},
+	},
+	"crl_validity_period": {
+		{
+			"status": "ok",
+		},
+		{
+			"status": "ok",
+		},
+	},
+	"allow_acme_headers": {
+		{
+			"status": "ok",
+		},
+	},
+	"allow_if_modified_since": {
+		{
+			"status": "ok",
+		},
+	},
+	"audit_visibility": {
+		{
+			"status": "ok",
+		},
+	},
+	"enable_acme_issuance": {
+		{
+			"status": "ok",
+		},
+	},
+	"enable_auto_tidy": {
+		{
+			"status": "ok",
+		},
+	},
+	"role_allows_glob_wildcards": {
+		{
+			"status": "ok",
+		},
+	},
+	"role_allows_localhost": {
+		{
+			"status": "ok",
+		},
+	},
+	"role_no_store_false": {
+		{
+			"status": "ok",
+		},
+	},
+	"root_issued_leaves": {
+		{
+			"status": "ok",
+		},
+	},
+	"tidy_last_run": {
+		{
+			"status": "ok",
+		},
+	},
+	"too_many_certs": {
+		{
+			"status": "ok",
+		},
+	},
+}
+
+var expectedAllBad = map[string][]map[string]interface{}{
+	"ca_validity_period": {
+		{
+			"status": "critical",
+		},
+	},
+	"crl_validity_period": {
+		{
+			"status": "critical",
+		},
+		{
+			"status": "critical",
+		},
+	},
+	"allow_acme_headers": {
+		{
+			"status": "not_applicable",
+		},
+	},
+	"allow_if_modified_since": {
+		{
+			"status": "informational",
+		},
+	},
+	"audit_visibility": {
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+		{
+			"status": "informational",
+		},
+	},
+	"enable_acme_issuance": {
+		{
+			"status": "not_applicable",
+		},
+	},
+	"enable_auto_tidy": {
+		{
+			"status": "informational",
+		},
+	},
+	"role_allows_glob_wildcards": {
+		{
+			"status": "warning",
+		},
+	},
+	"role_allows_localhost": {
+		{
+			"status": "warning",
+		},
+	},
+	"role_no_store_false": {
+		{
+			"status": "warning",
+		},
+	},
+	"root_issued_leaves": {
+		{
+			"status": "warning",
+		},
+	},
+	"tidy_last_run": {
+		{
+			"status": "critical",
+		},
+	},
+	"too_many_certs": {
+		{
+			"status": "ok",
+		},
+	},
+}
+
+var expectedEmptyWithIssuer = map[string][]map[string]interface{}{
+	"ca_validity_period": {
+		{
+			"status": "critical",
+		},
+	},
+	"crl_validity_period": {
+		{
+			"status": "ok",
+		},
+		{
+			"status": "ok",
+		},
+	},
+	"allow_acme_headers": {
+		{
+			"status": "not_applicable",
+		},
+	},
+	"allow_if_modified_since": nil,
+	"audit_visibility":        nil,
+	"enable_acme_issuance": {
+		{
+			"status": "not_applicable",
+		},
+	},
+	"enable_auto_tidy": {
+		{
+			"status": "informational",
+		},
+	},
+	"role_allows_glob_wildcards": nil,
+	"role_allows_localhost":      nil,
+	"role_no_store_false":        nil,
+	"root_issued_leaves": {
+		{
+			"status": "ok",
+		},
+	},
+	"tidy_last_run": {
+		{
+			"status": "critical",
+		},
+	},
+	"too_many_certs": {
+		{
+			"status": "ok",
+		},
+	},
+}
+
+var expectedNoPerm = map[string][]map[string]interface{}{
+	"ca_validity_period": {
+		{
+			"status": "critical",
+		},
+	},
+	"crl_validity_period": {
+		{
+			"status": "insufficient_permissions",
+		},
+		{
+			"status": "critical",
+		},
+		{
+			"status": "critical",
+		},
+	},
+	"allow_acme_headers": {
+		{
+			"status": "insufficient_permissions",
+		},
+	},
+	"allow_if_modified_since": nil,
+	"audit_visibility":        nil,
+	"enable_acme_issuance": {
+		{
+			"status": "insufficient_permissions",
+		},
+	},
+	"enable_auto_tidy": {
+		{
+			"status": "insufficient_permissions",
+		},
+	},
+	"role_allows_glob_wildcards": {
+		{
+			"status": "insufficient_permissions",
+		},
+	},
+	"role_allows_localhost": {
+		{
+			"status": "insufficient_permissions",
+		},
+	},
+	"role_no_store_false": {
+		{
+			"status": "insufficient_permissions",
+		},
+	},
+	"root_issued_leaves": {
+		{
+			"status": "insufficient_permissions",
+		},
+	},
+	"tidy_last_run": {
+		{
+			"status": "insufficient_permissions",
+		},
+	},
+	"too_many_certs": {
+		{
+			"status": "insufficient_permissions",
+		},
+	},
+}
diff --git a/ui/app/styles/core/footer.scss b/ui/app/styles/core/footer.scss
index c3a193c309e5..862b55bb046b 100644
--- a/ui/app/styles/core/footer.scss
+++ b/ui/app/styles/core/footer.scss
@@ -1,20 +1,51 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-.footer {
-  background-color: transparent;
-  border-top: $base-border;
-  padding: $spacing-24 $spacing-20;
-  margin-top: auto;
-
-  span:not(:first-child) {
-    display: inline-block;
-    padding: 0 0.5rem;
-
-    @include until($mobile) {
-      display: none;
-    }
-  }
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+
+	"github.com/hashicorp/cli"
+)
+
+var _ cli.Command = (*PluginCommand)(nil)
+
+type PluginCommand struct {
+	*BaseCommand
+}
+
+func (c *PluginCommand) Synopsis() string {
+	return "Interact with Vault plugins and catalog"
+}
+
+func (c *PluginCommand) Help() string {
+	helpText := `
+Usage: vault plugin <subcommand> [options] [args]
+
+  This command groups subcommands for interacting with Vault's plugins and the
+  plugin catalog. The plugin catalog is divided into three types: "auth", 
+  "database", and "secret" plugins. A type must be specified on each call. Here 
+  are a few examples of the plugin commands.
+
+  List all available plugins in the catalog of a particular type:
+
+      $ vault plugin list database
+
+  Register a new plugin to the catalog as a particular type:
+
+      $ vault plugin register -sha256=d3f0a8b... auth my-custom-plugin
+
+  Get information about a plugin in the catalog listed under a particular type:
+
+      $ vault plugin info auth my-custom-plugin
+
+  Please see the individual subcommand help for detailed usage information.
+`
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *PluginCommand) Run(args []string) int {
+	return cli.RunResultHelp
 }
diff --git a/ui/app/styles/helper-classes/layout.scss b/ui/app/styles/helper-classes/layout.scss
index 4fa01150b685..1f1e4360acd5 100644
--- a/ui/app/styles/helper-classes/layout.scss
+++ b/ui/app/styles/helper-classes/layout.scss
@@ -1,113 +1,162 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
 
-/* This helper includes styles relating to: display, width, height, float, visibility, position, alignment. */
+package command
 
-// display
-.is-block {
-  display: block !important;
-}
-
-.is-hidden {
-  display: none !important;
-}
-
-.is-inline {
-  display: inline !important;
-}
-
-.is-inline-block {
-  display: inline-block !important;
-}
-
-// position
-.top-right-absolute {
-  position: absolute;
-  top: 0.5rem;
-  right: 0.5rem;
-  z-index: 10;
-}
-
-.is-in-bottom-right {
-  position: absolute;
-  bottom: 1rem;
-  right: 1rem;
-  z-index: 10;
-}
-
-.is-relative {
-  position: relative;
-}
-
-.top-xxs {
-  top: $spacing-4;
-}
-
-// visibility
-.is-invisible {
-  visibility: hidden;
-}
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"strings"
 
-// width and height
-.is-fullwidth {
-  width: 100%;
-}
+	"github.com/hashicorp/cli"
+	semver "github.com/hashicorp/go-version"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
+)
 
-.is-three-fourths-width {
-  width: 75%;
-}
+var (
+	_ cli.Command             = (*PluginDeregisterCommand)(nil)
+	_ cli.CommandAutocomplete = (*PluginDeregisterCommand)(nil)
+)
 
-.is-auto-width {
-  width: auto;
-}
-
-.is-min-width-0 {
-  min-width: 0;
-}
-
-.is-medium-width {
-  width: $desktop / 3;
-}
-
-.is-medium-height {
-  height: 125px;
-}
-
-// float
-.is-pulled-left {
-  float: left !important;
-}
-
-.is-pulled-right {
-  float: right !important;
-}
-
-// alignment
-.align-self-baseline {
-  align-self: baseline;
-}
-
-.is-v-centered {
-  vertical-align: middle;
-}
+type PluginDeregisterCommand struct {
+	*BaseCommand
 
-// responsive css
-@media screen and (min-width: 769px), print {
-  .is-hidden-tablet {
-    display: none !important;
-  }
+	flagPluginVersion string
 }
 
-@media screen and (max-width: 768px) {
-  .is-hidden-mobile {
-    display: none !important;
-  }
+func (c *PluginDeregisterCommand) Synopsis() string {
+	return "Deregister an existing plugin in the catalog"
 }
 
-@media screen and (max-width: 1215px) {
-  .is-widescreen:not(.is-max-desktop) {
-    max-width: 1152px;
-  }
+func (c *PluginDeregisterCommand) Help() string {
+	helpText := `
+Usage: vault plugin deregister [options] TYPE NAME
+
+  Deregister an existing plugin in the catalog. If the plugin does not exist,
+  no action is taken (the command is idempotent). The TYPE argument
+  takes "auth", "database", or "secret".
+
+  Deregister the unversioned auth plugin named my-custom-plugin:
+
+      $ vault plugin deregister auth my-custom-plugin
+
+  Deregister the auth plugin named my-custom-plugin, version 1.0.0:
+
+      $ vault plugin deregister -version=v1.0.0 auth my-custom-plugin
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *PluginDeregisterCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP)
+
+	f := set.NewFlagSet("Command Options")
+
+	f.StringVar(&StringVar{
+		Name:       "version",
+		Target:     &c.flagPluginVersion,
+		Completion: complete.PredictAnything,
+		Usage: "Semantic version of the plugin to deregister. If unset, " +
+			"only an unversioned plugin may be deregistered.",
+	})
+
+	return set
+}
+
+func (c *PluginDeregisterCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultPlugins(api.PluginTypeUnknown)
+}
+
+func (c *PluginDeregisterCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *PluginDeregisterCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	var pluginNameRaw, pluginTypeRaw string
+	args = f.Args()
+	positionalArgsCount := len(args)
+	switch positionalArgsCount {
+	case 0, 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 2, got %d)", positionalArgsCount))
+		return 1
+	case 2:
+		pluginTypeRaw = args[0]
+		pluginNameRaw = args[1]
+	default:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 2, got %d)", positionalArgsCount))
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	pluginType, err := api.ParsePluginType(strings.TrimSpace(pluginTypeRaw))
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+	pluginName := strings.TrimSpace(pluginNameRaw)
+	if c.flagPluginVersion != "" {
+		_, err := semver.NewSemver(c.flagPluginVersion)
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("version %q is not a valid semantic version: %v", c.flagPluginVersion, err))
+			return 2
+		}
+	}
+
+	// The deregister endpoint returns 200 if the plugin doesn't exist, so first
+	// try fetching the plugin to help improve info printed to the user.
+	// 404 => Return early with a descriptive message.
+	// Other error => Continue attempting to deregister the plugin anyway.
+	// Plugin exists but is builtin => Error early.
+	// Otherwise => If deregister succeeds, we can report that the plugin really
+	//              was deregistered (and not just already absent).
+	var pluginExists bool
+	if info, err := client.Sys().GetPluginWithContext(context.Background(), &api.GetPluginInput{
+		Name:    pluginName,
+		Type:    pluginType,
+		Version: c.flagPluginVersion,
+	}); err != nil {
+		if respErr, ok := err.(*api.ResponseError); ok && respErr.StatusCode == http.StatusNotFound {
+			c.UI.Output(fmt.Sprintf("Plugin %q (type: %q, version %q) does not exist in the catalog", pluginName, pluginType, c.flagPluginVersion))
+			return 0
+		}
+		// Best-effort check, continue trying to deregister.
+	} else if info != nil {
+		if info.Builtin {
+			c.UI.Error(fmt.Sprintf("Plugin %q (type: %q) is a builtin plugin and cannot be deregistered", pluginName, pluginType))
+			return 2
+		}
+		pluginExists = true
+	}
+
+	if err := client.Sys().DeregisterPluginWithContext(context.Background(), &api.DeregisterPluginInput{
+		Name:    pluginName,
+		Type:    pluginType,
+		Version: c.flagPluginVersion,
+	}); err != nil {
+		c.UI.Error(fmt.Sprintf("Error deregistering plugin named %s: %s", pluginName, err))
+		return 2
+	}
+
+	if pluginExists {
+		c.UI.Output(fmt.Sprintf("Success! Deregistered %s plugin: %s", pluginType, pluginName))
+	} else {
+		c.UI.Output(fmt.Sprintf("Success! Deregistered %s plugin (if it was registered): %s", pluginType, pluginName))
+	}
+	return 0
 }
diff --git a/ui/app/templates/components/auth-form-options.hbs b/ui/app/templates/components/auth-form-options.hbs
index 3505b8e262c2..d80ed9f3fe48 100644
--- a/ui/app/templates/components/auth-form-options.hbs
+++ b/ui/app/templates/components/auth-form-options.hbs
@@ -1,34 +1,286 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-{{#unless this.selectedAuthIsPath}}
-  <div class="box has-slim-padding is-shadowless">
-    <ToggleButton @isOpen={{this.isOpen}} @onClick={{fn (mut this.isOpen)}} data-test-auth-form-options-toggle />
-    {{#if this.isOpen}}
-      <div class="field">
-        <label for="custom-path" class="is-label">
-          Mount path
-        </label>
-        <div class="control">
-          <input
-            type="text"
-            name="custom-path"
-            id="custom-path"
-            class="input"
-            value={{@customPath}}
-            oninput={{action @onPathChange value="target.value"}}
-            data-test-auth-form-mount-path
-          />
-        </div>
-        <AlertInline
-          @sizeSmall={{true}}
-          @paddingTop={{true}}
-          @type="info"
-          @message="If this backend was mounted using a non-default path, enter it here."
-        />
-      </div>
-    {{/if}}
-  </div>
-{{/unless}}
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+)
+
+func testPluginDeregisterCommand(tb testing.TB) (*cli.MockUi, *PluginDeregisterCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &PluginDeregisterCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestPluginDeregisterCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"not_enough_args",
+			[]string{"foo"},
+			"Not enough arguments",
+			1,
+		},
+		{
+			"too_many_args",
+			[]string{"foo", "bar", "fizz"},
+			"Too many arguments",
+			1,
+		},
+		{
+			"not_a_plugin",
+			[]string{consts.PluginTypeCredential.String(), "nope_definitely_never_a_plugin_nope"},
+			"",
+			0,
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			client, closer := testVaultServer(t)
+			defer closer()
+
+			ui, cmd := testPluginDeregisterCommand(t)
+			cmd.client = client
+
+			code := cmd.Run(tc.args)
+			if code != tc.code {
+				t.Errorf("expected %d to be %d", code, tc.code)
+			}
+
+			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+			if !strings.Contains(combined, tc.out) {
+				t.Errorf("expected %q to contain %q", combined, tc.out)
+			}
+		})
+	}
+
+	t.Run("integration", func(t *testing.T) {
+		t.Parallel()
+
+		pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
+		defer cleanup(t)
+
+		client, _, closer := testVaultServerPluginDir(t, pluginDir)
+		defer closer()
+
+		pluginName := "my-plugin"
+		_, sha256Sum := testPluginCreateAndRegister(t, client, pluginDir, pluginName, api.PluginTypeCredential, "")
+
+		ui, cmd := testPluginDeregisterCommand(t)
+		cmd.client = client
+
+		if err := client.Sys().RegisterPlugin(&api.RegisterPluginInput{
+			Name:    pluginName,
+			Type:    api.PluginTypeCredential,
+			Command: pluginName,
+			SHA256:  sha256Sum,
+		}); err != nil {
+			t.Fatal(err)
+		}
+
+		code := cmd.Run([]string{
+			consts.PluginTypeCredential.String(),
+			pluginName,
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Success! Deregistered auth plugin: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+
+		resp, err := client.Sys().ListPlugins(&api.ListPluginsInput{
+			Type: api.PluginTypeCredential,
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		found := false
+		for _, plugins := range resp.PluginsByType {
+			for _, p := range plugins {
+				if p == pluginName {
+					found = true
+				}
+			}
+		}
+		if found {
+			t.Errorf("expected %q to not be in %q", pluginName, resp.PluginsByType)
+		}
+	})
+
+	t.Run("integration with version", func(t *testing.T) {
+		t.Parallel()
+
+		pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
+		defer cleanup(t)
+
+		client, _, closer := testVaultServerPluginDir(t, pluginDir)
+		defer closer()
+
+		pluginName := "my-plugin"
+		_, _, version := testPluginCreateAndRegisterVersioned(t, client, pluginDir, pluginName, api.PluginTypeCredential)
+
+		ui, cmd := testPluginDeregisterCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"-version=" + version,
+			consts.PluginTypeCredential.String(),
+			pluginName,
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Success! Deregistered auth plugin: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+
+		resp, err := client.Sys().ListPlugins(&api.ListPluginsInput{
+			Type: api.PluginTypeUnknown,
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		found := false
+		for _, p := range resp.Details {
+			if p.Name == pluginName {
+				found = true
+			}
+		}
+		if found {
+			t.Errorf("expected %q to not be in %#v", pluginName, resp.Details)
+		}
+	})
+
+	t.Run("integration with missing version", func(t *testing.T) {
+		t.Parallel()
+
+		pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
+		defer cleanup(t)
+
+		client, _, closer := testVaultServerPluginDir(t, pluginDir)
+		defer closer()
+
+		pluginName := "my-plugin"
+		testPluginCreateAndRegisterVersioned(t, client, pluginDir, pluginName, api.PluginTypeCredential)
+
+		ui, cmd := testPluginDeregisterCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			consts.PluginTypeCredential.String(),
+			pluginName,
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "does not exist in the catalog"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+
+		resp, err := client.Sys().ListPlugins(&api.ListPluginsInput{
+			Type: api.PluginTypeUnknown,
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		found := false
+		for _, p := range resp.Details {
+			if p.Name == pluginName {
+				found = true
+			}
+		}
+		if !found {
+			t.Errorf("expected %q to be in %#v", pluginName, resp.Details)
+		}
+	})
+
+	t.Run("deregister builtin", func(t *testing.T) {
+		t.Parallel()
+
+		pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
+		defer cleanup(t)
+
+		client, _, closer := testVaultServerPluginDir(t, pluginDir)
+		defer closer()
+
+		ui, cmd := testPluginDeregisterCommand(t)
+		cmd.client = client
+
+		expected := "is a builtin plugin"
+		if code := cmd.Run([]string{
+			consts.PluginTypeCredential.String(),
+			"github",
+		}); code != 2 {
+			t.Errorf("expected %d to be %d", code, 2)
+		} else if !strings.Contains(ui.ErrorWriter.String(), expected) {
+			t.Errorf("expected %q to contain %q", ui.ErrorWriter.String(), expected)
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testPluginDeregisterCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			consts.PluginTypeCredential.String(),
+			"my-plugin",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error deregistering plugin named my-plugin: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testPluginDeregisterCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
diff --git a/ui/app/templates/components/auth-form.hbs b/ui/app/templates/components/auth-form.hbs
index 35506c5cb3c5..e47a23c66519 100644
--- a/ui/app/templates/components/auth-form.hbs
+++ b/ui/app/templates/components/auth-form.hbs
@@ -1,205 +1,137 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<div class="auth-form" data-test-auth-form>
-  {{#if (and this.waitingForOktaNumberChallenge (not this.cancelAuthForOktaNumberChallenge))}}
-    <OktaNumberChallenge
-      @correctAnswer={{this.oktaNumberChallengeAnswer}}
-      @hasError={{(not-eq this.error null)}}
-      @onReturnToLogin={{action "returnToLoginFromOktaNumberChallenge"}}
-    />
-  {{else}}
-    {{#if this.hasMethodsWithPath}}
-      <nav class="tabs is-marginless">
-        <ul>
-          {{#each this.methodsToShow as |method|}}
-            {{#let (or method.path method.type) as |methodKey|}}
-              <li
-                class={{if
-                  (and
-                    this.selectedAuthIsPath (eq (or this.selectedAuthBackend.path this.selectedAuthBackend.type) methodKey)
-                  )
-                  "is-active"
-                  ""
-                }}
-                data-test-auth-method={{method.id}}
-              >
-                <LinkTo
-                  @route="vault.cluster.auth"
-                  @model={{this.cluster.name}}
-                  @query={{hash with=methodKey}}
-                  data-test-auth-method-link={{method.type}}
-                >
-                  {{or method.id (capitalize method.type)}}
-                </LinkTo>
-              </li>
-            {{/let}}
-          {{/each}}
-          <li class={{unless this.selectedAuthIsPath "is-active" ""}} data-test-auth-method>
-            <LinkTo
-              @route="vault.cluster.auth"
-              @model={{this.cluster.name}}
-              @query={{hash with="token"}}
-              data-test-auth-method-link="other"
-            >
-              Other
-            </LinkTo>
-          </li>
-        </ul>
-      </nav>
-    {{/if}}
-    <div class="box is-marginless is-shadowless">
-      <MessageError @errorMessage={{if (and this.cluster.standby this.hasCSPError) this.cspErrorText this.error}} />
-      {{#if this.selectedAuthBackend.path}}
-        <div class="has-bottom-margin-s">
-          <p class="is-label">{{this.selectedAuthBackend.path}}</p>
-          <span class="description has-text-grey" data-test-description={{true}}>
-            {{this.selectedAuthBackend.mountDescription}}
-          </span>
-        </div>
-      {{/if}}
-      {{#if (or (not this.hasMethodsWithPath) (not this.selectedAuthIsPath))}}
-        <Select
-          @label="Method"
-          @name="auth-method"
-          @options={{this.authMethods}}
-          @valueAttribute={{"type"}}
-          @labelAttribute={{"typeDisplay"}}
-          @isFullwidth={{true}}
-          @selectedValue={{this.selectedAuth}}
-          @onChange={{action (mut this.selectedAuth)}}
-        />
-      {{/if}}
-      {{#if (or (eq this.selectedAuthBackend.type "jwt") (eq this.selectedAuthBackend.type "oidc"))}}
-        <AuthJwt
-          @onError={{action "handleError"}}
-          @onLoading={{action (mut this.isLoading)}}
-          @namespace={{this.namespace}}
-          @onNamespace={{action (mut this.namespace)}}
-          @onSubmit={{action "doSubmit"}}
-          @onRoleName={{action (mut this.roleName)}}
-          @roleName={{this.roleName}}
-          @selectedAuthType={{this.selectedAuthBackend.type}}
-          @selectedAuthPath={{or this.customPath this.selectedAuthBackend.id}}
-          @disabled={{or this.authenticate.isRunning this.isLoading}}
-        >
-          <AuthFormOptions
-            @customPath={{this.customPath}}
-            @onPathChange={{action (mut this.customPath)}}
-            @selectedAuthIsPath={{this.selectedAuthIsPath}}
-          />
-        </AuthJwt>
-      {{else if (eq this.selectedAuthBackend.type "saml")}}
-        <AuthSaml
-          @onError={{action "handleError"}}
-          @onLoading={{action (mut this.isLoading)}}
-          @namespace={{this.namespace}}
-          @onNamespace={{action (mut this.namespace)}}
-          @onSubmit={{action "doSubmit"}}
-          @onRoleName={{action (mut this.roleName)}}
-          @roleName={{this.roleName}}
-          @selectedAuthType={{this.selectedAuthBackend.type}}
-          @selectedAuthPath={{or this.customPath this.selectedAuthBackend.id}}
-          @disabled={{or this.authenticate.isRunning this.isLoading}}
-        >
-          <AuthFormOptions
-            @customPath={{this.customPath}}
-            @onPathChange={{action (mut this.customPath)}}
-            @selectedAuthIsPath={{this.selectedAuthIsPath}}
-          />
-        </AuthSaml>
-      {{else}}
-        <form id="auth-form" onsubmit={{action "doSubmit" null}}>
-          {{#if (eq this.providerName "github")}}
-            <div class="field">
-              <label for="token" class="is-label">GitHub token</label>
-              <div class="control">
-                <Input
-                  @type="password"
-                  @value={{this.token}}
-                  name="token"
-                  id="token"
-                  class="input"
-                  data-test-token={{true}}
-                  autocomplete="off"
-                  spellcheck="false"
-                />
-              </div>
-            </div>
-          {{else if (eq this.providerName "token")}}
-            <div class="field">
-              <label for="token" class="is-label">Token</label>
-              <div class="control">
-                <Input
-                  @type="password"
-                  @value={{this.token}}
-                  name="token"
-                  class="input"
-                  autocomplete="off"
-                  spellcheck="false"
-                  data-test-token={{true}}
-                />
-              </div>
-            </div>
-          {{else}}
-            <div class="field">
-              <label for="username" class="is-label">Username</label>
-              <div class="control">
-                <Input
-                  @value={{this.username}}
-                  name="username"
-                  id="username"
-                  class="input"
-                  autocomplete="off"
-                  spellcheck="false"
-                  data-test-username={{true}}
-                />
-              </div>
-            </div>
-            <div class="field">
-              <label for="password" class="is-label">Password</label>
-              <div class="control">
-                <Input
-                  @value={{this.password}}
-                  name="password"
-                  id="password"
-                  @type="password"
-                  class="input"
-                  autocomplete="off"
-                  spellcheck="false"
-                  data-test-password={{true}}
-                />
-              </div>
-            </div>
-          {{/if}}
-          {{#if (not-eq this.selectedAuthBackend.type "token")}}
-            <AuthFormOptions
-              @customPath={{this.customPath}}
-              @onPathChange={{action (mut this.customPath)}}
-              @selectedAuthIsPath={{this.selectedAuthIsPath}}
-            />
-          {{/if}}
-          <Hds::Button
-            @text="Sign in"
-            @icon={{if this.authenticate.isRunning "loading"}}
-            data-test-auth-submit={{true}}
-            type="submit"
-            disabled={{this.authenticate.isRunning}}
-            id="auth-submit"
-          />
-          {{#if (and this.delayAuthMessageReminder.isIdle this.showLoading)}}
-            <AlertInline
-              @paddingTop={{true}}
-              @sizeSmall={{true}}
-              @type="info"
-              @message="If login takes longer than usual, you may need to check your device for an MFA notification, or contact your administrator if login times out."
-              data-test-auth-message="push"
-            />
-          {{/if}}
-        </form>
-      {{/if}}
-    </div>
-  {{/if}}
-</div>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*PluginInfoCommand)(nil)
+	_ cli.CommandAutocomplete = (*PluginInfoCommand)(nil)
+)
+
+type PluginInfoCommand struct {
+	*BaseCommand
+
+	flagVersion string
+}
+
+func (c *PluginInfoCommand) Synopsis() string {
+	return "Read information about a plugin in the catalog"
+}
+
+func (c *PluginInfoCommand) Help() string {
+	helpText := `
+Usage: vault plugin info [options] TYPE NAME
+
+  Displays information about a plugin in the catalog with the given name. If
+  the plugin does not exist, an error is returned. The argument of type
+  takes "auth", "database", or "secret".
+
+  Get info about a plugin:
+
+      $ vault plugin info database mysql-database-plugin
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *PluginInfoCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
+
+	f := set.NewFlagSet("Command Options")
+
+	f.StringVar(&StringVar{
+		Name:       "version",
+		Target:     &c.flagVersion,
+		Completion: complete.PredictAnything,
+		Usage:      "Semantic version of the plugin. Optional.",
+	})
+
+	return set
+}
+
+func (c *PluginInfoCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultPlugins(api.PluginTypeUnknown)
+}
+
+func (c *PluginInfoCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *PluginInfoCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	var pluginNameRaw, pluginTypeRaw string
+	args = f.Args()
+	positionalArgsCount := len(args)
+	switch {
+	case positionalArgsCount < 2:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 2, got %d)", positionalArgsCount))
+		return 1
+	case positionalArgsCount > 2:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 2, got %d)", positionalArgsCount))
+		return 1
+	}
+
+	pluginTypeRaw = args[0]
+	pluginNameRaw = args[1]
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	pluginType, err := api.ParsePluginType(strings.TrimSpace(pluginTypeRaw))
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+	pluginName := strings.TrimSpace(pluginNameRaw)
+
+	resp, err := client.Sys().GetPlugin(&api.GetPluginInput{
+		Name:    pluginName,
+		Type:    pluginType,
+		Version: c.flagVersion,
+	})
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error reading plugin named %s: %s", pluginName, err))
+		return 2
+	}
+
+	if resp == nil {
+		c.UI.Error(fmt.Sprintf("No value found for plugin %q", pluginName))
+		return 2
+	}
+
+	data := map[string]interface{}{
+		"args":               resp.Args,
+		"builtin":            resp.Builtin,
+		"command":            resp.Command,
+		"oci_image":          resp.OCIImage,
+		"runtime":            resp.Runtime,
+		"name":               resp.Name,
+		"sha256":             resp.SHA256,
+		"deprecation_status": resp.DeprecationStatus,
+		"version":            resp.Version,
+	}
+
+	if c.flagField != "" {
+		return PrintRawField(c.UI, data, c.flagField)
+	}
+	return OutputData(c.UI, data)
+}
diff --git a/ui/app/templates/components/auth-jwt.hbs b/ui/app/templates/components/auth-jwt.hbs
index 104607f894da..f0e66d8be52c 100644
--- a/ui/app/templates/components/auth-jwt.hbs
+++ b/ui/app/templates/components/auth-jwt.hbs
@@ -1,69 +1,220 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<form id="auth-form" {{on "submit" (action "signIn")}}>
-  <div class="field">
-    <label for="role" class="is-label">Role</label>
-    <div class="control">
-      <input
-        value={{this.roleName}}
-        placeholder="Default"
-        autocomplete="off"
-        spellcheck="false"
-        name="role"
-        id="role"
-        class="input"
-        type="text"
-        {{on "input" (action "onRoleChange")}}
-        data-test-role
-      />
-    </div>
-    <AlertInline
-      @sizeSmall={{true}}
-      @paddingTop={{true}}
-      @type="info"
-      @message="Leave blank to sign in with the default role if one is configured"
-    />
-  </div>
-  {{#unless this.isOIDC}}
-    <div class="field">
-      <label for="token" class="is-label">JWT Token</label>
-      <div class="control">
-        <Input
-          @type="password"
-          @value={{this.jwt}}
-          name="jwt"
-          class="input"
-          autocomplete="off"
-          spellcheck="false"
-          data-test-jwt={{true}}
-        />
-      </div>
-    </div>
-  {{/unless}}
-  <div data-test-yield-content>
-    {{yield}}
-  </div>
-
-  {{#if this.isOIDC}}
-    <Hds::Button
-      @text={{concat "Sign in with " (or this.role.providerName "OIDC Provider")}}
-      @icon={{if @disabled "loading" this.role.providerIcon}}
-      data-test-auth-submit
-      type="submit"
-      disabled={{@disabled}}
-      id="auth-submit"
-    />
-  {{else}}
-    <Hds::Button
-      @text="Sign in"
-      @icon={{if @disabled "loading"}}
-      data-test-auth-submit
-      type="submit"
-      disabled={{@disabled}}
-      id="auth-submit"
-    />
-  {{/if}}
-</form>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
+	"github.com/hashicorp/vault/helper/versions"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+)
+
+func testPluginInfoCommand(tb testing.TB) (*cli.MockUi, *PluginInfoCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &PluginInfoCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestPluginInfoCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"not_enough_args",
+			[]string{"foo"},
+			"Not enough arguments",
+			1,
+		},
+		{
+			"too_many_args",
+			[]string{"foo", "bar", "fizz"},
+			"Too many arguments",
+			1,
+		},
+		{
+			"no_plugin_exist",
+			[]string{api.PluginTypeCredential.String(), "not-a-real-plugin-like-ever"},
+			"Error reading plugin",
+			2,
+		},
+	}
+
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range cases {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				ui, cmd := testPluginInfoCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
+	})
+
+	t.Run("default", func(t *testing.T) {
+		t.Parallel()
+
+		pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
+		defer cleanup(t)
+
+		client, _, closer := testVaultServerPluginDir(t, pluginDir)
+		defer closer()
+
+		pluginName := "my-plugin"
+		_, sha256Sum := testPluginCreateAndRegister(t, client, pluginDir, pluginName, api.PluginTypeCredential, "")
+
+		ui, cmd := testPluginInfoCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			api.PluginTypeCredential.String(), pluginName,
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, pluginName) {
+			t.Errorf("expected %q to contain %q", combined, pluginName)
+		}
+		if !strings.Contains(combined, sha256Sum) {
+			t.Errorf("expected %q to contain %q", combined, sha256Sum)
+		}
+	})
+
+	t.Run("version flag", func(t *testing.T) {
+		t.Parallel()
+
+		pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
+		defer cleanup(t)
+
+		client, _, closer := testVaultServerPluginDir(t, pluginDir)
+		defer closer()
+
+		const pluginName = "azure"
+		_, sha256Sum := testPluginCreateAndRegister(t, client, pluginDir, pluginName, api.PluginTypeCredential, "v1.0.0")
+
+		for name, tc := range map[string]struct {
+			version     string
+			expectedSHA string
+		}{
+			"versioned":       {"v1.0.0", sha256Sum},
+			"builtin version": {versions.GetBuiltinVersion(consts.PluginTypeSecrets, pluginName), ""},
+		} {
+			t.Run(name, func(t *testing.T) {
+				ui, cmd := testPluginInfoCommand(t)
+				cmd.client = client
+
+				code := cmd.Run([]string{
+					"-version=" + tc.version,
+					api.PluginTypeCredential.String(), pluginName,
+				})
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if exp := 0; code != exp {
+					t.Errorf("expected %d to be %d: %s", code, exp, combined)
+				}
+
+				if !strings.Contains(combined, pluginName) {
+					t.Errorf("expected %q to contain %q", combined, pluginName)
+				}
+				if !strings.Contains(combined, tc.expectedSHA) {
+					t.Errorf("expected %q to contain %q", combined, tc.expectedSHA)
+				}
+				if !strings.Contains(combined, tc.version) {
+					t.Errorf("expected %q to contain %q", combined, tc.version)
+				}
+			})
+		}
+	})
+
+	t.Run("field", func(t *testing.T) {
+		t.Parallel()
+
+		pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
+		defer cleanup(t)
+
+		client, _, closer := testVaultServerPluginDir(t, pluginDir)
+		defer closer()
+
+		pluginName := "my-plugin"
+		testPluginCreateAndRegister(t, client, pluginDir, pluginName, api.PluginTypeCredential, "")
+
+		ui, cmd := testPluginInfoCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"-field", "builtin",
+			api.PluginTypeCredential.String(), pluginName,
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if exp := "false"; combined != exp {
+			t.Errorf("expected %q to be %q", combined, exp)
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testPluginInfoCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			api.PluginTypeCredential.String(), "my-plugin",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error reading plugin named my-plugin: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testPluginInfoCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
diff --git a/ui/app/templates/components/clients/attribution.hbs b/ui/app/templates/components/clients/attribution.hbs
index 7cea4fe50ecb..28714adf4f5b 100644
--- a/ui/app/templates/components/clients/attribution.hbs
+++ b/ui/app/templates/components/clients/attribution.hbs
@@ -1,129 +1,169 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-{{! only show side-by-side horizontal bar charts if data is from a single, historical month }}
-<div
-  class={{concat "chart-wrapper" (if @isHistoricalMonth " dual-chart-grid" " single-chart-grid")}}
-  data-test-clients-attribution
->
-  <div class="chart-header has-header-link has-bottom-margin-m">
-    <div class="header-left">
-      <h2 class="chart-title">Attribution</h2>
-      <p class="chart-description" data-test-attribution-description>{{this.chartText.description}}</p>
-    </div>
-    <div class="header-right">
-      {{#if this.hasCsvData}}
-        <Hds::Button
-          data-test-attribution-export-button
-          @text="Export attribution data"
-          @color="secondary"
-          {{on "click" (fn (mut this.showCSVDownloadModal) true)}}
-        />
-      {{/if}}
-    </div>
-  </div>
-  {{#if this.barChartTotalClients}}
-    {{#if @isHistoricalMonth}}
-      <div class="chart-container-left" data-test-chart-container="new-clients">
-        <h2 class="chart-title">New clients</h2>
-        <p class="chart-description">{{this.chartText.newCopy}}</p>
-        <Clients::HorizontalBarChart
-          @dataset={{this.barChartNewClients}}
-          @chartLegend={{@chartLegend}}
-          @totalCounts={{@newUsageCounts}}
-          @noDataMessage="There are no new clients for this namespace during this time period."
-        />
-      </div>
-
-      <div class="chart-container-right" data-test-chart-container="total-clients">
-        <h2 class="chart-title">Total clients</h2>
-        <p class="chart-description">{{this.chartText.totalCopy}}</p>
-        <Clients::HorizontalBarChart
-          @dataset={{this.barChartTotalClients}}
-          @chartLegend={{@chartLegend}}
-          @totalCounts={{@totalUsageCounts}}
-        />
-      </div>
-    {{else}}
-      <div
-        class={{concat (unless this.barChartTotalClients "chart-empty-state ") "chart-container-wide"}}
-        data-test-chart-container="single-chart"
-      >
-        <Clients::HorizontalBarChart
-          @dataset={{this.barChartTotalClients}}
-          @chartLegend={{@chartLegend}}
-          @totalCounts={{@totalUsageCounts}}
-        />
-      </div>
-      <div class="chart-subTitle">
-        <p class="chart-subtext" data-test-attribution-subtext>{{this.chartText.totalCopy}}</p>
-      </div>
-
-      <div class="data-details-top" data-test-top-attribution>
-        <h3 class="data-details">Top {{this.attributionBreakdown}}</h3>
-        <p class="data-details">{{this.topClientCounts.label}}</p>
-      </div>
-
-      <div class="data-details-bottom" data-test-attribution-clients>
-        <h3 class="data-details">Clients in {{this.attributionBreakdown}}</h3>
-        <p class="data-details">{{format-number this.topClientCounts.clients}}</p>
-      </div>
-    {{/if}}
-    <div class="legend-center">
-      <span class="light-dot"></span><span class="legend-label">{{capitalize (get @chartLegend "0.label")}}</span>
-      <span class="dark-dot"></span><span class="legend-label">{{capitalize (get @chartLegend "1.label")}}</span>
-    </div>
-  {{else}}
-    <div class="chart-empty-state">
-      <EmptyState @icon="skip" @title="No data found" @bottomBorder={{true}} />
-    </div>
-  {{/if}}
-  <div class="timestamp" data-test-attribution-timestamp>
-    {{#if @responseTimestamp}}
-      Updated
-      {{date-format @responseTimestamp "MMM d yyyy, h:mm:ss aaa" withTimeZone=true}}
-    {{/if}}
-  </div>
-</div>
-
-{{! MODAL FOR CSV DOWNLOAD }}
-{{#if this.showCSVDownloadModal}}
-  <Hds::Modal id="attribution-csv-download-modal" @onClose={{fn (mut this.showCSVDownloadModal) false}} as |M|>
-    <M.Header @icon="info" data-test-export-modal-title>
-      Export attribution data
-    </M.Header>
-    <M.Body>
-      <p class="has-bottom-margin-s">
-        This export will include the namespace path, authentication method path, and the associated total, entity, and
-        non-entity clients for the below
-        {{if this.formattedEndDate "date range" "month"}}.
-      </p>
-      <p class="has-bottom-margin-s is-subtitle-gray">SELECTED DATE {{if this.formattedEndDate " RANGE"}}</p>
-      <p class="has-bottom-margin-s" data-test-export-date-range>
-        {{this.formattedStartDate}}
-        {{if this.formattedEndDate "-"}}
-        {{this.formattedEndDate}}</p>
-    </M.Body>
-    <M.Footer as |F|>
-      <Hds::ButtonSet>
-        <Hds::Button @text="Export" {{on "click" (fn this.exportChartData this.formattedCsvFileName)}} />
-        <Hds::Button @text="Cancel" @color="secondary" {{on "click" F.close}} />
-      </Hds::ButtonSet>
-      {{#if @upgradeExplanation}}
-        <div class="has-text-grey is-size-8 has-top-padding-m">
-          <AlertInline @type="warning">
-            Your data contains an upgrade.
-            <DocLink
-              @path="/vault/docs/concepts/client-count/faq#q-which-vault-version-reflects-the-most-accurate-client-counts"
-            >
-              Learn more here.
-            </DocLink>
-          </AlertInline>
-          <p class="has-left-padding-l">{{@upgradeExplanation}}</p>
-        </div>
-      {{/if}}
-    </M.Footer>
-  </Hds::Modal>
-{{/if}}
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*PluginListCommand)(nil)
+	_ cli.CommandAutocomplete = (*PluginListCommand)(nil)
+)
+
+type PluginListCommand struct {
+	*BaseCommand
+
+	flagDetailed bool
+}
+
+func (c *PluginListCommand) Synopsis() string {
+	return "Lists available plugins"
+}
+
+func (c *PluginListCommand) Help() string {
+	helpText := `
+Usage: vault plugin list [options] [TYPE]
+
+  Lists available plugins registered in the catalog. This does not list whether
+  plugins are in use, but rather just their availability. The last argument of
+  type takes "auth", "database", or "secret".
+
+  List all available plugins in the catalog:
+
+      $ vault plugin list
+
+  List all available database plugins in the catalog:
+
+      $ vault plugin list database
+
+  List all available plugins with detailed output:
+
+      $ vault plugin list -detailed
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *PluginListCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+
+	f := set.NewFlagSet("Command Options")
+
+	f.BoolVar(&BoolVar{
+		Name:    "detailed",
+		Target:  &c.flagDetailed,
+		Default: false,
+		Usage: "Print detailed plugin information such as plugin type, " +
+			"version, and deprecation status for each plugin. This option " +
+			"is only applicable to table-formatted output.",
+	})
+
+	return set
+}
+
+func (c *PluginListCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictNothing
+}
+
+func (c *PluginListCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *PluginListCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	switch {
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0 or 1, got %d)", len(args)))
+		return 1
+	}
+
+	pluginType := api.PluginTypeUnknown
+	if len(args) > 0 {
+		pluginTypeStr := strings.TrimSpace(args[0])
+		if pluginTypeStr != "" {
+			var err error
+			pluginType, err = api.ParsePluginType(pluginTypeStr)
+			if err != nil {
+				c.UI.Error(fmt.Sprintf("Error parsing type: %s", err))
+				return 2
+			}
+		}
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	resp, err := client.Sys().ListPlugins(&api.ListPluginsInput{
+		Type: pluginType,
+	})
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error listing available plugins: %s", err))
+		return 2
+	}
+	if resp == nil {
+		c.UI.Error("No response from server when listing plugins")
+		return 2
+	}
+
+	switch Format(c.UI) {
+	case "table":
+		if c.flagDetailed {
+			c.UI.Output(tableOutput(c.detailedResponse(resp), nil))
+			return 0
+		}
+		c.UI.Output(tableOutput(c.simpleResponse(resp, pluginType), nil))
+		return 0
+	default:
+		res := make(map[string]interface{})
+		for k, v := range resp.PluginsByType {
+			res[k.String()] = v
+		}
+		res["details"] = resp.Details
+		return OutputData(c.UI, res)
+	}
+}
+
+func (c *PluginListCommand) simpleResponse(plugins *api.ListPluginsResponse, pluginType api.PluginType) []string {
+	var out []string
+	switch pluginType {
+	case api.PluginTypeUnknown:
+		out = []string{"Name | Type | Version"}
+		for _, plugin := range plugins.Details {
+			out = append(out, fmt.Sprintf("%s | %s | %s", plugin.Name, plugin.Type, plugin.Version))
+		}
+	default:
+		out = []string{"Name | Version"}
+		for _, plugin := range plugins.Details {
+			out = append(out, fmt.Sprintf("%s | %s", plugin.Name, plugin.Version))
+		}
+	}
+
+	return out
+}
+
+func (c *PluginListCommand) detailedResponse(plugins *api.ListPluginsResponse) []string {
+	out := []string{"Name | Type | Version | Container | Deprecation Status"}
+	for _, plugin := range plugins.Details {
+		out = append(out, fmt.Sprintf("%s | %s | %s | %v | %s", plugin.Name, plugin.Type, plugin.Version, plugin.OCIImage != "", plugin.DeprecationStatus))
+	}
+
+	return out
+}
diff --git a/ui/app/templates/components/dashboard/overview.hbs b/ui/app/templates/components/dashboard/overview.hbs
index 0e650451f26a..4ad37868b2c9 100644
--- a/ui/app/templates/components/dashboard/overview.hbs
+++ b/ui/app/templates/components/dashboard/overview.hbs
@@ -1,53 +1,104 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<Dashboard::VaultVersionTitle @version={{@version}} />
-
-<div class="has-bottom-margin-xl">
-  <div class="is-flex-row has-gap-l">
-    {{#if (and @version.isEnterprise (or @license @isRootNamespace))}}
-      <div class="is-flex-column is-flex-1 has-gap-l">
-        {{#if @license}}
-          <Dashboard::ClientCountCard @license={{@license}} />
-        {{/if}}
-        {{#if (and @isRootNamespace (has-permission "status" routeParams="replication"))}}
-          <Dashboard::ReplicationCard
-            @replication={{@replication}}
-            @version={{@version}}
-            @refresh={{@refreshModel}}
-            @updatedAt={{@replicationUpdatedAt}}
-          />
-        {{/if}}
-        <Dashboard::SecretsEnginesCard @secretsEngines={{@secretsEngines}} />
-      </div>
-
-      <div class="is-flex-column is-flex-1 has-gap-l">
-        <Dashboard::QuickActionsCard @secretsEngines={{@secretsEngines}} />
-        {{#if @vaultConfiguration}}
-          <Dashboard::VaultConfigurationDetailsCard @vaultConfiguration={{@vaultConfiguration}} />
-        {{/if}}
-        <div>
-          <Dashboard::LearnMoreCard @isEnterprise={{@version.isEnterprise}} />
-          <Dashboard::SurveyLinkText />
-        </div>
-      </div>
-
-    {{else}}
-      <div class="is-flex-column is-flex-1 has-gap-l">
-        <Dashboard::SecretsEnginesCard @secretsEngines={{@secretsEngines}} />
-        <div>
-          <Dashboard::LearnMoreCard @isEnterprise={{@version.isEnterprise}} />
-          <Dashboard::SurveyLinkText />
-        </div>
-      </div>
-      <div class="is-flex-column is-flex-1 has-gap-l">
-        <Dashboard::QuickActionsCard @secretsEngines={{@secretsEngines}} />
-        {{#if @vaultConfiguration}}
-          <Dashboard::VaultConfigurationDetailsCard @vaultConfiguration={{@vaultConfiguration}} />
-        {{/if}}
-      </div>
-    {{/if}}
-  </div>
-</div>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"regexp"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+)
+
+func testPluginListCommand(tb testing.TB) (*cli.MockUi, *PluginListCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &PluginListCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestPluginListCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"too_many_args",
+			[]string{"foo", "fizz"},
+			"Too many arguments",
+			1,
+		},
+		{
+			"lists",
+			nil,
+			"Name\\s+Type\\s+Version",
+			0,
+		},
+	}
+
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range cases {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				ui, cmd := testPluginListCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				matcher := regexp.MustCompile(tc.out)
+				if !matcher.MatchString(combined) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testPluginListCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{"database"})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error listing available plugins: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testPluginListCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
diff --git a/ui/app/templates/components/dashboard/vault-version-title.hbs b/ui/app/templates/components/dashboard/vault-version-title.hbs
index 194a1ae5f5fa..d124b38b8917 100644
--- a/ui/app/templates/components/dashboard/vault-version-title.hbs
+++ b/ui/app/templates/components/dashboard/vault-version-title.hbs
@@ -1,16 +1,195 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<PageHeader as |p|>
-  <p.levelLeft>
-    <h1 class="title is-3" data-test-dashboard-card-header="Vault version">
-      {{this.versionHeader}}
-      {{#if @version.isEnterprise}}
-        <Hds::Badge @text={{this.namespace.currentNamespace}} @icon="org" data-test-badge-namespace />
-      {{/if}}
-    </h1>
-  </p.levelLeft>
-</PageHeader>
-<hr class="has-top-margin-xxs has-bottom-margin-l has-background-gray-200" />
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*PluginRegisterCommand)(nil)
+	_ cli.CommandAutocomplete = (*PluginRegisterCommand)(nil)
+)
+
+type PluginRegisterCommand struct {
+	*BaseCommand
+
+	flagArgs     []string
+	flagCommand  string
+	flagSHA256   string
+	flagVersion  string
+	flagOCIImage string
+	flagRuntime  string
+	flagEnv      []string
+}
+
+func (c *PluginRegisterCommand) Synopsis() string {
+	return "Registers a new plugin in the catalog"
+}
+
+func (c *PluginRegisterCommand) Help() string {
+	helpText := `
+Usage: vault plugin register [options] TYPE NAME
+
+  Registers a new plugin in the catalog. The plugin binary must exist in Vault's
+  configured plugin directory. The argument of type takes "auth", "database",
+  or "secret".
+
+  Register the plugin named my-custom-plugin:
+
+      $ vault plugin register -sha256=d3f0a8b... -version=v1.0.0 auth my-custom-plugin
+
+  Register a plugin with custom arguments:
+
+      $ vault plugin register \
+          -sha256=d3f0a8b... \
+          -version=v1.0.0 \
+          -args=--with-glibc,--with-cgo \
+          auth my-custom-plugin
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *PluginRegisterCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP)
+
+	f := set.NewFlagSet("Command Options")
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:       "args",
+		Target:     &c.flagArgs,
+		Completion: complete.PredictAnything,
+		Usage: "Argument to pass to the plugin when starting. This " +
+			"flag can be specified multiple times to specify multiple args.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "command",
+		Target:     &c.flagCommand,
+		Completion: complete.PredictAnything,
+		Usage: "Command to spawn the plugin. This defaults to the name of the " +
+			"plugin if both oci_image and command are unspecified.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "sha256",
+		Target:     &c.flagSHA256,
+		Completion: complete.PredictAnything,
+		Usage:      "SHA256 of the plugin binary or the oci_image provided. This is required for all plugins.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "version",
+		Target:     &c.flagVersion,
+		Completion: complete.PredictAnything,
+		Usage:      "Semantic version of the plugin. Used as the tag when specifying oci_image, but with any leading 'v' trimmed. Optional.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "oci_image",
+		Target:     &c.flagOCIImage,
+		Completion: complete.PredictAnything,
+		Usage: "OCI image to run. If specified, setting command, args, and env will update the " +
+			"container's entrypoint, args, and environment variables (append-only) respectively.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "runtime",
+		Target:     &c.flagRuntime,
+		Completion: complete.PredictAnything,
+		Usage:      "Vault plugin runtime to use if oci_image is specified.",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:       "env",
+		Target:     &c.flagEnv,
+		Completion: complete.PredictAnything,
+		Usage: "Environment variables to set for the plugin when starting. This " +
+			"flag can be specified multiple times to specify multiple environment variables.",
+	})
+
+	return set
+}
+
+func (c *PluginRegisterCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultPlugins(api.PluginTypeUnknown)
+}
+
+func (c *PluginRegisterCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *PluginRegisterCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	var pluginNameRaw, pluginTypeRaw string
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1 or 2, got %d)", len(args)))
+		return 1
+	case len(args) > 2:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1 or 2, got %d)", len(args)))
+		return 1
+	case c.flagSHA256 == "":
+		c.UI.Error("SHA256 is required for all plugins, please provide -sha256")
+		return 1
+
+	// These cases should come after invalid cases have been checked
+	case len(args) == 1:
+		pluginTypeRaw = "unknown"
+		pluginNameRaw = args[0]
+	case len(args) == 2:
+		pluginTypeRaw = args[0]
+		pluginNameRaw = args[1]
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	pluginType, err := api.ParsePluginType(strings.TrimSpace(pluginTypeRaw))
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+	pluginName := strings.TrimSpace(pluginNameRaw)
+
+	command := c.flagCommand
+	if command == "" && c.flagOCIImage == "" {
+		command = pluginName
+	}
+
+	if err := client.Sys().RegisterPlugin(&api.RegisterPluginInput{
+		Name:     pluginName,
+		Type:     pluginType,
+		Args:     c.flagArgs,
+		Command:  command,
+		SHA256:   c.flagSHA256,
+		Version:  c.flagVersion,
+		OCIImage: c.flagOCIImage,
+		Runtime:  c.flagRuntime,
+		Env:      c.flagEnv,
+	}); err != nil {
+		c.UI.Error(fmt.Sprintf("Error registering plugin %s: %s", pluginName, err))
+		return 2
+	}
+
+	c.UI.Output(fmt.Sprintf("Success! Registered plugin: %s", pluginName))
+	return 0
+}
diff --git a/ui/app/templates/components/date-dropdown.hbs b/ui/app/templates/components/date-dropdown.hbs
index 4e87843a2a10..ed46a16caa35 100644
--- a/ui/app/templates/components/date-dropdown.hbs
+++ b/ui/app/templates/components/date-dropdown.hbs
@@ -1,38 +1,337 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<Hds::SegmentedGroup ...attributes as |S|>
-  <S.Dropdown @listPosition="bottom-left" @height="200px" as |dd|>
-    <dd.ToggleButton data-test-toggle-month @text={{or this.selectedMonth.name "Month"}} @color="secondary" />
-    {{#each this.dropdownMonths as |month|}}
-      <dd.Interactive
-        data-test-dropdown-month={{month.name}}
-        disabled={{if (gt month.index this.maxMonthIdx) true false}}
-        {{on "click" (fn this.selectMonth month dd)}}
-        @text={{month.name}}
-      />
-    {{/each}}
-  </S.Dropdown>
-  <S.Dropdown data-test-year-list @listPosition="bottom-left" @height="200px" as |dd|>
-    <dd.ToggleButton data-test-toggle-year @text={{or this.selectedYear "Year"}} @color="secondary" />
-    {{#each this.dropdownYears as |year|}}
-      <dd.Interactive
-        data-test-dropdown-year={{year}}
-        disabled={{if (eq year this.disabledYear) true false}}
-        {{on "click" (fn this.selectYear year dd)}}
-        @text={{year}}
-      />
-    {{/each}}
-  </S.Dropdown>
-  <S.Button
-    data-test-date-dropdown-submit
-    disabled={{if (and this.selectedMonth this.selectedYear) false true}}
-    {{on "click" this.handleSubmit}}
-    @text={{or @submitText "Submit"}}
-  />
-</Hds::SegmentedGroup>
-{{#if this.invalidDate}}
-  <AlertInline @type="danger" @message={{this.invalidDate}} @paddingTop={{true}} @mimicRefresh={{true}} />
-{{/if}}
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"encoding/json"
+	"fmt"
+	"reflect"
+	"sort"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+)
+
+func testPluginRegisterCommand(tb testing.TB) (*cli.MockUi, *PluginRegisterCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &PluginRegisterCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestPluginRegisterCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"not_enough_args",
+			nil,
+			"Not enough arguments",
+			1,
+		},
+		{
+			"too_many_args",
+			[]string{"foo", "bar", "fizz"},
+			"Too many arguments",
+			1,
+		},
+		{
+			"not_a_plugin",
+			[]string{consts.PluginTypeCredential.String(), "nope_definitely_never_a_plugin_nope"},
+			"",
+			2,
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			client, closer := testVaultServer(t)
+			defer closer()
+
+			ui, cmd := testPluginRegisterCommand(t)
+			cmd.client = client
+
+			args := append([]string{"-sha256", "abcd1234"}, tc.args...)
+			code := cmd.Run(args)
+			if code != tc.code {
+				t.Errorf("expected %d to be %d", code, tc.code)
+			}
+
+			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+			if !strings.Contains(combined, tc.out) {
+				t.Errorf("expected %q to contain %q", combined, tc.out)
+			}
+		})
+	}
+
+	t.Run("integration", func(t *testing.T) {
+		t.Parallel()
+
+		pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
+		defer cleanup(t)
+
+		client, _, closer := testVaultServerPluginDir(t, pluginDir)
+		defer closer()
+
+		pluginName := "my-plugin"
+		_, sha256Sum := testPluginCreate(t, pluginDir, pluginName)
+
+		ui, cmd := testPluginRegisterCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"-sha256", sha256Sum,
+			consts.PluginTypeCredential.String(), pluginName,
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Success! Registered plugin: my-plugin"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+
+		resp, err := client.Sys().ListPlugins(&api.ListPluginsInput{
+			Type: api.PluginTypeCredential,
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		found := false
+		for _, plugins := range resp.PluginsByType {
+			for _, p := range plugins {
+				if p == pluginName {
+					found = true
+				}
+			}
+		}
+		if !found {
+			t.Errorf("expected %q to be in %q", pluginName, resp.PluginsByType)
+		}
+	})
+
+	t.Run("integration with version", func(t *testing.T) {
+		t.Parallel()
+
+		pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
+		defer cleanup(t)
+
+		client, _, closer := testVaultServerPluginDir(t, pluginDir)
+		defer closer()
+
+		const pluginName = "my-plugin"
+		versions := []string{"v1.0.0", "v2.0.1"}
+		_, sha256Sum := testPluginCreate(t, pluginDir, pluginName)
+		types := []api.PluginType{api.PluginTypeCredential, api.PluginTypeDatabase, api.PluginTypeSecrets}
+
+		for _, typ := range types {
+			for _, version := range versions {
+				ui, cmd := testPluginRegisterCommand(t)
+				cmd.client = client
+
+				code := cmd.Run([]string{
+					"-version=" + version,
+					"-sha256=" + sha256Sum,
+					typ.String(),
+					pluginName,
+				})
+				if exp := 0; code != exp {
+					t.Errorf("expected %d to be %d", code, exp)
+				}
+
+				expected := "Success! Registered plugin: my-plugin"
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, expected) {
+					t.Errorf("expected %q to contain %q", combined, expected)
+				}
+			}
+		}
+
+		resp, err := client.Sys().ListPlugins(&api.ListPluginsInput{
+			Type: api.PluginTypeUnknown,
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		found := make(map[api.PluginType]int)
+		versionsFound := make(map[api.PluginType][]string)
+		for _, p := range resp.Details {
+			if p.Name == pluginName {
+				typ, err := api.ParsePluginType(p.Type)
+				if err != nil {
+					t.Fatal(err)
+				}
+				found[typ]++
+				versionsFound[typ] = append(versionsFound[typ], p.Version)
+			}
+		}
+
+		for _, typ := range types {
+			if found[typ] != 2 {
+				t.Fatalf("expected %q to be found 2 times, but found it %d times for %s type in %#v", pluginName, found[typ], typ.String(), resp.Details)
+			}
+			sort.Strings(versions)
+			sort.Strings(versionsFound[typ])
+			if !reflect.DeepEqual(versions, versionsFound[typ]) {
+				t.Fatalf("expected %v versions but got %v", versions, versionsFound[typ])
+			}
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testPluginRegisterCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"-sha256", "abcd1234",
+			consts.PluginTypeCredential.String(), "my-plugin",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error registering plugin my-plugin:"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testPluginRegisterCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
+
+// TestFlagParsing ensures that flags passed to vault plugin register correctly
+// translate into the expected JSON body and request path.
+func TestFlagParsing(t *testing.T) {
+	for name, tc := range map[string]struct {
+		pluginType      api.PluginType
+		name            string
+		command         string
+		ociImage        string
+		runtime         string
+		version         string
+		sha256          string
+		args            []string
+		env             []string
+		expectedPayload string
+	}{
+		"minimal": {
+			pluginType:      api.PluginTypeUnknown,
+			name:            "foo",
+			sha256:          "abc123",
+			expectedPayload: `{"type":0,"command":"foo","sha256":"abc123"}`,
+		},
+		"full": {
+			pluginType:      api.PluginTypeCredential,
+			name:            "name",
+			command:         "cmd",
+			ociImage:        "image",
+			runtime:         "runtime",
+			version:         "v1.0.0",
+			sha256:          "abc123",
+			args:            []string{"--a=b", "--b=c", "positional"},
+			env:             []string{"x=1", "y=2"},
+			expectedPayload: `{"type":1,"args":["--a=b","--b=c","positional"],"command":"cmd","sha256":"abc123","version":"v1.0.0","oci_image":"image","runtime":"runtime","env":["x=1","y=2"]}`,
+		},
+		"command remains empty if oci_image specified": {
+			pluginType:      api.PluginTypeCredential,
+			name:            "name",
+			ociImage:        "image",
+			sha256:          "abc123",
+			expectedPayload: `{"type":1,"sha256":"abc123","oci_image":"image"}`,
+		},
+	} {
+		tc := tc
+		t.Run(name, func(t *testing.T) {
+			ui, cmd := testPluginRegisterCommand(t)
+			var requestLogger *recordingRoundTripper
+			cmd.client, requestLogger = mockClient(t)
+
+			var args []string
+			if tc.command != "" {
+				args = append(args, "-command="+tc.command)
+			}
+			if tc.ociImage != "" {
+				args = append(args, "-oci_image="+tc.ociImage)
+			}
+			if tc.runtime != "" {
+				args = append(args, "-runtime="+tc.runtime)
+			}
+			if tc.sha256 != "" {
+				args = append(args, "-sha256="+tc.sha256)
+			}
+			if tc.version != "" {
+				args = append(args, "-version="+tc.version)
+			}
+			for _, arg := range tc.args {
+				args = append(args, "-args="+arg)
+			}
+			for _, env := range tc.env {
+				args = append(args, "-env="+env)
+			}
+			if tc.pluginType != api.PluginTypeUnknown {
+				args = append(args, tc.pluginType.String())
+			}
+			args = append(args, tc.name)
+			t.Log(args)
+
+			code := cmd.Run(args)
+			if exp := 0; code != exp {
+				t.Fatalf("expected %d to be %d\nstdout: %s\nstderr: %s", code, exp, ui.OutputWriter.String(), ui.ErrorWriter.String())
+			}
+
+			actual := &api.RegisterPluginInput{}
+			expected := &api.RegisterPluginInput{}
+			err := json.Unmarshal(requestLogger.body, actual)
+			if err != nil {
+				t.Fatal(err)
+			}
+			err = json.Unmarshal([]byte(tc.expectedPayload), expected)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if !reflect.DeepEqual(expected, actual) {
+				t.Errorf("expected: %s\ngot: %s", tc.expectedPayload, requestLogger.body)
+			}
+			expectedPath := fmt.Sprintf("/v1/sys/plugins/catalog/%s/%s", tc.pluginType.String(), tc.name)
+			if tc.pluginType == api.PluginTypeUnknown {
+				expectedPath = fmt.Sprintf("/v1/sys/plugins/catalog/%s", tc.name)
+			}
+			if requestLogger.path != expectedPath {
+				t.Errorf("Expected path %s, got %s", expectedPath, requestLogger.path)
+			}
+		})
+	}
+}
diff --git a/ui/app/templates/components/keymgmt/distribute.hbs b/ui/app/templates/components/keymgmt/distribute.hbs
index ec9fdbc06392..57e32a57f14d 100644
--- a/ui/app/templates/components/keymgmt/distribute.hbs
+++ b/ui/app/templates/components/keymgmt/distribute.hbs
@@ -1,174 +1,139 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-{{#if @backend}}
-  {{#if this.formErrors}}
-    <Hds::Alert data-test-keymgmt-distribute-error @type="inline" @color="critical" as |A|>
-      <A.Title>Error</A.Title>
-      <A.Description>{{this.formErrors}}</A.Description>
-    </Hds::Alert>
-  {{/if}}
-  <form {{on "submit" (perform this.createDistribution)}} class="form-section" data-test-keymgmt-distribution-form>
-    {{#unless @key}}
-      <div class="field" data-test-keymgmt-dist-key>
-        <SearchSelect
-          @id="key"
-          @models={{array "keymgmt/key"}}
-          @onChange={{this.handleKeySelect}}
-          @passObject={{true}}
-          @inputValue={{this.formData.key}}
-          @subText="Type to use the name of an existing key that you’d like to add to this provider, or to create one."
-          @wildcardLabel="key"
-          @label="Key name"
-          @fallbackComponent="string-list"
-          @selectLimit="1"
-          @backend={{@backend}}
-          @disallowNewItems={{false}}
-        >
-          {{#if (and this.validMatchError.key (not this.isNewKey))}}
-            <AlertInline @paddingTop={{true}} @sizeSmall={{true}} @type="danger" data-test-keymgmt-error="key">
-              {{this.validMatchError.key}}
-              To check compatibility,
-              <DocLink class="doc-link-subtle" @path="/vault/docs/secrets/key-management#compatibility">refer to this table</DocLink>.
-            </AlertInline>
-          {{/if}}
-        </SearchSelect>
-      </div>
-    {{/unless}}
-
-    {{#if this.isNewKey}}
-      <div class="field">
-        <label class="is-label" for="keyType">Key Type</label>
-        <p class="sub-text">The type of cryptographic key that will be created.</p>
-        <div class="control is-expanded">
-          <div class="select is-fullwidth">
-            <select
-              name="keyType"
-              id="keyType"
-              {{on "change" this.handleKeyType}}
-              class={{if this.validMatchError.key "has-error-border"}}
-              data-test-keymgmt-dist-keytype
-            >
-              <option value="">
-                Select one
-              </option>
-              {{#each this.keyTypes as |val|}}
-                <option selected={{eq this.keyType val}} value={{val}}>
-                  {{val}}
-                </option>
-              {{/each}}
-            </select>
-          </div>
-          {{#if this.validMatchError.key}}
-            <AlertInline @paddingTop={{true}} @sizeSmall={{true}} @type="danger" data-test-keymgmt-error="new-key">
-              {{this.validMatchError.key}}
-              To check compatibility,
-              <DocLink class="doc-link-subtle" @path="/vault/docs/secrets/key-management#compatibility">refer to this table</DocLink>.
-            </AlertInline>
-          {{/if}}
-        </div>
-      </div>
-    {{/if}}
-
-    {{#unless @provider}}
-      <div class="field">
-        <SearchSelect
-          @id="provider"
-          @models={{array "keymgmt/provider"}}
-          @onChange={{this.handleProvider}}
-          @passObject={{false}}
-          @inputValue={{this.formData.provider}}
-          @subText="Select a provider in Vault. If it doesn’t exist yet, you’ll need to add it first."
-          @label="Provider"
-          @fallbackComponent="input-search"
-          @selectLimit="1"
-          @backend={{@backend}}
-          @disallowNewItems={{true}}
-          data-test-keymgmt-dist-provider
-        >
-          {{#if this.validMatchError.provider}}
-            <AlertInline @paddingTop={{true}} @sizeSmall={{true}} @type="danger" data-test-keymgmt-error="provider">
-              {{this.validMatchError.provider}}
-              To check compatibility,
-              <DocLink class="doc-link-subtle" @path="/vault/docs/secrets/key-management#compatibility">refer to this table</DocLink>.
-            </AlertInline>
-          {{/if}}
-        </SearchSelect>
-      </div>
-    {{/unless}}
-
-    <fieldset
-      class="field form-fieldset"
-      id="operations"
-      disabled={{this.disableOperations}}
-      data-test-keymgmt-dist-operations
-    >
-      <legend class="is-label">Operations</legend>
-      <p class="sub-text">The types of operations this key can perform in the provider.</p>
-      {{#each this.operations as |op|}}
-        <div class="b-checkbox">
-          <Input
-            @type="checkbox"
-            id={{op}}
-            class="styled"
-            @checked={{false}}
-            {{on "input" this.handleOperation}}
-            data-test-operation={{op}}
-          />
-          <label for={{op}}>{{capitalize op}}</label>
-        </div>
-      {{/each}}
-    </fieldset>
-
-    <fieldset class="field form-fieldset" id="protection" data-test-keymgmt-dist-protections>
-      <legend class="is-label">Protection</legend>
-      <p class="sub-text">Specifies the protection of the key.</p>
-      <div>
-        <RadioButton
-          id="protection-hsm"
-          name="hsm"
-          class="radio"
-          data-test-protection="hsm"
-          @value="hsm"
-          @groupValue={{this.formData.protection}}
-          @onChange={{fn (mut this.formData.protection)}}
-        />
-        <label for="protection-hsm">HSM</label>
-      </div>
-      <div>
-        <RadioButton
-          id="protection-software"
-          name="software"
-          class="radio"
-          data-test-protection="software"
-          @value="software"
-          @groupValue={{this.formData.protection}}
-          @onChange={{fn (mut this.formData.protection)}}
-        />
-        <label for="protection-software">Software</label>
-      </div>
-    </fieldset>
-
-    <div class="field is-grouped box is-fullwidth is-bottomless">
-      <div class="control">
-        <button
-          type="submit"
-          disabled={{or this.validationErrorCount this.createDistribution.isRunning}}
-          class="button is-primary"
-          data-test-secret-save={{true}}
-        >
-          {{#if this.createDistribution.isRunning}}
-            <span class="loader is-inline-block"></span>
-          {{else}}
-            {{if (or (not @key) this.isNewKey) "Add key" "Distribute key"}}
-          {{/if}}
-        </button>
-      </div>
-      <div class="control">
-        <Hds::Button @text="Cancel" @color="secondary" {{on "click" @onClose}} />
-      </div>
-    </div>
-  </form>
-{{/if}}
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*PluginReloadCommand)(nil)
+	_ cli.CommandAutocomplete = (*PluginReloadCommand)(nil)
+)
+
+type PluginReloadCommand struct {
+	*BaseCommand
+	plugin string
+	mounts []string
+	scope  string
+}
+
+func (c *PluginReloadCommand) Synopsis() string {
+	return "Reload mounted plugin backend"
+}
+
+func (c *PluginReloadCommand) Help() string {
+	helpText := `
+Usage: vault plugin reload [options]
+
+  Reloads mounted plugins. Either the plugin name or the desired plugin 
+  mount(s) must be provided, but not both. In case the plugin name is provided,
+  all of its corresponding mounted paths that use the plugin backend will be reloaded.
+
+  Reload the plugin named "my-custom-plugin":
+
+	  $ vault plugin reload -plugin=my-custom-plugin
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *PluginReloadCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP)
+
+	f := set.NewFlagSet("Command Options")
+
+	f.StringVar(&StringVar{
+		Name:       "plugin",
+		Target:     &c.plugin,
+		Completion: complete.PredictAnything,
+		Usage:      "The name of the plugin to reload, as registered in the plugin catalog.",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:       "mounts",
+		Target:     &c.mounts,
+		Completion: complete.PredictAnything,
+		Usage:      "Array or comma-separated string mount paths of the plugin backends to reload.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "scope",
+		Target:     &c.scope,
+		Completion: complete.PredictAnything,
+		Usage:      "The scope of the reload, omitted for local, 'global', for replicated reloads",
+	})
+
+	return set
+}
+
+func (c *PluginReloadCommand) AutocompleteArgs() complete.Predictor {
+	return nil
+}
+
+func (c *PluginReloadCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *PluginReloadCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	positionalArgs := len(f.Args())
+	switch {
+	case positionalArgs != 0:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", positionalArgs))
+		return 1
+	case c.plugin == "" && len(c.mounts) == 0:
+		c.UI.Error("No plugins specified, must specify exactly one of -plugin or -mounts")
+		return 1
+	case c.plugin != "" && len(c.mounts) > 0:
+		c.UI.Error("Must specify exactly one of -plugin or -mounts")
+		return 1
+	case c.scope != "" && c.scope != "global":
+		c.UI.Error(fmt.Sprintf("Invalid reload scope: %s", c.scope))
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	rid, err := client.Sys().ReloadPlugin(&api.ReloadPluginInput{
+		Plugin: c.plugin,
+		Mounts: c.mounts,
+		Scope:  c.scope,
+	})
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error reloading plugin/mounts: %s", err))
+		return 2
+	}
+
+	if len(c.mounts) > 0 {
+		if rid != "" {
+			c.UI.Output(fmt.Sprintf("Success! Reloading mounts: %s, reload_id: %s", c.mounts, rid))
+		} else {
+			c.UI.Output(fmt.Sprintf("Success! Reloaded mounts: %s", c.mounts))
+		}
+	} else {
+		if rid != "" {
+			c.UI.Output(fmt.Sprintf("Success! Reloading plugin: %s, reload_id: %s", c.plugin, rid))
+		} else {
+			c.UI.Output(fmt.Sprintf("Success! Reloaded plugin: %s", c.plugin))
+		}
+	}
+
+	return 0
+}
diff --git a/ui/app/templates/components/mfa/mfa-form.hbs b/ui/app/templates/components/mfa/mfa-form.hbs
index 5ec07b60a172..c653955978aa 100644
--- a/ui/app/templates/components/mfa/mfa-form.hbs
+++ b/ui/app/templates/components/mfa/mfa-form.hbs
@@ -1,78 +1,96 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<div class="auth-form" data-test-mfa-form>
-  <div class="box is-marginless is-shadowless">
-    <p data-test-mfa-description>
-      {{this.description}}
-    </p>
-    <form id="auth-form" {{on "submit" this.submit}}>
-      <MessageError @errorMessage={{this.error}} />
-      <div class="field has-top-margin-l">
-        {{#each this.constraints as |constraint index|}}
-          {{#if index}}
-            <hr />
-          {{/if}}
-          {{#if (gt constraint.methods.length 1)}}
-            <Select
-              @label="Multi-factor authentication method"
-              @options={{constraint.methods}}
-              @valueAttribute={{"id"}}
-              @labelAttribute={{"label"}}
-              @isFullwidth={{true}}
-              @noDefault={{true}}
-              @selectedValue={{constraint.selectedId}}
-              @onChange={{fn this.onSelect constraint}}
-              data-test-mfa-select={{index}}
-            />
-          {{else}}
-            <label for="passcode" class="is-label" data-test-mfa-label>
-              {{constraint.selectedMethod.label}}
-            </label>
-          {{/if}}
-          {{#if constraint.selectedMethod.uses_passcode}}
-            <div class="control">
-              {{! template-lint-disable no-autofocus-attribute}}
-              <Input
-                id="passcode"
-                name="passcode"
-                class="input"
-                autocomplete="off"
-                placeholder={{if (gt constraint.methods.length 1) "Enter passcode"}}
-                spellcheck="false"
-                autofocus="true"
-                disabled={{or this.validate.isRunning this.newCodeDelay.isRunning}}
-                @value={{constraint.passcode}}
-                data-test-mfa-passcode={{index}}
-              />
-              {{! template-lint-enable no-autofocus-attribute}}
-            </div>
-          {{else if (eq constraint.methods.length 1)}}
-            <p class="has-text-grey-400" data-test-mfa-push-instruction>
-              Check device for push notification
-            </p>
-          {{/if}}
-        {{/each}}
-      </div>
-      {{#if this.newCodeDelay.isRunning}}
-        <div>
-          <AlertInline @type="danger" @sizeSmall={{true}} @message={{this.codeDelayMessage}} />
-        </div>
-      {{/if}}
-      <Hds::Button
-        @text="Verify"
-        @icon={{if this.validate.isRunning "loading"}}
-        id="validate"
-        type="submit"
-        disabled={{or this.validate.isRunning this.newCodeDelay.isRunning}}
-        data-test-mfa-validate
-      />
-      {{#if this.newCodeDelay.isRunning}}
-        <Icon @name="delay" class="has-text-grey" />
-        <span class="has-text-grey is-v-centered" data-test-mfa-countdown>{{this.countdown}}</span>
-      {{/if}}
-    </form>
-  </div>
-</div>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*PluginReloadCommand)(nil)
+	_ cli.CommandAutocomplete = (*PluginReloadCommand)(nil)
+)
+
+type PluginReloadStatusCommand struct {
+	*BaseCommand
+}
+
+func (c *PluginReloadStatusCommand) Synopsis() string {
+	return "Get the status of an active or recently completed global plugin reload"
+}
+
+func (c *PluginReloadStatusCommand) Help() string {
+	helpText := `
+Usage: vault plugin reload-status RELOAD_ID
+
+  Retrieves the status of a recent cluster plugin reload.  The reload id must be provided.
+
+	  $ vault plugin reload-status d60a3e83-a598-4f3a-879d-0ddd95f11d4e
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *PluginReloadStatusCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP)
+}
+
+func (c *PluginReloadStatusCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictNothing
+}
+
+func (c *PluginReloadStatusCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *PluginReloadStatusCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
+
+	reloadId := strings.TrimSpace(args[0])
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	r, err := client.Sys().ReloadPluginStatus(&api.ReloadPluginStatusInput{
+		ReloadID: reloadId,
+	})
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error retrieving plugin reload status: %s", err))
+		return 2
+	}
+	out := []string{"Time | Participant | Success | Message "}
+	for i, s := range r.Results {
+		out = append(out, fmt.Sprintf("%s | %s | %t | %s ",
+			s.Timestamp.Format("15:04:05"),
+			i,
+			s.Error == "",
+			s.Error))
+	}
+	c.UI.Output(tableOutput(out, nil))
+	return 0
+}
diff --git a/ui/app/templates/components/mount-backend-form.hbs b/ui/app/templates/components/mount-backend-form.hbs
index d793f078ae1b..f3af275eb4af 100644
--- a/ui/app/templates/components/mount-backend-form.hbs
+++ b/ui/app/templates/components/mount-backend-form.hbs
@@ -1,64 +1,165 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<PageHeader as |p|>
-  <p.levelLeft>
-    <h1 class="title is-3 title-with-icon" data-test-mount-form-header="true">
-      {{#if this.showEnable}}
-        {{#let (find-by "type" @mountModel.type @mountTypes) as |typeInfo|}}
-          <Icon @name={{or typeInfo.glyph typeInfo.type}} @size="24" class="has-text-grey-light" />
-          {{#if (eq @mountType "secret")}}
-            {{concat "Enable " typeInfo.displayName " Secrets Engine"}}
-          {{else}}
-            {{concat "Enable " typeInfo.displayName " Authentication Method"}}
-          {{/if}}
-        {{/let}}
-      {{else if (eq @mountType "secret")}}
-        Enable a Secrets Engine
-      {{else}}
-        Enable an Authentication Method
-      {{/if}}
-    </h1>
-  </p.levelLeft>
-</PageHeader>
-
-<div class="box is-sideless is-bottomless is-fullwidth is-marginless">
-  <NamespaceReminder @mode="enable" @noun={{if (eq @mountType "secret") "Secret Engine" "Auth Method"}} />
-  <MessageError @errorMessage={{this.errorMessage}} />
-  {{#if @mountModel.type}}
-    <form {{on "submit" (perform this.mountBackend)}}>
-      <FormFieldGroups
-        @model={{@mountModel}}
-        @renderGroup="default"
-        @modelValidations={{this.modelValidations}}
-        @onKeyUp={{this.onKeyUp}}
-      />
-      <FormFieldGroups @model={{@mountModel}} @renderGroup="Method Options" />
-
-      <div class="field is-grouped box is-fullwidth is-bottomless">
-        <div class="control">
-          <Hds::Button
-            @text={{if (eq @mountType "secret") "Enable engine" "Enable method"}}
-            @icon={{if this.mountBackend.isRunning "loading"}}
-            type="submit"
-            data-test-mount-submit="true"
-            disabled={{this.mountBackend.isRunning}}
-          />
-        </div>
-        <div class="control">
-          <Hds::Button @text="Back" @color="secondary" data-test-mount-back {{on "click" (fn this.setMountType "")}} />
-        </div>
-        {{#if this.invalidFormAlert}}
-          <div class="control">
-            <AlertInline @type="danger" @paddingTop={{true}} @message={{this.invalidFormAlert}} @mimicRefresh={{true}} />
-          </div>
-        {{/if}}
-      </div>
-    </form>
-  {{else}}
-    {{!  Type not yet set, show type options }}
-    <MountBackend::TypeForm @setMountType={{this.setMountType}} @mountType={{@mountType}} />
-  {{/if}}
-</div>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
+)
+
+func testPluginReloadCommand(tb testing.TB) (*cli.MockUi, *PluginReloadCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &PluginReloadCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func testPluginReloadStatusCommand(tb testing.TB) (*cli.MockUi, *PluginReloadStatusCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &PluginReloadStatusCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestPluginReloadCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"not_enough_args",
+			nil,
+			"No plugins specified, must specify exactly one of -plugin or -mounts",
+			1,
+		},
+		{
+			"too_many_args",
+			[]string{"-plugin", "foo", "-mounts", "bar"},
+			"Must specify exactly one of -plugin or -mounts",
+			1,
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			client, closer := testVaultServer(t)
+			defer closer()
+
+			ui, cmd := testPluginReloadCommand(t)
+			cmd.client = client
+
+			args := append([]string{}, tc.args...)
+			code := cmd.Run(args)
+			if code != tc.code {
+				t.Errorf("expected %d to be %d", code, tc.code)
+			}
+
+			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+			if !strings.Contains(combined, tc.out) {
+				t.Errorf("expected %q to contain %q", combined, tc.out)
+			}
+		})
+	}
+
+	t.Run("integration", func(t *testing.T) {
+		t.Parallel()
+
+		pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
+		defer cleanup(t)
+
+		client, _, closer := testVaultServerPluginDir(t, pluginDir)
+		defer closer()
+
+		pluginName := "my-plugin"
+		_, sha256Sum := testPluginCreateAndRegister(t, client, pluginDir, pluginName, api.PluginTypeCredential, "")
+
+		ui, cmd := testPluginReloadCommand(t)
+		cmd.client = client
+
+		if err := client.Sys().RegisterPlugin(&api.RegisterPluginInput{
+			Name:    pluginName,
+			Type:    api.PluginTypeCredential,
+			Command: pluginName,
+			SHA256:  sha256Sum,
+		}); err != nil {
+			t.Fatal(err)
+		}
+
+		code := cmd.Run([]string{
+			"-plugin", pluginName,
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Success! Reloaded plugin: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+}
+
+func TestPluginReloadStatusCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"not_enough_args",
+			nil,
+			"Not enough arguments",
+			1,
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			client, closer := testVaultServer(t)
+			defer closer()
+
+			ui, cmd := testPluginReloadStatusCommand(t)
+			cmd.client = client
+
+			args := append([]string{}, tc.args...)
+			code := cmd.Run(args)
+			if code != tc.code {
+				t.Errorf("expected %d to be %d", code, tc.code)
+			}
+
+			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+			if !strings.Contains(combined, tc.out) {
+				t.Errorf("expected %q to contain %q", combined, tc.out)
+			}
+		})
+	}
+}
diff --git a/ui/app/templates/components/mount-info.hbs b/ui/app/templates/components/mount-info.hbs
deleted file mode 100644
index ccc276cdd38b..000000000000
--- a/ui/app/templates/components/mount-info.hbs
+++ /dev/null
@@ -1,34 +0,0 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<PageHeader as |p|>
-  <p.top>
-    <KeyValueHeader @baseKey={{this.model}} @path="vault.cluster.access.method" @root={{this.root}} @showCurrent={{true}} />
-  </p.top>
-  <p.levelLeft>
-    <h1 class="title is-3">
-      {{titleize this.model.methodType}}
-    </h1>
-  </p.levelLeft>
-  <p.levelRight>
-    {{#if (eq this.section "configuration")}}
-      <div class="field is-grouped">
-        <div class="control">
-          <LinkTo
-            @route="vault.cluster.settings.auth.configure"
-            @model={{this.model.id}}
-            class="button is-ghost has-icon-right is-compact"
-            data-test-configure-link={{true}}
-          >
-            Configure
-            <Chevron />
-          </LinkTo>
-        </div>
-      </div>
-    {{/if}}
-  </p.levelRight>
-</PageHeader>
-{{section-tabs this.model "authShow"}}
-{{component (concat "auth-method/" this.section) model=this.model}}
\ No newline at end of file
diff --git a/ui/app/templates/components/namespace-link.hbs b/ui/app/templates/components/namespace-link.hbs
index 14f99ced3b04..ce15bb31fdbf 100644
--- a/ui/app/templates/components/namespace-link.hbs
+++ b/ui/app/templates/components/namespace-link.hbs
@@ -1,21 +1,54 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-<ExternalLink
-  @href={{this.namespaceLink}}
-  @sameTab={{true}}
-  class={{concat "is-block " this.class}}
-  data-test-namespace-link={{this.normalizedNamespace}}
->
-  {{#if (has-block)}}
-    {{yield}}
-  {{else}}
-    <div class="level is-mobile">
-      <span class="level-left">{{this.namespaceDisplay}}</span>
-      <span class="level-right">
-        <Chevron @isButton={{true}} class="button is-ghost icon has-text-grey" />
-      </span>
-    </div>
-  {{/if}}
-</ExternalLink>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+
+	"github.com/hashicorp/cli"
+)
+
+var _ cli.Command = (*PluginRuntimeCommand)(nil)
+
+type PluginRuntimeCommand struct {
+	*BaseCommand
+}
+
+func (c *PluginRuntimeCommand) Synopsis() string {
+	return "Interact with Vault plugin runtimes catalog."
+}
+
+func (c *PluginRuntimeCommand) Help() string {
+	helpText := `
+Usage: vault plugin runtime <subcommand> [options] [args]
+
+  This command groups subcommands for interacting with Vault's plugin runtimes and the
+  plugin runtime catalog. The plugin runtime catalog is divided into types. Currently,
+  Vault only supports "container" plugin runtimes. A plugin runtime allows users to 
+  fine-tune the parameters with which a plugin is executed. For example, you can select 
+  a different OCI-compatible runtime, or set resource limits. A plugin runtime can 
+  optionally be referenced during plugin registration. A type must be specified on each call. 
+  Here are a few examples of the plugin runtime commands.
+
+  List all available plugin runtimes in the catalog of a particular type:
+
+      $ vault plugin runtime list -type=container
+
+  Register a new plugin runtime to the catalog as a particular type:
+
+      $ vault plugin runtime register -type=container -oci_runtime=my-oci-runtime my-custom-plugin-runtime
+
+  Get information about a plugin runtime in the catalog listed under a particular type:
+
+      $ vault plugin runtime info -type=container my-custom-plugin-runtime
+
+  Please see the individual subcommand help for detailed usage information.
+`
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *PluginRuntimeCommand) Run(args []string) int {
+	return cli.RunResultHelp
+}
diff --git a/ui/app/templates/components/namespace-picker.hbs b/ui/app/templates/components/namespace-picker.hbs
index 9af86128ebe8..47b790f2cc03 100644
--- a/ui/app/templates/components/namespace-picker.hbs
+++ b/ui/app/templates/components/namespace-picker.hbs
@@ -1,109 +1,124 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<div class="namespace-picker" ...attributes>
-  <BasicDropdown @horizontalPosition="left" @verticalPosition="above" as |D|>
-    <D.Trigger
-      @htmlTag="button"
-      class="button is-transparent namespace-picker-trigger has-current-color"
-      data-test-namespace-toggle
-    >
-      <div class="is-flex-center is-flex-1">
-        <Icon @name="org" />
-        <span class="is-flex-1 is-word-break has-text-left is-size-6 has-left-margin-xs">{{this.namespaceDisplay}}</span>
-      </div>
-      <Icon @name="caret" />
-    </D.Trigger>
-    <D.Content @defaultClass="namespace-picker-content">
-      <div class="is-mobile level-left">
-        <h5 class="list-header">Current namespace</h5>
-      </div>
-      <div class="namespace-header-bar level is-mobile">
-        <div class="level-left">
-          <header>
-            <div class="level is-mobile namespace-link">
-              <span class="level-left" data-test-current-namespace>
-                {{if this.namespacePath (concat this.namespacePath "/") "root"}}
-              </span>
-            </div>
-          </header>
-        </div>
-      </div>
-      <div class="namespace-list {{if this.isAnimating 'animated-list'}}">
-        {{#if this.auth.isRootToken}}
-          <div class="has-left-margin-s has-right-margin-s">
-            <span><Icon @name="alert-triangle-fill" class="has-text-highlight" /></span>
-            <span class="is-size-8 has-text-semibold">
-              You are logged in with a root token and will have to reauthenticate when switching namespaces.
-            </span>
-          </div>
-        {{/if}}
-
-        <div class="is-mobile level-left">
-          {{#unless this.isUserRootNamespace}}
-            <NamespaceLink
-              @targetNamespace={{or
-                (object-at (dec 2 this.menuLeaves.length) this.lastMenuLeaves)
-                this.auth.authData.userRootNamespace
-              }}
-              @class="namespace-link is-current button is-transparent icon"
-            >
-              <Chevron @direction="left" @class="has-text-grey" />
-            </NamespaceLink>
-          {{/unless}}
-          <h5 class="list-header">Namespaces</h5>
-        </div>
-        {{#if (includes "" this.lastMenuLeaves)}}
-          {{! leaf is '' which is the root namespace, and then we need to iterate the root leaves }}
-          <div class="leaf-panel {{if (eq '' this.currentLeaf) 'leaf-panel-current' 'leaf-panel-left'}} ">
-            {{#each this.rootLeaves as |rootLeaf|}}
-              <NamespaceLink @targetNamespace={{rootLeaf}} @class="namespace-link" @showLastSegment={{true}} />
-            {{/each}}
-          </div>
-        {{/if}}
-        {{#each this.lastMenuLeaves as |leaf|}}
-          {{#if leaf}}
-            <div
-              class="leaf-panel
-                {{if (eq leaf this.currentLeaf) 'leaf-panel-current' 'leaf-panel-left'}}
-                {{if (and this.isAdding (eq leaf this.changedLeaf)) 'leaf-panel-adding'}}
-                {{if (and (not this.isAdding) (eq leaf this.changedLeaf)) 'leaf-panel-exiting'}}
-                "
-            >
-              {{#each-in (get this.namespaceTree leaf) as |leafName|}}
-                <NamespaceLink
-                  @targetNamespace={{concat leaf "/" leafName}}
-                  @class="namespace-link"
-                  @showLastSegment={{true}}
-                />
-              {{/each-in}}
-            </div>
-          {{/if}}
-        {{/each}}
-        {{#if this.canList}}
-          <div class="leaf-panel leaf-panel-current">
-            <div class="level">
-              <span class="level-left">
-                <LinkTo @route="vault.cluster.access.namespaces" class="is-block namespace-link namespace-manage-link">
-                  Manage Namespaces
-                </LinkTo>
-              </span>
-              <span class="level-right">
-                <Hds::Button
-                  @text="Refresh namespace list"
-                  @icon="reload"
-                  @isIconOnly={{true}}
-                  @color="tertiary"
-                  data-test-refresh-namespaces
-                  {{on "click" (action "refreshNamespaceList")}}
-                />
-              </span>
-            </div>
-          </div>
-        {{/if}}
-      </div>
-    </D.Content>
-  </BasicDropdown>
-</div>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*PluginRuntimeDeregisterCommand)(nil)
+	_ cli.CommandAutocomplete = (*PluginRuntimeDeregisterCommand)(nil)
+)
+
+type PluginRuntimeDeregisterCommand struct {
+	*BaseCommand
+
+	flagType string
+}
+
+func (c *PluginRuntimeDeregisterCommand) Synopsis() string {
+	return "Deregister an existing plugin runtime in the catalog"
+}
+
+func (c *PluginRuntimeDeregisterCommand) Help() string {
+	helpText := `
+Usage: vault plugin runtime deregister [options] NAME
+
+  Deregister an existing plugin runtime in the catalog with the given name. If
+  any registered plugin references the plugin runtime, an error is returned. If
+  the plugin runtime does not exist, an error is returned. The -type flag
+  currently only accepts "container".
+
+  Deregister a plugin runtime:
+
+      $ vault plugin runtime deregister -type=container my-plugin-runtime
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *PluginRuntimeDeregisterCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
+
+	f := set.NewFlagSet("Command Options")
+
+	f.StringVar(&StringVar{
+		Name:       "type",
+		Target:     &c.flagType,
+		Completion: complete.PredictAnything,
+		Usage:      "Plugin runtime type. Vault currently only supports \"container\" runtime type.",
+	})
+
+	return set
+}
+
+func (c *PluginRuntimeDeregisterCommand) AutocompleteArgs() complete.Predictor {
+	return nil
+}
+
+func (c *PluginRuntimeDeregisterCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *PluginRuntimeDeregisterCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	runtimeTyeRaw := strings.TrimSpace(c.flagType)
+	if len(runtimeTyeRaw) == 0 {
+		c.UI.Error("-type is required for plugin runtime deregistration")
+		return 1
+	}
+
+	runtimeType, err := api.ParsePluginRuntimeType(runtimeTyeRaw)
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	var runtimeNameRaw string
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+
+	// This case should come after invalid cases have been checked
+	case len(args) == 1:
+		runtimeNameRaw = args[0]
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	runtimeName := strings.TrimSpace(runtimeNameRaw)
+	if err = client.Sys().DeregisterPluginRuntime(context.Background(), &api.DeregisterPluginRuntimeInput{
+		Name: runtimeName,
+		Type: runtimeType,
+	}); err != nil {
+		c.UI.Error(fmt.Sprintf("Error deregistering plugin runtime named %s: %s", runtimeName, err))
+		return 2
+	}
+
+	c.UI.Output(fmt.Sprintf("Success! Deregistered plugin runtime: %s", runtimeName))
+	return 0
+}
diff --git a/ui/app/templates/components/oidc/assignment-form.hbs b/ui/app/templates/components/oidc/assignment-form.hbs
index 8ce86f21687a..1569fceb3f11 100644
--- a/ui/app/templates/components/oidc/assignment-form.hbs
+++ b/ui/app/templates/components/oidc/assignment-form.hbs
@@ -1,69 +1,116 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<form {{on "submit" (perform this.save)}}>
-  <div class="box is-sideless is-fullwidth is-marginless">
-    <MessageError @errorMessage={{this.errorBanner}} />
-    <FormFieldLabel for="name" @label="Name" />
-    <input
-      autocomplete="off"
-      spellcheck="false"
-      value={{@model.name}}
-      disabled={{not @model.isNew}}
-      class="input field {{if this.modelValidations.name.errors 'has-error-border'}}"
-      {{on "input" this.handleOperation}}
-      data-test-input="name"
-    />
-    {{#if this.modelValidations.name.errors}}
-      <AlertInline @type="danger" @message={{join ", " this.modelValidations.name.errors}} />
-    {{/if}}
-    <SearchSelect
-      @id="entities"
-      @label="Entities"
-      @placeholder="Search"
-      @renderInPlace={{true}}
-      @models={{array "identity/entity"}}
-      @inputValue={{@model.entityIds}}
-      @shouldRenderName={{true}}
-      @onChange={{this.onEntitiesSelect}}
-      @disallowNewItems={{true}}
-      @fallbackComponent="string-list"
-      data-test-search-select="entities"
-    />
-    <SearchSelect
-      @id="groups"
-      @label="Groups"
-      @placeholder="Search"
-      @renderInPlace={{true}}
-      @models={{array "identity/group"}}
-      @inputValue={{@model.groupIds}}
-      @shouldRenderName={{true}}
-      @onChange={{this.onGroupsSelect}}
-      @disallowNewItems={{true}}
-      @fallbackComponent="string-list"
-      data-test-search-select="groups"
-    />
-  </div>
-  <div class="has-top-padding-s">
-    <Hds::Button
-      @text={{if @model.isNew "Create" "Update"}}
-      @icon={{if this.save.isRunning "loading"}}
-      type="submit"
-      disabled={{this.save.isRunning}}
-      data-test-oidc-assignment-save
-    />
-    <Hds::Button
-      @text="Cancel"
-      @color="secondary"
-      class="has-left-margin-s"
-      disabled={{this.save.isRunning}}
-      {{on "click" this.cancel}}
-      data-test-oidc-assignment-cancel
-    />
-    {{#if this.modelValidations.targets.errors}}
-      <AlertInline @type="danger" @message={{join ", " this.modelValidations.targets.errors}} @paddingTop={{true}} />
-    {{/if}}
-  </div>
-</form>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"regexp"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+)
+
+func testPluginRuntimeDeregisterCommand(tb testing.TB) (*cli.MockUi, *PluginRuntimeDeregisterCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &PluginRuntimeDeregisterCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestPluginRuntimeDeregisterCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"not_enough_args",
+			[]string{"-type=container"},
+			"Not enough arguments",
+			1,
+		},
+		{
+			"too_many_args",
+			[]string{"-type=container", "foo", "baz"},
+			"Too many arguments",
+			1,
+		},
+		{
+			"invalid_runtime_type",
+			[]string{"-type=foo", "bar"},
+			"\"foo\" is not a supported plugin runtime type",
+			2,
+		},
+		{
+			"info_container_on_empty_plugin_runtime_catalog",
+			[]string{"-type=container", "my-plugin-runtime"},
+			"Error deregistering plugin runtime named my-plugin-runtime",
+			2,
+		},
+	}
+
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range cases {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				ui, cmd := testPluginRuntimeDeregisterCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				matcher := regexp.MustCompile(tc.out)
+				if !matcher.MatchString(combined) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testPluginRuntimeDeregisterCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{"-type=container", "my-plugin-runtime"})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error deregistering plugin runtime named my-plugin-runtime"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testPluginRuntimeDeregisterCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
diff --git a/ui/app/templates/components/oidc/client-form.hbs b/ui/app/templates/components/oidc/client-form.hbs
index e2c0a9def19b..22c95a233570 100644
--- a/ui/app/templates/components/oidc/client-form.hbs
+++ b/ui/app/templates/components/oidc/client-form.hbs
@@ -1,104 +1,140 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<PageHeader as |p|>
-  <p.top>
-    <nav class="breadcrumb">
-      <ul>
-        <li>
-          <span class="sep">&#x0002f;</span>
-          {{#if @model.isNew}}
-            <LinkTo @route="vault.cluster.access.oidc.clients">
-              Applications
-            </LinkTo>
-          {{else}}
-            <LinkTo @route="vault.cluster.access.oidc.clients.client.details" @model={{@model.name}}>
-              Details
-            </LinkTo>
-          {{/if}}
-        </li>
-      </ul>
-    </nav>
-  </p.top>
-  <p.levelLeft>
-    <h1 class="title is-3" data-test-oidc-client-title>
-      {{if @model.isNew "Create" "Edit"}}
-      Application
-    </h1>
-  </p.levelLeft>
-</PageHeader>
-<form {{on "submit" (perform this.save)}}>
-  <div class="box is-sideless is-fullwidth is-bottomless">
-    <MessageError @errorMessage={{this.errorBanner}} />
-    {{#each @model.formFields as |attr|}}
-      <FormField @attr={{attr}} @model={{@model}} @modelValidations={{this.modelValidations}} />
-    {{/each}}
-
-    {{! MORE OPTIONS TOGGLE }}
-    <FormFieldGroups @renderGroup="More options" @model={{@model}} @modelValidations={{this.modelValidations}} />
-  </div>
-  {{! RADIO CARD + SEARCH SELECT }}
-  <div class="box is-sideless is-fullwidth is-marginless has-top-padding-xxl">
-    <h4 class="title is-4">Assign access</h4>
-    <div class="is-flex-row">
-      <RadioCard
-        data-test-oidc-radio="allow-all"
-        @title="Allow everyone to access existing"
-        @description="All Vault entities can authenticate through this application."
-        @icon="org"
-        @value="allow_all"
-        @groupValue={{this.radioCardGroupValue}}
-        @onChange={{this.handleAssignmentSelection}}
-      />
-      <RadioCard
-        data-test-oidc-radio="limited"
-        @title="Limit access to selected users"
-        @description="Choose or create an assignment to give access to selected entities."
-        @icon="users"
-        @value="limited"
-        @groupValue={{this.radioCardGroupValue}}
-        @onChange={{this.handleAssignmentSelection}}
-      />
-    </div>
-    {{#if (eq this.radioCardGroupValue "limited")}}
-      <SearchSelectWithModal
-        @id="assignments"
-        @label="Assignment name"
-        @subText="Search for an existing assignment, or type a new name to create it."
-        @models={{array "oidc/assignment"}}
-        @inputValue={{this.modelAssignments}}
-        @onChange={{this.handleAssignmentSelection}}
-        @excludeOptions={{array "allow_all"}}
-        @fallbackComponent="string-list"
-        @modalFormTemplate="modal-form/oidc-assignment-template"
-        @modalSubtext="Use assignment to specify which Vault entities and groups are allowed to authenticate."
-      />
-    {{/if}}
-  </div>
-  <div class="field box is-fullwidth is-bottomless">
-    <div class="control">
-      <Hds::Button
-        @text={{if @model.isNew "Create" "Update"}}
-        @icon={{if this.save.isRunning "loading"}}
-        type="submit"
-        disabled={{this.save.isRunning}}
-        data-test-oidc-client-save
-      />
-      <Hds::Button
-        @text="Cancel"
-        @color="secondary"
-        class="has-left-margin-s"
-        disabled={{this.save.isRunning}}
-        {{on "click" this.cancel}}
-        data-test-oidc-client-cancel
-      />
-    </div>
-    {{#if this.invalidFormAlert}}
-      <div class="control">
-        <AlertInline @type="danger" @paddingTop={{true}} @message={{this.invalidFormAlert}} @mimicRefresh={{true}} />
-      </div>
-    {{/if}}
-  </div>
-</form>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*PluginRuntimeInfoCommand)(nil)
+	_ cli.CommandAutocomplete = (*PluginRuntimeInfoCommand)(nil)
+)
+
+type PluginRuntimeInfoCommand struct {
+	*BaseCommand
+
+	flagType string
+}
+
+func (c *PluginRuntimeInfoCommand) Synopsis() string {
+	return "Read information about a plugin runtime in the catalog"
+}
+
+func (c *PluginRuntimeInfoCommand) Help() string {
+	helpText := `
+Usage: vault plugin runtime info [options] NAME
+
+  Displays information about a plugin runtime in the catalog with the given name. If
+  the plugin runtime does not exist, an error is returned. The -type flag
+  currently only accepts "container".
+
+  Get info about a plugin runtime:
+
+      $ vault plugin runtime info -type=container my-plugin-runtime
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *PluginRuntimeInfoCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
+
+	f := set.NewFlagSet("Command Options")
+
+	f.StringVar(&StringVar{
+		Name:       "type",
+		Target:     &c.flagType,
+		Completion: complete.PredictAnything,
+		Usage:      "Plugin runtime type. Vault currently only supports \"container\" runtime type.",
+	})
+
+	return set
+}
+
+func (c *PluginRuntimeInfoCommand) AutocompleteArgs() complete.Predictor {
+	return nil
+}
+
+func (c *PluginRuntimeInfoCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *PluginRuntimeInfoCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	runtimeTyeRaw := strings.TrimSpace(c.flagType)
+	if len(runtimeTyeRaw) == 0 {
+		c.UI.Error("-type is required for plugin runtime info retrieval")
+		return 1
+	}
+
+	runtimeType, err := api.ParsePluginRuntimeType(runtimeTyeRaw)
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	var runtimeNameRaw string
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+
+	// This case should come after invalid cases have been checked
+	case len(args) == 1:
+		runtimeNameRaw = args[0]
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	runtimeName := strings.TrimSpace(runtimeNameRaw)
+	resp, err := client.Sys().GetPluginRuntime(context.Background(), &api.GetPluginRuntimeInput{
+		Name: runtimeName,
+		Type: runtimeType,
+	})
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error reading plugin runtime named %s: %s", runtimeName, err))
+		return 2
+	}
+
+	if resp == nil {
+		c.UI.Error(fmt.Sprintf("No value found for plugin runtime %q", runtimeName))
+		return 2
+	}
+
+	data := map[string]interface{}{
+		"name":          resp.Name,
+		"type":          resp.Type,
+		"oci_runtime":   resp.OCIRuntime,
+		"cgroup_parent": resp.CgroupParent,
+		"cpu_nanos":     resp.CPU,
+		"memory_bytes":  resp.Memory,
+	}
+
+	if c.flagField != "" {
+		return PrintRawField(c.UI, data, c.flagField)
+	}
+	return OutputData(c.UI, data)
+}
diff --git a/ui/app/templates/components/oidc/key-form.hbs b/ui/app/templates/components/oidc/key-form.hbs
index 9ea41100b07e..40166b094bf9 100644
--- a/ui/app/templates/components/oidc/key-form.hbs
+++ b/ui/app/templates/components/oidc/key-form.hbs
@@ -1,105 +1,116 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<PageHeader as |p|>
-  <p.top>
-    <nav class="breadcrumb">
-      <ul>
-        <li>
-          <span class="sep">&#x0002f;</span>
-          {{#if @model.isNew}}
-            <LinkTo @route="vault.cluster.access.oidc.keys">
-              Keys
-            </LinkTo>
-          {{else}}
-            <LinkTo @route="vault.cluster.access.oidc.keys.key.details" @model={{@model.name}}>
-              Details
-            </LinkTo>
-          {{/if}}
-        </li>
-      </ul>
-    </nav>
-  </p.top>
-  <p.levelLeft>
-    <h1 class="title is-3" data-test-oidc-key-title>
-      {{if @model.isNew "Create" "Edit"}}
-      Key
-    </h1>
-  </p.levelLeft>
-</PageHeader>
-
-<form {{on "submit" (perform this.save)}}>
-  <div class="box is-sideless is-fullwidth is-bottomless">
-    <MessageError @errorMessage={{this.errorBanner}} />
-    {{#each @model.formFields as |attr|}}
-      <FormField @attr={{attr}} @model={{@model}} @modelValidations={{this.modelValidations}} />
-    {{/each}}
-  </div>
-  {{! RADIO CARD + SEARCH SELECT }}
-  <div class="box is-sideless is-fullwidth is-marginless has-top-padding-xxl">
-    <h4 class="title is-4">Allowed applications</h4>
-    <div class="is-flex-row">
-      <RadioCard
-        data-test-oidc-radio="allow-all"
-        @title="Allow every application to use"
-        @description="All applications can use this key for authentication requests."
-        @icon="globe"
-        @value="allow_all"
-        @groupValue={{this.radioCardGroupValue}}
-        @onChange={{this.handleClientSelection}}
-      />
-      <RadioCard
-        data-test-oidc-radio="limited"
-        @title="Limit access to selected application"
-        @description="Only selected applications can use this key for authentication requests."
-        @icon="globe-private"
-        @value="limited"
-        @groupValue={{this.radioCardGroupValue}}
-        @onChange={{this.handleClientSelection}}
-        @disabled={{@model.isNew}}
-        @disabledTooltipMessage="This option has been disabled for now. To limit access, you must first create an application that references this key."
-      />
-    </div>
-    {{#if (eq this.radioCardGroupValue "limited")}}
-      <SearchSelect
-        @id="allowedClientIds"
-        @label="Application name"
-        @subText="Select which applications are allowed to use this key. Only applications that currently reference this key will appear in the dropdown."
-        @models={{array "oidc/client"}}
-        @inputValue={{@model.allowedClientIds}}
-        @onChange={{this.handleClientSelection}}
-        @disallowNewItems={{true}}
-        @fallbackComponent="string-list"
-        @passObject={{true}}
-        @objectKeys={{array "clientId"}}
-        @queryObject={{this.filterDropdownOptions}}
-      />
-    {{/if}}
-  </div>
-  <div class="field box is-fullwidth is-bottomless">
-    <div class="control">
-      <Hds::Button
-        @text={{if @model.isNew "Create" "Update"}}
-        @icon={{if this.save.isRunning "loading"}}
-        type="submit"
-        disabled={{this.save.isRunning}}
-        data-test-oidc-key-save
-      />
-      <Hds::Button
-        @text="Cancel"
-        @color="secondary"
-        class="has-left-margin-s"
-        disabled={{this.save.isRunning}}
-        {{on "click" this.cancel}}
-        data-test-oidc-key-cancel
-      />
-    </div>
-    {{#if this.invalidFormAlert}}
-      <div class="control">
-        <AlertInline @type="danger" @paddingTop={{true}} @message={{this.invalidFormAlert}} @mimicRefresh={{true}} />
-      </div>
-    {{/if}}
-  </div>
-</form>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"regexp"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+)
+
+func testPluginRuntimeInfoCommand(tb testing.TB) (*cli.MockUi, *PluginRuntimeInfoCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &PluginRuntimeInfoCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestPluginRuntimeInfoCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"not_enough_args",
+			[]string{"-type=container"},
+			"Not enough arguments",
+			1,
+		},
+		{
+			"too_many_args",
+			[]string{"-type=container", "bar", "baz"},
+			"Too many arguments",
+			1,
+		},
+		{
+			"invalid_runtime_type",
+			[]string{"-type=foo", "bar"},
+			"\"foo\" is not a supported plugin runtime type",
+			2,
+		},
+		{
+			"info_container_on_empty_plugin_runtime_catalog",
+			[]string{"-type=container", "my-plugin-runtime"},
+			"Error reading plugin runtime named my-plugin-runtime",
+			2,
+		},
+	}
+
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range cases {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				ui, cmd := testPluginRuntimeInfoCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				matcher := regexp.MustCompile(tc.out)
+				if !matcher.MatchString(combined) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testPluginRuntimeInfoCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{"-type=container", "my-plugin-runtime"})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error reading plugin runtime named my-plugin-runtime"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testPluginRuntimeInfoCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
diff --git a/ui/app/templates/components/oidc/provider-form.hbs b/ui/app/templates/components/oidc/provider-form.hbs
index b51e0d1e86eb..64cca1805f63 100644
--- a/ui/app/templates/components/oidc/provider-form.hbs
+++ b/ui/app/templates/components/oidc/provider-form.hbs
@@ -1,132 +1,131 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<PageHeader as |p|>
-  <p.top>
-    <nav class="breadcrumb">
-      <ul>
-        <li>
-          <span class="sep">&#x0002f;</span>
-          {{#if @model.isNew}}
-            <LinkTo @route="vault.cluster.access.oidc.providers">
-              Providers
-            </LinkTo>
-          {{else}}
-            <LinkTo @route="vault.cluster.access.oidc.providers.provider.details" @model={{@model.name}}>
-              Details
-            </LinkTo>
-          {{/if}}
-        </li>
-      </ul>
-    </nav>
-  </p.top>
-  <p.levelLeft>
-    <h1 class="title is-3" data-test-oidc-provider-title>
-      {{if @model.isNew "Create" "Edit"}}
-      Provider
-    </h1>
-  </p.levelLeft>
-</PageHeader>
-
-<form {{on "submit" (perform this.save)}} {{did-insert this.setIssuer @model}}>
-  <div class="box is-sideless is-fullwidth is-bottomless">
-    <MessageError @errorMessage={{this.errorBanner}} />
-    {{! name field }}
-    <FormField
-      data-test-field={{true}}
-      @attr={{get @model.formFields "0"}}
-      @model={{@model}}
-      @modelValidations={{this.modelValidations}}
-    />
-    {{#let (get @model.formFields "1") as |attr|}}
-      <FormFieldLabel
-        for={{attr.name}}
-        @label="Issuer"
-        @helpText={{attr.options.helpText}}
-        @subText={{attr.options.subText}}
-        @docLink={{attr.options.docLink}}
-      />
-      <Input
-        data-test-field={{true}}
-        data-test-input={{attr.name}}
-        id={{attr.name}}
-        autocomplete="off"
-        spellcheck="false"
-        @value={{@model.issuer}}
-        class="input {{if this.validationError 'has-error-border'}}"
-        placeholder={{attr.options.placeholderText}}
-      />
-    {{/let}}
-    {{! scopesSupported field }}
-    <FormField
-      data-test-field={{true}}
-      @attr={{get @model.formFields "2"}}
-      @model={{@model}}
-      @modelValidations={{this.modelValidations}}
-    />
-  </div>
-  {{! RADIO CARD + SEARCH SELECT }}
-  <div class="box is-sideless is-fullwidth is-marginless has-top-padding-xxl">
-    <h4 class="title is-4">Allowed applications</h4>
-    <div class="is-flex-row">
-      <RadioCard
-        data-test-oidc-radio="allow-all"
-        @title="Allow every application to use"
-        @description="All applications can use this provider for authentication requests."
-        @icon="globe"
-        @value="allow_all"
-        @groupValue={{this.radioCardGroupValue}}
-        @onChange={{this.handleClientSelection}}
-      />
-      <RadioCard
-        data-test-oidc-radio="limited"
-        @title="Limit access to selected application"
-        @description="Only selected applications can use this provider for authentication requests."
-        @icon="globe-private"
-        @value="limited"
-        @groupValue={{this.radioCardGroupValue}}
-        @onChange={{this.handleClientSelection}}
-      />
-    </div>
-    {{#if (eq this.radioCardGroupValue "limited")}}
-      <SearchSelect
-        @id="allowedClientIds"
-        @label="Application name"
-        @models={{array "oidc/client"}}
-        @inputValue={{@model.allowedClientIds}}
-        @onChange={{this.handleClientSelection}}
-        @disallowNewItems={{true}}
-        @fallbackComponent="string-list"
-        @passObject={{true}}
-        @objectKeys={{array "clientId"}}
-        @renderInfoTooltip={{this.renderInfoTooltip}}
-      />
-    {{/if}}
-  </div>
-  <div class="field box is-fullwidth is-bottomless">
-    <div class="control">
-      <Hds::Button
-        @text={{if @model.isNew "Create" "Update"}}
-        @icon={{if this.save.isRunning "loading"}}
-        type="submit"
-        disabled={{this.save.isRunning}}
-        data-test-oidc-provider-save
-      />
-      <Hds::Button
-        @text="Cancel"
-        @color="secondary"
-        class="has-left-margin-s"
-        disabled={{this.save.isRunning}}
-        {{on "click" this.cancel}}
-        data-test-oidc-provider-cancel
-      />
-    </div>
-    {{#if this.invalidFormAlert}}
-      <div class="control">
-        <AlertInline @type="danger" @paddingTop={{true}} @message={{this.invalidFormAlert}} @mimicRefresh={{true}} />
-      </div>
-    {{/if}}
-  </div>
-</form>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*PluginRuntimeListCommand)(nil)
+	_ cli.CommandAutocomplete = (*PluginRuntimeListCommand)(nil)
+)
+
+type PluginRuntimeListCommand struct {
+	*BaseCommand
+
+	flagType string
+}
+
+func (c *PluginRuntimeListCommand) Synopsis() string {
+	return "Lists available plugin runtimes"
+}
+
+func (c *PluginRuntimeListCommand) Help() string {
+	helpText := `
+Usage: vault plugin runtime list [options]
+
+  Lists available plugin runtimes registered in the catalog. This does not list whether
+  plugin runtimes are in use, but rather just their availability.
+
+  List all available plugin runtimes in the catalog:
+
+      $ vault plugin runtime list
+
+  List all available container plugin runtimes in the catalog:
+
+      $ vault plugin runtime list -type=container
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *PluginRuntimeListCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+
+	f := set.NewFlagSet("Command Options")
+
+	f.StringVar(&StringVar{
+		Name:       "type",
+		Target:     &c.flagType,
+		Completion: complete.PredictAnything,
+		Usage:      "Plugin runtime type. Vault currently only supports \"container\" runtime type.",
+	})
+
+	return set
+}
+
+func (c *PluginRuntimeListCommand) AutocompleteArgs() complete.Predictor {
+	return nil
+}
+
+func (c *PluginRuntimeListCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *PluginRuntimeListCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	if len(f.Args()) > 0 {
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(args)))
+		return 1
+	}
+
+	var input *api.ListPluginRuntimesInput
+	runtimeTyeRaw := strings.TrimSpace(c.flagType)
+	if len(runtimeTyeRaw) > 0 {
+		runtimeType, err := api.ParsePluginRuntimeType(runtimeTyeRaw)
+		if err != nil {
+			c.UI.Error(err.Error())
+			return 2
+		}
+		input = &api.ListPluginRuntimesInput{Type: runtimeType}
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	resp, err := client.Sys().ListPluginRuntimes(context.Background(), input)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error listing available plugin runtimes: %s", err))
+		return 2
+	}
+	if resp == nil {
+		c.UI.Error("No tableResponse from server when listing plugin runtimes")
+		return 2
+	}
+
+	switch Format(c.UI) {
+	case "table":
+		c.UI.Output(tableOutput(c.tableResponse(resp), nil))
+		return 0
+	default:
+		return OutputData(c.UI, resp.Runtimes)
+	}
+}
+
+func (c *PluginRuntimeListCommand) tableResponse(response *api.ListPluginRuntimesResponse) []string {
+	out := []string{"Name | Type | OCI Runtime | Parent Cgroup | CPU Nanos | Memory Bytes"}
+	for _, runtime := range response.Runtimes {
+		out = append(out, fmt.Sprintf("%s | %s | %s | %s | %d | %d",
+			runtime.Name, runtime.Type, runtime.OCIRuntime, runtime.CgroupParent, runtime.CPU, runtime.Memory))
+	}
+
+	return out
+}
diff --git a/ui/app/templates/components/oidc/scope-form.hbs b/ui/app/templates/components/oidc/scope-form.hbs
index 76541045a80c..cd67ece564ee 100644
--- a/ui/app/templates/components/oidc/scope-form.hbs
+++ b/ui/app/templates/components/oidc/scope-form.hbs
@@ -1,102 +1,116 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<PageHeader as |p|>
-  <p.top>
-    <nav class="breadcrumb" aria-label="breadcrumbs">
-      <ul>
-        <li>
-          <span class="sep">&#x0002f;</span>
-          {{#if @model.isNew}}
-            <LinkTo @route={{"vault.cluster.access.oidc.scopes"}}>
-              Scopes
-            </LinkTo>
-          {{else}}
-            {{! You're editing in this view }}
-            <LinkTo @route={{"vault.cluster.access.oidc.scopes.scope.details"}} @model={{@model.name}}>
-              Details
-            </LinkTo>
-          {{/if}}
-        </li>
-      </ul>
-    </nav>
-  </p.top>
-  <p.levelLeft>
-    <h1 class="title is-3" data-test-oidc-scope-title>
-      {{if @model.isNew "Create" "Edit"}}
-      Scope
-    </h1>
-  </p.levelLeft>
-  <p.levelRight>
-    <Hds::Button
-      @text="How to write JSON template for scopes"
-      @icon="bulb"
-      @color="tertiary"
-      {{on "click" (fn (mut this.showTemplateModal))}}
-      data-test-oidc-scope-example
-    />
-  </p.levelRight>
-</PageHeader>
-
-<form {{on "submit" (perform this.save)}}>
-  <div class="box is-sideless is-fullwidth is-marginless">
-    <p class="has-bottom-margin-l">
-      Providers may reference a set of scopes to make specific identity information available as claims
-    </p>
-    <MessageError @errorMessage={{this.errorBanner}} />
-    {{#each @model.formFields as |field|}}
-      <FormField @attr={{field}} @model={{@model}} @modelValidations={{this.modelValidations}} />
-    {{/each}}
-    <p class="is-size-9 has-text-grey has-bottom-margin-l">
-      You can use Alt+Tab (Option+Tab on MacOS) in the code editor to skip to the next field. Click 'How to write JSON
-      template for scopes' to view an example.
-    </p>
-  </div>
-  <div class="has-top-margin-l has-bottom-margin-l">
-    <Hds::Button
-      @text={{if @model.isNew "Create" "Update"}}
-      @icon={{if this.save.isRunning "loading"}}
-      type="submit"
-      disabled={{this.save.isRunning}}
-      data-test-oidc-scope-save
-    />
-    <Hds::Button
-      @text="Cancel"
-      @color="secondary"
-      class="has-left-margin-s"
-      disabled={{this.save.isRunning}}
-      {{on "click" this.cancel}}
-      data-test-oidc-scope-cancel
-    />
-  </div>
-  {{#if this.invalidFormAlert}}
-    <div class="control">
-      <AlertInline @type="danger" @paddingTop={{true}} @message={{this.invalidFormAlert}} @mimicRefresh={{true}} />
-    </div>
-  {{/if}}
-</form>
-
-{{#if this.showTemplateModal}}
-  <Hds::Modal id="scope-template-modal" @size="large" @onClose={{fn (mut this.showTemplateModal) false}} as |M|>
-    <M.Header data-test-scope-modal="title">
-      Scope template
-    </M.Header>
-    <M.Body>
-      <p data-test-scope-modal="text">
-        Example of a JSON template for scopes:
-      </p>
-      <JsonEditor @value={{this.exampleTemplate}} @mode="ruby" @readOnly={{true}} @container=".hds-modal" />
-      <p class="has-top-margin-m">
-        The full list of template parameters can be found
-        <DocLink @path="/vault/docs/concepts/oidc-provider#scopes">
-          here.
-        </DocLink>
-      </p>
-    </M.Body>
-    <M.Footer as |F|>
-      <Hds::Button @text="Close" {{on "click" F.close}} data-test-close-modal />
-    </M.Footer>
-  </Hds::Modal>
-{{/if}}
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"regexp"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+)
+
+func testPluginRuntimeListCommand(tb testing.TB) (*cli.MockUi, *PluginRuntimeListCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &PluginRuntimeListCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestPluginRuntimeListCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"too_many_args",
+			[]string{"foo"},
+			"Too many arguments",
+			1,
+		},
+		{
+			"invalid_runtime_type",
+			[]string{"-type=foo"},
+			"\"foo\" is not a supported plugin runtime type",
+			2,
+		},
+		{
+			"list container on empty plugin runtime catalog",
+			[]string{"-type=container"},
+			"Error listing available plugin runtimes:",
+			2,
+		},
+		{
+			"list on empty plugin runtime catalog",
+			nil,
+			"Error listing available plugin runtimes:",
+			2,
+		},
+	}
+
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range cases {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				ui, cmd := testPluginRuntimeListCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				matcher := regexp.MustCompile(tc.out)
+				if !matcher.MatchString(combined) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testPluginRuntimeListCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{"-type=container"})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error listing available plugin runtimes: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testPluginRuntimeListCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
diff --git a/ui/app/templates/components/raft-storage-overview.hbs b/ui/app/templates/components/raft-storage-overview.hbs
index 006566b775e8..175be302f519 100644
--- a/ui/app/templates/components/raft-storage-overview.hbs
+++ b/ui/app/templates/components/raft-storage-overview.hbs
@@ -1,100 +1,172 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<PageHeader as |p|>
-  <p.levelLeft>
-    <h1 class="title is-3">
-      Raft Storage
-    </h1>
-  </p.levelLeft>
-</PageHeader>
-<Toolbar>
-  <ToolbarActions>
-    <BasicDropdown @class="popup-menu" @horizontalPosition="auto-right" @verticalPosition="below" as |D|>
-      <D.Trigger
-        data-test-popup-menu-trigger="true"
-        class={{concat "toolbar-link" (if D.isOpen " is-active")}}
-        @htmlTag="button"
-      >
-        Snapshots
-        <Chevron @direction="down" @isButton={{true}} />
-      </D.Trigger>
-      <D.Content @defaultClass="popup-menu-content">
-        <nav class="box menu" aria-label="snapshots actions">
-          <ul class="menu-list">
-            <li class="action">
-              {{#if this.useServiceWorker}}
-                <ExternalLink
-                  @href="/v1/sys/storage/raft/snapshot"
-                  @sameTab={{true}}
-                  onclick={{queue (action "downloadViaServiceWorker") (action D.actions.close)}}
-                >
-                  Download
-                </ExternalLink>
-              {{else}}
-                <Hds::Button
-                  @text="Download"
-                  class="link"
-                  {{on "click" (queue (action "downloadSnapshot") (action D.actions.close))}}
-                />
-              {{/if}}
-            </li>
-            <li class="action">
-              <LinkTo @route="vault.cluster.storage-restore">
-                Restore
-              </LinkTo>
-            </li>
-          </ul>
-        </nav>
-      </D.Content>
-    </BasicDropdown>
-  </ToolbarActions>
-</Toolbar>
-
-<table class="vlt-table is-fullwidth">
-  <caption class="is-collapsed">Raft servers</caption>
-  <thead class="has-text-weight-semibold">
-    <tr>
-      <th scope="col">Address</th>
-      <th scope="col">Voter</th>
-      <th scope="col"></th>
-    </tr>
-  </thead>
-  <tbody>
-    {{#each @model as |server|}}
-      <tr data-raft-row>
-        <td>
-          {{server.address}}
-          {{#if server.leader}}
-            <span class="tag">Leader</span>
-          {{/if}}
-        </td>
-        <td>
-
-          {{#if server.voter}}
-            <Icon @name="check-circle" aria-label="Yes" class="icon-true has-text-success" />
-          {{else}}
-            <Icon @name="x-square" aria-label="No" class="icon-false" />
-          {{/if}}
-        </td>
-        <td class="middle no-padding has-text-right">
-          <PopupMenu>
-            <nav aria-label="remove peer">
-              <ul>
-                <ConfirmAction
-                  @isInDropdown={{true}}
-                  @onConfirmAction={{action "removePeer" server}}
-                  @buttonText="Remove Peer"
-                  @confirmTitle="Remove {{server.nodeId}}?"
-                  @confirmMessage="This will remove the server from the raft cluster."
-                />
-              </ul>
-            </nav>
-          </PopupMenu>
-        </td>
-      </tr>
-    {{/each}}
-  </tbody>
-</table>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*PluginRuntimeRegisterCommand)(nil)
+	_ cli.CommandAutocomplete = (*PluginRuntimeRegisterCommand)(nil)
+)
+
+type PluginRuntimeRegisterCommand struct {
+	*BaseCommand
+
+	flagType         string
+	flagOCIRuntime   string
+	flagCgroupParent string
+	flagCPUNanos     int64
+	flagMemoryBytes  int64
+	flagRootless     bool
+}
+
+func (c *PluginRuntimeRegisterCommand) Synopsis() string {
+	return "Registers a new plugin runtime in the catalog"
+}
+
+func (c *PluginRuntimeRegisterCommand) Help() string {
+	helpText := `
+Usage: vault plugin runtime register [options] NAME
+
+  Registers a new plugin runtime in the catalog. Currently, Vault only supports registering runtimes of type "container".
+The OCI runtime must be available on Vault's host. If no OCI runtime is specified, Vault will use "runsc", gVisor's OCI runtime.
+
+  Register the plugin runtime named my-custom-plugin-runtime:
+
+      $ vault plugin runtime register -type=container -oci_runtime=my-oci-runtime my-custom-plugin-runtime
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *PluginRuntimeRegisterCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP)
+
+	f := set.NewFlagSet("Command Options")
+
+	f.StringVar(&StringVar{
+		Name:       "type",
+		Target:     &c.flagType,
+		Completion: complete.PredictAnything,
+		Usage:      "Plugin runtime type. Vault currently only supports \"container\" runtime type.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "oci_runtime",
+		Target:     &c.flagOCIRuntime,
+		Completion: complete.PredictAnything,
+		Usage:      "OCI runtime. Default is \"runsc\", gVisor's OCI runtime.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "cgroup_parent",
+		Target:     &c.flagCgroupParent,
+		Completion: complete.PredictAnything,
+		Usage:      "Parent cgroup to set for each container. This can be used to control the total resource usage for a group of plugins.",
+	})
+
+	f.Int64Var(&Int64Var{
+		Name:       "cpu_nanos",
+		Target:     &c.flagCPUNanos,
+		Completion: complete.PredictAnything,
+		Usage:      "CPU limit to set per container in nanos. Defaults to no limit.",
+	})
+
+	f.Int64Var(&Int64Var{
+		Name:       "memory_bytes",
+		Target:     &c.flagMemoryBytes,
+		Completion: complete.PredictAnything,
+		Usage:      "Memory limit to set per container in bytes. Defaults to no limit.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:       "rootless",
+		Target:     &c.flagRootless,
+		Completion: complete.PredictAnything,
+		Usage: "Whether the container runtime is configured to run as a " +
+			"non-privileged (non-root) user. Required if the plugin container " +
+			"image is also configured to run as a non-root user.",
+	})
+
+	return set
+}
+
+func (c *PluginRuntimeRegisterCommand) AutocompleteArgs() complete.Predictor {
+	return nil
+}
+
+func (c *PluginRuntimeRegisterCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *PluginRuntimeRegisterCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	runtimeTyeRaw := strings.TrimSpace(c.flagType)
+	if len(runtimeTyeRaw) == 0 {
+		c.UI.Error("-type is required for plugin runtime registration")
+		return 1
+	}
+
+	runtimeType, err := api.ParsePluginRuntimeType(runtimeTyeRaw)
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	var runtimeNameRaw string
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+
+	// This case should come after invalid cases have been checked
+	case len(args) == 1:
+		runtimeNameRaw = args[0]
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	runtimeName := strings.TrimSpace(runtimeNameRaw)
+	ociRuntime := strings.TrimSpace(c.flagOCIRuntime)
+	cgroupParent := strings.TrimSpace(c.flagCgroupParent)
+
+	if err := client.Sys().RegisterPluginRuntime(context.Background(), &api.RegisterPluginRuntimeInput{
+		Name:         runtimeName,
+		Type:         runtimeType,
+		OCIRuntime:   ociRuntime,
+		CgroupParent: cgroupParent,
+		CPU:          c.flagCPUNanos,
+		Memory:       c.flagMemoryBytes,
+		Rootless:     c.flagRootless,
+	}); err != nil {
+		c.UI.Error(fmt.Sprintf("Error registering plugin runtime %s: %s", runtimeName, err))
+		return 2
+	}
+
+	c.UI.Output(fmt.Sprintf("Success! Registered plugin runtime: %s", runtimeName))
+	return 0
+}
diff --git a/ui/app/templates/components/secret-create-or-update.hbs b/ui/app/templates/components/secret-create-or-update.hbs
index fbb491677eba..3b28587cf62a 100644
--- a/ui/app/templates/components/secret-create-or-update.hbs
+++ b/ui/app/templates/components/secret-create-or-update.hbs
@@ -1,232 +1,206 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-{{#if (eq @mode "create")}}
-  <form
-    class={{if @showAdvancedMode "advanced-edit" "simple-edit"}}
-    {{on "submit" (fn this.createOrUpdateKey @mode)}}
-    aria-label="secret create form"
-    {{did-insert this.setup @secretData @mode}}
-  >
-    <div class="field box is-fullwidth is-sideless is-marginless">
-      <NamespaceReminder @mode="create" @noun="secret" />
-      <MessageError @model={{@modelForData}} @errorMessage={{this.error}} />
-      <label class="is-label" for="kv-key">Path for this secret</label>
-      <p class="control is-expanded">
-        <Input
-          autocomplete="off"
-          spellcheck="false"
-          data-test-secret-path="true"
-          id="kv-key"
-          class="input {{if (get this.validationMessages 'path') 'has-error-border'}}"
-          @value={{get @modelForData @modelForData.pathAttr}}
-          {{on "keyup" (perform this.waitForKeyUp "path" value="target.value")}}
-        />
-      </p>
-      {{#if (get this.validationMessages "path")}}
-        <AlertInline
-          @type="danger"
-          @message={{get this.validationMessages "path"}}
-          @paddingTop={{true}}
-          @isMarginless={{true}}
-        />
-      {{/if}}
-      {{#if @modelForData.isFolder}}
-        <p class="help has-text-danger">
-          The secret path may not end in
-          <code>/</code>
-        </p>
-      {{/if}}
-      {{#if this.pathWhiteSpaceWarning}}
-        <Hds::Alert
-          @type="inline"
-          @color="warning"
-          class="has-top-margin-m has-bottom-margin-s"
-          data-test-whitespace-warning
-          as |A|
-        >
-          <A.Title>Warning</A.Title>
-          <A.Description>
-            Your secret path contains whitespace. If this is desired, you'll need to encode it with %20 in API calls.
-          </A.Description>
-        </Hds::Alert>
-      {{/if}}
-    </div>
-    {{#if @showAdvancedMode}}
-      <div class="form-section">
-        <JsonEditor
-          @title="Secret Data"
-          @value={{this.codemirrorString}}
-          @valueUpdated={{this.codemirrorUpdated}}
-          @onFocusOut={{this.formatJSON}}
-        />
-      </div>
-    {{else}}
-      <div class="form-section">
-        <label class="title is-5">
-          Secret data
-        </label>
-        {{#each @secretData as |secret index|}}
-          <div class="info-table-row">
-            <div class="column is-one-quarter info-table-row-edit">
-              <Input
-                data-test-secret-key={{true}}
-                @value={{secret.name}}
-                placeholder="key"
-                {{on "change" this.handleChange}}
-                class="input"
-                autocomplete="off"
-                spellcheck="false"
-              />
-            </div>
-            <div class="column info-table-row-edit">
-              <MaskedInput
-                @name={{secret.name}}
-                @onChange={{fn this.handleMaskedInputChange secret index}}
-                @value={{secret.value}}
-                data-test-secret-value="true"
-              />
-            </div>
-            <div class="column is-narrow info-table-row-edit">
-              {{#if (eq @secretData.length (inc index))}}
-                <Hds::Button @text="Add" @color="secondary" {{on "click" this.addRow}} data-test-secret-add-row="true" />
-              {{else}}
-                <Hds::Button
-                  @text="Delete row"
-                  @icon="trash"
-                  @isIconOnly={{true}}
-                  @color="secondary"
-                  {{on "click" (fn this.deleteRow secret.name)}}
-                />
-              {{/if}}
-            </div>
-          </div>
-          {{#if this.validationMessages.key}}
-            <AlertInline
-              @type="danger"
-              @message={{this.validationMessages.key}}
-              @paddingTop={{true}}
-              @isMarginless={{true}}
-            />
-          {{/if}}
-        {{/each}}
-      </div>
-    {{/if}}
-
-    <div class="field is-grouped box is-fullwidth is-bottomless">
-      <Hds::ButtonSet>
-        <Hds::Button @text="Save" type="submit" disabled={{@buttonDisabled}} data-test-secret-save={{true}} />
-        {{#if @model.path}}
-          <Hds::Button
-            @text="Cancel"
-            @color="secondary"
-            @route="vault.cluster.secrets.backend.list"
-            @model={{@model.path}}
-          />
-        {{else}}
-          <Hds::Button @text="Cancel" @color="secondary" @route="vault.cluster.secrets.backend.list-root" />
-        {{/if}}
-      </Hds::ButtonSet>
-    </div>
-  </form>
-{{/if}}
-
-{{#if (eq @mode "edit")}}
-  <form
-    {{on "submit" (fn this.createOrUpdateKey "edit")}}
-    aria-label="secret edit form"
-    {{did-insert this.setup @secretData @mode}}
-  >
-    <div class="box is-sideless is-fullwidth is-marginless padding-top">
-      <MessageError @model={{@modelForData}} @errorMessage={{this.error}} />
-      <NamespaceReminder @mode="edit" @noun="secret" />
-      {{#if (eq @canReadSecret false)}}
-        <Hds::Alert @type="inline" @color="warning" class="has-bottom-margin-s" as |A|>
-          <A.Title>Warning</A.Title>
-          <A.Description>
-            <ul class={{if (eq @canReadSecret false) "bullet"}}>
-              {{#if (eq @canReadSecret false)}}
-                <li data-test-warning-no-read-permissions>
-                  You do not have read permissions. If a secret exists at this path creating a new secret will overwrite it.
-                </li>
-              {{/if}}
-            </ul>
-          </A.Description>
-        </Hds::Alert>
-      {{/if}}
-      {{#if @showAdvancedMode}}
-        <div class="form-section">
-          <JsonEditor
-            @title="Secret Data"
-            @value={{this.codemirrorString}}
-            @valueUpdated={{this.codemirrorUpdated}}
-            @onFocusOut={{this.formatJSON}}
-          />
-        </div>
-      {{else}}
-        <div class="form-section">
-          <label class="title is-5">
-            Secret data
-          </label>
-          {{#each @secretData as |secret index|}}
-            <div class="columns is-variable has-no-shadow">
-              <div class="column is-one-quarter">
-                <Input
-                  data-test-secret-key={{true}}
-                  @value={{secret.name}}
-                  placeholder="key"
-                  {{on "change" this.handleChange}}
-                  class="input"
-                  autocomplete="off"
-                  spellcheck="false"
-                />
-              </div>
-              <div class="column">
-                <MaskedInput
-                  @name={{secret.name}}
-                  @onChange={{fn this.handleMaskedInputChange secret index}}
-                  @value={{secret.value}}
-                  data-test-secret-value="true"
-                />
-              </div>
-              <div class="column is-narrow">
-                {{#if (eq @secretData.length (inc index))}}
-                  <Hds::Button @text="Add" @color="secondary" {{on "click" this.addRow}} data-test-secret-add-row="true" />
-                {{else}}
-                  <Hds::Button
-                    @text="Delete row"
-                    @icon="trash"
-                    @isIconOnly={{true}}
-                    @color="secondary"
-                    {{on "click" (fn this.deleteRow secret.name)}}
-                  />
-                {{/if}}
-              </div>
-            </div>
-          {{/each}}
-        </div>
-      {{/if}}
-    </div>
-    <div class="field is-grouped is-grouped-split is-fullwidth box is-bottomless">
-      <div class="field is-grouped">
-        <Hds::ButtonSet>
-          <Hds::Button
-            @text="Save"
-            data-test-secret-save
-            type="submit"
-            disabled={{or @buttonDisabled this.validationErrorCount}}
-          />
-          <Hds::Button
-            @text="Cancel"
-            @color="secondary"
-            @route="vault.cluster.secrets.backend.show"
-            @model={{@model.id}}
-            @query={{hash version=@modelForData.version}}
-          />
-        </Hds::ButtonSet>
-      </div>
-    </div>
-  </form>
-{{/if}}
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"encoding/json"
+	"fmt"
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+)
+
+func testPluginRuntimeRegisterCommand(tb testing.TB) (*cli.MockUi, *PluginRuntimeRegisterCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &PluginRuntimeRegisterCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestPluginRuntimeRegisterCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name  string
+		flags []string
+		args  []string
+		out   string
+		code  int
+	}{
+		{
+			"no type specified",
+			[]string{},
+			[]string{"foo"},
+			"-type is required for plugin runtime registration",
+			1,
+		},
+		{
+			"invalid type",
+			[]string{"-type", "foo"},
+			[]string{"not"},
+			"\"foo\" is not a supported plugin runtime type",
+			2,
+		},
+		{
+			"not_enough_args",
+			[]string{"-type", consts.PluginRuntimeTypeContainer.String()},
+			[]string{},
+			"Not enough arguments",
+			1,
+		},
+		{
+			"too_many_args",
+			[]string{"-type", consts.PluginRuntimeTypeContainer.String()},
+			[]string{"foo", "bar"},
+			"Too many arguments",
+			1,
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			client, closer := testVaultServer(t)
+			defer closer()
+
+			ui, cmd := testPluginRuntimeRegisterCommand(t)
+			cmd.client = client
+
+			args := append(tc.flags, tc.args...)
+			code := cmd.Run(args)
+			if code != tc.code {
+				t.Errorf("expected %d to be %d", code, tc.code)
+			}
+
+			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+			if !strings.Contains(combined, tc.out) {
+				t.Errorf("expected %q to contain %q", combined, tc.out)
+			}
+		})
+	}
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testPluginRuntimeRegisterCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{"-type", consts.PluginRuntimeTypeContainer.String(), "my-plugin-runtime"})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error registering plugin runtime my-plugin-runtime"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testPluginRuntimeRegisterCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
+
+// TestPluginRuntimeFlagParsing ensures that flags passed to vault plugin runtime register correctly
+// translate into the expected JSON body and request path.
+func TestPluginRuntimeFlagParsing(t *testing.T) {
+	for name, tc := range map[string]struct {
+		runtimeType     api.PluginRuntimeType
+		name            string
+		ociRuntime      string
+		cgroupParent    string
+		cpu             int64
+		memory          int64
+		rootless        bool
+		expectedPayload string
+	}{
+		"minimal": {
+			runtimeType:     api.PluginRuntimeTypeContainer,
+			name:            "foo",
+			expectedPayload: `{"type":1,"name":"foo"}`,
+		},
+		"full": {
+			runtimeType:     api.PluginRuntimeTypeContainer,
+			name:            "foo",
+			cgroupParent:    "/cpulimit/",
+			ociRuntime:      "runtime",
+			cpu:             5678,
+			memory:          1234,
+			rootless:        true,
+			expectedPayload: `{"type":1,"cgroup_parent":"/cpulimit/","memory_bytes":1234,"cpu_nanos":5678,"oci_runtime":"runtime","rootless":true}`,
+		},
+	} {
+		tc := tc
+		t.Run(name, func(t *testing.T) {
+			ui, cmd := testPluginRuntimeRegisterCommand(t)
+			var requestLogger *recordingRoundTripper
+			cmd.client, requestLogger = mockClient(t)
+
+			var args []string
+			if tc.cgroupParent != "" {
+				args = append(args, "-cgroup_parent="+tc.cgroupParent)
+			}
+			if tc.ociRuntime != "" {
+				args = append(args, "-oci_runtime="+tc.ociRuntime)
+			}
+			if tc.memory != 0 {
+				args = append(args, fmt.Sprintf("-memory_bytes=%d", tc.memory))
+			}
+			if tc.cpu != 0 {
+				args = append(args, fmt.Sprintf("-cpu_nanos=%d", tc.cpu))
+			}
+			if tc.rootless {
+				args = append(args, "-rootless=true")
+			}
+
+			if tc.runtimeType != api.PluginRuntimeTypeUnsupported {
+				args = append(args, "-type="+tc.runtimeType.String())
+			}
+			args = append(args, tc.name)
+			t.Log(args)
+
+			code := cmd.Run(args)
+			if exp := 0; code != exp {
+				t.Fatalf("expected %d to be %d\nstdout: %s\nstderr: %s", code, exp, ui.OutputWriter.String(), ui.ErrorWriter.String())
+			}
+
+			actual := &api.RegisterPluginRuntimeInput{}
+			expected := &api.RegisterPluginRuntimeInput{}
+			err := json.Unmarshal(requestLogger.body, actual)
+			if err != nil {
+				t.Fatal(err)
+			}
+			err = json.Unmarshal([]byte(tc.expectedPayload), expected)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if !reflect.DeepEqual(expected, actual) {
+				t.Errorf("expected: %s\ngot: %s", tc.expectedPayload, requestLogger.body)
+			}
+			expectedPath := fmt.Sprintf("/v1/sys/plugins/runtimes/catalog/%s/%s", tc.runtimeType.String(), tc.name)
+
+			if requestLogger.path != expectedPath {
+				t.Errorf("Expected path %s, got %s", expectedPath, requestLogger.path)
+			}
+		})
+	}
+}
diff --git a/ui/app/templates/components/splash-page.hbs b/ui/app/templates/components/splash-page.hbs
index 844c2740f6bc..ae5a5688fb93 100644
--- a/ui/app/templates/components/splash-page.hbs
+++ b/ui/app/templates/components/splash-page.hbs
@@ -1,26 +1,187 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-{{! bypass container styling }}
-{{#if @hasAltContent}}
-  {{yield (hash altContent=(component "splash-page/splash-content"))}}
-{{else}}
-  <div class="splash-page-container section is-flex-v-centered-tablet is-flex-grow-1 is-fullwidth">
-    <div class="columns is-centered is-gapless is-fullwidth">
-      <div class="column is-4-desktop is-6-tablet">
-        <div class="splash-page-header">
-          {{yield (hash header=(component "splash-page/splash-header"))}}
-        </div>
-        <div class="splash-page-sub-header">
-          {{yield (hash sub-header=(component "splash-page/splash-header"))}}
-        </div>
-        <div class="login-form box is-paddingless is-relative">
-          {{yield (hash content=(component "splash-page/splash-content"))}}
-        </div>
-        {{yield (hash footer=(component "splash-page/splash-content"))}}
-      </div>
-    </div>
-  </div>
-{{/if}}
\ No newline at end of file
+---
+layout: api
+page_title: /sys/plugins/runtimes/catalog - HTTP API
+description: The `/sys/plugins/runtimes/catalog` endpoint is used to manage plugin runtimes.
+---
+
+# `/sys/plugins/runtimes/catalog`
+
+The `/sys/plugins/runtimes/catalog` manages plugin runtimes in your Vault catalog by reading, registering,
+updating, and removing plugin runtime information. Plugin runtimes must be registered before use, and
+once registered, backends can use the plugin runtime by referencing them when registering a plugin.
+
+## LIST plugin runtimes
+
+The list endpoint returns a list of the plugin runtimes in the catalog.
+
+- **`sudo` required** – This endpoint requires `sudo` capability in addition to
+  any path-specific capabilities.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `LIST`  | `/sys/plugins/runtimes/catalog` |
+| `GET`  | `/sys/plugins/runtimes/catalog` |
+| `LIST`  | `/sys/plugins/runtimes/catalog?type=:type` |
+| `GET`  | `/sys/plugins/runtimes/catalog?type=:type` |
+
+### Parameters
+
+- `type` `(string: <required>)` – Specifies the plugin runtime type to list. Currently
+  only accepts "container".
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST
+    http://127.0.0.1:8200/v1/sys/plugins/runtimes/catalog
+```
+
+### Sample response
+
+```json
+{
+  "data": {
+    "runtimes": [
+      {
+        "name": "example-plugin-runtime",
+        "type": "container",
+        "oci_runtime": "example-oci-runtime",
+        "cgroup_parent": "/examplelimit/",
+        "cpu_nanos": 1000,
+        "memory_bytes": 10000000
+      },
+      ...
+    ]
+  }
+}
+```
+
+## Register plugin runtime
+
+The registration endpoint registers a new plugin runtime, or updates an existing one with the
+supplied type and name.
+
+- **`sudo` required** – This endpoint requires `sudo` capability in addition to
+  any path-specific capabilities.
+
+| Method | Path                               |
+| :----- | :--------------------------------- |
+| `POST` | `/sys/plugins/runtimes/catalog/:type/:name` |
+
+### Parameters
+
+- `type` `(string: <required>)` – Specifies the plugin runtime type. Currently
+  only accepts "container".
+
+- `name` `(string: <required>)` – Part of the request URL. Specifies the plugin runtime name.
+   Use the runtime name to look up plugin runtimes in the catalog.
+
+- `rootless` `(bool: false)` - Whether the container runtime is running as a
+  non-privileged user. Must be set if plugin container images are also configured
+  to run as a non-root user.
+
+- `oci_runtime` `(string: <optional>)` – Specifies OCI-compliant container runtime to use.
+  Default is "runsc", gVisor's OCI runtime.
+
+- `cgroup_parent` `(string: <optional>)` – Specifies the parent cgroup to set for each container.
+  Use the cgroup to control the total resource usage for a group of plugins.
+
+- `cpu_nanos` `(int: <optional>)` – Specifies cpu limit to set per container in billionths of a CPU.
+  Defaults to no limit.
+
+- `memory_bytes` `(int: <optional>)` – Specifies memory limit to set per container in bytes.
+  Defaults to no limit.
+
+### Sample payload
+
+```json
+{
+  "oci_runtime": "example-oci-runtime",
+  "cgroup_parent": "/examplelimit/",
+  "cpu_nanos": 1000,
+  "memory_bytes": 10000000
+}
+```
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/plugins/runtimes/catalog/container/example-plugin-runtime
+```
+
+## Read plugin runtime
+
+The read endpoint returns the configuration data for the plugin runtime with the given type and name.
+
+- **`sudo` required** – This endpoint requires `sudo` capability in addition to
+  any path-specific capabilities.
+
+| Method | Path                                                |
+| :----- | :-------------------------------------------------- |
+| `GET`  | `/sys/plugins/runtimes/catalog/:type/:name` |
+
+### Parameters
+
+- `type` `(string: <required>)` – Specifies the type of this plugin runtime. Currently
+  only accepts "container".
+
+- `name` `(string: <required>)` – Part of the request URL. Specifies the name of the plugin runtime to retrieve.
+
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    http://127.0.0.1:8200/v1/sys/plugins/runtimes/catalog/container/example-plugin-runtime
+```
+
+### Sample response
+
+```json
+{
+  "data": {
+    "name": "example-plugin-runtime",
+    "type": "container",
+    "oci_runtime": "example-oci-runtime",
+    "cgroup_parent": "/examplelimit/",
+    "cpu_nanos": 1000,
+    "memory_bytes": 10000000
+  }
+}
+```
+
+## Remove plugin runtime from catalog
+
+The remove endpoint removes the plugin runtime with the given type and name. Note that
+the request will fail if any registered plugin references the plugin runtime.
+
+- **`sudo` required** – This endpoint requires `sudo` capability in addition to
+  any path-specific capabilities.
+
+| Method   | Path                                                |
+| :------- | :-------------------------------------------------- |
+| `DELETE` | `/sys/plugins/runtimes/catalog/:type/:name` |
+
+### Parameters
+
+- `type` `(string: <required>)` – Specifies the type of this plugin runtime. Currently
+  only accepts "container".
+
+- `name` `(string: <required>)` – Part of the request URL. Specifies the name of the plugin runtime to delete.
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/plugins/runtimes/catalog/container/example-plugin-runtime
+```
diff --git a/ui/app/templates/components/wizard/features-selection.hbs b/ui/app/templates/components/wizard/features-selection.hbs
index 0fe8c47426aa..5e5f61bb2d72 100644
--- a/ui/app/templates/components/wizard/features-selection.hbs
+++ b/ui/app/templates/components/wizard/features-selection.hbs
@@ -1,76 +1,50 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<WizardContent @headerText="Vault Web UI" @glyph="tour" @selectProgress={{this.selectProgress}}>
-  <h2 class="title is-6">
-    Choosing where to go
-  </h2>
-  <p>
-    You did it! You now have access to your Vault and can start entering your data. We can help you get started with any of
-    the options below.
-  </p>
-  <div class="access-information">
-    <Icon @name="info" class="has-text-info" />
-    <p>
-      Vault only shows links to pages that you have access to based on your policies. Contact your administrator if you need
-      access changes.
-    </p>
-  </div>
-  {{#if (or (has-feature "Performance Replication") (has-feature "DR Replication"))}}{{/if}}
-  <h3 class="feature-header">Walk me through setting up:</h3>
-  <form id="features-form" class="feature-selection" {{action "saveFeatures" on="submit"}}>
-    {{#each this.allFeatures as |feature|}}
-      {{#if feature.show}}
-        <div
-          class="feature-box {{if feature.selected 'is-active'}} {{if feature.disabled 'is-disabled'}}"
-          data-test-select-input={{true}}
-        >
-          <div class="b-checkbox">
-            <input
-              id="feature-{{feature.key}}"
-              type="checkbox"
-              class="styled"
-              checked={{feature.selected}}
-              onchange={{action (mut feature.selected) value="target.checked"}}
-              disabled={{feature.disabled}}
-              data-test-checkbox={{feature.name}}
-            />
-            <label for="feature-{{feature.key}}">{{feature.name}}</label>
-            <Hds::Button
-              class="button is-ghost icon is-pulled-right"
-              @color="tertiary"
-              @text={{if (get this (concat feature.key "-isOpen")) "Close" "Open"}}
-              @icon={{if (get this (concat feature.key "-isOpen")) "chevron-up" "chevron-down"}}
-              @isIconOnly={{true}}
-              {{on "click" (action (toggle (concat feature.key "-isOpen") this))}}
-            />
-            {{#if feature.disabled}}
-              <Info-Tooltip data-test-tooltip>
-                You do not have permissions to tour some parts of this feature
-              </Info-Tooltip>
-            {{/if}}
-          </div>
-          {{#if (get this (concat feature.key "-isOpen"))}}
-            <ul class="feature-steps">
-              {{#each feature.steps as |step|}}
-                <li>{{step}}</li>
-              {{/each}}
-            </ul>
-          {{/if}}
-        </div>
-      {{/if}}
-    {{/each}}
-    <span class="selection-summary">
-      <Hds::Button @text="Start" type="submit" disabled={{this.cannotStartWizard}} data-test-start-button />
-      {{#if this.selectedFeatures}}
-        <span class="time-estimate">
-          <Icon @name="clock" class="has-text-grey" />About
-          {{this.estimatedTime}}
-          minutes
-        </span>
-      {{/if}}
-    </span>
-  </form>
-</WizardContent>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+
+	"github.com/hashicorp/cli"
+)
+
+var _ cli.Command = (*PolicyCommand)(nil)
+
+// PolicyCommand is a Command that holds the audit commands
+type PolicyCommand struct {
+	*BaseCommand
+}
+
+func (c *PolicyCommand) Synopsis() string {
+	return "Interact with policies"
+}
+
+func (c *PolicyCommand) Help() string {
+	helpText := `
+Usage: vault policy <subcommand> [options] [args]
+
+  This command groups subcommands for interacting with policies.
+  Users can write, read, and list policies in Vault.
+
+  List all enabled policies:
+
+      $ vault policy list
+
+  Create a policy named "my-policy" from contents on local disk:
+
+      $ vault policy write my-policy ./my-policy.hcl
+
+  Delete the policy named my-policy:
+
+      $ vault policy delete my-policy
+
+  Please see the individual subcommand help for detailed usage information.
+`
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *PolicyCommand) Run(args []string) int {
+	return cli.RunResultHelp
+}
diff --git a/ui/app/templates/components/wizard/mount-info.hbs b/ui/app/templates/components/wizard/mount-info.hbs
new file mode 100644
index 000000000000..d5c3b8aabc11
--- /dev/null
+++ b/ui/app/templates/components/wizard/mount-info.hbs
@@ -0,0 +1,90 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*PolicyDeleteCommand)(nil)
+	_ cli.CommandAutocomplete = (*PolicyDeleteCommand)(nil)
+)
+
+type PolicyDeleteCommand struct {
+	*BaseCommand
+}
+
+func (c *PolicyDeleteCommand) Synopsis() string {
+	return "Deletes a policy by name"
+}
+
+func (c *PolicyDeleteCommand) Help() string {
+	helpText := `
+Usage: vault policy delete [options] NAME
+
+  Deletes the policy named NAME in the Vault server. Once the policy is deleted,
+  all tokens associated with the policy are affected immediately.
+
+  Delete the policy named "my-policy":
+
+      $ vault policy delete my-policy
+
+  Note that it is not possible to delete the "default" or "root" policies.
+  These are built-in policies.
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *PolicyDeleteCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP)
+}
+
+func (c *PolicyDeleteCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultPolicies()
+}
+
+func (c *PolicyDeleteCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *PolicyDeleteCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	name := strings.TrimSpace(strings.ToLower(args[0]))
+	if err := client.Sys().DeletePolicy(name); err != nil {
+		c.UI.Error(fmt.Sprintf("Error deleting %s: %s", name, err))
+		return 2
+	}
+
+	c.UI.Output(fmt.Sprintf("Success! Deleted policy: %s", name))
+	return 0
+}
diff --git a/ui/app/templates/vault.hbs b/ui/app/templates/vault.hbs
index 0c3fd74bc253..6b3bd01e3f32 100644
--- a/ui/app/templates/vault.hbs
+++ b/ui/app/templates/vault.hbs
@@ -1,41 +1,143 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-{{outlet}}
-<footer class="footer has-text-grey has-text-centered">
-  <span class="is-inline-block">
-    <Icon @name="hashicorp" aria-hidden="true" class="has-text-grey-light" />
-    &copy;
-    {{date-format (now) "yyyy"}}
-    HashiCorp
-  </span>
-  <span>
-    <ExternalLink @href={{changelog-url-for this.auth.activeCluster.leaderNode.version}} class="link has-text-grey">
-      Vault
-      {{this.auth.activeCluster.leaderNode.version}}
-    </ExternalLink>
-  </span>
-  {{#if (is-version "OSS")}}
-    <span>
-      <ExternalLink @href="https://hashicorp.com/products/vault/trial?source=vaultui" class="link has-text-grey">
-        Upgrade to Vault Enterprise
-      </ExternalLink>
-    </span>
-  {{/if}}
-  <span>
-    <DocLink @path="/vault" class="has-text-grey">
-      Documentation
-    </DocLink>
-  </span>
-</footer>
-{{#if (eq this.env "development")}}
-  <div class="env-banner level development">
-    <div class="level-item notification">
-      <Icon @name="git-branch" /><Icon @name="pencil-tool" />
-      Local development
-      <Icon @name="pencil-tool" /><Icon @name="git-branch" />
-    </div>
-  </div>
-{{/if}}
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+)
+
+func testPolicyDeleteCommand(tb testing.TB) (*cli.MockUi, *PolicyDeleteCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &PolicyDeleteCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestPolicyDeleteCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"not_enough_args",
+			nil,
+			"Not enough arguments",
+			1,
+		},
+		{
+			"too_many_args",
+			[]string{"foo", "bar"},
+			"Too many arguments",
+			1,
+		},
+	}
+
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range cases {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				ui, cmd := testPolicyDeleteCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
+	})
+
+	t.Run("integration", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		policy := `path "secret/" {}`
+		if err := client.Sys().PutPolicy("my-policy", policy); err != nil {
+			t.Fatal(err)
+		}
+
+		ui, cmd := testPolicyDeleteCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"my-policy",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Success! Deleted policy: my-policy"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+
+		policies, err := client.Sys().ListPolicies()
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		list := []string{"default", "root"}
+		if !reflect.DeepEqual(policies, list) {
+			t.Errorf("expected %q to be %q", policies, list)
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testPolicyDeleteCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"my-policy",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error deleting my-policy: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testPolicyDeleteCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
diff --git a/ui/app/templates/vault/cluster/access/identity/index.hbs b/ui/app/templates/vault/cluster/access/identity/index.hbs
index 711954a6150a..ea3dd2ab9958 100644
--- a/ui/app/templates/vault/cluster/access/identity/index.hbs
+++ b/ui/app/templates/vault/cluster/access/identity/index.hbs
@@ -1,126 +1,116 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<Identity::EntityNav @identityType={{this.identityType}} @model={{this.model}} />
-{{#if this.model.meta.total}}
-  {{#each this.model as |item|}}
-    <LinkedBlock
-      @params={{array "vault.cluster.access.identity.show" item.id "details"}}
-      class="list-item-row"
-      data-test-identity-row
-    >
-      <div class="columns is-mobile">
-        <div class="column is-7-tablet is-10-mobile">
-          <LinkTo
-            @route="vault.cluster.access.identity.show"
-            @models={{array item.id "details"}}
-            class="is-block has-text-black has-text-weight-semibold"
-            data-test-identity-link={{true}}
-          >
-            <Icon @name="user" class="has-text-grey-light" />
-            <span class="has-text-weight-semibold">{{item.name}}</span>
-          </LinkTo>
-          <div class="has-text-grey is-size-8">
-            {{item.id}}
-          </div>
-        </div>
-        <div class="column is-3 is-hidden-mobile">
-          {{#if item.aliases.length}}
-            {{pluralize item.aliases.length "alias"}}
-          {{/if}}
-        </div>
-        <div class="column has-text-right">
-          <PopupMenu @name="identity-item" @onOpen={{action "reloadRecord" item}}>
-            <nav class="menu">
-              <ul class="menu-list">
-                <li class="action">
-                  <LinkTo @route="vault.cluster.access.identity.show" @models={{array item.id "details"}}>
-                    Details
-                  </LinkTo>
-                </li>
-                {{#if (or item.isReloading item.updatePath.isPending item.aliasPath.isPending)}}
-                  <li class="action">
-                    <LoadingDropdownOption />
-                  </li>
-                {{else}}
-                  {{#if item.canAddAlias}}
-                    <li class="action">
-                      <LinkTo
-                        @route="vault.cluster.access.identity.aliases.add"
-                        @models={{array (pluralize this.identityType) item.id}}
-                      >
-                        Create alias
-                      </LinkTo>
-                    </li>
-                  {{/if}}
-                  {{#if item.canEdit}}
-                    <li class="action">
-                      <LinkTo @route="vault.cluster.access.identity.edit" @model={{item.id}}>
-                        Edit
-                      </LinkTo>
-                    </li>
-                    <li class="action">
-                      {{#if item.disabled}}
-                        <Hds::Button
-                          @text="Enable"
-                          type="button"
-                          {{on "click" (action "toggleDisabled" item)}}
-                          class="link"
-                        />
-                      {{else if (eq this.identityType "entity")}}
-                        <ConfirmAction
-                          @isInDropdown={{true}}
-                          @buttonText="Disable"
-                          @confirmMessage="Associated tokens will not be revoked, but cannot be used"
-                          @confirmTitle="Disable this entity?"
-                          @onConfirmAction={{action "toggleDisabled" item}}
-                          @modalColor="warning"
-                        />
-                      {{/if}}
-                    </li>
-                  {{/if}}
-                  {{#if item.canDelete}}
-                    <ConfirmAction
-                      @isInDropdown={{true}}
-                      @buttonText="Delete"
-                      @onConfirmAction={{action "delete" item}}
-                      @confirmTitle="Delete this {{this.identityType}}?"
-                      data-test-item-delete
-                    />
-                  {{/if}}
-                {{/if}}
-              </ul>
-            </nav>
-          </PopupMenu>
-        </div>
-      </div>
-    </LinkedBlock>
-  {{/each}}
-
-  <Hds::Pagination::Numbered
-    @currentPage={{this.model.meta.currentPage}}
-    @currentPageSize={{this.model.meta.pageSize}}
-    @route="vault.cluster.access.identity.index"
-    @showSizeSelector={{false}}
-    @totalItems={{this.model.meta.total}}
-    @queryFunction={{this.paginationQueryParams}}
-  />
-
-{{else}}
-  <EmptyState
-    @title="No {{pluralize this.identityType}} yet"
-    @message="A list of {{pluralize
-      this.identityType
-    }} in this namespace will be listed here. Create your first {{this.identityType}} to get started."
-  >
-    <LinkTo @route="vault.cluster.access.identity.create" @model={{pluralize this.identityType}} class="link">
-      Create
-      {{this.identityType}}
-    </LinkTo>
-    <DocLink @path="/vault/tutorials/auth-methods/identity">
-      Learn more
-    </DocLink>
-  </EmptyState>
-{{/if}}
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"fmt"
+	"io/ioutil"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/hcl/hcl/printer"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/vault"
+	homedir "github.com/mitchellh/go-homedir"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*PolicyFmtCommand)(nil)
+	_ cli.CommandAutocomplete = (*PolicyFmtCommand)(nil)
+)
+
+type PolicyFmtCommand struct {
+	*BaseCommand
+}
+
+func (c *PolicyFmtCommand) Synopsis() string {
+	return "Formats a policy on disk"
+}
+
+func (c *PolicyFmtCommand) Help() string {
+	helpText := `
+Usage: vault policy fmt [options] PATH
+
+  Formats a local policy file to the policy specification. This command will
+  overwrite the file at the given PATH with the properly-formatted policy
+  file contents.
+
+  Format the local file "my-policy.hcl" as a policy file:
+
+      $ vault policy fmt my-policy.hcl
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *PolicyFmtCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetNone)
+}
+
+func (c *PolicyFmtCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictFiles("*.hcl")
+}
+
+func (c *PolicyFmtCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *PolicyFmtCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
+
+	// Get the filepath, accounting for ~ and stuff
+	path, err := homedir.Expand(strings.TrimSpace(args[0]))
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Failed to expand path: %s", err))
+		return 1
+	}
+
+	// Read the entire contents into memory - it would be nice if we could use
+	// a buffer, but hcl wants the full contents.
+	b, err := ioutil.ReadFile(path)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error reading source file: %s", err))
+		return 1
+	}
+
+	// Actually parse the policy. We always use the root namespace here because
+	// we don't want to modify the results.
+	if _, err := vault.ParseACLPolicy(namespace.RootNamespace, string(b)); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	// Generate final contents
+	result, err := printer.Format(b)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error printing result: %s", err))
+		return 1
+	}
+
+	// Write them back out
+	if err := ioutil.WriteFile(path, result, 0o644); err != nil {
+		c.UI.Error(fmt.Sprintf("Error writing result: %s", err))
+		return 1
+	}
+
+	c.UI.Output(fmt.Sprintf("Success! Formatted policy: %s", path))
+	return 0
+}
diff --git a/ui/app/templates/vault/cluster/auth.hbs b/ui/app/templates/vault/cluster/auth.hbs
index 4d75b44acc01..41de53c9e6c8 100644
--- a/ui/app/templates/vault/cluster/auth.hbs
+++ b/ui/app/templates/vault/cluster/auth.hbs
@@ -1,128 +1,236 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<SplashPage @hasAltContent={{this.mfaErrors}} as |Page|>
-  <Page.altContent>
-    <div class="has-top-margin-xxl" data-test-mfa-error>
-      <EmptyState
-        @title="Unauthorized"
-        @message="Multi-factor authentication is required, but failed. Go back and try again, or contact your administrator."
-        @icon="alert-circle"
-        @bottomBorder={{true}}
-        @subTitle={{join ". " this.mfaErrors}}
-        class="is-shadowless"
-      >
-        <Hds::Button @text="Go back" @icon="chevron-left" @color="tertiary" {{on "click" (action "onMfaErrorDismiss")}} />
-      </EmptyState>
-    </div>
-  </Page.altContent>
-  <Page.header>
-    {{#if this.oidcProvider}}
-      <div class="box is-shadowless is-flex-v-centered" data-test-auth-logo>
-        <LogoEdition aria-label="Sign in with Hashicorp Vault" />
-      </div>
-    {{else}}
-      <div class="is-flex-v-centered has-bottom-margin-xxl">
-        <div class="brand-icon-large">
-          <Icon @name="vault" @size="24" @stretched={{true}} />
-        </div>
-      </div>
-      <div class="is-flex-row">
-        {{#if this.mfaAuthData}}
-          <Hds::Button
-            @text="Back to login"
-            @icon="arrow-left"
-            @isIconOnly={{true}}
-            @color="tertiary"
-            {{on "click" (fn (mut this.mfaAuthData) null)}}
-          />
-        {{else if this.waitingForOktaNumberChallenge}}
-          <Hds::Button
-            @text="Back to login"
-            @icon="arrow-left"
-            @isIconOnly={{true}}
-            @color="tertiary"
-            {{on "click" (action "cancelAuthentication")}}
-          />
-        {{/if}}
-        <h1 class="title is-3">
-          {{if (or this.mfaAuthData this.waitingForOktaNumberChallenge) "Authenticate" "Sign in to Vault"}}
-        </h1>
-      </div>
-    {{/if}}
-  </Page.header>
-  {{#unless this.mfaAuthData}}
-    {{#if (has-feature "Namespaces")}}
-      <Page.sub-header>
-        <Toolbar class="toolbar-namespace-picker">
-          <div class="field is-horizontal" data-test-namespace-toolbar>
-            <div class="field-label is-normal">
-              <label class="is-label" for="namespace">Namespace</label>
-            </div>
-            {{#if this.managedNamespaceRoot}}
-              <div class="field-label">
-                <span class="has-text-grey" data-test-managed-namespace-root>/{{this.managedNamespaceRoot}}</span>
-              </div>
-            {{/if}}
-            <div class="field-body">
-              <div class="field">
-                <div class="control">
-                  <input
-                    data-test-auth-form-ns-input
-                    value={{this.namespaceInput}}
-                    placeholder={{if this.managedNamespaceRoot "/ (Default)" "/ (Root)"}}
-                    oninput={{perform this.updateNamespace value="target.value"}}
-                    autocomplete="off"
-                    spellcheck="false"
-                    name="namespace"
-                    id="namespace"
-                    class="input"
-                    type="text"
-                    disabled={{this.oidcProvider}}
-                  />
-                </div>
-              </div>
-            </div>
-          </div>
-        </Toolbar>
-      </Page.sub-header>
-    {{/if}}
-  {{/unless}}
-  <Page.content>
-    {{#if this.mfaAuthData}}
-      <Mfa::MfaForm
-        @clusterId={{this.model.id}}
-        @authData={{this.mfaAuthData}}
-        @onSuccess={{action "onMfaSuccess"}}
-        @onError={{fn (mut this.mfaErrors)}}
-      />
-    {{else}}
-      <AuthForm
-        @wrappedToken={{this.wrappedToken}}
-        @cluster={{this.model}}
-        @namespace={{this.namespaceQueryParam}}
-        @redirectTo={{this.redirectTo}}
-        @selectedAuth={{this.authMethod}}
-        @onSuccess={{action "onAuthResponse"}}
-        @setOktaNumberChallenge={{fn (mut this.waitingForOktaNumberChallenge)}}
-        @waitingForOktaNumberChallenge={{this.waitingForOktaNumberChallenge}}
-        @setCancellingAuth={{fn (mut this.cancelAuth)}}
-        @cancelAuthForOktaNumberChallenge={{this.cancelAuth}}
-      />
-    {{/if}}
-  </Page.content>
-  <Page.footer>
-    <div class="has-short-padding">
-      <p class="help has-text-grey-dark" data-test-auth-helptext>
-        {{#if this.oidcProvider}}
-          Once you log in, you will be redirected back to your application. If you require login credentials, contact your
-          administrator.
-        {{else}}
-          Contact your administrator for login credentials
-        {{/if}}
-      </p>
-    </div>
-  </Page.footer>
-</SplashPage>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"io/ioutil"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+)
+
+func testPolicyFmtCommand(tb testing.TB) (*cli.MockUi, *PolicyFmtCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &PolicyFmtCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestPolicyFmtCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"not_enough_args",
+			[]string{},
+			"Not enough arguments",
+			1,
+		},
+		{
+			"too_many_args",
+			[]string{"foo", "bar"},
+			"Too many arguments",
+			1,
+		},
+	}
+
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range cases {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				ui, cmd := testPolicyFmtCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
+	})
+
+	t.Run("default", func(t *testing.T) {
+		t.Parallel()
+
+		policy := strings.TrimSpace(`
+path "secret" {
+  capabilities  =           ["create",    "update","delete"]
+
+}
+`)
+
+		f, err := ioutil.TempFile("", "")
+		if err != nil {
+			t.Fatal(err)
+		}
+		defer os.Remove(f.Name())
+		if _, err := f.WriteString(policy); err != nil {
+			t.Fatal(err)
+		}
+		f.Close()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		_, cmd := testPolicyFmtCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			f.Name(),
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := strings.TrimSpace(`
+path "secret" {
+  capabilities = ["create", "update", "delete"]
+}
+`) + "\n"
+
+		contents, err := ioutil.ReadFile(f.Name())
+		if err != nil {
+			t.Fatal(err)
+		}
+		if string(contents) != expected {
+			t.Errorf("expected %q to be %q", string(contents), expected)
+		}
+	})
+
+	t.Run("bad_hcl", func(t *testing.T) {
+		t.Parallel()
+
+		policy := `dafdaf`
+
+		f, err := ioutil.TempFile("", "")
+		if err != nil {
+			t.Fatal(err)
+		}
+		defer os.Remove(f.Name())
+		if _, err := f.WriteString(policy); err != nil {
+			t.Fatal(err)
+		}
+		f.Close()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		ui, cmd := testPolicyFmtCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			f.Name(),
+		})
+		if exp := 1; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		stderr := ui.ErrorWriter.String()
+		expected := "failed to parse policy"
+		if !strings.Contains(stderr, expected) {
+			t.Errorf("expected %q to include %q", stderr, expected)
+		}
+	})
+
+	t.Run("bad_policy", func(t *testing.T) {
+		t.Parallel()
+
+		policy := `banana "foo" {}`
+
+		f, err := ioutil.TempFile("", "")
+		if err != nil {
+			t.Fatal(err)
+		}
+		defer os.Remove(f.Name())
+		if _, err := f.WriteString(policy); err != nil {
+			t.Fatal(err)
+		}
+		f.Close()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		ui, cmd := testPolicyFmtCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			f.Name(),
+		})
+		if exp := 1; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		stderr := ui.ErrorWriter.String()
+		expected := "failed to parse policy"
+		if !strings.Contains(stderr, expected) {
+			t.Errorf("expected %q to include %q", stderr, expected)
+		}
+	})
+
+	t.Run("bad_policy", func(t *testing.T) {
+		t.Parallel()
+
+		policy := `path "secret/" { capabilities = ["bogus"] }`
+
+		f, err := ioutil.TempFile("", "")
+		if err != nil {
+			t.Fatal(err)
+		}
+		defer os.Remove(f.Name())
+		if _, err := f.WriteString(policy); err != nil {
+			t.Fatal(err)
+		}
+		f.Close()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		ui, cmd := testPolicyFmtCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			f.Name(),
+		})
+		if exp := 1; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		stderr := ui.ErrorWriter.String()
+		expected := "failed to parse policy"
+		if !strings.Contains(stderr, expected) {
+			t.Errorf("expected %q to include %q", stderr, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testPolicyFmtCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
diff --git a/ui/app/templates/vault/cluster/init.hbs b/ui/app/templates/vault/cluster/init.hbs
index 70d44deb8e90..147efb971672 100644
--- a/ui/app/templates/vault/cluster/init.hbs
+++ b/ui/app/templates/vault/cluster/init.hbs
@@ -1,222 +1,86 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<SplashPage as |Page|>
-  {{#if (and this.model.usingRaft (not this.prefersInit))}}
-    <Page.header>
-      <h1 class="title is-4">
-        Raft Storage
-      </h1>
-    </Page.header>
-    <Page.content>
-      <RaftJoin @onDismiss={{action (mut this.prefersInit) true}} />
-    </Page.content>
-  {{else if this.keyData}}
-    <Page.header>
-      {{#let (or this.keyData.recovery_keys this.keyData.keys) as |keyArray|}}
-        <h1 class="title is-4">
-          Vault has been initialized!
-          {{#if (eq keyArray.length 1)}}
-            Here is your key.
-          {{else}}
-            Here are your
-            {{pluralize keyArray.length "key"}}.
-          {{/if}}
-        </h1>
-      {{/let}}
-    </Page.header>
-    <Page.content>
-      <div class="box is-marginless is-shadowless">
-        <div class="content">
-          <p>
-            {{#if this.keyData.recovery_keys}}
-              Please securely distribute the keys below. Certain privileged operations in Vault such as rekeying the barrier
-              or generating a new root token will require you to provide at least
-              <strong class="has-text-danger">{{this.secret_threshold}}</strong>
-              of these keys to perform the operation.
-            {{else}}
-              Please securely distribute the keys below. When the Vault is re-sealed, restarted, or stopped, you must provide
-              at least
-              <strong class="has-text-danger">{{this.secret_threshold}}</strong>
-              of these keys to unseal it again. Vault does not store the root key. Without at least
-              <strong class="has-text-danger">{{this.secret_threshold}}</strong>
-              keys, your Vault will remain permanently sealed.
-            {{/if}}
-          </p>
-        </div>
-        <div class="message is-list is-highlight">
-          <div class="message-body">
-            <h4 class="title is-7 is-marginless">
-              Initial root token
-            </h4>
-            <MaskedInput
-              @class="is-highlight has-label"
-              @displayOnly={{true}}
-              @value={{this.keyData.root_token}}
-              @allowCopy={{true}}
-            />
-          </div>
-        </div>
-        {{#each
-          (or this.keyData.recovery_keys_base64 this.keyData.recovery_keys this.keyData.keys_base64 this.keyData.keys)
-          as |key index|
-        }}
-          <div data-test-key-box class="message is-list">
-            <div class="message-body">
-              <h4 class="title is-7 is-marginless">
-                Key
-                {{add index 1}}
-              </h4>
-              <MaskedInput @class="has-label" @displayOnly={{true}} @value={{key}} @allowCopy={{true}} />
-            </div>
-          </div>
-        {{/each}}
-      </div>
-      <div class="box is-marginless is-shadowless">
-        <div class="field is-grouped-split">
-          {{#if (and this.model.sealed (not this.keyData.recovery_keys))}}
-            <div data-test-advance-button class="control">
-              <LinkTo @route="vault.cluster.unseal" @model={{this.model.name}} class="button is-primary">
-                Continue to Unseal
-              </LinkTo>
-            </div>
-          {{else}}
-            <div data-test-advance-button class="control">
-              <LinkTo
-                @route="vault.cluster.auth"
-                @model={{this.model.name}}
-                @disabled={{this.model.sealed}}
-                class={{concat (if this.model.sealed "is-loading " "") "button is-primary"}}
-              >
-                Continue to Authenticate
-              </LinkTo>
-            </div>
-          {{/if}}
-          <DownloadButton
-            @color="tertiary"
-            @filename={{this.keyFilename}}
-            @data={{this.keyData}}
-            @extension="json"
-            @stringify={{true}}
-            @text="Download keys"
-          />
-        </div>
-      </div>
-    </Page.content>
-  {{else}}
-    <Page.header>
-      <h1 class="title h5">
-        Let's set up the initial set of root keys that you’ll need in case of an emergency
-      </h1>
-    </Page.header>
-    <Page.content>
-      <form
-        {{action
-          "initCluster"
-          (hash
-            secret_shares=this.secret_shares
-            secret_threshold=this.secret_threshold
-            pgp_keys=this.pgp_keys
-            use_pgp=this.use_pgp
-            use_pgp_for_root=this.use_pgp_for_root
-            root_token_pgp_key=this.root_token_pgp_key
-          )
-          on="submit"
-        }}
-        id="init"
-      >
-        <div class="box is-marginless is-shadowless">
-          <MessageError @errors={{this.errors}} />
-          <div class="field">
-            <label for="key-shares" class="is-label">
-              Key shares
-            </label>
-            <div class="control">
-              <Input
-                data-test-key-shares="true"
-                class="input"
-                autocomplete="off"
-                spellcheck="false"
-                name="key-shares"
-                @type="number"
-                step="1"
-                min="1"
-                pattern="[0-9]*"
-                @value={{this.secret_shares}}
-              />
-            </div>
-            <p class="help has-text-grey">
-              The number of key shares to split the root key into
-            </p>
-          </div>
-          <div class="field">
-            <label for="key-threshold" class="is-label">
-              Key threshold
-            </label>
-            <div class="control">
-              <Input
-                data-test-key-threshold="true"
-                class="input"
-                autocomplete="off"
-                spellcheck="false"
-                name="key-threshold"
-                @type="number"
-                step="1"
-                min="1"
-                pattern="[0-9]*"
-                @value={{this.secret_threshold}}
-              />
-            </div>
-            <p class="help has-text-grey">
-              The number of key shares required to reconstruct the root key
-            </p>
-          </div>
-          <ToggleButton
-            @isOpen={{this.use_pgp}}
-            @openLabel="Encrypt output with PGP"
-            @closedLabel="Encrypt output with PGP"
-            @onClick={{fn (mut this.use_pgp)}}
-            class="is-block"
-          />
-          {{#if this.use_pgp}}
-            <div class="box init-box">
-              <p class="help has-text-grey">
-                The output unseal keys will be encrypted and hex-encoded, in order, with the given public keys.
-              </p>
-              <PgpList @listLength={{this.secret_shares}} @onDataUpdate={{action "setKeys"}} />
-            </div>
-          {{/if}}
-          <ToggleButton
-            @isOpen={{this.use_pgp_for_root}}
-            @openLabel="Encrypt root token with PGP"
-            @closedLabel="Encrypt root token with PGP"
-            @onClick={{fn (mut this.use_pgp_for_root)}}
-            class="is-block"
-          />
-          {{#if this.use_pgp_for_root}}
-            <div class="box init-box">
-              <p class="help has-text-grey">
-                The root unseal key will be encrypted and hex-encoded with the given public key.
-              </p>
-              <PgpList @listLength={{1}} @onDataUpdate={{action "setRootKey"}} />
-            </div>
-          {{/if}}
-        </div>
-        <div class="box is-marginless is-shadowless">
-          <Hds::Button
-            @text="Initialize"
-            @icon={{if this.loading "loading"}}
-            data-test-init-submit
-            type="submit"
-            disabled={{this.loading}}
-          />
-          <div class="init-illustration">
-            {{svg-jar "initialize"}}
-          </div>
-        </div>
-      </form>
-    </Page.content>
-  {{/if}}
-</SplashPage>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*PolicyListCommand)(nil)
+	_ cli.CommandAutocomplete = (*PolicyListCommand)(nil)
+)
+
+type PolicyListCommand struct {
+	*BaseCommand
+}
+
+func (c *PolicyListCommand) Synopsis() string {
+	return "Lists the installed policies"
+}
+
+func (c *PolicyListCommand) Help() string {
+	helpText := `
+Usage: vault policy list [options]
+
+  Lists the names of the policies that are installed on the Vault server.
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *PolicyListCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+}
+
+func (c *PolicyListCommand) AutocompleteArgs() complete.Predictor {
+	return nil
+}
+
+func (c *PolicyListCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *PolicyListCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	switch {
+	case len(args) > 0:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(args)))
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	policies, err := client.Sys().ListPolicies()
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error listing policies: %s", err))
+		return 2
+	}
+
+	switch Format(c.UI) {
+	case "table":
+		for _, p := range policies {
+			c.UI.Output(p)
+		}
+		return 0
+	default:
+		return OutputData(c.UI, policies)
+	}
+}
diff --git a/ui/app/templates/vault/cluster/mfa-setup.hbs b/ui/app/templates/vault/cluster/mfa-setup.hbs
index b4d3419f356f..c603d310fcd2 100644
--- a/ui/app/templates/vault/cluster/mfa-setup.hbs
+++ b/ui/app/templates/vault/cluster/mfa-setup.hbs
@@ -1,35 +1,117 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<SplashPage @showTruncatedNavBar={{false}} as |Page|>
-  <Page.header>
-    <h1 class="title is-4">MFA setup</h1>
-  </Page.header>
-  <Page.content>
-    <div class="auth-form" data-test-mfa-form>
-      <div class="box">
-        {{#if (eq this.onStep 1)}}
-          <Mfa::MfaSetupStepOne
-            @isUUIDVerified={{this.isUUIDVerified}}
-            @restartFlow={{this.restartFlow}}
-            @saveUUIDandQrCode={{this.saveUUIDandQrCode}}
-            @showWarning={{this.showWarning}}
-            data-test-step-one
-          />
-        {{/if}}
-        {{#if (eq this.onStep 2)}}
-          <Mfa::MfaSetupStepTwo
-            @entityId={{this.entityId}}
-            @uuid={{this.uuid}}
-            @qrCode={{this.qrCode}}
-            @restartFlow={{this.restartFlow}}
-            @warning={{this.warning}}
-            data-test-step-two
-          />
-        {{/if}}
-      </div>
-    </div>
-  </Page.content>
-</SplashPage>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+)
+
+func testPolicyListCommand(tb testing.TB) (*cli.MockUi, *PolicyListCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &PolicyListCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestPolicyListCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"too_many_args",
+			[]string{"foo"},
+			"Too many arguments",
+			1,
+		},
+	}
+
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range cases {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				ui, cmd := testPolicyListCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
+	})
+
+	t.Run("default", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		ui, cmd := testPolicyListCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "default\nroot"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testPolicyListCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error listing policies: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testPolicyListCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
diff --git a/ui/app/templates/vault/cluster/secrets/backend/sign.hbs b/ui/app/templates/vault/cluster/secrets/backend/sign.hbs
index 5780bdb6f8be..dd7a698de65c 100644
--- a/ui/app/templates/vault/cluster/secrets/backend/sign.hbs
+++ b/ui/app/templates/vault/cluster/secrets/backend/sign.hbs
@@ -1,131 +1,100 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<PageHeader as |p|>
-  <p.top>
-    <nav class="breadcrumb">
-      <ul>
-        <li>
-          <span class="sep">&#x0002f;</span>
-          <LinkTo @route="vault.cluster.secrets.backend" @model={{this.backend.id}}>
-            ssh
-          </LinkTo>
-        </li>
-        <li class="is-active">
-          <span class="sep">&#x0002f;</span>
-          <LinkTo @route="vault.cluster.secrets.backend" @model={{this.backend.id}}>
-            sign
-          </LinkTo>
-        </li>
-        <li>
-          <span class="sep">&#x0002f;</span>
-          <LinkTo @route="vault.cluster.secrets.backend.show" @model={{this.model.role.name}}>
-            {{this.model.role.name}}
-          </LinkTo>
-        </li>
-      </ul>
-    </nav>
-  </p.top>
-  <p.levelLeft>
-    <h1 class="title is-3">
-      Sign SSH Key
-    </h1>
-  </p.levelLeft>
-</PageHeader>
-
-{{#if this.model.signedKey}}
-  <div class="box is-fullwidth is-sideless is-paddingless is-marginless">
-    <Hds::Alert @type="inline" @color="warning" class="has-top-margin-s has-bottom-margin-s" as |A|>
-      <A.Title>Warning</A.Title>
-      <A.Description>
-        You will not be able to access this information later, so please copy the information below.
-      </A.Description>
-    </Hds::Alert>
-    {{#each this.model.attrs as |attr|}}
-      {{#if (eq attr.type "object")}}
-        <InfoTableRow
-          @label={{capitalize (or attr.options.label (humanize (dasherize attr.name)))}}
-          @value={{stringify (get this.model attr.name)}}
-        />
-      {{else}}
-        <InfoTableRow
-          @label={{capitalize (or attr.options.label (humanize (dasherize attr.name)))}}
-          @value={{get this.model attr.name}}
-        />
-      {{/if}}
-    {{/each}}
-  </div>
-  <div class="field is-grouped box is-fullwidth is-bottomless">
-    <div class="control">
-      <Hds::Copy::Button @text="Copy key" @textToCopy={{this.model.signedKey}} class="primary" />
-    </div>
-    {{#if this.model.leaseId}}
-      <div class="control">
-        <Hds::Copy::Button @text="Copy lease ID" @textToCopy={{this.model.leaseId}} class="secondary" />
-      </div>
-    {{/if}}
-    <div class="control">
-      <Hds::Button
-        @text="Back"
-        @color="secondary"
-        {{on "click" (action "newModel")}}
-        data-test-secret-generate-back={{true}}
-      />
-    </div>
-  </div>
-{{else}}
-  <form {{action "sign" on="submit"}} data-test-secret-generate-form="true">
-    <div class="box is-sideless is-fullwidth is-marginless">
-      <MessageError @model={{this.model}} />
-      <NamespaceReminder @mode="sign" @noun="SSH key" />
-      {{#if this.model.attrs}}
-        {{#each (take 1 this.model.attrs) as |attr|}}
-          <FormFieldFromModel
-            @attr={{attr}}
-            @model={{this.model}}
-            @updateTtl={{action "updateTtl" attr.name}}
-            @emptyData={{this.emptyData}}
-            @codemirrorUpdated={{action "codemirrorUpdated" attr.name}}
-          />
-        {{/each}}
-        <ToggleButton @isOpen={{this.showOptions}} @onClick={{fn (mut this.showOptions)}} data-test-toggle-button />
-        {{#if this.showOptions}}
-          <div class="box is-marginless">
-            {{#each (drop 1 this.model.attrs) as |attr|}}
-              <FormFieldFromModel
-                @attr={{attr}}
-                @model={{this.model}}
-                @updateTtl={{action "updateTtl" attr.name}}
-                @emptyData={{this.emptyData}}
-                @codemirrorUpdated={{action "codemirrorUpdated" attr.name}}
-              />
-            {{/each}}
-          </div>
-        {{/if}}
-      {{/if}}
-    </div>
-    <div class="field is-grouped box is-fullwidth is-bottomless">
-      <div class="control">
-        <Hds::Button
-          @text="Sign"
-          @icon={{if this.loading "loading"}}
-          type="submit"
-          disabled={{this.loading}}
-          data-test-secret-generate={{true}}
-        />
-      </div>
-      <div class="control">
-        <LinkTo
-          @route="vault.cluster.secrets.backend.list-root"
-          @model={{this.backend.id}}
-          class="button"
-          data-test-secret-generate-cancel={{true}}
-        >
-          Cancel
-        </LinkTo>
-      </div>
-    </div>
-  </form>
-{{/if}}
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*PolicyReadCommand)(nil)
+	_ cli.CommandAutocomplete = (*PolicyReadCommand)(nil)
+)
+
+type PolicyReadCommand struct {
+	*BaseCommand
+}
+
+func (c *PolicyReadCommand) Synopsis() string {
+	return "Prints the contents of a policy"
+}
+
+func (c *PolicyReadCommand) Help() string {
+	helpText := `
+Usage: vault policy read [options] [NAME]
+
+  Prints the contents and metadata of the Vault policy named NAME. If the policy
+  does not exist, an error is returned.
+
+  Read the policy named "my-policy":
+
+      $ vault policy read my-policy
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *PolicyReadCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+}
+
+func (c *PolicyReadCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultPolicies()
+}
+
+func (c *PolicyReadCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *PolicyReadCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	name := strings.ToLower(strings.TrimSpace(args[0]))
+	rules, err := client.Sys().GetPolicy(name)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error reading policy named %s: %s", name, err))
+		return 2
+	}
+	if rules == "" {
+		c.UI.Error(fmt.Sprintf("No policy named: %s", name))
+		return 2
+	}
+
+	switch Format(c.UI) {
+	case "table":
+		c.UI.Output(strings.TrimSpace(rules))
+		return 0
+	default:
+		resp := map[string]string{
+			"policy": rules,
+		}
+		return OutputData(c.UI, &resp)
+	}
+}
diff --git a/ui/app/templates/vault/cluster/unseal.hbs b/ui/app/templates/vault/cluster/unseal.hbs
index ed9a02983d4b..e18298e5115e 100644
--- a/ui/app/templates/vault/cluster/unseal.hbs
+++ b/ui/app/templates/vault/cluster/unseal.hbs
@@ -1,71 +1,131 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-{{#if this.showLicenseError}}
-  <div class="section is-flex-v-centered-tablet is-flex-grow-1 is-fullwidth">
-    <div class="columns is-centered is-gapless is-fullwidth">
-      <EmptyState
-        class="empty-state-transparent"
-        @title="License required"
-        @subTitle="Vault license has terminated"
-        @icon="skip"
-        @bottomBorder={{true}}
-        @message="Your Vault license has terminated and Vault is sealed. To unseal, add a current license to your configuration and restart Vault."
-      >
-        <p class="align-right">
-          <DocLink @path="/vault/tutorials/enterprise/hashicorp-enterprise-license">
-            License documentation
-          </DocLink>
-        </p>
-      </EmptyState>
-    </div>
-  </div>
-{{else}}
-  <SplashPage as |Page|>
-    <Page.header>
-      <h1 class="title is-3">
-        Unseal Vault
-      </h1>
-    </Page.header>
-    <Page.content>
-      <div class="box is-borderless is-shadowless is-marginless">
-        <p class="title is-5">
-          {{capitalize this.model.name}}
-          is
-          {{if this.model.unsealed "unsealed" "sealed"}}
-        </p>
-        {{#if this.model.unsealed}}
-          <p>Please wait while we redirect you.</p>
-        {{else}}
-          <p>
-            Unseal Vault by entering portions of the unseal key. This can be done via multiple mechanisms on multiple
-            computers. Once all portions are entered, the root key will be decrypted and Vault will unseal.
-          </p>
-          <Shamir::Flow
-            @action="unseal"
-            @threshold={{this.model.sealThreshold}}
-            @progress={{this.model.sealProgress}}
-            @updateProgress={{action "reloadCluster"}}
-            @inputLabel="Unseal Key Portion"
-            @buttonText="Unseal"
-            @onLicenseError={{action "handleLicenseError"}}
-            @checkComplete={{action "isUnsealed"}}
-            @onShamirSuccess={{action "transitionToCluster"}}
-            class="has-top-margin-m"
-          />
-        {{/if}}
-      </div>
-    </Page.content>
-    <Page.footer>
-      <div class="box is-borderless is-shadowless">
-        <p>
-          <ExternalLink @href="https://developer.hashicorp.com/vault/docs/concepts/seal">
-            Seal/unseal documentation
-          </ExternalLink>
-        </p>
-      </div>
-    </Page.footer>
-  </SplashPage>
-{{/if}}
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+)
+
+func testPolicyReadCommand(tb testing.TB) (*cli.MockUi, *PolicyReadCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &PolicyReadCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestPolicyReadCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"too_many_args",
+			[]string{"foo", "bar"},
+			"Too many arguments",
+			1,
+		},
+		{
+			"no_policy_exists",
+			[]string{"not-a-real-policy"},
+			"No policy named",
+			2,
+		},
+	}
+
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range cases {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				ui, cmd := testPolicyReadCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
+	})
+
+	t.Run("default", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		policy := `path "secret/" {}`
+		if err := client.Sys().PutPolicy("my-policy", policy); err != nil {
+			t.Fatal(err)
+		}
+
+		ui, cmd := testPolicyReadCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"my-policy",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, policy) {
+			t.Errorf("expected %q to contain %q", combined, policy)
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testPolicyReadCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"my-policy",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error reading policy named my-policy: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testPolicyReadCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
diff --git a/ui/lib/core/addon/components/alert-inline.hbs b/ui/lib/core/addon/components/alert-inline.hbs
index f0637176cb91..193c94968809 100644
--- a/ui/lib/core/addon/components/alert-inline.hbs
+++ b/ui/lib/core/addon/components/alert-inline.hbs
@@ -1,24 +1,137 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<div
-  {{did-update this.refresh @message}}
-  class={{concat "is-flex-center" this.paddingTop this.isMarginless this.sizeSmall}}
-  data-test-inline-alert
-  ...attributes
->
-  {{#if this.isRefreshing}}
-    <Icon @name="loading" class="loading" />
-  {{else}}
-    <Icon @name={{this.alertType.glyph}} class={{this.alertType.glyphClass}} />
-    <p class={{this.textClass}} data-test-inline-error-message>
-      {{#if (has-block)}}
-        {{yield}}
-      {{else}}
-        {{@message}}
-      {{/if}}
-    </p>
-  {{/if}}
-</div>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*PolicyWriteCommand)(nil)
+	_ cli.CommandAutocomplete = (*PolicyWriteCommand)(nil)
+)
+
+type PolicyWriteCommand struct {
+	*BaseCommand
+
+	testStdin io.Reader // for tests
+}
+
+func (c *PolicyWriteCommand) Synopsis() string {
+	return "Uploads a named policy from a file"
+}
+
+func (c *PolicyWriteCommand) Help() string {
+	helpText := `
+Usage: vault policy write [options] NAME PATH
+
+  Uploads a policy with name NAME from the contents of a local file PATH or
+  stdin. If PATH is "-", the policy is read from stdin. Otherwise, it is
+  loaded from the file at the given path on the local disk.
+
+  Upload a policy named "my-policy" from "/tmp/policy.hcl" on the local disk:
+
+      $ vault policy write my-policy /tmp/policy.hcl
+
+  Upload a policy from stdin:
+
+      $ cat my-policy.hcl | vault policy write my-policy -
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *PolicyWriteCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP)
+}
+
+func (c *PolicyWriteCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictFunc(func(args complete.Args) []string {
+		// Predict the LAST argument hcl files - we don't want to predict the
+		// name argument as a filepath.
+		if len(args.All) == 3 {
+			return complete.PredictFiles("*.hcl").Predict(args)
+		}
+		return nil
+	})
+}
+
+func (c *PolicyWriteCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *PolicyWriteCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	switch {
+	case len(args) < 2:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 2, got %d)", len(args)))
+		return 1
+	case len(args) > 2:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 2, got %d)", len(args)))
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	// Policies are normalized to lowercase
+	policyName := args[0]
+	formattedName := strings.TrimSpace(strings.ToLower(policyName))
+	path := strings.TrimSpace(args[1])
+
+	// Get the policy contents, either from stdin of a file
+	var reader io.Reader
+	if path == "-" {
+		reader = os.Stdin
+		if c.testStdin != nil {
+			reader = c.testStdin
+		}
+	} else {
+		file, err := os.Open(path)
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error opening policy file: %s", err))
+			return 2
+		}
+		defer file.Close()
+		reader = file
+	}
+
+	// Read the policy
+	var buf bytes.Buffer
+	if _, err := io.Copy(&buf, reader); err != nil {
+		c.UI.Error(fmt.Sprintf("Error reading policy: %s", err))
+		return 2
+	}
+	rules := buf.String()
+
+	if err := client.Sys().PutPolicy(formattedName, rules); err != nil {
+		c.UI.Error(fmt.Sprintf("Error uploading policy: %s", err))
+		return 2
+	}
+
+	if policyName != formattedName {
+		c.UI.Warn(fmt.Sprintf("Policy name was converted from \"%s\" to \"%s\"", policyName, formattedName))
+	}
+
+	c.UI.Output(fmt.Sprintf("Success! Uploaded policy: %s", formattedName))
+	return 0
+}
diff --git a/ui/lib/core/addon/components/alert-inline.js b/ui/lib/core/addon/components/alert-inline.js
index 051b4a40d43b..64f67eb2a8b4 100644
--- a/ui/lib/core/addon/components/alert-inline.js
+++ b/ui/lib/core/addon/components/alert-inline.js
@@ -1,68 +1,210 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Component from '@glimmer/component';
-import { action } from '@ember/object';
-import { later } from '@ember/runloop';
-import { tracked } from '@glimmer/tracking';
-import { messageTypes } from 'core/helpers/message-types';
-
-/**
- * @module AlertInline
- * `AlertInline` components are used to inform users of important messages.
- *
- * @example
- * ```js
- * <AlertInline @type="danger" @message="{{model.keyId}} is not a valid lease ID"/>
- * ```
- *
- * @param {string} type=null - The alert type passed to the message-types helper.
- * @param {string} [message=null] - The message to display within the alert.
- * @param {boolean} [paddingTop=false] - Whether or not to add padding above component.
- * @param {boolean} [isMarginless=false] - Whether or not to remove margin bottom below component.
- * @param {boolean} [sizeSmall=false] - Whether or not to display a small font with padding below of alert message.
- * @param {boolean} [mimicRefresh=false] - If true will display a loading icon when attributes change (e.g. when a form submits and the alert message changes).
- */
-
-export default class AlertInlineComponent extends Component {
-  @tracked isRefreshing = false;
-
-  get mimicRefresh() {
-    return this.args.mimicRefresh || false;
-  }
-
-  get paddingTop() {
-    return this.args.paddingTop ? ' has-top-padding-xs' : '';
-  }
-
-  get isMarginless() {
-    return this.args.isMarginless ? ' is-marginless' : '';
-  }
-
-  get sizeSmall() {
-    return this.args.sizeSmall ? ' size-small' : '';
-  }
-
-  get textClass() {
-    if (this.args.type === 'danger') {
-      return this.alertType.glyphClass;
-    }
-    return null;
-  }
-
-  get alertType() {
-    return messageTypes([this.args.type]);
-  }
-
-  @action
-  refresh() {
-    if (this.mimicRefresh) {
-      this.isRefreshing = true;
-      later(() => {
-        this.isRefreshing = false;
-      }, 200);
-    }
-  }
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"bytes"
+	"io"
+	"io/ioutil"
+	"os"
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+)
+
+func testPolicyWriteCommand(tb testing.TB) (*cli.MockUi, *PolicyWriteCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &PolicyWriteCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func testPolicyWritePolicyContents(tb testing.TB) []byte {
+	return bytes.TrimSpace([]byte(`
+path "secret/" {
+  capabilities = ["read"]
+}
+	`))
+}
+
+func TestPolicyWriteCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"too_many_args",
+			[]string{"foo", "bar", "baz"},
+			"Too many arguments",
+			1,
+		},
+		{
+			"not_enough_args",
+			[]string{"foo"},
+			"Not enough arguments",
+			1,
+		},
+		{
+			"bad_file",
+			[]string{"my-policy", "/not/a/real/path.hcl"},
+			"Error opening policy file",
+			2,
+		},
+	}
+
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range cases {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				ui, cmd := testPolicyWriteCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
+	})
+
+	t.Run("file", func(t *testing.T) {
+		t.Parallel()
+
+		policy := testPolicyWritePolicyContents(t)
+		f, err := ioutil.TempFile("", "vault-policy-write")
+		if err != nil {
+			t.Fatal(err)
+		}
+		if _, err := f.Write(policy); err != nil {
+			t.Fatal(err)
+		}
+		if err := f.Close(); err != nil {
+			t.Fatal(err)
+		}
+		defer os.Remove(f.Name())
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		ui, cmd := testPolicyWriteCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"my-policy", f.Name(),
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Success! Uploaded policy: my-policy"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+
+		policies, err := client.Sys().ListPolicies()
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		list := []string{"default", "my-policy", "root"}
+		if !reflect.DeepEqual(policies, list) {
+			t.Errorf("expected %q to be %q", policies, list)
+		}
+	})
+
+	t.Run("stdin", func(t *testing.T) {
+		t.Parallel()
+
+		stdinR, stdinW := io.Pipe()
+		go func() {
+			policy := testPolicyWritePolicyContents(t)
+			stdinW.Write(policy)
+			stdinW.Close()
+		}()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		ui, cmd := testPolicyWriteCommand(t)
+		cmd.client = client
+		cmd.testStdin = stdinR
+
+		code := cmd.Run([]string{
+			"my-policy", "-",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Success! Uploaded policy: my-policy"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+
+		policies, err := client.Sys().ListPolicies()
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		list := []string{"default", "my-policy", "root"}
+		if !reflect.DeepEqual(policies, list) {
+			t.Errorf("expected %q to be %q", policies, list)
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testPolicyWriteCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"my-policy", "-",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error uploading policy: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testPolicyWriteCommand(t)
+		assertNoTabs(t, cmd)
+	})
 }
diff --git a/ui/lib/core/addon/components/certificate-card.hbs b/ui/lib/core/addon/components/certificate-card.hbs
index a089650e8f38..33aef779ba13 100644
--- a/ui/lib/core/addon/components/certificate-card.hbs
+++ b/ui/lib/core/addon/components/certificate-card.hbs
@@ -1,32 +1,151 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<Hds::Card::Container
-  @level="mid"
-  @hasBorder={{true}}
-  class="is-flex-row has-top-padding-m has-bottom-padding-m is-medium-width"
-  data-test-certificate-card
->
-  <span class="has-left-margin-s">
-    <Icon @name="certificate" @size="24" data-test-certificate-icon />
-  </span>
-  <div class="has-left-margin-m is-min-width-0 is-flex-grow-1">
-    <p class="has-text-weight-bold" data-test-certificate-label>
-      {{this.format}}
-    </p>
-    <code class="is-size-8 truncate-second-line has-text-grey" data-test-certificate-value>
-      {{@data}}
-    </code>
-  </div>
-  <div class="is-flex-center has-background-white-bis has-side-padding-s has-top-bottom-margin-negative-m">
-    <Hds::Copy::Button
-      @text="Copy"
-      @isIconOnly={{true}}
-      @textToCopy={{@data}}
-      class="transparent is-paddingless"
-      data-test-copy-button
-    />
-  </div>
-</Hds::Card::Container>
\ No newline at end of file
+#!/usr/bin/env bash
+
+# READ THIS BEFORE MAKING CHANGES:
+#
+# If you want to add a new pre-commit check, here are the rules:
+#
+#   1. Create a bash function for your check (see e.g. ui_lint below).
+#      NOTE: Each function will be called in a sub-shell so you can freely
+#      change directory without worrying about interference.
+#   2. Add the name of the function to the CHECKS variable.
+#   3. If no changes relevant to your new check are staged, then
+#      do not output anything at all - this would be annoying noise.
+#      In this case, call 'return 0' from your check function to return
+#      early without blocking the commit.
+#   4. If any non-trivial check-specific thing has to be invoked,
+#      then output '==> [check description]' as the first line of
+#      output. Each sub-check should output '--> [subcheck description]'
+#      after it has run, indicating success or failure.
+#   5. Call 'block [reason]' to block the commit. This ensures the last
+#      line of output calls out that the commit was blocked - which may not
+#      be obvious from random error messages generated in 4.
+#
+# At the moment, there are no automated tests for this hook, so please run it
+# locally to check you have not broken anything - breaking this will interfere
+# with other peoples' workflows significantly, so be sure, check everything twice.
+
+set -euo pipefail
+
+# Call block to block the commit with a message.
+block() {
+  echo "$@"
+  echo "Commit blocked - see errors above."
+  exit 1
+}
+
+# Add all check functions to this space separated list.
+# They are executed in this order (see end of file).
+CHECKS="ui_lint ui_copywrite backend_lint"
+
+# Run ui linter if changes in that dir detected.
+ui_lint() {
+  local DIR=ui LINTER=node_modules/.bin/lint-staged
+
+  # Silently succeed if no changes staged for $DIR
+  if git diff --name-only --cached --exit-code -- $DIR/; then
+    return 0
+  fi
+
+  # Silently succeed if the linter has not been installed.
+  # We assume that if you're doing UI dev, you will have installed the linter
+  # by running yarn.
+  if [ ! -x $DIR/$LINTER ]; then
+    return 0
+  fi
+
+  echo "==> Changes detected in $DIR/: Running linter..."
+
+  # Run the linter from the UI dir.
+  cd $DIR
+  $LINTER || block "UI lint failed"
+}
+
+backend_lint() {
+  # Silently succeed if no changes staged for Go code files.
+  staged=$(git diff --name-only --cached --exit-code -- '*.go')
+  ret=$?
+  if [ $ret -eq 0 ]; then
+    return 0
+  fi
+
+  # Only run fmtcheck on staged files
+  ./scripts/gofmtcheck.sh "${staged}" || block "Backend linting failed; run 'make fmt' to fix."
+}
+
+ui_copywrite() {
+  DIR=ui
+  BINARY_DIR=$DIR/.copywrite
+  DOWNLOAD_ERR="==> Copywrite tool not found and failed to downloaded. Please download manually and extract to ui/.copywrite directory to utilize in pre-commit hook."
+
+  # silently succeed if no changes staged for $DIR
+  if git diff --name-only --cached --exit-code -- $DIR/; then
+    return 0
+  fi
+
+  echo "==> Changes detected in $DIR/: Checking copyright headers..."
+
+  # download latest version of hashicorp/copywrite if necessary 
+  if [ ! -x $BINARY_DIR/copywrite ]; then
+    local REPO_URL=https://github.com/hashicorp/copywrite
+    # get the latest version tag
+    local LATEST_RELEASE_JSON=$(curl -L -s -H 'Accept: application/json' $REPO_URL/releases/latest);
+    local LATEST_TAG=$(echo $LATEST_RELEASE_JSON | sed -e 's/.*"tag_name":"\([^"]*\)".*/\1/')
+
+    if [ ! $LATEST_TAG ]; then
+      echo $DOWNLOAD_ERR
+      return 0;
+    fi
+
+    # get the OS/Architecture specifics to build the filename
+    # eg. copywrite_0.16.6_darwin_x86_64.tar.gz
+    case "$OSTYPE" in
+      linux*) OS='linux' ;;
+      darwin*) OS='darwin' ;;
+      msys*) OS='windows';;
+    esac
+    local ARCH=$([ $(uname -m) == arm* ] && echo 'arm64' || echo 'x86_64')
+    local EXT=$([ $OSTYPE == "msys" ] && echo '.zip' || echo '.tar.gz')
+    local FILENAME=copywrite_"${LATEST_TAG:1}"_"$OS"_"$ARCH""$EXT"
+
+    mkdir -p $BINARY_DIR
+    echo "==> Copywrite tool not found, downloading version $LATEST_TAG from $REPO_URL..."
+    curl -L -s $REPO_URL/releases/download/$LATEST_TAG/$FILENAME | tar -xz - -C $BINARY_DIR || { echo $DOWNLOAD_ERR;  return 0; };
+  fi
+  
+  # run the copywrite tool
+  # if a --path option is added we could apply the headers to only the staged files much easier
+  # as of the latest version 0.16.6 there is only support for --dirPath
+  STAGED_FILES=($(git diff --name-only --cached -- $DIR/))
+
+  rm -rf $BINARY_DIR/.staged
+  mkdir $BINARY_DIR/.staged
+  
+  # copy staged files to .staged directory
+  echo $STAGED_FILES;
+  for FILE_PATH in "${STAGED_FILES[@]}"; do
+    cp $FILE_PATH $BINARY_DIR/.staged
+  done
+
+  COPYWRITE_LOG_LEVEL=info
+  COPY_CMD="$BINARY_DIR/copywrite headers -d $BINARY_DIR/.staged --config $DIR/.copywrite.hcl"
+
+  # if staged files are missing header run the tool on .staged directory
+  VALIDATE=$(eval $COPY_CMD --plan) # assigning to var so output is suppressed since it is repeated during second run
+  if [ $(echo $?) == 1 ]; then
+    eval $COPY_CMD || { echo "==> Copyright check failed. Please review and add headers manually."; return 0; };
+
+    # copy files back to original locations and stage changes
+    local TMP_FILES=$(ls $BINARY_DIR/.staged)
+    i=0
+    for FILE in $TMP_FILES; do
+      cp $BINARY_DIR/.staged/$FILE "${STAGED_FILES[$i]}"
+      git add "${STAGED_FILES[$i]}"
+      i=$(( i + 1 ))
+    done
+  fi
+}
+
+for CHECK in $CHECKS; do
+  # Force each check into a subshell to avoid crosstalk.
+  ( $CHECK ) || exit $?
+done
diff --git a/ui/lib/core/addon/components/code-snippet.hbs b/ui/lib/core/addon/components/code-snippet.hbs
index edd1e492f825..d5e3b2a5529b 100644
--- a/ui/lib/core/addon/components/code-snippet.hbs
+++ b/ui/lib/core/addon/components/code-snippet.hbs
@@ -1,19 +1,48 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<div
-  class="has-padding-s has-background-gray-900 border-radius-4 is-flex-between is-flex-center"
-  data-test-code-snippet
-  ...attributes
->
-  <code class="has-text-white is-size-7">{{@codeBlock}}</code>
-  <Hds::Copy::Button
-    class="has-text-grey-light transparent icon-grey-300"
-    @text="Copy"
-    @textToCopy={{or @clipboardCode @codeBlock}}
-    @isIconOnly={{@isIconOnly}}
-    @container={{@container}}
-  />
-</div>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*PrintCommand)(nil)
+	_ cli.CommandAutocomplete = (*PrintCommand)(nil)
+)
+
+type PrintCommand struct {
+	*BaseCommand
+}
+
+func (c *PrintCommand) Synopsis() string {
+	return "Prints runtime configurations"
+}
+
+func (c *PrintCommand) Help() string {
+	helpText := `
+Usage: vault print <subcommand>
+
+	This command groups subcommands for interacting with Vault's runtime values.
+
+Subcommands:
+	token    Token currently in use
+`
+	return strings.TrimSpace(helpText)
+}
+
+func (c *PrintCommand) AutocompleteArgs() complete.Predictor {
+	return nil
+}
+
+func (c *PrintCommand) AutocompleteFlags() complete.Flags {
+	return nil
+}
+
+func (c *PrintCommand) Run(args []string) int {
+	return cli.RunResultHelp
+}
diff --git a/ui/lib/core/addon/components/confirm-action.hbs b/ui/lib/core/addon/components/confirm-action.hbs
index 3e5cd5021a0a..9402e8a15238 100644
--- a/ui/lib/core/addon/components/confirm-action.hbs
+++ b/ui/lib/core/addon/components/confirm-action.hbs
@@ -1,67 +1,56 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
 
-{{#if @isInDropdown}}
-  {{! Hds component renders <li> and <button> elements }}
-  <Hds::Dropdown::ListItem::Interactive
-    data-test-confirm-action-trigger
-    @text={{@buttonText}}
-    @color="critical"
-    {{on "click" (fn (mut this.showConfirmModal) true)}}
-    ...attributes
-    {{! remove class when dropdown/popup menus are replaced with Hds::Dropdown }}
-    class="hds-confirm-action-critical"
-  />
-{{else}}
-  <Hds::Button
-    data-test-confirm-action-trigger
-    @text={{@buttonText}}
-    @color={{@buttonColor}}
-    {{on "click" (fn (mut this.showConfirmModal) true)}}
-    ...attributes
-  />
-{{/if}}
+package command
 
-{{#if this.showConfirmModal}}
-  <Hds::Modal
-    id="confirm-action-modal"
-    @color={{this.modalColor}}
-    @size="small"
-    @onClose={{fn (mut this.showConfirmModal) false}}
-    as |M|
-  >
-    {{#if @disabledMessage}}
-      <M.Header data-test-confirm-action-title @icon="x-circle">
-        Not allowed
-      </M.Header>
-      <M.Body data-test-confirm-action-message>
-        {{@disabledMessage}}
-      </M.Body>
-      <M.Footer as |F|>
-        <Hds::Button data-test-confirm-cancel-button @text="Close" {{on "click" F.close}} />
-      </M.Footer>
-    {{else}}
-      <M.Header data-test-confirm-action-title @icon="alert-circle">
-        {{or @confirmTitle "Are you sure?"}}
-      </M.Header>
-      <M.Body data-test-confirm-action-message>
-        {{this.confirmMessage}}
-      </M.Body>
-      <M.Footer as |F|>
-        <Hds::ButtonSet>
-          <Hds::Button
-            data-test-confirm-button
-            disabled={{@isRunning}}
-            @icon={{if @isRunning "loading"}}
-            @color={{if (eq this.modalColor "critical") "critical" "primary"}}
-            @text="Confirm"
-            {{on "click" this.onConfirm}}
-          />
-          <Hds::Button data-test-confirm-cancel-button @color="secondary" @text="Cancel" {{on "click" F.close}} />
-        </Hds::ButtonSet>
-      </M.Footer>
-    {{/if}}
-  </Hds::Modal>
-{{/if}}
\ No newline at end of file
+import (
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*PrintTokenCommand)(nil)
+	_ cli.CommandAutocomplete = (*PrintTokenCommand)(nil)
+)
+
+type PrintTokenCommand struct {
+	*BaseCommand
+}
+
+func (c *PrintTokenCommand) Synopsis() string {
+	return "Prints the vault token currently in use"
+}
+
+func (c *PrintTokenCommand) Help() string {
+	helpText := `
+Usage: vault print token
+
+  Prints the value of the Vault token that will be used for commands, after
+  taking into account the configured token-helper and the environment.
+
+      $ vault print token
+
+`
+	return strings.TrimSpace(helpText)
+}
+
+func (c *PrintTokenCommand) AutocompleteArgs() complete.Predictor {
+	return nil
+}
+
+func (c *PrintTokenCommand) AutocompleteFlags() complete.Flags {
+	return nil
+}
+
+func (c *PrintTokenCommand) Run(args []string) int {
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	c.UI.Output(client.Token())
+	return 0
+}
diff --git a/ui/lib/core/addon/components/confirmation-modal.hbs b/ui/lib/core/addon/components/confirmation-modal.hbs
index 6f1eb4ea7dab..db82ec148180 100644
--- a/ui/lib/core/addon/components/confirmation-modal.hbs
+++ b/ui/lib/core/addon/components/confirmation-modal.hbs
@@ -1,47 +1,20 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
+#!/usr/bin/env bash
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
 
-{{#if @isActive}}
-  <Hds::Modal id="confirmation-modal" @onClose={{@onClose}} @color="critical" as |M|>
-    <M.Header data-test-confirmation-modal-title @icon="alert-triangle">
-      {{@title}}
-    </M.Header>
-    <M.Body>
-      {{yield}}
-      <div class="has-top-padding-m">
-        <p class="has-text-weight-semibold is-size-6">
-          Confirm
-        </p>
-        <p class="sub-text has-top-bottom-margin-xxs">Type
-          <strong>{{this.confirmText}}</strong>
-          to confirm
-          {{@toConfirmMsg}}
-        </p>
-        <Input
-          @type="text"
-          @value={{this.confirmationInput}}
-          name="confirmationInput"
-          class="input has-margin-top"
-          autocomplete="off"
-          spellcheck="false"
-          data-test-confirmation-modal-input={{@title}}
-        />
-      </div>
-    </M.Body>
-    <M.Footer>
-      <Hds::ButtonSet>
-        <Hds::Button
-          @color="critical"
-          type="button"
-          disabled={{not-eq this.confirmationInput this.confirmText}}
-          {{on "click" @onConfirm}}
-          data-test-confirm-button={{@title}}
-          @text={{or @buttonText "Confirm"}}
-        />
-        <Hds::Button @text="Cancel" @color="secondary" {{on "click" @onClose}} data-test-cancel-button />
-      </Hds::ButtonSet>
-    </M.Footer>
-  </Hds::Modal>
-{{/if}}
\ No newline at end of file
+
+set -euo pipefail
+
+PROTOC_CMD=${PROTOC_CMD:-protoc}
+PROTOC_VERSION_EXACT="$1"
+echo "==> Checking that protoc is at version $1..."
+
+PROTOC_VERSION=$($PROTOC_CMD --version | grep -o '[0-9]\+\.[0-9]\+\(\.[0-9]\+\)\?')
+
+if [ "$PROTOC_VERSION" == "$PROTOC_VERSION_EXACT" ]; then
+  echo "Using protoc version $PROTOC_VERSION"
+else
+  echo "protoc should be at $PROTOC_VERSION_EXACT; found $PROTOC_VERSION."
+  echo "If your version is higher than the version this script is looking for, updating the Makefile with the newer version."
+  exit 1
+fi
diff --git a/ui/lib/core/addon/components/copy-secret-dropdown.hbs b/ui/lib/core/addon/components/copy-secret-dropdown.hbs
index 0e50926c5e85..b09ca7a2cf7f 100644
--- a/ui/lib/core/addon/components/copy-secret-dropdown.hbs
+++ b/ui/lib/core/addon/components/copy-secret-dropdown.hbs
@@ -3,43 +3,130 @@
   SPDX-License-Identifier: BUSL-1.1
 ~}}
 
-{{! @onWrap is recommend to be a concurrency task! see <Page::Secret::Details> in KV addon for example }}
-<BasicDropdown @class="popup-menu" @horizontalPosition="auto-right" @verticalPosition="below" @onClose={{@onClose}} as |D|>
-  <D.Trigger data-test-copy-menu-trigger class="toolbar-link {{if D.isOpen 'is-active'}}" @htmlTag="button">
-    Copy
-    <Chevron @direction={{if D.isOpen "up" "down"}} @isButton={{true}} />
-  </D.Trigger>
-  <D.Content @defaultClass="popup-menu-content is-wide">
-    <nav class="box menu">
-      <ul class="menu-list">
-        <li class="action">
-          <Hds::Copy::Button
-            @text="Copy JSON"
-            @textToCopy={{@clipboardText}}
-            @isFullWidth={{true}}
-            class="in-dropdown link is-flex-start"
-            {{on "click" (action (set-flash-message "JSON Copied!"))}}
-            data-test-copy-button
-          />
-        </li>
-        <li class="action">
-          {{#if @wrappedData}}
-            <MaskedInput @class="has-padding" @displayOnly={{true}} @allowCopy={{true}} @value={{@wrappedData}} />
+<PageHeader as |p|>
+  <p.top>
+    <nav class="breadcrumb">
+      <ul>
+        <li>
+          <span class="sep">&#x0002f;</span>
+          {{#if @model.isNew}}
+            <LinkTo @route="vault.cluster.access.oidc.providers">
+              Providers
+            </LinkTo>
           {{else}}
-            {{#if @isWrapping}}
-              <LoadingDropdownOption data-test-wrap-button />
-            {{else}}
-              <Hds::Button
-                @text="Wrap secret"
-                @color="secondary"
-                class="link"
-                {{on "click" @onWrap}}
-                data-test-wrap-button
-              />
-            {{/if}}
+            <LinkTo @route="vault.cluster.access.oidc.providers.provider.details" @model={{@model.name}}>
+              Details
+            </LinkTo>
           {{/if}}
         </li>
       </ul>
     </nav>
-  </D.Content>
-</BasicDropdown>
\ No newline at end of file
+  </p.top>
+  <p.levelLeft>
+    <h1 class="title is-3" data-test-oidc-provider-title>
+      {{if @model.isNew "Create" "Edit"}}
+      Provider
+    </h1>
+  </p.levelLeft>
+</PageHeader>
+
+<form {{on "submit" (perform this.save)}} {{did-insert this.setIssuer @model}}>
+  <div class="box is-sideless is-fullwidth is-bottomless">
+    <MessageError @errorMessage={{this.errorBanner}} />
+    {{! name field }}
+    <FormField
+      data-test-field={{true}}
+      @attr={{get @model.formFields "0"}}
+      @model={{@model}}
+      @modelValidations={{this.modelValidations}}
+    />
+    {{#let (get @model.formFields "1") as |attr|}}
+      <FormFieldLabel
+        for={{attr.name}}
+        @label="Issuer"
+        @helpText={{attr.options.helpText}}
+        @subText={{attr.options.subText}}
+        @docLink={{attr.options.docLink}}
+      />
+      <Input
+        data-test-field={{true}}
+        data-test-input={{attr.name}}
+        id={{attr.name}}
+        autocomplete="off"
+        spellcheck="false"
+        @value={{@model.issuer}}
+        class="input {{if this.validationError 'has-error-border'}}"
+        placeholder={{attr.options.placeholderText}}
+      />
+    {{/let}}
+    {{! scopesSupported field }}
+    <FormField
+      data-test-field={{true}}
+      @attr={{get @model.formFields "2"}}
+      @model={{@model}}
+      @modelValidations={{this.modelValidations}}
+    />
+  </div>
+  {{! RADIO CARD + SEARCH SELECT }}
+  <div class="box is-sideless is-fullwidth is-marginless has-top-padding-xxl">
+    <h4 class="title is-4">Allowed applications</h4>
+    <div class="is-flex-row">
+      <RadioCard
+        data-test-oidc-radio="allow-all"
+        @title="Allow every application to use"
+        @description="All applications can use this provider for authentication requests."
+        @icon="globe"
+        @value="allow_all"
+        @groupValue={{this.radioCardGroupValue}}
+        @onChange={{this.handleClientSelection}}
+      />
+      <RadioCard
+        data-test-oidc-radio="limited"
+        @title="Limit access to selected application"
+        @description="Only selected applications can use this provider for authentication requests."
+        @icon="globe-private"
+        @value="limited"
+        @groupValue={{this.radioCardGroupValue}}
+        @onChange={{this.handleClientSelection}}
+      />
+    </div>
+    {{#if (eq this.radioCardGroupValue "limited")}}
+      <SearchSelect
+        @id="allowedClientIds"
+        @label="Application name"
+        @models={{array "oidc/client"}}
+        @inputValue={{@model.allowedClientIds}}
+        @onChange={{this.handleClientSelection}}
+        @disallowNewItems={{true}}
+        @fallbackComponent="string-list"
+        @passObject={{true}}
+        @objectKeys={{array "clientId"}}
+        @renderInfoTooltip={{this.renderInfoTooltip}}
+      />
+    {{/if}}
+  </div>
+  <div class="field box is-fullwidth is-bottomless">
+    <div class="control">
+      <Hds::Button
+        @text={{if @model.isNew "Create" "Update"}}
+        @icon={{if this.save.isRunning "loading"}}
+        type="submit"
+        disabled={{this.save.isRunning}}
+        data-test-oidc-provider-save
+      />
+      <Hds::Button
+        @text="Cancel"
+        @color="secondary"
+        class="has-left-margin-s"
+        disabled={{this.save.isRunning}}
+        {{on "click" this.cancel}}
+        data-test-oidc-provider-cancel
+      />
+    </div>
+    {{#if this.invalidFormAlert}}
+      <div class="control">
+        <AlertInline @type="danger" class="has-top-padding-s" @message={{this.invalidFormAlert}} />
+      </div>
+    {{/if}}
+  </div>
+</form>
\ No newline at end of file
diff --git a/ui/lib/core/addon/components/info-table-row.hbs b/ui/lib/core/addon/components/info-table-row.hbs
index 4a7d7c95b942..89cc77d9835b 100644
--- a/ui/lib/core/addon/components/info-table-row.hbs
+++ b/ui/lib/core/addon/components/info-table-row.hbs
@@ -1,111 +1,1176 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-{{#if (or (has-block) this.isVisible)}}
-  <div class="info-table-row" data-test-component="info-table-row" ...attributes>
-    <div
-      class="column {{or @labelWidth 'is-one-quarter'}} {{if this.hasLabelOverflow 'label-overflow'}}"
-      data-test-label-div
-      {{did-insert this.calculateLabelOverflow}}
-    >
-      {{#if @label}}
-        {{#if this.hasLabelOverflow}}
-          <ToolTip @verticalPosition="below" @horizontalPosition="left" as |T|>
-            <T.Trigger @tabindex={{false}}>
-              <span class="is-label has-text-grey-dark" data-test-row-label={{@label}}>{{@label}}</span>
-            </T.Trigger>
-            <T.Content @defaultClass="tool-tip">
-              <div class="box fit-content" data-test-label-tooltip>
-                {{@label}}
-              </div>
-            </T.Content>
-          </ToolTip>
-        {{else}}
-          <span class="is-label has-text-grey-dark" data-test-row-label={{@label}}>{{@label}}</span>
-        {{/if}}
-        {{#if @helperText}}
-          <div>
-            <span class="is-label helper-text has-text-grey">{{@helperText}}</span>
-          </div>
-        {{/if}}
-      {{else}}
-        <Icon @name="minus" />
-      {{/if}}
-    </div>
-    <div class="column is-flex-center {{if @truncateValue 'is-two-thirds'}}" data-test-value-div={{@label}}>
-      {{#if @addCopyButton}}
-        <Hds::Copy::Button
-          @text="Copy"
-          @isIconOnly={{true}}
-          @textToCopy={{@value}}
-          class="transparent has-padding-xxs"
-          data-test-copy-button
-        />
-      {{/if}}
-      {{#if (has-block)}}
-        {{yield}}
-      {{else if this.valueIsBoolean}}
-        {{#if @value}}
-          <Icon class="icon-true" @name="check-circle" data-test-boolean-true />
-          Yes
-        {{else}}
-          <Icon @name="x-square" class="icon-false" data-test-boolean-false />
-          No
-        {{/if}}
-        {{! @alwaysRender (this.isVisible) is still true }}
-      {{else if this.valueIsEmpty}}
-        {{#if @defaultShown}}
-          <span data-test-row-value={{@label}}>{{@defaultShown}}</span>
-        {{else}}
-          <Icon @name="minus" />
-        {{/if}}
-      {{else if @formatDate}}
-        {{date-format @value @formatDate}}
-      {{else if @formatTtl}}
-        {{format-duration @value}}
-      {{else}}
-        {{#if (eq @type "array")}}
-          <InfoTableItemArray
-            @label={{@label}}
-            @backend={{@backend}}
-            @displayArray={{@value}}
-            @isLink={{@isLink}}
-            @modelType={{@modelType}}
-            @queryParam={{@queryParam}}
-            @wildcardLabel={{@wildcardLabel}}
-            @rootRoute={{@rootRoute}}
-            @itemRoute={{@itemRoute}}
-            @doNotTruncate={{@doNotTruncate}}
-            @renderItemName={{@renderItemName}}
-          />
-        {{else}}
-          {{#if @tooltipText}}
-            <ToolTip @verticalPosition="above" @horizontalPosition="left" as |T|>
-              <T.Trigger @tabindex={{false}}>
-                <span class="is-word-break has-text-black" data-test-row-value={{@label}}>{{@value}}</span>
-              </T.Trigger>
-              <T.Content @defaultClass="tool-tip">
-                <div class="box is-flex-center">
-                  {{@tooltipText}}
-                  {{#if @isTooltipCopyable}}
-                    <Hds::Copy::Button
-                      @text="Copy"
-                      @isIconOnly={{true}}
-                      @textToCopy={{@tooltipText}}
-                      class="transparent white-icon"
-                      data-test-tooltip-copy
-                    />
-                  {{/if}}
-                </div>
-              </T.Content>
-            </ToolTip>
-          {{else}}
-            <span class="is-word-break has-text-black" data-test-row-value={{@label}}>{{@value}}</span>
-          {{/if}}
-        {{/if}}
-      {{/if}}
-    </div>
-  </div>
-{{/if}}
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"context"
+	"crypto/tls"
+	"flag"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"os"
+	"sort"
+	"strings"
+	"sync"
+	"time"
+
+	systemd "github.com/coreos/go-systemd/daemon"
+	"github.com/hashicorp/cli"
+	ctconfig "github.com/hashicorp/consul-template/config"
+	log "github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/go-secure-stdlib/gatedwriter"
+	"github.com/hashicorp/go-secure-stdlib/parseutil"
+	"github.com/hashicorp/go-secure-stdlib/reloadutil"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/command/agentproxyshared"
+	"github.com/hashicorp/vault/command/agentproxyshared/auth"
+	"github.com/hashicorp/vault/command/agentproxyshared/cache"
+	"github.com/hashicorp/vault/command/agentproxyshared/sink"
+	"github.com/hashicorp/vault/command/agentproxyshared/sink/file"
+	"github.com/hashicorp/vault/command/agentproxyshared/sink/inmem"
+	"github.com/hashicorp/vault/command/agentproxyshared/winsvc"
+	proxyConfig "github.com/hashicorp/vault/command/proxy/config"
+	"github.com/hashicorp/vault/helper/logging"
+	"github.com/hashicorp/vault/helper/metricsutil"
+	"github.com/hashicorp/vault/helper/useragent"
+	"github.com/hashicorp/vault/internalshared/configutil"
+	"github.com/hashicorp/vault/internalshared/listenerutil"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/version"
+	"github.com/kr/pretty"
+	"github.com/oklog/run"
+	"github.com/posener/complete"
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
+	"google.golang.org/grpc/test/bufconn"
+)
+
+var (
+	_ cli.Command             = (*ProxyCommand)(nil)
+	_ cli.CommandAutocomplete = (*ProxyCommand)(nil)
+)
+
+const (
+	// flagNameProxyExitAfterAuth is used as a Proxy specific flag to indicate
+	// that proxy should exit after a single successful auth
+	flagNameProxyExitAfterAuth = "exit-after-auth"
+	nameProxy                  = "proxy"
+)
+
+type ProxyCommand struct {
+	*BaseCommand
+	logFlags logFlags
+
+	config *proxyConfig.Config
+
+	ShutdownCh chan struct{}
+	SighupCh   chan struct{}
+
+	tlsReloadFuncsLock sync.RWMutex
+	tlsReloadFuncs     []reloadutil.ReloadFunc
+
+	logWriter io.Writer
+	logGate   *gatedwriter.Writer
+	logger    log.Logger
+
+	// Telemetry object
+	metricsHelper *metricsutil.MetricsHelper
+
+	cleanupGuard sync.Once
+
+	startedCh  chan struct{} // for tests
+	reloadedCh chan struct{} // for tests
+
+	flagConfigs        []string
+	flagExitAfterAuth  bool
+	flagTestVerifyOnly bool
+}
+
+func (c *ProxyCommand) Synopsis() string {
+	return "Start a Vault Proxy"
+}
+
+func (c *ProxyCommand) Help() string {
+	helpText := `
+Usage: vault proxy [options]
+
+  This command starts a Vault Proxy that can perform automatic authentication
+  in certain environments.
+
+  Start a proxy with a configuration file:
+
+      $ vault proxy -config=/etc/vault/config.hcl
+
+  For a full list of examples, please see the documentation.
+
+` + c.Flags().Help()
+	return strings.TrimSpace(helpText)
+}
+
+func (c *ProxyCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP)
+
+	f := set.NewFlagSet("Command Options")
+
+	// Augment with the log flags
+	f.addLogFlags(&c.logFlags)
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   "config",
+		Target: &c.flagConfigs,
+		Completion: complete.PredictOr(
+			complete.PredictFiles("*.hcl"),
+			complete.PredictFiles("*.json"),
+		),
+		Usage: "Path to a configuration file. This configuration file should " +
+			"contain only proxy directives.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    flagNameProxyExitAfterAuth,
+		Target:  &c.flagExitAfterAuth,
+		Default: false,
+		Usage: "If set to true, the proxy will exit with code 0 after a single " +
+			"successful auth, where success means that a token was retrieved and " +
+			"all sinks successfully wrote it",
+	})
+
+	// Internal-only flags to follow.
+	//
+	// Why hello there little source code reader! Welcome to the Vault source
+	// code. The remaining options are intentionally undocumented and come with
+	// no warranty or backwards-compatibility promise. Do not use these flags
+	// in production. Do not build automation using these flags. Unless you are
+	// developing against Vault, you should not need any of these flags.
+	f.BoolVar(&BoolVar{
+		Name:    "test-verify-only",
+		Target:  &c.flagTestVerifyOnly,
+		Default: false,
+		Hidden:  true,
+	})
+
+	// End internal-only flags.
+
+	return set
+}
+
+func (c *ProxyCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictNothing
+}
+
+func (c *ProxyCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *ProxyCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	// Create a logger. We wrap it in a gated writer so that it doesn't
+	// start logging too early.
+	c.logGate = gatedwriter.NewWriter(os.Stderr)
+	c.logWriter = c.logGate
+
+	if c.logFlags.flagCombineLogs {
+		c.logWriter = os.Stdout
+	}
+
+	// Validation
+	if len(c.flagConfigs) < 1 {
+		c.UI.Error("Must specify exactly at least one config path using -config")
+		return 1
+	}
+
+	config, err := c.loadConfig(c.flagConfigs)
+	if err != nil {
+		c.outputErrors(err)
+		return 1
+	}
+
+	if config.AutoAuth == nil {
+		c.UI.Info("No auto_auth block found in config, the automatic authentication feature will not be started")
+	}
+
+	c.applyConfigOverrides(f, config) // This only needs to happen on start-up to aggregate config from flags and env vars
+	c.config = config
+
+	l, err := c.newLogger()
+	if err != nil {
+		c.outputErrors(err)
+		return 1
+	}
+	c.logger = l
+
+	infoKeys := make([]string, 0, 10)
+	info := make(map[string]string)
+	info["log level"] = config.LogLevel
+	infoKeys = append(infoKeys, "log level")
+
+	infoKeys = append(infoKeys, "version")
+	verInfo := version.GetVersion()
+	info["version"] = verInfo.FullVersionNumber(false)
+	if verInfo.Revision != "" {
+		info["version sha"] = strings.Trim(verInfo.Revision, "'")
+		infoKeys = append(infoKeys, "version sha")
+	}
+	infoKeys = append(infoKeys, "cgo")
+	info["cgo"] = "disabled"
+	if version.CgoEnabled {
+		info["cgo"] = "enabled"
+	}
+
+	// Tests might not want to start a vault server and just want to verify
+	// the configuration.
+	if c.flagTestVerifyOnly {
+		if os.Getenv("VAULT_TEST_VERIFY_ONLY_DUMP_CONFIG") != "" {
+			c.UI.Output(fmt.Sprintf(
+				"\nConfiguration:\n%s\n",
+				pretty.Sprint(*c.config)))
+		}
+		return 0
+	}
+
+	// Ignore any setting of Agent/Proxy's address. This client is used by the Proxy
+	// to reach out to Vault. This should never loop back to the proxy.
+	c.flagAgentProxyAddress = ""
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(fmt.Sprintf(
+			"Error fetching client: %v",
+			err))
+		return 1
+	}
+
+	serverHealth, err := client.Sys().Health()
+	// We don't have any special behaviour if the error != nil, as this
+	// is not worth stopping the Proxy process over.
+	if err == nil {
+		// Note that we don't exit if the versions don't match, as this is a valid
+		// configuration, but we should still let the user know.
+		serverVersion := serverHealth.Version
+		proxyVersion := version.GetVersion().VersionNumber()
+		if serverVersion != proxyVersion {
+			c.UI.Info("==> Note: Vault Proxy version does not match Vault server version. " +
+				fmt.Sprintf("Vault Proxy version: %s, Vault server version: %s", proxyVersion, serverVersion))
+		}
+	}
+
+	// telemetry configuration
+	inmemMetrics, _, prometheusEnabled, err := configutil.SetupTelemetry(&configutil.SetupTelemetryOpts{
+		Config:      config.Telemetry,
+		Ui:          c.UI,
+		ServiceName: "vault",
+		DisplayName: "Vault",
+		UserAgent:   useragent.ProxyString(),
+		ClusterName: config.ClusterName,
+	})
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error initializing telemetry: %s", err))
+		return 1
+	}
+	c.metricsHelper = metricsutil.NewMetricsHelper(inmemMetrics, prometheusEnabled)
+
+	var method auth.AuthMethod
+	var sinks []*sink.SinkConfig
+	if config.AutoAuth != nil {
+		if client.Headers().Get(consts.NamespaceHeaderName) == "" && config.AutoAuth.Method.Namespace != "" {
+			client.SetNamespace(config.AutoAuth.Method.Namespace)
+		}
+
+		sinkClient, err := client.CloneWithHeaders()
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error cloning client for file sink: %v", err))
+			return 1
+		}
+
+		if config.DisableIdleConnsAutoAuth {
+			sinkClient.SetMaxIdleConnections(-1)
+		}
+
+		if config.DisableKeepAlivesAutoAuth {
+			sinkClient.SetDisableKeepAlives(true)
+		}
+
+		for _, sc := range config.AutoAuth.Sinks {
+			switch sc.Type {
+			case "file":
+				config := &sink.SinkConfig{
+					Logger:    c.logger.Named("sink.file"),
+					Config:    sc.Config,
+					Client:    sinkClient,
+					WrapTTL:   sc.WrapTTL,
+					DHType:    sc.DHType,
+					DeriveKey: sc.DeriveKey,
+					DHPath:    sc.DHPath,
+					AAD:       sc.AAD,
+				}
+				s, err := file.NewFileSink(config)
+				if err != nil {
+					c.UI.Error(fmt.Errorf("error creating file sink: %w", err).Error())
+					return 1
+				}
+				config.Sink = s
+				sinks = append(sinks, config)
+			default:
+				c.UI.Error(fmt.Sprintf("Unknown sink type %q", sc.Type))
+				return 1
+			}
+		}
+
+		authConfig := &auth.AuthConfig{
+			Logger:    c.logger.Named(fmt.Sprintf("auth.%s", config.AutoAuth.Method.Type)),
+			MountPath: config.AutoAuth.Method.MountPath,
+			Config:    config.AutoAuth.Method.Config,
+		}
+		method, err = agentproxyshared.GetAutoAuthMethodFromConfig(config.AutoAuth.Method.Type, authConfig, config.Vault.Address)
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error creating %s auth method: %v", config.AutoAuth.Method.Type, err))
+			return 1
+		}
+	}
+
+	// We do this after auto-auth has been configured, because we don't want to
+	// confuse the issue of retries for auth failures which have their own
+	// config and are handled a bit differently.
+	if os.Getenv(api.EnvVaultMaxRetries) == "" {
+		client.SetMaxRetries(ctconfig.DefaultRetryAttempts)
+		if config.Vault != nil {
+			if config.Vault.Retry != nil {
+				client.SetMaxRetries(config.Vault.Retry.NumRetries)
+			}
+		}
+	}
+
+	enforceConsistency := cache.EnforceConsistencyNever
+	whenInconsistent := cache.WhenInconsistentFail
+	if config.APIProxy != nil {
+		switch config.APIProxy.EnforceConsistency {
+		case "always":
+			enforceConsistency = cache.EnforceConsistencyAlways
+		case "never", "":
+		default:
+			c.UI.Error(fmt.Sprintf("Unknown api_proxy setting for enforce_consistency: %q", config.APIProxy.EnforceConsistency))
+			return 1
+		}
+
+		switch config.APIProxy.WhenInconsistent {
+		case "retry":
+			whenInconsistent = cache.WhenInconsistentRetry
+		case "forward":
+			whenInconsistent = cache.WhenInconsistentForward
+		case "fail", "":
+		default:
+			c.UI.Error(fmt.Sprintf("Unknown api_proxy setting for when_inconsistent: %q", config.APIProxy.WhenInconsistent))
+			return 1
+		}
+	}
+
+	// Warn if cache _and_ cert auto-auth is enabled but certificates were not
+	// provided in the auto_auth.method["cert"].config stanza.
+	if config.Cache != nil && (config.AutoAuth != nil && config.AutoAuth.Method != nil && config.AutoAuth.Method.Type == "cert") {
+		_, okCertFile := config.AutoAuth.Method.Config["client_cert"]
+		_, okCertKey := config.AutoAuth.Method.Config["client_key"]
+
+		// If neither of these exists in the cert stanza, proxy will use the
+		// certs from the vault stanza.
+		if !okCertFile && !okCertKey {
+			c.UI.Warn(wrapAtLength("WARNING! Cache is enabled and using the same certificates " +
+				"from the 'cert' auto-auth method specified in the 'vault' stanza. Consider " +
+				"specifying certificate information in the 'cert' auto-auth's config stanza."))
+		}
+
+	}
+
+	// Output the header that the proxy has started
+	if !c.logFlags.flagCombineLogs {
+		c.UI.Output("==> Vault Proxy started! Log data will stream in below:\n")
+	}
+
+	var leaseCache *cache.LeaseCache
+	var previousToken string
+
+	proxyClient, err := client.CloneWithHeaders()
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error cloning client for proxying: %v", err))
+		return 1
+	}
+
+	if config.DisableIdleConnsAPIProxy {
+		proxyClient.SetMaxIdleConnections(-1)
+	}
+
+	if config.DisableKeepAlivesAPIProxy {
+		proxyClient.SetDisableKeepAlives(true)
+	}
+
+	apiProxyLogger := c.logger.Named("apiproxy")
+
+	// The API proxy to be used, if listeners are configured
+	apiProxy, err := cache.NewAPIProxy(&cache.APIProxyConfig{
+		Client:                  proxyClient,
+		Logger:                  apiProxyLogger,
+		EnforceConsistency:      enforceConsistency,
+		WhenInconsistentAction:  whenInconsistent,
+		UserAgentStringFunction: useragent.ProxyStringWithProxiedUserAgent,
+		UserAgentString:         useragent.ProxyAPIProxyString(),
+	})
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error creating API proxy: %v", err))
+		return 1
+	}
+
+	// ctx and cancelFunc are passed to the AuthHandler, SinkServer,
+	// and other subsystems, so that they can listen for ctx.Done() to
+	// fire and shut down accordingly.
+	ctx, cancelFunc := context.WithCancel(context.Background())
+	defer cancelFunc()
+
+	var updater *cache.StaticSecretCacheUpdater
+
+	// Parse proxy cache configurations
+	if config.Cache != nil {
+		cacheLogger := c.logger.Named("cache")
+
+		// Create the lease cache proxier and set its underlying proxier to
+		// the API proxier.
+		leaseCache, err = cache.NewLeaseCache(&cache.LeaseCacheConfig{
+			Client:             proxyClient,
+			BaseContext:        ctx,
+			Proxier:            apiProxy,
+			Logger:             cacheLogger.Named("leasecache"),
+			CacheStaticSecrets: config.Cache.CacheStaticSecrets,
+			// dynamic secrets are configured as default-on to preserve backwards compatibility
+			CacheDynamicSecrets: !config.Cache.DisableCachingDynamicSecrets,
+			UserAgentToUse:      useragent.AgentProxyString(),
+		})
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error creating lease cache: %v", err))
+			return 1
+		}
+
+		cacheLogger.Info("cache configured", "cache_static_secrets", config.Cache.CacheStaticSecrets, "disable_caching_dynamic_secrets", config.Cache.DisableCachingDynamicSecrets)
+
+		// Configure persistent storage and add to LeaseCache
+		if config.Cache.Persist != nil {
+			deferFunc, oldToken, err := agentproxyshared.AddPersistentStorageToLeaseCache(ctx, leaseCache, config.Cache.Persist, cacheLogger)
+			if err != nil {
+				c.UI.Error(fmt.Sprintf("Error creating persistent cache: %v", err))
+				return 1
+			}
+			previousToken = oldToken
+			if deferFunc != nil {
+				defer deferFunc()
+			}
+		}
+
+		// If we're caching static secrets, we need to start the updater, too
+		if config.Cache.CacheStaticSecrets {
+			staticSecretCacheUpdaterLogger := c.logger.Named("cache.staticsecretcacheupdater")
+			inmemSink, err := inmem.New(&sink.SinkConfig{
+				Logger: staticSecretCacheUpdaterLogger,
+			}, leaseCache)
+			if err != nil {
+				c.UI.Error(fmt.Sprintf("Error creating inmem sink for static secret updater susbsystem: %v", err))
+				return 1
+			}
+			sinks = append(sinks, &sink.SinkConfig{
+				Logger: staticSecretCacheUpdaterLogger,
+				Sink:   inmemSink,
+			})
+
+			updater, err = cache.NewStaticSecretCacheUpdater(&cache.StaticSecretCacheUpdaterConfig{
+				Client:     client,
+				LeaseCache: leaseCache,
+				Logger:     staticSecretCacheUpdaterLogger,
+				TokenSink:  inmemSink,
+			})
+			if err != nil {
+				c.UI.Error(fmt.Sprintf("Error creating static secret cache updater: %v", err))
+				return 1
+			}
+
+			capabilityManager, err := cache.NewStaticSecretCapabilityManager(&cache.StaticSecretCapabilityManagerConfig{
+				LeaseCache: leaseCache,
+				Logger:     c.logger.Named("cache.staticsecretcapabilitymanager"),
+				Client:     client,
+				StaticSecretTokenCapabilityRefreshInterval: config.Cache.StaticSecretTokenCapabilityRefreshInterval,
+			})
+			if err != nil {
+				c.UI.Error(fmt.Sprintf("Error creating static secret capability manager: %v", err))
+				return 1
+			}
+			leaseCache.SetCapabilityManager(capabilityManager)
+		}
+	}
+
+	var listeners []net.Listener
+
+	// Ensure we've added all the reload funcs for TLS before anyone triggers a reload.
+	c.tlsReloadFuncsLock.Lock()
+
+	for i, lnConfig := range config.Listeners {
+		var ln net.Listener
+		var tlsCfg *tls.Config
+
+		if lnConfig.Type == listenerutil.BufConnType {
+			inProcListener := bufconn.Listen(1024 * 1024)
+			if config.Cache != nil {
+				config.Cache.InProcDialer = listenerutil.NewBufConnWrapper(inProcListener)
+			}
+			ln = inProcListener
+		} else {
+			lnBundle, err := cache.StartListener(lnConfig)
+			if err != nil {
+				c.UI.Error(fmt.Sprintf("Error starting listener: %v", err))
+				return 1
+			}
+
+			tlsCfg = lnBundle.TLSConfig
+			ln = lnBundle.Listener
+
+			// Track the reload func, so we can reload later if needed.
+			c.tlsReloadFuncs = append(c.tlsReloadFuncs, lnBundle.TLSReloadFunc)
+		}
+
+		listeners = append(listeners, ln)
+
+		proxyVaultToken := true
+		var inmemSink sink.Sink
+		if config.APIProxy != nil {
+			if config.APIProxy.UseAutoAuthToken {
+				apiProxyLogger.Debug("configuring inmem auto-auth sink")
+				inmemSink, err = inmem.New(&sink.SinkConfig{
+					Logger: apiProxyLogger,
+				}, leaseCache)
+				if err != nil {
+					c.UI.Error(fmt.Sprintf("Error creating inmem sink for cache: %v", err))
+					return 1
+				}
+				sinks = append(sinks, &sink.SinkConfig{
+					Logger: apiProxyLogger,
+					Sink:   inmemSink,
+				})
+			}
+			proxyVaultToken = !config.APIProxy.ForceAutoAuthToken
+		}
+
+		var muxHandler http.Handler
+		if leaseCache != nil {
+			muxHandler = cache.ProxyHandler(ctx, apiProxyLogger, leaseCache, inmemSink, proxyVaultToken)
+		} else {
+			muxHandler = cache.ProxyHandler(ctx, apiProxyLogger, apiProxy, inmemSink, proxyVaultToken)
+		}
+
+		// Parse 'require_request_header' listener config option, and wrap
+		// the request handler if necessary
+		if lnConfig.RequireRequestHeader && ("metrics_only" != lnConfig.Role) {
+			muxHandler = verifyRequestHeader(muxHandler)
+		}
+
+		// Create a muxer and add paths relevant for the lease cache layer
+		mux := http.NewServeMux()
+		quitEnabled := lnConfig.ProxyAPI != nil && lnConfig.ProxyAPI.EnableQuit
+
+		mux.Handle(consts.ProxyPathMetrics, c.handleMetrics())
+		if "metrics_only" != lnConfig.Role {
+			mux.Handle(consts.ProxyPathCacheClear, leaseCache.HandleCacheClear(ctx))
+			mux.Handle(consts.ProxyPathQuit, c.handleQuit(quitEnabled))
+			mux.Handle("/", muxHandler)
+		}
+
+		scheme := "https://"
+		if tlsCfg == nil {
+			scheme = "http://"
+		}
+		if ln.Addr().Network() == "unix" {
+			scheme = "unix://"
+		}
+
+		infoKey := fmt.Sprintf("api address %d", i+1)
+		info[infoKey] = scheme + ln.Addr().String()
+		infoKeys = append(infoKeys, infoKey)
+
+		server := &http.Server{
+			Addr:              ln.Addr().String(),
+			TLSConfig:         tlsCfg,
+			Handler:           mux,
+			ReadHeaderTimeout: 10 * time.Second,
+			ReadTimeout:       30 * time.Second,
+			IdleTimeout:       5 * time.Minute,
+			ErrorLog:          apiProxyLogger.StandardLogger(nil),
+		}
+
+		go server.Serve(ln)
+	}
+
+	c.tlsReloadFuncsLock.Unlock()
+
+	// Ensure that listeners are closed at all the exits
+	listenerCloseFunc := func() {
+		for _, ln := range listeners {
+			ln.Close()
+		}
+	}
+	defer c.cleanupGuard.Do(listenerCloseFunc)
+
+	// Inform any tests that the server is ready
+	if c.startedCh != nil {
+		close(c.startedCh)
+	}
+
+	var g run.Group
+
+	g.Add(func() error {
+		for {
+			select {
+			case <-c.SighupCh:
+				c.UI.Output("==> Vault Proxy config reload triggered")
+				err := c.reloadConfig(c.flagConfigs)
+				if err != nil {
+					c.outputErrors(err)
+				}
+				// Send the 'reloaded' message on the relevant channel
+				select {
+				case c.reloadedCh <- struct{}{}:
+				default:
+				}
+			case <-ctx.Done():
+				return nil
+			}
+		}
+	}, func(error) {
+		cancelFunc()
+	})
+
+	// This run group watches for signal termination
+	g.Add(func() error {
+		for {
+			select {
+			case <-c.ShutdownCh:
+				c.UI.Output("==> Vault Proxy shutdown triggered")
+				// Notify systemd that the server is shutting down
+				// Let the lease cache know this is a shutdown; no need to evict everything
+				if leaseCache != nil {
+					leaseCache.SetShuttingDown(true)
+				}
+				return nil
+			case <-ctx.Done():
+				return nil
+			case <-winsvc.ShutdownChannel():
+				return nil
+			}
+		}
+	}, func(error) {})
+
+	// Start auto-auth and sink servers
+	if method != nil {
+		// Auth Handler is going to set its own retry values, so we want to
+		// work on a copy of the client to not affect other subsystems.
+		ahClient, err := c.client.CloneWithHeaders()
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error cloning client for auth handler: %v", err))
+			return 1
+		}
+
+		if config.DisableIdleConnsAutoAuth {
+			ahClient.SetMaxIdleConnections(-1)
+		}
+
+		if config.DisableKeepAlivesAutoAuth {
+			ahClient.SetDisableKeepAlives(true)
+		}
+
+		ah := auth.NewAuthHandler(&auth.AuthHandlerConfig{
+			Logger:                       c.logger.Named("auth.handler"),
+			Client:                       ahClient,
+			WrapTTL:                      config.AutoAuth.Method.WrapTTL,
+			MinBackoff:                   config.AutoAuth.Method.MinBackoff,
+			MaxBackoff:                   config.AutoAuth.Method.MaxBackoff,
+			EnableReauthOnNewCredentials: config.AutoAuth.EnableReauthOnNewCredentials,
+			Token:                        previousToken,
+			ExitOnError:                  config.AutoAuth.Method.ExitOnError,
+			UserAgent:                    useragent.ProxyAutoAuthString(),
+			MetricsSignifier:             "proxy",
+		})
+
+		ss := sink.NewSinkServer(&sink.SinkServerConfig{
+			Logger:        c.logger.Named("sink.server"),
+			Client:        ahClient,
+			ExitAfterAuth: config.ExitAfterAuth,
+		})
+
+		g.Add(func() error {
+			return ah.Run(ctx, method)
+		}, func(error) {
+			// Let the lease cache know this is a shutdown; no need to evict
+			// everything
+			if leaseCache != nil {
+				leaseCache.SetShuttingDown(true)
+			}
+			cancelFunc()
+		})
+
+		g.Add(func() error {
+			err := ss.Run(ctx, ah.OutputCh, sinks)
+			c.logger.Info("sinks finished, exiting")
+
+			// Start goroutine to drain from ah.OutputCh from this point onward
+			// to prevent ah.Run from being blocked.
+			go func() {
+				for {
+					select {
+					case <-ctx.Done():
+						return
+					case <-ah.OutputCh:
+					}
+				}
+			}()
+
+			return err
+		}, func(error) {
+			// Let the lease cache know this is a shutdown; no need to evict
+			// everything
+			if leaseCache != nil {
+				leaseCache.SetShuttingDown(true)
+			}
+			cancelFunc()
+		})
+	}
+
+	// Add the static secret cache updater, if appropriate
+	if updater != nil {
+		g.Add(func() error {
+			err := updater.Run(ctx)
+			return err
+		}, func(error) {
+			cancelFunc()
+		})
+	}
+
+	// Server configuration output
+	padding := 24
+	sort.Strings(infoKeys)
+	caser := cases.Title(language.English)
+	c.UI.Output("==> Vault Proxy configuration:\n")
+	for _, k := range infoKeys {
+		c.UI.Output(fmt.Sprintf(
+			"%s%s: %s",
+			strings.Repeat(" ", padding-len(k)),
+			caser.String(k),
+			info[k]))
+	}
+	c.UI.Output("")
+
+	// Release the log gate.
+	c.logGate.Flush()
+
+	// Write out the PID to the file now that server has successfully started
+	if err := c.storePidFile(config.PidFile); err != nil {
+		c.UI.Error(fmt.Sprintf("Error storing PID: %s", err))
+		return 1
+	}
+
+	// Notify systemd that the server is ready (if applicable)
+	c.notifySystemd(systemd.SdNotifyReady)
+
+	defer func() {
+		if err := c.removePidFile(config.PidFile); err != nil {
+			c.UI.Error(fmt.Sprintf("Error deleting the PID file: %s", err))
+		}
+	}()
+
+	var exitCode int
+	if err := g.Run(); err != nil {
+		c.logger.Error("runtime error encountered", "error", err)
+		c.UI.Error("Error encountered during run, refer to logs for more details.")
+		exitCode = 1
+	}
+	c.notifySystemd(systemd.SdNotifyStopping)
+	return exitCode
+}
+
+// applyConfigOverrides ensures that the config object accurately reflects the desired
+// settings as configured by the user. It applies the relevant config setting based
+// on the precedence (env var overrides file config, cli overrides env var).
+// It mutates the config object supplied.
+func (c *ProxyCommand) applyConfigOverrides(f *FlagSets, config *proxyConfig.Config) {
+	if config.Vault == nil {
+		config.Vault = &proxyConfig.Vault{}
+	}
+
+	f.applyLogConfigOverrides(config.SharedConfig)
+
+	f.Visit(func(fl *flag.Flag) {
+		if fl.Name == flagNameProxyExitAfterAuth {
+			config.ExitAfterAuth = c.flagExitAfterAuth
+		}
+	})
+
+	c.setStringFlag(f, config.Vault.Address, &StringVar{
+		Name:    flagNameAddress,
+		Target:  &c.flagAddress,
+		Default: "https://127.0.0.1:8200",
+		EnvVar:  api.EnvVaultAddress,
+	})
+	config.Vault.Address = c.flagAddress
+	c.setStringFlag(f, config.Vault.CACert, &StringVar{
+		Name:    flagNameCACert,
+		Target:  &c.flagCACert,
+		Default: "",
+		EnvVar:  api.EnvVaultCACert,
+	})
+	config.Vault.CACert = c.flagCACert
+	c.setStringFlag(f, config.Vault.CAPath, &StringVar{
+		Name:    flagNameCAPath,
+		Target:  &c.flagCAPath,
+		Default: "",
+		EnvVar:  api.EnvVaultCAPath,
+	})
+	config.Vault.CAPath = c.flagCAPath
+	c.setStringFlag(f, config.Vault.ClientCert, &StringVar{
+		Name:    flagNameClientCert,
+		Target:  &c.flagClientCert,
+		Default: "",
+		EnvVar:  api.EnvVaultClientCert,
+	})
+	config.Vault.ClientCert = c.flagClientCert
+	c.setStringFlag(f, config.Vault.ClientKey, &StringVar{
+		Name:    flagNameClientKey,
+		Target:  &c.flagClientKey,
+		Default: "",
+		EnvVar:  api.EnvVaultClientKey,
+	})
+	config.Vault.ClientKey = c.flagClientKey
+	c.setBoolFlag(f, config.Vault.TLSSkipVerify, &BoolVar{
+		Name:    flagNameTLSSkipVerify,
+		Target:  &c.flagTLSSkipVerify,
+		Default: false,
+		EnvVar:  api.EnvVaultSkipVerify,
+	})
+	config.Vault.TLSSkipVerify = c.flagTLSSkipVerify
+	c.setStringFlag(f, config.Vault.TLSServerName, &StringVar{
+		Name:    flagTLSServerName,
+		Target:  &c.flagTLSServerName,
+		Default: "",
+		EnvVar:  api.EnvVaultTLSServerName,
+	})
+	config.Vault.TLSServerName = c.flagTLSServerName
+}
+
+func (c *ProxyCommand) notifySystemd(status string) {
+	sent, err := systemd.SdNotify(false, status)
+	if err != nil {
+		c.logger.Error("error notifying systemd", "error", err)
+	} else {
+		if sent {
+			c.logger.Debug("sent systemd notification", "notification", status)
+		} else {
+			c.logger.Debug("would have sent systemd notification (systemd not present)", "notification", status)
+		}
+	}
+}
+
+func (c *ProxyCommand) setStringFlag(f *FlagSets, configVal string, fVar *StringVar) {
+	var isFlagSet bool
+	f.Visit(func(f *flag.Flag) {
+		if f.Name == fVar.Name {
+			isFlagSet = true
+		}
+	})
+
+	flagEnvValue, flagEnvSet := os.LookupEnv(fVar.EnvVar)
+	switch {
+	case isFlagSet:
+		// Don't do anything as the flag is already set from the command line
+	case flagEnvSet:
+		// Use value from env var
+		*fVar.Target = flagEnvValue
+	case configVal != "":
+		// Use value from config
+		*fVar.Target = configVal
+	default:
+		// Use the default value
+		*fVar.Target = fVar.Default
+	}
+}
+
+func (c *ProxyCommand) setBoolFlag(f *FlagSets, configVal bool, fVar *BoolVar) {
+	var isFlagSet bool
+	f.Visit(func(f *flag.Flag) {
+		if f.Name == fVar.Name {
+			isFlagSet = true
+		}
+	})
+
+	flagEnvValue, flagEnvSet := os.LookupEnv(fVar.EnvVar)
+	switch {
+	case isFlagSet:
+		// Don't do anything as the flag is already set from the command line
+	case flagEnvSet:
+		// Use value from env var
+		*fVar.Target = flagEnvValue != ""
+	case configVal:
+		// Use value from config
+		*fVar.Target = configVal
+	default:
+		// Use the default value
+		*fVar.Target = fVar.Default
+	}
+}
+
+// storePidFile is used to write out our PID to a file if necessary
+func (c *ProxyCommand) storePidFile(pidPath string) error {
+	// Quit fast if no pidfile
+	if pidPath == "" {
+		return nil
+	}
+
+	// Open the PID file
+	pidFile, err := os.OpenFile(pidPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600)
+	if err != nil {
+		return fmt.Errorf("could not open pid file: %w", err)
+	}
+	defer pidFile.Close()
+
+	// Write out the PID
+	pid := os.Getpid()
+	_, err = pidFile.WriteString(fmt.Sprintf("%d", pid))
+	if err != nil {
+		return fmt.Errorf("could not write to pid file: %w", err)
+	}
+	return nil
+}
+
+// removePidFile is used to cleanup the PID file if necessary
+func (c *ProxyCommand) removePidFile(pidPath string) error {
+	if pidPath == "" {
+		return nil
+	}
+	return os.Remove(pidPath)
+}
+
+func (c *ProxyCommand) handleMetrics() http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodGet {
+			logical.RespondError(w, http.StatusMethodNotAllowed, nil)
+			return
+		}
+
+		if err := r.ParseForm(); err != nil {
+			logical.RespondError(w, http.StatusBadRequest, err)
+			return
+		}
+
+		format := r.Form.Get("format")
+		if format == "" {
+			format = metricsutil.FormatFromRequest(&logical.Request{
+				Headers: r.Header,
+			})
+		}
+
+		resp := c.metricsHelper.ResponseForFormat(format)
+
+		status := resp.Data[logical.HTTPStatusCode].(int)
+		w.Header().Set("Content-Type", resp.Data[logical.HTTPContentType].(string))
+		switch v := resp.Data[logical.HTTPRawBody].(type) {
+		case string:
+			w.WriteHeader(status)
+			w.Write([]byte(v))
+		case []byte:
+			w.WriteHeader(status)
+			w.Write(v)
+		default:
+			logical.RespondError(w, http.StatusInternalServerError, fmt.Errorf("wrong response returned"))
+		}
+	})
+}
+
+func (c *ProxyCommand) handleQuit(enabled bool) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if !enabled {
+			w.WriteHeader(http.StatusNotFound)
+			return
+		}
+
+		switch r.Method {
+		case http.MethodPost:
+		default:
+			w.WriteHeader(http.StatusMethodNotAllowed)
+			return
+		}
+
+		c.logger.Debug("received quit request")
+		close(c.ShutdownCh)
+	})
+}
+
+// newLogger creates a logger based on parsed config field on the Proxy Command struct.
+func (c *ProxyCommand) newLogger() (log.InterceptLogger, error) {
+	if c.config == nil {
+		return nil, fmt.Errorf("cannot create logger, no config")
+	}
+
+	var errors error
+
+	// Parse all the log related config
+	logLevel, err := logging.ParseLogLevel(c.config.LogLevel)
+	if err != nil {
+		errors = multierror.Append(errors, err)
+	}
+
+	logFormat, err := logging.ParseLogFormat(c.config.LogFormat)
+	if err != nil {
+		errors = multierror.Append(errors, err)
+	}
+
+	logRotateDuration, err := parseutil.ParseDurationSecond(c.config.LogRotateDuration)
+	if err != nil {
+		errors = multierror.Append(errors, err)
+	}
+
+	if errors != nil {
+		return nil, errors
+	}
+
+	logCfg, err := logging.NewLogConfig(nameProxy)
+	if err != nil {
+		return nil, err
+	}
+	logCfg.Name = nameProxy
+	logCfg.LogLevel = logLevel
+	logCfg.LogFormat = logFormat
+	logCfg.LogFilePath = c.config.LogFile
+	logCfg.LogRotateDuration = logRotateDuration
+	logCfg.LogRotateBytes = c.config.LogRotateBytes
+	logCfg.LogRotateMaxFiles = c.config.LogRotateMaxFiles
+
+	l, err := logging.Setup(logCfg, c.logWriter)
+	if err != nil {
+		return nil, err
+	}
+
+	return l, nil
+}
+
+// loadConfig attempts to generate a Proxy config from the file(s) specified.
+func (c *ProxyCommand) loadConfig(paths []string) (*proxyConfig.Config, error) {
+	var errors error
+	cfg := proxyConfig.NewConfig()
+
+	for _, configPath := range paths {
+		configFromPath, err := proxyConfig.LoadConfig(configPath)
+		if err != nil {
+			errors = multierror.Append(errors, fmt.Errorf("error loading configuration from %s: %w", configPath, err))
+		} else {
+			cfg = cfg.Merge(configFromPath)
+		}
+	}
+
+	if errors != nil {
+		return nil, errors
+	}
+
+	if err := cfg.ValidateConfig(); err != nil {
+		return nil, fmt.Errorf("error validating configuration: %w", err)
+	}
+
+	return cfg, nil
+}
+
+// reloadConfig will attempt to reload the config from file(s) and adjust certain
+// config values without requiring a restart of the Vault Proxy.
+// If config is retrieved without error it is stored in the config field of the ProxyCommand.
+// This operation is not atomic and could result in updated config but partially applied config settings.
+// The error returned from this func may be a multierror.
+// This function will most likely be called due to Vault Proxy receiving a SIGHUP signal.
+// Currently only reloading the following are supported:
+// * log level
+// * TLS certs for listeners
+func (c *ProxyCommand) reloadConfig(paths []string) error {
+	// Notify systemd that the server is reloading
+	c.notifySystemd(systemd.SdNotifyReloading)
+	defer c.notifySystemd(systemd.SdNotifyReady)
+
+	var errors error
+
+	// Reload the config
+	cfg, err := c.loadConfig(paths)
+	if err != nil {
+		// Returning single error as we won't continue with bad config and won't 'commit' it.
+		return err
+	}
+	c.config = cfg
+
+	// Update the log level
+	err = c.reloadLogLevel()
+	if err != nil {
+		errors = multierror.Append(errors, err)
+	}
+
+	// Update certs
+	err = c.reloadCerts()
+	if err != nil {
+		errors = multierror.Append(errors, err)
+	}
+
+	return errors
+}
+
+// reloadLogLevel will attempt to update the log level for the logger attached
+// to the ProxyCommand struct using the value currently set in config.
+func (c *ProxyCommand) reloadLogLevel() error {
+	logLevel, err := logging.ParseLogLevel(c.config.LogLevel)
+	if err != nil {
+		return err
+	}
+
+	c.logger.SetLevel(logLevel)
+
+	return nil
+}
+
+// reloadCerts will attempt to reload certificates using a reload func which
+// was provided when the listeners were configured, only funcs that were appended
+// to the ProxyCommand slice will be invoked.
+// This function returns a multierror type so that every func can report an error
+// if it encounters one.
+func (c *ProxyCommand) reloadCerts() error {
+	var errors error
+
+	c.tlsReloadFuncsLock.RLock()
+	defer c.tlsReloadFuncsLock.RUnlock()
+
+	for _, reloadFunc := range c.tlsReloadFuncs {
+		// Non-TLS listeners will have a nil reload func.
+		if reloadFunc != nil {
+			err := reloadFunc()
+			if err != nil {
+				errors = multierror.Append(errors, err)
+			}
+		}
+	}
+
+	return errors
+}
+
+// outputErrors will take an error or multierror and handle outputting each to the UI
+func (c *ProxyCommand) outputErrors(err error) {
+	if err != nil {
+		if me, ok := err.(*multierror.Error); ok {
+			for _, err := range me.Errors {
+				c.UI.Error(err.Error())
+			}
+		} else {
+			c.UI.Error(err.Error())
+		}
+	}
+}
diff --git a/ui/lib/core/addon/components/info-table.hbs b/ui/lib/core/addon/components/info-table.hbs
index ff954fc42190..391bee40a0ff 100644
--- a/ui/lib/core/addon/components/info-table.hbs
+++ b/ui/lib/core/addon/components/info-table.hbs
@@ -1,28 +1,2368 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<div class="vlt-table info-table sticky-header" data-test-info-table>
-  <table class="is-fullwidth">
-    <caption class="is-collapsed">
-      {{this.title}}
-    </caption>
-    <thead class="has-text-weight-semibold">
-      <tr>
-        <th scope="col">
-          {{@header}}
-        </th>
-      </tr>
-    </thead>
-    <tbody>
-      {{#each @items as |item|}}
-        <tr>
-          <td>
-            <InfoTableRow @value={{item}} />
-          </td>
-        </tr>
-      {{/each}}
-    </tbody>
-  </table>
-</div>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"net/http"
+	"os"
+	"path/filepath"
+	"reflect"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/go-hclog"
+	vaultjwt "github.com/hashicorp/vault-plugin-auth-jwt"
+	logicalKv "github.com/hashicorp/vault-plugin-secrets-kv"
+	"github.com/hashicorp/vault/api"
+	credAppRole "github.com/hashicorp/vault/builtin/credential/approle"
+	"github.com/hashicorp/vault/command/agent"
+	proxyConfig "github.com/hashicorp/vault/command/proxy/config"
+	"github.com/hashicorp/vault/helper/testhelpers/minimal"
+	"github.com/hashicorp/vault/helper/useragent"
+	vaulthttp "github.com/hashicorp/vault/http"
+	"github.com/hashicorp/vault/sdk/helper/logging"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/vault"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func testProxyCommand(tb testing.TB, logger hclog.Logger) (*cli.MockUi, *ProxyCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &ProxyCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+		ShutdownCh: MakeShutdownCh(),
+		SighupCh:   MakeSighupCh(),
+		logger:     logger,
+		startedCh:  make(chan struct{}, 5),
+		reloadedCh: make(chan struct{}, 5),
+	}
+}
+
+// TestProxy_ExitAfterAuth tests the exit_after_auth flag, provided both
+// as config and via -exit-after-auth.
+func TestProxy_ExitAfterAuth(t *testing.T) {
+	t.Run("via_config", func(t *testing.T) {
+		testProxyExitAfterAuth(t, false)
+	})
+
+	t.Run("via_flag", func(t *testing.T) {
+		testProxyExitAfterAuth(t, true)
+	})
+}
+
+func testProxyExitAfterAuth(t *testing.T, viaFlag bool) {
+	logger := logging.NewVaultLogger(hclog.Trace)
+	coreConfig := &vault.CoreConfig{
+		CredentialBackends: map[string]logical.Factory{
+			"jwt": vaultjwt.Factory,
+		},
+	}
+	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
+		HandlerFunc: vaulthttp.Handler,
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	vault.TestWaitActive(t, cluster.Cores[0].Core)
+	client := cluster.Cores[0].Client
+
+	// Setup Vault
+	err := client.Sys().EnableAuthWithOptions("jwt", &api.EnableAuthOptions{
+		Type: "jwt",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = client.Logical().Write("auth/jwt/config", map[string]interface{}{
+		"bound_issuer":           "https://team-vault.auth0.com/",
+		"jwt_validation_pubkeys": agent.TestECDSAPubKey,
+		"jwt_supported_algs":     "ES256",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = client.Logical().Write("auth/jwt/role/test", map[string]interface{}{
+		"role_type":       "jwt",
+		"bound_subject":   "r3qXcK2bix9eFECzsU3Sbmh0K16fatW6@clients",
+		"bound_audiences": "https://vault.plugin.auth.jwt.test",
+		"user_claim":      "https://vault/user",
+		"groups_claim":    "https://vault/groups",
+		"policies":        "test",
+		"period":          "3s",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	dir := t.TempDir()
+	inf, err := os.CreateTemp(dir, "auth.jwt.test.")
+	if err != nil {
+		t.Fatal(err)
+	}
+	in := inf.Name()
+	inf.Close()
+	// We remove these files in this test since we don't need the files, we just need
+	// a non-conflicting file name for the config.
+	os.Remove(in)
+	t.Logf("input: %s", in)
+
+	sink1f, err := os.CreateTemp(dir, "sink1.jwt.test.")
+	if err != nil {
+		t.Fatal(err)
+	}
+	sink1 := sink1f.Name()
+	sink1f.Close()
+	os.Remove(sink1)
+	t.Logf("sink1: %s", sink1)
+
+	sink2f, err := os.CreateTemp(dir, "sink2.jwt.test.")
+	if err != nil {
+		t.Fatal(err)
+	}
+	sink2 := sink2f.Name()
+	sink2f.Close()
+	os.Remove(sink2)
+	t.Logf("sink2: %s", sink2)
+
+	conff, err := os.CreateTemp(dir, "conf.jwt.test.")
+	if err != nil {
+		t.Fatal(err)
+	}
+	conf := conff.Name()
+	conff.Close()
+	os.Remove(conf)
+	t.Logf("config: %s", conf)
+
+	jwtToken, _ := agent.GetTestJWT(t)
+	if err := os.WriteFile(in, []byte(jwtToken), 0o600); err != nil {
+		t.Fatal(err)
+	} else {
+		logger.Trace("wrote test jwt", "path", in)
+	}
+
+	exitAfterAuthTemplText := "exit_after_auth = true"
+	if viaFlag {
+		exitAfterAuthTemplText = ""
+	}
+
+	config := `
+%s
+
+auto_auth {
+        method {
+                type = "jwt"
+                config = {
+                        role = "test"
+                        path = "%s"
+                }
+        }
+
+        sink {
+                type = "file"
+                config = {
+                        path = "%s"
+                }
+        }
+
+        sink "file" {
+                config = {
+                        path = "%s"
+                }
+        }
+}
+`
+
+	config = fmt.Sprintf(config, exitAfterAuthTemplText, in, sink1, sink2)
+	if err := os.WriteFile(conf, []byte(config), 0o600); err != nil {
+		t.Fatal(err)
+	} else {
+		logger.Trace("wrote test config", "path", conf)
+	}
+
+	doneCh := make(chan struct{})
+	go func() {
+		ui, cmd := testProxyCommand(t, logger)
+		cmd.client = client
+
+		args := []string{"-config", conf}
+		if viaFlag {
+			args = append(args, "-exit-after-auth")
+		}
+
+		code := cmd.Run(args)
+		if code != 0 {
+			t.Errorf("expected %d to be %d", code, 0)
+			t.Logf("output from proxy:\n%s", ui.OutputWriter.String())
+			t.Logf("error from proxy:\n%s", ui.ErrorWriter.String())
+		}
+		close(doneCh)
+	}()
+
+	select {
+	case <-doneCh:
+		break
+	case <-time.After(1 * time.Minute):
+		t.Fatal("timeout reached while waiting for proxy to exit")
+	}
+
+	sink1Bytes, err := os.ReadFile(sink1)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(sink1Bytes) == 0 {
+		t.Fatal("got no output from sink 1")
+	}
+
+	sink2Bytes, err := os.ReadFile(sink2)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(sink2Bytes) == 0 {
+		t.Fatal("got no output from sink 2")
+	}
+
+	if string(sink1Bytes) != string(sink2Bytes) {
+		t.Fatal("sink 1/2 values don't match")
+	}
+}
+
+// TestProxy_AutoAuth_UserAgent tests that the User-Agent sent
+// to Vault by Vault Proxy is correct when performing Auto-Auth.
+// Uses the custom handler userAgentHandler (defined above) so
+// that Vault validates the User-Agent on requests sent by Proxy.
+func TestProxy_AutoAuth_UserAgent(t *testing.T) {
+	logger := logging.NewVaultLogger(hclog.Trace)
+	var h userAgentHandler
+	cluster := vault.NewTestCluster(t, &vault.CoreConfig{
+		CredentialBackends: map[string]logical.Factory{
+			"approle": credAppRole.Factory,
+		},
+	}, &vault.TestClusterOptions{
+		NumCores: 1,
+		HandlerFunc: vaulthttp.HandlerFunc(
+			func(properties *vault.HandlerProperties) http.Handler {
+				h.props = properties
+				h.userAgentToCheckFor = useragent.ProxyAutoAuthString()
+				h.requestMethodToCheck = "PUT"
+				h.pathToCheck = "auth/approle/login"
+				h.t = t
+				return &h
+			}),
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	serverClient := cluster.Cores[0].Client
+
+	// Enable the approle auth method
+	req := serverClient.NewRequest("POST", "/v1/sys/auth/approle")
+	req.BodyBytes = []byte(`{
+		"type": "approle"
+	}`)
+	request(t, serverClient, req, 204)
+
+	// Create a named role
+	req = serverClient.NewRequest("PUT", "/v1/auth/approle/role/test-role")
+	req.BodyBytes = []byte(`{
+	  "secret_id_num_uses": "10",
+	  "secret_id_ttl": "1m",
+	  "token_max_ttl": "1m",
+	  "token_num_uses": "10",
+	  "token_ttl": "1m",
+	  "policies": "default"
+	}`)
+	request(t, serverClient, req, 204)
+
+	// Fetch the RoleID of the named role
+	req = serverClient.NewRequest("GET", "/v1/auth/approle/role/test-role/role-id")
+	body := request(t, serverClient, req, 200)
+	data := body["data"].(map[string]interface{})
+	roleID := data["role_id"].(string)
+
+	// Get a SecretID issued against the named role
+	req = serverClient.NewRequest("PUT", "/v1/auth/approle/role/test-role/secret-id")
+	body = request(t, serverClient, req, 200)
+	data = body["data"].(map[string]interface{})
+	secretID := data["secret_id"].(string)
+
+	// Write the RoleID and SecretID to temp files
+	roleIDPath := makeTempFile(t, "role_id.txt", roleID+"\n")
+	secretIDPath := makeTempFile(t, "secret_id.txt", secretID+"\n")
+	defer os.Remove(roleIDPath)
+	defer os.Remove(secretIDPath)
+
+	sinkf, err := os.CreateTemp("", "sink.test.")
+	if err != nil {
+		t.Fatal(err)
+	}
+	sink := sinkf.Name()
+	sinkf.Close()
+	os.Remove(sink)
+
+	autoAuthConfig := fmt.Sprintf(`
+auto_auth {
+    method "approle" {
+        mount_path = "auth/approle"
+        config = {
+            role_id_file_path = "%s"
+            secret_id_file_path = "%s"
+        }
+    }
+
+	sink "file" {
+		config = {
+			path = "%s"
+		}
+	}
+}`, roleIDPath, secretIDPath, sink)
+
+	listenAddr := generateListenerAddress(t)
+	listenConfig := fmt.Sprintf(`
+listener "tcp" {
+  address = "%s"
+  tls_disable = true
+}
+`, listenAddr)
+
+	config := fmt.Sprintf(`
+vault {
+  address = "%s"
+  tls_skip_verify = true
+}
+api_proxy {
+  use_auto_auth_token = true
+}
+%s
+%s
+`, serverClient.Address(), listenConfig, autoAuthConfig)
+	configPath := makeTempFile(t, "config.hcl", config)
+	defer os.Remove(configPath)
+
+	// Unset the environment variable so that proxy picks up the right test
+	// cluster address
+	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
+	os.Unsetenv(api.EnvVaultAddress)
+
+	// Start proxy
+	_, cmd := testProxyCommand(t, logger)
+	cmd.startedCh = make(chan struct{})
+
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		cmd.Run([]string{"-config", configPath})
+		wg.Done()
+	}()
+
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Errorf("timeout")
+	}
+
+	// Validate that the auto-auth token has been correctly attained
+	// and works for LookupSelf
+	conf := api.DefaultConfig()
+	conf.Address = "http://" + listenAddr
+	proxyClient, err := api.NewClient(conf)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	proxyClient.SetToken("")
+	err = proxyClient.SetAddress("http://" + listenAddr)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Wait for the token to be sent to syncs and be available to be used
+	time.Sleep(5 * time.Second)
+
+	req = proxyClient.NewRequest("GET", "/v1/auth/token/lookup-self")
+	body = request(t, proxyClient, req, 200)
+
+	close(cmd.ShutdownCh)
+	wg.Wait()
+}
+
+// TestProxy_APIProxyWithoutCache_UserAgent tests that the User-Agent sent
+// to Vault by Vault Proxy is correct using the API proxy without
+// the cache configured. Uses the custom handler
+// userAgentHandler struct defined in this test package, so that Vault validates the
+// User-Agent on requests sent by Proxy.
+func TestProxy_APIProxyWithoutCache_UserAgent(t *testing.T) {
+	logger := logging.NewVaultLogger(hclog.Trace)
+	userAgentForProxiedClient := "proxied-client"
+	var h userAgentHandler
+	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
+		NumCores: 1,
+		HandlerFunc: vaulthttp.HandlerFunc(
+			func(properties *vault.HandlerProperties) http.Handler {
+				h.props = properties
+				h.userAgentToCheckFor = useragent.ProxyStringWithProxiedUserAgent(userAgentForProxiedClient)
+				h.pathToCheck = "/v1/auth/token/lookup-self"
+				h.requestMethodToCheck = "GET"
+				h.t = t
+				return &h
+			}),
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	serverClient := cluster.Cores[0].Client
+
+	// Unset the environment variable so that proxy picks up the right test
+	// cluster address
+	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
+	os.Unsetenv(api.EnvVaultAddress)
+
+	listenAddr := generateListenerAddress(t)
+	listenConfig := fmt.Sprintf(`
+listener "tcp" {
+  address = "%s"
+  tls_disable = true
+}
+`, listenAddr)
+
+	config := fmt.Sprintf(`
+vault {
+  address = "%s"
+  tls_skip_verify = true
+}
+%s
+`, serverClient.Address(), listenConfig)
+	configPath := makeTempFile(t, "config.hcl", config)
+	defer os.Remove(configPath)
+
+	// Start the proxy
+	_, cmd := testProxyCommand(t, logger)
+	cmd.startedCh = make(chan struct{})
+
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		cmd.Run([]string{"-config", configPath})
+		wg.Done()
+	}()
+
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Errorf("timeout")
+	}
+
+	proxyClient, err := api.NewClient(api.DefaultConfig())
+	if err != nil {
+		t.Fatal(err)
+	}
+	proxyClient.AddHeader("User-Agent", userAgentForProxiedClient)
+	proxyClient.SetToken(serverClient.Token())
+	proxyClient.SetMaxRetries(0)
+	err = proxyClient.SetAddress("http://" + listenAddr)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = proxyClient.Auth().Token().LookupSelf()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	close(cmd.ShutdownCh)
+	wg.Wait()
+}
+
+// TestProxy_APIProxyWithCache_UserAgent tests that the User-Agent sent
+// to Vault by Vault Proxy is correct using the API proxy with
+// the cache configured.  Uses the custom handler
+// userAgentHandler struct defined in this test package, so that Vault validates the
+// User-Agent on requests sent by Proxy.
+func TestProxy_APIProxyWithCache_UserAgent(t *testing.T) {
+	logger := logging.NewVaultLogger(hclog.Trace)
+	userAgentForProxiedClient := "proxied-client"
+	var h userAgentHandler
+	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
+		NumCores: 1,
+		HandlerFunc: vaulthttp.HandlerFunc(
+			func(properties *vault.HandlerProperties) http.Handler {
+				h.props = properties
+				h.userAgentToCheckFor = useragent.ProxyStringWithProxiedUserAgent(userAgentForProxiedClient)
+				h.pathToCheck = "/v1/auth/token/lookup-self"
+				h.requestMethodToCheck = "GET"
+				h.t = t
+				return &h
+			}),
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	serverClient := cluster.Cores[0].Client
+
+	// Unset the environment variable so that proxy picks up the right test
+	// cluster address
+	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
+	os.Unsetenv(api.EnvVaultAddress)
+
+	listenAddr := generateListenerAddress(t)
+	listenConfig := fmt.Sprintf(`
+listener "tcp" {
+  address = "%s"
+  tls_disable = true
+}
+`, listenAddr)
+
+	cacheConfig := `
+cache {
+}`
+
+	config := fmt.Sprintf(`
+vault {
+  address = "%s"
+  tls_skip_verify = true
+}
+%s
+%s
+`, serverClient.Address(), listenConfig, cacheConfig)
+	configPath := makeTempFile(t, "config.hcl", config)
+	defer os.Remove(configPath)
+
+	// Start the proxy
+	_, cmd := testProxyCommand(t, logger)
+	cmd.startedCh = make(chan struct{})
+
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		cmd.Run([]string{"-config", configPath})
+		wg.Done()
+	}()
+
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Errorf("timeout")
+	}
+
+	proxyClient, err := api.NewClient(api.DefaultConfig())
+	if err != nil {
+		t.Fatal(err)
+	}
+	proxyClient.AddHeader("User-Agent", userAgentForProxiedClient)
+	proxyClient.SetToken(serverClient.Token())
+	proxyClient.SetMaxRetries(0)
+	err = proxyClient.SetAddress("http://" + listenAddr)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = proxyClient.Auth().Token().LookupSelf()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	close(cmd.ShutdownCh)
+	wg.Wait()
+}
+
+// TestProxy_Cache_DynamicSecret tests that the cache successfully caches a dynamic secret
+// going through the Proxy, and that a subsequent request will be served from the cache.
+func TestProxy_Cache_DynamicSecret(t *testing.T) {
+	logger := logging.NewVaultLogger(hclog.Trace)
+	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
+		HandlerFunc: vaulthttp.Handler,
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	serverClient := cluster.Cores[0].Client
+
+	// Unset the environment variable so that proxy picks up the right test
+	// cluster address
+	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
+	os.Unsetenv(api.EnvVaultAddress)
+
+	cacheConfig := `
+cache {
+}
+`
+	listenAddr := generateListenerAddress(t)
+	listenConfig := fmt.Sprintf(`
+listener "tcp" {
+  address = "%s"
+  tls_disable = true
+}
+`, listenAddr)
+
+	config := fmt.Sprintf(`
+vault {
+  address = "%s"
+  tls_skip_verify = true
+}
+%s
+%s
+`, serverClient.Address(), cacheConfig, listenConfig)
+	configPath := makeTempFile(t, "config.hcl", config)
+	defer os.Remove(configPath)
+
+	// Start proxy
+	_, cmd := testProxyCommand(t, logger)
+	cmd.startedCh = make(chan struct{})
+
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		cmd.Run([]string{"-config", configPath})
+		wg.Done()
+	}()
+
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Errorf("timeout")
+	}
+
+	proxyClient, err := api.NewClient(api.DefaultConfig())
+	if err != nil {
+		t.Fatal(err)
+	}
+	proxyClient.SetToken(serverClient.Token())
+	proxyClient.SetMaxRetries(0)
+	err = proxyClient.SetAddress("http://" + listenAddr)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	renewable := true
+	tokenCreateRequest := &api.TokenCreateRequest{
+		Policies:  []string{"default"},
+		TTL:       "30m",
+		Renewable: &renewable,
+	}
+
+	// This was the simplest test I could find to trigger the caching behaviour,
+	// i.e. the most concise I could make the test that I can tell
+	// creating an orphan token returns Auth, is renewable, and isn't a token
+	// that's managed elsewhere (since it's an orphan)
+	secret, err := proxyClient.Auth().Token().CreateOrphan(tokenCreateRequest)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if secret == nil || secret.Auth == nil {
+		t.Fatalf("secret not as expected: %v", secret)
+	}
+
+	token := secret.Auth.ClientToken
+
+	secret, err = proxyClient.Auth().Token().CreateOrphan(tokenCreateRequest)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if secret == nil || secret.Auth == nil {
+		t.Fatalf("secret not as expected: %v", secret)
+	}
+
+	token2 := secret.Auth.ClientToken
+
+	if token != token2 {
+		t.Fatalf("token create response not cached when it should have been, as tokens differ")
+	}
+
+	close(cmd.ShutdownCh)
+	wg.Wait()
+}
+
+// TestProxy_Cache_DisableDynamicSecretCaching tests that the cache will not cache a dynamic secret
+// if disabled in the options.
+func TestProxy_Cache_DisableDynamicSecretCaching(t *testing.T) {
+	logger := logging.NewVaultLogger(hclog.Trace)
+	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
+		HandlerFunc: vaulthttp.Handler,
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	serverClient := cluster.Cores[0].Client
+
+	tokenFileName := makeTempFile(t, "token-file", serverClient.Token())
+	defer os.Remove(tokenFileName)
+	// We need auto-auth for static secret caching.
+	// For ease, we use the token file path with the root token.
+	autoAuthConfig := fmt.Sprintf(`
+auto_auth {
+    method {
+		type = "token_file"
+        config = {
+            token_file_path = "%s"
+        }
+    }
+}`, tokenFileName)
+
+	// Unset the environment variable so that proxy picks up the right test
+	// cluster address
+	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
+	os.Unsetenv(api.EnvVaultAddress)
+
+	cacheConfig := `
+cache {
+	disable_caching_dynamic_secrets = true
+	cache_static_secrets = true // We need to cache at least one kind of secret
+}
+`
+	listenAddr := generateListenerAddress(t)
+	listenConfig := fmt.Sprintf(`
+listener "tcp" {
+  address = "%s"
+  tls_disable = true
+}
+`, listenAddr)
+
+	config := fmt.Sprintf(`
+vault {
+  address = "%s"
+  tls_skip_verify = true
+}
+%s
+%s
+%s
+`, serverClient.Address(), cacheConfig, listenConfig, autoAuthConfig)
+	configPath := makeTempFile(t, "config.hcl", config)
+	defer os.Remove(configPath)
+
+	// Start proxy
+	_, cmd := testProxyCommand(t, logger)
+	cmd.startedCh = make(chan struct{})
+
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		cmd.Run([]string{"-config", configPath})
+		wg.Done()
+	}()
+
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Errorf("timeout")
+	}
+
+	proxyClient, err := api.NewClient(api.DefaultConfig())
+	if err != nil {
+		t.Fatal(err)
+	}
+	proxyClient.SetToken(serverClient.Token())
+	proxyClient.SetMaxRetries(0)
+	err = proxyClient.SetAddress("http://" + listenAddr)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	renewable := true
+	tokenCreateRequest := &api.TokenCreateRequest{
+		Policies:  []string{"default"},
+		TTL:       "30m",
+		Renewable: &renewable,
+	}
+
+	// This was the simplest test I could find to trigger the caching behaviour,
+	// i.e. the most concise I could make the test that I can tell
+	// creating an orphan token returns Auth, is renewable, and isn't a token
+	// that's managed elsewhere (since it's an orphan)
+	secret, err := proxyClient.Auth().Token().CreateOrphan(tokenCreateRequest)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if secret == nil || secret.Auth == nil {
+		t.Fatalf("secret not as expected: %v", secret)
+	}
+
+	token := secret.Auth.ClientToken
+
+	secret, err = proxyClient.Auth().Token().CreateOrphan(tokenCreateRequest)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if secret == nil || secret.Auth == nil {
+		t.Fatalf("secret not as expected: %v", secret)
+	}
+
+	token2 := secret.Auth.ClientToken
+
+	if token == token2 {
+		t.Fatalf("token create response was cached, as the tokens differ")
+	}
+
+	close(cmd.ShutdownCh)
+	wg.Wait()
+}
+
+// TestProxy_Cache_StaticSecret Tests that the cache successfully caches a static secret
+// going through the Proxy,
+func TestProxy_Cache_StaticSecret(t *testing.T) {
+	logger := logging.NewVaultLogger(hclog.Trace)
+	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
+		HandlerFunc: vaulthttp.Handler,
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	serverClient := cluster.Cores[0].Client
+
+	// Unset the environment variable so that proxy picks up the right test
+	// cluster address
+	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
+	os.Unsetenv(api.EnvVaultAddress)
+
+	tokenFileName := makeTempFile(t, "token-file", serverClient.Token())
+	defer os.Remove(tokenFileName)
+	// We need auto-auth so that the event system can run.
+	// For ease, we use the token file path with the root token.
+	autoAuthConfig := fmt.Sprintf(`
+auto_auth {
+    method {
+		type = "token_file"
+        config = {
+            token_file_path = "%s"
+        }
+    }
+}`, tokenFileName)
+
+	cacheConfig := `
+cache {
+	cache_static_secrets = true
+}
+`
+	listenAddr := generateListenerAddress(t)
+	listenConfig := fmt.Sprintf(`
+listener "tcp" {
+  address = "%s"
+  tls_disable = true
+}
+`, listenAddr)
+
+	config := fmt.Sprintf(`
+vault {
+  address = "%s"
+  tls_skip_verify = true
+}
+%s
+%s
+%s
+log_level = "trace"
+`, serverClient.Address(), cacheConfig, listenConfig, autoAuthConfig)
+	configPath := makeTempFile(t, "config.hcl", config)
+	defer os.Remove(configPath)
+
+	// Start proxy
+	ui, cmd := testProxyCommand(t, logger)
+	cmd.startedCh = make(chan struct{})
+
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		cmd.Run([]string{"-config", configPath})
+		wg.Done()
+	}()
+
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Errorf("timeout")
+		t.Errorf("stdout: %s", ui.OutputWriter.String())
+		t.Errorf("stderr: %s", ui.ErrorWriter.String())
+	}
+
+	proxyClient, err := api.NewClient(api.DefaultConfig())
+	if err != nil {
+		t.Fatal(err)
+	}
+	proxyClient.SetToken(serverClient.Token())
+	proxyClient.SetMaxRetries(0)
+	err = proxyClient.SetAddress("http://" + listenAddr)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	secretData := map[string]interface{}{
+		"foo": "bar",
+	}
+
+	// Create kvv1 secret
+	err = serverClient.KVv1("secret").Put(context.Background(), "my-secret", secretData)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// We use raw requests so we can check the headers for cache hit/miss.
+	// We expect the first to miss, and the second to hit.
+	req := proxyClient.NewRequest(http.MethodGet, "/v1/secret/my-secret")
+	resp1, err := proxyClient.RawRequest(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cacheValue := resp1.Header.Get("X-Cache")
+	require.Equal(t, "MISS", cacheValue)
+
+	req = proxyClient.NewRequest(http.MethodGet, "/v1/secret/my-secret")
+	resp2, err := proxyClient.RawRequest(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cacheValue = resp2.Header.Get("X-Cache")
+	require.Equal(t, "HIT", cacheValue)
+
+	// Lastly, we check to make sure the actual data we received is
+	// as we expect. We must use ParseSecret due to the raw requests.
+	secret1, err := api.ParseSecret(resp1.Body)
+	if err != nil {
+		t.Fatal(err)
+	}
+	require.Equal(t, secretData, secret1.Data)
+
+	secret2, err := api.ParseSecret(resp2.Body)
+	if err != nil {
+		t.Fatal(err)
+	}
+	require.Equal(t, secret1.Data, secret2.Data)
+
+	close(cmd.ShutdownCh)
+	wg.Wait()
+}
+
+// TestProxy_Cache_EventSystemUpdatesCacheKVV1 Tests that the cache successfully caches a static secret
+// going through the Proxy, and then the cache gets updated on a POST to the KVV1 secret due to an
+// event.
+func TestProxy_Cache_EventSystemUpdatesCacheKVV1(t *testing.T) {
+	logger := logging.NewVaultLogger(hclog.Trace)
+	cluster := vault.NewTestCluster(t, &vault.CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"kv": logicalKv.Factory,
+		},
+	}, &vault.TestClusterOptions{
+		HandlerFunc: vaulthttp.Handler,
+	})
+
+	serverClient := cluster.Cores[0].Client
+
+	// Unset the environment variable so that proxy picks up the right test
+	// cluster address
+	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
+	os.Unsetenv(api.EnvVaultAddress)
+
+	tokenFileName := makeTempFile(t, "token-file", serverClient.Token())
+	defer os.Remove(tokenFileName)
+	// We need auto-auth so that the event system can run.
+	// For ease, we use the token file path with the root token.
+	autoAuthConfig := fmt.Sprintf(`
+auto_auth {
+    method {
+		type = "token_file"
+        config = {
+            token_file_path = "%s"
+        }
+    }
+}`, tokenFileName)
+
+	cacheConfig := `
+cache {
+	cache_static_secrets = true
+}
+`
+	listenAddr := generateListenerAddress(t)
+	listenConfig := fmt.Sprintf(`
+listener "tcp" {
+  address = "%s"
+  tls_disable = true
+}
+`, listenAddr)
+
+	config := fmt.Sprintf(`
+vault {
+  address = "%s"
+  tls_skip_verify = true
+}
+%s
+%s
+%s
+log_level = "trace"
+`, serverClient.Address(), cacheConfig, listenConfig, autoAuthConfig)
+	configPath := makeTempFile(t, "config.hcl", config)
+	defer os.Remove(configPath)
+
+	// Start proxy
+	ui, cmd := testProxyCommand(t, logger)
+	cmd.startedCh = make(chan struct{})
+
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		cmd.Run([]string{"-config", configPath})
+		wg.Done()
+	}()
+
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Errorf("timeout")
+		t.Errorf("stdout: %s", ui.OutputWriter.String())
+		t.Errorf("stderr: %s", ui.ErrorWriter.String())
+	}
+
+	proxyClient, err := api.NewClient(api.DefaultConfig())
+	if err != nil {
+		t.Fatal(err)
+	}
+	proxyClient.SetToken(serverClient.Token())
+	proxyClient.SetMaxRetries(0)
+	err = proxyClient.SetAddress("http://" + listenAddr)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	secretData := map[string]interface{}{
+		"foo": "bar",
+	}
+
+	secretData2 := map[string]interface{}{
+		"bar": "baz",
+	}
+
+	// Wait for the event system to successfully connect.
+	// The test would pass without this time.Sleep, due to the call to updater.preEventStreamUpdate
+	// but this Sleep ensures we test both paths (both updating from an event, and from
+	// the pre event update).
+	// As a result, we shouldn't remove this sleep, since it ensures we have greater coverage.
+	time.Sleep(5 * time.Second)
+
+	// Mount the KVV2 engine
+	err = serverClient.Sys().Mount("secret-v1", &api.MountInput{
+		Type: "kv",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Create kvv1 secret
+	err = serverClient.KVv1("secret-v1").Put(context.Background(), "my-secret", secretData)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// We use raw requests so we can check the headers for cache hit/miss.
+	req := proxyClient.NewRequest(http.MethodGet, "/v1/secret-v1/my-secret")
+	resp1, err := proxyClient.RawRequest(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cacheValue := resp1.Header.Get("X-Cache")
+	require.Equal(t, "MISS", cacheValue)
+
+	// Update the secret using the proxy client
+	err = proxyClient.KVv1("secret-v1").Put(context.Background(), "my-secret", secretData2)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Give some time for the event to actually get sent and the cache to be updated.
+	// This is longer than it needs to be to account for unnatural slowness/avoiding
+	// flakiness.
+	time.Sleep(5 * time.Second)
+
+	// We expect this to be a cache hit, with the new value
+	resp2, err := proxyClient.RawRequest(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cacheValue = resp2.Header.Get("X-Cache")
+	require.Equal(t, "HIT", cacheValue)
+
+	// Lastly, we check to make sure the actual data we received is
+	// as we expect. We must use ParseSecret due to the raw requests.
+	secret1, err := api.ParseSecret(resp1.Body)
+	if err != nil {
+		t.Fatal(err)
+	}
+	require.Equal(t, secretData, secret1.Data)
+
+	secret2, err := api.ParseSecret(resp2.Body)
+	if err != nil {
+		t.Fatal(err)
+	}
+	require.Equal(t, secretData2, secret2.Data)
+
+	close(cmd.ShutdownCh)
+	wg.Wait()
+}
+
+// TestProxy_Cache_EventSystemUpdatesCacheKVV2 Tests that the cache successfully caches a static secret
+// going through the Proxy for a KVV2 secret, and then the cache gets updated on a POST to the secret due to an
+// event.
+func TestProxy_Cache_EventSystemUpdatesCacheKVV2(t *testing.T) {
+	logger := logging.NewVaultLogger(hclog.Trace)
+	cluster := vault.NewTestCluster(t, &vault.CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"kv": logicalKv.VersionedKVFactory,
+		},
+	}, &vault.TestClusterOptions{
+		HandlerFunc: vaulthttp.Handler,
+	})
+
+	serverClient := cluster.Cores[0].Client
+
+	// Unset the environment variable so that proxy picks up the right test
+	// cluster address
+	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
+	os.Unsetenv(api.EnvVaultAddress)
+
+	tokenFileName := makeTempFile(t, "token-file", serverClient.Token())
+	defer os.Remove(tokenFileName)
+	// We need auto-auth so that the event system can run.
+	// For ease, we use the token file path with the root token.
+	autoAuthConfig := fmt.Sprintf(`
+auto_auth {
+    method {
+		type = "token_file"
+        config = {
+            token_file_path = "%s"
+        }
+    }
+}`, tokenFileName)
+
+	cacheConfig := `
+cache {
+	cache_static_secrets = true
+}
+`
+	listenAddr := generateListenerAddress(t)
+	listenConfig := fmt.Sprintf(`
+listener "tcp" {
+  address = "%s"
+  tls_disable = true
+}
+`, listenAddr)
+
+	config := fmt.Sprintf(`
+vault {
+  address = "%s"
+  tls_skip_verify = true
+}
+%s
+%s
+%s
+log_level = "trace"
+`, serverClient.Address(), cacheConfig, listenConfig, autoAuthConfig)
+	configPath := makeTempFile(t, "config.hcl", config)
+	defer os.Remove(configPath)
+
+	// Start proxy
+	ui, cmd := testProxyCommand(t, logger)
+	cmd.startedCh = make(chan struct{})
+
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		cmd.Run([]string{"-config", configPath})
+		wg.Done()
+	}()
+
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Errorf("timeout")
+		t.Errorf("stdout: %s", ui.OutputWriter.String())
+		t.Errorf("stderr: %s", ui.ErrorWriter.String())
+	}
+
+	proxyClient, err := api.NewClient(api.DefaultConfig())
+	if err != nil {
+		t.Fatal(err)
+	}
+	proxyClient.SetToken(serverClient.Token())
+	proxyClient.SetMaxRetries(0)
+	err = proxyClient.SetAddress("http://" + listenAddr)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	secretData := map[string]interface{}{
+		"foo": "bar",
+	}
+
+	secretData2 := map[string]interface{}{
+		"bar": "baz",
+	}
+
+	// Wait for the event system to successfully connect.
+	// This is longer than it needs to be to account for unnatural slowness/avoiding
+	// flakiness.
+	time.Sleep(5 * time.Second)
+
+	// Mount the KVV2 engine
+	err = serverClient.Sys().Mount("secret-v2", &api.MountInput{
+		Type: "kv-v2",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Create kvv2 secret
+	_, err = serverClient.KVv2("secret-v2").Put(context.Background(), "my-secret", secretData)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// We use raw requests so we can check the headers for cache hit/miss.
+	req := proxyClient.NewRequest(http.MethodGet, "/v1/secret-v2/data/my-secret")
+	resp1, err := proxyClient.RawRequest(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cacheValue := resp1.Header.Get("X-Cache")
+	require.Equal(t, "MISS", cacheValue)
+
+	// Update the secret using the proxy client
+	_, err = proxyClient.KVv2("secret-v2").Put(context.Background(), "my-secret", secretData2)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Give some time for the event to actually get sent and the cache to be updated.
+	// This is longer than it needs to be to account for unnatural slowness/avoiding
+	// flakiness.
+	time.Sleep(5 * time.Second)
+
+	// We expect this to be a cache hit, with the new value
+	resp2, err := proxyClient.RawRequest(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cacheValue = resp2.Header.Get("X-Cache")
+	require.Equal(t, "HIT", cacheValue)
+
+	// Lastly, we check to make sure the actual data we received is
+	// as we expect. We must use ParseSecret due to the raw requests.
+	secret1, err := api.ParseSecret(resp1.Body)
+	if err != nil {
+		t.Fatal(err)
+	}
+	data, ok := secret1.Data["data"]
+	require.True(t, ok)
+	require.Equal(t, secretData, data)
+
+	secret2, err := api.ParseSecret(resp2.Body)
+	if err != nil {
+		t.Fatal(err)
+	}
+	data2, ok := secret2.Data["data"]
+	require.True(t, ok)
+	// We expect that the cached value got updated by the event system.
+	require.Equal(t, secretData2, data2)
+
+	// Lastly, ensure that a client without a token fails to access the secret.
+	proxyClient.SetToken("")
+	req = proxyClient.NewRequest(http.MethodGet, "/v1/secret-v2/data/my-secret")
+	_, err = proxyClient.RawRequest(req)
+	require.NotNil(t, err)
+
+	_, err = proxyClient.KVv2("secret-v2").Get(context.Background(), "my-secret")
+	require.NotNil(t, err)
+
+	close(cmd.ShutdownCh)
+	wg.Wait()
+}
+
+// TestProxy_Cache_EventSystemUpdatesCacheUseAutoAuthToken Tests that the cache successfully caches a static secret
+// going through the Proxy for a KVV2 secret, and that the cache works as expected with the
+// use_auto_auth_token=force option.
+func TestProxy_Cache_EventSystemUpdatesCacheUseAutoAuthToken(t *testing.T) {
+	logger := logging.NewVaultLogger(hclog.Trace)
+	cluster := vault.NewTestCluster(t, &vault.CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"kv": logicalKv.VersionedKVFactory,
+		},
+	}, &vault.TestClusterOptions{
+		HandlerFunc: vaulthttp.Handler,
+	})
+
+	serverClient := cluster.Cores[0].Client
+
+	// Unset the environment variable so that proxy picks up the right test
+	// cluster address
+	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
+	os.Unsetenv(api.EnvVaultAddress)
+
+	tokenFileName := makeTempFile(t, "token-file", serverClient.Token())
+	defer os.Remove(tokenFileName)
+	// We need auto-auth so that the event system can run.
+	// For ease, we use the token file path with the root token.
+	autoAuthConfig := fmt.Sprintf(`
+auto_auth {
+    method {
+		type = "token_file"
+        config = {
+            token_file_path = "%s"
+        }
+    }
+}`, tokenFileName)
+
+	cacheConfig := `
+cache {
+	cache_static_secrets = true
+}
+`
+	listenAddr := generateListenerAddress(t)
+	listenConfig := fmt.Sprintf(`
+listener "tcp" {
+  address = "%s"
+  tls_disable = true
+}
+`, listenAddr)
+
+	config := fmt.Sprintf(`
+vault {
+  address = "%s"
+  tls_skip_verify = true
+}
+%s
+%s
+%s
+
+api_proxy {
+  use_auto_auth_token = "force"
+}
+
+log_level = "trace"
+`, serverClient.Address(), cacheConfig, listenConfig, autoAuthConfig)
+	configPath := makeTempFile(t, "config.hcl", config)
+	defer os.Remove(configPath)
+
+	// Start proxy
+	ui, cmd := testProxyCommand(t, logger)
+	cmd.startedCh = make(chan struct{})
+
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		cmd.Run([]string{"-config", configPath})
+		wg.Done()
+	}()
+
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Errorf("timeout")
+		t.Errorf("stdout: %s", ui.OutputWriter.String())
+		t.Errorf("stderr: %s", ui.ErrorWriter.String())
+	}
+
+	proxyClient, err := api.NewClient(api.DefaultConfig())
+	if err != nil {
+		t.Fatal(err)
+	}
+	proxyClient.SetToken(serverClient.Token())
+	proxyClient.SetMaxRetries(0)
+	err = proxyClient.SetAddress("http://" + listenAddr)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	secretData := map[string]interface{}{
+		"foo": "bar",
+	}
+
+	secretData2 := map[string]interface{}{
+		"bar": "baz",
+	}
+
+	// Wait for the event system to successfully connect.
+	// This is longer than it needs to be to account for unnatural slowness/avoiding
+	// flakiness.
+	time.Sleep(5 * time.Second)
+
+	// Mount the KVV2 engine
+	err = serverClient.Sys().Mount("secret-v2", &api.MountInput{
+		Type: "kv-v2",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Create kvv2 secret
+	_, err = serverClient.KVv2("secret-v2").Put(context.Background(), "my-secret", secretData)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// We use raw requests so we can check the headers for cache hit/miss.
+	req := proxyClient.NewRequest(http.MethodGet, "/v1/secret-v2/data/my-secret")
+	resp1, err := proxyClient.RawRequest(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cacheValue := resp1.Header.Get("X-Cache")
+	require.Equal(t, "MISS", cacheValue)
+
+	// Update the secret using the proxy client
+	_, err = proxyClient.KVv2("secret-v2").Put(context.Background(), "my-secret", secretData2)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Give some time for the event to actually get sent and the cache to be updated.
+	// This is longer than it needs to be to account for unnatural slowness/avoiding
+	// flakiness.
+	time.Sleep(5 * time.Second)
+
+	// We expect this to be a cache hit, with the new value
+	resp2, err := proxyClient.RawRequest(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cacheValue = resp2.Header.Get("X-Cache")
+	require.Equal(t, "HIT", cacheValue)
+
+	// Lastly, we check to make sure the actual data we received is
+	// as we expect. We must use ParseSecret due to the raw requests.
+	secret1, err := api.ParseSecret(resp1.Body)
+	require.Nil(t, err)
+	data, ok := secret1.Data["data"]
+	require.True(t, ok)
+	require.Equal(t, secretData, data)
+
+	secret2, err := api.ParseSecret(resp2.Body)
+	require.Nil(t, err)
+	data2, ok := secret2.Data["data"]
+	require.True(t, ok)
+	// We expect that the cached value got updated by the event system.
+	require.Equal(t, secretData2, data2)
+
+	// Lastly, ensure that a client without a token succeeds
+	// at accessing the secret, due to the use_auto_auth_token = "force"
+	// option.
+	proxyClient.SetToken("")
+	req = proxyClient.NewRequest(http.MethodGet, "/v1/secret-v2/data/my-secret")
+	resp3, err := proxyClient.RawRequest(req)
+	require.Nil(t, err)
+	cacheValue = resp3.Header.Get("X-Cache")
+	require.Equal(t, "HIT", cacheValue)
+
+	secret3, err := api.ParseSecret(resp3.Body)
+	require.Nil(t, err)
+	data3, ok := secret3.Data["data"]
+	require.True(t, ok)
+	// We expect that the cached value got updated by the event system.
+	require.Equal(t, secretData2, data3)
+
+	close(cmd.ShutdownCh)
+	wg.Wait()
+}
+
+// TestProxy_Cache_EventSystemPreEventStreamUpdateWorks Tests that the pre-event stream update works
+// (i.e. the method preEventStreamUpdate). This test is similar to TestProxy_Cache_EventSystemUpdatesCacheKVV2,
+// but with the key difference of not waiting the five seconds for the event subsystem of Proxy to get running
+// before it updates the secret, meaning that the event system should update it from the pre-event stream
+// update as opposed to receiving the event.
+func TestProxy_Cache_EventSystemPreEventStreamUpdateWorks(t *testing.T) {
+	logger := logging.NewVaultLogger(hclog.Trace)
+	cluster := minimal.NewTestSoloCluster(t, &vault.CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"kv": logicalKv.VersionedKVFactory,
+		},
+	})
+
+	serverClient := cluster.Cores[0].Client
+
+	// Unset the environment variable so that proxy picks up the right test
+	// cluster address
+	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
+	os.Unsetenv(api.EnvVaultAddress)
+
+	tokenFileName := makeTempFile(t, "token-file", serverClient.Token())
+	defer os.Remove(tokenFileName)
+	// We need auto-auth so that the event system can run.
+	// For ease, we use the token file path with the root token.
+	autoAuthConfig := fmt.Sprintf(`
+auto_auth {
+    method {
+		type = "token_file"
+        config = {
+            token_file_path = "%s"
+        }
+    }
+}`, tokenFileName)
+
+	cacheConfig := `
+cache {
+	cache_static_secrets = true
+}
+`
+	listenAddr := generateListenerAddress(t)
+	listenConfig := fmt.Sprintf(`
+listener "tcp" {
+  address = "%s"
+  tls_disable = true
+}
+`, listenAddr)
+
+	config := fmt.Sprintf(`
+vault {
+  address = "%s"
+  tls_skip_verify = true
+}
+%s
+%s
+%s
+log_level = "trace"
+`, serverClient.Address(), cacheConfig, listenConfig, autoAuthConfig)
+	configPath := makeTempFile(t, "config.hcl", config)
+	defer os.Remove(configPath)
+
+	// Start proxy
+	ui, cmd := testProxyCommand(t, logger)
+	cmd.startedCh = make(chan struct{})
+
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		cmd.Run([]string{"-config", configPath})
+		wg.Done()
+	}()
+
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Errorf("timeout")
+		t.Errorf("stdout: %s", ui.OutputWriter.String())
+		t.Errorf("stderr: %s", ui.ErrorWriter.String())
+	}
+
+	proxyClient, err := api.NewClient(api.DefaultConfig())
+	if err != nil {
+		t.Fatal(err)
+	}
+	proxyClient.SetToken(serverClient.Token())
+	proxyClient.SetMaxRetries(0)
+	err = proxyClient.SetAddress("http://" + listenAddr)
+	require.NoError(t, err)
+
+	secretData := map[string]interface{}{
+		"foo": "bar",
+	}
+
+	secretData2 := map[string]interface{}{
+		"bar": "baz",
+	}
+
+	// Mount the KVV2 engine
+	err = serverClient.Sys().Mount("secret-v2", &api.MountInput{
+		Type: "kv-v2",
+	})
+	require.NoError(t, err)
+
+	// Create kvv2 secret
+	_, err = serverClient.KVv2("secret-v2").Put(context.Background(), "my-secret", secretData)
+	require.NoError(t, err)
+
+	// We use raw requests so we can check the headers for cache hit/miss.
+	req := proxyClient.NewRequest(http.MethodGet, "/v1/secret-v2/data/my-secret")
+	resp1, err := proxyClient.RawRequest(req)
+	require.NoError(t, err)
+
+	cacheValue := resp1.Header.Get("X-Cache")
+	require.Equal(t, "MISS", cacheValue)
+
+	// Update the secret using the proxy client
+	_, err = proxyClient.KVv2("secret-v2").Put(context.Background(), "my-secret", secretData2)
+	require.NoError(t, err)
+
+	// Give some time for the event system to run and update the secret as part of the
+	// pre-event stream run. Likely, this will be the period in which the event subsystem
+	// of proxy actually starts up, so it will have missed the event, but this should still
+	// result in an updated cache.
+	time.Sleep(5 * time.Second)
+
+	// We expect this to be a cache hit, with the new value
+	resp2, err := proxyClient.RawRequest(req)
+	require.NoError(t, err)
+
+	cacheValue = resp2.Header.Get("X-Cache")
+	require.Equal(t, "HIT", cacheValue)
+
+	// Lastly, we check to make sure the actual data we received is
+	// as we expect. We must use ParseSecret due to the raw requests.
+	secret1, err := api.ParseSecret(resp1.Body)
+	require.NoError(t, err)
+	data, ok := secret1.Data["data"]
+	require.True(t, ok)
+	require.Equal(t, secretData, data)
+
+	secret2, err := api.ParseSecret(resp2.Body)
+	require.NoError(t, err)
+	data2, ok := secret2.Data["data"]
+	require.True(t, ok)
+	// We expect that the cached value got updated by the event system.
+	require.Equal(t, secretData2, data2)
+
+	close(cmd.ShutdownCh)
+	wg.Wait()
+}
+
+// TestProxy_Cache_StaticSecretPermissionsLost Tests that the cache successfully caches a static secret
+// going through the Proxy for a KVV2 secret, and then the calling client loses permissions to the secret,
+// so it can no longer access the cache.
+func TestProxy_Cache_StaticSecretPermissionsLost(t *testing.T) {
+	logger := logging.NewVaultLogger(hclog.Trace)
+	cluster := vault.NewTestCluster(t, &vault.CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"kv": logicalKv.VersionedKVFactory,
+		},
+	}, &vault.TestClusterOptions{
+		HandlerFunc: vaulthttp.Handler,
+	})
+
+	serverClient := cluster.Cores[0].Client
+
+	// Unset the environment variable so that proxy picks up the right test
+	// cluster address
+	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
+	os.Unsetenv(api.EnvVaultAddress)
+
+	tokenFileName := makeTempFile(t, "token-file", serverClient.Token())
+	defer os.Remove(tokenFileName)
+	// We need auto-auth so that the event system can run.
+	// For ease, we use the token file path with the root token.
+	autoAuthConfig := fmt.Sprintf(`
+auto_auth {
+    method {
+		type = "token_file"
+        config = {
+            token_file_path = "%s"
+        }
+    }
+}`, tokenFileName)
+
+	// We make the token capability refresh interval one second, for ease of testing
+	cacheConfig := `
+cache {
+	cache_static_secrets = true
+	static_secret_token_capability_refresh_interval = "1s"
+}
+`
+	listenAddr := generateListenerAddress(t)
+	listenConfig := fmt.Sprintf(`
+listener "tcp" {
+  address = "%s"
+  tls_disable = true
+}
+`, listenAddr)
+
+	config := fmt.Sprintf(`
+vault {
+  address = "%s"
+  tls_skip_verify = true
+}
+%s
+%s
+%s
+log_level = "trace"
+`, serverClient.Address(), cacheConfig, listenConfig, autoAuthConfig)
+	configPath := makeTempFile(t, "config.hcl", config)
+	defer os.Remove(configPath)
+
+	// Start proxy
+	ui, cmd := testProxyCommand(t, logger)
+	cmd.startedCh = make(chan struct{})
+
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		cmd.Run([]string{"-config", configPath})
+		wg.Done()
+	}()
+
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Errorf("timeout")
+		t.Errorf("stdout: %s", ui.OutputWriter.String())
+		t.Errorf("stderr: %s", ui.ErrorWriter.String())
+	}
+
+	proxyClient, err := api.NewClient(api.DefaultConfig())
+	require.Nil(t, err)
+	proxyClient.SetMaxRetries(0)
+	err = proxyClient.SetAddress("http://" + listenAddr)
+	require.Nil(t, err)
+
+	secretData := map[string]interface{}{
+		"foo": "bar",
+	}
+
+	// Mount the KVV2 engine
+	err = serverClient.Sys().Mount("secret-v2", &api.MountInput{
+		Type: "kv-v2",
+	})
+	require.Nil(t, err)
+
+	err = serverClient.Sys().PutPolicy("kv-policy", `
+   path "secret-v2/*" {
+     capabilities = ["update", "read"]
+   }`)
+	require.Nil(t, err)
+
+	// Setup a token that we can later revoke:
+	renewable := true
+	// Set the token's policies to 'default' and nothing else
+	tokenCreateRequest := &api.TokenCreateRequest{
+		Policies:  []string{"default", "kv-policy"},
+		TTL:       "2s",
+		Renewable: &renewable,
+	}
+
+	secret, err := serverClient.Auth().Token().CreateOrphan(tokenCreateRequest)
+	require.Nil(t, err)
+	token := secret.Auth.ClientToken
+	proxyClient.SetToken(token)
+
+	// Create kvv2 secret
+	_, err = serverClient.KVv2("secret-v2").Put(context.Background(), "my-secret", secretData)
+	require.Nil(t, err)
+
+	// We use raw requests so we can check the headers for cache hit/miss.
+	req := proxyClient.NewRequest(http.MethodGet, "/v1/secret-v2/data/my-secret")
+	resp1, err := proxyClient.RawRequest(req)
+	require.Nil(t, err)
+
+	cacheValue := resp1.Header.Get("X-Cache")
+	require.Equal(t, "MISS", cacheValue)
+
+	// We expect this to be a cache hit, with the new value
+	resp2, err := proxyClient.RawRequest(req)
+	require.Nil(t, err)
+
+	cacheValue = resp2.Header.Get("X-Cache")
+	require.Equal(t, "HIT", cacheValue)
+
+	// Lastly, we check to make sure the actual data we received is
+	// as we expect. We must use ParseSecret due to the raw requests.
+	secret1, err := api.ParseSecret(resp1.Body)
+	if err != nil {
+		t.Fatal(err)
+	}
+	data, ok := secret1.Data["data"]
+	require.True(t, ok)
+	require.Equal(t, secretData, data)
+
+	secret2, err := api.ParseSecret(resp2.Body)
+	if err != nil {
+		t.Fatal(err)
+	}
+	data2, ok := secret2.Data["data"]
+	require.True(t, ok)
+	// We expect that the cached value got updated by the event system.
+	require.Equal(t, secretData, data2)
+
+	// Wait for the token to expire, and for the permissions to be revoked
+	// The TTL on the token was 2s, and the capability refresh is every 1s,
+	// so this should give us more than enough time!
+	time.Sleep(5 * time.Second)
+	kvSecret, err := proxyClient.KVv2("secret-v2").Get(context.Background(), "my-secret")
+	if err == nil {
+		t.Fatalf("expected error, but none found, secret:%v, err:%v", kvSecret, err)
+	}
+	// Make sure it's a permission denied error
+	if !strings.Contains(err.Error(), "permission denied") {
+		t.Fatalf("expected error on GET to secret after token revocation, secret:%v, err:%v", kvSecret, err)
+	}
+
+	close(cmd.ShutdownCh)
+	wg.Wait()
+}
+
+// TestProxy_ApiProxy_Retry Tests the retry functionalities of Vault Proxy's API Proxy
+func TestProxy_ApiProxy_Retry(t *testing.T) {
+	//----------------------------------------------------
+	// Start the server and proxy
+	//----------------------------------------------------
+	logger := logging.NewVaultLogger(hclog.Trace)
+	var h handler
+	cluster := vault.NewTestCluster(t,
+		&vault.CoreConfig{
+			CredentialBackends: map[string]logical.Factory{
+				"approle": credAppRole.Factory,
+			},
+			LogicalBackends: map[string]logical.Factory{
+				"kv": logicalKv.Factory,
+			},
+		},
+		&vault.TestClusterOptions{
+			NumCores: 1,
+			HandlerFunc: vaulthttp.HandlerFunc(func(properties *vault.HandlerProperties) http.Handler {
+				h.props = properties
+				h.t = t
+				return &h
+			}),
+		})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	vault.TestWaitActive(t, cluster.Cores[0].Core)
+	serverClient := cluster.Cores[0].Client
+
+	// Unset the environment variable so that proxy picks up the right test
+	// cluster address
+	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
+	os.Unsetenv(api.EnvVaultAddress)
+
+	_, err := serverClient.Logical().Write("secret/foo", map[string]interface{}{
+		"bar": "baz",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	intRef := func(i int) *int {
+		return &i
+	}
+	// start test cases here
+	testCases := map[string]struct {
+		retries     *int
+		expectError bool
+	}{
+		"none": {
+			retries:     intRef(-1),
+			expectError: true,
+		},
+		"one": {
+			retries:     intRef(1),
+			expectError: true,
+		},
+		"two": {
+			retries:     intRef(2),
+			expectError: false,
+		},
+		"missing": {
+			retries:     nil,
+			expectError: false,
+		},
+		"default": {
+			retries:     intRef(0),
+			expectError: false,
+		},
+	}
+
+	for tcname, tc := range testCases {
+		t.Run(tcname, func(t *testing.T) {
+			h.failCount = 2
+
+			cacheConfig := `
+cache {
+}
+`
+			listenAddr := generateListenerAddress(t)
+			listenConfig := fmt.Sprintf(`
+listener "tcp" {
+  address = "%s"
+  tls_disable = true
+}
+`, listenAddr)
+
+			var retryConf string
+			if tc.retries != nil {
+				retryConf = fmt.Sprintf("retry { num_retries = %d }", *tc.retries)
+			}
+
+			config := fmt.Sprintf(`
+vault {
+  address = "%s"
+  %s
+  tls_skip_verify = true
+}
+%s
+%s
+`, serverClient.Address(), retryConf, cacheConfig, listenConfig)
+			configPath := makeTempFile(t, "config.hcl", config)
+			defer os.Remove(configPath)
+
+			_, cmd := testProxyCommand(t, logger)
+			cmd.startedCh = make(chan struct{})
+
+			wg := &sync.WaitGroup{}
+			wg.Add(1)
+			go func() {
+				cmd.Run([]string{"-config", configPath})
+				wg.Done()
+			}()
+
+			select {
+			case <-cmd.startedCh:
+			case <-time.After(5 * time.Second):
+				t.Errorf("timeout")
+			}
+
+			client, err := api.NewClient(api.DefaultConfig())
+			if err != nil {
+				t.Fatal(err)
+			}
+			client.SetToken(serverClient.Token())
+			client.SetMaxRetries(0)
+			err = client.SetAddress("http://" + listenAddr)
+			if err != nil {
+				t.Fatal(err)
+			}
+			secret, err := client.Logical().Read("secret/foo")
+			switch {
+			case (err != nil || secret == nil) && tc.expectError:
+			case (err == nil || secret != nil) && !tc.expectError:
+			default:
+				t.Fatalf("%s expectError=%v error=%v secret=%v", tcname, tc.expectError, err, secret)
+			}
+			if secret != nil && secret.Data["foo"] != nil {
+				val := secret.Data["foo"].(map[string]interface{})
+				if !reflect.DeepEqual(val, map[string]interface{}{"bar": "baz"}) {
+					t.Fatalf("expected key 'foo' to yield bar=baz, got: %v", val)
+				}
+			}
+			time.Sleep(time.Second)
+
+			close(cmd.ShutdownCh)
+			wg.Wait()
+		})
+	}
+}
+
+// TestProxy_Metrics tests that metrics are being properly reported.
+func TestProxy_Metrics(t *testing.T) {
+	// Start a vault server
+	logger := logging.NewVaultLogger(hclog.Trace)
+	cluster := vault.NewTestCluster(t, nil,
+		&vault.TestClusterOptions{
+			HandlerFunc: vaulthttp.Handler,
+		})
+	cluster.Start()
+	defer cluster.Cleanup()
+	vault.TestWaitActive(t, cluster.Cores[0].Core)
+	serverClient := cluster.Cores[0].Client
+
+	// Create a config file
+	listenAddr := generateListenerAddress(t)
+	config := fmt.Sprintf(`
+cache {}
+
+listener "tcp" {
+    address = "%s"
+    tls_disable = true
+}
+`, listenAddr)
+	configPath := makeTempFile(t, "config.hcl", config)
+	defer os.Remove(configPath)
+
+	ui, cmd := testProxyCommand(t, logger)
+	cmd.client = serverClient
+	cmd.startedCh = make(chan struct{})
+
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		code := cmd.Run([]string{"-config", configPath})
+		if code != 0 {
+			t.Errorf("non-zero return code when running proxy: %d", code)
+			t.Logf("STDOUT from proxy:\n%s", ui.OutputWriter.String())
+			t.Logf("STDERR from proxy:\n%s", ui.ErrorWriter.String())
+		}
+		wg.Done()
+	}()
+
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Errorf("timeout")
+	}
+
+	// defer proxy shutdown
+	defer func() {
+		cmd.ShutdownCh <- struct{}{}
+		wg.Wait()
+	}()
+
+	conf := api.DefaultConfig()
+	conf.Address = "http://" + listenAddr
+	proxyClient, err := api.NewClient(conf)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	req := proxyClient.NewRequest("GET", "/proxy/v1/metrics")
+	body := request(t, proxyClient, req, 200)
+	keys := []string{}
+	for k := range body {
+		keys = append(keys, k)
+	}
+	require.ElementsMatch(t, keys, []string{
+		"Counters",
+		"Samples",
+		"Timestamp",
+		"Gauges",
+		"Points",
+	})
+}
+
+// TestProxy_QuitAPI Tests the /proxy/v1/quit API that can be enabled for the proxy.
+func TestProxy_QuitAPI(t *testing.T) {
+	cluster := minimal.NewTestSoloCluster(t, nil)
+	serverClient := cluster.Cores[0].Client
+
+	// Unset the environment variable so that proxy picks up the right test
+	// cluster address
+	defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
+	err := os.Unsetenv(api.EnvVaultAddress)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	listenAddr := generateListenerAddress(t)
+	listenAddr2 := generateListenerAddress(t)
+	config := fmt.Sprintf(`
+vault {
+  address = "%s"
+  tls_skip_verify = true
+}
+
+listener "tcp" {
+	address = "%s"
+	tls_disable = true
+}
+
+listener "tcp" {
+	address = "%s"
+	tls_disable = true
+	proxy_api {
+		enable_quit = true
+	}
+}
+
+cache {}
+`, serverClient.Address(), listenAddr, listenAddr2)
+
+	configPath := makeTempFile(t, "config.hcl", config)
+	defer os.Remove(configPath)
+
+	_, cmd := testProxyCommand(t, nil)
+	cmd.startedCh = make(chan struct{})
+
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		cmd.Run([]string{"-config", configPath})
+		wg.Done()
+	}()
+
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Errorf("timeout")
+	}
+	client, err := api.NewClient(api.DefaultConfig())
+	if err != nil {
+		t.Fatal(err)
+	}
+	client.SetToken(serverClient.Token())
+	client.SetMaxRetries(0)
+	err = client.SetAddress("http://" + listenAddr)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// First try on listener 1 where the API should be disabled.
+	resp, err := client.RawRequest(client.NewRequest(http.MethodPost, "/proxy/v1/quit"))
+	if err == nil {
+		t.Fatalf("expected error")
+	}
+	if resp != nil && resp.StatusCode != http.StatusNotFound {
+		t.Fatalf("expected %d but got: %d", http.StatusNotFound, resp.StatusCode)
+	}
+
+	// Now try on listener 2 where the quit API should be enabled.
+	err = client.SetAddress("http://" + listenAddr2)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = client.RawRequest(client.NewRequest(http.MethodPost, "/proxy/v1/quit"))
+	if err != nil {
+		t.Fatalf("unexpected error: %s", err)
+	}
+
+	select {
+	case <-cmd.ShutdownCh:
+	case <-time.After(5 * time.Second):
+		t.Errorf("timeout")
+	}
+
+	wg.Wait()
+}
+
+// TestProxy_LogFile_CliOverridesConfig tests that the CLI values
+// override the config for log files
+func TestProxy_LogFile_CliOverridesConfig(t *testing.T) {
+	// Create basic config
+	configFile := populateTempFile(t, "proxy-config.hcl", BasicHclConfig)
+	cfg, err := proxyConfig.LoadConfigFile(configFile.Name())
+	if err != nil {
+		t.Fatal("Cannot load config to test update/merge", err)
+	}
+
+	// Sanity check that the config value is the current value
+	assert.Equal(t, "TMPDIR/juan.log", cfg.LogFile)
+
+	// Initialize the command and parse any flags
+	cmd := &ProxyCommand{BaseCommand: &BaseCommand{}}
+	f := cmd.Flags()
+	// Simulate the flag being specified
+	err = f.Parse([]string{"-log-file=/foo/bar/test.log"})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Update the config based on the inputs.
+	cmd.applyConfigOverrides(f, cfg)
+
+	assert.NotEqual(t, "TMPDIR/juan.log", cfg.LogFile)
+	assert.NotEqual(t, "/squiggle/logs.txt", cfg.LogFile)
+	assert.Equal(t, "/foo/bar/test.log", cfg.LogFile)
+}
+
+// TestProxy_LogFile_Config tests log file config when loaded from config
+func TestProxy_LogFile_Config(t *testing.T) {
+	configFile := populateTempFile(t, "proxy-config.hcl", BasicHclConfig)
+
+	cfg, err := proxyConfig.LoadConfigFile(configFile.Name())
+	if err != nil {
+		t.Fatal("Cannot load config to test update/merge", err)
+	}
+
+	// Sanity check that the config value is the current value
+	assert.Equal(t, "TMPDIR/juan.log", cfg.LogFile, "sanity check on log config failed")
+	assert.Equal(t, 2, cfg.LogRotateMaxFiles)
+	assert.Equal(t, 1048576, cfg.LogRotateBytes)
+
+	// Parse the cli flags (but we pass in an empty slice)
+	cmd := &ProxyCommand{BaseCommand: &BaseCommand{}}
+	f := cmd.Flags()
+	err = f.Parse([]string{})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Should change nothing...
+	cmd.applyConfigOverrides(f, cfg)
+
+	assert.Equal(t, "TMPDIR/juan.log", cfg.LogFile, "actual config check")
+	assert.Equal(t, 2, cfg.LogRotateMaxFiles)
+	assert.Equal(t, 1048576, cfg.LogRotateBytes)
+}
+
+// TestProxy_Config_NewLogger_Default Tests defaults for log level and
+// specifically cmd.newLogger()
+func TestProxy_Config_NewLogger_Default(t *testing.T) {
+	cmd := &ProxyCommand{BaseCommand: &BaseCommand{}}
+	cmd.config = proxyConfig.NewConfig()
+	logger, err := cmd.newLogger()
+
+	assert.NoError(t, err)
+	assert.NotNil(t, logger)
+	assert.Equal(t, hclog.Info.String(), logger.GetLevel().String())
+}
+
+// TestProxy_Config_ReloadLogLevel Tests reloading updates the log
+// level as expected.
+func TestProxy_Config_ReloadLogLevel(t *testing.T) {
+	cmd := &ProxyCommand{BaseCommand: &BaseCommand{}}
+	var err error
+	tempDir := t.TempDir()
+
+	// Load an initial config
+	hcl := strings.ReplaceAll(BasicHclConfig, "TMPDIR", tempDir)
+	configFile := populateTempFile(t, "proxy-config.hcl", hcl)
+	cmd.config, err = proxyConfig.LoadConfigFile(configFile.Name())
+	if err != nil {
+		t.Fatal("Cannot load config to test update/merge", err)
+	}
+
+	// Tweak the loaded config to make sure we can put log files into a temp dir
+	// and systemd log attempts work fine, this would usually happen during Run.
+	cmd.logWriter = os.Stdout
+	cmd.logger, err = cmd.newLogger()
+	if err != nil {
+		t.Fatal("logger required for systemd log messages", err)
+	}
+
+	// Sanity check
+	assert.Equal(t, "warn", cmd.config.LogLevel)
+
+	// Load a new config
+	hcl = strings.ReplaceAll(BasicHclConfig2, "TMPDIR", tempDir)
+	configFile = populateTempFile(t, "proxy-config.hcl", hcl)
+	err = cmd.reloadConfig([]string{configFile.Name()})
+	assert.NoError(t, err)
+	assert.Equal(t, "debug", cmd.config.LogLevel)
+}
+
+// TestProxy_Config_ReloadTls Tests that the TLS certs for the listener are
+// correctly reloaded.
+func TestProxy_Config_ReloadTls(t *testing.T) {
+	var wg sync.WaitGroup
+	wd, err := os.Getwd()
+	if err != nil {
+		t.Fatal("unable to get current working directory")
+	}
+	workingDir := filepath.Join(wd, "/proxy/test-fixtures/reload")
+	fooCert := "reload_foo.pem"
+	fooKey := "reload_foo.key"
+
+	barCert := "reload_bar.pem"
+	barKey := "reload_bar.key"
+
+	reloadCert := "reload_cert.pem"
+	reloadKey := "reload_key.pem"
+	caPem := "reload_ca.pem"
+
+	tempDir := t.TempDir()
+
+	// Set up initial 'foo' certs
+	inBytes, err := os.ReadFile(filepath.Join(workingDir, fooCert))
+	if err != nil {
+		t.Fatal("unable to read cert required for test", fooCert, err)
+	}
+	err = os.WriteFile(filepath.Join(tempDir, reloadCert), inBytes, 0o777)
+	if err != nil {
+		t.Fatal("unable to write temp cert required for test", reloadCert, err)
+	}
+
+	inBytes, err = os.ReadFile(filepath.Join(workingDir, fooKey))
+	if err != nil {
+		t.Fatal("unable to read cert key required for test", fooKey, err)
+	}
+	err = os.WriteFile(filepath.Join(tempDir, reloadKey), inBytes, 0o777)
+	if err != nil {
+		t.Fatal("unable to write temp cert key required for test", reloadKey, err)
+	}
+
+	inBytes, err = os.ReadFile(filepath.Join(workingDir, caPem))
+	if err != nil {
+		t.Fatal("unable to read CA pem required for test", caPem, err)
+	}
+	certPool := x509.NewCertPool()
+	ok := certPool.AppendCertsFromPEM(inBytes)
+	if !ok {
+		t.Fatal("not ok when appending CA cert")
+	}
+
+	replacedHcl := strings.ReplaceAll(BasicHclConfig, "TMPDIR", tempDir)
+	configFile := populateTempFile(t, "proxy-config.hcl", replacedHcl)
+
+	// Set up Proxy
+	logger := logging.NewVaultLogger(hclog.Trace)
+	ui, cmd := testProxyCommand(t, logger)
+
+	var output string
+	var code int
+	wg.Add(1)
+	args := []string{"-config", configFile.Name()}
+	go func() {
+		if code = cmd.Run(args); code != 0 {
+			output = ui.ErrorWriter.String() + ui.OutputWriter.String()
+		}
+		wg.Done()
+	}()
+
+	testCertificateName := func(cn string) error {
+		conn, err := tls.Dial("tcp", "127.0.0.1:8100", &tls.Config{
+			RootCAs: certPool,
+		})
+		if err != nil {
+			return err
+		}
+		defer conn.Close()
+		if err = conn.Handshake(); err != nil {
+			return err
+		}
+		servName := conn.ConnectionState().PeerCertificates[0].Subject.CommonName
+		if servName != cn {
+			return fmt.Errorf("expected %s, got %s", cn, servName)
+		}
+		return nil
+	}
+
+	// Start
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Fatalf("timeout")
+	}
+
+	if err := testCertificateName("foo.example.com"); err != nil {
+		t.Fatalf("certificate name didn't check out: %s", err)
+	}
+
+	// Swap out certs
+	inBytes, err = os.ReadFile(filepath.Join(workingDir, barCert))
+	if err != nil {
+		t.Fatal("unable to read cert required for test", barCert, err)
+	}
+	err = os.WriteFile(filepath.Join(tempDir, reloadCert), inBytes, 0o777)
+	if err != nil {
+		t.Fatal("unable to write temp cert required for test", reloadCert, err)
+	}
+
+	inBytes, err = os.ReadFile(filepath.Join(workingDir, barKey))
+	if err != nil {
+		t.Fatal("unable to read cert key required for test", barKey, err)
+	}
+	err = os.WriteFile(filepath.Join(tempDir, reloadKey), inBytes, 0o777)
+	if err != nil {
+		t.Fatal("unable to write temp cert key required for test", reloadKey, err)
+	}
+
+	// Reload
+	cmd.SighupCh <- struct{}{}
+	select {
+	case <-cmd.reloadedCh:
+	case <-time.After(5 * time.Second):
+		t.Fatalf("timeout")
+	}
+
+	if err := testCertificateName("bar.example.com"); err != nil {
+		t.Fatalf("certificate name didn't check out: %s", err)
+	}
+
+	// Shut down
+	cmd.ShutdownCh <- struct{}{}
+	wg.Wait()
+
+	if code != 0 {
+		t.Fatalf("got a non-zero exit status: %d, stdout/stderr: %s", code, output)
+	}
+}
diff --git a/ui/lib/core/addon/components/info-table.js b/ui/lib/core/addon/components/info-table.js
index 00eb57bfedb8..6247790f757a 100644
--- a/ui/lib/core/addon/components/info-table.js
+++ b/ui/lib/core/addon/components/info-table.js
@@ -1,29 +1,158 @@
 /**
  * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
+ * SPDX-License-Identifier: MPL-2.0
  */
 
 import Component from '@glimmer/component';
-
+import { action } from '@ember/object';
+import { tracked } from '@glimmer/tracking';
+import { inject as service } from '@ember/service';
+import { pathIsDirectory } from 'kv/utils/kv-breadcrumbs';
 /**
- * @module InfoTable
- * InfoTable components are a table with a single column and header. They are used to render a list of InfoTableRow components.
+ * @module DashboardQuickActionsCard
+ * DashboardQuickActionsCard component allows users to see a list of secrets engines filtered by
+ * kv, pki and database and perform certain actions based on the type of secret engine selected
  *
  * @example
  * ```js
- * <InfoTable
-        @title="Known Primary Cluster Addrs"
-        @header="cluster_addr"
-        @items={{knownPrimaryClusterAddrs}}
-      />
+ *   <Dashboard::QuickActionsCard @secretsEngines={{@model.secretsEngines}} />
  * ```
- * @param {String} [title=Info Table] - The title of the table. Used for accessibility purposes.
- * @param {String} header=null - The column header.
- * @param {Array} items=null - An array of strings which will be used as the InfoTableRow value.
  */
 
-export default class InfoTable extends Component {
-  get title() {
-    return this.args.title || 'Info Table';
+const QUICK_ACTION_ENGINES = ['pki', 'database'];
+
+export default class DashboardQuickActionsCard extends Component {
+  @service router;
+
+  @tracked selectedEngine;
+  @tracked selectedAction;
+  @tracked paramValue;
+
+  get actionOptions() {
+    switch (this.selectedEngine.type) {
+      case 'kv':
+        return ['Find KV secrets'];
+      case 'database':
+        return ['Generate credentials for database'];
+      case 'pki':
+        return ['Issue certificate', 'View certificate', 'View issuer'];
+      default:
+        return [];
+    }
+  }
+
+  get searchSelectParams() {
+    switch (this.selectedAction) {
+      case 'Find KV secrets':
+        return {
+          title: 'Secret path',
+          subText: 'Path of the secret you want to read.',
+          buttonText: 'Read secrets',
+          model: 'kv/metadata',
+          route: 'vault.cluster.secrets.backend.kv.secret.details',
+          nameKey: 'path',
+          queryObject: { pathToSecret: '', backend: this.selectedEngine.id },
+          objectKeys: ['path', 'id'],
+        };
+      case 'Generate credentials for database':
+        return {
+          title: 'Role to use',
+          buttonText: 'Generate credentials',
+          model: 'database/role',
+          route: 'vault.cluster.secrets.backend.credentials',
+          queryObject: { backend: this.selectedEngine.id },
+        };
+      case 'Issue certificate':
+        return {
+          title: 'Role to use',
+          placeholder: 'Type to find a role',
+          buttonText: 'Issue leaf certificate',
+          model: 'pki/role',
+          route: 'vault.cluster.secrets.backend.pki.roles.role.generate',
+          queryObject: { backend: this.selectedEngine.id },
+        };
+      case 'View certificate':
+        return {
+          title: 'Certificate serial number',
+          placeholder: '33:a3:...',
+          buttonText: 'View certificate',
+          model: 'pki/certificate/base',
+          route: 'vault.cluster.secrets.backend.pki.certificates.certificate.details',
+          queryObject: { backend: this.selectedEngine.id },
+        };
+      case 'View issuer':
+        return {
+          title: 'Issuer',
+          placeholder: 'Type issuer name or ID',
+          buttonText: 'View issuer',
+          model: 'pki/issuer',
+          route: 'vault.cluster.secrets.backend.pki.issuers.issuer.details',
+          nameKey: 'issuerName',
+          queryObject: { backend: this.selectedEngine.id },
+          objectKeys: ['id', 'issuerName'],
+        };
+      default:
+        return {
+          placeholder: 'Please select an action above',
+          buttonText: 'Select an action',
+          model: '',
+        };
+    }
+  }
+
+  get filteredSecretEngines() {
+    return this.args.secretsEngines?.filter(
+      (engine) => (engine.type === 'kv' && engine.version == 2) || QUICK_ACTION_ENGINES.includes(engine.type)
+    );
+  }
+
+  get mountOptions() {
+    return this.filteredSecretEngines?.map((engine) => {
+      const { id, type } = engine;
+
+      return { name: id, type, id };
+    });
+  }
+
+  @action
+  handleSearchEngineSelect([selection]) {
+    this.selectedEngine = selection;
+    // reset tracked properties
+    this.selectedAction = null;
+    this.paramValue = null;
+  }
+
+  @action
+  setSelectedAction(selectedAction) {
+    this.selectedAction = selectedAction;
+    this.paramValue = null;
+  }
+
+  @action
+  handleActionSelect(val) {
+    if (Array.isArray(val)) {
+      this.paramValue = val[0];
+    } else {
+      this.paramValue = val;
+    }
+  }
+
+  @action
+  navigateToPage() {
+    let route = this.searchSelectParams.route;
+    // If search-select falls back to stringInput, paramValue is a string not object
+    let param = this.paramValue.id || this.paramValue;
+
+    // kv has a special use case where if the paramValue ends in a '/' you should
+    // link to different route
+    if (this.selectedEngine.type === 'kv') {
+      const path = this.paramValue.path || this.paramValue;
+      route = pathIsDirectory(path)
+        ? 'vault.cluster.secrets.backend.kv.list-directory'
+        : 'vault.cluster.secrets.backend.kv.secret.details';
+      param = path;
+    }
+
+    this.router.transitionTo(route, this.selectedEngine.id, param);
   }
 }
diff --git a/ui/lib/core/addon/components/json-editor.hbs b/ui/lib/core/addon/components/json-editor.hbs
index b7b15e3b72e6..7c4e00100fc3 100644
--- a/ui/lib/core/addon/components/json-editor.hbs
+++ b/ui/lib/core/addon/components/json-editor.hbs
@@ -3,63 +3,67 @@
   SPDX-License-Identifier: BUSL-1.1
 ~}}
 
-<div ...attributes>
-  {{#if this.getShowToolbar}}
-    <div data-test-component="json-editor-toolbar">
-      <Toolbar>
-        <label class="has-text-weight-bold" data-test-component="json-editor-title">
-          {{@title}}
-          {{#if @subTitle}}
-            <span class="is-size-9 is-lowercase has-text-grey">({{@subTitle}})</span>
+<Hds::PageHeader class="has-top-margin-xl has-bottom-margin-m" as |PH|>
+  <PH.Title>Raft Storage</PH.Title>
+  <PH.Actions>
+    <Hds::Dropdown as |dd|>
+      <dd.ToggleButton @text="Snapshots" @color="secondary" />
+      {{#if this.useServiceWorker}}
+        <dd.Interactive
+          @href="/v1/sys/storage/raft/snapshot"
+          @isHrefExternal={{false}}
+          @text="Download"
+          {{on "click" (action "downloadViaServiceWorker")}}
+        />
+      {{else}}
+        <dd.Interactive @text="Download" {{on "click" (action "downloadSnapshot")}} />
+      {{/if}}
+      <dd.Interactive @text="Restore" @route="vault.cluster.storage-restore" />
+    </Hds::Dropdown>
+  </PH.Actions>
+</Hds::PageHeader>
+
+<Hds::Table @caption="Raft servers">
+  <:head as |H|>
+    <H.Tr>
+      <H.Th>Address</H.Th>
+      <H.Th>Leader</H.Th>
+      <H.Th>Voter</H.Th>
+      <H.Th @align="right">Actions</H.Th>
+    </H.Tr>
+  </:head>
+  <:body as |B|>
+    {{#each @model as |server|}}
+      <B.Tr data-raft-row>
+        <B.Td>{{server.address}}</B.Td>
+        <B.Td>{{#if server.leader}}
+            <Hds::Badge @text="Yes" @type="outlined" @color="success" @icon="check-circle" />
+          {{else}}
+            <Hds::Badge @text="No" @type="outlined" @icon="x-square" />
           {{/if}}
-        </label>
-        <ToolbarActions>
-          {{yield}}
-          {{#if @example}}
-            <Hds::Button
-              class="toolbar-button"
-              @icon="reload"
-              @text="Restore example"
-              disabled={{not @value}}
-              {{on "click" this.restoreExample}}
-              data-test-restore-example
-            />
+        </B.Td>
+        <B.Td>
+          {{#if server.voter}}
+            <Hds::Badge @text="Yes" @type="outlined" @color="success" @icon="check-circle" />
+          {{else}}
+            <Hds::Badge @text="No" @type="outlined" @icon="x-square" />
           {{/if}}
-          <div class="toolbar-separator"></div>
-          <Hds::Copy::Button
-            @container={{@container}}
-            @text="Copy"
-            @isIconOnly={{true}}
-            @textToCopy={{@value}}
-            class="transparent"
-            data-test-copy-button
-          />
-        </ToolbarActions>
-      </Toolbar>
-    </div>
-  {{/if}}
-  <div
-    {{code-mirror
-      content=(or @value @example)
-      extraKeys=@extraKeys
-      gutters=@gutters
-      lineNumbers=(if @readOnly false true)
-      mode=@mode
-      readOnly=@readOnly
-      theme=@theme
-      viewportMarg=@viewportMargin
-      onSetup=this.onSetup
-      onUpdate=this.onUpdate
-      onFocus=this.onFocus
-      autoRefresh=(if @container true false)
-    }}
-    class={{if @readOnly "readonly-codemirror"}}
-    data-test-component="code-mirror-modifier"
-  ></div>
-
-  {{#if @helpText}}
-    <div class="box is-shadowless is-fullwidth has-short-padding">
-      <p class="sub-text">{{@helpText}}</p>
-    </div>
-  {{/if}}
-</div>
\ No newline at end of file
+        </B.Td>
+        <B.Td @align="right">
+          <Hds::Dropdown @isInline={{true}} data-test-raft-actions as |dd|>
+            <dd.ToggleIcon @icon="more-horizontal" @text="Raft server actions" @hasChevron={{false}} />
+            <dd.Generic>
+              <ConfirmAction
+                @isInDropdown={{true}}
+                @onConfirmAction={{action "removePeer" server}}
+                @buttonText="Remove Peer"
+                @confirmTitle="Remove {{server.nodeId}}?"
+                @confirmMessage="This will remove the server from the raft cluster."
+              />
+            </dd.Generic>
+          </Hds::Dropdown>
+        </B.Td>
+      </B.Tr>
+    {{/each}}
+  </:body>
+</Hds::Table>
\ No newline at end of file
diff --git a/ui/lib/core/addon/components/kv-object-editor.hbs b/ui/lib/core/addon/components/kv-object-editor.hbs
index 74cb0d63e9b7..56c2aa7ec931 100644
--- a/ui/lib/core/addon/components/kv-object-editor.hbs
+++ b/ui/lib/core/addon/components/kv-object-editor.hbs
@@ -1,92 +1,74 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
 
-<div class="field" ...attributes {{did-insert this.createKvData @value}}>
-  <FormFieldLabel
-    @label={{@label}}
-    @helpText={{@helpText}}
-    @subText={{@subText}}
-    class={{@labelClass}}
-    data-test-kv-label={{true}}
-  />
-  {{#if @validationError}}
-    <div>
-      <AlertInline @type="danger" @message={{@validationError}} @paddingTop={{true}} />
-    </div>
-  {{/if}}
-  {{#if this.kvData}}
-    {{#each this.kvData as |row index|}}
-      <div class="columns is-variable" data-test-kv-row>
-        <div class="column is-one-quarter">
-          <Input
-            data-test-kv-key={{index}}
-            @value={{row.name}}
-            placeholder={{this.placeholders.key}}
-            {{on "change" (fn this.updateRow row index)}}
-            {{on "input" (fn this.validateKey index)}}
-            class="input"
-          />
-        </div>
-        <div class="column">
-          {{#if (has-block)}}
-            {{yield row this.kvData}}
-          {{else if @isMasked}}
-            <MaskedInput
-              data-test-kv-value={{index}}
-              @name={{row.name}}
-              @onChange={{fn this.updateRow row index}}
-              @value={{row.value}}
-            />
-          {{else}}
-            <Textarea
-              data-test-kv-value={{index}}
-              name={{row.name}}
-              class="input {{if @validationError 'has-error-border'}}"
-              @value={{row.value}}
-              wrap="off"
-              placeholder={{this.placeholders.value}}
-              rows={{1}}
-              {{on "change" (fn this.updateRow row index)}}
-              {{on "keyup" this.handleKeyUp}}
-            />
-          {{/if}}
-        </div>
-        <div class="column is-1">
-          {{#if (eq this.kvData.length (inc index))}}
-            <Hds::Button @text="Add" {{on "click" this.addRow}} data-test-kv-add-row={{index}} @isFullWidth={{true}} />
-          {{else}}
-            <Hds::Button
-              @text="Delete row"
-              @color="secondary"
-              {{on "click" (fn this.deleteRow row index)}}
-              @icon="trash"
-              @isIconOnly={{true}}
-              @isFullWidth={{true}}
-              data-test-kv-delete-row={{index}}
-            />
-          {{/if}}
-        </div>
-      </div>
-      {{#if (includes index this.whitespaceWarningRows)}}
-        <div class="has-bottom-margin-s">
-          <AlertInline
-            @type="warning"
-            @message="Key contains whitespace. If this is desired, you'll need to encode it with %20 in API requests."
-            data-test-kv-whitespace-warning={{index}}
-          />
-        </div>
-      {{/if}}
-    {{/each}}
-    {{#if this.hasDuplicateKeys}}
-      <Hds::Alert data-test-duplicate-keys-warning @type="inline" @color="warning" as |A|>
-        <A.Title>Warning</A.Title>
-        <A.Description>
-          More than one key shares the same name. Please be sure to have unique key names or some data may be lost when
-          saving.
-        </A.Description>
-      </Hds::Alert>
-    {{/if}}
-  {{/if}}
-</div>
\ No newline at end of file
+import { module, test } from 'qunit';
+import { setupApplicationTest } from 'ember-qunit';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { click, visit } from '@ember/test-helpers';
+import authPage from 'vault/tests/pages/auth';
+
+module('Acceptance | raft storage', function (hooks) {
+  setupApplicationTest(hooks);
+  setupMirage(hooks);
+
+  hooks.beforeEach(async function () {
+    this.config = this.server.create('configuration', 'withRaft');
+    this.server.get('/sys/internal/ui/resultant-acl', () =>
+      this.server.create('configuration', { data: { root: true } })
+    );
+    this.server.get('/sys/license/features', () => ({}));
+    await authPage.login();
+  });
+
+  test('it should render correct number of raft peers', async function (assert) {
+    assert.expect(3);
+
+    let didRemovePeer = false;
+    this.server.get('/sys/storage/raft/configuration', () => {
+      if (didRemovePeer) {
+        this.config.data.config.servers.pop();
+      } else {
+        // consider peer removed by external means (cli) after initial request
+        didRemovePeer = true;
+      }
+      return this.config;
+    });
+
+    await visit('/vault/storage/raft');
+    assert.dom('[data-raft-row]').exists({ count: 2 }, '2 raft peers render in table');
+    // leave route and return to trigger config fetch
+    await visit('/vault/secrets');
+    await visit('/vault/storage/raft');
+    const store = this.owner.lookup('service:store');
+    assert.strictEqual(
+      store.peekAll('server').length,
+      2,
+      'Store contains 2 server records since remove peer was triggered externally'
+    );
+    assert.dom('[data-raft-row]').exists({ count: 1 }, 'Only raft nodes from response are rendered');
+  });
+
+  test('it should remove raft peer', async function (assert) {
+    assert.expect(3);
+
+    this.server.get('/sys/storage/raft/configuration', () => this.config);
+    this.server.post('/sys/storage/raft/remove-peer', (schema, req) => {
+      const body = JSON.parse(req.requestBody);
+      assert.strictEqual(
+        body.server_id,
+        this.config.data.config.servers[1].node_id,
+        'Remove peer request made with node id'
+      );
+      return {};
+    });
+
+    await visit('/vault/storage/raft');
+    assert.dom('[data-raft-row]').exists({ count: 2 }, '2 raft peers render in table');
+    await click('[data-raft-row]:nth-child(2) [data-test-raft-actions] button');
+    await click('[data-test-confirm-action-trigger]');
+    await click('[data-test-confirm-button]');
+    assert.dom('[data-raft-row]').exists({ count: 1 }, 'Raft peer successfully removed');
+  });
+});
diff --git a/ui/lib/core/addon/components/masked-input.hbs b/ui/lib/core/addon/components/masked-input.hbs
index 221e6b0fbb8c..76dcf4fa0de0 100644
--- a/ui/lib/core/addon/components/masked-input.hbs
+++ b/ui/lib/core/addon/components/masked-input.hbs
@@ -1,102 +1,1458 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<div
-  class="masked-input {{if @displayOnly 'display-only'}} {{if @allowCopy 'allow-copy'}}"
-  data-test-masked-input
-  data-test-field
-  ...attributes
->
-  {{#if @displayOnly}}
-    {{#if this.showValue}}
-      {{! Show minus icon if there is no value }}
-      {{#if (eq @value "")}}
-        <Icon class="masked-value" @name="minus" />
-      {{else}}
-        <pre class="masked-value display-only is-word-break">{{@value}}</pre>
-      {{/if}}
-    {{else}}
-      <pre class="masked-value display-only masked-font">***********</pre>
-    {{/if}}
-  {{else}}
-    <Textarea
-      id={{this.textareaId}}
-      name={{@name}}
-      @value={{@value}}
-      class="input masked-value {{unless this.showValue 'masked-font'}}"
-      rows={{1}}
-      wrap="off"
-      spellcheck="false"
-      {{on "change" this.onChange}}
-      {{on "keyup" (fn this.handleKeyUp @name)}}
-      data-test-textarea
-    />
-  {{/if}}
-  {{#if @allowCopy}}
-    <Hds::Copy::Button
-      @text="Copy"
-      @isIconOnly={{true}}
-      @textToCopy={{@value}}
-      class="transparent has-padding-xxs"
-      data-test-copy-button
-    />
-  {{/if}}
-  {{#if @allowDownload}}
-    <Hds::Button
-      @text="Download secret value"
-      @icon="download"
-      @isIconOnly={{true}}
-      @color="tertiary"
-      class="has-padding-xxs"
-      data-test-download-icon
-      {{on "click" (fn (mut this.modalOpen) true)}}
-    />
-  {{/if}}
-  <Hds::Button
-    @text={{if this.showValue "hide value" "show value"}}
-    @icon={{if this.showValue "eye-off" "eye"}}
-    @isIconOnly={{true}}
-    @color="tertiary"
-    class="has-padding-xxs"
-    data-test-button="toggle-masked"
-    {{on "click" this.toggleMask}}
-  />
-</div>
-
-{{! CONFIRM DOWNLOAD MODAL }}
-{{#if this.modalOpen}}
-  <Hds::Modal @color="warning" id="confirm-download-modal" @onClose={{fn (mut this.modalOpen) false}} as |M|>
-    <M.Header @icon="alert-triangle">
-      Download secret value?
-    </M.Header>
-    <M.Body>
-      This download is
-      <strong>unencrypted</strong>. Are you sure you want to download this secret data as plaintext?
-
-      <div class="has-top-margin-m">
-        <Hds::Form::Toggle::Field
-          checked={{this.stringifyDownload}}
-          {{on "change" this.toggleStringifyDownload}}
-          data-test-stringify-toggle
-          as |F|
-        >
-          <F.Label>Stringify secret value</F.Label>
-          <F.HelperText>Preserve formatting for JSON values.</F.HelperText>
-        </Hds::Form::Toggle::Field>
-      </div>
-    </M.Body>
-    <M.Footer as |F|>
-      <Hds::ButtonSet>
-        <DownloadButton
-          @filename={{or @name "secret-value"}}
-          @data={{@value}}
-          @stringify={{this.stringifyDownload}}
-          @onSuccess={{fn (mut this.modalOpen) false}}
-        />
-        <Hds::Button @text="Cancel" @color="secondary" {{on "click" F.close}} />
-      </Hds::ButtonSet>
-    </M.Footer>
-  </Hds::Modal>
-{{/if}}
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package vault
+
+import (
+	"context"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/golang/protobuf/proto"
+	"github.com/hashicorp/go-cleanhttp"
+	"github.com/hashicorp/go-discover"
+	discoverk8s "github.com/hashicorp/go-discover/provider/k8s"
+	"github.com/hashicorp/go-hclog"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
+	"github.com/hashicorp/go-secure-stdlib/tlsutil"
+	"github.com/hashicorp/go-uuid"
+	goversion "github.com/hashicorp/go-version"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/physical/raft"
+	"github.com/hashicorp/vault/sdk/helper/jsonutil"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/vault/seal"
+	"github.com/mitchellh/mapstructure"
+	"golang.org/x/net/http2"
+)
+
+const (
+	// undoLogMonitorInterval is how often the leader checks to see
+	// if all the cluster members it knows about are new enough to support
+	// undo logs.
+	undoLogMonitorInterval = time.Second
+
+	// undoLogSafeVersion is the minimum version Vault must be at in order
+	// for undo logs to be turned on.
+	undoLogSafeVersion = "1.12.0"
+)
+
+var (
+	raftTLSStoragePath    = "core/raft/tls"
+	raftTLSRotationPeriod = 24 * time.Hour
+
+	raftAutopilotConfigurationStoragePath = "core/raft/autopilot/configuration"
+
+	// TestingUpdateClusterAddr is used in tests to override the cluster address
+	TestingUpdateClusterAddr uint32
+
+	ErrJoinWithoutAutoloading = errors.New("attempt to join a cluster using autoloaded licenses while not using autoloading ourself")
+)
+
+// GetRaftNodeID returns the raft node ID if there is one, or an empty string if there's not
+func (c *Core) GetRaftNodeID() string {
+	rb := c.getRaftBackend()
+
+	if rb == nil {
+		return ""
+	} else {
+		return rb.NodeID()
+	}
+}
+
+func (c *Core) GetRaftIndexes() (committed uint64, applied uint64) {
+	c.stateLock.RLock()
+	defer c.stateLock.RUnlock()
+	return c.GetRaftIndexesLocked()
+}
+
+func (c *Core) GetRaftIndexesLocked() (committed uint64, applied uint64) {
+	raftStorage, ok := c.underlyingPhysical.(*raft.RaftBackend)
+	if !ok {
+		return 0, 0
+	}
+
+	return raftStorage.CommittedIndex(), raftStorage.AppliedIndex()
+}
+
+// startRaftBackend will call SetupCluster in the raft backend which starts raft
+// up and enables the cluster handler.
+func (c *Core) startRaftBackend(ctx context.Context) (retErr error) {
+	raftBackend := c.getRaftBackend()
+	if raftBackend == nil {
+		return nil
+	}
+
+	var creating bool
+	var raftTLS *raft.TLSKeyring
+	if !raftBackend.Initialized() {
+		// Retrieve the raft TLS information
+		raftTLSEntry, err := c.barrier.Get(ctx, raftTLSStoragePath)
+		if err != nil {
+			return err
+		}
+
+		switch raftTLSEntry {
+		case nil:
+			// If this is HA-only and no TLS keyring is found, that means the
+			// cluster has not been bootstrapped or joined. We return early here in
+			// this case. If we return here, the raft object has not been instantiated,
+			// and a bootstrap call should be made.
+			if c.isRaftHAOnly() {
+				c.logger.Trace("skipping raft backend setup during unseal, no bootstrap operation has been started yet")
+				return nil
+			}
+
+			// If we did not find a TLS keyring we will attempt to create one here.
+			// This happens after a storage migration process. This node is also
+			// marked to start as leader so we can write the new TLS Key. This is an
+			// error condition if there are already multiple nodes in the cluster,
+			// and the below storage write will fail. If the cluster is somehow in
+			// this state the unseal will fail and a cluster recovery will need to
+			// be done.
+			creating = true
+			raftTLSKey, err := raft.GenerateTLSKey(c.secureRandomReader)
+			if err != nil {
+				return err
+			}
+
+			raftTLS = &raft.TLSKeyring{
+				Keys:        []*raft.TLSKey{raftTLSKey},
+				ActiveKeyID: raftTLSKey.ID,
+			}
+		default:
+			raftTLS = new(raft.TLSKeyring)
+			if err := raftTLSEntry.DecodeJSON(raftTLS); err != nil {
+				return err
+			}
+		}
+
+		hasState, err := raftBackend.HasState()
+		if err != nil {
+			return err
+		}
+
+		// This can be hit on follower nodes that got their config updated to use
+		// raft for HA-only before they are joined to the cluster. Since followers
+		// in this case use shared storage, it doesn't return early from the TLS
+		// case above, but there's not raft state yet for the backend to call
+		// raft.SetupCluster.
+		if !hasState {
+			c.logger.Trace("skipping raft backend setup during unseal, no raft state found")
+			return nil
+		}
+
+		raftBackend.SetRestoreCallback(c.raftSnapshotRestoreCallback(true, true))
+
+		if err := raftBackend.SetupCluster(ctx, raft.SetupOpts{
+			TLSKeyring:      raftTLS,
+			ClusterListener: c.getClusterListener(),
+			StartAsLeader:   creating,
+		}); err != nil {
+			return err
+		}
+	}
+
+	defer func() {
+		if retErr != nil {
+			c.logger.Info("stopping raft server")
+			if err := raftBackend.TeardownCluster(c.getClusterListener()); err != nil {
+				c.logger.Error("failed to stop raft server", "error", err)
+			}
+		}
+	}()
+
+	// If we are in need of creating the TLS keyring then we should write it out
+	// to storage here. If we fail it may mean we couldn't become leader and we
+	// should error out.
+	if creating {
+		c.logger.Info("writing raft TLS keyring to storage")
+		entry, err := logical.StorageEntryJSON(raftTLSStoragePath, raftTLS)
+		if err != nil {
+			c.logger.Error("error marshaling raft TLS keyring", "error", err)
+			return err
+		}
+		if err := c.barrier.Put(ctx, entry); err != nil {
+			c.logger.Error("error writing raft TLS keyring", "error", err)
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (c *Core) monitorUndoLogs() error {
+	logger := c.logger.Named("undo-log-watcher")
+	logger.Debug("starting undo log watcher")
+	ctx := c.activeContext
+	raftBackend := c.getRaftBackend()
+
+	// First check storage and bail early if we already know undo logs are safe
+	persisted, err := c.UndoLogsPersisted()
+	if err != nil {
+		return fmt.Errorf("error checking for undo logs persistence: %w", err)
+	}
+
+	if persisted {
+		c.EnableUndoLogs()
+		logger.Debug("undo logs are safe, no need to check any more")
+		return nil
+	}
+
+	// If undo logs have been explicitly enabled, likely via VAULT_REPLICATION_USE_UNDO_LOGS, then exit, as presumably
+	// we don't want to be checking for safety if we already know it's safe.
+	if c.UndoLogsEnabled() {
+		logger.Debug("undo logs have been explicitly enabled. exiting monitor.")
+		return nil
+	}
+
+	minimumVersion, err := goversion.NewSemver(undoLogSafeVersion)
+	if err != nil {
+		return fmt.Errorf("minimum undo log version (%q) won't parse: %w", undoLogSafeVersion, err)
+	}
+
+	go func() {
+		ticker := time.NewTicker(undoLogMonitorInterval)
+		defer ticker.Stop()
+
+		logger.Debug("undo logs have not been enabled yet, possibly due to a recent upgrade. starting a periodic check")
+
+		for {
+			select {
+			case <-ticker.C:
+			case <-ctx.Done():
+				return
+			}
+
+			// Check the raft configuration for expected servers
+			config, err := raftBackend.GetConfiguration(ctx)
+			if err != nil {
+				logger.Error("couldn't read raft config", "error", err)
+				continue
+			}
+
+			// This tracks which servers we expect to find in the cluster, from the raft config.
+			expectedServers := make(map[string]struct{})
+			for _, server := range config.Servers {
+				expectedServers[server.Address] = struct{}{}
+			}
+
+			// Retrieve all the nodes in our cluster
+			nodes, err := c.getHAMembers()
+			if err != nil {
+				logger.Error("error getting HA members", "error", err)
+				continue
+			}
+
+			// Check the versions of all of the cluster members. If they're all >= 1.12, undo logs are safe to enable.
+			// If any are < 1.12, undo logs should remain off, regardless of how it was initially configured.
+			enable := true
+			for _, node := range nodes {
+				nodeVersion, err := goversion.NewSemver(node.Version)
+				if err != nil {
+					logger.Error("error parsing node version", "node version", node.Version, "node", node.ClusterAddress, "error", err)
+					break
+				}
+
+				if nodeVersion.LessThan(minimumVersion) {
+					logger.Debug("node version is less than the minimum, disabling undo logs", "node", node.ClusterAddress, "version", node.Version)
+					enable = false
+					break
+				} else {
+					// Raft nodes have their address listed without a scheme, e.g. 127.0.0.1:8201. HA nodes that we get from
+					// getHAMembers() have their address listed with a scheme, e.g. https://127.0.0.1:8201. So we need to
+					// parse the HA node address and reconstruct it ourselves to get a matching hash key.
+					clusterAddr, err := url.Parse(node.ClusterAddress)
+					if err != nil {
+						logger.Error("error parsing node cluster address", "node", node.ClusterAddress, "error", err)
+						break
+					}
+
+					// Deleting from expectedServers means the node in question is running a Vault version greater than
+					// or equal to the minimum.
+					delete(expectedServers, clusterAddr.Host)
+				}
+			}
+
+			// If expectedServers still has nodes in it, that means either we broke from the above loop because some
+			// node's version was too low or because some member of the cluster hasn't sent an echo yet. Either way,
+			// it means we can't enable undo logs.
+			if len(expectedServers) != 0 {
+				enable = false
+			}
+
+			if enable {
+				logger.Debug("undo logs can be safely enabled now")
+				err := c.PersistUndoLogs()
+				if err != nil {
+					logger.Error("error persisting undo logs safety", "error", err)
+					continue
+				}
+
+				logger.Debug("undo logs have been enabled and this has been persisted to storage. shutting down the checker.")
+				return
+			}
+		}
+	}()
+
+	return nil
+}
+
+func (c *Core) setupRaftActiveNode(ctx context.Context) error {
+	raftBackend := c.getRaftBackend()
+	if raftBackend == nil {
+		return nil
+	}
+
+	c.logger.Info("starting raft active node")
+	raftBackend.SetEffectiveSDKVersion(c.effectiveSDKVersion)
+
+	c.pendingRaftPeers = &sync.Map{}
+
+	// Reload the raft TLS keys to ensure we are using the latest version.
+	if err := c.checkRaftTLSKeyUpgrades(ctx); err != nil {
+		return err
+	}
+
+	// We always want to start this watcher - if undo logs are safe to be enabled, it will exit quickly. If not, it
+	// will monitor for safety until they are enabled.
+	if err := c.monitorUndoLogs(); err != nil {
+		return err
+	}
+
+	if err := c.startPeriodicRaftTLSRotate(ctx); err != nil {
+		return err
+	}
+
+	autopilotConfig, err := c.loadAutopilotConfiguration(ctx)
+	if err != nil {
+		c.logger.Error("failed to load autopilot config from storage when setting up cluster; continuing since autopilot falls back to default config", "error", err)
+	}
+	disableAutopilot := c.disableAutopilot
+	raftBackend.SetupAutopilot(c.activeContext, autopilotConfig, c.raftFollowerStates, disableAutopilot)
+	return nil
+}
+
+func (c *Core) stopRaftActiveNode() {
+	raftBackend := c.getRaftBackend()
+	if raftBackend == nil {
+		return
+	}
+
+	c.logger.Info("stopping raft active node")
+
+	if !raftBackend.AutopilotDisabled() {
+		raftBackend.StopAutopilot()
+	}
+
+	c.pendingRaftPeers = nil
+	c.stopPeriodicRaftTLSRotate()
+}
+
+func (c *Core) startPeriodicRaftTLSRotate(ctx context.Context) error {
+	raftBackend := c.getRaftBackend()
+
+	// No-op if raft is not being used
+	if raftBackend == nil {
+		return nil
+	}
+
+	c.raftTLSRotationStopCh = make(chan struct{})
+	logger := c.logger.Named("raft")
+	c.AddLogger(logger)
+
+	if c.isRaftHAOnly() {
+		return c.raftTLSRotateDirect(ctx, logger, c.raftTLSRotationStopCh)
+	}
+
+	return c.raftTLSRotatePhased(ctx, logger, raftBackend, c.raftTLSRotationStopCh)
+}
+
+// raftTLSRotateDirect will spawn a go routine in charge of periodically
+// rotating the TLS certs and keys used for raft traffic.
+//
+// The logic for updating the TLS keyring is through direct storage update. This
+// is called whenever raft is used for HA-only, which means that the underlying
+// storage is a shared physical object, thus requiring no additional
+// coordination.
+func (c *Core) raftTLSRotateDirect(ctx context.Context, logger hclog.Logger, stopCh chan struct{}) error {
+	logger.Info("creating new raft TLS config")
+
+	rotateKeyring := func() (time.Time, error) {
+		// Create a new key
+		raftTLSKey, err := raft.GenerateTLSKey(c.secureRandomReader)
+		if err != nil {
+			return time.Time{}, fmt.Errorf("failed to generate new raft TLS key: %w", err)
+		}
+
+		// Read the existing keyring
+		keyring, err := c.raftReadTLSKeyring(ctx)
+		if err != nil {
+			return time.Time{}, fmt.Errorf("failed to read raft TLS keyring: %w", err)
+		}
+
+		// Advance the term and store the new key, replacing the old one.
+		// Unlike phased rotation, we don't need to update AppliedIndex since
+		// we don't rely on it to check whether the followers got the key. A
+		// shared storage means that followers will have the key as soon as it's
+		// written to storage.
+		keyring.Term += 1
+		keyring.Keys[0] = raftTLSKey
+		keyring.ActiveKeyID = raftTLSKey.ID
+		entry, err := logical.StorageEntryJSON(raftTLSStoragePath, keyring)
+		if err != nil {
+			return time.Time{}, fmt.Errorf("failed to json encode keyring: %w", err)
+		}
+		if err := c.barrier.Put(ctx, entry); err != nil {
+			return time.Time{}, fmt.Errorf("failed to write keyring: %w", err)
+		}
+
+		logger.Info("wrote new raft TLS config")
+
+		// Schedule the next rotation
+		return raftTLSKey.CreatedTime.Add(raftTLSRotationPeriod), nil
+	}
+
+	// Read the keyring to calculate the time of next rotation.
+	keyring, err := c.raftReadTLSKeyring(ctx)
+	if err != nil {
+		return err
+	}
+
+	activeKey := keyring.GetActive()
+	if activeKey == nil {
+		return errors.New("no active raft TLS key found")
+	}
+
+	go func() {
+		nextRotationTime := activeKey.CreatedTime.Add(raftTLSRotationPeriod)
+
+		var backoff bool
+		for {
+			// If we encountered and error we should try to create the key
+			// again.
+			if backoff {
+				nextRotationTime = time.Now().Add(10 * time.Second)
+				backoff = false
+			}
+
+			timer := time.NewTimer(time.Until(nextRotationTime))
+			select {
+			case <-timer.C:
+				// It's time to rotate the keys
+				next, err := rotateKeyring()
+				if err != nil {
+					logger.Error("failed to rotate TLS key", "error", err)
+					backoff = true
+					continue
+				}
+
+				nextRotationTime = next
+
+			case <-stopCh:
+				timer.Stop()
+				return
+			}
+		}
+	}()
+
+	return nil
+}
+
+// raftTLSRotatePhased will spawn a go routine in charge of periodically
+// rotating the TLS certs and keys used for raft traffic.
+//
+// The logic for updating the TLS certificate uses a pseudo two phase commit
+// using the known applied indexes from standby nodes. When writing a new Key
+// it will be appended to the end of the keyring. Standbys can start accepting
+// connections with this key as soon as they see the update. Then it will write
+// the keyring a second time indicating the applied index for this key update.
+//
+// The active node will wait until it sees all standby nodes are at or past the
+// applied index for this update. At that point it will delete the older key
+// and make the new key active. The key isn't officially in use until this
+// happens. The dual write ensures the standby at least gets the first update
+// containing the key before the active node switches over to using it.
+//
+// If a standby is shut down then it cannot advance the key term until it
+// receives the update. This ensures a standby node isn't left behind and unable
+// to reconnect with the cluster. Additionally, only one outstanding key
+// is allowed for this same reason (max keyring size of 2).
+func (c *Core) raftTLSRotatePhased(ctx context.Context, logger hclog.Logger, raftBackend *raft.RaftBackend, stopCh chan struct{}) error {
+	followerStates := c.raftFollowerStates
+	followerStates.Clear()
+
+	// Pre-populate the follower list with the set of peers.
+	raftConfig, err := raftBackend.GetConfiguration(ctx)
+	if err != nil {
+		return err
+	}
+	for _, server := range raftConfig.Servers {
+		if server.NodeID != raftBackend.NodeID() {
+			followerStates.Update(&raft.EchoRequestUpdate{
+				NodeID:          server.NodeID,
+				AppliedIndex:    0,
+				Term:            0,
+				DesiredSuffrage: "voter",
+			})
+		}
+	}
+
+	// rotateKeyring writes new key data to the keyring and adds an applied
+	// index that is used to verify it has been committed. The keys written in
+	// this function can be used on standbys but the active node doesn't start
+	// using it yet.
+	rotateKeyring := func() (time.Time, error) {
+		// Read the existing keyring
+		keyring, err := c.raftReadTLSKeyring(ctx)
+		if err != nil {
+			return time.Time{}, fmt.Errorf("failed to read raft TLS keyring: %w", err)
+		}
+
+		switch {
+		case len(keyring.Keys) == 2 && keyring.Keys[1].AppliedIndex == 0:
+			// If this case is hit then the second write to add the applied
+			// index failed. Attempt to write it again.
+			keyring.Keys[1].AppliedIndex = raftBackend.AppliedIndex()
+			keyring.AppliedIndex = raftBackend.AppliedIndex()
+			entry, err := logical.StorageEntryJSON(raftTLSStoragePath, keyring)
+			if err != nil {
+				return time.Time{}, fmt.Errorf("failed to json encode keyring: %w", err)
+			}
+			if err := c.barrier.Put(ctx, entry); err != nil {
+				return time.Time{}, fmt.Errorf("failed to write keyring: %w", err)
+			}
+
+		case len(keyring.Keys) > 1:
+			// If there already exists a pending key update then the update
+			// hasn't replicated down to all standby nodes yet. Don't allow any
+			// new keys to be created until all standbys have seen this previous
+			// rotation. As a backoff strategy, another rotation attempt is
+			// scheduled for 5 minutes from now.
+			logger.Warn("skipping new raft TLS config creation, keys are pending")
+			return time.Now().Add(time.Minute * 5), nil
+		}
+
+		logger.Info("creating new raft TLS config")
+
+		// Create a new key
+		raftTLSKey, err := raft.GenerateTLSKey(c.secureRandomReader)
+		if err != nil {
+			return time.Time{}, fmt.Errorf("failed to generate new raft TLS key: %w", err)
+		}
+
+		// Advance the term and store the new key
+		keyring.Term += 1
+		keyring.Keys = append(keyring.Keys, raftTLSKey)
+		entry, err := logical.StorageEntryJSON(raftTLSStoragePath, keyring)
+		if err != nil {
+			return time.Time{}, fmt.Errorf("failed to json encode keyring: %w", err)
+		}
+		if err := c.barrier.Put(ctx, entry); err != nil {
+			return time.Time{}, fmt.Errorf("failed to write keyring: %w", err)
+		}
+
+		// Write the keyring again with the new applied index. This allows us to
+		// track if standby nodes received the update.
+		keyring.Keys[1].AppliedIndex = raftBackend.AppliedIndex()
+		keyring.AppliedIndex = raftBackend.AppliedIndex()
+		entry, err = logical.StorageEntryJSON(raftTLSStoragePath, keyring)
+		if err != nil {
+			return time.Time{}, fmt.Errorf("failed to json encode keyring: %w", err)
+		}
+		if err := c.barrier.Put(ctx, entry); err != nil {
+			return time.Time{}, fmt.Errorf("failed to write keyring: %w", err)
+		}
+
+		logger.Info("wrote new raft TLS config")
+		// Schedule the next rotation
+		return raftTLSKey.CreatedTime.Add(raftTLSRotationPeriod), nil
+	}
+
+	// checkCommitted verifies key updates have been applied to all nodes and
+	// finalizes the rotation by deleting the old keys and updating the raft
+	// backend.
+	checkCommitted := func() error {
+		keyring, err := c.raftReadTLSKeyring(ctx)
+		if err != nil {
+			return fmt.Errorf("failed to read raft TLS keyring: %w", err)
+		}
+
+		switch {
+		case len(keyring.Keys) == 1:
+			// No Keys to apply
+			return nil
+		case keyring.Keys[1].AppliedIndex != keyring.AppliedIndex:
+			// We haven't fully committed the new key, continue here
+			return nil
+		case followerStates.MinIndex() < keyring.AppliedIndex:
+			// Not all the followers have applied the latest key
+			return nil
+		}
+
+		// Upgrade to the new key
+		keyring.Keys = keyring.Keys[1:]
+		keyring.ActiveKeyID = keyring.Keys[0].ID
+		keyring.Term += 1
+		entry, err := logical.StorageEntryJSON(raftTLSStoragePath, keyring)
+		if err != nil {
+			return fmt.Errorf("failed to json encode keyring: %w", err)
+		}
+		if err := c.barrier.Put(ctx, entry); err != nil {
+			return fmt.Errorf("failed to write keyring: %w", err)
+		}
+
+		// Update the TLS Key in the backend
+		if err := raftBackend.SetTLSKeyring(keyring); err != nil {
+			return fmt.Errorf("failed to install keyring: %w", err)
+		}
+
+		logger.Info("installed new raft TLS key", "term", keyring.Term)
+		return nil
+	}
+
+	// Read the keyring to calculate the time of next rotation.
+	keyring, err := c.raftReadTLSKeyring(ctx)
+	if err != nil {
+		return err
+	}
+	activeKey := keyring.GetActive()
+	if activeKey == nil {
+		return errors.New("no active raft TLS key found")
+	}
+
+	getNextRotationTime := func(next time.Time) time.Time {
+		now := time.Now()
+
+		// active key's CreatedTime + raftTLSRotationPeriod might be in
+		// the past (meaning it is ready to be rotated) which will cause
+		// NewTicker to panic when used with time.Until, prevent this by
+		// pushing out rotation time into very near future
+		if next.Before(now) {
+			return now.Add(1 * time.Minute)
+		}
+
+		// push out to ensure proposed time does not elapse
+		return next.Add(10 * time.Second)
+	}
+
+	// Start the process in a go routine
+	go func() {
+		nextRotationTime := getNextRotationTime(activeKey.CreatedTime.Add(raftTLSRotationPeriod))
+
+		keyCheckInterval := time.NewTicker(1 * time.Minute)
+		defer keyCheckInterval.Stop()
+
+		// ticker is used to prevent memory leak of using time.After in
+		// for - select pattern.
+		ticker := time.NewTicker(time.Until(nextRotationTime))
+		defer ticker.Stop()
+		for {
+			select {
+			case <-keyCheckInterval.C:
+				err := checkCommitted()
+				if err != nil {
+					logger.Error("failed to activate TLS key", "error", err)
+				}
+			case <-ticker.C:
+				// It's time to rotate the keys
+				next, err := rotateKeyring()
+				if err != nil {
+					logger.Error("failed to rotate TLS key", "error", err)
+					nextRotationTime = time.Now().Add(10 * time.Second)
+				} else {
+					nextRotationTime = getNextRotationTime(next)
+				}
+
+				ticker.Reset(time.Until(nextRotationTime))
+
+			case <-stopCh:
+				return
+			}
+		}
+	}()
+
+	return nil
+}
+
+func (c *Core) raftReadTLSKeyring(ctx context.Context) (*raft.TLSKeyring, error) {
+	tlsKeyringEntry, err := c.barrier.Get(ctx, raftTLSStoragePath)
+	if err != nil {
+		return nil, err
+	}
+	if tlsKeyringEntry == nil {
+		return nil, errors.New("no keyring found")
+	}
+	var keyring raft.TLSKeyring
+	if err := tlsKeyringEntry.DecodeJSON(&keyring); err != nil {
+		return nil, err
+	}
+
+	return &keyring, nil
+}
+
+// raftCreateTLSKeyring creates the initial TLS key and the TLS Keyring for raft
+// use. If a keyring entry is already present in storage, it will return an
+// error.
+func (c *Core) raftCreateTLSKeyring(ctx context.Context) (*raft.TLSKeyring, error) {
+	if raftBackend := c.getRaftBackend(); raftBackend == nil {
+		return nil, fmt.Errorf("raft backend not in use")
+	}
+
+	// Check if the keyring is already present
+	raftTLSEntry, err := c.barrier.Get(ctx, raftTLSStoragePath)
+	if err != nil {
+		return nil, err
+	}
+
+	if raftTLSEntry != nil {
+		return nil, fmt.Errorf("TLS keyring already present")
+	}
+
+	raftTLS, err := raft.GenerateTLSKey(c.secureRandomReader)
+	if err != nil {
+		return nil, err
+	}
+
+	keyring := &raft.TLSKeyring{
+		Keys:        []*raft.TLSKey{raftTLS},
+		ActiveKeyID: raftTLS.ID,
+	}
+
+	entry, err := logical.StorageEntryJSON(raftTLSStoragePath, keyring)
+	if err != nil {
+		return nil, err
+	}
+	if err := c.barrier.Put(ctx, entry); err != nil {
+		return nil, err
+	}
+	return keyring, nil
+}
+
+func (c *Core) stopPeriodicRaftTLSRotate() {
+	if c.raftTLSRotationStopCh != nil {
+		close(c.raftTLSRotationStopCh)
+	}
+	c.raftTLSRotationStopCh = nil
+	c.raftFollowerStates.Clear()
+}
+
+func (c *Core) checkRaftTLSKeyUpgrades(ctx context.Context) error {
+	raftBackend := c.getRaftBackend()
+	if raftBackend == nil {
+		return nil
+	}
+
+	tlsKeyringEntry, err := c.barrier.Get(ctx, raftTLSStoragePath)
+	if err != nil {
+		return err
+	}
+	if tlsKeyringEntry == nil {
+		return nil
+	}
+
+	var keyring raft.TLSKeyring
+	if err := tlsKeyringEntry.DecodeJSON(&keyring); err != nil {
+		return err
+	}
+
+	if err := raftBackend.SetTLSKeyring(&keyring); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// handleSnapshotRestore is for the raft backend to hook back into core after a
+// snapshot is restored so we can clear the necessary caches and handle changing
+// keyrings or root keys
+func (c *Core) raftSnapshotRestoreCallback(grabLock bool, sealNode bool) func(context.Context) error {
+	return func(ctx context.Context) (retErr error) {
+		c.logger.Info("running post snapshot restore invalidations")
+
+		if grabLock {
+			// Grab statelock
+			l := newLockGrabber(c.stateLock.Lock, c.stateLock.Unlock, c.standbyStopCh.Load().(chan struct{}))
+			go l.grab()
+			if stopped := l.lockOrStop(); stopped {
+				c.logger.Error("did not apply snapshot; vault is shutting down")
+				return errors.New("did not apply snapshot; vault is shutting down")
+			}
+			defer c.stateLock.Unlock()
+		}
+
+		if sealNode {
+			// If we failed to restore the snapshot we should seal this node as
+			// it's in an unknown state
+			defer func() {
+				if retErr != nil {
+					if err := c.sealInternalWithOptions(false, false, true); err != nil {
+						c.logger.Error("failed to seal node", "error", err)
+					}
+				}
+			}()
+		}
+
+		// Purge the cache so we make sure we are operating on fresh data
+		c.physicalCache.Purge(ctx)
+
+		// Reload the keyring in case it changed. If this fails it's likely
+		// we've changed root keys.
+		err := c.performKeyUpgrades(ctx)
+		if err != nil {
+			// The snapshot contained a root key or keyring we couldn't
+			// recover
+			switch c.seal.BarrierSealConfigType() {
+			case SealConfigTypeShamir:
+				// If we are a shamir seal we can't do anything. Just
+				// seal all nodes.
+
+				// Seal ourselves
+				c.logger.Info("failed to perform key upgrades, sealing", "error", err)
+				return err
+
+			default:
+				// If we are using an auto-unseal we can try to use the seal to
+				// unseal again. If the auto-unseal mechanism has changed then
+				// there isn't anything we can do but seal.
+				c.logger.Info("failed to perform key upgrades, reloading using auto seal")
+				keys, err := c.seal.GetStoredKeys(ctx)
+				if err != nil {
+					c.logger.Error("raft snapshot restore failed to get stored keys", "error", err)
+					return err
+				}
+				if err := c.barrier.Seal(); err != nil {
+					c.logger.Error("raft snapshot restore failed to seal barrier", "error", err)
+					return err
+				}
+				if err := c.barrier.Unseal(ctx, keys[0]); err != nil {
+					c.logger.Error("raft snapshot restore failed to unseal barrier", "error", err)
+					return err
+				}
+				c.logger.Info("done reloading root key using auto seal")
+			}
+		}
+
+		// Refresh the raft TLS keys
+		if err := c.checkRaftTLSKeyUpgrades(ctx); err != nil {
+			c.logger.Info("failed to perform TLS key upgrades, sealing", "error", err)
+			return err
+		}
+
+		return nil
+	}
+}
+
+func (c *Core) InitiateRetryJoin(ctx context.Context) error {
+	raftBackend := c.getRaftBackend()
+	if raftBackend == nil {
+		return nil
+	}
+
+	if raftBackend.Initialized() {
+		return nil
+	}
+
+	leaderInfos, err := raftBackend.JoinConfig()
+	if err != nil {
+		return err
+	}
+
+	// Nothing to do if config wasn't supplied
+	if len(leaderInfos) == 0 {
+		return nil
+	}
+
+	c.logger.Info("raft retry join initiated")
+
+	if _, err = c.JoinRaftCluster(ctx, leaderInfos, raftBackend.NonVoter()); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// getRaftChallenge is a helper function used by the raft join process for adding a
+// node to a cluster: it contacts the given node and initiates the bootstrap
+// challenge, returning the result or an error.
+func (c *Core) getRaftChallenge(leaderInfo *raft.LeaderJoinInfo) (*raftInformation, error) {
+	if leaderInfo == nil {
+		return nil, errors.New("raft leader information is nil")
+	}
+	if len(leaderInfo.LeaderAPIAddr) == 0 {
+		return nil, errors.New("raft leader address not provided")
+	}
+
+	c.logger.Info("attempting to join possible raft leader node", "leader_addr", leaderInfo.LeaderAPIAddr)
+
+	// Create an API client to interact with the leader node
+	transport := cleanhttp.DefaultPooledTransport()
+
+	var err error
+	if leaderInfo.TLSConfig == nil && (len(leaderInfo.LeaderCACert) != 0 || len(leaderInfo.LeaderClientCert) != 0 || len(leaderInfo.LeaderClientKey) != 0) {
+		leaderInfo.TLSConfig, err = tlsutil.ClientTLSConfig([]byte(leaderInfo.LeaderCACert), []byte(leaderInfo.LeaderClientCert), []byte(leaderInfo.LeaderClientKey))
+		if err != nil {
+			return nil, fmt.Errorf("failed to create TLS config: %w", err)
+		}
+		leaderInfo.TLSConfig.ServerName = leaderInfo.LeaderTLSServerName
+	}
+	if leaderInfo.TLSConfig == nil && leaderInfo.LeaderTLSServerName != "" {
+		leaderInfo.TLSConfig, err = tlsutil.SetupTLSConfig(map[string]string{"address": leaderInfo.LeaderTLSServerName}, "")
+		if err != nil {
+			return nil, fmt.Errorf("failed to create TLS config: %w", err)
+		}
+	}
+
+	if leaderInfo.TLSConfig != nil {
+		transport.TLSClientConfig = leaderInfo.TLSConfig.Clone()
+		if err := http2.ConfigureTransport(transport); err != nil {
+			return nil, fmt.Errorf("failed to configure TLS: %w", err)
+		}
+	}
+
+	client := &http.Client{
+		Transport: transport,
+	}
+
+	config := api.DefaultConfig()
+	if config.Error != nil {
+		return nil, fmt.Errorf("failed to create api client: %w", config.Error)
+	}
+
+	config.Address = leaderInfo.LeaderAPIAddr
+	config.HttpClient = client
+	config.MaxRetries = 0
+
+	apiClient, err := api.NewClient(config)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create api client: %w", err)
+	}
+	// Clearing namespace, as this client should only ever be using the root namespace
+	apiClient.ClearNamespace()
+
+	// Attempt to join the leader by requesting for the bootstrap challenge
+	secret, err := apiClient.Logical().Write("sys/storage/raft/bootstrap/challenge", map[string]interface{}{
+		"server_id": c.getRaftBackend().NodeID(),
+	})
+	if err != nil {
+		return nil, fmt.Errorf("error during raft bootstrap init call: %w", err)
+	}
+	if secret == nil {
+		return nil, errors.New("could not retrieve raft bootstrap package")
+	}
+
+	var sealConfig SealConfig
+	err = mapstructure.Decode(secret.Data["seal_config"], &sealConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	if sealConfig.Type != c.seal.BarrierSealConfigType().String() {
+		return nil, fmt.Errorf("mismatching seal types between raft leader (%s) and follower (%s)", sealConfig.Type, c.seal.BarrierSealConfigType())
+	}
+
+	challengeB64, ok := secret.Data["challenge"]
+	if !ok {
+		return nil, errors.New("error during raft bootstrap call, no challenge given")
+	}
+	challengeRaw, err := base64.StdEncoding.DecodeString(challengeB64.(string))
+	if err != nil {
+		return nil, fmt.Errorf("error decoding raft bootstrap challenge: %w", err)
+	}
+
+	eBlob := &wrapping.BlobInfo{}
+	if err := proto.Unmarshal(challengeRaw, eBlob); err != nil {
+		return nil, fmt.Errorf("error decoding raft bootstrap challenge: %w", err)
+	}
+
+	return &raftInformation{
+		challenge:           eBlob,
+		leaderClient:        apiClient,
+		leaderBarrierConfig: &sealConfig,
+	}, nil
+}
+
+func (c *Core) JoinRaftCluster(ctx context.Context, leaderInfos []*raft.LeaderJoinInfo, nonVoter bool) (bool, error) {
+	raftBackend := c.getRaftBackend()
+	if raftBackend == nil {
+		return false, errors.New("raft backend not in use")
+	}
+
+	init, err := c.InitializedLocally(ctx)
+	if err != nil {
+		return false, fmt.Errorf("failed to check if core is initialized: %w", err)
+	}
+
+	isRaftHAOnly := c.isRaftHAOnly()
+	// Prevent join from happening if we're using raft for storage and
+	// it has already been initialized.
+	if init && !isRaftHAOnly {
+		return true, nil
+	}
+
+	// Check on seal status and storage type before proceeding:
+	// If raft is used for storage, core needs to be sealed
+	if !isRaftHAOnly && !c.Sealed() {
+		c.logger.Error("node must be sealed before joining")
+		return false, errors.New("node must be sealed before joining")
+	}
+
+	// If raft is used for ha-only, core needs to be unsealed
+	if isRaftHAOnly && c.Sealed() {
+		c.logger.Error("node must be unsealed before joining")
+		return false, errors.New("node must be unsealed before joining")
+	}
+
+	// Disallow leader API address to be provided if we're using raft for HA-only.
+	// The leader API address is obtained directly through storage. This serves
+	// as a form of verification that this node is sharing the same physical
+	// storage as the leader node.
+	if isRaftHAOnly {
+		for _, info := range leaderInfos {
+			if info.LeaderAPIAddr != "" || info.AutoJoin != "" {
+				return false, errors.New("leader API address and auto-join metadata must be unset when raft is used exclusively for HA")
+			}
+		}
+
+		// Get the leader address from storage
+		keys, err := c.barrier.List(ctx, coreLeaderPrefix)
+		if err != nil {
+			return false, err
+		}
+
+		if len(keys) == 0 || len(keys[0]) == 0 {
+			return false, errors.New("unable to fetch leadership entry")
+		}
+
+		leadershipEntry := coreLeaderPrefix + keys[0]
+		entry, err := c.barrier.Get(ctx, leadershipEntry)
+		if err != nil {
+			return false, err
+		}
+		if entry == nil {
+			return false, errors.New("unable to read leadership entry")
+		}
+
+		var adv activeAdvertisement
+		err = jsonutil.DecodeJSON(entry.Value, &adv)
+		if err != nil {
+			return false, fmt.Errorf("unable to decoded leader entry: %w", err)
+		}
+
+		leaderInfos[0].LeaderAPIAddr = adv.RedirectAddr
+	}
+
+	disco, err := newDiscover()
+	if err != nil {
+		return false, fmt.Errorf("failed to create auto-join discovery: %w", err)
+	}
+
+	retryFailures := leaderInfos[0].Retry
+	// answerChallenge performs the second part of a raft join: after we've issued
+	// the sys/storage/raft/bootstrap/challenge call to initiate the join, this
+	// func uses the seal to compute an answer to the challenge and sends it
+	// back to the server that provided the challenge.
+	answerChallenge := func(ctx context.Context, raftInfo *raftInformation) error {
+		// If we're using Shamir and using raft for both physical and HA, we
+		// need to block until the node is unsealed, unless retry is set to
+		// false.
+		if c.seal.BarrierSealConfigType() == SealConfigTypeShamir && !c.isRaftHAOnly() {
+			c.raftInfo.Store(raftInfo)
+			if err := c.seal.SetBarrierConfig(ctx, raftInfo.leaderBarrierConfig); err != nil {
+				return err
+			}
+
+			if !retryFailures {
+				return nil
+			}
+
+			// Wait until unseal keys are supplied
+			raftInfo.joinInProgress = true
+			c.raftInfo.Store(raftInfo)
+			if atomic.LoadUint32(c.postUnsealStarted) != 1 {
+				return errors.New("waiting for unseal keys to be supplied")
+			}
+		}
+
+		raftInfo.nonVoter = nonVoter
+		if err := c.joinRaftSendAnswer(ctx, c.seal.GetAccess(), raftInfo); err != nil {
+			return fmt.Errorf("failed to send answer to raft leader node: %w", err)
+		}
+
+		if c.seal.BarrierSealConfigType() == SealConfigTypeShamir && !isRaftHAOnly {
+			// Reset the state
+			c.raftInfo.Store((*raftInformation)(nil))
+
+			// In case of Shamir unsealing, inform the unseal process that raft join is completed
+			close(c.raftJoinDoneCh)
+		}
+
+		c.logger.Info("successfully joined the raft cluster", "leader_addr", raftInfo.leaderClient.Address())
+		return nil
+	}
+
+	// join attempts to join to any of the leaders defined in leaderInfos,
+	// using the first one that returns a challenge to our request.  If shamir
+	// seal is in use, we must wait to get enough unseal keys to solve the
+	// challenge.  If we're unable to get a challenge from any leader, or if
+	// we fail to answer the challenge successfully, or if ctx times out,
+	// an error is returned.
+	join := func() error {
+		init, err := c.InitializedLocally(ctx)
+		if err != nil {
+			return fmt.Errorf("failed to check if core is initialized: %w", err)
+		}
+
+		// InitializedLocally will return non-nil before HA backends are
+		// initialized. c.Initialized(ctx) checks InitializedLocally first, so
+		// we can't use that generically for both cases. Instead check
+		// raftBackend.Initialized() directly for the HA-Only case.
+		if (!isRaftHAOnly && init) || (isRaftHAOnly && raftBackend.Initialized()) {
+			c.logger.Info("returning from raft join as the node is initialized")
+			return nil
+		}
+
+		if err := raftBackend.SetDesiredSuffrage(nonVoter); err != nil {
+			c.logger.Error("failed to set desired suffrage for this node", "error", err)
+			return nil
+		}
+
+		challengeCh := make(chan *raftInformation)
+		var expandedJoinInfos []*raft.LeaderJoinInfo
+		for _, leaderInfo := range leaderInfos {
+			joinInfos, err := c.raftLeaderInfo(leaderInfo, disco)
+			if err != nil {
+				c.logger.Error("error in retry_join stanza, will not use it for raft join", "error", err,
+					"leader_api_addr", leaderInfo.LeaderAPIAddr, "auto_join", leaderInfo.AutoJoin != "")
+				continue
+			}
+			expandedJoinInfos = append(expandedJoinInfos, joinInfos...)
+		}
+		if err != nil {
+			return err
+		}
+		var wg sync.WaitGroup
+		for i := range expandedJoinInfos {
+			wg.Add(1)
+			go func(joinInfo *raft.LeaderJoinInfo) {
+				defer wg.Done()
+				raftInfo, err := c.getRaftChallenge(joinInfo)
+				if err != nil {
+					c.Logger().Error("failed to get raft challenge", "leader_addr", joinInfo.LeaderAPIAddr, "error", err)
+					return
+				}
+				challengeCh <- raftInfo
+			}(expandedJoinInfos[i])
+		}
+		go func() {
+			wg.Wait()
+			close(challengeCh)
+		}()
+
+		select {
+		case <-ctx.Done():
+			err = ctx.Err()
+		case raftInfo := <-challengeCh:
+			if raftInfo != nil {
+				err = answerChallenge(ctx, raftInfo)
+				if err == nil {
+					return nil
+				}
+			} else {
+				// Return an error so we can retry_join
+				err = fmt.Errorf("failed to get raft challenge")
+			}
+		}
+		return err
+	}
+
+	switch retryFailures {
+	case true:
+		go func() {
+			for {
+				select {
+				case <-ctx.Done():
+					return
+				default:
+				}
+				err := join()
+				if err == nil {
+					return
+				}
+				c.logger.Error("failed to retry join raft cluster", "retry", "2s", "err", err)
+				time.Sleep(2 * time.Second)
+			}
+		}()
+
+		// Backgrounded so return false
+		return false, nil
+	default:
+		if err := join(); err != nil {
+			c.logger.Error("failed to join raft cluster", "error", err)
+			return false, fmt.Errorf("failed to join raft cluster: %w", err)
+		}
+	}
+
+	return true, nil
+}
+
+// raftLeaderInfo uses go-discover to expand leaderInfo to include any auto-join results
+func (c *Core) raftLeaderInfo(leaderInfo *raft.LeaderJoinInfo, disco *discover.Discover) ([]*raft.LeaderJoinInfo, error) {
+	var ret []*raft.LeaderJoinInfo
+	switch {
+	case leaderInfo.LeaderAPIAddr != "" && leaderInfo.AutoJoin != "":
+		return nil, errors.New("cannot provide both leader address and auto-join metadata")
+
+	case leaderInfo.LeaderAPIAddr != "":
+		ret = append(ret, leaderInfo)
+
+	case leaderInfo.AutoJoin != "":
+		scheme := leaderInfo.AutoJoinScheme
+		if scheme == "" {
+			// default to HTTPS when no scheme is provided
+			scheme = "https"
+		}
+		port := leaderInfo.AutoJoinPort
+		if port == 0 {
+			// default to 8200 when no port is provided
+			port = 8200
+		}
+		// Addrs returns either IPv4 or IPv6 address, without scheme or port
+		clusterIPs, err := disco.Addrs(leaderInfo.AutoJoin, c.logger.StandardLogger(nil))
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse addresses from auto-join metadata: %w", err)
+		}
+		for _, ip := range clusterIPs {
+			if strings.Count(ip, ":") >= 2 && !strings.HasPrefix(ip, "[") {
+				// An IPv6 address in implicit form, however we need it in explicit form to use in a URL.
+				ip = fmt.Sprintf("[%s]", ip)
+			}
+			u := fmt.Sprintf("%s://%s:%d", scheme, ip, port)
+			info := *leaderInfo
+			info.LeaderAPIAddr = u
+			ret = append(ret, &info)
+		}
+
+	default:
+		return nil, errors.New("must provide leader address or auto-join metadata")
+	}
+	return ret, nil
+}
+
+// NewDelegateForCore creates a raft.Delegate for the specified core using its backend.
+func NewDelegateForCore(c *Core) *raft.Delegate {
+	return raft.NewDelegate(c.getRaftBackend())
+}
+
+// getRaftBackend returns the RaftBackend from the HA or physical backend,
+// in that order of preference, or nil if not of type RaftBackend.
+func (c *Core) getRaftBackend() *raft.RaftBackend {
+	var raftBackend *raft.RaftBackend
+
+	if raftHA, ok := c.ha.(*raft.RaftBackend); ok {
+		raftBackend = raftHA
+	}
+
+	if raftStorage, ok := c.underlyingPhysical.(*raft.RaftBackend); ok {
+		raftBackend = raftStorage
+	}
+
+	return raftBackend
+}
+
+// isRaftHAOnly returns true if c.ha is raft and physical storage is non-raft
+func (c *Core) isRaftHAOnly() bool {
+	_, isRaftHA := c.ha.(*raft.RaftBackend)
+	_, isRaftStorage := c.underlyingPhysical.(*raft.RaftBackend)
+
+	return isRaftHA && !isRaftStorage
+}
+
+func (c *Core) joinRaftSendAnswer(ctx context.Context, sealAccess seal.Access, raftInfo *raftInformation) error {
+	if raftInfo.challenge == nil {
+		return errors.New("raft challenge is nil")
+	}
+
+	raftBackend := c.getRaftBackend()
+	if raftBackend == nil {
+		return errors.New("raft backend is not in use")
+	}
+
+	if raftBackend.Initialized() {
+		return errors.New("raft is already initialized")
+	}
+
+	multiWrapValue := &seal.MultiWrapValue{
+		Generation: sealAccess.Generation(),
+		Slots:      []*wrapping.BlobInfo{raftInfo.challenge},
+	}
+	plaintext, _, err := sealAccess.Decrypt(ctx, multiWrapValue, nil)
+	if err != nil {
+		return fmt.Errorf("error decrypting challenge: %w", err)
+	}
+
+	parsedClusterAddr, err := url.Parse(c.ClusterAddr())
+	if err != nil {
+		return fmt.Errorf("error parsing cluster address: %w", err)
+	}
+	clusterAddr := parsedClusterAddr.Host
+	if atomic.LoadUint32(&TestingUpdateClusterAddr) == 1 && strings.HasSuffix(clusterAddr, ":0") {
+		// We are testing and have an address provider, so just create a random
+		// addr, it will be overwritten later.
+		var err error
+		clusterAddr, err = uuid.GenerateUUID()
+		if err != nil {
+			return err
+		}
+	}
+
+	answerReq := raftInfo.leaderClient.NewRequest("PUT", "/v1/sys/storage/raft/bootstrap/answer")
+	if err := answerReq.SetJSONBody(map[string]interface{}{
+		"answer":       base64.StdEncoding.EncodeToString(plaintext),
+		"cluster_addr": clusterAddr,
+		"server_id":    raftBackend.NodeID(),
+		"non_voter":    raftInfo.nonVoter,
+	}); err != nil {
+		return err
+	}
+
+	answerRespJson, err := raftInfo.leaderClient.RawRequestWithContext(ctx, answerReq)
+	if answerRespJson != nil {
+		defer answerRespJson.Body.Close()
+	}
+	if err != nil {
+		return err
+	}
+
+	var answerResp answerRespData
+	if err := jsonutil.DecodeJSONFromReader(answerRespJson.Body, &answerResp); err != nil {
+		return err
+	}
+
+	if answerResp.Data.AutoloadedLicense && !c.entIsLicenseAutoloaded() {
+		return ErrJoinWithoutAutoloading
+	}
+	if err := raftBackend.Bootstrap(answerResp.Data.Peers); err != nil {
+		return err
+	}
+
+	err = c.startClusterListener(ctx)
+	if err != nil {
+		return fmt.Errorf("error starting cluster: %w", err)
+	}
+
+	raftBackend.SetRestoreCallback(c.raftSnapshotRestoreCallback(true, true))
+	opts := raft.SetupOpts{
+		TLSKeyring:      answerResp.Data.TLSKeyring,
+		ClusterListener: c.getClusterListener(),
+	}
+	err = raftBackend.SetupCluster(ctx, opts)
+	if err != nil {
+		return fmt.Errorf("failed to setup raft cluster: %w", err)
+	}
+
+	return nil
+}
+
+func (c *Core) loadAutopilotConfiguration(ctx context.Context) (*raft.AutopilotConfig, error) {
+	var autopilotConfig *raft.AutopilotConfig
+	entry, err := c.barrier.Get(ctx, raftAutopilotConfigurationStoragePath)
+	if err != nil {
+		return nil, err
+	}
+
+	if entry == nil {
+		return nil, nil
+	}
+
+	if err := jsonutil.DecodeJSON(entry.Value, &autopilotConfig); err != nil {
+		return nil, err
+	}
+
+	return autopilotConfig, nil
+}
+
+// RaftBootstrap performs bootstrapping of a raft cluster if core contains a raft
+// backend. If raft is not part for the storage or HA storage backend, this
+// call results in an error.
+func (c *Core) RaftBootstrap(ctx context.Context, onInit bool) error {
+	if c.logger.IsDebug() {
+		c.logger.Debug("bootstrapping raft backend")
+		defer c.logger.Debug("finished bootstrapping raft backend")
+	}
+
+	raftBackend := c.getRaftBackend()
+	if raftBackend == nil {
+		return errors.New("raft backend not in use")
+	}
+
+	parsedClusterAddr, err := url.Parse(c.ClusterAddr())
+	if err != nil {
+		return fmt.Errorf("error parsing cluster address: %w", err)
+	}
+	if err := raftBackend.Bootstrap([]raft.Peer{
+		{
+			ID:      raftBackend.NodeID(),
+			Address: parsedClusterAddr.Host,
+		},
+	}); err != nil {
+		return fmt.Errorf("could not bootstrap clustered storage: %w", err)
+	}
+
+	raftOpts := raft.SetupOpts{
+		StartAsLeader: true,
+	}
+
+	if !onInit {
+		// Generate the TLS Keyring info for SetupCluster to consume
+		raftTLS, err := c.raftCreateTLSKeyring(ctx)
+		if err != nil {
+			return fmt.Errorf("could not generate TLS keyring during bootstrap: %w", err)
+		}
+
+		raftBackend.SetRestoreCallback(c.raftSnapshotRestoreCallback(true, true))
+		raftOpts.ClusterListener = c.getClusterListener()
+
+		raftOpts.TLSKeyring = raftTLS
+	}
+
+	if err := raftBackend.SetupCluster(ctx, raftOpts); err != nil {
+		return fmt.Errorf("could not start clustered storage: %w", err)
+	}
+
+	return nil
+}
+
+func (c *Core) isRaftUnseal() bool {
+	return c.raftInfo.Load().(*raftInformation) != nil
+}
+
+type answerRespData struct {
+	Data answerResp `json:"data"`
+}
+
+type answerResp struct {
+	Peers             []raft.Peer      `json:"peers"`
+	TLSKeyring        *raft.TLSKeyring `json:"tls_keyring"`
+	AutoloadedLicense bool             `json:"autoloaded_license"`
+}
+
+func newDiscover() (*discover.Discover, error) {
+	providers := make(map[string]discover.Provider)
+	for k, v := range discover.Providers {
+		providers[k] = v
+	}
+
+	providers["k8s"] = &discoverk8s.Provider{}
+
+	return discover.New(
+		discover.WithProviders(providers),
+	)
+}
diff --git a/ui/lib/core/addon/components/replication-action-disable.js b/ui/lib/core/addon/components/replication-action-disable.js
index ecdf51f781da..73eab754bfb7 100644
--- a/ui/lib/core/addon/components/replication-action-disable.js
+++ b/ui/lib/core/addon/components/replication-action-disable.js
@@ -1,12 +1,1230 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Actions from 'core/components/replication-actions-single';
-import layout from '../templates/components/replication-action-disable';
-
-export default Actions.extend({
-  layout,
-  tagName: '',
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package rafttests
+
+import (
+	"bytes"
+	"context"
+	"crypto/md5"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/go-cleanhttp"
+	"github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/vault/api"
+	credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
+	"github.com/hashicorp/vault/helper/benchhelpers"
+	"github.com/hashicorp/vault/helper/constants"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/helper/testhelpers"
+	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
+	"github.com/hashicorp/vault/helper/testhelpers/teststorage"
+	vaulthttp "github.com/hashicorp/vault/http"
+	"github.com/hashicorp/vault/internalshared/configutil"
+	"github.com/hashicorp/vault/physical/raft"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/vault"
+	vaultseal "github.com/hashicorp/vault/vault/seal"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/net/http2"
+)
+
+type RaftClusterOpts struct {
+	DisableFollowerJoins           bool
+	InmemCluster                   bool
+	EnableAutopilot                bool
+	PhysicalFactoryConfig          map[string]interface{}
+	DisablePerfStandby             bool
+	EnableResponseHeaderRaftNodeID bool
+	NumCores                       int
+	Seal                           vault.Seal
+	VersionMap                     map[int]string
+	RedundancyZoneMap              map[int]string
+	EffectiveSDKVersionMap         map[int]string
+}
+
+func raftCluster(t testing.TB, ropts *RaftClusterOpts) (*vault.TestCluster, *vault.TestClusterOptions) {
+	if ropts == nil {
+		ropts = &RaftClusterOpts{}
+	}
+
+	conf := &vault.CoreConfig{
+		CredentialBackends: map[string]logical.Factory{
+			"userpass": credUserpass.Factory,
+		},
+		DisableAutopilot:               !ropts.EnableAutopilot,
+		EnableResponseHeaderRaftNodeID: ropts.EnableResponseHeaderRaftNodeID,
+		Seal:                           ropts.Seal,
+	}
+
+	opts := vault.TestClusterOptions{
+		HandlerFunc: vaulthttp.Handler,
+	}
+	opts.InmemClusterLayers = ropts.InmemCluster
+	opts.PhysicalFactoryConfig = ropts.PhysicalFactoryConfig
+	conf.DisablePerformanceStandby = ropts.DisablePerfStandby
+	opts.NumCores = ropts.NumCores
+	opts.VersionMap = ropts.VersionMap
+	opts.RedundancyZoneMap = ropts.RedundancyZoneMap
+	opts.EffectiveSDKVersionMap = ropts.EffectiveSDKVersionMap
+
+	teststorage.RaftBackendSetup(conf, &opts)
+
+	if ropts.DisableFollowerJoins {
+		opts.SetupFunc = nil
+	}
+
+	cluster := vault.NewTestCluster(benchhelpers.TBtoT(t), conf, &opts)
+	cluster.Start()
+	vault.TestWaitActive(benchhelpers.TBtoT(t), cluster.Cores[0].Core)
+	return cluster, &opts
+}
+
+func TestRaft_BoltDBMetrics(t *testing.T) {
+	t.Parallel()
+	conf := vault.CoreConfig{}
+	opts := vault.TestClusterOptions{
+		HandlerFunc:            vaulthttp.Handler,
+		NumCores:               1,
+		CoreMetricSinkProvider: testhelpers.TestMetricSinkProvider(time.Minute),
+		DefaultHandlerProperties: vault.HandlerProperties{
+			ListenerConfig: &configutil.Listener{
+				Telemetry: configutil.ListenerTelemetry{
+					UnauthenticatedMetricsAccess: true,
+				},
+			},
+		},
+	}
+
+	teststorage.RaftBackendSetup(&conf, &opts)
+	cluster := vault.NewTestCluster(t, &conf, &opts)
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	vault.TestWaitActive(t, cluster.Cores[0].Core)
+	leaderClient := cluster.Cores[0].Client
+
+	// Write a few keys
+	for i := 0; i < 50; i++ {
+		_, err := leaderClient.Logical().Write(fmt.Sprintf("secret/%d", i), map[string]interface{}{
+			fmt.Sprintf("foo%d", i): fmt.Sprintf("bar%d", i),
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	// Even though there is a long delay between when we start the node and when we check for these metrics,
+	// the core metrics loop isn't started until postUnseal, which happens after said delay. This means we
+	// need a small artificial delay here as well, otherwise we won't see any metrics emitted.
+	time.Sleep(5 * time.Second)
+	data, err := testhelpers.SysMetricsReq(leaderClient, cluster, true)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	noBoltDBMetrics := true
+	for _, g := range data.Gauges {
+		if strings.HasPrefix(g.Name, "raft_storage.bolt.") {
+			noBoltDBMetrics = false
+			break
+		}
+	}
+
+	if noBoltDBMetrics {
+		t.Fatal("expected to find boltdb metrics being emitted from the raft backend, but there were none")
+	}
+}
+
+func TestRaft_RetryAutoJoin(t *testing.T) {
+	t.Parallel()
+
+	var (
+		conf vault.CoreConfig
+
+		opts = vault.TestClusterOptions{HandlerFunc: vaulthttp.Handler}
+	)
+
+	teststorage.RaftBackendSetup(&conf, &opts)
+
+	opts.SetupFunc = nil
+	cluster := vault.NewTestCluster(t, &conf, &opts)
+
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	addressProvider := &testhelpers.TestRaftServerAddressProvider{Cluster: cluster}
+	leaderCore := cluster.Cores[0]
+	atomic.StoreUint32(&vault.TestingUpdateClusterAddr, 1)
+
+	{
+		testhelpers.EnsureCoreSealed(t, leaderCore)
+		leaderCore.UnderlyingRawStorage.(*raft.RaftBackend).SetServerAddressProvider(addressProvider)
+		cluster.UnsealCore(t, leaderCore)
+		vault.TestWaitActive(t, leaderCore.Core)
+	}
+
+	leaderInfos := []*raft.LeaderJoinInfo{
+		{
+			AutoJoin:  "provider=aws region=eu-west-1 tag_key=consul tag_value=tag access_key_id=a secret_access_key=a",
+			TLSConfig: leaderCore.TLSConfig(),
+			Retry:     true,
+		},
+	}
+
+	{
+		// expected to pass but not join as we're not actually discovering leader addresses
+		core := cluster.Cores[1]
+		core.UnderlyingRawStorage.(*raft.RaftBackend).SetServerAddressProvider(addressProvider)
+
+		_, err := core.JoinRaftCluster(namespace.RootContext(context.Background()), leaderInfos, false)
+		require.NoError(t, err)
+	}
+
+	err := testhelpers.VerifyRaftPeers(t, cluster.Cores[0].Client, map[string]bool{
+		"core-0": true,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestRaft_Retry_Join(t *testing.T) {
+	t.Parallel()
+	var conf vault.CoreConfig
+	opts := vault.TestClusterOptions{HandlerFunc: vaulthttp.Handler}
+	teststorage.RaftBackendSetup(&conf, &opts)
+	opts.SetupFunc = nil
+	cluster := vault.NewTestCluster(t, &conf, &opts)
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	addressProvider := &testhelpers.TestRaftServerAddressProvider{Cluster: cluster}
+
+	leaderCore := cluster.Cores[0]
+	leaderAPI := leaderCore.Client.Address()
+	atomic.StoreUint32(&vault.TestingUpdateClusterAddr, 1)
+
+	{
+		testhelpers.EnsureCoreSealed(t, leaderCore)
+		leaderCore.UnderlyingRawStorage.(*raft.RaftBackend).SetServerAddressProvider(addressProvider)
+	}
+
+	leaderInfos := []*raft.LeaderJoinInfo{
+		{
+			LeaderAPIAddr: leaderAPI,
+			TLSConfig:     leaderCore.TLSConfig(),
+			Retry:         true,
+		},
+	}
+
+	var wg sync.WaitGroup
+	for _, clusterCore := range cluster.Cores[1:] {
+		wg.Add(1)
+		go func(t *testing.T, core *vault.TestClusterCore) {
+			t.Helper()
+			defer wg.Done()
+			core.UnderlyingRawStorage.(*raft.RaftBackend).SetServerAddressProvider(addressProvider)
+			_, err := core.JoinRaftCluster(namespace.RootContext(context.Background()), leaderInfos, false)
+			if err != nil {
+				t.Error(err)
+			}
+
+			// Handle potential racy behavior with unseals. Retry the unseal until it succeeds.
+			corehelpers.RetryUntil(t, 10*time.Second, func() error {
+				return cluster.AttemptUnsealCore(core)
+			})
+		}(t, clusterCore)
+	}
+
+	// Unseal the leader and wait for the other cores to unseal
+	cluster.UnsealCore(t, leaderCore)
+	wg.Wait()
+
+	vault.TestWaitActive(t, leaderCore.Core)
+
+	corehelpers.RetryUntil(t, 10*time.Second, func() error {
+		return testhelpers.VerifyRaftPeers(t, cluster.Cores[0].Client, map[string]bool{
+			"core-0": true,
+			"core-1": true,
+			"core-2": true,
+		})
+	})
+}
+
+func TestRaft_Join(t *testing.T) {
+	t.Parallel()
+	var conf vault.CoreConfig
+	opts := vault.TestClusterOptions{HandlerFunc: vaulthttp.Handler}
+	teststorage.RaftBackendSetup(&conf, &opts)
+	opts.SetupFunc = nil
+	cluster := vault.NewTestCluster(t, &conf, &opts)
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	addressProvider := &testhelpers.TestRaftServerAddressProvider{Cluster: cluster}
+
+	leaderCore := cluster.Cores[0]
+	leaderAPI := leaderCore.Client.Address()
+	atomic.StoreUint32(&vault.TestingUpdateClusterAddr, 1)
+
+	// Seal the leader so we can install an address provider
+	{
+		testhelpers.EnsureCoreSealed(t, leaderCore)
+		leaderCore.UnderlyingRawStorage.(*raft.RaftBackend).SetServerAddressProvider(addressProvider)
+		cluster.UnsealCore(t, leaderCore)
+		vault.TestWaitActive(t, leaderCore.Core)
+	}
+
+	joinFunc := func(client *api.Client, addClientCerts bool) {
+		req := &api.RaftJoinRequest{
+			LeaderAPIAddr: leaderAPI,
+			LeaderCACert:  string(cluster.CACertPEM),
+		}
+		if addClientCerts {
+			req.LeaderClientCert = string(cluster.CACertPEM)
+			req.LeaderClientKey = string(cluster.CAKeyPEM)
+		}
+		resp, err := client.Sys().RaftJoin(req)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if !resp.Joined {
+			t.Fatalf("failed to join raft cluster")
+		}
+	}
+
+	joinFunc(cluster.Cores[1].Client, false)
+	joinFunc(cluster.Cores[2].Client, false)
+
+	_, err := cluster.Cores[0].Client.Logical().Write("sys/storage/raft/remove-peer", map[string]interface{}{
+		"server_id": "core-1",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = cluster.Cores[0].Client.Logical().Write("sys/storage/raft/remove-peer", map[string]interface{}{
+		"server_id": "core-2",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	joinFunc(cluster.Cores[1].Client, true)
+	joinFunc(cluster.Cores[2].Client, true)
+}
+
+func TestRaft_RemovePeer(t *testing.T) {
+	t.Parallel()
+	cluster, _ := raftCluster(t, nil)
+	defer cluster.Cleanup()
+
+	for i, c := range cluster.Cores {
+		if c.Core.Sealed() {
+			t.Fatalf("failed to unseal core %d", i)
+		}
+	}
+
+	client := cluster.Cores[0].Client
+
+	err := testhelpers.VerifyRaftPeers(t, client, map[string]bool{
+		"core-0": true,
+		"core-1": true,
+		"core-2": true,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = client.Logical().Write("sys/storage/raft/remove-peer", map[string]interface{}{
+		"server_id": "core-2",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = testhelpers.VerifyRaftPeers(t, client, map[string]bool{
+		"core-0": true,
+		"core-1": true,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = client.Logical().Write("sys/storage/raft/remove-peer", map[string]interface{}{
+		"server_id": "core-1",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = testhelpers.VerifyRaftPeers(t, client, map[string]bool{
+		"core-0": true,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestRaft_NodeIDHeader(t *testing.T) {
+	t.Parallel()
+	testCases := []struct {
+		description   string
+		ropts         *RaftClusterOpts
+		headerPresent bool
+	}{
+		{
+			description:   "with no header configured",
+			ropts:         nil,
+			headerPresent: false,
+		},
+		{
+			description: "with header configured",
+			ropts: &RaftClusterOpts{
+				EnableResponseHeaderRaftNodeID: true,
+			},
+			headerPresent: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.description, func(t *testing.T) {
+			cluster, _ := raftCluster(t, tc.ropts)
+			defer cluster.Cleanup()
+
+			for i, c := range cluster.Cores {
+				if c.Core.Sealed() {
+					t.Fatalf("failed to unseal core %d", i)
+				}
+
+				client := c.Client
+				req := client.NewRequest("GET", "/v1/sys/seal-status")
+				resp, err := client.RawRequest(req)
+				if err != nil {
+					t.Fatalf("err: %s", err)
+				}
+				if resp == nil {
+					t.Fatalf("nil response")
+				}
+
+				rniHeader := resp.Header.Get("X-Vault-Raft-Node-ID")
+				nodeID := c.Core.GetRaftNodeID()
+
+				if tc.headerPresent && rniHeader == "" {
+					t.Fatal("missing 'X-Vault-Raft-Node-ID' header entry in response")
+				}
+				if tc.headerPresent && rniHeader != nodeID {
+					t.Fatalf("got the wrong raft node id. expected %s to equal %s", rniHeader, nodeID)
+				}
+				if !tc.headerPresent && rniHeader != "" {
+					t.Fatal("didn't expect 'X-Vault-Raft-Node-ID' header but it was present anyway")
+				}
+			}
+		})
+	}
+}
+
+func TestRaft_Configuration(t *testing.T) {
+	t.Parallel()
+	cluster, _ := raftCluster(t, nil)
+	defer cluster.Cleanup()
+	Raft_Configuration_Test(t, cluster)
+}
+
+func TestRaft_ShamirUnseal(t *testing.T) {
+	t.Parallel()
+	cluster, _ := raftCluster(t, nil)
+	defer cluster.Cleanup()
+
+	for i, c := range cluster.Cores {
+		if c.Core.Sealed() {
+			t.Fatalf("failed to unseal core %d", i)
+		}
+	}
+}
+
+func TestRaft_SnapshotAPI(t *testing.T) {
+	t.Parallel()
+	cluster, _ := raftCluster(t, nil)
+	defer cluster.Cleanup()
+
+	leaderClient := cluster.Cores[0].Client
+
+	// Write a few keys
+	for i := 0; i < 10; i++ {
+		_, err := leaderClient.Logical().Write(fmt.Sprintf("secret/%d", i), map[string]interface{}{
+			"test": "data",
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	// Take a snapshot
+	buf := new(bytes.Buffer)
+	err := leaderClient.Sys().RaftSnapshot(buf)
+	if err != nil {
+		t.Fatal(err)
+	}
+	snap, err := io.ReadAll(buf)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(snap) == 0 {
+		t.Fatal("no snapshot returned")
+	}
+
+	// Write a few more keys
+	for i := 10; i < 20; i++ {
+		_, err := leaderClient.Logical().Write(fmt.Sprintf("secret/%d", i), map[string]interface{}{
+			"test": "data",
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+	// Restore snapshot
+	err = leaderClient.Sys().RaftSnapshotRestore(bytes.NewReader(snap), false)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// List kv to make sure we removed the extra keys
+	secret, err := leaderClient.Logical().List("secret/")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(secret.Data["keys"].([]interface{})) != 10 {
+		t.Fatal("snapshot didn't apply correctly")
+	}
+}
+
+func TestRaft_SnapshotAPI_MidstreamFailure(t *testing.T) {
+	// defer goleak.VerifyNone(t)
+	t.Parallel()
+
+	seal, wrappers := vaultseal.NewTestSeal(nil)
+	autoSeal := vault.NewAutoSeal(seal)
+	cluster, _ := raftCluster(t, &RaftClusterOpts{
+		NumCores: 1,
+		Seal:     autoSeal,
+	})
+	defer cluster.Cleanup()
+
+	leaderClient := cluster.Cores[0].Client
+
+	// Write a bunch of keys; if too few, the detection code in api.RaftSnapshot
+	// will never make it into the tar part, it'll fail merely when trying to
+	// decompress the stream.
+	for i := 0; i < 1000; i++ {
+		_, err := leaderClient.Logical().Write(fmt.Sprintf("secret/%d", i), map[string]interface{}{
+			"test": "data",
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	r, w := io.Pipe()
+	var snap []byte
+	var wg sync.WaitGroup
+	wg.Add(1)
+
+	var readErr error
+	go func() {
+		snap, readErr = ioutil.ReadAll(r)
+		wg.Done()
+	}()
+
+	wrappers[0].SetError(errors.New("seal failure"))
+	// Take a snapshot
+	err := leaderClient.Sys().RaftSnapshot(w)
+	w.Close()
+	if err == nil || err != api.ErrIncompleteSnapshot {
+		t.Fatalf("expected err=%v, got: %v", api.ErrIncompleteSnapshot, err)
+	}
+	wg.Wait()
+	if len(snap) == 0 && readErr == nil {
+		readErr = errors.New("no bytes read")
+	}
+	if readErr != nil {
+		t.Fatal(readErr)
+	}
+}
+
+func TestRaft_SnapshotAPI_RekeyRotate_Backward(t *testing.T) {
+	t.Parallel()
+	type testCase struct {
+		Name               string
+		Rekey              bool
+		Rotate             bool
+		DisablePerfStandby bool
+	}
+
+	tCases := []testCase{
+		{
+			Name:               "rekey",
+			Rekey:              true,
+			Rotate:             false,
+			DisablePerfStandby: true,
+		},
+		{
+			Name:               "rotate",
+			Rekey:              false,
+			Rotate:             true,
+			DisablePerfStandby: true,
+		},
+		{
+			Name:               "both",
+			Rekey:              true,
+			Rotate:             true,
+			DisablePerfStandby: true,
+		},
+	}
+
+	if constants.IsEnterprise {
+		tCases = append(tCases, []testCase{
+			{
+				Name:               "rekey-with-perf-standby",
+				Rekey:              true,
+				Rotate:             false,
+				DisablePerfStandby: false,
+			},
+			{
+				Name:               "rotate-with-perf-standby",
+				Rekey:              false,
+				Rotate:             true,
+				DisablePerfStandby: false,
+			},
+			{
+				Name:               "both-with-perf-standby",
+				Rekey:              true,
+				Rotate:             true,
+				DisablePerfStandby: false,
+			},
+		}...)
+	}
+
+	for _, tCase := range tCases {
+		t.Run(tCase.Name, func(t *testing.T) {
+			// bind locally
+			tCaseLocal := tCase
+			t.Parallel()
+
+			cluster, _ := raftCluster(t, &RaftClusterOpts{DisablePerfStandby: tCaseLocal.DisablePerfStandby})
+			defer cluster.Cleanup()
+
+			leaderClient := cluster.Cores[0].Client
+
+			// Write a few keys
+			for i := 0; i < 10; i++ {
+				_, err := leaderClient.Logical().Write(fmt.Sprintf("secret/%d", i), map[string]interface{}{
+					"test": "data",
+				})
+				if err != nil {
+					t.Fatal(err)
+				}
+			}
+
+			transport := cleanhttp.DefaultPooledTransport()
+			transport.TLSClientConfig = cluster.Cores[0].TLSConfig()
+			if err := http2.ConfigureTransport(transport); err != nil {
+				t.Fatal(err)
+			}
+			client := &http.Client{
+				Transport: transport,
+			}
+
+			// Take a snapshot
+			req := leaderClient.NewRequest("GET", "/v1/sys/storage/raft/snapshot")
+			httpReq, err := req.ToHTTP()
+			if err != nil {
+				t.Fatal(err)
+			}
+			resp, err := client.Do(httpReq)
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer resp.Body.Close()
+
+			snap, err := ioutil.ReadAll(resp.Body)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if len(snap) == 0 {
+				t.Fatal("no snapshot returned")
+			}
+
+			// cache the original barrier keys
+			barrierKeys := cluster.BarrierKeys
+
+			if tCaseLocal.Rotate {
+				// Rotate
+				err = leaderClient.Sys().Rotate()
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				testhelpers.EnsureStableActiveNode(t, cluster)
+				testhelpers.WaitForActiveNodeAndStandbys(t, cluster)
+			}
+
+			if tCaseLocal.Rekey {
+				// Rekey
+				cluster.BarrierKeys = testhelpers.RekeyCluster(t, cluster, false)
+
+				testhelpers.EnsureStableActiveNode(t, cluster)
+				testhelpers.WaitForActiveNodeAndStandbys(t, cluster)
+			}
+
+			if tCaseLocal.Rekey {
+				// Restore snapshot, should fail.
+				req = leaderClient.NewRequest("POST", "/v1/sys/storage/raft/snapshot")
+				req.Body = bytes.NewBuffer(snap)
+				httpReq, err = req.ToHTTP()
+				if err != nil {
+					t.Fatal(err)
+				}
+				resp, err = client.Do(httpReq)
+				if err != nil {
+					t.Fatal(err)
+				}
+				// Parse Response
+				apiResp := api.Response{Response: resp}
+				if !strings.Contains(apiResp.Error().Error(), "could not verify hash file, possibly the snapshot is using a different set of unseal keys") {
+					t.Fatal(apiResp.Error())
+				}
+			}
+
+			// Restore snapshot force
+			req = leaderClient.NewRequest("POST", "/v1/sys/storage/raft/snapshot-force")
+			req.Body = bytes.NewBuffer(snap)
+			httpReq, err = req.ToHTTP()
+			if err != nil {
+				t.Fatal(err)
+			}
+			resp, err = client.Do(httpReq)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			testhelpers.EnsureStableActiveNode(t, cluster)
+			testhelpers.WaitForActiveNodeAndStandbys(t, cluster)
+
+			// Write some data so we can make sure we can read it later. This is testing
+			// that we correctly reload the keyring
+			_, err = leaderClient.Logical().Write("secret/foo", map[string]interface{}{
+				"test": "data",
+			})
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			testhelpers.EnsureCoresSealed(t, cluster)
+
+			cluster.BarrierKeys = barrierKeys
+			testhelpers.EnsureCoresUnsealed(t, cluster)
+			testhelpers.WaitForActiveNode(t, cluster)
+			activeCore := testhelpers.DeriveStableActiveCore(t, cluster)
+
+			// Read the value.
+			data, err := activeCore.Client.Logical().Read("secret/foo")
+			if err != nil {
+				t.Fatal(err)
+			}
+			if data.Data["test"].(string) != "data" {
+				t.Fatal(data)
+			}
+		})
+	}
+}
+
+func TestRaft_SnapshotAPI_RekeyRotate_Forward(t *testing.T) {
+	t.Parallel()
+	type testCase struct {
+		Name               string
+		Rekey              bool
+		Rotate             bool
+		ShouldSeal         bool
+		DisablePerfStandby bool
+	}
+
+	tCases := []testCase{
+		{
+			Name:               "rekey",
+			Rekey:              true,
+			Rotate:             false,
+			ShouldSeal:         false,
+			DisablePerfStandby: true,
+		},
+		{
+			Name:   "rotate",
+			Rekey:  false,
+			Rotate: true,
+			// Rotate writes a new master key upgrade using the new term, which
+			// we can no longer decrypt. We must seal here.
+			ShouldSeal:         true,
+			DisablePerfStandby: true,
+		},
+		{
+			Name:   "both",
+			Rekey:  true,
+			Rotate: true,
+			// If we are moving forward and we have rekeyed and rotated there
+			// isn't any way to restore the latest keys so expect to seal.
+			ShouldSeal:         true,
+			DisablePerfStandby: true,
+		},
+	}
+
+	if constants.IsEnterprise {
+		tCases = append(tCases, []testCase{
+			{
+				Name:               "rekey-with-perf-standby",
+				Rekey:              true,
+				Rotate:             false,
+				ShouldSeal:         false,
+				DisablePerfStandby: false,
+			},
+			{
+				Name:   "rotate-with-perf-standby",
+				Rekey:  false,
+				Rotate: true,
+				// Rotate writes a new master key upgrade using the new term, which
+				// we can no longer decrypt. We must seal here.
+				ShouldSeal:         true,
+				DisablePerfStandby: false,
+			},
+			{
+				Name:   "both-with-perf-standby",
+				Rekey:  true,
+				Rotate: true,
+				// If we are moving forward and we have rekeyed and rotated there
+				// isn't any way to restore the latest keys so expect to seal.
+				ShouldSeal:         true,
+				DisablePerfStandby: false,
+			},
+		}...)
+	}
+
+	for _, tCase := range tCases {
+		t.Run(tCase.Name, func(t *testing.T) {
+			// bind locally
+			tCaseLocal := tCase
+			t.Parallel()
+
+			cluster, _ := raftCluster(t, &RaftClusterOpts{DisablePerfStandby: tCaseLocal.DisablePerfStandby})
+			defer cluster.Cleanup()
+
+			leaderClient := cluster.Cores[0].Client
+
+			// Write a few keys
+			for i := 0; i < 10; i++ {
+				_, err := leaderClient.Logical().Write(fmt.Sprintf("secret/%d", i), map[string]interface{}{
+					"test": "data",
+				})
+				if err != nil {
+					t.Fatal(err)
+				}
+			}
+
+			transport := cleanhttp.DefaultPooledTransport()
+			transport.TLSClientConfig = cluster.Cores[0].TLSConfig()
+			if err := http2.ConfigureTransport(transport); err != nil {
+				t.Fatal(err)
+			}
+			client := &http.Client{
+				Transport: transport,
+			}
+
+			// Take a snapshot
+			req := leaderClient.NewRequest("GET", "/v1/sys/storage/raft/snapshot")
+			httpReq, err := req.ToHTTP()
+			if err != nil {
+				t.Fatal(err)
+			}
+			resp, err := client.Do(httpReq)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			snap, err := ioutil.ReadAll(resp.Body)
+			resp.Body.Close()
+			if err != nil {
+				t.Fatal(err)
+			}
+			if len(snap) == 0 {
+				t.Fatal("no snapshot returned")
+			}
+
+			if tCaseLocal.Rekey {
+				// Rekey
+				cluster.BarrierKeys = testhelpers.RekeyCluster(t, cluster, false)
+
+				testhelpers.EnsureStableActiveNode(t, cluster)
+				testhelpers.WaitForActiveNodeAndStandbys(t, cluster)
+			}
+			if tCaseLocal.Rotate {
+				// Set the key clean up to 0 so it's cleaned immediately. This
+				// will simulate that there are no ways to upgrade to the latest
+				// term.
+				for _, c := range cluster.Cores {
+					c.Core.SetKeyRotateGracePeriod(0)
+				}
+
+				// Rotate
+				err = leaderClient.Sys().Rotate()
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				if !tCaseLocal.DisablePerfStandby {
+					// Without the key upgrade the perf standby nodes will seal and
+					// raft will get into a failure state. Make sure we get the
+					// cluster back into a healthy state before moving forward.
+					testhelpers.WaitForNCoresSealed(t, cluster, 2)
+					testhelpers.EnsureCoresUnsealed(t, cluster)
+					testhelpers.WaitForActiveNodeAndStandbys(t, cluster)
+
+					active := testhelpers.DeriveActiveCore(t, cluster)
+					leaderClient = active.Client
+				}
+			}
+
+			// cache the new barrier keys
+			newBarrierKeys := cluster.BarrierKeys
+
+			// Take another snapshot for later use in "jumping" forward
+			req = leaderClient.NewRequest("GET", "/v1/sys/storage/raft/snapshot")
+			httpReq, err = req.ToHTTP()
+			if err != nil {
+				t.Fatal(err)
+			}
+			resp, err = client.Do(httpReq)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			snap2, err := ioutil.ReadAll(resp.Body)
+			resp.Body.Close()
+			if err != nil {
+				t.Fatal(err)
+			}
+			if len(snap2) == 0 {
+				t.Fatal("no snapshot returned")
+			}
+
+			// Restore snapshot to move us back in time so we can test going
+			// forward
+			req = leaderClient.NewRequest("POST", "/v1/sys/storage/raft/snapshot-force")
+			req.Body = bytes.NewBuffer(snap)
+			httpReq, err = req.ToHTTP()
+			if err != nil {
+				t.Fatal(err)
+			}
+			resp, err = client.Do(httpReq)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			testhelpers.EnsureStableActiveNode(t, cluster)
+			testhelpers.WaitForActiveNodeAndStandbys(t, cluster)
+			if tCaseLocal.Rekey {
+				// Restore snapshot, should fail.
+				req = leaderClient.NewRequest("POST", "/v1/sys/storage/raft/snapshot")
+				req.Body = bytes.NewBuffer(snap2)
+				httpReq, err = req.ToHTTP()
+				if err != nil {
+					t.Fatal(err)
+				}
+				resp, err = client.Do(httpReq)
+				if err != nil {
+					t.Fatal(err)
+				}
+				// Parse Response
+				apiResp := api.Response{Response: resp}
+				if apiResp.Error() == nil || !strings.Contains(apiResp.Error().Error(), "could not verify hash file, possibly the snapshot is using a different set of unseal keys") {
+					t.Fatalf("expected error verifying hash file, got %v", apiResp.Error())
+				}
+
+			}
+
+			// Restore snapshot force
+			req = leaderClient.NewRequest("POST", "/v1/sys/storage/raft/snapshot-force")
+			req.Body = bytes.NewBuffer(snap2)
+			httpReq, err = req.ToHTTP()
+			if err != nil {
+				t.Fatal(err)
+			}
+			resp, err = client.Do(httpReq)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			switch tCaseLocal.ShouldSeal {
+			case true:
+				testhelpers.WaitForNCoresSealed(t, cluster, 3)
+
+			case false:
+				testhelpers.EnsureStableActiveNode(t, cluster)
+				testhelpers.WaitForActiveNodeAndStandbys(t, cluster)
+
+				// Write some data so we can make sure we can read it later. This is testing
+				// that we correctly reload the keyring
+				_, err = leaderClient.Logical().Write("secret/foo", map[string]interface{}{
+					"test": "data",
+				})
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				testhelpers.EnsureCoresSealed(t, cluster)
+
+				cluster.BarrierKeys = newBarrierKeys
+				testhelpers.EnsureCoresUnsealed(t, cluster)
+				testhelpers.WaitForActiveNode(t, cluster)
+				activeCore := testhelpers.DeriveStableActiveCore(t, cluster)
+
+				// Read the value.
+				data, err := activeCore.Client.Logical().Read("secret/foo")
+				if err != nil {
+					t.Fatal(err)
+				}
+				if data.Data["test"].(string) != "data" {
+					t.Fatal(data)
+				}
+			}
+		})
+	}
+}
+
+func TestRaft_SnapshotAPI_DifferentCluster(t *testing.T) {
+	t.Parallel()
+	cluster, _ := raftCluster(t, nil)
+	defer cluster.Cleanup()
+
+	leaderClient := cluster.Cores[0].Client
+
+	// Write a few keys
+	for i := 0; i < 10; i++ {
+		_, err := leaderClient.Logical().Write(fmt.Sprintf("secret/%d", i), map[string]interface{}{
+			"test": "data",
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	transport := cleanhttp.DefaultPooledTransport()
+	transport.TLSClientConfig = cluster.Cores[0].TLSConfig()
+	if err := http2.ConfigureTransport(transport); err != nil {
+		t.Fatal(err)
+	}
+	client := &http.Client{
+		Transport: transport,
+	}
+
+	// Take a snapshot
+	req := leaderClient.NewRequest("GET", "/v1/sys/storage/raft/snapshot")
+	httpReq, err := req.ToHTTP()
+	if err != nil {
+		t.Fatal(err)
+	}
+	resp, err := client.Do(httpReq)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	snap, err := ioutil.ReadAll(resp.Body)
+	resp.Body.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(snap) == 0 {
+		t.Fatal("no snapshot returned")
+	}
+
+	// Cluster 2
+	{
+		cluster2, _ := raftCluster(t, nil)
+		defer cluster2.Cleanup()
+
+		leaderClient := cluster2.Cores[0].Client
+
+		transport := cleanhttp.DefaultPooledTransport()
+		transport.TLSClientConfig = cluster2.Cores[0].TLSConfig()
+		if err := http2.ConfigureTransport(transport); err != nil {
+			t.Fatal(err)
+		}
+		client := &http.Client{
+			Transport: transport,
+		}
+		// Restore snapshot, should fail.
+		req = leaderClient.NewRequest("POST", "/v1/sys/storage/raft/snapshot")
+		req.Body = bytes.NewBuffer(snap)
+		httpReq, err = req.ToHTTP()
+		if err != nil {
+			t.Fatal(err)
+		}
+		resp, err = client.Do(httpReq)
+		if err != nil {
+			t.Fatal(err)
+		}
+		// Parse Response
+		apiResp := api.Response{Response: resp}
+		if !strings.Contains(apiResp.Error().Error(), "could not verify hash file, possibly the snapshot is using a different set of unseal keys") {
+			t.Fatal(apiResp.Error())
+		}
+
+		// Restore snapshot force
+		req = leaderClient.NewRequest("POST", "/v1/sys/storage/raft/snapshot-force")
+		req.Body = bytes.NewBuffer(snap)
+		httpReq, err = req.ToHTTP()
+		if err != nil {
+			t.Fatal(err)
+		}
+		resp, err = client.Do(httpReq)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		testhelpers.WaitForNCoresSealed(t, cluster2, 3)
+	}
+}
+
+func BenchmarkRaft_SingleNode(b *testing.B) {
+	cluster, _ := raftCluster(b, nil)
+	defer cluster.Cleanup()
+
+	leaderClient := cluster.Cores[0].Client
+
+	bench := func(b *testing.B, dataSize int) {
+		data, err := uuid.GenerateRandomBytes(dataSize)
+		if err != nil {
+			b.Fatal(err)
+		}
+
+		testName := b.Name()
+
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			key := fmt.Sprintf("secret/%x", md5.Sum([]byte(fmt.Sprintf("%s-%d", testName, i))))
+			_, err := leaderClient.Logical().Write(key, map[string]interface{}{
+				"test": data,
+			})
+			if err != nil {
+				b.Fatal(err)
+			}
+		}
+	}
+
+	b.Run("256b", func(b *testing.B) { bench(b, 25) })
+}
+
+func TestRaft_Join_InitStatus(t *testing.T) {
+	t.Parallel()
+	var conf vault.CoreConfig
+	opts := vault.TestClusterOptions{HandlerFunc: vaulthttp.Handler}
+	teststorage.RaftBackendSetup(&conf, &opts)
+	opts.SetupFunc = nil
+	cluster := vault.NewTestCluster(t, &conf, &opts)
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	addressProvider := &testhelpers.TestRaftServerAddressProvider{Cluster: cluster}
+
+	leaderCore := cluster.Cores[0]
+	leaderAPI := leaderCore.Client.Address()
+	atomic.StoreUint32(&vault.TestingUpdateClusterAddr, 1)
+
+	// Seal the leader so we can install an address provider
+	{
+		testhelpers.EnsureCoreSealed(t, leaderCore)
+		leaderCore.UnderlyingRawStorage.(*raft.RaftBackend).SetServerAddressProvider(addressProvider)
+		cluster.UnsealCore(t, leaderCore)
+		vault.TestWaitActive(t, leaderCore.Core)
+	}
+
+	joinFunc := func(client *api.Client) {
+		req := &api.RaftJoinRequest{
+			LeaderAPIAddr: leaderAPI,
+			LeaderCACert:  string(cluster.CACertPEM),
+		}
+		resp, err := client.Sys().RaftJoin(req)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if !resp.Joined {
+			t.Fatalf("failed to join raft cluster")
+		}
+	}
+
+	verifyInitStatus := func(coreIdx int, expected bool) {
+		t.Helper()
+		client := cluster.Cores[coreIdx].Client
+
+		initialized, err := client.Sys().InitStatus()
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if initialized != expected {
+			t.Errorf("core %d: expected init=%v, sys/init returned %v", coreIdx, expected, initialized)
+		}
+
+		status, err := client.Sys().SealStatus()
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if status.Initialized != expected {
+			t.Errorf("core %d: expected init=%v, sys/seal-status returned %v", coreIdx, expected, status.Initialized)
+		}
+
+		health, err := client.Sys().Health()
+		if err != nil {
+			t.Fatal(err)
+		}
+		if health.Initialized != expected {
+			t.Errorf("core %d: expected init=%v, sys/health returned %v", coreIdx, expected, health.Initialized)
+		}
+	}
+
+	for i := range cluster.Cores {
+		verifyInitStatus(i, i < 1)
+	}
+
+	joinFunc(cluster.Cores[1].Client)
+	for i, core := range cluster.Cores {
+		verifyInitStatus(i, i < 2)
+		if i == 1 {
+			cluster.UnsealCore(t, core)
+			verifyInitStatus(i, true)
+		}
+	}
+
+	joinFunc(cluster.Cores[2].Client)
+	for i, core := range cluster.Cores {
+		verifyInitStatus(i, true)
+		if i == 2 {
+			cluster.UnsealCore(t, core)
+			verifyInitStatus(i, true)
+		}
+	}
+
+	testhelpers.WaitForActiveNodeAndStandbys(t, cluster)
+	for i := range cluster.Cores {
+		verifyInitStatus(i, true)
+	}
+}
diff --git a/ui/lib/core/addon/components/replication-summary-card.hbs b/ui/lib/core/addon/components/replication-summary-card.hbs
new file mode 100644
index 000000000000..742e03676381
--- /dev/null
+++ b/ui/lib/core/addon/components/replication-summary-card.hbs
@@ -0,0 +1,138 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*ReadCommand)(nil)
+	_ cli.CommandAutocomplete = (*ReadCommand)(nil)
+)
+
+type ReadCommand struct {
+	*BaseCommand
+
+	testStdin io.Reader // for tests
+}
+
+func (c *ReadCommand) Synopsis() string {
+	return "Read data and retrieves secrets"
+}
+
+func (c *ReadCommand) Help() string {
+	helpText := `
+Usage: vault read [options] PATH
+
+  Reads data from Vault at the given path. This can be used to read secrets,
+  generate dynamic credentials, get configuration details, and more.
+
+  Read a secret from the static secrets engine:
+
+      $ vault read secret/my-secret
+
+  For a full list of examples and paths, please see the documentation that
+  corresponds to the secrets engine in use.
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *ReadCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
+}
+
+func (c *ReadCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultFiles()
+}
+
+func (c *ReadCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *ReadCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args, ParseOptionAllowRawFormat(true)); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	// client.ReadRaw* methods require a manual timeout override
+	ctx, cancel := context.WithTimeout(context.Background(), client.ClientTimeout())
+	defer cancel()
+
+	// Pull our fake stdin if needed
+	stdin := (io.Reader)(os.Stdin)
+	if c.testStdin != nil {
+		stdin = c.testStdin
+	}
+
+	path := sanitizePath(args[0])
+
+	data, err := parseArgsDataStringLists(stdin, args[1:])
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Failed to parse K=V data: %s", err))
+		return 1
+	}
+
+	if Format(c.UI) != "raw" {
+		secret, err := client.Logical().ReadWithDataWithContext(ctx, path, data)
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error reading %s: %s", path, err))
+			return 2
+		}
+		if secret == nil {
+			c.UI.Error(fmt.Sprintf("No value found at %s", path))
+			return 2
+		}
+
+		if c.flagField != "" {
+			return PrintRawField(c.UI, secret, c.flagField)
+		}
+
+		return OutputSecret(c.UI, secret)
+	}
+
+	resp, err := client.Logical().ReadRawWithDataWithContext(ctx, path, data)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error reading: %s: %s", path, err))
+		return 2
+	}
+	if resp == nil || resp.Body == nil {
+		c.UI.Error(fmt.Sprintf("No value found at %s", path))
+		return 2
+	}
+	defer resp.Body.Close()
+
+	contents, err := io.ReadAll(resp.Body)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error reading: %s: %s", path, err))
+		return 2
+	}
+
+	return OutputData(c.UI, contents)
+}
diff --git a/ui/lib/core/addon/components/replication-summary-card.js b/ui/lib/core/addon/components/replication-summary-card.js
index df25cac695a6..fe8961afb669 100644
--- a/ui/lib/core/addon/components/replication-summary-card.js
+++ b/ui/lib/core/addon/components/replication-summary-card.js
@@ -1,49 +1,167 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Component from '@ember/component';
-import { computed } from '@ember/object';
-import layout from '../templates/components/replication-summary-card';
-
-/**
- * @module ReplicationSummaryCard
- * The `ReplicationSummaryCard` is a card-like component.  It displays cluster mode details for both DR and Performance
- *
- * @example
- * ```js
- * <ReplicationSummaryCard
-    @title='States'
-    @replicationDetails={DS.Model.replicationDetailsSummary}
-    />
- * ```
- * @param {String} [title=null] - The title to be displayed on the top left corner of the card.
- * @param {Object} replicationDetails=null - An Ember data object computed off the Ember Model.  It combines the Model.dr and Model.performance objects into one and contains details specific to the mode replication.
- */
-
-export default Component.extend({
-  layout,
-  title: null,
-  replicationDetails: null,
-  lastDrWAL: computed('replicationDetails.dr.lastWAL', function () {
-    return this.replicationDetails.dr.lastWAL || 0;
-  }),
-  lastPerformanceWAL: computed('replicationDetails.performance.lastWAL', function () {
-    return this.replicationDetails.performance.lastWAL || 0;
-  }),
-  merkleRootDr: computed('replicationDetails.dr.merkleRoot', function () {
-    return this.replicationDetails.dr.merkleRoot || '';
-  }),
-  merkleRootPerformance: computed('replicationDetails.performance.merkleRoot', function () {
-    return this.replicationDetails.performance.merkleRoot || '';
-  }),
-  knownSecondariesDr: computed('replicationDetails.dr.knownSecondaries', function () {
-    const knownSecondaries = this.replicationDetails.dr.knownSecondaries;
-    return knownSecondaries.length;
-  }),
-  knownSecondariesPerformance: computed('replicationDetails.performance.knownSecondaries', function () {
-    const knownSecondaries = this.replicationDetails.performance.knownSecondaries;
-    return knownSecondaries.length;
-  }),
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+)
+
+func testReadCommand(tb testing.TB) (*cli.MockUi, *ReadCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &ReadCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestReadCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"not_enough_args",
+			[]string{},
+			"Not enough arguments",
+			1,
+		},
+		{
+			"proper_args",
+			[]string{"foo", "bar=baz"},
+			"No value found at foo\n",
+			2,
+		},
+		{
+			"not_found",
+			[]string{"nope/not/once/never"},
+			"",
+			2,
+		},
+		{
+			"default",
+			[]string{"secret/read/foo"},
+			"foo",
+			0,
+		},
+		{
+			"field",
+			[]string{
+				"-field", "foo",
+				"secret/read/foo",
+			},
+			"bar",
+			0,
+		},
+		{
+			"field_not_found",
+			[]string{
+				"-field", "not-a-real-field",
+				"secret/read/foo",
+			},
+			"not present in secret",
+			1,
+		},
+	}
+
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range cases {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				if _, err := client.Logical().Write("secret/read/foo", map[string]interface{}{
+					"foo": "bar",
+				}); err != nil {
+					t.Fatal(err)
+				}
+
+				ui, cmd := testReadCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("%s: expected %q to contain %q", tc.name, combined, tc.out)
+				}
+			})
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testReadCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"secret/foo",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error reading secret/foo: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_data_object_from_api_response", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		ui, cmd := testReadCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"sys/health",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		expected := []string{
+			"cluster_id", "cluster_name", "initialized", "performance_standby", "replication_dr_mode", "replication_performance_mode", "sealed",
+			"server_time_utc", "standby", "version",
+		}
+		for _, expectedField := range expected {
+			if !strings.Contains(combined, expectedField) {
+				t.Errorf("expected %q to contain %q", combined, expected)
+			}
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testReadCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
diff --git a/ui/lib/core/addon/components/string-list.hbs b/ui/lib/core/addon/components/string-list.hbs
index 3c654eecd252..73fc189d36c2 100644
--- a/ui/lib/core/addon/components/string-list.hbs
+++ b/ui/lib/core/addon/components/string-list.hbs
@@ -1,67 +1,22 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
 
-<div
-  class="field string-list form-section"
-  data-test-component="string-list"
-  {{did-insert this.autoSize}}
-  {{did-update this.autoSizeUpdate}}
-  data-test-input
-  ...attributes
->
-  {{#if @label}}
-    <label class="is-label" data-test-string-list-label="true">
-      {{@label}}
-      {{#if @helpText}}
-        <InfoTooltip>{{@helpText}}</InfoTooltip>
-      {{/if}}
-    </label>
-    {{#if @subText}}
-      <p class="sub-text">
-        {{@subText}}
-      </p>
-    {{/if}}
-  {{/if}}
-  {{#each this.inputList as |data index|}}
-    <div class="field is-grouped" data-test-string-list-row={{index}}>
-      <div class="control is-expanded">
-        <Textarea
-          data-test-string-list-input={{index}}
-          class="input {{if (includes index this.indicesWithComma) 'has-warning-border'}}"
-          @value={{data.value}}
-          name={{concat this.elementId "-" index}}
-          id={{concat this.elementId "-" index}}
-          {{on "keyup" (action "inputChanged" index)}}
-          {{on "change" (action "inputChanged" index)}}
-        />
-      </div>
-      <div class="control is-narrow">
-        {{#if (eq (inc index) this.inputList.length)}}
-          <Hds::Button @text="Add" data-test-string-list-button="add" {{on "click" this.addInput}} @isFullWidth={{true}} />
-        {{else}}
-          <Hds::Button
-            @text="delete row"
-            @icon="trash"
-            @isIconOnly={{true}}
-            @color="secondary"
-            @isFullWidth={{true}}
-            data-test-string-list-button="delete"
-            {{on "click" (fn this.removeInput index)}}
-          />
-        {{/if}}
-      </div>
-      {{#if (includes index this.indicesWithComma)}}
-        <Icon class="is-flex-v-centered has-text-highlight" @name="alert-triangle-fill" />
-      {{/if}}
-    </div>
-  {{/each}}
-  {{#if this.indicesWithComma}}
-    <AlertInline
-      @type="warning"
-      @message="Input contains a comma. Please separate values into individual rows."
-      @isMarginless={{true}}
-    />
-  {{/if}}
-</div>
\ No newline at end of file
+import modifyPassthroughResponse from '../helpers/modify-passthrough-response';
+import { Response } from 'miragejs';
+
+export default function (server) {
+  server.get('/sys/health', (schema, req) =>
+    modifyPassthroughResponse(req, { version: '', cluster_name: '' })
+  );
+  server.get('/sys/seal-status', (schema, req) =>
+    modifyPassthroughResponse(req, { version: '', cluster_name: '', build_date: '' })
+  );
+  server.get('sys/replication/status', () => new Response(404, {}, { errors: ['disabled path'] }));
+  server.get('sys/replication/dr/status', () => new Response(404, {}, { errors: ['disabled path'] }));
+  server.get(
+    'sys/replication/performance/status',
+    () => new Response(404, {}, { errors: ['disabled path'] })
+  );
+}
diff --git a/ui/lib/core/addon/components/text-file.hbs b/ui/lib/core/addon/components/text-file.hbs
index e3fd0ec46864..75119d4e7268 100644
--- a/ui/lib/core/addon/components/text-file.hbs
+++ b/ui/lib/core/addon/components/text-file.hbs
@@ -1,65 +1,62 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-{{#unless @uploadOnly}}
-  <div class="level is-mobile">
-    <div class="level-left">
-      <label for="input-{{this.elementId}}" class="has-text-weight-semibold" data-test-text-file-label>
-        {{or @label "File"}}
-        {{#if @helpText}}
-          <InfoTooltip>
-            <span data-test-help-text>
-              {{@helpText}}
-            </span>
-          </InfoTooltip>
-        {{/if}}
-      </label>
-    </div>
-    <div class="level-right">
-      <Input
-        data-test-text-toggle
-        id="use-text-{{this.elementId}}"
-        class="toggle is-success is-small"
-        @type="checkbox"
-        @checked={{this.showTextArea}}
-        {{on "change" (fn (mut this.showTextArea) (not this.showTextArea))}}
-      />
-      <label for="use-text-{{this.elementId}}" class="has-text-weight-bold is-size-8">
-        Enter as text
-      </label>
-    </div>
-  </div>
-{{/unless}}
-<div class="field text-file box is-fullwidth is-marginless is-shadowless is-paddingless" data-test-component="text-file">
-  {{#if this.showTextArea}}
-    <Hds::Form::MaskedInput::Field
-      id="input-{{this.elementId}}"
-      @value={{this.content}}
-      @isMultiline={{true}}
-      {{on "input" this.handleTextInput}}
-      data-test-text-file-textarea
-      as |F|
-    >
-      <F.HelperText>Enter the value as text </F.HelperText>
-    </Hds::Form::MaskedInput::Field>
-  {{else}}
-    <Hds::Form::FileInput::Field
-      id="file-input-{{this.elementId}}"
-      {{on "change" this.handleFileUpload}}
-      data-test-text-file-input
-      as |F|
-    >
-      <F.HelperText>Select a file from your computer</F.HelperText>
-    </Hds::Form::FileInput::Field>
-    {{#if (or @validationError this.uploadError)}}
-      <AlertInline
-        @type="danger"
-        @message={{or @validationError this.uploadError}}
-        @paddingTop={{true}}
-        data-test-field-validation="text-file"
-      />
-    {{/if}}
-  {{/if}}
-</div>
\ No newline at end of file
+---
+layout: docs
+page_title: plugin runtime register - Command
+description: |-
+  The "plugin runtime register" command registers a new plugin runtime in Vault's plugin runtime
+  catalog.
+---
+
+# plugin runtime register
+
+Register a new plugin runtime in the plugin runtime catalog of your Vault instance.
+
+<Note title="Limited type support">
+  Support for runtime types is currently limited to `container`.
+</Note>
+
+To use a registered plugin runtime, use the `-runtime` option with the
+[plugin registration command](/vault/docs/commands/plugin/register).
+
+## Examples
+
+Register a plugin runtime:
+
+```shell-session
+$ vault plugin runtime register -type=container -oci_runtime=runc runc
+Success! Registered plugin runtime: runc
+```
+
+Register a plugin runtime with resource limits:
+
+```shell-session
+vault plugin runtime register \
+    -type=container \
+    -cpu_nanos=100000000 \
+  runsc
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/vault/docs/commands) included on all commands.
+
+### Command options
+
+- `-type` `(string: <required>)` - Plugin runtime type. Vault currently only
+  supports `container` as a runtime type.
+
+- `-rootless` `(bool: false)` - Whether the container runtime is running as a
+  non-privileged user. Must be set if plugin container images are also configured
+  to run as a non-root user.
+
+- `-cgroup_parent` `(string: "")` - Parent cgroup to set for each container.
+  Use `cgroup_parent` to control the total resource usage for a group of plugins.
+
+- `-cpu_nanos` `(int: 0)` - CPU limit to set per container in billionths of a
+  CPU core. Defaults to no limit.
+
+- `-memory_bytes` `(int: 0)` - Memory limit to set per container in bytes.
+  Defaults to no limit.
+
+- `-oci_runtime` `(string: "")` - Open Container Initiative (OCI) compliant
+  container runtime to use. Default is the gVisor OCI runtime, `runsc`.
diff --git a/ui/lib/core/addon/helpers/is-version.js b/ui/lib/core/addon/helpers/is-version.js
index 88c6da62c751..a7278b037f26 100644
--- a/ui/lib/core/addon/helpers/is-version.js
+++ b/ui/lib/core/addon/helpers/is-version.js
@@ -1,24 +1,551 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-/* eslint-disable ember/no-observers */
-import { inject as service } from '@ember/service';
-import { assert } from '@ember/debug';
-import Helper from '@ember/component/helper';
-import { observer } from '@ember/object';
-
-export default Helper.extend({
-  version: service(),
-  onFeaturesChange: observer('version.version', function () {
-    this.recompute();
-  }),
-  compute([sku]) {
-    if (sku !== 'OSS' && sku !== 'Enterprise') {
-      assert(`${sku} is not one of the available values for Vault versions.`, false);
-      return false;
-    }
-    return this.get(`version.is${sku}`);
-  },
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package vault
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+	"strings"
+	"testing"
+
+	log "github.com/hashicorp/go-hclog"
+
+	"github.com/hashicorp/vault/sdk/helper/logging"
+	"github.com/hashicorp/vault/sdk/physical"
+	"github.com/hashicorp/vault/sdk/physical/inmem"
+	"github.com/hashicorp/vault/vault/seal"
+)
+
+func TestCore_Rekey_Lifecycle(t *testing.T) {
+	bc := &SealConfig{
+		SecretShares:    1,
+		SecretThreshold: 1,
+		StoredShares:    1,
+	}
+	c, masterKeys, _, _ := TestCoreUnsealedWithConfigs(t, bc, nil)
+	if len(masterKeys) != 1 {
+		t.Fatalf("expected %d keys, got %d", bc.SecretShares-bc.StoredShares, len(masterKeys))
+	}
+	testCore_Rekey_Lifecycle_Common(t, c, false)
+}
+
+func testCore_Rekey_Lifecycle_Common(t *testing.T, c *Core, recovery bool) {
+	min, _ := c.barrier.KeyLength()
+	// Verify update not allowed
+	_, err := c.RekeyUpdate(context.Background(), make([]byte, min), "", recovery)
+	expected := "no barrier rekey in progress"
+	if recovery {
+		expected = "no recovery rekey in progress"
+	}
+	if err == nil || !strings.Contains(err.Error(), expected) {
+		t.Fatalf("no rekey should be in progress, err: %v", err)
+	}
+
+	// Should be no progress
+	if _, _, err := c.RekeyProgress(recovery, false); err == nil {
+		t.Fatal("expected error from RekeyProgress")
+	}
+
+	// Should be no config
+	conf, err := c.RekeyConfig(recovery)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if conf != nil {
+		t.Fatalf("bad: %v", conf)
+	}
+
+	// Cancel should be idempotent
+	err = c.RekeyCancel(false)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Start a rekey
+	newConf := &SealConfig{
+		SecretThreshold: 3,
+		SecretShares:    5,
+	}
+	err = c.RekeyInit(newConf, recovery)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Should get config
+	conf, err = c.RekeyConfig(recovery)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	newConf.Nonce = conf.Nonce
+	if !reflect.DeepEqual(conf, newConf) {
+		t.Fatalf("bad: %v", conf)
+	}
+
+	// Cancel should be clear
+	err = c.RekeyCancel(recovery)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Should be no config
+	conf, err = c.RekeyConfig(recovery)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if conf != nil {
+		t.Fatalf("bad: %v", conf)
+	}
+}
+
+func TestCore_Rekey_Init(t *testing.T) {
+	t.Run("barrier-rekey-init", func(t *testing.T) {
+		c, _, _ := TestCoreUnsealed(t)
+		testCore_Rekey_Init_Common(t, c, false)
+	})
+}
+
+func testCore_Rekey_Init_Common(t *testing.T, c *Core, recovery bool) {
+	// Try an invalid config
+	badConf := &SealConfig{
+		SecretThreshold: 5,
+		SecretShares:    1,
+	}
+	err := c.RekeyInit(badConf, recovery)
+	if err == nil {
+		t.Fatalf("should fail")
+	}
+
+	// Start a rekey
+	newConf := &SealConfig{
+		SecretThreshold: 3,
+		SecretShares:    5,
+	}
+
+	// If recovery key is supported, set newConf
+	// to be a recovery seal config
+	if c.seal.RecoveryKeySupported() {
+		newConf.Type = c.seal.RecoverySealConfigType().String()
+	}
+
+	err = c.RekeyInit(newConf, recovery)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Second should fail
+	err = c.RekeyInit(newConf, recovery)
+	if err == nil {
+		t.Fatalf("should fail")
+	}
+}
+
+func TestCore_Rekey_Update(t *testing.T) {
+	bc := &SealConfig{
+		SecretShares:    1,
+		SecretThreshold: 1,
+	}
+	c, masterKeys, _, root := TestCoreUnsealedWithConfigs(t, bc, nil)
+	testCore_Rekey_Update_Common(t, c, masterKeys, root, false)
+}
+
+func testCore_Rekey_Update_Common(t *testing.T, c *Core, keys [][]byte, root string, recovery bool) {
+	testCore_Rekey_Update_Common_Error(t, c, keys, root, recovery, false)
+}
+
+func testCore_Rekey_Update_Common_Error(t *testing.T, c *Core, keys [][]byte, root string, recovery bool, wantRekeyUpdateError bool) {
+	var err error
+	// Start a rekey
+	var expType string
+	if recovery {
+		expType = c.seal.RecoverySealConfigType().String()
+	} else {
+		expType = c.seal.BarrierSealConfigType().String()
+	}
+
+	newConf := &SealConfig{
+		Type:            expType,
+		SecretThreshold: 3,
+		SecretShares:    5,
+	}
+	hErr := c.RekeyInit(newConf, recovery)
+	if hErr != nil {
+		t.Fatalf("err: %v", hErr)
+	}
+
+	// Fetch new config with generated nonce
+	rkconf, hErr := c.RekeyConfig(recovery)
+	if hErr != nil {
+		t.Fatalf("err: %v", hErr)
+	}
+	if rkconf == nil {
+		t.Fatalf("bad: no rekey config received")
+	}
+
+	// Provide the master/recovery keys
+	var result *RekeyResult
+	for _, key := range keys {
+		result, err = c.RekeyUpdate(context.Background(), key, rkconf.Nonce, recovery)
+		if err != nil {
+			if !wantRekeyUpdateError {
+				t.Fatalf("err: %v", err)
+			} else {
+				return
+			}
+		}
+		if result != nil {
+			break
+		}
+	}
+	if wantRekeyUpdateError {
+		t.Fatal("expected and error during RekeyUpdate")
+	}
+	if result == nil {
+		t.Fatal("nil result after update")
+	}
+
+	// Should be no progress
+	if _, _, err := c.RekeyProgress(recovery, false); err == nil {
+		t.Fatal("expected error from RekeyProgress")
+	}
+
+	// Should be no config
+	conf, hErr := c.RekeyConfig(recovery)
+	if hErr != nil {
+		t.Fatalf("rekey config error: %v", hErr)
+	}
+	if conf != nil {
+		t.Fatalf("rekey config should be nil, got: %v", conf)
+	}
+
+	// SealConfig should update
+	var sealConf *SealConfig
+	if recovery {
+		sealConf, err = c.seal.RecoveryConfig(context.Background())
+	} else {
+		sealConf, err = c.seal.BarrierConfig(context.Background())
+	}
+	if err != nil {
+		t.Fatalf("seal config retrieval error: %v", err)
+	}
+	if sealConf == nil {
+		t.Fatal("seal configuration is nil")
+	}
+
+	newConf.Nonce = rkconf.Nonce
+	if !reflect.DeepEqual(sealConf, newConf) {
+		t.Fatalf("\nexpected: %#v\nactual: %#v\nexpType: %s\nrecovery: %t", newConf, sealConf, expType, recovery)
+	}
+
+	// At this point bail if we are rekeying the barrier key with recovery
+	// keys, since a new rekey should still be using the same set of recovery
+	// keys and we haven't been returned key shares in this mode.
+	if !recovery && c.seal.RecoveryKeySupported() {
+		return
+	}
+
+	// Attempt unseal if this was not recovery mode
+	if !recovery {
+		err = c.Seal(root)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		for i := 0; i < newConf.SecretThreshold; i++ {
+			_, err = TestCoreUnseal(c, TestKeyCopy(result.SecretShares[i]))
+			if err != nil {
+				t.Fatalf("err: %v", err)
+			}
+		}
+		if c.Sealed() {
+			t.Fatalf("should be unsealed")
+		}
+	}
+
+	// Start another rekey, this time we require a quorum!
+
+	newConf = &SealConfig{
+		Type:            expType,
+		SecretThreshold: 1,
+		SecretShares:    1,
+	}
+	err = c.RekeyInit(newConf, recovery)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Fetch new config with generated nonce
+	rkconf, err = c.RekeyConfig(recovery)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if rkconf == nil {
+		t.Fatalf("bad: no rekey config received")
+	}
+
+	// Provide the parts master
+	oldResult := result
+	for i := 0; i < 3; i++ {
+		result, err = c.RekeyUpdate(context.Background(), TestKeyCopy(oldResult.SecretShares[i]), rkconf.Nonce, recovery)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		// Should be progress
+		if i < 2 {
+			_, num, err := c.RekeyProgress(recovery, false)
+			if err != nil {
+				t.Fatalf("err: %v", err)
+			}
+			if num != i+1 {
+				t.Fatalf("bad: %d", num)
+			}
+		}
+	}
+	if result == nil || len(result.SecretShares) != 1 {
+		t.Fatalf("Bad: %#v", result)
+	}
+
+	// Attempt unseal if this was not recovery mode
+	if !recovery {
+		err = c.Seal(root)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		unseal, err := TestCoreUnseal(c, result.SecretShares[0])
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		if !unseal {
+			t.Fatalf("should be unsealed")
+		}
+	}
+
+	// SealConfig should update
+	if recovery {
+		sealConf, err = c.seal.RecoveryConfig(context.Background())
+	} else {
+		sealConf, err = c.seal.BarrierConfig(context.Background())
+	}
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	newConf.Nonce = rkconf.Nonce
+	if !reflect.DeepEqual(sealConf, newConf) {
+		t.Fatalf("bad: %#v", sealConf)
+	}
+}
+
+func TestCore_Rekey_Legacy(t *testing.T) {
+	bc := &SealConfig{
+		SecretShares:    1,
+		SecretThreshold: 1,
+	}
+	c, masterKeys, _, root := TestCoreUnsealedWithConfigSealOpts(t, bc, nil,
+		&seal.TestSealOpts{StoredKeys: seal.StoredKeysNotSupported})
+	testCore_Rekey_Update_Common(t, c, masterKeys, root, false)
+}
+
+func TestCore_Rekey_Invalid(t *testing.T) {
+	bc := &SealConfig{
+		SecretShares:    5,
+		SecretThreshold: 3,
+	}
+	bc.StoredShares = 0
+	bc.SecretShares = 1
+	bc.SecretThreshold = 1
+	c, masterKeys, _, _ := TestCoreUnsealedWithConfigs(t, bc, nil)
+	testCore_Rekey_Invalid_Common(t, c, masterKeys, false)
+}
+
+func testCore_Rekey_Invalid_Common(t *testing.T, c *Core, keys [][]byte, recovery bool) {
+	// Start a rekey
+	newConf := &SealConfig{
+		SecretThreshold: 3,
+		SecretShares:    5,
+	}
+	err := c.RekeyInit(newConf, recovery)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Fetch new config with generated nonce
+	rkconf, err := c.RekeyConfig(recovery)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if rkconf == nil {
+		t.Fatalf("bad: no rekey config received")
+	}
+
+	// Provide the nonce (invalid)
+	_, err = c.RekeyUpdate(context.Background(), keys[0], "abcd", recovery)
+	if err == nil {
+		t.Fatalf("expected error")
+	}
+
+	// Provide the key (invalid)
+	key := keys[0]
+	oldkeystr := fmt.Sprintf("%#v", key)
+	key[0]++
+	newkeystr := fmt.Sprintf("%#v", key)
+	ret, err := c.RekeyUpdate(context.Background(), key, rkconf.Nonce, recovery)
+	if err == nil {
+		t.Fatalf("expected error, ret is %#v\noldkeystr: %s\nnewkeystr: %s", *ret, oldkeystr, newkeystr)
+	}
+
+	// Check progress has been reset
+	_, num, err := c.RekeyProgress(recovery, false)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if num != 0 {
+		t.Fatalf("rekey progress should be 0, got: %d", num)
+	}
+}
+
+func TestCore_Rekey_Standby(t *testing.T) {
+	// Create the first core and initialize it
+	logger := logging.NewVaultLogger(log.Trace)
+
+	inm, err := inmem.NewInmemHA(nil, logger)
+	if err != nil {
+		t.Fatal(err)
+	}
+	inmha, err := inmem.NewInmemHA(nil, logger)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	redirectOriginal := "http://127.0.0.1:8200"
+	core, err := NewCore(&CoreConfig{
+		Physical:     inm,
+		HAPhysical:   inmha.(physical.HABackend),
+		RedirectAddr: redirectOriginal,
+		DisableMlock: true,
+		DisableCache: true,
+	})
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	defer core.Shutdown()
+	keys, root := TestCoreInit(t, core)
+	for _, key := range keys {
+		if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil {
+			t.Fatalf("unseal err: %s", err)
+		}
+	}
+
+	// Wait for core to become active
+	TestWaitActive(t, core)
+
+	// Create a second core, attached to same in-memory store
+	redirectOriginal2 := "http://127.0.0.1:8500"
+	core2, err := NewCore(&CoreConfig{
+		Physical:     inm,
+		HAPhysical:   inmha.(physical.HABackend),
+		RedirectAddr: redirectOriginal2,
+		DisableMlock: true,
+		DisableCache: true,
+	})
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	defer core2.Shutdown()
+	for _, key := range keys {
+		if _, err := TestCoreUnseal(core2, TestKeyCopy(key)); err != nil {
+			t.Fatalf("unseal err: %s", err)
+		}
+	}
+
+	// Rekey the master key
+	newConf := &SealConfig{
+		SecretShares:    1,
+		SecretThreshold: 1,
+	}
+	err = core.RekeyInit(newConf, false)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	// Fetch new config with generated nonce
+	rkconf, err := core.RekeyConfig(false)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if rkconf == nil {
+		t.Fatalf("bad: no rekey config received")
+	}
+	var rekeyResult *RekeyResult
+	for _, key := range keys {
+		rekeyResult, err = core.RekeyUpdate(context.Background(), key, rkconf.Nonce, false)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+	}
+	if rekeyResult == nil {
+		t.Fatalf("rekey failed")
+	}
+
+	// Seal the first core, should step down
+	err = core.Seal(root)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Wait for core2 to become active
+	TestWaitActive(t, core2)
+
+	// Rekey the master key again
+	err = core2.RekeyInit(newConf, false)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	// Fetch new config with generated nonce
+	rkconf, err = core2.RekeyConfig(false)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if rkconf == nil {
+		t.Fatalf("bad: no rekey config received")
+	}
+	var rekeyResult2 *RekeyResult
+	for _, key := range rekeyResult.SecretShares {
+		rekeyResult2, err = core2.RekeyUpdate(context.Background(), key, rkconf.Nonce, false)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+	}
+	if rekeyResult2 == nil {
+		t.Fatalf("rekey failed")
+	}
+
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if rekeyResult2 == nil {
+		t.Fatalf("rekey failed")
+	}
+}
+
+// verifies that if we are using recovery keys to force a
+// rekey of a stored-shares barrier that verification is not allowed since
+// the keys aren't returned
+func TestSysRekey_Verification_Invalid(t *testing.T) {
+	core, _, _, _ := TestCoreUnsealedWithConfigSealOpts(t,
+		&SealConfig{StoredShares: 1, SecretShares: 1, SecretThreshold: 1},
+		&SealConfig{StoredShares: 1, SecretShares: 1, SecretThreshold: 1},
+		&seal.TestSealOpts{StoredKeys: seal.StoredKeysSupportedGeneric})
+
+	err := core.BarrierRekeyInit(&SealConfig{
+		VerificationRequired: true,
+		StoredShares:         1,
+	})
+
+	if err == nil {
+		t.Fatal("expected error")
+	}
+	if !strings.Contains(err.Error(), "requiring verification not supported") {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}
diff --git a/ui/lib/core/addon/templates/components/edit-form.hbs b/ui/lib/core/addon/templates/components/edit-form.hbs
index 02f0b12a0e73..3528840aa6ac 100644
--- a/ui/lib/core/addon/templates/components/edit-form.hbs
+++ b/ui/lib/core/addon/templates/components/edit-form.hbs
@@ -1,37 +1,18 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
 
-<form {{action (perform this.save this.model) on="submit"}}>
-  <MessageError @model={{this.model}} data-test-edit-form-error />
-  <div class={{if this.includeBox "box is-sideless is-fullwidth is-marginless"}}>
-    <NamespaceReminder @mode="save" />
-    {{#if (or this.model.fields this.model.attrs)}}
-      {{#each (or this.model.fields this.model.attrs) as |attr|}}
-        <FormField
-          data-test-field
-          @attr={{attr}}
-          @model={{this.model}}
-          @mode={{@mode}}
-          @modelValidations={{this.modelValidations}}
-        />
-      {{/each}}
-    {{else if this.model.fieldGroups}}
-      <FormFieldGroups @model={{this.model}} @mode={{@mode}} @modelValidations={{this.modelValidations}} />
-    {{/if}}
-  </div>
-  <FormSaveButtons
-    @isSaving={{this.save.isRunning}}
-    @saveButtonText={{this.saveButtonText}}
-    @cancelLinkParams={{@cancelLinkParams}}
-    @includeBox={{this.includeBox}}
-    @onCancel={{@onCancel}}
-  >
-    <:error>
-      {{#if this.invalidFormAlert}}
-        <AlertInline @type="danger" @paddingTop={{true}} @message={{this.invalidFormAlert}} @mimicRefresh={{true}} />
-      {{/if}}
-    </:error>
-  </FormSaveButtons>
-</form>
\ No newline at end of file
+//go:build !enterprise
+
+package vault
+
+import (
+	"io"
+
+	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/vault/vault/seal"
+)
+
+//go:generate go run github.com/hashicorp/vault/tools/stubmaker
+
+func (c *Core) reloadSealsEnt(secureRandomReader io.Reader, sealAccess seal.Access, logger hclog.Logger) {
+}
diff --git a/ui/lib/core/addon/templates/components/replication-action-disable.hbs b/ui/lib/core/addon/templates/components/replication-action-disable.hbs
index cb23af901f3a..1ac951ee7356 100644
--- a/ui/lib/core/addon/templates/components/replication-action-disable.hbs
+++ b/ui/lib/core/addon/templates/components/replication-action-disable.hbs
@@ -31,8 +31,8 @@
   @isActive={{this.isModalActive}}
   @confirmText={{this.model.replicationModeForDisplay}}
   @toConfirmMsg="disabling {{this.model.replicationModeForDisplay}} Replication on this cluster"
-  @onConfirm={{action
-    "onSubmit"
+  @onConfirm={{fn
+    (action "onSubmit")
     "disable"
     (if (eq this.model.replicationAttrs.modeForUrl "bootstrapping") this.mode this.model.replicationAttrs.modeForUrl)
   }}
diff --git a/ui/lib/core/addon/templates/components/replication-actions.hbs b/ui/lib/core/addon/templates/components/replication-actions.hbs
index 05b4b8c677ef..77c5108e1f22 100644
--- a/ui/lib/core/addon/templates/components/replication-actions.hbs
+++ b/ui/lib/core/addon/templates/components/replication-actions.hbs
@@ -1,25 +1,19 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
 
-{{#if this.loading}}
-  <LayoutLoading />
-{{else}}
-  <MessageError @errors={{this.errors}} />
-  <div class="replication-actions-grid-layout">
-    {{#each
-      (replication-action-for-mode this.replicationMode this.model.replicationAttrs.modeForUrl)
-      as |replicationAction|
-    }}
-      <div class="replication-actions-grid-item">
-        {{component
-          (concat "replication-action-" replicationAction)
-          onSubmit=(action "onSubmit")
-          replicationMode=this.replicationMode
-          model=this.model
-        }}
-      </div>
-    {{/each}}
-  </div>
-{{/if}}
\ No newline at end of file
+import Actions from 'core/components/replication-actions-single';
+import layout from '../templates/components/replication-action-disable';
+
+export default Actions.extend({
+  layout,
+  tagName: '',
+
+  actions: {
+    onSubmit(replicationMode, clusterMode, evt) {
+      // No data is submitted for disable request
+      return this.onSubmit(replicationMode, clusterMode, null, evt);
+    },
+  },
+});
diff --git a/ui/lib/core/addon/templates/components/replication-header.hbs b/ui/lib/core/addon/templates/components/replication-header.hbs
index b8e0f0afc6bc..718ad28a151f 100644
--- a/ui/lib/core/addon/templates/components/replication-header.hbs
+++ b/ui/lib/core/addon/templates/components/replication-header.hbs
@@ -3,56 +3,25 @@
   SPDX-License-Identifier: BUSL-1.1
 ~}}
 
-<PageHeader as |p|>
-  <p.top>
-    {{! template-lint-configure simple-unless "warn" }}
-    {{#unless (or this.isSummaryDashboard this.isSecondary)}}
-      <KeyValueHeader @baseKey={{this.baseKey}} @path="vault.cluster.replication-dr-promote" @root={{this.backendCrumb}}>
-        <li>
-          <span class="sep">
-            /
-          </span>
-          <LinkTo @route="vault.cluster.replication.index">
-            Replication
-          </LinkTo>
-        </li>
-      </KeyValueHeader>
-    {{/unless}}
-  </p.top>
-  <p.levelLeft>
-    <h1 class="title is-3">
-      {{this.title}}
-      {{#if this.data.anyReplicationEnabled}}
-        <span class="tag is-light has-text-grey-dark" data-test-mode>
-          {{if this.isSecondary "secondary" "primary"}}
-        </span>
-        <span class="tag is-light has-text-grey-dark" data-test-secondaryId>
-          {{this.secondaryId}}
-        </span>
-      {{/if}}
-    </h1>
-  </p.levelLeft>
-</PageHeader>
-
-{{#if this.showTabs}}
-  <div class="tabs-container box is-bottomless is-fullwidth is-paddingless has-bottom-margin-l" data-test-tabs>
-    <nav class="tabs">
-      {{#if this.isSummaryDashboard}}
-        <ul>
-          <li class="is-active">
-            <LinkToExternal @route="replication">Summary</LinkToExternal>
-          </li>
-        </ul>
-      {{else}}
-        <ul>
-          <LinkTo @route="vault.cluster.replication-dr-promote.details">
-            Details
-          </LinkTo>
-          <LinkTo @route="vault.cluster.replication-dr-promote" @current-when="vault.cluster.replication-dr-promote.index">
-            Manage
-          </LinkTo>
-        </ul>
-      {{/if}}
-    </nav>
+{{#if this.loading}}
+  <LayoutLoading />
+{{else}}
+  <MessageError @errors={{this.errors}} />
+  <div class="replication-actions-grid-layout">
+    {{#each
+      (replication-action-for-mode this.replicationMode this.model.replicationAttrs.modeForUrl)
+      as |replicationAction|
+    }}
+      <div class="replication-actions-grid-item">
+        <Hds::Card::Container class="action-block-width" @hasBorder={{true}}>
+          {{component
+            (concat "replication-action-" replicationAction)
+            onSubmit=(action "onSubmit")
+            replicationMode=this.replicationMode
+            model=this.model
+          }}
+        </Hds::Card::Container>
+      </div>
+    {{/each}}
   </div>
 {{/if}}
\ No newline at end of file
diff --git a/ui/lib/core/addon/templates/components/replication-mode-summary.hbs b/ui/lib/core/addon/templates/components/replication-mode-summary.hbs
index ae94e978e086..286a636841ee 100644
--- a/ui/lib/core/addon/templates/components/replication-mode-summary.hbs
+++ b/ui/lib/core/addon/templates/components/replication-mode-summary.hbs
@@ -3,119 +3,56 @@
   SPDX-License-Identifier: BUSL-1.1
 ~}}
 
-{{#if this.isMenu}}
-  {{! this is the status menu }}
-  <div class="level is-mobile">
-    <div class="is-flex-grow-1">
-      {{#if this.replicationUnsupported}}
-        Unsupported
-      {{else if this.replicationEnabled}}
-        <div>
-          {{concat (if (eq this.mode "performance") "Performance " "Disaster Recovery ") (capitalize this.modeForUrl)}}
-        </div>
-        {{#if this.secondaryId}}
-          <small>
-            <code>
-              {{this.secondaryId}}
-            </code>
-          </small>
-        {{/if}}
-        <small>
-          <code>
-            {{this.clusterIdDisplay}}
-          </code>
-        </small>
-      {{else if (and (eq this.mode "performance") (not (has-feature "Performance Replication")))}}
-        Learn more
-      {{else if this.auth.currentToken}}
-        Enable
-        {{if (eq this.mode "performance") "Performance" "Disaster Recovery"}}
-      {{else}}
-        <span class="has-text-grey-light">
-          {{if (eq this.mode "performance") "Performance" "Disaster Recovery"}}
-        </span>
-      {{/if}}
-    </div>
-    <div class="level-right">
-      {{#if this.replicationEnabled}}
-        {{#if (cluster-states this.modeState)}}
-          <span class={{if (get (cluster-states this.modeState) "isOk") "has-text-success" "has-text-danger"}}>
-            <Icon @name={{get (cluster-states this.modeState) "glyph"}} />
+<PageHeader as |p|>
+  <p.top>
+    {{! template-lint-configure simple-unless "warn" }}
+    {{#unless (or this.isSummaryDashboard this.isSecondary)}}
+      <KeyValueHeader @baseKey={{this.baseKey}} @path="vault.cluster.replication-dr-promote" @root={{this.backendCrumb}}>
+        <li>
+          <span class="sep">
+            /
           </span>
-        {{else if this.syncProgress}}
-          <progress value={{this.syncProgressPercent}} max="100" class="progress is-small is-narrow is-info">
-            {{this.syncProgress.progress}}
-            of
-            {{this.syncProgress.total}}
-            keys
-          </progress>
-        {{/if}}
-      {{else}}
-        <Icon @name="minus-circle" aria-label="Replication not enabled" class="has-text-grey-light" />
+          <LinkTo @route="vault.cluster.replication.index">
+            Replication
+          </LinkTo>
+        </li>
+      </KeyValueHeader>
+    {{/unless}}
+  </p.top>
+  <p.levelLeft>
+    <h1 class="title is-3" data-test-replication-title>
+      {{this.title}}
+      {{#if this.data.anyReplicationEnabled}}
+        <span class="tag is-light has-text-grey-dark" data-test-mode>
+          {{if this.isSecondary "secondary" "primary"}}
+        </span>
+        <span class="tag is-light has-text-grey-dark" data-test-secondaryId>
+          {{this.secondaryId}}
+        </span>
       {{/if}}
-    </div>
-  </div>
-{{else}}
-  {{! this is the replication index page }}
-  <div class="level">
-    <div class="replication-description level-left">
-      <div>
-        {{#if (and (eq this.mode "performance") (not (has-feature "Performance Replication")))}}
-          <p>
-            Performance Replication is a feature of Vault Enterprise Premium.
-          </p>
-          <p class="has-text-centered">
-            <ExternalLink
-              @href="https://hashicorp.com/products/vault/trial?source=vaultui_Performance%20Replication"
-              class="button is-ghost has-icon-right"
-              data-test-upgrade-link
-            >
-              Learn more
-              <Chevron />
-            </ExternalLink>
-          </p>
-        {{else if this.replicationEnabled}}
-          <h6 class="title is-6 is-uppercase">
-            Enabled
-          </h6>
-          <div class="detail-tags">
-            <span class="has-text-grey">
-              {{capitalize this.modeForUrl}}
-            </span>
-            {{#if this.secondaryId}}
-              <span class="tag is-light has-text-grey-dark">
-                <code>
-                  {{this.secondaryId}}
-                </code>
-              </span>
-            {{/if}}
-            <span class="tag is-light has-text-grey-dark">
-              <code>
-                {{this.clusterIdDisplay}}
-              </code>
-            </span>
-          </div>
-        {{/if}}
-        <p class="help has-text-grey-dark">
-          {{replication-mode-description this.mode}}
-        </p>
-      </div>
-    </div>
-    <div class="level-right">
-      {{#if this.replicationDisabled}}
-        <LinkTo
-          @route="mode.index"
-          @models={{array this.cluster.name this.mode}}
-          class="button is-primary"
-          data-test-replication-promote-secondary
-        >
-          Enable
-        </LinkTo>
+    </h1>
+  </p.levelLeft>
+</PageHeader>
+
+{{#if this.showTabs}}
+  <div class="tabs-container box is-bottomless is-fullwidth is-paddingless has-bottom-margin-l" data-test-tabs>
+    <nav class="tabs">
+      {{#if this.isSummaryDashboard}}
+        <ul>
+          <li class="is-active">
+            <LinkToExternal @route="replication">Summary</LinkToExternal>
+          </li>
+        </ul>
       {{else}}
-        <LinkTo @route="mode.index" @models={{array this.cluster.name this.mode}} class="button is-secondary">
-          Details
-        </LinkTo>
+        <ul>
+          <LinkTo @route="vault.cluster.replication-dr-promote.details">
+            Details
+          </LinkTo>
+          <LinkTo @route="vault.cluster.replication-dr-promote" @current-when="vault.cluster.replication-dr-promote.index">
+            Manage
+          </LinkTo>
+        </ul>
       {{/if}}
-    </div>
+    </nav>
   </div>
 {{/if}}
\ No newline at end of file
diff --git a/ui/lib/core/addon/templates/components/replication-secondary-card.hbs b/ui/lib/core/addon/templates/components/replication-secondary-card.hbs
index 317ea44a7247..bd2eec9950c7 100644
--- a/ui/lib/core/addon/templates/components/replication-secondary-card.hbs
+++ b/ui/lib/core/addon/templates/components/replication-secondary-card.hbs
@@ -3,121 +3,120 @@
   SPDX-License-Identifier: BUSL-1.1
 ~}}
 
-<Hds::Card::Container
-  @hasBorder={{true}}
-  class="has-padding-m card-container {{if this.hasErrorClass 'has-error-border'}}"
-  data-test-replication-secondary-card
->
-  {{! Check if Status or Primary Cluster Card }}
-  {{#if (eq this.title "Status")}}
-    <h3 class="title is-5 grid-item-top-left card-title">
-      {{this.title}}
-    </h3>
-    <div class="grid-item-left">
-      {{#if (get (cluster-states this.state) "isOk")}}
-        <h6 class="title is-6">
-          state
-        </h6>
-        <p class="has-text-grey is-size-8">
-          How this cluster is communicating with others at this moment.
-        </p>
+{{#if this.isMenu}}
+  {{! this is the status menu }}
+  <div class="level is-mobile">
+    <div class="is-flex-grow-1">
+      {{#if this.replicationUnsupported}}
+        Unsupported
+      {{else if this.replicationEnabled}}
+        <div>
+          {{concat (if (eq this.mode "performance") "Performance " "Disaster Recovery ") (capitalize this.modeForUrl)}}
+        </div>
+        {{#if this.secondaryId}}
+          <small>
+            <code>
+              {{this.secondaryId}}
+            </code>
+          </small>
+        {{/if}}
+        <small>
+          <code>
+            {{this.clusterIdDisplay}}
+          </code>
+        </small>
+      {{else if (and (eq this.mode "performance") (not (has-feature "Performance Replication")))}}
+        Learn more
+      {{else if this.auth.currentToken}}
+        Enable
+        {{if (eq this.mode "performance") "Performance" "Disaster Recovery"}}
       {{else}}
-        <h6 class="has-text-danger" data-test-error>
-          state
-        </h6>
-        <AlertInline @type="danger" @message="Please check your server logs." />
+        <span class="has-text-grey-light">
+          {{if (eq this.mode "performance") "Performance" "Disaster Recovery"}}
+        </span>
       {{/if}}
     </div>
-    <div class="grid-item-right">
-      {{#if (eq this.connection "transient_failure")}}
-        <h6 class="title is-6 has-text-danger" data-test-error>
-          connection_state
-        </h6>
-        <AlertInline
-          @type="danger"
-          @message="There has been some transient failure. Your cluster will eventually switch back to connection and try to establish a connection again."
-        />
-      {{else if (eq this.connection "shutdown")}}
-        <h6 class="title is-6 has-text-danger" data-test-error>
-          connection_state
-        </h6>
-        <AlertInline
-          @type="danger"
-          @message="Your connection has shut down. This may be because the application explicitly requested a shutdown or a non-recoverable error has happened during attempts to communicate."
-        />
+    <div class="level-right">
+      {{#if this.replicationEnabled}}
+        {{#if (cluster-states this.modeState)}}
+          <span class={{if (get (cluster-states this.modeState) "isOk") "has-text-success" "has-text-danger"}}>
+            <Icon @name={{get (cluster-states this.modeState) "glyph"}} />
+          </span>
+        {{else if this.syncProgress}}
+          <progress value={{this.syncProgressPercent}} max="100" class="progress is-small is-narrow is-info">
+            {{this.syncProgress.progress}}
+            of
+            {{this.syncProgress.total}}
+            keys
+          </progress>
+        {{/if}}
       {{else}}
-        <h6 class="title is-6">
-          connection_state
-        </h6>
-        <p class="has-text-grey is-size-8">
-          The health of the connection between this cluster and others.
-        </p>
-      {{/if}}
-    </div>
-    <h2 class="title is-3 grid-item-bottom-left" data-test-state>
-      {{this.state}}
-      {{#if this.inSyncState}}
-        <ToolTip @verticalPosition="above" as |T|>
-          <T.Trigger>
-            <Icon @name="check-circle" class="has-text-success" data-test-glyph />
-          </T.Trigger>
-          <T.Content @defaultClass="tool-tip">
-            <div class="box">
-              Everything is in sync
-            </div>
-          </T.Content>
-        </ToolTip>
+        <Icon @name="minus-circle" aria-label="Replication not enabled" class="has-text-grey-light" />
       {{/if}}
-    </h2>
-    <h2 class="title is-3 grid-item-bottom-right" data-test-connection>
-      {{this.connection}}
-    </h2>
-    <div class="grid-item-bottom-row">
-      <h6 class="title is-6">
-        last_remote_wal
-      </h6>
-      <p class="has-text-grey is-size-8">
-        The last WAL index that the secondary received from the primary. Updates every 10 seconds.
-      </p>
-      <h2 class="title is-3">
-        {{format-number this.lastRemoteWAL}}
-      </h2>
     </div>
-  {{else}}
-    <div class="grid-item-top-left">
-      <h3 class="title is-5 card-title">
-        {{this.title}}
-      </h3>
-    </div>
-    {{#if (and this.primaryUiUrl this.knownPrimaryClusterAddrs)}}
-      <div class="grid-item-top-right">
-        <ExternalLink @href={{concat this.primaryUiUrl "/ui/"}} class="toolbar-link" data-test-primary-link>
-          View primary cluster
-          <Icon @name="chevron-right" />
-        </ExternalLink>
+  </div>
+{{else}}
+  {{! this is the replication index page }}
+  <div class="level">
+    <div class="replication-description level-left">
+      <div>
+        {{#if (and (eq this.mode "performance") (not (has-feature "Performance Replication")))}}
+          <p>
+            Performance Replication is a feature of Vault Enterprise Premium.
+            <ExternalLink
+              @href="https://hashicorp.com/products/vault/trial?source=vaultui_Performance%20Replication"
+              class="link"
+              data-test-upgrade-link-performance
+            >
+              Upgrade
+            </ExternalLink>
+          </p>
+        {{else if (and (eq this.mode "dr") (not (has-feature "DR Replication")))}}
+          <p>
+            Disaster Recovery is a feature of Vault Enterprise Premium.
+            <ExternalLink
+              @href="https://hashicorp.com/products/vault/trial?source=vaultui_Performance%20Replication"
+              class="link"
+              data-test-upgrade-link-dr
+            >
+              Upgrade
+            </ExternalLink>
+          </p>
+        {{else if this.replicationEnabled}}
+          <h6 class="title is-6 is-uppercase">
+            Enabled
+          </h6>
+          <div class="detail-tags">
+            <span class="has-text-grey">
+              {{capitalize this.modeForUrl}}
+            </span>
+            {{#if this.secondaryId}}
+              <span class="tag is-light has-text-grey-dark">
+                <code>
+                  {{this.secondaryId}}
+                </code>
+              </span>
+            {{/if}}
+            <span class="tag is-light has-text-grey-dark">
+              <code>
+                {{this.clusterIdDisplay}}
+              </code>
+            </span>
+          </div>
+        {{/if}}
+        <p class="help has-text-grey-dark">
+          {{replication-mode-description this.mode}}
+        </p>
       </div>
-    {{/if}}
-    <div class="grid-item-second-row">
-      <h6 class="title is-6">
-        known_primary_cluster_addrs
-      </h6>
-      <p class="has-text-grey">
-        A list of all the nodes in the primary's cluster. This value is updated every ten seconds.
-      </p>
     </div>
-    <div class="grid-item-third-row">
-      {{#if (is-empty this.knownPrimaryClusterAddrs)}}
-        <EmptyState
-          @title="No known_primary_cluster_addrs"
-          @message="These addresses are used by the secondary to communicate with the primary cluster. Should always be non-zero in a functioning replication setup."
-        >
-          <DocLink @path="/vault/tutorials/monitoring/monitor-replication">
-            Learn more
-          </DocLink>
-        </EmptyState>
-      {{else}}
-        <InfoTable @title="Known Primary Cluster Addrs" @header="cluster_addr" @items={{this.knownPrimaryClusterAddrs}} />
-      {{/if}}
+    <div class="level-right">
+      <Hds::Button
+        @route="mode.index"
+        @models={{array this.cluster.name this.mode}}
+        @color={{if this.replicationDisabled "primary" "secondary"}}
+        @text={{if this.replicationDisabled "Enable" "Details"}}
+        data-test-replication-details-link={{this.mode}}
+      />
     </div>
-  {{/if}}
-</Hds::Card::Container>
\ No newline at end of file
+  </div>
+{{/if}}
\ No newline at end of file
diff --git a/ui/lib/core/addon/templates/components/replication-summary-card.hbs b/ui/lib/core/addon/templates/components/replication-summary-card.hbs
index f4562b523625..1c8261a90173 100644
--- a/ui/lib/core/addon/templates/components/replication-summary-card.hbs
+++ b/ui/lib/core/addon/templates/components/replication-summary-card.hbs
@@ -1,63 +1,117 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<Hds::Card::Container
-  @hasBorder={{true}}
-  class="replication-summary-card card-container summary {{if this.hasErrorClass 'has-error-border'}}"
-  data-test-replication-summary-card
->
-  {{! Check if DR or Performance Card }}
-  {{#if (eq this.title "Disaster Recovery")}}
-    <h3 class="title is-5 grid-item-top-left card-title">{{this.title}}</h3>
-    <div class="grid-item-top-right">
-      <ToolbarLink @route="mode.index" @model="dr" data-test-manage-link={{this.title}}>
-        Details
-      </ToolbarLink>
-    </div>
-    <div class="grid-item-left">
-      <h6 class="title is-6">last_dr_wal</h6>
-      <p class="helper-text is-label has-text-grey">
-        Index of last WAL entry written on local storage. Updates every ten seconds.
-      </p>
-    </div>
-    <div class="grid-item-right">
-      <h6 class="title is-6">known_secondaries</h6>
-      <p class="helper-text is-label has-text-grey">Number of secondaries connected to this primary.</p>
-    </div>
-    <h2 class="title is-3 grid-item-bottom-left" data-test-lastWAL>{{format-number this.lastDrWAL}}</h2>
-    <h2 class="title is-3 grid-item-bottom-right" data-test-known-secondaries>{{format-number this.knownSecondariesDr}}</h2>
-    <div class="grid-item-bottom-row">
-      <h6 class="title is-6">merkle_root</h6>
-      <p class="helper-text is-label has-text-grey">A snapshot of the merkle tree's root hash.</p>
-      <div><code class="is-word-break has-text-black">{{this.merkleRootDr}}</code></div>
-    </div>
-  {{else}}
-    <h3 class="title is-5 grid-item-top-left card-title">{{this.title}}</h3>
-    <div class="grid-item-top-right">
-      <ToolbarLink @route="mode.index" @model="performance" data-test-manage-link={{this.title}}>
-        Details
-      </ToolbarLink>
-    </div>
-    <div class="grid-item-left">
-      <h6 class="title is-6">last_performance_wal</h6>
-      <p class="helper-text is-label has-text-grey">
-        Index of last WAL entry written on local storage. Updates every ten seconds.
-      </p>
-    </div>
-    <div class="grid-item-right">
-      <h6 class="title is-6">known_secondaries</h6>
-      <p class="helper-text is-label has-text-grey">Number of secondaries connected to this primary.</p>
-    </div>
-    <h2 class="title is-3 grid-item-bottom-left" data-test-lastWAL>{{format-number this.lastPerformanceWAL}}</h2>
-    <h2 class="title is-3 grid-item-bottom-right" data-test-known-secondaries>
-      {{format-number this.knownSecondariesPerformance}}
-    </h2>
-    <div class="grid-item-bottom-row">
-      <h6 class="title is-6">merkle_root</h6>
-      <p class="helper-text is-label has-text-grey">A snapshot of the merkle tree's root hash.</p>
-      <div><code class="is-word-break has-text-black">{{this.merkleRootPerformance}}</code></div>
-    </div>
-  {{/if}}
-</Hds::Card::Container>
\ No newline at end of file
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'ember-qunit';
+import { render } from '@ember/test-helpers';
+import hbs from 'htmlbars-inline-precompile';
+
+const TITLE = 'Status';
+
+const REPLICATION_DETAILS = {
+  state: 'stream-wals',
+  connection_state: 'ready',
+  lastRemoteWAL: 10,
+  knownPrimaryClusterAddrs: ['https://127.0.0.1:8201', 'https://127.0.0.1:8202'],
+  primaries: [
+    {
+      api_address: 'http://127.0.0.1:8201',
+    },
+  ],
+};
+
+module('Integration | Component | replication-secondary-card', function (hooks) {
+  setupRenderingTest(hooks);
+
+  hooks.beforeEach(function () {
+    this.set('replicationDetails', REPLICATION_DETAILS);
+    this.set('title', TITLE);
+  });
+
+  test('it renders', async function (assert) {
+    await render(
+      hbs`<ReplicationSecondaryCard @replicationDetails={{this.replicationDetails}} @title={{this.title}} />`
+    );
+    assert.dom('[data-test-replication-secondary-card]').exists();
+    assert.dom('[data-test-state]').includesText(REPLICATION_DETAILS.state, `shows the correct state value`);
+    assert
+      .dom('[data-test-connection]')
+      .includesText(REPLICATION_DETAILS.connection_state, `shows the correct connection value`);
+  });
+
+  test('it renders the Primary Cluster card when title is not Status', async function (assert) {
+    await render(
+      hbs`<ReplicationSecondaryCard @replicationDetails={{this.replicationDetails}} @title='Primary cluster'/>`
+    );
+
+    assert.dom('[data-test-info-table]').exists('it shows the known primary cluster details');
+
+    const expectedUrl = `${REPLICATION_DETAILS.primaries[0].api_address}/ui/`;
+    assert
+      .dom('[data-test-primary-link]')
+      .hasAttribute('href', expectedUrl, 'it renders a link to the primary cluster UI');
+  });
+
+  test('it does not render a link to the primary cluster UI when the primary api address or known primaries are unknown', async function (assert) {
+    this.set('replicationDetails', {});
+    await render(
+      hbs`<ReplicationSecondaryCard @replicationDetails={{this.replicationDetails}} @title='Primary cluster'/>`
+    );
+
+    assert.dom('[data-test-primary-link]').doesNotExist();
+  });
+
+  test('it renders with emptyState if no knownPrimaryClusterAddrs are set', async function (assert) {
+    this.set('replicationDetails', []);
+    await render(
+      hbs`<ReplicationSecondaryCard @replicationDetails={{this.replicationDetails}} @title='Primary cluster'/>`
+    );
+    assert.dom('[data-test-empty-state]').exists('shows empty state');
+  });
+
+  test('it renders tooltip with check-circle-outline when state is stream-wals', async function (assert) {
+    await render(
+      hbs`<ReplicationSecondaryCard @replicationDetails={{this.replicationDetails}} @title={{this.title}} />`
+    );
+    assert.dom('[data-test-glyph]').hasClass('has-text-success', `shows success icon`);
+  });
+
+  test('it renders hasErrorMessage when state is idle', async function (assert) {
+    const stateError = {
+      state: 'idle',
+      connection_state: 'ready',
+      lastRemoteWAL: 10,
+    };
+
+    this.set('stateError', stateError);
+    await render(
+      hbs`<ReplicationSecondaryCard @replicationDetails={{this.stateError}} @title={{this.title}} />`
+    );
+    assert.dom('[data-test-error]').includesText('state', 'show correct error title');
+    assert
+      .dom('[data-test-inline-error-message]')
+      .includesText('Please check your server logs.', 'show correct error message');
+  });
+
+  test('it renders hasErrorMessage when connection is transient_failure', async function (assert) {
+    const connectionError = {
+      state: 'stream-wals',
+      connection_state: 'transient_failure',
+      lastRemoteWAL: 10,
+    };
+
+    this.set('connectionError', connectionError);
+    await render(
+      hbs`<ReplicationSecondaryCard @replicationDetails={{this.connectionError}} @title={{this.title}} />`
+    );
+    assert.dom('[data-test-error]').includesText('connection_state', 'show correct error title');
+    assert
+      .dom('[data-test-inline-error-message]')
+      .includesText(
+        'There has been some transient failure. Your cluster will eventually switch back to connection and try to establish a connection again.',
+        'show correct error message'
+      );
+  });
+});
diff --git a/ui/lib/core/addon/utils/sanitize-path.js b/ui/lib/core/addon/utils/sanitize-path.js
index bfd200a362d5..053188128d6b 100644
--- a/ui/lib/core/addon/utils/sanitize-path.js
+++ b/ui/lib/core/addon/utils/sanitize-path.js
@@ -1,13 +1,141 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
 
-export function sanitizePath(path) {
-  //remove whitespace + remove trailing and leading slashes
-  return path.trim().replace(/^\/+|\/+$/g, '');
-}
-
-export function ensureTrailingSlash(path) {
-  return path.replace(/(\w+[^/]$)/g, '$1/');
-}
+<Hds::Card::Container
+  @hasBorder={{true}}
+  class="has-padding-m card-container {{if this.hasErrorClass 'has-error-border'}}"
+  data-test-replication-secondary-card
+>
+  {{! Check if Status or Primary Cluster Card }}
+  {{#if (eq this.title "Status")}}
+    <h3 class="title is-5 grid-item-top-left card-title">
+      {{this.title}}
+    </h3>
+    <div class="grid-item-left">
+      {{#if (get (cluster-states this.state) "isOk")}}
+        <h6 class="title is-6">
+          state
+        </h6>
+        <p class="has-text-grey is-size-8">
+          How this cluster is communicating with others at this moment.
+        </p>
+      {{else}}
+        <h6 class="has-text-danger" data-test-error>
+          state
+        </h6>
+        <AlertInline @type="danger" @message="Please check your server logs." />
+      {{/if}}
+    </div>
+    <div class="grid-item-right">
+      {{#if (eq this.connection "transient_failure")}}
+        <h6 class="title is-6 has-text-danger" data-test-error>
+          connection_state
+        </h6>
+        <AlertInline
+          @type="danger"
+          @message="There has been some transient failure. Your cluster will eventually switch back to connection and try to establish a connection again."
+        />
+      {{else if (eq this.connection "shutdown")}}
+        <h6 class="title is-6 has-text-danger" data-test-error>
+          connection_state
+        </h6>
+        <AlertInline
+          @type="danger"
+          @message="Your connection has shut down. This may be because the application explicitly requested a shutdown or a non-recoverable error has happened during attempts to communicate."
+        />
+      {{else}}
+        <h6 class="title is-6">
+          connection_state
+        </h6>
+        <p class="has-text-grey is-size-8">
+          The health of the connection between this cluster and others.
+        </p>
+      {{/if}}
+    </div>
+    <h2 class="title is-3 grid-item-bottom-left" data-test-state>
+      {{this.state}}
+      {{#if this.inSyncState}}
+        <ToolTip @verticalPosition="above" as |T|>
+          <T.Trigger>
+            <Icon @name="check-circle" class="has-text-success" data-test-glyph />
+          </T.Trigger>
+          <T.Content @defaultClass="tool-tip">
+            <div class="box">
+              Everything is in sync
+            </div>
+          </T.Content>
+        </ToolTip>
+      {{/if}}
+    </h2>
+    <h2 class="title is-3 grid-item-bottom-right" data-test-connection>
+      {{this.connection}}
+    </h2>
+    <div class="grid-item-bottom-row">
+      <h6 class="title is-6">
+        last_remote_wal
+      </h6>
+      <p class="has-text-grey is-size-8">
+        The last WAL index that the secondary received from the primary. Updates every 10 seconds.
+      </p>
+      <h2 class="title is-3">
+        {{format-number this.lastRemoteWAL}}
+      </h2>
+    </div>
+  {{else}}
+    <div class="grid-item-top-left">
+      <h3 class="title is-5 card-title">
+        {{this.title}}
+      </h3>
+    </div>
+    {{#if (and this.primaryUiUrl this.knownPrimaryClusterAddrs)}}
+      <div class="grid-item-top-right">
+        <ExternalLink @href={{concat this.primaryUiUrl "/ui/"}} class="toolbar-link" data-test-primary-link>
+          View primary cluster
+          <Icon @name="chevron-right" />
+        </ExternalLink>
+      </div>
+    {{/if}}
+    <div class="grid-item-second-row">
+      <h6 class="title is-6">
+        known_primary_cluster_addrs
+      </h6>
+      <p class="has-text-grey">
+        A list of all the nodes in the primary's cluster. This value is updated every ten seconds.
+      </p>
+    </div>
+    <div class="grid-item-third-row">
+      {{#if (is-empty this.knownPrimaryClusterAddrs)}}
+        <Hds::ApplicationState data-test-empty-state as |A|>
+          <A.Header @title="No known_primary_cluster_addrs" />
+          <A.Body
+            @text="These addresses are used by the secondary to communicate with the primary cluster. Should always be non-zero in a functioning replication setup."
+          />
+          <A.Footer @hasDivider={{true}} as |F|>
+            <F.Link::Standalone
+              @icon="help"
+              @text="Learn more about replication"
+              @href={{doc-link "/vault/tutorials/monitoring/monitor-replication"}}
+            />
+          </A.Footer>
+        </Hds::ApplicationState>
+      {{else}}
+        <Hds::Table @caption="Known Primary Cluster Addrs" data-test-info-table>
+          <:head as |H|>
+            <H.Tr>
+              <H.Th>cluster_addr</H.Th>
+            </H.Tr>
+          </:head>
+          <:body as |B|>
+            {{#each this.knownPrimaryClusterAddrs as |item|}}
+              <B.Tr>
+                <B.Td>{{item}}</B.Td>
+              </B.Tr>
+            {{/each}}
+          </:body>
+        </Hds::Table>
+      {{/if}}
+    </div>
+  {{/if}}
+</Hds::Card::Container>
\ No newline at end of file
diff --git a/ui/lib/core/app/components/info-table.js b/ui/lib/core/app/components/info-table.js
index f7ced1e2b209..86e98ed98cf2 100644
--- a/ui/lib/core/app/components/info-table.js
+++ b/ui/lib/core/app/components/info-table.js
@@ -3,4 +3,98 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-export { default } from 'core/components/info-table';
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'ember-qunit';
+import { render, settled } from '@ember/test-helpers';
+import hbs from 'htmlbars-inline-precompile';
+
+const TITLE = 'Disaster Recovery';
+
+const REPLICATION_DETAILS = {
+  dr: {
+    state: 'running',
+    lastWAL: 10,
+    knownSecondaries: ['https://127.0.0.1:8201', 'https://127.0.0.1:8202'],
+    merkleRoot: 'zzzzzzzyyyyyyyxxxxxxxwwwwww',
+  },
+  performance: {
+    state: 'running',
+    lastWAL: 20,
+    knownSecondaries: ['https://127.0.0.1:8201'],
+    merkleRoot: 'aaaaaabbbbbbbbccccccccdddddd',
+  },
+};
+
+module('Integration | Component | replication-summary-card', function (hooks) {
+  setupRenderingTest(hooks);
+
+  hooks.beforeEach(function () {
+    this.set('replicationDetails', REPLICATION_DETAILS);
+    this.set('title', TITLE);
+  });
+
+  test('it renders', async function (assert) {
+    await render(
+      hbs`<ReplicationSummaryCard @replicationDetails={{this.replicationDetails}} @title={{this.title}} />`
+    );
+    assert.dom('[data-test-replication-summary-card]').exists();
+    assert
+      .dom('[data-test-lastWAL]')
+      .includesText(REPLICATION_DETAILS.dr.lastWAL, `shows the correct lastWAL value`);
+
+    const knownSecondaries = REPLICATION_DETAILS.dr.knownSecondaries.length;
+    assert
+      .dom('[data-test-known-secondaries]')
+      .includesText(knownSecondaries, `shows the correct computed value of the known secondaries count`);
+    assert
+      .dom('[data-test-merkle-root]')
+      .includesText(REPLICATION_DETAILS.dr.merkleRoot, `shows the correct merkle root value`);
+  });
+
+  test('it shows the correct lastWAL and knownSecondaries when title is Performance', async function (assert) {
+    await render(
+      hbs`<ReplicationSummaryCard @replicationDetails={{this.replicationDetails}} @title="Performance" />`
+    );
+    assert
+      .dom('[data-test-lastWAL]')
+      .includesText(REPLICATION_DETAILS.performance.lastWAL, `shows the correct lastWAL value`);
+
+    const knownSecondaries = REPLICATION_DETAILS.performance.knownSecondaries.length;
+    assert
+      .dom('[data-test-known-secondaries]')
+      .includesText(knownSecondaries, `shows the correct computed value of the known secondaries count`);
+    assert
+      .dom('[data-test-merkle-root]')
+      .includesText(REPLICATION_DETAILS.performance.merkleRoot, `shows the correct merkle root value`);
+  });
+
+  test('it shows reasonable defaults', async function (assert) {
+    const data = {
+      dr: {
+        mode: 'disabled',
+      },
+      performance: {
+        mode: 'disabled',
+      },
+    };
+    this.set('replicationDetails', data);
+    await render(
+      hbs`<ReplicationSummaryCard @replicationDetails={{this.replicationDetails}} @title={{this.title}} />`
+    );
+    assert.dom('[data-test-lastWAL]').includesText('0', `shows the correct lastWAL value`);
+    assert
+      .dom('[data-test-known-secondaries]')
+      .includesText('0', `shows the correct default value of the known secondaries count`);
+    assert.dom('[data-test-merkle-root]').includesText('', `shows the correct merkle root value`);
+
+    await this.set('title', 'Performance');
+    await settled();
+    assert.dom('[data-test-lastWAL]').includesText('0', `shows the correct lastWAL value`);
+    assert
+      .dom('[data-test-known-secondaries]')
+      .includesText('0', `shows the correct default value of the known secondaries count`);
+    assert
+      .dom('[data-test-merkle-root]')
+      .includesText('no hash found', `shows the correct merkle root value`);
+  });
+});
diff --git a/ui/lib/core/app/helpers/is-version.js b/ui/lib/core/app/helpers/is-version.js
index 0386f00a8a69..54f7d93b9b05 100644
--- a/ui/lib/core/app/helpers/is-version.js
+++ b/ui/lib/core/app/helpers/is-version.js
@@ -1,6 +1,40 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
 
-export { default } from 'core/helpers/is-version';
+<Hds::Card::Container
+  @hasBorder={{true}}
+  class="replication-summary-card card-container summary"
+  data-test-replication-summary-card
+>
+  <h3 class="title is-5 grid-item-top-left card-title">{{@title}}</h3>
+  <div class="grid-item-top-right">
+    <Hds::Button
+      @route="mode.index"
+      @model={{this.key}}
+      @text="Details"
+      @color="tertiary"
+      @icon="chevron-right"
+      @iconPosition="trailing"
+      data-test-manage-link={{@title}}
+    />
+  </div>
+  <div class="grid-item-left">
+    <p class="title is-6">last_dr_wal</p>
+    <p class="helper-text is-label has-text-grey">
+      Index of last WAL entry written on local storage. Updates every ten seconds.
+    </p>
+  </div>
+  <div class="grid-item-right">
+    <p class="title is-6">known_secondaries</p>
+    <p class="helper-text is-label has-text-grey">Number of secondaries connected to this primary.</p>
+  </div>
+  <p class="title is-3 grid-item-bottom-left" data-test-lastWAL>{{format-number this.lastWAL}}</p>
+  <p class="title is-3 grid-item-bottom-right" data-test-known-secondaries>{{format-number this.knownSecondariesCount}}</p>
+  <div class="grid-item-bottom-row">
+    <p class="title is-6">merkle_root</p>
+    <p class="helper-text is-label has-text-grey">A snapshot of the merkle tree's root hash.</p>
+    <div><code class="is-word-break has-text-black" data-test-merkle-root>{{this.merkleRoot}}</code></div>
+  </div>
+</Hds::Card::Container>
\ No newline at end of file
diff --git a/ui/lib/core/app/utils/sanitize-path.js b/ui/lib/core/app/utils/sanitize-path.js
index 58a60b33d422..21a15ec89670 100644
--- a/ui/lib/core/app/utils/sanitize-path.js
+++ b/ui/lib/core/app/utils/sanitize-path.js
@@ -3,4 +3,35 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-export { ensureTrailingSlash, sanitizePath } from 'core/utils/sanitize-path';
+import { get } from '@ember/object';
+import Component from '@glimmer/component';
+
+/**
+ * @module ReplicationSummaryCard
+ * The `ReplicationSummaryCard` is a card-like component.  It displays cluster mode details for both DR and Performance
+ *
+ * @example
+ * ```js
+ * <ReplicationSummaryCard
+    @title='States'
+    @replicationDetails={DS.Model.replicationDetailsSummary}
+    />
+ * ```
+ * @param {String} [title=null] - The title to be displayed on the top left corner of the card.
+ * @param {Object} replicationDetails=null - An Ember data object computed off the Ember Model.  It combines the Model.dr and Model.performance objects into one and contains details specific to the mode replication.
+ */
+
+export default class ReplicationSummaryCard extends Component {
+  get key() {
+    return this.args.title === 'Performance' ? 'performance' : 'dr';
+  }
+  get lastWAL() {
+    return get(this.args.replicationDetails, `${this.key}.lastWAL`) || 0;
+  }
+  get merkleRoot() {
+    return get(this.args.replicationDetails, `${this.key}.merkleRoot`) || 'no hash found';
+  }
+  get knownSecondariesCount() {
+    return get(this.args.replicationDetails, `${this.key}.knownSecondaries.length`) || 0;
+  }
+}
diff --git a/ui/lib/kmip/addon/templates/components/edit-form-kmip-role.hbs b/ui/lib/kmip/addon/templates/components/edit-form-kmip-role.hbs
index 381a07ae1c94..7fa582ffcb1a 100644
--- a/ui/lib/kmip/addon/templates/components/edit-form-kmip-role.hbs
+++ b/ui/lib/kmip/addon/templates/components/edit-form-kmip-role.hbs
@@ -3,109 +3,371 @@
   SPDX-License-Identifier: BUSL-1.1
 ~}}
 
-<form {{action (queue (action "preSave" this.model) (perform this.save this.model)) on="submit"}}>
-  <MessageError @model={{this.model}} data-test-edit-form-error />
-  <div class="box is-sideless is-fullwidth is-marginless">
-    <NamespaceReminder @mode="save" />
-    {{#if (eq @mode "create")}}
-      <FormField data-test-field @attr={{hash name="name" type="string"}} @model={{this.model}} />
-    {{/if}}
-    <div class="control is-flex box is-shadowless is-fullwidth is-marginless">
-      <input
-        data-test-input="operationNone"
-        id="operationNone"
-        type="checkbox"
-        class="toggle is-success is-small"
-        checked={{not this.model.operationNone}}
-        onchange={{action "toggleOperationSpecial" value="target.checked"}}
-      />
-      <label for="operationNone" class="has-text-weight-bold is-size-8">
-        Allow this role to perform KMIP operations
-      </label>
-    </div>
-    {{#unless this.model.operationNone}}
-      <Toolbar>
-        <h3 class="title is-6 has-left-padding-s">
-          Allowed Operations
-        </h3>
-      </Toolbar>
-      <div class="box">
-        <FormField
-          @attr={{hash name="operationAll" type="boolean" options=(hash label="Allow this role to perform all operations")}}
-          @model={{this.model}}
-        />
-        <hr />
-        <div class="is-flex">
-          <div class="kmip-role-allowed-operations">
-            {{#each-in this.model.operationFormFields.firstObject as |groupName fieldsInGroup|}}
-              <h4 class="title is-7">{{groupName}}</h4>
-              {{#each fieldsInGroup as |attr|}}
-                <FormField
-                  data-test-field
-                  @disabled={{or this.model.operationNone this.model.operationAll}}
-                  @attr={{attr}}
-                  @model={{compute (action "placeholderOrModel") this.model.operationAll attr}}
-                  @showHelpText={{false}}
+{{#if (not (has-feature "DR Replication"))}}
+  <UpgradePage @title="Replication" />
+{{else if (or this.cluster.allReplicationDisabled this.cluster.replicationAttrs.replicationDisabled)}}
+  <PageHeader as |p|>
+    <p.levelLeft>
+      <h1 class="title is-3" data-test-replication-title>
+        {{#if this.initialReplicationMode}}
+          {{#if (eq this.initialReplicationMode "dr")}}
+            Enable Disaster Recovery Replication
+          {{else if (eq this.initialReplicationMode "performance")}}
+            Enable Performance Replication
+          {{/if}}
+        {{else}}
+          Enable Replication
+        {{/if}}
+      </h1>
+    </p.levelLeft>
+  </PageHeader>
+
+  <form
+    onsubmit={{action
+      "onSubmit"
+      "enable"
+      (or this.mode "primary")
+      (hash
+        token=this.token
+        primary_cluster_addr=this.primary_cluster_addr
+        primary_api_addr=this.primary_api_addr
+        ca_file=this.ca_file
+        ca_path=this.ca_path
+        replicationMode=this.replicationMode
+      )
+    }}
+    data-test-replication-enable-form
+  >
+    <div class="box is-sideless is-fullwidth is-marginless">
+      <MessageError @errors={{this.errors}} />
+      {{#if this.initialReplicationMode}}
+        {{#if (eq this.initialReplicationMode "dr")}}
+          <h3 class="title is-flex-center is-5 is-marginless">
+            <Icon @size="24" @name="replication-direct" />
+            Disaster Recovery (DR) Replication
+          </h3>
+          <p class="help has-text-grey-dark">
+            {{replication-mode-description "dr"}}
+          </p>
+        {{else if (eq this.initialReplicationMode "performance")}}
+          <h3 class="title is-flex-center is-5 is-marginless">
+            <Icon @size="24" @name="replication-perf" />
+            Performance Replication
+          </h3>
+          {{#if (has-feature "Performance Replication")}}
+            <p class="help has-text-grey-dark">
+              {{replication-mode-description "performance"}}
+            </p>
+          {{else}}
+            <p class="help has-text-grey-dark">
+              Performance Replication is a feature of Vault Enterprise Premium
+            </p>
+          {{/if}}
+        {{/if}}
+      {{else}}
+        <p class="has-text-grey-dark box is-shadowless is-fullwidth has-slim-padding">
+          <label for="replication-mode" class="is-label is-block">
+            Type of replication
+          </label>
+          In both Performance and Disaster Recovery (DR) Replication, secondaries share the underlying configuration,
+          policies, and supporting secrets as their primary cluster.
+        </p>
+        <div class="columns">
+          <div class="column is-flex">
+            <label for="dr" class="box-label is-column {{if (eq this.replicationMode 'dr') 'is-selected'}}">
+              <div>
+                <h3 class="box-label-header title is-6">
+                  <Icon @size="24" @name="replication-direct" />
+                  Disaster Recovery (DR)
+                </h3>
+                <p class="help has-text-grey-dark">
+                  {{replication-mode-description "dr"}}
+                </p>
+              </div>
+              <div>
+                <RadioButton
+                  id="dr"
+                  name="replication-mode"
+                  @value="dr"
+                  @groupValue={{this.replicationMode}}
+                  @onChange={{fn (mut this.replicationMode)}}
                 />
-              {{/each}}
-            {{/each-in}}
+                <label for="dr" data-test-replication-type-select="dr"></label>
+              </div>
+            </label>
           </div>
-          <div class="kmip-role-allowed-operations">
-            {{#each (drop 1 (or this.model.operationFormFields (array))) as |group|}}
-              <div class="kmip-role-allowed-operations">
-                {{#each-in group as |groupName fieldsInGroup|}}
-                  <h4 class="title is-7">{{groupName}}</h4>
-                  {{#each fieldsInGroup as |attr|}}
-                    <FormField
-                      data-test-field
-                      @disabled={{or this.model.operationNone this.model.operationAll}}
-                      @attr={{attr}}
-                      @model={{compute (action "placeholderOrModel") this.model.operationAll attr}}
-                      @showHelpText={{false}}
-                    />
-                  {{/each}}
-                {{/each-in}}
+          <div class="column is-flex">
+            <label
+              for="performance"
+              class="box-label is-column {{if (eq this.replicationMode 'performance') 'is-selected'}}"
+            >
+              <div>
+                <h3 class="box-label-header title is-6">
+                  <Icon @size="24" @name="replication-perf" />
+                  Performance
+                </h3>
+                {{#if (not (has-feature "Performance Replication"))}}
+                  <p class="help has-text-grey-dark">
+                    Performance Replication is a feature of Vault Enterprise Premium
+                  </p>
+                {{else}}
+                  <p class="help has-text-grey-dark">
+                    {{replication-mode-description "performance"}}
+                  </p>
+                {{/if}}
               </div>
-            {{/each}}
+              <div>
+                {{#if (has-feature "Performance Replication")}}
+                  <RadioButton
+                    id="performance"
+                    name="replication-mode"
+                    @value="performance"
+                    @groupValue={{this.replicationMode}}
+                    @onChange={{fn (mut this.replicationMode)}}
+                  />
+                  <label for="performance" data-test-replication-type-select="performance"></label>
+                {{/if}}
+              </div>
+            </label>
           </div>
         </div>
+      {{/if}}
+    </div>
+    <div class="box is-sideless is-fullwidth is-marginless">
+      <label for="replication-mode" class="is-label">
+        Cluster mode
+      </label>
+      <div class="field is-expanded">
+        <div class="control select is-fullwidth">
+          <select
+            onchange={{action (mut this.mode) value="target.value"}}
+            id="replication-mode"
+            name="replication-mode"
+            data-test-replication-cluster-mode-select={{true}}
+          >
+            {{#each (array "primary" "secondary") as |modeOption|}}
+              <option selected={{if this.mode (eq this.mode modeOption) (eq modeOption "primary")}} value={{modeOption}}>
+                {{modeOption}}
+              </option>
+            {{/each}}
+          </select>
+        </div>
+        {{#if (eq this.mode "secondary")}}
+          <AlertInline @class="has-top" @type="warning" @message="This will immediately clear all data in this cluster!" />
+        {{/if}}
       </div>
-    {{/unless}}
-    <div class="box is-fullwidth is-shadowless">
-      <h3 class="title is-3">
-        TLS
-      </h3>
-      {{#each this.model.tlsFormFields as |attr|}}
-        <FormField data-test-field @attr={{attr}} @model={{this.model}} />
-      {{/each}}
+      {{#if (eq this.mode "primary")}}
+        {{#if this.cluster.canEnablePrimary}}
+          <div class="field">
+            <label for="primary_cluster_addr" class="is-label">
+              Primary cluster address
+              <em class="is-optional">(optional)</em>
+            </label>
+            <div class="control">
+              <Input
+                class="input"
+                id="primary_cluster_addr"
+                name="primary_cluster_addr"
+                @value={{this.primary_cluster_addr}}
+              />
+            </div>
+            <p class="help has-text-grey">
+              Overrides the cluster address that the primary gives to secondary nodes.
+            </p>
+          </div>
+        {{else}}
+          <p>
+            The token you are using is not authorized to enable primary replication.
+          </p>
+        {{/if}}
+      {{else}}
+        {{#if this.cluster.canEnableSecondary}}
+          {{#if
+            (and
+              (eq this.replicationMode "dr")
+              (not this.cluster.performance.replicationDisabled)
+              (has-feature "Performance Replication")
+            )
+          }}
+            <div>
+              <ToggleButton
+                @isOpen={{this.showExplanation}}
+                @openLabel="Disable Performance Replication in order to enable this cluster as a DR secondary."
+                @closedLabel="Disable Performance Replication in order to enable this cluster as a DR secondary."
+                @onClick={{fn (mut this.showExplanation)}}
+                class="has-text-danger"
+              />
+              {{#if this.showExplanation}}
+                <p>
+                  When running as a DR Secondary Vault is read only. For this reason, we don't allow other Replication modes
+                  to operate at the same time. This cluster is also currently operating as a Performance
+                  {{capitalize this.cluster.performance.modeForUrl}}.
+                </p>
+              {{/if}}
+            </div>
+          {{else}}
+            <div class="field">
+              <label for="secondary-token" class="is-label">
+                Secondary activation token
+              </label>
+              <div class="control">
+                <Textarea @value={{this.token}} id="secondary-token" name="secondary-token" class="textarea" />
+              </div>
+            </div>
+            <div class="field">
+              <label for="primary_api_addr" class="is-label">
+                Primary API address
+                {{#if (not (and this.token (not this.tokenIncludesAPIAddr)))}}
+                  <em class="is-optional">(optional)</em>
+                {{/if}}
+              </label>
+              <div class="control">
+                <Input @value={{this.primary_api_addr}} id="primary_api_addr" name="primary_api_addr" class="input" />
+              </div>
+              <p class="help {{if (and this.token (not this.tokenIncludesAPIAddr)) 'is-danger' 'has-text-grey'}}">
+                {{#if (and this.token (not this.tokenIncludesAPIAddr))}}
+                  The supplied token does not contain an embedded address for the primary cluster. Please enter the primary
+                  cluster's API address (normal Vault address).
+                {{else}}
+                  Set this to the API address (normal Vault address) to override the value embedded in the token.
+                {{/if}}
+              </p>
+            </div>
+            <div class="field">
+              <label for="ca_file" class="is-label">
+                CA file
+                <em class="is-optional">(optional)</em>
+              </label>
+              <div class="control">
+                <Input @value={{this.ca_file}} id="ca_file" name="ca_file" class="input" />
+              </div>
+              <p class="help has-text-grey">
+                Specifies the path to a CA root file (PEM format) that the secondary can use when unwrapping the token from
+                the primary.
+              </p>
+            </div>
+            <div class="field">
+              <label for="ca_path" class="is-label">
+                CA path
+                <em class="is-optional">(optional)</em>
+              </label>
+              <div class="control">
+                <Input @value={{this.ca_path}} id="ca_path" name="ca_file" class="input" />
+              </div>
+              <p class="help has-text-grey">
+                Specifies the path to a CA root directory containing PEM-format files that the secondary can use when
+                unwrapping the token from the primary.
+              </p>
+            </div>
+            <p>
+              Note: If both
+              <code>CA file</code>
+              and
+              <code>CA path</code>
+              are not given, they default to system CA roots.
+            </p>
+          {{/if}}
+        {{else}}
+          <p>The token you are using is not authorized to enable secondary replication.</p>
+        {{/if}}
+      {{/if}}
     </div>
-    {{#each this.model.fields as |attr|}}
-      <FormField data-test-field @attr={{attr}} @model={{this.model}} />
-    {{/each}}
-  </div>
-  <div class="field is-grouped is-grouped-split is-fullwidth box is-bottomless">
-    <div class="field is-grouped">
-      <div class="control">
+    {{#if
+      (or
+        (and (eq this.mode "primary") this.cluster.canEnablePrimary)
+        (and (eq this.mode "secondary") this.cluster.canEnableSecondary)
+      )
+    }}
+      <div class="field is-grouped box is-fullwidth is-bottomless">
         <Hds::Button
-          @text={{this.saveButtonText}}
-          @icon={{if this.save.isRunning "loading"}}
+          @text="Enable Replication"
           type="submit"
-          data-test-edit-form-submit
-          disabled={{this.save.isRunning}}
+          disabled={{this.disallowEnable}}
+          data-test-replication-enable
         />
       </div>
-      {{#if this.cancelLink}}
-        <div class="control">
-          <LinkTo
-            @route={{this.cancelLink.route}}
-            @models={{this.cancelLink.models}}
-            class="button"
-            data-test-edit-form-cancel={{true}}
-          >
-            Cancel
-          </LinkTo>
-        </div>
+    {{/if}}
+  </form>
+{{else if this.showModeSummary}}
+  {{#if (not (and this.cluster.dr.replicationEnabled this.cluster.performance.replicationEnabled))}}
+    <PageHeader as |p|>
+      <p.levelLeft>
+        <h1 class="title is-3" data-test-replication-title>
+          Replication
+        </h1>
+      </p.levelLeft>
+    </PageHeader>
+  {{/if}}
+
+  {{#if (and (eq this.cluster.dr.mode "primary") (eq this.cluster.performance.mode "primary"))}}
+    <ReplicationPage @model={{this.cluster}} as |Page|>
+      <Page.header @showTabs={{true}} />
+      <Page.dashboard @componentToRender="replication-summary-card" as |Dashboard|>
+        <Dashboard.card @title="Disaster Recovery" />
+        <Dashboard.card @title="Performance" />
+      </Page.dashboard>
+    </ReplicationPage>
+  {{else}}
+    <div class="box is-sideless is-fullwidth is-marginless">
+      <h3 class="title is-flex-center is-5 is-marginless">
+        <Icon @size="24" @name="replication-direct" />
+        Disaster Recovery (DR)
+      </h3>
+      {{#if this.cluster.dr.replicationEnabled}}
+        {{#if this.submit.isRunning}}
+          <LayoutLoading />
+        {{else}}
+          <ReplicationModeSummary @mode="dr" @cluster={{this.cluster}} @tagName="span" />
+        {{/if}}
+      {{else}}
+        <ReplicationModeSummary @mode="dr" @cluster={{this.cluster}} @tagName="div" />
       {{/if}}
     </div>
-  </div>
-</form>
\ No newline at end of file
+    {{#if (not (and this.submit.isRunning (eq this.cluster.dr.mode "bootstrapping")))}}
+      <div class="box is-bottomless is-fullwidth is-marginless">
+        <h3 class="title is-flex-center is-5 is-marginless">
+          <Icon @size="24" @name="replication-perf" />
+          Performance
+        </h3>
+        <ReplicationModeSummary @mode="performance" @cluster={{this.cluster}} @tagName="span" />
+      </div>
+    {{/if}}
+  {{/if}}
+{{else}}
+  {{#if (eq this.replicationAttrs.mode "initializing")}}
+    The cluster is initializing replication. This may take some time.
+  {{else}}
+    <p>{{this.cluster.replicationModeStatus.cluster_id}}</p>
+    <div class="replication">
+      <ReplicationPage @model={{this.cluster}} as |Page|>
+        <Page.dashboard
+          @data={{this.cluster}}
+          @componentToRender={{if
+            (eq this.replicationAttrs.mode "secondary")
+            "replication-secondary-card"
+            "replication-primary-card"
+          }}
+          as |Dashboard|
+        >
+          {{#if (eq this.replicationAttrs.mode "secondary")}}
+            <Dashboard.card @title="Status" />
+            <Dashboard.card @title="Primary cluster" />
+          {{else}}
+            <Dashboard.card
+              @title="State"
+              @description="The cluster’s current operating state."
+              @glyph={{get (cluster-states this.replicationAttrs.state) "glyph"}}
+              @metric={{this.replicationAttrs.state}}
+            />
+            <Dashboard.card
+              @title="Last WAL entry"
+              @description="Index of last Write Ahead Logs entry written on local storage. Updates every ten seconds."
+              @metric={{format-number this.replicationAttrs.lastWAL}}
+            />
+            <Dashboard.secondaryCard @cluster={{this.cluster}} @replicationAttrs={{this.replicationAttrs}} />
+          {{/if}}
+        </Page.dashboard>
+      </ReplicationPage>
+    </div>
+  {{/if}}
+{{/if}}
\ No newline at end of file
diff --git a/ui/lib/kubernetes/addon/components/page/configure.hbs b/ui/lib/kubernetes/addon/components/page/configure.hbs
index b623c2a2a975..3024ee9d0e82 100644
--- a/ui/lib/kubernetes/addon/components/page/configure.hbs
+++ b/ui/lib/kubernetes/addon/components/page/configure.hbs
@@ -1,114 +1,96 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
 
-<PageHeader as |p|>
-  <p.top>
-    <Page::Breadcrumbs @breadcrumbs={{@breadcrumbs}} />
-  </p.top>
-  <p.levelLeft>
-    <h1 class="title is-3">
-      Configure Kubernetes
-    </h1>
-  </p.levelLeft>
-</PageHeader>
+import { click, fillIn, findAll, currentURL, visit, settled, waitUntil } from '@ember/test-helpers';
 
-<hr class="is-marginless has-background-gray-200" />
+export const disableReplication = async (type, assert) => {
+  // disable performance replication
+  await visit(`/vault/replication/${type}`);
 
-<p class="has-top-margin-m">
-  To customize your configuration, specify the type of Kubernetes cluster that credentials will be generated for.
-</p>
+  if (findAll('[data-test-replication-link="manage"]').length) {
+    await click('[data-test-replication-link="manage"]');
 
-<div class="is-flex-row has-top-margin-s">
-  <RadioCard
-    class="has-fixed-width"
-    @title="Local cluster"
-    @description="Generate credentials for the local Kubernetes cluster that Vault is running on, using Vault’s service account."
-    @icon="kubernetes-color"
-    @value={{false}}
-    @groupValue={{@model.disableLocalCaJwt}}
-    @onChange={{this.onRadioSelect}}
-    data-test-radio-card="local"
-  />
-  <RadioCard
-    class="has-fixed-width"
-    @title="Manual configuration"
-    @description="Generate credentials for an external Kubernetes cluster, using a service account that you specify."
-    @icon="vault"
-    @iconClass="has-text-black"
-    @value={{true}}
-    @groupValue={{@model.disableLocalCaJwt}}
-    @onChange={{this.onRadioSelect}}
-    data-test-radio-card="manual"
-  />
-</div>
+    await click('[data-test-disable-replication] button');
 
-<div class="has-top-margin-m" data-test-config>
-  {{#if @model.disableLocalCaJwt}}
-    <MessageError @errorMessage={{this.error}} />
-    {{#each @model.formFields as |attr|}}
-      <FormField @attr={{attr}} @model={{@model}} @modelValidations={{this.modelValidations}} />
-    {{/each}}
-  {{else if (eq this.inferredState "success")}}
-    <Icon @name="check-circle-fill" class="has-text-success" />
-    <span>Configuration values were inferred successfully.</span>
-  {{else if (eq this.inferredState "error")}}
-    <Icon @name="x-square-fill" class="has-text-danger" />
-    <span class="has-text-danger">
-      Vault could not infer a configuration from your environment variables. Check your configuration file to edit or delete
-      them, or configure manually.
-    </span>
-  {{else}}
-    <p>
-      Configuration values can be inferred from the pod and your local environment variables.
-    </p>
-    <div>
-      <Hds::Button
-        @text="Get config values"
-        @color="secondary"
-        @icon={{if this.fetchInferred.isRunning "loading"}}
-        class="has-top-margin-s"
-        disabled={{this.fetchInferred.isRunning}}
-        {{on "click" (perform this.fetchInferred)}}
-      />
-    </div>
-  {{/if}}
-</div>
+    const typeDisplay = type === 'dr' ? 'Disaster Recovery' : 'Performance';
+    await fillIn('[data-test-confirmation-modal-input="Disable Replication?"]', typeDisplay);
+    await click('[data-test-confirm-button]');
+    await settled(); // eslint-disable-line
 
-<hr class="has-background-gray-200 has-top-margin-l" />
+    if (assert) {
+      // bypassing for now -- remove if tests pass reliably
+      // assert.strictEqual(
+      //   flash.latestMessage,
+      //   'This cluster is having replication disabled. Vault will be unavailable for a brief period and will resume service shortly.',
+      //   'renders info flash when disabled'
+      // );
+      assert.ok(
+        await waitUntil(() => currentURL() === '/vault/replication'),
+        'redirects to the replication page'
+      );
+    }
+    await settled();
+  }
+};
 
-<div class="has-top-margin-s has-bottom-margin-s is-flex">
-  <Hds::Button @text="Save" data-test-config-save disabled={{this.isDisabled}} {{on "click" (perform this.save)}} />
-  <Hds::Button
-    @text="Back"
-    @color="secondary"
-    class="has-left-margin-xs"
-    data-test-config-cancel
-    disabled={{or this.save.isRunning this.fetchInferred.isRunning}}
-    {{on "click" this.cancel}}
-  />
-  {{#if this.alert}}
-    <AlertInline @type="danger" @paddingTop={{true}} @message={{this.alert}} @mimicRefresh={{true}} data-test-alert />
-  {{/if}}
-</div>
+export const STATUS_DISABLED_RESPONSE = {
+  dr: mockReplicationBlock(),
+  performance: mockReplicationBlock(),
+};
 
-{{#if this.showConfirm}}
-  <Hds::Modal id="kubernetes-edit-config-modal" @onClose={{fn (mut this.showConfirm) false}} @color="warning" as |M|>
-    <M.Header @icon="alert-triangle">
-      Edit configuration
-    </M.Header>
-    <M.Body data-test-edit-config-body>
-      <p>
-        Making changes to your configuration may affect how Vault will reach the Kubernetes API and authenticate with it. Are
-        you sure?
-      </p>
-    </M.Body>
-    <M.Footer as |F|>
-      <Hds::ButtonSet>
-        <Hds::Button data-test-config-confirm {{on "click" (perform this.save)}} @text="Confirm" />
-        <Hds::Button {{on "click" F.close}} @color="secondary" @text="Cancel" />
-      </Hds::ButtonSet>
-    </M.Footer>
-  </Hds::Modal>
-{{/if}}
\ No newline at end of file
+/**
+ * Mock replication block returns the expected payload for a given replication type
+ * @param {string} mode disabled | primary | secondary
+ * @param {string} status connected | disconnected
+ * @returns expected object for a single replication type, eg dr or performance values
+ */
+export function mockReplicationBlock(mode = 'disabled', status = 'connected') {
+  switch (mode) {
+    case 'primary':
+      return {
+        cluster_id: '5f20f5ab-acea-0481-787e-71ec2ff5a60b',
+        known_secondaries: ['4'],
+        last_wal: 455,
+        merkle_root: 'aaaaaabbbbbbbccccccccddddddd',
+        mode: 'primary',
+        primary_cluster_addr: '',
+        secondaries: [
+          {
+            api_address: 'https://127.0.0.1:49277',
+            cluster_address: 'https://127.0.0.1:49281',
+            connection_status: status,
+            last_heartbeat: '2020-06-10T15:40:46-07:00',
+            node_id: '4',
+          },
+        ],
+        state: 'stream-wals',
+      };
+    case 'secondary':
+      return {
+        cluster_id: '5f20f5ab-acea-0481-787e-71ec2ff5a60b',
+        known_primary_cluster_addrs: ['https://127.0.0.1:8201'],
+        last_remote_wal: 291,
+        merkle_root: 'aaaaaabbbbbbbccccccccddddddd',
+        corrupted_merkle_tree: false,
+        last_corruption_check_epoch: '1694456090',
+        mode: 'secondary',
+        primaries: [
+          {
+            api_address: 'https://127.0.0.1:49244',
+            cluster_address: 'https://127.0.0.1:8201',
+            connection_status: status,
+            last_heartbeat: '2020-06-10T15:40:46-07:00',
+          },
+        ],
+        primary_cluster_addr: 'https://127.0.0.1:8201',
+        secondary_id: '2',
+        state: 'stream-wals',
+      };
+    default:
+      return {
+        mode: 'disabled',
+      };
+  }
+}
diff --git a/ui/lib/kubernetes/addon/components/page/role/create-and-edit.hbs b/ui/lib/kubernetes/addon/components/page/role/create-and-edit.hbs
index 5d0d0bb6b6bf..9bc02d53935d 100644
--- a/ui/lib/kubernetes/addon/components/page/role/create-and-edit.hbs
+++ b/ui/lib/kubernetes/addon/components/page/role/create-and-edit.hbs
@@ -1,157 +1,132 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<PageHeader as |p|>
-  <p.top>
-    <Page::Breadcrumbs @breadcrumbs={{@breadcrumbs}} />
-  </p.top>
-  <p.levelLeft>
-    <h1 class="title is-3">
-      {{if @model.isNew "Create Role" "Edit Role"}}
-    </h1>
-  </p.levelLeft>
-</PageHeader>
-
-<hr class="is-marginless has-background-gray-200" />
-
-<p class="has-top-margin-m">
-  A role in Vault dictates what will be generated for Kubernetes and what kind of rules will be used to do so. It is not a
-  Kubernetes role.
-</p>
-
-<div class="is-flex-row has-top-margin-s">
-  {{#each this.generationPreferences as |pref|}}
-    <RadioCard
-      @title={{pref.title}}
-      @description={{pref.description}}
-      @icon="token"
-      @value={{pref.value}}
-      @groupValue={{@model.generationPreference}}
-      @onChange={{this.changePreference}}
-      data-test-radio-card={{pref.value}}
-    />
-  {{/each}}
-</div>
-
-<div class="has-top-margin-xl has-bottom-margin-l">
-  <h2 class="title is-4">
-    Role options
-  </h2>
-  <hr class="is-marginless has-background-gray-200" />
-</div>
-
-{{#if @model.generationPreference}}
-  <form id="role" {{on "submit" this.onSave}} data-test-policy-form>
-    {{#if this.errorBanner}}
-      <MessageError @errorMessage={{this.errorBanner}} class="has-top-margin-s" />
-    {{/if}}
-
-    {{#each @model.filteredFormFields as |field|}}
-      <FormField @attr={{field}} @model={{@model}} @modelValidations={{this.modelValidations}} />
-    {{/each}}
-
-    <div class="has-bottom-margin-s">
-      <ToggleButton
-        data-test-field="annotations"
-        @isOpen={{this.showAnnotations}}
-        @openLabel="Hide annotations and labels"
-        @closedLabel="Annotations and labels"
-        @onClick={{fn (mut this.showAnnotations)}}
-      />
-      {{#if this.showAnnotations}}
-        <div class="box" data-test-annotations>
-          {{#each this.extraFields as |field|}}
-            <div class={{if (eq field.type "labels") "has-top-margin-xl"}}>
-              <h2 class="title is-4">Extra {{field.type}}</h2>
-              <p>
-                {{field.description}}
-                See
-                <ExternalLink @href="https://kubernetes.io/docs/concepts/overview/working-with-objects/{{field.type}}/">
-                  Kubernetes
-                  {{singularize field.type}}
-                  documentation here
-                </ExternalLink>.
-              </p>
-              <KvObjectEditor
-                class="has-top-margin-m"
-                data-test-kv={{field.type}}
-                @value={{get @model field.key}}
-                @onChange={{fn (mut (get @model field.key))}}
-              />
-            </div>
-            <hr />
-          {{/each}}
-        </div>
-      {{/if}}
-    </div>
-
-    {{#if (eq @model.generationPreference "full")}}
-      <div class="has-top-margin-m has-bottom-margin-l" data-test-generated-role-rules>
-        <h2 class="title is-4">
-          Generated role rules
-        </h2>
-        <FormFieldLabel
-          for="templates"
-          @label="Role rules template"
-          @subText="Start with a template for role rules based on your use case"
-        />
-        <div class="select is-fullwidth">
-          <select id="templates" data-test-select-template {{on "change" this.selectTemplate}}>
-            {{#each this.roleRulesTemplates as |template|}}
-              <option selected={{eq this.selectedTemplateId template.id}} value={{template.id}}>
-                {{template.label}}
-              </option>
-            {{/each}}
-          </select>
-        </div>
-        {{#let (find-by "id" this.selectedTemplateId this.roleRulesTemplates) as |template|}}
-          <JsonEditor
-            class="has-top-margin-l"
-            data-test-rules
-            @title="Role rules"
-            @value={{template.rules}}
-            @mode="ruby"
-            @valueUpdated={{fn (mut template.rules)}}
-            @helpText={{sanitized-html this.roleRulesHelpText}}
-          >
-            <Hds::Button
-              @icon="reload"
-              @text="Restore example"
-              @color="secondary"
-              class="toolbar-button"
-              {{on "click" this.resetRoleRules}}
-              data-test-restore-example
-            />
-          </JsonEditor>
-        {{/let}}
-      </div>
-    {{/if}}
-    {{#if this.invalidFormAlert}}
-      <div class="control" data-test-invalid-form-alert>
-        <AlertInline @type="danger" @paddingTop={{true}} @message={{this.invalidFormAlert}} @mimicRefresh={{true}} />
-      </div>
-    {{/if}}
-  </form>
-{{else}}
-  <EmptyState
-    class="is-shadowless"
-    @title="Choose an option above"
-    @message="To configure a Vault role, choose what should be generated in Kubernetes by Vault."
-  />
-{{/if}}
-
-<hr class="is-marginless has-background-gray-200" />
-
-<div class="has-top-margin-l has-bottom-margin-s">
-  <Hds::Button
-    @text="Save"
-    @icon={{if this.save.isRunning "loading"}}
-    type="submit"
-    form="role"
-    disabled={{or (not @model.generationPreference) this.save.isRunning}}
-    data-test-save
-  />
-  <Hds::Button @text="Back" @color="secondary" class="has-left-margin-s" data-test-cancel {{on "click" this.cancel}} />
-</div>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package api
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"github.com/mitchellh/mapstructure"
+)
+
+const (
+	apiRepPerformanceStatusPath = "/v1/sys/replication/performance/status"
+	apiRepDRStatusPath          = "/v1/sys/replication/dr/status"
+	apiRepStatusPath            = "/v1/sys/replication/status"
+)
+
+type ClusterInfo struct {
+	APIAddr                     string `json:"api_address,omitempty" mapstructure:"api_address"`
+	ClusterAddress              string `json:"cluster_address,omitempty" mapstructure:"cluster_address"`
+	ConnectionStatus            string `json:"connection_status,omitempty" mapstructure:"connection_status"`
+	LastHeartBeat               string `json:"last_heartbeat,omitempty" mapstructure:"last_heartbeat"`
+	LastHeartBeatDurationMillis string `json:"last_heartbeat_duration_ms,omitempty" mapstructure:"last_heartbeat_duration_ms"`
+	ClockSkewMillis             string `json:"clock_skew_ms,omitempty" mapstructure:"clock_skew_ms"`
+	NodeID                      string `json:"node_id,omitempty" mapstructure:"node_id"`
+}
+
+type ReplicationStatusGenericResponse struct {
+	LastDRWAL             uint64 `json:"last_dr_wal,omitempty" mapstructure:"last_dr_wal"`
+	LastReindexEpoch      string `json:"last_reindex_epoch,omitempty" mapstructure:"last_reindex_epoch"`
+	ClusterID             string `json:"cluster_id,omitempty" mapstructure:"cluster_id"`
+	LastWAL               uint64 `json:"last_wal,omitempty" mapstructure:"last_wal"`
+	MerkleRoot            string `json:"merkle_root,omitempty" mapstructure:"merkle_root"`
+	Mode                  string `json:"mode,omitempty" mapstructure:"mode"`
+	PrimaryClusterAddr    string `json:"primary_cluster_addr,omitempty" mapstructure:"primary_cluster_addr"`
+	LastPerformanceWAL    uint64 `json:"last_performance_wal,omitempty" mapstructure:"last_performance_wal"`
+	State                 string `json:"state,omitempty" mapstructure:"state"`
+	LastRemoteWAL         uint64 `json:"last_remote_wal,omitempty" mapstructure:"last_remote_wal"`
+	SecondaryID           string `json:"secondary_id,omitempty" mapstructure:"secondary_id"`
+	SSCTGenerationCounter uint64 `json:"ssct_generation_counter,omitempty" mapstructure:"ssct_generation_counter"`
+
+	KnownSecondaries         []string      `json:"known_secondaries,omitempty" mapstructure:"known_secondaries"`
+	KnownPrimaryClusterAddrs []string      `json:"known_primary_cluster_addrs,omitempty" mapstructure:"known_primary_cluster_addrs"`
+	Primaries                []ClusterInfo `json:"primaries,omitempty" mapstructure:"primaries"`
+	Secondaries              []ClusterInfo `json:"secondaries,omitempty" mapstructure:"secondaries"`
+}
+
+type ReplicationStatusResponse struct {
+	DR          ReplicationStatusGenericResponse `json:"dr,omitempty" mapstructure:"dr"`
+	Performance ReplicationStatusGenericResponse `json:"performance,omitempty" mapstructure:"performance"`
+}
+
+func (c *Sys) ReplicationStatus() (*ReplicationStatusResponse, error) {
+	return c.ReplicationStatusWithContext(context.Background(), apiRepStatusPath)
+}
+
+func (c *Sys) ReplicationPerformanceStatusWithContext(ctx context.Context) (*ReplicationStatusGenericResponse, error) {
+	s, err := c.ReplicationStatusWithContext(ctx, apiRepPerformanceStatusPath)
+	if err != nil {
+		return nil, err
+	}
+
+	return &s.Performance, nil
+}
+
+func (c *Sys) ReplicationDRStatusWithContext(ctx context.Context) (*ReplicationStatusGenericResponse, error) {
+	s, err := c.ReplicationStatusWithContext(ctx, apiRepDRStatusPath)
+	if err != nil {
+		return nil, err
+	}
+
+	return &s.DR, nil
+}
+
+func (c *Sys) ReplicationStatusWithContext(ctx context.Context, path string) (*ReplicationStatusResponse, error) {
+	// default to replication/status
+	if path == "" {
+		path = apiRepStatusPath
+	}
+
+	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+	defer cancelFunc()
+
+	r := c.c.NewRequest(http.MethodGet, path)
+
+	resp, err := c.c.rawRequestWithContext(ctx, r)
+	if err != nil {
+		return nil, err
+	}
+	defer func() { _ = resp.Body.Close() }()
+
+	// First decode response into a map[string]interface{}
+	data := make(map[string]interface{})
+	dec := json.NewDecoder(resp.Body)
+	dec.UseNumber()
+	if err := dec.Decode(&data); err != nil {
+		return nil, err
+	}
+
+	rawData, ok := data["data"]
+	if !ok {
+		return nil, fmt.Errorf("empty data in replication status response")
+	}
+
+	s := &ReplicationStatusResponse{}
+	g := &ReplicationStatusGenericResponse{}
+	switch {
+	case path == apiRepPerformanceStatusPath:
+		err = mapstructure.Decode(rawData, g)
+		if err != nil {
+			return nil, err
+		}
+		s.Performance = *g
+	case path == apiRepDRStatusPath:
+		err = mapstructure.Decode(rawData, g)
+		if err != nil {
+			return nil, err
+		}
+		s.DR = *g
+	default:
+		err = mapstructure.Decode(rawData, s)
+		if err != nil {
+			return nil, err
+		}
+		return s, err
+	}
+
+	return s, err
+}
diff --git a/ui/lib/kv/addon/components/kv-data-fields.hbs b/ui/lib/kv/addon/components/kv-data-fields.hbs
index 76c5c2dfd3a0..4f75bbd6d8e3 100644
--- a/ui/lib/kv/addon/components/kv-data-fields.hbs
+++ b/ui/lib/kv/addon/components/kv-data-fields.hbs
@@ -1,38 +1,524 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-{{#let (find-by "name" "path" @secret.allFields) as |attr|}}
-  {{#if @isEdit}}
-    <ReadonlyFormField @attr={{attr}} @value={{get @secret attr.name}} />
-  {{else}}
-    <FormField @attr={{attr}} @model={{@secret}} @modelValidations={{@modelValidations}} @onKeyUp={{@pathValidations}} />
-  {{/if}}
-{{/let}}
-
-<hr class="is-marginless has-background-gray-200" />
-{{#if @showJson}}
-  <JsonEditor
-    @title="{{if @isEdit 'Version' 'Secret'}} data"
-    @value={{or (stringify @secret.secretData) this.emptyJson}}
-    @valueUpdated={{this.handleJson}}
-  />
-  {{#if (or @modelValidations.secretData.errors this.lintingErrors)}}
-    <AlertInline @type={{if this.lintingErrors "warning" "danger"}} @paddingTop={{true}}>
-      {{#if @modelValidations.secretData.errors}}
-        {{@modelValidations.secretData.errors}}
-      {{else}}
-        JSON is unparsable. Fix linting errors to avoid data discrepancies.
-      {{/if}}
-    </AlertInline>
-  {{/if}}
-{{else}}
-  <KvObjectEditor
-    class="has-top-margin-m"
-    @label="{{if @isEdit 'Version' 'Secret'}} data"
-    @value={{@secret.secretData}}
-    @onChange={{fn (mut @secret.secretData)}}
-    @isMasked={{true}}
-  />
-{{/if}}
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package logical
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/mitchellh/copystructure"
+)
+
+// RequestWrapInfo is a struct that stores information about desired response
+// and seal wrapping behavior
+type RequestWrapInfo struct {
+	// Setting to non-zero specifies that the response should be wrapped.
+	// Specifies the desired TTL of the wrapping token.
+	TTL time.Duration `json:"ttl" structs:"ttl" mapstructure:"ttl" sentinel:""`
+
+	// The format to use for the wrapped response; if not specified it's a bare
+	// token
+	Format string `json:"format" structs:"format" mapstructure:"format" sentinel:""`
+
+	// A flag to conforming backends that data for a given request should be
+	// seal wrapped
+	SealWrap bool `json:"seal_wrap" structs:"seal_wrap" mapstructure:"seal_wrap" sentinel:""`
+}
+
+func (r *RequestWrapInfo) SentinelGet(key string) (interface{}, error) {
+	if r == nil {
+		return nil, nil
+	}
+	switch key {
+	case "ttl":
+		return r.TTL, nil
+	case "ttl_seconds":
+		return int64(r.TTL.Seconds()), nil
+	}
+
+	return nil, nil
+}
+
+func (r *RequestWrapInfo) SentinelKeys() []string {
+	return []string{
+		"ttl",
+		"ttl_seconds",
+	}
+}
+
+type ClientTokenSource uint32
+
+const (
+	NoClientToken ClientTokenSource = iota
+	ClientTokenFromVaultHeader
+	ClientTokenFromAuthzHeader
+	ClientTokenFromInternalAuth
+)
+
+type WALState struct {
+	ClusterID       string
+	LocalIndex      uint64
+	ReplicatedIndex uint64
+}
+
+const indexStateCtxKey = "index_state"
+
+// IndexStateContext returns a context with an added value holding the index
+// state that should be populated on writes.
+func IndexStateContext(ctx context.Context, state *WALState) context.Context {
+	return context.WithValue(ctx, indexStateCtxKey, state)
+}
+
+// IndexStateFromContext is a helper to look up if the provided context contains
+// an index state pointer.
+func IndexStateFromContext(ctx context.Context) *WALState {
+	s, ok := ctx.Value(indexStateCtxKey).(*WALState)
+	if !ok {
+		return nil
+	}
+	return s
+}
+
+// Request is a struct that stores the parameters and context of a request
+// being made to Vault. It is used to abstract the details of the higher level
+// request protocol from the handlers.
+//
+// Note: Many of these have Sentinel disabled because they are values populated
+// by the router after policy checks; the token namespace would be the right
+// place to access them via Sentinel
+type Request struct {
+	// Id is the uuid associated with each request
+	ID string `json:"id" structs:"id" mapstructure:"id" sentinel:""`
+
+	// If set, the name given to the replication secondary where this request
+	// originated
+	ReplicationCluster string `json:"replication_cluster" structs:"replication_cluster" mapstructure:"replication_cluster" sentinel:""`
+
+	// Operation is the requested operation type
+	Operation Operation `json:"operation" structs:"operation" mapstructure:"operation"`
+
+	// Path is the full path of the request
+	Path string `json:"path" structs:"path" mapstructure:"path" sentinel:""`
+
+	// Request data is an opaque map that must have string keys.
+	Data map[string]interface{} `json:"map" structs:"data" mapstructure:"data"`
+
+	// Storage can be used to durably store and retrieve state.
+	Storage Storage `json:"-" sentinel:""`
+
+	// Secret will be non-nil only for Revoke and Renew operations
+	// to represent the secret that was returned prior.
+	Secret *Secret `json:"secret" structs:"secret" mapstructure:"secret" sentinel:""`
+
+	// Auth will be non-nil only for Renew operations
+	// to represent the auth that was returned prior.
+	Auth *Auth `json:"auth" structs:"auth" mapstructure:"auth" sentinel:""`
+
+	// Headers will contain the http headers from the request. This value will
+	// be used in the audit broker to ensure we are auditing only the allowed
+	// headers.
+	Headers map[string][]string `json:"headers" structs:"headers" mapstructure:"headers" sentinel:""`
+
+	// Connection will be non-nil only for credential providers to
+	// inspect the connection information and potentially use it for
+	// authentication/protection.
+	Connection *Connection `json:"connection" structs:"connection" mapstructure:"connection"`
+
+	// ClientToken is provided to the core so that the identity
+	// can be verified and ACLs applied. This value is passed
+	// through to the logical backends but after being salted and
+	// hashed.
+	ClientToken string `json:"client_token" structs:"client_token" mapstructure:"client_token" sentinel:""`
+
+	// ClientTokenAccessor is provided to the core so that the it can get
+	// logged as part of request audit logging.
+	ClientTokenAccessor string `json:"client_token_accessor" structs:"client_token_accessor" mapstructure:"client_token_accessor" sentinel:""`
+
+	// DisplayName is provided to the logical backend to help associate
+	// dynamic secrets with the source entity. This is not a sensitive
+	// name, but is useful for operators.
+	DisplayName string `json:"display_name" structs:"display_name" mapstructure:"display_name" sentinel:""`
+
+	// MountPoint is provided so that a logical backend can generate
+	// paths relative to itself. The `Path` is effectively the client
+	// request path with the MountPoint trimmed off.
+	MountPoint string `json:"mount_point" structs:"mount_point" mapstructure:"mount_point" sentinel:""`
+
+	// MountType is provided so that a logical backend can make decisions
+	// based on the specific mount type (e.g., if a mount type has different
+	// aliases, generating different defaults depending on the alias)
+	MountType string `json:"mount_type" structs:"mount_type" mapstructure:"mount_type" sentinel:""`
+
+	// MountAccessor is provided so that identities returned by the authentication
+	// backends can be tied to the mount it belongs to.
+	MountAccessor string `json:"mount_accessor" structs:"mount_accessor" mapstructure:"mount_accessor" sentinel:""`
+
+	// mountRunningVersion is used internally to propagate the semantic version
+	// of the mounted plugin as reported by its vault.MountEntry to audit logging
+	mountRunningVersion string
+
+	// mountRunningSha256 is used internally to propagate the encoded sha256
+	// of the mounted plugin as reported its vault.MountEntry to audit logging
+	mountRunningSha256 string
+
+	// mountIsExternalPlugin is used internally to propagate whether
+	// the backend of the mounted plugin is running externally (i.e., over GRPC)
+	// to audit logging
+	mountIsExternalPlugin bool
+
+	// mountClass is used internally to propagate the mount class of the mounted plugin to audit logging
+	mountClass string
+
+	// WrapInfo contains requested response wrapping parameters
+	WrapInfo *RequestWrapInfo `json:"wrap_info" structs:"wrap_info" mapstructure:"wrap_info" sentinel:""`
+
+	// ClientTokenRemainingUses represents the allowed number of uses left on the
+	// token supplied
+	ClientTokenRemainingUses int `json:"client_token_remaining_uses" structs:"client_token_remaining_uses" mapstructure:"client_token_remaining_uses"`
+
+	// EntityID is the identity of the caller extracted out of the token used
+	// to make this request
+	EntityID string `json:"entity_id" structs:"entity_id" mapstructure:"entity_id" sentinel:""`
+
+	// PolicyOverride indicates that the requestor wishes to override
+	// soft-mandatory Sentinel policies
+	PolicyOverride bool `json:"policy_override" structs:"policy_override" mapstructure:"policy_override"`
+
+	// Whether the request is unauthenticated, as in, had no client token
+	// attached. Useful in some situations where the client token is not made
+	// accessible.
+	Unauthenticated bool `json:"unauthenticated" structs:"unauthenticated" mapstructure:"unauthenticated"`
+
+	// MFACreds holds the parsed MFA information supplied over the API as part of
+	// X-Vault-MFA header
+	MFACreds MFACreds `json:"mfa_creds" structs:"mfa_creds" mapstructure:"mfa_creds" sentinel:""`
+
+	// Cached token entry. This avoids another lookup in request handling when
+	// we've already looked it up at http handling time. Note that this token
+	// has not been "used", as in it will not properly take into account use
+	// count limitations. As a result this field should only ever be used for
+	// transport to a function that would otherwise do a lookup and then
+	// properly use the token.
+	tokenEntry *TokenEntry
+
+	// For replication, contains the last WAL on the remote side after handling
+	// the request, used for best-effort avoidance of stale read-after-write
+	lastRemoteWAL uint64
+
+	// ControlGroup holds the authorizations that have happened on this
+	// request
+	ControlGroup *ControlGroup `json:"control_group" structs:"control_group" mapstructure:"control_group" sentinel:""`
+
+	// ClientTokenSource tells us where the client token was sourced from, so
+	// we can delete it before sending off to plugins
+	ClientTokenSource ClientTokenSource
+
+	// HTTPRequest, if set, can be used to access fields from the HTTP request
+	// that generated this logical.Request object, such as the request body.
+	HTTPRequest *http.Request `json:"-" sentinel:""`
+
+	// ResponseWriter if set can be used to stream a response value to the http
+	// request that generated this logical.Request object.
+	ResponseWriter *HTTPResponseWriter `json:"-" sentinel:""`
+
+	// requiredState is used internally to propagate the X-Vault-Index request
+	// header to later levels of request processing that operate only on
+	// logical.Request.
+	requiredState []string
+
+	// responseState is used internally to propagate the state that should appear
+	// in response headers; it's attached to the request rather than the response
+	// because not all requests yields non-nil responses.
+	responseState *WALState
+
+	// ClientID is the identity of the caller. If the token is associated with an
+	// entity, it will be the same as the EntityID . If the token has no entity,
+	// this will be the sha256(sorted policies + namespace) associated with the
+	// client token.
+	ClientID string `json:"client_id" structs:"client_id" mapstructure:"client_id" sentinel:""`
+
+	// InboundSSCToken is the token that arrives on an inbound request, supplied
+	// by the vault user.
+	InboundSSCToken string
+
+	// When a request has been forwarded, contains information of the host the request was forwarded 'from'
+	ForwardedFrom string `json:"forwarded_from,omitempty"`
+
+	// Name of the chroot namespace for the listener that the request was made against
+	ChrootNamespace string `json:"chroot_namespace,omitempty"`
+}
+
+// Clone returns a deep copy of the request by using copystructure
+func (r *Request) Clone() (*Request, error) {
+	cpy, err := copystructure.Copy(r)
+	if err != nil {
+		return nil, err
+	}
+	return cpy.(*Request), nil
+}
+
+// Get returns a data field and guards for nil Data
+func (r *Request) Get(key string) interface{} {
+	if r.Data == nil {
+		return nil
+	}
+	return r.Data[key]
+}
+
+// GetString returns a data field as a string
+func (r *Request) GetString(key string) string {
+	raw := r.Get(key)
+	s, _ := raw.(string)
+	return s
+}
+
+func (r *Request) GoString() string {
+	return fmt.Sprintf("*%#v", *r)
+}
+
+func (r *Request) SentinelGet(key string) (interface{}, error) {
+	switch key {
+	case "path":
+		// Sanitize it here so that it's consistent in policies
+		return strings.TrimPrefix(r.Path, "/"), nil
+
+	case "wrapping", "wrap_info":
+		// If the pointer is nil accessing the wrap info is considered
+		// "undefined" so this allows us to instead discover a TTL of zero
+		if r.WrapInfo == nil {
+			return &RequestWrapInfo{}, nil
+		}
+		return r.WrapInfo, nil
+	}
+
+	return nil, nil
+}
+
+func (r *Request) SentinelKeys() []string {
+	return []string{
+		"path",
+		"wrapping",
+		"wrap_info",
+	}
+}
+
+func (r *Request) MountRunningVersion() string {
+	return r.mountRunningVersion
+}
+
+func (r *Request) SetMountRunningVersion(mountRunningVersion string) {
+	r.mountRunningVersion = mountRunningVersion
+}
+
+func (r *Request) MountRunningSha256() string {
+	return r.mountRunningSha256
+}
+
+func (r *Request) SetMountRunningSha256(mountRunningSha256 string) {
+	r.mountRunningSha256 = mountRunningSha256
+}
+
+func (r *Request) MountIsExternalPlugin() bool {
+	return r.mountIsExternalPlugin
+}
+
+func (r *Request) SetMountIsExternalPlugin(mountIsExternalPlugin bool) {
+	r.mountIsExternalPlugin = mountIsExternalPlugin
+}
+
+func (r *Request) MountClass() string {
+	return r.mountClass
+}
+
+func (r *Request) SetMountClass(mountClass string) {
+	r.mountClass = mountClass
+}
+
+func (r *Request) LastRemoteWAL() uint64 {
+	return r.lastRemoteWAL
+}
+
+func (r *Request) SetLastRemoteWAL(last uint64) {
+	r.lastRemoteWAL = last
+}
+
+func (r *Request) RequiredState() []string {
+	return r.requiredState
+}
+
+func (r *Request) SetRequiredState(state []string) {
+	r.requiredState = state
+}
+
+func (r *Request) ResponseState() *WALState {
+	return r.responseState
+}
+
+func (r *Request) SetResponseState(w *WALState) {
+	r.responseState = w
+}
+
+func (r *Request) TokenEntry() *TokenEntry {
+	return r.tokenEntry
+}
+
+func (r *Request) SetTokenEntry(te *TokenEntry) {
+	r.tokenEntry = te
+}
+
+// RenewRequest creates the structure of the renew request.
+func RenewRequest(path string, secret *Secret, data map[string]interface{}) *Request {
+	return &Request{
+		Operation: RenewOperation,
+		Path:      path,
+		Data:      data,
+		Secret:    secret,
+	}
+}
+
+// RenewAuthRequest creates the structure of the renew request for an auth.
+func RenewAuthRequest(path string, auth *Auth, data map[string]interface{}) *Request {
+	return &Request{
+		Operation: RenewOperation,
+		Path:      path,
+		Data:      data,
+		Auth:      auth,
+	}
+}
+
+// RevokeRequest creates the structure of the revoke request.
+func RevokeRequest(path string, secret *Secret, data map[string]interface{}) *Request {
+	return &Request{
+		Operation: RevokeOperation,
+		Path:      path,
+		Data:      data,
+		Secret:    secret,
+	}
+}
+
+// RollbackRequest creates the structure of the revoke request.
+func RollbackRequest(path string) *Request {
+	return &Request{
+		Operation: RollbackOperation,
+		Path:      path,
+		Data:      make(map[string]interface{}),
+	}
+}
+
+// Operation is an enum that is used to specify the type
+// of request being made
+type Operation string
+
+const (
+	// The operations below are called per path
+	CreateOperation         Operation = "create"
+	ReadOperation                     = "read"
+	UpdateOperation                   = "update"
+	PatchOperation                    = "patch"
+	DeleteOperation                   = "delete"
+	ListOperation                     = "list"
+	HelpOperation                     = "help"
+	AliasLookaheadOperation           = "alias-lookahead"
+	ResolveRoleOperation              = "resolve-role"
+	HeaderOperation                   = "header"
+
+	// The operations below are called globally, the path is less relevant.
+	RevokeOperation   Operation = "revoke"
+	RenewOperation              = "renew"
+	RollbackOperation           = "rollback"
+)
+
+type MFACreds map[string][]string
+
+// InitializationRequest stores the parameters and context of an Initialize()
+// call being made to a logical.Backend.
+type InitializationRequest struct {
+	// Storage can be used to durably store and retrieve state.
+	Storage Storage
+}
+
+type CustomHeader struct {
+	Name  string
+	Value string
+}
+
+type CtxKeyInFlightRequestID struct{}
+
+func (c CtxKeyInFlightRequestID) String() string {
+	return "in-flight-request-ID"
+}
+
+type CtxKeyRequestRole struct{}
+
+func (c CtxKeyRequestRole) String() string {
+	return "request-role"
+}
+
+// CtxKeyDisableReplicationStatusEndpoints is a custom type used as a key in
+// context.Context to store the value `true` when the
+// disable_replication_status_endpoints configuration parameter is set to true
+// for the listener through which a request was received.
+type ctxKeyDisableReplicationStatusEndpoints struct{}
+
+// String returns a string representation of the receiver type.
+func (c ctxKeyDisableReplicationStatusEndpoints) String() string {
+	return "disable-replication-status-endpoints"
+}
+
+// ContextDisableReplicationStatusEndpointsValue examines the provided
+// context.Context for the disable replication status endpoints value and
+// returns it as a bool value if it's found along with the ok return value set
+// to true; otherwise the ok return value is false.
+func ContextDisableReplicationStatusEndpointsValue(ctx context.Context) (value, ok bool) {
+	value, ok = ctx.Value(ctxKeyDisableReplicationStatusEndpoints{}).(bool)
+
+	return
+}
+
+// CreateContextDisableReplicationStatusEndpoints creates a new context.Context
+// based on the provided parent that also includes the provided value for the
+// ctxKeyDisableReplicationStatusEndpoints key.
+func CreateContextDisableReplicationStatusEndpoints(parent context.Context, value bool) context.Context {
+	return context.WithValue(parent, ctxKeyDisableReplicationStatusEndpoints{}, value)
+}
+
+// CtxKeyOriginalRequestPath is a custom type used as a key in context.Context
+// to store the original request path.
+type ctxKeyOriginalRequestPath struct{}
+
+// String returns a string representation of the receiver type.
+func (c ctxKeyOriginalRequestPath) String() string {
+	return "original_request_path"
+}
+
+// ContextOriginalRequestPathValue examines the provided context.Context for the
+// original request path value and returns it as a string value if it's found
+// along with the ok value set to true; otherwise the ok return value is false.
+func ContextOriginalRequestPathValue(ctx context.Context) (value string, ok bool) {
+	value, ok = ctx.Value(ctxKeyOriginalRequestPath{}).(string)
+
+	return
+}
+
+// CreateContextOriginalRequestPath creates a new context.Context based on the
+// provided parent that also includes the provided original request path value
+// for the ctxKeyOriginalRequestPath key.
+func CreateContextOriginalRequestPath(parent context.Context, value string) context.Context {
+	return context.WithValue(parent, ctxKeyOriginalRequestPath{}, value)
+}
+
+type ctxKeyOriginalBody struct{}
+
+func ContextOriginalBodyValue(ctx context.Context) (io.ReadCloser, bool) {
+	value, ok := ctx.Value(ctxKeyOriginalBody{}).(io.ReadCloser)
+	return value, ok
+}
+
+func CreateContextOriginalBody(parent context.Context, body io.ReadCloser) context.Context {
+	return context.WithValue(parent, ctxKeyOriginalBody{}, body)
+}
diff --git a/ui/lib/kv/addon/components/kv-data-fields.js b/ui/lib/kv/addon/components/kv-data-fields.js
index bb1f759810d1..8b82b767d02d 100644
--- a/ui/lib/kv/addon/components/kv-data-fields.js
+++ b/ui/lib/kv/addon/components/kv-data-fields.js
@@ -1,45 +1,219 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: MPL-2.0
- */
-
-import Component from '@glimmer/component';
-import { action } from '@ember/object';
-import { tracked } from '@glimmer/tracking';
-import KVObject from 'vault/lib/kv-object';
-
-/**
- * @module KvDataFields is used for rendering the fields associated with kv secret data, it hides/shows a json editor and renders validation errors for the json editor
- *
- * <KvDataFields
- *  @showJson={{true}}
- *  @secret={{@secret}}
- *  @isEdit={{true}}
- *  @modelValidations={{this.modelValidations}}
- *  @pathValidations={{this.pathValidations}}
- * />
- *
- * @param {model} secret - Ember data model: 'kv/data', the new record saved by the form
- * @param {boolean} showJson - boolean passed from parent to hide/show json editor
- * @param {object} [modelValidations] - object of errors.  If attr.name is in object and has error message display in AlertInline.
- * @param {callback} [pathValidations] - callback function fired for the path input on key up
- * @param {boolean} [isEdit=false] - if true, this is a new secret version rather than a new secret. Used to change text for some form labels
- */
-
-export default class KvDataFields extends Component {
-  @tracked lintingErrors;
-
-  get emptyJson() {
-    // if secretData is null, this specially formats a blank object and renders a nice initial state for the json editor
-    return KVObject.create({ content: [{ name: '', value: '' }] }).toJSONString(true);
-  }
-
-  @action
-  handleJson(value, codemirror) {
-    codemirror.performLint();
-    this.lintingErrors = codemirror.state.lint.marked.length > 0;
-    if (!this.lintingErrors) {
-      this.args.secret.secretData = JSON.parse(value);
-    }
-  }
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package vault
+
+import (
+	"context"
+	"net/http"
+	"os"
+	"runtime/debug"
+	"sync/atomic"
+	"time"
+
+	"github.com/armon/go-metrics"
+	"github.com/hashicorp/vault/helper/forwarding"
+	"github.com/hashicorp/vault/physical/raft"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/vault/replication"
+	"google.golang.org/protobuf/types/known/durationpb"
+	"google.golang.org/protobuf/types/known/timestamppb"
+)
+
+type forwardedRequestRPCServer struct {
+	UnimplementedRequestForwardingServer
+
+	core                  *Core
+	handler               http.Handler
+	perfStandbySlots      chan struct{}
+	perfStandbyRepCluster *replication.Cluster
+	raftFollowerStates    *raft.FollowerStates
+}
+
+func (s *forwardedRequestRPCServer) ForwardRequest(ctx context.Context, freq *forwarding.Request) (*forwarding.Response, error) {
+	// Parse an http.Request out of it
+	req, err := forwarding.ParseForwardedRequest(freq)
+	if err != nil {
+		return nil, err
+	}
+
+	// A very dummy response writer that doesn't follow normal semantics, just
+	// lets you write a status code (last written wins) and a body. But it
+	// meets the interface requirements.
+	w := forwarding.NewRPCResponseWriter()
+
+	resp := &forwarding.Response{}
+
+	runRequest := func() {
+		defer func() {
+			if err := recover(); err != nil {
+				s.core.logger.Error("panic serving forwarded request", "path", req.URL.Path, "error", err, "stacktrace", string(debug.Stack()))
+			}
+		}()
+		s.handler.ServeHTTP(w, req)
+	}
+	runRequest()
+	resp.StatusCode = uint32(w.StatusCode())
+	resp.Body = w.Body().Bytes()
+
+	header := w.Header()
+	if header != nil {
+		resp.HeaderEntries = make(map[string]*forwarding.HeaderEntry, len(header))
+		for k, v := range header {
+			resp.HeaderEntries[k] = &forwarding.HeaderEntry{
+				Values: v,
+			}
+		}
+	}
+
+	// Performance standby nodes will use this value to do wait for WALs to ship
+	// in order to do a best-effort read after write guarantee
+	resp.LastRemoteWal = s.core.EntLastWAL()
+
+	return resp, nil
+}
+
+type nodeHAConnectionInfo struct {
+	nodeInfo        *NodeInformation
+	lastHeartbeat   time.Time
+	version         string
+	upgradeVersion  string
+	redundancyZone  string
+	localTime       time.Time
+	echoDuration    time.Duration
+	clockSkewMillis int64
+}
+
+func (s *forwardedRequestRPCServer) Echo(ctx context.Context, in *EchoRequest) (*EchoReply, error) {
+	incomingNodeConnectionInfo := nodeHAConnectionInfo{
+		nodeInfo:        in.NodeInfo,
+		lastHeartbeat:   time.Now(),
+		version:         in.SdkVersion,
+		upgradeVersion:  in.RaftUpgradeVersion,
+		redundancyZone:  in.RaftRedundancyZone,
+		localTime:       in.Now.AsTime(),
+		echoDuration:    in.LastRoundtripTime.AsDuration(),
+		clockSkewMillis: in.ClockSkewMillis,
+	}
+	if in.ClusterAddr != "" {
+		s.core.clusterPeerClusterAddrsCache.Set(in.ClusterAddr, incomingNodeConnectionInfo, 0)
+	}
+
+	if in.RaftAppliedIndex > 0 && len(in.RaftNodeID) > 0 && s.raftFollowerStates != nil {
+		s.raftFollowerStates.Update(&raft.EchoRequestUpdate{
+			NodeID:          in.RaftNodeID,
+			AppliedIndex:    in.RaftAppliedIndex,
+			Term:            in.RaftTerm,
+			DesiredSuffrage: in.RaftDesiredSuffrage,
+			SDKVersion:      in.SdkVersion,
+			UpgradeVersion:  in.RaftUpgradeVersion,
+			RedundancyZone:  in.RaftRedundancyZone,
+		})
+	}
+
+	reply := &EchoReply{
+		Message:          "pong",
+		ReplicationState: uint32(s.core.ReplicationState()),
+		Now:              timestamppb.Now(),
+	}
+
+	if raftBackend := s.core.getRaftBackend(); raftBackend != nil {
+		reply.RaftAppliedIndex = raftBackend.AppliedIndex()
+		reply.RaftNodeID = raftBackend.NodeID()
+	}
+
+	return reply, nil
+}
+
+type forwardingClient struct {
+	RequestForwardingClient
+	core        *Core
+	echoTicker  *time.Ticker
+	echoContext context.Context
+}
+
+// NOTE: we also take advantage of gRPC's keepalive bits, but as we send data
+// with these requests it's useful to keep this as well
+func (c *forwardingClient) startHeartbeat() {
+	go func() {
+		clusterAddr := c.core.ClusterAddr()
+		hostname, _ := os.Hostname()
+		ni := NodeInformation{
+			ApiAddr:  c.core.redirectAddr,
+			Hostname: hostname,
+			Mode:     "standby",
+		}
+		var echoDuration time.Duration
+		var serverTimeDelta int64
+		tick := func() {
+			labels := make([]metrics.Label, 0, 1)
+			defer metrics.MeasureSinceWithLabels([]string{"ha", "rpc", "client", "echo"}, time.Now(), labels)
+
+			req := &EchoRequest{
+				Message:           "ping",
+				ClusterAddr:       clusterAddr,
+				NodeInfo:          &ni,
+				SdkVersion:        c.core.effectiveSDKVersion,
+				LastRoundtripTime: durationpb.New(echoDuration),
+				ClockSkewMillis:   serverTimeDelta,
+			}
+
+			if raftBackend := c.core.getRaftBackend(); raftBackend != nil {
+				req.RaftAppliedIndex = raftBackend.AppliedIndex()
+				req.RaftNodeID = raftBackend.NodeID()
+				req.RaftTerm = raftBackend.Term()
+				req.RaftDesiredSuffrage = raftBackend.DesiredSuffrage()
+				req.RaftRedundancyZone = raftBackend.RedundancyZone()
+				req.RaftUpgradeVersion = raftBackend.EffectiveVersion()
+				labels = append(labels, metrics.Label{Name: "peer_id", Value: raftBackend.NodeID()})
+			}
+
+			start := time.Now()
+			req.Now = timestamppb.New(start)
+			ctx, cancel := context.WithTimeout(c.echoContext, 2*time.Second)
+			resp, err := c.RequestForwardingClient.Echo(ctx, req)
+			cancel()
+
+			now := time.Now()
+			if err == nil {
+				serverTimeDelta = resp.Now.AsTime().UnixMilli() - now.UnixMilli()
+			} else {
+				serverTimeDelta = 0
+			}
+			echoDuration = now.Sub(start)
+			c.core.echoDuration.Store(echoDuration)
+			c.core.activeNodeClockSkewMillis.Store(serverTimeDelta)
+
+			if err != nil {
+				metrics.IncrCounter([]string{"ha", "rpc", "client", "echo", "errors"}, 1)
+				c.core.logger.Debug("forwarding: error sending echo request to active node", "error", err)
+				return
+			}
+			if resp == nil {
+				c.core.logger.Debug("forwarding: empty echo response from active node")
+				return
+			}
+			if resp.Message != "pong" {
+				c.core.logger.Debug("forwarding: unexpected echo response from active node", "message", resp.Message)
+				return
+			}
+			// Store the active node's replication state to display in
+			// sys/health calls
+			atomic.StoreUint32(c.core.activeNodeReplicationState, resp.ReplicationState)
+		}
+
+		tick()
+
+		for {
+			select {
+			case <-c.echoContext.Done():
+				c.echoTicker.Stop()
+				c.core.logger.Debug("forwarding: stopping heartbeating")
+				atomic.StoreUint32(c.core.activeNodeReplicationState, uint32(consts.ReplicationUnknown))
+				return
+			case <-c.echoTicker.C:
+				tick()
+			}
+		}
+	}()
 }
diff --git a/ui/lib/kv/addon/components/kv-version-dropdown.hbs b/ui/lib/kv/addon/components/kv-version-dropdown.hbs
index f8170a1eb4b1..2f0d206bf786 100644
--- a/ui/lib/kv/addon/components/kv-version-dropdown.hbs
+++ b/ui/lib/kv/addon/components/kv-version-dropdown.hbs
@@ -1,53 +1,831 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<BasicDropdown @class="popup-menu" @horizontalPosition="auto-right" @verticalPosition="below" as |D|>
-  <D.Trigger data-test-version-dropdown class="toolbar-link {{if D.isOpen ' is-active'}}">
-    Version
-    {{or @displayVersion "current"}}
-    <Chevron @direction="down" @isButton={{true}} />
-  </D.Trigger>
-  <D.Content @defaultClass="popup-menu-content">
-    <nav class="box menu">
-      <ul class="menu-list">
-        {{#each @metadata.sortedVersions as |versionData|}}
-          <li data-test-version={{versionData.version}} class="action">
-            {{#if @onSelect}}
-              {{! TODO Hds::Button manual update }}
-              <button
-                disabled={{or versionData.destroyed versionData.isSecretDeleted}}
-                {{on "click" (fn @onSelect versionData.version D.actions)}}
-                type="button"
-                class="link {{if (loose-equal versionData.version @displayVersion) 'is-active'}}"
-              >
-                Version
-                {{versionData.version}}
-                {{#if versionData.destroyed}}
-                  <Icon @name="x-square-fill" class="has-text-danger is-pulled-right" />
-                {{else if versionData.isSecretDeleted}}
-                  <Icon @name="x-square-fill" class="has-text-grey is-pulled-right" />
-                {{else if (loose-equal versionData.version @metadata.currentVersion)}}
-                  <Icon @name="check-circle" class="has-text-success is-pulled-right" />
-                {{/if}}
-              </button>
-            {{else}}
-              <LinkTo @query={{hash version=versionData.version}} {{on "click" (fn @onClose D)}}>
-                Version
-                {{versionData.version}}
-                {{#if versionData.destroyed}}
-                  <Icon @name="x-square-fill" class="has-text-danger is-pulled-right" />
-                {{else if versionData.isSecretDeleted}}
-                  <Icon @name="x-square-fill" class="has-text-grey is-pulled-right" />
-                {{else if (loose-equal versionData.version @metadata.currentVersion)}}
-                  <Icon @name="check-circle" class="has-text-success is-pulled-right" />
-                {{/if}}
-              </LinkTo>
-            {{/if}}
-          </li>
-        {{/each}}
-      </ul>
-    </nav>
-  </D.Content>
-</BasicDropdown>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.31.0
+// 	protoc        (unknown)
+// source: vault/request_forwarding_service.proto
+
+package vault
+
+import (
+	forwarding "github.com/hashicorp/vault/helper/forwarding"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	durationpb "google.golang.org/protobuf/types/known/durationpb"
+	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type EchoRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Message string `protobuf:"bytes,1,opt,name=message,proto3" json:"message,omitempty"`
+	// ClusterAddr is used to send up a standby node's address to the active
+	// node upon heartbeat
+	ClusterAddr string `protobuf:"bytes,2,opt,name=cluster_addr,json=clusterAddr,proto3" json:"cluster_addr,omitempty"`
+	// ClusterAddrs is used to send up a list of cluster addresses to a dr
+	// primary from a dr secondary
+	ClusterAddrs        []string               `protobuf:"bytes,3,rep,name=cluster_addrs,json=clusterAddrs,proto3" json:"cluster_addrs,omitempty"`
+	RaftAppliedIndex    uint64                 `protobuf:"varint,4,opt,name=raft_applied_index,json=raftAppliedIndex,proto3" json:"raft_applied_index,omitempty"`
+	RaftNodeID          string                 `protobuf:"bytes,5,opt,name=raft_node_id,json=raftNodeId,proto3" json:"raft_node_id,omitempty"`
+	NodeInfo            *NodeInformation       `protobuf:"bytes,6,opt,name=node_info,json=nodeInfo,proto3" json:"node_info,omitempty"`
+	RaftTerm            uint64                 `protobuf:"varint,7,opt,name=raft_term,json=raftTerm,proto3" json:"raft_term,omitempty"`
+	RaftDesiredSuffrage string                 `protobuf:"bytes,8,opt,name=raft_desired_suffrage,json=raftDesiredSuffrage,proto3" json:"raft_desired_suffrage,omitempty"`
+	RaftUpgradeVersion  string                 `protobuf:"bytes,9,opt,name=raft_upgrade_version,json=raftUpgradeVersion,proto3" json:"raft_upgrade_version,omitempty"`
+	RaftRedundancyZone  string                 `protobuf:"bytes,10,opt,name=raft_redundancy_zone,json=raftRedundancyZone,proto3" json:"raft_redundancy_zone,omitempty"`
+	SdkVersion          string                 `protobuf:"bytes,11,opt,name=sdk_version,json=sdkVersion,proto3" json:"sdk_version,omitempty"`
+	Now                 *timestamppb.Timestamp `protobuf:"bytes,12,opt,name=now,proto3" json:"now,omitempty"`
+	// last_roundtrip_time is the time taken for the last echo request
+	LastRoundtripTime *durationpb.Duration `protobuf:"bytes,13,opt,name=last_roundtrip_time,json=lastRoundtripTime,proto3" json:"last_roundtrip_time,omitempty"`
+	// clock_skew_millis is the server time minus the local time
+	ClockSkewMillis int64 `protobuf:"varint,14,opt,name=clock_skew_millis,json=clockSkewMillis,proto3" json:"clock_skew_millis,omitempty"`
+}
+
+func (x *EchoRequest) Reset() {
+	*x = EchoRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_vault_request_forwarding_service_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *EchoRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*EchoRequest) ProtoMessage() {}
+
+func (x *EchoRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_vault_request_forwarding_service_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use EchoRequest.ProtoReflect.Descriptor instead.
+func (*EchoRequest) Descriptor() ([]byte, []int) {
+	return file_vault_request_forwarding_service_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *EchoRequest) GetMessage() string {
+	if x != nil {
+		return x.Message
+	}
+	return ""
+}
+
+func (x *EchoRequest) GetClusterAddr() string {
+	if x != nil {
+		return x.ClusterAddr
+	}
+	return ""
+}
+
+func (x *EchoRequest) GetClusterAddrs() []string {
+	if x != nil {
+		return x.ClusterAddrs
+	}
+	return nil
+}
+
+func (x *EchoRequest) GetRaftAppliedIndex() uint64 {
+	if x != nil {
+		return x.RaftAppliedIndex
+	}
+	return 0
+}
+
+func (x *EchoRequest) GetRaftNodeID() string {
+	if x != nil {
+		return x.RaftNodeID
+	}
+	return ""
+}
+
+func (x *EchoRequest) GetNodeInfo() *NodeInformation {
+	if x != nil {
+		return x.NodeInfo
+	}
+	return nil
+}
+
+func (x *EchoRequest) GetRaftTerm() uint64 {
+	if x != nil {
+		return x.RaftTerm
+	}
+	return 0
+}
+
+func (x *EchoRequest) GetRaftDesiredSuffrage() string {
+	if x != nil {
+		return x.RaftDesiredSuffrage
+	}
+	return ""
+}
+
+func (x *EchoRequest) GetRaftUpgradeVersion() string {
+	if x != nil {
+		return x.RaftUpgradeVersion
+	}
+	return ""
+}
+
+func (x *EchoRequest) GetRaftRedundancyZone() string {
+	if x != nil {
+		return x.RaftRedundancyZone
+	}
+	return ""
+}
+
+func (x *EchoRequest) GetSdkVersion() string {
+	if x != nil {
+		return x.SdkVersion
+	}
+	return ""
+}
+
+func (x *EchoRequest) GetNow() *timestamppb.Timestamp {
+	if x != nil {
+		return x.Now
+	}
+	return nil
+}
+
+func (x *EchoRequest) GetLastRoundtripTime() *durationpb.Duration {
+	if x != nil {
+		return x.LastRoundtripTime
+	}
+	return nil
+}
+
+func (x *EchoRequest) GetClockSkewMillis() int64 {
+	if x != nil {
+		return x.ClockSkewMillis
+	}
+	return 0
+}
+
+type EchoReply struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Message          string           `protobuf:"bytes,1,opt,name=message,proto3" json:"message,omitempty"`
+	ClusterAddrs     []string         `protobuf:"bytes,2,rep,name=cluster_addrs,json=clusterAddrs,proto3" json:"cluster_addrs,omitempty"`
+	ReplicationState uint32           `protobuf:"varint,3,opt,name=replication_state,json=replicationState,proto3" json:"replication_state,omitempty"`
+	RaftAppliedIndex uint64           `protobuf:"varint,4,opt,name=raft_applied_index,json=raftAppliedIndex,proto3" json:"raft_applied_index,omitempty"`
+	RaftNodeID       string           `protobuf:"bytes,5,opt,name=raft_node_id,json=raftNodeId,proto3" json:"raft_node_id,omitempty"`
+	NodeInfo         *NodeInformation `protobuf:"bytes,6,opt,name=node_info,json=nodeInfo,proto3" json:"node_info,omitempty"`
+	// now is the time on the server
+	Now *timestamppb.Timestamp `protobuf:"bytes,7,opt,name=now,proto3" json:"now,omitempty"`
+}
+
+func (x *EchoReply) Reset() {
+	*x = EchoReply{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_vault_request_forwarding_service_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *EchoReply) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*EchoReply) ProtoMessage() {}
+
+func (x *EchoReply) ProtoReflect() protoreflect.Message {
+	mi := &file_vault_request_forwarding_service_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use EchoReply.ProtoReflect.Descriptor instead.
+func (*EchoReply) Descriptor() ([]byte, []int) {
+	return file_vault_request_forwarding_service_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *EchoReply) GetMessage() string {
+	if x != nil {
+		return x.Message
+	}
+	return ""
+}
+
+func (x *EchoReply) GetClusterAddrs() []string {
+	if x != nil {
+		return x.ClusterAddrs
+	}
+	return nil
+}
+
+func (x *EchoReply) GetReplicationState() uint32 {
+	if x != nil {
+		return x.ReplicationState
+	}
+	return 0
+}
+
+func (x *EchoReply) GetRaftAppliedIndex() uint64 {
+	if x != nil {
+		return x.RaftAppliedIndex
+	}
+	return 0
+}
+
+func (x *EchoReply) GetRaftNodeID() string {
+	if x != nil {
+		return x.RaftNodeID
+	}
+	return ""
+}
+
+func (x *EchoReply) GetNodeInfo() *NodeInformation {
+	if x != nil {
+		return x.NodeInfo
+	}
+	return nil
+}
+
+func (x *EchoReply) GetNow() *timestamppb.Timestamp {
+	if x != nil {
+		return x.Now
+	}
+	return nil
+}
+
+type NodeInformation struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	ClusterAddr      string `protobuf:"bytes,1,opt,name=cluster_addr,json=clusterAddr,proto3" json:"cluster_addr,omitempty"`
+	ApiAddr          string `protobuf:"bytes,2,opt,name=api_addr,json=apiAddr,proto3" json:"api_addr,omitempty"`
+	Mode             string `protobuf:"bytes,3,opt,name=mode,proto3" json:"mode,omitempty"`
+	NodeID           string `protobuf:"bytes,4,opt,name=node_id,json=nodeId,proto3" json:"node_id,omitempty"`
+	ReplicationState uint32 `protobuf:"varint,5,opt,name=replication_state,json=replicationState,proto3" json:"replication_state,omitempty"`
+	Hostname         string `protobuf:"bytes,6,opt,name=hostname,proto3" json:"hostname,omitempty"`
+}
+
+func (x *NodeInformation) Reset() {
+	*x = NodeInformation{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_vault_request_forwarding_service_proto_msgTypes[2]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *NodeInformation) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*NodeInformation) ProtoMessage() {}
+
+func (x *NodeInformation) ProtoReflect() protoreflect.Message {
+	mi := &file_vault_request_forwarding_service_proto_msgTypes[2]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use NodeInformation.ProtoReflect.Descriptor instead.
+func (*NodeInformation) Descriptor() ([]byte, []int) {
+	return file_vault_request_forwarding_service_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *NodeInformation) GetClusterAddr() string {
+	if x != nil {
+		return x.ClusterAddr
+	}
+	return ""
+}
+
+func (x *NodeInformation) GetApiAddr() string {
+	if x != nil {
+		return x.ApiAddr
+	}
+	return ""
+}
+
+func (x *NodeInformation) GetMode() string {
+	if x != nil {
+		return x.Mode
+	}
+	return ""
+}
+
+func (x *NodeInformation) GetNodeID() string {
+	if x != nil {
+		return x.NodeID
+	}
+	return ""
+}
+
+func (x *NodeInformation) GetReplicationState() uint32 {
+	if x != nil {
+		return x.ReplicationState
+	}
+	return 0
+}
+
+func (x *NodeInformation) GetHostname() string {
+	if x != nil {
+		return x.Hostname
+	}
+	return ""
+}
+
+type ClientKey struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Type string `protobuf:"bytes,1,opt,name=type,proto3" json:"type,omitempty"`
+	X    []byte `protobuf:"bytes,2,opt,name=x,proto3" json:"x,omitempty"`
+	Y    []byte `protobuf:"bytes,3,opt,name=y,proto3" json:"y,omitempty"`
+	D    []byte `protobuf:"bytes,4,opt,name=d,proto3" json:"d,omitempty"`
+}
+
+func (x *ClientKey) Reset() {
+	*x = ClientKey{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_vault_request_forwarding_service_proto_msgTypes[3]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *ClientKey) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ClientKey) ProtoMessage() {}
+
+func (x *ClientKey) ProtoReflect() protoreflect.Message {
+	mi := &file_vault_request_forwarding_service_proto_msgTypes[3]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ClientKey.ProtoReflect.Descriptor instead.
+func (*ClientKey) Descriptor() ([]byte, []int) {
+	return file_vault_request_forwarding_service_proto_rawDescGZIP(), []int{3}
+}
+
+func (x *ClientKey) GetType() string {
+	if x != nil {
+		return x.Type
+	}
+	return ""
+}
+
+func (x *ClientKey) GetX() []byte {
+	if x != nil {
+		return x.X
+	}
+	return nil
+}
+
+func (x *ClientKey) GetY() []byte {
+	if x != nil {
+		return x.Y
+	}
+	return nil
+}
+
+func (x *ClientKey) GetD() []byte {
+	if x != nil {
+		return x.D
+	}
+	return nil
+}
+
+type PerfStandbyElectionInput struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *PerfStandbyElectionInput) Reset() {
+	*x = PerfStandbyElectionInput{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_vault_request_forwarding_service_proto_msgTypes[4]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *PerfStandbyElectionInput) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*PerfStandbyElectionInput) ProtoMessage() {}
+
+func (x *PerfStandbyElectionInput) ProtoReflect() protoreflect.Message {
+	mi := &file_vault_request_forwarding_service_proto_msgTypes[4]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use PerfStandbyElectionInput.ProtoReflect.Descriptor instead.
+func (*PerfStandbyElectionInput) Descriptor() ([]byte, []int) {
+	return file_vault_request_forwarding_service_proto_rawDescGZIP(), []int{4}
+}
+
+type PerfStandbyElectionResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	ID                 string     `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
+	ClusterID          string     `protobuf:"bytes,2,opt,name=cluster_id,json=clusterId,proto3" json:"cluster_id,omitempty"`
+	PrimaryClusterAddr string     `protobuf:"bytes,3,opt,name=primary_cluster_addr,json=primaryClusterAddr,proto3" json:"primary_cluster_addr,omitempty"`
+	CaCert             []byte     `protobuf:"bytes,4,opt,name=ca_cert,json=caCert,proto3" json:"ca_cert,omitempty"`
+	ClientCert         []byte     `protobuf:"bytes,5,opt,name=client_cert,json=clientCert,proto3" json:"client_cert,omitempty"`
+	ClientKey          *ClientKey `protobuf:"bytes,6,opt,name=client_key,json=clientKey,proto3" json:"client_key,omitempty"`
+}
+
+func (x *PerfStandbyElectionResponse) Reset() {
+	*x = PerfStandbyElectionResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_vault_request_forwarding_service_proto_msgTypes[5]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *PerfStandbyElectionResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*PerfStandbyElectionResponse) ProtoMessage() {}
+
+func (x *PerfStandbyElectionResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_vault_request_forwarding_service_proto_msgTypes[5]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use PerfStandbyElectionResponse.ProtoReflect.Descriptor instead.
+func (*PerfStandbyElectionResponse) Descriptor() ([]byte, []int) {
+	return file_vault_request_forwarding_service_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *PerfStandbyElectionResponse) GetID() string {
+	if x != nil {
+		return x.ID
+	}
+	return ""
+}
+
+func (x *PerfStandbyElectionResponse) GetClusterID() string {
+	if x != nil {
+		return x.ClusterID
+	}
+	return ""
+}
+
+func (x *PerfStandbyElectionResponse) GetPrimaryClusterAddr() string {
+	if x != nil {
+		return x.PrimaryClusterAddr
+	}
+	return ""
+}
+
+func (x *PerfStandbyElectionResponse) GetCaCert() []byte {
+	if x != nil {
+		return x.CaCert
+	}
+	return nil
+}
+
+func (x *PerfStandbyElectionResponse) GetClientCert() []byte {
+	if x != nil {
+		return x.ClientCert
+	}
+	return nil
+}
+
+func (x *PerfStandbyElectionResponse) GetClientKey() *ClientKey {
+	if x != nil {
+		return x.ClientKey
+	}
+	return nil
+}
+
+var File_vault_request_forwarding_service_proto protoreflect.FileDescriptor
+
+var file_vault_request_forwarding_service_proto_rawDesc = []byte{
+	0x0a, 0x26, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f,
+	0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69,
+	0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x05, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x1a,
+	0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
+	0x2f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a,
+	0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
+	0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x1a, 0x1d, 0x68, 0x65, 0x6c, 0x70, 0x65, 0x72, 0x2f, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64,
+	0x69, 0x6e, 0x67, 0x2f, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22,
+	0xef, 0x04, 0x0a, 0x0b, 0x45, 0x63, 0x68, 0x6f, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12,
+	0x18, 0x0a, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x6c, 0x75,
+	0x73, 0x74, 0x65, 0x72, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x0b, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x41, 0x64, 0x64, 0x72, 0x12, 0x23, 0x0a, 0x0d,
+	0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x73, 0x18, 0x03, 0x20,
+	0x03, 0x28, 0x09, 0x52, 0x0c, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x41, 0x64, 0x64, 0x72,
+	0x73, 0x12, 0x2c, 0x0a, 0x12, 0x72, 0x61, 0x66, 0x74, 0x5f, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x65,
+	0x64, 0x5f, 0x69, 0x6e, 0x64, 0x65, 0x78, 0x18, 0x04, 0x20, 0x01, 0x28, 0x04, 0x52, 0x10, 0x72,
+	0x61, 0x66, 0x74, 0x41, 0x70, 0x70, 0x6c, 0x69, 0x65, 0x64, 0x49, 0x6e, 0x64, 0x65, 0x78, 0x12,
+	0x20, 0x0a, 0x0c, 0x72, 0x61, 0x66, 0x74, 0x5f, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x69, 0x64, 0x18,
+	0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x72, 0x61, 0x66, 0x74, 0x4e, 0x6f, 0x64, 0x65, 0x49,
+	0x64, 0x12, 0x33, 0x0a, 0x09, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x18, 0x06,
+	0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2e, 0x4e, 0x6f, 0x64,
+	0x65, 0x49, 0x6e, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x08, 0x6e, 0x6f,
+	0x64, 0x65, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x1b, 0x0a, 0x09, 0x72, 0x61, 0x66, 0x74, 0x5f, 0x74,
+	0x65, 0x72, 0x6d, 0x18, 0x07, 0x20, 0x01, 0x28, 0x04, 0x52, 0x08, 0x72, 0x61, 0x66, 0x74, 0x54,
+	0x65, 0x72, 0x6d, 0x12, 0x32, 0x0a, 0x15, 0x72, 0x61, 0x66, 0x74, 0x5f, 0x64, 0x65, 0x73, 0x69,
+	0x72, 0x65, 0x64, 0x5f, 0x73, 0x75, 0x66, 0x66, 0x72, 0x61, 0x67, 0x65, 0x18, 0x08, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x13, 0x72, 0x61, 0x66, 0x74, 0x44, 0x65, 0x73, 0x69, 0x72, 0x65, 0x64, 0x53,
+	0x75, 0x66, 0x66, 0x72, 0x61, 0x67, 0x65, 0x12, 0x30, 0x0a, 0x14, 0x72, 0x61, 0x66, 0x74, 0x5f,
+	0x75, 0x70, 0x67, 0x72, 0x61, 0x64, 0x65, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18,
+	0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x72, 0x61, 0x66, 0x74, 0x55, 0x70, 0x67, 0x72, 0x61,
+	0x64, 0x65, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x30, 0x0a, 0x14, 0x72, 0x61, 0x66,
+	0x74, 0x5f, 0x72, 0x65, 0x64, 0x75, 0x6e, 0x64, 0x61, 0x6e, 0x63, 0x79, 0x5f, 0x7a, 0x6f, 0x6e,
+	0x65, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x72, 0x61, 0x66, 0x74, 0x52, 0x65, 0x64,
+	0x75, 0x6e, 0x64, 0x61, 0x6e, 0x63, 0x79, 0x5a, 0x6f, 0x6e, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x73,
+	0x64, 0x6b, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x0a, 0x73, 0x64, 0x6b, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x2c, 0x0a, 0x03,
+	0x6e, 0x6f, 0x77, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67,
+	0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65,
+	0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x03, 0x6e, 0x6f, 0x77, 0x12, 0x49, 0x0a, 0x13, 0x6c, 0x61,
+	0x73, 0x74, 0x5f, 0x72, 0x6f, 0x75, 0x6e, 0x64, 0x74, 0x72, 0x69, 0x70, 0x5f, 0x74, 0x69, 0x6d,
+	0x65, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
+	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69,
+	0x6f, 0x6e, 0x52, 0x11, 0x6c, 0x61, 0x73, 0x74, 0x52, 0x6f, 0x75, 0x6e, 0x64, 0x74, 0x72, 0x69,
+	0x70, 0x54, 0x69, 0x6d, 0x65, 0x12, 0x2a, 0x0a, 0x11, 0x63, 0x6c, 0x6f, 0x63, 0x6b, 0x5f, 0x73,
+	0x6b, 0x65, 0x77, 0x5f, 0x6d, 0x69, 0x6c, 0x6c, 0x69, 0x73, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x03,
+	0x52, 0x0f, 0x63, 0x6c, 0x6f, 0x63, 0x6b, 0x53, 0x6b, 0x65, 0x77, 0x4d, 0x69, 0x6c, 0x6c, 0x69,
+	0x73, 0x22, 0xaa, 0x02, 0x0a, 0x09, 0x45, 0x63, 0x68, 0x6f, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12,
+	0x18, 0x0a, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x23, 0x0a, 0x0d, 0x63, 0x6c, 0x75,
+	0x73, 0x74, 0x65, 0x72, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09,
+	0x52, 0x0c, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x41, 0x64, 0x64, 0x72, 0x73, 0x12, 0x2b,
+	0x0a, 0x11, 0x72, 0x65, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x74,
+	0x61, 0x74, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x10, 0x72, 0x65, 0x70, 0x6c, 0x69,
+	0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x2c, 0x0a, 0x12, 0x72,
+	0x61, 0x66, 0x74, 0x5f, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x65, 0x64, 0x5f, 0x69, 0x6e, 0x64, 0x65,
+	0x78, 0x18, 0x04, 0x20, 0x01, 0x28, 0x04, 0x52, 0x10, 0x72, 0x61, 0x66, 0x74, 0x41, 0x70, 0x70,
+	0x6c, 0x69, 0x65, 0x64, 0x49, 0x6e, 0x64, 0x65, 0x78, 0x12, 0x20, 0x0a, 0x0c, 0x72, 0x61, 0x66,
+	0x74, 0x5f, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x0a, 0x72, 0x61, 0x66, 0x74, 0x4e, 0x6f, 0x64, 0x65, 0x49, 0x64, 0x12, 0x33, 0x0a, 0x09, 0x6e,
+	0x6f, 0x64, 0x65, 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16,
+	0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2e, 0x4e, 0x6f, 0x64, 0x65, 0x49, 0x6e, 0x66, 0x6f, 0x72,
+	0x6d, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x08, 0x6e, 0x6f, 0x64, 0x65, 0x49, 0x6e, 0x66, 0x6f,
+	0x12, 0x2c, 0x0a, 0x03, 0x6e, 0x6f, 0x77, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e,
+	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
+	0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x03, 0x6e, 0x6f, 0x77, 0x22, 0xc5,
+	0x01, 0x0a, 0x0f, 0x4e, 0x6f, 0x64, 0x65, 0x49, 0x6e, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x69,
+	0x6f, 0x6e, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x61, 0x64,
+	0x64, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65,
+	0x72, 0x41, 0x64, 0x64, 0x72, 0x12, 0x19, 0x0a, 0x08, 0x61, 0x70, 0x69, 0x5f, 0x61, 0x64, 0x64,
+	0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x61, 0x70, 0x69, 0x41, 0x64, 0x64, 0x72,
+	0x12, 0x12, 0x0a, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
+	0x6d, 0x6f, 0x64, 0x65, 0x12, 0x17, 0x0a, 0x07, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x69, 0x64, 0x18,
+	0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6e, 0x6f, 0x64, 0x65, 0x49, 0x64, 0x12, 0x2b, 0x0a,
+	0x11, 0x72, 0x65, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x74, 0x61,
+	0x74, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x10, 0x72, 0x65, 0x70, 0x6c, 0x69, 0x63,
+	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x68, 0x6f,
+	0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x68, 0x6f,
+	0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x22, 0x49, 0x0a, 0x09, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74,
+	0x4b, 0x65, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x0c, 0x0a, 0x01, 0x78, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x0c, 0x52, 0x01, 0x78, 0x12, 0x0c, 0x0a, 0x01, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c,
+	0x52, 0x01, 0x79, 0x12, 0x0c, 0x0a, 0x01, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x01,
+	0x64, 0x22, 0x1a, 0x0a, 0x18, 0x50, 0x65, 0x72, 0x66, 0x53, 0x74, 0x61, 0x6e, 0x64, 0x62, 0x79,
+	0x45, 0x6c, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x70, 0x75, 0x74, 0x22, 0xe9, 0x01,
+	0x0a, 0x1b, 0x50, 0x65, 0x72, 0x66, 0x53, 0x74, 0x61, 0x6e, 0x64, 0x62, 0x79, 0x45, 0x6c, 0x65,
+	0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x0e, 0x0a,
+	0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x1d, 0x0a,
+	0x0a, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x09, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x49, 0x64, 0x12, 0x30, 0x0a, 0x14,
+	0x70, 0x72, 0x69, 0x6d, 0x61, 0x72, 0x79, 0x5f, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f,
+	0x61, 0x64, 0x64, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x70, 0x72, 0x69, 0x6d,
+	0x61, 0x72, 0x79, 0x43, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x41, 0x64, 0x64, 0x72, 0x12, 0x17,
+	0x0a, 0x07, 0x63, 0x61, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x52,
+	0x06, 0x63, 0x61, 0x43, 0x65, 0x72, 0x74, 0x12, 0x1f, 0x0a, 0x0b, 0x63, 0x6c, 0x69, 0x65, 0x6e,
+	0x74, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x63, 0x6c,
+	0x69, 0x65, 0x6e, 0x74, 0x43, 0x65, 0x72, 0x74, 0x12, 0x2f, 0x0a, 0x0a, 0x63, 0x6c, 0x69, 0x65,
+	0x6e, 0x74, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x76,
+	0x61, 0x75, 0x6c, 0x74, 0x2e, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x4b, 0x65, 0x79, 0x52, 0x09,
+	0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x4b, 0x65, 0x79, 0x32, 0xf0, 0x01, 0x0a, 0x11, 0x52, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x12,
+	0x3d, 0x0a, 0x0e, 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x12, 0x13, 0x2e, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x2e, 0x52,
+	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x14, 0x2e, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64,
+	0x69, 0x6e, 0x67, 0x2e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x2e,
+	0x0a, 0x04, 0x45, 0x63, 0x68, 0x6f, 0x12, 0x12, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2e, 0x45,
+	0x63, 0x68, 0x6f, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x10, 0x2e, 0x76, 0x61, 0x75,
+	0x6c, 0x74, 0x2e, 0x45, 0x63, 0x68, 0x6f, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x22, 0x00, 0x12, 0x6c,
+	0x0a, 0x21, 0x50, 0x65, 0x72, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x6e, 0x63, 0x65, 0x53, 0x74, 0x61,
+	0x6e, 0x64, 0x62, 0x79, 0x45, 0x6c, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75,
+	0x65, 0x73, 0x74, 0x12, 0x1f, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2e, 0x50, 0x65, 0x72, 0x66,
+	0x53, 0x74, 0x61, 0x6e, 0x64, 0x62, 0x79, 0x45, 0x6c, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x49,
+	0x6e, 0x70, 0x75, 0x74, 0x1a, 0x22, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2e, 0x50, 0x65, 0x72,
+	0x66, 0x53, 0x74, 0x61, 0x6e, 0x64, 0x62, 0x79, 0x45, 0x6c, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e,
+	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x30, 0x01, 0x42, 0x22, 0x5a, 0x20,
+	0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69,
+	0x63, 0x6f, 0x72, 0x70, 0x2f, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2f, 0x76, 0x61, 0x75, 0x6c, 0x74,
+	0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_vault_request_forwarding_service_proto_rawDescOnce sync.Once
+	file_vault_request_forwarding_service_proto_rawDescData = file_vault_request_forwarding_service_proto_rawDesc
+)
+
+func file_vault_request_forwarding_service_proto_rawDescGZIP() []byte {
+	file_vault_request_forwarding_service_proto_rawDescOnce.Do(func() {
+		file_vault_request_forwarding_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_vault_request_forwarding_service_proto_rawDescData)
+	})
+	return file_vault_request_forwarding_service_proto_rawDescData
+}
+
+var file_vault_request_forwarding_service_proto_msgTypes = make([]protoimpl.MessageInfo, 6)
+var file_vault_request_forwarding_service_proto_goTypes = []interface{}{
+	(*EchoRequest)(nil),                 // 0: vault.EchoRequest
+	(*EchoReply)(nil),                   // 1: vault.EchoReply
+	(*NodeInformation)(nil),             // 2: vault.NodeInformation
+	(*ClientKey)(nil),                   // 3: vault.ClientKey
+	(*PerfStandbyElectionInput)(nil),    // 4: vault.PerfStandbyElectionInput
+	(*PerfStandbyElectionResponse)(nil), // 5: vault.PerfStandbyElectionResponse
+	(*timestamppb.Timestamp)(nil),       // 6: google.protobuf.Timestamp
+	(*durationpb.Duration)(nil),         // 7: google.protobuf.Duration
+	(*forwarding.Request)(nil),          // 8: forwarding.Request
+	(*forwarding.Response)(nil),         // 9: forwarding.Response
+}
+var file_vault_request_forwarding_service_proto_depIDxs = []int32{
+	2, // 0: vault.EchoRequest.node_info:type_name -> vault.NodeInformation
+	6, // 1: vault.EchoRequest.now:type_name -> google.protobuf.Timestamp
+	7, // 2: vault.EchoRequest.last_roundtrip_time:type_name -> google.protobuf.Duration
+	2, // 3: vault.EchoReply.node_info:type_name -> vault.NodeInformation
+	6, // 4: vault.EchoReply.now:type_name -> google.protobuf.Timestamp
+	3, // 5: vault.PerfStandbyElectionResponse.client_key:type_name -> vault.ClientKey
+	8, // 6: vault.RequestForwarding.ForwardRequest:input_type -> forwarding.Request
+	0, // 7: vault.RequestForwarding.Echo:input_type -> vault.EchoRequest
+	4, // 8: vault.RequestForwarding.PerformanceStandbyElectionRequest:input_type -> vault.PerfStandbyElectionInput
+	9, // 9: vault.RequestForwarding.ForwardRequest:output_type -> forwarding.Response
+	1, // 10: vault.RequestForwarding.Echo:output_type -> vault.EchoReply
+	5, // 11: vault.RequestForwarding.PerformanceStandbyElectionRequest:output_type -> vault.PerfStandbyElectionResponse
+	9, // [9:12] is the sub-list for method output_type
+	6, // [6:9] is the sub-list for method input_type
+	6, // [6:6] is the sub-list for extension type_name
+	6, // [6:6] is the sub-list for extension extendee
+	0, // [0:6] is the sub-list for field type_name
+}
+
+func init() { file_vault_request_forwarding_service_proto_init() }
+func file_vault_request_forwarding_service_proto_init() {
+	if File_vault_request_forwarding_service_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_vault_request_forwarding_service_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*EchoRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_vault_request_forwarding_service_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*EchoReply); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_vault_request_forwarding_service_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*NodeInformation); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_vault_request_forwarding_service_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*ClientKey); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_vault_request_forwarding_service_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*PerfStandbyElectionInput); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_vault_request_forwarding_service_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*PerfStandbyElectionResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_vault_request_forwarding_service_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   6,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_vault_request_forwarding_service_proto_goTypes,
+		DependencyIndexes: file_vault_request_forwarding_service_proto_depIDxs,
+		MessageInfos:      file_vault_request_forwarding_service_proto_msgTypes,
+	}.Build()
+	File_vault_request_forwarding_service_proto = out.File
+	file_vault_request_forwarding_service_proto_rawDesc = nil
+	file_vault_request_forwarding_service_proto_goTypes = nil
+	file_vault_request_forwarding_service_proto_depIDxs = nil
+}
diff --git a/ui/lib/kv/addon/components/page/list.hbs b/ui/lib/kv/addon/components/page/list.hbs
index b0ce8be7dbe9..f564e807dcde 100644
--- a/ui/lib/kv/addon/components/page/list.hbs
+++ b/ui/lib/kv/addon/components/page/list.hbs
@@ -1,145 +1,79 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
 
-<KvPageHeader @breadcrumbs={{@breadcrumbs}} @mountName={{@backend}}>
-  <:tabLinks>
-    <LinkTo @route={{this.router.currentRoute.localName}} data-test-secrets-tab="Secrets">Secrets</LinkTo>
-    <LinkTo @route="configuration" data-test-secrets-tab="Configuration">Configuration</LinkTo>
-  </:tabLinks>
+syntax = "proto3";
 
-  <:toolbarFilters>
+package vault;
 
-    {{#if (and (not-eq @secrets 403) (or @secrets @filterValue))}}
-      <KvListFilter @secrets={{@secrets}} @mountPoint={{this.mountPoint}} @filterValue={{@filterValue}} />
-    {{/if}}
-  </:toolbarFilters>
+import "google/protobuf/duration.proto";
+import "google/protobuf/timestamp.proto";
+import "helper/forwarding/types.proto";
 
-  <:toolbarActions>
-    <ToolbarLink data-test-toolbar-create-secret @route="create" @query={{hash initialKey=@filterValue}} @type="add">
-      Create secret
-    </ToolbarLink>
-  </:toolbarActions>
-</KvPageHeader>
-{{#if (eq @secrets 403)}}
-  <div class="box is-fullwidth is-shadowless has-tall-padding">
-    <div class="selectable-card-container one-card">
-      <OverviewCard
-        @cardTitle="View secret"
-        @subText="Type the path of the secret you want to view. Include a trailing slash to navigate to the list view."
-      >
-        <form {{on "submit" this.transitionToSecretDetail}} class="has-top-margin-m is-flex">
-          <InputSearch
-            @id="search-input-kv-secret"
-            @initialValue={{@pathToSecret}}
-            @onChange={{this.handleSecretPathInput}}
-            @placeholder="secret/"
-            data-test-view-secret
-          />
-          <Hds::Button
-            @text={{this.buttonText}}
-            @color="secondary"
-            type="submit"
-            disabled={{not this.secretPath}}
-            data-test-get-secret-detail
-          />
-        </form>
-        {{#if @failedDirectoryQuery}}
-          <AlertInline @type="danger" @message="You do not have the required permissions or the directory does not exist." />
-        {{/if}}
-      </OverviewCard>
-    </div>
-  </div>
-{{else}}
-  {{#if @secrets}}
-    {{#each @secrets as |metadata|}}
-      <LinkedBlock
-        data-test-list-item={{metadata.path}}
-        class="list-item-row"
-        @params={{array (if metadata.pathIsDirectory "list-directory" "secret.details") metadata.fullSecretPath}}
-        @linkPrefix={{this.mountPoint}}
-      >
-        <div class="level is-mobile">
-          <div class="level-left">
-            <div>
-              <Icon @name={{if metadata.pathIsDirectory "folder" "file"}} class="has-text-grey-light" />
-              <span class="has-text-weight-semibold is-underline">
-                {{metadata.path}}
-              </span>
-            </div>
-          </div>
-          <div class="level-right is-flex is-paddingless is-marginless">
-            <div class="level-item">
-              <PopupMenu>
-                <nav class="menu">
-                  <ul class="menu-list">
-                    {{#if metadata.pathIsDirectory}}
-                      <li>
-                        <LinkTo @route="list-directory" @model={{metadata.fullSecretPath}}>
-                          Content
-                        </LinkTo>
-                      </li>
-                    {{else}}
-                      <li>
-                        <LinkTo @route="secret.details" @model={{metadata.fullSecretPath}}>
-                          Details
-                        </LinkTo>
-                      </li>
-                      {{#if metadata.canReadMetadata}}
-                        <li>
-                          <LinkTo @route="secret.metadata.versions" @model={{metadata.fullSecretPath}}>
-                            View version history
-                          </LinkTo>
-                        </li>
-                      {{/if}}
-                      {{#if metadata.canCreateVersionData}}
-                        <li>
-                          <LinkTo @route="secret.details.edit" @model={{metadata.fullSecretPath}}>
-                            Create new version
-                          </LinkTo>
-                        </li>
-                      {{/if}}
-                      {{#if metadata.canDeleteMetadata}}
-                        <ConfirmAction
-                          @buttonText="Permanently delete"
-                          @isInDropdown={{true}}
-                          @onConfirmAction={{fn this.onDelete metadata}}
-                          @confirmMessage="This will permanently delete this secret and all its versions."
-                        />
-                      {{/if}}
-                    {{/if}}
-                  </ul>
-                </nav>
-              </PopupMenu>
-            </div>
-          </div>
-        </div>
-      </LinkedBlock>
-    {{/each}}
-    {{! Pagination }}
-    <Hds::Pagination::Numbered
-      @currentPage={{@secrets.meta.currentPage}}
-      @currentPageSize={{@secrets.meta.pageSize}}
-      @route={{this.router.currentRoute.localName}}
-      @showSizeSelector={{false}}
-      @totalItems={{@secrets.meta.total}}
-      @queryFunction={{this.paginationQueryParams}}
-      data-test-pagination
-    />
-  {{else}}
-    {{#if @filterValue}}
-      <EmptyState @title="There are no secrets matching &quot;{{@filterValue}}&quot;." />
-    {{else}}
-      <EmptyState
-        data-test-secret-list-empty-state
-        @title="No secrets yet"
-        @message="When created, secrets will be listed here. Create a secret to get started."
-      >
-        <LinkTo class="has-top-margin-xs" @route="create">
-          Create secret
-        </LinkTo>
-      </EmptyState>
-    {{/if}}
-  {{/if}}
-{{/if}}
\ No newline at end of file
+option go_package = "github.com/hashicorp/vault/vault";
+
+message EchoRequest {
+  string message = 1;
+  // ClusterAddr is used to send up a standby node's address to the active
+  // node upon heartbeat
+  string cluster_addr = 2;
+  // ClusterAddrs is used to send up a list of cluster addresses to a dr
+  // primary from a dr secondary
+  repeated string cluster_addrs = 3;
+
+  uint64 raft_applied_index = 4;
+  string raft_node_id = 5;
+  NodeInformation node_info = 6;
+  uint64 raft_term = 7;
+  string raft_desired_suffrage = 8;
+  string raft_upgrade_version = 9;
+  string raft_redundancy_zone = 10;
+  string sdk_version = 11;
+  google.protobuf.Timestamp now = 12;
+  // last_roundtrip_time is the time taken for the last echo request
+  google.protobuf.Duration last_roundtrip_time = 13;
+  // clock_skew_millis is the server time minus the local time
+  int64 clock_skew_millis = 14;
+}
+
+message EchoReply {
+  string message = 1;
+  repeated string cluster_addrs = 2;
+  uint32 replication_state = 3;
+  uint64 raft_applied_index = 4;
+  string raft_node_id = 5;
+  NodeInformation node_info = 6;
+  // now is the time on the server
+  google.protobuf.Timestamp now = 7;
+}
+
+message NodeInformation {
+  string cluster_addr = 1;
+  string api_addr = 2;
+  string mode = 3;
+  string node_id = 4;
+  uint32 replication_state = 5;
+  string hostname = 6;
+}
+
+message ClientKey {
+  string type = 1;
+  bytes x = 2;
+  bytes y = 3;
+  bytes d = 4;
+}
+
+message PerfStandbyElectionInput {}
+message PerfStandbyElectionResponse {
+  string id = 1;
+  string cluster_id = 2;
+  string primary_cluster_addr = 3;
+  bytes ca_cert = 4;
+  bytes client_cert = 5;
+  ClientKey client_key = 6;
+}
+
+service RequestForwarding {
+  rpc ForwardRequest(forwarding.Request) returns (forwarding.Response) {}
+  rpc Echo(EchoRequest) returns (EchoReply) {}
+  rpc PerformanceStandbyElectionRequest(PerfStandbyElectionInput) returns (stream PerfStandbyElectionResponse) {}
+}
diff --git a/ui/lib/kv/addon/components/page/secret/details.hbs b/ui/lib/kv/addon/components/page/secret/details.hbs
index bd10ec5e5b41..034146b5c002 100644
--- a/ui/lib/kv/addon/components/page/secret/details.hbs
+++ b/ui/lib/kv/addon/components/page/secret/details.hbs
@@ -1,147 +1,2689 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<KvPageHeader @breadcrumbs={{@breadcrumbs}} @pageTitle={{@path}}>
-  <:syncDetails>
-    {{#if this.syncStatus}}
-      <Hds::Alert data-test-sync-alert @type="page" @color="neutral" @icon={{false}} as |A|>
-        <A.Title>
-          This secret has been synced from Vault to other destinations, updates to the secret will get automatically synced
-          to destinations.
-        </A.Title>
-
-        {{#each this.syncStatus as |status|}}
-          <A.Description data-test-sync-alert={{status.destinationName}}>
-            <SyncStatusBadge @status={{status.syncStatus}} />
-            <Hds::Link::Inline
-              @route="syncDestination"
-              @color="secondary"
-              @isRouteExternal={{true}}
-              @models={{array status.destinationType status.destinationName}}
-            >
-              {{status.destinationName}}
-            </Hds::Link::Inline>
-            - last updated
-            {{date-format status.updatedAt "MMMM do yyyy, h:mm:ss a"}}
-          </A.Description>
-        {{/each}}
-
-        <A.Button
-          @icon={{if this.fetchSyncStatus.isRunning "loading"}}
-          @text="Refresh"
-          @color="secondary"
-          {{on "click" (perform this.fetchSyncStatus)}}
-        />
-        <A.Link::Standalone
-          @isHrefExternal={{true}}
-          @icon="docs-link"
-          @text="About sync statuses"
-          @href={{doc-link "/vault/docs/sync#sync-statuses"}}
-        />
-      </Hds::Alert>
-    {{/if}}
-  </:syncDetails>
-
-  <:tabLinks>
-    <LinkTo @route="secret.details" data-test-secrets-tab="Secret">Secret</LinkTo>
-    <LinkTo @route="secret.metadata.index" data-test-secrets-tab="Metadata">Metadata</LinkTo>
-    <LinkTo @route="secret.paths" data-test-secrets-tab="Paths">Paths</LinkTo>
-    {{#if @secret.canReadMetadata}}
-      <LinkTo @route="secret.metadata.versions" data-test-secrets-tab="Version History">Version History</LinkTo>
-    {{/if}}
-  </:tabLinks>
-
-  <:toolbarFilters>
-    {{#unless this.emptyState}}
-      <Toggle @name="json" @checked={{this.showJsonView}} @onChange={{fn (mut this.showJsonView)}}>
-        <span class="has-text-grey">JSON</span>
-      </Toggle>
-    {{/unless}}
-  </:toolbarFilters>
-  <:toolbarActions>
-    {{#if this.showUndelete}}
-      <Hds::Button
-        @text="Undelete"
-        @color="secondary"
-        class="toolbar-button"
-        data-test-kv-delete="undelete"
-        {{on "click" this.undelete}}
-      />
-    {{/if}}
-    {{#if this.showDelete}}
-      <KvDeleteModal
-        @mode="delete"
-        @secret={{@secret}}
-        @metadata={{@metadata}}
-        @onDelete={{this.handleDestruction}}
-        @version={{this.version}}
-      />
-    {{/if}}
-    {{#if this.showDestroy}}
-      <KvDeleteModal @mode="destroy" @secret={{@secret}} @onDelete={{this.handleDestruction}} @version={{this.version}} />
-    {{/if}}
-    {{#if (or @secret.canReadData @secret.canReadMetadata @secret.canEditData)}}
-      <div class="toolbar-separator"></div>
-    {{/if}}
-    {{#if (and @secret.canReadData (eq @secret.state "created"))}}
-      <CopySecretDropdown
-        @clipboardText={{stringify @secret.secretData}}
-        @onWrap={{perform this.wrapSecret}}
-        @isWrapping={{this.wrapSecret.isRunning}}
-        @wrappedData={{this.wrappedData}}
-        @onClose={{this.clearWrappedData}}
-      />
-    {{/if}}
-    {{#if @secret.canReadMetadata}}
-      <KvVersionDropdown @displayVersion={{this.version}} @metadata={{@metadata}} @onClose={{this.closeVersionMenu}} />
-    {{/if}}
-    {{#if @secret.canEditData}}
-      <ToolbarLink data-test-create-new-version @route="secret.details.edit" @type="add">Create new version</ToolbarLink>
-    {{/if}}
-  </:toolbarActions>
-</KvPageHeader>
-
-{{#if (or @secret.isSecretDeleted (not this.emptyState))}}
-  <div class="info-table-row-header">
-    <div class="info-table-row thead {{if this.showJsonView 'is-shadowless'}} ">
-      {{#unless this.hideHeaders}}
-        <div class="th column is-one-quarter">
-          Key
-        </div>
-        <div class="th column">
-          Value
-        </div>
-      {{/unless}}
-      <div class="th column justify-right">
-        {{#if (or @secret.isSecretDeleted @secret.createdTime)}}
-          <KvTooltipTimestamp
-            @text="Version {{if @secret.version @secret.version}} {{@secret.state}}"
-            @timestamp={{(if @secret.isSecretDeleted @secret.deletionTime @secret.createdTime)}}
-          />
-        {{/if}}
-      </div>
-    </div>
-  </div>
-{{/if}}
-
-{{#if this.emptyState}}
-  <EmptyState @title={{this.emptyState.title}} @message={{this.emptyState.message}}>
-    {{#if this.emptyState.link}}
-      <DocLink @path={{this.emptyState.link}}>Learn more</DocLink>
-    {{/if}}
-  </EmptyState>
-{{else}}
-  {{#if this.showJsonView}}
-    <JsonEditor @title="Version data" @value={{stringify @secret.secretData}} @readOnly={{true}} />
-  {{else}}
-    {{#each-in @secret.secretData as |key value|}}
-      <InfoTableRow @label={{key}} @value={{value}} @alwaysRender={{true}}>
-        <MaskedInput @name={{key}} @value={{value}} @displayOnly={{true}} @allowCopy={{true}} @allowDownload={{true}} />
-      </InfoTableRow>
-    {{else}}
-      <InfoTableRow @label="" @value="" @alwaysRender={{true}} />
-    {{/each-in}}
-  {{/if}}
-{{/if}}
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package vault
+
+import (
+	"context"
+	"crypto/hmac"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"maps"
+	"net/textproto"
+	"os"
+	paths "path"
+	"slices"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/armon/go-metrics"
+	"github.com/golang/protobuf/proto"
+	"github.com/hashicorp/errwrap"
+	"github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/go-secure-stdlib/strutil"
+	"github.com/hashicorp/go-sockaddr"
+	"github.com/hashicorp/go-uuid"
+	uberAtomic "go.uber.org/atomic"
+
+	"github.com/hashicorp/vault/command/server"
+	"github.com/hashicorp/vault/helper/identity"
+	"github.com/hashicorp/vault/helper/identity/mfa"
+	"github.com/hashicorp/vault/helper/metricsutil"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/internalshared/configutil"
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/helper/errutil"
+	"github.com/hashicorp/vault/sdk/helper/jsonutil"
+	"github.com/hashicorp/vault/sdk/helper/policyutil"
+	"github.com/hashicorp/vault/sdk/helper/wrapping"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/vault/quotas"
+	"github.com/hashicorp/vault/vault/tokens"
+)
+
+const (
+	replTimeout                           = 1 * time.Second
+	EnvVaultDisableLocalAuthMountEntities = "VAULT_DISABLE_LOCAL_AUTH_MOUNT_ENTITIES"
+	// base path to store locked users
+	coreLockedUsersPath = "core/login/lockedUsers/"
+)
+
+var (
+	// DefaultMaxRequestDuration is the amount of time we'll wait for a request
+	// to complete, unless overridden on a per-handler basis
+	DefaultMaxRequestDuration = 90 * time.Second
+
+	ErrNoApplicablePolicies    = errors.New("no applicable policies")
+	ErrPolicyNotExistInTypeMap = errors.New("policy does not exist in type map")
+
+	egpDebugLogging bool
+)
+
+// HandlerProperties is used to seed configuration into a vaulthttp.Handler.
+// It's in this package to avoid a circular dependency
+type HandlerProperties struct {
+	Core                  *Core
+	ListenerConfig        *configutil.Listener
+	DisablePrintableCheck bool
+	RecoveryMode          bool
+	RecoveryToken         *uberAtomic.String
+}
+
+// fetchEntityAndDerivedPolicies returns the entity object for the given entity
+// ID. If the entity is merged into a different entity object, the entity into
+// which the given entity ID is merged into will be returned. This function
+// also returns the cumulative list of policies that the entity is entitled to
+// if skipDeriveEntityPolicies is set to false. This list includes the policies from the
+// entity itself and from all the groups in which the given entity ID is a member of.
+func (c *Core) fetchEntityAndDerivedPolicies(ctx context.Context, tokenNS *namespace.Namespace, entityID string, skipDeriveEntityPolicies bool) (*identity.Entity, map[string][]string, error) {
+	if entityID == "" || c.identityStore == nil {
+		return nil, nil, nil
+	}
+
+	// c.logger.Debug("entity set on the token", "entity_id", te.EntityID)
+
+	// Fetch the entity
+	entity, err := c.identityStore.MemDBEntityByID(entityID, false)
+	if err != nil {
+		c.logger.Error("failed to lookup entity using its ID", "error", err)
+		return nil, nil, err
+	}
+
+	if entity == nil {
+		// If there was no corresponding entity object found, it is
+		// possible that the entity got merged into another entity. Try
+		// finding entity based on the merged entity index.
+		entity, err = c.identityStore.MemDBEntityByMergedEntityID(entityID, false)
+		if err != nil {
+			c.logger.Error("failed to lookup entity in merged entity ID index", "error", err)
+			return nil, nil, err
+		}
+	}
+
+	policies := make(map[string][]string)
+	if entity != nil && !skipDeriveEntityPolicies {
+		// c.logger.Debug("entity successfully fetched; adding entity policies to token's policies to create ACL")
+
+		// Attach the policies on the entity
+		if len(entity.Policies) != 0 {
+			policies[entity.NamespaceID] = append(policies[entity.NamespaceID], entity.Policies...)
+		}
+
+		groupPolicies, err := c.identityStore.groupPoliciesByEntityID(entity.ID)
+		if err != nil {
+			c.logger.Error("failed to fetch group policies", "error", err)
+			return nil, nil, err
+		}
+
+		policiesByNS, err := c.filterGroupPoliciesByNS(ctx, tokenNS, groupPolicies)
+		if err != nil {
+			return nil, nil, err
+		}
+		for nsID, pss := range policiesByNS {
+			policies[nsID] = append(policies[nsID], pss...)
+		}
+	}
+
+	return entity, policies, err
+}
+
+// filterGroupPoliciesByNS takes a context, token namespace, and a map of
+// namespace IDs to slices of group policy names and returns a similar map,
+// but filtered down to the policies that should apply to the token based on the
+// relationship between the namespace of the token and the namespace of the
+// policy.
+func (c *Core) filterGroupPoliciesByNS(ctx context.Context, tokenNS *namespace.Namespace, groupPolicies map[string][]string) (map[string][]string, error) {
+	policies := make(map[string][]string)
+
+	policyApplicationMode, err := c.GetGroupPolicyApplicationMode(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	for nsID, nsPolicies := range groupPolicies {
+		filteredPolicies, err := c.getApplicableGroupPolicies(ctx, tokenNS, nsID, nsPolicies, policyApplicationMode)
+		if err != nil && err != ErrNoApplicablePolicies {
+			return nil, err
+		}
+		filteredPolicies = strutil.RemoveDuplicates(filteredPolicies, false)
+		if len(filteredPolicies) != 0 {
+			policies[nsID] = append(policies[nsID], filteredPolicies...)
+		}
+	}
+
+	return policies, nil
+}
+
+// getApplicableGroupPolicies returns a slice of group policies that should
+// apply to the token based on the group policy application mode,
+// and the relationship between the token namespace and the group namespace.
+func (c *Core) getApplicableGroupPolicies(ctx context.Context, tokenNS *namespace.Namespace, nsID string, nsPolicies []string, policyApplicationMode string) ([]string, error) {
+	policyNS, err := NamespaceByID(ctx, nsID, c)
+	if err != nil {
+		return nil, err
+	}
+	if policyNS == nil {
+		return nil, namespace.ErrNoNamespace
+	}
+
+	var filteredPolicies []string
+
+	if tokenNS.Path == policyNS.Path {
+		// Same namespace - add all and continue
+		for _, policyName := range nsPolicies {
+			filteredPolicies = append(filteredPolicies, policyName)
+		}
+		return filteredPolicies, nil
+	}
+
+	for _, policyName := range nsPolicies {
+		t, err := c.policyStore.GetNonEGPPolicyType(policyNS.ID, policyName)
+		if err != nil && errors.Is(err, ErrPolicyNotExistInTypeMap) {
+			// When we attempt to get a non-EGP policy type, and receive an
+			// explicit error that it doesn't exist (in the type map) we log the
+			// ns/policy and continue without error.
+			c.Logger().Debug(fmt.Errorf("%w: %v/%v", err, policyNS.ID, policyName).Error())
+			continue
+		}
+		if err != nil || t == nil {
+			return nil, fmt.Errorf("failed to look up type of policy: %w", err)
+		}
+
+		switch *t {
+		case PolicyTypeRGP:
+			if tokenNS.HasParent(policyNS) {
+				filteredPolicies = append(filteredPolicies, policyName)
+			}
+		case PolicyTypeACL:
+			if policyApplicationMode != groupPolicyApplicationModeWithinNamespaceHierarchy {
+				// Group policy application mode isn't set to enforce
+				// the namespace hierarchy, so apply all the ACLs,
+				// regardless of their namespaces.
+				filteredPolicies = append(filteredPolicies, policyName)
+				continue
+			}
+			if policyNS.HasParent(tokenNS) {
+				filteredPolicies = append(filteredPolicies, policyName)
+			}
+		default:
+			return nil, fmt.Errorf("unexpected policy type: %v", t)
+		}
+	}
+	if len(filteredPolicies) == 0 {
+		return nil, ErrNoApplicablePolicies
+	}
+	return filteredPolicies, nil
+}
+
+func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Request) (*ACL, *logical.TokenEntry, *identity.Entity, map[string][]string, error) {
+	defer metrics.MeasureSince([]string{"core", "fetch_acl_and_token"}, time.Now())
+
+	// Ensure there is a client token
+	if req.ClientToken == "" {
+		return nil, nil, nil, nil, logical.ErrPermissionDenied
+	}
+
+	if c.tokenStore == nil {
+		c.logger.Error("token store is unavailable")
+		return nil, nil, nil, nil, ErrInternalError
+	}
+
+	// Resolve the token policy
+	var te *logical.TokenEntry
+	switch req.TokenEntry() {
+	case nil:
+		var err error
+		te, err = c.tokenStore.Lookup(ctx, req.ClientToken)
+		if err != nil {
+			c.logger.Error("failed to lookup acl token", "error", err)
+			return nil, nil, nil, nil, ErrInternalError
+		}
+		// Set the token entry here since it has not been cached yet
+		req.SetTokenEntry(te)
+	default:
+		te = req.TokenEntry()
+	}
+
+	// Ensure the token is valid
+	if te == nil {
+		return nil, nil, nil, nil, logical.ErrPermissionDenied
+	}
+
+	// CIDR checks bind all tokens except non-expiring root tokens
+	if te.TTL != 0 && len(te.BoundCIDRs) > 0 {
+		var valid bool
+		remoteSockAddr, err := sockaddr.NewSockAddr(req.Connection.RemoteAddr)
+		if err != nil {
+			if c.Logger().IsDebug() {
+				c.Logger().Debug("could not parse remote addr into sockaddr", "error", err, "remote_addr", req.Connection.RemoteAddr)
+			}
+			return nil, nil, nil, nil, logical.ErrPermissionDenied
+		}
+		for _, cidr := range te.BoundCIDRs {
+			if cidr.Contains(remoteSockAddr) {
+				valid = true
+				break
+			}
+		}
+		if !valid {
+			return nil, nil, nil, nil, logical.ErrPermissionDenied
+		}
+	}
+
+	policyNames := make(map[string][]string)
+	// Add tokens policies
+	policyNames[te.NamespaceID] = append(policyNames[te.NamespaceID], te.Policies...)
+
+	tokenNS, err := NamespaceByID(ctx, te.NamespaceID, c)
+	if err != nil {
+		c.logger.Error("failed to fetch token namespace", "error", err)
+		return nil, nil, nil, nil, ErrInternalError
+	}
+	if tokenNS == nil {
+		c.logger.Error("failed to fetch token namespace", "error", namespace.ErrNoNamespace)
+		return nil, nil, nil, nil, ErrInternalError
+	}
+
+	// Add identity policies from all the namespaces
+	entity, identityPolicies, err := c.fetchEntityAndDerivedPolicies(ctx, tokenNS, te.EntityID, te.NoIdentityPolicies)
+	if err != nil {
+		return nil, nil, nil, nil, ErrInternalError
+	}
+	for nsID, nsPolicies := range identityPolicies {
+		policyNames[nsID] = policyutil.SanitizePolicies(append(policyNames[nsID], nsPolicies...), false)
+	}
+
+	// Attach token's namespace information to the context. Wrapping tokens by
+	// should be able to be used anywhere, so we also special case behavior.
+	var tokenCtx context.Context
+	if len(policyNames) == 1 &&
+		len(policyNames[te.NamespaceID]) == 1 &&
+		(policyNames[te.NamespaceID][0] == responseWrappingPolicyName ||
+			policyNames[te.NamespaceID][0] == controlGroupPolicyName) &&
+		(strings.HasSuffix(req.Path, "sys/wrapping/unwrap") ||
+			strings.HasSuffix(req.Path, "sys/wrapping/lookup") ||
+			strings.HasSuffix(req.Path, "sys/wrapping/rewrap")) {
+		// Use the request namespace; will find the copy of the policy for the
+		// local namespace
+		tokenCtx = ctx
+	} else {
+		// Use the token's namespace for looking up policy
+		tokenCtx = namespace.ContextWithNamespace(ctx, tokenNS)
+	}
+
+	// Add the inline policy if it's set
+	policies := make([]*Policy, 0)
+	if te.InlinePolicy != "" {
+		inlinePolicy, err := ParseACLPolicy(tokenNS, te.InlinePolicy)
+		if err != nil {
+			return nil, nil, nil, nil, ErrInternalError
+		}
+		policies = append(policies, inlinePolicy)
+	}
+
+	// Construct the corresponding ACL object. ACL construction should be
+	// performed on the token's namespace.
+	acl, err := c.policyStore.ACL(tokenCtx, entity, policyNames, policies...)
+	if err != nil {
+		c.logger.Error("failed to construct ACL", "error", err)
+		return nil, nil, nil, nil, ErrInternalError
+	}
+
+	return acl, te, entity, identityPolicies, nil
+}
+
+// CheckTokenWithLock calls CheckToken after grabbing the internal stateLock, and also checking that we aren't in the
+// process of shutting down.
+func (c *Core) CheckTokenWithLock(ctx context.Context, req *logical.Request, unauth bool) (*logical.Auth, *logical.TokenEntry, error) {
+	c.stateLock.RLock()
+	defer c.stateLock.RUnlock()
+	// first check that we aren't shutting down
+	if c.Sealed() {
+		return nil, nil, errors.New("core is sealed")
+	} else if c.activeContext != nil && c.activeContext.Err() != nil {
+		return nil, nil, c.activeContext.Err()
+	}
+	return c.CheckToken(ctx, req, unauth)
+}
+
+func (c *Core) CheckToken(ctx context.Context, req *logical.Request, unauth bool) (*logical.Auth, *logical.TokenEntry, error) {
+	defer metrics.MeasureSince([]string{"core", "check_token"}, time.Now())
+
+	var acl *ACL
+	var te *logical.TokenEntry
+	var entity *identity.Entity
+	var identityPolicies map[string][]string
+
+	// Even if unauth, if a token is provided, there's little reason not to
+	// gather as much info as possible for the audit log and to e.g. control
+	// trace mode for EGPs.
+	if !unauth || (unauth && req.ClientToken != "") {
+		var err error
+		acl, te, entity, identityPolicies, err = c.fetchACLTokenEntryAndEntity(ctx, req)
+		// In the unauth case we don't want to fail the command, since it's
+		// unauth, we just have no information to attach to the request, so
+		// ignore errors...this was best-effort anyways
+		if err != nil && !unauth {
+			return nil, te, err
+		}
+	}
+
+	if entity != nil && entity.Disabled {
+		c.logger.Warn("permission denied as the entity on the token is disabled")
+		return nil, te, logical.ErrPermissionDenied
+	}
+	if te != nil && te.EntityID != "" && entity == nil {
+		if c.perfStandby {
+			return nil, nil, logical.ErrPerfStandbyPleaseForward
+		}
+		c.logger.Warn("permission denied as the entity on the token is invalid")
+		return nil, te, logical.ErrPermissionDenied
+	}
+
+	// Check if this is a root protected path
+	rootPath := c.router.RootPath(ctx, req.Path)
+
+	if rootPath && unauth {
+		return nil, nil, errors.New("cannot access root path in unauthenticated request")
+	}
+
+	// At this point we won't be forwarding a raw request; we should delete
+	// authorization headers as appropriate
+	switch req.ClientTokenSource {
+	case logical.ClientTokenFromVaultHeader:
+		delete(req.Headers, consts.AuthHeaderName)
+	case logical.ClientTokenFromAuthzHeader:
+		if headers, ok := req.Headers["Authorization"]; ok {
+			retHeaders := make([]string, 0, len(headers))
+			for _, v := range headers {
+				if strings.HasPrefix(v, "Bearer ") {
+					continue
+				}
+				retHeaders = append(retHeaders, v)
+			}
+			req.Headers["Authorization"] = retHeaders
+		}
+	}
+
+	// When we receive a write of either type, rather than require clients to
+	// PUT/POST and trust the operation, we ask the backend to give us the real
+	// skinny -- if the backend implements an existence check, it can tell us
+	// whether a particular resource exists. Then we can mark it as an update
+	// or creation as appropriate.
+	if req.Operation == logical.CreateOperation || req.Operation == logical.UpdateOperation {
+		existsResp, checkExists, resourceExists, err := c.router.RouteExistenceCheck(ctx, req)
+		switch err {
+		case logical.ErrUnsupportedPath:
+			// fail later via bad path to avoid confusing items in the log
+			checkExists = false
+		case logical.ErrRelativePath:
+			return nil, te, errutil.UserError{Err: err.Error()}
+		case nil:
+			if existsResp != nil && existsResp.IsError() {
+				return nil, te, existsResp.Error()
+			}
+			// Otherwise, continue on
+		default:
+			c.logger.Error("failed to run existence check", "error", err)
+			if _, ok := err.(errutil.UserError); ok {
+				return nil, te, err
+			} else {
+				return nil, te, ErrInternalError
+			}
+		}
+
+		switch {
+		case !checkExists:
+			// No existence check, so always treat it as an update operation, which is how it is pre 0.5
+			req.Operation = logical.UpdateOperation
+		case resourceExists:
+			// It exists, so force an update operation
+			req.Operation = logical.UpdateOperation
+		case !resourceExists:
+			// It doesn't exist, force a create operation
+			req.Operation = logical.CreateOperation
+		default:
+			panic("unreachable code")
+		}
+	}
+	// Create the auth response
+	auth := &logical.Auth{
+		ClientToken: req.ClientToken,
+		Accessor:    req.ClientTokenAccessor,
+	}
+
+	var clientID string
+	var isTWE bool
+	if te != nil {
+		auth.IdentityPolicies = identityPolicies[te.NamespaceID]
+		auth.TokenPolicies = te.Policies
+		auth.Policies = policyutil.SanitizePolicies(append(te.Policies, identityPolicies[te.NamespaceID]...), false)
+		auth.Metadata = te.Meta
+		auth.DisplayName = te.DisplayName
+		auth.EntityID = te.EntityID
+		delete(identityPolicies, te.NamespaceID)
+		auth.ExternalNamespacePolicies = identityPolicies
+		// Store the entity ID in the request object
+		req.EntityID = te.EntityID
+		auth.TokenType = te.Type
+		auth.TTL = te.TTL
+		if te.CreationTime > 0 {
+			auth.IssueTime = time.Unix(te.CreationTime, 0)
+		}
+		clientID, isTWE = te.CreateClientID()
+		req.ClientID = clientID
+	}
+
+	// Check the standard non-root ACLs. Return the token entry if it's not
+	// allowed so we can decrement the use count.
+	authResults := c.performPolicyChecks(ctx, acl, te, req, entity, &PolicyCheckOpts{
+		Unauth:            unauth,
+		RootPrivsRequired: rootPath,
+	})
+
+	auth.PolicyResults = &logical.PolicyResults{
+		Allowed: authResults.Allowed,
+	}
+
+	if !authResults.Allowed {
+		retErr := authResults.Error
+
+		// If we get a control group error and we are a performance standby,
+		// restore the client token information to the request so that we can
+		// forward this request properly to the active node.
+		if retErr.ErrorOrNil() != nil && checkErrControlGroupTokenNeedsCreated(retErr) &&
+			c.perfStandby && len(req.ClientToken) != 0 {
+			switch req.ClientTokenSource {
+			case logical.ClientTokenFromVaultHeader:
+				req.Headers[consts.AuthHeaderName] = []string{req.ClientToken}
+			case logical.ClientTokenFromAuthzHeader:
+				req.Headers["Authorization"] = append(req.Headers["Authorization"], fmt.Sprintf("Bearer %s", req.ClientToken))
+			}
+			// We also return the appropriate error so that the caller can forward the
+			// request to the active node
+			return auth, te, logical.ErrPerfStandbyPleaseForward
+		}
+
+		if authResults.Error.ErrorOrNil() == nil || authResults.DeniedError {
+			retErr = multierror.Append(retErr, logical.ErrPermissionDenied)
+		}
+		return auth, te, retErr
+	}
+
+	if authResults.ACLResults != nil && len(authResults.ACLResults.GrantingPolicies) > 0 {
+		auth.PolicyResults.GrantingPolicies = authResults.ACLResults.GrantingPolicies
+	}
+	if authResults.SentinelResults != nil && len(authResults.SentinelResults.GrantingPolicies) > 0 {
+		auth.PolicyResults.GrantingPolicies = append(auth.PolicyResults.GrantingPolicies, authResults.SentinelResults.GrantingPolicies...)
+	}
+
+	c.activityLogLock.RLock()
+	activityLog := c.activityLog
+	c.activityLogLock.RUnlock()
+	// If it is an authenticated ( i.e. with vault token ) request, increment client count
+	if !unauth && activityLog != nil {
+		err := activityLog.HandleTokenUsage(ctx, te, clientID, isTWE)
+		if err != nil {
+			return auth, te, err
+		}
+	}
+	return auth, te, nil
+}
+
+// HandleRequest is used to handle a new incoming request
+func (c *Core) HandleRequest(httpCtx context.Context, req *logical.Request) (resp *logical.Response, err error) {
+	return c.switchedLockHandleRequest(httpCtx, req, true)
+}
+
+func (c *Core) switchedLockHandleRequest(httpCtx context.Context, req *logical.Request, doLocking bool) (resp *logical.Response, err error) {
+	if doLocking {
+		c.stateLock.RLock()
+		defer c.stateLock.RUnlock()
+	}
+	if c.Sealed() {
+		return nil, consts.ErrSealed
+	}
+	if c.standby && !c.perfStandby {
+		return nil, consts.ErrStandby
+	}
+
+	if c.activeContext == nil || c.activeContext.Err() != nil {
+		return nil, errors.New("active context canceled after getting state lock")
+	}
+
+	ctx, cancel := context.WithCancel(c.activeContext)
+	go func(ctx context.Context, httpCtx context.Context) {
+		select {
+		case <-ctx.Done():
+		case <-httpCtx.Done():
+			cancel()
+		}
+	}(ctx, httpCtx)
+
+	ns, err := namespace.FromContext(httpCtx)
+	if err != nil {
+		cancel()
+		return nil, fmt.Errorf("could not parse namespace from http context: %w", err)
+	}
+
+	ctx = namespace.ContextWithNamespace(ctx, ns)
+	inFlightReqID, ok := httpCtx.Value(logical.CtxKeyInFlightRequestID{}).(string)
+	if ok {
+		ctx = context.WithValue(ctx, logical.CtxKeyInFlightRequestID{}, inFlightReqID)
+	}
+	requestRole, ok := httpCtx.Value(logical.CtxKeyRequestRole{}).(string)
+	if ok {
+		ctx = context.WithValue(ctx, logical.CtxKeyRequestRole{}, requestRole)
+	}
+	if disable_repl_status, ok := logical.ContextDisableReplicationStatusEndpointsValue(httpCtx); ok {
+		ctx = logical.CreateContextDisableReplicationStatusEndpoints(ctx, disable_repl_status)
+	}
+	body, ok := logical.ContextOriginalBodyValue(httpCtx)
+	if ok {
+		ctx = logical.CreateContextOriginalBody(ctx, body)
+	}
+	resp, err = c.handleCancelableRequest(ctx, req)
+	req.SetTokenEntry(nil)
+	cancel()
+	return resp, err
+}
+
+func (c *Core) handleCancelableRequest(ctx context.Context, req *logical.Request) (resp *logical.Response, err error) {
+	// Allowing writing to a path ending in / makes it extremely difficult to
+	// understand user intent for the filesystem-like backends (kv,
+	// cubbyhole) -- did they want a key named foo/ or did they want to write
+	// to a directory foo/ with no (or forgotten) key, or...? It also affects
+	// lookup, because paths ending in / are considered prefixes by some
+	// backends. Basically, it's all just terrible, so don't allow it.
+	if strings.HasSuffix(req.Path, "/") &&
+		(req.Operation == logical.UpdateOperation ||
+			req.Operation == logical.CreateOperation ||
+			req.Operation == logical.PatchOperation) {
+		return logical.ErrorResponse("cannot write to a path ending in '/'"), nil
+	}
+	waitGroup, err := waitForReplicationState(ctx, c, req)
+	if err != nil {
+		return nil, err
+	}
+
+	// MountPoint will not always be set at this point, so we ensure the req contains it
+	// as it is depended on by some functionality (e.g. quotas)
+	req.MountPoint = c.router.MatchingMount(ctx, req.Path)
+
+	// Decrement the wait group when our request is done
+	if waitGroup != nil {
+		defer waitGroup.Done()
+	}
+
+	if c.MissingRequiredState(req.RequiredState(), c.perfStandby) {
+		return nil, logical.ErrMissingRequiredState
+	}
+
+	err = c.PopulateTokenEntry(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+
+	// Always forward requests that are using a limited use count token.
+	if c.perfStandby && req.ClientTokenRemainingUses > 0 {
+		// Prevent forwarding on local-only requests.
+		return nil, logical.ErrPerfStandbyPleaseForward
+	}
+
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("could not parse namespace from http context: %w", err)
+	}
+	var requestBodyToken string
+	var returnRequestAuthToken bool
+
+	// req.Path will be relative by this point. The prefix check is first
+	// to fail faster if we're not in this situation since it's a hot path
+	switch {
+	case strings.HasPrefix(req.Path, "sys/wrapping/"), strings.HasPrefix(req.Path, "auth/token/"):
+		// Get the token ns info; if we match the paths below we want to
+		// swap in the token context (but keep the relative path)
+		te := req.TokenEntry()
+		newCtx := ctx
+		if te != nil {
+			ns, err := NamespaceByID(ctx, te.NamespaceID, c)
+			if err != nil {
+				c.Logger().Warn("error looking up namespace from the token's namespace ID", "error", err)
+				return nil, err
+			}
+			if ns != nil {
+				newCtx = namespace.ContextWithNamespace(ctx, ns)
+			}
+		}
+		switch req.Path {
+		// Route the token wrapping request to its respective sys NS
+		case "sys/wrapping/lookup", "sys/wrapping/rewrap", "sys/wrapping/unwrap":
+			ctx = newCtx
+			// A lookup on a token that is about to expire returns nil, which means by the
+			// time we can validate a wrapping token lookup will return nil since it will
+			// be revoked after the call. So we have to do the validation here.
+			valid, err := c.validateWrappingToken(ctx, req)
+			if err != nil {
+				return logical.ErrorResponse(fmt.Sprintf("error validating wrapping token: %s", err.Error())), logical.ErrPermissionDenied
+			}
+			if !valid {
+				return nil, consts.ErrInvalidWrappingToken
+			}
+
+		// The -self paths have no meaning outside of the token NS, so
+		// requests for these paths always go to the token NS
+		case "auth/token/lookup-self", "auth/token/renew-self", "auth/token/revoke-self":
+			ctx = newCtx
+			returnRequestAuthToken = true
+
+		// For the following operations, we can set the proper namespace context
+		// using the token's embedded nsID if a relative path was provided.
+		// The operation will still be gated by ACLs, which are checked later.
+		case "auth/token/lookup", "auth/token/renew", "auth/token/revoke", "auth/token/revoke-orphan":
+			token, ok := req.Data["token"]
+			// If the token is not present (e.g. a bad request), break out and let the backend
+			// handle the error
+			if !ok {
+				// If this is a token lookup request and if the token is not
+				// explicitly provided, it will use the client token so we simply set
+				// the context to the client token's context.
+				if req.Path == "auth/token/lookup" {
+					ctx = newCtx
+				}
+				break
+			}
+			if token == nil {
+				return logical.ErrorResponse("invalid token"), logical.ErrPermissionDenied
+			}
+			// We don't care if the token is a server side consistent token or not. Either way, we're going
+			// to be returning it for these paths instead of the short token stored in vault.
+			requestBodyToken = token.(string)
+			if IsSSCToken(token.(string)) {
+				token, err = c.CheckSSCToken(ctx, token.(string), c.isLoginRequest(ctx, req), c.perfStandby)
+
+				// If we receive an error from CheckSSCToken, we can assume the token is bad somehow, and the client
+				// should receive a 403 bad token error like they do for all other invalid tokens, unless the error
+				// specifies that we should forward the request or retry the request.
+				if err != nil {
+					if errors.Is(err, logical.ErrPerfStandbyPleaseForward) || errors.Is(err, logical.ErrMissingRequiredState) {
+						return nil, err
+					}
+					return logical.ErrorResponse("bad token"), logical.ErrPermissionDenied
+				}
+				req.Data["token"] = token
+			}
+			_, nsID := namespace.SplitIDFromString(token.(string))
+			if nsID != "" {
+				ns, err := NamespaceByID(ctx, nsID, c)
+				if err != nil {
+					c.Logger().Warn("error looking up namespace from the token's namespace ID", "error", err)
+					return nil, err
+				}
+				if ns != nil {
+					ctx = namespace.ContextWithNamespace(ctx, ns)
+				}
+			}
+		}
+
+	// The following relative sys/leases/ paths handles re-routing requests
+	// to the proper namespace using the lease ID on applicable paths.
+	case strings.HasPrefix(req.Path, "sys/leases/"):
+		switch req.Path {
+		// For the following operations, we can set the proper namespace context
+		// using the lease's embedded nsID if a relative path was provided.
+		// The operation will still be gated by ACLs, which are checked later.
+		case "sys/leases/lookup", "sys/leases/renew", "sys/leases/revoke", "sys/leases/revoke-force":
+			leaseID, ok := req.Data["lease_id"]
+			// If lease ID is not present, break out and let the backend handle the error
+			if !ok || leaseID == nil {
+				break
+			}
+			_, nsID := namespace.SplitIDFromString(leaseID.(string))
+			if nsID != "" {
+				ns, err := NamespaceByID(ctx, nsID, c)
+				if err != nil {
+					c.Logger().Warn("error looking up namespace from the lease's namespace ID", "error", err)
+					return nil, err
+				}
+				if ns != nil {
+					ctx = namespace.ContextWithNamespace(ctx, ns)
+				}
+			}
+		}
+
+	// Prevent any metrics requests to be forwarded from a standby node.
+	// Instead, we return an error since we cannot be sure if we have an
+	// active token store to validate the provided token.
+	case strings.HasPrefix(req.Path, "sys/metrics"):
+		if c.standby && !c.perfStandby {
+			return nil, ErrCannotForwardLocalOnly
+		}
+	}
+
+	ns, err = namespace.FromContext(ctx)
+	if err != nil {
+		return nil, errwrap.Wrapf("could not parse namespace from http context: {{err}}", err)
+	}
+
+	if !hasNamespaces(c) && ns.Path != "" {
+		return nil, logical.CodedError(403, "namespaces feature not enabled")
+	}
+
+	walState := &logical.WALState{}
+	ctx = logical.IndexStateContext(ctx, walState)
+	var auth *logical.Auth
+	if c.isLoginRequest(ctx, req) && req.ClientTokenSource != logical.ClientTokenFromInternalAuth {
+		resp, auth, err = c.handleLoginRequest(ctx, req)
+	} else {
+		resp, auth, err = c.handleRequest(ctx, req)
+	}
+
+	if err == nil && c.requestResponseCallback != nil {
+		c.requestResponseCallback(c.router.MatchingBackend(ctx, req.Path), req, resp)
+	}
+
+	// If we saved the token in the request, we should return it in the response
+	// data.
+	if resp != nil && resp.Data != nil {
+		if _, ok := resp.Data["error"]; !ok {
+			if requestBodyToken != "" {
+				resp.Data["id"] = requestBodyToken
+			} else if returnRequestAuthToken && req.InboundSSCToken != "" {
+				resp.Data["id"] = req.InboundSSCToken
+			}
+		}
+	}
+	if resp != nil && resp.Auth != nil && requestBodyToken != "" {
+		// if a client token has already been set and the request body token's internal token
+		// is equal to that value, then we can return the original request body token
+		tok, _ := c.DecodeSSCToken(requestBodyToken)
+		if resp.Auth.ClientToken == tok {
+			resp.Auth.ClientToken = requestBodyToken
+		}
+	}
+
+	// Ensure we don't leak internal data
+	if resp != nil {
+		if resp.Secret != nil {
+			resp.Secret.InternalData = nil
+		}
+		if resp.Auth != nil {
+			resp.Auth.InternalData = nil
+		}
+	}
+
+	// We are wrapping if there is anything to wrap (not a nil response) and a
+	// TTL was specified for the token. Errors on a call should be returned to
+	// the caller, so wrapping is turned off if an error is hit and the error
+	// is logged to the audit log.
+	wrapping := resp != nil &&
+		err == nil &&
+		!resp.IsError() &&
+		resp.WrapInfo != nil &&
+		resp.WrapInfo.TTL != 0 &&
+		resp.WrapInfo.Token == ""
+
+	if wrapping {
+		cubbyResp, cubbyErr := c.wrapInCubbyhole(ctx, req, resp, auth)
+		// If not successful, returns either an error response from the
+		// cubbyhole backend or an error; if either is set, set resp and err to
+		// those and continue so that that's what we audit log. Otherwise
+		// finish the wrapping and audit log that.
+		if cubbyResp != nil || cubbyErr != nil {
+			resp = cubbyResp
+			err = cubbyErr
+		} else {
+			wrappingResp := &logical.Response{
+				WrapInfo: resp.WrapInfo,
+				Warnings: resp.Warnings,
+			}
+			resp = wrappingResp
+		}
+	}
+
+	auditResp := resp
+	// When unwrapping we want to log the actual response that will be written
+	// out. We still want to return the raw value to avoid automatic updating
+	// to any of it.
+	if req.Path == "sys/wrapping/unwrap" &&
+		resp != nil &&
+		resp.Data != nil &&
+		resp.Data[logical.HTTPRawBody] != nil {
+
+		// Decode the JSON
+		if resp.Data[logical.HTTPRawBodyAlreadyJSONDecoded] != nil {
+			delete(resp.Data, logical.HTTPRawBodyAlreadyJSONDecoded)
+		} else {
+			httpResp := &logical.HTTPResponse{}
+			err := jsonutil.DecodeJSON(resp.Data[logical.HTTPRawBody].([]byte), httpResp)
+			if err != nil {
+				c.logger.Error("failed to unmarshal wrapped HTTP response for audit logging", "error", err)
+				return nil, ErrInternalError
+			}
+
+			auditResp = logical.HTTPResponseToLogicalResponse(httpResp)
+		}
+	}
+
+	var nonHMACReqDataKeys []string
+	var nonHMACRespDataKeys []string
+	entry := c.router.MatchingMountEntry(ctx, req.Path)
+	if entry != nil {
+		// Get and set ignored HMAC'd value. Reset those back to empty afterwards.
+		if rawVals, ok := entry.synthesizedConfigCache.Load("audit_non_hmac_request_keys"); ok {
+			nonHMACReqDataKeys = rawVals.([]string)
+		}
+
+		// Get and set ignored HMAC'd value. Reset those back to empty afterwards.
+		if auditResp != nil {
+			if rawVals, ok := entry.synthesizedConfigCache.Load("audit_non_hmac_response_keys"); ok {
+				nonHMACRespDataKeys = rawVals.([]string)
+			}
+		}
+	}
+
+	// Create an audit trail of the response
+	if !isControlGroupRun(req) {
+		switch req.Path {
+		case "sys/replication/dr/status", "sys/replication/performance/status", "sys/replication/status":
+		default:
+			logInput := &logical.LogInput{
+				Auth:                auth,
+				Request:             req,
+				Response:            auditResp,
+				OuterErr:            err,
+				NonHMACReqDataKeys:  nonHMACReqDataKeys,
+				NonHMACRespDataKeys: nonHMACRespDataKeys,
+			}
+			if auditErr := c.auditBroker.LogResponse(ctx, logInput, c.auditedHeaders); auditErr != nil {
+				c.logger.Error("failed to audit response", "request_path", req.Path, "error", auditErr)
+				return nil, ErrInternalError
+			}
+		}
+	}
+
+	if walState.LocalIndex != 0 || walState.ReplicatedIndex != 0 {
+		walState.ClusterID = c.ClusterID()
+		if walState.LocalIndex == 0 {
+			if c.perfStandby {
+				walState.LocalIndex = c.EntLastRemoteWAL()
+			} else {
+				walState.LocalIndex = c.EntLastWAL()
+			}
+		}
+		if walState.ReplicatedIndex == 0 {
+			if c.perfStandby {
+				walState.ReplicatedIndex = c.entLastRemoteUpstreamWAL()
+			} else {
+				walState.ReplicatedIndex = c.EntLastRemoteWAL()
+			}
+		}
+
+		req.SetResponseState(walState)
+	}
+
+	return
+}
+
+func isControlGroupRun(req *logical.Request) bool {
+	return req.ControlGroup != nil
+}
+
+func (c *Core) doRouting(ctx context.Context, req *logical.Request) (*logical.Response, error) {
+	// If we're replicating and we get a read-only error from a backend, need to forward to primary
+	resp, err := c.router.Route(ctx, req)
+	if shouldForward(c, resp, err) {
+		fwdResp, fwdErr := forward(ctx, c, req)
+		if fwdErr != nil && err != logical.ErrReadOnly {
+			// When handling the request locally, we got an error that
+			// contained ErrReadOnly, but had additional information.
+			// Since we've now forwarded this request and got _another_
+			// error, we should tell the user about both errors, so
+			// they know about both.
+			//
+			// When there is no error from forwarding, the request
+			// succeeded and so no additional context is necessary. When
+			// the initial error here was only ErrReadOnly, it's likely
+			// the plugin authors intended to forward this request
+			// remotely anyway.
+			repErr, ok := fwdErr.(*logical.ReplicationCodedError)
+			if ok {
+				fwdErr = &logical.ReplicationCodedError{
+					Msg:  fmt.Sprintf("errors from both primary and secondary; primary error was %s; secondary errors follow: %s", repErr.Error(), err.Error()),
+					Code: repErr.Code,
+				}
+			} else {
+				fwdErr = multierror.Append(fwdErr, err)
+			}
+		}
+		return fwdResp, fwdErr
+	}
+	return resp, err
+}
+
+func (c *Core) isLoginRequest(ctx context.Context, req *logical.Request) bool {
+	return c.router.LoginPath(ctx, req.Path)
+}
+
+func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp *logical.Response, retAuth *logical.Auth, retErr error) {
+	defer metrics.MeasureSince([]string{"core", "handle_request"}, time.Now())
+
+	var nonHMACReqDataKeys []string
+	entry := c.router.MatchingMountEntry(ctx, req.Path)
+	if entry != nil {
+		// Set here so the audit log has it even if authorization fails
+		req.MountType = entry.Type
+		req.SetMountRunningSha256(entry.RunningSha256)
+		req.SetMountRunningVersion(entry.RunningVersion)
+		req.SetMountIsExternalPlugin(entry.IsExternalPlugin())
+		req.SetMountClass(entry.MountClass())
+
+		// Get and set ignored HMAC'd value.
+		if rawVals, ok := entry.synthesizedConfigCache.Load("audit_non_hmac_request_keys"); ok {
+			nonHMACReqDataKeys = rawVals.([]string)
+		}
+	}
+
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		c.logger.Error("failed to get namespace from context", "error", err)
+		retErr = multierror.Append(retErr, ErrInternalError)
+		return
+	}
+
+	// Validate the token
+	auth, te, ctErr := c.CheckToken(ctx, req, false)
+	if ctErr == logical.ErrRelativePath {
+		return logical.ErrorResponse(ctErr.Error()), nil, ctErr
+	}
+	if ctErr == logical.ErrPerfStandbyPleaseForward {
+		return nil, nil, ctErr
+	}
+
+	// Updating in-flight request data with client/entity ID
+	inFlightReqID, ok := ctx.Value(logical.CtxKeyInFlightRequestID{}).(string)
+	if ok && req.ClientID != "" {
+		c.UpdateInFlightReqData(inFlightReqID, req.ClientID)
+	}
+
+	// We run this logic first because we want to decrement the use count even
+	// in the case of an error (assuming we can successfully look up; if we
+	// need to forward, we exit before now)
+	if te != nil && !isControlGroupRun(req) {
+		// Attempt to use the token (decrement NumUses)
+		var err error
+		te, err = c.tokenStore.UseToken(ctx, te)
+		if err != nil {
+			c.logger.Error("failed to use token", "error", err)
+			retErr = multierror.Append(retErr, ErrInternalError)
+			return nil, nil, retErr
+		}
+		if te == nil {
+			// Token has been revoked by this point
+			retErr = multierror.Append(retErr, logical.ErrPermissionDenied)
+			return nil, nil, retErr
+		}
+		if te.NumUses == tokenRevocationPending {
+			// We defer a revocation until after logic has run, since this is a
+			// valid request (this is the token's final use). We pass the ID in
+			// directly just to be safe in case something else modifies te later.
+			defer func(id string) {
+				nsActiveCtx := namespace.ContextWithNamespace(c.activeContext, ns)
+				leaseID, err := c.expiration.CreateOrFetchRevocationLeaseByToken(nsActiveCtx, te)
+				if err == nil {
+					err = c.expiration.LazyRevoke(ctx, leaseID)
+				}
+				if err != nil {
+					c.logger.Error("failed to revoke token", "error", err)
+					retResp = nil
+					retAuth = nil
+					retErr = multierror.Append(retErr, ErrInternalError)
+				}
+				if retResp != nil && retResp.Secret != nil &&
+					// Some backends return a TTL even without a Lease ID
+					retResp.Secret.LeaseID != "" {
+					retResp = logical.ErrorResponse("Secret cannot be returned; token had one use left, so leased credentials were immediately revoked.")
+					return
+				}
+			}(te.ID)
+		}
+	}
+
+	if ctErr != nil {
+		newCtErr, cgResp, cgAuth, cgRetErr := checkNeedsCG(ctx, c, req, auth, ctErr, nonHMACReqDataKeys)
+		switch {
+		case newCtErr != nil:
+			ctErr = newCtErr
+		case cgResp != nil || cgAuth != nil:
+			if cgRetErr != nil {
+				retErr = multierror.Append(retErr, cgRetErr)
+			}
+			return cgResp, cgAuth, retErr
+		}
+
+		// If it is an internal error we return that, otherwise we
+		// return invalid request so that the status codes can be correct
+		switch {
+		case ctErr == ErrInternalError,
+			errwrap.Contains(ctErr, ErrInternalError.Error()),
+			ctErr == logical.ErrPermissionDenied,
+			errwrap.Contains(ctErr, logical.ErrPermissionDenied.Error()):
+			switch ctErr.(type) {
+			case *multierror.Error:
+				retErr = ctErr
+			default:
+				retErr = multierror.Append(retErr, ctErr)
+			}
+		default:
+			retErr = multierror.Append(retErr, logical.ErrInvalidRequest)
+		}
+
+		if !isControlGroupRun(req) {
+			logInput := &logical.LogInput{
+				Auth:               auth,
+				Request:            req,
+				OuterErr:           ctErr,
+				NonHMACReqDataKeys: nonHMACReqDataKeys,
+			}
+			if err := c.auditBroker.LogRequest(ctx, logInput, c.auditedHeaders); err != nil {
+				c.logger.Error("failed to audit request", "path", req.Path, "error", err)
+			}
+		}
+
+		if errwrap.Contains(retErr, ErrInternalError.Error()) {
+			return nil, auth, retErr
+		}
+		return logical.ErrorResponse(ctErr.Error()), auth, retErr
+	}
+
+	// Attach the display name
+	req.DisplayName = auth.DisplayName
+
+	// Create an audit trail of the request
+	if !isControlGroupRun(req) {
+		logInput := &logical.LogInput{
+			Auth:               auth,
+			Request:            req,
+			NonHMACReqDataKeys: nonHMACReqDataKeys,
+		}
+		if err := c.auditBroker.LogRequest(ctx, logInput, c.auditedHeaders); err != nil {
+			c.logger.Error("failed to audit request", "path", req.Path, "error", err)
+			retErr = multierror.Append(retErr, ErrInternalError)
+			return nil, auth, retErr
+		}
+	}
+
+	if err := c.entBlockRequestIfError(ns.Path, req.Path); err != nil {
+		return nil, nil, multierror.Append(retErr, err)
+	}
+
+	leaseGenerated := false
+	quotaResp, quotaErr := c.applyLeaseCountQuota(ctx, &quotas.Request{
+		Path:          req.Path,
+		MountPath:     strings.TrimPrefix(req.MountPoint, ns.Path),
+		NamespacePath: ns.Path,
+	})
+	if quotaErr != nil {
+		c.logger.Error("failed to apply quota", "path", req.Path, "error", quotaErr)
+		retErr = multierror.Append(retErr, quotaErr)
+		return nil, auth, retErr
+	}
+
+	if !quotaResp.Allowed {
+		if c.logger.IsTrace() {
+			c.logger.Trace("request rejected due to lease count quota violation", "request_path", req.Path)
+		}
+
+		retErr = multierror.Append(retErr, fmt.Errorf("request path %q: %w", req.Path, quotas.ErrLeaseCountQuotaExceeded))
+		return nil, auth, retErr
+	}
+
+	defer func() {
+		if quotaResp.Access != nil {
+			quotaAckErr := c.ackLeaseQuota(quotaResp.Access, leaseGenerated)
+			if quotaAckErr != nil {
+				retErr = multierror.Append(retErr, quotaAckErr)
+			}
+		}
+	}()
+
+	// Route the request
+	resp, routeErr := c.doRouting(ctx, req)
+	if resp != nil {
+		// Add mount type information to the response
+		if entry != nil {
+			resp.MountType = entry.Type
+		}
+
+		// If wrapping is used, use the shortest between the request and response
+		var wrapTTL time.Duration
+		var wrapFormat, creationPath string
+		var sealWrap bool
+
+		// Ensure no wrap info information is set other than, possibly, the TTL
+		if resp.WrapInfo != nil {
+			if resp.WrapInfo.TTL > 0 {
+				wrapTTL = resp.WrapInfo.TTL
+			}
+			wrapFormat = resp.WrapInfo.Format
+			creationPath = resp.WrapInfo.CreationPath
+			sealWrap = resp.WrapInfo.SealWrap
+			resp.WrapInfo = nil
+		}
+
+		if req.WrapInfo != nil {
+			if req.WrapInfo.TTL > 0 {
+				switch {
+				case wrapTTL == 0:
+					wrapTTL = req.WrapInfo.TTL
+				case req.WrapInfo.TTL < wrapTTL:
+					wrapTTL = req.WrapInfo.TTL
+				}
+			}
+			// If the wrap format hasn't been set by the response, set it to
+			// the request format
+			if req.WrapInfo.Format != "" && wrapFormat == "" {
+				wrapFormat = req.WrapInfo.Format
+			}
+		}
+
+		if wrapTTL > 0 {
+			resp.WrapInfo = &wrapping.ResponseWrapInfo{
+				TTL:          wrapTTL,
+				Format:       wrapFormat,
+				CreationPath: creationPath,
+				SealWrap:     sealWrap,
+			}
+		}
+	}
+
+	// If there is a secret, we must register it with the expiration manager.
+	// We exclude renewal of a lease, since it does not need to be re-registered
+	if resp != nil && resp.Secret != nil && !strings.HasPrefix(req.Path, "sys/renew") &&
+		!strings.HasPrefix(req.Path, "sys/leases/renew") {
+		// KV mounts should return the TTL but not register
+		// for a lease as this provides a massive slowdown
+		registerLease := true
+
+		matchingMountEntry := c.router.MatchingMountEntry(ctx, req.Path)
+		if matchingMountEntry == nil {
+			c.logger.Error("unable to retrieve kv mount entry from router")
+			retErr = multierror.Append(retErr, ErrInternalError)
+			return nil, auth, retErr
+		}
+
+		switch matchingMountEntry.Type {
+		case "kv", "generic":
+			// If we are kv type, first see if we are an older passthrough
+			// backend, and otherwise check the mount entry options.
+			matchingBackend := c.router.MatchingBackend(ctx, req.Path)
+			if matchingBackend == nil {
+				c.logger.Error("unable to retrieve kv backend from router")
+				retErr = multierror.Append(retErr, ErrInternalError)
+				return nil, auth, retErr
+			}
+
+			if ptbe, ok := matchingBackend.(*PassthroughBackend); ok {
+				if !ptbe.GeneratesLeases() {
+					registerLease = false
+					resp.Secret.Renewable = false
+				}
+			} else if matchingMountEntry.Options == nil || matchingMountEntry.Options["leased_passthrough"] != "true" {
+				registerLease = false
+				resp.Secret.Renewable = false
+			}
+
+		case "plugin":
+			// If we are a plugin type and the plugin name is "kv" check the
+			// mount entry options.
+			if matchingMountEntry.Config.PluginName == "kv" && (matchingMountEntry.Options == nil || matchingMountEntry.Options["leased_passthrough"] != "true") {
+				registerLease = false
+				resp.Secret.Renewable = false
+			}
+		}
+
+		if registerLease {
+			sysView := c.router.MatchingSystemView(ctx, req.Path)
+			if sysView == nil {
+				c.logger.Error("unable to look up sys view for login path", "request_path", req.Path)
+				return nil, nil, ErrInternalError
+			}
+
+			ttl, warnings, err := framework.CalculateTTL(sysView, 0, resp.Secret.TTL, 0, resp.Secret.MaxTTL, 0, time.Time{})
+			if err != nil {
+				return nil, nil, err
+			}
+			for _, warning := range warnings {
+				resp.AddWarning(warning)
+			}
+			resp.Secret.TTL = ttl
+
+			registerFunc, funcGetErr := getLeaseRegisterFunc(c)
+			if funcGetErr != nil {
+				retErr = multierror.Append(retErr, funcGetErr)
+				return nil, auth, retErr
+			}
+
+			leaseID, err := registerFunc(ctx, req, resp, "")
+			if err != nil {
+				c.logger.Error("failed to register lease", "request_path", req.Path, "error", err)
+				retErr = multierror.Append(retErr, ErrInternalError)
+				return nil, auth, retErr
+			}
+			leaseGenerated = true
+			resp.Secret.LeaseID = leaseID
+
+			// Count the lease creation
+			ttl_label := metricsutil.TTLBucket(resp.Secret.TTL)
+			mountPointWithoutNs := ns.TrimmedPath(req.MountPoint)
+			c.MetricSink().IncrCounterWithLabels(
+				[]string{"secret", "lease", "creation"},
+				1,
+				[]metrics.Label{
+					metricsutil.NamespaceLabel(ns),
+					{"secret_engine", req.MountType},
+					{"mount_point", mountPointWithoutNs},
+					{"creation_ttl", ttl_label},
+				},
+			)
+		}
+	}
+
+	// Only the token store is allowed to return an auth block, for any
+	// other request this is an internal error.
+	if resp != nil && resp.Auth != nil {
+		if !strings.HasPrefix(req.Path, "auth/token/") {
+			c.logger.Error("unexpected Auth response for non-token backend", "request_path", req.Path)
+			retErr = multierror.Append(retErr, ErrInternalError)
+			return nil, auth, retErr
+		}
+
+		// Fetch the namespace to which the token belongs
+		tokenNS, err := NamespaceByID(ctx, te.NamespaceID, c)
+		if err != nil {
+			c.logger.Error("failed to fetch token's namespace", "error", err)
+			retErr = multierror.Append(retErr, err)
+			return nil, auth, retErr
+		}
+		if tokenNS == nil {
+			c.logger.Error(namespace.ErrNoNamespace.Error())
+			retErr = multierror.Append(retErr, namespace.ErrNoNamespace)
+			return nil, auth, retErr
+		}
+
+		_, identityPolicies, err := c.fetchEntityAndDerivedPolicies(ctx, tokenNS, resp.Auth.EntityID, false)
+		if err != nil {
+			// Best-effort clean up on error, so we log the cleanup error as a
+			// warning but still return as internal error.
+			if err := c.tokenStore.revokeOrphan(ctx, resp.Auth.ClientToken); err != nil {
+				c.logger.Warn("failed to clean up token lease from entity and policy lookup failure", "request_path", req.Path, "error", err)
+			}
+			return nil, nil, ErrInternalError
+		}
+
+		// We skip expiration manager registration for token renewal since it
+		// does not need to be re-registered
+		if strings.HasPrefix(req.Path, "auth/token/renew") {
+			// We build the "policies" list to be returned by starting with
+			// token policies, and add identity policies right after this
+			// conditional
+			tok, _ := c.DecodeSSCToken(req.InboundSSCToken)
+			if resp.Auth.ClientToken == tok {
+				resp.Auth.ClientToken = req.InboundSSCToken
+			}
+			resp.Auth.Policies = policyutil.SanitizePolicies(resp.Auth.TokenPolicies, policyutil.DoNotAddDefaultPolicy)
+		} else {
+			resp.Auth.TokenPolicies = policyutil.SanitizePolicies(resp.Auth.Policies, policyutil.DoNotAddDefaultPolicy)
+
+			switch resp.Auth.TokenType {
+			case logical.TokenTypeBatch:
+			case logical.TokenTypeService:
+				if !c.perfStandby {
+					registeredTokenEntry := &logical.TokenEntry{
+						TTL:         auth.TTL,
+						Policies:    auth.TokenPolicies,
+						Path:        resp.Auth.CreationPath,
+						NamespaceID: ns.ID,
+					}
+
+					// Only logins apply to role based quotas, so we can omit the role here, as we are not logging in.
+					if err := c.expiration.RegisterAuth(ctx, registeredTokenEntry, resp.Auth, ""); err != nil {
+						// Best-effort clean up on error, so we log the cleanup error as
+						// a warning but still return as internal error.
+						if err := c.tokenStore.revokeOrphan(ctx, resp.Auth.ClientToken); err != nil {
+							c.logger.Warn("failed to clean up token lease during auth/token/ request", "request_path", req.Path, "error", err)
+						}
+						c.logger.Error("failed to register token lease during auth/token/ request", "request_path", req.Path, "error", err)
+						retErr = multierror.Append(retErr, ErrInternalError)
+						return nil, auth, retErr
+					}
+					if registeredTokenEntry.ExternalID != "" {
+						resp.Auth.ClientToken = registeredTokenEntry.ExternalID
+					}
+					leaseGenerated = true
+				}
+			}
+		}
+
+		// We do these later since it's not meaningful for backends/expmgr to
+		// have what is purely a snapshot of current identity policies, and
+		// plugins can be confused if they are checking contents of
+		// Auth.Policies instead of Auth.TokenPolicies
+		resp.Auth.Policies = policyutil.SanitizePolicies(append(resp.Auth.Policies, identityPolicies[te.NamespaceID]...), policyutil.DoNotAddDefaultPolicy)
+		resp.Auth.IdentityPolicies = policyutil.SanitizePolicies(identityPolicies[te.NamespaceID], policyutil.DoNotAddDefaultPolicy)
+		delete(identityPolicies, te.NamespaceID)
+		resp.Auth.ExternalNamespacePolicies = identityPolicies
+	}
+
+	if resp != nil &&
+		req.Path == "cubbyhole/response" &&
+		len(te.Policies) == 1 &&
+		te.Policies[0] == responseWrappingPolicyName {
+		resp.AddWarning("Reading from 'cubbyhole/response' is deprecated. Please use sys/wrapping/unwrap to unwrap responses, as it provides additional security checks and other benefits.")
+	}
+
+	// Return the response and error
+	if routeErr != nil {
+		if _, ok := routeErr.(*logical.RequestDelegatedAuthError); ok {
+			routeErr = fmt.Errorf("delegated authentication requested but authentication token present")
+		}
+
+		retErr = multierror.Append(retErr, routeErr)
+	}
+
+	return resp, auth, retErr
+}
+
+// handleLoginRequest is used to handle a login request, which is an
+// unauthenticated request to the backend.
+func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (retResp *logical.Response, retAuth *logical.Auth, retErr error) {
+	defer metrics.MeasureSince([]string{"core", "handle_login_request"}, time.Now())
+
+	req.Unauthenticated = true
+
+	var nonHMACReqDataKeys []string
+	entry := c.router.MatchingMountEntry(ctx, req.Path)
+	if entry != nil {
+		// Set here so the audit log has it even if authorization fails
+		req.MountType = entry.Type
+		req.SetMountRunningSha256(entry.RunningSha256)
+		req.SetMountRunningVersion(entry.RunningVersion)
+		req.SetMountIsExternalPlugin(entry.IsExternalPlugin())
+		req.SetMountClass(entry.MountClass())
+
+		// Get and set ignored HMAC'd value.
+		if rawVals, ok := entry.synthesizedConfigCache.Load("audit_non_hmac_request_keys"); ok {
+			nonHMACReqDataKeys = rawVals.([]string)
+		}
+	}
+
+	// Do an unauth check. This will cause EGP policies to be checked
+	var auth *logical.Auth
+	var ctErr error
+	auth, _, ctErr = c.CheckToken(ctx, req, true)
+	if ctErr == logical.ErrPerfStandbyPleaseForward {
+		return nil, nil, ctErr
+	}
+
+	// Updating in-flight request data with client/entity ID
+	inFlightReqID, ok := ctx.Value(logical.CtxKeyInFlightRequestID{}).(string)
+	if ok && req.ClientID != "" {
+		c.UpdateInFlightReqData(inFlightReqID, req.ClientID)
+	}
+
+	if ctErr != nil {
+		// If it is an internal error we return that, otherwise we
+		// return invalid request so that the status codes can be correct
+		var errType error
+		switch ctErr {
+		case ErrInternalError, logical.ErrPermissionDenied:
+			errType = ctErr
+		default:
+			errType = logical.ErrInvalidRequest
+		}
+
+		logInput := &logical.LogInput{
+			Auth:               auth,
+			Request:            req,
+			OuterErr:           ctErr,
+			NonHMACReqDataKeys: nonHMACReqDataKeys,
+		}
+		if err := c.auditBroker.LogRequest(ctx, logInput, c.auditedHeaders); err != nil {
+			c.logger.Error("failed to audit request", "path", req.Path, "error", err)
+			return nil, nil, ErrInternalError
+		}
+
+		if errType != nil {
+			retErr = multierror.Append(retErr, errType)
+		}
+		if ctErr == ErrInternalError {
+			return nil, auth, retErr
+		}
+		return logical.ErrorResponse(ctErr.Error()), auth, retErr
+	}
+
+	switch req.Path {
+	case "sys/replication/dr/status", "sys/replication/performance/status", "sys/replication/status":
+	default:
+		// Create an audit trail of the request. Attach auth if it was returned,
+		// e.g. if a token was provided.
+		logInput := &logical.LogInput{
+			Auth:               auth,
+			Request:            req,
+			NonHMACReqDataKeys: nonHMACReqDataKeys,
+		}
+		if err := c.auditBroker.LogRequest(ctx, logInput, c.auditedHeaders); err != nil {
+			c.logger.Error("failed to audit request", "path", req.Path, "error", err)
+			return nil, nil, ErrInternalError
+		}
+	}
+
+	// The token store uses authentication even when creating a new token,
+	// so it's handled in handleRequest. It should not be reached here.
+	if strings.HasPrefix(req.Path, "auth/token/") {
+		c.logger.Error("unexpected login request for token backend", "request_path", req.Path)
+		return nil, nil, ErrInternalError
+	}
+
+	// check if user lockout feature is disabled
+	isUserLockoutDisabled, err := c.isUserLockoutDisabled(entry)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// if user lockout feature is not disabled, check if the user is locked
+	if !isUserLockoutDisabled {
+		isloginUserLocked, err := c.isUserLocked(ctx, entry, req)
+		if err != nil {
+			return nil, nil, err
+		}
+		if isloginUserLocked {
+			return nil, nil, logical.ErrPermissionDenied
+		}
+	}
+
+	// Route the request
+	resp, routeErr := c.doRouting(ctx, req)
+
+	handleInvalidCreds := func(err error) (*logical.Response, *logical.Auth, error) {
+		if !isUserLockoutDisabled {
+			err := c.failedUserLoginProcess(ctx, entry, req)
+			if err != nil {
+				return nil, nil, err
+			}
+		}
+		return resp, nil, err
+	}
+
+	if routeErr != nil {
+		// if routeErr has invalid credentials error, update the userFailedLoginMap
+		if routeErr == logical.ErrInvalidCredentials {
+			return handleInvalidCreds(routeErr)
+		} else if da, ok := routeErr.(*logical.RequestDelegatedAuthError); ok {
+			return c.handleDelegatedAuth(ctx, req, da, entry, handleInvalidCreds)
+		}
+	}
+
+	if resp != nil {
+		// If wrapping is used, use the shortest between the request and response
+		var wrapTTL time.Duration
+		var wrapFormat, creationPath string
+		var sealWrap bool
+
+		// Ensure no wrap info information is set other than, possibly, the TTL
+		if resp.WrapInfo != nil {
+			if resp.WrapInfo.TTL > 0 {
+				wrapTTL = resp.WrapInfo.TTL
+			}
+			wrapFormat = resp.WrapInfo.Format
+			creationPath = resp.WrapInfo.CreationPath
+			sealWrap = resp.WrapInfo.SealWrap
+			resp.WrapInfo = nil
+		}
+
+		if req.WrapInfo != nil {
+			if req.WrapInfo.TTL > 0 {
+				switch {
+				case wrapTTL == 0:
+					wrapTTL = req.WrapInfo.TTL
+				case req.WrapInfo.TTL < wrapTTL:
+					wrapTTL = req.WrapInfo.TTL
+				}
+			}
+			if req.WrapInfo.Format != "" && wrapFormat == "" {
+				wrapFormat = req.WrapInfo.Format
+			}
+		}
+
+		if wrapTTL > 0 {
+			resp.WrapInfo = &wrapping.ResponseWrapInfo{
+				TTL:          wrapTTL,
+				Format:       wrapFormat,
+				CreationPath: creationPath,
+				SealWrap:     sealWrap,
+			}
+		}
+	}
+
+	// A login request should never return a secret!
+	if resp != nil && resp.Secret != nil {
+		c.logger.Error("unexpected Secret response for login path", "request_path", req.Path)
+		return nil, nil, ErrInternalError
+	}
+
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		c.logger.Error("failed to get namespace from context", "error", err)
+		retErr = multierror.Append(retErr, ErrInternalError)
+		return
+	}
+	// If the response generated an authentication, then generate the token
+	if resp != nil && resp.Auth != nil && req.Path != "sys/mfa/validate" {
+		leaseGenerated := false
+
+		// by placing this after the authorization check, we don't leak
+		// information about locked namespaces to unauthenticated clients.
+		if err := c.entBlockRequestIfError(ns.Path, req.Path); err != nil {
+			retErr = multierror.Append(retErr, err)
+			return
+		}
+
+		// Check for request role in context to role based quotas
+		var role string
+		reqRole := ctx.Value(logical.CtxKeyRequestRole{})
+		if reqRole != nil {
+			role = reqRole.(string)
+		}
+
+		// The request successfully authenticated itself. Run the quota checks
+		// before creating lease.
+		quotaResp, quotaErr := c.applyLeaseCountQuota(ctx, &quotas.Request{
+			Path:          req.Path,
+			MountPath:     strings.TrimPrefix(req.MountPoint, ns.Path),
+			Role:          role,
+			NamespacePath: ns.Path,
+		})
+
+		if quotaErr != nil {
+			c.logger.Error("failed to apply quota", "path", req.Path, "error", quotaErr)
+			retErr = multierror.Append(retErr, quotaErr)
+			return
+		}
+
+		if !quotaResp.Allowed {
+			if c.logger.IsTrace() {
+				c.logger.Trace("request rejected due to lease count quota violation", "request_path", req.Path)
+			}
+
+			retErr = multierror.Append(retErr, fmt.Errorf("request path %q: %w", req.Path, quotas.ErrLeaseCountQuotaExceeded))
+			return
+		}
+
+		defer func() {
+			if quotaResp.Access != nil {
+				quotaAckErr := c.ackLeaseQuota(quotaResp.Access, leaseGenerated)
+				if quotaAckErr != nil {
+					retErr = multierror.Append(retErr, quotaAckErr)
+				}
+			}
+		}()
+
+		var entity *identity.Entity
+		auth = resp.Auth
+
+		mEntry := c.router.MatchingMountEntry(ctx, req.Path)
+
+		if auth.Alias != nil &&
+			mEntry != nil &&
+			c.identityStore != nil {
+
+			if mEntry.Local && os.Getenv(EnvVaultDisableLocalAuthMountEntities) != "" {
+				goto CREATE_TOKEN
+			}
+
+			// Overwrite the mount type and mount path in the alias
+			// information
+			auth.Alias.MountType = req.MountType
+			auth.Alias.MountAccessor = req.MountAccessor
+			auth.Alias.Local = mEntry.Local
+
+			if auth.Alias.Name == "" {
+				return nil, nil, fmt.Errorf("missing name in alias")
+			}
+
+			var err error
+			// Fetch the entity for the alias, or create an entity if one
+			// doesn't exist.
+			entity, entityCreated, err := c.identityStore.CreateOrFetchEntity(ctx, auth.Alias)
+			if err != nil {
+				switch auth.Alias.Local {
+				case true:
+					// Only create a new entity if the error was a readonly error and the creation flag is true
+					// i.e the entity was in the middle of being created
+					if entityCreated && errors.Is(err, logical.ErrReadOnly) {
+						entity, err = possiblyForwardEntityCreation(ctx, c, err, auth, nil)
+						if err != nil {
+							if strings.Contains(err.Error(), errCreateEntityUnimplemented) {
+								resp.AddWarning("primary cluster doesn't yet issue entities for local auth mounts; falling back to not issuing entities for local auth mounts")
+								goto CREATE_TOKEN
+							} else {
+								return nil, nil, err
+							}
+						}
+					}
+					err = updateLocalAlias(ctx, c, auth, entity)
+				default:
+					entity, entityCreated, err = possiblyForwardAliasCreation(ctx, c, err, auth, entity)
+				}
+			}
+			if err != nil {
+				return nil, nil, err
+			}
+			if entity == nil {
+				return nil, nil, fmt.Errorf("failed to create an entity for the authenticated alias")
+			}
+
+			if entity.Disabled {
+				return nil, nil, logical.ErrPermissionDenied
+			}
+
+			auth.EntityID = entity.ID
+			auth.EntityCreated = entityCreated
+			validAliases, err := c.identityStore.refreshExternalGroupMembershipsByEntityID(ctx, auth.EntityID, auth.GroupAliases, req.MountAccessor)
+			if err != nil {
+				return nil, nil, err
+			}
+			auth.GroupAliases = validAliases
+		}
+
+	CREATE_TOKEN:
+		// Determine the source of the login
+		source := c.router.MatchingMount(ctx, req.Path)
+
+		// Login MFA
+		entity, _, err := c.fetchEntityAndDerivedPolicies(ctx, ns, auth.EntityID, true)
+		if err != nil {
+			return nil, nil, ErrInternalError
+		}
+		// finding the MFAEnforcementConfig that matches the ns and either of
+		// entityID, MountAccessor, GroupID, or Auth type.
+		matchedMfaEnforcementList, err := c.buildMFAEnforcementConfigList(ctx, entity, req.Path)
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed to find MFAEnforcement configuration, error: %v", err)
+		}
+
+		// (for the context, a response warning above says: "primary cluster
+		// doesn't yet issue entities for local auth mounts; falling back
+		// to not issuing entities for local auth mounts")
+		// based on the above, if the entity is nil, check if MFAEnforcementConfig
+		// is configured or not. If not, continue as usual, but if there
+		// is something, then report an error indicating that the user is not
+		// allowed to login because there is no entity associated with it.
+		// This is because an entity is needed to enforce MFA.
+		if entity == nil && len(matchedMfaEnforcementList) > 0 {
+			// this logic means that an MFAEnforcementConfig was configured with
+			// only mount type or mount accessor
+			return nil, nil, logical.ErrPermissionDenied
+		}
+
+		// The resp.Auth has been populated with the information that is required for MFA validation
+		// This is why, the MFA check is placed at this point. The resp.Auth is going to be fully cached
+		// in memory so that it would be used to return to the user upon MFA validation is completed.
+		if entity != nil {
+			if len(matchedMfaEnforcementList) == 0 && len(req.MFACreds) > 0 {
+				resp.AddWarning("Found MFA header but failed to find MFA Enforcement Config")
+			}
+
+			// If X-Vault-MFA header is supplied to the login request,
+			// run single-phase login MFA check, else run two-phase login MFA check
+			if len(matchedMfaEnforcementList) > 0 && len(req.MFACreds) > 0 {
+				for _, eConfig := range matchedMfaEnforcementList {
+					err = c.validateLoginMFA(ctx, eConfig, entity, req.Connection.RemoteAddr, req.MFACreds)
+					if err != nil {
+						return nil, nil, logical.ErrPermissionDenied
+					}
+				}
+			} else if len(matchedMfaEnforcementList) > 0 && len(req.MFACreds) == 0 {
+				mfaRequestID, err := uuid.GenerateUUID()
+				if err != nil {
+					return nil, nil, err
+				}
+				// sending back the MFARequirement config
+				mfaRequirement := &logical.MFARequirement{
+					MFARequestID:   mfaRequestID,
+					MFAConstraints: make(map[string]*logical.MFAConstraintAny),
+				}
+				for _, eConfig := range matchedMfaEnforcementList {
+					mfaAny, err := c.buildMfaEnforcementResponse(eConfig)
+					if err != nil {
+						return nil, nil, err
+					}
+					mfaRequirement.MFAConstraints[eConfig.Name] = mfaAny
+				}
+
+				// for two phased MFA enforcement, we should not return the regular auth
+				// response. This flag is indicate to store the auth response for later
+				// and return MFARequirement only
+				respAuth := &MFACachedAuthResponse{
+					CachedAuth:            resp.Auth,
+					RequestPath:           req.Path,
+					RequestNSID:           ns.ID,
+					RequestNSPath:         ns.Path,
+					RequestConnRemoteAddr: req.Connection.RemoteAddr, // this is needed for the DUO method
+					TimeOfStorage:         time.Now(),
+					RequestID:             mfaRequestID,
+				}
+				err = possiblyForwardSaveCachedAuthResponse(ctx, c, respAuth)
+				if err != nil {
+					return nil, nil, err
+				}
+				auth = nil
+				resp.Auth = &logical.Auth{
+					MFARequirement: mfaRequirement,
+				}
+				resp.AddWarning("A login request was issued that is subject to MFA validation. Please make sure to validate the login by sending another request to mfa/validate endpoint.")
+				// going to return early before generating the token
+				// the user receives the mfaRequirement, and need to use the
+				// login MFA validate endpoint to get the token
+				return resp, auth, nil
+			}
+		}
+
+		// Attach the display name, might be used by audit backends
+		req.DisplayName = auth.DisplayName
+
+		requiresLease := resp.Auth.TokenType != logical.TokenTypeBatch
+
+		// If role was not already determined by http.rateLimitQuotaWrapping
+		// and a lease will be generated, calculate a role for the leaseEntry.
+		// We can skip this step if there are no pre-existing role-based quotas
+		// for this mount and Vault is configured to skip lease role-based lease counting
+		// until after they're created. This effectively zeroes out the lease count
+		// for new role-based quotas upon creation, rather than counting old leases toward
+		// the total.
+		if reqRole == nil && requiresLease && !c.impreciseLeaseRoleTracking {
+			role = c.DetermineRoleFromLoginRequest(ctx, req.MountPoint, req.Data)
+		}
+
+		leaseGen, respTokenCreate, errCreateToken := c.LoginCreateToken(ctx, ns, req.Path, source, role, resp)
+		leaseGenerated = leaseGen
+		if errCreateToken != nil {
+			return respTokenCreate, nil, errCreateToken
+		}
+		resp = respTokenCreate
+	}
+
+	// Successful login, remove any entry from userFailedLoginInfo map
+	// if it exists. This is done for batch tokens (for oss & ent)
+	// For service tokens on oss it is taken care by core RegisterAuth function.
+	// For service tokens on ent it is taken care by registerAuth RPC calls.
+	// This update is done as part of registerAuth of RPC calls from standby
+	// to active node. This is added there to reduce RPC calls
+	if !isUserLockoutDisabled && (auth.TokenType == logical.TokenTypeBatch) {
+		loginUserInfoKey := FailedLoginUser{
+			aliasName:     auth.Alias.Name,
+			mountAccessor: auth.Alias.MountAccessor,
+		}
+
+		// We don't need to try to delete the lockedUsers storage entry, since we're
+		// processing a login request. If a login attempt is allowed, it means the user is
+		// unlocked and we only add storage entry when the user gets locked.
+		err = updateUserFailedLoginInfo(ctx, c, loginUserInfoKey, nil, true)
+		if err != nil {
+			return nil, nil, err
+		}
+	}
+
+	// if we were already going to return some error from this login, do that.
+	// if not, we will then check if the API is locked for the requesting
+	// namespace, to avoid leaking locked namespaces to unauthenticated clients.
+	if resp != nil && resp.Data != nil {
+		if _, ok := resp.Data["error"]; ok {
+			return resp, auth, routeErr
+		}
+	}
+	if routeErr != nil {
+		return resp, auth, routeErr
+	}
+
+	// this check handles the bad login credential case
+	if err := c.entBlockRequestIfError(ns.Path, req.Path); err != nil {
+		return nil, nil, multierror.Append(retErr, err)
+	}
+
+	return resp, auth, routeErr
+}
+
+type invalidCredentialHandler func(err error) (*logical.Response, *logical.Auth, error)
+
+// handleDelegatedAuth when a backend request returns logical.RequestDelegatedAuthError, it is requesting that
+// an authentication workflow of its choosing be implemented prior to it being able to accept it. Normally
+// this is used for standard protocols that communicate the credential information in a non-standard Vault way
+func (c *Core) handleDelegatedAuth(ctx context.Context, origReq *logical.Request, da *logical.RequestDelegatedAuthError, entry *MountEntry, invalidCredHandler invalidCredentialHandler) (*logical.Response, *logical.Auth, error) {
+	// Make sure we didn't get into a routing loop.
+	if origReq.ClientTokenSource == logical.ClientTokenFromInternalAuth {
+		return nil, nil, fmt.Errorf("%w: original request had delegated auth token, "+
+			"forbidding another delegated request from path '%s'", ErrInternalError, origReq.Path)
+	}
+
+	// Backend has requested internally delegated authentication
+	requestedAccessor := da.MountAccessor()
+	if strings.TrimSpace(requestedAccessor) == "" {
+		return nil, nil, fmt.Errorf("%w: backend returned an invalid mount accessor '%s'", ErrInternalError, requestedAccessor)
+	}
+	// First, is this allowed by the mount tunable?
+	if !slices.Contains(entry.Config.DelegatedAuthAccessors, requestedAccessor) {
+		return nil, nil, fmt.Errorf("delegated auth to accessor %s not permitted", requestedAccessor)
+	}
+
+	reqNamespace, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed looking up namespace from context: %w", err)
+	}
+
+	mount := c.router.MatchingMountByAccessor(requestedAccessor)
+	if mount == nil {
+		return nil, nil, fmt.Errorf("%w: requested delegate authentication accessor '%s' was not found", logical.ErrPermissionDenied, requestedAccessor)
+	}
+	if mount.Table != credentialTableType {
+		return nil, nil, fmt.Errorf("%w: requested delegate authentication mount '%s' was not an auth mount", logical.ErrPermissionDenied, requestedAccessor)
+	}
+	if mount.NamespaceID != reqNamespace.ID {
+		return nil, nil, fmt.Errorf("%w: requested delegate authentication mount was in a different namespace than request", logical.ErrPermissionDenied)
+	}
+
+	// Found it, now form the login path and issue the request
+	path := paths.Join("auth", mount.Path, da.Path())
+	authReq, err := origReq.Clone()
+	if err != nil {
+		return nil, nil, err
+	}
+	authReq.MountAccessor = requestedAccessor
+	authReq.Path = path
+	authReq.Operation = logical.UpdateOperation
+
+	// filter out any response wrapping headers, for our embedded login request
+	delete(authReq.Headers, textproto.CanonicalMIMEHeaderKey(consts.WrapTTLHeaderName))
+	authReq.WrapInfo = nil
+
+	// Insert the data fields from the delegated auth error in our auth request
+	authReq.Data = maps.Clone(da.Data())
+
+	// Make sure we are going to perform a login request and not expose other backend types to this request
+	if !c.isLoginRequest(ctx, authReq) {
+		return nil, nil, fmt.Errorf("delegated path '%s' was not considered a login request", authReq.Path)
+	}
+
+	authResp, err := c.handleCancelableRequest(ctx, authReq)
+	if err != nil || authResp.IsError() {
+		// see if the backend wishes to handle the failed auth
+		if da.AuthErrorHandler() != nil {
+			resp, err := da.AuthErrorHandler()(ctx, origReq, authReq, authResp, err)
+			return resp, nil, err
+		}
+		switch err {
+		case nil:
+			return authResp, nil, nil
+		case logical.ErrInvalidCredentials:
+			return invalidCredHandler(err)
+		default:
+			return authResp, nil, err
+		}
+	}
+	if authResp == nil {
+		return nil, nil, fmt.Errorf("%w: delegated auth request returned empty response for request_path: %s", ErrInternalError, authReq.Path)
+	}
+	// A login request should never return a secret!
+	if authResp.Secret != nil {
+		return nil, nil, fmt.Errorf("%w: unexpected Secret response for login path for request_path: %s", ErrInternalError, authReq.Path)
+	}
+	if authResp.Auth == nil {
+		return nil, nil, fmt.Errorf("%w: Auth response was nil for request_path: %s", ErrInternalError, authReq.Path)
+	}
+	if authResp.Auth.ClientToken == "" {
+		if authResp.Auth.MFARequirement != nil {
+			return nil, nil, fmt.Errorf("%w: delegated auth request requiring MFA is not supported: %s", logical.ErrPermissionDenied, authReq.Path)
+		}
+		return nil, nil, fmt.Errorf("%w: delegated auth request did not return a client token for login path: %s", ErrInternalError, authReq.Path)
+	}
+
+	// Delegated auth tokens should only be batch tokens, as we don't want to incur
+	// the cost of storage/tidying for protocols that will be generating a token per
+	// request.
+	if !IsBatchToken(authResp.Auth.ClientToken) {
+		return nil, nil, fmt.Errorf("%w: delegated auth requests must be configured to issue batch tokens", logical.ErrPermissionDenied)
+	}
+
+	// Authentication successful, use the resulting ClientToken to reissue the original request
+	secondReq, err := origReq.Clone()
+	if err != nil {
+		return nil, nil, err
+	}
+	secondReq.ClientToken = authResp.Auth.ClientToken
+	secondReq.ClientTokenSource = logical.ClientTokenFromInternalAuth
+	resp, err := c.handleCancelableRequest(ctx, secondReq)
+	return resp, nil, err
+}
+
+// LoginCreateToken creates a token as a result of a login request.
+// If MFA is enforced, mfa/validate endpoint calls this functions
+// after successful MFA validation to generate the token.
+func (c *Core) LoginCreateToken(ctx context.Context, ns *namespace.Namespace, reqPath, mountPoint, role string, resp *logical.Response) (bool, *logical.Response, error) {
+	auth := resp.Auth
+	source := strings.TrimPrefix(mountPoint, credentialRoutePrefix)
+	source = strings.ReplaceAll(source, "/", "-")
+
+	// Prepend the source to the display name
+	auth.DisplayName = strings.TrimSuffix(source+auth.DisplayName, "-")
+
+	// Determine mount type
+	mountEntry := c.router.MatchingMountEntry(ctx, reqPath)
+	if mountEntry == nil {
+		return false, nil, fmt.Errorf("failed to find a matching mount")
+	}
+
+	sysView := c.router.MatchingSystemView(ctx, reqPath)
+	if sysView == nil {
+		c.logger.Error("unable to look up sys view for login path", "request_path", reqPath)
+		return false, nil, ErrInternalError
+	}
+
+	tokenTTL, warnings, err := framework.CalculateTTL(sysView, 0, auth.TTL, auth.Period, auth.MaxTTL, auth.ExplicitMaxTTL, time.Time{})
+	if err != nil {
+		return false, nil, err
+	}
+	for _, warning := range warnings {
+		resp.AddWarning(warning)
+	}
+
+	_, identityPolicies, err := c.fetchEntityAndDerivedPolicies(ctx, ns, auth.EntityID, false)
+	if err != nil {
+		return false, nil, ErrInternalError
+	}
+
+	auth.TokenPolicies = policyutil.SanitizePolicies(auth.Policies, !auth.NoDefaultPolicy)
+	allPolicies := policyutil.SanitizePolicies(append(auth.TokenPolicies, identityPolicies[ns.ID]...), policyutil.DoNotAddDefaultPolicy)
+
+	// Prevent internal policies from being assigned to tokens. We check
+	// this on auth.Policies including derived ones from Identity before
+	// actually making the token.
+	for _, policy := range allPolicies {
+		if policy == "root" {
+			return false, logical.ErrorResponse("auth methods cannot create root tokens"), logical.ErrInvalidRequest
+		}
+		if strutil.StrListContains(nonAssignablePolicies, policy) {
+			return false, logical.ErrorResponse(fmt.Sprintf("cannot assign policy %q", policy)), logical.ErrInvalidRequest
+		}
+	}
+
+	var registerFunc RegisterAuthFunc
+	var funcGetErr error
+	// Batch tokens should not be forwarded to perf standby
+	if auth.TokenType == logical.TokenTypeBatch {
+		registerFunc = c.RegisterAuth
+	} else {
+		registerFunc, funcGetErr = getAuthRegisterFunc(c)
+	}
+	if funcGetErr != nil {
+		return false, nil, funcGetErr
+	}
+
+	leaseGenerated := false
+	err = registerFunc(ctx, tokenTTL, reqPath, auth, role)
+	switch {
+	case err == nil:
+		if auth.TokenType != logical.TokenTypeBatch {
+			leaseGenerated = true
+		}
+	case err == ErrInternalError:
+		return false, nil, err
+	default:
+		return false, logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
+	}
+
+	auth.IdentityPolicies = policyutil.SanitizePolicies(identityPolicies[ns.ID], policyutil.DoNotAddDefaultPolicy)
+	delete(identityPolicies, ns.ID)
+	auth.ExternalNamespacePolicies = identityPolicies
+	auth.Policies = allPolicies
+
+	// Count the successful token creation
+	ttl_label := metricsutil.TTLBucket(tokenTTL)
+	// Do not include namespace path in mount point; already present as separate label.
+	mountPointWithoutNs := ns.TrimmedPath(mountPoint)
+	c.metricSink.IncrCounterWithLabels(
+		[]string{"token", "creation"},
+		1,
+		[]metrics.Label{
+			metricsutil.NamespaceLabel(ns),
+			{"auth_method", mountEntry.Type},
+			{"mount_point", mountPointWithoutNs},
+			{"creation_ttl", ttl_label},
+			{"token_type", auth.TokenType.String()},
+		},
+	)
+
+	return leaseGenerated, resp, nil
+}
+
+// failedUserLoginProcess updates the userFailedLoginMap with login count and  last failed
+// login time for users with failed login attempt
+// If the user gets locked for current login attempt, it updates the storage entry too
+func (c *Core) failedUserLoginProcess(ctx context.Context, mountEntry *MountEntry, req *logical.Request) error {
+	// get the user lockout configuration for the user
+	userLockoutConfiguration := c.getUserLockoutConfiguration(mountEntry)
+
+	// determine the key for userFailedLoginInfo map
+	loginUserInfoKey, err := c.getLoginUserInfoKey(ctx, mountEntry, req)
+	if err != nil {
+		return err
+	}
+
+	// get entry from userFailedLoginInfo map for the key
+	userFailedLoginInfo, err := getUserFailedLoginInfo(ctx, c, loginUserInfoKey)
+	if err != nil {
+		return err
+	}
+
+	// update the last failed login time with current time
+	failedLoginInfo := FailedLoginInfo{
+		lastFailedLoginTime: int(time.Now().Unix()),
+	}
+
+	// set the failed login count value for the entry in userFailedLoginInfo map
+	switch userFailedLoginInfo {
+	case nil: // entry does not exist in userfailedLoginMap
+		failedLoginInfo.count = 1
+	default:
+		failedLoginInfo.count = userFailedLoginInfo.count + 1
+
+		// if counter reset, set the count value to 1 as this gets counted as new entry
+		lastFailedLoginTime := time.Unix(int64(userFailedLoginInfo.lastFailedLoginTime), 0)
+		counterResetDuration := userLockoutConfiguration.LockoutCounterReset
+		if time.Now().After(lastFailedLoginTime.Add(counterResetDuration)) {
+			failedLoginInfo.count = 1
+		}
+	}
+
+	// update the userFailedLoginInfo map (and/or storage) with the updated/new entry
+	err = updateUserFailedLoginInfo(ctx, c, loginUserInfoKey, &failedLoginInfo, false)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// getLoginUserInfoKey gets failedUserLoginInfo map key for login user
+func (c *Core) getLoginUserInfoKey(ctx context.Context, mountEntry *MountEntry, req *logical.Request) (FailedLoginUser, error) {
+	userInfo := FailedLoginUser{}
+	aliasName, err := c.aliasNameFromLoginRequest(ctx, req)
+	if err != nil {
+		return userInfo, err
+	}
+	if aliasName == "" {
+		return userInfo, errors.New("failed to determine alias name from login request")
+	}
+
+	userInfo.aliasName = aliasName
+	userInfo.mountAccessor = mountEntry.Accessor
+	return userInfo, nil
+}
+
+// isUserLockoutDisabled checks if user lockout feature to prevent brute forcing is disabled
+// Auth types userpass, ldap and approle support this feature
+// precedence: environment var setting >> auth tune setting >> config file setting >> default (enabled)
+func (c *Core) isUserLockoutDisabled(mountEntry *MountEntry) (bool, error) {
+	if !strutil.StrListContains(configutil.GetSupportedUserLockoutsAuthMethods(), mountEntry.Type) {
+		return true, nil
+	}
+
+	// check environment variable
+	if disableUserLockoutEnv := os.Getenv(consts.VaultDisableUserLockout); disableUserLockoutEnv != "" {
+		var err error
+		disableUserLockout, err := strconv.ParseBool(disableUserLockoutEnv)
+		if err != nil {
+			return false, errors.New("Error parsing the environment variable VAULT_DISABLE_USER_LOCKOUT")
+		}
+		if disableUserLockout {
+			return true, nil
+		}
+		return false, nil
+	}
+
+	// read auth tune for mount entry
+	userLockoutConfigFromMount := mountEntry.Config.UserLockoutConfig
+	if userLockoutConfigFromMount != nil && userLockoutConfigFromMount.DisableLockout {
+		return true, nil
+	}
+
+	// read config for auth type from config file
+	userLockoutConfiguration := c.getUserLockoutFromConfig(mountEntry.Type)
+	if userLockoutConfiguration.DisableLockout {
+		return true, nil
+	}
+
+	// default
+	return false, nil
+}
+
+// isUserLocked determines if the login user is locked
+func (c *Core) isUserLocked(ctx context.Context, mountEntry *MountEntry, req *logical.Request) (locked bool, err error) {
+	// get userFailedLoginInfo map key for login user
+	loginUserInfoKey, err := c.getLoginUserInfoKey(ctx, mountEntry, req)
+	if err != nil {
+		return false, err
+	}
+
+	// get entry from userFailedLoginInfo map for the key
+	userFailedLoginInfo, err := getUserFailedLoginInfo(ctx, c, loginUserInfoKey)
+	if err != nil {
+		return false, err
+	}
+	userLockoutConfiguration := c.getUserLockoutConfiguration(mountEntry)
+
+	switch userFailedLoginInfo {
+	case nil:
+		// entry not found in userFailedLoginInfo map, check storage to re-verify
+		ns, err := namespace.FromContext(ctx)
+		if err != nil {
+			return false, fmt.Errorf("could not parse namespace from http context: %w", err)
+		}
+		storageUserLockoutPath := fmt.Sprintf(coreLockedUsersPath+"%s/%s/%s", ns.ID, loginUserInfoKey.mountAccessor, loginUserInfoKey.aliasName)
+		existingEntry, err := c.barrier.Get(ctx, storageUserLockoutPath)
+		if err != nil {
+			return false, err
+		}
+		var lastLoginTime int
+		if existingEntry == nil {
+			// no storage entry found, user is not locked
+			return false, nil
+		}
+
+		err = jsonutil.DecodeJSON(existingEntry.Value, &lastLoginTime)
+		if err != nil {
+			return false, err
+		}
+
+		// if time passed from last login time is within lockout duration, the user is locked
+		if time.Now().Unix()-int64(lastLoginTime) < int64(userLockoutConfiguration.LockoutDuration.Seconds()) {
+			// user locked
+			return true, nil
+		}
+
+		// else user is not locked. Entry is stale, this will be removed from storage during cleanup
+		// by the background thread
+
+	default:
+		// entry found in userFailedLoginInfo map, check if the user is locked
+		isCountOverLockoutThreshold := userFailedLoginInfo.count >= uint(userLockoutConfiguration.LockoutThreshold)
+		isWithinLockoutDuration := time.Now().Unix()-int64(userFailedLoginInfo.lastFailedLoginTime) < int64(userLockoutConfiguration.LockoutDuration.Seconds())
+
+		if isCountOverLockoutThreshold && isWithinLockoutDuration {
+			// user locked
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+// getUserLockoutConfiguration gets the user lockout configuration for a mount entry
+// it checks the config file and auth tune values
+// precedence: auth tune >> config file values for auth type >> config file values for all type
+// >> default user lockout values
+// getUserLockoutFromConfig call in this function takes care of config file precedence
+func (c *Core) getUserLockoutConfiguration(mountEntry *MountEntry) (userLockoutConfig UserLockoutConfig) {
+	// get user configuration values from config file
+	userLockoutConfig = c.getUserLockoutFromConfig(mountEntry.Type)
+
+	authTuneUserLockoutConfig := mountEntry.Config.UserLockoutConfig
+	// if user lockout is not configured using auth tune, return values from config file
+	if authTuneUserLockoutConfig == nil {
+		return userLockoutConfig
+	}
+	// replace values in return with config file configuration
+	// for fields that are not configured using auth tune
+	if authTuneUserLockoutConfig.LockoutThreshold != 0 {
+		userLockoutConfig.LockoutThreshold = authTuneUserLockoutConfig.LockoutThreshold
+	}
+	if authTuneUserLockoutConfig.LockoutDuration != 0 {
+		userLockoutConfig.LockoutDuration = authTuneUserLockoutConfig.LockoutDuration
+	}
+	if authTuneUserLockoutConfig.LockoutCounterReset != 0 {
+		userLockoutConfig.LockoutCounterReset = authTuneUserLockoutConfig.LockoutCounterReset
+	}
+	if authTuneUserLockoutConfig.DisableLockout {
+		userLockoutConfig.DisableLockout = authTuneUserLockoutConfig.DisableLockout
+	}
+	return userLockoutConfig
+}
+
+// getUserLockoutFromConfig gets the userlockout configuration for given mount type from config file
+// it reads the user lockout configuration from server config
+// it has values for "all" type and any mountType that is configured using config file
+// "all" type values are updated in shared config with default values i.e; if "all" type is
+// not configured in config file, it is updated in shared config with default configuration
+// If "all" type is configured in config file, any missing fields are updated with default values
+// similarly missing values for a given mount type in config file are updated with "all" type
+// default values
+// If user_lockout configuration is not configured using config file at all, defaults are returned
+func (c *Core) getUserLockoutFromConfig(mountType string) UserLockoutConfig {
+	defaultUserLockoutConfig := UserLockoutConfig{
+		LockoutThreshold:    configutil.UserLockoutThresholdDefault,
+		LockoutDuration:     configutil.UserLockoutDurationDefault,
+		LockoutCounterReset: configutil.UserLockoutCounterResetDefault,
+		DisableLockout:      configutil.DisableUserLockoutDefault,
+	}
+	conf := c.rawConfig.Load()
+	if conf == nil {
+		return defaultUserLockoutConfig
+	}
+	userlockouts := conf.(*server.Config).UserLockouts
+	if userlockouts == nil {
+		return defaultUserLockoutConfig
+	}
+	for _, userLockoutConfig := range userlockouts {
+		switch userLockoutConfig.Type {
+		case "all":
+			defaultUserLockoutConfig = UserLockoutConfig{
+				LockoutThreshold:    userLockoutConfig.LockoutThreshold,
+				LockoutDuration:     userLockoutConfig.LockoutDuration,
+				LockoutCounterReset: userLockoutConfig.LockoutCounterReset,
+				DisableLockout:      userLockoutConfig.DisableLockout,
+			}
+		case mountType:
+			return UserLockoutConfig{
+				LockoutThreshold:    userLockoutConfig.LockoutThreshold,
+				LockoutDuration:     userLockoutConfig.LockoutDuration,
+				LockoutCounterReset: userLockoutConfig.LockoutCounterReset,
+				DisableLockout:      userLockoutConfig.DisableLockout,
+			}
+
+		}
+	}
+	return defaultUserLockoutConfig
+}
+
+func (c *Core) buildMfaEnforcementResponse(eConfig *mfa.MFAEnforcementConfig) (*logical.MFAConstraintAny, error) {
+	mfaAny := &logical.MFAConstraintAny{
+		Any: []*logical.MFAMethodID{},
+	}
+	for _, methodID := range eConfig.MFAMethodIDs {
+		mConfig, err := c.loginMFABackend.MemDBMFAConfigByID(methodID)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get methodID %s from MFA config table, error: %v", methodID, err)
+		}
+		var duoUsePasscode bool
+		if mConfig.Type == mfaMethodTypeDuo {
+			duoConf, ok := mConfig.Config.(*mfa.Config_DuoConfig)
+			if !ok {
+				return nil, fmt.Errorf("invalid MFA configuration type")
+			}
+			duoUsePasscode = duoConf.DuoConfig.UsePasscode
+		}
+		mfaMethod := &logical.MFAMethodID{
+			Type:         mConfig.Type,
+			ID:           methodID,
+			UsesPasscode: mConfig.Type == mfaMethodTypeTOTP || duoUsePasscode,
+			Name:         mConfig.Name,
+		}
+		mfaAny.Any = append(mfaAny.Any, mfaMethod)
+	}
+	return mfaAny, nil
+}
+
+// RegisterAuth uses a logical.Auth object to create a token entry in the token
+// store, and registers a corresponding token lease to the expiration manager.
+// role is the login role used as part of the creation of the token entry. If not
+// relevant, can be omitted (by being provided as "").
+func (c *Core) RegisterAuth(ctx context.Context, tokenTTL time.Duration, path string, auth *logical.Auth, role string) error {
+	// We first assign token policies to what was returned from the backend
+	// via auth.Policies. Then, we get the full set of policies into
+	// auth.Policies from the backend + entity information -- this is not
+	// stored in the token, but we perform sanity checks on it and return
+	// that information to the user.
+
+	// Generate a token
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return err
+	}
+	te := logical.TokenEntry{
+		Path:           path,
+		Meta:           auth.Metadata,
+		DisplayName:    auth.DisplayName,
+		CreationTime:   time.Now().Unix(),
+		TTL:            tokenTTL,
+		NumUses:        auth.NumUses,
+		EntityID:       auth.EntityID,
+		BoundCIDRs:     auth.BoundCIDRs,
+		Policies:       auth.TokenPolicies,
+		NamespaceID:    ns.ID,
+		ExplicitMaxTTL: auth.ExplicitMaxTTL,
+		Period:         auth.Period,
+		Type:           auth.TokenType,
+	}
+
+	if te.TTL == 0 && (len(te.Policies) != 1 || te.Policies[0] != "root") {
+		c.logger.Error("refusing to create a non-root zero TTL token")
+		return ErrInternalError
+	}
+
+	if err := c.tokenStore.create(ctx, &te); err != nil {
+		c.logger.Error("failed to create token", "error", err)
+		return ErrInternalError
+	}
+
+	// Populate the client token, accessor, and TTL
+	auth.ClientToken = te.ID
+	auth.Accessor = te.Accessor
+	auth.TTL = te.TTL
+	auth.Orphan = te.Parent == ""
+
+	switch auth.TokenType {
+	case logical.TokenTypeBatch:
+		// Ensure it's not marked renewable since it isn't
+		auth.Renewable = false
+	case logical.TokenTypeService:
+		// Register with the expiration manager
+		if err := c.expiration.RegisterAuth(ctx, &te, auth, role); err != nil {
+			if err := c.tokenStore.revokeOrphan(ctx, te.ID); err != nil {
+				c.logger.Warn("failed to clean up token lease during login request", "request_path", path, "error", err)
+			}
+			c.logger.Error("failed to register token lease during login request", "request_path", path, "error", err)
+			return ErrInternalError
+		}
+		if te.ExternalID != "" {
+			auth.ClientToken = te.ExternalID
+		}
+		// Successful login, remove any entry from userFailedLoginInfo map
+		// if it exists. This is done for service tokens (for oss) here.
+		// For ent it is taken care by registerAuth RPC calls.
+		if auth.Alias != nil {
+			loginUserInfoKey := FailedLoginUser{
+				aliasName:     auth.Alias.Name,
+				mountAccessor: auth.Alias.MountAccessor,
+			}
+
+			// We don't need to try to delete the lockedUsers storage entry, since we're
+			// processing a login request. If a login attempt is allowed, it means the user is
+			// unlocked and we only add storage entry when the user gets locked.
+			err = updateUserFailedLoginInfo(ctx, c, loginUserInfoKey, nil, true)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+// LocalGetUserFailedLoginInfo gets the failed login information for a user based on alias name and mountAccessor
+func (c *Core) LocalGetUserFailedLoginInfo(ctx context.Context, userKey FailedLoginUser) *FailedLoginInfo {
+	c.userFailedLoginInfoLock.Lock()
+	value, exists := c.userFailedLoginInfo[userKey]
+	c.userFailedLoginInfoLock.Unlock()
+	if exists {
+		return value
+	}
+	return nil
+}
+
+// LocalUpdateUserFailedLoginInfo updates the failed login information for a user based on alias name and mountAccessor
+func (c *Core) LocalUpdateUserFailedLoginInfo(ctx context.Context, userKey FailedLoginUser, failedLoginInfo *FailedLoginInfo, deleteEntry bool) error {
+	c.userFailedLoginInfoLock.Lock()
+	switch deleteEntry {
+	case false:
+		// update entry in the map
+		c.userFailedLoginInfo[userKey] = failedLoginInfo
+
+		// get the user lockout configuration for the user
+		mountEntry := c.router.MatchingMountByAccessor(userKey.mountAccessor)
+		if mountEntry == nil {
+			mountEntry = &MountEntry{}
+			mountEntry.NamespaceID = namespace.RootNamespaceID
+		}
+		userLockoutConfiguration := c.getUserLockoutConfiguration(mountEntry)
+
+		// if failed login count has reached threshold, create a storage entry as the user got locked
+		if failedLoginInfo.count >= uint(userLockoutConfiguration.LockoutThreshold) {
+			// user locked
+			storageUserLockoutPath := fmt.Sprintf(coreLockedUsersPath+"%s/%s/%s", mountEntry.NamespaceID, userKey.mountAccessor, userKey.aliasName)
+
+			compressedBytes, err := jsonutil.EncodeJSONAndCompress(failedLoginInfo.lastFailedLoginTime, nil)
+			if err != nil {
+				c.logger.Error("failed to encode or compress failed login user entry", "error", err)
+				return err
+			}
+
+			// Create an entry
+			entry := &logical.StorageEntry{
+				Key:   storageUserLockoutPath,
+				Value: compressedBytes,
+			}
+
+			// Write to the physical backend
+			if err := c.barrier.Put(ctx, entry); err != nil {
+				c.logger.Error("failed to persist failed login user entry", "error", err)
+				return err
+			}
+
+		}
+
+	default:
+		// delete the entry from the map, if no key exists it is no-op
+		delete(c.userFailedLoginInfo, userKey)
+	}
+	c.userFailedLoginInfoLock.Unlock()
+	return nil
+}
+
+// PopulateTokenEntry looks up req.ClientToken in the token store and uses
+// it to set other fields in req.  Does nothing if ClientToken is empty
+// or a JWT token, or for service tokens that don't exist in the token store.
+// Should be called with read stateLock held.
+func (c *Core) PopulateTokenEntry(ctx context.Context, req *logical.Request) error {
+	if req.ClientToken == "" {
+		return nil
+	}
+
+	// Also attach the accessor if we have it. This doesn't fail if it
+	// doesn't exist because the request may be to an unauthenticated
+	// endpoint/login endpoint where a bad current token doesn't matter, or
+	// a token from a Vault version pre-accessors. We ignore errors for
+	// JWTs.
+	token := req.ClientToken
+	var err error
+	req.InboundSSCToken = token
+	decodedToken := token
+	if IsSSCToken(token) {
+		// If ForwardToActive is set to ForwardSSCTokenToActive, we ignore
+		// whether the endpoint is a login request, as since we have the token
+		// forwarded to us, we should treat it as an unauthenticated endpoint
+		// and ensure the token is populated too regardless.
+		// Notably, this is important for some endpoints, such as endpoints
+		// such as sys/ui/mounts/internal, which is unauthenticated but a token
+		// may be provided to be used.
+		// Without the check to see if
+		// c.ForwardToActive() == ForwardSSCTokenToActive unauthenticated
+		// requests that do not use a token but were provided one anyway
+		// could fail with a 412.
+		// We only follow this behaviour if we're a perf standby, as
+		// this behaviour only makes sense in that case as only they
+		// could be missing the token population.
+		// Without ForwardToActive being set to ForwardSSCTokenToActive,
+		// behaviours that rely on this functionality also wouldn't make
+		// much sense, as they would fail with 412 required index not present
+		// as perf standbys aren't guaranteed to have the WAL state
+		// for new tokens.
+		unauth := c.isLoginRequest(ctx, req)
+		if c.ForwardToActive() == ForwardSSCTokenToActive && c.perfStandby {
+			unauth = false
+		}
+		decodedToken, err = c.CheckSSCToken(ctx, token, unauth, c.perfStandby)
+		// If we receive an error from CheckSSCToken, we can assume the token is bad somehow, and the client
+		// should receive a 403 bad token error like they do for all other invalid tokens, unless the error
+		// specifies that we should forward the request or retry the request.
+		if err != nil {
+			if errors.Is(err, logical.ErrPerfStandbyPleaseForward) || errors.Is(err, logical.ErrMissingRequiredState) {
+				return err
+			}
+			return logical.ErrPermissionDenied
+		}
+	}
+	req.ClientToken = decodedToken
+	// We ignore the token returned from CheckSSCToken here as Lookup also
+	// decodes the SSCT, and it may need the original SSCT to check state.
+	te, err := c.LookupToken(ctx, token)
+	if err != nil {
+		// If we're missing required state, return that error
+		// as-is to the client
+		if errors.Is(err, logical.ErrPerfStandbyPleaseForward) || errors.Is(err, logical.ErrMissingRequiredState) {
+			return err
+		}
+		// If we have two dots but the second char is a dot it's a vault
+		// token of the form s.SOMETHING.nsid, not a JWT
+		if !IsJWT(token) {
+			return fmt.Errorf("error performing token check: %w", err)
+		}
+	}
+	if err == nil && te != nil {
+		req.ClientTokenAccessor = te.Accessor
+		req.ClientTokenRemainingUses = te.NumUses
+		req.SetTokenEntry(te)
+	}
+	return nil
+}
+
+func (c *Core) CheckSSCToken(ctx context.Context, token string, unauth bool, isPerfStandby bool) (string, error) {
+	if unauth && token != "" {
+		// This token shouldn't really be here, but alas it was sent along with the request
+		// Since we're already knee deep in the token checking code pre-existing token checking
+		// code, we have to deal with this token whether we like it or not. So, we'll just try
+		// to get the inner token, and if that fails, return the token as-is. We intentionally
+		// will skip any token checks, because this is an unauthenticated paths and the token
+		// is just a nuisance rather than a means of auth.
+
+		// We cannot return whatever we like here, because if we do then CheckToken, which looks up
+		// the corresponding lease, will not find the token entry and lease. There are unauth'ed
+		// endpoints that use the token entry (such as sys/ui/mounts/internal) to do custom token
+		// checks, which would then fail. Therefore, we must try to get whatever thing is tied to
+		// token entries, but we must explicitly not do any SSC Token checks.
+		tok, err := c.DecodeSSCToken(token)
+		if err != nil || tok == "" {
+			return token, nil
+		}
+		return tok, nil
+	}
+	return c.checkSSCTokenInternal(ctx, token, isPerfStandby)
+}
+
+// DecodeSSCToken returns the random part of an SSCToken without
+// performing any signature or WAL checks.
+func (c *Core) DecodeSSCToken(token string) (string, error) {
+	// Skip batch and old style service tokens. These can have the prefix "b.",
+	// "s." (for old tokens) or "hvb."
+	if !IsSSCToken(token) {
+		return token, nil
+	}
+	tok, err := DecodeSSCTokenInternal(token)
+	if err != nil {
+		return "", err
+	}
+	return tok.Random, nil
+}
+
+// DecodeSSCTokenInternal is a helper used to get the inner part of a SSC token without
+// checking the token signature or the WAL index.
+func DecodeSSCTokenInternal(token string) (*tokens.Token, error) {
+	signedToken := &tokens.SignedToken{}
+
+	// Skip batch and old style service tokens. These can have the prefix "b.",
+	// "s." (for old tokens) or "hvb."
+	if !strings.HasPrefix(token, consts.ServiceTokenPrefix) {
+		return nil, fmt.Errorf("not service token")
+	}
+
+	// Consider the suffix of the token only when unmarshalling
+	suffixToken := token[4:]
+
+	tokenBytes, err := base64.RawURLEncoding.DecodeString(suffixToken)
+	if err != nil {
+		return nil, fmt.Errorf("can't decode token")
+	}
+
+	err = proto.Unmarshal(tokenBytes, signedToken)
+	if err != nil {
+		return nil, err
+	}
+	plainToken := &tokens.Token{}
+	err2 := proto.Unmarshal([]byte(signedToken.Token), plainToken)
+	if err2 != nil {
+		return nil, err2
+	}
+	return plainToken, nil
+}
+
+func (c *Core) checkSSCTokenInternal(ctx context.Context, token string, isPerfStandby bool) (string, error) {
+	signedToken := &tokens.SignedToken{}
+
+	// Skip batch and old style service tokens. These can have the prefix "b.",
+	// "s." (for old tokens) or "hvb."
+	if !strings.HasPrefix(token, consts.ServiceTokenPrefix) {
+		return token, nil
+	}
+
+	// Check token length to guess if this is an server side consistent token or not.
+	// Note that even when the DisableSSCTokens flag is set, index
+	// bearing tokens that have already been given out may still be used.
+	if !IsSSCToken(token) {
+		return token, nil
+	}
+
+	// Consider the suffix of the token only when unmarshalling
+	suffixToken := token[4:]
+
+	tokenBytes, err := base64.RawURLEncoding.DecodeString(suffixToken)
+	if err != nil {
+		c.logger.Warn("cannot decode token", "error", err)
+		return token, nil
+	}
+
+	err = proto.Unmarshal(tokenBytes, signedToken)
+	if err != nil {
+		return "", fmt.Errorf("error occurred when unmarshalling ssc token: %w", err)
+	}
+	hm, err := c.tokenStore.CalculateSignedTokenHMAC(signedToken.Token)
+	if !hmac.Equal(hm, signedToken.Hmac) {
+		return "", fmt.Errorf("token mac for %+v is incorrect: err %w", signedToken, err)
+	}
+	plainToken := &tokens.Token{}
+	err = proto.Unmarshal([]byte(signedToken.Token), plainToken)
+	if err != nil {
+		return "", err
+	}
+
+	// Disregard SSCT on perf-standbys for non-raft storage
+	if c.perfStandby && c.getRaftBackend() == nil {
+		return plainToken.Random, nil
+	}
+
+	ep := int(plainToken.IndexEpoch)
+	if ep < c.tokenStore.GetSSCTokensGenerationCounter() {
+		return plainToken.Random, nil
+	}
+
+	requiredWalState := &logical.WALState{ClusterID: c.ClusterID(), LocalIndex: plainToken.LocalIndex, ReplicatedIndex: 0}
+	if c.HasWALState(requiredWalState, isPerfStandby) {
+		return plainToken.Random, nil
+	}
+	// Make sure to forward the request instead of checking the token if the flag
+	// is set and we're on a perf standby
+	if c.ForwardToActive() == ForwardSSCTokenToActive && isPerfStandby {
+		return "", logical.ErrPerfStandbyPleaseForward
+	}
+	// In this case, the server side consistent token cannot be used on this node. We return the appropriate
+	// status code.
+	return "", logical.ErrMissingRequiredState
+}
diff --git a/ui/lib/kv/addon/components/page/secret/details.js b/ui/lib/kv/addon/components/page/secret/details.js
index 21a2507f598b..4e05471035ef 100644
--- a/ui/lib/kv/addon/components/page/secret/details.js
+++ b/ui/lib/kv/addon/components/page/secret/details.js
@@ -1,219 +1,143 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: MPL-2.0
- */
-
-import Component from '@glimmer/component';
-import { action } from '@ember/object';
-import { tracked } from '@glimmer/tracking';
-import { next } from '@ember/runloop';
-import { inject as service } from '@ember/service';
-import { task } from 'ember-concurrency';
-import { waitFor } from '@ember/test-waiters';
-import { isDeleted } from 'kv/utils/kv-deleted';
-
-/**
- * @module KvSecretDetails renders the key/value data of a KV secret.
- * It also renders a dropdown to display different versions of the secret.
- * <Page::Secret::Details
- *  @path={{this.model.path}}
- *  @secret={{this.model.secret}}
- *  @metadata={{this.model.metadata}}
- *  @breadcrumbs={{this.breadcrumbs}}
-  />
- *
- * @param {string} path - path of kv secret 'my/secret' used as the title for the KV page header
- * @param {model} secret - Ember data model: 'kv/data'
- * @param {model} metadata - Ember data model: 'kv/metadata'
- * @param {array} breadcrumbs - Array to generate breadcrumbs, passed to the page header component
- */
-
-export default class KvSecretDetails extends Component {
-  @service flashMessages;
-  @service router;
-  @service store;
-
-  @tracked showJsonView = false;
-  @tracked wrappedData = null;
-  @tracked syncStatus; // array of association sync status info by destination
-
-  constructor() {
-    super(...arguments);
-    this.fetchSyncStatus.perform();
-  }
-
-  @action
-  closeVersionMenu(dropdown) {
-    // strange issue where closing dropdown triggers full transition (which redirects to auth screen in production)
-    // closing dropdown in next tick of run loop fixes it
-    next(() => dropdown.actions.close());
-  }
-
-  @action
-  clearWrappedData() {
-    this.wrappedData = null;
-  }
-
-  @task
-  @waitFor
-  *wrapSecret() {
-    const { backend, path } = this.args.secret;
-    const adapter = this.store.adapterFor('kv/data');
-    try {
-      const { token } = yield adapter.fetchWrapInfo({ backend, path, wrapTTL: 1800 });
-      if (!token) throw 'No token';
-      this.wrappedData = token;
-      this.flashMessages.success('Secret successfully wrapped!');
-    } catch (error) {
-      this.flashMessages.danger('Could not wrap secret.');
-    }
-  }
-
-  @task
-  @waitFor
-  *fetchSyncStatus() {
-    const { backend, path } = this.args.secret;
-    const syncAdapter = this.store.adapterFor('sync/association');
-    try {
-      this.syncStatus = yield syncAdapter.fetchSyncStatus({ mount: backend, secretName: path });
-    } catch (e) {
-      // silently error
-    }
-  }
-
-  @action
-  async undelete() {
-    const { secret } = this.args;
-    try {
-      await secret.destroyRecord({
-        adapterOptions: { deleteType: 'undelete', deleteVersions: this.version },
-      });
-      this.flashMessages.success(`Successfully undeleted ${secret.path}.`);
-      this.refreshRoute();
-    } catch (err) {
-      this.flashMessages.danger(
-        `There was a problem undeleting ${secret.path}. Error: ${err.errors?.join(' ')}.`
-      );
-    }
-  }
-
-  @action
-  async handleDestruction(type) {
-    const { secret } = this.args;
-    try {
-      await secret.destroyRecord({ adapterOptions: { deleteType: type, deleteVersions: this.version } });
-      this.flashMessages.success(`Successfully ${secret.state} Version ${this.version} of ${secret.path}.`);
-      this.refreshRoute();
-    } catch (err) {
-      const verb = type.includes('delete') ? 'deleting' : 'destroying';
-      this.flashMessages.danger(
-        `There was a problem ${verb} Version ${this.version} of ${secret.path}. Error: ${err.errors.join(
-          ' '
-        )}.`
-      );
-    }
-  }
-
-  refreshRoute() {
-    // transition to the parent secret route to refresh both metadata and data models
-    this.router.transitionTo('vault.cluster.secrets.backend.kv.secret', {
-      queryParams: { version: this.version },
-    });
-  }
-
-  get version() {
-    return (
-      this.args.secret?.version ||
-      this.router.currentRoute.queryParams?.version ||
-      this.args.metadata?.sortedVersions[0].version
-    );
-  }
-
-  get hideHeaders() {
-    return this.showJsonView || this.emptyState;
-  }
-
-  get versionState() {
-    const { secret, metadata } = this.args;
-    if (secret.failReadErrorCode !== 403) {
-      return secret.state;
-    }
-    // If the user can't read secret data, get the current version
-    // state from metadata versions
-    if (metadata?.sortedVersions) {
-      const version = this.version;
-      const meta = version
-        ? metadata.sortedVersions.find((v) => v.version == version)
-        : metadata.sortedVersions[0];
-      if (meta?.destroyed) {
-        return 'destroyed';
-      }
-      if (isDeleted(meta?.deletion_time)) {
-        return 'deleted';
-      }
-      if (meta?.created_time) {
-        return 'created';
-      }
-    }
-    return '';
-  }
-
-  get showUndelete() {
-    const { secret } = this.args;
-    if (secret.canUndelete) {
-      return this.versionState === 'deleted';
-    }
-    return false;
-  }
-
-  get showDelete() {
-    const { secret } = this.args;
-    if (secret.canDeleteVersion || secret.canDeleteLatestVersion) {
-      return this.versionState === 'created' || this.versionState === '';
-    }
-    return false;
-  }
-
-  get showDestroy() {
-    const { secret } = this.args;
-    if (secret.canDestroyVersion) {
-      return this.versionState !== 'destroyed' && this.version;
-    }
-    return false;
-  }
-
-  get emptyState() {
-    if (!this.args.secret.canReadData) {
-      return {
-        title: 'You do not have permission to read this secret',
-        message:
-          'Your policies may permit you to write a new version of this secret, but do not allow you to read its current contents.',
-      };
-    }
-    // only destructure if we can read secret data
-    const { version, destroyed, isSecretDeleted } = this.args.secret;
-    if (destroyed) {
-      return {
-        title: `Version ${version} of this secret has been permanently destroyed`,
-        message: `A version that has been permanently deleted cannot be restored. ${
-          this.args.secret.canReadMetadata
-            ? ' You can view other versions of this secret in the Version History tab above.'
-            : ''
-        }`,
-        link: '/vault/docs/secrets/kv/kv-v2',
-      };
-    }
-    if (isSecretDeleted) {
-      return {
-        title: `Version ${version} of this secret has been deleted`,
-        message: `This version has been deleted but can be undeleted. ${
-          this.args.secret.canReadMetadata
-            ? 'View other versions of this secret by clicking the Version History tab above.'
-            : ''
-        }`,
-        link: '/vault/docs/secrets/kv/kv-v2',
-      };
-    }
-    return false;
-  }
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package logical
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestContextDisableReplicationStatusEndpointsValue(t *testing.T) {
+	testcases := []struct {
+		name          string
+		ctx           context.Context
+		expectedValue bool
+		expectedOk    bool
+	}{
+		{
+			name:          "without-value",
+			ctx:           context.Background(),
+			expectedValue: false,
+			expectedOk:    false,
+		},
+		{
+			name:          "with-nil",
+			ctx:           context.WithValue(context.Background(), ctxKeyDisableReplicationStatusEndpoints{}, nil),
+			expectedValue: false,
+			expectedOk:    false,
+		},
+		{
+			name:          "with-incompatible-value",
+			ctx:           context.WithValue(context.Background(), ctxKeyDisableReplicationStatusEndpoints{}, "true"),
+			expectedValue: false,
+			expectedOk:    false,
+		},
+		{
+			name:          "with-bool-true",
+			ctx:           context.WithValue(context.Background(), ctxKeyDisableReplicationStatusEndpoints{}, true),
+			expectedValue: true,
+			expectedOk:    true,
+		},
+		{
+			name:          "with-bool-false",
+			ctx:           context.WithValue(context.Background(), ctxKeyDisableReplicationStatusEndpoints{}, false),
+			expectedValue: false,
+			expectedOk:    true,
+		},
+	}
+
+	for _, testcase := range testcases {
+		value, ok := ContextDisableReplicationStatusEndpointsValue(testcase.ctx)
+		assert.Equal(t, testcase.expectedValue, value, testcase.name)
+		assert.Equal(t, testcase.expectedOk, ok, testcase.name)
+	}
+}
+
+func TestCreateContextDisableReplicationStatusEndpoints(t *testing.T) {
+	ctx := CreateContextDisableReplicationStatusEndpoints(context.Background(), true)
+
+	value := ctx.Value(ctxKeyDisableReplicationStatusEndpoints{})
+
+	assert.NotNil(t, ctx)
+	assert.NotNil(t, value)
+	assert.IsType(t, bool(false), value)
+	assert.Equal(t, true, value.(bool))
+
+	ctx = CreateContextDisableReplicationStatusEndpoints(context.Background(), false)
+
+	value = ctx.Value(ctxKeyDisableReplicationStatusEndpoints{})
+
+	assert.NotNil(t, ctx)
+	assert.NotNil(t, value)
+	assert.IsType(t, bool(false), value)
+	assert.Equal(t, false, value.(bool))
+}
+
+func TestContextOriginalRequestPathValue(t *testing.T) {
+	testcases := []struct {
+		name          string
+		ctx           context.Context
+		expectedValue string
+		expectedOk    bool
+	}{
+		{
+			name:          "without-value",
+			ctx:           context.Background(),
+			expectedValue: "",
+			expectedOk:    false,
+		},
+		{
+			name:          "with-nil",
+			ctx:           context.WithValue(context.Background(), ctxKeyOriginalRequestPath{}, nil),
+			expectedValue: "",
+			expectedOk:    false,
+		},
+		{
+			name:          "with-incompatible-value",
+			ctx:           context.WithValue(context.Background(), ctxKeyOriginalRequestPath{}, 6666),
+			expectedValue: "",
+			expectedOk:    false,
+		},
+		{
+			name:          "with-string-value",
+			ctx:           context.WithValue(context.Background(), ctxKeyOriginalRequestPath{}, "test"),
+			expectedValue: "test",
+			expectedOk:    true,
+		},
+		{
+			name:          "with-empty-string",
+			ctx:           context.WithValue(context.Background(), ctxKeyOriginalRequestPath{}, ""),
+			expectedValue: "",
+			expectedOk:    true,
+		},
+	}
+
+	for _, testcase := range testcases {
+		value, ok := ContextOriginalRequestPathValue(testcase.ctx)
+		assert.Equal(t, testcase.expectedValue, value, testcase.name)
+		assert.Equal(t, testcase.expectedOk, ok, testcase.name)
+	}
+}
+
+func TestCreateContextOriginalRequestPath(t *testing.T) {
+	ctx := CreateContextOriginalRequestPath(context.Background(), "test")
+
+	value := ctx.Value(ctxKeyOriginalRequestPath{})
+
+	assert.NotNil(t, ctx)
+	assert.NotNil(t, value)
+	assert.IsType(t, string(""), value)
+	assert.Equal(t, "test", value.(string))
+
+	ctx = CreateContextOriginalRequestPath(context.Background(), "")
+
+	value = ctx.Value(ctxKeyOriginalRequestPath{})
+
+	assert.NotNil(t, ctx)
+	assert.NotNil(t, value)
+	assert.IsType(t, string(""), value)
+	assert.Equal(t, "", value.(string))
 }
diff --git a/ui/lib/kv/addon/components/page/secret/edit.hbs b/ui/lib/kv/addon/components/page/secret/edit.hbs
index 34a0365d1608..1143f5170a5e 100644
--- a/ui/lib/kv/addon/components/page/secret/edit.hbs
+++ b/ui/lib/kv/addon/components/page/secret/edit.hbs
@@ -3,94 +3,37 @@
   SPDX-License-Identifier: BUSL-1.1
 ~}}
 
-<KvPageHeader @breadcrumbs={{@breadcrumbs}} @pageTitle="Create New Version">
-  <:toolbarFilters>
-    <Toggle @name="json" @checked={{this.showJsonView}} @onChange={{fn (mut this.showJsonView)}}>
-      <span class="has-text-grey">JSON</span>
-    </Toggle>
-  </:toolbarFilters>
-</KvPageHeader>
-
-{{#if this.showOldVersionAlert}}
-  <Hds::Alert data-test-secret-version-alert @type="inline" @color="warning" class="has-top-bottom-margin" as |A|>
-    <A.Title>Warning</A.Title>
-    <A.Description>
-      You are creating a new version based on data from Version
-      {{@previousVersion}}. The current version for
-      <code>{{@secret.path}}</code>
-      is Version
-      {{@currentVersion}}.
-    </A.Description>
-  </Hds::Alert>
-{{/if}}
-{{#if @noReadAccess}}
-  <Hds::Alert data-test-secret-no-read-alert @type="inline" @color="warning" class="has-top-bottom-margin" as |A|>
-    <A.Title>Warning</A.Title>
-    <A.Description>
-      You do not have read permissions for this secret data. Saving will overwrite the existing secret.
-    </A.Description>
-  </Hds::Alert>
-{{/if}}
-
-<form {{on "submit" (perform this.save)}}>
-  <div class="box is-sideless is-fullwidth is-bottomless">
-    <NamespaceReminder @mode="create" @noun="secret" />
-    <MessageError @model={{@secret}} @errorMessage={{this.errorMessage}} />
-
-    <KvDataFields
-      @showJson={{this.showJsonView}}
-      @secret={{@secret}}
-      @modelValidations={{this.modelValidations}}
-      @isEdit={{true}}
-    />
-
-    <div class="has-top-margin-m">
-      <Toggle
-        @name="Show diff"
-        @onChange={{fn (mut this.showDiff)}}
-        @checked={{this.showDiff}}
-        @disabled={{not this.diffDelta}}
-      >
-        <span class="ttl-picker-label is-large">Show diff</span><br />
-        <div class="description has-text-grey" data-test-diff-description>{{if
-            this.diffDelta
-            "Showing the diff will reveal secret values"
-            "No changes to show. Update secret to view diff"
-          }}</div>
-        {{#if this.showDiff}}
-          <div class="form-section visual-diff text-grey-lightest background-color-black has-top-margin-s">
-            <pre data-test-visual-diff>{{sanitized-html this.visualDiff}}</pre>
-          </div>
-        {{/if}}
-      </Toggle>
-    </div>
-  </div>
-  <div class="box is-fullwidth is-bottomless">
-    <div class="control">
-      <Hds::Button
-        @text="Save"
-        @icon={{if this.save.isRunning "loading"}}
-        type="submit"
-        disabled={{this.save.isRunning}}
-        data-test-kv-save
-      />
-      <Hds::Button
-        @text="Cancel"
-        @color="secondary"
-        class="has-left-margin-s"
-        disabled={{this.save.isRunning}}
-        {{on "click" this.onCancel}}
-        data-test-kv-cancel
-      />
-    </div>
-    {{#if this.invalidFormAlert}}
-      <AlertInline
-        data-test-invalid-form-alert
-        class="has-top-padding-s"
-        @type="danger"
-        @message={{this.invalidFormAlert}}
-        @mimicRefresh={{true}}
-      />
-    {{/if}}
+<div class="box is-fullwidth is-shadowless is-marginless">
+  <h4 class="title is-5">
+    Revoke a secondary token
+  </h4>
+</div>
+<MessageError @errors={{this.errors}} />
+<div class="field">
+  <label for="activation-token-id" class="is-label">
+    Secondary ID
+  </label>
+  <div class="control">
+    <Input class="input" name="activation-token-id" id="activation-token-id" @value={{this.id}} />
   </div>
-</form>
\ No newline at end of file
+  <p class="help has-text-grey">
+    The secondary id to revoke; given initially to generate a secondary token.
+  </p>
+</div>
+<hr class="has-background-gray-100" />
+<Hds::ButtonSet>
+  <ConfirmAction
+    @buttonText="Revoke"
+    @confirmTitle="Revoke token?"
+    @confirmMessage="This will revoke this secondary token."
+    @disabledMessage={{unless this.id "A secondary ID is required perform revocation."}}
+    @onConfirmAction={{action "onSubmit" "revoke-secondary" "primary" (hash id=this.id)}}
+  />
+  <Hds::Button
+    @text="Cancel"
+    @color="secondary"
+    @route="mode.secondaries"
+    @model={{this.replicationMode}}
+    @disabled={{this.isRevoking}}
+  />
+</Hds::ButtonSet>
\ No newline at end of file
diff --git a/ui/lib/kv/addon/components/page/secret/edit.js b/ui/lib/kv/addon/components/page/secret/edit.js
index 2c1f110a399f..2a17e41f9b5e 100644
--- a/ui/lib/kv/addon/components/page/secret/edit.js
+++ b/ui/lib/kv/addon/components/page/secret/edit.js
@@ -1,102 +1,106 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: MPL-2.0
- */
-
-import Component from '@glimmer/component';
-import { action } from '@ember/object';
-import { tracked } from '@glimmer/tracking';
-import { task } from 'ember-concurrency';
-import { inject as service } from '@ember/service';
-import errorMessage from 'vault/utils/error-message';
-
-/**
- * @module KvSecretEdit is used for creating a new version of a secret
- *
- * <Page::Secret::Edit
- *  @secret={{this.model.newVersion}}
- *  @previousVersion={{this.model.secret.version}}
- *  @currentVersion={{this.model.metadata.currentVersion}}
- *  @breadcrumbs={{this.breadcrumbs}
- * />
- *
- * @param {model} secret - Ember data model: 'kv/data', the new record for the new secret version saved by the form
- * @param {number} previousVersion - previous secret version number
- * @param {number} currentVersion - current secret version, comes from the metadata endpoint
- * @param {array} breadcrumbs - breadcrumb objects to render in page header
- */
-
-/* eslint-disable no-undef */
-export default class KvSecretEdit extends Component {
-  @service controlGroup;
-  @service flashMessages;
-  @service router;
-
-  @tracked showJsonView = false;
-  @tracked showDiff = false;
-  @tracked errorMessage;
-  @tracked modelValidations;
-  @tracked invalidFormAlert;
-  originalSecret;
-
-  constructor() {
-    super(...arguments);
-    this.originalSecret = JSON.stringify(this.args.secret.secretData || {});
-  }
-
-  get showOldVersionAlert() {
-    const { currentVersion, previousVersion } = this.args;
-    // isNew check prevents alert from flashing after save but before route transitions
-    if (!currentVersion || !previousVersion || !this.args.secret.isNew) return false;
-    if (currentVersion !== previousVersion) return true;
-    return false;
-  }
-
-  get diffDelta() {
-    const oldData = JSON.parse(this.originalSecret);
-    const newData = this.args.secret.secretData;
-
-    const diffpatcher = jsondiffpatch.create({});
-    return diffpatcher.diff(oldData, newData);
-  }
-
-  get visualDiff() {
-    if (!this.showDiff) return null;
-    const newData = this.args.secret.secretData;
-    return this.diffDelta
-      ? jsondiffpatch.formatters.html.format(this.diffDelta, newData)
-      : JSON.stringify(newData, undefined, 2);
-  }
-
-  @task
-  *save(event) {
-    event.preventDefault();
-    try {
-      const { isValid, state, invalidFormMessage } = this.args.secret.validate();
-      this.modelValidations = isValid ? null : state;
-      this.invalidFormAlert = invalidFormMessage;
-      if (isValid) {
-        const { secret } = this.args;
-        yield secret.save();
-        this.flashMessages.success(`Successfully created new version of ${secret.path}.`);
-        this.router.transitionTo('vault.cluster.secrets.backend.kv.secret.details', {
-          queryParams: { version: secret?.version },
-        });
-      }
-    } catch (error) {
-      let message = errorMessage(error);
-      if (error.message === 'Control Group encountered') {
-        this.controlGroup.saveTokenFromError(error);
-        const err = this.controlGroup.logFromError(error);
-        message = err.content;
-      }
-      this.errorMessage = message;
-      this.invalidFormAlert = 'There was an error submitting this form.';
-    }
-  }
-
-  @action
-  onCancel() {
-    this.router.transitionTo('vault.cluster.secrets.backend.kv.secret.details');
-  }
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*OperatorRotateCommand)(nil)
+	_ cli.CommandAutocomplete = (*OperatorRotateCommand)(nil)
+)
+
+type OperatorRotateCommand struct {
+	*BaseCommand
+}
+
+func (c *OperatorRotateCommand) Synopsis() string {
+	return "Rotates the underlying encryption key"
+}
+
+func (c *OperatorRotateCommand) Help() string {
+	helpText := `
+Usage: vault operator rotate [options]
+
+  Rotates the underlying encryption key which is used to secure data written
+  to the storage backend. This installs a new key in the key ring. This new
+  key is used to encrypted new data, while older keys in the ring are used to
+  decrypt older data.
+
+  This is an online operation and does not cause downtime. This command is run
+  per-cluster (not per-server), since Vault servers in HA mode share the same
+  storage backend.
+
+  Rotate Vault's encryption key:
+
+      $ vault operator rotate
+
+  For a full list of examples, please see the documentation.
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *OperatorRotateCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+}
+
+func (c *OperatorRotateCommand) AutocompleteArgs() complete.Predictor {
+	return nil
+}
+
+func (c *OperatorRotateCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *OperatorRotateCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	if len(args) > 0 {
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(args)))
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	// Rotate the key
+	err = client.Sys().Rotate()
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error rotating key: %s", err))
+		return 2
+	}
+
+	// Print the key status
+	status, err := client.Sys().KeyStatus()
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error reading key status: %s", err))
+		return 2
+	}
+
+	switch Format(c.UI) {
+	case "table":
+		c.UI.Output("Success! Rotated key")
+		c.UI.Output("")
+		c.UI.Output(printKeyStatus(status))
+		return 0
+	default:
+		return OutputData(c.UI, status)
+	}
 }
diff --git a/ui/lib/kv/addon/components/page/secret/metadata/edit.hbs b/ui/lib/kv/addon/components/page/secret/metadata/edit.hbs
index 9d1bd4188244..927812934c3f 100644
--- a/ui/lib/kv/addon/components/page/secret/metadata/edit.hbs
+++ b/ui/lib/kv/addon/components/page/secret/metadata/edit.hbs
@@ -1,60 +1,125 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<KvPageHeader @breadcrumbs={{@breadcrumbs}} @pageTitle="Edit Secret Metadata" />
-
-{{#if @metadata.canUpdateMetadata}}
-  <hr class="is-marginless has-background-gray-200" />
-  <p class="has-top-margin-m has-bottom-margin-m">
-    The options below are all version-agnostic; they apply to all versions of this secret.
-  </p>
-  <form {{on "submit" (perform this.save)}}>
-    <div class="box is-sideless is-fullwidth is-marginless">
-      <NamespaceReminder @mode="update" @noun="KV secret metadata" />
-      <MessageError @errorMessage={{this.errorBanner}} class="has-top-margin-s" />
-      <KvMetadataFields @metadata={{@metadata}} @modelValidations={{this.modelValidations}} />
-    </div>
-    <div class="field is-grouped is-grouped-split is-fullwidth box is-bottomless">
-      <div class="has-top-padding-s">
-        <Hds::Button
-          @text="Update"
-          @icon={{if this.save.isRunning "loading"}}
-          type="submit"
-          disabled={{this.save.isRunning}}
-          data-test-kv-save
-        />
-        <Hds::Button
-          @text="Cancel"
-          @color="secondary"
-          class="has-left-margin-s"
-          disabled={{this.save.isRunning}}
-          {{on "click" this.cancel}}
-          data-test-kv-cancel
-        />
-        {{#if this.invalidFormAlert}}
-          <div class="control">
-            <AlertInline
-              data-test-invalid-form-alert
-              @type="danger"
-              @paddingTop={{true}}
-              @message={{this.invalidFormAlert}}
-              @mimicRefresh={{true}}
-            />
-          </div>
-        {{/if}}
-      </div>
-    </div>
-  </form>
-{{else}}
-  <EmptyState
-    @title="You do not have permissions to edit metadata"
-    @message="Ask your administrator if you think you should have access."
-  >
-    <LinkTo @route="secret.metadata.index">
-      View Metadata
-    </LinkTo>
-    <DocLink @path="/vault/api-docs/secret/kv/kv-v2#create-update-metadata">More here</DocLink>
-  </EmptyState>
-{{/if}}
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+)
+
+func testOperatorRotateCommand(tb testing.TB) (*cli.MockUi, *OperatorRotateCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &OperatorRotateCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestOperatorRotateCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"too_many_args",
+			[]string{"abcd1234"},
+			"Too many arguments",
+			1,
+		},
+	}
+
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range cases {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				ui, cmd := testOperatorRotateCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
+	})
+
+	t.Run("default", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		ui, cmd := testOperatorRotateCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Success! Rotated key"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+
+		status, err := client.Sys().KeyStatus()
+		if err != nil {
+			t.Fatal(err)
+		}
+		if exp := 1; status.Term < exp {
+			t.Errorf("expected %d to be less than %d", status.Term, exp)
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testOperatorRotateCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error rotating key: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testOperatorRotateCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
diff --git a/ui/lib/kv/addon/components/page/secret/paths.hbs b/ui/lib/kv/addon/components/page/secret/paths.hbs
index eca19d362676..3ce94cb49a1a 100644
--- a/ui/lib/kv/addon/components/page/secret/paths.hbs
+++ b/ui/lib/kv/addon/components/page/secret/paths.hbs
@@ -1,60 +1,286 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<KvPageHeader @breadcrumbs={{@breadcrumbs}} @pageTitle={{@path}}>
-  <:tabLinks>
-    <LinkTo @route="secret.details" data-test-secrets-tab="Secret">Secret</LinkTo>
-    <LinkTo @route="secret.metadata.index" data-test-secrets-tab="Metadata">Metadata</LinkTo>
-    <LinkTo @route="secret.paths" data-test-secrets-tab="Paths">Paths</LinkTo>
-    {{#if @canReadMetadata}}
-      <LinkTo @route="secret.metadata.versions" data-test-secrets-tab="Version History">Version History</LinkTo>
-    {{/if}}
-  </:tabLinks>
-</KvPageHeader>
-
-<h2 class="title is-5 has-top-margin-xl">
-  Paths
-</h2>
-
-<div class="box is-fullwidth is-sideless is-paddingless is-marginless">
-  {{#each this.paths as |path|}}
-    <InfoTableRow @label={{path.label}} @labelWidth="is-one-third" @helperText={{path.text}} @truncateValue={{true}}>
-      <Hds::Copy::Button @text="Copy" @isIconOnly={{true}} @textToCopy={{path.snippet}} class="transparent" />
-      <code class="is-flex-1 text-overflow-ellipsis has-left-margin-s">
-        {{path.snippet}}
-      </code>
-    </InfoTableRow>
-  {{/each}}
-</div>
-
-<h2 class="title is-5 has-top-margin-xl">
-  Commands
-</h2>
-
-<div class="box is-fullwidth is-sideless">
-  <h3 class="is-label">
-    CLI
-    <Hds::Badge @text="kv get" @color="neutral" />
-  </h3>
-  <p class="helper-text has-text-grey has-bottom-padding-s">
-    This command retrieves the value from KV secrets engine at the given key name. For other CLI commands,
-    <DocLink @path="/vault/docs/commands/kv">
-      learn more.
-    </DocLink>
-  </p>
-  <CodeSnippet data-test-commands="cli" @codeBlock={{this.commands.cli}} />
-
-  <h3 class="has-top-margin-l is-label">
-    API read secret version
-  </h3>
-  <p class="helper-text has-text-grey has-bottom-padding-s">
-    This command obtains data and metadata for the latest version of this secret. In this example, Vault is located at
-    https://127.0.0.1:8200. For other API commands,
-    <DocLink @path="/vault/api-docs/secret/kv/kv-v2">
-      learn more.
-    </DocLink>
-  </p>
-  <CodeSnippet data-test-commands="api" @clipboardCode={{this.commands.apiCopy}} @codeBlock={{this.commands.apiDisplay}} />
-</div>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package pluginutil
+
+import (
+	"context"
+	"crypto/sha256"
+	"crypto/tls"
+	"fmt"
+	"os"
+	"os/exec"
+	"strconv"
+	"strings"
+
+	log "github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/go-plugin"
+	"github.com/hashicorp/go-secure-stdlib/plugincontainer"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/helper/pluginruntimeutil"
+)
+
+const (
+	// Labels for plugin container ownership
+	labelVaultPID           = "com.hashicorp.vault.pid"
+	labelVaultClusterID     = "com.hashicorp.vault.cluster.id"
+	labelVaultPluginName    = "com.hashicorp.vault.plugin.name"
+	labelVaultPluginVersion = "com.hashicorp.vault.plugin.version"
+	labelVaultPluginType    = "com.hashicorp.vault.plugin.type"
+)
+
+type PluginClientConfig struct {
+	Name            string
+	PluginType      consts.PluginType
+	Version         string
+	PluginSets      map[int]plugin.PluginSet
+	HandshakeConfig plugin.HandshakeConfig
+	Logger          log.Logger
+	IsMetadataMode  bool
+	AutoMTLS        bool
+	MLock           bool
+	Wrapper         RunnerUtil
+}
+
+type runConfig struct {
+	// Provided by PluginRunner
+	command  string
+	image    string
+	imageTag string
+	args     []string
+	sha256   []byte
+
+	// Initialized with what's in PluginRunner.Env, but can be added to
+	env []string
+
+	runtimeConfig *pluginruntimeutil.PluginRuntimeConfig
+
+	PluginClientConfig
+}
+
+func (rc runConfig) mlockEnabled() bool {
+	return rc.MLock || (rc.Wrapper != nil && rc.Wrapper.MlockEnabled())
+}
+
+func (rc runConfig) generateCmd(ctx context.Context) (cmd *exec.Cmd, clientTLSConfig *tls.Config, err error) {
+	cmd = exec.Command(rc.command, rc.args...)
+	cmd.Env = append(cmd.Env, rc.env...)
+
+	// Add the mlock setting to the ENV of the plugin
+	if rc.mlockEnabled() {
+		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", PluginMlockEnabled, "true"))
+	}
+	version, err := rc.Wrapper.VaultVersion(ctx)
+	if err != nil {
+		return nil, nil, err
+	}
+	cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", PluginVaultVersionEnv, version))
+
+	if rc.IsMetadataMode {
+		rc.Logger = rc.Logger.With("metadata", "true")
+	}
+	metadataEnv := fmt.Sprintf("%s=%t", PluginMetadataModeEnv, rc.IsMetadataMode)
+	cmd.Env = append(cmd.Env, metadataEnv)
+
+	automtlsEnv := fmt.Sprintf("%s=%t", PluginAutoMTLSEnv, rc.AutoMTLS)
+	cmd.Env = append(cmd.Env, automtlsEnv)
+
+	if !rc.AutoMTLS && !rc.IsMetadataMode {
+		// Get a CA TLS Certificate
+		certBytes, key, err := generateCert()
+		if err != nil {
+			return nil, nil, err
+		}
+
+		// Use CA to sign a client cert and return a configured TLS config
+		clientTLSConfig, err = createClientTLSConfig(certBytes, key)
+		if err != nil {
+			return nil, nil, err
+		}
+
+		// Use CA to sign a server cert and wrap the values in a response wrapped
+		// token.
+		wrapToken, err := wrapServerConfig(ctx, rc.Wrapper, certBytes, key)
+		if err != nil {
+			return nil, nil, err
+		}
+
+		// Add the response wrap token to the ENV of the plugin
+		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", PluginUnwrapTokenEnv, wrapToken))
+	}
+
+	return cmd, clientTLSConfig, nil
+}
+
+func (rc runConfig) makeConfig(ctx context.Context) (*plugin.ClientConfig, error) {
+	cmd, clientTLSConfig, err := rc.generateCmd(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	clientConfig := &plugin.ClientConfig{
+		HandshakeConfig:  rc.HandshakeConfig,
+		VersionedPlugins: rc.PluginSets,
+		TLSConfig:        clientTLSConfig,
+		Logger:           rc.Logger,
+		AllowedProtocols: []plugin.Protocol{
+			plugin.ProtocolNetRPC,
+			plugin.ProtocolGRPC,
+		},
+		AutoMTLS: rc.AutoMTLS,
+	}
+	if rc.image == "" {
+		clientConfig.Cmd = cmd
+		clientConfig.SecureConfig = &plugin.SecureConfig{
+			Checksum: rc.sha256,
+			Hash:     sha256.New(),
+		}
+	} else {
+		containerCfg, err := rc.containerConfig(ctx, cmd.Env)
+		if err != nil {
+			return nil, err
+		}
+		clientConfig.SkipHostEnv = true
+		clientConfig.RunnerFunc = containerCfg.NewContainerRunner
+		clientConfig.UnixSocketConfig = &plugin.UnixSocketConfig{
+			Group:   strconv.Itoa(containerCfg.GroupAdd),
+			TempDir: os.Getenv("VAULT_PLUGIN_TMPDIR"),
+		}
+		clientConfig.GRPCBrokerMultiplex = true
+	}
+	return clientConfig, nil
+}
+
+func (rc runConfig) containerConfig(ctx context.Context, env []string) (*plugincontainer.Config, error) {
+	clusterID, err := rc.Wrapper.ClusterID(ctx)
+	if err != nil {
+		return nil, err
+	}
+	cfg := &plugincontainer.Config{
+		Image:  rc.image,
+		Tag:    rc.imageTag,
+		SHA256: fmt.Sprintf("%x", rc.sha256),
+
+		Env:        env,
+		GroupAdd:   os.Getegid(),
+		Runtime:    consts.DefaultContainerPluginOCIRuntime,
+		CapIPCLock: rc.mlockEnabled(),
+		Labels: map[string]string{
+			labelVaultPID:           strconv.Itoa(os.Getpid()),
+			labelVaultClusterID:     clusterID,
+			labelVaultPluginName:    rc.PluginClientConfig.Name,
+			labelVaultPluginType:    rc.PluginClientConfig.PluginType.String(),
+			labelVaultPluginVersion: rc.PluginClientConfig.Version,
+		},
+	}
+
+	// Use rc.command and rc.args directly instead of cmd.Path and cmd.Args, as
+	// exec.Command may mutate the provided command.
+	if rc.command != "" {
+		cfg.Entrypoint = []string{rc.command}
+	}
+	if len(rc.args) > 0 {
+		cfg.Args = rc.args
+	}
+	if rc.runtimeConfig != nil {
+		cfg.CgroupParent = rc.runtimeConfig.CgroupParent
+		cfg.NanoCpus = rc.runtimeConfig.CPU
+		cfg.Memory = rc.runtimeConfig.Memory
+		if rc.runtimeConfig.OCIRuntime != "" {
+			cfg.Runtime = rc.runtimeConfig.OCIRuntime
+		}
+		if rc.runtimeConfig.Rootless {
+			cfg.Rootless = true
+		}
+	}
+
+	return cfg, nil
+}
+
+func (rc runConfig) run(ctx context.Context) (*plugin.Client, error) {
+	clientConfig, err := rc.makeConfig(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	client := plugin.NewClient(clientConfig)
+	return client, nil
+}
+
+type RunOpt func(*runConfig)
+
+func Env(env ...string) RunOpt {
+	return func(rc *runConfig) {
+		rc.env = append(rc.env, env...)
+	}
+}
+
+func Runner(wrapper RunnerUtil) RunOpt {
+	return func(rc *runConfig) {
+		rc.Wrapper = wrapper
+	}
+}
+
+func PluginSets(pluginSets map[int]plugin.PluginSet) RunOpt {
+	return func(rc *runConfig) {
+		rc.PluginSets = pluginSets
+	}
+}
+
+func HandshakeConfig(hs plugin.HandshakeConfig) RunOpt {
+	return func(rc *runConfig) {
+		rc.HandshakeConfig = hs
+	}
+}
+
+func Logger(logger log.Logger) RunOpt {
+	return func(rc *runConfig) {
+		rc.Logger = logger
+	}
+}
+
+func MetadataMode(isMetadataMode bool) RunOpt {
+	return func(rc *runConfig) {
+		rc.IsMetadataMode = isMetadataMode
+	}
+}
+
+func AutoMTLS(autoMTLS bool) RunOpt {
+	return func(rc *runConfig) {
+		rc.AutoMTLS = autoMTLS
+	}
+}
+
+func MLock(mlock bool) RunOpt {
+	return func(rc *runConfig) {
+		rc.MLock = mlock
+	}
+}
+
+func (r *PluginRunner) RunConfig(ctx context.Context, opts ...RunOpt) (*plugin.Client, error) {
+	var image, imageTag string
+	if r.OCIImage != "" {
+		image = r.OCIImage
+		imageTag = strings.TrimPrefix(r.Version, "v")
+	}
+	rc := runConfig{
+		command:       r.Command,
+		image:         image,
+		imageTag:      imageTag,
+		args:          r.Args,
+		sha256:        r.Sha256,
+		env:           r.Env,
+		runtimeConfig: r.RuntimeConfig,
+		PluginClientConfig: PluginClientConfig{
+			Name:       r.Name,
+			PluginType: r.Type,
+			Version:    r.Version,
+		},
+	}
+
+	for _, opt := range opts {
+		opt(&rc)
+	}
+
+	return rc.run(ctx)
+}
diff --git a/ui/lib/kv/addon/components/page/secrets/create.hbs b/ui/lib/kv/addon/components/page/secrets/create.hbs
index 326ecab52f9a..408602998df5 100644
--- a/ui/lib/kv/addon/components/page/secrets/create.hbs
+++ b/ui/lib/kv/addon/components/page/secrets/create.hbs
@@ -1,68 +1,151 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<KvPageHeader @breadcrumbs={{@breadcrumbs}} @pageTitle="Create Secret">
-  <:toolbarFilters>
-    <Toggle @name="json" @checked={{this.showJsonView}} @onChange={{fn (mut this.showJsonView)}}>
-      <span class="has-text-grey">JSON</span>
-    </Toggle>
-  </:toolbarFilters>
-</KvPageHeader>
-
-<form {{on "submit" (perform this.save)}}>
-  <div class="box is-sideless is-fullwidth is-bottomless">
-    <NamespaceReminder @mode="create" @noun="secret" />
-    <MessageError @errorMessage={{this.errorMessage}} />
-
-    <KvDataFields
-      @showJson={{this.showJsonView}}
-      @secret={{@secret}}
-      @modelValidations={{this.modelValidations}}
-      @pathValidations={{this.pathValidations}}
-    />
-
-    <ToggleButton
-      @isOpen={{this.showMetadata}}
-      @openLabel="Hide secret metadata"
-      @closedLabel="Show secret metadata"
-      @onClick={{fn (mut this.showMetadata)}}
-      class="is-block"
-      data-test-metadata-toggle
-    />
-    {{#if this.showMetadata}}
-      <div class="box has-container" data-test-metadata-section>
-        <KvMetadataFields @metadata={{@metadata}} @modelValidations={{this.modelValidations}} />
-      </div>
-    {{/if}}
-  </div>
-  <div class="box is-fullwidth is-bottomless">
-    <div class="control">
-      <Hds::Button
-        @text="Save"
-        @icon={{if this.save.isRunning "loading"}}
-        type="submit"
-        disabled={{this.save.isRunning}}
-        data-test-kv-save
-      />
-      <Hds::Button
-        @text="Cancel"
-        @color="secondary"
-        class="has-left-margin-s"
-        disabled={{this.save.isRunning}}
-        {{on "click" this.onCancel}}
-        data-test-kv-cancel
-      />
-    </div>
-    {{#if this.invalidFormAlert}}
-      <AlertInline
-        data-test-invalid-form-alert
-        class="has-top-padding-s"
-        @type="danger"
-        @message={{this.invalidFormAlert}}
-        @mimicRefresh={{true}}
-      />
-    {{/if}}
-  </div>
-</form>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package ctmanager
+
+import (
+	"fmt"
+	"io"
+	"strings"
+
+	ctconfig "github.com/hashicorp/consul-template/config"
+	ctlogging "github.com/hashicorp/consul-template/logging"
+	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/vault/command/agent/config"
+	"github.com/hashicorp/vault/sdk/helper/pointerutil"
+)
+
+type ManagerConfig struct {
+	AgentConfig *config.Config
+	Namespace   string
+	LogLevel    hclog.Level
+	LogWriter   io.Writer
+}
+
+// NewConfig returns a consul-template runner configuration, setting the
+// Vault and Consul configurations based on the clients configs.
+func NewConfig(mc ManagerConfig, templates ctconfig.TemplateConfigs) (*ctconfig.Config, error) {
+	conf := ctconfig.DefaultConfig()
+	conf.Templates = templates.Copy()
+
+	// Setup the Vault config
+	// Always set these to ensure nothing is picked up from the environment
+	conf.Vault.RenewToken = pointerutil.BoolPtr(false)
+	conf.Vault.Token = pointerutil.StringPtr("")
+	conf.Vault.Address = &mc.AgentConfig.Vault.Address
+
+	if mc.Namespace != "" {
+		conf.Vault.Namespace = &mc.Namespace
+	}
+
+	if mc.AgentConfig.TemplateConfig != nil && mc.AgentConfig.TemplateConfig.StaticSecretRenderInt != 0 {
+		conf.Vault.DefaultLeaseDuration = &mc.AgentConfig.TemplateConfig.StaticSecretRenderInt
+	}
+
+	if mc.AgentConfig.DisableIdleConnsTemplating {
+		idleConns := -1
+		conf.Vault.Transport.MaxIdleConns = &idleConns
+	}
+
+	if mc.AgentConfig.DisableKeepAlivesTemplating {
+		conf.Vault.Transport.DisableKeepAlives = pointerutil.BoolPtr(true)
+	}
+
+	conf.Vault.SSL = &ctconfig.SSLConfig{
+		Enabled:    pointerutil.BoolPtr(false),
+		Verify:     pointerutil.BoolPtr(false),
+		Cert:       pointerutil.StringPtr(""),
+		Key:        pointerutil.StringPtr(""),
+		CaCert:     pointerutil.StringPtr(""),
+		CaPath:     pointerutil.StringPtr(""),
+		ServerName: pointerutil.StringPtr(""),
+	}
+
+	// If Vault.Retry isn't specified, use the default of 12 retries.
+	// This retry value will be respected regardless of if we use the cache.
+	attempts := ctconfig.DefaultRetryAttempts
+	if mc.AgentConfig.Vault != nil && mc.AgentConfig.Vault.Retry != nil {
+		attempts = mc.AgentConfig.Vault.Retry.NumRetries
+	}
+
+	// Use the cache if available or fallback to the Vault server values.
+	if mc.AgentConfig.Cache != nil {
+		if mc.AgentConfig.Cache.InProcDialer == nil {
+			return nil, fmt.Errorf("missing in-process dialer configuration")
+		}
+		if conf.Vault.Transport == nil {
+			conf.Vault.Transport = &ctconfig.TransportConfig{}
+		}
+		conf.Vault.Transport.CustomDialer = mc.AgentConfig.Cache.InProcDialer
+		// The in-process dialer ignores the address passed in, but we're still
+		// setting it here to override the setting at the top of this function,
+		// and to prevent the vault/http client from defaulting to https.
+		conf.Vault.Address = pointerutil.StringPtr("http://127.0.0.1:8200")
+	} else if strings.HasPrefix(mc.AgentConfig.Vault.Address, "https") || mc.AgentConfig.Vault.CACert != "" {
+		skipVerify := mc.AgentConfig.Vault.TLSSkipVerify
+		verify := !skipVerify
+		conf.Vault.SSL = &ctconfig.SSLConfig{
+			Enabled:    pointerutil.BoolPtr(true),
+			Verify:     &verify,
+			Cert:       &mc.AgentConfig.Vault.ClientCert,
+			Key:        &mc.AgentConfig.Vault.ClientKey,
+			CaCert:     &mc.AgentConfig.Vault.CACert,
+			CaPath:     &mc.AgentConfig.Vault.CAPath,
+			ServerName: &mc.AgentConfig.Vault.TLSServerName,
+		}
+	}
+	enabled := attempts > 0
+	conf.Vault.Retry = &ctconfig.RetryConfig{
+		Attempts: &attempts,
+		Enabled:  &enabled,
+	}
+
+	// Sync Consul Template's retry with user set auto-auth initial backoff value.
+	// This is helpful if Auto Auth cannot get a new token and CT is trying to fetch
+	// secrets.
+	if mc.AgentConfig.AutoAuth != nil && mc.AgentConfig.AutoAuth.Method != nil {
+		if mc.AgentConfig.AutoAuth.Method.MinBackoff > 0 {
+			conf.Vault.Retry.Backoff = &mc.AgentConfig.AutoAuth.Method.MinBackoff
+		}
+
+		if mc.AgentConfig.AutoAuth.Method.MaxBackoff > 0 {
+			conf.Vault.Retry.MaxBackoff = &mc.AgentConfig.AutoAuth.Method.MaxBackoff
+		}
+	}
+
+	conf.Finalize()
+
+	// setup log level from TemplateServer config
+	conf.LogLevel = logLevelToStringPtr(mc.LogLevel)
+
+	if err := ctlogging.Setup(&ctlogging.Config{
+		Level:  *conf.LogLevel,
+		Writer: mc.LogWriter,
+	}); err != nil {
+		return nil, err
+	}
+	return conf, nil
+}
+
+// logLevelToString converts a go-hclog level to a matching, uppercase string
+// value. It's used to convert Vault Agent's hclog level to a string version
+// suitable for use in Consul Template's runner configuration input.
+func logLevelToStringPtr(level hclog.Level) *string {
+	// consul template's default level is WARN, but Vault Agent's default is INFO,
+	// so we use that for the Runner's default.
+	var levelStr string
+
+	switch level {
+	case hclog.Trace:
+		levelStr = "TRACE"
+	case hclog.Debug:
+		levelStr = "DEBUG"
+	case hclog.Warn:
+		levelStr = "WARN"
+	case hclog.Error:
+		levelStr = "ERR"
+	default:
+		levelStr = "INFO"
+	}
+	return pointerutil.StringPtr(levelStr)
+}
diff --git a/ui/lib/ldap/addon/components/page/configure.hbs b/ui/lib/ldap/addon/components/page/configure.hbs
index b0b1bec2fef9..7107d737f2c5 100644
--- a/ui/lib/ldap/addon/components/page/configure.hbs
+++ b/ui/lib/ldap/addon/components/page/configure.hbs
@@ -1,110 +1,32 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<PageHeader as |p|>
-  <p.top>
-    <Page::Breadcrumbs @breadcrumbs={{@breadcrumbs}} />
-  </p.top>
-  <p.levelLeft>
-    <h1 class="title is-3">Configure LDAP</h1>
-  </p.levelLeft>
-</PageHeader>
-
-<hr class="is-marginless has-background-gray-200" />
-
-<form class="has-top-margin-l" {{on "submit" (perform this.save)}}>
-  <Hds::Form::RadioCard::Group @name="schema options" as |RadioGroup|>
-    {{#each this.schemaOptions as |option|}}
-      <RadioGroup.RadioCard
-        @checked={{eq option.value @model.schema}}
-        {{on "change" (fn (mut @model.schema) option.value)}}
-        data-test-radio-card={{option.title}}
-        as |Card|
-      >
-        <Card.Icon @name={{option.icon}} />
-        <Card.Label>{{option.title}}</Card.Label>
-        <Card.Description>{{option.description}}</Card.Description>
-      </RadioGroup.RadioCard>
-    {{/each}}
-  </Hds::Form::RadioCard::Group>
-
-  <div class="has-top-margin-xl">
-    <MessageError @errorMessage={{this.error}} />
-
-    <h2 class="title is-4">Schema Options</h2>
-    <hr class="has-background-gray-200" />
-
-    {{#if @model.schema}}
-      <div class="has-top-margin-l">
-        <FormFieldGroups @model={{@model}} @groupName="formFieldGroups" @modelValidations={{this.modelValidations}} />
-      </div>
-    {{else}}
-      <EmptyState
-        class="is-shadowless has-top-margin-l"
-        @title="Choose an option"
-        @message="Pick an option above to see available configuration options"
-      />
-    {{/if}}
-  </div>
-
-  <hr class="has-background-gray-200 has-top-margin-l" />
-
-  <div class="has-top-margin-l has-bottom-margin-l is-flex">
-    <Hds::Button
-      @text="Save"
-      data-test-config-save
-      type="submit"
-      disabled={{or this.save.isRunning (not @model.schema)}}
-      {{on "click" (perform this.save)}}
-    />
-    <Hds::Button
-      @text="Back"
-      @color="secondary"
-      class="has-left-margin-xs"
-      data-test-config-cancel
-      disabled={{or this.save.isRunning this.fetchInferred.isRunning}}
-      {{on "click" this.cancel}}
-    />
-    {{#if this.invalidFormMessage}}
-      <AlertInline
-        @type="danger"
-        @paddingTop={{true}}
-        @message={{this.invalidFormMessage}}
-        @mimicRefresh={{true}}
-        data-test-invalid-form-message
-      />
-    {{/if}}
-  </div>
-</form>
-
-{{#if this.showRotatePrompt}}
-  <Hds::Modal id="ldap-rotate-password-modal" @onClose={{fn (mut this.showRotatePrompt) false}} as |M|>
-    <M.Header @icon="info">
-      Rotate your root password?
-    </M.Header>
-    <M.Body>
-      <p>
-        It’s best practice to rotate the administrator (root) password immediately after the initial configuration of the
-        LDAP engine. The rotation will update the password both in Vault and your directory server. Once rotated,
-        <span class="has-text-weight-semibold">only Vault knows the new root password.</span>
-      </p>
-      <br />
-      <p>
-        Would you like to rotate your new credentials? You can also do this later.
-      </p>
-    </M.Body>
-    <M.Footer>
-      <Hds::ButtonSet>
-        <Hds::Button data-test-save-with-rotate @text="Save and rotate" {{on "click" (fn (perform this.save) null true)}} />
-        <Hds::Button
-          data-test-save-without-rotate
-          @text="Save without rotating"
-          @color="secondary"
-          {{on "click" (fn (perform this.save) null false)}}
-        />
-      </Hds::ButtonSet>
-    </M.Footer>
-  </Hds::Modal>
-{{/if}}
\ No newline at end of file
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { ensureTrailingSlash, getRelativePath, sanitizePath } from 'core/utils/sanitize-path';
+
+module('Unit | Utility | sanitize-path', function () {
+  test('it removes spaces and slashes from either side', function (assert) {
+    assert.strictEqual(
+      sanitizePath(' /foo/bar/baz/ '),
+      'foo/bar/baz',
+      'removes spaces and slashes on either side'
+    );
+    assert.strictEqual(sanitizePath('//foo/bar/baz/'), 'foo/bar/baz', 'removes more than one slash');
+    assert.strictEqual(sanitizePath(undefined), '', 'handles falsey values');
+  });
+
+  test('#ensureTrailingSlash', function (assert) {
+    assert.strictEqual(ensureTrailingSlash('foo/bar'), 'foo/bar/', 'adds trailing slash');
+    assert.strictEqual(ensureTrailingSlash('baz/'), 'baz/', 'keeps trailing slash if there is one');
+  });
+
+  test('#getRelativePath', function (assert) {
+    assert.strictEqual(getRelativePath('/', undefined), '', 'works with minimal inputs');
+    assert.strictEqual(getRelativePath('/baz/bar/', undefined), 'baz/bar', 'sanitizes the output');
+    assert.strictEqual(getRelativePath('recipes/cookies/choc-chip/', 'recipes/'), 'cookies/choc-chip');
+    assert.strictEqual(getRelativePath('/recipes/cookies/choc-chip/', 'recipes/cookies'), 'choc-chip');
+    assert.strictEqual(getRelativePath('/admin/bop/boop/admin_foo/baz/', 'admin'), 'bop/boop/admin_foo/baz');
+  });
+});
diff --git a/ui/lib/ldap/addon/components/page/library/create-and-edit.hbs b/ui/lib/ldap/addon/components/page/library/create-and-edit.hbs
index 8535400cf7ba..27a0db30e1c6 100644
--- a/ui/lib/ldap/addon/components/page/library/create-and-edit.hbs
+++ b/ui/lib/ldap/addon/components/page/library/create-and-edit.hbs
@@ -1,53 +1,6 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
 
-<PageHeader as |p|>
-  <p.top>
-    <Page::Breadcrumbs @breadcrumbs={{@breadcrumbs}} />
-  </p.top>
-  <p.levelLeft>
-    <h1 class="title is-3">
-      {{if @model.isNew "Create Library" "Edit Library"}}
-    </h1>
-  </p.levelLeft>
-</PageHeader>
-
-<hr class="is-marginless has-background-gray-200" />
-
-<form {{on "submit" (perform this.save)}} class="has-top-margin-m">
-  <MessageError @errorMessage={{this.error}} />
-
-  {{#each @model.formFields as |field|}}
-    <FormField @attr={{field}} @model={{@model}} @modelValidations={{this.modelValidations}} />
-  {{/each}}
-
-  <hr class="has-background-gray-200 has-top-margin-l" />
-
-  <div class="has-top-margin-l has-bottom-margin-l is-flex">
-    <Hds::Button
-      @text={{if @model.isNew "Create library" "Save"}}
-      data-test-save
-      type="submit"
-      disabled={{this.save.isRunning}}
-    />
-    <Hds::Button
-      @text="Cancel"
-      @color="secondary"
-      class="has-left-margin-xs"
-      data-test-cancel
-      disabled={{this.save.isRunning}}
-      {{on "click" this.cancel}}
-    />
-    {{#if this.invalidFormMessage}}
-      <AlertInline
-        @type="danger"
-        @paddingTop={{true}}
-        @message={{this.invalidFormMessage}}
-        @mimicRefresh={{true}}
-        data-test-invalid-form-message
-      />
-    {{/if}}
-  </div>
-</form>
\ No newline at end of file
+export { ensureTrailingSlash, sanitizePath, getRelativePath } from 'core/utils/sanitize-path';
diff --git a/ui/lib/ldap/addon/components/page/role/create-and-edit.hbs b/ui/lib/ldap/addon/components/page/role/create-and-edit.hbs
index 8c5b3e54bfb6..40d960de3a25 100644
--- a/ui/lib/ldap/addon/components/page/role/create-and-edit.hbs
+++ b/ui/lib/ldap/addon/components/page/role/create-and-edit.hbs
@@ -1,77 +1,208 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<PageHeader as |p|>
-  <p.top>
-    <Page::Breadcrumbs @breadcrumbs={{@breadcrumbs}} />
-  </p.top>
-  <p.levelLeft>
-    <h1 class="title is-3">
-      {{if @model.isNew "Create Role" "Edit Role"}}
-    </h1>
-  </p.levelLeft>
-</PageHeader>
-
-<hr class="is-marginless has-background-gray-200" />
-
-<form {{on "submit" (perform this.save)}} class="has-top-margin-m">
-  <MessageError @errorMessage={{this.error}} />
-
-  <label class="is-label">
-    Role type
-  </label>
-  <Hds::Form::RadioCard::Group @name="role type options" class="has-bottom-margin-m" as |RadioGroup|>
-    {{#each this.roleTypeOptions as |option|}}
-      <RadioGroup.RadioCard
-        @checked={{eq option.value @model.type}}
-        @disabled={{not @model.isNew}}
-        {{on "change" (fn (mut @model.type) option.value)}}
-        data-test-radio-card={{option.value}}
-        as |Card|
-      >
-        <Card.Icon @name={{option.icon}} />
-        <Card.Label>{{option.title}}</Card.Label>
-        <Card.Description>{{option.description}}</Card.Description>
-      </RadioGroup.RadioCard>
-    {{/each}}
-  </Hds::Form::RadioCard::Group>
-
-  {{#each @model.formFields as |field|}}
-    {{! display section heading ahead of ldif fields }}
-    {{#if field.options.sectionHeading}}
-      <hr class="has-background-gray-200" />
-      <h2 class="title is-4 has-top-margin-xl">{{field.options.sectionHeading}}</h2>
-    {{/if}}
-    <FormField @attr={{field}} @model={{@model}} @modelValidations={{this.modelValidations}} />
-  {{/each}}
-
-  <hr class="has-background-gray-200 has-top-margin-l" />
-
-  <div class="has-top-margin-l has-bottom-margin-l is-flex">
-    <Hds::Button
-      @text={{if @model.isNew "Create role" "Save"}}
-      data-test-save
-      type="submit"
-      disabled={{this.save.isRunning}}
-    />
-    <Hds::Button
-      @text="Cancel"
-      @color="secondary"
-      class="has-left-margin-xs"
-      data-test-cancel
-      disabled={{this.save.isRunning}}
-      {{on "click" this.cancel}}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'ember-qunit';
+import { render, fillIn, click, findAll } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { SELECTORS, OIDC_BASE_URL, overrideCapabilities } from 'vault/tests/helpers/oidc-config';
+
+module('Integration | Component | oidc/scope-form', function (hooks) {
+  setupRenderingTest(hooks);
+  setupMirage(hooks);
+
+  hooks.beforeEach(function () {
+    this.store = this.owner.lookup('service:store');
+  });
+
+  test('it should save new scope', async function (assert) {
+    assert.expect(9);
+
+    this.server.post('/identity/oidc/scope/test', (schema, req) => {
+      assert.ok(true, 'Request made to save scope');
+      return JSON.parse(req.requestBody);
+    });
+
+    this.model = this.store.createRecord('oidc/scope');
+    this.onSave = () => assert.ok(true, 'onSave callback fires on save success');
+
+    await render(hbs`
+      <Oidc::ScopeForm
+        @model={{this.model}}
+        @onCancel={{this.onCancel}}
+        @onSave={{this.onSave}}
+      />
+    `);
+
+    assert.dom('[data-test-oidc-scope-title]').hasText('Create Scope', 'Form title renders');
+    assert.dom(SELECTORS.scopeSaveButton).hasText('Create', 'Save button has correct label');
+    await click(SELECTORS.scopeSaveButton);
+
+    // check validation errors
+    await click(SELECTORS.scopeSaveButton);
+
+    const validationErrors = findAll(SELECTORS.inlineAlert);
+    assert.dom(validationErrors[0]).hasText('Name is required.', 'Validation messages are shown for name');
+    assert.dom(validationErrors[1]).hasText('There is an error with this form.', 'Renders form error count');
+
+    assert
+      .dom('[data-test-inline-error-message]')
+      .hasText('Name is required.', 'Validation message is shown for name');
+    // json editor has test coverage so let's just confirm that it renders
+    assert
+      .dom('[data-test-input="template"] [data-test-component="json-editor-toolbar"]')
+      .exists('JsonEditor toolbar renders');
+    assert
+      .dom('[data-test-input="template"] [data-test-component="code-mirror-modifier"]')
+      .exists('Code mirror renders');
+
+    await fillIn('[data-test-input="name"]', 'test');
+    await fillIn('[data-test-input="description"]', 'this is a test');
+    await click(SELECTORS.scopeSaveButton);
+  });
+
+  test('it should update scope', async function (assert) {
+    assert.expect(9);
+
+    this.server.post('/identity/oidc/scope/test', (schema, req) => {
+      assert.ok(true, 'Request made to save scope');
+      return JSON.parse(req.requestBody);
+    });
+
+    this.store.pushPayload('oidc/scope', {
+      modelName: 'oidc/scope',
+      name: 'test',
+      description: 'this is a test',
+    });
+    this.model = this.store.peekRecord('oidc/scope', 'test');
+    this.onSave = () => assert.ok(true, 'onSave callback fires on save success');
+
+    await render(hbs`
+      <Oidc::ScopeForm
+        @model={{this.model}}
+        @onCancel={{this.onCancel}}
+        @onSave={{this.onSave}}
+      />
+    `);
+
+    assert.dom('[data-test-oidc-scope-title]').hasText('Edit Scope', 'Form title renders');
+    assert.dom(SELECTORS.scopeSaveButton).hasText('Update', 'Save button has correct label');
+    assert.dom('[data-test-input="name"]').isDisabled('Name input is disabled when editing');
+    assert.dom('[data-test-input="name"]').hasValue('test', 'Name input is populated with model value');
+    assert
+      .dom('[data-test-input="description"]')
+      .hasValue('this is a test', 'Description input is populated with model value');
+    // json editor has test coverage so let's just confirm that it renders
+    assert
+      .dom('[data-test-input="template"] [data-test-component="json-editor-toolbar"]')
+      .exists('JsonEditor toolbar renders');
+    assert
+      .dom('[data-test-input="template"] [data-test-component="code-mirror-modifier"]')
+      .exists('Code mirror renders');
+
+    await fillIn('[data-test-input="description"]', 'this is an edit test');
+    await click(SELECTORS.scopeSaveButton);
+  });
+
+  test('it should rollback attributes or unload record on cancel', async function (assert) {
+    assert.expect(4);
+
+    this.onCancel = () => assert.ok(true, 'onCancel callback fires');
+
+    this.model = this.store.createRecord('oidc/scope');
+
+    await render(hbs`
+      <Oidc::ScopeForm
+        @model={{this.model}}
+        @onCancel={{this.onCancel}}
+        @onSave={{this.onSave}}
+      />
+    `);
+
+    await click(SELECTORS.scopeCancelButton);
+    assert.true(this.model.isDestroyed, 'New model is unloaded on cancel');
+
+    this.store.pushPayload('oidc/scope', {
+      modelName: 'oidc/scope',
+      name: 'test',
+      description: 'this is a test',
+    });
+    this.model = this.store.peekRecord('oidc/scope', 'test');
+
+    await render(hbs`
+    <Oidc::ScopeForm
+      @model={{this.model}}
+      @onCancel={{this.onCancel}}
+      @onSave={{this.onSave}}
     />
-    {{#if this.invalidFormMessage}}
-      <AlertInline
-        @type="danger"
-        @paddingTop={{true}}
-        @message={{this.invalidFormMessage}}
-        @mimicRefresh={{true}}
-        data-test-invalid-form-message
+      `);
+
+    await fillIn('[data-test-input="description"]', 'changed description attribute');
+    await click(SELECTORS.scopeCancelButton);
+    assert.strictEqual(
+      this.model.description,
+      'this is a test',
+      'Model attributes are rolled back on cancel'
+    );
+  });
+
+  test('it should show example template modal', async function (assert) {
+    assert.expect(5);
+    const MODAL = (e) => `[data-test-scope-modal="${e}"]`;
+    this.model = this.store.createRecord('oidc/scope');
+
+    // formatting here is purposeful so that it matches formatting in the template modal
+    const exampleTemplate = `{
+  "username": {{identity.entity.aliases.$MOUNT_ACCESSOR.name}},
+  "contact": {
+    "email": {{identity.entity.metadata.email}},
+    "phone_number": {{identity.entity.metadata.phone_number}}
+  },
+  "groups": {{identity.entity.groups.names}}
+}`;
+
+    await render(hbs`
+      <Oidc::ScopeForm
+        @model={{this.model}}
+        @onCancel={{this.onCancel}}
+        @onSave={{this.onSave}}
+      />
+    `);
+
+    await click('[data-test-oidc-scope-example]');
+    assert.dom(MODAL('title')).hasText('Scope template', 'Modal title renders');
+    assert.dom(MODAL('text')).hasText('Example of a JSON template for scopes:', 'Modal text renders');
+    assert
+      .dom('#scope-template-modal [data-test-copy-button]')
+      .hasAttribute(
+        'data-test-copy-button',
+        exampleTemplate,
+        'Modal copy button copies the example template'
+      );
+    assert.dom('.cm-string').hasText('"username"', 'Example template json renders');
+    await click('[data-test-close-modal]');
+    assert.dom('.hds#scope-template-modal').doesNotExist('Modal is hidden');
+  });
+
+  test('it should render error alerts when API returns an error', async function (assert) {
+    assert.expect(2);
+    this.model = this.store.createRecord('oidc/scope');
+    this.server.post('/sys/capabilities-self', () => overrideCapabilities(OIDC_BASE_URL + '/scopes'));
+    await render(hbs`
+      <Oidc::ScopeForm
+        @model={{this.model}}
+        @onCancel={{this.onCancel}}
+        @onSave={{this.onSave}}
       />
-    {{/if}}
-  </div>
-</form>
\ No newline at end of file
+    `);
+    await fillIn('[data-test-input="name"]', 'test-scope');
+    await click(SELECTORS.scopeSaveButton);
+    assert
+      .dom(SELECTORS.inlineAlert)
+      .hasText('There was an error submitting this form.', 'form error alert renders ');
+    assert.dom('[data-test-message-error]').exists('alert banner renders');
+  });
+});
diff --git a/ui/lib/pki/addon/components/page/pki-configuration-edit.hbs b/ui/lib/pki/addon/components/page/pki-configuration-edit.hbs
index 713f9c46ffbe..f6e3667982a8 100644
--- a/ui/lib/pki/addon/components/page/pki-configuration-edit.hbs
+++ b/ui/lib/pki/addon/components/page/pki-configuration-edit.hbs
@@ -3,155 +3,100 @@
   SPDX-License-Identifier: BUSL-1.1
 ~}}
 
-<div class="box is-sideless is-fullwidth is-marginless">
-  {{#if this.errors}}
-    <Hds::Alert data-test-config-edit-error @type="inline" @color="critical" as |A|>
-      <A.Title>Error</A.Title>
-      <A.Description>
-        <ul class={{if (gt this.errors.length 1) "bullet"}}>
-          {{#each this.errors as |error|}}
-            <li>
-              <code>POST config/{{error.modelName}}</code>:
-              {{error.message}}
-            </li>
-          {{/each}}
-        </ul>
-      </A.Description>
-    </Hds::Alert>
-  {{/if}}
-  <form {{on "submit" (perform this.save)}}>
-    <fieldset class="is-shadowless is-marginless is-borderless is-fullwidth" data-test-cluster-config-edit-section>
-      <h2 class="title is-size-5 has-border-bottom-light page-header">
-        Cluster Config
-      </h2>
-      {{#if @cluster.canSet}}
-        {{#each @cluster.allFields as |attr|}}
-          <FormField @attr={{attr}} @model={{@cluster}} @showHelpText={{false}} />
-        {{/each}}
-      {{else}}
-        <EmptyState
-          class="is-shadowless"
-          @title="You do not have permission to set this mount's the cluster config"
-          @message="Ask your administrator if you think you should have access to:"
-        >
-          <code>POST /{{@backend}}/config/cluster</code>
-        </EmptyState>
-      {{/if}}
-    </fieldset>
-
-    <fieldset class="box is-shadowless is-marginless is-borderless is-fullwidth" data-test-acme-edit-section>
-      <h2 class="title is-size-5 has-border-bottom-light page-header">
-        ACME Config
-      </h2>
-      {{#if @acme.canSet}}
-        {{#each @acme.allFields as |attr|}}
-          <FormField @attr={{attr}} @model={{@acme}} @showHelpText={{false}} @backend={{@backend}} />
-        {{/each}}
-      {{else}}
-        <EmptyState
-          class="is-shadowless"
-          @title="You do not have permission to set this mount's ACME config"
-          @message="Ask your administrator if you think you should have access to:"
-        >
-          <code>POST /{{@backend}}/config/acme</code>
-        </EmptyState>
-      {{/if}}
-    </fieldset>
+<PageHeader as |p|>
+  <p.top>
+    <nav class="breadcrumb" aria-label="breadcrumbs">
+      <ul>
+        <li>
+          <span class="sep">&#x0002f;</span>
+          {{#if @model.isNew}}
+            <LinkTo @route={{"vault.cluster.access.oidc.scopes"}}>
+              Scopes
+            </LinkTo>
+          {{else}}
+            {{! You're editing in this view }}
+            <LinkTo @route={{"vault.cluster.access.oidc.scopes.scope.details"}} @model={{@model.name}}>
+              Details
+            </LinkTo>
+          {{/if}}
+        </li>
+      </ul>
+    </nav>
+  </p.top>
+  <p.levelLeft>
+    <h1 class="title is-3" data-test-oidc-scope-title>
+      {{if @model.isNew "Create" "Edit"}}
+      Scope
+    </h1>
+  </p.levelLeft>
+  <p.levelRight>
+    <Hds::Button
+      @text="How to write JSON template for scopes"
+      @icon="bulb"
+      @color="tertiary"
+      {{on "click" (fn (mut this.showTemplateModal))}}
+      data-test-oidc-scope-example
+    />
+  </p.levelRight>
+</PageHeader>
 
-    <fieldset class="box is-shadowless is-marginless is-borderless is-fullwidth" data-test-urls-edit-section>
-      <h2 class="title is-size-5 has-border-bottom-light page-header">
-        Global URLs
-      </h2>
-      {{#if @urls.canSet}}
-        {{#each @urls.allFields as |attr|}}
-          <FormField @attr={{attr}} @model={{@urls}} @showHelpText={{false}} />
-        {{/each}}
-      {{else}}
-        <EmptyState
-          class="is-shadowless"
-          @title="You do not have permission to set this mount's URLs"
-          @message="Ask your administrator if you think you should have access to:"
-        >
-          <code>POST /{{@backend}}/config/urls</code>
-        </EmptyState>
-      {{/if}}
-    </fieldset>
-
-    <fieldset class="box is-shadowless is-marginless is-borderless is-fullwidth" data-test-crl-edit-section>
-      {{#if @crl.canSet}}
-        {{#each @crl.formFieldGroups as |fieldGroup|}}
-          {{#each-in fieldGroup as |group fields|}}
-            {{#if (or (not-eq group "Unified Revocation") this.isEnterprise)}}
-              <h2 class="title is-size-5 has-border-bottom-light page-header" data-test-crl-header={{group}}>
-                {{group}}
-              </h2>
-            {{/if}}
-            {{#each fields as |attr|}}
-              {{#if (eq attr.options.editType "ttl")}}
-                {{#if (or (includes attr.name (array "expiry" "ocspExpiry")) (not @crl.disable))}}
-                  {{#let (get @crl attr.options.mapToBoolean) as |enabled|}}
-                    {{! 'enabled' is the pki/crl model's boolean attr that corresponds to the duration set by the ttl }}
-                    <div class="field">
-                      <TtlPicker
-                        data-test-input={{attr.name}}
-                        @onChange={{fn this.handleTtl attr}}
-                        @label={{attr.options.label}}
-                        @labelDisabled={{attr.options.labelDisabled}}
-                        @helperTextDisabled={{attr.options.helperTextDisabled}}
-                        @helperTextEnabled={{attr.options.helperTextEnabled}}
-                        @initialEnabled={{if attr.options.isOppositeValue (not enabled) enabled}}
-                        @initialValue={{get @crl attr.name}}
-                      />
-                    </div>
-                  {{/let}}
-                {{/if}}
-              {{else}}
-                {{#if this.isEnterprise}}
-                  <FormField @attr={{attr}} @model={{@crl}} />
-                {{/if}}
-              {{/if}}
-            {{/each}}
-          {{/each-in}}
-        {{/each}}
-      {{else}}
-        <EmptyState
-          @title="You do not have permission to set this mount's revocation configuration"
-          @message="Ask your administrator if you think you should have access to:"
-        >
-          <code>POST /{{@backend}}/config/crl</code>
-        </EmptyState>
-      {{/if}}
-    </fieldset>
+<form {{on "submit" (perform this.save)}}>
+  <div class="box is-sideless is-fullwidth is-marginless">
+    <p class="has-bottom-margin-l">
+      Providers may reference a set of scopes to make specific identity information available as claims
+    </p>
+    <MessageError @errorMessage={{this.errorBanner}} />
+    {{#each @model.formFields as |field|}}
+      <FormField @attr={{field}} @model={{@model}} @modelValidations={{this.modelValidations}} />
+    {{/each}}
+    <p class="is-size-9 has-text-grey has-bottom-margin-l">
+      You can use Alt+Tab (Option+Tab on MacOS) in the code editor to skip to the next field. Click 'How to write JSON
+      template for scopes' to view an example.
+    </p>
+  </div>
+  <div class="has-top-margin-l has-bottom-margin-l">
+    <Hds::Button
+      @text={{if @model.isNew "Create" "Update"}}
+      @icon={{if this.save.isRunning "loading"}}
+      type="submit"
+      disabled={{this.save.isRunning}}
+      data-test-oidc-scope-save
+    />
+    <Hds::Button
+      @text="Cancel"
+      @color="secondary"
+      class="has-left-margin-s"
+      disabled={{this.save.isRunning}}
+      {{on "click" this.cancel}}
+      data-test-oidc-scope-cancel
+    />
+  </div>
+  {{#if this.invalidFormAlert}}
+    <div class="control">
+      <AlertInline @type="danger" class="has-top-padding-s" @message={{this.invalidFormAlert}} />
+    </div>
+  {{/if}}
+</form>
 
-    <hr class="has-background-gray-100" />
-    <Hds::ButtonSet>
-      {{#if (or @urls.canSet @crl.canSet)}}
-        <Hds::Button
-          @text="Save"
-          @icon={{if this.save.isRunning "loading"}}
-          type="submit"
-          disabled={{this.save.isRunning}}
-          data-test-configuration-edit-save
-        />
-      {{/if}}
-      <Hds::Button
-        @text="Cancel"
-        @color="secondary"
-        {{on "click" this.cancel}}
-        disabled={{this.save.isRunning}}
-        data-test-configuration-edit-cancel
-      />
-    </Hds::ButtonSet>
-    {{#if this.invalidFormAlert}}
-      <div class="control">
-        <AlertInline
-          @type="danger"
-          @paddingTop={{true}}
-          @message={{this.invalidFormAlert}}
-          @mimicRefresh={{true}}
-          data-test-configuration-edit-validation-alert
-        />
-      </div>
-    {{/if}}
-  </form>
-</div>
\ No newline at end of file
+{{#if this.showTemplateModal}}
+  <Hds::Modal id="scope-template-modal" @size="large" @onClose={{fn (mut this.showTemplateModal) false}} as |M|>
+    <M.Header data-test-scope-modal="title">
+      Scope template
+    </M.Header>
+    <M.Body>
+      <p data-test-scope-modal="text">
+        Example of a JSON template for scopes:
+      </p>
+      <JsonEditor @value={{this.exampleTemplate}} @mode="ruby" @readOnly={{true}} @container=".hds-modal" />
+      <p class="has-top-margin-m">
+        The full list of template parameters can be found
+        <DocLink @path="/vault/docs/concepts/oidc-provider#scopes">
+          here.
+        </DocLink>
+      </p>
+    </M.Body>
+    <M.Footer as |F|>
+      <Hds::Button @text="Close" {{on "click" F.close}} data-test-close-modal />
+    </M.Footer>
+  </Hds::Modal>
+{{/if}}
\ No newline at end of file
diff --git a/ui/lib/pki/addon/components/page/pki-issuer-edit.hbs b/ui/lib/pki/addon/components/page/pki-issuer-edit.hbs
index 80d682355be4..5d3c41c3dd73 100644
--- a/ui/lib/pki/addon/components/page/pki-issuer-edit.hbs
+++ b/ui/lib/pki/addon/components/page/pki-issuer-edit.hbs
@@ -1,79 +1,961 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<form {{on "submit" (perform this.save)}}>
-  <div class="box is-sideless is-fullwidth is-marginless">
-    <MessageError @errorMessage={{this.error}} />
-    {{#each @model.formFields as |field|}}
-      {{#if (eq field.name "issuingCertificates")}}
-        <div class="has-top-margin-m has-bottom-margin-s">
-          <h2 class="title is-4">
-            Issuer URLs
-          </h2>
-        </div>
-      {{/if}}
-      <FormField @attr={{field}} @model={{@model}}>
-        {{#if (eq field.name "usage")}}
-          {{#each field.options.valueOptions as |option|}}
-            <div class="is-flex-center has-text-grey has-text-weight-bold">
-              <Input
-                data-test-usage={{option.label}}
-                id={{option.value}}
-                @type="checkbox"
-                @checked={{includes option.value this.usageValues}}
-                {{on "change" (fn this.setUsage option.value)}}
-              />
-              <label for={{option.value}} class="has-left-margin-s">{{option.label}}</label>
-            </div>
-          {{/each}}
-        {{else if (eq field.name "leafNotAfterBehavior")}}
-          <div class="control is-expanded">
-            <div class="select is-fullwidth">
-              <select
-                name={{@attr.name}}
-                id={{@attr.name}}
-                {{on "change" (pipe (pick "target.value") (fn (mut @model.leafNotAfterBehavior)))}}
-                onchange={{this.onChangeWithEvent}}
-              >
-                {{#each field.options.valueOptions as |value|}}
-                  <option selected={{eq @model.leafNotAfterBehavior value}} value={{value}}>
-                    {{capitalize (if (eq value "err") "error" value)}}
-                    if the computed NotAfter exceeds that of this issuer
-                  </option>
-                {{/each}}
-              </select>
-            </div>
-          </div>
-        {{/if}}
-      </FormField>
-    {{/each}}
-  </div>
-  <Hds::ButtonSet class="has-top-margin-l has-bottom-margin-l">
-    <Hds::Button
-      @text="Update"
-      @icon={{if this.save.isRunning "loading"}}
-      type="submit"
-      disabled={{this.save.isRunning}}
-      data-test-save
-    />
-    <Hds::Button
-      @text="Cancel"
-      @color="secondary"
-      disabled={{this.save.isRunning}}
-      {{on "click" this.cancel}}
-      data-test-cancel
-    />
-  </Hds::ButtonSet>
-  {{#if this.error}}
-    <div class="control">
-      <AlertInline
-        @type="danger"
-        @paddingTop={{true}}
-        @message="There was an error submitting this form."
-        @mimicRefresh={{true}}
-      />
-    </div>
-  {{/if}}
-</form>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package seal
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+	"reflect"
+	"sort"
+	"strings"
+	"sync/atomic"
+	"time"
+
+	metrics "github.com/armon/go-metrics"
+	"github.com/google/go-cmp/cmp"
+	"github.com/hashicorp/go-hclog"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
+	"github.com/hashicorp/go-kms-wrapping/v2/aead"
+	"github.com/hashicorp/vault/internalshared/configutil"
+)
+
+type StoredKeysSupport int
+
+const (
+	// The 0 value of StoredKeysSupport is an invalid option
+	StoredKeysInvalid StoredKeysSupport = iota
+	StoredKeysNotSupported
+	StoredKeysSupportedGeneric
+	StoredKeysSupportedShamirRoot
+)
+
+var (
+	ErrUnconfiguredWrapper  = errors.New("unconfigured wrapper")
+	ErrNoHealthySeals       = errors.New("no healthy seals!")
+	ErrNoConfiguredSeals    = errors.New("no configured seals")
+	ErrNoSealGenerationInfo = errors.New("no seal generation info")
+	ErrNoSeals              = errors.New("no seals provided in the configuration")
+)
+
+func (s StoredKeysSupport) String() string {
+	switch s {
+	case StoredKeysNotSupported:
+		return "Old-style Shamir"
+	case StoredKeysSupportedGeneric:
+		return "AutoUnseal"
+	case StoredKeysSupportedShamirRoot:
+		return "New-style Shamir"
+	default:
+		return "Invalid StoredKeys type"
+	}
+}
+
+type SealGenerationInfo struct {
+	Generation uint64
+	Seals      []*configutil.KMS
+	rewrapped  atomic.Bool
+}
+
+// Validate is used to sanity check the seal generation info being created
+func (sgi *SealGenerationInfo) Validate(existingSgi *SealGenerationInfo, hasPartiallyWrappedPaths bool) error {
+	existingSealsLen := 0
+	numConfiguredSeals := len(sgi.Seals)
+	configuredSealNameAndType := sealNameAndTypeAsStr(sgi.Seals)
+
+	// If no previous generation info exists, make sure we perform the initial migration/setup
+	// check for enabled configured seals to allow an old style seal migration configuration
+	if existingSgi == nil {
+		if numConfiguredSeals > 1 {
+			return fmt.Errorf("Initializing a cluster or enabling multi-seal on an existing "+
+				"cluster must occur with a single seal before adding additional seals\n"+
+				"Configured seals: %v", configuredSealNameAndType)
+		}
+
+		// No point in comparing anything more as we don't have any information around the
+		// existing seal if any actually existed
+		return nil
+	}
+
+	existingSealNameAndType := sealNameAndTypeAsStr(existingSgi.Seals)
+	previousShamirConfigured := false
+
+	if sgi.Generation == existingSgi.Generation {
+		if !haveMatchingSeals(sgi.Seals, existingSgi.Seals) {
+			return fmt.Errorf("existing seal generation is the same, but the configured seals are different\n"+
+				"Existing seals: %v\n"+
+				"Configured seals: %v", existingSealNameAndType, configuredSealNameAndType)
+		}
+		return nil
+	}
+
+	existingSealsLen = len(existingSgi.Seals)
+	for _, sealKmsConfig := range existingSgi.Seals {
+		if sealKmsConfig.Type == wrapping.WrapperTypeShamir.String() {
+			previousShamirConfigured = true
+			break
+		}
+	}
+
+	if !previousShamirConfigured && (!existingSgi.IsRewrapped() || hasPartiallyWrappedPaths) && os.Getenv("VAULT_SEAL_REWRAP_SAFETY") != "disable" {
+		return errors.New("cannot make seal config changes while seal re-wrap is in progress, please revert any seal configuration changes")
+	}
+
+	numSealsToAdd := 0
+	// With a previously configured shamir seal, we are either going from [shamir]->[auto]
+	// or [shamir]->[another shamir] (since we do not allow multiple shamir
+	// seals, and, mixed shamir and auto seals). Also, we do not allow shamir seals to
+	// be set disabled, so, the number of seals to add is always going to be the length
+	// of new seal configs.
+	if previousShamirConfigured {
+		numSealsToAdd = numConfiguredSeals
+	} else {
+		numSealsToAdd = numConfiguredSeals - existingSealsLen
+	}
+
+	numSealsToDelete := existingSealsLen - numConfiguredSeals
+	switch {
+	case numSealsToAdd > 1:
+		return fmt.Errorf("cannot add more than one seal\n"+
+			"Existing seals: %v\n"+
+			"Configured seals: %v", existingSealNameAndType, configuredSealNameAndType)
+
+	case numSealsToDelete > 1:
+		return fmt.Errorf("cannot delete more than one seal\n"+
+			"Existing seals: %v\n"+
+			"Configured seals: %v", existingSealNameAndType, configuredSealNameAndType)
+
+	case !previousShamirConfigured && existingSgi != nil && !haveCommonSeal(existingSgi.Seals, sgi.Seals):
+		// With a previously configured shamir seal, we are either going from [shamir]->[auto] or [shamir]->[another shamir],
+		// in which case we cannot have a common seal because shamir seals cannot be set to disabled, they can only be deleted.
+		return fmt.Errorf("must have at least one seal in common with the old generation\n"+
+			"Existing seals: %v\n"+
+			"Configured seals: %v", existingSealNameAndType, configuredSealNameAndType)
+	}
+	return nil
+}
+
+func sealNameAndTypeAsStr(seals []*configutil.KMS) string {
+	info := []string{}
+	for _, seal := range seals {
+		info = append(info, fmt.Sprintf("Name: %s Type: %s", seal.Name, seal.Type))
+	}
+	return fmt.Sprintf("[%s]", strings.Join(info, ", "))
+}
+
+// haveMatchingSeals verifies that we have the corresponding matching seals by name and type, config and other
+// properties are ignored in the comparison
+func haveMatchingSeals(existingSealKmsConfigs, newSealKmsConfigs []*configutil.KMS) bool {
+	if len(existingSealKmsConfigs) != len(newSealKmsConfigs) {
+		return false
+	}
+
+	for _, existingSealKmsConfig := range existingSealKmsConfigs {
+		found := false
+		for _, newSealKmsConfig := range newSealKmsConfigs {
+			if cmp.Equal(existingSealKmsConfig, newSealKmsConfig, compareKMSConfigByNameAndType()) {
+				found = true
+				break
+			}
+		}
+
+		if !found {
+			return false
+		}
+	}
+	return true
+}
+
+// haveCommonSeal verifies that we have at least one matching seal across
+// the inputs by name and type, config and other properties are ignored in
+// the comparison
+func haveCommonSeal(existingSealKmsConfigs, newSealKmsConfigs []*configutil.KMS) bool {
+	for _, existingSealKmsConfig := range existingSealKmsConfigs {
+		for _, newSealKmsConfig := range newSealKmsConfigs {
+			// Technically we might be matching the "wrong" seal if the old seal was renamed to
+			// "transit-disabled" and we have a new seal named transit. There isn't any way for
+			// us to properly distinguish between them
+			if cmp.Equal(existingSealKmsConfig, newSealKmsConfig, compareKMSConfigByNameAndType()) {
+				return true
+			}
+		}
+	}
+
+	// We might have renamed a disabled seal that was previously used so attempt to match by
+	// removing the "-disabled" suffix
+	for _, seal := range findRenamedDisabledSeals(newSealKmsConfigs) {
+		clonedSeal := seal.Clone()
+		clonedSeal.Name = strings.TrimSuffix(clonedSeal.Name, configutil.KmsRenameDisabledSuffix)
+
+		for _, existingSealKmsConfig := range existingSealKmsConfigs {
+			if cmp.Equal(existingSealKmsConfig, clonedSeal, compareKMSConfigByNameAndType()) {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
+func findRenamedDisabledSeals(configs []*configutil.KMS) []*configutil.KMS {
+	disabledSeals := []*configutil.KMS{}
+	for _, seal := range configs {
+		if seal.Disabled && strings.HasSuffix(seal.Name, configutil.KmsRenameDisabledSuffix) {
+			disabledSeals = append(disabledSeals, seal)
+		}
+	}
+	return disabledSeals
+}
+
+func compareKMSConfigByNameAndType() cmp.Option {
+	// We only match based on name and type to avoid configuration changes such
+	// as a Vault token change in the config map from eliminating the match and
+	// preventing startup on a matching seal.
+	return cmp.Comparer(func(a, b *configutil.KMS) bool {
+		return a.Name == b.Name && a.Type == b.Type
+	})
+}
+
+// SetRewrapped updates the SealGenerationInfo's rewrapped status to the provided value.
+func (sgi *SealGenerationInfo) SetRewrapped(value bool) {
+	sgi.rewrapped.Store(value)
+}
+
+// IsRewrapped returns the SealGenerationInfo's rewrapped status.
+func (sgi *SealGenerationInfo) IsRewrapped() bool {
+	return sgi.rewrapped.Load()
+}
+
+type sealGenerationInfoJson struct {
+	Generation uint64
+	Seals      []*configutil.KMS
+	Rewrapped  bool
+}
+
+func (sgi *SealGenerationInfo) MarshalJSON() ([]byte, error) {
+	return json.Marshal(sealGenerationInfoJson{
+		Generation: sgi.Generation,
+		Seals:      sgi.Seals,
+		Rewrapped:  sgi.IsRewrapped(),
+	})
+}
+
+func (sgi *SealGenerationInfo) UnmarshalJSON(b []byte) error {
+	var value sealGenerationInfoJson
+	if err := json.Unmarshal(b, &value); err != nil {
+		return err
+	}
+
+	sgi.Generation = value.Generation
+	sgi.Seals = value.Seals
+	sgi.SetRewrapped(value.Rewrapped)
+
+	return nil
+}
+
+// OldKey is used as a return value from Decrypt to indicate that the old
+// key was used for decryption and that the value should be re-encrypted
+// with the new key and saved. It is not returned as an error by any
+// function.
+var OldKey = errors.New("decrypted with old key")
+
+func IsOldKeyError(err error) bool {
+	return errors.Is(err, OldKey)
+}
+
+// Access is the embedded implementation of autoSeal that contains logic
+// specific to encrypting and decrypting data, or in this case keys.
+type Access interface {
+	wrapping.InitFinalizer
+
+	Generation() uint64
+
+	// Encrypt encrypts the given byte slice and stores the resulting
+	// information in the returned blob info. Which options are used depends on
+	// the underlying wrapper. Supported options: WithAad.
+	// Returns a MultiWrapValue as long as at least one seal Access wrapper encrypted the data successfully, and
+	// if this is the case errors may still be returned if any wrapper failed. The error map is keyed by seal name.
+	Encrypt(ctx context.Context, plaintext []byte, options ...wrapping.Option) (*MultiWrapValue, map[string]error)
+
+	// Decrypt decrypts the given byte slice and stores the resulting information in the
+	// returned byte slice. Which options are used depends on the underlying wrapper.
+	// Supported options: WithAad.
+	// Returns the plaintext, a flag indicating whether the ciphertext is up-to-date
+	// (according to IsUpToDate), and an error.
+	Decrypt(ctx context.Context, ciphertext *MultiWrapValue, options ...wrapping.Option) ([]byte, bool, error)
+
+	// IsUpToDate returns true if a MultiWrapValue is up-to-date. An MultiWrapValue is
+	// considered to be up-to-date if its generation matches the Access generation, and if
+	// it has a slot with a key ID that match the current key ID of each of the Access
+	// wrappers.
+	IsUpToDate(ctx context.Context, value *MultiWrapValue, forceKeyIdRefresh bool) (bool, error)
+
+	// GetEnabledWrappers returns all the enabled seal Wrappers, in order of priority.
+	GetEnabledWrappers() []wrapping.Wrapper
+
+	SetShamirSealKey([]byte) error
+	GetShamirKeyBytes(ctx context.Context) ([]byte, error)
+
+	// GetAllSealWrappersByPriority returns all the SealWrappers including disabled and unconfigured wrappers.
+	GetAllSealWrappersByPriority() []*SealWrapper
+
+	// GetConfiguredSealWrappersByPriority returns all the configured SealWrappers for all the seal wrappers, including disabled ones.
+	GetConfiguredSealWrappersByPriority() []*SealWrapper
+
+	// GetEnabledSealWrappersByPriority returns the SealWrappers for the enabled seal wrappers.
+	GetEnabledSealWrappersByPriority() []*SealWrapper
+
+	// AllSealsWrappersHealthy returns whether all enabled SealWrappers are currently healthy.
+	AllSealWrappersHealthy() bool
+
+	GetSealGenerationInfo() *SealGenerationInfo
+}
+
+type access struct {
+	sealGenerationInfo *SealGenerationInfo
+	wrappersByPriority []*SealWrapper
+	keyIdSet           keyIdSet
+	logger             hclog.Logger
+}
+
+var _ Access = (*access)(nil)
+
+func NewAccess(logger hclog.Logger, sealGenerationInfo *SealGenerationInfo, sealWrappers []*SealWrapper) (Access, error) {
+	if logger == nil {
+		logger = hclog.NewNullLogger()
+	}
+	if sealGenerationInfo == nil {
+		logger.Error("cannot create a seal.Access without a SealGenerationInfo")
+		return nil, ErrNoSealGenerationInfo
+	}
+	if len(sealWrappers) == 0 {
+		logger.Error("cannot create a seal.Access without any seal wrappers")
+		return nil, ErrNoSeals
+	}
+	a := &access{
+		sealGenerationInfo: sealGenerationInfo,
+		logger:             logger,
+	}
+	a.wrappersByPriority = make([]*SealWrapper, len(sealWrappers))
+	for i, sw := range sealWrappers {
+		a.wrappersByPriority[i] = sw
+	}
+
+	configuredSealWrappers := a.GetConfiguredSealWrappersByPriority()
+	if len(configuredSealWrappers) == 0 {
+		a.logger.Error("cannot create a seal.Access without any configured seal wrappers")
+		return nil, ErrNoConfiguredSeals
+	}
+
+	sort.Slice(a.wrappersByPriority, func(i int, j int) bool { return a.wrappersByPriority[i].Priority < a.wrappersByPriority[j].Priority })
+
+	return a, nil
+}
+
+func NewAccessFromSealWrappers(logger hclog.Logger, generation uint64, rewrapped bool, sealWrappers []*SealWrapper) (Access, error) {
+	sealGenerationInfo := &SealGenerationInfo{
+		Generation: generation,
+	}
+	sealGenerationInfo.SetRewrapped(rewrapped)
+	ctx := context.Background()
+	for _, sw := range sealWrappers {
+		typ, err := sw.Wrapper.Type(ctx)
+		if err != nil {
+			return nil, err
+		}
+		sealGenerationInfo.Seals = append(sealGenerationInfo.Seals, &configutil.KMS{
+			Type:     typ.String(),
+			Priority: sw.Priority,
+			Name:     sw.Name,
+		})
+	}
+	return NewAccess(logger, sealGenerationInfo, sealWrappers)
+}
+
+// NewAccessFromWrapper creates an enabled Access for a single wrapping.Wrapper.
+// The Access has generation set to 1 and the rewrapped flag set to true.
+// The SealWrapper created uses the seal config type as the name, has priority set to 1 and the
+// disabled flag set to false.
+func NewAccessFromWrapper(logger hclog.Logger, wrapper wrapping.Wrapper, sealConfigType string) (Access, error) {
+	sealWrapper := NewSealWrapper(wrapper, 1, sealConfigType, sealConfigType, false, true)
+
+	return NewAccessFromSealWrappers(logger, 1, true, []*SealWrapper{sealWrapper})
+}
+
+func (a *access) GetAllSealWrappersByPriority() []*SealWrapper {
+	return a.filterSealWrappers(allWrappers)
+}
+
+func (a *access) GetConfiguredSealWrappersByPriority() []*SealWrapper {
+	return a.filterSealWrappers(configuredWrappers, allWrappers)
+}
+
+func (a *access) GetEnabledSealWrappersByPriority() []*SealWrapper {
+	return a.filterSealWrappers(configuredWrappers, enabledWrappers)
+}
+
+func (a *access) AllSealWrappersHealthy() bool {
+	return len(a.wrappersByPriority) == len(a.filterSealWrappers(configuredWrappers, healthyWrappers))
+}
+
+type sealWrapperFilter func(*SealWrapper) bool
+
+func allWrappers(wrapper *SealWrapper) bool {
+	return true
+}
+
+func healthyWrappers(wrapper *SealWrapper) bool {
+	return wrapper.IsHealthy()
+}
+
+func enabledWrappers(wrapper *SealWrapper) bool {
+	return !wrapper.Disabled
+}
+
+func configuredWrappers(wrapper *SealWrapper) bool {
+	return wrapper.Configured
+}
+
+// Returns a slice of wrappers who satisfy all filters
+func (a *access) filterSealWrappers(filters ...sealWrapperFilter) []*SealWrapper {
+	return filterSealWrappers(a.wrappersByPriority, filters...)
+}
+
+func filterSealWrappers(wrappers []*SealWrapper, filters ...sealWrapperFilter) []*SealWrapper {
+	ret := make([]*SealWrapper, 0, len(wrappers))
+outer:
+	for _, sw := range wrappers {
+		for _, f := range filters {
+			if !f(sw) {
+				continue outer
+			}
+		}
+		ret = append(ret, sw)
+	}
+	return ret
+}
+
+func (a *access) GetSealGenerationInfo() *SealGenerationInfo {
+	return a.sealGenerationInfo
+}
+
+func (a *access) Generation() uint64 {
+	return a.sealGenerationInfo.Generation
+}
+
+func (a *access) GetEnabledWrappers() []wrapping.Wrapper {
+	var ret []wrapping.Wrapper
+	for _, si := range a.GetEnabledSealWrappersByPriority() {
+		ret = append(ret, si.Wrapper)
+	}
+	return ret
+}
+
+func (a *access) Init(ctx context.Context, options ...wrapping.Option) error {
+	var keyIds []string
+	for _, sealWrapper := range a.GetConfiguredSealWrappersByPriority() {
+		if initWrapper, ok := sealWrapper.Wrapper.(wrapping.InitFinalizer); ok {
+			if err := initWrapper.Init(ctx, options...); err != nil {
+				return err
+			}
+			keyId, err := sealWrapper.Wrapper.KeyId(ctx)
+			if err != nil {
+				a.logger.Warn("cannot determine key ID for seal", "seal", sealWrapper.Name, "err", err)
+				return fmt.Errorf("cannod determine key ID for seal %s: %w", sealWrapper.Name, err)
+			}
+			if keyId != "" {
+				// Some wrappers may not yet know their key id. For emample, see gcpkms.Wrapper.
+				keyIds = append(keyIds, keyId)
+			}
+		}
+	}
+	a.keyIdSet.setIds(keyIds)
+	return nil
+}
+
+func (a *access) IsUpToDate(ctx context.Context, value *MultiWrapValue, forceKeyIdRefresh bool) (bool, error) {
+	// Note that we don't compare generations when the value is transitory, since all single-blobInfo
+	// values (i.e. not yet upgraded to MultiWrapValues) are unmarshalled as transitory values.
+	if value.Generation != 0 && value.Generation != a.Generation() {
+		return false, nil
+	}
+	if forceKeyIdRefresh {
+		test, errs := a.Encrypt(ctx, []byte{0})
+		if test == nil {
+			a.logger.Error("error refreshing seal key IDs")
+			return false, JoinSealWrapErrors("cannot determine key IDs of Access wrappers", errs)
+		}
+		if len(errs) > 0 {
+			msg := "could not determine key IDs of some Access wrappers"
+			a.logger.Error("partial failure refreshing seal key IDs", "err", JoinSealWrapErrors(msg, errs))
+			return false, JoinSealWrapErrors(msg, errs)
+		}
+		a.keyIdSet.set(test)
+	}
+
+	return a.keyIdSet.equal(value), nil
+}
+
+const (
+	// wrapperEncryptTimeout is the duration we will wait for seal wrappers to return from an encrypt call.
+	// After the timeout, we return any successful results and errors for the rest of the wrappers, so
+	// that a partial seal wrap entry can be recorded.
+	wrapperEncryptTimeout = 10 * time.Second
+
+	// wrapperDecryptHighPriorityHeadStart is the duration we wait for the highest priority wrapper
+	// to return from a decrypt call before we try decrypting with any additional wrappers.
+	wrapperDecryptHighPriorityHeadStart = 2 * time.Second
+)
+
+// Encrypt uses the underlying seal to encrypt the plaintext and returns it.
+func (a *access) Encrypt(ctx context.Context, plaintext []byte, options ...wrapping.Option) (*MultiWrapValue, map[string]error) {
+	// Note that we do not encrypt with disabled wrappers. Disabled wrappers are only used to decrypt.
+	candidateWrappers := a.filterSealWrappers(enabledWrappers, healthyWrappers)
+	if len(candidateWrappers) == 0 {
+		// If all seals are unhealthy, try any way since a seal may have recovered
+		candidateWrappers = a.filterSealWrappers(enabledWrappers)
+	}
+	enabledWrappersByPriority := filterSealWrappers(candidateWrappers, configuredWrappers)
+
+	type result struct {
+		name       string
+		ciphertext *wrapping.BlobInfo
+		err        error
+	}
+	resultCh := make(chan *result)
+
+	encryptCtx, cancelEncryptCtx := context.WithTimeout(ctx, wrapperEncryptTimeout)
+	defer cancelEncryptCtx()
+
+	// Start goroutines to encrypt the value using each of the wrappers.
+	for _, sealWrapper := range enabledWrappersByPriority {
+		go func(sealWrapper *SealWrapper) {
+			ciphertext, err := a.tryEncrypt(encryptCtx, sealWrapper, plaintext, options...)
+			resultCh <- &result{
+				name:       sealWrapper.Name,
+				ciphertext: ciphertext,
+				err:        err,
+			}
+		}(sealWrapper)
+	}
+
+	results := make(map[string]*result)
+GATHER_RESULTS:
+	for {
+		select {
+		case result := <-resultCh:
+			results[result.name] = result
+			if len(results) == len(enabledWrappersByPriority) {
+				break GATHER_RESULTS
+			}
+		case <-encryptCtx.Done():
+			break GATHER_RESULTS
+		case <-ctx.Done():
+			cancelEncryptCtx()
+			break GATHER_RESULTS
+		}
+	}
+
+	{
+		// Check for duplicate Key IDs.
+		// If any wrappers produce duplicated IDs, their BlobInfo will be replaced by an error.
+
+		keyIdToSealWrapperNameMap := make(map[string]string)
+		for _, sealWrapper := range enabledWrappersByPriority {
+			wrapperName := sealWrapper.Name
+			if result, ok := results[wrapperName]; ok {
+				if result.err != nil {
+					continue
+				}
+				if result.ciphertext.KeyInfo == nil {
+					// Can this really happen? Probably not?
+					continue
+				}
+				keyId := result.ciphertext.KeyInfo.KeyId
+				duplicateWrapperName, isDuplicate := keyIdToSealWrapperNameMap[keyId]
+				if isDuplicate {
+					for _, name := range []string{wrapperName, duplicateWrapperName} {
+						results[name].err = fmt.Errorf("seal %s has returned duplicate key ID %s, key IDs must be unique", name, keyId)
+						results[name].ciphertext = nil
+					}
+				}
+				keyIdToSealWrapperNameMap[keyId] = wrapperName
+			}
+		}
+	}
+
+	// Sort out the successful results from the errors
+	var slots []*wrapping.BlobInfo
+	errs := make(map[string]error)
+	for _, sealWrapper := range enabledWrappersByPriority {
+		if result, ok := results[sealWrapper.Name]; ok {
+			if result.err != nil {
+				errs[sealWrapper.Name] = result.err
+			} else {
+				slots = append(slots, result.ciphertext)
+			}
+		} else {
+			if encryptCtx.Err() != nil {
+				errs[sealWrapper.Name] = encryptCtx.Err()
+			} else {
+				// Just being paranoid, encryptCtx.Err() should never be nil in this case
+				errs[sealWrapper.Name] = errors.New("context timeout exceeded")
+			}
+			// This failure did not happen on tryEncrypt, so we must log it here
+			a.logger.Trace("error encrypting with seal", "seal", sealWrapper.Name, "err", errs[sealWrapper.Name])
+		}
+	}
+
+	if len(slots) == 0 {
+		a.logger.Error("failed to encrypt value using any seal wrappers")
+		return nil, errs
+	}
+
+	a.logger.Trace("successfully encrypted value", "encryption seal wrappers", len(slots), "total enabled seal wrappers",
+		len(a.GetEnabledSealWrappersByPriority()))
+
+	ret := &MultiWrapValue{
+		Generation: a.Generation(),
+		Slots:      slots,
+	}
+
+	if len(errs) == 0 {
+		// cache key IDs
+		a.keyIdSet.set(ret)
+	}
+
+	// Add errors for unconfigured wrappers
+	for _, sw := range candidateWrappers {
+		if !sw.Configured {
+			errs[sw.Name] = ErrUnconfiguredWrapper
+		}
+	}
+
+	return ret, errs
+}
+
+func (a *access) tryEncrypt(ctx context.Context, sealWrapper *SealWrapper, plaintext []byte, options ...wrapping.Option) (*wrapping.BlobInfo, error) {
+	now := time.Now()
+	var encryptErr error
+	mLabels := []metrics.Label{{Name: "seal_wrapper_name", Value: sealWrapper.Name}}
+
+	defer func(now time.Time) {
+		metrics.MeasureSinceWithLabels([]string{"seal", "encrypt", "time"}, now, mLabels)
+
+		if encryptErr != nil {
+			metrics.IncrCounterWithLabels([]string{"seal", "encrypt", "error"}, 1, mLabels)
+		}
+	}(now)
+
+	metrics.IncrCounterWithLabels([]string{"seal", "encrypt"}, 1, mLabels)
+
+	ciphertext, encryptErr := sealWrapper.Wrapper.Encrypt(ctx, plaintext, options...)
+	if encryptErr != nil {
+		a.logger.Warn("error encrypting with seal", "seal", sealWrapper.Name)
+		a.logger.Trace("error encrypting with seal", "seal", sealWrapper.Name, "err", encryptErr)
+
+		sealWrapper.SetHealthy(false, now)
+		return nil, encryptErr
+	}
+	a.logger.Trace("encrypted value using seal", "seal", sealWrapper.Name, "keyId", ciphertext.KeyInfo.KeyId)
+
+	sealWrapper.SetHealthy(true, now)
+	return ciphertext, nil
+}
+
+// Decrypt uses the underlying seal to decrypt the ciphertext and returns it.
+// Note that it is possible depending on the wrapper used that both pt and err
+// are populated.
+// Returns the plaintext, a flag indicating whether the ciphertext is up-to-date
+// (according to IsUpToDate), and an error.
+func (a *access) Decrypt(ctx context.Context, ciphertext *MultiWrapValue, options ...wrapping.Option) ([]byte, bool, error) {
+	blobInfoMap := slotsByKeyId(ciphertext)
+
+	isUpToDate, err := a.IsUpToDate(ctx, ciphertext, false)
+	if err != nil {
+		return nil, false, err
+	}
+
+	wrappersByPriority := a.filterSealWrappers(configuredWrappers, healthyWrappers)
+	if len(wrappersByPriority) == 0 {
+		// If all seals are unhealthy, try any way since a seal may have recovered
+		wrappersByPriority = a.filterSealWrappers(configuredWrappers)
+	}
+	if len(wrappersByPriority) == 0 {
+		return nil, false, ErrNoHealthySeals
+	}
+
+	type result struct {
+		name   string
+		pt     []byte
+		oldKey bool
+		err    error
+	}
+	resultCh := make(chan *result)
+
+	reportResult := func(name string, plaintext []byte, oldKey bool, err error) {
+		resultCh <- &result{
+			name:   name,
+			pt:     plaintext,
+			oldKey: oldKey,
+			err:    err,
+		}
+	}
+
+	decrypt := func(sealWrapper *SealWrapper) {
+		pt, oldKey, err := a.tryDecrypt(ctx, sealWrapper, blobInfoMap, options)
+		reportResult(sealWrapper.Name, pt, oldKey, err)
+	}
+
+	// Start goroutines to decrypt the value
+
+	first := wrappersByPriority[0]
+	// First, if we only have one slot, try matching by keyId
+	if len(blobInfoMap) == 1 {
+	outer:
+		for k := range blobInfoMap {
+			for _, sealWrapper := range wrappersByPriority {
+				keyId, err := sealWrapper.Wrapper.KeyId(ctx)
+				if err != nil {
+					reportResult(sealWrapper.Name, nil, false, err)
+					continue
+				}
+				if keyId == k {
+					first = sealWrapper
+					break outer
+				}
+			}
+		}
+	}
+
+	go decrypt(first)
+	for _, sealWrapper := range wrappersByPriority {
+		sealWrapper := sealWrapper
+		if sealWrapper != first {
+			timer := time.AfterFunc(wrapperDecryptHighPriorityHeadStart, func() {
+				decrypt(sealWrapper)
+			})
+			defer timer.Stop()
+		}
+	}
+
+	// Gathering failures, but return right away if there is a succesful result
+	errs := make(map[string]error)
+GATHER_RESULTS:
+	for {
+		select {
+		case result := <-resultCh:
+			switch {
+			case result.err != nil:
+				errs[result.name] = result.err
+				if len(errs) == len(wrappersByPriority) {
+					break GATHER_RESULTS
+				}
+
+			case result.oldKey:
+				return result.pt, false, OldKey
+
+			default:
+				return result.pt, isUpToDate, nil
+			}
+		case <-ctx.Done():
+			break GATHER_RESULTS
+		}
+	}
+
+	// No wrapper was able to decrypt the value, return an error
+	if len(errs) > 0 {
+		return nil, false, JoinSealWrapErrors("error decrypting seal wrapped value", errs)
+	}
+
+	if ctx.Err() != nil {
+		return nil, false, ctx.Err()
+	}
+	// Just being paranoid, ctx.Err() should never be nil in this case
+	return nil, false, errors.New("context timeout exceeded")
+}
+
+// tryDecrypt returns the plaintext and a flag indicating whether the decryption was done by the "unwrapSeal" (see
+// sealWrapMigration.Decrypt).
+func (a *access) tryDecrypt(ctx context.Context, sealWrapper *SealWrapper, ciphertextByKeyId map[string]*wrapping.BlobInfo, options []wrapping.Option) ([]byte, bool, error) {
+	now := time.Now()
+	var decryptErr error
+	mLabels := []metrics.Label{{Name: "seal_wrapper_name", Value: sealWrapper.Name}}
+
+	defer func(now time.Time) {
+		metrics.MeasureSinceWithLabels([]string{"seal", "decrypt", "time"}, now, mLabels)
+
+		if decryptErr != nil {
+			metrics.IncrCounterWithLabels([]string{"seal", "decrypt", "error"}, 1, mLabels)
+		}
+	}(now)
+
+	metrics.IncrCounterWithLabels([]string{"seal", "decrypt"}, 1, mLabels)
+
+	var pt []byte
+
+	// First, let's look for an exact key ID match
+	var keyId string
+	if id, err := sealWrapper.Wrapper.KeyId(ctx); err == nil {
+		keyId = id
+		if ciphertext, ok := ciphertextByKeyId[keyId]; ok {
+			pt, decryptErr = sealWrapper.Wrapper.Decrypt(ctx, ciphertext, options...)
+
+			sealWrapper.SetHealthy(decryptErr == nil || IsOldKeyError(decryptErr), now)
+		}
+	}
+	// If we don't get a result, try all the slots
+	if pt == nil && decryptErr == nil {
+		for _, ciphertext := range ciphertextByKeyId {
+			pt, decryptErr = sealWrapper.Wrapper.Decrypt(ctx, ciphertext, options...)
+			if decryptErr == nil {
+				// Note that we only update wrapper health for failures on exact key ID match,
+				// otherwise we would have false negatives.
+				sealWrapper.SetHealthy(true, now)
+				break
+			}
+		}
+	}
+
+	switch {
+	case decryptErr != nil && IsOldKeyError(decryptErr):
+		// an OldKey error is not an actual error, it just means that the decryption was done
+		// by the "unwrapSeal" of a seal migration (see sealWrapMigration.Decrypt).
+		a.logger.Trace("decrypted using OldKey", "seal_name", sealWrapper.Name)
+		return pt, true, nil
+
+	case decryptErr != nil:
+		// Note that if there are more than one ciphertext, the error may be misleading...
+		a.logger.Trace("error decrypting with seal, this may be a harmless mismatch between wrapper and ciphertext", "seal_name", sealWrapper.Name, "keyId", keyId, "err", decryptErr)
+		return nil, false, decryptErr
+
+	default:
+		a.logger.Trace("decrypted value using seal", "seal_name", sealWrapper.Name)
+		return pt, false, nil
+	}
+}
+
+func JoinSealWrapErrors(msg string, errorMap map[string]error) error {
+	errs := []error{errors.New(msg)}
+	for name, err := range errorMap {
+		errs = append(errs, fmt.Errorf("error decrypting using seal %s: %w", name, err))
+	}
+	return errors.Join(errs...)
+}
+
+func (a *access) Finalize(ctx context.Context, options ...wrapping.Option) error {
+	var errs []error
+
+	for _, w := range a.GetConfiguredSealWrappersByPriority() {
+		if finalizeWrapper, ok := w.Wrapper.(wrapping.InitFinalizer); ok {
+			if err := finalizeWrapper.Finalize(ctx, options...); err != nil {
+				errs = append(errs, err)
+			}
+		}
+	}
+
+	if len(errs) > 0 {
+		return errors.Join(errs...)
+	}
+
+	return nil
+}
+
+func (a *access) SetShamirSealKey(key []byte) error {
+	if len(a.wrappersByPriority) == 0 {
+		return errors.New("no wrappers configured")
+	}
+
+	wrapper := a.wrappersByPriority[0].Wrapper
+
+	shamirWrapper, ok := wrapper.(*aead.ShamirWrapper)
+	if !ok {
+		return errors.New("seal is not a Shamir seal")
+	}
+
+	return shamirWrapper.SetAesGcmKeyBytes(key)
+}
+
+func (a *access) GetShamirKeyBytes(ctx context.Context) ([]byte, error) {
+	if len(a.wrappersByPriority) == 0 {
+		return nil, errors.New("no wrapper configured")
+	}
+
+	wrapper := a.wrappersByPriority[0].Wrapper
+
+	shamirWrapper, ok := wrapper.(*aead.ShamirWrapper)
+	if !ok {
+		return nil, errors.New("seal is not a shamir seal")
+	}
+
+	return shamirWrapper.KeyBytes(ctx)
+}
+
+func slotsByKeyId(value *MultiWrapValue) map[string]*wrapping.BlobInfo {
+	ret := make(map[string]*wrapping.BlobInfo)
+	for _, blobInfo := range value.Slots {
+		keyId := ""
+		if blobInfo.KeyInfo != nil {
+			keyId = blobInfo.KeyInfo.KeyId
+		}
+		ret[keyId] = blobInfo
+	}
+	return ret
+}
+
+type keyIdSet struct {
+	keyIds atomic.Pointer[[]string]
+}
+
+func (s *keyIdSet) set(value *MultiWrapValue) {
+	keyIds := s.collect(value)
+	s.setIds(keyIds)
+}
+
+func (s *keyIdSet) setIds(keyIds []string) {
+	keyIds = s.deduplicate(keyIds)
+	s.keyIds.Store(&keyIds)
+}
+
+func (s *keyIdSet) get() []string {
+	pids := s.keyIds.Load()
+	if pids == nil {
+		return nil
+	}
+	return *pids
+}
+
+func (s *keyIdSet) equal(value *MultiWrapValue) bool {
+	keyIds := s.collect(value)
+	expected := s.get()
+	return reflect.DeepEqual(keyIds, expected)
+}
+
+func (s *keyIdSet) collect(value *MultiWrapValue) []string {
+	var keyIds []string
+	for _, blobInfo := range value.Slots {
+		if blobInfo.KeyInfo != nil {
+			// Ideally we should always have a KeyInfo.KeyId, but:
+			// 1) plaintext entries are stored on a blob info with Wrapped == false
+			// 2) some unit test wrappers do not return a blob info
+			keyIds = append(keyIds, blobInfo.KeyInfo.KeyId)
+		}
+	}
+	return s.deduplicate(keyIds)
+}
+
+func (s *keyIdSet) deduplicate(ids []string) []string {
+	m := make(map[string]struct{})
+	for _, id := range ids {
+		m[id] = struct{}{}
+	}
+	deduplicated := make([]string, 0, len(m))
+	for id := range m {
+		deduplicated = append(deduplicated, id)
+	}
+	sort.Strings(deduplicated)
+	return deduplicated
+}
diff --git a/ui/lib/pki/addon/components/page/pki-issuer-rotate-root.hbs b/ui/lib/pki/addon/components/page/pki-issuer-rotate-root.hbs
index e84330f80c32..84180f60de0e 100644
--- a/ui/lib/pki/addon/components/page/pki-issuer-rotate-root.hbs
+++ b/ui/lib/pki/addon/components/page/pki-issuer-rotate-root.hbs
@@ -1,192 +1,28 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
 
-<PageHeader as |p|>
-  <p.top>
-    <Page::Breadcrumbs @breadcrumbs={{@breadcrumbs}} />
-  </p.top>
-  <p.levelLeft>
-    <h1 class="title is-3" data-test-pki-page-title>
-      {{if @newRootModel.id "View Issuer Certificate" "Generate New Root"}}
-    </h1>
-  </p.levelLeft>
-</PageHeader>
+import { inject as service } from '@ember/service';
+import Controller from '@ember/controller';
 
-{{#if @newRootModel.id}}
-  <Toolbar>
-    <ToolbarActions>
-      <ToolbarLink
-        @route="issuers.issuer.cross-sign"
-        @type="pen-tool"
-        @model={{@newRootModel.issuerId}}
-        data-test-pki-issuer-cross-sign
-      >
-        Cross-sign issuers
-      </ToolbarLink>
-      <ToolbarLink
-        @route="issuers.issuer.sign"
-        @type="pen-tool"
-        @model={{@newRootModel.issuerId}}
-        data-test-pki-issuer-sign-int
-      >
-        Sign Intermediate
-      </ToolbarLink>
-      <BasicDropdown @class="popup-menu" @horizontalPosition="auto-right" @verticalPosition="below" as |D|>
-        <D.Trigger
-          data-test-popup-menu-trigger
-          class={{concat "toolbar-link" (if D.isOpen " is-active")}}
-          @htmlTag="button"
-          data-test-issuer-download
-        >
-          Download
-          <Chevron @direction="down" @isButton={{true}} />
-        </D.Trigger>
-        <D.Content @defaultClass="popup-menu-content">
-          <nav class="box menu" aria-label="snapshots actions">
-            <ul class="menu-list">
-              <li class="action">
-                <DownloadButton
-                  class="link"
-                  @filename={{@newRootModel.issuerId}}
-                  @extension="pem"
-                  @fetchData={{fn this.fetchDataForDownload "pem"}}
-                  data-test-issuer-download-type="pem"
-                  @text="PEM format"
-                  @hideIcon={{true}}
-                />
-              </li>
-              <li class="action">
-                <DownloadButton
-                  class="link"
-                  @filename={{@newRootModel.issuerId}}
-                  @extension="der"
-                  @fetchData={{fn this.fetchDataForDownload "der"}}
-                  data-test-issuer-download-type="der"
-                  @text="DER format"
-                  @hideIcon={{true}}
-                />
-              </li>
-            </ul>
-          </nav>
-        </D.Content>
-      </BasicDropdown>
-      <ToolbarLink @route="issuers.issuer.edit" @model={{@newRootModel.issuerId}} data-test-pki-issuer-configure>
-        Configure
-      </ToolbarLink>
-    </ToolbarActions>
-  </Toolbar>
-{{/if}}
+export default Controller.extend({
+  auth: service(),
+  router: service(),
+  version: service(),
 
-{{#if @newRootModel.id}}
-  <div class="has-top-margin-m">
-    <Hds::Alert data-test-rotate-next-steps @type="inline" @color="highlight" class="has-bottom-margin-s" as |A|>
-      <A.Title>Next steps</A.Title>
-      <A.Description>
-        Your new root has been generated.
-        {{#if @newRootModel.privateKey}}
-          Make sure to copy and save the
-          <code>private_key</code>
-          as it is only available once.
-        {{/if}}
-        If you’re ready, you can begin cross-signing issuers now. If not, the option to cross-sign is available when you use
-        this certificate.
-      </A.Description>
-      <A.Link::Standalone
-        @icon="arrow-right"
-        @iconPosition="trailing"
-        @text="Cross-sign issuers"
-        @route="issuers.issuer.cross-sign"
-      />
-
-    </Hds::Alert>
-  </div>
-{{else}}
-  <div class="box is-bottomless is-marginless is-flex-start">
-    {{#each this.generateOptions as |option|}}
-      <RadioCard
-        class="has-fixed-width"
-        @title={{option.label}}
-        @description={{option.description}}
-        @icon={{option.icon}}
-        @value={{option.key}}
-        @groupValue={{this.displayedForm}}
-        @onChange={{fn (mut this.displayedForm) option.key}}
-        data-test-radio={{option.key}}
-      />
-    {{/each}}
-  </div>
-{{/if}}
-
-{{#if (eq this.displayedForm "use-old-settings")}}
-  {{#if @newRootModel.id}}
-    <PkiInfoTableRows @model={{@newRootModel}} @displayFields={{this.displayFields}} />
-    <ParsedCertificateInfoRows @model={{@newRootModel.parsedCertificate}} />
-    <div class="field is-grouped is-fullwidth has-top-margin-l has-bottom-margin-s">
-      <Hds::Button @text="Done" {{on "click" @onComplete}} data-test-done />
-    </div>
-  {{else}}
-    {{!  USE OLD SETTINGS FORM INPUTS  }}
-    <h2 class="title is-size-5 has-border-bottom-light page-header">
-      Root parameters
-    </h2>
-    <form {{on "submit" (perform this.save)}} data-test-pki-rotate-old-settings-form>
-      {{#if @parsingErrors}}
-        <Hds::Alert data-test-parsing-warning @type="inline" @color="warning" class="has-bottom-margin-s" as |A|>
-          <A.Title>Not all of the certificate values can be parsed and transferred to a new root</A.Title>
-          <A.Description>{{@parsingErrors}}</A.Description>
-        </Hds::Alert>
-      {{/if}}
-      {{#if this.alertBanner}}
-        <Hds::Alert data-test-rotate-error @type="inline" @color="critical" class="has-bottom-margin-s" as |A|>
-          <A.Title>Error</A.Title>
-          <A.Description>{{this.alertBanner}}</A.Description>
-        </Hds::Alert>
-      {{/if}}
-      {{#let (find-by "name" "commonName" @newRootModel.allFields) as |attr|}}
-        <FormField @attr={{attr}} @model={{@newRootModel}} @modelValidations={{this.modelValidations}} />
-      {{/let}}
-      {{#let (find-by "name" "issuerName" @newRootModel.allFields) as |attr|}}
-        <FormField @attr={{attr}} @model={{@newRootModel}} @modelValidations={{this.modelValidations}} />
-      {{/let}}
-      <div class="box has-slim-padding is-shadowless">
-        <ToggleButton
-          data-test-details-toggle
-          @closedLabel="Old root settings"
-          @openLabel="Hide old root settings"
-          @isOpen={{this.showOldSettings}}
-          @onClick={{fn (mut this.showOldSettings)}}
-        />
-        {{#if this.showOldSettings}}
-          <PkiInfoTableRows @model={{@oldRoot}} @displayFields={{this.displayFields}} />
-          <ParsedCertificateInfoRows @model={{@oldRoot.parsedCertificate}} />
-        {{/if}}
-      </div>
-
-      <hr class="has-background-gray-100" />
-      <Hds::ButtonSet>
-        <Hds::Button @text="Done" type="submit" data-test-pki-rotate-root-save />
-        <Hds::Button @text="Cancel" @color="secondary" {{on "click" @onCancel}} data-test-pki-rotate-root-cancel />
-      </Hds::ButtonSet>
-      {{#if this.invalidFormAlert}}
-        <div class="control">
-          <AlertInline
-            @type="danger"
-            @paddingTop={{true}}
-            @message={{this.invalidFormAlert}}
-            @mimicRefresh={{true}}
-            data-test-pki-rotate-root-validation-error
-          />
-        </div>
-      {{/if}}
-    </form>
-  {{/if}}
-{{else}}
-  <PkiGenerateRoot
-    @model={{@newRootModel}}
-    @onCancel={{@onCancel}}
-    @onComplete={{@onComplete}}
-    @adapterOptions={{hash actionType="rotate-root"}}
-  />
-{{/if}}
\ No newline at end of file
+  actions: {
+    seal() {
+      return this.model.cluster.store
+        .adapterFor('cluster')
+        .seal()
+        .then(() => {
+          this.model.cluster.get('leaderNode').set('sealed', true);
+          this.auth.deleteCurrentToken();
+          // Reset version so it doesn't show on footer
+          this.version.version = null;
+          return this.router.transitionTo('vault.cluster.unseal');
+        });
+    },
+  },
+});
diff --git a/ui/lib/pki/addon/components/pki-generate-csr.hbs b/ui/lib/pki/addon/components/pki-generate-csr.hbs
index b363631dcda5..e070471a35e3 100644
--- a/ui/lib/pki/addon/components/pki-generate-csr.hbs
+++ b/ui/lib/pki/addon/components/pki-generate-csr.hbs
@@ -1,74 +1,227 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-{{#if @model.id}}
-  {{! Model only has ID once form has been submitted and saved }}
-  <main data-test-generate-csr-result>
-    <div class="box is-sideless is-fullwidth is-shadowless">
-      <Hds::Alert data-test-next-steps-csr @type="inline" @color="highlight" class="has-bottom-margin-s" as |A|>
-        <A.Title>Next steps</A.Title>
-        <A.Description>
-          Copy the CSR below for a parent issuer to sign and then import the signed certificate back into this mount.
-          {{#if @model.privateKey}}
-            The
-            <code>private_key</code>
-            is only available once. Make sure you copy and save it now.
-          {{/if}}
-        </A.Description>
-      </Hds::Alert>
-      {{#each this.showFields as |fieldName|}}
-        {{#let (find-by "name" fieldName @model.allFields) as |attr|}}
-          {{#let (get @model attr.name) as |value|}}
-            <InfoTableRow
-              @label={{or attr.options.label (humanize (dasherize attr.name))}}
-              @value={{value}}
-              @addCopyButton={{eq attr.name "keyId"}}
-            >
-              {{#if (and attr.options.isCertificate value)}}
-                <CertificateCard @data={{value}} />
-              {{else if (eq attr.name "keyId")}}
-                <LinkTo @route="keys.key.details" @model={{@model.keyId}}>
-                  {{@model.keyId}}
-                </LinkTo>
-              {{else}}
-                {{! this block only ever renders privateKey and privateKeyType }}
-                <span class="{{unless value 'tag'}}">{{or value "internal"}}</span>
-              {{/if}}
-            </InfoTableRow>
-          {{/let}}
-        {{/let}}
-      {{/each}}
-    </div>
-  </main>
-  <footer>
-    <div class="field is-grouped is-fullwidth has-top-margin-l">
-      <Hds::Button @text="Done" {{on "click" @onComplete}} data-test-done />
-    </div>
-  </footer>
-{{else}}
-  <form {{on "submit" (perform this.save)}}>
-    <MessageError @errorMessage={{this.error}} class="has-top-margin-s" />
-    <h2 class="title is-size-5 has-border-bottom-light page-header">
-      CSR parameters
-    </h2>
-
-    {{#each this.formFields as |field|}}
-      <FormField @attr={{field}} @model={{@model}} @modelValidations={{this.modelValidations}} />
-    {{/each}}
-
-    <PkiGenerateToggleGroups @model={{@model}} @modelValidations={{this.modelValidations}} />
-
-    <hr class="has-background-gray-100" />
-    <Hds::ButtonSet>
-      <Hds::Button @text="Generate" type="submit" data-test-save />
-      <Hds::Button @text="Cancel" @color="secondary" {{on "click" this.cancel}} data-test-cancel />
-    </Hds::ButtonSet>
-    {{#if this.alert}}
-      <div class="control">
-        <AlertInline @type="danger" @paddingTop={{true}} @message={{this.alert}} @mimicRefresh={{true}} data-test-alert />
-      </div>
-    {{/if}}
-  </form>
-{{/if}}
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package vault
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"reflect"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
+
+	"github.com/armon/go-metrics"
+	"github.com/hashicorp/vault/helper/metricsutil"
+
+	"github.com/hashicorp/vault/sdk/physical"
+	"github.com/hashicorp/vault/vault/seal"
+)
+
+// phy implements physical.Backend. It maps keys to a slice of entries.
+// Each call to Put appends the entry to the slice of entries for that
+// key. No deduplication is done. This allows the test for UpgradeKeys to
+// verify entries are only being updated when the underlying encryption key
+// has been updated.
+type phy struct {
+	t       *testing.T
+	entries map[string][]*physical.Entry
+}
+
+var _ physical.Backend = (*phy)(nil)
+
+func newTestBackend(t *testing.T) *phy {
+	return &phy{
+		t:       t,
+		entries: make(map[string][]*physical.Entry),
+	}
+}
+
+func (p *phy) Put(_ context.Context, entry *physical.Entry) error {
+	p.entries[entry.Key] = append(p.entries[entry.Key], entry)
+	return nil
+}
+
+func (p *phy) Get(_ context.Context, key string) (*physical.Entry, error) {
+	entries := p.entries[key]
+	if entries == nil {
+		return nil, nil
+	}
+	return entries[len(entries)-1], nil
+}
+
+func (p *phy) Delete(_ context.Context, key string) error {
+	p.t.Errorf("Delete called on phy: key: %v", key)
+	return nil
+}
+
+func (p *phy) List(_ context.Context, prefix string) ([]string, error) {
+	p.t.Errorf("List called on phy: prefix: %v", prefix)
+	return []string{}, nil
+}
+
+func (p *phy) Len() int {
+	return len(p.entries)
+}
+
+func TestAutoSeal_UpgradeKeys(t *testing.T) {
+	core, _, _ := TestCoreUnsealed(t)
+	testSeal, toggleableWrappers := seal.NewTestSeal(nil)
+
+	var encKeys []string
+	changeKey := func(key string) {
+		encKeys = append(encKeys, key)
+		toggleableWrappers[0].Wrapper.(*wrapping.TestWrapper).SetKeyId(key)
+	}
+
+	// Set initial encryption key.
+	changeKey("kaz")
+
+	autoSeal := NewAutoSeal(testSeal)
+	autoSeal.SetCore(core)
+	pBackend := newTestBackend(t)
+	core.physical = pBackend
+
+	ctx := context.Background()
+
+	inkeys := [][]byte{[]byte("grist"), []byte("house")}
+	if err := autoSeal.SetStoredKeys(ctx, inkeys); err != nil {
+		t.Fatalf("SetStoredKeys: want no error, got %v", err)
+	}
+
+	inRecoveryKey := []byte("falernum")
+	if err := autoSeal.SetRecoveryKey(ctx, inRecoveryKey); err != nil {
+		t.Fatalf("SetRecoveryKey: want no error, got %v", err)
+	}
+
+	check := func() {
+		// The values of the stored keys should never change.
+		outkeys, err := autoSeal.GetStoredKeys(ctx)
+		if err != nil {
+			t.Fatalf("GetStoredKeys: want no error, got %v", err)
+		}
+		if !reflect.DeepEqual(inkeys, outkeys) {
+			t.Errorf("incorrect stored keys: want %v, got %v", inkeys, outkeys)
+		}
+
+		// The value of the recovery key should also never change.
+		outRecoveryKey, err := autoSeal.RecoveryKey(ctx)
+		if err != nil {
+			t.Fatalf("RecoveryKey: want no error, got %v", err)
+		}
+		if !bytes.Equal(inRecoveryKey, outRecoveryKey) {
+			t.Errorf("incorrect recovery key: want %q, got %q", inRecoveryKey, outRecoveryKey)
+		}
+
+		// There should only be 2 entries in the physical backend. One for
+		// the stored keys and one for the recovery key.
+		if want, got := 2, pBackend.Len(); want != got {
+			t.Errorf("backend unexpected Len: want %d, got %d", want, got)
+		}
+
+		for phyKey, phyEntries := range pBackend.entries {
+			// Calling UpgradeKeys should only add an entry if the key has
+			// changed.
+			if keyCount, entryCount := len(encKeys), len(phyEntries); keyCount != entryCount {
+				t.Errorf("phyKey = %s: encryption key count not equal to entry count: keys=%d, entries=%d", phyKey, keyCount, entryCount)
+			}
+
+			// Each phyEntry should correspond to a key at the same index
+			// in encKeys. Iterate over each phyEntry and verify it was
+			// encrypted with its corresponding key in encKeys.
+			for i, phyEntry := range phyEntries {
+				wrappedEntryValue, err := UnmarshalSealWrappedValue(phyEntry.Value)
+				if err != nil {
+					t.Errorf("phyKey = %s: failed to unmarshal stored keys: %s", phyKey, err)
+				}
+				blobInfo := wrappedEntryValue.GetSlots()[0]
+				if blobInfo.KeyInfo == nil {
+					t.Errorf("phyKey = %s: KeyInfo missing: %+v", phyKey, blobInfo)
+				}
+				if want, got := encKeys[i], blobInfo.KeyInfo.KeyId; want != got {
+					t.Errorf("phyKey = %s: Incorrect encryption key: want %s, got %s", phyKey, want, got)
+				}
+			}
+		}
+	}
+
+	// Verify the current state is correct before calling UpgradeKeys.
+	check()
+
+	// Call UpgradeKeys before changing the encryption key and verify
+	// nothing has changed.
+	if err := autoSeal.UpgradeKeys(ctx); err != nil {
+		t.Fatalf("UpgradeKeys: want no error, got %v", err)
+	}
+	check()
+
+	// Change the encryption key, call UpgradeKeys, then verify the stored
+	// keys and recovery key has been re-encrypted with the new encryption
+	// key.
+	changeKey("primanti")
+	if err := autoSeal.UpgradeKeys(ctx); err != nil {
+		t.Fatalf("UpgradeKeys: want no error, got %v", err)
+	}
+	check()
+}
+
+func TestAutoSeal_HealthCheck(t *testing.T) {
+	inmemSink := metrics.NewInmemSink(
+		1000000*time.Hour,
+		2000000*time.Hour)
+
+	metricsConf := metrics.DefaultConfig("")
+	metricsConf.EnableHostname = false
+	metricsConf.EnableHostnameLabel = false
+	metricsConf.EnableServiceLabel = false
+	metricsConf.EnableTypePrefix = false
+
+	metrics.NewGlobal(metricsConf, inmemSink)
+
+	pBackend := newTestBackend(t)
+	testSealAccess, wrappers := seal.NewTestSeal(&seal.TestSealOpts{Name: "health-test"})
+	core, _, _ := TestCoreUnsealedWithConfig(t, &CoreConfig{
+		MetricSink: metricsutil.NewClusterMetricSink("", inmemSink),
+		Physical:   pBackend,
+	})
+	seal.HealthTestIntervalNominal = 10 * time.Millisecond
+	seal.HealthTestIntervalUnhealthy = 10 * time.Millisecond
+	autoSeal := NewAutoSeal(testSealAccess)
+	autoSeal.SetCore(core)
+	core.seal = autoSeal
+	autoSeal.StartHealthCheck()
+	defer autoSeal.StopHealthCheck()
+	wrappers[0].SetError(errors.New("disconnected"))
+
+	tries := 10
+	for tries = 10; tries > 0; tries-- {
+		if !autoSeal.Healthy() {
+			break
+		}
+		time.Sleep(100 * time.Millisecond)
+	}
+	if tries == 0 {
+		t.Fatalf("Expected to detect unhealthy seals")
+	}
+
+	wrappers[0].SetError(nil)
+	time.Sleep(50 * time.Millisecond)
+	if !autoSeal.Healthy() {
+		t.Fatal("Expected seals to be healthy")
+	}
+}
+
+func TestAutoSeal_BarrierSealConfigType(t *testing.T) {
+	singleWrapperAccess, _ := seal.NewTestSeal(&seal.TestSealOpts{WrapperCount: 1})
+	multipleWrapperAccess, _ := seal.NewTestSeal(&seal.TestSealOpts{WrapperCount: 2})
+
+	require.Equalf(t, singleWrapperAccess.GetAllSealWrappersByPriority()[0].SealConfigType, NewAutoSeal(singleWrapperAccess).BarrierSealConfigType().String(),
+		"autoseals that have a single seal wrapper report that wrapper's as the barrier seal type")
+
+	require.Equalf(t, SealConfigTypeMultiseal, NewAutoSeal(multipleWrapperAccess).BarrierSealConfigType(),
+		"autoseals that have a multiple seal wrappers report the barrier seal type as Multiseal")
+}
diff --git a/ui/lib/pki/addon/components/pki-generate-root.hbs b/ui/lib/pki/addon/components/pki-generate-root.hbs
index f94cfb58e4ed..75562431823a 100644
--- a/ui/lib/pki/addon/components/pki-generate-root.hbs
+++ b/ui/lib/pki/addon/components/pki-generate-root.hbs
@@ -1,115 +1,145 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-{{! Show results if model has an ID, which is only generated after save }}
-{{#if @model.id}}
-  <main class="box is-fullwidth is-sideless is-paddingless is-marginless">
-    {{#each this.returnedFields as |field|}}
-      {{#let (find-by "name" field @model.allFields) as |attr|}}
-        {{#if attr.options.detailLinkTo}}
-          <InfoTableRow
-            @label={{capitalize (or attr.options.detailsLabel attr.options.label (humanize (dasherize attr.name)))}}
-            @value={{get @model attr.name}}
-            @addCopyButton={{or (eq attr.name "issuerId") (eq attr.name "keyId")}}
-          >
-            <LinkTo @route={{attr.options.detailLinkTo}} @model={{get @model attr.name}}>{{get @model attr.name}}</LinkTo>
-          </InfoTableRow>
-        {{else if attr.options.isCertificate}}
-          <InfoTableRow
-            @label={{capitalize (or attr.options.detailsLabel attr.options.label (humanize (dasherize attr.name)))}}
-          >
-            <CertificateCard @data={{get @model attr.name}} />
-          </InfoTableRow>
-        {{else}}
-          <InfoTableRow
-            @label={{capitalize (or attr.options.detailsLabel attr.options.label (humanize (dasherize attr.name)))}}
-            @value={{get @model attr.name}}
-          />
-        {{/if}}
-      {{/let}}
-    {{/each}}
-    <InfoTableRow @label="Private key">
-      {{#if @model.privateKey}}
-        <CertificateCard @data={{@model.privateKey}} />
-      {{else}}
-        <span class="tag">internal</span>
-      {{/if}}
-    </InfoTableRow>
-    <InfoTableRow @label="Private key type" @value={{@model.privateKeyType}}>
-      <span class="{{unless @model.privateKeyType 'tag'}}">{{or @model.privateKeyType "internal"}}</span>
-    </InfoTableRow>
-    <ParsedCertificateInfoRows @model={{@model.parsedCertificate}} />
-  </main>
-  <footer>
-    <div class="field is-grouped is-fullwidth has-top-margin-l">
-      <Hds::Button @text="Done" {{on "click" @onComplete}} data-test-done />
-    </div>
-  </footer>
-{{else}}
-  <form {{on "submit" (perform this.save)}} data-test-pki-config-generate-root-form>
-    <MessageError @errorMessage={{this.errorBanner}} class="has-top-margin-s" />
-    <h2 class="title is-size-5 has-border-bottom-light page-header" data-test-generate-root-title="Root parameters">
-      Root parameters
-    </h2>
-    {{#each this.defaultFields as |field|}}
-      {{#let (find-by "name" field @model.allFields) as |attr|}}
-        <FormField @attr={{attr}} @model={{@model}} @modelValidations={{this.modelValidations}} data-test-field>
-          {{#if (eq field "customTtl")}}
-            {{! customTtl attr has editType yield, which will render this }}
-            <PkiNotValidAfterForm @attr={{attr}} @model={{@model}} />
-          {{/if}}
-        </FormField>
-      {{/let}}
-    {{/each}}
-
-    <PkiGenerateToggleGroups @model={{@model}} @modelValidations={{this.modelValidations}} />
-
-    {{#if @urls}}
-      <fieldset class="box is-shadowless is-marginless is-borderless is-fullwidth" data-test-urls-section>
-        <h2
-          class="title is-size-5 page-header {{if @urls.canCreate 'has-border-bottom-light' 'is-borderless'}}"
-          data-test-generate-root-title="Issuer URLs"
-        >
-          Issuer URLs
-        </h2>
-        {{#if @urls.canSet}}
-          {{#each @urls.allFields as |attr|}}
-            {{#if (not-eq attr.name "mountPath")}}
-              <FormField
-                @attr={{attr}}
-                @mode="create"
-                @model={{@urls}}
-                @showHelpText={{attr.options.showHelpText}}
-                data-test-urls-field
-              />
-            {{/if}}
-          {{/each}}
-        {{else}}
-          <EmptyState
-            @title="You do not have permissions to set URLs."
-            @message="These are not required but will need to be configured later. You can do this via the CLI or by changing your permissions and returning to this form."
-          />
-        {{/if}}
-      </fieldset>
-    {{/if}}
-
-    <hr class="has-background-gray-100" />
-    <Hds::ButtonSet>
-      <Hds::Button @text="Done" type="submit" data-test-pki-generate-root-save />
-      <Hds::Button @text="Cancel" @color="secondary" {{on "click" @onCancel}} data-test-pki-generate-root-cancel />
-    </Hds::ButtonSet>
-    {{#if this.invalidFormAlert}}
-      <div class="control">
-        <AlertInline
-          @type="danger"
-          @paddingTop={{true}}
-          @message={{this.invalidFormAlert}}
-          @mimicRefresh={{true}}
-          data-test-pki-generate-root-validation-error
-        />
-      </div>
-    {{/if}}
-  </form>
-{{/if}}
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package seal
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
+)
+
+func Test_keyIdSet(t *testing.T) {
+	type args struct {
+		value *MultiWrapValue
+	}
+	tests := []struct {
+		name      string
+		idsToSet  []string
+		idsToTest []string
+		want      bool
+	}{
+		{
+			name:      "a single ID",
+			idsToSet:  []string{"Nexus 6"},
+			idsToTest: []string{"Nexus 6"},
+			want:      true,
+		},
+		{
+			name:      "two sets of equal IDs",
+			idsToSet:  []string{"A", "B"},
+			idsToTest: []string{"A", "B"},
+			want:      true,
+		},
+		{
+			name:      "two sets of equal IDs, with duplicated ids set",
+			idsToSet:  []string{"A", "B", "A"},
+			idsToTest: []string{"A", "B"},
+			want:      true,
+		},
+		{
+			name:      "two sets of equal IDs, with duplicated ids tested",
+			idsToSet:  []string{"A", "B"},
+			idsToTest: []string{"A", "B", "A"},
+			want:      true,
+		},
+		{
+			name:      "two sets of equal IDs in different order",
+			idsToSet:  []string{"A", "B"},
+			idsToTest: []string{"B", "A"},
+			want:      true,
+		},
+		{
+			name:      "two sets of different IDs",
+			idsToSet:  []string{"A", "B"},
+			idsToTest: []string{"B", "C"},
+			want:      false,
+		},
+	}
+	for _, tt := range tests {
+		useSetIds := func(s *keyIdSet) {
+			s.setIds(tt.idsToSet)
+		}
+		useSet := func(s *keyIdSet) {
+			mwv := &MultiWrapValue{Generation: 6}
+			for _, id := range tt.idsToSet {
+				mwv.Slots = append(mwv.Slots, &wrapping.BlobInfo{
+					KeyInfo: &wrapping.KeyInfo{
+						KeyId: id,
+					},
+				})
+			}
+			s.set(mwv)
+		}
+
+		runTest := func(name string, setter func(*keyIdSet)) {
+			t.Run(name, func(t *testing.T) {
+				s := &keyIdSet{}
+				setter(s)
+
+				mwv := &MultiWrapValue{Generation: 6}
+				for _, id := range tt.idsToTest {
+					mwv.Slots = append(mwv.Slots, &wrapping.BlobInfo{
+						KeyInfo: &wrapping.KeyInfo{
+							KeyId: id,
+						},
+					})
+				}
+				if got := s.equal(mwv); got != tt.want {
+					t.Errorf("equal() = %v, want %v, IDs set: %v, IDs tested: %v",
+						got, tt.want, tt.idsToSet, tt.idsToTest)
+				}
+			})
+		}
+		runTest(tt.name+".set()", useSet)
+		runTest(tt.name+".setIDs", useSetIds)
+	}
+}
+
+// Test_Encrypt_duplicate_keyIds verifies that if two seal wrappers produce the same Key ID, an error
+// will be returned for both.
+func Test_Encrypt_duplicate_keyIds(t *testing.T) {
+	ctx := context.Background()
+
+	setId := func(w *SealWrapper, keyId string) {
+		testWrapper := w.Wrapper.(*ToggleableWrapper).Wrapper.(*wrapping.TestWrapper)
+		testWrapper.SetKeyId(keyId)
+	}
+
+	getId := func(w *SealWrapper) string {
+		id, err := w.Wrapper.KeyId(ctx)
+		if err != nil {
+			t.Fatal(err)
+		}
+		return id
+	}
+
+	access, _ := NewTestSeal(&TestSealOpts{WrapperCount: 3})
+
+	// Set up - make the key IDs the same for the last two wrappers
+	wrappers := access.GetAllSealWrappersByPriority()
+	setId(wrappers[1], "this-key-is-duplicated")
+	setId(wrappers[2], "this-key-is-duplicated")
+
+	// Some sanity checks
+	require.NotEqual(t, wrappers[0].Name, wrappers[1].Name)
+	require.NotEqual(t, wrappers[1].Name, wrappers[2].Name)
+	require.NotEqual(t, getId(wrappers[0]), getId(wrappers[1]))
+	require.Equal(t, getId(wrappers[1]), getId(wrappers[2]))
+
+	// Encrypt a value
+	mwv, errorMap := access.Encrypt(ctx, []byte("Rinconete y Cortadillo"))
+
+	// Assertions
+	require.NotNilf(t, mwv, "seal 0 should have succeeded")
+
+	requireDuplicateErr := func(w *SealWrapper) {
+		require.ErrorContains(t, errorMap[w.Name], fmt.Sprintf("seal %v has returned duplicate key ID", w.Name))
+	}
+	requireDuplicateErr(wrappers[1])
+	requireDuplicateErr(wrappers[2])
+}
diff --git a/ui/lib/pki/addon/components/pki-key-form.hbs b/ui/lib/pki/addon/components/pki-key-form.hbs
index 9dcd62dc264b..db3a77ee79bb 100644
--- a/ui/lib/pki/addon/components/pki-key-form.hbs
+++ b/ui/lib/pki/addon/components/pki-key-form.hbs
@@ -1,65 +1,157 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<form {{on "submit" (perform this.save)}}>
-  <div class="box is-sideless is-fullwidth is-marginless">
-    <MessageError @errorMessage={{this.errorBanner}} class="has-top-margin-s" />
-    <NamespaceReminder @mode={{if @model.isNew "generate" "update"}} @noun="PKI key" />
-    {{#if @model.isNew}}
-      {{#each @model.formFieldGroups as |fieldGroup|}}
-        {{#each-in fieldGroup as |group fields|}}
-          {{#if (eq group "Key parameters")}}
-            <PkiKeyParameters @model={{@model}} @fields={{fields}} @modelValidations={{this.modelValidations}} />
-          {{else}}
-            {{#each fields as |attr|}}
-              <FormField
-                data-test-field={{attr}}
-                @attr={{attr}}
-                @model={{@model}}
-                @modelValidations={{this.modelValidations}}
-                @showHelpText={{false}}
-              />
-            {{/each}}
-          {{/if}}
-        {{/each-in}}
-      {{/each}}
-    {{else}}
-      {{! only key name is edit-able }}
-      {{#let (find-by "name" "keyName" @model.formFields) as |keyName|}}
-        <FormField data-test-field={{keyName}} @attr={{keyName}} @model={{@model}} @showHelpText={{false}} />
-      {{/let}}
-      {{#let (find-by "name" "keyType" @model.formFields) as |keyType|}}
-        <ReadonlyFormField @attr={{keyType}} @value={{@model.keyType}} />
-      {{/let}}
-    {{/if}}
-  </div>
-  <Hds::ButtonSet class="has-top-padding-s">
-    <Hds::Button
-      @text={{if @model.isNew "Generate key" "Edit key"}}
-      @icon={{if this.save.isRunning "loading"}}
-      type="submit"
-      disabled={{this.save.isRunning}}
-      data-test-pki-key-save
-    />
-    <Hds::Button
-      @text="Cancel"
-      @color="secondary"
-      disabled={{this.save.isRunning}}
-      {{on "click" @onCancel}}
-      data-test-pki-key-cancel
-    />
-  </Hds::ButtonSet>
-  {{#if this.invalidFormAlert}}
-    <div class="control">
-      <AlertInline
-        @type="danger"
-        @paddingTop={{true}}
-        @message={{this.invalidFormAlert}}
-        @mimicRefresh={{true}}
-        data-test-pki-key-validation-error
-      />
-    </div>
-  {{/if}}
-</form>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package seal
+
+import (
+	"context"
+	"fmt"
+	"sync"
+
+	UUID "github.com/hashicorp/go-uuid"
+
+	"github.com/hashicorp/vault/sdk/helper/logging"
+
+	"github.com/hashicorp/go-hclog"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
+)
+
+type TestSealOpts struct {
+	Logger       hclog.Logger
+	StoredKeys   StoredKeysSupport
+	Secrets      [][]byte
+	Name         wrapping.WrapperType
+	WrapperCount int
+	Generation   uint64
+}
+
+func NewTestSealOpts(opts *TestSealOpts) *TestSealOpts {
+	if opts == nil {
+		opts = new(TestSealOpts)
+	}
+	if opts.WrapperCount == 0 {
+		opts.WrapperCount = 1
+	}
+	if opts.Logger == nil {
+		opts.Logger = logging.NewVaultLogger(hclog.Debug)
+	}
+	if opts.Generation == 0 {
+		// we might at some point need to allow Generation == 0
+		opts.Generation = 1
+	}
+	switch len(opts.Secrets) {
+	case opts.WrapperCount:
+		// all good, each wrapper has its own secret
+
+	case 0:
+		if opts.WrapperCount == 1 {
+			// If there is only one wrapper, the default TestWrapper behaviour of reversing
+			// the bytes slice is fine.
+			opts.Secrets = [][]byte{nil}
+		} else {
+			// If there is more than one wrapper, each one needs a different secret
+			for i := 0; i < opts.WrapperCount; i++ {
+				uuid, err := UUID.GenerateUUID()
+				if err != nil {
+					panic(fmt.Sprintf("error generating secret: %v", err))
+				}
+				opts.Secrets = append(opts.Secrets, []byte(uuid))
+			}
+		}
+
+	default:
+		panic(fmt.Sprintf("wrong number of secrets %d vs %d wrappers", len(opts.Secrets), opts.WrapperCount))
+	}
+	return opts
+}
+
+func NewTestSeal(opts *TestSealOpts) (Access, []*ToggleableWrapper) {
+	opts = NewTestSealOpts(opts)
+	wrappers := make([]*ToggleableWrapper, opts.WrapperCount)
+	sealWrappers := make([]*SealWrapper, opts.WrapperCount)
+	ctx := context.Background()
+	for i := 0; i < opts.WrapperCount; i++ {
+		wrapperName := fmt.Sprintf("%s-%d", opts.Name, i+1)
+		wrappers[i] = &ToggleableWrapper{Wrapper: wrapping.NewTestWrapper(opts.Secrets[i])}
+		_, err := wrappers[i].Wrapper.SetConfig(context.Background(), wrapping.WithKeyId(wrapperName))
+		if err != nil {
+			panic(err)
+		}
+		wrapperType, err := wrappers[i].Type(ctx)
+		if err != nil {
+			panic(err)
+		}
+		sealWrappers[i] = NewSealWrapper(
+			wrappers[i],
+			i+1,
+			wrapperName,
+			wrapperType.String(),
+			false,
+			true,
+		)
+	}
+
+	sealAccess, err := NewAccessFromSealWrappers(nil, opts.Generation, true, sealWrappers)
+	if err != nil {
+		panic(err)
+	}
+	return sealAccess, wrappers
+}
+
+type TestSealWrapperOpts struct {
+	Logger       hclog.Logger
+	Secret       []byte
+	Name         wrapping.WrapperType
+	WrapperCount int
+}
+
+type ToggleableWrapper struct {
+	wrapping.Wrapper
+	wrapperType  *wrapping.WrapperType
+	error        error
+	encryptError error
+	l            sync.RWMutex
+}
+
+func (t *ToggleableWrapper) Encrypt(ctx context.Context, bytes []byte, opts ...wrapping.Option) (*wrapping.BlobInfo, error) {
+	t.l.RLock()
+	defer t.l.RUnlock()
+	if t.error != nil {
+		return nil, t.error
+	}
+	if t.encryptError != nil {
+		return nil, t.encryptError
+	}
+	return t.Wrapper.Encrypt(ctx, bytes, opts...)
+}
+
+func (t ToggleableWrapper) Decrypt(ctx context.Context, info *wrapping.BlobInfo, opts ...wrapping.Option) ([]byte, error) {
+	t.l.RLock()
+	defer t.l.RUnlock()
+	if t.error != nil {
+		return nil, t.error
+	}
+	return t.Wrapper.Decrypt(ctx, info, opts...)
+}
+
+func (t *ToggleableWrapper) SetError(err error) {
+	t.l.Lock()
+	defer t.l.Unlock()
+	t.error = err
+}
+
+// An error only occuring on encrypt
+func (t *ToggleableWrapper) SetEncryptError(err error) {
+	t.l.Lock()
+	defer t.l.Unlock()
+	t.encryptError = err
+}
+
+func (t *ToggleableWrapper) Type(ctx context.Context) (wrapping.WrapperType, error) {
+	if t.wrapperType != nil {
+		return *t.wrapperType, nil
+	}
+	return t.Wrapper.Type(ctx)
+}
+
+var _ wrapping.Wrapper = &ToggleableWrapper{}
diff --git a/ui/lib/pki/addon/components/pki-key-import.hbs b/ui/lib/pki/addon/components/pki-key-import.hbs
index aa3859b946e8..ea735b087505 100644
--- a/ui/lib/pki/addon/components/pki-key-import.hbs
+++ b/ui/lib/pki/addon/components/pki-key-import.hbs
@@ -1,47 +1,78 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<form {{on "submit" (perform this.submitForm)}} data-test-pki-key-import-form>
-  <MessageError @errorMessage={{this.errorBanner}} class="has-top-margin-s" />
-  <div class="box is-sideless is-fullwidth is-marginless">
-    <p class="has-bottom-margin-l">
-      Use this form to import a single pem encoded rsa, ec, or ed25519 key.
-      <DocLink @path="/vault/api-docs/secret/pki#import-key">
-        Importing a PKI key
-      </DocLink>
-    </p>
-    {{#let (find-by "name" "keyName" @model.formFields) as |attr|}}
-      <FormField data-test-field={{attr}} @attr={{attr}} @model={{@model}} @showHelpText={{false}} />
-    {{/let}}
-    <TextFile @onChange={{this.onFileUploaded}} @label="PEM Bundle" data-test-pki-key-file />
-  </div>
-  <Hds::ButtonSet class="has-top-padding-s">
-    <Hds::Button
-      @text="Import key"
-      @icon={{if this.submitForm.isRunning "loading"}}
-      type="submit"
-      disabled={{this.submitForm.isRunning}}
-      data-test-pki-key-import
-    />
-    <Hds::Button
-      @text="Cancel"
-      @color="secondary"
-      disabled={{this.submitForm.isRunning}}
-      {{on "click" this.cancel}}
-      data-test-pki-key-cancel
-    />
-  </Hds::ButtonSet>
-  {{#if this.invalidFormAlert}}
-    <div class="control">
-      <AlertInline
-        @type="danger"
-        @paddingTop={{true}}
-        @message={{this.invalidFormAlert}}
-        @mimicRefresh={{true}}
-        data-test-pki-key-validation-error
-      />
-    </div>
-  {{/if}}
-</form>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package vault
+
+import (
+	"github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
+	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
+	"github.com/hashicorp/vault/vault/seal"
+	testing "github.com/mitchellh/go-testing-interface"
+)
+
+// NewTestSeal creates a new seal for testing. If you want to use the same seal multiple times, such as for
+// a cluster, use NewTestSealFunc instead.
+func NewTestSeal(t testing.T, opts *seal.TestSealOpts) Seal {
+	t.Helper()
+	opts = seal.NewTestSealOpts(opts)
+	logger := corehelpers.NewTestLogger(t).Named("sealAccess")
+
+	switch opts.StoredKeys {
+	case seal.StoredKeysSupportedShamirRoot:
+		sealAccess, err := seal.NewAccessFromSealWrappers(logger, opts.Generation, true, []*seal.SealWrapper{
+			seal.NewSealWrapper(aead.NewShamirWrapper(), 1, "shamir", "shamir", false, true),
+		})
+		if err != nil {
+			t.Fatal("error creating test seal", err)
+		}
+		newSeal := NewDefaultSeal(sealAccess)
+		// Need StoredShares set or this will look like a legacy shamir seal.
+		newSeal.SetCachedBarrierConfig(&SealConfig{
+			StoredShares:    1,
+			SecretThreshold: 1,
+			SecretShares:    1,
+		})
+		return newSeal
+	case seal.StoredKeysNotSupported:
+		sealAccess, err := seal.NewAccessFromSealWrappers(logger, opts.Generation, true, []*seal.SealWrapper{
+			seal.NewSealWrapper(aead.NewShamirWrapper(), 1, "shamir", "shamir", false, true),
+		})
+		if err != nil {
+			t.Fatal("error creating test seal", err)
+		}
+		newSeal := NewDefaultSeal(sealAccess)
+		newSeal.SetCachedBarrierConfig(&SealConfig{
+			StoredShares:    0,
+			SecretThreshold: 1,
+			SecretShares:    1,
+		})
+		return newSeal
+	default:
+		access, _ := seal.NewTestSeal(opts)
+		return NewAutoSeal(access)
+	}
+}
+
+// NewTestSealFunc returns a function that creates seals. All such seals will have TestWrappers that
+// share the same secret, thus making them equivalent.
+func NewTestSealFunc(t testing.T, opts *seal.TestSealOpts) func() Seal {
+	testSeal := NewTestSeal(t, opts)
+
+	return func() Seal {
+		return cloneTestSeal(t, testSeal)
+	}
+}
+
+// CloneTestSeal creates a new test seal that shares the same seal wrappers as `testSeal`.
+func cloneTestSeal(t testing.T, testSeal Seal) Seal {
+	logger := corehelpers.NewTestLogger(t).Named("sealAccess")
+
+	access, err := seal.NewAccessFromSealWrappers(logger, testSeal.GetAccess().Generation(), testSeal.GetAccess().GetSealGenerationInfo().IsRewrapped(), testSeal.GetAccess().GetAllSealWrappersByPriority())
+	if err != nil {
+		t.Fatal("error cloning seal %v", err)
+	}
+	if testSeal.StoredKeysSupported() == seal.StoredKeysNotSupported {
+		return NewDefaultSeal(access)
+	}
+	return NewAutoSeal(access)
+}
diff --git a/ui/lib/pki/addon/components/pki-role-form.hbs b/ui/lib/pki/addon/components/pki-role-form.hbs
index 2b8d2cbdff6b..4ba94f6a98c6 100644
--- a/ui/lib/pki/addon/components/pki-role-form.hbs
+++ b/ui/lib/pki/addon/components/pki-role-form.hbs
@@ -1,144 +1,242 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<form {{on "submit" (perform this.save)}}>
-  <div class="box is-sideless is-fullwidth is-marginless">
-    <MessageError @errorMessage={{this.errorBanner}} class="has-top-margin-s" />
-    <NamespaceReminder @mode={{if @role.isNew "create" "update"}} @noun="PKI role" />
-    {{#each @role.formFieldGroups as |fieldGroup|}}
-      {{#each-in fieldGroup as |group fields|}}
-        {{! DEFAULT VIEW }}
-        {{#if (eq group "default")}}
-          {{#each fields as |attr|}}
-            {{#if (and (eq attr.name "issuerRef") @issuers)}}
-              <div class="has-top-margin-m {{unless this.showDefaultIssuer 'has-bottom-margin-xs' 'has-bottom-margin-m'}}">
-                <FormFieldLabel
-                  for={{attr.name}}
-                  @label="Issuer ref"
-                  @helpText={{(if this.showHelpText attr.options.helpText)}}
-                  @subText={{attr.options.subText}}
-                />
-                <Toggle
-                  @name={{concat attr.name "-toggle"}}
-                  @checked={{this.showDefaultIssuer}}
-                  @onChange={{this.toggleShowDefaultIssuer}}
-                >
-                  <span class="has-text-grey">Use default issuer</span>
-                </Toggle>
-              </div>
-              {{#unless this.showDefaultIssuer}}
-                <div class="has-top-margin-xs has-bottom-margin-l">
-                  <div class="select is-fullwidth">
-                    <Select
-                      @name={{attr.name}}
-                      @options={{this.issuers}}
-                      @valueAttribute={{"issuerDisplayName"}}
-                      @labelAttribute={{"issuerDisplayName"}}
-                      @isFullwidth={{true}}
-                      @selectedValue={{@role.issuerRef}}
-                      @onChange={{action (mut @role.issuerRef)}}
-                    />
-                  </div>
-                </div>
-              {{/unless}}
-            {{else}}
-              <FormField
-                data-test-field={{attr}}
-                @attr={{attr}}
-                @model={{@role}}
-                @modelValidations={{this.modelValidations}}
-                @showHelpText={{false}}
-              >
-                <PkiNotValidAfterForm @attr={{attr}} @model={{@role}} />
-              </FormField>
-            {{/if}}
-          {{/each}}
-        {{else}}
-          {{#let (camelize (concat "show" group)) as |prop|}}
-            <ToggleButton
-              @isOpen={{get @role prop}}
-              @openLabel={{concat "Hide " group}}
-              @closedLabel={{group}}
-              @onClick={{fn (mut (get @role prop))}}
-              class="is-block"
-              data-test-toggle-group={{group}}
-            />
-            {{#if (get @role prop)}}
-              <div class="box is-tall is-marginless" data-test-toggle-div={{group}}>
-                {{#let (get @role.fieldGroupsInfo group) as |toggleGroup|}}
-                  {{! HEADER }}
-                  {{#if toggleGroup.header}}
-                    <div class="has-bottom-margin-s">
-                      <FormFieldLabel
-                        for={{toggleGroup.header.name}}
-                        @label={{toggleGroup.header.label}}
-                        @subText={{toggleGroup.header.text}}
-                        @docLink={{toggleGroup.header.docLink}}
-                      />
-                    </div>
-                  {{/if}}
-                  {{! FIELDS }}
-                  {{#if (eq group "Key usage")}}
-                    <PkiKeyUsage @model={{@role}} />
-                  {{else if (eq group "Key parameters")}}
-                    <PkiKeyParameters @model={{@role}} @fields={{fields}} />
-                  {{else}}
-                    {{#each fields as |attr|}}
-                      <FormField
-                        data-test-field={{true}}
-                        @attr={{attr}}
-                        @model={{@role}}
-                        @modelValidations={{@roleValidations}}
-                        @showHelpText={{false}}
-                      >
-                        {{yield attr}}
-                      </FormField>
-                    {{/each}}
-                  {{/if}}
-                  {{! FOOTER }}
-                  {{#if toggleGroup.footer}}
-                    <p class="sub-text">
-                      <Icon @name="info" />
-                      {{toggleGroup.footer.text}}
-                      {{#if toggleGroup.footer.docLink}}
-                        <DocLink @path={{toggleGroup.footer.docLink}}>
-                          {{toggleGroup.footer.docText}}
-                        </DocLink>
-                      {{/if}}
-                    </p>
-                  {{/if}}
-                {{/let}}
-              </div>
-            {{/if}}
-          {{/let}}
-        {{/if}}
-      {{/each-in}}
-    {{/each}}
-  </div>
-  <Hds::ButtonSet class="has-top-padding-s">
-    <Hds::Button
-      @text={{if @role.isNew "Create" "Update"}}
-      @icon={{if this.save.isRunning "loading"}}
-      type="submit"
-      disabled={{this.save.isRunning}}
-      data-test-pki-role-save
-    />
-    <Hds::Button
-      @text="Cancel"
-      @color="secondary"
-      disabled={{this.save.isRunning}}
-      {{on "click" @onCancel}}
-      data-test-pki-role-cancel
-    />
-  </Hds::ButtonSet>
-  {{#if this.modelValidations.targets.errors}}
-    <AlertInline @type="danger" @message={{join ", " this.modelValidations.targets.errors}} @paddingTop={{true}} />
-  {{/if}}
-  {{#if this.invalidFormAlert}}
-    <div class="control">
-      <AlertInline @type="danger" @paddingTop={{true}} @message={{this.invalidFormAlert}} @mimicRefresh={{true}} />
-    </div>
-  {{/if}}
-</form>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package vault
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	"github.com/golang/protobuf/proto"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
+	"github.com/hashicorp/vault/sdk/physical"
+	"github.com/hashicorp/vault/vault/seal"
+)
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Seal Wrapping
+
+type PartialWrapFailCallback func(context.Context, map[string]error) error
+
+// Helper function to use for partial wrap fail callbacks where we don't want to allow a partial failure.  See
+// for example barrier or recovery key wrapping.  Just don't allow for those risky scenarios
+var DisallowPartialSealWrap = func(ctx context.Context, errs map[string]error) error {
+	return &seal.PartialSealWrapError{seal.JoinSealWrapErrors("not allowing operation to proceed without full wrapping involving all configured seals", errs)}
+}
+
+// SealWrapValue creates a SealWrappedValue wrapper with the entryValue being optionally encrypted with the give seal Access.
+func SealWrapValue(ctx context.Context, access seal.Access, encrypt bool, entryValue []byte, wrapFailCallback PartialWrapFailCallback) (*SealWrappedValue, error) {
+	if access == nil {
+		return newTransitorySealWrappedValue(&wrapping.BlobInfo{
+			Wrapped:    false,
+			Ciphertext: entryValue,
+		}), nil
+	}
+	if !encrypt {
+		// Maybe this should also be a transitory value, since we want to encrypt
+		// as soon as we can?
+		return NewPlaintextSealWrappedValue(access.Generation(), entryValue), nil
+	}
+
+	multiWrapValue, errs := access.Encrypt(ctx, entryValue, nil)
+	if multiWrapValue == nil {
+		// no seal encryption was successful
+		return nil, seal.JoinSealWrapErrors("error seal wrapping value: encryption generated no results", errs)
+	}
+
+	if len(errs) > 0 {
+		// Partial failure, note this by calling the provided callback, if present
+		if err := wrapFailCallback(ctx, errs); err != nil {
+			// If the callback returns an error, caller is indicating it doesn't want this to proceed
+			return nil, err
+		}
+	}
+
+	// Why are we "cleaning up" the blob infos?
+	var ret []*wrapping.BlobInfo
+	for _, blobInfo := range multiWrapValue.Slots {
+		ret = append(ret, &wrapping.BlobInfo{
+			Wrapped:    true,
+			Ciphertext: blobInfo.Ciphertext,
+			Iv:         blobInfo.Iv,
+			Hmac:       blobInfo.Hmac,
+			KeyInfo:    blobInfo.KeyInfo,
+		})
+	}
+
+	return NewSealWrappedValue(&seal.MultiWrapValue{
+		Generation: multiWrapValue.Generation,
+		Slots:      ret,
+	}), nil
+}
+
+// UnsealWrapValue uses the seal Access to decrypt the wrappedEntryValue. It returns the decrypted value
+// and a flag indicating whether the wrappedEntryValue is current (according to Access.IsUpToDate).
+// migration is in progress.
+func UnsealWrapValue(ctx context.Context, access seal.Access, entryKey string, wrappedEntryValue *SealWrappedValue) (entryValue []byte, uptodate bool, err error) {
+	multiWrapValue := &seal.MultiWrapValue{
+		Generation: wrappedEntryValue.GetGeneration(),
+	}
+	for _, blobInfo := range wrappedEntryValue.GetSlots() {
+		// TODO(SEALHA): Why doesn't sealWrapValue() set ValuePath? Could it be a migration issue? Can we stop setting it?
+		blobInfoWithValuePath := &wrapping.BlobInfo{
+			ValuePath:  entryKey,
+			Ciphertext: blobInfo.Ciphertext,
+			Iv:         blobInfo.Iv,
+			Hmac:       blobInfo.Hmac,
+			KeyInfo:    blobInfo.KeyInfo,
+		}
+		multiWrapValue.Slots = append(multiWrapValue.Slots, blobInfoWithValuePath)
+	}
+
+	entryValue, uptodate, err = access.Decrypt(ctx, multiWrapValue, nil)
+	if err != nil {
+		if isSealOldKeyError(err) {
+			uptodate = false
+		} else {
+			return nil, false, err
+		}
+	}
+
+	return entryValue, uptodate, nil
+}
+
+// MarshalSealWrappedValue marshals a SealWrappedValue into a byte slice. If the seal wrapped value contains
+// a single wrapping.BlobInfo, the BlobInfo will be marshalled directly; otherwise the SealWrappedValue
+// will be.
+func MarshalSealWrappedValue(wrappedEntryValue *SealWrappedValue) ([]byte, error) {
+	if len(wrappedEntryValue.value.Slots) > 1 {
+		return wrappedEntryValue.marshal()
+	}
+
+	return proto.Marshal(wrappedEntryValue.value.Slots[0])
+}
+
+// UnmarshalSealWrappedValue attempts to unmarshal a SealWrappedValue. This method can unmarshal marshalled
+// SealWrappedValues as well as wrapping.BlobInfos. When a BlobInfo is encountered, a "transitory"
+// SealWrappedValue will be returned.
+func UnmarshalSealWrappedValue(value []byte) (*SealWrappedValue, error) {
+	swv := &SealWrappedValue{}
+	swvErr := swv.unmarshal(value)
+	if swvErr == nil {
+		return swv, nil
+	}
+
+	blobInfo := &wrapping.BlobInfo{}
+	blobInfoErr := proto.Unmarshal(value, blobInfo)
+	if blobInfoErr == nil {
+		return newTransitorySealWrappedValue(blobInfo), nil
+	}
+
+	return nil, fmt.Errorf("error unmarshalling seal wrapped value: %w, %w", swvErr, blobInfoErr)
+}
+
+// UnmarshalSealWrappedValueWithCanary unmarshalls a byte array into a SealWrappedValue, taking care of
+// removing the 's' canary value.
+// This method returns true if a SealWrappedValue was successfully unmarshaled.
+func UnmarshalSealWrappedValueWithCanary(value []byte) (*SealWrappedValue, bool) {
+	eLen := len(value)
+	if eLen > 0 && value[eLen-1] == 's' {
+		if wrappedEntryValue, err := UnmarshalSealWrappedValue(value[:eLen-1]); err == nil {
+			return wrappedEntryValue, true
+		}
+		// Else, note that having the canary value present is not a guarantee that
+		// the value is wrapped, so if there is an error we will simply return a nil BlobInfo.
+	}
+	return nil, false
+}
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Stored Barrier Keys (a.k.a. Root Key)
+
+// SealWrapStoredBarrierKeys takes the barrier (root) keys, encrypts them using the seal access,
+// and returns a physical.Entry for storage.
+func SealWrapStoredBarrierKeys(ctx context.Context, access seal.Access, keys [][]byte) (*physical.Entry, error) {
+	// Note that even though keys is a slice, it seems to always contain a single key.
+	buf, err := json.Marshal(keys)
+	if err != nil {
+		return nil, fmt.Errorf("failed to encode keys for storage: %w", err)
+	}
+
+	wrappedEntryValue, err := SealWrapValue(ctx, access, true, buf, DisallowPartialSealWrap)
+	if err != nil {
+		return nil, &ErrEncrypt{Err: fmt.Errorf("failed to encrypt keys for storage: %w", err)}
+	}
+
+	// Watch out, Wrapped has to be false for StoredBarrierKeysPath, since it used to be that the BlobInfo
+	// returned by access.Encrypt() was marshalled directly. It probably would not matter if the value
+	// was true, but setting if to false here makes TestSealWrapBackend_StorageBarrierKeyUpgrade_FromIVEntry
+	// pass (maybe other tests as well?).
+	for _, blobInfo := range wrappedEntryValue.GetSlots() {
+		blobInfo.Wrapped = false
+	}
+
+	wrappedValue, err := MarshalSealWrappedValue(wrappedEntryValue)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal value for storage: %w", err)
+	}
+	return &physical.Entry{
+		Key:   StoredBarrierKeysPath,
+		Value: wrappedValue,
+	}, nil
+}
+
+// UnsealWrapStoredBarrierKeys is the counterpart to SealWrapStoredBarrierKeys.
+func UnsealWrapStoredBarrierKeys(ctx context.Context, access seal.Access, pe *physical.Entry) ([][]byte, error) {
+	wrappedEntryValue, err := UnmarshalSealWrappedValue(pe.Value)
+	if err != nil {
+		return nil, fmt.Errorf("failed to proto decode stored keys: %w", err)
+	}
+
+	return decodeBarrierKeys(ctx, access, &wrappedEntryValue.value)
+}
+
+func decodeBarrierKeys(ctx context.Context, access seal.Access, multiWrapValue *seal.MultiWrapValue) ([][]byte, error) {
+	pt, _, err := access.Decrypt(ctx, multiWrapValue, nil)
+	if err != nil {
+		if strings.Contains(err.Error(), "message authentication failed") {
+			return nil, &ErrInvalidKey{Reason: fmt.Sprintf("failed to decrypt keys from storage: %v", err)}
+		}
+		return nil, &ErrDecrypt{Err: fmt.Errorf("failed to decrypt keys from storage: %w", err)}
+	}
+
+	// Decode the barrier entry
+	var keys [][]byte
+	if err := json.Unmarshal(pt, &keys); err != nil {
+		return nil, fmt.Errorf("failed to decode stored keys: %v", err)
+	}
+	return keys, nil
+}
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Recovery Key
+
+// SealWrapRecoveryKey encrypts the recovery key using the given seal access and returns a physical.Entry for storage.
+func SealWrapRecoveryKey(ctx context.Context, access seal.Access, key []byte) (*physical.Entry, error) {
+	wrappedEntryValue, err := SealWrapValue(ctx, access, true, key, DisallowPartialSealWrap)
+	if err != nil {
+		return nil, &ErrEncrypt{Err: fmt.Errorf("failed to encrypt recovery key for storage: %w", err)}
+	}
+
+	wrappedValue, err := MarshalSealWrappedValue(wrappedEntryValue)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal value for storage: %w", err)
+	}
+	return &physical.Entry{
+		Key:   recoveryKeyPath,
+		Value: wrappedValue,
+	}, nil
+}
+
+// UnsealWrapRecoveryKey is the counterpart to SealWrapRecoveryKey.
+func UnsealWrapRecoveryKey(ctx context.Context, access seal.Access, pe *physical.Entry) ([]byte, error) {
+	wrappedEntryValue, err := UnmarshalSealWrappedValue(pe.Value)
+	if err != nil {
+		return nil, fmt.Errorf("failed to proto decode recevory key: %w", err)
+	}
+
+	pt, _, err := UnsealWrapValue(ctx, access, pe.Key, wrappedEntryValue)
+	return pt, err
+}
diff --git a/ui/lib/pki/addon/components/pki-role-generate.hbs b/ui/lib/pki/addon/components/pki-role-generate.hbs
index e1bebc7e31d8..421024c7e8a1 100644
--- a/ui/lib/pki/addon/components/pki-role-generate.hbs
+++ b/ui/lib/pki/addon/components/pki-role-generate.hbs
@@ -1,52 +1,146 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-{{#if @model.serialNumber}}
-  <Page::PkiCertificateDetails @model={{@model}} @onBack={{this.cancel}} />
-{{else}}
-  <form {{on "submit" (perform this.save)}} data-test-pki-generate-cert-form>
-    <div class="box is-bottomless is-fullwidth is-marginless">
-      <MessageError @errorMessage={{this.errorBanner}} />
-      <NamespaceReminder @mode="create" @noun="certificate" />
-      {{#let (get @model.formFieldGroups "0") as |defaultGroup|}}
-        {{#each defaultGroup.default as |attr|}}
-          <FormField @model={{@model}} @attr={{attr}} @modelValidations={{this.modelValidations}}>
-            <PkiNotValidAfterForm @attr={{attr}} @model={{@model}} />
-          </FormField>
-        {{/each}}
-      {{/let}}
-      <FormFieldGroups
-        @model={{@model}}
-        @renderGroup="Subject Alternative Name (SAN) Options"
-        @groupName="formFieldGroups"
-        @showHelpText={{false}}
-      />
-    </div>
-    <hr class="has-background-gray-100" />
-    <Hds::ButtonSet>
-      <Hds::Button
-        @text={{capitalize this.verb}}
-        @icon={{if this.save.isRunning "loading"}}
-        type="submit"
-        disabled={{this.save.isRunning}}
-        data-test-pki-generate-button
-      />
-      <Hds::Button
-        @text="Cancel"
-        @color="secondary"
-        disabled={{this.save.isRunning}}
-        {{on "click" this.cancel}}
-        data-test-pki-generate-cancel
-      />
-    </Hds::ButtonSet>
-
-    {{#if this.invalidFormAlert}}
-      <div class="control" data-test-alert>
-        <AlertInline @type="danger" @paddingTop={{true}} @message={{this.invalidFormAlert}} @mimicRefresh={{true}} />
-      </div>
-    {{/if}}
-
-  </form>
-{{/if}}
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package seal
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	mathrand "math/rand"
+	"sync"
+	"time"
+
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
+)
+
+type PartialSealWrapError struct {
+	Err error
+}
+
+func (p *PartialSealWrapError) Error() string {
+	return p.Err.Error()
+}
+
+// SealWrapper contains a Wrapper and related information needed by the seal that uses it.
+// Use NewSealWrapper to construct new instances, do not do it directly.
+type SealWrapper struct {
+	Wrapper  wrapping.Wrapper
+	Priority int
+	Name     string
+
+	// sealConfigType is the KMS.Type of this wrapper. It is a string rather than a SealConfigType
+	// to avoid a circular go package depency
+	SealConfigType string
+
+	// Disabled indicates, when true indicates that this wrapper should only be used for decryption.
+	Disabled bool
+
+	// Configured indicates the wrapper was successfully configured at initialization
+	Configured bool
+
+	// hcLock protects lastHealthy, lastSeenHealthy, and healthy.
+	// Do not modify those fields directly, use setHealth instead.
+	// Do not access these fields directly, use getHealth instead.
+	hcLock          sync.RWMutex
+	lastHealthCheck time.Time
+	lastSeenHealthy time.Time
+	healthy         bool
+}
+
+func NewSealWrapper(wrapper wrapping.Wrapper, priority int, name string, sealConfigType string, disabled bool, configured bool) *SealWrapper {
+	ret := &SealWrapper{
+		Wrapper:        wrapper,
+		Priority:       priority,
+		Name:           name,
+		SealConfigType: sealConfigType,
+		Disabled:       disabled,
+		Configured:     configured,
+	}
+
+	if configured {
+		setHealth(ret, true, time.Now(), ret.lastHealthCheck)
+	} else {
+		setHealth(ret, false, time.Now(), ret.lastHealthCheck)
+	}
+
+	return ret
+}
+
+func (sw *SealWrapper) SetHealthy(healthy bool, checkTime time.Time) {
+	if healthy {
+		setHealth(sw, true, checkTime, checkTime)
+	} else {
+		// do not update lastSeenHealthy
+		setHealth(sw, false, sw.lastHealthCheck, checkTime)
+	}
+}
+
+func (sw *SealWrapper) IsHealthy() bool {
+	healthy, _, _ := getHealth(sw)
+
+	return healthy
+}
+
+func (sw *SealWrapper) LastSeenHealthy() time.Time {
+	_, lastSeenHealthy, _ := getHealth(sw)
+
+	return lastSeenHealthy
+}
+
+func (sw *SealWrapper) LastHealthCheck() time.Time {
+	_, _, lastHealthCheck := getHealth(sw)
+
+	return lastHealthCheck
+}
+
+var (
+	// vars for unit testing
+	HealthTestIntervalNominal   = 10 * time.Minute
+	HealthTestIntervalUnhealthy = 1 * time.Minute
+	HealthTestTimeout           = 1 * time.Minute
+)
+
+func (sw *SealWrapper) CheckHealth(ctx context.Context, checkTime time.Time) error {
+	testVal := fmt.Sprintf("Heartbeat %d", mathrand.Intn(1000))
+	ciphertext, err := sw.Wrapper.Encrypt(ctx, []byte(testVal), nil)
+	if err != nil {
+		sw.SetHealthy(false, checkTime)
+		return fmt.Errorf("failed to encrypt test value, seal wrapper may be unreachable: %w", err)
+	}
+
+	ctx, cancel := context.WithTimeout(ctx, HealthTestTimeout)
+	defer cancel()
+	plaintext, err := sw.Wrapper.Decrypt(ctx, ciphertext, nil)
+	if err != nil && !IsOldKeyError(err) {
+		sw.SetHealthy(false, checkTime)
+		return fmt.Errorf("failed to decrypt test value, seal wrapper may be unreachable: %w", err)
+	}
+	if !bytes.Equal([]byte(testVal), plaintext) {
+		sw.SetHealthy(false, checkTime)
+		return errors.New("failed to decrypt health test value to expected result")
+	}
+
+	sw.SetHealthy(true, checkTime)
+
+	return nil
+}
+
+// getHealth is the only function allowed to inspect the health fields directly
+func getHealth(sw *SealWrapper) (healthy bool, lastSeenHealthy time.Time, lastHealthCheck time.Time) {
+	sw.hcLock.RLock()
+	defer sw.hcLock.RUnlock()
+
+	return sw.healthy, sw.lastSeenHealthy, sw.lastHealthCheck
+}
+
+// setHealth is the only function allowed to mutate the health fields
+func setHealth(sw *SealWrapper, healthy bool, lastSeenHealthy, lastHealthCheck time.Time) {
+	sw.hcLock.Lock()
+	defer sw.hcLock.Unlock()
+
+	sw.healthy = healthy
+	sw.lastSeenHealthy = lastSeenHealthy
+	sw.lastHealthCheck = lastHealthCheck
+}
diff --git a/ui/lib/pki/addon/components/pki-sign-intermediate-form.hbs b/ui/lib/pki/addon/components/pki-sign-intermediate-form.hbs
index c49c9471993d..8650d73fdab7 100644
--- a/ui/lib/pki/addon/components/pki-sign-intermediate-form.hbs
+++ b/ui/lib/pki/addon/components/pki-sign-intermediate-form.hbs
@@ -3,85 +3,220 @@
   SPDX-License-Identifier: BUSL-1.1
 ~}}
 
-{{#if @model.id}}
-  {{! Model only has ID once form has been submitted and saved }}
-  <Toolbar />
-  <main data-test-sign-intermediate-result>
-    <div class="box is-sideless is-fullwidth is-shadowless">
-      <Hds::Alert @type="inline" @color="highlight" class="has-bottom-margin-s" as |A|>
-        <A.Title>Next steps</A.Title>
-        <A.Description>
-          The CA Chain and Issuing CA values will only be available once. Make sure you copy and save it now.
-        </A.Description>
-      </Hds::Alert>
-      {{#each this.showFields as |fieldName|}}
-        {{#let (find-by "name" fieldName @model.allFields) as |attr|}}
-          <InfoTableRow @label={{or attr.options.label (humanize (dasherize attr.name))}} @value={{get @model attr.name}}>
-            {{#if (and attr.options.isCertificate (get @model attr.name))}}
-              <CertificateCard @data={{get @model attr.name}} />
-            {{else if (eq attr.name "serialNumber")}}
-              <LinkTo
-                @route="certificates.certificate.details"
-                @model={{@model.serialNumber}}
-              >{{@model.serialNumber}}</LinkTo>
-            {{else}}
-              <Icon @name="minus" />
-            {{/if}}
-          </InfoTableRow>
-        {{/let}}
-      {{/each}}
-      <ParsedCertificateInfoRows @model={{@model.parsedCertificate}} />
-    </div>
-  </main>
-{{else}}
-  <form {{on "submit" (perform this.save)}} data-test-sign-intermediate-form>
-    <div class="box is-sideless is-fullwidth is-marginless">
-      <MessageError @errorMessage={{this.errorBanner}} class="has-top-margin-s" />
-      <NamespaceReminder @mode={{"create"}} @noun="signed intermediate" />
-      {{#each @model.formFields as |attr|}}
-        <FormField
-          data-test-field={{attr}}
-          @attr={{attr}}
-          @model={{@model}}
-          @modelValidations={{this.modelValidations}}
-          @showHelpText={{false}}
+{{#if (eq @mode "create")}}
+  <form
+    class={{if @showAdvancedMode "advanced-edit" "simple-edit"}}
+    {{on "submit" (fn this.createOrUpdateKey @mode)}}
+    aria-label="secret create form"
+    {{did-insert this.setup @secretData @mode}}
+  >
+    <div class="field box is-fullwidth is-sideless is-marginless">
+      <NamespaceReminder @mode="create" @noun="secret" />
+      <MessageError @model={{@modelForData}} @errorMessage={{this.error}} />
+      <label class="is-label" for="kv-key">Path for this secret</label>
+      <p class="control is-expanded">
+        <Input
+          autocomplete="off"
+          spellcheck="false"
+          data-test-secret-path="true"
+          id="kv-key"
+          class="input {{if (get this.validationMessages 'path') 'has-error-border'}}"
+          @value={{get @modelForData @modelForData.pathAttr}}
+          {{on "keyup" (perform this.waitForKeyUp "path" value="target.value")}}
+        />
+      </p>
+      {{#if (get this.validationMessages "path")}}
+        <AlertInline @type="danger" @message={{capitalize (get this.validationMessages "path")}} class="has-top-padding-s" />
+      {{/if}}
+      {{#if @modelForData.isFolder}}
+        <p class="help has-text-danger">
+          The secret path may not end in
+          <code>/</code>
+        </p>
+      {{/if}}
+      {{#if this.pathWhiteSpaceWarning}}
+        <Hds::Alert
+          @type="inline"
+          @color="warning"
+          class="has-top-margin-m has-bottom-margin-s"
+          data-test-whitespace-warning
+          as |A|
         >
-          {{! attr customTtl has editType yield and will show this component }}
-          <PkiNotValidAfterForm @attr={{attr}} @model={{@model}} />
-        </FormField>
-      {{/each}}
-
-      <PkiGenerateToggleGroups @model={{@model}} @groups={{this.groups}} />
+          <A.Title>Warning</A.Title>
+          <A.Description>
+            Your secret path contains whitespace. If this is desired, you'll need to encode it with %20 in API calls.
+          </A.Description>
+        </Hds::Alert>
+      {{/if}}
     </div>
-
-    <Hds::ButtonSet class="has-top-padding-s">
-      <Hds::Button
-        @text="Save"
-        @icon={{if this.save.isRunning "loading"}}
-        type="submit"
-        disabled={{this.save.isRunning}}
-        data-test-pki-sign-intermediate-save
-      />
-      <Hds::Button
-        @text="Cancel"
-        @color="secondary"
-        class="has-left-margin-s"
-        disabled={{this.save.isRunning}}
-        {{on "click" this.cancel}}
-        data-test-pki-sign-intermediate-cancel
-      />
-    </Hds::ButtonSet>
-    {{#if this.inlineFormAlert}}
-      <div class="control">
-        <AlertInline
-          @type="danger"
-          @paddingTop={{true}}
-          @message={{this.inlineFormAlert}}
-          @mimicRefresh={{true}}
-          data-test-form-error
+    {{#if @showAdvancedMode}}
+      <div class="form-section">
+        <JsonEditor
+          @title="Secret Data"
+          @value={{this.codemirrorString}}
+          @valueUpdated={{this.codemirrorUpdated}}
+          @onFocusOut={{this.formatJSON}}
         />
       </div>
+    {{else}}
+      <div class="form-section">
+        <label class="title is-5">
+          Secret data
+        </label>
+        {{#each @secretData as |secret index|}}
+          <div class="info-table-row">
+            <div class="column is-one-quarter info-table-row-edit">
+              <Input
+                data-test-secret-key={{true}}
+                @value={{secret.name}}
+                placeholder="key"
+                {{on "change" this.handleChange}}
+                class="input"
+                autocomplete="off"
+                spellcheck="false"
+              />
+            </div>
+            <div class="column info-table-row-edit">
+              <MaskedInput
+                @name={{secret.name}}
+                @onChange={{fn this.handleMaskedInputChange secret index}}
+                @value={{secret.value}}
+                data-test-secret-value="true"
+              />
+            </div>
+            <div class="column is-narrow info-table-row-edit">
+              {{#if (eq @secretData.length (inc index))}}
+                <Hds::Button @text="Add" @color="secondary" {{on "click" this.addRow}} data-test-secret-add-row="true" />
+              {{else}}
+                <Hds::Button
+                  @text="Delete row"
+                  @icon="trash"
+                  @isIconOnly={{true}}
+                  @color="secondary"
+                  {{on "click" (fn this.deleteRow secret.name)}}
+                />
+              {{/if}}
+            </div>
+          </div>
+          {{#if this.validationMessages.key}}
+            <AlertInline @type="danger" @message={{this.validationMessages.key}} class="has-top-padding-s" />
+          {{/if}}
+        {{/each}}
+      </div>
     {{/if}}
 
+    <div class="field is-grouped box is-fullwidth is-bottomless">
+      <Hds::ButtonSet>
+        <Hds::Button @text="Save" type="submit" disabled={{@buttonDisabled}} data-test-secret-save={{true}} />
+        {{#if @model.path}}
+          <Hds::Button
+            @text="Cancel"
+            @color="secondary"
+            @route="vault.cluster.secrets.backend.list"
+            @model={{@model.path}}
+          />
+        {{else}}
+          <Hds::Button @text="Cancel" @color="secondary" @route="vault.cluster.secrets.backend.list-root" />
+        {{/if}}
+      </Hds::ButtonSet>
+    </div>
+  </form>
+{{/if}}
+
+{{#if (eq @mode "edit")}}
+  <form
+    {{on "submit" (fn this.createOrUpdateKey "edit")}}
+    aria-label="secret edit form"
+    {{did-insert this.setup @secretData @mode}}
+  >
+    <div class="box is-sideless is-fullwidth is-marginless padding-top">
+      <MessageError @model={{@modelForData}} @errorMessage={{this.error}} />
+      <NamespaceReminder @mode="edit" @noun="secret" />
+      {{#if (eq @canReadSecret false)}}
+        <Hds::Alert @type="inline" @color="warning" class="has-bottom-margin-s" as |A|>
+          <A.Title>Warning</A.Title>
+          <A.Description>
+            <ul class={{if (eq @canReadSecret false) "bullet"}}>
+              {{#if (eq @canReadSecret false)}}
+                <li data-test-warning-no-read-permissions>
+                  You do not have read permissions. If a secret exists at this path creating a new secret will overwrite it.
+                </li>
+              {{/if}}
+            </ul>
+          </A.Description>
+        </Hds::Alert>
+      {{/if}}
+      {{#if @showAdvancedMode}}
+        <div class="form-section">
+          <JsonEditor
+            @title="Secret Data"
+            @value={{this.codemirrorString}}
+            @valueUpdated={{this.codemirrorUpdated}}
+            @onFocusOut={{this.formatJSON}}
+          />
+        </div>
+      {{else}}
+        <div class="form-section">
+          <label class="title is-5">
+            Secret data
+          </label>
+          {{#each @secretData as |secret index|}}
+            <div class="columns is-variable has-no-shadow">
+              <div class="column is-one-quarter">
+                <Input
+                  data-test-secret-key={{true}}
+                  @value={{secret.name}}
+                  placeholder="key"
+                  {{on "change" this.handleChange}}
+                  class="input"
+                  autocomplete="off"
+                  spellcheck="false"
+                />
+              </div>
+              <div class="column">
+                <MaskedInput
+                  @name={{secret.name}}
+                  @onChange={{fn this.handleMaskedInputChange secret index}}
+                  @value={{secret.value}}
+                  data-test-secret-value="true"
+                />
+              </div>
+              <div class="column is-narrow">
+                {{#if (eq @secretData.length (inc index))}}
+                  <Hds::Button @text="Add" @color="secondary" {{on "click" this.addRow}} data-test-secret-add-row="true" />
+                {{else}}
+                  <Hds::Button
+                    @text="Delete row"
+                    @icon="trash"
+                    @isIconOnly={{true}}
+                    @color="secondary"
+                    {{on "click" (fn this.deleteRow secret.name)}}
+                  />
+                {{/if}}
+              </div>
+            </div>
+          {{/each}}
+        </div>
+      {{/if}}
+    </div>
+    <div class="field is-grouped is-grouped-split is-fullwidth box is-bottomless">
+      <div class="field is-grouped">
+        <Hds::ButtonSet>
+          <Hds::Button
+            @text="Save"
+            data-test-secret-save
+            type="submit"
+            disabled={{or @buttonDisabled this.validationErrorCount}}
+          />
+          <Hds::Button
+            @text="Cancel"
+            @color="secondary"
+            @route="vault.cluster.secrets.backend.show"
+            @model={{@model.id}}
+            @query={{hash version=@modelForData.version}}
+          />
+        </Hds::ButtonSet>
+      </div>
+    </div>
   </form>
 {{/if}}
\ No newline at end of file
diff --git a/ui/lib/pki/addon/components/pki-tidy-form.hbs b/ui/lib/pki/addon/components/pki-tidy-form.hbs
index e5daca47cfd6..beb52f137fa2 100644
--- a/ui/lib/pki/addon/components/pki-tidy-form.hbs
+++ b/ui/lib/pki/addon/components/pki-tidy-form.hbs
@@ -1,81 +1,761 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<hr class="is-marginless has-background-gray-200" />
-
-<p class="has-top-margin-m has-bottom-margin-l">Tidying cleans up the storage backend and/or CRL by removing certificates
-  that have expired and are past a certain buffer period beyond their expiration time.
-  <DocLink @path="/vault/api-docs/secret/pki#{{if (eq @tidyType 'manual') 'tidy' 'configure-automatic-tidy'}}">Learn more</DocLink>
-</p>
-
-<MessageError @errorMessage={{this.errorBanner}} class="has-top-margin-s" />
-
-<form class="has-bottom-margin-s" {{on "submit" (perform this.save)}} data-test-tidy-form={{@tidyType}}>
-  {{#if (and (eq @tidyType "auto") this.intervalDurationAttr)}}
-    {{#let this.intervalDurationAttr as |attr|}}
-      <TtlPicker
-        data-test-input={{attr.name}}
-        @onChange={{fn this.handleTtl attr}}
-        @label={{attr.options.label}}
-        @labelDisabled={{attr.options.labelDisabled}}
-        @helperTextDisabled={{attr.options.helperTextDisabled}}
-        @helperTextEnabled={{attr.options.helperTextEnabled}}
-        @initialEnabled={{get @tidy attr.options.mapToBoolean}}
-        @initialValue={{get @tidy attr.name}}
-      />
-    {{/let}}
-  {{/if}}
-  {{#each @tidy.formFieldGroups as |fieldGroup|}}
-    {{#each-in fieldGroup as |group fields|}}
-      {{#if (or (eq @tidyType "manual") @tidy.enabled)}}
-        <h2 class="title is-size-5 has-border-bottom-light page-header" data-test-tidy-header={{group}}>
-          {{group}}
-        </h2>
-        {{#each fields as |attr|}}
-          {{#if (eq attr.name "acmeAccountSafetyBuffer")}}
-            <TtlPicker
-              data-test-input={{attr.name}}
-              @onChange={{fn this.handleTtl attr}}
-              @label={{attr.options.label}}
-              @labelDisabled={{attr.options.labelDisabled}}
-              @helperTextDisabled={{attr.options.helperTextDisabled}}
-              @helperTextEnabled={{attr.options.helperTextEnabled}}
-              @initialEnabled={{get @tidy attr.options.mapToBoolean}}
-              @initialValue={{get @tidy attr.name}}
-            />
-          {{else}}
-            {{! tidyAcme is handled by the ttl above }}
-            {{#if (not-eq attr.name "tidyAcme")}}
-              <FormField @attr={{attr}} @model={{@tidy}} />
-            {{/if}}
-          {{/if}}
-        {{/each}}
-      {{/if}}
-    {{/each-in}}
-  {{/each}}
-
-  <hr class="is-marginless has-background-gray-200" />
-  <Hds::ButtonSet class="has-top-margin-m">
-    <Hds::Button
-      @text={{if (eq @tidyType "manual") "Perform tidy" "Save"}}
-      @icon={{if this.save.isRunning "loading"}}
-      type="submit"
-      disabled={{this.save.isRunning}}
-      data-test-pki-tidy-button
-    />
-    <Hds::Button
-      @text="Cancel"
-      @color="secondary"
-      disabled={{this.save.isRunning}}
-      {{on "click" @onCancel}}
-      data-test-pki-tidy-cancel
-    />
-  </Hds::ButtonSet>
-  {{#if this.invalidFormAlert}}
-    <div class="control">
-      <AlertInline @type="danger" @paddingTop={{true}} @message={{this.invalidFormAlert}} @mimicRefresh={{true}} />
-    </div>
-  {{/if}}
-</form>
\ No newline at end of file
+---
+layout: api
+page_title: /sys/sync - HTTP API
+description: The `/sys/sync` endpoints are used to configure destinations and associate secrets to sync with these destinations.
+---
+
+# `/sys/sync`
+
+The `/sys/sync` endpoints are used to configure destinations and associate secrets to sync with these destinations.
+
+Each destination type has its own endpoint for creation & update operations, but share the same endpoints for read &
+delete operations.
+
+## Configuration
+
+The `sys/sync/config` endpoint is used to set configuration parameters for the sync system as a whole.
+
+@include 'alerts/restricted-root.mdx'
+
+| Method  | Path              |
+|:--------|:------------------|
+| `PATCH` | `sys/sync/config` |
+
+### Parameters
+
+- `disabled` `(bool: false)` - Disables sync operations from sending secrets in Vault to external destinations when
+set to true. While disabled, actions performed in Vault which trigger a sync operation will instead get queued to be
+processed once syncing is reactivated. Queued operations will have a status of `PENDING` until they are completed.
+This is provided as a safety mechanism for emergencies.
+
+### Sample payload
+```json
+{
+    "disabled": "true"
+}
+```
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request PATCH \
+    --data @payload.json
+    http://127.0.0.1:8200/v1/sys/sync/config
+```
+
+### Sample response
+
+```json
+{
+    "request_id": "uuid",
+    "lease_id": "",
+    "lease_duration": 0,
+    "renewable": false,
+    "data": {
+        "disabled": true
+    },
+    "warnings": null,
+    "mount_type": "system"
+}
+```
+
+## List destinations
+
+This endpoint lists all configured sync destination names regrouped by destination type.
+
+| Method | Path                     |
+|:-------|:-------------------------|
+| `LIST` | `/sys/sync/destinations` |
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/sys/sync/destinations
+```
+
+### Sample response
+
+```json
+{
+    "request_id": "uuid",
+    "lease_id": "",
+    "renewable": false,
+    "lease_duration": 0,
+    "data": {
+        "key_info": {
+            "aws-sm/": [
+                "my-dest-1"
+            ],
+            "gh/": [
+                "my-dest-1"
+            ]
+        },
+        "keys": [
+            "aws-sm/",
+            "gh/"
+        ],
+        "total_destinations": 2
+    },
+    "wrap_info": null,
+    "warnings": null,
+    "auth": null
+}
+```
+
+## List destinations by type
+
+This endpoint lists all configured sync destination names for a given type.
+
+| Method | Path                           |
+|:-------|:-------------------------------|
+| `LIST` | `/sys/sync/destinations/:type` |
+
+### Parameters
+
+- `type` `(string: <required>)` - Specifies the destination type. This is specified as part of the URL.
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/sys/sync/destinations/aws-sm
+```
+
+### Sample response
+
+```json
+{
+    "request_id": "uuid",
+    "lease_id": "",
+    "renewable": false,
+    "lease_duration": 0,
+    "data": {
+        "keys": [
+            "my-dest-1"
+        ],
+        "total_destinations": 1
+    },
+    "wrap_info": null,
+    "warnings": null,
+    "auth": null
+}
+```
+
+## Read destination
+
+This endpoint retrieves information about the destination of a given type and name. Sensitive information from the
+connection details are obfuscated.
+
+| Method | Path                                 |
+|:-------|:-------------------------------------|
+| `GET`  | `/sys/sync/destinations/:type/:name` |
+
+### Parameters
+
+- `type` `(string: <required>)` - Specifies the destination type. This is specified as part of the URL.
+
+- `name` `(string: <required>)` - Specifies the name for this destination. This is specified as part of the URL.
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    http://127.0.0.1:8200/v1/sys/sync/destinations/aws-sm/my-store-1
+```
+
+### Sample response
+
+```json
+{
+    "request_id": "uuid",
+    "lease_id": "",
+    "renewable": false,
+    "lease_duration": 0,
+    "data": {
+        "connection_details": {
+            "access_key_id": "*****",
+            "secret_access_key": "*****",
+            "region": "us-west-1"
+        },
+        "name": "my-store-1",
+        "type": "aws-sm"
+    },
+    "wrap_info": null,
+    "warnings": null,
+    "auth": null
+}
+```
+
+## Delete destination
+
+This endpoint deletes information about the destination of a given type and name if it exists. Destinations still managing
+associations cannot be deleted.
+
+| Method   | Path                                 |
+|:---------|:-------------------------------------|
+| `DELETE` | `/sys/sync/destinations/:type/:name` |
+
+### Parameters
+
+- `type` `(string: <required>)` - Specifies the destination type. This is specified as part of the URL.
+
+- `name` `(string: <required>)` - Specifies the name for this destination. This is specified as part of the URL.
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/sync/destinations/aws-sm/my-store-1
+```
+
+## Create/Update AWS Secrets Manager destination
+
+This endpoint creates a destination to synchronize secrets with the AWS Secrets manager.
+
+| Method | Path                                  |
+|:-------|:--------------------------------------|
+| `POST` | `/sys/sync/destinations/aws-sm/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - Specifies the name for this destination. This is specified as part of the URL.
+
+- `access_key_id` `(string: "")` - Access key id to authenticate against the AWS secrets manager. If omitted, authentication
+fallbacks on the AWS credentials provider chain and tries to infer authentication from the environment.
+
+- `secret_access_key` `(string: "")` - Secret access key to authenticate against the AWS secrets manager. If omitted,
+authentication fallbacks on the AWS credentials provider chain and tries to infer authentication from the environment.
+
+- `region` `(string: "")` - Region where to manage the secrets manager entries. If omitted, configuration fallbacks on
+the AWS credentials provider chain and tries to infer region from the environment.
+
+### Sample payload
+```json
+{
+    "access_key_id": "AKI***",
+    "secret_access_key": "ktri****",
+    "region": "us-west-1"
+}
+```
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json
+    http://127.0.0.1:8200/v1/sys/sync/destinations/aws-sm/my-store-1
+```
+
+### Sample response
+
+```json
+{
+    "request_id": "uuid",
+    "lease_id": "",
+    "renewable": false,
+    "lease_duration": 0,
+    "data": {
+        "connection_details": {
+            "access_key_id": "*****",
+            "secret_access_key": "*****",
+            "region": "us-west-1"
+        },
+        "name": "my-store-1",
+        "type": "aws-sm"
+    },
+    "wrap_info": null,
+    "warnings": null,
+    "auth": null
+}
+```
+
+## Create/Update Azure Key Vault destination
+
+This endpoint creates a destination to synchronize secrets with an Azure Key Vault instance.
+
+| Method | Path                                    |
+|:-------|:----------------------------------------|
+| `POST` | `/sys/sync/destinations/azure-kv/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - Specifies the name for this destination. This is specified as part of the URL.
+
+- `key_vault_uri` `(string: <required>)` - URI of an existing Azure Key Vault instance.
+
+- `client_id` `(string: <required>)` - Client ID of an Azure app registration.
+
+- `client_secret` `(string: <required>)` - Client secret of an Azure app registration.
+
+- `tenant_id` `(string: <required>)` - ID of the target Azure tenant.
+
+- `cloud` `(string: "cloud")` - Specifies a cloud for the client. The default is Azure Public Cloud.
+
+
+### Sample payload
+```json
+{
+    "key_vault_uri": "https://keyvault-1234abcd.vault.azure.net",
+    "tenant_id": "uuid",
+    "client_id": "uuid",
+    "client_secret": "90y8Q***"
+}
+```
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json
+    http://127.0.0.1:8200/v1/sys/sync/destinations/aws-sm/my-store-1
+```
+
+## Create/Update GCP Secret Manager destination
+
+This endpoint creates a destination to synchronize secrets with the GCP Secret Manager.
+
+| Method | Path                                  |
+|:-------|:--------------------------------------|
+| `POST` | `/sys/sync/destinations/gcp-sm/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - Specifies the name for this destination. This is specified as part of the URL.
+
+- `credentials` `(string: <required>)` - JSON credentials (either file contents or '@path/to/file')
+See docs for [alternative ways](/vault/docs/secrets/gcp#authentication) to pass in to this parameter
+
+### Sample payload
+```json
+{
+    "credentials": "<JSON string>"
+}
+```
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json
+    http://127.0.0.1:8200/v1/sys/sync/destinations/gcp-sm/my-store-1
+```
+
+## Create/Update GitHub Repository Action destination
+
+This endpoint creates a destination to synchronize action secrets with a GitHub repository.
+
+| Method | Path                              |
+|:-------|:----------------------------------|
+| `POST` | `/sys/sync/destinations/gh/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - Specifies the name for this destination. This is specified as part of the URL.
+
+- `access_token` `(string: <required>)` - Fine-grained or personal access token.
+
+- `repository_owner` `(string: <required>)` - GitHub organization or username that owns the repository. For example, if a repository is located at https://github.com/hashicorp/vault.git the owner is hashicorp.
+
+- `repository_name` `(string: <required>)` - Name of the repository. For example, if a repository is located at https://github.com/hashicorp/vault.git the name is vault.
+
+### Sample payload
+```json
+{
+    "access_token": "github_pat_12345",
+    "repository_owner": "my-organization-or-username",
+    "repository_name": "my-repository"
+}
+```
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json
+    http://127.0.0.1:8200/v1/sys/sync/destinations/gh/my-store-1
+```
+
+## Create/Update Vercel Project destination
+
+This endpoint creates a destination to synchronize secrets with the GCP Secret Manager.
+
+| Method | Path                                          |
+|:-------|:----------------------------------------------|
+| `POST` | `/sys/sync/destinations/vercel-project/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - Specifies the name for this destination. This is specified as part of the URL.
+
+- `access_token` `(string: <required>)` - Vercel API access token with the permissions to manage environment variables.
+
+- `project_id` `(string: <required>)` - Project ID where to manage environment variables.
+
+- `team_id` `(string: "")` - Team ID the project belongs to. Optional.
+
+- `deployment_environments` `(string: <required>)` - Deployment environments where the environment variables are available. Accepts 'development', 'preview' & 'production'.
+
+### Sample payload
+```json
+{
+    "access_token": "<token>>",
+    "project_id": "prj_12345",
+    "deployment_environments": ["development", "preview", "production"]
+}
+```
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json
+    http://127.0.0.1:8200/v1/sys/sync/destinations/vercel-project/my-store-1
+```
+
+## Read associations
+
+This endpoint returns all existing associations for a given destination. An association references the mount via its accessor.
+Associations also contain the latest sync status for the secret they represent.
+
+<Note>
+
+  In the event a synchronization operation does not succeed, the sync status will indicate the cause
+  of the error and is a useful tool when troubleshooting.
+
+</Note>
+
+| Method | Path                                              |
+|:-------|:--------------------------------------------------|
+| `GET`  | `/sys/sync/destinations/:type/:name/associations` |
+
+### Parameters
+
+- `type` `(string: <required>)` - Specifies the destination type. This is specified as part of the URL.
+
+- `name` `(string: <required>)` - Specifies the name for this destination. This is specified as part of the URL.
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    http://127.0.0.1:8200/v1/sys/sync/destinations/aws-sm/my-store-1/associations
+```
+
+### Sample response
+
+```json
+{
+    "request_id": "uuid",
+    "lease_id": "",
+    "renewable": false,
+    "lease_duration": 0,
+    "data": {
+        "associated_secrets": {
+            "kv_eb4acbae/my-secret-1": {
+                "accessor": "kv_eb4acbae",
+                "secret_name": "my-secret-1",
+                "sync_status": "SYNCED",
+                "updated_at": "2023-09-20T10:51:53.961861096-04:00"
+            }
+        },
+        "store_name": "my-store-1",
+        "store_type": "aws-sm"
+    },
+    "wrap_info": null,
+    "warnings": null,
+    "auth": null
+}
+```
+
+## Set association
+
+The set endpoint links a secret to an existing destination using the secret name
+and mount path and triggers a sync operation. If the secret is already
+associated with the destination, Vault performs a refresh without recreating the
+link. Triggering a refresh is useful to push the secret to external systems
+or retry a failed sync operation if the underlying problem that caused the
+failure has been resolved.
+
+<Note>
+
+  Only KV-v2 secrets are supported at the moment.
+
+</Note>
+
+| Method | Path                                                  |
+|:-------|:------------------------------------------------------|
+| `POST` | `/sys/sync/destinations/:type/:name/associations/set` |
+
+### Parameters
+
+- `type` `(string: <required>)` - Specifies the destination type. This is specified as part of the URL.
+
+- `name` `(string: <required>)` - Specifies the name for this destination. This is specified as part of the URL.
+
+- `mount` `(string: <required>)` - Specifies the mount where the secret is located. For example, if you can read a secret
+with `vault kv get -mount=my-kv my-secret-1`, the mount name is `my-kv`.
+
+- `secret_name` `(string: <required>)` - Specifies the name of the secret to synchronize. For example, if you can read a secret
+with `vault kv get -mount=my-kv my-secret-1`, the secret name is `my-secret-1`.
+
+### Sample payload
+```json
+{
+    "mount": "my-kv",
+    "secret_name": "my-secret-1"
+}
+```
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/sync/destinations/aws-sm/my-store-1/associations/set
+```
+
+### Sample response
+
+```json
+{
+    "request_id": "uuid",
+    "lease_id": "",
+    "renewable": false,
+    "lease_duration": 0,
+    "data": {
+        "associated_secrets": {
+            "kv_eb4acbae/my-secret-1": {
+                "accessor": "kv_eb4acbae",
+                "secret_name": "my-secret-1",
+                "sync_status": "SYNCED",
+                "updated_at": "2023-09-20T10:51:53.961861096-04:00"
+            }
+        },
+        "store_name": "my-store-1",
+        "store_type": "aws-sm"
+    },
+    "wrap_info": null,
+    "warnings": null,
+    "auth": null
+}
+```
+
+## Remove association
+
+The remove endpoint unlinks a secret from an existing destination based on the
+secret name and mount path, and triggers an unsync operation. Unsync
+operations delete the secret from the external system. The unsync operation
+reports success if the targeted association is removed, does not exist, or the
+secret was already removed from the external system.
+
+| Method | Path                                                     |
+|:-------|:---------------------------------------------------------|
+| `POST` | `/sys/sync/destinations/:type/:name/associations/remove` |
+
+### Parameters
+
+- `type` `(string: <required>)` - Specifies the destination type. This is specified as part of the URL.
+
+- `name` `(string: <required>)` - Specifies the name for this destination. This is specified as part of the URL.
+
+- `mount` `(string: <required>)` - Specifies the mount where the secret is located. For example, if you can read a secret
+with `vault kv get -mount=my-kv my-secret-1`, the mount name is `my-kv`.
+
+- `name` `(string: <required>)` - Specifies the name of the secret to synchronize. For example, if you can read a secret
+with `vault kv get -mount=my-kv my-secret-1`, the secret name is `my-secret-1`.
+
+### Sample payload
+```json
+{
+    "mount": "my-kv",
+    "secret_name": "my-secret-1"
+}
+```
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/sync/destinations/aws-sm/my-store-1/associations/remove
+```
+
+### Sample response
+
+```json
+{
+    "request_id": "uuid",
+    "lease_id": "",
+    "renewable": false,
+    "lease_duration": 0,
+    "data": {
+        "associated_secrets": {
+            "kv_eb4acbae/my-secret-1": {
+                "accessor": "kv_eb4acbae",
+                "secret_name": "my-secret-1",
+                "sync_status": "UNSYNCED",
+                "updated_at": "2023-09-20T10:51:53.961861096-04:00"
+            }
+        },
+        "store_name": "my-store-1",
+        "store_type": "aws-sm"
+    },
+    "wrap_info": null,
+    "warnings": null,
+    "auth": null
+}
+```
+
+## List associations
+
+This endpoint lists all secrets referenced by at least one association. Each secret can be associated with multiple
+destinations, so the total number of associations can be greater than the total number of synced secrets.
+
+| Method | Path                     |
+|:-------|:-------------------------|
+| `LIST` | `/sys/sync/associations` |
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/sys/sync/associations
+```
+
+### Sample response
+
+```json
+{
+    "request_id": "uuid",
+    "lease_id": "",
+    "renewable": false,
+    "lease_duration": 0,
+    "data": {
+        "key_info": {
+            "my-kv-1/my-secret-1": [
+                {
+                    "mount": "my-kv-1/",
+                    "secret_path": "my-secret-1"
+                }
+            ],
+            "my/kv/1/my/secret/1": [
+                {
+                    "mount": "my/kv/1/",
+                    "secret_path": "my/secret/1"
+                }
+            ]
+        },
+        "keys": [
+            "my/kv/1/my/secret/1",
+            "my-kv-1/my-secret-1"
+        ],
+        "total_associations": 4,
+        "total_secrets": 2
+    },
+    "wrap_info": null,
+    "warnings": null,
+    "auth": null
+}
+```
+
+## Read destinations by secret
+
+This endpoint returns all destinations associated with the provided secret reference.
+
+<Note>
+
+  The request is available either with path parameters or request parameters to support
+  mounts or secrets with forward slash characters (`/`).
+
+</Note>
+
+| Method | Path                                  |
+|:-------|:--------------------------------------|
+| `GET`  | `/sys/sync/associations/:mount/:name` |
+
+| Method | Path                                                                 |
+|:-------|:---------------------------------------------------------------------|
+| `GET`  | `/sys/sync/associations/destinations?mount=:mount&secret_name=:name` |
+
+### Parameters
+
+- `mount` `(string: <required>)` - Specifies the mount where the secret is located. For example, if you can read a secret
+with `vault kv get -mount=my-kv my-secret-1`, the mount name is `my-kv`.
+
+- `name` `(string: <required>)` - Specifies the name of the synchronized secret. For example, if you can read a secret
+with `vault kv get -mount=my-kv my-secret-1`, the secret name is `my-secret-1`.
+
+### Sample requests
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    http://127.0.0.1:8200/v1/sys/sync/associations/my-kv-1/my-secret-1
+```
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    http://127.0.0.1:8200/v1/sys/sync/associations/destinations?mount=my-kv-1&secret_name=my-secret-1
+```
+
+### Sample response
+
+```json
+{
+    "request_id": "uuid",
+    "lease_id": "",
+    "renewable": false,
+    "lease_duration": 0,
+    "data": {
+        "associated_destinations": {
+            "aws-sm/my-dest-1": {
+                "type": "aws-sm",
+                "name": "my-dest-1",
+                "sync_status": "UNSYNCED",
+                "updated_at": "2023-11-02T14:24:24.07391144-04:00"
+            },
+            "gh/my-dest-1": {
+                "type": "gh",
+                "name": "my-dest-1",
+                "sync_status": "SYNCED",
+                "updated_at": "2023-11-02T14:24:28.719833506-04:00"
+            }
+        }
+    },
+    "wrap_info": null,
+    "warnings": null,
+    "auth": null
+}
+```
diff --git a/ui/lib/replication/addon/engine.js b/ui/lib/replication/addon/engine.js
index 2347738d9366..a205aae17443 100644
--- a/ui/lib/replication/addon/engine.js
+++ b/ui/lib/replication/addon/engine.js
@@ -1,24 +1,46 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Engine from 'ember-engines/engine';
-import loadInitializers from 'ember-load-initializers';
-import Resolver from './resolver';
-import config from './config/environment';
-
-const { modulePrefix } = config;
-/* eslint-disable ember/avoid-leaking-state-in-ember-objects */
-const Eng = Engine.extend({
-  modulePrefix,
-  Resolver,
-  dependencies: {
-    services: ['auth', 'flash-messages', 'namespace', 'replication-mode', 'router', 'store', 'version'],
-    externalRoutes: ['replication'],
-  },
-});
-
-loadInitializers(Eng, modulePrefix);
-
-export default Eng;
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+
+	"github.com/hashicorp/cli"
+)
+
+var _ cli.Command = (*SecretsCommand)(nil)
+
+type SecretsCommand struct {
+	*BaseCommand
+}
+
+func (c *SecretsCommand) Synopsis() string {
+	return "Interact with secrets engines"
+}
+
+func (c *SecretsCommand) Help() string {
+	helpText := `
+Usage: vault secrets <subcommand> [options] [args]
+
+  This command groups subcommands for interacting with Vault's secrets engines.
+  Each secret engine behaves differently. Please see the documentation for
+  more information.
+
+  List all enabled secrets engines:
+
+      $ vault secrets list
+
+  Enable a new secrets engine:
+
+      $ vault secrets enable database
+
+  Please see the individual subcommand help for detailed usage information.
+`
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *SecretsCommand) Run(args []string) int {
+	return cli.RunResultHelp
+}
diff --git a/ui/lib/replication/addon/routes/application.js b/ui/lib/replication/addon/routes/application.js
index 26e4ec261020..163af4a785c7 100644
--- a/ui/lib/replication/addon/routes/application.js
+++ b/ui/lib/replication/addon/routes/application.js
@@ -1,48 +1,89 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { inject as service } from '@ember/service';
-import { setProperties } from '@ember/object';
-import { hash } from 'rsvp';
-import Route from '@ember/routing/route';
-import ClusterRoute from 'vault/mixins/cluster-route';
-
-export default Route.extend(ClusterRoute, {
-  version: service(),
-  store: service(),
-  auth: service(),
-
-  beforeModel() {
-    return this.version.fetchFeatures().then(() => {
-      return this._super(...arguments);
-    });
-  },
-
-  model() {
-    return this.auth.activeCluster;
-  },
-
-  afterModel(model) {
-    return hash({
-      canEnablePrimary: this.store
-        .findRecord('capabilities', 'sys/replication/primary/enable')
-        .then((c) => c.get('canUpdate')),
-      canEnableSecondary: this.store
-        .findRecord('capabilities', 'sys/replication/secondary/enable')
-        .then((c) => c.get('canUpdate')),
-    }).then(({ canEnablePrimary, canEnableSecondary }) => {
-      setProperties(model, {
-        canEnablePrimary,
-        canEnableSecondary,
-      });
-      return model;
-    });
-  },
-  actions: {
-    refresh() {
-      this.refresh();
-    },
-  },
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*SecretsDisableCommand)(nil)
+	_ cli.CommandAutocomplete = (*SecretsDisableCommand)(nil)
+)
+
+type SecretsDisableCommand struct {
+	*BaseCommand
+}
+
+func (c *SecretsDisableCommand) Synopsis() string {
+	return "Disable a secret engine"
+}
+
+func (c *SecretsDisableCommand) Help() string {
+	helpText := `
+Usage: vault secrets disable [options] PATH
+
+  Disables a secrets engine at the given PATH. The argument corresponds to
+  the enabled PATH of the engine, not the TYPE! All secrets created by this
+  engine are revoked and its Vault data is removed.
+
+  Disable the secrets engine enabled at aws/:
+
+      $ vault secrets disable aws/
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *SecretsDisableCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP)
+}
+
+func (c *SecretsDisableCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultMounts()
+}
+
+func (c *SecretsDisableCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *SecretsDisableCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	path := ensureTrailingSlash(sanitizePath(args[0]))
+
+	if err := client.Sys().Unmount(path); err != nil {
+		c.UI.Error(fmt.Sprintf("Error disabling secrets engine at %s: %s", path, err))
+		return 2
+	}
+
+	c.UI.Output(fmt.Sprintf("Success! Disabled the secrets engine (if it existed) at: %s", path))
+	return 0
+}
diff --git a/ui/lib/replication/addon/templates/application.hbs b/ui/lib/replication/addon/templates/application.hbs
index 11a06fba0089..253107136430 100644
--- a/ui/lib/replication/addon/templates/application.hbs
+++ b/ui/lib/replication/addon/templates/application.hbs
@@ -1,6 +1,155 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
 
-{{outlet}}
\ No newline at end of file
+package command
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+)
+
+func testSecretsDisableCommand(tb testing.TB) (*cli.MockUi, *SecretsDisableCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &SecretsDisableCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestSecretsDisableCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"not_enough_args",
+			[]string{},
+			"Not enough arguments",
+			1,
+		},
+		{
+			"too_many_args",
+			[]string{"foo", "bar"},
+			"Too many arguments",
+			1,
+		},
+		{
+			"not_real",
+			[]string{"not_real"},
+			"Success! Disabled the secrets engine (if it existed) at: not_real/",
+			0,
+		},
+		{
+			"default",
+			[]string{"secret"},
+			"Success! Disabled the secrets engine (if it existed) at: secret/",
+			0,
+		},
+	}
+
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range cases {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				ui, cmd := testSecretsDisableCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
+	})
+
+	t.Run("integration", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		if err := client.Sys().Mount("my-secret/", &api.MountInput{
+			Type: "generic",
+		}); err != nil {
+			t.Fatal(err)
+		}
+
+		ui, cmd := testSecretsDisableCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"my-secret/",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Success! Disabled the secrets engine (if it existed) at: my-secret/"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+
+		mounts, err := client.Sys().ListMounts()
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if _, ok := mounts["integration_unmount"]; ok {
+			t.Errorf("expected mount to not exist: %#v", mounts)
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testSecretsDisableCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"pki/",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error disabling secrets engine at pki/: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testSecretsDisableCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
diff --git a/ui/lib/replication/addon/templates/components/known-secondaries-card.hbs b/ui/lib/replication/addon/templates/components/known-secondaries-card.hbs
index 5cd2c244200e..9e06392b2d39 100644
--- a/ui/lib/replication/addon/templates/components/known-secondaries-card.hbs
+++ b/ui/lib/replication/addon/templates/components/known-secondaries-card.hbs
@@ -1,31 +1,353 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<Hds::Card::Container
-  @hasBorder={{true}}
-  class="has-padding-m known-secondaries-card {{if this.hasErrorClass 'has-error-border'}}"
->
-  <div class="level">
-    <h3 class="card-title title is-5">{{this.replicationAttrs.secondaries.length}} Known secondaries</h3>
-    <ToolbarLink @route="mode.secondaries" @model={{this.cluster.replicationMode}} data-test-manage-link>
-      View all
-    </ToolbarLink>
-  </div>
-  <div class="secondaries-table">
-    {{#if this.replicationAttrs.secondaries}}
-      <KnownSecondariesTable @secondaries={{this.replicationAttrs.secondaries}} />
-    {{else}}
-      <EmptyState
-        @title="No known {{this.cluster.replicationMode}} secondary clusters associated with this cluster"
-        @message="Associated secondary clusters will be listed here. Add your first secondary cluster to get started."
-      />
-    {{/if}}
-  </div>
-  {{#if this.cluster.canAddSecondary}}
-    <LinkTo @route="mode.secondaries.add" @model={{this.cluster.replicationMode}} class="link add-secondaries">
-      Add secondary
-    </LinkTo>
-  {{/if}}
-</Hds::Card::Container>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"flag"
+	"fmt"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*SecretsEnableCommand)(nil)
+	_ cli.CommandAutocomplete = (*SecretsEnableCommand)(nil)
+)
+
+type SecretsEnableCommand struct {
+	*BaseCommand
+
+	flagDescription               string
+	flagPath                      string
+	flagDefaultLeaseTTL           time.Duration
+	flagMaxLeaseTTL               time.Duration
+	flagAuditNonHMACRequestKeys   []string
+	flagAuditNonHMACResponseKeys  []string
+	flagListingVisibility         string
+	flagPassthroughRequestHeaders []string
+	flagAllowedResponseHeaders    []string
+	flagForceNoCache              bool
+	flagPluginName                string
+	flagPluginVersion             string
+	flagOptions                   map[string]string
+	flagLocal                     bool
+	flagSealWrap                  bool
+	flagExternalEntropyAccess     bool
+	flagVersion                   int
+	flagAllowedManagedKeys        []string
+}
+
+func (c *SecretsEnableCommand) Synopsis() string {
+	return "Enable a secrets engine"
+}
+
+func (c *SecretsEnableCommand) Help() string {
+	helpText := `
+Usage: vault secrets enable [options] TYPE
+
+  Enables a secrets engine. By default, secrets engines are enabled at the path
+  corresponding to their TYPE, but users can customize the path using the
+  -path option.
+
+  Once enabled, Vault will route all requests which begin with the path to the
+  secrets engine.
+
+  Enable the AWS secrets engine at aws/:
+
+      $ vault secrets enable aws
+
+  Enable the SSH secrets engine at ssh-prod/:
+
+      $ vault secrets enable -path=ssh-prod ssh
+
+  Enable the database secrets engine with an explicit maximum TTL of 30m:
+
+      $ vault secrets enable -max-lease-ttl=30m database
+
+  Enable a custom plugin (after it is registered in the plugin registry):
+
+      $ vault secrets enable -path=my-secrets -plugin-name=my-plugin plugin
+
+  OR (preferred way):
+
+      $ vault secrets enable -path=my-secrets my-plugin
+
+  For a full list of secrets engines and examples, please see the documentation.
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *SecretsEnableCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP)
+
+	f := set.NewFlagSet("Command Options")
+
+	f.StringVar(&StringVar{
+		Name:       "description",
+		Target:     &c.flagDescription,
+		Completion: complete.PredictAnything,
+		Usage:      "Human-friendly description for the purpose of this engine.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "path",
+		Target:     &c.flagPath,
+		Default:    "", // The default is complex, so we have to manually document
+		Completion: complete.PredictAnything,
+		Usage: "Place where the secrets engine will be accessible. This must be " +
+			"unique cross all secrets engines. This defaults to the \"type\" of the " +
+			"secrets engine.",
+	})
+
+	f.DurationVar(&DurationVar{
+		Name:       "default-lease-ttl",
+		Target:     &c.flagDefaultLeaseTTL,
+		Completion: complete.PredictAnything,
+		Usage: "The default lease TTL for this secrets engine. If unspecified, " +
+			"this defaults to the Vault server's globally configured default lease " +
+			"TTL.",
+	})
+
+	f.DurationVar(&DurationVar{
+		Name:       "max-lease-ttl",
+		Target:     &c.flagMaxLeaseTTL,
+		Completion: complete.PredictAnything,
+		Usage: "The maximum lease TTL for this secrets engine. If unspecified, " +
+			"this defaults to the Vault server's globally configured maximum lease " +
+			"TTL.",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNameAuditNonHMACRequestKeys,
+		Target: &c.flagAuditNonHMACRequestKeys,
+		Usage: "Key that will not be HMAC'd by audit devices in the request data object. " +
+			"To specify multiple values, specify this flag multiple times.",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNameAuditNonHMACResponseKeys,
+		Target: &c.flagAuditNonHMACResponseKeys,
+		Usage: "Key that will not be HMAC'd by audit devices in the response data object. " +
+			"To specify multiple values, specify this flag multiple times.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:   flagNameListingVisibility,
+		Target: &c.flagListingVisibility,
+		Usage:  "Determines the visibility of the mount in the UI-specific listing endpoint.",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNamePassthroughRequestHeaders,
+		Target: &c.flagPassthroughRequestHeaders,
+		Usage: "Request header value that will be sent to the plugins. To specify multiple " +
+			"values, specify this flag multiple times.",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNameAllowedResponseHeaders,
+		Target: &c.flagAllowedResponseHeaders,
+		Usage: "Response header value that plugins will be allowed to set. To specify multiple " +
+			"values, specify this flag multiple times.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "force-no-cache",
+		Target:  &c.flagForceNoCache,
+		Default: false,
+		Usage: "Force the secrets engine to disable caching. If unspecified, this " +
+			"defaults to the Vault server's globally configured cache settings. " +
+			"This does not affect caching of the underlying encrypted data storage.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "plugin-name",
+		Target:     &c.flagPluginName,
+		Completion: c.PredictVaultPlugins(api.PluginTypeSecrets, api.PluginTypeDatabase),
+		Usage: "Name of the secrets engine plugin. This plugin name must already " +
+			"exist in Vault's plugin catalog.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:    flagNamePluginVersion,
+		Target:  &c.flagPluginVersion,
+		Default: "",
+		Usage:   "Select the semantic version of the plugin to enable.",
+	})
+
+	f.StringMapVar(&StringMapVar{
+		Name:       "options",
+		Target:     &c.flagOptions,
+		Completion: complete.PredictAnything,
+		Usage: "Key-value pair provided as key=value for the mount options. " +
+			"This can be specified multiple times.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "local",
+		Target:  &c.flagLocal,
+		Default: false,
+		Usage: "Mark the secrets engine as local-only. Local engines are not " +
+			"replicated or removed by replication.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "seal-wrap",
+		Target:  &c.flagSealWrap,
+		Default: false,
+		Usage:   "Enable seal wrapping of critical values in the secrets engine.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "external-entropy-access",
+		Target:  &c.flagExternalEntropyAccess,
+		Default: false,
+		Usage:   "Enable secrets engine to access Vault's external entropy source.",
+	})
+
+	f.IntVar(&IntVar{
+		Name:    "version",
+		Target:  &c.flagVersion,
+		Default: 0,
+		Usage:   "Select the version of the engine to run. Not supported by all engines.",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNameAllowedManagedKeys,
+		Target: &c.flagAllowedManagedKeys,
+		Usage: "Managed key name(s) that the mount in question is allowed to access. " +
+			"Note that multiple keys may be specified by providing this option multiple times, " +
+			"each time with 1 key.",
+	})
+
+	return set
+}
+
+func (c *SecretsEnableCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultAvailableMounts()
+}
+
+func (c *SecretsEnableCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *SecretsEnableCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	// Get the engine type type (first arg)
+	engineType := strings.TrimSpace(args[0])
+	if engineType == "plugin" {
+		engineType = c.flagPluginName
+	}
+
+	// If no path is specified, we default the path to the backend type
+	// or use the plugin name if it's a plugin backend
+	mountPath := c.flagPath
+	if mountPath == "" {
+		if engineType == "plugin" {
+			mountPath = c.flagPluginName
+		} else {
+			mountPath = engineType
+		}
+	}
+
+	if c.flagVersion > 0 {
+		if c.flagOptions == nil {
+			c.flagOptions = make(map[string]string)
+		}
+		c.flagOptions["version"] = strconv.Itoa(c.flagVersion)
+	}
+
+	// Append a trailing slash to indicate it's a path in output
+	mountPath = ensureTrailingSlash(mountPath)
+
+	// Build mount input
+	mountInput := &api.MountInput{
+		Type:                  engineType,
+		Description:           c.flagDescription,
+		Local:                 c.flagLocal,
+		SealWrap:              c.flagSealWrap,
+		ExternalEntropyAccess: c.flagExternalEntropyAccess,
+		Config: api.MountConfigInput{
+			DefaultLeaseTTL: c.flagDefaultLeaseTTL.String(),
+			MaxLeaseTTL:     c.flagMaxLeaseTTL.String(),
+			ForceNoCache:    c.flagForceNoCache,
+		},
+		Options: c.flagOptions,
+	}
+
+	// Set these values only if they are provided in the CLI
+	f.Visit(func(fl *flag.Flag) {
+		if fl.Name == flagNameAuditNonHMACRequestKeys {
+			mountInput.Config.AuditNonHMACRequestKeys = c.flagAuditNonHMACRequestKeys
+		}
+
+		if fl.Name == flagNameAuditNonHMACResponseKeys {
+			mountInput.Config.AuditNonHMACResponseKeys = c.flagAuditNonHMACResponseKeys
+		}
+
+		if fl.Name == flagNameListingVisibility {
+			mountInput.Config.ListingVisibility = c.flagListingVisibility
+		}
+
+		if fl.Name == flagNamePassthroughRequestHeaders {
+			mountInput.Config.PassthroughRequestHeaders = c.flagPassthroughRequestHeaders
+		}
+
+		if fl.Name == flagNameAllowedResponseHeaders {
+			mountInput.Config.AllowedResponseHeaders = c.flagAllowedResponseHeaders
+		}
+
+		if fl.Name == flagNameAllowedManagedKeys {
+			mountInput.Config.AllowedManagedKeys = c.flagAllowedManagedKeys
+		}
+
+		if fl.Name == flagNamePluginVersion {
+			mountInput.Config.PluginVersion = c.flagPluginVersion
+		}
+	})
+
+	if err := client.Sys().Mount(mountPath, mountInput); err != nil {
+		c.UI.Error(fmt.Sprintf("Error enabling: %s", err))
+		return 2
+	}
+
+	thing := engineType + " secrets engine"
+	if engineType == "plugin" {
+		thing = c.flagPluginName + " plugin"
+	}
+	if c.flagPluginVersion != "" {
+		thing += " version " + c.flagPluginVersion
+	}
+	c.UI.Output(fmt.Sprintf("Success! Enabled the %s at: %s", thing, mountPath))
+	return 0
+}
diff --git a/ui/lib/replication/addon/templates/components/known-secondaries-table.hbs b/ui/lib/replication/addon/templates/components/known-secondaries-table.hbs
index 39479f3b54a1..10fd0c5c9c80 100644
--- a/ui/lib/replication/addon/templates/components/known-secondaries-table.hbs
+++ b/ui/lib/replication/addon/templates/components/known-secondaries-table.hbs
@@ -1,56 +1,275 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<div class="replication vlt-table sticky-header" data-test-known-secondaries-table>
-  <table class="is-fullwidth">
-    <caption class="is-collapsed">
-      Known Secondaries
-    </caption>
-    <thead class="has-text-weight-semibold">
-      <tr>
-        <th scope="col">
-          Secondary ID
-        </th>
-        <th scope="col">
-          URL
-        </th>
-        <th scope="col">
-          Connected?
-        </th>
-      </tr>
-    </thead>
-    <tbody>
-      {{#each this.secondaries as |secondary|}}
-        <tr>
-          <th scope="row">
-            <code data-test-secondaries={{concat "row-for-" secondary.node_id}}>
-              {{secondary.node_id}}
-            </code>
-          </th>
-          <td>
-            {{#if secondary.api_address}}
-              <a
-                class="link"
-                href={{concat secondary.api_address "/ui/"}}
-                target="_blank"
-                rel="noopener noreferrer"
-                data-test-secondaries={{concat "api-address-for-" secondary.node_id}}
-              >
-                <p class="is-word-break">{{secondary.api_address}}</p>
-              </a>
-            {{else}}
-              <p class="is-word-break">{{secondary.api_address}}</p>
-            {{/if}}
-          </td>
-          <td>
-            <code data-test-secondaries={{concat "connection-status-for-" (or secondary.node_id secondary)}}>
-              {{secondary.connection_status}}
-            </code>
-          </td>
-        </tr>
-      {{/each}}
-    </tbody>
-  </table>
-</div>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"errors"
+	"io/ioutil"
+	"os"
+	"sort"
+	"strings"
+	"testing"
+
+	"github.com/go-test/deep"
+	"github.com/google/go-cmp/cmp"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/go-secure-stdlib/strutil"
+	"github.com/hashicorp/vault/helper/builtinplugins"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+)
+
+func testSecretsEnableCommand(tb testing.TB) (*cli.MockUi, *SecretsEnableCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &SecretsEnableCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestSecretsEnableCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"not_enough_args",
+			[]string{},
+			"Not enough arguments",
+			1,
+		},
+		{
+			"too_many_args",
+			[]string{"foo", "bar"},
+			"Too many arguments",
+			1,
+		},
+		{
+			"not_a_valid_mount",
+			[]string{"nope_definitely_not_a_valid_mount_like_ever"},
+			"",
+			2,
+		},
+		{
+			"mount",
+			[]string{"transit"},
+			"Success! Enabled the transit secrets engine at: transit/",
+			0,
+		},
+		{
+			"mount_path",
+			[]string{
+				"-path", "transit_mount_point",
+				"transit",
+			},
+			"Success! Enabled the transit secrets engine at: transit_mount_point/",
+			0,
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			client, closer := testVaultServer(t)
+			defer closer()
+
+			ui, cmd := testSecretsEnableCommand(t)
+			cmd.client = client
+
+			code := cmd.Run(tc.args)
+			if code != tc.code {
+				t.Errorf("expected %d to be %d", code, tc.code)
+			}
+
+			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+			if !strings.Contains(combined, tc.out) {
+				t.Errorf("expected %q to contain %q", combined, tc.out)
+			}
+		})
+	}
+
+	t.Run("integration", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		ui, cmd := testSecretsEnableCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"-path", "mount_integration/",
+			"-description", "The best kind of test",
+			"-default-lease-ttl", "30m",
+			"-max-lease-ttl", "1h",
+			"-audit-non-hmac-request-keys", "foo,bar",
+			"-audit-non-hmac-response-keys", "foo,bar",
+			"-passthrough-request-headers", "authorization,authentication",
+			"-passthrough-request-headers", "www-authentication",
+			"-allowed-response-headers", "authorization",
+			"-allowed-managed-keys", "key1,key2",
+			"-force-no-cache",
+			"pki",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Success! Enabled the pki secrets engine at: mount_integration/"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+
+		mounts, err := client.Sys().ListMounts()
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		mountInfo, ok := mounts["mount_integration/"]
+		if !ok {
+			t.Fatalf("expected mount to exist")
+		}
+		if exp := "pki"; mountInfo.Type != exp {
+			t.Errorf("expected %q to be %q", mountInfo.Type, exp)
+		}
+		if exp := "The best kind of test"; mountInfo.Description != exp {
+			t.Errorf("expected %q to be %q", mountInfo.Description, exp)
+		}
+		if exp := 1800; mountInfo.Config.DefaultLeaseTTL != exp {
+			t.Errorf("expected %d to be %d", mountInfo.Config.DefaultLeaseTTL, exp)
+		}
+		if exp := 3600; mountInfo.Config.MaxLeaseTTL != exp {
+			t.Errorf("expected %d to be %d", mountInfo.Config.MaxLeaseTTL, exp)
+		}
+		if exp := true; mountInfo.Config.ForceNoCache != exp {
+			t.Errorf("expected %t to be %t", mountInfo.Config.ForceNoCache, exp)
+		}
+		if diff := deep.Equal([]string{"authorization,authentication", "www-authentication"}, mountInfo.Config.PassthroughRequestHeaders); len(diff) > 0 {
+			t.Errorf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff)
+		}
+		if diff := deep.Equal([]string{"authorization"}, mountInfo.Config.AllowedResponseHeaders); len(diff) > 0 {
+			t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff)
+		}
+		if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 {
+			t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff)
+		}
+		if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
+			t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
+		}
+		if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 {
+			t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff)
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testSecretsEnableCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"pki",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error enabling: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testSecretsEnableCommand(t)
+		assertNoTabs(t, cmd)
+	})
+
+	t.Run("mount_all", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerAllBackends(t)
+		defer closer()
+
+		files, err := ioutil.ReadDir("../builtin/logical")
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		var backends []string
+		for _, f := range files {
+			if f.IsDir() {
+				if f.Name() == "plugin" || f.Name() == "database" {
+					continue
+				}
+				if _, err := os.Stat("../builtin/logical/" + f.Name() + "/backend.go"); errors.Is(err, os.ErrNotExist) {
+					// Skip ext test packages (fake plugins without backends).
+					continue
+				}
+				backends = append(backends, f.Name())
+			}
+		}
+
+		modFile, err := ioutil.ReadFile("../go.mod")
+		if err != nil {
+			t.Fatal(err)
+		}
+		modLines := strings.Split(string(modFile), "\n")
+		for _, p := range modLines {
+			splitLine := strings.Split(strings.TrimSpace(p), " ")
+			if len(splitLine) == 0 {
+				continue
+			}
+			potPlug := strings.TrimPrefix(splitLine[0], "github.com/hashicorp/")
+			if strings.HasPrefix(potPlug, "vault-plugin-secrets-") {
+				backends = append(backends, strings.TrimPrefix(potPlug, "vault-plugin-secrets-"))
+			}
+		}
+
+		regkeys := strutil.StrListDelete(builtinplugins.Registry.Keys(consts.PluginTypeSecrets), "ldap")
+		sort.Strings(regkeys)
+		sort.Strings(backends)
+
+		if d := cmp.Diff(regkeys, backends); len(d) > 0 {
+			t.Fatalf("found logical registry mismatch: %v", d)
+		}
+
+		for _, b := range backends {
+			expectedResult := 0
+
+			ui, cmd := testSecretsEnableCommand(t)
+			cmd.client = client
+
+			actualResult := cmd.Run([]string{
+				b,
+			})
+
+			// Need to handle deprecated builtins specially
+			status, _ := builtinplugins.Registry.DeprecationStatus(b, consts.PluginTypeSecrets)
+			if status == consts.PendingRemoval || status == consts.Removed {
+				expectedResult = 2
+			}
+
+			if actualResult != expectedResult {
+				t.Errorf("type: %s - got: %d, expected: %d - %s", b, actualResult, expectedResult, ui.OutputWriter.String()+ui.ErrorWriter.String())
+			}
+		}
+	})
+}
diff --git a/ui/lib/replication/addon/templates/components/replication-summary.hbs b/ui/lib/replication/addon/templates/components/replication-summary.hbs
index c32a365a53e6..2819e2a1d390 100644
--- a/ui/lib/replication/addon/templates/components/replication-summary.hbs
+++ b/ui/lib/replication/addon/templates/components/replication-summary.hbs
@@ -1,375 +1,189 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-{{#if (not (has-feature "DR Replication"))}}
-  <UpgradePage @title="Replication" />
-{{else if (or this.cluster.allReplicationDisabled this.cluster.replicationAttrs.replicationDisabled)}}
-  <PageHeader as |p|>
-    <p.levelLeft>
-      <h1 class="title is-3">
-        {{#if this.initialReplicationMode}}
-          {{#if (eq this.initialReplicationMode "dr")}}
-            Enable Disaster Recovery Replication
-          {{else if (eq this.initialReplicationMode "performance")}}
-            Enable Performance Replication
-          {{/if}}
-        {{else}}
-          Enable Replication
-        {{/if}}
-      </h1>
-    </p.levelLeft>
-  </PageHeader>
-
-  <form
-    onsubmit={{action
-      "onSubmit"
-      "enable"
-      (or this.mode "primary")
-      (hash
-        token=this.token
-        primary_cluster_addr=this.primary_cluster_addr
-        primary_api_addr=this.primary_api_addr
-        ca_file=this.ca_file
-        ca_path=this.ca_path
-        replicationMode=this.replicationMode
-      )
-    }}
-  >
-    <div class="box is-sideless is-fullwidth is-marginless">
-      <MessageError @errors={{this.errors}} />
-      {{#if this.initialReplicationMode}}
-        {{#if (eq this.initialReplicationMode "dr")}}
-          <h3 class="title is-flex-center is-5 is-marginless">
-            <Icon @size="24" @name="replication-direct" />
-            Disaster Recovery (DR) Replication
-          </h3>
-          <p class="help has-text-grey-dark">
-            {{replication-mode-description "dr"}}
-          </p>
-        {{else if (eq this.initialReplicationMode "performance")}}
-          <h3 class="title is-flex-center is-5 is-marginless">
-            <Icon @size="24" @name="replication-perf" />
-            Performance Replication
-          </h3>
-          {{#if (has-feature "Performance Replication")}}
-            <p class="help has-text-grey-dark">
-              {{replication-mode-description "performance"}}
-            </p>
-          {{else}}
-            <p class="help has-text-grey-dark">
-              Performance Replication is a feature of Vault Enterprise Premium
-            </p>
-          {{/if}}
-        {{/if}}
-      {{else}}
-        <p class="has-text-grey-dark box is-shadowless is-fullwidth has-slim-padding">
-          <label for="replication-mode" class="is-label is-block">
-            Type of replication
-          </label>
-          In both Performance and Disaster Recovery (DR) Replication, secondaries share the underlying configuration,
-          policies, and supporting secrets as their primary cluster.
-        </p>
-        <div class="columns">
-          <div class="column is-flex">
-            <label for="dr" class="box-label is-column {{if (eq this.replicationMode 'dr') 'is-selected'}}">
-              <div>
-                <h3 class="box-label-header title is-6">
-                  <Icon @size="24" @name="replication-direct" />
-                  Disaster Recovery (DR)
-                </h3>
-                <p class="help has-text-grey-dark">
-                  {{replication-mode-description "dr"}}
-                </p>
-              </div>
-              <div>
-                <RadioButton
-                  id="dr"
-                  name="replication-mode"
-                  @value="dr"
-                  @groupValue={{this.replicationMode}}
-                  @onChange={{fn (mut this.replicationMode)}}
-                />
-                <label for="dr" data-test-replication-type-select="dr"></label>
-              </div>
-            </label>
-          </div>
-          <div class="column is-flex">
-            <label
-              for="performance"
-              class="box-label is-column {{if (eq this.replicationMode 'performance') 'is-selected'}}"
-            >
-              <div>
-                <h3 class="box-label-header title is-6">
-                  <Icon @size="24" @name="replication-perf" />
-                  Performance
-                </h3>
-                {{#if (not (has-feature "Performance Replication"))}}
-                  <p class="help has-text-grey-dark">
-                    Performance Replication is a feature of Vault Enterprise Premium
-                  </p>
-                {{else}}
-                  <p class="help has-text-grey-dark">
-                    {{replication-mode-description "performance"}}
-                  </p>
-                {{/if}}
-              </div>
-              <div>
-                {{#if (has-feature "Performance Replication")}}
-                  <RadioButton
-                    id="performance"
-                    name="replication-mode"
-                    @value="performance"
-                    @groupValue={{this.replicationMode}}
-                    @onChange={{fn (mut this.replicationMode)}}
-                  />
-                  <label for="performance" data-test-replication-type-select="performance"></label>
-                {{/if}}
-              </div>
-            </label>
-          </div>
-        </div>
-      {{/if}}
-    </div>
-    <div class="box is-sideless is-fullwidth is-marginless">
-      <label for="replication-mode" class="is-label">
-        Cluster mode
-      </label>
-      <div class="field is-expanded">
-        <div class="control select is-fullwidth">
-          <select
-            onchange={{action (mut this.mode) value="target.value"}}
-            id="replication-mode"
-            name="replication-mode"
-            data-test-replication-cluster-mode-select={{true}}
-          >
-            {{#each (array "primary" "secondary") as |modeOption|}}
-              <option selected={{if this.mode (eq this.mode modeOption) (eq modeOption "primary")}} value={{modeOption}}>
-                {{modeOption}}
-              </option>
-            {{/each}}
-          </select>
-        </div>
-        {{#if (eq this.mode "secondary")}}
-          <AlertInline @class="has-top" @type="warning" @message="This will immediately clear all data in this cluster!" />
-        {{/if}}
-      </div>
-      {{#if (eq this.mode "primary")}}
-        {{#if this.cluster.canEnablePrimary}}
-          <div class="field">
-            <label for="primary_cluster_addr" class="is-label">
-              Primary cluster address
-              <em class="is-optional">(optional)</em>
-            </label>
-            <div class="control">
-              <Input
-                class="input"
-                id="primary_cluster_addr"
-                name="primary_cluster_addr"
-                @value={{this.primary_cluster_addr}}
-              />
-            </div>
-            <p class="help has-text-grey">
-              Overrides the cluster address that the primary gives to secondary nodes.
-            </p>
-          </div>
-        {{else}}
-          <p>
-            The token you are using is not authorized to enable primary replication.
-          </p>
-        {{/if}}
-      {{else}}
-        {{#if this.cluster.canEnableSecondary}}
-          {{#if
-            (and
-              (eq this.replicationMode "dr")
-              (not this.cluster.performance.replicationDisabled)
-              (has-feature "Performance Replication")
-            )
-          }}
-            <div>
-              <ToggleButton
-                @isOpen={{this.showExplanation}}
-                @openLabel="Disable Performance Replication in order to enable this cluster as a DR secondary."
-                @closedLabel="Disable Performance Replication in order to enable this cluster as a DR secondary."
-                @onClick={{fn (mut this.showExplanation)}}
-                class="has-text-danger"
-              />
-              {{#if this.showExplanation}}
-                <p>
-                  When running as a DR Secondary Vault is read only. For this reason, we don't allow other Replication modes
-                  to operate at the same time. This cluster is also currently operating as a Performance
-                  {{capitalize this.cluster.performance.modeForUrl}}.
-                </p>
-              {{/if}}
-            </div>
-          {{else}}
-            <div class="field">
-              <label for="secondary-token" class="is-label">
-                Secondary activation token
-              </label>
-              <div class="control">
-                <Textarea @value={{this.token}} id="secondary-token" name="secondary-token" class="textarea" />
-              </div>
-            </div>
-            <div class="field">
-              <label for="primary_api_addr" class="is-label">
-                Primary API address
-                {{#if (not (and this.token (not this.tokenIncludesAPIAddr)))}}
-                  <em class="is-optional">(optional)</em>
-                {{/if}}
-              </label>
-              <div class="control">
-                <Input @value={{this.primary_api_addr}} id="primary_api_addr" name="primary_api_addr" class="input" />
-              </div>
-              <p class="help {{if (and this.token (not this.tokenIncludesAPIAddr)) 'is-danger' 'has-text-grey'}}">
-                {{#if (and this.token (not this.tokenIncludesAPIAddr))}}
-                  The supplied token does not contain an embedded address for the primary cluster. Please enter the primary
-                  cluster's API address (normal Vault address).
-                {{else}}
-                  Set this to the API address (normal Vault address) to override the value embedded in the token.
-                {{/if}}
-              </p>
-            </div>
-            <div class="field">
-              <label for="ca_file" class="is-label">
-                CA file
-                <em class="is-optional">(optional)</em>
-              </label>
-              <div class="control">
-                <Input @value={{this.ca_file}} id="ca_file" name="ca_file" class="input" />
-              </div>
-              <p class="help has-text-grey">
-                Specifies the path to a CA root file (PEM format) that the secondary can use when unwrapping the token from
-                the primary.
-              </p>
-            </div>
-            <div class="field">
-              <label for="ca_path" class="is-label">
-                CA path
-                <em class="is-optional">(optional)</em>
-              </label>
-              <div class="control">
-                <Input @value={{this.ca_path}} id="ca_path" name="ca_file" class="input" />
-              </div>
-              <p class="help has-text-grey">
-                Specifies the path to a CA root directory containing PEM-format files that the secondary can use when
-                unwrapping the token from the primary.
-              </p>
-            </div>
-            <p>
-              Note: If both
-              <code>CA file</code>
-              and
-              <code>CA path</code>
-              are not given, they default to system CA roots.
-            </p>
-          {{/if}}
-        {{else}}
-          <p>The token you are using is not authorized to enable secondary replication.</p>
-        {{/if}}
-      {{/if}}
-    </div>
-    {{#if
-      (or
-        (and (eq this.mode "primary") this.cluster.canEnablePrimary)
-        (and (eq this.mode "secondary") this.cluster.canEnableSecondary)
-      )
-    }}
-      <div class="field is-grouped box is-fullwidth is-bottomless">
-        <div class="control">
-          <button type="submit" class="button is-primary" disabled={{this.disallowEnable}} data-test-replication-enable>
-            Enable Replication
-          </button>
-        </div>
-      </div>
-    {{/if}}
-  </form>
-{{else if this.showModeSummary}}
-  {{#if (not (and this.cluster.dr.replicationEnabled this.cluster.performance.replicationEnabled))}}
-    <PageHeader as |p|>
-      <p.levelLeft>
-        <h1 class="title is-3">
-          Replication
-        </h1>
-      </p.levelLeft>
-    </PageHeader>
-  {{/if}}
-
-  {{#if (and (eq this.cluster.dr.mode "primary") (eq this.cluster.performance.mode "primary"))}}
-    <ReplicationPage @model={{this.cluster}} as |Page|>
-      <Page.header @showTabs={{true}} />
-      <Page.dashboard @componentToRender="replication-summary-card" as |Dashboard|>
-        <Dashboard.card @title="Disaster Recovery" />
-        <Dashboard.card @title="Performance" />
-      </Page.dashboard>
-    </ReplicationPage>
-  {{else}}
-    <div class="box is-sideless is-fullwidth is-marginless">
-      <h3 class="title is-flex-center is-5 is-marginless">
-        <Icon @size="24" @name="replication-direct" />
-        Disaster Recovery (DR)
-      </h3>
-      {{#if this.cluster.dr.replicationEnabled}}
-        {{#if this.submit.isRunning}}
-          <LayoutLoading />
-        {{else}}
-          <LinkTo @route="mode.index" @model="dr" class="link-plain">
-            <ReplicationModeSummary @mode="dr" @cluster={{this.cluster}} @tagName="span" />
-          </LinkTo>
-        {{/if}}
-      {{else}}
-        <ReplicationModeSummary @mode="dr" @cluster={{this.cluster}} @tagName="div" />
-      {{/if}}
-    </div>
-    {{#if (not (and this.submit.isRunning (eq this.cluster.dr.mode "bootstrapping")))}}
-      <div class="box is-bottomless is-fullwidth is-marginless">
-        <h3 class="title is-flex-center is-5 is-marginless">
-          <Icon @size="24" @name="replication-perf" />
-          Performance
-        </h3>
-        <LinkTo @route="mode.index" @model="performance" class="link-plain">
-          <ReplicationModeSummary @mode="performance" @cluster={{this.cluster}} @tagName="span" />
-        </LinkTo>
-      </div>
-    {{/if}}
-  {{/if}}
-{{else}}
-  {{#if (eq this.replicationAttrs.mode "initializing")}}
-    The cluster is initializing replication. This may take some time.
-  {{else}}
-    <p>{{this.cluster.replicationModeStatus.cluster_id}}</p>
-    <div class="replication">
-      <ReplicationPage @model={{this.cluster}} as |Page|>
-        <Page.dashboard
-          @data={{this.cluster}}
-          @componentToRender={{if
-            (eq this.replicationAttrs.mode "secondary")
-            "replication-secondary-card"
-            "replication-primary-card"
-          }}
-          as |Dashboard|
-        >
-          {{#if (eq this.replicationAttrs.mode "secondary")}}
-            <Dashboard.card @title="Status" />
-            <Dashboard.card @title="Primary cluster" />
-          {{else}}
-            <Dashboard.card
-              @title="State"
-              @description="The cluster’s current operating state."
-              @glyph={{get (cluster-states this.replicationAttrs.state) "glyph"}}
-              @metric={{this.replicationAttrs.state}}
-            />
-            <Dashboard.card
-              @title="Last WAL entry"
-              @description="Index of last Write Ahead Logs entry written on local storage. Updates every ten seconds."
-              @metric={{format-number this.replicationAttrs.lastWAL}}
-            />
-            <Dashboard.secondaryCard @cluster={{this.cluster}} @replicationAttrs={{this.replicationAttrs}} />
-          {{/if}}
-        </Page.dashboard>
-      </ReplicationPage>
-    </div>
-  {{/if}}
-{{/if}}
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"fmt"
+	"sort"
+	"strconv"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*SecretsListCommand)(nil)
+	_ cli.CommandAutocomplete = (*SecretsListCommand)(nil)
+)
+
+type SecretsListCommand struct {
+	*BaseCommand
+
+	flagDetailed bool
+}
+
+func (c *SecretsListCommand) Synopsis() string {
+	return "List enabled secrets engines"
+}
+
+func (c *SecretsListCommand) Help() string {
+	helpText := `
+Usage: vault secrets list [options]
+
+  Lists the enabled secret engines on the Vault server. This command also
+  outputs information about the enabled path including configured TTLs and
+  human-friendly descriptions. A TTL of "system" indicates that the system
+  default is in use.
+
+  List all enabled secrets engines:
+
+      $ vault secrets list
+
+  List all enabled secrets engines with detailed output:
+
+      $ vault secrets list -detailed
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *SecretsListCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+
+	f := set.NewFlagSet("Command Options")
+
+	f.BoolVar(&BoolVar{
+		Name:    "detailed",
+		Target:  &c.flagDetailed,
+		Default: false,
+		Usage: "Print detailed information such as TTLs and replication status " +
+			"about each secrets engine.",
+	})
+
+	return set
+}
+
+func (c *SecretsListCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultFiles()
+}
+
+func (c *SecretsListCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *SecretsListCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	if len(args) > 0 {
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(args)))
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	mounts, err := client.Sys().ListMounts()
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error listing secrets engines: %s", err))
+		return 2
+	}
+
+	switch Format(c.UI) {
+	case "table":
+		if c.flagDetailed {
+			c.UI.Output(tableOutput(c.detailedMounts(mounts), nil))
+			return 0
+		}
+		c.UI.Output(tableOutput(c.simpleMounts(mounts), nil))
+		return 0
+	default:
+		return OutputData(c.UI, mounts)
+	}
+}
+
+func (c *SecretsListCommand) simpleMounts(mounts map[string]*api.MountOutput) []string {
+	paths := make([]string, 0, len(mounts))
+	for path := range mounts {
+		paths = append(paths, path)
+	}
+	sort.Strings(paths)
+
+	out := []string{"Path | Type | Accessor | Description"}
+	for _, path := range paths {
+		mount := mounts[path]
+		out = append(out, fmt.Sprintf("%s | %s | %s | %s", path, mount.Type, mount.Accessor, mount.Description))
+	}
+
+	return out
+}
+
+func (c *SecretsListCommand) detailedMounts(mounts map[string]*api.MountOutput) []string {
+	paths := make([]string, 0, len(mounts))
+	for path := range mounts {
+		paths = append(paths, path)
+	}
+	sort.Strings(paths)
+
+	calcTTL := func(typ string, ttl int) string {
+		switch {
+		case typ == "system", typ == "cubbyhole":
+			return ""
+		case ttl != 0:
+			return strconv.Itoa(ttl)
+		default:
+			return "system"
+		}
+	}
+
+	out := []string{"Path | Plugin | Accessor | Default TTL | Max TTL | Force No Cache | Replication | Seal Wrap | External Entropy Access | Options | Description | UUID | Version | Running Version | Running SHA256 | Deprecation Status"}
+	for _, path := range paths {
+		mount := mounts[path]
+
+		defaultTTL := calcTTL(mount.Type, mount.Config.DefaultLeaseTTL)
+		maxTTL := calcTTL(mount.Type, mount.Config.MaxLeaseTTL)
+
+		replication := "replicated"
+		if mount.Local {
+			replication = "local"
+		}
+
+		pluginName := mount.Type
+		if pluginName == "plugin" {
+			pluginName = mount.Config.PluginName
+		}
+
+		out = append(out, fmt.Sprintf("%s | %s | %s | %s | %s | %t | %s | %t | %v | %s | %s | %s | %s | %s | %s | %s",
+			path,
+			pluginName,
+			mount.Accessor,
+			defaultTTL,
+			maxTTL,
+			mount.Config.ForceNoCache,
+			replication,
+			mount.SealWrap,
+			mount.ExternalEntropyAccess,
+			mount.Options,
+			mount.Description,
+			mount.UUID,
+			mount.PluginVersion,
+			mount.RunningVersion,
+			mount.RunningSha256,
+			mount.DeprecationStatus,
+		))
+	}
+
+	return out
+}
diff --git a/ui/lib/replication/addon/templates/mode/secondaries/add.hbs b/ui/lib/replication/addon/templates/mode/secondaries/add.hbs
index 838af13f4442..dcc51eb01892 100644
--- a/ui/lib/replication/addon/templates/mode/secondaries/add.hbs
+++ b/ui/lib/replication/addon/templates/mode/secondaries/add.hbs
@@ -1,114 +1,108 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<form {{action "onSubmit" "secondary-token" "primary" (hash ttl=this.ttl id=this.id) on="submit"}}>
-  <div class="box is-fullwidth is-shadowless is-marginless">
-    <h4 class="title is-5">
-      Generate a secondary token
-    </h4>
-    <p>
-      Generate a token to enable
-      {{this.model.replicationModeForDisplay}}
-      replication or change primaries on secondary cluster.
-    </p>
-  </div>
-  <MessageError @errors={{this.errors}} />
-  <div class="field">
-    <label for="activation-token-id" class="is-label">
-      Secondary ID
-    </label>
-    <div class="control">
-      <Input
-        class="input"
-        name="activation-token-id"
-        id="activation-token-id"
-        @value={{this.id}}
-        data-test-replication-secondary-id={{true}}
-      />
-    </div>
-    <p class="help has-text-grey">
-      This will be used to identify a secondary cluster once a connection has been established with the primary.
-    </p>
-  </div>
-  <div class="field">
-    <TtlPicker
-      @initialValue="30m"
-      @label="Time to Live (TTL) for generated secondary token"
-      @helperTextDisabled="If not set, the default value (30 minutes) will be used"
-      @helperTextEnabled="After this period, the generated token will no longer be valid."
-      @onChange={{action "updateTtl"}}
-      @changeOnInit={{true}}
-    />
-  </div>
-  {{#if (eq this.replicationMode "performance")}}
-    <PathFilterConfigList @paths={{this.paths}} @config={{this.filterConfig}} @id={{this.id}} />
-  {{/if}}
-  <div class="field is-grouped box is-fullwidth is-bottomless">
-    <div class="control">
-      <button type="submit" class="button is-primary" data-test-secondary-add={{true}}>
-        Generate token
-      </button>
-    </div>
-    <div class="control">
-      <LinkTo @route="mode.secondaries" @model={{this.replicationMode}} class="button">
-        Cancel
-      </LinkTo>
-    </div>
-  </div>
-</form>
-
-{{#if this.isModalActive}}
-  <Hds::Modal
-    id="replication-copy-token-modal"
-    @onClose={{action "closeTokenModal"}}
-    @isDismissDisabled={{not this.isTokenCopied}}
-    as |M|
-  >
-    <M.Header>
-      Copy your token
-    </M.Header>
-    <M.Body>
-      <p>
-        This token can be used to enable
-        {{this.model.replicationModeForDisplay}}
-        replication or change primaries on the secondary cluster.
-      </p>
-      <div class="box is-shadowless is-fullwidth is-sideless">
-        <h2 class="title is-6">Activation token</h2>
-        <div class="copy-text level">
-          <div class="is-fullwidth">
-            <textarea readonly value={{this.token}} id="token-textarea" class="textarea level-left"></textarea>
-          </div>
-        </div>
-        <div class="has-top-margin-xl has-bottom-margin-s">
-          <InfoTableRow @label="TTL" @value={{this.ttl}} />
-          <InfoTableRow @label="Expires" @value={{date-format this.expirationDate "MMM dd, yyyy hh:mm:ss a"}} />
-        </div>
-      </div>
-    </M.Body>
-    <M.Footer>
-      <Hds::ButtonSet>
-        <Hds::Copy::Button
-          data-test-modal-copy
-          @text="Copy token"
-          @textToCopy={{this.token}}
-          class="primary"
-          @container=".hds-modal"
-          {{on "click" (action "onCopy")}}
-        />
-        <Hds::Button
-          data-test-modal-close
-          disabled={{not this.isTokenCopied}}
-          @text="Close"
-          @color="secondary"
-          {{on "click" (action "closeTokenModal")}}
-        />
-        {{#unless this.isTokenCopied}}
-          <AlertInline @type="warning" @message="Copy token to dismiss modal" />
-        {{/unless}}
-      </Hds::ButtonSet>
-    </M.Footer>
-  </Hds::Modal>
-{{/if}}
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+)
+
+func testSecretsListCommand(tb testing.TB) (*cli.MockUi, *SecretsListCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &SecretsListCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestSecretsListCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"too_many_args",
+			[]string{"foo"},
+			"Too many arguments",
+			1,
+		},
+		{
+			"lists",
+			nil,
+			"Path",
+			0,
+		},
+		{
+			"detailed",
+			[]string{"-detailed"},
+			"Deprecation Status",
+			0,
+		},
+	}
+
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range cases {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				ui, cmd := testSecretsListCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testSecretsListCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error listing secrets engines: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testSecretsListCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
diff --git a/ui/lib/replication/addon/templates/mode/secondaries/config-create.hbs b/ui/lib/replication/addon/templates/mode/secondaries/config-create.hbs
index 3fbf861065d3..bd4062969a49 100644
--- a/ui/lib/replication/addon/templates/mode/secondaries/config-create.hbs
+++ b/ui/lib/replication/addon/templates/mode/secondaries/config-create.hbs
@@ -1,26 +1,131 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<div class="box is-fullwidth is-shadowless is-marginless">
-  <h4 class="title is-5 is-marginless">
-    Create a path filter config for
-    <code>{{this.model.config.id}}</code>
-  </h4>
-</div>
-<form {{action "saveConfig" this.model.config on="submit"}}>
-  <PathFilterConfigList @paths={{this.model.paths}} @config={{this.model.config}} />
-  <div class="field is-grouped box is-fullwidth is-shadowless">
-    <div class="control">
-      <button type="submit" class="button is-primary">
-        Create
-      </button>
-    </div>
-    <div class="control">
-      <LinkTo @route="mode.secondaries.config-show" @model={{this.model.config.id}} class="button">
-        Cancel
-      </LinkTo>
-    </div>
-  </div>
-</form>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*SecretsMoveCommand)(nil)
+	_ cli.CommandAutocomplete = (*SecretsMoveCommand)(nil)
+)
+
+const (
+	MountMigrationStatusSuccess = "success"
+	MountMigrationStatusFailure = "failure"
+)
+
+type SecretsMoveCommand struct {
+	*BaseCommand
+}
+
+func (c *SecretsMoveCommand) Synopsis() string {
+	return "Move a secrets engine to a new path"
+}
+
+func (c *SecretsMoveCommand) Help() string {
+	helpText := `
+Usage: vault secrets move [options] SOURCE DESTINATION
+
+  Moves an existing secrets engine to a new path. Any leases from the old
+  secrets engine are revoked, but all configuration associated with the engine
+  is preserved. It initiates the migration and intermittently polls its status,
+  exiting if a final state is reached.
+
+  This command works within or across namespaces, both source and destination paths
+  can be prefixed with a namespace heirarchy relative to the current namespace.
+
+  WARNING! Moving a secrets engine will revoke any leases from the
+  old engine.
+
+  Move the secrets engine at secret/ to generic/:
+
+      $ vault secrets move secret/ generic/
+
+  Move the secrets engine at ns1/secret/ across namespaces to ns2/generic/, 
+  where ns1 and ns2 are child namespaces of the current namespace:
+
+      $ vault secrets move ns1/secret/ ns2/generic/
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *SecretsMoveCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP)
+}
+
+func (c *SecretsMoveCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultMounts()
+}
+
+func (c *SecretsMoveCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *SecretsMoveCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	switch {
+	case len(args) < 2:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 2, got %d)", len(args)))
+		return 1
+	case len(args) > 2:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 2, got %d)", len(args)))
+		return 1
+	}
+
+	// Grab the source and destination
+	source := ensureTrailingSlash(args[0])
+	destination := ensureTrailingSlash(args[1])
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	remountResp, err := client.Sys().StartRemount(source, destination)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error moving secrets engine %s to %s: %s", source, destination, err))
+		return 2
+	}
+
+	c.UI.Output(fmt.Sprintf("Started moving secrets engine %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))
+
+	// Poll the status endpoint with the returned migration ID
+	// Exit if a terminal status is reached, else wait and retry
+	for {
+		remountStatusResp, err := client.Sys().RemountStatus(remountResp.MigrationID)
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error checking migration status of secrets engine %s to %s: %s", source, destination, err))
+			return 2
+		}
+		if remountStatusResp.MigrationInfo.MigrationStatus == MountMigrationStatusSuccess {
+			c.UI.Output(fmt.Sprintf("Success! Finished moving secrets engine %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))
+			return 0
+		}
+		if remountStatusResp.MigrationInfo.MigrationStatus == MountMigrationStatusFailure {
+			c.UI.Error(fmt.Sprintf("Failure! Error encountered moving secrets engine %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))
+			return 0
+		}
+		c.UI.Output(fmt.Sprintf("Waiting for terminal status in migration of secrets engine %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))
+		time.Sleep(10 * time.Second)
+	}
+
+	return 0
+}
diff --git a/ui/lib/replication/addon/templates/mode/secondaries/config-edit.hbs b/ui/lib/replication/addon/templates/mode/secondaries/config-edit.hbs
index 77a4b57f33d4..ed7a5a5c629c 100644
--- a/ui/lib/replication/addon/templates/mode/secondaries/config-edit.hbs
+++ b/ui/lib/replication/addon/templates/mode/secondaries/config-edit.hbs
@@ -1,29 +1,142 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<Toolbar />
-<div class="box is-fullwidth is-shadowless is-marginless">
-  <h4 class="title is-5 is-marginless">
-    Edit path filter config for
-    <code>{{this.model.config.id}}</code>
-  </h4>
-</div>
-<form {{action "saveConfig" this.model.config on="submit"}}>
-  <PathFilterConfigList @paths={{this.model.paths}} @config={{this.model.config}} />
-  <div class="field is-grouped is-grouped-split is-fullwidth box is-bottomless">
-    <div class="field is-grouped">
-      <div class="control">
-        <button type="submit" class="button is-primary" data-test-config-save>
-          Update
-        </button>
-      </div>
-      <div class="control">
-        <LinkTo @route="mode.secondaries.config-show" @model={{this.model.config.id}} class="button">
-          Cancel
-        </LinkTo>
-      </div>
-    </div>
-  </div>
-</form>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+)
+
+func testSecretsMoveCommand(tb testing.TB) (*cli.MockUi, *SecretsMoveCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &SecretsMoveCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestSecretsMoveCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"not_enough_args",
+			[]string{},
+			"Not enough arguments",
+			1,
+		},
+		{
+			"too_many_args",
+			[]string{"foo", "bar", "baz"},
+			"Too many arguments",
+			1,
+		},
+		{
+			"non_existent",
+			[]string{"not_real", "over_here"},
+			"Error moving secrets engine not_real/ to over_here/",
+			2,
+		},
+	}
+
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range cases {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				ui, cmd := testSecretsMoveCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
+	})
+
+	t.Run("integration", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		ui, cmd := testSecretsMoveCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"secret/", "generic/",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Success! Finished moving secrets engine secret/ to generic/"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+
+		mounts, err := client.Sys().ListMounts()
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if _, ok := mounts["generic/"]; !ok {
+			t.Errorf("expected mount at generic/: %#v", mounts)
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testSecretsMoveCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"secret/", "generic/",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error moving secrets engine secret/ to generic/:"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testSecretsMoveCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
diff --git a/ui/lib/replication/addon/templates/mode/secondaries/revoke.hbs b/ui/lib/replication/addon/templates/mode/secondaries/revoke.hbs
index fa52a6becde6..7dcf3feb9293 100644
--- a/ui/lib/replication/addon/templates/mode/secondaries/revoke.hbs
+++ b/ui/lib/replication/addon/templates/mode/secondaries/revoke.hbs
@@ -1,40 +1,267 @@
-{{!
-  Copyright (c) HashiCorp, Inc.
-  SPDX-License-Identifier: BUSL-1.1
-~}}
-
-<div class="box is-fullwidth is-shadowless is-marginless">
-  <h4 class="title is-5">
-    Revoke a secondary token
-  </h4>
-</div>
-<MessageError @errors={{this.errors}} />
-<div class="field">
-  <label for="activation-token-id" class="is-label">
-    Secondary ID
-  </label>
-  <div class="control">
-    <Input class="input" name="activation-token-id" id="activation-token-id" @value={{this.id}} />
-  </div>
-  <p class="help has-text-grey">
-    The secondary id to revoke; given initially to generate a secondary token.
-  </p>
-</div>
-<div class="field is-grouped box is-fullwidth is-bottomless">
-  <div class="control">
-    <ConfirmAction
-      @buttonText="Revoke"
-      @confirmTitle="Revoke token?"
-      @confirmMessage="This will revoke this secondary token."
-      @disabledMessage={{unless this.id "A secondary ID is required perform revocation."}}
-      @onConfirmAction={{action "onSubmit" "revoke-secondary" "primary" (hash id=this.id)}}
-    />
-  </div>
-  <div class="control">
-    {{#unless this.isRevoking}}
-      <LinkTo @route="mode.secondaries" @model={{this.replicationMode}} class="button">
-        Cancel
-      </LinkTo>
-    {{/unless}}
-  </div>
-</div>
\ No newline at end of file
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"flag"
+	"fmt"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*SecretsTuneCommand)(nil)
+	_ cli.CommandAutocomplete = (*SecretsTuneCommand)(nil)
+)
+
+type SecretsTuneCommand struct {
+	*BaseCommand
+
+	flagAuditNonHMACRequestKeys   []string
+	flagAuditNonHMACResponseKeys  []string
+	flagDefaultLeaseTTL           time.Duration
+	flagDescription               string
+	flagListingVisibility         string
+	flagMaxLeaseTTL               time.Duration
+	flagPassthroughRequestHeaders []string
+	flagAllowedResponseHeaders    []string
+	flagOptions                   map[string]string
+	flagVersion                   int
+	flagPluginVersion             string
+	flagAllowedManagedKeys        []string
+	flagDelegatedAuthAccessors    []string
+}
+
+func (c *SecretsTuneCommand) Synopsis() string {
+	return "Tune a secrets engine configuration"
+}
+
+func (c *SecretsTuneCommand) Help() string {
+	helpText := `
+Usage: vault secrets tune [options] PATH
+
+  Tunes the configuration options for the secrets engine at the given PATH.
+  The argument corresponds to the PATH where the secrets engine is enabled,
+  not the TYPE!
+
+  Tune the default lease for the PKI secrets engine:
+
+      $ vault secrets tune -default-lease-ttl=72h pki/
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *SecretsTuneCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP)
+
+	f := set.NewFlagSet("Command Options")
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNameAuditNonHMACRequestKeys,
+		Target: &c.flagAuditNonHMACRequestKeys,
+		Usage: "Key that will not be HMAC'd by audit devices in the request data " +
+			"object. To specify multiple values, specify this flag multiple times.",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNameAuditNonHMACResponseKeys,
+		Target: &c.flagAuditNonHMACResponseKeys,
+		Usage: "Key that will not be HMAC'd by audit devices in the response data " +
+			"object. To specify multiple values, specify this flag multiple times.",
+	})
+
+	f.DurationVar(&DurationVar{
+		Name:       "default-lease-ttl",
+		Target:     &c.flagDefaultLeaseTTL,
+		Default:    0,
+		EnvVar:     "",
+		Completion: complete.PredictAnything,
+		Usage: "The default lease TTL for this secrets engine. If unspecified, " +
+			"this defaults to the Vault server's globally configured default lease " +
+			"TTL, or a previously configured value for the secrets engine.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:   flagNameDescription,
+		Target: &c.flagDescription,
+		Usage: "Human-friendly description of this secret engine. This overrides the " +
+			"current stored value, if any.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:   flagNameListingVisibility,
+		Target: &c.flagListingVisibility,
+		Usage: "Determines the visibility of the mount in the UI-specific listing " +
+			"endpoint.",
+	})
+
+	f.DurationVar(&DurationVar{
+		Name:       "max-lease-ttl",
+		Target:     &c.flagMaxLeaseTTL,
+		Default:    0,
+		EnvVar:     "",
+		Completion: complete.PredictAnything,
+		Usage: "The maximum lease TTL for this secrets engine. If unspecified, " +
+			"this defaults to the Vault server's globally configured maximum lease " +
+			"TTL, or a previously configured value for the secrets engine.",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNamePassthroughRequestHeaders,
+		Target: &c.flagPassthroughRequestHeaders,
+		Usage: "Request header value that will be sent to the plugin. To specify " +
+			"multiple values, specify this flag multiple times.",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNameAllowedResponseHeaders,
+		Target: &c.flagAllowedResponseHeaders,
+		Usage: "Response header value that plugins will be allowed to set. To " +
+			"specify multiple values, specify this flag multiple times.",
+	})
+
+	f.StringMapVar(&StringMapVar{
+		Name:       "options",
+		Target:     &c.flagOptions,
+		Completion: complete.PredictAnything,
+		Usage: "Key-value pair provided as key=value for the mount options. " +
+			"This can be specified multiple times.",
+	})
+
+	f.IntVar(&IntVar{
+		Name:    "version",
+		Target:  &c.flagVersion,
+		Default: 0,
+		Usage:   "Select the version of the engine to run. Not supported by all engines.",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNameAllowedManagedKeys,
+		Target: &c.flagAllowedManagedKeys,
+		Usage: "Managed key name(s) that the mount in question is allowed to access. " +
+			"Note that multiple keys may be specified by providing this option multiple times, " +
+			"each time with 1 key.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:    flagNamePluginVersion,
+		Target:  &c.flagPluginVersion,
+		Default: "",
+		Usage: "Select the semantic version of the plugin to run. The new version must be registered in " +
+			"the plugin catalog, and will not start running until the plugin is reloaded.",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNameDelegatedAuthAccessors,
+		Target: &c.flagDelegatedAuthAccessors,
+		Usage: "A list of permitted authentication accessors this backend can delegate authentication to. " +
+			"Note that multiple values may be specified by providing this option multiple times, " +
+			"each time with 1 accessor.",
+	})
+
+	return set
+}
+
+func (c *SecretsTuneCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultMounts()
+}
+
+func (c *SecretsTuneCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *SecretsTuneCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	if c.flagVersion > 0 {
+		if c.flagOptions == nil {
+			c.flagOptions = make(map[string]string)
+		}
+		c.flagOptions["version"] = strconv.Itoa(c.flagVersion)
+	}
+
+	// Append a trailing slash to indicate it's a path in output
+	mountPath := ensureTrailingSlash(sanitizePath(args[0]))
+
+	mountConfigInput := api.MountConfigInput{
+		DefaultLeaseTTL: ttlToAPI(c.flagDefaultLeaseTTL),
+		MaxLeaseTTL:     ttlToAPI(c.flagMaxLeaseTTL),
+		Options:         c.flagOptions,
+	}
+
+	// Set these values only if they are provided in the CLI
+	f.Visit(func(fl *flag.Flag) {
+		if fl.Name == flagNameAuditNonHMACRequestKeys {
+			mountConfigInput.AuditNonHMACRequestKeys = c.flagAuditNonHMACRequestKeys
+		}
+
+		if fl.Name == flagNameAuditNonHMACResponseKeys {
+			mountConfigInput.AuditNonHMACResponseKeys = c.flagAuditNonHMACResponseKeys
+		}
+
+		if fl.Name == flagNameDescription {
+			mountConfigInput.Description = &c.flagDescription
+		}
+
+		if fl.Name == flagNameListingVisibility {
+			mountConfigInput.ListingVisibility = c.flagListingVisibility
+		}
+
+		if fl.Name == flagNamePassthroughRequestHeaders {
+			mountConfigInput.PassthroughRequestHeaders = c.flagPassthroughRequestHeaders
+		}
+
+		if fl.Name == flagNameAllowedResponseHeaders {
+			mountConfigInput.AllowedResponseHeaders = c.flagAllowedResponseHeaders
+		}
+
+		if fl.Name == flagNameAllowedManagedKeys {
+			mountConfigInput.AllowedManagedKeys = c.flagAllowedManagedKeys
+		}
+
+		if fl.Name == flagNamePluginVersion {
+			mountConfigInput.PluginVersion = c.flagPluginVersion
+		}
+
+		if fl.Name == flagNameDelegatedAuthAccessors {
+			mountConfigInput.DelegatedAuthAccessors = c.flagDelegatedAuthAccessors
+		}
+	})
+
+	if err := client.Sys().TuneMount(mountPath, mountConfigInput); err != nil {
+		c.UI.Error(fmt.Sprintf("Error tuning secrets engine %s: %s", mountPath, err))
+		return 2
+	}
+
+	c.UI.Output(fmt.Sprintf("Success! Tuned the secrets engine at: %s", mountPath))
+	return 0
+}
diff --git a/ui/mirage/handlers/base.js b/ui/mirage/handlers/base.js
index 2693f4a7592b..5c1670db92d7 100644
--- a/ui/mirage/handlers/base.js
+++ b/ui/mirage/handlers/base.js
@@ -1,87 +1,370 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-// base handlers used in mirage config when a specific handler is not specified
-const EXPIRY_DATE = '2021-05-12T23:20:50.52Z';
-
-export default function (server) {
-  server.get('/sys/internal/ui/feature-flags', (db) => {
-    const featuresResponse = db.features.first();
-    return {
-      data: {
-        feature_flags: featuresResponse ? featuresResponse.feature_flags : null,
-      },
-    };
-  });
-
-  server.get('/sys/health', function () {
-    return {
-      initialized: true,
-      sealed: false,
-      standby: false,
-      license: {
-        expiry: '2021-05-12T23:20:50.52Z',
-        state: 'stored',
-      },
-      performance_standby: false,
-      replication_performance_mode: 'disabled',
-      replication_dr_mode: 'disabled',
-      server_time_utc: 1622562585,
-      version: '1.9.0+ent',
-      cluster_name: 'vault-cluster-e779cd7c',
-      cluster_id: '5f20f5ab-acea-0481-787e-71ec2ff5a60b',
-      last_wal: 121,
-    };
-  });
-
-  server.get('/sys/license/status', function () {
-    return {
-      data: {
-        autoloading_used: false,
-        persisted_autoload: {
-          expiration_time: EXPIRY_DATE,
-          features: ['DR Replication', 'Namespaces', 'Lease Count Quotas', 'Automated Snapshots'],
-          license_id: '0eca7ef8-ebc0-f875-315e-3cc94a7870cf',
-          performance_standby_count: 0,
-          start_time: '2020-04-28T00:00:00Z',
-        },
-        autoloaded: {
-          expiration_time: EXPIRY_DATE,
-          features: ['DR Replication', 'Namespaces', 'Lease Count Quotas', 'Automated Snapshots'],
-          license_id: '0eca7ef8-ebc0-f875-315e-3cc94a7870cf',
-          performance_standby_count: 0,
-          start_time: '2020-04-28T00:00:00Z',
-        },
-      },
-    };
-  });
-
-  server.get('sys/namespaces', function () {
-    return {
-      data: {
-        keys: [
-          'ns1/',
-          'ns2/',
-          'ns3/',
-          'ns4/',
-          'ns5/',
-          'ns6/',
-          'ns7/',
-          'ns8/',
-          'ns9/',
-          'ns10/',
-          'ns11/',
-          'ns12/',
-          'ns13/',
-          'ns14/',
-          'ns15/',
-          'ns16/',
-          'ns17/',
-          'ns18/',
-        ],
-      },
-    };
-  });
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/go-test/deep"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
+)
+
+func testSecretsTuneCommand(tb testing.TB) (*cli.MockUi, *SecretsTuneCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &SecretsTuneCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestSecretsTuneCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"not_enough_args",
+			[]string{},
+			"Not enough arguments",
+			1,
+		},
+		{
+			"too_many_args",
+			[]string{"foo", "bar"},
+			"Too many arguments",
+			1,
+		},
+	}
+
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range cases {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				ui, cmd := testSecretsTuneCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
+	})
+
+	t.Run("protect_downgrade", func(t *testing.T) {
+		t.Parallel()
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		ui, cmd := testSecretsTuneCommand(t)
+		cmd.client = client
+
+		// Mount
+		if err := client.Sys().Mount("kv", &api.MountInput{
+			Type: "kv",
+			Options: map[string]string{
+				"version": "2",
+			},
+		}); err != nil {
+			t.Fatal(err)
+		}
+
+		// confirm default max_versions
+		mounts, err := client.Sys().ListMounts()
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		mountInfo, ok := mounts["kv/"]
+		if !ok {
+			t.Fatalf("expected mount to exist")
+		}
+		if exp := "kv"; mountInfo.Type != exp {
+			t.Errorf("expected %q to be %q", mountInfo.Type, exp)
+		}
+		if exp := "2"; mountInfo.Options["version"] != exp {
+			t.Errorf("expected %q to be %q", mountInfo.Options["version"], exp)
+		}
+
+		if exp := ""; mountInfo.Options["max_versions"] != exp {
+			t.Errorf("expected %s to be empty", mountInfo.Options["max_versions"])
+		}
+
+		// omitting the version should not cause a downgrade
+		code := cmd.Run([]string{
+			"-options", "max_versions=2",
+			"kv/",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Success! Tuned the secrets engine at: kv/"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+
+		mounts, err = client.Sys().ListMounts()
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		mountInfo, ok = mounts["kv/"]
+		if !ok {
+			t.Fatalf("expected mount to exist")
+		}
+		if exp := "2"; mountInfo.Options["version"] != exp {
+			t.Errorf("expected %q to be %q", mountInfo.Options["version"], exp)
+		}
+		if exp := "kv"; mountInfo.Type != exp {
+			t.Errorf("expected %q to be %q", mountInfo.Type, exp)
+		}
+		if exp := "2"; mountInfo.Options["max_versions"] != exp {
+			t.Errorf("expected %s to be %s", mountInfo.Options["max_versions"], exp)
+		}
+	})
+
+	t.Run("integration", func(t *testing.T) {
+		t.Run("flags_all", func(t *testing.T) {
+			t.Parallel()
+			pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
+			defer cleanup(t)
+
+			client, _, closer := testVaultServerPluginDir(t, pluginDir)
+			defer closer()
+
+			ui, cmd := testSecretsTuneCommand(t)
+			cmd.client = client
+
+			// Mount
+			if err := client.Sys().Mount("mount_tune_integration", &api.MountInput{
+				Type: "pki",
+			}); err != nil {
+				t.Fatal(err)
+			}
+
+			mounts, err := client.Sys().ListMounts()
+			if err != nil {
+				t.Fatal(err)
+			}
+			mountInfo, ok := mounts["mount_tune_integration/"]
+			if !ok {
+				t.Fatalf("expected mount to exist")
+			}
+
+			if exp := ""; mountInfo.PluginVersion != exp {
+				t.Errorf("expected %q to be %q", mountInfo.PluginVersion, exp)
+			}
+
+			_, _, version := testPluginCreateAndRegisterVersioned(t, client, pluginDir, "pki", api.PluginTypeSecrets)
+
+			code := cmd.Run([]string{
+				"-description", "new description",
+				"-default-lease-ttl", "30m",
+				"-max-lease-ttl", "1h",
+				"-audit-non-hmac-request-keys", "foo,bar",
+				"-audit-non-hmac-response-keys", "foo,bar",
+				"-passthrough-request-headers", "authorization",
+				"-passthrough-request-headers", "www-authentication",
+				"-allowed-response-headers", "authorization,www-authentication",
+				"-allowed-managed-keys", "key1,key2",
+				"-listing-visibility", "unauth",
+				"-plugin-version", version,
+				"mount_tune_integration/",
+			})
+			if exp := 0; code != exp {
+				t.Errorf("expected %d to be %d", code, exp)
+			}
+
+			expected := "Success! Tuned the secrets engine at: mount_tune_integration/"
+			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+			if !strings.Contains(combined, expected) {
+				t.Errorf("expected %q to contain %q", combined, expected)
+			}
+
+			mounts, err = client.Sys().ListMounts()
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			mountInfo, ok = mounts["mount_tune_integration/"]
+			if !ok {
+				t.Fatalf("expected mount to exist")
+			}
+			if exp := "new description"; mountInfo.Description != exp {
+				t.Errorf("expected %q to be %q", mountInfo.Description, exp)
+			}
+			if exp := "pki"; mountInfo.Type != exp {
+				t.Errorf("expected %q to be %q", mountInfo.Type, exp)
+			}
+			if exp := version; mountInfo.PluginVersion != exp {
+				t.Errorf("expected %q to be %q", mountInfo.PluginVersion, exp)
+			}
+			if exp := 1800; mountInfo.Config.DefaultLeaseTTL != exp {
+				t.Errorf("expected %d to be %d", mountInfo.Config.DefaultLeaseTTL, exp)
+			}
+			if exp := 3600; mountInfo.Config.MaxLeaseTTL != exp {
+				t.Errorf("expected %d to be %d", mountInfo.Config.MaxLeaseTTL, exp)
+			}
+			if diff := deep.Equal([]string{"authorization", "www-authentication"}, mountInfo.Config.PassthroughRequestHeaders); len(diff) > 0 {
+				t.Errorf("Failed to find expected values for PassthroughRequestHeaders. Difference is: %v", diff)
+			}
+			if diff := deep.Equal([]string{"authorization,www-authentication"}, mountInfo.Config.AllowedResponseHeaders); len(diff) > 0 {
+				t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff)
+			}
+			if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 {
+				t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff)
+			}
+			if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
+				t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
+			}
+			if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 {
+				t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff)
+			}
+		})
+
+		t.Run("flags_description", func(t *testing.T) {
+			t.Parallel()
+			t.Run("not_provided", func(t *testing.T) {
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				ui, cmd := testSecretsTuneCommand(t)
+				cmd.client = client
+
+				// Mount
+				if err := client.Sys().Mount("mount_tune_integration", &api.MountInput{
+					Type:        "pki",
+					Description: "initial description",
+				}); err != nil {
+					t.Fatal(err)
+				}
+
+				code := cmd.Run([]string{
+					"-default-lease-ttl", "30m",
+					"mount_tune_integration/",
+				})
+				if exp := 0; code != exp {
+					t.Errorf("expected %d to be %d", code, exp)
+				}
+
+				expected := "Success! Tuned the secrets engine at: mount_tune_integration/"
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, expected) {
+					t.Errorf("expected %q to contain %q", combined, expected)
+				}
+
+				mounts, err := client.Sys().ListMounts()
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				mountInfo, ok := mounts["mount_tune_integration/"]
+				if !ok {
+					t.Fatalf("expected mount to exist")
+				}
+				if exp := "initial description"; mountInfo.Description != exp {
+					t.Errorf("expected %q to be %q", mountInfo.Description, exp)
+				}
+			})
+
+			t.Run("provided_empty", func(t *testing.T) {
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				ui, cmd := testSecretsTuneCommand(t)
+				cmd.client = client
+
+				// Mount
+				if err := client.Sys().Mount("mount_tune_integration", &api.MountInput{
+					Type:        "pki",
+					Description: "initial description",
+				}); err != nil {
+					t.Fatal(err)
+				}
+
+				code := cmd.Run([]string{
+					"-description", "",
+					"mount_tune_integration/",
+				})
+				if exp := 0; code != exp {
+					t.Errorf("expected %d to be %d", code, exp)
+				}
+
+				expected := "Success! Tuned the secrets engine at: mount_tune_integration/"
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, expected) {
+					t.Errorf("expected %q to contain %q", combined, expected)
+				}
+
+				mounts, err := client.Sys().ListMounts()
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				mountInfo, ok := mounts["mount_tune_integration/"]
+				if !ok {
+					t.Fatalf("expected mount to exist")
+				}
+				if exp := ""; mountInfo.Description != exp {
+					t.Errorf("expected %q to be %q", mountInfo.Description, exp)
+				}
+			})
+		})
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testSecretsTuneCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"pki/",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error tuning secrets engine pki/: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testSecretsTuneCommand(t)
+		assertNoTabs(t, cmd)
+	})
 }
diff --git a/ui/mirage/handlers/reduced-disclosure.js b/ui/mirage/handlers/reduced-disclosure.js
index c0be1b072bfb..0b760bd86646 100644
--- a/ui/mirage/handlers/reduced-disclosure.js
+++ b/ui/mirage/handlers/reduced-disclosure.js
@@ -1,18 +1,3410 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import modifyPassthroughResponse from '../helpers/modify-passthrough-response';
-
-export default function (server) {
-  server.get('/sys/health', (schema, req) =>
-    modifyPassthroughResponse(req, { version: '', cluster_name: '' })
-  );
-  server.get('/sys/seal-status', (schema, req) =>
-    modifyPassthroughResponse(req, { version: '', cluster_name: '', build_date: '' })
-  );
-  server.get('sys/replication/status', () => new Response(404));
-  server.get('sys/replication/dr/status', () => new Response(404));
-  server.get('sys/replication/performance/status', () => new Response(404));
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"path/filepath"
+	"runtime"
+	"runtime/pprof"
+	"sort"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	systemd "github.com/coreos/go-systemd/daemon"
+	"github.com/google/go-cmp/cmp"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/errwrap"
+	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/go-kms-wrapping/entropy/v2"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
+	aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
+	"github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/go-secure-stdlib/gatedwriter"
+	"github.com/hashicorp/go-secure-stdlib/mlock"
+	"github.com/hashicorp/go-secure-stdlib/parseutil"
+	"github.com/hashicorp/go-secure-stdlib/reloadutil"
+	"github.com/hashicorp/vault/audit"
+	config2 "github.com/hashicorp/vault/command/config"
+	"github.com/hashicorp/vault/command/server"
+	"github.com/hashicorp/vault/helper/builtinplugins"
+	"github.com/hashicorp/vault/helper/constants"
+	"github.com/hashicorp/vault/helper/experiments"
+	loghelper "github.com/hashicorp/vault/helper/logging"
+	"github.com/hashicorp/vault/helper/metricsutil"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/helper/testhelpers/teststorage"
+	"github.com/hashicorp/vault/helper/useragent"
+	vaulthttp "github.com/hashicorp/vault/http"
+	"github.com/hashicorp/vault/internalshared/configutil"
+	"github.com/hashicorp/vault/internalshared/listenerutil"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/helper/jsonutil"
+	"github.com/hashicorp/vault/sdk/helper/strutil"
+	"github.com/hashicorp/vault/sdk/helper/testcluster"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/sdk/physical"
+	sr "github.com/hashicorp/vault/serviceregistration"
+	"github.com/hashicorp/vault/vault"
+	"github.com/hashicorp/vault/vault/hcp_link"
+	vaultseal "github.com/hashicorp/vault/vault/seal"
+	"github.com/hashicorp/vault/version"
+	"github.com/mitchellh/go-testing-interface"
+	"github.com/posener/complete"
+	"github.com/sasha-s/go-deadlock"
+	"go.uber.org/atomic"
+	"golang.org/x/net/http/httpproxy"
+	"google.golang.org/grpc/grpclog"
+)
+
+var (
+	_ cli.Command             = (*ServerCommand)(nil)
+	_ cli.CommandAutocomplete = (*ServerCommand)(nil)
+)
+
+var memProfilerEnabled = false
+
+const (
+	storageMigrationLock = "core/migration"
+
+	// Even though there are more types than the ones below, the following consts
+	// are declared internally for value comparison and reusability.
+	storageTypeRaft   = "raft"
+	storageTypeConsul = "consul"
+)
+
+type ServerCommand struct {
+	*BaseCommand
+	logFlags logFlags
+
+	AuditBackends      map[string]audit.Factory
+	CredentialBackends map[string]logical.Factory
+	LogicalBackends    map[string]logical.Factory
+	PhysicalBackends   map[string]physical.Factory
+
+	ServiceRegistrations map[string]sr.Factory
+
+	ShutdownCh chan struct{}
+	SighupCh   chan struct{}
+	SigUSR2Ch  chan struct{}
+
+	WaitGroup *sync.WaitGroup
+
+	logWriter io.Writer
+	logGate   *gatedwriter.Writer
+	logger    hclog.InterceptLogger
+
+	cleanupGuard sync.Once
+
+	reloadFuncsLock   *sync.RWMutex
+	reloadFuncs       *map[string][]reloadutil.ReloadFunc
+	startedCh         chan (struct{}) // for tests
+	reloadedCh        chan (struct{}) // for tests
+	licenseReloadedCh chan (error)    // for tests
+
+	allLoggers []hclog.Logger
+
+	flagConfigs            []string
+	flagRecovery           bool
+	flagExperiments        []string
+	flagDev                bool
+	flagDevTLS             bool
+	flagDevTLSCertDir      string
+	flagDevTLSSANs         []string
+	flagDevRootTokenID     string
+	flagDevListenAddr      string
+	flagDevNoStoreToken    bool
+	flagDevPluginDir       string
+	flagDevPluginInit      bool
+	flagDevHA              bool
+	flagDevLatency         int
+	flagDevLatencyJitter   int
+	flagDevLeasedKV        bool
+	flagDevKVV1            bool
+	flagDevSkipInit        bool
+	flagDevThreeNode       bool
+	flagDevFourCluster     bool
+	flagDevTransactional   bool
+	flagDevAutoSeal        bool
+	flagDevClusterJson     string
+	flagTestVerifyOnly     bool
+	flagTestServerConfig   bool
+	flagDevConsul          bool
+	flagExitOnCoreShutdown bool
+}
+
+func (c *ServerCommand) Synopsis() string {
+	return "Start a Vault server"
+}
+
+func (c *ServerCommand) Help() string {
+	helpText := `
+Usage: vault server [options]
+
+  This command starts a Vault server that responds to API requests. By default,
+  Vault will start in a "sealed" state. The Vault cluster must be initialized
+  before use, usually by the "vault operator init" command. Each Vault server must
+  also be unsealed using the "vault operator unseal" command or the API before the
+  server can respond to requests.
+
+  Start a server with a configuration file:
+
+      $ vault server -config=/etc/vault/config.hcl
+
+  Run in "dev" mode:
+
+      $ vault server -dev -dev-root-token-id="root"
+
+  For a full list of examples, please see the documentation.
+
+` + c.Flags().Help()
+	return strings.TrimSpace(helpText)
+}
+
+func (c *ServerCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP)
+
+	f := set.NewFlagSet("Command Options")
+
+	// Augment with the log flags
+	f.addLogFlags(&c.logFlags)
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   "config",
+		Target: &c.flagConfigs,
+		Completion: complete.PredictOr(
+			complete.PredictFiles("*.hcl"),
+			complete.PredictFiles("*.json"),
+			complete.PredictDirs("*"),
+		),
+		Usage: "Path to a configuration file or directory of configuration " +
+			"files. This flag can be specified multiple times to load multiple " +
+			"configurations. If the path is a directory, all files which end in " +
+			".hcl or .json are loaded.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "exit-on-core-shutdown",
+		Target:  &c.flagExitOnCoreShutdown,
+		Default: false,
+		Usage:   "Exit the vault server if the vault core is shutdown.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:   "recovery",
+		Target: &c.flagRecovery,
+		Usage: "Enable recovery mode. In this mode, Vault is used to perform recovery actions. " +
+			"Using a recovery token, \"sys/raw\" API can be used to manipulate the storage.",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:       "experiment",
+		Target:     &c.flagExperiments,
+		Completion: complete.PredictSet(experiments.ValidExperiments()...),
+		Usage: "Name of an experiment to enable. Experiments should NOT be used in production, and " +
+			"the associated APIs may have backwards incompatible changes between releases. This " +
+			"flag can be specified multiple times to specify multiple experiments. This can also be " +
+			fmt.Sprintf("specified via the %s environment variable as a comma-separated list. ", EnvVaultExperiments) +
+			"Valid experiments are: " + strings.Join(experiments.ValidExperiments(), ", "),
+	})
+
+	f = set.NewFlagSet("Dev Options")
+
+	f.BoolVar(&BoolVar{
+		Name:   "dev",
+		Target: &c.flagDev,
+		Usage: "Enable development mode. In this mode, Vault runs in-memory and " +
+			"starts unsealed. As the name implies, do not run \"dev\" mode in " +
+			"production.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:   "dev-tls",
+		Target: &c.flagDevTLS,
+		Usage: "Enable TLS development mode. In this mode, Vault runs in-memory and " +
+			"starts unsealed, with a generated TLS CA, certificate and key. " +
+			"As the name implies, do not run \"dev-tls\" mode in " +
+			"production.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:    "dev-tls-cert-dir",
+		Target:  &c.flagDevTLSCertDir,
+		Default: "",
+		Usage: "Directory where generated TLS files are created if `-dev-tls` is " +
+			"specified. If left unset, files are generated in a temporary directory.",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:    "dev-tls-san",
+		Target:  &c.flagDevTLSSANs,
+		Default: nil,
+		Usage: "Additional Subject Alternative Name (as a DNS name or IP address) " +
+			"to generate the certificate with if `-dev-tls` is specified. The " +
+			"certificate will always use localhost, localhost4, localhost6, " +
+			"localhost.localdomain, and the host name as alternate DNS names, " +
+			"and 127.0.0.1 as an alternate IP address. This flag can be specified " +
+			"multiple times to specify multiple SANs.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:    "dev-root-token-id",
+		Target:  &c.flagDevRootTokenID,
+		Default: "",
+		EnvVar:  "VAULT_DEV_ROOT_TOKEN_ID",
+		Usage: "Initial root token. This only applies when running in \"dev\" " +
+			"mode.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:    "dev-listen-address",
+		Target:  &c.flagDevListenAddr,
+		Default: "127.0.0.1:8200",
+		EnvVar:  "VAULT_DEV_LISTEN_ADDRESS",
+		Usage:   "Address to bind to in \"dev\" mode.",
+	})
+	f.BoolVar(&BoolVar{
+		Name:    "dev-no-store-token",
+		Target:  &c.flagDevNoStoreToken,
+		Default: false,
+		Usage: "Do not persist the dev root token to the token helper " +
+			"(usually the local filesystem) for use in future requests. " +
+			"The token will only be displayed in the command output.",
+	})
+
+	// Internal-only flags to follow.
+	//
+	// Why hello there little source code reader! Welcome to the Vault source
+	// code. The remaining options are intentionally undocumented and come with
+	// no warranty or backwards-compatibility promise. Do not use these flags
+	// in production. Do not build automation using these flags. Unless you are
+	// developing against Vault, you should not need any of these flags.
+
+	f.StringVar(&StringVar{
+		Name:       "dev-plugin-dir",
+		Target:     &c.flagDevPluginDir,
+		Default:    "",
+		Completion: complete.PredictDirs("*"),
+		Hidden:     true,
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "dev-plugin-init",
+		Target:  &c.flagDevPluginInit,
+		Default: true,
+		Hidden:  true,
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "dev-ha",
+		Target:  &c.flagDevHA,
+		Default: false,
+		Hidden:  true,
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "dev-transactional",
+		Target:  &c.flagDevTransactional,
+		Default: false,
+		Hidden:  true,
+	})
+
+	f.IntVar(&IntVar{
+		Name:   "dev-latency",
+		Target: &c.flagDevLatency,
+		Hidden: true,
+	})
+
+	f.IntVar(&IntVar{
+		Name:   "dev-latency-jitter",
+		Target: &c.flagDevLatencyJitter,
+		Hidden: true,
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "dev-leased-kv",
+		Target:  &c.flagDevLeasedKV,
+		Default: false,
+		Hidden:  true,
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "dev-kv-v1",
+		Target:  &c.flagDevKVV1,
+		Default: false,
+		Hidden:  true,
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "dev-auto-seal",
+		Target:  &c.flagDevAutoSeal,
+		Default: false,
+		Hidden:  true,
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "dev-skip-init",
+		Target:  &c.flagDevSkipInit,
+		Default: false,
+		Hidden:  true,
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "dev-three-node",
+		Target:  &c.flagDevThreeNode,
+		Default: false,
+		Hidden:  true,
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "dev-four-cluster",
+		Target:  &c.flagDevFourCluster,
+		Default: false,
+		Hidden:  true,
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "dev-consul",
+		Target:  &c.flagDevConsul,
+		Default: false,
+		Hidden:  true,
+	})
+
+	f.StringVar(&StringVar{
+		Name:   "dev-cluster-json",
+		Target: &c.flagDevClusterJson,
+		Usage:  "File to write cluster definition to",
+	})
+
+	// TODO: should the below flags be public?
+	f.BoolVar(&BoolVar{
+		Name:    "test-verify-only",
+		Target:  &c.flagTestVerifyOnly,
+		Default: false,
+		Hidden:  true,
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "test-server-config",
+		Target:  &c.flagTestServerConfig,
+		Default: false,
+		Hidden:  true,
+	})
+
+	// End internal-only flags.
+
+	return set
+}
+
+func (c *ServerCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictNothing
+}
+
+func (c *ServerCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *ServerCommand) flushLog() {
+	c.logger.(hclog.OutputResettable).ResetOutputWithFlush(&hclog.LoggerOptions{
+		Output: c.logWriter,
+	}, c.logGate)
+}
+
+func (c *ServerCommand) parseConfig() (*server.Config, []configutil.ConfigError, error) {
+	var configErrors []configutil.ConfigError
+	// Load the configuration
+	var config *server.Config
+	for _, path := range c.flagConfigs {
+		current, err := server.LoadConfig(path)
+		if err != nil {
+			return nil, nil, fmt.Errorf("error loading configuration from %s: %w", path, err)
+		}
+
+		configErrors = append(configErrors, current.Validate(path)...)
+
+		if config == nil {
+			config = current
+		} else {
+			config = config.Merge(current)
+		}
+	}
+
+	if config != nil && config.Entropy != nil && config.Entropy.Mode == configutil.EntropyAugmentation && constants.IsFIPS() {
+		c.UI.Warn("WARNING: Entropy Augmentation is not supported in FIPS 140-2 Inside mode; disabling from server configuration!\n")
+		config.Entropy = nil
+	}
+
+	return config, configErrors, nil
+}
+
+func (c *ServerCommand) runRecoveryMode() int {
+	config, configErrors, err := c.parseConfig()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	// Ensure at least one config was found.
+	if config == nil {
+		c.UI.Output(wrapAtLength(
+			"No configuration files found. Please provide configurations with the " +
+				"-config flag. If you are supplying the path to a directory, please " +
+				"ensure the directory contains files with the .hcl or .json " +
+				"extension."))
+		return 1
+	}
+
+	// Update the 'log' related aspects of shared config based on config/env var/cli
+	c.flags.applyLogConfigOverrides(config.SharedConfig)
+	l, err := c.configureLogging(config)
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+	c.logger = l
+	c.allLoggers = append(c.allLoggers, l)
+
+	// reporting Errors found in the config
+	for _, cErr := range configErrors {
+		c.logger.Warn(cErr.String())
+	}
+
+	// Ensure logging is flushed if initialization fails
+	defer c.flushLog()
+
+	// create GRPC logger
+	namedGRPCLogFaker := c.logger.Named("grpclogfaker")
+	grpclog.SetLogger(&grpclogFaker{
+		logger: namedGRPCLogFaker,
+		log:    os.Getenv("VAULT_GRPC_LOGGING") != "",
+	})
+
+	if config.Storage == nil {
+		c.UI.Output("A storage backend must be specified")
+		return 1
+	}
+
+	if config.DefaultMaxRequestDuration != 0 {
+		vault.DefaultMaxRequestDuration = config.DefaultMaxRequestDuration
+	}
+
+	logProxyEnvironmentVariables(c.logger)
+
+	// Initialize the storage backend
+	factory, exists := c.PhysicalBackends[config.Storage.Type]
+	if !exists {
+		c.UI.Error(fmt.Sprintf("Unknown storage type %s", config.Storage.Type))
+		return 1
+	}
+	if config.Storage.Type == storageTypeRaft || (config.HAStorage != nil && config.HAStorage.Type == storageTypeRaft) {
+		if envCA := os.Getenv("VAULT_CLUSTER_ADDR"); envCA != "" {
+			config.ClusterAddr = envCA
+		}
+
+		if len(config.ClusterAddr) == 0 {
+			c.UI.Error("Cluster address must be set when using raft storage")
+			return 1
+		}
+	}
+
+	namedStorageLogger := c.logger.Named("storage." + config.Storage.Type)
+	backend, err := factory(config.Storage.Config, namedStorageLogger)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error initializing storage of type %s: %s", config.Storage.Type, err))
+		return 1
+	}
+
+	infoKeys := make([]string, 0, 10)
+	info := make(map[string]string)
+	info["log level"] = config.LogLevel
+	infoKeys = append(infoKeys, "log level")
+
+	var barrierSeal vault.Seal
+	var sealConfigError error
+
+	if len(config.Seals) == 0 {
+		config.Seals = append(config.Seals, &configutil.KMS{Type: wrapping.WrapperTypeShamir.String()})
+	}
+
+	if len(config.Seals) > 1 {
+		c.UI.Error("Only one seal block is accepted in recovery mode")
+		return 1
+	}
+
+	ctx := context.Background()
+	existingSealGenerationInfo, err := vault.PhysicalSealGenInfo(ctx, backend)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error getting seal generation info: %v", err))
+		return 1
+	}
+
+	hasPartialPaths, err := hasPartiallyWrappedPaths(ctx, backend)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Cannot determine if there are partially seal wrapped entries in storage: %v", err))
+		return 1
+	}
+	setSealResponse, err := setSeal(c, config, infoKeys, info, existingSealGenerationInfo, hasPartialPaths)
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+	if setSealResponse.barrierSeal == nil {
+		c.UI.Error(fmt.Sprintf("Error setting up seal: %v", setSealResponse.sealConfigError))
+		return 1
+	}
+	barrierSeal = setSealResponse.barrierSeal
+
+	// Ensure that the seal finalizer is called, even if using verify-only
+	defer func() {
+		err = barrierSeal.Finalize(ctx)
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error finalizing seals: %v", err))
+		}
+	}()
+
+	coreConfig := &vault.CoreConfig{
+		Physical:     backend,
+		StorageType:  config.Storage.Type,
+		Seal:         barrierSeal,
+		LogLevel:     config.LogLevel,
+		Logger:       c.logger,
+		DisableMlock: config.DisableMlock,
+		RecoveryMode: c.flagRecovery,
+		ClusterAddr:  config.ClusterAddr,
+	}
+
+	core, newCoreError := vault.NewCore(coreConfig)
+	if newCoreError != nil {
+		if vault.IsFatalError(newCoreError) {
+			c.UI.Error(fmt.Sprintf("Error initializing core: %s", newCoreError))
+			return 1
+		}
+	}
+
+	if err := core.InitializeRecovery(ctx); err != nil {
+		c.UI.Error(fmt.Sprintf("Error initializing core in recovery mode: %s", err))
+		return 1
+	}
+
+	// Compile server information for output later
+	infoKeys = append(infoKeys, "storage")
+	info["storage"] = config.Storage.Type
+
+	if coreConfig.ClusterAddr != "" {
+		info["cluster address"] = coreConfig.ClusterAddr
+		infoKeys = append(infoKeys, "cluster address")
+	}
+
+	// Initialize the listeners
+	lns := make([]listenerutil.Listener, 0, len(config.Listeners))
+	for _, lnConfig := range config.Listeners {
+		ln, _, _, err := server.NewListener(lnConfig, c.logGate, c.UI)
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error initializing listener of type %s: %s", lnConfig.Type, err))
+			return 1
+		}
+
+		lns = append(lns, listenerutil.Listener{
+			Listener: ln,
+			Config:   lnConfig,
+		})
+	}
+
+	listenerCloseFunc := func() {
+		for _, ln := range lns {
+			ln.Listener.Close()
+		}
+	}
+
+	defer c.cleanupGuard.Do(listenerCloseFunc)
+
+	infoKeys = append(infoKeys, "version")
+	verInfo := version.GetVersion()
+	info["version"] = verInfo.FullVersionNumber(false)
+
+	if verInfo.Revision != "" {
+		info["version sha"] = strings.Trim(verInfo.Revision, "'")
+		infoKeys = append(infoKeys, "version sha")
+	}
+
+	infoKeys = append(infoKeys, "recovery mode")
+	info["recovery mode"] = "true"
+
+	infoKeys = append(infoKeys, "go version")
+	info["go version"] = runtime.Version()
+
+	fipsStatus := entGetFIPSInfoKey()
+	if fipsStatus != "" {
+		infoKeys = append(infoKeys, "fips")
+		info["fips"] = fipsStatus
+	}
+
+	// Server configuration output
+	padding := 24
+
+	sort.Strings(infoKeys)
+	c.UI.Output("==> Vault server configuration:\n")
+
+	for _, k := range infoKeys {
+		c.UI.Output(fmt.Sprintf(
+			"%s%s: %s",
+			strings.Repeat(" ", padding-len(k)),
+			strings.Title(k),
+			info[k]))
+	}
+
+	c.UI.Output("")
+
+	// Tests might not want to start a vault server and just want to verify
+	// the configuration.
+	if c.flagTestVerifyOnly {
+		return 0
+	}
+
+	for _, ln := range lns {
+		handler := vaulthttp.Handler.Handler(&vault.HandlerProperties{
+			Core:                  core,
+			ListenerConfig:        ln.Config,
+			DisablePrintableCheck: config.DisablePrintableCheck,
+			RecoveryMode:          c.flagRecovery,
+			RecoveryToken:         atomic.NewString(""),
+		})
+
+		server := &http.Server{
+			Handler:           handler,
+			ReadHeaderTimeout: 10 * time.Second,
+			ReadTimeout:       30 * time.Second,
+			IdleTimeout:       5 * time.Minute,
+			ErrorLog:          c.logger.StandardLogger(nil),
+		}
+
+		go server.Serve(ln.Listener)
+	}
+
+	if sealConfigError != nil {
+		init, err := core.InitializedLocally(ctx)
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error checking if core is initialized: %v", err))
+			return 1
+		}
+		if init {
+			c.UI.Error("Vault is initialized but no Seal key could be loaded")
+			return 1
+		}
+	}
+
+	if newCoreError != nil {
+		c.UI.Warn(wrapAtLength(
+			"WARNING! A non-fatal error occurred during initialization. Please " +
+				"check the logs for more information."))
+		c.UI.Warn("")
+	}
+
+	if !c.logFlags.flagCombineLogs {
+		c.UI.Output("==> Vault server started! Log data will stream in below:\n")
+	}
+
+	c.flushLog()
+
+	for {
+		select {
+		case <-c.ShutdownCh:
+			c.UI.Output("==> Vault shutdown triggered")
+
+			c.cleanupGuard.Do(listenerCloseFunc)
+
+			if err := core.Shutdown(); err != nil {
+				c.UI.Error(fmt.Sprintf("Error with core shutdown: %s", err))
+			}
+
+			return 0
+
+		case <-c.SigUSR2Ch:
+			buf := make([]byte, 32*1024*1024)
+			n := runtime.Stack(buf[:], true)
+			c.logger.Info("goroutine trace", "stack", string(buf[:n]))
+		}
+	}
+}
+
+func logProxyEnvironmentVariables(logger hclog.Logger) {
+	proxyCfg := httpproxy.FromEnvironment()
+	cfgMap := map[string]string{
+		"http_proxy":  proxyCfg.HTTPProxy,
+		"https_proxy": proxyCfg.HTTPSProxy,
+		"no_proxy":    proxyCfg.NoProxy,
+	}
+	for k, v := range cfgMap {
+		u, err := url.Parse(v)
+		if err != nil {
+			// Env vars may contain URLs or host:port values.  We only care
+			// about the former.
+			continue
+		}
+		if _, ok := u.User.Password(); ok {
+			u.User = url.UserPassword("redacted-username", "redacted-password")
+		} else if user := u.User.Username(); user != "" {
+			u.User = url.User("redacted-username")
+		}
+		cfgMap[k] = u.String()
+	}
+	logger.Info("proxy environment", "http_proxy", cfgMap["http_proxy"],
+		"https_proxy", cfgMap["https_proxy"], "no_proxy", cfgMap["no_proxy"])
+}
+
+type quiescenceSink struct {
+	t *time.Timer
+}
+
+func (q quiescenceSink) Accept(name string, level hclog.Level, msg string, args ...interface{}) {
+	q.t.Reset(100 * time.Millisecond)
+}
+
+func (c *ServerCommand) setupStorage(config *server.Config) (physical.Backend, error) {
+	// Ensure that a backend is provided
+	if config.Storage == nil {
+		return nil, errors.New("A storage backend must be specified")
+	}
+
+	// Initialize the backend
+	factory, exists := c.PhysicalBackends[config.Storage.Type]
+	if !exists {
+		return nil, fmt.Errorf("Unknown storage type %s", config.Storage.Type)
+	}
+
+	// Do any custom configuration needed per backend
+	switch config.Storage.Type {
+	case storageTypeConsul:
+		if config.ServiceRegistration == nil {
+			// If Consul is configured for storage and service registration is unconfigured,
+			// use Consul for service registration without requiring additional configuration.
+			// This maintains backward-compatibility.
+			config.ServiceRegistration = &server.ServiceRegistration{
+				Type:   "consul",
+				Config: config.Storage.Config,
+			}
+		}
+	case storageTypeRaft:
+		if envCA := os.Getenv("VAULT_CLUSTER_ADDR"); envCA != "" {
+			config.ClusterAddr = envCA
+		}
+		if len(config.ClusterAddr) == 0 {
+			return nil, errors.New("Cluster address must be set when using raft storage")
+		}
+	}
+
+	namedStorageLogger := c.logger.Named("storage." + config.Storage.Type)
+	c.allLoggers = append(c.allLoggers, namedStorageLogger)
+	backend, err := factory(config.Storage.Config, namedStorageLogger)
+	if err != nil {
+		return nil, fmt.Errorf("Error initializing storage of type %s: %w", config.Storage.Type, err)
+	}
+
+	return backend, nil
+}
+
+func beginServiceRegistration(c *ServerCommand, config *server.Config) (sr.ServiceRegistration, error) {
+	sdFactory, ok := c.ServiceRegistrations[config.ServiceRegistration.Type]
+	if !ok {
+		return nil, fmt.Errorf("Unknown service_registration type %s", config.ServiceRegistration.Type)
+	}
+
+	namedSDLogger := c.logger.Named("service_registration." + config.ServiceRegistration.Type)
+	c.allLoggers = append(c.allLoggers, namedSDLogger)
+
+	// Since we haven't even begun starting Vault's core yet,
+	// we know that Vault is in its pre-running state.
+	state := sr.State{
+		VaultVersion:         version.GetVersion().VersionNumber(),
+		IsInitialized:        false,
+		IsSealed:             true,
+		IsActive:             false,
+		IsPerformanceStandby: false,
+	}
+	var err error
+	configSR, err := sdFactory(config.ServiceRegistration.Config, namedSDLogger, state)
+	if err != nil {
+		return nil, fmt.Errorf("Error initializing service_registration of type %s: %s", config.ServiceRegistration.Type, err)
+	}
+
+	return configSR, nil
+}
+
+// InitListeners returns a response code, error message, Listeners, and a TCP Address list.
+func (c *ServerCommand) InitListeners(config *server.Config, disableClustering bool, infoKeys *[]string, info *map[string]string) (int, []listenerutil.Listener, []*net.TCPAddr, error) {
+	clusterAddrs := []*net.TCPAddr{}
+
+	// Initialize the listeners
+	lns := make([]listenerutil.Listener, 0, len(config.Listeners))
+
+	c.reloadFuncsLock.Lock()
+
+	defer c.reloadFuncsLock.Unlock()
+
+	var errMsg error
+	for i, lnConfig := range config.Listeners {
+		ln, props, reloadFunc, err := server.NewListener(lnConfig, c.logGate, c.UI)
+		if err != nil {
+			errMsg = fmt.Errorf("Error initializing listener of type %s: %s", lnConfig.Type, err)
+			return 1, nil, nil, errMsg
+		}
+
+		if reloadFunc != nil {
+			relSlice := (*c.reloadFuncs)[fmt.Sprintf("listener|%s", lnConfig.Type)]
+			relSlice = append(relSlice, reloadFunc)
+			(*c.reloadFuncs)[fmt.Sprintf("listener|%s", lnConfig.Type)] = relSlice
+		}
+
+		if !disableClustering && lnConfig.Type == "tcp" {
+			addr := lnConfig.ClusterAddress
+			if addr != "" {
+				tcpAddr, err := net.ResolveTCPAddr("tcp", lnConfig.ClusterAddress)
+				if err != nil {
+					errMsg = fmt.Errorf("Error resolving cluster_address: %s", err)
+					return 1, nil, nil, errMsg
+				}
+				clusterAddrs = append(clusterAddrs, tcpAddr)
+			} else {
+				tcpAddr, ok := ln.Addr().(*net.TCPAddr)
+				if !ok {
+					errMsg = fmt.Errorf("Failed to parse tcp listener")
+					return 1, nil, nil, errMsg
+				}
+				clusterAddr := &net.TCPAddr{
+					IP:   tcpAddr.IP,
+					Port: tcpAddr.Port + 1,
+				}
+				clusterAddrs = append(clusterAddrs, clusterAddr)
+				addr = clusterAddr.String()
+			}
+			props["cluster address"] = addr
+		}
+
+		if lnConfig.MaxRequestSize == 0 {
+			lnConfig.MaxRequestSize = vaulthttp.DefaultMaxRequestSize
+		}
+		props["max_request_size"] = fmt.Sprintf("%d", lnConfig.MaxRequestSize)
+
+		if lnConfig.MaxRequestDuration == 0 {
+			lnConfig.MaxRequestDuration = vault.DefaultMaxRequestDuration
+		}
+		props["max_request_duration"] = lnConfig.MaxRequestDuration.String()
+
+		if lnConfig.ChrootNamespace != "" {
+			props["chroot_namespace"] = lnConfig.ChrootNamespace
+		}
+
+		lns = append(lns, listenerutil.Listener{
+			Listener: ln,
+			Config:   lnConfig,
+		})
+
+		// Store the listener props for output later
+		key := fmt.Sprintf("listener %d", i+1)
+		propsList := make([]string, 0, len(props))
+		for k, v := range props {
+			propsList = append(propsList, fmt.Sprintf(
+				"%s: %q", k, v))
+		}
+		sort.Strings(propsList)
+		*infoKeys = append(*infoKeys, key)
+		(*info)[key] = fmt.Sprintf(
+			"%s (%s)", lnConfig.Type, strings.Join(propsList, ", "))
+
+	}
+	if !disableClustering {
+		if c.logger.IsDebug() {
+			c.logger.Debug("cluster listener addresses synthesized", "cluster_addresses", clusterAddrs)
+		}
+	}
+	return 0, lns, clusterAddrs, nil
+}
+
+func configureDevTLS(c *ServerCommand) (func(), *server.Config, string, error) {
+	var devStorageType string
+
+	switch {
+	case c.flagDevConsul:
+		devStorageType = "consul"
+	case c.flagDevHA && c.flagDevTransactional:
+		devStorageType = "inmem_transactional_ha"
+	case !c.flagDevHA && c.flagDevTransactional:
+		devStorageType = "inmem_transactional"
+	case c.flagDevHA && !c.flagDevTransactional:
+		devStorageType = "inmem_ha"
+	default:
+		devStorageType = "inmem"
+	}
+
+	var certDir string
+	var err error
+	var config *server.Config
+	var f func()
+
+	if c.flagDevTLS {
+		if c.flagDevTLSCertDir != "" {
+			if _, err = os.Stat(c.flagDevTLSCertDir); err != nil {
+				return nil, nil, "", err
+			}
+
+			certDir = c.flagDevTLSCertDir
+		} else {
+			if certDir, err = os.MkdirTemp("", "vault-tls"); err != nil {
+				return nil, nil, certDir, err
+			}
+		}
+		extraSANs := c.flagDevTLSSANs
+		host, _, err := net.SplitHostPort(c.flagDevListenAddr)
+		if err == nil {
+			// 127.0.0.1 is the default, and already included in the SANs.
+			// Empty host means listen on all interfaces, but users should use the
+			// -dev-tls-san flag to get the right SANs in that case.
+			if host != "" && host != "127.0.0.1" {
+				extraSANs = append(extraSANs, host)
+			}
+		}
+		config, err = server.DevTLSConfig(devStorageType, certDir, extraSANs)
+
+		f = func() {
+			if err := os.Remove(fmt.Sprintf("%s/%s", certDir, server.VaultDevCAFilename)); err != nil {
+				c.UI.Error(err.Error())
+			}
+
+			if err := os.Remove(fmt.Sprintf("%s/%s", certDir, server.VaultDevCertFilename)); err != nil {
+				c.UI.Error(err.Error())
+			}
+
+			if err := os.Remove(fmt.Sprintf("%s/%s", certDir, server.VaultDevKeyFilename)); err != nil {
+				c.UI.Error(err.Error())
+			}
+
+			// Only delete temp directories we made.
+			if c.flagDevTLSCertDir == "" {
+				if err := os.Remove(certDir); err != nil {
+					c.UI.Error(err.Error())
+				}
+			}
+		}
+
+	} else {
+		config, err = server.DevConfig(devStorageType)
+	}
+
+	return f, config, certDir, err
+}
+
+func (c *ServerCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	// Don't exit just because we saw a potential deadlock.
+	deadlock.Opts.OnPotentialDeadlock = func() {}
+
+	c.logGate = gatedwriter.NewWriter(os.Stderr)
+	c.logWriter = c.logGate
+
+	if c.logFlags.flagCombineLogs {
+		c.logWriter = os.Stdout
+	}
+
+	if c.flagRecovery {
+		return c.runRecoveryMode()
+	}
+
+	// Automatically enable dev mode if other dev flags are provided.
+	if c.flagDevConsul || c.flagDevHA || c.flagDevTransactional || c.flagDevLeasedKV || c.flagDevThreeNode || c.flagDevFourCluster || c.flagDevAutoSeal || c.flagDevKVV1 || c.flagDevTLS {
+		c.flagDev = true
+	}
+
+	// Validation
+	if !c.flagDev {
+		switch {
+		case len(c.flagConfigs) == 0:
+			c.UI.Error("Must specify at least one config path using -config")
+			return 1
+		case c.flagDevRootTokenID != "":
+			c.UI.Warn(wrapAtLength(
+				"You cannot specify a custom root token ID outside of \"dev\" mode. " +
+					"Your request has been ignored."))
+			c.flagDevRootTokenID = ""
+		}
+	}
+
+	// Load the configuration
+	var config *server.Config
+	var certDir string
+	if c.flagDev {
+		df, cfg, dir, err := configureDevTLS(c)
+		if df != nil {
+			defer df()
+		}
+
+		if err != nil {
+			c.UI.Error(err.Error())
+			return 1
+		}
+
+		config = cfg
+		certDir = dir
+
+		if c.flagDevListenAddr != "" {
+			config.Listeners[0].Address = c.flagDevListenAddr
+		}
+		config.Listeners[0].Telemetry.UnauthenticatedMetricsAccess = true
+	}
+
+	parsedConfig, configErrors, err := c.parseConfig()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+	if config == nil {
+		config = parsedConfig
+	} else {
+		config = config.Merge(parsedConfig)
+	}
+
+	// Ensure at least one config was found.
+	if config == nil {
+		c.UI.Output(wrapAtLength(
+			"No configuration files found. Please provide configurations with the " +
+				"-config flag. If you are supplying the path to a directory, please " +
+				"ensure the directory contains files with the .hcl or .json " +
+				"extension."))
+		return 1
+	}
+
+	f.applyLogConfigOverrides(config.SharedConfig)
+
+	// Set 'trace' log level for the following 'dev' clusters
+	if c.flagDevThreeNode || c.flagDevFourCluster {
+		config.LogLevel = "trace"
+	}
+
+	l, err := c.configureLogging(config)
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+	c.logger = l
+	c.allLoggers = append(c.allLoggers, l)
+
+	// reporting Errors found in the config
+	for _, cErr := range configErrors {
+		c.logger.Warn(cErr.String())
+	}
+
+	// Ensure logging is flushed if initialization fails
+	defer c.flushLog()
+
+	// create GRPC logger
+	namedGRPCLogFaker := c.logger.Named("grpclogfaker")
+	c.allLoggers = append(c.allLoggers, namedGRPCLogFaker)
+	grpclog.SetLogger(&grpclogFaker{
+		logger: namedGRPCLogFaker,
+		log:    os.Getenv("VAULT_GRPC_LOGGING") != "",
+	})
+
+	if memProfilerEnabled {
+		c.startMemProfiler()
+	}
+
+	if config.DefaultMaxRequestDuration != 0 {
+		vault.DefaultMaxRequestDuration = config.DefaultMaxRequestDuration
+	}
+
+	logProxyEnvironmentVariables(c.logger)
+
+	if envMlock := os.Getenv("VAULT_DISABLE_MLOCK"); envMlock != "" {
+		var err error
+		config.DisableMlock, err = strconv.ParseBool(envMlock)
+		if err != nil {
+			c.UI.Output("Error parsing the environment variable VAULT_DISABLE_MLOCK")
+			return 1
+		}
+	}
+
+	if envLicensePath := os.Getenv(EnvVaultLicensePath); envLicensePath != "" {
+		config.LicensePath = envLicensePath
+	}
+	if envLicense := os.Getenv(EnvVaultLicense); envLicense != "" {
+		config.License = envLicense
+	}
+
+	if err := server.ExperimentsFromEnvAndCLI(config, EnvVaultExperiments, c.flagExperiments); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	for _, experiment := range config.Experiments {
+		if experiments.IsUnused(experiment) {
+			c.UI.Warn(fmt.Sprintf("WARNING! Experiment %s is no longer used", experiment))
+		}
+	}
+
+	// If mlockall(2) isn't supported, show a warning. We disable this in dev
+	// because it is quite scary to see when first using Vault. We also disable
+	// this if the user has explicitly disabled mlock in configuration.
+	if !c.flagDev && !config.DisableMlock && !mlock.Supported() {
+		c.UI.Warn(wrapAtLength(
+			"WARNING! mlock is not supported on this system! An mlockall(2)-like " +
+				"syscall to prevent memory from being swapped to disk is not " +
+				"supported on this system. For better security, only run Vault on " +
+				"systems where this call is supported. If you are running Vault " +
+				"in a Docker container, provide the IPC_LOCK cap to the container."))
+	}
+
+	inmemMetrics, metricSink, prometheusEnabled, err := configutil.SetupTelemetry(&configutil.SetupTelemetryOpts{
+		Config:      config.Telemetry,
+		Ui:          c.UI,
+		ServiceName: "vault",
+		DisplayName: "Vault",
+		UserAgent:   useragent.String(),
+		ClusterName: config.ClusterName,
+	})
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error initializing telemetry: %s", err))
+		return 1
+	}
+	metricsHelper := metricsutil.NewMetricsHelper(inmemMetrics, prometheusEnabled)
+
+	// Initialize the storage backend
+	var backend physical.Backend
+	if !c.flagDev || config.Storage != nil {
+		backend, err = c.setupStorage(config)
+		if err != nil {
+			c.UI.Error(err.Error())
+			return 1
+		}
+		// Prevent server startup if migration is active
+		// TODO: Use OpenTelemetry to integrate this into Diagnose
+		if c.storageMigrationActive(backend) {
+			return 1
+		}
+	}
+
+	// Initialize the Service Discovery, if there is one
+	var configSR sr.ServiceRegistration
+	if config.ServiceRegistration != nil {
+		configSR, err = beginServiceRegistration(c, config)
+		if err != nil {
+			c.UI.Output(err.Error())
+			return 1
+		}
+	}
+
+	infoKeys := make([]string, 0, 10)
+	info := make(map[string]string)
+	info["log level"] = config.LogLevel
+	infoKeys = append(infoKeys, "log level")
+
+	// returns a slice of env vars formatted as "key=value"
+	envVars := os.Environ()
+	var envVarKeys []string
+	for _, v := range envVars {
+		splitEnvVars := strings.Split(v, "=")
+		envVarKeys = append(envVarKeys, splitEnvVars[0])
+	}
+
+	sort.Strings(envVarKeys)
+
+	key := "environment variables"
+	info[key] = strings.Join(envVarKeys, ", ")
+	infoKeys = append(infoKeys, key)
+
+	if len(config.Experiments) != 0 {
+		expKey := "experiments"
+		info[expKey] = strings.Join(config.Experiments, ", ")
+		infoKeys = append(infoKeys, expKey)
+	}
+
+	ctx := context.Background()
+
+	setSealResponse, secureRandomReader, err := c.configureSeals(ctx, config, backend, infoKeys, info)
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	currentSeals := setSealResponse.getCreatedSeals()
+	defer c.finalizeSeals(ctx, &currentSeals)
+
+	coreConfig := createCoreConfig(c, config, backend, configSR, setSealResponse.barrierSeal, setSealResponse.unwrapSeal, metricsHelper, metricSink, secureRandomReader)
+	if c.flagDevThreeNode {
+		return c.enableThreeNodeDevCluster(&coreConfig, info, infoKeys, c.flagDevListenAddr, os.Getenv("VAULT_DEV_TEMP_DIR"))
+	}
+
+	if c.flagDevFourCluster {
+		return entEnableFourClusterDev(c, &coreConfig, info, infoKeys, os.Getenv("VAULT_DEV_TEMP_DIR"))
+	}
+
+	if allowPendingRemoval := os.Getenv(consts.EnvVaultAllowPendingRemovalMounts); allowPendingRemoval != "" {
+		var err error
+		coreConfig.PendingRemovalMountsAllowed, err = strconv.ParseBool(allowPendingRemoval)
+		if err != nil {
+			c.UI.Warn(wrapAtLength("WARNING! failed to parse " +
+				consts.EnvVaultAllowPendingRemovalMounts + " env var: " +
+				"defaulting to false."))
+		}
+	}
+
+	// Initialize the separate HA storage backend, if it exists
+	disableClustering, err := initHaBackend(c, config, &coreConfig, backend)
+	if err != nil {
+		c.UI.Output(err.Error())
+		return 1
+	}
+
+	// Determine the redirect address from environment variables
+	err = determineRedirectAddr(c, &coreConfig, config)
+	if err != nil {
+		c.UI.Output(err.Error())
+	}
+
+	// After the redirect bits are sorted out, if no cluster address was
+	// explicitly given, derive one from the redirect addr
+	err = findClusterAddress(c, &coreConfig, config, disableClustering)
+	if err != nil {
+		c.UI.Output(err.Error())
+		return 1
+	}
+
+	// Override the UI enabling config by the environment variable
+	if enableUI := os.Getenv("VAULT_UI"); enableUI != "" {
+		var err error
+		coreConfig.EnableUI, err = strconv.ParseBool(enableUI)
+		if err != nil {
+			c.UI.Output("Error parsing the environment variable VAULT_UI")
+			return 1
+		}
+	}
+
+	// If ServiceRegistration is configured, then the backend must support HA
+	isBackendHA := coreConfig.HAPhysical != nil && coreConfig.HAPhysical.HAEnabled()
+	if !c.flagDev && (coreConfig.GetServiceRegistration() != nil) && !isBackendHA {
+		c.UI.Output("service_registration is configured, but storage does not support HA")
+		return 1
+	}
+
+	// Apply any enterprise configuration onto the coreConfig.
+	entAdjustCoreConfig(config, &coreConfig)
+
+	if !entCheckStorageType(&coreConfig) {
+		c.UI.Warn("")
+		c.UI.Warn(wrapAtLength(fmt.Sprintf("WARNING: storage configured to use %q which is not supported for Vault Enterprise, must be \"raft\" or \"consul\"", coreConfig.StorageType)))
+		c.UI.Warn("")
+	}
+
+	if !c.flagDev {
+		inMemStorageTypes := []string{
+			"inmem", "inmem_ha", "inmem_transactional", "inmem_transactional_ha",
+		}
+
+		if strutil.StrListContains(inMemStorageTypes, coreConfig.StorageType) {
+			c.UI.Warn("")
+			c.UI.Warn(wrapAtLength(fmt.Sprintf("WARNING: storage configured to use %q which should NOT be used in production", coreConfig.StorageType)))
+			c.UI.Warn("")
+		}
+	}
+
+	// Initialize the core
+	core, newCoreError := vault.NewCore(&coreConfig)
+	if newCoreError != nil {
+		if vault.IsFatalError(newCoreError) {
+			c.UI.Error(fmt.Sprintf("Error initializing core: %s", newCoreError))
+			return 1
+		}
+		c.UI.Warn(wrapAtLength(
+			"WARNING! A non-fatal error occurred during initialization. Please " +
+				"check the logs for more information."))
+		c.UI.Warn("")
+
+	}
+
+	// Copy the reload funcs pointers back
+	c.reloadFuncs = coreConfig.ReloadFuncs
+	c.reloadFuncsLock = coreConfig.ReloadFuncsLock
+
+	// Compile server information for output later
+	info["storage"] = config.Storage.Type
+	info["mlock"] = fmt.Sprintf(
+		"supported: %v, enabled: %v",
+		mlock.Supported(), !config.DisableMlock && mlock.Supported())
+	infoKeys = append(infoKeys, "mlock", "storage")
+
+	if coreConfig.ClusterAddr != "" {
+		info["cluster address"] = coreConfig.ClusterAddr
+		infoKeys = append(infoKeys, "cluster address")
+	}
+	if coreConfig.RedirectAddr != "" {
+		info["api address"] = coreConfig.RedirectAddr
+		infoKeys = append(infoKeys, "api address")
+	}
+
+	if config.HAStorage != nil {
+		info["HA storage"] = config.HAStorage.Type
+		infoKeys = append(infoKeys, "HA storage")
+	} else {
+		// If the storage supports HA, then note it
+		if coreConfig.HAPhysical != nil {
+			if coreConfig.HAPhysical.HAEnabled() {
+				info["storage"] += " (HA available)"
+			} else {
+				info["storage"] += " (HA disabled)"
+			}
+		}
+	}
+
+	status, lns, clusterAddrs, errMsg := c.InitListeners(config, disableClustering, &infoKeys, &info)
+
+	if status != 0 {
+		c.UI.Output("Error parsing listener configuration.")
+		c.UI.Error(errMsg.Error())
+		return 1
+	}
+
+	// Make sure we close all listeners from this point on
+	listenerCloseFunc := func() {
+		for _, ln := range lns {
+			ln.Listener.Close()
+		}
+	}
+
+	defer c.cleanupGuard.Do(listenerCloseFunc)
+
+	infoKeys = append(infoKeys, "version")
+	verInfo := version.GetVersion()
+	info["version"] = verInfo.FullVersionNumber(false)
+	if verInfo.Revision != "" {
+		info["version sha"] = strings.Trim(verInfo.Revision, "'")
+		infoKeys = append(infoKeys, "version sha")
+	}
+
+	infoKeys = append(infoKeys, "cgo")
+	info["cgo"] = "disabled"
+	if version.CgoEnabled {
+		info["cgo"] = "enabled"
+	}
+
+	infoKeys = append(infoKeys, "recovery mode")
+	info["recovery mode"] = "false"
+
+	infoKeys = append(infoKeys, "go version")
+	info["go version"] = runtime.Version()
+
+	fipsStatus := entGetFIPSInfoKey()
+	if fipsStatus != "" {
+		infoKeys = append(infoKeys, "fips")
+		info["fips"] = fipsStatus
+	}
+
+	if config.HCPLinkConf != nil {
+		infoKeys = append(infoKeys, "HCP organization")
+		info["HCP organization"] = config.HCPLinkConf.Resource.Organization
+
+		infoKeys = append(infoKeys, "HCP project")
+		info["HCP project"] = config.HCPLinkConf.Resource.Project
+
+		infoKeys = append(infoKeys, "HCP resource ID")
+		info["HCP resource ID"] = config.HCPLinkConf.Resource.ID
+	}
+
+	infoKeys = append(infoKeys, "administrative namespace")
+	info["administrative namespace"] = config.AdministrativeNamespacePath
+
+	sort.Strings(infoKeys)
+	c.UI.Output("==> Vault server configuration:\n")
+
+	for _, k := range infoKeys {
+		c.UI.Output(fmt.Sprintf(
+			"%24s: %s",
+			strings.Title(k),
+			info[k]))
+	}
+
+	c.UI.Output("")
+
+	// Tests might not want to start a vault server and just want to verify
+	// the configuration.
+	if c.flagTestVerifyOnly {
+		return 0
+	}
+
+	// This needs to happen before we first unseal, so before we trigger dev
+	// mode if it's set
+	core.SetClusterListenerAddrs(clusterAddrs)
+	core.SetClusterHandler(vaulthttp.Handler.Handler(&vault.HandlerProperties{
+		Core:           core,
+		ListenerConfig: &configutil.Listener{},
+	}))
+
+	// Attempt unsealing in a background goroutine. This is needed for when a
+	// Vault cluster with multiple servers is configured with auto-unseal but is
+	// uninitialized. Once one server initializes the storage backend, this
+	// goroutine will pick up the unseal keys and unseal this instance.
+	if !core.IsInSealMigrationMode(true) {
+		go runUnseal(c, core, ctx)
+	}
+
+	// When the underlying storage is raft, kick off retry join if it was specified
+	// in the configuration
+	// TODO: Should we also support retry_join for ha_storage?
+	if config.Storage.Type == storageTypeRaft {
+		if err := core.InitiateRetryJoin(ctx); err != nil {
+			c.UI.Error(fmt.Sprintf("Failed to initiate raft retry join, %q", err.Error()))
+			return 1
+		}
+	}
+
+	// Perform initialization of HTTP server after the verifyOnly check.
+
+	// Instantiate the wait group
+	c.WaitGroup = &sync.WaitGroup{}
+
+	// If service discovery is available, run service discovery
+	err = runListeners(c, &coreConfig, config, configSR)
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	// If we're in Dev mode, then initialize the core
+	clusterJson := &testcluster.ClusterJson{}
+	err = initDevCore(c, &coreConfig, config, core, certDir, clusterJson)
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	// Initialize the HTTP servers
+	err = startHttpServers(c, core, config, lns)
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	hcpLogger := c.logger.Named("hcp-connectivity")
+	hcpLink, err := hcp_link.NewHCPLink(config.HCPLinkConf, core, hcpLogger)
+	if err != nil {
+		c.logger.Error("failed to establish HCP connection", "error", err)
+	} else if hcpLink != nil {
+		c.logger.Trace("established HCP connection")
+	}
+
+	if c.flagTestServerConfig {
+		return 0
+	}
+
+	if setSealResponse.sealConfigError != nil {
+		init, err := core.InitializedLocally(ctx)
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error checking if core is initialized: %v", err))
+			return 1
+		}
+		if init {
+			c.UI.Error("Vault is initialized but no Seal key could be loaded")
+			return 1
+		}
+	}
+
+	// Output the header that the server has started
+	if !c.logFlags.flagCombineLogs {
+		c.UI.Output("==> Vault server started! Log data will stream in below:\n")
+	}
+
+	// Inform any tests that the server is ready
+	select {
+	case c.startedCh <- struct{}{}:
+	default:
+	}
+
+	// Release the log gate.
+	c.flushLog()
+
+	// Write out the PID to the file now that server has successfully started
+	if err := c.storePidFile(config.PidFile); err != nil {
+		c.UI.Error(fmt.Sprintf("Error storing PID: %s", err))
+		return 1
+	}
+
+	// Notify systemd that the server is ready (if applicable)
+	c.notifySystemd(systemd.SdNotifyReady)
+
+	if c.flagDev {
+		protocol := "http://"
+		if c.flagDevTLS {
+			protocol = "https://"
+		}
+		clusterJson.Nodes = []testcluster.ClusterNode{
+			{
+				APIAddress: protocol + config.Listeners[0].Address,
+			},
+		}
+		if c.flagDevTLS {
+			clusterJson.CACertPath = fmt.Sprintf("%s/%s", certDir, server.VaultDevCAFilename)
+		}
+
+		if c.flagDevClusterJson != "" && !c.flagDevThreeNode {
+			b, err := jsonutil.EncodeJSON(clusterJson)
+			if err != nil {
+				c.UI.Error(fmt.Sprintf("Error encoding cluster.json: %s", err))
+				return 1
+			}
+			err = os.WriteFile(c.flagDevClusterJson, b, 0o600)
+			if err != nil {
+				c.UI.Error(fmt.Sprintf("Error writing cluster.json %q: %s", c.flagDevClusterJson, err))
+				return 1
+			}
+		}
+	}
+
+	defer func() {
+		if err := c.removePidFile(config.PidFile); err != nil {
+			c.UI.Error(fmt.Sprintf("Error deleting the PID file: %s", err))
+		}
+	}()
+
+	var coreShutdownDoneCh <-chan struct{}
+	if c.flagExitOnCoreShutdown {
+		coreShutdownDoneCh = core.ShutdownDone()
+	}
+
+	// Wait for shutdown
+	shutdownTriggered := false
+	retCode := 0
+
+	for !shutdownTriggered {
+		select {
+		case <-coreShutdownDoneCh:
+			c.UI.Output("==> Vault core was shut down")
+			retCode = 1
+			shutdownTriggered = true
+		case <-c.ShutdownCh:
+			c.UI.Output("==> Vault shutdown triggered")
+			shutdownTriggered = true
+		case <-c.SighupCh:
+			c.UI.Output("==> Vault reload triggered")
+
+			// Notify systemd that the server is reloading config
+			c.notifySystemd(systemd.SdNotifyReloading)
+
+			// Check for new log level
+			var config *server.Config
+			var configErrors []configutil.ConfigError
+			for _, path := range c.flagConfigs {
+				current, err := server.LoadConfig(path)
+				if err != nil {
+					c.logger.Error("could not reload config", "path", path, "error", err)
+					goto RUNRELOADFUNCS
+				}
+
+				configErrors = append(configErrors, current.Validate(path)...)
+
+				if config == nil {
+					config = current
+				} else {
+					config = config.Merge(current)
+				}
+			}
+
+			// Ensure at least one config was found.
+			if config == nil {
+				c.logger.Error("no config found at reload time")
+				goto RUNRELOADFUNCS
+			}
+
+			// reporting Errors found in the config
+			for _, cErr := range configErrors {
+				c.logger.Warn(cErr.String())
+			}
+
+			if !cmp.Equal(core.GetCoreConfigInternal().Seals, config.Seals) {
+				setSealResponse, err = c.reloadSeals(ctx, core, config)
+				if err != nil {
+					c.UI.Error(fmt.Errorf("error reloading seal config: %s", err).Error())
+					config.Seals = core.GetCoreConfigInternal().Seals
+				} else {
+					// finalize the old seals and set the new seals as the current ones
+					c.finalizeSeals(ctx, &currentSeals)
+					currentSeals = setSealResponse.getCreatedSeals()
+				}
+			}
+
+			core.SetConfig(config)
+
+			// reloading custom response headers to make sure we have
+			// the most up to date headers after reloading the config file
+			if err = core.ReloadCustomResponseHeaders(); err != nil {
+				c.logger.Error(err.Error())
+			}
+
+			// Setting log request with the new value in the config after reload
+			core.ReloadLogRequestsLevel()
+
+			// reloading HCP link
+			hcpLink, err = c.reloadHCPLink(hcpLink, config, core, hcpLogger)
+			if err != nil {
+				c.logger.Error(err.Error())
+			}
+
+			// Reload log level for loggers
+			if config.LogLevel != "" {
+				level, err := loghelper.ParseLogLevel(config.LogLevel)
+				if err != nil {
+					c.logger.Error("unknown log level found on reload", "level", config.LogLevel)
+					goto RUNRELOADFUNCS
+				}
+				core.SetLogLevel(level)
+			}
+
+		RUNRELOADFUNCS:
+			if err := c.Reload(c.reloadFuncsLock, c.reloadFuncs, c.flagConfigs, core); err != nil {
+				c.UI.Error(fmt.Sprintf("Error(s) were encountered during reload: %s", err))
+			}
+
+			// Reload license file
+			if err = core.EntReloadLicense(); err != nil {
+				c.UI.Error(err.Error())
+			}
+
+			if err := core.ReloadCensus(); err != nil {
+				c.UI.Error(err.Error())
+			}
+			select {
+			case c.licenseReloadedCh <- err:
+			default:
+			}
+
+			// Let the managedKeyRegistry react to configuration changes (i.e.
+			// changes in kms_libraries)
+			core.ReloadManagedKeyRegistryConfig()
+
+			// Notify systemd that the server has completed reloading config
+			c.notifySystemd(systemd.SdNotifyReady)
+
+		case <-c.SigUSR2Ch:
+			logWriter := c.logger.StandardWriter(&hclog.StandardLoggerOptions{})
+			pprof.Lookup("goroutine").WriteTo(logWriter, 2)
+
+			if os.Getenv("VAULT_STACKTRACE_WRITE_TO_FILE") != "" {
+				c.logger.Info("Writing stacktrace to file")
+
+				dir := ""
+				path := os.Getenv("VAULT_STACKTRACE_FILE_PATH")
+				if path != "" {
+					if _, err := os.Stat(path); err != nil {
+						c.logger.Error("Checking stacktrace path failed", "error", err)
+						continue
+					}
+					dir = path
+				} else {
+					dir, err = os.MkdirTemp("", "vault-stacktrace")
+					if err != nil {
+						c.logger.Error("Could not create temporary directory for stacktrace", "error", err)
+						continue
+					}
+				}
+
+				f, err := os.CreateTemp(dir, "stacktrace")
+				if err != nil {
+					c.logger.Error("Could not create stacktrace file", "error", err)
+					continue
+				}
+
+				if err := pprof.Lookup("goroutine").WriteTo(f, 2); err != nil {
+					f.Close()
+					c.logger.Error("Could not write stacktrace to file", "error", err)
+					continue
+				}
+
+				c.logger.Info(fmt.Sprintf("Wrote stacktrace to: %s", f.Name()))
+				f.Close()
+			}
+
+			// We can only get pprof outputs via the API but sometimes Vault can get
+			// into a state where it cannot process requests so we can get pprof outputs
+			// via SIGUSR2.
+			if os.Getenv("VAULT_PPROF_WRITE_TO_FILE") != "" {
+				dir := ""
+				path := os.Getenv("VAULT_PPROF_FILE_PATH")
+				if path != "" {
+					if _, err := os.Stat(path); err != nil {
+						c.logger.Error("Checking pprof path failed", "error", err)
+						continue
+					}
+					dir = path
+				} else {
+					dir, err = os.MkdirTemp("", "vault-pprof")
+					if err != nil {
+						c.logger.Error("Could not create temporary directory for pprof", "error", err)
+						continue
+					}
+				}
+
+				dumps := []string{"goroutine", "heap", "allocs", "threadcreate"}
+				for _, dump := range dumps {
+					pFile, err := os.Create(filepath.Join(dir, dump))
+					if err != nil {
+						c.logger.Error("error creating pprof file", "name", dump, "error", err)
+						break
+					}
+
+					err = pprof.Lookup(dump).WriteTo(pFile, 0)
+					if err != nil {
+						c.logger.Error("error generating pprof data", "name", dump, "error", err)
+						pFile.Close()
+						break
+					}
+					pFile.Close()
+				}
+
+				c.logger.Info(fmt.Sprintf("Wrote pprof files to: %s", dir))
+			}
+		}
+	}
+	// Notify systemd that the server is shutting down
+	c.notifySystemd(systemd.SdNotifyStopping)
+
+	// Stop the listeners so that we don't process further client requests.
+	c.cleanupGuard.Do(listenerCloseFunc)
+
+	if hcpLink != nil {
+		if err := hcpLink.Shutdown(); err != nil {
+			c.UI.Error(fmt.Sprintf("Error with HCP Link shutdown: %v", err.Error()))
+		}
+	}
+
+	// Finalize will wait until after Vault is sealed, which means the
+	// request forwarding listeners will also be closed (and also
+	// waited for).
+	if err := core.Shutdown(); err != nil {
+		c.UI.Error(fmt.Sprintf("Error with core shutdown: %s", err))
+	}
+
+	// Wait for dependent goroutines to complete
+	c.WaitGroup.Wait()
+	return retCode
+}
+
+func (c *ServerCommand) configureSeals(ctx context.Context, config *server.Config, backend physical.Backend, infoKeys []string, info map[string]string) (*SetSealResponse, io.Reader, error) {
+	existingSealGenerationInfo, err := vault.PhysicalSealGenInfo(ctx, backend)
+	if err != nil {
+		return nil, nil, fmt.Errorf("Error getting seal generation info: %v", err)
+	}
+
+	hasPartialPaths, err := hasPartiallyWrappedPaths(ctx, backend)
+	if err != nil {
+		return nil, nil, fmt.Errorf("Cannot determine if there are partially seal wrapped entries in storage: %v", err)
+	}
+	setSealResponse, err := setSeal(c, config, infoKeys, info, existingSealGenerationInfo, hasPartialPaths)
+	if err != nil {
+		return nil, nil, err
+	}
+	if setSealResponse.sealConfigWarning != nil {
+		c.UI.Warn(fmt.Sprintf("Warnings during seal configuration: %v", setSealResponse.sealConfigWarning))
+	}
+
+	if setSealResponse.barrierSeal == nil {
+		return nil, nil, errors.New("Could not create barrier seal! Most likely proper Seal configuration information was not set, but no error was generated.")
+	}
+
+	// prepare a secure random reader for core
+	entropyAugLogger := c.logger.Named("entropy-augmentation")
+	var entropySources []*configutil.EntropySourcerInfo
+	for _, sealWrapper := range setSealResponse.barrierSeal.GetAccess().GetEnabledSealWrappersByPriority() {
+		if s, ok := sealWrapper.Wrapper.(entropy.Sourcer); ok {
+			entropySources = append(entropySources, &configutil.EntropySourcerInfo{
+				Sourcer: s,
+				Name:    sealWrapper.Name,
+			})
+		}
+	}
+	secureRandomReader, err := configutil.CreateSecureRandomReaderFunc(config.SharedConfig, entropySources, entropyAugLogger)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return setSealResponse, secureRandomReader, nil
+}
+
+func (c *ServerCommand) finalizeSeals(ctx context.Context, seals *[]*vault.Seal) {
+	for _, seal := range *seals {
+		// Ensure that the seal finalizer is called, even if using verify-only
+		err := (*seal).Finalize(ctx)
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error finalizing seals: %v", err))
+		}
+	}
+}
+
+// configureLogging takes the configuration and attempts to parse config values into 'log' friendly configuration values
+// If all goes to plan, a logger is created and setup.
+func (c *ServerCommand) configureLogging(config *server.Config) (hclog.InterceptLogger, error) {
+	// Parse all the log related config
+	logLevel, err := loghelper.ParseLogLevel(config.LogLevel)
+	if err != nil {
+		return nil, err
+	}
+
+	logFormat, err := loghelper.ParseLogFormat(config.LogFormat)
+	if err != nil {
+		return nil, err
+	}
+
+	logRotateDuration, err := parseutil.ParseDurationSecond(config.LogRotateDuration)
+	if err != nil {
+		return nil, err
+	}
+
+	logCfg, err := loghelper.NewLogConfig("vault")
+	if err != nil {
+		return nil, err
+	}
+	logCfg.LogLevel = logLevel
+	logCfg.LogFormat = logFormat
+	logCfg.LogFilePath = config.LogFile
+	logCfg.LogRotateDuration = logRotateDuration
+	logCfg.LogRotateBytes = config.LogRotateBytes
+	logCfg.LogRotateMaxFiles = config.LogRotateMaxFiles
+
+	return loghelper.Setup(logCfg, c.logWriter)
+}
+
+func (c *ServerCommand) reloadHCPLink(hcpLinkVault *hcp_link.HCPLinkVault, conf *server.Config, core *vault.Core, hcpLogger hclog.Logger) (*hcp_link.HCPLinkVault, error) {
+	// trigger a shutdown
+	if hcpLinkVault != nil {
+		err := hcpLinkVault.Shutdown()
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if conf.HCPLinkConf == nil {
+		// if cloud stanza is not configured, we should not show anything
+		// in the seal-status related to HCP link
+		core.SetHCPLinkStatus("", "")
+		return nil, nil
+	}
+
+	// starting HCP link
+	hcpLink, err := hcp_link.NewHCPLink(conf.HCPLinkConf, core, hcpLogger)
+	if err != nil {
+		return nil, fmt.Errorf("failed to restart HCP Link and it is no longer running, %w", err)
+	}
+
+	return hcpLink, nil
+}
+
+func (c *ServerCommand) notifySystemd(status string) {
+	sent, err := systemd.SdNotify(false, status)
+	if err != nil {
+		c.logger.Error("error notifying systemd", "error", err)
+	} else {
+		if sent {
+			c.logger.Debug("sent systemd notification", "notification", status)
+		} else {
+			c.logger.Debug("would have sent systemd notification (systemd not present)", "notification", status)
+		}
+	}
+}
+
+func (c *ServerCommand) enableDev(core *vault.Core, coreConfig *vault.CoreConfig) (*vault.InitResult, error) {
+	ctx := namespace.ContextWithNamespace(context.Background(), namespace.RootNamespace)
+
+	var recoveryConfig *vault.SealConfig
+	barrierConfig := &vault.SealConfig{
+		SecretShares:    1,
+		SecretThreshold: 1,
+		Name:            "shamir",
+	}
+
+	if core.SealAccess().RecoveryKeySupported() {
+		recoveryConfig = &vault.SealConfig{
+			SecretShares:    1,
+			SecretThreshold: 1,
+		}
+	}
+
+	if core.SealAccess().StoredKeysSupported() != vaultseal.StoredKeysNotSupported {
+		barrierConfig.StoredShares = 1
+	}
+
+	// Initialize it with a basic single key
+	init, err := core.Initialize(ctx, &vault.InitParams{
+		BarrierConfig:  barrierConfig,
+		RecoveryConfig: recoveryConfig,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	// Handle unseal with stored keys
+	if core.SealAccess().StoredKeysSupported() == vaultseal.StoredKeysSupportedGeneric {
+		err := core.UnsealWithStoredKeys(ctx)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		// Copy the key so that it can be zeroed
+		key := make([]byte, len(init.SecretShares[0]))
+		copy(key, init.SecretShares[0])
+
+		// Unseal the core
+		unsealed, err := core.Unseal(key)
+		if err != nil {
+			return nil, err
+		}
+		if !unsealed {
+			return nil, fmt.Errorf("failed to unseal Vault for dev mode")
+		}
+	}
+
+	isLeader, _, _, err := core.Leader()
+	if err != nil && err != vault.ErrHANotEnabled {
+		return nil, fmt.Errorf("failed to check active status: %w", err)
+	}
+	if err == nil {
+		leaderCount := 5
+		for !isLeader {
+			if leaderCount == 0 {
+				buf := make([]byte, 1<<16)
+				runtime.Stack(buf, true)
+				return nil, fmt.Errorf("failed to get active status after five seconds; call stack is\n%s", buf)
+			}
+			time.Sleep(1 * time.Second)
+			isLeader, _, _, err = core.Leader()
+			if err != nil {
+				return nil, fmt.Errorf("failed to check active status: %w", err)
+			}
+			leaderCount--
+		}
+	}
+
+	// Generate a dev root token if one is provided in the flag
+	if coreConfig.DevToken != "" {
+		req := &logical.Request{
+			ID:          "dev-gen-root",
+			Operation:   logical.UpdateOperation,
+			ClientToken: init.RootToken,
+			Path:        "auth/token/create",
+			Data: map[string]interface{}{
+				"id":                coreConfig.DevToken,
+				"policies":          []string{"root"},
+				"no_parent":         true,
+				"no_default_policy": true,
+			},
+		}
+		resp, err := core.HandleRequest(ctx, req)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create root token with ID %q: %w", coreConfig.DevToken, err)
+		}
+		if resp == nil {
+			return nil, fmt.Errorf("nil response when creating root token with ID %q", coreConfig.DevToken)
+		}
+		if resp.Auth == nil {
+			return nil, fmt.Errorf("nil auth when creating root token with ID %q", coreConfig.DevToken)
+		}
+
+		init.RootToken = resp.Auth.ClientToken
+
+		req.ID = "dev-revoke-init-root"
+		req.Path = "auth/token/revoke-self"
+		req.Data = nil
+		_, err = core.HandleRequest(ctx, req)
+		if err != nil {
+			return nil, fmt.Errorf("failed to revoke initial root token: %w", err)
+		}
+	}
+
+	// Set the token
+	if !c.flagDevNoStoreToken {
+		tokenHelper, err := c.TokenHelper()
+		if err != nil {
+			return nil, err
+		}
+		if err := tokenHelper.Store(init.RootToken); err != nil {
+			return nil, err
+		}
+	}
+
+	kvVer := "2"
+	if c.flagDevKVV1 || c.flagDevLeasedKV {
+		kvVer = "1"
+	}
+	req := &logical.Request{
+		Operation:   logical.UpdateOperation,
+		ClientToken: init.RootToken,
+		Path:        "sys/mounts/secret",
+		Data: map[string]interface{}{
+			"type":        "kv",
+			"path":        "secret/",
+			"description": "key/value secret storage",
+			"options": map[string]string{
+				"version": kvVer,
+			},
+		},
+	}
+	resp, err := core.HandleRequest(ctx, req)
+	if err != nil {
+		return nil, fmt.Errorf("error creating default K/V store: %w", err)
+	}
+	if resp.IsError() {
+		return nil, fmt.Errorf("failed to create default K/V store: %w", resp.Error())
+	}
+
+	return init, nil
+}
+
+func (c *ServerCommand) enableThreeNodeDevCluster(base *vault.CoreConfig, info map[string]string, infoKeys []string, devListenAddress, tempDir string) int {
+	conf, opts := teststorage.ClusterSetup(base, &vault.TestClusterOptions{
+		HandlerFunc:       vaulthttp.Handler,
+		BaseListenAddress: c.flagDevListenAddr,
+		Logger:            c.logger,
+		TempDir:           tempDir,
+		DefaultHandlerProperties: vault.HandlerProperties{
+			ListenerConfig: &configutil.Listener{
+				Profiling: configutil.ListenerProfiling{
+					UnauthenticatedPProfAccess: true,
+				},
+				Telemetry: configutil.ListenerTelemetry{
+					UnauthenticatedMetricsAccess: true,
+				},
+			},
+		},
+	}, nil)
+	testCluster := vault.NewTestCluster(&testing.RuntimeT{}, conf, opts)
+	defer c.cleanupGuard.Do(testCluster.Cleanup)
+
+	if constants.IsEnterprise {
+		err := testcluster.WaitForActiveNodeAndPerfStandbys(context.Background(), testCluster)
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("perf standbys didn't become ready: %v", err))
+			return 1
+		}
+	}
+
+	info["cluster parameters path"] = testCluster.TempDir
+	infoKeys = append(infoKeys, "cluster parameters path")
+
+	for i, core := range testCluster.Cores {
+		info[fmt.Sprintf("node %d api address", i)] = fmt.Sprintf("https://%s", core.Listeners[0].Address.String())
+		infoKeys = append(infoKeys, fmt.Sprintf("node %d api address", i))
+	}
+
+	infoKeys = append(infoKeys, "version")
+	verInfo := version.GetVersion()
+	info["version"] = verInfo.FullVersionNumber(false)
+	if verInfo.Revision != "" {
+		info["version sha"] = strings.Trim(verInfo.Revision, "'")
+		infoKeys = append(infoKeys, "version sha")
+	}
+
+	infoKeys = append(infoKeys, "cgo")
+	info["cgo"] = "disabled"
+	if version.CgoEnabled {
+		info["cgo"] = "enabled"
+	}
+
+	infoKeys = append(infoKeys, "go version")
+	info["go version"] = runtime.Version()
+
+	fipsStatus := entGetFIPSInfoKey()
+	if fipsStatus != "" {
+		infoKeys = append(infoKeys, "fips")
+		info["fips"] = fipsStatus
+	}
+
+	// Server configuration output
+	padding := 24
+
+	sort.Strings(infoKeys)
+	c.UI.Output("==> Vault server configuration:\n")
+
+	for _, k := range infoKeys {
+		c.UI.Output(fmt.Sprintf(
+			"%s%s: %s",
+			strings.Repeat(" ", padding-len(k)),
+			strings.Title(k),
+			info[k]))
+	}
+
+	c.UI.Output("")
+
+	for _, core := range testCluster.Cores {
+		core.Server.Handler = vaulthttp.Handler.Handler(&vault.HandlerProperties{
+			Core:           core.Core,
+			ListenerConfig: &configutil.Listener{},
+		})
+		core.SetClusterHandler(core.Server.Handler)
+	}
+
+	testCluster.Start()
+
+	ctx := namespace.ContextWithNamespace(context.Background(), namespace.RootNamespace)
+
+	if base.DevToken != "" {
+		req := &logical.Request{
+			ID:          "dev-gen-root",
+			Operation:   logical.UpdateOperation,
+			ClientToken: testCluster.RootToken,
+			Path:        "auth/token/create",
+			Data: map[string]interface{}{
+				"id":                base.DevToken,
+				"policies":          []string{"root"},
+				"no_parent":         true,
+				"no_default_policy": true,
+			},
+		}
+		resp, err := testCluster.Cores[0].HandleRequest(ctx, req)
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("failed to create root token with ID %s: %s", base.DevToken, err))
+			return 1
+		}
+		if resp == nil {
+			c.UI.Error(fmt.Sprintf("nil response when creating root token with ID %s", base.DevToken))
+			return 1
+		}
+		if resp.Auth == nil {
+			c.UI.Error(fmt.Sprintf("nil auth when creating root token with ID %s", base.DevToken))
+			return 1
+		}
+
+		testCluster.RootToken = resp.Auth.ClientToken
+
+		req.ID = "dev-revoke-init-root"
+		req.Path = "auth/token/revoke-self"
+		req.Data = nil
+		_, err = testCluster.Cores[0].HandleRequest(ctx, req)
+		if err != nil {
+			c.UI.Output(fmt.Sprintf("failed to revoke initial root token: %s", err))
+			return 1
+		}
+	}
+
+	// Set the token
+	tokenHelper, err := c.TokenHelper()
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error getting token helper: %s", err))
+		return 1
+	}
+	if err := tokenHelper.Store(testCluster.RootToken); err != nil {
+		c.UI.Error(fmt.Sprintf("Error storing in token helper: %s", err))
+		return 1
+	}
+
+	if err := ioutil.WriteFile(filepath.Join(testCluster.TempDir, "root_token"), []byte(testCluster.RootToken), 0o600); err != nil {
+		c.UI.Error(fmt.Sprintf("Error writing token to tempfile: %s", err))
+		return 1
+	}
+
+	c.UI.Output(fmt.Sprintf(
+		"==> Three node dev mode is enabled\n\n" +
+			"The unseal key and root token are reproduced below in case you\n" +
+			"want to seal/unseal the Vault or play with authentication.\n",
+	))
+
+	for i, key := range testCluster.BarrierKeys {
+		c.UI.Output(fmt.Sprintf(
+			"Unseal Key %d: %s",
+			i+1, base64.StdEncoding.EncodeToString(key),
+		))
+	}
+
+	c.UI.Output(fmt.Sprintf(
+		"\nRoot Token: %s\n", testCluster.RootToken,
+	))
+
+	c.UI.Output(fmt.Sprintf(
+		"\nUseful env vars:\n"+
+			"VAULT_TOKEN=%s\n"+
+			"VAULT_ADDR=%s\n"+
+			"VAULT_CACERT=%s/ca_cert.pem\n",
+		testCluster.RootToken,
+		testCluster.Cores[0].Client.Address(),
+		testCluster.TempDir,
+	))
+
+	if c.flagDevClusterJson != "" {
+		clusterJson := testcluster.ClusterJson{
+			Nodes:      []testcluster.ClusterNode{},
+			CACertPath: filepath.Join(testCluster.TempDir, "ca_cert.pem"),
+			RootToken:  testCluster.RootToken,
+		}
+		for _, core := range testCluster.Cores {
+			clusterJson.Nodes = append(clusterJson.Nodes, testcluster.ClusterNode{
+				APIAddress: core.Client.Address(),
+			})
+		}
+		b, err := jsonutil.EncodeJSON(clusterJson)
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error encoding cluster.json: %s", err))
+			return 1
+		}
+		err = os.WriteFile(c.flagDevClusterJson, b, 0o600)
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error writing cluster.json %q: %s", c.flagDevClusterJson, err))
+			return 1
+		}
+	}
+
+	// Output the header that the server has started
+	c.UI.Output("==> Vault server started! Log data will stream in below:\n")
+
+	// Inform any tests that the server is ready
+	select {
+	case c.startedCh <- struct{}{}:
+	default:
+	}
+
+	// Release the log gate.
+	c.flushLog()
+
+	// Wait for shutdown
+	shutdownTriggered := false
+
+	for !shutdownTriggered {
+		select {
+		case <-c.ShutdownCh:
+			c.UI.Output("==> Vault shutdown triggered")
+
+			// Stop the listeners so that we don't process further client requests.
+			c.cleanupGuard.Do(testCluster.Cleanup)
+
+			// Finalize will wait until after Vault is sealed, which means the
+			// request forwarding listeners will also be closed (and also
+			// waited for).
+			for _, core := range testCluster.Cores {
+				if err := core.Shutdown(); err != nil {
+					c.UI.Error(fmt.Sprintf("Error with core shutdown: %s", err))
+				}
+			}
+
+			shutdownTriggered = true
+
+		case <-c.SighupCh:
+			c.UI.Output("==> Vault reload triggered")
+			for _, core := range testCluster.Cores {
+				if err := c.Reload(core.ReloadFuncsLock, core.ReloadFuncs, nil, core.Core); err != nil {
+					c.UI.Error(fmt.Sprintf("Error(s) were encountered during reload: %s", err))
+				}
+			}
+		}
+	}
+
+	return 0
+}
+
+// addPlugin adds any plugins to the catalog
+func (c *ServerCommand) addPlugin(path, token string, core *vault.Core) error {
+	// Get the sha256 of the file at the given path.
+	pluginSum := func(p string) (string, error) {
+		hasher := sha256.New()
+		f, err := os.Open(p)
+		if err != nil {
+			return "", err
+		}
+		defer f.Close()
+		if _, err := io.Copy(hasher, f); err != nil {
+			return "", err
+		}
+		return hex.EncodeToString(hasher.Sum(nil)), nil
+	}
+
+	// Mount any test plugins. We do this explicitly before we inform tests of
+	// a completely booted server intentionally.
+	sha256sum, err := pluginSum(path)
+	if err != nil {
+		return err
+	}
+
+	// Default the name to the basename of the binary
+	name := filepath.Base(path)
+
+	// File a request against core to enable the plugin
+	req := &logical.Request{
+		Operation:   logical.UpdateOperation,
+		ClientToken: token,
+		Path:        fmt.Sprintf("sys/plugins/catalog/%s", name),
+		Data: map[string]interface{}{
+			"sha256":  sha256sum,
+			"command": name,
+		},
+	}
+	ctx := namespace.ContextWithNamespace(context.Background(), namespace.RootNamespace)
+	if _, err := core.HandleRequest(ctx, req); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// detectRedirect is used to attempt redirect address detection
+func (c *ServerCommand) detectRedirect(detect physical.RedirectDetect,
+	config *server.Config,
+) (string, error) {
+	// Get the hostname
+	host, err := detect.DetectHostAddr()
+	if err != nil {
+		return "", err
+	}
+
+	// set [] for ipv6 addresses
+	if strings.Contains(host, ":") && !strings.Contains(host, "]") {
+		host = "[" + host + "]"
+	}
+
+	// Default the port and scheme
+	scheme := "https"
+	port := 8200
+
+	// Attempt to detect overrides
+	for _, list := range config.Listeners {
+		// Only attempt TCP
+		if list.Type != "tcp" {
+			continue
+		}
+
+		// Check if TLS is disabled
+		if list.TLSDisable {
+			scheme = "http"
+		}
+
+		// Check for address override
+		addr := list.Address
+		if addr == "" {
+			addr = "127.0.0.1:8200"
+		}
+
+		// Check for localhost
+		hostStr, portStr, err := net.SplitHostPort(addr)
+		if err != nil {
+			continue
+		}
+		if hostStr == "127.0.0.1" {
+			host = hostStr
+		}
+
+		// Check for custom port
+		listPort, err := strconv.Atoi(portStr)
+		if err != nil {
+			continue
+		}
+		port = listPort
+	}
+
+	// Build a URL
+	url := &url.URL{
+		Scheme: scheme,
+		Host:   fmt.Sprintf("%s:%d", host, port),
+	}
+
+	// Return the URL string
+	return url.String(), nil
+}
+
+func (c *ServerCommand) Reload(lock *sync.RWMutex, reloadFuncs *map[string][]reloadutil.ReloadFunc, configPath []string, core *vault.Core) error {
+	lock.RLock()
+	defer lock.RUnlock()
+
+	var reloadErrors *multierror.Error
+
+	for k, relFuncs := range *reloadFuncs {
+		switch {
+		case strings.HasPrefix(k, "listener|"):
+			for _, relFunc := range relFuncs {
+				if relFunc != nil {
+					if err := relFunc(); err != nil {
+						reloadErrors = multierror.Append(reloadErrors, fmt.Errorf("error encountered reloading listener: %w", err))
+					}
+				}
+			}
+
+		case strings.HasPrefix(k, "audit_file|"):
+			for _, relFunc := range relFuncs {
+				if relFunc != nil {
+					if err := relFunc(); err != nil {
+						reloadErrors = multierror.Append(reloadErrors, fmt.Errorf("error encountered reloading file audit device at path %q: %w", strings.TrimPrefix(k, "audit_file|"), err))
+					}
+				}
+			}
+		}
+	}
+
+	// Set Introspection Endpoint to enabled with new value in the config after reload
+	core.ReloadIntrospectionEndpointEnabled()
+
+	// Send a message that we reloaded. This prevents "guessing" sleep times
+	// in tests.
+	select {
+	case c.reloadedCh <- struct{}{}:
+	default:
+	}
+
+	return reloadErrors.ErrorOrNil()
+}
+
+// storePidFile is used to write out our PID to a file if necessary
+func (c *ServerCommand) storePidFile(pidPath string) error {
+	// Quit fast if no pidfile
+	if pidPath == "" {
+		return nil
+	}
+
+	// Open the PID file
+	pidFile, err := os.OpenFile(pidPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600)
+	if err != nil {
+		return fmt.Errorf("could not open pid file: %w", err)
+	}
+	defer pidFile.Close()
+
+	// Write out the PID
+	pid := os.Getpid()
+	_, err = pidFile.WriteString(fmt.Sprintf("%d", pid))
+	if err != nil {
+		return fmt.Errorf("could not write to pid file: %w", err)
+	}
+	return nil
+}
+
+// removePidFile is used to cleanup the PID file if necessary
+func (c *ServerCommand) removePidFile(pidPath string) error {
+	if pidPath == "" {
+		return nil
+	}
+	return os.Remove(pidPath)
+}
+
+// storageMigrationActive checks and warns against in-progress storage migrations.
+// This function will block until storage is available.
+func (c *ServerCommand) storageMigrationActive(backend physical.Backend) bool {
+	first := true
+
+	for {
+		migrationStatus, err := CheckStorageMigration(backend)
+		if err == nil {
+			if migrationStatus != nil {
+				startTime := migrationStatus.Start.Format(time.RFC3339)
+				c.UI.Error(wrapAtLength(fmt.Sprintf("ERROR! Storage migration in progress (started: %s). "+
+					"Server startup is prevented until the migration completes. Use 'vault operator migrate -reset' "+
+					"to force clear the migration lock.", startTime)))
+				return true
+			}
+			return false
+		}
+		if first {
+			first = false
+			c.UI.Warn("\nWARNING! Unable to read storage migration status.")
+
+			// unexpected state, so stop buffering log messages
+			c.flushLog()
+		}
+		c.logger.Warn("storage migration check error", "error", err.Error())
+
+		timer := time.NewTimer(2 * time.Second)
+		select {
+		case <-timer.C:
+		case <-c.ShutdownCh:
+			timer.Stop()
+			return true
+		}
+	}
+}
+
+type StorageMigrationStatus struct {
+	Start time.Time `json:"start"`
+}
+
+func CheckStorageMigration(b physical.Backend) (*StorageMigrationStatus, error) {
+	entry, err := b.Get(context.Background(), storageMigrationLock)
+	if err != nil {
+		return nil, err
+	}
+
+	if entry == nil {
+		return nil, nil
+	}
+
+	var status StorageMigrationStatus
+	if err := jsonutil.DecodeJSON(entry.Value, &status); err != nil {
+		return nil, err
+	}
+
+	return &status, nil
+}
+
+type SetSealResponse struct {
+	barrierSeal vault.Seal
+	unwrapSeal  vault.Seal
+
+	// sealConfigError is present if there was an error configuring wrappers, other than KeyNotFound.
+	sealConfigError   error
+	sealConfigWarning error
+}
+
+func (r *SetSealResponse) getCreatedSeals() []*vault.Seal {
+	var ret []*vault.Seal
+	if r.barrierSeal != nil {
+		ret = append(ret, &r.barrierSeal)
+	}
+	if r.unwrapSeal != nil {
+		ret = append(ret, &r.unwrapSeal)
+	}
+	return ret
+}
+
+// setSeal return barrierSeal, barrierWrapper, unwrapSeal, all the created seals, and all the provided seals from the configs so we can close them in Run
+// The two errors are the sealConfigError and the regular error
+func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info map[string]string, existingSealGenerationInfo *vaultseal.SealGenerationInfo, hasPartiallyWrappedPaths bool) (*SetSealResponse, error) {
+	if c.flagDevAutoSeal {
+		access, _ := vaultseal.NewTestSeal(nil)
+		barrierSeal := vault.NewAutoSeal(access)
+
+		return &SetSealResponse{barrierSeal: barrierSeal}, nil
+	}
+
+	// Handle the case where no seal is provided
+	switch len(config.Seals) {
+	case 0:
+		config.Seals = append(config.Seals, &configutil.KMS{
+			Type:     vault.SealConfigTypeShamir.String(),
+			Priority: 1,
+			Name:     "shamir",
+		})
+	default:
+		allSealsDisabled := true
+		for _, c := range config.Seals {
+			if !c.Disabled {
+				allSealsDisabled = false
+			} else if c.Type == vault.SealConfigTypeShamir.String() {
+				return nil, errors.New("shamir seals cannot be set disabled (they should simply not be set)")
+			}
+		}
+		// If all seals are disabled assume they want to
+		// migrate to a shamir seal and simply didn't provide it
+		if allSealsDisabled {
+			config.Seals = append(config.Seals, &configutil.KMS{
+				Type:     vault.SealConfigTypeShamir.String(),
+				Priority: 1,
+				Name:     "shamir",
+			})
+		}
+	}
+
+	var sealConfigError error
+	var sealConfigWarning error
+	recordSealConfigError := func(err error) {
+		sealConfigError = errors.Join(sealConfigError, err)
+	}
+	recordSealConfigWarning := func(err error) {
+		sealConfigWarning = errors.Join(sealConfigWarning, err)
+	}
+	enabledSealWrappers := make([]*vaultseal.SealWrapper, 0)
+	disabledSealWrappers := make([]*vaultseal.SealWrapper, 0)
+	allSealKmsConfigs := make([]*configutil.KMS, 0)
+
+	type infoKeysAndMap struct {
+		keys   []string
+		theMap map[string]string
+	}
+	sealWrapperInfoKeysMap := make(map[string]infoKeysAndMap)
+
+	configuredSeals := 0
+	for _, configSeal := range config.Seals {
+		sealTypeEnvVarName := "VAULT_SEAL_TYPE"
+		if configSeal.Priority > 1 {
+			sealTypeEnvVarName = sealTypeEnvVarName + "_" + configSeal.Name
+		}
+
+		if !configSeal.Disabled && os.Getenv(sealTypeEnvVarName) != "" {
+			sealType := os.Getenv(sealTypeEnvVarName)
+			configSeal.Type = sealType
+		}
+
+		sealLogger := c.logger.ResetNamed(fmt.Sprintf("seal.%s", configSeal.Type))
+		c.allLoggers = append(c.allLoggers, sealLogger)
+
+		allSealKmsConfigs = append(allSealKmsConfigs, configSeal)
+		var wrapperInfoKeys []string
+		wrapperInfoMap := map[string]string{}
+		wrapper, wrapperConfigError := configutil.ConfigureWrapper(configSeal, &wrapperInfoKeys, &wrapperInfoMap, sealLogger)
+		if wrapperConfigError == nil {
+			// for some reason configureWrapper in kms.go returns nil wrapper and nil error for wrapping.WrapperTypeShamir
+			if wrapper == nil {
+				wrapper = aeadwrapper.NewShamirWrapper()
+			}
+			configuredSeals++
+		} else if server.IsMultisealSupported() {
+			recordSealConfigWarning(fmt.Errorf("error configuring seal: %v", wrapperConfigError))
+		} else {
+			// It seems that we are checking for this particular error here is to distinguish between a
+			// mis-configured seal vs one that fails for another reason. Apparently the only other reason is
+			// a key not found error. It seems the intention is for the key not found error to be returned
+			// as a seal specific error later
+			if !errwrap.ContainsType(wrapperConfigError, new(logical.KeyNotFoundError)) {
+				return nil, fmt.Errorf("error parsing Seal configuration: %s", wrapperConfigError)
+			} else {
+				sealLogger.Error("error configuring seal", "name", configSeal.Name, "err", wrapperConfigError)
+				recordSealConfigError(wrapperConfigError)
+			}
+		}
+
+		sealWrapper := vaultseal.NewSealWrapper(
+			wrapper,
+			configSeal.Priority,
+			configSeal.Name,
+			configSeal.Type,
+			configSeal.Disabled,
+			wrapperConfigError == nil,
+		)
+
+		if configSeal.Disabled {
+			disabledSealWrappers = append(disabledSealWrappers, sealWrapper)
+		} else {
+			enabledSealWrappers = append(enabledSealWrappers, sealWrapper)
+		}
+
+		sealWrapperInfoKeysMap[sealWrapper.Name] = infoKeysAndMap{
+			keys:   wrapperInfoKeys,
+			theMap: wrapperInfoMap,
+		}
+	}
+
+	if len(enabledSealWrappers) == 0 && len(disabledSealWrappers) == 0 && sealConfigWarning != nil {
+		// All of them errored out, so warnings are now errors
+		recordSealConfigError(sealConfigWarning)
+		sealConfigWarning = nil
+	}
+
+	////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+	// Set the info keys, this modifies the function arguments `info` and `infoKeys`
+	// TODO(SEALHA): Why are we doing this? What is its use?
+	appendWrapperInfoKeys := func(prefix string, sealWrappers []*vaultseal.SealWrapper) {
+		if len(sealWrappers) == 0 {
+			return
+		}
+		useName := false
+		if len(sealWrappers) > 1 {
+			useName = true
+		}
+		for _, sealWrapper := range sealWrappers {
+			if useName {
+				prefix = fmt.Sprintf("%s %s ", prefix, sealWrapper.Name)
+			}
+			for _, k := range sealWrapperInfoKeysMap[sealWrapper.Name].keys {
+				infoKeys = append(infoKeys, prefix+k)
+				info[prefix+k] = sealWrapperInfoKeysMap[sealWrapper.Name].theMap[k]
+			}
+		}
+	}
+	appendWrapperInfoKeys("", enabledSealWrappers)
+	appendWrapperInfoKeys("Old", disabledSealWrappers)
+
+	////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+	// Compute seal generation
+	sealGenerationInfo, err := c.computeSealGenerationInfo(existingSealGenerationInfo, allSealKmsConfigs, hasPartiallyWrappedPaths)
+	if err != nil {
+		return nil, err
+	}
+
+	////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+	// Create the Seals
+
+	containsShamir := func(sealWrappers []*vaultseal.SealWrapper) bool {
+		for _, si := range sealWrappers {
+			if vault.SealConfigTypeShamir.IsSameAs(si.SealConfigType) {
+				return true
+			}
+		}
+		return false
+	}
+
+	var barrierSeal vault.Seal
+	var unwrapSeal vault.Seal
+
+	sealLogger := c.logger
+	switch {
+	case len(enabledSealWrappers) == 0:
+		return nil, errors.Join(sealConfigWarning, errors.New("no enabled Seals in configuration"))
+	case configuredSeals == 0:
+		return nil, errors.Join(sealConfigWarning, errors.New("no seals were successfully initialized"))
+	case len(enabledSealWrappers) == 1 && containsShamir(enabledSealWrappers):
+		// The barrier seal is Shamir. If there are any disabled seals, then we put them all in the same
+		// autoSeal.
+		a, err := vaultseal.NewAccess(sealLogger, sealGenerationInfo, enabledSealWrappers)
+		if err != nil {
+			return nil, err
+		}
+		barrierSeal = vault.NewDefaultSeal(a)
+		if len(disabledSealWrappers) > 0 {
+			a, err = vaultseal.NewAccess(sealLogger, sealGenerationInfo, disabledSealWrappers)
+			if err != nil {
+				return nil, err
+			}
+			unwrapSeal = vault.NewAutoSeal(a)
+		}
+
+	case len(disabledSealWrappers) == 1 && containsShamir(disabledSealWrappers):
+		// The unwrap seal is Shamir, we are migrating to an autoSeal.
+		a, err := vaultseal.NewAccess(sealLogger, sealGenerationInfo, enabledSealWrappers)
+		if err != nil {
+			return nil, err
+		}
+		barrierSeal = vault.NewAutoSeal(a)
+		a, err = vaultseal.NewAccess(sealLogger, sealGenerationInfo, disabledSealWrappers)
+		if err != nil {
+			return nil, err
+		}
+		unwrapSeal = vault.NewDefaultSeal(a)
+
+	case server.IsMultisealSupported():
+		// We know we are not using Shamir seal, that we are not migrating away from one, and multi seal is supported,
+		// so just put enabled and disabled wrappers on the same seal Access
+		allSealWrappers := append(enabledSealWrappers, disabledSealWrappers...)
+		a, err := vaultseal.NewAccess(sealLogger, sealGenerationInfo, allSealWrappers)
+		if err != nil {
+			return nil, err
+		}
+		barrierSeal = vault.NewAutoSeal(a)
+		if configuredSeals < len(enabledSealWrappers) {
+			c.UI.Warn("WARNING: running with fewer than all configured seals during unseal.  Will not be fully highly available until errors are corrected and Vault restarted.")
+		}
+	case len(enabledSealWrappers) == 1:
+		// We may have multiple seals disabled, but we know Shamir is not one of them.
+		a, err := vaultseal.NewAccess(sealLogger, sealGenerationInfo, enabledSealWrappers)
+		if err != nil {
+			return nil, err
+		}
+		barrierSeal = vault.NewAutoSeal(a)
+		if len(disabledSealWrappers) > 0 {
+			a, err = vaultseal.NewAccess(sealLogger, sealGenerationInfo, disabledSealWrappers)
+			if err != nil {
+				return nil, err
+			}
+			unwrapSeal = vault.NewAutoSeal(a)
+		}
+
+	default:
+		// We know there are multiple enabled seals but multi seal is not supported.
+		return nil, errors.Join(sealConfigWarning, errors.New("error: more than one enabled seal found"))
+	}
+
+	return &SetSealResponse{
+		barrierSeal:       barrierSeal,
+		unwrapSeal:        unwrapSeal,
+		sealConfigError:   sealConfigError,
+		sealConfigWarning: sealConfigWarning,
+	}, nil
+}
+
+func (c *ServerCommand) computeSealGenerationInfo(existingSealGenInfo *vaultseal.SealGenerationInfo, sealConfigs []*configutil.KMS, hasPartiallyWrappedPaths bool) (*vaultseal.SealGenerationInfo, error) {
+	generation := uint64(1)
+
+	if existingSealGenInfo != nil {
+		// This forces a seal re-wrap on all seal related config changes, as we can't
+		// be sure what effect the config change might do. This is purposefully different
+		// from within the Validate call below that just matches on seal configs based
+		// on name/type.
+		if cmp.Equal(existingSealGenInfo.Seals, sealConfigs) {
+			return existingSealGenInfo, nil
+		}
+		generation = existingSealGenInfo.Generation + 1
+	}
+	c.logger.Info("incrementing seal generation", "generation", generation)
+
+	// If the stored copy doesn't match the current configuration, we introduce a new generation
+	// which keeps track if a rewrap of all CSPs and seal wrapped values has completed (initially false).
+	newSealGenInfo := &vaultseal.SealGenerationInfo{
+		Generation: generation,
+		Seals:      sealConfigs,
+	}
+
+	if server.IsMultisealSupported() {
+		err := newSealGenInfo.Validate(existingSealGenInfo, hasPartiallyWrappedPaths)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return newSealGenInfo, nil
+}
+
+func hasPartiallyWrappedPaths(ctx context.Context, backend physical.Backend) (bool, error) {
+	paths, err := vault.GetPartiallySealWrappedPaths(ctx, backend)
+	if err != nil {
+		return false, err
+	}
+
+	return len(paths) > 0, nil
+}
+
+func initHaBackend(c *ServerCommand, config *server.Config, coreConfig *vault.CoreConfig, backend physical.Backend) (bool, error) {
+	// Initialize the separate HA storage backend, if it exists
+	var ok bool
+	if config.HAStorage != nil {
+		if config.Storage.Type == storageTypeRaft && config.HAStorage.Type == storageTypeRaft {
+			return false, fmt.Errorf("Raft cannot be set both as 'storage' and 'ha_storage'. Setting 'storage' to 'raft' will automatically set it up for HA operations as well")
+		}
+
+		if config.Storage.Type == storageTypeRaft {
+			return false, fmt.Errorf("HA storage cannot be declared when Raft is the storage type")
+		}
+
+		factory, exists := c.PhysicalBackends[config.HAStorage.Type]
+		if !exists {
+			return false, fmt.Errorf("Unknown HA storage type %s", config.HAStorage.Type)
+		}
+
+		namedHALogger := c.logger.Named("ha." + config.HAStorage.Type)
+		c.allLoggers = append(c.allLoggers, namedHALogger)
+		habackend, err := factory(config.HAStorage.Config, namedHALogger)
+		if err != nil {
+			return false, fmt.Errorf("Error initializing HA storage of type %s: %s", config.HAStorage.Type, err)
+		}
+
+		if coreConfig.HAPhysical, ok = habackend.(physical.HABackend); !ok {
+			return false, fmt.Errorf("Specified HA storage does not support HA")
+		}
+
+		if !coreConfig.HAPhysical.HAEnabled() {
+			return false, fmt.Errorf("Specified HA storage has HA support disabled; please consult documentation")
+		}
+
+		coreConfig.RedirectAddr = config.HAStorage.RedirectAddr
+		disableClustering := config.HAStorage.DisableClustering
+
+		if config.HAStorage.Type == storageTypeRaft && disableClustering {
+			return disableClustering, fmt.Errorf("Disable clustering cannot be set to true when Raft is the HA storage type")
+		}
+
+		if !disableClustering {
+			coreConfig.ClusterAddr = config.HAStorage.ClusterAddr
+		}
+	} else {
+		if coreConfig.HAPhysical, ok = backend.(physical.HABackend); ok {
+			coreConfig.RedirectAddr = config.Storage.RedirectAddr
+			disableClustering := config.Storage.DisableClustering
+
+			if (config.Storage.Type == storageTypeRaft) && disableClustering {
+				return disableClustering, fmt.Errorf("Disable clustering cannot be set to true when Raft is the storage type")
+			}
+
+			if !disableClustering {
+				coreConfig.ClusterAddr = config.Storage.ClusterAddr
+			}
+		}
+	}
+	return config.DisableClustering, nil
+}
+
+func determineRedirectAddr(c *ServerCommand, coreConfig *vault.CoreConfig, config *server.Config) error {
+	var retErr error
+	if envRA := os.Getenv("VAULT_API_ADDR"); envRA != "" {
+		coreConfig.RedirectAddr = envRA
+	} else if envRA := os.Getenv("VAULT_REDIRECT_ADDR"); envRA != "" {
+		coreConfig.RedirectAddr = envRA
+	} else if envAA := os.Getenv("VAULT_ADVERTISE_ADDR"); envAA != "" {
+		coreConfig.RedirectAddr = envAA
+	}
+
+	// Attempt to detect the redirect address, if possible
+	if coreConfig.RedirectAddr == "" {
+		c.logger.Warn("no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set")
+	}
+
+	var ok bool
+	var detect physical.RedirectDetect
+	if coreConfig.HAPhysical != nil && coreConfig.HAPhysical.HAEnabled() {
+		detect, ok = coreConfig.HAPhysical.(physical.RedirectDetect)
+	} else {
+		detect, ok = coreConfig.Physical.(physical.RedirectDetect)
+	}
+	if ok && coreConfig.RedirectAddr == "" {
+		redirect, err := c.detectRedirect(detect, config)
+		// the following errors did not cause Run to return, so I'm not returning these
+		// as errors.
+		if err != nil {
+			retErr = fmt.Errorf("Error detecting api address: %s", err)
+		} else if redirect == "" {
+			retErr = fmt.Errorf("Failed to detect api address")
+		} else {
+			coreConfig.RedirectAddr = redirect
+		}
+	}
+	if coreConfig.RedirectAddr == "" && c.flagDev {
+		protocol := "http"
+		if c.flagDevTLS {
+			protocol = "https"
+		}
+		coreConfig.RedirectAddr = fmt.Sprintf("%s://%s", protocol, config.Listeners[0].Address)
+	}
+	return retErr
+}
+
+func findClusterAddress(c *ServerCommand, coreConfig *vault.CoreConfig, config *server.Config, disableClustering bool) error {
+	if disableClustering {
+		coreConfig.ClusterAddr = ""
+	} else if envCA := os.Getenv("VAULT_CLUSTER_ADDR"); envCA != "" {
+		coreConfig.ClusterAddr = envCA
+	} else {
+		var addrToUse string
+		switch {
+		case coreConfig.ClusterAddr == "" && coreConfig.RedirectAddr != "":
+			addrToUse = coreConfig.RedirectAddr
+		case c.flagDev:
+			addrToUse = fmt.Sprintf("http://%s", config.Listeners[0].Address)
+		default:
+			goto CLUSTER_SYNTHESIS_COMPLETE
+		}
+		u, err := url.ParseRequestURI(addrToUse)
+		if err != nil {
+			return fmt.Errorf("Error parsing synthesized cluster address %s: %v", addrToUse, err)
+		}
+		host, port, err := net.SplitHostPort(u.Host)
+		if err != nil {
+			// This sucks, as it's a const in the function but not exported in the package
+			if strings.Contains(err.Error(), "missing port in address") {
+				host = u.Host
+				port = "443"
+			} else {
+				return fmt.Errorf("Error parsing api address: %v", err)
+			}
+		}
+		nPort, err := strconv.Atoi(port)
+		if err != nil {
+			return fmt.Errorf("Error parsing synthesized address; failed to convert %q to a numeric: %v", port, err)
+		}
+		u.Host = net.JoinHostPort(host, strconv.Itoa(nPort+1))
+		// Will always be TLS-secured
+		u.Scheme = "https"
+		coreConfig.ClusterAddr = u.String()
+	}
+
+CLUSTER_SYNTHESIS_COMPLETE:
+
+	if coreConfig.RedirectAddr == coreConfig.ClusterAddr && len(coreConfig.RedirectAddr) != 0 {
+		return fmt.Errorf("Address %q used for both API and cluster addresses", coreConfig.RedirectAddr)
+	}
+
+	if coreConfig.ClusterAddr != "" {
+		rendered, err := configutil.ParseSingleIPTemplate(coreConfig.ClusterAddr)
+		if err != nil {
+			return fmt.Errorf("Error parsing cluster address %s: %v", coreConfig.ClusterAddr, err)
+		}
+		coreConfig.ClusterAddr = rendered
+		// Force https as we'll always be TLS-secured
+		u, err := url.ParseRequestURI(coreConfig.ClusterAddr)
+		if err != nil {
+			return fmt.Errorf("Error parsing cluster address %s: %v", coreConfig.ClusterAddr, err)
+		}
+		u.Scheme = "https"
+		coreConfig.ClusterAddr = u.String()
+	}
+	return nil
+}
+
+func runUnseal(c *ServerCommand, core *vault.Core, ctx context.Context) {
+	for {
+		err := core.UnsealWithStoredKeys(ctx)
+		if err == nil {
+			return
+		}
+
+		if vault.IsFatalError(err) {
+			c.logger.Error("error unsealing core", "error", err)
+			return
+		}
+		c.logger.Warn("failed to unseal core", "error", err)
+
+		timer := time.NewTimer(5 * time.Second)
+		select {
+		case <-c.ShutdownCh:
+			timer.Stop()
+			return
+		case <-timer.C:
+		}
+	}
+}
+
+func createCoreConfig(c *ServerCommand, config *server.Config, backend physical.Backend, configSR sr.ServiceRegistration, barrierSeal, unwrapSeal vault.Seal,
+	metricsHelper *metricsutil.MetricsHelper, metricSink *metricsutil.ClusterMetricSink, secureRandomReader io.Reader,
+) vault.CoreConfig {
+	coreConfig := &vault.CoreConfig{
+		RawConfig:                      config,
+		Physical:                       backend,
+		RedirectAddr:                   config.Storage.RedirectAddr,
+		StorageType:                    config.Storage.Type,
+		HAPhysical:                     nil,
+		ServiceRegistration:            configSR,
+		Seal:                           barrierSeal,
+		UnwrapSeal:                     unwrapSeal,
+		AuditBackends:                  c.AuditBackends,
+		CredentialBackends:             c.CredentialBackends,
+		LogicalBackends:                c.LogicalBackends,
+		LogLevel:                       config.LogLevel,
+		Logger:                         c.logger,
+		DetectDeadlocks:                config.DetectDeadlocks,
+		ImpreciseLeaseRoleTracking:     config.ImpreciseLeaseRoleTracking,
+		DisableSentinelTrace:           config.DisableSentinelTrace,
+		DisableCache:                   config.DisableCache,
+		DisableMlock:                   config.DisableMlock,
+		MaxLeaseTTL:                    config.MaxLeaseTTL,
+		DefaultLeaseTTL:                config.DefaultLeaseTTL,
+		ClusterName:                    config.ClusterName,
+		CacheSize:                      config.CacheSize,
+		PluginDirectory:                config.PluginDirectory,
+		PluginFileUid:                  config.PluginFileUid,
+		PluginFilePermissions:          config.PluginFilePermissions,
+		EnableUI:                       config.EnableUI,
+		EnableRaw:                      config.EnableRawEndpoint,
+		EnableIntrospection:            config.EnableIntrospectionEndpoint,
+		DisableSealWrap:                config.DisableSealWrap,
+		DisablePerformanceStandby:      config.DisablePerformanceStandby,
+		DisableIndexing:                config.DisableIndexing,
+		AllLoggers:                     c.allLoggers,
+		BuiltinRegistry:                builtinplugins.Registry,
+		DisableKeyEncodingChecks:       config.DisablePrintableCheck,
+		MetricsHelper:                  metricsHelper,
+		MetricSink:                     metricSink,
+		SecureRandomReader:             secureRandomReader,
+		EnableResponseHeaderHostname:   config.EnableResponseHeaderHostname,
+		EnableResponseHeaderRaftNodeID: config.EnableResponseHeaderRaftNodeID,
+		License:                        config.License,
+		LicensePath:                    config.LicensePath,
+		DisableSSCTokens:               config.DisableSSCTokens,
+		Experiments:                    config.Experiments,
+		AdministrativeNamespacePath:    config.AdministrativeNamespacePath,
+	}
+
+	if c.flagDev {
+		coreConfig.EnableRaw = true
+		coreConfig.EnableIntrospection = true
+		coreConfig.DevToken = c.flagDevRootTokenID
+		if c.flagDevLeasedKV {
+			coreConfig.LogicalBackends["kv"] = vault.LeasedPassthroughBackendFactory
+		}
+		if c.flagDevPluginDir != "" {
+			coreConfig.PluginDirectory = c.flagDevPluginDir
+		}
+		if c.flagDevLatency > 0 {
+			injectLatency := time.Duration(c.flagDevLatency) * time.Millisecond
+			if _, txnOK := backend.(physical.Transactional); txnOK {
+				coreConfig.Physical = physical.NewTransactionalLatencyInjector(backend, injectLatency, c.flagDevLatencyJitter, c.logger)
+			} else {
+				coreConfig.Physical = physical.NewLatencyInjector(backend, injectLatency, c.flagDevLatencyJitter, c.logger)
+			}
+		}
+	}
+	return *coreConfig
+}
+
+func runListeners(c *ServerCommand, coreConfig *vault.CoreConfig, config *server.Config, configSR sr.ServiceRegistration) error {
+	if sd := coreConfig.GetServiceRegistration(); sd != nil {
+		if err := configSR.Run(c.ShutdownCh, c.WaitGroup, coreConfig.RedirectAddr); err != nil {
+			return fmt.Errorf("Error running service_registration of type %s: %s", config.ServiceRegistration.Type, err)
+		}
+	}
+	return nil
+}
+
+func initDevCore(c *ServerCommand, coreConfig *vault.CoreConfig, config *server.Config, core *vault.Core, certDir string, clusterJSON *testcluster.ClusterJson) error {
+	if c.flagDev && !c.flagDevSkipInit {
+
+		init, err := c.enableDev(core, coreConfig)
+		if err != nil {
+			return fmt.Errorf("Error initializing Dev mode: %s", err)
+		}
+
+		if clusterJSON != nil {
+			clusterJSON.RootToken = init.RootToken
+		}
+
+		var plugins, pluginsNotLoaded []string
+		if c.flagDevPluginDir != "" && c.flagDevPluginInit {
+
+			f, err := os.Open(c.flagDevPluginDir)
+			if err != nil {
+				return fmt.Errorf("Error reading plugin dir: %s", err)
+			}
+
+			list, err := f.Readdirnames(0)
+			f.Close()
+			if err != nil {
+				return fmt.Errorf("Error listing plugins: %s", err)
+			}
+
+			for _, name := range list {
+				path := filepath.Join(f.Name(), name)
+				if err := c.addPlugin(path, init.RootToken, core); err != nil {
+					if !errwrap.Contains(err, vault.ErrPluginBadType.Error()) {
+						return fmt.Errorf("Error enabling plugin %s: %s", name, err)
+					}
+					pluginsNotLoaded = append(pluginsNotLoaded, name)
+					continue
+				}
+				plugins = append(plugins, name)
+			}
+
+			sort.Strings(plugins)
+		}
+
+		var qw *quiescenceSink
+		var qwo sync.Once
+		qw = &quiescenceSink{
+			t: time.AfterFunc(100*time.Millisecond, func() {
+				qwo.Do(func() {
+					c.logger.DeregisterSink(qw)
+
+					// Print the big dev mode warning!
+					c.UI.Warn(wrapAtLength(
+						"WARNING! dev mode is enabled! In this mode, Vault runs entirely " +
+							"in-memory and starts unsealed with a single unseal key. The root " +
+							"token is already authenticated to the CLI, so you can immediately " +
+							"begin using Vault."))
+					c.UI.Warn("")
+					c.UI.Warn("You may need to set the following environment variables:")
+					c.UI.Warn("")
+
+					protocol := "http://"
+					if c.flagDevTLS {
+						protocol = "https://"
+					}
+
+					endpointURL := protocol + config.Listeners[0].Address
+					if runtime.GOOS == "windows" {
+						c.UI.Warn("PowerShell:")
+						c.UI.Warn(fmt.Sprintf("    $env:VAULT_ADDR=\"%s\"", endpointURL))
+						c.UI.Warn("cmd.exe:")
+						c.UI.Warn(fmt.Sprintf("    set VAULT_ADDR=%s", endpointURL))
+					} else {
+						c.UI.Warn(fmt.Sprintf("    $ export VAULT_ADDR='%s'", endpointURL))
+					}
+
+					if c.flagDevTLS {
+						if runtime.GOOS == "windows" {
+							c.UI.Warn("PowerShell:")
+							c.UI.Warn(fmt.Sprintf("    $env:VAULT_CACERT=\"%s/vault-ca.pem\"", certDir))
+							c.UI.Warn("cmd.exe:")
+							c.UI.Warn(fmt.Sprintf("    set VAULT_CACERT=%s/vault-ca.pem", certDir))
+						} else {
+							c.UI.Warn(fmt.Sprintf("    $ export VAULT_CACERT='%s/vault-ca.pem'", certDir))
+						}
+						c.UI.Warn("")
+					}
+
+					// Unseal key is not returned if stored shares is supported
+					if len(init.SecretShares) > 0 {
+						c.UI.Warn("")
+						c.UI.Warn(wrapAtLength(
+							"The unseal key and root token are displayed below in case you want " +
+								"to seal/unseal the Vault or re-authenticate."))
+						c.UI.Warn("")
+						c.UI.Warn(fmt.Sprintf("Unseal Key: %s", base64.StdEncoding.EncodeToString(init.SecretShares[0])))
+					}
+
+					if len(init.RecoveryShares) > 0 {
+						c.UI.Warn("")
+						c.UI.Warn(wrapAtLength(
+							"The recovery key and root token are displayed below in case you want " +
+								"to seal/unseal the Vault or re-authenticate."))
+						c.UI.Warn("")
+						c.UI.Warn(fmt.Sprintf("Recovery Key: %s", base64.StdEncoding.EncodeToString(init.RecoveryShares[0])))
+					}
+
+					c.UI.Warn(fmt.Sprintf("Root Token: %s", init.RootToken))
+
+					if len(plugins) > 0 {
+						c.UI.Warn("")
+						c.UI.Warn(wrapAtLength(
+							"The following dev plugins are registered in the catalog:"))
+						for _, p := range plugins {
+							c.UI.Warn(fmt.Sprintf("    - %s", p))
+						}
+					}
+
+					if len(pluginsNotLoaded) > 0 {
+						c.UI.Warn("")
+						c.UI.Warn(wrapAtLength(
+							"The following dev plugins FAILED to be registered in the catalog due to unknown type:"))
+						for _, p := range pluginsNotLoaded {
+							c.UI.Warn(fmt.Sprintf("    - %s", p))
+						}
+					}
+
+					c.UI.Warn("")
+					c.UI.Warn(wrapAtLength(
+						"Development mode should NOT be used in production installations!"))
+					c.UI.Warn("")
+				})
+			}),
+		}
+		c.logger.RegisterSink(qw)
+	}
+	return nil
+}
+
+// Initialize the HTTP servers
+func startHttpServers(c *ServerCommand, core *vault.Core, config *server.Config, lns []listenerutil.Listener) error {
+	for _, ln := range lns {
+		if ln.Config == nil {
+			return fmt.Errorf("Found nil listener config after parsing")
+		}
+
+		if err := config2.IsValidListener(ln.Config); err != nil {
+			return err
+		}
+
+		handler := vaulthttp.Handler.Handler(&vault.HandlerProperties{
+			Core:                  core,
+			ListenerConfig:        ln.Config,
+			DisablePrintableCheck: config.DisablePrintableCheck,
+			RecoveryMode:          c.flagRecovery,
+		})
+
+		if len(ln.Config.XForwardedForAuthorizedAddrs) > 0 {
+			handler = vaulthttp.WrapForwardedForHandler(handler, ln.Config)
+		}
+
+		// server defaults
+		server := &http.Server{
+			Handler:           handler,
+			ReadHeaderTimeout: 10 * time.Second,
+			ReadTimeout:       30 * time.Second,
+			IdleTimeout:       5 * time.Minute,
+			ErrorLog:          c.logger.StandardLogger(nil),
+		}
+
+		// override server defaults with config values for read/write/idle timeouts if configured
+		if ln.Config.HTTPReadHeaderTimeout > 0 {
+			server.ReadHeaderTimeout = ln.Config.HTTPReadHeaderTimeout
+		}
+		if ln.Config.HTTPReadTimeout > 0 {
+			server.ReadTimeout = ln.Config.HTTPReadTimeout
+		}
+		if ln.Config.HTTPWriteTimeout > 0 {
+			server.WriteTimeout = ln.Config.HTTPWriteTimeout
+		}
+		if ln.Config.HTTPIdleTimeout > 0 {
+			server.IdleTimeout = ln.Config.HTTPIdleTimeout
+		}
+
+		// server config tests can exit now
+		if c.flagTestServerConfig {
+			continue
+		}
+
+		go server.Serve(ln.Listener)
+	}
+	return nil
+}
+
+func (c *ServerCommand) reloadSeals(ctx context.Context, core *vault.Core, config *server.Config) (*SetSealResponse, error) {
+	if len(config.Seals) == 1 && config.Seals[0].Disabled {
+		return nil, errors.New("moving from autoseal to shamir requires seal migration")
+	}
+
+	if core.SealAccess().BarrierSealConfigType() == vault.SealConfigTypeShamir {
+		return nil, errors.New("moving from shamir to autoseal requires seal migration")
+	}
+
+	infoKeysReload := make([]string, 0)
+	infoReload := make(map[string]string)
+
+	setSealResponse, secureRandomReader, err := c.configureSeals(ctx, config, core.PhysicalAccess(), infoKeysReload, infoReload)
+	if err != nil {
+		return nil, err
+	}
+	if setSealResponse.sealConfigError != nil {
+		return nil, err
+	}
+
+	err = core.SetSeals(setSealResponse.barrierSeal, secureRandomReader)
+	if err != nil {
+		return nil, fmt.Errorf("error setting seal: %s", err)
+	}
+
+	newGen := setSealResponse.barrierSeal.GetAccess().GetSealGenerationInfo()
+
+	if err := core.SetPhysicalSealGenInfo(ctx, newGen); err != nil {
+		c.logger.Warn("could not update seal information in storage", "err", err)
+	}
+
+	return setSealResponse, nil
+}
+
+func SetStorageMigration(b physical.Backend, active bool) error {
+	if !active {
+		return b.Delete(context.Background(), storageMigrationLock)
+	}
+
+	status := StorageMigrationStatus{
+		Start: time.Now(),
+	}
+
+	enc, err := jsonutil.EncodeJSON(status)
+	if err != nil {
+		return err
+	}
+
+	entry := &physical.Entry{
+		Key:   storageMigrationLock,
+		Value: enc,
+	}
+
+	return b.Put(context.Background(), entry)
+}
+
+type grpclogFaker struct {
+	logger hclog.Logger
+	log    bool
+}
+
+func (g *grpclogFaker) Fatal(args ...interface{}) {
+	g.logger.Error(fmt.Sprint(args...))
+	os.Exit(1)
+}
+
+func (g *grpclogFaker) Fatalf(format string, args ...interface{}) {
+	g.logger.Error(fmt.Sprintf(format, args...))
+	os.Exit(1)
+}
+
+func (g *grpclogFaker) Fatalln(args ...interface{}) {
+	g.logger.Error(fmt.Sprintln(args...))
+	os.Exit(1)
+}
+
+func (g *grpclogFaker) Print(args ...interface{}) {
+	if g.log && g.logger.IsDebug() {
+		g.logger.Debug(fmt.Sprint(args...))
+	}
+}
+
+func (g *grpclogFaker) Printf(format string, args ...interface{}) {
+	if g.log && g.logger.IsDebug() {
+		g.logger.Debug(fmt.Sprintf(format, args...))
+	}
+}
+
+func (g *grpclogFaker) Println(args ...interface{}) {
+	if g.log && g.logger.IsDebug() {
+		g.logger.Debug(fmt.Sprintln(args...))
+	}
 }
diff --git a/ui/package.json b/ui/package.json
index ed538813d665..8a12a738aa23 100644
--- a/ui/package.json
+++ b/ui/package.json
@@ -1,259 +1,129 @@
-{
-  "name": "vault",
-  "version": "0.0.0",
-  "description": "The official UI for Vault by HashiCorp",
-  "repository": "",
-  "author": "",
-  "directories": {
-    "doc": "doc",
-    "test": "tests"
-  },
-  "scripts": {
-    "build": "ember build --environment=production && cp metadata.json ../http/web_ui/metadata.json",
-    "build:dev": "ember build",
-    "lint:css": "stylelint \"**/*.css\"",
-    "lint:css:fix": "yarn lint:css --fix",
-    "lint:fix": "npm-run-all --print-name --aggregate-output --continue-on-error --parallel \"lint:*:fix\"",
-    "lint:hbs": "ember-template-lint '**/*.hbs'",
-    "lint:hbs:quiet": "ember-template-lint '**/*.hbs' --quiet",
-    "lint:hbs:fix": "ember-template-lint . --fix",
-    "lint:js": "eslint . --cache",
-    "lint:js:quiet": "eslint . --cache --quiet",
-    "lint:js:fix": "eslint . --fix",
-    "fmt": "npm-run-all --aggregate-output --continue-on-error --parallel fmt:*",
-    "fmt:js": "prettier --config .prettierrc.js --write '{app,tests,config,lib}/**/*.js'",
-    "fmt:hbs": "prettier --config .prettierrc.js --write '**/*.hbs'",
-    "fmt:styles": "prettier --write app/styles/**/*.*",
-    "start": "VAULT_ADDR=http://localhost:8200; ember server --proxy=$VAULT_ADDR",
-    "start2": "ember server --proxy=http://localhost:8202 --port=4202",
-    "start:chroot": "ember server --proxy=http://localhost:8300 --port=4300",
-    "start:mirage": "start () { MIRAGE_DEV_HANDLER=$1 yarn run start; }; start",
-    "test": "npm-run-all --print-name lint:js:quiet lint:hbs:quiet && node scripts/start-vault.js",
-    "test:enos": "npm-run-all lint:js:quiet lint:hbs:quiet && node scripts/enos-test-ember.js",
-    "test:oss": "yarn run test -f='!enterprise'",
-    "test:quick": "node scripts/start-vault.js",
-    "test:quick-oss": "yarn test:quick -f='!enterprise'",
-    "types:declare": "declare () { yarn tsc $1 --declaration --allowJs --emitDeclarationOnly --experimentalDecorators --outDir $2; }; declare",
-    "vault": "VAULT_REDIRECT_ADDR=http://127.0.0.1:8200 vault server -log-level=error -dev -dev-root-token-id=root -dev-ha -dev-transactional",
-    "vault:cluster": "VAULT_REDIRECT_ADDR=http://127.0.0.1:8202 vault server -log-level=error -dev -dev-root-token-id=root -dev-listen-address=127.0.0.1:8202 -dev-ha -dev-transactional"
-  },
-  "lint-staged": {
-    "*.js": [
-      "prettier --config .prettierrc.js --write",
-      "eslint --quiet",
-      "git add"
-    ],
-    "*.hbs": [
-      "prettier --config .prettierrc.js --write",
-      "ember-template-lint --quiet",
-      "git add"
-    ],
-    "*.scss": [
-      "prettier --write",
-      "git add"
-    ]
-  },
-  "devDependencies": {
-    "@babel/eslint-parser": "^7.21.3",
-    "@babel/plugin-proposal-decorators": "^7.21.0",
-    "@babel/plugin-proposal-object-rest-spread": "^7.12.1",
-    "@babel/plugin-transform-block-scoping": "^7.12.1",
-    "@ember/legacy-built-in-components": "^0.4.1",
-    "@ember/optional-features": "^2.0.0",
-    "@ember/render-modifiers": "^1.0.2",
-    "@ember/string": "^3.0.1",
-    "@ember/test-helpers": "2.9.3",
-    "@ember/test-waiters": "^3.0.0",
-    "@glimmer/component": "^1.1.2",
-    "@glimmer/tracking": "^1.1.2",
-    "@hashicorp/structure-icons": "^1.3.0",
-    "@icholy/duration": "^5.1.0",
-    "@tsconfig/ember": "^1.0.1",
-    "@types/ember": "^4.0.2",
-    "@types/ember-data": "^4.4.6",
-    "@types/ember-data__adapter": "^4.0.1",
-    "@types/ember-data__model": "^4.0.0",
-    "@types/ember-data__serializer": "^4.0.1",
-    "@types/ember-data__store": "^4.0.2",
-    "@types/ember-qunit": "^5.0.2",
-    "@types/ember-resolver": "^5.0.13",
-    "@types/ember__application": "^4.0.4",
-    "@types/ember__array": "^4.0.3",
-    "@types/ember__component": "^4.0.11",
-    "@types/ember__controller": "^4.0.3",
-    "@types/ember__debug": "^4.0.3",
-    "@types/ember__destroyable": "^4.0.1",
-    "@types/ember__engine": "^4.0.4",
-    "@types/ember__error": "^4.0.1",
-    "@types/ember__object": "^4.0.5",
-    "@types/ember__polyfills": "^4.0.1",
-    "@types/ember__routing": "^4.0.12",
-    "@types/ember__runloop": "^4.0.2",
-    "@types/ember__service": "^4.0.1",
-    "@types/ember__string": "^3.0.10",
-    "@types/ember__template": "^4.0.1",
-    "@types/ember__test": "^4.0.1",
-    "@types/ember__test-helpers": "^2.8.2",
-    "@types/ember__utils": "^4.0.2",
-    "@types/qunit": "^2.19.3",
-    "@types/rsvp": "^4.0.4",
-    "@types/shell-quote": "^1.7.1",
-    "@typescript-eslint/eslint-plugin": "^5.19.0",
-    "@typescript-eslint/parser": "^5.19.0",
-    "asn1js": "^2.2.0",
-    "autosize": "^4.0.0",
-    "babel-plugin-inline-json-import": "^0.3.2",
-    "base64-js": "^1.3.1",
-    "broccoli-asset-rev": "^3.0.0",
-    "broccoli-sri-hash": "meirish/broccoli-sri-hash#rooturl",
-    "codemirror": "^5.58.2",
-    "columnify": "^1.5.4",
-    "d3-axis": "^1.0.8",
-    "d3-ease": "^1.0.5",
-    "d3-scale": "^1.0.7",
-    "d3-selection": "^1.3.0",
-    "d3-time-format": "^2.1.1",
-    "d3-tip": "^0.9.1",
-    "d3-transition": "^1.2.0",
-    "date-fns": "^2.16.1",
-    "date-fns-tz": "^1.2.2",
-    "deepmerge": "^4.0.0",
-    "doctoc": "^2.2.0",
-    "dompurify": "^3.0.2",
-    "ember-auto-import": "2.6.3",
-    "ember-basic-dropdown": "6.0.1",
-    "ember-cli": "~4.12.1",
-    "ember-cli-autoprefixer": "^0.8.1",
-    "ember-cli-babel": "^7.26.11",
-    "ember-cli-content-security-policy": "2.0.3",
-    "ember-cli-dependency-checker": "^3.3.1",
-    "ember-cli-deprecation-workflow": "^2.1.0",
-    "ember-cli-flash": "4.0.0",
-    "ember-cli-htmlbars": "^6.2.0",
-    "ember-cli-inject-live-reload": "^2.1.0",
-    "ember-cli-mirage": "2.4.0",
-    "ember-cli-page-object": "1.17.10",
-    "ember-cli-sass": "11.0.1",
-    "ember-cli-sri": "meirish/ember-cli-sri#rooturl",
-    "ember-cli-string-helpers": "6.1.0",
-    "ember-cli-terser": "^4.0.2",
-    "ember-cli-typescript": "^5.2.1",
-    "ember-composable-helpers": "5.0.0",
-    "ember-concurrency": "2.3.4",
-    "ember-copy": "2.0.1",
-    "ember-d3": "^0.5.1",
-    "ember-data": "~4.11.3",
-    "ember-engines": "0.8.23",
-    "ember-fetch": "^8.1.2",
-    "ember-inflector": "4.0.2",
-    "ember-load-initializers": "^2.1.2",
-    "ember-maybe-in-element": "^2.0.3",
-    "ember-modal-dialog": "^4.0.1",
-    "ember-modifier": "^4.1.0",
-    "ember-page-title": "^7.0.0",
-    "ember-power-select": "6.0.1",
-    "ember-qrcode-shim": "^0.4.0",
-    "ember-qunit": "6.0.0",
-    "ember-resolver": "^10.0.0",
-    "ember-responsive": "5.0.0",
-    "ember-router-helpers": "^0.4.0",
-    "ember-service-worker": "meirish/ember-service-worker#configurable-scope",
-    "ember-sinon": "^4.0.0",
-    "ember-source": "~4.12.0",
-    "ember-svg-jar": "2.4.0",
-    "ember-template-lint": "5.7.2",
-    "ember-template-lint-plugin-prettier": "4.0.0",
-    "ember-test-selectors": "6.0.0",
-    "ember-tether": "^2.0.1",
-    "ember-truth-helpers": "3.0.0",
-    "escape-string-regexp": "^2.0.0",
-    "eslint": "^8.37.0",
-    "eslint-config-prettier": "^8.8.0",
-    "eslint-plugin-compat": "4.0.2",
-    "eslint-plugin-ember": "^11.5.0",
-    "eslint-plugin-n": "^15.7.0",
-    "eslint-plugin-prettier": "^4.2.1",
-    "eslint-plugin-qunit": "^7.3.4",
-    "filesize": "^4.2.1",
-    "flat": "^6.0.1",
-    "jsondiffpatch": "^0.4.1",
-    "jsonlint": "^1.6.3",
-    "lint-staged": "^10.5.1",
-    "loader.js": "^4.7.0",
-    "normalize.css": "4.1.1",
-    "npm-run-all": "^4.1.5",
-    "pkijs": "^2.2.2",
-    "pretender": "^3.4.3",
-    "prettier": "2.8.7",
-    "prettier-eslint-cli": "^7.1.0",
-    "pvutils": "^1.0.17",
-    "qunit": "^2.19.4",
-    "qunit-dom": "^2.0.0",
-    "sass": "^1.58.3",
-    "sass-svg-uri": "^1.0.0",
-    "shell-quote": "^1.8.1",
-    "string.prototype.endswith": "^0.2.0",
-    "string.prototype.startswith": "^0.2.0",
-    "stylelint": "^15.4.0",
-    "stylelint-config-standard": "^32.0.0",
-    "stylelint-prettier": "^3.0.0",
-    "swagger-ui-dist": "^5.9.0",
-    "text-encoder-lite": "2.0.0",
-    "tracked-built-ins": "^3.1.1",
-    "typescript": "^4.8.4",
-    "walk-sync": "^2.0.2",
-    "webpack": "5.78.0",
-    "xstate": "^3.3.3"
-  },
-  "resolutions": {
-    "cryptiles": "^4.1.2",
-    "eslint-utils": "^1.4.1",
-    "ember-basic-dropdown": "6.0.1",
-    "growl": "^1.10.0",
-    "highlight.js": "^10.4.1",
-    "https-proxy-agent": "^2.2.3",
-    "ini": "^1.3.6",
-    "kind-of": "^6.0.3",
-    "minimatch": "^3.0.2",
-    "node-notifier": "^8.0.1",
-    "prismjs": "^1.21.0",
-    "qs": "^6.3.0",
-    "serialize-javascript": "^3.1.0",
-    "underscore": "^1.12.1",
-    "trim": "^0.0.3",
-    "xmlhttprequest-ssl": "^1.6.2",
-    "@embroider/macros": "^1.0.0"
-  },
-  "engines": {
-    "node": "16"
-  },
-  "ember": {
-    "edition": "octane"
-  },
-  "private": true,
-  "ember-addon": {
-    "paths": [
-      "lib/core",
-      "lib/css",
-      "lib/keep-gitkeep",
-      "lib/kmip",
-      "lib/kubernetes",
-      "lib/ldap",
-      "lib/kv",
-      "lib/open-api-explorer",
-      "lib/pki",
-      "lib/replication",
-      "lib/service-worker-authenticated-download",
-      "lib/sync"
-    ]
-  },
-  "dependencies": {
-    "@hashicorp/design-system-components": "^2.13.0",
-    "@hashicorp/ember-flight-icons": "^3.1.3",
-    "handlebars": "4.7.7",
-    "highlight.js": "^10.4.1",
-    "node-notifier": "^8.0.1",
-    "uuid": "^9.0.0"
-  },
-  "packageManager": "yarn@3.5.0"
-}
+---
+layout: docs
+page_title: server - Command
+description: |-
+  The "server" command starts a Vault server that responds to API requests. By
+  default, Vault will start in a "sealed" state. The Vault cluster must be
+  initialized before use.
+---
+
+# server
+
+The `server` command starts a Vault server that responds to API requests. By
+default, Vault will start in a "sealed" state. The Vault cluster must be
+initialized before use, usually by the `vault operator init` command. Each Vault
+server must also be unsealed using the `vault operator unseal` command or the
+API before the server can respond to requests.
+
+For more information, please see:
+
+- [`operator init` command](/vault/docs/commands/operator/init) for information
+  on initializing a Vault server.
+
+- [`operator unseal` command](/vault/docs/commands/operator/unseal) for
+  information on providing unseal keys.
+
+- [Vault configuration](/vault/docs/configuration) for the syntax and
+  various configuration options for a Vault server.
+
+## Examples
+
+Start a server with a configuration file:
+
+```shell-session
+$ vault server -config=/etc/vault/config.hcl
+```
+
+Run in "dev" mode with a custom initial root token:
+
+```shell-session
+$ vault server -dev -dev-root-token-id="root"
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/vault/docs/commands) included on all commands.
+
+### Command options
+
+- `-config` `(string: "")` - Path to a configuration file or directory of
+  configuration files. This flag can be specified multiple times to load
+  multiple configurations. If the path is a directory, all files which end in
+  .hcl or .json are loaded.
+
+- `-log-level` ((#\_log_level)) `(string: "info")` - Log verbosity level. Supported values (in
+  order of descending detail) are `trace`, `debug`, `info`, `warn`, and `error`. This can
+  also be specified via the `VAULT_LOG_LEVEL` environment variable.
+
+- `-log-format` ((#\_log_format)) `(string: "standard")` - Log format. Supported values
+  are `standard` and `json`. This can also be specified via the
+  `VAULT_LOG_FORMAT` environment variable.
+
+- `-log-file` ((#\_log_file)) - the absolute path where Vault should save log
+  messages in addition to other, existing outputs like journald / stdout. Paths
+  that end with a path separator use the default file name, `vault.log`. Paths
+  that do not end with a file extension use the default `.log` extension. If the
+  log file rotates, Vault appends the current timestamp to the file name
+  at the time of rotation. For example:
+
+  `log-file` | Full log file | Rotated log file
+  ---------- | ------------- | ----------------
+  `/var/log` | `/var/log/vault.log` | `/var/log/vault-{timestamp}.log`
+  `/var/log/my-diary` | `/var/log/my-diary.log` | `/var/log/my-diary-{timestamp}.log`
+  `/var/log/my-diary.txt` | `/var/log/my-diary.txt` | `/var/log/my-diary-{timestamp}.txt`
+
+- `-log-rotate-bytes` ((#\_log_rotate_bytes)) - to specify the number of
+  bytes that should be written to a log before it needs to be rotated. Unless specified,
+  there is no limit to the number of bytes that can be written to a log file.
+
+- `-log-rotate-duration` ((#\_log_rotate_duration)) - to specify the maximum
+  duration a log should be written to before it needs to be rotated. Must be a duration
+  value such as 30s. Defaults to 24h.
+
+- `-log-rotate-max-files` ((#\_log_rotate_max_files)) - to specify the maximum
+  number of older log file archives to keep. Defaults to 0 (no files are ever deleted).
+  Set to -1 to discard old log files when a new one is created.
+
+- `-experiment` `(string array: [])` - The name of an experiment to enable for this node.
+  This flag can be specified multiple times to enable multiple experiments. Experiments
+  should NOT be used in production, and the associated APIs may have backwards incompatible
+  changes between releases. Additional experiments can also be specified via the
+  `VAULT_EXPERIMENTS` environment variable as a comma-separated list, or via the
+  [`experiments`](/vault/docs/configuration#experiments) config key.
+
+- `VAULT_ALLOW_PENDING_REMOVAL_MOUNTS` `(bool: false)` - (environment variable)
+  Allow Vault to be started with builtin engines which have the `Pending Removal`
+  deprecation state. This is a temporary stopgap in place in order to perform an
+  upgrade and disable these engines. Once these engines are marked `Removed` (in
+  the next major release of Vault), the environment variable will no longer work
+  and a downgrade must be performed in order to remove the offending engines. For
+  more information, see the [deprecation faq](/vault/docs/deprecation/faq/#q-what-are-the-phases-of-deprecation).
+
+### Dev options
+
+- `-dev` `(bool: false)` - Enable development mode. In this mode, Vault runs
+  in-memory and starts unsealed. As the name implies, do not run "dev" mode in
+  production.
+
+- `-dev-tls` `(bool: false)` - Enable TLS development mode. In this mode, Vault runs
+  in-memory and starts unsealed with a generated TLS CA, certificate and key.
+  As the name implies, do not run "dev" mode in production.
+
+- `-dev-tls-cert-dir` `(string: "")` - Directory where generated TLS files are created if `-dev-tls` is specified. If left unset, files are generated in a temporary directory.
+
+- `-dev-listen-address` `(string: "127.0.0.1:8200")` - Address to bind to in
+  "dev" mode. This can also be specified via the `VAULT_DEV_LISTEN_ADDRESS`
+  environment variable.
+
+- `-dev-root-token-id` `(string: "")` - Initial root token. This only applies
+  when running in "dev" mode. This can also be specified via the
+  `VAULT_DEV_ROOT_TOKEN_ID` environment variable.
+
+  _Note:_ The token ID should not start with the `s.` prefix.
+
+- `-dev-no-store-token` `(string: "")` - Do not persist the dev root token to
+  the token helper (usually the local filesystem) for use in future requests.
+  The token will only be displayed in the command output.
+
+- `-dev-plugin-dir` `(string: "")` - Directory from which plugins are allowed to be loaded. Only applies in "dev" mode, it will automatically register all the plugins in the provided directory.
diff --git a/ui/tests/acceptance/enterprise-license-banner-test.js b/ui/tests/acceptance/enterprise-license-banner-test.js
index d7c252c7e52d..e46d5bedba3f 100644
--- a/ui/tests/acceptance/enterprise-license-banner-test.js
+++ b/ui/tests/acceptance/enterprise-license-banner-test.js
@@ -1,110 +1,450 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import sinon from 'sinon';
-import { visit } from '@ember/test-helpers';
-import { setupApplicationTest } from 'ember-qunit';
-import Pretender from 'pretender';
-import formatRFC3339 from 'date-fns/formatRFC3339';
-import { addDays, subDays } from 'date-fns';
-import timestamp from 'core/utils/timestamp';
-
-const generateHealthResponse = (now, state) => {
-  let expiry;
-  switch (state) {
-    case 'expired':
-      expiry = subDays(now, 2);
-      break;
-    case 'expiring':
-      expiry = addDays(now, 10);
-      break;
-    default:
-      expiry = addDays(now, 33);
-      break;
-  }
-  return {
-    initialized: true,
-    sealed: false,
-    standby: false,
-    license: {
-      expiry_time: formatRFC3339(expiry),
-      state: 'stored',
-    },
-    performance_standby: false,
-    replication_performance_mode: 'disabled',
-    replication_dr_mode: 'disabled',
-    server_time_utc: 1622562585,
-    version: '1.9.0+ent',
-    cluster_name: 'vault-cluster-e779cd7c',
-    cluster_id: '5f20f5ab-acea-0481-787e-71ec2ff5a60b',
-    last_wal: 121,
-  };
-};
-
-module('Acceptance | Enterprise | License banner warnings', function (hooks) {
-  setupApplicationTest(hooks);
-
-  hooks.before(function () {
-    sinon.stub(timestamp, 'now').callsFake(() => new Date('2018-04-03T14:15:30'));
-  });
-  hooks.beforeEach(function () {
-    this.now = timestamp.now();
-  });
-  hooks.afterEach(function () {
-    this.server.shutdown();
-  });
-  hooks.after(function () {
-    timestamp.now.restore();
-  });
-
-  test('it shows no license banner if license expires in > 30 days', async function (assert) {
-    const healthResp = generateHealthResponse(this.now);
-    this.server = new Pretender(function () {
-      this.get('/v1/sys/health', (response) => {
-        return [response, { 'Content-Type': 'application/json' }, JSON.stringify(healthResp)];
-      });
-      this.get('/v1/sys/internal/ui/feature-flags', this.passthrough);
-      this.get('/v1/sys/internal/ui/mounts', this.passthrough);
-      this.get('/v1/sys/seal-status', this.passthrough);
-      this.get('/v1/sys/license/features', this.passthrough);
-    });
-    await visit('/vault/auth');
-    assert.dom('[data-test-license-banner-expired]').doesNotExist('expired banner does not show');
-    assert.dom('[data-test-license-banner-warning]').doesNotExist('warning banner does not show');
-    this.server.shutdown();
-  });
-  test('it shows license banner warning if license expires within 30 days', async function (assert) {
-    const healthResp = generateHealthResponse(this.now, 'expiring');
-    this.server = new Pretender(function () {
-      this.get('/v1/sys/health', (response) => {
-        return [response, { 'Content-Type': 'application/json' }, JSON.stringify(healthResp)];
-      });
-      this.get('/v1/sys/internal/ui/feature-flags', this.passthrough);
-      this.get('/v1/sys/internal/ui/mounts', this.passthrough);
-      this.get('/v1/sys/seal-status', this.passthrough);
-      this.get('/v1/sys/license/features', this.passthrough);
-    });
-    await visit('/vault/auth');
-    assert.dom('[data-test-license-banner-warning]').exists('license warning shows');
-    this.server.shutdown();
-  });
-
-  test('it shows license banner alert if license has already expired', async function (assert) {
-    const healthResp = generateHealthResponse(this.now, 'expired');
-    this.server = new Pretender(function () {
-      this.get('/v1/sys/health', (response) => {
-        return [response, { 'Content-Type': 'application/json' }, JSON.stringify(healthResp)];
-      });
-      this.get('/v1/sys/internal/ui/feature-flags', this.passthrough);
-      this.get('/v1/sys/internal/ui/mounts', this.passthrough);
-      this.get('/v1/sys/seal-status', this.passthrough);
-      this.get('/v1/sys/license/features', this.passthrough);
-    });
-    await visit('/vault/auth');
-    assert.dom('[data-test-license-banner-expired]').exists('expired license message shows');
-    this.server.shutdown();
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !race && !hsm && !fips_140_3
+
+// NOTE: we can't use this with HSM. We can't set testing mode on and it's not
+// safe to use env vars since that provides an attack vector in the real world.
+//
+// The server tests have a go-metrics/exp manager race condition :(.
+
+package command
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/command/server"
+	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
+	"github.com/hashicorp/vault/internalshared/configutil"
+	"github.com/hashicorp/vault/sdk/physical"
+	physInmem "github.com/hashicorp/vault/sdk/physical/inmem"
+	"github.com/hashicorp/vault/vault"
+	"github.com/hashicorp/vault/vault/seal"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func init() {
+	if signed := os.Getenv("VAULT_LICENSE_CI"); signed != "" {
+		os.Setenv(EnvVaultLicense, signed)
+	}
+}
+
+func testBaseHCL(tb testing.TB, listenerExtras string) string {
+	tb.Helper()
+
+	return strings.TrimSpace(fmt.Sprintf(`
+		disable_mlock = true
+		listener "tcp" {
+			address     = "127.0.0.1:%d"
+			tls_disable = "true"
+			%s
+		}
+	`, 0, listenerExtras))
+}
+
+const (
+	goodListenerTimeouts = `http_read_header_timeout = 12
+			http_read_timeout = "34s"
+			http_write_timeout = "56m"
+			http_idle_timeout = "78h"`
+
+	badListenerReadHeaderTimeout = `http_read_header_timeout = "12km"`
+	badListenerReadTimeout       = `http_read_timeout = "34日"`
+	badListenerWriteTimeout      = `http_write_timeout = "56lbs"`
+	badListenerIdleTimeout       = `http_idle_timeout = "78gophers"`
+
+	inmemHCL = `
+backend "inmem_ha" {
+  advertise_addr       = "http://127.0.0.1:8200"
+}
+`
+	haInmemHCL = `
+ha_backend "inmem_ha" {
+  redirect_addr        = "http://127.0.0.1:8200"
+}
+`
+
+	badHAInmemHCL = `
+ha_backend "inmem" {}
+`
+
+	reloadHCL = `
+backend "inmem" {}
+disable_mlock = true
+listener "tcp" {
+  address       = "127.0.0.1:8203"
+  tls_cert_file = "TMPDIR/reload_cert.pem"
+  tls_key_file  = "TMPDIR/reload_key.pem"
+}
+`
+	cloudHCL = `
+cloud {
+      resource_id = "organization/bc58b3d0-2eab-4ab8-abf4-f61d3c9975ff/project/1c78e888-2142-4000-8918-f933bbbc7690/hashicorp.example.resource/example"
+    client_id = "J2TtcSYOyPUkPV2z0mSyDtvitxLVjJmu"
+    client_secret = "N9JtHZyOnHrIvJZs82pqa54vd4jnkyU3xCcqhFXuQKJZZuxqxxbP1xCfBZVB82vY"
+}
+`
+)
+
+func testServerCommand(tb testing.TB) (*cli.MockUi, *ServerCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &ServerCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+		ShutdownCh: MakeShutdownCh(),
+		SighupCh:   MakeSighupCh(),
+		SigUSR2Ch:  MakeSigUSR2Ch(),
+		PhysicalBackends: map[string]physical.Factory{
+			"inmem":    physInmem.NewInmem,
+			"inmem_ha": physInmem.NewInmemHA,
+		},
+
+		// These prevent us from random sleep guessing...
+		startedCh:         make(chan struct{}, 5),
+		reloadedCh:        make(chan struct{}, 5),
+		licenseReloadedCh: make(chan error),
+	}
+}
+
+func TestServer_ReloadListener(t *testing.T) {
+	t.Parallel()
+
+	wd, _ := os.Getwd()
+	wd += "/server/test-fixtures/reload/"
+
+	td, err := ioutil.TempDir("", "vault-test-")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(td)
+
+	wg := &sync.WaitGroup{}
+	// Setup initial certs
+	inBytes, _ := ioutil.ReadFile(wd + "reload_foo.pem")
+	ioutil.WriteFile(td+"/reload_cert.pem", inBytes, 0o777)
+	inBytes, _ = ioutil.ReadFile(wd + "reload_foo.key")
+	ioutil.WriteFile(td+"/reload_key.pem", inBytes, 0o777)
+
+	relhcl := strings.ReplaceAll(reloadHCL, "TMPDIR", td)
+	ioutil.WriteFile(td+"/reload.hcl", []byte(relhcl), 0o777)
+
+	inBytes, _ = ioutil.ReadFile(wd + "reload_ca.pem")
+	certPool := x509.NewCertPool()
+	ok := certPool.AppendCertsFromPEM(inBytes)
+	if !ok {
+		t.Fatal("not ok when appending CA cert")
+	}
+
+	ui, cmd := testServerCommand(t)
+	_ = ui
+
+	wg.Add(1)
+	args := []string{"-config", td + "/reload.hcl"}
+	go func() {
+		if code := cmd.Run(args); code != 0 {
+			output := ui.ErrorWriter.String() + ui.OutputWriter.String()
+			t.Errorf("got a non-zero exit status: %s", output)
+		}
+		wg.Done()
+	}()
+
+	testCertificateName := func(cn string) error {
+		conn, err := tls.Dial("tcp", "127.0.0.1:8203", &tls.Config{
+			RootCAs: certPool,
+		})
+		if err != nil {
+			return err
+		}
+		defer conn.Close()
+		if err = conn.Handshake(); err != nil {
+			return err
+		}
+		servName := conn.ConnectionState().PeerCertificates[0].Subject.CommonName
+		if servName != cn {
+			return fmt.Errorf("expected %s, got %s", cn, servName)
+		}
+		return nil
+	}
+
+	select {
+	case <-cmd.startedCh:
+	case <-time.After(5 * time.Second):
+		t.Fatalf("timeout")
+	}
+
+	if err := testCertificateName("foo.example.com"); err != nil {
+		t.Fatalf("certificate name didn't check out: %s", err)
+	}
+
+	relhcl = strings.ReplaceAll(reloadHCL, "TMPDIR", td)
+	inBytes, _ = ioutil.ReadFile(wd + "reload_bar.pem")
+	ioutil.WriteFile(td+"/reload_cert.pem", inBytes, 0o777)
+	inBytes, _ = ioutil.ReadFile(wd + "reload_bar.key")
+	ioutil.WriteFile(td+"/reload_key.pem", inBytes, 0o777)
+	ioutil.WriteFile(td+"/reload.hcl", []byte(relhcl), 0o777)
+
+	cmd.SighupCh <- struct{}{}
+	select {
+	case <-cmd.reloadedCh:
+	case <-time.After(5 * time.Second):
+		t.Fatalf("timeout")
+	}
+
+	if err := testCertificateName("bar.example.com"); err != nil {
+		t.Fatalf("certificate name didn't check out: %s", err)
+	}
+
+	cmd.ShutdownCh <- struct{}{}
+
+	wg.Wait()
+}
+
+func TestServer(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name     string
+		contents string
+		exp      string
+		code     int
+		args     []string
+	}{
+		{
+			"common_ha",
+			testBaseHCL(t, "") + inmemHCL,
+			"(HA available)",
+			0,
+			[]string{"-test-verify-only"},
+		},
+		{
+			"separate_ha",
+			testBaseHCL(t, "") + inmemHCL + haInmemHCL,
+			"HA Storage:",
+			0,
+			[]string{"-test-verify-only"},
+		},
+		{
+			"bad_separate_ha",
+			testBaseHCL(t, "") + inmemHCL + badHAInmemHCL,
+			"Specified HA storage does not support HA",
+			1,
+			[]string{"-test-verify-only"},
+		},
+		{
+			"good_listener_timeout_config",
+			testBaseHCL(t, goodListenerTimeouts) + inmemHCL,
+			"",
+			0,
+			[]string{"-test-server-config"},
+		},
+		{
+			"bad_listener_read_header_timeout_config",
+			testBaseHCL(t, badListenerReadHeaderTimeout) + inmemHCL,
+			"unknown unit \"km\" in duration \"12km\"",
+			1,
+			[]string{"-test-server-config"},
+		},
+		{
+			"bad_listener_read_timeout_config",
+			testBaseHCL(t, badListenerReadTimeout) + inmemHCL,
+			"unknown unit \"\\xe6\\x97\\xa5\" in duration",
+			1,
+			[]string{"-test-server-config"},
+		},
+		{
+			"bad_listener_write_timeout_config",
+			testBaseHCL(t, badListenerWriteTimeout) + inmemHCL,
+			"unknown unit \"lbs\" in duration \"56lbs\"",
+			1,
+			[]string{"-test-server-config"},
+		},
+		{
+			"bad_listener_idle_timeout_config",
+			testBaseHCL(t, badListenerIdleTimeout) + inmemHCL,
+			"unknown unit \"gophers\" in duration \"78gophers\"",
+			1,
+			[]string{"-test-server-config"},
+		},
+		{
+			"environment_variables_logged",
+			testBaseHCL(t, "") + inmemHCL,
+			"Environment Variables",
+			0,
+			[]string{"-test-verify-only"},
+		},
+		{
+			"cloud_config",
+			testBaseHCL(t, "") + inmemHCL + cloudHCL,
+			"HCP Organization: bc58b3d0-2eab-4ab8-abf4-f61d3c9975ff",
+			0,
+			[]string{"-test-verify-only"},
+		},
+		{
+			"recovery_mode",
+			testBaseHCL(t, "") + inmemHCL,
+			"",
+			0,
+			[]string{"-test-verify-only", "-recovery"},
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			ui, cmd := testServerCommand(t)
+
+			f, err := os.CreateTemp(t.TempDir(), "")
+			require.NoErrorf(t, err, "error creating temp dir: %v", err)
+
+			_, err = f.WriteString(tc.contents)
+			require.NoErrorf(t, err, "cannot write temp file contents")
+
+			err = f.Close()
+			require.NoErrorf(t, err, "unable to close temp file")
+
+			args := append(tc.args, "-config", f.Name())
+			code := cmd.Run(args)
+			output := ui.ErrorWriter.String() + ui.OutputWriter.String()
+			require.Equal(t, tc.code, code, "expected %d to be %d: %s", code, tc.code, output)
+			require.Contains(t, output, tc.exp, "expected %q to contain %q", output, tc.exp)
+		})
+	}
+}
+
+// TestServer_DevTLS verifies that a vault server starts up correctly with the -dev-tls flag
+func TestServer_DevTLS(t *testing.T) {
+	ui, cmd := testServerCommand(t)
+	args := []string{"-dev-tls", "-dev-listen-address=127.0.0.1:0", "-test-server-config"}
+	retCode := cmd.Run(args)
+	output := ui.ErrorWriter.String() + ui.OutputWriter.String()
+	require.Equal(t, 0, retCode, output)
+	require.Contains(t, output, `tls: "enabled"`)
+}
+
+// TestConfigureDevTLS verifies the various logic paths that flow through the
+// configureDevTLS function.
+func TestConfigureDevTLS(t *testing.T) {
+	testcases := []struct {
+		ServerCommand   *ServerCommand
+		DeferFuncNotNil bool
+		ConfigNotNil    bool
+		TLSDisable      bool
+		CertPathEmpty   bool
+		ErrNotNil       bool
+		TestDescription string
+	}{
+		{
+			ServerCommand: &ServerCommand{
+				flagDevTLS: false,
+			},
+			ConfigNotNil:    true,
+			TLSDisable:      true,
+			CertPathEmpty:   true,
+			ErrNotNil:       false,
+			TestDescription: "flagDev is false, nothing will be configured",
+		},
+		{
+			ServerCommand: &ServerCommand{
+				flagDevTLS:        true,
+				flagDevTLSCertDir: "",
+			},
+			DeferFuncNotNil: true,
+			ConfigNotNil:    true,
+			ErrNotNil:       false,
+			TestDescription: "flagDevTLSCertDir is empty",
+		},
+		{
+			ServerCommand: &ServerCommand{
+				flagDevTLS:        true,
+				flagDevTLSCertDir: "@/#",
+			},
+			CertPathEmpty:   true,
+			ErrNotNil:       true,
+			TestDescription: "flagDevTLSCertDir is set to something invalid",
+		},
+	}
+
+	for _, testcase := range testcases {
+		fun, cfg, certPath, err := configureDevTLS(testcase.ServerCommand)
+		if fun != nil {
+			// If a function is returned, call it right away to clean up
+			// files created in the temporary directory before anything else has
+			// a chance to fail this test.
+			fun()
+		}
+
+		t.Run(testcase.TestDescription, func(t *testing.T) {
+			assert.Equal(t, testcase.DeferFuncNotNil, (fun != nil))
+			assert.Equal(t, testcase.ConfigNotNil, cfg != nil)
+			if testcase.ConfigNotNil && cfg != nil {
+				assert.True(t, len(cfg.Listeners) > 0)
+				assert.Equal(t, testcase.TLSDisable, cfg.Listeners[0].TLSDisable)
+			}
+			assert.Equal(t, testcase.CertPathEmpty, len(certPath) == 0)
+			if testcase.ErrNotNil {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
+
+func TestConfigureSeals(t *testing.T) {
+	testConfig := server.Config{SharedConfig: &configutil.SharedConfig{}}
+	_, testCommand := testServerCommand(t)
+
+	logger := corehelpers.NewTestLogger(t)
+	backend, err := physInmem.NewInmem(nil, logger)
+	if err != nil {
+		t.Fatal(err)
+	}
+	testCommand.logger = logger
+
+	setSealResponse, _, err := testCommand.configureSeals(context.Background(), &testConfig, backend, []string{}, map[string]string{})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(setSealResponse.barrierSeal.GetAccess().GetAllSealWrappersByPriority()) != 1 {
+		t.Fatalf("expected 1 seal, got %d", len(setSealResponse.barrierSeal.GetAccess().GetAllSealWrappersByPriority()))
+	}
+
+	if setSealResponse.barrierSeal.BarrierSealConfigType() != vault.SealConfigTypeShamir {
+		t.Fatalf("expected shamir seal, got seal type %s", setSealResponse.barrierSeal.BarrierSealConfigType())
+	}
+}
+
+func TestReloadSeals(t *testing.T) {
+	testCore := vault.TestCoreWithSeal(t, vault.NewTestSeal(t, &seal.TestSealOpts{StoredKeys: seal.StoredKeysSupportedShamirRoot}), false)
+	_, testCommand := testServerCommand(t)
+	testConfig := server.Config{SharedConfig: &configutil.SharedConfig{}}
+
+	_, err := testCommand.reloadSeals(context.Background(), testCore, &testConfig)
+	if err == nil {
+		t.Fatal("expected error, got nil")
+	}
+
+	testConfig = server.Config{SharedConfig: &configutil.SharedConfig{Seals: []*configutil.KMS{{Disabled: true}}}}
+	_, err = testCommand.reloadSeals(context.Background(), testCore, &testConfig)
+	if err == nil {
+		t.Fatal("expected error, got nil")
+	}
+}
diff --git a/ui/tests/acceptance/enterprise-reduced-disclosure-test.js b/ui/tests/acceptance/enterprise-reduced-disclosure-test.js
new file mode 100644
index 000000000000..b32688ca022b
--- /dev/null
+++ b/ui/tests/acceptance/enterprise-reduced-disclosure-test.js
@@ -0,0 +1,432 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package pkcs7
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/dsa"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/asn1"
+	"errors"
+	"fmt"
+	"math/big"
+	"time"
+)
+
+// SignedData is an opaque data structure for creating signed data payloads
+type SignedData struct {
+	sd                  signedData
+	certs               []*x509.Certificate
+	data, messageDigest []byte
+	digestOid           asn1.ObjectIdentifier
+	encryptionOid       asn1.ObjectIdentifier
+}
+
+// NewSignedData takes data and initializes a PKCS7 SignedData struct that is
+// ready to be signed via AddSigner. The digest algorithm is set to SHA-256 by default
+// and can be changed by calling SetDigestAlgorithm.
+func NewSignedData(data []byte) (*SignedData, error) {
+	content, err := asn1.Marshal(data)
+	if err != nil {
+		return nil, err
+	}
+	ci := contentInfo{
+		ContentType: OIDData,
+		Content:     asn1.RawValue{Class: 2, Tag: 0, Bytes: content, IsCompound: true},
+	}
+	sd := signedData{
+		ContentInfo: ci,
+		Version:     1,
+	}
+	return &SignedData{sd: sd, data: data, digestOid: OIDDigestAlgorithmSHA256}, nil
+}
+
+// SignerInfoConfig are optional values to include when adding a signer
+type SignerInfoConfig struct {
+	ExtraSignedAttributes   []Attribute
+	ExtraUnsignedAttributes []Attribute
+}
+
+type signedData struct {
+	Version                    int                        `asn1:"default:1"`
+	DigestAlgorithmIdentifiers []pkix.AlgorithmIdentifier `asn1:"set"`
+	ContentInfo                contentInfo
+	Certificates               rawCertificates        `asn1:"optional,tag:0"`
+	CRLs                       []pkix.CertificateList `asn1:"optional,tag:1"`
+	SignerInfos                []signerInfo           `asn1:"set"`
+}
+
+type signerInfo struct {
+	Version                   int `asn1:"default:1"`
+	IssuerAndSerialNumber     issuerAndSerial
+	DigestAlgorithm           pkix.AlgorithmIdentifier
+	AuthenticatedAttributes   []attribute `asn1:"optional,omitempty,tag:0"`
+	DigestEncryptionAlgorithm pkix.AlgorithmIdentifier
+	EncryptedDigest           []byte
+	UnauthenticatedAttributes []attribute `asn1:"optional,omitempty,tag:1"`
+}
+
+type attribute struct {
+	Type  asn1.ObjectIdentifier
+	Value asn1.RawValue `asn1:"set"`
+}
+
+func marshalAttributes(attrs []attribute) ([]byte, error) {
+	encodedAttributes, err := asn1.Marshal(struct {
+		A []attribute `asn1:"set"`
+	}{A: attrs})
+	if err != nil {
+		return nil, err
+	}
+
+	// Remove the leading sequence octets
+	var raw asn1.RawValue
+	asn1.Unmarshal(encodedAttributes, &raw)
+	return raw.Bytes, nil
+}
+
+type rawCertificates struct {
+	Raw asn1.RawContent
+}
+
+type issuerAndSerial struct {
+	IssuerName   asn1.RawValue
+	SerialNumber *big.Int
+}
+
+// SetDigestAlgorithm sets the digest algorithm to be used in the signing process.
+//
+// This should be called before adding signers
+func (sd *SignedData) SetDigestAlgorithm(d asn1.ObjectIdentifier) {
+	sd.digestOid = d
+}
+
+// SetEncryptionAlgorithm sets the encryption algorithm to be used in the signing process.
+//
+// This should be called before adding signers
+func (sd *SignedData) SetEncryptionAlgorithm(d asn1.ObjectIdentifier) {
+	sd.encryptionOid = d
+}
+
+// AddSigner is a wrapper around AddSignerChain() that adds a signer without any parent.
+func (sd *SignedData) AddSigner(ee *x509.Certificate, pkey crypto.PrivateKey, config SignerInfoConfig) error {
+	var parents []*x509.Certificate
+	return sd.AddSignerChain(ee, pkey, parents, config)
+}
+
+// AddSignerChain signs attributes about the content and adds certificates
+// and signers infos to the Signed Data. The certificate and private key
+// of the end-entity signer are used to issue the signature, and any
+// parent of that end-entity that need to be added to the list of
+// certifications can be specified in the parents slice.
+//
+// The signature algorithm used to hash the data is the one of the end-entity
+// certificate.
+func (sd *SignedData) AddSignerChain(ee *x509.Certificate, pkey crypto.PrivateKey, parents []*x509.Certificate, config SignerInfoConfig) error {
+	// Following RFC 2315, 9.2 SignerInfo type, the distinguished name of
+	// the issuer of the end-entity signer is stored in the issuerAndSerialNumber
+	// section of the SignedData.SignerInfo, alongside the serial number of
+	// the end-entity.
+	var ias issuerAndSerial
+	ias.SerialNumber = ee.SerialNumber
+	if len(parents) == 0 {
+		// no parent, the issuer is the end-entity cert itself
+		ias.IssuerName = asn1.RawValue{FullBytes: ee.RawIssuer}
+	} else {
+		err := verifyPartialChain(ee, parents)
+		if err != nil {
+			return err
+		}
+		// the first parent is the issuer
+		ias.IssuerName = asn1.RawValue{FullBytes: parents[0].RawSubject}
+	}
+	sd.sd.DigestAlgorithmIdentifiers = append(sd.sd.DigestAlgorithmIdentifiers,
+		pkix.AlgorithmIdentifier{Algorithm: sd.digestOid},
+	)
+	hash, err := getHashForOID(sd.digestOid)
+	if err != nil {
+		return err
+	}
+	h := hash.New()
+	h.Write(sd.data)
+	sd.messageDigest = h.Sum(nil)
+	encryptionOid, err := getOIDForEncryptionAlgorithm(pkey, sd.digestOid)
+	if err != nil {
+		return err
+	}
+	attrs := &attributes{}
+	attrs.Add(OIDAttributeContentType, sd.sd.ContentInfo.ContentType)
+	attrs.Add(OIDAttributeMessageDigest, sd.messageDigest)
+	attrs.Add(OIDAttributeSigningTime, time.Now().UTC())
+	for _, attr := range config.ExtraSignedAttributes {
+		attrs.Add(attr.Type, attr.Value)
+	}
+	finalAttrs, err := attrs.ForMarshalling()
+	if err != nil {
+		return err
+	}
+	unsignedAttrs := &attributes{}
+	for _, attr := range config.ExtraUnsignedAttributes {
+		unsignedAttrs.Add(attr.Type, attr.Value)
+	}
+	finalUnsignedAttrs, err := unsignedAttrs.ForMarshalling()
+	if err != nil {
+		return err
+	}
+	// create signature of signed attributes
+	signature, err := signAttributes(finalAttrs, pkey, hash)
+	if err != nil {
+		return err
+	}
+	signer := signerInfo{
+		AuthenticatedAttributes:   finalAttrs,
+		UnauthenticatedAttributes: finalUnsignedAttrs,
+		DigestAlgorithm:           pkix.AlgorithmIdentifier{Algorithm: sd.digestOid},
+		DigestEncryptionAlgorithm: pkix.AlgorithmIdentifier{Algorithm: encryptionOid},
+		IssuerAndSerialNumber:     ias,
+		EncryptedDigest:           signature,
+		Version:                   1,
+	}
+	sd.certs = append(sd.certs, ee)
+	if len(parents) > 0 {
+		sd.certs = append(sd.certs, parents...)
+	}
+	sd.sd.SignerInfos = append(sd.sd.SignerInfos, signer)
+	return nil
+}
+
+// SignWithoutAttr issues a signature on the content of the pkcs7 SignedData.
+// Unlike AddSigner/AddSignerChain, it calculates the digest on the data alone
+// and does not include any signed attributes like timestamp and so on.
+//
+// This function is needed to sign old Android APKs, something you probably
+// shouldn't do unless you're maintaining backward compatibility for old
+// applications.
+func (sd *SignedData) SignWithoutAttr(ee *x509.Certificate, pkey crypto.PrivateKey, config SignerInfoConfig) error {
+	var signature []byte
+	sd.sd.DigestAlgorithmIdentifiers = append(sd.sd.DigestAlgorithmIdentifiers, pkix.AlgorithmIdentifier{Algorithm: sd.digestOid})
+	hash, err := getHashForOID(sd.digestOid)
+	if err != nil {
+		return err
+	}
+	h := hash.New()
+	h.Write(sd.data)
+	sd.messageDigest = h.Sum(nil)
+	switch pkey := pkey.(type) {
+	case *dsa.PrivateKey:
+		// dsa doesn't implement crypto.Signer so we make a special case
+		// https://github.com/golang/go/issues/27889
+		r, s, err := dsa.Sign(rand.Reader, pkey, sd.messageDigest)
+		if err != nil {
+			return err
+		}
+		signature, err = asn1.Marshal(dsaSignature{r, s})
+		if err != nil {
+			return err
+		}
+	default:
+		key, ok := pkey.(crypto.Signer)
+		if !ok {
+			return errors.New("pkcs7: private key does not implement crypto.Signer")
+		}
+		signature, err = key.Sign(rand.Reader, sd.messageDigest, hash)
+		if err != nil {
+			return err
+		}
+	}
+	var ias issuerAndSerial
+	ias.SerialNumber = ee.SerialNumber
+	// no parent, the issue is the end-entity cert itself
+	ias.IssuerName = asn1.RawValue{FullBytes: ee.RawIssuer}
+	if sd.encryptionOid == nil {
+		// if the encryption algorithm wasn't set by SetEncryptionAlgorithm,
+		// infer it from the digest algorithm
+		sd.encryptionOid, err = getOIDForEncryptionAlgorithm(pkey, sd.digestOid)
+	}
+	if err != nil {
+		return err
+	}
+	signer := signerInfo{
+		DigestAlgorithm:           pkix.AlgorithmIdentifier{Algorithm: sd.digestOid},
+		DigestEncryptionAlgorithm: pkix.AlgorithmIdentifier{Algorithm: sd.encryptionOid},
+		IssuerAndSerialNumber:     ias,
+		EncryptedDigest:           signature,
+		Version:                   1,
+	}
+	// create signature of signed attributes
+	sd.certs = append(sd.certs, ee)
+	sd.sd.SignerInfos = append(sd.sd.SignerInfos, signer)
+	return nil
+}
+
+func (si *signerInfo) SetUnauthenticatedAttributes(extraUnsignedAttrs []Attribute) error {
+	unsignedAttrs := &attributes{}
+	for _, attr := range extraUnsignedAttrs {
+		unsignedAttrs.Add(attr.Type, attr.Value)
+	}
+	finalUnsignedAttrs, err := unsignedAttrs.ForMarshalling()
+	if err != nil {
+		return err
+	}
+
+	si.UnauthenticatedAttributes = finalUnsignedAttrs
+
+	return nil
+}
+
+// AddCertificate adds the certificate to the payload. Useful for parent certificates
+func (sd *SignedData) AddCertificate(cert *x509.Certificate) {
+	sd.certs = append(sd.certs, cert)
+}
+
+// Detach removes content from the signed data struct to make it a detached signature.
+// This must be called right before Finish()
+func (sd *SignedData) Detach() {
+	sd.sd.ContentInfo = contentInfo{ContentType: OIDData}
+}
+
+// GetSignedData returns the private Signed Data
+func (sd *SignedData) GetSignedData() *signedData {
+	return &sd.sd
+}
+
+// Finish marshals the content and its signers
+func (sd *SignedData) Finish() ([]byte, error) {
+	sd.sd.Certificates = marshalCertificates(sd.certs)
+	inner, err := asn1.Marshal(sd.sd)
+	if err != nil {
+		return nil, err
+	}
+	outer := contentInfo{
+		ContentType: OIDSignedData,
+		Content:     asn1.RawValue{Class: 2, Tag: 0, Bytes: inner, IsCompound: true},
+	}
+	return asn1.Marshal(outer)
+}
+
+// RemoveAuthenticatedAttributes removes authenticated attributes from signedData
+// similar to OpenSSL's PKCS7_NOATTR or -noattr flags
+func (sd *SignedData) RemoveAuthenticatedAttributes() {
+	for i := range sd.sd.SignerInfos {
+		sd.sd.SignerInfos[i].AuthenticatedAttributes = nil
+	}
+}
+
+// RemoveUnauthenticatedAttributes removes unauthenticated attributes from signedData
+func (sd *SignedData) RemoveUnauthenticatedAttributes() {
+	for i := range sd.sd.SignerInfos {
+		sd.sd.SignerInfos[i].UnauthenticatedAttributes = nil
+	}
+}
+
+// verifyPartialChain checks that a given cert is issued by the first parent in the list,
+// then continue down the path. It doesn't require the last parent to be a root CA,
+// or to be trusted in any truststore. It simply verifies that the chain provided, albeit
+// partial, makes sense.
+func verifyPartialChain(cert *x509.Certificate, parents []*x509.Certificate) error {
+	if len(parents) == 0 {
+		return fmt.Errorf("pkcs7: zero parents provided to verify the signature of certificate %q", cert.Subject.CommonName)
+	}
+	err := cert.CheckSignatureFrom(parents[0])
+	if err != nil {
+		return fmt.Errorf("pkcs7: certificate signature from parent is invalid: %v", err)
+	}
+	if len(parents) == 1 {
+		// there is no more parent to check, return
+		return nil
+	}
+	return verifyPartialChain(parents[0], parents[1:])
+}
+
+func cert2issuerAndSerial(cert *x509.Certificate) (issuerAndSerial, error) {
+	var ias issuerAndSerial
+	// The issuer RDNSequence has to match exactly the sequence in the certificate
+	// We cannot use cert.Issuer.ToRDNSequence() here since it mangles the sequence
+	ias.IssuerName = asn1.RawValue{FullBytes: cert.RawIssuer}
+	ias.SerialNumber = cert.SerialNumber
+
+	return ias, nil
+}
+
+// signs the DER encoded form of the attributes with the private key
+func signAttributes(attrs []attribute, pkey crypto.PrivateKey, digestAlg crypto.Hash) ([]byte, error) {
+	attrBytes, err := marshalAttributes(attrs)
+	if err != nil {
+		return nil, err
+	}
+	h := digestAlg.New()
+	h.Write(attrBytes)
+	hash := h.Sum(nil)
+
+	// dsa doesn't implement crypto.Signer so we make a special case
+	// https://github.com/golang/go/issues/27889
+	switch pkey := pkey.(type) {
+	case *dsa.PrivateKey:
+		r, s, err := dsa.Sign(rand.Reader, pkey, hash)
+		if err != nil {
+			return nil, err
+		}
+		return asn1.Marshal(dsaSignature{r, s})
+	}
+
+	key, ok := pkey.(crypto.Signer)
+	if !ok {
+		return nil, errors.New("pkcs7: private key does not implement crypto.Signer")
+	}
+	return key.Sign(rand.Reader, hash, digestAlg)
+}
+
+type dsaSignature struct {
+	R, S *big.Int
+}
+
+// concats and wraps the certificates in the RawValue structure
+func marshalCertificates(certs []*x509.Certificate) rawCertificates {
+	var buf bytes.Buffer
+	for _, cert := range certs {
+		buf.Write(cert.Raw)
+	}
+	rawCerts, _ := marshalCertificateBytes(buf.Bytes())
+	return rawCerts
+}
+
+// Even though, the tag & length are stripped out during marshalling the
+// RawContent, we have to encode it into the RawContent. If its missing,
+// then `asn1.Marshal()` will strip out the certificate wrapper instead.
+func marshalCertificateBytes(certs []byte) (rawCertificates, error) {
+	val := asn1.RawValue{Bytes: certs, Class: 2, Tag: 0, IsCompound: true}
+	b, err := asn1.Marshal(val)
+	if err != nil {
+		return rawCertificates{}, err
+	}
+	return rawCertificates{Raw: b}, nil
+}
+
+// DegenerateCertificate creates a signed data structure containing only the
+// provided certificate or certificate chain.
+func DegenerateCertificate(cert []byte) ([]byte, error) {
+	rawCert, err := marshalCertificateBytes(cert)
+	if err != nil {
+		return nil, err
+	}
+	emptyContent := contentInfo{ContentType: OIDData}
+	sd := signedData{
+		Version:      1,
+		ContentInfo:  emptyContent,
+		Certificates: rawCert,
+		CRLs:         []pkix.CertificateList{},
+	}
+	content, err := asn1.Marshal(sd)
+	if err != nil {
+		return nil, err
+	}
+	signedContent := contentInfo{
+		ContentType: OIDSignedData,
+		Content:     asn1.RawValue{Class: 2, Tag: 0, Bytes: content, IsCompound: true},
+	}
+	return asn1.Marshal(signedContent)
+}
diff --git a/ui/tests/acceptance/enterprise-replication-modes-test.js b/ui/tests/acceptance/enterprise-replication-modes-test.js
new file mode 100644
index 000000000000..3484f783de59
--- /dev/null
+++ b/ui/tests/acceptance/enterprise-replication-modes-test.js
@@ -0,0 +1,128 @@
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<PageHeader as |p|>
+  <p.top>
+    <nav class="breadcrumb">
+      <ul>
+        <li>
+          <span class="sep">&#x0002f;</span>
+          <LinkTo @route="vault.cluster.secrets.backend" @model={{this.backend.id}}>
+            ssh
+          </LinkTo>
+        </li>
+        <li class="is-active">
+          <span class="sep">&#x0002f;</span>
+          <LinkTo @route="vault.cluster.secrets.backend" @model={{this.backend.id}}>
+            sign
+          </LinkTo>
+        </li>
+        <li>
+          <span class="sep">&#x0002f;</span>
+          <LinkTo @route="vault.cluster.secrets.backend.show" @model={{this.model.role.name}}>
+            {{this.model.role.name}}
+          </LinkTo>
+        </li>
+      </ul>
+    </nav>
+  </p.top>
+  <p.levelLeft>
+    <h1 class="title is-3">
+      Sign SSH Key
+    </h1>
+  </p.levelLeft>
+</PageHeader>
+
+{{#if this.model.signedKey}}
+  <div class="box is-fullwidth is-sideless is-paddingless is-marginless">
+    <Hds::Alert @type="inline" @color="warning" class="has-top-margin-s has-bottom-margin-s" as |A|>
+      <A.Title>Warning</A.Title>
+      <A.Description>
+        You will not be able to access this information later, so please copy the information below.
+      </A.Description>
+    </Hds::Alert>
+    {{#each this.model.attrs as |attr|}}
+      {{#if (eq attr.type "object")}}
+        <InfoTableRow
+          @label={{capitalize (or attr.options.label (humanize (dasherize attr.name)))}}
+          @value={{stringify (get this.model attr.name)}}
+        />
+      {{else}}
+        <InfoTableRow
+          @label={{capitalize (or attr.options.label (humanize (dasherize attr.name)))}}
+          @value={{get this.model attr.name}}
+        />
+      {{/if}}
+    {{/each}}
+  </div>
+  <div class="field is-grouped box is-fullwidth is-bottomless">
+    <div class="control">
+      <Hds::Copy::Button @text="Copy key" @textToCopy={{this.model.signedKey}} class="primary" />
+    </div>
+    {{#if this.model.leaseId}}
+      <div class="control">
+        <Hds::Copy::Button @text="Copy lease ID" @textToCopy={{this.model.leaseId}} class="secondary" />
+      </div>
+    {{/if}}
+    <div class="control">
+      <Hds::Button
+        @text="Back"
+        @color="secondary"
+        {{on "click" (action "newModel")}}
+        data-test-secret-generate-back={{true}}
+      />
+    </div>
+  </div>
+{{else}}
+  <form {{action "sign" on="submit"}} data-test-secret-generate-form="true">
+    <div class="box is-sideless is-fullwidth is-marginless">
+      <MessageError @model={{this.model}} />
+      <NamespaceReminder @mode="sign" @noun="SSH key" />
+      {{#if this.model.attrs}}
+        {{#each (take 1 this.model.attrs) as |attr|}}
+          <FormFieldFromModel
+            @attr={{attr}}
+            @model={{this.model}}
+            @updateTtl={{action "updateTtl" attr.name}}
+            @emptyData={{this.emptyData}}
+            @codemirrorUpdated={{action "codemirrorUpdated" attr.name}}
+          />
+        {{/each}}
+        <ToggleButton @isOpen={{this.showOptions}} @onClick={{fn (mut this.showOptions)}} data-test-toggle-button />
+        {{#if this.showOptions}}
+          <div class="box is-marginless">
+            {{#each (drop 1 this.model.attrs) as |attr|}}
+              <FormFieldFromModel
+                @attr={{attr}}
+                @model={{this.model}}
+                @updateTtl={{action "updateTtl" attr.name}}
+                @emptyData={{this.emptyData}}
+                @codemirrorUpdated={{action "codemirrorUpdated" attr.name}}
+              />
+            {{/each}}
+          </div>
+        {{/if}}
+      {{/if}}
+    </div>
+    <div class="field is-grouped box is-fullwidth is-bottomless">
+      <Hds::ButtonSet>
+        <Hds::Button
+          @text="Sign"
+          @icon={{if this.loading "loading"}}
+          type="submit"
+          disabled={{this.loading}}
+          data-test-secret-generate
+        />
+        <Hds::Button
+          @text="Cancel"
+          @color="secondary"
+          @route="vault.cluster.secrets.backend.list-root"
+          @model={{this.backend.id}}
+          data-test-secret-generate-cancel
+        />
+      </Hds::ButtonSet>
+    </div>
+  </form>
+{{/if}}
\ No newline at end of file
diff --git a/ui/tests/acceptance/enterprise-replication-test.js b/ui/tests/acceptance/enterprise-replication-test.js
index ea70e3b97639..7a24b2f5bdb5 100644
--- a/ui/tests/acceptance/enterprise-replication-test.js
+++ b/ui/tests/acceptance/enterprise-replication-test.js
@@ -1,363 +1,50 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { clickTrigger } from 'ember-power-select/test-support/helpers';
-import { click, fillIn, findAll, currentURL, find, visit, settled, waitUntil } from '@ember/test-helpers';
-import { module, test } from 'qunit';
-import { setupApplicationTest } from 'ember-qunit';
-import authPage from 'vault/tests/pages/auth';
-import { pollCluster } from 'vault/tests/helpers/poll-cluster';
-import { create } from 'ember-cli-page-object';
-import flashMessage from 'vault/tests/pages/components/flash-message';
-import ss from 'vault/tests/pages/components/search-select';
-import { disableReplication } from 'vault/tests/helpers/replication';
-const searchSelect = create(ss);
-const flash = create(flashMessage);
-
-module('Acceptance | Enterprise | replication', function (hooks) {
-  setupApplicationTest(hooks);
-
-  hooks.beforeEach(async function () {
-    await authPage.login();
-    await settled();
-    await disableReplication('dr');
-    await settled();
-    await disableReplication('performance');
-    await settled();
-  });
-
-  hooks.afterEach(async function () {
-    await disableReplication('dr');
-    await settled();
-    await disableReplication('performance');
-    await settled();
-  });
-
-  test('replication', async function (assert) {
-    assert.expect(17);
-    const secondaryName = 'firstSecondary';
-    const mode = 'deny';
-
-    // confirm unable to visit dr secondary details page when both replications are disabled
-    await visit('/vault/replication-dr-promote/details');
-
-    assert.dom('[data-test-component="empty-state"]').exists();
-    assert
-      .dom('[data-test-empty-state-title]')
-      .includesText('Disaster Recovery secondary not set up', 'shows the correct title of the empty state');
-
-    assert
-      .dom('[data-test-empty-state-message]')
-      .hasText(
-        'This cluster has not been enabled as a Disaster Recovery Secondary. You can do so by enabling replication and adding a secondary from the Disaster Recovery Primary.',
-        'renders default message specific to when no replication is enabled'
-      );
-
-    await visit('/vault/replication');
-
-    assert.strictEqual(currentURL(), '/vault/replication');
-
-    // enable perf replication
-    await click('[data-test-replication-type-select="performance"]');
-
-    await fillIn('[data-test-replication-cluster-mode-select]', 'primary');
-
-    await click('[data-test-replication-enable]');
-
-    await pollCluster(this.owner);
-
-    // confirm that the details dashboard shows
-    assert.ok(await waitUntil(() => find('[data-test-replication-dashboard]')), 'details dashboard is shown');
-
-    // add a secondary with a mount filter config
-    await click('[data-test-replication-link="secondaries"]');
-
-    await click('[data-test-secondary-add]');
-
-    await fillIn('[data-test-replication-secondary-id]', secondaryName);
-
-    await click('#deny');
-    await clickTrigger();
-    const mountPath = searchSelect.options.objectAt(0).text;
-    await searchSelect.options.objectAt(0).click();
-    await click('[data-test-secondary-add]');
-
-    await pollCluster(this.owner);
-    // click into the added secondary's mount filter config
-    await click('[data-test-replication-link="secondaries"]');
-
-    await click('[data-test-popup-menu-trigger]');
-
-    await click('[data-test-replication-path-filter-link]');
-
-    assert.strictEqual(
-      currentURL(),
-      `/vault/replication/performance/secondaries/config/show/${secondaryName}`
-    );
-    assert.dom('[data-test-mount-config-mode]').includesText(mode, 'show page renders the correct mode');
-    assert
-      .dom('[data-test-mount-config-paths]')
-      .includesText(mountPath, 'show page renders the correct mount path');
-
-    // delete config by choosing "no filter" in the edit screen
-    await click('[data-test-replication-link="edit-mount-config"]');
-
-    await click('#no-filtering');
-
-    await click('[data-test-config-save]');
-    await settled(); // eslint-disable-line
-
-    assert.strictEqual(
-      flash.latestMessage,
-      `The performance mount filter config for the secondary ${secondaryName} was successfully deleted.`,
-      'renders success flash upon deletion'
-    );
-    assert.strictEqual(
-      currentURL(),
-      `/vault/replication/performance/secondaries`,
-      'redirects to the secondaries page'
-    );
-    // nav back to details page and confirm secondary is in the known secondaries table
-    await click('[data-test-replication-link="details"]');
-
-    assert
-      .dom(`[data-test-secondaries=row-for-${secondaryName}]`)
-      .exists('shows a table row the recently added secondary');
-
-    // nav to DR
-    await visit('/vault/replication/dr');
-
-    await fillIn('[data-test-replication-cluster-mode-select]', 'secondary');
-    assert
-      .dom('[data-test-replication-enable]')
-      .isDisabled('dr secondary enable is disabled when other replication modes are on');
-
-    // disable performance replication
-    await disableReplication('performance', assert);
-    await settled();
-    await pollCluster(this.owner);
-
-    // enable dr replication
-    await visit('vault/replication/dr');
-
-    await fillIn('[data-test-replication-cluster-mode-select]', 'primary');
-    await click('button[type="submit"]');
-
-    await pollCluster(this.owner);
-    await waitUntil(() => find('[data-test-empty-state-title]'));
-    // empty state inside of know secondaries table
-    assert
-      .dom('[data-test-empty-state-title]')
-      .includesText(
-        'No known dr secondary clusters associated with this cluster',
-        'shows the correct title of the empty state'
-      );
-
-    assert.ok(
-      find('[data-test-replication-title]').textContent.includes('Disaster Recovery'),
-      'it displays the replication type correctly'
-    );
-    assert.ok(
-      find('[data-test-replication-mode-display]').textContent.includes('primary'),
-      'it displays the cluster mode correctly'
-    );
-
-    // add dr secondary
-    await click('[data-test-replication-link="secondaries"]');
-
-    await click('[data-test-secondary-add]');
-
-    await fillIn('[data-test-replication-secondary-id]', secondaryName);
-
-    await click('[data-test-secondary-add]');
-
-    await pollCluster(this.owner);
-    await click('[data-test-replication-link="secondaries"]');
-
-    assert
-      .dom('[data-test-secondary-name]')
-      .includesText(secondaryName, 'it displays the secondary in the list of known secondaries');
-  });
-
-  test('disabling dr primary when perf replication is enabled', async function (assert) {
-    await visit('vault/replication/performance');
-
-    // enable perf replication
-    await fillIn('[data-test-replication-cluster-mode-select]', 'primary');
-    await click('[data-test-replication-enable]');
-
-    await pollCluster(this.owner);
-
-    // enable dr replication
-    await visit('/vault/replication/dr');
-
-    await fillIn('[data-test-replication-cluster-mode-select]', 'primary');
-
-    await click('[data-test-replication-enable]');
-
-    await pollCluster(this.owner);
-    await visit('/vault/replication/dr/manage');
-
-    await click('[data-test-demote-replication] [data-test-replication-action-trigger]');
-
-    assert.ok(findAll('[data-test-demote-warning]').length, 'displays the demotion warning');
-  });
-
-  test('navigating to dr secondary details page when dr secondary is not enabled', async function (assert) {
-    // enable dr replication
-
-    await visit('/vault/replication/dr');
-
-    await fillIn('[data-test-replication-cluster-mode-select]', 'primary');
-    await click('[data-test-replication-enable]');
-    await settled(); // eslint-disable-line
-    await pollCluster(this.owner);
-    await visit('/vault/replication-dr-promote/details');
-
-    assert.dom('[data-test-component="empty-state"]').exists();
-    assert
-      .dom('[data-test-empty-state-message]')
-      .hasText(
-        'This Disaster Recovery secondary has not been enabled. You can do so from the Disaster Recovery Primary.',
-        'renders message when replication is enabled'
-      );
-  });
-
-  test('add secondary and navigate through token generation modal', async function (assert) {
-    const secondaryNameFirst = 'firstSecondary';
-    const secondaryNameSecond = 'secondSecondary';
-    await visit('/vault/replication');
-
-    // enable perf replication
-    await click('[data-test-replication-type-select="performance"]');
-
-    await fillIn('[data-test-replication-cluster-mode-select]', 'primary');
-    await click('[data-test-replication-enable]');
-
-    await pollCluster(this.owner);
-    await settled();
-
-    // add a secondary with default TTL
-    await click('[data-test-replication-link="secondaries"]');
-
-    await click('[data-test-secondary-add]');
-
-    await fillIn('[data-test-replication-secondary-id]', secondaryNameFirst);
-    await click('[data-test-secondary-add]');
-
-    await pollCluster(this.owner);
-    await settled();
-    const modalDefaultTtl = document.querySelector('[data-test-row-value="TTL"]').innerText;
-
-    // checks on secondary token modal
-    assert.dom('#replication-copy-token-modal').exists();
-    assert.dom('[data-test-inline-error-message]').hasText('Copy token to dismiss modal');
-    assert.strictEqual(modalDefaultTtl, '1800s', 'shows the correct TTL of 1800s');
-    // click off the modal to make sure you don't just have to click on the copy-close button to copy the token
-    assert.dom('[data-test-modal-close]').isDisabled('cancel is disabled');
-    await click('[data-test-modal-copy]');
-    assert.dom('[data-test-modal-close]').isEnabled('cancel is enabled after token is copied');
-    await click('[data-test-modal-close]');
-
-    // add another secondary not using the default ttl
-    await click('[data-test-secondary-add]');
-
-    await fillIn('[data-test-replication-secondary-id]', secondaryNameSecond);
-    await click('[data-test-toggle-input]');
-
-    await fillIn('[data-test-ttl-value]', 3);
-    await click('[data-test-secondary-add]');
-
-    await pollCluster(this.owner);
-    await settled();
-    const modalTtl = document.querySelector('[data-test-row-value="TTL"]').innerText;
-    assert.strictEqual(modalTtl, '180s', 'shows the correct TTL of 180s');
-    await click('[data-test-modal-copy]');
-    await click('[data-test-modal-close]');
-
-    // confirm you were redirected to the secondaries page
-    assert.strictEqual(
-      currentURL(),
-      `/vault/replication/performance/secondaries`,
-      'redirects to the secondaries page'
-    );
-    assert
-      .dom('[data-test-secondary-name]')
-      .includesText(secondaryNameFirst, 'it displays the secondary in the list of secondaries');
-  });
-
-  test('render performance and dr primary and navigate to details page', async function (assert) {
-    // enable perf primary replication
-    await visit('/vault/replication');
-    await click('[data-test-replication-type-select="performance"]');
-
-    await fillIn('[data-test-replication-cluster-mode-select]', 'primary');
-    await click('[data-test-replication-enable]');
-
-    await pollCluster(this.owner);
-    await settled();
-
-    await visit('/vault/replication');
-
-    assert
-      .dom(`[data-test-replication-summary-card]`)
-      .doesNotExist(`does not render replication summary card when both modes are not enabled as primary`);
-
-    // enable DR primary replication
-    await click('[data-test-replication-promote-secondary]');
-    await click('[data-test-replication-enable]');
-
-    await pollCluster(this.owner);
-    await settled();
-
-    // navigate using breadcrumbs back to replication.index
-    await click('[data-test-replication-breadcrumb]');
-
-    assert
-      .dom('[data-test-replication-summary-card]')
-      .exists({ count: 2 }, 'renders two replication-summary-card components');
-
-    // navigate to details page using the "Details" link
-    await click('[data-test-manage-link="Disaster Recovery"]');
-
-    assert
-      .dom('[data-test-selectable-card-container="primary"]')
-      .exists('shows the correct card on the details dashboard');
-    assert.strictEqual(currentURL(), '/vault/replication/dr');
-  });
-
-  test('render performance secondary and navigate to the details page', async function (assert) {
-    // enable perf replication
-    await visit('/vault/replication');
-
-    await click('[data-test-replication-type-select="performance"]');
-
-    await fillIn('[data-test-replication-cluster-mode-select]', 'primary');
-    await click('[data-test-replication-enable]');
-
-    await pollCluster(this.owner);
-    await settled();
-
-    // demote perf primary to a secondary
-    await click('[data-test-replication-link="manage"]');
-
-    // open demote modal
-    await click('[data-test-demote-replication] [data-test-replication-action-trigger]');
-
-    // enter confirmation text
-    await fillIn('[data-test-confirmation-modal-input="Demote to secondary?"]', 'Performance');
-    // Click confirm button
-    await click('[data-test-confirm-button="Demote to secondary?"]');
-
-    await click('[data-test-replication-link="details"]');
-
-    assert.dom('[data-test-replication-dashboard]').exists();
-    assert.dom('[data-test-selectable-card-container="secondary"]').exists();
-    assert.ok(
-      find('[data-test-replication-mode-display]').textContent.includes('secondary'),
-      'it displays the cluster mode correctly'
-    );
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package cluster
+
+import (
+	"io"
+	"net"
+	"time"
+
+	uberAtomic "go.uber.org/atomic"
+)
+
+type delayedConn struct {
+	net.Conn
+	dr *delayedReader
+}
+
+func newDelayedConn(conn net.Conn, delay time.Duration) net.Conn {
+	dr := &delayedReader{
+		r:     conn,
+		delay: uberAtomic.NewDuration(delay),
+	}
+	return &delayedConn{
+		dr:   dr,
+		Conn: conn,
+	}
+}
+
+func (conn *delayedConn) Read(data []byte) (int, error) {
+	return conn.dr.Read(data)
+}
+
+func (conn *delayedConn) SetDelay(delay time.Duration) {
+	conn.dr.delay.Store(delay)
+}
+
+type delayedReader struct {
+	r     io.Reader
+	delay *uberAtomic.Duration
+}
+
+func (dr *delayedReader) Read(data []byte) (int, error) {
+	// Sleep for the delay period prior to reading
+	if delay := dr.delay.Load(); delay != 0 {
+		time.Sleep(delay)
+	}
+
+	return dr.r.Read(data)
+}
diff --git a/ui/tests/acceptance/enterprise-replication-unsupported-test.js b/ui/tests/acceptance/enterprise-replication-unsupported-test.js
index cfcb2a73c273..adcfac4e1c44 100644
--- a/ui/tests/acceptance/enterprise-replication-unsupported-test.js
+++ b/ui/tests/acceptance/enterprise-replication-unsupported-test.js
@@ -1,33 +1,538 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupApplicationTest } from 'ember-qunit';
-import { setupMirage } from 'ember-cli-mirage/test-support';
-import authPage from 'vault/tests/pages/auth';
-import { visit } from '@ember/test-helpers';
-
-module('Acceptance | Enterprise | replication unsupported', function (hooks) {
-  setupApplicationTest(hooks);
-  setupMirage(hooks);
-
-  hooks.beforeEach(async function () {
-    this.server.get('/sys/replication/status', function () {
-      return {
-        data: {
-          mode: 'unsupported',
-        },
-      };
-    });
-    return authPage.login();
-  });
-
-  test('replication page when unsupported', async function (assert) {
-    await visit('/vault/replication');
-    assert
-      .dom('[data-test-replication-title]')
-      .hasText('Replication unsupported', 'it shows the unsupported view');
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package raft
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"math"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/golang/protobuf/proto"
+	bolt "github.com/hashicorp-forge/bbolt"
+	log "github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/vault/sdk/plugin/pb"
+	"github.com/rboyer/safeio"
+	"go.uber.org/atomic"
+
+	"github.com/hashicorp/raft"
+)
+
+const (
+	// boltSnapshotID is the stable ID for any boltDB snapshot. Keeping the ID
+	// stable means there is only ever one bolt snapshot in the system
+	boltSnapshotID = "bolt-snapshot"
+	tmpSuffix      = ".tmp"
+	snapPath       = "snapshots"
+)
+
+// BoltSnapshotStore implements the SnapshotStore interface and allows snapshots
+// to be stored in BoltDB files on local disk. Since we always have an up to
+// date FSM we use a special snapshot ID to indicate that the snapshot can be
+// pulled from the BoltDB file that is currently backing the FSM. This allows us
+// to provide just-in-time snapshots without doing incremental data dumps.
+//
+// When a snapshot is being installed on the node we will Create and Write data
+// to it. This will cause the snapshot store to create a new BoltDB file and
+// write the snapshot data to it. Then, we can simply rename the snapshot to the
+// FSM's filename. This allows us to atomically install the snapshot and
+// reduces the amount of disk i/o. Older snapshots are reaped on startup and
+// before each subsequent snapshot write. This ensures we only have one snapshot
+// on disk at a time.
+type BoltSnapshotStore struct {
+	// path is the directory in which to store file based snapshots
+	path string
+
+	// We hold a copy of the FSM so we can stream snapshots straight out of the
+	// database.
+	fsm *FSM
+
+	logger log.Logger
+}
+
+// BoltSnapshotSink implements SnapshotSink optionally choosing to write to a
+// file.
+type BoltSnapshotSink struct {
+	store  *BoltSnapshotStore
+	logger log.Logger
+	meta   raft.SnapshotMeta
+	trans  raft.Transport
+
+	// These fields will be used if we are writing a snapshot (vs. reading
+	// one)
+	written       atomic.Bool
+	writer        io.WriteCloser
+	writeError    error
+	dir           string
+	parentDir     string
+	doneWritingCh chan struct{}
+
+	l      sync.Mutex
+	closed bool
+}
+
+// NewBoltSnapshotStore creates a new BoltSnapshotStore based
+// on a base directory.
+func NewBoltSnapshotStore(base string, logger log.Logger, fsm *FSM) (*BoltSnapshotStore, error) {
+	if logger == nil {
+		return nil, fmt.Errorf("no logger provided")
+	}
+
+	// Ensure our path exists
+	path := filepath.Join(base, snapPath)
+	if err := os.MkdirAll(path, 0o700); err != nil && !os.IsExist(err) {
+		return nil, fmt.Errorf("snapshot path not accessible: %v", err)
+	}
+
+	// Setup the store
+	store := &BoltSnapshotStore{
+		logger: logger,
+		fsm:    fsm,
+		path:   path,
+	}
+
+	// Cleanup any old or failed snapshots on startup.
+	if err := store.ReapSnapshots(); err != nil {
+		return nil, err
+	}
+
+	return store, nil
+}
+
+// Create is used to start a new snapshot
+func (f *BoltSnapshotStore) Create(version raft.SnapshotVersion, index, term uint64, configuration raft.Configuration, configurationIndex uint64, trans raft.Transport) (raft.SnapshotSink, error) {
+	// We only support version 1 snapshots at this time.
+	if version != 1 {
+		return nil, fmt.Errorf("unsupported snapshot version %d", version)
+	}
+
+	// Create the sink
+	sink := &BoltSnapshotSink{
+		store:  f,
+		logger: f.logger,
+		meta: raft.SnapshotMeta{
+			Version:            version,
+			ID:                 boltSnapshotID,
+			Index:              index,
+			Term:               term,
+			Configuration:      configuration,
+			ConfigurationIndex: configurationIndex,
+		},
+		trans: trans,
+	}
+
+	return sink, nil
+}
+
+// List returns available snapshots in the store. It only returns bolt
+// snapshots. No snapshot will be returned if there are no indexes in the
+// FSM.
+func (f *BoltSnapshotStore) List() ([]*raft.SnapshotMeta, error) {
+	meta, err := f.getMetaFromFSM()
+	if err != nil {
+		return nil, err
+	}
+
+	// If we haven't seen any data yet do not return a snapshot
+	if meta.Index == 0 {
+		return nil, nil
+	}
+
+	return []*raft.SnapshotMeta{meta}, nil
+}
+
+// getBoltSnapshotMeta returns the fsm's latest state and configuration.
+func (f *BoltSnapshotStore) getMetaFromFSM() (*raft.SnapshotMeta, error) {
+	latestIndex, latestConfig := f.fsm.LatestState()
+	meta := &raft.SnapshotMeta{
+		Version: 1,
+		ID:      boltSnapshotID,
+		Index:   latestIndex.Index,
+		Term:    latestIndex.Term,
+	}
+
+	if latestConfig != nil {
+		meta.ConfigurationIndex, meta.Configuration = protoConfigurationToRaftConfiguration(latestConfig)
+	}
+
+	return meta, nil
+}
+
+// Open takes a snapshot ID and returns a ReadCloser for that snapshot.
+func (f *BoltSnapshotStore) Open(id string) (*raft.SnapshotMeta, io.ReadCloser, error) {
+	if id == boltSnapshotID {
+		return f.openFromFSM()
+	}
+
+	return f.openFromFile(id)
+}
+
+func (f *BoltSnapshotStore) openFromFSM() (*raft.SnapshotMeta, io.ReadCloser, error) {
+	meta, err := f.getMetaFromFSM()
+	if err != nil {
+		return nil, nil, err
+	}
+	// If we don't have any data return an error
+	if meta.Index == 0 {
+		return nil, nil, errors.New("no snapshot data")
+	}
+
+	// Stream data out of the FSM to calculate the size
+	readCloser, writeCloser := io.Pipe()
+	metaReadCloser, metaWriteCloser := io.Pipe()
+	go func() {
+		f.fsm.writeTo(context.Background(), metaWriteCloser, writeCloser)
+	}()
+
+	// Compute the size
+	n, err := io.Copy(ioutil.Discard, metaReadCloser)
+	if err != nil {
+		f.logger.Error("failed to read state file", "error", err)
+		metaReadCloser.Close()
+		readCloser.Close()
+		return nil, nil, err
+	}
+
+	meta.Size = n
+	metaReadCloser.Close()
+
+	return meta, readCloser, nil
+}
+
+func (f *BoltSnapshotStore) getMetaFromDB(id string) (*raft.SnapshotMeta, error) {
+	if len(id) == 0 {
+		return nil, errors.New("can not open empty snapshot ID")
+	}
+
+	filename := filepath.Join(f.path, id, databaseFilename)
+	boltDB, err := bolt.Open(filename, 0o600, &bolt.Options{Timeout: 1 * time.Second})
+	if err != nil {
+		return nil, err
+	}
+	defer boltDB.Close()
+
+	meta := &raft.SnapshotMeta{
+		Version: 1,
+		ID:      id,
+	}
+
+	err = boltDB.View(func(tx *bolt.Tx) error {
+		b := tx.Bucket(configBucketName)
+		val := b.Get(latestIndexKey)
+		if val != nil {
+			var snapshotIndexes IndexValue
+			err := proto.Unmarshal(val, &snapshotIndexes)
+			if err != nil {
+				return err
+			}
+
+			meta.Index = snapshotIndexes.Index
+			meta.Term = snapshotIndexes.Term
+		}
+
+		// Read in our latest config and populate it inmemory
+		val = b.Get(latestConfigKey)
+		if val != nil {
+			var config ConfigurationValue
+			err := proto.Unmarshal(val, &config)
+			if err != nil {
+				return err
+			}
+
+			meta.ConfigurationIndex, meta.Configuration = protoConfigurationToRaftConfiguration(&config)
+		}
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return meta, nil
+}
+
+func (f *BoltSnapshotStore) openFromFile(id string) (*raft.SnapshotMeta, io.ReadCloser, error) {
+	meta, err := f.getMetaFromDB(id)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	filename := filepath.Join(f.path, id, databaseFilename)
+	installer := &boltSnapshotInstaller{
+		meta:       meta,
+		ReadCloser: ioutil.NopCloser(strings.NewReader(filename)),
+		filename:   filename,
+	}
+
+	return meta, installer, nil
+}
+
+// ReapSnapshots reaps all snapshots.
+func (f *BoltSnapshotStore) ReapSnapshots() error {
+	snapshots, err := ioutil.ReadDir(f.path)
+	switch {
+	case err == nil:
+	case os.IsNotExist(err):
+		return nil
+	default:
+		f.logger.Error("failed to scan snapshot directory", "error", err)
+		return err
+	}
+
+	for _, snap := range snapshots {
+		// Ignore any files
+		if !snap.IsDir() {
+			continue
+		}
+
+		// Warn about temporary snapshots, this indicates a previously failed
+		// snapshot attempt. We still want to clean these up.
+		dirName := snap.Name()
+		if strings.HasSuffix(dirName, tmpSuffix) {
+			f.logger.Warn("found temporary snapshot", "name", dirName)
+		}
+
+		path := filepath.Join(f.path, dirName)
+		f.logger.Info("reaping snapshot", "path", path)
+		if err := os.RemoveAll(path); err != nil {
+			f.logger.Error("failed to reap snapshot", "path", snap.Name(), "error", err)
+			return err
+		}
+	}
+
+	return nil
+}
+
+// ID returns the ID of the snapshot, can be used with Open()
+// after the snapshot is finalized.
+func (s *BoltSnapshotSink) ID() string {
+	s.l.Lock()
+	defer s.l.Unlock()
+
+	return s.meta.ID
+}
+
+func (s *BoltSnapshotSink) writeBoltDBFile() error {
+	// Create a new path
+	name := snapshotName(s.meta.Term, s.meta.Index)
+	path := filepath.Join(s.store.path, name+tmpSuffix)
+	s.logger.Info("creating new snapshot", "path", path)
+
+	// Make the directory
+	if err := os.MkdirAll(path, 0o700); err != nil {
+		s.logger.Error("failed to make snapshot directory", "error", err)
+		return err
+	}
+
+	// Create the BoltDB file
+	dbPath := filepath.Join(path, databaseFilename)
+	boltDB, err := bolt.Open(dbPath, 0o600, &bolt.Options{Timeout: 1 * time.Second})
+	if err != nil {
+		return err
+	}
+
+	// Write the snapshot metadata
+	if err := writeSnapshotMetaToDB(&s.meta, boltDB); err != nil {
+		return err
+	}
+
+	// Set the snapshot ID to the generated name.
+	s.meta.ID = name
+
+	// Create the done channel
+	s.doneWritingCh = make(chan struct{})
+
+	// Store the directories so we can commit the changes on success or abort
+	// them on failure.
+	s.dir = path
+	s.parentDir = s.store.path
+
+	// Create a pipe so we pipe writes into the go routine below.
+	reader, writer := io.Pipe()
+	s.writer = writer
+
+	// Start a go routine in charge of piping data from the snapshot's Write
+	// call to the delimtedreader and the BoltDB file.
+	go func() {
+		defer close(s.doneWritingCh)
+		defer boltDB.Close()
+
+		// The delimted reader will parse full proto messages from the snapshot
+		// data.
+		protoReader := NewDelimitedReader(reader, math.MaxInt32)
+		defer protoReader.Close()
+
+		var done bool
+		var keys int
+		entry := new(pb.StorageEntry)
+		for !done {
+			err := boltDB.Update(func(tx *bolt.Tx) error {
+				b, err := tx.CreateBucketIfNotExists(dataBucketName)
+				if err != nil {
+					return err
+				}
+
+				// Commit in batches of 50k. Bolt holds all the data in memory and
+				// doesn't split the pages until commit so we do incremental writes.
+				for i := 0; i < 50000; i++ {
+					err := protoReader.ReadMsg(entry)
+					if err != nil {
+						if err == io.EOF {
+							done = true
+							return nil
+						}
+						return err
+					}
+
+					err = b.Put([]byte(entry.Key), entry.Value)
+					if err != nil {
+						return err
+					}
+					keys += 1
+				}
+
+				return nil
+			})
+			if err != nil {
+				s.logger.Error("snapshot write: failed to write transaction", "error", err)
+				s.writeError = err
+				return
+			}
+
+			s.logger.Trace("snapshot write: writing keys", "num_written", keys)
+		}
+	}()
+
+	return nil
+}
+
+// Write is used to append to the bolt file. The first call to write ensures we
+// have the file created.
+func (s *BoltSnapshotSink) Write(b []byte) (int, error) {
+	s.l.Lock()
+	defer s.l.Unlock()
+
+	// If this is the first call to Write we need to setup the boltDB file and
+	// kickoff the pipeline write
+	if previouslyWritten := s.written.Swap(true); !previouslyWritten {
+		// Reap any old snapshots
+		if err := s.store.ReapSnapshots(); err != nil {
+			return 0, err
+		}
+
+		if err := s.writeBoltDBFile(); err != nil {
+			return 0, err
+		}
+	}
+
+	return s.writer.Write(b)
+}
+
+// Close is used to indicate a successful end.
+func (s *BoltSnapshotSink) Close() error {
+	s.l.Lock()
+	defer s.l.Unlock()
+
+	// Make sure close is idempotent
+	if s.closed {
+		return nil
+	}
+	s.closed = true
+
+	if s.writer != nil {
+		s.writer.Close()
+		<-s.doneWritingCh
+
+		if s.writeError != nil {
+			// If we encountered an error while writing then we should remove
+			// the directory and return the error
+			_ = os.RemoveAll(s.dir)
+			return s.writeError
+		}
+
+		// Move the directory into place
+		newPath := strings.TrimSuffix(s.dir, tmpSuffix)
+
+		var err error
+		if runtime.GOOS != "windows" {
+			err = safeio.Rename(s.dir, newPath)
+		} else {
+			err = os.Rename(s.dir, newPath)
+		}
+
+		if err != nil {
+			s.logger.Error("failed to move snapshot into place", "error", err)
+			return err
+		}
+	}
+
+	return nil
+}
+
+// Cancel is used to indicate an unsuccessful end.
+func (s *BoltSnapshotSink) Cancel() error {
+	s.l.Lock()
+	defer s.l.Unlock()
+
+	// Make sure close is idempotent
+	if s.closed {
+		return nil
+	}
+	s.closed = true
+
+	if s.writer != nil {
+		s.writer.Close()
+		<-s.doneWritingCh
+
+		// Attempt to remove all artifacts
+		return os.RemoveAll(s.dir)
+	}
+
+	return nil
+}
+
+type boltSnapshotInstaller struct {
+	io.ReadCloser
+	meta     *raft.SnapshotMeta
+	filename string
+}
+
+func (i *boltSnapshotInstaller) Filename() string {
+	return i.filename
+}
+
+func (i *boltSnapshotInstaller) Metadata() *raft.SnapshotMeta {
+	return i.meta
+}
+
+func (i *boltSnapshotInstaller) Install(filename string) error {
+	if len(i.filename) == 0 {
+		return errors.New("snapshot filename empty")
+	}
+
+	if len(filename) == 0 {
+		return errors.New("fsm filename empty")
+	}
+
+	// Rename the snapshot to the FSM location
+	if runtime.GOOS != "windows" {
+		return safeio.Rename(i.filename, filename)
+	} else {
+		return os.Rename(i.filename, filename)
+	}
+}
+
+// snapshotName generates a name for the snapshot.
+func snapshotName(term, index uint64) string {
+	now := time.Now()
+	msec := now.UnixNano() / int64(time.Millisecond)
+	return fmt.Sprintf("%d-%d-%d", term, index, msec)
+}
diff --git a/ui/tests/acceptance/enterprise-sidebar-nav-test.js b/ui/tests/acceptance/enterprise-sidebar-nav-test.js
index 1414e3d1fdc3..82ddef0c9e93 100644
--- a/ui/tests/acceptance/enterprise-sidebar-nav-test.js
+++ b/ui/tests/acceptance/enterprise-sidebar-nav-test.js
@@ -4,67 +4,34 @@
  */
 
 import { module, test } from 'qunit';
-import { setupApplicationTest } from 'ember-qunit';
-import { click, currentURL, fillIn } from '@ember/test-helpers';
-import { setupMirage } from 'ember-cli-mirage/test-support';
-import authPage from 'vault/tests/pages/auth';
-
-const link = (label) => `[data-test-sidebar-nav-link="${label}"]`;
-const panel = (label) => `[data-test-sidebar-nav-panel="${label}"]`;
-
-module('Acceptance | Enterprise | sidebar navigation', function (hooks) {
-  setupApplicationTest(hooks);
-  setupMirage(hooks);
-
-  hooks.beforeEach(function () {
-    return authPage.login();
-  });
-
-  // common links are tested in the sidebar-nav test and will not be covered here
-  test('it should render enterprise only navigation links', async function (assert) {
-    assert.dom(panel('Cluster')).exists('Cluster nav panel renders');
-
-    await click(link('Secrets Sync'));
-    assert.strictEqual(currentURL(), '/vault/sync/secrets/overview', 'Sync route renders');
-
-    await click(link('Replication'));
-    assert.strictEqual(currentURL(), '/vault/replication', 'Replication route renders');
-    await click('[data-test-replication-enable]');
-
-    await click(link('Performance'));
-    assert.strictEqual(
-      currentURL(),
-      '/vault/replication/performance',
-      'Replication performance route renders'
-    );
-
-    await click(link('Disaster Recovery'));
-    assert.strictEqual(currentURL(), '/vault/replication/dr', 'Replication dr route renders');
-    // disable replication now that we have checked the links
-    await click('[data-test-replication-link="manage"]');
-    await click('[data-test-replication-action-trigger]');
-    await fillIn('[data-test-confirmation-modal-input="Disable Replication?"]', 'Disaster Recovery');
-    await click('[data-test-confirm-button="Disable Replication?"]');
-
-    await click(link('Client Count'));
-    assert.strictEqual(currentURL(), '/vault/clients/dashboard', 'Client counts route renders');
-
-    await click(link('License'));
-    assert.strictEqual(currentURL(), '/vault/license', 'License route renders');
-
-    await click(link('Access'));
-    await click(link('Control Groups'));
-    assert.strictEqual(currentURL(), '/vault/access/control-groups', 'Control groups route renders');
-
-    await click(link('Namespaces'));
-    assert.strictEqual(currentURL(), '/vault/access/namespaces?page=1', 'Replication route renders');
-
-    await click(link('Back to main navigation'));
-    await click(link('Policies'));
-    await click(link('Role-Governing Policies'));
-    assert.strictEqual(currentURL(), '/vault/policies/rgp', 'Role-Governing Policies route renders');
-
-    await click(link('Endpoint Governing Policies'));
-    assert.strictEqual(currentURL(), '/vault/policies/egp', 'Endpoint Governing Policies route renders');
+import { setupRenderingTest } from 'ember-qunit';
+import { render } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+
+module('Integration | Component | splash-page', function (hooks) {
+  setupRenderingTest(hooks);
+
+  test('it should render', async function (assert) {
+    assert.expect(4);
+    await render(hbs`<SplashPage>
+    <:header>
+      Header here
+    </:header>
+    <:subHeader>
+      sub header
+    </:subHeader>
+    <:content>
+      content
+    </:content>
+    <:footer>
+      <div data-test-footer>footer</div>
+    </:footer>
+
+    </SplashPage>
+      `);
+    assert.dom('[data-test-splash-page-header]').includesText('Header here', 'Header renders');
+    assert.dom('[data-test-splash-page-sub-header]').includesText('sub header', 'SubHeader renders');
+    assert.dom('[data-test-splash-page-content]').includesText('content', 'Content renders');
+    assert.dom('[data-test-footer]').includesText('footer', 'Footer renders');
   });
 });
diff --git a/ui/tests/acceptance/pki/pki-cross-sign-test.js b/ui/tests/acceptance/pki/pki-cross-sign-test.js
index 6403cc0bcb32..187687ac4071 100644
--- a/ui/tests/acceptance/pki/pki-cross-sign-test.js
+++ b/ui/tests/acceptance/pki/pki-cross-sign-test.js
@@ -1,109 +1,21 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { visit, click, fillIn, find } from '@ember/test-helpers';
-import { setupApplicationTest } from 'vault/tests/helpers';
-import { v4 as uuidv4 } from 'uuid';
-
-import authPage from 'vault/tests/pages/auth';
-import enablePage from 'vault/tests/pages/settings/mount-secret-backend';
-import { runCommands } from 'vault/tests/helpers/pki/pki-run-commands';
-import { SELECTORS } from 'vault/tests/helpers/pki/pki-issuer-cross-sign';
-import { verifyCertificates } from 'vault/utils/parse-pki-cert';
-module('Acceptance | pki/pki cross sign', function (hooks) {
-  setupApplicationTest(hooks);
-
-  hooks.beforeEach(async function () {
-    await authPage.login();
-    this.parentMountPath = `parent-mount-${uuidv4()}`;
-    this.oldParentIssuerName = 'old-parent-issuer'; // old parent issuer we're transferring from
-    this.parentIssuerName = 'new-parent-issuer'; // issuer where cross-signing action will begin
-    this.intMountPath = `intermediate-mount-${uuidv4()}`; // first input box in cross-signing page
-    this.intIssuerName = 'my-intermediate-issuer'; // second input box in cross-signing page
-    this.newlySignedIssuer = 'my-newly-signed-int'; // third input
-    await enablePage.enable('pki', this.parentMountPath);
-    await enablePage.enable('pki', this.intMountPath);
-
-    await runCommands([
-      `write "${this.parentMountPath}/root/generate/internal" common_name="Long-Lived Root X1" ttl=8960h issuer_name="${this.oldParentIssuerName}"`,
-      `write "${this.parentMountPath}/root/generate/internal" common_name="Long-Lived Root X2" ttl=8960h issuer_name="${this.parentIssuerName}"`,
-      `write "${this.parentMountPath}/config/issuers" default="${this.parentIssuerName}"`,
-    ]);
-  });
-
-  hooks.afterEach(async function () {
-    // Cleanup engine
-    await runCommands([`delete sys/mounts/${this.intMountPath}`]);
-    await runCommands([`delete sys/mounts/${this.parentMountPath}`]);
-  });
-
-  test('it cross-signs an issuer', async function (assert) {
-    // configure parent and intermediate mounts to make them cross-signable
-    await visit(`/vault/secrets/${this.intMountPath}/pki/configuration/create`);
-    await click(SELECTORS.configure.optionByKey('generate-csr'));
-    await fillIn(SELECTORS.inputByName('type'), 'internal');
-    await fillIn(SELECTORS.inputByName('commonName'), 'Short-Lived Int R1');
-    await click('[data-test-save]');
-    const csr = find(SELECTORS.copyButton('CSR')).getAttribute('data-clipboard-text');
-    await visit(`vault/secrets/${this.parentMountPath}/pki/issuers/${this.oldParentIssuerName}/sign`);
-    await fillIn(SELECTORS.inputByName('csr'), csr);
-    await fillIn(SELECTORS.inputByName('format'), 'pem_bundle');
-    await click('[data-test-pki-sign-intermediate-save]');
-    const pemBundle = find(SELECTORS.copyButton('CA Chain'))
-      .getAttribute('data-clipboard-text')
-      .replace(/,/, '\n');
-    await visit(`vault/secrets/${this.intMountPath}/pki/configuration/create`);
-    await click(SELECTORS.configure.optionByKey('import'));
-    await click('[data-test-text-toggle]');
-    await fillIn('[data-test-text-file-textarea]', pemBundle);
-    await click(SELECTORS.configure.importSubmit);
-    await visit(`vault/secrets/${this.intMountPath}/pki/issuers`);
-    await click('[data-test-is-default]');
-    // name default issuer of intermediate
-    const oldIntIssuerId = find(SELECTORS.rowValue('Issuer ID')).innerText;
-    const oldIntCert = find(SELECTORS.copyButton('Certificate')).getAttribute('data-clipboard-text');
-    await click(SELECTORS.details.configure);
-    await fillIn(SELECTORS.inputByName('issuerName'), this.intIssuerName);
-    await click('[data-test-save]');
-
-    // perform cross-sign
-    await visit(`vault/secrets/${this.parentMountPath}/pki/issuers/${this.parentIssuerName}/cross-sign`);
-    await fillIn(SELECTORS.objectListInput('intermediateMount'), this.intMountPath);
-    await fillIn(SELECTORS.objectListInput('intermediateIssuer'), this.intIssuerName);
-    await fillIn(SELECTORS.objectListInput('newCrossSignedIssuer'), this.newlySignedIssuer);
-    await click(SELECTORS.submitButton);
-    assert
-      .dom(`${SELECTORS.signedIssuerCol('intermediateMount')} a`)
-      .hasAttribute('href', `/ui/vault/secrets/${this.intMountPath}/pki/overview`);
-    assert
-      .dom(`${SELECTORS.signedIssuerCol('intermediateIssuer')} a`)
-      .hasAttribute('href', `/ui/vault/secrets/${this.intMountPath}/pki/issuers/${oldIntIssuerId}/details`);
-
-    // get certificate data of newly signed issuer
-    await click(`${SELECTORS.signedIssuerCol('newCrossSignedIssuer')} a`);
-    const newIntCert = find(SELECTORS.copyButton('Certificate')).getAttribute('data-clipboard-text');
-
-    // verify cross-sign was accurate by creating a role to issue a leaf certificate
-    const myRole = 'some-role';
-    await runCommands([
-      `write ${this.intMountPath}/roles/${myRole} \
-    issuer_ref=${this.newlySignedIssuer}\
-    allow_any_name=true \
-    max_ttl="720h"`,
-    ]);
-    await visit(`vault/secrets/${this.intMountPath}/pki/roles/${myRole}/generate`);
-    await fillIn(SELECTORS.inputByName('commonName'), 'my-leaf');
-    await fillIn('[data-test-ttl-value="TTL"]', '3600');
-    await click('[data-test-pki-generate-button]');
-    const myLeafCert = find(SELECTORS.copyButton('Certificate')).getAttribute('data-clipboard-text');
-
-    // see comments in utils/parse-pki-cert.js for step-by-step explanation of of verifyCertificates method
-    assert.true(
-      await verifyCertificates(oldIntCert, newIntCert, myLeafCert),
-      'the leaf certificate validates against both intermediate certificates'
-    );
-  });
-});
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<div class="splash-page-container section is-flex-v-centered-tablet is-flex-grow-1 is-fullwidth">
+  <div class="columns is-centered is-gapless is-fullwidth">
+    <div class="column is-4-desktop is-6-tablet">
+      <div class="splash-page-header" data-test-splash-page-header>
+        {{yield to="header"}}
+      </div>
+      <div class="splash-page-sub-header" data-test-splash-page-sub-header>
+        {{yield to="subHeader"}}
+      </div>
+      <div class="login-form box is-paddingless is-relative" data-test-splash-page-content>
+        {{yield to="content"}}
+      </div>
+      {{yield to="footer"}}
+    </div>
+  </div>
+</div>
\ No newline at end of file
diff --git a/ui/tests/acceptance/raft-storage-test.js b/ui/tests/acceptance/raft-storage-test.js
index 35ddc099aa87..cd39ad45782d 100644
--- a/ui/tests/acceptance/raft-storage-test.js
+++ b/ui/tests/acceptance/raft-storage-test.js
@@ -1,74 +1,893 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupApplicationTest } from 'ember-qunit';
-import { setupMirage } from 'ember-cli-mirage/test-support';
-import { click, visit } from '@ember/test-helpers';
-import authPage from 'vault/tests/pages/auth';
-
-module('Acceptance | raft storage', function (hooks) {
-  setupApplicationTest(hooks);
-  setupMirage(hooks);
-
-  hooks.beforeEach(async function () {
-    this.config = this.server.create('configuration', 'withRaft');
-    this.server.get('/sys/internal/ui/resultant-acl', () =>
-      this.server.create('configuration', { data: { root: true } })
-    );
-    this.server.get('/sys/license/features', () => ({}));
-    await authPage.login();
-  });
-
-  test('it should render correct number of raft peers', async function (assert) {
-    assert.expect(3);
-
-    let didRemovePeer = false;
-    this.server.get('/sys/storage/raft/configuration', () => {
-      if (didRemovePeer) {
-        this.config.data.config.servers.pop();
-      } else {
-        // consider peer removed by external means (cli) after initial request
-        didRemovePeer = true;
-      }
-      return this.config;
-    });
-
-    await visit('/vault/storage/raft');
-    assert.dom('[data-raft-row]').exists({ count: 2 }, '2 raft peers render in table');
-    // leave route and return to trigger config fetch
-    await visit('/vault/secrets');
-    await visit('/vault/storage/raft');
-    const store = this.owner.lookup('service:store');
-    assert.strictEqual(
-      store.peekAll('server').length,
-      2,
-      'Store contains 2 server records since remove peer was triggered externally'
-    );
-    assert.dom('[data-raft-row]').exists({ count: 1 }, 'Only raft nodes from response are rendered');
-  });
-
-  test('it should remove raft peer', async function (assert) {
-    assert.expect(3);
-
-    this.server.get('/sys/storage/raft/configuration', () => this.config);
-    this.server.post('/sys/storage/raft/remove-peer', (schema, req) => {
-      const body = JSON.parse(req.requestBody);
-      assert.strictEqual(
-        body.server_id,
-        this.config.data.config.servers[1].node_id,
-        'Remove peer request made with node id'
-      );
-      return {};
-    });
-
-    await visit('/vault/storage/raft');
-    assert.dom('[data-raft-row]').exists({ count: 2 }, '2 raft peers render in table');
-    await click('[data-raft-row]:nth-child(2) [data-test-popup-menu-trigger]');
-    await click('[data-test-confirm-action-trigger]');
-    await click('[data-test-confirm-button]');
-    assert.dom('[data-raft-row]').exists({ count: 1 }, 'Raft peer successfully removed');
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net"
+	"os"
+	"os/exec"
+	"os/user"
+	"strings"
+	"syscall"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/builtin/logical/ssh"
+	"github.com/mitchellh/mapstructure"
+	"github.com/pkg/errors"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*SSHCommand)(nil)
+	_ cli.CommandAutocomplete = (*SSHCommand)(nil)
+)
+
+type SSHCommand struct {
+	*BaseCommand
+
+	// Common SSH options
+	flagMode                  string
+	flagRole                  string
+	flagNoExec                bool
+	flagMountPoint            string
+	flagStrictHostKeyChecking string
+	flagSSHExecutable         string
+	flagUserKnownHostsFile    string
+
+	// SSH CA Mode options
+	flagPublicKeyPath     string
+	flagPrivateKeyPath    string
+	flagHostKeyMountPoint string
+	flagHostKeyHostnames  string
+	flagValidPrincipals   string
+}
+
+func (c *SSHCommand) Synopsis() string {
+	return "Initiate an SSH session"
+}
+
+func (c *SSHCommand) Help() string {
+	helpText := `
+Usage: vault ssh [options] username@ip [ssh options]
+
+  Establishes an SSH connection with the target machine.
+
+  This command uses one of the SSH secrets engines to authenticate and
+  automatically establish an SSH connection to a host. This operation requires
+  that the SSH secrets engine is mounted and configured.
+
+  SSH using the OTP mode (requires sshpass for full automation):
+
+      $ vault ssh -mode=otp -role=my-role user@1.2.3.4
+
+  SSH using the CA mode:
+
+      $ vault ssh -mode=ca -role=my-role user@1.2.3.4
+
+  SSH using CA mode with host key verification:
+
+      $ vault ssh \
+          -mode=ca \
+          -role=my-role \
+          -host-key-mount-point=host-signer \
+          -host-key-hostnames=example.com \
+          user@example.com
+
+  For the full list of options and arguments, please see the documentation.
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *SSHCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
+
+	f := set.NewFlagSet("SSH Options")
+
+	// TODO: doc field?
+
+	// General
+	f.StringVar(&StringVar{
+		Name:       "mode",
+		Target:     &c.flagMode,
+		Default:    "",
+		EnvVar:     "",
+		Completion: complete.PredictSet("ca", "dynamic", "otp"),
+		Usage:      "Name of the authentication mode (ca, dynamic, otp).",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "role",
+		Target:     &c.flagRole,
+		Default:    "",
+		EnvVar:     "",
+		Completion: complete.PredictAnything,
+		Usage:      "Name of the role to use to generate the key.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:       "no-exec",
+		Target:     &c.flagNoExec,
+		Default:    false,
+		EnvVar:     "",
+		Completion: complete.PredictNothing,
+		Usage: "Print the generated credentials, but do not establish a " +
+			"connection.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "mount-point",
+		Target:     &c.flagMountPoint,
+		Default:    "ssh/",
+		EnvVar:     "",
+		Completion: complete.PredictAnything,
+		Usage:      "Mount point to the SSH secrets engine.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "strict-host-key-checking",
+		Target:     &c.flagStrictHostKeyChecking,
+		Default:    "ask",
+		EnvVar:     "VAULT_SSH_STRICT_HOST_KEY_CHECKING",
+		Completion: complete.PredictSet("ask", "no", "yes"),
+		Usage: "Value to use for the SSH configuration option " +
+			"\"StrictHostKeyChecking\".",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "user-known-hosts-file",
+		Target:     &c.flagUserKnownHostsFile,
+		Default:    "",
+		EnvVar:     "VAULT_SSH_USER_KNOWN_HOSTS_FILE",
+		Completion: complete.PredictFiles("*"),
+		Usage: "Value to use for the SSH configuration option " +
+			"\"UserKnownHostsFile\".",
+	})
+
+	// SSH CA
+	f = set.NewFlagSet("CA Mode Options")
+
+	f.StringVar(&StringVar{
+		Name:       "public-key-path",
+		Target:     &c.flagPublicKeyPath,
+		Default:    "~/.ssh/id_rsa.pub",
+		EnvVar:     "",
+		Completion: complete.PredictFiles("*"),
+		Usage:      "Path to the SSH public key to send to Vault for signing.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "private-key-path",
+		Target:     &c.flagPrivateKeyPath,
+		Default:    "~/.ssh/id_rsa",
+		EnvVar:     "",
+		Completion: complete.PredictFiles("*"),
+		Usage: "Path to the SSH private key to use for authentication. This must " +
+			"be the corresponding private key to -public-key-path.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "host-key-mount-point",
+		Target:     &c.flagHostKeyMountPoint,
+		Default:    "",
+		EnvVar:     "VAULT_SSH_HOST_KEY_MOUNT_POINT",
+		Completion: complete.PredictAnything,
+		Usage: "Mount point to the SSH secrets engine where host keys are signed. " +
+			"When given a value, Vault will generate a custom \"known_hosts\" file " +
+			"with delegation to the CA at the provided mount point to verify the " +
+			"SSH connection's host keys against the provided CA. By default, host " +
+			"keys are validated against the user's local \"known_hosts\" file. " +
+			"This flag forces strict key host checking and ignores a custom user " +
+			"known hosts file.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "host-key-hostnames",
+		Target:     &c.flagHostKeyHostnames,
+		Default:    "*",
+		EnvVar:     "VAULT_SSH_HOST_KEY_HOSTNAMES",
+		Completion: complete.PredictAnything,
+		Usage: "List of hostnames to delegate for the CA. The default value " +
+			"allows all domains and IPs. This is specified as a comma-separated " +
+			"list of values.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "valid-principals",
+		Target:     &c.flagValidPrincipals,
+		Default:    "",
+		EnvVar:     "",
+		Completion: complete.PredictAnything,
+		Usage: "List of valid principal names to include in the generated " +
+			"user certificate. This is specified as a comma-separated list of values.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "ssh-executable",
+		Target:     &c.flagSSHExecutable,
+		Default:    "ssh",
+		EnvVar:     "VAULT_SSH_EXECUTABLE",
+		Completion: complete.PredictAnything,
+		Usage:      "Path to the SSH executable to use when connecting to the host",
+	})
+
+	return set
+}
+
+func (c *SSHCommand) AutocompleteArgs() complete.Predictor {
+	return nil
+}
+
+func (c *SSHCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+// Structure to hold the fields returned when asked for a credential from SSH
+// secrets engine.
+type SSHCredentialResp struct {
+	KeyType  string `mapstructure:"key_type"`
+	Key      string `mapstructure:"key"`
+	Username string `mapstructure:"username"`
+	IP       string `mapstructure:"ip"`
+	Port     string `mapstructure:"port"`
+}
+
+func (c *SSHCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args, DisableDisplayFlagWarning(true)); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	// Use homedir to expand any relative paths such as ~/.ssh
+	c.flagUserKnownHostsFile = expandPath(c.flagUserKnownHostsFile)
+	c.flagPublicKeyPath = expandPath(c.flagPublicKeyPath)
+	c.flagPrivateKeyPath = expandPath(c.flagPrivateKeyPath)
+
+	args = f.Args()
+	if len(args) < 1 {
+		c.UI.Error(fmt.Sprintf("Not enough arguments, (expected 1-n, got %d)", len(args)))
+		return 1
+	}
+
+	// Extract the hostname, username and port from the ssh command
+	hostname, username, port, err := c.parseSSHCommand(args)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error parsing the ssh command: %q", err))
+		return 1
+	}
+
+	// Use the current user if no user was specified in the ssh command
+	if username == "" {
+		u, err := user.Current()
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error getting the current user: %q", err))
+			return 1
+		}
+		username = u.Username
+	}
+
+	ip, err := c.resolveHostname(hostname)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error resolving the ssh hostname: %q", err))
+		return 1
+	}
+
+	// Set the client in the command
+	_, err = c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	// Credentials are generated only against a registered role. If user
+	// does not specify a role with the SSH command, then lookup API is used
+	// to fetch all the roles with which this IP is associated. If there is
+	// only one role associated with it, use it to establish the connection.
+	//
+	// TODO: remove in 0.9.0, convert to validation error
+	if c.flagRole == "" {
+		c.UI.Warn(wrapAtLength(
+			"WARNING: No -role specified. Use -role to tell Vault which ssh role " +
+				"to use for authentication. In the future, you will need to tell " +
+				"Vault which role to use. For now, Vault will attempt to guess based " +
+				"on the API response. This will be removed in the Vault 1.1."))
+
+		role, err := c.defaultRole(c.flagMountPoint, ip)
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error choosing role: %v", err))
+			return 1
+		}
+		// Print the default role chosen so that user knows the role name
+		// if something doesn't work. If the role chosen is not allowed to
+		// be used by the user (ACL enforcement), then user should see an
+		// error message accordingly.
+		c.UI.Output(fmt.Sprintf("Vault SSH: Role: %q", role))
+		c.flagRole = role
+	}
+
+	// If no mode was given, perform the old-school lookup. Keep this now for
+	// backwards-compatibility, but print a warning.
+	//
+	// TODO: remove in 0.9.0, convert to validation error
+	if c.flagMode == "" {
+		c.UI.Warn(wrapAtLength(
+			"WARNING: No -mode specified. Use -mode to tell Vault which ssh " +
+				"authentication mode to use. In the future, you will need to tell " +
+				"Vault which mode to use. For now, Vault will attempt to guess based " +
+				"on the API response. This guess involves creating a temporary " +
+				"credential, reading its type, and then revoking it. To reduce the " +
+				"number of API calls and surface area, specify -mode directly. This " +
+				"will be removed in Vault 1.1."))
+		secret, cred, err := c.generateCredential(username, ip)
+		if err != nil {
+			// This is _very_ hacky, but is the only sane backwards-compatible way
+			// to do this. If the error is "key type unknown", we just assume the
+			// type is "ca". In the future, mode will be required as an option.
+			if strings.Contains(err.Error(), "key type unknown") {
+				c.flagMode = ssh.KeyTypeCA
+			} else {
+				c.UI.Error(fmt.Sprintf("Error getting credential: %s", err))
+				return 1
+			}
+		} else {
+			c.flagMode = cred.KeyType
+		}
+
+		// Revoke the secret, since the child functions will generate their own
+		// credential. Users wishing to avoid this should specify -mode.
+		if secret != nil {
+			if err := c.client.Sys().Revoke(secret.LeaseID); err != nil {
+				c.UI.Warn(fmt.Sprintf("Failed to revoke temporary key: %s", err))
+			}
+		}
+	}
+
+	switch strings.ToLower(c.flagMode) {
+	case ssh.KeyTypeCA:
+		return c.handleTypeCA(username, ip, port, args)
+	case ssh.KeyTypeOTP:
+		return c.handleTypeOTP(username, ip, port, args)
+	case ssh.KeyTypeDynamic:
+		return c.handleTypeDynamic(username, ip, port, args)
+	default:
+		c.UI.Error(fmt.Sprintf("Unknown SSH mode: %s", c.flagMode))
+		return 1
+	}
+}
+
+// handleTypeCA is used to handle SSH logins using the "CA" key type.
+func (c *SSHCommand) handleTypeCA(username, ip, port string, sshArgs []string) int {
+	// Read the key from disk
+	publicKey, err := ioutil.ReadFile(c.flagPublicKeyPath)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("failed to read public key %s: %s",
+			c.flagPublicKeyPath, err))
+		return 1
+	}
+
+	sshClient := c.client.SSHWithMountPoint(c.flagMountPoint)
+
+	principals := username
+	if c.flagValidPrincipals != "" {
+		principals = c.flagValidPrincipals
+	}
+
+	// Attempt to sign the public key
+	secret, err := sshClient.SignKey(c.flagRole, map[string]interface{}{
+		// WARNING: publicKey is []byte, which is b64 encoded on JSON upload. We
+		// have to convert it to a string. SV lost many hours to this...
+		"public_key":       string(publicKey),
+		"valid_principals": principals,
+		"cert_type":        "user",
+
+		// TODO: let the user configure these. In the interim, if users want to
+		// customize these values, they can produce the key themselves.
+		"extensions": map[string]string{
+			"permit-X11-forwarding":   "",
+			"permit-agent-forwarding": "",
+			"permit-port-forwarding":  "",
+			"permit-pty":              "",
+			"permit-user-rc":          "",
+		},
+	})
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("failed to sign public key %s: %s",
+			c.flagPublicKeyPath, err))
+		return 2
+	}
+	if secret == nil || secret.Data == nil {
+		c.UI.Error("missing signed key")
+		return 2
+	}
+
+	// Handle no-exec
+	if c.flagNoExec {
+		if c.flagField != "" {
+			return PrintRawField(c.UI, secret, c.flagField)
+		}
+		return OutputSecret(c.UI, secret)
+	}
+
+	// Extract public key
+	key, ok := secret.Data["signed_key"].(string)
+	if !ok || key == "" {
+		c.UI.Error("signed key is empty")
+		return 2
+	}
+
+	// Capture the current value - this could be overwritten later if the user
+	// enabled host key signing verification.
+	userKnownHostsFile := c.flagUserKnownHostsFile
+	strictHostKeyChecking := c.flagStrictHostKeyChecking
+
+	// Handle host key signing verification. If the user specified a mount point,
+	// download the public key, trust it with the given domains, and use that
+	// instead of the user's regular known_hosts file.
+	if c.flagHostKeyMountPoint != "" {
+		secret, err := c.client.Logical().Read(c.flagHostKeyMountPoint + "/config/ca")
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("failed to get host signing key: %s", err))
+			return 2
+		}
+		if secret == nil || secret.Data == nil {
+			c.UI.Error("missing host signing key")
+			return 2
+		}
+		publicKey, ok := secret.Data["public_key"].(string)
+		if !ok || publicKey == "" {
+			c.UI.Error("host signing key is empty")
+			return 2
+		}
+
+		// Write the known_hosts file
+		name := fmt.Sprintf("vault_ssh_ca_known_hosts_%s_%s", username, ip)
+		data := fmt.Sprintf("@cert-authority %s %s", c.flagHostKeyHostnames, publicKey)
+		knownHosts, err, closer := c.writeTemporaryFile(name, []byte(data), 0o644)
+		defer closer()
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("failed to write host public key: %s", err))
+			return 1
+		}
+
+		// Update the variables
+		userKnownHostsFile = knownHosts
+		strictHostKeyChecking = "yes"
+	}
+
+	// Write the signed public key to disk
+	name := fmt.Sprintf("vault_ssh_ca_%s_%s", username, ip)
+	signedPublicKeyPath, err, closer := c.writeTemporaryKey(name, []byte(key))
+	defer closer()
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("failed to write signed public key: %s", err))
+		return 2
+	}
+
+	args := []string{
+		"-i", c.flagPrivateKeyPath,
+		"-i", signedPublicKeyPath,
+		"-o StrictHostKeyChecking=" + strictHostKeyChecking,
+	}
+
+	if userKnownHostsFile != "" {
+		args = append(args,
+			"-o UserKnownHostsFile="+userKnownHostsFile,
+		)
+	}
+
+	// Add extra user defined ssh arguments
+	args = append(args, sshArgs...)
+
+	cmd := exec.Command(c.flagSSHExecutable, args...)
+	cmd.Stdin = os.Stdin
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	err = cmd.Run()
+	if err != nil {
+		exitCode := 2
+
+		if exitError, ok := err.(*exec.ExitError); ok {
+			if exitError.Success() {
+				return 0
+			}
+			if ws, ok := exitError.Sys().(syscall.WaitStatus); ok {
+				exitCode = ws.ExitStatus()
+			}
+		}
+
+		c.UI.Error(fmt.Sprintf("failed to run ssh command: %s", err))
+		return exitCode
+	}
+
+	// There is no secret to revoke, since it's a certificate signing
+	return 0
+}
+
+// handleTypeOTP is used to handle SSH logins using the "otp" key type.
+func (c *SSHCommand) handleTypeOTP(username, ip, port string, sshArgs []string) int {
+	secret, cred, err := c.generateCredential(username, ip)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("failed to generate credential: %s", err))
+		return 2
+	}
+
+	// Handle no-exec
+	if c.flagNoExec {
+		if c.flagField != "" {
+			return PrintRawField(c.UI, secret, c.flagField)
+		}
+		return OutputSecret(c.UI, secret)
+	}
+
+	var cmd *exec.Cmd
+
+	// Check if the application 'sshpass' is installed in the client machine. If
+	// it is then, use it to automate typing in OTP to the prompt. Unfortunately,
+	// it was not possible to automate it without a third-party application, with
+	// only the Go libraries. Feel free to try and remove this dependency.
+	args := make([]string, 0)
+	env := os.Environ()
+	sshCmd := c.flagSSHExecutable
+
+	sshpassPath, err := exec.LookPath("sshpass")
+	if err != nil {
+		// No sshpass available so using normal ssh client
+		c.UI.Warn(wrapAtLength(
+			"Vault could not locate \"sshpass\". The OTP code for the session is " +
+				"displayed below. Enter this code in the SSH password prompt. If you " +
+				"install sshpass, Vault can automatically perform this step for you."))
+		c.UI.Output("OTP for the session is: " + cred.Key)
+	} else {
+		// sshpass is available so lets use it instead
+		sshCmd = sshpassPath
+		args = append(args,
+			"-e", // Read password for SSHPASS environment variable
+			c.flagSSHExecutable,
+		)
+		env = append(env, fmt.Sprintf("SSHPASS=%s", string(cred.Key)))
+	}
+
+	// Only harcode the knownhostsfile path if it has been set
+	if c.flagUserKnownHostsFile != "" {
+		args = append(args,
+			"-o UserKnownHostsFile="+c.flagUserKnownHostsFile,
+		)
+	}
+
+	// If a port wasn't specified in the ssh arguments lets use the port we got back from vault
+	if port == "" {
+		args = append(args, "-p", cred.Port)
+	}
+
+	args = append(args,
+		"-o StrictHostKeyChecking="+c.flagStrictHostKeyChecking,
+	)
+
+	// Add the rest of the ssh args appended by the user
+	args = append(args, sshArgs...)
+
+	cmd = exec.Command(sshCmd, args...)
+	cmd.Env = env
+
+	cmd.Stdin = os.Stdin
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	err = cmd.Run()
+	if err != nil {
+		exitCode := 2
+
+		if exitError, ok := err.(*exec.ExitError); ok {
+			if exitError.Success() {
+				return 0
+			}
+			if ws, ok := exitError.Sys().(syscall.WaitStatus); ok {
+				exitCode = ws.ExitStatus()
+			}
+		}
+
+		c.UI.Error(fmt.Sprintf("failed to run ssh command: %s", err))
+		return exitCode
+	}
+
+	// Revoke the key if it's longer than expected
+	if err := c.client.Sys().Revoke(secret.LeaseID); err != nil {
+		c.UI.Error(fmt.Sprintf("failed to revoke key: %s", err))
+		return 2
+	}
+
+	return 0
+}
+
+// handleTypeDynamic is used to handle SSH logins using the "dyanmic" key type.
+func (c *SSHCommand) handleTypeDynamic(username, ip, port string, sshArgs []string) int {
+	// Generate the credential
+	secret, cred, err := c.generateCredential(username, ip)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("failed to generate credential: %s", err))
+		return 2
+	}
+
+	// Handle no-exec
+	if c.flagNoExec {
+		if c.flagField != "" {
+			return PrintRawField(c.UI, secret, c.flagField)
+		}
+		return OutputSecret(c.UI, secret)
+	}
+
+	// Write the dynamic key to disk
+	name := fmt.Sprintf("vault_ssh_dynamic_%s_%s", username, ip)
+	keyPath, err, closer := c.writeTemporaryKey(name, []byte(cred.Key))
+	defer closer()
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("failed to write dynamic key: %s", err))
+		return 1
+	}
+
+	args := make([]string, 0)
+	// If a port wasn't specified in the ssh arguments lets use the port we got back from vault
+	if port == "" {
+		args = append(args, "-p", cred.Port)
+	}
+
+	args = append(args,
+		"-i", keyPath,
+		"-o UserKnownHostsFile="+c.flagUserKnownHostsFile,
+		"-o StrictHostKeyChecking="+c.flagStrictHostKeyChecking,
+	)
+
+	// Add extra user defined ssh arguments
+	args = append(args, sshArgs...)
+
+	cmd := exec.Command(c.flagSSHExecutable, args...)
+	cmd.Stdin = os.Stdin
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	err = cmd.Run()
+	if err != nil {
+		exitCode := 2
+
+		if exitError, ok := err.(*exec.ExitError); ok {
+			if exitError.Success() {
+				return 0
+			}
+			if ws, ok := exitError.Sys().(syscall.WaitStatus); ok {
+				exitCode = ws.ExitStatus()
+			}
+		}
+
+		c.UI.Error(fmt.Sprintf("failed to run ssh command: %s", err))
+		return exitCode
+	}
+
+	// Revoke the key if it's longer than expected
+	if err := c.client.Sys().Revoke(secret.LeaseID); err != nil {
+		c.UI.Error(fmt.Sprintf("failed to revoke key: %s", err))
+		return 2
+	}
+
+	return 0
+}
+
+// generateCredential generates a credential for the given role and returns the
+// decoded secret data.
+func (c *SSHCommand) generateCredential(username, ip string) (*api.Secret, *SSHCredentialResp, error) {
+	sshClient := c.client.SSHWithMountPoint(c.flagMountPoint)
+
+	// Attempt to generate the credential.
+	secret, err := sshClient.Credential(c.flagRole, map[string]interface{}{
+		"username": username,
+		"ip":       ip,
+	})
+	if err != nil {
+		return nil, nil, errors.Wrap(err, "failed to get credentials")
+	}
+	if secret == nil || secret.Data == nil {
+		return nil, nil, fmt.Errorf("vault returned empty credentials")
+	}
+
+	// Port comes back as a json.Number which mapstructure doesn't like, so
+	// convert it
+	if d, ok := secret.Data["port"].(json.Number); ok {
+		secret.Data["port"] = d.String()
+	}
+
+	// Use mapstructure to decode the response
+	var resp SSHCredentialResp
+	if err := mapstructure.Decode(secret.Data, &resp); err != nil {
+		return nil, nil, errors.Wrap(err, "failed to decode credential")
+	}
+
+	// Check for an empty key response
+	if len(resp.Key) == 0 {
+		return nil, nil, fmt.Errorf("vault returned an invalid key")
+	}
+
+	return secret, &resp, nil
+}
+
+// writeTemporaryFile writes a file to a temp location with the given data and
+// file permissions.
+func (c *SSHCommand) writeTemporaryFile(name string, data []byte, perms os.FileMode) (string, error, func() error) {
+	// default closer to prevent panic
+	closer := func() error { return nil }
+
+	f, err := ioutil.TempFile("", name)
+	if err != nil {
+		return "", errors.Wrap(err, "creating temporary file"), closer
+	}
+
+	closer = func() error { return os.Remove(f.Name()) }
+
+	if err := ioutil.WriteFile(f.Name(), data, perms); err != nil {
+		return "", errors.Wrap(err, "writing temporary key"), closer
+	}
+
+	if err := f.Close(); err != nil {
+		return "", errors.Wrap(err, "closing temporary key"), closer
+	}
+
+	return f.Name(), nil, closer
+}
+
+// writeTemporaryKey writes the key to a temporary file and returns the path.
+// The caller should defer the closer to cleanup the key.
+func (c *SSHCommand) writeTemporaryKey(name string, data []byte) (string, error, func() error) {
+	return c.writeTemporaryFile(name, data, 0o600)
+}
+
+// If user did not provide the role with which SSH connection has
+// to be established and if there is only one role associated with
+// the IP, it is used by default.
+func (c *SSHCommand) defaultRole(mountPoint, ip string) (string, error) {
+	data := map[string]interface{}{
+		"ip": ip,
+	}
+	secret, err := c.client.Logical().Write(mountPoint+"/lookup", data)
+	if err != nil {
+		return "", fmt.Errorf("error finding roles for IP %q: %w", ip, err)
+	}
+	if secret == nil || secret.Data == nil {
+		return "", fmt.Errorf("error finding roles for IP %q: %w", ip, err)
+	}
+
+	if secret.Data["roles"] == nil {
+		return "", fmt.Errorf("no matching roles found for IP %q", ip)
+	}
+
+	if len(secret.Data["roles"].([]interface{})) == 1 {
+		return secret.Data["roles"].([]interface{})[0].(string), nil
+	} else {
+		var roleNames string
+		for _, item := range secret.Data["roles"].([]interface{}) {
+			roleNames += item.(string) + ", "
+		}
+		roleNames = strings.TrimRight(roleNames, ", ")
+		return "", fmt.Errorf("Roles: %q. "+`
+			Multiple roles are registered for this IP.
+			Select a role using '-role' option.
+			Note that all roles may not be permitted, based on ACLs.`, roleNames)
+	}
+}
+
+func (c *SSHCommand) isSingleSSHArg(arg string) bool {
+	// list of single SSH arguments is taken from
+	// https://github.com/openssh/openssh-portable/blob/28013759f09ed3ebf7e8335e83a62936bd7a7f47/ssh.c#L204
+	singleArgs := []string{
+		"4", "6", "A", "a", "C", "f", "G", "g", "K", "k", "M", "N", "n", "q",
+		"s", "T", "t", "V", "v", "X", "x", "Y", "y",
+	}
+
+	// We want to get the first character after the dash. This is so args like -vvv are picked up as just being -v
+	flag := string(arg[1])
+
+	for _, a := range singleArgs {
+		if flag == a {
+			return true
+		}
+	}
+	return false
+}
+
+// Finds the hostname, username (optional) and port (optional) from any valid ssh command
+// Supports usrname@hostname but also specifying valid ssh flags like -o User=username,
+// -o Port=2222 and -p 2222 anywhere in the command
+func (c *SSHCommand) parseSSHCommand(args []string) (hostname string, username string, port string, err error) {
+	lastArg := ""
+	for _, i := range args {
+		arg := lastArg
+		lastArg = ""
+
+		// If -p has been specified then this is our ssh port
+		if arg == "-p" {
+			port = i
+			continue
+		}
+
+		// this is an ssh option, lets see if User or Port have been set and use it
+		if arg == "-o" {
+			split := strings.Split(i, "=")
+			key := split[0]
+			// Incase the value contains = signs we want to get all of them
+			value := strings.Join(split[1:], " ")
+
+			if key == "User" {
+				// Don't overwrite the user if it is already set by username@hostname
+				// This matches the behaviour for how regular ssh reponds when both are specified
+				if username == "" {
+					username = value
+				}
+			}
+
+			if key == "Port" {
+				// Don't overwrite the port if it is already set by -p
+				// This matches the behaviour for how regular ssh reponds when both are specified
+				if port == "" {
+					port = value
+				}
+			}
+			continue
+		}
+
+		// This isn't an ssh argument that we care about. Lets keep on parsing the command
+		if arg != "" {
+			continue
+		}
+
+		// If this is an ssh argument with a value we want to look at it in the next loop
+		if strings.HasPrefix(i, "-") {
+			// If this isn't a single SSH arg we want to store the flag to we can look at the value next loop
+			if !c.isSingleSSHArg(i) {
+				lastArg = i
+			}
+			continue
+		}
+
+		// If we have gotten this far it means this is a bare argument
+		// The first bare argument is the hostname
+		// The second bare argument is the command to run on the remote host
+
+		// If the hostname hasn't been set yet than it means we have found the first bare argument
+		if hostname == "" {
+			if strings.Contains(i, "@") {
+				split := strings.Split(i, "@")
+				username = split[0]
+				hostname = split[1]
+			} else {
+				hostname = i
+			}
+			continue
+		} else {
+			// The second bare argument is the command to run on the remote host.
+			// We need to break out and stop parsing arguments now
+			break
+		}
+
+	}
+	if hostname == "" {
+		return "", "", "", errors.Wrap(
+			err,
+			fmt.Sprintf("failed to find a hostname in ssh command %q", strings.Join(args, " ")),
+		)
+	}
+	return hostname, username, port, nil
+}
+
+func (c *SSHCommand) resolveHostname(hostname string) (ip string, err error) {
+	// Resolving domain names to IP address on the client side.
+	// Vault only deals with IP addresses.
+	ipAddr, err := net.ResolveIPAddr("ip", hostname)
+	if err != nil {
+		return "", errors.Wrap(err, "failed to resolve IP address")
+	}
+	ip = ipAddr.String()
+	return ip, nil
+}
diff --git a/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-edge-cases-test.js b/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-edge-cases-test.js
index c92914102ba9..b6dfd563d242 100644
--- a/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-edge-cases-test.js
+++ b/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-edge-cases-test.js
@@ -1,454 +1,235 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { v4 as uuidv4 } from 'uuid';
-import { click, currentURL, fillIn, findAll, setupOnerror, typeIn, visit } from '@ember/test-helpers';
-import { setupApplicationTest } from 'vault/tests/helpers';
-import authPage from 'vault/tests/pages/auth';
-import {
-  createPolicyCmd,
-  deleteEngineCmd,
-  mountEngineCmd,
-  runCmd,
-  createTokenCmd,
-} from 'vault/tests/helpers/commands';
-import {
-  dataPolicy,
-  deleteVersionsPolicy,
-  destroyVersionsPolicy,
-  metadataListPolicy,
-  metadataPolicy,
-} from 'vault/tests/helpers/policy-generator/kv';
-import { clearRecords, writeSecret, writeVersionedSecret } from 'vault/tests/helpers/kv/kv-run-commands';
-import { FORM, PAGE } from 'vault/tests/helpers/kv/kv-selectors';
-
-/**
- * This test set is for testing edge cases, such as specific bug fixes or reported user workflows
- */
-module('Acceptance | kv-v2 workflow | edge cases', function (hooks) {
-  setupApplicationTest(hooks);
-
-  hooks.beforeEach(async function () {
-    const uid = uuidv4();
-    this.backend = `kv-edge-${uid}`;
-    this.rootSecret = 'root-directory';
-    this.fullSecretPath = `${this.rootSecret}/nested/child-secret`;
-    await authPage.login();
-    await runCmd(mountEngineCmd('kv-v2', this.backend), false);
-    await writeSecret(this.backend, this.fullSecretPath, 'foo', 'bar');
-    await writeSecret(this.backend, 'edge/one', 'foo', 'bar');
-    await writeSecret(this.backend, 'edge/two', 'foo', 'bar');
-    return;
-  });
-
-  hooks.afterEach(async function () {
-    await authPage.login();
-    await runCmd(deleteEngineCmd(this.backend));
-    return;
-  });
-
-  module('persona with read and list access on the secret level', function (hooks) {
-    // see github issue for more details https://github.com/hashicorp/vault/issues/5362
-    hooks.beforeEach(async function () {
-      const secretPath = `${this.rootSecret}/*`; // user has LIST and READ access within this root secret directory
-      const capabilities = ['list', 'read'];
-      const backend = this.backend;
-      const token = await runCmd([
-        createPolicyCmd(
-          'nested-secret-list-reader',
-          metadataPolicy({ backend, secretPath, capabilities }) +
-            dataPolicy({ backend, secretPath, capabilities })
-        ),
-        createTokenCmd('nested-secret-list-reader'),
-      ]);
-      await authPage.login(token);
-    });
-
-    test('it can navigate to secrets within a secret directory', async function (assert) {
-      assert.expect(21);
-      const backend = this.backend;
-      const [root, subdirectory, secret] = this.fullSecretPath.split('/');
-
-      await visit(`/vault/secrets/${backend}/kv/list`);
-      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list`, 'lands on secrets list page');
-
-      await typeIn(PAGE.list.overviewInput, `${root}/no-access/`);
-      assert
-        .dom(PAGE.list.overviewButton)
-        .hasText('View list', 'shows list and not secret because search is a directory');
-      await click(PAGE.list.overviewButton);
-      assert.dom(PAGE.emptyStateTitle).hasText(`There are no secrets matching "${root}/no-access/".`);
-
-      await visit(`/vault/secrets/${backend}/kv/list`);
-      await typeIn(PAGE.list.overviewInput, `${root}/`); // add slash because this is a directory
-      await click(PAGE.list.overviewButton);
-
-      // URL correct
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/list/${root}/`,
-        'visits list-directory of root'
-      );
-
-      // Title correct
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
-      // Tabs correct
-      assert.dom(PAGE.secretTab('Secrets')).hasText('Secrets');
-      assert.dom(PAGE.secretTab('Secrets')).hasClass('active');
-      assert.dom(PAGE.secretTab('Configuration')).hasText('Configuration');
-      assert.dom(PAGE.secretTab('Configuration')).doesNotHaveClass('active');
-      // Toolbar correct
-      assert.dom(PAGE.toolbarAction).exists({ count: 1 }, 'toolbar only renders create secret action');
-      assert.dom(PAGE.list.filter).hasValue(`${root}/`);
-      // List content correct
-      assert.dom(PAGE.list.item(`${subdirectory}/`)).exists('renders linked block for subdirectory');
-      await click(PAGE.list.item(`${subdirectory}/`));
-      assert.dom(PAGE.list.item(secret)).exists('renders linked block for child secret');
-      await click(PAGE.list.item(secret));
-      // Secret details visible
-      assert.dom(PAGE.title).hasText(this.fullSecretPath);
-      assert.dom(PAGE.secretTab('Secret')).hasText('Secret');
-      assert.dom(PAGE.secretTab('Secret')).hasClass('active');
-      assert.dom(PAGE.secretTab('Metadata')).hasText('Metadata');
-      assert.dom(PAGE.secretTab('Metadata')).doesNotHaveClass('active');
-      assert.dom(PAGE.secretTab('Version History')).hasText('Version History');
-      assert.dom(PAGE.secretTab('Version History')).doesNotHaveClass('active');
-      assert.dom(PAGE.toolbarAction).exists({ count: 5 }, 'toolbar renders all actions');
-    });
-
-    test('it navigates back to engine index route via breadcrumbs from secret details', async function (assert) {
-      assert.expect(6);
-      const backend = this.backend;
-      const [root, subdirectory, secret] = this.fullSecretPath.split('/');
-
-      await visit(`vault/secrets/${backend}/kv/${encodeURIComponent(this.fullSecretPath)}/details?version=1`);
-      // navigate back through crumbs
-      let previousCrumb = findAll('[data-test-breadcrumbs] li').length - 2;
-      await click(PAGE.breadcrumbAtIdx(previousCrumb));
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/list/${root}/${subdirectory}/`,
-        'goes back to subdirectory list'
-      );
-      assert.dom(PAGE.list.filter).hasValue(`${root}/${subdirectory}/`);
-      assert.dom(PAGE.list.item(secret)).exists('renders linked block for child secret');
-
-      // back again
-      previousCrumb = findAll('[data-test-breadcrumbs] li').length - 2;
-      await click(PAGE.breadcrumbAtIdx(previousCrumb));
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/list/${root}/`,
-        'goes back to root directory'
-      );
-      assert.dom(PAGE.list.item(`${subdirectory}/`)).exists('renders linked block for subdirectory');
-
-      // and back to the engine list view
-      previousCrumb = findAll('[data-test-breadcrumbs] li').length - 2;
-      await click(PAGE.breadcrumbAtIdx(previousCrumb));
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/list`,
-        'navigates back to engine list from crumbs'
-      );
-    });
-
-    test('it handles errors when attempting to view details of a secret that is a directory', async function (assert) {
-      assert.expect(7);
-      const backend = this.backend;
-      const [root, subdirectory] = this.fullSecretPath.split('/');
-      setupOnerror((error) => assert.strictEqual(error.httpStatus, 404), '404 error is thrown'); // catches error so qunit test doesn't fail
-
-      await visit(`/vault/secrets/${backend}/kv/list`);
-      await typeIn(PAGE.list.overviewInput, `${root}/${subdirectory}`); // intentionally leave out trailing slash
-      await click(PAGE.list.overviewButton);
-      assert.dom(PAGE.error.title).hasText('404 Not Found');
-      assert
-        .dom(PAGE.error.message)
-        .hasText(`Sorry, we were unable to find any content at /v1/${backend}/data/${root}/${subdirectory}.`);
-
-      assert.dom(PAGE.breadcrumbAtIdx(0)).hasText('secrets');
-      assert.dom(PAGE.breadcrumbAtIdx(1)).hasText(backend);
-      assert.dom(PAGE.secretTab('Secrets')).doesNotHaveClass('is-active');
-      assert.dom(PAGE.secretTab('Configuration')).doesNotHaveClass('is-active');
-    });
-  });
-
-  module('destruction without read', function (hooks) {
-    hooks.beforeEach(async function () {
-      const backend = this.backend;
-      const testSecrets = [
-        'data-delete-only',
-        'delete-version-only',
-        'destroy-version-only',
-        'destroy-metadata-only',
-      ];
-
-      // user has different permissions for each secret path
-      const token = await runCmd([
-        createPolicyCmd(
-          'destruction-no-read',
-          dataPolicy({ backend, secretPath: 'data-delete-only', capabilities: ['delete'] }) +
-            deleteVersionsPolicy({ backend, secretPath: 'delete-version-only' }) +
-            destroyVersionsPolicy({ backend, secretPath: 'destroy-version-only' }) +
-            metadataPolicy({ backend, secretPath: 'destroy-metadata-only', capabilities: ['delete'] }) +
-            metadataListPolicy(backend)
-        ),
-        createTokenCmd('destruction-no-read'),
-      ]);
-      for (const secret of testSecrets) {
-        await writeVersionedSecret(backend, secret, 'foo', 'bar', 2);
-      }
-      await authPage.login(token);
-    });
-
-    test('it renders the delete action and disables delete this version option', async function (assert) {
-      assert.expect(4);
-      const testSecret = 'data-delete-only';
-      await visit(`/vault/secrets/${this.backend}/kv/${testSecret}/details`);
-
-      assert.dom(PAGE.detail.delete).exists('renders delete button');
-      await click(PAGE.detail.delete);
-      assert
-        .dom(PAGE.detail.deleteModal)
-        .hasTextContaining('Delete this version This deletes a specific version of the secret');
-      assert.dom(PAGE.detail.deleteOption).isDisabled('disables version specific option');
-      assert.dom(PAGE.detail.deleteOptionLatest).isEnabled('enables version specific option');
-    });
-
-    test('it renders the delete action and disables delete latest version option', async function (assert) {
-      assert.expect(4);
-      const testSecret = 'delete-version-only';
-      await visit(`/vault/secrets/${this.backend}/kv/${testSecret}/details`);
-
-      assert.dom(PAGE.detail.delete).exists('renders delete button');
-      await click(PAGE.detail.delete);
-      assert
-        .dom(PAGE.detail.deleteModal)
-        .hasTextContaining('Delete this version This deletes a specific version of the secret');
-
-      assert.dom(PAGE.detail.deleteOption).isEnabled('enables version specific option');
-      assert.dom(PAGE.detail.deleteOptionLatest).isDisabled('disables version specific option');
-    });
-
-    test('it hides destroy option without version number', async function (assert) {
-      assert.expect(1);
-      const testSecret = 'destroy-version-only';
-      await visit(`/vault/secrets/${this.backend}/kv/${testSecret}/details`);
-
-      assert.dom(PAGE.detail.destroy).doesNotExist();
-    });
-
-    test('it renders the destroy metadata action and expected modal copy', async function (assert) {
-      assert.expect(2);
-
-      const testSecret = 'destroy-metadata-only';
-      await visit(`/vault/secrets/${this.backend}/kv/${testSecret}/metadata`);
-      assert.dom(PAGE.metadata.deleteMetadata).exists('renders delete metadata button');
-      await click(PAGE.metadata.deleteMetadata);
-      assert
-        .dom(PAGE.detail.deleteModal)
-        .hasText(
-          'Delete metadata and secret data? This will permanently delete the metadata and versions of the secret. All version history will be removed. This cannot be undone. Confirm Cancel'
-        );
-    });
-  });
-
-  test('no ghost item after editing metadata', async function (assert) {
-    await visit(`/vault/secrets/${this.backend}/kv/list/edge/`);
-    assert.dom(PAGE.list.item()).exists({ count: 2 }, 'two secrets are listed');
-    await click(PAGE.list.item('two'));
-    await click(PAGE.secretTab('Metadata'));
-    await click(PAGE.metadata.editBtn);
-    await fillIn(FORM.keyInput(), 'foo');
-    await fillIn(FORM.valueInput(), 'bar');
-    await click(FORM.saveBtn);
-    await click(PAGE.breadcrumbAtIdx(2));
-    assert.dom(PAGE.list.item()).exists({ count: 2 }, 'two secrets are listed');
-  });
-});
-
-// NAMESPACE TESTS
-module('Acceptance | Enterprise | kv-v2 workflow | edge cases', function (hooks) {
-  setupApplicationTest(hooks);
-
-  const navToEngine = async (backend) => {
-    await click('[data-test-sidebar-nav-link="Secrets Engines"]');
-    return await click(PAGE.backends.link(backend));
-  };
-
-  const assertDeleteActions = (assert, expected = ['delete', 'destroy']) => {
-    ['delete', 'destroy', 'undelete'].forEach((toolbar) => {
-      if (expected.includes(toolbar)) {
-        assert.dom(PAGE.detail[toolbar]).exists(`${toolbar} toolbar action exists`);
-      } else {
-        assert.dom(PAGE.detail[toolbar]).doesNotExist(`${toolbar} toolbar action not rendered`);
-      }
-    });
-  };
-
-  const assertVersionDropdown = async (assert, deleted = [], versions = [2, 1]) => {
-    assert.dom(PAGE.detail.versionDropdown).hasText(`Version ${versions[0]}`);
-    await click(PAGE.detail.versionDropdown);
-    versions.forEach((num) => {
-      assert.dom(PAGE.detail.version(num)).exists(`renders version ${num} link in dropdown`);
-    });
-    // also asserts destroyed icon
-    deleted.forEach((num) => {
-      assert.dom(`${PAGE.detail.version(num)} [data-test-icon="x-square"]`);
-    });
-  };
-
-  // each test uses a different secret path
-  hooks.beforeEach(async function () {
-    const uid = uuidv4();
-    this.store = this.owner.lookup('service:store');
-    this.backend = `kv-enterprise-edge-${uid}`;
-    this.namespace = `ns-${uid}`;
-    await authPage.login();
-    await runCmd([`write sys/namespaces/${this.namespace} -force`]);
-    return;
-  });
-
-  hooks.afterEach(async function () {
-    await authPage.login();
-    await runCmd([`delete /sys/auth/${this.namespace}`]);
-    await runCmd(deleteEngineCmd(this.backend));
-    return;
-  });
-
-  module('admin persona', function (hooks) {
-    hooks.beforeEach(async function () {
-      await authPage.loginNs(this.namespace);
-      // mount engine within namespace
-      await runCmd(mountEngineCmd('kv-v2', this.backend), false);
-      clearRecords(this.store);
-      return;
-    });
-    hooks.afterEach(async function () {
-      // visit logout with namespace query param because we're transitioning from within an engine
-      // and navigating directly to /vault/auth caused test context routing problems :(
-      await visit(`/vault/logout?namespace=${this.namespace}`);
-      await authPage.namespaceInput(''); // clear login form namespace input
-    });
-
-    test('namespace: it can create a secret and new secret version', async function (assert) {
-      assert.expect(15);
-      const backend = this.backend;
-      const ns = this.namespace;
-      const secret = 'my-create-secret';
-      await navToEngine(backend);
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/list?namespace=${ns}`,
-        'navigates to list'
-      );
-      // Create first version of secret
-      await click(PAGE.list.createSecret);
-      await fillIn(FORM.inputByAttr('path'), secret);
-      assert.dom(FORM.toggleMetadata).exists('Shows metadata toggle when creating new secret');
-      await fillIn(FORM.keyInput(), 'foo');
-      await fillIn(FORM.maskedValueInput(), 'woahsecret');
-      await click(FORM.saveBtn);
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/${secret}/details?namespace=${ns}&version=1`,
-        'navigates to details'
-      );
-
-      // Create a new version
-      await click(PAGE.detail.createNewVersion);
-      assert.dom(FORM.inputByAttr('path')).isDisabled('path input is disabled');
-      assert.dom(FORM.inputByAttr('path')).hasValue(secret);
-      assert.dom(FORM.toggleMetadata).doesNotExist('Does not show metadata toggle when creating new version');
-      assert.dom(FORM.keyInput()).hasValue('foo');
-      assert.dom(FORM.maskedValueInput()).hasValue('woahsecret');
-      await fillIn(FORM.keyInput(1), 'foo-two');
-      await fillIn(FORM.maskedValueInput(1), 'supersecret');
-      await click(FORM.saveBtn);
-
-      // Check details
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/${secret}/details?namespace=${ns}&version=2`,
-        'navigates to details'
-      );
-      await assertVersionDropdown(assert);
-      assert
-        .dom(`${PAGE.detail.version(2)} [data-test-icon="check-circle"]`)
-        .exists('renders current version icon');
-      assert.dom(PAGE.infoRowValue('foo-two')).hasText('***********');
-      await click(PAGE.infoRowToggleMasked('foo-two'));
-      assert.dom(PAGE.infoRowValue('foo-two')).hasText('supersecret', 'secret value shows after toggle');
-    });
-
-    test('namespace: it manages state throughout delete, destroy and undelete operations', async function (assert) {
-      assert.expect(34);
-      const backend = this.backend;
-      const ns = this.namespace;
-      const secret = 'my-delete-secret';
-      await writeVersionedSecret(backend, secret, 'foo', 'bar', 2, ns);
-      await navToEngine(backend);
-
-      await click(PAGE.list.item(secret));
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/${secret}/details?namespace=${ns}&version=2`,
-        'navigates to details'
-      );
-
-      // correct toolbar options & details show
-      assertDeleteActions(assert);
-      await assertVersionDropdown(assert);
-      // delete flow
-      await click(PAGE.detail.delete);
-      await click(PAGE.detail.deleteOption);
-      await click(PAGE.detail.deleteConfirm);
-      // check empty state and toolbar
-      assertDeleteActions(assert, ['undelete', 'destroy']);
-      assert
-        .dom(PAGE.emptyStateTitle)
-        .hasText('Version 2 of this secret has been deleted', 'Shows deleted message');
-      assert.dom(PAGE.detail.versionTimestamp).includesText('Version 2 deleted');
-      await assertVersionDropdown(assert, [2]); // important to test dropdown versions are accurate
-
-      // navigate to sibling route to make sure empty state remains for details tab
-      await click(PAGE.secretTab('Version History'));
-      assert.dom(PAGE.versions.linkedBlock()).exists({ count: 2 });
-
-      // back to secret tab to confirm deleted state
-      await click(PAGE.secretTab('Secret'));
-      // if this assertion fails, the view is rendering a stale model
-      assert.dom(PAGE.emptyStateTitle).exists('still renders empty state!!');
-      await assertVersionDropdown(assert, [2]);
-
-      // undelete flow
-      await click(PAGE.detail.undelete);
-      // details update accordingly
-      assertDeleteActions(assert, ['delete', 'destroy']);
-      assert.dom(PAGE.infoRow).exists('shows secret data');
-      assert.dom(PAGE.detail.versionTimestamp).includesText('Version 2 created');
-
-      // destroy flow
-      await click(PAGE.detail.destroy);
-      await click(PAGE.detail.deleteConfirm);
-      assertDeleteActions(assert, []);
-      assert
-        .dom(PAGE.emptyStateTitle)
-        .hasText('Version 2 of this secret has been permanently destroyed', 'Shows destroyed message');
-
-      // navigate to sibling route to make sure empty state remains for details tab
-      await click(PAGE.secretTab('Version History'));
-      assert.dom(PAGE.versions.linkedBlock()).exists({ count: 2 });
-
-      // back to secret tab to confirm destroyed state
-      await click(PAGE.secretTab('Secret'));
-      // if this assertion fails, the view is rendering a stale model
-      assert.dom(PAGE.emptyStateTitle).exists('still renders empty state!!');
-      await assertVersionDropdown(assert, [2]);
-    });
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+)
+
+func testSSHCommand(tb testing.TB) (*cli.MockUi, *SSHCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &SSHCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestSSHCommand_Run(t *testing.T) {
+	t.Parallel()
+	t.Skip("Need a way to setup target infrastructure")
+}
+
+func TestParseSSHCommand(t *testing.T) {
+	t.Parallel()
+
+	_, cmd := testSSHCommand(t)
+	tests := []struct {
+		name     string
+		args     []string
+		hostname string
+		username string
+		port     string
+		err      error
+	}{
+		{
+			"Parse just a hostname",
+			[]string{
+				"hostname",
+			},
+			"hostname",
+			"",
+			"",
+			nil,
+		},
+		{
+			"Parse the standard username@hostname",
+			[]string{
+				"username@hostname",
+			},
+			"hostname",
+			"username",
+			"",
+			nil,
+		},
+		{
+			"Parse the username out of -o User=username",
+			[]string{
+				"-o", "User=username",
+				"hostname",
+			},
+			"hostname",
+			"username",
+			"",
+			nil,
+		},
+		{
+			"If the username is specified with -o User=username and realname@hostname prefer realname@",
+			[]string{
+				"-o", "User=username",
+				"realname@hostname",
+			},
+			"hostname",
+			"realname",
+			"",
+			nil,
+		},
+		{
+			"Parse the port out of -o Port=2222",
+			[]string{
+				"-o", "Port=2222",
+				"hostname",
+			},
+			"hostname",
+			"",
+			"2222",
+			nil,
+		},
+		{
+			"Parse the port out of -p 2222",
+			[]string{
+				"-p", "2222",
+				"hostname",
+			},
+			"hostname",
+			"",
+			"2222",
+			nil,
+		},
+		{
+			"If port is defined with -o Port=2222 and -p 2244 prefer -p",
+			[]string{
+				"-p", "2244",
+				"-o", "Port=2222",
+				"hostname",
+			},
+			"hostname",
+			"",
+			"2244",
+			nil,
+		},
+		{
+			"Ssh args with a command",
+			[]string{
+				"hostname",
+				"command",
+			},
+			"hostname",
+			"",
+			"",
+			nil,
+		},
+		{
+			"Flags after the ssh command are not passed because they are part of the command",
+			[]string{
+				"username@hostname",
+				"command",
+				"-p 22",
+			},
+			"hostname",
+			"username",
+			"",
+			nil,
+		},
+		{
+			"Allow single args which don't have a value",
+			[]string{
+				"-v",
+				"hostname",
+			},
+			"hostname",
+			"",
+			"",
+			nil,
+		},
+		{
+			"Allow single args before and after the hostname and command",
+			[]string{
+				"-v",
+				"hostname",
+				"-v",
+				"command",
+				"-v",
+			},
+			"hostname",
+			"",
+			"",
+			nil,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			hostname, username, port, err := cmd.parseSSHCommand(test.args)
+			if err != test.err {
+				t.Errorf("got error: %q want %q", err, test.err)
+			}
+			if hostname != test.hostname {
+				t.Errorf("got hostname: %q want %q", hostname, test.hostname)
+			}
+			if username != test.username {
+				t.Errorf("got username: %q want %q", username, test.username)
+			}
+			if port != test.port {
+				t.Errorf("got port: %q want %q", port, test.port)
+			}
+		})
+	}
+}
+
+func TestIsSingleSSHArg(t *testing.T) {
+	t.Parallel()
+
+	_, cmd := testSSHCommand(t)
+	tests := []struct {
+		name string
+		arg  string
+		want bool
+	}{
+		{
+			"-v is a single ssh arg",
+			"-v",
+			true,
+		},
+		{
+			"-o is NOT a single ssh arg",
+			"-o",
+			false,
+		},
+		{
+			"Repeated args like -vvv is still a single ssh arg",
+			"-vvv",
+			true,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			got := cmd.isSingleSSHArg(test.arg)
+			if got != test.want {
+				t.Errorf("arg %q got %v want %v", test.arg, got, test.want)
+			}
+		})
+	}
+}
+
+// TestSSHCommandOmitFlagWarning checks if flags warning messages are printed
+// in the output of the CLI command or not. If so, it will fail.
+func TestSSHCommandOmitFlagWarning(t *testing.T) {
+	t.Parallel()
+
+	ui, cmd := testSSHCommand(t)
+
+	_ = cmd.Run([]string{"-mode", "ca", "-role", "otp_key_role", "user@1.2.3.4", "-extraFlag", "bug"})
+
+	combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+	if strings.Contains(combined, "Command flags must be provided before positional arguments. The following arguments will not be parsed as flags") {
+		t.Fatalf("ssh command displayed flag warnings")
+	}
+}
diff --git a/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-navigation-test.js b/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-navigation-test.js
index 54327e8d350c..3ce3fb96bb3b 100644
--- a/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-navigation-test.js
+++ b/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-navigation-test.js
@@ -1,1270 +1,114 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { v4 as uuidv4 } from 'uuid';
-import { click, currentRouteName, currentURL, typeIn, visit, waitUntil } from '@ember/test-helpers';
-import { setupApplicationTest } from 'vault/tests/helpers';
-import authPage from 'vault/tests/pages/auth';
-import {
-  createPolicyCmd,
-  deleteEngineCmd,
-  mountEngineCmd,
-  runCmd,
-  createTokenCmd,
-  tokenWithPolicyCmd,
-} from 'vault/tests/helpers/commands';
-import { personas } from 'vault/tests/helpers/policy-generator/kv';
-import {
-  addSecretMetadataCmd,
-  clearRecords,
-  writeSecret,
-  writeVersionedSecret,
-} from 'vault/tests/helpers/kv/kv-run-commands';
-import { FORM, PAGE } from 'vault/tests/helpers/kv/kv-selectors';
-import { setupControlGroup, grantAccess } from 'vault/tests/helpers/control-groups';
-
-const secretPath = `my-#:$=?-secret`;
-// This doesn't encode in a normal way, so hardcoding it here until we sort that out
-const secretPathUrlEncoded = `my-%23:$=%3F-secret`;
-const navToBackend = async (backend) => {
-  await visit(`/vault/secrets`);
-  return click(PAGE.backends.link(backend));
-};
-const assertCorrectBreadcrumbs = (assert, expected) => {
-  assert.dom(PAGE.breadcrumb).exists({ count: expected.length }, 'correct number of breadcrumbs');
-  const breadcrumbs = document.querySelectorAll(PAGE.breadcrumb);
-  expected.forEach((text, idx) => {
-    assert.dom(breadcrumbs[idx]).includesText(text, `position ${idx} breadcrumb includes text ${text}`);
-  });
-};
-const assertDetailTabs = (assert, current, hidden = []) => {
-  const allTabs = ['Secret', 'Metadata', 'Paths', 'Version History'];
-  allTabs.forEach((tab) => {
-    if (hidden.includes(tab)) {
-      assert.dom(PAGE.secretTab(tab)).doesNotExist(`${tab} tab does not render`);
-      return;
-    }
-    assert.dom(PAGE.secretTab(tab)).hasText(tab);
-    if (current === tab) {
-      assert.dom(PAGE.secretTab(tab)).hasClass('active');
-    } else {
-      assert.dom(PAGE.secretTab(tab)).doesNotHaveClass('active');
-    }
-  });
-};
-const DETAIL_TOOLBARS = ['delete', 'destroy', 'copy', 'versionDropdown', 'createNewVersion'];
-const assertDetailsToolbar = (assert, expected = DETAIL_TOOLBARS) => {
-  assert
-    .dom(PAGE.toolbarAction)
-    .exists({ count: expected.length }, 'correct number of toolbar actions render');
-  DETAIL_TOOLBARS.forEach((toolbar) => {
-    if (expected.includes(toolbar)) {
-      assert.dom(PAGE.detail[toolbar]).exists(`${toolbar} toolbar action exists`);
-    } else {
-      assert.dom(PAGE.detail[toolbar]).doesNotExist(`${toolbar} toolbar action not rendered`);
-    }
-  });
-};
-
-/**
- * This test set is for testing the navigation, breadcrumbs, and tabs.
- * Letter(s) in parenthesis at the end are shorthand for the persona,
- * for ease of tracking down specific tests failures from CI
- */
-module('Acceptance | kv-v2 workflow | navigation', function (hooks) {
-  setupApplicationTest(hooks);
-
-  hooks.beforeEach(async function () {
-    const uid = uuidv4();
-    this.store = this.owner.lookup('service:store');
-    this.emptyBackend = `kv-empty-${uid}`;
-    this.backend = `kv-nav-${uid}`;
-    await authPage.login();
-    await runCmd(mountEngineCmd('kv-v2', this.emptyBackend), false);
-    await runCmd(mountEngineCmd('kv-v2', this.backend), false);
-    await writeSecret(this.backend, 'app/nested/secret', 'foo', 'bar');
-    await writeVersionedSecret(this.backend, secretPath, 'foo', 'bar', 3);
-    await runCmd(addSecretMetadataCmd(this.backend, secretPath, { max_versions: 5, cas_required: true }));
-    return;
-  });
-
-  hooks.afterEach(async function () {
-    await authPage.login();
-    await runCmd(deleteEngineCmd(this.backend));
-    await runCmd(deleteEngineCmd(this.emptyBackend));
-    return;
-  });
-
-  module('admin persona', function (hooks) {
-    hooks.beforeEach(async function () {
-      const token = await runCmd(
-        tokenWithPolicyCmd('admin', personas.admin(this.backend) + personas.admin(this.emptyBackend))
-      );
-      await authPage.login(token);
-      clearRecords(this.store);
-      return;
-    });
-    test('empty backend - breadcrumbs, title, tabs, emptyState (a)', async function (assert) {
-      assert.expect(18);
-      const backend = this.emptyBackend;
-      await navToBackend(backend);
-
-      // URL correct
-      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list`, 'lands on secrets list page');
-      // Breadcrumbs correct
-      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
-      // Title correct
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
-      // Tabs correct
-      assert.dom(PAGE.secretTab('Secrets')).hasText('Secrets');
-      assert.dom(PAGE.secretTab('Secrets')).hasClass('active');
-      assert.dom(PAGE.secretTab('Configuration')).hasText('Configuration');
-      assert.dom(PAGE.secretTab('Configuration')).doesNotHaveClass('active');
-      // Toolbar correct
-      assert.dom(PAGE.toolbar).exists({ count: 1 }, 'toolbar renders');
-      assert.dom(PAGE.list.filter).doesNotExist('List filter does not show because no secrets exists.');
-      // Page content correct
-      assert.dom(PAGE.emptyStateTitle).hasText('No secrets yet');
-      assert.dom(PAGE.emptyStateActions).hasText('Create secret');
-      assert.dom(PAGE.list.createSecret).hasText('Create secret');
-
-      // Click empty state CTA
-      await click(`${PAGE.emptyStateActions} a`);
-      assert.ok(
-        currentURL().startsWith(`/vault/secrets/${backend}/kv/create`),
-        `url includes /vault/secrets/${backend}/kv/create`
-      );
-
-      // Click cancel btn
-      await click(FORM.cancelBtn);
-      assert.ok(
-        currentURL().startsWith(`/vault/secrets/${backend}/kv/list`),
-        `url includes /vault/secrets/${backend}/kv/list`
-      );
-
-      // click toolbar CTA
-      await click(PAGE.list.createSecret);
-      assert.ok(
-        currentURL().startsWith(`/vault/secrets/${backend}/kv/create`),
-        `url includes /vault/secrets/${backend}/kv/create`
-      );
-
-      // Click cancel btn
-      await click(FORM.cancelBtn);
-      assert.ok(
-        currentURL().startsWith(`/vault/secrets/${backend}/kv/list`),
-        `url includes /vault/secrets/${backend}/kv/list`
-      );
-    });
-    test('can access nested secret (a)', async function (assert) {
-      assert.expect(40);
-      const backend = this.backend;
-      await navToBackend(backend);
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'title text correct');
-      assert.dom(PAGE.emptyStateTitle).doesNotExist('No empty state');
-      assertCorrectBreadcrumbs(assert, ['secret', backend]);
-      assert.dom(PAGE.list.filter).hasNoValue('List filter input is empty');
-
-      // Navigate through list items
-      await click(PAGE.list.item('app/'));
-      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list/app/`);
-      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app']);
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
-      assert.dom(PAGE.list.filter).hasValue('app/', 'List filter input is prefilled');
-      assert.dom(PAGE.list.item('nested/')).exists('Shows nested secret');
-
-      await click(PAGE.list.item('nested/'));
-      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list/app/nested/`);
-      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested']);
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
-      assert.dom(PAGE.list.filter).hasValue('app/nested/', 'List filter input is prefilled');
-      assert.dom(PAGE.list.item('secret')).exists('Shows deeply nested secret');
-
-      await click(PAGE.list.item('secret'));
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/app%2Fnested%2Fsecret/details?version=1`
-      );
-      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested', 'secret']);
-      assert.dom(PAGE.title).hasText('app/nested/secret', 'title is full secret path');
-      assertDetailsToolbar(assert);
-
-      await click(PAGE.breadcrumbAtIdx(3));
-      assert.ok(
-        currentURL().startsWith(`/vault/secrets/${backend}/kv/list/app/nested/`),
-        'links back to list directory'
-      );
-
-      await click(PAGE.breadcrumbAtIdx(2));
-      assert.ok(
-        currentURL().startsWith(`/vault/secrets/${backend}/kv/list/app/`),
-        'links back to list directory'
-      );
-
-      await click(PAGE.breadcrumbAtIdx(1));
-      assert.ok(currentURL().startsWith(`/vault/secrets/${backend}/kv/list`), 'links back to list root');
-    });
-    test('versioned secret nav, tabs, breadcrumbs (a)', async function (assert) {
-      assert.expect(45);
-      const backend = this.backend;
-      await navToBackend(backend);
-      await click(PAGE.list.item(secretPath));
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=3`,
-        'Url includes version query param'
-      );
-      assert.dom(PAGE.title).hasText(secretPath, 'title is correct on detail view');
-      assertDetailTabs(assert, 'Secret');
-      assert.dom(PAGE.detail.versionDropdown).hasText('Version 3', 'Version dropdown shows current version');
-      assert.dom(PAGE.detail.createNewVersion).hasText('Create new version', 'Create version button shows');
-      assert.dom(PAGE.detail.versionTimestamp).containsText('Version 3 created');
-      assert.dom(PAGE.infoRowValue('foo')).exists('renders current data');
-
-      await click(PAGE.detail.createNewVersion);
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details/edit?version=3`,
-        'Url includes version query param'
-      );
-      assert.dom(FORM.versionAlert).doesNotExist('Does not show version alert for current version');
-      assert.dom(FORM.inputByAttr('path')).isDisabled();
-
-      await click(FORM.cancelBtn);
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=3`,
-        'Goes back to detail view'
-      );
-
-      await click(PAGE.detail.versionDropdown);
-      await click(`${PAGE.detail.version(1)} a`);
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=1`,
-        'Goes to detail view for version 1'
-      );
-      assert.dom(PAGE.detail.versionDropdown).hasText('Version 1', 'Version dropdown shows selected version');
-      assert.dom(PAGE.detail.versionTimestamp).containsText('Version 1 created');
-      assert.dom(PAGE.infoRowValue('key-1')).exists('renders previous data');
-
-      await click(PAGE.detail.createNewVersion);
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details/edit?version=1`,
-        'Url includes version query param'
-      );
-      assert.dom(FORM.inputByAttr('path')).isDisabled();
-      assert.dom(FORM.keyInput()).hasValue('key-1', 'pre-populates form with selected version data');
-      assert.dom(FORM.maskedValueInput()).hasValue('val-1', 'pre-populates form with selected version data');
-      assert.dom(FORM.versionAlert).exists('Shows version alert');
-      await click(FORM.cancelBtn);
-
-      await click(PAGE.secretTab('Metadata'));
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata`,
-        `goes to metadata page`
-      );
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
-      assert.dom(PAGE.title).hasText(secretPath);
-      assert
-        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateTitle}`)
-        .hasText('No custom metadata');
-      assert
-        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateActions}`)
-        .hasText('Add metadata', 'empty state has metadata CTA');
-      assert.dom(PAGE.metadata.editBtn).hasText('Edit metadata');
-
-      await click(PAGE.metadata.editBtn);
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata/edit`,
-        `goes to metadata edit page`
-      );
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata', 'edit']);
-      await click(FORM.cancelBtn);
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata`,
-        `cancel btn goes back to metadata page`
-      );
-    });
-    test('breadcrumbs & page titles are correct (a)', async function (assert) {
-      assert.expect(45);
-      const backend = this.backend;
-      await navToBackend(backend);
-      await click(PAGE.secretTab('Configuration'));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, 'configuration']);
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for configuration');
-
-      await click(PAGE.secretTab('Secrets'));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for secret list');
-
-      await click(PAGE.list.item(secretPath));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath]);
-      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for secret detail');
-
-      await click(PAGE.detail.createNewVersion);
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'edit']);
-      assert.dom(PAGE.title).hasText('Create New Version', 'correct page title for secret edit');
-
-      await click(PAGE.breadcrumbAtIdx(2));
-      await click(PAGE.secretTab('Metadata'));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
-      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for metadata');
-
-      await click(PAGE.metadata.editBtn);
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata', 'edit']);
-      assert.dom(PAGE.title).hasText('Edit Secret Metadata', 'correct page title for metadata edit');
-
-      await click(PAGE.breadcrumbAtIdx(3));
-      await click(PAGE.secretTab('Paths'));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'paths']);
-      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for paths');
-
-      await click(PAGE.secretTab('Version History'));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'version history']);
-      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for version history');
-    });
-  });
-
-  module('data-reader persona', function (hooks) {
-    hooks.beforeEach(async function () {
-      const token = await runCmd([
-        createPolicyCmd(
-          'data-reader',
-          personas.dataReader(this.backend) + personas.dataReader(this.emptyBackend)
-        ),
-        createTokenCmd('data-reader'),
-      ]);
-      await authPage.login(token);
-      clearRecords(this.store);
-      return;
-    });
-    test('empty backend - breadcrumbs, title, tabs, emptyState (dr)', async function (assert) {
-      assert.expect(16);
-      const backend = this.emptyBackend;
-      await navToBackend(backend);
-
-      // URL correct
-      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list`, 'lands on secrets list page');
-      // Breadcrumbs correct
-      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
-      // Title correct
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
-      // Tabs correct
-      assert.dom(PAGE.secretTab('Secrets')).hasText('Secrets');
-      assert.dom(PAGE.secretTab('Secrets')).hasClass('active');
-      assert.dom(PAGE.secretTab('Configuration')).hasText('Configuration');
-      assert.dom(PAGE.secretTab('Configuration')).doesNotHaveClass('active');
-      // Toolbar correct
-      assert.dom(PAGE.toolbar).exists({ count: 1 }, 'toolbar renders');
-      assert
-        .dom(PAGE.list.filter)
-        .doesNotExist('list filter input does not render because no list capabilities');
-      // Page content correct
-      assert
-        .dom(PAGE.emptyStateTitle)
-        .doesNotExist('empty state does not render because no metadata access to list');
-      assert.dom(PAGE.list.overviewCard).exists('renders overview card');
-
-      await typeIn(PAGE.list.overviewInput, 'directory/');
-      await click(PAGE.list.overviewButton);
-      assert
-        .dom('[data-test-inline-error-message]')
-        .hasText('You do not have the required permissions or the directory does not exist.');
-
-      // click toolbar CTA
-      await visit(`/vault/secrets/${backend}/kv/list`);
-      await click(PAGE.list.createSecret);
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/create`,
-        `url includes /vault/secrets/${backend}/kv/create`
-      );
-
-      // Click cancel btn
-      await click(FORM.cancelBtn);
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/list`,
-        `url includes /vault/secrets/${backend}/kv/list`
-      );
-    });
-    test('can access nested secret (dr)', async function (assert) {
-      assert.expect(23);
-      const backend = this.backend;
-      await navToBackend(backend);
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'title text correct');
-      assert.dom(PAGE.emptyStateTitle).doesNotExist('No empty state');
-      assertCorrectBreadcrumbs(assert, ['secret', backend]);
-      assert
-        .dom(PAGE.list.filter)
-        .doesNotExist('List filter input does not render because no list capabilities');
-
-      await typeIn(PAGE.list.overviewInput, 'app/nested/secret');
-      await click(PAGE.list.overviewButton);
-
-      // Goes to correct detail view
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/app%2Fnested%2Fsecret/details?version=1`
-      );
-      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested', 'secret']);
-      assert.dom(PAGE.title).hasText('app/nested/secret', 'title is full secret path');
-      assertDetailsToolbar(assert, ['copy']);
-
-      await click(PAGE.breadcrumbAtIdx(3));
-      assert.ok(
-        currentURL().startsWith(`/vault/secrets/${backend}/kv/list/app/nested/`),
-        'links back to list directory'
-      );
-
-      await click(PAGE.breadcrumbAtIdx(2));
-      assert.ok(
-        currentURL().startsWith(`/vault/secrets/${backend}/kv/list/app/`),
-        'links back to list directory'
-      );
-
-      await click(PAGE.breadcrumbAtIdx(1));
-      assert.ok(currentURL().startsWith(`/vault/secrets/${backend}/kv/list`), 'links back to list root');
-    });
-    test('versioned secret nav, tabs, breadcrumbs (dr)', async function (assert) {
-      assert.expect(28);
-      const backend = this.backend;
-      await navToBackend(backend);
-
-      // Navigate to secret
-      await typeIn(PAGE.list.overviewInput, secretPath);
-      await click(PAGE.list.overviewButton);
-
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=3`,
-        'Url includes version query param'
-      );
-      assert.dom(PAGE.title).hasText(secretPath, 'Goes to secret detail view');
-      assertDetailTabs(assert, 'Secret', ['Version History']);
-      assert.dom(PAGE.detail.versionDropdown).doesNotExist('Version dropdown hidden');
-      assert.dom(PAGE.detail.createNewVersion).doesNotExist('unable to create a new version');
-      assert.dom(PAGE.detail.versionTimestamp).containsText('Version 3 created');
-      assert.dom(PAGE.infoRowValue('foo')).exists('renders current data');
-
-      // data-reader can't navigate to older versions, but they can go to page directly
-      await visit(`/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=1`);
-      assert.dom(PAGE.detail.versionDropdown).doesNotExist('Version dropdown does not exist');
-      assert.dom(PAGE.detail.versionTimestamp).containsText('Version 1 created');
-      assert.dom(PAGE.infoRowValue('key-1')).exists('renders previous data');
-
-      assert.dom(PAGE.detail.createNewVersion).doesNotExist('cannot create new version');
-
-      await click(PAGE.secretTab('Metadata'));
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata`,
-        `goes to metadata page`
-      );
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
-      assert.dom(PAGE.title).hasText(secretPath);
-      assert.dom(PAGE.toolbarAction).doesNotExist('no toolbar actions available on metadata');
-      assert
-        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateTitle}`)
-        .hasText('No custom metadata');
-      assert
-        .dom(`${PAGE.metadata.secretMetadataSection} ${PAGE.emptyStateTitle}`)
-        .hasText('You do not have access to secret metadata');
-      assert.dom(PAGE.metadata.editBtn).doesNotExist('edit button hidden');
-    });
-    test('breadcrumbs & page titles are correct (dr)', async function (assert) {
-      assert.expect(35);
-      const backend = this.backend;
-      await navToBackend(backend);
-      await click(PAGE.secretTab('Configuration'));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, 'configuration']);
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'title correct on config page');
-
-      await click(PAGE.secretTab('Secrets'));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'title correct on secrets list');
-
-      await typeIn(PAGE.list.overviewInput, 'app/nested/secret');
-      await click(PAGE.list.overviewButton);
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, 'app', 'nested', 'secret']);
-      assert.dom(PAGE.title).hasText('app/nested/secret', 'title correct on secret detail');
-
-      assert.dom(PAGE.detail.createNewVersion).doesNotExist('cannot create new version');
-
-      await click(PAGE.secretTab('Metadata'));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, 'app', 'nested', 'secret', 'metadata']);
-      assert.dom(PAGE.title).hasText('app/nested/secret', 'title correct on metadata');
-
-      assert.dom(PAGE.metadata.editBtn).doesNotExist('cannot edit metadata');
-
-      await click(PAGE.secretTab('Paths'));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, 'app', 'nested', 'secret', 'paths']);
-      assert.dom(PAGE.title).hasText('app/nested/secret', 'correct page title for paths');
-
-      assert.dom(PAGE.secretTab('Version History')).doesNotExist('Version History tab not shown');
-    });
-  });
-
-  module('data-list-reader persona', function (hooks) {
-    hooks.beforeEach(async function () {
-      const token = await runCmd([
-        createPolicyCmd(
-          'data-reader-list',
-          personas.dataListReader(this.backend) + personas.dataListReader(this.emptyBackend)
-        ),
-        createTokenCmd('data-reader-list'),
-      ]);
-
-      await authPage.login(token);
-      clearRecords(this.store);
-      return;
-    });
-    test('empty backend - breadcrumbs, title, tabs, emptyState (dlr)', async function (assert) {
-      assert.expect(18);
-      const backend = this.emptyBackend;
-      await navToBackend(backend);
-
-      // URL correct
-      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list`, 'lands on secrets list page');
-      // Breadcrumbs correct
-      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
-      // Title correct
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
-      // Tabs correct
-      assert.dom(PAGE.secretTab('Secrets')).hasText('Secrets');
-      assert.dom(PAGE.secretTab('Secrets')).hasClass('active');
-      assert.dom(PAGE.secretTab('Configuration')).hasText('Configuration');
-      assert.dom(PAGE.secretTab('Configuration')).doesNotHaveClass('active');
-      // Toolbar correct
-      assert.dom(PAGE.toolbar).exists({ count: 1 }, 'toolbar renders');
-      assert.dom(PAGE.list.filter).doesNotExist('List filter does not show because no secrets exists.');
-      // Page content correct
-      assert.dom(PAGE.emptyStateTitle).hasText('No secrets yet');
-      assert.dom(PAGE.emptyStateActions).hasText('Create secret');
-      assert.dom(PAGE.list.createSecret).hasText('Create secret');
-
-      // Click empty state CTA
-      await click(`${PAGE.emptyStateActions} a`);
-      assert.ok(
-        currentURL().startsWith(`/vault/secrets/${backend}/kv/create`),
-        `url includes /vault/secrets/${backend}/kv/create`
-      );
-
-      // Click cancel btn
-      await click(FORM.cancelBtn);
-      assert.ok(
-        currentURL().startsWith(`/vault/secrets/${backend}/kv/list`),
-        `url includes /vault/secrets/${backend}/kv/list`
-      );
-
-      // click toolbar CTA
-      await click(PAGE.list.createSecret);
-      assert.ok(
-        currentURL().startsWith(`/vault/secrets/${backend}/kv/create`),
-        `url includes /vault/secrets/${backend}/kv/create`
-      );
-
-      // Click cancel btn
-      await click(FORM.cancelBtn);
-      assert.ok(
-        currentURL().startsWith(`/vault/secrets/${backend}/kv/list`),
-        `url includes /vault/secrets/${backend}/kv/list`
-      );
-    });
-    test('can access nested secret (dlr)', async function (assert) {
-      assert.expect(31);
-      const backend = this.backend;
-      await navToBackend(backend);
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'title text correct');
-      assert.dom(PAGE.emptyStateTitle).doesNotExist('No empty state');
-      assertCorrectBreadcrumbs(assert, ['secret', backend]);
-      assert.dom(PAGE.list.filter).hasNoValue('List filter input is empty');
-
-      // Navigate through list items
-      await click(PAGE.list.item('app/'));
-      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list/app/`);
-      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app']);
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
-      assert.dom(PAGE.list.filter).doesNotExist('List filter hidden since no nested list access');
-
-      assert
-        .dom(PAGE.list.overviewInput)
-        .hasValue('app/', 'overview card is pre-filled with directory param');
-      await typeIn(PAGE.list.overviewInput, 'nested/secret');
-      await click(PAGE.list.overviewButton);
-
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/app%2Fnested%2Fsecret/details?version=1`
-      );
-      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested', 'secret']);
-      assert.dom(PAGE.title).hasText('app/nested/secret', 'title is full secret path');
-      assertDetailsToolbar(assert, ['delete', 'copy']);
-
-      await click(PAGE.breadcrumbAtIdx(3));
-      assert.ok(
-        currentURL().startsWith(`/vault/secrets/${backend}/kv/list/app/nested/`),
-        'links back to list directory'
-      );
-
-      await click(PAGE.breadcrumbAtIdx(2));
-      assert.ok(
-        currentURL().startsWith(`/vault/secrets/${backend}/kv/list/app/`),
-        'links back to list directory'
-      );
-
-      await click(PAGE.breadcrumbAtIdx(1));
-      assert.ok(currentURL().startsWith(`/vault/secrets/${backend}/kv/list`), 'links back to list root');
-    });
-    test('versioned secret nav, tabs, breadcrumbs (dlr)', async function (assert) {
-      assert.expect(28);
-      const backend = this.backend;
-      await navToBackend(backend);
-      await click(PAGE.list.item(secretPath));
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=3`,
-        'Url includes version query param'
-      );
-      assert.dom(PAGE.title).hasText(secretPath, 'Goes to secret detail view');
-      assertDetailTabs(assert, 'Secret', ['Version History']);
-      assert.dom(PAGE.detail.versionDropdown).doesNotExist('does not show version dropdown');
-      assert.dom(PAGE.detail.createNewVersion).doesNotExist('unable to create a new version');
-      assert.dom(PAGE.detail.versionTimestamp).containsText('Version 3 created');
-      assert.dom(PAGE.infoRowValue('foo')).exists('renders current data');
-
-      assert.dom(PAGE.detail.createNewVersion).doesNotExist('cannot create new version');
-
-      // data-list-reader can't navigate to older versions, but they can go to page directly
-      await visit(`/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=1`);
-      assert.dom(PAGE.detail.versionDropdown).doesNotExist('no version dropdown');
-      assert.dom(PAGE.detail.versionTimestamp).containsText('Version 1 created');
-      assert.dom(PAGE.infoRowValue('key-1')).exists('renders previous data');
-
-      assert.dom(PAGE.detail.createNewVersion).doesNotExist('cannot create new version from old version');
-
-      await click(PAGE.secretTab('Metadata'));
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata`,
-        `goes to metadata page`
-      );
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
-      assert.dom(PAGE.title).hasText(secretPath);
-      assert
-        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateTitle}`)
-        .hasText('No custom metadata');
-      assert
-        .dom(`${PAGE.metadata.secretMetadataSection} ${PAGE.emptyStateTitle}`)
-        .hasText('You do not have access to secret metadata');
-      assert.dom(PAGE.metadata.editBtn).doesNotExist('edit button hidden');
-    });
-    test('breadcrumbs & page titles are correct (dlr)', async function (assert) {
-      assert.expect(29);
-      const backend = this.backend;
-      await navToBackend(backend);
-
-      await click(PAGE.secretTab('Configuration'));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, 'configuration']);
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for configuration');
-
-      await click(PAGE.secretTab('Secrets'));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for secret list');
-
-      await click(PAGE.list.item(secretPath));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath]);
-      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for secret detail');
-
-      assert.dom(PAGE.detail.createNewVersion).doesNotExist('cannot create new version');
-
-      await click(PAGE.secretTab('Metadata'));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
-      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for metadata');
-
-      assert.dom(PAGE.metadata.editBtn).doesNotExist('cannot edit metadata');
-
-      await click(PAGE.secretTab('Paths'));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'paths']);
-      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for paths');
-
-      assert.dom(PAGE.secretTab('Version History')).doesNotExist('Version History tab not shown');
-    });
-  });
-
-  module('metadata-maintainer persona', function (hooks) {
-    hooks.beforeEach(async function () {
-      const token = await runCmd([
-        createPolicyCmd(
-          'metadata-maintainer',
-          personas.metadataMaintainer(this.backend) + personas.metadataMaintainer(this.emptyBackend)
-        ),
-        createTokenCmd('metadata-maintainer'),
-      ]);
-      await authPage.login(token);
-      clearRecords(this.store);
-      return;
-    });
-    test('empty backend - breadcrumbs, title, tabs, emptyState (mm)', async function (assert) {
-      assert.expect(18);
-      const backend = this.emptyBackend;
-      await navToBackend(backend);
-
-      // URL correct
-      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list`, 'lands on secrets list page');
-      // Breadcrumbs correct
-      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
-      // Title correct
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
-      // Tabs correct
-      assert.dom(PAGE.secretTab('Secrets')).hasText('Secrets');
-      assert.dom(PAGE.secretTab('Secrets')).hasClass('active');
-      assert.dom(PAGE.secretTab('Configuration')).hasText('Configuration');
-      assert.dom(PAGE.secretTab('Configuration')).doesNotHaveClass('active');
-      // Toolbar correct
-      assert.dom(PAGE.toolbar).exists({ count: 1 }, 'toolbar only renders create secret action');
-      assert.dom(PAGE.list.filter).doesNotExist('List filter does not show because no secrets exists.');
-      // Page content correct
-      assert.dom(PAGE.emptyStateTitle).hasText('No secrets yet');
-      assert.dom(PAGE.emptyStateActions).hasText('Create secret');
-      assert.dom(PAGE.list.createSecret).hasText('Create secret');
-
-      // Click empty state CTA
-      await click(`${PAGE.emptyStateActions} a`);
-      assert.ok(
-        currentURL().startsWith(`/vault/secrets/${backend}/kv/create`),
-        `url includes /vault/secrets/${backend}/kv/create`
-      );
-
-      // Click cancel btn
-      await click(FORM.cancelBtn);
-      assert.ok(
-        currentURL().startsWith(`/vault/secrets/${backend}/kv/list`),
-        `url includes /vault/secrets/${backend}/kv/list`
-      );
-
-      // click toolbar CTA
-      await click(PAGE.list.createSecret);
-      assert.ok(
-        currentURL().startsWith(`/vault/secrets/${backend}/kv/create`),
-        `url includes /vault/secrets/${backend}/kv/create`
-      );
-
-      // Click cancel btn
-      await click(FORM.cancelBtn);
-      assert.ok(
-        currentURL().startsWith(`/vault/secrets/${backend}/kv/list`),
-        `url includes /vault/secrets/${backend}/kv/list`
-      );
-    });
-    test('can access nested secret (mm)', async function (assert) {
-      assert.expect(41);
-      const backend = this.backend;
-      await navToBackend(backend);
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'title text correct');
-      assert.dom(PAGE.emptyStateTitle).doesNotExist('No empty state');
-      assertCorrectBreadcrumbs(assert, ['secret', backend]);
-      assert.dom(PAGE.list.filter).hasNoValue('List filter input is empty');
-
-      // Navigate through list items
-      await click(PAGE.list.item('app/'));
-      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list/app/`);
-      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app']);
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
-      assert.dom(PAGE.list.filter).hasValue('app/', 'List filter input is prefilled');
-      assert.dom(PAGE.list.item('nested/')).exists('Shows nested secret');
-
-      await click(PAGE.list.item('nested/'));
-      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list/app/nested/`);
-      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested']);
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
-      assert.dom(PAGE.list.filter).hasValue('app/nested/', 'List filter input is prefilled');
-      assert.dom(PAGE.list.item('secret')).exists('Shows deeply nested secret');
-
-      await click(PAGE.list.item('secret'));
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/app%2Fnested%2Fsecret/details`,
-        `Goes to URL with version`
-      );
-      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested', 'secret']);
-      assert.dom(PAGE.title).hasText('app/nested/secret', 'title is full secret path');
-      assertDetailsToolbar(assert, ['delete', 'destroy', 'versionDropdown']);
-      assert.dom(PAGE.detail.versionDropdown).hasText('Version 1', 'Shows version timestamp');
-
-      await click(PAGE.breadcrumbAtIdx(3));
-      assert.ok(
-        currentURL().startsWith(`/vault/secrets/${backend}/kv/list/app/nested/`),
-        'links back to list directory'
-      );
-
-      await click(PAGE.breadcrumbAtIdx(2));
-      assert.ok(
-        currentURL().startsWith(`/vault/secrets/${backend}/kv/list/app/`),
-        'links back to list directory'
-      );
-
-      await click(PAGE.breadcrumbAtIdx(1));
-      assert.ok(currentURL().startsWith(`/vault/secrets/${backend}/kv/list`), 'links back to list root');
-    });
-    test('versioned secret nav, tabs, breadcrumbs (mm)', async function (assert) {
-      assert.expect(37);
-      const backend = this.backend;
-      await navToBackend(backend);
-      await click(PAGE.list.item(secretPath));
-
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details`,
-        'Url includes version query param'
-      );
-      assert.dom(PAGE.title).hasText(secretPath, 'Goes to secret detail view');
-      assertDetailTabs(assert, 'Secret');
-      assert.dom(PAGE.detail.versionDropdown).hasText('Version 3', 'Version dropdown shows current version');
-      assert.dom(PAGE.detail.createNewVersion).doesNotExist('Create new version button not shown');
-      assert.dom(PAGE.detail.versionTimestamp).doesNotExist('Version created text not shown');
-      assert.dom(PAGE.infoRowValue('foo')).doesNotExist('does not render current data');
-      assert
-        .dom(PAGE.emptyStateTitle)
-        .hasText('You do not have permission to read this secret', 'Shows empty state on secret detail');
-
-      await click(PAGE.detail.versionDropdown);
-      await click(`${PAGE.detail.version(1)} a`);
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=1`,
-        'Goes to detail view for version 1'
-      );
-      assert.dom(PAGE.detail.versionDropdown).hasText('Version 1', 'Version dropdown shows selected version');
-
-      assert.dom(PAGE.infoRowValue('key-1')).doesNotExist('does not render previous data');
-      assert
-        .dom(PAGE.emptyStateTitle)
-        .hasText(
-          'You do not have permission to read this secret',
-          'Shows empty state on secret detail for older version'
-        );
-
-      await click(PAGE.secretTab('Metadata'));
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata`,
-        `goes to metadata page`
-      );
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
-      assert.dom(PAGE.title).hasText(secretPath);
-      assert
-        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateTitle}`)
-        .hasText('No custom metadata');
-      assert
-        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateActions}`)
-        .hasText('Add metadata', 'empty state has metadata CTA');
-      assert.dom(PAGE.metadata.editBtn).hasText('Edit metadata');
-
-      await click(PAGE.metadata.editBtn);
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata/edit`,
-        `goes to metadata edit page`
-      );
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata', 'edit']);
-      await click(FORM.cancelBtn);
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata`,
-        `cancel btn goes back to metadata page`
-      );
-    });
-    test('breadcrumbs & page titles are correct (mm)', async function (assert) {
-      assert.expect(39);
-      const backend = this.backend;
-      await navToBackend(backend);
-      await click(PAGE.secretTab('Configuration'));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, 'configuration']);
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for configuration');
-
-      await click(PAGE.secretTab('Secrets'));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for secret list');
-
-      await click(PAGE.list.item(secretPath));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath]);
-      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for secret detail');
-
-      await click(PAGE.secretTab('Metadata'));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
-      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for metadata');
-
-      await click(PAGE.metadata.editBtn);
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata', 'edit']);
-      assert.dom(PAGE.title).hasText('Edit Secret Metadata', 'correct page title for metadata edit');
-
-      await click(PAGE.breadcrumbAtIdx(3));
-      await click(PAGE.secretTab('Paths'));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'paths']);
-      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for paths');
-
-      await click(PAGE.secretTab('Version History'));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'version history']);
-      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for version history');
-    });
-  });
-
-  module('secret-creator persona', function (hooks) {
-    hooks.beforeEach(async function () {
-      const token = await runCmd([
-        createPolicyCmd(
-          'secret-creator',
-          personas.secretCreator(this.backend) + personas.secretCreator(this.emptyBackend)
-        ),
-        createTokenCmd('secret-creator'),
-      ]);
-      await authPage.login(token);
-      clearRecords(this.store);
-      return;
-    });
-    test('empty backend - breadcrumbs, title, tabs, emptyState (sc)', async function (assert) {
-      assert.expect(15);
-      const backend = this.emptyBackend;
-      await navToBackend(backend);
-
-      // URL correct
-      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list`, 'lands on secrets list page');
-      // Breadcrumbs correct
-      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
-      // Title correct
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
-      // Tabs correct
-      assert.dom(PAGE.secretTab('Secrets')).hasText('Secrets');
-      assert.dom(PAGE.secretTab('Secrets')).hasClass('active');
-      assert.dom(PAGE.secretTab('Configuration')).hasText('Configuration');
-      assert.dom(PAGE.secretTab('Configuration')).doesNotHaveClass('active');
-      // Toolbar correct
-      assert.dom(PAGE.toolbar).exists({ count: 1 }, 'toolbar only renders create secret action');
-      assert.dom(PAGE.list.filter).doesNotExist('List filter input is not rendered');
-      // Page content correct
-      assert.dom(PAGE.list.overviewCard).exists('Overview card renders');
-      assert.dom(PAGE.list.createSecret).hasText('Create secret');
-
-      // click toolbar CTA
-      await click(PAGE.list.createSecret);
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/create`,
-        `goes to /vault/secrets/${backend}/kv/create`
-      );
-
-      // Click cancel btn
-      await click(FORM.cancelBtn);
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/list`,
-        `url includes /vault/secrets/${backend}/kv/list`
-      );
-    });
-    test('can access nested secret (sc)', async function (assert) {
-      assert.expect(23);
-      const backend = this.backend;
-      await navToBackend(backend);
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'title text correct');
-      assert.dom(PAGE.emptyStateTitle).doesNotExist('No empty state');
-      assertCorrectBreadcrumbs(assert, ['secret', backend]);
-      assert.dom(PAGE.list.filter).doesNotExist('List filter input is not rendered');
-
-      // Navigate to secret
-      await typeIn(PAGE.list.overviewInput, 'app/nested/secret');
-      await click(PAGE.list.overviewButton);
-
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/app%2Fnested%2Fsecret/details`,
-        'goes to secret detail page'
-      );
-      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested', 'secret']);
-      assert.dom(PAGE.title).hasText('app/nested/secret', 'title is full secret path');
-      assertDetailsToolbar(assert, ['createNewVersion']);
-
-      await click(PAGE.breadcrumbAtIdx(3));
-      assert.ok(
-        currentURL().startsWith(`/vault/secrets/${backend}/kv/list/app/nested/`),
-        'links back to list directory'
-      );
-
-      await click(PAGE.breadcrumbAtIdx(2));
-      assert.ok(
-        currentURL().startsWith(`/vault/secrets/${backend}/kv/list/app/`),
-        'links back to list directory'
-      );
-
-      await click(PAGE.breadcrumbAtIdx(1));
-      assert.ok(currentURL().startsWith(`/vault/secrets/${backend}/kv/list`), 'links back to list root');
-    });
-    test('versioned secret nav, tabs, breadcrumbs (sc)', async function (assert) {
-      assert.expect(36);
-      const backend = this.backend;
-      await navToBackend(backend);
-
-      await typeIn(PAGE.list.overviewInput, secretPath);
-      await click(PAGE.list.overviewButton);
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details`,
-        'Goes to detail view'
-      );
-      assert.dom(PAGE.title).hasText(secretPath, 'Goes to secret detail view');
-      assertDetailTabs(assert, 'Secret', ['Version History']);
-      assert.dom(PAGE.detail.versionDropdown).doesNotExist('Version dropdown does not render');
-      assert.dom(PAGE.detail.createNewVersion).hasText('Create new version', 'Create version button shows');
-      assert.dom(PAGE.detail.versionTimestamp).doesNotExist('Version created info is not rendered');
-      assert.dom(PAGE.infoRowValue('foo')).doesNotExist('current data not rendered');
-      assert
-        .dom(PAGE.emptyStateTitle)
-        .hasText('You do not have permission to read this secret', 'empty state shows');
-
-      await click(PAGE.detail.createNewVersion);
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details/edit`,
-        'Goes to edit page'
-      );
-      assert.dom(FORM.versionAlert).doesNotExist('Does not show version alert for current version');
-      assert
-        .dom(FORM.noReadAlert)
-        .hasText(
-          'Warning You do not have read permissions for this secret data. Saving will overwrite the existing secret.',
-          'Shows warning about no read permissions'
-        );
-      assert.dom(FORM.inputByAttr('path')).isDisabled();
-
-      await click(FORM.cancelBtn);
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details`,
-        'Goes back to detail view'
-      );
-
-      await visit(`/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=1`);
-      assert.dom(PAGE.detail.versionDropdown).doesNotExist('Version dropdown does not exist');
-      assert.dom(PAGE.detail.versionTimestamp).doesNotExist('version created data not rendered');
-      assert.dom(PAGE.infoRowValue('key-1')).doesNotExist('does not render previous data');
-
-      await click(PAGE.detail.createNewVersion);
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details/edit?version=1`,
-        'Url includes version query param'
-      );
-      assert.dom(FORM.inputByAttr('path')).isDisabled();
-      assert.dom(FORM.keyInput()).hasValue('', 'form does not pre-populate');
-      assert.dom(FORM.maskedValueInput()).hasValue('', 'form does not pre-populate');
-      assert.dom(FORM.noReadAlert).exists('Shows no read alert');
-      await click(FORM.cancelBtn);
-
-      await click(PAGE.secretTab('Metadata'));
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata`,
-        `goes to metadata page`
-      );
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
-      assert.dom(PAGE.title).hasText(secretPath);
-      assert
-        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateTitle}`)
-        .hasText('You do not have access to read custom metadata', 'shows correct empty state');
-      assert.dom(PAGE.metadata.editBtn).doesNotExist('edit metadata button does not render');
-    });
-    test('breadcrumbs & page titles are correct (sc)', async function (assert) {
-      assert.expect(34);
-      const backend = this.backend;
-      await navToBackend(backend);
-      await click(PAGE.secretTab('Configuration'));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, 'configuration']);
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for configuration');
-
-      await click(PAGE.secretTab('Secrets'));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for secret list');
-
-      await typeIn(PAGE.list.overviewInput, secretPath);
-      await click(PAGE.list.overviewButton);
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath]);
-      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for secret detail');
-
-      await click(PAGE.detail.createNewVersion);
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'edit']);
-      assert.dom(PAGE.title).hasText('Create New Version', 'correct page title for secret edit');
-
-      await click(PAGE.breadcrumbAtIdx(2));
-      await click(PAGE.secretTab('Metadata'));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
-      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for metadata');
-
-      assert.dom(PAGE.metadata.editBtn).doesNotExist('cannot edit metadata');
-
-      await click(PAGE.breadcrumbAtIdx(2));
-      await click(PAGE.secretTab('Paths'));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'paths']);
-      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for paths');
-
-      assert.dom(PAGE.secretTab('Version History')).doesNotExist('Version History tab not shown');
-    });
-  });
-
-  module('enterprise controlled access persona', function (hooks) {
-    hooks.beforeEach(async function () {
-      // Set up control group scenario
-      const userPolicy = `
-path "${this.backend}/data/*" {
-  capabilities = ["create", "read", "update", "delete", "list"]
-  control_group = {
-    max_ttl = "24h"
-    factor "ops_manager" {
-      controlled_capabilities = ["read"]
-      identity {
-          group_names = ["managers"]
-          approvals = 1
-      }
-    }
-  }
-}
-
-path "${this.backend}/*" {
-  capabilities = ["list"]
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package standby
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/vault/helper/constants"
+	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
+	"github.com/hashicorp/vault/helper/testhelpers/teststorage"
+	"github.com/hashicorp/vault/sdk/helper/testcluster"
+	"github.com/hashicorp/vault/vault"
+	"github.com/hashicorp/vault/vault/cluster"
+)
+
+// Test_Echo_Duration_Skew tests that the sys/health and sys/ha-status endpoints
+// report reasonable values for echo duration and clock skew.
+func Test_Echo_Duration_Skew(t *testing.T) {
+	t.Parallel()
+	cases := []struct {
+		name        string
+		perfstandby bool
+	}{
+		{"standby", false},
+		{"perfstandby", true},
+	}
+	for i := range cases {
+		perfstandby := cases[i].perfstandby
+		if perfstandby && !constants.IsEnterprise {
+			continue
+		}
+		t.Run(cases[i].name, func(t *testing.T) {
+			t.Parallel()
+			conf, opts := teststorage.ClusterSetup(nil, nil, nil)
+			name := strings.Replace(t.Name(), "/", "_", -1)
+			logger := corehelpers.NewTestLogger(t)
+			layers, err := cluster.NewInmemLayerCluster(name, 3, logger)
+			if err != nil {
+				t.Fatal(err)
+			}
+			opts.ClusterLayers = layers
+			opts.Logger = logger
+			conf.DisablePerformanceStandby = !perfstandby
+			cluster := vault.NewTestCluster(t, conf, opts)
+			defer cluster.Cleanup()
+
+			ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+			defer cancel()
+			leaderIdx, err := testcluster.WaitForActiveNodeAndStandbys(ctx, cluster)
+			if err != nil {
+				t.Fatal(err)
+			}
+			leader := cluster.Nodes()[leaderIdx]
+
+			// The delay applies in both directions, hence a 0.25s delay implies a 0.5s roundtrip delay
+			layers.SetReaderDelay(time.Second / 4)
+
+			check := func(echoDuration int64, clockSkew int64) error {
+				if echoDuration < time.Second.Milliseconds()/2 {
+					return fmt.Errorf("echo duration must exceed 0.5s, got: %dms", echoDuration)
+				}
+				// Because we're using the same clock for all nodes, any clock skew will
+				// be negative, as it's based on the delta of server time across both nodes,
+				// but it doesn't factor in the round-trip time of the echo request.
+				if clockSkew == 0 || -clockSkew < time.Second.Milliseconds()/2 {
+					return fmt.Errorf("clock skew must be nonzero and exceed -0.5s, got: %dms", clockSkew)
+				}
+
+				return nil
+			}
+
+			// We need to wait for at least 2 heartbeats to happen (2s intervals)
+			corehelpers.RetryUntil(t, 5*time.Second, func() error {
+				haStatus, err := leader.APIClient().Sys().HAStatus()
+				if err != nil {
+					t.Fatal(err)
+				}
+				if len(haStatus.Nodes) < 3 {
+					return fmt.Errorf("expected 3 nodes, got %d", len(haStatus.Nodes))
+				}
+				for _, node := range haStatus.Nodes {
+					if node.ActiveNode {
+						continue
+					}
+
+					if err := check(node.EchoDurationMillis, node.ClockSkewMillis); err != nil {
+						return fmt.Errorf("ha-status node %s: %w", node.Hostname, err)
+					}
+				}
+
+				for i, node := range cluster.Nodes() {
+					if i == leaderIdx {
+						continue
+					}
+
+					h, err := node.APIClient().Sys().Health()
+					if err != nil {
+						t.Fatal(err)
+					}
+
+					if err := check(h.EchoDurationMillis, h.ClockSkewMillis); err != nil {
+						return fmt.Errorf("health node %s: %w", node.APIClient().Address(), err)
+					}
+				}
+				return nil
+			})
+		})
+	}
 }
-`;
-      const { userToken } = await setupControlGroup({ userPolicy });
-      this.userToken = userToken;
-      await authPage.login(userToken);
-      clearRecords(this.store);
-      return;
-    });
-    test('can access nested secret (cg)', async function (assert) {
-      assert.expect(42);
-      const backend = this.backend;
-      await navToBackend(backend);
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'title text correct');
-      assert.dom(PAGE.emptyStateTitle).doesNotExist('No empty state');
-      assertCorrectBreadcrumbs(assert, ['secret', backend]);
-      assert.dom(PAGE.list.filter).hasNoValue('List filter input is empty');
-
-      // Navigate through list items
-      await click(PAGE.list.item('app/'));
-      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list/app/`);
-      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app']);
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
-      assert.dom(PAGE.list.filter).hasValue('app/', 'List filter input is prefilled');
-      assert.dom(PAGE.list.item('nested/')).exists('Shows nested secret');
-
-      await click(PAGE.list.item('nested/'));
-      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list/app/nested/`);
-      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested']);
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
-      assert.dom(PAGE.list.filter).hasValue('app/nested/', 'List filter input is prefilled');
-      assert.dom(PAGE.list.item('secret')).exists('Shows deeply nested secret');
-
-      // For some reason when we click on the item in tests it throws a global control group error
-      // But not when we visit the page directly
-      await visit(`/vault/secrets/${backend}/kv/app%2Fnested%2Fsecret/details`);
-      assert.ok(
-        await waitUntil(() => currentRouteName() === 'vault.cluster.access.control-group-accessor'),
-        'redirects to access control group route'
-      );
-      await grantAccess({
-        apiPath: `${backend}/data/app/nested/secret`,
-        originUrl: `/vault/secrets/${backend}/kv/list/app/nested/`,
-        userToken: this.userToken,
-      });
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/list/app/nested/`,
-        'navigates to list url where secret is'
-      );
-      await click(PAGE.list.item('secret'));
-
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/app%2Fnested%2Fsecret/details?version=1`,
-        'goes to secret details'
-      );
-      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested', 'secret']);
-      assert.dom(PAGE.title).hasText('app/nested/secret', 'title is full secret path');
-      assertDetailsToolbar(assert, ['delete', 'copy', 'createNewVersion']);
-
-      await click(PAGE.breadcrumbAtIdx(3));
-      assert.ok(
-        currentURL().startsWith(`/vault/secrets/${backend}/kv/list/app/nested/`),
-        'links back to list directory'
-      );
-
-      await click(PAGE.breadcrumbAtIdx(2));
-      assert.ok(
-        currentURL().startsWith(`/vault/secrets/${backend}/kv/list/app/`),
-        'links back to list directory'
-      );
-
-      await click(PAGE.breadcrumbAtIdx(1));
-      assert.ok(currentURL().startsWith(`/vault/secrets/${backend}/kv/list`), 'links back to list root');
-    });
-    test('breadcrumbs & page titles are correct (cg)', async function (assert) {
-      assert.expect(36);
-      const backend = this.backend;
-      await navToBackend(backend);
-      await click(PAGE.secretTab('Configuration'));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, 'configuration']);
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for configuration');
-
-      await click(PAGE.secretTab('Secrets'));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
-      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for secret list');
-
-      await visit(`/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details`);
-
-      assert.ok(
-        await waitUntil(() => currentRouteName() === 'vault.cluster.access.control-group-accessor'),
-        'redirects to access control group route'
-      );
-
-      await grantAccess({
-        apiPath: `${backend}/data/${encodeURIComponent(secretPath)}`,
-        originUrl: `/vault/secrets/${backend}/kv/list`,
-        userToken: this.userToken,
-      });
-
-      assert.strictEqual(
-        currentURL(),
-        `/vault/secrets/${backend}/kv/list`,
-        'navigates back to list url after authorized'
-      );
-      await click(PAGE.list.item(secretPath));
-
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath]);
-      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for secret detail');
-
-      await click(PAGE.secretTab('Metadata'));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
-      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for metadata');
-
-      assert.dom(PAGE.metadata.editBtn).doesNotExist('cannot edit metadata');
-
-      await click(PAGE.breadcrumbAtIdx(2));
-      await click(PAGE.secretTab('Paths'));
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'paths']);
-      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for paths');
-
-      assert.dom(PAGE.secretTab('Version History')).doesNotExist('Version History tab not shown');
-
-      await click(PAGE.secretTab('Secret'));
-      await click(PAGE.detail.createNewVersion);
-      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'edit']);
-      assert.dom(PAGE.title).hasText('Create New Version', 'correct page title for secret edit');
-    });
-  });
-});
diff --git a/ui/tests/helpers/openapi/auth-model-attributes.js b/ui/tests/helpers/openapi/auth-model-attributes.js
index 50c86000057d..3a16a1a9b919 100644
--- a/ui/tests/helpers/openapi/auth-model-attributes.js
+++ b/ui/tests/helpers/openapi/auth-model-attributes.js
@@ -1,1294 +1,183 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
+---
+layout: docs
+page_title: Vault Proxy Static Secret Caching
+description: |-
+  Vault Proxy's static secret caching functionality allows you to cache KVv1 and KVv2 secrets for calling clients.
+  The secrets will be automatically updated by Proxy, minimizing requests made to Vault, and offering resiliency.
+---
 
-const userpass = {
-  user: {
-    username: {
-      editType: 'string',
-      helpText: 'Username for this user.',
-      fieldValue: 'mutableId',
-      fieldGroup: 'default',
-      readOnly: true,
-      label: 'Username',
-      type: 'string',
-    },
-    password: {
-      editType: 'string',
-      helpText: 'Password for this user.',
-      fieldGroup: 'default',
-      sensitive: true,
-      type: 'string',
-    },
-    tokenBoundCidrs: {
-      editType: 'stringArray',
-      helpText:
-        'A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Bound CIDRs",
-    },
-    tokenExplicitMaxTtl: {
-      editType: 'ttl',
-      helpText:
-        'If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Explicit Maximum TTL",
-    },
-    tokenMaxTtl: {
-      editType: 'ttl',
-      helpText: 'The maximum lifetime of the generated token',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Maximum TTL",
-    },
-    tokenNoDefaultPolicy: {
-      editType: 'boolean',
-      helpText: "If true, the 'default' policy will not automatically be added to generated tokens",
-      fieldGroup: 'Tokens',
-      label: "Do Not Attach 'default' Policy To Generated Tokens",
-      type: 'boolean',
-    },
-    tokenNumUses: {
-      editType: 'number',
-      helpText: 'The maximum number of times a token may be used, a value of zero means unlimited',
-      fieldGroup: 'Tokens',
-      label: 'Maximum Uses of Generated Tokens',
-      type: 'number',
-    },
-    tokenPeriod: {
-      editType: 'ttl',
-      helpText:
-        'If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. "24h").',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Period",
-    },
-    tokenPolicies: {
-      editType: 'stringArray',
-      helpText: 'A list of policies that will apply to the generated token for this user.',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Policies",
-    },
-    tokenTtl: {
-      editType: 'ttl',
-      helpText: 'The initial ttl of the token to generate',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Initial TTL",
-    },
-    tokenType: {
-      editType: 'string',
-      helpText: 'The type of token to generate, service or batch',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Type",
-      type: 'string',
-    },
-  },
-};
+# Vault Proxy static secret caching
 
-const azure = {
-  'auth-config/azure': {
-    clientId: {
-      editType: 'string',
-      fieldGroup: 'default',
-      helpText:
-        'The OAuth2 client id to connection to Azure. This value can also be provided with the AZURE_CLIENT_ID environment variable.',
-      label: 'Client ID',
-      type: 'string',
-    },
-    clientSecret: {
-      editType: 'string',
-      fieldGroup: 'default',
-      helpText:
-        'The OAuth2 client secret to connection to Azure. This value can also be provided with the AZURE_CLIENT_SECRET environment variable.',
-      type: 'string',
-    },
-    environment: {
-      editType: 'string',
-      fieldGroup: 'default',
-      helpText:
-        'The Azure environment name. If not provided, AzurePublicCloud is used. This value can also be provided with the AZURE_ENVIRONMENT environment variable.',
-      type: 'string',
-    },
-    maxRetries: {
-      editType: 'number',
-      fieldGroup: 'default',
-      helpText:
-        'The maximum number of attempts a failed operation will be retried before producing an error.',
-      type: 'number',
-    },
-    maxRetryDelay: {
-      editType: 'ttl',
-      fieldGroup: 'default',
-      helpText: 'The maximum delay allowed before retrying an operation.',
-    },
-    resource: {
-      editType: 'string',
-      fieldGroup: 'default',
-      helpText:
-        'The resource URL for the vault application in Azure Active Directory. This value can also be provided with the AZURE_AD_RESOURCE environment variable.',
-      type: 'string',
-    },
-    retryDelay: {
-      editType: 'ttl',
-      fieldGroup: 'default',
-      helpText: 'The initial amount of delay to use before retrying an operation, increasing exponentially.',
-    },
-    rootPasswordTtl: {
-      editType: 'ttl',
-      fieldGroup: 'default',
-      helpText:
-        'The TTL of the root password in Azure. This can be either a number of seconds or a time formatted duration (ex: 24h, 48ds)',
-    },
-    tenantId: {
-      editType: 'string',
-      fieldGroup: 'default',
-      helpText:
-        'The tenant id for the Azure Active Directory. This is sometimes referred to as Directory ID in AD. This value can also be provided with the AZURE_TENANT_ID environment variable.',
-      label: 'Tenant ID',
-      type: 'string',
-    },
-  },
-};
+Use static secret caching with Vault Proxy to cache KVv1 and KVv2 secrets to
+minimize requests made to Vault and provide resilient connections for clients.
 
-const cert = {
-  'auth-config/cert': {
-    disableBinding: {
-      editType: 'boolean',
-      helpText:
-        'If set, during renewal, skips the matching of presented client identity with the client identity used during login. Defaults to false.',
-      fieldGroup: 'default',
-      type: 'boolean',
-    },
-    enableIdentityAliasMetadata: {
-      editType: 'boolean',
-      helpText:
-        'If set, metadata of the certificate including the metadata corresponding to allowed_metadata_extensions will be stored in the alias. Defaults to false.',
-      fieldGroup: 'default',
-      type: 'boolean',
-    },
-    ocspCacheSize: {
-      editType: 'number',
-      helpText: 'The size of the in memory OCSP response cache, shared by all configured certs',
-      fieldGroup: 'default',
-      type: 'number',
-    },
-  },
-  cert: {
-    name: {
-      editType: 'string',
-      helpText: 'The name of the certificate',
-      fieldValue: 'mutableId',
-      fieldGroup: 'default',
-      readOnly: true,
-      label: 'Name',
-      type: 'string',
-    },
-    allowedCommonNames: {
-      editType: 'stringArray',
-      helpText: 'A list of names. At least one must exist in the Common Name. Supports globbing.',
-      fieldGroup: 'Constraints',
-    },
-    allowedDnsSans: {
-      editType: 'stringArray',
-      helpText: 'A list of DNS names. At least one must exist in the SANs. Supports globbing.',
-      fieldGroup: 'Constraints',
-      label: 'Allowed DNS SANs',
-    },
-    allowedEmailSans: {
-      editType: 'stringArray',
-      helpText: 'A list of Email Addresses. At least one must exist in the SANs. Supports globbing.',
-      fieldGroup: 'Constraints',
-      label: 'Allowed Email SANs',
-    },
-    allowedMetadataExtensions: {
-      editType: 'stringArray',
-      helpText:
-        'A list of OID extensions. Upon successful authentication, these extensions will be added as metadata if they are present in the certificate. The metadata key will be the string consisting of the OID numbers separated by a dash (-) instead of a dot (.) to allow usage in ACL templates.',
-      fieldGroup: 'default',
-    },
-    allowedNames: {
-      editType: 'stringArray',
-      helpText:
-        'A list of names. At least one must exist in either the Common Name or SANs. Supports globbing. This parameter is deprecated, please use allowed_common_names, allowed_dns_sans, allowed_email_sans, allowed_uri_sans.',
-      fieldGroup: 'Constraints',
-    },
-    allowedOrganizationalUnits: {
-      editType: 'stringArray',
-      helpText: 'A list of Organizational Units names. At least one must exist in the OU field.',
-      fieldGroup: 'Constraints',
-    },
-    allowedUriSans: {
-      editType: 'stringArray',
-      helpText: 'A list of URIs. At least one must exist in the SANs. Supports globbing.',
-      fieldGroup: 'Constraints',
-      label: 'Allowed URI SANs',
-    },
-    certificate: {
-      editType: 'file',
-      helpText: 'The public certificate that should be trusted. Must be x509 PEM encoded.',
-      fieldGroup: 'default',
-      type: 'string',
-    },
-    displayName: {
-      editType: 'string',
-      helpText: 'The display name to use for clients using this certificate.',
-      fieldGroup: 'default',
-      type: 'string',
-    },
-    ocspCaCertificates: {
-      editType: 'file',
-      helpText: 'Any additional CA certificates needed to communicate with OCSP servers',
-      fieldGroup: 'default',
-      type: 'string',
-    },
-    ocspEnabled: {
-      editType: 'boolean',
-      helpText: 'Whether to attempt OCSP verification of certificates at login',
-      fieldGroup: 'default',
-      type: 'boolean',
-    },
-    ocspFailOpen: {
-      editType: 'boolean',
-      helpText:
-        'If set to true, if an OCSP revocation cannot be made successfully, login will proceed rather than failing. If false, failing to get an OCSP status fails the request.',
-      fieldGroup: 'default',
-      type: 'boolean',
-    },
-    ocspQueryAllServers: {
-      editType: 'boolean',
-      helpText:
-        'If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree.',
-      fieldGroup: 'default',
-      type: 'boolean',
-    },
-    ocspServersOverride: {
-      editType: 'stringArray',
-      helpText:
-        'A list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected.',
-      fieldGroup: 'default',
-    },
-    requiredExtensions: {
-      editType: 'stringArray',
-      helpText:
-        "A list of extensions formatted as 'oid:value'. Expects the extension value to be some type of ASN1 encoded string. All values much match. Supports globbing on 'value'.",
-      fieldGroup: 'default',
-    },
-    tokenBoundCidrs: {
-      editType: 'stringArray',
-      helpText:
-        'A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Bound CIDRs",
-    },
-    tokenExplicitMaxTtl: {
-      editType: 'ttl',
-      helpText:
-        'If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Explicit Maximum TTL",
-    },
-    tokenMaxTtl: {
-      editType: 'ttl',
-      helpText: 'The maximum lifetime of the generated token',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Maximum TTL",
-    },
-    tokenNoDefaultPolicy: {
-      editType: 'boolean',
-      helpText: "If true, the 'default' policy will not automatically be added to generated tokens",
-      fieldGroup: 'Tokens',
-      label: "Do Not Attach 'default' Policy To Generated Tokens",
-      type: 'boolean',
-    },
-    tokenNumUses: {
-      editType: 'number',
-      helpText: 'The maximum number of times a token may be used, a value of zero means unlimited',
-      fieldGroup: 'Tokens',
-      label: 'Maximum Uses of Generated Tokens',
-      type: 'number',
-    },
-    tokenPeriod: {
-      editType: 'ttl',
-      helpText:
-        'If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. "24h").',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Period",
-    },
-    tokenPolicies: {
-      editType: 'stringArray',
-      helpText: 'A list of policies that will apply to the generated token for this user.',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Policies",
-    },
-    tokenTtl: {
-      editType: 'ttl',
-      helpText: 'The initial ttl of the token to generate',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Initial TTL",
-    },
-    tokenType: {
-      editType: 'string',
-      helpText: 'The type of token to generate, service or batch',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Type",
-      type: 'string',
-    },
-  },
-};
+## Step 1: Subscribe Vault Proxy to KV events
 
-const gcp = {
-  'auth-config/gcp': {
-    credentials: {
-      editType: 'string',
-      helpText:
-        'Google credentials JSON that Vault will use to verify users against GCP APIs. If not specified, will use application default credentials',
-      fieldGroup: 'default',
-      label: 'Credentials',
-      type: 'string',
-    },
-    customEndpoint: {
-      editType: 'object',
-      helpText: 'Specifies overrides for various Google API Service Endpoints used in requests.',
-      fieldGroup: 'default',
-      type: 'object',
-    },
-    gceAlias: {
-      editType: 'string',
-      helpText: 'Indicates what value to use when generating an alias for GCE authentications.',
-      fieldGroup: 'default',
-      type: 'string',
-    },
-    gceMetadata: {
-      editType: 'stringArray',
-      helpText:
-        "The metadata to include on the aliases and audit logs generated by this plugin. When set to 'default', includes: instance_creation_timestamp, instance_id, instance_name, project_id, project_number, role, service_account_id, service_account_email, zone. Not editing this field means the 'default' fields are included. Explicitly setting this field to empty overrides the 'default' and means no metadata will be included. If not using 'default', explicit fields must be sent like: 'field1,field2'.",
-      fieldGroup: 'default',
-      defaultValue: 'field1,field2',
-      label: 'gce_metadata',
-    },
-    iamAlias: {
-      editType: 'string',
-      helpText: 'Indicates what value to use when generating an alias for IAM authentications.',
-      fieldGroup: 'default',
-      type: 'string',
-    },
-    iamMetadata: {
-      editType: 'stringArray',
-      helpText:
-        "The metadata to include on the aliases and audit logs generated by this plugin. When set to 'default', includes: project_id, role, service_account_id, service_account_email. Not editing this field means the 'default' fields are included. Explicitly setting this field to empty overrides the 'default' and means no metadata will be included. If not using 'default', explicit fields must be sent like: 'field1,field2'.",
-      fieldGroup: 'default',
-      defaultValue: 'field1,field2',
-      label: 'iam_metadata',
-    },
-  },
-};
+Vault Proxy uses Vault events and auto-auth to monitor secret status and make
+appropriate cache updates.
+1. Enable [auto-auth](/vault/docs/agent-and-proxy/autoauth).
+1. Create an auto-auth token with permission to subscribe to KV event updates
+with the [Vault event system](/vault/docs/concepts/events). For example, to
+create a policy that grants access to static secret (KVv1 and KVv2) events,
+we need permission to subscribe to the `events` endpoint, as well as the
+`list` and `subscribe` permissions on KV secrets we want to get secrets
+from:
+ ```hcl
+  path "sys/events/subscribe/kv*" {
+    capabilities = ["read"]
+  }
 
-const github = {
-  'auth-config/github': {
-    baseUrl: {
-      editType: 'string',
-      helpText:
-        'The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server.',
-      fieldGroup: 'GitHub Options',
-      label: 'Base URL',
-      type: 'string',
-    },
-    organization: {
-      editType: 'string',
-      helpText: 'The organization users must be part of',
-      fieldGroup: 'default',
-      type: 'string',
-    },
-    organizationId: {
-      editType: 'number',
-      helpText: 'The ID of the organization users must be part of',
-      fieldGroup: 'default',
-      type: 'number',
-    },
-    tokenBoundCidrs: {
-      editType: 'stringArray',
-      helpText:
-        'A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Bound CIDRs",
-    },
-    tokenExplicitMaxTtl: {
-      editType: 'ttl',
-      helpText:
-        'If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Explicit Maximum TTL",
-    },
-    tokenMaxTtl: {
-      editType: 'ttl',
-      helpText: 'The maximum lifetime of the generated token',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Maximum TTL",
-    },
-    tokenNoDefaultPolicy: {
-      editType: 'boolean',
-      helpText: "If true, the 'default' policy will not automatically be added to generated tokens",
-      fieldGroup: 'Tokens',
-      label: "Do Not Attach 'default' Policy To Generated Tokens",
-      type: 'boolean',
-    },
-    tokenNumUses: {
-      editType: 'number',
-      helpText: 'The maximum number of times a token may be used, a value of zero means unlimited',
-      fieldGroup: 'Tokens',
-      label: 'Maximum Uses of Generated Tokens',
-      type: 'number',
-    },
-    tokenPeriod: {
-      editType: 'ttl',
-      helpText:
-        'If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. "24h").',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Period",
-    },
-    tokenPolicies: {
-      editType: 'stringArray',
-      helpText: 'A list of policies that will apply to the generated token for this user.',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Policies",
-    },
-    tokenTtl: {
-      editType: 'ttl',
-      helpText: 'The initial ttl of the token to generate',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Initial TTL",
-    },
-    tokenType: {
-      editType: 'string',
-      helpText: 'The type of token to generate, service or batch',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Type",
-      type: 'string',
-    },
-  },
-};
+  path "*" {
+    capabilities = ["list", "subscribe"]
+    subscribe_event_types = ["kv*"]
+  }
+   ```
 
-const jwt = {
-  'auth-config/jwt': {
-    boundIssuer: {
-      editType: 'string',
-      helpText: "The value against which to match the 'iss' claim in a JWT. Optional.",
-      fieldGroup: 'default',
-      type: 'string',
-    },
-    defaultRole: {
-      editType: 'string',
-      helpText:
-        'The default role to use if none is provided during login. If not set, a role is required during login.',
-      fieldGroup: 'default',
-      type: 'string',
-    },
-    jwksCaPem: {
-      editType: 'string',
-      helpText:
-        'The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.',
-      fieldGroup: 'default',
-      type: 'string',
-    },
-    jwksUrl: {
-      editType: 'string',
-      helpText:
-        'JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".',
-      fieldGroup: 'default',
-      type: 'string',
-    },
-    jwtSupportedAlgs: {
-      editType: 'stringArray',
-      helpText: 'A list of supported signing algorithms. Defaults to RS256.',
-      fieldGroup: 'default',
-    },
-    jwtValidationPubkeys: {
-      editType: 'stringArray',
-      helpText:
-        'A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with "jwks_url" or "oidc_discovery_url".',
-      fieldGroup: 'default',
-    },
-    namespaceInState: {
-      editType: 'boolean',
-      helpText:
-        'Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs.',
-      fieldGroup: 'default',
-      defaultValue: true,
-      label: 'Namespace in OIDC state',
-      type: 'boolean',
-    },
-    oidcClientId: {
-      editType: 'string',
-      helpText: 'The OAuth Client ID configured with your OIDC provider.',
-      fieldGroup: 'default',
-      type: 'string',
-    },
-    oidcClientSecret: {
-      editType: 'string',
-      helpText: 'The OAuth Client Secret configured with your OIDC provider.',
-      fieldGroup: 'default',
-      sensitive: true,
-      type: 'string',
-    },
-    oidcDiscoveryCaPem: {
-      editType: 'string',
-      helpText:
-        'The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used.',
-      fieldGroup: 'default',
-      type: 'string',
-    },
-    oidcDiscoveryUrl: {
-      editType: 'string',
-      helpText:
-        'OIDC Discovery URL, without any .well-known component (base path). Cannot be used with "jwks_url" or "jwt_validation_pubkeys".',
-      fieldGroup: 'default',
-      type: 'string',
-    },
-    oidcResponseMode: {
-      editType: 'string',
-      helpText:
-        "The response mode to be used in the OAuth2 request. Allowed values are 'query' and 'form_post'.",
-      fieldGroup: 'default',
-      type: 'string',
-    },
-    oidcResponseTypes: {
-      editType: 'stringArray',
-      helpText:
-        "The response types to request. Allowed values are 'code' and 'id_token'. Defaults to 'code'.",
-      fieldGroup: 'default',
-    },
-    providerConfig: {
-      editType: 'object',
-      helpText: 'Provider-specific configuration. Optional.',
-      fieldGroup: 'default',
-      label: 'Provider Config',
-      type: 'object',
-    },
-  },
-};
+Subscribing to KV events means that Proxy receives updates as soon as a secret
+changes, which reduces staleness in the cache. Vault Proxy only checks for a
+secret update if an event notification indicates that the related secret was
+updated.
 
-const kubernetes = {
-  'auth-config/kubernetes': {
-    disableLocalCaJwt: {
-      editType: 'boolean',
-      helpText:
-        'Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod',
-      fieldGroup: 'default',
-      label: 'Disable use of local CA and service account JWT',
-      type: 'boolean',
-    },
-    kubernetesCaCert: {
-      editType: 'string',
-      helpText: 'PEM encoded CA cert for use by the TLS client used to talk with the API.',
-      fieldGroup: 'default',
-      label: 'Kubernetes CA Certificate',
-      type: 'string',
-    },
-    kubernetesHost: {
-      editType: 'string',
-      helpText:
-        'Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.',
-      fieldGroup: 'default',
-      type: 'string',
-    },
-    pemKeys: {
-      editType: 'stringArray',
-      helpText:
-        'Optional list of PEM-formated public keys or certificates used to verify the signatures of kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.',
-      fieldGroup: 'default',
-      label: 'Service account verification keys',
-    },
-    tokenReviewerJwt: {
-      editType: 'string',
-      helpText:
-        'A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.',
-      fieldGroup: 'default',
-      label: 'Token Reviewer JWT',
-      type: 'string',
-    },
-  },
-  role: {
-    name: {
-      editType: 'string',
-      helpText: 'Name of the role.',
-      fieldValue: 'mutableId',
-      fieldGroup: 'default',
-      readOnly: true,
-      label: 'Name',
-      type: 'string',
-    },
-    aliasNameSource: {
-      editType: 'string',
-      helpText:
-        'Source to use when deriving the Alias name. valid choices: "serviceaccount_uid" : <token.uid> e.g. 474b11b5-0f20-4f9d-8ca5-65715ab325e0 (most secure choice) "serviceaccount_name" : <namespace>/<serviceaccount> e.g. vault/vault-agent default: "serviceaccount_uid"',
-      fieldGroup: 'default',
-      type: 'string',
-    },
-    audience: {
-      editType: 'string',
-      helpText: 'Optional Audience claim to verify in the jwt.',
-      fieldGroup: 'default',
-      type: 'string',
-    },
-    boundServiceAccountNames: {
-      editType: 'stringArray',
-      helpText:
-        'List of service account names able to access this role. If set to "*" all names are allowed.',
-      fieldGroup: 'default',
-    },
-    boundServiceAccountNamespaces: {
-      editType: 'stringArray',
-      helpText: 'List of namespaces allowed to access this role. If set to "*" all namespaces are allowed.',
-      fieldGroup: 'default',
-    },
-    tokenBoundCidrs: {
-      editType: 'stringArray',
-      helpText:
-        'A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Bound CIDRs",
-    },
-    tokenExplicitMaxTtl: {
-      editType: 'ttl',
-      helpText:
-        'If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Explicit Maximum TTL",
-    },
-    tokenMaxTtl: {
-      editType: 'ttl',
-      helpText: 'The maximum lifetime of the generated token',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Maximum TTL",
-    },
-    tokenNoDefaultPolicy: {
-      editType: 'boolean',
-      helpText: "If true, the 'default' policy will not automatically be added to generated tokens",
-      fieldGroup: 'Tokens',
-      label: "Do Not Attach 'default' Policy To Generated Tokens",
-      type: 'boolean',
-    },
-    tokenNumUses: {
-      editType: 'number',
-      helpText: 'The maximum number of times a token may be used, a value of zero means unlimited',
-      fieldGroup: 'Tokens',
-      label: 'Maximum Uses of Generated Tokens',
-      type: 'number',
-    },
-    tokenPeriod: {
-      editType: 'ttl',
-      helpText:
-        'If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. "24h").',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Period",
-    },
-    tokenPolicies: {
-      editType: 'stringArray',
-      helpText: 'A list of policies that will apply to the generated token for this user.',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Policies",
-    },
-    tokenTtl: {
-      editType: 'ttl',
-      helpText: 'The initial ttl of the token to generate',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Initial TTL",
-    },
-    tokenType: {
-      editType: 'string',
-      helpText: 'The type of token to generate, service or batch',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Type",
-      type: 'string',
-    },
-  },
-};
+## Step 2: Ensure tokens have `capabilities-self` access
 
-const ldap = {
-  'auth-config/ldap': {
-    anonymousGroupSearch: {
-      editType: 'boolean',
-      helpText:
-        'Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).',
-      fieldGroup: 'default',
-      label: 'Anonymous group search',
-      type: 'boolean',
-    },
-    binddn: {
-      editType: 'string',
-      helpText: 'LDAP DN for searching for the user DN (optional)',
-      fieldGroup: 'default',
-      label: 'Name of Object to bind (binddn)',
-      type: 'string',
-    },
-    bindpass: {
-      editType: 'string',
-      helpText: 'LDAP password for searching for the user DN (optional)',
-      fieldGroup: 'default',
-      sensitive: true,
-      type: 'string',
-    },
-    caseSensitiveNames: {
-      editType: 'boolean',
-      helpText:
-        'If true, case sensitivity will be used when comparing usernames and groups for matching policies.',
-      fieldGroup: 'default',
-      type: 'boolean',
-    },
-    certificate: {
-      editType: 'file',
-      helpText:
-        'CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded (optional)',
-      fieldGroup: 'default',
-      label: 'CA certificate',
-      type: 'string',
-    },
-    clientTlsCert: {
-      editType: 'file',
-      helpText: 'Client certificate to provide to the LDAP server, must be x509 PEM encoded (optional)',
-      fieldGroup: 'default',
-      label: 'Client certificate',
-      type: 'string',
-    },
-    clientTlsKey: {
-      editType: 'file',
-      helpText: 'Client certificate key to provide to the LDAP server, must be x509 PEM encoded (optional)',
-      fieldGroup: 'default',
-      label: 'Client key',
-      type: 'string',
-    },
-    connectionTimeout: {
-      editType: 'ttl',
-      helpText:
-        'Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.',
-      fieldGroup: 'default',
-    },
-    denyNullBind: {
-      editType: 'boolean',
-      helpText:
-        "Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true",
-      fieldGroup: 'default',
-      type: 'boolean',
-    },
-    dereferenceAliases: {
-      editType: 'string',
-      helpText:
-        "When aliases should be dereferenced on search operations. Accepted values are 'never', 'finding', 'searching', 'always'. Defaults to 'never'.",
-      possibleValues: ['never', 'finding', 'searching', 'always'],
-      fieldGroup: 'default',
-      type: 'string',
-    },
-    discoverdn: {
-      editType: 'boolean',
-      helpText: 'Use anonymous bind to discover the bind DN of a user (optional)',
-      fieldGroup: 'default',
-      label: 'Discover DN',
-      type: 'boolean',
-    },
-    groupattr: {
-      editType: 'string',
-      helpText:
-        'LDAP attribute to follow on objects returned by <groupfilter> in order to enumerate user group membership. Examples: "cn" or "memberOf", etc. Default: cn',
-      fieldGroup: 'default',
-      defaultValue: 'cn',
-      label: 'Group Attribute',
-      type: 'string',
-    },
-    groupdn: {
-      editType: 'string',
-      helpText: 'LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org)',
-      fieldGroup: 'default',
-      label: 'Group DN',
-      type: 'string',
-    },
-    groupfilter: {
-      editType: 'string',
-      helpText:
-        'Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))',
-      fieldGroup: 'default',
-      label: 'Group Filter',
-      type: 'string',
-    },
-    insecureTls: {
-      editType: 'boolean',
-      helpText: 'Skip LDAP server SSL Certificate verification - VERY insecure (optional)',
-      fieldGroup: 'default',
-      label: 'Insecure TLS',
-      type: 'boolean',
-    },
-    maxPageSize: {
-      editType: 'number',
-      helpText:
-        "If set to a value greater than 0, the LDAP backend will use the LDAP server's paged search control to request pages of up to the given size. This can be used to avoid hitting the LDAP server's maximum result size limit. Otherwise, the LDAP backend will not use the paged search control.",
-      fieldGroup: 'default',
-      type: 'number',
-    },
-    requestTimeout: {
-      editType: 'ttl',
-      helpText:
-        'Timeout, in seconds, for the connection when making requests against the server before returning back an error.',
-      fieldGroup: 'default',
-    },
-    starttls: {
-      editType: 'boolean',
-      helpText: 'Issue a StartTLS command after establishing unencrypted connection (optional)',
-      fieldGroup: 'default',
-      label: 'Issue StartTLS',
-      type: 'boolean',
-    },
-    tlsMaxVersion: {
-      editType: 'string',
-      helpText:
-        "Maximum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'",
-      possibleValues: ['tls10', 'tls11', 'tls12', 'tls13'],
-      fieldGroup: 'default',
-      label: 'Maximum TLS Version',
-      type: 'string',
-    },
-    tlsMinVersion: {
-      editType: 'string',
-      helpText:
-        "Minimum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'",
-      possibleValues: ['tls10', 'tls11', 'tls12', 'tls13'],
-      fieldGroup: 'default',
-      label: 'Minimum TLS Version',
-      type: 'string',
-    },
-    tokenBoundCidrs: {
-      editType: 'stringArray',
-      helpText:
-        'A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Bound CIDRs",
-    },
-    tokenExplicitMaxTtl: {
-      editType: 'ttl',
-      helpText:
-        'If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Explicit Maximum TTL",
-    },
-    tokenMaxTtl: {
-      editType: 'ttl',
-      helpText: 'The maximum lifetime of the generated token',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Maximum TTL",
-    },
-    tokenNoDefaultPolicy: {
-      editType: 'boolean',
-      helpText: "If true, the 'default' policy will not automatically be added to generated tokens",
-      fieldGroup: 'Tokens',
-      label: "Do Not Attach 'default' Policy To Generated Tokens",
-      type: 'boolean',
-    },
-    tokenNumUses: {
-      editType: 'number',
-      helpText: 'The maximum number of times a token may be used, a value of zero means unlimited',
-      fieldGroup: 'Tokens',
-      label: 'Maximum Uses of Generated Tokens',
-      type: 'number',
-    },
-    tokenPeriod: {
-      editType: 'ttl',
-      helpText:
-        'If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. "24h").',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Period",
-    },
-    tokenPolicies: {
-      editType: 'stringArray',
-      helpText: 'A list of policies that will apply to the generated token for this user.',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Policies",
-    },
-    tokenTtl: {
-      editType: 'ttl',
-      helpText: 'The initial ttl of the token to generate',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Initial TTL",
-    },
-    tokenType: {
-      editType: 'string',
-      helpText: 'The type of token to generate, service or batch',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Type",
-      type: 'string',
-    },
-    upndomain: {
-      editType: 'string',
-      helpText: 'Enables userPrincipalDomain login with [username]@UPNDomain (optional)',
-      fieldGroup: 'default',
-      label: 'User Principal (UPN) Domain',
-      type: 'string',
-    },
-    url: {
-      editType: 'string',
-      helpText:
-        'LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.',
-      fieldGroup: 'default',
-      label: 'URL',
-      type: 'string',
-    },
-    usePre111GroupCnBehavior: {
-      editType: 'boolean',
-      helpText:
-        'In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.',
-      fieldGroup: 'default',
-      type: 'boolean',
-    },
-    useTokenGroups: {
-      editType: 'boolean',
-      helpText:
-        'If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.',
-      fieldGroup: 'default',
-      type: 'boolean',
-    },
-    userattr: {
-      editType: 'string',
-      helpText: 'Attribute used for users (default: cn)',
-      fieldGroup: 'default',
-      defaultValue: 'cn',
-      label: 'User Attribute',
-      type: 'string',
-    },
-    userdn: {
-      editType: 'string',
-      helpText: 'LDAP domain to use for users (eg: ou=People,dc=example,dc=org)',
-      fieldGroup: 'default',
-      label: 'User DN',
-      type: 'string',
-    },
-    userfilter: {
-      editType: 'string',
-      helpText:
-        'Go template for LDAP user search filer (optional) The template can access the following context variables: UserAttr, Username Default: ({{.UserAttr}}={{.Username}})',
-      fieldGroup: 'default',
-      label: 'User Search Filter',
-      type: 'string',
-    },
-    usernameAsAlias: {
-      editType: 'boolean',
-      helpText: 'If true, sets the alias name to the username',
-      fieldGroup: 'default',
-      type: 'boolean',
-    },
-  },
-  group: {
-    name: {
-      editType: 'string',
-      helpText: 'Name of the LDAP group.',
-      fieldValue: 'mutableId',
-      fieldGroup: 'default',
-      readOnly: true,
-      label: 'Name',
-      type: 'string',
-    },
-    policies: {
-      editType: 'stringArray',
-      helpText: 'A list of policies associated to the group.',
-      fieldGroup: 'default',
-    },
-  },
-  user: {
-    name: {
-      editType: 'string',
-      helpText: 'Name of the LDAP user.',
-      fieldValue: 'mutableId',
-      fieldGroup: 'default',
-      readOnly: true,
-      label: 'Name',
-      type: 'string',
-    },
-    groups: {
-      editType: 'stringArray',
-      helpText: 'A list of additional groups associated with the user.',
-      fieldGroup: 'default',
-    },
-    policies: {
-      editType: 'stringArray',
-      helpText: 'A list of policies associated with the user.',
-      fieldGroup: 'default',
-    },
-  },
-};
+Tokens require `update` access to the
+[`sys/capabilies-self`](/vault/api-docs/system/capabilities-self) endpoint to
+request cached secrets. Vault tokens receive `update` permissions
+[by default](/vault/docs/concepts/policies#default-policy). If you have modified
+or removed the default policy, you must explicitly create a policy with the
+appropriate permissions. For example:
+```hcl
+  path "sys/capabilities-self" {
+    capabilities = ["update"]
+  }
+```
 
-const okta = {
-  'auth-config/okta': {
-    apiToken: {
-      editType: 'string',
-      helpText: 'Okta API key.',
-      fieldGroup: 'default',
-      label: 'API Token',
-      type: 'string',
-    },
-    baseUrl: {
-      editType: 'string',
-      helpText:
-        'The base domain to use for the Okta API. When not specified in the configuration, "okta.com" is used.',
-      fieldGroup: 'default',
-      label: 'Base URL',
-      type: 'string',
-    },
-    bypassOktaMfa: {
-      editType: 'boolean',
-      helpText:
-        'When set true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired.',
-      fieldGroup: 'default',
-      label: 'Bypass Okta MFA',
-      type: 'boolean',
-    },
-    orgName: {
-      editType: 'string',
-      helpText: 'Name of the organization to be used in the Okta API.',
-      fieldGroup: 'default',
-      label: 'Organization Name',
-      type: 'string',
-    },
-    tokenBoundCidrs: {
-      editType: 'stringArray',
-      helpText:
-        'A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Bound CIDRs",
-    },
-    tokenExplicitMaxTtl: {
-      editType: 'ttl',
-      helpText:
-        'If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Explicit Maximum TTL",
-    },
-    tokenMaxTtl: {
-      editType: 'ttl',
-      helpText: 'The maximum lifetime of the generated token',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Maximum TTL",
-    },
-    tokenNoDefaultPolicy: {
-      editType: 'boolean',
-      helpText: "If true, the 'default' policy will not automatically be added to generated tokens",
-      fieldGroup: 'Tokens',
-      label: "Do Not Attach 'default' Policy To Generated Tokens",
-      type: 'boolean',
-    },
-    tokenNumUses: {
-      editType: 'number',
-      helpText: 'The maximum number of times a token may be used, a value of zero means unlimited',
-      fieldGroup: 'Tokens',
-      label: 'Maximum Uses of Generated Tokens',
-      type: 'number',
-    },
-    tokenPeriod: {
-      editType: 'ttl',
-      helpText:
-        'If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. "24h").',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Period",
-    },
-    tokenPolicies: {
-      editType: 'stringArray',
-      helpText: 'A list of policies that will apply to the generated token for this user.',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Policies",
-    },
-    tokenTtl: {
-      editType: 'ttl',
-      helpText: 'The initial ttl of the token to generate',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Initial TTL",
-    },
-    tokenType: {
-      editType: 'string',
-      helpText: 'The type of token to generate, service or batch',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Type",
-      type: 'string',
-    },
-  },
-  group: {
-    name: {
-      editType: 'string',
-      helpText: 'Name of the Okta group.',
-      fieldValue: 'mutableId',
-      fieldGroup: 'default',
-      readOnly: true,
-      label: 'Name',
-      type: 'string',
-    },
-    policies: {
-      editType: 'stringArray',
-      helpText: 'A list of policies associated to the group.',
-      fieldGroup: 'default',
-    },
-  },
-  user: {
-    name: {
-      editType: 'string',
-      helpText: 'Name of the user.',
-      fieldValue: 'mutableId',
-      fieldGroup: 'default',
-      readOnly: true,
-      label: 'Name',
-      type: 'string',
-    },
-    groups: {
-      editType: 'stringArray',
-      helpText: 'List of groups associated with the user.',
-      fieldGroup: 'default',
-    },
-    policies: {
-      editType: 'stringArray',
-      helpText: 'List of policies associated with the user.',
-      fieldGroup: 'default',
-    },
-  },
-};
+## Step 3: Configure an appropriate refresh interval
+By default, Vault Proxy refreshes tokens every five minutes. You can change the
+default behavior and configure Proxy to verify and update cached token
+capabilities with the `static_secret_token_capability_refresh_interval`
+parameter in the `cache` configuration stanza. For example, to set a refresh
+interval of one minute:
+```hcl
+cache {
+  cache_static_secrets = true
+  static_secret_token_capability_refresh_interval = "1m"
+}
+```
 
-const radius = {
-  'auth-config/radius': {
-    dialTimeout: {
-      editType: 'ttl',
-      helpText: 'Number of seconds before connect times out (default: 10)',
-      fieldGroup: 'default',
-      defaultValue: 10,
-    },
-    host: {
-      editType: 'string',
-      helpText: 'RADIUS server host',
-      fieldGroup: 'default',
-      label: 'Host',
-      type: 'string',
-    },
-    nasIdentifier: {
-      editType: 'string',
-      helpText: 'RADIUS NAS Identifier field (optional)',
-      fieldGroup: 'default',
-      label: 'NAS Identifier',
-      type: 'string',
-    },
-    nasPort: {
-      editType: 'number',
-      helpText: 'RADIUS NAS port field (default: 10)',
-      fieldGroup: 'default',
-      defaultValue: 10,
-      label: 'NAS Port',
-      type: 'number',
-    },
-    port: {
-      editType: 'number',
-      helpText: 'RADIUS server port (default: 1812)',
-      fieldGroup: 'default',
-      defaultValue: 1812,
-      type: 'number',
-    },
-    readTimeout: {
-      editType: 'ttl',
-      helpText: 'Number of seconds before response times out (default: 10)',
-      fieldGroup: 'default',
-      defaultValue: 10,
-    },
-    secret: {
-      editType: 'string',
-      helpText: 'Secret shared with the RADIUS server',
-      fieldGroup: 'default',
-      type: 'string',
-    },
-    tokenBoundCidrs: {
-      editType: 'stringArray',
-      helpText:
-        'A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Bound CIDRs",
-    },
-    tokenExplicitMaxTtl: {
-      editType: 'ttl',
-      helpText:
-        'If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Explicit Maximum TTL",
-    },
-    tokenMaxTtl: {
-      editType: 'ttl',
-      helpText: 'The maximum lifetime of the generated token',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Maximum TTL",
-    },
-    tokenNoDefaultPolicy: {
-      editType: 'boolean',
-      helpText: "If true, the 'default' policy will not automatically be added to generated tokens",
-      fieldGroup: 'Tokens',
-      label: "Do Not Attach 'default' Policy To Generated Tokens",
-      type: 'boolean',
-    },
-    tokenNumUses: {
-      editType: 'number',
-      helpText: 'The maximum number of times a token may be used, a value of zero means unlimited',
-      fieldGroup: 'Tokens',
-      label: 'Maximum Uses of Generated Tokens',
-      type: 'number',
-    },
-    tokenPeriod: {
-      editType: 'ttl',
-      helpText:
-        'If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. "24h").',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Period",
-    },
-    tokenPolicies: {
-      editType: 'stringArray',
-      helpText: 'A list of policies that will apply to the generated token for this user.',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Policies",
-    },
-    tokenTtl: {
-      editType: 'ttl',
-      helpText: 'The initial ttl of the token to generate',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Initial TTL",
-    },
-    tokenType: {
-      editType: 'string',
-      helpText: 'The type of token to generate, service or batch',
-      fieldGroup: 'Tokens',
-      label: "Generated Token's Type",
-      type: 'string',
-    },
-    unregisteredUserPolicies: {
-      editType: 'string',
-      helpText:
-        'List of policies to grant upon successful RADIUS authentication of an unregistered user (default: empty)',
-      fieldGroup: 'default',
-      label: 'Policies for unregistered users',
-      type: 'string',
-    },
-  },
-  user: {
-    name: {
-      editType: 'string',
-      helpText: 'Name of the RADIUS user.',
-      fieldValue: 'mutableId',
-      fieldGroup: 'default',
-      readOnly: true,
-      label: 'Name',
-      type: 'string',
-    },
-    policies: {
-      editType: 'stringArray',
-      helpText: 'A list of policies associated to the user.',
-      fieldGroup: 'default',
-    },
-  },
-};
+## Functionality
 
-export default {
-  azure,
-  userpass,
-  cert,
-  gcp,
-  github,
-  jwt,
-  kubernetes,
-  ldap,
-  okta,
-  radius,
-  // aws is the only method that doesn't leverage OpenApi in practice
-};
+With static secret caching, Vault Proxy caches `GET` requests for KVv1 and KVv2
+endpoints.
+
+When a client sends a `GET` request for a new KV secret, Proxy forwards the
+request to Vault but caches the response before forwarding it to the client. If
+that client makes subsequent `GET` requests for the same secret, Vault Proxy
+serves the cached response rather than forwarding the request to Vault.
+
+Similarly, when a token requests access to a KV secret, it must complete a
+success `GET` request. If the request is successful, Proxy caches the fact that
+the token was successful in addition to the result. Subsequent requests by the
+same token can then access this secret from the cache instead of Vault.
+
+Vault Proxy uses the [event system](/vault/docs/concepts/events) to keep the
+cache up to date. It monitors the KV event feed for events related to any secret
+currently stored in the cache, including modification events like updates and
+deletes. When Proxy detects a change in a cached secret, it will update or
+evict the cache entry as appropriate.
+
+Vault Proxy also checks and refreshes the access permissions of known tokens
+according to the window set with `static_secret_token_capability_refresh_interval`.
+By default, the refresh interval is five minutes.
+
+Every interval, Proxy calls [`sys/capabilies-self`](/vault/api-docs/system/capabilities-self) on
+behalf of every token in the cache to confirm the token still has permission to
+access the cached secret. If the result from Vault indicates that permission (or
+the token itself) was revoked, Proxy updates the cache entry so that the affected
+token can no longer access the relevant paths from the cache. The refresh interval
+is essentially the maximum period after which permission to read a KV secret is
+fully revoked for the relevant token.
+
+For token refresh to work, any token that will access the cache also needs
+`update` permission for [`sys/capabilies-self`](/vault/api-docs/system/capabilities-self).
+Having `update` permission for the token lets Proxy test capabilities for the
+token against multiple paths with a single request instead of testing for a `403`
+response for each path explicitly.
+
+<Tip title="Refresh is per token, not per secret">
+
+  If Proxy's API proxy is configured to use auto-authentication for tokens, and **all**
+  requests that pass through Vault Proxy use the same token, Proxy only
+  makes a single request to Vault every refresh interval, no matter how many
+  secrets are currently cached.
+
+</Tip>
+
+When static secret caching is enabled, Proxy returns `HIT` or `MISS` in the `X-Cache`
+response header for requests so client can tell if the response was served from
+the cache or forwarded from Vault. In the event of a hit, Proxy also sets the
+`Age` header to indicate, in seconds, how old the cache entry is.
+
+<Tip title="Old does not mean stale">
+
+  The fact that a cache entry is old, does not necessarily mean that the
+  information is out of date. Vault Proxy continually monitors KV events for
+  updates. A large value for `Age` may simply mean that the secret has not been
+  rotated recently.
+
+</Tip>
+
+## Configuration
+
+The top level `cache` block has the following configuration entries relating to static secret caching:
+
+- `cache_static_secrets` `(bool: false)` - Enables static secret caching when
+set to `true`. When `cache_static_secrets` and `auth_auth` are both enabled,
+Vault Proxy serves KV secrets directly from the cache to clients with
+sufficient permission.
+
+- `static_secret_token_capability_refresh_interval` `(duration: "5m", optional)` -
+Sets the interval as a [duration format string](/vault/docs/concepts/duration-format)
+at which Vault Proxy rechecks the permissions of tokens used to access cached
+secrets. The refresh interval is the maximum period after which permission to
+read a cached KV secret is fully revoked. Ignored when `cache_static_secrets`
+is `false`.
+
+### Example configuration
+
+The following example Vault Proxy configuration:
+- Defines a TCP listener (`listener`) with TLS disabled.
+- Forces clients using API proxy (`api_proxy`) to identify with an auto-auth token.
+- Configures auto-authentication (`auto-auth`) for `approle`.
+- Enables static secret caching with `cache_static_secrets`.
+- Sets an explicit token capability refresh window of 1 hour with `static_secret_token_capability_refresh_interval`.
+
+```hcl
+# Other Vault Proxy configuration blocks
+# ...
+
+cache {
+  cache_static_secrets = true
+  static_secret_token_capability_refresh_interval = "1h"
+}
+
+api_proxy {
+  use_auto_auth_token = "force"
+}
+
+listener "tcp" {
+    address = "127.0.0.1:8100"
+    tls_disable = true
+}
+
+auto_auth {
+  method {
+    type = "approle"
+    config = {
+      role_id_file_path = "roleid"
+      secret_id_file_path = "secretid"
+      remove_secret_id_file_after_reading = false
+    }
+  }
+```
+[event-system]: /vault/docs/concepts/events
diff --git a/ui/tests/helpers/replication.js b/ui/tests/helpers/replication.js
index be3cc8ab0d32..9f7c7010f86d 100644
--- a/ui/tests/helpers/replication.js
+++ b/ui/tests/helpers/replication.js
@@ -1,36 +1,99 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { click, fillIn, findAll, currentURL, visit, settled, waitUntil } from '@ember/test-helpers';
-
-export const disableReplication = async (type, assert) => {
-  // disable performance replication
-  await visit(`/vault/replication/${type}`);
-
-  if (findAll('[data-test-replication-link="manage"]').length) {
-    await click('[data-test-replication-link="manage"]');
-
-    await click('[data-test-disable-replication] button');
-
-    const typeDisplay = type === 'dr' ? 'Disaster Recovery' : 'Performance';
-    await fillIn('[data-test-confirmation-modal-input="Disable Replication?"]', typeDisplay);
-    await click('[data-test-confirm-button]');
-    await settled(); // eslint-disable-line
-
-    if (assert) {
-      // bypassing for now -- remove if tests pass reliably
-      // assert.strictEqual(
-      //   flash.latestMessage,
-      //   'This cluster is having replication disabled. Vault will be unavailable for a brief period and will resume service shortly.',
-      //   'renders info flash when disabled'
-      // );
-      assert.ok(
-        await waitUntil(() => currentURL() === '/vault/replication'),
-        'redirects to the replication page'
-      );
-    }
-    await settled();
-  }
-};
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*StatusCommand)(nil)
+	_ cli.CommandAutocomplete = (*StatusCommand)(nil)
+)
+
+type StatusCommand struct {
+	*BaseCommand
+}
+
+func (c *StatusCommand) Synopsis() string {
+	return "Print seal and HA status"
+}
+
+func (c *StatusCommand) Help() string {
+	helpText := `
+Usage: vault status [options]
+
+  Prints the current state of Vault including whether it is sealed and if HA
+  mode is enabled. This command prints regardless of whether the Vault is
+  sealed.
+
+  The exit code reflects the seal status:
+
+      - 0 - unsealed
+      - 1 - error
+      - 2 - sealed
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *StatusCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+}
+
+func (c *StatusCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictNothing
+}
+
+func (c *StatusCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *StatusCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	if len(args) > 0 {
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(args)))
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		// We return 2 everywhere else, but 2 is reserved for "sealed" here
+		return 1
+	}
+
+	// Always query in the root namespace.
+	// Although seal-status is present in other namespaces, it will not
+	// be available until Vault is unsealed.
+	client.SetNamespace("")
+
+	status, err := client.Sys().SealStatus()
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error checking seal status: %s", err))
+		return 1
+	}
+
+	// Do not return the int here yet, since we may want to return a custom error
+	// code depending on the seal status.
+	code := OutputSealStatus(c.UI, client, status)
+
+	if status.Sealed {
+		return 2
+	}
+
+	return code
+}
diff --git a/ui/tests/integration/components/alert-inline-test.js b/ui/tests/integration/components/alert-inline-test.js
index 50be71efbc95..47a2803d66cb 100644
--- a/ui/tests/integration/components/alert-inline-test.js
+++ b/ui/tests/integration/components/alert-inline-test.js
@@ -1,89 +1,118 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import { render, settled, find, waitUntil } from '@ember/test-helpers';
-import hbs from 'htmlbars-inline-precompile';
-
-module('Integration | Component | alert-inline', function (hooks) {
-  setupRenderingTest(hooks);
-
-  hooks.beforeEach(function () {
-    this.set('message', 'some very important alert');
-    this.set('type', 'warning');
-  });
-
-  test('it renders alert message with correct class args', async function (assert) {
-    await render(hbs`
-    <AlertInline
-      @paddingTop={{true}}
-      @isMarginless={{true}}
-      @sizeSmall={{true}}
-      @message={{this.message}}
-      @type={{this.type}}
-    />
-    `);
-    assert.dom('[data-test-inline-error-message]').hasText('some very important alert');
-    assert
-      .dom('[data-test-inline-alert]')
-      .hasAttribute('class', 'is-flex-center has-top-padding-xs is-marginless size-small');
-  });
-
-  test('it yields to block text', async function (assert) {
-    await render(hbs`
-    <AlertInline @message={{this.message}} @type={{this.type}}>
-      A much more important alert
-    </AlertInline>
-    `);
-    assert.dom('[data-test-inline-error-message]').hasText('A much more important alert');
-  });
-
-  test('it renders correctly for type=danger', async function (assert) {
-    this.set('type', 'danger');
-    await render(hbs`
-    <AlertInline
-      @type={{this.type}}
-      @message={{this.message}}
-    />
-    `);
-    assert
-      .dom('[data-test-inline-error-message]')
-      .hasAttribute('class', 'has-text-danger', 'has danger text');
-    assert.dom('[data-test-icon="x-square-fill"]').exists('danger icon exists');
-  });
-
-  test('it renders correctly for type=warning', async function (assert) {
-    await render(hbs`
-    <AlertInline
-      @type={{this.type}}
-      @message={{this.message}}
-    />
-    `);
-    assert.dom('[data-test-inline-error-message]').doesNotHaveAttribute('class', 'does not have styled text');
-    assert.dom('[data-test-icon="alert-triangle-fill"]').exists('warning icon exists');
-  });
-
-  test('it mimics loading when message changes', async function (assert) {
-    await render(hbs`
-    <AlertInline
-      @message={{this.message}}
-      @mimicRefresh={{true}}
-      @type={{this.type}}
-    />
-    `);
-    assert
-      .dom('[data-test-inline-error-message]')
-      .hasText('some very important alert', 'it renders original message');
-
-    this.set('message', 'some changed alert!!!');
-    await waitUntil(() => find('[data-test-icon="loading"]'));
-    assert.ok(find('[data-test-icon="loading"]'), 'it shows loading icon when message changes');
-    await settled();
-    assert
-      .dom('[data-test-inline-error-message]')
-      .hasText('some changed alert!!!', 'it shows updated message');
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+)
+
+func testStatusCommand(tb testing.TB) (*cli.MockUi, *StatusCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &StatusCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestStatusCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name   string
+		args   []string
+		sealed bool
+		out    string
+		code   int
+	}{
+		{
+			"unsealed",
+			nil,
+			false,
+			"Sealed          false",
+			0,
+		},
+		{
+			"sealed",
+			nil,
+			true,
+			"Sealed             true",
+			2,
+		},
+		{
+			"args",
+			[]string{"foo"},
+			false,
+			"Too many arguments",
+			1,
+		},
+	}
+
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range cases {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				if tc.sealed {
+					if err := client.Sys().Seal(); err != nil {
+						t.Fatal(err)
+					}
+				}
+
+				ui, cmd := testStatusCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testStatusCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{})
+		if exp := 1; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error checking seal status: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testStatusCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
diff --git a/ui/tests/integration/components/app-footer-test.js b/ui/tests/integration/components/app-footer-test.js
new file mode 100644
index 000000000000..b838f29efdf9
--- /dev/null
+++ b/ui/tests/integration/components/app-footer-test.js
@@ -0,0 +1,67 @@
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<div
+  class="field string-list form-section"
+  data-test-component="string-list"
+  {{did-insert this.autoSize}}
+  {{did-update this.autoSizeUpdate}}
+  data-test-input
+  ...attributes
+>
+  {{#if @label}}
+    <label class="is-label" data-test-string-list-label="true">
+      {{@label}}
+      {{#if @helpText}}
+        <InfoTooltip>{{@helpText}}</InfoTooltip>
+      {{/if}}
+    </label>
+    {{#if @subText}}
+      <p class="sub-text">
+        {{@subText}}
+      </p>
+    {{/if}}
+  {{/if}}
+  {{#each this.inputList as |data index|}}
+    <div class="field is-grouped" data-test-string-list-row={{index}}>
+      <div class="control is-expanded">
+        <Textarea
+          data-test-string-list-input={{index}}
+          class="input {{if (includes index this.indicesWithComma) 'has-warning-border'}}"
+          @value={{data.value}}
+          name={{concat this.elementId "-" index}}
+          id={{concat this.elementId "-" index}}
+          {{on "keyup" (action "inputChanged" index)}}
+          {{on "change" (action "inputChanged" index)}}
+        />
+      </div>
+      <div class="control is-narrow">
+        {{#if (eq (inc index) this.inputList.length)}}
+          <Hds::Button @text="Add" data-test-string-list-button="add" {{on "click" this.addInput}} @isFullWidth={{true}} />
+        {{else}}
+          <Hds::Button
+            @text="delete row"
+            @icon="trash"
+            @isIconOnly={{true}}
+            @color="secondary"
+            @isFullWidth={{true}}
+            data-test-string-list-button="delete"
+            {{on "click" (fn this.removeInput index)}}
+          />
+        {{/if}}
+      </div>
+      {{#if (includes index this.indicesWithComma)}}
+        <FlightIcon @name="alert-triangle" @color="var(--token-color-foreground-warning)" @size="24" />
+      {{/if}}
+    </div>
+  {{/each}}
+  {{#if this.indicesWithComma}}
+    <Hds::Alert @type="inline" @color="warning" as |A|>
+      <A.Description>
+        Input contains a comma. Please separate values into individual rows.
+      </A.Description>
+    </Hds::Alert>
+  {{/if}}
+</div>
\ No newline at end of file
diff --git a/ui/tests/integration/components/certificate-card-test.js b/ui/tests/integration/components/certificate-card-test.js
index e54fcbb3d08a..50cccf8579ad 100644
--- a/ui/tests/integration/components/certificate-card-test.js
+++ b/ui/tests/integration/components/certificate-card-test.js
@@ -1,64 +1,122 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'vault/tests/helpers';
-import { render } from '@ember/test-helpers';
-import { hbs } from 'ember-cli-htmlbars';
-import { rootPem } from 'vault/tests/helpers/pki/values';
-import { rootDer } from 'vault/tests/helpers/pki/values';
-
-const SELECTORS = {
-  label: '[data-test-certificate-label]',
-  value: '[data-test-certificate-value]',
-  icon: '[data-test-certificate-icon]',
-  copyButton: '[data-test-copy-button]',
-};
-
-module('Integration | Component | certificate-card', function (hooks) {
-  setupRenderingTest(hooks);
-
-  test('it renders', async function (assert) {
-    await render(hbs`<CertificateCard />`);
-
-    assert.dom(SELECTORS.label).hasNoText('There is no label because there is no value');
-    assert.dom(SELECTORS.value).hasNoText('There is no value because none was provided');
-    assert.dom(SELECTORS.icon).exists('The certificate icon exists');
-    assert.dom(SELECTORS.copyButton).exists('The copy button exists');
-  });
-
-  test('it renders with an example PEM Certificate', async function (assert) {
-    const certificate = rootPem;
-    this.set('certificate', certificate);
-    await render(hbs`<CertificateCard @data={{this.certificate}} />`);
-
-    assert.dom(SELECTORS.label).hasText('PEM Format', 'The label text is PEM Format');
-    assert.dom(SELECTORS.value).hasText(certificate, 'The data rendered is correct');
-    assert.dom(SELECTORS.icon).exists('The certificate icon exists');
-    assert.dom(SELECTORS.copyButton).exists('The copy button exists');
-  });
-
-  test('it renders with an example DER Certificate', async function (assert) {
-    const certificate = rootDer;
-    this.set('certificate', certificate);
-    await render(hbs`<CertificateCard @data={{this.certificate}} />`);
-
-    assert.dom(SELECTORS.label).hasText('DER Format', 'The label text is DER Format');
-    assert.dom(SELECTORS.value).hasText(certificate, 'The data rendered is correct');
-    assert.dom(SELECTORS.icon).exists('The certificate icon exists');
-    assert.dom(SELECTORS.copyButton).exists('The copy button exists');
-  });
-
-  test('it renders with the PEM Format label regardless of the value provided when @isPem is true', async function (assert) {
-    const certificate = 'example-certificate-text';
-    this.set('certificate', certificate);
-    await render(hbs`<CertificateCard @data={{this.certificate}} @isPem={{true}}/>`);
-
-    assert.dom(SELECTORS.label).hasText('PEM Format', 'The label text is PEM Format');
-    assert.dom(SELECTORS.value).hasText(certificate, 'The data rendered is correct');
-    assert.dom(SELECTORS.icon).exists('The certificate icon exists');
-    assert.dom(SELECTORS.copyButton).exists('The copy button exists');
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package api
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/builtin/logical/pki"
+	"github.com/hashicorp/vault/helper/builtinplugins"
+	"github.com/hashicorp/vault/helper/testhelpers/minimal"
+	"github.com/hashicorp/vault/sdk/helper/jsonutil"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/vault"
+)
+
+const sudoKey = "x-vault-sudo"
+
+// Tests that the static list of sudo paths in the api package matches what's in the current OpenAPI spec.
+func TestSudoPaths(t *testing.T) {
+	t.Parallel()
+
+	coreConfig := &vault.CoreConfig{
+		EnableRaw:           true,
+		EnableIntrospection: true,
+		BuiltinRegistry:     builtinplugins.Registry,
+		LogicalBackends: map[string]logical.Factory{
+			"pki": pki.Factory,
+		},
+	}
+
+	cluster := minimal.NewTestSoloCluster(t, coreConfig)
+	client := cluster.Cores[0].Client
+
+	// NOTE: At present there are no auth methods with sudo paths, except for the
+	// automatically mounted token backend. If this changes this test should be
+	// updated to iterate over the auth methods and test them as we are doing below.
+
+	// Each secrets engine that contains sudo paths (other than automatically mounted ones) must be mounted here
+	for _, logicalBackendName := range []string{"pki"} {
+		err := client.Sys().Mount(logicalBackendName, &api.MountInput{
+			Type: logicalBackendName,
+		})
+		if err != nil {
+			t.Fatalf("error enabling logical backend for test: %v", err)
+		}
+	}
+
+	sudoPathsFromSpec, err := getSudoPathsFromSpec(client)
+	if err != nil {
+		t.Fatalf("error getting list of paths that require sudo from OpenAPI endpoint: %v", err)
+	}
+
+	sudoPathsInCode := api.SudoPaths()
+
+	// check for missing paths
+	for path := range sudoPathsFromSpec {
+		pathTrimmed := strings.TrimRight(path, "/")
+		if _, ok := sudoPathsInCode[pathTrimmed]; !ok {
+			t.Fatalf(
+				"A path in the OpenAPI spec is missing from the static list of "+
+					"sudo paths in the api module (%s). Please reconcile the two "+
+					"accordingly.", pathTrimmed)
+		}
+	}
+
+	// check for extra paths
+	for path := range sudoPathsInCode {
+		if _, ok := sudoPathsFromSpec[path]; !ok {
+			if _, ok := sudoPathsFromSpec[path+"/"]; !ok {
+				t.Fatalf(
+					"A path in the static list of sudo paths in the api module "+
+						"is not marked as a sudo path in the OpenAPI spec (%s). Please reconcile the two "+
+						"accordingly.", path)
+			}
+		}
+	}
+}
+
+func getSudoPathsFromSpec(client *api.Client) (map[string]struct{}, error) {
+	resp, err := client.Logical().ReadRaw("sys/internal/specs/openapi")
+	if err != nil {
+		return nil, fmt.Errorf("unable to retrieve sudo endpoints: %v", err)
+	}
+	if resp != nil {
+		defer resp.Body.Close()
+	}
+
+	oasInfo := make(map[string]interface{})
+	if err := jsonutil.DecodeJSONFromReader(resp.Body, &oasInfo); err != nil {
+		return nil, fmt.Errorf("unable to decode JSON from OpenAPI response: %v", err)
+	}
+
+	paths, ok := oasInfo["paths"]
+	if !ok {
+		return nil, fmt.Errorf("OpenAPI response did not include paths")
+	}
+
+	pathsMap, ok := paths.(map[string]interface{})
+	if !ok {
+		return nil, fmt.Errorf("OpenAPI response did not return valid paths")
+	}
+
+	sudoPaths := make(map[string]struct{})
+	for pathName, pathInfo := range pathsMap {
+		pathInfoMap, ok := pathInfo.(map[string]interface{})
+		if !ok {
+			continue
+		}
+
+		if sudo, ok := pathInfoMap[sudoKey]; ok {
+			if sudo == true {
+				sudoPaths[pathName] = struct{}{}
+			}
+		}
+	}
+
+	return sudoPaths, nil
+}
diff --git a/ui/tests/integration/components/confirm-action-test.js b/ui/tests/integration/components/confirm-action-test.js
index 839840e5f3ed..58a73b89cbb7 100644
--- a/ui/tests/integration/components/confirm-action-test.js
+++ b/ui/tests/integration/components/confirm-action-test.js
@@ -1,159 +1,48 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import { render, click, find } from '@ember/test-helpers';
-import hbs from 'htmlbars-inline-precompile';
-import sinon from 'sinon';
-
-const SELECTORS = {
-  modalToggle: '[data-test-confirm-action-trigger]',
-  title: '[data-test-confirm-action-title]',
-  message: '[data-test-confirm-action-message]',
-  confirm: '[data-test-confirm-button]',
-  cancel: '[data-test-confirm-cancel-button]',
-};
-module('Integration | Component | confirm-action', function (hooks) {
-  setupRenderingTest(hooks);
-
-  hooks.beforeEach(function () {
-    this.onConfirm = sinon.spy();
-  });
-
-  test('it renders defaults and calls onConfirmAction', async function (assert) {
-    await render(hbs`
-      <ConfirmAction
-        @buttonText="DELETE"
-        @onConfirmAction={{this.onConfirm}}
-      />
-      `);
-
-    assert.dom(SELECTORS.modalToggle).hasText('DELETE', 'renders button text');
-    await click(SELECTORS.modalToggle);
-    // hasClass assertion wasn't working so this is the workaround
-    assert.strictEqual(
-      find('#confirm-action-modal').className,
-      'hds-modal hds-modal--size-small hds-modal--color-critical',
-      'renders critical modal color by default'
-    );
-    assert.strictEqual(
-      find(SELECTORS.confirm).className,
-      'hds-button hds-button--size-medium hds-button--color-critical',
-      'renders critical confirm button'
-    );
-    assert.dom(SELECTORS.title).hasText('Are you sure?', 'renders default title');
-    assert
-      .dom(SELECTORS.message)
-      .hasText('You will not be able to recover it later.', 'renders default body text');
-    await click(SELECTORS.cancel);
-    assert.false(this.onConfirm.called, 'does not call the action when Cancel is clicked');
-    await click(SELECTORS.modalToggle);
-    await click(SELECTORS.confirm);
-    assert.true(this.onConfirm.called, 'calls the action when Confirm is clicked');
-    assert.dom(SELECTORS.title).doesNotExist('modal closes after confirm is clicked');
-  });
-
-  test('it renders isInDropdown defaults and calls onConfirmAction', async function (assert) {
-    await render(hbs`
-      <ConfirmAction
-        @buttonText="DELETE"
-        @onConfirmAction={{this.onConfirm}}
-        @isInDropdown={{true}}
-      />
-      `);
-
-    assert.dom(`li ${SELECTORS.modalToggle}`).exists('element renders inside <li>');
-    assert.dom(SELECTORS.modalToggle).hasClass('hds-confirm-action-critical', 'button has dropdown styling');
-    await click(SELECTORS.modalToggle);
-    assert.dom(SELECTORS.title).hasText('Are you sure?', 'renders default title');
-    assert
-      .dom(SELECTORS.message)
-      .hasText('You will not be able to recover it later.', 'renders default body text');
-    await click('[data-test-confirm-cancel-button]');
-    assert.false(this.onConfirm.called, 'does not call the action when Cancel is clicked');
-    await click(SELECTORS.modalToggle);
-    await click(SELECTORS.confirm);
-    assert.true(this.onConfirm.called, 'calls the action when Confirm is clicked');
-    assert.dom(SELECTORS.title).doesNotExist('modal closes after confirm is clicked');
-  });
-
-  test('it renders loading state', async function (assert) {
-    await render(hbs`
-      <ConfirmAction
-        @buttonText="Open!"
-        @onConfirmAction={{this.onConfirm}}
-        @isRunning={{true}}
-      />
-      `);
-
-    await click(SELECTORS.modalToggle);
-
-    assert.dom(SELECTORS.confirm).isDisabled('disables confirm button when loading');
-    assert.dom('[data-test-confirm-button] [data-test-icon="loading"]').exists('it renders loading icon');
-  });
-
-  test('it renders disabledMessage modal', async function (assert) {
-    this.condition = true;
-    await render(hbs`
-      <ConfirmAction
-        @buttonText="Open!"
-        @onConfirmAction={{this.onConfirm}}
-        @confirmTitle="Do this?"
-        @confirmMessage="Are you really, really sure?"
-        @disabledMessage={{if this.condition "This is the reason you cannot do the thing"}}
-      />
-      `);
-
-    await click(SELECTORS.modalToggle);
-    assert.strictEqual(
-      find('#confirm-action-modal').className,
-      'hds-modal hds-modal--size-small hds-modal--color-neutral',
-      'renders critical modal color by default'
-    );
-    assert.dom(SELECTORS.title).hasText('Not allowed', 'renders disabled title');
-    assert
-      .dom(SELECTORS.message)
-      .hasText('This is the reason you cannot do the thing', 'renders disabled message as body text');
-    assert.dom(SELECTORS.confirm).doesNotExist('does not render confirm action button');
-    assert.dom(SELECTORS.cancel).hasText('Close');
-  });
-
-  test('it renders passed args', async function (assert) {
-    this.condition = false;
-    await render(hbs`
-      <ConfirmAction
-        @buttonText="Open!"
-        @onConfirmAction={{this.onConfirm}}
-        @modalColor="warning"
-        @buttonColor="secondary"
-        @confirmTitle="Do this?"
-        @confirmMessage="Are you really, really sure?"
-        @disabledMessage={{if this.condition "This is the reason you cannot do the thing"}}
-      />
-      `);
-
-    // hasClass assertion wasn't working so this is the workaround
-    assert.strictEqual(
-      find(SELECTORS.modalToggle).className,
-      'hds-button hds-button--size-medium hds-button--color-secondary',
-      'renders @buttonColor classes'
-    );
-    await click(SELECTORS.modalToggle);
-    assert.strictEqual(
-      find('#confirm-action-modal').className,
-      'hds-modal hds-modal--size-small hds-modal--color-warning',
-      'renders warning modal'
-    );
-    assert.strictEqual(
-      find(SELECTORS.confirm).className,
-      'hds-button hds-button--size-medium hds-button--color-primary',
-      'renders primary confirm button'
-    );
-    assert.dom(SELECTORS.title).hasText('Do this?', 'renders passed title');
-    assert.dom(SELECTORS.message).hasText('Are you really, really sure?', 'renders passed body text');
-    assert.dom(SELECTORS.confirm).hasText('Confirm');
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package api
+
+import (
+	"context"
+	"net/http"
+	"time"
+)
+
+func (c *Sys) HAStatus() (*HAStatusResponse, error) {
+	return c.HAStatusWithContext(context.Background())
+}
+
+func (c *Sys) HAStatusWithContext(ctx context.Context) (*HAStatusResponse, error) {
+	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+	defer cancelFunc()
+
+	r := c.c.NewRequest(http.MethodGet, "/v1/sys/ha-status")
+
+	resp, err := c.c.rawRequestWithContext(ctx, r)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	var result HAStatusResponse
+	err = resp.DecodeJSON(&result)
+	return &result, err
+}
+
+type HAStatusResponse struct {
+	Nodes []HANode
+}
+
+type HANode struct {
+	Hostname           string     `json:"hostname"`
+	APIAddress         string     `json:"api_address"`
+	ClusterAddress     string     `json:"cluster_address"`
+	ActiveNode         bool       `json:"active_node"`
+	LastEcho           *time.Time `json:"last_echo"`
+	EchoDurationMillis int64      `json:"echo_duration_ms"`
+	ClockSkewMillis    int64      `json:"clock_skew_ms"`
+	Version            string     `json:"version"`
+	UpgradeVersion     string     `json:"upgrade_version,omitempty"`
+	RedundancyZone     string     `json:"redundancy_zone,omitempty"`
+}
diff --git a/ui/tests/integration/components/copy-secret-dropdown-test.js b/ui/tests/integration/components/copy-secret-dropdown-test.js
index 26c88dd9c4bd..0e1f0ff24728 100644
--- a/ui/tests/integration/components/copy-secret-dropdown-test.js
+++ b/ui/tests/integration/components/copy-secret-dropdown-test.js
@@ -1,93 +1,259 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'vault/tests/helpers';
-import { click, render } from '@ember/test-helpers';
-import { hbs } from 'ember-cli-htmlbars';
-
-const SELECTORS = {
-  dropdown: '[data-test-copy-menu-trigger]',
-  copyButton: '[data-test-copy-button]',
-  clipboard: 'data-clipboard-text',
-  wrapButton: '[data-test-wrap-button]',
-  masked: '[data-test-masked-input]',
-};
-
-module('Integration | Component | copy-secret-dropdown', function (hooks) {
-  setupRenderingTest(hooks);
-  hooks.beforeEach(function () {
-    this.onWrap = () => {};
-    this.onClose = () => {};
-  });
-
-  test('it renders and fires callback functions', async function (assert) {
-    assert.expect(5);
-    this.data = `{ foo: 'bar' }`;
-    this.onWrap = () => assert.ok(true, 'onWrap callback fires Wrap secret is clicked');
-    this.onClose = () => assert.ok(true, 'onClose callback fires when dropdown closes');
-
-    await render(
-      hbs`<ToolbarActions>
-  <CopySecretDropdown
-    @clipboardText={{this.data}}
-    @onWrap={{this.onWrap}}
-    @onClose={{this.onClose}}
-  />
-</ToolbarActions>`
-    );
-
-    await click(SELECTORS.dropdown);
-    assert.dom(SELECTORS.copyButton).hasText('Copy JSON');
-    assert.dom(SELECTORS.wrapButton).hasText('Wrap secret');
-    assert
-      .dom(SELECTORS.copyButton)
-      .hasAttribute('data-clipboard-text', `${this.data}`, 'it renders copyable data');
-
-    await click(SELECTORS.wrapButton);
-    await click(SELECTORS.dropdown);
-  });
-
-  test('it renders loading wrap button', async function (assert) {
-    assert.expect(2);
-    await render(
-      hbs`<ToolbarActions>
-  <CopySecretDropdown
-    @clipboardText={{this.data}}
-    @onWrap={{this.onWrap}}
-    @isWrapping={{true}}
-    @wrappedData={{this.wrappedData}}
-    @onClose={{this.onClose}}
-  />
-</ToolbarActions>`
-    );
-
-    await click(SELECTORS.dropdown);
-    assert.dom(`${SELECTORS.wrapButton} [data-test-icon="loading"]`).exists('renders loading icon');
-    assert.dom(SELECTORS.wrapButton).isDisabled();
-  });
-
-  test('it wrapped data', async function (assert) {
-    assert.expect(1);
-    this.wrappedData = 'my-token';
-
-    await render(
-      hbs`<ToolbarActions>
-  <CopySecretDropdown
-    @clipboardText={{this.data}}
-    @onWrap={{this.onWrap}}
-    @isWrapping={{false}}
-    @wrappedData={{this.wrappedData}}
-    @onClose={{this.onClose}}
-  />
-</ToolbarActions>`
-    );
-
-    await click(SELECTORS.dropdown);
-    assert
-      .dom(`${SELECTORS.masked} ${SELECTORS.copyButton}`)
-      .hasAttribute('data-clipboard-text', this.wrappedData, 'it renders wrapped data');
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package http
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/hashicorp/go-secure-stdlib/parseutil"
+	"github.com/hashicorp/vault/helper/constants"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/vault"
+	"github.com/hashicorp/vault/version"
+)
+
+func handleSysHealth(core *vault.Core, opt ...ListenerConfigOption) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.Method {
+		case "GET":
+			handleSysHealthGet(core, w, r, opt...)
+		case "HEAD":
+			handleSysHealthHead(core, w, r)
+		default:
+			respondError(w, http.StatusMethodNotAllowed, nil)
+		}
+	})
+}
+
+func fetchStatusCode(r *http.Request, field string) (int, bool, bool) {
+	var err error
+	statusCode := http.StatusOK
+	if statusCodeStr, statusCodeOk := r.URL.Query()[field]; statusCodeOk {
+		statusCode, err = strconv.Atoi(statusCodeStr[0])
+		if err != nil || len(statusCodeStr) < 1 {
+			return http.StatusBadRequest, false, false
+		}
+		return statusCode, true, true
+	}
+	return statusCode, false, true
+}
+
+func handleSysHealthGet(core *vault.Core, w http.ResponseWriter, r *http.Request, opt ...ListenerConfigOption) {
+	code, body, err := getSysHealth(core, r)
+	if err != nil {
+		core.Logger().Error("error checking health", "error", err)
+		respondError(w, code, nil)
+		return
+	}
+
+	if body == nil {
+		respondError(w, code, nil)
+		return
+	}
+
+	opts, err := getOpts(opt...)
+
+	if opts.withRedactVersion {
+		body.Version = opts.withRedactionValue
+	}
+
+	if opts.withRedactClusterName {
+		body.ClusterName = opts.withRedactionValue
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(code)
+
+	// Generate the response
+	enc := json.NewEncoder(w)
+	enc.Encode(body)
+}
+
+func handleSysHealthHead(core *vault.Core, w http.ResponseWriter, r *http.Request) {
+	code, body, _ := getSysHealth(core, r)
+
+	if body != nil {
+		w.Header().Set("Content-Type", "application/json")
+	}
+	w.WriteHeader(code)
+}
+
+func getSysHealth(core *vault.Core, r *http.Request) (int, *HealthResponse, error) {
+	var err error
+
+	// Check if being a standby is allowed for the purpose of a 200 OK
+	standbyOKStr, standbyOK := r.URL.Query()["standbyok"]
+	if standbyOK {
+		standbyOK, err = parseutil.ParseBool(standbyOKStr[0])
+		if err != nil {
+			return http.StatusBadRequest, nil, fmt.Errorf("bad value for standbyok parameter: %w", err)
+		}
+	}
+	perfStandbyOKStr, perfStandbyOK := r.URL.Query()["perfstandbyok"]
+	if perfStandbyOK {
+		perfStandbyOK, err = parseutil.ParseBool(perfStandbyOKStr[0])
+		if err != nil {
+			return http.StatusBadRequest, nil, fmt.Errorf("bad value for perfstandbyok parameter: %w", err)
+		}
+	}
+
+	uninitCode := http.StatusNotImplemented
+	if code, found, ok := fetchStatusCode(r, "uninitcode"); !ok {
+		return http.StatusBadRequest, nil, nil
+	} else if found {
+		uninitCode = code
+	}
+
+	sealedCode := http.StatusServiceUnavailable
+	if code, found, ok := fetchStatusCode(r, "sealedcode"); !ok {
+		return http.StatusBadRequest, nil, nil
+	} else if found {
+		sealedCode = code
+	}
+
+	standbyCode := http.StatusTooManyRequests // Consul warning code
+	if code, found, ok := fetchStatusCode(r, "standbycode"); !ok {
+		return http.StatusBadRequest, nil, nil
+	} else if found {
+		standbyCode = code
+	}
+
+	activeCode := http.StatusOK
+	if code, found, ok := fetchStatusCode(r, "activecode"); !ok {
+		return http.StatusBadRequest, nil, nil
+	} else if found {
+		activeCode = code
+	}
+
+	drSecondaryCode := 472 // unofficial 4xx status code
+	if code, found, ok := fetchStatusCode(r, "drsecondarycode"); !ok {
+		return http.StatusBadRequest, nil, nil
+	} else if found {
+		drSecondaryCode = code
+	}
+
+	perfStandbyCode := 473 // unofficial 4xx status code
+	if code, found, ok := fetchStatusCode(r, "performancestandbycode"); !ok {
+		return http.StatusBadRequest, nil, nil
+	} else if found {
+		perfStandbyCode = code
+	}
+
+	ctx := context.Background()
+
+	// Check system status
+	sealed := core.Sealed()
+	standby, perfStandby := core.StandbyStates()
+	var replicationState consts.ReplicationState
+	if standby {
+		replicationState = core.ActiveNodeReplicationState()
+	} else {
+		replicationState = core.ReplicationState()
+	}
+
+	init, err := core.Initialized(ctx)
+	if err != nil {
+		return http.StatusInternalServerError, nil, err
+	}
+
+	// Determine the status code
+	code := activeCode
+	switch {
+	case !init:
+		code = uninitCode
+	case sealed:
+		code = sealedCode
+	case replicationState.HasState(consts.ReplicationDRSecondary):
+		code = drSecondaryCode
+	case perfStandby:
+		if !perfStandbyOK {
+			code = perfStandbyCode
+		}
+	case standby:
+		if !standbyOK {
+			code = standbyCode
+		}
+	}
+
+	// Fetch the local cluster name and identifier
+	var clusterName, clusterID string
+	if !sealed {
+		cluster, err := core.Cluster(ctx)
+		if err != nil {
+			return http.StatusInternalServerError, nil, err
+		}
+		if cluster == nil {
+			return http.StatusInternalServerError, nil, fmt.Errorf("failed to fetch cluster details")
+		}
+		clusterName = cluster.Name
+		clusterID = cluster.ID
+	}
+
+	// Format the body
+	body := &HealthResponse{
+		Initialized:                init,
+		Sealed:                     sealed,
+		Standby:                    standby,
+		PerformanceStandby:         perfStandby,
+		ReplicationPerformanceMode: replicationState.GetPerformanceString(),
+		ReplicationDRMode:          replicationState.GetDRString(),
+		ServerTimeUTC:              time.Now().UTC().Unix(),
+		Version:                    version.GetVersion().VersionNumber(),
+		Enterprise:                 constants.IsEnterprise,
+		ClusterName:                clusterName,
+		ClusterID:                  clusterID,
+		ClockSkewMillis:            core.ActiveNodeClockSkewMillis(),
+		EchoDurationMillis:         core.EchoDuration().Milliseconds(),
+	}
+
+	licenseState, err := core.EntGetLicenseState()
+	if err != nil {
+		return http.StatusInternalServerError, nil, err
+	}
+
+	if licenseState != nil {
+		body.License = &HealthResponseLicense{
+			State:      licenseState.State,
+			Terminated: licenseState.Terminated,
+		}
+		if !licenseState.ExpiryTime.IsZero() {
+			body.License.ExpiryTime = licenseState.ExpiryTime.Format(time.RFC3339)
+		}
+	}
+
+	if init && !sealed && !standby {
+		body.LastWAL = core.EntLastWAL()
+	}
+
+	return code, body, nil
+}
+
+type HealthResponseLicense struct {
+	State      string `json:"state"`
+	ExpiryTime string `json:"expiry_time"`
+	Terminated bool   `json:"terminated"`
+}
+
+type HealthResponse struct {
+	Initialized                bool                   `json:"initialized"`
+	Sealed                     bool                   `json:"sealed"`
+	Standby                    bool                   `json:"standby"`
+	PerformanceStandby         bool                   `json:"performance_standby"`
+	ReplicationPerformanceMode string                 `json:"replication_performance_mode"`
+	ReplicationDRMode          string                 `json:"replication_dr_mode"`
+	ServerTimeUTC              int64                  `json:"server_time_utc"`
+	Version                    string                 `json:"version"`
+	Enterprise                 bool                   `json:"enterprise"`
+	ClusterName                string                 `json:"cluster_name,omitempty"`
+	ClusterID                  string                 `json:"cluster_id,omitempty"`
+	LastWAL                    uint64                 `json:"last_wal,omitempty"`
+	License                    *HealthResponseLicense `json:"license,omitempty"`
+	EchoDurationMillis         int64                  `json:"echo_duration_ms"`
+	ClockSkewMillis            int64                  `json:"clock_skew_ms"`
+}
diff --git a/ui/tests/integration/components/dashboard/overview-test.js b/ui/tests/integration/components/dashboard/overview-test.js
index 9e661595c574..bd64ea853232 100644
--- a/ui/tests/integration/components/dashboard/overview-test.js
+++ b/ui/tests/integration/components/dashboard/overview-test.js
@@ -1,256 +1,217 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: MPL-2.0
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'vault/tests/helpers';
-import { render } from '@ember/test-helpers';
-import { hbs } from 'ember-cli-htmlbars';
-import { setupMirage } from 'ember-cli-mirage/test-support';
-import { SELECTORS } from 'vault/tests/helpers/components/dashboard/dashboard-selectors';
-
-module('Integration | Component | dashboard/overview', function (hooks) {
-  setupRenderingTest(hooks);
-  setupMirage(hooks);
-
-  hooks.beforeEach(function () {
-    this.store = this.owner.lookup('service:store');
-
-    this.replication = {
-      dr: {
-        clusterId: '123',
-        state: 'running',
-      },
-      performance: {
-        clusterId: 'abc-1',
-        state: 'running',
-        isPrimary: true,
-      },
-    };
-    this.store.pushPayload('secret-engine', {
-      modelName: 'secret-engine',
-      data: {
-        accessor: 'kv_f3400dee',
-        path: 'kv-test/',
-        type: 'kv',
-      },
-    });
-    this.store.pushPayload('secret-engine', {
-      modelName: 'secret-engine',
-      data: {
-        accessor: 'kv_f3300dee',
-        path: 'kv-1/',
-        type: 'kv',
-      },
-    });
-    this.secretsEngines = this.store.peekAll('secret-engine', {});
-    this.vaultConfiguration = {
-      api_addr: 'http://127.0.0.1:8200',
-      default_lease_ttl: 0,
-      max_lease_ttl: 0,
-      listeners: [
-        {
-          config: {
-            address: '127.0.0.1:8200',
-            tls_disable: 1,
-          },
-          type: 'tcp',
-        },
-      ],
-    };
-    this.refreshModel = () => {};
-  });
-
-  test('it should show dashboard empty states', async function (assert) {
-    this.version = this.owner.lookup('service:version');
-    this.version.version = '1.13.1';
-    this.isRootNamespace = true;
-    await render(
-      hbs`
-        <Dashboard::Overview
-          @version={{this.version}}
-          @isRootNamespace={{this.isRootNamespace}}
-          @refreshModel={{this.refreshModel}} />
-      `
-    );
-    assert.dom(SELECTORS.cardHeader('Vault version')).exists();
-    assert.dom(SELECTORS.cardName('secrets-engines')).exists();
-    assert.dom(SELECTORS.emptyState('secrets-engines')).exists();
-    assert.dom(SELECTORS.cardName('learn-more')).exists();
-    assert.dom(SELECTORS.cardName('quick-actions')).exists();
-    assert.dom(SELECTORS.emptyState('quick-actions')).exists();
-    assert.dom(SELECTORS.cardName('configuration-details')).doesNotExist();
-    assert.dom(SELECTORS.cardName('replication')).doesNotExist();
-    assert.dom(SELECTORS.cardName('client-count')).doesNotExist();
-  });
-
-  test('it should hide client count and replication card on community', async function (assert) {
-    this.version = this.owner.lookup('service:version');
-    this.version.version = '1.13.1';
-    this.isRootNamespace = true;
-
-    await render(
-      hbs`
-        <Dashboard::Overview
-          @secretsEngines={{this.secretsEngines}}
-          @vaultConfiguration={{this.vaultConfiguration}}
-          @replication={{this.replication}}
-          @version={{this.version}}
-          @isRootNamespace={{this.isRootNamespace}}
-          @refreshModel={{this.refreshModel}} />
-      `
-    );
-
-    assert.dom(SELECTORS.cardHeader('Vault version')).exists();
-    assert.dom(SELECTORS.cardName('secrets-engines')).exists();
-    assert.dom(SELECTORS.cardName('learn-more')).exists();
-    assert.dom(SELECTORS.cardName('quick-actions')).exists();
-    assert.dom(SELECTORS.cardName('configuration-details')).exists();
-    assert.dom(SELECTORS.cardName('replication')).doesNotExist();
-    assert.dom(SELECTORS.cardName('client-count')).doesNotExist();
-  });
-
-  test('it should show client count on enterprise w/ license', async function (assert) {
-    this.version = this.owner.lookup('service:version');
-    this.version.version = '1.13.1+ent';
-    this.license = {
-      autoloaded: {
-        license_id: '7adbf1f4-56ef-35cd-3a6c-50ef2627865d',
-      },
-    };
-
-    await render(
-      hbs`
-      <Dashboard::Overview
-      @secretsEngines={{this.secretsEngines}}
-      @vaultConfiguration={{this.vaultConfiguration}}
-      @replication={{this.replication}}
-      @version={{this.version}}
-      @isRootNamespace={{true}}
-      @license={{this.license}}
-      @refreshModel={{this.refreshModel}} />`
-    );
-    assert.dom(SELECTORS.cardHeader('Vault version')).exists();
-    assert.dom(SELECTORS.cardName('secrets-engines')).exists();
-    assert.dom(SELECTORS.cardName('learn-more')).exists();
-    assert.dom(SELECTORS.cardName('quick-actions')).exists();
-    assert.dom(SELECTORS.cardName('configuration-details')).exists();
-    assert.dom(SELECTORS.cardName('client-count')).exists();
-  });
-
-  test('it should hide client count on enterprise w/o license ', async function (assert) {
-    this.version = this.owner.lookup('service:version');
-    this.version.version = '1.13.1+ent';
-    this.isRootNamespace = true;
-
-    await render(
-      hbs`
-      <Dashboard::Overview
-        @secretsEngines={{this.secretsEngines}}
-        @vaultConfiguration={{this.vaultConfiguration}}
-        @replication={{this.replication}}
-        @version={{this.version}}
-        @isRootNamespace={{this.isRootNamespace}}
-        @refreshModel={{this.refreshModel}}
-      />`
-    );
-
-    assert.dom(SELECTORS.cardHeader('Vault version')).exists();
-    assert.dom('[data-test-badge-namespace]').exists();
-    assert.dom(SELECTORS.cardName('secrets-engines')).exists();
-    assert.dom(SELECTORS.cardName('learn-more')).exists();
-    assert.dom(SELECTORS.cardName('quick-actions')).exists();
-    assert.dom(SELECTORS.cardName('configuration-details')).exists();
-    assert.dom(SELECTORS.cardName('client-count')).doesNotExist();
-  });
-
-  test('it should hide replication on enterprise not on root namespace', async function (assert) {
-    this.version = this.owner.lookup('service:version');
-    this.version.version = '1.13.1+ent';
-    this.isRootNamespace = false;
-    this.license = {
-      autoloaded: {
-        license_id: '7adbf1f4-56ef-35cd-3a6c-50ef2627865d',
-      },
-    };
-
-    await render(
-      hbs`
-      <Dashboard::Overview
-        @version={{this.version}}
-        @isRootNamespace={{this.isRootNamespace}}
-        @secretsEngines={{this.secretsEngines}}
-        @vaultConfiguration={{this.vaultConfiguration}}
-        @replication={{this.replication}}
-        @license={{this.license}}
-        @refreshModel={{this.refreshModel}} />`
-    );
-
-    assert.dom(SELECTORS.cardHeader('Vault version')).exists();
-    assert.dom('[data-test-badge-namespace]').exists();
-    assert.dom(SELECTORS.cardName('secrets-engines')).exists();
-    assert.dom(SELECTORS.cardName('learn-more')).exists();
-    assert.dom(SELECTORS.cardName('quick-actions')).exists();
-    assert.dom(SELECTORS.cardName('configuration-details')).exists();
-    assert.dom(SELECTORS.cardName('replication')).doesNotExist();
-    assert.dom(SELECTORS.cardName('client-count')).exists();
-  });
-
-  module('learn more card', function () {
-    test('shows the learn more card on community', async function (assert) {
-      await render(
-        hbs`<Dashboard::Overview @secretsEngines={{this.secretsEngines}} @vaultConfiguration={{this.vaultConfiguration}} @replication={{this.replication}} @refreshModel={{this.refreshModel}} />`
-      );
-
-      assert.dom('[data-test-learn-more-title]').hasText('Learn more');
-      assert
-        .dom('[data-test-learn-more-subtext]')
-        .hasText(
-          'Explore the features of Vault and learn advance practices with the following tutorials and documentation.'
-        );
-      assert.dom('[data-test-learn-more-links] a').exists({ count: 3 });
-      assert
-        .dom('[data-test-feedback-form]')
-        .hasText("Don't see what you're looking for on this page? Let us know via our feedback form .");
-    });
-    test('shows the learn more card on enterprise', async function (assert) {
-      this.version = this.owner.lookup('service:version');
-      this.version.version = '1.13.1+ent';
-      this.version.features = [
-        'Performance Replication',
-        'DR Replication',
-        'Namespaces',
-        'Transform Secrets Engine',
-      ];
-      this.isRootNamespace = true;
-      this.license = {
-        autoloaded: {
-          license_id: '7adbf1f4-56ef-35cd-3a6c-50ef2627865d',
-        },
-      };
-      await render(
-        hbs`
-          <Dashboard::Overview
-            @version={{this.version}}
-            @isRootNamespace={{this.isRootNamespace}}
-            @license={{this.license}}
-            @secretsEngines={{this.secretsEngines}}
-            @vaultConfiguration={{this.vaultConfiguration}}
-            @replication={{this.replication}}
-            @refreshModel={{this.refreshModel}} />
-        `
-      );
-      assert.dom('[data-test-learn-more-title]').hasText('Learn more');
-      assert
-        .dom('[data-test-learn-more-subtext]')
-        .hasText(
-          'Explore the features of Vault and learn advance practices with the following tutorials and documentation.'
-        );
-      assert.dom('[data-test-learn-more-links] a').exists({ count: 4 });
-      assert
-        .dom('[data-test-feedback-form]')
-        .hasText("Don't see what you're looking for on this page? Let us know via our feedback form .");
-    });
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package http
+
+import (
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/helper/constants"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/vault"
+)
+
+func TestSysHealth_get(t *testing.T) {
+	core := vault.TestCore(t)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
+
+	// Test without the client first since we want to verify the response code
+	raw, err := http.Get(addr + "/v1/sys/health")
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	testResponseStatus(t, raw, 501)
+
+	// Test with the client because it's a bit easier to work with structs
+	config := api.DefaultConfig()
+	config.Address = addr
+	client, err := api.NewClient(config)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	resp, err := client.Sys().Health()
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	expected := &api.HealthResponse{
+		Enterprise:                 constants.IsEnterprise,
+		Initialized:                false,
+		Sealed:                     true,
+		Standby:                    true,
+		PerformanceStandby:         false,
+		ReplicationPerformanceMode: consts.ReplicationUnknown.GetPerformanceString(),
+		ReplicationDRMode:          consts.ReplicationUnknown.GetDRString(),
+	}
+	ignore := cmpopts.IgnoreFields(*expected, "ClusterName", "ClusterID", "ServerTimeUTC", "Version")
+	if diff := cmp.Diff(resp, expected, ignore); len(diff) > 0 {
+		t.Fatal(diff)
+	}
+
+	keys, _ := vault.TestCoreInit(t, core)
+	raw, err = http.Get(addr + "/v1/sys/health")
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	testResponseStatus(t, raw, 503)
+
+	resp, err = client.Sys().Health()
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	expected.Initialized = true
+	if diff := cmp.Diff(resp, expected, ignore); len(diff) > 0 {
+		t.Fatal(diff)
+	}
+
+	for _, key := range keys {
+		if _, err := vault.TestCoreUnseal(core, vault.TestKeyCopy(key)); err != nil {
+			t.Fatalf("unseal err: %s", err)
+		}
+	}
+	raw, err = http.Get(addr + "/v1/sys/health")
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	testResponseStatus(t, raw, 200)
+
+	resp, err = client.Sys().Health()
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	expected.Sealed = false
+	expected.Standby = false
+	expected.ReplicationPerformanceMode = consts.ReplicationPerformanceDisabled.GetPerformanceString()
+	expected.ReplicationDRMode = consts.ReplicationDRDisabled.GetDRString()
+	if diff := cmp.Diff(resp, expected, ignore); len(diff) > 0 {
+		t.Fatal(diff)
+	}
+}
+
+func TestSysHealth_customcodes(t *testing.T) {
+	core := vault.TestCore(t)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
+
+	queryurl, err := url.Parse(addr + "/v1/sys/health?uninitcode=581&sealedcode=523&activecode=202")
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	raw, err := http.Get(queryurl.String())
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	testResponseStatus(t, raw, 581)
+
+	// Test with the client because it's a bit easier to work with structs
+	config := api.DefaultConfig()
+	config.Address = addr
+	client, err := api.NewClient(config)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	resp, err := client.Sys().Health()
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	expected := &api.HealthResponse{
+		Enterprise:                 constants.IsEnterprise,
+		Initialized:                false,
+		Sealed:                     true,
+		Standby:                    true,
+		PerformanceStandby:         false,
+		ReplicationPerformanceMode: consts.ReplicationUnknown.GetPerformanceString(),
+		ReplicationDRMode:          consts.ReplicationUnknown.GetDRString(),
+	}
+	ignore := cmpopts.IgnoreFields(*expected, "ClusterName", "ClusterID", "ServerTimeUTC", "Version")
+	if diff := cmp.Diff(resp, expected, ignore); len(diff) > 0 {
+		t.Fatal(diff)
+	}
+
+	keys, _ := vault.TestCoreInit(t, core)
+	raw, err = http.Get(queryurl.String())
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	testResponseStatus(t, raw, 523)
+
+	resp, err = client.Sys().Health()
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	expected.Initialized = true
+	if diff := cmp.Diff(resp, expected, ignore); len(diff) > 0 {
+		t.Fatal(diff)
+	}
+
+	for _, key := range keys {
+		if _, err := vault.TestCoreUnseal(core, vault.TestKeyCopy(key)); err != nil {
+			t.Fatalf("unseal err: %s", err)
+		}
+	}
+	raw, err = http.Get(queryurl.String())
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	testResponseStatus(t, raw, 202)
+
+	resp, err = client.Sys().Health()
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	expected.Sealed = false
+	expected.Standby = false
+	expected.ReplicationPerformanceMode = consts.ReplicationPerformanceDisabled.GetPerformanceString()
+	expected.ReplicationDRMode = consts.ReplicationDRDisabled.GetDRString()
+	if diff := cmp.Diff(resp, expected, ignore); len(diff) > 0 {
+		t.Fatal(diff)
+	}
+}
+
+func TestSysHealth_head(t *testing.T) {
+	core, _, _ := vault.TestCoreUnsealed(t)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
+
+	testData := []struct {
+		uri  string
+		code int
+	}{
+		{"", 200},
+		{"?activecode=503", 503},
+		{"?activecode=notacode", 400},
+	}
+
+	for _, tt := range testData {
+		queryurl, err := url.Parse(addr + "/v1/sys/health" + tt.uri)
+		if err != nil {
+			t.Fatalf("err on %v: %s", queryurl, err)
+		}
+		resp, err := http.Head(queryurl.String())
+		if err != nil {
+			t.Fatalf("err on %v: %s", queryurl, err)
+		}
+
+		if resp.StatusCode != tt.code {
+			t.Fatalf("HEAD %v expected code %d, got %d.", queryurl, tt.code, resp.StatusCode)
+		}
+
+		data, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			t.Fatalf("err on %v: %s", queryurl, err)
+		}
+		if len(data) > 0 {
+			t.Fatalf("HEAD %v expected no body, received \"%v\".", queryurl, data)
+		}
+	}
+}
diff --git a/ui/tests/integration/components/info-table-row-test.js b/ui/tests/integration/components/info-table-row-test.js
index 238c019e2dd3..16aedcce4750 100644
--- a/ui/tests/integration/components/info-table-row-test.js
+++ b/ui/tests/integration/components/info-table-row-test.js
@@ -1,294 +1,340 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { resolve } from 'rsvp';
-import Service from '@ember/service';
-import { setupRenderingTest } from 'ember-qunit';
-import { render, triggerEvent } from '@ember/test-helpers';
-import hbs from 'htmlbars-inline-precompile';
-
-const VALUE = 'test value';
-const LABEL = 'test label';
-const TYPE = 'array';
-const DEFAULT = 'some default value';
-
-const routerService = Service.extend({
-  transitionTo() {
-    return {
-      followRedirects() {
-        return resolve();
-      },
-    };
-  },
-  replaceWith() {
-    return resolve();
-  },
-});
-
-module('Integration | Component | InfoTableRow', function (hooks) {
-  setupRenderingTest(hooks);
-
-  hooks.beforeEach(function () {
-    this.set('value', VALUE);
-    this.set('label', LABEL);
-    this.set('type', TYPE);
-    this.set('default', DEFAULT);
-    this.owner.register('service:router', routerService);
-    this.router = this.owner.lookup('service:router');
-  });
-
-  hooks.afterEach(function () {
-    this.owner.unregister('service:store');
-  });
-
-  test('it renders', async function (assert) {
-    await render(hbs`<InfoTableRow
-        @value={{this.value}}
-        @label={{this.label}}
-        @defaultShown={{this.default}}
-      />`);
-
-    assert.dom('[data-test-component="info-table-row"]').exists();
-    assert.dom('[data-test-row-value]').hasText(VALUE, 'renders value as passed through');
-
-    this.set('value', '');
-    assert
-      .dom('[data-test-label-div]')
-      .doesNotExist('does not render if no value and alwaysRender is false (even if default exists)');
-  });
-
-  test('it renders a tooltip', async function (assert) {
-    this.set('tooltipText', 'Tooltip text!');
-
-    await render(hbs`<InfoTableRow
-        @value={{this.value}}
-        @label={{this.label}}
-        @tooltipText={{this.tooltipText}}
-      />`);
-
-    await triggerEvent('[data-test-value-div="test label"] .ember-basic-dropdown-trigger', 'mouseenter');
-
-    const tooltip = document.querySelector('div.box').textContent.trim();
-    assert.strictEqual(tooltip, 'Tooltip text!', 'renders tooltip text');
-  });
-
-  test('it should copy tooltip', async function (assert) {
-    assert.expect(3);
-
-    this.set('isCopyable', false);
-
-    await render(hbs`
-      <InfoTableRow
-        @label={{this.label}}
-        @value={{this.value}}
-        @tooltipText="Foo bar"
-        @isTooltipCopyable={{this.isCopyable}}
-      />
-    `);
-
-    await triggerEvent('[data-test-value-div="test label"] .ember-basic-dropdown-trigger', 'mouseenter');
-
-    assert.dom('[data-test-tooltip-copy]').doesNotExist('Tooltip has no copy button');
-    this.set('isCopyable', true);
-    assert.dom('[data-test-tooltip-copy]').exists('Tooltip has copy button');
-    assert
-      .dom('[data-test-tooltip-copy]')
-      .hasAttribute('data-clipboard-text', 'Foo bar', 'Copy button will copy the tooltip text');
-  });
-
-  test('it renders a string with no link if isLink is true and the item type is not an array.', async function (assert) {
-    // This could be changed in the component so that it adds a link for any item type, but right now it should only add a link if item type is an array.
-    await render(hbs`<InfoTableRow
-        @value={{this.value}}
-        @label={{this.label}}
-        @isLink={{true}}
-      />`);
-    assert.dom('[data-test-row-value]').hasText(VALUE, 'renders value in code element and not in a tag');
-  });
-
-  test('it renders links if isLink is true and type is array', async function (assert) {
-    this.set('valueArray', ['valueArray']);
-    await render(hbs`<InfoTableRow
-      @value={{this.valueArray}}
-      @label={{this.label}}
-      @isLink={{true}}
-      @type={{this.type}}
-    />`);
-
-    assert.dom('[data-test-item="valueArray"]').hasText('valueArray', 'Confirm link with item value exist');
-  });
-
-  test('it renders as expected if a label and/or value do not exist', async function (assert) {
-    this.set('value', VALUE);
-    this.set('label', '');
-    this.set('default', '');
-
-    await render(hbs`<InfoTableRow
-      @value={{this.value}}
-      @label={{this.label}}
-      @alwaysRender={{true}}
-      @defaultShown={{this.default}}
-    />`);
-
-    assert.dom('div.column.is-one-quarter .flight-icon').exists('Renders a dash (-) for the label');
-
-    this.set('value', '');
-    this.set('label', LABEL);
-    assert.dom('div.column.is-flex-center .flight-icon').exists('Renders a dash (-) for empty string value');
-
-    this.set('value', null);
-    assert.dom('div.column.is-flex-center .flight-icon').exists('Renders a dash (-) for null value');
-
-    this.set('value', undefined);
-    assert.dom('div.column.is-flex-center .flight-icon').exists('Renders a dash (-) for undefined value');
-
-    this.set('default', DEFAULT);
-    assert.dom('[data-test-value-div]').hasText(DEFAULT, 'Renders default text if value is empty');
-
-    this.set('value', '');
-    this.set('label', '');
-    this.set('default', '');
-    const dashCount = document.querySelectorAll('.flight-icon').length;
-    assert.strictEqual(
-      dashCount,
-      2,
-      'Renders dash (-) when both label and value do not exist (and no defaults)'
-    );
-  });
-
-  test('block content overrides any passed in value content', async function (assert) {
-    await render(hbs`<InfoTableRow
-      @value={{this.value}}
-      @label={{this.label}}
-      @alwaysRender={{true}}>
-      Block content is here
-      </InfoTableRow>`);
-
-    const block = document.querySelector('[data-test-value-div]').textContent.trim();
-    assert.strictEqual(block, 'Block content is here', 'renders block passed through');
-  });
-
-  test('Row renders when block content even if alwaysRender = false', async function (assert) {
-    await render(hbs`<InfoTableRow
-      @label={{this.label}}
-      @alwaysRender={{false}}>
-      Block content
-    </InfoTableRow>`);
-    assert.dom('[data-test-value-div]').exists('renders block');
-    assert.dom('[data-test-value-div]').hasText('Block content', 'renders block');
-  });
-
-  test('Row does not render empty block content when alwaysRender = false', async function (assert) {
-    await render(hbs`<InfoTableRow
-      @label={{this.label}}
-      @alwaysRender={{false}} />`);
-    assert.dom('[data-test-component="info-table-row"]').doesNotExist();
-  });
-
-  test('Has dashed label if none provided', async function (assert) {
-    await render(hbs`<InfoTableRow
-        @value={{this.value}}
-      />`);
-    assert.dom('[data-test-component="info-table-row"]').exists();
-    assert.dom('[data-test-icon="minus"]').exists('renders dash when no label');
-  });
-  test('Truncates the label if too long', async function (assert) {
-    this.set('label', 'abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz');
-    await render(hbs`<InfoTableRow
-        @label={{this.label}}
-        @value={{this.value}}
-      />`);
-    assert.dom('[data-test-component="info-table-row"]').exists('Row renders');
-    assert.dom('[data-test-label-div].label-overflow').exists('Label has class label-overflow');
-    await triggerEvent('[data-test-row-label]', 'mouseenter');
-    assert.dom('[data-test-label-tooltip]').exists('Label tooltip exists on hover');
-  });
-  test('Renders if block value and alwaysrender=false', async function (assert) {
-    await render(hbs`<InfoTableRow @alwaysRender={{false}}>{{this.value}}</InfoTableRow>`);
-    assert.dom('[data-test-component="info-table-row"]').exists();
-  });
-  test('Does not render if value is empty and alwaysrender=false', async function (assert) {
-    await render(hbs`<InfoTableRow @alwaysRender={{false}} @value="" />`);
-    assert.dom('[data-test-component="info-table-row"]').doesNotExist();
-  });
-  test('Renders dash for value if value empty and alwaysRender=true', async function (assert) {
-    await render(hbs`<InfoTableRow
-        @label={{this.label}}
-        @alwaysRender={{true}}
-      />`);
-    assert.dom('[data-test-component="info-table-row"]').exists();
-    assert.dom('[data-test-value-div] [data-test-icon="minus"]').exists('renders dash for value');
-  });
-  test('Renders block over @value or @defaultShown', async function (assert) {
-    await render(hbs`<InfoTableRow
-        @label={{this.label}}
-        @value="bar"
-        @defaultShown="baz"
-      >
-        foo
-      </InfoTableRow>`);
-    assert.dom('[data-test-component="info-table-row"]').exists();
-    assert.dom('[data-test-value-div]').hasText('foo', 'renders block value');
-  });
-  test('Renders icons if value is boolean', async function (assert) {
-    this.set('value', true);
-    await render(hbs`<InfoTableRow
-      @label={{this.label}}
-      @value={{this.value}}
-    />`);
-
-    assert.dom('[data-test-boolean-true]').exists('check icon exists');
-    assert.dom('[data-test-value-div]').hasText('Yes', 'Renders yes text');
-    this.set('value', false);
-    assert.dom('[data-test-boolean-false]').exists('x icon exists');
-    assert.dom('[data-test-value-div]').hasText('No', 'renders no text');
-  });
-  test('Renders data-test attrs passed from parent', async function (assert) {
-    this.set('value', true);
-    await render(hbs`<InfoTableRow
-      @label={{this.label}}
-      @value={{this.value}}
-      data-test-foo-bar
-    />`);
-
-    assert.dom('[data-test-foo-bar]').exists();
-  });
-
-  test('Formats the value as date when formatDate present', async function (assert) {
-    this.set('value', new Date('2018-04-03T14:15:30'));
-    await render(hbs`<InfoTableRow
-      @label={{this.label}}
-      @value={{this.value}}
-      @formatDate={{'yyyy'}}
-    />`);
-
-    assert.dom('[data-test-value-div]').hasText('2018', 'Renders date with passed format');
-  });
-
-  test('Formats the value as TTL when formatTtl present', async function (assert) {
-    this.set('value', 6000);
-    await render(hbs`<InfoTableRow
-      @label={{this.label}}
-      @value={{this.value}}
-      @formatTtl={{true}}
-    />`);
-
-    assert
-      .dom('[data-test-value-div]')
-      .hasText('1 hour 40 minutes', 'Translates number value to largest unit with carryover of minutes');
-  });
-
-  test('Formats string value when formatTtl present', async function (assert) {
-    this.set('value', '45m');
-    await render(hbs`<InfoTableRow
-      @label={{this.label}}
-      @value={{this.value}}
-      @formatTtl={{true}}
-    />`);
-
-    assert.dom('[data-test-value-div]').hasText('45 minutes', 'it formats string duration');
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package api
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/mitchellh/mapstructure"
+)
+
+func (c *Sys) ListMounts() (map[string]*MountOutput, error) {
+	return c.ListMountsWithContext(context.Background())
+}
+
+func (c *Sys) ListMountsWithContext(ctx context.Context) (map[string]*MountOutput, error) {
+	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+	defer cancelFunc()
+
+	r := c.c.NewRequest(http.MethodGet, "/v1/sys/mounts")
+
+	resp, err := c.c.rawRequestWithContext(ctx, r)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	secret, err := ParseSecret(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	if secret == nil || secret.Data == nil {
+		return nil, errors.New("data from server response is empty")
+	}
+
+	mounts := map[string]*MountOutput{}
+	err = mapstructure.Decode(secret.Data, &mounts)
+	if err != nil {
+		return nil, err
+	}
+
+	return mounts, nil
+}
+
+func (c *Sys) Mount(path string, mountInfo *MountInput) error {
+	return c.MountWithContext(context.Background(), path, mountInfo)
+}
+
+func (c *Sys) MountWithContext(ctx context.Context, path string, mountInfo *MountInput) error {
+	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+	defer cancelFunc()
+
+	r := c.c.NewRequest(http.MethodPost, fmt.Sprintf("/v1/sys/mounts/%s", path))
+	if err := r.SetJSONBody(mountInfo); err != nil {
+		return err
+	}
+
+	resp, err := c.c.rawRequestWithContext(ctx, r)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	return nil
+}
+
+func (c *Sys) Unmount(path string) error {
+	return c.UnmountWithContext(context.Background(), path)
+}
+
+func (c *Sys) UnmountWithContext(ctx context.Context, path string) error {
+	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+	defer cancelFunc()
+
+	r := c.c.NewRequest(http.MethodDelete, fmt.Sprintf("/v1/sys/mounts/%s", path))
+
+	resp, err := c.c.rawRequestWithContext(ctx, r)
+	if err == nil {
+		defer resp.Body.Close()
+	}
+	return err
+}
+
+// Remount wraps RemountWithContext using context.Background.
+func (c *Sys) Remount(from, to string) error {
+	return c.RemountWithContext(context.Background(), from, to)
+}
+
+// RemountWithContext kicks off a remount operation, polls the status endpoint using
+// the migration ID till either success or failure state is observed
+func (c *Sys) RemountWithContext(ctx context.Context, from, to string) error {
+	remountResp, err := c.StartRemountWithContext(ctx, from, to)
+	if err != nil {
+		return err
+	}
+
+	for {
+		remountStatusResp, err := c.RemountStatusWithContext(ctx, remountResp.MigrationID)
+		if err != nil {
+			return err
+		}
+		if remountStatusResp.MigrationInfo.MigrationStatus == "success" {
+			return nil
+		}
+		if remountStatusResp.MigrationInfo.MigrationStatus == "failure" {
+			return fmt.Errorf("Failure! Error encountered moving mount %s to %s, with migration ID %s", from, to, remountResp.MigrationID)
+		}
+		time.Sleep(1 * time.Second)
+	}
+}
+
+// StartRemount wraps StartRemountWithContext using context.Background.
+func (c *Sys) StartRemount(from, to string) (*MountMigrationOutput, error) {
+	return c.StartRemountWithContext(context.Background(), from, to)
+}
+
+// StartRemountWithContext kicks off a mount migration and returns a response with the migration ID
+func (c *Sys) StartRemountWithContext(ctx context.Context, from, to string) (*MountMigrationOutput, error) {
+	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+	defer cancelFunc()
+
+	body := map[string]interface{}{
+		"from": from,
+		"to":   to,
+	}
+
+	r := c.c.NewRequest(http.MethodPost, "/v1/sys/remount")
+	if err := r.SetJSONBody(body); err != nil {
+		return nil, err
+	}
+
+	resp, err := c.c.rawRequestWithContext(ctx, r)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	secret, err := ParseSecret(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	if secret == nil || secret.Data == nil {
+		return nil, errors.New("data from server response is empty")
+	}
+
+	var result MountMigrationOutput
+	err = mapstructure.Decode(secret.Data, &result)
+	if err != nil {
+		return nil, err
+	}
+
+	return &result, err
+}
+
+// RemountStatus wraps RemountStatusWithContext using context.Background.
+func (c *Sys) RemountStatus(migrationID string) (*MountMigrationStatusOutput, error) {
+	return c.RemountStatusWithContext(context.Background(), migrationID)
+}
+
+// RemountStatusWithContext checks the status of a mount migration operation with the provided ID
+func (c *Sys) RemountStatusWithContext(ctx context.Context, migrationID string) (*MountMigrationStatusOutput, error) {
+	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+	defer cancelFunc()
+
+	r := c.c.NewRequest(http.MethodGet, fmt.Sprintf("/v1/sys/remount/status/%s", migrationID))
+
+	resp, err := c.c.rawRequestWithContext(ctx, r)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	secret, err := ParseSecret(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	if secret == nil || secret.Data == nil {
+		return nil, errors.New("data from server response is empty")
+	}
+
+	var result MountMigrationStatusOutput
+	err = mapstructure.Decode(secret.Data, &result)
+	if err != nil {
+		return nil, err
+	}
+
+	return &result, err
+}
+
+func (c *Sys) TuneMount(path string, config MountConfigInput) error {
+	return c.TuneMountWithContext(context.Background(), path, config)
+}
+
+func (c *Sys) TuneMountWithContext(ctx context.Context, path string, config MountConfigInput) error {
+	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+	defer cancelFunc()
+
+	r := c.c.NewRequest(http.MethodPost, fmt.Sprintf("/v1/sys/mounts/%s/tune", path))
+	if err := r.SetJSONBody(config); err != nil {
+		return err
+	}
+
+	resp, err := c.c.rawRequestWithContext(ctx, r)
+	if err == nil {
+		defer resp.Body.Close()
+	}
+	return err
+}
+
+func (c *Sys) MountConfig(path string) (*MountConfigOutput, error) {
+	return c.MountConfigWithContext(context.Background(), path)
+}
+
+func (c *Sys) MountConfigWithContext(ctx context.Context, path string) (*MountConfigOutput, error) {
+	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+	defer cancelFunc()
+
+	r := c.c.NewRequest(http.MethodGet, fmt.Sprintf("/v1/sys/mounts/%s/tune", path))
+
+	resp, err := c.c.rawRequestWithContext(ctx, r)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	secret, err := ParseSecret(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	if secret == nil || secret.Data == nil {
+		return nil, errors.New("data from server response is empty")
+	}
+
+	var result MountConfigOutput
+	err = mapstructure.Decode(secret.Data, &result)
+	if err != nil {
+		return nil, err
+	}
+
+	return &result, err
+}
+
+type MountInput struct {
+	Type                  string            `json:"type"`
+	Description           string            `json:"description"`
+	Config                MountConfigInput  `json:"config"`
+	Local                 bool              `json:"local"`
+	SealWrap              bool              `json:"seal_wrap" mapstructure:"seal_wrap"`
+	ExternalEntropyAccess bool              `json:"external_entropy_access" mapstructure:"external_entropy_access"`
+	Options               map[string]string `json:"options"`
+
+	// Deprecated: Newer server responses should be returning this information in the
+	// Type field (json: "type") instead.
+	PluginName string `json:"plugin_name,omitempty"`
+}
+
+type MountConfigInput struct {
+	Options                   map[string]string       `json:"options" mapstructure:"options"`
+	DefaultLeaseTTL           string                  `json:"default_lease_ttl" mapstructure:"default_lease_ttl"`
+	Description               *string                 `json:"description,omitempty" mapstructure:"description"`
+	MaxLeaseTTL               string                  `json:"max_lease_ttl" mapstructure:"max_lease_ttl"`
+	ForceNoCache              bool                    `json:"force_no_cache" mapstructure:"force_no_cache"`
+	AuditNonHMACRequestKeys   []string                `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"`
+	AuditNonHMACResponseKeys  []string                `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"`
+	ListingVisibility         string                  `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"`
+	PassthroughRequestHeaders []string                `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"`
+	AllowedResponseHeaders    []string                `json:"allowed_response_headers,omitempty" mapstructure:"allowed_response_headers"`
+	TokenType                 string                  `json:"token_type,omitempty" mapstructure:"token_type"`
+	AllowedManagedKeys        []string                `json:"allowed_managed_keys,omitempty" mapstructure:"allowed_managed_keys"`
+	PluginVersion             string                  `json:"plugin_version,omitempty"`
+	UserLockoutConfig         *UserLockoutConfigInput `json:"user_lockout_config,omitempty"`
+	DelegatedAuthAccessors    []string                `json:"delegated_auth_accessors,omitempty" mapstructure:"delegated_auth_accessors"`
+	// Deprecated: This field will always be blank for newer server responses.
+	PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"`
+}
+
+type MountOutput struct {
+	UUID                  string            `json:"uuid"`
+	Type                  string            `json:"type"`
+	Description           string            `json:"description"`
+	Accessor              string            `json:"accessor"`
+	Config                MountConfigOutput `json:"config"`
+	Options               map[string]string `json:"options"`
+	Local                 bool              `json:"local"`
+	SealWrap              bool              `json:"seal_wrap" mapstructure:"seal_wrap"`
+	ExternalEntropyAccess bool              `json:"external_entropy_access" mapstructure:"external_entropy_access"`
+	PluginVersion         string            `json:"plugin_version" mapstructure:"plugin_version"`
+	RunningVersion        string            `json:"running_plugin_version" mapstructure:"running_plugin_version"`
+	RunningSha256         string            `json:"running_sha256" mapstructure:"running_sha256"`
+	DeprecationStatus     string            `json:"deprecation_status" mapstructure:"deprecation_status"`
+}
+
+type MountConfigOutput struct {
+	DefaultLeaseTTL           int                      `json:"default_lease_ttl" mapstructure:"default_lease_ttl"`
+	MaxLeaseTTL               int                      `json:"max_lease_ttl" mapstructure:"max_lease_ttl"`
+	ForceNoCache              bool                     `json:"force_no_cache" mapstructure:"force_no_cache"`
+	AuditNonHMACRequestKeys   []string                 `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"`
+	AuditNonHMACResponseKeys  []string                 `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"`
+	ListingVisibility         string                   `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"`
+	PassthroughRequestHeaders []string                 `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"`
+	AllowedResponseHeaders    []string                 `json:"allowed_response_headers,omitempty" mapstructure:"allowed_response_headers"`
+	TokenType                 string                   `json:"token_type,omitempty" mapstructure:"token_type"`
+	AllowedManagedKeys        []string                 `json:"allowed_managed_keys,omitempty" mapstructure:"allowed_managed_keys"`
+	UserLockoutConfig         *UserLockoutConfigOutput `json:"user_lockout_config,omitempty"`
+	DelegatedAuthAccessors    []string                 `json:"delegated_auth_accessors,omitempty" mapstructure:"delegated_auth_accessors"`
+
+	// Deprecated: This field will always be blank for newer server responses.
+	PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"`
+}
+
+type UserLockoutConfigInput struct {
+	LockoutThreshold            string `json:"lockout_threshold,omitempty" structs:"lockout_threshold" mapstructure:"lockout_threshold"`
+	LockoutDuration             string `json:"lockout_duration,omitempty" structs:"lockout_duration" mapstructure:"lockout_duration"`
+	LockoutCounterResetDuration string `json:"lockout_counter_reset_duration,omitempty" structs:"lockout_counter_reset_duration" mapstructure:"lockout_counter_reset_duration"`
+	DisableLockout              *bool  `json:"lockout_disable,omitempty" structs:"lockout_disable" mapstructure:"lockout_disable"`
+}
+
+type UserLockoutConfigOutput struct {
+	LockoutThreshold    uint  `json:"lockout_threshold,omitempty" structs:"lockout_threshold" mapstructure:"lockout_threshold"`
+	LockoutDuration     int   `json:"lockout_duration,omitempty" structs:"lockout_duration" mapstructure:"lockout_duration"`
+	LockoutCounterReset int   `json:"lockout_counter_reset,omitempty" structs:"lockout_counter_reset" mapstructure:"lockout_counter_reset"`
+	DisableLockout      *bool `json:"disable_lockout,omitempty" structs:"disable_lockout" mapstructure:"disable_lockout"`
+}
+
+type MountMigrationOutput struct {
+	MigrationID string `mapstructure:"migration_id"`
+}
+
+type MountMigrationStatusOutput struct {
+	MigrationID   string                    `mapstructure:"migration_id"`
+	MigrationInfo *MountMigrationStatusInfo `mapstructure:"migration_info"`
+}
+
+type MountMigrationStatusInfo struct {
+	SourceMount     string `mapstructure:"source_mount"`
+	TargetMount     string `mapstructure:"target_mount"`
+	MigrationStatus string `mapstructure:"status"`
+}
diff --git a/ui/tests/integration/components/info-table-test.js b/ui/tests/integration/components/info-table-test.js
index 96e3e5ec27ec..b56a899f6507 100644
--- a/ui/tests/integration/components/info-table-test.js
+++ b/ui/tests/integration/components/info-table-test.js
@@ -1,42 +1,190 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import { render } from '@ember/test-helpers';
-import hbs from 'htmlbars-inline-precompile';
-
-const TITLE = 'My Table';
-const HEADER = 'Cool Header';
-const ITEMS = ['https://127.0.0.1:8201', 'hello', '3'];
-
-module('Integration | Component | InfoTable', function (hooks) {
-  setupRenderingTest(hooks);
-
-  hooks.beforeEach(function () {
-    this.set('title', TITLE);
-    this.set('header', HEADER);
-    this.set('items', ITEMS);
-  });
-
-  test('it renders', async function (assert) {
-    assert.expect(6);
-    await render(hbs`<InfoTable
-        @title={{this.title}}
-        @header={{this.header}}
-        @items={{this.items}}
-      />`);
-
-    assert.dom('[data-test-info-table]').exists();
-    assert.dom('[data-test-info-table] th').includesText(HEADER, `shows the table header`);
-
-    const rows = document.querySelectorAll('.info-table-row');
-    assert.strictEqual(rows.length, ITEMS.length, 'renders an InfoTableRow for each item');
-
-    rows.forEach((row, i) => {
-      assert.strictEqual(row.innerText, ITEMS[i], 'handles strings and numbers as row values');
-    });
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package api
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+
+	"github.com/mitchellh/mapstructure"
+)
+
+// GetPluginRuntimeInput is used as input to the GetPluginRuntime function.
+type GetPluginRuntimeInput struct {
+	Name string `json:"-"`
+
+	// Type of the plugin runtime. Required.
+	Type PluginRuntimeType `json:"type"`
+}
+
+// GetPluginRuntimeResponse is the response from the GetPluginRuntime call.
+type GetPluginRuntimeResponse struct {
+	Type         string `json:"type"`
+	Name         string `json:"name"`
+	OCIRuntime   string `json:"oci_runtime"`
+	CgroupParent string `json:"cgroup_parent"`
+	CPU          int64  `json:"cpu_nanos"`
+	Memory       int64  `json:"memory_bytes"`
+}
+
+// GetPluginRuntime retrieves information about the plugin.
+func (c *Sys) GetPluginRuntime(ctx context.Context, i *GetPluginRuntimeInput) (*GetPluginRuntimeResponse, error) {
+	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+	defer cancelFunc()
+
+	path := pluginRuntimeCatalogPathByType(i.Type, i.Name)
+	req := c.c.NewRequest(http.MethodGet, path)
+
+	resp, err := c.c.rawRequestWithContext(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	var result struct {
+		Data *GetPluginRuntimeResponse
+	}
+	err = resp.DecodeJSON(&result)
+	if err != nil {
+		return nil, err
+	}
+	return result.Data, err
+}
+
+// RegisterPluginRuntimeInput is used as input to the RegisterPluginRuntime function.
+type RegisterPluginRuntimeInput struct {
+	// Name is the name of the plugin. Required.
+	Name string `json:"-"`
+
+	// Type of the plugin. Required.
+	Type PluginRuntimeType `json:"type"`
+
+	OCIRuntime   string `json:"oci_runtime,omitempty"`
+	CgroupParent string `json:"cgroup_parent,omitempty"`
+	CPU          int64  `json:"cpu_nanos,omitempty"`
+	Memory       int64  `json:"memory_bytes,omitempty"`
+	Rootless     bool   `json:"rootless,omitempty"`
+}
+
+// RegisterPluginRuntime registers the plugin with the given information.
+func (c *Sys) RegisterPluginRuntime(ctx context.Context, i *RegisterPluginRuntimeInput) error {
+	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+	defer cancelFunc()
+
+	path := pluginRuntimeCatalogPathByType(i.Type, i.Name)
+	req := c.c.NewRequest(http.MethodPut, path)
+
+	if err := req.SetJSONBody(i); err != nil {
+		return err
+	}
+
+	resp, err := c.c.rawRequestWithContext(ctx, req)
+	if err == nil {
+		defer resp.Body.Close()
+	}
+	return err
+}
+
+// DeregisterPluginRuntimeInput is used as input to the DeregisterPluginRuntime function.
+type DeregisterPluginRuntimeInput struct {
+	// Name is the name of the plugin runtime. Required.
+	Name string `json:"-"`
+
+	// Type of the plugin. Required.
+	Type PluginRuntimeType `json:"type"`
+}
+
+// DeregisterPluginRuntime removes the plugin with the given name from the plugin
+// catalog.
+func (c *Sys) DeregisterPluginRuntime(ctx context.Context, i *DeregisterPluginRuntimeInput) error {
+	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+	defer cancelFunc()
+
+	path := pluginRuntimeCatalogPathByType(i.Type, i.Name)
+	req := c.c.NewRequest(http.MethodDelete, path)
+	resp, err := c.c.rawRequestWithContext(ctx, req)
+	if err == nil {
+		defer resp.Body.Close()
+	}
+	return err
+}
+
+type PluginRuntimeDetails struct {
+	Type         string `json:"type" mapstructure:"type"`
+	Name         string `json:"name" mapstructure:"name"`
+	OCIRuntime   string `json:"oci_runtime" mapstructure:"oci_runtime"`
+	CgroupParent string `json:"cgroup_parent" mapstructure:"cgroup_parent"`
+	CPU          int64  `json:"cpu_nanos" mapstructure:"cpu_nanos"`
+	Memory       int64  `json:"memory_bytes" mapstructure:"memory_bytes"`
+}
+
+// ListPluginRuntimesInput is used as input to the ListPluginRuntimes function.
+type ListPluginRuntimesInput struct {
+	// Type of the plugin. Required.
+	Type PluginRuntimeType `json:"type"`
+}
+
+// ListPluginRuntimesResponse is the response from the ListPluginRuntimes call.
+type ListPluginRuntimesResponse struct {
+	// RuntimesByType is the list of plugin runtimes by type.
+	Runtimes []PluginRuntimeDetails `json:"runtimes"`
+}
+
+// ListPluginRuntimes lists all plugin runtimes in the catalog and returns their names as a
+// list of strings.
+func (c *Sys) ListPluginRuntimes(ctx context.Context, input *ListPluginRuntimesInput) (*ListPluginRuntimesResponse, error) {
+	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+	defer cancelFunc()
+
+	if input != nil && input.Type == PluginRuntimeTypeUnsupported {
+		return nil, fmt.Errorf("%q is not a supported runtime type", input.Type.String())
+	}
+
+	resp, err := c.c.rawRequestWithContext(ctx, c.c.NewRequest(http.MethodGet, "/v1/sys/plugins/runtimes/catalog"))
+	if err != nil && resp == nil {
+		return nil, err
+	}
+	if resp == nil {
+		return nil, nil
+	}
+	defer resp.Body.Close()
+
+	secret, err := ParseSecret(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	if secret == nil || secret.Data == nil {
+		return nil, errors.New("data from server response is empty")
+	}
+	if _, ok := secret.Data["runtimes"]; !ok {
+		return nil, fmt.Errorf("data from server response does not contain runtimes")
+	}
+
+	var runtimes []PluginRuntimeDetails
+	if err = mapstructure.Decode(secret.Data["runtimes"], &runtimes); err != nil {
+		return nil, err
+	}
+
+	// return all runtimes in the catalog
+	if input == nil {
+		return &ListPluginRuntimesResponse{Runtimes: runtimes}, nil
+	}
+
+	result := &ListPluginRuntimesResponse{
+		Runtimes: []PluginRuntimeDetails{},
+	}
+	for _, runtime := range runtimes {
+		if runtime.Type == input.Type.String() {
+			result.Runtimes = append(result.Runtimes, runtime)
+		}
+	}
+	return result, nil
+}
+
+// pluginRuntimeCatalogPathByType is a helper to construct the proper API path by plugin type
+func pluginRuntimeCatalogPathByType(runtimeType PluginRuntimeType, name string) string {
+	return fmt.Sprintf("/v1/sys/plugins/runtimes/catalog/%s/%s", runtimeType, name)
+}
diff --git a/ui/tests/integration/components/known-secondaries-card-test.js b/ui/tests/integration/components/known-secondaries-card-test.js
index 40fcf2b6048b..2661987f14ce 100644
--- a/ui/tests/integration/components/known-secondaries-card-test.js
+++ b/ui/tests/integration/components/known-secondaries-card-test.js
@@ -1,86 +1,301 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import { render } from '@ember/test-helpers';
-import { setupEngine } from 'ember-engines/test-support';
-import hbs from 'htmlbars-inline-precompile';
-
-const CLUSTER = {
-  canAddSecondary: true,
-  replicationMode: 'dr',
-};
-
-const REPLICATION_ATTRS = {
-  secondaries: [
-    { node_id: 'secondary-1', api_address: 'https://stuff.com/', connection_status: 'connected' },
-    { node_id: '2nd', connection_status: 'disconnected' },
-    { node_id: '_three_', api_address: 'https://10.0.0.2:1000/', connection_status: 'connected' },
-  ],
-};
-
-module('Integration | Component | replication known-secondaries-card', function (hooks) {
-  setupRenderingTest(hooks);
-  setupEngine(hooks, 'replication');
-
-  hooks.beforeEach(function () {
-    this.context = { owner: this.engine }; // this.engine set by setupEngine
-    this.set('cluster', CLUSTER);
-    this.set('replicationAttrs', REPLICATION_ATTRS);
-  });
-
-  test('it renders with a table of known secondaries', async function (assert) {
-    await render(
-      hbs`<KnownSecondariesCard @cluster={{this.cluster}} @replicationAttrs={{this.replicationAttrs}} />`,
-      this.context
-    );
-
-    assert
-      .dom('[data-test-known-secondaries-table]')
-      .exists('shows known secondaries table when there are known secondaries');
-    assert.dom('[data-test-manage-link]').exists('shows manage link');
-  });
-
-  test('it renders an empty state if there are no known secondaries', async function (assert) {
-    const noSecondaries = {
-      secondaries: [],
-    };
-    this.set('replicationAttrs', noSecondaries);
-    await render(
-      hbs`<KnownSecondariesCard @cluster={{this.cluster}} @replicationAttrs={{this.replicationAttrs}} />`,
-      this.context
-    );
-
-    assert
-      .dom('[data-test-known-secondaries-table]')
-      .doesNotExist('does not show the known secondaries table');
-    assert
-      .dom('.empty-state')
-      .includesText('No known dr secondary clusters', 'has a message with the replication mode');
-  });
-
-  test('it renders an Add secondary link if user has capabilites', async function (assert) {
-    await render(
-      hbs`<KnownSecondariesCard @cluster={{this.cluster}} @replicationAttrs={{this.replicationAttrs}} />`,
-      this.context
-    );
-
-    assert.dom('.add-secondaries').exists();
-  });
-
-  test('it does not render an Add secondary link if user does not have capabilites', async function (assert) {
-    const noCapabilities = {
-      canAddSecondary: false,
-    };
-    this.set('cluster', noCapabilities);
-    await render(
-      hbs`<KnownSecondariesCard @cluster={{this.cluster}} @replicationAttrs={{this.replicationAttrs}} />`,
-      this.context
-    );
-
-    assert.dom('.add-secondaries').doesNotExist();
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package api
+
+import (
+	"encoding/base64"
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/go-hclog"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/helper/testhelpers"
+	vaulthttp "github.com/hashicorp/vault/http"
+	"github.com/hashicorp/vault/sdk/helper/logging"
+	"github.com/hashicorp/vault/sdk/physical/inmem"
+	"github.com/hashicorp/vault/vault"
+	"github.com/hashicorp/vault/vault/seal"
+)
+
+func TestSysRekey_Verification(t *testing.T) {
+	testcases := []struct {
+		recovery     bool
+		legacyShamir bool
+	}{
+		{recovery: true, legacyShamir: false},
+		{recovery: false, legacyShamir: false},
+		{recovery: false, legacyShamir: true},
+	}
+
+	for _, tc := range testcases {
+		recovery, legacy := tc.recovery, tc.legacyShamir
+		t.Run(fmt.Sprintf("recovery=%v,legacyShamir=%v", recovery, legacy), func(t *testing.T) {
+			t.Parallel()
+			testSysRekey_Verification(t, recovery, legacy)
+		})
+	}
+}
+
+func testSysRekey_Verification(t *testing.T, recovery bool, legacyShamir bool) {
+	opts := &vault.TestClusterOptions{
+		HandlerFunc: vaulthttp.Handler,
+	}
+	switch {
+	case recovery:
+		if legacyShamir {
+			panic("invalid case")
+		}
+		opts.SealFunc = func() vault.Seal {
+			return vault.NewTestSeal(t, &seal.TestSealOpts{
+				StoredKeys: seal.StoredKeysSupportedGeneric,
+			})
+		}
+	case legacyShamir:
+		opts.SealFunc = func() vault.Seal {
+			return vault.NewTestSeal(t, &seal.TestSealOpts{
+				StoredKeys: seal.StoredKeysNotSupported,
+			})
+		}
+	}
+	inm, err := inmem.NewInmemHA(nil, logging.NewVaultLogger(hclog.Debug))
+	if err != nil {
+		t.Fatal(err)
+	}
+	conf := vault.CoreConfig{
+		Physical: inm,
+	}
+	cluster := vault.NewTestCluster(t, &conf, opts)
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	vault.TestWaitActive(t, cluster.Cores[0].Core)
+	client := cluster.Cores[0].Client
+	client.SetMaxRetries(0)
+
+	initFunc := client.Sys().RekeyInit
+	updateFunc := client.Sys().RekeyUpdate
+	verificationUpdateFunc := client.Sys().RekeyVerificationUpdate
+	verificationStatusFunc := client.Sys().RekeyVerificationStatus
+	verificationCancelFunc := client.Sys().RekeyVerificationCancel
+	if recovery {
+		initFunc = client.Sys().RekeyRecoveryKeyInit
+		updateFunc = client.Sys().RekeyRecoveryKeyUpdate
+		verificationUpdateFunc = client.Sys().RekeyRecoveryKeyVerificationUpdate
+		verificationStatusFunc = client.Sys().RekeyRecoveryKeyVerificationStatus
+		verificationCancelFunc = client.Sys().RekeyRecoveryKeyVerificationCancel
+	}
+
+	var verificationNonce string
+	var newKeys []string
+	doRekeyInitialSteps := func() {
+		status, err := initFunc(&api.RekeyInitRequest{
+			SecretShares:        5,
+			SecretThreshold:     3,
+			RequireVerification: true,
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+		if status == nil {
+			t.Fatal("nil status")
+		}
+		if !status.VerificationRequired {
+			t.Fatal("expected verification required")
+		}
+
+		keys := cluster.BarrierKeys
+		if recovery {
+			keys = cluster.RecoveryKeys
+		}
+		var resp *api.RekeyUpdateResponse
+		for i := 0; i < 3; i++ {
+			resp, err = updateFunc(base64.StdEncoding.EncodeToString(keys[i]), status.Nonce)
+			if err != nil {
+				t.Fatal(err)
+			}
+		}
+		switch {
+		case !resp.Complete:
+			t.Fatal("expected completion")
+		case !resp.VerificationRequired:
+			t.Fatal("expected verification required")
+		case resp.VerificationNonce == "":
+			t.Fatal("verification nonce expected")
+		}
+		verificationNonce = resp.VerificationNonce
+		newKeys = resp.KeysB64
+		t.Logf("verification nonce: %q", verificationNonce)
+	}
+
+	doRekeyInitialSteps()
+
+	// We are still going, so should not be able to init again
+	_, err = initFunc(&api.RekeyInitRequest{
+		SecretShares:        5,
+		SecretThreshold:     3,
+		RequireVerification: true,
+	})
+	if err == nil {
+		t.Fatal("expected error")
+	}
+
+	// Sealing should clear state, so after this we should be able to perform
+	// the above again
+	cluster.EnsureCoresSealed(t)
+	if err := cluster.UnsealCoresWithError(t, recovery); err != nil {
+		t.Fatal(err)
+	}
+	doRekeyInitialSteps()
+
+	doStartVerify := func() {
+		// Start the process
+		for i := 0; i < 2; i++ {
+			status, err := verificationUpdateFunc(newKeys[i], verificationNonce)
+			if err != nil {
+				t.Fatal(err)
+			}
+			switch {
+			case status.Nonce != verificationNonce:
+				t.Fatalf("unexpected nonce, expected %q, got %q", verificationNonce, status.Nonce)
+			case status.Complete:
+				t.Fatal("unexpected completion")
+			}
+		}
+
+		// Check status
+		vStatus, err := verificationStatusFunc()
+		if err != nil {
+			t.Fatal(err)
+		}
+		switch {
+		case vStatus.Nonce != verificationNonce:
+			t.Fatalf("unexpected nonce, expected %q, got %q", verificationNonce, vStatus.Nonce)
+		case vStatus.T != 3:
+			t.Fatal("unexpected threshold")
+		case vStatus.N != 5:
+			t.Fatal("unexpected number of new keys")
+		case vStatus.Progress != 2:
+			t.Fatal("unexpected progress")
+		}
+	}
+
+	doStartVerify()
+
+	// Cancel; this should still keep the rekey process going but just cancel
+	// the verification operation
+	err = verificationCancelFunc()
+	if err != nil {
+		t.Fatal(err)
+	}
+	// Verify cannot init again
+	_, err = initFunc(&api.RekeyInitRequest{
+		SecretShares:        5,
+		SecretThreshold:     3,
+		RequireVerification: true,
+	})
+	if err == nil {
+		t.Fatal("expected error")
+	}
+	vStatus, err := verificationStatusFunc()
+	if err != nil {
+		t.Fatal(err)
+	}
+	switch {
+	case vStatus.Nonce == verificationNonce:
+		t.Fatalf("unexpected nonce, expected not-%q but got it", verificationNonce)
+	case vStatus.T != 3:
+		t.Fatal("unexpected threshold")
+	case vStatus.N != 5:
+		t.Fatal("unexpected number of new keys")
+	case vStatus.Progress != 0:
+		t.Fatal("unexpected progress")
+	}
+
+	verificationNonce = vStatus.Nonce
+	doStartVerify()
+
+	if !recovery {
+		// Sealing should clear state, but we never actually finished, so it should
+		// still be the old keys (which are still currently set)
+		cluster.EnsureCoresSealed(t)
+		cluster.UnsealCores(t)
+		vault.TestWaitActive(t, cluster.Cores[0].Core)
+
+		// Should be able to init again and get back to where we were
+		doRekeyInitialSteps()
+		doStartVerify()
+	} else {
+		// We haven't finished, so generating a root token should still be the
+		// old keys (which are still currently set)
+		testhelpers.GenerateRoot(t, cluster, testhelpers.GenerateRootRegular)
+	}
+
+	// Provide the final new key
+	vuStatus, err := verificationUpdateFunc(newKeys[2], verificationNonce)
+	if err != nil {
+		t.Fatal(err)
+	}
+	switch {
+	case vuStatus.Nonce != verificationNonce:
+		t.Fatalf("unexpected nonce, expected %q, got %q", verificationNonce, vuStatus.Nonce)
+	case !vuStatus.Complete:
+		t.Fatal("expected completion")
+	}
+
+	if !recovery {
+		// Seal and unseal -- it should fail to unseal because the key has now been
+		// rotated
+		cluster.EnsureCoresSealed(t)
+
+		// Simulate restarting Vault rather than just a seal/unseal, because
+		// the standbys may not have had time to learn about the new key before
+		// we sealed them.  We could sleep, but that's unreliable.
+		oldKeys := cluster.BarrierKeys
+		opts.SkipInit = true
+		opts.SealFunc = nil // post rekey we should use the barrier config on disk
+		cluster = vault.NewTestCluster(t, &conf, opts)
+		cluster.BarrierKeys = oldKeys
+		cluster.Start()
+		defer cluster.Cleanup()
+
+		if err := cluster.UnsealCoresWithError(t, false); err == nil {
+			t.Fatal("expected error")
+		}
+
+		// Swap out the keys with our new ones and try again
+		var newKeyBytes [][]byte
+		for _, key := range newKeys {
+			val, err := base64.StdEncoding.DecodeString(key)
+			if err != nil {
+				t.Fatal(err)
+			}
+			newKeyBytes = append(newKeyBytes, val)
+		}
+		cluster.BarrierKeys = newKeyBytes
+		if err := cluster.UnsealCoresWithError(t, false); err != nil {
+			t.Fatal(err)
+		}
+	} else {
+		// The old keys should no longer work
+		_, err := testhelpers.GenerateRootWithError(t, cluster, testhelpers.GenerateRootRegular)
+		if err == nil {
+			t.Fatal("expected error")
+		}
+
+		// Put the new keys in place and run again
+		cluster.RecoveryKeys = nil
+		for _, key := range newKeys {
+			dec, err := base64.StdEncoding.DecodeString(key)
+			if err != nil {
+				t.Fatal(err)
+			}
+			cluster.RecoveryKeys = append(cluster.RecoveryKeys, dec)
+		}
+		if err := client.Sys().GenerateRootCancel(); err != nil {
+			t.Fatal(err)
+		}
+		testhelpers.GenerateRoot(t, cluster, testhelpers.GenerateRootRegular)
+	}
+}
diff --git a/ui/tests/integration/components/known-secondaries-table-test.js b/ui/tests/integration/components/known-secondaries-table-test.js
index 0a4fee2421cc..a17c6eb660b2 100644
--- a/ui/tests/integration/components/known-secondaries-table-test.js
+++ b/ui/tests/integration/components/known-secondaries-table-test.js
@@ -1,68 +1,217 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-/* eslint qunit/no-conditional-assertions: "warn" */
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import { render } from '@ember/test-helpers';
-import { setupEngine } from 'ember-engines/test-support';
-import hbs from 'htmlbars-inline-precompile';
-
-const SECONDARIES = [
-  { node_id: 'secondary-1', api_address: 'https://127.0.0.1:52304', connection_status: 'connected' },
-  { node_id: '2nd', connection_status: 'disconnected' },
-  { node_id: '_three_', api_address: 'http://127.0.0.1:8202', connection_status: 'connected' },
-];
-
-module('Integration | Component | replication known-secondaries-table', function (hooks) {
-  setupRenderingTest(hooks);
-  setupEngine(hooks, 'replication');
-
-  hooks.beforeEach(function () {
-    this.context = { owner: this.engine }; // this.engine set by setupEngine
-    this.set('secondaries', SECONDARIES);
-  });
-
-  test('it renders a table of known secondaries', async function (assert) {
-    await render(hbs`<KnownSecondariesTable @secondaries={{this.secondaries}} />`, this.context);
-
-    assert.dom('[data-test-known-secondaries-table]').exists();
-  });
-
-  test('it shows the secondary URL and connection_status', async function (assert) {
-    assert.expect(9);
-    await render(hbs`<KnownSecondariesTable @secondaries={{this.secondaries}} />`, this.context);
-
-    SECONDARIES.forEach((secondary) => {
-      assert.strictEqual(
-        this.element.querySelector(`[data-test-secondaries=row-for-${secondary.node_id}]`).innerHTML.trim(),
-        secondary.node_id,
-        'shows a table row and ID for each known secondary'
-      );
-
-      if (secondary.api_address) {
-        const expectedUrl = `${secondary.api_address}/ui/`;
-
-        assert.strictEqual(
-          this.element.querySelector(`[data-test-secondaries=api-address-for-${secondary.node_id}]`).href,
-          expectedUrl,
-          'renders a URL to the secondary UI'
-        );
-      } else {
-        assert.notOk(
-          this.element.querySelector(`[data-test-secondaries=api-address-for-${secondary.node_id}]`)
-        );
-      }
-
-      assert.strictEqual(
-        this.element
-          .querySelector(`[data-test-secondaries=connection-status-for-${secondary.node_id}]`)
-          .innerHTML.trim(),
-        secondary.connection_status,
-        'shows the connection status'
-      );
-    });
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package http
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/hex"
+	"errors"
+	"net/http"
+
+	"github.com/hashicorp/errwrap"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/vault"
+)
+
+func handleSysSeal(core *vault.Core) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		req, _, statusCode, err := buildLogicalRequest(core, w, r, "")
+		if err != nil || statusCode != 0 {
+			respondError(w, statusCode, err)
+			return
+		}
+
+		switch req.Operation {
+		case logical.UpdateOperation:
+		default:
+			respondError(w, http.StatusMethodNotAllowed, nil)
+			return
+		}
+
+		// Seal with the token above
+		// We use context.Background since there won't be a request context if the node isn't active
+		if err := core.SealWithRequest(r.Context(), req); err != nil {
+			if errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
+				respondError(w, http.StatusForbidden, err)
+				return
+			}
+			respondError(w, http.StatusInternalServerError, err)
+			return
+		}
+
+		respondOk(w, nil)
+	})
+}
+
+func handleSysStepDown(core *vault.Core) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		req, _, statusCode, err := buildLogicalRequest(core, w, r, "")
+		if err != nil || statusCode != 0 {
+			respondError(w, statusCode, err)
+			return
+		}
+
+		switch req.Operation {
+		case logical.UpdateOperation:
+		default:
+			respondError(w, http.StatusMethodNotAllowed, nil)
+			return
+		}
+
+		// Seal with the token above
+		if err := core.StepDown(r.Context(), req); err != nil {
+			if errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
+				respondError(w, http.StatusForbidden, err)
+				return
+			}
+			respondError(w, http.StatusInternalServerError, err)
+			return
+		}
+
+		respondOk(w, nil)
+	})
+}
+
+func handleSysUnseal(core *vault.Core) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.Method {
+		case "PUT":
+		case "POST":
+		default:
+			respondError(w, http.StatusMethodNotAllowed, nil)
+			return
+		}
+
+		// Parse the request
+		var req UnsealRequest
+		if _, err := parseJSONRequest(core.PerfStandby(), r, w, &req); err != nil {
+			respondError(w, http.StatusBadRequest, err)
+			return
+		}
+
+		if req.Reset {
+			if !core.Sealed() {
+				respondError(w, http.StatusBadRequest, errors.New("vault is unsealed"))
+				return
+			}
+			core.ResetUnsealProcess()
+			handleSysSealStatusRaw(core, w)
+			return
+		}
+
+		if req.Key == "" {
+			respondError(
+				w, http.StatusBadRequest,
+				errors.New("'key' must be specified in request body as JSON, or 'reset' set to true"))
+			return
+		}
+
+		// Decode the key, which is base64 or hex encoded
+		min, max := core.BarrierKeyLength()
+		key, err := hex.DecodeString(req.Key)
+		// We check min and max here to ensure that a string that is base64
+		// encoded but also valid hex will not be valid and we instead base64
+		// decode it
+		if err != nil || len(key) < min || len(key) > max {
+			key, err = base64.StdEncoding.DecodeString(req.Key)
+			if err != nil {
+				respondError(
+					w, http.StatusBadRequest,
+					errors.New("'key' must be a valid hex or base64 string"))
+				return
+			}
+		}
+
+		// Attempt the unseal.  If migrate was specified, the key should correspond
+		// to the old seal.
+		if req.Migrate {
+			_, err = core.UnsealMigrate(key)
+		} else {
+			_, err = core.Unseal(key)
+		}
+		if err != nil {
+			switch {
+			case errwrap.ContainsType(err, new(vault.ErrInvalidKey)):
+			case errwrap.Contains(err, vault.ErrBarrierInvalidKey.Error()):
+			case errwrap.Contains(err, vault.ErrBarrierNotInit.Error()):
+			case errwrap.Contains(err, vault.ErrBarrierSealed.Error()):
+			case errwrap.Contains(err, consts.ErrStandby.Error()):
+			default:
+				respondError(w, http.StatusInternalServerError, err)
+				return
+			}
+			respondError(w, http.StatusBadRequest, err)
+			return
+		}
+
+		// Return the seal status
+		handleSysSealStatusRaw(core, w)
+	})
+}
+
+func handleSysSealStatus(core *vault.Core, opt ...ListenerConfigOption) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != "GET" {
+			respondError(w, http.StatusMethodNotAllowed, nil)
+			return
+		}
+
+		handleSysSealStatusRaw(core, w, opt...)
+	})
+}
+
+func handleSysSealBackendStatus(core *vault.Core) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != "GET" {
+			respondError(w, http.StatusMethodNotAllowed, nil)
+			return
+		}
+
+		handleSysSealBackendStatusRaw(core, w, r)
+	})
+}
+
+func handleSysSealStatusRaw(core *vault.Core, w http.ResponseWriter, opt ...ListenerConfigOption) {
+	ctx := context.Background()
+	status, err := core.GetSealStatus(ctx, true)
+	if err != nil {
+		respondError(w, http.StatusInternalServerError, err)
+		return
+	}
+
+	opts, err := getOpts(opt...)
+
+	if opts.withRedactVersion {
+		status.Version = opts.withRedactionValue
+		status.BuildDate = opts.withRedactionValue
+	}
+
+	if opts.withRedactClusterName {
+		status.ClusterName = opts.withRedactionValue
+	}
+
+	respondOk(w, status)
+}
+
+func handleSysSealBackendStatusRaw(core *vault.Core, w http.ResponseWriter, r *http.Request) {
+	ctx := context.Background()
+	status, err := core.GetSealBackendStatus(ctx)
+	if err != nil {
+		respondError(w, http.StatusInternalServerError, err)
+		return
+	}
+
+	respondOk(w, status)
+}
+
+// Note: because we didn't provide explicit tagging in the past we can't do it
+// now because if it then no longer accepts capitalized versions it could break
+// clients
+type UnsealRequest struct {
+	Key     string
+	Reset   bool
+	Migrate bool
+}
diff --git a/ui/tests/integration/components/kubernetes/page/configure-test.js b/ui/tests/integration/components/kubernetes/page/configure-test.js
index 7d1b922e837a..964e03f0b9c8 100644
--- a/ui/tests/integration/components/kubernetes/page/configure-test.js
+++ b/ui/tests/integration/components/kubernetes/page/configure-test.js
@@ -1,278 +1,438 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import { setupEngine } from 'ember-engines/test-support';
-import { setupMirage } from 'ember-cli-mirage/test-support';
-import { render, click, waitUntil, find, fillIn } from '@ember/test-helpers';
-import hbs from 'htmlbars-inline-precompile';
-import { Response } from 'miragejs';
-import sinon from 'sinon';
-
-module('Integration | Component | kubernetes | Page::Configure', function (hooks) {
-  setupRenderingTest(hooks);
-  setupEngine(hooks, 'kubernetes');
-  setupMirage(hooks);
-
-  hooks.beforeEach(function () {
-    this.store = this.owner.lookup('service:store');
-    this.newModel = this.store.createRecord('kubernetes/config', { backend: 'kubernetes-new' });
-    this.existingConfig = {
-      kubernetes_host: 'https://192.168.99.100:8443',
-      kubernetes_ca_cert: '-----BEGIN CERTIFICATE-----\n.....\n-----END CERTIFICATE-----',
-      service_account_jwt: 'test-jwt',
-      disable_local_ca_jwt: true,
-    };
-    this.store.pushPayload('kubernetes/config', {
-      modelName: 'kubernetes/config',
-      backend: 'kubernetes-edit',
-      ...this.existingConfig,
-    });
-    this.editModel = this.store.peekRecord('kubernetes/config', 'kubernetes-edit');
-    this.breadcrumbs = [
-      { label: 'secrets', route: 'secrets', linkExternal: true },
-      { label: 'kubernetes', route: 'overview' },
-      { label: 'configure' },
-    ];
-    this.expectedInferred = {
-      disable_local_ca_jwt: false,
-      kubernetes_ca_cert: null,
-      kubernetes_host: null,
-      service_account_jwt: null,
-    };
-  });
-
-  test('it should display proper options when toggling radio cards', async function (assert) {
-    await render(hbs`<Page::Configure @model={{this.newModel}} @breadcrumbs={{this.breadcrumbs}} />`, {
-      owner: this.engine,
-    });
-    assert
-      .dom('[data-test-radio-card="local"] input')
-      .isChecked('Local cluster radio card is checked by default');
-    assert
-      .dom('[data-test-config] p')
-      .hasText(
-        'Configuration values can be inferred from the pod and your local environment variables.',
-        'Inferred text is displayed'
-      );
-    assert.dom('[data-test-config] button').hasText('Get config values', 'Get config button renders');
-    assert
-      .dom('[data-test-config-save]')
-      .isDisabled('Save button is disabled when config values have not been inferred');
-    assert.dom('[data-test-config-cancel]').hasText('Back', 'Back button renders');
-
-    await click('[data-test-radio-card="manual"]');
-    assert.dom('[data-test-field]').exists({ count: 3 }, 'Form fields render');
-    assert.dom('[data-test-config-save]').isNotDisabled('Save button is enabled');
-    assert.dom('[data-test-config-cancel]').hasText('Back', 'Back button renders');
-  });
-
-  test('it should check for inferred config variables', async function (assert) {
-    assert.expect(8);
-
-    let status = 404;
-    this.server.get('/:path/check', () => {
-      assert.ok(
-        waitUntil(() => find('[data-test-config] button').disabled),
-        'Button is disabled while request is in flight'
-      );
-      return new Response(status, {});
-    });
-
-    await render(hbs`<Page::Configure @model={{this.newModel}} @breadcrumbs={{this.breadcrumbs}} />`, {
-      owner: this.engine,
-    });
-
-    await click('[data-test-config] button');
-    assert
-      .dom('[data-test-icon="x-square-fill"]')
-      .hasClass('has-text-danger', 'Icon is displayed for error state with correct styling');
-    const error =
-      'Vault could not infer a configuration from your environment variables. Check your configuration file to edit or delete them, or configure manually.';
-    assert.dom('[data-test-config] span').hasText(error, 'Error text is displayed');
-    assert.dom('[data-test-config-save]').isDisabled('Save button is disabled in error state');
-
-    status = 204;
-    await click('[data-test-radio-card="manual"]');
-    await click('[data-test-radio-card="local"]');
-    await click('[data-test-config] button');
-    assert
-      .dom('[data-test-icon="check-circle-fill"]')
-      .hasClass('has-text-success', 'Icon is displayed for success state with correct styling');
-    assert
-      .dom('[data-test-config] span')
-      .hasText('Configuration values were inferred successfully.', 'Success text is displayed');
-    assert.dom('[data-test-config-save]').isNotDisabled('Save button is enabled in success state');
-  });
-
-  test('it should create new manual config', async function (assert) {
-    assert.expect(2);
-
-    this.server.post('/:path/config', (schema, req) => {
-      const json = JSON.parse(req.requestBody);
-      assert.deepEqual(json, this.existingConfig, 'Values are passed to create endpoint');
-      return new Response(204, {});
-    });
-
-    const stub = sinon.stub(this.owner.lookup('service:router'), 'transitionTo');
-
-    await render(hbs`<Page::Configure @model={{this.newModel}} @breadcrumbs={{this.breadcrumbs}} />`, {
-      owner: this.engine,
-    });
-
-    await click('[data-test-radio-card="manual"]');
-    await fillIn('[data-test-input="kubernetesHost"]', this.existingConfig.kubernetes_host);
-    await fillIn('[data-test-input="serviceAccountJwt"]', this.existingConfig.service_account_jwt);
-    await fillIn('[data-test-input="kubernetesCaCert"]', this.existingConfig.kubernetes_ca_cert);
-    await click('[data-test-config-save]');
-    assert.ok(
-      stub.calledWith('vault.cluster.secrets.backend.kubernetes.configuration'),
-      'Transitions to configuration route on save success'
-    );
-  });
-
-  test('it should edit existing manual config', async function (assert) {
-    assert.expect(6);
-
-    const stub = sinon.stub(this.owner.lookup('service:router'), 'transitionTo');
-
-    await render(hbs`<Page::Configure @model={{this.editModel}} @breadcrumbs={{this.breadcrumbs}} />`, {
-      owner: this.engine,
-    });
-
-    assert.dom('[data-test-radio-card="manual"] input').isChecked('Manual config radio card is checked');
-    assert
-      .dom('[data-test-input="kubernetesHost"]')
-      .hasValue(this.existingConfig.kubernetes_host, 'Host field is populated');
-    assert
-      .dom('[data-test-input="serviceAccountJwt"]')
-      .hasValue(this.existingConfig.service_account_jwt, 'JWT field is populated');
-    assert
-      .dom('[data-test-input="kubernetesCaCert"]')
-      .hasValue(this.existingConfig.kubernetes_ca_cert, 'Cert field is populated');
-
-    await fillIn('[data-test-input="kubernetesHost"]', 'http://localhost:1212');
-    await click('[data-test-config-cancel]');
-
-    assert.ok(
-      stub.calledWith('vault.cluster.secrets.backend.kubernetes.configuration'),
-      'Transitions to configuration route when cancelling edit'
-    );
-    assert.strictEqual(
-      this.editModel.kubernetesHost,
-      this.existingConfig.kubernetes_host,
-      'Model values are rolled back on cancel'
-    );
-  });
-
-  test('it should display inferred success message when editing model using local values', async function (assert) {
-    this.store.pushPayload('kubernetes/config', {
-      modelName: 'kubernetes/config',
-      backend: 'kubernetes-edit-2',
-      disable_local_ca_jwt: false,
-    });
-    this.model = this.store.peekRecord('kubernetes/config', 'kubernetes-edit-2');
-
-    await render(hbs`<Page::Configure @model={{this.model}} @breadcrumbs={{this.breadcrumbs}} />`, {
-      owner: this.engine,
-    });
-
-    assert.dom('[data-test-radio-card="local"] input').isChecked('Local cluster radio card is checked');
-    assert
-      .dom('[data-test-icon="check-circle-fill"]')
-      .hasClass('has-text-success', 'Icon is displayed for success state with correct styling');
-    assert
-      .dom('[data-test-config] span')
-      .hasText('Configuration values were inferred successfully.', 'Success text is displayed');
-  });
-
-  test('it should show confirmation modal when saving edits', async function (assert) {
-    assert.expect(2);
-
-    this.server.post('/:path/config', () => {
-      assert.ok(true, 'Save request made after confirmation');
-      return new Response(204, {});
-    });
-
-    await render(
-      hbs`
-            <Page::Configure @model={{this.editModel}} @breadcrumbs={{this.breadcrumbs}} />
-    `,
-      { owner: this.engine }
-    );
-    await click('[data-test-config-save]');
-    assert
-      .dom('[data-test-edit-config-body]')
-      .hasText(
-        'Making changes to your configuration may affect how Vault will reach the Kubernetes API and authenticate with it. Are you sure?',
-        'Confirm modal renders'
-      );
-    await click('[data-test-config-confirm]');
-  });
-
-  test('it should validate form and show errors', async function (assert) {
-    await render(hbs`<Page::Configure @model={{this.newModel}} @breadcrumbs={{this.breadcrumbs}} />`, {
-      owner: this.engine,
-    });
-
-    await click('[data-test-radio-card="manual"]');
-    await click('[data-test-config-save]');
-
-    assert
-      .dom('[data-test-inline-error-message]')
-      .hasText('Kubernetes host is required', 'Error renders for required field');
-    assert.dom('[data-test-alert] p').hasText('There is an error with this form.', 'Alert renders');
-  });
-
-  test('it should save inferred config', async function (assert) {
-    assert.expect(2);
-
-    this.server.get('/:path/check', () => new Response(204, {}));
-    this.server.post('/:path/config', (schema, req) => {
-      const json = JSON.parse(req.requestBody);
-      assert.deepEqual(json, this.expectedInferred, 'Values are passed to create endpoint');
-      return new Response(204, {});
-    });
-
-    const stub = sinon.stub(this.owner.lookup('service:router'), 'transitionTo');
-
-    await render(hbs`<Page::Configure @model={{this.newModel}} @breadcrumbs={{this.breadcrumbs}} />`, {
-      owner: this.engine,
-    });
-
-    await click('[data-test-config] button');
-    await click('[data-test-config-save]');
-
-    assert.ok(
-      stub.calledWith('vault.cluster.secrets.backend.kubernetes.configuration'),
-      'Transitions to configuration route on save success'
-    );
-  });
-
-  test('it should unset manual config values when saving local cluster option', async function (assert) {
-    assert.expect(1);
-
-    this.server.get('/:path/check', () => new Response(204, {}));
-    this.server.post('/:path/config', (schema, req) => {
-      const json = JSON.parse(req.requestBody);
-      assert.deepEqual(json, this.expectedInferred, 'Manual config values are unset in server payload');
-      return new Response(204, {});
-    });
-
-    await render(hbs`<Page::Configure @model={{this.newModel}} @breadcrumbs={{this.breadcrumbs}} />`, {
-      owner: this.engine,
-    });
-
-    await click('[data-test-radio-card="manual"]');
-    await fillIn('[data-test-input="kubernetesHost"]', this.existingConfig.kubernetes_host);
-    await fillIn('[data-test-input="serviceAccountJwt"]', this.existingConfig.service_account_jwt);
-    await fillIn('[data-test-input="kubernetesCaCert"]', this.existingConfig.kubernetes_ca_cert);
-
-    await click('[data-test-radio-card="local"]');
-    await click('[data-test-config] button');
-    await click('[data-test-config-save]');
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package configutil
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/hashicorp/go-secure-stdlib/parseutil"
+
+	monitoring "cloud.google.com/go/monitoring/apiv3"
+	"github.com/armon/go-metrics"
+	"github.com/armon/go-metrics/circonus"
+	"github.com/armon/go-metrics/datadog"
+	"github.com/armon/go-metrics/prometheus"
+	stackdriver "github.com/google/go-metrics-stackdriver"
+	stackdrivervault "github.com/google/go-metrics-stackdriver/vault"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/hcl"
+	"github.com/hashicorp/hcl/hcl/ast"
+	"github.com/hashicorp/vault/helper/metricsutil"
+	"google.golang.org/api/option"
+)
+
+const (
+	PrometheusDefaultRetentionTime    = 24 * time.Hour
+	UsageGaugeDefaultPeriod           = 10 * time.Minute
+	MaximumGaugeCardinalityDefault    = 500
+	LeaseMetricsEpsilonDefault        = time.Hour
+	NumLeaseMetricsTimeBucketsDefault = 168
+)
+
+// Telemetry is the telemetry configuration for the server
+type Telemetry struct {
+	FoundKeys    []string     `hcl:",decodedFields"`
+	UnusedKeys   UnusedKeyMap `hcl:",unusedKeyPositions"`
+	StatsiteAddr string       `hcl:"statsite_address"`
+	StatsdAddr   string       `hcl:"statsd_address"`
+
+	DisableHostname     bool   `hcl:"disable_hostname"`
+	EnableHostnameLabel bool   `hcl:"enable_hostname_label"`
+	MetricsPrefix       string `hcl:"metrics_prefix"`
+	UsageGaugePeriod    time.Duration
+	UsageGaugePeriodRaw interface{} `hcl:"usage_gauge_period,alias:UsageGaugePeriod"`
+
+	MaximumGaugeCardinality int `hcl:"maximum_gauge_cardinality"`
+
+	// Circonus: see https://github.com/circonus-labs/circonus-gometrics
+	// for more details on the various configuration options.
+	// Valid configuration combinations:
+	//    - CirconusAPIToken
+	//      metric management enabled (search for existing check or create a new one)
+	//    - CirconusSubmissionUrl
+	//      metric management disabled (use check with specified submission_url,
+	//      broker must be using a public SSL certificate)
+	//    - CirconusAPIToken + CirconusCheckSubmissionURL
+	//      metric management enabled (use check with specified submission_url)
+	//    - CirconusAPIToken + CirconusCheckID
+	//      metric management enabled (use check with specified id)
+
+	// CirconusAPIToken is a valid API Token used to create/manage check. If provided,
+	// metric management is enabled.
+	// Default: none
+	CirconusAPIToken string `hcl:"circonus_api_token"`
+	// CirconusAPIApp is an app name associated with API token.
+	// Default: "consul"
+	CirconusAPIApp string `hcl:"circonus_api_app"`
+	// CirconusAPIURL is the base URL to use for contacting the Circonus API.
+	// Default: "https://api.circonus.com/v2"
+	CirconusAPIURL string `hcl:"circonus_api_url"`
+	// CirconusSubmissionInterval is the interval at which metrics are submitted to Circonus.
+	// Default: 10s
+	CirconusSubmissionInterval string `hcl:"circonus_submission_interval"`
+	// CirconusCheckSubmissionURL is the check.config.submission_url field from a
+	// previously created HTTPTRAP check.
+	// Default: none
+	CirconusCheckSubmissionURL string `hcl:"circonus_submission_url"`
+	// CirconusCheckID is the check id (not check bundle id) from a previously created
+	// HTTPTRAP check. The numeric portion of the check._cid field.
+	// Default: none
+	CirconusCheckID string `hcl:"circonus_check_id"`
+	// CirconusCheckForceMetricActivation will force enabling metrics, as they are encountered,
+	// if the metric already exists and is NOT active. If check management is enabled, the default
+	// behavior is to add new metrics as they are encountered. If the metric already exists in the
+	// check, it will *NOT* be activated. This setting overrides that behavior.
+	// Default: "false"
+	CirconusCheckForceMetricActivation string `hcl:"circonus_check_force_metric_activation"`
+	// CirconusCheckInstanceID serves to uniquely identify the metrics coming from this "instance".
+	// It can be used to maintain metric continuity with transient or ephemeral instances as
+	// they move around within an infrastructure.
+	// Default: hostname:app
+	CirconusCheckInstanceID string `hcl:"circonus_check_instance_id"`
+	// CirconusCheckSearchTag is a special tag which, when coupled with the instance id, helps to
+	// narrow down the search results when neither a Submission URL or Check ID is provided.
+	// Default: service:app (e.g. service:consul)
+	CirconusCheckSearchTag string `hcl:"circonus_check_search_tag"`
+	// CirconusCheckTags is a comma separated list of tags to apply to the check. Note that
+	// the value of CirconusCheckSearchTag will always be added to the check.
+	// Default: none
+	CirconusCheckTags string `hcl:"circonus_check_tags"`
+	// CirconusCheckDisplayName is the name for the check which will be displayed in the Circonus UI.
+	// Default: value of CirconusCheckInstanceID
+	CirconusCheckDisplayName string `hcl:"circonus_check_display_name"`
+	// CirconusBrokerID is an explicit broker to use when creating a new check. The numeric portion
+	// of broker._cid. If metric management is enabled and neither a Submission URL nor Check ID
+	// is provided, an attempt will be made to search for an existing check using Instance ID and
+	// Search Tag. If one is not found, a new HTTPTRAP check will be created.
+	// Default: use Select Tag if provided, otherwise, a random Enterprise Broker associated
+	// with the specified API token or the default Circonus Broker.
+	// Default: none
+	CirconusBrokerID string `hcl:"circonus_broker_id"`
+	// CirconusBrokerSelectTag is a special tag which will be used to select a broker when
+	// a Broker ID is not provided. The best use of this is to as a hint for which broker
+	// should be used based on *where* this particular instance is running.
+	// (e.g. a specific geo location or datacenter, dc:sfo)
+	// Default: none
+	CirconusBrokerSelectTag string `hcl:"circonus_broker_select_tag"`
+
+	// Dogstats:
+	// DogStatsdAddr is the address of a dogstatsd instance. If provided,
+	// metrics will be sent to that instance
+	DogStatsDAddr string `hcl:"dogstatsd_addr"`
+
+	// DogStatsdTags are the global tags that should be sent with each packet to dogstatsd
+	// It is a list of strings, where each string looks like "my_tag_name:my_tag_value"
+	DogStatsDTags []string `hcl:"dogstatsd_tags"`
+
+	// Prometheus:
+	// PrometheusRetentionTime is the retention time for prometheus metrics if greater than 0.
+	// Default: 24h
+	PrometheusRetentionTime    time.Duration `hcl:"-"`
+	PrometheusRetentionTimeRaw interface{}   `hcl:"prometheus_retention_time"`
+
+	// Stackdriver:
+	// StackdriverProjectID is the project to publish stackdriver metrics to.
+	StackdriverProjectID string `hcl:"stackdriver_project_id"`
+	// StackdriverLocation is the GCP or AWS region of the monitored resource.
+	StackdriverLocation string `hcl:"stackdriver_location"`
+	// StackdriverNamespace is the namespace identifier, such as a cluster name.
+	StackdriverNamespace string `hcl:"stackdriver_namespace"`
+	// StackdriverDebugLogs will write additional stackdriver related debug logs to stderr.
+	StackdriverDebugLogs bool `hcl:"stackdriver_debug_logs"`
+
+	// How often metrics for lease expiry will be aggregated
+	LeaseMetricsEpsilon    time.Duration
+	LeaseMetricsEpsilonRaw interface{} `hcl:"lease_metrics_epsilon"`
+
+	// Number of buckets by time that will be used in lease aggregation
+	NumLeaseMetricsTimeBuckets int `hcl:"num_lease_metrics_buckets"`
+
+	// Whether or not telemetry should add labels for namespaces
+	LeaseMetricsNameSpaceLabels bool `hcl:"add_lease_metrics_namespace_labels"`
+
+	// FilterDefault is the default for whether to allow a metric that's not
+	// covered by the prefix filter.
+	FilterDefault *bool `hcl:"filter_default"`
+
+	// PrefixFilter is a list of filter rules to apply for allowing
+	// or blocking metrics by prefix.
+	PrefixFilter []string `hcl:"prefix_filter"`
+
+	// Whether or not telemetry should include the mount point in the rollback
+	// metrics
+	RollbackMetricsIncludeMountPoint bool `hcl:"add_mount_point_rollback_metrics"`
+}
+
+func (t *Telemetry) Validate(source string) []ConfigError {
+	return ValidateUnusedFields(t.UnusedKeys, source)
+}
+
+func (t *Telemetry) GoString() string {
+	return fmt.Sprintf("*%#v", *t)
+}
+
+func parseTelemetry(result *SharedConfig, list *ast.ObjectList) error {
+	if len(list.Items) > 1 {
+		return fmt.Errorf("only one 'telemetry' block is permitted")
+	}
+
+	// Get our one item
+	item := list.Items[0]
+
+	if result.Telemetry == nil {
+		result.Telemetry = &Telemetry{}
+	}
+
+	if err := hcl.DecodeObject(&result.Telemetry, item.Val); err != nil {
+		return multierror.Prefix(err, "telemetry:")
+	}
+
+	if result.Telemetry.PrometheusRetentionTimeRaw != nil {
+		var err error
+		if result.Telemetry.PrometheusRetentionTime, err = parseutil.ParseDurationSecond(result.Telemetry.PrometheusRetentionTimeRaw); err != nil {
+			return err
+		}
+		result.Telemetry.PrometheusRetentionTimeRaw = nil
+	} else {
+		result.Telemetry.PrometheusRetentionTime = PrometheusDefaultRetentionTime
+	}
+
+	if result.Telemetry.UsageGaugePeriodRaw != nil {
+		if result.Telemetry.UsageGaugePeriodRaw == "none" {
+			result.Telemetry.UsageGaugePeriod = 0
+		} else {
+			var err error
+			if result.Telemetry.UsageGaugePeriod, err = parseutil.ParseDurationSecond(result.Telemetry.UsageGaugePeriodRaw); err != nil {
+				return err
+			}
+			result.Telemetry.UsageGaugePeriodRaw = nil
+		}
+	} else {
+		result.Telemetry.UsageGaugePeriod = UsageGaugeDefaultPeriod
+	}
+
+	if result.Telemetry.MaximumGaugeCardinality == 0 {
+		result.Telemetry.MaximumGaugeCardinality = MaximumGaugeCardinalityDefault
+	}
+
+	if result.Telemetry.LeaseMetricsEpsilonRaw != nil {
+		if result.Telemetry.LeaseMetricsEpsilonRaw == "none" {
+			result.Telemetry.LeaseMetricsEpsilonRaw = 0
+		} else {
+			var err error
+			if result.Telemetry.LeaseMetricsEpsilon, err = parseutil.ParseDurationSecond(result.Telemetry.LeaseMetricsEpsilonRaw); err != nil {
+				return err
+			}
+			result.Telemetry.LeaseMetricsEpsilonRaw = nil
+		}
+	} else {
+		result.Telemetry.LeaseMetricsEpsilon = LeaseMetricsEpsilonDefault
+	}
+
+	if result.Telemetry.NumLeaseMetricsTimeBuckets == 0 {
+		result.Telemetry.NumLeaseMetricsTimeBuckets = NumLeaseMetricsTimeBucketsDefault
+	}
+
+	return nil
+}
+
+type SetupTelemetryOpts struct {
+	Config      *Telemetry
+	Ui          cli.Ui
+	ServiceName string
+	DisplayName string
+	UserAgent   string
+	ClusterName string
+}
+
+// SetupTelemetry is used to setup the telemetry sub-systems and returns the
+// in-memory sink to be used in http configuration
+func SetupTelemetry(opts *SetupTelemetryOpts) (*metrics.InmemSink, *metricsutil.ClusterMetricSink, bool, error) {
+	if opts == nil {
+		return nil, nil, false, errors.New("nil opts passed into SetupTelemetry")
+	}
+
+	if opts.Config == nil {
+		opts.Config = &Telemetry{}
+	}
+
+	/* Setup telemetry
+	Aggregate on 10 second intervals for 1 minute. Expose the
+	metrics over stderr when there is a SIGUSR1 received.
+	*/
+	inm := metrics.NewInmemSink(10*time.Second, time.Minute)
+	metrics.DefaultInmemSignal(inm)
+
+	if opts.Config.MetricsPrefix != "" {
+		opts.ServiceName = opts.Config.MetricsPrefix
+	}
+
+	metricsConf := metrics.DefaultConfig(opts.ServiceName)
+	metricsConf.EnableHostname = !opts.Config.DisableHostname
+	metricsConf.EnableHostnameLabel = opts.Config.EnableHostnameLabel
+	if opts.Config.FilterDefault != nil {
+		metricsConf.FilterDefault = *opts.Config.FilterDefault
+	}
+
+	// Configure the statsite sink
+	var fanout metrics.FanoutSink
+	var prometheusEnabled bool
+
+	// Configure the Prometheus sink
+	if opts.Config.PrometheusRetentionTime != 0 {
+		prometheusEnabled = true
+		prometheusOpts := prometheus.PrometheusOpts{
+			Expiration: opts.Config.PrometheusRetentionTime,
+		}
+
+		sink, err := prometheus.NewPrometheusSinkFrom(prometheusOpts)
+		if err != nil {
+			return nil, nil, false, err
+		}
+		fanout = append(fanout, sink)
+	}
+
+	if opts.Config.StatsiteAddr != "" {
+		sink, err := metrics.NewStatsiteSink(opts.Config.StatsiteAddr)
+		if err != nil {
+			return nil, nil, false, err
+		}
+		fanout = append(fanout, sink)
+	}
+
+	// Configure the statsd sink
+	if opts.Config.StatsdAddr != "" {
+		sink, err := metrics.NewStatsdSink(opts.Config.StatsdAddr)
+		if err != nil {
+			return nil, nil, false, err
+		}
+		fanout = append(fanout, sink)
+	}
+
+	// Configure the Circonus sink
+	if opts.Config.CirconusAPIToken != "" || opts.Config.CirconusCheckSubmissionURL != "" {
+		cfg := &circonus.Config{}
+		cfg.Interval = opts.Config.CirconusSubmissionInterval
+		cfg.CheckManager.API.TokenKey = opts.Config.CirconusAPIToken
+		cfg.CheckManager.API.TokenApp = opts.Config.CirconusAPIApp
+		cfg.CheckManager.API.URL = opts.Config.CirconusAPIURL
+		cfg.CheckManager.Check.SubmissionURL = opts.Config.CirconusCheckSubmissionURL
+		cfg.CheckManager.Check.ID = opts.Config.CirconusCheckID
+		cfg.CheckManager.Check.ForceMetricActivation = opts.Config.CirconusCheckForceMetricActivation
+		cfg.CheckManager.Check.InstanceID = opts.Config.CirconusCheckInstanceID
+		cfg.CheckManager.Check.SearchTag = opts.Config.CirconusCheckSearchTag
+		cfg.CheckManager.Check.DisplayName = opts.Config.CirconusCheckDisplayName
+		cfg.CheckManager.Check.Tags = opts.Config.CirconusCheckTags
+		cfg.CheckManager.Broker.ID = opts.Config.CirconusBrokerID
+		cfg.CheckManager.Broker.SelectTag = opts.Config.CirconusBrokerSelectTag
+
+		if cfg.CheckManager.API.TokenApp == "" {
+			cfg.CheckManager.API.TokenApp = opts.ServiceName
+		}
+
+		if cfg.CheckManager.Check.DisplayName == "" {
+			cfg.CheckManager.Check.DisplayName = opts.DisplayName
+		}
+
+		if cfg.CheckManager.Check.SearchTag == "" {
+			cfg.CheckManager.Check.SearchTag = fmt.Sprintf("service:%s", opts.ServiceName)
+		}
+
+		sink, err := circonus.NewCirconusSink(cfg)
+		if err != nil {
+			return nil, nil, false, err
+		}
+		sink.Start()
+		fanout = append(fanout, sink)
+	}
+
+	if opts.Config.DogStatsDAddr != "" {
+		var tags []string
+
+		if opts.Config.DogStatsDTags != nil {
+			tags = opts.Config.DogStatsDTags
+		}
+
+		sink, err := datadog.NewDogStatsdSink(opts.Config.DogStatsDAddr, metricsConf.HostName)
+		if err != nil {
+			return nil, nil, false, fmt.Errorf("failed to start DogStatsD sink: %w", err)
+		}
+		sink.SetTags(tags)
+		fanout = append(fanout, sink)
+	}
+
+	// Configure the stackdriver sink
+	if opts.Config.StackdriverProjectID != "" {
+		client, err := monitoring.NewMetricClient(context.Background(), option.WithUserAgent(opts.UserAgent))
+		if err != nil {
+			return nil, nil, false, fmt.Errorf("Failed to create stackdriver client: %v", err)
+		}
+		sink := stackdriver.NewSink(client, &stackdriver.Config{
+			LabelExtractor: stackdrivervault.Extractor,
+			Bucketer:       stackdrivervault.Bucketer,
+			ProjectID:      opts.Config.StackdriverProjectID,
+			Location:       opts.Config.StackdriverLocation,
+			Namespace:      opts.Config.StackdriverNamespace,
+			DebugLogs:      opts.Config.StackdriverDebugLogs,
+		})
+		fanout = append(fanout, sink)
+	}
+
+	// Initialize the global sink
+	if len(fanout) > 1 {
+		// Hostname enabled will create poor quality metrics name for prometheus
+		if !opts.Config.DisableHostname {
+			opts.Ui.Warn("telemetry.disable_hostname has been set to false. Recommended setting is true for Prometheus to avoid poorly named metrics.")
+		}
+	} else {
+		metricsConf.EnableHostname = false
+	}
+	fanout = append(fanout, inm)
+	globalMetrics, err := metrics.NewGlobal(metricsConf, fanout)
+	if err != nil {
+		return nil, nil, false, err
+	}
+
+	// Intialize a wrapper around the global sink; this will be passed to Core
+	// and to any backend.
+	wrapper := metricsutil.NewClusterMetricSink(opts.ClusterName, globalMetrics)
+	wrapper.MaxGaugeCardinality = opts.Config.MaximumGaugeCardinality
+	wrapper.GaugeInterval = opts.Config.UsageGaugePeriod
+	wrapper.TelemetryConsts.LeaseMetricsEpsilon = opts.Config.LeaseMetricsEpsilon
+	wrapper.TelemetryConsts.LeaseMetricsNameSpaceLabels = opts.Config.LeaseMetricsNameSpaceLabels
+	wrapper.TelemetryConsts.NumLeaseMetricsTimeBuckets = opts.Config.NumLeaseMetricsTimeBuckets
+	wrapper.TelemetryConsts.RollbackMetricsIncludeMountPoint = opts.Config.RollbackMetricsIncludeMountPoint
+
+	// Parse the metric filters
+	telemetryAllowedPrefixes, telemetryBlockedPrefixes, err := parsePrefixFilter(opts.Config.PrefixFilter)
+	if err != nil {
+		return nil, nil, false, err
+	}
+
+	metrics.UpdateFilter(telemetryAllowedPrefixes, telemetryBlockedPrefixes)
+	return inm, wrapper, prometheusEnabled, nil
+}
+
+func parsePrefixFilter(prefixFilters []string) ([]string, []string, error) {
+	var telemetryAllowedPrefixes, telemetryBlockedPrefixes []string
+
+	for _, rule := range prefixFilters {
+		if rule == "" {
+			return nil, nil, fmt.Errorf("Cannot have empty filter rule in prefix_filter")
+		}
+		switch rule[0] {
+		case '+':
+			telemetryAllowedPrefixes = append(telemetryAllowedPrefixes, rule[1:])
+		case '-':
+			telemetryBlockedPrefixes = append(telemetryBlockedPrefixes, rule[1:])
+		default:
+			return nil, nil, fmt.Errorf("Filter rule must begin with either '+' or '-': %q", rule)
+		}
+	}
+	return telemetryAllowedPrefixes, telemetryBlockedPrefixes, nil
+}
diff --git a/ui/tests/integration/components/kv/kv-data-fields-test.js b/ui/tests/integration/components/kv/kv-data-fields-test.js
index 954e4d0e1fa7..7e803811b6ac 100644
--- a/ui/tests/integration/components/kv/kv-data-fields-test.js
+++ b/ui/tests/integration/components/kv/kv-data-fields-test.js
@@ -1,76 +1,524 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: MPL-2.0
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'vault/tests/helpers';
-import { setupEngine } from 'ember-engines/test-support';
-import { setupMirage } from 'ember-cli-mirage/test-support';
-import { hbs } from 'ember-cli-htmlbars';
-import { fillIn, render } from '@ember/test-helpers';
-import codemirror from 'vault/tests/helpers/codemirror';
-import { FORM } from 'vault/tests/helpers/kv/kv-selectors';
-
-module('Integration | Component | kv-v2 | KvDataFields', function (hooks) {
-  setupRenderingTest(hooks);
-  setupEngine(hooks, 'kv');
-  setupMirage(hooks);
-
-  hooks.beforeEach(function () {
-    this.store = this.owner.lookup('service:store');
-    this.backend = 'my-kv-engine';
-    this.path = 'my-secret';
-    this.secret = this.store.createRecord('kv/data', { backend: this.backend });
-  });
-
-  test('it updates the secret model', async function (assert) {
-    assert.expect(2);
-
-    await render(hbs`<KvDataFields @showJson={{false}} @secret={{this.secret}} />`, { owner: this.engine });
-
-    await fillIn(FORM.inputByAttr('path'), this.path);
-    await fillIn(FORM.keyInput(), 'foo');
-    await fillIn(FORM.maskedValueInput(), 'bar');
-    assert.strictEqual(this.secret.path, this.path);
-    assert.propEqual(this.secret.secretData, { foo: 'bar' });
-  });
-
-  test('it JSON editor initializes with empty object and modifies secretData', async function (assert) {
-    assert.expect(3);
-
-    await render(hbs`<KvDataFields @showJson={{true}} @secret={{this.secret}} />`, { owner: this.engine });
-
-    assert.strictEqual(
-      codemirror().getValue(' '),
-      `{   \"\": \"\" }`, // eslint-disable-line no-useless-escape
-      'json editor initializes with empty object'
-    );
-    await fillIn(`${FORM.jsonEditor} textarea`, 'blah');
-    assert.strictEqual(codemirror().state.lint.marked.length, 1, 'codemirror lints input');
-    codemirror().setValue(`{ "hello": "there"}`);
-    assert.propEqual(this.secret.secretData, { hello: 'there' }, 'json editor updates secret data');
-  });
-
-  test('it disables path and prefills secret data when creating a new secret version', async function (assert) {
-    assert.expect(5);
-    this.secret.secretData = { foo: 'bar' };
-    this.secret.path = this.path;
-
-    this.newVersion = this.store.createRecord('kv/data', {
-      backend: this.backend,
-      path: this.path,
-      secretData: this.secret.secretData,
-    });
-
-    await render(hbs`<KvDataFields @showJson={{false}} @isEdit={{true}} @secret={{this.secret}} />`, {
-      owner: this.engine,
-    });
-
-    assert.dom(FORM.inputByAttr('path')).isDisabled();
-    assert.dom(FORM.inputByAttr('path')).hasValue(this.path);
-    assert.dom(FORM.keyInput()).hasValue('foo');
-    assert.dom(FORM.maskedValueInput()).hasValue('bar');
-    assert.dom(FORM.dataInputLabel({ isJson: false })).hasText('Version data');
-  });
-});
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+on:
+  workflow_call:
+    inputs:
+      go-arch:
+        description: The execution architecture (arm, amd64, etc.)
+        required: true
+        type: string
+      enterprise:
+        description: A flag indicating if this workflow is executing for the enterprise repository.
+        required: true
+        type: string
+      total-runners:
+        description: Number of runners to use for executing non-binary tests.
+        required: true
+        type: string
+      binary-tests:
+        description: Whether to run the binary tests.
+        required: false
+        default: false
+        type: boolean
+      env-vars:
+        description: A map of environment variables as JSON.
+        required: false
+        type: string
+        default: '{}'
+      extra-flags:
+        description: A space-separated list of additional build flags.
+        required: false
+        type: string
+        default: ''
+      runs-on:
+        description: An expression indicating which kind of runners to use.
+        required: false
+        type: string
+        default: ubuntu-latest
+      go-tags:
+        description: A comma-separated list of additional build tags to consider satisfied during the build.
+        required: false
+        type: string
+      name:
+        description: A suffix to append to archived test results
+        required: false
+        default: ''
+        type: string
+      go-test-parallelism:
+        description: The parallelism parameter for Go tests
+        required: false
+        default: 20
+        type: number
+      timeout-minutes:
+        description: The maximum number of minutes that this workflow should run
+        required: false
+        default: 60
+        type: number
+      testonly:
+        description: Whether to run the tests tagged with testonly.
+        required: false
+        default: false
+        type: boolean
+      test-timing-cache-enabled:
+        description: Cache the gotestsum test timing data.
+        required: false
+        default: true
+        type: boolean
+      test-timing-cache-key:
+        description: The cache key to use for gotestsum test timing data.
+        required: false
+        default: go-test-reports
+        type: string
+      checkout-ref:
+        description: The ref to use for checkout.
+        required: false
+        default: ${{ github.ref }}
+        type: string
+
+env: ${{ fromJSON(inputs.env-vars) }}
+
+jobs:
+  test-matrix:
+    permissions:
+      id-token: write  # Note: this permission is explicitly required for Vault auth
+      contents: read
+    runs-on: ${{ fromJSON(inputs.runs-on) }}
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          ref: ${{ inputs.checkout-ref }}
+      - uses: ./.github/actions/set-up-go
+        with:
+          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
+      - name: Authenticate to Vault
+        id: vault-auth
+        if: github.repository == 'hashicorp/vault-enterprise'
+        run: vault-auth
+      - name: Fetch Secrets
+        id: secrets
+        if: github.repository == 'hashicorp/vault-enterprise'
+        uses: hashicorp/vault-action@130d1f5f4fe645bb6c83e4225c04d64cfb62de6e
+        with:
+          url: ${{ steps.vault-auth.outputs.addr }}
+          caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
+          token: ${{ steps.vault-auth.outputs.token }}
+          secrets: |
+            kv/data/github/${{ github.repository }}/datadog-ci DATADOG_API_KEY;
+            kv/data/github/${{ github.repository }}/github-token username-and-token | github-token;
+            kv/data/github/${{ github.repository }}/license license_1 | VAULT_LICENSE_CI;
+            kv/data/github/${{ github.repository }}/license license_2 | VAULT_LICENSE_2;
+            kv/data/github/${{ github.repository }}/hcp-link HCP_API_ADDRESS;
+            kv/data/github/${{ github.repository }}/hcp-link HCP_AUTH_URL;
+            kv/data/github/${{ github.repository }}/hcp-link HCP_CLIENT_ID;
+            kv/data/github/${{ github.repository }}/hcp-link HCP_CLIENT_SECRET;
+            kv/data/github/${{ github.repository }}/hcp-link HCP_RESOURCE_ID;
+      - id: setup-git-private
+        name: Setup Git configuration (private)
+        if: github.repository == 'hashicorp/vault-enterprise'
+        run: |
+          git config --global url."https://${{ steps.secrets.outputs.github-token }}@github.com".insteadOf https://github.com
+      - id: setup-git-public
+        name: Setup Git configuration (public)
+        if: github.repository != 'hashicorp/vault-enterprise'
+        run: |
+          git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN}}@github.com".insteadOf https://github.com
+      - uses: ./.github/actions/set-up-gotestsum
+      - run: mkdir -p test-results/go-test
+      - uses: actions/cache/restore@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        if: inputs.test-timing-cache-enabled
+        with:
+          path: test-results/go-test
+          key: ${{ inputs.test-timing-cache-key }}-${{ github.run_number }}
+          restore-keys: |
+            ${{ inputs.test-timing-cache-key }}-
+            go-test-reports-
+      - name: Sanitize timing files
+        id: sanitize-timing-files
+        run: |
+          # Prune invalid timing files
+          find test-results/go-test -mindepth 1 -type f -name "*.json" -exec sh -c '
+            file="$1";
+            jq . "$file" || rm "$file"
+          ' shell {} \; > /dev/null 2>&1
+      - name: Build matrix excluding binary, integration, and testonly tests
+        id: build-non-binary
+        if: ${{ !inputs.testonly }}
+        env:
+          GOPRIVATE: github.com/hashicorp/*
+        run: |
+          # testonly tests need additional build tag though let's exclude them anyway for clarity
+          (
+            go list ./... | grep -v "_binary" | grep -v "vault/integ" | grep -v "testonly" | gotestsum tool ci-matrix --debug \
+              --partitions "${{ inputs.total-runners }}" \
+              --timing-files 'test-results/go-test/*.json' > matrix.json
+          )
+      - name: Build matrix for tests tagged with testonly
+        if: ${{ inputs.testonly }}
+        env:
+          GOPRIVATE: github.com/hashicorp/*
+        run: |
+          set -exo pipefail
+          # enable glob expansion
+          shopt -s nullglob
+          # testonly tagged tests need an additional tag to be included
+          # also running some extra tests for sanity checking with the testonly build tag
+          (
+            go list -tags=testonly ./vault/external_tests/{kv,token,*replication-perf*,*testonly*} ./vault/ | gotestsum tool ci-matrix --debug \
+              --partitions "${{ inputs.total-runners }}" \
+              --timing-files 'test-results/go-test/*.json' > matrix.json
+          )
+          # disable glob expansion
+          shopt -u nullglob
+      - name: Capture list of binary tests
+        if: inputs.binary-tests
+        id: list-binary-tests
+        run: |
+          LIST="$(go list ./... | grep "_binary" | xargs)"
+          echo "list=$LIST" >> "$GITHUB_OUTPUT"
+      - name: Build complete matrix
+        id: build
+        run: |
+            set -exo pipefail
+            matrix_file="matrix.json"
+            if [ "${{ inputs.binary-tests}}" == "true" ] && [ -n "${{ steps.list-binary-tests.outputs.list }}" ]; then
+              export BINARY_TESTS="${{ steps.list-binary-tests.outputs.list }}"
+              jq --arg BINARY "${BINARY_TESTS}" --arg BINARY_INDEX "${{ inputs.total-runners }}" \
+                '.include += [{
+                  "id": $BINARY_INDEX,
+                  "estimatedRuntime": "N/A",
+                  "packages": $BINARY,
+                  "description": "partition $BINARY_INDEX - binary test packages"
+              }]' matrix.json > new-matrix.json
+              matrix_file="new-matrix.json"
+            fi
+            # convert the json to a map keyed by id
+            (
+              echo -n "matrix="
+                jq -c \
+                '.include | map( { (.id|tostring): . } ) | add' "$matrix_file"
+            ) >> "$GITHUB_OUTPUT"
+            # extract an array of ids from the json
+            (
+              echo -n "matrix_ids="
+              jq -c \
+                '[ .include[].id | tostring ]' "$matrix_file"
+            ) >> "$GITHUB_OUTPUT"
+    outputs:
+      matrix: ${{ steps.build.outputs.matrix }}
+      matrix_ids: ${{ steps.build.outputs.matrix_ids }}
+
+  test-go:
+    needs: test-matrix
+    permissions:
+      actions: read
+      contents: read
+      id-token: write  # Note: this permission is explicitly required for Vault auth
+    runs-on: ${{ fromJSON(inputs.runs-on) }}
+    strategy:
+      fail-fast: false
+      matrix:
+        id: ${{ fromJSON(needs.test-matrix.outputs.matrix_ids) }}
+    env:
+      GOPRIVATE: github.com/hashicorp/*
+      TIMEOUT_IN_MINUTES: ${{ inputs.timeout-minutes }}
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          ref: ${{ inputs.checkout-ref }}
+      - uses: ./.github/actions/set-up-go
+        with:
+          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
+      - name: Authenticate to Vault
+        id: vault-auth
+        if: github.repository == 'hashicorp/vault-enterprise'
+        run: vault-auth
+      - name: Fetch Secrets
+        id: secrets
+        if: github.repository == 'hashicorp/vault-enterprise'
+        uses: hashicorp/vault-action@130d1f5f4fe645bb6c83e4225c04d64cfb62de6e
+        with:
+          url: ${{ steps.vault-auth.outputs.addr }}
+          caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
+          token: ${{ steps.vault-auth.outputs.token }}
+          secrets: |
+            kv/data/github/${{ github.repository }}/datadog-ci DATADOG_API_KEY;
+            kv/data/github/${{ github.repository }}/github-token username-and-token | github-token;
+            kv/data/github/${{ github.repository }}/license license_1 | VAULT_LICENSE_CI;
+            kv/data/github/${{ github.repository }}/license license_2 | VAULT_LICENSE_2;
+            kv/data/github/${{ github.repository }}/hcp-link HCP_API_ADDRESS;
+            kv/data/github/${{ github.repository }}/hcp-link HCP_AUTH_URL;
+            kv/data/github/${{ github.repository }}/hcp-link HCP_CLIENT_ID;
+            kv/data/github/${{ github.repository }}/hcp-link HCP_CLIENT_SECRET;
+            kv/data/github/${{ github.repository }}/hcp-link HCP_RESOURCE_ID;
+      - id: setup-git-private
+        name: Setup Git configuration (private)
+        if: github.repository == 'hashicorp/vault-enterprise'
+        run: |
+          git config --global url."https://${{ steps.secrets.outputs.github-token }}@github.com".insteadOf https://github.com
+      - id: setup-git-public
+        name: Setup Git configuration (public)
+        if: github.repository != 'hashicorp/vault-enterprise'
+        run: |
+          git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN}}@github.com".insteadOf https://github.com
+      - id: build
+        if: inputs.binary-tests && matrix.id == inputs.total-runners
+        env:
+          GOPRIVATE: github.com/hashicorp/*
+        run: time make ci-bootstrap dev
+      - uses: ./.github/actions/set-up-gotestsum
+      - name: Install gVisor
+        # Enterprise repo runners do not allow sudo, so can't install gVisor there yet.
+        if: ${{ !inputs.enterprise }}
+        run: |
+          (
+            set -e
+            ARCH="$(uname -m)"
+            URL="https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}"
+            wget --quiet "${URL}/runsc" "${URL}/runsc.sha512" \
+              "${URL}/containerd-shim-runsc-v1" "${URL}/containerd-shim-runsc-v1.sha512"
+            sha512sum -c runsc.sha512 \
+              -c containerd-shim-runsc-v1.sha512
+            rm -f -- *.sha512
+            chmod a+rx runsc containerd-shim-runsc-v1
+            sudo mv runsc containerd-shim-runsc-v1 /usr/local/bin
+          )
+          sudo tee /etc/docker/daemon.json <<EOF
+          {
+            "runtimes": {
+              "runsc": {
+                "path": "/usr/local/bin/runsc",
+                "runtimeArgs": [
+                  "--host-uds=create"
+                ]
+              }
+            }
+          }
+          EOF
+          sudo systemctl reload docker
+      - name: Install rootless Docker
+        # Enterprise repo runners do not allow sudo, so can't system packages there yet.
+        if: ${{ !inputs.enterprise }}
+        run: |
+          sudo apt-get install -y uidmap dbus-user-session
+          export FORCE_ROOTLESS_INSTALL=1
+          curl -fsSL https://get.docker.com/rootless | sh
+          mkdir -p ~/.config/docker/
+          tee ~/.config/docker/daemon.json  <<EOF
+          {
+            "runtimes": {
+              "runsc": {
+                "path": "/usr/local/bin/runsc",
+                "runtimeArgs": [
+                  "--host-uds=create",
+                  "--ignore-cgroups"
+                ]
+              }
+            }
+          }
+          EOF
+          systemctl --user restart docker
+          # Ensure the original rootful Docker install is still the default.
+          docker context use default
+      - id: run-go-tests
+        name: Run Go tests
+        timeout-minutes: ${{ fromJSON(env.TIMEOUT_IN_MINUTES) }}
+        env:
+          COMMIT_SHA: ${{ github.sha }}
+        run: |
+          set -exo pipefail
+
+          # Build the dynamically generated source files.
+          make prep
+
+          packages=$(echo "${{ toJSON(needs.test-matrix.outputs.matrix) }}" | jq -c -r --arg id "${{ matrix.id }}" '.[$id] | .packages')
+
+          if [ -z "$packages" ]; then
+            echo "no test packages to run"
+            exit 1
+          fi
+          # We don't want VAULT_LICENSE set when running Go tests, because that's
+          # not what developers have in their environments and it could break some
+          # tests; it would be like setting VAULT_TOKEN.  However some non-Go
+          # CI commands, like the UI tests, shouldn't have to worry about licensing.
+          # So we provide the tests which want an externally supplied license with licenses
+          # via the VAULT_LICENSE_CI and VAULT_LICENSE_2 environment variables, and here we unset it.
+          # shellcheck disable=SC2034
+          VAULT_LICENSE=
+
+          # Assign test licenses to relevant variables if they aren't already
+          if [[ ${{ github.repository }} == 'hashicorp/vault' ]]; then
+            export VAULT_LICENSE_CI=${{ secrets.ci_license }}
+            export VAULT_LICENSE_2=${{ secrets.ci_license_2 }}
+            export HCP_API_ADDRESS=${{ secrets.HCP_API_ADDRESS }}
+            export HCP_AUTH_URL=${{ secrets.HCP_AUTH_URL }}
+            export HCP_CLIENT_ID=${{ secrets.HCP_CLIENT_ID }}
+            export HCP_CLIENT_SECRET=${{ secrets.HCP_CLIENT_SECRET }}
+            export HCP_RESOURCE_ID=${{ secrets.HCP_RESOURCE_ID }}
+            # Temporarily removing this variable to cause HCP Link tests
+            # to be skipped.
+            #export HCP_SCADA_ADDRESS=${{ secrets.HCP_SCADA_ADDRESS }}
+          fi
+
+          # The docker/binary tests are more expensive, and we've had problems with timeouts when running at full
+          # parallelism.  The default if -p isn't specified is to use NumCPUs, which seems fine for regular tests.
+          package_parallelism=""
+          
+          if [ -f bin/vault ]; then
+            VAULT_BINARY="$(pwd)/bin/vault"
+            export VAULT_BINARY
+          
+            package_parallelism="-p 2"
+          fi
+
+          # On a release branch, add a flag to rerun failed tests
+          # shellcheck disable=SC2193 # can get false positive for this comparision
+          if [[  "${{ github.base_ref }}" == release/* ]] || [[  -z "${{ github.base_ref }}" && "${{ github.ref_name }}" == release/* ]]
+          then
+            # TODO remove this extra condition once 1.15 is about to released GA
+            if [[  "${{ github.base_ref }}" != release/1.15* ]] || [[  -z "${{ github.base_ref }}" && "${{ github.ref_name }}" != release/1.15* ]]
+            then
+              RERUN_FAILS="--rerun-fails"
+            fi
+          fi
+
+          VAULT_TEST_LOG_DIR="$(pwd)/test-results/go-test/logs-${{ matrix.id }}"
+          export VAULT_TEST_LOG_DIR
+          mkdir -p "$VAULT_TEST_LOG_DIR"
+          
+          
+          # shellcheck disable=SC2086 # can't quote RERUN_FAILS
+          GOARCH=${{ inputs.go-arch }} \
+            gotestsum --format=short-verbose \
+              --junitfile test-results/go-test/results-${{ matrix.id }}.xml \
+              --jsonfile test-results/go-test/results-${{ matrix.id }}.json \
+              --jsonfile-timing-events failure-summary-${{ matrix.id }}${{ inputs.name != '' && '-' || '' }}${{ inputs.name }}.json \
+              $RERUN_FAILS \
+              --packages "$packages" \
+              -- \
+              $package_parallelism \
+              -tags "${{ inputs.go-tags }}" \
+              -timeout=${{ env.TIMEOUT_IN_MINUTES }}m \
+              -parallel=${{ inputs.go-test-parallelism }} \
+              ${{ inputs.extra-flags }} \
+      - name: Prepare datadog-ci
+        if: github.repository == 'hashicorp/vault' && (success() || failure())
+        continue-on-error: true
+        run: |
+          curl -L --fail "https://github.com/DataDog/datadog-ci/releases/latest/download/datadog-ci_linux-x64" --output "/usr/local/bin/datadog-ci"
+          chmod +x /usr/local/bin/datadog-ci
+      - name: Upload test results to DataDog
+        continue-on-error: true
+        env:
+          DD_ENV: ci
+        run: |
+          if [[ ${{ github.repository }} == 'hashicorp/vault' ]]; then
+            export DATADOG_API_KEY=${{ secrets.DATADOG_API_KEY }}
+          fi
+          datadog-ci junit upload --service "$GITHUB_REPOSITORY" test-results/go-test/results-${{ matrix.id }}.xml
+        if: success() || failure()
+      - name: Archive test results
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: test-results${{ inputs.name != '' && '-' || '' }}${{ inputs.name }}
+          path: test-results/go-test
+        if: success() || failure()
+      # GitHub Actions doesn't expose the job ID or the URL to the job execution,
+      # so we have to fetch it from the API
+      - name: Fetch job logs URL
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
+        if: success() || failure()
+        continue-on-error: true
+        with:
+          retries: 3
+          script: |
+            // We surround the whole script with a try-catch block, to avoid each of the matrix jobs
+            // displaying an error in the GHA workflow run annotations, which gets very noisy.
+            // If an error occurs, it will be logged so that we don't lose any information about the reason for failure.
+            try {
+              const fs = require("fs");
+              const result = await github.rest.actions.listJobsForWorkflowRun({
+                owner: context.repo.owner,
+                per_page: 100,
+                repo: context.repo.repo,
+                run_id: context.runId,
+              });
+
+              // Determine what job name to use for the query. These values are hardcoded, because GHA doesn't
+              // expose them in any of the contexts available within a workflow run.
+              let prefixToSearchFor;
+              switch ("${{ inputs.name }}") {
+                case "race":
+                  prefixToSearchFor = 'Run Go tests with data race detection / test-go (${{ matrix.id }})'
+                  break
+                case "fips":
+                  prefixToSearchFor = 'Run Go tests with FIPS configuration / test-go (${{ matrix.id }})'
+                  break
+                default:
+                  prefixToSearchFor = 'Run Go tests / test-go (${{ matrix.id }})'
+              }
+
+              const jobData = result.data.jobs.filter(
+                (job) => job.name.startsWith(prefixToSearchFor)
+              );
+              const url = jobData[0].html_url;
+              const envVarName = "GH_JOB_URL";
+              const envVar = envVarName + "=" + url;
+              const envFile = process.env.GITHUB_ENV;
+
+              fs.appendFile(envFile, envVar, (err) => {
+                if (err) throw err;
+                console.log("Successfully set " + envVarName + " to: " + url);
+              });
+            } catch (error) {
+              console.log("Error: " + error);
+              return
+            }
+      - name: Prepare failure summary
+        if: success() || failure()
+        continue-on-error: true
+        run: |
+          # This jq query filters out successful tests, leaving only the failures.
+          # Then, it formats the results into rows of a Markdown table.
+          # An example row will resemble this:
+          # | github.com/hashicorp/vault/package | TestName | fips | 0 | 2 | [view results](github.com/link-to-logs) |
+          jq -r -n 'inputs
+          | select(.Action == "fail")
+          | "| ${{inputs.name}} | \(.Package) | \(.Test // "-") | \(.Elapsed) | ${{ matrix.id }} | [view test results :scroll:](${{ env.GH_JOB_URL }}) |"' \
+          failure-summary-${{ matrix.id }}${{ inputs.name != '' && '-' || '' }}${{inputs.name}}.json \
+          >> failure-summary-${{ matrix.id }}${{ inputs.name != '' && '-' || '' }}${{inputs.name}}.md
+      - name: Upload failure summary
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        if: success() || failure()
+        with:
+          name: failure-summary
+          path: failure-summary-${{ matrix.id }}${{ inputs.name != '' && '-' || '' }}${{inputs.name}}.md
+
+  test-collect-reports:
+    if: ${{ ! cancelled() && needs.test-go.result == 'success' && inputs.test-timing-cache-enabled }}
+    needs: test-go
+    runs-on: ${{ fromJSON(inputs.runs-on) }}
+    steps:
+      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        with:
+          path: test-results/go-test
+          key: ${{ inputs.test-timing-cache-key }}-${{ github.run_number }}
+          restore-keys: |
+            ${{ inputs.test-timing-cache-key }}-
+            go-test-reports-
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: test-results
+          path: test-results/go-test
+      - run: |
+          rm -rf test-results/go-test/logs
+          ls -lhR test-results/go-test
+          find test-results/go-test -mindepth 1 -mtime +3 -delete
+
+          # Prune invalid timing files
+          find test-results/go-test -mindepth 1 -type f -name "*.json" -exec sh -c '
+            file="$1";
+            jq . "$file" || rm "$file"
+          ' shell {} \; > /dev/null 2>&1
+
+          ls -lhR test-results/go-test
diff --git a/ui/tests/integration/components/kv/page/kv-page-secret-details-test.js b/ui/tests/integration/components/kv/page/kv-page-secret-details-test.js
index a54b92a16a03..c80856b661c5 100644
--- a/ui/tests/integration/components/kv/page/kv-page-secret-details-test.js
+++ b/ui/tests/integration/components/kv/page/kv-page-secret-details-test.js
@@ -1,223 +1,462 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: MPL-2.0
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import { setupEngine } from 'ember-engines/test-support';
-import { setupMirage } from 'ember-cli-mirage/test-support';
-import { click, find, render } from '@ember/test-helpers';
-import { hbs } from 'ember-cli-htmlbars';
-import { kvDataPath, kvMetadataPath } from 'vault/utils/kv-path';
-import { allowAllCapabilitiesStub } from 'vault/tests/helpers/stubs';
-import { FORM, PAGE, parseJsonEditor } from 'vault/tests/helpers/kv/kv-selectors';
-import { syncStatusResponse } from 'vault/mirage/handlers/sync';
-
-module('Integration | Component | kv-v2 | Page::Secret::Details', function (hooks) {
-  setupRenderingTest(hooks);
-  setupEngine(hooks, 'kv');
-  setupMirage(hooks);
-
-  hooks.beforeEach(async function () {
-    this.store = this.owner.lookup('service:store');
-    this.server.post('/sys/capabilities-self', allowAllCapabilitiesStub());
-    this.backend = 'kv-engine';
-    this.path = 'my-secret';
-    this.version = 2;
-    this.dataId = kvDataPath(this.backend, this.path);
-    this.metadataId = kvMetadataPath(this.backend, this.path);
-
-    this.secretData = { foo: 'bar' };
-    this.store.pushPayload('kv/data', {
-      modelName: 'kv/data',
-      id: this.dataId,
-      secret_data: this.secretData,
-      created_time: '2023-07-20T02:12:17.379762Z',
-      custom_metadata: null,
-      deletion_time: '',
-      destroyed: false,
-      version: this.version,
-      backend: this.backend,
-      path: this.path,
-    });
-
-    const metadata = this.server.create('kv-metadatum');
-    metadata.id = this.metadataId;
-    this.store.pushPayload('kv/metadata', {
-      modelName: 'kv/metadata',
-      ...metadata,
-    });
-
-    this.metadata = this.store.peekRecord('kv/metadata', this.metadataId);
-    this.secret = this.store.peekRecord('kv/data', this.dataId);
-
-    // this is the route model, not an ember data model
-    this.model = {
-      backend: this.backend,
-      path: this.path,
-      secret: this.secret,
-      metadata: this.metadata,
-    };
-    this.breadcrumbs = [
-      { label: 'secrets', route: 'secrets', linkExternal: true },
-      { label: this.model.backend, route: 'list' },
-      { label: this.model.path },
-    ];
-  });
-
-  test('it renders secret details and toggles json view', async function (assert) {
-    assert.expect(8);
-    this.server.get(`sys/sync/associations/:mount/*name`, (schema, req) => {
-      assert.ok(true, 'request made to fetch sync status');
-      // no records so response returns 404
-      return syncStatusResponse(schema, req);
-    });
-
-    await render(
-      hbs`
-       <Page::Secret::Details
-        @path={{this.model.path}}
-        @secret={{this.model.secret}}
-        @metadata={{this.model.metadata}}
-        @breadcrumbs={{this.breadcrumbs}}
-      />
-      `,
-      { owner: this.engine }
-    );
-
-    assert
-      .dom(PAGE.detail.syncAlert())
-      .doesNotExist('sync page alert banner does not render when sync status errors');
-    assert.dom(PAGE.title).includesText(this.model.path, 'renders secret path as page title');
-    assert.dom(PAGE.infoRowValue('foo')).exists('renders row for secret data');
-    assert.dom(PAGE.infoRowValue('foo')).hasText('***********');
-    await click(FORM.toggleMasked);
-    assert.dom(PAGE.infoRowValue('foo')).hasText('bar', 'renders secret value');
-    await click(FORM.toggleJson);
-    assert.propEqual(parseJsonEditor(find), this.secretData, 'json editor renders secret data');
-    assert
-      .dom(PAGE.detail.versionTimestamp)
-      .includesText(`Version ${this.version} created`, 'renders version and time created');
-  });
-
-  test('it renders deleted empty state', async function (assert) {
-    assert.expect(3);
-    this.secret.deletionTime = '2023-07-23T02:12:17.379762Z';
-    await render(
-      hbs`
-       <Page::Secret::Details
-        @path={{this.model.path}}
-        @secret={{this.model.secret}}
-        @metadata={{this.model.metadata}}
-        @breadcrumbs={{this.breadcrumbs}}
-      />
-      `,
-      { owner: this.engine }
-    );
-    assert.dom(PAGE.emptyStateTitle).hasText('Version 2 of this secret has been deleted');
-    assert
-      .dom(PAGE.emptyStateMessage)
-      .hasText(
-        'This version has been deleted but can be undeleted. View other versions of this secret by clicking the Version History tab above.'
-      );
-    assert
-      .dom(PAGE.detail.versionTimestamp)
-      .includesText(`Version ${this.version} deleted`, 'renders version and time deleted');
-  });
-
-  test('it renders destroyed empty state', async function (assert) {
-    assert.expect(2);
-    this.secret.destroyed = true;
-    await render(
-      hbs`
-       <Page::Secret::Details
-        @path={{this.model.path}}
-        @secret={{this.model.secret}}
-        @metadata={{this.model.metadata}}
-        @breadcrumbs={{this.breadcrumbs}}
-      />
-      `,
-      { owner: this.engine }
-    );
-    assert.dom(PAGE.emptyStateTitle).hasText('Version 2 of this secret has been permanently destroyed');
-    assert
-      .dom(PAGE.emptyStateMessage)
-      .hasText(
-        'A version that has been permanently deleted cannot be restored. You can view other versions of this secret in the Version History tab above.'
-      );
-  });
-
-  test('it renders secret version dropdown', async function (assert) {
-    assert.expect(9);
-
-    await render(
-      hbs`
-       <Page::Secret::Details
-        @path={{this.model.path}}
-        @secret={{this.model.secret}}
-        @metadata={{this.model.metadata}}
-        @breadcrumbs={{this.breadcrumbs}}
-      />
-      `,
-      { owner: this.engine }
-    );
-
-    assert.dom(PAGE.detail.versionTimestamp).includesText(this.version, 'renders version');
-    assert.dom(PAGE.detail.versionDropdown).hasText(`Version ${this.secret.version}`);
-    await click(PAGE.detail.versionDropdown);
-
-    for (const version in this.metadata.versions) {
-      const data = this.metadata.versions[version];
-      assert.dom(PAGE.detail.version(version)).exists(`renders ${version} in dropdown menu`);
-
-      if (data.destroyed || data.deletion_time) {
-        assert
-          .dom(`${PAGE.detail.version(version)} [data-test-icon="x-square-fill"]`)
-          .hasClass(`${data.destroyed ? 'has-text-danger' : 'has-text-grey'}`);
-      }
-    }
-
-    assert
-      .dom(`${PAGE.detail.version(this.metadata.currentVersion)} [data-test-icon="check-circle"]`)
-      .exists('renders current version icon');
-  });
-
-  test('it renders sync status page alert', async function (assert) {
-    assert.expect(3); // assert count important because confirms request made to fetch sync status twice
-    const destinationName = 'my-destination';
-    this.server.create('sync-association', {
-      type: 'aws-sm',
-      name: destinationName,
-      mount: this.backend,
-      secret_name: this.path,
-    });
-    this.server.get('sys/sync/associations/:mount/*name', (schema, req) => {
-      // this assertion should be hit twice, once on init and again when the 'Refresh' button is clicked
-      assert.ok(true, 'request made to fetch sync status');
-      return syncStatusResponse(schema, req);
-    });
-
-    await render(
-      hbs`
-       <Page::Secret::Details
-        @path={{this.model.path}}
-        @secret={{this.model.secret}}
-        @metadata={{this.model.metadata}}
-        @breadcrumbs={{this.breadcrumbs}}
-      />
-      `,
-      { owner: this.engine }
-    );
-
-    assert
-      .dom(PAGE.detail.syncAlert(destinationName))
-      .hasTextContaining(
-        'Synced my-destination - last updated September',
-        'renders sync status alert banner'
-      );
-
-    // sync status refresh button
-    await click(`${PAGE.detail.syncAlert()} button`);
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package pki
+
+import (
+	"context"
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/asn1"
+	"encoding/pem"
+	"fmt"
+	"io"
+	"math"
+	"math/big"
+	http2 "net/http"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/helper/certutil"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/crypto/ocsp"
+)
+
+// Setup helpers
+func CreateBackendWithStorage(t testing.TB) (*backend, logical.Storage) {
+	t.Helper()
+
+	config := logical.TestBackendConfig()
+	config.StorageView = &logical.InmemStorage{}
+
+	var err error
+	b := Backend(config)
+	err = b.Setup(context.Background(), config)
+	if err != nil {
+		t.Fatal(err)
+	}
+	// Assume for our tests we have performed the migration already.
+	b.pkiStorageVersion.Store(1)
+	return b, config.StorageView
+}
+
+func mountPKIEndpoint(t testing.TB, client *api.Client, path string) {
+	t.Helper()
+
+	err := client.Sys().Mount(path, &api.MountInput{
+		Type: "pki",
+		Config: api.MountConfigInput{
+			DefaultLeaseTTL: "16h",
+			MaxLeaseTTL:     "32h",
+		},
+	})
+	require.NoError(t, err, "failed mounting pki endpoint")
+}
+
+// Signing helpers
+func requireSignedBy(t *testing.T, cert *x509.Certificate, signingCert *x509.Certificate) {
+	t.Helper()
+
+	if err := cert.CheckSignatureFrom(signingCert); err != nil {
+		t.Fatalf("signature verification failed: %v", err)
+	}
+}
+
+func requireSignedByAtPath(t *testing.T, client *api.Client, leaf *x509.Certificate, path string) {
+	t.Helper()
+
+	resp, err := client.Logical().Read(path)
+	require.NoError(t, err, "got unexpected error fetching parent certificate")
+	require.NotNil(t, resp, "missing response when fetching parent certificate")
+	require.NotNil(t, resp.Data, "missing data from parent certificate response")
+	require.NotNil(t, resp.Data["certificate"], "missing certificate field on parent read response")
+
+	parentCert := resp.Data["certificate"].(string)
+	parent := parseCert(t, parentCert)
+
+	requireSignedBy(t, leaf, parent)
+}
+
+// Certificate helper
+func parseCert(t *testing.T, pemCert string) *x509.Certificate {
+	t.Helper()
+
+	block, _ := pem.Decode([]byte(pemCert))
+	require.NotNil(t, block, "failed to decode PEM block")
+
+	cert, err := x509.ParseCertificate(block.Bytes)
+	require.NoError(t, err)
+	return cert
+}
+
+func requireMatchingPublicKeys(t *testing.T, cert *x509.Certificate, key crypto.PublicKey) {
+	t.Helper()
+
+	certPubKey := cert.PublicKey
+	areEqual, err := certutil.ComparePublicKeysAndType(certPubKey, key)
+	require.NoError(t, err, "failed comparing public keys: %#v", err)
+	require.True(t, areEqual, "public keys mismatched: got: %v, expected: %v", certPubKey, key)
+}
+
+func getSelfSigned(t *testing.T, subject, issuer *x509.Certificate, key *rsa.PrivateKey) (string, *x509.Certificate) {
+	t.Helper()
+	selfSigned, err := x509.CreateCertificate(rand.Reader, subject, issuer, key.Public(), key)
+	if err != nil {
+		t.Fatal(err)
+	}
+	cert, err := x509.ParseCertificate(selfSigned)
+	if err != nil {
+		t.Fatal(err)
+	}
+	pemSS := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: selfSigned,
+	})))
+	return pemSS, cert
+}
+
+// CRL related helpers
+func getCrlCertificateList(t *testing.T, client *api.Client, mountPoint string) pkix.TBSCertificateList {
+	t.Helper()
+
+	path := fmt.Sprintf("/v1/%s/crl", mountPoint)
+	return getParsedCrlAtPath(t, client, path).TBSCertList
+}
+
+func parseCrlPemBytes(t *testing.T, crlPem []byte) pkix.TBSCertificateList {
+	t.Helper()
+
+	certList, err := x509.ParseCRL(crlPem)
+	require.NoError(t, err)
+	return certList.TBSCertList
+}
+
+func requireSerialNumberInCRL(t *testing.T, revokeList pkix.TBSCertificateList, serialNum string) bool {
+	if t != nil {
+		t.Helper()
+	}
+
+	serialsInList := make([]string, 0, len(revokeList.RevokedCertificates))
+	for _, revokeEntry := range revokeList.RevokedCertificates {
+		formattedSerial := certutil.GetHexFormatted(revokeEntry.SerialNumber.Bytes(), ":")
+		serialsInList = append(serialsInList, formattedSerial)
+		if formattedSerial == serialNum {
+			return true
+		}
+	}
+
+	if t != nil {
+		t.Fatalf("the serial number %s, was not found in the CRL list containing: %v", serialNum, serialsInList)
+	}
+
+	return false
+}
+
+func getParsedCrl(t *testing.T, client *api.Client, mountPoint string) *pkix.CertificateList {
+	t.Helper()
+
+	path := fmt.Sprintf("/v1/%s/crl", mountPoint)
+	return getParsedCrlAtPath(t, client, path)
+}
+
+func getParsedCrlAtPath(t *testing.T, client *api.Client, path string) *pkix.CertificateList {
+	t.Helper()
+
+	req := client.NewRequest("GET", path)
+	resp, err := client.RawRequest(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer resp.Body.Close()
+
+	crlBytes, err := io.ReadAll(resp.Body)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	if len(crlBytes) == 0 {
+		t.Fatalf("expected CRL in response body")
+	}
+
+	crl, err := x509.ParseDERCRL(crlBytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return crl
+}
+
+func getParsedCrlFromBackend(t *testing.T, b *backend, s logical.Storage, path string) *pkix.CertificateList {
+	t.Helper()
+
+	resp, err := CBRead(b, s, path)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	crl, err := x509.ParseDERCRL(resp.Data[logical.HTTPRawBody].([]byte))
+	if err != nil {
+		t.Fatal(err)
+	}
+	return crl
+}
+
+// Direct storage backend helpers (b, s := createBackendWithStorage(t)) which
+// are mostly compatible with client.Logical() operations. The main difference
+// is that the JSON round-tripping hasn't occurred, so values are as the
+// backend returns them (e.g., []string instead of []interface{}).
+func CBReq(b *backend, s logical.Storage, operation logical.Operation, path string, data map[string]interface{}) (*logical.Response, error) {
+	resp, err := b.HandleRequest(context.Background(), &logical.Request{
+		Operation:  operation,
+		Path:       path,
+		Data:       data,
+		Storage:    s,
+		MountPoint: "pki/",
+	})
+	if err != nil || resp == nil {
+		return resp, err
+	}
+
+	if msg, ok := resp.Data["error"]; ok && msg != nil && len(msg.(string)) > 0 {
+		return resp, fmt.Errorf("%s", msg)
+	}
+
+	return resp, nil
+}
+
+func CBHeader(b *backend, s logical.Storage, path string) (*logical.Response, error) {
+	return CBReq(b, s, logical.HeaderOperation, path, make(map[string]interface{}))
+}
+
+func CBRead(b *backend, s logical.Storage, path string) (*logical.Response, error) {
+	return CBReq(b, s, logical.ReadOperation, path, make(map[string]interface{}))
+}
+
+func CBWrite(b *backend, s logical.Storage, path string, data map[string]interface{}) (*logical.Response, error) {
+	return CBReq(b, s, logical.UpdateOperation, path, data)
+}
+
+func CBPatch(b *backend, s logical.Storage, path string, data map[string]interface{}) (*logical.Response, error) {
+	return CBReq(b, s, logical.PatchOperation, path, data)
+}
+
+func CBList(b *backend, s logical.Storage, path string) (*logical.Response, error) {
+	return CBReq(b, s, logical.ListOperation, path, make(map[string]interface{}))
+}
+
+func CBDelete(b *backend, s logical.Storage, path string) (*logical.Response, error) {
+	return CBReq(b, s, logical.DeleteOperation, path, make(map[string]interface{}))
+}
+
+func requireFieldsSetInResp(t *testing.T, resp *logical.Response, fields ...string) {
+	t.Helper()
+
+	var missingFields []string
+	for _, field := range fields {
+		value, ok := resp.Data[field]
+		if !ok || value == nil {
+			missingFields = append(missingFields, field)
+		}
+	}
+
+	require.Empty(t, missingFields, "The following fields were required but missing from response:\n%v", resp.Data)
+}
+
+func requireSuccessNonNilResponse(t *testing.T, resp *logical.Response, err error, msgAndArgs ...interface{}) {
+	t.Helper()
+
+	require.NoError(t, err, msgAndArgs...)
+	if resp.IsError() {
+		errContext := fmt.Sprintf("Expected successful response but got error: %v", resp.Error())
+		require.Falsef(t, resp.IsError(), errContext, msgAndArgs...)
+	}
+	require.NotNil(t, resp, msgAndArgs...)
+}
+
+func requireSuccessNilResponse(t *testing.T, resp *logical.Response, err error, msgAndArgs ...interface{}) {
+	t.Helper()
+
+	require.NoError(t, err, msgAndArgs...)
+	if resp.IsError() {
+		errContext := fmt.Sprintf("Expected successful response but got error: %v", resp.Error())
+		require.Falsef(t, resp.IsError(), errContext, msgAndArgs...)
+	}
+	if resp != nil {
+		msg := fmt.Sprintf("expected nil response but got: %v", resp)
+		require.Nilf(t, resp, msg, msgAndArgs...)
+	}
+}
+
+func getCRLNumber(t *testing.T, crl pkix.TBSCertificateList) int {
+	t.Helper()
+
+	for _, extension := range crl.Extensions {
+		if extension.Id.Equal(certutil.CRLNumberOID) {
+			bigInt := new(big.Int)
+			leftOver, err := asn1.Unmarshal(extension.Value, &bigInt)
+			require.NoError(t, err, "Failed unmarshalling crl number extension")
+			require.Empty(t, leftOver, "leftover bytes from unmarshalling crl number extension")
+			require.True(t, bigInt.IsInt64(), "parsed crl number integer is not an int64")
+			require.False(t, math.MaxInt <= bigInt.Int64(), "parsed crl number integer can not fit in an int")
+			return int(bigInt.Int64())
+		}
+	}
+
+	t.Fatalf("failed to find crl number extension")
+	return 0
+}
+
+func getCrlReferenceFromDelta(t *testing.T, crl pkix.TBSCertificateList) int {
+	t.Helper()
+
+	for _, extension := range crl.Extensions {
+		if extension.Id.Equal(certutil.DeltaCRLIndicatorOID) {
+			bigInt := new(big.Int)
+			leftOver, err := asn1.Unmarshal(extension.Value, &bigInt)
+			require.NoError(t, err, "Failed unmarshalling delta crl indicator extension")
+			require.Empty(t, leftOver, "leftover bytes from unmarshalling delta crl indicator extension")
+			require.True(t, bigInt.IsInt64(), "parsed delta crl integer is not an int64")
+			require.False(t, math.MaxInt <= bigInt.Int64(), "parsed delta crl integer can not fit in an int")
+			return int(bigInt.Int64())
+		}
+	}
+
+	t.Fatalf("failed to find delta crl indicator extension")
+	return 0
+}
+
+// waitForUpdatedCrl will wait until the CRL at the provided path has been reloaded
+// up for a maxWait duration and gives up if the timeout has been reached. If a negative
+// value for lastSeenCRLNumber is provided, the method will load the current CRL and wait
+// for a newer CRL be generated.
+func waitForUpdatedCrl(t *testing.T, client *api.Client, crlPath string, lastSeenCRLNumber int, maxWait time.Duration) pkix.TBSCertificateList {
+	t.Helper()
+
+	newCrl, didTimeOut := waitForUpdatedCrlUntil(t, client, crlPath, lastSeenCRLNumber, maxWait)
+	if didTimeOut {
+		t.Fatalf("Timed out waiting for new CRL rebuild on path %s", crlPath)
+	}
+	return newCrl.TBSCertList
+}
+
+// waitForUpdatedCrlUntil is a helper method that will wait for a CRL to be updated up until maxWait duration
+// or give up and return the last CRL it loaded. It will not fail, if it does not see a new CRL within the
+// max duration unlike waitForUpdatedCrl. Returns the last loaded CRL at the provided path and a boolean
+// indicating if we hit maxWait duration or not.
+func waitForUpdatedCrlUntil(t *testing.T, client *api.Client, crlPath string, lastSeenCrlNumber int, maxWait time.Duration) (*pkix.CertificateList, bool) {
+	t.Helper()
+
+	crl := getParsedCrlAtPath(t, client, crlPath)
+	initialCrlRevision := getCRLNumber(t, crl.TBSCertList)
+	newCrlRevision := initialCrlRevision
+
+	// Short circuit the fetches if we have a version of the CRL we want
+	if lastSeenCrlNumber > 0 && getCRLNumber(t, crl.TBSCertList) > lastSeenCrlNumber {
+		return crl, false
+	}
+
+	start := time.Now()
+	iteration := 0
+	for {
+		iteration++
+
+		if time.Since(start) > maxWait {
+			t.Logf("Timed out waiting for new CRL on path %s after iteration %d, delay: %v",
+				crlPath, iteration, time.Now().Sub(start))
+			return crl, true
+		}
+
+		crl = getParsedCrlAtPath(t, client, crlPath)
+		newCrlRevision = getCRLNumber(t, crl.TBSCertList)
+		if newCrlRevision > initialCrlRevision {
+			t.Logf("Got new revision of CRL %s from %d to %d after iteration %d, delay %v",
+				crlPath, initialCrlRevision, newCrlRevision, iteration, time.Now().Sub(start))
+			return crl, false
+		}
+
+		time.Sleep(100 * time.Millisecond)
+	}
+}
+
+// A quick CRL to string to provide better test error messages
+func summarizeCrl(t *testing.T, crl pkix.TBSCertificateList) string {
+	version := getCRLNumber(t, crl)
+	serials := []string{}
+	for _, cert := range crl.RevokedCertificates {
+		serials = append(serials, normalizeSerialFromBigInt(cert.SerialNumber))
+	}
+	return fmt.Sprintf("CRL Version: %d\n"+
+		"This Update: %s\n"+
+		"Next Update: %s\n"+
+		"Revoked Serial Count: %d\n"+
+		"Revoked Serials: %v", version, crl.ThisUpdate, crl.NextUpdate, len(serials), serials)
+}
+
+// OCSP helpers
+func generateRequest(t *testing.T, requestHash crypto.Hash, cert *x509.Certificate, issuer *x509.Certificate) []byte {
+	t.Helper()
+
+	opts := &ocsp.RequestOptions{Hash: requestHash}
+	ocspRequestDer, err := ocsp.CreateRequest(cert, issuer, opts)
+	require.NoError(t, err, "Failed generating OCSP request")
+	return ocspRequestDer
+}
+
+func requireOcspResponseSignedBy(t *testing.T, ocspResp *ocsp.Response, issuer *x509.Certificate) {
+	t.Helper()
+
+	err := ocspResp.CheckSignatureFrom(issuer)
+	require.NoError(t, err, "Failed signature verification of ocsp response: %w", err)
+}
+
+func performOcspPost(t *testing.T, cert *x509.Certificate, issuerCert *x509.Certificate, client *api.Client, ocspPath string) *ocsp.Response {
+	t.Helper()
+
+	baseClient := client.WithNamespace("")
+
+	ocspReq := generateRequest(t, crypto.SHA256, cert, issuerCert)
+	ocspPostReq := baseClient.NewRequest(http2.MethodPost, ocspPath)
+	ocspPostReq.Headers.Set("Content-Type", "application/ocsp-request")
+	ocspPostReq.BodyBytes = ocspReq
+	rawResp, err := baseClient.RawRequest(ocspPostReq)
+	require.NoError(t, err, "failed sending unified-ocsp post request")
+
+	require.Equal(t, 200, rawResp.StatusCode)
+	require.Equal(t, ocspResponseContentType, rawResp.Header.Get("Content-Type"))
+	bodyReader := rawResp.Body
+	respDer, err := io.ReadAll(bodyReader)
+	bodyReader.Close()
+	require.NoError(t, err, "failed reading response body")
+
+	ocspResp, err := ocsp.ParseResponse(respDer, issuerCert)
+	require.NoError(t, err, "parsing ocsp get response")
+	return ocspResp
+}
+
+func requireCertMissingFromStorage(t *testing.T, client *api.Client, cert *x509.Certificate) {
+	serial := serialFromCert(cert)
+	requireSerialMissingFromStorage(t, client, serial)
+}
+
+func requireSerialMissingFromStorage(t *testing.T, client *api.Client, serial string) {
+	resp, err := client.Logical().ReadWithContext(context.Background(), "pki/cert/"+serial)
+	require.NoErrorf(t, err, "failed reading certificate with serial %s", serial)
+	require.Nilf(t, resp, "expected a nil response looking up serial %s got: %v", serial, resp)
+}
+
+func requireCertInStorage(t *testing.T, client *api.Client, cert *x509.Certificate) {
+	serial := serialFromCert(cert)
+	requireSerialInStorage(t, client, serial)
+}
+
+func requireSerialInStorage(t *testing.T, client *api.Client, serial string) {
+	resp, err := client.Logical().ReadWithContext(context.Background(), "pki/cert/"+serial)
+	require.NoErrorf(t, err, "failed reading certificate with serial %s", serial)
+	require.NotNilf(t, resp, "reading certificate returned a nil response for serial: %s", serial)
+	require.NotNilf(t, resp.Data, "reading certificate returned a nil data response for serial: %s", serial)
+	require.NotEmpty(t, resp.Data["certificate"], "certificate field was empty for serial: %s", serial)
+}
diff --git a/ui/tests/integration/components/kv/page/kv-page-secret-paths-test.js b/ui/tests/integration/components/kv/page/kv-page-secret-paths-test.js
index 342e7e90e6c2..c3499b8b6b0c 100644
--- a/ui/tests/integration/components/kv/page/kv-page-secret-paths-test.js
+++ b/ui/tests/integration/components/kv/page/kv-page-secret-paths-test.js
@@ -1,148 +1,1062 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: MPL-2.0
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import { setupEngine } from 'ember-engines/test-support';
-import { render } from '@ember/test-helpers';
-import { hbs } from 'ember-cli-htmlbars';
-import { PAGE } from 'vault/tests/helpers/kv/kv-selectors';
-/* eslint-disable no-useless-escape */
-
-module('Integration | Component | kv-v2 | Page::Secret::Paths', function (hooks) {
-  setupRenderingTest(hooks);
-  setupEngine(hooks, 'kv');
-
-  hooks.beforeEach(async function () {
-    this.backend = 'kv-engine';
-    this.path = 'my-secret';
-    this.breadcrumbs = [
-      { label: 'secrets', route: 'secrets', linkExternal: true },
-      { label: this.backend, route: 'list' },
-      { label: this.path },
-    ];
-
-    this.assertClipboard = (assert, element, expected) => {
-      assert.dom(element).hasAttribute('data-clipboard-text', expected);
-    };
-  });
-
-  test('it renders copyable paths', async function (assert) {
-    assert.expect(6);
-
-    const paths = [
-      { label: 'API path', expected: `/v1/${this.backend}/data/${this.path}` },
-      { label: 'CLI path', expected: `-mount="${this.backend}" "${this.path}"` },
-      { label: 'API path for metadata', expected: `/v1/${this.backend}/metadata/${this.path}` },
-    ];
-
-    await render(
-      hbs`
-<Page::Secret::Paths
-  @path={{this.path}}
-  @backend={{this.backend}}
-  @breadcrumbs={{this.breadcrumbs}}
-/>
-      `,
-      { owner: this.engine }
-    );
-
-    for (const path of paths) {
-      assert.dom(PAGE.infoRowValue(path.label)).hasText(path.expected);
-      this.assertClipboard(assert, PAGE.paths.copyButton(path.label), path.expected);
-    }
-  });
-
-  test('it renders copyable encoded mount and secret paths', async function (assert) {
-    assert.expect(6);
-    this.path = `my spacey!"secret`;
-    this.backend = `my fancy!"backend`;
-    const backend = encodeURIComponent(this.backend);
-    const path = encodeURIComponent(this.path);
-    const paths = [
-      {
-        label: 'API path',
-        expected: `/v1/${backend}/data/${path}`,
-      },
-      { label: 'CLI path', expected: `-mount="${this.backend}" "${this.path}"` },
-      {
-        label: 'API path for metadata',
-        expected: `/v1/${backend}/metadata/${path}`,
-      },
-    ];
-
-    await render(
-      hbs`
-<Page::Secret::Paths
-  @path={{this.path}}
-  @backend={{this.backend}}
-  @breadcrumbs={{this.breadcrumbs}}
-/>
-      `,
-      { owner: this.engine }
-    );
-
-    for (const path of paths) {
-      assert.dom(PAGE.infoRowValue(path.label)).hasText(path.expected);
-      this.assertClipboard(assert, PAGE.paths.copyButton(path.label), path.expected);
-    }
-  });
-
-  test('it renders copyable commands', async function (assert) {
-    assert.expect(4);
-    const url = `https://127.0.0.1:8200/v1/${this.backend}/data/${this.path}`;
-    const expected = {
-      cli: `vault kv get -mount="${this.backend}" "${this.path}"`,
-      apiDisplay: `curl \\ --header \"X-Vault-Token: ...\" \\ --request GET \\ ${url}`,
-      apiCopy: `curl  --header \"X-Vault-Token: ...\"  --request GET \ ${url}`,
-    };
-    await render(
-      hbs`
-<Page::Secret::Paths
-  @path={{this.path}}
-  @backend={{this.backend}}
-  @breadcrumbs={{this.breadcrumbs}}
-/>
-      `,
-      { owner: this.engine }
-    );
-
-    assert.dom(PAGE.paths.codeSnippet('cli')).hasText(expected.cli);
-    assert.dom(PAGE.paths.snippetCopy('cli')).hasAttribute('data-clipboard-text', expected.cli);
-    assert.dom(PAGE.paths.codeSnippet('api')).hasText(expected.apiDisplay);
-    assert.dom(PAGE.paths.snippetCopy('api')).hasAttribute('data-clipboard-text', expected.apiCopy);
-  });
-
-  test('it renders copyable encoded mount and path commands', async function (assert) {
-    assert.expect(4);
-    this.path = `my spacey!"secret`;
-    this.backend = `my fancy!"backend`;
-
-    const backend = encodeURIComponent(this.backend);
-    const path = encodeURIComponent(this.path);
-    const url = `https://127.0.0.1:8200/v1/${backend}/data/${path}`;
-
-    const expected = {
-      cli: `vault kv get -mount="${this.backend}" "${this.path}"`,
-      apiDisplay: `curl \\ --header \"X-Vault-Token: ...\" \\ --request GET \\ ${url}`,
-      apiCopy: `curl  --header \"X-Vault-Token: ...\"  --request GET \ ${url}`,
-    };
-    await render(
-      hbs`
-<Page::Secret::Paths
-  @path={{this.path}}
-  @backend={{this.backend}}
-  @breadcrumbs={{this.breadcrumbs}}
-/>
-      `,
-      { owner: this.engine }
-    );
-
-    assert.dom(PAGE.paths.codeSnippet('cli')).hasText(expected.cli);
-    assert.dom(PAGE.paths.snippetCopy('cli')).hasAttribute('data-clipboard-text', expected.cli);
-    assert.dom(PAGE.paths.codeSnippet('api')).hasText(expected.apiDisplay);
-    assert.dom(PAGE.paths.snippetCopy('api')).hasAttribute('data-clipboard-text', expected.apiCopy);
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package testhelpers
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"math/rand"
+	"net/url"
+	"os"
+	"strings"
+	"sync/atomic"
+	"time"
+
+	"github.com/armon/go-metrics"
+	raftlib "github.com/hashicorp/raft"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/helper/metricsutil"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/physical/raft"
+	"github.com/hashicorp/vault/sdk/helper/xor"
+	"github.com/hashicorp/vault/vault"
+	"github.com/mitchellh/go-testing-interface"
+)
+
+type GenerateRootKind int
+
+const (
+	GenerateRootRegular GenerateRootKind = iota
+	GenerateRootDR
+	GenerateRecovery
+)
+
+// GenerateRoot generates a root token on the target cluster.
+func GenerateRoot(t testing.T, cluster *vault.TestCluster, kind GenerateRootKind) string {
+	t.Helper()
+	token, err := GenerateRootWithError(t, cluster, kind)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return token
+}
+
+func GenerateRootWithError(t testing.T, cluster *vault.TestCluster, kind GenerateRootKind) (string, error) {
+	t.Helper()
+	// If recovery keys supported, use those to perform root token generation instead
+	var keys [][]byte
+	if cluster.Cores[0].SealAccess().RecoveryKeySupported() {
+		keys = cluster.RecoveryKeys
+	} else {
+		keys = cluster.BarrierKeys
+	}
+	client := cluster.Cores[0].Client
+	oldNS := client.Namespace()
+	defer client.SetNamespace(oldNS)
+	client.ClearNamespace()
+
+	var err error
+	var status *api.GenerateRootStatusResponse
+	switch kind {
+	case GenerateRootRegular:
+		status, err = client.Sys().GenerateRootInit("", "")
+	case GenerateRootDR:
+		status, err = client.Sys().GenerateDROperationTokenInit("", "")
+	case GenerateRecovery:
+		status, err = client.Sys().GenerateRecoveryOperationTokenInit("", "")
+	}
+	if err != nil {
+		return "", err
+	}
+
+	if status.Required > len(keys) {
+		return "", fmt.Errorf("need more keys than have, need %d have %d", status.Required, len(keys))
+	}
+
+	otp := status.OTP
+
+	for i, key := range keys {
+		if i >= status.Required {
+			break
+		}
+
+		strKey := base64.StdEncoding.EncodeToString(key)
+		switch kind {
+		case GenerateRootRegular:
+			status, err = client.Sys().GenerateRootUpdate(strKey, status.Nonce)
+		case GenerateRootDR:
+			status, err = client.Sys().GenerateDROperationTokenUpdate(strKey, status.Nonce)
+		case GenerateRecovery:
+			status, err = client.Sys().GenerateRecoveryOperationTokenUpdate(strKey, status.Nonce)
+		}
+		if err != nil {
+			return "", err
+		}
+	}
+	if !status.Complete {
+		return "", errors.New("generate root operation did not end successfully")
+	}
+
+	tokenBytes, err := base64.RawStdEncoding.DecodeString(status.EncodedToken)
+	if err != nil {
+		return "", err
+	}
+	tokenBytes, err = xor.XORBytes(tokenBytes, []byte(otp))
+	if err != nil {
+		return "", err
+	}
+	return string(tokenBytes), nil
+}
+
+// RandomWithPrefix is used to generate a unique name with a prefix, for
+// randomizing names in acceptance tests
+func RandomWithPrefix(name string) string {
+	return fmt.Sprintf("%s-%d", name, rand.New(rand.NewSource(time.Now().UnixNano())).Int())
+}
+
+func EnsureCoresSealed(t testing.T, c *vault.TestCluster) {
+	t.Helper()
+	for _, core := range c.Cores {
+		EnsureCoreSealed(t, core)
+	}
+}
+
+func EnsureCoreSealed(t testing.T, core *vault.TestClusterCore) {
+	t.Helper()
+	core.Seal(t)
+	timeout := time.Now().Add(60 * time.Second)
+	for {
+		if time.Now().After(timeout) {
+			t.Fatal("timeout waiting for core to seal")
+		}
+		if core.Core.Sealed() {
+			break
+		}
+		time.Sleep(250 * time.Millisecond)
+	}
+}
+
+func EnsureCoresUnsealed(t testing.T, c *vault.TestCluster) {
+	t.Helper()
+	for i, core := range c.Cores {
+		err := AttemptUnsealCore(c, core)
+		if err != nil {
+			t.Fatalf("failed to unseal core %d: %v", i, err)
+		}
+	}
+}
+
+func EnsureCoreUnsealed(t testing.T, c *vault.TestCluster, core *vault.TestClusterCore) {
+	t.Helper()
+	err := AttemptUnsealCore(c, core)
+	if err != nil {
+		t.Fatalf("failed to unseal core: %v", err)
+	}
+}
+
+func AttemptUnsealCores(c *vault.TestCluster) error {
+	for i, core := range c.Cores {
+		err := AttemptUnsealCore(c, core)
+		if err != nil {
+			return fmt.Errorf("failed to unseal core %d: %v", i, err)
+		}
+	}
+	return nil
+}
+
+func AttemptUnsealCore(c *vault.TestCluster, core *vault.TestClusterCore) error {
+	if !core.Sealed() {
+		return nil
+	}
+
+	core.SealAccess().ClearCaches(context.Background())
+	if err := core.UnsealWithStoredKeys(context.Background()); err != nil {
+		return err
+	}
+
+	client := core.Client
+	oldNS := client.Namespace()
+	defer client.SetNamespace(oldNS)
+	client.ClearNamespace()
+
+	client.Sys().ResetUnsealProcess()
+	for j := 0; j < len(c.BarrierKeys); j++ {
+		statusResp, err := client.Sys().Unseal(base64.StdEncoding.EncodeToString(c.BarrierKeys[j]))
+		if err != nil {
+			// Sometimes when we get here it's already unsealed on its own
+			// and then this fails for DR secondaries so check again
+			if core.Sealed() {
+				return err
+			} else {
+				return nil
+			}
+		}
+		if statusResp == nil {
+			return fmt.Errorf("nil status response during unseal")
+		}
+		if !statusResp.Sealed {
+			break
+		}
+	}
+	if core.Sealed() {
+		return fmt.Errorf("core is still sealed")
+	}
+	return nil
+}
+
+func EnsureStableActiveNode(t testing.T, cluster *vault.TestCluster) {
+	t.Helper()
+	deriveStableActiveCore(t, cluster)
+}
+
+func DeriveStableActiveCore(t testing.T, cluster *vault.TestCluster) *vault.TestClusterCore {
+	t.Helper()
+	return deriveStableActiveCore(t, cluster)
+}
+
+func deriveStableActiveCore(t testing.T, cluster *vault.TestCluster) *vault.TestClusterCore {
+	t.Helper()
+	activeCore := DeriveActiveCore(t, cluster)
+	minDuration := time.NewTimer(3 * time.Second)
+
+	for i := 0; i < 60; i++ {
+		leaderResp, err := activeCore.Client.Sys().Leader()
+		if err != nil {
+			t.Fatal(err)
+		}
+		if !leaderResp.IsSelf {
+			minDuration.Reset(3 * time.Second)
+		}
+		time.Sleep(200 * time.Millisecond)
+	}
+
+	select {
+	case <-minDuration.C:
+	default:
+		if stopped := minDuration.Stop(); stopped {
+			t.Fatal("unstable active node")
+		}
+		// Drain the value
+		<-minDuration.C
+	}
+
+	return activeCore
+}
+
+func DeriveActiveCore(t testing.T, cluster *vault.TestCluster) *vault.TestClusterCore {
+	t.Helper()
+	for i := 0; i < 60; i++ {
+		for _, core := range cluster.Cores {
+			oldNS := core.Client.Namespace()
+			core.Client.ClearNamespace()
+			leaderResp, err := core.Client.Sys().Leader()
+			core.Client.SetNamespace(oldNS)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if leaderResp.IsSelf {
+				return core
+			}
+		}
+		time.Sleep(1 * time.Second)
+	}
+	t.Fatal("could not derive the active core")
+	return nil
+}
+
+func DeriveStandbyCores(t testing.T, cluster *vault.TestCluster) []*vault.TestClusterCore {
+	t.Helper()
+	cores := make([]*vault.TestClusterCore, 0, 2)
+	for _, core := range cluster.Cores {
+		oldNS := core.Client.Namespace()
+		core.Client.ClearNamespace()
+		leaderResp, err := core.Client.Sys().Leader()
+		core.Client.SetNamespace(oldNS)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if !leaderResp.IsSelf {
+			cores = append(cores, core)
+		}
+	}
+
+	return cores
+}
+
+func WaitForNCoresUnsealed(t testing.T, cluster *vault.TestCluster, n int) {
+	t.Helper()
+	for i := 0; i < 30; i++ {
+		unsealed := 0
+		for _, core := range cluster.Cores {
+			if !core.Core.Sealed() {
+				unsealed++
+			}
+		}
+
+		if unsealed >= n {
+			return
+		}
+		time.Sleep(time.Second)
+	}
+
+	t.Fatalf("%d cores were not unsealed", n)
+}
+
+func SealCores(t testing.T, cluster *vault.TestCluster) {
+	t.Helper()
+	for _, core := range cluster.Cores {
+		if err := core.Shutdown(); err != nil {
+			t.Fatal(err)
+		}
+		timeout := time.Now().Add(3 * time.Second)
+		for {
+			if time.Now().After(timeout) {
+				t.Fatal("timeout waiting for core to seal")
+			}
+			if core.Sealed() {
+				break
+			}
+			time.Sleep(100 * time.Millisecond)
+		}
+	}
+}
+
+func WaitForNCoresSealed(t testing.T, cluster *vault.TestCluster, n int) {
+	t.Helper()
+	for i := 0; i < 60; i++ {
+		sealed := 0
+		for _, core := range cluster.Cores {
+			if core.Core.Sealed() {
+				sealed++
+			}
+		}
+
+		if sealed >= n {
+			return
+		}
+		time.Sleep(time.Second)
+	}
+
+	t.Fatalf("%d cores were not sealed", n)
+}
+
+func WaitForActiveNode(t testing.T, cluster *vault.TestCluster) *vault.TestClusterCore {
+	t.Helper()
+	for i := 0; i < 60; i++ {
+		for _, core := range cluster.Cores {
+			if standby, _ := core.Core.Standby(); !standby {
+				return core
+			}
+		}
+
+		time.Sleep(time.Second)
+	}
+
+	t.Fatalf("node did not become active")
+	return nil
+}
+
+func WaitForStandbyNode(t testing.T, core *vault.TestClusterCore) {
+	t.Helper()
+	for i := 0; i < 30; i++ {
+		if isLeader, _, clusterAddr, _ := core.Core.Leader(); isLeader != true && clusterAddr != "" {
+			return
+		}
+		if core.Core.ActiveNodeReplicationState() == 0 {
+			return
+		}
+
+		time.Sleep(time.Second)
+	}
+
+	t.Fatalf("node did not become standby")
+}
+
+func RekeyCluster(t testing.T, cluster *vault.TestCluster, recovery bool) [][]byte {
+	t.Helper()
+	cluster.Logger.Info("rekeying cluster", "recovery", recovery)
+	client := cluster.Cores[0].Client
+
+	initFunc := client.Sys().RekeyInit
+	if recovery {
+		initFunc = client.Sys().RekeyRecoveryKeyInit
+	}
+	init, err := initFunc(&api.RekeyInitRequest{
+		SecretShares:    5,
+		SecretThreshold: 3,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	var statusResp *api.RekeyUpdateResponse
+	keys := cluster.BarrierKeys
+	if cluster.Cores[0].Core.SealAccess().RecoveryKeySupported() {
+		keys = cluster.RecoveryKeys
+	}
+
+	updateFunc := client.Sys().RekeyUpdate
+	if recovery {
+		updateFunc = client.Sys().RekeyRecoveryKeyUpdate
+	}
+	for j := 0; j < len(keys); j++ {
+		statusResp, err = updateFunc(base64.StdEncoding.EncodeToString(keys[j]), init.Nonce)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if statusResp == nil {
+			t.Fatal("nil status response during unseal")
+		}
+		if statusResp.Complete {
+			break
+		}
+	}
+	cluster.Logger.Info("cluster rekeyed", "recovery", recovery)
+
+	if cluster.Cores[0].Core.SealAccess().RecoveryKeySupported() && !recovery {
+		return nil
+	}
+	if len(statusResp.KeysB64) != 5 {
+		t.Fatal("wrong number of keys")
+	}
+
+	newKeys := make([][]byte, 5)
+	for i, key := range statusResp.KeysB64 {
+		newKeys[i], err = base64.StdEncoding.DecodeString(key)
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+	return newKeys
+}
+
+// TestRaftServerAddressProvider is a ServerAddressProvider that uses the
+// ClusterAddr() of each node to provide raft addresses.
+//
+// Note that TestRaftServerAddressProvider should only be used in cases where
+// cores that are part of a raft configuration have already had
+// startClusterListener() called (via either unsealing or raft joining).
+type TestRaftServerAddressProvider struct {
+	Cluster *vault.TestCluster
+}
+
+func (p *TestRaftServerAddressProvider) ServerAddr(id raftlib.ServerID) (raftlib.ServerAddress, error) {
+	for _, core := range p.Cluster.Cores {
+		if core.NodeID == string(id) {
+			parsed, err := url.Parse(core.ClusterAddr())
+			if err != nil {
+				return "", err
+			}
+
+			return raftlib.ServerAddress(parsed.Host), nil
+		}
+	}
+
+	return "", errors.New("could not find cluster addr")
+}
+
+func RaftClusterJoinNodes(t testing.T, cluster *vault.TestCluster) {
+	addressProvider := &TestRaftServerAddressProvider{Cluster: cluster}
+
+	atomic.StoreUint32(&vault.TestingUpdateClusterAddr, 1)
+
+	leader := cluster.Cores[0]
+
+	// Seal the leader so we can install an address provider
+	{
+		EnsureCoreSealed(t, leader)
+		leader.UnderlyingRawStorage.(*raft.RaftBackend).SetServerAddressProvider(addressProvider)
+		cluster.UnsealCore(t, leader)
+		vault.TestWaitActive(t, leader.Core)
+	}
+
+	leaderInfos := []*raft.LeaderJoinInfo{
+		{
+			LeaderAPIAddr: leader.Client.Address(),
+			TLSConfig:     leader.TLSConfig(),
+		},
+	}
+
+	// Join followers
+	for i := 1; i < len(cluster.Cores); i++ {
+		core := cluster.Cores[i]
+		core.UnderlyingRawStorage.(*raft.RaftBackend).SetServerAddressProvider(addressProvider)
+		_, err := core.JoinRaftCluster(namespace.RootContext(context.Background()), leaderInfos, false)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		cluster.UnsealCore(t, core)
+	}
+
+	WaitForNCoresUnsealed(t, cluster, len(cluster.Cores))
+}
+
+// HardcodedServerAddressProvider is a ServerAddressProvider that uses
+// a hardcoded map of raft node addresses.
+//
+// It is useful in cases where the raft configuration is known ahead of time,
+// but some of the cores have not yet had startClusterListener() called (via
+// either unsealing or raft joining), and thus do not yet have a ClusterAddr()
+// assigned.
+type HardcodedServerAddressProvider struct {
+	Entries map[raftlib.ServerID]raftlib.ServerAddress
+}
+
+func (p *HardcodedServerAddressProvider) ServerAddr(id raftlib.ServerID) (raftlib.ServerAddress, error) {
+	if addr, ok := p.Entries[id]; ok {
+		return addr, nil
+	}
+	return "", errors.New("could not find cluster addr")
+}
+
+// NewHardcodedServerAddressProvider is a convenience function that makes a
+// ServerAddressProvider from a given cluster address base port.
+func NewHardcodedServerAddressProvider(numCores, baseClusterPort int) raftlib.ServerAddressProvider {
+	entries := make(map[raftlib.ServerID]raftlib.ServerAddress)
+
+	for i := 0; i < numCores; i++ {
+		id := fmt.Sprintf("core-%d", i)
+		addr := fmt.Sprintf("127.0.0.1:%d", baseClusterPort+i)
+		entries[raftlib.ServerID(id)] = raftlib.ServerAddress(addr)
+	}
+
+	return &HardcodedServerAddressProvider{
+		entries,
+	}
+}
+
+// VerifyRaftConfiguration checks that we have a valid raft configuration, i.e.
+// the correct number of servers, having the correct NodeIDs, and exactly one
+// leader.
+func VerifyRaftConfiguration(core *vault.TestClusterCore, numCores int) error {
+	backend := core.UnderlyingRawStorage.(*raft.RaftBackend)
+	ctx := namespace.RootContext(context.Background())
+	config, err := backend.GetConfiguration(ctx)
+	if err != nil {
+		return err
+	}
+
+	servers := config.Servers
+	if len(servers) != numCores {
+		return fmt.Errorf("Found %d servers, not %d", len(servers), numCores)
+	}
+
+	leaders := 0
+	for i, s := range servers {
+		if s.NodeID != fmt.Sprintf("core-%d", i) {
+			return fmt.Errorf("Found unexpected node ID %q", s.NodeID)
+		}
+		if s.Leader {
+			leaders++
+		}
+	}
+
+	if leaders != 1 {
+		return fmt.Errorf("Found %d leaders", leaders)
+	}
+
+	return nil
+}
+
+func RaftAppliedIndex(core *vault.TestClusterCore) uint64 {
+	return core.UnderlyingRawStorage.(*raft.RaftBackend).AppliedIndex()
+}
+
+func WaitForRaftApply(t testing.T, core *vault.TestClusterCore, index uint64) {
+	t.Helper()
+
+	backend := core.UnderlyingRawStorage.(*raft.RaftBackend)
+	for i := 0; i < 30; i++ {
+		if backend.AppliedIndex() >= index {
+			return
+		}
+
+		time.Sleep(time.Second)
+	}
+
+	t.Fatalf("node did not apply index")
+}
+
+// AwaitLeader waits for one of the cluster's nodes to become leader.
+func AwaitLeader(t testing.T, cluster *vault.TestCluster) (int, error) {
+	timeout := time.Now().Add(60 * time.Second)
+	for {
+		if time.Now().After(timeout) {
+			break
+		}
+
+		for i, core := range cluster.Cores {
+			if core.Core.Sealed() {
+				continue
+			}
+
+			isLeader, _, _, _ := core.Leader()
+			if isLeader {
+				return i, nil
+			}
+		}
+
+		time.Sleep(time.Second)
+	}
+
+	return 0, fmt.Errorf("timeout waiting leader")
+}
+
+func GenerateDebugLogs(t testing.T, client *api.Client) chan struct{} {
+	t.Helper()
+
+	stopCh := make(chan struct{})
+
+	go func() {
+		ticker := time.NewTicker(time.Second)
+		defer ticker.Stop()
+		for {
+			select {
+			case <-stopCh:
+				return
+			case <-ticker.C:
+				err := client.Sys().Mount("foo", &api.MountInput{
+					Type: "kv",
+					Options: map[string]string{
+						"version": "1",
+					},
+				})
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				err = client.Sys().Unmount("foo")
+				if err != nil {
+					t.Fatal(err)
+				}
+			}
+		}
+	}()
+
+	return stopCh
+}
+
+// VerifyRaftPeers verifies that the raft configuration contains a given set of peers.
+// The `expected` contains a map of expected peers. Existing entries are deleted
+// from the map by removing entries whose keys are in the raft configuration.
+// Remaining entries result in an error return so that the caller can poll for
+// an expected configuration.
+func VerifyRaftPeers(t testing.T, client *api.Client, expected map[string]bool) error {
+	t.Helper()
+
+	resp, err := client.Logical().Read("sys/storage/raft/configuration")
+	if err != nil {
+		t.Fatalf("error reading raft config: %v", err)
+	}
+
+	if resp == nil || resp.Data == nil {
+		t.Fatal("missing response data")
+	}
+
+	config, ok := resp.Data["config"].(map[string]interface{})
+	if !ok {
+		t.Fatal("missing config in response data")
+	}
+
+	servers, ok := config["servers"].([]interface{})
+	if !ok {
+		t.Fatal("missing servers in response data config")
+	}
+
+	// Iterate through the servers and remove the node found in the response
+	// from the expected collection
+	for _, s := range servers {
+		server := s.(map[string]interface{})
+		delete(expected, server["node_id"].(string))
+	}
+
+	// If the collection is non-empty, it means that the peer was not found in
+	// the response.
+	if len(expected) != 0 {
+		return fmt.Errorf("failed to read configuration successfully, expected peers not found in configuration list: %v", expected)
+	}
+
+	return nil
+}
+
+func TestMetricSinkProvider(gaugeInterval time.Duration) func(string) (*metricsutil.ClusterMetricSink, *metricsutil.MetricsHelper) {
+	return func(clusterName string) (*metricsutil.ClusterMetricSink, *metricsutil.MetricsHelper) {
+		inm := metrics.NewInmemSink(1000000*time.Hour, 2000000*time.Hour)
+		clusterSink := metricsutil.NewClusterMetricSink(clusterName, inm)
+		clusterSink.GaugeInterval = gaugeInterval
+		return clusterSink, metricsutil.NewMetricsHelper(inm, false)
+	}
+}
+
+func SysMetricsReq(client *api.Client, cluster *vault.TestCluster, unauth bool) (*SysMetricsJSON, error) {
+	r := client.NewRequest("GET", "/v1/sys/metrics")
+	if !unauth {
+		r.Headers.Set("X-Vault-Token", cluster.RootToken)
+	}
+	var data SysMetricsJSON
+	resp, err := client.RawRequestWithContext(context.Background(), r)
+	if err != nil {
+		return nil, err
+	}
+	bodyBytes, err := ioutil.ReadAll(resp.Response.Body)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	if err := json.Unmarshal(bodyBytes, &data); err != nil {
+		return nil, errors.New("failed to unmarshal:" + err.Error())
+	}
+	return &data, nil
+}
+
+type SysMetricsJSON struct {
+	Gauges   []gaugeJSON   `json:"Gauges"`
+	Counters []counterJSON `json:"Counters"`
+
+	// note: this is referred to as a "Summary" type in our telemetry docs, but
+	// the field name in the JSON is "Samples"
+	Summaries []summaryJSON `json:"Samples"`
+}
+
+type baseInfoJSON struct {
+	Name   string                 `json:"Name"`
+	Labels map[string]interface{} `json:"Labels"`
+}
+
+type gaugeJSON struct {
+	baseInfoJSON
+	Value int `json:"Value"`
+}
+
+type counterJSON struct {
+	baseInfoJSON
+	Count  int     `json:"Count"`
+	Rate   float64 `json:"Rate"`
+	Sum    int     `json:"Sum"`
+	Min    int     `json:"Min"`
+	Max    int     `json:"Max"`
+	Mean   float64 `json:"Mean"`
+	Stddev float64 `json:"Stddev"`
+}
+
+type summaryJSON struct {
+	baseInfoJSON
+	Count  int     `json:"Count"`
+	Rate   float64 `json:"Rate"`
+	Sum    float64 `json:"Sum"`
+	Min    float64 `json:"Min"`
+	Max    float64 `json:"Max"`
+	Mean   float64 `json:"Mean"`
+	Stddev float64 `json:"Stddev"`
+}
+
+// SetNonRootToken sets a token on :client: with a fairly generic policy.
+// This is useful if a test needs to examine differing behavior based on if a
+// root token is passed with the request.
+func SetNonRootToken(client *api.Client) error {
+	policy := `path "*" { capabilities = ["create", "update", "read"] }`
+	if err := client.Sys().PutPolicy("policy", policy); err != nil {
+		return fmt.Errorf("error putting policy: %v", err)
+	}
+
+	secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
+		Policies: []string{"policy"},
+		TTL:      "30m",
+	})
+	if err != nil {
+		return fmt.Errorf("error creating token secret: %v", err)
+	}
+
+	if secret == nil || secret.Auth == nil || secret.Auth.ClientToken == "" {
+		return fmt.Errorf("missing token auth data")
+	}
+
+	client.SetToken(secret.Auth.ClientToken)
+	return nil
+}
+
+// RetryUntilAtCadence runs f until it returns a nil result or the timeout is reached.
+// If a nil result hasn't been obtained by timeout, calls t.Fatal.
+func RetryUntilAtCadence(t testing.T, timeout, sleepTime time.Duration, f func() error) {
+	t.Helper()
+	deadline := time.Now().Add(timeout)
+	var err error
+	for time.Now().Before(deadline) {
+		if err = f(); err == nil {
+			return
+		}
+		time.Sleep(sleepTime)
+	}
+	t.Fatalf("did not complete before deadline, err: %v", err)
+}
+
+// RetryUntil runs f until it returns a nil result or the timeout is reached.
+// If a nil result hasn't been obtained by timeout, calls t.Fatal.
+func RetryUntil(t testing.T, timeout time.Duration, f func() error) {
+	t.Helper()
+	deadline := time.Now().Add(timeout)
+	var err error
+	for time.Now().Before(deadline) {
+		if err = f(); err == nil {
+			return
+		}
+		time.Sleep(100 * time.Millisecond)
+	}
+	t.Fatalf("did not complete before deadline, err: %v", err)
+}
+
+// CreateEntityAndAlias clones an existing client and creates an entity/alias, uses userpass mount path
+// It returns the cloned client, entityID, and aliasID.
+func CreateEntityAndAlias(t testing.T, client *api.Client, mountAccessor, entityName, aliasName string) (*api.Client, string, string) {
+	return CreateEntityAndAliasWithinMount(t, client, mountAccessor, "userpass", entityName, aliasName)
+}
+
+// CreateEntityAndAliasWithinMount clones an existing client and creates an entity/alias, within the specified mountPath
+// It returns the cloned client, entityID, and aliasID.
+func CreateEntityAndAliasWithinMount(t testing.T, client *api.Client, mountAccessor, mountPath, entityName, aliasName string) (*api.Client, string, string) {
+	t.Helper()
+	userClient, err := client.Clone()
+	if err != nil {
+		t.Fatalf("failed to clone the client:%v", err)
+	}
+	userClient.SetToken(client.Token())
+
+	resp, err := client.Logical().WriteWithContext(context.Background(), "identity/entity", map[string]interface{}{
+		"name": entityName,
+	})
+	if err != nil {
+		t.Fatalf("failed to create an entity:%v", err)
+	}
+	entityID := resp.Data["id"].(string)
+
+	aliasResp, err := client.Logical().WriteWithContext(context.Background(), "identity/entity-alias", map[string]interface{}{
+		"name":           aliasName,
+		"canonical_id":   entityID,
+		"mount_accessor": mountAccessor,
+	})
+	if err != nil {
+		t.Fatalf("failed to create an entity alias:%v", err)
+	}
+	aliasID := aliasResp.Data["id"].(string)
+	if aliasID == "" {
+		t.Fatal("Alias ID not present in response")
+	}
+	path := fmt.Sprintf("auth/%s/users/%s", mountPath, aliasName)
+	_, err = client.Logical().WriteWithContext(context.Background(), path, map[string]interface{}{
+		"password": "testpassword",
+	})
+	if err != nil {
+		t.Fatalf("failed to configure userpass backend: %v", err)
+	}
+
+	return userClient, entityID, aliasID
+}
+
+// SetupTOTPMount enables the totp secrets engine by mounting it. This requires
+// that the test cluster has a totp backend available.
+func SetupTOTPMount(t testing.T, client *api.Client) {
+	t.Helper()
+	// Mount the TOTP backend
+	mountInfo := &api.MountInput{
+		Type: "totp",
+	}
+	if err := client.Sys().Mount("totp", mountInfo); err != nil {
+		t.Fatalf("failed to mount totp backend: %v", err)
+	}
+}
+
+// SetupTOTPMethod configures the TOTP secrets engine with a provided config map.
+func SetupTOTPMethod(t testing.T, client *api.Client, config map[string]interface{}) string {
+	t.Helper()
+
+	resp1, err := client.Logical().Write("identity/mfa/method/totp", config)
+
+	if err != nil || (resp1 == nil) {
+		t.Fatalf("bad: resp: %#v\n err: %v", resp1, err)
+	}
+
+	methodID := resp1.Data["method_id"].(string)
+	if methodID == "" {
+		t.Fatalf("method ID is empty")
+	}
+
+	return methodID
+}
+
+// SetupMFALoginEnforcement configures a single enforcement method using the
+// provided config map. "name" field is required in the config map.
+func SetupMFALoginEnforcement(t testing.T, client *api.Client, config map[string]interface{}) {
+	t.Helper()
+	enfName, ok := config["name"]
+	if !ok {
+		t.Fatalf("couldn't find name in login-enforcement config")
+	}
+	_, err := client.Logical().WriteWithContext(context.Background(), fmt.Sprintf("identity/mfa/login-enforcement/%s", enfName), config)
+	if err != nil {
+		t.Fatalf("failed to configure MFAEnforcementConfig: %v", err)
+	}
+}
+
+// SetupUserpassMountAccessor sets up userpass auth and returns its mount
+// accessor. This requires that the test cluster has a "userpass" auth method
+// available.
+func SetupUserpassMountAccessor(t testing.T, client *api.Client) string {
+	t.Helper()
+	// Enable Userpass authentication
+	err := client.Sys().EnableAuthWithOptions("userpass", &api.EnableAuthOptions{
+		Type: "userpass",
+	})
+	if err != nil {
+		t.Fatalf("failed to enable userpass auth: %v", err)
+	}
+
+	auths, err := client.Sys().ListAuthWithContext(context.Background())
+	if err != nil {
+		t.Fatalf("failed to list auth methods: %v", err)
+	}
+	if auths == nil || auths["userpass/"] == nil {
+		t.Fatalf("failed to get userpass mount accessor")
+	}
+
+	return auths["userpass/"].Accessor
+}
+
+// RegisterEntityInTOTPEngine registers an entity with a methodID and returns
+// the generated name.
+func RegisterEntityInTOTPEngine(t testing.T, client *api.Client, entityID, methodID string) string {
+	t.Helper()
+	totpGenName := fmt.Sprintf("%s-%s", entityID, methodID)
+	secret, err := client.Logical().WriteWithContext(context.Background(), "identity/mfa/method/totp/admin-generate", map[string]interface{}{
+		"entity_id": entityID,
+		"method_id": methodID,
+	})
+	if err != nil {
+		t.Fatalf("failed to generate a TOTP secret on an entity: %v", err)
+	}
+	totpURL := secret.Data["url"].(string)
+	if totpURL == "" {
+		t.Fatalf("failed to get TOTP url in secret response: %+v", secret)
+	}
+	_, err = client.Logical().WriteWithContext(context.Background(), fmt.Sprintf("totp/keys/%s", totpGenName), map[string]interface{}{
+		"url": totpURL,
+	})
+	if err != nil {
+		t.Fatalf("failed to register a TOTP URL: %v", err)
+	}
+	enfPath := fmt.Sprintf("identity/mfa/login-enforcement/%s", methodID[0:4])
+	_, err = client.Logical().WriteWithContext(context.Background(), enfPath, map[string]interface{}{
+		"name":                methodID[0:4],
+		"identity_entity_ids": []string{entityID},
+		"mfa_method_ids":      []string{methodID},
+	})
+	if err != nil {
+		t.Fatalf("failed to create login enforcement")
+	}
+
+	return totpGenName
+}
+
+// GetTOTPCodeFromEngine requests a TOTP code from the specified enginePath.
+func GetTOTPCodeFromEngine(t testing.T, client *api.Client, enginePath string) string {
+	t.Helper()
+	totpPath := fmt.Sprintf("totp/code/%s", enginePath)
+	secret, err := client.Logical().ReadWithContext(context.Background(), totpPath)
+	if err != nil {
+		t.Fatalf("failed to create totp passcode: %v", err)
+	}
+	if secret == nil || secret.Data == nil {
+		t.Fatalf("bad secret returned from %s", totpPath)
+	}
+	return secret.Data["code"].(string)
+}
+
+// SetupLoginMFATOTP setups up a TOTP MFA using some basic configuration and
+// returns all relevant information to the client.
+func SetupLoginMFATOTP(t testing.T, client *api.Client, methodName string, waitPeriod int) (*api.Client, string, string) {
+	t.Helper()
+	// Mount the totp secrets engine
+	SetupTOTPMount(t, client)
+
+	// Create a mount accessor to associate with an entity
+	mountAccessor := SetupUserpassMountAccessor(t, client)
+
+	// Create a test entity and alias
+	entityClient, entityID, _ := CreateEntityAndAlias(t, client, mountAccessor, "entity1", "testuser1")
+
+	// Configure a default TOTP method
+	totpConfig := map[string]interface{}{
+		"issuer":                  "yCorp",
+		"period":                  waitPeriod,
+		"algorithm":               "SHA256",
+		"digits":                  6,
+		"skew":                    1,
+		"key_size":                20,
+		"qr_size":                 200,
+		"max_validation_attempts": 5,
+		"method_name":             methodName,
+	}
+	methodID := SetupTOTPMethod(t, client, totpConfig)
+
+	// Configure a default login enforcement
+	enforcementConfig := map[string]interface{}{
+		"auth_method_types": []string{"userpass"},
+		"name":              methodID[0:4],
+		"mfa_method_ids":    []string{methodID},
+	}
+
+	SetupMFALoginEnforcement(t, client, enforcementConfig)
+	return entityClient, entityID, methodID
+}
+
+func SkipUnlessEnvVarsSet(t testing.T, envVars []string) {
+	t.Helper()
+
+	for _, i := range envVars {
+		if os.Getenv(i) == "" {
+			t.Skipf("%s must be set for this test to run", strings.Join(envVars, " "))
+		}
+	}
+}
+
+// WaitForNodesExcludingSelectedStandbys is variation on WaitForActiveNodeAndStandbys.
+// It waits for the active node before waiting for standby nodes, however
+// it will not wait for cores with indexes that match those specified as arguments.
+// Whilst you could specify index 0 which is likely to be the leader node, the function
+// checks for the leader first regardless of the indexes to skip, so it would be redundant to do so.
+// The intention/use case for this function is to allow a cluster to start and become active with one
+// or more nodes not joined, so that we can test scenarios where a node joins later.
+// e.g. 4 nodes in the cluster, only 3 nodes in cluster 'active', 1 node can be joined later in tests.
+func WaitForNodesExcludingSelectedStandbys(t testing.T, cluster *vault.TestCluster, indexesToSkip ...int) {
+	WaitForActiveNode(t, cluster)
+
+	contains := func(elems []int, e int) bool {
+		for _, v := range elems {
+			if v == e {
+				return true
+			}
+		}
+
+		return false
+	}
+	for i, core := range cluster.Cores {
+		if contains(indexesToSkip, i) {
+			continue
+		}
+
+		if standby, _ := core.Core.Standby(); standby {
+			WaitForStandbyNode(t, core)
+		}
+	}
+}
+
+// IsLocalOrRegressionTests returns true when the tests are running locally (not in CI), or when
+// the regression test env var (VAULT_REGRESSION_TESTS) is provided.
+func IsLocalOrRegressionTests() bool {
+	return os.Getenv("CI") == "" || os.Getenv("VAULT_REGRESSION_TESTS") == "true"
+}
diff --git a/ui/tests/integration/components/ldap/page/configure-test.js b/ui/tests/integration/components/ldap/page/configure-test.js
index f81ad8b491bd..ec3088e5b994 100644
--- a/ui/tests/integration/components/ldap/page/configure-test.js
+++ b/ui/tests/integration/components/ldap/page/configure-test.js
@@ -1,147 +1,2334 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: MPL-2.0
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import { setupEngine } from 'ember-engines/test-support';
-import { setupMirage } from 'ember-cli-mirage/test-support';
-import { render, click, fillIn } from '@ember/test-helpers';
-import hbs from 'htmlbars-inline-precompile';
-import { Response } from 'miragejs';
-import sinon from 'sinon';
-import { generateBreadcrumbs } from 'vault/tests/helpers/ldap';
-
-const selectors = {
-  radioCard: '[data-test-radio-card="OpenLDAP"]',
-  save: '[data-test-config-save]',
-  binddn: '[data-test-field="binddn"] input',
-  bindpass: '[data-test-field="bindpass"] input',
-};
-
-module('Integration | Component | ldap | Page::Configure', function (hooks) {
-  setupRenderingTest(hooks);
-  setupEngine(hooks, 'ldap');
-  setupMirage(hooks);
-
-  const fillAndSubmit = async (rotate) => {
-    await click(selectors.radioCard);
-    await fillIn(selectors.binddn, 'foo');
-    await fillIn(selectors.bindpass, 'bar');
-    await click(selectors.save);
-    await click(`[data-test-save-${rotate}-rotate]`);
-  };
-
-  hooks.beforeEach(function () {
-    this.store = this.owner.lookup('service:store');
-    this.newModel = this.store.createRecord('ldap/config', { backend: 'ldap-new' });
-    this.existingConfig = {
-      schema: 'openldap',
-      binddn: 'cn=vault,ou=Users,dc=hashicorp,dc=com',
-      bindpass: 'foobar',
-    };
-    this.store.pushPayload('ldap/config', {
-      modelName: 'ldap/config',
-      backend: 'ldap-edit',
-      ...this.existingConfig,
-    });
-    this.editModel = this.store.peekRecord('ldap/config', 'ldap-edit');
-    this.breadcrumbs = generateBreadcrumbs('ldap', 'configure');
-    this.model = this.newModel; // most of the tests use newModel but set this to editModel when needed
-    this.renderComponent = () => {
-      return render(hbs`<Page::Configure @model={{this.model}} @breadcrumbs={{this.breadcrumbs}} />`, {
-        owner: this.engine,
-      });
-    };
-    this.transitionStub = sinon.stub(this.owner.lookup('service:router'), 'transitionTo');
-  });
-
-  test('it should render empty state when schema is not selected', async function (assert) {
-    await this.renderComponent();
-
-    assert.dom('[data-test-empty-state-title]').hasText('Choose an option', 'Empty state title renders');
-    assert
-      .dom('[data-test-empty-state-message]')
-      .hasText('Pick an option above to see available configuration options', 'Empty state title renders');
-    assert.dom(selectors.save).isDisabled('Save button is disabled when schema is not selected');
-
-    await click(selectors.radioCard);
-    assert
-      .dom('[data-test-component="empty-state"]')
-      .doesNotExist('Empty state is hidden when schema is selected');
-  });
-
-  test('it should render validation messages for invalid form', async function (assert) {
-    await this.renderComponent();
-
-    await click(selectors.radioCard);
-    await click(selectors.save);
-
-    assert
-      .dom('[data-test-field="binddn"] [data-test-inline-error-message]')
-      .hasText('Administrator distinguished name is required.', 'Validation message renders for binddn');
-    assert
-      .dom('[data-test-field="bindpass"] [data-test-inline-error-message]')
-      .hasText('Administrator password is required.', 'Validation message renders for bindpass');
-    assert
-      .dom('[data-test-invalid-form-message] p')
-      .hasText('There are 2 errors with this form.', 'Invalid form message renders');
-  });
-
-  test('it should save new configuration without rotating root password', async function (assert) {
-    assert.expect(2);
-
-    this.server.post('/ldap-new/config', () => {
-      assert.ok(true, 'POST request made to save config');
-      return new Response(204, {});
-    });
-
-    await this.renderComponent();
-    await fillAndSubmit('without');
-
-    assert.ok(
-      this.transitionStub.calledWith('vault.cluster.secrets.backend.ldap.configuration'),
-      'Transitions to configuration route on save success'
-    );
-  });
-
-  test('it should save new configuration and rotate root password', async function (assert) {
-    assert.expect(3);
-
-    this.server.post('/ldap-new/config', () => {
-      assert.ok(true, 'POST request made to save config');
-      return new Response(204, {});
-    });
-    this.server.post('/ldap-new/rotate-root', () => {
-      assert.ok(true, 'POST request made to rotate root password');
-      return new Response(204, {});
-    });
-
-    await this.renderComponent();
-    await fillAndSubmit('with');
-
-    assert.ok(
-      this.transitionStub.calledWith('vault.cluster.secrets.backend.ldap.configuration'),
-      'Transitions to configuration route on save success'
-    );
-  });
-
-  test('it should populate fields when editing form', async function (assert) {
-    this.model = this.editModel;
-
-    await this.renderComponent();
-
-    assert.dom(selectors.radioCard).isChecked('Correct radio card is checked for schema value');
-    assert.dom(selectors.binddn).hasValue(this.existingConfig.binddn, 'binddn value renders');
-
-    await fillIn(selectors.binddn, 'foobar');
-    await click('[data-test-config-cancel]');
-
-    assert.strictEqual(this.model.binddn, this.existingConfig.binddn, 'Model is rolled back on cancel');
-    assert.ok(
-      this.transitionStub.calledWith('vault.cluster.secrets.backend.ldap.configuration'),
-      'Transitions to configuration route on save success'
-    );
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package vault
+
+import (
+	"bytes"
+	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/sha256"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/base64"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"math/big"
+	mathrand "math/rand"
+	"net"
+	"net/http"
+	"os"
+	"path/filepath"
+	"reflect"
+	"runtime"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/armon/go-metrics"
+	"github.com/hashicorp/go-cleanhttp"
+	log "github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/go-secure-stdlib/reloadutil"
+	raftlib "github.com/hashicorp/raft"
+	kv "github.com/hashicorp/vault-plugin-secrets-kv"
+	"github.com/mitchellh/copystructure"
+	"github.com/mitchellh/go-testing-interface"
+	"golang.org/x/crypto/ed25519"
+	"golang.org/x/net/http2"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/audit"
+	auditFile "github.com/hashicorp/vault/builtin/audit/file"
+	"github.com/hashicorp/vault/command/server"
+	"github.com/hashicorp/vault/helper/constants"
+	"github.com/hashicorp/vault/helper/metricsutil"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
+	"github.com/hashicorp/vault/helper/testhelpers/pluginhelpers"
+	"github.com/hashicorp/vault/internalshared/configutil"
+	v5 "github.com/hashicorp/vault/sdk/database/dbplugin/v5"
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/helper/logging"
+	"github.com/hashicorp/vault/sdk/helper/pluginutil"
+	"github.com/hashicorp/vault/sdk/helper/testcluster"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/sdk/physical"
+	physInmem "github.com/hashicorp/vault/sdk/physical/inmem"
+	backendplugin "github.com/hashicorp/vault/sdk/plugin"
+	"github.com/hashicorp/vault/vault/cluster"
+	"github.com/hashicorp/vault/vault/seal"
+)
+
+// This file contains a number of methods that are useful for unit
+// tests within other packages.
+
+const (
+	testSharedPublicKey = `
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9i+hFxZHGo6KblVme4zrAcJstR6I0PTJozW286X4WyvPnkMYDQ5mnhEYC7UWCvjoTWbPEXPX7NjhRtwQTGD67bV+lrxgfyzK1JZbUXK4PwgKJvQD+XyyWYMzDgGSQY61KUSqCxymSm/9NZkPU3ElaQ9xQuTzPpztM4ROfb8f2Yv6/ZESZsTo0MTAkp8Pcy+WkioI/uJ1H7zqs0EA4OMY4aDJRu0UtP4rTVeYNEAuRXdX+eH4aW3KMvhzpFTjMbaJHJXlEeUm2SaX5TNQyTOvghCeQILfYIL/Ca2ij8iwCmulwdV6eQGfd4VDu40PvSnmfoaE38o6HaPnX0kUcnKiT
+`
+	testSharedPrivateKey = `
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAvYvoRcWRxqOim5VZnuM6wHCbLUeiND0yaM1tvOl+Fsrz55DG
+A0OZp4RGAu1Fgr46E1mzxFz1+zY4UbcEExg+u21fpa8YH8sytSWW1FyuD8ICib0A
+/l8slmDMw4BkkGOtSlEqgscpkpv/TWZD1NxJWkPcULk8z6c7TOETn2/H9mL+v2RE
+mbE6NDEwJKfD3MvlpIqCP7idR+86rNBAODjGOGgyUbtFLT+K01XmDRALkV3V/nh+
+GltyjL4c6RU4zG2iRyV5RHlJtkml+UzUMkzr4IQnkCC32CC/wmtoo/IsAprpcHVe
+nkBn3eFQ7uND70p5n6GhN/KOh2j519JFHJyokwIDAQABAoIBAHX7VOvBC3kCN9/x
++aPdup84OE7Z7MvpX6w+WlUhXVugnmsAAVDczhKoUc/WktLLx2huCGhsmKvyVuH+
+MioUiE+vx75gm3qGx5xbtmOfALVMRLopjCnJYf6EaFA0ZeQ+NwowNW7Lu0PHmAU8
+Z3JiX8IwxTz14DU82buDyewO7v+cEr97AnERe3PUcSTDoUXNaoNxjNpEJkKREY6h
+4hAY676RT/GsRcQ8tqe/rnCqPHNd7JGqL+207FK4tJw7daoBjQyijWuB7K5chSal
+oPInylM6b13ASXuOAOT/2uSUBWmFVCZPDCmnZxy2SdnJGbsJAMl7Ma3MUlaGvVI+
+Tfh1aQkCgYEA4JlNOabTb3z42wz6mz+Nz3JRwbawD+PJXOk5JsSnV7DtPtfgkK9y
+6FTQdhnozGWShAvJvc+C4QAihs9AlHXoaBY5bEU7R/8UK/pSqwzam+MmxmhVDV7G
+IMQPV0FteoXTaJSikhZ88mETTegI2mik+zleBpVxvfdhE5TR+lq8Br0CgYEA2AwJ
+CUD5CYUSj09PluR0HHqamWOrJkKPFPwa+5eiTTCzfBBxImYZh7nXnWuoviXC0sg2
+AuvCW+uZ48ygv/D8gcz3j1JfbErKZJuV+TotK9rRtNIF5Ub7qysP7UjyI7zCssVM
+kuDd9LfRXaB/qGAHNkcDA8NxmHW3gpln4CFdSY8CgYANs4xwfercHEWaJ1qKagAe
+rZyrMpffAEhicJ/Z65lB0jtG4CiE6w8ZeUMWUVJQVcnwYD+4YpZbX4S7sJ0B8Ydy
+AhkSr86D/92dKTIt2STk6aCN7gNyQ1vW198PtaAWH1/cO2UHgHOy3ZUt5X/Uwxl9
+cex4flln+1Viumts2GgsCQKBgCJH7psgSyPekK5auFdKEr5+Gc/jB8I/Z3K9+g4X
+5nH3G1PBTCJYLw7hRzw8W/8oALzvddqKzEFHphiGXK94Lqjt/A4q1OdbCrhiE68D
+My21P/dAKB1UYRSs9Y8CNyHCjuZM9jSMJ8vv6vG/SOJPsnVDWVAckAbQDvlTHC9t
+O98zAoGAcbW6uFDkrv0XMCpB9Su3KaNXOR0wzag+WIFQRXCcoTvxVi9iYfUReQPi
+oOyBJU/HMVvBfv4g+OVFLVgSwwm6owwsouZ0+D/LasbuHqYyqYqdyPJQYzWA2Y+F
++B6f4RoPdSXj24JHPg/ioRxjaj094UXJxua2yfkcecGNEuBQHSs=
+-----END RSA PRIVATE KEY-----
+`
+)
+
+// TestCore returns a pure in-memory, uninitialized core for testing.
+func TestCore(t testing.T) *Core {
+	return TestCoreWithSeal(t, nil, false)
+}
+
+// TestCoreRaw returns a pure in-memory, uninitialized core for testing. The raw
+// storage endpoints are enabled with this core.
+func TestCoreRaw(t testing.T) *Core {
+	return TestCoreWithSeal(t, nil, true)
+}
+
+// TestCoreNewSeal returns a pure in-memory, uninitialized core with
+// the new seal configuration.
+func TestCoreNewSeal(t testing.T) *Core {
+	seal := NewTestSeal(t, nil)
+	return TestCoreWithSeal(t, seal, false)
+}
+
+// TestCoreWithConfig returns a pure in-memory, uninitialized core with the
+// specified core configurations overridden for testing.
+func TestCoreWithConfig(t testing.T, conf *CoreConfig) *Core {
+	return TestCoreWithSealAndUI(t, conf)
+}
+
+// TestCoreWithSeal returns a pure in-memory, uninitialized core with the
+// specified seal for testing.
+func TestCoreWithSeal(t testing.T, testSeal Seal, enableRaw bool) *Core {
+	conf := &CoreConfig{
+		Seal:            testSeal,
+		EnableUI:        false,
+		EnableRaw:       enableRaw,
+		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
+		AuditBackends: map[string]audit.Factory{
+			"file": auditFile.Factory,
+		},
+	}
+	return TestCoreWithSealAndUI(t, conf)
+}
+
+func TestCoreWithDeadlockDetection(t testing.T, testSeal Seal, enableRaw bool) *Core {
+	conf := &CoreConfig{
+		Seal:            testSeal,
+		EnableUI:        false,
+		EnableRaw:       enableRaw,
+		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
+		AuditBackends: map[string]audit.Factory{
+			"file": auditFile.Factory,
+		},
+		DetectDeadlocks: "expiration,quotas,statelock",
+	}
+	return TestCoreWithSealAndUI(t, conf)
+}
+
+func TestCoreWithCustomResponseHeaderAndUI(t testing.T, CustomResponseHeaders map[string]map[string]string, enableUI bool) (*Core, [][]byte, string) {
+	confRaw := &server.Config{
+		SharedConfig: &configutil.SharedConfig{
+			Listeners: []*configutil.Listener{
+				{
+					Type:                  "tcp",
+					Address:               "127.0.0.1",
+					CustomResponseHeaders: CustomResponseHeaders,
+				},
+			},
+			DisableMlock: true,
+		},
+	}
+	conf := &CoreConfig{
+		RawConfig:       confRaw,
+		EnableUI:        enableUI,
+		EnableRaw:       true,
+		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
+	}
+	core := TestCoreWithSealAndUI(t, conf)
+	return testCoreUnsealed(t, core)
+}
+
+func TestCoreUI(t testing.T, enableUI bool) *Core {
+	conf := &CoreConfig{
+		EnableUI:        enableUI,
+		EnableRaw:       true,
+		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
+	}
+	return TestCoreWithSealAndUI(t, conf)
+}
+
+func TestCoreWithSealAndUI(t testing.T, opts *CoreConfig) *Core {
+	c := TestCoreWithSealAndUINoCleanup(t, opts)
+
+	t.Cleanup(func() {
+		defer func() {
+			if r := recover(); r != nil {
+				t.Log("panic closing core during cleanup", "panic", r)
+			}
+		}()
+		err := c.ShutdownWait()
+		if err != nil {
+			t.Logf("shutdown returned error: %v", err)
+		}
+		if tl, ok := c.Logger().(*corehelpers.TestLogger); ok {
+			tl.StopLogging()
+		}
+	})
+	return c
+}
+
+func TestCoreWithSealAndUINoCleanup(t testing.T, opts *CoreConfig) *Core {
+	logger := corehelpers.NewTestLogger(t)
+	physicalBackend, err := physInmem.NewInmem(nil, logger)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	errInjector := physical.NewErrorInjector(physicalBackend, 0, logger)
+
+	// Start off with base test core config
+	conf := testCoreConfig(t, errInjector, logger)
+
+	// Override config values with ones that gets passed in
+	conf.EnableUI = opts.EnableUI
+	conf.EnableRaw = opts.EnableRaw
+	conf.EnableIntrospection = opts.EnableIntrospection
+	conf.Seal = opts.Seal
+	conf.LicensingConfig = opts.LicensingConfig
+	conf.DisableKeyEncodingChecks = opts.DisableKeyEncodingChecks
+	conf.MetricsHelper = opts.MetricsHelper
+	conf.MetricSink = opts.MetricSink
+	conf.NumExpirationWorkers = numExpirationWorkersTest
+	conf.RawConfig = opts.RawConfig
+	conf.EnableResponseHeaderHostname = opts.EnableResponseHeaderHostname
+	conf.DisableSSCTokens = opts.DisableSSCTokens
+	conf.PluginDirectory = opts.PluginDirectory
+	conf.DetectDeadlocks = opts.DetectDeadlocks
+	conf.Experiments = opts.Experiments
+	conf.CensusAgent = opts.CensusAgent
+	conf.AdministrativeNamespacePath = opts.AdministrativeNamespacePath
+	conf.ImpreciseLeaseRoleTracking = opts.ImpreciseLeaseRoleTracking
+
+	if opts.Logger != nil {
+		conf.Logger = opts.Logger
+	}
+
+	if opts.RedirectAddr != "" {
+		conf.RedirectAddr = opts.RedirectAddr
+	}
+
+	for k, v := range opts.LogicalBackends {
+		conf.LogicalBackends[k] = v
+	}
+	for k, v := range opts.CredentialBackends {
+		conf.CredentialBackends[k] = v
+	}
+
+	for k, v := range opts.AuditBackends {
+		conf.AuditBackends[k] = v
+	}
+	if opts.RollbackPeriod != time.Duration(0) {
+		conf.RollbackPeriod = opts.RollbackPeriod
+	}
+	if opts.NumRollbackWorkers != 0 {
+		conf.NumRollbackWorkers = opts.NumRollbackWorkers
+	}
+
+	conf.ActivityLogConfig = opts.ActivityLogConfig
+	testApplyEntBaseConfig(conf, opts)
+
+	c, err := NewCore(conf)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	return c
+}
+
+func testCoreConfig(t testing.T, physicalBackend physical.Backend, logger log.Logger) *CoreConfig {
+	t.Helper()
+	noopAudits := map[string]audit.Factory{
+		"noop": corehelpers.NoopAuditFactory(nil),
+	}
+
+	noopBackends := make(map[string]logical.Factory)
+	noopBackends["noop"] = func(ctx context.Context, config *logical.BackendConfig) (logical.Backend, error) {
+		b := new(framework.Backend)
+		b.Setup(ctx, config)
+		b.BackendType = logical.TypeCredential
+		return b, nil
+	}
+	noopBackends["http"] = func(ctx context.Context, config *logical.BackendConfig) (logical.Backend, error) {
+		return new(rawHTTP), nil
+	}
+
+	credentialBackends := make(map[string]logical.Factory)
+	for backendName, backendFactory := range noopBackends {
+		credentialBackends[backendName] = backendFactory
+	}
+	for backendName, backendFactory := range testCredentialBackends {
+		credentialBackends[backendName] = backendFactory
+	}
+
+	logicalBackends := make(map[string]logical.Factory)
+	for backendName, backendFactory := range noopBackends {
+		logicalBackends[backendName] = backendFactory
+	}
+
+	logicalBackends["kv"] = kv.Factory
+	for backendName, backendFactory := range testLogicalBackends {
+		logicalBackends[backendName] = backendFactory
+	}
+
+	conf := &CoreConfig{
+		Physical:           physicalBackend,
+		AuditBackends:      noopAudits,
+		LogicalBackends:    logicalBackends,
+		CredentialBackends: credentialBackends,
+		DisableMlock:       true,
+		Logger:             logger,
+		NumRollbackWorkers: 10,
+		BuiltinRegistry:    corehelpers.NewMockBuiltinRegistry(),
+	}
+
+	return conf
+}
+
+// TestCoreInit initializes the core with a single key, and returns
+// the key that must be used to unseal the core and a root token.
+func TestCoreInit(t testing.T, core *Core) ([][]byte, string) {
+	t.Helper()
+	secretShares, _, root := TestCoreInitClusterWrapperSetup(t, core, nil)
+	return secretShares, root
+}
+
+func TestCoreInitClusterWrapperSetup(t testing.T, core *Core, handler http.Handler) ([][]byte, [][]byte, string) {
+	t.Helper()
+	core.SetClusterHandler(handler)
+
+	barrierConfig := &SealConfig{
+		SecretShares:    3,
+		SecretThreshold: 3,
+	}
+
+	switch core.seal.StoredKeysSupported() {
+	case seal.StoredKeysNotSupported:
+		barrierConfig.StoredShares = 0
+	default:
+		barrierConfig.StoredShares = 1
+	}
+
+	recoveryConfig := &SealConfig{
+		SecretShares:    3,
+		SecretThreshold: 3,
+	}
+
+	initParams := &InitParams{
+		BarrierConfig:  barrierConfig,
+		RecoveryConfig: recoveryConfig,
+	}
+	if core.seal.StoredKeysSupported() == seal.StoredKeysNotSupported {
+		initParams.LegacyShamirSeal = true
+	}
+	result, err := core.Initialize(context.Background(), initParams)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	innerToken, err := core.DecodeSSCToken(result.RootToken)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	return result.SecretShares, result.RecoveryShares, innerToken
+}
+
+func TestCoreUnseal(core *Core, key []byte) (bool, error) {
+	return core.Unseal(key)
+}
+
+func TestCoreSeal(core *Core) error {
+	return core.sealInternal()
+}
+
+// TestCoreUnsealed returns a pure in-memory core that is already
+// initialized and unsealed.
+func TestCoreUnsealed(t testing.T) (*Core, [][]byte, string) {
+	t.Helper()
+	core := TestCore(t)
+	return testCoreUnsealed(t, core)
+}
+
+func SetupMetrics(conf *CoreConfig) *metrics.InmemSink {
+	inmemSink := metrics.NewInmemSink(1000000*time.Hour, 2000000*time.Hour)
+	conf.MetricSink = metricsutil.NewClusterMetricSink("test-cluster", inmemSink)
+	conf.MetricsHelper = metricsutil.NewMetricsHelper(inmemSink, false)
+	return inmemSink
+}
+
+func TestCoreUnsealedWithMetrics(t testing.T) (*Core, [][]byte, string, *metrics.InmemSink) {
+	t.Helper()
+	conf := &CoreConfig{
+		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
+	}
+	sink := SetupMetrics(conf)
+	core, keys, root := testCoreUnsealed(t, TestCoreWithSealAndUI(t, conf))
+	return core, keys, root, sink
+}
+
+func TestCoreUnsealedWithMetricsAndConfig(t testing.T, conf *CoreConfig) (*Core, [][]byte, string, *metrics.InmemSink) {
+	t.Helper()
+	conf.BuiltinRegistry = corehelpers.NewMockBuiltinRegistry()
+	sink := SetupMetrics(conf)
+	core, keys, root := TestCoreUnsealedWithConfig(t, conf)
+	return core, keys, root, sink
+}
+
+// TestCoreUnsealedRaw returns a pure in-memory core that is already
+// initialized, unsealed, and with raw endpoints enabled.
+func TestCoreUnsealedRaw(t testing.T) (*Core, [][]byte, string) {
+	t.Helper()
+	core := TestCoreRaw(t)
+	return testCoreUnsealed(t, core)
+}
+
+// TestCoreUnsealedWithConfig returns a pure in-memory core that is already
+// initialized, unsealed, with the any provided core config values overridden.
+func TestCoreUnsealedWithConfig(t testing.T, conf *CoreConfig) (*Core, [][]byte, string) {
+	t.Helper()
+	core := TestCoreWithConfig(t, conf)
+	return testCoreUnsealed(t, core)
+}
+
+func testCoreUnsealed(t testing.T, core *Core) (*Core, [][]byte, string) {
+	t.Helper()
+	token, keys := TestInitUnsealCore(t, core)
+
+	testCoreAddSecretMount(t, core, token, "1")
+	return core, keys, token
+}
+
+func TestInitUnsealCore(t testing.T, core *Core) (string, [][]byte) {
+	keys, token := TestCoreInit(t, core)
+	for _, key := range keys {
+		if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil {
+			t.Fatalf("unseal err: %s", err)
+		}
+	}
+	if core.Sealed() {
+		t.Fatal("should not be sealed")
+	}
+
+	return token, keys
+}
+
+func testCoreAddSecretMount(t testing.T, core *Core, token, kvVersion string) {
+	kvReq := &logical.Request{
+		Operation:   logical.UpdateOperation,
+		ClientToken: token,
+		Path:        "sys/mounts/secret",
+		Data: map[string]interface{}{
+			"type":        "kv",
+			"path":        "secret/",
+			"description": "key/value secret storage",
+			"options": map[string]string{
+				"version": kvVersion,
+			},
+		},
+	}
+	resp, err := core.HandleRequest(namespace.RootContext(nil), kvReq)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp.IsError() {
+		t.Fatal(err)
+	}
+}
+
+func TestCoreUnsealedBackend(t testing.T, backend physical.Backend) (*Core, [][]byte, string) {
+	t.Helper()
+	logger := corehelpers.NewTestLogger(t)
+	conf := testCoreConfig(t, backend, logger)
+	conf.Seal = NewTestSeal(t, nil)
+	conf.NumExpirationWorkers = numExpirationWorkersTest
+
+	core, err := NewCore(conf)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	keys, token := TestCoreInit(t, core)
+	for _, key := range keys {
+		if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil {
+			t.Fatalf("unseal err: %s", err)
+		}
+	}
+
+	if err := core.UnsealWithStoredKeys(context.Background()); err != nil {
+		t.Fatal(err)
+	}
+
+	if core.Sealed() {
+		t.Fatal("should not be sealed")
+	}
+
+	t.Cleanup(func() {
+		defer func() {
+			if r := recover(); r != nil {
+				t.Log("panic closing core during cleanup", "panic", r)
+			}
+		}()
+		err := core.ShutdownWait()
+		if err != nil {
+			t.Logf("shutdown returned error: %v", err)
+		}
+	})
+
+	return core, keys, token
+}
+
+// TestKeyCopy is a silly little function to just copy the key so that
+// it can be used with Unseal easily.
+func TestKeyCopy(key []byte) []byte {
+	result := make([]byte, len(key))
+	copy(result, key)
+	return result
+}
+
+func TestDynamicSystemView(c *Core, ns *namespace.Namespace) *dynamicSystemView {
+	me := &MountEntry{
+		Config: MountConfig{
+			DefaultLeaseTTL: 24 * time.Hour,
+			MaxLeaseTTL:     2 * 24 * time.Hour,
+		},
+		NamespaceID: namespace.RootNamespace.ID,
+		namespace:   namespace.RootNamespace,
+	}
+
+	if ns != nil {
+		me.NamespaceID = ns.ID
+		me.namespace = ns
+	}
+
+	return &dynamicSystemView{c, me, c.perfStandby}
+}
+
+// TestAddTestPlugin registers the testFunc as part of the plugin command to the
+// plugin catalog. If provided, uses tmpDir as the plugin directory.
+// NB: The test func you pass in MUST be in the same package as the parent test,
+// or the test func won't be compiled into the test binary being run and the output
+// will be something like:
+// stderr (ignored by go-plugin): "testing: warning: no tests to run"
+// stdout: "PASS"
+func TestAddTestPlugin(t testing.T, c *Core, name string, pluginType consts.PluginType, version string, testFunc string, env []string, tempDir string) {
+	file, err := os.Open(os.Args[0])
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer file.Close()
+
+	dirPath := filepath.Dir(os.Args[0])
+	fileName := filepath.Base(os.Args[0])
+
+	if tempDir != "" {
+		fi, err := file.Stat()
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		// Copy over the file to the temp dir
+		dst := filepath.Join(tempDir, fileName)
+
+		// delete the file first to avoid notary failures in macOS
+		_ = os.Remove(dst) // ignore error
+		out, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, fi.Mode())
+		if err != nil {
+			t.Fatal(err)
+		}
+		defer out.Close()
+
+		if _, err = io.Copy(out, file); err != nil {
+			t.Fatal(err)
+		}
+		err = out.Sync()
+		if err != nil {
+			t.Fatal(err)
+		}
+		// Ensure that the file is closed and written. This seems to be
+		// necessary on Linux systems.
+		out.Close()
+
+		dirPath = tempDir
+	}
+
+	// Determine plugin directory full path, evaluating potential symlink path
+	fullPath, err := filepath.EvalSymlinks(dirPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	reader, err := os.Open(filepath.Join(fullPath, fileName))
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer reader.Close()
+
+	// Find out the sha256
+	hash := sha256.New()
+
+	_, err = io.Copy(hash, reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	sum := hash.Sum(nil)
+
+	// Set core's plugin directory and plugin catalog directory
+	c.pluginDirectory = fullPath
+	c.pluginCatalog.directory = fullPath
+
+	args := []string{fmt.Sprintf("--test.run=%s", testFunc)}
+	err = c.pluginCatalog.Set(context.Background(), pluginutil.SetPluginInput{
+		Name:    name,
+		Type:    pluginType,
+		Version: version,
+		Command: fileName,
+		Args:    args,
+		Env:     env,
+		Sha256:  sum,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+// TestRunTestPlugin runs the testFunc which has already been registered to the
+// plugin catalog and returns a pluginClient. This can be called after calling
+// TestAddTestPlugin.
+func TestRunTestPlugin(t testing.T, c *Core, pluginType consts.PluginType, pluginName string) *pluginClient {
+	t.Helper()
+	config := TestPluginClientConfig(c, pluginType, pluginName)
+	client, err := c.pluginCatalog.NewPluginClient(context.Background(), config)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	return client
+}
+
+func TestPluginClientConfig(c *Core, pluginType consts.PluginType, pluginName string) pluginutil.PluginClientConfig {
+	dsv := TestDynamicSystemView(c, nil)
+	switch pluginType {
+	case consts.PluginTypeCredential, consts.PluginTypeSecrets:
+		return pluginutil.PluginClientConfig{
+			Name:            pluginName,
+			PluginType:      pluginType,
+			PluginSets:      backendplugin.PluginSet,
+			HandshakeConfig: backendplugin.HandshakeConfig,
+			Logger:          log.NewNullLogger(),
+			AutoMTLS:        true,
+			IsMetadataMode:  false,
+			Wrapper:         dsv,
+		}
+	case consts.PluginTypeDatabase:
+		return pluginutil.PluginClientConfig{
+			Name:            pluginName,
+			PluginType:      pluginType,
+			PluginSets:      v5.PluginSets,
+			HandshakeConfig: v5.HandshakeConfig,
+			Logger:          log.NewNullLogger(),
+			AutoMTLS:        true,
+			IsMetadataMode:  false,
+			Wrapper:         dsv,
+		}
+	}
+	return pluginutil.PluginClientConfig{}
+}
+
+var (
+	testLogicalBackends    = map[string]logical.Factory{}
+	testCredentialBackends = map[string]logical.Factory{}
+)
+
+// This adds a credential backend for the test core. This needs to be
+// invoked before the test core is created.
+func AddTestCredentialBackend(name string, factory logical.Factory) error {
+	if name == "" {
+		return fmt.Errorf("missing backend name")
+	}
+	if factory == nil {
+		return fmt.Errorf("missing backend factory function")
+	}
+	testCredentialBackends[name] = factory
+	return nil
+}
+
+// This adds a logical backend for the test core. This needs to be
+// invoked before the test core is created.
+func AddTestLogicalBackend(name string, factory logical.Factory) error {
+	if name == "" {
+		return fmt.Errorf("missing backend name")
+	}
+	if factory == nil {
+		return fmt.Errorf("missing backend factory function")
+	}
+	testLogicalBackends[name] = factory
+	return nil
+}
+
+type rawHTTP struct{}
+
+func (n *rawHTTP) HandleRequest(ctx context.Context, req *logical.Request) (*logical.Response, error) {
+	return &logical.Response{
+		Data: map[string]interface{}{
+			logical.HTTPStatusCode:  200,
+			logical.HTTPContentType: "plain/text",
+			logical.HTTPRawBody:     []byte("hello world"),
+		},
+	}, nil
+}
+
+func (n *rawHTTP) HandleExistenceCheck(ctx context.Context, req *logical.Request) (bool, bool, error) {
+	return false, false, nil
+}
+
+func (n *rawHTTP) SpecialPaths() *logical.Paths {
+	return &logical.Paths{Unauthenticated: []string{"*"}}
+}
+
+func (n *rawHTTP) System() logical.SystemView {
+	return logical.StaticSystemView{
+		DefaultLeaseTTLVal: time.Hour * 24,
+		MaxLeaseTTLVal:     time.Hour * 24 * 32,
+	}
+}
+
+func (n *rawHTTP) Logger() log.Logger {
+	return logging.NewVaultLogger(log.Trace)
+}
+
+func (n *rawHTTP) Cleanup(ctx context.Context) {
+	// noop
+}
+
+func (n *rawHTTP) Initialize(ctx context.Context, req *logical.InitializationRequest) error {
+	return nil
+}
+
+func (n *rawHTTP) InvalidateKey(context.Context, string) {
+	// noop
+}
+
+func (n *rawHTTP) Setup(ctx context.Context, config *logical.BackendConfig) error {
+	// noop
+	return nil
+}
+
+func (n *rawHTTP) Type() logical.BackendType {
+	return logical.TypeLogical
+}
+
+func GenerateRandBytes(length int) ([]byte, error) {
+	if length < 0 {
+		return nil, fmt.Errorf("length must be >= 0")
+	}
+
+	buf := make([]byte, length)
+	if length == 0 {
+		return buf, nil
+	}
+
+	n, err := rand.Read(buf)
+	if err != nil {
+		return nil, err
+	}
+	if n != length {
+		return nil, fmt.Errorf("unable to read %d bytes; only read %d", length, n)
+	}
+
+	return buf, nil
+}
+
+func TestWaitActive(t testing.T, core *Core) {
+	t.Helper()
+	if err := TestWaitActiveWithError(core); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestWaitActiveForwardingReady(t testing.T, core *Core) {
+	TestWaitActive(t, core)
+
+	deadline := time.Now().Add(2 * time.Second)
+	for time.Now().Before(deadline) {
+		if _, ok := core.getClusterListener().Handler(consts.RequestForwardingALPN); ok {
+			return
+		}
+		time.Sleep(100 * time.Millisecond)
+	}
+	t.Fatal("timed out waiting for request forwarding handler to be registered")
+}
+
+func TestWaitActiveWithError(core *Core) error {
+	start := time.Now()
+	var standby bool
+	var err error
+	for time.Now().Sub(start) < 30*time.Second {
+		standby, err = core.Standby()
+		if err != nil {
+			return err
+		}
+		if !standby {
+			break
+		}
+	}
+	if standby {
+		return errors.New("should not be in standby mode")
+	}
+	return nil
+}
+
+type TestCluster struct {
+	BarrierKeys        [][]byte
+	RecoveryKeys       [][]byte
+	CACert             *x509.Certificate
+	CACertBytes        []byte
+	CACertPEM          []byte
+	CACertPEMFile      string
+	CAKey              *ecdsa.PrivateKey
+	CAKeyPEM           []byte
+	Cores              []*TestClusterCore
+	ID                 string
+	Plugins            []pluginhelpers.TestPlugin
+	RootToken          string
+	RootCAs            *x509.CertPool
+	TempDir            string
+	ClientAuthRequired bool
+	Logger             log.Logger
+	CleanupFunc        func()
+	SetupFunc          func()
+
+	cleanupFuncs      []func()
+	base              *CoreConfig
+	LicensePublicKey  ed25519.PublicKey
+	LicensePrivateKey ed25519.PrivateKey
+	opts              *TestClusterOptions
+}
+
+func (c *TestCluster) SetRootToken(token string) {
+	c.RootToken = token
+}
+
+func (c *TestCluster) Start() {
+}
+
+func (c *TestCluster) start(t testing.T) {
+	t.Helper()
+	for i, core := range c.Cores {
+		if core.Server != nil {
+			for _, ln := range core.Listeners {
+				c.Logger.Info("starting listener for test core", "core", i, "port", ln.Address.Port)
+				go core.Server.Serve(ln)
+			}
+		}
+	}
+	if c.SetupFunc != nil {
+		c.SetupFunc()
+	}
+
+	if c.opts != nil && c.opts.SkipInit {
+		// SkipInit implies that vault may not be ready to service requests, or that
+		// we're restarting a cluster from an existing storage.
+		return
+	}
+
+	activeCore := -1
+WAITACTIVE:
+	for i := 0; i < 600; i++ {
+		for i, core := range c.Cores {
+			if standby, _ := core.Core.Standby(); !standby {
+				activeCore = i
+				break WAITACTIVE
+			}
+		}
+
+		time.Sleep(100 * time.Millisecond)
+	}
+	if activeCore == -1 {
+		t.Fatalf("no core became active")
+	}
+
+	switch {
+	case c.opts == nil:
+	case c.opts.NoDefaultQuotas:
+	case c.opts.HandlerFunc == nil:
+	// If no HandlerFunc is provided that means that we can't actually do
+	// regular vault requests.
+	case reflect.TypeOf(c.opts.HandlerFunc).PkgPath() != "github.com/hashicorp/vault/http":
+	case reflect.TypeOf(c.opts.HandlerFunc).Name() != "Handler":
+	default:
+		cli := c.Cores[activeCore].Client
+		_, err := cli.Logical().Write("sys/quotas/rate-limit/rl-NewTestCluster", map[string]interface{}{
+			"rate": 1000000,
+		})
+		if err != nil {
+			t.Fatalf("error setting up global rate limit quota: %v", err)
+		}
+		if constants.IsEnterprise {
+			_, err = cli.Logical().Write("sys/quotas/lease-count/lc-NewTestCluster", map[string]interface{}{
+				"max_leases": 1000000,
+			})
+			if err != nil {
+				t.Fatalf("error setting up global lease count quota: %v", err)
+			}
+		}
+	}
+}
+
+// UnsealCores uses the cluster barrier keys to unseal the test cluster cores
+func (c *TestCluster) UnsealCores(t testing.T) {
+	t.Helper()
+	if err := c.UnsealCoresWithError(t, false); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func (c *TestCluster) UnsealCoresWithError(t testing.T, useStoredKeys bool) error {
+	unseal := func(core *Core) error {
+		for _, key := range c.BarrierKeys {
+			if _, err := core.Unseal(TestKeyCopy(key)); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	if useStoredKeys {
+		unseal = func(core *Core) error {
+			return core.UnsealWithStoredKeys(context.Background())
+		}
+	}
+
+	// Unseal first core
+	if err := unseal(c.Cores[0].Core); err != nil {
+		return fmt.Errorf("unseal core %d err: %s", 0, err)
+	}
+
+	// Verify unsealed
+	if c.Cores[0].Sealed() {
+		return fmt.Errorf("should not be sealed")
+	}
+
+	if err := TestWaitActiveWithError(c.Cores[0].Core); err != nil {
+		return err
+	}
+
+	// Unseal other cores
+	for i := 1; i < len(c.Cores); i++ {
+		if err := unseal(c.Cores[i].Core); err != nil {
+			return fmt.Errorf("unseal core %d err: %s", i, err)
+		}
+	}
+
+	// Let them come fully up to standby
+	corehelpers.RetryUntil(t, 2*time.Second, func() error {
+		// Ensure cluster connection info is populated.
+		// Other cores should not come up as leaders.
+		for i := 1; i < len(c.Cores); i++ {
+			isLeader, _, _, err := c.Cores[i].Leader()
+			if err != nil {
+				return err
+			}
+			if isLeader {
+				return fmt.Errorf("core[%d] should not be leader", i)
+			}
+		}
+
+		return nil
+	})
+
+	return nil
+}
+
+func (c *TestCluster) UnsealCore(t testing.T, core *TestClusterCore) {
+	err := c.AttemptUnsealCore(core)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func (c *TestCluster) AttemptUnsealCore(core *TestClusterCore) error {
+	var keys [][]byte
+	if core.seal.RecoveryKeySupported() {
+		keys = c.RecoveryKeys
+	} else {
+		keys = c.BarrierKeys
+	}
+	for _, key := range keys {
+		if _, err := core.Core.Unseal(TestKeyCopy(key)); err != nil {
+			return fmt.Errorf("unseal err: %w", err)
+		}
+	}
+	return nil
+}
+
+func (c *TestCluster) UnsealCoreWithStoredKeys(t testing.T, core *TestClusterCore) {
+	t.Helper()
+	if err := core.UnsealWithStoredKeys(context.Background()); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func (c *TestCluster) EnsureCoresSealed(t testing.T) {
+	t.Helper()
+	if err := c.ensureCoresSealed(); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func (c *TestClusterCore) Seal(t testing.T) {
+	t.Helper()
+	if err := c.Core.sealInternal(); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func (c *TestClusterCore) LogicalStorage() logical.Storage {
+	return c.barrier
+}
+
+func (c *TestClusterCore) stop() error {
+	c.Logger().Info("stopping vault test core")
+
+	if c.Listeners != nil {
+		for _, ln := range c.Listeners {
+			ln.Close()
+		}
+		c.Logger().Info("listeners successfully shut down")
+	}
+	if c.licensingStopCh != nil {
+		close(c.licensingStopCh)
+		c.licensingStopCh = nil
+	}
+
+	if err := c.Shutdown(); err != nil {
+		return err
+	}
+	timeout := time.Now().Add(60 * time.Second)
+	for {
+		if time.Now().After(timeout) {
+			return errors.New("timeout waiting for core to seal")
+		}
+		if c.Sealed() {
+			break
+		}
+		time.Sleep(250 * time.Millisecond)
+	}
+
+	c.Logger().Info("vault test core stopped")
+	return nil
+}
+
+func (c *TestClusterCore) StopAutomaticRollbacks() {
+	c.rollback.StopTicker()
+}
+
+func (c *TestClusterCore) GrabRollbackLock() {
+	// Ensure we don't hold this lock while there are in flight rollbacks.
+	c.rollback.inflightAll.Wait()
+	c.rollback.inflightLock.Lock()
+}
+
+func (c *TestClusterCore) ReleaseRollbackLock() {
+	c.rollback.inflightLock.Unlock()
+}
+
+func (c *TestClusterCore) TriggerRollbacks() {
+	c.rollback.triggerRollbacks()
+}
+
+func (c *TestClusterCore) TLSConfig() *tls.Config {
+	return c.tlsConfig.Clone()
+}
+
+func (c *TestClusterCore) ClusterListener() *cluster.Listener {
+	return c.getClusterListener()
+}
+
+func (c *TestCluster) Cleanup() {
+	c.Logger.Info("cleaning up vault cluster")
+	if tl, ok := c.Logger.(*corehelpers.TestLogger); ok {
+		tl.StopLogging()
+	}
+
+	wg := &sync.WaitGroup{}
+	for _, core := range c.Cores {
+		wg.Add(1)
+		lc := core
+
+		go func() {
+			defer wg.Done()
+			if err := lc.stop(); err != nil {
+				// Note that this log won't be seen if using TestLogger, due to
+				// the above call to StopLogging.
+				lc.Logger().Error("error during cleanup", "error", err)
+			}
+		}()
+	}
+
+	wg.Wait()
+
+	// Remove any temp dir that exists
+	if c.TempDir != "" {
+		os.RemoveAll(c.TempDir)
+	}
+
+	if c.CleanupFunc != nil {
+		c.CleanupFunc()
+	}
+}
+
+func (c *TestCluster) ensureCoresSealed() error {
+	for _, core := range c.Cores {
+		if err := core.Shutdown(); err != nil {
+			return err
+		}
+		timeout := time.Now().Add(60 * time.Second)
+		for {
+			if time.Now().After(timeout) {
+				return fmt.Errorf("timeout waiting for core to seal")
+			}
+			if core.Sealed() {
+				break
+			}
+			time.Sleep(250 * time.Millisecond)
+		}
+	}
+	return nil
+}
+
+func SetReplicationFailureMode(core *TestClusterCore, mode uint32) {
+	atomic.StoreUint32(core.Core.replicationFailure, mode)
+}
+
+type TestListener struct {
+	net.Listener
+	Address *net.TCPAddr
+}
+
+type TestClusterCore struct {
+	*Core
+	CoreConfig           *CoreConfig
+	Client               *api.Client
+	Handler              http.Handler
+	Address              *net.TCPAddr
+	Listeners            []*TestListener
+	ReloadFuncs          *map[string][]reloadutil.ReloadFunc
+	ReloadFuncsLock      *sync.RWMutex
+	Server               *http.Server
+	ServerCert           *x509.Certificate
+	ServerCertBytes      []byte
+	ServerCertPEM        []byte
+	ServerKey            *ecdsa.PrivateKey
+	ServerKeyPEM         []byte
+	tlsConfig            *tls.Config
+	UnderlyingStorage    physical.Backend
+	UnderlyingRawStorage physical.Backend
+	UnderlyingHAStorage  physical.HABackend
+	Barrier              SecurityBarrier
+	NodeID               string
+}
+
+type PhysicalBackendBundle struct {
+	Backend   physical.Backend
+	HABackend physical.HABackend
+	Cleanup   func()
+}
+
+type HandlerHandler interface {
+	Handler(*HandlerProperties) http.Handler
+}
+
+type TestClusterOptions struct {
+	KeepStandbysSealed       bool
+	SkipInit                 bool
+	HandlerFunc              HandlerHandler
+	DefaultHandlerProperties HandlerProperties
+
+	// BaseListenAddress is used to explicitly assign ports in sequence to the
+	// listener of each core.  It should be a string of the form
+	// "127.0.0.1:20000"
+	//
+	// WARNING: Using an explicitly assigned port above 30000 may clash with
+	// ephemeral ports that have been assigned by the OS in other tests.  The
+	// use of explicitly assigned ports below 30000 is strongly recommended.
+	// In addition, you should be careful to use explicitly assigned ports that
+	// do not clash with any other explicitly assigned ports in other tests.
+	BaseListenAddress string
+
+	// BaseClusterListenPort is used to explicitly assign ports in sequence to
+	// the cluster listener of each core.  If BaseClusterListenPort is
+	// specified, then BaseListenAddress must also be specified.  Each cluster
+	// listener will use the same host as the one specified in
+	// BaseListenAddress.
+	//
+	// WARNING: Using an explicitly assigned port above 30000 may clash with
+	// ephemeral ports that have been assigned by the OS in other tests.  The
+	// use of explicitly assigned ports below 30000 is strongly recommended.
+	// In addition, you should be careful to use explicitly assigned ports that
+	// do not clash with any other explicitly assigned ports in other tests.
+	BaseClusterListenPort int
+
+	NumCores       int
+	SealFunc       func() Seal
+	UnwrapSealFunc func() Seal
+	Logger         log.Logger
+	TempDir        string
+	CACert         []byte
+	CAKey          *ecdsa.PrivateKey
+	// PhysicalFactory is used to create backends.
+	// The int argument is the index of the core within the cluster, i.e. first
+	// core in cluster will have 0, second 1, etc.
+	// If the backend is shared across the cluster (i.e. is not Raft) then it
+	// should return nil when coreIdx != 0.
+	PhysicalFactory func(t testing.T, coreIdx int, logger log.Logger, conf map[string]interface{}) *PhysicalBackendBundle
+	// FirstCoreNumber is used to assign a unique number to each core within
+	// a multi-cluster setup.
+	FirstCoreNumber   int
+	RequireClientAuth bool
+	// SetupFunc is called after the cluster is started.
+	SetupFunc      func(t testing.T, c *TestCluster)
+	PR1103Disabled bool
+
+	// ClusterLayers are used to override the default cluster connection layer
+	ClusterLayers cluster.NetworkLayerSet
+	// InmemClusterLayers is a shorthand way of asking for ClusterLayers to be
+	// built using the inmem implementation.
+	InmemClusterLayers bool
+
+	// RaftAddressProvider is used to set the raft ServerAddressProvider on
+	// each core.
+	//
+	// If SkipInit is true, then RaftAddressProvider has no effect.
+	// RaftAddressProvider should only be specified if the underlying physical
+	// storage is Raft.
+	RaftAddressProvider raftlib.ServerAddressProvider
+
+	CoreMetricSinkProvider func(clusterName string) (*metricsutil.ClusterMetricSink, *metricsutil.MetricsHelper)
+
+	PhysicalFactoryConfig map[string]interface{}
+	LicensePublicKey      ed25519.PublicKey
+	LicensePrivateKey     ed25519.PrivateKey
+
+	// this stores the vault version that should be used for each core config
+	VersionMap             map[int]string
+	RedundancyZoneMap      map[int]string
+	KVVersion              string
+	EffectiveSDKVersionMap map[int]string
+
+	NoDefaultQuotas bool
+
+	Plugins []*TestPluginConfig
+
+	// if populated, the callback is called for every request
+	RequestResponseCallback func(logical.Backend, *logical.Request, *logical.Response)
+
+	// ABCDLoggerNames names the loggers according to our ABCD convention when generating 4 clusters
+	ABCDLoggerNames bool
+}
+
+type TestPluginConfig struct {
+	Typ       consts.PluginType
+	Versions  []string
+	Container bool
+}
+
+var DefaultNumCores = 3
+
+type certInfo struct {
+	cert      *x509.Certificate
+	certPEM   []byte
+	certBytes []byte
+	key       *ecdsa.PrivateKey
+	keyPEM    []byte
+}
+
+// NewTestCluster creates a new test cluster based on the provided core config
+// and test cluster options.
+//
+// N.B. Even though a single base CoreConfig is provided, NewTestCluster will instantiate a
+// core config for each core it creates. If separate seal per core is desired, opts.SealFunc
+// can be provided to generate a seal for each one. Otherwise, the provided base.Seal will be
+// shared among cores. NewCore's default behavior is to generate a new DefaultSeal if the
+// provided Seal in coreConfig (i.e. base.Seal) is nil.
+//
+// If opts.Logger is provided, it takes precedence and will be used as the cluster
+// logger and will be the basis for each core's logger.  If no opts.Logger is
+// given, one will be generated based on t.Name() for the cluster logger, and if
+// no base.Logger is given will also be used as the basis for each core's logger.
+func NewTestCluster(t testing.T, base *CoreConfig, opts *TestClusterOptions) *TestCluster {
+	var err error
+
+	if opts == nil {
+		opts = &TestClusterOptions{}
+	}
+	if opts.DefaultHandlerProperties.ListenerConfig == nil {
+		opts.DefaultHandlerProperties.ListenerConfig = &configutil.Listener{}
+	}
+
+	var numCores int
+	if opts == nil || opts.NumCores == 0 {
+		numCores = DefaultNumCores
+	} else {
+		numCores = opts.NumCores
+	}
+
+	certIPs := []net.IP{
+		net.IPv6loopback,
+		net.ParseIP("127.0.0.1"),
+	}
+
+	baseAddr, certIPs := GenerateListenerAddr(t, opts, certIPs)
+	var testCluster TestCluster
+	testCluster.base = base
+
+	switch {
+	case opts != nil && opts.Logger != nil && !reflect.ValueOf(opts.Logger).IsNil():
+		testCluster.Logger = opts.Logger
+	default:
+		testCluster.Logger = corehelpers.NewTestLogger(t)
+	}
+
+	if opts != nil && opts.TempDir != "" {
+		if _, err := os.Stat(opts.TempDir); os.IsNotExist(err) {
+			if err := os.MkdirAll(opts.TempDir, 0o700); err != nil {
+				t.Fatal(err)
+			}
+		}
+		testCluster.TempDir = opts.TempDir
+	} else {
+		tempDir, err := os.MkdirTemp("", "vault-test-cluster-")
+		if err != nil {
+			t.Fatal(err)
+		}
+		testCluster.TempDir = tempDir
+	}
+
+	var caKey *ecdsa.PrivateKey
+	if opts != nil && opts.CAKey != nil {
+		caKey = opts.CAKey
+	} else {
+		caKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+	testCluster.CAKey = caKey
+	var caBytes []byte
+	if opts != nil && len(opts.CACert) > 0 {
+		caBytes = opts.CACert
+	} else {
+		caCertTemplate := &x509.Certificate{
+			Subject: pkix.Name{
+				CommonName: "localhost",
+			},
+			DNSNames:              []string{"localhost"},
+			IPAddresses:           certIPs,
+			KeyUsage:              x509.KeyUsage(x509.KeyUsageCertSign | x509.KeyUsageCRLSign),
+			SerialNumber:          big.NewInt(mathrand.Int63()),
+			NotBefore:             time.Now().Add(-30 * time.Second),
+			NotAfter:              time.Now().Add(262980 * time.Hour),
+			BasicConstraintsValid: true,
+			IsCA:                  true,
+		}
+		caBytes, err = x509.CreateCertificate(rand.Reader, caCertTemplate, caCertTemplate, caKey.Public(), caKey)
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+	caCert, err := x509.ParseCertificate(caBytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	testCluster.CACert = caCert
+	testCluster.CACertBytes = caBytes
+	testCluster.RootCAs = x509.NewCertPool()
+	testCluster.RootCAs.AddCert(caCert)
+	caCertPEMBlock := &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: caBytes,
+	}
+	testCluster.CACertPEM = pem.EncodeToMemory(caCertPEMBlock)
+	testCluster.CACertPEMFile = filepath.Join(testCluster.TempDir, "ca_cert.pem")
+	err = os.WriteFile(testCluster.CACertPEMFile, testCluster.CACertPEM, 0o755)
+	if err != nil {
+		t.Fatal(err)
+	}
+	marshaledCAKey, err := x509.MarshalECPrivateKey(caKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+	caKeyPEMBlock := &pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: marshaledCAKey,
+	}
+	testCluster.CAKeyPEM = pem.EncodeToMemory(caKeyPEMBlock)
+	err = os.WriteFile(filepath.Join(testCluster.TempDir, "ca_key.pem"), testCluster.CAKeyPEM, 0o755)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	var certInfoSlice []*certInfo
+
+	//
+	// Certs generation
+	//
+	for i := 0; i < numCores; i++ {
+		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+		if err != nil {
+			t.Fatal(err)
+		}
+		certTemplate := &x509.Certificate{
+			Subject: pkix.Name{
+				CommonName: "localhost",
+			},
+			// Include host.docker.internal for the sake of benchmark-vault running on MacOS/Windows.
+			// This allows Prometheus running in docker to scrape the cluster for metrics.
+			DNSNames:    []string{"localhost", "host.docker.internal"},
+			IPAddresses: certIPs,
+			ExtKeyUsage: []x509.ExtKeyUsage{
+				x509.ExtKeyUsageServerAuth,
+				x509.ExtKeyUsageClientAuth,
+			},
+			KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement,
+			SerialNumber: big.NewInt(mathrand.Int63()),
+			NotBefore:    time.Now().Add(-30 * time.Second),
+			NotAfter:     time.Now().Add(262980 * time.Hour),
+		}
+		certBytes, err := x509.CreateCertificate(rand.Reader, certTemplate, caCert, key.Public(), caKey)
+		if err != nil {
+			t.Fatal(err)
+		}
+		cert, err := x509.ParseCertificate(certBytes)
+		if err != nil {
+			t.Fatal(err)
+		}
+		certPEMBlock := &pem.Block{
+			Type:  "CERTIFICATE",
+			Bytes: certBytes,
+		}
+		certPEM := pem.EncodeToMemory(certPEMBlock)
+		marshaledKey, err := x509.MarshalECPrivateKey(key)
+		if err != nil {
+			t.Fatal(err)
+		}
+		keyPEMBlock := &pem.Block{
+			Type:  "EC PRIVATE KEY",
+			Bytes: marshaledKey,
+		}
+		keyPEM := pem.EncodeToMemory(keyPEMBlock)
+
+		certInfoSlice = append(certInfoSlice, &certInfo{
+			cert:      cert,
+			certPEM:   certPEM,
+			certBytes: certBytes,
+			key:       key,
+			keyPEM:    keyPEM,
+		})
+	}
+
+	//
+	// Listener setup
+	//
+	addresses := []*net.TCPAddr{}
+	listeners := [][]*TestListener{}
+	servers := []*http.Server{}
+	handlers := []http.Handler{}
+	tlsConfigs := []*tls.Config{}
+	certGetters := []*reloadutil.CertificateGetter{}
+	for i := 0; i < numCores; i++ {
+		addr := &net.TCPAddr{
+			IP:   baseAddr.IP,
+			Port: 0,
+		}
+		if baseAddr.Port != 0 {
+			addr.Port = baseAddr.Port + i
+		}
+
+		ln, err := net.ListenTCP("tcp", addr)
+		if err != nil {
+			t.Fatal(err)
+		}
+		addresses = append(addresses, addr)
+
+		certFile := filepath.Join(testCluster.TempDir, fmt.Sprintf("node%d_port_%d_cert.pem", i+1, ln.Addr().(*net.TCPAddr).Port))
+		keyFile := filepath.Join(testCluster.TempDir, fmt.Sprintf("node%d_port_%d_key.pem", i+1, ln.Addr().(*net.TCPAddr).Port))
+		err = os.WriteFile(certFile, certInfoSlice[i].certPEM, 0o755)
+		if err != nil {
+			t.Fatal(err)
+		}
+		err = os.WriteFile(keyFile, certInfoSlice[i].keyPEM, 0o755)
+		if err != nil {
+			t.Fatal(err)
+		}
+		tlsCert, err := tls.X509KeyPair(certInfoSlice[i].certPEM, certInfoSlice[i].keyPEM)
+		if err != nil {
+			t.Fatal(err)
+		}
+		certGetter := reloadutil.NewCertificateGetter(certFile, keyFile, "")
+		certGetters = append(certGetters, certGetter)
+		certGetter.Reload()
+		tlsConfig := &tls.Config{
+			Certificates:   []tls.Certificate{tlsCert},
+			RootCAs:        testCluster.RootCAs,
+			ClientCAs:      testCluster.RootCAs,
+			ClientAuth:     tls.RequestClientCert,
+			NextProtos:     []string{"h2", "http/1.1"},
+			GetCertificate: certGetter.GetCertificate,
+		}
+		if opts != nil && opts.RequireClientAuth {
+			tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+			testCluster.ClientAuthRequired = true
+		}
+		tlsConfigs = append(tlsConfigs, tlsConfig)
+		lns := []*TestListener{
+			{
+				Listener: tls.NewListener(ln, tlsConfig),
+				Address:  ln.Addr().(*net.TCPAddr),
+			},
+		}
+		listeners = append(listeners, lns)
+		var handler http.Handler = http.NewServeMux()
+		handlers = append(handlers, handler)
+		server := &http.Server{
+			Handler:  handler,
+			ErrorLog: testCluster.Logger.StandardLogger(nil),
+		}
+		servers = append(servers, server)
+	}
+
+	// Create three cores with the same physical and different redirect/cluster
+	// addrs.
+	// N.B.: On OSX, instead of random ports, it assigns new ports to new
+	// listeners sequentially. Aside from being a bad idea in a security sense,
+	// it also broke tests that assumed it was OK to just use the port above
+	// the redirect addr. This has now been changed to 105 ports above, but if
+	// we ever do more than three nodes in a cluster it may need to be bumped.
+	// Note: it's 105 so that we don't conflict with a running Consul by
+	// default.
+	coreConfig := &CoreConfig{
+		LogicalBackends:    make(map[string]logical.Factory),
+		CredentialBackends: make(map[string]logical.Factory),
+		AuditBackends:      make(map[string]audit.Factory),
+		RedirectAddr:       fmt.Sprintf("https://127.0.0.1:%d", listeners[0][0].Address.Port),
+		ClusterAddr:        "https://127.0.0.1:0",
+		DisableMlock:       true,
+		EnableUI:           true,
+		EnableRaw:          true,
+		BuiltinRegistry:    corehelpers.NewMockBuiltinRegistry(),
+	}
+
+	if base != nil {
+		coreConfig.DetectDeadlocks = TestDeadlockDetection
+		coreConfig.RawConfig = base.RawConfig
+		coreConfig.DisableCache = base.DisableCache
+		coreConfig.EnableUI = base.EnableUI
+		coreConfig.DefaultLeaseTTL = base.DefaultLeaseTTL
+		coreConfig.MaxLeaseTTL = base.MaxLeaseTTL
+		coreConfig.CacheSize = base.CacheSize
+		coreConfig.PluginDirectory = base.PluginDirectory
+		coreConfig.Seal = base.Seal
+		coreConfig.UnwrapSeal = base.UnwrapSeal
+		coreConfig.DevToken = base.DevToken
+		coreConfig.EnableRaw = base.EnableRaw
+		coreConfig.DisableSealWrap = base.DisableSealWrap
+		coreConfig.DisableCache = base.DisableCache
+		coreConfig.LicensingConfig = base.LicensingConfig
+		coreConfig.License = base.License
+		coreConfig.LicensePath = base.LicensePath
+		coreConfig.DisablePerformanceStandby = base.DisablePerformanceStandby
+		coreConfig.MetricsHelper = base.MetricsHelper
+		coreConfig.MetricSink = base.MetricSink
+		coreConfig.SecureRandomReader = base.SecureRandomReader
+		coreConfig.DisableSentinelTrace = base.DisableSentinelTrace
+		coreConfig.ClusterName = base.ClusterName
+		coreConfig.DisableAutopilot = base.DisableAutopilot
+		coreConfig.AdministrativeNamespacePath = base.AdministrativeNamespacePath
+		coreConfig.ServiceRegistration = base.ServiceRegistration
+		coreConfig.ImpreciseLeaseRoleTracking = base.ImpreciseLeaseRoleTracking
+
+		if base.BuiltinRegistry != nil {
+			coreConfig.BuiltinRegistry = base.BuiltinRegistry
+		}
+
+		if !coreConfig.DisableMlock {
+			base.DisableMlock = false
+		}
+
+		if base.Physical != nil {
+			coreConfig.Physical = base.Physical
+		}
+
+		if base.HAPhysical != nil {
+			coreConfig.HAPhysical = base.HAPhysical
+		}
+
+		// Used to set something non-working to test fallback
+		switch base.ClusterAddr {
+		case "empty":
+			coreConfig.ClusterAddr = ""
+		case "":
+		default:
+			coreConfig.ClusterAddr = base.ClusterAddr
+		}
+
+		if base.LogicalBackends != nil {
+			for k, v := range base.LogicalBackends {
+				coreConfig.LogicalBackends[k] = v
+			}
+		}
+		if base.CredentialBackends != nil {
+			for k, v := range base.CredentialBackends {
+				coreConfig.CredentialBackends[k] = v
+			}
+		}
+		if base.AuditBackends != nil {
+			for k, v := range base.AuditBackends {
+				coreConfig.AuditBackends[k] = v
+			}
+		}
+		if base.Logger != nil {
+			coreConfig.Logger = base.Logger
+		}
+
+		coreConfig.ClusterCipherSuites = base.ClusterCipherSuites
+		coreConfig.DisableCache = base.DisableCache
+		coreConfig.DevToken = base.DevToken
+		coreConfig.RecoveryMode = base.RecoveryMode
+		coreConfig.ActivityLogConfig = base.ActivityLogConfig
+		coreConfig.EnableResponseHeaderHostname = base.EnableResponseHeaderHostname
+		coreConfig.EnableResponseHeaderRaftNodeID = base.EnableResponseHeaderRaftNodeID
+		coreConfig.RollbackPeriod = base.RollbackPeriod
+		coreConfig.PendingRemovalMountsAllowed = base.PendingRemovalMountsAllowed
+		coreConfig.ExpirationRevokeRetryBase = base.ExpirationRevokeRetryBase
+		testApplyEntBaseConfig(coreConfig, base)
+	}
+	if coreConfig.ClusterName == "" {
+		coreConfig.ClusterName = t.Name()
+	}
+
+	if coreConfig.ClusterName == "" {
+		coreConfig.ClusterName = t.Name()
+	}
+
+	if coreConfig.ClusterHeartbeatInterval == 0 {
+		// Set this lower so that state populates quickly to standby nodes
+		coreConfig.ClusterHeartbeatInterval = 2 * time.Second
+	}
+
+	if coreConfig.RawConfig == nil {
+		c := new(server.Config)
+		c.SharedConfig = &configutil.SharedConfig{LogFormat: logging.UnspecifiedFormat.String()}
+		coreConfig.RawConfig = c
+	}
+
+	addAuditBackend := len(coreConfig.AuditBackends) == 0
+	if addAuditBackend {
+		coreConfig.AuditBackends["noop"] = corehelpers.NoopAuditFactory(nil)
+	}
+
+	if coreConfig.Physical == nil && (opts == nil || opts.PhysicalFactory == nil) {
+		coreConfig.Physical, err = physInmem.NewInmem(nil, testCluster.Logger)
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+	if coreConfig.HAPhysical == nil && (opts == nil || opts.PhysicalFactory == nil) {
+		haPhys, err := physInmem.NewInmemHA(nil, testCluster.Logger)
+		if err != nil {
+			t.Fatal(err)
+		}
+		coreConfig.HAPhysical = haPhys.(physical.HABackend)
+	}
+
+	if testCluster.LicensePublicKey == nil {
+		pubKey, priKey, err := GenerateTestLicenseKeys()
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		testCluster.LicensePublicKey = pubKey
+		testCluster.LicensePrivateKey = priKey
+	}
+
+	if opts != nil && opts.InmemClusterLayers {
+		if opts.ClusterLayers != nil {
+			t.Fatalf("cannot specify ClusterLayers when InmemClusterLayers is true")
+		}
+		inmemCluster, err := cluster.NewInmemLayerCluster("inmem-cluster", numCores, testCluster.Logger.Named("inmem-cluster"))
+		if err != nil {
+			t.Fatal(err)
+		}
+		opts.ClusterLayers = inmemCluster
+	}
+
+	if opts != nil && len(opts.Plugins) != 0 {
+		var plugins []pluginhelpers.TestPlugin
+		for _, pluginType := range opts.Plugins {
+			if pluginType.Container && runtime.GOOS != "linux" {
+				t.Skip("Running plugins in containers is only supported on linux")
+			}
+
+			var pluginDir string
+			var cleanup func(t testing.T)
+
+			if coreConfig.PluginDirectory == "" {
+				pluginDir, cleanup = corehelpers.MakeTestPluginDir(t)
+				coreConfig.PluginDirectory = pluginDir
+				t.Cleanup(func() { cleanup(t) })
+			}
+
+			for _, version := range pluginType.Versions {
+				plugin := pluginhelpers.CompilePlugin(t, pluginType.Typ, version, coreConfig.PluginDirectory)
+				if pluginType.Container {
+					plugin.Image, plugin.ImageSha256 = pluginhelpers.BuildPluginContainerImage(t, plugin, coreConfig.PluginDirectory)
+				}
+				plugins = append(plugins, plugin)
+			}
+		}
+		testCluster.Plugins = plugins
+	}
+
+	// Create cores
+	testCluster.cleanupFuncs = []func(){}
+	cores := []*Core{}
+	coreConfigs := []*CoreConfig{}
+
+	for i := 0; i < numCores; i++ {
+		cleanup, c, localConfig, handler := testCluster.newCore(t, i, coreConfig, opts, listeners[i], testCluster.LicensePublicKey)
+
+		testCluster.cleanupFuncs = append(testCluster.cleanupFuncs, cleanup)
+		cores = append(cores, c)
+		coreConfigs = append(coreConfigs, &localConfig)
+
+		if handler != nil {
+			handlers[i] = handler
+			servers[i].Handler = handlers[i]
+		}
+	}
+
+	// Clustering setup
+	for i := 0; i < numCores; i++ {
+		testCluster.setupClusterListener(t, i, cores[i], coreConfigs[i], opts, listeners[i], handlers[i])
+	}
+
+	// Create TestClusterCores
+	var ret []*TestClusterCore
+	for i := 0; i < numCores; i++ {
+		tcc := &TestClusterCore{
+			Core:                 cores[i],
+			CoreConfig:           coreConfigs[i],
+			ServerKey:            certInfoSlice[i].key,
+			ServerKeyPEM:         certInfoSlice[i].keyPEM,
+			ServerCert:           certInfoSlice[i].cert,
+			ServerCertBytes:      certInfoSlice[i].certBytes,
+			ServerCertPEM:        certInfoSlice[i].certPEM,
+			Address:              addresses[i],
+			Listeners:            listeners[i],
+			Handler:              handlers[i],
+			Server:               servers[i],
+			tlsConfig:            tlsConfigs[i],
+			Barrier:              cores[i].barrier,
+			NodeID:               fmt.Sprintf("core-%d", i),
+			UnderlyingRawStorage: coreConfigs[i].Physical,
+			UnderlyingHAStorage:  coreConfigs[i].HAPhysical,
+		}
+		tcc.ReloadFuncs = &cores[i].reloadFuncs
+		tcc.ReloadFuncsLock = &cores[i].reloadFuncsLock
+		tcc.ReloadFuncsLock.Lock()
+		(*tcc.ReloadFuncs)["listener|tcp"] = []reloadutil.ReloadFunc{certGetters[i].Reload}
+		tcc.ReloadFuncsLock.Unlock()
+
+		testAdjustUnderlyingStorage(tcc)
+
+		ret = append(ret, tcc)
+	}
+	testCluster.Cores = ret
+
+	// Initialize cores
+	if opts == nil || !opts.SkipInit {
+		testCluster.initCores(t, opts, addAuditBackend)
+	}
+
+	// Assign clients
+	for i := 0; i < numCores; i++ {
+		testCluster.Cores[i].Client = testCluster.getAPIClient(t, opts, listeners[i][0].Address.Port, tlsConfigs[i])
+	}
+
+	// Extra Setup
+	for _, tcc := range testCluster.Cores {
+		testExtraTestCoreSetup(t, testCluster.LicensePrivateKey, tcc)
+	}
+
+	// Cleanup
+	testCluster.CleanupFunc = func() {
+		for _, c := range testCluster.cleanupFuncs {
+			c()
+		}
+	}
+
+	// Setup
+	if opts != nil {
+		if opts.SetupFunc != nil {
+			testCluster.SetupFunc = func() {
+				opts.SetupFunc(t, &testCluster)
+			}
+		}
+	}
+
+	testCluster.opts = opts
+	testCluster.start(t)
+	return &testCluster
+}
+
+// StopCore performs an orderly shutdown of a core.
+func (cluster *TestCluster) StopCore(t testing.T, idx int) {
+	t.Helper()
+
+	if idx < 0 || idx > len(cluster.Cores) {
+		t.Fatalf("invalid core index %d", idx)
+	}
+	tcc := cluster.Cores[idx]
+	tcc.Logger().Info("stopping core", "core", idx)
+
+	// Stop listeners and call Finalize()
+	if err := tcc.stop(); err != nil {
+		t.Fatal(err)
+	}
+
+	// Run cleanup
+	cluster.cleanupFuncs[idx]()
+}
+
+func GenerateListenerAddr(t testing.T, opts *TestClusterOptions, certIPs []net.IP) (*net.TCPAddr, []net.IP) {
+	var baseAddr *net.TCPAddr
+	var err error
+
+	if opts != nil && opts.BaseListenAddress != "" {
+		baseAddr, err = net.ResolveTCPAddr("tcp", opts.BaseListenAddress)
+		if err != nil {
+			t.Fatal("could not parse given base IP")
+		}
+		certIPs = append(certIPs, baseAddr.IP)
+	} else {
+		baseAddr = &net.TCPAddr{
+			IP:   net.ParseIP("127.0.0.1"),
+			Port: 0,
+		}
+	}
+
+	return baseAddr, certIPs
+}
+
+// StartCore restarts a TestClusterCore that was stopped, by replacing the
+// underlying Core.
+func (cluster *TestCluster) StartCore(t testing.T, idx int, opts *TestClusterOptions) {
+	t.Helper()
+
+	if idx < 0 || idx > len(cluster.Cores) {
+		t.Fatalf("invalid core index %d", idx)
+	}
+	tcc := cluster.Cores[idx]
+	tcc.Logger().Info("restarting core", "core", idx)
+
+	// Set up listeners
+	ln, err := net.ListenTCP("tcp", tcc.Address)
+	if err != nil {
+		t.Fatal(err)
+	}
+	tcc.Listeners = []*TestListener{
+		{
+			Listener: tls.NewListener(ln, tcc.tlsConfig),
+			Address:  ln.Addr().(*net.TCPAddr),
+		},
+	}
+
+	tcc.Handler = http.NewServeMux()
+	tcc.Server = &http.Server{
+		Handler:  tcc.Handler,
+		ErrorLog: cluster.Logger.StandardLogger(nil),
+	}
+
+	// Create a new Core
+	cleanup, newCore, localConfig, coreHandler := cluster.newCore(t, idx, tcc.CoreConfig, opts, tcc.Listeners, cluster.LicensePublicKey)
+	if coreHandler != nil {
+		tcc.Handler = coreHandler
+		tcc.Server.Handler = coreHandler
+	}
+
+	cluster.cleanupFuncs[idx] = cleanup
+	tcc.Core = newCore
+	tcc.CoreConfig = &localConfig
+	tcc.UnderlyingRawStorage = localConfig.Physical
+
+	cluster.setupClusterListener(
+		t, idx, newCore, tcc.CoreConfig,
+		opts, tcc.Listeners, tcc.Handler)
+
+	tcc.Client = cluster.getAPIClient(t, opts, tcc.Listeners[0].Address.Port, tcc.tlsConfig)
+
+	testAdjustUnderlyingStorage(tcc)
+	testExtraTestCoreSetup(t, cluster.LicensePrivateKey, tcc)
+
+	// Start listeners
+	for _, ln := range tcc.Listeners {
+		tcc.Logger().Info("starting listener for core", "port", ln.Address.Port)
+		go tcc.Server.Serve(ln)
+	}
+
+	tcc.Logger().Info("restarted test core", "core", idx)
+}
+
+func (testCluster *TestCluster) newCore(t testing.T, idx int, coreConfig *CoreConfig, opts *TestClusterOptions, listeners []*TestListener, pubKey ed25519.PublicKey) (func(), *Core, CoreConfig, http.Handler) {
+	localConfig := *coreConfig
+	cleanupFunc := func() {}
+	var handler http.Handler
+
+	var disablePR1103 bool
+	if opts != nil && opts.PR1103Disabled {
+		disablePR1103 = true
+	}
+
+	var firstCoreNumber int
+	if opts != nil {
+		firstCoreNumber = opts.FirstCoreNumber
+	}
+
+	localConfig.RedirectAddr = fmt.Sprintf("https://127.0.0.1:%d", listeners[0].Address.Port)
+
+	// if opts.SealFunc is provided, use that to generate a seal for the config instead
+	if opts != nil && opts.SealFunc != nil {
+		localConfig.Seal = opts.SealFunc()
+	}
+	if opts != nil && opts.UnwrapSealFunc != nil {
+		localConfig.UnwrapSeal = opts.UnwrapSealFunc()
+	}
+
+	if coreConfig.Logger == nil || (opts != nil && opts.Logger != nil) {
+		localConfig.Logger = testCluster.Logger.Named(fmt.Sprintf("core%d", idx))
+	}
+
+	if opts != nil && opts.EffectiveSDKVersionMap != nil {
+		localConfig.EffectiveSDKVersion = opts.EffectiveSDKVersionMap[idx]
+	}
+
+	if opts != nil && opts.PhysicalFactory != nil {
+		pfc := opts.PhysicalFactoryConfig
+		if pfc == nil {
+			pfc = make(map[string]interface{})
+		}
+		if len(opts.VersionMap) > 0 {
+			pfc["autopilot_upgrade_version"] = opts.VersionMap[idx]
+		}
+		if len(opts.RedundancyZoneMap) > 0 {
+			pfc["autopilot_redundancy_zone"] = opts.RedundancyZoneMap[idx]
+		}
+		physBundle := opts.PhysicalFactory(t, idx, localConfig.Logger, pfc)
+		switch {
+		case physBundle == nil && coreConfig.Physical != nil:
+		case physBundle == nil && coreConfig.Physical == nil:
+			t.Fatal("PhysicalFactory produced no physical and none in CoreConfig")
+		case physBundle != nil:
+			// Storage backend setup
+			if physBundle.Backend != nil {
+				testCluster.Logger.Info("created physical backend", "instance", idx)
+				coreConfig.Physical = physBundle.Backend
+				localConfig.Physical = physBundle.Backend
+			}
+
+			// HA Backend setup
+			haBackend := physBundle.HABackend
+			if haBackend == nil {
+				if ha, ok := physBundle.Backend.(physical.HABackend); ok {
+					haBackend = ha
+				}
+			}
+			coreConfig.HAPhysical = haBackend
+			localConfig.HAPhysical = haBackend
+
+			// Cleanup setup
+			if physBundle.Cleanup != nil {
+				cleanupFunc = physBundle.Cleanup
+			}
+		}
+	}
+
+	if opts != nil && opts.ClusterLayers != nil {
+		localConfig.ClusterNetworkLayer = opts.ClusterLayers.Layers()[idx]
+		localConfig.ClusterAddr = "https://" + localConfig.ClusterNetworkLayer.Listeners()[0].Addr().String()
+	}
+
+	switch {
+	case localConfig.LicensingConfig != nil:
+		if pubKey != nil {
+			localConfig.LicensingConfig.AdditionalPublicKeys = append(localConfig.LicensingConfig.AdditionalPublicKeys, pubKey)
+		}
+	default:
+		localConfig.LicensingConfig = testGetLicensingConfig(pubKey)
+	}
+
+	if localConfig.MetricsHelper == nil {
+		inm := metrics.NewInmemSink(10*time.Second, time.Minute)
+		metrics.DefaultInmemSignal(inm)
+		localConfig.MetricsHelper = metricsutil.NewMetricsHelper(inm, false)
+	}
+	if opts != nil && opts.CoreMetricSinkProvider != nil {
+		localConfig.MetricSink, localConfig.MetricsHelper = opts.CoreMetricSinkProvider(localConfig.ClusterName)
+	}
+
+	if opts != nil && opts.CoreMetricSinkProvider != nil {
+		localConfig.MetricSink, localConfig.MetricsHelper = opts.CoreMetricSinkProvider(localConfig.ClusterName)
+	}
+
+	localConfig.NumExpirationWorkers = numExpirationWorkersTest
+
+	c, err := NewCore(&localConfig)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	c.coreNumber = firstCoreNumber + idx
+	c.PR1103disabled = disablePR1103
+	if opts != nil && opts.HandlerFunc != nil {
+		props := opts.DefaultHandlerProperties
+		props.Core = c
+		if props.ListenerConfig != nil && props.ListenerConfig.MaxRequestDuration == 0 {
+			props.ListenerConfig.MaxRequestDuration = DefaultMaxRequestDuration
+		}
+		handler = opts.HandlerFunc.Handler(&props)
+	}
+
+	if opts != nil && opts.RequestResponseCallback != nil {
+		c.requestResponseCallback = opts.RequestResponseCallback
+	}
+
+	// Set this in case the Seal was manually set before the core was
+	// created
+	if localConfig.Seal != nil {
+		localConfig.Seal.SetCore(c)
+	}
+
+	return cleanupFunc, c, localConfig, handler
+}
+
+func (testCluster *TestCluster) setupClusterListener(
+	t testing.T, idx int, core *Core, coreConfig *CoreConfig,
+	opts *TestClusterOptions, listeners []*TestListener, handler http.Handler,
+) {
+	if coreConfig.ClusterAddr == "" {
+		return
+	}
+
+	clusterAddrGen := func(lns []*TestListener, port int) []*net.TCPAddr {
+		ret := make([]*net.TCPAddr, len(lns))
+		for i, ln := range lns {
+			ret[i] = &net.TCPAddr{
+				IP:   ln.Address.IP,
+				Port: port,
+			}
+		}
+		return ret
+	}
+
+	baseClusterListenPort := 0
+	if opts != nil && opts.BaseClusterListenPort != 0 {
+		if opts.BaseListenAddress == "" {
+			t.Fatal("BaseListenAddress is not specified")
+		}
+		baseClusterListenPort = opts.BaseClusterListenPort
+	}
+
+	port := 0
+	if baseClusterListenPort != 0 {
+		port = baseClusterListenPort + idx
+	}
+	core.Logger().Info("assigning cluster listener for test core", "core", idx, "port", port)
+	core.SetClusterListenerAddrs(clusterAddrGen(listeners, port))
+	core.SetClusterHandler(handler)
+}
+
+func (tc *TestCluster) InitCores(t testing.T, opts *TestClusterOptions, addAuditBackend bool) {
+	tc.initCores(t, opts, addAuditBackend)
+}
+
+func (tc *TestCluster) initCores(t testing.T, opts *TestClusterOptions, addAuditBackend bool) {
+	leader := tc.Cores[0]
+
+	bKeys, rKeys, root := TestCoreInitClusterWrapperSetup(t, leader.Core, leader.Handler)
+	barrierKeys, _ := copystructure.Copy(bKeys)
+	tc.BarrierKeys = barrierKeys.([][]byte)
+	recoveryKeys, _ := copystructure.Copy(rKeys)
+	tc.RecoveryKeys = recoveryKeys.([][]byte)
+	tc.RootToken = root
+
+	// Write root token and barrier keys
+	err := ioutil.WriteFile(filepath.Join(tc.TempDir, "root_token"), []byte(root), 0o755)
+	if err != nil {
+		t.Fatal(err)
+	}
+	var buf bytes.Buffer
+	for i, key := range tc.BarrierKeys {
+		buf.WriteString(base64.StdEncoding.EncodeToString(key))
+		if i < len(tc.BarrierKeys)-1 {
+			buf.WriteRune('\n')
+		}
+	}
+	err = ioutil.WriteFile(filepath.Join(tc.TempDir, "barrier_keys"), buf.Bytes(), 0o755)
+	if err != nil {
+		t.Fatal(err)
+	}
+	for i, key := range tc.RecoveryKeys {
+		buf.WriteString(base64.StdEncoding.EncodeToString(key))
+		if i < len(tc.RecoveryKeys)-1 {
+			buf.WriteRune('\n')
+		}
+	}
+	err = ioutil.WriteFile(filepath.Join(tc.TempDir, "recovery_keys"), buf.Bytes(), 0o755)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Unseal first core
+	for _, key := range bKeys {
+		if _, err := leader.Core.Unseal(TestKeyCopy(key)); err != nil {
+			t.Fatalf("unseal err: %s", err)
+		}
+	}
+
+	ctx := context.Background()
+
+	// If stored keys is supported, the above will no no-op, so trigger auto-unseal
+	// using stored keys to try to unseal
+	if err := leader.Core.UnsealWithStoredKeys(ctx); err != nil {
+		t.Fatal(err)
+	}
+
+	// Verify unsealed
+	if leader.Core.Sealed() {
+		t.Fatal("should not be sealed")
+	}
+
+	TestWaitActive(t, leader.Core)
+
+	kvVersion := "1"
+	if opts != nil {
+		kvVersion = opts.KVVersion
+	}
+
+	testCoreAddSecretMount(t, leader.Core, tc.RootToken, kvVersion)
+
+	cfg, err := leader.Core.seal.BarrierConfig(ctx)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Unseal other cores unless otherwise specified
+	numCores := len(tc.Cores)
+	if (opts == nil || !opts.KeepStandbysSealed) && numCores > 1 {
+		for i := 1; i < numCores; i++ {
+			tc.Cores[i].Core.seal.SetCachedBarrierConfig(cfg)
+			for _, key := range bKeys {
+				if _, err := tc.Cores[i].Core.Unseal(TestKeyCopy(key)); err != nil {
+					t.Fatalf("unseal err: %s", err)
+				}
+			}
+
+			// If stored keys is supported, the above will no no-op, so trigger auto-unseal
+			// using stored keys
+			if err := tc.Cores[i].Core.UnsealWithStoredKeys(ctx); err != nil {
+				t.Fatal(err)
+			}
+		}
+
+		// Let them come fully up to standby
+		corehelpers.RetryUntil(t, 2*time.Second, func() error {
+			// Ensure cluster connection info is populated.
+			// Other cores should not come up as leaders.
+			for i := 1; i < numCores; i++ {
+				isLeader, _, _, err := tc.Cores[i].Core.Leader()
+				if err != nil {
+					return err
+				}
+				if isLeader {
+					return fmt.Errorf("core[%d] should not be leader", i)
+				}
+			}
+
+			return nil
+		})
+	}
+
+	//
+	// Set test cluster core(s) and test cluster
+	//
+	cluster, err := leader.Core.Cluster(context.Background())
+	if err != nil {
+		t.Fatal(err)
+	}
+	tc.ID = cluster.ID
+
+	if addAuditBackend {
+		// Enable auditing.
+		auditReq := &logical.Request{
+			Operation:   logical.UpdateOperation,
+			ClientToken: tc.RootToken,
+			Path:        "sys/audit/noop",
+			Data: map[string]interface{}{
+				"type": "noop",
+			},
+		}
+		resp, err := leader.Core.HandleRequest(namespace.RootContext(ctx), auditReq)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if resp.IsError() {
+			t.Fatal(err)
+		}
+	}
+}
+
+func (testCluster *TestCluster) getAPIClient(
+	t testing.T, opts *TestClusterOptions,
+	port int, tlsConfig *tls.Config,
+) *api.Client {
+	transport := cleanhttp.DefaultPooledTransport()
+	transport.TLSClientConfig = tlsConfig.Clone()
+	if err := http2.ConfigureTransport(transport); err != nil {
+		t.Fatal(err)
+	}
+	client := &http.Client{
+		Transport: transport,
+		CheckRedirect: func(*http.Request, []*http.Request) error {
+			// This can of course be overridden per-test by using its own client
+			return fmt.Errorf("redirects not allowed in these tests")
+		},
+	}
+	config := api.DefaultConfig()
+	if config.Error != nil {
+		t.Fatal(config.Error)
+	}
+	config.Address = fmt.Sprintf("https://127.0.0.1:%d", port)
+	config.HttpClient = client
+	config.MaxRetries = 0
+	apiClient, err := api.NewClient(config)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if opts == nil || !opts.SkipInit {
+		apiClient.SetToken(testCluster.RootToken)
+	}
+	return apiClient
+}
+
+func (c *TestCluster) GetBarrierOrRecoveryKeys() [][]byte {
+	if c.Cores[0].SealAccess().RecoveryKeySupported() {
+		return c.GetRecoveryKeys()
+	} else {
+		return c.GetBarrierKeys()
+	}
+}
+
+func (c *TestCluster) GetCACertPEMFile() string {
+	return c.CACertPEMFile
+}
+
+func (c *TestCluster) ClusterID() string {
+	return c.ID
+}
+
+func (c *TestCluster) Nodes() []testcluster.VaultClusterNode {
+	ret := make([]testcluster.VaultClusterNode, len(c.Cores))
+	for i, core := range c.Cores {
+		ret[i] = core
+	}
+	return ret
+}
+
+func (c *TestCluster) SetBarrierKeys(keys [][]byte) {
+	c.BarrierKeys = make([][]byte, len(keys))
+	for i, k := range keys {
+		c.BarrierKeys[i] = TestKeyCopy(k)
+	}
+}
+
+func (c *TestCluster) SetRecoveryKeys(keys [][]byte) {
+	c.RecoveryKeys = make([][]byte, len(keys))
+	for i, k := range keys {
+		c.RecoveryKeys[i] = TestKeyCopy(k)
+	}
+}
+
+func (c *TestCluster) GetBarrierKeys() [][]byte {
+	ret := make([][]byte, len(c.BarrierKeys))
+	for i, k := range c.BarrierKeys {
+		ret[i] = TestKeyCopy(k)
+	}
+	return ret
+}
+
+func (c *TestCluster) GetRecoveryKeys() [][]byte {
+	ret := make([][]byte, len(c.RecoveryKeys))
+	for i, k := range c.RecoveryKeys {
+		ret[i] = TestKeyCopy(k)
+	}
+	return ret
+}
+
+func (c *TestCluster) NamedLogger(name string) log.Logger {
+	return c.Logger.Named(name)
+}
+
+func (c *TestCluster) GetRootToken() string {
+	return c.RootToken
+}
+
+func (c *TestClusterCore) Name() string {
+	return c.NodeID
+}
+
+func (c *TestClusterCore) APIClient() *api.Client {
+	return c.Client
+}
+
+var (
+	_ testcluster.VaultCluster     = &TestCluster{}
+	_ testcluster.VaultClusterNode = &TestClusterCore{}
+)
diff --git a/ui/tests/integration/components/ldap/page/library/create-and-edit-test.js b/ui/tests/integration/components/ldap/page/library/create-and-edit-test.js
index 67c8721ce25e..f6ec26ddf27d 100644
--- a/ui/tests/integration/components/ldap/page/library/create-and-edit-test.js
+++ b/ui/tests/integration/components/ldap/page/library/create-and-edit-test.js
@@ -1,159 +1,888 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: MPL-2.0
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import { setupEngine } from 'ember-engines/test-support';
-import { setupMirage } from 'ember-cli-mirage/test-support';
-import { render, click, fillIn } from '@ember/test-helpers';
-import hbs from 'htmlbars-inline-precompile';
-import sinon from 'sinon';
-
-module('Integration | Component | ldap | Page::Library::CreateAndEdit', function (hooks) {
-  setupRenderingTest(hooks);
-  setupEngine(hooks, 'ldap');
-  setupMirage(hooks);
-
-  hooks.beforeEach(function () {
-    const router = this.owner.lookup('service:router');
-    const routerStub = sinon.stub(router, 'transitionTo');
-    this.transitionCalledWith = (routeName, name) => {
-      const route = `vault.cluster.secrets.backend.ldap.${routeName}`;
-      const args = name ? [route, name] : [route];
-      return routerStub.calledWith(...args);
-    };
-
-    this.store = this.owner.lookup('service:store');
-    this.newModel = this.store.createRecord('ldap/library', { backend: 'ldap-test' });
-
-    this.libraryData = this.server.create('ldap-library', { name: 'test-library' });
-    this.store.pushPayload('ldap/library', {
-      modelName: 'ldap/library',
-      backend: 'ldap-test',
-      ...this.libraryData,
-    });
-
-    this.breadcrumbs = [
-      { label: 'ldap', route: 'overview' },
-      { label: 'libraries', route: 'libraries' },
-      { label: 'create' },
-    ];
-
-    this.renderComponent = () => {
-      return render(
-        hbs`<Page::Library::CreateAndEdit @model={{this.model}} @breadcrumbs={{this.breadcrumbs}} />`,
-        { owner: this.engine }
-      );
-    };
-  });
-
-  test('it should populate form when editing', async function (assert) {
-    this.model = this.store.peekRecord('ldap/library', this.libraryData.name);
-
-    await this.renderComponent();
-
-    assert.dom('[data-test-input="name"]').hasValue(this.libraryData.name, 'Name renders');
-    assert.dom('[data-test-input="name"]').isDisabled('Name field is disabled when editing');
-    [(0, 1)].forEach((index) => {
-      assert
-        .dom(`[data-test-string-list-input="${index}"]`)
-        .hasValue(this.libraryData.service_account_names[index], 'Service account renders');
-    });
-    assert.dom('[data-test-ttl-value="Default lease TTL"]').hasAnyValue('Default lease ttl renders');
-    assert.dom('[data-test-ttl-value="Max lease TTL"]').hasAnyValue('Max lease ttl renders');
-    const checkInValue = this.libraryData.disable_check_in_enforcement ? 'Disabled' : 'Enabled';
-    assert
-      .dom(`[data-test-input="disable_check_in_enforcement"] input#${checkInValue}`)
-      .isChecked('Correct radio is checked for check-in enforcement');
-  });
-
-  test('it should go back to list route and clean up model on cancel', async function (assert) {
-    this.model = this.store.peekRecord('ldap/library', this.libraryData.name);
-    const spy = sinon.spy(this.model, 'rollbackAttributes');
-
-    await this.renderComponent();
-    await click('[data-test-cancel]');
-
-    assert.ok(spy.calledOnce, 'Model is rolled back on cancel');
-    assert.ok(this.transitionCalledWith('libraries'), 'Transitions to libraries list route on cancel');
-  });
-
-  test('it should validate form fields', async function (assert) {
-    this.model = this.newModel;
-
-    await this.renderComponent();
-    await click('[data-test-save]');
-
-    assert
-      .dom('[data-test-field-validation="name"] p')
-      .hasText('Library name is required.', 'Name validation error renders');
-    assert
-      .dom('[data-test-field-validation="service_account_names"] p')
-      .hasText('At least one service account is required.', 'Service account name validation error renders');
-    assert
-      .dom('[data-test-invalid-form-message] p')
-      .hasText('There are 2 errors with this form.', 'Invalid form message renders');
-  });
-
-  test('it should create new library', async function (assert) {
-    assert.expect(2);
-
-    this.server.post('/ldap-test/library/new-library', (schema, req) => {
-      const data = JSON.parse(req.requestBody);
-      const expected = {
-        service_account_names: 'foo@bar.com,bar@baz.com',
-        ttl: '24h',
-        max_ttl: '24h',
-        disable_check_in_enforcement: true,
-      };
-      assert.deepEqual(data, expected, 'POST request made with correct properties when creating library');
-    });
-
-    this.model = this.newModel;
-
-    await this.renderComponent();
-
-    await fillIn('[data-test-input="name"]', 'new-library');
-    await fillIn('[data-test-string-list-input="0"]', 'foo@bar.com');
-    await click('[data-test-string-list-button="add"]');
-    await fillIn('[data-test-string-list-input="1"]', 'bar@baz.com');
-    await click('[data-test-string-list-button="add"]');
-    await click('[data-test-input="disable_check_in_enforcement"] input#Disabled');
-    await click('[data-test-save]');
-
-    assert.ok(
-      this.transitionCalledWith('libraries.library.details', 'new-library'),
-      'Transitions to library details route on save success'
-    );
-  });
-
-  test('it should save edited library with correct properties', async function (assert) {
-    assert.expect(2);
-
-    this.server.post('/ldap-test/library/test-library', (schema, req) => {
-      const data = JSON.parse(req.requestBody);
-      const expected = {
-        service_account_names: this.libraryData.service_account_names[1],
-        ttl: this.libraryData.ttl,
-        max_ttl: this.libraryData.max_ttl,
-        disable_check_in_enforcement: true,
-      };
-      assert.deepEqual(expected, data, 'POST request made to save library with correct properties');
-    });
-
-    this.model = this.store.peekRecord('ldap/library', this.libraryData.name);
-
-    await this.renderComponent();
-
-    await click('[data-test-string-list-button="delete"]');
-    await click('[data-test-input="disable_check_in_enforcement"] input#Disabled');
-    await click('[data-test-save]');
-
-    assert.ok(
-      this.transitionCalledWith('libraries.library.details', 'test-library'),
-      'Transitions to library details route on save success'
-    );
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package sealmigration
+
+import (
+	"context"
+	"encoding/base64"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/go-test/deep"
+	"github.com/hashicorp/go-hclog"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/helper/testhelpers"
+	sealhelper "github.com/hashicorp/vault/helper/testhelpers/seal"
+	"github.com/hashicorp/vault/helper/testhelpers/teststorage"
+	"github.com/hashicorp/vault/http"
+	"github.com/hashicorp/vault/physical/raft"
+	"github.com/hashicorp/vault/vault"
+)
+
+const (
+	numTestCores = 3
+	keyShares    = 3
+	keyThreshold = 3
+
+	BasePort_ShamirToTransit_Pre14  = 20000
+	BasePort_TransitToShamir_Pre14  = 21000
+	BasePort_ShamirToTransit_Post14 = 22000
+	BasePort_TransitToShamir_Post14 = 23000
+	BasePort_TransitToTransit       = 24000
+)
+
+func ParamTestSealMigrationTransitToShamir_Pre14(t *testing.T, logger hclog.Logger, storage teststorage.ReusableStorage, basePort int) {
+	// Create the transit server.
+	tss := sealhelper.NewTransitSealServer(t, 0)
+	defer func() {
+		if tss != nil {
+			tss.Cleanup()
+		}
+	}()
+	sealKeyName := "transit-seal-key"
+	tss.MakeKey(t, sealKeyName)
+
+	// Initialize the backend with transit.
+	cluster, opts := InitializeTransit(t, logger, storage, basePort, tss, sealKeyName)
+	rootToken, recoveryKeys := cluster.RootToken, cluster.RecoveryKeys
+	cluster.EnsureCoresSealed(t)
+	cluster.Cleanup()
+	storage.Cleanup(t, cluster)
+
+	// Migrate the backend from transit to shamir
+	migrateFromTransitToShamir_Pre14(t, logger, storage, basePort, tss, opts.SealFunc, rootToken, recoveryKeys)
+
+	// Now that migration is done, we can nuke the transit server, since we
+	// can unseal without it.
+	tss.Cleanup()
+	tss = nil
+
+	// Run the backend with shamir.  Note that the recovery keys are now the
+	// barrier keys.
+	runShamir(t, logger, storage, basePort, rootToken, recoveryKeys)
+}
+
+func ParamTestSealMigrationShamirToTransit_Pre14(t *testing.T, logger hclog.Logger, storage teststorage.ReusableStorage, basePort int) {
+	// Initialize the backend using shamir
+	cluster, _ := initializeShamir(t, logger, storage, basePort)
+	rootToken, barrierKeys := cluster.RootToken, cluster.BarrierKeys
+	cluster.Cleanup()
+	storage.Cleanup(t, cluster)
+
+	// Create the transit server.
+	tss := sealhelper.NewTransitSealServer(t, 0)
+	defer func() {
+		tss.EnsureCoresSealed(t)
+		tss.Cleanup()
+	}()
+	tss.MakeKey(t, "transit-seal-key-1")
+
+	// Migrate the backend from shamir to transit.  Note that the barrier keys
+	// are now the recovery keys.
+	sealFunc := migrateFromShamirToTransit_Pre14(t, logger, storage, basePort, tss, rootToken, barrierKeys)
+
+	// Run the backend with transit.
+	runAutoseal(t, logger, storage, basePort, rootToken, sealFunc)
+}
+
+func ParamTestSealMigrationTransitToShamir_Post14(t *testing.T, logger hclog.Logger, storage teststorage.ReusableStorage, basePort int) {
+	// Create the transit server.
+	tss := sealhelper.NewTransitSealServer(t, 0)
+	defer func() {
+		if tss != nil {
+			tss.Cleanup()
+		}
+	}()
+	sealKeyName := "transit-seal-key-1"
+	tss.MakeKey(t, sealKeyName)
+
+	// Initialize the backend with transit.
+	cluster, opts := InitializeTransit(t, logger, storage, basePort, tss, sealKeyName)
+	rootToken, recoveryKeys := cluster.RootToken, cluster.RecoveryKeys
+
+	// Migrate the backend from transit to shamir
+	opts.UnwrapSealFunc = opts.SealFunc
+	opts.SealFunc = func() vault.Seal { return nil }
+	leaderIdx := migratePost14(t, storage, cluster, opts, cluster.RecoveryKeys)
+	validateMigration(t, storage, cluster, leaderIdx, verifySealConfigShamir)
+
+	cluster.Cleanup()
+	storage.Cleanup(t, cluster)
+
+	// Now that migration is done, we can nuke the transit server, since we
+	// can unseal without it.
+	tss.Cleanup()
+	tss = nil
+
+	// Run the backend with shamir.  Note that the recovery keys are now the
+	// barrier keys.
+	runShamir(t, logger, storage, basePort, rootToken, recoveryKeys)
+}
+
+func ParamTestSealMigrationShamirToTransit_Post14(t *testing.T, logger hclog.Logger, storage teststorage.ReusableStorage, basePort int) {
+	// Initialize the backend using shamir
+	cluster, opts := initializeShamir(t, logger, storage, basePort)
+
+	// Create the transit server.
+	tss := sealhelper.NewTransitSealServer(t, 0)
+	defer tss.Cleanup()
+	sealKeyName := "transit-seal-key-1"
+	tss.MakeKey(t, sealKeyName)
+
+	// Migrate the backend from shamir to transit.
+	opts.SealFunc = func() vault.Seal {
+		seal, err := tss.MakeSeal(t, sealKeyName)
+		if err != nil {
+			t.Fatal(err)
+		}
+		return seal
+	}
+
+	// Restart each follower with the new config, and migrate to Transit.
+	// Note that the barrier keys are being used as recovery keys.
+	leaderIdx := migratePost14(t, storage, cluster, opts, cluster.BarrierKeys)
+	validateMigration(t, storage, cluster, leaderIdx, verifySealConfigTransit)
+	cluster.Cleanup()
+	storage.Cleanup(t, cluster)
+
+	// Run the backend with transit.
+	runAutoseal(t, logger, storage, basePort, cluster.RootToken, opts.SealFunc)
+}
+
+func ParamTestSealMigration_TransitToTransit(t *testing.T, logger hclog.Logger,
+	storage teststorage.ReusableStorage, basePort int,
+) {
+	// Create the transit server.
+	tss1 := sealhelper.NewTransitSealServer(t, 0)
+	defer func() {
+		if tss1 != nil {
+			tss1.Cleanup()
+		}
+	}()
+	sealKeyName := "transit-seal-key-1"
+	tss1.MakeKey(t, sealKeyName)
+
+	// Initialize the backend with transit.
+	cluster, opts := InitializeTransit(t, logger, storage, basePort, tss1, sealKeyName)
+	rootToken := cluster.RootToken
+
+	// Create the transit server.
+	tss2 := sealhelper.NewTransitSealServer(t, 1)
+	defer func() {
+		tss2.Cleanup()
+	}()
+	tss2.MakeKey(t, "transit-seal-key-2")
+
+	// Migrate the backend from transit to transit.
+	opts.UnwrapSealFunc = opts.SealFunc
+	opts.SealFunc = func() vault.Seal {
+		seal, err := tss2.MakeSeal(t, "transit-seal-key-2")
+		if err != nil {
+			t.Fatal(err)
+		}
+		return seal
+	}
+	leaderIdx := migratePost14(t, storage, cluster, opts, cluster.RecoveryKeys)
+	validateMigration(t, storage, cluster, leaderIdx, verifySealConfigTransit)
+	cluster.Cleanup()
+	storage.Cleanup(t, cluster)
+
+	// Now that migration is done, we can nuke the transit server, since we
+	// can unseal without it.
+	tss1.Cleanup()
+	tss1 = nil
+
+	// Run the backend with transit.
+	runAutoseal(t, logger, storage, basePort, rootToken, opts.SealFunc)
+}
+
+func migrateFromTransitToShamir_Pre14(t *testing.T, logger hclog.Logger, storage teststorage.ReusableStorage, basePort int,
+	tss *sealhelper.TransitSealServer, sealFunc func() vault.Seal, rootToken string, recoveryKeys [][]byte,
+) {
+	baseClusterPort := basePort + 10
+
+	var conf vault.CoreConfig
+	opts := vault.TestClusterOptions{
+		Logger:                logger.Named("migrateFromTransitToShamir"),
+		HandlerFunc:           http.Handler,
+		NumCores:              numTestCores,
+		BaseListenAddress:     fmt.Sprintf("127.0.0.1:%d", basePort),
+		BaseClusterListenPort: baseClusterPort,
+		SkipInit:              true,
+		UnwrapSealFunc:        sealFunc,
+	}
+	storage.Setup(&conf, &opts)
+	conf.DisableAutopilot = true
+	cluster := vault.NewTestCluster(t, &conf, &opts)
+	cluster.Start()
+	defer func() {
+		cluster.Cleanup()
+		storage.Cleanup(t, cluster)
+	}()
+
+	leader := cluster.Cores[0]
+	client := leader.Client
+	client.SetToken(rootToken)
+
+	// Attempt to unseal while the transit server is unreachable.  Although
+	// we're unsealing using the recovery keys, this is still an
+	// autounseal, so it should fail.
+	tss.EnsureCoresSealed(t)
+	unsealMigrate(t, client, recoveryKeys, false)
+	tss.UnsealCores(t)
+	testhelpers.WaitForActiveNode(t, tss.TestCluster)
+
+	// Unseal and migrate to Shamir. Although we're unsealing using the
+	// recovery keys, this is still an autounseal.
+	unsealMigrate(t, client, recoveryKeys, true)
+	testhelpers.WaitForActiveNode(t, cluster)
+
+	// Wait for migration to finish.  Sadly there is no callback, and the
+	// test will fail later on if we don't do this.
+	time.Sleep(10 * time.Second)
+
+	// Read the secret
+	secret, err := client.Logical().Read("kv-wrapped/foo")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if diff := deep.Equal(secret.Data, map[string]interface{}{"zork": "quux"}); len(diff) > 0 {
+		t.Fatal(diff)
+	}
+
+	// Write a new secret
+	_, err = leader.Client.Logical().Write("kv-wrapped/test", map[string]interface{}{
+		"zork": "quux",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Make sure the seal configs were updated correctly.
+	b, r, err := cluster.Cores[0].Core.PhysicalSealConfigs(context.Background())
+	if err != nil {
+		t.Fatal(err)
+	}
+	verifyBarrierConfig(t, b, wrapping.WrapperTypeShamir.String(), keyShares, keyThreshold, 1)
+	if r != nil {
+		t.Fatalf("expected nil recovery config, got: %#v", r)
+	}
+
+	cluster.EnsureCoresSealed(t)
+}
+
+func migrateFromShamirToTransit_Pre14(t *testing.T, logger hclog.Logger, storage teststorage.ReusableStorage, basePort int, tss *sealhelper.TransitSealServer, rootToken string, recoveryKeys [][]byte) func() vault.Seal {
+	baseClusterPort := basePort + 10
+
+	conf := vault.CoreConfig{
+		DisableAutopilot: true,
+	}
+	opts := vault.TestClusterOptions{
+		Logger:                logger.Named("migrateFromShamirToTransit"),
+		HandlerFunc:           http.Handler,
+		NumCores:              numTestCores,
+		BaseListenAddress:     fmt.Sprintf("127.0.0.1:%d", basePort),
+		BaseClusterListenPort: baseClusterPort,
+		SkipInit:              true,
+		// N.B. Providing a transit seal puts us in migration mode.
+		SealFunc: func() vault.Seal {
+			seal, err := tss.MakeSeal(t, "transit-seal-key")
+			if err != nil {
+				t.Fatal(err)
+			}
+			return seal
+		},
+	}
+	storage.Setup(&conf, &opts)
+	cluster := vault.NewTestCluster(t, &conf, &opts)
+	cluster.Start()
+	defer func() {
+		cluster.Cleanup()
+		storage.Cleanup(t, cluster)
+	}()
+
+	leader := cluster.Cores[0]
+	leader.Client.SetToken(rootToken)
+
+	// Unseal and migrate to Transit.
+	unsealMigrate(t, leader.Client, recoveryKeys, true)
+
+	// Wait for migration to finish.
+	awaitMigration(t, leader.Client)
+
+	verifySealConfigTransit(t, leader)
+
+	// Read the secrets
+	secret, err := leader.Client.Logical().Read("kv-wrapped/foo")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if diff := deep.Equal(secret.Data, map[string]interface{}{"zork": "quux"}); len(diff) > 0 {
+		t.Fatal(diff)
+	}
+
+	// Write a new secret
+	_, err = leader.Client.Logical().Write("kv-wrapped/test", map[string]interface{}{
+		"zork": "quux",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	return opts.SealFunc
+}
+
+func validateMigration(t *testing.T, storage teststorage.ReusableStorage,
+	cluster *vault.TestCluster, leaderIdx int, f func(t *testing.T, core *vault.TestClusterCore),
+) {
+	t.Helper()
+
+	leader := cluster.Cores[leaderIdx]
+
+	secret, err := leader.Client.Logical().Read("kv-wrapped/foo")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if diff := deep.Equal(secret.Data, map[string]interface{}{"zork": "quux"}); len(diff) > 0 {
+		t.Fatal(diff)
+	}
+
+	var appliedIndex uint64
+	if storage.IsRaft {
+		appliedIndex = testhelpers.RaftAppliedIndex(leader)
+	}
+
+	for _, core := range cluster.Cores {
+		if storage.IsRaft {
+			testhelpers.WaitForRaftApply(t, core, appliedIndex)
+		}
+
+		f(t, core)
+	}
+}
+
+func migratePost14(t *testing.T, storage teststorage.ReusableStorage, cluster *vault.TestCluster,
+	opts *vault.TestClusterOptions, unsealKeys [][]byte,
+) int {
+	cluster.Logger = cluster.Logger.Named("migration")
+	// Restart each follower with the new config, and migrate.
+	for i := 1; i < len(cluster.Cores); i++ {
+		cluster.StopCore(t, i)
+		if storage.IsRaft {
+			teststorage.CloseRaftStorage(t, cluster, i)
+		}
+		cluster.StartCore(t, i, opts)
+
+		unsealMigrate(t, cluster.Cores[i].Client, unsealKeys, true)
+	}
+	testhelpers.WaitForActiveNodeAndStandbys(t, cluster)
+
+	// Step down the active node which will kick off the migration on one of the
+	// other nodes.
+	err := cluster.Cores[0].Client.Sys().StepDown()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Wait for the followers to establish a new leader
+	var leaderIdx int
+	for i := 0; i < 30; i++ {
+		leaderIdx, err = testhelpers.AwaitLeader(t, cluster)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if leaderIdx != 0 {
+			break
+		}
+		time.Sleep(1 * time.Second)
+	}
+	if leaderIdx == 0 {
+		t.Fatalf("Core 0 cannot be the leader right now")
+	}
+	leader := cluster.Cores[leaderIdx]
+
+	// Wait for migration to occur on the leader
+	awaitMigration(t, leader.Client)
+
+	var appliedIndex uint64
+	if storage.IsRaft {
+		appliedIndex = testhelpers.RaftAppliedIndex(leader)
+		testhelpers.WaitForRaftApply(t, cluster.Cores[0], appliedIndex)
+	}
+
+	// Bring down the leader
+	cluster.StopCore(t, 0)
+	if storage.IsRaft {
+		teststorage.CloseRaftStorage(t, cluster, 0)
+	}
+
+	// Bring core 0 back up; we still have the seal migration config in place,
+	// but now that migration has been performed we should be able to unseal
+	// with the new seal and without using the `migrate` unseal option.
+	cluster.StartCore(t, 0, opts)
+	unseal(t, cluster.Cores[0].Client, unsealKeys)
+
+	// Write a new secret
+	_, err = leader.Client.Logical().Write("kv-wrapped/test", map[string]interface{}{
+		"zork": "quux",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	return leaderIdx
+}
+
+func unsealMigrate(t *testing.T, client *api.Client, keys [][]byte, transitServerAvailable bool) {
+	t.Helper()
+	if err := attemptUnseal(client, keys); err == nil {
+		t.Fatal("expected error due to lack of migrate parameter")
+	}
+	if err := attemptUnsealMigrate(client, keys, transitServerAvailable); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func attemptUnsealMigrate(client *api.Client, keys [][]byte, transitServerAvailable bool) error {
+	for i, key := range keys {
+		resp, err := client.Sys().UnsealWithOptions(&api.UnsealOpts{
+			Key:     base64.StdEncoding.EncodeToString(key),
+			Migrate: true,
+		})
+
+		if i < keyThreshold-1 {
+			// Not enough keys have been provided yet.
+			if err != nil {
+				return err
+			}
+		} else {
+			if transitServerAvailable {
+				// The transit server is running.
+				if err != nil {
+					return err
+				}
+				if resp == nil || resp.Sealed {
+					return fmt.Errorf("expected unsealed state; got %#v", resp)
+				}
+			} else {
+				// The transit server is stopped.
+				if err == nil {
+					return fmt.Errorf("expected error due to transit server being stopped.")
+				}
+			}
+			break
+		}
+	}
+	return nil
+}
+
+// awaitMigration waits for migration to finish.
+func awaitMigration(t *testing.T, client *api.Client) {
+	timeout := time.Now().Add(60 * time.Second)
+	for {
+		if time.Now().After(timeout) {
+			break
+		}
+
+		resp, err := client.Sys().SealStatus()
+		if err != nil {
+			t.Fatal(err)
+		}
+		if !resp.Migration {
+			return
+		}
+
+		time.Sleep(time.Second)
+	}
+
+	t.Fatalf("migration did not complete.")
+}
+
+func unseal(t *testing.T, client *api.Client, keys [][]byte) {
+	t.Helper()
+	if err := attemptUnseal(client, keys); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func attemptUnseal(client *api.Client, keys [][]byte) error {
+	for i, key := range keys {
+
+		resp, err := client.Sys().UnsealWithOptions(&api.UnsealOpts{
+			Key: base64.StdEncoding.EncodeToString(key),
+		})
+		if i < keyThreshold-1 {
+			// Not enough keys have been provided yet.
+			if err != nil {
+				return err
+			}
+		} else {
+			if err != nil {
+				return err
+			}
+			if resp == nil || resp.Sealed {
+				return fmt.Errorf("expected unsealed state; got %#v", resp)
+			}
+			break
+		}
+	}
+	return nil
+}
+
+func verifySealConfigShamir(t *testing.T, core *vault.TestClusterCore) {
+	t.Helper()
+	b, r, err := core.PhysicalSealConfigs(context.Background())
+	if err != nil {
+		t.Fatal(err)
+	}
+	verifyBarrierConfig(t, b, wrapping.WrapperTypeShamir.String(), keyShares, keyThreshold, 1)
+	if r != nil {
+		t.Fatal("should not have recovery config for shamir")
+	}
+}
+
+func verifySealConfigTransit(t *testing.T, core *vault.TestClusterCore) {
+	t.Helper()
+	b, r, err := core.PhysicalSealConfigs(context.Background())
+	if err != nil {
+		t.Fatal(err)
+	}
+	verifyBarrierConfig(t, b, wrapping.WrapperTypeTransit.String(), 1, 1, 1)
+	verifyBarrierConfig(t, r, wrapping.WrapperTypeShamir.String(), keyShares, keyThreshold, 0)
+}
+
+// verifyBarrierConfig verifies that a barrier configuration is correct.
+func verifyBarrierConfig(t *testing.T, cfg *vault.SealConfig, sealType string, shares, threshold, stored int) {
+	t.Helper()
+	if cfg.Type != sealType {
+		t.Fatalf("bad seal config: %#v, expected type=%q", cfg, sealType)
+	}
+	if cfg.SecretShares != shares {
+		t.Fatalf("bad seal config: %#v, expected SecretShares=%d", cfg, shares)
+	}
+	if cfg.SecretThreshold != threshold {
+		t.Fatalf("bad seal config: %#v, expected SecretThreshold=%d", cfg, threshold)
+	}
+	if cfg.StoredShares != stored {
+		t.Fatalf("bad seal config: %#v, expected StoredShares=%d", cfg, stored)
+	}
+}
+
+// initializeShamir initializes a brand new backend storage with Shamir.
+func initializeShamir(t *testing.T, logger hclog.Logger, storage teststorage.ReusableStorage, basePort int) (*vault.TestCluster, *vault.TestClusterOptions) {
+	t.Helper()
+
+	baseClusterPort := basePort + 10
+
+	// Start the cluster
+	conf := vault.CoreConfig{
+		DisableAutopilot: true,
+	}
+	opts := vault.TestClusterOptions{
+		Logger:                logger.Named("initializeShamir"),
+		HandlerFunc:           http.Handler,
+		NumCores:              numTestCores,
+		BaseListenAddress:     fmt.Sprintf("127.0.0.1:%d", basePort),
+		BaseClusterListenPort: baseClusterPort,
+	}
+	storage.Setup(&conf, &opts)
+	cluster := vault.NewTestCluster(t, &conf, &opts)
+	cluster.Start()
+
+	leader := cluster.Cores[0]
+	client := leader.Client
+
+	// Unseal
+	if storage.IsRaft {
+		joinRaftFollowers(t, cluster, false)
+		if err := testhelpers.VerifyRaftConfiguration(leader, len(cluster.Cores)); err != nil {
+			t.Fatal(err)
+		}
+	} else {
+		cluster.UnsealCores(t)
+	}
+	testhelpers.WaitForActiveNodeAndStandbys(t, cluster)
+
+	err := client.Sys().Mount("kv-wrapped", &api.MountInput{
+		SealWrap: true,
+		Type:     "kv",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Write a secret that we will read back out later.
+	_, err = client.Logical().Write("kv-wrapped/foo", map[string]interface{}{
+		"zork": "quux",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	return cluster, &opts
+}
+
+// runShamir uses a pre-populated backend storage with Shamir.
+func runShamir(t *testing.T, logger hclog.Logger, storage teststorage.ReusableStorage, basePort int, rootToken string, barrierKeys [][]byte) {
+	t.Helper()
+	baseClusterPort := basePort + 10
+
+	// Start the cluster
+	conf := vault.CoreConfig{
+		DisableAutopilot: true,
+	}
+	opts := vault.TestClusterOptions{
+		Logger:                logger.Named("runShamir"),
+		HandlerFunc:           http.Handler,
+		NumCores:              numTestCores,
+		BaseListenAddress:     fmt.Sprintf("127.0.0.1:%d", basePort),
+		BaseClusterListenPort: baseClusterPort,
+		SkipInit:              true,
+	}
+	storage.Setup(&conf, &opts)
+	cluster := vault.NewTestCluster(t, &conf, &opts)
+	cluster.Start()
+	defer func() {
+		cluster.Cleanup()
+		storage.Cleanup(t, cluster)
+	}()
+
+	leader := cluster.Cores[0]
+
+	// Unseal
+	cluster.BarrierKeys = barrierKeys
+	if storage.IsRaft {
+		for _, core := range cluster.Cores {
+			cluster.UnsealCore(t, core)
+		}
+		// This is apparently necessary for the raft cluster to get itself
+		// situated.
+		time.Sleep(15 * time.Second)
+		if err := testhelpers.VerifyRaftConfiguration(leader, len(cluster.Cores)); err != nil {
+			t.Fatal(err)
+		}
+	} else {
+		cluster.UnsealCores(t)
+	}
+	testhelpers.WaitForNCoresUnsealed(t, cluster, len(cluster.Cores))
+
+	// Ensure that we always use the leader's client for this read check
+	leaderIdx, err := testhelpers.AwaitLeader(t, cluster)
+	if err != nil {
+		t.Fatal(err)
+	}
+	client := cluster.Cores[leaderIdx].Client
+	client.SetToken(rootToken)
+
+	// Read the secrets
+	secret, err := client.Logical().Read("kv-wrapped/foo")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if diff := deep.Equal(secret.Data, map[string]interface{}{"zork": "quux"}); len(diff) > 0 {
+		t.Fatal(diff)
+	}
+	secret, err = client.Logical().Read("kv-wrapped/test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if diff := deep.Equal(secret.Data, map[string]interface{}{"zork": "quux"}); len(diff) > 0 {
+		t.Fatal(diff)
+	}
+}
+
+// initializeTransit initializes a brand new backend storage with Transit.
+func InitializeTransit(t *testing.T, logger hclog.Logger, storage teststorage.ReusableStorage, basePort int,
+	tss *sealhelper.TransitSealServer, sealKeyName string,
+) (*vault.TestCluster, *vault.TestClusterOptions) {
+	t.Helper()
+
+	baseClusterPort := basePort + 10
+
+	// Start the cluster
+	conf := vault.CoreConfig{
+		DisableAutopilot: true,
+	}
+	opts := vault.TestClusterOptions{
+		Logger:                logger.Named("initializeTransit"),
+		HandlerFunc:           http.Handler,
+		NumCores:              numTestCores,
+		BaseListenAddress:     fmt.Sprintf("127.0.0.1:%d", basePort),
+		BaseClusterListenPort: baseClusterPort,
+		SealFunc: func() vault.Seal {
+			seal, err := tss.MakeSeal(t, sealKeyName)
+			if err != nil {
+				t.Fatal(err)
+			}
+			return seal
+		},
+	}
+	storage.Setup(&conf, &opts)
+	cluster := vault.NewTestCluster(t, &conf, &opts)
+	cluster.Start()
+
+	leader := cluster.Cores[0]
+	client := leader.Client
+
+	// Join raft
+	if storage.IsRaft {
+		joinRaftFollowers(t, cluster, true)
+
+		if err := testhelpers.VerifyRaftConfiguration(leader, len(cluster.Cores)); err != nil {
+			t.Fatal(err)
+		}
+	}
+	testhelpers.WaitForActiveNodeAndStandbys(t, cluster)
+
+	err := client.Sys().Mount("kv-wrapped", &api.MountInput{
+		SealWrap: true,
+		Type:     "kv",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Write a secret that we will read back out later.
+	_, err = client.Logical().Write("kv-wrapped/foo", map[string]interface{}{
+		"zork": "quux",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	return cluster, &opts
+}
+
+func runAutoseal(t *testing.T, logger hclog.Logger, storage teststorage.ReusableStorage,
+	basePort int, rootToken string, sealFunc func() vault.Seal,
+) {
+	baseClusterPort := basePort + 10
+
+	// Start the cluster
+	conf := vault.CoreConfig{
+		DisableAutopilot: true,
+	}
+	opts := vault.TestClusterOptions{
+		Logger:                logger.Named("runTransit"),
+		HandlerFunc:           http.Handler,
+		NumCores:              numTestCores,
+		BaseListenAddress:     fmt.Sprintf("127.0.0.1:%d", basePort),
+		BaseClusterListenPort: baseClusterPort,
+		SkipInit:              true,
+		SealFunc:              sealFunc,
+	}
+	storage.Setup(&conf, &opts)
+	cluster := vault.NewTestCluster(t, &conf, &opts)
+	cluster.Start()
+	defer func() {
+		cluster.Cleanup()
+		storage.Cleanup(t, cluster)
+	}()
+
+	for _, c := range cluster.Cores {
+		c.Client.SetToken(rootToken)
+	}
+
+	// Unseal.  Even though we are using autounseal, we have to unseal
+	// explicitly because we are using SkipInit.
+	if storage.IsRaft {
+		for _, core := range cluster.Cores {
+			cluster.UnsealCoreWithStoredKeys(t, core)
+		}
+		// This is apparently necessary for the raft cluster to get itself
+		// situated.
+		time.Sleep(15 * time.Second)
+		// We're taking the first core, but we're not assuming it's the leader here.
+		if err := testhelpers.VerifyRaftConfiguration(cluster.Cores[0], len(cluster.Cores)); err != nil {
+			t.Fatal(err)
+		}
+	} else {
+		if err := cluster.UnsealCoresWithError(t, true); err != nil {
+			t.Fatal(err)
+		}
+	}
+	testhelpers.WaitForNCoresUnsealed(t, cluster, len(cluster.Cores))
+
+	// Preceding code may have stepped down the leader, so we're not sure who it is
+	// at this point.
+	leaderCore := testhelpers.DeriveActiveCore(t, cluster)
+	client := leaderCore.Client
+
+	// Read the secrets
+	secret, err := client.Logical().Read("kv-wrapped/foo")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if diff := deep.Equal(secret.Data, map[string]interface{}{"zork": "quux"}); len(diff) > 0 {
+		t.Fatal(diff)
+	}
+	secret, err = client.Logical().Read("kv-wrapped/test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if secret == nil {
+		t.Fatal("secret is nil")
+	}
+	if diff := deep.Equal(secret.Data, map[string]interface{}{"zork": "quux"}); len(diff) > 0 {
+		t.Fatal(diff)
+	}
+}
+
+// joinRaftFollowers unseals the leader, and then joins-and-unseals the
+// followers one at a time.  We assume that the ServerAddressProvider has
+// already been installed on all the nodes.
+func joinRaftFollowers(t *testing.T, cluster *vault.TestCluster, useStoredKeys bool) {
+	leader := cluster.Cores[0]
+
+	cluster.UnsealCore(t, leader)
+	vault.TestWaitActive(t, leader.Core)
+
+	leaderInfos := []*raft.LeaderJoinInfo{
+		{
+			LeaderAPIAddr: leader.Client.Address(),
+			TLSConfig:     leader.TLSConfig(),
+		},
+	}
+
+	// Join followers
+	for i := 1; i < len(cluster.Cores); i++ {
+		core := cluster.Cores[i]
+		_, err := core.JoinRaftCluster(namespace.RootContext(context.Background()), leaderInfos, false)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if useStoredKeys {
+			// For autounseal, the raft backend is not initialized right away
+			// after the join.  We need to wait briefly before we can unseal.
+			awaitUnsealWithStoredKeys(t, core)
+		} else {
+			cluster.UnsealCore(t, core)
+		}
+	}
+
+	testhelpers.WaitForNCoresUnsealed(t, cluster, len(cluster.Cores))
+}
+
+func awaitUnsealWithStoredKeys(t *testing.T, core *vault.TestClusterCore) {
+	timeout := time.Now().Add(30 * time.Second)
+	for {
+		if time.Now().After(timeout) {
+			t.Fatal("raft join: timeout waiting for core to unseal")
+		}
+		// Its actually ok for an error to happen here the first couple of
+		// times -- it means the raft join hasn't gotten around to initializing
+		// the backend yet.
+		err := core.UnsealWithStoredKeys(context.Background())
+		if err == nil {
+			return
+		}
+		core.Logger().Warn("raft join: failed to unseal core", "error", err)
+		time.Sleep(time.Second)
+	}
+}
diff --git a/ui/tests/integration/components/license-banners-test.js b/ui/tests/integration/components/license-banners-test.js
index 3a3d2caa2b4a..6572357e82da 100644
--- a/ui/tests/integration/components/license-banners-test.js
+++ b/ui/tests/integration/components/license-banners-test.js
@@ -1,159 +1,65 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
 
-import { module, test } from 'qunit';
-import sinon from 'sinon';
-import { setupRenderingTest } from 'ember-qunit';
-import { render, click } from '@ember/test-helpers';
-import { hbs } from 'ember-cli-htmlbars';
-import subDays from 'date-fns/subDays';
-import addDays from 'date-fns/addDays';
-import formatRFC3339 from 'date-fns/formatRFC3339';
-import timestamp from 'core/utils/timestamp';
-
-module('Integration | Component | license-banners', function (hooks) {
-  setupRenderingTest(hooks);
-
-  hooks.before(function () {
-    sinon.stub(timestamp, 'now').callsFake(() => new Date('2018-04-03T14:15:30'));
-  });
-  hooks.beforeEach(function () {
-    const mockNow = timestamp.now();
-    this.now = mockNow;
-    this.yesterday = subDays(mockNow, 1);
-    this.nextMonth = addDays(mockNow, 30);
-    this.outside30 = addDays(mockNow, 32);
-    this.tomorrow = addDays(mockNow, 1);
-    this.version = this.owner.lookup('service:version');
-    this.version.version = '1.13.1+ent';
-  });
-  hooks.after(function () {
-    timestamp.now.restore();
-  });
-
-  test('it does not render if no expiry', async function (assert) {
-    assert.expect(2);
-    await render(hbs`<LicenseBanners />`);
-    assert.dom('[data-test-license-banner-expired]').doesNotExist();
-    assert.dom('[data-test-license-banner-warning]').doesNotExist();
-  });
-
-  test('it renders an error if expiry is before now', async function (assert) {
-    assert.expect(2);
-    this.set('expiry', formatRFC3339(this.yesterday));
-    await render(hbs`<LicenseBanners @expiry={{this.expiry}} />`);
-    assert.dom('[data-test-license-banner-expired]').exists('Expired license banner renders');
-    assert
-      .dom('[data-test-license-banner-expired] .hds-alert__title')
-      .hasText('License expired', 'Shows correct title on alert');
-  });
-
-  test('it renders a warning if expiry is within 30 days', async function (assert) {
-    assert.expect(2);
-    this.set('expiry', formatRFC3339(this.nextMonth));
-    await render(hbs`<LicenseBanners @expiry={{this.expiry}} />`);
-    assert.dom('[data-test-license-banner-warning]').exists('Warning license banner renders');
-    assert
-      .dom('[data-test-license-banner-warning] .hds-alert__title')
-      .hasText('Vault license expiring', 'Shows correct title on alert');
-  });
-
-  test('it does not render a banner if expiry is outside 30 days', async function (assert) {
-    assert.expect(2);
-    this.set('expiry', formatRFC3339(this.outside30));
-    await render(hbs`<LicenseBanners @expiry={{this.expiry}} />`);
-    assert.dom('[data-test-license-banner-expired]').doesNotExist();
-    assert.dom('[data-test-license-banner-warning]').doesNotExist();
-  });
-
-  test('it does not render the expired banner if it has been dismissed', async function (assert) {
-    assert.expect(3);
-    this.set('expiry', formatRFC3339(this.yesterday));
-    const key = `dismiss-license-banner-${this.version.version}-${this.expiry}`;
-    await render(hbs`<LicenseBanners @expiry={{this.expiry}} />`);
-    await click('[data-test-license-banner-expired] [data-test-icon="x"]');
-    assert.dom('[data-test-license-banner-expired]').doesNotExist('Expired license banner does not render');
-
-    await render(hbs`<LicenseBanners @expiry={{this.expiry}} />`);
-    const localStorageResult = JSON.parse(localStorage.getItem(key));
-    assert.strictEqual(localStorageResult, 'expired');
-    assert
-      .dom('[data-test-license-banner-expired]')
-      .doesNotExist('The expired banner still does not render after a re-render.');
-    localStorage.removeItem(key);
-  });
-
-  test('it does not render the warning banner if it has been dismissed', async function (assert) {
-    assert.expect(3);
-    this.set('expiry', formatRFC3339(this.nextMonth));
-    const key = `dismiss-license-banner-${this.version.version}-${this.expiry}`;
-    await render(hbs`<LicenseBanners @expiry={{this.expiry}} />`);
-    await click('[data-test-license-banner-warning] [data-test-icon="x"]');
-    assert.dom('[data-test-license-banner-warning]').doesNotExist('Warning license banner does not render');
-
-    await render(hbs`<LicenseBanners @expiry={{this.expiry}} />`);
-    const localStorageResult = JSON.parse(localStorage.getItem(key));
-    assert.strictEqual(localStorageResult, 'warning');
-    assert
-      .dom('[data-test-license-banner-warning]')
-      .doesNotExist('The warning banner still does not render after a re-render.');
-    localStorage.removeItem(key);
-  });
-
-  test('it renders a banner if the vault license has changed', async function (assert) {
-    assert.expect(3);
-    this.version.version = '1.12.1+ent';
-    this.set('expiry', formatRFC3339(this.nextMonth));
-    const keyOldVersion = `dismiss-license-banner-${this.version.version}-${this.expiry}`;
-    await render(hbs`<LicenseBanners @expiry={{this.expiry}} />`);
-    await click('[data-test-license-banner-warning] [data-test-icon="x"]');
-    this.version.version = '1.13.1+ent';
-    const keyNewVersion = `dismiss-license-banner-${this.version.version}-${this.expiry}`;
-    await render(hbs`<LicenseBanners @expiry={{this.expiry}} />`);
-    assert
-      .dom('[data-test-license-banner-warning]')
-      .exists('The warning banner shows even though we have dismissed it earlier.');
-
-    await click('[data-test-license-banner-warning] [data-test-icon="x"]');
-    const localStorageResultNewVersion = JSON.parse(localStorage.getItem(keyNewVersion));
-    const localStorageResultOldVersion = JSON.parse(localStorage.getItem(keyOldVersion));
-    // Check that localStorage was cleaned and no longer contains the old version storage key.
-    assert.strictEqual(localStorageResultOldVersion, null, 'local storage was cleared for the old version');
-    assert.strictEqual(
-      localStorageResultNewVersion,
-      'warning',
-      'local storage holds the new version with a warning'
-    );
-    // If debugging this test remember to clear localStorage if the test was not run to completion.
-    localStorage.removeItem(keyNewVersion);
-  });
-
-  test('it renders a banner if the vault expiry has changed', async function (assert) {
-    assert.expect(3);
-    this.set('expiry', formatRFC3339(this.tomorrow));
-    const keyOldExpiry = `dismiss-license-banner-${this.version.version}-${this.expiry}`;
-    await render(hbs`<LicenseBanners @expiry={{this.expiry}} />`);
-    await click('[data-test-license-banner-warning] [data-test-icon="x"]');
-    this.set('expiry', formatRFC3339(this.nextMonth));
-    const keyNewExpiry = `dismiss-license-banner-${this.version.version}-${this.expiry}`;
-    await render(hbs`<LicenseBanners @expiry={{this.expiry}} />`);
-    assert
-      .dom('[data-test-license-banner-warning]')
-      .exists('The warning banner shows even though we have dismissed it earlier.');
-
-    await click('[data-test-license-banner-warning] [data-test-icon="x"]');
-    const localStorageResultNewExpiry = JSON.parse(localStorage.getItem(keyNewExpiry));
-    const localStorageResultOldExpiry = JSON.parse(localStorage.getItem(keyOldExpiry));
-    // Check that localStorage was cleaned and no longer contains the old version storage key.
-    assert.strictEqual(localStorageResultOldExpiry, null, 'local storage was cleared for the old expiry');
-    assert.strictEqual(
-      localStorageResultNewExpiry,
-      'warning',
-      'local storage holds the new expiry with a warning'
-    );
-    // If debugging this test remember to clear localStorage if the test was not run to completion.
-    localStorage.removeItem(keyNewExpiry);
-  });
-});
+{{#unless @uploadOnly}}
+  <div class="level is-mobile">
+    <div class="level-left">
+      <label for="input-{{this.elementId}}" class="has-text-weight-semibold" data-test-text-file-label>
+        {{or @label "File"}}
+        {{#if @helpText}}
+          <InfoTooltip>
+            <span data-test-help-text>
+              {{@helpText}}
+            </span>
+          </InfoTooltip>
+        {{/if}}
+      </label>
+    </div>
+    <div class="level-right">
+      <Input
+        data-test-text-toggle
+        id="use-text-{{this.elementId}}"
+        class="toggle is-success is-small"
+        @type="checkbox"
+        @checked={{this.showTextArea}}
+        {{on "change" (fn (mut this.showTextArea) (not this.showTextArea))}}
+      />
+      <label for="use-text-{{this.elementId}}" class="has-text-weight-bold is-size-8">
+        Enter as text
+      </label>
+    </div>
+  </div>
+{{/unless}}
+<div class="field text-file box is-fullwidth is-marginless is-shadowless is-paddingless" data-test-component="text-file">
+  {{#if this.showTextArea}}
+    <Hds::Form::MaskedInput::Field
+      id="input-{{this.elementId}}"
+      @value={{this.content}}
+      @isMultiline={{true}}
+      {{on "input" this.handleTextInput}}
+      data-test-text-file-textarea
+      as |F|
+    >
+      <F.HelperText>Enter the value as text </F.HelperText>
+    </Hds::Form::MaskedInput::Field>
+  {{else}}
+    <Hds::Form::FileInput::Field
+      id="file-input-{{this.elementId}}"
+      {{on "change" this.handleFileUpload}}
+      data-test-text-file-input
+      as |F|
+    >
+      <F.HelperText>Select a file from your computer</F.HelperText>
+    </Hds::Form::FileInput::Field>
+    {{#if (or @validationError this.uploadError)}}
+      <AlertInline
+        @type="danger"
+        @message={{or @validationError this.uploadError}}
+        class="has-top-padding-s"
+        data-test-field-validation="text-file"
+      />
+    {{/if}}
+  {{/if}}
+</div>
\ No newline at end of file
diff --git a/ui/tests/integration/components/link-status-test.js b/ui/tests/integration/components/link-status-test.js
index 04bd942b9b4a..eb430b48daa0 100644
--- a/ui/tests/integration/components/link-status-test.js
+++ b/ui/tests/integration/components/link-status-test.js
@@ -1,118 +1,49 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import { render } from '@ember/test-helpers';
-import { hbs } from 'ember-cli-htmlbars';
-import { setupMirage } from 'ember-cli-mirage/test-support';
-import { statuses } from '../../../mirage/handlers/hcp-link';
-
-const SELECTORS = {
-  modalOpen: '[data-test-link-status] button',
-  modalClose: '[data-test-icon="x"]',
-  bannerConnected: '.hds-alert [data-test-icon="info"]',
-  bannerWarning: '.hds-alert [data-test-icon="alert-triangle"]',
-  banner: '[data-test-link-status]',
-};
-
-module('Integration | Component | link-status', function (hooks) {
-  setupRenderingTest(hooks);
-  setupMirage(hooks);
-
-  // this can be removed once feature is released for OSS
-  hooks.beforeEach(function () {
-    this.owner.lookup('service:version').set('version', '1.13.0+ent');
-    this.statuses = statuses;
-  });
-
-  test('it does not render banner when status is not present', async function (assert) {
-    await render(hbs`
-      <LinkStatus @status={{undefined}} />
-    `);
-
-    assert.dom(SELECTORS.banner).doesNotExist('Banner is hidden for missing status message');
-  });
-
-  test('it does not render banner in oss version', async function (assert) {
-    this.owner.lookup('service:version').set('version', '1.13.0');
-
-    await render(hbs`
-      <LinkStatus @status={{get this.statuses 0}} />
-    `);
-
-    assert.dom(SELECTORS.banner).doesNotExist('Banner is hidden in oss');
-  });
-
-  test('it renders connected status', async function (assert) {
-    await render(hbs`
-      <LinkStatus @status={{get this.statuses 0}} />
-    `);
-
-    assert.dom(SELECTORS.bannerConnected).exists('Success banner renders for connected state');
-    assert
-      .dom('[data-test-link-status]')
-      .hasText('This self-managed Vault is linked to HCP.', 'Banner copy renders for connected state');
-    assert
-      .dom('[data-test-link-status] a')
-      .hasAttribute('href', 'https://portal.cloud.hashicorp.com/sign-in', 'HCP sign in link renders');
-  });
-
-  test('it should render error states', async function (assert) {
-    // disconnected error
-    await render(hbs`
-      <LinkStatus @status={{get this.statuses 1}} />
-    `);
-
-    assert.dom(SELECTORS.bannerWarning).exists('Warning banner renders for error state');
-    assert
-      .dom('[data-test-link-status]')
-      .hasText('Error connecting to HCP', 'Banner title renders for error state');
-    assert
-      .dom('[data-test-link-error]')
-      .hasText(
-        'Since 2022-09-21T11:25:02.196835-07:00, unable to establish a connection with HCP. Check the logs for more information.',
-        'Error renders for case 1'
-      );
-
-    // unable to establish connection error
-    await render(hbs`
-      <LinkStatus @status={{get this.statuses 2}} />
-    `);
-    assert
-      .dom('[data-test-link-error]')
-      .hasText(
-        'Since 2022-09-21T11:25:02.196835-07:00, unable to establish a connection with HCP. Check the logs for more information.',
-        'Error renders for case 2'
-      );
-
-    // no permissions error
-    await render(hbs`
-      <LinkStatus @status={{get this.statuses 3}} />
-    `);
-    assert
-      .dom('[data-test-link-error]')
-      .hasText(
-        'Since 2022-09-21T11:25:02.196835-07:00, principal does not have the permission to register as a provider. Check the logs for more information.',
-        'Error renders for case 3'
-      );
-
-    // could not obtain token error
-    await render(hbs`
-      <LinkStatus @status={{get this.statuses 4}} />
-    `);
-    assert
-      .dom('[data-test-link-error]')
-      .hasText(
-        'Since 2022-09-21T11:25:02.196835-07:00, could not obtain a token with the supplied credentials. Check the logs for more information.',
-        'Error renders for case 3'
-      );
-
-    await render(hbs`
-      <LinkStatus @status="connecting" />
-    `);
-    assert.dom('[data-test-link-error]').doesNotExist('No errors rendered when link is in connected state');
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+
+	"github.com/hashicorp/cli"
+)
+
+var _ cli.Command = (*TokenCommand)(nil)
+
+type TokenCommand struct {
+	*BaseCommand
+}
+
+func (c *TokenCommand) Synopsis() string {
+	return "Interact with tokens"
+}
+
+func (c *TokenCommand) Help() string {
+	helpText := `
+Usage: vault token <subcommand> [options] [args]
+
+  This command groups subcommands for interacting with tokens. Users can
+  create, lookup, renew, and revoke tokens.
+
+  Create a new token:
+
+      $ vault token create
+
+  Revoke a token:
+
+      $ vault token revoke 96ddf4bc-d217-f3ba-f9bd-017055595017
+
+  Renew a token:
+
+      $ vault token renew 96ddf4bc-d217-f3ba-f9bd-017055595017
+
+  Please see the individual subcommand help for detailed usage information.
+`
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *TokenCommand) Run(args []string) int {
+	return cli.RunResultHelp
+}
diff --git a/ui/tests/integration/components/mount-backend/type-form-test.js b/ui/tests/integration/components/mount-backend/type-form-test.js
index 9ab5b06a12c0..fc149b9611f7 100644
--- a/ui/tests/integration/components/mount-backend/type-form-test.js
+++ b/ui/tests/integration/components/mount-backend/type-form-test.js
@@ -1,68 +1,117 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'vault/tests/helpers';
-import { click, render } from '@ember/test-helpers';
-import { hbs } from 'ember-cli-htmlbars';
-import sinon from 'sinon';
-import { allEngines, mountableEngines } from 'vault/helpers/mountable-secret-engines';
-import { allMethods, methods } from 'vault/helpers/mountable-auth-methods';
-
-const secretTypes = mountableEngines().map((engine) => engine.type);
-const allSecretTypes = allEngines().map((engine) => engine.type);
-const authTypes = methods().map((auth) => auth.type);
-const allAuthTypes = allMethods().map((auth) => auth.type);
-
-module('Integration | Component | mount-backend/type-form', function (hooks) {
-  setupRenderingTest(hooks);
-
-  hooks.beforeEach(function () {
-    this.setType = sinon.spy();
-  });
-
-  test('it calls secrets setMountType when type is selected', async function (assert) {
-    const spy = sinon.spy();
-    this.set('setType', spy);
-    await render(hbs`<MountBackend::TypeForm @mountType="secret" @setMountType={{this.setType}} />`);
-
-    assert
-      .dom('[data-test-mount-type]')
-      .exists({ count: secretTypes.length }, 'Renders all mountable engines');
-    await click(`[data-test-mount-type="ssh"]`);
-    assert.ok(spy.calledOnceWith('ssh'));
-  });
-
-  test('it calls auth setMountType when type is selected', async function (assert) {
-    const spy = sinon.spy();
-    this.set('setType', spy);
-    await render(hbs`<MountBackend::TypeForm @setMountType={{this.setType}} />`);
-
-    assert
-      .dom('[data-test-mount-type]')
-      .exists({ count: authTypes.length }, 'Renders all mountable auth methods');
-    await click(`[data-test-mount-type="okta"]`);
-    assert.ok(spy.calledOnceWith('okta'));
-  });
-
-  module('Enterprise', function (hooks) {
-    hooks.beforeEach(function () {
-      this.version = this.owner.lookup('service:version');
-      this.version.version = '1.12.1+ent';
-    });
-
-    test('it renders correct items for enterprise secrets', async function (assert) {
-      await render(hbs`<MountBackend::TypeForm @mountType="secret" @setMountType={{this.setType}} />`);
-      assert
-        .dom('[data-test-mount-type]')
-        .exists({ count: allSecretTypes.length }, 'Renders all secret engines');
-    });
-
-    test('it renders correct items for enterprise auth methods', async function (assert) {
-      await render(hbs`<MountBackend::TypeForm @mountType="auth" @setMountType={{this.setType}} />`);
-      assert.dom('[data-test-mount-type]').exists({ count: allAuthTypes.length }, 'Renders all auth methods');
-    });
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*TokenCapabilitiesCommand)(nil)
+	_ cli.CommandAutocomplete = (*TokenCapabilitiesCommand)(nil)
+)
+
+type TokenCapabilitiesCommand struct {
+	*BaseCommand
+}
+
+func (c *TokenCapabilitiesCommand) Synopsis() string {
+	return "Print capabilities of a token on a path"
+}
+
+func (c *TokenCapabilitiesCommand) Help() string {
+	helpText := `
+Usage: vault token capabilities [options] [TOKEN] PATH
+
+  Fetches the capabilities of a token for a given path. If a TOKEN is provided
+  as an argument, the "/sys/capabilities" endpoint and permission is used. If
+  no TOKEN is provided, the "/sys/capabilities-self" endpoint and permission
+  is used with the locally authenticated token.
+
+  List capabilities for the local token on the "secret/foo" path:
+
+      $ vault token capabilities secret/foo
+
+  List capabilities for a token on the "cubbyhole/foo" path:
+
+      $ vault token capabilities 96ddf4bc-d217-f3ba-f9bd-017055595017 cubbyhole/foo
+
+  For a full list of examples, please see the documentation.
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *TokenCapabilitiesCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+}
+
+func (c *TokenCapabilitiesCommand) AutocompleteArgs() complete.Predictor {
+	return nil
+}
+
+func (c *TokenCapabilitiesCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *TokenCapabilitiesCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	token := ""
+	path := ""
+	args = f.Args()
+	switch len(args) {
+	case 0:
+		c.UI.Error("Not enough arguments (expected 1-2, got 0)")
+		return 1
+	case 1:
+		path = args[0]
+	case 2:
+		token, path = args[0], args[1]
+	default:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1-2, got %d)", len(args)))
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	var capabilities []string
+	if token == "" {
+		capabilities, err = client.Sys().CapabilitiesSelf(path)
+	} else {
+		capabilities, err = client.Sys().Capabilities(token, path)
+	}
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error listing capabilities: %s", err))
+		return 2
+	}
+	if capabilities == nil {
+		c.UI.Error("No capabilities found")
+		return 1
+	}
+
+	switch Format(c.UI) {
+	case "table":
+		sort.Strings(capabilities)
+		c.UI.Output(strings.Join(capabilities, ", "))
+		return 0
+	default:
+		return OutputData(c.UI, capabilities)
+	}
+}
diff --git a/ui/tests/integration/components/oidc/scope-form-test.js b/ui/tests/integration/components/oidc/scope-form-test.js
index 866861428e34..a3e5b9525a7f 100644
--- a/ui/tests/integration/components/oidc/scope-form-test.js
+++ b/ui/tests/integration/components/oidc/scope-form-test.js
@@ -1,204 +1,194 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import { render, fillIn, click, findAll } from '@ember/test-helpers';
-import { hbs } from 'ember-cli-htmlbars';
-import { setupMirage } from 'ember-cli-mirage/test-support';
-import { SELECTORS, OIDC_BASE_URL, overrideCapabilities } from 'vault/tests/helpers/oidc-config';
-
-module('Integration | Component | oidc/scope-form', function (hooks) {
-  setupRenderingTest(hooks);
-  setupMirage(hooks);
-
-  hooks.beforeEach(function () {
-    this.store = this.owner.lookup('service:store');
-  });
-
-  test('it should save new scope', async function (assert) {
-    assert.expect(9);
-
-    this.server.post('/identity/oidc/scope/test', (schema, req) => {
-      assert.ok(true, 'Request made to save scope');
-      return JSON.parse(req.requestBody);
-    });
-
-    this.model = this.store.createRecord('oidc/scope');
-    this.onSave = () => assert.ok(true, 'onSave callback fires on save success');
-
-    await render(hbs`
-      <Oidc::ScopeForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
-
-    assert.dom('[data-test-oidc-scope-title]').hasText('Create Scope', 'Form title renders');
-    assert.dom(SELECTORS.scopeSaveButton).hasText('Create', 'Save button has correct label');
-    await click(SELECTORS.scopeSaveButton);
-
-    // check validation errors
-    await click(SELECTORS.scopeSaveButton);
-
-    const validationErrors = findAll(SELECTORS.inlineAlert);
-    assert.dom(validationErrors[0]).hasText('Name is required.', 'Validation messages are shown for name');
-    assert.dom(validationErrors[1]).hasText('There is an error with this form.', 'Renders form error count');
-
-    assert
-      .dom('[data-test-inline-error-message]')
-      .hasText('Name is required.', 'Validation message is shown for name');
-    // json editor has test coverage so let's just confirm that it renders
-    assert
-      .dom('[data-test-input="template"] [data-test-component="json-editor-toolbar"]')
-      .exists('JsonEditor toolbar renders');
-    assert
-      .dom('[data-test-input="template"] [data-test-component="code-mirror-modifier"]')
-      .exists('Code mirror renders');
-
-    await fillIn('[data-test-input="name"]', 'test');
-    await fillIn('[data-test-input="description"]', 'this is a test');
-    await click(SELECTORS.scopeSaveButton);
-  });
-
-  test('it should update scope', async function (assert) {
-    assert.expect(9);
-
-    this.server.post('/identity/oidc/scope/test', (schema, req) => {
-      assert.ok(true, 'Request made to save scope');
-      return JSON.parse(req.requestBody);
-    });
-
-    this.store.pushPayload('oidc/scope', {
-      modelName: 'oidc/scope',
-      name: 'test',
-      description: 'this is a test',
-    });
-    this.model = this.store.peekRecord('oidc/scope', 'test');
-    this.onSave = () => assert.ok(true, 'onSave callback fires on save success');
-
-    await render(hbs`
-      <Oidc::ScopeForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
-
-    assert.dom('[data-test-oidc-scope-title]').hasText('Edit Scope', 'Form title renders');
-    assert.dom(SELECTORS.scopeSaveButton).hasText('Update', 'Save button has correct label');
-    assert.dom('[data-test-input="name"]').isDisabled('Name input is disabled when editing');
-    assert.dom('[data-test-input="name"]').hasValue('test', 'Name input is populated with model value');
-    assert
-      .dom('[data-test-input="description"]')
-      .hasValue('this is a test', 'Description input is populated with model value');
-    // json editor has test coverage so let's just confirm that it renders
-    assert
-      .dom('[data-test-input="template"] [data-test-component="json-editor-toolbar"]')
-      .exists('JsonEditor toolbar renders');
-    assert
-      .dom('[data-test-input="template"] [data-test-component="code-mirror-modifier"]')
-      .exists('Code mirror renders');
-
-    await fillIn('[data-test-input="description"]', 'this is an edit test');
-    await click(SELECTORS.scopeSaveButton);
-  });
-
-  test('it should rollback attributes or unload record on cancel', async function (assert) {
-    assert.expect(4);
-
-    this.onCancel = () => assert.ok(true, 'onCancel callback fires');
-
-    this.model = this.store.createRecord('oidc/scope');
-
-    await render(hbs`
-      <Oidc::ScopeForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
-
-    await click(SELECTORS.scopeCancelButton);
-    assert.true(this.model.isDestroyed, 'New model is unloaded on cancel');
-
-    this.store.pushPayload('oidc/scope', {
-      modelName: 'oidc/scope',
-      name: 'test',
-      description: 'this is a test',
-    });
-    this.model = this.store.peekRecord('oidc/scope', 'test');
-
-    await render(hbs`
-    <Oidc::ScopeForm
-      @model={{this.model}}
-      @onCancel={{this.onCancel}}
-      @onSave={{this.onSave}}
-    />
-      `);
-
-    await fillIn('[data-test-input="description"]', 'changed description attribute');
-    await click(SELECTORS.scopeCancelButton);
-    assert.strictEqual(
-      this.model.description,
-      'this is a test',
-      'Model attributes are rolled back on cancel'
-    );
-  });
-
-  test('it should show example template modal', async function (assert) {
-    assert.expect(5);
-    const MODAL = (e) => `[data-test-scope-modal="${e}"]`;
-    this.model = this.store.createRecord('oidc/scope');
-
-    // formatting here is purposeful so that it matches formatting in the template modal
-    const exampleTemplate = `{
-  "username": {{identity.entity.aliases.$MOUNT_ACCESSOR.name}},
-  "contact": {
-    "email": {{identity.entity.metadata.email}},
-    "phone_number": {{identity.entity.metadata.phone_number}}
-  },
-  "groups": {{identity.entity.groups.names}}
-}`;
-
-    await render(hbs`
-      <Oidc::ScopeForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
-
-    await click('[data-test-oidc-scope-example]');
-    assert.dom(MODAL('title')).hasText('Scope template', 'Modal title renders');
-    assert.dom(MODAL('text')).hasText('Example of a JSON template for scopes:', 'Modal text renders');
-    assert
-      .dom('#scope-template-modal [data-test-copy-button]')
-      .hasAttribute('data-clipboard-text', exampleTemplate, 'Modal copy button copies the example template');
-    assert.dom('.cm-string').hasText('"username"', 'Example template json renders');
-    await click('[data-test-close-modal]');
-    assert.dom('.hds#scope-template-modal').doesNotExist('Modal is hidden');
-  });
-
-  test('it should render error alerts when API returns an error', async function (assert) {
-    assert.expect(2);
-    this.model = this.store.createRecord('oidc/scope');
-    this.server.post('/sys/capabilities-self', () => overrideCapabilities(OIDC_BASE_URL + '/scopes'));
-    await render(hbs`
-      <Oidc::ScopeForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
-    await fillIn('[data-test-input="name"]', 'test-scope');
-    await click(SELECTORS.scopeSaveButton);
-    assert
-      .dom(SELECTORS.inlineAlert)
-      .hasText('There was an error submitting this form.', 'form error alert renders ');
-    assert.dom('[data-test-message-error]').exists('alert banner renders');
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+)
+
+func testTokenCapabilitiesCommand(tb testing.TB) (*cli.MockUi, *TokenCapabilitiesCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &TokenCapabilitiesCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestTokenCapabilitiesCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"too_many_args",
+			[]string{"foo", "bar", "zip"},
+			"Too many arguments",
+			1,
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			client, closer := testVaultServer(t)
+			defer closer()
+
+			ui, cmd := testTokenCapabilitiesCommand(t)
+			cmd.client = client
+
+			code := cmd.Run(tc.args)
+			if code != tc.code {
+				t.Errorf("expected %d to be %d", code, tc.code)
+			}
+
+			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+			if !strings.Contains(combined, tc.out) {
+				t.Errorf("expected %q to contain %q", combined, tc.out)
+			}
+		})
+	}
+
+	t.Run("token", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		policy := `path "secret/foo" { capabilities = ["read"] }`
+		if err := client.Sys().PutPolicy("policy", policy); err != nil {
+			t.Error(err)
+		}
+
+		secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
+			Policies: []string{"policy"},
+			TTL:      "30m",
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+		if secret == nil || secret.Auth == nil || secret.Auth.ClientToken == "" {
+			t.Fatalf("missing auth data: %#v", secret)
+		}
+		token := secret.Auth.ClientToken
+
+		ui, cmd := testTokenCapabilitiesCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			token, "secret/foo",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "read"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("local", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		policy := `path "secret/foo" { capabilities = ["read"] }`
+		if err := client.Sys().PutPolicy("policy", policy); err != nil {
+			t.Error(err)
+		}
+
+		secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
+			Policies: []string{"policy"},
+			TTL:      "30m",
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+		if secret == nil || secret.Auth == nil || secret.Auth.ClientToken == "" {
+			t.Fatalf("missing auth data: %#v", secret)
+		}
+		token := secret.Auth.ClientToken
+
+		client.SetToken(token)
+
+		ui, cmd := testTokenCapabilitiesCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"secret/foo",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "read"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testTokenCapabilitiesCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"foo", "bar",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error listing capabilities: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("multiple_paths", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		_, cmd := testTokenCapabilitiesCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"secret/foo,secret/bar",
+		})
+		if exp := 1; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testTokenCapabilitiesCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
diff --git a/ui/tests/integration/components/pki/page/pki-configuration-details-test.js b/ui/tests/integration/components/pki/page/pki-configuration-details-test.js
index 3ee97db4c54e..3e49bb2ca72b 100644
--- a/ui/tests/integration/components/pki/page/pki-configuration-details-test.js
+++ b/ui/tests/integration/components/pki/page/pki-configuration-details-test.js
@@ -1,178 +1,262 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import { render } from '@ember/test-helpers';
-import { hbs } from 'ember-cli-htmlbars';
-import { setupEngine } from 'ember-engines/test-support';
-
-const SELECTORS = {
-  rowLabel: (attr) => `[data-test-row-label="${attr}"]`,
-  rowValue: (attr) => `[data-test-value-div="${attr}"]`,
-  rowIcon: (attr, icon) => `[data-test-row-value="${attr}"] [data-test-icon="${icon}"]`,
-};
-
-module('Integration | Component | Page::PkiConfigurationDetails', function (hooks) {
-  setupRenderingTest(hooks);
-  setupEngine(hooks, 'pki');
-
-  hooks.beforeEach(function () {
-    this.secretMountPath = this.owner.lookup('service:secret-mount-path');
-    this.secretMountPath.currentPath = 'pki-test';
-
-    this.store = this.owner.lookup('service:store');
-    this.cluster = this.store.createRecord('pki/config/cluster', {
-      id: 'pki-test',
-      path: 'https://pr-a.vault.example.com/v1/ns1/pki-root',
-    });
-    this.urls = this.store.createRecord('pki/config/urls', {
-      id: 'pki-test',
-      issuingCertificates: 'example.com',
-    });
-    this.crl = this.store.createRecord('pki/config/crl', {
-      id: 'pki-test',
-      expiry: '20h',
-      disable: false,
-      autoRebuild: true,
-      autoRebuildGracePeriod: '13h',
-      enableDelta: true,
-      deltaRebuildInterval: '15m',
-      ocspExpiry: '77h',
-      ocspDisable: false,
-      crossClusterRevocation: true,
-      unifiedCrl: true,
-      unifiedCrlOnExistingPaths: true,
-    });
-  });
-
-  test('shows the correct information on cluster config', async function (assert) {
-    await render(hbs`<Page::PkiConfigurationDetails @cluster={{this.cluster}} @hasConfig={{true}} />,`, {
-      owner: this.engine,
-    });
-    assert
-      .dom(SELECTORS.rowValue("Mount's API path"))
-      .hasText('https://pr-a.vault.example.com/v1/ns1/pki-root', 'mount API path row renders');
-    assert.dom(SELECTORS.rowValue('AIA path')).hasText('None', "renders 'None' when no data");
-  });
-
-  test('shows the correct information on global urls section', async function (assert) {
-    await render(
-      hbs`<Page::PkiConfigurationDetails @urls={{this.urls}} @crl={{this.crl}} @hasConfig={{true}} />,`,
-      { owner: this.engine }
-    );
-
-    assert
-      .dom(SELECTORS.rowLabel('Issuing certificates'))
-      .hasText('Issuing certificates', 'issuing certificate row label renders');
-    assert
-      .dom(SELECTORS.rowValue('Issuing certificates'))
-      .hasText('example.com', 'issuing certificate value renders');
-    this.urls.issuingCertificates = null;
-    await render(
-      hbs`<Page::PkiConfigurationDetails @urls={{this.urls}} @crl={{this.crl}} @hasConfig={{true}} />,`,
-      { owner: this.engine }
-    );
-    assert
-      .dom(SELECTORS.rowValue('Issuing certificates'))
-      .hasText('None', 'issuing certificate value renders None if none is configured');
-    assert
-      .dom(SELECTORS.rowLabel('CRL distribution points'))
-      .hasText('CRL distribution points', 'crl distribution points row label renders');
-    assert
-      .dom(SELECTORS.rowValue('CRL distribution points'))
-      .hasText('None', 'crl distribution points value renders None if none is configured');
-  });
-
-  test('shows the correct information on crl section', async function (assert) {
-    await render(
-      hbs`<Page::PkiConfigurationDetails @urls={{this.urls}} @crl={{this.crl}} @hasConfig={{true}} />,`,
-      { owner: this.engine }
-    );
-
-    assert.dom(SELECTORS.rowLabel('CRL building')).hasText('CRL building', 'crl expiry row label renders');
-    assert.dom(SELECTORS.rowValue('CRL building')).hasText('Enabled', 'enabled renders');
-    assert.dom(SELECTORS.rowValue('Expiry')).hasText('20h', 'expiry value renders');
-    assert.dom(SELECTORS.rowLabel('Auto-rebuild')).hasText('Auto-rebuild', 'auto rebuild label renders');
-    assert.dom(SELECTORS.rowValue('Auto-rebuild')).hasText('On', 'it renders truthy auto build');
-    assert.dom(SELECTORS.rowIcon('Auto-rebuild', 'check-circle'));
-    assert
-      .dom(SELECTORS.rowValue('Auto-rebuild grace period'))
-      .hasText('13h', 'it renders auto build grace period');
-    assert.dom(SELECTORS.rowValue('Delta CRL building')).hasText('On', 'it renders truthy delta crl build');
-    assert.dom(SELECTORS.rowIcon('Delta CRL building', 'check-circle'));
-    assert
-      .dom(SELECTORS.rowValue('Delta rebuild interval'))
-      .hasText('15m', 'it renders delta build duration');
-    assert
-      .dom(SELECTORS.rowValue('Responder APIs'))
-      .hasText('Enabled', 'responder apis value renders Enabled if ocsp_disable=false');
-    assert.dom(SELECTORS.rowValue('Interval')).hasText('77h', 'interval value renders');
-    // check falsy aut_rebuild and _enable_delta hides duration values
-    this.crl.autoRebuild = false;
-    this.crl.enableDelta = false;
-    await render(
-      hbs`<Page::PkiConfigurationDetails @urls={{this.urls}} @crl={{this.crl}} @hasConfig={{true}} />,`,
-      { owner: this.engine }
-    );
-    assert.dom(SELECTORS.rowValue('Auto-rebuild')).hasText('Off', 'it renders falsy auto build');
-    assert.dom(SELECTORS.rowIcon('Auto-rebuild', 'x-square'));
-    assert
-      .dom(SELECTORS.rowValue('Auto-rebuild grace period'))
-      .doesNotExist('does not render auto-rebuild grace period');
-    assert.dom(SELECTORS.rowValue('Delta CRL building')).hasText('Off', 'it renders falsy delta cr build');
-    assert.dom(SELECTORS.rowIcon('Delta CRL building', 'x-square'));
-    assert
-      .dom(SELECTORS.rowValue('Delta rebuild interval'))
-      .doesNotExist('does not render delta rebuild duration');
-
-    // check falsy disable and ocsp_disable hides duration values and other params
-    this.crl.autoRebuild = true;
-    this.crl.enableDelta = true;
-    this.crl.disable = true;
-    this.crl.ocspDisable = true;
-    await render(
-      hbs`<Page::PkiConfigurationDetails @urls={{this.urls}} @crl={{this.crl}} @hasConfig={{true}} />,`,
-      { owner: this.engine }
-    );
-    assert.dom(SELECTORS.rowValue('CRL building')).hasText('Disabled', 'disabled renders');
-    assert.dom(SELECTORS.rowValue('Expiry')).doesNotExist();
-    assert
-      .dom(SELECTORS.rowValue('Responder APIs'))
-      .hasText('Disabled', 'responder apis value renders Disabled');
-    assert.dom(SELECTORS.rowValue('Interval')).doesNotExist();
-    assert.dom(SELECTORS.rowValue('Auto-rebuild')).doesNotExist();
-    assert.dom(SELECTORS.rowValue('Auto-rebuild grace period')).doesNotExist();
-    assert.dom(SELECTORS.rowValue('Delta CRL building')).doesNotExist();
-    assert.dom(SELECTORS.rowValue('Delta rebuild interval')).doesNotExist();
-  });
-
-  test('it renders enterprise params in crl section', async function (assert) {
-    this.version = this.owner.lookup('service:version');
-    this.version.version = '1.13.1+ent';
-    await render(
-      hbs`<Page::PkiConfigurationDetails @urls={{this.urls}} @crl={{this.crl}} @hasConfig={{true}} />,`,
-      { owner: this.engine }
-    );
-    assert.dom(SELECTORS.rowValue('Cross-cluster revocation')).hasText('Yes');
-    assert.dom(SELECTORS.rowIcon('Cross-cluster revocation', 'check-circle'));
-    assert.dom(SELECTORS.rowValue('Unified CRL')).hasText('Yes');
-    assert.dom(SELECTORS.rowIcon('Unified CRL', 'check-circle'));
-    assert.dom(SELECTORS.rowValue('Unified CRL on existing paths')).hasText('Yes');
-    assert.dom(SELECTORS.rowIcon('Unified CRL on existing paths', 'check-circle'));
-  });
-
-  test('it does not render enterprise params in crl section', async function (assert) {
-    this.version = this.owner.lookup('service:version');
-    this.version.version = '1.13.1';
-    await render(
-      hbs`<Page::PkiConfigurationDetails @urls={{this.urls}} @crl={{this.crl}} @hasConfig={{true}} />,`,
-      { owner: this.engine }
-    );
-    assert.dom(SELECTORS.rowValue('Cross-cluster revocation')).doesNotExist();
-    assert.dom(SELECTORS.rowValue('Unified CRL')).doesNotExist();
-    assert.dom(SELECTORS.rowValue('Unified CRL on existing paths')).doesNotExist();
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*TokenCreateCommand)(nil)
+	_ cli.CommandAutocomplete = (*TokenCreateCommand)(nil)
+)
+
+type TokenCreateCommand struct {
+	*BaseCommand
+
+	flagID              string
+	flagDisplayName     string
+	flagTTL             time.Duration
+	flagExplicitMaxTTL  time.Duration
+	flagPeriod          time.Duration
+	flagRenewable       bool
+	flagOrphan          bool
+	flagNoDefaultPolicy bool
+	flagUseLimit        int
+	flagRole            string
+	flagType            string
+	flagMetadata        map[string]string
+	flagPolicies        []string
+	flagEntityAlias     string
+}
+
+func (c *TokenCreateCommand) Synopsis() string {
+	return "Create a new token"
+}
+
+func (c *TokenCreateCommand) Help() string {
+	helpText := `
+Usage: vault token create [options]
+
+  Creates a new token that can be used for authentication. This token will be
+  created as a child of the currently authenticated token. The generated token
+  will inherit all policies and permissions of the currently authenticated
+  token unless you explicitly define a subset list policies to assign to the
+  token.
+
+  A ttl can also be associated with the token. If a ttl is not associated
+  with the token, then it cannot be renewed. If a ttl is associated with
+  the token, it will expire after that amount of time unless it is renewed.
+
+  Metadata associated with the token (specified with "-metadata") is written
+  to the audit log when the token is used.
+
+  If a role is specified, the role may override parameters specified here.
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *TokenCreateCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
+
+	f := set.NewFlagSet("Command Options")
+
+	f.StringVar(&StringVar{
+		Name:       "id",
+		Target:     &c.flagID,
+		Completion: complete.PredictAnything,
+		Usage: "Value for the token. By default, this is an auto-generated " +
+			"string. Specifying this value requires sudo permissions.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "display-name",
+		Target:     &c.flagDisplayName,
+		Completion: complete.PredictAnything,
+		Usage: "Name to associate with this token. This is a non-sensitive value " +
+			"that can be used to help identify created secrets (e.g. prefixes).",
+	})
+
+	f.DurationVar(&DurationVar{
+		Name:       "ttl",
+		Target:     &c.flagTTL,
+		Completion: complete.PredictAnything,
+		Usage: "Initial TTL to associate with the token. Token renewals may be " +
+			"able to extend beyond this value, depending on the configured maximum " +
+			"TTLs. This is specified as a numeric string with suffix like \"30s\" " +
+			"or \"5m\".",
+	})
+
+	f.DurationVar(&DurationVar{
+		Name:       "explicit-max-ttl",
+		Target:     &c.flagExplicitMaxTTL,
+		Completion: complete.PredictAnything,
+		Usage: "Explicit maximum lifetime for the token. Unlike normal TTLs, the " +
+			"maximum TTL is a hard limit and cannot be exceeded. This is specified " +
+			"as a numeric string with suffix like \"30s\" or \"5m\".",
+	})
+
+	f.DurationVar(&DurationVar{
+		Name:       "period",
+		Target:     &c.flagPeriod,
+		Completion: complete.PredictAnything,
+		Usage: "If specified, every renewal will use the given period. Periodic " +
+			"tokens do not expire (unless -explicit-max-ttl is also provided). " +
+			"Setting this value requires sudo permissions. This is specified as a " +
+			"numeric string with suffix like \"30s\" or \"5m\".",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "renewable",
+		Target:  &c.flagRenewable,
+		Default: true,
+		Usage:   "Allow the token to be renewed up to it's maximum TTL.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "orphan",
+		Target:  &c.flagOrphan,
+		Default: false,
+		Usage: "Create the token with no parent. This prevents the token from " +
+			"being revoked when the token which created it expires. Setting this " +
+			"value requires root or sudo permissions.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:    "no-default-policy",
+		Target:  &c.flagNoDefaultPolicy,
+		Default: false,
+		Usage: "Detach the \"default\" policy from the policy set for this " +
+			"token.",
+	})
+
+	f.IntVar(&IntVar{
+		Name:    "use-limit",
+		Target:  &c.flagUseLimit,
+		Default: 0,
+		Usage: "Number of times this token can be used. After the last use, the " +
+			"token is automatically revoked. By default, tokens can be used an " +
+			"unlimited number of times until their expiration.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:    "role",
+		Target:  &c.flagRole,
+		Default: "",
+		Usage: "Name of the role to create the token against. Specifying -role " +
+			"may override other arguments. The locally authenticated Vault token " +
+			"must have permission for \"auth/token/create/<role>\".",
+	})
+
+	f.StringVar(&StringVar{
+		Name:    "type",
+		Target:  &c.flagType,
+		Default: "service",
+		Usage:   `The type of token to create. Can be "service" or "batch".`,
+	})
+
+	f.StringMapVar(&StringMapVar{
+		Name:       "metadata",
+		Target:     &c.flagMetadata,
+		Completion: complete.PredictAnything,
+		Usage: "Arbitrary key=value metadata to associate with the token. " +
+			"This metadata will show in the audit log when the token is used. " +
+			"This can be specified multiple times to add multiple pieces of " +
+			"metadata.",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:       "policy",
+		Target:     &c.flagPolicies,
+		Completion: c.PredictVaultPolicies(),
+		Usage: "Name of a policy to associate with this token. This can be " +
+			"specified multiple times to attach multiple policies.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:    "entity-alias",
+		Target:  &c.flagEntityAlias,
+		Default: "",
+		Usage: "Name of the entity alias to associate with during token creation. " +
+			"Only works in combination with -role argument and used entity alias " +
+			"must be listed in allowed_entity_aliases. If this has been specified, " +
+			"the entity will not be inherited from the parent.",
+	})
+
+	return set
+}
+
+func (c *TokenCreateCommand) AutocompleteArgs() complete.Predictor {
+	return nil
+}
+
+func (c *TokenCreateCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *TokenCreateCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	if len(args) > 0 {
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0, got %d)", len(args)))
+		return 1
+	}
+
+	if c.flagType == "batch" {
+		c.flagRenewable = false
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	tcr := &api.TokenCreateRequest{
+		ID:              c.flagID,
+		Policies:        c.flagPolicies,
+		Metadata:        c.flagMetadata,
+		TTL:             c.flagTTL.String(),
+		NoParent:        c.flagOrphan,
+		NoDefaultPolicy: c.flagNoDefaultPolicy,
+		DisplayName:     c.flagDisplayName,
+		NumUses:         c.flagUseLimit,
+		Renewable:       &c.flagRenewable,
+		ExplicitMaxTTL:  c.flagExplicitMaxTTL.String(),
+		Period:          c.flagPeriod.String(),
+		Type:            c.flagType,
+		EntityAlias:     c.flagEntityAlias,
+	}
+
+	var secret *api.Secret
+	if c.flagRole != "" {
+		secret, err = client.Auth().Token().CreateWithRole(tcr, c.flagRole)
+	} else {
+		secret, err = client.Auth().Token().Create(tcr)
+	}
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error creating token: %s", err))
+		return 2
+	}
+
+	if c.flagField != "" {
+		return PrintRawField(c.UI, secret, c.flagField)
+	}
+
+	return OutputSecret(c.UI, secret)
+}
diff --git a/ui/tests/integration/components/pki/page/pki-configuration-edit-test.js b/ui/tests/integration/components/pki/page/pki-configuration-edit-test.js
index 30cf39d0aca6..3acd2dd1474e 100644
--- a/ui/tests/integration/components/pki/page/pki-configuration-edit-test.js
+++ b/ui/tests/integration/components/pki/page/pki-configuration-edit-test.js
@@ -1,458 +1,236 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'vault/tests/helpers';
-import { click, fillIn, render } from '@ember/test-helpers';
-import { setupEngine } from 'ember-engines/test-support';
-import { hbs } from 'ember-cli-htmlbars';
-import { setupMirage } from 'ember-cli-mirage/test-support';
-import { Response } from 'miragejs';
-import { SELECTORS } from 'vault/tests/helpers/pki/page/pki-configuration-edit';
-import sinon from 'sinon';
-import { allowAllCapabilitiesStub } from 'vault/tests/helpers/stubs';
-
-module('Integration | Component | page/pki-configuration-edit', function (hooks) {
-  setupRenderingTest(hooks);
-  setupEngine(hooks, 'pki');
-  setupMirage(hooks);
-
-  hooks.beforeEach(async function () {
-    // test context setup
-    this.server.post('/sys/capabilities-self', allowAllCapabilitiesStub());
-    this.context = { owner: this.engine }; // this.engine set by setupEngine
-    this.store = this.owner.lookup('service:store');
-    this.router = this.owner.lookup('service:router');
-    sinon.stub(this.router, 'transitionTo');
-
-    // component data setup
-    this.backend = 'pki-engine';
-    // both models only use findRecord. API parameters for pki/crl
-    // are set by default backend values when the engine is mounted
-    this.store.pushPayload('pki/config/cluster', {
-      modelName: 'pki/config/cluster',
-      id: this.backend,
-    });
-    this.store.pushPayload('pki/config/acme', {
-      modelName: 'pki/config/acme',
-      id: this.backend,
-    });
-    this.store.pushPayload('pki/config/crl', {
-      modelName: 'pki/config/crl',
-      id: this.backend,
-      auto_rebuild: false,
-      auto_rebuild_grace_period: '12h',
-      delta_rebuild_interval: '15m',
-      disable: false,
-      enable_delta: false,
-      expiry: '72h',
-      ocsp_disable: false,
-      ocsp_expiry: '12h',
-    });
-    this.store.pushPayload('pki/config/urls', {
-      modelName: 'pki/config/urls',
-      id: this.backend,
-      issuing_certificates: ['hashicorp.com'],
-      crl_distribution_points: ['some-crl-distribution.com'],
-      ocsp_servers: ['ocsp-stuff.com'],
-    });
-    this.acme = this.store.peekRecord('pki/config/acme', this.backend);
-    this.cluster = this.store.peekRecord('pki/config/cluster', this.backend);
-    this.crl = this.store.peekRecord('pki/config/crl', this.backend);
-    this.urls = this.store.peekRecord('pki/config/urls', this.backend);
-  });
-
-  hooks.afterEach(function () {
-    this.router.transitionTo.restore();
-  });
-
-  test('it renders with config data and updates config', async function (assert) {
-    assert.expect(32);
-    this.server.post(`/${this.backend}/config/acme`, (schema, req) => {
-      assert.ok(true, 'request made to save acme config');
-      assert.propEqual(
-        JSON.parse(req.requestBody),
-        {
-          allowed_issuers: ['*'],
-          allowed_roles: ['my-role'],
-          dns_resolver: 'some-dns',
-          eab_policy: 'new-account-required',
-          enabled: true,
-        },
-        'it updates acme config model attributes'
-      );
-    });
-    this.server.post(`/${this.backend}/config/cluster`, (schema, req) => {
-      assert.ok(true, 'request made to save cluster config');
-      assert.propEqual(
-        JSON.parse(req.requestBody),
-        {
-          path: 'https://pr-a.vault.example.com/v1/ns1/pki-root',
-          aia_path: 'http://another-path.com',
-        },
-        'it updates cluster config model attributes'
-      );
-    });
-    this.server.post(`/${this.backend}/config/crl`, (schema, req) => {
-      assert.ok(true, 'request made to save crl config');
-      assert.propEqual(
-        JSON.parse(req.requestBody),
-        {
-          auto_rebuild: true,
-          auto_rebuild_grace_period: '24h',
-          delta_rebuild_interval: '45m',
-          disable: false,
-          enable_delta: true,
-          expiry: '1152h',
-          ocsp_disable: false,
-          ocsp_expiry: '24h',
-        },
-        'it updates crl config model attributes'
-      );
-    });
-    this.server.post(`/${this.backend}/config/urls`, (schema, req) => {
-      assert.ok(true, 'request made to save urls config');
-      assert.propEqual(
-        JSON.parse(req.requestBody),
-        {
-          crl_distribution_points: ['test-crl.com'],
-          issuing_certificates: ['update-hashicorp.com'],
-          ocsp_servers: ['ocsp.com'],
-        },
-        'it updates url config model attributes'
-      );
-    });
-    await render(
-      hbs`
-      <Page::PkiConfigurationEdit
-        @acme={{this.acme}}
-        @cluster={{this.cluster}}
-        @urls={{this.urls}}
-        @crl={{this.crl}}
-        @backend={{this.backend}}
-      />
-    `,
-      this.context
-    );
-
-    assert.dom(SELECTORS.configEditSection).exists('renders config section');
-    assert.dom(SELECTORS.urlsEditSection).exists('renders urls section');
-    assert.dom(SELECTORS.crlEditSection).exists('renders crl section');
-    assert.dom(SELECTORS.cancelButton).exists();
-    this.urls.eachAttribute((name) => {
-      assert.dom(SELECTORS.urlFieldInput(name)).exists(`renders ${name} input`);
-    });
-    assert.dom(SELECTORS.urlFieldInput('issuingCertificates')).hasValue('hashicorp.com');
-    assert.dom(SELECTORS.urlFieldInput('crlDistributionPoints')).hasValue('some-crl-distribution.com');
-    assert.dom(SELECTORS.urlFieldInput('ocspServers')).hasValue('ocsp-stuff.com');
-
-    // cluster config
-    await fillIn(SELECTORS.configInput('path'), 'https://pr-a.vault.example.com/v1/ns1/pki-root');
-    await fillIn(SELECTORS.configInput('aiaPath'), 'http://another-path.com');
-
-    // acme config;
-    await click(SELECTORS.configInput('enabled'));
-    await fillIn(SELECTORS.stringListInput('allowedRoles'), 'my-role');
-    await fillIn(SELECTORS.stringListInput('allowedIssuers'), '*');
-    await fillIn(SELECTORS.configInput('eabPolicy'), 'new-account-required');
-    await fillIn(SELECTORS.configInput('dnsResolver'), 'some-dns');
-
-    // urls
-    await fillIn(SELECTORS.urlFieldInput('issuingCertificates'), 'update-hashicorp.com');
-    await fillIn(SELECTORS.urlFieldInput('crlDistributionPoints'), 'test-crl.com');
-    await fillIn(SELECTORS.urlFieldInput('ocspServers'), 'ocsp.com');
-
-    // confirm default toggle state and text
-    this.crl.eachAttribute((name, { options }) => {
-      if (['expiry', 'ocspExpiry'].includes(name)) {
-        assert.dom(SELECTORS.crlToggleInput(name)).isChecked(`${name} defaults to toggled on`);
-        assert.dom(SELECTORS.crlFieldLabel(name)).hasTextContaining(options.label);
-        assert.dom(SELECTORS.crlFieldLabel(name)).hasTextContaining(options.helperTextEnabled);
-      }
-      if (['autoRebuildGracePeriod', 'deltaRebuildInterval'].includes(name)) {
-        assert.dom(SELECTORS.crlToggleInput(name)).isNotChecked(`${name} defaults off`);
-        assert.dom(SELECTORS.crlFieldLabel(name)).hasTextContaining(options.labelDisabled);
-        assert.dom(SELECTORS.crlFieldLabel(name)).hasTextContaining(options.helperTextDisabled);
-      }
-    });
-
-    // toggle everything on
-    await click(SELECTORS.crlToggleInput('autoRebuildGracePeriod'));
-    assert
-      .dom(SELECTORS.crlFieldLabel('autoRebuildGracePeriod'))
-      .hasTextContaining(
-        'Auto-rebuild on Vault will rebuild the CRL in the below grace period before expiration',
-        'it renders auto rebuild toggled on text'
-      );
-    await click(SELECTORS.crlToggleInput('deltaRebuildInterval'));
-    assert
-      .dom(SELECTORS.crlFieldLabel('deltaRebuildInterval'))
-      .hasTextContaining(
-        'Delta CRL building on Vault will rebuild the delta CRL at the interval below:',
-        'it renders delta crl build toggled on text'
-      );
-
-    // assert ttl values update model attributes
-    await fillIn(SELECTORS.crlTtlInput('Expiry'), '48');
-    await fillIn(SELECTORS.crlTtlInput('Auto-rebuild on'), '24');
-    await fillIn(SELECTORS.crlTtlInput('Delta CRL building on'), '45');
-    await fillIn(SELECTORS.crlTtlInput('OCSP responder APIs enabled'), '24');
-
-    await click(SELECTORS.saveButton);
-  });
-
-  test('it removes urls and sends false crl values', async function (assert) {
-    assert.expect(8);
-    this.server.post(`/${this.backend}/config/acme`, () => {});
-    this.server.post(`/${this.backend}/config/cluster`, () => {});
-    this.server.post(`/${this.backend}/config/crl`, (schema, req) => {
-      assert.ok(true, 'request made to save crl config');
-      assert.propEqual(
-        JSON.parse(req.requestBody),
-        {
-          auto_rebuild: false,
-          auto_rebuild_grace_period: '12h',
-          delta_rebuild_interval: '15m',
-          disable: true,
-          enable_delta: false,
-          expiry: '72h',
-          ocsp_disable: true,
-          ocsp_expiry: '12h',
-        },
-        'crl payload has correct data'
-      );
-    });
-    this.server.post(`/${this.backend}/config/urls`, (schema, req) => {
-      assert.ok(true, 'request made to save urls config');
-      assert.propEqual(
-        JSON.parse(req.requestBody),
-        {
-          crl_distribution_points: [],
-          issuing_certificates: [],
-          ocsp_servers: [],
-        },
-        'url payload has empty arrays'
-      );
-    });
-    await render(
-      hbs`
-      <Page::PkiConfigurationEdit
-        @acme={{this.acme}}
-        @cluster={{this.cluster}}
-        @urls={{this.urls}}
-        @crl={{this.crl}}
-        @backend={{this.backend}}
-      />
-    `,
-      this.context
-    );
-
-    await click(SELECTORS.deleteButton('issuingCertificates'));
-    await click(SELECTORS.deleteButton('crlDistributionPoints'));
-    await click(SELECTORS.deleteButton('ocspServers'));
-
-    // toggle everything off
-    await click(SELECTORS.crlToggleInput('expiry'));
-    assert.dom(SELECTORS.crlFieldLabel('expiry')).hasText('No expiry The CRL will not be built.');
-    assert
-      .dom(SELECTORS.crlToggleInput('autoRebuildGracePeriod'))
-      .doesNotExist('expiry off hides the auto rebuild toggle');
-    assert
-      .dom(SELECTORS.crlToggleInput('deltaRebuildInterval'))
-      .doesNotExist('expiry off hides delta crl toggle');
-    await click(SELECTORS.crlToggleInput('ocspExpiry'));
-    assert
-      .dom(SELECTORS.crlFieldLabel('ocspExpiry'))
-      .hasTextContaining(
-        'OCSP responder APIs disabled Requests cannot be made to check if an individual certificate is valid.',
-        'it renders correct toggled off text'
-      );
-
-    await click(SELECTORS.saveButton);
-  });
-
-  test('it renders enterprise only params', async function (assert) {
-    assert.expect(6);
-    this.version = this.owner.lookup('service:version');
-    this.version.version = '1.13.1+ent';
-    this.server.post(`/${this.backend}/config/acme`, () => {});
-    this.server.post(`/${this.backend}/config/cluster`, () => {});
-    this.server.post(`/${this.backend}/config/crl`, (schema, req) => {
-      assert.ok(true, 'request made to save crl config');
-      assert.propEqual(
-        JSON.parse(req.requestBody),
-        {
-          auto_rebuild: false,
-          auto_rebuild_grace_period: '12h',
-          delta_rebuild_interval: '15m',
-          disable: false,
-          enable_delta: false,
-          expiry: '72h',
-          ocsp_disable: false,
-          ocsp_expiry: '12h',
-          cross_cluster_revocation: true,
-          unified_crl: true,
-          unified_crl_on_existing_paths: true,
-        },
-        'crl payload includes enterprise params'
-      );
-    });
-    this.server.post(`/${this.backend}/config/urls`, () => {
-      assert.ok(true, 'request made to save urls config');
-    });
-    await render(
-      hbs`
-      <Page::PkiConfigurationEdit
-        @acme={{this.acme}}
-        @cluster={{this.cluster}}
-        @urls={{this.urls}}
-        @crl={{this.crl}}
-        @backend={{this.backend}}
-      />
-    `,
-      this.context
-    );
-
-    assert.dom(SELECTORS.groupHeader('Certificate Revocation List (CRL)')).exists();
-    assert.dom(SELECTORS.groupHeader('Online Certificate Status Protocol (OCSP)')).exists();
-    assert.dom(SELECTORS.groupHeader('Unified Revocation')).exists();
-    await click(SELECTORS.checkboxInput('crossClusterRevocation'));
-    await click(SELECTORS.checkboxInput('unifiedCrl'));
-    await click(SELECTORS.checkboxInput('unifiedCrlOnExistingPaths'));
-    await click(SELECTORS.saveButton);
-  });
-
-  test('it does not render enterprise only params for OSS', async function (assert) {
-    assert.expect(9);
-    this.version = this.owner.lookup('service:version');
-    this.version.version = '1.13.1';
-    this.server.post(`/${this.backend}/config/acme`, () => {});
-    this.server.post(`/${this.backend}/config/cluster`, () => {});
-    this.server.post(`/${this.backend}/config/crl`, (schema, req) => {
-      assert.ok(true, 'request made to save crl config');
-      assert.propEqual(
-        JSON.parse(req.requestBody),
-        {
-          auto_rebuild: false,
-          auto_rebuild_grace_period: '12h',
-          delta_rebuild_interval: '15m',
-          disable: false,
-          enable_delta: false,
-          expiry: '72h',
-          ocsp_disable: false,
-          ocsp_expiry: '12h',
-        },
-        'crl payload does not include enterprise params'
-      );
-    });
-    this.server.post(`/${this.backend}/config/urls`, () => {
-      assert.ok(true, 'request made to save urls config');
-    });
-    await render(
-      hbs`
-      <Page::PkiConfigurationEdit
-        @acme={{this.acme}}
-        @cluster={{this.cluster}}
-        @urls={{this.urls}}
-        @crl={{this.crl}}
-        @backend={{this.backend}}
-      />
-    `,
-      this.context
-    );
-
-    assert.dom(SELECTORS.checkboxInput('crossClusterRevocation')).doesNotExist();
-    assert.dom(SELECTORS.checkboxInput('unifiedCrl')).doesNotExist();
-    assert.dom(SELECTORS.checkboxInput('unifiedCrlOnExistingPaths')).doesNotExist();
-    assert.dom(SELECTORS.groupHeader('Certificate Revocation List (CRL)')).exists();
-    assert.dom(SELECTORS.groupHeader('Online Certificate Status Protocol (OCSP)')).exists();
-    assert.dom(SELECTORS.groupHeader('Unified Revocation')).doesNotExist();
-    await click(SELECTORS.saveButton);
-  });
-
-  test('it renders empty states if no update capabilities', async function (assert) {
-    assert.expect(4);
-    this.server.post('/sys/capabilities-self', allowAllCapabilitiesStub(['read']));
-
-    await render(
-      hbs`
-      <Page::PkiConfigurationEdit
-        @acme={{this.acme}}
-        @cluster={{this.cluster}}
-        @urls={{this.urls}}
-        @crl={{this.crl}}
-        @backend={{this.backend}}
-      />
-    `,
-      this.context
-    );
-
-    assert
-      .dom(`${SELECTORS.configEditSection} [data-test-component="empty-state"]`)
-      .hasText(
-        "You do not have permission to set this mount's the cluster config Ask your administrator if you think you should have access to: POST /pki-engine/config/cluster"
-      );
-    assert
-      .dom(`${SELECTORS.acmeEditSection} [data-test-component="empty-state"]`)
-      .hasText(
-        "You do not have permission to set this mount's ACME config Ask your administrator if you think you should have access to: POST /pki-engine/config/acme"
-      );
-    assert
-      .dom(`${SELECTORS.urlsEditSection} [data-test-component="empty-state"]`)
-      .hasText(
-        "You do not have permission to set this mount's URLs Ask your administrator if you think you should have access to: POST /pki-engine/config/urls"
-      );
-    assert
-      .dom(`${SELECTORS.crlEditSection} [data-test-component="empty-state"]`)
-      .hasText(
-        "You do not have permission to set this mount's revocation configuration Ask your administrator if you think you should have access to: POST /pki-engine/config/crl"
-      );
-  });
-
-  test('it renders alert banner and endpoint respective error', async function (assert) {
-    assert.expect(4);
-    this.server.post(`/${this.backend}/config/acme`, () => {
-      return new Response(500, {}, { errors: ['something wrong with acme'] });
-    });
-    this.server.post(`/${this.backend}/config/cluster`, () => {
-      return new Response(500, {}, { errors: ['something wrong with cluster'] });
-    });
-    this.server.post(`/${this.backend}/config/crl`, () => {
-      return new Response(500, {}, { errors: ['something wrong with crl'] });
-    });
-    this.server.post(`/${this.backend}/config/urls`, () => {
-      return new Response(500, {}, { errors: ['something wrong with urls'] });
-    });
-    await render(
-      hbs`
-      <Page::PkiConfigurationEdit
-        @acme={{this.acme}}
-        @cluster={{this.cluster}}
-        @urls={{this.urls}}
-        @crl={{this.crl}}
-        @backend={{this.backend}}
-      />
-    `,
-      this.context
-    );
-
-    await click(SELECTORS.saveButton);
-    assert
-      .dom(SELECTORS.errorBanner)
-      .hasText(
-        'Error POST config/cluster: something wrong with cluster POST config/acme: something wrong with acme POST config/urls: something wrong with urls POST config/crl: something wrong with crl'
-      );
-    assert.dom(`${SELECTORS.errorBanner} ul`).hasClass('bullet');
-
-    // change 3 out of 4 requests to be successful to assert single error renders correctly
-    this.server.post(`/${this.backend}/config/acme`, () => new Response(200));
-    this.server.post(`/${this.backend}/config/cluster`, () => new Response(200));
-    this.server.post(`/${this.backend}/config/crl`, () => new Response(200));
-
-    await click(SELECTORS.saveButton);
-    assert.dom(SELECTORS.errorBanner).hasText('Error POST config/urls: something wrong with urls');
-    assert.dom(`${SELECTORS.errorBanner} ul`).doesNotHaveClass('bullet');
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+)
+
+func testTokenCreateCommand(tb testing.TB) (*cli.MockUi, *TokenCreateCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &TokenCreateCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestTokenCreateCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"too_many_args",
+			[]string{"abcd1234"},
+			"Too many arguments",
+			1,
+		},
+		{
+			"default",
+			nil,
+			"token",
+			0,
+		},
+		{
+			"metadata",
+			[]string{"-metadata", "foo=bar", "-metadata", "zip=zap"},
+			"token",
+			0,
+		},
+		{
+			"policies",
+			[]string{"-policy", "foo", "-policy", "bar"},
+			"token",
+			0,
+		},
+		{
+			"field",
+			[]string{
+				"-field", "token_renewable",
+			},
+			"false",
+			0,
+		},
+		{
+			"field_not_found",
+			[]string{
+				"-field", "not-a-real-field",
+			},
+			"not present in secret",
+			1,
+		},
+		{
+			"ttl",
+			[]string{"-ttl", "1d", "-explicit-max-ttl", "2d"},
+			"token",
+			0,
+		},
+	}
+
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range cases {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				ui, cmd := testTokenCreateCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
+	})
+
+	t.Run("default", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		ui, cmd := testTokenCreateCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"-field", "token",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		token := strings.TrimSpace(ui.OutputWriter.String())
+		secret, err := client.Auth().Token().Lookup(token)
+		if secret == nil || err != nil {
+			t.Fatal(err)
+		}
+	})
+
+	t.Run("metadata", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		ui, cmd := testTokenCreateCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"-metadata", "foo=bar",
+			"-metadata", "zip=zap",
+			"-field", "token",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		token := strings.TrimSpace(ui.OutputWriter.String())
+		secret, err := client.Auth().Token().Lookup(token)
+		if secret == nil || err != nil {
+			t.Fatal(err)
+		}
+
+		meta, ok := secret.Data["meta"].(map[string]interface{})
+		if !ok {
+			t.Fatalf("missing meta: %#v", secret)
+		}
+		if _, ok := meta["foo"]; !ok {
+			t.Errorf("missing meta.foo: %#v", meta)
+		}
+		if _, ok := meta["zip"]; !ok {
+			t.Errorf("missing meta.bar: %#v", meta)
+		}
+	})
+
+	t.Run("policies", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		ui, cmd := testTokenCreateCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"-policy", "foo",
+			"-policy", "bar",
+			"-field", "token",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		token := strings.TrimSpace(ui.OutputWriter.String())
+		secret, err := client.Auth().Token().Lookup(token)
+		if secret == nil || err != nil {
+			t.Fatal(err)
+		}
+
+		raw, ok := secret.Data["policies"].([]interface{})
+		if !ok {
+			t.Fatalf("missing policies: %#v", secret)
+		}
+
+		policies := make([]string, len(raw))
+		for i := range raw {
+			policies[i] = raw[i].(string)
+		}
+
+		expected := []string{"bar", "default", "foo"}
+		if !reflect.DeepEqual(policies, expected) {
+			t.Errorf("expected %q to be %q", policies, expected)
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testTokenCreateCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error creating token: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testTokenCreateCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
diff --git a/ui/tests/integration/components/pki/pki-generate-csr-test.js b/ui/tests/integration/components/pki/pki-generate-csr-test.js
index 6f4706a5b410..afb622372b1e 100644
--- a/ui/tests/integration/components/pki/pki-generate-csr-test.js
+++ b/ui/tests/integration/components/pki/pki-generate-csr-test.js
@@ -1,157 +1,133 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'vault/tests/helpers';
-import { click, fillIn, render } from '@ember/test-helpers';
-import { hbs } from 'ember-cli-htmlbars';
-import { setupEngine } from 'ember-engines/test-support';
-import { setupMirage } from 'ember-cli-mirage/test-support';
-
-module('Integration | Component | pki-generate-csr', function (hooks) {
-  setupRenderingTest(hooks);
-  setupEngine(hooks, 'pki');
-  setupMirage(hooks);
-
-  hooks.beforeEach(async function () {
-    this.owner.lookup('service:secretMountPath').update('pki-test');
-    this.store = this.owner.lookup('service:store');
-    this.onComplete = () => {};
-    this.model = this.owner
-      .lookup('service:store')
-      .createRecord('pki/action', { actionType: 'generate-csr' });
-
-    this.server.post('/sys/capabilities-self', () => ({
-      data: {
-        capabilities: ['root'],
-        'pki-test/issuers/generate/intermediate/exported': ['root'],
-      },
-    }));
-  });
-
-  test('it should render fields and save', async function (assert) {
-    assert.expect(9);
-
-    this.server.post('/pki-test/issuers/generate/intermediate/exported', (schema, req) => {
-      const payload = JSON.parse(req.requestBody);
-      assert.strictEqual(payload.common_name, 'foo', 'Request made to correct endpoint on save');
-      return {
-        request_id: '123',
-        data: {},
-      };
-    });
-
-    await render(hbs`<PkiGenerateCsr @model={{this.model}} @onComplete={{this.onComplete}} />`, {
-      owner: this.engine,
-    });
-
-    const fields = [
-      'type',
-      'commonName',
-      'excludeCnFromSans',
-      'format',
-      'subjectSerialNumber',
-      'addBasicConstraints',
-    ];
-    fields.forEach((key) => {
-      assert.dom(`[data-test-input="${key}"]`).exists(`${key} form field renders`);
-    });
-
-    assert.dom('[data-test-toggle-group]').exists({ count: 3 }, 'Toggle groups render');
-
-    await fillIn('[data-test-input="type"]', 'exported');
-    await fillIn('[data-test-input="commonName"]', 'foo');
-    await click('[data-test-save]');
-
-    const savedRecord = this.store.peekAll('pki/action').firstObject;
-    assert.false(savedRecord.isNew, 'record is saved');
-  });
-
-  test('it should display validation errors', async function (assert) {
-    assert.expect(4);
-
-    this.onCancel = () => assert.ok(true, 'onCancel action fires');
-
-    await render(
-      hbs`<PkiGenerateCsr @model={{this.model}} @onCancel={{this.onCancel}} @onComplete={{this.onComplete}} />`,
-      {
-        owner: this.engine,
-      }
-    );
-
-    await click('[data-test-save]');
-
-    assert
-      .dom('[data-test-field-validation="type"]')
-      .hasText('Type is required.', 'Type validation error renders');
-    assert
-      .dom('[data-test-field="commonName"] [data-test-inline-alert]')
-      .hasText('Common name is required.', 'Common name validation error renders');
-    assert.dom('[data-test-alert]').hasText('There are 2 errors with this form.', 'Alert renders');
-
-    await click('[data-test-cancel]');
-  });
-
-  test('it should show generated CSR for type=exported', async function (assert) {
-    assert.expect(6);
-    this.model.id = '1235-someId';
-    this.model.csr = '-----BEGIN CERTIFICATE REQUEST-----...-----END CERTIFICATE REQUEST-----';
-    this.model.keyId = '9179de78-1275-a1cf-ebb0-a4eb2e376636';
-    this.model.privateKey = '-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----';
-    this.model.privateKeyType = 'rsa';
-    this.onComplete = () => assert.ok(true, 'onComplete action fires');
-
-    await render(hbs`<PkiGenerateCsr @model={{this.model}} @onComplete={{this.onComplete}} />`, {
-      owner: this.engine,
-    });
-    assert
-      .dom('[data-test-next-steps-csr]')
-      .hasText(
-        'Next steps Copy the CSR below for a parent issuer to sign and then import the signed certificate back into this mount. The private_key is only available once. Make sure you copy and save it now.',
-        'renders Next steps alert banner'
-      );
-    assert
-      .dom('[data-test-value-div="CSR"] [data-test-certificate-card] button')
-      .hasAttribute('data-clipboard-text', this.model.csr, 'it renders copyable csr');
-    assert
-      .dom('[data-test-value-div="Key ID"] button')
-      .hasAttribute('data-clipboard-text', this.model.keyId, 'it renders copyable key_id');
-    assert
-      .dom('[data-test-value-div="Private key"] [data-test-certificate-card] button')
-      .hasAttribute('data-clipboard-text', this.model.privateKey, 'it renders copyable private_key');
-    assert
-      .dom('[data-test-value-div="Private key type"]')
-      .hasText(this.model.privateKeyType, 'renders private_key_type');
-    await click('[data-test-done]');
-  });
-
-  test('it should show generated CSR for type=internal', async function (assert) {
-    assert.expect(5);
-    this.model.id = '1235-someId';
-    this.model.csr = '-----BEGIN CERTIFICATE REQUEST-----...-----END CERTIFICATE REQUEST-----';
-    this.model.keyId = '9179de78-1275-a1cf-ebb0-a4eb2e376636';
-    this.onComplete = () => {};
-
-    await render(hbs`<PkiGenerateCsr @model={{this.model}} @onComplete={{this.onComplete}} />`, {
-      owner: this.engine,
-    });
-    assert
-      .dom('[data-test-next-steps-csr]')
-      .hasText(
-        'Next steps Copy the CSR below for a parent issuer to sign and then import the signed certificate back into this mount.',
-        'renders Next steps alert banner'
-      );
-    assert
-      .dom('[data-test-value-div="CSR"] [data-test-certificate-card] button')
-      .hasAttribute('data-clipboard-text', this.model.csr, 'it renders copyable csr');
-    assert
-      .dom('[data-test-value-div="Key ID"] button')
-      .hasAttribute('data-clipboard-text', this.model.keyId, 'it renders copyable key_id');
-    assert.dom('[data-test-value-div="Private key"]').hasText('internal', 'does not render private key');
-    assert
-      .dom('[data-test-value-div="Private key type"]')
-      .hasText('internal', 'does not render private key type');
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*TokenLookupCommand)(nil)
+	_ cli.CommandAutocomplete = (*TokenLookupCommand)(nil)
+)
+
+type TokenLookupCommand struct {
+	*BaseCommand
+
+	flagAccessor bool
+}
+
+func (c *TokenLookupCommand) Synopsis() string {
+	return "Display information about a token"
+}
+
+func (c *TokenLookupCommand) Help() string {
+	helpText := `
+Usage: vault token lookup [options] [TOKEN | ACCESSOR]
+
+  Displays information about a token or accessor. If a TOKEN is not provided,
+  the locally authenticated token is used.
+
+  Get information about the locally authenticated token (this uses the
+  /auth/token/lookup-self endpoint and permission):
+
+      $ vault token lookup
+
+  Get information about a particular token (this uses the /auth/token/lookup
+  endpoint and permission):
+
+      $ vault token lookup 96ddf4bc-d217-f3ba-f9bd-017055595017
+
+  Get information about a token via its accessor:
+
+      $ vault token lookup -accessor 9793c9b3-e04a-46f3-e7b8-748d7da248da
+
+  For a full list of examples, please see the documentation.
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *TokenLookupCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+
+	f := set.NewFlagSet("Command Options")
+
+	f.BoolVar(&BoolVar{
+		Name:       "accessor",
+		Target:     &c.flagAccessor,
+		Default:    false,
+		EnvVar:     "",
+		Completion: complete.PredictNothing,
+		Usage: "Treat the argument as an accessor instead of a token. When " +
+			"this option is selected, the output will NOT include the token.",
+	})
+
+	return set
+}
+
+func (c *TokenLookupCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultFiles()
+}
+
+func (c *TokenLookupCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *TokenLookupCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	token := ""
+
+	args = f.Args()
+	switch {
+	case c.flagAccessor && len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments with -accessor (expected 1, got %d)", len(args)))
+		return 1
+	case c.flagAccessor && len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments with -accessor (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) == 0:
+		// Use the local token
+	case len(args) == 1:
+		token = strings.TrimSpace(args[0])
+	case len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0-1, got %d)", len(args)))
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	var secret *api.Secret
+	switch {
+	case token == "":
+		secret, err = client.Auth().Token().LookupSelf()
+	case c.flagAccessor:
+		secret, err = client.Auth().Token().LookupAccessor(token)
+	default:
+		secret, err = client.Auth().Token().Lookup(token)
+	}
+
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error looking up token: %s", err))
+		return 2
+	}
+
+	return OutputSecret(c.UI, secret)
+}
diff --git a/ui/tests/integration/components/pki/pki-tidy-form-test.js b/ui/tests/integration/components/pki/pki-tidy-form-test.js
index f13ff9f6e8a3..6a351f781c5a 100644
--- a/ui/tests/integration/components/pki/pki-tidy-form-test.js
+++ b/ui/tests/integration/components/pki/pki-tidy-form-test.js
@@ -1,315 +1,180 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import { click, render, fillIn } from '@ember/test-helpers';
-import { hbs } from 'ember-cli-htmlbars';
-import { setupEngine } from 'ember-engines/test-support';
-import { setupMirage } from 'ember-cli-mirage/test-support';
-import { SELECTORS } from 'vault/tests/helpers/pki/page/pki-tidy-form';
-
-module('Integration | Component | pki tidy form', function (hooks) {
-  setupRenderingTest(hooks);
-  setupEngine(hooks, 'pki');
-  setupMirage(hooks);
-
-  hooks.beforeEach(function () {
-    this.store = this.owner.lookup('service:store');
-    this.version = this.owner.lookup('service:version');
-    this.version.version = '1.14.1+ent';
-    this.server.post('/sys/capabilities-self', () => {});
-    this.onSave = () => {};
-    this.onCancel = () => {};
-    this.manualTidy = this.store.createRecord('pki/tidy', { backend: 'pki-manual-tidy' });
-    this.store.pushPayload('pki/tidy', {
-      modelName: 'pki/tidy',
-      id: 'pki-auto-tidy',
-    });
-    this.autoTidy = this.store.peekRecord('pki/tidy', 'pki-auto-tidy');
-  });
-
-  test('it hides or shows fields depending on auto-tidy toggle', async function (assert) {
-    assert.expect(37);
-    this.version.version = '1.14.1+ent';
-    const sectionHeaders = [
-      'Universal operations',
-      'ACME operations',
-      'Issuer operations',
-      'Cross-cluster operations',
-    ];
-
-    await render(
-      hbs`
-      <PkiTidyForm
-      @tidy={{this.autoTidy}}
-      @tidyType="auto"
-      @onSave={{this.onSave}}
-      @onCancel={{this.onCancel}}
-    />
-    `,
-      { owner: this.engine }
-    );
-    assert.dom(SELECTORS.toggleInput('intervalDuration')).isNotChecked('Automatic tidy is disabled');
-    assert.dom(`[data-test-ttl-form-label="Automatic tidy disabled"]`).exists('renders disabled label text');
-
-    this.autoTidy.eachAttribute((attr) => {
-      if (attr === 'enabled' || attr === 'intervalDuration') return;
-      assert.dom(SELECTORS.inputByAttr(attr)).doesNotExist(`does not render ${attr} when auto tidy disabled`);
-    });
-
-    sectionHeaders.forEach((group) => {
-      assert.dom(SELECTORS.tidySectionHeader(group)).doesNotExist(`does not render ${group} header`);
-    });
-
-    // ENABLE AUTO TIDY
-    await click(SELECTORS.toggleInput('intervalDuration'));
-    assert.dom(SELECTORS.toggleInput('intervalDuration')).isChecked('Automatic tidy is enabled');
-    assert.dom(`[data-test-ttl-form-label="Automatic tidy enabled"]`).exists('renders enabled text');
-
-    this.autoTidy.eachAttribute((attr) => {
-      const skipFields = ['enabled', 'tidyAcme', 'intervalDuration'];
-      if (skipFields.includes(attr)) return; // combined with duration ttl or asserted elsewhere
-      assert.dom(SELECTORS.inputByAttr(attr)).exists(`renders ${attr} when auto tidy enabled`);
-    });
-
-    sectionHeaders.forEach((group) => {
-      assert.dom(SELECTORS.tidySectionHeader(group)).exists(`renders ${group} header`);
-    });
-  });
-
-  test('it renders all attribute fields, including enterprise', async function (assert) {
-    assert.expect(25);
-    this.version.version = '1.14.1+ent';
-    this.autoTidy.enabled = true;
-    const skipFields = ['enabled', 'tidyAcme', 'intervalDuration']; // combined with duration ttl or asserted separately
-    await render(
-      hbs`
-      <PkiTidyForm
-      @tidy={{this.autoTidy}}
-      @tidyType="auto"
-      @onSave={{this.onSave}}
-      @onCancel={{this.onCancel}}
-    />
-    `,
-      { owner: this.engine }
-    );
-
-    this.autoTidy.eachAttribute((attr) => {
-      if (skipFields.includes(attr)) return;
-      assert.dom(SELECTORS.inputByAttr(attr)).exists(`renders ${attr} for auto tidyType`);
-    });
-
-    await render(
-      hbs`
-      <PkiTidyForm
-      @tidy={{this.manualTidy}}
-      @tidyType="manual"
-      @onSave={{this.onSave}}
-      @onCancel={{this.onCancel}}
-    />
-    `,
-      { owner: this.engine }
-    );
-    assert.dom(SELECTORS.toggleInput('intervalDuration')).doesNotExist('hides automatic tidy toggle');
-
-    this.manualTidy.eachAttribute((attr) => {
-      if (skipFields.includes(attr)) return;
-      assert.dom(SELECTORS.inputByAttr(attr)).exists(`renders ${attr} for manual tidyType`);
-    });
-  });
-
-  test('it hides enterprise fields for OSS', async function (assert) {
-    assert.expect(7);
-    this.version.version = '1.14.1';
-    this.autoTidy.enabled = true;
-
-    const enterpriseFields = [
-      'tidyRevocationQueue',
-      'tidyCrossClusterRevokedCerts',
-      'revocationQueueSafetyBuffer',
-    ];
-
-    // tidyType = auto
-    await render(
-      hbs`
-      <PkiTidyForm
-      @tidy={{this.autoTidy}}
-      @tidyType="auto"
-      @onSave={{this.onSave}}
-      @onCancel={{this.onCancel}}
-    />
-    `,
-      { owner: this.engine }
-    );
-
-    assert
-      .dom(SELECTORS.tidySectionHeader('Cross-cluster operations'))
-      .doesNotExist(`does not render ent header`);
-
-    enterpriseFields.forEach((entAttr) => {
-      assert.dom(SELECTORS.inputByAttr(entAttr)).doesNotExist(`does not render ${entAttr} for auto tidyType`);
-    });
-
-    // tidyType = manual
-    await render(
-      hbs`
-      <PkiTidyForm
-      @tidy={{this.manualTidy}}
-      @tidyType="manual"
-      @onSave={{this.onSave}}
-      @onCancel={{this.onCancel}}
-    />
-    `,
-      { owner: this.engine }
-    );
-
-    enterpriseFields.forEach((entAttr) => {
-      assert
-        .dom(SELECTORS.inputByAttr(entAttr))
-        .doesNotExist(`does not render ${entAttr} for manual tidyType`);
-    });
-  });
-
-  test('it should change the attributes on the model', async function (assert) {
-    assert.expect(12);
-    this.server.post('/pki-auto-tidy/config/auto-tidy', (schema, req) => {
-      assert.propEqual(
-        JSON.parse(req.requestBody),
-        {
-          acme_account_safety_buffer: '60s',
-          enabled: true,
-          interval_duration: '10s',
-          issuer_safety_buffer: '20s',
-          pause_duration: '30s',
-          revocation_queue_safety_buffer: '40s',
-          safety_buffer: '50s',
-          tidy_acme: true,
-          tidy_cert_store: true,
-          tidy_cross_cluster_revoked_certs: true,
-          tidy_expired_issuers: true,
-          tidy_move_legacy_ca_bundle: true,
-          tidy_revocation_queue: true,
-          tidy_revoked_cert_issuer_associations: true,
-          tidy_revoked_certs: true,
-        },
-        'response contains updated model values'
-      );
-    });
-    await render(
-      hbs`
-      <PkiTidyForm
-      @tidy={{this.autoTidy}}
-      @tidyType="auto"
-      @onSave={{this.onSave}}
-      @onCancel={{this.onCancel}}
-    />
-    `,
-      { owner: this.engine }
-    );
-
-    assert.dom(SELECTORS.toggleInput('intervalDuration')).isNotChecked('Automatic tidy is disabled');
-    assert.dom(SELECTORS.toggleLabel('Automatic tidy disabled')).exists('auto tidy has disabled label');
-    assert.false(this.autoTidy.enabled, 'enabled is false on model');
-
-    // enable auto-tidy
-    await click(SELECTORS.toggleInput('intervalDuration'));
-    await fillIn(SELECTORS.intervalDuration, 10);
-
-    assert.dom(SELECTORS.toggleInput('intervalDuration')).isChecked('toggle enabled auto tidy');
-    assert.dom(SELECTORS.toggleLabel('Automatic tidy enabled')).exists('auto tidy has enabled label');
-
-    assert.dom(SELECTORS.toggleInput('acmeAccountSafetyBuffer')).isNotChecked('ACME tidy is disabled');
-    assert.dom(SELECTORS.toggleLabel('Tidy ACME disabled')).exists('ACME label has correct disabled text');
-    assert.false(this.autoTidy.tidyAcme, 'tidyAcme is false on model');
-
-    await click(SELECTORS.toggleInput('acmeAccountSafetyBuffer'));
-    await fillIn(SELECTORS.acmeAccountSafetyBuffer, 60);
-    assert.true(this.autoTidy.tidyAcme, 'tidyAcme toggles to true');
-
-    const fillInValues = {
-      issuerSafetyBuffer: 20,
-      pauseDuration: 30,
-      revocationQueueSafetyBuffer: 40,
-      safetyBuffer: 50,
-    };
-    this.autoTidy.eachAttribute(async (attr, { type }) => {
-      const skipFields = ['enabled', 'tidyAcme', 'intervalDuration', 'acmeAccountSafetyBuffer']; // combined with duration ttl or asserted separately
-      if (skipFields.includes(attr)) return;
-      if (type === 'boolean') {
-        await click(SELECTORS.inputByAttr(attr));
-      }
-      if (type === 'string') {
-        await fillIn(SELECTORS.toggleInput(attr), `${fillInValues[attr]}`);
-      }
-    });
-
-    assert.dom(SELECTORS.toggleInput('acmeAccountSafetyBuffer')).isChecked('ACME tidy is enabled');
-    assert.dom(SELECTORS.toggleLabel('Tidy ACME enabled')).exists('ACME label has correct enabled text');
-    await click(SELECTORS.tidySave);
-  });
-
-  test('it updates auto-tidy config', async function (assert) {
-    assert.expect(4);
-    this.server.post('/pki-auto-tidy/config/auto-tidy', (schema, req) => {
-      assert.ok(true, 'Request made to update auto-tidy');
-      assert.propEqual(
-        JSON.parse(req.requestBody),
-        {
-          enabled: false,
-          tidy_acme: false,
-        },
-        'response contains auto-tidy params'
-      );
-    });
-    this.onSave = () => assert.ok(true, 'onSave callback fires on save success');
-    this.onCancel = () => assert.ok(true, 'onCancel callback fires on save success');
-
-    await render(
-      hbs`
-      <PkiTidyForm
-        @tidy={{this.autoTidy}}
-        @tidyType="auto"
-        @onSave={{this.onSave}}
-        @onCancel={{this.onCancel}}
-      />
-    `,
-      { owner: this.engine }
-    );
-
-    await click(SELECTORS.tidySave);
-    await click(SELECTORS.tidyCancel);
-  });
-
-  test('it saves and performs manual tidy', async function (assert) {
-    assert.expect(4);
-
-    this.server.post('/pki-manual-tidy/tidy', (schema, req) => {
-      assert.ok(true, 'Request made to perform manual tidy');
-      assert.propEqual(
-        JSON.parse(req.requestBody),
-        { tidy_acme: false },
-        'response contains manual tidy params'
-      );
-    });
-    this.onSave = () => assert.ok(true, 'onSave callback fires on save success');
-    this.onCancel = () => assert.ok(true, 'onCancel callback fires on save success');
-
-    await render(
-      hbs`
-      <PkiTidyForm
-        @tidy={{this.manualTidy}}
-        @tidyType="manual"
-        @onSave={{this.onSave}}
-        @onCancel={{this.onCancel}}
-      />
-    `,
-      { owner: this.engine }
-    );
-
-    await click(SELECTORS.tidySave);
-    await click(SELECTORS.tidyCancel);
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+)
+
+func testTokenLookupCommand(tb testing.TB) (*cli.MockUi, *TokenLookupCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &TokenLookupCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestTokenLookupCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"accessor_no_args",
+			[]string{"-accessor"},
+			"Not enough arguments",
+			1,
+		},
+		{
+			"accessor_too_many_args",
+			[]string{"-accessor", "abcd1234", "efgh5678"},
+			"Too many arguments",
+			1,
+		},
+		{
+			"too_many_args",
+			[]string{"abcd1234", "efgh5678"},
+			"Too many arguments",
+			1,
+		},
+	}
+
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range cases {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				ui, cmd := testTokenLookupCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
+	})
+
+	t.Run("token", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		token, _ := testTokenAndAccessor(t, client)
+
+		ui, cmd := testTokenLookupCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			token,
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := token
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("self", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		ui, cmd := testTokenLookupCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "display_name"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("accessor", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		_, accessor := testTokenAndAccessor(t, client)
+
+		ui, cmd := testTokenLookupCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"-accessor",
+			accessor,
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := accessor
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testTokenLookupCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error looking up token: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testTokenLookupCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
diff --git a/ui/tests/integration/components/replication-secondary-card-test.js b/ui/tests/integration/components/replication-secondary-card-test.js
index d89d9a2a4c8f..c354b4e6a506 100644
--- a/ui/tests/integration/components/replication-secondary-card-test.js
+++ b/ui/tests/integration/components/replication-secondary-card-test.js
@@ -1,117 +1,144 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import { render } from '@ember/test-helpers';
-import hbs from 'htmlbars-inline-precompile';
-
-const TITLE = 'Status';
-
-const REPLICATION_DETAILS = {
-  state: 'stream-wals',
-  connection_state: 'ready',
-  lastRemoteWAL: 10,
-  knownPrimaryClusterAddrs: ['https://127.0.0.1:8201', 'https://127.0.0.1:8202'],
-  primaries: [
-    {
-      api_address: 'http://127.0.0.1:8201',
-    },
-  ],
-};
-
-module('Integration | Component | replication-secondary-card', function (hooks) {
-  setupRenderingTest(hooks);
-
-  hooks.beforeEach(function () {
-    this.set('replicationDetails', REPLICATION_DETAILS);
-    this.set('title', TITLE);
-  });
-
-  test('it renders', async function (assert) {
-    await render(
-      hbs`<ReplicationSecondaryCard @replicationDetails={{this.replicationDetails}} @title={{this.title}} />`
-    );
-    assert.dom('[data-test-replication-secondary-card]').exists();
-    assert.dom('[data-test-state]').includesText(REPLICATION_DETAILS.state, `shows the correct state value`);
-    assert
-      .dom('[data-test-connection]')
-      .includesText(REPLICATION_DETAILS.connection_state, `shows the correct connection value`);
-  });
-
-  test('it renders the Primary Cluster card when title is not Status', async function (assert) {
-    await render(
-      hbs`<ReplicationSecondaryCard @replicationDetails={{this.replicationDetails}} @title='Primary cluster'/>`
-    );
-
-    assert.dom('[data-test-info-table]').exists('it shows the known primary cluster details');
-
-    const url = this.element.querySelector('[data-test-primary-link]').href;
-    const expectedUrl = `${REPLICATION_DETAILS.primaries[0].api_address}/ui/`;
-
-    assert.strictEqual(url, expectedUrl, 'it renders a link to the primary cluster UI');
-  });
-
-  test('it does not render a link to the primary cluster UI when the primary api address or known primaries are unknown', async function (assert) {
-    this.set('replicationDetails', {});
-    await render(
-      hbs`<ReplicationSecondaryCard @replicationDetails={{this.replicationDetails}} @title='Primary cluster'/>`
-    );
-
-    assert.dom('[data-test-primary-link]').doesNotExist();
-  });
-
-  test('it renders with emptyState if no knownPrimaryClusterAddrs are set', async function (assert) {
-    this.set('replicationDetails', []);
-    await render(
-      hbs`<ReplicationSecondaryCard @replicationDetails={{this.replicationDetails}} @title='Primary cluster'/>`
-    );
-    assert.dom('[data-test-component="empty-state"]').exists();
-  });
-
-  test('it renders tooltip with check-circle-outline when state is stream-wals', async function (assert) {
-    await render(
-      hbs`<ReplicationSecondaryCard @replicationDetails={{this.replicationDetails}} @title={{this.title}} />`
-    );
-    assert.dom('[data-test-glyph]').hasClass('has-text-success', `shows success icon`);
-  });
-
-  test('it renders hasErrorMessage when state is idle', async function (assert) {
-    const stateError = {
-      state: 'idle',
-      connection_state: 'ready',
-      lastRemoteWAL: 10,
-    };
-
-    this.set('stateError', stateError);
-    await render(
-      hbs`<ReplicationSecondaryCard @replicationDetails={{this.stateError}} @title={{this.title}} />`
-    );
-    assert.dom('[data-test-error]').includesText('state', 'show correct error title');
-    assert
-      .dom('[data-test-inline-error-message]')
-      .includesText('Please check your server logs.', 'show correct error message');
-  });
-
-  test('it renders hasErrorMessage when connection is transient_failure', async function (assert) {
-    const connectionError = {
-      state: 'stream-wals',
-      connection_state: 'transient_failure',
-      lastRemoteWAL: 10,
-    };
-
-    this.set('connectionError', connectionError);
-    await render(
-      hbs`<ReplicationSecondaryCard @replicationDetails={{this.connectionError}} @title={{this.title}} />`
-    );
-    assert.dom('[data-test-error]').includesText('connection_state', 'show correct error title');
-    assert
-      .dom('[data-test-inline-error-message]')
-      .includesText(
-        'There has been some transient failure. Your cluster will eventually switch back to connection and try to establish a connection again.',
-        'show correct error message'
-      );
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*TokenRenewCommand)(nil)
+	_ cli.CommandAutocomplete = (*TokenRenewCommand)(nil)
+)
+
+type TokenRenewCommand struct {
+	*BaseCommand
+
+	flagAccessor  bool
+	flagIncrement time.Duration
+}
+
+func (c *TokenRenewCommand) Synopsis() string {
+	return "Renew a token lease"
+}
+
+func (c *TokenRenewCommand) Help() string {
+	helpText := `
+Usage: vault token renew [options] [TOKEN]
+
+  Renews a token's lease, extending the amount of time it can be used. If a
+  TOKEN is not provided, the locally authenticated token is used. A token
+  accessor can be used as well. Lease renewal will fail if the token is not
+  renewable, the token has already been revoked, or if the token has already
+  reached its maximum TTL.
+
+  Renew a token (this uses the /auth/token/renew endpoint and permission):
+
+      $ vault token renew 96ddf4bc-d217-f3ba-f9bd-017055595017
+
+  Renew the currently authenticated token (this uses the /auth/token/renew-self
+  endpoint and permission):
+
+      $ vault token renew
+
+  Renew a token requesting a specific increment value:
+
+      $ vault token renew -increment=30m 96ddf4bc-d217-f3ba-f9bd-017055595017
+
+  For a full list of examples, please see the documentation.
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *TokenRenewCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+	f := set.NewFlagSet("Command Options")
+
+	f.BoolVar(&BoolVar{
+		Name:       "accessor",
+		Target:     &c.flagAccessor,
+		Default:    false,
+		EnvVar:     "",
+		Completion: complete.PredictNothing,
+		Usage: "Treat the argument as an accessor instead of a token. When " +
+			"this option is selected, the output will NOT include the token.",
+	})
+
+	f.DurationVar(&DurationVar{
+		Name:       "increment",
+		Aliases:    []string{"i"},
+		Target:     &c.flagIncrement,
+		Default:    0,
+		EnvVar:     "",
+		Completion: complete.PredictAnything,
+		Usage: "Request a specific increment for renewal. This increment may " +
+			"not be honored, for instance in the case of periodic tokens. If not " +
+			"supplied, Vault will use the default TTL. This is specified as a " +
+			"numeric string with suffix like \"30s\" or \"5m\".",
+	})
+
+	return set
+}
+
+func (c *TokenRenewCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultFiles()
+}
+
+func (c *TokenRenewCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *TokenRenewCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	token := ""
+	increment := c.flagIncrement
+
+	args = f.Args()
+	switch len(args) {
+	case 0:
+		// Use the local token
+	case 1:
+		token = strings.TrimSpace(args[0])
+	default:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	var secret *api.Secret
+	inc := truncateToSeconds(increment)
+	switch {
+	case token == "":
+		secret, err = client.Auth().Token().RenewSelf(inc)
+	case c.flagAccessor:
+		secret, err = client.Auth().Token().RenewAccessor(token, inc)
+	default:
+		secret, err = client.Auth().Token().Renew(token, inc)
+	}
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error renewing token: %s", err))
+		return 2
+	}
+
+	return OutputSecret(c.UI, secret)
+}
diff --git a/ui/tests/integration/components/replication-summary-card-test.js b/ui/tests/integration/components/replication-summary-card-test.js
index a8ca8dafdc0b..4fc469995b05 100644
--- a/ui/tests/integration/components/replication-summary-card-test.js
+++ b/ui/tests/integration/components/replication-summary-card-test.js
@@ -1,62 +1,230 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import { render } from '@ember/test-helpers';
-import hbs from 'htmlbars-inline-precompile';
-
-const TITLE = 'Disaster Recovery';
-
-const REPLICATION_DETAILS = {
-  dr: {
-    state: 'running',
-    lastWAL: 10,
-    knownSecondaries: ['https://127.0.0.1:8201', 'https://127.0.0.1:8202'],
-  },
-  performance: {
-    state: 'running',
-    lastWAL: 20,
-    knownSecondaries: ['https://127.0.0.1:8201'],
-  },
-};
-
-module('Integration | Component | replication-summary-card', function (hooks) {
-  setupRenderingTest(hooks);
-
-  hooks.beforeEach(function () {
-    this.set('replicationDetails', REPLICATION_DETAILS);
-    this.set('title', TITLE);
-  });
-
-  test('it renders', async function (assert) {
-    await render(
-      hbs`<ReplicationSummaryCard @replicationDetails={{this.replicationDetails}} @title={{this.title}} />`
-    );
-    assert.dom('[data-test-replication-summary-card]').exists();
-    assert
-      .dom('[data-test-lastWAL]')
-      .includesText(REPLICATION_DETAILS.dr.lastWAL, `shows the correct lastWAL value`);
-
-    const knownSecondaries = REPLICATION_DETAILS.dr.knownSecondaries.length;
-    assert
-      .dom('[data-test-known-secondaries]')
-      .includesText(knownSecondaries, `shows the correct computed value of the known secondaries count`);
-  });
-
-  test('it shows the correct lastWAL and knownSecondaries when title is Performance', async function (assert) {
-    await render(
-      hbs`<ReplicationSummaryCard @replicationDetails={{this.replicationDetails}} @title="Performance" />`
-    );
-    assert
-      .dom('[data-test-lastWAL]')
-      .includesText(REPLICATION_DETAILS.performance.lastWAL, `shows the correct lastWAL value`);
-
-    const knownSecondaries = REPLICATION_DETAILS.performance.knownSecondaries.length;
-    assert
-      .dom('[data-test-known-secondaries]')
-      .includesText(knownSecondaries, `shows the correct computed value of the known secondaries count`);
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"encoding/json"
+	"strconv"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+)
+
+func testTokenRenewCommand(tb testing.TB) (*cli.MockUi, *TokenRenewCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &TokenRenewCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestTokenRenewCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"too_many_args",
+			[]string{"foo", "bar", "baz"},
+			"Too many arguments",
+			1,
+		},
+		{
+			"default",
+			nil,
+			"",
+			0,
+		},
+		{
+			"increment",
+			[]string{"-increment", "60s"},
+			"",
+			0,
+		},
+		{
+			"increment_no_suffix",
+			[]string{"-increment", "60"},
+			"",
+			0,
+		},
+	}
+
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range cases {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				// Login with the token so we can renew-self.
+				token, _ := testTokenAndAccessor(t, client)
+				client.SetToken(token)
+
+				ui, cmd := testTokenRenewCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
+	})
+
+	t.Run("token", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		token, _ := testTokenAndAccessor(t, client)
+
+		_, cmd := testTokenRenewCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"-increment", "30m",
+			token,
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		secret, err := client.Auth().Token().Lookup(token)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		str := string(secret.Data["ttl"].(json.Number))
+		ttl, err := strconv.ParseInt(str, 10, 64)
+		if err != nil {
+			t.Fatalf("bad ttl: %#v", secret.Data["ttl"])
+		}
+		if exp := int64(1800); ttl > exp {
+			t.Errorf("expected %d to be <= to %d", ttl, exp)
+		}
+	})
+
+	t.Run("accessor", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		token, accessor := testTokenAndAccessor(t, client)
+
+		_, cmd := testTokenRenewCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"-increment", "30m",
+			"-accessor",
+			accessor,
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		secret, err := client.Auth().Token().Lookup(token)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		str := string(secret.Data["ttl"].(json.Number))
+		ttl, err := strconv.ParseInt(str, 10, 64)
+		if err != nil {
+			t.Fatalf("bad ttl: %#v", secret.Data["ttl"])
+		}
+		if exp := int64(1800); ttl > exp {
+			t.Errorf("expected %d to be <= to %d", ttl, exp)
+		}
+	})
+
+	t.Run("self", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		token, _ := testTokenAndAccessor(t, client)
+
+		// Get the old token and login as the new token. We need the old token
+		// to query after the lookup, but we need the new token on the client.
+		oldToken := client.Token()
+		client.SetToken(token)
+
+		_, cmd := testTokenRenewCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"-increment", "30m",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		client.SetToken(oldToken)
+		secret, err := client.Auth().Token().Lookup(token)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		str := string(secret.Data["ttl"].(json.Number))
+		ttl, err := strconv.ParseInt(str, 10, 64)
+		if err != nil {
+			t.Fatalf("bad ttl: %#v", secret.Data["ttl"])
+		}
+		if exp := int64(1800); ttl > exp {
+			t.Errorf("expected %d to be <= to %d", ttl, exp)
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testTokenRenewCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"foo/bar",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error renewing token: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testTokenRenewCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
diff --git a/ui/tests/integration/components/sidebar/frame-test.js b/ui/tests/integration/components/sidebar/frame-test.js
index e310988a3f6f..c9f6a2b7f22f 100644
--- a/ui/tests/integration/components/sidebar/frame-test.js
+++ b/ui/tests/integration/components/sidebar/frame-test.js
@@ -1,73 +1,179 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import { render, click } from '@ember/test-helpers';
-import hbs from 'htmlbars-inline-precompile';
-import sinon from 'sinon';
-
-module('Integration | Component | sidebar-frame', function (hooks) {
-  setupRenderingTest(hooks);
-
-  test('it should hide and show sidebar', async function (assert) {
-    this.set('showSidebar', true);
-    await render(hbs`
-      <Sidebar::Frame @showSidebar={{this.showSidebar}} />
-    `);
-    assert.dom('[data-test-sidebar-nav]').exists('Sidebar renders');
-
-    this.set('showSidebar', false);
-    assert.dom('[data-test-sidebar-nav]').doesNotExist('Sidebar is hidden');
-  });
-
-  test('it should render link status, console ui panel and yield block for app content', async function (assert) {
-    const currentCluster = this.owner.lookup('service:currentCluster');
-    currentCluster.setCluster({ hcpLinkStatus: 'connected' });
-    const version = this.owner.lookup('service:version');
-    version.version = '1.13.0-dev1+ent';
-
-    await render(hbs`
-      <Sidebar::Frame @showSidebar={{true}}>
-        <div class="page-container">
-          App goes here!
-        </div>
-      </Sidebar::Frame>
-    `);
-
-    assert.dom('[data-test-link-status]').exists('Link status component renders');
-    assert.dom('[data-test-component="console/ui-panel"]').exists('Console UI panel renders');
-    assert.dom('.page-container').exists('Block yields for app content');
-  });
-
-  test('it should render logo and actions in sidebar header', async function (assert) {
-    this.owner.lookup('service:currentCluster').setCluster({ name: 'vault' });
-
-    await render(hbs`
-      <Sidebar::Frame @showSidebar={{true}} />
-    `);
-
-    assert.dom('[data-test-sidebar-logo]').exists('Vault logo renders in sidebar header');
-    assert.dom('[data-test-console-toggle]').exists('Console toggle button renders in sidebar header');
-    await click('[data-test-console-toggle]');
-    assert.dom('.panel-open').exists('Console ui panel opens');
-    await click('[data-test-console-toggle]');
-    assert.dom('.panel-open').doesNotExist('Console ui panel closes');
-    assert.dom('[data-test-user-menu]').exists('User menu renders');
-  });
-
-  test('it should render namespace picker in sidebar footer', async function (assert) {
-    const version = this.owner.lookup('service:version');
-    version.features = ['Namespaces'];
-    const auth = this.owner.lookup('service:auth');
-    sinon.stub(auth, 'authData').value({});
-
-    await render(hbs`
-      <Sidebar::Frame @showSidebar={{true}} />
-    `);
-
-    assert.dom('.namespace-picker').exists('Namespace picker renders in sidebar footer');
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*TokenRevokeCommand)(nil)
+	_ cli.CommandAutocomplete = (*TokenRevokeCommand)(nil)
+)
+
+type TokenRevokeCommand struct {
+	*BaseCommand
+
+	flagAccessor bool
+	flagSelf     bool
+	flagMode     string
+}
+
+func (c *TokenRevokeCommand) Synopsis() string {
+	return "Revoke a token and its children"
+}
+
+func (c *TokenRevokeCommand) Help() string {
+	helpText := `
+Usage: vault token revoke [options] [TOKEN | ACCESSOR]
+
+  Revokes authentication tokens and their children. If a TOKEN is not provided,
+  the locally authenticated token is used. The "-mode" flag can be used to
+  control the behavior of the revocation. See the "-mode" flag documentation
+  for more information.
+
+  Revoke a token and all the token's children:
+
+      $ vault token revoke 96ddf4bc-d217-f3ba-f9bd-017055595017
+
+  Revoke a token leaving the token's children:
+
+      $ vault token revoke -mode=orphan 96ddf4bc-d217-f3ba-f9bd-017055595017
+
+  Revoke a token by accessor:
+
+      $ vault token revoke -accessor 9793c9b3-e04a-46f3-e7b8-748d7da248da
+
+  For a full list of examples, please see the documentation.
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *TokenRevokeCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP)
+
+	f := set.NewFlagSet("Command Options")
+
+	f.BoolVar(&BoolVar{
+		Name:       "accessor",
+		Target:     &c.flagAccessor,
+		Default:    false,
+		EnvVar:     "",
+		Completion: complete.PredictNothing,
+		Usage:      "Treat the argument as an accessor instead of a token.",
+	})
+
+	f.BoolVar(&BoolVar{
+		Name:       "self",
+		Target:     &c.flagSelf,
+		Default:    false,
+		EnvVar:     "",
+		Completion: complete.PredictNothing,
+		Usage:      "Perform the revocation on the currently authenticated token.",
+	})
+
+	f.StringVar(&StringVar{
+		Name:       "mode",
+		Target:     &c.flagMode,
+		Default:    "",
+		EnvVar:     "",
+		Completion: complete.PredictSet("orphan", "path"),
+		Usage: "Type of revocation to perform. If unspecified, Vault will revoke " +
+			"the token and all of the token's children. If \"orphan\", Vault will " +
+			"revoke only the token, leaving the children as orphans. If \"path\", " +
+			"tokens created from the given authentication path prefix are deleted " +
+			"along with their children.",
+	})
+
+	return set
+}
+
+func (c *TokenRevokeCommand) AutocompleteArgs() complete.Predictor {
+	return nil
+}
+
+func (c *TokenRevokeCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *TokenRevokeCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = f.Args()
+	token := ""
+	if len(args) > 0 {
+		token = strings.TrimSpace(args[0])
+	}
+
+	switch c.flagMode {
+	case "", "orphan", "path":
+	default:
+		c.UI.Error(fmt.Sprintf("Invalid mode: %s", c.flagMode))
+		return 1
+	}
+
+	switch {
+	case c.flagSelf && len(args) > 0:
+		c.UI.Error(fmt.Sprintf("Too many arguments with -self (expected 0, got %d)", len(args)))
+		return 1
+	case !c.flagSelf && len(args) > 1:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1 or -self, got %d)", len(args)))
+		return 1
+	case !c.flagSelf && len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1 or -self, got %d)", len(args)))
+		return 1
+	case c.flagSelf && c.flagAccessor:
+		c.UI.Error("Cannot use -self with -accessor!")
+		return 1
+	case c.flagSelf && c.flagMode != "":
+		c.UI.Error("Cannot use -self with -mode!")
+		return 1
+	case c.flagAccessor && c.flagMode == "orphan":
+		c.UI.Error("Cannot use -accessor with -mode=orphan!")
+		return 1
+	case c.flagAccessor && c.flagMode == "path":
+		c.UI.Error("Cannot use -accessor with -mode=path!")
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	var revokeFn func(string) error
+	// Handle all 6 possible combinations
+	switch {
+	case !c.flagAccessor && c.flagSelf && c.flagMode == "":
+		revokeFn = client.Auth().Token().RevokeSelf
+	case !c.flagAccessor && !c.flagSelf && c.flagMode == "":
+		revokeFn = client.Auth().Token().RevokeTree
+	case !c.flagAccessor && !c.flagSelf && c.flagMode == "orphan":
+		revokeFn = client.Auth().Token().RevokeOrphan
+	case !c.flagAccessor && !c.flagSelf && c.flagMode == "path":
+		revokeFn = client.Sys().RevokePrefix
+	case c.flagAccessor && !c.flagSelf && c.flagMode == "":
+		revokeFn = client.Auth().Token().RevokeAccessor
+	}
+
+	if err := revokeFn(token); err != nil {
+		c.UI.Error(fmt.Sprintf("Error revoking token: %s", err))
+		return 2
+	}
+
+	c.UI.Output("Success! Revoked token (if it existed)")
+	return 0
+}
diff --git a/ui/tests/integration/components/sidebar/nav/cluster-test.js b/ui/tests/integration/components/sidebar/nav/cluster-test.js
index a8aa860ef0a4..3cdf13d615e8 100644
--- a/ui/tests/integration/components/sidebar/nav/cluster-test.js
+++ b/ui/tests/integration/components/sidebar/nav/cluster-test.js
@@ -1,102 +1,229 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import { render } from '@ember/test-helpers';
-import hbs from 'htmlbars-inline-precompile';
-import { stubFeaturesAndPermissions } from 'vault/tests/helpers/components/sidebar-nav';
-
-const renderComponent = () => {
-  return render(hbs`
-    <Sidebar::Frame @isVisible={{true}}>
-      <Sidebar::Nav::Cluster />
-    </Sidebar::Frame>
-  `);
-};
-
-module('Integration | Component | sidebar-nav-cluster', function (hooks) {
-  setupRenderingTest(hooks);
-
-  test('it should render nav headings', async function (assert) {
-    const headings = ['Vault', 'Replication', 'Monitoring'];
-    stubFeaturesAndPermissions(this.owner, true, true);
-    await renderComponent();
-
-    assert
-      .dom('[data-test-sidebar-nav-heading]')
-      .exists({ count: headings.length }, 'Correct number of headings render');
-    headings.forEach((heading) => {
-      assert
-        .dom(`[data-test-sidebar-nav-heading="${heading}"]`)
-        .hasText(heading, `${heading} heading renders`);
-    });
-  });
-
-  test('it should hide links and headings user does not have access too', async function (assert) {
-    await renderComponent();
-    assert
-      .dom('[data-test-sidebar-nav-link]')
-      .exists({ count: 3 }, 'Nav links are hidden other than secrets, secrets sync and dashboard');
-    assert
-      .dom('[data-test-sidebar-nav-heading]')
-      .exists({ count: 1 }, 'Headings are hidden other than Vault');
-  });
-
-  test('it should render nav links', async function (assert) {
-    const links = [
-      'Dashboard',
-      'Secrets Engines',
-      'Secrets Sync',
-      'Access',
-      'Policies',
-      'Tools',
-      'Disaster Recovery',
-      'Performance',
-      'Replication',
-      'Raft Storage',
-      'Client Count',
-      'License',
-      'Seal Vault',
-    ];
-    stubFeaturesAndPermissions(this.owner, true, true);
-    await renderComponent();
-
-    assert
-      .dom('[data-test-sidebar-nav-link]')
-      .exists({ count: links.length }, 'Correct number of links render');
-    links.forEach((link) => {
-      assert.dom(`[data-test-sidebar-nav-link="${link}"]`).hasText(link, `${link} link renders`);
-    });
-  });
-
-  test('it should hide enterprise related links in child namespace', async function (assert) {
-    const links = [
-      'Disaster Recovery',
-      'Performance',
-      'Replication',
-      'Raft Storage',
-      'License',
-      'Seal Vault',
-    ];
-    this.owner.lookup('service:namespace').set('path', 'foo');
-    const stubs = stubFeaturesAndPermissions(this.owner, true, true);
-    stubs.hasNavPermission.callsFake((route) => route !== 'clients');
-
-    await renderComponent();
-
-    assert
-      .dom('[data-test-sidebar-nav-heading="Monitoring"]')
-      .doesNotExist(
-        'Monitoring heading is hidden in child namespace when user does not have access to Client Count'
-      );
-
-    links.forEach((link) => {
-      assert
-        .dom(`[data-test-sidebar-nav-link="${link}"]`)
-        .doesNotExist(`${link} is hidden in child namespace`);
-    });
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+)
+
+func testTokenRevokeCommand(tb testing.TB) (*cli.MockUi, *TokenRevokeCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &TokenRevokeCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestTokenRevokeCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	validations := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"bad_mode",
+			[]string{"-mode=banana"},
+			"Invalid mode",
+			1,
+		},
+		{
+			"empty",
+			nil,
+			"Not enough arguments",
+			1,
+		},
+		{
+			"args_with_self",
+			[]string{"-self", "abcd1234"},
+			"Too many arguments",
+			1,
+		},
+		{
+			"too_many_args",
+			[]string{"abcd1234", "efgh5678"},
+			"Too many arguments",
+			1,
+		},
+		{
+			"self_and_accessor",
+			[]string{"-self", "-accessor"},
+			"Cannot use -self with -accessor",
+			1,
+		},
+		{
+			"self_and_mode",
+			[]string{"-self", "-mode=orphan"},
+			"Cannot use -self with -mode",
+			1,
+		},
+		{
+			"accessor_and_mode_orphan",
+			[]string{"-accessor", "-mode=orphan", "abcd1234"},
+			"Cannot use -accessor with -mode=orphan",
+			1,
+		},
+		{
+			"accessor_and_mode_path",
+			[]string{"-accessor", "-mode=path", "abcd1234"},
+			"Cannot use -accessor with -mode=path",
+			1,
+		},
+	}
+
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range validations {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				ui, cmd := testTokenRevokeCommand(t)
+				cmd.client = client
+
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
+	})
+
+	t.Run("token", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		token, _ := testTokenAndAccessor(t, client)
+
+		ui, cmd := testTokenRevokeCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			token,
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Success! Revoked token"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+
+		secret, err := client.Auth().Token().Lookup(token)
+		if secret != nil || err == nil {
+			t.Errorf("expected token to be revoked: %#v", secret)
+		}
+	})
+
+	t.Run("self", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		ui, cmd := testTokenRevokeCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"-self",
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Success! Revoked token"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+
+		secret, err := client.Auth().Token().LookupSelf()
+		if secret != nil || err == nil {
+			t.Errorf("expected token to be revoked: %#v", secret)
+		}
+	})
+
+	t.Run("accessor", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		token, accessor := testTokenAndAccessor(t, client)
+
+		ui, cmd := testTokenRevokeCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"-accessor",
+			accessor,
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Success! Revoked token"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+
+		secret, err := client.Auth().Token().Lookup(token)
+		if secret != nil || err == nil {
+			t.Errorf("expected token to be revoked: %#v", secret)
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testTokenRevokeCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"abcd1234",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error revoking token: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testTokenRevokeCommand(t)
+		assertNoTabs(t, cmd)
+	})
+}
diff --git a/ui/tests/integration/components/sidebar/user-menu-test.js b/ui/tests/integration/components/sidebar/user-menu-test.js
index 0b5b0dfc382c..46129cd32e29 100644
--- a/ui/tests/integration/components/sidebar/user-menu-test.js
+++ b/ui/tests/integration/components/sidebar/user-menu-test.js
@@ -1,69 +1,44 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
 
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import { render, click } from '@ember/test-helpers';
-import hbs from 'htmlbars-inline-precompile';
-import sinon from 'sinon';
+package command
 
-module('Integration | Component | sidebar-user-menu', function (hooks) {
-  setupRenderingTest(hooks);
+import (
+	"strings"
 
-  hooks.beforeEach(function () {
-    this.auth = this.owner.lookup('service:auth');
-  });
+	"github.com/hashicorp/cli"
+)
 
-  test('it should render trigger and open menu', async function (assert) {
-    await render(hbs`<Sidebar::UserMenu />`);
+var _ cli.Command = (*TransformCommand)(nil)
 
-    assert
-      .dom('[data-test-user-menu-trigger] [data-test-icon="user"]')
-      .exists('Correct icon renders for menu trigger');
-    await click('[data-test-user-menu-trigger]');
-    assert.dom('[data-test-user-menu-content]').exists('User menu content renders');
-  });
+type TransformCommand struct {
+	*BaseCommand
+}
 
-  test('it should render default menu items', async function (assert) {
-    sinon.stub(this.auth, 'currentToken').value('root');
-    sinon.stub(this.auth, 'authData').value({ displayName: 'token' });
+func (c *TransformCommand) Synopsis() string {
+	return "Interact with Vault's Transform Secrets Engine"
+}
 
-    await render(hbs`<Sidebar::UserMenu />`);
-    await click('[data-test-user-menu-trigger]');
+func (c *TransformCommand) Help() string {
+	helpText := `
+Usage: vault transform <subcommand> [options] [args]
 
-    assert.dom('.menu-label').hasText('Token', 'Auth data display name renders');
-    assert.dom('li').exists({ count: 2 }, 'Correct number of menu items render');
-    assert.dom('[data-clipboard-text="root"]').exists('Copy token action renders');
-    assert.dom('#logout').hasText('Log out', 'Log out action renders');
-  });
+  This command has subcommands for interacting with Vault's Transform Secrets
+  Engine. Here are some simple examples, and more detailed examples are
+  available in the subcommands or the documentation.
 
-  test('it should render conditional menu items', async function (assert) {
-    const router = this.owner.lookup('service:router');
-    const transitionStub = sinon.stub(router, 'transitionTo');
-    const renewStub = sinon.stub(this.auth, 'renew').resolves();
-    const revokeStub = sinon.stub(this.auth, 'revokeCurrentToken').resolves();
-    const date = new Date();
-    sinon.stub(this.auth, 'tokenExpirationDate').value(date.setDate(date.getDate() + 1));
-    sinon.stub(this.auth, 'authData').value({ displayName: 'token', renewable: true, entity_id: 'foo' });
-    this.auth.set('allowExpiration', true);
+  To import a key into a new FPE transformation:
 
-    await render(hbs`<Sidebar::UserMenu />`);
-    await click('[data-test-user-menu-trigger]');
+  $ vault transform import transform/transformations/fpe/new-transformation @path/to/key \
+      template=identifier \
+	  allowed_roles=physical-access 
 
-    assert.dom('[data-test-user-menu-item="token alert"]').exists('Token expiration alert renders');
-    assert.dom('[data-test-user-menu-item="mfa"]').hasText('Multi-factor authentication', 'MFA link renders');
+  Please see the individual subcommand help for detailed usage information.
+`
 
-    await click('[data-test-user-menu-item="revoke token"]');
-    await click('[data-test-confirm-button]');
-    assert.true(revokeStub.calledOnce, 'Auth revoke token method called on revoke confirm');
-    assert.true(
-      transitionStub.calledWith('vault.cluster.logout'),
-      'Route transitions to log out on revoke success'
-    );
+	return strings.TrimSpace(helpText)
+}
 
-    await click('[data-test-user-menu-item="renew token"]');
-    assert.true(renewStub.calledOnce, 'Auth renew token method called');
-  });
-});
+func (c *TransformCommand) Run(args []string) int {
+	return cli.RunResultHelp
+}
diff --git a/ui/tests/integration/components/splash-page-test.js b/ui/tests/integration/components/splash-page-test.js
new file mode 100644
index 000000000000..d01100acea04
--- /dev/null
+++ b/ui/tests/integration/components/splash-page-test.js
@@ -0,0 +1,79 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"errors"
+	"regexp"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
+)
+
+var (
+	_                cli.Command             = (*TransformImportCommand)(nil)
+	_                cli.CommandAutocomplete = (*TransformImportCommand)(nil)
+	transformKeyPath                         = regexp.MustCompile("^(.*)/transformations/(fpe|tokenization)/([^/]*)$")
+)
+
+type TransformImportCommand struct {
+	*BaseCommand
+}
+
+func (c *TransformImportCommand) Synopsis() string {
+	return "Import a key into the Transform secrets engines."
+}
+
+func (c *TransformImportCommand) Help() string {
+	helpText := `
+Usage: vault transform import PATH KEY [options...]
+
+  Using the Transform key wrapping system, imports key material from
+  the base64 encoded KEY (either directly on the CLI or via @path notation),
+  into a new FPE or tokenization transformation whose API path is PATH. 
+
+  To import a new key version into an existing tokenization transformation, 
+  use import_version. 
+  
+  The remaining options after KEY (key=value style) are passed on to 
+  Create/Update FPE Transformation or Create/Update Tokenization Transformation 
+  API endpoints.
+
+  For example:
+  $ vault transform import transform/transformations/tokenization/application-form @path/to/key \        
+       allowed_roles=legacy-system 
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *TransformImportCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP)
+}
+
+func (c *TransformImportCommand) AutocompleteArgs() complete.Predictor {
+	return nil
+}
+
+func (c *TransformImportCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *TransformImportCommand) Run(args []string) int {
+	return ImportKey(c.BaseCommand, "import", transformImportKeyPath, c.Flags(), args)
+}
+
+func transformImportKeyPath(s string, operation string) (path string, apiPath string, err error) {
+	parts := transformKeyPath.FindStringSubmatch(s)
+	if len(parts) != 4 {
+		return "", "", errors.New("expected transform path and key name in the form :path:/transformations/fpe|tokenization/:name:")
+	}
+	path = parts[1]
+	transformation := parts[2]
+	keyName := parts[3]
+	apiPath = path + "/transformations/" + transformation + "/" + keyName + "/" + operation
+
+	return path, apiPath, nil
+}
diff --git a/ui/tests/pages/auth.js b/ui/tests/pages/auth.js
index f1e2cad69e46..61a6db45b674 100644
--- a/ui/tests/pages/auth.js
+++ b/ui/tests/pages/auth.js
@@ -1,69 +1,59 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
 
-import { create, visitable, fillable, clickable } from 'ember-cli-page-object';
-import { click, settled } from '@ember/test-helpers';
-import VAULT_KEYS from 'vault/tests/helpers/vault-keys';
+package command
 
-const { rootToken } = VAULT_KEYS;
+import (
+	"strings"
 
-export default create({
-  visit: visitable('/vault/auth'),
-  logout: visitable('/vault/logout'),
-  submit: clickable('[data-test-auth-submit]'),
-  tokenInput: fillable('[data-test-token]'),
-  usernameInput: fillable('[data-test-username]'),
-  passwordInput: fillable('[data-test-password]'),
-  namespaceInput: fillable('[data-test-auth-form-ns-input]'),
-  optionsToggle: clickable('[data-test-auth-form-options-toggle]'),
-  mountPath: fillable('[data-test-auth-form-mount-path]'),
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
+)
 
-  login: async function (token = rootToken) {
-    // make sure we're always logged out and logged back in
-    await this.logout();
-    await settled();
-    // clear session storage to ensure we have a clean state
-    window.localStorage.clear();
-    await this.visit({ with: 'token' });
-    await settled();
-    return this.tokenInput(token).submit();
-  },
-  loginUsername: async function (username, password, path) {
-    // make sure we're always logged out and logged back in
-    await this.logout();
-    await settled();
-    // clear local storage to ensure we have a clean state
-    window.localStorage.clear();
-    await this.visit({ with: 'userpass' });
-    await settled();
-    if (path) {
-      await this.optionsToggle();
-      await this.mountPath(path);
-    }
-    await this.usernameInput(username);
-    return this.passwordInput(password).submit();
-  },
-  loginNs: async function (ns) {
-    // make sure we're always logged out and logged back in
-    await this.logout();
-    await settled();
-    // clear session storage to ensure we have a clean state
-    window.localStorage.clear();
-    await this.visit({ with: 'token' });
-    await settled();
-    await this.namespaceInput(ns);
-    await settled();
-    await this.tokenInput(rootToken).submit();
-    return;
-  },
-  clickLogout: async function (clearNamespace = false) {
-    await click('[data-test-user-menu-trigger]');
-    await click('[data-test-user-menu-content] a#logout');
-    if (clearNamespace) {
-      await this.namespaceInput('');
-    }
-    return;
-  },
-});
+var (
+	_ cli.Command             = (*TransformImportVersionCommand)(nil)
+	_ cli.CommandAutocomplete = (*TransformImportVersionCommand)(nil)
+)
+
+type TransformImportVersionCommand struct {
+	*BaseCommand
+}
+
+func (c *TransformImportVersionCommand) Synopsis() string {
+	return "Import key material into a new key version in the Transform secrets engines."
+}
+
+func (c *TransformImportVersionCommand) Help() string {
+	helpText := `
+Usage: vault transform import-version PATH KEY [...]
+
+  Using the Transform key wrapping system, imports new key material from
+  the base64 encoded KEY (either directly on the CLI or via @path notation),
+  into an existing tokenization transformation whose API path is PATH. 
+
+  The remaining options after KEY (key=value style) are passed on to 
+  Create/Update Tokenization Transformation API endpoint.
+
+  For example:
+  $ vault transform import-version transform/transformations/tokenization/application-form @path/to/new_version \        
+       allowed_roles=legacy-system
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *TransformImportVersionCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP)
+}
+
+func (c *TransformImportVersionCommand) AutocompleteArgs() complete.Predictor {
+	return nil
+}
+
+func (c *TransformImportVersionCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *TransformImportVersionCommand) Run(args []string) int {
+	return ImportKey(c.BaseCommand, "import_version", transformImportKeyPath, c.Flags(), args)
+}
diff --git a/ui/tests/unit/adapters/capabilities-test.js b/ui/tests/unit/adapters/capabilities-test.js
index bcd1f055b551..9b988d7e3c70 100644
--- a/ui/tests/unit/adapters/capabilities-test.js
+++ b/ui/tests/unit/adapters/capabilities-test.js
@@ -1,27 +1,42 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { resolve } from 'rsvp';
-import { module, test } from 'qunit';
-import { setupTest } from 'ember-qunit';
-
-module('Unit | Adapter | capabilities', function (hooks) {
-  setupTest(hooks);
-
-  test('calls the correct url', function (assert) {
-    let url, method, options;
-    const adapter = this.owner.factoryFor('adapter:capabilities').create({
-      ajax: (...args) => {
-        [url, method, options] = args;
-        return resolve();
-      },
-    });
-
-    adapter.findRecord(null, 'capabilities', 'foo');
-    assert.strictEqual(url, '/v1/sys/capabilities-self', 'calls the correct URL');
-    assert.deepEqual({ paths: ['foo'] }, options.data, 'data params OK');
-    assert.strictEqual(method, 'POST', 'method OK');
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+
+	"github.com/hashicorp/cli"
+)
+
+var _ cli.Command = (*TransitCommand)(nil)
+
+type TransitCommand struct {
+	*BaseCommand
+}
+
+func (c *TransitCommand) Synopsis() string {
+	return "Interact with Vault's Transit Secrets Engine"
+}
+
+func (c *TransitCommand) Help() string {
+	helpText := `
+Usage: vault transit <subcommand> [options] [args]
+
+  This command has subcommands for interacting with Vault's Transit Secrets
+  Engine. Here are some simple examples, and more detailed examples are
+  available in the subcommands or the documentation.
+
+  To import a key into the specified Transit mount:
+
+  $ vault transit import transit/keys/newly-imported @path/to/key type=rsa-2048
+
+  Please see the individual subcommand help for detailed usage information.
+`
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *TransitCommand) Run(args []string) int {
+	return cli.RunResultHelp
+}
diff --git a/ui/tests/unit/adapters/kv/data-test.js b/ui/tests/unit/adapters/kv/data-test.js
index ae67ccd3079e..350821b07612 100644
--- a/ui/tests/unit/adapters/kv/data-test.js
+++ b/ui/tests/unit/adapters/kv/data-test.js
@@ -1,367 +1,218 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: MPL-2.0
- */
-
-import { module, test } from 'qunit';
-import { setupTest } from 'ember-qunit';
-import { setupMirage } from 'ember-cli-mirage/test-support';
-import { kvDataPath } from 'vault/utils/kv-path';
-import { encodePath } from 'vault/utils/path-encoding-helpers';
-import { Response } from 'miragejs';
-
-const EXAMPLE_KV_DATA_CREATE_RESPONSE = {
-  request_id: 'foobar',
-  data: {
-    created_time: '2023-06-21T16:18:31.479993Z',
-    custom_metadata: null,
-    deletion_time: '',
-    destroyed: false,
-    version: 1,
-  },
-};
-
-const EXAMPLE_KV_DATA_GET_RESPONSE = {
-  request_id: 'foobar',
-  data: {
-    data: { foo: 'bar' },
-    metadata: {
-      created_time: '2023-06-20T21:26:47.592306Z',
-      custom_metadata: null,
-      deletion_time: '',
-      destroyed: false,
-      version: 2,
-    },
-  },
-};
-
-const EXAMPLE_CONTROL_GROUP_RESPONSE = {
-  data: null,
-  wrap_info: {
-    token: 'some-token',
-    accessor: 'some-accessor',
-    ttl: 86400,
-    creation_time: '2023-08-09T16:08:06-05:00',
-    creation_path: 'some/path/here',
-  },
-};
-
-const EXAMPLE_KV_DATA_DESTROYED = {
-  data: {
-    data: null,
-    metadata: {
-      created_time: '2023-08-09T20:10:24.4825Z',
-      custom_metadata: null,
-      deletion_time: '',
-      destroyed: true,
-      version: 2,
-    },
-  },
-};
-
-const EXAMPLE_KV_DATA_DELETED = {
-  data: {
-    data: null,
-    metadata: {
-      created_time: '2023-08-09T20:10:24.571332Z',
-      custom_metadata: null,
-      deletion_time: '2023-08-09T20:10:24.70176Z',
-      destroyed: false,
-      version: 2,
-    },
-  },
-};
-
-module('Unit | Adapter | kv/data', function (hooks) {
-  setupTest(hooks);
-  setupMirage(hooks);
-
-  hooks.beforeEach(function () {
-    this.store = this.owner.lookup('service:store');
-    this.version = this.owner.lookup('service:version');
-    this.version.version = 'example+ent'; // Required for testing control-group flow
-    this.secretMountPath = this.owner.lookup('service:secret-mount-path');
-    this.backend = 'my/kv-back&end';
-    this.secretMountPath.currentPath = this.backend;
-    this.path = 'beep/bop/my secret';
-    this.version = '2';
-    this.id = kvDataPath(this.backend, this.path, this.version);
-    this.data = {
-      options: {
-        cas: 2,
-      },
-      data: {
-        foo: 'bar',
-      },
-    };
-    this.payload = {
-      backend: this.backend,
-      path: this.path,
-      version: 2,
-    };
-    this.endpoint = (noun) => `${encodePath(this.backend)}/${noun}/${encodePath(this.path)}`;
-  });
-
-  test('it should make request to correct endpoint on createRecord', async function (assert) {
-    assert.expect(8);
-    this.server.post(this.endpoint('data'), (schema, req) => {
-      assert.ok('POST request made to correct endpoint when creating new record');
-      const body = JSON.parse(req.requestBody);
-      assert.deepEqual(body, {
-        data: {
-          foo: 'bar',
-        },
-        options: {
-          cas: 0,
-        },
-      });
-      return EXAMPLE_KV_DATA_CREATE_RESPONSE;
-    });
-    const record = this.store.createRecord('kv/data', {
-      backend: this.backend,
-      path: this.path,
-      secretData: { foo: 'bar' },
-      casVersion: 0,
-    });
-    await record.save();
-    assert.strictEqual(record.path, this.path, 'record has correct path');
-    assert.strictEqual(record.backend, this.backend, 'record has correct backend');
-    assert.strictEqual(record.version, 1, 'record has correct version');
-    assert.deepEqual(record.secretData, { foo: 'bar' }, 'record has correct data');
-    assert.strictEqual(record.createdTime, '2023-06-21T16:18:31.479993Z', 'record has correct createdTime');
-    assert.strictEqual(
-      record.id,
-      `${encodePath(this.backend)}/data/${encodePath(this.path)}?version=1`,
-      'record has correct id'
-    );
-  });
-
-  test('it should not send cas if casVersion is not a number', async function (assert) {
-    assert.expect(8);
-    this.server.post(this.endpoint('data'), (schema, req) => {
-      assert.ok('POST request made to correct endpoint when creating new record');
-      const body = JSON.parse(req.requestBody);
-      assert.deepEqual(body, {
-        data: {
-          foo: 'bar',
-        },
-      });
-      return EXAMPLE_KV_DATA_CREATE_RESPONSE;
-    });
-    const record = this.store.createRecord('kv/data', {
-      backend: this.backend,
-      path: this.path,
-      secretData: { foo: 'bar' },
-    });
-    await record.save();
-    assert.strictEqual(record.path, this.path, 'record has correct path');
-    assert.strictEqual(record.backend, this.backend, 'record has correct backend');
-    assert.strictEqual(record.version, 1, 'record has correct version');
-    assert.deepEqual(record.secretData, { foo: 'bar' }, 'record has correct data');
-    assert.strictEqual(record.createdTime, '2023-06-21T16:18:31.479993Z', 'record has correct createdTime');
-    assert.strictEqual(
-      record.id,
-      `${encodePath(this.backend)}/data/${encodePath(this.path)}?version=1`,
-      'record has correct id'
-    );
-  });
-
-  test('it should make request to correct endpoint on queryRecord', async function (assert) {
-    assert.expect(8);
-    this.server.get(this.endpoint('data'), (schema, req) => {
-      assert.ok(true, 'request is made to correct url on queryRecord.');
-      assert.strictEqual(
-        req.queryParams.version,
-        this.version,
-        'request includes the version flag on queryRecord.'
-      );
-      return EXAMPLE_KV_DATA_GET_RESPONSE;
-    });
-
-    const record = await this.store.queryRecord('kv/data', this.payload);
-    assert.strictEqual(record.path, this.path, 'record has correct path');
-    assert.strictEqual(record.backend, this.backend, 'record has correct backend');
-    assert.strictEqual(record.version, 2, 'record has correct version');
-    assert.deepEqual(record.secretData, { foo: 'bar' }, 'record has correct data');
-    assert.strictEqual(record.createdTime, '2023-06-20T21:26:47.592306Z', 'record has correct createdTime');
-    assert.strictEqual(
-      record.id,
-      `${encodePath(this.backend)}/data/${encodePath(this.path)}?version=${this.version}`,
-      'record has correct id'
-    );
-  });
-
-  test('it should handle a 404 not found response properly', async function (assert) {
-    assert.expect(1);
-    this.server.get(this.endpoint('data'), () => {
-      // This is what the API currently returns for not found
-      return new Response(404, {}, { errors: [] });
-    });
-
-    try {
-      await this.store.queryRecord('kv/data', this.payload);
-    } catch (e) {
-      assert.ok('throws the error');
-    }
-  });
-
-  test('it should handle a 403 permission denied properly', async function (assert) {
-    assert.expect(8);
-    this.server.get(this.endpoint('data'), (schema, req) => {
-      assert.ok(true, 'request is made to correct url on queryRecord.');
-      assert.strictEqual(
-        req.queryParams.version,
-        this.version,
-        'request includes the version flag on queryRecord.'
-      );
-      return new Response(403, {}, { errors: ['1 error occurred:\n\t* permission denied\n\n'] });
-    });
-
-    const record = await this.store.queryRecord('kv/data', this.payload);
-    assert.strictEqual(record.path, this.path, 'record has correct path');
-    assert.strictEqual(record.backend, this.backend, 'record has correct backend');
-    assert.strictEqual(record.version, 2, 'record has version based on request');
-    assert.strictEqual(record.secretData, undefined, 'record does not include data');
-    assert.strictEqual(record.failReadErrorCode, 403, 'record has error response recorded');
-    assert.strictEqual(
-      record.id,
-      `${encodePath(this.backend)}/data/${encodePath(this.path)}?version=${this.version}`,
-      'record has correct id'
-    );
-  });
-
-  test('it should handle a soft-deleted version properly', async function (assert) {
-    this.server.get(this.endpoint('data'), () => {
-      return new Response(404, {}, EXAMPLE_KV_DATA_DELETED);
-    });
-
-    const record = await this.store.queryRecord('kv/data', this.payload);
-    assert.strictEqual(record.path, this.path, 'record has correct path');
-    assert.strictEqual(record.backend, this.backend, 'record has correct backend');
-    assert.strictEqual(record.version, 2, 'record has version based on request');
-    assert.strictEqual(record.deletionTime, '2023-08-09T20:10:24.70176Z', 'record includes deletion time');
-    assert.strictEqual(record.failReadErrorCode, undefined, 'record does not have failed error code');
-    assert.strictEqual(
-      record.id,
-      `${encodePath(this.backend)}/data/${encodePath(this.path)}?version=${this.version}`,
-      'record has correct id'
-    );
-  });
-
-  test('it should handle a destroyed version properly', async function (assert) {
-    this.server.get(this.endpoint('data'), () => {
-      return new Response(404, {}, EXAMPLE_KV_DATA_DESTROYED);
-    });
-
-    const record = await this.store.queryRecord('kv/data', this.payload);
-    assert.strictEqual(record.path, this.path, 'record has correct path');
-    assert.strictEqual(record.backend, this.backend, 'record has correct backend');
-    assert.strictEqual(record.version, 2, 'record has version based on request');
-    assert.true(record.destroyed, 'record has destroyed value');
-    assert.strictEqual(record.failReadErrorCode, undefined, 'record does not have error code');
-    assert.strictEqual(
-      record.id,
-      `${encodePath(this.backend)}/data/${encodePath(this.path)}?version=${this.version}`,
-      'record has correct id'
-    );
-  });
-
-  test('it should handle a control group response properly', async function (assert) {
-    assert.expect(1);
-    this.server.get(this.endpoint('data'), () => {
-      return EXAMPLE_CONTROL_GROUP_RESPONSE;
-    });
-
-    try {
-      await this.store.queryRecord('kv/data', this.payload);
-    } catch (e) {
-      assert.ok('throws the error');
-    }
-  });
-
-  test('it should make request to correct endpoint on delete latest version', async function (assert) {
-    assert.expect(3);
-    this.server.delete(this.endpoint('data'), () => {
-      assert.ok(true, 'request made to correct endpoint on delete latest version.');
-      return new Response(204);
-    });
-
-    this.store.pushPayload('kv/data', {
-      modelName: 'kv/data',
-      id: this.id,
-      ...this.payload,
-    });
-    let record = await this.store.peekRecord('kv/data', this.id);
-    await record.destroyRecord({ adapterOptions: { deleteType: 'delete-latest-version' } });
-    assert.true(record.isDeleted, 'record is deleted');
-    record = await this.store.peekRecord('kv/data', this.id);
-    assert.strictEqual(record, null, 'record is no longer in store');
-  });
-
-  test('it should make request to correct endpoint on delete specific versions', async function (assert) {
-    assert.expect(4);
-    this.server.post(this.endpoint('delete'), (schema, req) => {
-      const { versions } = JSON.parse(req.requestBody);
-      assert.strictEqual(versions, 2, 'version array is sent in the payload.');
-      assert.ok(true, 'request made to correct endpoint on delete specific version.');
-    });
-
-    this.store.pushPayload('kv/data', {
-      modelName: 'kv/data',
-      id: this.id,
-      ...this.payload,
-    });
-    let record = await this.store.peekRecord('kv/data', this.id);
-    await record.destroyRecord({
-      adapterOptions: { deleteType: 'delete-version', deleteVersions: 2 },
-    });
-    assert.true(record.isDeleted, 'record is deleted');
-    record = await this.store.peekRecord('kv/data', this.id);
-    assert.strictEqual(record, null, 'record is no longer in store');
-  });
-
-  test('it should make request to correct endpoint on undelete', async function (assert) {
-    assert.expect(4);
-    this.server.post(`${this.backend}/undelete/${this.path}`, (schema, req) => {
-      const { versions } = JSON.parse(req.requestBody);
-      assert.strictEqual(versions, 2, 'version array is sent in the payload.');
-      assert.ok(true, 'request made to correct endpoint on undelete specific version.');
-    });
-
-    this.store.pushPayload('kv/data', {
-      modelName: 'kv/data',
-      id: this.id,
-      ...this.payload,
-    });
-    let record = await this.store.peekRecord('kv/data', this.id);
-
-    await record.destroyRecord({
-      adapterOptions: { deleteType: 'undelete', deleteVersions: 2 },
-    });
-    assert.true(record.isDeleted, 'record is deleted');
-    record = await this.store.peekRecord('kv/data', this.id);
-    assert.strictEqual(record, null, 'record is no longer in store');
-  });
-
-  test('it should make request to correct endpoint on destroy specific versions', async function (assert) {
-    assert.expect(4);
-    this.server.put(`${encodePath(this.backend)}/destroy/${encodePath(this.path)}`, (schema, req) => {
-      const { versions } = JSON.parse(req.requestBody);
-      assert.strictEqual(versions, 2, 'version array is sent in the payload.');
-      assert.ok(true, 'request made to correct endpoint on destroy specific version.');
-    });
-
-    this.store.pushPayload('kv/data', {
-      modelName: 'kv/data',
-      id: this.id,
-      ...this.payload,
-    });
-    let record = await this.store.peekRecord('kv/data', this.id);
-    await record.destroyRecord({
-      adapterOptions: { deleteType: 'destroy', deleteVersions: 2 },
-    });
-    assert.true(record.isDeleted, 'record is deleted');
-    record = await this.store.peekRecord('kv/data', this.id);
-    assert.strictEqual(record, null, 'record is no longer in store');
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"os"
+	"regexp"
+	"strings"
+
+	"github.com/hashicorp/vault/api"
+
+	"github.com/google/tink/go/kwp/subtle"
+
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
+)
+
+var (
+	_       cli.Command             = (*TransitImportCommand)(nil)
+	_       cli.CommandAutocomplete = (*TransitImportCommand)(nil)
+	keyPath                         = regexp.MustCompile("^(.*)/keys/([^/]*)$")
+)
+
+type TransitImportCommand struct {
+	*BaseCommand
+}
+
+func (c *TransitImportCommand) Synopsis() string {
+	return "Import a key into the Transit secrets engines."
+}
+
+func (c *TransitImportCommand) Help() string {
+	helpText := `
+Usage: vault transit import PATH KEY [options...]
+
+  Using the Transit key wrapping system, imports key material from
+  the base64 encoded KEY (either directly on the CLI or via @path notation),
+  into a new key whose API path is PATH.  To import a new version into an
+  existing key, use import_version.  The remaining options after KEY (key=value
+  style) are passed on to the Transit create key endpoint.  If your
+  system or device natively supports the RSA AES key wrap mechanism (such as
+  the PKCS#11 mechanism CKM_RSA_AES_KEY_WRAP), you should use it directly
+  rather than this command.
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *TransitImportCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP)
+}
+
+func (c *TransitImportCommand) AutocompleteArgs() complete.Predictor {
+	return nil
+}
+
+func (c *TransitImportCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *TransitImportCommand) Run(args []string) int {
+	return ImportKey(c.BaseCommand, "import", transitImportKeyPath, c.Flags(), args)
+}
+
+func transitImportKeyPath(s string, operation string) (path string, apiPath string, err error) {
+	parts := keyPath.FindStringSubmatch(s)
+	if len(parts) != 3 {
+		return "", "", errors.New("expected transit path and key name in the form :path:/keys/:name:")
+	}
+	path = parts[1]
+	keyName := parts[2]
+	apiPath = path + "/keys/" + keyName + "/" + operation
+
+	return path, apiPath, nil
+}
+
+type ImportKeyFunc func(s string, operation string) (path string, apiPath string, err error)
+
+// error codes: 1: user error, 2: internal computation error, 3: remote api call error
+func ImportKey(c *BaseCommand, operation string, pathFunc ImportKeyFunc, flags *FlagSets, args []string) int {
+	// Parse and validate the arguments.
+	if err := flags.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	args = flags.Args()
+	if len(args) < 2 {
+		c.UI.Error(fmt.Sprintf("Incorrect argument count (expected 2+, got %d). Wanted PATH to import into and KEY material.", len(args)))
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	ephemeralAESKey := make([]byte, 32)
+	_, err = rand.Read(ephemeralAESKey)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("failed to generate ephemeral key: %v", err))
+	}
+	path, apiPath, err := pathFunc(args[0], operation)
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+	keyMaterial := args[1]
+	if keyMaterial[0] == '@' {
+		keyMaterialBytes, err := os.ReadFile(keyMaterial[1:])
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("error reading key material file: %v", err))
+			return 1
+		}
+
+		keyMaterial = string(keyMaterialBytes)
+	}
+
+	key, err := base64.StdEncoding.DecodeString(keyMaterial)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("error base64 decoding source key material: %v", err))
+		return 1
+	}
+	// Fetch the wrapping key
+	c.UI.Output("Retrieving wrapping key.")
+	wrappingKey, err := fetchWrappingKey(client, path)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("failed to fetch wrapping key: %v", err))
+		return 3
+	}
+	c.UI.Output("Wrapping source key with ephemeral key.")
+	wrapKWP, err := subtle.NewKWP(ephemeralAESKey)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("failure building key wrapping key: %v", err))
+		return 2
+	}
+	wrappedTargetKey, err := wrapKWP.Wrap(key)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("failure wrapping source key: %v", err))
+		return 2
+	}
+	c.UI.Output("Encrypting ephemeral key with wrapping key.")
+	wrappedAESKey, err := rsa.EncryptOAEP(
+		sha256.New(),
+		rand.Reader,
+		wrappingKey,
+		ephemeralAESKey,
+		[]byte{},
+	)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("failure encrypting wrapped key: %v", err))
+		return 2
+	}
+	combinedCiphertext := append(wrappedAESKey, wrappedTargetKey...)
+	importCiphertext := base64.StdEncoding.EncodeToString(combinedCiphertext)
+
+	// Parse all the key options
+	data, err := parseArgsData(os.Stdin, args[2:])
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Failed to parse extra K=V data: %s", err))
+		return 1
+	}
+	if data == nil {
+		data = make(map[string]interface{}, 1)
+	}
+
+	data["ciphertext"] = importCiphertext
+
+	c.UI.Output("Submitting wrapped key.")
+	// Finally, call import
+
+	_, err = client.Logical().Write(apiPath, data)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("failed to call import:%v", err))
+		return 3
+	} else {
+		c.UI.Output("Success!")
+		return 0
+	}
+}
+
+func fetchWrappingKey(client *api.Client, path string) (*rsa.PublicKey, error) {
+	resp, err := client.Logical().Read(path + "/wrapping_key")
+	if err != nil {
+		return nil, fmt.Errorf("error fetching wrapping key: %w", err)
+	}
+	if resp == nil {
+		return nil, fmt.Errorf("no mount found at %s: %v", path, err)
+	}
+	key, ok := resp.Data["public_key"]
+	if !ok {
+		return nil, fmt.Errorf("missing public_key field in response")
+	}
+	keyBlock, _ := pem.Decode([]byte(key.(string)))
+	if keyBlock == nil {
+		return nil, fmt.Errorf("failed to decode PEM information from public_key response field")
+	}
+	parsedKey, err := x509.ParsePKIXPublicKey(keyBlock.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing wrapping key: %w", err)
+	}
+	rsaKey, ok := parsedKey.(*rsa.PublicKey)
+	if !ok {
+		return nil, fmt.Errorf("returned value was not an RSA public key but a %T", rsaKey)
+	}
+	return rsaKey, nil
+}
diff --git a/ui/tests/unit/services/control-group-test.js b/ui/tests/unit/services/control-group-test.js
index 6a477846702c..21884c0799ca 100644
--- a/ui/tests/unit/services/control-group-test.js
+++ b/ui/tests/unit/services/control-group-test.js
@@ -1,255 +1,200 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { set } from '@ember/object';
-import Service from '@ember/service';
-import { module, test } from 'qunit';
-import { setupTest } from 'ember-qunit';
-import sinon from 'sinon';
-
-import { storageKey, CONTROL_GROUP_PREFIX, TOKEN_SEPARATOR } from 'vault/services/control-group';
-
-const versionStub = Service.extend();
-
-function storage() {
-  return {
-    items: {},
-    getItem(key) {
-      var item = this.items[key];
-      return item && JSON.parse(item);
-    },
-
-    setItem(key, val) {
-      return (this.items[key] = JSON.stringify(val));
-    },
-
-    removeItem(key) {
-      delete this.items[key];
-    },
-
-    keys() {
-      return Object.keys(this.items);
-    },
-  };
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"bytes"
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/base64"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/vault/api"
+
+	"github.com/stretchr/testify/require"
+)
+
+// Validate the `vault transit import` command works.
+func TestTransitImport(t *testing.T) {
+	t.Parallel()
+
+	client, closer := testVaultServer(t)
+	defer closer()
+
+	if err := client.Sys().Mount("transit", &api.MountInput{
+		Type: "transit",
+	}); err != nil {
+		t.Fatalf("transit mount error: %#v", err)
+	}
+
+	// Force the generation of the Transit wrapping key now with a longer context
+	// to help the 32bit nightly tests. This creates a 4096-bit RSA key which can take
+	// a while on an overloaded system
+	genWrappingKeyCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
+	defer cancel()
+	if _, err := client.Logical().ReadWithContext(genWrappingKeyCtx, "transit/wrapping_key"); err != nil {
+		t.Fatalf("transit failed generating wrapping key: %#v", err)
+	}
+
+	rsa1, rsa2, aes128, aes256 := generateKeys(t)
+
+	type testCase struct {
+		variant    string
+		path       string
+		key        []byte
+		args       []string
+		shouldFail bool
+	}
+	tests := []testCase{
+		{
+			"import",
+			"transit/keys/rsa1",
+			rsa1,
+			[]string{"type=rsa-2048"},
+			false, /* first import */
+		},
+		{
+			"import",
+			"transit/keys/rsa1",
+			rsa2,
+			[]string{"type=rsa-2048"},
+			true, /* already exists */
+		},
+		{
+			"import-version",
+			"transit/keys/rsa1",
+			rsa2,
+			[]string{"type=rsa-2048"},
+			false, /* new version */
+		},
+		{
+			"import",
+			"transit/keys/rsa2",
+			rsa2,
+			[]string{"type=rsa-4096"},
+			true, /* wrong type */
+		},
+		{
+			"import",
+			"transit/keys/rsa2",
+			rsa2,
+			[]string{"type=rsa-2048"},
+			false, /* new name */
+		},
+		{
+			"import",
+			"transit/keys/aes1",
+			aes128,
+			[]string{"type=aes128-gcm96"},
+			false, /* first import */
+		},
+		{
+			"import",
+			"transit/keys/aes1",
+			aes256,
+			[]string{"type=aes256-gcm96"},
+			true, /* already exists */
+		},
+		{
+			"import-version",
+			"transit/keys/aes1",
+			aes256,
+			[]string{"type=aes256-gcm96"},
+			true, /* new version, different type */
+		},
+		{
+			"import-version",
+			"transit/keys/aes1",
+			aes128,
+			[]string{"type=aes128-gcm96"},
+			false, /* new version */
+		},
+		{
+			"import",
+			"transit/keys/aes2",
+			aes256,
+			[]string{"type=aes128-gcm96"},
+			true, /* wrong type */
+		},
+		{
+			"import",
+			"transit/keys/aes2",
+			aes256,
+			[]string{"type=aes256-gcm96"},
+			false, /* new name */
+		},
+	}
+
+	for index, tc := range tests {
+		t.Logf("Running test case %d: %v", index, tc)
+		execTransitImport(t, client, tc.variant, tc.path, tc.key, tc.args, tc.shouldFail)
+	}
 }
 
-module('Unit | Service | control group', function (hooks) {
-  setupTest(hooks);
-
-  hooks.beforeEach(function () {
-    this.owner.register('service:version', versionStub);
-    this.version = this.owner.lookup('service:version');
-    this.router = this.owner.lookup('service:router');
-    this.router.reopen({
-      transitionTo: sinon.stub(),
-      urlFor: sinon.stub().returns('/ui/vault/foo'),
-      currentURL: '/vault/secrets/kv/show/foo',
-    });
-  });
-
-  hooks.afterEach(function () {});
-
-  const isOSS = (context) => set(context, 'version.isOSS', true);
-  const isEnt = (context) => set(context, 'version.isOSS', false);
-  const resolvesArgs = (assert, result, expectedArgs) => {
-    return result.then((...args) => {
-      return assert.deepEqual(args, expectedArgs, 'resolves with the passed args');
-    });
-  };
-
-  [
-    [
-      'it resolves isOSS:true, wrapTTL: true, response: has wrap_info',
-      isOSS,
-      [[{ one: 'two', three: 'four' }], { wrap_info: { token: 'foo', accessor: 'bar' } }, true],
-      (assert, result) => resolvesArgs(assert, result, [{ one: 'two', three: 'four' }]),
-    ],
-    [
-      'it resolves isOSS:true, wrapTTL: false, response: has no wrap_info',
-      isOSS,
-      [[{ one: 'two', three: 'four' }], { wrap_info: null }, false],
-      (assert, result) => resolvesArgs(assert, result, [{ one: 'two', three: 'four' }]),
-    ],
-    [
-      'it resolves isOSS: false and wrapTTL:true response: has wrap_info',
-      isEnt,
-      [[{ one: 'two', three: 'four' }], { wrap_info: { token: 'foo', accessor: 'bar' } }, true],
-      (assert, result) => resolvesArgs(assert, result, [{ one: 'two', three: 'four' }]),
-    ],
-    [
-      'it resolves isOSS: false and wrapTTL:false response: has no wrap_info',
-      isEnt,
-      [[{ one: 'two', three: 'four' }], { wrap_info: null }, false],
-      (assert, result) => resolvesArgs(assert, result, [{ one: 'two', three: 'four' }]),
-    ],
-    [
-      'it rejects isOSS: false, wrapTTL:false, response: has wrap_info',
-      isEnt,
-      [
-        [{ one: 'two', three: 'four' }],
-        { foo: 'bar', wrap_info: { token: 'secret', accessor: 'lookup' } },
-        false,
-      ],
-      (assert, result) => {
-        // ensure failure if we ever don't reject
-        assert.expect(2);
-
-        return result.then(
-          () => {},
-          (err) => {
-            assert.strictEqual(err.token, 'secret');
-            assert.strictEqual(err.accessor, 'lookup');
-          }
-        );
-      },
-    ],
-  ].forEach(function ([name, setup, args, expectation]) {
-    test(`checkForControlGroup: ${name}`, function (assert) {
-      const assertCount = name === 'it rejects isOSS: false, wrapTTL:false, response: has wrap_info' ? 2 : 1;
-      assert.expect(assertCount);
-      if (setup) {
-        setup(this);
-      }
-      const service = this.owner.lookup('service:control-group');
-      const result = service.checkForControlGroup(...args);
-      return expectation(assert, result);
-    });
-  });
-
-  test(`handleError: transitions to accessor and stores control group token`, function (assert) {
-    const error = {
-      accessor: '12345',
-      token: 'token',
-      creation_path: 'kv/',
-      creation_time: '2022-03-17T20:00:25.594Z',
-      ttl: 400,
-    };
-    const expected = { ...error, uiParams: { url: '/vault/secrets/kv/show/foo' } };
-    const service = this.owner.factoryFor('service:control-group').create({
-      storeControlGroupToken: sinon.spy(),
-    });
-    service.handleError(error);
-    assert.ok(service.storeControlGroupToken.calledWith(expected), 'calls storeControlGroupToken');
-    assert.ok(
-      this.router.transitionTo.calledWith('vault.cluster.access.control-group-accessor', '12345'),
-      'calls router transitionTo'
-    );
-  });
-
-  test(`logFromError: returns correct content string`, function (assert) {
-    const error = {
-      accessor: '12345',
-      token: 'token',
-      creation_path: 'kv/',
-      creation_time: '2022-03-17T20:00:25.594Z',
-      ttl: 400,
-    };
-    const service = this.owner.factoryFor('service:control-group').create({
-      storeControlGroupToken: sinon.spy(),
-    });
-    const contentString = service.logFromError(error);
-    assert.ok(
-      this.router.urlFor.calledWith('vault.cluster.access.control-group-accessor', '12345'),
-      'calls urlFor with accessor'
-    );
-    assert.ok(service.storeControlGroupToken.calledWith(error), 'calls storeControlGroupToken');
-    assert.ok(contentString.content.includes('12345'), 'contains accessor');
-    assert.ok(contentString.content.includes('kv/'), 'contains creation path');
-    assert.ok(contentString.content.includes('token'), 'contains token');
-  });
-
-  test('storageKey', function (assert) {
-    const accessor = '12345';
-    const path = 'kv/foo/bar';
-    const expectedKey = `${CONTROL_GROUP_PREFIX}${accessor}${TOKEN_SEPARATOR}${path}`;
-    assert.strictEqual(storageKey(accessor, path), expectedKey, 'uses expected key');
-  });
-
-  test('keyFromAccessor', function (assert) {
-    const store = storage();
-    const accessor = '12345';
-    const path = 'kv/foo/bar';
-    const data = { foo: 'bar' };
-    const expectedKey = `${CONTROL_GROUP_PREFIX}${accessor}${TOKEN_SEPARATOR}${path}`;
-    const subject = this.owner.factoryFor('service:control-group').create({
-      storage() {
-        return store;
-      },
-    });
-
-    store.setItem(expectedKey, data);
-    store.setItem(`${CONTROL_GROUP_PREFIX}2345${TOKEN_SEPARATOR}${path}`, 'ok');
-
-    assert.strictEqual(subject.keyFromAccessor(accessor), expectedKey, 'finds key given the accessor');
-    assert.strictEqual(subject.keyFromAccessor('foo'), null, 'returns null if no key was found');
-  });
-
-  test('storeControlGroupToken', function (assert) {
-    const store = storage();
-    const subject = this.owner.factoryFor('service:control-group').create({
-      storage() {
-        return store;
-      },
-    });
-    const info = {
-      accessor: '12345',
-      creation_path: 'foo/',
-      creation_time: '2022-03-17T20:00:25.594Z',
-      ttl: 300,
-    };
-    const key = `${CONTROL_GROUP_PREFIX}${info.accessor}${TOKEN_SEPARATOR}${info.creation_path}`;
-
-    subject.storeControlGroupToken(info);
-    assert.deepEqual(store.items[key], JSON.stringify(info), 'stores the whole info object');
-  });
-
-  test('deleteControlGroupToken', function (assert) {
-    const store = storage();
-    const subject = this.owner.factoryFor('service:control-group').create({
-      storage() {
-        return store;
-      },
-    });
-    const accessor = 'foo';
-    const path = 'kv/one';
-
-    const expectedKey = `${CONTROL_GROUP_PREFIX}${accessor}${TOKEN_SEPARATOR}${path}`;
-    store.setItem(expectedKey, { one: '2' });
-    subject.deleteControlGroupToken(accessor);
-    assert.strictEqual(Object.keys(store.items).length, 0, 'there are no keys stored in storage');
-  });
-
-  test('deleteTokens', function (assert) {
-    const store = storage();
-    const subject = this.owner.factoryFor('service:control-group').create({
-      storage() {
-        return store;
-      },
-    });
-
-    const keyOne = `${CONTROL_GROUP_PREFIX}foo`;
-    const keyTwo = `${CONTROL_GROUP_PREFIX}bar`;
-    store.setItem(keyOne, { one: '2' });
-    store.setItem(keyTwo, { two: '2' });
-    store.setItem('value', 'one');
-    assert.strictEqual(Object.keys(store.items).length, 3, 'stores 3 values');
-    subject.deleteTokens();
-    assert.strictEqual(Object.keys(store.items).length, 1, 'removes tokens with control group prefix');
-    assert.strictEqual(store.getItem('value'), 'one', 'keeps the non-prefixed value');
-  });
-
-  test('wrapInfoForAccessor', function (assert) {
-    const store = storage();
-    const subject = this.owner.factoryFor('service:control-group').create({
-      storage() {
-        return store;
-      },
-    });
-
-    const keyOne = `${CONTROL_GROUP_PREFIX}foo`;
-    store.setItem(keyOne, { one: '2' });
-    assert.deepEqual(subject.wrapInfoForAccessor('foo'), { one: '2' });
-  });
-});
+func execTransitImport(t *testing.T, client *api.Client, method string, path string, key []byte, data []string, expectFailure bool) {
+	t.Helper()
+
+	keyBase64 := base64.StdEncoding.EncodeToString(key)
+
+	var args []string
+	args = append(args, "transit")
+	args = append(args, method)
+	args = append(args, path)
+	args = append(args, keyBase64)
+	args = append(args, data...)
+
+	stdout := bytes.NewBuffer(nil)
+	stderr := bytes.NewBuffer(nil)
+	runOpts := &RunOptions{
+		Stdout: stdout,
+		Stderr: stderr,
+		Client: client,
+	}
+
+	code := RunCustom(args, runOpts)
+	combined := stdout.String() + stderr.String()
+
+	if code != 0 {
+		if !expectFailure {
+			t.Fatalf("Got unexpected failure from test (ret %d): %v", code, combined)
+		}
+	} else {
+		if expectFailure {
+			t.Fatalf("Expected failure, got success from test (ret %d): %v", code, combined)
+		}
+	}
+}
+
+func generateKeys(t *testing.T) (rsa1 []byte, rsa2 []byte, aes128 []byte, aes256 []byte) {
+	t.Helper()
+
+	priv1, err := rsa.GenerateKey(rand.Reader, 2048)
+	require.NotNil(t, priv1, "failed generating RSA 1 key")
+	require.NoError(t, err, "failed generating RSA 1 key")
+
+	rsa1, err = x509.MarshalPKCS8PrivateKey(priv1)
+	require.NotNil(t, rsa1, "failed marshaling RSA 1 key")
+	require.NoError(t, err, "failed marshaling RSA 1 key")
+
+	priv2, err := rsa.GenerateKey(rand.Reader, 2048)
+	require.NotNil(t, priv2, "failed generating RSA 2 key")
+	require.NoError(t, err, "failed generating RSA 2 key")
+
+	rsa2, err = x509.MarshalPKCS8PrivateKey(priv2)
+	require.NotNil(t, rsa2, "failed marshaling RSA 2 key")
+	require.NoError(t, err, "failed marshaling RSA 2 key")
+
+	aes128 = make([]byte, 128/8)
+	_, err = rand.Read(aes128)
+	require.NoError(t, err, "failed generating AES 128 key")
+
+	aes256 = make([]byte, 256/8)
+	_, err = rand.Read(aes256)
+	require.NoError(t, err, "failed generating AES 256 key")
+
+	return
+}
diff --git a/ui/tests/unit/services/version-test.js b/ui/tests/unit/services/version-test.js
index 1bc1ca4d7785..cf248554f779 100644
--- a/ui/tests/unit/services/version-test.js
+++ b/ui/tests/unit/services/version-test.js
@@ -1,46 +1,58 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupTest } from 'ember-qunit';
-
-module('Unit | Service | version', function (hooks) {
-  setupTest(hooks);
-
-  test('setting version computes isOSS properly', function (assert) {
-    const service = this.owner.lookup('service:version');
-    service.version = '0.9.5';
-    assert.true(service.isOSS);
-    assert.false(service.isEnterprise);
-  });
-
-  test('setting version computes isEnterprise properly', function (assert) {
-    const service = this.owner.lookup('service:version');
-    service.version = '0.9.5+ent';
-    assert.false(service.isOSS);
-    assert.true(service.isEnterprise);
-  });
-
-  test('setting version with hsm ending computes isEnterprise properly', function (assert) {
-    const service = this.owner.lookup('service:version');
-    service.version = '0.9.5+ent.hsm';
-    assert.false(service.isOSS);
-    assert.true(service.isEnterprise);
-  });
-
-  test('hasPerfReplication', function (assert) {
-    const service = this.owner.lookup('service:version');
-    assert.false(service.hasPerfReplication);
-    service.features = ['Performance Replication'];
-    assert.true(service.hasPerfReplication);
-  });
-
-  test('hasDRReplication', function (assert) {
-    const service = this.owner.lookup('service:version');
-    assert.false(service.hasDRReplication);
-    service.features = ['DR Replication'];
-    assert.true(service.hasDRReplication);
-  });
-});
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
+)
+
+var (
+	_ cli.Command             = (*TransitImportVersionCommand)(nil)
+	_ cli.CommandAutocomplete = (*TransitImportVersionCommand)(nil)
+)
+
+type TransitImportVersionCommand struct {
+	*BaseCommand
+}
+
+func (c *TransitImportVersionCommand) Synopsis() string {
+	return "Import key material into a new key version in the Transit secrets engines."
+}
+
+func (c *TransitImportVersionCommand) Help() string {
+	helpText := `
+Usage: vault transit import-version PATH KEY [...]
+
+  Using the Transit key wrapping system, imports key material from
+  the base64 encoded KEY (either directly on the CLI or via @path notation),
+  into a new key whose API path is PATH.  To import a new Transit
+  key, use the import command instead.  The remaining options after KEY
+  (key=value style) are passed on to the Transit create key endpoint.
+  If your system or device natively supports the RSA AES key wrap mechanism
+  (such as the PKCS#11 mechanism CKM_RSA_AES_KEY_WRAP), you should use it
+  directly rather than this command.
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *TransitImportVersionCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP)
+}
+
+func (c *TransitImportVersionCommand) AutocompleteArgs() complete.Predictor {
+	return nil
+}
+
+func (c *TransitImportVersionCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *TransitImportVersionCommand) Run(args []string) int {
+	return ImportKey(c.BaseCommand, "import_version", transitImportKeyPath, c.Flags(), args)
+}
diff --git a/ui/tests/unit/utils/sanitize-path-test.js b/ui/tests/unit/utils/sanitize-path-test.js
index cdde888100c9..d67841c371b9 100644
--- a/ui/tests/unit/utils/sanitize-path-test.js
+++ b/ui/tests/unit/utils/sanitize-path-test.js
@@ -4,20 +4,65 @@
  */
 
 import { module, test } from 'qunit';
-import { ensureTrailingSlash, sanitizePath } from 'core/utils/sanitize-path';
-
-module('Unit | Utility | sanitize-path', function () {
-  test('it removes spaces and slashes from either side', function (assert) {
-    assert.strictEqual(
-      sanitizePath(' /foo/bar/baz/ '),
-      'foo/bar/baz',
-      'removes spaces and slashes on either side'
-    );
-    assert.strictEqual(sanitizePath('//foo/bar/baz/'), 'foo/bar/baz', 'removes more than one slash');
+import { setupRenderingTest } from 'vault/tests/helpers';
+import { click, render } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import sinon from 'sinon';
+import { allEngines, mountableEngines } from 'vault/helpers/mountable-secret-engines';
+import { allMethods, methods } from 'vault/helpers/mountable-auth-methods';
+
+const secretTypes = mountableEngines().map((engine) => engine.type);
+const allSecretTypes = allEngines().map((engine) => engine.type);
+const authTypes = methods().map((auth) => auth.type);
+const allAuthTypes = allMethods().map((auth) => auth.type);
+
+module('Integration | Component | mount-backend/type-form', function (hooks) {
+  setupRenderingTest(hooks);
+
+  hooks.beforeEach(function () {
+    this.setType = sinon.spy();
+  });
+
+  test('it calls secrets setMountType when type is selected', async function (assert) {
+    const spy = sinon.spy();
+    this.set('setType', spy);
+    await render(hbs`<MountBackend::TypeForm @mountType="secret" @setMountType={{this.setType}} />`);
+
+    assert
+      .dom('[data-test-mount-type]')
+      .exists({ count: secretTypes.length }, 'Renders all mountable engines');
+    await click(`[data-test-mount-type="ssh"]`);
+    assert.ok(spy.calledOnceWith('ssh'));
   });
 
-  test('#ensureTrailingSlash', function (assert) {
-    assert.strictEqual(ensureTrailingSlash('foo/bar'), 'foo/bar/', 'adds trailing slash');
-    assert.strictEqual(ensureTrailingSlash('baz/'), 'baz/', 'keeps trailing slash if there is one');
+  test('it calls auth setMountType when type is selected', async function (assert) {
+    const spy = sinon.spy();
+    this.set('setType', spy);
+    await render(hbs`<MountBackend::TypeForm @setMountType={{this.setType}} />`);
+
+    assert
+      .dom('[data-test-mount-type]')
+      .exists({ count: authTypes.length }, 'Renders all mountable auth methods');
+    await click(`[data-test-mount-type="okta"]`);
+    assert.ok(spy.calledOnceWith('okta'));
+  });
+
+  module('Enterprise', function (hooks) {
+    hooks.beforeEach(function () {
+      this.version = this.owner.lookup('service:version');
+      this.version.type = 'enterprise';
+    });
+
+    test('it renders correct items for enterprise secrets', async function (assert) {
+      await render(hbs`<MountBackend::TypeForm @mountType="secret" @setMountType={{this.setType}} />`);
+      assert
+        .dom('[data-test-mount-type]')
+        .exists({ count: allSecretTypes.length }, 'Renders all secret engines');
+    });
+
+    test('it renders correct items for enterprise auth methods', async function (assert) {
+      await render(hbs`<MountBackend::TypeForm @mountType="auth" @setMountType={{this.setType}} />`);
+      assert.dom('[data-test-mount-type]').exists({ count: allAuthTypes.length }, 'Renders all auth methods');
+    });
   });
 });
diff --git a/ui/yarn.lock b/ui/yarn.lock
index ee60cec2407d..ebaca1beae08 100644
--- a/ui/yarn.lock
+++ b/ui/yarn.lock
@@ -1,26846 +1,73 @@
-# This file is generated by running "yarn install" inside your project.
-# Manual changes might be lost - proceed with caution!
-
-__metadata:
-  version: 6
-  cacheKey: 8
-
-"@aashutoshrathi/word-wrap@npm:^1.2.3":
-  version: 1.2.6
-  resolution: "@aashutoshrathi/word-wrap@npm:1.2.6"
-  checksum: ada901b9e7c680d190f1d012c84217ce0063d8f5c5a7725bb91ec3c5ed99bb7572680eb2d2938a531ccbaec39a95422fcd8a6b4a13110c7d98dd75402f66a0cd
-  languageName: node
-  linkType: hard
-
-"@ampproject/remapping@npm:^2.1.0":
-  version: 2.1.2
-  resolution: "@ampproject/remapping@npm:2.1.2"
-  dependencies:
-    "@jridgewell/trace-mapping": ^0.3.0
-  checksum: e023f92cdd9723f3042cde3b4d922adfeef0e198aa73486b0b6c034ad36af5f96e5c0cc72b335b30b2eb9852d907efc92af6bfcd3f4b4d286177ee32a189cf92
-  languageName: node
-  linkType: hard
-
-"@ampproject/remapping@npm:^2.2.0":
-  version: 2.2.1
-  resolution: "@ampproject/remapping@npm:2.2.1"
-  dependencies:
-    "@jridgewell/gen-mapping": ^0.3.0
-    "@jridgewell/trace-mapping": ^0.3.9
-  checksum: 03c04fd526acc64a1f4df22651186f3e5ef0a9d6d6530ce4482ec9841269cf7a11dbb8af79237c282d721c5312024ff17529cd72cc4768c11e999b58e2302079
-  languageName: node
-  linkType: hard
-
-"@babel/code-frame@npm:^7.0.0":
-  version: 7.12.13
-  resolution: "@babel/code-frame@npm:7.12.13"
-  dependencies:
-    "@babel/highlight": ^7.12.13
-  checksum: d0491bb59fb8d7a763cb175c5504818cfd3647321d8eedb9173336d5c47dccce248628ee68b3ed3586c5efc753d8d990ceafe956f707dcf92572a1661b92b1ef
-  languageName: node
-  linkType: hard
-
-"@babel/code-frame@npm:^7.12.13, @babel/code-frame@npm:^7.16.0":
-  version: 7.16.0
-  resolution: "@babel/code-frame@npm:7.16.0"
-  dependencies:
-    "@babel/highlight": ^7.16.0
-  checksum: 8961d0302ec6b8c2e9751a11e06a17617425359fd1645e4dae56a90a03464c68a0916115100fbcd030961870313f21865d0b85858360a2c68aabdda744393607
-  languageName: node
-  linkType: hard
-
-"@babel/code-frame@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/code-frame@npm:7.16.7"
-  dependencies:
-    "@babel/highlight": ^7.16.7
-  checksum: db2f7faa31bc2c9cf63197b481b30ea57147a5fc1a6fab60e5d6c02cdfbf6de8e17b5121f99917b3dabb5eeb572da078312e70697415940383efc140d4e0808b
-  languageName: node
-  linkType: hard
-
-"@babel/code-frame@npm:^7.18.6":
-  version: 7.18.6
-  resolution: "@babel/code-frame@npm:7.18.6"
-  dependencies:
-    "@babel/highlight": ^7.18.6
-  checksum: 195e2be3172d7684bf95cff69ae3b7a15a9841ea9d27d3c843662d50cdd7d6470fd9c8e64be84d031117e4a4083486effba39f9aef6bbb2c89f7f21bcfba33ba
-  languageName: node
-  linkType: hard
-
-"@babel/code-frame@npm:^7.22.5":
-  version: 7.22.5
-  resolution: "@babel/code-frame@npm:7.22.5"
-  dependencies:
-    "@babel/highlight": ^7.22.5
-  checksum: cfe804f518f53faaf9a1d3e0f9f74127ab9a004912c3a16fda07fb6a633393ecb9918a053cb71804204c1b7ec3d49e1699604715e2cfb0c9f7bc4933d324ebb6
-  languageName: node
-  linkType: hard
-
-"@babel/compat-data@npm:^7.13.11, @babel/compat-data@npm:^7.13.8, @babel/compat-data@npm:^7.14.0, @babel/compat-data@npm:^7.16.0":
-  version: 7.16.4
-  resolution: "@babel/compat-data@npm:7.16.4"
-  checksum: 4949ce54eafc4b38d5623696a872acaaced1a523605708d81c2c483253941917d90dae0de40fc01e152ae56075dadd89c23014da5a632b09c001a716fa689cae
-  languageName: node
-  linkType: hard
-
-"@babel/compat-data@npm:^7.16.8, @babel/compat-data@npm:^7.17.0, @babel/compat-data@npm:^7.17.7":
-  version: 7.17.7
-  resolution: "@babel/compat-data@npm:7.17.7"
-  checksum: bf13476676884ce9afc199747ff82f3bcd6d42a9cfb01ce91bdb762b83ea11ec619b6ec532d1a80469ab14f191f33b5d4b9f8796fa8be3bc728d42b0c5e737e3
-  languageName: node
-  linkType: hard
-
-"@babel/compat-data@npm:^7.17.10":
-  version: 7.17.10
-  resolution: "@babel/compat-data@npm:7.17.10"
-  checksum: e85051087cd4690de5061909a2dd2d7f8b6434a3c2e30be6c119758db2027ae1845bcd75a81127423dd568b706ac6994a1a3d7d701069a23bf5cfe900728290b
-  languageName: node
-  linkType: hard
-
-"@babel/compat-data@npm:^7.19.0":
-  version: 7.19.0
-  resolution: "@babel/compat-data@npm:7.19.0"
-  checksum: f90d25a3779578c230ad0632e12ffd5ee1033614dee2786f7f1567823a78923da7185638eedd7166f31e4771a3398ae6a28ab8e680b96cc25bafb38a3b66ff11
-  languageName: node
-  linkType: hard
-
-"@babel/compat-data@npm:^7.22.9":
-  version: 7.22.9
-  resolution: "@babel/compat-data@npm:7.22.9"
-  checksum: bed77d9044ce948b4327b30dd0de0779fa9f3a7ed1f2d31638714ed00229fa71fc4d1617ae0eb1fad419338d3658d0e9a5a083297451e09e73e078d0347ff808
-  languageName: node
-  linkType: hard
-
-"@babel/core@npm:^7.0.0, @babel/core@npm:^7.12.0, @babel/core@npm:^7.3.4":
-  version: 7.16.0
-  resolution: "@babel/core@npm:7.16.0"
-  dependencies:
-    "@babel/code-frame": ^7.16.0
-    "@babel/generator": ^7.16.0
-    "@babel/helper-compilation-targets": ^7.16.0
-    "@babel/helper-module-transforms": ^7.16.0
-    "@babel/helpers": ^7.16.0
-    "@babel/parser": ^7.16.0
-    "@babel/template": ^7.16.0
-    "@babel/traverse": ^7.16.0
-    "@babel/types": ^7.16.0
-    convert-source-map: ^1.7.0
-    debug: ^4.1.0
-    gensync: ^1.0.0-beta.2
-    json5: ^2.1.2
-    semver: ^6.3.0
-    source-map: ^0.5.0
-  checksum: a140f669daa90c774016a76b1f85641975333c1c219ae0a8e65d8b4c316836e918276e0dfd55613b14f8e578406a92393d4368a63bdd5d0708122976ee2ee8e3
-  languageName: node
-  linkType: hard
-
-"@babel/core@npm:^7.1.6, @babel/core@npm:^7.12.3":
-  version: 7.14.0
-  resolution: "@babel/core@npm:7.14.0"
-  dependencies:
-    "@babel/code-frame": ^7.12.13
-    "@babel/generator": ^7.14.0
-    "@babel/helper-compilation-targets": ^7.13.16
-    "@babel/helper-module-transforms": ^7.14.0
-    "@babel/helpers": ^7.14.0
-    "@babel/parser": ^7.14.0
-    "@babel/template": ^7.12.13
-    "@babel/traverse": ^7.14.0
-    "@babel/types": ^7.14.0
-    convert-source-map: ^1.7.0
-    debug: ^4.1.0
-    gensync: ^1.0.0-beta.2
-    json5: ^2.1.2
-    semver: ^6.3.0
-    source-map: ^0.5.0
-  checksum: de02309584587690b6f184d808027676b7d827a502c0ccbfc0939fd168230ec5084b727a7de437216f9f20273cf04860b902ecf5edcfabcf876b5ac108be26d1
-  languageName: node
-  linkType: hard
-
-"@babel/core@npm:^7.13.10":
-  version: 7.17.8
-  resolution: "@babel/core@npm:7.17.8"
-  dependencies:
-    "@ampproject/remapping": ^2.1.0
-    "@babel/code-frame": ^7.16.7
-    "@babel/generator": ^7.17.7
-    "@babel/helper-compilation-targets": ^7.17.7
-    "@babel/helper-module-transforms": ^7.17.7
-    "@babel/helpers": ^7.17.8
-    "@babel/parser": ^7.17.8
-    "@babel/template": ^7.16.7
-    "@babel/traverse": ^7.17.3
-    "@babel/types": ^7.17.0
-    convert-source-map: ^1.7.0
-    debug: ^4.1.0
-    gensync: ^1.0.0-beta.2
-    json5: ^2.1.2
-    semver: ^6.3.0
-  checksum: 0e686b1be444d25494424065238931f2b3df908bf072b72bab973acfd6d27a481fc280c9cd8a3c6fe2c46beee50e0d2307468d8b15b64dc4036f025e75f6609d
-  languageName: node
-  linkType: hard
-
-"@babel/core@npm:^7.16.10":
-  version: 7.19.0
-  resolution: "@babel/core@npm:7.19.0"
-  dependencies:
-    "@ampproject/remapping": ^2.1.0
-    "@babel/code-frame": ^7.18.6
-    "@babel/generator": ^7.19.0
-    "@babel/helper-compilation-targets": ^7.19.0
-    "@babel/helper-module-transforms": ^7.19.0
-    "@babel/helpers": ^7.19.0
-    "@babel/parser": ^7.19.0
-    "@babel/template": ^7.18.10
-    "@babel/traverse": ^7.19.0
-    "@babel/types": ^7.19.0
-    convert-source-map: ^1.7.0
-    debug: ^4.1.0
-    gensync: ^1.0.0-beta.2
-    json5: ^2.2.1
-    semver: ^6.3.0
-  checksum: 0d5b52b552e215802d2fd7b266611c390d90b28dece09db8a142666c32928c5d404eb72a95630b4cb726c4d80a53fcdc2d6464cd7ad28bb26087475f1b2205e2
-  languageName: node
-  linkType: hard
-
-"@babel/core@npm:^7.16.7":
-  version: 7.18.2
-  resolution: "@babel/core@npm:7.18.2"
-  dependencies:
-    "@ampproject/remapping": ^2.1.0
-    "@babel/code-frame": ^7.16.7
-    "@babel/generator": ^7.18.2
-    "@babel/helper-compilation-targets": ^7.18.2
-    "@babel/helper-module-transforms": ^7.18.0
-    "@babel/helpers": ^7.18.2
-    "@babel/parser": ^7.18.0
-    "@babel/template": ^7.16.7
-    "@babel/traverse": ^7.18.2
-    "@babel/types": ^7.18.2
-    convert-source-map: ^1.7.0
-    debug: ^4.1.0
-    gensync: ^1.0.0-beta.2
-    json5: ^2.2.1
-    semver: ^6.3.0
-  checksum: 14a4142c12e004cd2477b7610408d5788ee5dd821ee9e4de204cbb72d9c399d858d9deabc3d49914d5d7c2927548160c19bdc7524b1a9f6acc1ec96a8d9848dd
-  languageName: node
-  linkType: hard
-
-"@babel/core@npm:^7.20.2, @babel/core@npm:^7.21.0":
-  version: 7.22.9
-  resolution: "@babel/core@npm:7.22.9"
-  dependencies:
-    "@ampproject/remapping": ^2.2.0
-    "@babel/code-frame": ^7.22.5
-    "@babel/generator": ^7.22.9
-    "@babel/helper-compilation-targets": ^7.22.9
-    "@babel/helper-module-transforms": ^7.22.9
-    "@babel/helpers": ^7.22.6
-    "@babel/parser": ^7.22.7
-    "@babel/template": ^7.22.5
-    "@babel/traverse": ^7.22.8
-    "@babel/types": ^7.22.5
-    convert-source-map: ^1.7.0
-    debug: ^4.1.0
-    gensync: ^1.0.0-beta.2
-    json5: ^2.2.2
-    semver: ^6.3.1
-  checksum: 7bf069aeceb417902c4efdaefab1f7b94adb7dea694a9aed1bda2edf4135348a080820529b1a300c6f8605740a00ca00c19b2d5e74b5dd489d99d8c11d5e56d1
-  languageName: node
-  linkType: hard
-
-"@babel/eslint-parser@npm:^7.21.3":
-  version: 7.22.9
-  resolution: "@babel/eslint-parser@npm:7.22.9"
-  dependencies:
-    "@nicolo-ribaudo/eslint-scope-5-internals": 5.1.1-v1
-    eslint-visitor-keys: ^2.1.0
-    semver: ^6.3.1
-  peerDependencies:
-    "@babel/core": ">=7.11.0"
-    eslint: ^7.5.0 || ^8.0.0
-  checksum: 4f417796c803056aad2c8fa69b8a7a78a1fdacc307d95702f22894cab42b83554e47de7d0b3cfbee667f25014bca0179f859aa86ceb684b09803192e1200b48d
-  languageName: node
-  linkType: hard
-
-"@babel/generator@npm:^7.14.0, @babel/generator@npm:^7.16.0":
-  version: 7.16.0
-  resolution: "@babel/generator@npm:7.16.0"
-  dependencies:
-    "@babel/types": ^7.16.0
-    jsesc: ^2.5.1
-    source-map: ^0.5.0
-  checksum: 9ff53e0db72a225c8783c4a277698b4efcead750542ebb9cff31732ba62d092090715a772df10a323446924712f6928ad60c03db4e7051bed3a9701b552d51fb
-  languageName: node
-  linkType: hard
-
-"@babel/generator@npm:^7.17.3, @babel/generator@npm:^7.17.7":
-  version: 7.17.7
-  resolution: "@babel/generator@npm:7.17.7"
-  dependencies:
-    "@babel/types": ^7.17.0
-    jsesc: ^2.5.1
-    source-map: ^0.5.0
-  checksum: e7344b9b4559115f2754ecc2ae9508412ea6a8f617544cd3d3f17cabc727bd30630765f96c8a4ebc8901ded1492a3a6c23d695a4f1e8f3042f860b30c891985c
-  languageName: node
-  linkType: hard
-
-"@babel/generator@npm:^7.18.2":
-  version: 7.18.2
-  resolution: "@babel/generator@npm:7.18.2"
-  dependencies:
-    "@babel/types": ^7.18.2
-    "@jridgewell/gen-mapping": ^0.3.0
-    jsesc: ^2.5.1
-  checksum: d0661e95532ddd97566d41fec26355a7b28d1cbc4df95fe80cc084c413342935911b48db20910708db39714844ddd614f61c2ec4cca3fb10181418bdcaa2e7a3
-  languageName: node
-  linkType: hard
-
-"@babel/generator@npm:^7.19.0":
-  version: 7.19.0
-  resolution: "@babel/generator@npm:7.19.0"
-  dependencies:
-    "@babel/types": ^7.19.0
-    "@jridgewell/gen-mapping": ^0.3.2
-    jsesc: ^2.5.1
-  checksum: aa3d5785cf8f8e81672dcc61aef351188efeadb20d9f66d79113d82cbcf3bbbdeb829989fa14582108572ddbc4e4027bdceb06ccaf5ec40fa93c2dda8fbcd4aa
-  languageName: node
-  linkType: hard
-
-"@babel/generator@npm:^7.22.7, @babel/generator@npm:^7.22.9":
-  version: 7.22.9
-  resolution: "@babel/generator@npm:7.22.9"
-  dependencies:
-    "@babel/types": ^7.22.5
-    "@jridgewell/gen-mapping": ^0.3.2
-    "@jridgewell/trace-mapping": ^0.3.17
-    jsesc: ^2.5.1
-  checksum: 7c9d2c58b8d5ac5e047421a6ab03ec2ff5d9a5ff2c2212130a0055e063ac349e0b19d435537d6886c999771aef394832e4f54cd9fc810100a7f23d982f6af06b
-  languageName: node
-  linkType: hard
-
-"@babel/helper-annotate-as-pure@npm:^7.12.13, @babel/helper-annotate-as-pure@npm:^7.16.0":
-  version: 7.16.0
-  resolution: "@babel/helper-annotate-as-pure@npm:7.16.0"
-  dependencies:
-    "@babel/types": ^7.16.0
-  checksum: 0db76106983e10ffc482c5f01e89c3b4687d2474bea69c44470b2acb6bd37f362f9057d6e69c617255390b5d0063d9932a931e83c3e130445b688ca1fcdb5bcd
-  languageName: node
-  linkType: hard
-
-"@babel/helper-annotate-as-pure@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/helper-annotate-as-pure@npm:7.16.7"
-  dependencies:
-    "@babel/types": ^7.16.7
-  checksum: d235be963fed5d48a8a4cfabc41c3f03fad6a947810dbcab9cebed7f819811457e10d99b4b2e942ad71baa7ee8e3cd3f5f38a4e4685639ddfddb7528d9a07179
-  languageName: node
-  linkType: hard
-
-"@babel/helper-annotate-as-pure@npm:^7.18.6":
-  version: 7.18.6
-  resolution: "@babel/helper-annotate-as-pure@npm:7.18.6"
-  dependencies:
-    "@babel/types": ^7.18.6
-  checksum: 88ccd15ced475ef2243fdd3b2916a29ea54c5db3cd0cfabf9d1d29ff6e63b7f7cd1c27264137d7a40ac2e978b9b9a542c332e78f40eb72abe737a7400788fc1b
-  languageName: node
-  linkType: hard
-
-"@babel/helper-annotate-as-pure@npm:^7.22.5":
-  version: 7.22.5
-  resolution: "@babel/helper-annotate-as-pure@npm:7.22.5"
-  dependencies:
-    "@babel/types": ^7.22.5
-  checksum: 53da330f1835c46f26b7bf4da31f7a496dee9fd8696cca12366b94ba19d97421ce519a74a837f687749318f94d1a37f8d1abcbf35e8ed22c32d16373b2f6198d
-  languageName: node
-  linkType: hard
-
-"@babel/helper-builder-binary-assignment-operator-visitor@npm:^7.16.0":
-  version: 7.16.0
-  resolution: "@babel/helper-builder-binary-assignment-operator-visitor@npm:7.16.0"
-  dependencies:
-    "@babel/helper-explode-assignable-expression": ^7.16.0
-    "@babel/types": ^7.16.0
-  checksum: 01beb9f3f2285b7b170cc167ec79b2fd657202cb25be9cb111951f94a04c97c5b446dd1498ede32f0052d67fc9f2f2ac2b7862351b364fe94f9b4de98488d863
-  languageName: node
-  linkType: hard
-
-"@babel/helper-builder-binary-assignment-operator-visitor@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/helper-builder-binary-assignment-operator-visitor@npm:7.16.7"
-  dependencies:
-    "@babel/helper-explode-assignable-expression": ^7.16.7
-    "@babel/types": ^7.16.7
-  checksum: 1784f19a57ecfafca8e5c2e0f3eac53451cb13a857cbe0ca0cd9670922228d099ef8c3dd8cd318e2d7bce316fdb2ece3e527c30f3ecd83706e37ab6beb0c60eb
-  languageName: node
-  linkType: hard
-
-"@babel/helper-compilation-targets@npm:^7.12.0, @babel/helper-compilation-targets@npm:^7.13.0, @babel/helper-compilation-targets@npm:^7.13.16, @babel/helper-compilation-targets@npm:^7.13.8, @babel/helper-compilation-targets@npm:^7.16.0":
-  version: 7.16.3
-  resolution: "@babel/helper-compilation-targets@npm:7.16.3"
-  dependencies:
-    "@babel/compat-data": ^7.16.0
-    "@babel/helper-validator-option": ^7.14.5
-    browserslist: ^4.17.5
-    semver: ^6.3.0
-  peerDependencies:
-    "@babel/core": ^7.0.0
-  checksum: 038bcd43ac914371c51bf6e72b5cedcae432f0d359285d74a9133c6a839bd625a7d5412d7471d50aa78a3e1c79b0a692b50a8d6a1299ebf69733b512ff199323
-  languageName: node
-  linkType: hard
-
-"@babel/helper-compilation-targets@npm:^7.16.7, @babel/helper-compilation-targets@npm:^7.17.7":
-  version: 7.17.7
-  resolution: "@babel/helper-compilation-targets@npm:7.17.7"
-  dependencies:
-    "@babel/compat-data": ^7.17.7
-    "@babel/helper-validator-option": ^7.16.7
-    browserslist: ^4.17.5
-    semver: ^6.3.0
-  peerDependencies:
-    "@babel/core": ^7.0.0
-  checksum: 24bf851539d5ec8e73779304b5d1ad5b0be09a74459ecc7d9baee9a0fa38ad016e9eaf4b5704504ae8da32f91ce0e31857bbbd9686854caeffd38f58226d3760
-  languageName: node
-  linkType: hard
-
-"@babel/helper-compilation-targets@npm:^7.17.10, @babel/helper-compilation-targets@npm:^7.18.2":
-  version: 7.18.2
-  resolution: "@babel/helper-compilation-targets@npm:7.18.2"
-  dependencies:
-    "@babel/compat-data": ^7.17.10
-    "@babel/helper-validator-option": ^7.16.7
-    browserslist: ^4.20.2
-    semver: ^6.3.0
-  peerDependencies:
-    "@babel/core": ^7.0.0
-  checksum: 4f02e79f20c0b3f8db5049ba8c35027c41ccb3fc7884835d04e49886538e0f55702959db1bb75213c94a5708fec2dc81a443047559a4f184abb884c72c0059b4
-  languageName: node
-  linkType: hard
-
-"@babel/helper-compilation-targets@npm:^7.19.0":
-  version: 7.19.0
-  resolution: "@babel/helper-compilation-targets@npm:7.19.0"
-  dependencies:
-    "@babel/compat-data": ^7.19.0
-    "@babel/helper-validator-option": ^7.18.6
-    browserslist: ^4.20.2
-    semver: ^6.3.0
-  peerDependencies:
-    "@babel/core": ^7.0.0
-  checksum: 5f1be9811d53a5e43eb4b9b402517dec79bfa3a55e9fbc131a106914a78b435bc08a4b35591e424665c36c2c1eceb864ec2ca2c2f3dcf240a1551a28530428f9
-  languageName: node
-  linkType: hard
-
-"@babel/helper-compilation-targets@npm:^7.22.9":
-  version: 7.22.9
-  resolution: "@babel/helper-compilation-targets@npm:7.22.9"
-  dependencies:
-    "@babel/compat-data": ^7.22.9
-    "@babel/helper-validator-option": ^7.22.5
-    browserslist: ^4.21.9
-    lru-cache: ^5.1.1
-    semver: ^6.3.1
-  peerDependencies:
-    "@babel/core": ^7.0.0
-  checksum: ea0006c6a93759025f4a35a25228ae260538c9f15023e8aac2a6d45ca68aef4cf86cfc429b19af9a402cbdd54d5de74ad3fbcf6baa7e48184dc079f1a791e178
-  languageName: node
-  linkType: hard
-
-"@babel/helper-create-class-features-plugin@npm:^7.13.0, @babel/helper-create-class-features-plugin@npm:^7.16.0, @babel/helper-create-class-features-plugin@npm:^7.8.3":
-  version: 7.16.0
-  resolution: "@babel/helper-create-class-features-plugin@npm:7.16.0"
-  dependencies:
-    "@babel/helper-annotate-as-pure": ^7.16.0
-    "@babel/helper-function-name": ^7.16.0
-    "@babel/helper-member-expression-to-functions": ^7.16.0
-    "@babel/helper-optimise-call-expression": ^7.16.0
-    "@babel/helper-replace-supers": ^7.16.0
-    "@babel/helper-split-export-declaration": ^7.16.0
-  peerDependencies:
-    "@babel/core": ^7.0.0
-  checksum: 0f7d1b8d413e5fbd719c95e22e3b59749b4c6c652f20e0fa1fa954112145a134c22709f1325574632d7262aeeeaaf4fc7c2eb8117e0d521e42b36d05c3e5a885
-  languageName: node
-  linkType: hard
-
-"@babel/helper-create-class-features-plugin@npm:^7.16.10, @babel/helper-create-class-features-plugin@npm:^7.16.7, @babel/helper-create-class-features-plugin@npm:^7.17.6":
-  version: 7.17.6
-  resolution: "@babel/helper-create-class-features-plugin@npm:7.17.6"
-  dependencies:
-    "@babel/helper-annotate-as-pure": ^7.16.7
-    "@babel/helper-environment-visitor": ^7.16.7
-    "@babel/helper-function-name": ^7.16.7
-    "@babel/helper-member-expression-to-functions": ^7.16.7
-    "@babel/helper-optimise-call-expression": ^7.16.7
-    "@babel/helper-replace-supers": ^7.16.7
-    "@babel/helper-split-export-declaration": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0
-  checksum: d85a5b3f9a18a661372d77462e6ea2a6a03f1083f8b3055ed165284214af9ea6ad677f6bcc4b5ce215da27f95fa93064580d4b6723b578c480ecf17dd31a4307
-  languageName: node
-  linkType: hard
-
-"@babel/helper-create-class-features-plugin@npm:^7.17.12, @babel/helper-create-class-features-plugin@npm:^7.18.0":
-  version: 7.18.0
-  resolution: "@babel/helper-create-class-features-plugin@npm:7.18.0"
-  dependencies:
-    "@babel/helper-annotate-as-pure": ^7.16.7
-    "@babel/helper-environment-visitor": ^7.16.7
-    "@babel/helper-function-name": ^7.17.9
-    "@babel/helper-member-expression-to-functions": ^7.17.7
-    "@babel/helper-optimise-call-expression": ^7.16.7
-    "@babel/helper-replace-supers": ^7.16.7
-    "@babel/helper-split-export-declaration": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0
-  checksum: 9a6ef175350f1cf87abe7a738e8c9b603da7fcdb153c74e49af509183f8705278020baddb62a12c7f9ca059487fef97d75a4adea6a1446598ad9901d010e4296
-  languageName: node
-  linkType: hard
-
-"@babel/helper-create-class-features-plugin@npm:^7.19.0":
-  version: 7.19.0
-  resolution: "@babel/helper-create-class-features-plugin@npm:7.19.0"
-  dependencies:
-    "@babel/helper-annotate-as-pure": ^7.18.6
-    "@babel/helper-environment-visitor": ^7.18.9
-    "@babel/helper-function-name": ^7.19.0
-    "@babel/helper-member-expression-to-functions": ^7.18.9
-    "@babel/helper-optimise-call-expression": ^7.18.6
-    "@babel/helper-replace-supers": ^7.18.9
-    "@babel/helper-split-export-declaration": ^7.18.6
-  peerDependencies:
-    "@babel/core": ^7.0.0
-  checksum: f0c6fb77b6f113d70f308e7093f60dd465b697818badf5df0519d8dd12b6bfb1f4ad300b923207ce9f9c1c940ef58bff12ac4270c0863eadf9e303b7dd6d01b6
-  languageName: node
-  linkType: hard
-
-"@babel/helper-create-class-features-plugin@npm:^7.22.6":
-  version: 7.22.9
-  resolution: "@babel/helper-create-class-features-plugin@npm:7.22.9"
-  dependencies:
-    "@babel/helper-annotate-as-pure": ^7.22.5
-    "@babel/helper-environment-visitor": ^7.22.5
-    "@babel/helper-function-name": ^7.22.5
-    "@babel/helper-member-expression-to-functions": ^7.22.5
-    "@babel/helper-optimise-call-expression": ^7.22.5
-    "@babel/helper-replace-supers": ^7.22.9
-    "@babel/helper-skip-transparent-expression-wrappers": ^7.22.5
-    "@babel/helper-split-export-declaration": ^7.22.6
-    semver: ^6.3.1
-  peerDependencies:
-    "@babel/core": ^7.0.0
-  checksum: 6c2436d1a5a3f1ff24628d78fa8c6d3120c40285aa3eda7815b1adbf8c5951e0dd73d368cf845825888fa3dc2f207dadce53309825598d7c67953e5ed9dd51d2
-  languageName: node
-  linkType: hard
-
-"@babel/helper-create-class-features-plugin@npm:^7.5.5":
-  version: 7.14.0
-  resolution: "@babel/helper-create-class-features-plugin@npm:7.14.0"
-  dependencies:
-    "@babel/helper-annotate-as-pure": ^7.12.13
-    "@babel/helper-function-name": ^7.12.13
-    "@babel/helper-member-expression-to-functions": ^7.13.12
-    "@babel/helper-optimise-call-expression": ^7.12.13
-    "@babel/helper-replace-supers": ^7.13.12
-    "@babel/helper-split-export-declaration": ^7.12.13
-  peerDependencies:
-    "@babel/core": ^7.0.0
-  checksum: 8ef001212b06c4a1958249ec447f6a0993d928ace882cf509fcde8b4deb66673588a11ff53572b3ed55bf46982d012225ff8db9df65d0315af33d7ebfe21b740
-  languageName: node
-  linkType: hard
-
-"@babel/helper-create-regexp-features-plugin@npm:^7.16.0":
-  version: 7.16.0
-  resolution: "@babel/helper-create-regexp-features-plugin@npm:7.16.0"
-  dependencies:
-    "@babel/helper-annotate-as-pure": ^7.16.0
-    regexpu-core: ^4.7.1
-  peerDependencies:
-    "@babel/core": ^7.0.0
-  checksum: d6230477e1997ed1fa0aee9ab34d3ce96400e0df25101879fdaf90ea613adec68ec06a609d8c78787c02a6275ef5a7403a38aa8fd42fef1a4d27bcfe577c81d6
-  languageName: node
-  linkType: hard
-
-"@babel/helper-create-regexp-features-plugin@npm:^7.16.7":
-  version: 7.17.0
-  resolution: "@babel/helper-create-regexp-features-plugin@npm:7.17.0"
-  dependencies:
-    "@babel/helper-annotate-as-pure": ^7.16.7
-    regexpu-core: ^5.0.1
-  peerDependencies:
-    "@babel/core": ^7.0.0
-  checksum: eb66d9241544c705e9ce96d2d122b595ef52d926e6e031653e09af8a01050bd9d7e7fee168bf33a863342774d7d6a8cc7e8e9e5a45b955e9c01121c7a2d51708
-  languageName: node
-  linkType: hard
-
-"@babel/helper-create-regexp-features-plugin@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/helper-create-regexp-features-plugin@npm:7.17.12"
-  dependencies:
-    "@babel/helper-annotate-as-pure": ^7.16.7
-    regexpu-core: ^5.0.1
-  peerDependencies:
-    "@babel/core": ^7.0.0
-  checksum: fe49d26b0f6c58d4c1748a4d0e98b343882b428e6db43c4ba5e0aa7ff2296b3a557f0a88de9f000599bb95640a6c47c0b0c9a952b58c11f61aabb06bcc304329
-  languageName: node
-  linkType: hard
-
-"@babel/helper-define-polyfill-provider@npm:^0.2.2":
-  version: 0.2.3
-  resolution: "@babel/helper-define-polyfill-provider@npm:0.2.3"
-  dependencies:
-    "@babel/helper-compilation-targets": ^7.13.0
-    "@babel/helper-module-imports": ^7.12.13
-    "@babel/helper-plugin-utils": ^7.13.0
-    "@babel/traverse": ^7.13.0
-    debug: ^4.1.1
-    lodash.debounce: ^4.0.8
-    resolve: ^1.14.2
-    semver: ^6.1.2
-  peerDependencies:
-    "@babel/core": ^7.4.0-0
-  checksum: 797699fe870e45bdbc7c4128963427f7d6240609b700b3f2c0a2f2f187e5f848ba704bcfe58d7d91796cabc5001fae01746b3efda113beb5b5b824927cf59fdb
-  languageName: node
-  linkType: hard
-
-"@babel/helper-define-polyfill-provider@npm:^0.2.4":
-  version: 0.2.4
-  resolution: "@babel/helper-define-polyfill-provider@npm:0.2.4"
-  dependencies:
-    "@babel/helper-compilation-targets": ^7.13.0
-    "@babel/helper-module-imports": ^7.12.13
-    "@babel/helper-plugin-utils": ^7.13.0
-    "@babel/traverse": ^7.13.0
-    debug: ^4.1.1
-    lodash.debounce: ^4.0.8
-    resolve: ^1.14.2
-    semver: ^6.1.2
-  peerDependencies:
-    "@babel/core": ^7.4.0-0
-  checksum: 0b81df2fe8d4e7af1f0ed0f9c83bdb0fc1978e2cb2d4b5421dad7ee4afda79044d61de5b06026164ef52ee1afa59a15ee99bc7e532ad2b8a4bbe4341d3fa6b05
-  languageName: node
-  linkType: hard
-
-"@babel/helper-define-polyfill-provider@npm:^0.3.0":
-  version: 0.3.0
-  resolution: "@babel/helper-define-polyfill-provider@npm:0.3.0"
-  dependencies:
-    "@babel/helper-compilation-targets": ^7.13.0
-    "@babel/helper-module-imports": ^7.12.13
-    "@babel/helper-plugin-utils": ^7.13.0
-    "@babel/traverse": ^7.13.0
-    debug: ^4.1.1
-    lodash.debounce: ^4.0.8
-    resolve: ^1.14.2
-    semver: ^6.1.2
-  peerDependencies:
-    "@babel/core": ^7.4.0-0
-  checksum: 372378ac4235c4fe135f1cd6d0f63697e7cb3ef63a884eb14f4b439984846bcaec0b7a32cf8df6756a21557ae3ebb3c2ee18d9a191260705a583333e5e60df7c
-  languageName: node
-  linkType: hard
-
-"@babel/helper-define-polyfill-provider@npm:^0.3.1":
-  version: 0.3.1
-  resolution: "@babel/helper-define-polyfill-provider@npm:0.3.1"
-  dependencies:
-    "@babel/helper-compilation-targets": ^7.13.0
-    "@babel/helper-module-imports": ^7.12.13
-    "@babel/helper-plugin-utils": ^7.13.0
-    "@babel/traverse": ^7.13.0
-    debug: ^4.1.1
-    lodash.debounce: ^4.0.8
-    resolve: ^1.14.2
-    semver: ^6.1.2
-  peerDependencies:
-    "@babel/core": ^7.4.0-0
-  checksum: e3e93cb22febfc0449a210cdafb278e5e1a038af2ca2b02f5dee71c7a49e8ba26e469d631ee11a4243885961a62bb2e5b0a4deb3ec1d7918a33c953d05c3e584
-  languageName: node
-  linkType: hard
-
-"@babel/helper-environment-visitor@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/helper-environment-visitor@npm:7.16.7"
-  dependencies:
-    "@babel/types": ^7.16.7
-  checksum: c03a10105d9ebd1fe632a77356b2e6e2f3c44edba9a93b0dc3591b6a66bd7a2e323dd9502f9ce96fc6401234abff1907aa877b6674f7826b61c953f7c8204bbe
-  languageName: node
-  linkType: hard
-
-"@babel/helper-environment-visitor@npm:^7.18.2":
-  version: 7.18.2
-  resolution: "@babel/helper-environment-visitor@npm:7.18.2"
-  checksum: 1a9c8726fad454a082d077952a90f17188e92eabb3de236cb4782c49b39e3f69c327e272b965e9a20ff8abf37d30d03ffa6fd7974625a6c23946f70f7527f5e9
-  languageName: node
-  linkType: hard
-
-"@babel/helper-environment-visitor@npm:^7.18.9":
-  version: 7.18.9
-  resolution: "@babel/helper-environment-visitor@npm:7.18.9"
-  checksum: b25101f6162ddca2d12da73942c08ad203d7668e06663df685634a8fde54a98bc015f6f62938e8554457a592a024108d45b8f3e651fd6dcdb877275b73cc4420
-  languageName: node
-  linkType: hard
-
-"@babel/helper-environment-visitor@npm:^7.22.5":
-  version: 7.22.5
-  resolution: "@babel/helper-environment-visitor@npm:7.22.5"
-  checksum: 248532077d732a34cd0844eb7b078ff917c3a8ec81a7f133593f71a860a582f05b60f818dc5049c2212e5baa12289c27889a4b81d56ef409b4863db49646c4b1
-  languageName: node
-  linkType: hard
-
-"@babel/helper-explode-assignable-expression@npm:^7.16.0":
-  version: 7.16.0
-  resolution: "@babel/helper-explode-assignable-expression@npm:7.16.0"
-  dependencies:
-    "@babel/types": ^7.16.0
-  checksum: 563352b5e9b0b9584187176723ea65ea6ac9348d612c2bdc76701634eae445fd05d18f7b7555f5c6bbe4ec4d9d30172633a56bf4cfbb1333b798f58444057652
-  languageName: node
-  linkType: hard
-
-"@babel/helper-explode-assignable-expression@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/helper-explode-assignable-expression@npm:7.16.7"
-  dependencies:
-    "@babel/types": ^7.16.7
-  checksum: ea2135ba36da6a2be059ebc8f10fbbb291eb0e312da54c55c6f50f9cbd8601e2406ec497c5e985f7c07a97f31b3bef9b2be8df53f1d53b974043eaf74fe54bbc
-  languageName: node
-  linkType: hard
-
-"@babel/helper-function-name@npm:^7.12.13, @babel/helper-function-name@npm:^7.16.0":
-  version: 7.16.0
-  resolution: "@babel/helper-function-name@npm:7.16.0"
-  dependencies:
-    "@babel/helper-get-function-arity": ^7.16.0
-    "@babel/template": ^7.16.0
-    "@babel/types": ^7.16.0
-  checksum: 8c02371d28678f3bb492e69d4635b2fe6b1c5a93ce129bf883f1fafde2005f4dbc0e643f52103ca558b698c0774bfb84a93f188d71db1c077f754b6220629b92
-  languageName: node
-  linkType: hard
-
-"@babel/helper-function-name@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/helper-function-name@npm:7.16.7"
-  dependencies:
-    "@babel/helper-get-function-arity": ^7.16.7
-    "@babel/template": ^7.16.7
-    "@babel/types": ^7.16.7
-  checksum: fc77cbe7b10cfa2a262d7a37dca575c037f20419dfe0c5d9317f589599ca24beb5f5c1057748011159149eaec47fe32338c6c6412376fcded68200df470161e1
-  languageName: node
-  linkType: hard
-
-"@babel/helper-function-name@npm:^7.17.9":
-  version: 7.17.9
-  resolution: "@babel/helper-function-name@npm:7.17.9"
-  dependencies:
-    "@babel/template": ^7.16.7
-    "@babel/types": ^7.17.0
-  checksum: a59b2e5af56d8f43b9b0019939a43774754beb7cb01a211809ca8031c71890999d07739e955343135ec566c4d8ff725435f1f60fb0af3bb546837c1f9f84f496
-  languageName: node
-  linkType: hard
-
-"@babel/helper-function-name@npm:^7.19.0":
-  version: 7.19.0
-  resolution: "@babel/helper-function-name@npm:7.19.0"
-  dependencies:
-    "@babel/template": ^7.18.10
-    "@babel/types": ^7.19.0
-  checksum: eac1f5db428ba546270c2b8d750c24eb528b8fcfe50c81de2e0bdebf0e20f24bec688d4331533b782e4a907fad435244621ca2193cfcf80a86731299840e0f6e
-  languageName: node
-  linkType: hard
-
-"@babel/helper-function-name@npm:^7.22.5":
-  version: 7.22.5
-  resolution: "@babel/helper-function-name@npm:7.22.5"
-  dependencies:
-    "@babel/template": ^7.22.5
-    "@babel/types": ^7.22.5
-  checksum: 6b1f6ce1b1f4e513bf2c8385a557ea0dd7fa37971b9002ad19268ca4384bbe90c09681fe4c076013f33deabc63a53b341ed91e792de741b4b35e01c00238177a
-  languageName: node
-  linkType: hard
-
-"@babel/helper-get-function-arity@npm:^7.16.0":
-  version: 7.16.0
-  resolution: "@babel/helper-get-function-arity@npm:7.16.0"
-  dependencies:
-    "@babel/types": ^7.16.0
-  checksum: 1a68322c7b5fdffb1b51df32f7a53b1ff2268b5b99d698f0a1a426dcb355482a44ef3dae982a507907ba975314638dabb6d77ac1778098bdbe99707e6c29cae8
-  languageName: node
-  linkType: hard
-
-"@babel/helper-get-function-arity@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/helper-get-function-arity@npm:7.16.7"
-  dependencies:
-    "@babel/types": ^7.16.7
-  checksum: 25d969fb207ff2ad5f57a90d118f6c42d56a0171022e200aaa919ba7dc95ae7f92ec71cdea6c63ef3629a0dc962ab4c78e09ca2b437185ab44539193f796e0c3
-  languageName: node
-  linkType: hard
-
-"@babel/helper-hoist-variables@npm:^7.16.0":
-  version: 7.16.0
-  resolution: "@babel/helper-hoist-variables@npm:7.16.0"
-  dependencies:
-    "@babel/types": ^7.16.0
-  checksum: 2ee5b400c267c209a53c90eea406a8f09c30d4d7a2b13e304289d858a2e34a99272c062cfad6dad63705662943951c42ff20042ef539b2d3c4f8743183a28954
-  languageName: node
-  linkType: hard
-
-"@babel/helper-hoist-variables@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/helper-hoist-variables@npm:7.16.7"
-  dependencies:
-    "@babel/types": ^7.16.7
-  checksum: 6ae1641f4a751cd9045346e3f61c3d9ec1312fd779ab6d6fecfe2a96e59a481ad5d7e40d2a840894c13b3fd6114345b157f9e3062fc5f1580f284636e722de60
-  languageName: node
-  linkType: hard
-
-"@babel/helper-hoist-variables@npm:^7.18.6":
-  version: 7.18.6
-  resolution: "@babel/helper-hoist-variables@npm:7.18.6"
-  dependencies:
-    "@babel/types": ^7.18.6
-  checksum: fd9c35bb435fda802bf9ff7b6f2df06308a21277c6dec2120a35b09f9de68f68a33972e2c15505c1a1a04b36ec64c9ace97d4a9e26d6097b76b4396b7c5fa20f
-  languageName: node
-  linkType: hard
-
-"@babel/helper-hoist-variables@npm:^7.22.5":
-  version: 7.22.5
-  resolution: "@babel/helper-hoist-variables@npm:7.22.5"
-  dependencies:
-    "@babel/types": ^7.22.5
-  checksum: 394ca191b4ac908a76e7c50ab52102669efe3a1c277033e49467913c7ed6f7c64d7eacbeabf3bed39ea1f41731e22993f763b1edce0f74ff8563fd1f380d92cc
-  languageName: node
-  linkType: hard
-
-"@babel/helper-member-expression-to-functions@npm:^7.13.12, @babel/helper-member-expression-to-functions@npm:^7.16.0":
-  version: 7.16.0
-  resolution: "@babel/helper-member-expression-to-functions@npm:7.16.0"
-  dependencies:
-    "@babel/types": ^7.16.0
-  checksum: 58ef8e3a4af0c1dc43a2011f43f25502877ac1c5aa9a4a6586f0265ab857b65831f60560044bc9380df43c91ac21cad39a84095b91764b433d1acf18d27e38d6
-  languageName: node
-  linkType: hard
-
-"@babel/helper-member-expression-to-functions@npm:^7.16.7, @babel/helper-member-expression-to-functions@npm:^7.17.7":
-  version: 7.17.7
-  resolution: "@babel/helper-member-expression-to-functions@npm:7.17.7"
-  dependencies:
-    "@babel/types": ^7.17.0
-  checksum: 70f361bab627396c714c3938e94a569cb0da522179328477cdbc4318e4003c2666387ad4931d6bd5de103338c667c9e4bbe3e917fc8c527b3f3eb6175b888b7d
-  languageName: node
-  linkType: hard
-
-"@babel/helper-member-expression-to-functions@npm:^7.18.9":
-  version: 7.18.9
-  resolution: "@babel/helper-member-expression-to-functions@npm:7.18.9"
-  dependencies:
-    "@babel/types": ^7.18.9
-  checksum: fcf8184e3b55051c4286b2cbedf0eccc781d0f3c9b5cbaba582eca19bf0e8d87806cdb7efc8554fcb969ceaf2b187d5ea748d40022d06ec7739fbb18c1b19a7a
-  languageName: node
-  linkType: hard
-
-"@babel/helper-member-expression-to-functions@npm:^7.22.5":
-  version: 7.22.5
-  resolution: "@babel/helper-member-expression-to-functions@npm:7.22.5"
-  dependencies:
-    "@babel/types": ^7.22.5
-  checksum: 4bd5791529c280c00743e8bdc669ef0d4cd1620d6e3d35e0d42b862f8262bc2364973e5968007f960780344c539a4b9cf92ab41f5b4f94560a9620f536de2a39
-  languageName: node
-  linkType: hard
-
-"@babel/helper-module-imports@npm:^7.12.13, @babel/helper-module-imports@npm:^7.13.12, @babel/helper-module-imports@npm:^7.16.0":
-  version: 7.16.0
-  resolution: "@babel/helper-module-imports@npm:7.16.0"
-  dependencies:
-    "@babel/types": ^7.16.0
-  checksum: 8e1eb9ac39440e52080b87c78d8d318e7c93658bdd0f3ce0019c908de88cbddafdc241f392898c0b0ba81fc52c8c6d2f9cc1b163ac5ed2a474d49b11646b7516
-  languageName: node
-  linkType: hard
-
-"@babel/helper-module-imports@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/helper-module-imports@npm:7.16.7"
-  dependencies:
-    "@babel/types": ^7.16.7
-  checksum: ddd2c4a600a2e9a4fee192ab92bf35a627c5461dbab4af31b903d9ba4d6b6e59e0ff3499fde4e2e9a0eebe24906f00b636f8b4d9bd72ff24d50e6618215c3212
-  languageName: node
-  linkType: hard
-
-"@babel/helper-module-imports@npm:^7.18.6":
-  version: 7.18.6
-  resolution: "@babel/helper-module-imports@npm:7.18.6"
-  dependencies:
-    "@babel/types": ^7.18.6
-  checksum: f393f8a3b3304b1b7a288a38c10989de754f01d29caf62ce7c4e5835daf0a27b81f3ac687d9d2780d39685aae7b55267324b512150e7b2be967b0c493b6a1def
-  languageName: node
-  linkType: hard
-
-"@babel/helper-module-imports@npm:^7.22.5":
-  version: 7.22.5
-  resolution: "@babel/helper-module-imports@npm:7.22.5"
-  dependencies:
-    "@babel/types": ^7.22.5
-  checksum: 9ac2b0404fa38b80bdf2653fbeaf8e8a43ccb41bd505f9741d820ed95d3c4e037c62a1bcdcb6c9527d7798d2e595924c4d025daed73283badc180ada2c9c49ad
-  languageName: node
-  linkType: hard
-
-"@babel/helper-module-transforms@npm:^7.14.0, @babel/helper-module-transforms@npm:^7.16.0":
-  version: 7.16.0
-  resolution: "@babel/helper-module-transforms@npm:7.16.0"
-  dependencies:
-    "@babel/helper-module-imports": ^7.16.0
-    "@babel/helper-replace-supers": ^7.16.0
-    "@babel/helper-simple-access": ^7.16.0
-    "@babel/helper-split-export-declaration": ^7.16.0
-    "@babel/helper-validator-identifier": ^7.15.7
-    "@babel/template": ^7.16.0
-    "@babel/traverse": ^7.16.0
-    "@babel/types": ^7.16.0
-  checksum: a3d0e5556f26ebdf2ae422af3b9a1ba1848fead891f46bcd1c6a4be88ad8e9f348140f81d1843a3481574be1643a9c79b01469231f5b5801f5d5e691efdd11f3
-  languageName: node
-  linkType: hard
-
-"@babel/helper-module-transforms@npm:^7.16.7, @babel/helper-module-transforms@npm:^7.17.7":
-  version: 7.17.7
-  resolution: "@babel/helper-module-transforms@npm:7.17.7"
-  dependencies:
-    "@babel/helper-environment-visitor": ^7.16.7
-    "@babel/helper-module-imports": ^7.16.7
-    "@babel/helper-simple-access": ^7.17.7
-    "@babel/helper-split-export-declaration": ^7.16.7
-    "@babel/helper-validator-identifier": ^7.16.7
-    "@babel/template": ^7.16.7
-    "@babel/traverse": ^7.17.3
-    "@babel/types": ^7.17.0
-  checksum: 0b8f023aa7ff82dc4864349d54c4557865ad8ba54d78f6d78a86b05ca40f65c2d60acb4a54c5c309e7a4356beb9a89b876e54af4b3c4801ad25f62ec3721f0ae
-  languageName: node
-  linkType: hard
-
-"@babel/helper-module-transforms@npm:^7.18.0":
-  version: 7.18.0
-  resolution: "@babel/helper-module-transforms@npm:7.18.0"
-  dependencies:
-    "@babel/helper-environment-visitor": ^7.16.7
-    "@babel/helper-module-imports": ^7.16.7
-    "@babel/helper-simple-access": ^7.17.7
-    "@babel/helper-split-export-declaration": ^7.16.7
-    "@babel/helper-validator-identifier": ^7.16.7
-    "@babel/template": ^7.16.7
-    "@babel/traverse": ^7.18.0
-    "@babel/types": ^7.18.0
-  checksum: 824c3967c08d75bb36adc18c31dcafebcd495b75b723e2e17c6185e88daf5c6db62a6a75d9f791b5f38618a349e7cb32503e715a1b9a4e8bad4d0f43e3e6b523
-  languageName: node
-  linkType: hard
-
-"@babel/helper-module-transforms@npm:^7.19.0":
-  version: 7.19.0
-  resolution: "@babel/helper-module-transforms@npm:7.19.0"
-  dependencies:
-    "@babel/helper-environment-visitor": ^7.18.9
-    "@babel/helper-module-imports": ^7.18.6
-    "@babel/helper-simple-access": ^7.18.6
-    "@babel/helper-split-export-declaration": ^7.18.6
-    "@babel/helper-validator-identifier": ^7.18.6
-    "@babel/template": ^7.18.10
-    "@babel/traverse": ^7.19.0
-    "@babel/types": ^7.19.0
-  checksum: 4483276c66f56cf3b5b063634092ad9438c2593725de5c143ba277dda82f1501e6d73b311c1b28036f181dbe36eaeff29f24726cde37a599d4e735af294e5359
-  languageName: node
-  linkType: hard
-
-"@babel/helper-module-transforms@npm:^7.22.5, @babel/helper-module-transforms@npm:^7.22.9":
-  version: 7.22.9
-  resolution: "@babel/helper-module-transforms@npm:7.22.9"
-  dependencies:
-    "@babel/helper-environment-visitor": ^7.22.5
-    "@babel/helper-module-imports": ^7.22.5
-    "@babel/helper-simple-access": ^7.22.5
-    "@babel/helper-split-export-declaration": ^7.22.6
-    "@babel/helper-validator-identifier": ^7.22.5
-  peerDependencies:
-    "@babel/core": ^7.0.0
-  checksum: 2751f77660518cf4ff027514d6f4794f04598c6393be7b04b8e46c6e21606e11c19f3f57ab6129a9c21bacdf8b3ffe3af87bb401d972f34af2d0ffde02ac3001
-  languageName: node
-  linkType: hard
-
-"@babel/helper-optimise-call-expression@npm:^7.12.13, @babel/helper-optimise-call-expression@npm:^7.16.0":
-  version: 7.16.0
-  resolution: "@babel/helper-optimise-call-expression@npm:7.16.0"
-  dependencies:
-    "@babel/types": ^7.16.0
-  checksum: 121ae6054fcec76ed2c4dd83f0281b901c1e3cfac1bbff79adc3667983903ad1030a0ad9a8bea58e52b225e13881cf316f371c65276976e7a6762758a98be8f6
-  languageName: node
-  linkType: hard
-
-"@babel/helper-optimise-call-expression@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/helper-optimise-call-expression@npm:7.16.7"
-  dependencies:
-    "@babel/types": ^7.16.7
-  checksum: 925feb877d5a30a71db56e2be498b3abbd513831311c0188850896c4c1ada865eea795dce5251a1539b0f883ef82493f057f84286dd01abccc4736acfafe15ea
-  languageName: node
-  linkType: hard
-
-"@babel/helper-optimise-call-expression@npm:^7.18.6":
-  version: 7.18.6
-  resolution: "@babel/helper-optimise-call-expression@npm:7.18.6"
-  dependencies:
-    "@babel/types": ^7.18.6
-  checksum: e518fe8418571405e21644cfb39cf694f30b6c47b10b006609a92469ae8b8775cbff56f0b19732343e2ea910641091c5a2dc73b56ceba04e116a33b0f8bd2fbd
-  languageName: node
-  linkType: hard
-
-"@babel/helper-optimise-call-expression@npm:^7.22.5":
-  version: 7.22.5
-  resolution: "@babel/helper-optimise-call-expression@npm:7.22.5"
-  dependencies:
-    "@babel/types": ^7.22.5
-  checksum: c70ef6cc6b6ed32eeeec4482127e8be5451d0e5282d5495d5d569d39eb04d7f1d66ec99b327f45d1d5842a9ad8c22d48567e93fc502003a47de78d122e355f7c
-  languageName: node
-  linkType: hard
-
-"@babel/helper-plugin-utils@npm:^7.0.0, @babel/helper-plugin-utils@npm:^7.10.4, @babel/helper-plugin-utils@npm:^7.12.13, @babel/helper-plugin-utils@npm:^7.13.0, @babel/helper-plugin-utils@npm:^7.14.5, @babel/helper-plugin-utils@npm:^7.8.0, @babel/helper-plugin-utils@npm:^7.8.3":
-  version: 7.14.5
-  resolution: "@babel/helper-plugin-utils@npm:7.14.5"
-  checksum: fe20e90a24d02770a60ebe80ab9f0dfd7258503cea8006c71709ac9af1aa3e47b0de569499673f11ea6c99597f8c0e4880ae1d505986e61101b69716820972fe
-  languageName: node
-  linkType: hard
-
-"@babel/helper-plugin-utils@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/helper-plugin-utils@npm:7.16.7"
-  checksum: d08dd86554a186c2538547cd537552e4029f704994a9201d41d82015c10ed7f58f9036e8d1527c3760f042409163269d308b0b3706589039c5f1884619c6d4ce
-  languageName: node
-  linkType: hard
-
-"@babel/helper-plugin-utils@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/helper-plugin-utils@npm:7.17.12"
-  checksum: 4813cf0ddb0f143de032cb88d4207024a2334951db330f8216d6fa253ea320c02c9b2667429ef1a34b5e95d4cfbd085f6cb72d418999751c31d0baf2422cc61d
-  languageName: node
-  linkType: hard
-
-"@babel/helper-plugin-utils@npm:^7.18.6, @babel/helper-plugin-utils@npm:^7.19.0":
-  version: 7.19.0
-  resolution: "@babel/helper-plugin-utils@npm:7.19.0"
-  checksum: eedc996c633c8c207921c26ec2989eae0976336ecd9b9f1ac526498f52b5d136f7cd03c32b6fdf8d46a426f907c142de28592f383c42e5fba1e904cbffa05345
-  languageName: node
-  linkType: hard
-
-"@babel/helper-plugin-utils@npm:^7.22.5":
-  version: 7.22.5
-  resolution: "@babel/helper-plugin-utils@npm:7.22.5"
-  checksum: c0fc7227076b6041acd2f0e818145d2e8c41968cc52fb5ca70eed48e21b8fe6dd88a0a91cbddf4951e33647336eb5ae184747ca706817ca3bef5e9e905151ff5
-  languageName: node
-  linkType: hard
-
-"@babel/helper-remap-async-to-generator@npm:^7.16.0, @babel/helper-remap-async-to-generator@npm:^7.16.4":
-  version: 7.16.4
-  resolution: "@babel/helper-remap-async-to-generator@npm:7.16.4"
-  dependencies:
-    "@babel/helper-annotate-as-pure": ^7.16.0
-    "@babel/helper-wrap-function": ^7.16.0
-    "@babel/types": ^7.16.0
-  checksum: debe997695fe2c11813e88b2fa4afc89d4543f72457dda00c7296a728cd5eeb81d4ef8607a5fef7823da410a8579407c631a430e5bfc78290172ff6fc430355c
-  languageName: node
-  linkType: hard
-
-"@babel/helper-remap-async-to-generator@npm:^7.16.8":
-  version: 7.16.8
-  resolution: "@babel/helper-remap-async-to-generator@npm:7.16.8"
-  dependencies:
-    "@babel/helper-annotate-as-pure": ^7.16.7
-    "@babel/helper-wrap-function": ^7.16.8
-    "@babel/types": ^7.16.8
-  checksum: 29282ee36872130085ca111539725abbf20210c2a1d674bee77f338a57c093c3154108d03a275f602e471f583bd2c7ae10d05534f87cbc22b95524fe2b569488
-  languageName: node
-  linkType: hard
-
-"@babel/helper-replace-supers@npm:^7.13.12, @babel/helper-replace-supers@npm:^7.16.0":
-  version: 7.16.0
-  resolution: "@babel/helper-replace-supers@npm:7.16.0"
-  dependencies:
-    "@babel/helper-member-expression-to-functions": ^7.16.0
-    "@babel/helper-optimise-call-expression": ^7.16.0
-    "@babel/traverse": ^7.16.0
-    "@babel/types": ^7.16.0
-  checksum: 61f04bbe05ff0987d5a8d5253cb101d47004a27951d6c5cd95457e30fcb3adaca85f0bcaa7f31f4d934f22386b935ac7281398c68982d4a4768769d95c028460
-  languageName: node
-  linkType: hard
-
-"@babel/helper-replace-supers@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/helper-replace-supers@npm:7.16.7"
-  dependencies:
-    "@babel/helper-environment-visitor": ^7.16.7
-    "@babel/helper-member-expression-to-functions": ^7.16.7
-    "@babel/helper-optimise-call-expression": ^7.16.7
-    "@babel/traverse": ^7.16.7
-    "@babel/types": ^7.16.7
-  checksum: e5c0b6eb3dad8410a6255f93b580dde9b3c1564646c6ef751de59d5b2a65b5caa80cc9e568155f04bbae895ad0f54305c2e833dbd971a4f641f970c90b3d892b
-  languageName: node
-  linkType: hard
-
-"@babel/helper-replace-supers@npm:^7.18.2":
-  version: 7.18.2
-  resolution: "@babel/helper-replace-supers@npm:7.18.2"
-  dependencies:
-    "@babel/helper-environment-visitor": ^7.18.2
-    "@babel/helper-member-expression-to-functions": ^7.17.7
-    "@babel/helper-optimise-call-expression": ^7.16.7
-    "@babel/traverse": ^7.18.2
-    "@babel/types": ^7.18.2
-  checksum: c0083b7933672dd2aed50b79021c46401c83f41bc2132def19c5414cf8f944251f6d91dd959b2bedada9a7436a80fab629adb486e008566290c82293e89fec05
-  languageName: node
-  linkType: hard
-
-"@babel/helper-replace-supers@npm:^7.18.9":
-  version: 7.18.9
-  resolution: "@babel/helper-replace-supers@npm:7.18.9"
-  dependencies:
-    "@babel/helper-environment-visitor": ^7.18.9
-    "@babel/helper-member-expression-to-functions": ^7.18.9
-    "@babel/helper-optimise-call-expression": ^7.18.6
-    "@babel/traverse": ^7.18.9
-    "@babel/types": ^7.18.9
-  checksum: 2de8b29cc4bfa4e241da2de16abd5571709f6eb394206dc16e3a7816976d1691635dd4bc930881e9d798f44b48a5f1849dc7f51a62946f3e8270452be1ec5352
-  languageName: node
-  linkType: hard
-
-"@babel/helper-replace-supers@npm:^7.22.5, @babel/helper-replace-supers@npm:^7.22.9":
-  version: 7.22.9
-  resolution: "@babel/helper-replace-supers@npm:7.22.9"
-  dependencies:
-    "@babel/helper-environment-visitor": ^7.22.5
-    "@babel/helper-member-expression-to-functions": ^7.22.5
-    "@babel/helper-optimise-call-expression": ^7.22.5
-  peerDependencies:
-    "@babel/core": ^7.0.0
-  checksum: d41471f56ff2616459d35a5df1900d5f0756ae78b1027040365325ef332d66e08e3be02a9489756d870887585ff222403a228546e93dd7019e19e59c0c0fe586
-  languageName: node
-  linkType: hard
-
-"@babel/helper-simple-access@npm:^7.16.0":
-  version: 7.16.0
-  resolution: "@babel/helper-simple-access@npm:7.16.0"
-  dependencies:
-    "@babel/types": ^7.16.0
-  checksum: 2d7155f318411788b42d2f4a3d406de12952ad620d0bd411a0f3b5803389692ad61d9e7fab5f93b23ad3d8a09db4a75ca9722b9873a606470f468bc301944af6
-  languageName: node
-  linkType: hard
-
-"@babel/helper-simple-access@npm:^7.17.7":
-  version: 7.17.7
-  resolution: "@babel/helper-simple-access@npm:7.17.7"
-  dependencies:
-    "@babel/types": ^7.17.0
-  checksum: 58a9bfd054720024f6ff47fbb113c96061dc2bd31a5e5285756bd3c2e83918c6926900e00150d0fb175d899494fe7d69bf2a8b278c32ef6f6bea8d032e6a3831
-  languageName: node
-  linkType: hard
-
-"@babel/helper-simple-access@npm:^7.18.2":
-  version: 7.18.2
-  resolution: "@babel/helper-simple-access@npm:7.18.2"
-  dependencies:
-    "@babel/types": ^7.18.2
-  checksum: c0862b56db7e120754d89273a039b128c27517389f6a4425ff24e49779791e8fe10061579171fb986be81fa076778acb847c709f6f5e396278d9c5e01360c375
-  languageName: node
-  linkType: hard
-
-"@babel/helper-simple-access@npm:^7.18.6":
-  version: 7.18.6
-  resolution: "@babel/helper-simple-access@npm:7.18.6"
-  dependencies:
-    "@babel/types": ^7.18.6
-  checksum: 37cd36eef199e0517845763c1e6ff6ea5e7876d6d707a6f59c9267c547a50aa0e84260ba9285d49acfaf2cfa0a74a772d92967f32ac1024c961517d40b6c16a5
-  languageName: node
-  linkType: hard
-
-"@babel/helper-simple-access@npm:^7.22.5":
-  version: 7.22.5
-  resolution: "@babel/helper-simple-access@npm:7.22.5"
-  dependencies:
-    "@babel/types": ^7.22.5
-  checksum: fe9686714caf7d70aedb46c3cce090f8b915b206e09225f1e4dbc416786c2fdbbee40b38b23c268b7ccef749dd2db35f255338fb4f2444429874d900dede5ad2
-  languageName: node
-  linkType: hard
-
-"@babel/helper-skip-transparent-expression-wrappers@npm:^7.16.0":
-  version: 7.16.0
-  resolution: "@babel/helper-skip-transparent-expression-wrappers@npm:7.16.0"
-  dependencies:
-    "@babel/types": ^7.16.0
-  checksum: b9ed2896eb253e6a85f472b0d4098ed80403758ad1a4e34b02b11e8276e3083297526758b1a3e6886e292987266f10622d7dbced3508cc22b296a74903b41cfb
-  languageName: node
-  linkType: hard
-
-"@babel/helper-skip-transparent-expression-wrappers@npm:^7.22.5":
-  version: 7.22.5
-  resolution: "@babel/helper-skip-transparent-expression-wrappers@npm:7.22.5"
-  dependencies:
-    "@babel/types": ^7.22.5
-  checksum: 1012ef2295eb12dc073f2b9edf3425661e9b8432a3387e62a8bc27c42963f1f216ab3124228015c748770b2257b4f1fda882ca8fa34c0bf485e929ae5bc45244
-  languageName: node
-  linkType: hard
-
-"@babel/helper-split-export-declaration@npm:^7.12.13, @babel/helper-split-export-declaration@npm:^7.16.0":
-  version: 7.16.0
-  resolution: "@babel/helper-split-export-declaration@npm:7.16.0"
-  dependencies:
-    "@babel/types": ^7.16.0
-  checksum: 8bd87b5ea2046b145f0f55bc75cbdb6df69eaeb32919ee3c1c758757025aebca03e567a4d48389eb4f16a55021adb6ed8fa58aa771e164b15fa5e0a0722f771d
-  languageName: node
-  linkType: hard
-
-"@babel/helper-split-export-declaration@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/helper-split-export-declaration@npm:7.16.7"
-  dependencies:
-    "@babel/types": ^7.16.7
-  checksum: e10aaf135465c55114627951b79115f24bc7af72ecbb58d541d66daf1edaee5dde7cae3ec8c3639afaf74526c03ae3ce723444e3b5b3dc77140c456cd84bcaa1
-  languageName: node
-  linkType: hard
-
-"@babel/helper-split-export-declaration@npm:^7.18.6":
-  version: 7.18.6
-  resolution: "@babel/helper-split-export-declaration@npm:7.18.6"
-  dependencies:
-    "@babel/types": ^7.18.6
-  checksum: c6d3dede53878f6be1d869e03e9ffbbb36f4897c7cc1527dc96c56d127d834ffe4520a6f7e467f5b6f3c2843ea0e81a7819d66ae02f707f6ac057f3d57943a2b
-  languageName: node
-  linkType: hard
-
-"@babel/helper-split-export-declaration@npm:^7.22.6":
-  version: 7.22.6
-  resolution: "@babel/helper-split-export-declaration@npm:7.22.6"
-  dependencies:
-    "@babel/types": ^7.22.5
-  checksum: e141cace583b19d9195f9c2b8e17a3ae913b7ee9b8120246d0f9ca349ca6f03cb2c001fd5ec57488c544347c0bb584afec66c936511e447fd20a360e591ac921
-  languageName: node
-  linkType: hard
-
-"@babel/helper-string-parser@npm:^7.18.10":
-  version: 7.18.10
-  resolution: "@babel/helper-string-parser@npm:7.18.10"
-  checksum: d554a4393365b624916b5c00a4cc21c990c6617e7f3fe30be7d9731f107f12c33229a7a3db9d829bfa110d2eb9f04790745d421640e3bd245bb412dc0ea123c1
-  languageName: node
-  linkType: hard
-
-"@babel/helper-string-parser@npm:^7.19.4":
-  version: 7.19.4
-  resolution: "@babel/helper-string-parser@npm:7.19.4"
-  checksum: b2f8a3920b30dfac81ec282ac4ad9598ea170648f8254b10f475abe6d944808fb006aab325d3eb5a8ad3bea8dfa888cfa6ef471050dae5748497c110ec060943
-  languageName: node
-  linkType: hard
-
-"@babel/helper-string-parser@npm:^7.22.5":
-  version: 7.22.5
-  resolution: "@babel/helper-string-parser@npm:7.22.5"
-  checksum: 836851ca5ec813077bbb303acc992d75a360267aa3b5de7134d220411c852a6f17de7c0d0b8c8dcc0f567f67874c00f4528672b2a4f1bc978a3ada64c8c78467
-  languageName: node
-  linkType: hard
-
-"@babel/helper-validator-identifier@npm:^7.14.0, @babel/helper-validator-identifier@npm:^7.15.7":
-  version: 7.15.7
-  resolution: "@babel/helper-validator-identifier@npm:7.15.7"
-  checksum: f041c28c531d1add5cc345b25d5df3c29c62bce3205b4d4a93dcd164ccf630350acba252d374fad8f5d8ea526995a215829f27183ba7ce7ce141843bf23068a6
-  languageName: node
-  linkType: hard
-
-"@babel/helper-validator-identifier@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/helper-validator-identifier@npm:7.16.7"
-  checksum: dbb3db9d184343152520a209b5684f5e0ed416109cde82b428ca9c759c29b10c7450657785a8b5c5256aa74acc6da491c1f0cf6b784939f7931ef82982051b69
-  languageName: node
-  linkType: hard
-
-"@babel/helper-validator-identifier@npm:^7.18.6":
-  version: 7.18.6
-  resolution: "@babel/helper-validator-identifier@npm:7.18.6"
-  checksum: e295254d616bbe26e48c196a198476ab4d42a73b90478c9842536cf910ead887f5af6b5c4df544d3052a25ccb3614866fa808dc1e3a5a4291acd444e243c0648
-  languageName: node
-  linkType: hard
-
-"@babel/helper-validator-identifier@npm:^7.19.1":
-  version: 7.19.1
-  resolution: "@babel/helper-validator-identifier@npm:7.19.1"
-  checksum: 0eca5e86a729162af569b46c6c41a63e18b43dbe09fda1d2a3c8924f7d617116af39cac5e4cd5d431bb760b4dca3c0970e0c444789b1db42bcf1fa41fbad0a3a
-  languageName: node
-  linkType: hard
-
-"@babel/helper-validator-identifier@npm:^7.22.5":
-  version: 7.22.5
-  resolution: "@babel/helper-validator-identifier@npm:7.22.5"
-  checksum: 7f0f30113474a28298c12161763b49de5018732290ca4de13cdaefd4fd0d635a6fe3f6686c37a02905fb1e64f21a5ee2b55140cf7b070e729f1bd66866506aea
-  languageName: node
-  linkType: hard
-
-"@babel/helper-validator-option@npm:^7.12.17, @babel/helper-validator-option@npm:^7.14.5":
-  version: 7.14.5
-  resolution: "@babel/helper-validator-option@npm:7.14.5"
-  checksum: 1b25c34a5cb3d8602280f33b9ab687d2a77895e3616458d0f70ddc450ada9b05e342c44f322bc741d51b252e84cff6ec44ae93d622a3354828579a643556b523
-  languageName: node
-  linkType: hard
-
-"@babel/helper-validator-option@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/helper-validator-option@npm:7.16.7"
-  checksum: c5ccc451911883cc9f12125d47be69434f28094475c1b9d2ada7c3452e6ac98a1ee8ddd364ca9e3f9855fcdee96cdeafa32543ebd9d17fee7a1062c202e80570
-  languageName: node
-  linkType: hard
-
-"@babel/helper-validator-option@npm:^7.18.6":
-  version: 7.18.6
-  resolution: "@babel/helper-validator-option@npm:7.18.6"
-  checksum: f9cc6eb7cc5d759c5abf006402180f8d5e4251e9198197428a97e05d65eb2f8ae5a0ce73b1dfd2d35af41d0eb780627a64edf98a4e71f064eeeacef8de58f2cf
-  languageName: node
-  linkType: hard
-
-"@babel/helper-validator-option@npm:^7.22.5":
-  version: 7.22.5
-  resolution: "@babel/helper-validator-option@npm:7.22.5"
-  checksum: bbeca8a85ee86990215c0424997438b388b8d642d69b9f86c375a174d3cdeb270efafd1ff128bc7a1d370923d13b6e45829ba8581c027620e83e3a80c5c414b3
-  languageName: node
-  linkType: hard
-
-"@babel/helper-wrap-function@npm:^7.16.0":
-  version: 7.16.0
-  resolution: "@babel/helper-wrap-function@npm:7.16.0"
-  dependencies:
-    "@babel/helper-function-name": ^7.16.0
-    "@babel/template": ^7.16.0
-    "@babel/traverse": ^7.16.0
-    "@babel/types": ^7.16.0
-  checksum: 2bb4e05f49cf217cc5890581284a051245ba0ddaccbe3ddd662010d7a6969f52d2027e310d26db2e030273c5fe9341448c7845fcb4795ad8eb56bdeabec148b8
-  languageName: node
-  linkType: hard
-
-"@babel/helper-wrap-function@npm:^7.16.8":
-  version: 7.16.8
-  resolution: "@babel/helper-wrap-function@npm:7.16.8"
-  dependencies:
-    "@babel/helper-function-name": ^7.16.7
-    "@babel/template": ^7.16.7
-    "@babel/traverse": ^7.16.8
-    "@babel/types": ^7.16.8
-  checksum: d8aae4bacaf138d47dca1421ba82b41eac954cbb0ad17ab1c782825c6f2afe20076fbed926ab265967758336de5112d193a363128cd1c6967c66e0151174f797
-  languageName: node
-  linkType: hard
-
-"@babel/helpers@npm:^7.14.0, @babel/helpers@npm:^7.16.0":
-  version: 7.16.3
-  resolution: "@babel/helpers@npm:7.16.3"
-  dependencies:
-    "@babel/template": ^7.16.0
-    "@babel/traverse": ^7.16.3
-    "@babel/types": ^7.16.0
-  checksum: b725b1aab734e9e1407247ee499880583855843fa2855377a2c26277bd9fbd7080219109189bc69b18d71cc30759666bfe66d534729b41452097866d1f5a66ef
-  languageName: node
-  linkType: hard
-
-"@babel/helpers@npm:^7.17.8":
-  version: 7.17.8
-  resolution: "@babel/helpers@npm:7.17.8"
-  dependencies:
-    "@babel/template": ^7.16.7
-    "@babel/traverse": ^7.17.3
-    "@babel/types": ^7.17.0
-  checksum: 463dad58119fefebf2d0201bfa53ec9607aa00356908895640fc07589747fb3c2e0dfee4019f3e8c9781e57c9aa5dff4c72ec8d1b031c4ed8349f90b6aefe99d
-  languageName: node
-  linkType: hard
-
-"@babel/helpers@npm:^7.18.2":
-  version: 7.18.2
-  resolution: "@babel/helpers@npm:7.18.2"
-  dependencies:
-    "@babel/template": ^7.16.7
-    "@babel/traverse": ^7.18.2
-    "@babel/types": ^7.18.2
-  checksum: 94620242f23f6d5f9b83a02b1aa1632ffb05b0815e1bb53d3b46d64aa8e771066bba1db8bd267d9091fb00134cfaeda6a8d69d1d4cc2c89658631adfa077ae70
-  languageName: node
-  linkType: hard
-
-"@babel/helpers@npm:^7.19.0":
-  version: 7.19.0
-  resolution: "@babel/helpers@npm:7.19.0"
-  dependencies:
-    "@babel/template": ^7.18.10
-    "@babel/traverse": ^7.19.0
-    "@babel/types": ^7.19.0
-  checksum: e50e78e0dbb0435075fa3f85021a6bcae529589800bca0292721afd7f7c874bea54508d6dc57eca16e5b8224f8142c6b0e32e3b0140029dc09865da747da4623
-  languageName: node
-  linkType: hard
-
-"@babel/helpers@npm:^7.22.6":
-  version: 7.22.6
-  resolution: "@babel/helpers@npm:7.22.6"
-  dependencies:
-    "@babel/template": ^7.22.5
-    "@babel/traverse": ^7.22.6
-    "@babel/types": ^7.22.5
-  checksum: 5c1f33241fe7bf7709868c2105134a0a86dca26a0fbd508af10a89312b1f77ca38ebae43e50be3b208613c5eacca1559618af4ca236f0abc55d294800faeff30
-  languageName: node
-  linkType: hard
-
-"@babel/highlight@npm:^7.12.13, @babel/highlight@npm:^7.16.0":
-  version: 7.16.0
-  resolution: "@babel/highlight@npm:7.16.0"
-  dependencies:
-    "@babel/helper-validator-identifier": ^7.15.7
-    chalk: ^2.0.0
-    js-tokens: ^4.0.0
-  checksum: abf244c48fcff20ec87830e8b99c776f4dcdd9138e63decc195719a94148da35339639e0d8045eb9d1f3e67a39ab90a9c3f5ce2d579fb1a0368d911ddf29b4e5
-  languageName: node
-  linkType: hard
-
-"@babel/highlight@npm:^7.16.7":
-  version: 7.16.10
-  resolution: "@babel/highlight@npm:7.16.10"
-  dependencies:
-    "@babel/helper-validator-identifier": ^7.16.7
-    chalk: ^2.0.0
-    js-tokens: ^4.0.0
-  checksum: 1f1bdd752a90844f4efc22166a46303fb651ba0fd75a06daba3ebae2575ab3edc1da9827c279872a3aaf305f50a18473c5fa1966752726a2b253065fd4c0745e
-  languageName: node
-  linkType: hard
-
-"@babel/highlight@npm:^7.18.6":
-  version: 7.18.6
-  resolution: "@babel/highlight@npm:7.18.6"
-  dependencies:
-    "@babel/helper-validator-identifier": ^7.18.6
-    chalk: ^2.0.0
-    js-tokens: ^4.0.0
-  checksum: 92d8ee61549de5ff5120e945e774728e5ccd57fd3b2ed6eace020ec744823d4a98e242be1453d21764a30a14769ecd62170fba28539b211799bbaf232bbb2789
-  languageName: node
-  linkType: hard
-
-"@babel/highlight@npm:^7.22.5":
-  version: 7.22.5
-  resolution: "@babel/highlight@npm:7.22.5"
-  dependencies:
-    "@babel/helper-validator-identifier": ^7.22.5
-    chalk: ^2.0.0
-    js-tokens: ^4.0.0
-  checksum: f61ae6de6ee0ea8d9b5bcf2a532faec5ab0a1dc0f7c640e5047fc61630a0edb88b18d8c92eb06566d30da7a27db841aca11820ecd3ebe9ce514c9350fbed39c4
-  languageName: node
-  linkType: hard
-
-"@babel/parser@npm:^7.12.3, @babel/parser@npm:^7.4.5":
-  version: 7.14.0
-  resolution: "@babel/parser@npm:7.14.0"
-  bin:
-    parser: ./bin/babel-parser.js
-  checksum: d1d82e6c2ecd1d66d873f3ae4f070bd687ee0d4e19ecf6b63a5daa735982ea0554a2ff7afd463d6754f8f28c9bc4b83264787d5a215b729f9552745ce76130f9
-  languageName: node
-  linkType: hard
-
-"@babel/parser@npm:^7.14.0, @babel/parser@npm:^7.16.0, @babel/parser@npm:^7.16.3":
-  version: 7.16.4
-  resolution: "@babel/parser@npm:7.16.4"
-  bin:
-    parser: ./bin/babel-parser.js
-  checksum: ce0a8f92f440f2a12bc932f070a7b60c5133bf8a63f461841f9e39af0194f573707959d606c6fad1a2fd496a45148553afd9b74d3b8dd36cdb7861598d1f3e36
-  languageName: node
-  linkType: hard
-
-"@babel/parser@npm:^7.16.7, @babel/parser@npm:^7.17.3, @babel/parser@npm:^7.17.8":
-  version: 7.17.8
-  resolution: "@babel/parser@npm:7.17.8"
-  bin:
-    parser: ./bin/babel-parser.js
-  checksum: 1771808491982cc47baa888a997aef6b58308e3844c8c00f730f8fd97defe57d32cdbf46075cd49aaee310fa31f3d2c80a0d41b41a4ee0ff336ee09e2ff6c222
-  languageName: node
-  linkType: hard
-
-"@babel/parser@npm:^7.18.0":
-  version: 7.18.4
-  resolution: "@babel/parser@npm:7.18.4"
-  bin:
-    parser: ./bin/babel-parser.js
-  checksum: e05b2dc720c4b200e088258f3c2a2de5041c140444edc38181d1217b10074e881a7133162c5b62356061f26279f08df5a06ec14c5842996ee8601ad03c57a44f
-  languageName: node
-  linkType: hard
-
-"@babel/parser@npm:^7.18.10, @babel/parser@npm:^7.19.0":
-  version: 7.19.0
-  resolution: "@babel/parser@npm:7.19.0"
-  bin:
-    parser: ./bin/babel-parser.js
-  checksum: af86d829bfeb60e0dcf54a43489c2514674b6c8d9bb24cf112706772125752fcd517877ad30501d533fa85f70a439d02eebeec3be9c2e95499853367184e0da7
-  languageName: node
-  linkType: hard
-
-"@babel/parser@npm:^7.22.5, @babel/parser@npm:^7.22.7":
-  version: 7.22.7
-  resolution: "@babel/parser@npm:7.22.7"
-  bin:
-    parser: ./bin/babel-parser.js
-  checksum: 02209ddbd445831ee8bf966fdf7c29d189ed4b14343a68eb2479d940e7e3846340d7cc6bd654a5f3d87d19dc84f49f50a58cf9363bee249dc5409ff3ba3dab54
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0
-  checksum: bbb0f82a4cf297bdbb9110eea570addd4b883fd1b61535558d849822b087aa340fe4e9c31f8a39b087595c8310b58d0f5548d6be0b72c410abefb23a5734b7bc
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression@npm:7.17.12"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.17.12
-  peerDependencies:
-    "@babel/core": ^7.0.0
-  checksum: 6ef739b3a2b0ac0b22b60ff472c118163ceb8d414dd08c8186cc563fddc2be62ad4d8681e02074a1c7f0056a72e7146493a85d12ded02e50904b0009ed85d8bf
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@npm:^7.13.12":
-  version: 7.16.0
-  resolution: "@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-    "@babel/helper-skip-transparent-expression-wrappers": ^7.16.0
-    "@babel/plugin-proposal-optional-chaining": ^7.16.0
-  peerDependencies:
-    "@babel/core": ^7.13.0
-  checksum: bb115479292e2c66671a62c46a64d8dae1fc8bbf604c83f82a421216e3d40632dbe86e8ba34e66318c215eddfc4f25e6e7fe19123517f1cf5b6003b1efbd911a
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-    "@babel/helper-skip-transparent-expression-wrappers": ^7.16.0
-    "@babel/plugin-proposal-optional-chaining": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.13.0
-  checksum: 81b372651a7d886a06596b02df7fb65ea90265a8bd60c9f0d5c1777590a598e6cccbdc3239033ee0719abf904813e69577eeb0ed5960b40e07978df023b17a6a
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@npm:7.17.12"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.17.12
-    "@babel/helper-skip-transparent-expression-wrappers": ^7.16.0
-    "@babel/plugin-proposal-optional-chaining": ^7.17.12
-  peerDependencies:
-    "@babel/core": ^7.13.0
-  checksum: 68520a8f26e56bc8d90c22133537a9819e82598e3c82007f30bdaf8898b0e12a7bfa0cd3044aca35a7f362fd6bc04e4cd8052a571fc2eb40ad8f1cf24e0fc45f
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-async-generator-functions@npm:^7.13.15":
-  version: 7.16.4
-  resolution: "@babel/plugin-proposal-async-generator-functions@npm:7.16.4"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-    "@babel/helper-remap-async-to-generator": ^7.16.4
-    "@babel/plugin-syntax-async-generators": ^7.8.4
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: dcd5a76ee12eacee93440e021a7e4a8e53b5d13d26c8fd7d412fc83341a1633a949bef1ef94301ae753164d39d303cb01b59234e6b48205377ca1d041f670ba5
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-async-generator-functions@npm:^7.16.8":
-  version: 7.16.8
-  resolution: "@babel/plugin-proposal-async-generator-functions@npm:7.16.8"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-    "@babel/helper-remap-async-to-generator": ^7.16.8
-    "@babel/plugin-syntax-async-generators": ^7.8.4
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: abd2c2c67de262720d37c5509dafe2ce64d6cee2dc9a8e863bbba1796b77387214442f37618373c6a4521ca624bfc7dcdbeb1376300d16f2a474405ee0ca2e69
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-async-generator-functions@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/plugin-proposal-async-generator-functions@npm:7.17.12"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.17.12
-    "@babel/helper-remap-async-to-generator": ^7.16.8
-    "@babel/plugin-syntax-async-generators": ^7.8.4
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 16a3c7f68a27031b4973b7c64ca009873c91b91afd7b3a4694ec7f1c6d8e91a6ee142eafd950113810fae122faa1031de71140333b2b1bd03d5367b1a05b1d91
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-class-properties@npm:^7.1.0":
-  version: 7.13.0
-  resolution: "@babel/plugin-proposal-class-properties@npm:7.13.0"
-  dependencies:
-    "@babel/helper-create-class-features-plugin": ^7.13.0
-    "@babel/helper-plugin-utils": ^7.13.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: e3cdfacb2d36c66204e3bf99b85feb521daed6e2c3d424f10eb3f722fe20ca0a2560fe9f5a01e5170a34a4f160e9ff02eb678bed81ee130f1c9d990ce8cd711c
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-class-properties@npm:^7.13.0":
-  version: 7.16.0
-  resolution: "@babel/plugin-proposal-class-properties@npm:7.16.0"
-  dependencies:
-    "@babel/helper-create-class-features-plugin": ^7.16.0
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: b1665ced553e5cdb95eec2fda321cb226c5f255edd1a94b226b9d81e97e026472184b6898af26f2bb9ee64101fad1afe215b6fc469d3103dec78c55e732e49aa
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-class-properties@npm:^7.16.5, @babel/plugin-proposal-class-properties@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-proposal-class-properties@npm:7.16.7"
-  dependencies:
-    "@babel/helper-create-class-features-plugin": ^7.16.7
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 3977e841e17b45b47be749b9a5b67b9e8b25ff0840f9fdad3f00cbcb35db4f5ff15f074939fe19b01207a29688c432cc2c682351959350834d62920b7881f803
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-class-properties@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/plugin-proposal-class-properties@npm:7.17.12"
-  dependencies:
-    "@babel/helper-create-class-features-plugin": ^7.17.12
-    "@babel/helper-plugin-utils": ^7.17.12
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 884df6a4617a18cdc2a630096b2a10954bcc94757c893bb01abd6702fdc73343ca5c611f4884c4634e0608f5e86c3093ea6b973ce00bf21b248ba54de92c837d
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-class-static-block@npm:^7.13.11":
-  version: 7.16.0
-  resolution: "@babel/plugin-proposal-class-static-block@npm:7.16.0"
-  dependencies:
-    "@babel/helper-create-class-features-plugin": ^7.16.0
-    "@babel/helper-plugin-utils": ^7.14.5
-    "@babel/plugin-syntax-class-static-block": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.12.0
-  checksum: 59c4bb3d6ad4828e7773fe1c63730c68bf646c3a8d042b9ed4062fd98a26c1656b7ee108c5f144fd8b24ff567baf3b2efa644be29c6c8bcfe60e09e485e22116
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-class-static-block@npm:^7.16.7":
-  version: 7.17.6
-  resolution: "@babel/plugin-proposal-class-static-block@npm:7.17.6"
-  dependencies:
-    "@babel/helper-create-class-features-plugin": ^7.17.6
-    "@babel/helper-plugin-utils": ^7.16.7
-    "@babel/plugin-syntax-class-static-block": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.12.0
-  checksum: 0ef00d73b4a7667059f71614669fb5ec989a0a6d5fe58118310c892507f2556a6f3ae66f0c547cd06e50bdf3ff528ef486e611079d41ef321300c967d2c26e1d
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-class-static-block@npm:^7.18.0":
-  version: 7.18.0
-  resolution: "@babel/plugin-proposal-class-static-block@npm:7.18.0"
-  dependencies:
-    "@babel/helper-create-class-features-plugin": ^7.18.0
-    "@babel/helper-plugin-utils": ^7.17.12
-    "@babel/plugin-syntax-class-static-block": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.12.0
-  checksum: 70fd622fd7c62cca2aa99c70532766340a5c30105e35cb3f1187b450580d43adc78b3fcb1142ed339bcfccf84be95ea03407adf467331b318ce6874432736c89
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-decorators@npm:^7.13.5":
-  version: 7.16.4
-  resolution: "@babel/plugin-proposal-decorators@npm:7.16.4"
-  dependencies:
-    "@babel/helper-create-class-features-plugin": ^7.16.0
-    "@babel/helper-plugin-utils": ^7.14.5
-    "@babel/plugin-syntax-decorators": ^7.16.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: de4f3187c60d14fca37f4edf9d27c61b22e62609708bbaa48bd25b705ab4d5d09457b1011bf6fb55607b11c7a227310f3db5ced4802ded96a79202af7fad7101
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-decorators@npm:^7.16.7":
-  version: 7.18.2
-  resolution: "@babel/plugin-proposal-decorators@npm:7.18.2"
-  dependencies:
-    "@babel/helper-create-class-features-plugin": ^7.18.0
-    "@babel/helper-plugin-utils": ^7.17.12
-    "@babel/helper-replace-supers": ^7.18.2
-    "@babel/helper-split-export-declaration": ^7.16.7
-    "@babel/plugin-syntax-decorators": ^7.17.12
-    charcodes: ^0.2.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: cb40e31afe5c414d748d90943910ff7e8015f89f5845046bcdc8ae9b09882b183c550a6bc32969826680d9c41866d5f39097f1cd7b0a7c2101285ec4e38dbded
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-decorators@npm:^7.21.0":
-  version: 7.22.7
-  resolution: "@babel/plugin-proposal-decorators@npm:7.22.7"
-  dependencies:
-    "@babel/helper-create-class-features-plugin": ^7.22.6
-    "@babel/helper-plugin-utils": ^7.22.5
-    "@babel/helper-replace-supers": ^7.22.5
-    "@babel/helper-split-export-declaration": ^7.22.6
-    "@babel/plugin-syntax-decorators": ^7.22.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: d9d6f7cc8b3f1450963d3f26909af025836189b81e43c48ad455db5db2319beaf4ad2fda5aa12a1afcf856de11ecd5ee6894a9e906e8de8ee445c79102b50d26
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-dynamic-import@npm:^7.13.8":
-  version: 7.16.0
-  resolution: "@babel/plugin-proposal-dynamic-import@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-    "@babel/plugin-syntax-dynamic-import": ^7.8.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 4027da640443d8fd4a20637d1dd67cce1c13207b8c19fa77796a08b9eec9881b95322c1a5c489128adf3a12e9bbc02b31de9ddd536c909d072577a74a2a70b67
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-dynamic-import@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-proposal-dynamic-import@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-    "@babel/plugin-syntax-dynamic-import": ^7.8.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 5992012484fb8bda1451369350e475091954ed414dd9ef8654a3c4daa2db0205d4f29c94f5d3dedfbc5a434996375c8304586904337d6af938ac0f27a0033e23
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-export-namespace-from@npm:^7.12.13":
-  version: 7.16.0
-  resolution: "@babel/plugin-proposal-export-namespace-from@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-    "@babel/plugin-syntax-export-namespace-from": ^7.8.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 0bdc166ac44d9a0579e6d14d07ed1364932b4b7852626f4ba0c0011464097ed23bec43a3e93793d888c2854918ce9937ac251a945abbe0d283eaa1df206e0b05
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-export-namespace-from@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-proposal-export-namespace-from@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-    "@babel/plugin-syntax-export-namespace-from": ^7.8.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 5016079a5305c1c130fea587b42cdce501574739cfefa5b63469dbc1f32d436df0ff42fabf04089fe8b6a00f4ea7563869e944744b457e186c677995983cb166
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-export-namespace-from@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/plugin-proposal-export-namespace-from@npm:7.17.12"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.17.12
-    "@babel/plugin-syntax-export-namespace-from": ^7.8.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 41c9cd4c0a5629b65725d2554867c15b199f534cea5538bd1ae379c0d13e7206d8590e23b23cb05a8b243e33e6eb88c1de3fd03a55cdbc6d4cf8634a6bebe43d
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-json-strings@npm:^7.13.8":
-  version: 7.16.0
-  resolution: "@babel/plugin-proposal-json-strings@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-    "@babel/plugin-syntax-json-strings": ^7.8.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: fa93be8eff22ced96a68c9db8c0e930414a4ffb44cf68b473717309c06a4feee2bac6e41415a699c829f29928653d67b4b7d29a45861784d235264d829055a1e
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-json-strings@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-proposal-json-strings@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-    "@babel/plugin-syntax-json-strings": ^7.8.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: ea6487918f8d88322ac2a4e5273be6163b0d84a34330c31cee346e23525299de3b4f753bc987951300a79f55b8f4b1971b24d04c0cdfcb7ceb4d636975c215e8
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-json-strings@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/plugin-proposal-json-strings@npm:7.17.12"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.17.12
-    "@babel/plugin-syntax-json-strings": ^7.8.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 8ed4ee3fbc28e44fac17c48bd95b5b8c3ffc852053a9fffd36ab498ec0b0ba069b8b2f5658edc18332748948433b9d3e1e376f564a1d65cb54592ba9943be09b
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-logical-assignment-operators@npm:^7.13.8":
-  version: 7.16.0
-  resolution: "@babel/plugin-proposal-logical-assignment-operators@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-    "@babel/plugin-syntax-logical-assignment-operators": ^7.10.4
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 7e6cd10248803f0c5801805ef1a357314940c3204c3d2f00994711f272c21276f181d0e83ada5bce6185ae2c97c4417e778331505ffc2e71a2b9c4425a5dcc6d
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-logical-assignment-operators@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-proposal-logical-assignment-operators@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-    "@babel/plugin-syntax-logical-assignment-operators": ^7.10.4
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: c4cf18e10f900d40eaa471c4adce4805e67bd845f997a4b9d5653eced4e653187b9950843b2bf7eab6c0c3e753aba222b1d38888e3e14e013f87295c5b014f19
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-logical-assignment-operators@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/plugin-proposal-logical-assignment-operators@npm:7.17.12"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.17.12
-    "@babel/plugin-syntax-logical-assignment-operators": ^7.10.4
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 0d48451836219b7beeca4be22a8aeb4a177a4944be4727afb94a4a11f201dde8b0b186dd2ad65b537d61e9af3fa1afda734f7096bec8602debd76d07aa342e21
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-nullish-coalescing-operator@npm:^7.13.8, @babel/plugin-proposal-nullish-coalescing-operator@npm:^7.4.4":
-  version: 7.16.0
-  resolution: "@babel/plugin-proposal-nullish-coalescing-operator@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-    "@babel/plugin-syntax-nullish-coalescing-operator": ^7.8.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: e50f94929970cdc5c6ee22ec4c95c46ae25cdd8c391baf601f7f3d3a3cec417efc663a3fafa9ae5bca82a6815d49687b07cab9857f5a10e9ea862438ecb81e4a
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-nullish-coalescing-operator@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-proposal-nullish-coalescing-operator@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-    "@babel/plugin-syntax-nullish-coalescing-operator": ^7.8.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: bfafc2701697b5c763dbbb65dd97b56979bfb0922e35be27733699a837aeff22316313ddfdd0fb45129efa3f86617219b77110d05338bc4dca4385d8ce83dd19
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-nullish-coalescing-operator@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/plugin-proposal-nullish-coalescing-operator@npm:7.17.12"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.17.12
-    "@babel/plugin-syntax-nullish-coalescing-operator": ^7.8.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 7881d8005d0d4e17a94f3bfbfa4a0d8af016d2f62ed90912fabb8c5f8f0cc0a15fd412f09c230984c40b5c893086987d403c73198ef388ffcb3726ff72efc009
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-numeric-separator@npm:^7.12.13":
-  version: 7.16.0
-  resolution: "@babel/plugin-proposal-numeric-separator@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-    "@babel/plugin-syntax-numeric-separator": ^7.10.4
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: eb7895a4f38263df644a0ded7042991190f23bdec4b53f3e2c8b40b82d2dbc537a6ca9afbfd490d1aa5dd33244e7a51bf1ae0c4c6890d9978bc1adc325b7e795
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-numeric-separator@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-proposal-numeric-separator@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-    "@babel/plugin-syntax-numeric-separator": ^7.10.4
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 8e2fb0b32845908c67f80bc637a0968e28a66727d7ffb22b9c801dc355d88e865dc24aec586b00c922c23833ae5d26301b443b53609ea73d8344733cd48a1eca
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-object-rest-spread@npm:^7.12.1":
-  version: 7.13.8
-  resolution: "@babel/plugin-proposal-object-rest-spread@npm:7.13.8"
-  dependencies:
-    "@babel/compat-data": ^7.13.8
-    "@babel/helper-compilation-targets": ^7.13.8
-    "@babel/helper-plugin-utils": ^7.13.0
-    "@babel/plugin-syntax-object-rest-spread": ^7.8.3
-    "@babel/plugin-transform-parameters": ^7.13.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 7ae92617c672e1d47979c809bd90b20c4e7d269769776dd705f519634a165d113de8ef05739a557b3aad0cb6884986b82d287dcb63211c07b66dca43ac66c8bb
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-object-rest-spread@npm:^7.13.8":
-  version: 7.16.0
-  resolution: "@babel/plugin-proposal-object-rest-spread@npm:7.16.0"
-  dependencies:
-    "@babel/compat-data": ^7.16.0
-    "@babel/helper-compilation-targets": ^7.16.0
-    "@babel/helper-plugin-utils": ^7.14.5
-    "@babel/plugin-syntax-object-rest-spread": ^7.8.3
-    "@babel/plugin-transform-parameters": ^7.16.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: c7716ba50e65aae613e553dd568d3f4b4c42fa8d9f1c3aca6cc227670fc792b600cd5a5c710451490f3d7d5916e77607cba45033e199534ca71feed451f63820
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-object-rest-spread@npm:^7.16.7":
-  version: 7.17.3
-  resolution: "@babel/plugin-proposal-object-rest-spread@npm:7.17.3"
-  dependencies:
-    "@babel/compat-data": ^7.17.0
-    "@babel/helper-compilation-targets": ^7.16.7
-    "@babel/helper-plugin-utils": ^7.16.7
-    "@babel/plugin-syntax-object-rest-spread": ^7.8.3
-    "@babel/plugin-transform-parameters": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 02810f158db4aaf6883131621b5d2c7d901ea3c034df2c2b78663f8b26813795d78a346c37e56770a720c54773732fd1d7fe40947dbf11d1d8de0e9a38e856d3
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-object-rest-spread@npm:^7.18.0":
-  version: 7.18.0
-  resolution: "@babel/plugin-proposal-object-rest-spread@npm:7.18.0"
-  dependencies:
-    "@babel/compat-data": ^7.17.10
-    "@babel/helper-compilation-targets": ^7.17.10
-    "@babel/helper-plugin-utils": ^7.17.12
-    "@babel/plugin-syntax-object-rest-spread": ^7.8.3
-    "@babel/plugin-transform-parameters": ^7.17.12
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 2b49bcf9a6b11fd8b6a1d4962a64f3c846a63f8340eca9824c907f75bfcff7422ca35b135607fc3ef2d4e7e77ce6b6d955b772dc3c1c39f7ed24a0d8a560ec78
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-optional-catch-binding@npm:^7.13.8":
-  version: 7.16.0
-  resolution: "@babel/plugin-proposal-optional-catch-binding@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-    "@babel/plugin-syntax-optional-catch-binding": ^7.8.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 5003a1d48fb6bac1661b481681baf7941de518f1f773d9745e65a650e750b715cb69181a4b723e28f4e43b94143b7b0fe5d12ff1ceceda9731f073cd6bf4e195
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-optional-catch-binding@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-proposal-optional-catch-binding@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-    "@babel/plugin-syntax-optional-catch-binding": ^7.8.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 4a422bb19a23cf80a245c60bea7adbe5dac8ff3bc1a62f05d7155e1eb68d401b13339c94dfd1f3d272972feeb45746f30d52ca0f8d5c63edf6891340878403df
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-optional-chaining@npm:^7.13.12, @babel/plugin-proposal-optional-chaining@npm:^7.16.0, @babel/plugin-proposal-optional-chaining@npm:^7.6.0":
-  version: 7.16.0
-  resolution: "@babel/plugin-proposal-optional-chaining@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-    "@babel/helper-skip-transparent-expression-wrappers": ^7.16.0
-    "@babel/plugin-syntax-optional-chaining": ^7.8.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 8301e0829220327c8b969b711c5c4ee5aef88b391e5fb7838381bd18c0fd0cf360d3a307ad5c6113414470ae920504dc2c41983af0ddf3762f5c88957e0c3a94
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-optional-chaining@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-proposal-optional-chaining@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-    "@babel/helper-skip-transparent-expression-wrappers": ^7.16.0
-    "@babel/plugin-syntax-optional-chaining": ^7.8.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: e4a6c1ac7e6817b92a673ea52ab0b7dc1fb39d29fb0820cd414e10ae2cd132bd186b4238dcca881a29fc38fe9d38ed24fc111ba22ca20086481682d343f4f130
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-optional-chaining@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/plugin-proposal-optional-chaining@npm:7.17.12"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.17.12
-    "@babel/helper-skip-transparent-expression-wrappers": ^7.16.0
-    "@babel/plugin-syntax-optional-chaining": ^7.8.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: a27b220573441a0ad3eecf8ddcb249556a64de45add236791d76cfa164a8fd34181857528fa7d21d03d6b004e7c043bd929cce068e611ee1ac72aaf4d397aa12
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-private-methods@npm:^7.13.0":
-  version: 7.16.0
-  resolution: "@babel/plugin-proposal-private-methods@npm:7.16.0"
-  dependencies:
-    "@babel/helper-create-class-features-plugin": ^7.16.0
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 6f648f54ea1219262b7a05f86f94de7cb466dc81ffd86e4f37ba536037762457ef13408083eb4325d44d2a5aae27c097756efe1067f5c1fbddb8078b923580f5
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-private-methods@npm:^7.16.11, @babel/plugin-proposal-private-methods@npm:^7.16.5":
-  version: 7.16.11
-  resolution: "@babel/plugin-proposal-private-methods@npm:7.16.11"
-  dependencies:
-    "@babel/helper-create-class-features-plugin": ^7.16.10
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: b333e5aa91c265bb394a57b5f4ae1a34fc8ee73a8d75506b12df258d8b5342107cbd9261f95e606bd3264a5b023db77f1f95be30c2e526683916c57f793f7943
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-private-methods@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/plugin-proposal-private-methods@npm:7.17.12"
-  dependencies:
-    "@babel/helper-create-class-features-plugin": ^7.17.12
-    "@babel/helper-plugin-utils": ^7.17.12
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: a1e5bd6a0a541af55d133d7bcf51ff8eb4ac7417a30f518c2f38107d7d033a3d5b7128ea5b3a910b458d7ceb296179b6ff9d972be60d1c686113d25fede8bed3
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-private-property-in-object@npm:^7.14.0":
-  version: 7.16.0
-  resolution: "@babel/plugin-proposal-private-property-in-object@npm:7.16.0"
-  dependencies:
-    "@babel/helper-annotate-as-pure": ^7.16.0
-    "@babel/helper-create-class-features-plugin": ^7.16.0
-    "@babel/helper-plugin-utils": ^7.14.5
-    "@babel/plugin-syntax-private-property-in-object": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 9098fb34f4abac376ec5823bf6aaedacd46e6925a6fc62559a8086a110bf39310ee308bfbbed052f047ad803b7148b87e43b6d83a759be0aeab1149efd4b8eeb
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-private-property-in-object@npm:^7.16.5, @babel/plugin-proposal-private-property-in-object@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-proposal-private-property-in-object@npm:7.16.7"
-  dependencies:
-    "@babel/helper-annotate-as-pure": ^7.16.7
-    "@babel/helper-create-class-features-plugin": ^7.16.7
-    "@babel/helper-plugin-utils": ^7.16.7
-    "@babel/plugin-syntax-private-property-in-object": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 666d668f51d8c01aaf0dd87b27a83fc0392884d2c8e9d8e17b3b7011c0d348865dee94b44dc2d7070726e58e3b579728dc2588aaa8140d563f7390743ee90f0a
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-private-property-in-object@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/plugin-proposal-private-property-in-object@npm:7.17.12"
-  dependencies:
-    "@babel/helper-annotate-as-pure": ^7.16.7
-    "@babel/helper-create-class-features-plugin": ^7.17.12
-    "@babel/helper-plugin-utils": ^7.17.12
-    "@babel/plugin-syntax-private-property-in-object": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 056cb77994b2ee367301cdf8c5b7ed71faf26d60859bbba1368b342977481b0884712a1b97fbd9b091750162923d0265bf901119d46002775aa66e4a9f30f411
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-unicode-property-regex@npm:^7.12.13, @babel/plugin-proposal-unicode-property-regex@npm:^7.4.4":
-  version: 7.16.0
-  resolution: "@babel/plugin-proposal-unicode-property-regex@npm:7.16.0"
-  dependencies:
-    "@babel/helper-create-regexp-features-plugin": ^7.16.0
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: f26b76c9aa680820fe693f768a36e3a2c4d969e72d7a362059fffad7c874eed8a89bde2be5bde650283a685bd879415f8937fb37a9a1397b287a81df0c6f7c23
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-unicode-property-regex@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-proposal-unicode-property-regex@npm:7.16.7"
-  dependencies:
-    "@babel/helper-create-regexp-features-plugin": ^7.16.7
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 2b8a33713d456183f0b7d011011e7bd932c08cc06216399a7b2015ab39284b511993dc10a89bbb15d1d728e6a2ef42ca08c3202619aa148cbd48052422ea3995
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-proposal-unicode-property-regex@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/plugin-proposal-unicode-property-regex@npm:7.17.12"
-  dependencies:
-    "@babel/helper-create-regexp-features-plugin": ^7.17.12
-    "@babel/helper-plugin-utils": ^7.17.12
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 0e4194510415ed11849f1617fcb32d996df746ba93cd05ebbabecb63cfc02c0e97b585c97da3dcf68acdd3c8b71cfae964abe5d5baba6bd3977a475d9225ad9e
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-syntax-async-generators@npm:^7.8.4":
-  version: 7.8.4
-  resolution: "@babel/plugin-syntax-async-generators@npm:7.8.4"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.8.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 7ed1c1d9b9e5b64ef028ea5e755c0be2d4e5e4e3d6cf7df757b9a8c4cfa4193d268176d0f1f7fbecdda6fe722885c7fda681f480f3741d8a2d26854736f05367
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-syntax-class-properties@npm:^7.12.13":
-  version: 7.12.13
-  resolution: "@babel/plugin-syntax-class-properties@npm:7.12.13"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.12.13
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 24f34b196d6342f28d4bad303612d7ff566ab0a013ce89e775d98d6f832969462e7235f3e7eaf17678a533d4be0ba45d3ae34ab4e5a9dcbda5d98d49e5efa2fc
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-syntax-class-static-block@npm:^7.12.13, @babel/plugin-syntax-class-static-block@npm:^7.14.5":
-  version: 7.14.5
-  resolution: "@babel/plugin-syntax-class-static-block@npm:7.14.5"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 3e80814b5b6d4fe17826093918680a351c2d34398a914ce6e55d8083d72a9bdde4fbaf6a2dcea0e23a03de26dc2917ae3efd603d27099e2b98380345703bf948
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-syntax-decorators@npm:^7.16.0":
-  version: 7.16.0
-  resolution: "@babel/plugin-syntax-decorators@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: afee8cc796f4e8e7ab407420f25d6241932a988036d9b49db289f5e71346e8e7e93157d3c0305f3d95acf4c901cfd6d2ad2d951701e208457788427dc38319c2
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-syntax-decorators@npm:^7.16.7":
-  version: 7.19.0
-  resolution: "@babel/plugin-syntax-decorators@npm:7.19.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.19.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 105a13d581a8643ba145d4d0d31f34a492b352defa5b155e785702da6ce9c3ff0c1843ba9bee176e35f6e38afa19dc7bd12c120220af0495de4b128f1dd27f6e
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-syntax-decorators@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/plugin-syntax-decorators@npm:7.17.12"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.17.12
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: cdbb7f92e43a85291845e38910aa1bed0c3e489ae2da187b2e9604d1f2769f72b712a5a8b5e45223c7f5856927557bc314e86f7f1832a47405fdf5e492baa164
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-syntax-decorators@npm:^7.22.5":
-  version: 7.22.5
-  resolution: "@babel/plugin-syntax-decorators@npm:7.22.5"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.22.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 643c75a3b603320c499a0542ca97b5cced81e99de02ae9cbfca1a1ec6d938467546a65023b13df742e1b2f94ffe352ddfe908d14b9303fae7514ed9325886a97
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-syntax-dynamic-import@npm:^7.8.3":
-  version: 7.8.3
-  resolution: "@babel/plugin-syntax-dynamic-import@npm:7.8.3"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.8.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: ce307af83cf433d4ec42932329fad25fa73138ab39c7436882ea28742e1c0066626d224e0ad2988724c82644e41601cef607b36194f695cb78a1fcdc959637bd
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-syntax-export-namespace-from@npm:^7.8.3":
-  version: 7.8.3
-  resolution: "@babel/plugin-syntax-export-namespace-from@npm:7.8.3"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.8.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 85740478be5b0de185228e7814451d74ab8ce0a26fcca7613955262a26e99e8e15e9da58f60c754b84515d4c679b590dbd3f2148f0f58025f4ae706f1c5a5d4a
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-syntax-import-assertions@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/plugin-syntax-import-assertions@npm:7.17.12"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.17.12
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: fef25c3247d18dc7b8e432ed07f4afb92d70113fcfc3db0ca52388f8083b4bd60f88fe9ec0085e8a5a6daf18a619042376e76e2b4bd9470cddb7362cd268bea5
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-syntax-json-strings@npm:^7.8.3":
-  version: 7.8.3
-  resolution: "@babel/plugin-syntax-json-strings@npm:7.8.3"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.8.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: bf5aea1f3188c9a507e16efe030efb996853ca3cadd6512c51db7233cc58f3ac89ff8c6bdfb01d30843b161cfe7d321e1bf28da82f7ab8d7e6bc5464666f354a
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-syntax-logical-assignment-operators@npm:^7.10.4":
-  version: 7.10.4
-  resolution: "@babel/plugin-syntax-logical-assignment-operators@npm:7.10.4"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.10.4
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: aff33577037e34e515911255cdbb1fd39efee33658aa00b8a5fd3a4b903585112d037cce1cc9e4632f0487dc554486106b79ccd5ea63a2e00df4363f6d4ff886
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-syntax-nullish-coalescing-operator@npm:^7.8.3":
-  version: 7.8.3
-  resolution: "@babel/plugin-syntax-nullish-coalescing-operator@npm:7.8.3"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.8.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 87aca4918916020d1fedba54c0e232de408df2644a425d153be368313fdde40d96088feed6c4e5ab72aac89be5d07fef2ddf329a15109c5eb65df006bf2580d1
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-syntax-numeric-separator@npm:^7.10.4":
-  version: 7.10.4
-  resolution: "@babel/plugin-syntax-numeric-separator@npm:7.10.4"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.10.4
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 01ec5547bd0497f76cc903ff4d6b02abc8c05f301c88d2622b6d834e33a5651aa7c7a3d80d8d57656a4588f7276eba357f6b7e006482f5b564b7a6488de493a1
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-syntax-object-rest-spread@npm:^7.8.3":
-  version: 7.8.3
-  resolution: "@babel/plugin-syntax-object-rest-spread@npm:7.8.3"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.8.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: fddcf581a57f77e80eb6b981b10658421bc321ba5f0a5b754118c6a92a5448f12a0c336f77b8abf734841e102e5126d69110a306eadb03ca3e1547cab31f5cbf
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-syntax-optional-catch-binding@npm:^7.8.3":
-  version: 7.8.3
-  resolution: "@babel/plugin-syntax-optional-catch-binding@npm:7.8.3"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.8.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 910d90e72bc90ea1ce698e89c1027fed8845212d5ab588e35ef91f13b93143845f94e2539d831dc8d8ededc14ec02f04f7bd6a8179edd43a326c784e7ed7f0b9
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-syntax-optional-chaining@npm:^7.8.3":
-  version: 7.8.3
-  resolution: "@babel/plugin-syntax-optional-chaining@npm:7.8.3"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.8.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: eef94d53a1453361553c1f98b68d17782861a04a392840341bc91780838dd4e695209c783631cf0de14c635758beafb6a3a65399846ffa4386bff90639347f30
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-syntax-private-property-in-object@npm:^7.14.0, @babel/plugin-syntax-private-property-in-object@npm:^7.14.5":
-  version: 7.14.5
-  resolution: "@babel/plugin-syntax-private-property-in-object@npm:7.14.5"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: b317174783e6e96029b743ccff2a67d63d38756876e7e5d0ba53a322e38d9ca452c13354a57de1ad476b4c066dbae699e0ca157441da611117a47af88985ecda
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-syntax-top-level-await@npm:^7.12.13, @babel/plugin-syntax-top-level-await@npm:^7.14.5":
-  version: 7.14.5
-  resolution: "@babel/plugin-syntax-top-level-await@npm:7.14.5"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: bbd1a56b095be7820029b209677b194db9b1d26691fe999856462e66b25b281f031f3dfd91b1619e9dcf95bebe336211833b854d0fb8780d618e35667c2d0d7e
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-syntax-typescript@npm:^7.16.0, @babel/plugin-syntax-typescript@npm:^7.8.3":
-  version: 7.16.0
-  resolution: "@babel/plugin-syntax-typescript@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 2da3bdd031230e515615fe39c50d40064d04f64f1d2b60113adff2c112a27e4f9425425e604297d5c2af2b635e7980f3677e434dfeb1d7320ad2cd1ffc8e8c2a
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-syntax-typescript@npm:^7.18.6":
-  version: 7.18.6
-  resolution: "@babel/plugin-syntax-typescript@npm:7.18.6"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.18.6
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 2cde73725ec51118ebf410bf02d78781c03fa4d3185993fcc9d253b97443381b621c44810084c5dd68b92eb8bdfae0e5b163e91b32bebbb33852383d1815c05d
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-syntax-typescript@npm:^7.2.0":
-  version: 7.12.13
-  resolution: "@babel/plugin-syntax-typescript@npm:7.12.13"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.12.13
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 3bd08315a82c6cd292e95087f4e9635a92a593112f9bd9e5581dd555d8fa102b4871ece7c54d9fa89f9b0cbd6b2829c7118eaa6fb9a09a3c8edb96868446013f
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-arrow-functions@npm:^7.13.0":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-arrow-functions@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: ff647300424968d1cd6c6b015fd72d332042a94c7b08f3e785f32d22364bfad49258a41c53675de08573af98da1a623efa03da13a653f06988f79a9d571f7030
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-arrow-functions@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-arrow-functions@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 2a6aa982c6fc80f4de7ccd973507ce5464fab129987cb6661136a7b9b6a020c2b329b912cbc46a68d39b5a18451ba833dcc8d1ca8d615597fec98624ac2add54
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-arrow-functions@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/plugin-transform-arrow-functions@npm:7.17.12"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.17.12
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 48f99e74f523641696d5d9fb3f5f02497eca2e97bc0e9b8230a47f388e37dc5fd84b8b29e9f5a0c82d63403f7ba5f085a28e26939678f6e917d5c01afd884b50
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-async-to-generator@npm:^7.13.0":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-async-to-generator@npm:7.16.0"
-  dependencies:
-    "@babel/helper-module-imports": ^7.16.0
-    "@babel/helper-plugin-utils": ^7.14.5
-    "@babel/helper-remap-async-to-generator": ^7.16.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 2ebf505f43350d246007d754577477ddb0132c4ab39c9fd420d36ebb6e489b2b3eb48f27fe58f7ad0c742946a1e81e3b150666507abab03fe6bd649ff585ed45
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-async-to-generator@npm:^7.16.8":
-  version: 7.16.8
-  resolution: "@babel/plugin-transform-async-to-generator@npm:7.16.8"
-  dependencies:
-    "@babel/helper-module-imports": ^7.16.7
-    "@babel/helper-plugin-utils": ^7.16.7
-    "@babel/helper-remap-async-to-generator": ^7.16.8
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 3a2e781800e3dea1f526324ed259d1f9064c5ea3c9909c0c22b445d4c648ad489c579f358ae20ada11f7725ba67e0ddeb1e0241efadc734771e87dabd4c6820a
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-async-to-generator@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/plugin-transform-async-to-generator@npm:7.17.12"
-  dependencies:
-    "@babel/helper-module-imports": ^7.16.7
-    "@babel/helper-plugin-utils": ^7.17.12
-    "@babel/helper-remap-async-to-generator": ^7.16.8
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 052dd56eb3b10bc31f5aaced0f75fc7307713f74049ccfb91cd087bebfc890a6d462b59445c5299faaca9030814172cac290c941c76b731a38dcb267377c9187
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-block-scoped-functions@npm:^7.12.13":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-block-scoped-functions@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: f7efc5d8ce9242e11c94c82d9c940d4c534a751ff3679839d2f7d7a300c29ac4c4a3c26c238b5f2828201cac8a848bfb6342c285460f6ce5bc267cbdc1bb070b
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-block-scoped-functions@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-block-scoped-functions@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 591e9f75437bb32ebf9506d28d5c9659c66c0e8e0c19b12924d808d898e68309050aadb783ccd70bb4956555067326ecfa17a402bc77eb3ece3c6863d40b9016
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-block-scoping@npm:^7.12.1":
-  version: 7.13.16
-  resolution: "@babel/plugin-transform-block-scoping@npm:7.13.16"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.13.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: f84f08c95654ca33962405c60f8109095405c3c6a8e126d09e3543675d1363a2ad4712bea1f6f878aee6a9f966dc627a8a5acd4ddf159c69a41b532ab610b324
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-block-scoping@npm:^7.13.16":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-block-scoping@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: e5bcb9eeed7974ee6dd14c360c21ad2465f81342001e5468bbec5db483fffc78bb0e7f84155be6c32588bc0b43a6ca0050c7962400b33d134f6298c31c8073d4
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-block-scoping@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-block-scoping@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: f93b5441af573fc274655f1707aeb4f67a43e926b58f56d89cc35a27877ae0bf198648603cbc19f442579489138f93c3838905895f109aa356996dbc3ed97a68
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-block-scoping@npm:^7.17.12":
-  version: 7.18.4
-  resolution: "@babel/plugin-transform-block-scoping@npm:7.18.4"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.17.12
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 5fdc8fd2f56f43e275353123fa1cda3df475daf1e9d92c03d5aa1ae50d3a0ccabf80c6168356947d8eb8e6e29098c875bc27fda8c7d4fbca6ffc6eec5d5faa8d
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-block-scoping@npm:^7.20.2, @babel/plugin-transform-block-scoping@npm:^7.20.5":
-  version: 7.22.5
-  resolution: "@babel/plugin-transform-block-scoping@npm:7.22.5"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.22.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 26987002cfe6e24544e60fa35f07052b6557f590c1a1cc5cf35d6dc341d7fea163c1222a2d70d5d2692f0b9860d942fd3ba979848b2995d4debffa387b9b19ae
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-classes@npm:^7.13.0":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-classes@npm:7.16.0"
-  dependencies:
-    "@babel/helper-annotate-as-pure": ^7.16.0
-    "@babel/helper-function-name": ^7.16.0
-    "@babel/helper-optimise-call-expression": ^7.16.0
-    "@babel/helper-plugin-utils": ^7.14.5
-    "@babel/helper-replace-supers": ^7.16.0
-    "@babel/helper-split-export-declaration": ^7.16.0
-    globals: ^11.1.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 7db47296045761b3f35a9075b4bcce99ad5aa93714cca235961fa596983ba6cfd4d84b29fa6745e4752bd2a60ac299b0dee3231ce20061b6798ae16a147e4992
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-classes@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-classes@npm:7.16.7"
-  dependencies:
-    "@babel/helper-annotate-as-pure": ^7.16.7
-    "@babel/helper-environment-visitor": ^7.16.7
-    "@babel/helper-function-name": ^7.16.7
-    "@babel/helper-optimise-call-expression": ^7.16.7
-    "@babel/helper-plugin-utils": ^7.16.7
-    "@babel/helper-replace-supers": ^7.16.7
-    "@babel/helper-split-export-declaration": ^7.16.7
-    globals: ^11.1.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 791526a1bf3c4659b94d619536e3181d3ad54887d50539066628c6e695789a3bb264dc1fbc8540169d62a222f623df54defb490c1811ae63bad1e3557d6b3bb0
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-classes@npm:^7.17.12":
-  version: 7.18.4
-  resolution: "@babel/plugin-transform-classes@npm:7.18.4"
-  dependencies:
-    "@babel/helper-annotate-as-pure": ^7.16.7
-    "@babel/helper-environment-visitor": ^7.18.2
-    "@babel/helper-function-name": ^7.17.9
-    "@babel/helper-optimise-call-expression": ^7.16.7
-    "@babel/helper-plugin-utils": ^7.17.12
-    "@babel/helper-replace-supers": ^7.18.2
-    "@babel/helper-split-export-declaration": ^7.16.7
-    globals: ^11.1.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 968711024c2ed1c08ced754243edde3a663ab40c414ca6fcad1a75f27789f3f52cc78fbafe21c6337c4c6a0dfbeddd1527caff1558ed477790b600a1e6f99cda
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-computed-properties@npm:^7.13.0":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-computed-properties@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 0f86de419cf5daf28b01c5b2feafa426e5b0ec776290e731de3d7a6ec4ec742400e13436d67292e500ecd50e21ddab9ae34da79357a85a443d30dc94f2a4f6a3
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-computed-properties@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-computed-properties@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 28b17f7cfe643f45920b76dc040cab40d4e54eccf5074fba2658c484feacda9b4885b3854ffaf26292189783fdecc97211519c61831b6708fcbf739cfbcbf31c
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-computed-properties@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/plugin-transform-computed-properties@npm:7.17.12"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.17.12
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 5d05418617e0967bec4818556b7febb6f8c40813e32035f0bd6b7dbd7b9d63e9ab7c7c8fd7bd05bab2a599dad58e7b69957d9559b41079d112c219bbc3649aa1
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-destructuring@npm:^7.13.17":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-destructuring@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 0a499c9abd6b50d4da6a3c8416e3cdf305f8002fddb3bd9ddd0774ba17ab1b10134f79fe8edc495c94344e5ab387626fb0ee124d31810758968a92d573ff9034
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-destructuring@npm:^7.16.7":
-  version: 7.17.7
-  resolution: "@babel/plugin-transform-destructuring@npm:7.17.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 767ecf6640fea9a06a4859f0c34daa30ac7d146a96476caa1f77081d5b6e43699f45e14acd52682078f2b7c230ff0814312b41f61b21ca2b5f9c5a2cc93c2b58
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-destructuring@npm:^7.18.0":
-  version: 7.18.0
-  resolution: "@babel/plugin-transform-destructuring@npm:7.18.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.17.12
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: d85d60737c3b05c4db71bc94270e952122d360bd6ebf91b5f98cf16fb8564558b615d115354fe0ef41e2aae9c4540e6e16144284d881ecaef687693736cd2a79
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-dotall-regex@npm:^7.12.13, @babel/plugin-transform-dotall-regex@npm:^7.4.4":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-dotall-regex@npm:7.16.0"
-  dependencies:
-    "@babel/helper-create-regexp-features-plugin": ^7.16.0
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: c1f381f0d44a1b33714a68ffd60f2b9efac1be95caf3c21192cc8233afde2fae1da268e26b3cb40764736f090793b66946574c3310cfdd4906a7e72310239ff9
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-dotall-regex@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-dotall-regex@npm:7.16.7"
-  dependencies:
-    "@babel/helper-create-regexp-features-plugin": ^7.16.7
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 554570dddfd5bfd87ab307be520f69a3d4ed2d2db677c165971b400d4c96656d0c165b318e69f1735612dcd12e04c0ee257697dc26800e8a572ca73bc05fa0f4
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-duplicate-keys@npm:^7.12.13":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-duplicate-keys@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 66f09487fdf737aa280c780a609bafc9a771b34b5f9a8dccf69752c22110893763f6c105062776f084ed872a55d1656b3f14e2a9c2031f3dbdf31da20d9c827b
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-duplicate-keys@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-duplicate-keys@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: b96f6e9f7b33a91ad0eb6b793e4da58b7a0108b58269109f391d57078d26e043b3872c95429b491894ae6400e72e44d9b744c9b112b8433c99e6969b767e30ed
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-duplicate-keys@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/plugin-transform-duplicate-keys@npm:7.17.12"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.17.12
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: fb6ad550538830b0dc5b1b547734359f2d782209570e9d61fe9b84a6929af570fcc38ab579a67ee7cd6a832147db91a527f4cceb1248974f006fe815980816bb
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-exponentiation-operator@npm:^7.12.13":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-exponentiation-operator@npm:7.16.0"
-  dependencies:
-    "@babel/helper-builder-binary-assignment-operator-visitor": ^7.16.0
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 22e1d4804a5fc522744a1cc13e2c35c5d81c2e303a634822fee59829477b3748dcf897a020c3083084350ab1d3b76752157b216971157763394021e2f2184094
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-exponentiation-operator@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-exponentiation-operator@npm:7.16.7"
-  dependencies:
-    "@babel/helper-builder-binary-assignment-operator-visitor": ^7.16.7
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 8082c79268f5b1552292bd3abbfed838a1131747e62000146e70670707b518602e907bbe3aef0fda824a2eebe995a9d897bd2336a039c5391743df01608673b0
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-for-of@npm:^7.13.0":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-for-of@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 504d967b30b00d3e1a2784f6a215963fc0036871f8fd6ca61e41e67cdb3319511e9148164428144469416b35b0e02c896c144402ace7cd7a6c45b0d1e8746ae6
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-for-of@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-for-of@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 35c9264ee4bef814818123d70afe8b2f0a85753a0a9dc7b73f93a71cadc5d7de852f1a3e300a7c69a491705805704611de1e2ccceb5686f7828d6bca2e5a7306
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-for-of@npm:^7.18.1":
-  version: 7.18.1
-  resolution: "@babel/plugin-transform-for-of@npm:7.18.1"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.17.12
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: cdc6e1f1170218cc6ac5b26b4b8f011ec5c36666101e00e0061aaa5772969b093bad5b2af8ce908c184126d5bb0c26b89dd4debb96b2375aba2e20e427a623a8
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-function-name@npm:^7.12.13":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-function-name@npm:7.16.0"
-  dependencies:
-    "@babel/helper-function-name": ^7.16.0
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 289f4fce26e8b3a81fcae752cecdb78b363eb29e400aa4dc8318484156d908ddc6dd5b274b8fbcdb80ea59a362834554c4a5d3454e974957dbd2b30c3d00ad3f
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-function-name@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-function-name@npm:7.16.7"
-  dependencies:
-    "@babel/helper-compilation-targets": ^7.16.7
-    "@babel/helper-function-name": ^7.16.7
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 4d97d0b84461cdd5d5aa2d010cdaf30f1f83a92a0dedd3686cbc7e90dc1249a70246f5bac0c1f3cd3f1dbfb03f7aac437776525a0c90cafd459776ea4fcc6bde
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-literals@npm:^7.12.13":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-literals@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 7291771c7626a27684053ceefc4e2e3e480a6ceab9f3c8abbdd9c90fcea63f035ace397e53bfc4b7311b835f7c79449be03226affa69e2e2a96c14b6da4d5db9
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-literals@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-literals@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: a9565d999fc7a72a391ef843cf66028c38ca858537c7014d9ea8ea587a59e5f952d9754bdcca6ca0446e84653e297d417d4faedccb9e4221af1aa30f25d918e0
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-literals@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/plugin-transform-literals@npm:7.17.12"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.17.12
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 09280fc1ed23b81deafd4fcd7a35d6c0944668de2317f14c1b8b78c5c201f71a063bb8d174d2fc97d86df480ff23104c8919d3aacf19f33c2b5ada584203bf1c
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-member-expression-literals@npm:^7.12.13":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-member-expression-literals@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: d5ed6cf840b9fd8b88f719dea46dc26a1778f10aeab6878b3eabf2350cfa813bfeff09d91c6afc93dd3536a48bc892a0afcf9f99f3bad6b54b41638f3ae80fa9
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-member-expression-literals@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-member-expression-literals@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: fdf5b22abab2b770e69348ce7f99796c3e0e1e7ce266afdbe995924284704930fa989323bdbda7070db8adb45a72f39eaa1dbebf18b67fc44035ec00c6ae3300
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-modules-amd@npm:^7.13.0, @babel/plugin-transform-modules-amd@npm:^7.14.0":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-modules-amd@npm:7.16.0"
-  dependencies:
-    "@babel/helper-module-transforms": ^7.16.0
-    "@babel/helper-plugin-utils": ^7.14.5
-    babel-plugin-dynamic-import-node: ^2.3.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: c37ccb8cd7a301123fb5590712d957bf9f82bb0d89a83441b570a9f9793af76b99449c93f1079ad187fb598a5eeb5571561ff4d71af9192c7d6e407a464d6aff
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-modules-amd@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-modules-amd@npm:7.16.7"
-  dependencies:
-    "@babel/helper-module-transforms": ^7.16.7
-    "@babel/helper-plugin-utils": ^7.16.7
-    babel-plugin-dynamic-import-node: ^2.3.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 9ac251ee96183b10cf9b4ec8f9e8d52e14ec186a56103f6c07d0c69e99faa60391f6bac67da733412975e487bd36adb403e2fc99bae6b785bf1413e9d928bc71
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-modules-amd@npm:^7.18.0":
-  version: 7.18.0
-  resolution: "@babel/plugin-transform-modules-amd@npm:7.18.0"
-  dependencies:
-    "@babel/helper-module-transforms": ^7.18.0
-    "@babel/helper-plugin-utils": ^7.17.12
-    babel-plugin-dynamic-import-node: ^2.3.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: bed3ff5cd81f236981360fc4a6fd2262685c1202772c657ce3ab95b7930437f8fa22361021b481c977b6f47988dfcc07c7782a1c91b90d3a5552c91401f4631a
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-modules-amd@npm:^7.20.11":
-  version: 7.22.5
-  resolution: "@babel/plugin-transform-modules-amd@npm:7.22.5"
-  dependencies:
-    "@babel/helper-module-transforms": ^7.22.5
-    "@babel/helper-plugin-utils": ^7.22.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 7da4c4ebbbcf7d182abb59b2046b22d86eee340caf8a22a39ef6a727da2d8acfec1f714fcdcd5054110b280e4934f735e80a6848d192b6834c5d4459a014f04d
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-modules-commonjs@npm:^7.14.0":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-modules-commonjs@npm:7.16.0"
-  dependencies:
-    "@babel/helper-module-transforms": ^7.16.0
-    "@babel/helper-plugin-utils": ^7.14.5
-    "@babel/helper-simple-access": ^7.16.0
-    babel-plugin-dynamic-import-node: ^2.3.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: a7e43670f503b31d6ad42977ddefb7bffc23f700a24252859652aa03efd666698567b0817060dd6f84a6cd23e7aac7464bc0dc7f7f929cad212263abcac9d470
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-modules-commonjs@npm:^7.16.8":
-  version: 7.17.7
-  resolution: "@babel/plugin-transform-modules-commonjs@npm:7.17.7"
-  dependencies:
-    "@babel/helper-module-transforms": ^7.17.7
-    "@babel/helper-plugin-utils": ^7.16.7
-    "@babel/helper-simple-access": ^7.17.7
-    babel-plugin-dynamic-import-node: ^2.3.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: d84385d89465f8241cbeed8069dc54fb15ee0465119a3326c65ee93ce93019b7a9953b23e22a67203aa2ebf81ac444eadf6d37912d453ec7ba2dce9872bb6490
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-modules-commonjs@npm:^7.18.2":
-  version: 7.18.2
-  resolution: "@babel/plugin-transform-modules-commonjs@npm:7.18.2"
-  dependencies:
-    "@babel/helper-module-transforms": ^7.18.0
-    "@babel/helper-plugin-utils": ^7.17.12
-    "@babel/helper-simple-access": ^7.18.2
-    babel-plugin-dynamic-import-node: ^2.3.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 99c1c5ce9c353e29eb680ebb5bdf27c076c6403e133a066999298de642423cc7f38cfbac02372d33ed73278da13be23c4be7d60169c3e27bd900a373e61a599a
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-modules-systemjs@npm:^7.13.8":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-modules-systemjs@npm:7.16.0"
-  dependencies:
-    "@babel/helper-hoist-variables": ^7.16.0
-    "@babel/helper-module-transforms": ^7.16.0
-    "@babel/helper-plugin-utils": ^7.14.5
-    "@babel/helper-validator-identifier": ^7.15.7
-    babel-plugin-dynamic-import-node: ^2.3.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 4aa9bd45a4c1f79a4abd92482b4f9ac6492b5e727ee34316c80a30b6524281d39959a2d556b231eae4b1031f35e0133e60270f9e4bfa5f25a8cb68ef145dfcd2
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-modules-systemjs@npm:^7.16.7":
-  version: 7.17.8
-  resolution: "@babel/plugin-transform-modules-systemjs@npm:7.17.8"
-  dependencies:
-    "@babel/helper-hoist-variables": ^7.16.7
-    "@babel/helper-module-transforms": ^7.17.7
-    "@babel/helper-plugin-utils": ^7.16.7
-    "@babel/helper-validator-identifier": ^7.16.7
-    babel-plugin-dynamic-import-node: ^2.3.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 058c0e7987aab64c4019bc9eab3f80c5dd05bec737e230e5c60e9222dfb3d01b2dfa3aa1db6cbb75a4095c40af3bba2e3a60170b1570a158d3e781376569ce49
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-modules-systemjs@npm:^7.18.0":
-  version: 7.18.4
-  resolution: "@babel/plugin-transform-modules-systemjs@npm:7.18.4"
-  dependencies:
-    "@babel/helper-hoist-variables": ^7.16.7
-    "@babel/helper-module-transforms": ^7.18.0
-    "@babel/helper-plugin-utils": ^7.17.12
-    "@babel/helper-validator-identifier": ^7.16.7
-    babel-plugin-dynamic-import-node: ^2.3.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: abe6948a1548b20055bf1c56ceab5b17dc283e7cdbcc0525b297b726f0785f1169333b5e685add81337fc749588adb8d96ccba9269565031db006a710e7eaf02
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-modules-umd@npm:^7.14.0":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-modules-umd@npm:7.16.0"
-  dependencies:
-    "@babel/helper-module-transforms": ^7.16.0
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: b07d41eae3a1163fdb2dca4bffb0de880981e6581163948a88b7665709e860612932f5a73e54d70057e834d3968e3b5f86222f1d302c9e1d34d95a764584af54
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-modules-umd@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-modules-umd@npm:7.16.7"
-  dependencies:
-    "@babel/helper-module-transforms": ^7.16.7
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: d1433f8b0e0b3c9f892aa530f08fe3ba653a5e51fe1ed6034ac7d45d4d6f22c3ba99186b72e41ad9ce5d8dcf964104c3da2419f15fcdcf5ba05c5fda3ea2cefc
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-modules-umd@npm:^7.18.0":
-  version: 7.18.0
-  resolution: "@babel/plugin-transform-modules-umd@npm:7.18.0"
-  dependencies:
-    "@babel/helper-module-transforms": ^7.18.0
-    "@babel/helper-plugin-utils": ^7.17.12
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 4081a79cfd4c6fda785c2137f9f2721e35c06a9d2f23c304172838d12e9317a24d3cb5b652a9db61e58319b370c57b1b44991429efe709679f98e114d98597fb
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-named-capturing-groups-regex@npm:^7.12.13":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-named-capturing-groups-regex@npm:7.16.0"
-  dependencies:
-    "@babel/helper-create-regexp-features-plugin": ^7.16.0
-  peerDependencies:
-    "@babel/core": ^7.0.0
-  checksum: 758a87aca66ea7944c5f94ed7a798220c3b2986da4c38dc3f63221065ec96534bf39b3b043dd9759dbdff4026d340bbe51082d5ad4505c19b08893663130675b
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-named-capturing-groups-regex@npm:^7.16.8":
-  version: 7.16.8
-  resolution: "@babel/plugin-transform-named-capturing-groups-regex@npm:7.16.8"
-  dependencies:
-    "@babel/helper-create-regexp-features-plugin": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0
-  checksum: 73e149f5ff690f5b8e3764a881e8e5240f12f394256e7d5217705d0cbeae074c3faff394783190fe1a41f9fc5a53b960b6021158b7e5174391b5fc38f4ba047a
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-named-capturing-groups-regex@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/plugin-transform-named-capturing-groups-regex@npm:7.17.12"
-  dependencies:
-    "@babel/helper-create-regexp-features-plugin": ^7.17.12
-    "@babel/helper-plugin-utils": ^7.17.12
-  peerDependencies:
-    "@babel/core": ^7.0.0
-  checksum: cff9d91d0abd87871da6574583e79093ed75d5faecea45b6a13350ba243b1a595d349a6e7d906f5dfdf6c69c643cba9df662c3d01eaa187c5b1a01cb5838e848
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-new-target@npm:^7.12.13":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-new-target@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: c741ba3e84c182f1af3174cb7f00c4e434080ff882e72c7b2743d1d636eebcf12c865772be051a323c823bd4ebdfbae19cb78e95218d6b14c338f27a64608e31
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-new-target@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-new-target@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 7410c3e68abc835f87a98d40269e65fb1a05c131decbb6721a80ed49a01bd0c53abb6b8f7f52d5055815509022790e1accca32e975c02f2231ac3cf13d8af768
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-new-target@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/plugin-transform-new-target@npm:7.17.12"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.17.12
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: bec26350fa49c9a9431d23b4ff234f8eb60554b8cdffca432a94038406aae5701014f343568c0e0cc8afae6f95d492f6bae0d0e2c101c1a484fb20eec75b2c07
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-object-super@npm:^7.12.13":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-object-super@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-    "@babel/helper-replace-supers": ^7.16.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: b6ed0a8f5a1231b4dadb5edb2cef8fba7957cbad943c0018002719d066fda93b805da961e42b38d625e43e7c79f5c07d5719d6d63f9cf178501882a4aa5d30da
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-object-super@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-object-super@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-    "@babel/helper-replace-supers": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 46e3c879f4a93e904f2ecf83233d40c48c832bdbd82a67cab1f432db9aa51702e40d9e51e5800613e12299974f90f4ed3869e1273dbca8642984266320c5f341
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-parameters@npm:^7.13.0, @babel/plugin-transform-parameters@npm:^7.16.0":
-  version: 7.16.3
-  resolution: "@babel/plugin-transform-parameters@npm:7.16.3"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 7c0154fa66f03f69f6767adc01e72ef00d50cae8eb87c65506adccccc1cf776730ecbb96a5de0127910554cc0e86e375bc437fa085f619783d368936736a4f58
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-parameters@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-parameters@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 4d6904376db82d0b35f0a6cce08f630daf8608d94e903d6c7aff5bd742b251651bd1f88cdf9f16cad98aba5fc7c61da8635199364865fad6367d5ae37cf56cc1
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-parameters@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/plugin-transform-parameters@npm:7.17.12"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.17.12
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: d9ed5ec61dc460835bade8fa710b42ec9f207bd448ead7e8abd46b87db0afedbb3f51284700fd2a6892fdf6544ec9b949c505c6542c5ba0a41ca4e8749af00f0
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-property-literals@npm:^7.12.13":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-property-literals@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: e9eb9355db4cf18dc82879174fc2de6590521afea04f1c80c5805d3f759bfa25946bcac1095b5fe0e4ad3f5eb330cd7e308467626a0212f07b9f41b9f00affa8
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-property-literals@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-property-literals@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: b5674458991a9b0e8738989d70faa88c7f98ed3df923c119f1225069eed72fe5e0ce947b1adc91e378f5822fbdeb7a672f496fd1c75c4babcc88169e3a7c3229
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-regenerator@npm:^7.13.15":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-regenerator@npm:7.16.0"
-  dependencies:
-    regenerator-transform: ^0.14.2
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 32b1b43f8d55d9e78e87bbc6a19b0bb0ff968220e215e9a3984c0de140048c54c62cf46889bee16f987221eab112909318de391426df33cdbe3fd710480068f7
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-regenerator@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-regenerator@npm:7.16.7"
-  dependencies:
-    regenerator-transform: ^0.14.2
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 12b1f9a4f324027af69f49522fbe7feea2ac53285ca5c7e27a70de09f56c74938bfda8b09ac06e57fa1207e441f00efb7adbc462afc9be5e8abd0c2a07715e01
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-regenerator@npm:^7.18.0":
-  version: 7.18.0
-  resolution: "@babel/plugin-transform-regenerator@npm:7.18.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.17.12
-    regenerator-transform: ^0.15.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: ebacf2bbe9e2fb6f2bd7996e19b41bfc9848628950ae06a1a832802a0b8e32a32003c6b89318da6ca521f79045c91324dcb4c97247ed56f86fa58d7401a7316f
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-reserved-words@npm:^7.12.13":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-reserved-words@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 7a8288cfe2375e43579d3786d5f6654b36d8344b1be3df4fbafe81ae49bf634f85f68fe5a1a280f56aa7d626deaaa6ba89e586422b3d8b13f7d4b0e0617362d6
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-reserved-words@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-reserved-words@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 00218a646e99a97c1f10b77c41c178ca1b91d0e6cf18dd4ca3c59b8a5ad721db04ef508f49be4cd0dcca7742490dbb145307b706a2dbea1917d5e5f7ba2f31b7
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-reserved-words@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/plugin-transform-reserved-words@npm:7.17.12"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.17.12
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: d8a617cb79ca5852ac2736a9f81c15a3b0760919720c3b9069a864e2288006ebcaab557dbb36a3eba936defd6699f82e3bf894915925aa9185f5d9bcbf3b29fd
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-runtime@npm:^7.12.1":
-  version: 7.13.15
-  resolution: "@babel/plugin-transform-runtime@npm:7.13.15"
-  dependencies:
-    "@babel/helper-module-imports": ^7.13.12
-    "@babel/helper-plugin-utils": ^7.13.0
-    babel-plugin-polyfill-corejs2: ^0.2.0
-    babel-plugin-polyfill-corejs3: ^0.2.0
-    babel-plugin-polyfill-regenerator: ^0.2.0
-    semver: ^6.3.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: d52bda711815a82674e390b8ef4887dbf8116eb66eca3c23b3ae4b3ed37022a09b80aed86b44d2a3399b281d8ca341329293e12d6f4aea9991459434537131ba
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-runtime@npm:^7.13.9":
-  version: 7.16.4
-  resolution: "@babel/plugin-transform-runtime@npm:7.16.4"
-  dependencies:
-    "@babel/helper-module-imports": ^7.16.0
-    "@babel/helper-plugin-utils": ^7.14.5
-    babel-plugin-polyfill-corejs2: ^0.3.0
-    babel-plugin-polyfill-corejs3: ^0.4.0
-    babel-plugin-polyfill-regenerator: ^0.3.0
-    semver: ^6.3.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 3586fb1035a8233162c0dfb28f3466c3129b430bd351d7271894dc7dc29956cc2e6e348f5e21ae91f8b59ceddce02b32140e4bb629fdbbacad2ab04f6cec2ff5
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-shorthand-properties@npm:^7.12.13":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-shorthand-properties@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 7ae0f218aaccd2f7e8b0027c558fbbc291f7df7c83749826075776de780d1ac421f9056c760c5eb2e486b7b1983a41cd8dc00589504904b833c810fdb80b3868
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-shorthand-properties@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-shorthand-properties@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: ca381ecf8f48696512172deca40af46b1f64e3497186fdc2c9009286d8f06b468c4d61cdc392dc8b0c165298117dda67be9e2ff0e99d7691b0503f1240d4c62b
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-spread@npm:^7.13.0":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-spread@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-    "@babel/helper-skip-transparent-expression-wrappers": ^7.16.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: c295ef5e329fc31bd78e0aac3d6d848475a26e40cffff207dfd450416a25478bedb03402a0cc569bc5b7d3e92c22bff8a7cf76f1a9d896070e3cdeae1aee0316
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-spread@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-spread@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-    "@babel/helper-skip-transparent-expression-wrappers": ^7.16.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 6e961af1a70586bb72dd85e8296cee857c5dadd73225fccd0fe261c0d98652a82d69c65f3e9dc31ce019a12e9677262678479b96bd2d9140ddf6514618362828
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-spread@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/plugin-transform-spread@npm:7.17.12"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.17.12
-    "@babel/helper-skip-transparent-expression-wrappers": ^7.16.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 3a95e4f163d598c0efc9d983e5ce3e8716998dd2af62af8102b11cb8d6383c71b74c7106adbce73cda6e48d3d3e927627847d36d76c2eb688cd0e2e07f67fb51
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-sticky-regex@npm:^7.12.13":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-sticky-regex@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 80c7ccb797e4d31f112ace4614e8259ad0707eab3ed1c5a900ac0799dc23fded8bad57142ceb29222d6f0645f7b0d6a74fa133c945b8611d5db137b13ee68882
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-sticky-regex@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-sticky-regex@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: d59e20121ff0a483e29364eff8bb42cd8a0b7a3158141eea5b6f219227e5b873ea70f317f65037c0f557887a692ac993b72f99641a37ea6ec0ae8000bfab1343
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-template-literals@npm:^7.13.0":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-template-literals@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 230638ee56bbe8c4237d2c3366d700eca1f66f93c37935f6d775f699c5d2593e3f176e81010cfb2d46f89e340c6c042649263c3b913ce269182fadfb4db01369
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-template-literals@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-template-literals@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: b55a519dd8b957247ebad3cab21918af5adca4f6e6c87819501cfe3d4d4bccda25bc296c7dfc8a30909b4ad905902aeb9d55ad955cb9f5cbc74b42dab32baa18
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-template-literals@npm:^7.18.2":
-  version: 7.18.2
-  resolution: "@babel/plugin-transform-template-literals@npm:7.18.2"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.17.12
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: bc0102ed8c789e5bc01053088e2de85b82cebcd4d57af9fdc32ca62f559d3dd19c33e9d26caa71c5fd8e94152e5ce4fc4da19badc2d537620e6dea83bce7eb05
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-typeof-symbol@npm:^7.12.13":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-typeof-symbol@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 60e91d57b3e5a5ca02cebbf9f6dacd06e8a3b7c92c54fd60616f01ac1c79b3ec5fd2e8c5fa5c86ffcd9da6fa811e6de8dc7602cf1e05da17def0ea06f1e8548e
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-typeof-symbol@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-typeof-symbol@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 739a8c439dacbd9af62cfbfa0a7cbc3f220849e5fc774e5ef708a09186689a724c41a1d11323e7d36588d24f5481c8b702c86ff7be8da2e2fed69bed0175f625
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-typeof-symbol@npm:^7.17.12":
-  version: 7.17.12
-  resolution: "@babel/plugin-transform-typeof-symbol@npm:7.17.12"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.17.12
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: e30bd03c8abc1b095f8b2a10289df6850e3bc3cd0aea1cbc29050aa3b421cbb77d0428b0cd012333632a7a930dc8301cd888e762b2dd601e7dc5dac50f4140c9
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-typescript@npm:^7.13.0":
-  version: 7.16.1
-  resolution: "@babel/plugin-transform-typescript@npm:7.16.1"
-  dependencies:
-    "@babel/helper-create-class-features-plugin": ^7.16.0
-    "@babel/helper-plugin-utils": ^7.14.5
-    "@babel/plugin-syntax-typescript": ^7.16.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 1b1efe62e8de828d52b996429718663705cbefb9a7382d2849725b6318051fcbe9671e9e8f761a94fddf46ea159810c97d1b6282c644f69c98ebf5d4d2687ef6
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-typescript@npm:^7.16.8":
-  version: 7.19.0
-  resolution: "@babel/plugin-transform-typescript@npm:7.19.0"
-  dependencies:
-    "@babel/helper-create-class-features-plugin": ^7.19.0
-    "@babel/helper-plugin-utils": ^7.19.0
-    "@babel/plugin-syntax-typescript": ^7.18.6
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: d5ed076c1cd7a41efe0da7d9afdcb6281db574b4307243b9f0f96ae255d9efdca47b4aeed5c306d1ad296e683498965c01ecaa147217559e01eceadc350ca4c2
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-typescript@npm:~7.4.0":
-  version: 7.4.5
-  resolution: "@babel/plugin-transform-typescript@npm:7.4.5"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.0.0
-    "@babel/plugin-syntax-typescript": ^7.2.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 2c3aadfba8db8726a1e0c5341578e65ab8a2d46c79844509ccc74bff1c8eaa4943e94f458e4f006a7d21a2ea93025ae3629bdeb9858c7b53967b9f7aee154543
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-typescript@npm:~7.5.0":
-  version: 7.5.5
-  resolution: "@babel/plugin-transform-typescript@npm:7.5.5"
-  dependencies:
-    "@babel/helper-create-class-features-plugin": ^7.5.5
-    "@babel/helper-plugin-utils": ^7.0.0
-    "@babel/plugin-syntax-typescript": ^7.2.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: a7a60f461e41db07dd04728c18b1ee9d5ba889f3666f8e209437b4007c2c02fe556ea03c70550077206ca3ac3f70f8da76d0f6a62eed1a9466249a5a1a316a81
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-typescript@npm:~7.8.0":
-  version: 7.8.7
-  resolution: "@babel/plugin-transform-typescript@npm:7.8.7"
-  dependencies:
-    "@babel/helper-create-class-features-plugin": ^7.8.3
-    "@babel/helper-plugin-utils": ^7.8.3
-    "@babel/plugin-syntax-typescript": ^7.8.3
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: a6a0a85e79acd154573fddaa589da053109f334413c2bcc2fcac03b77385c174070b0ddcbe4d3086676b4ad7a9e4fb3ea27a499635e9472e244ccbef43d1ea08
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-unicode-escapes@npm:^7.12.13":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-unicode-escapes@npm:7.16.0"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 63ac80d6b7592a7a038cde0b7b8fd7fc8f478de107543fb20c0ee47e00c5cd4c12be936501f55e2fd9370056603d9c4e4c57cdf335674837475865f80b4ae734
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-unicode-escapes@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-unicode-escapes@npm:7.16.7"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: d10c3b5baa697ca2d9ecce2fd7705014d7e1ddd86ed684ccec378f7ad4d609ab970b5546d6cdbe242089ecfc7a79009d248cf4f8ee87d629485acfb20c0d9160
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-unicode-regex@npm:^7.12.13":
-  version: 7.16.0
-  resolution: "@babel/plugin-transform-unicode-regex@npm:7.16.0"
-  dependencies:
-    "@babel/helper-create-regexp-features-plugin": ^7.16.0
-    "@babel/helper-plugin-utils": ^7.14.5
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 61e498425fb44951067e1d17cd66e97777a340118c06943cee9d1032a8bfec661f262738a9b2a00a498b0ad5ba56551ea81e76f0d6afe46c0301abc3a86bee22
-  languageName: node
-  linkType: hard
-
-"@babel/plugin-transform-unicode-regex@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/plugin-transform-unicode-regex@npm:7.16.7"
-  dependencies:
-    "@babel/helper-create-regexp-features-plugin": ^7.16.7
-    "@babel/helper-plugin-utils": ^7.16.7
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: ef7721cfb11b269809555b1c392732566c49f6ced58e0e990c0e81e58a934bbab3072dcbe92d3a20d60e3e41036ecf987bcc63a7cde90711a350ad774667e5e6
-  languageName: node
-  linkType: hard
-
-"@babel/polyfill@npm:^7.11.5":
-  version: 7.12.1
-  resolution: "@babel/polyfill@npm:7.12.1"
-  dependencies:
-    core-js: ^2.6.5
-    regenerator-runtime: ^0.13.4
-  checksum: 3f59a9d85a41b390b044a1be13e11ae6d8efbfcf4e07217964585c7cef337b828eecfc5e164083227189146d2b6efc1affae8f59c831438eb40b848ab6fe5f39
-  languageName: node
-  linkType: hard
-
-"@babel/preset-env@npm:^7.10.2":
-  version: 7.14.0
-  resolution: "@babel/preset-env@npm:7.14.0"
-  dependencies:
-    "@babel/compat-data": ^7.14.0
-    "@babel/helper-compilation-targets": ^7.13.16
-    "@babel/helper-plugin-utils": ^7.13.0
-    "@babel/helper-validator-option": ^7.12.17
-    "@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining": ^7.13.12
-    "@babel/plugin-proposal-async-generator-functions": ^7.13.15
-    "@babel/plugin-proposal-class-properties": ^7.13.0
-    "@babel/plugin-proposal-class-static-block": ^7.13.11
-    "@babel/plugin-proposal-dynamic-import": ^7.13.8
-    "@babel/plugin-proposal-export-namespace-from": ^7.12.13
-    "@babel/plugin-proposal-json-strings": ^7.13.8
-    "@babel/plugin-proposal-logical-assignment-operators": ^7.13.8
-    "@babel/plugin-proposal-nullish-coalescing-operator": ^7.13.8
-    "@babel/plugin-proposal-numeric-separator": ^7.12.13
-    "@babel/plugin-proposal-object-rest-spread": ^7.13.8
-    "@babel/plugin-proposal-optional-catch-binding": ^7.13.8
-    "@babel/plugin-proposal-optional-chaining": ^7.13.12
-    "@babel/plugin-proposal-private-methods": ^7.13.0
-    "@babel/plugin-proposal-private-property-in-object": ^7.14.0
-    "@babel/plugin-proposal-unicode-property-regex": ^7.12.13
-    "@babel/plugin-syntax-async-generators": ^7.8.4
-    "@babel/plugin-syntax-class-properties": ^7.12.13
-    "@babel/plugin-syntax-class-static-block": ^7.12.13
-    "@babel/plugin-syntax-dynamic-import": ^7.8.3
-    "@babel/plugin-syntax-export-namespace-from": ^7.8.3
-    "@babel/plugin-syntax-json-strings": ^7.8.3
-    "@babel/plugin-syntax-logical-assignment-operators": ^7.10.4
-    "@babel/plugin-syntax-nullish-coalescing-operator": ^7.8.3
-    "@babel/plugin-syntax-numeric-separator": ^7.10.4
-    "@babel/plugin-syntax-object-rest-spread": ^7.8.3
-    "@babel/plugin-syntax-optional-catch-binding": ^7.8.3
-    "@babel/plugin-syntax-optional-chaining": ^7.8.3
-    "@babel/plugin-syntax-private-property-in-object": ^7.14.0
-    "@babel/plugin-syntax-top-level-await": ^7.12.13
-    "@babel/plugin-transform-arrow-functions": ^7.13.0
-    "@babel/plugin-transform-async-to-generator": ^7.13.0
-    "@babel/plugin-transform-block-scoped-functions": ^7.12.13
-    "@babel/plugin-transform-block-scoping": ^7.13.16
-    "@babel/plugin-transform-classes": ^7.13.0
-    "@babel/plugin-transform-computed-properties": ^7.13.0
-    "@babel/plugin-transform-destructuring": ^7.13.17
-    "@babel/plugin-transform-dotall-regex": ^7.12.13
-    "@babel/plugin-transform-duplicate-keys": ^7.12.13
-    "@babel/plugin-transform-exponentiation-operator": ^7.12.13
-    "@babel/plugin-transform-for-of": ^7.13.0
-    "@babel/plugin-transform-function-name": ^7.12.13
-    "@babel/plugin-transform-literals": ^7.12.13
-    "@babel/plugin-transform-member-expression-literals": ^7.12.13
-    "@babel/plugin-transform-modules-amd": ^7.14.0
-    "@babel/plugin-transform-modules-commonjs": ^7.14.0
-    "@babel/plugin-transform-modules-systemjs": ^7.13.8
-    "@babel/plugin-transform-modules-umd": ^7.14.0
-    "@babel/plugin-transform-named-capturing-groups-regex": ^7.12.13
-    "@babel/plugin-transform-new-target": ^7.12.13
-    "@babel/plugin-transform-object-super": ^7.12.13
-    "@babel/plugin-transform-parameters": ^7.13.0
-    "@babel/plugin-transform-property-literals": ^7.12.13
-    "@babel/plugin-transform-regenerator": ^7.13.15
-    "@babel/plugin-transform-reserved-words": ^7.12.13
-    "@babel/plugin-transform-shorthand-properties": ^7.12.13
-    "@babel/plugin-transform-spread": ^7.13.0
-    "@babel/plugin-transform-sticky-regex": ^7.12.13
-    "@babel/plugin-transform-template-literals": ^7.13.0
-    "@babel/plugin-transform-typeof-symbol": ^7.12.13
-    "@babel/plugin-transform-unicode-escapes": ^7.12.13
-    "@babel/plugin-transform-unicode-regex": ^7.12.13
-    "@babel/preset-modules": ^0.1.4
-    "@babel/types": ^7.14.0
-    babel-plugin-polyfill-corejs2: ^0.2.0
-    babel-plugin-polyfill-corejs3: ^0.2.0
-    babel-plugin-polyfill-regenerator: ^0.2.0
-    core-js-compat: ^3.9.0
-    semver: ^6.3.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: e62fa4196bed7f8fb2248b3a5309314c5411214c61e4e28a2dc00cd91fc2c83c8e5110e928e7ee55d4a5833476fe50ac4fc65b63d6e47e6bde3ca26b39b2ddbd
-  languageName: node
-  linkType: hard
-
-"@babel/preset-env@npm:^7.16.5":
-  version: 7.16.11
-  resolution: "@babel/preset-env@npm:7.16.11"
-  dependencies:
-    "@babel/compat-data": ^7.16.8
-    "@babel/helper-compilation-targets": ^7.16.7
-    "@babel/helper-plugin-utils": ^7.16.7
-    "@babel/helper-validator-option": ^7.16.7
-    "@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression": ^7.16.7
-    "@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining": ^7.16.7
-    "@babel/plugin-proposal-async-generator-functions": ^7.16.8
-    "@babel/plugin-proposal-class-properties": ^7.16.7
-    "@babel/plugin-proposal-class-static-block": ^7.16.7
-    "@babel/plugin-proposal-dynamic-import": ^7.16.7
-    "@babel/plugin-proposal-export-namespace-from": ^7.16.7
-    "@babel/plugin-proposal-json-strings": ^7.16.7
-    "@babel/plugin-proposal-logical-assignment-operators": ^7.16.7
-    "@babel/plugin-proposal-nullish-coalescing-operator": ^7.16.7
-    "@babel/plugin-proposal-numeric-separator": ^7.16.7
-    "@babel/plugin-proposal-object-rest-spread": ^7.16.7
-    "@babel/plugin-proposal-optional-catch-binding": ^7.16.7
-    "@babel/plugin-proposal-optional-chaining": ^7.16.7
-    "@babel/plugin-proposal-private-methods": ^7.16.11
-    "@babel/plugin-proposal-private-property-in-object": ^7.16.7
-    "@babel/plugin-proposal-unicode-property-regex": ^7.16.7
-    "@babel/plugin-syntax-async-generators": ^7.8.4
-    "@babel/plugin-syntax-class-properties": ^7.12.13
-    "@babel/plugin-syntax-class-static-block": ^7.14.5
-    "@babel/plugin-syntax-dynamic-import": ^7.8.3
-    "@babel/plugin-syntax-export-namespace-from": ^7.8.3
-    "@babel/plugin-syntax-json-strings": ^7.8.3
-    "@babel/plugin-syntax-logical-assignment-operators": ^7.10.4
-    "@babel/plugin-syntax-nullish-coalescing-operator": ^7.8.3
-    "@babel/plugin-syntax-numeric-separator": ^7.10.4
-    "@babel/plugin-syntax-object-rest-spread": ^7.8.3
-    "@babel/plugin-syntax-optional-catch-binding": ^7.8.3
-    "@babel/plugin-syntax-optional-chaining": ^7.8.3
-    "@babel/plugin-syntax-private-property-in-object": ^7.14.5
-    "@babel/plugin-syntax-top-level-await": ^7.14.5
-    "@babel/plugin-transform-arrow-functions": ^7.16.7
-    "@babel/plugin-transform-async-to-generator": ^7.16.8
-    "@babel/plugin-transform-block-scoped-functions": ^7.16.7
-    "@babel/plugin-transform-block-scoping": ^7.16.7
-    "@babel/plugin-transform-classes": ^7.16.7
-    "@babel/plugin-transform-computed-properties": ^7.16.7
-    "@babel/plugin-transform-destructuring": ^7.16.7
-    "@babel/plugin-transform-dotall-regex": ^7.16.7
-    "@babel/plugin-transform-duplicate-keys": ^7.16.7
-    "@babel/plugin-transform-exponentiation-operator": ^7.16.7
-    "@babel/plugin-transform-for-of": ^7.16.7
-    "@babel/plugin-transform-function-name": ^7.16.7
-    "@babel/plugin-transform-literals": ^7.16.7
-    "@babel/plugin-transform-member-expression-literals": ^7.16.7
-    "@babel/plugin-transform-modules-amd": ^7.16.7
-    "@babel/plugin-transform-modules-commonjs": ^7.16.8
-    "@babel/plugin-transform-modules-systemjs": ^7.16.7
-    "@babel/plugin-transform-modules-umd": ^7.16.7
-    "@babel/plugin-transform-named-capturing-groups-regex": ^7.16.8
-    "@babel/plugin-transform-new-target": ^7.16.7
-    "@babel/plugin-transform-object-super": ^7.16.7
-    "@babel/plugin-transform-parameters": ^7.16.7
-    "@babel/plugin-transform-property-literals": ^7.16.7
-    "@babel/plugin-transform-regenerator": ^7.16.7
-    "@babel/plugin-transform-reserved-words": ^7.16.7
-    "@babel/plugin-transform-shorthand-properties": ^7.16.7
-    "@babel/plugin-transform-spread": ^7.16.7
-    "@babel/plugin-transform-sticky-regex": ^7.16.7
-    "@babel/plugin-transform-template-literals": ^7.16.7
-    "@babel/plugin-transform-typeof-symbol": ^7.16.7
-    "@babel/plugin-transform-unicode-escapes": ^7.16.7
-    "@babel/plugin-transform-unicode-regex": ^7.16.7
-    "@babel/preset-modules": ^0.1.5
-    "@babel/types": ^7.16.8
-    babel-plugin-polyfill-corejs2: ^0.3.0
-    babel-plugin-polyfill-corejs3: ^0.5.0
-    babel-plugin-polyfill-regenerator: ^0.3.0
-    core-js-compat: ^3.20.2
-    semver: ^6.3.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: c8029c272073df787309d983ae458dd094b57f87152b8ccad95c7c8b1e82b042c1077e169538aae5f98b7659de0632d10708d9c85acf21a5e9406d7dd3656d8c
-  languageName: node
-  linkType: hard
-
-"@babel/preset-env@npm:^7.16.7":
-  version: 7.18.2
-  resolution: "@babel/preset-env@npm:7.18.2"
-  dependencies:
-    "@babel/compat-data": ^7.17.10
-    "@babel/helper-compilation-targets": ^7.18.2
-    "@babel/helper-plugin-utils": ^7.17.12
-    "@babel/helper-validator-option": ^7.16.7
-    "@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression": ^7.17.12
-    "@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining": ^7.17.12
-    "@babel/plugin-proposal-async-generator-functions": ^7.17.12
-    "@babel/plugin-proposal-class-properties": ^7.17.12
-    "@babel/plugin-proposal-class-static-block": ^7.18.0
-    "@babel/plugin-proposal-dynamic-import": ^7.16.7
-    "@babel/plugin-proposal-export-namespace-from": ^7.17.12
-    "@babel/plugin-proposal-json-strings": ^7.17.12
-    "@babel/plugin-proposal-logical-assignment-operators": ^7.17.12
-    "@babel/plugin-proposal-nullish-coalescing-operator": ^7.17.12
-    "@babel/plugin-proposal-numeric-separator": ^7.16.7
-    "@babel/plugin-proposal-object-rest-spread": ^7.18.0
-    "@babel/plugin-proposal-optional-catch-binding": ^7.16.7
-    "@babel/plugin-proposal-optional-chaining": ^7.17.12
-    "@babel/plugin-proposal-private-methods": ^7.17.12
-    "@babel/plugin-proposal-private-property-in-object": ^7.17.12
-    "@babel/plugin-proposal-unicode-property-regex": ^7.17.12
-    "@babel/plugin-syntax-async-generators": ^7.8.4
-    "@babel/plugin-syntax-class-properties": ^7.12.13
-    "@babel/plugin-syntax-class-static-block": ^7.14.5
-    "@babel/plugin-syntax-dynamic-import": ^7.8.3
-    "@babel/plugin-syntax-export-namespace-from": ^7.8.3
-    "@babel/plugin-syntax-import-assertions": ^7.17.12
-    "@babel/plugin-syntax-json-strings": ^7.8.3
-    "@babel/plugin-syntax-logical-assignment-operators": ^7.10.4
-    "@babel/plugin-syntax-nullish-coalescing-operator": ^7.8.3
-    "@babel/plugin-syntax-numeric-separator": ^7.10.4
-    "@babel/plugin-syntax-object-rest-spread": ^7.8.3
-    "@babel/plugin-syntax-optional-catch-binding": ^7.8.3
-    "@babel/plugin-syntax-optional-chaining": ^7.8.3
-    "@babel/plugin-syntax-private-property-in-object": ^7.14.5
-    "@babel/plugin-syntax-top-level-await": ^7.14.5
-    "@babel/plugin-transform-arrow-functions": ^7.17.12
-    "@babel/plugin-transform-async-to-generator": ^7.17.12
-    "@babel/plugin-transform-block-scoped-functions": ^7.16.7
-    "@babel/plugin-transform-block-scoping": ^7.17.12
-    "@babel/plugin-transform-classes": ^7.17.12
-    "@babel/plugin-transform-computed-properties": ^7.17.12
-    "@babel/plugin-transform-destructuring": ^7.18.0
-    "@babel/plugin-transform-dotall-regex": ^7.16.7
-    "@babel/plugin-transform-duplicate-keys": ^7.17.12
-    "@babel/plugin-transform-exponentiation-operator": ^7.16.7
-    "@babel/plugin-transform-for-of": ^7.18.1
-    "@babel/plugin-transform-function-name": ^7.16.7
-    "@babel/plugin-transform-literals": ^7.17.12
-    "@babel/plugin-transform-member-expression-literals": ^7.16.7
-    "@babel/plugin-transform-modules-amd": ^7.18.0
-    "@babel/plugin-transform-modules-commonjs": ^7.18.2
-    "@babel/plugin-transform-modules-systemjs": ^7.18.0
-    "@babel/plugin-transform-modules-umd": ^7.18.0
-    "@babel/plugin-transform-named-capturing-groups-regex": ^7.17.12
-    "@babel/plugin-transform-new-target": ^7.17.12
-    "@babel/plugin-transform-object-super": ^7.16.7
-    "@babel/plugin-transform-parameters": ^7.17.12
-    "@babel/plugin-transform-property-literals": ^7.16.7
-    "@babel/plugin-transform-regenerator": ^7.18.0
-    "@babel/plugin-transform-reserved-words": ^7.17.12
-    "@babel/plugin-transform-shorthand-properties": ^7.16.7
-    "@babel/plugin-transform-spread": ^7.17.12
-    "@babel/plugin-transform-sticky-regex": ^7.16.7
-    "@babel/plugin-transform-template-literals": ^7.18.2
-    "@babel/plugin-transform-typeof-symbol": ^7.17.12
-    "@babel/plugin-transform-unicode-escapes": ^7.16.7
-    "@babel/plugin-transform-unicode-regex": ^7.16.7
-    "@babel/preset-modules": ^0.1.5
-    "@babel/types": ^7.18.2
-    babel-plugin-polyfill-corejs2: ^0.3.0
-    babel-plugin-polyfill-corejs3: ^0.5.0
-    babel-plugin-polyfill-regenerator: ^0.3.0
-    core-js-compat: ^3.22.1
-    semver: ^6.3.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: f81892a7970cb34643b93917cbbc9b581d5066d892639867521f4a85ec258e69362a37bbb7b899b351e71d26095a97cd2d6e35e5f9ee110715146e0ccc19e700
-  languageName: node
-  linkType: hard
-
-"@babel/preset-modules@npm:^0.1.4, @babel/preset-modules@npm:^0.1.5":
-  version: 0.1.5
-  resolution: "@babel/preset-modules@npm:0.1.5"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.0.0
-    "@babel/plugin-proposal-unicode-property-regex": ^7.4.4
-    "@babel/plugin-transform-dotall-regex": ^7.4.4
-    "@babel/types": ^7.4.4
-    esutils: ^2.0.2
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 8430e0e9e9d520b53e22e8c4c6a5a080a12b63af6eabe559c2310b187bd62ae113f3da82ba33e9d1d0f3230930ca702843aae9dd226dec51f7d7114dc1f51c10
-  languageName: node
-  linkType: hard
-
-"@babel/runtime@npm:7.12.18":
-  version: 7.12.18
-  resolution: "@babel/runtime@npm:7.12.18"
-  dependencies:
-    regenerator-runtime: ^0.13.4
-  checksum: 0ba38dc8d478584b0b5fb15fc2b7855f9f20561917bd434a66429d55d1165199d6161bc5fb087b87254712827f63561ff5196df66701e5647d67c7d0f557569a
-  languageName: node
-  linkType: hard
-
-"@babel/runtime@npm:^7.12.5":
-  version: 7.14.0
-  resolution: "@babel/runtime@npm:7.14.0"
-  dependencies:
-    regenerator-runtime: ^0.13.4
-  checksum: 257dc2594355dd8798455f25b6f2f9a00f162b427391265752933e0e3337b3b14661d09283187d5039ae3764f723890ffe767e995c73d662f1d515bdf48e5ade
-  languageName: node
-  linkType: hard
-
-"@babel/runtime@npm:^7.14.0":
-  version: 7.19.0
-  resolution: "@babel/runtime@npm:7.19.0"
-  dependencies:
-    regenerator-runtime: ^0.13.4
-  checksum: fa69c351bb05e1db3ceb9a02fdcf620c234180af68cdda02152d3561015f6d55277265d3109815992f96d910f3db709458cae4f8df1c3def66f32e0867d82294
-  languageName: node
-  linkType: hard
-
-"@babel/runtime@npm:^7.17.8":
-  version: 7.23.1
-  resolution: "@babel/runtime@npm:7.23.1"
-  dependencies:
-    regenerator-runtime: ^0.14.0
-  checksum: 0cd0d43e6e7dc7f9152fda8c8312b08321cda2f56ef53d6c22ebdd773abdc6f5d0a69008de90aa41908d00e2c1facb24715ff121274e689305c858355ff02c70
-  languageName: node
-  linkType: hard
-
-"@babel/runtime@npm:^7.20.1":
-  version: 7.22.6
-  resolution: "@babel/runtime@npm:7.22.6"
-  dependencies:
-    regenerator-runtime: ^0.13.11
-  checksum: e585338287c4514a713babf4fdb8fc2a67adcebab3e7723a739fc62c79cfda875b314c90fd25f827afb150d781af97bc16c85bfdbfa2889f06053879a1ddb597
-  languageName: node
-  linkType: hard
-
-"@babel/runtime@npm:^7.21.0":
-  version: 7.21.5
-  resolution: "@babel/runtime@npm:7.21.5"
-  dependencies:
-    regenerator-runtime: ^0.13.11
-  checksum: 358f2779d3187f5c67ad302e8f8d435412925d0b991d133c7d4a7b1ddd5a3fda1b6f34537cb64628dfd96a27ae46df105bed3895b8d754b88cacdded8d1129dd
-  languageName: node
-  linkType: hard
-
-"@babel/runtime@npm:^7.8.4":
-  version: 7.16.3
-  resolution: "@babel/runtime@npm:7.16.3"
-  dependencies:
-    regenerator-runtime: ^0.13.4
-  checksum: ab8ac887096d76185ddbf291d28fb976cd32473696dc497ad4905b784acbd5aa462533ad83a5c5104e10ead28c2e0e119840ee28ed8eff90dcdde9d57f916eda
-  languageName: node
-  linkType: hard
-
-"@babel/template@npm:^7.12.13, @babel/template@npm:^7.16.0":
-  version: 7.16.0
-  resolution: "@babel/template@npm:7.16.0"
-  dependencies:
-    "@babel/code-frame": ^7.16.0
-    "@babel/parser": ^7.16.0
-    "@babel/types": ^7.16.0
-  checksum: 940f105cc6a6aee638cd8cfae80b8b80811e0ddd53b6a11f3a68431ebb998564815fb26511b5d9cb4cff66ea67130ba7498555ee015375d32f5f89ceaa6662ea
-  languageName: node
-  linkType: hard
-
-"@babel/template@npm:^7.16.7":
-  version: 7.16.7
-  resolution: "@babel/template@npm:7.16.7"
-  dependencies:
-    "@babel/code-frame": ^7.16.7
-    "@babel/parser": ^7.16.7
-    "@babel/types": ^7.16.7
-  checksum: 10cd112e89276e00f8b11b55a51c8b2f1262c318283a980f4d6cdb0286dc05734b9aaeeb9f3ad3311900b09bc913e02343fcaa9d4a4f413964aaab04eb84ac4a
-  languageName: node
-  linkType: hard
-
-"@babel/template@npm:^7.18.10":
-  version: 7.18.10
-  resolution: "@babel/template@npm:7.18.10"
-  dependencies:
-    "@babel/code-frame": ^7.18.6
-    "@babel/parser": ^7.18.10
-    "@babel/types": ^7.18.10
-  checksum: 93a6aa094af5f355a72bd55f67fa1828a046c70e46f01b1606e6118fa1802b6df535ca06be83cc5a5e834022be95c7b714f0a268b5f20af984465a71e28f1473
-  languageName: node
-  linkType: hard
-
-"@babel/template@npm:^7.22.5":
-  version: 7.22.5
-  resolution: "@babel/template@npm:7.22.5"
-  dependencies:
-    "@babel/code-frame": ^7.22.5
-    "@babel/parser": ^7.22.5
-    "@babel/types": ^7.22.5
-  checksum: c5746410164039aca61829cdb42e9a55410f43cace6f51ca443313f3d0bdfa9a5a330d0b0df73dc17ef885c72104234ae05efede37c1cc8a72dc9f93425977a3
-  languageName: node
-  linkType: hard
-
-"@babel/traverse@npm:^7.1.6, @babel/traverse@npm:^7.12.1, @babel/traverse@npm:^7.4.5":
-  version: 7.14.0
-  resolution: "@babel/traverse@npm:7.14.0"
-  dependencies:
-    "@babel/code-frame": ^7.12.13
-    "@babel/generator": ^7.14.0
-    "@babel/helper-function-name": ^7.12.13
-    "@babel/helper-split-export-declaration": ^7.12.13
-    "@babel/parser": ^7.14.0
-    "@babel/types": ^7.14.0
-    debug: ^4.1.0
-    globals: ^11.1.0
-  checksum: 98cfb223facc13a67031a3619285c0d71acbc57a473b1213d2c70e53c57b390e9256a93bd05d93be4d3405ea235c4758a6cac2afcbf7e79815c6c96a913d246f
-  languageName: node
-  linkType: hard
-
-"@babel/traverse@npm:^7.13.0, @babel/traverse@npm:^7.14.0, @babel/traverse@npm:^7.16.0, @babel/traverse@npm:^7.16.3":
-  version: 7.16.3
-  resolution: "@babel/traverse@npm:7.16.3"
-  dependencies:
-    "@babel/code-frame": ^7.16.0
-    "@babel/generator": ^7.16.0
-    "@babel/helper-function-name": ^7.16.0
-    "@babel/helper-hoist-variables": ^7.16.0
-    "@babel/helper-split-export-declaration": ^7.16.0
-    "@babel/parser": ^7.16.3
-    "@babel/types": ^7.16.0
-    debug: ^4.1.0
-    globals: ^11.1.0
-  checksum: abb14857b1104c73124612954865e28f95a86eb6741f35851369b4f9eabc17e394c9aa6f21fba6ce23813592353090d409772be828717cbe5154a5e981a753c1
-  languageName: node
-  linkType: hard
-
-"@babel/traverse@npm:^7.16.7, @babel/traverse@npm:^7.16.8, @babel/traverse@npm:^7.17.3":
-  version: 7.17.3
-  resolution: "@babel/traverse@npm:7.17.3"
-  dependencies:
-    "@babel/code-frame": ^7.16.7
-    "@babel/generator": ^7.17.3
-    "@babel/helper-environment-visitor": ^7.16.7
-    "@babel/helper-function-name": ^7.16.7
-    "@babel/helper-hoist-variables": ^7.16.7
-    "@babel/helper-split-export-declaration": ^7.16.7
-    "@babel/parser": ^7.17.3
-    "@babel/types": ^7.17.0
-    debug: ^4.1.0
-    globals: ^11.1.0
-  checksum: 780d7ecf711758174989794891af08d378f81febdb8932056c0d9979524bf0298e28f8e7708a872d7781151506c28f56c85c63ea3f1f654662c2fcb8a3eb9fdc
-  languageName: node
-  linkType: hard
-
-"@babel/traverse@npm:^7.18.0, @babel/traverse@npm:^7.18.2":
-  version: 7.18.2
-  resolution: "@babel/traverse@npm:7.18.2"
-  dependencies:
-    "@babel/code-frame": ^7.16.7
-    "@babel/generator": ^7.18.2
-    "@babel/helper-environment-visitor": ^7.18.2
-    "@babel/helper-function-name": ^7.17.9
-    "@babel/helper-hoist-variables": ^7.16.7
-    "@babel/helper-split-export-declaration": ^7.16.7
-    "@babel/parser": ^7.18.0
-    "@babel/types": ^7.18.2
-    debug: ^4.1.0
-    globals: ^11.1.0
-  checksum: e21c2d550bf610406cf21ef6fbec525cb1d80b9d6d71af67552478a24ee371203cb4025b23b110ae7288a62a874ad5898daad19ad23daa95dfc8ab47a47a092f
-  languageName: node
-  linkType: hard
-
-"@babel/traverse@npm:^7.18.9, @babel/traverse@npm:^7.19.0":
-  version: 7.19.0
-  resolution: "@babel/traverse@npm:7.19.0"
-  dependencies:
-    "@babel/code-frame": ^7.18.6
-    "@babel/generator": ^7.19.0
-    "@babel/helper-environment-visitor": ^7.18.9
-    "@babel/helper-function-name": ^7.19.0
-    "@babel/helper-hoist-variables": ^7.18.6
-    "@babel/helper-split-export-declaration": ^7.18.6
-    "@babel/parser": ^7.19.0
-    "@babel/types": ^7.19.0
-    debug: ^4.1.0
-    globals: ^11.1.0
-  checksum: dcbd1316c9f4bf3cefee45b6f5194590563aa5d123500a60d3c8d714bef279205014c8e599ebafc469967199a7622e1444cd0235c16d4243da437e3f1281771e
-  languageName: node
-  linkType: hard
-
-"@babel/traverse@npm:^7.22.6, @babel/traverse@npm:^7.22.8":
-  version: 7.22.8
-  resolution: "@babel/traverse@npm:7.22.8"
-  dependencies:
-    "@babel/code-frame": ^7.22.5
-    "@babel/generator": ^7.22.7
-    "@babel/helper-environment-visitor": ^7.22.5
-    "@babel/helper-function-name": ^7.22.5
-    "@babel/helper-hoist-variables": ^7.22.5
-    "@babel/helper-split-export-declaration": ^7.22.6
-    "@babel/parser": ^7.22.7
-    "@babel/types": ^7.22.5
-    debug: ^4.1.0
-    globals: ^11.1.0
-  checksum: a381369bc3eedfd13ed5fef7b884657f1c29024ea7388198149f0edc34bd69ce3966e9f40188d15f56490a5e12ba250ccc485f2882b53d41b054fccefb233e33
-  languageName: node
-  linkType: hard
-
-"@babel/types@npm:^7.1.6, @babel/types@npm:^7.7.2":
-  version: 7.14.0
-  resolution: "@babel/types@npm:7.14.0"
-  dependencies:
-    "@babel/helper-validator-identifier": ^7.14.0
-    to-fast-properties: ^2.0.0
-  checksum: e69829ade45feb140d5e146be5203533edff1ad41a892870e1c6e323a06cafaf5b7e4d83dcae1222deff3bff73cf095b48c2cbf8864b77140196879fafaaf859
-  languageName: node
-  linkType: hard
-
-"@babel/types@npm:^7.12.1, @babel/types@npm:^7.14.0, @babel/types@npm:^7.16.0, @babel/types@npm:^7.4.4":
-  version: 7.16.0
-  resolution: "@babel/types@npm:7.16.0"
-  dependencies:
-    "@babel/helper-validator-identifier": ^7.15.7
-    to-fast-properties: ^2.0.0
-  checksum: 5b483da5c6e6f2394fba7ee1da8787a0c9cddd33491271c4da702e49e6faf95ce41d7c8bf9a4ee47f2ef06bdb35096f4d0f6ae4b5bea35ebefe16309d22344b7
-  languageName: node
-  linkType: hard
-
-"@babel/types@npm:^7.12.13":
-  version: 7.19.3
-  resolution: "@babel/types@npm:7.19.3"
-  dependencies:
-    "@babel/helper-string-parser": ^7.18.10
-    "@babel/helper-validator-identifier": ^7.19.1
-    to-fast-properties: ^2.0.0
-  checksum: 34a5b3db3b99a1a80ec2a784c2bb0e48769a38f1526dc377a5753a3ac5e5704663c405a393117ecc7a9df9da07b01625be7c4c3fee43ae46aba23b0c40928d77
-  languageName: node
-  linkType: hard
-
-"@babel/types@npm:^7.16.7, @babel/types@npm:^7.16.8, @babel/types@npm:^7.17.0":
-  version: 7.17.0
-  resolution: "@babel/types@npm:7.17.0"
-  dependencies:
-    "@babel/helper-validator-identifier": ^7.16.7
-    to-fast-properties: ^2.0.0
-  checksum: 12e5a287986fe557188e87b2c5202223f1dc83d9239a196ab936fdb9f8c1eb0be717ff19f934b5fad4e29a75586d5798f74bed209bccea1c20376b9952056f0e
-  languageName: node
-  linkType: hard
-
-"@babel/types@npm:^7.18.0, @babel/types@npm:^7.18.2":
-  version: 7.18.4
-  resolution: "@babel/types@npm:7.18.4"
-  dependencies:
-    "@babel/helper-validator-identifier": ^7.16.7
-    to-fast-properties: ^2.0.0
-  checksum: 85df59beb99c1b95e9e41590442f2ffa1e5b1b558d025489db40c9f7c906bd03a17da26c3ec486e5800e80af27c42ca7eee9506d9212ab17766d2d68d30fbf52
-  languageName: node
-  linkType: hard
-
-"@babel/types@npm:^7.18.10, @babel/types@npm:^7.18.6, @babel/types@npm:^7.18.9, @babel/types@npm:^7.19.0":
-  version: 7.19.0
-  resolution: "@babel/types@npm:7.19.0"
-  dependencies:
-    "@babel/helper-string-parser": ^7.18.10
-    "@babel/helper-validator-identifier": ^7.18.6
-    to-fast-properties: ^2.0.0
-  checksum: 9b346715a68aeede70ba9c685a144b0b26c53bcd595d448e24c8fa8df4d5956a5712e56ebadb7c85dcc32f218ee42788e37b93d50d3295c992072224cb3ef3fe
-  languageName: node
-  linkType: hard
-
-"@babel/types@npm:^7.22.5":
-  version: 7.22.5
-  resolution: "@babel/types@npm:7.22.5"
-  dependencies:
-    "@babel/helper-string-parser": ^7.22.5
-    "@babel/helper-validator-identifier": ^7.22.5
-    to-fast-properties: ^2.0.0
-  checksum: c13a9c1dc7d2d1a241a2f8363540cb9af1d66e978e8984b400a20c4f38ba38ca29f06e26a0f2d49a70bad9e57615dac09c35accfddf1bb90d23cd3e0a0bab892
-  languageName: node
-  linkType: hard
-
-"@babel/types@npm:^7.8.3":
-  version: 7.21.4
-  resolution: "@babel/types@npm:7.21.4"
-  dependencies:
-    "@babel/helper-string-parser": ^7.19.4
-    "@babel/helper-validator-identifier": ^7.19.1
-    to-fast-properties: ^2.0.0
-  checksum: 587bc55a91ce003b0f8aa10d70070f8006560d7dc0360dc0406d306a2cb2a10154e2f9080b9c37abec76907a90b330a536406cb75e6bdc905484f37b75c73219
-  languageName: node
-  linkType: hard
-
-"@cnakazawa/watch@npm:^1.0.3":
-  version: 1.0.4
-  resolution: "@cnakazawa/watch@npm:1.0.4"
-  dependencies:
-    exec-sh: ^0.3.2
-    minimist: ^1.2.0
-  bin:
-    watch: cli.js
-  checksum: 88f395ca0af2f3c0665b8ce7bb29e83647ec5d141e8735712aeeee4117081555436712966b6957aa1c461f6f826a4d23b0034e379c443a10e919f81c8748bf29
-  languageName: node
-  linkType: hard
-
-"@csstools/css-parser-algorithms@npm:^2.3.0":
-  version: 2.3.0
-  resolution: "@csstools/css-parser-algorithms@npm:2.3.0"
-  peerDependencies:
-    "@csstools/css-tokenizer": ^2.1.1
-  checksum: 3be22a0cfcfe0dc4bb140e2f266590addf21c5052d9e69334da860b3839fbd4369c3d158cbc396032d5ed96d01d2b5d8ebdb5497f75c9830ed9ce99853e3f915
-  languageName: node
-  linkType: hard
-
-"@csstools/css-tokenizer@npm:^2.1.1":
-  version: 2.1.1
-  resolution: "@csstools/css-tokenizer@npm:2.1.1"
-  checksum: d6ac4b08d7fdfc146755542f00b208af7248efd6cf2eb0f0f7d2ba3583a81f08ed9be6047d78b046925708b5bd0886f487edeeee2f90f0f34030dcbef4122d0e
-  languageName: node
-  linkType: hard
-
-"@csstools/media-query-list-parser@npm:^2.1.2":
-  version: 2.1.2
-  resolution: "@csstools/media-query-list-parser@npm:2.1.2"
-  peerDependencies:
-    "@csstools/css-parser-algorithms": ^2.3.0
-    "@csstools/css-tokenizer": ^2.1.1
-  checksum: 04936573ba837f14d7d637e172342c473665679c6497bbc0d548d93d08cb22e22151bb19e0e20422954c0b2aa50c3f38c9fc5f45c136e31bc863c656cb79df1b
-  languageName: node
-  linkType: hard
-
-"@csstools/selector-specificity@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "@csstools/selector-specificity@npm:3.0.0"
-  peerDependencies:
-    postcss-selector-parser: ^6.0.13
-  checksum: 4a2dfe69998a499155d9dab4c2a0e7ae7594d8db98bb8a487d2d5347c0c501655051eb5eacad3fe323c86b0ba8212fe092c27fc883621e6ac2a27662edfc3528
-  languageName: node
-  linkType: hard
-
-"@ember-data/adapter@npm:4.11.3":
-  version: 4.11.3
-  resolution: "@ember-data/adapter@npm:4.11.3"
-  dependencies:
-    "@ember-data/private-build-infra": 4.11.3
-    "@ember/edition-utils": ^1.2.0
-    "@embroider/macros": ^1.10.0
-    ember-auto-import: ^2.4.3
-    ember-cli-babel: ^7.26.11
-    ember-cli-test-info: ^1.0.0
-  peerDependencies:
-    "@ember-data/store": 4.11.3
-    "@ember/string": ^3.0.1
-    ember-inflector: ^4.0.2
-  checksum: 2fc2366b334eb1e0a722d97296df11dd41b31dcd3343c41a90a21d0aeecc949ccb23ee94101830b91b7c6c74127cf55e953d1d4da67c3668776c95c107cda831
-  languageName: node
-  linkType: hard
-
-"@ember-data/canary-features@npm:4.11.3":
-  version: 4.11.3
-  resolution: "@ember-data/canary-features@npm:4.11.3"
-  dependencies:
-    "@embroider/macros": ^1.10.0
-    ember-cli-babel: ^7.26.11
-  checksum: 24983d2aa36cdd2a071abc64c3bece4c031004e5160e90ea8d65486ac6430746f0669c3fc6f1315b85ed401c58b98e910d8da92bc8e84fa11e36b8c9b3fc93c8
-  languageName: node
-  linkType: hard
-
-"@ember-data/debug@npm:4.11.3":
-  version: 4.11.3
-  resolution: "@ember-data/debug@npm:4.11.3"
-  dependencies:
-    "@ember-data/private-build-infra": 4.11.3
-    "@ember/edition-utils": ^1.2.0
-    "@embroider/macros": ^1.10.0
-    ember-auto-import: ^2.4.3
-    ember-cli-babel: ^7.26.11
-  peerDependencies:
-    "@ember/string": ^3.0.1
-  checksum: 9eac1c756e54e1a397ac7bb8442b2c621c1a6f6d9c07588e9bcaac160f19449fac6cfd2ce01358d4dfa80fdc72b1868f93b56ede9993339853c88b312e70198e
-  languageName: node
-  linkType: hard
-
-"@ember-data/model@npm:4.11.3":
-  version: 4.11.3
-  resolution: "@ember-data/model@npm:4.11.3"
-  dependencies:
-    "@ember-data/canary-features": 4.11.3
-    "@ember-data/private-build-infra": 4.11.3
-    "@ember/edition-utils": ^1.2.0
-    "@embroider/macros": ^1.10.0
-    ember-auto-import: ^2.4.3
-    ember-cached-decorator-polyfill: ^1.0.1
-    ember-cli-babel: ^7.26.11
-    ember-cli-string-utils: ^1.1.0
-    ember-cli-test-info: ^1.0.0
-    ember-compatibility-helpers: ^1.2.6
-    inflection: ~2.0.0
-  peerDependencies:
-    "@ember-data/record-data": 4.11.3
-    "@ember-data/store": 4.11.3
-    "@ember-data/tracking": 4.11.3
-    "@ember/string": ^3.0.1
-    ember-inflector: ^4.0.2
-  peerDependenciesMeta:
-    "@ember-data/record-data":
-      optional: true
-  checksum: 734fd60c6a5bf84d657a86e4aa89f965c5624caf478d0b87d517bec589e3e6db2cba45e46dfcfa5a6506733a94bcf4c2f43daecaa9ad6f06b62a408da2714d13
-  languageName: node
-  linkType: hard
-
-"@ember-data/private-build-infra@npm:4.11.3":
-  version: 4.11.3
-  resolution: "@ember-data/private-build-infra@npm:4.11.3"
-  dependencies:
-    "@babel/core": ^7.20.2
-    "@babel/plugin-transform-block-scoping": ^7.20.2
-    "@babel/runtime": ^7.20.1
-    "@ember-data/canary-features": 4.11.3
-    "@ember/edition-utils": ^1.2.0
-    "@embroider/macros": ^1.10.0
-    babel-import-util: ^1.3.0
-    babel-plugin-debug-macros: ^0.3.4
-    babel-plugin-filter-imports: ^4.0.0
-    babel6-plugin-strip-class-callcheck: ^6.0.0
-    broccoli-debug: ^0.6.5
-    broccoli-file-creator: ^2.1.1
-    broccoli-funnel: ^3.0.8
-    broccoli-merge-trees: ^4.2.0
-    broccoli-rollup: ^5.0.0
-    calculate-cache-key-for-tree: ^2.0.0
-    chalk: ^4.1.2
-    ember-cli-babel: ^7.26.11
-    ember-cli-path-utils: ^1.0.0
-    ember-cli-string-utils: ^1.1.0
-    ember-cli-version-checker: ^5.1.2
-    git-repo-info: ^2.1.1
-    glob: ^8.0.3
-    npm-git-info: ^1.0.3
-    rimraf: ^3.0.2
-    rsvp: ^4.8.5
-    semver: ^7.3.8
-    silent-error: ^1.1.1
-  checksum: a9a1e865de89f7b7fbf9461c511931b03309e41fe1fd32e5b2d4d4fa43fcb62bc89bada264f924fafd86373590cc4834d5052900bddecaa37f0b7fefa36a732d
-  languageName: node
-  linkType: hard
-
-"@ember-data/record-data@npm:4.11.3":
-  version: 4.11.3
-  resolution: "@ember-data/record-data@npm:4.11.3"
-  dependencies:
-    "@ember-data/canary-features": 4.11.3
-    "@ember-data/private-build-infra": 4.11.3
-    "@ember/edition-utils": ^1.2.0
-    "@embroider/macros": ^1.10.0
-    ember-auto-import: ^2.4.3
-    ember-cli-babel: ^7.26.11
-  peerDependencies:
-    "@ember-data/store": 4.11.3
-  checksum: e49caa3e2279d119a9f3668980c8ac7ce49d7fb451d9630b395a4a5b5993ab96c5a6a8230cf08e03711b41027f174dbc0c1819f31489a738670670b2e751f25a
-  languageName: node
-  linkType: hard
-
-"@ember-data/rfc395-data@npm:^0.0.4":
-  version: 0.0.4
-  resolution: "@ember-data/rfc395-data@npm:0.0.4"
-  checksum: 59760b1f7b1cf131fe4a3b817b912e7e62e69e100acd813db37d11106a40c1b22da068cd7d4cdc1bb4c69b0dbde45c96ebff848b6b2380715eae7896bb2e109c
-  languageName: node
-  linkType: hard
-
-"@ember-data/serializer@npm:4.11.3":
-  version: 4.11.3
-  resolution: "@ember-data/serializer@npm:4.11.3"
-  dependencies:
-    "@ember-data/private-build-infra": 4.11.3
-    "@embroider/macros": ^1.10.0
-    ember-auto-import: ^2.4.3
-    ember-cli-babel: ^7.26.11
-    ember-cli-test-info: ^1.0.0
-  peerDependencies:
-    "@ember-data/store": 4.11.3
-    "@ember/string": ^3.0.1
-    ember-inflector: ^4.0.2
-  checksum: a36dea451165e8bb3aa572366bb13b8af3377ab31239396b741b6912ee155099cb36df8349e69e585a2b12a7250c457e2973d95c43bb1578228e41afd254c0f6
-  languageName: node
-  linkType: hard
-
-"@ember-data/store@npm:4.11.3":
-  version: 4.11.3
-  resolution: "@ember-data/store@npm:4.11.3"
-  dependencies:
-    "@ember-data/canary-features": 4.11.3
-    "@ember-data/private-build-infra": 4.11.3
-    "@embroider/macros": ^1.10.0
-    ember-auto-import: ^2.4.3
-    ember-cached-decorator-polyfill: ^1.0.1
-    ember-cli-babel: ^7.26.11
-  peerDependencies:
-    "@ember-data/model": 4.11.3
-    "@ember-data/record-data": 4.11.3
-    "@ember-data/tracking": 4.11.3
-    "@ember/string": ^3.0.1
-    "@glimmer/tracking": ^1.1.2
-  peerDependenciesMeta:
-    "@ember-data/model":
-      optional: true
-    "@ember-data/record-data":
-      optional: true
-  checksum: 132384d5a3c02697f1e1c1599e10d5ffed6f4d73c79ab353cb89b5b533410a906bc238005cde702f57072f2a0a48f885de72d063d593ff7f3620b3bc58763092
-  languageName: node
-  linkType: hard
-
-"@ember-data/tracking@npm:4.11.3":
-  version: 4.11.3
-  resolution: "@ember-data/tracking@npm:4.11.3"
-  dependencies:
-    ember-cli-babel: ^7.26.11
-  checksum: c93f00f647769da12206bd4166b85c6bfcf37118acbcecac37357804451b3e9a5ee8bad9aa63c3ec1900013ceadcf2480b06656f0e9caff276ba046fc6be512f
-  languageName: node
-  linkType: hard
-
-"@ember-decorators/component@npm:^6.1.1":
-  version: 6.1.1
-  resolution: "@ember-decorators/component@npm:6.1.1"
-  dependencies:
-    "@ember-decorators/utils": ^6.1.1
-    ember-cli-babel: ^7.1.3
-  checksum: 0b731884ff2d84db32eae9c006179153ad1d7f93eee040260d0622101017f363caf38db98e536ffd4008312af91cc57a8dda0d0f2c71f80d3643d5456658bee6
-  languageName: node
-  linkType: hard
-
-"@ember-decorators/object@npm:^6.1.1":
-  version: 6.1.1
-  resolution: "@ember-decorators/object@npm:6.1.1"
-  dependencies:
-    "@ember-decorators/utils": ^6.1.1
-    ember-cli-babel: ^7.1.3
-  checksum: 806f753a58ecca5924da110efa614e9a33b4ed7734aa5e67ea41a8a5f555734852e50e78dadcd269407efe1cc08756e8dbc55c077183892f9dc38a0701b8641d
-  languageName: node
-  linkType: hard
-
-"@ember-decorators/utils@npm:^6.1.0, @ember-decorators/utils@npm:^6.1.1":
-  version: 6.1.1
-  resolution: "@ember-decorators/utils@npm:6.1.1"
-  dependencies:
-    ember-cli-babel: ^7.1.3
-  checksum: 979075021ce824a263859dc236285b37afee98b1583060cfab9c3583a4888612155bb66a23a4f4d24ab0ca9f459b38a458d32f825f0df073ca38a7f6e0187dc1
-  languageName: node
-  linkType: hard
-
-"@ember/edition-utils@npm:^1.2.0":
-  version: 1.2.0
-  resolution: "@ember/edition-utils@npm:1.2.0"
-  checksum: eb1eeb08b66344054acb34a4695a80dbfaeb678d10cb11327eec4c0d03b2324ad7c05d0239a7d0298d5f8931e1698d85cba23dac37bff18ab52104f678a0e8c7
-  languageName: node
-  linkType: hard
-
-"@ember/legacy-built-in-components@npm:^0.4.1":
-  version: 0.4.1
-  resolution: "@ember/legacy-built-in-components@npm:0.4.1"
-  dependencies:
-    "@embroider/macros": ^1.0.0
-    ember-cli-babel: ^7.26.6
-    ember-cli-htmlbars: ^5.7.1
-    ember-cli-typescript: ^4.1.0
-  peerDependencies:
-    ember-source: "*"
-  checksum: e4e872eb0776f29ee066556f3ae99a65ddb75fbfe44f838c807b35d8c51927aae4a28e408529f6a4c42f1445f8addc033a010343e7884c6344aeacb9c4304614
-  languageName: node
-  linkType: hard
-
-"@ember/optional-features@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "@ember/optional-features@npm:2.0.0"
-  dependencies:
-    chalk: ^4.1.0
-    ember-cli-version-checker: ^5.1.1
-    glob: ^7.1.6
-    inquirer: ^7.3.3
-    mkdirp: ^1.0.4
-    silent-error: ^1.1.1
-  checksum: 8fce4edc03b95c364770468398b5163791f36d2c305a7ed7221506558d13d114b79a5e5a58fe98d260b38cff4eece2c2fd87ccdff1bc10a7de8270ab3b3f49d1
-  languageName: node
-  linkType: hard
-
-"@ember/render-modifiers@npm:^1.0.2":
-  version: 1.0.2
-  resolution: "@ember/render-modifiers@npm:1.0.2"
-  dependencies:
-    ember-cli-babel: ^7.10.0
-    ember-modifier-manager-polyfill: ^1.1.0
-  checksum: 74220450d3a8635f1ce6c3d9ce5d7f4d8e7336e48a20b1e28b6acf9f671f0938855dff60a06eb1ad5700fadb42e2c0ffa3adef404788966da99db8ab393e9944
-  languageName: node
-  linkType: hard
-
-"@ember/render-modifiers@npm:^2.0.0, @ember/render-modifiers@npm:^2.0.5":
-  version: 2.1.0
-  resolution: "@ember/render-modifiers@npm:2.1.0"
-  dependencies:
-    "@embroider/macros": ^1.0.0
-    ember-cli-babel: ^7.26.11
-    ember-modifier-manager-polyfill: ^1.2.0
-  peerDependencies:
-    "@glint/template": ^1.0.2
-    ember-source: ^3.8 || ^4.0.0 || ^5.0.0
-  peerDependenciesMeta:
-    "@glint/template":
-      optional: true
-  checksum: 6c4d617b67ee52e8e29e9a2b9f42a30e8ea333a7b7a4c5a61fdf5f15623da11f40d82218aeddfbe32bee1f508c569740e842a8233f4a372728d18b66bbc197d5
-  languageName: node
-  linkType: hard
-
-"@ember/render-modifiers@npm:^2.0.2, @ember/render-modifiers@npm:^2.0.4":
-  version: 2.0.4
-  resolution: "@ember/render-modifiers@npm:2.0.4"
-  dependencies:
-    "@embroider/macros": ^1.0.0
-    ember-cli-babel: ^7.26.11
-    ember-modifier-manager-polyfill: ^1.2.0
-  peerDependencies:
-    ember-source: ^3.8 || 4
-  checksum: 6186a013349273f9eb0339a5b2ab7ccc7b9e6429d83b8cabba2842dfc35bd4b77b66979c2f2c25b062a7cdd359c6a500df27154880ac5f04a3ffa52ca6e343d6
-  languageName: node
-  linkType: hard
-
-"@ember/string@npm:^3.0.1":
-  version: 3.1.1
-  resolution: "@ember/string@npm:3.1.1"
-  dependencies:
-    ember-cli-babel: ^7.26.6
-  checksum: a2496735cb8cfc2d9484f7756fbb3e528db0a9bdf3acc8e86cc56491302777d806d1039186bf6c045aa3e40e464fd8d1cdac89fe97da274f3200844a7d3162c9
-  languageName: node
-  linkType: hard
-
-"@ember/test-helpers@npm:2.9.3":
-  version: 2.9.3
-  resolution: "@ember/test-helpers@npm:2.9.3"
-  dependencies:
-    "@ember/test-waiters": ^3.0.0
-    "@embroider/macros": ^1.10.0
-    "@embroider/util": ^1.9.0
-    broccoli-debug: ^0.6.5
-    broccoli-funnel: ^3.0.8
-    ember-cli-babel: ^7.26.11
-    ember-cli-htmlbars: ^6.1.1
-    ember-destroyable-polyfill: ^2.0.3
-  peerDependencies:
-    ember-source: ">=3.8.0"
-  checksum: 4591d33275c6035d41aa95184200074a727cc660aa43e48e9ed63ba07881a12fa332360fe7e5ba3b7a466fd740d92aa9f97e5d3584e95e2337c9b57ee844da69
-  languageName: node
-  linkType: hard
-
-"@ember/test-waiters@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "@ember/test-waiters@npm:3.0.0"
-  dependencies:
-    calculate-cache-key-for-tree: ^2.0.0
-    ember-cli-babel: ^7.26.6
-    ember-cli-version-checker: ^5.1.2
-    semver: ^7.3.5
-  checksum: 4998a8213b8800633485eaca342bd6e9b388d974def70ab794612d0c691b68599b2377b9a5467bdddea699099fec2897821c9127443ddac3c69c82d73ea21fa5
-  languageName: node
-  linkType: hard
-
-"@ember/test-waiters@npm:^3.0.2":
-  version: 3.0.2
-  resolution: "@ember/test-waiters@npm:3.0.2"
-  dependencies:
-    calculate-cache-key-for-tree: ^2.0.0
-    ember-cli-babel: ^7.26.6
-    ember-cli-version-checker: ^5.1.2
-    semver: ^7.3.5
-  checksum: 4ad673fd6c2edc45d7fe378c318dd7f86eabb74eabded5e36b073baa580e2fa2cbb74b52037a2af94a2de98777335129d236b9a33bd33efd30927b0f5e706eaf
-  languageName: node
-  linkType: hard
-
-"@embroider/addon-shim@npm:^1.0.0, @embroider/addon-shim@npm:^1.2.0, @embroider/addon-shim@npm:^1.8.3":
-  version: 1.8.6
-  resolution: "@embroider/addon-shim@npm:1.8.6"
-  dependencies:
-    "@embroider/shared-internals": ^2.2.3
-    broccoli-funnel: ^3.0.8
-    semver: ^7.3.8
-  checksum: 63214fbc1b3f333b052791cdfc0c278c348dd6ca4ec2b53c96183150e3d5fe9882cdd3065853e3d6a2c964c962d718b87f2fd8a17414b53fc3a3997d5eedb30e
-  languageName: node
-  linkType: hard
-
-"@embroider/addon-shim@npm:^1.8.4":
-  version: 1.8.4
-  resolution: "@embroider/addon-shim@npm:1.8.4"
-  dependencies:
-    "@embroider/shared-internals": ^2.0.0
-    broccoli-funnel: ^3.0.8
-    semver: ^7.3.8
-  checksum: 107220e97bbd46ead81dfbbfc6cf7daa61731096a6e81b989659a9a0b29b48b3c97ebdd446b6dc0636c4be369f3744e514b7f5e5c0fdc54c1c0e026f54404cc2
-  languageName: node
-  linkType: hard
-
-"@embroider/core@npm:^0.33.0":
-  version: 0.33.0
-  resolution: "@embroider/core@npm:0.33.0"
-  dependencies:
-    "@babel/core": ^7.12.3
-    "@babel/parser": ^7.12.3
-    "@babel/plugin-syntax-dynamic-import": ^7.8.3
-    "@babel/plugin-transform-runtime": ^7.12.1
-    "@babel/runtime": ^7.12.5
-    "@babel/traverse": ^7.12.1
-    "@babel/types": ^7.12.1
-    "@embroider/macros": 0.33.0
-    assert-never: ^1.1.0
-    babel-plugin-syntax-dynamic-import: ^6.18.0
-    broccoli-node-api: ^1.7.0
-    broccoli-persistent-filter: ^3.1.2
-    broccoli-plugin: ^4.0.1
-    broccoli-source: ^3.0.0
-    debug: ^3.1.0
-    escape-string-regexp: ^4.0.0
-    fast-sourcemap-concat: ^1.4.0
-    filesize: ^4.1.2
-    fs-extra: ^7.0.1
-    fs-tree-diff: ^2.0.0
-    handlebars: ^4.4.2
-    js-string-escape: ^1.0.1
-    jsdom: ^16.4.0
-    json-stable-stringify: ^1.0.1
-    lodash: ^4.17.10
-    pkg-up: ^2.0.0
-    resolve: ^1.8.1
-    resolve-package-path: ^1.2.2
-    semver: ^7.3.2
-    strip-bom: ^3.0.0
-    typescript-memoize: ^1.0.0-alpha.3
-    walk-sync: ^1.1.3
-    wrap-legacy-hbs-plugin-if-needed: ^1.0.1
-  checksum: 8abe563e909461b18f9b86a616173a436a5cdaf3c455f0a46ab51cae24129d03bd2e5a06e26a4adba7eca10a1d34388ec5a51fcf790f2ac9fabafb7950668df1
-  languageName: node
-  linkType: hard
-
-"@embroider/macros@npm:^1.0.0":
-  version: 1.5.0
-  resolution: "@embroider/macros@npm:1.5.0"
-  dependencies:
-    "@embroider/shared-internals": 1.5.0
-    assert-never: ^1.2.1
-    babel-import-util: ^1.1.0
-    ember-cli-babel: ^7.26.6
-    find-up: ^5.0.0
-    lodash: ^4.17.21
-    resolve: ^1.20.0
-    semver: ^7.3.2
-  checksum: 5e0d5f8c89b0b31199b938848bb7afc5bcd8d3501cc8bfd3ad4a531d74c4e50e8648303e8adaf690c0f0f69a61025925ce55640d93aa3d1723c820efd9cecabc
-  languageName: node
-  linkType: hard
-
-"@embroider/shared-internals@npm:1.5.0, @embroider/shared-internals@npm:^1.0.0":
-  version: 1.5.0
-  resolution: "@embroider/shared-internals@npm:1.5.0"
-  dependencies:
-    babel-import-util: ^1.1.0
-    ember-rfc176-data: ^0.3.17
-    fs-extra: ^9.1.0
-    lodash: ^4.17.21
-    resolve-package-path: ^4.0.1
-    semver: ^7.3.5
-    typescript-memoize: ^1.0.1
-  checksum: 78f92e64f03f33a0d31489fe406ff58da8d5997b78156e3b8b73f6cd5ef14d8a810a7f65e3da96206a02a3c2277316ebdd5c6dae05abfe816eb9940d76e03004
-  languageName: node
-  linkType: hard
-
-"@embroider/shared-internals@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "@embroider/shared-internals@npm:2.0.0"
-  dependencies:
-    babel-import-util: ^1.1.0
-    ember-rfc176-data: ^0.3.17
-    fs-extra: ^9.1.0
-    js-string-escape: ^1.0.1
-    lodash: ^4.17.21
-    resolve-package-path: ^4.0.1
-    semver: ^7.3.5
-    typescript-memoize: ^1.0.1
-  checksum: 19d2754182b9e1373177843a354852c82b35d71af66edcdf0662597442062e5f5f51adbdf7a63a263ee0052064c222ff33ddb983ec3f17b68b7275de8de3680e
-  languageName: node
-  linkType: hard
-
-"@embroider/shared-internals@npm:^2.2.3":
-  version: 2.2.3
-  resolution: "@embroider/shared-internals@npm:2.2.3"
-  dependencies:
-    babel-import-util: ^1.1.0
-    ember-rfc176-data: ^0.3.17
-    fs-extra: ^9.1.0
-    js-string-escape: ^1.0.1
-    lodash: ^4.17.21
-    resolve-package-path: ^4.0.1
-    semver: ^7.3.5
-    typescript-memoize: ^1.0.1
-  checksum: bf9f3769af5a66b6e8935257c77fe49678ef0a24ec74b397134598c16f13cd791ac2107008b0ae5dc41d94810f5e15ad318100c03bf1fcb2209a62db966cc483
-  languageName: node
-  linkType: hard
-
-"@embroider/util@npm:^0.39.1 || ^0.40.0 || ^0.41.0 || ^1.0.0, @embroider/util@npm:^1.2.0":
-  version: 1.9.0
-  resolution: "@embroider/util@npm:1.9.0"
-  dependencies:
-    "@embroider/macros": ^1.9.0
-    broccoli-funnel: ^3.0.5
-    ember-cli-babel: ^7.23.1
-  peerDependencies:
-    ember-source: "*"
-  checksum: 0b2c45d11f633b30e36dc87b199ff9e6543597cce2e1c054c0392f9a7685e6845864ad57d404b9d67fb5dfcd4e93282ab8c3bbd7a491488b3ecdaaa7a0777d49
-  languageName: node
-  linkType: hard
-
-"@embroider/util@npm:^1.0.0":
-  version: 1.5.0
-  resolution: "@embroider/util@npm:1.5.0"
-  dependencies:
-    "@embroider/macros": 1.5.0
-    broccoli-funnel: ^3.0.5
-    ember-cli-babel: ^7.23.1
-  peerDependencies:
-    ember-source: "*"
-  checksum: f3656a8ae3df0d3b35a40c867258a621ef28311c5fbd3e8718593fd436e09816cc3331694695e40dcad384bda638986184dbe13d919314189ce31c154eebdd81
-  languageName: node
-  linkType: hard
-
-"@embroider/util@npm:^1.9.0":
-  version: 1.11.2
-  resolution: "@embroider/util@npm:1.11.2"
-  dependencies:
-    "@embroider/macros": ^1.12.3
-    broccoli-funnel: ^3.0.5
-    ember-cli-babel: ^7.26.11
-  peerDependencies:
-    "@glint/environment-ember-loose": ^1.0.0
-    "@glint/template": ^1.0.0
-    ember-source: "*"
-  peerDependenciesMeta:
-    "@glint/environment-ember-loose":
-      optional: true
-    "@glint/template":
-      optional: true
-  checksum: 1d9cc4e5b4d2f8bd3803460771665e251c88b1788791c8a2bb15baab33bb5ec4afd0da1203ed7f4797abb31d9565e5abb0aef2ba6dcfa20368f48dca191a9106
-  languageName: node
-  linkType: hard
-
-"@eslint-community/eslint-utils@npm:^4.2.0":
-  version: 4.4.0
-  resolution: "@eslint-community/eslint-utils@npm:4.4.0"
-  dependencies:
-    eslint-visitor-keys: ^3.3.0
-  peerDependencies:
-    eslint: ^6.0.0 || ^7.0.0 || >=8.0.0
-  checksum: cdfe3ae42b4f572cbfb46d20edafe6f36fc5fb52bf2d90875c58aefe226892b9677fef60820e2832caf864a326fe4fc225714c46e8389ccca04d5f9288aabd22
-  languageName: node
-  linkType: hard
-
-"@eslint-community/regexpp@npm:^4.4.0":
-  version: 4.5.1
-  resolution: "@eslint-community/regexpp@npm:4.5.1"
-  checksum: 6d901166d64998d591fab4db1c2f872981ccd5f6fe066a1ad0a93d4e11855ecae6bfb76660869a469563e8882d4307228cebd41142adb409d182f2966771e57e
-  languageName: node
-  linkType: hard
-
-"@eslint/eslintrc@npm:^1.3.3":
-  version: 1.3.3
-  resolution: "@eslint/eslintrc@npm:1.3.3"
-  dependencies:
-    ajv: ^6.12.4
-    debug: ^4.3.2
-    espree: ^9.4.0
-    globals: ^13.15.0
-    ignore: ^5.2.0
-    import-fresh: ^3.2.1
-    js-yaml: ^4.1.0
-    minimatch: ^3.1.2
-    strip-json-comments: ^3.1.1
-  checksum: f03e9d6727efd3e0719da2051ea80c0c73d20e28c171121527dbb868cd34232ca9c1d0525a66e517a404afea26624b1e47895b6a92474678418c2f50c9566694
-  languageName: node
-  linkType: hard
-
-"@eslint/eslintrc@npm:^2.1.0":
-  version: 2.1.0
-  resolution: "@eslint/eslintrc@npm:2.1.0"
-  dependencies:
-    ajv: ^6.12.4
-    debug: ^4.3.2
-    espree: ^9.6.0
-    globals: ^13.19.0
-    ignore: ^5.2.0
-    import-fresh: ^3.2.1
-    js-yaml: ^4.1.0
-    minimatch: ^3.1.2
-    strip-json-comments: ^3.1.1
-  checksum: d5ed0adbe23f6571d8c9bb0ca6edf7618dc6aed4046aa56df7139f65ae7b578874e0d9c796df784c25bda648ceb754b6320277d828c8b004876d7443b8dc018c
-  languageName: node
-  linkType: hard
-
-"@eslint/js@npm:8.44.0":
-  version: 8.44.0
-  resolution: "@eslint/js@npm:8.44.0"
-  checksum: fc539583226a28f5677356e9f00d2789c34253f076643d2e32888250e509a4e13aafe0880cb2425139051de0f3a48d25bfc5afa96b7304f203b706c17340e3cf
-  languageName: node
-  linkType: hard
-
-"@gar/promisify@npm:^1.1.3":
-  version: 1.1.3
-  resolution: "@gar/promisify@npm:1.1.3"
-  checksum: 4059f790e2d07bf3c3ff3e0fec0daa8144fe35c1f6e0111c9921bd32106adaa97a4ab096ad7dab1e28ee6a9060083c4d1a4ada42a7f5f3f7a96b8812e2b757c1
-  languageName: node
-  linkType: hard
-
-"@glimmer/component@npm:^1.0.4":
-  version: 1.0.4
-  resolution: "@glimmer/component@npm:1.0.4"
-  dependencies:
-    "@glimmer/di": ^0.1.9
-    "@glimmer/env": ^0.1.7
-    "@glimmer/util": ^0.44.0
-    broccoli-file-creator: ^2.1.1
-    broccoli-merge-trees: ^3.0.2
-    ember-cli-babel: ^7.7.3
-    ember-cli-get-component-path-option: ^1.0.0
-    ember-cli-is-package-missing: ^1.0.0
-    ember-cli-normalize-entity-name: ^1.0.0
-    ember-cli-path-utils: ^1.0.0
-    ember-cli-string-utils: ^1.1.0
-    ember-cli-typescript: 3.0.0
-    ember-cli-version-checker: ^3.1.3
-    ember-compatibility-helpers: ^1.1.2
-  checksum: 122009a24f06053647779dc79d4f5cd3ef6d2deac91c92bb3d1dd01a68dd5ef5002efaa48e4abba85287fd2a1aba711dee330cee9b82d283c05763391d10671d
-  languageName: node
-  linkType: hard
-
-"@glimmer/component@npm:^1.1.0, @glimmer/component@npm:^1.1.2":
-  version: 1.1.2
-  resolution: "@glimmer/component@npm:1.1.2"
-  dependencies:
-    "@glimmer/di": ^0.1.9
-    "@glimmer/env": ^0.1.7
-    "@glimmer/util": ^0.44.0
-    broccoli-file-creator: ^2.1.1
-    broccoli-merge-trees: ^3.0.2
-    ember-cli-babel: ^7.7.3
-    ember-cli-get-component-path-option: ^1.0.0
-    ember-cli-is-package-missing: ^1.0.0
-    ember-cli-normalize-entity-name: ^1.0.0
-    ember-cli-path-utils: ^1.0.0
-    ember-cli-string-utils: ^1.1.0
-    ember-cli-typescript: 3.0.0
-    ember-cli-version-checker: ^3.1.3
-    ember-compatibility-helpers: ^1.1.2
-  checksum: 853b998105c1f77cf382b6f6459709515d39d560f2022e948e7b7f6b298b14197e45b20c1cbfca52970c0fef1a80a1bce55aea98c4da2311330d5420291254b7
-  languageName: node
-  linkType: hard
-
-"@glimmer/di@npm:^0.1.9":
-  version: 0.1.11
-  resolution: "@glimmer/di@npm:0.1.11"
-  checksum: c93f6a511cf7f72f3a6824ce075e73952b8f451e4098eda2fc1f45b4b5b1016831459d32f3f298fdc21030cc03ebcc4561ca2780c59562e356519b2a296c5b48
-  languageName: node
-  linkType: hard
-
-"@glimmer/encoder@npm:^0.42.2":
-  version: 0.42.2
-  resolution: "@glimmer/encoder@npm:0.42.2"
-  dependencies:
-    "@glimmer/interfaces": ^0.42.2
-    "@glimmer/vm": ^0.42.2
-  checksum: 1e857e09176a6673c599a7b466b8cb20fde55df3dfd7e2d923ac2e065261ddf2ef82651a64c40c0209bb9fc684abcf6f79ea52e23b9f7463c7a244f0540bce50
-  languageName: node
-  linkType: hard
-
-"@glimmer/env@npm:0.1.7, @glimmer/env@npm:^0.1.7":
-  version: 0.1.7
-  resolution: "@glimmer/env@npm:0.1.7"
-  checksum: d46686da1b21615c177792794ed11f725fbb1c32936d69ca54a3ac40e2314638a529b81afb23759d35cdf36462a7a6b2c02604a366473cd6a8abadfe56e9c335
-  languageName: node
-  linkType: hard
-
-"@glimmer/global-context@npm:0.84.3":
-  version: 0.84.3
-  resolution: "@glimmer/global-context@npm:0.84.3"
-  dependencies:
-    "@glimmer/env": ^0.1.7
-  checksum: 89e699acfa1f23fe8ce8fd48455897781dfd935b7d1ef97d8d268ee38456a69a2ce09bcb18c250f17cb019a16cf0f2e4fdd5b178f9ddc233b42f1cc7e5c85157
-  languageName: node
-  linkType: hard
-
-"@glimmer/interfaces@npm:0.84.3":
-  version: 0.84.3
-  resolution: "@glimmer/interfaces@npm:0.84.3"
-  dependencies:
-    "@simple-dom/interface": ^1.4.0
-  checksum: f6a6757a2fc6fc0a8aeb9c1ce4acaec7adf03b31130c9c3149265a401d8fc4773dfb1ff6a567fc008c669cb3c5b9a94f505c68298f72f283d03a46bc0dcb1121
-  languageName: node
-  linkType: hard
-
-"@glimmer/interfaces@npm:^0.42.2":
-  version: 0.42.2
-  resolution: "@glimmer/interfaces@npm:0.42.2"
-  checksum: c9dfcba6456955d797e5e0746ba69655c0d99a4962adb0de875e8de4e826767bce1c544966468bc9da40468286572966e59ce2c19b3f3879bfd23922b7d57cc6
-  languageName: node
-  linkType: hard
-
-"@glimmer/low-level@npm:^0.42.2":
-  version: 0.42.2
-  resolution: "@glimmer/low-level@npm:0.42.2"
-  checksum: 7d7c5af8d127e588853ad590f4bfa4d06c545b27b86dfee102e036a5cf9a59971d735b8a13f7611cf8c4006c10349e93a15a7eb55e246cb2f047bf2d524b0f6d
-  languageName: node
-  linkType: hard
-
-"@glimmer/program@npm:^0.42.2":
-  version: 0.42.2
-  resolution: "@glimmer/program@npm:0.42.2"
-  dependencies:
-    "@glimmer/encoder": ^0.42.2
-    "@glimmer/interfaces": ^0.42.2
-    "@glimmer/util": ^0.42.2
-  checksum: 570c60a96b96c37c43bfae1fe9c5b29459d0c0c4eadc2da478ccfe38f1a3e3ab5d0dffa05d09ac4828899ccf610b9ff987e5cc76b5491570c16448b82db975aa
-  languageName: node
-  linkType: hard
-
-"@glimmer/reference@npm:^0.42.1, @glimmer/reference@npm:^0.42.2":
-  version: 0.42.2
-  resolution: "@glimmer/reference@npm:0.42.2"
-  dependencies:
-    "@glimmer/util": ^0.42.2
-  checksum: b5b66e2210b429d69a3287fed79b4fb4036282da2f31ea2b8c0a200e452fd21bcb4dff39b031d2cc98646d9443b2b8fb0c910aaf30cc3b0597df0f07532b361d
-  languageName: node
-  linkType: hard
-
-"@glimmer/reference@npm:^0.84.3":
-  version: 0.84.3
-  resolution: "@glimmer/reference@npm:0.84.3"
-  dependencies:
-    "@glimmer/env": ^0.1.7
-    "@glimmer/global-context": 0.84.3
-    "@glimmer/interfaces": 0.84.3
-    "@glimmer/util": 0.84.3
-    "@glimmer/validator": 0.84.3
-  checksum: 856456c1211cb1c1ddc5c48b8aea924f1b1f19625be1984f2bc7147af49d89c70e3f356bf7d299aa519ee53a21ca4c7371277be14218c37d9206e4cac2f05b9e
-  languageName: node
-  linkType: hard
-
-"@glimmer/runtime@npm:^0.42.1":
-  version: 0.42.2
-  resolution: "@glimmer/runtime@npm:0.42.2"
-  dependencies:
-    "@glimmer/interfaces": ^0.42.2
-    "@glimmer/low-level": ^0.42.2
-    "@glimmer/program": ^0.42.2
-    "@glimmer/reference": ^0.42.2
-    "@glimmer/util": ^0.42.2
-    "@glimmer/vm": ^0.42.2
-    "@glimmer/wire-format": ^0.42.2
-  checksum: 45345713e44033fac3fc8356ce5ab1b1e90ff998ed25bdd0b615a45f05574b65b8fc87dbc22ed79a7c8d448f1c634228ab5aa546ea50a2ba878a45453bfe4fe2
-  languageName: node
-  linkType: hard
-
-"@glimmer/syntax@npm:^0.42.1":
-  version: 0.42.2
-  resolution: "@glimmer/syntax@npm:0.42.2"
-  dependencies:
-    "@glimmer/interfaces": ^0.42.2
-    "@glimmer/util": ^0.42.2
-    handlebars: ^4.0.13
-    simple-html-tokenizer: ^0.5.8
-  checksum: 7597a643b88a967fbb85c3c3e0a8f57a4e7a328f78b9605fb31a5ee678531ca0b7935971cab8755af33f2b3ea71836a38e10dffbec259c6ab1ca411c2f1ec80d
-  languageName: node
-  linkType: hard
-
-"@glimmer/syntax@npm:^0.84.2, @glimmer/syntax@npm:^0.84.3":
-  version: 0.84.3
-  resolution: "@glimmer/syntax@npm:0.84.3"
-  dependencies:
-    "@glimmer/interfaces": 0.84.3
-    "@glimmer/util": 0.84.3
-    "@handlebars/parser": ~2.0.0
-    simple-html-tokenizer: ^0.5.11
-  checksum: afadea62f1c54735df723120a94f4da3cb663d762be1c9b130f8d22584ccc93a037198b60759706d3cf0d3658268170eae687dfdc7cb21e5c0a9af7005ebc727
-  languageName: node
-  linkType: hard
-
-"@glimmer/tracking@npm:^1.0.0, @glimmer/tracking@npm:^1.1.2":
-  version: 1.1.2
-  resolution: "@glimmer/tracking@npm:1.1.2"
-  dependencies:
-    "@glimmer/env": ^0.1.7
-    "@glimmer/validator": ^0.44.0
-  checksum: a36aaf70c831fbfd9fb6f6e7b9cacb7130b0dbb87206234cd8e5fcbfa42070cab48d7d9b16eb6918f266ac3ae0414d968b1903b520a69f0eac2a8f303179f8ff
-  languageName: node
-  linkType: hard
-
-"@glimmer/tracking@npm:^1.0.4":
-  version: 1.0.4
-  resolution: "@glimmer/tracking@npm:1.0.4"
-  dependencies:
-    "@glimmer/env": ^0.1.7
-    "@glimmer/validator": ^0.44.0
-  checksum: 5e6359c92a2937f9710d21ad5e2edf2ce579c18e4fc2905940088738cda2ddf1162279bb41248047ced3c948885db346c844556e784eb70ebadb349d0ab587a3
-  languageName: node
-  linkType: hard
-
-"@glimmer/util@npm:0.84.3":
-  version: 0.84.3
-  resolution: "@glimmer/util@npm:0.84.3"
-  dependencies:
-    "@glimmer/env": 0.1.7
-    "@glimmer/interfaces": 0.84.3
-    "@simple-dom/interface": ^1.4.0
-  checksum: d0f8d461a7653a113e630ee45aa57e4efbc33f78ab7b7ce12bdaa699b3513df93a7ffba96b1863883fafe566b650dfb01c4122f79207d6267d1655255b9baa4a
-  languageName: node
-  linkType: hard
-
-"@glimmer/util@npm:^0.42.2":
-  version: 0.42.2
-  resolution: "@glimmer/util@npm:0.42.2"
-  checksum: 996a84c3db284e47202a7daeccce31870a413dd6817a88908ad18484f2cd4559d19c8bc98e921cc00db72db3a1efa52931725abe4c71d4a3bb1bb78a50fb739a
-  languageName: node
-  linkType: hard
-
-"@glimmer/util@npm:^0.44.0":
-  version: 0.44.0
-  resolution: "@glimmer/util@npm:0.44.0"
-  checksum: e1c5f74c265afb2ccdc10e183d6784dc29d2cb98f2aca10b068f3dce29e67a3967c760af750e88e0a2f1c80e2cfc0de5ee6e96bb90dcb97493a2e6f51d36b129
-  languageName: node
-  linkType: hard
-
-"@glimmer/validator@npm:0.84.3, @glimmer/validator@npm:^0.84.3":
-  version: 0.84.3
-  resolution: "@glimmer/validator@npm:0.84.3"
-  dependencies:
-    "@glimmer/env": ^0.1.7
-    "@glimmer/global-context": 0.84.3
-  checksum: 58ac3c49a1a601de8271cfcc0f27415fa2388283ae90dd2b4f785f5ab44fa12506c8b32cfc6c74d69bb60ca27745b4f6707fec07a8dff78f2d9da9f9aecc2afa
-  languageName: node
-  linkType: hard
-
-"@glimmer/validator@npm:^0.44.0":
-  version: 0.44.0
-  resolution: "@glimmer/validator@npm:0.44.0"
-  checksum: c68a169ee196a17a142b2375928d1b5b2bad2f1f7961a9a14b6a5ef0b8d5c66af7004d678502d2ae83f6b69c1745cbcecbf71607b140924dec9da96e413fd8d4
-  languageName: node
-  linkType: hard
-
-"@glimmer/vm-babel-plugins@npm:0.84.2":
-  version: 0.84.2
-  resolution: "@glimmer/vm-babel-plugins@npm:0.84.2"
-  dependencies:
-    babel-plugin-debug-macros: ^0.3.4
-  checksum: 708434ad7535c26592f51d9cbacbc101c379903638d371e1e20d3a3ba7a3932e3a80045a126927e95e553dd2fbde2b3cb4d4f23328e5ff938b39bbe1eb5bb891
-  languageName: node
-  linkType: hard
-
-"@glimmer/vm@npm:^0.42.2":
-  version: 0.42.2
-  resolution: "@glimmer/vm@npm:0.42.2"
-  dependencies:
-    "@glimmer/interfaces": ^0.42.2
-    "@glimmer/util": ^0.42.2
-  checksum: 3adb1963fb5cfe9ee795e10f144ec0ba1c5e9289525a95b3e506d05477da47247f36e01837dbfe5f728d74a6d44f4d62e1a59e7ec9ebdaabf5cbe955c643dc34
-  languageName: node
-  linkType: hard
-
-"@glimmer/wire-format@npm:^0.42.2":
-  version: 0.42.2
-  resolution: "@glimmer/wire-format@npm:0.42.2"
-  dependencies:
-    "@glimmer/interfaces": ^0.42.2
-    "@glimmer/util": ^0.42.2
-  checksum: f1778ba0ec24a41f15b55e328854d9e9dbd3371269bc6912b633b5487f52f725a8f12b0ef9ba4b9614633b89abdc2b02ee7a25a07b28ab2452ffe6b854589adb
-  languageName: node
-  linkType: hard
-
-"@handlebars/parser@npm:~2.0.0":
-  version: 2.0.0
-  resolution: "@handlebars/parser@npm:2.0.0"
-  checksum: add32d6678b18db73fb88266138bc358abf94c255f4464b936b5b66e3108205c6cc3b611a726e0a691633552b94c0f9f65aed43fd4c51ecbbfb562179c967d88
-  languageName: node
-  linkType: hard
-
-"@hashicorp/design-system-components@npm:^2.13.0":
-  version: 2.13.0
-  resolution: "@hashicorp/design-system-components@npm:2.13.0"
-  dependencies:
-    "@ember/render-modifiers": ^2.0.5
-    "@ember/test-waiters": ^3.0.2
-    "@hashicorp/design-system-tokens": ^1.9.0
-    "@hashicorp/ember-flight-icons": ^3.1.3
-    dialog-polyfill: ^0.5.6
-    ember-a11y-refocus: ^3.0.2
-    ember-auto-import: ^2.6.3
-    ember-cached-decorator-polyfill: ^0.1.4
-    ember-cli-babel: ^7.26.11
-    ember-cli-clipboard: ^1.0.0
-    ember-cli-htmlbars: ^6.2.0
-    ember-cli-sass: ^10.0.1
-    ember-composable-helpers: ^4.5.0
-    ember-focus-trap: ^1.0.2
-    ember-keyboard: ^8.2.0
-    ember-stargate: ^0.4.3
-    ember-style-modifier: ^3.0.1
-    ember-truth-helpers: ^3.1.1
-    sass: ^1.62.1
-    tippy.js: ^6.3.7
-  checksum: 20171b9c3f581214b36205a7a0f5b4a1e37866058a7bfd9d07d51269bcf413da551bcd0738a248de881671e918a32717ebbfd8bedb7534b11de96b5284e3beb9
-  languageName: node
-  linkType: hard
-
-"@hashicorp/design-system-tokens@npm:^1.9.0":
-  version: 1.9.0
-  resolution: "@hashicorp/design-system-tokens@npm:1.9.0"
-  checksum: 72da214205dfca9e49726745e18f8a19674d36d656bd2e4ff3fec42b2ce06fbbba0ad673e6ec2333128e1b9bf67bfac2e4dd792ea37a1534a5040e6a4481855e
-  languageName: node
-  linkType: hard
-
-"@hashicorp/ember-flight-icons@npm:^3.1.3":
-  version: 3.1.3
-  resolution: "@hashicorp/ember-flight-icons@npm:3.1.3"
-  dependencies:
-    "@hashicorp/flight-icons": ^2.20.0
-    ember-auto-import: ^2.6.3
-    ember-cli-babel: ^7.26.11
-    ember-cli-htmlbars: ^6.2.0
-  checksum: 196dec75deb983cbfeae6738c5bba7482f645d8ad419b1ab79c0f12f64d0f06e9c7ffb01ce13540e80aabb5ceb490c05c6cd56a7b25ceb3413ebe8274889a298
-  languageName: node
-  linkType: hard
-
-"@hashicorp/flight-icons@npm:^2.20.0":
-  version: 2.20.0
-  resolution: "@hashicorp/flight-icons@npm:2.20.0"
-  checksum: 4ec750e46cd780f007a5046e4cd2cf9e69f946ef131d30b3090c24616c2c0a407f327d0135ebbb0af6578cfdbbb65ab59b18c6ab95599ec04ed2a04827aa24ec
-  languageName: node
-  linkType: hard
-
-"@hashicorp/structure-icons@npm:^1.3.0":
-  version: 1.8.1
-  resolution: "@hashicorp/structure-icons@npm:1.8.1"
-  checksum: 578afba4c884a32c196e87cfa22f66482faf0bd9ccf78591e8d16dedec1eff60e95d90858b0607e7a0136922c551f5649bcfc4d6557b27e2688f2c78434c12cd
-  languageName: node
-  linkType: hard
-
-"@humanwhocodes/config-array@npm:^0.11.10":
-  version: 0.11.10
-  resolution: "@humanwhocodes/config-array@npm:0.11.10"
-  dependencies:
-    "@humanwhocodes/object-schema": ^1.2.1
-    debug: ^4.1.1
-    minimatch: ^3.0.5
-  checksum: 1b1302e2403d0e35bc43e66d67a2b36b0ad1119efc704b5faff68c41f791a052355b010fb2d27ef022670f550de24cd6d08d5ecf0821c16326b7dcd0ee5d5d8a
-  languageName: node
-  linkType: hard
-
-"@humanwhocodes/config-array@npm:^0.11.6":
-  version: 0.11.7
-  resolution: "@humanwhocodes/config-array@npm:0.11.7"
-  dependencies:
-    "@humanwhocodes/object-schema": ^1.2.1
-    debug: ^4.1.1
-    minimatch: ^3.0.5
-  checksum: cf506dc45d9488af7fbf108ea6ac2151ba1a25e6d2b94b9b4fc36d2c1e4099b89ff560296dbfa13947e44604d4ca4a90d97a4fb167370bf8dd01a6ca2b6d83ac
-  languageName: node
-  linkType: hard
-
-"@humanwhocodes/module-importer@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "@humanwhocodes/module-importer@npm:1.0.1"
-  checksum: 0fd22007db8034a2cdf2c764b140d37d9020bbfce8a49d3ec5c05290e77d4b0263b1b972b752df8c89e5eaa94073408f2b7d977aed131faf6cf396ebb5d7fb61
-  languageName: node
-  linkType: hard
-
-"@humanwhocodes/object-schema@npm:^1.2.1":
-  version: 1.2.1
-  resolution: "@humanwhocodes/object-schema@npm:1.2.1"
-  checksum: a824a1ec31591231e4bad5787641f59e9633827d0a2eaae131a288d33c9ef0290bd16fda8da6f7c0fcb014147865d12118df10db57f27f41e20da92369fcb3f1
-  languageName: node
-  linkType: hard
-
-"@icholy/duration@npm:^5.1.0":
-  version: 5.1.0
-  resolution: "@icholy/duration@npm:5.1.0"
-  checksum: 48c7c23697a510944bfc52cf0d354eba2b65d14633f910f2dc4c2a5e10e078d3b70bed9b310c37a574f0e6863084aa6cc65518cfc4af5cb2174605c7aad33352
-  languageName: node
-  linkType: hard
-
-"@jridgewell/gen-mapping@npm:^0.3.0":
-  version: 0.3.1
-  resolution: "@jridgewell/gen-mapping@npm:0.3.1"
-  dependencies:
-    "@jridgewell/set-array": ^1.0.0
-    "@jridgewell/sourcemap-codec": ^1.4.10
-    "@jridgewell/trace-mapping": ^0.3.9
-  checksum: e9e7bb3335dea9e60872089761d4e8e089597360cdb1af90370e9d53b7d67232c1e0a3ab65fbfef4fc785745193fbc56bff9f3a6cab6c6ce3f15e12b4191f86b
-  languageName: node
-  linkType: hard
-
-"@jridgewell/gen-mapping@npm:^0.3.2":
-  version: 0.3.2
-  resolution: "@jridgewell/gen-mapping@npm:0.3.2"
-  dependencies:
-    "@jridgewell/set-array": ^1.0.1
-    "@jridgewell/sourcemap-codec": ^1.4.10
-    "@jridgewell/trace-mapping": ^0.3.9
-  checksum: 1832707a1c476afebe4d0fbbd4b9434fdb51a4c3e009ab1e9938648e21b7a97049fa6009393bdf05cab7504108413441df26d8a3c12193996e65493a4efb6882
-  languageName: node
-  linkType: hard
-
-"@jridgewell/resolve-uri@npm:3.1.0":
-  version: 3.1.0
-  resolution: "@jridgewell/resolve-uri@npm:3.1.0"
-  checksum: b5ceaaf9a110fcb2780d1d8f8d4a0bfd216702f31c988d8042e5f8fbe353c55d9b0f55a1733afdc64806f8e79c485d2464680ac48a0d9fcadb9548ee6b81d267
-  languageName: node
-  linkType: hard
-
-"@jridgewell/resolve-uri@npm:^3.0.3":
-  version: 3.0.5
-  resolution: "@jridgewell/resolve-uri@npm:3.0.5"
-  checksum: 1ee652b693da7979ac4007926cc3f0a32b657ffeb913e111f44e5b67153d94a2f28a1d560101cc0cf8087625468293a69a00f634a2914e1a6d0817ba2039a913
-  languageName: node
-  linkType: hard
-
-"@jridgewell/set-array@npm:^1.0.0":
-  version: 1.1.1
-  resolution: "@jridgewell/set-array@npm:1.1.1"
-  checksum: cc5d91e0381c347e3edee4ca90b3c292df9e6e55f29acbe0dd97de8651b4730e9ab761406fd572effa79972a0edc55647b627f8c72315e276d959508853d9bf2
-  languageName: node
-  linkType: hard
-
-"@jridgewell/set-array@npm:^1.0.1":
-  version: 1.1.2
-  resolution: "@jridgewell/set-array@npm:1.1.2"
-  checksum: 69a84d5980385f396ff60a175f7177af0b8da4ddb81824cb7016a9ef914eee9806c72b6b65942003c63f7983d4f39a5c6c27185bbca88eb4690b62075602e28e
-  languageName: node
-  linkType: hard
-
-"@jridgewell/source-map@npm:^0.3.2":
-  version: 0.3.2
-  resolution: "@jridgewell/source-map@npm:0.3.2"
-  dependencies:
-    "@jridgewell/gen-mapping": ^0.3.0
-    "@jridgewell/trace-mapping": ^0.3.9
-  checksum: 1b83f0eb944e77b70559a394d5d3b3f98a81fcc186946aceb3ef42d036762b52ef71493c6c0a3b7c1d2f08785f53ba2df1277fe629a06e6109588ff4cdcf7482
-  languageName: node
-  linkType: hard
-
-"@jridgewell/sourcemap-codec@npm:1.4.14":
-  version: 1.4.14
-  resolution: "@jridgewell/sourcemap-codec@npm:1.4.14"
-  checksum: 61100637b6d173d3ba786a5dff019e1a74b1f394f323c1fee337ff390239f053b87266c7a948777f4b1ee68c01a8ad0ab61e5ff4abb5a012a0b091bec391ab97
-  languageName: node
-  linkType: hard
-
-"@jridgewell/sourcemap-codec@npm:^1.4.10":
-  version: 1.4.11
-  resolution: "@jridgewell/sourcemap-codec@npm:1.4.11"
-  checksum: 3b2afaf8400fb07a36db60e901fcce6a746cdec587310ee9035939d89878e57b2dec8173b0b8f63176f647efa352294049a53c49739098eb907ff81fec2547c8
-  languageName: node
-  linkType: hard
-
-"@jridgewell/sourcemap-codec@npm:^1.4.13":
-  version: 1.4.15
-  resolution: "@jridgewell/sourcemap-codec@npm:1.4.15"
-  checksum: b881c7e503db3fc7f3c1f35a1dd2655a188cc51a3612d76efc8a6eb74728bef5606e6758ee77423e564092b4a518aba569bbb21c9bac5ab7a35b0c6ae7e344c8
-  languageName: node
-  linkType: hard
-
-"@jridgewell/trace-mapping@npm:^0.3.0":
-  version: 0.3.4
-  resolution: "@jridgewell/trace-mapping@npm:0.3.4"
-  dependencies:
-    "@jridgewell/resolve-uri": ^3.0.3
-    "@jridgewell/sourcemap-codec": ^1.4.10
-  checksum: ab8bce84bbbc8c34f3ba8325ed926f8f2d3098983c10442a80c55764c4eb6e47d5b92d8ff20a0dd868c3e76a3535651fd8a0138182c290dbfc8396195685c37b
-  languageName: node
-  linkType: hard
-
-"@jridgewell/trace-mapping@npm:^0.3.17":
-  version: 0.3.18
-  resolution: "@jridgewell/trace-mapping@npm:0.3.18"
-  dependencies:
-    "@jridgewell/resolve-uri": 3.1.0
-    "@jridgewell/sourcemap-codec": 1.4.14
-  checksum: 0572669f855260808c16fe8f78f5f1b4356463b11d3f2c7c0b5580c8ba1cbf4ae53efe9f627595830856e57dbac2325ac17eb0c3dd0ec42102e6f227cc289c02
-  languageName: node
-  linkType: hard
-
-"@jridgewell/trace-mapping@npm:^0.3.7, @jridgewell/trace-mapping@npm:^0.3.9":
-  version: 0.3.13
-  resolution: "@jridgewell/trace-mapping@npm:0.3.13"
-  dependencies:
-    "@jridgewell/resolve-uri": ^3.0.3
-    "@jridgewell/sourcemap-codec": ^1.4.10
-  checksum: e38254e830472248ca10a6ed1ae75af5e8514f0680245a5e7b53bc3c030fd8691d4d3115d80595b45d3badead68269769ed47ecbbdd67db1343a11f05700e75a
-  languageName: node
-  linkType: hard
-
-"@lint-todo/utils@npm:^13.0.3":
-  version: 13.0.3
-  resolution: "@lint-todo/utils@npm:13.0.3"
-  dependencies:
-    "@types/eslint": ^7.2.13
-    find-up: ^5.0.0
-    fs-extra: ^9.1.0
-    proper-lockfile: ^4.1.2
-    slash: ^3.0.0
-    tslib: ^2.3.1
-    upath: ^2.0.1
-  checksum: be45ba795e166160a3cfb7fc5f5054cb7c9dd6fe0f5cd39cc15eff7fe70e3c78c8e12b26e97415f1f67e34c80a5d0fafec51b56e725919fabcc7abdf5dfc6244
-  languageName: node
-  linkType: hard
-
-"@mdn/browser-compat-data@npm:^3.3.14":
-  version: 3.3.14
-  resolution: "@mdn/browser-compat-data@npm:3.3.14"
-  checksum: 0363cc9cb3cef308b78b3ba82af0542ad928bacecc95ee1e849c134c3eb866f4771df9fb064fd4da42fdb28e2d6932e0abb6e47ed47fbc42a26a9b0a5aee1e9f
-  languageName: node
-  linkType: hard
-
-"@mdn/browser-compat-data@npm:^4.1.5":
-  version: 4.2.1
-  resolution: "@mdn/browser-compat-data@npm:4.2.1"
-  checksum: 76eaa7dafed154040e769ba6d23f2dcb58e805ed3ccb376a5c4b76326c92643753c20194faed363870800dc3c1af26c107b8562710c8bb37aaee8c5ffe2a89cd
-  languageName: node
-  linkType: hard
-
-"@messageformat/core@npm:^3.0.1":
-  version: 3.0.1
-  resolution: "@messageformat/core@npm:3.0.1"
-  dependencies:
-    "@messageformat/date-skeleton": ^1.0.0
-    "@messageformat/number-skeleton": ^1.0.0
-    "@messageformat/parser": ^5.0.0
-    "@messageformat/runtime": ^3.0.1
-    make-plural: ^7.0.0
-    safe-identifier: ^0.4.1
-  checksum: f08c982d54ef2ddf32de2a3425746e6efd37ce63154f97ff038edb1e02eb4e3e4c39f2aa42ef3d036e2f1b61eee0a2589e76158b0b91510355ef8348f2f8252f
-  languageName: node
-  linkType: hard
-
-"@messageformat/date-skeleton@npm:^1.0.0":
-  version: 1.0.1
-  resolution: "@messageformat/date-skeleton@npm:1.0.1"
-  checksum: 0832029a18ae54c81d4473eaa764cebbabe084d1a3253a6d4975e5802bff7416a51d43522aad9292eb9663735282a7667e2818efc92905c497ca87424d822ceb
-  languageName: node
-  linkType: hard
-
-"@messageformat/number-skeleton@npm:^1.0.0":
-  version: 1.1.0
-  resolution: "@messageformat/number-skeleton@npm:1.1.0"
-  checksum: 03cf337ef4b95782546e8e2c831f7d2f1310ee9f49635adeef1259c17256c91cb68a59fb97b76a59fddaac284ee739c0a0e0003bcec8d92f6ff156a240a6c23f
-  languageName: node
-  linkType: hard
-
-"@messageformat/parser@npm:^5.0.0":
-  version: 5.0.0
-  resolution: "@messageformat/parser@npm:5.0.0"
-  dependencies:
-    moo: ^0.5.1
-  checksum: e595910e8801e17b1e762a1824e4fc97baf6ccc21f5f896d6eae3e537ca2eaed0f699ac20b44d03c38ad20340b57ef0f7c7cf056213d31dd156e65b4d030c8c0
-  languageName: node
-  linkType: hard
-
-"@messageformat/runtime@npm:^3.0.1":
-  version: 3.0.1
-  resolution: "@messageformat/runtime@npm:3.0.1"
-  dependencies:
-    make-plural: ^7.0.0
-  checksum: e69c3b0b372e15af88c285f6884ac0e3ba5fc7227b8ddc7f4bef94cb5675057126dc0ae9001e2a623d7ec61727d9b5e69b8e61be8618afe0baf40081ad3b0568
-  languageName: node
-  linkType: hard
-
-"@miragejs/pretender-node-polyfill@npm:^0.1.0":
-  version: 0.1.2
-  resolution: "@miragejs/pretender-node-polyfill@npm:0.1.2"
-  checksum: bb55983a253dc0d4162acac090b062500595c9844bfbd21fe25bc1f926808d0070d710e622aa6285fa16c673a65cf3e05f4b32e888c469f1bde8888a7934ee44
-  languageName: node
-  linkType: hard
-
-"@nicolo-ribaudo/eslint-scope-5-internals@npm:5.1.1-v1":
-  version: 5.1.1-v1
-  resolution: "@nicolo-ribaudo/eslint-scope-5-internals@npm:5.1.1-v1"
-  dependencies:
-    eslint-scope: 5.1.1
-  checksum: f2e3b2d6a6e2d9f163ca22105910c9f850dc4897af0aea3ef0a5886b63d8e1ba6505b71c99cb78a3bba24a09557d601eb21c8dede3f3213753fcfef364eb0e57
-  languageName: node
-  linkType: hard
-
-"@nodelib/fs.scandir@npm:2.1.4":
-  version: 2.1.4
-  resolution: "@nodelib/fs.scandir@npm:2.1.4"
-  dependencies:
-    "@nodelib/fs.stat": 2.0.4
-    run-parallel: ^1.1.9
-  checksum: 18c2150ab52a042bd65babe5b70106e6586dc036644131c33d253ff99e5eeef2e65858ab40161530a6f22b512a65e7c7629f0f1e0f35c00ee4c606f960d375ba
-  languageName: node
-  linkType: hard
-
-"@nodelib/fs.scandir@npm:2.1.5":
-  version: 2.1.5
-  resolution: "@nodelib/fs.scandir@npm:2.1.5"
-  dependencies:
-    "@nodelib/fs.stat": 2.0.5
-    run-parallel: ^1.1.9
-  checksum: a970d595bd23c66c880e0ef1817791432dbb7acbb8d44b7e7d0e7a22f4521260d4a83f7f9fd61d44fda4610105577f8f58a60718105fb38352baed612fd79e59
-  languageName: node
-  linkType: hard
-
-"@nodelib/fs.stat@npm:2.0.4, @nodelib/fs.stat@npm:^2.0.2":
-  version: 2.0.4
-  resolution: "@nodelib/fs.stat@npm:2.0.4"
-  checksum: d0d9745f878816d041a8b36faf5797d88ba961274178f0ad1f7fe0efef8118ca9bd0e43e4d0d85a9af911bd35122ec1580e626a83d7595fc4d60f2c1c70e2665
-  languageName: node
-  linkType: hard
-
-"@nodelib/fs.stat@npm:2.0.5":
-  version: 2.0.5
-  resolution: "@nodelib/fs.stat@npm:2.0.5"
-  checksum: 012480b5ca9d97bff9261571dbbec7bbc6033f69cc92908bc1ecfad0792361a5a1994bc48674b9ef76419d056a03efadfce5a6cf6dbc0a36559571a7a483f6f0
-  languageName: node
-  linkType: hard
-
-"@nodelib/fs.walk@npm:^1.2.3":
-  version: 1.2.6
-  resolution: "@nodelib/fs.walk@npm:1.2.6"
-  dependencies:
-    "@nodelib/fs.scandir": 2.1.4
-    fastq: ^1.6.0
-  checksum: d156901823b3d3de368ad68047a964523e0ce5f796c0aa7712443b1f748d8e7fc24ce2c0f18d22a177e1f1c6092bca609ab5e4cb1792c41cdc8a6989bc391139
-  languageName: node
-  linkType: hard
-
-"@nodelib/fs.walk@npm:^1.2.8":
-  version: 1.2.8
-  resolution: "@nodelib/fs.walk@npm:1.2.8"
-  dependencies:
-    "@nodelib/fs.scandir": 2.1.5
-    fastq: ^1.6.0
-  checksum: 190c643f156d8f8f277bf2a6078af1ffde1fd43f498f187c2db24d35b4b4b5785c02c7dc52e356497b9a1b65b13edc996de08de0b961c32844364da02986dc53
-  languageName: node
-  linkType: hard
-
-"@npmcli/fs@npm:^2.1.0":
-  version: 2.1.2
-  resolution: "@npmcli/fs@npm:2.1.2"
-  dependencies:
-    "@gar/promisify": ^1.1.3
-    semver: ^7.3.5
-  checksum: 405074965e72d4c9d728931b64d2d38e6ea12066d4fad651ac253d175e413c06fe4350970c783db0d749181da8fe49c42d3880bd1cbc12cd68e3a7964d820225
-  languageName: node
-  linkType: hard
-
-"@npmcli/move-file@npm:^2.0.0":
-  version: 2.0.1
-  resolution: "@npmcli/move-file@npm:2.0.1"
-  dependencies:
-    mkdirp: ^1.0.4
-    rimraf: ^3.0.2
-  checksum: 52dc02259d98da517fae4cb3a0a3850227bdae4939dda1980b788a7670636ca2b4a01b58df03dd5f65c1e3cb70c50fa8ce5762b582b3f499ec30ee5ce1fd9380
-  languageName: node
-  linkType: hard
-
-"@popperjs/core@npm:^2.9.0":
-  version: 2.11.8
-  resolution: "@popperjs/core@npm:2.11.8"
-  checksum: e5c69fdebf52a4012f6a1f14817ca8e9599cb1be73dd1387e1785e2ed5e5f0862ff817f420a87c7fc532add1f88a12e25aeb010ffcbdc98eace3d55ce2139cf0
-  languageName: node
-  linkType: hard
-
-"@prettier/eslint@npm:prettier-eslint@^15.0.1":
-  version: 15.0.1
-  resolution: "prettier-eslint@npm:15.0.1"
-  dependencies:
-    "@types/eslint": ^8.4.2
-    "@types/prettier": ^2.6.0
-    "@typescript-eslint/parser": ^5.10.0
-    common-tags: ^1.4.0
-    dlv: ^1.1.0
-    eslint: ^8.7.0
-    indent-string: ^4.0.0
-    lodash.merge: ^4.6.0
-    loglevel-colored-level-prefix: ^1.0.0
-    prettier: ^2.5.1
-    pretty-format: ^23.0.1
-    require-relative: ^0.8.7
-    typescript: ^4.5.4
-    vue-eslint-parser: ^8.0.1
-  checksum: fad92d666ab92f6c773faf507ee15f2c0de8c8ac2b692a57a7c0621202f90d9e577f2664d8a701ec3b96bec3ecba586e49c3d9170de9392c0ee7c3362fdddcae
-  languageName: node
-  linkType: hard
-
-"@rollup/plugin-replace@npm:2.3.0":
-  version: 2.3.0
-  resolution: "@rollup/plugin-replace@npm:2.3.0"
-  dependencies:
-    magic-string: ^0.25.2
-    rollup-pluginutils: ^2.6.0
-  peerDependencies:
-    rollup: ^1.20.0
-  checksum: 561e483398d15f594ebc87fda2760a5528da9abfa1fe1c3865280e18201fafb4e60587dc38e8b7781b15db10acc39da5f6ec700ac129fc931d31c060b304b96b
-  languageName: node
-  linkType: hard
-
-"@simple-dom/interface@npm:^1.4.0":
-  version: 1.4.0
-  resolution: "@simple-dom/interface@npm:1.4.0"
-  checksum: e0ce8b6174208c5a369c2650094d16080230bf90cb95cc8258f9fd6b93be8afedbffb9d63da7f1d295a4e8d901f5fff907a69e1d55556db9e8544f2615b2f1d7
-  languageName: node
-  linkType: hard
-
-"@sinonjs/commons@npm:^1, @sinonjs/commons@npm:^1.3.0, @sinonjs/commons@npm:^1.4.0, @sinonjs/commons@npm:^1.7.0":
-  version: 1.8.3
-  resolution: "@sinonjs/commons@npm:1.8.3"
-  dependencies:
-    type-detect: 4.0.8
-  checksum: 6159726db5ce6bf9f2297f8427f7ca5b3dff45b31e5cee23496f1fa6ef0bb4eab878b23fb2c5e6446381f6a66aba4968ef2fc255c1180d753d4b8c271636a2e5
-  languageName: node
-  linkType: hard
-
-"@sinonjs/formatio@npm:^3.2.1":
-  version: 3.2.2
-  resolution: "@sinonjs/formatio@npm:3.2.2"
-  dependencies:
-    "@sinonjs/commons": ^1
-    "@sinonjs/samsam": ^3.1.0
-  checksum: ddc30698df9b0aa59204da93ca94fd04bc5672ac03c798c0a487c35d514d7d8e0ce0e4c72386fc80e29f59cb1cc54eeea3b7f804281b3c4e3dd2394de56c6e4a
-  languageName: node
-  linkType: hard
-
-"@sinonjs/samsam@npm:^3.1.0, @sinonjs/samsam@npm:^3.3.3":
-  version: 3.3.3
-  resolution: "@sinonjs/samsam@npm:3.3.3"
-  dependencies:
-    "@sinonjs/commons": ^1.3.0
-    array-from: ^2.1.1
-    lodash: ^4.17.15
-  checksum: 340f2f62dec3fa1e5e9300a75996bd12ab9d2da4f6b453fa5d1ee101cc5e58eb218af2e2584b496d41ba31c3c0854d47a691fd9a0d8b9092f3cb6a5c7a080856
-  languageName: node
-  linkType: hard
-
-"@sinonjs/text-encoding@npm:^0.7.1":
-  version: 0.7.1
-  resolution: "@sinonjs/text-encoding@npm:0.7.1"
-  checksum: 130de0bb568c5f8a611ec21d1a4e3f80ab0c5ec333010f49cfc1adc5cba6d8808699c8a587a46b0f0b016a1f4c1389bc96141e773e8460fcbb441875b2e91ba7
-  languageName: node
-  linkType: hard
-
-"@socket.io/component-emitter@npm:~3.1.0":
-  version: 3.1.0
-  resolution: "@socket.io/component-emitter@npm:3.1.0"
-  checksum: db069d95425b419de1514dffe945cc439795f6a8ef5b9465715acf5b8b50798e2c91b8719cbf5434b3fe7de179d6cdcd503c277b7871cb3dd03febb69bdd50fa
-  languageName: node
-  linkType: hard
-
-"@textlint/ast-node-types@npm:^12.1.1":
-  version: 12.1.1
-  resolution: "@textlint/ast-node-types@npm:12.1.1"
-  checksum: 6ccae9ac7f43cb172142098a3764c490feea311a741aa3fe981d6d3a1e06041d179e690b54b920dcaa067453f3220d46e6935728e4c9d72233f735f27410e86f
-  languageName: node
-  linkType: hard
-
-"@textlint/markdown-to-ast@npm:^12.1.1":
-  version: 12.1.1
-  resolution: "@textlint/markdown-to-ast@npm:12.1.1"
-  dependencies:
-    "@textlint/ast-node-types": ^12.1.1
-    debug: ^4.3.3
-    remark-footnotes: ^3.0.0
-    remark-frontmatter: ^3.0.0
-    remark-gfm: ^1.0.0
-    remark-parse: ^9.0.0
-    traverse: ^0.6.6
-    unified: ^9.2.2
-  checksum: c857a9e3b26fd96486cf96914c15c20d68d7d1b2f201295a75acec1ccc14725a54d76e9f9311170f56dd43a1666ac3a69b85f7e794af915bc6e23953cd5921a9
-  languageName: node
-  linkType: hard
-
-"@tootallnate/once@npm:2":
-  version: 2.0.0
-  resolution: "@tootallnate/once@npm:2.0.0"
-  checksum: ad87447820dd3f24825d2d947ebc03072b20a42bfc96cbafec16bff8bbda6c1a81fcb0be56d5b21968560c5359a0af4038a68ba150c3e1694fe4c109a063bed8
-  languageName: node
-  linkType: hard
-
-"@tsconfig/ember@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "@tsconfig/ember@npm:1.0.1"
-  checksum: e53968a3ebcb099f13da1377c3216a48af7e20d5489f7dbb2e3297def30b5cc5390db7b632fa6d0fa98e52e6e3c636c5fb2a2b6b1850c2475d5e87a26739b2e6
-  languageName: node
-  linkType: hard
-
-"@types/acorn@npm:^4.0.3":
-  version: 4.0.5
-  resolution: "@types/acorn@npm:4.0.5"
-  dependencies:
-    "@types/estree": "*"
-  checksum: 2079630adff1224120ac40c2f503fe602582d9d84f732a32550c7bbd0c87741a88bc5bc4cdba7888211d04bfa9fcb09c7c211889aa6c15ddb0150a30a36955ae
-  languageName: node
-  linkType: hard
-
-"@types/body-parser@npm:*":
-  version: 1.19.0
-  resolution: "@types/body-parser@npm:1.19.0"
-  dependencies:
-    "@types/connect": "*"
-    "@types/node": "*"
-  checksum: 15043566f1909e2a08dabb0a5d2642f8988545a1369bc5995fc40ee90c95200da2aa66f9240fcb19fc6af6ff4e27ff453f311b49363c14bb308c308c0751ca9b
-  languageName: node
-  linkType: hard
-
-"@types/broccoli-plugin@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "@types/broccoli-plugin@npm:3.0.0"
-  dependencies:
-    broccoli-plugin: "*"
-  checksum: c5daf3b3ff689a00fa18c90c08e2998c373b7ee11235fcd63ad5ad03ff5d9b844f2b84fca966682490853a443714db4d2f0b389208478a0c1d4e7666f85ca04f
-  languageName: node
-  linkType: hard
-
-"@types/chai-as-promised@npm:^7.1.2":
-  version: 7.1.3
-  resolution: "@types/chai-as-promised@npm:7.1.3"
-  dependencies:
-    "@types/chai": "*"
-  checksum: cf0232eb7bc450fc37c8f4688c91ef86528fb994f67036480cba4679299a99ad65a3a2dcaf34c748b30c0cf9f392761f11cee2a9f5c8e26d9ca07ae934aa4465
-  languageName: node
-  linkType: hard
-
-"@types/chai@npm:*, @types/chai@npm:^4.2.9":
-  version: 4.2.17
-  resolution: "@types/chai@npm:4.2.17"
-  checksum: a5657eea35d797d494cca1b479499ff129a051c7a74e4cbeb2a0660d9a263541c24f4bda9d827f806f36f90e0b46038069bad3eac7559c40f59f212ff09696f0
-  languageName: node
-  linkType: hard
-
-"@types/connect@npm:*":
-  version: 3.4.34
-  resolution: "@types/connect@npm:3.4.34"
-  dependencies:
-    "@types/node": "*"
-  checksum: c6e2aa299cf3979c00602f48ce9163700f0cbfec6ba2a8e1506d08f51da0279805a478ea094252fad7c369a563ee033b359c708ab34b1763397c58d7e2df07ad
-  languageName: node
-  linkType: hard
-
-"@types/cookie@npm:^0.4.1":
-  version: 0.4.1
-  resolution: "@types/cookie@npm:0.4.1"
-  checksum: 3275534ed69a76c68eb1a77d547d75f99fedc80befb75a3d1d03662fb08d697e6f8b1274e12af1a74c6896071b11510631ba891f64d30c78528d0ec45a9c1a18
-  languageName: node
-  linkType: hard
-
-"@types/cors@npm:^2.8.12":
-  version: 2.8.12
-  resolution: "@types/cors@npm:2.8.12"
-  checksum: 8c45f112c7d1d2d831b4b266f2e6ed33a1887a35dcbfe2a18b28370751fababb7cd045e745ef84a523c33a25932678097bf79afaa367c6cb3fa0daa7a6438257
-  languageName: node
-  linkType: hard
-
-"@types/ember-data@npm:*, @types/ember-data@npm:^4.4.6":
-  version: 4.4.6
-  resolution: "@types/ember-data@npm:4.4.6"
-  dependencies:
-    "@types/ember": "*"
-    "@types/ember__error": "*"
-    "@types/ember__object": "*"
-    "@types/rsvp": "*"
-  checksum: 641f43f5c82aab651ef00555ffe07cdf8c1e0ac581ade582479e48b3e89a258efbf083391b20b723c239eadac0418b1eb4c3ce14ec9a61477ac33f758379fae7
-  languageName: node
-  linkType: hard
-
-"@types/ember-data__adapter@npm:^4.0.1":
-  version: 4.0.1
-  resolution: "@types/ember-data__adapter@npm:4.0.1"
-  dependencies:
-    "@types/ember-data": "*"
-  checksum: 5636fc85c2b7496d608af5494d1c6b82a3bf7f0d88f9037824bf203b0e4e167805544eebef63e019991a5a388e567851b211a041f4b3d12ddb1881748e5a65a9
-  languageName: node
-  linkType: hard
-
-"@types/ember-data__model@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "@types/ember-data__model@npm:4.0.0"
-  dependencies:
-    "@types/ember-data": "*"
-  checksum: 6a46583608af66018c9ce88d2d3cbe21f5526f479f9a442d3d3a0ab69f282437b8478fbcca4bafa9236c9e5cbc4ffe7ddadd2e1a6a81d6b58ebe553011970485
-  languageName: node
-  linkType: hard
-
-"@types/ember-data__serializer@npm:^4.0.1":
-  version: 4.0.1
-  resolution: "@types/ember-data__serializer@npm:4.0.1"
-  dependencies:
-    "@types/ember-data": "*"
-  checksum: e2e14b8c99a3d33bff69aee1bdaf1b90fc5e87482fc49a22f4ff0aa9892494a0f8c72231ac600e8686d77598579c524587319f76520ce59b8a9ac3895a1de1e3
-  languageName: node
-  linkType: hard
-
-"@types/ember-data__store@npm:^4.0.2":
-  version: 4.0.2
-  resolution: "@types/ember-data__store@npm:4.0.2"
-  dependencies:
-    "@types/ember-data": "*"
-  checksum: 7b1ac271ab4fc327d495fd2abe32f780660c4daa5b2e3f720d61776dd235b7f9b8ea46d1b9b523f14975e0e2c7d3aa13990cd116a13440c8f43fa9e389393337
-  languageName: node
-  linkType: hard
-
-"@types/ember-qunit@npm:^5.0.2":
-  version: 5.0.2
-  resolution: "@types/ember-qunit@npm:5.0.2"
-  dependencies:
-    "@types/ember-resolver": "*"
-    "@types/ember__test": "*"
-    "@types/ember__test-helpers": "*"
-    "@types/qunit": "*"
-  checksum: f7c6e9e5721e0708e7290e68e2f14b55baa4dd5d27fd3bb760dc380e92aa03d3b7b93da090d40e34d47d85e6d4451a73e7a7f4398708047164bb10e46da60ad2
-  languageName: node
-  linkType: hard
-
-"@types/ember-resolver@npm:*, @types/ember-resolver@npm:^5.0.13":
-  version: 5.0.13
-  resolution: "@types/ember-resolver@npm:5.0.13"
-  dependencies:
-    "@types/ember__object": "*"
-    "@types/ember__owner": "*"
-  checksum: 3ece114d8368768d8198e3156b2df51b4be9d4f9ab8d60f2a1cb63a301b48ec485f51f5ddc8ad9b6f4d3739d252107463ff2508bec559efb7d8593e4975e3f48
-  languageName: node
-  linkType: hard
-
-"@types/ember@npm:*, @types/ember@npm:^4.0.2":
-  version: 4.0.2
-  resolution: "@types/ember@npm:4.0.2"
-  dependencies:
-    "@types/ember__application": "*"
-    "@types/ember__array": "*"
-    "@types/ember__component": "*"
-    "@types/ember__controller": "*"
-    "@types/ember__debug": "*"
-    "@types/ember__engine": "*"
-    "@types/ember__error": "*"
-    "@types/ember__object": "*"
-    "@types/ember__polyfills": "*"
-    "@types/ember__routing": "*"
-    "@types/ember__runloop": "*"
-    "@types/ember__service": "*"
-    "@types/ember__string": "*"
-    "@types/ember__template": "*"
-    "@types/ember__test": "*"
-    "@types/ember__utils": "*"
-    "@types/htmlbars-inline-precompile": "*"
-    "@types/rsvp": "*"
-  checksum: 94d3dfba4209ae66119bd1d1bd3aa00c04184d23393c1cffcaf325d984a9ddc0928956be48061d9ce4a6ab0ff371e917f0313b202aeda74c098a1528e6b8c741
-  languageName: node
-  linkType: hard
-
-"@types/ember__application@npm:*, @types/ember__application@npm:^4.0.4":
-  version: 4.0.4
-  resolution: "@types/ember__application@npm:4.0.4"
-  dependencies:
-    "@glimmer/component": ^1.1.0
-    "@types/ember": "*"
-    "@types/ember__application": "*"
-    "@types/ember__engine": "*"
-    "@types/ember__object": "*"
-    "@types/ember__owner": "*"
-    "@types/ember__routing": "*"
-  checksum: 4d5bd9793409d2814d1a068a1a9ee0db8036efb6975266703f5fcd5da21e4194602585e2343567f9f5dff47649a28e4174c7e6eb446f6285e80a2237344c391a
-  languageName: node
-  linkType: hard
-
-"@types/ember__array@npm:*, @types/ember__array@npm:^4.0.3":
-  version: 4.0.3
-  resolution: "@types/ember__array@npm:4.0.3"
-  dependencies:
-    "@types/ember": "*"
-    "@types/ember__array": "*"
-    "@types/ember__object": "*"
-  checksum: 682104300933d306be946d0d86821469800b9849a51b745b35872d3958dc9d0f6f7d1bd2e5da6d5c26bd0c3184639f94d7bde274a16bb8a6c58cef08ddb8a0a6
-  languageName: node
-  linkType: hard
-
-"@types/ember__component@npm:*, @types/ember__component@npm:^4.0.11":
-  version: 4.0.11
-  resolution: "@types/ember__component@npm:4.0.11"
-  dependencies:
-    "@types/ember": "*"
-    "@types/ember__component": "*"
-    "@types/ember__object": "*"
-  checksum: 8b3a012ab6915f43e5d756883e1a05e5a75514d03e4666702bbfeebe1dfab9d0cebbd377ff38908d097bed977ed5a4c4d0fb709d7f657d31386c1f80bbc6d51c
-  languageName: node
-  linkType: hard
-
-"@types/ember__controller@npm:*, @types/ember__controller@npm:^4.0.3":
-  version: 4.0.3
-  resolution: "@types/ember__controller@npm:4.0.3"
-  dependencies:
-    "@types/ember__object": "*"
-  checksum: 1648b656f4a0cc10a28351d893fa765234bf0d8ab123afe75ba2259b31296840ae00da0328bed19241bfa66c0a59a6d237041493440008cd0a8daf9ef8fd1fa3
-  languageName: node
-  linkType: hard
-
-"@types/ember__debug@npm:*, @types/ember__debug@npm:^4.0.3":
-  version: 4.0.3
-  resolution: "@types/ember__debug@npm:4.0.3"
-  dependencies:
-    "@types/ember__debug": "*"
-    "@types/ember__object": "*"
-    "@types/ember__owner": "*"
-  checksum: 69a31777a6ba3dba0c8733b59e06e3f5eae0350cf9665421fd7adf23b8d9e43abfdc423d615b9ac91a4208c804e59c5d5f2b3000a7ed957bb9114a381536009c
-  languageName: node
-  linkType: hard
-
-"@types/ember__destroyable@npm:^4.0.1":
-  version: 4.0.1
-  resolution: "@types/ember__destroyable@npm:4.0.1"
-  checksum: 5cd5f22cc9f76a841a11f805444af9717d964fe72ad7020cbc211a359b9e4a0447ef08aa3b9fb7b4caed593f7aebb4025bc77338afd3fe5e55a5ae20ca6be948
-  languageName: node
-  linkType: hard
-
-"@types/ember__engine@npm:*, @types/ember__engine@npm:^4.0.4":
-  version: 4.0.4
-  resolution: "@types/ember__engine@npm:4.0.4"
-  dependencies:
-    "@types/ember__engine": "*"
-    "@types/ember__object": "*"
-    "@types/ember__owner": "*"
-  checksum: 1b387a89206263ba26dfc0cc6417e8a3aecbb12af3d16522eeb09c78273da12851c5fca614099070920ec17c51ff50ba31e487d73259ab5673d143956b97d35a
-  languageName: node
-  linkType: hard
-
-"@types/ember__error@npm:*, @types/ember__error@npm:^4.0.1":
-  version: 4.0.1
-  resolution: "@types/ember__error@npm:4.0.1"
-  checksum: b4cd081d0efe57c584fb031c8d2b26b16c1e79e4bd115f289a0db438a134ae6a787d03dbc13fe0d80eec5a87942053e5f4d663a9a86006862a4b131f5a0ffd8e
-  languageName: node
-  linkType: hard
-
-"@types/ember__object@npm:*, @types/ember__object@npm:^4.0.5":
-  version: 4.0.5
-  resolution: "@types/ember__object@npm:4.0.5"
-  dependencies:
-    "@types/ember": "*"
-    "@types/ember__object": "*"
-    "@types/rsvp": "*"
-  checksum: 445b5eef70f37c9f06da284742758e4626a3421c1f2e425bdbc7c9952cff14d8ce539f93d1c83b2836f043d4f10c20524a0ca1c7d58dee5db8f68893c1fd9c1e
-  languageName: node
-  linkType: hard
-
-"@types/ember__owner@npm:*":
-  version: 4.0.2
-  resolution: "@types/ember__owner@npm:4.0.2"
-  checksum: fca38292256a423851231805b07f150a17ff7ab2cf74533507c016d85180d229fe75999bf8c138276c272a8ff74364a88bf77ae6ff322dc16c05598e7d71dcd9
-  languageName: node
-  linkType: hard
-
-"@types/ember__polyfills@npm:*, @types/ember__polyfills@npm:^4.0.1":
-  version: 4.0.1
-  resolution: "@types/ember__polyfills@npm:4.0.1"
-  checksum: a2b6ed3b0637fdeb6d4c93a3a1d5b7902e57124c860bf9bf82f1ea4148264991b8f0311ea6a8a50f5b243804f93650fc2a5f97a53192e0687213b41a5499e4be
-  languageName: node
-  linkType: hard
-
-"@types/ember__routing@npm:*, @types/ember__routing@npm:^4.0.12":
-  version: 4.0.12
-  resolution: "@types/ember__routing@npm:4.0.12"
-  dependencies:
-    "@types/ember": "*"
-    "@types/ember__controller": "*"
-    "@types/ember__object": "*"
-    "@types/ember__routing": "*"
-    "@types/ember__service": "*"
-  checksum: 8c14b6de35c9b370175dc342610729dba51b315a09f538ca5ad4e95d15ae0938efec8a6fd5675b862f2ca95da46528160896a417040654c621c8dbca34d8185b
-  languageName: node
-  linkType: hard
-
-"@types/ember__runloop@npm:*, @types/ember__runloop@npm:^4.0.2":
-  version: 4.0.2
-  resolution: "@types/ember__runloop@npm:4.0.2"
-  dependencies:
-    "@types/ember": "*"
-    "@types/ember__runloop": "*"
-  checksum: c207b35187d082be1330836dd120886ca86e14b029c7d89451fe4340ca4c500264f03a42558de62aa08e3e5743f7ac8aef84b668316d8f5db031eed109267aae
-  languageName: node
-  linkType: hard
-
-"@types/ember__service@npm:*, @types/ember__service@npm:^4.0.1":
-  version: 4.0.1
-  resolution: "@types/ember__service@npm:4.0.1"
-  dependencies:
-    "@types/ember__object": "*"
-  checksum: f4b8c161e13148d6fa3930a4fcd80e454aad1bb2688ec2c2da6cbb9b6e20a8c3b78308dfa10cb4ec5c42696ca77930d7133093d3c2cf8f41c883d456e2d444cf
-  languageName: node
-  linkType: hard
-
-"@types/ember__string@npm:*, @types/ember__string@npm:^3.0.10":
-  version: 3.0.10
-  resolution: "@types/ember__string@npm:3.0.10"
-  checksum: 1ff40f641efbd91fc65da9d1cd8206b5ff3a7627fbbe5d00e00ba4ff116eee1863cff5d556e616d4896f5dd6fd4ae3d7f7191f8c726bdac44a568bd4fec4164f
-  languageName: node
-  linkType: hard
-
-"@types/ember__template@npm:*, @types/ember__template@npm:^4.0.1":
-  version: 4.0.1
-  resolution: "@types/ember__template@npm:4.0.1"
-  checksum: 55c1bdccc1f11d428795da20832a1e52d76139af0a2378eb2ac6c18cf2406cd0b80007de4eafa5934a5b61cdf5979d9ad3e3ce27586b5908099e7535462d0b40
-  languageName: node
-  linkType: hard
-
-"@types/ember__test-helpers@npm:*, @types/ember__test-helpers@npm:^2.8.2":
-  version: 2.8.2
-  resolution: "@types/ember__test-helpers@npm:2.8.2"
-  dependencies:
-    "@types/ember-resolver": "*"
-    "@types/ember__application": "*"
-    "@types/ember__error": "*"
-    "@types/ember__owner": "*"
-    "@types/ember__test-helpers": "*"
-    "@types/htmlbars-inline-precompile": "*"
-  checksum: 8f89692d1808133b98e225b48ca5e3d94a781d539f092529f18ff525f898e914b3de6393fe7ed97567b5a04ca1fea6325325fd3e54a03b97c14c9ae4e8ee033b
-  languageName: node
-  linkType: hard
-
-"@types/ember__test@npm:*, @types/ember__test@npm:^4.0.1":
-  version: 4.0.1
-  resolution: "@types/ember__test@npm:4.0.1"
-  dependencies:
-    "@types/ember__application": "*"
-  checksum: e303ed97b0d63e9b2c91c8b7bd2445b8c013e485f458f0122c8a961593dafdc9428ffc055f51527032c970c2591094600f00233cda894e1775bc671bde67c570
-  languageName: node
-  linkType: hard
-
-"@types/ember__utils@npm:*, @types/ember__utils@npm:^4.0.2":
-  version: 4.0.2
-  resolution: "@types/ember__utils@npm:4.0.2"
-  dependencies:
-    "@types/ember": "*"
-  checksum: 8fc60ec9a902211502f33bba4c7cb774838f96fa21cfc798d42b8801f3654059eab96bae8b7fcb7ac60eb499363b263a97daf987bfd9f07feaf973046d1d39df
-  languageName: node
-  linkType: hard
-
-"@types/eslint-scope@npm:^3.7.3":
-  version: 3.7.3
-  resolution: "@types/eslint-scope@npm:3.7.3"
-  dependencies:
-    "@types/eslint": "*"
-    "@types/estree": "*"
-  checksum: 6772b05e1b92003d1f295e81bc847a61f4fbe8ddab77ffa49e84ed3f9552513bdde677eb53ef167753901282857dd1d604d9f82eddb34a233495932b2dc3dc17
-  languageName: node
-  linkType: hard
-
-"@types/eslint@npm:*":
-  version: 8.4.3
-  resolution: "@types/eslint@npm:8.4.3"
-  dependencies:
-    "@types/estree": "*"
-    "@types/json-schema": "*"
-  checksum: cc199be84e22754cc625b171c90852da2b563088d32f4161d310b70470eab47f9bc812774c61eab6530083a214fe634abc32d06ef38e0a5e29f68436331cfabb
-  languageName: node
-  linkType: hard
-
-"@types/eslint@npm:^7.2.13":
-  version: 7.29.0
-  resolution: "@types/eslint@npm:7.29.0"
-  dependencies:
-    "@types/estree": "*"
-    "@types/json-schema": "*"
-  checksum: df13991c554954353ce8f3bb03e19da6cc71916889443d68d178d4f858b561ba4cc4a4f291c6eb9eebb7f864b12b9b9313051b3a8dfea3e513dadf3188a77bdf
-  languageName: node
-  linkType: hard
-
-"@types/eslint@npm:^8.4.2":
-  version: 8.4.10
-  resolution: "@types/eslint@npm:8.4.10"
-  dependencies:
-    "@types/estree": "*"
-    "@types/json-schema": "*"
-  checksum: 21e009ed9ed9bc8920fdafc6e11ff321c4538b4cc18a56fdd59dc5184ea7bbf363c71638c9bdb59fc1254dddcdd567485136ed68b0ee4750948d4e32cb79c689
-  languageName: node
-  linkType: hard
-
-"@types/estree@npm:*":
-  version: 0.0.47
-  resolution: "@types/estree@npm:0.0.47"
-  checksum: aed5c940436250c25c5e140aa19e7199ba3452e72e1aecc515621507df9e5ed5076ddba84a1684c36d62be841ff3e2bafce8793f16fe6f69d10884449d4461e7
-  languageName: node
-  linkType: hard
-
-"@types/estree@npm:^0.0.51":
-  version: 0.0.51
-  resolution: "@types/estree@npm:0.0.51"
-  checksum: e56a3bcf759fd9185e992e7fdb3c6a5f81e8ff120e871641607581fb3728d16c811702a7d40fa5f869b7f7b4437ab6a87eb8d98ffafeee51e85bbe955932a189
-  languageName: node
-  linkType: hard
-
-"@types/express-serve-static-core@npm:*":
-  version: 4.17.30
-  resolution: "@types/express-serve-static-core@npm:4.17.30"
-  dependencies:
-    "@types/node": "*"
-    "@types/qs": "*"
-    "@types/range-parser": "*"
-  checksum: c40d9027884ab9e97fa29d9d41d1b75a5966109312e26594cf03c61b278b5bf8e095f53589e47899b34a2e224291a44043617695c3e8bd22284f988e48582ee6
-  languageName: node
-  linkType: hard
-
-"@types/express@npm:^4.17.2":
-  version: 4.17.2
-  resolution: "@types/express@npm:4.17.2"
-  dependencies:
-    "@types/body-parser": "*"
-    "@types/express-serve-static-core": "*"
-    "@types/serve-static": "*"
-  checksum: db8e85f84f040014a35b10f3f2e1d39b0f7b16c46cbe012ff2fa7eea7d49bc2a90e81ab81f052fd76f1790c02bf3f940571c406106d29f278f3259486ecc9ee9
-  languageName: node
-  linkType: hard
-
-"@types/fs-extra@npm:^5.0.5":
-  version: 5.1.0
-  resolution: "@types/fs-extra@npm:5.1.0"
-  dependencies:
-    "@types/node": "*"
-  checksum: 9b4abc891ad0dc3baa77b0ebcf91dff8e7a5936aa037de0bd6ded399ab38b5896be1ee02b5c0a18c0915cfc40ab590a915709e6f2beef8f6f7e16fd3759e469a
-  languageName: node
-  linkType: hard
-
-"@types/fs-extra@npm:^8.1.0":
-  version: 8.1.1
-  resolution: "@types/fs-extra@npm:8.1.1"
-  dependencies:
-    "@types/node": "*"
-  checksum: d7d564b84b86e51241984c9bec16f683056d45510e2c63e1bfe9282026685bd14e5ca406ee809453f1e2fd8c9aa76c5712a3019492eb946dd46de327ccb0e1b1
-  languageName: node
-  linkType: hard
-
-"@types/glob@npm:*":
-  version: 7.2.0
-  resolution: "@types/glob@npm:7.2.0"
-  dependencies:
-    "@types/minimatch": "*"
-    "@types/node": "*"
-  checksum: 6ae717fedfdfdad25f3d5a568323926c64f52ef35897bcac8aca8e19bc50c0bd84630bbd063e5d52078b2137d8e7d3c26eabebd1a2f03ff350fff8a91e79fc19
-  languageName: node
-  linkType: hard
-
-"@types/glob@npm:^7.1.1":
-  version: 7.1.3
-  resolution: "@types/glob@npm:7.1.3"
-  dependencies:
-    "@types/minimatch": "*"
-    "@types/node": "*"
-  checksum: e0eef12285f548f15d887145590594a04ccce7f7e645fb047cbac18cb093f25d507ffbcc725312294c224bb78cf980fce33e5807de8d6f8a868b4186253499d4
-  languageName: node
-  linkType: hard
-
-"@types/htmlbars-inline-precompile@npm:*":
-  version: 3.0.0
-  resolution: "@types/htmlbars-inline-precompile@npm:3.0.0"
-  checksum: dd7b1f0a0f9ec560c521673c436329e9edb0197b382520179008b11afe38c3d7a129dc91f303ca0509852f9e081a353b9f9aee9d7043529d70c439aafb7f9a2c
-  languageName: node
-  linkType: hard
-
-"@types/json-schema@npm:*, @types/json-schema@npm:^7.0.5":
-  version: 7.0.9
-  resolution: "@types/json-schema@npm:7.0.9"
-  checksum: 259d0e25f11a21ba5c708f7ea47196bd396e379fddb79c76f9f4f62c945879dc21657904914313ec2754e443c5018ea8372362f323f30e0792897fdb2098a705
-  languageName: node
-  linkType: hard
-
-"@types/json-schema@npm:^7.0.8, @types/json-schema@npm:^7.0.9":
-  version: 7.0.11
-  resolution: "@types/json-schema@npm:7.0.11"
-  checksum: 527bddfe62db9012fccd7627794bd4c71beb77601861055d87e3ee464f2217c85fca7a4b56ae677478367bbd248dbde13553312b7d4dbc702a2f2bbf60c4018d
-  languageName: node
-  linkType: hard
-
-"@types/mdast@npm:^3.0.0":
-  version: 3.0.10
-  resolution: "@types/mdast@npm:3.0.10"
-  dependencies:
-    "@types/unist": "*"
-  checksum: 3f587bfc0a9a2403ecadc220e61031b01734fedaf82e27eb4d5ba039c0eb54db8c85681ccc070ab4df3f7ec711b736a82b990e69caa14c74bf7ac0ccf2ac7313
-  languageName: node
-  linkType: hard
-
-"@types/mime@npm:^1":
-  version: 1.3.2
-  resolution: "@types/mime@npm:1.3.2"
-  checksum: 0493368244cced1a69cb791b485a260a422e6fcc857782e1178d1e6f219f1b161793e9f87f5fae1b219af0f50bee24fcbe733a18b4be8fdd07a38a8fb91146fd
-  languageName: node
-  linkType: hard
-
-"@types/minimatch@npm:*, @types/minimatch@npm:^3.0.3, @types/minimatch@npm:^3.0.4":
-  version: 3.0.5
-  resolution: "@types/minimatch@npm:3.0.5"
-  checksum: c41d136f67231c3131cf1d4ca0b06687f4a322918a3a5adddc87ce90ed9dbd175a3610adee36b106ae68c0b92c637c35e02b58c8a56c424f71d30993ea220b92
-  languageName: node
-  linkType: hard
-
-"@types/minimist@npm:^1.2.2":
-  version: 1.2.2
-  resolution: "@types/minimist@npm:1.2.2"
-  checksum: b8da83c66eb4aac0440e64674b19564d9d86c80ae273144db9681e5eeff66f238ade9515f5006ffbfa955ceff8b89ad2bd8ec577d7caee74ba101431fb07045d
-  languageName: node
-  linkType: hard
-
-"@types/node@npm:*":
-  version: 16.11.11
-  resolution: "@types/node@npm:16.11.11"
-  checksum: 1c472bd63f23ca0e4effc96e6e0c693b83b027f613a1f41b6d1bd7791f65ce171a351e0a5c92575cb59e84ad0a930875397bfbbb91a7c925ddbbb558f7461af8
-  languageName: node
-  linkType: hard
-
-"@types/node@npm:>=10.0.0":
-  version: 18.7.16
-  resolution: "@types/node@npm:18.7.16"
-  checksum: 01a3d35c764a3f0e7370b56e1ad4203731131883c65784e020009014171b3f53c4649cde6c7aa4f1026b907ee87ef6ae6ece2bc518151dc7b81100fe8b1db3ad
-  languageName: node
-  linkType: hard
-
-"@types/node@npm:^9.6.0":
-  version: 9.6.61
-  resolution: "@types/node@npm:9.6.61"
-  checksum: c8caed1010c5eb94697024606a5cbcb9905251166daed6ec1b47d3c70a57435aba72547adf347b8d17785df89dbfc0ac20e63b9f807bc44cc0e11a3705ae5a91
-  languageName: node
-  linkType: hard
-
-"@types/normalize-package-data@npm:^2.4.0":
-  version: 2.4.1
-  resolution: "@types/normalize-package-data@npm:2.4.1"
-  checksum: e87bccbf11f95035c89a132b52b79ce69a1e3652fe55962363063c9c0dae0fe2477ebc585e03a9652adc6f381d24ba5589cc5e51849df4ced3d3e004a7d40ed5
-  languageName: node
-  linkType: hard
-
-"@types/parse-json@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "@types/parse-json@npm:4.0.0"
-  checksum: fd6bce2b674b6efc3db4c7c3d336bd70c90838e8439de639b909ce22f3720d21344f52427f1d9e57b265fcb7f6c018699b99e5e0c208a1a4823014269a6bf35b
-  languageName: node
-  linkType: hard
-
-"@types/prettier@npm:^2.6.0":
-  version: 2.7.1
-  resolution: "@types/prettier@npm:2.7.1"
-  checksum: 5e3f58e229d6c73b5f5cae2e8f96c1c4a5b5805f83459e17a045ba8e96152b1d38e86b63e3172fb159dac923388699660862b75b2d37e54220805f0e691e26f1
-  languageName: node
-  linkType: hard
-
-"@types/q@npm:^1.5.1":
-  version: 1.5.4
-  resolution: "@types/q@npm:1.5.4"
-  checksum: 0842d7d71b5f102dcc2d78f893d0b42c1149f8cdc194d09e7a00be3187999ee3041e535357344818f8fee1b5e216b06bb7df7754d0fe08bd8aca38d3c45f1af6
-  languageName: node
-  linkType: hard
-
-"@types/qs@npm:*":
-  version: 6.9.6
-  resolution: "@types/qs@npm:6.9.6"
-  checksum: 01871b1cf7062717ec76fcb9b29ddae1e04fcfadc1c76d86ec2571e72f27bf09ff31b094b295be8d4ca664aeec9b8965563680b31fcab7aba1ed93afac5181cd
-  languageName: node
-  linkType: hard
-
-"@types/qunit@npm:*, @types/qunit@npm:^2.19.3":
-  version: 2.19.3
-  resolution: "@types/qunit@npm:2.19.3"
-  checksum: bbcea1082a2827f81ddb43f53abf6e6698cb690fa5a1cd59649eee5e9ecf0fe04fae7fb2aaf3015681ac8036f251f4d268819a4935ec5b38832056957ccfb265
-  languageName: node
-  linkType: hard
-
-"@types/range-parser@npm:*":
-  version: 1.2.3
-  resolution: "@types/range-parser@npm:1.2.3"
-  checksum: a0a4218214d2c599e2128a8965e9183d1f0b8fc614def43a2183cf80534d10fcf86357c823c7907e779df0ab048fd1fa3818b4c8f0f6f99ba150a3f99df7d03d
-  languageName: node
-  linkType: hard
-
-"@types/rimraf@npm:^2.0.2":
-  version: 2.0.5
-  resolution: "@types/rimraf@npm:2.0.5"
-  dependencies:
-    "@types/glob": "*"
-    "@types/node": "*"
-  checksum: e388f546840704a240fb31536498921623bca4ec1230925013d6b6d7c7d2211c8ec07fcbbd2606151d7549cbbc28a01c18fb0df502107a9293860a5ff64bc147
-  languageName: node
-  linkType: hard
-
-"@types/rimraf@npm:^2.0.3":
-  version: 2.0.4
-  resolution: "@types/rimraf@npm:2.0.4"
-  dependencies:
-    "@types/glob": "*"
-    "@types/node": "*"
-  checksum: 8304d3d98f654f6c7b6256f368832436dc1d807bb899007fa823702052642166da25f37e849f0bc4ba4ec312e5a8f81e7a4d4a81de9c68f305d28f7822464c0c
-  languageName: node
-  linkType: hard
-
-"@types/rsvp@npm:*, @types/rsvp@npm:^4.0.4":
-  version: 4.0.4
-  resolution: "@types/rsvp@npm:4.0.4"
-  checksum: ed59be8246325c3676e67237c00d84830f801710af864dbf7d22e80441892e9a7beee07afcbdcd74ee8fbe3a24f37e93826dac1208199ac5601b663b7293cbed
-  languageName: node
-  linkType: hard
-
-"@types/semver@npm:^7.3.12":
-  version: 7.3.13
-  resolution: "@types/semver@npm:7.3.13"
-  checksum: 00c0724d54757c2f4bc60b5032fe91cda6410e48689633d5f35ece8a0a66445e3e57fa1d6e07eb780f792e82ac542948ec4d0b76eb3484297b79bd18b8cf1cb0
-  languageName: node
-  linkType: hard
-
-"@types/serve-static@npm:*":
-  version: 1.13.9
-  resolution: "@types/serve-static@npm:1.13.9"
-  dependencies:
-    "@types/mime": ^1
-    "@types/node": "*"
-  checksum: 5c5f3b64e9fe7c51fb428ef70f1f2365b897fc3c8400be6d6afc8db0f152639182b360361ebd3d0cbaeb607b125dee03bf0c50bf7e08642ff150028f05bb7381
-  languageName: node
-  linkType: hard
-
-"@types/shell-quote@npm:^1.7.1":
-  version: 1.7.1
-  resolution: "@types/shell-quote@npm:1.7.1"
-  checksum: 51e58326b8c6dcb72846b94cebe3dc4c84f3514469a8e52bd29c52c601e784b427b851d7477acbeef47bfcccf25d2a5768684d27e7fc95fdd003393c1bbb7bc3
-  languageName: node
-  linkType: hard
-
-"@types/symlink-or-copy@npm:^1.2.0":
-  version: 1.2.0
-  resolution: "@types/symlink-or-copy@npm:1.2.0"
-  checksum: 18fb73094b2cf6c84544939bd6344d7a8cd1ccf8496a1cfb1320f38491c8dfbea3248bb6e91495322a51a493e04a767582a214d5261f5c5b007aa6ef65fc8b50
-  languageName: node
-  linkType: hard
-
-"@types/tmp@npm:^0.0.33":
-  version: 0.0.33
-  resolution: "@types/tmp@npm:0.0.33"
-  checksum: b6963af74092bd56a1a9a7936a1a6de45ddbd5e774f9fc904f16b7e2ada79da8a769e0c5b9df083064b8080bb260c4973ba4307640b7b7a75ed1c47bda8c4110
-  languageName: node
-  linkType: hard
-
-"@types/unist@npm:*, @types/unist@npm:^2.0.0, @types/unist@npm:^2.0.2":
-  version: 2.0.6
-  resolution: "@types/unist@npm:2.0.6"
-  checksum: 25cb860ff10dde48b54622d58b23e66214211a61c84c0f15f88d38b61aa1b53d4d46e42b557924a93178c501c166aa37e28d7f6d994aba13d24685326272d5db
-  languageName: node
-  linkType: hard
-
-"@typescript-eslint/eslint-plugin@npm:^5.19.0":
-  version: 5.44.0
-  resolution: "@typescript-eslint/eslint-plugin@npm:5.44.0"
-  dependencies:
-    "@typescript-eslint/scope-manager": 5.44.0
-    "@typescript-eslint/type-utils": 5.44.0
-    "@typescript-eslint/utils": 5.44.0
-    debug: ^4.3.4
-    ignore: ^5.2.0
-    natural-compare-lite: ^1.4.0
-    regexpp: ^3.2.0
-    semver: ^7.3.7
-    tsutils: ^3.21.0
-  peerDependencies:
-    "@typescript-eslint/parser": ^5.0.0
-    eslint: ^6.0.0 || ^7.0.0 || ^8.0.0
-  peerDependenciesMeta:
-    typescript:
-      optional: true
-  checksum: 88784e77e8e35ea50ca9c49d46df94cabc3447f4b332f3ca53974d3b5370cb5dcd85cc9ee0e317b91083812012369209574725dcfc3b2b4056b60371b68ca854
-  languageName: node
-  linkType: hard
-
-"@typescript-eslint/parser@npm:^5.10.0":
-  version: 5.42.1
-  resolution: "@typescript-eslint/parser@npm:5.42.1"
-  dependencies:
-    "@typescript-eslint/scope-manager": 5.42.1
-    "@typescript-eslint/types": 5.42.1
-    "@typescript-eslint/typescript-estree": 5.42.1
-    debug: ^4.3.4
-  peerDependencies:
-    eslint: ^6.0.0 || ^7.0.0 || ^8.0.0
-  peerDependenciesMeta:
-    typescript:
-      optional: true
-  checksum: 7208a085102be5c569ac2be5799d05e080a9c0b9157ed3efa5d7eadb675185bddfa05f2f27e20c235910193a2bd835e5375fb9fc13561a6e20d110e444f37caa
-  languageName: node
-  linkType: hard
-
-"@typescript-eslint/parser@npm:^5.19.0":
-  version: 5.44.0
-  resolution: "@typescript-eslint/parser@npm:5.44.0"
-  dependencies:
-    "@typescript-eslint/scope-manager": 5.44.0
-    "@typescript-eslint/types": 5.44.0
-    "@typescript-eslint/typescript-estree": 5.44.0
-    debug: ^4.3.4
-  peerDependencies:
-    eslint: ^6.0.0 || ^7.0.0 || ^8.0.0
-  peerDependenciesMeta:
-    typescript:
-      optional: true
-  checksum: 2d09a1a1547a7ae3f76c9a33a54e11d79a194fbb9dbae69988e7aed3370bdf12bafde669211152769d89db822e0cdee4173affc126664fa6f17abba56daa7261
-  languageName: node
-  linkType: hard
-
-"@typescript-eslint/scope-manager@npm:5.42.1":
-  version: 5.42.1
-  resolution: "@typescript-eslint/scope-manager@npm:5.42.1"
-  dependencies:
-    "@typescript-eslint/types": 5.42.1
-    "@typescript-eslint/visitor-keys": 5.42.1
-  checksum: cfad5f04328fae4bb6d965a94c980ac2f6fa0eee6183e9bed6d7ebdb067f01a0a9a3b5500fc3638d5e287f46f4412aa462e238c610c1fb96b794b83c575c7fb4
-  languageName: node
-  linkType: hard
-
-"@typescript-eslint/scope-manager@npm:5.44.0":
-  version: 5.44.0
-  resolution: "@typescript-eslint/scope-manager@npm:5.44.0"
-  dependencies:
-    "@typescript-eslint/types": 5.44.0
-    "@typescript-eslint/visitor-keys": 5.44.0
-  checksum: 4cfe4b55eb428eda740e6b967e3a87f3e1f9c4bbd8e1d6b8d64a11666abe33ffe7a21e4e614444ccde2da6930fa85f3e0ffca43d6e339943ff7a4fbccb09c8fc
-  languageName: node
-  linkType: hard
-
-"@typescript-eslint/type-utils@npm:5.44.0":
-  version: 5.44.0
-  resolution: "@typescript-eslint/type-utils@npm:5.44.0"
-  dependencies:
-    "@typescript-eslint/typescript-estree": 5.44.0
-    "@typescript-eslint/utils": 5.44.0
-    debug: ^4.3.4
-    tsutils: ^3.21.0
-  peerDependencies:
-    eslint: "*"
-  peerDependenciesMeta:
-    typescript:
-      optional: true
-  checksum: 4c7b594f8afa52d57d0512951a874fa390eb791dcefcd0e1efff8817872293b2e4e04eff3c54d1595c1720a34d5fd315729af4e459882033d13cb6069ae9d28f
-  languageName: node
-  linkType: hard
-
-"@typescript-eslint/types@npm:5.42.1":
-  version: 5.42.1
-  resolution: "@typescript-eslint/types@npm:5.42.1"
-  checksum: b0eb3df3792dd0e447abcf2b4fd79b2eaa6f944242d00afa8ef2d9f892ea63e52f200e7cb1758ddbc46154aa6764cec8bc796ed96f7554457a20db976f9f2089
-  languageName: node
-  linkType: hard
-
-"@typescript-eslint/types@npm:5.44.0":
-  version: 5.44.0
-  resolution: "@typescript-eslint/types@npm:5.44.0"
-  checksum: ced7d32abecfc62ccb67cf27e30c0785b9c153ec7b1a05153ced58fa5a2031ab3845bc2e477b83e4cebdcc5881c5845d23053c6739c62549d41ae6208e547e85
-  languageName: node
-  linkType: hard
-
-"@typescript-eslint/typescript-estree@npm:5.42.1":
-  version: 5.42.1
-  resolution: "@typescript-eslint/typescript-estree@npm:5.42.1"
-  dependencies:
-    "@typescript-eslint/types": 5.42.1
-    "@typescript-eslint/visitor-keys": 5.42.1
-    debug: ^4.3.4
-    globby: ^11.1.0
-    is-glob: ^4.0.3
-    semver: ^7.3.7
-    tsutils: ^3.21.0
-  peerDependenciesMeta:
-    typescript:
-      optional: true
-  checksum: dfd3e20d41ba4b574a52d82cc40b38708b8c2c4277d6304a8d914fe2a4a9ce8779f4d79fdac140e77a3afd3c6a2a7e3f31620dc427cabd04e4e906bb0ca3a468
-  languageName: node
-  linkType: hard
-
-"@typescript-eslint/typescript-estree@npm:5.44.0":
-  version: 5.44.0
-  resolution: "@typescript-eslint/typescript-estree@npm:5.44.0"
-  dependencies:
-    "@typescript-eslint/types": 5.44.0
-    "@typescript-eslint/visitor-keys": 5.44.0
-    debug: ^4.3.4
-    globby: ^11.1.0
-    is-glob: ^4.0.3
-    semver: ^7.3.7
-    tsutils: ^3.21.0
-  peerDependenciesMeta:
-    typescript:
-      optional: true
-  checksum: 758731108497cca7ff81cf0a78d086b5a85757a983979d6bb25ad8252b7acbc738c642ecb5f5df82f925a45926b9846e431d5cf9fee5ed2613300b4d0c5d6c3f
-  languageName: node
-  linkType: hard
-
-"@typescript-eslint/utils@npm:5.44.0":
-  version: 5.44.0
-  resolution: "@typescript-eslint/utils@npm:5.44.0"
-  dependencies:
-    "@types/json-schema": ^7.0.9
-    "@types/semver": ^7.3.12
-    "@typescript-eslint/scope-manager": 5.44.0
-    "@typescript-eslint/types": 5.44.0
-    "@typescript-eslint/typescript-estree": 5.44.0
-    eslint-scope: ^5.1.1
-    eslint-utils: ^3.0.0
-    semver: ^7.3.7
-  peerDependencies:
-    eslint: ^6.0.0 || ^7.0.0 || ^8.0.0
-  checksum: bc5bb28e41898464d35b8eb47cc452103852541e3b6be56252c15a5a81c45e10aad3db4c749eb92d752b0c358df8074e23ec6f9e65f8089baadeda7f395c7e31
-  languageName: node
-  linkType: hard
-
-"@typescript-eslint/visitor-keys@npm:5.42.1":
-  version: 5.42.1
-  resolution: "@typescript-eslint/visitor-keys@npm:5.42.1"
-  dependencies:
-    "@typescript-eslint/types": 5.42.1
-    eslint-visitor-keys: ^3.3.0
-  checksum: d36c59da7bf3b3c150c12cbe4b0331edc15253f59599ec3d8b873b2a3d9fc7a4fea11490c1b20d972afcdc9c842deb5ada527ea9c538aa7e87555699d9a59f24
-  languageName: node
-  linkType: hard
-
-"@typescript-eslint/visitor-keys@npm:5.44.0":
-  version: 5.44.0
-  resolution: "@typescript-eslint/visitor-keys@npm:5.44.0"
-  dependencies:
-    "@typescript-eslint/types": 5.44.0
-    eslint-visitor-keys: ^3.3.0
-  checksum: a012c888209e1d6ae684b2a44fd460ae5a80f5faf07bca4bda6c9c0d8c063ad3297d4c53f7151ae86cf1a43dee09625dc3ee72183323c91089c7288fd573c6f4
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/ast@npm:1.11.1":
-  version: 1.11.1
-  resolution: "@webassemblyjs/ast@npm:1.11.1"
-  dependencies:
-    "@webassemblyjs/helper-numbers": 1.11.1
-    "@webassemblyjs/helper-wasm-bytecode": 1.11.1
-  checksum: 1eee1534adebeece635362f8e834ae03e389281972611408d64be7895fc49f48f98fddbbb5339bf8a72cb101bcb066e8bca3ca1bf1ef47dadf89def0395a8d87
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/ast@npm:1.9.0":
-  version: 1.9.0
-  resolution: "@webassemblyjs/ast@npm:1.9.0"
-  dependencies:
-    "@webassemblyjs/helper-module-context": 1.9.0
-    "@webassemblyjs/helper-wasm-bytecode": 1.9.0
-    "@webassemblyjs/wast-parser": 1.9.0
-  checksum: 8a9838dc7fdac358aee8daa75eefa35934ab18dafb594092ff7be79c467ebe9dabb2543e58313c905fd802bdcc3cb8320e4e19af7444e49853a7a24e25138f75
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/floating-point-hex-parser@npm:1.11.1":
-  version: 1.11.1
-  resolution: "@webassemblyjs/floating-point-hex-parser@npm:1.11.1"
-  checksum: b8efc6fa08e4787b7f8e682182d84dfdf8da9d9c77cae5d293818bc4a55c1f419a87fa265ab85252b3e6c1fd323d799efea68d825d341a7c365c64bc14750e97
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/floating-point-hex-parser@npm:1.9.0":
-  version: 1.9.0
-  resolution: "@webassemblyjs/floating-point-hex-parser@npm:1.9.0"
-  checksum: d3aeb19bc30da26f639698daa28e44e0c18d5aa135359ef3c54148e194eec46451a912d0506099d479a71a94bc3eef6ef52d6ec234799528a25a9744789852de
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/helper-api-error@npm:1.11.1":
-  version: 1.11.1
-  resolution: "@webassemblyjs/helper-api-error@npm:1.11.1"
-  checksum: 0792813f0ed4a0e5ee0750e8b5d0c631f08e927f4bdfdd9fe9105dc410c786850b8c61bff7f9f515fdfb149903bec3c976a1310573a4c6866a94d49bc7271959
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/helper-api-error@npm:1.9.0":
-  version: 1.9.0
-  resolution: "@webassemblyjs/helper-api-error@npm:1.9.0"
-  checksum: 9179d3148639cc202e89a118145b485cf834613260679a99af6ec487bbc15f238566ca713207394b336160a41bf8c1b75cf2e853b3e96f0cc73c1e5c735b3f64
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/helper-buffer@npm:1.11.1":
-  version: 1.11.1
-  resolution: "@webassemblyjs/helper-buffer@npm:1.11.1"
-  checksum: a337ee44b45590c3a30db5a8b7b68a717526cf967ada9f10253995294dbd70a58b2da2165222e0b9830cd4fc6e4c833bf441a721128d1fe2e9a7ab26b36003ce
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/helper-buffer@npm:1.9.0":
-  version: 1.9.0
-  resolution: "@webassemblyjs/helper-buffer@npm:1.9.0"
-  checksum: dcb85f630f8a2e22b7346ad4dd58c3237a2cad1457699423e8fd19592a0bd3eacbc2639178a1b9a873c3ac217bfc7a23a134ff440a099496b590e82c7a4968d5
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/helper-code-frame@npm:1.9.0":
-  version: 1.9.0
-  resolution: "@webassemblyjs/helper-code-frame@npm:1.9.0"
-  dependencies:
-    "@webassemblyjs/wast-printer": 1.9.0
-  checksum: a28fa057f7beff0fd14bff716561520f8edb8c9c56c7a5559451e6765acfb70aaeb8af718ea2bd2262e7baeba597545af407e28eb2eff8329235afe8605f20d1
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/helper-fsm@npm:1.9.0":
-  version: 1.9.0
-  resolution: "@webassemblyjs/helper-fsm@npm:1.9.0"
-  checksum: 374cc510c8f5a7a07d4fe9eb7036cc475a96a670b5d25c31f16757ac8295be8d03a2f29657ff53eaefa9e8315670a48824d430ed910e7c1835788ac79f93124e
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/helper-module-context@npm:1.9.0":
-  version: 1.9.0
-  resolution: "@webassemblyjs/helper-module-context@npm:1.9.0"
-  dependencies:
-    "@webassemblyjs/ast": 1.9.0
-  checksum: 55e8f89c7ea1beaa78fad88403f3753b8413b0f3b6bb32d898ce95078b3e1d1b48ade0919c00b82fc2e3813c0ab6901e415f7a4d4fa9be50944e2431adde75a5
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/helper-numbers@npm:1.11.1":
-  version: 1.11.1
-  resolution: "@webassemblyjs/helper-numbers@npm:1.11.1"
-  dependencies:
-    "@webassemblyjs/floating-point-hex-parser": 1.11.1
-    "@webassemblyjs/helper-api-error": 1.11.1
-    "@xtuc/long": 4.2.2
-  checksum: 44d2905dac2f14d1e9b5765cf1063a0fa3d57295c6d8930f6c59a36462afecc6e763e8a110b97b342a0f13376166c5d41aa928e6ced92e2f06b071fd0db59d3a
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/helper-wasm-bytecode@npm:1.11.1":
-  version: 1.11.1
-  resolution: "@webassemblyjs/helper-wasm-bytecode@npm:1.11.1"
-  checksum: eac400113127832c88f5826bcc3ad1c0db9b3dbd4c51a723cfdb16af6bfcbceb608170fdaac0ab7731a7e18b291be7af68a47fcdb41cfe0260c10857e7413d97
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/helper-wasm-bytecode@npm:1.9.0":
-  version: 1.9.0
-  resolution: "@webassemblyjs/helper-wasm-bytecode@npm:1.9.0"
-  checksum: 280da4df3c556f73a1a02053277f8a4be481de32df4aa21050b015c8f4d27c46af89f0417eb88e486df117e5df4bccffae593f78cb1e79f212d3b3d4f3ed0f04
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/helper-wasm-section@npm:1.11.1":
-  version: 1.11.1
-  resolution: "@webassemblyjs/helper-wasm-section@npm:1.11.1"
-  dependencies:
-    "@webassemblyjs/ast": 1.11.1
-    "@webassemblyjs/helper-buffer": 1.11.1
-    "@webassemblyjs/helper-wasm-bytecode": 1.11.1
-    "@webassemblyjs/wasm-gen": 1.11.1
-  checksum: 617696cfe8ecaf0532763162aaf748eb69096fb27950219bb87686c6b2e66e11cd0614d95d319d0ab1904bc14ebe4e29068b12c3e7c5e020281379741fe4bedf
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/helper-wasm-section@npm:1.9.0":
-  version: 1.9.0
-  resolution: "@webassemblyjs/helper-wasm-section@npm:1.9.0"
-  dependencies:
-    "@webassemblyjs/ast": 1.9.0
-    "@webassemblyjs/helper-buffer": 1.9.0
-    "@webassemblyjs/helper-wasm-bytecode": 1.9.0
-    "@webassemblyjs/wasm-gen": 1.9.0
-  checksum: b8f7bb45d4194074c82210211a5d3e402a5b5fa63ecae26d2c356ae3978af5a530e91192fb260f32f9d561b18e2828b3da2e2f41c59efadb5f3c6d72446807f0
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/ieee754@npm:1.11.1":
-  version: 1.11.1
-  resolution: "@webassemblyjs/ieee754@npm:1.11.1"
-  dependencies:
-    "@xtuc/ieee754": ^1.2.0
-  checksum: 23a0ac02a50f244471631802798a816524df17e56b1ef929f0c73e3cde70eaf105a24130105c60aff9d64a24ce3b640dad443d6f86e5967f922943a7115022ec
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/ieee754@npm:1.9.0":
-  version: 1.9.0
-  resolution: "@webassemblyjs/ieee754@npm:1.9.0"
-  dependencies:
-    "@xtuc/ieee754": ^1.2.0
-  checksum: 7fe4a217ba0f7051e2cfef92919d4a64fac1a63c65411763779bd50907820f33f440255231a474fe3ba03bd1d9ee0328662d1eae3fce4c59b91549d6b62b839b
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/leb128@npm:1.11.1":
-  version: 1.11.1
-  resolution: "@webassemblyjs/leb128@npm:1.11.1"
-  dependencies:
-    "@xtuc/long": 4.2.2
-  checksum: 33ccc4ade2f24de07bf31690844d0b1ad224304ee2062b0e464a610b0209c79e0b3009ac190efe0e6bd568b0d1578d7c3047fc1f9d0197c92fc061f56224ff4a
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/leb128@npm:1.9.0":
-  version: 1.9.0
-  resolution: "@webassemblyjs/leb128@npm:1.9.0"
-  dependencies:
-    "@xtuc/long": 4.2.2
-  checksum: 4ca7cbb869530d78d42a414f34ae53249364cb1ecebbfb6ed5d562c2f209fce857502f088822ee82a23876f653a262ddc34ab64e45a7962510a263d39bb3f51a
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/utf8@npm:1.11.1":
-  version: 1.11.1
-  resolution: "@webassemblyjs/utf8@npm:1.11.1"
-  checksum: 972c5cfc769d7af79313a6bfb96517253a270a4bf0c33ba486aa43cac43917184fb35e51dfc9e6b5601548cd5931479a42e42c89a13bb591ffabebf30c8a6a0b
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/utf8@npm:1.9.0":
-  version: 1.9.0
-  resolution: "@webassemblyjs/utf8@npm:1.9.0"
-  checksum: e328a30ac8a503bbd015d32e75176e0dedcb45a21d4be051c25dfe89a00035ca7a6dbd8937b442dd5b4b334de3959d4f5fe0b330037bd226a28b9814cd49e84f
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/wasm-edit@npm:1.11.1":
-  version: 1.11.1
-  resolution: "@webassemblyjs/wasm-edit@npm:1.11.1"
-  dependencies:
-    "@webassemblyjs/ast": 1.11.1
-    "@webassemblyjs/helper-buffer": 1.11.1
-    "@webassemblyjs/helper-wasm-bytecode": 1.11.1
-    "@webassemblyjs/helper-wasm-section": 1.11.1
-    "@webassemblyjs/wasm-gen": 1.11.1
-    "@webassemblyjs/wasm-opt": 1.11.1
-    "@webassemblyjs/wasm-parser": 1.11.1
-    "@webassemblyjs/wast-printer": 1.11.1
-  checksum: 6d7d9efaec1227e7ef7585a5d7ff0be5f329f7c1c6b6c0e906b18ed2e9a28792a5635e450aca2d136770d0207225f204eff70a4b8fd879d3ac79e1dcc26dbeb9
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/wasm-edit@npm:1.9.0":
-  version: 1.9.0
-  resolution: "@webassemblyjs/wasm-edit@npm:1.9.0"
-  dependencies:
-    "@webassemblyjs/ast": 1.9.0
-    "@webassemblyjs/helper-buffer": 1.9.0
-    "@webassemblyjs/helper-wasm-bytecode": 1.9.0
-    "@webassemblyjs/helper-wasm-section": 1.9.0
-    "@webassemblyjs/wasm-gen": 1.9.0
-    "@webassemblyjs/wasm-opt": 1.9.0
-    "@webassemblyjs/wasm-parser": 1.9.0
-    "@webassemblyjs/wast-printer": 1.9.0
-  checksum: 1997e0c2f4051c33239587fb143242919320bc861a0af03a873c7150a27d6404bd2e063c658193288b0aa88c35aadbe0c4fde601fe642bae0743a8c8eda52717
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/wasm-gen@npm:1.11.1":
-  version: 1.11.1
-  resolution: "@webassemblyjs/wasm-gen@npm:1.11.1"
-  dependencies:
-    "@webassemblyjs/ast": 1.11.1
-    "@webassemblyjs/helper-wasm-bytecode": 1.11.1
-    "@webassemblyjs/ieee754": 1.11.1
-    "@webassemblyjs/leb128": 1.11.1
-    "@webassemblyjs/utf8": 1.11.1
-  checksum: 1f6921e640293bf99fb16b21e09acb59b340a79f986c8f979853a0ae9f0b58557534b81e02ea2b4ef11e929d946708533fd0693c7f3712924128fdafd6465f5b
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/wasm-gen@npm:1.9.0":
-  version: 1.9.0
-  resolution: "@webassemblyjs/wasm-gen@npm:1.9.0"
-  dependencies:
-    "@webassemblyjs/ast": 1.9.0
-    "@webassemblyjs/helper-wasm-bytecode": 1.9.0
-    "@webassemblyjs/ieee754": 1.9.0
-    "@webassemblyjs/leb128": 1.9.0
-    "@webassemblyjs/utf8": 1.9.0
-  checksum: 2456e84e8e6bedb7ab47f6333a0ee170f7ef62842c90862ca787c08528ca8041061f3f8bc257fc2a01bf6e8d1a76fddaddd43418c738f681066e5b50f88fe7df
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/wasm-opt@npm:1.11.1":
-  version: 1.11.1
-  resolution: "@webassemblyjs/wasm-opt@npm:1.11.1"
-  dependencies:
-    "@webassemblyjs/ast": 1.11.1
-    "@webassemblyjs/helper-buffer": 1.11.1
-    "@webassemblyjs/wasm-gen": 1.11.1
-    "@webassemblyjs/wasm-parser": 1.11.1
-  checksum: 21586883a20009e2b20feb67bdc451bbc6942252e038aae4c3a08e6f67b6bae0f5f88f20bfc7bd0452db5000bacaf5ab42b98cf9aa034a6c70e9fc616142e1db
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/wasm-opt@npm:1.9.0":
-  version: 1.9.0
-  resolution: "@webassemblyjs/wasm-opt@npm:1.9.0"
-  dependencies:
-    "@webassemblyjs/ast": 1.9.0
-    "@webassemblyjs/helper-buffer": 1.9.0
-    "@webassemblyjs/wasm-gen": 1.9.0
-    "@webassemblyjs/wasm-parser": 1.9.0
-  checksum: 91242205bdbd1aa8045364a5338bfb34880cb2c65f56db8dd19382894209673699fb31a0e5279f25c7e5bcd8f3097d6c9ca84d8969d9613ef2cf166450cc3515
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/wasm-parser@npm:1.11.1":
-  version: 1.11.1
-  resolution: "@webassemblyjs/wasm-parser@npm:1.11.1"
-  dependencies:
-    "@webassemblyjs/ast": 1.11.1
-    "@webassemblyjs/helper-api-error": 1.11.1
-    "@webassemblyjs/helper-wasm-bytecode": 1.11.1
-    "@webassemblyjs/ieee754": 1.11.1
-    "@webassemblyjs/leb128": 1.11.1
-    "@webassemblyjs/utf8": 1.11.1
-  checksum: 1521644065c360e7b27fad9f4bb2df1802d134dd62937fa1f601a1975cde56bc31a57b6e26408b9ee0228626ff3ba1131ae6f74ffb7d718415b6528c5a6dbfc2
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/wasm-parser@npm:1.9.0":
-  version: 1.9.0
-  resolution: "@webassemblyjs/wasm-parser@npm:1.9.0"
-  dependencies:
-    "@webassemblyjs/ast": 1.9.0
-    "@webassemblyjs/helper-api-error": 1.9.0
-    "@webassemblyjs/helper-wasm-bytecode": 1.9.0
-    "@webassemblyjs/ieee754": 1.9.0
-    "@webassemblyjs/leb128": 1.9.0
-    "@webassemblyjs/utf8": 1.9.0
-  checksum: 493f6cfc63a5e16073056c81ff0526a9936f461327379ef3c83cc841000e03623b6352704f6bf9f7cb5b3610f0032020a61f9cca78c91b15b8e995854b29c098
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/wast-parser@npm:1.9.0":
-  version: 1.9.0
-  resolution: "@webassemblyjs/wast-parser@npm:1.9.0"
-  dependencies:
-    "@webassemblyjs/ast": 1.9.0
-    "@webassemblyjs/floating-point-hex-parser": 1.9.0
-    "@webassemblyjs/helper-api-error": 1.9.0
-    "@webassemblyjs/helper-code-frame": 1.9.0
-    "@webassemblyjs/helper-fsm": 1.9.0
-    "@xtuc/long": 4.2.2
-  checksum: 705dd48fbbceec7f6bed299b8813631b242fd9312f9594dbb2985dda86c9688048692357d684f6080fc2c5666287cefaa26b263d01abadb6a9049d4c8978b9db
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/wast-printer@npm:1.11.1":
-  version: 1.11.1
-  resolution: "@webassemblyjs/wast-printer@npm:1.11.1"
-  dependencies:
-    "@webassemblyjs/ast": 1.11.1
-    "@xtuc/long": 4.2.2
-  checksum: f15ae4c2441b979a3b4fce78f3d83472fb22350c6dc3fd34bfe7c3da108e0b2360718734d961bba20e7716cb8578e964b870da55b035e209e50ec9db0378a3f7
-  languageName: node
-  linkType: hard
-
-"@webassemblyjs/wast-printer@npm:1.9.0":
-  version: 1.9.0
-  resolution: "@webassemblyjs/wast-printer@npm:1.9.0"
-  dependencies:
-    "@webassemblyjs/ast": 1.9.0
-    "@webassemblyjs/wast-parser": 1.9.0
-    "@xtuc/long": 4.2.2
-  checksum: 3d1e1b2e84745a963f69acd1c02425b321dd2e608e11dabc467cae0c9a808962bc769ec9afc46fbcea7188cc1e47d72370da762d258f716fb367cb1a7865c54b
-  languageName: node
-  linkType: hard
-
-"@xmldom/xmldom@npm:^0.8.0":
-  version: 0.8.2
-  resolution: "@xmldom/xmldom@npm:0.8.2"
-  checksum: aeea8f670bfa52b3a1b2d355dab3bf4d58ef4969b1fd146a1ab91bf8acbb9d02953022e66e85279015a4e4027205620dfc001ed5d169b1711a09a0a079951e08
-  languageName: node
-  linkType: hard
-
-"@xtuc/ieee754@npm:^1.2.0":
-  version: 1.2.0
-  resolution: "@xtuc/ieee754@npm:1.2.0"
-  checksum: ac56d4ca6e17790f1b1677f978c0c6808b1900a5b138885d3da21732f62e30e8f0d9120fcf8f6edfff5100ca902b46f8dd7c1e3f903728634523981e80e2885a
-  languageName: node
-  linkType: hard
-
-"@xtuc/long@npm:4.2.2":
-  version: 4.2.2
-  resolution: "@xtuc/long@npm:4.2.2"
-  checksum: 8ed0d477ce3bc9c6fe2bf6a6a2cc316bb9c4127c5a7827bae947fa8ec34c7092395c5a283cc300c05b5fa01cbbfa1f938f410a7bf75db7c7846fea41949989ec
-  languageName: node
-  linkType: hard
-
-"JSV@npm:^4.0.x":
-  version: 4.0.2
-  resolution: "JSV@npm:4.0.2"
-  checksum: 9e2e070b2149d4ffed6c135dedb5f8cebb870dc63c0ca6d3cb647067248c7ca15d1a934ee46e9d2ac0e468436d0f70bc1b63cd5f93e705ee9aa0669430e6e66f
-  languageName: node
-  linkType: hard
-
-"abab@npm:^2.0.3, abab@npm:^2.0.5":
-  version: 2.0.5
-  resolution: "abab@npm:2.0.5"
-  checksum: 0ec951b46d5418c2c2f923021ec193eaebdb4e802ffd5506286781b454be722a13a8430f98085cd3e204918401d9130ec6cc8f5ae19be315b3a0e857d83196e1
-  languageName: node
-  linkType: hard
-
-"abbrev@npm:1, abbrev@npm:^1.0.0":
-  version: 1.1.1
-  resolution: "abbrev@npm:1.1.1"
-  checksum: a4a97ec07d7ea112c517036882b2ac22f3109b7b19077dc656316d07d308438aac28e4d9746dc4d84bf6b1e75b4a7b0a5f3cb30592419f128ca9a8cee3bcfa17
-  languageName: node
-  linkType: hard
-
-"abortcontroller-polyfill@npm:^1.7.3":
-  version: 1.7.3
-  resolution: "abortcontroller-polyfill@npm:1.7.3"
-  checksum: 55739d7f0c9bd6afa2aabb3148778967c4dd4dcff91f6b9259df38da34f9882d3f7730b0954e9767a19cc16a8dd9a58915da4e8a50220300d45af3817d7557b1
-  languageName: node
-  linkType: hard
-
-"accepts@npm:~1.3.4, accepts@npm:~1.3.5, accepts@npm:~1.3.7":
-  version: 1.3.7
-  resolution: "accepts@npm:1.3.7"
-  dependencies:
-    mime-types: ~2.1.24
-    negotiator: 0.6.2
-  checksum: 27fc8060ffc69481ff6719cd3ee06387d2b88381cb0ce626f087781bbd02201a645a9febc8e7e7333558354b33b1d2f922ad13560be4ec1b7ba9e76fc1c1241d
-  languageName: node
-  linkType: hard
-
-"accepts@npm:~1.3.8":
-  version: 1.3.8
-  resolution: "accepts@npm:1.3.8"
-  dependencies:
-    mime-types: ~2.1.34
-    negotiator: 0.6.3
-  checksum: 50c43d32e7b50285ebe84b613ee4a3aa426715a7d131b65b786e2ead0fd76b6b60091b9916d3478a75f11f162628a2139991b6c03ab3f1d9ab7c86075dc8eab4
-  languageName: node
-  linkType: hard
-
-"acorn-dynamic-import@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "acorn-dynamic-import@npm:3.0.0"
-  dependencies:
-    acorn: ^5.0.0
-  checksum: 60ba19103fdaa87e048a9480238faefd451dc39e21cf079812acd5e59ca064619a8c905b274f095b7c686736605547b089c6a5b75e926202afb8a4392d012659
-  languageName: node
-  linkType: hard
-
-"acorn-globals@npm:^6.0.0":
-  version: 6.0.0
-  resolution: "acorn-globals@npm:6.0.0"
-  dependencies:
-    acorn: ^7.1.1
-    acorn-walk: ^7.1.1
-  checksum: 72d95e5b5e585f9acd019b993ab8bbba68bb3cbc9d9b5c1ebb3c2f1fe5981f11deababfb4949f48e6262f9c57878837f5958c0cca396f81023814680ca878042
-  languageName: node
-  linkType: hard
-
-"acorn-import-assertions@npm:^1.7.6":
-  version: 1.8.0
-  resolution: "acorn-import-assertions@npm:1.8.0"
-  peerDependencies:
-    acorn: ^8
-  checksum: 5c4cf7c850102ba7ae0eeae0deb40fb3158c8ca5ff15c0bca43b5c47e307a1de3d8ef761788f881343680ea374631ae9e9615ba8876fee5268dbe068c98bcba6
-  languageName: node
-  linkType: hard
-
-"acorn-jsx@npm:^5.3.2":
-  version: 5.3.2
-  resolution: "acorn-jsx@npm:5.3.2"
-  peerDependencies:
-    acorn: ^6.0.0 || ^7.0.0 || ^8.0.0
-  checksum: c3d3b2a89c9a056b205b69530a37b972b404ee46ec8e5b341666f9513d3163e2a4f214a71f4dfc7370f5a9c07472d2fd1c11c91c3f03d093e37637d95da98950
-  languageName: node
-  linkType: hard
-
-"acorn-walk@npm:^7.1.1":
-  version: 7.2.0
-  resolution: "acorn-walk@npm:7.2.0"
-  checksum: 9252158a79b9d92f1bc0dd6acc0fcfb87a67339e84bcc301bb33d6078936d27e35d606b4d35626d2962cd43c256d6f27717e70cbe15c04fff999ab0b2260b21f
-  languageName: node
-  linkType: hard
-
-"acorn@npm:^5.0.0, acorn@npm:^5.1.1, acorn@npm:^5.5.3":
-  version: 5.7.4
-  resolution: "acorn@npm:5.7.4"
-  bin:
-    acorn: bin/acorn
-  checksum: f51392a4d25c7705fadb890f784c59cde4ac1c5452ccd569fa59bd2191b7951b4a6398348ab7ea08a54f0bc0a56c13776710f4e1bae9de441e4d33e2015ad1e0
-  languageName: node
-  linkType: hard
-
-"acorn@npm:^6.4.1":
-  version: 6.4.2
-  resolution: "acorn@npm:6.4.2"
-  bin:
-    acorn: bin/acorn
-  checksum: 44b07053729db7f44d28343eed32247ed56dc4a6ec6dff2b743141ecd6b861406bbc1c20bf9d4f143ea7dd08add5dc8c290582756539bc03a8db605050ce2fb4
-  languageName: node
-  linkType: hard
-
-"acorn@npm:^7.1.0, acorn@npm:^7.1.1":
-  version: 7.4.1
-  resolution: "acorn@npm:7.4.1"
-  bin:
-    acorn: bin/acorn
-  checksum: 1860f23c2107c910c6177b7b7be71be350db9e1080d814493fae143ae37605189504152d1ba8743ba3178d0b37269ce1ffc42b101547fdc1827078f82671e407
-  languageName: node
-  linkType: hard
-
-"acorn@npm:^8.1.0":
-  version: 8.2.2
-  resolution: "acorn@npm:8.2.2"
-  bin:
-    acorn: bin/acorn
-  checksum: 46d3205ed296fa544b3d3f57880929ca7f7207e9aed7444ff1d73c21c7964e0c24a507799c334c0ab947cec3acb6dc9b831ec3ad01853e7db3da71ccdf4337f3
-  languageName: node
-  linkType: hard
-
-"acorn@npm:^8.5.0":
-  version: 8.7.1
-  resolution: "acorn@npm:8.7.1"
-  bin:
-    acorn: bin/acorn
-  checksum: aca0aabf98826717920ac2583fdcad0a6fbe4e583fdb6e843af2594e907455aeafe30b1e14f1757cd83ce1776773cf8296ffc3a4acf13f0bd3dfebcf1db6ae80
-  languageName: node
-  linkType: hard
-
-"acorn@npm:^8.7.1":
-  version: 8.8.2
-  resolution: "acorn@npm:8.8.2"
-  bin:
-    acorn: bin/acorn
-  checksum: f790b99a1bf63ef160c967e23c46feea7787e531292bb827126334612c234ed489a0dc2c7ba33156416f0ffa8d25bf2b0fdb7f35c2ba60eb3e960572bece4001
-  languageName: node
-  linkType: hard
-
-"acorn@npm:^8.8.0":
-  version: 8.8.1
-  resolution: "acorn@npm:8.8.1"
-  bin:
-    acorn: bin/acorn
-  checksum: 4079b67283b94935157698831967642f24a075c52ce3feaaaafe095776dfbe15d86a1b33b1e53860fc0d062ed6c83f4284a5c87c85b9ad51853a01173da6097f
-  languageName: node
-  linkType: hard
-
-"acorn@npm:^8.9.0":
-  version: 8.10.0
-  resolution: "acorn@npm:8.10.0"
-  bin:
-    acorn: bin/acorn
-  checksum: 538ba38af0cc9e5ef983aee196c4b8b4d87c0c94532334fa7e065b2c8a1f85863467bb774231aae91613fcda5e68740c15d97b1967ae3394d20faddddd8af61d
-  languageName: node
-  linkType: hard
-
-"agent-base@npm:6, agent-base@npm:^6.0.2":
-  version: 6.0.2
-  resolution: "agent-base@npm:6.0.2"
-  dependencies:
-    debug: 4
-  checksum: f52b6872cc96fd5f622071b71ef200e01c7c4c454ee68bc9accca90c98cfb39f2810e3e9aa330435835eedc8c23f4f8a15267f67c6e245d2b33757575bdac49d
-  languageName: node
-  linkType: hard
-
-"agent-base@npm:^4.3.0":
-  version: 4.3.0
-  resolution: "agent-base@npm:4.3.0"
-  dependencies:
-    es6-promisify: ^5.0.0
-  checksum: 0c10891060e579c67efafd6b62223666c4b4129b521eac3e9ad272a137545bcedb54ce352273b7ad21a0024060e4f1360ae9a465ac87e2af18883c937d39979f
-  languageName: node
-  linkType: hard
-
-"agentkeepalive@npm:^4.2.1":
-  version: 4.3.0
-  resolution: "agentkeepalive@npm:4.3.0"
-  dependencies:
-    debug: ^4.1.0
-    depd: ^2.0.0
-    humanize-ms: ^1.2.1
-  checksum: 982453aa44c11a06826c836025e5162c846e1200adb56f2d075400da7d32d87021b3b0a58768d949d824811f5654223d5a8a3dad120921a2439625eb847c6260
-  languageName: node
-  linkType: hard
-
-"aggregate-error@npm:^3.0.0":
-  version: 3.1.0
-  resolution: "aggregate-error@npm:3.1.0"
-  dependencies:
-    clean-stack: ^2.0.0
-    indent-string: ^4.0.0
-  checksum: 1101a33f21baa27a2fa8e04b698271e64616b886795fd43c31068c07533c7b3facfcaf4e9e0cab3624bd88f729a592f1c901a1a229c9e490eafce411a8644b79
-  languageName: node
-  linkType: hard
-
-"ajv-errors@npm:^1.0.0":
-  version: 1.0.1
-  resolution: "ajv-errors@npm:1.0.1"
-  peerDependencies:
-    ajv: ">=5.0.0"
-  checksum: 2c9fc02cf58f9aae5bace61ebd1b162e1ea372ae9db5999243ba5e32a9a78c0d635d29ae085f652c61c941a43af0b2b1acdb255e29d44dc43a6e021085716d8c
-  languageName: node
-  linkType: hard
-
-"ajv-formats@npm:^2.1.1":
-  version: 2.1.1
-  resolution: "ajv-formats@npm:2.1.1"
-  dependencies:
-    ajv: ^8.0.0
-  peerDependencies:
-    ajv: ^8.0.0
-  peerDependenciesMeta:
-    ajv:
-      optional: true
-  checksum: 4a287d937f1ebaad4683249a4c40c0fa3beed30d9ddc0adba04859026a622da0d317851316ea64b3680dc60f5c3c708105ddd5d5db8fe595d9d0207fd19f90b7
-  languageName: node
-  linkType: hard
-
-"ajv-keywords@npm:^3.1.0, ajv-keywords@npm:^3.4.1, ajv-keywords@npm:^3.5.2":
-  version: 3.5.2
-  resolution: "ajv-keywords@npm:3.5.2"
-  peerDependencies:
-    ajv: ^6.9.1
-  checksum: 7dc5e5931677a680589050f79dcbe1fefbb8fea38a955af03724229139175b433c63c68f7ae5f86cf8f65d55eb7c25f75a046723e2e58296707617ca690feae9
-  languageName: node
-  linkType: hard
-
-"ajv-keywords@npm:^5.0.0":
-  version: 5.1.0
-  resolution: "ajv-keywords@npm:5.1.0"
-  dependencies:
-    fast-deep-equal: ^3.1.3
-  peerDependencies:
-    ajv: ^8.8.2
-  checksum: c35193940b853119242c6757787f09ecf89a2c19bcd36d03ed1a615e710d19d450cb448bfda407b939aba54b002368c8bff30529cc50a0536a8e10bcce300421
-  languageName: node
-  linkType: hard
-
-"ajv@npm:^6.1.0, ajv@npm:^6.10.0, ajv@npm:^6.10.2, ajv@npm:^6.12.3, ajv@npm:^6.12.4, ajv@npm:^6.12.5":
-  version: 6.12.6
-  resolution: "ajv@npm:6.12.6"
-  dependencies:
-    fast-deep-equal: ^3.1.1
-    fast-json-stable-stringify: ^2.0.0
-    json-schema-traverse: ^0.4.1
-    uri-js: ^4.2.2
-  checksum: 874972efe5c4202ab0a68379481fbd3d1b5d0a7bd6d3cc21d40d3536ebff3352a2a1fabb632d4fd2cc7fe4cbdcd5ed6782084c9bbf7f32a1536d18f9da5007d4
-  languageName: node
-  linkType: hard
-
-"ajv@npm:^8.0.0, ajv@npm:^8.8.0":
-  version: 8.11.0
-  resolution: "ajv@npm:8.11.0"
-  dependencies:
-    fast-deep-equal: ^3.1.1
-    json-schema-traverse: ^1.0.0
-    require-from-string: ^2.0.2
-    uri-js: ^4.2.2
-  checksum: 5e0ff226806763be73e93dd7805b634f6f5921e3e90ca04acdf8db81eed9d8d3f0d4c5f1213047f45ebbf8047ffe0c840fa1ef2ec42c3a644899f69aa72b5bef
-  languageName: node
-  linkType: hard
-
-"ajv@npm:^8.0.1":
-  version: 8.2.0
-  resolution: "ajv@npm:8.2.0"
-  dependencies:
-    fast-deep-equal: ^3.1.1
-    json-schema-traverse: ^1.0.0
-    require-from-string: ^2.0.2
-    uri-js: ^4.2.2
-  checksum: 36994bc227aac4c29ff967de5d53f087449ffab62d66f782f99c6aad8ac1d58db4eb7b0f78ce7961492eae00be51c2384b38b69e099d1021d41b2353dce91417
-  languageName: node
-  linkType: hard
-
-"amd-name-resolver@npm:1.2.0":
-  version: 1.2.0
-  resolution: "amd-name-resolver@npm:1.2.0"
-  dependencies:
-    ensure-posix-path: ^1.0.1
-  checksum: f84474670f4ee5c36f78ed0fe3ff64039ff5c489e6c9a1b595fac32ede3ca33ec3c20ab58361f6ae7f191e5bff0347ac9dcff480f17824482d458bed6f7db6b9
-  languageName: node
-  linkType: hard
-
-"amd-name-resolver@npm:1.3.1, amd-name-resolver@npm:^1.2.0, amd-name-resolver@npm:^1.3.1":
-  version: 1.3.1
-  resolution: "amd-name-resolver@npm:1.3.1"
-  dependencies:
-    ensure-posix-path: ^1.0.1
-    object-hash: ^1.3.1
-  checksum: c48f68922f394078acaac97f1691a46dcb94fa3d5ee47b9a0c5b81bf66073005b75b5784f93ed6c1081b0afa92d41a5c581073960dbde9baa80b8abef4cccb2b
-  languageName: node
-  linkType: hard
-
-"amd-name-resolver@npm:^0.0.6":
-  version: 0.0.6
-  resolution: "amd-name-resolver@npm:0.0.6"
-  dependencies:
-    ensure-posix-path: ^1.0.1
-  checksum: f0e4f03654b2b523a35a3ba5ae5fc6c9f637242cea75ef6470baea5f997a9206e60e23489f7d1c5adc4c3ac88c25008ca7ec4a92cf21b23b253141e2962c990c
-  languageName: node
-  linkType: hard
-
-"amdefine@npm:>=0.0.4":
-  version: 1.0.1
-  resolution: "amdefine@npm:1.0.1"
-  checksum: 9d4e15b94641643a9385b2841b4cb2bcf4e8e2f741ea4bd475c93ad7bab261ad4ed827a32e9c549b38b98759c4526c173ae4e6dde8caeb75ee5cebedc9863762
-  languageName: node
-  linkType: hard
-
-"anchor-markdown-header@npm:^0.5.7":
-  version: 0.5.7
-  resolution: "anchor-markdown-header@npm:0.5.7"
-  dependencies:
-    emoji-regex: ~6.1.0
-  checksum: 97ed56c61ca8aacca635378de4959fd95929c4966f96e6483df06d5b22b541924e91569c819c49cbed8e8684b3b77eb5760216bc9bd11e54bb58389ce29cedaa
-  languageName: node
-  linkType: hard
-
-"ansi-colors@npm:^4.1.1":
-  version: 4.1.1
-  resolution: "ansi-colors@npm:4.1.1"
-  checksum: 138d04a51076cb085da0a7e2d000c5c0bb09f6e772ed5c65c53cb118d37f6c5f1637506d7155fb5f330f0abcf6f12fa2e489ac3f8cdab9da393bf1bb4f9a32b0
-  languageName: node
-  linkType: hard
-
-"ansi-escapes@npm:^3.2.0":
-  version: 3.2.0
-  resolution: "ansi-escapes@npm:3.2.0"
-  checksum: 0f94695b677ea742f7f1eed961f7fd8d05670f744c6ad1f8f635362f6681dcfbc1575cb05b43abc7bb6d67e25a75fb8c7ea8f2a57330eb2c76b33f18cb2cef0a
-  languageName: node
-  linkType: hard
-
-"ansi-escapes@npm:^4.2.1, ansi-escapes@npm:^4.3.0":
-  version: 4.3.2
-  resolution: "ansi-escapes@npm:4.3.2"
-  dependencies:
-    type-fest: ^0.21.3
-  checksum: 93111c42189c0a6bed9cdb4d7f2829548e943827ee8479c74d6e0b22ee127b2a21d3f8b5ca57723b8ef78ce011fbfc2784350eb2bde3ccfccf2f575fa8489815
-  languageName: node
-  linkType: hard
-
-"ansi-html@npm:^0.0.7":
-  version: 0.0.7
-  resolution: "ansi-html@npm:0.0.7"
-  bin:
-    ansi-html: ./bin/ansi-html
-  checksum: 9b839ce99650b4c2d83621d67d68622d27e7948b54f7a4386f2218a3997ee4e684e5a6e8d290880c3f3260e8d90c2613c59c7028f04992ad5c8d99d3a0fcc02c
-  languageName: node
-  linkType: hard
-
-"ansi-regex@npm:^2.0.0":
-  version: 2.1.1
-  resolution: "ansi-regex@npm:2.1.1"
-  checksum: 190abd03e4ff86794f338a31795d262c1dfe8c91f7e01d04f13f646f1dcb16c5800818f886047876f1272f065570ab86b24b99089f8b68a0e11ff19aed4ca8f1
-  languageName: node
-  linkType: hard
-
-"ansi-regex@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "ansi-regex@npm:3.0.0"
-  checksum: 2ad11c416f81c39f5c65eafc88cf1d71aa91d76a2f766e75e457c2a3c43e8a003aadbf2966b61c497aa6a6940a36412486c975b3270cdfc3f413b69826189ec3
-  languageName: node
-  linkType: hard
-
-"ansi-regex@npm:^4.1.0":
-  version: 4.1.0
-  resolution: "ansi-regex@npm:4.1.0"
-  checksum: 97aa4659538d53e5e441f5ef2949a3cffcb838e57aeaad42c4194e9d7ddb37246a6526c4ca85d3940a9d1e19b11cc2e114530b54c9d700c8baf163c31779baf8
-  languageName: node
-  linkType: hard
-
-"ansi-regex@npm:^5.0.0":
-  version: 5.0.0
-  resolution: "ansi-regex@npm:5.0.0"
-  checksum: b1bb4e992a5d96327bb4f72eaba9f8047f1d808d273ad19d399e266bfcc7fb19a4d1a127a32f7bc61fe46f1a94a4d04ec4c424e3fbe184929aa866323d8ed4ce
-  languageName: node
-  linkType: hard
-
-"ansi-regex@npm:^5.0.1":
-  version: 5.0.1
-  resolution: "ansi-regex@npm:5.0.1"
-  checksum: 2aa4bb54caf2d622f1afdad09441695af2a83aa3fe8b8afa581d205e57ed4261c183c4d3877cee25794443fde5876417d859c108078ab788d6af7e4fe52eb66b
-  languageName: node
-  linkType: hard
-
-"ansi-styles@npm:^2.2.1":
-  version: 2.2.1
-  resolution: "ansi-styles@npm:2.2.1"
-  checksum: ebc0e00381f2a29000d1dac8466a640ce11943cef3bda3cd0020dc042e31e1058ab59bf6169cd794a54c3a7338a61ebc404b7c91e004092dd20e028c432c9c2c
-  languageName: node
-  linkType: hard
-
-"ansi-styles@npm:^3.0.0, ansi-styles@npm:^3.2.0, ansi-styles@npm:^3.2.1":
-  version: 3.2.1
-  resolution: "ansi-styles@npm:3.2.1"
-  dependencies:
-    color-convert: ^1.9.0
-  checksum: d85ade01c10e5dd77b6c89f34ed7531da5830d2cb5882c645f330079975b716438cd7ebb81d0d6e6b4f9c577f19ae41ab55f07f19786b02f9dfd9e0377395665
-  languageName: node
-  linkType: hard
-
-"ansi-styles@npm:^4.0.0, ansi-styles@npm:^4.1.0":
-  version: 4.3.0
-  resolution: "ansi-styles@npm:4.3.0"
-  dependencies:
-    color-convert: ^2.0.1
-  checksum: 513b44c3b2105dd14cc42a19271e80f386466c4be574bccf60b627432f9198571ebf4ab1e4c3ba17347658f4ee1711c163d574248c0c1cdc2d5917a0ad582ec4
-  languageName: node
-  linkType: hard
-
-"ansi-styles@npm:~1.0.0":
-  version: 1.0.0
-  resolution: "ansi-styles@npm:1.0.0"
-  checksum: 6dd47dccb268b4cc1fd0dd6617067a7acd34ad2761f0438800fdd55c0d45f50a90787acd82806009c2bf467f4e2920166be03e19b23529038c1c4527d80f598b
-  languageName: node
-  linkType: hard
-
-"ansi-to-html@npm:^0.6.15, ansi-to-html@npm:^0.6.6":
-  version: 0.6.15
-  resolution: "ansi-to-html@npm:0.6.15"
-  dependencies:
-    entities: ^2.0.0
-  bin:
-    ansi-to-html: bin/ansi-to-html
-  checksum: c899362a29b92c8ae075b72168b826f7c233875b475719304942f80695e0ce4a6812845021192da5fb0ac80b10209b4fae5aede42620a1b1b3d3b30f3ef77a86
-  languageName: node
-  linkType: hard
-
-"ansicolors@npm:~0.2.1":
-  version: 0.2.1
-  resolution: "ansicolors@npm:0.2.1"
-  checksum: 7120ca45a780cf17d786070874776637adcc107cf2bb9b38934f92d88cb5c3d16e1e7092708ba0f64f2031e6c10844c26e8a13d9e27f7b058c36ad8950cbfd02
-  languageName: node
-  linkType: hard
-
-"anymatch@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "anymatch@npm:2.0.0"
-  dependencies:
-    micromatch: ^3.1.4
-    normalize-path: ^2.1.1
-  checksum: f7bb1929842b4585cdc28edbb385767d499ce7d673f96a8f11348d2b2904592ffffc594fe9229b9a1e9e4dccb9329b7692f9f45e6a11dcefbb76ecdc9ab740f6
-  languageName: node
-  linkType: hard
-
-"anymatch@npm:^3.1.1, anymatch@npm:~3.1.1":
-  version: 3.1.2
-  resolution: "anymatch@npm:3.1.2"
-  dependencies:
-    normalize-path: ^3.0.0
-    picomatch: ^2.0.4
-  checksum: 985163db2292fac9e5a1e072bf99f1b5baccf196e4de25a0b0b81865ebddeb3b3eb4480734ef0a2ac8c002845396b91aa89121f5b84f93981a4658164a9ec6e9
-  languageName: node
-  linkType: hard
-
-"anymatch@npm:~3.1.2":
-  version: 3.1.3
-  resolution: "anymatch@npm:3.1.3"
-  dependencies:
-    normalize-path: ^3.0.0
-    picomatch: ^2.0.4
-  checksum: 3e044fd6d1d26545f235a9fe4d7a534e2029d8e59fa7fd9f2a6eb21230f6b5380ea1eaf55136e60cbf8e613544b3b766e7a6fa2102e2a3a117505466e3025dc2
-  languageName: node
-  linkType: hard
-
-"aproba@npm:^1.0.3 || ^2.0.0":
-  version: 2.0.0
-  resolution: "aproba@npm:2.0.0"
-  checksum: 5615cadcfb45289eea63f8afd064ab656006361020e1735112e346593856f87435e02d8dcc7ff0d11928bc7d425f27bc7c2a84f6c0b35ab0ff659c814c138a24
-  languageName: node
-  linkType: hard
-
-"aproba@npm:^1.1.1":
-  version: 1.2.0
-  resolution: "aproba@npm:1.2.0"
-  checksum: 0fca141966559d195072ed047658b6e6c4fe92428c385dd38e288eacfc55807e7b4989322f030faff32c0f46bb0bc10f1e0ac32ec22d25315a1e5bbc0ebb76dc
-  languageName: node
-  linkType: hard
-
-"are-we-there-yet@npm:^3.0.0":
-  version: 3.0.1
-  resolution: "are-we-there-yet@npm:3.0.1"
-  dependencies:
-    delegates: ^1.0.0
-    readable-stream: ^3.6.0
-  checksum: 52590c24860fa7173bedeb69a4c05fb573473e860197f618b9a28432ee4379049336727ae3a1f9c4cb083114601c1140cee578376164d0e651217a9843f9fe83
-  languageName: node
-  linkType: hard
-
-"argparse@npm:^1.0.7":
-  version: 1.0.10
-  resolution: "argparse@npm:1.0.10"
-  dependencies:
-    sprintf-js: ~1.0.2
-  checksum: 7ca6e45583a28de7258e39e13d81e925cfa25d7d4aacbf806a382d3c02fcb13403a07fb8aeef949f10a7cfe4a62da0e2e807b348a5980554cc28ee573ef95945
-  languageName: node
-  linkType: hard
-
-"argparse@npm:^2.0.1":
-  version: 2.0.1
-  resolution: "argparse@npm:2.0.1"
-  checksum: 83644b56493e89a254bae05702abf3a1101b4fa4d0ca31df1c9985275a5a5bd47b3c27b7fa0b71098d41114d8ca000e6ed90cad764b306f8a503665e4d517ced
-  languageName: node
-  linkType: hard
-
-"aria-query@npm:^5.0.2":
-  version: 5.1.3
-  resolution: "aria-query@npm:5.1.3"
-  dependencies:
-    deep-equal: ^2.0.5
-  checksum: 929ff95f02857b650fb4cbcd2f41072eee2f46159a6605ea03bf63aa572e35ffdff43d69e815ddc462e16e07de8faba3978afc2813650b4448ee18c9895d982b
-  languageName: node
-  linkType: hard
-
-"arr-diff@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "arr-diff@npm:4.0.0"
-  checksum: ea7c8834842ad3869297f7915689bef3494fd5b102ac678c13ffccab672d3d1f35802b79e90c4cfec2f424af3392e44112d1ccf65da34562ed75e049597276a0
-  languageName: node
-  linkType: hard
-
-"arr-flatten@npm:^1.1.0":
-  version: 1.1.0
-  resolution: "arr-flatten@npm:1.1.0"
-  checksum: 963fe12564fca2f72c055f3f6c206b9e031f7c433a0c66ca9858b484821f248c5b1e5d53c8e4989d80d764cd776cf6d9b160ad05f47bdc63022bfd63b5455e22
-  languageName: node
-  linkType: hard
-
-"arr-union@npm:^3.1.0":
-  version: 3.1.0
-  resolution: "arr-union@npm:3.1.0"
-  checksum: b5b0408c6eb7591143c394f3be082fee690ddd21f0fdde0a0a01106799e847f67fcae1b7e56b0a0c173290e29c6aca9562e82b300708a268bc8f88f3d6613cb9
-  languageName: node
-  linkType: hard
-
-"array-buffer-byte-length@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "array-buffer-byte-length@npm:1.0.0"
-  dependencies:
-    call-bind: ^1.0.2
-    is-array-buffer: ^3.0.1
-  checksum: 044e101ce150f4804ad19c51d6c4d4cfa505c5b2577bd179256e4aa3f3f6a0a5e9874c78cd428ee566ac574c8a04d7ce21af9fe52e844abfdccb82b33035a7c3
-  languageName: node
-  linkType: hard
-
-"array-equal@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "array-equal@npm:1.0.0"
-  checksum: 3f68045806357db9b2fa1ad583e42a659de030633118a0cd35ee4975cb20db3b9a3d36bbec9b5afe70011cf989eefd215c12fe0ce08c498f770859ca6e70688a
-  languageName: node
-  linkType: hard
-
-"array-flatten@npm:1.1.1":
-  version: 1.1.1
-  resolution: "array-flatten@npm:1.1.1"
-  checksum: a9925bf3512d9dce202112965de90c222cd59a4fbfce68a0951d25d965cf44642931f40aac72309c41f12df19afa010ecadceb07cfff9ccc1621e99d89ab5f3b
-  languageName: node
-  linkType: hard
-
-"array-from@npm:^2.1.1":
-  version: 2.1.1
-  resolution: "array-from@npm:2.1.1"
-  checksum: 4cd5fa27aa6133b99a57c2881d2a8a66ec59b8e17a0c900f7e8ac9a0a2fae450ed682b67435467bfa71ac9328d025a760c5c46a95586a352180c5a79fc13015d
-  languageName: node
-  linkType: hard
-
-"array-to-error@npm:^1.0.0":
-  version: 1.1.1
-  resolution: "array-to-error@npm:1.1.1"
-  dependencies:
-    array-to-sentence: ^1.1.0
-  checksum: c476c79249b4852f4ae6e2cff1463c3343986d1324e273c6404ccea1748a5b1900d05e774fc84f3f29c964aa4d36702d5c0426034856197da73557797c947e0f
-  languageName: node
-  linkType: hard
-
-"array-to-sentence@npm:^1.1.0":
-  version: 1.1.0
-  resolution: "array-to-sentence@npm:1.1.0"
-  checksum: 7252ed7b93c6c5f07afcc67feef34b68f9b0b744f00fc7317e6d12f2c3320dc5417cedfc0c23497cc867ebdeca0573486ca8e6b09a515c5e6a90e860c668f2b6
-  languageName: node
-  linkType: hard
-
-"array-union@npm:^2.1.0":
-  version: 2.1.0
-  resolution: "array-union@npm:2.1.0"
-  checksum: 5bee12395cba82da674931df6d0fea23c4aa4660cb3b338ced9f828782a65caa232573e6bf3968f23e0c5eb301764a382cef2f128b170a9dc59de0e36c39f98d
-  languageName: node
-  linkType: hard
-
-"array-unique@npm:^0.3.2":
-  version: 0.3.2
-  resolution: "array-unique@npm:0.3.2"
-  checksum: da344b89cfa6b0a5c221f965c21638bfb76b57b45184a01135382186924f55973cd9b171d4dad6bf606c6d9d36b0d721d091afdc9791535ead97ccbe78f8a888
-  languageName: node
-  linkType: hard
-
-"arrify@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "arrify@npm:1.0.1"
-  checksum: 745075dd4a4624ff0225c331dacb99be501a515d39bcb7c84d24660314a6ec28e68131b137e6f7e16318170842ce97538cd298fc4cd6b2cc798e0b957f2747e7
-  languageName: node
-  linkType: hard
-
-"arrify@npm:^2.0.1":
-  version: 2.0.1
-  resolution: "arrify@npm:2.0.1"
-  checksum: 067c4c1afd182806a82e4c1cb8acee16ab8b5284fbca1ce29408e6e91281c36bb5b612f6ddfbd40a0f7a7e0c75bf2696eb94c027f6e328d6e9c52465c98e4209
-  languageName: node
-  linkType: hard
-
-"asn1.js@npm:^5.2.0":
-  version: 5.4.1
-  resolution: "asn1.js@npm:5.4.1"
-  dependencies:
-    bn.js: ^4.0.0
-    inherits: ^2.0.1
-    minimalistic-assert: ^1.0.0
-    safer-buffer: ^2.1.0
-  checksum: 3786a101ac6f304bd4e9a7df79549a7561950a13d4bcaec0c7790d44c80d147c1a94ba3d4e663673406064642a40b23fcd6c82a9952468e386c1a1376d747f9a
-  languageName: node
-  linkType: hard
-
-"asn1@npm:~0.2.3":
-  version: 0.2.4
-  resolution: "asn1@npm:0.2.4"
-  dependencies:
-    safer-buffer: ~2.1.0
-  checksum: aa5d6f77b1e0597df53824c68cfe82d1d89ce41cb3520148611f025fbb3101b2d25dd6a40ad34e4fac10f6b19ed5e8628cd4b7d212261e80e83f02b39ee5663c
-  languageName: node
-  linkType: hard
-
-"asn1js@npm:^2.1.1, asn1js@npm:^2.2.0":
-  version: 2.2.0
-  resolution: "asn1js@npm:2.2.0"
-  dependencies:
-    pvutils: latest
-  checksum: 936e233b7453d7e9805c1637f02da7145d73d5158105710f9bc79efaf51aa935a8bce87b0efed59da4c32fc304bfe28eb22fad1e1bf2f926478e110c6f3da240
-  languageName: node
-  linkType: hard
-
-"assert-never@npm:^1.1.0, assert-never@npm:^1.2.1":
-  version: 1.2.1
-  resolution: "assert-never@npm:1.2.1"
-  checksum: ea4f1756d90f55254c4dc7a20d6c5d5bc169160562aefe3d8756b598c10e695daf568f21b6d6b12245d7f3782d3ff83ef6a01ab75d487adfc6909470a813bf8c
-  languageName: node
-  linkType: hard
-
-"assert-plus@npm:1.0.0, assert-plus@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "assert-plus@npm:1.0.0"
-  checksum: 19b4340cb8f0e6a981c07225eacac0e9d52c2644c080198765d63398f0075f83bbc0c8e95474d54224e297555ad0d631c1dcd058adb1ddc2437b41a6b424ac64
-  languageName: node
-  linkType: hard
-
-"assert@npm:^1.1.1":
-  version: 1.5.0
-  resolution: "assert@npm:1.5.0"
-  dependencies:
-    object-assign: ^4.1.1
-    util: 0.10.3
-  checksum: 9be48435f726029ae7020c5888a3566bf4d617687aab280827f2e4029644b6515a9519ea10d018b342147c02faf73d9e9419e780e8937b3786ee4945a0ca71e5
-  languageName: node
-  linkType: hard
-
-"assign-symbols@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "assign-symbols@npm:1.0.0"
-  checksum: c0eb895911d05b6b2d245154f70461c5e42c107457972e5ebba38d48967870dee53bcdf6c7047990586daa80fab8dab3cc6300800fbd47b454247fdedd859a2c
-  languageName: node
-  linkType: hard
-
-"ast-metadata-inferer@npm:^0.7.0":
-  version: 0.7.0
-  resolution: "ast-metadata-inferer@npm:0.7.0"
-  dependencies:
-    "@mdn/browser-compat-data": ^3.3.14
-  checksum: 9bb633b680d537cd6d5066e48ed6ae68d7ddae663a380bdba78d4f40b53d4c03845dc3a7307d55ecf1248b447ee28d62bb20ade8b880abc2df629cda9414e32e
-  languageName: node
-  linkType: hard
-
-"ast-types@npm:0.13.3":
-  version: 0.13.3
-  resolution: "ast-types@npm:0.13.3"
-  checksum: 23d08bc589aacb787e22ac7efc086ebcc158e739c057dac74de409a97e26ec9c5bcb2d0709f5678bd5d90f67d93f62fba0e5fe98161a0a3a7534d55a155544d8
-  languageName: node
-  linkType: hard
-
-"astral-regex@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "astral-regex@npm:2.0.0"
-  checksum: 876231688c66400473ba505731df37ea436e574dd524520294cc3bbc54ea40334865e01fa0d074d74d036ee874ee7e62f486ea38bc421ee8e6a871c06f011766
-  languageName: node
-  linkType: hard
-
-"async-disk-cache@npm:^1.2.1":
-  version: 1.3.5
-  resolution: "async-disk-cache@npm:1.3.5"
-  dependencies:
-    debug: ^2.1.3
-    heimdalljs: ^0.2.3
-    istextorbinary: 2.1.0
-    mkdirp: ^0.5.0
-    rimraf: ^2.5.3
-    rsvp: ^3.0.18
-    username-sync: ^1.0.2
-  checksum: 1844554469dc4a0abc855ad3c46296ccf105923186a662c47a85e5fa6a818a2693f2f941b903f2e28ab29895bd41596a81b42f670b71772a8134374f7459f51e
-  languageName: node
-  linkType: hard
-
-"async-disk-cache@npm:^2.0.0":
-  version: 2.1.0
-  resolution: "async-disk-cache@npm:2.1.0"
-  dependencies:
-    debug: ^4.1.1
-    heimdalljs: ^0.2.3
-    istextorbinary: ^2.5.1
-    mkdirp: ^0.5.0
-    rimraf: ^3.0.0
-    rsvp: ^4.8.5
-    username-sync: ^1.0.2
-  checksum: 08dbea2062961885d646d97f46a4309d8ca5254d326a7dd119c8769d31ccab063fa24acf08bce82e38e789997933e6480bcbf97be8e015023cd6685929b93bfb
-  languageName: node
-  linkType: hard
-
-"async-each@npm:^1.0.1":
-  version: 1.0.3
-  resolution: "async-each@npm:1.0.3"
-  checksum: 868651cfeb209970b367fbb96df1e1c8dc0b22c681cda7238417005ab2a5fbd944ee524b43f2692977259a57b7cc2547e03ff68f2b5113dbdf953d48cc078dc3
-  languageName: node
-  linkType: hard
-
-"async-promise-queue@npm:^1.0.3, async-promise-queue@npm:^1.0.5":
-  version: 1.0.5
-  resolution: "async-promise-queue@npm:1.0.5"
-  dependencies:
-    async: ^2.4.1
-    debug: ^2.6.8
-  checksum: 6f18b65e4bac8c12822d66c532aba6c8a8d81ee6e7d790bc7c399e882ff55b642a86379a58df9129db8560f57f76dea0af39b065f43568fb4bec4edf40e415a9
-  languageName: node
-  linkType: hard
-
-"async@npm:^2.4.1":
-  version: 2.6.3
-  resolution: "async@npm:2.6.3"
-  dependencies:
-    lodash: ^4.17.14
-  checksum: 5e5561ff8fca807e88738533d620488ac03a5c43fce6c937451f7e35f943d33ad06c24af3f681a48cca3d2b0002b3118faff0a128dc89438a9bf0226f712c499
-  languageName: node
-  linkType: hard
-
-"async@npm:^2.6.4":
-  version: 2.6.4
-  resolution: "async@npm:2.6.4"
-  dependencies:
-    lodash: ^4.17.14
-  checksum: a52083fb32e1ebe1d63e5c5624038bb30be68ff07a6c8d7dfe35e47c93fc144bd8652cbec869e0ac07d57dde387aa5f1386be3559cdee799cb1f789678d88e19
-  languageName: node
-  linkType: hard
-
-"async@npm:~0.2.9":
-  version: 0.2.10
-  resolution: "async@npm:0.2.10"
-  checksum: 9ea83419ba67dc4ecf42d4eb0d93ce0ac80a67cabb612f160ed096aef5d001e3184ec9e9be5d4dc39b2c51a34e2ae16f9b21d737068b0f615fccb4eea16d0138
-  languageName: node
-  linkType: hard
-
-"asynckit@npm:^0.4.0":
-  version: 0.4.0
-  resolution: "asynckit@npm:0.4.0"
-  checksum: 7b78c451df768adba04e2d02e63e2d0bf3b07adcd6e42b4cf665cb7ce899bedd344c69a1dcbce355b5f972d597b25aaa1c1742b52cffd9caccb22f348114f6be
-  languageName: node
-  linkType: hard
-
-"at-least-node@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "at-least-node@npm:1.0.0"
-  checksum: 463e2f8e43384f1afb54bc68485c436d7622acec08b6fad269b421cb1d29cebb5af751426793d0961ed243146fe4dc983402f6d5a51b720b277818dbf6f2e49e
-  languageName: node
-  linkType: hard
-
-"atob@npm:^2.1.2":
-  version: 2.1.2
-  resolution: "atob@npm:2.1.2"
-  bin:
-    atob: bin/atob.js
-  checksum: dfeeeb70090c5ebea7be4b9f787f866686c645d9f39a0d184c817252d0cf08455ed25267d79c03254d3be1f03ac399992a792edcd5ffb9c91e097ab5ef42833a
-  languageName: node
-  linkType: hard
-
-"autoprefixer@npm:^7.0.0":
-  version: 7.2.6
-  resolution: "autoprefixer@npm:7.2.6"
-  dependencies:
-    browserslist: ^2.11.3
-    caniuse-lite: ^1.0.30000805
-    normalize-range: ^0.1.2
-    num2fraction: ^1.2.2
-    postcss: ^6.0.17
-    postcss-value-parser: ^3.2.3
-  bin:
-    autoprefixer-info: ./bin/autoprefixer-info
-  checksum: 7ad12a58ca128d3e6b6dc5e4b3d83f2a12151216d30bcea1f1f2f8a91d2a019c58dd62fd039a6c1cf218f2ab557b03224703a4396c1b4f01b5c0818bc6ba4dd9
-  languageName: node
-  linkType: hard
-
-"autosize@npm:^4.0.0":
-  version: 4.0.2
-  resolution: "autosize@npm:4.0.2"
-  checksum: e19f1e64742cfd17d8dcd24b878871e36f1b295e4184ad7c5e036204b54c7a6346dd460e7c0b1562244632deb651394e79e656a144aa6fbc69803892713d550d
-  languageName: node
-  linkType: hard
-
-"available-typed-arrays@npm:^1.0.5":
-  version: 1.0.5
-  resolution: "available-typed-arrays@npm:1.0.5"
-  checksum: 20eb47b3cefd7db027b9bbb993c658abd36d4edd3fe1060e83699a03ee275b0c9b216cc076ff3f2db29073225fb70e7613987af14269ac1fe2a19803ccc97f1a
-  languageName: node
-  linkType: hard
-
-"aws-sign2@npm:~0.7.0":
-  version: 0.7.0
-  resolution: "aws-sign2@npm:0.7.0"
-  checksum: b148b0bb0778098ad8cf7e5fc619768bcb51236707ca1d3e5b49e41b171166d8be9fdc2ea2ae43d7decf02989d0aaa3a9c4caa6f320af95d684de9b548a71525
-  languageName: node
-  linkType: hard
-
-"aws4@npm:^1.8.0":
-  version: 1.11.0
-  resolution: "aws4@npm:1.11.0"
-  checksum: 5a00d045fd0385926d20ebebcfba5ec79d4482fe706f63c27b324d489a04c68edb0db99ed991e19eda09cb8c97dc2452059a34d97545cebf591d7a2b5a10999f
-  languageName: node
-  linkType: hard
-
-"babel-code-frame@npm:^6.26.0":
-  version: 6.26.0
-  resolution: "babel-code-frame@npm:6.26.0"
-  dependencies:
-    chalk: ^1.1.3
-    esutils: ^2.0.2
-    js-tokens: ^3.0.2
-  checksum: 9410c3d5a921eb02fa409675d1a758e493323a49e7b9dddb7a2a24d47e61d39ab1129dd29f9175836eac9ce8b1d4c0a0718fcdc57ce0b865b529fd250dbab313
-  languageName: node
-  linkType: hard
-
-"babel-core@npm:^6.26.0, babel-core@npm:^6.26.3":
-  version: 6.26.3
-  resolution: "babel-core@npm:6.26.3"
-  dependencies:
-    babel-code-frame: ^6.26.0
-    babel-generator: ^6.26.0
-    babel-helpers: ^6.24.1
-    babel-messages: ^6.23.0
-    babel-register: ^6.26.0
-    babel-runtime: ^6.26.0
-    babel-template: ^6.26.0
-    babel-traverse: ^6.26.0
-    babel-types: ^6.26.0
-    babylon: ^6.18.0
-    convert-source-map: ^1.5.1
-    debug: ^2.6.9
-    json5: ^0.5.1
-    lodash: ^4.17.4
-    minimatch: ^3.0.4
-    path-is-absolute: ^1.0.1
-    private: ^0.1.8
-    slash: ^1.0.0
-    source-map: ^0.5.7
-  checksum: 3d6a37e5c69ea7f7d66c2a261cbd7219197f2f938700e6ebbabb6d84a03f2bf86691ffa066866dcb49ba6c4bd702d347c9e0e147660847d709705cf43c964752
-  languageName: node
-  linkType: hard
-
-"babel-generator@npm:^6.26.0":
-  version: 6.26.1
-  resolution: "babel-generator@npm:6.26.1"
-  dependencies:
-    babel-messages: ^6.23.0
-    babel-runtime: ^6.26.0
-    babel-types: ^6.26.0
-    detect-indent: ^4.0.0
-    jsesc: ^1.3.0
-    lodash: ^4.17.4
-    source-map: ^0.5.7
-    trim-right: ^1.0.1
-  checksum: 5397f4d4d1243e7157e3336be96c10fcb1f29f73bf2d9842229c71764d9a6431397d249483a38c4d8b1581459e67be4df6f32d26b1666f02d0f5bfc2c2f25193
-  languageName: node
-  linkType: hard
-
-"babel-helper-builder-binary-assignment-operator-visitor@npm:^6.24.1":
-  version: 6.24.1
-  resolution: "babel-helper-builder-binary-assignment-operator-visitor@npm:6.24.1"
-  dependencies:
-    babel-helper-explode-assignable-expression: ^6.24.1
-    babel-runtime: ^6.22.0
-    babel-types: ^6.24.1
-  checksum: 6ef49597837d042980e78284df014972daac7f1f1f2635d978bb2d13990304322f5135f27b8f2d6eb8c4c2459b496ec76e21544e26afbb5dec88f53089e17476
-  languageName: node
-  linkType: hard
-
-"babel-helper-call-delegate@npm:^6.24.1":
-  version: 6.24.1
-  resolution: "babel-helper-call-delegate@npm:6.24.1"
-  dependencies:
-    babel-helper-hoist-variables: ^6.24.1
-    babel-runtime: ^6.22.0
-    babel-traverse: ^6.24.1
-    babel-types: ^6.24.1
-  checksum: b6277d6e48c10cf416632f6dfbac77bdf6ba8ec4ac2f6359a77d6b731dae941c2a3ec7f35e1eba78aad2a7e0838197731d1ef75af529055096c4cb7d96432c88
-  languageName: node
-  linkType: hard
-
-"babel-helper-define-map@npm:^6.24.1":
-  version: 6.26.0
-  resolution: "babel-helper-define-map@npm:6.26.0"
-  dependencies:
-    babel-helper-function-name: ^6.24.1
-    babel-runtime: ^6.26.0
-    babel-types: ^6.26.0
-    lodash: ^4.17.4
-  checksum: 08e201eb009a7dbd020232fb7468ac772ebb8cfd33ec9a41113a54f4c90fd1e3474497783d635b8f87d797706323ca0c1758c516a630b0c95277112fc2fe4f13
-  languageName: node
-  linkType: hard
-
-"babel-helper-explode-assignable-expression@npm:^6.24.1":
-  version: 6.24.1
-  resolution: "babel-helper-explode-assignable-expression@npm:6.24.1"
-  dependencies:
-    babel-runtime: ^6.22.0
-    babel-traverse: ^6.24.1
-    babel-types: ^6.24.1
-  checksum: 1bafdb51ce3dd95cf25d712d24a0c3c2ae02ff58118c77462f14ede4d8161aaee42c5c759c3d3a3344a5851b8b0f8d16b395713413b8194e1c3264fc5b12b754
-  languageName: node
-  linkType: hard
-
-"babel-helper-function-name@npm:^6.24.1":
-  version: 6.24.1
-  resolution: "babel-helper-function-name@npm:6.24.1"
-  dependencies:
-    babel-helper-get-function-arity: ^6.24.1
-    babel-runtime: ^6.22.0
-    babel-template: ^6.24.1
-    babel-traverse: ^6.24.1
-    babel-types: ^6.24.1
-  checksum: d651db9e0b29e135877e90e7858405750a684220d22a6f7c78bb163305a1b322cc1c8bea1bc617625c34d92d0927fdbaa49ee46822e2f86b524eced4c88c7ff0
-  languageName: node
-  linkType: hard
-
-"babel-helper-get-function-arity@npm:^6.24.1":
-  version: 6.24.1
-  resolution: "babel-helper-get-function-arity@npm:6.24.1"
-  dependencies:
-    babel-runtime: ^6.22.0
-    babel-types: ^6.24.1
-  checksum: 37e344d6c5c00b67a3b378490a5d7ba924bab1c2ccd6ecf1b7da96ca679be12d75fbec6279366ae9772e482fb06a7b48293954dd79cbeba9b947e2db67252fbd
-  languageName: node
-  linkType: hard
-
-"babel-helper-hoist-variables@npm:^6.24.1":
-  version: 6.24.1
-  resolution: "babel-helper-hoist-variables@npm:6.24.1"
-  dependencies:
-    babel-runtime: ^6.22.0
-    babel-types: ^6.24.1
-  checksum: 6af1c165d5f0ad192df07daa194d13de77572bd914d2fc9a270d56b93b2705d98eebabf412b1211505535af131fbe95886fcfad8b3a07b4d501c24b9cb8e57fe
-  languageName: node
-  linkType: hard
-
-"babel-helper-optimise-call-expression@npm:^6.24.1":
-  version: 6.24.1
-  resolution: "babel-helper-optimise-call-expression@npm:6.24.1"
-  dependencies:
-    babel-runtime: ^6.22.0
-    babel-types: ^6.24.1
-  checksum: 16e6aba819b473dbf013391f759497df9f57bc7060bc4e5f7f6b60fb03670eb1dec65dd2227601d58f151e9d647e1f676a12466f5e6674379978820fa02c0fbb
-  languageName: node
-  linkType: hard
-
-"babel-helper-regex@npm:^6.24.1":
-  version: 6.26.0
-  resolution: "babel-helper-regex@npm:6.26.0"
-  dependencies:
-    babel-runtime: ^6.26.0
-    babel-types: ^6.26.0
-    lodash: ^4.17.4
-  checksum: ab949a4c90ab255abaafd9ec11a4a6dc77dba360875af2bb0822b699c058858773792c1e969c425c396837f61009f30c9ee5ba4b9a8ca87b0779ae1622f89fb3
-  languageName: node
-  linkType: hard
-
-"babel-helper-remap-async-to-generator@npm:^6.24.1":
-  version: 6.24.1
-  resolution: "babel-helper-remap-async-to-generator@npm:6.24.1"
-  dependencies:
-    babel-helper-function-name: ^6.24.1
-    babel-runtime: ^6.22.0
-    babel-template: ^6.24.1
-    babel-traverse: ^6.24.1
-    babel-types: ^6.24.1
-  checksum: f330943104b61e7f9248d222bd5fe5d3238904ee20643b76197571e14a724723d64a8096b292a60f64788f0efe30176882c376eeebde00657925678e304324f0
-  languageName: node
-  linkType: hard
-
-"babel-helper-replace-supers@npm:^6.24.1":
-  version: 6.24.1
-  resolution: "babel-helper-replace-supers@npm:6.24.1"
-  dependencies:
-    babel-helper-optimise-call-expression: ^6.24.1
-    babel-messages: ^6.23.0
-    babel-runtime: ^6.22.0
-    babel-template: ^6.24.1
-    babel-traverse: ^6.24.1
-    babel-types: ^6.24.1
-  checksum: ca1d216c5c6afc6af2ef55ea16777ba99e108780ea25da61d93edb09fd85f5e96c756306e2a21e737c3b0c7a16c99762b62a0e5f529d3865b14029fef7351cba
-  languageName: node
-  linkType: hard
-
-"babel-helpers@npm:^6.24.1":
-  version: 6.24.1
-  resolution: "babel-helpers@npm:6.24.1"
-  dependencies:
-    babel-runtime: ^6.22.0
-    babel-template: ^6.24.1
-  checksum: 751c6010e18648eebae422adfea5f3b5eff70d592d693bfe0f53346227d74b38e6cd2553c4c18de1e64faac585de490eccbd3ab86ba0885bdac42ed4478bc6b0
-  languageName: node
-  linkType: hard
-
-"babel-import-util@npm:^0.2.0":
-  version: 0.2.0
-  resolution: "babel-import-util@npm:0.2.0"
-  checksum: 32a71d1de47cfbf99dba552e87c11798ef6116643f24429a654b09cb7d365db0dd5bbfe318eb1b63f0c9eae3a4a0c2aefd9c1e21f2b21f1e24ad703693429f95
-  languageName: node
-  linkType: hard
-
-"babel-import-util@npm:^1.1.0":
-  version: 1.1.0
-  resolution: "babel-import-util@npm:1.1.0"
-  checksum: d4e965a18ebeee78cd69f1735ab10b64e693b5d837cd887c7ce9f03756d55a49a9f434e29077eafc5bb1f15589dad5ceb1efece78a750d4fc2f0451d5a69da9d
-  languageName: node
-  linkType: hard
-
-"babel-import-util@npm:^1.2.2":
-  version: 1.4.1
-  resolution: "babel-import-util@npm:1.4.1"
-  checksum: a7f43a10141f62f05c0b4b3c80ee31f5f362d5f7a7d614fcef836f3eca2ec3ae0a732f8550674542d1821e87c3fd3d986fea94ed12e2a283a1571b6d1249380a
-  languageName: node
-  linkType: hard
-
-"babel-import-util@npm:^1.3.0":
-  version: 1.3.0
-  resolution: "babel-import-util@npm:1.3.0"
-  checksum: 41c6b4276ceefd2263f59be97a99bf8d948899c76587b273d115e91fa9067b0d9cc80ba727a795732052e078c30a3665649c725aed966826bf7c0a258a5fcf03
-  languageName: node
-  linkType: hard
-
-"babel-import-util@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "babel-import-util@npm:2.0.0"
-  checksum: 8d9f62dcf522634ac340fb1380f45382d782f7202c98f7b0a6ad9e1aba50edef1f31f1e61e487953e35bcda98759aed7236398a9bb9798b68b6def697925293d
-  languageName: node
-  linkType: hard
-
-"babel-loader@npm:^8.0.6":
-  version: 8.2.2
-  resolution: "babel-loader@npm:8.2.2"
-  dependencies:
-    find-cache-dir: ^3.3.1
-    loader-utils: ^1.4.0
-    make-dir: ^3.1.0
-    schema-utils: ^2.6.5
-  peerDependencies:
-    "@babel/core": ^7.0.0
-    webpack: ">=2"
-  checksum: df5092ef9886bb49aacb7c58ac40ed0681ced031c8d91e49d680cedace2aa1703390a31fbe7c0e409f739836e911c5c991119133d90d9289f681c0a8ff2447a1
-  languageName: node
-  linkType: hard
-
-"babel-messages@npm:^6.23.0":
-  version: 6.23.0
-  resolution: "babel-messages@npm:6.23.0"
-  dependencies:
-    babel-runtime: ^6.22.0
-  checksum: c8075c17587a33869e1a5bd0a5b73bbe395b68188362dacd5418debbc7c8fd784bcd3295e81ee7e410dc2c2655755add6af03698c522209f6a68334c15e6d6ca
-  languageName: node
-  linkType: hard
-
-"babel-plugin-check-es2015-constants@npm:^6.22.0":
-  version: 6.22.0
-  resolution: "babel-plugin-check-es2015-constants@npm:6.22.0"
-  dependencies:
-    babel-runtime: ^6.22.0
-  checksum: 39168cb4ff078911726bfaf9d111d1e18f3e99d8b6f6101d343249b28346c3869e415c97fe7e857e7f34b913f8a052634b2b9dcfb4c0272e5f64ed22df69c735
-  languageName: node
-  linkType: hard
-
-"babel-plugin-compact-reexports@npm:^1.1.0":
-  version: 1.1.0
-  resolution: "babel-plugin-compact-reexports@npm:1.1.0"
-  checksum: b2e56896a53a010f96f90f3e13d8bb5485bbe8ebc7203d01d1360ec1a5e374f7bffe9c02a244d946ebff384611533e0b349c93f5da4c1a9c08b9e676fc76b22f
-  languageName: node
-  linkType: hard
-
-"babel-plugin-debug-macros@npm:^0.2.0, babel-plugin-debug-macros@npm:^0.2.0-beta.6":
-  version: 0.2.0
-  resolution: "babel-plugin-debug-macros@npm:0.2.0"
-  dependencies:
-    semver: ^5.3.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-beta.42
-  checksum: 6ea36c7893940df58f08f9d0c72d2e02cf77a763084572d6f6c1291c462108af318eaa737549f96ba332b624efe0cdab6fcb49afa6466388012dbecd749f713c
-  languageName: node
-  linkType: hard
-
-"babel-plugin-debug-macros@npm:^0.3.4":
-  version: 0.3.4
-  resolution: "babel-plugin-debug-macros@npm:0.3.4"
-  dependencies:
-    semver: ^5.3.0
-  peerDependencies:
-    "@babel/core": ^7.0.0
-  checksum: 77762b945a4d4a24d973b659938e4ff9fe485f08c4ad5c8459f184669d946f5883870a6f05a39f09773bcd0923162dcad5fbf8773cf38b3176d71ca415e9e869
-  languageName: node
-  linkType: hard
-
-"babel-plugin-dynamic-import-node@npm:^2.3.3":
-  version: 2.3.3
-  resolution: "babel-plugin-dynamic-import-node@npm:2.3.3"
-  dependencies:
-    object.assign: ^4.1.0
-  checksum: c9d24415bcc608d0db7d4c8540d8002ac2f94e2573d2eadced137a29d9eab7e25d2cbb4bc6b9db65cf6ee7430f7dd011d19c911a9a778f0533b4a05ce8292c9b
-  languageName: node
-  linkType: hard
-
-"babel-plugin-ember-data-packages-polyfill@npm:^0.1.2":
-  version: 0.1.2
-  resolution: "babel-plugin-ember-data-packages-polyfill@npm:0.1.2"
-  dependencies:
-    "@ember-data/rfc395-data": ^0.0.4
-  checksum: c61f9d70898db94feefea7a8cc958c52015fc23b17957eac2f360324b32b4d5b36aa7c2725102b44ee592e1e16b35fd8ee6cdfa949ffc0b11686387251226190
-  languageName: node
-  linkType: hard
-
-"babel-plugin-ember-modules-api-polyfill@npm:^2.6.0":
-  version: 2.13.4
-  resolution: "babel-plugin-ember-modules-api-polyfill@npm:2.13.4"
-  dependencies:
-    ember-rfc176-data: ^0.3.13
-  checksum: 6d647183bc4ab14a7eb80361970fc0050c320af865ca88921e8e1406b2be13ccd318805e9e59c3b3485abe89f1ce34e1ef530e5a78880747103409cc48b3abc0
-  languageName: node
-  linkType: hard
-
-"babel-plugin-ember-modules-api-polyfill@npm:^3.5.0":
-  version: 3.5.0
-  resolution: "babel-plugin-ember-modules-api-polyfill@npm:3.5.0"
-  dependencies:
-    ember-rfc176-data: ^0.3.17
-  checksum: 70a4926fe9c9a6553b877ecf09cd6a077e3c73ac13b5e269fee116c7dcaceaff28b317a7b68c16a9cb6d0470079fbbb3265c2cf755061341c9ccbde28c58d684
-  languageName: node
-  linkType: hard
-
-"babel-plugin-ember-template-compilation@npm:^1.0.0":
-  version: 1.0.1
-  resolution: "babel-plugin-ember-template-compilation@npm:1.0.1"
-  dependencies:
-    babel-import-util: ^0.2.0
-    line-column: ^1.0.2
-    magic-string: ^0.25.7
-    string.prototype.matchall: ^4.0.5
-  checksum: 4eeb31754025fb4b88413028b3d71aa1e50e10cf873c939a314b694a51f5c2771476db6270c5e4cf1863f5ae9d94b696b3c692747ff691078437170a65f2f9ea
-  languageName: node
-  linkType: hard
-
-"babel-plugin-ember-template-compilation@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "babel-plugin-ember-template-compilation@npm:2.0.0"
-  dependencies:
-    babel-import-util: ^1.3.0
-  checksum: 8abe8d6b3f20574ef824a1b6d04694892dae85055ff7aa370a183b383c9322ace64c1bbc4b9ccd54d8b8507e3bd673df10e9f1331ed2d7f23d8f719943f23660
-  languageName: node
-  linkType: hard
-
-"babel-plugin-ember-template-compilation@npm:^2.0.1":
-  version: 2.1.1
-  resolution: "babel-plugin-ember-template-compilation@npm:2.1.1"
-  dependencies:
-    "@glimmer/syntax": ^0.84.3
-    babel-import-util: ^2.0.0
-  checksum: 68ee924151b2081472690fcb6178b884af350b97584431a8648cfff69bf267a0923b3f1575ca265c822355e2aa4bb99b0c3500a98bef54f2fc0b67509215eb5b
-  languageName: node
-  linkType: hard
-
-"babel-plugin-filter-imports@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "babel-plugin-filter-imports@npm:4.0.0"
-  dependencies:
-    "@babel/types": ^7.7.2
-    lodash: ^4.17.15
-  checksum: 757522ac26c3f9f957a1c94c7eaca7abc2c493072b17f8af713589a2b56e1b8321d9c26ca5d0f1060e7be22f55c89a09bde771f8708f0f672d240eb2640fd9d1
-  languageName: node
-  linkType: hard
-
-"babel-plugin-htmlbars-inline-precompile@npm:^3.2.0":
-  version: 3.2.0
-  resolution: "babel-plugin-htmlbars-inline-precompile@npm:3.2.0"
-  checksum: 87793c975af74fd02cabc3a652a0694c15389bc24a1eecd4f2e78b6094be194a6d6e220f0a0489561ea123c052be86544ad96839bf7d78fb6867ffb16dc42ca0
-  languageName: node
-  linkType: hard
-
-"babel-plugin-htmlbars-inline-precompile@npm:^5.0.0, babel-plugin-htmlbars-inline-precompile@npm:^5.2.1, babel-plugin-htmlbars-inline-precompile@npm:^5.3.0":
-  version: 5.3.1
-  resolution: "babel-plugin-htmlbars-inline-precompile@npm:5.3.1"
-  dependencies:
-    babel-plugin-ember-modules-api-polyfill: ^3.5.0
-    line-column: ^1.0.2
-    magic-string: ^0.25.7
-    parse-static-imports: ^1.1.0
-    string.prototype.matchall: ^4.0.5
-  checksum: 8c486d44037b9d87628f15823d93fdf03bf532f9456bb7012de0d6e3791b5fdc61a339400a71acd517d30d57e9812fa6fea83a3185447aac16d05054bf669de0
-  languageName: node
-  linkType: hard
-
-"babel-plugin-inline-json-import@npm:^0.3.2":
-  version: 0.3.2
-  resolution: "babel-plugin-inline-json-import@npm:0.3.2"
-  dependencies:
-    decache: ^4.5.1
-  checksum: cf0cf9802a01e506e4aab44202ce01b8277da22503a2c0f4d60f3cf924f0900bb9e9b3782bffb90a8a25193af923484a5b115e68f6c94a5c5e4c9e058d868394
-  languageName: node
-  linkType: hard
-
-"babel-plugin-module-resolver@npm:^3.2.0":
-  version: 3.2.0
-  resolution: "babel-plugin-module-resolver@npm:3.2.0"
-  dependencies:
-    find-babel-config: ^1.1.0
-    glob: ^7.1.2
-    pkg-up: ^2.0.0
-    reselect: ^3.0.1
-    resolve: ^1.4.0
-  checksum: ef4f7fdb6db97b8c5d7f70b85f54876a1bead35ee360b85a4153d02ce32eba4571afcc71ae11d43b2b6d4c5eeae865fc2127012f9534cfab07f998e2692671e5
-  languageName: node
-  linkType: hard
-
-"babel-plugin-module-resolver@npm:^4.1.0":
-  version: 4.1.0
-  resolution: "babel-plugin-module-resolver@npm:4.1.0"
-  dependencies:
-    find-babel-config: ^1.2.0
-    glob: ^7.1.6
-    pkg-up: ^3.1.0
-    reselect: ^4.0.0
-    resolve: ^1.13.1
-  checksum: 3907fba21ca3c66a081e01fbd16bb09c84781749db16aa57805becc376bb5ee8dc373d4b209613e1453d30ea6c836d13073e9e7b6d239ff1806dd1763a9ab18f
-  languageName: node
-  linkType: hard
-
-"babel-plugin-polyfill-corejs2@npm:^0.2.0":
-  version: 0.2.3
-  resolution: "babel-plugin-polyfill-corejs2@npm:0.2.3"
-  dependencies:
-    "@babel/compat-data": ^7.13.11
-    "@babel/helper-define-polyfill-provider": ^0.2.4
-    semver: ^6.1.1
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: a379fdb5aa046fb96516796afb50888bd22de1590fbdaed15c613910f3208500e705dd2a605fb30c0bb8b3191ee9ba9c10b3f46121e0507bf396186941056090
-  languageName: node
-  linkType: hard
-
-"babel-plugin-polyfill-corejs2@npm:^0.3.0":
-  version: 0.3.0
-  resolution: "babel-plugin-polyfill-corejs2@npm:0.3.0"
-  dependencies:
-    "@babel/compat-data": ^7.13.11
-    "@babel/helper-define-polyfill-provider": ^0.3.0
-    semver: ^6.1.1
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: ffede597982066221291fe7c48ec1f1dda2b4ed3ee3e715436320697f35368223e1275bf095769d0b0c1115b90031dc525dd81b8ee9f6c8972cf1d2e10ad2b7d
-  languageName: node
-  linkType: hard
-
-"babel-plugin-polyfill-corejs3@npm:^0.2.0":
-  version: 0.2.5
-  resolution: "babel-plugin-polyfill-corejs3@npm:0.2.5"
-  dependencies:
-    "@babel/helper-define-polyfill-provider": ^0.2.2
-    core-js-compat: ^3.16.2
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 7d464001f6cecc6b85aef71307e3ef17980b15aae4b2ae75d38a3fc3166005f6354932f9c694566970a3fb428f8fbc44f94c46e055a5a85b7fe8820ca16f85b6
-  languageName: node
-  linkType: hard
-
-"babel-plugin-polyfill-corejs3@npm:^0.4.0":
-  version: 0.4.0
-  resolution: "babel-plugin-polyfill-corejs3@npm:0.4.0"
-  dependencies:
-    "@babel/helper-define-polyfill-provider": ^0.3.0
-    core-js-compat: ^3.18.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 18dce9a09a608b4844bce468a1d7b3abfc8a2a4c0df317ad6eb5951c0c95f3d1cc99699d8e67642cdd629f5074499d481481ae5e203ce85b8ed73e8295e25da8
-  languageName: node
-  linkType: hard
-
-"babel-plugin-polyfill-corejs3@npm:^0.5.0":
-  version: 0.5.2
-  resolution: "babel-plugin-polyfill-corejs3@npm:0.5.2"
-  dependencies:
-    "@babel/helper-define-polyfill-provider": ^0.3.1
-    core-js-compat: ^3.21.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 2f3184c73f80f00ac876a5ebcad945fd8d2ae70e5f85b7ab6cc3bc69bc74025f4f7070de7abbb2a7274c78e130bd34fc13f4c85342da28205930364a1ef0aa21
-  languageName: node
-  linkType: hard
-
-"babel-plugin-polyfill-regenerator@npm:^0.2.0":
-  version: 0.2.3
-  resolution: "babel-plugin-polyfill-regenerator@npm:0.2.3"
-  dependencies:
-    "@babel/helper-define-polyfill-provider": ^0.2.4
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: 81be5914f241d785abdfa3b5fc9005792b1b675e3e0a48bbc12db25b49e965985a500fc2008c8026ec7625a757d6d43aa44a75369fece1a413bd9863369e5a9c
-  languageName: node
-  linkType: hard
-
-"babel-plugin-polyfill-regenerator@npm:^0.3.0":
-  version: 0.3.0
-  resolution: "babel-plugin-polyfill-regenerator@npm:0.3.0"
-  dependencies:
-    "@babel/helper-define-polyfill-provider": ^0.3.0
-  peerDependencies:
-    "@babel/core": ^7.0.0-0
-  checksum: ecca4389fd557554efc6de834f84f7c85e83c348d5283de2032d35429bc7121ed6f336553d3d704021f9bef22fca339fbee560d3b0fb8bb1d4eca2fecaaeebcb
-  languageName: node
-  linkType: hard
-
-"babel-plugin-syntax-async-functions@npm:^6.8.0":
-  version: 6.13.0
-  resolution: "babel-plugin-syntax-async-functions@npm:6.13.0"
-  checksum: e982d9756869fa83eb6a4502490a90b0d31e8a41e2ee582045934f022ac8ff5fa6a3386366976fab3a391d5a7ab8ea5f9da623f35ed8ab328b8ab6d9b2feb1d3
-  languageName: node
-  linkType: hard
-
-"babel-plugin-syntax-dynamic-import@npm:^6.18.0":
-  version: 6.18.0
-  resolution: "babel-plugin-syntax-dynamic-import@npm:6.18.0"
-  checksum: 0a7a98ecb63878d65d4fd35e5435b0a7ad8e5c43b394389ce82298733c7a5d95c4373f1dd68566694214dad64abd0fec1e4eb7ee9ca7d1ee06d502e630d61600
-  languageName: node
-  linkType: hard
-
-"babel-plugin-syntax-exponentiation-operator@npm:^6.8.0":
-  version: 6.13.0
-  resolution: "babel-plugin-syntax-exponentiation-operator@npm:6.13.0"
-  checksum: cbcb3aeae7005240325f72d55c3c90575033123e8a1ddfa6bf9eac4ee7e246c2a23f5b5ab1144879590d947a3ed1d88838169d125e5d7c4f53678526482b020e
-  languageName: node
-  linkType: hard
-
-"babel-plugin-syntax-trailing-function-commas@npm:^6.22.0":
-  version: 6.22.0
-  resolution: "babel-plugin-syntax-trailing-function-commas@npm:6.22.0"
-  checksum: d8b9039ded835bb128e8e14eeeb6e0ac2a876b85250924bdc3a8dc2a6984d3bfade4de04d40fb15ea04a86d561ac280ae0d7306d7d4ef7a8c52c43b6a23909c6
-  languageName: node
-  linkType: hard
-
-"babel-plugin-transform-async-to-generator@npm:^6.22.0":
-  version: 6.24.1
-  resolution: "babel-plugin-transform-async-to-generator@npm:6.24.1"
-  dependencies:
-    babel-helper-remap-async-to-generator: ^6.24.1
-    babel-plugin-syntax-async-functions: ^6.8.0
-    babel-runtime: ^6.22.0
-  checksum: ffe8b4b2ed6db1f413ede385bd1a36f39e02a64ed79ce02779440049af75215c98f8debdc70eb01430bfd889f792682b0136576fe966f7f9e1b30e2a54695a8d
-  languageName: node
-  linkType: hard
-
-"babel-plugin-transform-es2015-arrow-functions@npm:^6.22.0":
-  version: 6.22.0
-  resolution: "babel-plugin-transform-es2015-arrow-functions@npm:6.22.0"
-  dependencies:
-    babel-runtime: ^6.22.0
-  checksum: 746e2be0fed20771c07f0984ba79ef0bab37d6e98434267ec96cef57272014fe53a180bfb9047bf69ed149d367a2c97baad54d6057531cd037684f371aab2333
-  languageName: node
-  linkType: hard
-
-"babel-plugin-transform-es2015-block-scoped-functions@npm:^6.22.0":
-  version: 6.22.0
-  resolution: "babel-plugin-transform-es2015-block-scoped-functions@npm:6.22.0"
-  dependencies:
-    babel-runtime: ^6.22.0
-  checksum: f251611f723d94b4068d2a873a2783e019bd81bd7144cfdbcfc31ef166f4d82fa2f1efba64342ba2630dab93a2b12284067725c0aa08315712419a2bc3b92a75
-  languageName: node
-  linkType: hard
-
-"babel-plugin-transform-es2015-block-scoping@npm:^6.23.0":
-  version: 6.26.0
-  resolution: "babel-plugin-transform-es2015-block-scoping@npm:6.26.0"
-  dependencies:
-    babel-runtime: ^6.26.0
-    babel-template: ^6.26.0
-    babel-traverse: ^6.26.0
-    babel-types: ^6.26.0
-    lodash: ^4.17.4
-  checksum: 5e4dee33bf4aab0ce7751a9ae845c25d3bf03944ffdfc8d784e1de2123a3eec19657dd59274c9969461757f5e2ab75c517e978bafe5309a821a41e278ad38a63
-  languageName: node
-  linkType: hard
-
-"babel-plugin-transform-es2015-classes@npm:^6.23.0":
-  version: 6.24.1
-  resolution: "babel-plugin-transform-es2015-classes@npm:6.24.1"
-  dependencies:
-    babel-helper-define-map: ^6.24.1
-    babel-helper-function-name: ^6.24.1
-    babel-helper-optimise-call-expression: ^6.24.1
-    babel-helper-replace-supers: ^6.24.1
-    babel-messages: ^6.23.0
-    babel-runtime: ^6.22.0
-    babel-template: ^6.24.1
-    babel-traverse: ^6.24.1
-    babel-types: ^6.24.1
-  checksum: 999392b47a83cf9297e49fbde00bc9b15fb6d71bc041f7b3d621ac45361486ec4b66f55c47f98dca6c398ceaa8bfc9f3c21257854822c4523e7475a92e6c000a
-  languageName: node
-  linkType: hard
-
-"babel-plugin-transform-es2015-computed-properties@npm:^6.22.0":
-  version: 6.24.1
-  resolution: "babel-plugin-transform-es2015-computed-properties@npm:6.24.1"
-  dependencies:
-    babel-runtime: ^6.22.0
-    babel-template: ^6.24.1
-  checksum: 34e466bfd4b021aa3861db66cf10a9093fa6a4fcedbc8c82a55f6ca1fcbd212a9967f2df6c5f9e9a20046fa43c8967633a476f2bbc15cb8d3769cbba948a5c16
-  languageName: node
-  linkType: hard
-
-"babel-plugin-transform-es2015-destructuring@npm:^6.23.0":
-  version: 6.23.0
-  resolution: "babel-plugin-transform-es2015-destructuring@npm:6.23.0"
-  dependencies:
-    babel-runtime: ^6.22.0
-  checksum: 1343d27f09846e6e1e48da7b83d0d4f2d5571559c468ad8ad4c3715b8ff3e21b2d553e90ad420dc6840de260b7f3b9f9c057606d527e3d838a52a3a7c5fffdbe
-  languageName: node
-  linkType: hard
-
-"babel-plugin-transform-es2015-duplicate-keys@npm:^6.22.0":
-  version: 6.24.1
-  resolution: "babel-plugin-transform-es2015-duplicate-keys@npm:6.24.1"
-  dependencies:
-    babel-runtime: ^6.22.0
-    babel-types: ^6.24.1
-  checksum: 756a7a13517c3e80c8312137b9872b9bc32fbfbb905e9f1e45bf321e2b464d0e6a6e6deca22c61b62377225bd8136b73580897cccb394995d6e00bc8ce882ba4
-  languageName: node
-  linkType: hard
-
-"babel-plugin-transform-es2015-for-of@npm:^6.23.0":
-  version: 6.23.0
-  resolution: "babel-plugin-transform-es2015-for-of@npm:6.23.0"
-  dependencies:
-    babel-runtime: ^6.22.0
-  checksum: 0124e320c32b25de84ddaba951a6f0ad031fa5019de54de32bd317d2a97b3f967026008f32e8c88728330c1cce7c4f1d0ecb15007020d50bd5ca1438a882e205
-  languageName: node
-  linkType: hard
-
-"babel-plugin-transform-es2015-function-name@npm:^6.22.0":
-  version: 6.24.1
-  resolution: "babel-plugin-transform-es2015-function-name@npm:6.24.1"
-  dependencies:
-    babel-helper-function-name: ^6.24.1
-    babel-runtime: ^6.22.0
-    babel-types: ^6.24.1
-  checksum: 629ecd824d53ec973a3ef85e74d9fd8c710203084ca2f7ac833879ddfa3b83a28f0270fe2ee5f3b8c078bb4b3e4b843173a646a7cd4abc49e8c1c563d31fb711
-  languageName: node
-  linkType: hard
-
-"babel-plugin-transform-es2015-literals@npm:^6.22.0":
-  version: 6.22.0
-  resolution: "babel-plugin-transform-es2015-literals@npm:6.22.0"
-  dependencies:
-    babel-runtime: ^6.22.0
-  checksum: 40e270580a0236990f2555f5dc7ae24b4db9f4709ca455ed1a6724b0078592482274be7448579b14122bd06481641a38e7b2e48d0b49b8c81c88e154a26865b4
-  languageName: node
-  linkType: hard
-
-"babel-plugin-transform-es2015-modules-amd@npm:^6.22.0, babel-plugin-transform-es2015-modules-amd@npm:^6.24.0, babel-plugin-transform-es2015-modules-amd@npm:^6.24.1":
-  version: 6.24.1
-  resolution: "babel-plugin-transform-es2015-modules-amd@npm:6.24.1"
-  dependencies:
-    babel-plugin-transform-es2015-modules-commonjs: ^6.24.1
-    babel-runtime: ^6.22.0
-    babel-template: ^6.24.1
-  checksum: 084c7a1ef3bd0b2b9f4851b27cfb65f8ea1408349af05b4d88f994c23844a0754abfa4799bbc5f3f0ec94232b3a54a2e46d7f1dff1bdd40fa66a46f645197dfa
-  languageName: node
-  linkType: hard
-
-"babel-plugin-transform-es2015-modules-commonjs@npm:^6.23.0, babel-plugin-transform-es2015-modules-commonjs@npm:^6.24.1":
-  version: 6.26.2
-  resolution: "babel-plugin-transform-es2015-modules-commonjs@npm:6.26.2"
-  dependencies:
-    babel-plugin-transform-strict-mode: ^6.24.1
-    babel-runtime: ^6.26.0
-    babel-template: ^6.26.0
-    babel-types: ^6.26.0
-  checksum: 9cd93a84037855c1879bcc100229bee25b44c4805a9a9f040e8927f772c4732fa17a0706c81ea0db77b357dd9baf84388eec03ceb36597932c48fe32fb3d4171
-  languageName: node
-  linkType: hard
-
-"babel-plugin-transform-es2015-modules-systemjs@npm:^6.23.0":
-  version: 6.24.1
-  resolution: "babel-plugin-transform-es2015-modules-systemjs@npm:6.24.1"
-  dependencies:
-    babel-helper-hoist-variables: ^6.24.1
-    babel-runtime: ^6.22.0
-    babel-template: ^6.24.1
-  checksum: b34877e201d7b4d293d87c04962a3575fe7727a9593e99ce3a7f8deea3da8883a08bd87a6a12927083ac26f47f6944a31cdbfe3d6eb4d18dd884cb2d304ee943
-  languageName: node
-  linkType: hard
-
-"babel-plugin-transform-es2015-modules-umd@npm:^6.23.0":
-  version: 6.24.1
-  resolution: "babel-plugin-transform-es2015-modules-umd@npm:6.24.1"
-  dependencies:
-    babel-plugin-transform-es2015-modules-amd: ^6.24.1
-    babel-runtime: ^6.22.0
-    babel-template: ^6.24.1
-  checksum: 735857b9f2ad0c41ceda31a1594fe2a063025f4428f9e243885a437b5bd415aca445a5e8495ff34b7120617735b1c3a2158033f0be23f1f5a90e655fff742a01
-  languageName: node
-  linkType: hard
-
-"babel-plugin-transform-es2015-object-super@npm:^6.22.0":
-  version: 6.24.1
-  resolution: "babel-plugin-transform-es2015-object-super@npm:6.24.1"
-  dependencies:
-    babel-helper-replace-supers: ^6.24.1
-    babel-runtime: ^6.22.0
-  checksum: 97b2968f699ac94cb55f4f1e7ea53dc9e4264ec99cab826f40f181da9f6db5980cd8b4985f05c7b6f1e19fbc31681e6e63894dfc5ecf4b3a673d736c4ef0f9db
-  languageName: node
-  linkType: hard
-
-"babel-plugin-transform-es2015-parameters@npm:^6.23.0":
-  version: 6.24.1
-  resolution: "babel-plugin-transform-es2015-parameters@npm:6.24.1"
-  dependencies:
-    babel-helper-call-delegate: ^6.24.1
-    babel-helper-get-function-arity: ^6.24.1
-    babel-runtime: ^6.22.0
-    babel-template: ^6.24.1
-    babel-traverse: ^6.24.1
-    babel-types: ^6.24.1
-  checksum: bb6c047dc10499be8ccebdffac22c77f14aee5d3106da8f2e96c801d2746403c809d8c6922e8ebd2eb31d8827b4bb2321ba43378fcdc9dca206417bb345c4f93
-  languageName: node
-  linkType: hard
-
-"babel-plugin-transform-es2015-shorthand-properties@npm:^6.22.0":
-  version: 6.24.1
-  resolution: "babel-plugin-transform-es2015-shorthand-properties@npm:6.24.1"
-  dependencies:
-    babel-runtime: ^6.22.0
-    babel-types: ^6.24.1
-  checksum: 9302c5de158a28432e932501a783560094c624c3659f4e0a472b6b2e9d6e8ab2634f82ef74d3e75363d46ccff6aad119267dbc34f67464c70625e24a651ad9e5
-  languageName: node
-  linkType: hard
-
-"babel-plugin-transform-es2015-spread@npm:^6.22.0":
-  version: 6.22.0
-  resolution: "babel-plugin-transform-es2015-spread@npm:6.22.0"
-  dependencies:
-    babel-runtime: ^6.22.0
-  checksum: 8694a8a7802d905503194ab81c155354b36d39fc819ad2148f83146518dd37d2c6926c8568712f5aa890169afc9353fd4bcc49397959c6dc9da3480b449c0ae9
-  languageName: node
-  linkType: hard
-
-"babel-plugin-transform-es2015-sticky-regex@npm:^6.22.0":
-  version: 6.24.1
-  resolution: "babel-plugin-transform-es2015-sticky-regex@npm:6.24.1"
-  dependencies:
-    babel-helper-regex: ^6.24.1
-    babel-runtime: ^6.22.0
-    babel-types: ^6.24.1
-  checksum: d9c45401caf0d74779a1170e886976d4c865b7de2e90dfffc7557481b9e73b6e37e9f1028aa07b813896c4df88f4d7e89968249a74547c7875e6c499c90c801d
-  languageName: node
-  linkType: hard
-
-"babel-plugin-transform-es2015-template-literals@npm:^6.22.0":
-  version: 6.22.0
-  resolution: "babel-plugin-transform-es2015-template-literals@npm:6.22.0"
-  dependencies:
-    babel-runtime: ^6.22.0
-  checksum: 4fad2b7b383a2e784858ee7bf837419ee8ff9602afe218e1472f8c33a0c008f01d06f23ff2f2322fb23e1ed17e37237a818575fe88ecc5417d85331973b0ea4d
-  languageName: node
-  linkType: hard
-
-"babel-plugin-transform-es2015-typeof-symbol@npm:^6.23.0":
-  version: 6.23.0
-  resolution: "babel-plugin-transform-es2015-typeof-symbol@npm:6.23.0"
-  dependencies:
-    babel-runtime: ^6.22.0
-  checksum: 68a1609c6abcddf5f138c56bafcd9fad7c6b3b404fe40910148ab70eb21d6c7807a343a64eb81ce45daf4b70c384c528c55fad45e0d581e4b09efa4d574a6a1b
-  languageName: node
-  linkType: hard
-
-"babel-plugin-transform-es2015-unicode-regex@npm:^6.22.0":
-  version: 6.24.1
-  resolution: "babel-plugin-transform-es2015-unicode-regex@npm:6.24.1"
-  dependencies:
-    babel-helper-regex: ^6.24.1
-    babel-runtime: ^6.22.0
-    regexpu-core: ^2.0.0
-  checksum: 739ddb02e5f77904f83ea45323c9a636e3aed34b2a49c7c68208b5f2834eecb6b655e772f870f16a7aaf09ac8219f754ad69d61741d088f5b681d13cda69265d
-  languageName: node
-  linkType: hard
-
-"babel-plugin-transform-exponentiation-operator@npm:^6.22.0":
-  version: 6.24.1
-  resolution: "babel-plugin-transform-exponentiation-operator@npm:6.24.1"
-  dependencies:
-    babel-helper-builder-binary-assignment-operator-visitor: ^6.24.1
-    babel-plugin-syntax-exponentiation-operator: ^6.8.0
-    babel-runtime: ^6.22.0
-  checksum: 533ad53ba2cd6ff3c0f751563e1beea429c620038dc2efeeb8348ab4752ebcc95d1521857abfd08047400f1921b2d4df5e0cd266e65ddbe4c3edc58b9ad6fd3c
-  languageName: node
-  linkType: hard
-
-"babel-plugin-transform-regenerator@npm:^6.22.0":
-  version: 6.26.0
-  resolution: "babel-plugin-transform-regenerator@npm:6.26.0"
-  dependencies:
-    regenerator-transform: ^0.10.0
-  checksum: 41a51d8f692bf4a5cbd705fa70f3cb6abebae66d9ba3dccfb5921da262f8c30f630e1fe9f7b132e29b96fe0d99385a801f6aa204278c5bd0af4284f7f93a665a
-  languageName: node
-  linkType: hard
-
-"babel-plugin-transform-strict-mode@npm:^6.24.1":
-  version: 6.24.1
-  resolution: "babel-plugin-transform-strict-mode@npm:6.24.1"
-  dependencies:
-    babel-runtime: ^6.22.0
-    babel-types: ^6.24.1
-  checksum: 32d70ce9d8c8918a6a840e46df03dfe1e265eb9b25df5a800fedb5065ef1b4b5f24d7c62d92fca0e374db8b0b9b6f84e68edd02ad21883d48f608583ec29f638
-  languageName: node
-  linkType: hard
-
-"babel-polyfill@npm:^6.26.0":
-  version: 6.26.0
-  resolution: "babel-polyfill@npm:6.26.0"
-  dependencies:
-    babel-runtime: ^6.26.0
-    core-js: ^2.5.0
-    regenerator-runtime: ^0.10.5
-  checksum: 6fb1a3c0bfe1b6fc56ce1afcf531878aa629b309277a05fbf3fe950589b24cb4052a6e487db21d318eb5336b68730a21f5ef62166b6cc8aea3406261054d1118
-  languageName: node
-  linkType: hard
-
-"babel-preset-env@npm:^1.7.0":
-  version: 1.7.0
-  resolution: "babel-preset-env@npm:1.7.0"
-  dependencies:
-    babel-plugin-check-es2015-constants: ^6.22.0
-    babel-plugin-syntax-trailing-function-commas: ^6.22.0
-    babel-plugin-transform-async-to-generator: ^6.22.0
-    babel-plugin-transform-es2015-arrow-functions: ^6.22.0
-    babel-plugin-transform-es2015-block-scoped-functions: ^6.22.0
-    babel-plugin-transform-es2015-block-scoping: ^6.23.0
-    babel-plugin-transform-es2015-classes: ^6.23.0
-    babel-plugin-transform-es2015-computed-properties: ^6.22.0
-    babel-plugin-transform-es2015-destructuring: ^6.23.0
-    babel-plugin-transform-es2015-duplicate-keys: ^6.22.0
-    babel-plugin-transform-es2015-for-of: ^6.23.0
-    babel-plugin-transform-es2015-function-name: ^6.22.0
-    babel-plugin-transform-es2015-literals: ^6.22.0
-    babel-plugin-transform-es2015-modules-amd: ^6.22.0
-    babel-plugin-transform-es2015-modules-commonjs: ^6.23.0
-    babel-plugin-transform-es2015-modules-systemjs: ^6.23.0
-    babel-plugin-transform-es2015-modules-umd: ^6.23.0
-    babel-plugin-transform-es2015-object-super: ^6.22.0
-    babel-plugin-transform-es2015-parameters: ^6.23.0
-    babel-plugin-transform-es2015-shorthand-properties: ^6.22.0
-    babel-plugin-transform-es2015-spread: ^6.22.0
-    babel-plugin-transform-es2015-sticky-regex: ^6.22.0
-    babel-plugin-transform-es2015-template-literals: ^6.22.0
-    babel-plugin-transform-es2015-typeof-symbol: ^6.23.0
-    babel-plugin-transform-es2015-unicode-regex: ^6.22.0
-    babel-plugin-transform-exponentiation-operator: ^6.22.0
-    babel-plugin-transform-regenerator: ^6.22.0
-    browserslist: ^3.2.6
-    invariant: ^2.2.2
-    semver: ^5.3.0
-  checksum: 6e459a6c76086a2a377707680148b94c3d0aba425b039b427ca01171ebada7f5db5d336b309548462f6ba015e13176a4724f912875c15084d4aa88d77020d185
-  languageName: node
-  linkType: hard
-
-"babel-register@npm:^6.26.0":
-  version: 6.26.0
-  resolution: "babel-register@npm:6.26.0"
-  dependencies:
-    babel-core: ^6.26.0
-    babel-runtime: ^6.26.0
-    core-js: ^2.5.0
-    home-or-tmp: ^2.0.0
-    lodash: ^4.17.4
-    mkdirp: ^0.5.1
-    source-map-support: ^0.4.15
-  checksum: 75d5fe060e4850dbdbd5f56db2928cd0b6b6c93a65ba5f2a991465af4dc3f4adf46d575138f228b2169b1e25e3b4a7cdd16515a355fea41b873321bf56467583
-  languageName: node
-  linkType: hard
-
-"babel-runtime@npm:^6.18.0, babel-runtime@npm:^6.22.0, babel-runtime@npm:^6.26.0":
-  version: 6.26.0
-  resolution: "babel-runtime@npm:6.26.0"
-  dependencies:
-    core-js: ^2.4.0
-    regenerator-runtime: ^0.11.0
-  checksum: 8aeade94665e67a73c1ccc10f6fd42ba0c689b980032b70929de7a6d9a12eb87ef51902733f8fefede35afea7a5c3ef7e916a64d503446c1eedc9e3284bd3d50
-  languageName: node
-  linkType: hard
-
-"babel-template@npm:^6.24.1, babel-template@npm:^6.26.0":
-  version: 6.26.0
-  resolution: "babel-template@npm:6.26.0"
-  dependencies:
-    babel-runtime: ^6.26.0
-    babel-traverse: ^6.26.0
-    babel-types: ^6.26.0
-    babylon: ^6.18.0
-    lodash: ^4.17.4
-  checksum: 028dd57380f09b5641b74874a19073c53c4fb3f1696e849575aae18f8c80eaf21db75209057db862f3b893ce2cd9b795d539efa591b58f4a0fb011df0a56fbed
-  languageName: node
-  linkType: hard
-
-"babel-traverse@npm:^6.24.1, babel-traverse@npm:^6.26.0":
-  version: 6.26.0
-  resolution: "babel-traverse@npm:6.26.0"
-  dependencies:
-    babel-code-frame: ^6.26.0
-    babel-messages: ^6.23.0
-    babel-runtime: ^6.26.0
-    babel-types: ^6.26.0
-    babylon: ^6.18.0
-    debug: ^2.6.8
-    globals: ^9.18.0
-    invariant: ^2.2.2
-    lodash: ^4.17.4
-  checksum: fca037588d2791ae0409f1b7aa56075b798699cccc53ea04d82dd1c0f97b9e7ab17065f7dd3ecd69101d7874c9c8fd5e0f88fa53abbae1fe94e37e6b81ebcb8d
-  languageName: node
-  linkType: hard
-
-"babel-types@npm:^6.19.0, babel-types@npm:^6.24.1, babel-types@npm:^6.26.0":
-  version: 6.26.0
-  resolution: "babel-types@npm:6.26.0"
-  dependencies:
-    babel-runtime: ^6.26.0
-    esutils: ^2.0.2
-    lodash: ^4.17.4
-    to-fast-properties: ^1.0.3
-  checksum: d16b0fa86e9b0e4c2623be81d0a35679faff24dd2e43cde4ca58baf49f3e39415a011a889e6c2259ff09e1228e4c3a3db6449a62de59e80152fe1ce7398fde76
-  languageName: node
-  linkType: hard
-
-"babel6-plugin-strip-class-callcheck@npm:^6.0.0":
-  version: 6.0.0
-  resolution: "babel6-plugin-strip-class-callcheck@npm:6.0.0"
-  checksum: e765ff21f9aee4e488a270cd8515a456c0de4f56739c2c285a7d8c72712fcca10cd89d24eec47dec0ce8b77a7e27257ece2674c781169a01a90bcb18c825b369
-  languageName: node
-  linkType: hard
-
-"babylon@npm:^6.18.0":
-  version: 6.18.0
-  resolution: "babylon@npm:6.18.0"
-  bin:
-    babylon: ./bin/babylon.js
-  checksum: 0777ae0c735ce1cbfc856d627589ed9aae212b84fb0c03c368b55e6c5d3507841780052808d0ad46e18a2ba516e93d55eeed8cd967f3b2938822dfeccfb2a16d
-  languageName: node
-  linkType: hard
-
-"backbone@npm:^1.1.2":
-  version: 1.4.0
-  resolution: "backbone@npm:1.4.0"
-  dependencies:
-    underscore: ">=1.8.3"
-  checksum: 09abdf184c485a4cd2c68218298cf772fbefeaa166ef8eb795cdb0159b4ad1d2f6823dde089352eaf0be929e5bbef67c57555722f4d1886f969d954f77814870
-  languageName: node
-  linkType: hard
-
-"bail@npm:^1.0.0":
-  version: 1.0.5
-  resolution: "bail@npm:1.0.5"
-  checksum: 6c334940d7eaa4e656a12fb12407b6555649b6deb6df04270fa806e0da82684ebe4a4e47815b271c794b40f8d6fa286e0c248b14ddbabb324a917fab09b7301a
-  languageName: node
-  linkType: hard
-
-"balanced-match@npm:^1.0.0":
-  version: 1.0.2
-  resolution: "balanced-match@npm:1.0.2"
-  checksum: 9706c088a283058a8a99e0bf91b0a2f75497f185980d9ffa8b304de1d9e58ebda7c72c07ebf01dadedaac5b2907b2c6f566f660d62bd336c3468e960403b9d65
-  languageName: node
-  linkType: hard
-
-"balanced-match@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "balanced-match@npm:2.0.0"
-  checksum: 9a5caad6a292c5df164cc6d0c38e0eedf9a1413f42e5fece733640949d74d0052cfa9587c1a1681f772147fb79be495121325a649526957fd75b3a216d1fbc68
-  languageName: node
-  linkType: hard
-
-"base64-js@npm:^1.0.2, base64-js@npm:^1.3.1":
-  version: 1.5.1
-  resolution: "base64-js@npm:1.5.1"
-  checksum: 669632eb3745404c2f822a18fc3a0122d2f9a7a13f7fb8b5823ee19d1d2ff9ee5b52c53367176ea4ad093c332fd5ab4bd0ebae5a8e27917a4105a4cfc86b1005
-  languageName: node
-  linkType: hard
-
-"base64id@npm:2.0.0, base64id@npm:~2.0.0":
-  version: 2.0.0
-  resolution: "base64id@npm:2.0.0"
-  checksum: 581b1d37e6cf3738b7ccdd4d14fe2bfc5c238e696e2720ee6c44c183b838655842e22034e53ffd783f872a539915c51b0d4728a49c7cc678ac5a758e00d62168
-  languageName: node
-  linkType: hard
-
-"base@npm:^0.11.1":
-  version: 0.11.2
-  resolution: "base@npm:0.11.2"
-  dependencies:
-    cache-base: ^1.0.1
-    class-utils: ^0.3.5
-    component-emitter: ^1.2.1
-    define-property: ^1.0.0
-    isobject: ^3.0.1
-    mixin-deep: ^1.2.0
-    pascalcase: ^0.1.1
-  checksum: a4a146b912e27eea8f66d09cb0c9eab666f32ce27859a7dfd50f38cd069a2557b39f16dba1bc2aecb3b44bf096738dd207b7970d99b0318423285ab1b1994edd
-  languageName: node
-  linkType: hard
-
-"basic-auth@npm:~2.0.1":
-  version: 2.0.1
-  resolution: "basic-auth@npm:2.0.1"
-  dependencies:
-    safe-buffer: 5.1.2
-  checksum: 3419b805d5dfc518f3a05dcf42aa53aa9ce820e50b6df5097f9e186322e1bc733c36722b624802cd37e791035aa73b828ed814d8362333d42d7f5cd04d7a5e48
-  languageName: node
-  linkType: hard
-
-"bcrypt-pbkdf@npm:^1.0.0":
-  version: 1.0.2
-  resolution: "bcrypt-pbkdf@npm:1.0.2"
-  dependencies:
-    tweetnacl: ^0.14.3
-  checksum: 4edfc9fe7d07019609ccf797a2af28351736e9d012c8402a07120c4453a3b789a15f2ee1530dc49eee8f7eb9379331a8dd4b3766042b9e502f74a68e7f662291
-  languageName: node
-  linkType: hard
-
-"big.js@npm:^5.2.2":
-  version: 5.2.2
-  resolution: "big.js@npm:5.2.2"
-  checksum: b89b6e8419b097a8fb4ed2399a1931a68c612bce3cfd5ca8c214b2d017531191070f990598de2fc6f3f993d91c0f08aa82697717f6b3b8732c9731866d233c9e
-  languageName: node
-  linkType: hard
-
-"binary-extensions@npm:^1.0.0":
-  version: 1.13.1
-  resolution: "binary-extensions@npm:1.13.1"
-  checksum: ad7747f33c07e94ba443055de130b50c8b8b130a358bca064c580d91769ca6a69c7ac65ca008ff044ed4541d2c6ad45496e1fadbef5218a68770996b6a2194d7
-  languageName: node
-  linkType: hard
-
-"binary-extensions@npm:^2.0.0":
-  version: 2.2.0
-  resolution: "binary-extensions@npm:2.2.0"
-  checksum: ccd267956c58d2315f5d3ea6757cf09863c5fc703e50fbeb13a7dc849b812ef76e3cf9ca8f35a0c48498776a7478d7b4a0418e1e2b8cb9cb9731f2922aaad7f8
-  languageName: node
-  linkType: hard
-
-"binaryextensions@npm:1 || 2, binaryextensions@npm:^2.1.2":
-  version: 2.3.0
-  resolution: "binaryextensions@npm:2.3.0"
-  checksum: e64e4658a611a753e0320b047a0045a063c6f2dd92d7a7fc06c25f7e72fb3700dabcf328e319c79f1038e6d0ea46edb0644686603d5f36bff3350d0e7eb198a9
-  languageName: node
-  linkType: hard
-
-"bindings@npm:^1.5.0":
-  version: 1.5.0
-  resolution: "bindings@npm:1.5.0"
-  dependencies:
-    file-uri-to-path: 1.0.0
-  checksum: 65b6b48095717c2e6105a021a7da4ea435aa8d3d3cd085cb9e85bcb6e5773cf318c4745c3f7c504412855940b585bdf9b918236612a1c7a7942491de176f1ae7
-  languageName: node
-  linkType: hard
-
-"bl@npm:^4.1.0":
-  version: 4.1.0
-  resolution: "bl@npm:4.1.0"
-  dependencies:
-    buffer: ^5.5.0
-    inherits: ^2.0.4
-    readable-stream: ^3.4.0
-  checksum: 9e8521fa7e83aa9427c6f8ccdcba6e8167ef30cc9a22df26effcc5ab682ef91d2cbc23a239f945d099289e4bbcfae7a192e9c28c84c6202e710a0dfec3722662
-  languageName: node
-  linkType: hard
-
-"blank-object@npm:^1.0.1":
-  version: 1.0.2
-  resolution: "blank-object@npm:1.0.2"
-  checksum: 0d9aff57f4438c3dce6513ac77874fb74f3419e3e8384d4a520b9a3e9cfc8bee6be0f39f77c079da4e6e3fd8e347c125fb618816e730c34804c3092e5c3c5404
-  languageName: node
-  linkType: hard
-
-"bluebird@npm:^3.4.6, bluebird@npm:^3.5.5, bluebird@npm:^3.7.2":
-  version: 3.7.2
-  resolution: "bluebird@npm:3.7.2"
-  checksum: 869417503c722e7dc54ca46715f70e15f4d9c602a423a02c825570862d12935be59ed9c7ba34a9b31f186c017c23cac6b54e35446f8353059c101da73eac22ef
-  languageName: node
-  linkType: hard
-
-"bn.js@npm:^4.0.0, bn.js@npm:^4.1.0, bn.js@npm:^4.11.9":
-  version: 4.12.0
-  resolution: "bn.js@npm:4.12.0"
-  checksum: 39afb4f15f4ea537b55eaf1446c896af28ac948fdcf47171961475724d1bb65118cca49fa6e3d67706e4790955ec0e74de584e45c8f1ef89f46c812bee5b5a12
-  languageName: node
-  linkType: hard
-
-"bn.js@npm:^5.0.0, bn.js@npm:^5.1.1":
-  version: 5.2.0
-  resolution: "bn.js@npm:5.2.0"
-  checksum: 6117170393200f68b35a061ecbf55d01dd989302e7b3c798a3012354fa638d124f0b2f79e63f77be5556be80322a09c40339eda6413ba7468524c0b6d4b4cb7a
-  languageName: node
-  linkType: hard
-
-"body-parser@npm:1.19.0, body-parser@npm:^1.17.0":
-  version: 1.19.0
-  resolution: "body-parser@npm:1.19.0"
-  dependencies:
-    bytes: 3.1.0
-    content-type: ~1.0.4
-    debug: 2.6.9
-    depd: ~1.1.2
-    http-errors: 1.7.2
-    iconv-lite: 0.4.24
-    on-finished: ~2.3.0
-    qs: 6.7.0
-    raw-body: 2.4.0
-    type-is: ~1.6.17
-  checksum: 490231b4c89bbd43112762f7ba8e5342c174a6c9f64284a3b0fcabf63277e332f8316765596f1e5b15e4f3a6cf0422e005f4bb3149ed3a224bb025b7a36b9ac1
-  languageName: node
-  linkType: hard
-
-"body-parser@npm:1.20.1":
-  version: 1.20.1
-  resolution: "body-parser@npm:1.20.1"
-  dependencies:
-    bytes: 3.1.2
-    content-type: ~1.0.4
-    debug: 2.6.9
-    depd: 2.0.0
-    destroy: 1.2.0
-    http-errors: 2.0.0
-    iconv-lite: 0.4.24
-    on-finished: 2.4.1
-    qs: 6.11.0
-    raw-body: 2.5.1
-    type-is: ~1.6.18
-    unpipe: 1.0.0
-  checksum: f1050dbac3bede6a78f0b87947a8d548ce43f91ccc718a50dd774f3c81f2d8b04693e52acf62659fad23101827dd318da1fb1363444ff9a8482b886a3e4a5266
-  languageName: node
-  linkType: hard
-
-"body@npm:^5.1.0":
-  version: 5.1.0
-  resolution: "body@npm:5.1.0"
-  dependencies:
-    continuable-cache: ^0.3.1
-    error: ^7.0.0
-    raw-body: ~1.1.0
-    safe-json-parse: ~1.0.1
-  checksum: 58a5a46b6de80c82ee2f6e00bdc0084be1697d50e47cfa0d53ff6daf70b0e5ec20359c134d41710d0fa8046ecd67e06128c134c821f090e40a31ed452a9b6b7f
-  languageName: node
-  linkType: hard
-
-"boolbase@npm:^1.0.0, boolbase@npm:~1.0.0":
-  version: 1.0.0
-  resolution: "boolbase@npm:1.0.0"
-  checksum: 3e25c80ef626c3a3487c73dbfc70ac322ec830666c9ad915d11b701142fab25ec1e63eff2c450c74347acfd2de854ccde865cd79ef4db1683f7c7b046ea43bb0
-  languageName: node
-  linkType: hard
-
-"boolify@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "boolify@npm:1.0.1"
-  checksum: 972bde1e4a35fad8fc18761a7fcef7358008e125ba9daee9bc5dc8f49cba3c635ea70b2f8c3b5bfd3167865e6c0662d6c338767de981a44f3e604df86f47fcc5
-  languageName: node
-  linkType: hard
-
-"bower-config@npm:^1.4.3":
-  version: 1.4.3
-  resolution: "bower-config@npm:1.4.3"
-  dependencies:
-    graceful-fs: ^4.1.3
-    minimist: ^0.2.1
-    mout: ^1.0.0
-    osenv: ^0.1.3
-    untildify: ^2.1.0
-    wordwrap: ^0.0.3
-  checksum: 195d829d32b99a6c88d58f0e77b3aad2d32c5ecb913e6a078be5a540f0fc3d34888c8c2e3d7cf268e389711a7b231ef4397ac3cd02053fdd115db58a5c8b19a3
-  languageName: node
-  linkType: hard
-
-"bower-endpoint-parser@npm:0.2.2":
-  version: 0.2.2
-  resolution: "bower-endpoint-parser@npm:0.2.2"
-  checksum: e5752ae90a7950da4aa32448105fd50e050cf47042f89db79bbaf64e0cf4342b39dae450353848ea8a766c969e7b760afb4de85d2e808eedd7d1340b4251cda0
-  languageName: node
-  linkType: hard
-
-"brace-expansion@npm:^1.1.7":
-  version: 1.1.11
-  resolution: "brace-expansion@npm:1.1.11"
-  dependencies:
-    balanced-match: ^1.0.0
-    concat-map: 0.0.1
-  checksum: faf34a7bb0c3fcf4b59c7808bc5d2a96a40988addf2e7e09dfbb67a2251800e0d14cd2bfc1aa79174f2f5095c54ff27f46fb1289fe2d77dac755b5eb3434cc07
-  languageName: node
-  linkType: hard
-
-"braces@npm:^2.3.1, braces@npm:^2.3.2":
-  version: 2.3.2
-  resolution: "braces@npm:2.3.2"
-  dependencies:
-    arr-flatten: ^1.1.0
-    array-unique: ^0.3.2
-    extend-shallow: ^2.0.1
-    fill-range: ^4.0.0
-    isobject: ^3.0.1
-    repeat-element: ^1.1.2
-    snapdragon: ^0.8.1
-    snapdragon-node: ^2.0.1
-    split-string: ^3.0.2
-    to-regex: ^3.0.1
-  checksum: e30dcb6aaf4a31c8df17d848aa283a65699782f75ad61ae93ec25c9729c66cf58e66f0000a9fec84e4add1135bb7da40f7cb9601b36bebcfa9ca58e8d5c07de0
-  languageName: node
-  linkType: hard
-
-"braces@npm:^3.0.1, braces@npm:^3.0.2, braces@npm:~3.0.2":
-  version: 3.0.2
-  resolution: "braces@npm:3.0.2"
-  dependencies:
-    fill-range: ^7.0.1
-  checksum: e2a8e769a863f3d4ee887b5fe21f63193a891c68b612ddb4b68d82d1b5f3ff9073af066c343e9867a393fe4c2555dcb33e89b937195feb9c1613d259edfcd459
-  languageName: node
-  linkType: hard
-
-"broccoli-amd-funnel@npm:^2.0.1":
-  version: 2.0.1
-  resolution: "broccoli-amd-funnel@npm:2.0.1"
-  dependencies:
-    broccoli-plugin: ^1.3.0
-    symlink-or-copy: ^1.2.0
-  checksum: 1f9327d1291fbdd00366da710091fc3c4d1c3f5a5c697cc2eb9e1f29d8b906ba9eb93ab612c9c1367b91d64b9a2f7a446cfa8a1e6faf4ce05315ff0f2ebdadf6
-  languageName: node
-  linkType: hard
-
-"broccoli-asset-rev@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "broccoli-asset-rev@npm:3.0.0"
-  dependencies:
-    broccoli-asset-rewrite: ^2.0.0
-    broccoli-filter: ^1.2.2
-    broccoli-persistent-filter: ^1.4.3
-    json-stable-stringify: ^1.0.0
-    minimatch: ^3.0.4
-    rsvp: ^3.0.6
-  checksum: 92822588babb5d82d3a09ce6e3646f59400566138c3a3824c93cdff568cbf74a318900a41be64bb39b322ec8442099ccc11932f335e877637823c1bf0a6de0d6
-  languageName: node
-  linkType: hard
-
-"broccoli-asset-rewrite@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "broccoli-asset-rewrite@npm:2.0.0"
-  dependencies:
-    broccoli-filter: ^1.2.3
-  checksum: 05a8d882ca6e3f2fd073650acb65e0f2c0945529c09a47b1b220455a0a67099e0d5bed7a0c52b7aaee40ad5f07f8e6db20b641aceb5330256b801fe1b8e39952
-  languageName: node
-  linkType: hard
-
-"broccoli-autoprefixer@npm:^5.0.0":
-  version: 5.0.0
-  resolution: "broccoli-autoprefixer@npm:5.0.0"
-  dependencies:
-    autoprefixer: ^7.0.0
-    broccoli-persistent-filter: ^1.1.6
-    postcss: ^6.0.1
-  checksum: 468df300b679e2afa3d14091f42313300424218d74911dba8dd61a16ce4b0888c76c517ac524f043c01304b3bb78d6e87927e931c96446f9921e4504f5361654
-  languageName: node
-  linkType: hard
-
-"broccoli-babel-transpiler@npm:^6.5.0":
-  version: 6.5.1
-  resolution: "broccoli-babel-transpiler@npm:6.5.1"
-  dependencies:
-    babel-core: ^6.26.0
-    broccoli-funnel: ^2.0.1
-    broccoli-merge-trees: ^2.0.0
-    broccoli-persistent-filter: ^1.4.3
-    clone: ^2.0.0
-    hash-for-dep: ^1.2.3
-    heimdalljs-logger: ^0.1.7
-    json-stable-stringify: ^1.0.0
-    rsvp: ^4.8.2
-    workerpool: ^2.3.0
-  checksum: 2e5273f2026dc27ca8ab984c49c00b967aa94f491b7e5059fc249e4c624a4901fd26c19c56f889b61eee1f2c1cb101944b2fd48e00156e503c7a3495cc7e270a
-  languageName: node
-  linkType: hard
-
-"broccoli-babel-transpiler@npm:^7.2.0, broccoli-babel-transpiler@npm:^7.8.0":
-  version: 7.8.0
-  resolution: "broccoli-babel-transpiler@npm:7.8.0"
-  dependencies:
-    "@babel/core": ^7.12.0
-    "@babel/polyfill": ^7.11.5
-    broccoli-funnel: ^2.0.2
-    broccoli-merge-trees: ^3.0.2
-    broccoli-persistent-filter: ^2.2.1
-    clone: ^2.1.2
-    hash-for-dep: ^1.4.7
-    heimdalljs: ^0.2.1
-    heimdalljs-logger: ^0.1.9
-    json-stable-stringify: ^1.0.1
-    rsvp: ^4.8.4
-    workerpool: ^3.1.1
-  checksum: 07fd89cc58bab2d6dd435b04b047d2bb843298761068cf7ae768819d1c8d8d4ac26746b0eb40e99ebceec6dfd1af97a25a7f1b00bd05136fa963b9c04033ca52
-  languageName: node
-  linkType: hard
-
-"broccoli-babel-transpiler@npm:^7.8.1":
-  version: 7.8.1
-  resolution: "broccoli-babel-transpiler@npm:7.8.1"
-  dependencies:
-    "@babel/core": ^7.12.0
-    "@babel/polyfill": ^7.11.5
-    broccoli-funnel: ^2.0.2
-    broccoli-merge-trees: ^3.0.2
-    broccoli-persistent-filter: ^2.2.1
-    clone: ^2.1.2
-    hash-for-dep: ^1.4.7
-    heimdalljs: ^0.2.1
-    heimdalljs-logger: ^0.1.9
-    json-stable-stringify: ^1.0.1
-    rsvp: ^4.8.4
-    workerpool: ^3.1.1
-  checksum: cd1d798e38dfc285082b1b114017639b1951f529436dd47c7b56d995ad5adb897084dadaf6da94cf2b7af6cc118099f1b5411b58b5ec72f5247bd9e820ac9ff6
-  languageName: node
-  linkType: hard
-
-"broccoli-builder@npm:^0.18.14":
-  version: 0.18.14
-  resolution: "broccoli-builder@npm:0.18.14"
-  dependencies:
-    broccoli-node-info: ^1.1.0
-    heimdalljs: ^0.2.0
-    promise-map-series: ^0.2.1
-    quick-temp: ^0.1.2
-    rimraf: ^2.2.8
-    rsvp: ^3.0.17
-    silent-error: ^1.0.1
-  checksum: 06721fdc65f97ec331126d3fca329ac287c879cffd748b4c536acca16376995d3200d26af22b9a4fef464476202f83bb3a9dbdcdec8939914600ee1e8760f995
-  languageName: node
-  linkType: hard
-
-"broccoli-caching-writer@npm:^2.2.0":
-  version: 2.3.1
-  resolution: "broccoli-caching-writer@npm:2.3.1"
-  dependencies:
-    broccoli-kitchen-sink-helpers: ^0.2.5
-    broccoli-plugin: 1.1.0
-    debug: ^2.1.1
-    rimraf: ^2.2.8
-    rsvp: ^3.0.17
-    walk-sync: ^0.2.5
-  checksum: 3ee20d818f1a833c41499fd2d7abc09c75951a4ea7522d6ec1cd853351a03a5cfd283e50efd068705104e3825401165dff3438fa723e5b6760072a280c42fa61
-  languageName: node
-  linkType: hard
-
-"broccoli-caching-writer@npm:^3.0.3":
-  version: 3.0.3
-  resolution: "broccoli-caching-writer@npm:3.0.3"
-  dependencies:
-    broccoli-kitchen-sink-helpers: ^0.3.1
-    broccoli-plugin: ^1.2.1
-    debug: ^2.1.1
-    rimraf: ^2.2.8
-    rsvp: ^3.0.17
-    walk-sync: ^0.3.0
-  checksum: 30b002bb2050b0f51ece58e088b26212784779205184021acf5fc807e2619820daa95b56a390da10de3b49defa76f525f095b980c009fb4c7cb30d3d18875117
-  languageName: node
-  linkType: hard
-
-"broccoli-clean-css@npm:^1.1.0":
-  version: 1.1.0
-  resolution: "broccoli-clean-css@npm:1.1.0"
-  dependencies:
-    broccoli-persistent-filter: ^1.1.6
-    clean-css-promise: ^0.1.0
-    inline-source-map-comment: ^1.0.5
-    json-stable-stringify: ^1.0.0
-  checksum: 7b1739c9e12ccbf9e86b0f98be97b2c2f0ef8ac831e87f7e478ca4dc8fce3e93db4e625ad53ddb48bab4efbe8d0d2304ee77bdd015aab84d71250d9fb8ff44c7
-  languageName: node
-  linkType: hard
-
-"broccoli-concat@npm:^4.2.5":
-  version: 4.2.5
-  resolution: "broccoli-concat@npm:4.2.5"
-  dependencies:
-    broccoli-debug: ^0.6.5
-    broccoli-kitchen-sink-helpers: ^0.3.1
-    broccoli-plugin: ^4.0.2
-    ensure-posix-path: ^1.0.2
-    fast-sourcemap-concat: ^2.1.0
-    find-index: ^1.1.0
-    fs-extra: ^8.1.0
-    fs-tree-diff: ^2.0.1
-    lodash.merge: ^4.6.2
-    lodash.omit: ^4.1.0
-    lodash.uniq: ^4.2.0
-  checksum: a8eb7394863d7ba3dd9b8011ef37ef746182bea42c50c61bc5cf25767bcd0edec1dac9c37dcf8ba34d24568fdc3e69ce88b414316eedbbecf9deae13f349cc7e
-  languageName: node
-  linkType: hard
-
-"broccoli-config-loader@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "broccoli-config-loader@npm:1.0.1"
-  dependencies:
-    broccoli-caching-writer: ^3.0.3
-  checksum: 92543dee0b8e3da15533262190a34287c53dad913190d14306d706ef8f2594106c240fe2c4eff026af0730e79dd77990271bf74cfd37051040b7dc177cea49e4
-  languageName: node
-  linkType: hard
-
-"broccoli-config-replace@npm:^1.1.2":
-  version: 1.1.2
-  resolution: "broccoli-config-replace@npm:1.1.2"
-  dependencies:
-    broccoli-kitchen-sink-helpers: ^0.3.1
-    broccoli-plugin: ^1.2.0
-    debug: ^2.2.0
-    fs-extra: ^0.24.0
-  checksum: 578471fb135e00d914334eaa8e1305ba2183f6be26833eff941c3c30bd002d157054a45ed16afb96784c25aa2a3f5bad73cd9c21a005acb61be7a960739b3725
-  languageName: node
-  linkType: hard
-
-"broccoli-debug@npm:^0.6.4, broccoli-debug@npm:^0.6.5":
-  version: 0.6.5
-  resolution: "broccoli-debug@npm:0.6.5"
-  dependencies:
-    broccoli-plugin: ^1.2.1
-    fs-tree-diff: ^0.5.2
-    heimdalljs: ^0.2.1
-    heimdalljs-logger: ^0.1.7
-    symlink-or-copy: ^1.1.8
-    tree-sync: ^1.2.2
-  checksum: 03cd34dea7cc6c1cb4d2b0aa564449e44bf4a0a874dc8ca28ffc22bc7ab062ccbe8bb08a7d4e44639f532f392d4a56913a372e75f1bde7763b20898da852aeba
-  languageName: node
-  linkType: hard
-
-"broccoli-dependency-funnel@npm:^2.1.2":
-  version: 2.1.2
-  resolution: "broccoli-dependency-funnel@npm:2.1.2"
-  dependencies:
-    broccoli-plugin: ^1.3.1
-    fs-tree-diff: ^0.5.9
-    heimdalljs: ^0.2.5
-    heimdalljs-logger: ^0.1.9
-    mkdirp: ^0.5.1
-    mr-dep-walk: ^1.4.0
-    path-posix: ^1.0.0
-    rimraf: ^2.6.2
-    symlink-or-copy: ^1.2.0
-  checksum: b62bdd3d8c422082d05408742be796b64d1dfcff8f8952d4a2289a95d03b2850f64d157bcb40150ae865a9850d457e0a7209b0875962f09410a28582fe242bda
-  languageName: node
-  linkType: hard
-
-"broccoli-file-creator@npm:^1.1.1":
-  version: 1.2.0
-  resolution: "broccoli-file-creator@npm:1.2.0"
-  dependencies:
-    broccoli-plugin: ^1.1.0
-    mkdirp: ^0.5.1
-  checksum: 591be2b9a9e2aadd0f5c07fb85a2125eebf29a50ca8dbed4c67f8b75d7e5a296f7740f41e1a441d3861bb2b298a76201995ca2df59c34e1c641521e4f3555d50
-  languageName: node
-  linkType: hard
-
-"broccoli-file-creator@npm:^2.1.1":
-  version: 2.1.1
-  resolution: "broccoli-file-creator@npm:2.1.1"
-  dependencies:
-    broccoli-plugin: ^1.1.0
-    mkdirp: ^0.5.1
-  checksum: aab1bd06e55f805e3c52235a7294a8f008255d178ef236e2966c59f943090a55bca44e9d26fcf176f4e0f94033af5c1fd038a85c6950bf36ff41a0c0787fe938
-  languageName: node
-  linkType: hard
-
-"broccoli-filter@npm:^1.2.2, broccoli-filter@npm:^1.2.3":
-  version: 1.3.0
-  resolution: "broccoli-filter@npm:1.3.0"
-  dependencies:
-    broccoli-kitchen-sink-helpers: ^0.3.1
-    broccoli-plugin: ^1.0.0
-    copy-dereference: ^1.0.0
-    debug: ^2.2.0
-    mkdirp: ^0.5.1
-    promise-map-series: ^0.2.1
-    rsvp: ^3.0.18
-    symlink-or-copy: ^1.0.1
-    walk-sync: ^0.3.1
-  checksum: 4908af4844c166adfd61def33c21a152870e7cc319fa16d50caa906ad68c46e5abbc6fb9c3373e3b7bc494473d4972461ef0a0fa0d2ae82c0f0d44ec0fe3cfc5
-  languageName: node
-  linkType: hard
-
-"broccoli-funnel-reducer@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "broccoli-funnel-reducer@npm:1.0.0"
-  checksum: 3a924dc63136168325ea202d05139ad238290eff649cb6a2570f3faeccbbf0d904792525100fc41da34a1fd0946d951bdb247ecd1e4d7d99f29f82583b94ce7b
-  languageName: node
-  linkType: hard
-
-"broccoli-funnel@npm:2.0.1":
-  version: 2.0.1
-  resolution: "broccoli-funnel@npm:2.0.1"
-  dependencies:
-    array-equal: ^1.0.0
-    blank-object: ^1.0.1
-    broccoli-plugin: ^1.3.0
-    debug: ^2.2.0
-    fast-ordered-set: ^1.0.0
-    fs-tree-diff: ^0.5.3
-    heimdalljs: ^0.2.0
-    minimatch: ^3.0.0
-    mkdirp: ^0.5.0
-    path-posix: ^1.0.0
-    rimraf: ^2.4.3
-    symlink-or-copy: ^1.0.0
-    walk-sync: ^0.3.1
-  checksum: 415257006360c6015835a513c7946f1bc356ea5ed6bd960382bad1f511d81758539690ccbd7cecdc740b7e91f1719088b5bb8f5c024ca4dda089efec229ce0b7
-  languageName: node
-  linkType: hard
-
-"broccoli-funnel@npm:^1.0.1, broccoli-funnel@npm:^1.1.0":
-  version: 1.2.0
-  resolution: "broccoli-funnel@npm:1.2.0"
-  dependencies:
-    array-equal: ^1.0.0
-    blank-object: ^1.0.1
-    broccoli-plugin: ^1.3.0
-    debug: ^2.2.0
-    exists-sync: 0.0.4
-    fast-ordered-set: ^1.0.0
-    fs-tree-diff: ^0.5.3
-    heimdalljs: ^0.2.0
-    minimatch: ^3.0.0
-    mkdirp: ^0.5.0
-    path-posix: ^1.0.0
-    rimraf: ^2.4.3
-    symlink-or-copy: ^1.0.0
-    walk-sync: ^0.3.1
-  checksum: dacd261a6ddbdd9ffa3bc6d6dd7653eace0896e1b7e281ed9cead4c5b5a4e04b0f1be5b9b09ccd576288d3a15a2dbace1920c7de17a9bba9e5564f7580f8f19a
-  languageName: node
-  linkType: hard
-
-"broccoli-funnel@npm:^2.0.0, broccoli-funnel@npm:^2.0.1, broccoli-funnel@npm:^2.0.2":
-  version: 2.0.2
-  resolution: "broccoli-funnel@npm:2.0.2"
-  dependencies:
-    array-equal: ^1.0.0
-    blank-object: ^1.0.1
-    broccoli-plugin: ^1.3.0
-    debug: ^2.2.0
-    fast-ordered-set: ^1.0.0
-    fs-tree-diff: ^0.5.3
-    heimdalljs: ^0.2.0
-    minimatch: ^3.0.0
-    mkdirp: ^0.5.0
-    path-posix: ^1.0.0
-    rimraf: ^2.4.3
-    symlink-or-copy: ^1.0.0
-    walk-sync: ^0.3.1
-  checksum: e039c07f7a69d538a2a60e66167ccff8e00e14f053e6e0e5ce6d446c5a6d351e55cc9be57aad1a9e9d684b444bea81cd2eade387c5764fa9355b9f30fcc4bd48
-  languageName: node
-  linkType: hard
-
-"broccoli-funnel@npm:^3.0.3, broccoli-funnel@npm:^3.0.5, broccoli-funnel@npm:^3.0.8":
-  version: 3.0.8
-  resolution: "broccoli-funnel@npm:3.0.8"
-  dependencies:
-    array-equal: ^1.0.0
-    broccoli-plugin: ^4.0.7
-    debug: ^4.1.1
-    fs-tree-diff: ^2.0.1
-    heimdalljs: ^0.2.0
-    minimatch: ^3.0.0
-    walk-sync: ^2.0.2
-  checksum: 125b0bda1bf63779528f97d153cab2c2d47d3783e26037d0f1acaf9f528a04397f2538d66662efaedd4627bfbae7713a2f8248017c81d518319b3c8cbe3b31d9
-  languageName: node
-  linkType: hard
-
-"broccoli-kitchen-sink-helpers@npm:^0.2.5":
-  version: 0.2.9
-  resolution: "broccoli-kitchen-sink-helpers@npm:0.2.9"
-  dependencies:
-    glob: ^5.0.10
-    mkdirp: ^0.5.1
-  checksum: cf67d77f4ee028c90c4917626eda636b736a3fdd11f84ba2c9b00708222c8878909c1b30d824b4b9d946c6c975b6e3bd08cc218ed3cfbe6f9436808e9023a941
-  languageName: node
-  linkType: hard
-
-"broccoli-kitchen-sink-helpers@npm:^0.3.1":
-  version: 0.3.1
-  resolution: "broccoli-kitchen-sink-helpers@npm:0.3.1"
-  dependencies:
-    glob: ^5.0.10
-    mkdirp: ^0.5.1
-  checksum: c3af1f4a902ab69fa6e576430c2829cceaa2c34e6f6ff68eb5f6305c10835123b4644bfcb036452c7222d6853c720bf83ec1e5e125db7915d849c7968d0e652e
-  languageName: node
-  linkType: hard
-
-"broccoli-merge-trees@npm:^1.1.1":
-  version: 1.2.4
-  resolution: "broccoli-merge-trees@npm:1.2.4"
-  dependencies:
-    broccoli-plugin: ^1.3.0
-    can-symlink: ^1.0.0
-    fast-ordered-set: ^1.0.2
-    fs-tree-diff: ^0.5.4
-    heimdalljs: ^0.2.1
-    heimdalljs-logger: ^0.1.7
-    rimraf: ^2.4.3
-    symlink-or-copy: ^1.0.0
-  checksum: 7d5ae0c12582bcca4c6a697bd768b45f38b19d3b89f580ded973bf1c4ee2d581c2a50d1914eeab96d2c3502ccb792eb806298ce99bf0bcd9bf98f87c916390a5
-  languageName: node
-  linkType: hard
-
-"broccoli-merge-trees@npm:^2.0.0":
-  version: 2.0.1
-  resolution: "broccoli-merge-trees@npm:2.0.1"
-  dependencies:
-    broccoli-plugin: ^1.3.0
-    merge-trees: ^1.0.1
-  checksum: cf58d11761a3a362d80634e0f3b1b5fdb87572c9e54740fbc24803d79b44f2246b12b76aecb2f783d92c0cef55f7a3b7eb5314bc463fd94cb6d29f1b370a4289
-  languageName: node
-  linkType: hard
-
-"broccoli-merge-trees@npm:^3.0.0, broccoli-merge-trees@npm:^3.0.1, broccoli-merge-trees@npm:^3.0.2":
-  version: 3.0.2
-  resolution: "broccoli-merge-trees@npm:3.0.2"
-  dependencies:
-    broccoli-plugin: ^1.3.0
-    merge-trees: ^2.0.0
-  checksum: 4239955a72f9e9547d3b8af27784e7b4931d88bc83c80b48eaae5819a839e3ab3973ccd459502459fcbc9b69749bbc89e9f06e0025fe5483b1704c6dbe0dd61c
-  languageName: node
-  linkType: hard
-
-"broccoli-merge-trees@npm:^4.2.0":
-  version: 4.2.0
-  resolution: "broccoli-merge-trees@npm:4.2.0"
-  dependencies:
-    broccoli-plugin: ^4.0.2
-    merge-trees: ^2.0.0
-  checksum: 8e5371bf41d8b95dd3d600a35d159e185fe0ce0a558cb7b35cdfbb0e3cf2941ee92745dafa7452be0034929459c84acdb55bf762d8c2ca5e59fd124fb219e559
-  languageName: node
-  linkType: hard
-
-"broccoli-middleware@npm:^2.1.1":
-  version: 2.1.1
-  resolution: "broccoli-middleware@npm:2.1.1"
-  dependencies:
-    ansi-html: ^0.0.7
-    handlebars: ^4.0.4
-    has-ansi: ^3.0.0
-    mime-types: ^2.1.18
-  checksum: d32e8d871869737d554bb0913491f2cf80b975eac43f7c1cde1334468d4610830b6a4f2d75a310b3d113d0e513e3b8b966b5d58789a9d396b52a40d279587a1f
-  languageName: node
-  linkType: hard
-
-"broccoli-node-api@npm:^1.6.0, broccoli-node-api@npm:^1.7.0":
-  version: 1.7.0
-  resolution: "broccoli-node-api@npm:1.7.0"
-  checksum: 37b83c81549294d0c843bb4c07ef5330a5493f5e8204e4f7eda716c4f5175f5ccf0f10f0957a18321324b5ff3d4fe2a2cd6cd8e598d6f9e7986c45b8dd200b99
-  languageName: node
-  linkType: hard
-
-"broccoli-node-info@npm:1.1.0, broccoli-node-info@npm:^1.1.0":
-  version: 1.1.0
-  resolution: "broccoli-node-info@npm:1.1.0"
-  checksum: f3e552f3e2ba05d9bb73f5d9ba0e27961851744e3a1a70de3f712598746e6214a7b8b8a7ceafc8235f81973a2e9dca58e022a9f150b4c5963aed5bf90d496b96
-  languageName: node
-  linkType: hard
-
-"broccoli-node-info@npm:^2.1.0":
-  version: 2.2.0
-  resolution: "broccoli-node-info@npm:2.2.0"
-  checksum: e5d68ebb35aa4406dc7dd9e90f15f68fb58c2026696bda2a67045f993261e856fbfec35b3d424c835af7873bd7de00f15630a5b2626c8c0929365035ade9cddd
-  languageName: node
-  linkType: hard
-
-"broccoli-output-wrapper@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "broccoli-output-wrapper@npm:2.0.0"
-  dependencies:
-    heimdalljs-logger: ^0.1.10
-  checksum: 9e2abb307e7d852827548fecfb2b5daa6efea70bcc23d39f1ad51494477a38d8049a3592f7a0e18aa20cb9bcad7b49389ec5052f3a368cbcdb94a4dbe0650381
-  languageName: node
-  linkType: hard
-
-"broccoli-output-wrapper@npm:^3.2.5":
-  version: 3.2.5
-  resolution: "broccoli-output-wrapper@npm:3.2.5"
-  dependencies:
-    fs-extra: ^8.1.0
-    heimdalljs-logger: ^0.1.10
-    symlink-or-copy: ^1.2.0
-  checksum: c23d875544bfdd4cf0767fb9080a6a16bf938497a1a6601fe9ea2e0e5cce26f1a4f4ab81f80e50376b0d86b622cef848d0ffba3f5fa4f2e3c4b531539383eddb
-  languageName: node
-  linkType: hard
-
-"broccoli-persistent-filter@npm:^1.1.5, broccoli-persistent-filter@npm:^1.1.6, broccoli-persistent-filter@npm:^1.4.3":
-  version: 1.4.6
-  resolution: "broccoli-persistent-filter@npm:1.4.6"
-  dependencies:
-    async-disk-cache: ^1.2.1
-    async-promise-queue: ^1.0.3
-    broccoli-plugin: ^1.0.0
-    fs-tree-diff: ^0.5.2
-    hash-for-dep: ^1.0.2
-    heimdalljs: ^0.2.1
-    heimdalljs-logger: ^0.1.7
-    mkdirp: ^0.5.1
-    promise-map-series: ^0.2.1
-    rimraf: ^2.6.1
-    rsvp: ^3.0.18
-    symlink-or-copy: ^1.0.1
-    walk-sync: ^0.3.1
-  checksum: 42adb04ba99ccbd943299d37d40fc87f5c9629ec98d0774c43695590ec7ad9392ba6c5bef5e089e1bc208d49de820d13aa46dc0d80d71444f00f9b0df9811df9
-  languageName: node
-  linkType: hard
-
-"broccoli-persistent-filter@npm:^2.2.1, broccoli-persistent-filter@npm:^2.3.0, broccoli-persistent-filter@npm:^2.3.1":
-  version: 2.3.1
-  resolution: "broccoli-persistent-filter@npm:2.3.1"
-  dependencies:
-    async-disk-cache: ^1.2.1
-    async-promise-queue: ^1.0.3
-    broccoli-plugin: ^1.0.0
-    fs-tree-diff: ^2.0.0
-    hash-for-dep: ^1.5.0
-    heimdalljs: ^0.2.1
-    heimdalljs-logger: ^0.1.7
-    mkdirp: ^0.5.1
-    promise-map-series: ^0.2.1
-    rimraf: ^2.6.1
-    rsvp: ^4.7.0
-    symlink-or-copy: ^1.0.1
-    sync-disk-cache: ^1.3.3
-    walk-sync: ^1.0.0
-  checksum: 35228d15267f6b08e7e572698c6ef2fc4623701f97604a6bce4826c0dbc3074e743cf583f56d014051d64d3cf72f26dd29f26f9ff8e79f907d762fad9481da36
-  languageName: node
-  linkType: hard
-
-"broccoli-persistent-filter@npm:^3.1.2":
-  version: 3.1.2
-  resolution: "broccoli-persistent-filter@npm:3.1.2"
-  dependencies:
-    async-disk-cache: ^2.0.0
-    async-promise-queue: ^1.0.3
-    broccoli-plugin: ^4.0.3
-    fs-tree-diff: ^2.0.0
-    hash-for-dep: ^1.5.0
-    heimdalljs: ^0.2.1
-    heimdalljs-logger: ^0.1.7
-    promise-map-series: ^0.2.1
-    rimraf: ^3.0.0
-    symlink-or-copy: ^1.0.1
-    sync-disk-cache: ^2.0.0
-  checksum: 15adca88e26cd8a105c786dc7d2ba57c2c98d4a43079c94753826c000c879fad627ec280e57f7d890be8583ea66967579db4c9e19ef73ccb2ef887a09e36fb85
-  languageName: node
-  linkType: hard
-
-"broccoli-plugin@npm:*, broccoli-plugin@npm:^4.0.1, broccoli-plugin@npm:^4.0.2, broccoli-plugin@npm:^4.0.3, broccoli-plugin@npm:^4.0.5, broccoli-plugin@npm:^4.0.7":
-  version: 4.0.7
-  resolution: "broccoli-plugin@npm:4.0.7"
-  dependencies:
-    broccoli-node-api: ^1.7.0
-    broccoli-output-wrapper: ^3.2.5
-    fs-merger: ^3.2.1
-    promise-map-series: ^0.3.0
-    quick-temp: ^0.1.8
-    rimraf: ^3.0.2
-    symlink-or-copy: ^1.3.1
-  checksum: 49d6a55ebfe1880e73956dc8bf23104ad81c1272d4a06755823e6e1eec5255583d2913de99427b3e0a620e3b56178fdd8ea03c832b7452f0440c166044aa555c
-  languageName: node
-  linkType: hard
-
-"broccoli-plugin@npm:1.1.0":
-  version: 1.1.0
-  resolution: "broccoli-plugin@npm:1.1.0"
-  dependencies:
-    promise-map-series: ^0.2.1
-    quick-temp: ^0.1.3
-    rimraf: ^2.3.4
-    symlink-or-copy: ^1.0.1
-  checksum: 3f660605a82e9661378d64cfaa079ef549e3c389e12ce8114329e0c5268e68e07c8e3c9fe1c7762c30cfd639aa7c5f484c8e134ddffb49f0b04113818a06a5d8
-  languageName: node
-  linkType: hard
-
-"broccoli-plugin@npm:^1.0.0, broccoli-plugin@npm:^1.1.0, broccoli-plugin@npm:^1.2.0, broccoli-plugin@npm:^1.2.1, broccoli-plugin@npm:^1.3.0, broccoli-plugin@npm:^1.3.1":
-  version: 1.3.1
-  resolution: "broccoli-plugin@npm:1.3.1"
-  dependencies:
-    promise-map-series: ^0.2.1
-    quick-temp: ^0.1.3
-    rimraf: ^2.3.4
-    symlink-or-copy: ^1.1.8
-  checksum: 53ddfa2f419feb1b30e2b16d29d7b0877ac56ec97a16b07075ce6ec065d4382e20e94ce992a836942f24aee12a1fbff4f93f711d470e5614a786b4b29d0e215d
-  languageName: node
-  linkType: hard
-
-"broccoli-plugin@npm:^2.0.0, broccoli-plugin@npm:^2.1.0":
-  version: 2.1.0
-  resolution: "broccoli-plugin@npm:2.1.0"
-  dependencies:
-    promise-map-series: ^0.2.1
-    quick-temp: ^0.1.3
-    rimraf: ^2.3.4
-    symlink-or-copy: ^1.1.8
-  checksum: c5481d7d3a0d2f481bdaa7d18cbf7f88edc40ae363eb28c97856955991f0c44671433bb925f841efcce7e32a5eebc26c48f8ca361e8ce2725aae2bc86ba5b948
-  languageName: node
-  linkType: hard
-
-"broccoli-plugin@npm:^3.1.0":
-  version: 3.1.0
-  resolution: "broccoli-plugin@npm:3.1.0"
-  dependencies:
-    broccoli-node-api: ^1.6.0
-    broccoli-output-wrapper: ^2.0.0
-    fs-merger: ^3.0.1
-    promise-map-series: ^0.2.1
-    quick-temp: ^0.1.3
-    rimraf: ^2.3.4
-    symlink-or-copy: ^1.1.8
-  checksum: 6ae0eecb8f894de66445a8d7000a5f7fc6f0c07250ee788706ef7a6f9846c10e473be120999353b0ed89a0e60f96332586da01f40325d5df7d79e02a9f01d154
-  languageName: node
-  linkType: hard
-
-"broccoli-plugin@npm:^4.0.0":
-  version: 4.0.5
-  resolution: "broccoli-plugin@npm:4.0.5"
-  dependencies:
-    broccoli-node-api: ^1.7.0
-    broccoli-output-wrapper: ^3.2.5
-    fs-merger: ^3.1.0
-    promise-map-series: ^0.3.0
-    quick-temp: ^0.1.8
-    rimraf: ^3.0.2
-    symlink-or-copy: ^1.3.1
-  checksum: 1e459b3f03929fc9515f905d2bc033ac23ab869d837fa4ca68fc47062aea61fb3c11f2e3604ad1c4bef38b22cb1e0c4d5d0d88715ae1cdc7f064f30fc11093c9
-  languageName: node
-  linkType: hard
-
-"broccoli-rollup@npm:4.0.0":
-  version: 4.0.0
-  resolution: "broccoli-rollup@npm:4.0.0"
-  dependencies:
-    "@types/node": "*"
-    broccoli-plugin: ^2.0.0
-    fs-tree-diff: ^2.0.1
-    heimdalljs: ^0.2.6
-    heimdalljs-logger: ^0.1.10
-    magic-string: ^0.25.2
-    node-modules-path: ^1.0.1
-    rollup: ^1.12.0
-    symlink-or-copy: ^1.2.0
-    walk-sync: ^1.1.3
-  checksum: 89ac42aaf952674b0b81500551b4eccd96a51a1485d9b0cb89c690cc8cfbda9b82860147e810ec3012fceaf79af12cdf35e08c57ee1bac69d805072fdd87220d
-  languageName: node
-  linkType: hard
-
-"broccoli-rollup@npm:^2.1.1":
-  version: 2.1.1
-  resolution: "broccoli-rollup@npm:2.1.1"
-  dependencies:
-    "@types/node": ^9.6.0
-    amd-name-resolver: ^1.2.0
-    broccoli-plugin: ^1.2.1
-    fs-tree-diff: ^0.5.2
-    heimdalljs: ^0.2.1
-    heimdalljs-logger: ^0.1.7
-    magic-string: ^0.24.0
-    node-modules-path: ^1.0.1
-    rollup: ^0.57.1
-    symlink-or-copy: ^1.1.8
-    walk-sync: ^0.3.1
-  checksum: 6ddce6266854494da4875f6a1bd274c690b14fd7a82b47735118daaf5081304ef79fb781270ed6c09f312896c872fdbdf5619a77d50eb769bf977745242284d2
-  languageName: node
-  linkType: hard
-
-"broccoli-rollup@npm:^5.0.0":
-  version: 5.0.0
-  resolution: "broccoli-rollup@npm:5.0.0"
-  dependencies:
-    "@types/broccoli-plugin": ^3.0.0
-    broccoli-plugin: ^4.0.7
-    fs-tree-diff: ^2.0.1
-    heimdalljs: ^0.2.6
-    node-modules-path: ^1.0.1
-    rollup: ^2.50.0
-    rollup-pluginutils: ^2.8.1
-    symlink-or-copy: ^1.2.0
-    walk-sync: ^2.2.0
-  checksum: 752725e1b78b8dc6b228b0156b44e293feb948c00bf3b505254ba1f9a706a14334727eb1505c8e01ee22500387cc3059f8cb0ecf7857935346768bdcf1939b1e
-  languageName: node
-  linkType: hard
-
-"broccoli-sass-source-maps@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "broccoli-sass-source-maps@npm:4.0.0"
-  dependencies:
-    broccoli-caching-writer: ^3.0.3
-    include-path-searcher: ^0.1.0
-    mkdirp: ^0.3.5
-    object-assign: ^2.0.0
-    rsvp: ^3.0.6
-  checksum: a90b04901782d4a903b491b0eb0660d6dde7ce6d39479675e61a7a98ec93172d3bc6960b21f3540d41209fe8eeddd25c52fc1bae5012c22bdcfaf54097131c0a
-  languageName: node
-  linkType: hard
-
-"broccoli-slow-trees@npm:^3.0.1, broccoli-slow-trees@npm:^3.1.0":
-  version: 3.1.0
-  resolution: "broccoli-slow-trees@npm:3.1.0"
-  dependencies:
-    heimdalljs: ^0.2.1
-  checksum: 13c03939279e547484ee404a01a2f026eb518ddfdf7bc5376b5b7fa1c22be6fea2a1bb5aaa4d1d7bbc4fc0d3cab1083ae419d230bde90553e424957197cf9296
-  languageName: node
-  linkType: hard
-
-"broccoli-source@npm:^1.1.0":
-  version: 1.1.0
-  resolution: "broccoli-source@npm:1.1.0"
-  checksum: 6c9421e44033df4ebd5ad7a3329599e40377f1b36629637d904ca7593ab721c99e6e4cc46b774bf4c2c6b24bcec0a0a3b327c7af42e768c1855378589ac3d796
-  languageName: node
-  linkType: hard
-
-"broccoli-source@npm:^2.1.2":
-  version: 2.1.2
-  resolution: "broccoli-source@npm:2.1.2"
-  checksum: b8dfacce8a442a7a6af6f127663830387c88e4584be02854815959422598610557d3d8fc1f01c93f3f1b0afa7ffd8f151fead4377fb3e711adecd0d0c0e39e67
-  languageName: node
-  linkType: hard
-
-"broccoli-source@npm:^3.0.0, broccoli-source@npm:^3.0.1":
-  version: 3.0.1
-  resolution: "broccoli-source@npm:3.0.1"
-  dependencies:
-    broccoli-node-api: ^1.6.0
-  checksum: e47d16d269b616f12d525629d85e71e2d91b2daaf2e59a367c81f8db8cc324d7c9259de43dfa5130358ba6333fd0b620016895947dbc969c92d2ea94c2b755ea
-  languageName: node
-  linkType: hard
-
-"broccoli-sri-hash@meirish/broccoli-sri-hash#rooturl, broccoli-sri-hash@npm:^2.1.0":
-  version: 2.1.2
-  resolution: "broccoli-sri-hash@https://github.com/meirish/broccoli-sri-hash.git#commit=5ebad6f345c38d45461676c7a298a0b61be4a39d"
-  dependencies:
-    broccoli-caching-writer: ^2.2.0
-    mkdirp: ^0.5.1
-    rsvp: ^3.1.0
-    sri-toolbox: ^0.2.0
-    symlink-or-copy: ^1.0.1
-  checksum: bcf5fc1096d4c3c862bfc2ec3248edd5ee3bb13edcdc07a5f357587a9ea4ff48d8b97b73f11da3794a122ef1a0c1e2ef1181e59c03a955f9f24dfeb9adecef7e
-  languageName: node
-  linkType: hard
-
-"broccoli-stew@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "broccoli-stew@npm:3.0.0"
-  dependencies:
-    broccoli-debug: ^0.6.5
-    broccoli-funnel: ^2.0.0
-    broccoli-merge-trees: ^3.0.1
-    broccoli-persistent-filter: ^2.3.0
-    broccoli-plugin: ^2.1.0
-    chalk: ^2.4.1
-    debug: ^4.1.1
-    ensure-posix-path: ^1.0.1
-    fs-extra: ^8.0.1
-    minimatch: ^3.0.4
-    resolve: ^1.11.1
-    rsvp: ^4.8.5
-    symlink-or-copy: ^1.2.0
-    walk-sync: ^1.1.3
-  checksum: c5fc1f024d0ccc9a31b4fd9a70e34c0320b487ec86cfeaf66b6d7a06936b352fd65be59dccc200b9ffc17e528e6f9a5b2525b59169d17cd3e36daf8ce5f1deed
-  languageName: node
-  linkType: hard
-
-"broccoli-string-replace@npm:^0.1.2":
-  version: 0.1.2
-  resolution: "broccoli-string-replace@npm:0.1.2"
-  dependencies:
-    broccoli-persistent-filter: ^1.1.5
-    minimatch: ^3.0.3
-  checksum: 853c89a2e764d4577a5f28b71a63cf47f23c226d57a7521b07617758d5d69bdf4d8667a46abeceee53b39bbcfd1f61edf365e678665577d3d0b08b25fceceaf1
-  languageName: node
-  linkType: hard
-
-"broccoli-svg-optimizer@npm:^2.1.0":
-  version: 2.1.0
-  resolution: "broccoli-svg-optimizer@npm:2.1.0"
-  dependencies:
-    broccoli-persistent-filter: ^3.1.2
-    safe-stable-stringify: ^2.2.0
-    svgo: 1.3.0
-  checksum: a39f487a5eb5b3af2bed055d0da494f1cdc5670e20892901b702e7bbe60407f76e96f2ebd3c73bf1effb4d8411097628552ce628dc5c529a9660898811cf4d74
-  languageName: node
-  linkType: hard
-
-"broccoli-templater@npm:^2.0.1":
-  version: 2.0.2
-  resolution: "broccoli-templater@npm:2.0.2"
-  dependencies:
-    broccoli-plugin: ^1.3.1
-    fs-tree-diff: ^0.5.9
-    lodash.template: ^4.4.0
-    rimraf: ^2.6.2
-    walk-sync: ^0.3.3
-  checksum: 802e1e357dc4522b5f157dff2ab3b9b132b07639fffd3249f2ad22792f1eb225e86b7624c3a45af5b1063628049d16a53d6bf37358fe4c4b54bad6a776b503c3
-  languageName: node
-  linkType: hard
-
-"broccoli-terser-sourcemap@npm:^4.1.0":
-  version: 4.1.0
-  resolution: "broccoli-terser-sourcemap@npm:4.1.0"
-  dependencies:
-    async-promise-queue: ^1.0.5
-    broccoli-plugin: ^4.0.3
-    debug: ^4.1.0
-    lodash.defaultsdeep: ^4.6.1
-    matcher-collection: ^2.0.1
-    source-map-url: ^0.4.0
-    symlink-or-copy: ^1.3.1
-    terser: ^5.3.0
-    walk-sync: ^2.2.0
-    workerpool: ^6.0.0
-  checksum: 5251dd242487d92164f0453e618d67e92700892b282c99e6b7944295edce338b005edcb46e8da4e95d8d5771637c1e289c5c22abb979c2460bc4f9a1179944fe
-  languageName: node
-  linkType: hard
-
-"broccoli-test-helper@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "broccoli-test-helper@npm:2.0.0"
-  dependencies:
-    "@types/tmp": ^0.0.33
-    broccoli: ^2.0.0
-    fixturify: ^0.3.2
-    fs-tree-diff: ^0.5.9
-    tmp: ^0.0.33
-    walk-sync: ^0.3.3
-  checksum: 1f3806c458f653b09936e901405b1393497f6112c0a1b5e8d150c810edfc75a8aa46ba463ec68a70033d225e497b1dbfe8f4b26d948276c9a1f12304fea99571
-  languageName: node
-  linkType: hard
-
-"broccoli-uglify-sourcemap@npm:^3.2.0":
-  version: 3.2.0
-  resolution: "broccoli-uglify-sourcemap@npm:3.2.0"
-  dependencies:
-    async-promise-queue: ^1.0.5
-    broccoli-plugin: ^1.2.1
-    debug: ^4.1.0
-    lodash.defaultsdeep: ^4.6.1
-    matcher-collection: ^2.0.0
-    mkdirp: ^0.5.0
-    source-map-url: ^0.4.0
-    symlink-or-copy: ^1.0.1
-    terser: ^4.3.9
-    walk-sync: ^1.1.3
-    workerpool: ^5.0.1
-  checksum: be2c06a4ee14a78c8fbb0afea00ede69c63933b34d38c855454e27b344fa02b03888cb5e2a15ddd344d3dec420145cfec94ddab3d4a3c957d6f67e5ebee8577d
-  languageName: node
-  linkType: hard
-
-"broccoli@npm:^2.0.0":
-  version: 2.3.0
-  resolution: "broccoli@npm:2.3.0"
-  dependencies:
-    broccoli-node-info: 1.1.0
-    broccoli-slow-trees: ^3.0.1
-    broccoli-source: ^1.1.0
-    commander: ^2.15.1
-    connect: ^3.6.6
-    esm: ^3.2.4
-    findup-sync: ^2.0.0
-    handlebars: ^4.0.11
-    heimdalljs: ^0.2.6
-    heimdalljs-logger: ^0.1.9
-    mime-types: ^2.1.19
-    promise.prototype.finally: ^3.1.0
-    resolve-path: ^1.4.0
-    rimraf: ^2.6.2
-    sane: ^4.0.0
-    tmp: 0.0.33
-    tree-sync: ^1.2.2
-    underscore.string: ^3.2.2
-    watch-detector: ^0.1.0
-  checksum: 34117904ae15bacd9780960b972f3549bad821aca9dc649cbc8e98bf3a89073d55c39f24d27a00303ce0be0e834315113667d7e117315a473b2fee4449b35634
-  languageName: node
-  linkType: hard
-
-"broccoli@npm:^3.5.2":
-  version: 3.5.2
-  resolution: "broccoli@npm:3.5.2"
-  dependencies:
-    "@types/chai": ^4.2.9
-    "@types/chai-as-promised": ^7.1.2
-    "@types/express": ^4.17.2
-    ansi-html: ^0.0.7
-    broccoli-node-info: ^2.1.0
-    broccoli-slow-trees: ^3.0.1
-    broccoli-source: ^3.0.0
-    commander: ^4.1.1
-    connect: ^3.6.6
-    console-ui: ^3.0.4
-    esm: ^3.2.4
-    findup-sync: ^4.0.0
-    handlebars: ^4.7.3
-    heimdalljs: ^0.2.6
-    heimdalljs-logger: ^0.1.9
-    https: ^1.0.0
-    mime-types: ^2.1.26
-    resolve-path: ^1.4.0
-    rimraf: ^3.0.2
-    sane: ^4.0.0
-    tmp: ^0.0.33
-    tree-sync: ^2.0.0
-    underscore.string: ^3.2.2
-    watch-detector: ^1.0.0
-  checksum: 765fa5c409d0d14a7429472989f311b51c46fb15b0fa0a8eb8b9be8cb3b957bf253172d61fd3c202597db573d40f8b5c7557e8416a93b6c99ce0b46962d46ccd
-  languageName: node
-  linkType: hard
-
-"brorand@npm:^1.0.1, brorand@npm:^1.1.0":
-  version: 1.1.0
-  resolution: "brorand@npm:1.1.0"
-  checksum: 8a05c9f3c4b46572dec6ef71012b1946db6cae8c7bb60ccd4b7dd5a84655db49fe043ecc6272e7ef1f69dc53d6730b9e2a3a03a8310509a3d797a618cbee52be
-  languageName: node
-  linkType: hard
-
-"browser-process-hrtime@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "browser-process-hrtime@npm:1.0.0"
-  checksum: e30f868cdb770b1201afb714ad1575dd86366b6e861900884665fb627109b3cc757c40067d3bfee1ff2a29c835257ea30725a8018a9afd02ac1c24b408b1e45f
-  languageName: node
-  linkType: hard
-
-"browserify-aes@npm:^1.0.0, browserify-aes@npm:^1.0.4":
-  version: 1.2.0
-  resolution: "browserify-aes@npm:1.2.0"
-  dependencies:
-    buffer-xor: ^1.0.3
-    cipher-base: ^1.0.0
-    create-hash: ^1.1.0
-    evp_bytestokey: ^1.0.3
-    inherits: ^2.0.1
-    safe-buffer: ^5.0.1
-  checksum: 4a17c3eb55a2aa61c934c286f34921933086bf6d67f02d4adb09fcc6f2fc93977b47d9d884c25619144fccd47b3b3a399e1ad8b3ff5a346be47270114bcf7104
-  languageName: node
-  linkType: hard
-
-"browserify-cipher@npm:^1.0.0":
-  version: 1.0.1
-  resolution: "browserify-cipher@npm:1.0.1"
-  dependencies:
-    browserify-aes: ^1.0.4
-    browserify-des: ^1.0.0
-    evp_bytestokey: ^1.0.0
-  checksum: 2d8500acf1ee535e6bebe808f7a20e4c3a9e2ed1a6885fff1facbfd201ac013ef030422bec65ca9ece8ffe82b03ca580421463f9c45af6c8415fd629f4118c13
-  languageName: node
-  linkType: hard
-
-"browserify-des@npm:^1.0.0":
-  version: 1.0.2
-  resolution: "browserify-des@npm:1.0.2"
-  dependencies:
-    cipher-base: ^1.0.1
-    des.js: ^1.0.0
-    inherits: ^2.0.1
-    safe-buffer: ^5.1.2
-  checksum: b15a3e358a1d78a3b62ddc06c845d02afde6fc826dab23f1b9c016e643e7b1fda41de628d2110b712f6a44fb10cbc1800bc6872a03ddd363fb50768e010395b7
-  languageName: node
-  linkType: hard
-
-"browserify-rsa@npm:^4.0.0, browserify-rsa@npm:^4.0.1":
-  version: 4.1.0
-  resolution: "browserify-rsa@npm:4.1.0"
-  dependencies:
-    bn.js: ^5.0.0
-    randombytes: ^2.0.1
-  checksum: 155f0c135873efc85620571a33d884aa8810e40176125ad424ec9d85016ff105a07f6231650914a760cca66f29af0494087947b7be34880dd4599a0cd3c38e54
-  languageName: node
-  linkType: hard
-
-"browserify-sign@npm:^4.0.0":
-  version: 4.2.1
-  resolution: "browserify-sign@npm:4.2.1"
-  dependencies:
-    bn.js: ^5.1.1
-    browserify-rsa: ^4.0.1
-    create-hash: ^1.2.0
-    create-hmac: ^1.1.7
-    elliptic: ^6.5.3
-    inherits: ^2.0.4
-    parse-asn1: ^5.1.5
-    readable-stream: ^3.6.0
-    safe-buffer: ^5.2.0
-  checksum: 0221f190e3f5b2d40183fa51621be7e838d9caa329fe1ba773406b7637855f37b30f5d83e52ff8f244ed12ffe6278dd9983638609ed88c841ce547e603855707
-  languageName: node
-  linkType: hard
-
-"browserify-zlib@npm:^0.2.0":
-  version: 0.2.0
-  resolution: "browserify-zlib@npm:0.2.0"
-  dependencies:
-    pako: ~1.0.5
-  checksum: 5cd9d6a665190fedb4a97dfbad8dabc8698d8a507298a03f42c734e96d58ca35d3c7d4085e283440bbca1cd1938cff85031728079bedb3345310c58ab1ec92d6
-  languageName: node
-  linkType: hard
-
-"browserslist@npm:^2.11.3":
-  version: 2.11.3
-  resolution: "browserslist@npm:2.11.3"
-  dependencies:
-    caniuse-lite: ^1.0.30000792
-    electron-to-chromium: ^1.3.30
-  bin:
-    browserslist: ./cli.js
-  checksum: 2ff908162669461e881bad516885b703fd594a0b7a139bf150c1952a74fe4ed8668ac46367a0d136d39a717de65e51c867316951e9fe0f92664c65b205eb9d93
-  languageName: node
-  linkType: hard
-
-"browserslist@npm:^3.2.6":
-  version: 3.2.8
-  resolution: "browserslist@npm:3.2.8"
-  dependencies:
-    caniuse-lite: ^1.0.30000844
-    electron-to-chromium: ^1.3.47
-  bin:
-    browserslist: ./cli.js
-  checksum: 74d9ab1089a3813f54a7c4f9f6612faa6256799c8e42c7e00e4aae626c17f199049a01707a525a05b1673cd1493936583e51aad295e25249166e7e8fbd0273ba
-  languageName: node
-  linkType: hard
-
-"browserslist@npm:^4.0.0":
-  version: 4.16.6
-  resolution: "browserslist@npm:4.16.6"
-  dependencies:
-    caniuse-lite: ^1.0.30001219
-    colorette: ^1.2.2
-    electron-to-chromium: ^1.3.723
-    escalade: ^3.1.1
-    node-releases: ^1.1.71
-  bin:
-    browserslist: cli.js
-  checksum: 3dffc86892d2dcfcfc66b52519b7e5698ae070b4fc92ab047e760efc4cae0474e9e70bbe10d769c8d3491b655ef3a2a885b88e7196c83cc5dc0a46dfdba8b70c
-  languageName: node
-  linkType: hard
-
-"browserslist@npm:^4.14.5, browserslist@npm:^4.16.8, browserslist@npm:^4.20.2, browserslist@npm:^4.20.3":
-  version: 4.20.4
-  resolution: "browserslist@npm:4.20.4"
-  dependencies:
-    caniuse-lite: ^1.0.30001349
-    electron-to-chromium: ^1.4.147
-    escalade: ^3.1.1
-    node-releases: ^2.0.5
-    picocolors: ^1.0.0
-  bin:
-    browserslist: cli.js
-  checksum: 0e56c42da765524e5c31bc9a1f08afaa8d5dba085071137cf21e56dc78d0cf0283764143df4c7d1c0cd18c3187fc9494e1d93fa0255004f0be493251a28635f9
-  languageName: node
-  linkType: hard
-
-"browserslist@npm:^4.17.3":
-  version: 4.17.3
-  resolution: "browserslist@npm:4.17.3"
-  dependencies:
-    caniuse-lite: ^1.0.30001264
-    electron-to-chromium: ^1.3.857
-    escalade: ^3.1.1
-    node-releases: ^1.1.77
-    picocolors: ^0.2.1
-  bin:
-    browserslist: cli.js
-  checksum: 9295bdff6e054fdbb131275f88d282dddda7e8d54ddc1571b24374d6ba85e6d1f7cb72280543ea44a9726bb5076ded644d943b38cdc5610249699254ca951f46
-  languageName: node
-  linkType: hard
-
-"browserslist@npm:^4.17.5, browserslist@npm:^4.17.6, browserslist@npm:^4.18.1":
-  version: 4.18.1
-  resolution: "browserslist@npm:4.18.1"
-  dependencies:
-    caniuse-lite: ^1.0.30001280
-    electron-to-chromium: ^1.3.896
-    escalade: ^3.1.1
-    node-releases: ^2.0.1
-    picocolors: ^1.0.0
-  bin:
-    browserslist: cli.js
-  checksum: ae58322deef15960fc2e601d71bc081b571cfab6705999a3d24db5325b9cfadf5f676615f4460207a93e600549c33d60d37b4502007fe9e737b3cc19e20575d5
-  languageName: node
-  linkType: hard
-
-"browserslist@npm:^4.19.1":
-  version: 4.20.2
-  resolution: "browserslist@npm:4.20.2"
-  dependencies:
-    caniuse-lite: ^1.0.30001317
-    electron-to-chromium: ^1.4.84
-    escalade: ^3.1.1
-    node-releases: ^2.0.2
-    picocolors: ^1.0.0
-  bin:
-    browserslist: cli.js
-  checksum: 18e09beeae32e69fea45fc3642240fb63027b1460d90e24da86377177dca3d82c80f8fa44469d95109e3962f08eb2a23e03037bd5e1f1ec38e4866e2a8572435
-  languageName: node
-  linkType: hard
-
-"browserslist@npm:^4.21.9":
-  version: 4.21.9
-  resolution: "browserslist@npm:4.21.9"
-  dependencies:
-    caniuse-lite: ^1.0.30001503
-    electron-to-chromium: ^1.4.431
-    node-releases: ^2.0.12
-    update-browserslist-db: ^1.0.11
-  bin:
-    browserslist: cli.js
-  checksum: 80d3820584e211484ad1b1a5cfdeca1dd00442f47be87e117e1dda34b628c87e18b81ae7986fa5977b3e6a03154f6d13cd763baa6b8bf5dd9dd19f4926603698
-  languageName: node
-  linkType: hard
-
-"bser@npm:2.1.1":
-  version: 2.1.1
-  resolution: "bser@npm:2.1.1"
-  dependencies:
-    node-int64: ^0.4.0
-  checksum: 9ba4dc58ce86300c862bffc3ae91f00b2a03b01ee07f3564beeeaf82aa243b8b03ba53f123b0b842c190d4399b94697970c8e7cf7b1ea44b61aa28c3526a4449
-  languageName: node
-  linkType: hard
-
-"buffer-from@npm:^1.0.0":
-  version: 1.1.1
-  resolution: "buffer-from@npm:1.1.1"
-  checksum: ccc53b69736008bff764497367c4d24879ba7122bc619ee499ff47eef3a5b885ca496e87272e7ebffa0bec3804c83f84041c616f6e3318f40624e27c1d80f045
-  languageName: node
-  linkType: hard
-
-"buffer-xor@npm:^1.0.3":
-  version: 1.0.3
-  resolution: "buffer-xor@npm:1.0.3"
-  checksum: 10c520df29d62fa6e785e2800e586a20fc4f6dfad84bcdbd12e1e8a83856de1cb75c7ebd7abe6d036bbfab738a6cf18a3ae9c8e5a2e2eb3167ca7399ce65373a
-  languageName: node
-  linkType: hard
-
-"buffer@npm:^4.3.0":
-  version: 4.9.2
-  resolution: "buffer@npm:4.9.2"
-  dependencies:
-    base64-js: ^1.0.2
-    ieee754: ^1.1.4
-    isarray: ^1.0.0
-  checksum: 8801bc1ba08539f3be70eee307a8b9db3d40f6afbfd3cf623ab7ef41dffff1d0a31de0addbe1e66e0ca5f7193eeb667bfb1ecad3647f8f1b0750de07c13295c3
-  languageName: node
-  linkType: hard
-
-"buffer@npm:^5.5.0":
-  version: 5.7.1
-  resolution: "buffer@npm:5.7.1"
-  dependencies:
-    base64-js: ^1.3.1
-    ieee754: ^1.1.13
-  checksum: e2cf8429e1c4c7b8cbd30834ac09bd61da46ce35f5c22a78e6c2f04497d6d25541b16881e30a019c6fd3154150650ccee27a308eff3e26229d788bbdeb08ab84
-  languageName: node
-  linkType: hard
-
-"builtin-status-codes@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "builtin-status-codes@npm:3.0.0"
-  checksum: 1119429cf4b0d57bf76b248ad6f529167d343156ebbcc4d4e4ad600484f6bc63002595cbb61b67ad03ce55cd1d3c4711c03bbf198bf24653b8392420482f3773
-  languageName: node
-  linkType: hard
-
-"builtins@npm:^5.0.0, builtins@npm:^5.0.1":
-  version: 5.0.1
-  resolution: "builtins@npm:5.0.1"
-  dependencies:
-    semver: ^7.0.0
-  checksum: 66d204657fe36522822a95b288943ad11b58f5eaede235b11d8c4edaa28ce4800087d44a2681524c340494aadb120a0068011acabe99d30e8f11a7d826d83515
-  languageName: node
-  linkType: hard
-
-"bytes@npm:1":
-  version: 1.0.0
-  resolution: "bytes@npm:1.0.0"
-  checksum: 6e475440d7e32971611d2bc592695fee484ee91ca1cd49f99c855560131f71670d3d185210f6cdd1704f12281f0cfcee5cb1c1f6788cb2f676b410464b7d6885
-  languageName: node
-  linkType: hard
-
-"bytes@npm:3.0.0":
-  version: 3.0.0
-  resolution: "bytes@npm:3.0.0"
-  checksum: a2b386dd8188849a5325f58eef69c3b73c51801c08ffc6963eddc9be244089ba32d19347caf6d145c86f315ae1b1fc7061a32b0c1aa6379e6a719090287ed101
-  languageName: node
-  linkType: hard
-
-"bytes@npm:3.1.0":
-  version: 3.1.0
-  resolution: "bytes@npm:3.1.0"
-  checksum: 7c3b21c5d9d44ed455460d5d36a31abc6fa2ce3807964ba60a4b03fd44454c8cf07bb0585af83bfde1c5cc2ea4bbe5897bc3d18cd15e0acf25a3615a35aba2df
-  languageName: node
-  linkType: hard
-
-"bytes@npm:3.1.2":
-  version: 3.1.2
-  resolution: "bytes@npm:3.1.2"
-  checksum: e4bcd3948d289c5127591fbedf10c0b639ccbf00243504e4e127374a15c3bc8eed0d28d4aaab08ff6f1cf2abc0cce6ba3085ed32f4f90e82a5683ce0014e1b6e
-  languageName: node
-  linkType: hard
-
-"bytestreamjs@npm:^1.0.29":
-  version: 1.0.29
-  resolution: "bytestreamjs@npm:1.0.29"
-  checksum: 0fd5e74ad0c6694e53f5fcf303f2124c128e4f837249e4361be8c3e022208558a27c353b03b3157a9d1ff15455e09041faa1134e03bcc914bbe6816eafc0362b
-  languageName: node
-  linkType: hard
-
-"cacache@npm:^12.0.2":
-  version: 12.0.4
-  resolution: "cacache@npm:12.0.4"
-  dependencies:
-    bluebird: ^3.5.5
-    chownr: ^1.1.1
-    figgy-pudding: ^3.5.1
-    glob: ^7.1.4
-    graceful-fs: ^4.1.15
-    infer-owner: ^1.0.3
-    lru-cache: ^5.1.1
-    mississippi: ^3.0.0
-    mkdirp: ^0.5.1
-    move-concurrently: ^1.0.1
-    promise-inflight: ^1.0.1
-    rimraf: ^2.6.3
-    ssri: ^6.0.1
-    unique-filename: ^1.1.1
-    y18n: ^4.0.0
-  checksum: c88a72f36939b2523533946ffb27828443db5bf5995d761b35ae17af1eb6c8e20ac55b00b74c2ca900b2e1e917f0afba6847bf8cc16bee05ccca6aa150e0830c
-  languageName: node
-  linkType: hard
-
-"cacache@npm:^16.1.0":
-  version: 16.1.3
-  resolution: "cacache@npm:16.1.3"
-  dependencies:
-    "@npmcli/fs": ^2.1.0
-    "@npmcli/move-file": ^2.0.0
-    chownr: ^2.0.0
-    fs-minipass: ^2.1.0
-    glob: ^8.0.1
-    infer-owner: ^1.0.4
-    lru-cache: ^7.7.1
-    minipass: ^3.1.6
-    minipass-collect: ^1.0.2
-    minipass-flush: ^1.0.5
-    minipass-pipeline: ^1.2.4
-    mkdirp: ^1.0.4
-    p-map: ^4.0.0
-    promise-inflight: ^1.0.1
-    rimraf: ^3.0.2
-    ssri: ^9.0.0
-    tar: ^6.1.11
-    unique-filename: ^2.0.0
-  checksum: d91409e6e57d7d9a3a25e5dcc589c84e75b178ae8ea7de05cbf6b783f77a5fae938f6e8fda6f5257ed70000be27a681e1e44829251bfffe4c10216002f8f14e6
-  languageName: node
-  linkType: hard
-
-"cache-base@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "cache-base@npm:1.0.1"
-  dependencies:
-    collection-visit: ^1.0.0
-    component-emitter: ^1.2.1
-    get-value: ^2.0.6
-    has-value: ^1.0.0
-    isobject: ^3.0.1
-    set-value: ^2.0.0
-    to-object-path: ^0.3.0
-    union-value: ^1.0.0
-    unset-value: ^1.0.0
-  checksum: 9114b8654fe2366eedc390bad0bcf534e2f01b239a888894e2928cb58cdc1e6ea23a73c6f3450dcfd2058aa73a8a981e723cd1e7c670c047bf11afdc65880107
-  languageName: node
-  linkType: hard
-
-"calculate-cache-key-for-tree@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "calculate-cache-key-for-tree@npm:2.0.0"
-  dependencies:
-    json-stable-stringify: ^1.0.1
-  checksum: 8b7434417be8ba7efad7b783d0e31d757ff26e1edb7586ccd829347cc7860b738c1595194f7cc63b1b23975c07845d53023ded6a160d22e27898f695d2cf3c63
-  languageName: node
-  linkType: hard
-
-"call-bind@npm:^1.0.0, call-bind@npm:^1.0.2":
-  version: 1.0.2
-  resolution: "call-bind@npm:1.0.2"
-  dependencies:
-    function-bind: ^1.1.1
-    get-intrinsic: ^1.0.2
-  checksum: f8e31de9d19988a4b80f3e704788c4a2d6b6f3d17cfec4f57dc29ced450c53a49270dc66bf0fbd693329ee948dd33e6c90a329519aef17474a4d961e8d6426b0
-  languageName: node
-  linkType: hard
-
-"callsite@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "callsite@npm:1.0.0"
-  checksum: 569686d622a288a4f0a827466c2f967b6d7a98f2ee1e6ada9dcf5a6802267a5e2a995d40f07113b5f95c7b2b2d5cbff4fdde590195f2a8bed24b829d048688f8
-  languageName: node
-  linkType: hard
-
-"callsites@npm:^3.0.0, callsites@npm:^3.1.0":
-  version: 3.1.0
-  resolution: "callsites@npm:3.1.0"
-  checksum: 072d17b6abb459c2ba96598918b55868af677154bec7e73d222ef95a8fdb9bbf7dae96a8421085cdad8cd190d86653b5b6dc55a4484f2e5b2e27d5e0c3fc15b3
-  languageName: node
-  linkType: hard
-
-"camelcase-keys@npm:^7.0.0, camelcase-keys@npm:^7.0.2":
-  version: 7.0.2
-  resolution: "camelcase-keys@npm:7.0.2"
-  dependencies:
-    camelcase: ^6.3.0
-    map-obj: ^4.1.0
-    quick-lru: ^5.1.1
-    type-fest: ^1.2.1
-  checksum: b5821cc48dd00e8398a30c5d6547f06837ab44de123f1b3a603d0a03399722b2fc67a485a7e47106eb02ef543c3b50c5ebaabc1242cde4b63a267c3258d2365b
-  languageName: node
-  linkType: hard
-
-"camelcase@npm:^5.0.0":
-  version: 5.3.1
-  resolution: "camelcase@npm:5.3.1"
-  checksum: e6effce26b9404e3c0f301498184f243811c30dfe6d0b9051863bd8e4034d09c8c2923794f280d6827e5aa055f6c434115ff97864a16a963366fb35fd673024b
-  languageName: node
-  linkType: hard
-
-"camelcase@npm:^6.3.0":
-  version: 6.3.0
-  resolution: "camelcase@npm:6.3.0"
-  checksum: 8c96818a9076434998511251dcb2761a94817ea17dbdc37f47ac080bd088fc62c7369429a19e2178b993497132c8cbcf5cc1f44ba963e76782ba469c0474938d
-  languageName: node
-  linkType: hard
-
-"can-symlink@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "can-symlink@npm:1.0.0"
-  dependencies:
-    tmp: 0.0.28
-  bin:
-    can-symlink: ./can-symlink.js
-  checksum: 02bc43799685ab0fe42af8a7b697ef3918baaf77b1fff0417392b933cfb6bddb8cf93b3afd83983bea21922c9312c6047a58718f5a30d1232ce09540b52f78a4
-  languageName: node
-  linkType: hard
-
-"caniuse-api@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "caniuse-api@npm:3.0.0"
-  dependencies:
-    browserslist: ^4.0.0
-    caniuse-lite: ^1.0.0
-    lodash.memoize: ^4.1.2
-    lodash.uniq: ^4.5.0
-  checksum: db2a229383b20d0529b6b589dde99d7b6cb56ba371366f58cbbfa2929c9f42c01f873e2b6ef641d4eda9f0b4118de77dbb2805814670bdad4234bf08e720b0b4
-  languageName: node
-  linkType: hard
-
-"caniuse-lite@npm:^1.0.0, caniuse-lite@npm:^1.0.30000792, caniuse-lite@npm:^1.0.30000805, caniuse-lite@npm:^1.0.30001219, caniuse-lite@npm:^1.0.30001264, caniuse-lite@npm:^1.0.30001280, caniuse-lite@npm:^1.0.30001304, caniuse-lite@npm:^1.0.30001317, caniuse-lite@npm:^1.0.30001349":
-  version: 1.0.30001487
-  resolution: "caniuse-lite@npm:1.0.30001487"
-  checksum: b5a9e72ec165765fb3e07913cc389685ce8a30ac48967f99baec773a4353d2037fb534241e87b3c95d40a5081079be2263710b784883183bb2998b73f7202233
-  languageName: node
-  linkType: hard
-
-"caniuse-lite@npm:^1.0.30000844, caniuse-lite@npm:^1.0.30001503":
-  version: 1.0.30001516
-  resolution: "caniuse-lite@npm:1.0.30001516"
-  checksum: 044adf3493b734a356a2922445a30095a0f6de6b9194695cdf74deafe7bef658e85858a31177762c2813f6e1ed2722d832d59eee0ecb2151e93a611ee18cb21f
-  languageName: node
-  linkType: hard
-
-"capture-exit@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "capture-exit@npm:2.0.0"
-  dependencies:
-    rsvp: ^4.8.4
-  checksum: 0b9f10daca09e521da9599f34c8e7af14ad879c336e2bdeb19955b375398ae1c5bcc91ac9f2429944343057ee9ed028b1b2fb28816c384e0e55d70c439b226f4
-  languageName: node
-  linkType: hard
-
-"cardinal@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "cardinal@npm:1.0.0"
-  dependencies:
-    ansicolors: ~0.2.1
-    redeyed: ~1.0.0
-  bin:
-    cdl: ./bin/cdl.js
-  checksum: c77852b228c2be38cfa66b43ec3bfaee021954f621328def00e2fba364160bbbafadbad560485da29d6deb87042268d7a23f91a460058308a14c5d18a329ab57
-  languageName: node
-  linkType: hard
-
-"caseless@npm:~0.12.0":
-  version: 0.12.0
-  resolution: "caseless@npm:0.12.0"
-  checksum: b43bd4c440aa1e8ee6baefee8063b4850fd0d7b378f6aabc796c9ec8cb26d27fb30b46885350777d9bd079c5256c0e1329ad0dc7c2817e0bb466810ebb353751
-  languageName: node
-  linkType: hard
-
-"ccount@npm:^1.0.0":
-  version: 1.1.0
-  resolution: "ccount@npm:1.1.0"
-  checksum: b335a79d0aa4308919cf7507babcfa04ac63d389ebed49dbf26990d4607c8a4713cde93cc83e707d84571ddfe1e7615dad248be9bc422ae4c188210f71b08b78
-  languageName: node
-  linkType: hard
-
-"ceibo@npm:~2.0.0":
-  version: 2.0.0
-  resolution: "ceibo@npm:2.0.0"
-  checksum: 5b61580221b8b145442b5076fe2d9389104899e712dce21bfabe907276e86cfc36f8aae68a4af592300db6eeedc53e885019475f0ffb41cf9c9217f500d9c9cf
-  languageName: node
-  linkType: hard
-
-"chalk@npm:^1.0.0, chalk@npm:^1.1.3":
-  version: 1.1.3
-  resolution: "chalk@npm:1.1.3"
-  dependencies:
-    ansi-styles: ^2.2.1
-    escape-string-regexp: ^1.0.2
-    has-ansi: ^2.0.0
-    strip-ansi: ^3.0.0
-    supports-color: ^2.0.0
-  checksum: 9d2ea6b98fc2b7878829eec223abcf404622db6c48396a9b9257f6d0ead2acf18231ae368d6a664a83f272b0679158da12e97b5229f794939e555cc574478acd
-  languageName: node
-  linkType: hard
-
-"chalk@npm:^2.0.0, chalk@npm:^2.0.1, chalk@npm:^2.1.0, chalk@npm:^2.3.0, chalk@npm:^2.4.1, chalk@npm:^2.4.2":
-  version: 2.4.2
-  resolution: "chalk@npm:2.4.2"
-  dependencies:
-    ansi-styles: ^3.2.1
-    escape-string-regexp: ^1.0.5
-    supports-color: ^5.3.0
-  checksum: ec3661d38fe77f681200f878edbd9448821924e0f93a9cefc0e26a33b145f1027a2084bf19967160d11e1f03bfe4eaffcabf5493b89098b2782c3fe0b03d80c2
-  languageName: node
-  linkType: hard
-
-"chalk@npm:^4.0.0, chalk@npm:^4.1.0, chalk@npm:^4.1.1":
-  version: 4.1.1
-  resolution: "chalk@npm:4.1.1"
-  dependencies:
-    ansi-styles: ^4.1.0
-    supports-color: ^7.1.0
-  checksum: 036e973e665ba1a32c975e291d5f3d549bceeb7b1b983320d4598fb75d70fe20c5db5d62971ec0fe76cdbce83985a00ee42372416abfc3a5584465005a7855ed
-  languageName: node
-  linkType: hard
-
-"chalk@npm:^4.1.2":
-  version: 4.1.2
-  resolution: "chalk@npm:4.1.2"
-  dependencies:
-    ansi-styles: ^4.1.0
-    supports-color: ^7.1.0
-  checksum: fe75c9d5c76a7a98d45495b91b2172fa3b7a09e0cc9370e5c8feb1c567b85c4288e2b3fded7cfdd7359ac28d6b3844feb8b82b8686842e93d23c827c417e83fc
-  languageName: node
-  linkType: hard
-
-"chalk@npm:^5.2.0":
-  version: 5.3.0
-  resolution: "chalk@npm:5.3.0"
-  checksum: 623922e077b7d1e9dedaea6f8b9e9352921f8ae3afe739132e0e00c275971bdd331268183b2628cf4ab1727c45ea1f28d7e24ac23ce1db1eb653c414ca8a5a80
-  languageName: node
-  linkType: hard
-
-"chalk@npm:~0.4.0":
-  version: 0.4.0
-  resolution: "chalk@npm:0.4.0"
-  dependencies:
-    ansi-styles: ~1.0.0
-    has-color: ~0.1.0
-    strip-ansi: ~0.1.0
-  checksum: e8f04f387b9fbf746fdce4b61a633f8a0d28224d8b022603db0f2d137471a18c5bc0bc33b243df09c361688f12bd3ab8a9dd1f8b4450d5a361bfe83aadbde739
-  languageName: node
-  linkType: hard
-
-"character-entities-legacy@npm:^1.0.0":
-  version: 1.1.4
-  resolution: "character-entities-legacy@npm:1.1.4"
-  checksum: fe03a82c154414da3a0c8ab3188e4237ec68006cbcd681cf23c7cfb9502a0e76cd30ab69a2e50857ca10d984d57de3b307680fff5328ccd427f400e559c3a811
-  languageName: node
-  linkType: hard
-
-"character-entities@npm:^1.0.0":
-  version: 1.2.4
-  resolution: "character-entities@npm:1.2.4"
-  checksum: e1545716571ead57beac008433c1ff69517cd8ca5b336889321c5b8ff4a99c29b65589a701e9c086cda8a5e346a67295e2684f6c7ea96819fe85cbf49bf8686d
-  languageName: node
-  linkType: hard
-
-"character-reference-invalid@npm:^1.0.0":
-  version: 1.1.4
-  resolution: "character-reference-invalid@npm:1.1.4"
-  checksum: 20274574c70e05e2f81135f3b93285536bc8ff70f37f0809b0d17791a832838f1e49938382899ed4cb444e5bbd4314ca1415231344ba29f4222ce2ccf24fea0b
-  languageName: node
-  linkType: hard
-
-"charcodes@npm:^0.2.0":
-  version: 0.2.0
-  resolution: "charcodes@npm:0.2.0"
-  checksum: 972443ed359d54382e721b9db0a298eb95c4c454386f7e98886586f433e1e6686225416114e6f6bb2e6ef3facc9ba3b4ab9946a56a180fe64ef67816a05d4fe4
-  languageName: node
-  linkType: hard
-
-"chardet@npm:^0.7.0":
-  version: 0.7.0
-  resolution: "chardet@npm:0.7.0"
-  checksum: 6fd5da1f5d18ff5712c1e0aed41da200d7c51c28f11b36ee3c7b483f3696dabc08927fc6b227735eb8f0e1215c9a8abd8154637f3eff8cada5959df7f58b024d
-  languageName: node
-  linkType: hard
-
-"charm@npm:^1.0.0":
-  version: 1.0.2
-  resolution: "charm@npm:1.0.2"
-  dependencies:
-    inherits: ^2.0.1
-  checksum: 767e4ea65014c3a93ed6943d230150b80bea8842b3a19890a30a477f47c8dfb68687d754f5a538bd628fc3a0a6b84c4986c9c3f9c541c4956239d8d280472614
-  languageName: node
-  linkType: hard
-
-"cheerio-select@npm:^2.1.0":
-  version: 2.1.0
-  resolution: "cheerio-select@npm:2.1.0"
-  dependencies:
-    boolbase: ^1.0.0
-    css-select: ^5.1.0
-    css-what: ^6.1.0
-    domelementtype: ^2.3.0
-    domhandler: ^5.0.3
-    domutils: ^3.0.1
-  checksum: 843d6d479922f28a6c5342c935aff1347491156814de63c585a6eb73baf7bb4185c1b4383a1195dca0f12e3946d737c7763bcef0b9544c515d905c5c44c5308b
-  languageName: node
-  linkType: hard
-
-"cheerio@npm:^1.0.0-rc.12":
-  version: 1.0.0-rc.12
-  resolution: "cheerio@npm:1.0.0-rc.12"
-  dependencies:
-    cheerio-select: ^2.1.0
-    dom-serializer: ^2.0.0
-    domhandler: ^5.0.3
-    domutils: ^3.0.1
-    htmlparser2: ^8.0.1
-    parse5: ^7.0.0
-    parse5-htmlparser2-tree-adapter: ^7.0.0
-  checksum: 5d4c1b7a53cf22d3a2eddc0aff70cf23cbb30d01a4c79013e703a012475c02461aa1fcd99127e8d83a02216386ed6942b2c8103845fd0812300dd199e6e7e054
-  languageName: node
-  linkType: hard
-
-"chokidar@npm:>=3.0.0 <4.0.0":
-  version: 3.5.3
-  resolution: "chokidar@npm:3.5.3"
-  dependencies:
-    anymatch: ~3.1.2
-    braces: ~3.0.2
-    fsevents: ~2.3.2
-    glob-parent: ~5.1.2
-    is-binary-path: ~2.1.0
-    is-glob: ~4.0.1
-    normalize-path: ~3.0.0
-    readdirp: ~3.6.0
-  dependenciesMeta:
-    fsevents:
-      optional: true
-  checksum: b49fcde40176ba007ff361b198a2d35df60d9bb2a5aab228279eb810feae9294a6b4649ab15981304447afe1e6ffbf4788ad5db77235dc770ab777c6e771980c
-  languageName: node
-  linkType: hard
-
-"chokidar@npm:^2.1.8":
-  version: 2.1.8
-  resolution: "chokidar@npm:2.1.8"
-  dependencies:
-    anymatch: ^2.0.0
-    async-each: ^1.0.1
-    braces: ^2.3.2
-    fsevents: ^1.2.7
-    glob-parent: ^3.1.0
-    inherits: ^2.0.3
-    is-binary-path: ^1.0.0
-    is-glob: ^4.0.0
-    normalize-path: ^3.0.0
-    path-is-absolute: ^1.0.0
-    readdirp: ^2.2.1
-    upath: ^1.1.1
-  dependenciesMeta:
-    fsevents:
-      optional: true
-  checksum: 0c43e89cbf0268ef1e1f41ce8ec5233c7ba022c6f3282c2ef6530e351d42396d389a1148c5a040f291cf1f4083a4c6b2f51dad3f31c726442ea9a337de316bcf
-  languageName: node
-  linkType: hard
-
-"chokidar@npm:^3.4.1":
-  version: 3.5.1
-  resolution: "chokidar@npm:3.5.1"
-  dependencies:
-    anymatch: ~3.1.1
-    braces: ~3.0.2
-    fsevents: ~2.3.1
-    glob-parent: ~5.1.0
-    is-binary-path: ~2.1.0
-    is-glob: ~4.0.1
-    normalize-path: ~3.0.0
-    readdirp: ~3.5.0
-  dependenciesMeta:
-    fsevents:
-      optional: true
-  checksum: b7774e6e3aeca084d39e8542041555a11452414c744122436101243f89580fad97154ae11525e46bfa816313ae32533e2a88e8587e4d50b14ea716a9e6538978
-  languageName: node
-  linkType: hard
-
-"chownr@npm:^1.1.1":
-  version: 1.1.4
-  resolution: "chownr@npm:1.1.4"
-  checksum: 115648f8eb38bac5e41c3857f3e663f9c39ed6480d1349977c4d96c95a47266fcacc5a5aabf3cb6c481e22d72f41992827db47301851766c4fd77ac21a4f081d
-  languageName: node
-  linkType: hard
-
-"chownr@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "chownr@npm:2.0.0"
-  checksum: c57cf9dd0791e2f18a5ee9c1a299ae6e801ff58fee96dc8bfd0dcb4738a6ce58dd252a3605b1c93c6418fe4f9d5093b28ffbf4d66648cb2a9c67eaef9679be2f
-  languageName: node
-  linkType: hard
-
-"chrome-trace-event@npm:^1.0.2":
-  version: 1.0.3
-  resolution: "chrome-trace-event@npm:1.0.3"
-  checksum: cb8b1fc7e881aaef973bd0c4a43cd353c2ad8323fb471a041e64f7c2dd849cde4aad15f8b753331a32dda45c973f032c8a03b8177fc85d60eaa75e91e08bfb97
-  languageName: node
-  linkType: hard
-
-"ci-info@npm:^3.7.0, ci-info@npm:^3.8.0":
-  version: 3.8.0
-  resolution: "ci-info@npm:3.8.0"
-  checksum: d0a4d3160497cae54294974a7246202244fff031b0a6ea20dd57b10ec510aa17399c41a1b0982142c105f3255aff2173e5c0dd7302ee1b2f28ba3debda375098
-  languageName: node
-  linkType: hard
-
-"cipher-base@npm:^1.0.0, cipher-base@npm:^1.0.1, cipher-base@npm:^1.0.3":
-  version: 1.0.4
-  resolution: "cipher-base@npm:1.0.4"
-  dependencies:
-    inherits: ^2.0.1
-    safe-buffer: ^5.0.1
-  checksum: 47d3568dbc17431a339bad1fe7dff83ac0891be8206911ace3d3b818fc695f376df809bea406e759cdea07fff4b454fa25f1013e648851bec790c1d75763032e
-  languageName: node
-  linkType: hard
-
-"class-utils@npm:^0.3.5":
-  version: 0.3.6
-  resolution: "class-utils@npm:0.3.6"
-  dependencies:
-    arr-union: ^3.1.0
-    define-property: ^0.2.5
-    isobject: ^3.0.0
-    static-extend: ^0.1.1
-  checksum: be108900801e639e50f96a7e4bfa8867c753a7750a7603879f3981f8b0a89cba657497a2d5f40cd4ea557ff15d535a100818bb486baf6e26fe5d7872e75f1078
-  languageName: node
-  linkType: hard
-
-"clean-base-url@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "clean-base-url@npm:1.0.0"
-  checksum: df819e54595b0c04cadfd1a5485216591d4b68d80a3603b657e7e50ac6b34539ef8a6e2100531131d67da325603b26a96a80cfd7c2fc24702ce1db0e1e39dde0
-  languageName: node
-  linkType: hard
-
-"clean-css-promise@npm:^0.1.0":
-  version: 0.1.1
-  resolution: "clean-css-promise@npm:0.1.1"
-  dependencies:
-    array-to-error: ^1.0.0
-    clean-css: ^3.4.5
-    pinkie-promise: ^2.0.0
-  checksum: 5d2a4ad633453c4e6f3d865f7f19f1a821d20985309f914307a87c36c0ef79674ccb24f61195ff45506b50c12b49ec0448581b0f60c31472925d77fc923129ea
-  languageName: node
-  linkType: hard
-
-"clean-css@npm:^3.4.5":
-  version: 3.4.28
-  resolution: "clean-css@npm:3.4.28"
-  dependencies:
-    commander: 2.8.x
-    source-map: 0.4.x
-  bin:
-    cleancss: ./bin/cleancss
-  checksum: eacc573e5ba118aa59bb44a3d188e54d390b7482cad7941559b3865e4946c677afb2deab50bcf8e97592532935f684a53b3abff1d5c55e95e21ded1e93b69132
-  languageName: node
-  linkType: hard
-
-"clean-stack@npm:^2.0.0, clean-stack@npm:^2.2.0":
-  version: 2.2.0
-  resolution: "clean-stack@npm:2.2.0"
-  checksum: 2ac8cd2b2f5ec986a3c743935ec85b07bc174d5421a5efc8017e1f146a1cf5f781ae962618f416352103b32c9cd7e203276e8c28241bbe946160cab16149fb68
-  languageName: node
-  linkType: hard
-
-"clean-up-path@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "clean-up-path@npm:1.0.0"
-  checksum: a4182d6126d897b326b4918e9931c359ae64c7a8fcf2eab4554f9eabf7820c78e3d917b8e0ddb6589837f905ff1b4158a10504664727b0ade67f55815020b41f
-  languageName: node
-  linkType: hard
-
-"cli-cursor@npm:^2.1.0":
-  version: 2.1.0
-  resolution: "cli-cursor@npm:2.1.0"
-  dependencies:
-    restore-cursor: ^2.0.0
-  checksum: d88e97bfdac01046a3ffe7d49f06757b3126559d7e44aa2122637eb179284dc6cd49fca2fac4f67c19faaf7e6dab716b6fe1dfcd309977407d8c7578ec2d044d
-  languageName: node
-  linkType: hard
-
-"cli-cursor@npm:^3.1.0":
-  version: 3.1.0
-  resolution: "cli-cursor@npm:3.1.0"
-  dependencies:
-    restore-cursor: ^3.1.0
-  checksum: 2692784c6cd2fd85cfdbd11f53aea73a463a6d64a77c3e098b2b4697a20443f430c220629e1ca3b195ea5ac4a97a74c2ee411f3807abf6df2b66211fec0c0a29
-  languageName: node
-  linkType: hard
-
-"cli-spinners@npm:^2.0.0, cli-spinners@npm:^2.5.0":
-  version: 2.6.0
-  resolution: "cli-spinners@npm:2.6.0"
-  checksum: bc5d06af9f896e95d0c277e2a5ee0adc5876767decca6b3c22e212934b96033453268cb59be904eccb6d59119e57dbb3fc8ca9bdf5f8476506283b3dd8728748
-  languageName: node
-  linkType: hard
-
-"cli-table@npm:^0.3.1":
-  version: 0.3.6
-  resolution: "cli-table@npm:0.3.6"
-  dependencies:
-    colors: 1.0.3
-  checksum: b0cd08578c810240920438cc2b3ffb4b4f5106b29f3362707f1d8cfc0c0440ad2afb70b96e30ce37f72f0ffe1e844ae7341dde4df17d51ad345eb186a5903af2
-  languageName: node
-  linkType: hard
-
-"cli-truncate@npm:^2.1.0":
-  version: 2.1.0
-  resolution: "cli-truncate@npm:2.1.0"
-  dependencies:
-    slice-ansi: ^3.0.0
-    string-width: ^4.2.0
-  checksum: bf1e4e6195392dc718bf9cd71f317b6300dc4a9191d052f31046b8773230ece4fa09458813bf0e3455a5e68c0690d2ea2c197d14a8b85a7b5e01c97f4b5feb5d
-  languageName: node
-  linkType: hard
-
-"cli-width@npm:^2.0.0":
-  version: 2.2.1
-  resolution: "cli-width@npm:2.2.1"
-  checksum: 3c21b897a2ff551ae5b3c3ab32c866ed2965dcf7fb442f81adf0e27f4a397925c8f84619af7bcc6354821303f6ee9b2aa31d248306174f32c287986158cf4eed
-  languageName: node
-  linkType: hard
-
-"cli-width@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "cli-width@npm:3.0.0"
-  checksum: 4c94af3769367a70e11ed69aa6095f1c600c0ff510f3921ab4045af961820d57c0233acfa8b6396037391f31b4c397e1f614d234294f979ff61430a6c166c3f6
-  languageName: node
-  linkType: hard
-
-"clipboard@npm:^2.0.11":
-  version: 2.0.11
-  resolution: "clipboard@npm:2.0.11"
-  dependencies:
-    good-listener: ^1.2.2
-    select: ^1.1.2
-    tiny-emitter: ^2.0.0
-  checksum: 413055a6038e43898e0e895216b58ed54fbf386f091cb00188875ef35b186cefbd258acdf4cb4b0ac87cbc00de936f41b45dde9fe1fd1a57f7babb28363b8748
-  languageName: node
-  linkType: hard
-
-"cliui@npm:^5.0.0":
-  version: 5.0.0
-  resolution: "cliui@npm:5.0.0"
-  dependencies:
-    string-width: ^3.1.0
-    strip-ansi: ^5.2.0
-    wrap-ansi: ^5.1.0
-  checksum: 0bb8779efe299b8f3002a73619eaa8add4081eb8d1c17bc4fedc6240557fb4eacdc08fe87c39b002eacb6cfc117ce736b362dbfd8bf28d90da800e010ee97df4
-  languageName: node
-  linkType: hard
-
-"cliui@npm:^8.0.1":
-  version: 8.0.1
-  resolution: "cliui@npm:8.0.1"
-  dependencies:
-    string-width: ^4.2.0
-    strip-ansi: ^6.0.1
-    wrap-ansi: ^7.0.0
-  checksum: 79648b3b0045f2e285b76fb2e24e207c6db44323581e421c3acbd0e86454cba1b37aea976ab50195a49e7384b871e6dfb2247ad7dec53c02454ac6497394cb56
-  languageName: node
-  linkType: hard
-
-"clone@npm:^1.0.2":
-  version: 1.0.4
-  resolution: "clone@npm:1.0.4"
-  checksum: d06418b7335897209e77bdd430d04f882189582e67bd1f75a04565f3f07f5b3f119a9d670c943b6697d0afb100f03b866b3b8a1f91d4d02d72c4ecf2bb64b5dd
-  languageName: node
-  linkType: hard
-
-"clone@npm:^2.0.0, clone@npm:^2.1.2":
-  version: 2.1.2
-  resolution: "clone@npm:2.1.2"
-  checksum: aaf106e9bc025b21333e2f4c12da539b568db4925c0501a1bf4070836c9e848c892fa22c35548ce0d1132b08bbbfa17a00144fe58fccdab6fa900fec4250f67d
-  languageName: node
-  linkType: hard
-
-"coa@npm:^2.0.2":
-  version: 2.0.2
-  resolution: "coa@npm:2.0.2"
-  dependencies:
-    "@types/q": ^1.5.1
-    chalk: ^2.4.1
-    q: ^1.1.2
-  checksum: 44736914aac2160d3d840ed64432a90a3bb72285a0cd6a688eb5cabdf15d15a85eee0915b3f6f2a4659d5075817b1cb577340d3c9cbb47d636d59ab69f819552
-  languageName: node
-  linkType: hard
-
-"codemirror@npm:^5.58.2":
-  version: 5.61.0
-  resolution: "codemirror@npm:5.61.0"
-  checksum: d9081d4937fc237c972e12538721b47817a08557a30d692b32e09849977e5d91ca6c8984cdea417cf11a163fdbc3c7139fd66cefc6fcf32047c8cbecd21d2715
-  languageName: node
-  linkType: hard
-
-"collection-visit@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "collection-visit@npm:1.0.0"
-  dependencies:
-    map-visit: ^1.0.0
-    object-visit: ^1.0.0
-  checksum: 15d9658fe6eb23594728346adad5433b86bb7a04fd51bbab337755158722f9313a5376ef479de5b35fbc54140764d0d39de89c339f5d25b959ed221466981da9
-  languageName: node
-  linkType: hard
-
-"color-convert@npm:^1.9.0":
-  version: 1.9.3
-  resolution: "color-convert@npm:1.9.3"
-  dependencies:
-    color-name: 1.1.3
-  checksum: fd7a64a17cde98fb923b1dd05c5f2e6f7aefda1b60d67e8d449f9328b4e53b228a428fd38bfeaeb2db2ff6b6503a776a996150b80cdf224062af08a5c8a3a203
-  languageName: node
-  linkType: hard
-
-"color-convert@npm:^2.0.1":
-  version: 2.0.1
-  resolution: "color-convert@npm:2.0.1"
-  dependencies:
-    color-name: ~1.1.4
-  checksum: 79e6bdb9fd479a205c71d89574fccfb22bd9053bd98c6c4d870d65c132e5e904e6034978e55b43d69fcaa7433af2016ee203ce76eeba9cfa554b373e7f7db336
-  languageName: node
-  linkType: hard
-
-"color-name@npm:1.1.3":
-  version: 1.1.3
-  resolution: "color-name@npm:1.1.3"
-  checksum: 09c5d3e33d2105850153b14466501f2bfb30324a2f76568a408763a3b7433b0e50e5b4ab1947868e65cb101bb7cb75029553f2c333b6d4b8138a73fcc133d69d
-  languageName: node
-  linkType: hard
-
-"color-name@npm:~1.1.4":
-  version: 1.1.4
-  resolution: "color-name@npm:1.1.4"
-  checksum: b0445859521eb4021cd0fb0cc1a75cecf67fceecae89b63f62b201cca8d345baf8b952c966862a9d9a2632987d4f6581f0ec8d957dfacece86f0a7919316f610
-  languageName: node
-  linkType: hard
-
-"color-support@npm:^1.1.3":
-  version: 1.1.3
-  resolution: "color-support@npm:1.1.3"
-  bin:
-    color-support: bin.js
-  checksum: 9b7356817670b9a13a26ca5af1c21615463b500783b739b7634a0c2047c16cef4b2865d7576875c31c3cddf9dd621fa19285e628f20198b233a5cfdda6d0793b
-  languageName: node
-  linkType: hard
-
-"colord@npm:^2.9.3":
-  version: 2.9.3
-  resolution: "colord@npm:2.9.3"
-  checksum: 95d909bfbcfd8d5605cbb5af56f2d1ce2b323990258fd7c0d2eb0e6d3bb177254d7fb8213758db56bb4ede708964f78c6b992b326615f81a18a6aaf11d64c650
-  languageName: node
-  linkType: hard
-
-"colorette@npm:^1.2.2":
-  version: 1.4.0
-  resolution: "colorette@npm:1.4.0"
-  checksum: 01c3c16058b182a4ab4c126a65a75faa4d38a20fa7c845090b25453acec6c371bb2c5dceb0a2338511f17902b9d1a9af0cadd8509c9403894b79311032c256c3
-  languageName: node
-  linkType: hard
-
-"colors@npm:1.0.3":
-  version: 1.0.3
-  resolution: "colors@npm:1.0.3"
-  checksum: 234e8d3ab7e4003851cdd6a1f02eaa16dabc502ee5f4dc576ad7959c64b7477b15bd21177bab4055a4c0a66aa3d919753958030445f87c39a253d73b7a3637f5
-  languageName: node
-  linkType: hard
-
-"colors@npm:^1.4.0":
-  version: 1.4.0
-  resolution: "colors@npm:1.4.0"
-  checksum: 98aa2c2418ad87dedf25d781be69dc5fc5908e279d9d30c34d8b702e586a0474605b3a189511482b9d5ed0d20c867515d22749537f7bc546256c6014f3ebdcec
-  languageName: node
-  linkType: hard
-
-"columnify@npm:^1.5.4":
-  version: 1.5.4
-  resolution: "columnify@npm:1.5.4"
-  dependencies:
-    strip-ansi: ^3.0.0
-    wcwidth: ^1.0.0
-  checksum: f0693937412ec41d387f8ae89ff8cd5811a07ad636f753f0276ba8394fd76c0f610621ebeb379d6adcb30d98696919546dbbf93a28bd4e546efc7e30d905edc2
-  languageName: node
-  linkType: hard
-
-"combined-stream@npm:^1.0.6, combined-stream@npm:~1.0.6":
-  version: 1.0.8
-  resolution: "combined-stream@npm:1.0.8"
-  dependencies:
-    delayed-stream: ~1.0.0
-  checksum: 49fa4aeb4916567e33ea81d088f6584749fc90c7abec76fd516bf1c5aa5c79f3584b5ba3de6b86d26ddd64bae5329c4c7479343250cfe71c75bb366eae53bb7c
-  languageName: node
-  linkType: hard
-
-"commander@npm:2, commander@npm:^2.15.1, commander@npm:^2.20.0, commander@npm:^2.6.0":
-  version: 2.20.3
-  resolution: "commander@npm:2.20.3"
-  checksum: ab8c07884e42c3a8dbc5dd9592c606176c7eb5c1ca5ff274bcf907039b2c41de3626f684ea75ccf4d361ba004bbaff1f577d5384c155f3871e456bdf27becf9e
-  languageName: node
-  linkType: hard
-
-"commander@npm:2.8.x":
-  version: 2.8.1
-  resolution: "commander@npm:2.8.1"
-  dependencies:
-    graceful-readlink: ">= 1.0.0"
-  checksum: 9552028af84683cf2b20397c54fa4dd5b18fb69555e201a8edc3880b344f5aadd8857f777da97ce0c99e50fc133adf356f0299e9958b9b4e95b96c45f0696dfd
-  languageName: node
-  linkType: hard
-
-"commander@npm:7.2.0":
-  version: 7.2.0
-  resolution: "commander@npm:7.2.0"
-  checksum: 53501cbeee61d5157546c0bef0fedb6cdfc763a882136284bed9a07225f09a14b82d2a84e7637edfd1a679fb35ed9502fd58ef1d091e6287f60d790147f68ddc
-  languageName: node
-  linkType: hard
-
-"commander@npm:^4.1.1":
-  version: 4.1.1
-  resolution: "commander@npm:4.1.1"
-  checksum: d7b9913ff92cae20cb577a4ac6fcc121bd6223319e54a40f51a14740a681ad5c574fd29a57da478a5f234a6fa6c52cbf0b7c641353e03c648b1ae85ba670b977
-  languageName: node
-  linkType: hard
-
-"commander@npm:^6.2.0":
-  version: 6.2.1
-  resolution: "commander@npm:6.2.1"
-  checksum: d7090410c0de6bc5c67d3ca41c41760d6d268f3c799e530aafb73b7437d1826bbf0d2a3edac33f8b57cc9887b4a986dce307fa5557e109be40eadb7c43b21742
-  languageName: node
-  linkType: hard
-
-"commander@npm:^8.3.0":
-  version: 8.3.0
-  resolution: "commander@npm:8.3.0"
-  checksum: 0f82321821fc27b83bd409510bb9deeebcfa799ff0bf5d102128b500b7af22872c0c92cb6a0ebc5a4cf19c6b550fba9cedfa7329d18c6442a625f851377bacf0
-  languageName: node
-  linkType: hard
-
-"common-tags@npm:^1.4.0":
-  version: 1.8.0
-  resolution: "common-tags@npm:1.8.0"
-  checksum: fb0cc9420d149176f2bd2b1fc9e6df622cd34eccaca60b276aa3253a7c9241e8a8ed1ec0702b2679eba7e47aeef721869c686bbd7257b75b5c44993c8462cd7f
-  languageName: node
-  linkType: hard
-
-"common-tags@npm:^1.8.0, common-tags@npm:^1.8.2":
-  version: 1.8.2
-  resolution: "common-tags@npm:1.8.2"
-  checksum: 767a6255a84bbc47df49a60ab583053bb29a7d9687066a18500a516188a062c4e4cd52de341f22de0b07062e699b1b8fe3cfa1cb55b241cb9301aeb4f45b4dff
-  languageName: node
-  linkType: hard
-
-"commondir@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "commondir@npm:1.0.1"
-  checksum: 59715f2fc456a73f68826285718503340b9f0dd89bfffc42749906c5cf3d4277ef11ef1cca0350d0e79204f00f1f6d83851ececc9095dc88512a697ac0b9bdcb
-  languageName: node
-  linkType: hard
-
-"component-emitter@npm:^1.2.1":
-  version: 1.3.0
-  resolution: "component-emitter@npm:1.3.0"
-  checksum: b3c46de38ffd35c57d1c02488355be9f218e582aec72d72d1b8bbec95a3ac1b38c96cd6e03ff015577e68f550fbb361a3bfdbd9bb248be9390b7b3745691be6b
-  languageName: node
-  linkType: hard
-
-"compressible@npm:~2.0.16":
-  version: 2.0.18
-  resolution: "compressible@npm:2.0.18"
-  dependencies:
-    mime-db: ">= 1.43.0 < 2"
-  checksum: 58321a85b375d39230405654721353f709d0c1442129e9a17081771b816302a012471a9b8f4864c7dbe02eef7f2aaac3c614795197092262e94b409c9be108f0
-  languageName: node
-  linkType: hard
-
-"compression@npm:^1.7.4":
-  version: 1.7.4
-  resolution: "compression@npm:1.7.4"
-  dependencies:
-    accepts: ~1.3.5
-    bytes: 3.0.0
-    compressible: ~2.0.16
-    debug: 2.6.9
-    on-headers: ~1.0.2
-    safe-buffer: 5.1.2
-    vary: ~1.1.2
-  checksum: 35c0f2eb1f28418978615dc1bc02075b34b1568f7f56c62d60f4214d4b7cc00d0f6d282b5f8a954f59872396bd770b6b15ffd8aa94c67d4bce9b8887b906999b
-  languageName: node
-  linkType: hard
-
-"concat-map@npm:0.0.1":
-  version: 0.0.1
-  resolution: "concat-map@npm:0.0.1"
-  checksum: 902a9f5d8967a3e2faf138d5cb784b9979bad2e6db5357c5b21c568df4ebe62bcb15108af1b2253744844eb964fc023fbd9afbbbb6ddd0bcc204c6fb5b7bf3af
-  languageName: node
-  linkType: hard
-
-"concat-stream@npm:^1.5.0":
-  version: 1.6.2
-  resolution: "concat-stream@npm:1.6.2"
-  dependencies:
-    buffer-from: ^1.0.0
-    inherits: ^2.0.3
-    readable-stream: ^2.2.2
-    typedarray: ^0.0.6
-  checksum: 1ef77032cb4459dcd5187bd710d6fc962b067b64ec6a505810de3d2b8cc0605638551b42f8ec91edf6fcd26141b32ef19ad749239b58fae3aba99187adc32285
-  languageName: node
-  linkType: hard
-
-"configstore@npm:^5.0.1":
-  version: 5.0.1
-  resolution: "configstore@npm:5.0.1"
-  dependencies:
-    dot-prop: ^5.2.0
-    graceful-fs: ^4.1.2
-    make-dir: ^3.0.0
-    unique-string: ^2.0.0
-    write-file-atomic: ^3.0.0
-    xdg-basedir: ^4.0.0
-  checksum: 60ef65d493b63f96e14b11ba7ec072fdbf3d40110a94fb7199d1c287761bdea5c5244e76b2596325f30c1b652213aa75de96ea20afd4a5f82065e61ea090988e
-  languageName: node
-  linkType: hard
-
-"connect@npm:^3.6.6":
-  version: 3.7.0
-  resolution: "connect@npm:3.7.0"
-  dependencies:
-    debug: 2.6.9
-    finalhandler: 1.1.2
-    parseurl: ~1.3.3
-    utils-merge: 1.0.1
-  checksum: 96e1c4effcf219b065c7823e57351c94366d2e2a6952fa95e8212bffb35c86f1d5a3f9f6c5796d4cd3a5fdda628368b1c3cc44bf19c66cfd68fe9f9cab9177e2
-  languageName: node
-  linkType: hard
-
-"console-browserify@npm:^1.1.0":
-  version: 1.2.0
-  resolution: "console-browserify@npm:1.2.0"
-  checksum: 226591eeff8ed68e451dffb924c1fb750c654d54b9059b3b261d360f369d1f8f70650adecf2c7136656236a4bfeb55c39281b5d8a55d792ebbb99efd3d848d52
-  languageName: node
-  linkType: hard
-
-"console-control-strings@npm:^1.1.0":
-  version: 1.1.0
-  resolution: "console-control-strings@npm:1.1.0"
-  checksum: 8755d76787f94e6cf79ce4666f0c5519906d7f5b02d4b884cf41e11dcd759ed69c57da0670afd9236d229a46e0f9cf519db0cd829c6dca820bb5a5c3def584ed
-  languageName: node
-  linkType: hard
-
-"console-ui@npm:^3.0.4, console-ui@npm:^3.1.1, console-ui@npm:^3.1.2":
-  version: 3.1.2
-  resolution: "console-ui@npm:3.1.2"
-  dependencies:
-    chalk: ^2.1.0
-    inquirer: ^6
-    json-stable-stringify: ^1.0.1
-    ora: ^3.4.0
-    through2: ^3.0.1
-  checksum: f475401147c5f1205a39dcd0ca9e196e053285a357fe10d4233947e7288f8412bca1ac5666446cced5aab0bd6309ff6715efd395cd285225836c72d27c821008
-  languageName: node
-  linkType: hard
-
-"consolidate@npm:^0.16.0":
-  version: 0.16.0
-  resolution: "consolidate@npm:0.16.0"
-  dependencies:
-    bluebird: ^3.7.2
-  checksum: f17164ffb2c4f79b4cbf685f1c76a49f59d329a40954b436425498861dc137b46fe821b2aadafa2dcfeb7eebd46846f35bd2c36b4a704d38521b4210a22a7515
-  languageName: node
-  linkType: hard
-
-"constants-browserify@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "constants-browserify@npm:1.0.0"
-  checksum: f7ac8c6d0b6e4e0c77340a1d47a3574e25abd580bfd99ad707b26ff7618596cf1a5e5ce9caf44715e9e01d4a5d12cb3b4edaf1176f34c19adb2874815a56e64f
-  languageName: node
-  linkType: hard
-
-"content-disposition@npm:0.5.3":
-  version: 0.5.3
-  resolution: "content-disposition@npm:0.5.3"
-  dependencies:
-    safe-buffer: 5.1.2
-  checksum: 95bf164c0b0b8199d3f44b7631e51b37f683c6a90b9baa4315bd3d405a6d1bc81b7346f0981046aa004331fb3d7a28b629514d01fc209a5251573fc7e4d33380
-  languageName: node
-  linkType: hard
-
-"content-disposition@npm:0.5.4":
-  version: 0.5.4
-  resolution: "content-disposition@npm:0.5.4"
-  dependencies:
-    safe-buffer: 5.2.1
-  checksum: afb9d545e296a5171d7574fcad634b2fdf698875f4006a9dd04a3e1333880c5c0c98d47b560d01216fb6505a54a2ba6a843ee3a02ec86d7e911e8315255f56c3
-  languageName: node
-  linkType: hard
-
-"content-type@npm:~1.0.4":
-  version: 1.0.4
-  resolution: "content-type@npm:1.0.4"
-  checksum: 3d93585fda985d1554eca5ebd251994327608d2e200978fdbfba21c0c679914d5faf266d17027de44b34a72c7b0745b18584ecccaa7e1fdfb6a68ac7114f12e0
-  languageName: node
-  linkType: hard
-
-"continuable-cache@npm:^0.3.1":
-  version: 0.3.1
-  resolution: "continuable-cache@npm:0.3.1"
-  checksum: d88b9891cdc76533bf018613ec80c7f8f3ce7159fa8c1402dae7be546c4b0566ef0c18e488b08da66b8a8f5aab7c91ce9910e4c32d965d902ffe34e095ccc2cb
-  languageName: node
-  linkType: hard
-
-"convert-source-map@npm:^1.5.1, convert-source-map@npm:^1.7.0":
-  version: 1.8.0
-  resolution: "convert-source-map@npm:1.8.0"
-  dependencies:
-    safe-buffer: ~5.1.1
-  checksum: 985d974a2d33e1a2543ada51c93e1ba2f73eaed608dc39f229afc78f71dcc4c8b7d7c684aa647e3c6a3a204027444d69e53e169ce94e8d1fa8d7dee80c9c8fed
-  languageName: node
-  linkType: hard
-
-"cookie-signature@npm:1.0.6":
-  version: 1.0.6
-  resolution: "cookie-signature@npm:1.0.6"
-  checksum: f4e1b0a98a27a0e6e66fd7ea4e4e9d8e038f624058371bf4499cfcd8f3980be9a121486995202ba3fca74fbed93a407d6d54d43a43f96fd28d0bd7a06761591a
-  languageName: node
-  linkType: hard
-
-"cookie@npm:0.4.0":
-  version: 0.4.0
-  resolution: "cookie@npm:0.4.0"
-  checksum: 760384ba0aef329c52523747e36a452b5e51bc49b34160363a6934e7b7df3f93fcc88b35e33450361535d40a92a96412da870e1816aba9aa6cc556a9fedd8492
-  languageName: node
-  linkType: hard
-
-"cookie@npm:0.5.0":
-  version: 0.5.0
-  resolution: "cookie@npm:0.5.0"
-  checksum: 1f4bd2ca5765f8c9689a7e8954183f5332139eb72b6ff783d8947032ec1fdf43109852c178e21a953a30c0dd42257828185be01b49d1eb1a67fd054ca588a180
-  languageName: node
-  linkType: hard
-
-"cookie@npm:~0.4.1":
-  version: 0.4.1
-  resolution: "cookie@npm:0.4.1"
-  checksum: bd7c47f5d94ab70ccdfe8210cde7d725880d2fcda06d8e375afbdd82de0c8d3b73541996e9ce57d35f67f672c4ee6d60208adec06b3c5fc94cebb85196084cf8
-  languageName: node
-  linkType: hard
-
-"copy-concurrently@npm:^1.0.0":
-  version: 1.0.5
-  resolution: "copy-concurrently@npm:1.0.5"
-  dependencies:
-    aproba: ^1.1.1
-    fs-write-stream-atomic: ^1.0.8
-    iferr: ^0.1.5
-    mkdirp: ^0.5.1
-    rimraf: ^2.5.4
-    run-queue: ^1.0.0
-  checksum: 63c169f582e09445260988f697b2d07793d439dfc31e97c8999707bd188dd94d1c7f2ca3533c7786fb75f03a3f2f54ad1ee08055f95f61bb8d2e862498c1d460
-  languageName: node
-  linkType: hard
-
-"copy-dereference@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "copy-dereference@npm:1.0.0"
-  checksum: ffa946e4d3ab77e53e7543fb58b89ffffebc29cc1560adcfd09ad521e2c5b8f087a4639ac98a2d3945a173f0defad444ce1873f3d1104c1978d83c54dd888caf
-  languageName: node
-  linkType: hard
-
-"copy-descriptor@npm:^0.1.0":
-  version: 0.1.1
-  resolution: "copy-descriptor@npm:0.1.1"
-  checksum: d4b7b57b14f1d256bb9aa0b479241048afd7f5bcf22035fc7b94e8af757adeae247ea23c1a774fe44869fd5694efba4a969b88d966766c5245fdee59837fe45b
-  languageName: node
-  linkType: hard
-
-"core-js-compat@npm:^3.16.2":
-  version: 3.18.2
-  resolution: "core-js-compat@npm:3.18.2"
-  dependencies:
-    browserslist: ^4.17.3
-    semver: 7.0.0
-  checksum: 8358d4a14725b68ccb5fcdd590e603f08933c1f89b0fc5415054048771d6ae9182dca89d0280ed44535ce7a5f6f2f6280774aa0b0410842c940a9a2149ab83d2
-  languageName: node
-  linkType: hard
-
-"core-js-compat@npm:^3.18.0":
-  version: 3.19.2
-  resolution: "core-js-compat@npm:3.19.2"
-  dependencies:
-    browserslist: ^4.18.1
-    semver: 7.0.0
-  checksum: 6b9cca0dc341512c3494955ab87cf7e091dd98503af2b432979c6467385804d03cec9598691c0560c5ede992c0b8ee2ce3fc1af4062c31f5731da70211b61544
-  languageName: node
-  linkType: hard
-
-"core-js-compat@npm:^3.20.2, core-js-compat@npm:^3.21.0":
-  version: 3.21.1
-  resolution: "core-js-compat@npm:3.21.1"
-  dependencies:
-    browserslist: ^4.19.1
-    semver: 7.0.0
-  checksum: 6af1bcbc94ede50b109e54bf3f5a9ca28b8a303124e07c2bf76c2257a8a94a0b550cf4a318f6ec0594b351b6f9a5453fd4516e3681560b6d984b95d1988baf13
-  languageName: node
-  linkType: hard
-
-"core-js-compat@npm:^3.22.1":
-  version: 3.22.8
-  resolution: "core-js-compat@npm:3.22.8"
-  dependencies:
-    browserslist: ^4.20.3
-    semver: 7.0.0
-  checksum: 0c82d9110dcb267c2f5547c61b62f8043793d203523048169176b8badf0b73f3792624342b85d9c923df8eb8971b4aa468b160abb81a023d183c5951e4f05a66
-  languageName: node
-  linkType: hard
-
-"core-js-compat@npm:^3.9.0":
-  version: 3.19.1
-  resolution: "core-js-compat@npm:3.19.1"
-  dependencies:
-    browserslist: ^4.17.6
-    semver: 7.0.0
-  checksum: ed302c99814bd7227b549f639fe5f1a3b9d885c0f878c1203f10be0a33c7d0b199931cb904074cc988ab48411132d4f41adf1603e4eebe5c5d42bdc62a3f5c5d
-  languageName: node
-  linkType: hard
-
-"core-js@npm:^2.4.0, core-js@npm:^2.5.0, core-js@npm:^2.6.5":
-  version: 2.6.12
-  resolution: "core-js@npm:2.6.12"
-  checksum: 44fa9934a85f8c78d61e0c8b7b22436330471ffe59ec5076fe7f324d6e8cf7f824b14b1c81ca73608b13bdb0fef035bd820989bf059767ad6fa13123bb8bd016
-  languageName: node
-  linkType: hard
-
-"core-js@npm:^3.16.2":
-  version: 3.22.8
-  resolution: "core-js@npm:3.22.8"
-  checksum: c79bcfea37920a5da880ad1fc8336355e833c83998bb28cd45cc59eef4d9824dd8d59ccd24d6b18ff88f284d53d9eef021ddbd2b5ab1c6305b01e98c1402e510
-  languageName: node
-  linkType: hard
-
-"core-js@npm:^3.24.1":
-  version: 3.26.0
-  resolution: "core-js@npm:3.26.0"
-  checksum: 0149eb9d3909fde9c17626af3a6e625c326e8598d0bb5e6c5b48a18e5fcd4eaf48d4964d873667d8148542ff590fb98eb3f93618da114ca54999d6bc0349734b
-  languageName: node
-  linkType: hard
-
-"core-object@npm:^3.1.5":
-  version: 3.1.5
-  resolution: "core-object@npm:3.1.5"
-  dependencies:
-    chalk: ^2.0.0
-  checksum: d53022008fa9da9db3ac5d2636750300da114b58432a28bcde4cbb099e60208e3b0ae2b8a05cec2d2ec70bdcad72bfac18134ab60e435aec3117b3edad00235d
-  languageName: node
-  linkType: hard
-
-"core-util-is@npm:1.0.2":
-  version: 1.0.2
-  resolution: "core-util-is@npm:1.0.2"
-  checksum: 7a4c925b497a2c91421e25bf76d6d8190f0b2359a9200dbeed136e63b2931d6294d3b1893eda378883ed363cd950f44a12a401384c609839ea616befb7927dab
-  languageName: node
-  linkType: hard
-
-"core-util-is@npm:~1.0.0":
-  version: 1.0.3
-  resolution: "core-util-is@npm:1.0.3"
-  checksum: 9de8597363a8e9b9952491ebe18167e3b36e7707569eed0ebf14f8bba773611376466ae34575bca8cfe3c767890c859c74056084738f09d4e4a6f902b2ad7d99
-  languageName: node
-  linkType: hard
-
-"cors@npm:~2.8.5":
-  version: 2.8.5
-  resolution: "cors@npm:2.8.5"
-  dependencies:
-    object-assign: ^4
-    vary: ^1
-  checksum: ced838404ccd184f61ab4fdc5847035b681c90db7ac17e428f3d81d69e2989d2b680cc254da0e2554f5ed4f8a341820a1ce3d1c16b499f6e2f47a1b9b07b5006
-  languageName: node
-  linkType: hard
-
-"cosmiconfig@npm:^7.0.0":
-  version: 7.0.0
-  resolution: "cosmiconfig@npm:7.0.0"
-  dependencies:
-    "@types/parse-json": ^4.0.0
-    import-fresh: ^3.2.1
-    parse-json: ^5.0.0
-    path-type: ^4.0.0
-    yaml: ^1.10.0
-  checksum: 6801feaa0249e9b9fdde5b3d70dc33b4f9c69095bec94d67e3fe08b66eac24dc7e2099f053597cfbc94b743de269aa5d2cfa7da3fde765433423b06bd122941a
-  languageName: node
-  linkType: hard
-
-"cosmiconfig@npm:^8.2.0":
-  version: 8.2.0
-  resolution: "cosmiconfig@npm:8.2.0"
-  dependencies:
-    import-fresh: ^3.2.1
-    js-yaml: ^4.1.0
-    parse-json: ^5.0.0
-    path-type: ^4.0.0
-  checksum: 836d5d8efa750f3fb17b03d6ca74cd3154ed025dffd045304b3ef59637f662bde1e5dc88f8830080d180ec60841719cf4ea2ce73fb21ec694b16865c478ff297
-  languageName: node
-  linkType: hard
-
-"create-ecdh@npm:^4.0.0":
-  version: 4.0.4
-  resolution: "create-ecdh@npm:4.0.4"
-  dependencies:
-    bn.js: ^4.1.0
-    elliptic: ^6.5.3
-  checksum: 0dd7fca9711d09e152375b79acf1e3f306d1a25ba87b8ff14c2fd8e68b83aafe0a7dd6c4e540c9ffbdd227a5fa1ad9b81eca1f233c38bb47770597ba247e614b
-  languageName: node
-  linkType: hard
-
-"create-hash@npm:^1.1.0, create-hash@npm:^1.1.2, create-hash@npm:^1.2.0":
-  version: 1.2.0
-  resolution: "create-hash@npm:1.2.0"
-  dependencies:
-    cipher-base: ^1.0.1
-    inherits: ^2.0.1
-    md5.js: ^1.3.4
-    ripemd160: ^2.0.1
-    sha.js: ^2.4.0
-  checksum: 02a6ae3bb9cd4afee3fabd846c1d8426a0e6b495560a977ba46120c473cb283be6aa1cace76b5f927cf4e499c6146fb798253e48e83d522feba807d6b722eaa9
-  languageName: node
-  linkType: hard
-
-"create-hmac@npm:^1.1.0, create-hmac@npm:^1.1.4, create-hmac@npm:^1.1.7":
-  version: 1.1.7
-  resolution: "create-hmac@npm:1.1.7"
-  dependencies:
-    cipher-base: ^1.0.3
-    create-hash: ^1.1.0
-    inherits: ^2.0.1
-    ripemd160: ^2.0.0
-    safe-buffer: ^5.0.1
-    sha.js: ^2.4.8
-  checksum: ba12bb2257b585a0396108c72830e85f882ab659c3320c83584b1037f8ab72415095167ced80dc4ce8e446a8ecc4b2acf36d87befe0707d73b26cf9dc77440ed
-  languageName: node
-  linkType: hard
-
-"cross-spawn@npm:^6.0.0, cross-spawn@npm:^6.0.5":
-  version: 6.0.5
-  resolution: "cross-spawn@npm:6.0.5"
-  dependencies:
-    nice-try: ^1.0.4
-    path-key: ^2.0.1
-    semver: ^5.5.0
-    shebang-command: ^1.2.0
-    which: ^1.2.9
-  checksum: f893bb0d96cd3d5751d04e67145bdddf25f99449531a72e82dcbbd42796bbc8268c1076c6b3ea51d4d455839902804b94bc45dfb37ecbb32ea8e54a6741c3ab9
-  languageName: node
-  linkType: hard
-
-"cross-spawn@npm:^7.0.0, cross-spawn@npm:^7.0.2, cross-spawn@npm:^7.0.3":
-  version: 7.0.3
-  resolution: "cross-spawn@npm:7.0.3"
-  dependencies:
-    path-key: ^3.1.0
-    shebang-command: ^2.0.0
-    which: ^2.0.1
-  checksum: 671cc7c7288c3a8406f3c69a3ae2fc85555c04169e9d611def9a675635472614f1c0ed0ef80955d5b6d4e724f6ced67f0ad1bb006c2ea643488fcfef994d7f52
-  languageName: node
-  linkType: hard
-
-"crypto-browserify@npm:^3.11.0":
-  version: 3.12.0
-  resolution: "crypto-browserify@npm:3.12.0"
-  dependencies:
-    browserify-cipher: ^1.0.0
-    browserify-sign: ^4.0.0
-    create-ecdh: ^4.0.0
-    create-hash: ^1.1.0
-    create-hmac: ^1.1.0
-    diffie-hellman: ^5.0.0
-    inherits: ^2.0.1
-    pbkdf2: ^3.0.3
-    public-encrypt: ^4.0.0
-    randombytes: ^2.0.0
-    randomfill: ^1.0.3
-  checksum: c1609af82605474262f3eaa07daa0b2140026bd264ab316d4bf1170272570dbe02f0c49e29407fe0d3634f96c507c27a19a6765fb856fed854a625f9d15618e2
-  languageName: node
-  linkType: hard
-
-"crypto-random-string@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "crypto-random-string@npm:2.0.0"
-  checksum: 0283879f55e7c16fdceacc181f87a0a65c53bc16ffe1d58b9d19a6277adcd71900d02bb2c4843dd55e78c51e30e89b0fec618a7f170ebcc95b33182c28f05fd6
-  languageName: node
-  linkType: hard
-
-"css-functions-list@npm:^3.1.0":
-  version: 3.2.0
-  resolution: "css-functions-list@npm:3.2.0"
-  checksum: fe912ea852fad500aef9a4f04db9a0371c7b0eb1ac1a45fbd8df0156ae0538cee7492ebd620b9bb502fe5bf2b5ed3bf3c16b6659cf67c7144eff0b597bcc3891
-  languageName: node
-  linkType: hard
-
-"css-loader@npm:^5.2.0":
-  version: 5.2.7
-  resolution: "css-loader@npm:5.2.7"
-  dependencies:
-    icss-utils: ^5.1.0
-    loader-utils: ^2.0.0
-    postcss: ^8.2.15
-    postcss-modules-extract-imports: ^3.0.0
-    postcss-modules-local-by-default: ^4.0.0
-    postcss-modules-scope: ^3.0.0
-    postcss-modules-values: ^4.0.0
-    postcss-value-parser: ^4.1.0
-    schema-utils: ^3.0.0
-    semver: ^7.3.5
-  peerDependencies:
-    webpack: ^4.27.0 || ^5.0.0
-  checksum: fb0742b30ac0919f94b99a323bdefe6d48ae46d66c7d966aae59031350532f368f8bba5951fcd268f2e053c5e6e4655551076268e9073ccb58e453f98ae58f8e
-  languageName: node
-  linkType: hard
-
-"css-select-base-adapter@npm:^0.1.1":
-  version: 0.1.1
-  resolution: "css-select-base-adapter@npm:0.1.1"
-  checksum: c107e9cfa53a23427e4537451a67358375e656baa3322345a982d3c2751fb3904002aae7e5d72386c59f766fe6b109d1ffb43eeab1c16f069f7a3828eb17851c
-  languageName: node
-  linkType: hard
-
-"css-select@npm:^2.0.0":
-  version: 2.1.0
-  resolution: "css-select@npm:2.1.0"
-  dependencies:
-    boolbase: ^1.0.0
-    css-what: ^3.2.1
-    domutils: ^1.7.0
-    nth-check: ^1.0.2
-  checksum: 0c4099910f2411e2a9103cf92ea6a4ad738b57da75bcf73d39ef2c14a00ef36e5f16cb863211c901320618b24ace74da6333442d82995cafd5040077307de462
-  languageName: node
-  linkType: hard
-
-"css-select@npm:^5.1.0":
-  version: 5.1.0
-  resolution: "css-select@npm:5.1.0"
-  dependencies:
-    boolbase: ^1.0.0
-    css-what: ^6.1.0
-    domhandler: ^5.0.2
-    domutils: ^3.0.1
-    nth-check: ^2.0.1
-  checksum: 2772c049b188d3b8a8159907192e926e11824aea525b8282981f72ba3f349cf9ecd523fdf7734875ee2cb772246c22117fc062da105b6d59afe8dcd5c99c9bda
-  languageName: node
-  linkType: hard
-
-"css-tree@npm:1.0.0-alpha.29":
-  version: 1.0.0-alpha.29
-  resolution: "css-tree@npm:1.0.0-alpha.29"
-  dependencies:
-    mdn-data: ~1.1.0
-    source-map: ^0.5.3
-  checksum: 1693a0ddb85fe6f94c5d1b4c79a5dbc67d0c4a10e9992d9c6685bfc84b9d40380799e30b22bca42e15e60d927ac54ac500dec785e8c9245ee782c89eb4d924f4
-  languageName: node
-  linkType: hard
-
-"css-tree@npm:1.0.0-alpha.33":
-  version: 1.0.0-alpha.33
-  resolution: "css-tree@npm:1.0.0-alpha.33"
-  dependencies:
-    mdn-data: 2.0.4
-    source-map: ^0.5.3
-  checksum: b7d1584d855ac01dd2fd7898869f8de90b6cd5b284ffc3d538cbf40891f65f82011964ab360314175bcec3d08838976f4a68823df51d74a456879f62cdf63026
-  languageName: node
-  linkType: hard
-
-"css-tree@npm:^2.0.4":
-  version: 2.1.0
-  resolution: "css-tree@npm:2.1.0"
-  dependencies:
-    mdn-data: 2.0.27
-    source-map-js: ^1.0.1
-  checksum: 254c66a76f6a01d5161605162b17c1792fb3f96966d1cabec3435c551372707c02f6ca6c15f967bee7699f0b254437037c3fdb5eea0cd76ac2377cc8ac1f1d1d
-  languageName: node
-  linkType: hard
-
-"css-tree@npm:^2.3.1":
-  version: 2.3.1
-  resolution: "css-tree@npm:2.3.1"
-  dependencies:
-    mdn-data: 2.0.30
-    source-map-js: ^1.0.1
-  checksum: 493cc24b5c22b05ee5314b8a0d72d8a5869491c1458017ae5ed75aeb6c3596637dbe1b11dac2548974624adec9f7a1f3a6cf40593dc1f9185eb0e8279543fbc0
-  languageName: node
-  linkType: hard
-
-"css-what@npm:^3.2.1":
-  version: 3.4.2
-  resolution: "css-what@npm:3.4.2"
-  checksum: 26bb5ec3ae718393d418016365c849fa14bd0de408c735dea3ddf58146b6cc54f3b336fb4afd31d95c06ca79583acbcdfec7ee93d31ff5c1a697df135b38dfeb
-  languageName: node
-  linkType: hard
-
-"css-what@npm:^6.1.0":
-  version: 6.1.0
-  resolution: "css-what@npm:6.1.0"
-  checksum: b975e547e1e90b79625918f84e67db5d33d896e6de846c9b584094e529f0c63e2ab85ee33b9daffd05bff3a146a1916bec664e18bb76dd5f66cbff9fc13b2bbe
-  languageName: node
-  linkType: hard
-
-"cssesc@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "cssesc@npm:3.0.0"
-  bin:
-    cssesc: bin/cssesc
-  checksum: f8c4ababffbc5e2ddf2fa9957dda1ee4af6048e22aeda1869d0d00843223c1b13ad3f5d88b51caa46c994225eacb636b764eb807a8883e2fb6f99b4f4e8c48b2
-  languageName: node
-  linkType: hard
-
-"csso@npm:^3.5.1":
-  version: 3.5.1
-  resolution: "csso@npm:3.5.1"
-  dependencies:
-    css-tree: 1.0.0-alpha.29
-  checksum: f5cca58d7b0a50cdab52c634d967f822c18aaa5f50dd1e145bb755f7ca4b32a029b72269a8a7e253e338e59833e6a934beca187172fb00efc6d096dba0d635b1
-  languageName: node
-  linkType: hard
-
-"cssom@npm:^0.4.4":
-  version: 0.4.4
-  resolution: "cssom@npm:0.4.4"
-  checksum: e3bc1076e7ee4213d4fef05e7ae03bfa83dc05f32611d8edc341f4ecc3d9647b89c8245474c7dd2cdcdb797a27c462e99da7ad00a34399694559f763478ff53f
-  languageName: node
-  linkType: hard
-
-"cssom@npm:~0.3.6":
-  version: 0.3.8
-  resolution: "cssom@npm:0.3.8"
-  checksum: 24beb3087c76c0d52dd458be9ee1fbc80ac771478a9baef35dd258cdeb527c68eb43204dd439692bb2b1ae5272fa5f2946d10946edab0d04f1078f85e06bc7f6
-  languageName: node
-  linkType: hard
-
-"cssstyle@npm:^2.3.0":
-  version: 2.3.0
-  resolution: "cssstyle@npm:2.3.0"
-  dependencies:
-    cssom: ~0.3.6
-  checksum: 5f05e6fd2e3df0b44695c2f08b9ef38b011862b274e320665176467c0725e44a53e341bc4959a41176e83b66064ab786262e7380fd1cabeae6efee0d255bb4e3
-  languageName: node
-  linkType: hard
-
-"cyclist@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "cyclist@npm:1.0.1"
-  checksum: 3cc2fdeb358599ca0ea96f5ecf2fc530ccab7ed1f8aa1a894aebfacd2009281bd7380cb9b30db02a18cdd00b3ed1d7ce81a3b11fe56e33a6a0fe4424dc592fbe
-  languageName: node
-  linkType: hard
-
-"d3-array@npm:1, d3-array@npm:^1.1.1, d3-array@npm:^1.2.0":
-  version: 1.2.4
-  resolution: "d3-array@npm:1.2.4"
-  checksum: d0be1fa7d72dbfac8a3bcffbb669d42bcb9128d8818d84d2b1df0c60bbe4c8e54a798be0457c55a219b399e2c2fabcbd581cbb130eb638b5436b0618d7e56000
-  languageName: node
-  linkType: hard
-
-"d3-axis@npm:1, d3-axis@npm:^1.0.8":
-  version: 1.0.12
-  resolution: "d3-axis@npm:1.0.12"
-  checksum: b1cf820fb6e95cc3371b340353b05272dba16ce6ad4fe9a0992d075ab48a08810f87f5e6c7cbb6c63fca1ee1e9b7c822307a1590187daa7627f45728a747c746
-  languageName: node
-  linkType: hard
-
-"d3-brush@npm:1":
-  version: 1.1.6
-  resolution: "d3-brush@npm:1.1.6"
-  dependencies:
-    d3-dispatch: 1
-    d3-drag: 1
-    d3-interpolate: 1
-    d3-selection: 1
-    d3-transition: 1
-  checksum: ffa23a5543699cc1199f45ac87d4e1293167c4bab0833657d77172d84d910448893569393290dba3689af1e5a1fc77503d94a2dec3976de8a7bc68ed0e32413a
-  languageName: node
-  linkType: hard
-
-"d3-chord@npm:1":
-  version: 1.0.6
-  resolution: "d3-chord@npm:1.0.6"
-  dependencies:
-    d3-array: 1
-    d3-path: 1
-  checksum: e4ca95ffff089f0eccf796d16a5574121e0ecbe658dcd9d5fa760af3573c3349264ce325c0adf1f32bcad67038d3938edd109712166cfb5b3bbe068e27c012e9
-  languageName: node
-  linkType: hard
-
-"d3-collection@npm:1, d3-collection@npm:^1.0.4":
-  version: 1.0.7
-  resolution: "d3-collection@npm:1.0.7"
-  checksum: 9c6b910a9da0efb021e294509f98263ca4f62d10b997bb30ccfb6edd582b703da36e176b968b5bac815fbb0f328e49643c38cf93b5edf8572a179ba55cf4a09d
-  languageName: node
-  linkType: hard
-
-"d3-color@npm:1":
-  version: 1.4.1
-  resolution: "d3-color@npm:1.4.1"
-  checksum: a214b61458b5fcb7ad1a84faed0e02918037bab6be37f2d437bf0e2915cbd854d89fbf93754f17b0781c89e39d46704633d05a2bfae77e6209f0f4b140f9894b
-  languageName: node
-  linkType: hard
-
-"d3-contour@npm:1":
-  version: 1.3.2
-  resolution: "d3-contour@npm:1.3.2"
-  dependencies:
-    d3-array: ^1.1.1
-  checksum: c18a099a7f4af2adf788e96d07bfc7236661a6e40c017ef8e172fe0142561f3722f71263075c565a17b72e6cd6a2a05de3868fcc5420eb77b00d3a0179a69a0d
-  languageName: node
-  linkType: hard
-
-"d3-dispatch@npm:1":
-  version: 1.0.6
-  resolution: "d3-dispatch@npm:1.0.6"
-  checksum: b4ecb016b6dda8b99aa4263b2d0a0c7b12e7dea93e4b0ce3013c94dca4d360d9ba00f5bdc15dc944cc4543af8e341067bd628f061f7b8deb642257e2ac90d06c
-  languageName: node
-  linkType: hard
-
-"d3-drag@npm:1":
-  version: 1.2.5
-  resolution: "d3-drag@npm:1.2.5"
-  dependencies:
-    d3-dispatch: 1
-    d3-selection: 1
-  checksum: 6e86e89aa8d511979eea1b5326709c05c2a3c2d43a93a82ed6b6f98528b2ab03b2f58f5e4f66582f2f1c0ae44f9c19f6f4f857249eb66aabc46e4942295fa0a7
-  languageName: node
-  linkType: hard
-
-"d3-dsv@npm:1":
-  version: 1.2.0
-  resolution: "d3-dsv@npm:1.2.0"
-  dependencies:
-    commander: 2
-    iconv-lite: 0.4
-    rw: 1
-  bin:
-    csv2json: bin/dsv2json
-    csv2tsv: bin/dsv2dsv
-    dsv2dsv: bin/dsv2dsv
-    dsv2json: bin/dsv2json
-    json2csv: bin/json2dsv
-    json2dsv: bin/json2dsv
-    json2tsv: bin/json2dsv
-    tsv2csv: bin/dsv2dsv
-    tsv2json: bin/dsv2json
-  checksum: 96c6e3d5ca1566624ca613b5941bc6fa916082cbe4b2b71cb6c5978c471db58c489b17206e3e31fbe30719dbd75e9c8ed8ab12a9d353cff90a35102690de7823
-  languageName: node
-  linkType: hard
-
-"d3-ease@npm:1, d3-ease@npm:^1.0.5":
-  version: 1.0.7
-  resolution: "d3-ease@npm:1.0.7"
-  checksum: 117811d51dfc4a126e8d23d249252df792fbbe30a93615e1d67158c482eff69b900e45a4cc92746fe65b1143287455406a89aae04eb4ca1ba5b1dc2a42af5b85
-  languageName: node
-  linkType: hard
-
-"d3-fetch@npm:1":
-  version: 1.2.0
-  resolution: "d3-fetch@npm:1.2.0"
-  dependencies:
-    d3-dsv: 1
-  checksum: 00f091945bff4afbd06e6ce9ad762f0e91b7aac912c1ae7fe0efdbcce3a997d4fa2a93c254a3ba9b3f53f2134d606b20fb13791adbf5c6ed5c0be329a775945f
-  languageName: node
-  linkType: hard
-
-"d3-force@npm:1":
-  version: 1.2.1
-  resolution: "d3-force@npm:1.2.1"
-  dependencies:
-    d3-collection: 1
-    d3-dispatch: 1
-    d3-quadtree: 1
-    d3-timer: 1
-  checksum: b73fe29d6c9a9c432ae65166d71238d14578a3a9537df095bebff87b7814161cd2822aff54a38d2400edb98b7f6d9221a810dcad7a53c6e8ddff0973f44ab3fa
-  languageName: node
-  linkType: hard
-
-"d3-format@npm:1":
-  version: 1.4.5
-  resolution: "d3-format@npm:1.4.5"
-  checksum: 1b8b2c0bca182173bccd290a43e8b635a83fc8cfe52ec878c7bdabb997d47daac11f2b175cebbe73f807f782ad655f542bdfe18180ca5eb3498a3a82da1e06ab
-  languageName: node
-  linkType: hard
-
-"d3-geo@npm:1":
-  version: 1.12.1
-  resolution: "d3-geo@npm:1.12.1"
-  dependencies:
-    d3-array: 1
-  checksum: 8ede498e5fce65c127403646f5cc6181a858a1e401e23e2856ce50ad27e6fdf8b49aeb88d2fad02696879d5825a45420ca1b5db9fa9c935ee413fe15b5bc37c4
-  languageName: node
-  linkType: hard
-
-"d3-hierarchy@npm:1":
-  version: 1.1.9
-  resolution: "d3-hierarchy@npm:1.1.9"
-  checksum: 5fd8761c302252cb9abe9ce2a0934fc97104dd0df8d1b5de6472532903416f40e13b4b58d03ce215a0b816d7129c4ed4503bd4fdbc00a130fdcf46a63d734a52
-  languageName: node
-  linkType: hard
-
-"d3-interpolate@npm:1":
-  version: 1.4.0
-  resolution: "d3-interpolate@npm:1.4.0"
-  dependencies:
-    d3-color: 1
-  checksum: d98988bd1e2f59d01f100d0a19315ad8f82ef022aa09a65aff76f747a44f9b52f2d64c6578b8f47e01f2b14a8f0ef88f5460d11173c0dd2d58238c217ac0ec03
-  languageName: node
-  linkType: hard
-
-"d3-path@npm:1":
-  version: 1.0.9
-  resolution: "d3-path@npm:1.0.9"
-  checksum: d4382573baf9509a143f40944baeff9fead136926aed6872f7ead5b3555d68925f8a37935841dd51f1d70b65a294fe35c065b0906fb6e42109295f6598fc16d0
-  languageName: node
-  linkType: hard
-
-"d3-polygon@npm:1":
-  version: 1.0.6
-  resolution: "d3-polygon@npm:1.0.6"
-  checksum: 4a9764c2064d15e9f4fc9018c975f127540f6e701c18442e2a2e9339e743726f40e017d5213982d983cac3c23802321c257f2a10e686c803ec5533c6ff42bb7a
-  languageName: node
-  linkType: hard
-
-"d3-quadtree@npm:1":
-  version: 1.0.7
-  resolution: "d3-quadtree@npm:1.0.7"
-  checksum: 32181f578cbd69eed6b240073fed7f977f8039a121a3b9fc58ea1eea0c3c14d1237ef48cb4f80abb833063f8b0e7b885ef6de734e7bcc4e5b37e53ec444830f8
-  languageName: node
-  linkType: hard
-
-"d3-random@npm:1":
-  version: 1.1.2
-  resolution: "d3-random@npm:1.1.2"
-  checksum: a27326319fa61d59b6ce8d5ce7547cc823dee1bc6dda35e9c233d709f43f76488c09353862463c9c5da99081482b0f7ea4177d78721b67bb677bb12354bffe42
-  languageName: node
-  linkType: hard
-
-"d3-scale-chromatic@npm:1":
-  version: 1.5.0
-  resolution: "d3-scale-chromatic@npm:1.5.0"
-  dependencies:
-    d3-color: 1
-    d3-interpolate: 1
-  checksum: 3bff7717f6e6b309b3347d48d6532e2295037a280bc5174f908ce5fc0e17a9470f6b202e49499b01a17a1f28cb76a61aae870a6c13c57195a362847f33747501
-  languageName: node
-  linkType: hard
-
-"d3-scale@npm:2":
-  version: 2.2.2
-  resolution: "d3-scale@npm:2.2.2"
-  dependencies:
-    d3-array: ^1.2.0
-    d3-collection: 1
-    d3-format: 1
-    d3-interpolate: 1
-    d3-time: 1
-    d3-time-format: 2
-  checksum: 42086d4b9db9f8492a99dbbdacf546983faef1bb6260fe875c0c1884f1ca9cf5fd233de3702c2f9e24145b1c5383945e929c8682d80fa57ab515ef2c4f2c61f6
-  languageName: node
-  linkType: hard
-
-"d3-scale@npm:^1.0.7":
-  version: 1.0.7
-  resolution: "d3-scale@npm:1.0.7"
-  dependencies:
-    d3-array: ^1.2.0
-    d3-collection: 1
-    d3-color: 1
-    d3-format: 1
-    d3-interpolate: 1
-    d3-time: 1
-    d3-time-format: 2
-  checksum: c889c510aa0380b23e3a595be6b143b7053351ab6fe212918aa1ae80353a9ccde81064c2afa95dbdcd936fbb0c69dd560de291cbbea80d068a4390a3f67596aa
-  languageName: node
-  linkType: hard
-
-"d3-selection-multi@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "d3-selection-multi@npm:1.0.1"
-  dependencies:
-    d3-selection: 1
-    d3-transition: 1
-  checksum: 16d94d1dc5fc9a86302c613ad4f4e008beaae92bb22d6d1cee066c02efa35ba9795f9544c7465e129467e34611417fc3a082d5d7cc6ab1fd7c8404b83378555e
-  languageName: node
-  linkType: hard
-
-"d3-selection@npm:1, d3-selection@npm:^1.1.0, d3-selection@npm:^1.3.0":
-  version: 1.4.2
-  resolution: "d3-selection@npm:1.4.2"
-  checksum: 2484b392259b087a98f546f2610e6a11c90f38dae6b6b20a3fc85171038fcab4c72e702788b1960a4fece88bed2e36f268096358b5b48d3c7f0d35cfbe305da6
-  languageName: node
-  linkType: hard
-
-"d3-shape@npm:1":
-  version: 1.3.7
-  resolution: "d3-shape@npm:1.3.7"
-  dependencies:
-    d3-path: 1
-  checksum: 46566a3ab64a25023653bf59d64e81e9e6c987e95be985d81c5cedabae5838bd55f4a201a6b69069ca862eb63594cd263cac9034afc2b0e5664dfe286c866129
-  languageName: node
-  linkType: hard
-
-"d3-time-format@npm:2, d3-time-format@npm:^2.1.1":
-  version: 2.3.0
-  resolution: "d3-time-format@npm:2.3.0"
-  dependencies:
-    d3-time: 1
-  checksum: 5445eaaf2b3b2095cdc1fa75dfd2f361a61c39b677dcc1c2ba4cb6bc0442953de0fbaaa397d7d7a9325ad99c63d869f162a713e150e826ff8af482615664cb3f
-  languageName: node
-  linkType: hard
-
-"d3-time@npm:1":
-  version: 1.1.0
-  resolution: "d3-time@npm:1.1.0"
-  checksum: 33fcfff94ff093dde2048c190ecca8b39fe0ec8b3c61e9fc39c5f6072ce5b86dd2b91823f086366995422bbbac7f74fd9abdb7efe4f292a73b1c6197c699cc78
-  languageName: node
-  linkType: hard
-
-"d3-timer@npm:1":
-  version: 1.0.10
-  resolution: "d3-timer@npm:1.0.10"
-  checksum: f7040953672deb2dfa03830ace80dbbcb212f80890218eba15dcca6f33f74102d943023ccc2a563295195cd8c63639bb2410ef1691c8fecff4a114fdf5c666f4
-  languageName: node
-  linkType: hard
-
-"d3-tip@npm:^0.9.1":
-  version: 0.9.1
-  resolution: "d3-tip@npm:0.9.1"
-  dependencies:
-    d3-collection: ^1.0.4
-    d3-selection: ^1.3.0
-  checksum: 876711ec01a049c6864dcdeab095d4c6d55554a862d426446ec03bf707a0d65dcc2e8cfee87bb0f922cdea33a350fb0be471afdeef5363accf7ac6cf61f02f31
-  languageName: node
-  linkType: hard
-
-"d3-transition@npm:1, d3-transition@npm:^1.2.0":
-  version: 1.3.2
-  resolution: "d3-transition@npm:1.3.2"
-  dependencies:
-    d3-color: 1
-    d3-dispatch: 1
-    d3-ease: 1
-    d3-interpolate: 1
-    d3-selection: ^1.1.0
-    d3-timer: 1
-  checksum: 1b4a0cfa7aeb4033ab20e26a310488cfac989de44c6c2bf10e9f0808af915a33add6dca23fbafcefe8c08613fd0d6a933e48b4de24c0779163c2852a1c7c16f4
-  languageName: node
-  linkType: hard
-
-"d3-voronoi@npm:1":
-  version: 1.1.4
-  resolution: "d3-voronoi@npm:1.1.4"
-  checksum: d28a74bc62f2b936b0d3b51d5be8d2366afca4fd7026d7ee8f655600650bf0c985da38a8c3ae46bfa315b5f524f3ca1c5211437cf1c8c737cc1da681e015baee
-  languageName: node
-  linkType: hard
-
-"d3-zoom@npm:1":
-  version: 1.8.3
-  resolution: "d3-zoom@npm:1.8.3"
-  dependencies:
-    d3-dispatch: 1
-    d3-drag: 1
-    d3-interpolate: 1
-    d3-selection: 1
-    d3-transition: 1
-  checksum: de408e5dc6df1481ef6854a3d495f8e963dbf5b0de41bcbd35def0602abda55b3f2c1fa751c75c2f0a9bafd3b278f30795c27503fe609b3dbe06a0720d01d5be
-  languageName: node
-  linkType: hard
-
-"d3@npm:^5.0.0":
-  version: 5.16.0
-  resolution: "d3@npm:5.16.0"
-  dependencies:
-    d3-array: 1
-    d3-axis: 1
-    d3-brush: 1
-    d3-chord: 1
-    d3-collection: 1
-    d3-color: 1
-    d3-contour: 1
-    d3-dispatch: 1
-    d3-drag: 1
-    d3-dsv: 1
-    d3-ease: 1
-    d3-fetch: 1
-    d3-force: 1
-    d3-format: 1
-    d3-geo: 1
-    d3-hierarchy: 1
-    d3-interpolate: 1
-    d3-path: 1
-    d3-polygon: 1
-    d3-quadtree: 1
-    d3-random: 1
-    d3-scale: 2
-    d3-scale-chromatic: 1
-    d3-selection: 1
-    d3-shape: 1
-    d3-time: 1
-    d3-time-format: 2
-    d3-timer: 1
-    d3-transition: 1
-    d3-voronoi: 1
-    d3-zoom: 1
-  checksum: 1462789c421c3ea3930a18b91be6c02c7b976fa4d714200ee2a042c62cbfb349448c79f1ae3dbaf186f79edb734b7aa7b734ee6ad61d81ab4305e6663623ab8e
-  languageName: node
-  linkType: hard
-
-"dag-map@npm:^2.0.2":
-  version: 2.0.2
-  resolution: "dag-map@npm:2.0.2"
-  checksum: c15b70127c32b5f674ce43d17ee2268d757777df88883468550b946fdd29cee59c3faff1ec6d3ce05a4cb220a708426ac33b2f0a3bb6654541e7295e2d3a654a
-  languageName: node
-  linkType: hard
-
-"dashdash@npm:^1.12.0":
-  version: 1.14.1
-  resolution: "dashdash@npm:1.14.1"
-  dependencies:
-    assert-plus: ^1.0.0
-  checksum: 3634c249570f7f34e3d34f866c93f866c5b417f0dd616275decae08147dcdf8fccfaa5947380ccfb0473998ea3a8057c0b4cd90c875740ee685d0624b2983598
-  languageName: node
-  linkType: hard
-
-"data-urls@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "data-urls@npm:2.0.0"
-  dependencies:
-    abab: ^2.0.3
-    whatwg-mimetype: ^2.3.0
-    whatwg-url: ^8.0.0
-  checksum: 97caf828aac25e25e04ba6869db0f99c75e6859bb5b424ada28d3e7841941ebf08ddff3c1b1bb4585986bd507a5d54c2a716853ea6cb98af877400e637393e71
-  languageName: node
-  linkType: hard
-
-"date-fns-tz@npm:^1.2.2":
-  version: 1.2.2
-  resolution: "date-fns-tz@npm:1.2.2"
-  peerDependencies:
-    date-fns: ">=2.0.0"
-  checksum: 90c5145499570736cd004cfb13f8a9bbc9de514ceb92224ccd6fd2e0d88e0d55ab1d4e279500653d2df7cca0002c88a1ce0768c8531cbf6063cce91a1e4e78d4
-  languageName: node
-  linkType: hard
-
-"date-fns@npm:^2.16.1":
-  version: 2.21.1
-  resolution: "date-fns@npm:2.21.1"
-  checksum: 4ff90f6ab6b9e92d4605530704303aa269f40a4a2fe3624628e2a0310b06bd36d8a18867c2ddf88844afa54bc71a33b5b93c97c927da8989e9d05d32471dbd75
-  languageName: node
-  linkType: hard
-
-"date-fns@npm:^2.29.2":
-  version: 2.30.0
-  resolution: "date-fns@npm:2.30.0"
-  dependencies:
-    "@babel/runtime": ^7.21.0
-  checksum: f7be01523282e9bb06c0cd2693d34f245247a29098527d4420628966a2d9aad154bd0e90a6b1cf66d37adcb769cd108cf8a7bd49d76db0fb119af5cdd13644f4
-  languageName: node
-  linkType: hard
-
-"date-time@npm:^2.1.0":
-  version: 2.1.0
-  resolution: "date-time@npm:2.1.0"
-  dependencies:
-    time-zone: ^1.0.0
-  checksum: 3eefeb2954b8a5a8a01f7935ef4b53f948eeecd6105f652cbeafec384cf80924247797e51eb517af1e18b356d2c94561ac0a29a60d8ba56c88376bd5b5a08c3c
-  languageName: node
-  linkType: hard
-
-"debug@npm:2.6.9, debug@npm:^2.1.0, debug@npm:^2.1.1, debug@npm:^2.1.3, debug@npm:^2.2.0, debug@npm:^2.3.3, debug@npm:^2.6.8, debug@npm:^2.6.9":
-  version: 2.6.9
-  resolution: "debug@npm:2.6.9"
-  dependencies:
-    ms: 2.0.0
-  checksum: d2f51589ca66df60bf36e1fa6e4386b318c3f1e06772280eea5b1ae9fd3d05e9c2b7fd8a7d862457d00853c75b00451aa2d7459b924629ee385287a650f58fe6
-  languageName: node
-  linkType: hard
-
-"debug@npm:4, debug@npm:^4.3.2, debug@npm:^4.3.3, debug@npm:^4.3.4, debug@npm:~4.3.1, debug@npm:~4.3.2":
-  version: 4.3.4
-  resolution: "debug@npm:4.3.4"
-  dependencies:
-    ms: 2.1.2
-  peerDependenciesMeta:
-    supports-color:
-      optional: true
-  checksum: 3dbad3f94ea64f34431a9cbf0bafb61853eda57bff2880036153438f50fb5a84f27683ba0d8e5426bf41a8c6ff03879488120cf5b3a761e77953169c0600a708
-  languageName: node
-  linkType: hard
-
-"debug@npm:^3.0.1, debug@npm:^3.1.0, debug@npm:^3.2.7":
-  version: 3.2.7
-  resolution: "debug@npm:3.2.7"
-  dependencies:
-    ms: ^2.1.1
-  checksum: b3d8c5940799914d30314b7c3304a43305fd0715581a919dacb8b3176d024a782062368405b47491516d2091d6462d4d11f2f4974a405048094f8bfebfa3071c
-  languageName: node
-  linkType: hard
-
-"debug@npm:^4.0.0, debug@npm:^4.1.0, debug@npm:^4.1.1, debug@npm:^4.3.1":
-  version: 4.3.3
-  resolution: "debug@npm:4.3.3"
-  dependencies:
-    ms: 2.1.2
-  peerDependenciesMeta:
-    supports-color:
-      optional: true
-  checksum: 14472d56fe4a94dbcfaa6dbed2dd3849f1d72ba78104a1a328047bb564643ca49df0224c3a17fa63533fd11dd3d4c8636cd861191232a2c6735af00cc2d4de16
-  languageName: node
-  linkType: hard
-
-"debug@npm:^4.2.0":
-  version: 4.3.1
-  resolution: "debug@npm:4.3.1"
-  dependencies:
-    ms: 2.1.2
-  peerDependenciesMeta:
-    supports-color:
-      optional: true
-  checksum: 2c3352e37d5c46b0d203317cd45ea0e26b2c99f2d9dfec8b128e6ceba90dfb65425f5331bf3020fe9929d7da8c16758e737f4f3bfc0fce6b8b3d503bae03298b
-  languageName: node
-  linkType: hard
-
-"decache@npm:^4.5.1":
-  version: 4.6.0
-  resolution: "decache@npm:4.6.0"
-  dependencies:
-    callsite: ^1.0.0
-  checksum: 65bd86440a84aeb7cf76a8dbd22d207e561eac621bc73500347a9a0802f14e72222fd794b4b778a419e3d736a01ec263124e1ba39db6778c3b86a42f487a279c
-  languageName: node
-  linkType: hard
-
-"decamelize-keys@npm:^1.1.0":
-  version: 1.1.1
-  resolution: "decamelize-keys@npm:1.1.1"
-  dependencies:
-    decamelize: ^1.1.0
-    map-obj: ^1.0.0
-  checksum: fc645fe20b7bda2680bbf9481a3477257a7f9304b1691036092b97ab04c0ab53e3bf9fcc2d2ae382536568e402ec41fb11e1d4c3836a9abe2d813dd9ef4311e0
-  languageName: node
-  linkType: hard
-
-"decamelize@npm:^1.1.0, decamelize@npm:^1.2.0":
-  version: 1.2.0
-  resolution: "decamelize@npm:1.2.0"
-  checksum: ad8c51a7e7e0720c70ec2eeb1163b66da03e7616d7b98c9ef43cce2416395e84c1e9548dd94f5f6ffecfee9f8b94251fc57121a8b021f2ff2469b2bae247b8aa
-  languageName: node
-  linkType: hard
-
-"decamelize@npm:^5.0.0":
-  version: 5.0.1
-  resolution: "decamelize@npm:5.0.1"
-  checksum: 7c3b1ed4b3e60e7fbc00a35fb248298527c1cdfe603e41dfcf05e6c4a8cb9efbee60630deb677ed428908fb4e74e322966c687a094d1478ddc9c3a74e9dc7140
-  languageName: node
-  linkType: hard
-
-"decimal.js@npm:^10.2.1":
-  version: 10.2.1
-  resolution: "decimal.js@npm:10.2.1"
-  checksum: d2421adf209422d520c8f1a4d1fceffc2ccd0c041aa179f8d18a315ebda6a7be918f2634ac850df299dccccae6a3567c5761301a1c3693461fdef3d1de23b000
-  languageName: node
-  linkType: hard
-
-"decode-uri-component@npm:^0.2.0":
-  version: 0.2.0
-  resolution: "decode-uri-component@npm:0.2.0"
-  checksum: f3749344ab9305ffcfe4bfe300e2dbb61fc6359e2b736812100a3b1b6db0a5668cba31a05e4b45d4d63dbf1a18dfa354cd3ca5bb3ededddabb8cd293f4404f94
-  languageName: node
-  linkType: hard
-
-"dedent@npm:^0.7.0":
-  version: 0.7.0
-  resolution: "dedent@npm:0.7.0"
-  checksum: 87de191050d9a40dd70cad01159a0bcf05ecb59750951242070b6abf9569088684880d00ba92a955b4058804f16eeaf91d604f283929b4f614d181cd7ae633d2
-  languageName: node
-  linkType: hard
-
-"deep-equal@npm:^2.0.5":
-  version: 2.2.1
-  resolution: "deep-equal@npm:2.2.1"
-  dependencies:
-    array-buffer-byte-length: ^1.0.0
-    call-bind: ^1.0.2
-    es-get-iterator: ^1.1.3
-    get-intrinsic: ^1.2.0
-    is-arguments: ^1.1.1
-    is-array-buffer: ^3.0.2
-    is-date-object: ^1.0.5
-    is-regex: ^1.1.4
-    is-shared-array-buffer: ^1.0.2
-    isarray: ^2.0.5
-    object-is: ^1.1.5
-    object-keys: ^1.1.1
-    object.assign: ^4.1.4
-    regexp.prototype.flags: ^1.5.0
-    side-channel: ^1.0.4
-    which-boxed-primitive: ^1.0.2
-    which-collection: ^1.0.1
-    which-typed-array: ^1.1.9
-  checksum: 561f0e001a07b2f1b80ff914d0b3d76964bbfc102f34c2128bc8039c0050e63b1a504a8911910e011d8cd1cd4b600a9686c049e327f4ef94420008efc42d25f4
-  languageName: node
-  linkType: hard
-
-"deep-is@npm:^0.1.3, deep-is@npm:~0.1.3":
-  version: 0.1.3
-  resolution: "deep-is@npm:0.1.3"
-  checksum: c15b04c3848a89880c94e25b077c19b47d9a30dd99048e70e5f95d943e7b246bee1da0c1376b56b01bc045be2cae7d9b1c856e68e47e9805634327de7c6cb6d5
-  languageName: node
-  linkType: hard
-
-"deepmerge@npm:^4.0.0":
-  version: 4.2.2
-  resolution: "deepmerge@npm:4.2.2"
-  checksum: a8c43a1ed8d6d1ed2b5bf569fa4c8eb9f0924034baf75d5d406e47e157a451075c4db353efea7b6bcc56ec48116a8ce72fccf867b6e078e7c561904b5897530b
-  languageName: node
-  linkType: hard
-
-"defaults@npm:^1.0.3":
-  version: 1.0.3
-  resolution: "defaults@npm:1.0.3"
-  dependencies:
-    clone: ^1.0.2
-  checksum: 96e2112da6553d376afd5265ea7cbdb2a3b45535965d71ab8bb1da10c8126d168fdd5268799625324b368356d21ba2a7b3d4ec50961f11a47b7feb9de3d4413e
-  languageName: node
-  linkType: hard
-
-"define-properties@npm:^1.1.3":
-  version: 1.1.3
-  resolution: "define-properties@npm:1.1.3"
-  dependencies:
-    object-keys: ^1.0.12
-  checksum: da80dba55d0cd76a5a7ab71ef6ea0ebcb7b941f803793e4e0257b384cb772038faa0c31659d244e82c4342edef841c1a1212580006a05a5068ee48223d787317
-  languageName: node
-  linkType: hard
-
-"define-properties@npm:^1.1.4, define-properties@npm:^1.2.0":
-  version: 1.2.0
-  resolution: "define-properties@npm:1.2.0"
-  dependencies:
-    has-property-descriptors: ^1.0.0
-    object-keys: ^1.1.1
-  checksum: e60aee6a19b102df4e2b1f301816804e81ab48bb91f00d0d935f269bf4b3f79c88b39e4f89eaa132890d23267335fd1140dfcd8d5ccd61031a0a2c41a54e33a6
-  languageName: node
-  linkType: hard
-
-"define-property@npm:^0.2.5":
-  version: 0.2.5
-  resolution: "define-property@npm:0.2.5"
-  dependencies:
-    is-descriptor: ^0.1.0
-  checksum: 85af107072b04973b13f9e4128ab74ddfda48ec7ad2e54b193c0ffb57067c4ce5b7786a7b4ae1f24bd03e87c5d18766b094571810b314d7540f86d4354dbd394
-  languageName: node
-  linkType: hard
-
-"define-property@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "define-property@npm:1.0.0"
-  dependencies:
-    is-descriptor: ^1.0.0
-  checksum: 5fbed11dace44dd22914035ba9ae83ad06008532ca814d7936a53a09e897838acdad5b108dd0688cc8d2a7cf0681acbe00ee4136cf36743f680d10517379350a
-  languageName: node
-  linkType: hard
-
-"define-property@npm:^2.0.2":
-  version: 2.0.2
-  resolution: "define-property@npm:2.0.2"
-  dependencies:
-    is-descriptor: ^1.0.2
-    isobject: ^3.0.1
-  checksum: 3217ed53fc9eed06ba8da6f4d33e28c68a82e2f2a8ab4d562c4920d8169a166fe7271453675e6c69301466f36a65d7f47edf0cf7f474b9aa52a5ead9c1b13c99
-  languageName: node
-  linkType: hard
-
-"delayed-stream@npm:~1.0.0":
-  version: 1.0.0
-  resolution: "delayed-stream@npm:1.0.0"
-  checksum: 46fe6e83e2cb1d85ba50bd52803c68be9bd953282fa7096f51fc29edd5d67ff84ff753c51966061e5ba7cb5e47ef6d36a91924eddb7f3f3483b1c560f77a0020
-  languageName: node
-  linkType: hard
-
-"delegate@npm:^3.1.2":
-  version: 3.2.0
-  resolution: "delegate@npm:3.2.0"
-  checksum: d943058fe05897228b158cbd1bab05164df28c8f54127873231d6b03b0a5acc1b3ee1f98ac70ccc9b79cd84aa47118a7de111fee2923753491583905069da27d
-  languageName: node
-  linkType: hard
-
-"delegates@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "delegates@npm:1.0.0"
-  checksum: a51744d9b53c164ba9c0492471a1a2ffa0b6727451bdc89e31627fdf4adda9d51277cfcbfb20f0a6f08ccb3c436f341df3e92631a3440226d93a8971724771fd
-  languageName: node
-  linkType: hard
-
-"depd@npm:2.0.0, depd@npm:^2.0.0, depd@npm:~2.0.0":
-  version: 2.0.0
-  resolution: "depd@npm:2.0.0"
-  checksum: abbe19c768c97ee2eed6282d8ce3031126662252c58d711f646921c9623f9052e3e1906443066beec1095832f534e57c523b7333f8e7e0d93051ab6baef5ab3a
-  languageName: node
-  linkType: hard
-
-"depd@npm:~1.1.2":
-  version: 1.1.2
-  resolution: "depd@npm:1.1.2"
-  checksum: 6b406620d269619852885ce15965272b829df6f409724415e0002c8632ab6a8c0a08ec1f0bd2add05dc7bd7507606f7e2cc034fa24224ab829580040b835ecd9
-  languageName: node
-  linkType: hard
-
-"des.js@npm:^1.0.0":
-  version: 1.0.1
-  resolution: "des.js@npm:1.0.1"
-  dependencies:
-    inherits: ^2.0.1
-    minimalistic-assert: ^1.0.0
-  checksum: 1ec2eedd7ed6bd61dd5e0519fd4c96124e93bb22de8a9d211b02d63e5dd152824853d919bb2090f965cc0e3eb9c515950a9836b332020d810f9c71feb0fd7df4
-  languageName: node
-  linkType: hard
-
-"destroy@npm:1.2.0":
-  version: 1.2.0
-  resolution: "destroy@npm:1.2.0"
-  checksum: 0acb300b7478a08b92d810ab229d5afe0d2f4399272045ab22affa0d99dbaf12637659411530a6fcd597a9bdac718fc94373a61a95b4651bbc7b83684a565e38
-  languageName: node
-  linkType: hard
-
-"destroy@npm:~1.0.4":
-  version: 1.0.4
-  resolution: "destroy@npm:1.0.4"
-  checksum: da9ab4961dc61677c709da0c25ef01733042614453924d65636a7db37308fef8a24cd1e07172e61173d471ca175371295fbc984b0af5b2b4ff47cd57bd784c03
-  languageName: node
-  linkType: hard
-
-"detect-file@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "detect-file@npm:1.0.0"
-  checksum: 1861e4146128622e847abe0e1ed80fef01e78532665858a792267adf89032b7a9c698436137707fcc6f02956c2a6a0052d6a0cef5be3d4b76b1ff0da88e2158a
-  languageName: node
-  linkType: hard
-
-"detect-indent@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "detect-indent@npm:4.0.0"
-  dependencies:
-    repeating: ^2.0.0
-  checksum: 328f273915c1610899bc7d4784ce874413d0a698346364cd3ee5d79afba1c5cf4dbc97b85a801e20f4d903c0598bd5096af32b800dfb8696b81464ccb3dfda2c
-  languageName: node
-  linkType: hard
-
-"detect-indent@npm:^6.0.0":
-  version: 6.0.0
-  resolution: "detect-indent@npm:6.0.0"
-  checksum: 0c38f362016e2d07af1c65b1ecd6ad8a91f06bfdd11383887c867a495ad286d04be2ab44027ac42444704d523982013115bd748c1541df7c9396ad76b22aaf5d
-  languageName: node
-  linkType: hard
-
-"detect-newline@npm:3.1.0":
-  version: 3.1.0
-  resolution: "detect-newline@npm:3.1.0"
-  checksum: ae6cd429c41ad01b164c59ea36f264a2c479598e61cba7c99da24175a7ab80ddf066420f2bec9a1c57a6bead411b4655ff15ad7d281c000a89791f48cbe939e7
-  languageName: node
-  linkType: hard
-
-"dialog-polyfill@npm:^0.5.6":
-  version: 0.5.6
-  resolution: "dialog-polyfill@npm:0.5.6"
-  checksum: dde8d4b6a62b63b710e0d0d70b615d92ff08f3cb2b521e1f99b17e8220d9d55d0fdf9fc17fbe77b0ff1be817094e14b60c4c4bacd5456fba427ede48d2d90230
-  languageName: node
-  linkType: hard
-
-"diff-match-patch@npm:^1.0.0":
-  version: 1.0.5
-  resolution: "diff-match-patch@npm:1.0.5"
-  checksum: 841522d01b09cccbc4e4402cf61514a81b906349a7d97b67222390f2d35cf5df277cb23959eeed212d5e46afb5629cebab41b87918672c5a05c11c73688630e3
-  languageName: node
-  linkType: hard
-
-"diff@npm:^3.5.0":
-  version: 3.5.0
-  resolution: "diff@npm:3.5.0"
-  checksum: 00842950a6551e26ce495bdbce11047e31667deea546527902661f25cc2e73358967ebc78cf86b1a9736ec3e14286433225f9970678155753a6291c3bca5227b
-  languageName: node
-  linkType: hard
-
-"diff@npm:^5.1.0":
-  version: 5.1.0
-  resolution: "diff@npm:5.1.0"
-  checksum: c7bf0df7c9bfbe1cf8a678fd1b2137c4fb11be117a67bc18a0e03ae75105e8533dbfb1cda6b46beb3586ef5aed22143ef9d70713977d5fb1f9114e21455fba90
-  languageName: node
-  linkType: hard
-
-"diffie-hellman@npm:^5.0.0":
-  version: 5.0.3
-  resolution: "diffie-hellman@npm:5.0.3"
-  dependencies:
-    bn.js: ^4.1.0
-    miller-rabin: ^4.0.0
-    randombytes: ^2.0.0
-  checksum: 0e620f322170c41076e70181dd1c24e23b08b47dbb92a22a644f3b89b6d3834b0f8ee19e37916164e5eb1ee26d2aa836d6129f92723995267250a0b541811065
-  languageName: node
-  linkType: hard
-
-"dir-glob@npm:^3.0.1":
-  version: 3.0.1
-  resolution: "dir-glob@npm:3.0.1"
-  dependencies:
-    path-type: ^4.0.0
-  checksum: fa05e18324510d7283f55862f3161c6759a3f2f8dbce491a2fc14c8324c498286c54282c1f0e933cb930da8419b30679389499b919122952a4f8592362ef4615
-  languageName: node
-  linkType: hard
-
-"dlv@npm:^1.1.0":
-  version: 1.1.3
-  resolution: "dlv@npm:1.1.3"
-  checksum: d7381bca22ed11933a1ccf376db7a94bee2c57aa61e490f680124fa2d1cd27e94eba641d9f45be57caab4f9a6579de0983466f620a2cd6230d7ec93312105ae7
-  languageName: node
-  linkType: hard
-
-"doctoc@npm:^2.2.0":
-  version: 2.2.0
-  resolution: "doctoc@npm:2.2.0"
-  dependencies:
-    "@textlint/markdown-to-ast": ^12.1.1
-    anchor-markdown-header: ^0.5.7
-    htmlparser2: ^7.2.0
-    minimist: ^1.2.6
-    underscore: ^1.13.2
-    update-section: ^0.3.3
-  bin:
-    doctoc: doctoc.js
-  checksum: 78973a1275f056c044263d60546cf518beb15b79bd95a93dc5875d6dd46fa0873568661d74830b68e908c8a4465e9fd602eb49468e4d686e43ce4471d34012c3
-  languageName: node
-  linkType: hard
-
-"doctrine@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "doctrine@npm:3.0.0"
-  dependencies:
-    esutils: ^2.0.2
-  checksum: fd7673ca77fe26cd5cba38d816bc72d641f500f1f9b25b83e8ce28827fe2da7ad583a8da26ab6af85f834138cf8dae9f69b0cd6ab925f52ddab1754db44d99ce
-  languageName: node
-  linkType: hard
-
-"dom-serializer@npm:0":
-  version: 0.2.2
-  resolution: "dom-serializer@npm:0.2.2"
-  dependencies:
-    domelementtype: ^2.0.1
-    entities: ^2.0.0
-  checksum: 376344893e4feccab649a14ca1a46473e9961f40fe62479ea692d4fee4d9df1c00ca8654811a79c1ca7b020096987e1ca4fb4d7f8bae32c1db800a680a0e5d5e
-  languageName: node
-  linkType: hard
-
-"dom-serializer@npm:^1.0.1":
-  version: 1.4.1
-  resolution: "dom-serializer@npm:1.4.1"
-  dependencies:
-    domelementtype: ^2.0.1
-    domhandler: ^4.2.0
-    entities: ^2.0.0
-  checksum: fbb0b01f87a8a2d18e6e5a388ad0f7ec4a5c05c06d219377da1abc7bb0f674d804f4a8a94e3f71ff15f6cb7dcfc75704a54b261db672b9b3ab03da6b758b0b22
-  languageName: node
-  linkType: hard
-
-"dom-serializer@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "dom-serializer@npm:2.0.0"
-  dependencies:
-    domelementtype: ^2.3.0
-    domhandler: ^5.0.2
-    entities: ^4.2.0
-  checksum: cd1810544fd8cdfbd51fa2c0c1128ec3a13ba92f14e61b7650b5de421b88205fd2e3f0cc6ace82f13334114addb90ed1c2f23074a51770a8e9c1273acbc7f3e6
-  languageName: node
-  linkType: hard
-
-"domain-browser@npm:^1.1.1":
-  version: 1.2.0
-  resolution: "domain-browser@npm:1.2.0"
-  checksum: 8f1235c7f49326fb762f4675795246a6295e7dd566b4697abec24afdba2460daa7dfbd1a73d31efbf5606b3b7deadb06ce47cf06f0a476e706153d62a4ff2b90
-  languageName: node
-  linkType: hard
-
-"domelementtype@npm:1":
-  version: 1.3.1
-  resolution: "domelementtype@npm:1.3.1"
-  checksum: 7893da40218ae2106ec6ffc146b17f203487a52f5228b032ea7aa470e41dfe03e1bd762d0ee0139e792195efda765434b04b43cddcf63207b098f6ae44b36ad6
-  languageName: node
-  linkType: hard
-
-"domelementtype@npm:^2.0.1, domelementtype@npm:^2.2.0, domelementtype@npm:^2.3.0":
-  version: 2.3.0
-  resolution: "domelementtype@npm:2.3.0"
-  checksum: ee837a318ff702622f383409d1f5b25dd1024b692ef64d3096ff702e26339f8e345820f29a68bcdcea8cfee3531776b3382651232fbeae95612d6f0a75efb4f6
-  languageName: node
-  linkType: hard
-
-"domexception@npm:^2.0.1":
-  version: 2.0.1
-  resolution: "domexception@npm:2.0.1"
-  dependencies:
-    webidl-conversions: ^5.0.0
-  checksum: d638e9cb05c52999f1b2eb87c374b03311ea5b1d69c2f875bc92da73e17db60c12142b45c950228642ff7f845c536b65305483350d080df59003a653da80b691
-  languageName: node
-  linkType: hard
-
-"domhandler@npm:^4.2.0, domhandler@npm:^4.2.2":
-  version: 4.3.1
-  resolution: "domhandler@npm:4.3.1"
-  dependencies:
-    domelementtype: ^2.2.0
-  checksum: 4c665ceed016e1911bf7d1dadc09dc888090b64dee7851cccd2fcf5442747ec39c647bb1cb8c8919f8bbdd0f0c625a6bafeeed4b2d656bbecdbae893f43ffaaa
-  languageName: node
-  linkType: hard
-
-"domhandler@npm:^5.0.1, domhandler@npm:^5.0.2, domhandler@npm:^5.0.3":
-  version: 5.0.3
-  resolution: "domhandler@npm:5.0.3"
-  dependencies:
-    domelementtype: ^2.3.0
-  checksum: 0f58f4a6af63e6f3a4320aa446d28b5790a009018707bce2859dcb1d21144c7876482b5188395a188dfa974238c019e0a1e610d2fc269a12b2c192ea2b0b131c
-  languageName: node
-  linkType: hard
-
-"dompurify@npm:^3.0.2":
-  version: 3.0.2
-  resolution: "dompurify@npm:3.0.2"
-  checksum: 768c3bb2f139ce1e1a53faf81aae6abe03e24d0b043e2fda0b70e91ef15bb1df854a35e82d8c519adfe5b81c24bfdad3e0b1085534bfbf427137cb742406c47f
-  languageName: node
-  linkType: hard
-
-"domutils@npm:^1.7.0":
-  version: 1.7.0
-  resolution: "domutils@npm:1.7.0"
-  dependencies:
-    dom-serializer: 0
-    domelementtype: 1
-  checksum: f60a725b1f73c1ae82f4894b691601ecc6ecb68320d87923ac3633137627c7865725af813ae5d188ad3954283853bcf46779eb50304ec5d5354044569fcefd2b
-  languageName: node
-  linkType: hard
-
-"domutils@npm:^2.8.0":
-  version: 2.8.0
-  resolution: "domutils@npm:2.8.0"
-  dependencies:
-    dom-serializer: ^1.0.1
-    domelementtype: ^2.2.0
-    domhandler: ^4.2.0
-  checksum: abf7434315283e9aadc2a24bac0e00eab07ae4313b40cc239f89d84d7315ebdfd2fb1b5bf750a96bc1b4403d7237c7b2ebf60459be394d625ead4ca89b934391
-  languageName: node
-  linkType: hard
-
-"domutils@npm:^3.0.1":
-  version: 3.0.1
-  resolution: "domutils@npm:3.0.1"
-  dependencies:
-    dom-serializer: ^2.0.0
-    domelementtype: ^2.3.0
-    domhandler: ^5.0.1
-  checksum: 23aa7a840572d395220e173cb6263b0d028596e3950100520870a125af33ff819e6f609e1606d6f7d73bd9e7feb03bb404286e57a39063b5384c62b724d987b3
-  languageName: node
-  linkType: hard
-
-"dot-case@npm:^3.0.4":
-  version: 3.0.4
-  resolution: "dot-case@npm:3.0.4"
-  dependencies:
-    no-case: ^3.0.4
-    tslib: ^2.0.3
-  checksum: a65e3519414856df0228b9f645332f974f2bf5433370f544a681122eab59e66038fc3349b4be1cdc47152779dac71a5864f1ccda2f745e767c46e9c6543b1169
-  languageName: node
-  linkType: hard
-
-"dot-prop@npm:^5.2.0":
-  version: 5.3.0
-  resolution: "dot-prop@npm:5.3.0"
-  dependencies:
-    is-obj: ^2.0.0
-  checksum: d5775790093c234ef4bfd5fbe40884ff7e6c87573e5339432870616331189f7f5d86575c5b5af2dcf0f61172990f4f734d07844b1f23482fff09e3c4bead05ea
-  languageName: node
-  linkType: hard
-
-"duplexify@npm:^3.4.2, duplexify@npm:^3.6.0":
-  version: 3.7.1
-  resolution: "duplexify@npm:3.7.1"
-  dependencies:
-    end-of-stream: ^1.0.0
-    inherits: ^2.0.1
-    readable-stream: ^2.0.0
-    stream-shift: ^1.0.0
-  checksum: 3c2ed2223d956a5da713dae12ba8295acb61d9acd966ccbba938090d04f4574ca4dca75cca089b5077c2d7e66101f32e6ea9b36a78ca213eff574e7a8b8accf2
-  languageName: node
-  linkType: hard
-
-"ecc-jsbn@npm:~0.1.1":
-  version: 0.1.2
-  resolution: "ecc-jsbn@npm:0.1.2"
-  dependencies:
-    jsbn: ~0.1.0
-    safer-buffer: ^2.1.0
-  checksum: 22fef4b6203e5f31d425f5b711eb389e4c6c2723402e389af394f8411b76a488fa414d309d866e2b577ce3e8462d344205545c88a8143cc21752a5172818888a
-  languageName: node
-  linkType: hard
-
-"editions@npm:^1.1.1":
-  version: 1.3.4
-  resolution: "editions@npm:1.3.4"
-  checksum: 8c2041459816db2cacac53598a9bca7928a7de2c5eb0dae532c2273a60ef83acbd807ce33ff1cd5cf7aa547737c55f7f4b52436752df0f13f5936efa329c13f7
-  languageName: node
-  linkType: hard
-
-"editions@npm:^2.2.0":
-  version: 2.3.1
-  resolution: "editions@npm:2.3.1"
-  dependencies:
-    errlop: ^2.0.0
-    semver: ^6.3.0
-  checksum: 0b08a2b50c30e7b046a3096ee66ea326158a147daac5f8c134b4bdfe4d2fe02f9916c8b92d8e86887f2379c3528df2150cc9eb3d5bc25c442b4b380d6d7a754e
-  languageName: node
-  linkType: hard
-
-"ee-first@npm:1.1.1":
-  version: 1.1.1
-  resolution: "ee-first@npm:1.1.1"
-  checksum: 1b4cac778d64ce3b582a7e26b218afe07e207a0f9bfe13cc7395a6d307849cfe361e65033c3251e00c27dd060cab43014c2d6b2647676135e18b77d2d05b3f4f
-  languageName: node
-  linkType: hard
-
-"electron-to-chromium@npm:^1.3.30":
-  version: 1.3.725
-  resolution: "electron-to-chromium@npm:1.3.725"
-  checksum: 90801f5cc30f76495412ce86cef141cd22924ec75c88c276eaa42435d09370d9df5d8127060dae4fdb96a3ea0b0a726ee228788affb997e7f4172f4e54001c5d
-  languageName: node
-  linkType: hard
-
-"electron-to-chromium@npm:^1.3.47":
-  version: 1.4.462
-  resolution: "electron-to-chromium@npm:1.4.462"
-  checksum: ee6e0318ca1144077131036ad87630f8b68c9c4d2c2ce97359731dc676df3518cb88223dc8057187d97e018983e08c003b64d03fba27f98fa53698e758672771
-  languageName: node
-  linkType: hard
-
-"electron-to-chromium@npm:^1.3.723":
-  version: 1.3.906
-  resolution: "electron-to-chromium@npm:1.3.906"
-  checksum: 087330249a424066cbdb882890164b3cb944f0ea293838a1445274428549e5b6c5edd25c353fed733d20d055ba276d4e3b069554b5e06ebfe511134c4f68cf87
-  languageName: node
-  linkType: hard
-
-"electron-to-chromium@npm:^1.3.857":
-  version: 1.3.866
-  resolution: "electron-to-chromium@npm:1.3.866"
-  checksum: 03b4cf46baf631d9022d7d2f1c058899152941a7d3b3e9df02c2fc48d2eb52362637337b3e2e793a533fa30ed9ec844b4a1d56a55c421d64e39cf8080b980d52
-  languageName: node
-  linkType: hard
-
-"electron-to-chromium@npm:^1.3.896":
-  version: 1.4.10
-  resolution: "electron-to-chromium@npm:1.4.10"
-  checksum: 00b9ca97267fc3c865f9888a490e2c1bc2eef80805d8b4337661901d498bf4c771a237f5f7beec294dc847f9096b3a58910da431e4e8cc8dc08871d4630a5860
-  languageName: node
-  linkType: hard
-
-"electron-to-chromium@npm:^1.4.147":
-  version: 1.4.148
-  resolution: "electron-to-chromium@npm:1.4.148"
-  checksum: 3730c2eb46c7d0602b418a5a80e8d37e673c61d7cdc6a431a0d23bf08b6db6375c5f842d9e4285549ef2c5bad9189da34f05f28993fdb43920df5befc72db87a
-  languageName: node
-  linkType: hard
-
-"electron-to-chromium@npm:^1.4.431":
-  version: 1.4.461
-  resolution: "electron-to-chromium@npm:1.4.461"
-  checksum: 84960b8fe41a1a97f47962f7ec509d94efffc8361286d55f360f81ce0804029af886796c576eb2c0a6011347ba0903c551476808f0614dc94b4564abaf415e70
-  languageName: node
-  linkType: hard
-
-"electron-to-chromium@npm:^1.4.84":
-  version: 1.4.99
-  resolution: "electron-to-chromium@npm:1.4.99"
-  checksum: 7efb73368db78b55bc1c9563364f69f2715f085ac2a0e9b8dab0f319025fbd6464e0eaf47eb5e447f1d4e76f9de919bec5e338bf87443ad8dcb34b2829fc82b7
-  languageName: node
-  linkType: hard
-
-"elliptic@npm:^6.5.3":
-  version: 6.5.4
-  resolution: "elliptic@npm:6.5.4"
-  dependencies:
-    bn.js: ^4.11.9
-    brorand: ^1.1.0
-    hash.js: ^1.0.0
-    hmac-drbg: ^1.0.1
-    inherits: ^2.0.4
-    minimalistic-assert: ^1.0.1
-    minimalistic-crypto-utils: ^1.0.1
-  checksum: d56d21fd04e97869f7ffcc92e18903b9f67f2d4637a23c860492fbbff5a3155fd9ca0184ce0c865dd6eb2487d234ce9551335c021c376cd2d3b7cb749c7d10f4
-  languageName: node
-  linkType: hard
-
-"ember-a11y-refocus@npm:^3.0.2":
-  version: 3.0.2
-  resolution: "ember-a11y-refocus@npm:3.0.2"
-  dependencies:
-    ember-cli-babel: ^7.26.11
-    ember-cli-htmlbars: ^6.0.1
-  checksum: c192e80514adad4928207f4025975f225fde0b135a9156f257999dc49a8eb16b84d6f7a8c489b33a87a17c5b6325e48fc152055e6d4ecee45cdddfd2cd4d2c0a
-  languageName: node
-  linkType: hard
-
-"ember-arg-types@npm:^1.0.0":
-  version: 1.1.0
-  resolution: "ember-arg-types@npm:1.1.0"
-  dependencies:
-    "@embroider/macros": ^1.8.1
-    ember-auto-import: ^2.4.2
-    ember-cli-babel: ^7.26.11
-    ember-cli-typescript: ^5.1.1
-    ember-get-config: ^2.1.1
-    prop-types: ^15.8.1
-  checksum: f31733f7749c51f1751673afd450106faac3cad61cc0406abc0ef2938d7623416e35794a80636f02a082aac047e4321a037c5f61796ec30baaf156216ba6d87b
-  languageName: node
-  linkType: hard
-
-"ember-asset-loader@npm:^0.6.1":
-  version: 0.6.1
-  resolution: "ember-asset-loader@npm:0.6.1"
-  dependencies:
-    broccoli-caching-writer: ^3.0.3
-    broccoli-funnel: ^2.0.2
-    broccoli-merge-trees: ^3.0.2
-    ember-cli-babel: ^7.5.0
-    fs-extra: ^7.0.1
-    object-assign: ^4.1.0
-    walk-sync: ^1.1.3
-  checksum: 1854fb6499e52f59752e8636c21c92105beb2d77b332c30ce310b5f9d51c9239e79f77959fd61aeea53d04c02334cd1d00806ee2d7c3bd27b37a8e6fcff667fc
-  languageName: node
-  linkType: hard
-
-"ember-assign-helper@npm:^0.4.0":
-  version: 0.4.0
-  resolution: "ember-assign-helper@npm:0.4.0"
-  dependencies:
-    ember-cli-babel: ^7.26.0
-    ember-cli-htmlbars: ^6.0.0
-  checksum: 32bbec384c8f78c919d7a6e24cc36c7a48bd0244d3b38c4aa8a17fc1f1b68822f4805a838fec7e1fe35dfcd2832eb9afa146606f625e737ea258127254a5b9d4
-  languageName: node
-  linkType: hard
-
-"ember-auto-import@npm:2.6.3, ember-auto-import@npm:^2.4.2, ember-auto-import@npm:^2.4.3, ember-auto-import@npm:^2.5.0, ember-auto-import@npm:^2.6.3":
-  version: 2.6.3
-  resolution: "ember-auto-import@npm:2.6.3"
-  dependencies:
-    "@babel/core": ^7.16.7
-    "@babel/plugin-proposal-class-properties": ^7.16.7
-    "@babel/plugin-proposal-decorators": ^7.16.7
-    "@babel/preset-env": ^7.16.7
-    "@embroider/macros": ^1.0.0
-    "@embroider/shared-internals": ^2.0.0
-    babel-loader: ^8.0.6
-    babel-plugin-ember-modules-api-polyfill: ^3.5.0
-    babel-plugin-ember-template-compilation: ^2.0.1
-    babel-plugin-htmlbars-inline-precompile: ^5.2.1
-    babel-plugin-syntax-dynamic-import: ^6.18.0
-    broccoli-debug: ^0.6.4
-    broccoli-funnel: ^3.0.8
-    broccoli-merge-trees: ^4.2.0
-    broccoli-plugin: ^4.0.0
-    broccoli-source: ^3.0.0
-    css-loader: ^5.2.0
-    debug: ^4.3.1
-    fs-extra: ^10.0.0
-    fs-tree-diff: ^2.0.0
-    handlebars: ^4.3.1
-    js-string-escape: ^1.0.1
-    lodash: ^4.17.19
-    mini-css-extract-plugin: ^2.5.2
-    parse5: ^6.0.1
-    resolve: ^1.20.0
-    resolve-package-path: ^4.0.3
-    semver: ^7.3.4
-    style-loader: ^2.0.0
-    typescript-memoize: ^1.0.0-alpha.3
-    walk-sync: ^3.0.0
-  checksum: e42c0f9dee74c94a16c8b4d701707f457e8955ad340e68be32375ff32fba030fcaa53aa4e4fd2d482fabe0a320ceabc034520c73601c8d69caa6268093dd0f65
-  languageName: node
-  linkType: hard
-
-"ember-auto-import@npm:^1.12.0":
-  version: 1.12.1
-  resolution: "ember-auto-import@npm:1.12.1"
-  dependencies:
-    "@babel/core": ^7.1.6
-    "@babel/preset-env": ^7.10.2
-    "@babel/traverse": ^7.1.6
-    "@babel/types": ^7.1.6
-    "@embroider/shared-internals": ^1.0.0
-    babel-core: ^6.26.3
-    babel-loader: ^8.0.6
-    babel-plugin-syntax-dynamic-import: ^6.18.0
-    babylon: ^6.18.0
-    broccoli-debug: ^0.6.4
-    broccoli-node-api: ^1.7.0
-    broccoli-plugin: ^4.0.0
-    broccoli-source: ^3.0.0
-    debug: ^3.1.0
-    ember-cli-babel: ^7.0.0
-    enhanced-resolve: ^4.0.0
-    fs-extra: ^6.0.1
-    fs-tree-diff: ^2.0.0
-    handlebars: ^4.3.1
-    js-string-escape: ^1.0.1
-    lodash: ^4.17.19
-    mkdirp: ^0.5.1
-    resolve-package-path: ^3.1.0
-    rimraf: ^2.6.2
-    semver: ^7.3.4
-    symlink-or-copy: ^1.2.0
-    typescript-memoize: ^1.0.0-alpha.3
-    walk-sync: ^0.3.3
-    webpack: ^4.43.0
-  checksum: 8230c3ff6fd222eee7179e0e5c2ea0268702b66400a4b51de4dbc608bdfa8d2236125999b7bfa25dc36acb51d9eb93bcc45aea5783bdf95ad74f7e898014013d
-  languageName: node
-  linkType: hard
-
-"ember-auto-import@npm:^1.2.19":
-  version: 1.11.3
-  resolution: "ember-auto-import@npm:1.11.3"
-  dependencies:
-    "@babel/core": ^7.1.6
-    "@babel/preset-env": ^7.10.2
-    "@babel/traverse": ^7.1.6
-    "@babel/types": ^7.1.6
-    "@embroider/core": ^0.33.0
-    babel-core: ^6.26.3
-    babel-loader: ^8.0.6
-    babel-plugin-syntax-dynamic-import: ^6.18.0
-    babylon: ^6.18.0
-    broccoli-debug: ^0.6.4
-    broccoli-node-api: ^1.7.0
-    broccoli-plugin: ^4.0.0
-    broccoli-source: ^3.0.0
-    debug: ^3.1.0
-    ember-cli-babel: ^7.0.0
-    enhanced-resolve: ^4.0.0
-    fs-extra: ^6.0.1
-    fs-tree-diff: ^2.0.0
-    handlebars: ^4.3.1
-    js-string-escape: ^1.0.1
-    lodash: ^4.17.19
-    mkdirp: ^0.5.1
-    resolve-package-path: ^3.1.0
-    rimraf: ^2.6.2
-    semver: ^7.3.4
-    symlink-or-copy: ^1.2.0
-    typescript-memoize: ^1.0.0-alpha.3
-    walk-sync: ^0.3.3
-    webpack: ^4.43.0
-  checksum: 2ac4e08696f46b4e9e1ada49c068d5ca7a338e063ea47e332f81e72613ae287479504b1246e97b31bed7ca6a84ec7928d250e0de6f5bc7c6412a7e537532684b
-  languageName: node
-  linkType: hard
-
-"ember-auto-import@npm:^2.4.1":
-  version: 2.4.2
-  resolution: "ember-auto-import@npm:2.4.2"
-  dependencies:
-    "@babel/core": ^7.16.7
-    "@babel/plugin-proposal-class-properties": ^7.16.7
-    "@babel/plugin-proposal-decorators": ^7.16.7
-    "@babel/preset-env": ^7.16.7
-    "@embroider/macros": ^1.0.0
-    "@embroider/shared-internals": ^1.0.0
-    babel-loader: ^8.0.6
-    babel-plugin-ember-modules-api-polyfill: ^3.5.0
-    babel-plugin-htmlbars-inline-precompile: ^5.2.1
-    babel-plugin-syntax-dynamic-import: ^6.18.0
-    broccoli-debug: ^0.6.4
-    broccoli-funnel: ^3.0.8
-    broccoli-merge-trees: ^4.2.0
-    broccoli-plugin: ^4.0.0
-    broccoli-source: ^3.0.0
-    css-loader: ^5.2.0
-    debug: ^4.3.1
-    fs-extra: ^10.0.0
-    fs-tree-diff: ^2.0.0
-    handlebars: ^4.3.1
-    js-string-escape: ^1.0.1
-    lodash: ^4.17.19
-    mini-css-extract-plugin: ^2.5.2
-    parse5: ^6.0.1
-    resolve: ^1.20.0
-    resolve-package-path: ^4.0.3
-    semver: ^7.3.4
-    style-loader: ^2.0.0
-    typescript-memoize: ^1.0.0-alpha.3
-    walk-sync: ^3.0.0
-  checksum: f7c4e4bab62b124c03955b8b382d6bf9c170c1ad5605bb019cbb1baf63065b482b8767a2e4922682fbc54c701f0296601e7ed50965bd4c741dab6cfff43c6de5
-  languageName: node
-  linkType: hard
-
-"ember-basic-dropdown@npm:6.0.1":
-  version: 6.0.1
-  resolution: "ember-basic-dropdown@npm:6.0.1"
-  dependencies:
-    "@ember/render-modifiers": ^2.0.4
-    "@embroider/macros": ^1.2.0
-    "@embroider/util": ^1.2.0
-    "@glimmer/component": ^1.0.4
-    "@glimmer/tracking": ^1.0.4
-    ember-cli-babel: ^7.26.11
-    ember-cli-htmlbars: ^6.0.1
-    ember-cli-typescript: ^4.2.1
-    ember-element-helper: ^0.6.0
-    ember-get-config: ^1.0.2 || ^2.0.0
-    ember-maybe-in-element: ^2.0.3
-    ember-modifier: ^3.2.7
-    ember-style-modifier: ^0.8.0
-    ember-truth-helpers: ^2.1.0 || ^3.0.0
-  checksum: d6f00f202140d09a0c3d62d9104c5f63eb6b0f7228a17a3f2f9e37da66c82d6ba01503261ed886190ebb0afc3d737f6bc6ad609115528176bd81f72e5930508f
-  languageName: node
-  linkType: hard
-
-"ember-cache-primitive-polyfill@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "ember-cache-primitive-polyfill@npm:1.0.1"
-  dependencies:
-    ember-cli-babel: ^7.22.1
-    ember-cli-version-checker: ^5.1.1
-    ember-compatibility-helpers: ^1.2.1
-    silent-error: ^1.1.1
-  checksum: d0b091e940837e276364d14758d7149fb7b9e5eb99e271f97012f9b92952cf6854132195dc9c36b9fcd40d8495608e7044f9d6179f2f9e15003d9a4cbcf73b49
-  languageName: node
-  linkType: hard
-
-"ember-cached-decorator-polyfill@npm:^0.1.4":
-  version: 0.1.4
-  resolution: "ember-cached-decorator-polyfill@npm:0.1.4"
-  dependencies:
-    "@glimmer/tracking": ^1.0.4
-    ember-cache-primitive-polyfill: ^1.0.1
-    ember-cli-babel: ^7.21.0
-    ember-cli-babel-plugin-helpers: ^1.1.1
-  checksum: 8f8228e8fe578a78045c00cfd9ffc124dd287e45908e912dba9823ba48a14c1cb7e15fce64f4a034b68edcf6987c51c0500fbab7825e982ea4708672b019780a
-  languageName: node
-  linkType: hard
-
-"ember-cached-decorator-polyfill@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "ember-cached-decorator-polyfill@npm:1.0.1"
-  dependencies:
-    "@embroider/macros": ^1.8.3
-    "@glimmer/tracking": ^1.1.2
-    babel-import-util: ^1.2.2
-    ember-cache-primitive-polyfill: ^1.0.1
-    ember-cli-babel: ^7.26.11
-    ember-cli-babel-plugin-helpers: ^1.1.1
-  peerDependencies:
-    ember-source: ^3.13.0 || ^4.0.0
-  checksum: b2589490d897da9f560abc1858c2090fc027a54267dfaa5780ee376e00cec1183b84400df9125f6c25bd7d2b465818d63abb98bb07b3eec0a18b3206a918b804
-  languageName: node
-  linkType: hard
-
-"ember-cli-autoprefixer@npm:^0.8.1":
-  version: 0.8.1
-  resolution: "ember-cli-autoprefixer@npm:0.8.1"
-  dependencies:
-    broccoli-autoprefixer: ^5.0.0
-    lodash: ^4.0.0
-  checksum: b756a311abe4d3e91cd170fa801d0cb5601f7e6d2b9d7406018719636479ee80e1ec3ca633ca1419971ec56bf5417bc6000fc2a128bd3e3f2ddbe4e22d8ea8da
-  languageName: node
-  linkType: hard
-
-"ember-cli-babel-plugin-helpers@npm:^1.0.0, ember-cli-babel-plugin-helpers@npm:^1.1.0, ember-cli-babel-plugin-helpers@npm:^1.1.1":
-  version: 1.1.1
-  resolution: "ember-cli-babel-plugin-helpers@npm:1.1.1"
-  checksum: 3dc684317dbc4728d41a61de13d2fb1de5227105c1ba9194005647d2724b469d43aba3b1fa73622f2b5cd04c8283a15568b3a0044ec7a5036c17f336ac098ff5
-  languageName: node
-  linkType: hard
-
-"ember-cli-babel@npm:^6.6.0":
-  version: 6.18.0
-  resolution: "ember-cli-babel@npm:6.18.0"
-  dependencies:
-    amd-name-resolver: 1.2.0
-    babel-plugin-debug-macros: ^0.2.0-beta.6
-    babel-plugin-ember-modules-api-polyfill: ^2.6.0
-    babel-plugin-transform-es2015-modules-amd: ^6.24.0
-    babel-polyfill: ^6.26.0
-    babel-preset-env: ^1.7.0
-    broccoli-babel-transpiler: ^6.5.0
-    broccoli-debug: ^0.6.4
-    broccoli-funnel: ^2.0.0
-    broccoli-source: ^1.1.0
-    clone: ^2.0.0
-    ember-cli-version-checker: ^2.1.2
-    semver: ^5.5.0
-  checksum: 01f216a964f03660ee1d95ef73a7c07b315d7407b553d01410854f9421638fee084cec50fb7464c7bace72a7cf07053f95b377fd8399f69c7e0bbcba77e9655d
-  languageName: node
-  linkType: hard
-
-"ember-cli-babel@npm:^7.0.0, ember-cli-babel@npm:^7.1.2, ember-cli-babel@npm:^7.1.3, ember-cli-babel@npm:^7.10.0, ember-cli-babel@npm:^7.13.0, ember-cli-babel@npm:^7.13.2, ember-cli-babel@npm:^7.18.0, ember-cli-babel@npm:^7.19.0, ember-cli-babel@npm:^7.20.0, ember-cli-babel@npm:^7.21.0, ember-cli-babel@npm:^7.22.1, ember-cli-babel@npm:^7.23.0, ember-cli-babel@npm:^7.23.1, ember-cli-babel@npm:^7.26.0, ember-cli-babel@npm:^7.26.1, ember-cli-babel@npm:^7.26.11, ember-cli-babel@npm:^7.26.3, ember-cli-babel@npm:^7.26.4, ember-cli-babel@npm:^7.26.5, ember-cli-babel@npm:^7.26.6, ember-cli-babel@npm:^7.26.8, ember-cli-babel@npm:^7.5.0, ember-cli-babel@npm:^7.7.3":
-  version: 7.26.11
-  resolution: "ember-cli-babel@npm:7.26.11"
-  dependencies:
-    "@babel/core": ^7.12.0
-    "@babel/helper-compilation-targets": ^7.12.0
-    "@babel/plugin-proposal-class-properties": ^7.16.5
-    "@babel/plugin-proposal-decorators": ^7.13.5
-    "@babel/plugin-proposal-private-methods": ^7.16.5
-    "@babel/plugin-proposal-private-property-in-object": ^7.16.5
-    "@babel/plugin-transform-modules-amd": ^7.13.0
-    "@babel/plugin-transform-runtime": ^7.13.9
-    "@babel/plugin-transform-typescript": ^7.13.0
-    "@babel/polyfill": ^7.11.5
-    "@babel/preset-env": ^7.16.5
-    "@babel/runtime": 7.12.18
-    amd-name-resolver: ^1.3.1
-    babel-plugin-debug-macros: ^0.3.4
-    babel-plugin-ember-data-packages-polyfill: ^0.1.2
-    babel-plugin-ember-modules-api-polyfill: ^3.5.0
-    babel-plugin-module-resolver: ^3.2.0
-    broccoli-babel-transpiler: ^7.8.0
-    broccoli-debug: ^0.6.4
-    broccoli-funnel: ^2.0.2
-    broccoli-source: ^2.1.2
-    calculate-cache-key-for-tree: ^2.0.0
-    clone: ^2.1.2
-    ember-cli-babel-plugin-helpers: ^1.1.1
-    ember-cli-version-checker: ^4.1.0
-    ensure-posix-path: ^1.0.2
-    fixturify-project: ^1.10.0
-    resolve-package-path: ^3.1.0
-    rimraf: ^3.0.1
-    semver: ^5.5.0
-  checksum: 72b2819018d4d29b5250284cab5fa992a7fd6b0cf958a1fc4abed4a4f6394c0aca4ee32d4c8981d8643fef7280763fadf70ebd807f262967899f4898679bcb90
-  languageName: node
-  linkType: hard
-
-"ember-cli-clipboard@npm:^1.0.0":
-  version: 1.1.0
-  resolution: "ember-cli-clipboard@npm:1.1.0"
-  dependencies:
-    "@embroider/macros": ^1.10.0
-    clipboard: ^2.0.11
-    ember-arg-types: ^1.0.0
-    ember-auto-import: ^2.4.2
-    ember-cli-babel: ^7.26.11
-    ember-cli-htmlbars: ^6.1.0
-    ember-modifier: ^3.2.7 || ^4.1.0
-    prop-types: ^15.8.1
-  checksum: 8977ddf744de59662012421feed13e2cd14f6658bc2742504dd5972d0c1181abd8be30085f8dfaaa4f8478fac162eb6ede912ef5c69159d03dac9cb5a6c0bd31
-  languageName: node
-  linkType: hard
-
-"ember-cli-content-security-policy@npm:2.0.3":
-  version: 2.0.3
-  resolution: "ember-cli-content-security-policy@npm:2.0.3"
-  dependencies:
-    body-parser: ^1.17.0
-    chalk: ^4.1.1
-    debug: ^4.3.1
-    ember-cli-babel: ^7.26.3
-    ember-cli-version-checker: ^5.0.2
-  checksum: d628b8e4ee603471182118b5cde23928f5d13f3d93c031625f960de133391e121d1022706dbf3682ace52187f5df9c6aebdd228104a220a11669d34989ac5f63
-  languageName: node
-  linkType: hard
-
-"ember-cli-dependency-checker@npm:^3.3.1":
-  version: 3.3.1
-  resolution: "ember-cli-dependency-checker@npm:3.3.1"
-  dependencies:
-    chalk: ^2.3.0
-    find-yarn-workspace-root: ^1.1.0
-    is-git-url: ^1.0.0
-    resolve: ^1.5.0
-    semver: ^5.3.0
-  peerDependencies:
-    ember-cli: ^3.2.0 || ^4.0.0
-  checksum: 41d27cb4ccd056b9013ef00fa0f4e9133a5769b82bef8427ceaca3d9b773f901a4fbea6ad87748a6ae456d0051ed12f4e664212ca3c290d14704c3a2d710ad72
-  languageName: node
-  linkType: hard
-
-"ember-cli-deprecation-workflow@npm:^2.1.0":
-  version: 2.1.0
-  resolution: "ember-cli-deprecation-workflow@npm:2.1.0"
-  dependencies:
-    broccoli-funnel: ^3.0.3
-    broccoli-merge-trees: ^4.2.0
-    broccoli-plugin: ^4.0.5
-    ember-cli-htmlbars: ^5.3.2
-  checksum: 3382d34001db61fa04069d0f5f143b39fbeeac124d961dbef932c5a15b67669b8124c504018c7333b2716e2d7a5b299eae53591d8e55bafe447fda7aefaa2deb
-  languageName: node
-  linkType: hard
-
-"ember-cli-flash@npm:4.0.0":
-  version: 4.0.0
-  resolution: "ember-cli-flash@npm:4.0.0"
-  dependencies:
-    "@ember/render-modifiers": ^2.0.2
-    "@glimmer/component": ^1.1.2
-    "@glimmer/tracking": ^1.1.2
-    ember-auto-import: ^2.4.1
-    ember-cli-babel: ^7.26.11
-    ember-cli-htmlbars: ^6.0.1
-  checksum: 30cc3c18bae61332688eafe6af4d1ee8e6cd545b08ce276cf1ab761ed6dc1a172265ab01648bbf11d087d7896e3245a6679037a51a0c7eff4e44b942c125ecbd
-  languageName: node
-  linkType: hard
-
-"ember-cli-get-component-path-option@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "ember-cli-get-component-path-option@npm:1.0.0"
-  checksum: 4a4d9b2b0cb05c69fad962b1787b65d9bca0c64aa161c2f12d172b9af6ef951d33dd1ac38bfa7468a4a11a08a17dda2912fd47cb92cbfd8795fe2e8008e155e4
-  languageName: node
-  linkType: hard
-
-"ember-cli-htmlbars@npm:^4.3.1":
-  version: 4.5.0
-  resolution: "ember-cli-htmlbars@npm:4.5.0"
-  dependencies:
-    "@ember/edition-utils": ^1.2.0
-    babel-plugin-htmlbars-inline-precompile: ^3.2.0
-    broccoli-debug: ^0.6.5
-    broccoli-persistent-filter: ^2.3.1
-    broccoli-plugin: ^3.1.0
-    common-tags: ^1.8.0
-    ember-cli-babel-plugin-helpers: ^1.1.0
-    fs-tree-diff: ^2.0.1
-    hash-for-dep: ^1.5.1
-    heimdalljs-logger: ^0.1.10
-    json-stable-stringify: ^1.0.1
-    semver: ^6.3.0
-    strip-bom: ^4.0.0
-    walk-sync: ^2.0.2
-  checksum: 4cecd9e5df64fc9df22ea944b2ab86dd88d3bd105b22b46e810856a050d617f73610645c1e91ff018836e73f4b488a14217a3d767557c1fa663494b54de93af6
-  languageName: node
-  linkType: hard
-
-"ember-cli-htmlbars@npm:^5.2.0, ember-cli-htmlbars@npm:^5.3.2":
-  version: 5.7.2
-  resolution: "ember-cli-htmlbars@npm:5.7.2"
-  dependencies:
-    "@ember/edition-utils": ^1.2.0
-    babel-plugin-htmlbars-inline-precompile: ^5.0.0
-    broccoli-debug: ^0.6.5
-    broccoli-persistent-filter: ^3.1.2
-    broccoli-plugin: ^4.0.3
-    common-tags: ^1.8.0
-    ember-cli-babel-plugin-helpers: ^1.1.1
-    ember-cli-version-checker: ^5.1.2
-    fs-tree-diff: ^2.0.1
-    hash-for-dep: ^1.5.1
-    heimdalljs-logger: ^0.1.10
-    json-stable-stringify: ^1.0.1
-    semver: ^7.3.4
-    silent-error: ^1.1.1
-    strip-bom: ^4.0.0
-    walk-sync: ^2.2.0
-  checksum: 57cfba7311969f2f6ae463cb7be153b10d1384469e7e61fc645bf6eca5c8bb7dbdf42cab757adf05299971b426a19ad6cc3f045d2cbf72304405eb93cc1af998
-  languageName: node
-  linkType: hard
-
-"ember-cli-htmlbars@npm:^5.3.1, ember-cli-htmlbars@npm:^5.7.1":
-  version: 5.7.1
-  resolution: "ember-cli-htmlbars@npm:5.7.1"
-  dependencies:
-    "@ember/edition-utils": ^1.2.0
-    babel-plugin-htmlbars-inline-precompile: ^5.0.0
-    broccoli-debug: ^0.6.5
-    broccoli-persistent-filter: ^3.1.2
-    broccoli-plugin: ^4.0.3
-    common-tags: ^1.8.0
-    ember-cli-babel-plugin-helpers: ^1.1.1
-    ember-cli-version-checker: ^5.1.2
-    fs-tree-diff: ^2.0.1
-    hash-for-dep: ^1.5.1
-    heimdalljs-logger: ^0.1.10
-    json-stable-stringify: ^1.0.1
-    semver: ^7.3.4
-    silent-error: ^1.1.1
-    strip-bom: ^4.0.0
-    walk-sync: ^2.2.0
-  checksum: 6212c33dfc5c99fdac8bbd5381a9fd8cd855eb2f3e9c03e3cf3f9466bbc0163c7d4472593611de221e785eb19124330c01ba1f16224bd94a3804527b2a5d2efb
-  languageName: node
-  linkType: hard
-
-"ember-cli-htmlbars@npm:^6.0.0, ember-cli-htmlbars@npm:^6.0.1":
-  version: 6.0.1
-  resolution: "ember-cli-htmlbars@npm:6.0.1"
-  dependencies:
-    "@ember/edition-utils": ^1.2.0
-    babel-plugin-ember-template-compilation: ^1.0.0
-    babel-plugin-htmlbars-inline-precompile: ^5.3.0
-    broccoli-debug: ^0.6.5
-    broccoli-persistent-filter: ^3.1.2
-    broccoli-plugin: ^4.0.3
-    ember-cli-version-checker: ^5.1.2
-    fs-tree-diff: ^2.0.1
-    hash-for-dep: ^1.5.1
-    heimdalljs-logger: ^0.1.10
-    json-stable-stringify: ^1.0.1
-    semver: ^7.3.4
-    silent-error: ^1.1.1
-    strip-bom: ^4.0.0
-    walk-sync: ^2.2.0
-  checksum: ba5593c7ce2db52ac7171a6e7a9ebbcf5b9d3dc0f4e357acbb59f1eca1a6b4d16c00be7f8370c6fa95f364f4f3863b81d9477cfd461e0fd9ba56abbc527b6a14
-  languageName: node
-  linkType: hard
-
-"ember-cli-htmlbars@npm:^6.1.0":
-  version: 6.1.1
-  resolution: "ember-cli-htmlbars@npm:6.1.1"
-  dependencies:
-    "@ember/edition-utils": ^1.2.0
-    babel-plugin-ember-template-compilation: ^1.0.0
-    babel-plugin-htmlbars-inline-precompile: ^5.3.0
-    broccoli-debug: ^0.6.5
-    broccoli-persistent-filter: ^3.1.2
-    broccoli-plugin: ^4.0.3
-    ember-cli-version-checker: ^5.1.2
-    fs-tree-diff: ^2.0.1
-    hash-for-dep: ^1.5.1
-    heimdalljs-logger: ^0.1.10
-    js-string-escape: ^1.0.1
-    semver: ^7.3.4
-    silent-error: ^1.1.1
-    walk-sync: ^2.2.0
-  checksum: d75fbe973196bdc1df6a04a11310064125108eb105e903a842698f0dd6c133d2e1699860ea1c8237d0c62f92b01da4ebc7b672e862b2e572922f0f86f243a9a1
-  languageName: node
-  linkType: hard
-
-"ember-cli-htmlbars@npm:^6.1.1, ember-cli-htmlbars@npm:^6.2.0":
-  version: 6.2.0
-  resolution: "ember-cli-htmlbars@npm:6.2.0"
-  dependencies:
-    "@ember/edition-utils": ^1.2.0
-    babel-plugin-ember-template-compilation: ^2.0.0
-    babel-plugin-htmlbars-inline-precompile: ^5.3.0
-    broccoli-debug: ^0.6.5
-    broccoli-persistent-filter: ^3.1.2
-    broccoli-plugin: ^4.0.3
-    ember-cli-version-checker: ^5.1.2
-    fs-tree-diff: ^2.0.1
-    hash-for-dep: ^1.5.1
-    heimdalljs-logger: ^0.1.10
-    js-string-escape: ^1.0.1
-    semver: ^7.3.4
-    silent-error: ^1.1.1
-    walk-sync: ^2.2.0
-  checksum: 1a0f94152ae381aed4c0300f4d8e756d60bfc4dfd1357fd49a0d36d420d65d6dc3f5761e604976f63edd11bc264959dddbd1b4c8401e9922711eafc748f4df92
-  languageName: node
-  linkType: hard
-
-"ember-cli-inject-live-reload@npm:^2.1.0":
-  version: 2.1.0
-  resolution: "ember-cli-inject-live-reload@npm:2.1.0"
-  dependencies:
-    clean-base-url: ^1.0.0
-    ember-cli-version-checker: ^3.1.3
-  checksum: 423bd479d29e58c19d3d8232b1d025fdd070006b2a59b2b14fc252372aa227da7ac56fdea7fbf4c518b37705b328190c58e4ffacb8f6ce81f6cfb42c1262c591
-  languageName: node
-  linkType: hard
-
-"ember-cli-is-package-missing@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "ember-cli-is-package-missing@npm:1.0.0"
-  checksum: a2c4950a644827ae9236c39cf27d6e79d3cb06ee50154f64a1bd72f4abda8dcd542759a45ed47f77731baea9edb7d672145d1faf38b29aab287b281713e14760
-  languageName: node
-  linkType: hard
-
-"ember-cli-lodash-subset@npm:^2.0.1":
-  version: 2.0.1
-  resolution: "ember-cli-lodash-subset@npm:2.0.1"
-  checksum: 2667cd59443a67a04cf6f9cc402ffd7f6dac1c987b4908e3178481fd6ea0d492706f7999f8e6a2d4b97b136fe42e62457b569e96e91af78a1b096aa69d14984e
-  languageName: node
-  linkType: hard
-
-"ember-cli-mirage@npm:2.4.0":
-  version: 2.4.0
-  resolution: "ember-cli-mirage@npm:2.4.0"
-  dependencies:
-    "@embroider/macros": ^0.41.0
-    broccoli-file-creator: ^2.1.1
-    broccoli-funnel: ^3.0.3
-    broccoli-merge-trees: ^4.2.0
-    ember-auto-import: ^1.12.0
-    ember-cli-babel: ^7.26.6
-    ember-destroyable-polyfill: ^2.0.3
-    ember-get-config: 0.2.4 - 0.5.0
-    ember-inflector: ^2.0.0 || ^3.0.0 || ^4.0.2
-    lodash-es: ^4.17.11
-    miragejs: ^0.1.43
-  peerDependencies:
-    "@ember/test-helpers": "*"
-    ember-data: "*"
-    ember-qunit: "*"
-  peerDependenciesMeta:
-    "@ember/test-helpers":
-      optional: true
-    ember-data:
-      optional: true
-    ember-qunit:
-      optional: true
-  checksum: 459aed2d946ebb9d378e30b3b902157df4378ffc2f1686fa7179ee031240a1733d0b516c5813855ef701c2cc7359b2dccc7a60ddad87f7a5140a4057b5645b5a
-  languageName: node
-  linkType: hard
-
-"ember-cli-node-assets@npm:^0.2.2":
-  version: 0.2.2
-  resolution: "ember-cli-node-assets@npm:0.2.2"
-  dependencies:
-    broccoli-funnel: ^1.0.1
-    broccoli-merge-trees: ^1.1.1
-    broccoli-source: ^1.1.0
-    debug: ^2.2.0
-    lodash: ^4.5.1
-    resolve: ^1.1.7
-  checksum: 860abfe536ad951286b86f04d1700529b371396d4e742ba6cbdd371144ff018b91907e2997e8486423bbe1e086f2ab97169e648c5360cd0949d70050e84919be
-  languageName: node
-  linkType: hard
-
-"ember-cli-normalize-entity-name@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "ember-cli-normalize-entity-name@npm:1.0.0"
-  dependencies:
-    silent-error: ^1.0.0
-  checksum: 0f56d4714e59f7b2f40b9e070f5ad69be1171c48e614348d4e15bcb43e3495e7c5dc91b51b7a59fb88683b8a599010716fc2ca3ded3d7e201290efbae91a1bc5
-  languageName: node
-  linkType: hard
-
-"ember-cli-page-object@npm:1.17.10":
-  version: 1.17.10
-  resolution: "ember-cli-page-object@npm:1.17.10"
-  dependencies:
-    broccoli-file-creator: ^2.1.1
-    broccoli-merge-trees: ^2.0.0
-    ceibo: ~2.0.0
-    ember-cli-babel: ^7.26.1
-    ember-cli-node-assets: ^0.2.2
-    ember-native-dom-helpers: ^0.7.0
-    jquery: ^3.4.1
-    rsvp: ^4.7.0
-  checksum: 214e8358b92d04875ce6f5c90d3f4fbf9aaddabcf096f1c4380a03259c4c8c62b043cb49748b4c29acf1295731ba27a270a2e01f16993c086f0166e8dbff34cd
-  languageName: node
-  linkType: hard
-
-"ember-cli-path-utils@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "ember-cli-path-utils@npm:1.0.0"
-  checksum: 15652e41e040bb1c204705d6502f2f499686fba068ccddb7871fd4db7c0e71a93768480f1fe2cdef62470bdd1ce41c49c99699f5fff1c6b5abc3c875368cadae
-  languageName: node
-  linkType: hard
-
-"ember-cli-preprocess-registry@npm:^3.3.0":
-  version: 3.3.0
-  resolution: "ember-cli-preprocess-registry@npm:3.3.0"
-  dependencies:
-    broccoli-clean-css: ^1.1.0
-    broccoli-funnel: ^2.0.1
-    debug: ^3.0.1
-    process-relative-require: ^1.0.0
-  checksum: 7b0a19b0842b6283a3ce7b0ccb77aa08ea3134bb8ada5952b4fb43e0a46a583c178e815e6573869fcaeccb4530fb975986b80d8a9d365811c471bcbf9cd98c95
-  languageName: node
-  linkType: hard
-
-"ember-cli-sass@npm:11.0.1":
-  version: 11.0.1
-  resolution: "ember-cli-sass@npm:11.0.1"
-  dependencies:
-    broccoli-funnel: ^2.0.1
-    broccoli-merge-trees: ^3.0.1
-    broccoli-sass-source-maps: ^4.0.0
-    ember-cli-version-checker: ^2.1.0
-  checksum: 5f690b60be6b0d49b542c89c4ee51d17798c2ddee1dfa0d28fd3e92bc5ebf16df522f5c799abf247f1bf6190f0c75cf6cc0560400db0f004606c2b6e5631f0de
-  languageName: node
-  linkType: hard
-
-"ember-cli-sass@npm:^10.0.1":
-  version: 10.0.1
-  resolution: "ember-cli-sass@npm:10.0.1"
-  dependencies:
-    broccoli-funnel: ^2.0.1
-    broccoli-merge-trees: ^3.0.1
-    broccoli-sass-source-maps: ^4.0.0
-    ember-cli-version-checker: ^2.1.0
-  checksum: 99eb9045b19c82851a90435df14b4ab4108ee0fd57a9e78d085c225a9d3dfb72bae8118707cf2f1a2d4d37abc2c40ad0dd95c0079f43d051ec90526448189ac3
-  languageName: node
-  linkType: hard
-
-"ember-cli-sri@meirish/ember-cli-sri#rooturl":
-  version: 2.1.0
-  resolution: "ember-cli-sri@https://github.com/meirish/ember-cli-sri.git#commit=1c0ff776a61f09121d1ea69ce16e4653da5e1efa"
-  dependencies:
-    broccoli-sri-hash: ^2.1.0
-  checksum: cc1b5544c653db43a92c0b1a2b2b0cc17fb7d67e17e90efef0f1b069b9ae39a3154d8c63bea0aacc8d02202935719dc3ecd3123bf0007c068a18ed52972badd1
-  languageName: node
-  linkType: hard
-
-"ember-cli-string-helpers@npm:6.1.0":
-  version: 6.1.0
-  resolution: "ember-cli-string-helpers@npm:6.1.0"
-  dependencies:
-    "@babel/core": ^7.13.10
-    broccoli-funnel: ^3.0.3
-    ember-cli-babel: ^7.7.3
-    resolve: ^1.20.0
-  checksum: 13ccce5297232ce801ddc88e83d7327b5e17ae6359f658b633d09d1595d9241d3e1f3fc1240f515ac2bf01e732e59d2b29ba004f218fc18227fa9f0ab3fd8964
-  languageName: node
-  linkType: hard
-
-"ember-cli-string-utils@npm:^1.0.0, ember-cli-string-utils@npm:^1.1.0":
-  version: 1.1.0
-  resolution: "ember-cli-string-utils@npm:1.1.0"
-  checksum: cb833925596b1fedc5e8ad0d05d1dcb3db7305d4a73f1a3332ba3eb2bfa7a4f0e7674afc8dd5ac474cc526ee3129158b0e26c49d6392e5ea579a927b2af7f3e9
-  languageName: node
-  linkType: hard
-
-"ember-cli-terser@npm:^4.0.2":
-  version: 4.0.2
-  resolution: "ember-cli-terser@npm:4.0.2"
-  dependencies:
-    broccoli-terser-sourcemap: ^4.1.0
-  checksum: ab2209731ae8f5d85c4c85e0496309d4f8fbb44157e6164bbc6a5edc9a5a2754441fbd383c4856e1c3df9462215fa2708cdd77b62b85b52243af4ba4882564ae
-  languageName: node
-  linkType: hard
-
-"ember-cli-test-info@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "ember-cli-test-info@npm:1.0.0"
-  dependencies:
-    ember-cli-string-utils: ^1.0.0
-  checksum: 4a1de83a847c050037b485b2a2e3d0c4b24281f4d3fd14a10f593f793f38b9ad6d8f9cf4bf15e10c6d850ae1a89e9734f7f3e91afacdb1b03dfa8b785e4b296c
-  languageName: node
-  linkType: hard
-
-"ember-cli-test-loader@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "ember-cli-test-loader@npm:3.0.0"
-  dependencies:
-    ember-cli-babel: ^7.13.2
-  checksum: 1de13e06af31b3543e779f69b7d06cda0e1683cdfce7923e313d9cffcb33f4e979af75baf12f3988f8a2186db5d063d204e294f522ef517d845b19ce25cb9cdc
-  languageName: node
-  linkType: hard
-
-"ember-cli-typescript-blueprint-polyfill@npm:^0.1.0":
-  version: 0.1.0
-  resolution: "ember-cli-typescript-blueprint-polyfill@npm:0.1.0"
-  dependencies:
-    chalk: ^4.0.0
-    remove-types: ^1.0.0
-  checksum: e631d97836512565c04ca5693656e810d3d6992914c60bc671aca0c6ad62f06b80d6a671cc337c347e968cd6b29ca38ee4dea98e79250800bbc0ed12b0911eb5
-  languageName: node
-  linkType: hard
-
-"ember-cli-typescript@npm:3.0.0":
-  version: 3.0.0
-  resolution: "ember-cli-typescript@npm:3.0.0"
-  dependencies:
-    "@babel/plugin-transform-typescript": ~7.5.0
-    ansi-to-html: ^0.6.6
-    debug: ^4.0.0
-    ember-cli-babel-plugin-helpers: ^1.0.0
-    execa: ^2.0.0
-    fs-extra: ^8.0.0
-    resolve: ^1.5.0
-    rsvp: ^4.8.1
-    semver: ^6.0.0
-    stagehand: ^1.0.0
-    walk-sync: ^2.0.0
-  checksum: 4ef2732a0743113aa0167365afb972239e51ca227ca0858b1e240f8e449a34c02462973e1669eb7cd1982b0c1db225f1537f1d41360dc3945b6c2b54e566f96a
-  languageName: node
-  linkType: hard
-
-"ember-cli-typescript@npm:^2.0.2":
-  version: 2.0.2
-  resolution: "ember-cli-typescript@npm:2.0.2"
-  dependencies:
-    "@babel/plugin-proposal-class-properties": ^7.1.0
-    "@babel/plugin-transform-typescript": ~7.4.0
-    ansi-to-html: ^0.6.6
-    debug: ^4.0.0
-    ember-cli-babel-plugin-helpers: ^1.0.0
-    execa: ^1.0.0
-    fs-extra: ^7.0.0
-    resolve: ^1.5.0
-    rsvp: ^4.8.1
-    semver: ^6.0.0
-    stagehand: ^1.0.0
-    walk-sync: ^1.0.0
-  checksum: a1eecb5733df78de96eee3d75f1d0425c8e2638fddcdfb4b2fa46b70131df78216fc341419ccdcf4c32ca480c2bc3d91c0390b81b5ad738a409335ae5ff7f993
-  languageName: node
-  linkType: hard
-
-"ember-cli-typescript@npm:^3.1.4":
-  version: 3.1.4
-  resolution: "ember-cli-typescript@npm:3.1.4"
-  dependencies:
-    "@babel/plugin-proposal-nullish-coalescing-operator": ^7.4.4
-    "@babel/plugin-proposal-optional-chaining": ^7.6.0
-    "@babel/plugin-transform-typescript": ~7.8.0
-    ansi-to-html: ^0.6.6
-    broccoli-stew: ^3.0.0
-    debug: ^4.0.0
-    ember-cli-babel-plugin-helpers: ^1.0.0
-    execa: ^3.0.0
-    fs-extra: ^8.0.0
-    resolve: ^1.5.0
-    rsvp: ^4.8.1
-    semver: ^6.3.0
-    stagehand: ^1.0.0
-    walk-sync: ^2.0.0
-  checksum: 775c20caadcca5a071728bad1a388297e3c9acfea342b654901c334a2d158fc2d78ebac7b785e718051f1ed8de584741545d2c6c35c4a72b4ddb3fbc1618666f
-  languageName: node
-  linkType: hard
-
-"ember-cli-typescript@npm:^4.1.0, ember-cli-typescript@npm:^4.2.0, ember-cli-typescript@npm:^4.2.1":
-  version: 4.2.1
-  resolution: "ember-cli-typescript@npm:4.2.1"
-  dependencies:
-    ansi-to-html: ^0.6.15
-    broccoli-stew: ^3.0.0
-    debug: ^4.0.0
-    execa: ^4.0.0
-    fs-extra: ^9.0.1
-    resolve: ^1.5.0
-    rsvp: ^4.8.1
-    semver: ^7.3.2
-    stagehand: ^1.0.0
-    walk-sync: ^2.2.0
-  checksum: bd31698536c0df7fc03b47aa1c7d3f9c6f7e34fae1500c88bdbbc4c0b98b2a7e69230dd71a01d7cd7f563484cf895333f559af68f91527d95e198924e3cb2c24
-  languageName: node
-  linkType: hard
-
-"ember-cli-typescript@npm:^5.0.0":
-  version: 5.0.0
-  resolution: "ember-cli-typescript@npm:5.0.0"
-  dependencies:
-    ansi-to-html: ^0.6.15
-    broccoli-stew: ^3.0.0
-    debug: ^4.0.0
-    execa: ^4.0.0
-    fs-extra: ^9.0.1
-    resolve: ^1.5.0
-    rsvp: ^4.8.1
-    semver: ^7.3.2
-    stagehand: ^1.0.0
-    walk-sync: ^2.2.0
-  checksum: ac0d6088cd7e5bb17792e0db44e05f198eaea1484fd45f725b8caac8322b072d9d3dcf4d0d7a88fe66699ca88fe3ab564cc6dde98b63be92129c7acdb73c3da4
-  languageName: node
-  linkType: hard
-
-"ember-cli-typescript@npm:^5.1.1, ember-cli-typescript@npm:^5.2.1":
-  version: 5.2.1
-  resolution: "ember-cli-typescript@npm:5.2.1"
-  dependencies:
-    ansi-to-html: ^0.6.15
-    broccoli-stew: ^3.0.0
-    debug: ^4.0.0
-    execa: ^4.0.0
-    fs-extra: ^9.0.1
-    resolve: ^1.5.0
-    rsvp: ^4.8.1
-    semver: ^7.3.2
-    stagehand: ^1.0.0
-    walk-sync: ^2.2.0
-  checksum: b4306b37e9a9e070cc61a67acf404b30636ad2681379589fbc349c7e83158a7b634d792ab5af4cd4dd0770eecb8a901fa84d29a15167826db9c97b664a115df0
-  languageName: node
-  linkType: hard
-
-"ember-cli-version-checker@npm:^2.1.0, ember-cli-version-checker@npm:^2.1.2":
-  version: 2.2.0
-  resolution: "ember-cli-version-checker@npm:2.2.0"
-  dependencies:
-    resolve: ^1.3.3
-    semver: ^5.3.0
-  checksum: 2e2db30c0276df207e5921ff57574299ff027a528d52932ba42d9ddc6078da62dc3f34e6dc2ac647f5e07245d64c6acf4a395d453acccd819756f137fc4ec529
-  languageName: node
-  linkType: hard
-
-"ember-cli-version-checker@npm:^3.1.3":
-  version: 3.1.3
-  resolution: "ember-cli-version-checker@npm:3.1.3"
-  dependencies:
-    resolve-package-path: ^1.2.6
-    semver: ^5.6.0
-  checksum: 07a8b579272d4bd489b658b7dce3f6eefb0c9358a06b064fd59d2faf82defe60ade662fcc22bd009e3de6ac7ff602d88cdeb3b4e29c3669a09adb9a751d987a5
-  languageName: node
-  linkType: hard
-
-"ember-cli-version-checker@npm:^4.1.0":
-  version: 4.1.1
-  resolution: "ember-cli-version-checker@npm:4.1.1"
-  dependencies:
-    resolve-package-path: ^2.0.0
-    semver: ^6.3.0
-    silent-error: ^1.1.1
-  checksum: 43beddcef0e26c159721e61cea0bc606c901a5f1b4ce21c83418d7ee30d3c7b0f073310e5db03bde3ca76c082309358766d7bacd3655bad1745fc458f5ffe4a1
-  languageName: node
-  linkType: hard
-
-"ember-cli-version-checker@npm:^5.0.2, ember-cli-version-checker@npm:^5.1.1, ember-cli-version-checker@npm:^5.1.2":
-  version: 5.1.2
-  resolution: "ember-cli-version-checker@npm:5.1.2"
-  dependencies:
-    resolve-package-path: ^3.1.0
-    semver: ^7.3.4
-    silent-error: ^1.1.1
-  checksum: 95e98e11c5fdd31659d67b67abc7c781f3463e1da7a3642d5cae4717262e6382ba0d3487fe29e1bef1d5c3d03a2687fca9cd169445845abe2e486397ff92feef
-  languageName: node
-  linkType: hard
-
-"ember-cli@npm:~4.12.1":
-  version: 4.12.1
-  resolution: "ember-cli@npm:4.12.1"
-  dependencies:
-    "@babel/core": ^7.21.0
-    "@babel/plugin-transform-modules-amd": ^7.20.11
-    amd-name-resolver: ^1.3.1
-    babel-plugin-module-resolver: ^4.1.0
-    bower-config: ^1.4.3
-    bower-endpoint-parser: 0.2.2
-    broccoli: ^3.5.2
-    broccoli-amd-funnel: ^2.0.1
-    broccoli-babel-transpiler: ^7.8.1
-    broccoli-builder: ^0.18.14
-    broccoli-concat: ^4.2.5
-    broccoli-config-loader: ^1.0.1
-    broccoli-config-replace: ^1.1.2
-    broccoli-debug: ^0.6.5
-    broccoli-funnel: ^3.0.8
-    broccoli-funnel-reducer: ^1.0.0
-    broccoli-merge-trees: ^4.2.0
-    broccoli-middleware: ^2.1.1
-    broccoli-slow-trees: ^3.1.0
-    broccoli-source: ^3.0.1
-    broccoli-stew: ^3.0.0
-    calculate-cache-key-for-tree: ^2.0.0
-    capture-exit: ^2.0.0
-    chalk: ^4.1.2
-    ci-info: ^3.7.0
-    clean-base-url: ^1.0.0
-    compression: ^1.7.4
-    configstore: ^5.0.1
-    console-ui: ^3.1.2
-    core-object: ^3.1.5
-    dag-map: ^2.0.2
-    diff: ^5.1.0
-    ember-cli-is-package-missing: ^1.0.0
-    ember-cli-lodash-subset: ^2.0.1
-    ember-cli-normalize-entity-name: ^1.0.0
-    ember-cli-preprocess-registry: ^3.3.0
-    ember-cli-string-utils: ^1.1.0
-    ensure-posix-path: ^1.1.1
-    execa: ^5.1.1
-    exit: ^0.1.2
-    express: ^4.18.1
-    filesize: ^10.0.5
-    find-up: ^5.0.0
-    find-yarn-workspace-root: ^2.0.0
-    fixturify-project: ^2.1.1
-    fs-extra: ^11.1.0
-    fs-tree-diff: ^2.0.1
-    get-caller-file: ^2.0.5
-    git-repo-info: ^2.1.1
-    glob: ^8.1.0
-    heimdalljs: ^0.2.6
-    heimdalljs-fs-monitor: ^1.1.1
-    heimdalljs-graph: ^1.0.0
-    heimdalljs-logger: ^0.1.10
-    http-proxy: ^1.18.1
-    inflection: ^2.0.1
-    inquirer: ^8.2.1
-    is-git-url: ^1.0.0
-    is-language-code: ^3.1.0
-    isbinaryfile: ^5.0.0
-    js-yaml: ^4.1.0
-    leek: 0.0.24
-    lodash.template: ^4.5.0
-    markdown-it: ^13.0.1
-    markdown-it-terminal: ^0.4.0
-    minimatch: ^7.4.1
-    morgan: ^1.10.0
-    nopt: ^3.0.6
-    npm-package-arg: ^10.1.0
-    os-locale: ^5.0.0
-    p-defer: ^3.0.0
-    portfinder: ^1.0.32
-    promise-map-series: ^0.3.0
-    promise.hash.helper: ^1.0.8
-    quick-temp: ^0.1.8
-    remove-types: ^1.0.0
-    resolve: ^1.22.1
-    resolve-package-path: ^4.0.3
-    safe-stable-stringify: ^2.4.2
-    sane: ^5.0.1
-    semver: ^7.3.5
-    silent-error: ^1.1.1
-    sort-package-json: ^1.57.0
-    symlink-or-copy: ^1.3.1
-    temp: 0.9.4
-    testem: ^3.10.1
-    tiny-lr: ^2.0.0
-    tree-sync: ^2.1.0
-    uuid: ^9.0.0
-    walk-sync: ^3.0.0
-    watch-detector: ^1.0.2
-    workerpool: ^6.4.0
-    yam: ^1.0.0
-  bin:
-    ember: bin/ember
-  checksum: 3e6066637211d98994b44b85b33070cc4614f6f1500eebfdc64886880300602a49220b788c4359548d6f305c47844b18ef5bbe0b64d4d61d6865811a15a712b0
-  languageName: node
-  linkType: hard
-
-"ember-compatibility-helpers@npm:^1.1.2":
-  version: 1.2.4
-  resolution: "ember-compatibility-helpers@npm:1.2.4"
-  dependencies:
-    babel-plugin-debug-macros: ^0.2.0
-    ember-cli-version-checker: ^5.1.1
-    fs-extra: ^9.1.0
-    semver: ^5.4.1
-  checksum: f220953b2357173486e6d76f76253bce2d8b420d64f2517be41db39612c1becd9e0d078603d5c4445b73df7ff4bf039e777f0bcac8c67e7015abd2409417c819
-  languageName: node
-  linkType: hard
-
-"ember-compatibility-helpers@npm:^1.2.0, ember-compatibility-helpers@npm:^1.2.1":
-  version: 1.2.5
-  resolution: "ember-compatibility-helpers@npm:1.2.5"
-  dependencies:
-    babel-plugin-debug-macros: ^0.2.0
-    ember-cli-version-checker: ^5.1.1
-    fs-extra: ^9.1.0
-    semver: ^5.4.1
-  checksum: ee8625d240daa2ef6c6d14048d38808cb4c7054547c73715130817e3e226300fdf3489be9112205022543fc1d713bcbdea17b03b29480481e04d964e31fb3e86
-  languageName: node
-  linkType: hard
-
-"ember-compatibility-helpers@npm:^1.2.5, ember-compatibility-helpers@npm:^1.2.6":
-  version: 1.2.6
-  resolution: "ember-compatibility-helpers@npm:1.2.6"
-  dependencies:
-    babel-plugin-debug-macros: ^0.2.0
-    ember-cli-version-checker: ^5.1.1
-    find-up: ^5.0.0
-    fs-extra: ^9.1.0
-    semver: ^5.4.1
-  checksum: 1ab8ea51c8d010e02f06668820f1a5ee572ffc0d0ca8eb8b740641e736c8ed67f294d3321876eb9d5dc994c789cd9432632dd748b040c256eabe87e3b941fafc
-  languageName: node
-  linkType: hard
-
-"ember-composable-helpers@npm:5.0.0":
-  version: 5.0.0
-  resolution: "ember-composable-helpers@npm:5.0.0"
-  dependencies:
-    "@babel/core": ^7.0.0
-    broccoli-funnel: 2.0.1
-    ember-cli-babel: ^7.26.3
-    resolve: ^1.10.0
-  checksum: 8fdceade42f025cb75cb3718de4a6f3836b1a74eca8d30ca7a8c0313fccdce6663ce6fa5e5bd14fd905ecac2a330d55c169f21f559f092a5900d08ddc290fff6
-  languageName: node
-  linkType: hard
-
-"ember-composable-helpers@npm:^4.5.0":
-  version: 4.5.0
-  resolution: "ember-composable-helpers@npm:4.5.0"
-  dependencies:
-    "@babel/core": ^7.0.0
-    broccoli-funnel: 2.0.1
-    ember-cli-babel: ^7.26.3
-    resolve: ^1.10.0
-  checksum: 39bc86701eee2c8afde0cd912b757fd7f26b06c25df182fc6bc833722bea86a2c4cc4e51659c489dfdcea5630ed87794010584e68b4c52e6049aee8a8c87808b
-  languageName: node
-  linkType: hard
-
-"ember-concurrency-decorators@npm:^2.0.0":
-  version: 2.0.3
-  resolution: "ember-concurrency-decorators@npm:2.0.3"
-  dependencies:
-    "@ember-decorators/utils": ^6.1.0
-    ember-cli-babel: ^7.19.0
-    ember-cli-htmlbars: ^4.3.1
-    ember-cli-typescript: ^3.1.4
-  checksum: c231097d74208759ee4e60fd10828693b41b3ab4dd77f280bd7559cd20c607fe518dcd49f347e91e9a5052126abb2414efa405dc54619a330b1b832b39871c95
-  languageName: node
-  linkType: hard
-
-"ember-concurrency@npm:2.3.4":
-  version: 2.3.4
-  resolution: "ember-concurrency@npm:2.3.4"
-  dependencies:
-    "@babel/helper-plugin-utils": ^7.12.13
-    "@babel/types": ^7.12.13
-    "@glimmer/tracking": ^1.0.4
-    ember-cli-babel: ^7.26.11
-    ember-cli-babel-plugin-helpers: ^1.1.1
-    ember-cli-htmlbars: ^5.7.1
-    ember-compatibility-helpers: ^1.2.0
-    ember-destroyable-polyfill: ^2.0.2
-  checksum: 14b68d1da5575b14dc038af8146b8de29f5b0b961ca57275d1930cf77f8b0d8ba20105d40a5755b79c3f8ad65449195beb94029a687c72a07486c5024ab98154
-  languageName: node
-  linkType: hard
-
-"ember-concurrency@npm:>=1.0.0 <3":
-  version: 2.2.0
-  resolution: "ember-concurrency@npm:2.2.0"
-  dependencies:
-    "@glimmer/tracking": ^1.0.4
-    ember-cli-babel: ^7.26.6
-    ember-cli-htmlbars: ^5.7.1
-    ember-compatibility-helpers: ^1.2.0
-    ember-destroyable-polyfill: ^2.0.2
-  checksum: 3a9bb4c098b4407125e63bd1e25b598c0fae491db240dea2332e7116e5b6538ca2fb71e124b6da31a5f953a78fe7ebe03a7881c53e950203e808456997c7d187
-  languageName: node
-  linkType: hard
-
-"ember-copy@npm:2.0.1":
-  version: 2.0.1
-  resolution: "ember-copy@npm:2.0.1"
-  dependencies:
-    ember-cli-babel: ^7.22.1
-  checksum: addeba5ce864c1dcea4ec475bab51c4996dcd575adab28fb3a5fb082fa1db1f8530236ccfbb2c66fd594d8b11410f17eece6651957bd6b0804eaa870915e84ba
-  languageName: node
-  linkType: hard
-
-"ember-d3@npm:^0.5.1":
-  version: 0.5.1
-  resolution: "ember-d3@npm:0.5.1"
-  dependencies:
-    broccoli-funnel: ^2.0.0
-    broccoli-merge-trees: ^3.0.0
-    d3: ^5.0.0
-    d3-selection-multi: ^1.0.1
-    ember-cli-babel: ^7.1.2
-  checksum: 81256d9a3f7647c5b9689a2e9973fdbcc29fe03ff795a66a3fc6202fd978c6207d1655b44f9a1379f8d4c997283813f25acaf310a1005cc90b74344bf5ef04b5
-  languageName: node
-  linkType: hard
-
-"ember-data@npm:~4.11.3":
-  version: 4.11.3
-  resolution: "ember-data@npm:4.11.3"
-  dependencies:
-    "@ember-data/adapter": 4.11.3
-    "@ember-data/debug": 4.11.3
-    "@ember-data/model": 4.11.3
-    "@ember-data/private-build-infra": 4.11.3
-    "@ember-data/record-data": 4.11.3
-    "@ember-data/serializer": 4.11.3
-    "@ember-data/store": 4.11.3
-    "@ember-data/tracking": 4.11.3
-    "@ember/edition-utils": ^1.2.0
-    "@embroider/macros": ^1.10.0
-    "@glimmer/env": ^0.1.7
-    broccoli-merge-trees: ^4.2.0
-    ember-auto-import: ^2.4.3
-    ember-cli-babel: ^7.26.11
-    ember-inflector: ^4.0.2
-  peerDependencies:
-    "@ember/string": ^3.0.1
-  checksum: b9a9450b7567ec68a64ed4bac9878a2fc603f18a3adba657e04f476f4cef38fc9cdd71838203274f677af0c403a522a70838e9580526ff198e82229da9d7c326
-  languageName: node
-  linkType: hard
-
-"ember-decorators@npm:^6.1.1":
-  version: 6.1.1
-  resolution: "ember-decorators@npm:6.1.1"
-  dependencies:
-    "@ember-decorators/component": ^6.1.1
-    "@ember-decorators/object": ^6.1.1
-    ember-cli-babel: ^7.7.3
-  checksum: ffe95d41dae393586190340c0e65d772c2132ff50269ef21a408d999e10fff79214ac9e14a49e1a94bf3fdd18c660759bc23c79de9ca41375f0e9ba8204b5168
-  languageName: node
-  linkType: hard
-
-"ember-destroyable-polyfill@npm:^2.0.2, ember-destroyable-polyfill@npm:^2.0.3":
-  version: 2.0.3
-  resolution: "ember-destroyable-polyfill@npm:2.0.3"
-  dependencies:
-    ember-cli-babel: ^7.22.1
-    ember-cli-version-checker: ^5.1.1
-    ember-compatibility-helpers: ^1.2.1
-  checksum: 1c96c453a7be71a76a117421a5571a073cd85c56525a2de146728091f2c639fff93216eedae2baf437576d62906e885adce996619104bcc28c3af66bdf720099
-  languageName: node
-  linkType: hard
-
-"ember-element-helper@npm:^0.6.0":
-  version: 0.6.1
-  resolution: "ember-element-helper@npm:0.6.1"
-  dependencies:
-    "@embroider/util": ^0.39.1 || ^0.40.0 || ^0.41.0 || ^1.0.0
-    ember-cli-babel: ^7.26.11
-    ember-cli-htmlbars: ^6.0.1
-  peerDependencies:
-    ember-source: ^3.8 || 4
-  checksum: 36110a5b5a504169abe80d004f8ad9eba56c0d8b602211606ad6ab88d541b93f7621a740c0a4a972036d5b390e42f59d638575dd4748b184e1d6f33586851e03
-  languageName: node
-  linkType: hard
-
-"ember-engines@npm:0.8.23":
-  version: 0.8.23
-  resolution: "ember-engines@npm:0.8.23"
-  dependencies:
-    "@embroider/macros": ^1.3.0
-    amd-name-resolver: 1.3.1
-    babel-plugin-compact-reexports: ^1.1.0
-    broccoli-babel-transpiler: ^7.2.0
-    broccoli-concat: ^4.2.5
-    broccoli-debug: ^0.6.5
-    broccoli-dependency-funnel: ^2.1.2
-    broccoli-file-creator: ^2.1.1
-    broccoli-funnel: ^2.0.2
-    broccoli-merge-trees: ^3.0.2
-    broccoli-test-helper: ^2.0.0
-    calculate-cache-key-for-tree: ^2.0.0
-    ember-asset-loader: ^0.6.1
-    ember-cli-babel: ^7.18.0
-    ember-cli-preprocess-registry: ^3.3.0
-    ember-cli-string-utils: ^1.1.0
-    ember-cli-version-checker: ^5.1.2
-    lodash: ^4.17.11
-  peerDependencies:
-    "@ember/legacy-built-in-components": "*"
-    ember-source: ^3.12 || 4
-  checksum: 167b8101b1254c8bc5d5c88623f3d34e95284003674dccefadf006db4a3c42172a2512b198489a7b50be233b09b3617e67bfde3c6f2daf56acbd2ceda416808e
-  languageName: node
-  linkType: hard
-
-"ember-fetch@npm:^8.1.2":
-  version: 8.1.2
-  resolution: "ember-fetch@npm:8.1.2"
-  dependencies:
-    abortcontroller-polyfill: ^1.7.3
-    broccoli-concat: ^4.2.5
-    broccoli-debug: ^0.6.5
-    broccoli-merge-trees: ^4.2.0
-    broccoli-rollup: ^2.1.1
-    broccoli-stew: ^3.0.0
-    broccoli-templater: ^2.0.1
-    calculate-cache-key-for-tree: ^2.0.0
-    caniuse-api: ^3.0.0
-    ember-cli-babel: ^7.23.1
-    ember-cli-typescript: ^4.1.0
-    ember-cli-version-checker: ^5.1.2
-    node-fetch: ^2.6.1
-    whatwg-fetch: ^3.6.2
-  checksum: 00b864c04776493d7c6e06c71709edb9045d4fa6c25392988dad218487d5440a8b00e994e951c6279da2522c6bb12e0780983d0083f93524e68fcdcd77dec62b
-  languageName: node
-  linkType: hard
-
-"ember-focus-trap@npm:^1.0.2":
-  version: 1.1.0
-  resolution: "ember-focus-trap@npm:1.1.0"
-  dependencies:
-    "@embroider/addon-shim": ^1.0.0
-    focus-trap: ^6.7.1
-  peerDependencies:
-    ember-source: ^4.0.0 || ^5.0.0
-  checksum: 1f19c50b92c56f04681cd59ac3a88a520a53403278105aab2f4edc64df6ce3d0ceb53409e3309822bd4ced60063d9e8657117c708f90da9038c8140737e8d831
-  languageName: node
-  linkType: hard
-
-"ember-get-config@npm:0.2.4 - 0.5.0":
-  version: 0.5.0
-  resolution: "ember-get-config@npm:0.5.0"
-  dependencies:
-    broccoli-file-creator: ^1.1.1
-    ember-cli-babel: ^7.26.6
-    ember-cli-htmlbars: ^5.7.1
-  checksum: c9ca75a44764705ea62324dba90770ae608d8614c1222ddc9f22ede506f056e65d0e2e518fbc3aa2665ea32e2d4c2735fff9fe4e031d1827c3ebaad3b03bfea2
-  languageName: node
-  linkType: hard
-
-"ember-get-config@npm:^1.0.2 || ^2.0.0, ember-get-config@npm:^2.1.1":
-  version: 2.1.1
-  resolution: "ember-get-config@npm:2.1.1"
-  dependencies:
-    "@embroider/macros": ^0.50.0 || ^1.0.0
-    ember-cli-babel: ^7.26.6
-  checksum: 850bc718ad2df98ab08e566f14b857fcad3aa5f31aac2a114bcbde27000dfd727a7af3c428c73a383d1f7243819486c28f0a69a31b44027e50c4f51d8602ef19
-  languageName: node
-  linkType: hard
-
-"ember-in-element-polyfill@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "ember-in-element-polyfill@npm:1.0.1"
-  dependencies:
-    debug: ^4.3.1
-    ember-cli-babel: ^7.23.1
-    ember-cli-htmlbars: ^5.3.1
-    ember-cli-version-checker: ^5.1.2
-  checksum: fda95b1bd56dd2eefea014e9131eb03d5e3f34aa08c4f7b2fd4e717d001aa3a029c7a9d1725975085641924be7924c43f12ecade5642677d405f9566776c1507
-  languageName: node
-  linkType: hard
-
-"ember-inflector@npm:4.0.2, ember-inflector@npm:^2.0.0 || ^3.0.0 || ^4.0.2, ember-inflector@npm:^4.0.2":
-  version: 4.0.2
-  resolution: "ember-inflector@npm:4.0.2"
-  dependencies:
-    ember-cli-babel: ^7.26.5
-  checksum: 0433146a7a093cf0f5e1454f3820c773d5f4ee7ca069df0eddc712f39d45a52bb699f8e44cd163815fb0c5abe75480b8511a947647b0f3cb38768147f457adae
-  languageName: node
-  linkType: hard
-
-"ember-keyboard@npm:^8.2.0":
-  version: 8.2.1
-  resolution: "ember-keyboard@npm:8.2.1"
-  dependencies:
-    "@embroider/addon-shim": ^1.8.4
-    ember-destroyable-polyfill: ^2.0.3
-    ember-modifier: ^2.1.2 || ^3.1.0 || ^4.0.0
-    ember-modifier-manager-polyfill: ^1.2.0
-  peerDependencies:
-    "@ember/test-helpers": ^2.6.0 || ^3.0.0
-  peerDependenciesMeta:
-    "@ember/test-helpers":
-      optional: true
-  checksum: cfb4120aaf3b1ff3aba8ba1619b0597c6738abde31d1e0719d8bbf69512fb9967fc76bc85557351ec42856bb9b6c47354634f22f0accab0e15743d9f0e3f2be4
-  languageName: node
-  linkType: hard
-
-"ember-load-initializers@npm:^2.1.2":
-  version: 2.1.2
-  resolution: "ember-load-initializers@npm:2.1.2"
-  dependencies:
-    ember-cli-babel: ^7.13.0
-    ember-cli-typescript: ^2.0.2
-  checksum: 104b38cb4b755894b65d39ab94f316bdb1b571884b8e52118ced0bfeb06de8e3e7685dcc4579fd8dae57fc6c62e2e50df042e782e960565e05a4cf4eaf6db337
-  languageName: node
-  linkType: hard
-
-"ember-maybe-in-element@npm:^2.0.3":
-  version: 2.0.3
-  resolution: "ember-maybe-in-element@npm:2.0.3"
-  dependencies:
-    ember-cli-babel: ^7.21.0
-    ember-cli-htmlbars: ^5.2.0
-    ember-cli-version-checker: ^5.1.1
-    ember-in-element-polyfill: ^1.0.1
-  checksum: 4bd0e66f748eac053dc2fed2b19a227bd159eb84cb1084bea2941af454a1135969a6efb36c298a9c06c36a7697e34819e9ff0ef1dcb18fa64d11dce09b75b523
-  languageName: node
-  linkType: hard
-
-"ember-modal-dialog@npm:^4.0.1":
-  version: 4.0.1
-  resolution: "ember-modal-dialog@npm:4.0.1"
-  dependencies:
-    "@embroider/macros": ^1.0.0
-    "@embroider/util": ^1.0.0
-    ember-cli-babel: ^7.26.8
-    ember-cli-htmlbars: ^6.0.1
-    ember-cli-version-checker: ^2.1.0
-    ember-decorators: ^6.1.1
-    ember-wormhole: ^0.6.0
-  peerDependencies:
-    ember-tether: ^2.0.1
-  peerDependenciesMeta:
-    ember-tether:
-      optional: true
-  checksum: d8005d3f9e0aab6fc4ce3f16a8bfb5ff9308e8ab9292b7e1be84e657f179f749414c9b0c029bf5c060526de0058fcb0acb38c3d19c80ad67e9ceb034de4b4e0c
-  languageName: node
-  linkType: hard
-
-"ember-modifier-manager-polyfill@npm:^1.1.0, ember-modifier-manager-polyfill@npm:^1.2.0":
-  version: 1.2.0
-  resolution: "ember-modifier-manager-polyfill@npm:1.2.0"
-  dependencies:
-    ember-cli-babel: ^7.10.0
-    ember-cli-version-checker: ^2.1.2
-    ember-compatibility-helpers: ^1.2.0
-  checksum: 70b0d1c8601766e2d8356bd61b1ebd9ffbdec180eb42e7d0ed9dccd79513a84aedde9f9c13357ea3b063733a63d9ea1996de73b2d09d3f6a0bce3674a92fde18
-  languageName: node
-  linkType: hard
-
-"ember-modifier@npm:^2.1.2 || ^3.1.0 || ^4.0.0, ember-modifier@npm:^3.2.7 || ^4.0.0, ember-modifier@npm:^3.2.7 || ^4.1.0, ember-modifier@npm:^4.1.0":
-  version: 4.1.0
-  resolution: "ember-modifier@npm:4.1.0"
-  dependencies:
-    "@embroider/addon-shim": ^1.8.4
-    ember-cli-normalize-entity-name: ^1.0.0
-    ember-cli-string-utils: ^1.1.0
-  peerDependencies:
-    ember-source: "*"
-  peerDependenciesMeta:
-    ember-source:
-      optional: true
-  checksum: 5e14a864de2184c07e59fb9bc76a09ae25d1bd37722a94751a3cef6165df22027007696c4dda03e1862cb3bbeefb046772810dda3104d05c7fe8476389c34a77
-  languageName: node
-  linkType: hard
-
-"ember-modifier@npm:^3.2.7":
-  version: 3.2.7
-  resolution: "ember-modifier@npm:3.2.7"
-  dependencies:
-    ember-cli-babel: ^7.26.6
-    ember-cli-normalize-entity-name: ^1.0.0
-    ember-cli-string-utils: ^1.1.0
-    ember-cli-typescript: ^5.0.0
-    ember-compatibility-helpers: ^1.2.5
-  checksum: 2e96d9ec3939de178a9ce704d5a9360fd73f0276ffa4a9cce9f100a4087fdc8fae4a8b28bf1be22b05a4d1c61e1bb1ab93ca60576810c6556bc4d9323864c66a
-  languageName: node
-  linkType: hard
-
-"ember-native-dom-helpers@npm:^0.7.0":
-  version: 0.7.0
-  resolution: "ember-native-dom-helpers@npm:0.7.0"
-  dependencies:
-    broccoli-funnel: ^1.1.0
-    ember-cli-babel: ^6.6.0
-  checksum: 958ed8ff1b1d31c598ba73dfb53d551448fcb377a02ed224e93360d39369c0937063fce1da72f1c2329d85b77701fc84646b248fb2bee83e0b8535566a9fa436
-  languageName: node
-  linkType: hard
-
-"ember-page-title@npm:^7.0.0":
-  version: 7.0.0
-  resolution: "ember-page-title@npm:7.0.0"
-  dependencies:
-    ember-cli-babel: ^7.26.6
-  checksum: 2533d6fa3aaeb37950f44dc8e50ce2e30008106fbded78136fb4bbfc8bc3240b24ccf0cfadb71154744b0483ae06a9d9b557edfbdbe397c0e8096448c76095ed
-  languageName: node
-  linkType: hard
-
-"ember-power-select@npm:6.0.1":
-  version: 6.0.1
-  resolution: "ember-power-select@npm:6.0.1"
-  dependencies:
-    "@embroider/util": ^1.0.0
-    "@glimmer/component": ^1.1.2
-    "@glimmer/tracking": ^1.1.2
-    ember-assign-helper: ^0.4.0
-    ember-basic-dropdown: ^6.0.0
-    ember-cli-babel: ^7.26.11
-    ember-cli-htmlbars: ^6.1.0
-    ember-cli-typescript: ^4.2.0
-    ember-concurrency: ">=1.0.0 <3"
-    ember-concurrency-decorators: ^2.0.0
-    ember-text-measurer: ^0.6.0
-    ember-truth-helpers: ^3.0.0
-  checksum: 3cefce209966a3d419796275f89252216e66c265186f22572962be961d071cfa46548ba067ec9af9c0e100c1979f845d71d2d86bfde46796ce56840e0d8eeedf
-  languageName: node
-  linkType: hard
-
-"ember-qrcode-shim@npm:^0.4.0":
-  version: 0.4.0
-  resolution: "ember-qrcode-shim@npm:0.4.0"
-  dependencies:
-    ember-cli-babel: ^7.1.2
-  checksum: eb25f33c4559d3810a6473a98a4d4fa73e209d59e1d2a05837f7538aa6451f06954dcbae1a9ebedd379d837ab36a7f677909c1fe264a9361be72a89b3b7a5e23
-  languageName: node
-  linkType: hard
-
-"ember-qunit@npm:6.0.0":
-  version: 6.0.0
-  resolution: "ember-qunit@npm:6.0.0"
-  dependencies:
-    broccoli-funnel: ^3.0.8
-    broccoli-merge-trees: ^3.0.2
-    common-tags: ^1.8.0
-    ember-auto-import: ^2.4.2
-    ember-cli-babel: ^7.26.6
-    ember-cli-test-loader: ^3.0.0
-    resolve-package-path: ^4.0.3
-    silent-error: ^1.1.1
-    validate-peer-dependencies: ^2.1.0
-  peerDependencies:
-    "@ember/test-helpers": ^2.4.0
-    qunit: ^2.13.0
-  checksum: 74c4c9316ff509a195e7961bae9aa1da6e6260d1a5e0ce153dff76302d23f974fa652dfc9d484fbe78d64623ba0d837b68d437d56745531118b88b950c6a5608
-  languageName: node
-  linkType: hard
-
-"ember-resolver@npm:^10.0.0":
-  version: 10.1.1
-  resolution: "ember-resolver@npm:10.1.1"
-  dependencies:
-    ember-cli-babel: ^7.26.11
-  peerDependencies:
-    "@ember/string": ^3.0.1
-    ember-source: ^4.8.3 || >= 5.0.0
-  peerDependenciesMeta:
-    ember-source:
-      optional: true
-  checksum: 3ffbc0789f651d834455aeef4a248840dfea0ca6ab9192bbab66e4bff2f5f5e33c51c24e35d41bfeb08d980e1e7b287eecef9e73c39baee57468e5edc798fa29
-  languageName: node
-  linkType: hard
-
-"ember-resources@npm:^5.0.1":
-  version: 5.6.4
-  resolution: "ember-resources@npm:5.6.4"
-  dependencies:
-    "@babel/runtime": ^7.17.8
-    "@embroider/addon-shim": ^1.2.0
-    "@embroider/macros": ^1.2.0
-  peerDependencies:
-    "@ember/test-waiters": ^3.0.0
-    "@glimmer/component": ^1.1.2
-    "@glimmer/tracking": ^1.1.2
-    "@glint/template": ">= 0.8.3"
-    ember-concurrency: ^2.0.0
-    ember-source: ">= 3.28.0"
-  peerDependenciesMeta:
-    "@ember/test-waiters":
-      optional: true
-    "@glimmer/component":
-      optional: true
-    ember-concurrency:
-      optional: true
-  checksum: 9edb126ee307251080380d421aba42f330f76c6e295046ae59b48c3162d27e83223732e398f8373f933d120f38831e791e0fd31e63c70315982166db399d2b33
-  languageName: node
-  linkType: hard
-
-"ember-responsive@npm:5.0.0":
-  version: 5.0.0
-  resolution: "ember-responsive@npm:5.0.0"
-  dependencies:
-    ember-cli-babel: ^7.26.11
-  checksum: 6d36a773e3a682ab8252a4f6416a95eb4c7fa76b72ac0cdc8ca6cd17adb764f59f39cba98f8227f52f42044a1c1073763e2689d34948b6207a0ca17f398b0a55
-  languageName: node
-  linkType: hard
-
-"ember-rfc176-data@npm:^0.3.13":
-  version: 0.3.18
-  resolution: "ember-rfc176-data@npm:0.3.18"
-  checksum: 897ac88b54fae39b3bda1c3aefb807f5ffc394c34e33c47b20b8b983e090716492a7d61acadc06771988285fe4e2b18c22faaf0b3b340d810dbbce2fe1a2a3e5
-  languageName: node
-  linkType: hard
-
-"ember-rfc176-data@npm:^0.3.15, ember-rfc176-data@npm:^0.3.17":
-  version: 0.3.17
-  resolution: "ember-rfc176-data@npm:0.3.17"
-  checksum: bc35da90149178d4c0e67097446d46ab69910571fcd02308dead097ca21c6d86767c4031d2bba4df267213ce6c43d1fe5660ded9e061051c1d84ba171fd02366
-  languageName: node
-  linkType: hard
-
-"ember-router-generator@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "ember-router-generator@npm:2.0.0"
-  dependencies:
-    "@babel/parser": ^7.4.5
-    "@babel/traverse": ^7.4.5
-    recast: ^0.18.1
-  checksum: e163e0d68e49a942658aee7c05638dd5c2db939753b51efc9c6d9f0e582953be185daf4cdd569c1b8a35ed47f35f4cb18067a6a1db68e135d7464bbad6ef9d93
-  languageName: node
-  linkType: hard
-
-"ember-router-helpers@npm:^0.4.0":
-  version: 0.4.0
-  resolution: "ember-router-helpers@npm:0.4.0"
-  dependencies:
-    ember-cli-babel: ^7.20.0
-  checksum: e847ceb1061f87416d6bb5d72ef539fda738a24086051bc94d740117c6353b3406c65247ac8190b8572df008a70d9f801e224d38489170129c5ca6c4ec7f206e
-  languageName: node
-  linkType: hard
-
-"ember-service-worker@meirish/ember-service-worker#configurable-scope":
-  version: 9.0.1
-  resolution: "ember-service-worker@https://github.com/meirish/ember-service-worker.git#commit=dda14187aace0d73ecdb6a55beac2194a3aec01b"
-  dependencies:
-    "@rollup/plugin-replace": 2.3.0
-    broccoli-caching-writer: ^3.0.3
-    broccoli-file-creator: ^2.1.1
-    broccoli-funnel: ^2.0.2
-    broccoli-merge-trees: ^3.0.1
-    broccoli-rollup: 4.0.0
-    broccoli-uglify-sourcemap: ^3.2.0
-    clone: ^2.1.2
-    ember-cli-babel: ^7.22.1
-    glob: ^7.1.6
-    hash-for-dep: ^1.5.1
-  checksum: 17e2f2a03cdf0ae9c5f4b0bd25a1b631849392b31e7bc4d376253511d1d6bc7338253fb36a4d7323ceb6b0eb319399a7e964a50ad9df381e64c4ac0d5b07a0b6
-  languageName: node
-  linkType: hard
-
-"ember-sinon@npm:^4.0.0":
-  version: 4.1.1
-  resolution: "ember-sinon@npm:4.1.1"
-  dependencies:
-    broccoli-funnel: ^2.0.0
-    broccoli-merge-trees: ^3.0.0
-    ember-cli-babel: ^7.7.3
-    sinon: ^7.4.2
-  checksum: 8781e420e1495728264599a770d786290a46eceb841ea6a0b86cf196efd9155e78931ea3c88bfd546bd4b9c1627c0bd0edb6cdd957abbe6faa71247de8184443
-  languageName: node
-  linkType: hard
-
-"ember-source@npm:~4.12.0":
-  version: 4.12.3
-  resolution: "ember-source@npm:4.12.3"
-  dependencies:
-    "@babel/helper-module-imports": ^7.16.7
-    "@babel/plugin-transform-block-scoping": ^7.20.5
-    "@ember/edition-utils": ^1.2.0
-    "@glimmer/vm-babel-plugins": 0.84.2
-    "@simple-dom/interface": ^1.4.0
-    babel-plugin-debug-macros: ^0.3.4
-    babel-plugin-filter-imports: ^4.0.0
-    broccoli-concat: ^4.2.5
-    broccoli-debug: ^0.6.4
-    broccoli-file-creator: ^2.1.1
-    broccoli-funnel: ^3.0.8
-    broccoli-merge-trees: ^4.2.0
-    chalk: ^4.0.0
-    ember-auto-import: ^2.5.0
-    ember-cli-babel: ^7.26.11
-    ember-cli-get-component-path-option: ^1.0.0
-    ember-cli-is-package-missing: ^1.0.0
-    ember-cli-normalize-entity-name: ^1.0.0
-    ember-cli-path-utils: ^1.0.0
-    ember-cli-string-utils: ^1.1.0
-    ember-cli-typescript-blueprint-polyfill: ^0.1.0
-    ember-cli-version-checker: ^5.1.2
-    ember-router-generator: ^2.0.0
-    inflection: ^1.13.2
-    resolve: ^1.22.0
-    semver: ^7.3.8
-    silent-error: ^1.1.1
-  peerDependencies:
-    "@glimmer/component": ^1.1.2
-  checksum: bd055bc4a4e3923fdd64065076f0443ef327db14e54f8ee4e801a19a7fcd9f283be617bb27a6ff20968069d58fce01d8dd07b395999537d4a286278f1e3863e9
-  languageName: node
-  linkType: hard
-
-"ember-stargate@npm:^0.4.3":
-  version: 0.4.3
-  resolution: "ember-stargate@npm:0.4.3"
-  dependencies:
-    "@ember/render-modifiers": ^2.0.0
-    "@embroider/addon-shim": ^1.0.0
-    "@glimmer/component": ^1.1.2
-    ember-resources: ^5.0.1
-    tracked-maps-and-sets: ^3.0.1
-  checksum: b41c0dd65c59e298d0a9f9b31fd5035b7824d8ebc0a92b47d52dc559b553ade3e9126bc4f647521138f09b34f80ed297300b6d428583b9a294de5071d5890bf6
-  languageName: node
-  linkType: hard
-
-"ember-style-modifier@npm:^0.8.0":
-  version: 0.8.0
-  resolution: "ember-style-modifier@npm:0.8.0"
-  dependencies:
-    ember-cli-babel: ^7.26.6
-    ember-modifier: ^3.2.7
-  checksum: ae105c24d05be275d47eff3563f0df9d59c4047c4b6afcc2903dbbfa87d5833ccd66bf5e6bee6244505cba404289f5f302112bb4d83f4edf9400507bb4ffe877
-  languageName: node
-  linkType: hard
-
-"ember-style-modifier@npm:^3.0.1":
-  version: 3.0.1
-  resolution: "ember-style-modifier@npm:3.0.1"
-  dependencies:
-    ember-auto-import: ^2.5.0
-    ember-cli-babel: ^7.26.11
-    ember-modifier: ^3.2.7 || ^4.0.0
-  peerDependencies:
-    "@ember/string": ^3.0.1
-  checksum: 093a9affaaa7b3f1c782fa46616bd3f9a02f518c3eff22f1f4c2582f2411cc9d1eecb95d483aaeabf6ce050d95ff928201cd5287e950027b96cbe702e56ae68d
-  languageName: node
-  linkType: hard
-
-"ember-svg-jar@npm:2.4.0":
-  version: 2.4.0
-  resolution: "ember-svg-jar@npm:2.4.0"
-  dependencies:
-    broccoli-caching-writer: ^3.0.3
-    broccoli-concat: ^4.2.5
-    broccoli-funnel: ^3.0.8
-    broccoli-merge-trees: ^4.2.0
-    broccoli-persistent-filter: ^3.1.2
-    broccoli-plugin: ^4.0.7
-    broccoli-string-replace: ^0.1.2
-    broccoli-svg-optimizer: ^2.1.0
-    cheerio: ^1.0.0-rc.12
-    console-ui: ^3.1.1
-    ember-cli-babel: ^7.26.6
-    ember-cli-htmlbars: ^5.7.1
-    lodash: ^4.17.15
-    safe-stable-stringify: ^2.2.0
-  checksum: d2c7eb54c3aab45fe80775470e52d5db93e4fe60c9ecd95d614897cb2275bce92a0b5389914b40ad84509dcf400e1ec384ea192a25a325f30f6b848d8637d145
-  languageName: node
-  linkType: hard
-
-"ember-template-imports@npm:^3.4.1, ember-template-imports@npm:^3.4.2":
-  version: 3.4.2
-  resolution: "ember-template-imports@npm:3.4.2"
-  dependencies:
-    babel-import-util: ^0.2.0
-    broccoli-stew: ^3.0.0
-    ember-cli-babel-plugin-helpers: ^1.1.1
-    ember-cli-version-checker: ^5.1.2
-    line-column: ^1.0.2
-    magic-string: ^0.25.7
-    parse-static-imports: ^1.1.0
-    string.prototype.matchall: ^4.0.6
-    validate-peer-dependencies: ^1.1.0
-  checksum: de7a3d455a3174f681d99d1467c6bbb9f6a00e130932106cfd9be7e04476d2e26c5151fa0ed4ba7084ef2b82863bb5d390a0340b108935e8d5f0c5a6215a9b49
-  languageName: node
-  linkType: hard
-
-"ember-template-lint-plugin-prettier@npm:4.0.0":
-  version: 4.0.0
-  resolution: "ember-template-lint-plugin-prettier@npm:4.0.0"
-  dependencies:
-    prettier-linter-helpers: ^1.0.0
-  peerDependencies:
-    ember-template-lint: ^4.0.0
-    prettier: ">=1.18.1"
-  checksum: 1b6d94803a51991f952a7a426578a677cbd04402c8236073b6b4bc0fd27871b07088463566e77ddd2ed381b4368dd8a1258af8d17f2cf4102e429d946448e3c1
-  languageName: node
-  linkType: hard
-
-"ember-template-lint@npm:5.7.2":
-  version: 5.7.2
-  resolution: "ember-template-lint@npm:5.7.2"
-  dependencies:
-    "@lint-todo/utils": ^13.0.3
-    aria-query: ^5.0.2
-    chalk: ^5.2.0
-    ci-info: ^3.8.0
-    date-fns: ^2.29.2
-    ember-template-imports: ^3.4.1
-    ember-template-recast: ^6.1.4
-    eslint-formatter-kakoune: ^1.0.0
-    find-up: ^6.3.0
-    fuse.js: ^6.5.3
-    get-stdin: ^9.0.0
-    globby: ^13.1.3
-    is-glob: ^4.0.3
-    language-tags: ^1.0.8
-    micromatch: ^4.0.5
-    resolve: ^1.22.1
-    v8-compile-cache: ^2.3.0
-    yargs: ^17.7.1
-  bin:
-    ember-template-lint: bin/ember-template-lint.js
-  checksum: 7f3848994cb73b3004ca21e726ad460fc54a6039a12c26b3fd787729211ed3d6ad34a1c30a4c8fb40581a61c0795dfdc5fe0e014369afcdea25f81c21a4e6f98
-  languageName: node
-  linkType: hard
-
-"ember-template-recast@npm:^6.1.4":
-  version: 6.1.4
-  resolution: "ember-template-recast@npm:6.1.4"
-  dependencies:
-    "@glimmer/reference": ^0.84.3
-    "@glimmer/syntax": ^0.84.3
-    "@glimmer/validator": ^0.84.3
-    async-promise-queue: ^1.0.5
-    colors: ^1.4.0
-    commander: ^8.3.0
-    globby: ^11.0.3
-    ora: ^5.4.0
-    slash: ^3.0.0
-    tmp: ^0.2.1
-    workerpool: ^6.4.0
-  bin:
-    ember-template-recast: lib/bin.js
-  checksum: a492e19c99080e0808fb7b4e3e3e9af47906a4a0b628c1c317414725e82b0c984fe327e1b7265718dc06e3f57b759bf432ef5b7a857cd68b571a7ed1d73d0225
-  languageName: node
-  linkType: hard
-
-"ember-test-selectors@npm:6.0.0":
-  version: 6.0.0
-  resolution: "ember-test-selectors@npm:6.0.0"
-  dependencies:
-    calculate-cache-key-for-tree: ^2.0.0
-    ember-cli-babel: ^7.26.4
-    ember-cli-version-checker: ^5.1.2
-  checksum: f03bd35caca4390613f68192b257b8edb836cec847ed966e75cd19ce58e5cf62c6a6107575feea0da9b6885cbf4141842b4de05a14edbf3e4164bd93d0c05601
-  languageName: node
-  linkType: hard
-
-"ember-tether@npm:^2.0.1":
-  version: 2.0.1
-  resolution: "ember-tether@npm:2.0.1"
-  dependencies:
-    ember-auto-import: ^1.2.19
-    ember-cli-babel: ^7.1.2
-    tether: ^1.4.0
-  checksum: bfe7d52129b67a6dda79e67cf82d49e3fe5039b9bb8694c1c8f1ba48a7993b2355c4b624d0d95a2497263b8c1ab37d75a1bf650b72e1336c663c43ede9ddf7b0
-  languageName: node
-  linkType: hard
-
-"ember-text-measurer@npm:^0.6.0":
-  version: 0.6.0
-  resolution: "ember-text-measurer@npm:0.6.0"
-  dependencies:
-    ember-cli-babel: ^7.19.0
-    ember-cli-htmlbars: ^4.3.1
-  checksum: 27991766045bba77515ecf6e9609f580ee38b2e53026206d18155cbeac87e57979e613a73ca2fae51ed79e00ab6bf71aff7ce07e1e7a15851e2f013ff8c06c97
-  languageName: node
-  linkType: hard
-
-"ember-tracked-storage-polyfill@npm:1.0.0, ember-tracked-storage-polyfill@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "ember-tracked-storage-polyfill@npm:1.0.0"
-  dependencies:
-    ember-cli-babel: ^7.26.3
-    ember-cli-htmlbars: ^5.7.1
-  checksum: f0e1df126b17cd58a78e81cf73e6a3fa8b7052e3e7058537cce9f658463b0e7f5c3fa1baebff85e19617f5eab1fa762a9dd1f17738b7baca50ef5481dc20d672
-  languageName: node
-  linkType: hard
-
-"ember-truth-helpers@npm:3.0.0, ember-truth-helpers@npm:^2.1.0 || ^3.0.0":
-  version: 3.0.0
-  resolution: "ember-truth-helpers@npm:3.0.0"
-  dependencies:
-    ember-cli-babel: ^7.22.1
-  checksum: 2848f30eb35046be4d5c4ae6ab36aa374d860ba37dbd6f529467182ead80166e2fc881f615f3fa0b25fd2ecf73e237c6f61e67bd182149776240d9ee3852a343
-  languageName: node
-  linkType: hard
-
-"ember-truth-helpers@npm:^3.0.0, ember-truth-helpers@npm:^3.1.1":
-  version: 3.1.1
-  resolution: "ember-truth-helpers@npm:3.1.1"
-  dependencies:
-    ember-cli-babel: ^7.22.1
-  checksum: 6f3a779ae714cec543b39ca93caa98121e65046e48929e1890aa24b2592c4e90a703148694bae9d7ca9bfc68d9ae1f7e00392f0f288158ee962aefbae1f3c0b0
-  languageName: node
-  linkType: hard
-
-"ember-wormhole@npm:^0.6.0":
-  version: 0.6.0
-  resolution: "ember-wormhole@npm:0.6.0"
-  dependencies:
-    ember-cli-babel: ^7.22.1
-    ember-cli-htmlbars: ^5.3.1
-  checksum: e49975babc0d9b79b18bca00916fe2bbb77253948e1074c291e0a2f22b97f049c68a6d5e4ddef703a69e7a390c56fa6e52c128848c75da7507af3f022debb3db
-  languageName: node
-  linkType: hard
-
-"emoji-regex@npm:^7.0.1":
-  version: 7.0.3
-  resolution: "emoji-regex@npm:7.0.3"
-  checksum: 9159b2228b1511f2870ac5920f394c7e041715429a68459ebe531601555f11ea782a8e1718f969df2711d38c66268174407cbca57ce36485544f695c2dfdc96e
-  languageName: node
-  linkType: hard
-
-"emoji-regex@npm:^8.0.0":
-  version: 8.0.0
-  resolution: "emoji-regex@npm:8.0.0"
-  checksum: d4c5c39d5a9868b5fa152f00cada8a936868fd3367f33f71be515ecee4c803132d11b31a6222b2571b1e5f7e13890156a94880345594d0ce7e3c9895f560f192
-  languageName: node
-  linkType: hard
-
-"emoji-regex@npm:~6.1.0":
-  version: 6.1.3
-  resolution: "emoji-regex@npm:6.1.3"
-  checksum: 348c4808cdc614e5522023c1f102eb06093ca24c693c7aa074fac93d3880c51948e9468bf91554d2e77ce47f0053411767aae21dd58fed12fdc54c2352a07976
-  languageName: node
-  linkType: hard
-
-"emojis-list@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "emojis-list@npm:3.0.0"
-  checksum: ddaaa02542e1e9436c03970eeed445f4ed29a5337dfba0fe0c38dfdd2af5da2429c2a0821304e8a8d1cadf27fdd5b22ff793571fa803ae16852a6975c65e8e70
-  languageName: node
-  linkType: hard
-
-"encodeurl@npm:~1.0.2":
-  version: 1.0.2
-  resolution: "encodeurl@npm:1.0.2"
-  checksum: e50e3d508cdd9c4565ba72d2012e65038e5d71bdc9198cb125beb6237b5b1ade6c0d343998da9e170fb2eae52c1bed37d4d6d98a46ea423a0cddbed5ac3f780c
-  languageName: node
-  linkType: hard
-
-"encoding@npm:^0.1.13":
-  version: 0.1.13
-  resolution: "encoding@npm:0.1.13"
-  dependencies:
-    iconv-lite: ^0.6.2
-  checksum: bb98632f8ffa823996e508ce6a58ffcf5856330fde839ae42c9e1f436cc3b5cc651d4aeae72222916545428e54fd0f6aa8862fd8d25bdbcc4589f1e3f3715e7f
-  languageName: node
-  linkType: hard
-
-"end-of-stream@npm:^1.0.0, end-of-stream@npm:^1.1.0":
-  version: 1.4.4
-  resolution: "end-of-stream@npm:1.4.4"
-  dependencies:
-    once: ^1.4.0
-  checksum: 530a5a5a1e517e962854a31693dbb5c0b2fc40b46dad2a56a2deec656ca040631124f4795823acc68238147805f8b021abbe221f4afed5ef3c8e8efc2024908b
-  languageName: node
-  linkType: hard
-
-"engine.io-parser@npm:~5.0.3":
-  version: 5.0.4
-  resolution: "engine.io-parser@npm:5.0.4"
-  checksum: d4ad0cef6ff63c350e35696da9bb3dbd180f67b56e93e90375010cc40393e6c0639b780d5680807e1d93a7e2e3d7b4a1c3b27cf75db28eb8cbf605bc1497da03
-  languageName: node
-  linkType: hard
-
-"engine.io@npm:~6.2.0":
-  version: 6.2.0
-  resolution: "engine.io@npm:6.2.0"
-  dependencies:
-    "@types/cookie": ^0.4.1
-    "@types/cors": ^2.8.12
-    "@types/node": ">=10.0.0"
-    accepts: ~1.3.4
-    base64id: 2.0.0
-    cookie: ~0.4.1
-    cors: ~2.8.5
-    debug: ~4.3.1
-    engine.io-parser: ~5.0.3
-    ws: ~8.2.3
-  checksum: cc485c5ba2e0c4f6ca02dcafd192b22f9dad89d01dc815005298780d3fb910db4cebab4696e8615290c473c2eeb259e8bee2a1fb7ab594d9c80f9f3485771911
-  languageName: node
-  linkType: hard
-
-"enhanced-resolve@npm:^4.0.0, enhanced-resolve@npm:^4.5.0":
-  version: 4.5.0
-  resolution: "enhanced-resolve@npm:4.5.0"
-  dependencies:
-    graceful-fs: ^4.1.2
-    memory-fs: ^0.5.0
-    tapable: ^1.0.0
-  checksum: 4d87488584c4d67d356ef4ba04978af4b2d4d18190cb859efac8e8475a34d5d6c069df33faa5a0a22920b0586dbf330f6a08d52bb15a8771a9ce4d70a2da74ba
-  languageName: node
-  linkType: hard
-
-"enhanced-resolve@npm:^5.10.0":
-  version: 5.14.0
-  resolution: "enhanced-resolve@npm:5.14.0"
-  dependencies:
-    graceful-fs: ^4.2.4
-    tapable: ^2.2.0
-  checksum: fff1aaebbf376371e5df4502e111967f6247c37611ad3550e4e7fca657f6dcb29ef7ffe88bf14e5010b78997f1ddd984a8db97af87ee0a5477771398fd326f5b
-  languageName: node
-  linkType: hard
-
-"enquirer@npm:^2.3.6":
-  version: 2.3.6
-  resolution: "enquirer@npm:2.3.6"
-  dependencies:
-    ansi-colors: ^4.1.1
-  checksum: 1c0911e14a6f8d26721c91e01db06092a5f7675159f0261d69c403396a385afd13dd76825e7678f66daffa930cfaa8d45f506fb35f818a2788463d022af1b884
-  languageName: node
-  linkType: hard
-
-"ensure-posix-path@npm:^1.0.0, ensure-posix-path@npm:^1.0.1, ensure-posix-path@npm:^1.0.2, ensure-posix-path@npm:^1.1.0, ensure-posix-path@npm:^1.1.1":
-  version: 1.1.1
-  resolution: "ensure-posix-path@npm:1.1.1"
-  checksum: 90ac69f48a08003abe6f194b75bad78c3320762bd193a063eb76cd8f696be6a34e1524f16435eeee09ccbe3a719a7fb76409dead3ccedd10e32d906ff050457b
-  languageName: node
-  linkType: hard
-
-"entities@npm:^2.0.0":
-  version: 2.2.0
-  resolution: "entities@npm:2.2.0"
-  checksum: 19010dacaf0912c895ea262b4f6128574f9ccf8d4b3b65c7e8334ad0079b3706376360e28d8843ff50a78aabcb8f08f0a32dbfacdc77e47ed77ca08b713669b3
-  languageName: node
-  linkType: hard
-
-"entities@npm:^3.0.1, entities@npm:~3.0.1":
-  version: 3.0.1
-  resolution: "entities@npm:3.0.1"
-  checksum: aaf7f12033f0939be91f5161593f853f2da55866db55ccbf72f45430b8977e2b79dbd58c53d0fdd2d00bd7d313b75b0968d09f038df88e308aa97e39f9456572
-  languageName: node
-  linkType: hard
-
-"entities@npm:^4.2.0, entities@npm:^4.3.0, entities@npm:^4.4.0":
-  version: 4.4.0
-  resolution: "entities@npm:4.4.0"
-  checksum: 84d250329f4b56b40fa93ed067b194db21e8815e4eb9b59f43a086f0ecd342814f6bc483de8a77da5d64e0f626033192b1b4f1792232a7ea6b970ebe0f3187c2
-  languageName: node
-  linkType: hard
-
-"env-paths@npm:^2.2.0":
-  version: 2.2.1
-  resolution: "env-paths@npm:2.2.1"
-  checksum: 65b5df55a8bab92229ab2b40dad3b387fad24613263d103a97f91c9fe43ceb21965cd3392b1ccb5d77088021e525c4e0481adb309625d0cb94ade1d1fb8dc17e
-  languageName: node
-  linkType: hard
-
-"err-code@npm:^2.0.2":
-  version: 2.0.3
-  resolution: "err-code@npm:2.0.3"
-  checksum: 8b7b1be20d2de12d2255c0bc2ca638b7af5171142693299416e6a9339bd7d88fc8d7707d913d78e0993176005405a236b066b45666b27b797252c771156ace54
-  languageName: node
-  linkType: hard
-
-"errlop@npm:^2.0.0":
-  version: 2.2.0
-  resolution: "errlop@npm:2.2.0"
-  checksum: 9bce5eba67866b168cfbc98de46df4d7ad7a8e75fb12a40ade886d801dbe4c9d5d640a0bb6a41552a47aeda00c26db97182732213d7d523439e10dc6a853bd7d
-  languageName: node
-  linkType: hard
-
-"errno@npm:^0.1.3, errno@npm:~0.1.7":
-  version: 0.1.8
-  resolution: "errno@npm:0.1.8"
-  dependencies:
-    prr: ~1.0.1
-  bin:
-    errno: cli.js
-  checksum: 1271f7b9fbb3bcbec76ffde932485d1e3561856d21d847ec613a9722ee924cdd4e523a62dc71a44174d91e898fe21fdc8d5b50823f4b5e0ce8c35c8271e6ef4a
-  languageName: node
-  linkType: hard
-
-"error-ex@npm:^1.3.1":
-  version: 1.3.2
-  resolution: "error-ex@npm:1.3.2"
-  dependencies:
-    is-arrayish: ^0.2.1
-  checksum: c1c2b8b65f9c91b0f9d75f0debaa7ec5b35c266c2cac5de412c1a6de86d4cbae04ae44e510378cb14d032d0645a36925d0186f8bb7367bcc629db256b743a001
-  languageName: node
-  linkType: hard
-
-"error@npm:^7.0.0":
-  version: 7.2.1
-  resolution: "error@npm:7.2.1"
-  dependencies:
-    string-template: ~0.2.1
-  checksum: 9c790d20a386947acfeabb0d1c39173efe8e5a38cb732b5f06c11a25c23ce8ac4dafbb7aa240565e034580a49aba0703e743d0274c6228500ddf947a1b998568
-  languageName: node
-  linkType: hard
-
-"es-abstract@npm:^1.17.2":
-  version: 1.18.0
-  resolution: "es-abstract@npm:1.18.0"
-  dependencies:
-    call-bind: ^1.0.2
-    es-to-primitive: ^1.2.1
-    function-bind: ^1.1.1
-    get-intrinsic: ^1.1.1
-    has: ^1.0.3
-    has-symbols: ^1.0.2
-    is-callable: ^1.2.3
-    is-negative-zero: ^2.0.1
-    is-regex: ^1.1.2
-    is-string: ^1.0.5
-    object-inspect: ^1.9.0
-    object-keys: ^1.1.1
-    object.assign: ^4.1.2
-    string.prototype.trimend: ^1.0.4
-    string.prototype.trimstart: ^1.0.4
-    unbox-primitive: ^1.0.0
-  checksum: 6783bea97f372fd4f1fc77e4e294d024b9f40559a83b40c46b69565511cf13d462a6189b822228c6bb818bd09d2f23b33500206d39bbdc69f7cc7ffebf6640a1
-  languageName: node
-  linkType: hard
-
-"es-abstract@npm:^1.18.0-next.2, es-abstract@npm:^1.19.1":
-  version: 1.19.1
-  resolution: "es-abstract@npm:1.19.1"
-  dependencies:
-    call-bind: ^1.0.2
-    es-to-primitive: ^1.2.1
-    function-bind: ^1.1.1
-    get-intrinsic: ^1.1.1
-    get-symbol-description: ^1.0.0
-    has: ^1.0.3
-    has-symbols: ^1.0.2
-    internal-slot: ^1.0.3
-    is-callable: ^1.2.4
-    is-negative-zero: ^2.0.1
-    is-regex: ^1.1.4
-    is-shared-array-buffer: ^1.0.1
-    is-string: ^1.0.7
-    is-weakref: ^1.0.1
-    object-inspect: ^1.11.0
-    object-keys: ^1.1.1
-    object.assign: ^4.1.2
-    string.prototype.trimend: ^1.0.4
-    string.prototype.trimstart: ^1.0.4
-    unbox-primitive: ^1.0.1
-  checksum: b6be8410672c5364db3fb01eb786e30c7b4bb32b4af63d381c08840f4382c4a168e7855cd338bf59d4f1a1a1138f4d748d1fd40ec65aaa071876f9e9fbfed949
-  languageName: node
-  linkType: hard
-
-"es-abstract@npm:^1.19.0, es-abstract@npm:^1.20.4":
-  version: 1.21.2
-  resolution: "es-abstract@npm:1.21.2"
-  dependencies:
-    array-buffer-byte-length: ^1.0.0
-    available-typed-arrays: ^1.0.5
-    call-bind: ^1.0.2
-    es-set-tostringtag: ^2.0.1
-    es-to-primitive: ^1.2.1
-    function.prototype.name: ^1.1.5
-    get-intrinsic: ^1.2.0
-    get-symbol-description: ^1.0.0
-    globalthis: ^1.0.3
-    gopd: ^1.0.1
-    has: ^1.0.3
-    has-property-descriptors: ^1.0.0
-    has-proto: ^1.0.1
-    has-symbols: ^1.0.3
-    internal-slot: ^1.0.5
-    is-array-buffer: ^3.0.2
-    is-callable: ^1.2.7
-    is-negative-zero: ^2.0.2
-    is-regex: ^1.1.4
-    is-shared-array-buffer: ^1.0.2
-    is-string: ^1.0.7
-    is-typed-array: ^1.1.10
-    is-weakref: ^1.0.2
-    object-inspect: ^1.12.3
-    object-keys: ^1.1.1
-    object.assign: ^4.1.4
-    regexp.prototype.flags: ^1.4.3
-    safe-regex-test: ^1.0.0
-    string.prototype.trim: ^1.2.7
-    string.prototype.trimend: ^1.0.6
-    string.prototype.trimstart: ^1.0.6
-    typed-array-length: ^1.0.4
-    unbox-primitive: ^1.0.2
-    which-typed-array: ^1.1.9
-  checksum: 037f55ee5e1cdf2e5edbab5524095a4f97144d95b94ea29e3611b77d852fd8c8a40e7ae7101fa6a759a9b9b1405f188c3c70928f2d3cd88d543a07fc0d5ad41a
-  languageName: node
-  linkType: hard
-
-"es-get-iterator@npm:^1.1.3":
-  version: 1.1.3
-  resolution: "es-get-iterator@npm:1.1.3"
-  dependencies:
-    call-bind: ^1.0.2
-    get-intrinsic: ^1.1.3
-    has-symbols: ^1.0.3
-    is-arguments: ^1.1.1
-    is-map: ^2.0.2
-    is-set: ^2.0.2
-    is-string: ^1.0.7
-    isarray: ^2.0.5
-    stop-iteration-iterator: ^1.0.0
-  checksum: 8fa118da42667a01a7c7529f8a8cca514feeff243feec1ce0bb73baaa3514560bd09d2b3438873cf8a5aaec5d52da248131de153b28e2638a061b6e4df13267d
-  languageName: node
-  linkType: hard
-
-"es-module-lexer@npm:^0.9.0":
-  version: 0.9.3
-  resolution: "es-module-lexer@npm:0.9.3"
-  checksum: 84bbab23c396281db2c906c766af58b1ae2a1a2599844a504df10b9e8dc77ec800b3211fdaa133ff700f5703d791198807bba25d9667392d27a5e9feda344da8
-  languageName: node
-  linkType: hard
-
-"es-set-tostringtag@npm:^2.0.1":
-  version: 2.0.1
-  resolution: "es-set-tostringtag@npm:2.0.1"
-  dependencies:
-    get-intrinsic: ^1.1.3
-    has: ^1.0.3
-    has-tostringtag: ^1.0.0
-  checksum: ec416a12948cefb4b2a5932e62093a7cf36ddc3efd58d6c58ca7ae7064475ace556434b869b0bbeb0c365f1032a8ccd577211101234b69837ad83ad204fff884
-  languageName: node
-  linkType: hard
-
-"es-to-primitive@npm:^1.2.1":
-  version: 1.2.1
-  resolution: "es-to-primitive@npm:1.2.1"
-  dependencies:
-    is-callable: ^1.1.4
-    is-date-object: ^1.0.1
-    is-symbol: ^1.0.2
-  checksum: 4ead6671a2c1402619bdd77f3503991232ca15e17e46222b0a41a5d81aebc8740a77822f5b3c965008e631153e9ef0580540007744521e72de8e33599fca2eed
-  languageName: node
-  linkType: hard
-
-"es6-promise@npm:^4.0.3":
-  version: 4.2.8
-  resolution: "es6-promise@npm:4.2.8"
-  checksum: 95614a88873611cb9165a85d36afa7268af5c03a378b35ca7bda9508e1d4f1f6f19a788d4bc755b3fd37c8ebba40782018e02034564ff24c9d6fa37e959ad57d
-  languageName: node
-  linkType: hard
-
-"es6-promisify@npm:^5.0.0":
-  version: 5.0.0
-  resolution: "es6-promisify@npm:5.0.0"
-  dependencies:
-    es6-promise: ^4.0.3
-  checksum: fbed9d791598831413be84a5374eca8c24800ec71a16c1c528c43a98e2dadfb99331483d83ae6094ddb9b87e6f799a15d1553cebf756047e0865c753bc346b92
-  languageName: node
-  linkType: hard
-
-"escalade@npm:^3.1.1":
-  version: 3.1.1
-  resolution: "escalade@npm:3.1.1"
-  checksum: a3e2a99f07acb74b3ad4989c48ca0c3140f69f923e56d0cba0526240ee470b91010f9d39001f2a4a313841d237ede70a729e92125191ba5d21e74b106800b133
-  languageName: node
-  linkType: hard
-
-"escape-html@npm:~1.0.3":
-  version: 1.0.3
-  resolution: "escape-html@npm:1.0.3"
-  checksum: 6213ca9ae00d0ab8bccb6d8d4e0a98e76237b2410302cf7df70aaa6591d509a2a37ce8998008cbecae8fc8ffaadf3fb0229535e6a145f3ce0b211d060decbb24
-  languageName: node
-  linkType: hard
-
-"escape-string-regexp@npm:^1.0.2, escape-string-regexp@npm:^1.0.5":
-  version: 1.0.5
-  resolution: "escape-string-regexp@npm:1.0.5"
-  checksum: 6092fda75c63b110c706b6a9bfde8a612ad595b628f0bd2147eea1d3406723020810e591effc7db1da91d80a71a737a313567c5abb3813e8d9c71f4aa595b410
-  languageName: node
-  linkType: hard
-
-"escape-string-regexp@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "escape-string-regexp@npm:2.0.0"
-  checksum: 9f8a2d5743677c16e85c810e3024d54f0c8dea6424fad3c79ef6666e81dd0846f7437f5e729dfcdac8981bc9e5294c39b4580814d114076b8d36318f46ae4395
-  languageName: node
-  linkType: hard
-
-"escape-string-regexp@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "escape-string-regexp@npm:4.0.0"
-  checksum: 98b48897d93060f2322108bf29db0feba7dd774be96cd069458d1453347b25ce8682ecc39859d4bca2203cc0ab19c237bcc71755eff49a0f8d90beadeeba5cc5
-  languageName: node
-  linkType: hard
-
-"escodegen@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "escodegen@npm:2.0.0"
-  dependencies:
-    esprima: ^4.0.1
-    estraverse: ^5.2.0
-    esutils: ^2.0.2
-    optionator: ^0.8.1
-    source-map: ~0.6.1
-  dependenciesMeta:
-    source-map:
-      optional: true
-  bin:
-    escodegen: bin/escodegen.js
-    esgenerate: bin/esgenerate.js
-  checksum: 5aa6b2966fafe0545e4e77936300cc94ad57cfe4dc4ebff9950492eaba83eef634503f12d7e3cbd644ecc1bab388ad0e92b06fd32222c9281a75d1cf02ec6cef
-  languageName: node
-  linkType: hard
-
-"eslint-config-prettier@npm:^8.8.0":
-  version: 8.8.0
-  resolution: "eslint-config-prettier@npm:8.8.0"
-  peerDependencies:
-    eslint: ">=7.0.0"
-  bin:
-    eslint-config-prettier: bin/cli.js
-  checksum: 1e94c3882c4d5e41e1dcfa2c368dbccbfe3134f6ac7d40101644d3bfbe3eb2f2ffac757f3145910b5eacf20c0e85e02b91293d3126d770cbf3dc390b3564681c
-  languageName: node
-  linkType: hard
-
-"eslint-formatter-kakoune@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "eslint-formatter-kakoune@npm:1.0.0"
-  checksum: 6e83dbd4774f7b7f5d6c6f304d705f9e5d7082b5151d2bb2fb92a8cd3bc1ead0d64f8d05190d08a7442d86e1fe5eca15515f324857f612e4b34994fa5cae0512
-  languageName: node
-  linkType: hard
-
-"eslint-plugin-compat@npm:4.0.2":
-  version: 4.0.2
-  resolution: "eslint-plugin-compat@npm:4.0.2"
-  dependencies:
-    "@mdn/browser-compat-data": ^4.1.5
-    ast-metadata-inferer: ^0.7.0
-    browserslist: ^4.16.8
-    caniuse-lite: ^1.0.30001304
-    core-js: ^3.16.2
-    find-up: ^5.0.0
-    lodash.memoize: 4.1.2
-    semver: 7.3.5
-  peerDependencies:
-    eslint: ^4.0.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0
-  checksum: 2a1c1ebfd2d9a0e94064417f0f582b183d95bad08014e1f39dd1b4b599c1e909872ea344e016ec8fb297fcf8ab5d0c0b10032f1c2d6d4f9fb57a8a9fad67130e
-  languageName: node
-  linkType: hard
-
-"eslint-plugin-ember@npm:^11.5.0":
-  version: 11.10.0
-  resolution: "eslint-plugin-ember@npm:11.10.0"
-  dependencies:
-    "@ember-data/rfc395-data": ^0.0.4
-    "@glimmer/syntax": ^0.84.2
-    css-tree: ^2.0.4
-    ember-rfc176-data: ^0.3.15
-    ember-template-imports: ^3.4.2
-    ember-template-recast: ^6.1.4
-    eslint-utils: ^3.0.0
-    estraverse: ^5.2.0
-    lodash.camelcase: ^4.1.1
-    lodash.kebabcase: ^4.1.1
-    magic-string: ^0.30.0
-    requireindex: ^1.2.0
-    snake-case: ^3.0.3
-  peerDependencies:
-    eslint: ">= 7"
-  checksum: d547ae89d05376d0a852861668fb9c2e119ea892c6b7631a833045146a4ee9f7beb3fe0da03e0edfee4061f90ea7479e7de85a1b29c6e27e958c965280f52807
-  languageName: node
-  linkType: hard
-
-"eslint-plugin-es@npm:^4.1.0":
-  version: 4.1.0
-  resolution: "eslint-plugin-es@npm:4.1.0"
-  dependencies:
-    eslint-utils: ^2.0.0
-    regexpp: ^3.0.0
-  peerDependencies:
-    eslint: ">=4.19.1"
-  checksum: 26b87a216d3625612b1d3ca8653ac8a1d261046d2a973bb0eb2759070267d2bfb0509051facdeb5ae03dc8dfb51a434be23aff7309a752ca901d637da535677f
-  languageName: node
-  linkType: hard
-
-"eslint-plugin-n@npm:^15.7.0":
-  version: 15.7.0
-  resolution: "eslint-plugin-n@npm:15.7.0"
-  dependencies:
-    builtins: ^5.0.1
-    eslint-plugin-es: ^4.1.0
-    eslint-utils: ^3.0.0
-    ignore: ^5.1.1
-    is-core-module: ^2.11.0
-    minimatch: ^3.1.2
-    resolve: ^1.22.1
-    semver: ^7.3.8
-  peerDependencies:
-    eslint: ">=7.0.0"
-  checksum: cfbcc67e62adf27712afdeadf13223cb9717f95d4af8442056d9d4c97a8b88af76b7969f75deaac26fa98481023d6b7c9e43a28909e7f0468f40b3024b7bcfae
-  languageName: node
-  linkType: hard
-
-"eslint-plugin-prettier@npm:^4.2.1":
-  version: 4.2.1
-  resolution: "eslint-plugin-prettier@npm:4.2.1"
-  dependencies:
-    prettier-linter-helpers: ^1.0.0
-  peerDependencies:
-    eslint: ">=7.28.0"
-    prettier: ">=2.0.0"
-  peerDependenciesMeta:
-    eslint-config-prettier:
-      optional: true
-  checksum: b9e839d2334ad8ec7a5589c5cb0f219bded260839a857d7a486997f9870e95106aa59b8756ff3f37202085ebab658de382b0267cae44c3a7f0eb0bcc03a4f6d6
-  languageName: node
-  linkType: hard
-
-"eslint-plugin-qunit@npm:^7.3.4":
-  version: 7.3.4
-  resolution: "eslint-plugin-qunit@npm:7.3.4"
-  dependencies:
-    eslint-utils: ^3.0.0
-    requireindex: ^1.2.0
-  checksum: 078dae3d93b7e395c3409cf5855281cca994cbeaacd3e956697cf0ca14c4b45275e20d846173fe76d77655e5e7382b2287a5a324c190a425e4631b745312d5b7
-  languageName: node
-  linkType: hard
-
-"eslint-scope@npm:5.1.1, eslint-scope@npm:^5.1.1":
-  version: 5.1.1
-  resolution: "eslint-scope@npm:5.1.1"
-  dependencies:
-    esrecurse: ^4.3.0
-    estraverse: ^4.1.1
-  checksum: 47e4b6a3f0cc29c7feedee6c67b225a2da7e155802c6ea13bbef4ac6b9e10c66cd2dcb987867ef176292bf4e64eccc680a49e35e9e9c669f4a02bac17e86abdb
-  languageName: node
-  linkType: hard
-
-"eslint-scope@npm:^4.0.3":
-  version: 4.0.3
-  resolution: "eslint-scope@npm:4.0.3"
-  dependencies:
-    esrecurse: ^4.1.0
-    estraverse: ^4.1.1
-  checksum: c5f835f681884469991fe58d76a554688d9c9e50811299ccd4a8f79993a039f5bcb0ee6e8de2b0017d97c794b5832ef3b21c9aac66228e3aa0f7a0485bcfb65b
-  languageName: node
-  linkType: hard
-
-"eslint-scope@npm:^7.0.0, eslint-scope@npm:^7.1.1":
-  version: 7.1.1
-  resolution: "eslint-scope@npm:7.1.1"
-  dependencies:
-    esrecurse: ^4.3.0
-    estraverse: ^5.2.0
-  checksum: 9f6e974ab2db641ca8ab13508c405b7b859e72afe9f254e8131ff154d2f40c99ad4545ce326fd9fde3212ff29707102562a4834f1c48617b35d98c71a97fbf3e
-  languageName: node
-  linkType: hard
-
-"eslint-scope@npm:^7.2.0":
-  version: 7.2.1
-  resolution: "eslint-scope@npm:7.2.1"
-  dependencies:
-    esrecurse: ^4.3.0
-    estraverse: ^5.2.0
-  checksum: dccda5c8909216f6261969b72c77b95e385f9086bed4bc09d8a6276df8439d8f986810fd9ac3bd02c94c0572cefc7fdbeae392c69df2e60712ab8263986522c5
-  languageName: node
-  linkType: hard
-
-"eslint-utils@npm:^1.4.1":
-  version: 1.4.3
-  resolution: "eslint-utils@npm:1.4.3"
-  dependencies:
-    eslint-visitor-keys: ^1.1.0
-  checksum: a20630e686034107138272f245c460f6d77705d1f4bb0628c1a1faf59fc800f441188916b3ec3b957394dc405aa200a3017dfa2b0fff0976e307a4e645a18d1e
-  languageName: node
-  linkType: hard
-
-"eslint-visitor-keys@npm:^1.1.0":
-  version: 1.3.0
-  resolution: "eslint-visitor-keys@npm:1.3.0"
-  checksum: 37a19b712f42f4c9027e8ba98c2b06031c17e0c0a4c696cd429bd9ee04eb43889c446f2cd545e1ff51bef9593fcec94ecd2c2ef89129fcbbf3adadbef520376a
-  languageName: node
-  linkType: hard
-
-"eslint-visitor-keys@npm:^2.1.0":
-  version: 2.1.0
-  resolution: "eslint-visitor-keys@npm:2.1.0"
-  checksum: e3081d7dd2611a35f0388bbdc2f5da60b3a3c5b8b6e928daffff7391146b434d691577aa95064c8b7faad0b8a680266bcda0a42439c18c717b80e6718d7e267d
-  languageName: node
-  linkType: hard
-
-"eslint-visitor-keys@npm:^3.1.0, eslint-visitor-keys@npm:^3.3.0":
-  version: 3.3.0
-  resolution: "eslint-visitor-keys@npm:3.3.0"
-  checksum: d59e68a7c5a6d0146526b0eec16ce87fbf97fe46b8281e0d41384224375c4e52f5ffb9e16d48f4ea50785cde93f766b0c898e31ab89978d88b0e1720fbfb7808
-  languageName: node
-  linkType: hard
-
-"eslint-visitor-keys@npm:^3.4.1":
-  version: 3.4.1
-  resolution: "eslint-visitor-keys@npm:3.4.1"
-  checksum: f05121d868202736b97de7d750847a328fcfa8593b031c95ea89425333db59676ac087fa905eba438d0a3c5769632f828187e0c1a0d271832a2153c1d3661c2c
-  languageName: node
-  linkType: hard
-
-"eslint@npm:^8.21.0, eslint@npm:^8.7.0":
-  version: 8.27.0
-  resolution: "eslint@npm:8.27.0"
-  dependencies:
-    "@eslint/eslintrc": ^1.3.3
-    "@humanwhocodes/config-array": ^0.11.6
-    "@humanwhocodes/module-importer": ^1.0.1
-    "@nodelib/fs.walk": ^1.2.8
-    ajv: ^6.10.0
-    chalk: ^4.0.0
-    cross-spawn: ^7.0.2
-    debug: ^4.3.2
-    doctrine: ^3.0.0
-    escape-string-regexp: ^4.0.0
-    eslint-scope: ^7.1.1
-    eslint-utils: ^3.0.0
-    eslint-visitor-keys: ^3.3.0
-    espree: ^9.4.0
-    esquery: ^1.4.0
-    esutils: ^2.0.2
-    fast-deep-equal: ^3.1.3
-    file-entry-cache: ^6.0.1
-    find-up: ^5.0.0
-    glob-parent: ^6.0.2
-    globals: ^13.15.0
-    grapheme-splitter: ^1.0.4
-    ignore: ^5.2.0
-    import-fresh: ^3.0.0
-    imurmurhash: ^0.1.4
-    is-glob: ^4.0.0
-    is-path-inside: ^3.0.3
-    js-sdsl: ^4.1.4
-    js-yaml: ^4.1.0
-    json-stable-stringify-without-jsonify: ^1.0.1
-    levn: ^0.4.1
-    lodash.merge: ^4.6.2
-    minimatch: ^3.1.2
-    natural-compare: ^1.4.0
-    optionator: ^0.9.1
-    regexpp: ^3.2.0
-    strip-ansi: ^6.0.1
-    strip-json-comments: ^3.1.0
-    text-table: ^0.2.0
-  bin:
-    eslint: bin/eslint.js
-  checksum: 153b022d309e1b647a73b1bb0fa98912add699b06e279084155f23c6f2b5fc5abd05411fc1ba81608a24bbfaf044ca079544c16fffa6fc987b8f676c9960a2c4
-  languageName: node
-  linkType: hard
-
-"eslint@npm:^8.37.0":
-  version: 8.45.0
-  resolution: "eslint@npm:8.45.0"
-  dependencies:
-    "@eslint-community/eslint-utils": ^4.2.0
-    "@eslint-community/regexpp": ^4.4.0
-    "@eslint/eslintrc": ^2.1.0
-    "@eslint/js": 8.44.0
-    "@humanwhocodes/config-array": ^0.11.10
-    "@humanwhocodes/module-importer": ^1.0.1
-    "@nodelib/fs.walk": ^1.2.8
-    ajv: ^6.10.0
-    chalk: ^4.0.0
-    cross-spawn: ^7.0.2
-    debug: ^4.3.2
-    doctrine: ^3.0.0
-    escape-string-regexp: ^4.0.0
-    eslint-scope: ^7.2.0
-    eslint-visitor-keys: ^3.4.1
-    espree: ^9.6.0
-    esquery: ^1.4.2
-    esutils: ^2.0.2
-    fast-deep-equal: ^3.1.3
-    file-entry-cache: ^6.0.1
-    find-up: ^5.0.0
-    glob-parent: ^6.0.2
-    globals: ^13.19.0
-    graphemer: ^1.4.0
-    ignore: ^5.2.0
-    imurmurhash: ^0.1.4
-    is-glob: ^4.0.0
-    is-path-inside: ^3.0.3
-    js-yaml: ^4.1.0
-    json-stable-stringify-without-jsonify: ^1.0.1
-    levn: ^0.4.1
-    lodash.merge: ^4.6.2
-    minimatch: ^3.1.2
-    natural-compare: ^1.4.0
-    optionator: ^0.9.3
-    strip-ansi: ^6.0.1
-    text-table: ^0.2.0
-  bin:
-    eslint: bin/eslint.js
-  checksum: 3e6dcce5cc43c5e301662db88ee26d1d188b22c177b9f104d7eefd1191236980bd953b3670fe2fac287114b26d7c5420ab48407d7ea1c3a446d6313c000009da
-  languageName: node
-  linkType: hard
-
-"esm@npm:^3.2.4":
-  version: 3.2.25
-  resolution: "esm@npm:3.2.25"
-  checksum: 978aabe2de83541c105605a6d60a26ed8e627ef6bb0a7605fe15a95bbdea6b8348bd045255cb22219c054dd09a81a94823df00843d9e97f42419c92015ce3a64
-  languageName: node
-  linkType: hard
-
-"espree@npm:^9.0.0, espree@npm:^9.4.0":
-  version: 9.4.1
-  resolution: "espree@npm:9.4.1"
-  dependencies:
-    acorn: ^8.8.0
-    acorn-jsx: ^5.3.2
-    eslint-visitor-keys: ^3.3.0
-  checksum: 4d266b0cf81c7dfe69e542c7df0f246e78d29f5b04dda36e514eb4c7af117ee6cfbd3280e560571ed82ff6c9c3f0003c05b82583fc7a94006db7497c4fe4270e
-  languageName: node
-  linkType: hard
-
-"espree@npm:^9.6.0":
-  version: 9.6.1
-  resolution: "espree@npm:9.6.1"
-  dependencies:
-    acorn: ^8.9.0
-    acorn-jsx: ^5.3.2
-    eslint-visitor-keys: ^3.4.1
-  checksum: eb8c149c7a2a77b3f33a5af80c10875c3abd65450f60b8af6db1bfcfa8f101e21c1e56a561c6dc13b848e18148d43469e7cd208506238554fb5395a9ea5a1ab9
-  languageName: node
-  linkType: hard
-
-"esprima@npm:^4.0.0, esprima@npm:^4.0.1, esprima@npm:~4.0.0":
-  version: 4.0.1
-  resolution: "esprima@npm:4.0.1"
-  bin:
-    esparse: ./bin/esparse.js
-    esvalidate: ./bin/esvalidate.js
-  checksum: b45bc805a613dbea2835278c306b91aff6173c8d034223fa81498c77dcbce3b2931bf6006db816f62eacd9fd4ea975dfd85a5b7f3c6402cfd050d4ca3c13a628
-  languageName: node
-  linkType: hard
-
-"esprima@npm:~3.0.0":
-  version: 3.0.0
-  resolution: "esprima@npm:3.0.0"
-  bin:
-    esparse: ./bin/esparse.js
-    esvalidate: ./bin/esvalidate.js
-  checksum: d6d65bc4ec29f1278357013117f944742e06905989d4fd023c4378d11e631c1a990ecea9c3dc394091ab183d8f23b5e9b3ab7f7816643d8dffb35b1bcef9d334
-  languageName: node
-  linkType: hard
-
-"esquery@npm:^1.4.0":
-  version: 1.4.0
-  resolution: "esquery@npm:1.4.0"
-  dependencies:
-    estraverse: ^5.1.0
-  checksum: a0807e17abd7fbe5fbd4fab673038d6d8a50675cdae6b04fbaa520c34581be0c5fa24582990e8acd8854f671dd291c78bb2efb9e0ed5b62f33bac4f9cf820210
-  languageName: node
-  linkType: hard
-
-"esquery@npm:^1.4.2":
-  version: 1.5.0
-  resolution: "esquery@npm:1.5.0"
-  dependencies:
-    estraverse: ^5.1.0
-  checksum: aefb0d2596c230118656cd4ec7532d447333a410a48834d80ea648b1e7b5c9bc9ed8b5e33a89cb04e487b60d622f44cf5713bf4abed7c97343edefdc84a35900
-  languageName: node
-  linkType: hard
-
-"esrecurse@npm:^4.1.0, esrecurse@npm:^4.3.0":
-  version: 4.3.0
-  resolution: "esrecurse@npm:4.3.0"
-  dependencies:
-    estraverse: ^5.2.0
-  checksum: ebc17b1a33c51cef46fdc28b958994b1dc43cd2e86237515cbc3b4e5d2be6a811b2315d0a1a4d9d340b6d2308b15322f5c8291059521cc5f4802f65e7ec32837
-  languageName: node
-  linkType: hard
-
-"estraverse@npm:^4.1.1":
-  version: 4.3.0
-  resolution: "estraverse@npm:4.3.0"
-  checksum: a6299491f9940bb246124a8d44b7b7a413a8336f5436f9837aaa9330209bd9ee8af7e91a654a3545aee9c54b3308e78ee360cef1d777d37cfef77d2fa33b5827
-  languageName: node
-  linkType: hard
-
-"estraverse@npm:^5.1.0, estraverse@npm:^5.2.0":
-  version: 5.2.0
-  resolution: "estraverse@npm:5.2.0"
-  checksum: ec11b70d946bf5d7f76f91db38ef6f08109ac1b36cda293a26e678e58df4719f57f67b9ec87042afdd1f0267cee91865be3aa48d2161765a93defab5431be7b8
-  languageName: node
-  linkType: hard
-
-"estree-walker@npm:^0.6.1":
-  version: 0.6.1
-  resolution: "estree-walker@npm:0.6.1"
-  checksum: 9d6f82a4921f11eec18f8089fb3cce6e53bcf45a8e545c42a2674d02d055fb30f25f90495f8be60803df6c39680c80dcee7f944526867eb7aa1fc9254883b23d
-  languageName: node
-  linkType: hard
-
-"esutils@npm:^2.0.2":
-  version: 2.0.3
-  resolution: "esutils@npm:2.0.3"
-  checksum: 22b5b08f74737379a840b8ed2036a5fb35826c709ab000683b092d9054e5c2a82c27818f12604bfc2a9a76b90b6834ef081edbc1c7ae30d1627012e067c6ec87
-  languageName: node
-  linkType: hard
-
-"etag@npm:~1.8.1":
-  version: 1.8.1
-  resolution: "etag@npm:1.8.1"
-  checksum: 571aeb3dbe0f2bbd4e4fadbdb44f325fc75335cd5f6f6b6a091e6a06a9f25ed5392f0863c5442acb0646787446e816f13cbfc6edce5b07658541dff573cab1ff
-  languageName: node
-  linkType: hard
-
-"eventemitter3@npm:^4.0.0":
-  version: 4.0.7
-  resolution: "eventemitter3@npm:4.0.7"
-  checksum: 1875311c42fcfe9c707b2712c32664a245629b42bb0a5a84439762dd0fd637fc54d078155ea83c2af9e0323c9ac13687e03cfba79b03af9f40c89b4960099374
-  languageName: node
-  linkType: hard
-
-"events-to-array@npm:^1.0.1":
-  version: 1.1.2
-  resolution: "events-to-array@npm:1.1.2"
-  checksum: c4f5f0f6d0c8658b96f940f703ac9c8c99effca1dd7b1f8eb030be7a940725b42a72fa5eb405961c171c2e9e1d5b7efa9a75be5cdaba88f3fc0fcce59d0e6a0f
-  languageName: node
-  linkType: hard
-
-"events@npm:^3.0.0, events@npm:^3.2.0":
-  version: 3.3.0
-  resolution: "events@npm:3.3.0"
-  checksum: f6f487ad2198aa41d878fa31452f1a3c00958f46e9019286ff4787c84aac329332ab45c9cdc8c445928fc6d7ded294b9e005a7fce9426488518017831b272780
-  languageName: node
-  linkType: hard
-
-"evp_bytestokey@npm:^1.0.0, evp_bytestokey@npm:^1.0.3":
-  version: 1.0.3
-  resolution: "evp_bytestokey@npm:1.0.3"
-  dependencies:
-    md5.js: ^1.3.4
-    node-gyp: latest
-    safe-buffer: ^5.1.1
-  checksum: ad4e1577f1a6b721c7800dcc7c733fe01f6c310732bb5bf2240245c2a5b45a38518b91d8be2c610611623160b9d1c0e91f1ce96d639f8b53e8894625cf20fa45
-  languageName: node
-  linkType: hard
-
-"exec-sh@npm:^0.3.2, exec-sh@npm:^0.3.4":
-  version: 0.3.6
-  resolution: "exec-sh@npm:0.3.6"
-  checksum: 0be4f06929c8e4834ea4812f29fe59e2dfcc1bc3fc4b4bb71acb38a500c3b394628a05ef7ba432520bc6c5ec4fadab00cc9c513c4ff6a32104965af302e998e0
-  languageName: node
-  linkType: hard
-
-"execa@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "execa@npm:1.0.0"
-  dependencies:
-    cross-spawn: ^6.0.0
-    get-stream: ^4.0.0
-    is-stream: ^1.1.0
-    npm-run-path: ^2.0.0
-    p-finally: ^1.0.0
-    signal-exit: ^3.0.0
-    strip-eof: ^1.0.0
-  checksum: ddf1342c1c7d02dd93b41364cd847640f6163350d9439071abf70bf4ceb1b9b2b2e37f54babb1d8dc1df8e0d8def32d0e81e74a2e62c3e1d70c303eb4c306bc4
-  languageName: node
-  linkType: hard
-
-"execa@npm:^2.0.0":
-  version: 2.1.0
-  resolution: "execa@npm:2.1.0"
-  dependencies:
-    cross-spawn: ^7.0.0
-    get-stream: ^5.0.0
-    is-stream: ^2.0.0
-    merge-stream: ^2.0.0
-    npm-run-path: ^3.0.0
-    onetime: ^5.1.0
-    p-finally: ^2.0.0
-    signal-exit: ^3.0.2
-    strip-final-newline: ^2.0.0
-  checksum: 93af9b816a555d0944e0876f4ccd97e0f4593d2049e713518fd5458a7699836449c516c6bb7e6357e11431ec40cce3150625b86d1b1254180faaa0d744265eca
-  languageName: node
-  linkType: hard
-
-"execa@npm:^3.0.0":
-  version: 3.4.0
-  resolution: "execa@npm:3.4.0"
-  dependencies:
-    cross-spawn: ^7.0.0
-    get-stream: ^5.0.0
-    human-signals: ^1.1.1
-    is-stream: ^2.0.0
-    merge-stream: ^2.0.0
-    npm-run-path: ^4.0.0
-    onetime: ^5.1.0
-    p-finally: ^2.0.0
-    signal-exit: ^3.0.2
-    strip-final-newline: ^2.0.0
-  checksum: 72832ff72f79f9082dc3567775cbb52f4682452f7d8015714d924e476a37c36a98183fd669317327ed2e7800ffe7ec2a7be4bfe704a2173ef22ae00109fe9123
-  languageName: node
-  linkType: hard
-
-"execa@npm:^4.0.0, execa@npm:^4.1.0":
-  version: 4.1.0
-  resolution: "execa@npm:4.1.0"
-  dependencies:
-    cross-spawn: ^7.0.0
-    get-stream: ^5.0.0
-    human-signals: ^1.1.1
-    is-stream: ^2.0.0
-    merge-stream: ^2.0.0
-    npm-run-path: ^4.0.0
-    onetime: ^5.1.0
-    signal-exit: ^3.0.2
-    strip-final-newline: ^2.0.0
-  checksum: e30d298934d9c52f90f3847704fd8224e849a081ab2b517bbc02f5f7732c24e56a21f14cb96a08256deffeb2d12b2b7cb7e2b014a12fb36f8d3357e06417ed55
-  languageName: node
-  linkType: hard
-
-"execa@npm:^5.1.1":
-  version: 5.1.1
-  resolution: "execa@npm:5.1.1"
-  dependencies:
-    cross-spawn: ^7.0.3
-    get-stream: ^6.0.0
-    human-signals: ^2.1.0
-    is-stream: ^2.0.0
-    merge-stream: ^2.0.0
-    npm-run-path: ^4.0.1
-    onetime: ^5.1.2
-    signal-exit: ^3.0.3
-    strip-final-newline: ^2.0.0
-  checksum: fba9022c8c8c15ed862847e94c252b3d946036d7547af310e344a527e59021fd8b6bb0723883ea87044dc4f0201f949046993124a42ccb0855cae5bf8c786343
-  languageName: node
-  linkType: hard
-
-"exists-sync@npm:0.0.4":
-  version: 0.0.4
-  resolution: "exists-sync@npm:0.0.4"
-  checksum: bb80d4570253bd1f932f3d62adada3acd7df9dddeba1c19181ed2f77111cad48e02913c341cac5079ad97e03b718f92a69b8e427946d7939c9487299a62035b4
-  languageName: node
-  linkType: hard
-
-"exit@npm:^0.1.2":
-  version: 0.1.2
-  resolution: "exit@npm:0.1.2"
-  checksum: abc407f07a875c3961e4781dfcb743b58d6c93de9ab263f4f8c9d23bb6da5f9b7764fc773f86b43dd88030444d5ab8abcb611cb680fba8ca075362b77114bba3
-  languageName: node
-  linkType: hard
-
-"expand-brackets@npm:^2.1.4":
-  version: 2.1.4
-  resolution: "expand-brackets@npm:2.1.4"
-  dependencies:
-    debug: ^2.3.3
-    define-property: ^0.2.5
-    extend-shallow: ^2.0.1
-    posix-character-classes: ^0.1.0
-    regex-not: ^1.0.0
-    snapdragon: ^0.8.1
-    to-regex: ^3.0.1
-  checksum: 1781d422e7edfa20009e2abda673cadb040a6037f0bd30fcd7357304f4f0c284afd420d7622722ca4a016f39b6d091841ab57b401c1f7e2e5131ac65b9f14fa1
-  languageName: node
-  linkType: hard
-
-"expand-tilde@npm:^2.0.0, expand-tilde@npm:^2.0.2":
-  version: 2.0.2
-  resolution: "expand-tilde@npm:2.0.2"
-  dependencies:
-    homedir-polyfill: ^1.0.1
-  checksum: 2efe6ed407d229981b1b6ceb552438fbc9e5c7d6a6751ad6ced3e0aa5cf12f0b299da695e90d6c2ac79191b5c53c613e508f7149e4573abfbb540698ddb7301a
-  languageName: node
-  linkType: hard
-
-"express@npm:^4.10.7":
-  version: 4.17.1
-  resolution: "express@npm:4.17.1"
-  dependencies:
-    accepts: ~1.3.7
-    array-flatten: 1.1.1
-    body-parser: 1.19.0
-    content-disposition: 0.5.3
-    content-type: ~1.0.4
-    cookie: 0.4.0
-    cookie-signature: 1.0.6
-    debug: 2.6.9
-    depd: ~1.1.2
-    encodeurl: ~1.0.2
-    escape-html: ~1.0.3
-    etag: ~1.8.1
-    finalhandler: ~1.1.2
-    fresh: 0.5.2
-    merge-descriptors: 1.0.1
-    methods: ~1.1.2
-    on-finished: ~2.3.0
-    parseurl: ~1.3.3
-    path-to-regexp: 0.1.7
-    proxy-addr: ~2.0.5
-    qs: 6.7.0
-    range-parser: ~1.2.1
-    safe-buffer: 5.1.2
-    send: 0.17.1
-    serve-static: 1.14.1
-    setprototypeof: 1.1.1
-    statuses: ~1.5.0
-    type-is: ~1.6.18
-    utils-merge: 1.0.1
-    vary: ~1.1.2
-  checksum: d964e9e17af331ea6fa2f84999b063bc47189dd71b4a735df83f9126d3bb2b92e830f1cb1d7c2742530eb625e2689d7a9a9c71f0c3cc4dd6015c3cd32a01abd5
-  languageName: node
-  linkType: hard
-
-"express@npm:^4.18.1":
-  version: 4.18.2
-  resolution: "express@npm:4.18.2"
-  dependencies:
-    accepts: ~1.3.8
-    array-flatten: 1.1.1
-    body-parser: 1.20.1
-    content-disposition: 0.5.4
-    content-type: ~1.0.4
-    cookie: 0.5.0
-    cookie-signature: 1.0.6
-    debug: 2.6.9
-    depd: 2.0.0
-    encodeurl: ~1.0.2
-    escape-html: ~1.0.3
-    etag: ~1.8.1
-    finalhandler: 1.2.0
-    fresh: 0.5.2
-    http-errors: 2.0.0
-    merge-descriptors: 1.0.1
-    methods: ~1.1.2
-    on-finished: 2.4.1
-    parseurl: ~1.3.3
-    path-to-regexp: 0.1.7
-    proxy-addr: ~2.0.7
-    qs: 6.11.0
-    range-parser: ~1.2.1
-    safe-buffer: 5.2.1
-    send: 0.18.0
-    serve-static: 1.15.0
-    setprototypeof: 1.2.0
-    statuses: 2.0.1
-    type-is: ~1.6.18
-    utils-merge: 1.0.1
-    vary: ~1.1.2
-  checksum: 3c4b9b076879442f6b968fe53d85d9f1eeacbb4f4c41e5f16cc36d77ce39a2b0d81b3f250514982110d815b2f7173f5561367f9110fcc541f9371948e8c8b037
-  languageName: node
-  linkType: hard
-
-"extend-shallow@npm:^2.0.1":
-  version: 2.0.1
-  resolution: "extend-shallow@npm:2.0.1"
-  dependencies:
-    is-extendable: ^0.1.0
-  checksum: 8fb58d9d7a511f4baf78d383e637bd7d2e80843bd9cd0853649108ea835208fb614da502a553acc30208e1325240bb7cc4a68473021612496bb89725483656d8
-  languageName: node
-  linkType: hard
-
-"extend-shallow@npm:^3.0.0, extend-shallow@npm:^3.0.2":
-  version: 3.0.2
-  resolution: "extend-shallow@npm:3.0.2"
-  dependencies:
-    assign-symbols: ^1.0.0
-    is-extendable: ^1.0.1
-  checksum: a920b0cd5838a9995ace31dfd11ab5e79bf6e295aa566910ce53dff19f4b1c0fda2ef21f26b28586c7a2450ca2b42d97bd8c0f5cec9351a819222bf861e02461
-  languageName: node
-  linkType: hard
-
-"extend@npm:^3.0.0, extend@npm:~3.0.2":
-  version: 3.0.2
-  resolution: "extend@npm:3.0.2"
-  checksum: a50a8309ca65ea5d426382ff09f33586527882cf532931cb08ca786ea3146c0553310bda688710ff61d7668eba9f96b923fe1420cdf56a2c3eaf30fcab87b515
-  languageName: node
-  linkType: hard
-
-"external-editor@npm:^3.0.3":
-  version: 3.1.0
-  resolution: "external-editor@npm:3.1.0"
-  dependencies:
-    chardet: ^0.7.0
-    iconv-lite: ^0.4.24
-    tmp: ^0.0.33
-  checksum: 1c2a616a73f1b3435ce04030261bed0e22d4737e14b090bb48e58865da92529c9f2b05b893de650738d55e692d071819b45e1669259b2b354bc3154d27a698c7
-  languageName: node
-  linkType: hard
-
-"extglob@npm:^2.0.4":
-  version: 2.0.4
-  resolution: "extglob@npm:2.0.4"
-  dependencies:
-    array-unique: ^0.3.2
-    define-property: ^1.0.0
-    expand-brackets: ^2.1.4
-    extend-shallow: ^2.0.1
-    fragment-cache: ^0.2.1
-    regex-not: ^1.0.0
-    snapdragon: ^0.8.1
-    to-regex: ^3.0.1
-  checksum: a41531b8934735b684cef5e8c5a01d0f298d7d384500ceca38793a9ce098125aab04ee73e2d75d5b2901bc5dddd2b64e1b5e3bf19139ea48bac52af4a92f1d00
-  languageName: node
-  linkType: hard
-
-"extract-stack@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "extract-stack@npm:2.0.0"
-  checksum: 16a45ae6cfe7fe105061f192124cb7d98653728d81827426c4f900763f9fda56c13dd9048de6838107898536b969d1c6f98028fcf4092e542fa2616d4dacb34d
-  languageName: node
-  linkType: hard
-
-"extsprintf@npm:1.3.0":
-  version: 1.3.0
-  resolution: "extsprintf@npm:1.3.0"
-  checksum: cee7a4a1e34cffeeec18559109de92c27517e5641991ec6bab849aa64e3081022903dd53084f2080d0d2530803aa5ee84f1e9de642c365452f9e67be8f958ce2
-  languageName: node
-  linkType: hard
-
-"extsprintf@npm:^1.2.0":
-  version: 1.4.0
-  resolution: "extsprintf@npm:1.4.0"
-  checksum: 184dc8a413eb4b1ff16bdce797340e7ded4d28511d56a1c9afa5a95bcff6ace154063823eaf0206dbbb0d14059d74f382a15c34b7c0636fa74a7e681295eb67e
-  languageName: node
-  linkType: hard
-
-"fake-xml-http-request@npm:^2.1.1, fake-xml-http-request@npm:^2.1.2":
-  version: 2.1.2
-  resolution: "fake-xml-http-request@npm:2.1.2"
-  checksum: 7b1ebea1955c46cbda0e0c3308716cc82beca7bb6c549f1d1c2a8134203c9d6c5a21194e2c1e17650ff073ecbcd3e56cf1e21f248a86cbcb3567fd7a9ca4850e
-  languageName: node
-  linkType: hard
-
-"fast-deep-equal@npm:^3.1.1, fast-deep-equal@npm:^3.1.3":
-  version: 3.1.3
-  resolution: "fast-deep-equal@npm:3.1.3"
-  checksum: e21a9d8d84f53493b6aa15efc9cfd53dd5b714a1f23f67fb5dc8f574af80df889b3bce25dc081887c6d25457cce704e636395333abad896ccdec03abaf1f3f9d
-  languageName: node
-  linkType: hard
-
-"fast-diff@npm:^1.1.2":
-  version: 1.2.0
-  resolution: "fast-diff@npm:1.2.0"
-  checksum: 1b5306eaa9e826564d9e5ffcd6ebd881eb5f770b3f977fcbf38f05c824e42172b53c79920e8429c54eb742ce15a0caf268b0fdd5b38f6de52234c4a8368131ae
-  languageName: node
-  linkType: hard
-
-"fast-glob@npm:^3.0.3, fast-glob@npm:^3.1.1":
-  version: 3.2.5
-  resolution: "fast-glob@npm:3.2.5"
-  dependencies:
-    "@nodelib/fs.stat": ^2.0.2
-    "@nodelib/fs.walk": ^1.2.3
-    glob-parent: ^5.1.0
-    merge2: ^1.3.0
-    micromatch: ^4.0.2
-    picomatch: ^2.2.1
-  checksum: 5d6772c9b63dbb739d60b5630851e1f2cbf9744119e0968eac44c9f8cbc2d3d5cb4f2f0c74715ccb23daa336c87bea42186ed367e6c991afee61cd3d967320eb
-  languageName: node
-  linkType: hard
-
-"fast-glob@npm:^3.2.9":
-  version: 3.2.12
-  resolution: "fast-glob@npm:3.2.12"
-  dependencies:
-    "@nodelib/fs.stat": ^2.0.2
-    "@nodelib/fs.walk": ^1.2.3
-    glob-parent: ^5.1.2
-    merge2: ^1.3.0
-    micromatch: ^4.0.4
-  checksum: 0b1990f6ce831c7e28c4d505edcdaad8e27e88ab9fa65eedadb730438cfc7cde4910d6c975d6b7b8dc8a73da4773702ebcfcd6e3518e73938bb1383badfe01c2
-  languageName: node
-  linkType: hard
-
-"fast-glob@npm:^3.3.0":
-  version: 3.3.0
-  resolution: "fast-glob@npm:3.3.0"
-  dependencies:
-    "@nodelib/fs.stat": ^2.0.2
-    "@nodelib/fs.walk": ^1.2.3
-    glob-parent: ^5.1.2
-    merge2: ^1.3.0
-    micromatch: ^4.0.4
-  checksum: 20df62be28eb5426fe8e40e0d05601a63b1daceb7c3d87534afcad91bdcf1e4b1743cf2d5247d6e225b120b46df0b9053a032b2691ba34ee121e033acd81f547
-  languageName: node
-  linkType: hard
-
-"fast-json-stable-stringify@npm:^2.0.0":
-  version: 2.1.0
-  resolution: "fast-json-stable-stringify@npm:2.1.0"
-  checksum: b191531e36c607977e5b1c47811158733c34ccb3bfde92c44798929e9b4154884378536d26ad90dfecd32e1ffc09c545d23535ad91b3161a27ddbb8ebe0cbecb
-  languageName: node
-  linkType: hard
-
-"fast-levenshtein@npm:^2.0.6, fast-levenshtein@npm:~2.0.6":
-  version: 2.0.6
-  resolution: "fast-levenshtein@npm:2.0.6"
-  checksum: 92cfec0a8dfafd9c7a15fba8f2cc29cd0b62b85f056d99ce448bbcd9f708e18ab2764bda4dd5158364f4145a7c72788538994f0d1787b956ef0d1062b0f7c24c
-  languageName: node
-  linkType: hard
-
-"fast-ordered-set@npm:^1.0.0, fast-ordered-set@npm:^1.0.2":
-  version: 1.0.3
-  resolution: "fast-ordered-set@npm:1.0.3"
-  dependencies:
-    blank-object: ^1.0.1
-  checksum: c94a229e1c005746cd5cc920ff48003afade14210c0b7453d1d35542b46ed6e4111b94ae3673a664ff2a46835f75d73fa577a98a44e6a4624387735990454f6e
-  languageName: node
-  linkType: hard
-
-"fast-sourcemap-concat@npm:^1.4.0":
-  version: 1.4.0
-  resolution: "fast-sourcemap-concat@npm:1.4.0"
-  dependencies:
-    chalk: ^2.0.0
-    fs-extra: ^5.0.0
-    heimdalljs-logger: ^0.1.9
-    memory-streams: ^0.1.3
-    mkdirp: ^0.5.0
-    source-map: ^0.4.2
-    source-map-url: ^0.3.0
-    sourcemap-validator: ^1.1.0
-  checksum: d657d8cf5bf23a41a77014e795babfbca77a025ec3840437c42efa882f23f6fad023fdf6108672adc0f7e183c1b619b8dc28de7e297beebebb28aee3bb43be75
-  languageName: node
-  linkType: hard
-
-"fast-sourcemap-concat@npm:^2.1.0":
-  version: 2.1.0
-  resolution: "fast-sourcemap-concat@npm:2.1.0"
-  dependencies:
-    chalk: ^2.0.0
-    fs-extra: ^5.0.0
-    heimdalljs-logger: ^0.1.9
-    memory-streams: ^0.1.3
-    mkdirp: ^0.5.0
-    source-map: ^0.4.2
-    source-map-url: ^0.3.0
-    sourcemap-validator: ^1.1.0
-  checksum: d8ee2f37ec483f4ff30988186497652e065df81f2286c3f11e2934209736d3662d9f8140d8d1d41cfb9529aff9f1a9a7960d08ac2d92f6fb2ffba3358f32f4d4
-  languageName: node
-  linkType: hard
-
-"fastest-levenshtein@npm:^1.0.16":
-  version: 1.0.16
-  resolution: "fastest-levenshtein@npm:1.0.16"
-  checksum: a78d44285c9e2ae2c25f3ef0f8a73f332c1247b7ea7fb4a191e6bb51aa6ee1ef0dfb3ed113616dcdc7023e18e35a8db41f61c8d88988e877cf510df8edafbc71
-  languageName: node
-  linkType: hard
-
-"fastq@npm:^1.6.0":
-  version: 1.11.0
-  resolution: "fastq@npm:1.11.0"
-  dependencies:
-    reusify: ^1.0.4
-  checksum: 9db0ceea9280c5f207da40c562a4e574913c18933cd74b880b01bf8e81a9a6e368ec71e89c9c1b9f4066d0275cc22600efd6dde87f713217acbf67076481734b
-  languageName: node
-  linkType: hard
-
-"fault@npm:^1.0.0":
-  version: 1.0.4
-  resolution: "fault@npm:1.0.4"
-  dependencies:
-    format: ^0.2.0
-  checksum: 5ac610d8b09424e0f2fa8cf913064372f2ee7140a203a79957f73ed557c0e79b1a3d096064d7f40bde8132a69204c1fe25ec23634c05c6da2da2039cff26c4e7
-  languageName: node
-  linkType: hard
-
-"faye-websocket@npm:^0.11.3":
-  version: 0.11.3
-  resolution: "faye-websocket@npm:0.11.3"
-  dependencies:
-    websocket-driver: ">=0.5.1"
-  checksum: d7b2d68546812ea24e3079bd1e08bf1d79cd6d6137bfcea565d1cb1f6a5fc8fc29b689df2c1aff8b8b291d60fc808e1b27aa2896b86ba77ded10f1d9734c8e9f
-  languageName: node
-  linkType: hard
-
-"fb-watchman@npm:^2.0.0, fb-watchman@npm:^2.0.1":
-  version: 2.0.1
-  resolution: "fb-watchman@npm:2.0.1"
-  dependencies:
-    bser: 2.1.1
-  checksum: 8510230778ab3a51c27dffb1b76ef2c24fab672a42742d3c0a45c2e9d1e5f20210b1fbca33486088da4a9a3958bde96b5aec0a63aac9894b4e9df65c88b2cbd6
-  languageName: node
-  linkType: hard
-
-"figgy-pudding@npm:^3.5.1":
-  version: 3.5.2
-  resolution: "figgy-pudding@npm:3.5.2"
-  checksum: 4090bd66193693dcda605e44d6b8715d8fb5c92a67acd57826e55cf816a342f550d57e5638f822b39366e1b2fdb244e99b3068a37213aa1d6c1bf602b8fde5ae
-  languageName: node
-  linkType: hard
-
-"figures@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "figures@npm:2.0.0"
-  dependencies:
-    escape-string-regexp: ^1.0.5
-  checksum: 081beb16ea57d1716f8447c694f637668322398b57017b20929376aaf5def9823b35245b734cdd87e4832dc96e9c6f46274833cada77bfe15e5f980fea1fd21f
-  languageName: node
-  linkType: hard
-
-"figures@npm:^3.0.0, figures@npm:^3.2.0":
-  version: 3.2.0
-  resolution: "figures@npm:3.2.0"
-  dependencies:
-    escape-string-regexp: ^1.0.5
-  checksum: 85a6ad29e9aca80b49b817e7c89ecc4716ff14e3779d9835af554db91bac41c0f289c418923519392a1e582b4d10482ad282021330cd045bb7b80c84152f2a2b
-  languageName: node
-  linkType: hard
-
-"file-entry-cache@npm:^6.0.1":
-  version: 6.0.1
-  resolution: "file-entry-cache@npm:6.0.1"
-  dependencies:
-    flat-cache: ^3.0.4
-  checksum: f49701feaa6314c8127c3c2f6173cfefff17612f5ed2daaafc6da13b5c91fd43e3b2a58fd0d63f9f94478a501b167615931e7200e31485e320f74a33885a9c74
-  languageName: node
-  linkType: hard
-
-"file-uri-to-path@npm:1.0.0":
-  version: 1.0.0
-  resolution: "file-uri-to-path@npm:1.0.0"
-  checksum: b648580bdd893a008c92c7ecc96c3ee57a5e7b6c4c18a9a09b44fb5d36d79146f8e442578bc0e173dc027adf3987e254ba1dfd6e3ec998b7c282873010502144
-  languageName: node
-  linkType: hard
-
-"filesize@npm:^10.0.5":
-  version: 10.0.7
-  resolution: "filesize@npm:10.0.7"
-  checksum: acabe6ddcf0c06eb86a9b2ac0a93db48d2438037dce4f7ec5cf6ee32284a8d961b1efc251af1c05e7316ccf1e78c68cdc32655511745cc2580f9b8c309b523ce
-  languageName: node
-  linkType: hard
-
-"filesize@npm:^4.1.2, filesize@npm:^4.2.1":
-  version: 4.2.1
-  resolution: "filesize@npm:4.2.1"
-  checksum: 3179f5852519cfe140bdd1e35852d552654e1e232f45b76d5a0df7cefa810b66b4808650cd1705ab00821c5709520bf01fbf7bf74872bd2652a420bfdcbb1a82
-  languageName: node
-  linkType: hard
-
-"fill-range@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "fill-range@npm:4.0.0"
-  dependencies:
-    extend-shallow: ^2.0.1
-    is-number: ^3.0.0
-    repeat-string: ^1.6.1
-    to-regex-range: ^2.1.0
-  checksum: dbb5102467786ab42bc7a3ec7380ae5d6bfd1b5177b2216de89e4a541193f8ba599a6db84651bd2c58c8921db41b8cc3d699ea83b477342d3ce404020f73c298
-  languageName: node
-  linkType: hard
-
-"fill-range@npm:^7.0.1":
-  version: 7.0.1
-  resolution: "fill-range@npm:7.0.1"
-  dependencies:
-    to-regex-range: ^5.0.1
-  checksum: cc283f4e65b504259e64fd969bcf4def4eb08d85565e906b7d36516e87819db52029a76b6363d0f02d0d532f0033c9603b9e2d943d56ee3b0d4f7ad3328ff917
-  languageName: node
-  linkType: hard
-
-"finalhandler@npm:1.1.2, finalhandler@npm:~1.1.2":
-  version: 1.1.2
-  resolution: "finalhandler@npm:1.1.2"
-  dependencies:
-    debug: 2.6.9
-    encodeurl: ~1.0.2
-    escape-html: ~1.0.3
-    on-finished: ~2.3.0
-    parseurl: ~1.3.3
-    statuses: ~1.5.0
-    unpipe: ~1.0.0
-  checksum: 617880460c5138dd7ccfd555cb5dde4d8f170f4b31b8bd51e4b646bb2946c30f7db716428a1f2882d730d2b72afb47d1f67cc487b874cb15426f95753a88965e
-  languageName: node
-  linkType: hard
-
-"finalhandler@npm:1.2.0":
-  version: 1.2.0
-  resolution: "finalhandler@npm:1.2.0"
-  dependencies:
-    debug: 2.6.9
-    encodeurl: ~1.0.2
-    escape-html: ~1.0.3
-    on-finished: 2.4.1
-    parseurl: ~1.3.3
-    statuses: 2.0.1
-    unpipe: ~1.0.0
-  checksum: 92effbfd32e22a7dff2994acedbd9bcc3aa646a3e919ea6a53238090e87097f8ef07cced90aa2cc421abdf993aefbdd5b00104d55c7c5479a8d00ed105b45716
-  languageName: node
-  linkType: hard
-
-"find-babel-config@npm:^1.1.0, find-babel-config@npm:^1.2.0":
-  version: 1.2.0
-  resolution: "find-babel-config@npm:1.2.0"
-  dependencies:
-    json5: ^0.5.1
-    path-exists: ^3.0.0
-  checksum: 0a1785d3da9f38637885d9d65f183aaa072f51a834f733035e9694e4d0f6983ae8c8e75cd4e08b92af6f595b3b490ee813a1c5a9b14740685aa836fa1e878583
-  languageName: node
-  linkType: hard
-
-"find-cache-dir@npm:^2.1.0":
-  version: 2.1.0
-  resolution: "find-cache-dir@npm:2.1.0"
-  dependencies:
-    commondir: ^1.0.1
-    make-dir: ^2.0.0
-    pkg-dir: ^3.0.0
-  checksum: 60ad475a6da9f257df4e81900f78986ab367d4f65d33cf802c5b91e969c28a8762f098693d7a571b6e4dd4c15166c2da32ae2d18b6766a18e2071079448fdce4
-  languageName: node
-  linkType: hard
-
-"find-cache-dir@npm:^3.3.1":
-  version: 3.3.2
-  resolution: "find-cache-dir@npm:3.3.2"
-  dependencies:
-    commondir: ^1.0.1
-    make-dir: ^3.0.2
-    pkg-dir: ^4.1.0
-  checksum: 1e61c2e64f5c0b1c535bd85939ae73b0e5773142713273818cc0b393ee3555fb0fd44e1a5b161b8b6c3e03e98c2fcc9c227d784850a13a90a8ab576869576817
-  languageName: node
-  linkType: hard
-
-"find-index@npm:^1.1.0":
-  version: 1.1.1
-  resolution: "find-index@npm:1.1.1"
-  checksum: 02bb296389021b6126198f87bf5306450359cac8a1332140091ae6968a9b0859d6da7257d2b06012780ea269a0673f2c2945b57fdf0342da339fb48cebea7fd1
-  languageName: node
-  linkType: hard
-
-"find-up@npm:^2.1.0":
-  version: 2.1.0
-  resolution: "find-up@npm:2.1.0"
-  dependencies:
-    locate-path: ^2.0.0
-  checksum: 43284fe4da09f89011f08e3c32cd38401e786b19226ea440b75386c1b12a4cb738c94969808d53a84f564ede22f732c8409e3cfc3f7fb5b5c32378ad0bbf28bd
-  languageName: node
-  linkType: hard
-
-"find-up@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "find-up@npm:3.0.0"
-  dependencies:
-    locate-path: ^3.0.0
-  checksum: 38eba3fe7a66e4bc7f0f5a1366dc25508b7cfc349f852640e3678d26ad9a6d7e2c43eff0a472287de4a9753ef58f066a0ea892a256fa3636ad51b3fe1e17fae9
-  languageName: node
-  linkType: hard
-
-"find-up@npm:^4.0.0":
-  version: 4.1.0
-  resolution: "find-up@npm:4.1.0"
-  dependencies:
-    locate-path: ^5.0.0
-    path-exists: ^4.0.0
-  checksum: 4c172680e8f8c1f78839486e14a43ef82e9decd0e74145f40707cc42e7420506d5ec92d9a11c22bd2c48fb0c384ea05dd30e10dd152fefeec6f2f75282a8b844
-  languageName: node
-  linkType: hard
-
-"find-up@npm:^5.0.0":
-  version: 5.0.0
-  resolution: "find-up@npm:5.0.0"
-  dependencies:
-    locate-path: ^6.0.0
-    path-exists: ^4.0.0
-  checksum: 07955e357348f34660bde7920783204ff5a26ac2cafcaa28bace494027158a97b9f56faaf2d89a6106211a8174db650dd9f503f9c0d526b1202d5554a00b9095
-  languageName: node
-  linkType: hard
-
-"find-up@npm:^6.3.0":
-  version: 6.3.0
-  resolution: "find-up@npm:6.3.0"
-  dependencies:
-    locate-path: ^7.1.0
-    path-exists: ^5.0.0
-  checksum: 9a21b7f9244a420e54c6df95b4f6fc3941efd3c3e5476f8274eb452f6a85706e7a6a90de71353ee4f091fcb4593271a6f92810a324ec542650398f928783c280
-  languageName: node
-  linkType: hard
-
-"find-yarn-workspace-root@npm:^1.1.0":
-  version: 1.2.1
-  resolution: "find-yarn-workspace-root@npm:1.2.1"
-  dependencies:
-    fs-extra: ^4.0.3
-    micromatch: ^3.1.4
-  checksum: a8f4565fb1ead6122acc0d324fa3257c20f7b0c91b7b266dab9eee7251fb5558fcff5b35dbfd301bfd1cbb91c1cdd1799b28ffa5b9a92efd8c7ded3663652bbe
-  languageName: node
-  linkType: hard
-
-"find-yarn-workspace-root@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "find-yarn-workspace-root@npm:2.0.0"
-  dependencies:
-    micromatch: ^4.0.2
-  checksum: fa5ca8f9d08fe7a54ce7c0a5931ff9b7e36f9ee7b9475fb13752bcea80ec6b5f180fa5102d60b376d5526ce924ea3fc6b19301262efa0a5d248dd710f3644242
-  languageName: node
-  linkType: hard
-
-"findup-sync@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "findup-sync@npm:2.0.0"
-  dependencies:
-    detect-file: ^1.0.0
-    is-glob: ^3.1.0
-    micromatch: ^3.0.4
-    resolve-dir: ^1.0.1
-  checksum: af2849f4006208c7c0940ab87a5f816187becf30c430a735377f6163cff8e95f405db504f5435728663099878f2e8002da1bf1976132458c23f5d73f540b1fcc
-  languageName: node
-  linkType: hard
-
-"findup-sync@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "findup-sync@npm:4.0.0"
-  dependencies:
-    detect-file: ^1.0.0
-    is-glob: ^4.0.0
-    micromatch: ^4.0.2
-    resolve-dir: ^1.0.1
-  checksum: 94131e1107ad63790ed00c4c39ca131a93ea602607bd97afeffd92b69a9a63cf2c6f57d6db88cb753fe748ac7fde79e1e76768ff784247026b7c5ebf23ede3a0
-  languageName: node
-  linkType: hard
-
-"fireworm@npm:^0.7.0":
-  version: 0.7.1
-  resolution: "fireworm@npm:0.7.1"
-  dependencies:
-    async: ~0.2.9
-    is-type: 0.0.1
-    lodash.debounce: ^3.1.1
-    lodash.flatten: ^3.0.2
-    minimatch: ^3.0.2
-  checksum: 118ac822c5594f832db082475ac40e3d5532a84ed1aa74c04aee6827e3940b62cde5551308643afdead594f07aa5fb24a140eec51d4fa63945729d4c0fa6c401
-  languageName: node
-  linkType: hard
-
-"fixturify-project@npm:^1.10.0":
-  version: 1.10.0
-  resolution: "fixturify-project@npm:1.10.0"
-  dependencies:
-    fixturify: ^1.2.0
-    tmp: ^0.0.33
-  checksum: e92bd6c565005dbdd91ddda2f27f5278587e85601603697960066e8e436828535638f522691db3d640e7bf38e2ae9eb382df243f3eb9a3bc552926da6c8ef5fb
-  languageName: node
-  linkType: hard
-
-"fixturify-project@npm:^2.1.1":
-  version: 2.1.1
-  resolution: "fixturify-project@npm:2.1.1"
-  dependencies:
-    fixturify: ^2.1.0
-    tmp: ^0.0.33
-    type-fest: ^0.11.0
-  checksum: 60a435eeba234fa1332f8eb9d6384229a37883b6a175153b8ee0c723a17fad3577cd72777aac21085dd94b6d264ff3e2a77c33675dc75b3dd65c5ea7ec31867f
-  languageName: node
-  linkType: hard
-
-"fixturify@npm:^0.3.2":
-  version: 0.3.4
-  resolution: "fixturify@npm:0.3.4"
-  dependencies:
-    fs-extra: ^0.30.0
-    matcher-collection: ^1.0.4
-  checksum: ba73d10c82fc7686904ccab45a0d1fd4b0f184a9f877c8789f3dc7cdc176ee58283cc89b43f398f21bff8b449fb4b9ac6c6b1e4b05fab2603db6430c9ac8de64
-  languageName: node
-  linkType: hard
-
-"fixturify@npm:^1.2.0":
-  version: 1.3.0
-  resolution: "fixturify@npm:1.3.0"
-  dependencies:
-    "@types/fs-extra": ^5.0.5
-    "@types/minimatch": ^3.0.3
-    "@types/rimraf": ^2.0.2
-    fs-extra: ^7.0.1
-    matcher-collection: ^2.0.0
-  checksum: e0fd2bcd3c27c40ba080243847f8941b27c377bee9ac24275784ac5612c87dfa0bcb897d661cef3c401c965c7e8d754b63f3c46d10320eaa0a61d539ef450fd6
-  languageName: node
-  linkType: hard
-
-"fixturify@npm:^2.1.0":
-  version: 2.1.1
-  resolution: "fixturify@npm:2.1.1"
-  dependencies:
-    "@types/fs-extra": ^8.1.0
-    "@types/minimatch": ^3.0.3
-    "@types/rimraf": ^2.0.3
-    fs-extra: ^8.1.0
-    matcher-collection: ^2.0.1
-    walk-sync: ^2.0.2
-  checksum: ac66ae40302bc6beed1dfb81eab009ba6aee23ddddc0c043a1b01b65c07a7eada8b6edc3e76beb6ea01e6083c8b6e5686459286137e9c9bca7a7dfcd650eb125
-  languageName: node
-  linkType: hard
-
-"flat-cache@npm:^3.0.4":
-  version: 3.0.4
-  resolution: "flat-cache@npm:3.0.4"
-  dependencies:
-    flatted: ^3.1.0
-    rimraf: ^3.0.2
-  checksum: 4fdd10ecbcbf7d520f9040dd1340eb5dfe951e6f0ecf2252edeec03ee68d989ec8b9a20f4434270e71bcfd57800dc09b3344fca3966b2eb8f613072c7d9a2365
-  languageName: node
-  linkType: hard
-
-"flat@npm:^6.0.1":
-  version: 6.0.1
-  resolution: "flat@npm:6.0.1"
-  bin:
-    flat: cli.js
-  checksum: c7a5f2e7e3ba0bec28b9c3aca27e68ff74df446df15cdb77ddef9e3d4fd0e9321ca52e49ca8b861c46157215006666b0dad25457f231083fc7bd2f7fcb67d7eb
-  languageName: node
-  linkType: hard
-
-"flatted@npm:^3.1.0":
-  version: 3.1.1
-  resolution: "flatted@npm:3.1.1"
-  checksum: 508935e3366d95444131f0aaa801a4301f24ea5bcb900d12764e7335b46b910730cc1b5bcfcfb8eccb7c8db261ba0671c6a7ca30d10870ff7a7756dc7e731a7a
-  languageName: node
-  linkType: hard
-
-"flush-write-stream@npm:^1.0.0":
-  version: 1.1.1
-  resolution: "flush-write-stream@npm:1.1.1"
-  dependencies:
-    inherits: ^2.0.3
-    readable-stream: ^2.3.6
-  checksum: 42e07747f83bcd4e799da802e621d6039787749ffd41f5517f8c4f786ee967e31ba32b09f8b28a9c6f67bd4f5346772e604202df350e8d99f4141771bae31279
-  languageName: node
-  linkType: hard
-
-"focus-trap@npm:^6.7.1":
-  version: 6.9.4
-  resolution: "focus-trap@npm:6.9.4"
-  dependencies:
-    tabbable: ^5.3.3
-  checksum: 0b4cebcc11010bd9397731092bd59a981e838c710c6497374ba70571875a14ab27c0db7d60f36005ec01bdabc3b9cfeda11d30ddf5b8874596dcc95e18913b3b
-  languageName: node
-  linkType: hard
-
-"follow-redirects@npm:^1.0.0":
-  version: 1.14.0
-  resolution: "follow-redirects@npm:1.14.0"
-  peerDependenciesMeta:
-    debug:
-      optional: true
-  checksum: a6568930fb97f6f4c12eac52acc109e8677d4b26fcae463bab7de50c43e44886b94784be6608dd8f2ab4b015328377fb4be2e83abd2c8d6bc39ffe1cf11f7b5a
-  languageName: node
-  linkType: hard
-
-"for-each@npm:^0.3.3":
-  version: 0.3.3
-  resolution: "for-each@npm:0.3.3"
-  dependencies:
-    is-callable: ^1.1.3
-  checksum: 6c48ff2bc63362319c65e2edca4a8e1e3483a2fabc72fbe7feaf8c73db94fc7861bd53bc02c8a66a0c1dd709da6b04eec42e0abdd6b40ce47305ae92a25e5d28
-  languageName: node
-  linkType: hard
-
-"for-in@npm:^1.0.2":
-  version: 1.0.2
-  resolution: "for-in@npm:1.0.2"
-  checksum: 09f4ae93ce785d253ac963d94c7f3432d89398bf25ac7a24ed034ca393bf74380bdeccc40e0f2d721a895e54211b07c8fad7132e8157827f6f7f059b70b4043d
-  languageName: node
-  linkType: hard
-
-"forever-agent@npm:~0.6.1":
-  version: 0.6.1
-  resolution: "forever-agent@npm:0.6.1"
-  checksum: 766ae6e220f5fe23676bb4c6a99387cec5b7b62ceb99e10923376e27bfea72f3c3aeec2ba5f45f3f7ba65d6616965aa7c20b15002b6860833bb6e394dea546a8
-  languageName: node
-  linkType: hard
-
-"form-data@npm:~2.3.2":
-  version: 2.3.3
-  resolution: "form-data@npm:2.3.3"
-  dependencies:
-    asynckit: ^0.4.0
-    combined-stream: ^1.0.6
-    mime-types: ^2.1.12
-  checksum: 10c1780fa13dbe1ff3100114c2ce1f9307f8be10b14bf16e103815356ff567b6be39d70fc4a40f8990b9660012dc24b0f5e1dde1b6426166eb23a445ba068ca3
-  languageName: node
-  linkType: hard
-
-"format@npm:^0.2.0":
-  version: 0.2.2
-  resolution: "format@npm:0.2.2"
-  checksum: 646a60e1336250d802509cf24fb801e43bd4a70a07510c816fa133aa42cdbc9c21e66e9cc0801bb183c5b031c9d68be62e7fbb6877756e52357850f92aa28799
-  languageName: node
-  linkType: hard
-
-"forwarded@npm:0.2.0":
-  version: 0.2.0
-  resolution: "forwarded@npm:0.2.0"
-  checksum: fd27e2394d8887ebd16a66ffc889dc983fbbd797d5d3f01087c020283c0f019a7d05ee85669383d8e0d216b116d720fc0cef2f6e9b7eb9f4c90c6e0bc7fd28e6
-  languageName: node
-  linkType: hard
-
-"forwarded@npm:~0.1.2":
-  version: 0.1.2
-  resolution: "forwarded@npm:0.1.2"
-  checksum: 54695c574292f9bc6bfa52111844337bc2e61cfcc5ec82f16b816d721a67a0c76b4849a34b57e38e51d64ddbb81aef974f393579f610ed1b990470e75abad2e0
-  languageName: node
-  linkType: hard
-
-"fragment-cache@npm:^0.2.1":
-  version: 0.2.1
-  resolution: "fragment-cache@npm:0.2.1"
-  dependencies:
-    map-cache: ^0.2.2
-  checksum: 1cbbd0b0116b67d5790175de0038a11df23c1cd2e8dcdbade58ebba5594c2d641dade6b4f126d82a7b4a6ffc2ea12e3d387dbb64ea2ae97cf02847d436f60fdc
-  languageName: node
-  linkType: hard
-
-"fresh@npm:0.5.2":
-  version: 0.5.2
-  resolution: "fresh@npm:0.5.2"
-  checksum: 13ea8b08f91e669a64e3ba3a20eb79d7ca5379a81f1ff7f4310d54e2320645503cc0c78daedc93dfb6191287295f6479544a649c64d8e41a1c0fb0c221552346
-  languageName: node
-  linkType: hard
-
-"from2@npm:^2.1.0":
-  version: 2.3.0
-  resolution: "from2@npm:2.3.0"
-  dependencies:
-    inherits: ^2.0.1
-    readable-stream: ^2.0.0
-  checksum: 6080eba0793dce32f475141fb3d54cc15f84ee52e420ee22ac3ab0ad639dc95a1875bc6eb9c0e1140e94972a36a89dc5542491b85f1ab8df0c126241e0f1a61b
-  languageName: node
-  linkType: hard
-
-"fs-extra@npm:^0.24.0":
-  version: 0.24.0
-  resolution: "fs-extra@npm:0.24.0"
-  dependencies:
-    graceful-fs: ^4.1.2
-    jsonfile: ^2.1.0
-    path-is-absolute: ^1.0.0
-    rimraf: ^2.2.8
-  checksum: 7addd3f7f1df95f0c7d61d87c16531db96e683a8f3ef693a21ba45af4d0fdaf7a6c9799248a4f63ae47f31d631672a05c3178aad2247139a6d2b9363de09c63d
-  languageName: node
-  linkType: hard
-
-"fs-extra@npm:^0.30.0":
-  version: 0.30.0
-  resolution: "fs-extra@npm:0.30.0"
-  dependencies:
-    graceful-fs: ^4.1.2
-    jsonfile: ^2.1.0
-    klaw: ^1.0.0
-    path-is-absolute: ^1.0.0
-    rimraf: ^2.2.8
-  checksum: 6edfd65fc813baa27f1603778c0f5ec11f8c5006a20b920437813ee2023eba18aeec8bef1c89b2e6c84f9fc90fdc7c916f4a700466c8c69d22a35d018f2570f0
-  languageName: node
-  linkType: hard
-
-"fs-extra@npm:^10.0.0":
-  version: 10.1.0
-  resolution: "fs-extra@npm:10.1.0"
-  dependencies:
-    graceful-fs: ^4.2.0
-    jsonfile: ^6.0.1
-    universalify: ^2.0.0
-  checksum: dc94ab37096f813cc3ca12f0f1b5ad6744dfed9ed21e953d72530d103cea193c2f81584a39e9dee1bea36de5ee66805678c0dddc048e8af1427ac19c00fffc50
-  languageName: node
-  linkType: hard
-
-"fs-extra@npm:^11.1.0":
-  version: 11.1.1
-  resolution: "fs-extra@npm:11.1.1"
-  dependencies:
-    graceful-fs: ^4.2.0
-    jsonfile: ^6.0.1
-    universalify: ^2.0.0
-  checksum: fb883c68245b2d777fbc1f2082c9efb084eaa2bbf9fddaa366130d196c03608eebef7fb490541276429ee1ca99f317e2d73e96f5ca0999eefedf5a624ae1edfd
-  languageName: node
-  linkType: hard
-
-"fs-extra@npm:^3.0.1":
-  version: 3.0.1
-  resolution: "fs-extra@npm:3.0.1"
-  dependencies:
-    graceful-fs: ^4.1.2
-    jsonfile: ^3.0.0
-    universalify: ^0.1.0
-  checksum: 8957f9ee33a032b12f786158077dbd2a6b3b843449b36ce37bb3922200bbf12f0412aaebe10e3ce3e46e1f0dd37904e4053b4cfa2a717c80eca3af6dc840ba8b
-  languageName: node
-  linkType: hard
-
-"fs-extra@npm:^4.0.2, fs-extra@npm:^4.0.3":
-  version: 4.0.3
-  resolution: "fs-extra@npm:4.0.3"
-  dependencies:
-    graceful-fs: ^4.1.2
-    jsonfile: ^4.0.0
-    universalify: ^0.1.0
-  checksum: c5ae3c7043ad7187128e619c0371da01b58694c1ffa02c36fb3f5b459925d9c27c3cb1e095d9df0a34a85ca993d8b8ff6f6ecef868fd5ebb243548afa7fc0936
-  languageName: node
-  linkType: hard
-
-"fs-extra@npm:^5.0.0":
-  version: 5.0.0
-  resolution: "fs-extra@npm:5.0.0"
-  dependencies:
-    graceful-fs: ^4.1.2
-    jsonfile: ^4.0.0
-    universalify: ^0.1.0
-  checksum: b3dcaf1d545097013c4fa649951c85cad1b845316ab473cc3440254a45e9b0b17d8ca9355af477e982c7d126f1a30417bcf78b1f744593ce77a0f43165f2d5e5
-  languageName: node
-  linkType: hard
-
-"fs-extra@npm:^6.0.1":
-  version: 6.0.1
-  resolution: "fs-extra@npm:6.0.1"
-  dependencies:
-    graceful-fs: ^4.1.2
-    jsonfile: ^4.0.0
-    universalify: ^0.1.0
-  checksum: 133dbd765e05c1cdaaf723308e00ffbe746da5ad516ad890ae2da2a538982c1175371055c778fbe68d1fca1da9ed4003ba55c4a14e070372eabf6a7c48062759
-  languageName: node
-  linkType: hard
-
-"fs-extra@npm:^7.0.0, fs-extra@npm:^7.0.1":
-  version: 7.0.1
-  resolution: "fs-extra@npm:7.0.1"
-  dependencies:
-    graceful-fs: ^4.1.2
-    jsonfile: ^4.0.0
-    universalify: ^0.1.0
-  checksum: 141b9dccb23b66a66cefdd81f4cda959ff89282b1d721b98cea19ba08db3dcbe6f862f28841f3cf24bb299e0b7e6c42303908f65093cb7e201708e86ea5a8dcf
-  languageName: node
-  linkType: hard
-
-"fs-extra@npm:^8.0.0, fs-extra@npm:^8.0.1, fs-extra@npm:^8.1.0":
-  version: 8.1.0
-  resolution: "fs-extra@npm:8.1.0"
-  dependencies:
-    graceful-fs: ^4.2.0
-    jsonfile: ^4.0.0
-    universalify: ^0.1.0
-  checksum: bf44f0e6cea59d5ce071bba4c43ca76d216f89e402dc6285c128abc0902e9b8525135aa808adad72c9d5d218e9f4bcc63962815529ff2f684ad532172a284880
-  languageName: node
-  linkType: hard
-
-"fs-extra@npm:^9.0.1, fs-extra@npm:^9.1.0":
-  version: 9.1.0
-  resolution: "fs-extra@npm:9.1.0"
-  dependencies:
-    at-least-node: ^1.0.0
-    graceful-fs: ^4.2.0
-    jsonfile: ^6.0.1
-    universalify: ^2.0.0
-  checksum: ba71ba32e0faa74ab931b7a0031d1523c66a73e225de7426e275e238e312d07313d2da2d33e34a52aa406c8763ade5712eb3ec9ba4d9edce652bcacdc29e6b20
-  languageName: node
-  linkType: hard
-
-"fs-merger@npm:^3.0.1, fs-merger@npm:^3.1.0, fs-merger@npm:^3.2.1":
-  version: 3.2.1
-  resolution: "fs-merger@npm:3.2.1"
-  dependencies:
-    broccoli-node-api: ^1.7.0
-    broccoli-node-info: ^2.1.0
-    fs-extra: ^8.0.1
-    fs-tree-diff: ^2.0.1
-    walk-sync: ^2.2.0
-  checksum: bfb93b537919407d947ab89c44f6d85f7cb58d1337aaa9115de0bd38178165b158809ad83c4f5d610d42ce0ee2f81ac7ad0ae5b573a69784b676a8a6ce506500
-  languageName: node
-  linkType: hard
-
-"fs-minipass@npm:^2.0.0, fs-minipass@npm:^2.1.0":
-  version: 2.1.0
-  resolution: "fs-minipass@npm:2.1.0"
-  dependencies:
-    minipass: ^3.0.0
-  checksum: 1b8d128dae2ac6cc94230cc5ead341ba3e0efaef82dab46a33d171c044caaa6ca001364178d42069b2809c35a1c3c35079a32107c770e9ffab3901b59af8c8b1
-  languageName: node
-  linkType: hard
-
-"fs-tree-diff@npm:^0.5.2, fs-tree-diff@npm:^0.5.3, fs-tree-diff@npm:^0.5.4, fs-tree-diff@npm:^0.5.6, fs-tree-diff@npm:^0.5.9":
-  version: 0.5.9
-  resolution: "fs-tree-diff@npm:0.5.9"
-  dependencies:
-    heimdalljs-logger: ^0.1.7
-    object-assign: ^4.1.0
-    path-posix: ^1.0.0
-    symlink-or-copy: ^1.1.8
-  checksum: 5221dee3baa76d597c471aa8786d552452ee2a58de63f0fcc38dd618cafd5d776760f8afcd19ab796c2a8cc584191c46431464096ea347b4158e1a14cb690ed1
-  languageName: node
-  linkType: hard
-
-"fs-tree-diff@npm:^2.0.0, fs-tree-diff@npm:^2.0.1":
-  version: 2.0.1
-  resolution: "fs-tree-diff@npm:2.0.1"
-  dependencies:
-    "@types/symlink-or-copy": ^1.2.0
-    heimdalljs-logger: ^0.1.7
-    object-assign: ^4.1.0
-    path-posix: ^1.0.0
-    symlink-or-copy: ^1.1.8
-  checksum: ea7927af283b1db3994b98e4c636ed7f8ecfcfb39dc205b57841b22f8ebf39e97649dca07b16ae2e421b000d81b6d96449f32d4dc78742ccb22dfd19db160a45
-  languageName: node
-  linkType: hard
-
-"fs-updater@npm:^1.0.4":
-  version: 1.0.4
-  resolution: "fs-updater@npm:1.0.4"
-  dependencies:
-    can-symlink: ^1.0.0
-    clean-up-path: ^1.0.0
-    heimdalljs: ^0.2.5
-    heimdalljs-logger: ^0.1.9
-    rimraf: ^2.6.2
-  checksum: 8c46798de408fbb1c7da339de2a82334261c120aef235bc30ef66e617fd1a735d0279654fc27373597d4826c325fb08a299e3b05252e0289d8d9e749c67dd96d
-  languageName: node
-  linkType: hard
-
-"fs-write-stream-atomic@npm:^1.0.8":
-  version: 1.0.10
-  resolution: "fs-write-stream-atomic@npm:1.0.10"
-  dependencies:
-    graceful-fs: ^4.1.2
-    iferr: ^0.1.5
-    imurmurhash: ^0.1.4
-    readable-stream: 1 || 2
-  checksum: 43c2d6817b72127793abc811ebf87a135b03ac7cbe41cdea9eeacf59b23e6e29b595739b083e9461303d525687499a1aaefcec3e5ff9bc82b170edd3dc467ccc
-  languageName: node
-  linkType: hard
-
-"fs.realpath@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "fs.realpath@npm:1.0.0"
-  checksum: 99ddea01a7e75aa276c250a04eedeffe5662bce66c65c07164ad6264f9de18fb21be9433ead460e54cff20e31721c811f4fb5d70591799df5f85dce6d6746fd0
-  languageName: node
-  linkType: hard
-
-"fsevents@npm:^1.2.7":
-  version: 1.2.13
-  resolution: "fsevents@npm:1.2.13"
-  dependencies:
-    bindings: ^1.5.0
-    nan: ^2.12.1
-  checksum: ae855aa737aaa2f9167e9f70417cf6e45a5cd11918e1fee9923709a0149be52416d765433b4aeff56c789b1152e718cd1b13ddec6043b78cdda68260d86383c1
-  conditions: os=darwin
-  languageName: node
-  linkType: hard
-
-"fsevents@npm:~2.3.1, fsevents@npm:~2.3.2":
-  version: 2.3.2
-  resolution: "fsevents@npm:2.3.2"
-  dependencies:
-    node-gyp: latest
-  checksum: 97ade64e75091afee5265e6956cb72ba34db7819b4c3e94c431d4be2b19b8bb7a2d4116da417950c3425f17c8fe693d25e20212cac583ac1521ad066b77ae31f
-  conditions: os=darwin
-  languageName: node
-  linkType: hard
-
-"fsevents@patch:fsevents@^1.2.7#~builtin<compat/fsevents>":
-  version: 1.2.13
-  resolution: "fsevents@patch:fsevents@npm%3A1.2.13#~builtin<compat/fsevents>::version=1.2.13&hash=d11327"
-  dependencies:
-    bindings: ^1.5.0
-    nan: ^2.12.1
-  conditions: os=darwin
-  languageName: node
-  linkType: hard
-
-"fsevents@patch:fsevents@~2.3.1#~builtin<compat/fsevents>, fsevents@patch:fsevents@~2.3.2#~builtin<compat/fsevents>":
-  version: 2.3.2
-  resolution: "fsevents@patch:fsevents@npm%3A2.3.2#~builtin<compat/fsevents>::version=2.3.2&hash=df0bf1"
-  dependencies:
-    node-gyp: latest
-  conditions: os=darwin
-  languageName: node
-  linkType: hard
-
-"function-bind@npm:^1.1.1":
-  version: 1.1.1
-  resolution: "function-bind@npm:1.1.1"
-  checksum: b32fbaebb3f8ec4969f033073b43f5c8befbb58f1a79e12f1d7490358150359ebd92f49e72ff0144f65f2c48ea2a605bff2d07965f548f6474fd8efd95bf361a
-  languageName: node
-  linkType: hard
-
-"function.prototype.name@npm:^1.1.5":
-  version: 1.1.5
-  resolution: "function.prototype.name@npm:1.1.5"
-  dependencies:
-    call-bind: ^1.0.2
-    define-properties: ^1.1.3
-    es-abstract: ^1.19.0
-    functions-have-names: ^1.2.2
-  checksum: acd21d733a9b649c2c442f067567743214af5fa248dbeee69d8278ce7df3329ea5abac572be9f7470b4ec1cd4d8f1040e3c5caccf98ebf2bf861a0deab735c27
-  languageName: node
-  linkType: hard
-
-"functions-have-names@npm:^1.2.2, functions-have-names@npm:^1.2.3":
-  version: 1.2.3
-  resolution: "functions-have-names@npm:1.2.3"
-  checksum: c3f1f5ba20f4e962efb71344ce0a40722163e85bee2101ce25f88214e78182d2d2476aa85ef37950c579eb6cf6ee811c17b3101bb84004bb75655f3e33f3fdb5
-  languageName: node
-  linkType: hard
-
-"fuse.js@npm:^6.5.3":
-  version: 6.5.3
-  resolution: "fuse.js@npm:6.5.3"
-  checksum: f7c14f4422000e7f7e3515c66f7cefdfc38adec4cf380097f4146a201ea438af60b67dc5849b3c0de0115ce3f9bc5afad6fc6570c08dcfcef5bf6e95eb8e6d6f
-  languageName: node
-  linkType: hard
-
-"gauge@npm:^4.0.3":
-  version: 4.0.4
-  resolution: "gauge@npm:4.0.4"
-  dependencies:
-    aproba: ^1.0.3 || ^2.0.0
-    color-support: ^1.1.3
-    console-control-strings: ^1.1.0
-    has-unicode: ^2.0.1
-    signal-exit: ^3.0.7
-    string-width: ^4.2.3
-    strip-ansi: ^6.0.1
-    wide-align: ^1.1.5
-  checksum: 788b6bfe52f1dd8e263cda800c26ac0ca2ff6de0b6eee2fe0d9e3abf15e149b651bd27bf5226be10e6e3edb5c4e5d5985a5a1a98137e7a892f75eff76467ad2d
-  languageName: node
-  linkType: hard
-
-"gensync@npm:^1.0.0-beta.2":
-  version: 1.0.0-beta.2
-  resolution: "gensync@npm:1.0.0-beta.2"
-  checksum: a7437e58c6be12aa6c90f7730eac7fa9833dc78872b4ad2963d2031b00a3367a93f98aec75f9aaac7220848e4026d67a8655e870b24f20a543d103c0d65952ec
-  languageName: node
-  linkType: hard
-
-"get-caller-file@npm:^2.0.1, get-caller-file@npm:^2.0.5":
-  version: 2.0.5
-  resolution: "get-caller-file@npm:2.0.5"
-  checksum: b9769a836d2a98c3ee734a88ba712e62703f1df31b94b784762c433c27a386dd6029ff55c2a920c392e33657d80191edbf18c61487e198844844516f843496b9
-  languageName: node
-  linkType: hard
-
-"get-intrinsic@npm:^1.0.2, get-intrinsic@npm:^1.1.0, get-intrinsic@npm:^1.1.1":
-  version: 1.1.1
-  resolution: "get-intrinsic@npm:1.1.1"
-  dependencies:
-    function-bind: ^1.1.1
-    has: ^1.0.3
-    has-symbols: ^1.0.1
-  checksum: a9fe2ca8fa3f07f9b0d30fb202bcd01f3d9b9b6b732452e79c48e79f7d6d8d003af3f9e38514250e3553fdc83c61650851cb6870832ac89deaaceb08e3721a17
-  languageName: node
-  linkType: hard
-
-"get-intrinsic@npm:^1.1.3, get-intrinsic@npm:^1.2.0":
-  version: 1.2.1
-  resolution: "get-intrinsic@npm:1.2.1"
-  dependencies:
-    function-bind: ^1.1.1
-    has: ^1.0.3
-    has-proto: ^1.0.1
-    has-symbols: ^1.0.3
-  checksum: 5b61d88552c24b0cf6fa2d1b3bc5459d7306f699de060d76442cce49a4721f52b8c560a33ab392cf5575b7810277d54ded9d4d39a1ea61855619ebc005aa7e5f
-  languageName: node
-  linkType: hard
-
-"get-own-enumerable-property-symbols@npm:^3.0.0":
-  version: 3.0.2
-  resolution: "get-own-enumerable-property-symbols@npm:3.0.2"
-  checksum: 8f0331f14159f939830884799f937343c8c0a2c330506094bc12cbee3665d88337fe97a4ea35c002cc2bdba0f5d9975ad7ec3abb925015cdf2a93e76d4759ede
-  languageName: node
-  linkType: hard
-
-"get-stdin@npm:^4.0.1":
-  version: 4.0.1
-  resolution: "get-stdin@npm:4.0.1"
-  checksum: 4f73d3fe0516bc1f3dc7764466a68ad7c2ba809397a02f56c2a598120e028430fcff137a648a01876b2adfb486b4bc164119f98f1f7d7c0abd63385bdaa0113f
-  languageName: node
-  linkType: hard
-
-"get-stdin@npm:^8.0.0":
-  version: 8.0.0
-  resolution: "get-stdin@npm:8.0.0"
-  checksum: 40128b6cd25781ddbd233344f1a1e4006d4284906191ed0a7d55ec2c1a3e44d650f280b2c9eeab79c03ac3037da80257476c0e4e5af38ddfb902d6ff06282d77
-  languageName: node
-  linkType: hard
-
-"get-stdin@npm:^9.0.0":
-  version: 9.0.0
-  resolution: "get-stdin@npm:9.0.0"
-  checksum: 5972bc34d05932b45512c8e2d67b040f1c1ca8afb95c56cbc480985f2d761b7e37fe90dc8abd22527f062cc5639a6930ff346e9952ae4c11a2d4275869459594
-  languageName: node
-  linkType: hard
-
-"get-stream@npm:^4.0.0":
-  version: 4.1.0
-  resolution: "get-stream@npm:4.1.0"
-  dependencies:
-    pump: ^3.0.0
-  checksum: 443e1914170c15bd52ff8ea6eff6dfc6d712b031303e36302d2778e3de2506af9ee964d6124010f7818736dcfde05c04ba7ca6cc26883106e084357a17ae7d73
-  languageName: node
-  linkType: hard
-
-"get-stream@npm:^5.0.0":
-  version: 5.2.0
-  resolution: "get-stream@npm:5.2.0"
-  dependencies:
-    pump: ^3.0.0
-  checksum: 8bc1a23174a06b2b4ce600df38d6c98d2ef6d84e020c1ddad632ad75bac4e092eeb40e4c09e0761c35fc2dbc5e7fff5dab5e763a383582c4a167dd69a905bd12
-  languageName: node
-  linkType: hard
-
-"get-stream@npm:^6.0.0":
-  version: 6.0.1
-  resolution: "get-stream@npm:6.0.1"
-  checksum: e04ecece32c92eebf5b8c940f51468cd53554dcbb0ea725b2748be583c9523d00128137966afce410b9b051eb2ef16d657cd2b120ca8edafcf5a65e81af63cad
-  languageName: node
-  linkType: hard
-
-"get-symbol-description@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "get-symbol-description@npm:1.0.0"
-  dependencies:
-    call-bind: ^1.0.2
-    get-intrinsic: ^1.1.1
-  checksum: 9ceff8fe968f9270a37a1f73bf3f1f7bda69ca80f4f80850670e0e7b9444ff99323f7ac52f96567f8b5f5fbe7ac717a0d81d3407c7313e82810c6199446a5247
-  languageName: node
-  linkType: hard
-
-"get-value@npm:^2.0.3, get-value@npm:^2.0.6":
-  version: 2.0.6
-  resolution: "get-value@npm:2.0.6"
-  checksum: 5c3b99cb5398ea8016bf46ff17afc5d1d286874d2ad38ca5edb6e87d75c0965b0094cb9a9dddef2c59c23d250702323539a7fbdd870620db38c7e7d7ec87c1eb
-  languageName: node
-  linkType: hard
-
-"getpass@npm:^0.1.1":
-  version: 0.1.7
-  resolution: "getpass@npm:0.1.7"
-  dependencies:
-    assert-plus: ^1.0.0
-  checksum: ab18d55661db264e3eac6012c2d3daeafaab7a501c035ae0ccb193c3c23e9849c6e29b6ac762b9c2adae460266f925d55a3a2a3a3c8b94be2f222df94d70c046
-  languageName: node
-  linkType: hard
-
-"git-hooks-list@npm:1.0.3":
-  version: 1.0.3
-  resolution: "git-hooks-list@npm:1.0.3"
-  checksum: a1dd03d39c1d727ba08a35dbdbdcc6e96de8c4170c942dc95bf787ca6e34998d39fb5295a00242b58a3d265de0b69a0686d0cf583baa6b7830f268542c4576b9
-  languageName: node
-  linkType: hard
-
-"git-repo-info@npm:^2.1.1":
-  version: 2.1.1
-  resolution: "git-repo-info@npm:2.1.1"
-  checksum: 58cedacae81bbe8fedc81d226346c472d11357d1758140ab0ee5d0c3360ad5b7a9d8613ca6e8b50d089d073e5b3f2e2893536d0cb57bced5f558dc913d5e21c6
-  languageName: node
-  linkType: hard
-
-"glob-parent@npm:^3.1.0":
-  version: 3.1.0
-  resolution: "glob-parent@npm:3.1.0"
-  dependencies:
-    is-glob: ^3.1.0
-    path-dirname: ^1.0.0
-  checksum: 653d559237e89a11b9934bef3f392ec42335602034c928590544d383ff5ef449f7b12f3cfa539708e74bc0a6c28ab1fe51d663cc07463cdf899ba92afd85a855
-  languageName: node
-  linkType: hard
-
-"glob-parent@npm:^5.1.0, glob-parent@npm:^5.1.2, glob-parent@npm:~5.1.0, glob-parent@npm:~5.1.2":
-  version: 5.1.2
-  resolution: "glob-parent@npm:5.1.2"
-  dependencies:
-    is-glob: ^4.0.1
-  checksum: f4f2bfe2425296e8a47e36864e4f42be38a996db40420fe434565e4480e3322f18eb37589617a98640c5dc8fdec1a387007ee18dbb1f3f5553409c34d17f425e
-  languageName: node
-  linkType: hard
-
-"glob-parent@npm:^6.0.2":
-  version: 6.0.2
-  resolution: "glob-parent@npm:6.0.2"
-  dependencies:
-    is-glob: ^4.0.3
-  checksum: c13ee97978bef4f55106b71e66428eb1512e71a7466ba49025fc2aec59a5bfb0954d5abd58fc5ee6c9b076eef4e1f6d3375c2e964b88466ca390da4419a786a8
-  languageName: node
-  linkType: hard
-
-"glob-to-regexp@npm:^0.4.1":
-  version: 0.4.1
-  resolution: "glob-to-regexp@npm:0.4.1"
-  checksum: e795f4e8f06d2a15e86f76e4d92751cf8bbfcf0157cea5c2f0f35678a8195a750b34096b1256e436f0cebc1883b5ff0888c47348443e69546a5a87f9e1eb1167
-  languageName: node
-  linkType: hard
-
-"glob@npm:^5.0.10":
-  version: 5.0.15
-  resolution: "glob@npm:5.0.15"
-  dependencies:
-    inflight: ^1.0.4
-    inherits: 2
-    minimatch: 2 || 3
-    once: ^1.3.0
-    path-is-absolute: ^1.0.0
-  checksum: f9742448303460672607e569457f1b57e486a79a985e269b69465834d2075b243378225f65dc54c09fcd4b75e4fb34442aec88f33f8c65fa4abccc8ee2dc2f5d
-  languageName: node
-  linkType: hard
-
-"glob@npm:^7.0.4, glob@npm:^7.1.4, glob@npm:^7.1.6":
-  version: 7.1.6
-  resolution: "glob@npm:7.1.6"
-  dependencies:
-    fs.realpath: ^1.0.0
-    inflight: ^1.0.4
-    inherits: 2
-    minimatch: ^3.0.4
-    once: ^1.3.0
-    path-is-absolute: ^1.0.0
-  checksum: 351d549dd90553b87c2d3f90ce11aed9e1093c74130440e7ae0592e11bbcd2ce7f0ebb8ba6bfe63aaf9b62166a7f4c80cb84490ae5d78408bb2572bf7d4ee0a6
-  languageName: node
-  linkType: hard
-
-"glob@npm:^7.1.2, glob@npm:^7.1.3":
-  version: 7.2.0
-  resolution: "glob@npm:7.2.0"
-  dependencies:
-    fs.realpath: ^1.0.0
-    inflight: ^1.0.4
-    inherits: 2
-    minimatch: ^3.0.4
-    once: ^1.3.0
-    path-is-absolute: ^1.0.0
-  checksum: 78a8ea942331f08ed2e055cb5b9e40fe6f46f579d7fd3d694f3412fe5db23223d29b7fee1575440202e9a7ff9a72ab106a39fee39934c7bedafe5e5f8ae20134
-  languageName: node
-  linkType: hard
-
-"glob@npm:^7.2.3":
-  version: 7.2.3
-  resolution: "glob@npm:7.2.3"
-  dependencies:
-    fs.realpath: ^1.0.0
-    inflight: ^1.0.4
-    inherits: 2
-    minimatch: ^3.1.1
-    once: ^1.3.0
-    path-is-absolute: ^1.0.0
-  checksum: 29452e97b38fa704dabb1d1045350fb2467cf0277e155aa9ff7077e90ad81d1ea9d53d3ee63bd37c05b09a065e90f16aec4a65f5b8de401d1dac40bc5605d133
-  languageName: node
-  linkType: hard
-
-"glob@npm:^8.0.1, glob@npm:^8.0.3, glob@npm:^8.1.0":
-  version: 8.1.0
-  resolution: "glob@npm:8.1.0"
-  dependencies:
-    fs.realpath: ^1.0.0
-    inflight: ^1.0.4
-    inherits: 2
-    minimatch: ^5.0.1
-    once: ^1.3.0
-  checksum: 92fbea3221a7d12075f26f0227abac435de868dd0736a17170663783296d0dd8d3d532a5672b4488a439bf5d7fb85cdd07c11185d6cd39184f0385cbdfb86a47
-  languageName: node
-  linkType: hard
-
-"global-modules@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "global-modules@npm:1.0.0"
-  dependencies:
-    global-prefix: ^1.0.1
-    is-windows: ^1.0.1
-    resolve-dir: ^1.0.0
-  checksum: 10be68796c1e1abc1e2ba87ec4ea507f5629873b119ab0cd29c07284ef2b930f1402d10df01beccb7391dedd9cd479611dd6a24311c71be58937beaf18edf85e
-  languageName: node
-  linkType: hard
-
-"global-modules@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "global-modules@npm:2.0.0"
-  dependencies:
-    global-prefix: ^3.0.0
-  checksum: d6197f25856c878c2fb5f038899f2dca7cbb2f7b7cf8999660c0104972d5cfa5c68b5a0a77fa8206bb536c3903a4615665acb9709b4d80846e1bb47eaef65430
-  languageName: node
-  linkType: hard
-
-"global-prefix@npm:^1.0.1":
-  version: 1.0.2
-  resolution: "global-prefix@npm:1.0.2"
-  dependencies:
-    expand-tilde: ^2.0.2
-    homedir-polyfill: ^1.0.1
-    ini: ^1.3.4
-    is-windows: ^1.0.1
-    which: ^1.2.14
-  checksum: 061b43470fe498271bcd514e7746e8a8535032b17ab9570517014ae27d700ff0dca749f76bbde13ba384d185be4310d8ba5712cb0e74f7d54d59390db63dd9a0
-  languageName: node
-  linkType: hard
-
-"global-prefix@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "global-prefix@npm:3.0.0"
-  dependencies:
-    ini: ^1.3.5
-    kind-of: ^6.0.2
-    which: ^1.3.1
-  checksum: 8a82fc1d6f22c45484a4e34656cc91bf021a03e03213b0035098d605bfc612d7141f1e14a21097e8a0413b4884afd5b260df0b6a25605ce9d722e11f1df2881d
-  languageName: node
-  linkType: hard
-
-"globals@npm:^11.1.0":
-  version: 11.12.0
-  resolution: "globals@npm:11.12.0"
-  checksum: 67051a45eca3db904aee189dfc7cd53c20c7d881679c93f6146ddd4c9f4ab2268e68a919df740d39c71f4445d2b38ee360fc234428baea1dbdfe68bbcb46979e
-  languageName: node
-  linkType: hard
-
-"globals@npm:^13.15.0":
-  version: 13.17.0
-  resolution: "globals@npm:13.17.0"
-  dependencies:
-    type-fest: ^0.20.2
-  checksum: fbaf4112e59b92c9f5575e85ce65e9e17c0b82711196ec5f58beb08599bbd92fd72703d6dfc9b080381fd35b644e1b11dcf25b38cc2341ec21df942594cbc8ce
-  languageName: node
-  linkType: hard
-
-"globals@npm:^13.19.0":
-  version: 13.20.0
-  resolution: "globals@npm:13.20.0"
-  dependencies:
-    type-fest: ^0.20.2
-  checksum: ad1ecf914bd051325faad281d02ea2c0b1df5d01bd94d368dcc5513340eac41d14b3c61af325768e3c7f8d44576e72780ec0b6f2d366121f8eec6e03c3a3b97a
-  languageName: node
-  linkType: hard
-
-"globals@npm:^9.18.0":
-  version: 9.18.0
-  resolution: "globals@npm:9.18.0"
-  checksum: e9c066aecfdc5ea6f727344a4246ecc243aaf66ede3bffee10ddc0c73351794c25e727dd046090dcecd821199a63b9de6af299a6e3ba292c8b22f0a80ea32073
-  languageName: node
-  linkType: hard
-
-"globalthis@npm:^1.0.3":
-  version: 1.0.3
-  resolution: "globalthis@npm:1.0.3"
-  dependencies:
-    define-properties: ^1.1.3
-  checksum: fbd7d760dc464c886d0196166d92e5ffb4c84d0730846d6621a39fbbc068aeeb9c8d1421ad330e94b7bca4bb4ea092f5f21f3d36077812af5d098b4dc006c998
-  languageName: node
-  linkType: hard
-
-"globalyzer@npm:0.1.0":
-  version: 0.1.0
-  resolution: "globalyzer@npm:0.1.0"
-  checksum: 419a0f95ba542534fac0842964d31b3dc2936a479b2b1a8a62bad7e8b61054faa9b0a06ad9f2e12593396b9b2621cac93358d9b3071d33723fb1778608d358a1
-  languageName: node
-  linkType: hard
-
-"globby@npm:10.0.0":
-  version: 10.0.0
-  resolution: "globby@npm:10.0.0"
-  dependencies:
-    "@types/glob": ^7.1.1
-    array-union: ^2.1.0
-    dir-glob: ^3.0.1
-    fast-glob: ^3.0.3
-    glob: ^7.1.3
-    ignore: ^5.1.1
-    merge2: ^1.2.3
-    slash: ^3.0.0
-  checksum: fbff58d2fcaedd9207901f6e3b5341ff885b6d499c3a095f7befde0fd03ec1ea634452a82f81e894e46f6a5d704da44b842ba93066f90dced52adf84d4b8d1cc
-  languageName: node
-  linkType: hard
-
-"globby@npm:^11.0.3":
-  version: 11.0.4
-  resolution: "globby@npm:11.0.4"
-  dependencies:
-    array-union: ^2.1.0
-    dir-glob: ^3.0.1
-    fast-glob: ^3.1.1
-    ignore: ^5.1.4
-    merge2: ^1.3.0
-    slash: ^3.0.0
-  checksum: d3e02d5e459e02ffa578b45f040381c33e3c0538ed99b958f0809230c423337999867d7b0dbf752ce93c46157d3bbf154d3fff988a93ccaeb627df8e1841775b
-  languageName: node
-  linkType: hard
-
-"globby@npm:^11.1.0":
-  version: 11.1.0
-  resolution: "globby@npm:11.1.0"
-  dependencies:
-    array-union: ^2.1.0
-    dir-glob: ^3.0.1
-    fast-glob: ^3.2.9
-    ignore: ^5.2.0
-    merge2: ^1.4.1
-    slash: ^3.0.0
-  checksum: b4be8885e0cfa018fc783792942d53926c35c50b3aefd3fdcfb9d22c627639dc26bd2327a40a0b74b074100ce95bb7187bfeae2f236856aa3de183af7a02aea6
-  languageName: node
-  linkType: hard
-
-"globby@npm:^13.1.3":
-  version: 13.2.2
-  resolution: "globby@npm:13.2.2"
-  dependencies:
-    dir-glob: ^3.0.1
-    fast-glob: ^3.3.0
-    ignore: ^5.2.4
-    merge2: ^1.4.1
-    slash: ^4.0.0
-  checksum: f3d84ced58a901b4fcc29c846983108c426631fe47e94872868b65565495f7bee7b3defd68923bd480582771fd4bbe819217803a164a618ad76f1d22f666f41e
-  languageName: node
-  linkType: hard
-
-"globjoin@npm:^0.1.4":
-  version: 0.1.4
-  resolution: "globjoin@npm:0.1.4"
-  checksum: 0a47d88d566122d9e42da946453ee38b398e0021515ac6a95d13f980ba8c1e42954e05ee26cfcbffce1ac1ee094d0524b16ce1dd874ca52408d6db5c6d39985b
-  languageName: node
-  linkType: hard
-
-"globrex@npm:^0.1.2":
-  version: 0.1.2
-  resolution: "globrex@npm:0.1.2"
-  checksum: adca162494a176ce9ecf4dd232f7b802956bb1966b37f60c15e49d2e7d961b66c60826366dc2649093cad5a0d69970cfa8875bd1695b5a1a2f33dcd2aa88da3c
-  languageName: node
-  linkType: hard
-
-"good-listener@npm:^1.2.2":
-  version: 1.2.2
-  resolution: "good-listener@npm:1.2.2"
-  dependencies:
-    delegate: ^3.1.2
-  checksum: f39fb82c4e41524f56104cfd2d7aef1a88e72f3f75139115fbdf98cc7d844e0c1b39218b2e83438c6188727bf904ed78c7f0f2feff67b32833bc3af7f0202b33
-  languageName: node
-  linkType: hard
-
-"gopd@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "gopd@npm:1.0.1"
-  dependencies:
-    get-intrinsic: ^1.1.3
-  checksum: a5ccfb8806e0917a94e0b3de2af2ea4979c1da920bc381667c260e00e7cafdbe844e2cb9c5bcfef4e5412e8bf73bab837285bc35c7ba73aaaf0134d4583393a6
-  languageName: node
-  linkType: hard
-
-"graceful-fs@npm:^4.1.11, graceful-fs@npm:^4.1.15, graceful-fs@npm:^4.1.3":
-  version: 4.2.6
-  resolution: "graceful-fs@npm:4.2.6"
-  checksum: 792e64aafda05a151289f83eaa16aff34ef259658cefd65393883d959409f5a2389b0ec9ebf28f3d21f1b0ddc8f594a1162ae9b18e2b507a6799a70706ec573d
-  languageName: node
-  linkType: hard
-
-"graceful-fs@npm:^4.1.2, graceful-fs@npm:^4.1.6, graceful-fs@npm:^4.1.9, graceful-fs@npm:^4.2.0, graceful-fs@npm:^4.2.4":
-  version: 4.2.8
-  resolution: "graceful-fs@npm:4.2.8"
-  checksum: 5d224c8969ad0581d551dfabdb06882706b31af2561bd5e2034b4097e67cc27d05232849b8643866585fd0a41c7af152950f8776f4dd5579e9853733f31461c6
-  languageName: node
-  linkType: hard
-
-"graceful-fs@npm:^4.2.6":
-  version: 4.2.11
-  resolution: "graceful-fs@npm:4.2.11"
-  checksum: ac85f94da92d8eb6b7f5a8b20ce65e43d66761c55ce85ac96df6865308390da45a8d3f0296dd3a663de65d30ba497bd46c696cc1e248c72b13d6d567138a4fc7
-  languageName: node
-  linkType: hard
-
-"graceful-fs@npm:^4.2.9":
-  version: 4.2.10
-  resolution: "graceful-fs@npm:4.2.10"
-  checksum: 3f109d70ae123951905d85032ebeae3c2a5a7a997430df00ea30df0e3a6c60cf6689b109654d6fdacd28810a053348c4d14642da1d075049e6be1ba5216218da
-  languageName: node
-  linkType: hard
-
-"graceful-readlink@npm:>= 1.0.0":
-  version: 1.0.1
-  resolution: "graceful-readlink@npm:1.0.1"
-  checksum: 4c1889ca0a6fc0bb9585b55c26a99719be132cbc4b7d84036193b70608059b9783e52e2a866d5a8e39821b16a69e899644ca75c6206563f1319b6720836b9ab2
-  languageName: node
-  linkType: hard
-
-"grapheme-splitter@npm:^1.0.4":
-  version: 1.0.4
-  resolution: "grapheme-splitter@npm:1.0.4"
-  checksum: 0c22ec54dee1b05cd480f78cf14f732cb5b108edc073572c4ec205df4cd63f30f8db8025afc5debc8835a8ddeacf648a1c7992fe3dcd6ad38f9a476d84906620
-  languageName: node
-  linkType: hard
-
-"graphemer@npm:^1.4.0":
-  version: 1.4.0
-  resolution: "graphemer@npm:1.4.0"
-  checksum: bab8f0be9b568857c7bec9fda95a89f87b783546d02951c40c33f84d05bb7da3fd10f863a9beb901463669b6583173a8c8cc6d6b306ea2b9b9d5d3d943c3a673
-  languageName: node
-  linkType: hard
-
-"growly@npm:^1.3.0":
-  version: 1.3.0
-  resolution: "growly@npm:1.3.0"
-  checksum: 53cdecd4c16d7d9154a9061a9ccb87d602e957502ca69b529d7d1b2436c2c0b700ec544fc6b3e4cd115d59b81e62e44ce86bd0521403b579d3a2a97d7ce72a44
-  languageName: node
-  linkType: hard
-
-"handlebars@npm:4.7.7, handlebars@npm:^4.0.11, handlebars@npm:^4.0.13, handlebars@npm:^4.0.4, handlebars@npm:^4.3.1, handlebars@npm:^4.4.2, handlebars@npm:^4.7.3":
-  version: 4.7.7
-  resolution: "handlebars@npm:4.7.7"
-  dependencies:
-    minimist: ^1.2.5
-    neo-async: ^2.6.0
-    source-map: ^0.6.1
-    uglify-js: ^3.1.4
-    wordwrap: ^1.0.0
-  dependenciesMeta:
-    uglify-js:
-      optional: true
-  bin:
-    handlebars: bin/handlebars
-  checksum: 1e79a43f5e18d15742977cb987923eab3e2a8f44f2d9d340982bcb69e1735ed049226e534d7c1074eaddaf37e4fb4f471a8adb71cddd5bc8cf3f894241df5cee
-  languageName: node
-  linkType: hard
-
-"har-schema@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "har-schema@npm:2.0.0"
-  checksum: d8946348f333fb09e2bf24cc4c67eabb47c8e1d1aa1c14184c7ffec1140a49ec8aa78aa93677ae452d71d5fc0fdeec20f0c8c1237291fc2bcb3f502a5d204f9b
-  languageName: node
-  linkType: hard
-
-"har-validator@npm:~5.1.3":
-  version: 5.1.5
-  resolution: "har-validator@npm:5.1.5"
-  dependencies:
-    ajv: ^6.12.3
-    har-schema: ^2.0.0
-  checksum: b998a7269ca560d7f219eedc53e2c664cd87d487e428ae854a6af4573fc94f182fe9d2e3b92ab968249baec7ebaf9ead69cf975c931dc2ab282ec182ee988280
-  languageName: node
-  linkType: hard
-
-"hard-rejection@npm:^2.1.0":
-  version: 2.1.0
-  resolution: "hard-rejection@npm:2.1.0"
-  checksum: 7baaf80a0c7fff4ca79687b4060113f1529589852152fa935e6787a2bc96211e784ad4588fb3048136ff8ffc9dfcf3ae385314a5b24db32de20bea0d1597f9dc
-  languageName: node
-  linkType: hard
-
-"has-ansi@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "has-ansi@npm:2.0.0"
-  dependencies:
-    ansi-regex: ^2.0.0
-  checksum: 1b51daa0214440db171ff359d0a2d17bc20061164c57e76234f614c91dbd2a79ddd68dfc8ee73629366f7be45a6df5f2ea9de83f52e1ca24433f2cc78c35d8ec
-  languageName: node
-  linkType: hard
-
-"has-ansi@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "has-ansi@npm:3.0.0"
-  dependencies:
-    ansi-regex: ^3.0.0
-  checksum: d52ff546c982fb8646e6aa6a4e3741c123a29dcd0342db0e98cd17561356fc47fb03cc0cab9ad2000887facc39b8e7ce385089bdce548e6ff5463858ed5c12c1
-  languageName: node
-  linkType: hard
-
-"has-bigints@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "has-bigints@npm:1.0.1"
-  checksum: 44ab55868174470065d2e0f8f6def1c990d12b82162a8803c679699fa8a39f966e336f2a33c185092fe8aea7e8bf2e85f1c26add5f29d98f2318bd270096b183
-  languageName: node
-  linkType: hard
-
-"has-bigints@npm:^1.0.2":
-  version: 1.0.2
-  resolution: "has-bigints@npm:1.0.2"
-  checksum: 390e31e7be7e5c6fe68b81babb73dfc35d413604d7ee5f56da101417027a4b4ce6a27e46eff97ad040c835b5d228676eae99a9b5c3bc0e23c8e81a49241ff45b
-  languageName: node
-  linkType: hard
-
-"has-color@npm:~0.1.0":
-  version: 0.1.7
-  resolution: "has-color@npm:0.1.7"
-  checksum: 5753d76b1330bc1f5a07171f222ed0718f5ec2d64d5677800e434f183a99f7042f5cda43c9625a2d0f0204063aa03499a66f1c15283d789773b3544f18f93f58
-  languageName: node
-  linkType: hard
-
-"has-flag@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "has-flag@npm:3.0.0"
-  checksum: 4a15638b454bf086c8148979aae044dd6e39d63904cd452d970374fa6a87623423da485dfb814e7be882e05c096a7ccf1ebd48e7e7501d0208d8384ff4dea73b
-  languageName: node
-  linkType: hard
-
-"has-flag@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "has-flag@npm:4.0.0"
-  checksum: 261a1357037ead75e338156b1f9452c016a37dcd3283a972a30d9e4a87441ba372c8b81f818cd0fbcd9c0354b4ae7e18b9e1afa1971164aef6d18c2b6095a8ad
-  languageName: node
-  linkType: hard
-
-"has-property-descriptors@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "has-property-descriptors@npm:1.0.0"
-  dependencies:
-    get-intrinsic: ^1.1.1
-  checksum: a6d3f0a266d0294d972e354782e872e2fe1b6495b321e6ef678c9b7a06a40408a6891817350c62e752adced73a94ac903c54734fee05bf65b1905ee1368194bb
-  languageName: node
-  linkType: hard
-
-"has-proto@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "has-proto@npm:1.0.1"
-  checksum: febc5b5b531de8022806ad7407935e2135f1cc9e64636c3916c6842bd7995994ca3b29871ecd7954bd35f9e2986c17b3b227880484d22259e2f8e6ce63fd383e
-  languageName: node
-  linkType: hard
-
-"has-symbols@npm:^1.0.1, has-symbols@npm:^1.0.2":
-  version: 1.0.2
-  resolution: "has-symbols@npm:1.0.2"
-  checksum: 2309c426071731be792b5be43b3da6fb4ed7cbe8a9a6bcfca1862587709f01b33d575ce8f5c264c1eaad09fca2f9a8208c0a2be156232629daa2dd0c0740976b
-  languageName: node
-  linkType: hard
-
-"has-symbols@npm:^1.0.3":
-  version: 1.0.3
-  resolution: "has-symbols@npm:1.0.3"
-  checksum: a054c40c631c0d5741a8285010a0777ea0c068f99ed43e5d6eb12972da223f8af553a455132fdb0801bdcfa0e0f443c0c03a68d8555aa529b3144b446c3f2410
-  languageName: node
-  linkType: hard
-
-"has-tostringtag@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "has-tostringtag@npm:1.0.0"
-  dependencies:
-    has-symbols: ^1.0.2
-  checksum: cc12eb28cb6ae22369ebaad3a8ab0799ed61270991be88f208d508076a1e99abe4198c965935ce85ea90b60c94ddda73693b0920b58e7ead048b4a391b502c1c
-  languageName: node
-  linkType: hard
-
-"has-unicode@npm:^2.0.1":
-  version: 2.0.1
-  resolution: "has-unicode@npm:2.0.1"
-  checksum: 1eab07a7436512db0be40a710b29b5dc21fa04880b7f63c9980b706683127e3c1b57cb80ea96d47991bdae2dfe479604f6a1ba410106ee1046a41d1bd0814400
-  languageName: node
-  linkType: hard
-
-"has-value@npm:^0.3.1":
-  version: 0.3.1
-  resolution: "has-value@npm:0.3.1"
-  dependencies:
-    get-value: ^2.0.3
-    has-values: ^0.1.4
-    isobject: ^2.0.0
-  checksum: 29e2a1e6571dad83451b769c7ce032fce6009f65bccace07c2962d3ad4d5530b6743d8f3229e4ecf3ea8e905d23a752c5f7089100c1f3162039fa6dc3976558f
-  languageName: node
-  linkType: hard
-
-"has-value@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "has-value@npm:1.0.0"
-  dependencies:
-    get-value: ^2.0.6
-    has-values: ^1.0.0
-    isobject: ^3.0.0
-  checksum: b9421d354e44f03d3272ac39fd49f804f19bc1e4fa3ceef7745df43d6b402053f828445c03226b21d7d934a21ac9cf4bc569396dc312f496ddff873197bbd847
-  languageName: node
-  linkType: hard
-
-"has-values@npm:^0.1.4":
-  version: 0.1.4
-  resolution: "has-values@npm:0.1.4"
-  checksum: ab1c4bcaf811ccd1856c11cfe90e62fca9e2b026ebe474233a3d282d8d67e3b59ed85b622c7673bac3db198cb98bd1da2b39300a2f98e453729b115350af49bc
-  languageName: node
-  linkType: hard
-
-"has-values@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "has-values@npm:1.0.0"
-  dependencies:
-    is-number: ^3.0.0
-    kind-of: ^4.0.0
-  checksum: 77e6693f732b5e4cf6c38dfe85fdcefad0fab011af74995c3e83863fabf5e3a836f406d83565816baa0bc0a523c9410db8b990fe977074d61aeb6d8f4fcffa11
-  languageName: node
-  linkType: hard
-
-"has@npm:^1.0.3":
-  version: 1.0.3
-  resolution: "has@npm:1.0.3"
-  dependencies:
-    function-bind: ^1.1.1
-  checksum: b9ad53d53be4af90ce5d1c38331e712522417d017d5ef1ebd0507e07c2fbad8686fffb8e12ddecd4c39ca9b9b47431afbb975b8abf7f3c3b82c98e9aad052792
-  languageName: node
-  linkType: hard
-
-"hash-base@npm:^3.0.0":
-  version: 3.1.0
-  resolution: "hash-base@npm:3.1.0"
-  dependencies:
-    inherits: ^2.0.4
-    readable-stream: ^3.6.0
-    safe-buffer: ^5.2.0
-  checksum: 26b7e97ac3de13cb23fc3145e7e3450b0530274a9562144fc2bf5c1e2983afd0e09ed7cc3b20974ba66039fad316db463da80eb452e7373e780cbee9a0d2f2dc
-  languageName: node
-  linkType: hard
-
-"hash-for-dep@npm:^1.0.2, hash-for-dep@npm:^1.2.3, hash-for-dep@npm:^1.4.7, hash-for-dep@npm:^1.5.0, hash-for-dep@npm:^1.5.1":
-  version: 1.5.1
-  resolution: "hash-for-dep@npm:1.5.1"
-  dependencies:
-    broccoli-kitchen-sink-helpers: ^0.3.1
-    heimdalljs: ^0.2.3
-    heimdalljs-logger: ^0.1.7
-    path-root: ^0.1.1
-    resolve: ^1.10.0
-    resolve-package-path: ^1.0.11
-  checksum: ea9854cfeaedc5e3b7ba38f902a9173919f3f1abef13ee27ddc15b5ec8768be340762ed502e9d16b3ffbeb8e8af0f099cb0348215f9de39c31bb722af52895d9
-  languageName: node
-  linkType: hard
-
-"hash.js@npm:^1.0.0, hash.js@npm:^1.0.3":
-  version: 1.1.7
-  resolution: "hash.js@npm:1.1.7"
-  dependencies:
-    inherits: ^2.0.3
-    minimalistic-assert: ^1.0.1
-  checksum: e350096e659c62422b85fa508e4b3669017311aa4c49b74f19f8e1bc7f3a54a584fdfd45326d4964d6011f2b2d882e38bea775a96046f2a61b7779a979629d8f
-  languageName: node
-  linkType: hard
-
-"heimdalljs-fs-monitor@npm:^1.1.1":
-  version: 1.1.1
-  resolution: "heimdalljs-fs-monitor@npm:1.1.1"
-  dependencies:
-    callsites: ^3.1.0
-    clean-stack: ^2.2.0
-    extract-stack: ^2.0.0
-    heimdalljs: ^0.2.3
-    heimdalljs-logger: ^0.1.7
-  checksum: 0932adf032888bcc22c9ff8b5d832c708f1303b04e5a8c34b88dac09948bf6a45e4ea7d34bfdf30a3aaa41eabb0311d0e00e0fad1da862e16cc0950db50101cd
-  languageName: node
-  linkType: hard
-
-"heimdalljs-graph@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "heimdalljs-graph@npm:1.0.0"
-  checksum: eef4a3de227fa4b3e6b20f634b7c1bbb3c7ae9a83639444ce7f5f8ffbc979e205021538452ecd92804d49013245ed9a989075c8c9147cca8666f4d7a1983da93
-  languageName: node
-  linkType: hard
-
-"heimdalljs-logger@npm:^0.1.10, heimdalljs-logger@npm:^0.1.7, heimdalljs-logger@npm:^0.1.9":
-  version: 0.1.10
-  resolution: "heimdalljs-logger@npm:0.1.10"
-  dependencies:
-    debug: ^2.2.0
-    heimdalljs: ^0.2.6
-  checksum: 40a698843aa4773e3376f4e000c87599460971f4411b402985526a8f82563f5486fc85bfde90ce3e63d25381cf417289e870242321ce92ade32ea3b91585cfad
-  languageName: node
-  linkType: hard
-
-"heimdalljs@npm:^0.2.0, heimdalljs@npm:^0.2.1, heimdalljs@npm:^0.2.3, heimdalljs@npm:^0.2.5, heimdalljs@npm:^0.2.6":
-  version: 0.2.6
-  resolution: "heimdalljs@npm:0.2.6"
-  dependencies:
-    rsvp: ~3.2.1
-  checksum: 5b28d3df4e77ea94293b43c29f0a358381aa811079817f780a1dafc9d244c891a0a713691a3c53d0d2dc31a76484fb36d998e7ae5040ef4b52e8c4a00d2173ae
-  languageName: node
-  linkType: hard
-
-"highlight.js@npm:^10.4.1":
-  version: 10.7.2
-  resolution: "highlight.js@npm:10.7.2"
-  checksum: af09b434070c81ed154b4c990bee61a8c1295887554abc7884eb2544c48bff208e237e7ce1b324ebe94abe0f942e15e2c11dff1b1ed22a79a3c4a0d8a900a921
-  languageName: node
-  linkType: hard
-
-"hmac-drbg@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "hmac-drbg@npm:1.0.1"
-  dependencies:
-    hash.js: ^1.0.3
-    minimalistic-assert: ^1.0.0
-    minimalistic-crypto-utils: ^1.0.1
-  checksum: bd30b6a68d7f22d63f10e1888aee497d7c2c5c0bb469e66bbdac99f143904d1dfe95f8131f95b3e86c86dd239963c9d972fcbe147e7cffa00e55d18585c43fe0
-  languageName: node
-  linkType: hard
-
-"home-or-tmp@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "home-or-tmp@npm:2.0.0"
-  dependencies:
-    os-homedir: ^1.0.0
-    os-tmpdir: ^1.0.1
-  checksum: b783c6ffd22f716d82f53e8c781cbe49bc9f4109a89ea86a27951e54c0bd335caf06bd828be2958cd9f4681986df1739558ae786abda6298cdd6d3edc2c362f1
-  languageName: node
-  linkType: hard
-
-"homedir-polyfill@npm:^1.0.1":
-  version: 1.0.3
-  resolution: "homedir-polyfill@npm:1.0.3"
-  dependencies:
-    parse-passwd: ^1.0.0
-  checksum: 18dd4db87052c6a2179d1813adea0c4bfcfa4f9996f0e226fefb29eb3d548e564350fa28ec46b0bf1fbc0a1d2d6922ceceb80093115ea45ff8842a4990139250
-  languageName: node
-  linkType: hard
-
-"hosted-git-info@npm:^2.1.4":
-  version: 2.8.9
-  resolution: "hosted-git-info@npm:2.8.9"
-  checksum: c955394bdab888a1e9bb10eb33029e0f7ce5a2ac7b3f158099dc8c486c99e73809dca609f5694b223920ca2174db33d32b12f9a2a47141dc59607c29da5a62dd
-  languageName: node
-  linkType: hard
-
-"hosted-git-info@npm:^4.0.1":
-  version: 4.1.0
-  resolution: "hosted-git-info@npm:4.1.0"
-  dependencies:
-    lru-cache: ^6.0.0
-  checksum: c3f87b3c2f7eb8c2748c8f49c0c2517c9a95f35d26f4bf54b2a8cba05d2e668f3753548b6ea366b18ec8dadb4e12066e19fa382a01496b0ffa0497eb23cbe461
-  languageName: node
-  linkType: hard
-
-"hosted-git-info@npm:^6.0.0":
-  version: 6.1.1
-  resolution: "hosted-git-info@npm:6.1.1"
-  dependencies:
-    lru-cache: ^7.5.1
-  checksum: fcd3ca2eaa05f3201425ccbb8aa47f88cdda4a3a6d79453f8e269f7171356278bd1db08f059d8439eb5eaa91c6a8a20800fc49cca6e9e4e899b202a332d5ba6b
-  languageName: node
-  linkType: hard
-
-"html-encoding-sniffer@npm:^2.0.1":
-  version: 2.0.1
-  resolution: "html-encoding-sniffer@npm:2.0.1"
-  dependencies:
-    whatwg-encoding: ^1.0.5
-  checksum: bf30cce461015ed7e365736fcd6a3063c7bc016a91f74398ef6158886970a96333938f7c02417ab3c12aa82e3e53b40822145facccb9ddfbcdc15a879ae4d7ba
-  languageName: node
-  linkType: hard
-
-"html-tags@npm:^3.3.1":
-  version: 3.3.1
-  resolution: "html-tags@npm:3.3.1"
-  checksum: b4ef1d5a76b678e43cce46e3783d563607b1d550cab30b4f511211564574770aa8c658a400b100e588bc60b8234e59b35ff72c7851cc28f3b5403b13a2c6cbce
-  languageName: node
-  linkType: hard
-
-"htmlparser2@npm:^7.2.0":
-  version: 7.2.0
-  resolution: "htmlparser2@npm:7.2.0"
-  dependencies:
-    domelementtype: ^2.0.1
-    domhandler: ^4.2.2
-    domutils: ^2.8.0
-    entities: ^3.0.1
-  checksum: 96563d9965729cfcb3f5f19c26d013c6831b4cb38d79d8c185e9cd669ea6a9ffe8fb9ccc74d29a068c9078aa0e2767053ed6b19aa32723c41550340d0094bea0
-  languageName: node
-  linkType: hard
-
-"htmlparser2@npm:^8.0.1":
-  version: 8.0.1
-  resolution: "htmlparser2@npm:8.0.1"
-  dependencies:
-    domelementtype: ^2.3.0
-    domhandler: ^5.0.2
-    domutils: ^3.0.1
-    entities: ^4.3.0
-  checksum: 06d5c71e8313597722bc429ae2a7a8333d77bd3ab07ccb916628384b37332027b047f8619448d8f4a3312b6609c6ea3302a4e77435d859e9e686999e6699ca39
-  languageName: node
-  linkType: hard
-
-"http-cache-semantics@npm:^4.1.0":
-  version: 4.1.1
-  resolution: "http-cache-semantics@npm:4.1.1"
-  checksum: 83ac0bc60b17a3a36f9953e7be55e5c8f41acc61b22583060e8dedc9dd5e3607c823a88d0926f9150e571f90946835c7fe150732801010845c72cd8bbff1a236
-  languageName: node
-  linkType: hard
-
-"http-errors@npm:1.7.2":
-  version: 1.7.2
-  resolution: "http-errors@npm:1.7.2"
-  dependencies:
-    depd: ~1.1.2
-    inherits: 2.0.3
-    setprototypeof: 1.1.1
-    statuses: ">= 1.5.0 < 2"
-    toidentifier: 1.0.0
-  checksum: 5534b0ae08e77f5a45a2380f500e781f6580c4ff75b816cb1f09f99a290b57e78a518be6d866db1b48cca6b052c09da2c75fc91fb16a2fe3da3c44d9acbb9972
-  languageName: node
-  linkType: hard
-
-"http-errors@npm:2.0.0":
-  version: 2.0.0
-  resolution: "http-errors@npm:2.0.0"
-  dependencies:
-    depd: 2.0.0
-    inherits: 2.0.4
-    setprototypeof: 1.2.0
-    statuses: 2.0.1
-    toidentifier: 1.0.1
-  checksum: 9b0a3782665c52ce9dc658a0d1560bcb0214ba5699e4ea15aefb2a496e2ca83db03ebc42e1cce4ac1f413e4e0d2d736a3fd755772c556a9a06853ba2a0b7d920
-  languageName: node
-  linkType: hard
-
-"http-errors@npm:~1.6.2":
-  version: 1.6.3
-  resolution: "http-errors@npm:1.6.3"
-  dependencies:
-    depd: ~1.1.2
-    inherits: 2.0.3
-    setprototypeof: 1.1.0
-    statuses: ">= 1.4.0 < 2"
-  checksum: a9654ee027e3d5de305a56db1d1461f25709ac23267c6dc28cdab8323e3f96caa58a9a6a5e93ac15d7285cee0c2f019378c3ada9026e7fe19c872d695f27de7c
-  languageName: node
-  linkType: hard
-
-"http-errors@npm:~1.7.2":
-  version: 1.7.3
-  resolution: "http-errors@npm:1.7.3"
-  dependencies:
-    depd: ~1.1.2
-    inherits: 2.0.4
-    setprototypeof: 1.1.1
-    statuses: ">= 1.5.0 < 2"
-    toidentifier: 1.0.0
-  checksum: a59f359473f4b3ea78305beee90d186268d6075432622a46fb7483059068a2dd4c854a20ac8cd438883127e06afb78c1309168bde6cdfeed1e3700eb42487d99
-  languageName: node
-  linkType: hard
-
-"http-parser-js@npm:>=0.5.1":
-  version: 0.5.3
-  resolution: "http-parser-js@npm:0.5.3"
-  checksum: 6f3142c5f60ad995a6895a1dc4f70f8cef0910745366e97cbcb99caa604590dbcc11006b00989ad306837d6b820e9bfc6e801c4060ed19a0e4df83caa8577cb5
-  languageName: node
-  linkType: hard
-
-"http-proxy-agent@npm:^5.0.0":
-  version: 5.0.0
-  resolution: "http-proxy-agent@npm:5.0.0"
-  dependencies:
-    "@tootallnate/once": 2
-    agent-base: 6
-    debug: 4
-  checksum: e2ee1ff1656a131953839b2a19cd1f3a52d97c25ba87bd2559af6ae87114abf60971e498021f9b73f9fd78aea8876d1fb0d4656aac8a03c6caa9fc175f22b786
-  languageName: node
-  linkType: hard
-
-"http-proxy@npm:^1.13.1, http-proxy@npm:^1.18.1":
-  version: 1.18.1
-  resolution: "http-proxy@npm:1.18.1"
-  dependencies:
-    eventemitter3: ^4.0.0
-    follow-redirects: ^1.0.0
-    requires-port: ^1.0.0
-  checksum: f5bd96bf83e0b1e4226633dbb51f8b056c3e6321917df402deacec31dd7fe433914fc7a2c1831cf7ae21e69c90b3a669b8f434723e9e8b71fd68afe30737b6a5
-  languageName: node
-  linkType: hard
-
-"http-signature@npm:~1.2.0":
-  version: 1.2.0
-  resolution: "http-signature@npm:1.2.0"
-  dependencies:
-    assert-plus: ^1.0.0
-    jsprim: ^1.2.2
-    sshpk: ^1.7.0
-  checksum: 3324598712266a9683585bb84a75dec4fd550567d5e0dd4a0fff6ff3f74348793404d3eeac4918fa0902c810eeee1a86419e4a2e92a164132dfe6b26743fb47c
-  languageName: node
-  linkType: hard
-
-"https-browserify@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "https-browserify@npm:1.0.0"
-  checksum: 09b35353e42069fde2435760d13f8a3fb7dd9105e358270e2e225b8a94f811b461edd17cb57594e5f36ec1218f121c160ddceeec6e8be2d55e01dcbbbed8cbae
-  languageName: node
-  linkType: hard
-
-"https-proxy-agent@npm:^2.2.3":
-  version: 2.2.4
-  resolution: "https-proxy-agent@npm:2.2.4"
-  dependencies:
-    agent-base: ^4.3.0
-    debug: ^3.1.0
-  checksum: 5fa8eab256b117a8badb5747bedf8b3a9de1fbabdccb26ff3132385426fdc3ad3c8b092ce52a1b74c70229b971df623f4f5a0c17f78e6a8fe5d10fc65d6ed8b8
-  languageName: node
-  linkType: hard
-
-"https@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "https@npm:1.0.0"
-  checksum: ccea8a8363a018d4b241db7748cff3a85c9f5b71bf80639e9c37dc6823f590f35dda098b80b726930e9f945387c8bfd6b1461df25cab5bf65a31903d81875b5d
-  languageName: node
-  linkType: hard
-
-"human-signals@npm:^1.1.1":
-  version: 1.1.1
-  resolution: "human-signals@npm:1.1.1"
-  checksum: d587647c9e8ec24e02821b6be7de5a0fc37f591f6c4e319b3054b43fd4c35a70a94c46fc74d8c1a43c47fde157d23acd7421f375e1c1365b09a16835b8300205
-  languageName: node
-  linkType: hard
-
-"human-signals@npm:^2.1.0":
-  version: 2.1.0
-  resolution: "human-signals@npm:2.1.0"
-  checksum: b87fd89fce72391625271454e70f67fe405277415b48bcc0117ca73d31fa23a4241787afdc8d67f5a116cf37258c052f59ea82daffa72364d61351423848e3b8
-  languageName: node
-  linkType: hard
-
-"humanize-ms@npm:^1.2.1":
-  version: 1.2.1
-  resolution: "humanize-ms@npm:1.2.1"
-  dependencies:
-    ms: ^2.0.0
-  checksum: 9c7a74a2827f9294c009266c82031030eae811ca87b0da3dceb8d6071b9bde22c9f3daef0469c3c533cc67a97d8a167cd9fc0389350e5f415f61a79b171ded16
-  languageName: node
-  linkType: hard
-
-"iconv-lite@npm:0.4, iconv-lite@npm:0.4.24, iconv-lite@npm:^0.4.24":
-  version: 0.4.24
-  resolution: "iconv-lite@npm:0.4.24"
-  dependencies:
-    safer-buffer: ">= 2.1.2 < 3"
-  checksum: bd9f120f5a5b306f0bc0b9ae1edeb1577161503f5f8252a20f1a9e56ef8775c9959fd01c55f2d3a39d9a8abaf3e30c1abeb1895f367dcbbe0a8fd1c9ca01c4f6
-  languageName: node
-  linkType: hard
-
-"iconv-lite@npm:^0.6.2":
-  version: 0.6.3
-  resolution: "iconv-lite@npm:0.6.3"
-  dependencies:
-    safer-buffer: ">= 2.1.2 < 3.0.0"
-  checksum: 3f60d47a5c8fc3313317edfd29a00a692cc87a19cac0159e2ce711d0ebc9019064108323b5e493625e25594f11c6236647d8e256fbe7a58f4a3b33b89e6d30bf
-  languageName: node
-  linkType: hard
-
-"icss-utils@npm:^5.0.0, icss-utils@npm:^5.1.0":
-  version: 5.1.0
-  resolution: "icss-utils@npm:5.1.0"
-  peerDependencies:
-    postcss: ^8.1.0
-  checksum: 5c324d283552b1269cfc13a503aaaa172a280f914e5b81544f3803bc6f06a3b585fb79f66f7c771a2c052db7982c18bf92d001e3b47282e3abbbb4c4cc488d68
-  languageName: node
-  linkType: hard
-
-"ieee754@npm:^1.1.13, ieee754@npm:^1.1.4":
-  version: 1.2.1
-  resolution: "ieee754@npm:1.2.1"
-  checksum: 5144c0c9815e54ada181d80a0b810221a253562422e7c6c3a60b1901154184f49326ec239d618c416c1c5945a2e197107aee8d986a3dd836b53dffefd99b5e7e
-  languageName: node
-  linkType: hard
-
-"iferr@npm:^0.1.5":
-  version: 0.1.5
-  resolution: "iferr@npm:0.1.5"
-  checksum: a18d19b6ad06a2d5412c0d37f6364869393ef6d1688d59d00082c1f35c92399094c031798340612458cd832f4f2e8b13bc9615934a7d8b0c53061307a3816aa1
-  languageName: node
-  linkType: hard
-
-"ignore@npm:^5.1.1, ignore@npm:^5.1.4":
-  version: 5.1.8
-  resolution: "ignore@npm:5.1.8"
-  checksum: 967abadb61e2cb0e5c5e8c4e1686ab926f91bc1a4680d994b91947d3c65d04c3ae126dcdf67f08e0feeb8ff8407d453e641aeeddcc47a3a3cca359f283cf6121
-  languageName: node
-  linkType: hard
-
-"ignore@npm:^5.2.0":
-  version: 5.2.0
-  resolution: "ignore@npm:5.2.0"
-  checksum: 6b1f926792d614f64c6c83da3a1f9c83f6196c2839aa41e1e32dd7b8d174cef2e329d75caabb62cb61ce9dc432f75e67d07d122a037312db7caa73166a1bdb77
-  languageName: node
-  linkType: hard
-
-"ignore@npm:^5.2.4":
-  version: 5.2.4
-  resolution: "ignore@npm:5.2.4"
-  checksum: 3d4c309c6006e2621659311783eaea7ebcd41fe4ca1d78c91c473157ad6666a57a2df790fe0d07a12300d9aac2888204d7be8d59f9aaf665b1c7fcdb432517ef
-  languageName: node
-  linkType: hard
-
-"immutable@npm:^4.0.0":
-  version: 4.2.4
-  resolution: "immutable@npm:4.2.4"
-  checksum: 3be84eded37b05e65cad57bfba630bc1bf170c498b7472144bc02d2650cc9baef79daf03574a9c2e41d195ebb55a1c12c9b312f41ee324b653927b24ad8bcaa7
-  languageName: node
-  linkType: hard
-
-"import-fresh@npm:^3.0.0, import-fresh@npm:^3.2.1":
-  version: 3.3.0
-  resolution: "import-fresh@npm:3.3.0"
-  dependencies:
-    parent-module: ^1.0.0
-    resolve-from: ^4.0.0
-  checksum: 2cacfad06e652b1edc50be650f7ec3be08c5e5a6f6d12d035c440a42a8cc028e60a5b99ca08a77ab4d6b1346da7d971915828f33cdab730d3d42f08242d09baa
-  languageName: node
-  linkType: hard
-
-"import-lazy@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "import-lazy@npm:4.0.0"
-  checksum: 22f5e51702134aef78890156738454f620e5fe7044b204ebc057c614888a1dd6fdf2ede0fdcca44d5c173fd64f65c985f19a51775b06967ef58cc3d26898df07
-  languageName: node
-  linkType: hard
-
-"imurmurhash@npm:^0.1.4":
-  version: 0.1.4
-  resolution: "imurmurhash@npm:0.1.4"
-  checksum: 7cae75c8cd9a50f57dadd77482359f659eaebac0319dd9368bcd1714f55e65badd6929ca58569da2b6494ef13fdd5598cd700b1eba23f8b79c5f19d195a3ecf7
-  languageName: node
-  linkType: hard
-
-"include-path-searcher@npm:^0.1.0":
-  version: 0.1.0
-  resolution: "include-path-searcher@npm:0.1.0"
-  checksum: c391eea6047851c926bfc4231b104d33a3b6b465c2c55fff2e8af964a1a1c1aa1d20e77fdb2f288df6ffa3b9bbbda2cfb5cbf01cda2394c856a4988ce05b7bb7
-  languageName: node
-  linkType: hard
-
-"indent-string@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "indent-string@npm:4.0.0"
-  checksum: 824cfb9929d031dabf059bebfe08cf3137365e112019086ed3dcff6a0a7b698cb80cf67ccccde0e25b9e2d7527aa6cc1fed1ac490c752162496caba3e6699612
-  languageName: node
-  linkType: hard
-
-"indent-string@npm:^5.0.0":
-  version: 5.0.0
-  resolution: "indent-string@npm:5.0.0"
-  checksum: e466c27b6373440e6d84fbc19e750219ce25865cb82d578e41a6053d727e5520dc5725217d6eb1cc76005a1bb1696a0f106d84ce7ebda3033b963a38583fb3b3
-  languageName: node
-  linkType: hard
-
-"infer-owner@npm:^1.0.3, infer-owner@npm:^1.0.4":
-  version: 1.0.4
-  resolution: "infer-owner@npm:1.0.4"
-  checksum: 181e732764e4a0611576466b4b87dac338972b839920b2a8cde43642e4ed6bd54dc1fb0b40874728f2a2df9a1b097b8ff83b56d5f8f8e3927f837fdcb47d8a89
-  languageName: node
-  linkType: hard
-
-"inflected@npm:^2.0.4":
-  version: 2.1.0
-  resolution: "inflected@npm:2.1.0"
-  checksum: 1e3fb2d24ec6c774977dd5ed884c6097b6525f66edecfdca0845ab4023d35f02af1057de50cd69cdc5829d0bd5ba69fd7fb41d4d8abdf85ee243bf2bbf65995d
-  languageName: node
-  linkType: hard
-
-"inflection@npm:^1.13.2":
-  version: 1.13.2
-  resolution: "inflection@npm:1.13.2"
-  checksum: e7ad0559384ed7c526813404bde843f8f17941d47625ad60fc3b09e46efde873dd9840818007c6bd4dbe388e6248fa033d5a8c405c5fc62738c51b118a0e940f
-  languageName: node
-  linkType: hard
-
-"inflection@npm:^2.0.1, inflection@npm:~2.0.0":
-  version: 2.0.1
-  resolution: "inflection@npm:2.0.1"
-  checksum: bb095b495e10a77afc043cc349ae0f7c8c53e4d1fbcd7781111c18d17bde87ce31ea08bd883774bcbb2ff50c301dd4835b5448c80eb50b5e4e080165b6030f3b
-  languageName: node
-  linkType: hard
-
-"inflight@npm:^1.0.4":
-  version: 1.0.6
-  resolution: "inflight@npm:1.0.6"
-  dependencies:
-    once: ^1.3.0
-    wrappy: 1
-  checksum: f4f76aa072ce19fae87ce1ef7d221e709afb59d445e05d47fba710e85470923a75de35bfae47da6de1b18afc3ce83d70facf44cfb0aff89f0a3f45c0a0244dfd
-  languageName: node
-  linkType: hard
-
-"inherits@npm:2, inherits@npm:2.0.4, inherits@npm:^2.0.1, inherits@npm:^2.0.3, inherits@npm:^2.0.4, inherits@npm:~2.0.1, inherits@npm:~2.0.3":
-  version: 2.0.4
-  resolution: "inherits@npm:2.0.4"
-  checksum: 4a48a733847879d6cf6691860a6b1e3f0f4754176e4d71494c41f3475553768b10f84b5ce1d40fbd0e34e6bfbb864ee35858ad4dd2cf31e02fc4a154b724d7f1
-  languageName: node
-  linkType: hard
-
-"inherits@npm:2.0.1":
-  version: 2.0.1
-  resolution: "inherits@npm:2.0.1"
-  checksum: 6536b9377296d4ce8ee89c5c543cb75030934e61af42dba98a428e7d026938c5985ea4d1e3b87743a5b834f40ed1187f89c2d7479e9d59e41d2d1051aefba07b
-  languageName: node
-  linkType: hard
-
-"inherits@npm:2.0.3":
-  version: 2.0.3
-  resolution: "inherits@npm:2.0.3"
-  checksum: 78cb8d7d850d20a5e9a7f3620db31483aa00ad5f722ce03a55b110e5a723539b3716a3b463e2b96ce3fe286f33afc7c131fa2f91407528ba80cea98a7545d4c0
-  languageName: node
-  linkType: hard
-
-"ini@npm:^1.3.6":
-  version: 1.3.8
-  resolution: "ini@npm:1.3.8"
-  checksum: dfd98b0ca3a4fc1e323e38a6c8eb8936e31a97a918d3b377649ea15bdb15d481207a0dda1021efbd86b464cae29a0d33c1d7dcaf6c5672bee17fa849bc50a1b3
-  languageName: node
-  linkType: hard
-
-"inline-source-map-comment@npm:^1.0.5":
-  version: 1.0.5
-  resolution: "inline-source-map-comment@npm:1.0.5"
-  dependencies:
-    chalk: ^1.0.0
-    get-stdin: ^4.0.1
-    minimist: ^1.1.1
-    sum-up: ^1.0.1
-    xtend: ^4.0.0
-  bin:
-    inline-source-map-comment: cli.js
-  checksum: 0eedf1c77d35cddc89e17d5b738c273471a50521c2103dde056e36460a1bcb747bc2eb5a7de052ded5e26f23154064232d1a29f5116dd273610ed6ab03179ede
-  languageName: node
-  linkType: hard
-
-"inquirer@npm:^6":
-  version: 6.5.2
-  resolution: "inquirer@npm:6.5.2"
-  dependencies:
-    ansi-escapes: ^3.2.0
-    chalk: ^2.4.2
-    cli-cursor: ^2.1.0
-    cli-width: ^2.0.0
-    external-editor: ^3.0.3
-    figures: ^2.0.0
-    lodash: ^4.17.12
-    mute-stream: 0.0.7
-    run-async: ^2.2.0
-    rxjs: ^6.4.0
-    string-width: ^2.1.0
-    strip-ansi: ^5.1.0
-    through: ^2.3.6
-  checksum: 175ad4cd1ebed493b231b240185f1da5afeace5f4e8811dfa83cf55dcae59c3255eaed990aa71871b0fd31aa9dc212f43c44c50ed04fb529364405e72f484d28
-  languageName: node
-  linkType: hard
-
-"inquirer@npm:^7.3.3":
-  version: 7.3.3
-  resolution: "inquirer@npm:7.3.3"
-  dependencies:
-    ansi-escapes: ^4.2.1
-    chalk: ^4.1.0
-    cli-cursor: ^3.1.0
-    cli-width: ^3.0.0
-    external-editor: ^3.0.3
-    figures: ^3.0.0
-    lodash: ^4.17.19
-    mute-stream: 0.0.8
-    run-async: ^2.4.0
-    rxjs: ^6.6.0
-    string-width: ^4.1.0
-    strip-ansi: ^6.0.0
-    through: ^2.3.6
-  checksum: 4d387fc1eb6126acbd58cbdb9ad99d2887d181df86ab0c2b9abdf734e751093e2d5882c2b6dc7144d9ab16b7ab30a78a1d7f01fb6a2850a44aeb175d1e3f8778
-  languageName: node
-  linkType: hard
-
-"inquirer@npm:^8.2.1":
-  version: 8.2.5
-  resolution: "inquirer@npm:8.2.5"
-  dependencies:
-    ansi-escapes: ^4.2.1
-    chalk: ^4.1.1
-    cli-cursor: ^3.1.0
-    cli-width: ^3.0.0
-    external-editor: ^3.0.3
-    figures: ^3.0.0
-    lodash: ^4.17.21
-    mute-stream: 0.0.8
-    ora: ^5.4.1
-    run-async: ^2.4.0
-    rxjs: ^7.5.5
-    string-width: ^4.1.0
-    strip-ansi: ^6.0.0
-    through: ^2.3.6
-    wrap-ansi: ^7.0.0
-  checksum: f13ee4c444187786fb393609dedf6b30870115a57b603f2e6424f29a99abc13446fd45ee22461c33c9c40a92a60a8df62d0d6b25d74fc6676fa4cb211de55b55
-  languageName: node
-  linkType: hard
-
-"internal-slot@npm:^1.0.3":
-  version: 1.0.3
-  resolution: "internal-slot@npm:1.0.3"
-  dependencies:
-    get-intrinsic: ^1.1.0
-    has: ^1.0.3
-    side-channel: ^1.0.4
-  checksum: 1944f92e981e47aebc98a88ff0db579fd90543d937806104d0b96557b10c1f170c51fb777b97740a8b6ddeec585fca8c39ae99fd08a8e058dfc8ab70937238bf
-  languageName: node
-  linkType: hard
-
-"internal-slot@npm:^1.0.4, internal-slot@npm:^1.0.5":
-  version: 1.0.5
-  resolution: "internal-slot@npm:1.0.5"
-  dependencies:
-    get-intrinsic: ^1.2.0
-    has: ^1.0.3
-    side-channel: ^1.0.4
-  checksum: 97e84046bf9e7574d0956bd98d7162313ce7057883b6db6c5c7b5e5f05688864b0978ba07610c726d15d66544ffe4b1050107d93f8a39ebc59b15d8b429b497a
-  languageName: node
-  linkType: hard
-
-"invariant@npm:^2.2.2":
-  version: 2.2.4
-  resolution: "invariant@npm:2.2.4"
-  dependencies:
-    loose-envify: ^1.0.0
-  checksum: cc3182d793aad82a8d1f0af697b462939cb46066ec48bbf1707c150ad5fad6406137e91a262022c269702e01621f35ef60269f6c0d7fd178487959809acdfb14
-  languageName: node
-  linkType: hard
-
-"invert-kv@npm:^3.0.0":
-  version: 3.0.1
-  resolution: "invert-kv@npm:3.0.1"
-  checksum: 782c44c97f8b693006f5ba0995301754bf68d2160ec98fc34d96b266e2c28cc0c91d86c341ca058fe993bc3dd91f104f776a40f04b6c75254a9a1a0d716ac814
-  languageName: node
-  linkType: hard
-
-"ip@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "ip@npm:2.0.0"
-  checksum: cfcfac6b873b701996d71ec82a7dd27ba92450afdb421e356f44044ed688df04567344c36cbacea7d01b1c39a4c732dc012570ebe9bebfb06f27314bca625349
-  languageName: node
-  linkType: hard
-
-"ipaddr.js@npm:1.9.1":
-  version: 1.9.1
-  resolution: "ipaddr.js@npm:1.9.1"
-  checksum: f88d3825981486f5a1942414c8d77dd6674dd71c065adcfa46f578d677edcb99fda25af42675cb59db492fdf427b34a5abfcde3982da11a8fd83a500b41cfe77
-  languageName: node
-  linkType: hard
-
-"is-accessor-descriptor@npm:^0.1.6":
-  version: 0.1.6
-  resolution: "is-accessor-descriptor@npm:0.1.6"
-  dependencies:
-    kind-of: ^3.0.2
-  checksum: 3d629a086a9585bc16a83a8e8a3416f400023301855cafb7ccc9a1d63145b7480f0ad28877dcc2cce09492c4ec1c39ef4c071996f24ee6ac626be4217b8ffc8a
-  languageName: node
-  linkType: hard
-
-"is-accessor-descriptor@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "is-accessor-descriptor@npm:1.0.0"
-  dependencies:
-    kind-of: ^6.0.0
-  checksum: 8e475968e9b22f9849343c25854fa24492dbe8ba0dea1a818978f9f1b887339190b022c9300d08c47fe36f1b913d70ce8cbaca00369c55a56705fdb7caed37fe
-  languageName: node
-  linkType: hard
-
-"is-alphabetical@npm:^1.0.0":
-  version: 1.0.4
-  resolution: "is-alphabetical@npm:1.0.4"
-  checksum: 6508cce44fd348f06705d377b260974f4ce68c74000e7da4045f0d919e568226dc3ce9685c5a2af272195384df6930f748ce9213fc9f399b5d31b362c66312cb
-  languageName: node
-  linkType: hard
-
-"is-alphanumerical@npm:^1.0.0":
-  version: 1.0.4
-  resolution: "is-alphanumerical@npm:1.0.4"
-  dependencies:
-    is-alphabetical: ^1.0.0
-    is-decimal: ^1.0.0
-  checksum: e2e491acc16fcf5b363f7c726f666a9538dba0a043665740feb45bba1652457a73441e7c5179c6768a638ed396db3437e9905f403644ec7c468fb41f4813d03f
-  languageName: node
-  linkType: hard
-
-"is-arguments@npm:^1.1.1":
-  version: 1.1.1
-  resolution: "is-arguments@npm:1.1.1"
-  dependencies:
-    call-bind: ^1.0.2
-    has-tostringtag: ^1.0.0
-  checksum: 7f02700ec2171b691ef3e4d0e3e6c0ba408e8434368504bb593d0d7c891c0dbfda6d19d30808b904a6cb1929bca648c061ba438c39f296c2a8ca083229c49f27
-  languageName: node
-  linkType: hard
-
-"is-array-buffer@npm:^3.0.1, is-array-buffer@npm:^3.0.2":
-  version: 3.0.2
-  resolution: "is-array-buffer@npm:3.0.2"
-  dependencies:
-    call-bind: ^1.0.2
-    get-intrinsic: ^1.2.0
-    is-typed-array: ^1.1.10
-  checksum: dcac9dda66ff17df9cabdc58214172bf41082f956eab30bb0d86bc0fab1e44b690fc8e1f855cf2481245caf4e8a5a006a982a71ddccec84032ed41f9d8da8c14
-  languageName: node
-  linkType: hard
-
-"is-arrayish@npm:^0.2.1":
-  version: 0.2.1
-  resolution: "is-arrayish@npm:0.2.1"
-  checksum: eef4417e3c10e60e2c810b6084942b3ead455af16c4509959a27e490e7aee87cfb3f38e01bbde92220b528a0ee1a18d52b787e1458ee86174d8c7f0e58cd488f
-  languageName: node
-  linkType: hard
-
-"is-bigint@npm:^1.0.1":
-  version: 1.0.4
-  resolution: "is-bigint@npm:1.0.4"
-  dependencies:
-    has-bigints: ^1.0.1
-  checksum: c56edfe09b1154f8668e53ebe8252b6f185ee852a50f9b41e8d921cb2bed425652049fbe438723f6cb48a63ca1aa051e948e7e401e093477c99c84eba244f666
-  languageName: node
-  linkType: hard
-
-"is-binary-path@npm:^1.0.0":
-  version: 1.0.1
-  resolution: "is-binary-path@npm:1.0.1"
-  dependencies:
-    binary-extensions: ^1.0.0
-  checksum: a803c99e9d898170c3b44a86fbdc0736d3d7fcbe737345433fb78e810b9fe30c982657782ad0e676644ba4693ddf05601a7423b5611423218663d6b533341ac9
-  languageName: node
-  linkType: hard
-
-"is-binary-path@npm:~2.1.0":
-  version: 2.1.0
-  resolution: "is-binary-path@npm:2.1.0"
-  dependencies:
-    binary-extensions: ^2.0.0
-  checksum: 84192eb88cff70d320426f35ecd63c3d6d495da9d805b19bc65b518984b7c0760280e57dbf119b7e9be6b161784a5a673ab2c6abe83abb5198a432232ad5b35c
-  languageName: node
-  linkType: hard
-
-"is-boolean-object@npm:^1.1.0":
-  version: 1.1.2
-  resolution: "is-boolean-object@npm:1.1.2"
-  dependencies:
-    call-bind: ^1.0.2
-    has-tostringtag: ^1.0.0
-  checksum: c03b23dbaacadc18940defb12c1c0e3aaece7553ef58b162a0f6bba0c2a7e1551b59f365b91e00d2dbac0522392d576ef322628cb1d036a0fe51eb466db67222
-  languageName: node
-  linkType: hard
-
-"is-buffer@npm:^2.0.0":
-  version: 2.0.5
-  resolution: "is-buffer@npm:2.0.5"
-  checksum: 764c9ad8b523a9f5a32af29bdf772b08eb48c04d2ad0a7240916ac2688c983bf5f8504bf25b35e66240edeb9d9085461f9b5dae1f3d2861c6b06a65fe983de42
-  languageName: node
-  linkType: hard
-
-"is-callable@npm:^1.1.3, is-callable@npm:^1.2.7":
-  version: 1.2.7
-  resolution: "is-callable@npm:1.2.7"
-  checksum: 61fd57d03b0d984e2ed3720fb1c7a897827ea174bd44402878e059542ea8c4aeedee0ea0985998aa5cc2736b2fa6e271c08587addb5b3959ac52cf665173d1ac
-  languageName: node
-  linkType: hard
-
-"is-callable@npm:^1.1.4, is-callable@npm:^1.2.3, is-callable@npm:^1.2.4":
-  version: 1.2.4
-  resolution: "is-callable@npm:1.2.4"
-  checksum: 1a28d57dc435797dae04b173b65d6d1e77d4f16276e9eff973f994eadcfdc30a017e6a597f092752a083c1103cceb56c91e3dadc6692fedb9898dfaba701575f
-  languageName: node
-  linkType: hard
-
-"is-core-module@npm:^2.11.0, is-core-module@npm:^2.12.0, is-core-module@npm:^2.5.0":
-  version: 2.12.1
-  resolution: "is-core-module@npm:2.12.1"
-  dependencies:
-    has: ^1.0.3
-  checksum: f04ea30533b5e62764e7b2e049d3157dc0abd95ef44275b32489ea2081176ac9746ffb1cdb107445cf1ff0e0dfcad522726ca27c27ece64dadf3795428b8e468
-  languageName: node
-  linkType: hard
-
-"is-core-module@npm:^2.2.0":
-  version: 2.8.0
-  resolution: "is-core-module@npm:2.8.0"
-  dependencies:
-    has: ^1.0.3
-  checksum: f8b52714891e1a6c6577fcb8d5e057bab064a7a30954aab6beb5092e311473eb8da57afd334de4981dc32409ffca998412efc3a2edceb9e397cef6098d21dd91
-  languageName: node
-  linkType: hard
-
-"is-core-module@npm:^2.8.1":
-  version: 2.8.1
-  resolution: "is-core-module@npm:2.8.1"
-  dependencies:
-    has: ^1.0.3
-  checksum: 418b7bc10768a73c41c7ef497e293719604007f88934a6ffc5f7c78702791b8528102fb4c9e56d006d69361549b3d9519440214a74aefc7e0b79e5e4411d377f
-  languageName: node
-  linkType: hard
-
-"is-data-descriptor@npm:^0.1.4":
-  version: 0.1.4
-  resolution: "is-data-descriptor@npm:0.1.4"
-  dependencies:
-    kind-of: ^3.0.2
-  checksum: 5c622e078ba933a78338ae398a3d1fc5c23332b395312daf4f74bab4afb10d061cea74821add726cb4db8b946ba36217ee71a24fe71dd5bca4632edb7f6aad87
-  languageName: node
-  linkType: hard
-
-"is-data-descriptor@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "is-data-descriptor@npm:1.0.0"
-  dependencies:
-    kind-of: ^6.0.0
-  checksum: e705e6816241c013b05a65dc452244ee378d1c3e3842bd140beabe6e12c0d700ef23c91803f971aa7b091fb0573c5da8963af34a2b573337d87bc3e1f53a4e6d
-  languageName: node
-  linkType: hard
-
-"is-date-object@npm:^1.0.1, is-date-object@npm:^1.0.5":
-  version: 1.0.5
-  resolution: "is-date-object@npm:1.0.5"
-  dependencies:
-    has-tostringtag: ^1.0.0
-  checksum: baa9077cdf15eb7b58c79398604ca57379b2fc4cf9aa7a9b9e295278648f628c9b201400c01c5e0f7afae56507d741185730307cbe7cad3b9f90a77e5ee342fc
-  languageName: node
-  linkType: hard
-
-"is-decimal@npm:^1.0.0":
-  version: 1.0.4
-  resolution: "is-decimal@npm:1.0.4"
-  checksum: ed483a387517856dc395c68403a10201fddcc1b63dc56513fbe2fe86ab38766120090ecdbfed89223d84ca8b1cd28b0641b93cb6597b6e8f4c097a7c24e3fb96
-  languageName: node
-  linkType: hard
-
-"is-descriptor@npm:^0.1.0":
-  version: 0.1.6
-  resolution: "is-descriptor@npm:0.1.6"
-  dependencies:
-    is-accessor-descriptor: ^0.1.6
-    is-data-descriptor: ^0.1.4
-    kind-of: ^5.0.0
-  checksum: 0f780c1b46b465f71d970fd7754096ffdb7b69fd8797ca1f5069c163eaedcd6a20ec4a50af669075c9ebcfb5266d2e53c8b227e485eefdb0d1fee09aa1dd8ab6
-  languageName: node
-  linkType: hard
-
-"is-descriptor@npm:^1.0.0, is-descriptor@npm:^1.0.2":
-  version: 1.0.2
-  resolution: "is-descriptor@npm:1.0.2"
-  dependencies:
-    is-accessor-descriptor: ^1.0.0
-    is-data-descriptor: ^1.0.0
-    kind-of: ^6.0.2
-  checksum: 2ed623560bee035fb67b23e32ce885700bef8abe3fbf8c909907d86507b91a2c89a9d3a4d835a4d7334dd5db0237a0aeae9ca109c1e4ef1c0e7b577c0846ab5a
-  languageName: node
-  linkType: hard
-
-"is-docker@npm:^2.0.0":
-  version: 2.2.1
-  resolution: "is-docker@npm:2.2.1"
-  bin:
-    is-docker: cli.js
-  checksum: 3fef7ddbf0be25958e8991ad941901bf5922ab2753c46980b60b05c1bf9c9c2402d35e6dc32e4380b980ef5e1970a5d9d5e5aa2e02d77727c3b6b5e918474c56
-  languageName: node
-  linkType: hard
-
-"is-extendable@npm:^0.1.0, is-extendable@npm:^0.1.1":
-  version: 0.1.1
-  resolution: "is-extendable@npm:0.1.1"
-  checksum: 3875571d20a7563772ecc7a5f36cb03167e9be31ad259041b4a8f73f33f885441f778cee1f1fe0085eb4bc71679b9d8c923690003a36a6a5fdf8023e6e3f0672
-  languageName: node
-  linkType: hard
-
-"is-extendable@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "is-extendable@npm:1.0.1"
-  dependencies:
-    is-plain-object: ^2.0.4
-  checksum: db07bc1e9de6170de70eff7001943691f05b9d1547730b11be01c0ebfe67362912ba743cf4be6fd20a5e03b4180c685dad80b7c509fe717037e3eee30ad8e84f
-  languageName: node
-  linkType: hard
-
-"is-extglob@npm:^2.1.0, is-extglob@npm:^2.1.1":
-  version: 2.1.1
-  resolution: "is-extglob@npm:2.1.1"
-  checksum: df033653d06d0eb567461e58a7a8c9f940bd8c22274b94bf7671ab36df5719791aae15eef6d83bbb5e23283967f2f984b8914559d4449efda578c775c4be6f85
-  languageName: node
-  linkType: hard
-
-"is-finite@npm:^1.0.0":
-  version: 1.1.0
-  resolution: "is-finite@npm:1.1.0"
-  checksum: 532b97ed3d03e04c6bd203984d9e4ba3c0c390efee492bad5d1d1cd1802a68ab27adbd3ef6382f6312bed6c8bb1bd3e325ea79a8dc8fe080ed7a06f5f97b93e7
-  languageName: node
-  linkType: hard
-
-"is-fullwidth-code-point@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "is-fullwidth-code-point@npm:2.0.0"
-  checksum: eef9c6e15f68085fec19ff6a978a6f1b8f48018fd1265035552078ee945573594933b09bbd6f562553e2a241561439f1ef5339276eba68d272001343084cfab8
-  languageName: node
-  linkType: hard
-
-"is-fullwidth-code-point@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "is-fullwidth-code-point@npm:3.0.0"
-  checksum: 44a30c29457c7fb8f00297bce733f0a64cd22eca270f83e58c105e0d015e45c019491a4ab2faef91ab51d4738c670daff901c799f6a700e27f7314029e99e348
-  languageName: node
-  linkType: hard
-
-"is-git-url@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "is-git-url@npm:1.0.0"
-  checksum: 77d8a147ca57cca1544e3a363400bece8e1d765d3da245e38262654281aeb4c97a3c798868cf8931a2ed51bb413611f98c113d3ce5d4f8eb9e98139e2fb435c1
-  languageName: node
-  linkType: hard
-
-"is-glob@npm:^3.1.0":
-  version: 3.1.0
-  resolution: "is-glob@npm:3.1.0"
-  dependencies:
-    is-extglob: ^2.1.0
-  checksum: 9d483bca84f16f01230f7c7c8c63735248fe1064346f292e0f6f8c76475fd20c6f50fc19941af5bec35f85d6bf26f4b7768f39a48a5f5fdc72b408dc74e07afc
-  languageName: node
-  linkType: hard
-
-"is-glob@npm:^4.0.0, is-glob@npm:^4.0.1, is-glob@npm:~4.0.1":
-  version: 4.0.1
-  resolution: "is-glob@npm:4.0.1"
-  dependencies:
-    is-extglob: ^2.1.1
-  checksum: 84627cad11b4e745f5db5a163f32c47b711585a5ff6e14f8f8d026db87f4cdd3e2c95f6fa1f94ad22e469f36d819ae2814f03f9c668b164422ac3354a94672d3
-  languageName: node
-  linkType: hard
-
-"is-glob@npm:^4.0.3":
-  version: 4.0.3
-  resolution: "is-glob@npm:4.0.3"
-  dependencies:
-    is-extglob: ^2.1.1
-  checksum: d381c1319fcb69d341cc6e6c7cd588e17cd94722d9a32dbd60660b993c4fb7d0f19438674e68dfec686d09b7c73139c9166b47597f846af387450224a8101ab4
-  languageName: node
-  linkType: hard
-
-"is-hexadecimal@npm:^1.0.0":
-  version: 1.0.4
-  resolution: "is-hexadecimal@npm:1.0.4"
-  checksum: a452e047587b6069332d83130f54d30da4faf2f2ebaa2ce6d073c27b5703d030d58ed9e0b729c8e4e5b52c6f1dab26781bb77b7bc6c7805f14f320e328ff8cd5
-  languageName: node
-  linkType: hard
-
-"is-interactive@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "is-interactive@npm:1.0.0"
-  checksum: 824808776e2d468b2916cdd6c16acacebce060d844c35ca6d82267da692e92c3a16fdba624c50b54a63f38bdc4016055b6f443ce57d7147240de4f8cdabaf6f9
-  languageName: node
-  linkType: hard
-
-"is-lambda@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "is-lambda@npm:1.0.1"
-  checksum: 93a32f01940220532e5948538699ad610d5924ac86093fcee83022252b363eb0cc99ba53ab084a04e4fb62bf7b5731f55496257a4c38adf87af9c4d352c71c35
-  languageName: node
-  linkType: hard
-
-"is-language-code@npm:^3.1.0":
-  version: 3.1.0
-  resolution: "is-language-code@npm:3.1.0"
-  dependencies:
-    "@babel/runtime": ^7.14.0
-  checksum: 97d2cd7ce00c32721bd1c6b4dccbe775c145612f70f57f384400ee18c49697ab810893a64daf73a9baf07f5f373f241c90fad0e7c8e99c104add114ae5604ee5
-  languageName: node
-  linkType: hard
-
-"is-map@npm:^2.0.1, is-map@npm:^2.0.2":
-  version: 2.0.2
-  resolution: "is-map@npm:2.0.2"
-  checksum: ace3d0ecd667bbdefdb1852de601268f67f2db725624b1958f279316e13fecb8fa7df91fd60f690d7417b4ec180712f5a7ee967008e27c65cfd475cc84337728
-  languageName: node
-  linkType: hard
-
-"is-negative-zero@npm:^2.0.1":
-  version: 2.0.1
-  resolution: "is-negative-zero@npm:2.0.1"
-  checksum: a46f2e0cb5e16fdb8f2011ed488979386d7e68d381966682e3f4c98fc126efe47f26827912baca2d06a02a644aee458b9cba307fb389f6b161e759125db7a3b8
-  languageName: node
-  linkType: hard
-
-"is-negative-zero@npm:^2.0.2":
-  version: 2.0.2
-  resolution: "is-negative-zero@npm:2.0.2"
-  checksum: f3232194c47a549da60c3d509c9a09be442507616b69454716692e37ae9f37c4dea264fb208ad0c9f3efd15a796a46b79df07c7e53c6227c32170608b809149a
-  languageName: node
-  linkType: hard
-
-"is-number-object@npm:^1.0.4":
-  version: 1.0.6
-  resolution: "is-number-object@npm:1.0.6"
-  dependencies:
-    has-tostringtag: ^1.0.0
-  checksum: c697704e8fc2027fc41cb81d29805de4e8b6dc9c3efee93741dbf126a8ecc8443fef85adbc581415ae7e55d325e51d0a942324ae35c829131748cce39cba55f3
-  languageName: node
-  linkType: hard
-
-"is-number@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "is-number@npm:3.0.0"
-  dependencies:
-    kind-of: ^3.0.2
-  checksum: 0c62bf8e9d72c4dd203a74d8cfc751c746e75513380fef420cda8237e619a988ee43e678ddb23c87ac24d91ac0fe9f22e4ffb1301a50310c697e9d73ca3994e9
-  languageName: node
-  linkType: hard
-
-"is-number@npm:^7.0.0":
-  version: 7.0.0
-  resolution: "is-number@npm:7.0.0"
-  checksum: 456ac6f8e0f3111ed34668a624e45315201dff921e5ac181f8ec24923b99e9f32ca1a194912dc79d539c97d33dba17dc635202ff0b2cf98326f608323276d27a
-  languageName: node
-  linkType: hard
-
-"is-obj@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "is-obj@npm:1.0.1"
-  checksum: 3ccf0efdea12951e0b9c784e2b00e77e87b2f8bd30b42a498548a8afcc11b3287342a2030c308e473e93a7a19c9ea7854c99a8832a476591c727df2a9c79796c
-  languageName: node
-  linkType: hard
-
-"is-obj@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "is-obj@npm:2.0.0"
-  checksum: c9916ac8f4621962a42f5e80e7ffdb1d79a3fab7456ceaeea394cd9e0858d04f985a9ace45be44433bf605673c8be8810540fe4cc7f4266fc7526ced95af5a08
-  languageName: node
-  linkType: hard
-
-"is-path-inside@npm:^3.0.3":
-  version: 3.0.3
-  resolution: "is-path-inside@npm:3.0.3"
-  checksum: abd50f06186a052b349c15e55b182326f1936c89a78bf6c8f2b707412517c097ce04bc49a0ca221787bc44e1049f51f09a2ffb63d22899051988d3a618ba13e9
-  languageName: node
-  linkType: hard
-
-"is-plain-obj@npm:2.1.0, is-plain-obj@npm:^2.0.0":
-  version: 2.1.0
-  resolution: "is-plain-obj@npm:2.1.0"
-  checksum: cec9100678b0a9fe0248a81743041ed990c2d4c99f893d935545cfbc42876cbe86d207f3b895700c690ad2fa520e568c44afc1605044b535a7820c1d40e38daa
-  languageName: node
-  linkType: hard
-
-"is-plain-obj@npm:^1.1.0":
-  version: 1.1.0
-  resolution: "is-plain-obj@npm:1.1.0"
-  checksum: 0ee04807797aad50859652a7467481816cbb57e5cc97d813a7dcd8915da8195dc68c436010bf39d195226cde6a2d352f4b815f16f26b7bf486a5754290629931
-  languageName: node
-  linkType: hard
-
-"is-plain-object@npm:^2.0.3, is-plain-object@npm:^2.0.4":
-  version: 2.0.4
-  resolution: "is-plain-object@npm:2.0.4"
-  dependencies:
-    isobject: ^3.0.1
-  checksum: 2a401140cfd86cabe25214956ae2cfee6fbd8186809555cd0e84574f88de7b17abacb2e477a6a658fa54c6083ecbda1e6ae404c7720244cd198903848fca70ca
-  languageName: node
-  linkType: hard
-
-"is-plain-object@npm:^5.0.0":
-  version: 5.0.0
-  resolution: "is-plain-object@npm:5.0.0"
-  checksum: e32d27061eef62c0847d303125440a38660517e586f2f3db7c9d179ae5b6674ab0f469d519b2e25c147a1a3bc87156d0d5f4d8821e0ce4a9ee7fe1fcf11ce45c
-  languageName: node
-  linkType: hard
-
-"is-potential-custom-element-name@npm:^1.0.0":
-  version: 1.0.1
-  resolution: "is-potential-custom-element-name@npm:1.0.1"
-  checksum: ced7bbbb6433a5b684af581872afe0e1767e2d1146b2207ca0068a648fb5cab9d898495d1ac0583524faaf24ca98176a7d9876363097c2d14fee6dd324f3a1ab
-  languageName: node
-  linkType: hard
-
-"is-reference@npm:^1.1.0":
-  version: 1.2.1
-  resolution: "is-reference@npm:1.2.1"
-  dependencies:
-    "@types/estree": "*"
-  checksum: e7b48149f8abda2c10849ea51965904d6a714193d68942ad74e30522231045acf06cbfae5a4be2702fede5d232e61bf50b3183acdc056e6e3afe07fcf4f4b2bc
-  languageName: node
-  linkType: hard
-
-"is-regex@npm:^1.1.2, is-regex@npm:^1.1.4":
-  version: 1.1.4
-  resolution: "is-regex@npm:1.1.4"
-  dependencies:
-    call-bind: ^1.0.2
-    has-tostringtag: ^1.0.0
-  checksum: 362399b33535bc8f386d96c45c9feb04cf7f8b41c182f54174c1a45c9abbbe5e31290bbad09a458583ff6bf3b2048672cdb1881b13289569a7c548370856a652
-  languageName: node
-  linkType: hard
-
-"is-regexp@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "is-regexp@npm:1.0.0"
-  checksum: be692828e24cba479ec33644326fa98959ec68ba77965e0291088c1a741feaea4919d79f8031708f85fd25e39de002b4520622b55460660b9c369e6f7187faef
-  languageName: node
-  linkType: hard
-
-"is-set@npm:^2.0.1, is-set@npm:^2.0.2":
-  version: 2.0.2
-  resolution: "is-set@npm:2.0.2"
-  checksum: b64343faf45e9387b97a6fd32be632ee7b269bd8183701f3b3f5b71a7cf00d04450ed8669d0bd08753e08b968beda96fca73a10fd0ff56a32603f64deba55a57
-  languageName: node
-  linkType: hard
-
-"is-shared-array-buffer@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "is-shared-array-buffer@npm:1.0.1"
-  checksum: 2ffb92533e64e2876e6cfe6906871d28400b6f1a53130fe652ec8007bc0e5044d05e7af8e31bdc992fbba520bd92938cfbeedd0f286be92f250c7c76191c4d90
-  languageName: node
-  linkType: hard
-
-"is-shared-array-buffer@npm:^1.0.2":
-  version: 1.0.2
-  resolution: "is-shared-array-buffer@npm:1.0.2"
-  dependencies:
-    call-bind: ^1.0.2
-  checksum: 9508929cf14fdc1afc9d61d723c6e8d34f5e117f0bffda4d97e7a5d88c3a8681f633a74f8e3ad1fe92d5113f9b921dc5ca44356492079612f9a247efbce7032a
-  languageName: node
-  linkType: hard
-
-"is-stream@npm:^1.1.0":
-  version: 1.1.0
-  resolution: "is-stream@npm:1.1.0"
-  checksum: 063c6bec9d5647aa6d42108d4c59723d2bd4ae42135a2d4db6eadbd49b7ea05b750fd69d279e5c7c45cf9da753ad2c00d8978be354d65aa9f6bb434969c6a2ae
-  languageName: node
-  linkType: hard
-
-"is-stream@npm:^2.0.0":
-  version: 2.0.1
-  resolution: "is-stream@npm:2.0.1"
-  checksum: b8e05ccdf96ac330ea83c12450304d4a591f9958c11fd17bed240af8d5ffe08aedafa4c0f4cfccd4d28dc9d4d129daca1023633d5c11601a6cbc77521f6fae66
-  languageName: node
-  linkType: hard
-
-"is-string@npm:^1.0.5, is-string@npm:^1.0.7":
-  version: 1.0.7
-  resolution: "is-string@npm:1.0.7"
-  dependencies:
-    has-tostringtag: ^1.0.0
-  checksum: 323b3d04622f78d45077cf89aab783b2f49d24dc641aa89b5ad1a72114cfeff2585efc8c12ef42466dff32bde93d839ad321b26884cf75e5a7892a938b089989
-  languageName: node
-  linkType: hard
-
-"is-symbol@npm:^1.0.2, is-symbol@npm:^1.0.3":
-  version: 1.0.4
-  resolution: "is-symbol@npm:1.0.4"
-  dependencies:
-    has-symbols: ^1.0.2
-  checksum: 92805812ef590738d9de49d677cd17dfd486794773fb6fa0032d16452af46e9b91bb43ffe82c983570f015b37136f4b53b28b8523bfb10b0ece7a66c31a54510
-  languageName: node
-  linkType: hard
-
-"is-type@npm:0.0.1":
-  version: 0.0.1
-  resolution: "is-type@npm:0.0.1"
-  dependencies:
-    core-util-is: ~1.0.0
-  checksum: c0ea697d42775270b0eefbe31f01f40e4ab1c86c31580d846b7f3b5a46f744b89248c7bcbb9e2e51325592bdf5d24e0dd265e1cdabd052241a5f3f0c72fd58e1
-  languageName: node
-  linkType: hard
-
-"is-typed-array@npm:^1.1.10, is-typed-array@npm:^1.1.9":
-  version: 1.1.10
-  resolution: "is-typed-array@npm:1.1.10"
-  dependencies:
-    available-typed-arrays: ^1.0.5
-    call-bind: ^1.0.2
-    for-each: ^0.3.3
-    gopd: ^1.0.1
-    has-tostringtag: ^1.0.0
-  checksum: aac6ecb59d4c56a1cdeb69b1f129154ef462bbffe434cb8a8235ca89b42f258b7ae94073c41b3cb7bce37f6a1733ad4499f07882d5d5093a7ba84dfc4ebb8017
-  languageName: node
-  linkType: hard
-
-"is-typedarray@npm:^1.0.0, is-typedarray@npm:~1.0.0":
-  version: 1.0.0
-  resolution: "is-typedarray@npm:1.0.0"
-  checksum: 3508c6cd0a9ee2e0df2fa2e9baabcdc89e911c7bd5cf64604586697212feec525aa21050e48affb5ffc3df20f0f5d2e2cf79b08caa64e1ccc9578e251763aef7
-  languageName: node
-  linkType: hard
-
-"is-unicode-supported@npm:^0.1.0":
-  version: 0.1.0
-  resolution: "is-unicode-supported@npm:0.1.0"
-  checksum: a2aab86ee7712f5c2f999180daaba5f361bdad1efadc9610ff5b8ab5495b86e4f627839d085c6530363c6d6d4ecbde340fb8e54bdb83da4ba8e0865ed5513c52
-  languageName: node
-  linkType: hard
-
-"is-weakmap@npm:^2.0.1":
-  version: 2.0.1
-  resolution: "is-weakmap@npm:2.0.1"
-  checksum: 1222bb7e90c32bdb949226e66d26cb7bce12e1e28e3e1b40bfa6b390ba3e08192a8664a703dff2a00a84825f4e022f9cd58c4599ff9981ab72b1d69479f4f7f6
-  languageName: node
-  linkType: hard
-
-"is-weakref@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "is-weakref@npm:1.0.1"
-  dependencies:
-    call-bind: ^1.0.0
-  checksum: fdafb7b955671dd2f9658ff47c86e4025c0650fc68a3542a40e5a75898a763b1abd6b1e1f9f13207eed49541cdd76af67d73c44989ea358b201b70274cf8f6c1
-  languageName: node
-  linkType: hard
-
-"is-weakref@npm:^1.0.2":
-  version: 1.0.2
-  resolution: "is-weakref@npm:1.0.2"
-  dependencies:
-    call-bind: ^1.0.2
-  checksum: 95bd9a57cdcb58c63b1c401c60a474b0f45b94719c30f548c891860f051bc2231575c290a6b420c6bc6e7ed99459d424c652bd5bf9a1d5259505dc35b4bf83de
-  languageName: node
-  linkType: hard
-
-"is-weakset@npm:^2.0.1":
-  version: 2.0.2
-  resolution: "is-weakset@npm:2.0.2"
-  dependencies:
-    call-bind: ^1.0.2
-    get-intrinsic: ^1.1.1
-  checksum: 5d8698d1fa599a0635d7ca85be9c26d547b317ed8fd83fc75f03efbe75d50001b5eececb1e9971de85fcde84f69ae6f8346bc92d20d55d46201d328e4c74a367
-  languageName: node
-  linkType: hard
-
-"is-windows@npm:^1.0.1, is-windows@npm:^1.0.2":
-  version: 1.0.2
-  resolution: "is-windows@npm:1.0.2"
-  checksum: 438b7e52656fe3b9b293b180defb4e448088e7023a523ec21a91a80b9ff8cdb3377ddb5b6e60f7c7de4fa8b63ab56e121b6705fe081b3cf1b828b0a380009ad7
-  languageName: node
-  linkType: hard
-
-"is-wsl@npm:^1.1.0":
-  version: 1.1.0
-  resolution: "is-wsl@npm:1.1.0"
-  checksum: ea157d232351e68c92bd62fc541771096942fe72f69dff452dd26dcc31466258c570a3b04b8cda2e01cd2968255b02951b8670d08ea4ed76d6b1a646061ac4fe
-  languageName: node
-  linkType: hard
-
-"is-wsl@npm:^2.2.0":
-  version: 2.2.0
-  resolution: "is-wsl@npm:2.2.0"
-  dependencies:
-    is-docker: ^2.0.0
-  checksum: 20849846ae414997d290b75e16868e5261e86ff5047f104027026fd61d8b5a9b0b3ade16239f35e1a067b3c7cc02f70183cb661010ed16f4b6c7c93dad1b19d8
-  languageName: node
-  linkType: hard
-
-"isarray@npm:0.0.1":
-  version: 0.0.1
-  resolution: "isarray@npm:0.0.1"
-  checksum: 49191f1425681df4a18c2f0f93db3adb85573bcdd6a4482539d98eac9e705d8961317b01175627e860516a2fc45f8f9302db26e5a380a97a520e272e2a40a8d4
-  languageName: node
-  linkType: hard
-
-"isarray@npm:1.0.0, isarray@npm:^1.0.0, isarray@npm:~1.0.0":
-  version: 1.0.0
-  resolution: "isarray@npm:1.0.0"
-  checksum: f032df8e02dce8ec565cf2eb605ea939bdccea528dbcf565cdf92bfa2da9110461159d86a537388ef1acef8815a330642d7885b29010e8f7eac967c9993b65ab
-  languageName: node
-  linkType: hard
-
-"isarray@npm:^2.0.5":
-  version: 2.0.5
-  resolution: "isarray@npm:2.0.5"
-  checksum: bd5bbe4104438c4196ba58a54650116007fa0262eccef13a4c55b2e09a5b36b59f1e75b9fcc49883dd9d4953892e6fc007eef9e9155648ceea036e184b0f930a
-  languageName: node
-  linkType: hard
-
-"isbinaryfile@npm:^5.0.0":
-  version: 5.0.0
-  resolution: "isbinaryfile@npm:5.0.0"
-  checksum: 25cc27388d51b8322c103f5894f9e72ec04e017734e57c4b70be2666501ec7e7f6cbb4a5fcfd15260a7cac979bd1ddb7f5231f5a3098c0695c4e7c049513dfaf
-  languageName: node
-  linkType: hard
-
-"isexe@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "isexe@npm:2.0.0"
-  checksum: 26bf6c5480dda5161c820c5b5c751ae1e766c587b1f951ea3fcfc973bafb7831ae5b54a31a69bd670220e42e99ec154475025a468eae58ea262f813fdc8d1c62
-  languageName: node
-  linkType: hard
-
-"isobject@npm:^2.0.0":
-  version: 2.1.0
-  resolution: "isobject@npm:2.1.0"
-  dependencies:
-    isarray: 1.0.0
-  checksum: 811c6f5a866877d31f0606a88af4a45f282544de886bf29f6a34c46616a1ae2ed17076cc6bf34c0128f33eecf7e1fcaa2c82cf3770560d3e26810894e96ae79f
-  languageName: node
-  linkType: hard
-
-"isobject@npm:^3.0.0, isobject@npm:^3.0.1":
-  version: 3.0.1
-  resolution: "isobject@npm:3.0.1"
-  checksum: db85c4c970ce30693676487cca0e61da2ca34e8d4967c2e1309143ff910c207133a969f9e4ddb2dc6aba670aabce4e0e307146c310350b298e74a31f7d464703
-  languageName: node
-  linkType: hard
-
-"isstream@npm:~0.1.2":
-  version: 0.1.2
-  resolution: "isstream@npm:0.1.2"
-  checksum: 1eb2fe63a729f7bdd8a559ab552c69055f4f48eb5c2f03724430587c6f450783c8f1cd936c1c952d0a927925180fcc892ebd5b174236cf1065d4bd5bdb37e963
-  languageName: node
-  linkType: hard
-
-"istextorbinary@npm:2.1.0":
-  version: 2.1.0
-  resolution: "istextorbinary@npm:2.1.0"
-  dependencies:
-    binaryextensions: 1 || 2
-    editions: ^1.1.1
-    textextensions: 1 || 2
-  checksum: f07e2c8648663ffa609ee89fa6a50157bcd4d99b8fee3c99c5d5114c068d733e3b5ba16f0c9b704cbf7fd8a1cab0836b1451b40de56c790a283fbabf34d52167
-  languageName: node
-  linkType: hard
-
-"istextorbinary@npm:^2.5.1":
-  version: 2.6.0
-  resolution: "istextorbinary@npm:2.6.0"
-  dependencies:
-    binaryextensions: ^2.1.2
-    editions: ^2.2.0
-    textextensions: ^2.5.0
-  checksum: 964915aa9533df46a7142d36263e9e1a0940d63b58e2ee1ca1ecc9088239a2499b8153d9746225cfe71b9a7a0ab40565bf23c0a8cfed3a4bce7465303b9fb237
-  languageName: node
-  linkType: hard
-
-"jest-worker@npm:^27.4.5":
-  version: 27.5.1
-  resolution: "jest-worker@npm:27.5.1"
-  dependencies:
-    "@types/node": "*"
-    merge-stream: ^2.0.0
-    supports-color: ^8.0.0
-  checksum: 98cd68b696781caed61c983a3ee30bf880b5bd021c01d98f47b143d4362b85d0737f8523761e2713d45e18b4f9a2b98af1eaee77afade4111bb65c77d6f7c980
-  languageName: node
-  linkType: hard
-
-"jquery@npm:^3.4.1":
-  version: 3.7.0
-  resolution: "jquery@npm:3.7.0"
-  checksum: 907785e133afc427650a131af5fccef66a404885037513b3d4d7d63aee6409bcc32a39836868c60e59b05aa0fb8ace8961c18b2ee3ffdf6ffdb571d6d7cd88ff
-  languageName: node
-  linkType: hard
-
-"js-sdsl@npm:^4.1.4":
-  version: 4.1.5
-  resolution: "js-sdsl@npm:4.1.5"
-  checksum: 695f657ddc5be462b97cac4e8e60f37de28d628ee0e23016baecff0bb584a18dddb5caeac537a775030f180b5afd62133ac4481e7024c8d03a62d73e4da0713e
-  languageName: node
-  linkType: hard
-
-"js-string-escape@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "js-string-escape@npm:1.0.1"
-  checksum: f11e0991bf57e0c183b55c547acec85bd2445f043efc9ea5aa68b41bd2a3e7d3ce94636cb233ae0d84064ba4c1a505d32e969813c5b13f81e7d4be12c59256fe
-  languageName: node
-  linkType: hard
-
-"js-tokens@npm:^3.0.0 || ^4.0.0, js-tokens@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "js-tokens@npm:4.0.0"
-  checksum: 8a95213a5a77deb6cbe94d86340e8d9ace2b93bc367790b260101d2f36a2eaf4e4e22d9fa9cf459b38af3a32fb4190e638024cf82ec95ef708680e405ea7cc78
-  languageName: node
-  linkType: hard
-
-"js-tokens@npm:^3.0.2":
-  version: 3.0.2
-  resolution: "js-tokens@npm:3.0.2"
-  checksum: ff24cf90e6e4ac446eba56e604781c1aaf3bdaf9b13a00596a0ebd972fa3b25dc83c0f0f67289c33252abb4111e0d14e952a5d9ffb61f5c22532d555ebd8d8a9
-  languageName: node
-  linkType: hard
-
-"js-yaml@npm:^3.13.1, js-yaml@npm:^3.2.5, js-yaml@npm:^3.2.7":
-  version: 3.14.1
-  resolution: "js-yaml@npm:3.14.1"
-  dependencies:
-    argparse: ^1.0.7
-    esprima: ^4.0.0
-  bin:
-    js-yaml: bin/js-yaml.js
-  checksum: bef146085f472d44dee30ec34e5cf36bf89164f5d585435a3d3da89e52622dff0b188a580e4ad091c3341889e14cb88cac6e4deb16dc5b1e9623bb0601fc255c
-  languageName: node
-  linkType: hard
-
-"js-yaml@npm:^4.1.0":
-  version: 4.1.0
-  resolution: "js-yaml@npm:4.1.0"
-  dependencies:
-    argparse: ^2.0.1
-  bin:
-    js-yaml: bin/js-yaml.js
-  checksum: c7830dfd456c3ef2c6e355cc5a92e6700ceafa1d14bba54497b34a99f0376cecbb3e9ac14d3e5849b426d5a5140709a66237a8c991c675431271c4ce5504151a
-  languageName: node
-  linkType: hard
-
-"jsbn@npm:~0.1.0":
-  version: 0.1.1
-  resolution: "jsbn@npm:0.1.1"
-  checksum: e5ff29c1b8d965017ef3f9c219dacd6e40ad355c664e277d31246c90545a02e6047018c16c60a00f36d561b3647215c41894f5d869ada6908a2e0ce4200c88f2
-  languageName: node
-  linkType: hard
-
-"jsdom@npm:^16.4.0":
-  version: 16.5.3
-  resolution: "jsdom@npm:16.5.3"
-  dependencies:
-    abab: ^2.0.5
-    acorn: ^8.1.0
-    acorn-globals: ^6.0.0
-    cssom: ^0.4.4
-    cssstyle: ^2.3.0
-    data-urls: ^2.0.0
-    decimal.js: ^10.2.1
-    domexception: ^2.0.1
-    escodegen: ^2.0.0
-    html-encoding-sniffer: ^2.0.1
-    is-potential-custom-element-name: ^1.0.0
-    nwsapi: ^2.2.0
-    parse5: 6.0.1
-    request: ^2.88.2
-    request-promise-native: ^1.0.9
-    saxes: ^5.0.1
-    symbol-tree: ^3.2.4
-    tough-cookie: ^4.0.0
-    w3c-hr-time: ^1.0.2
-    w3c-xmlserializer: ^2.0.0
-    webidl-conversions: ^6.1.0
-    whatwg-encoding: ^1.0.5
-    whatwg-mimetype: ^2.3.0
-    whatwg-url: ^8.5.0
-    ws: ^7.4.4
-    xml-name-validator: ^3.0.0
-  peerDependencies:
-    canvas: ^2.5.0
-  peerDependenciesMeta:
-    canvas:
-      optional: true
-  checksum: 19d107eeaa2b67cb9288b313d12af9df4c633526bbbaf222b0d97c1cfd4b9f23294f168dd80c39ee6bd344dde336b9a57ed24136639fea7dc5e24e88f4d5f79f
-  languageName: node
-  linkType: hard
-
-"jsesc@npm:^1.3.0":
-  version: 1.3.0
-  resolution: "jsesc@npm:1.3.0"
-  bin:
-    jsesc: bin/jsesc
-  checksum: 9384cc72bf8ef7f2eb75fea64176b8b0c1c5e77604854c72cb4670b7072e112e3baaa69ef134be98cb078834a7812b0bfe676ad441ccd749a59427f5ed2127f1
-  languageName: node
-  linkType: hard
-
-"jsesc@npm:^2.5.1":
-  version: 2.5.2
-  resolution: "jsesc@npm:2.5.2"
-  bin:
-    jsesc: bin/jsesc
-  checksum: 4dc190771129e12023f729ce20e1e0bfceac84d73a85bc3119f7f938843fe25a4aeccb54b6494dce26fcf263d815f5f31acdefac7cc9329efb8422a4f4d9fa9d
-  languageName: node
-  linkType: hard
-
-"jsesc@npm:~0.3.x":
-  version: 0.3.0
-  resolution: "jsesc@npm:0.3.0"
-  bin:
-    jsesc: bin/jsesc
-  checksum: a5222fb2a599e874461ca384b59ecdc6449d52b6dd9d6ce0e878917e49ac6eb304e549cd69cb80bcf710d65aba130b31c795d1f1cd59f490d78e93d743bb6a4b
-  languageName: node
-  linkType: hard
-
-"jsesc@npm:~0.5.0":
-  version: 0.5.0
-  resolution: "jsesc@npm:0.5.0"
-  bin:
-    jsesc: bin/jsesc
-  checksum: b8b44cbfc92f198ad972fba706ee6a1dfa7485321ee8c0b25f5cedd538dcb20cde3197de16a7265430fce8277a12db066219369e3d51055038946039f6e20e17
-  languageName: node
-  linkType: hard
-
-"json-parse-better-errors@npm:^1.0.1, json-parse-better-errors@npm:^1.0.2":
-  version: 1.0.2
-  resolution: "json-parse-better-errors@npm:1.0.2"
-  checksum: ff2b5ba2a70e88fd97a3cb28c1840144c5ce8fae9cbeeddba15afa333a5c407cf0e42300cd0a2885dbb055227fe68d405070faad941beeffbfde9cf3b2c78c5d
-  languageName: node
-  linkType: hard
-
-"json-parse-even-better-errors@npm:^2.3.0, json-parse-even-better-errors@npm:^2.3.1":
-  version: 2.3.1
-  resolution: "json-parse-even-better-errors@npm:2.3.1"
-  checksum: 798ed4cf3354a2d9ccd78e86d2169515a0097a5c133337807cdf7f1fc32e1391d207ccfc276518cc1d7d8d4db93288b8a50ba4293d212ad1336e52a8ec0a941f
-  languageName: node
-  linkType: hard
-
-"json-schema-traverse@npm:^0.4.1":
-  version: 0.4.1
-  resolution: "json-schema-traverse@npm:0.4.1"
-  checksum: 7486074d3ba247769fda17d5181b345c9fb7d12e0da98b22d1d71a5db9698d8b4bd900a3ec1a4ffdd60846fc2556274a5c894d0c48795f14cb03aeae7b55260b
-  languageName: node
-  linkType: hard
-
-"json-schema-traverse@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "json-schema-traverse@npm:1.0.0"
-  checksum: 02f2f466cdb0362558b2f1fd5e15cce82ef55d60cd7f8fa828cf35ba74330f8d767fcae5c5c2adb7851fa811766c694b9405810879bc4e1ddd78a7c0e03658ad
-  languageName: node
-  linkType: hard
-
-"json-schema@npm:0.2.3":
-  version: 0.2.3
-  resolution: "json-schema@npm:0.2.3"
-  checksum: bbc2070988fb5f2a2266a31b956f1b5660e03ea7eaa95b33402901274f625feb586ae0c485e1df854fde40a7f0dc679f3b3ca8e5b8d31f8ea07a0d834de785c7
-  languageName: node
-  linkType: hard
-
-"json-stable-stringify-without-jsonify@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "json-stable-stringify-without-jsonify@npm:1.0.1"
-  checksum: cff44156ddce9c67c44386ad5cddf91925fe06b1d217f2da9c4910d01f358c6e3989c4d5a02683c7a5667f9727ff05831f7aa8ae66c8ff691c556f0884d49215
-  languageName: node
-  linkType: hard
-
-"json-stable-stringify@npm:^1.0.0, json-stable-stringify@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "json-stable-stringify@npm:1.0.1"
-  dependencies:
-    jsonify: ~0.0.0
-  checksum: 65d6cbf0fca72a4136999f65f4401cf39a129f7aeff0fdd987ac3d3423a2113659294045fb8377e6e20d865cac32b1b8d70f3d87346c9786adcee60661d96ca5
-  languageName: node
-  linkType: hard
-
-"json-stringify-safe@npm:~5.0.1":
-  version: 5.0.1
-  resolution: "json-stringify-safe@npm:5.0.1"
-  checksum: 48ec0adad5280b8a96bb93f4563aa1667fd7a36334f79149abd42446d0989f2ddc58274b479f4819f1f00617957e6344c886c55d05a4e15ebb4ab931e4a6a8ee
-  languageName: node
-  linkType: hard
-
-"json5@npm:^0.5.1":
-  version: 0.5.1
-  resolution: "json5@npm:0.5.1"
-  bin:
-    json5: lib/cli.js
-  checksum: 9b85bf06955b23eaa4b7328aa8892e3887e81ca731dd27af04a5f5f1458fbc5e1de57a24442e3272f8a888dd1abe1cb68eb693324035f6b3aeba4fcab7667d62
-  languageName: node
-  linkType: hard
-
-"json5@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "json5@npm:1.0.1"
-  dependencies:
-    minimist: ^1.2.0
-  bin:
-    json5: lib/cli.js
-  checksum: e76ea23dbb8fc1348c143da628134a98adf4c5a4e8ea2adaa74a80c455fc2cdf0e2e13e6398ef819bfe92306b610ebb2002668ed9fc1af386d593691ef346fc3
-  languageName: node
-  linkType: hard
-
-"json5@npm:^2.1.2":
-  version: 2.2.0
-  resolution: "json5@npm:2.2.0"
-  dependencies:
-    minimist: ^1.2.5
-  bin:
-    json5: lib/cli.js
-  checksum: e88fc5274bb58fc99547baa777886b069d2dd96d9cfc4490b305fd16d711dabd5979e35a4f90873cefbeb552e216b041a304fe56702bedba76e19bc7845f208d
-  languageName: node
-  linkType: hard
-
-"json5@npm:^2.2.1":
-  version: 2.2.1
-  resolution: "json5@npm:2.2.1"
-  bin:
-    json5: lib/cli.js
-  checksum: 74b8a23b102a6f2bf2d224797ae553a75488b5adbaee9c9b6e5ab8b510a2fc6e38f876d4c77dea672d4014a44b2399e15f2051ac2b37b87f74c0c7602003543b
-  languageName: node
-  linkType: hard
-
-"json5@npm:^2.2.2":
-  version: 2.2.3
-  resolution: "json5@npm:2.2.3"
-  bin:
-    json5: lib/cli.js
-  checksum: 2a7436a93393830bce797d4626275152e37e877b265e94ca69c99e3d20c2b9dab021279146a39cdb700e71b2dd32a4cebd1514cd57cee102b1af906ce5040349
-  languageName: node
-  linkType: hard
-
-"jsondiffpatch@npm:^0.4.1":
-  version: 0.4.1
-  resolution: "jsondiffpatch@npm:0.4.1"
-  dependencies:
-    chalk: ^2.3.0
-    diff-match-patch: ^1.0.0
-  bin:
-    jsondiffpatch: ./bin/jsondiffpatch
-  checksum: 2062d188cc7f60f9d84e7bf497a7d89233d2f8ec21d085c26cdb24c2b7c5f4f7231ad9b978355e319c00820de0863499ba881c6c6b1bd92313db1a7d16d6ab1d
-  languageName: node
-  linkType: hard
-
-"jsonfile@npm:^2.1.0":
-  version: 2.4.0
-  resolution: "jsonfile@npm:2.4.0"
-  dependencies:
-    graceful-fs: ^4.1.6
-  dependenciesMeta:
-    graceful-fs:
-      optional: true
-  checksum: f5064aabbc9e35530dc471d8b203ae1f40dbe949ddde4391c6f6a6d310619a15f0efdae5587df594d1d70c555193aaeee9d2ed4aec9ffd5767bd5e4e62d49c3d
-  languageName: node
-  linkType: hard
-
-"jsonfile@npm:^3.0.0":
-  version: 3.0.1
-  resolution: "jsonfile@npm:3.0.1"
-  dependencies:
-    graceful-fs: ^4.1.6
-  dependenciesMeta:
-    graceful-fs:
-      optional: true
-  checksum: f2935da339462fe6489c3b8961b637e4eeebd42bcbbe1c8d88f4e937fe19d2d9bc222167281ada2e2f6ddc0324edb43b18107a9b12c743b350326d83ba4db5ef
-  languageName: node
-  linkType: hard
-
-"jsonfile@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "jsonfile@npm:4.0.0"
-  dependencies:
-    graceful-fs: ^4.1.6
-  dependenciesMeta:
-    graceful-fs:
-      optional: true
-  checksum: 6447d6224f0d31623eef9b51185af03ac328a7553efcee30fa423d98a9e276ca08db87d71e17f2310b0263fd3ffa6c2a90a6308367f661dc21580f9469897c9e
-  languageName: node
-  linkType: hard
-
-"jsonfile@npm:^6.0.1":
-  version: 6.1.0
-  resolution: "jsonfile@npm:6.1.0"
-  dependencies:
-    graceful-fs: ^4.1.6
-    universalify: ^2.0.0
-  dependenciesMeta:
-    graceful-fs:
-      optional: true
-  checksum: 7af3b8e1ac8fe7f1eccc6263c6ca14e1966fcbc74b618d3c78a0a2075579487547b94f72b7a1114e844a1e15bb00d440e5d1720bfc4612d790a6f285d5ea8354
-  languageName: node
-  linkType: hard
-
-"jsonify@npm:~0.0.0":
-  version: 0.0.0
-  resolution: "jsonify@npm:0.0.0"
-  checksum: d8d4ed476c116e6987a460dcb82f22284686caae9f498ac87b0502c1765ac1522f4f450a4cad4cc368d202fd3b27a3860735140a82867fc6d558f5f199c38bce
-  languageName: node
-  linkType: hard
-
-"jsonlint@npm:^1.6.3":
-  version: 1.6.3
-  resolution: "jsonlint@npm:1.6.3"
-  dependencies:
-    JSV: ^4.0.x
-    nomnom: ^1.5.x
-  bin:
-    jsonlint: lib/cli.js
-  checksum: be0972cf552ff1ec589db5d7b20ff31064561fbe4605708f5a260e2dcc18e26acd5bf842ba10dd157706232aca6d6c9116d21005cb3e8fb5ec9d9b01c8869677
-  languageName: node
-  linkType: hard
-
-"jsprim@npm:^1.2.2":
-  version: 1.4.1
-  resolution: "jsprim@npm:1.4.1"
-  dependencies:
-    assert-plus: 1.0.0
-    extsprintf: 1.3.0
-    json-schema: 0.2.3
-    verror: 1.10.0
-  checksum: 6bcb20ec265ae18bb48e540a6da2c65f9c844f7522712d6dfcb01039527a49414816f4869000493363f1e1ea96cbad00e46188d5ecc78257a19f152467587373
-  languageName: node
-  linkType: hard
-
-"just-extend@npm:^4.0.2":
-  version: 4.2.1
-  resolution: "just-extend@npm:4.2.1"
-  checksum: ff9fdede240fad313efeeeb68a660b942e5586d99c0058064c78884894a2690dc09bba44c994ad4e077e45d913fef01a9240c14a72c657b53687ac58de53b39c
-  languageName: node
-  linkType: hard
-
-"kind-of@npm:^6.0.3":
-  version: 6.0.3
-  resolution: "kind-of@npm:6.0.3"
-  checksum: 3ab01e7b1d440b22fe4c31f23d8d38b4d9b91d9f291df683476576493d5dfd2e03848a8b05813dd0c3f0e835bc63f433007ddeceb71f05cb25c45ae1b19c6d3b
-  languageName: node
-  linkType: hard
-
-"klaw@npm:^1.0.0":
-  version: 1.3.1
-  resolution: "klaw@npm:1.3.1"
-  dependencies:
-    graceful-fs: ^4.1.9
-  dependenciesMeta:
-    graceful-fs:
-      optional: true
-  checksum: 8f69e4797c26e7c3f2426bfa85f38a3da3c2cb1b4c6bd850d2377aed440d41ce9d806f2885c2e2e224372c56af4b1d43b8a499adecf9a05e7373dc6b8b7c52e4
-  languageName: node
-  linkType: hard
-
-"known-css-properties@npm:^0.27.0":
-  version: 0.27.0
-  resolution: "known-css-properties@npm:0.27.0"
-  checksum: 8584fcf0526f984fe5a358af20200dec3b944373dd005dc23a3ce988895e1acd03e7d69c49533dda07d6d9b6d53990ed1119bd9d3e927f17545f8764c434a5cd
-  languageName: node
-  linkType: hard
-
-"language-subtag-registry@npm:^0.3.20":
-  version: 0.3.22
-  resolution: "language-subtag-registry@npm:0.3.22"
-  checksum: 8ab70a7e0e055fe977ac16ea4c261faec7205ac43db5e806f72e5b59606939a3b972c4bd1e10e323b35d6ffa97c3e1c4c99f6553069dad2dfdd22020fa3eb56a
-  languageName: node
-  linkType: hard
-
-"language-tags@npm:^1.0.8":
-  version: 1.0.8
-  resolution: "language-tags@npm:1.0.8"
-  dependencies:
-    language-subtag-registry: ^0.3.20
-  checksum: 95d200a4c23ae58ec1c2224e264162ca95e71b3a1104a9cf9d2fd39ab807fa766b37827905a44c84763accc8223aedccebd4cd7807c16876cbe2af769e7a487b
-  languageName: node
-  linkType: hard
-
-"lcid@npm:^3.0.0":
-  version: 3.1.1
-  resolution: "lcid@npm:3.1.1"
-  dependencies:
-    invert-kv: ^3.0.0
-  checksum: 7ebab7a2696a3cc6c6c9f25d957ef81dd2a8a2f48b7e2a9185e4bbcfc36d70cb633acf5fa5c9508f3d30badf23a303b1b6afe0bba8f0bb7d353d0f5d59c9ec1b
-  languageName: node
-  linkType: hard
-
-"leek@npm:0.0.24":
-  version: 0.0.24
-  resolution: "leek@npm:0.0.24"
-  dependencies:
-    debug: ^2.1.0
-    lodash.assign: ^3.2.0
-    rsvp: ^3.0.21
-  checksum: da2c554c7ea37c6e5ef680ce1940f7be2c2eef5661dc7f74e1bc86ac65136525fdb11e1d1f8f5c582ea8b9e4c8a31ba61d82e1192495a8f91bf1ca702b8d19f2
-  languageName: node
-  linkType: hard
-
-"levn@npm:^0.4.1":
-  version: 0.4.1
-  resolution: "levn@npm:0.4.1"
-  dependencies:
-    prelude-ls: ^1.2.1
-    type-check: ~0.4.0
-  checksum: 12c5021c859bd0f5248561bf139121f0358285ec545ebf48bb3d346820d5c61a4309535c7f387ed7d84361cf821e124ce346c6b7cef8ee09a67c1473b46d0fc4
-  languageName: node
-  linkType: hard
-
-"levn@npm:~0.3.0":
-  version: 0.3.0
-  resolution: "levn@npm:0.3.0"
-  dependencies:
-    prelude-ls: ~1.1.2
-    type-check: ~0.3.2
-  checksum: 0d084a524231a8246bb10fec48cdbb35282099f6954838604f3c7fc66f2e16fa66fd9cc2f3f20a541a113c4dafdf181e822c887c8a319c9195444e6c64ac395e
-  languageName: node
-  linkType: hard
-
-"line-column@npm:^1.0.2":
-  version: 1.0.2
-  resolution: "line-column@npm:1.0.2"
-  dependencies:
-    isarray: ^1.0.0
-    isobject: ^2.0.0
-  checksum: 7b71b3aaebf629cf79bea9b8356d5c3d3cc36129619f8248a95409206f26cd1cad9d758ea873cbf262fce780e31c1aa50ec85ee48dbd539bd3356523d535c8f5
-  languageName: node
-  linkType: hard
-
-"lines-and-columns@npm:^1.1.6":
-  version: 1.1.6
-  resolution: "lines-and-columns@npm:1.1.6"
-  checksum: 198a5436b1fa5cf703bae719c01c686b076f0ad7e1aafd95a58d626cabff302dc0414822126f2f80b58a8c3d66cda8a7b6da064f27130f87e1d3506d6dfd0d68
-  languageName: node
-  linkType: hard
-
-"linkify-it@npm:^4.0.1":
-  version: 4.0.1
-  resolution: "linkify-it@npm:4.0.1"
-  dependencies:
-    uc.micro: ^1.0.1
-  checksum: 3e0a29921269c14eb7ac6f5db2da68d4854ea9acca6e9014a323f75f2dd39b197ffab57c1fbd6a906ceb021aad3ee6d7ba7d0181236dd9630ffc452b392f7f71
-  languageName: node
-  linkType: hard
-
-"lint-staged@npm:^10.5.1":
-  version: 10.5.4
-  resolution: "lint-staged@npm:10.5.4"
-  dependencies:
-    chalk: ^4.1.0
-    cli-truncate: ^2.1.0
-    commander: ^6.2.0
-    cosmiconfig: ^7.0.0
-    debug: ^4.2.0
-    dedent: ^0.7.0
-    enquirer: ^2.3.6
-    execa: ^4.1.0
-    listr2: ^3.2.2
-    log-symbols: ^4.0.0
-    micromatch: ^4.0.2
-    normalize-path: ^3.0.0
-    please-upgrade-node: ^3.2.0
-    string-argv: 0.3.1
-    stringify-object: ^3.3.0
-  bin:
-    lint-staged: bin/lint-staged.js
-  checksum: 4cc65f6c0a22dc091d0bbdfa6c15cd6e9b7d0d1e7603f5441bf9ac62f3a760fa36b0bda2db4c31b4084f28ba47cd4d0a176c3c3b314a97de8326e050d20b1635
-  languageName: node
-  linkType: hard
-
-"listr2@npm:^3.2.2":
-  version: 3.8.2
-  resolution: "listr2@npm:3.8.2"
-  dependencies:
-    chalk: ^4.1.1
-    cli-truncate: ^2.1.0
-    figures: ^3.2.0
-    indent-string: ^4.0.0
-    log-update: ^4.0.0
-    p-map: ^4.0.0
-    rxjs: ^6.6.7
-    through: ^2.3.8
-    wrap-ansi: ^7.0.0
-  peerDependencies:
-    enquirer: ">= 2.3.0 < 3"
-  checksum: f0930780daf525015fb6e0568c69b36e23a1b5c74c00b802ed911e2d9b2eacc6fb9f498e90669b1a0f51c987fab5dfe7d95f5bbddddf5f3d9d42d99d373ea700
-  languageName: node
-  linkType: hard
-
-"livereload-js@npm:^3.3.1":
-  version: 3.3.2
-  resolution: "livereload-js@npm:3.3.2"
-  checksum: 72121395b54f338f0aaf33542a062b7ecfd886f472cb8acb174635011bf29ccc689e5861427431c115d445239498dbbcd070a37c0c8b9561606ebc90c579afbd
-  languageName: node
-  linkType: hard
-
-"load-json-file@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "load-json-file@npm:4.0.0"
-  dependencies:
-    graceful-fs: ^4.1.2
-    parse-json: ^4.0.0
-    pify: ^3.0.0
-    strip-bom: ^3.0.0
-  checksum: 8f5d6d93ba64a9620445ee9bde4d98b1eac32cf6c8c2d20d44abfa41a6945e7969456ab5f1ca2fb06ee32e206c9769a20eec7002fe290de462e8c884b6b8b356
-  languageName: node
-  linkType: hard
-
-"loader-runner@npm:^2.4.0":
-  version: 2.4.0
-  resolution: "loader-runner@npm:2.4.0"
-  checksum: e27eebbca5347a03f6b1d1bce5b2736a4984fb742f872c0a4d68e62de10f7637613e79a464d3bcd77c246d9c70fcac112bb4a3123010eb527e8b203a614647db
-  languageName: node
-  linkType: hard
-
-"loader-runner@npm:^4.2.0":
-  version: 4.3.0
-  resolution: "loader-runner@npm:4.3.0"
-  checksum: a90e00dee9a16be118ea43fec3192d0b491fe03a32ed48a4132eb61d498f5536a03a1315531c19d284392a8726a4ecad71d82044c28d7f22ef62e029bf761569
-  languageName: node
-  linkType: hard
-
-"loader-utils@npm:^1.2.3, loader-utils@npm:^1.4.0":
-  version: 1.4.0
-  resolution: "loader-utils@npm:1.4.0"
-  dependencies:
-    big.js: ^5.2.2
-    emojis-list: ^3.0.0
-    json5: ^1.0.1
-  checksum: d150b15e7a42ac47d935c8b484b79e44ff6ab4c75df7cc4cb9093350cf014ec0b17bdb60c5d6f91a37b8b218bd63b973e263c65944f58ca2573e402b9a27e717
-  languageName: node
-  linkType: hard
-
-"loader-utils@npm:^2.0.0":
-  version: 2.0.2
-  resolution: "loader-utils@npm:2.0.2"
-  dependencies:
-    big.js: ^5.2.2
-    emojis-list: ^3.0.0
-    json5: ^2.1.2
-  checksum: 9078d1ed47cadc57f4c6ddbdb2add324ee7da544cea41de3b7f1128e8108fcd41cd3443a85b7ee8d7d8ac439148aa221922774efe4cf87506d4fb054d5889303
-  languageName: node
-  linkType: hard
-
-"loader.js@npm:^4.7.0":
-  version: 4.7.0
-  resolution: "loader.js@npm:4.7.0"
-  checksum: 947412e7665e47ed1fefcd5c07b8fbcfd9991ccc4f39aa3ad631fc0be301c4410f57a2ed762e710450643210072fbbb54ea00128f9c449d76ee79fe5b8481ec6
-  languageName: node
-  linkType: hard
-
-"locate-character@npm:^2.0.5":
-  version: 2.0.5
-  resolution: "locate-character@npm:2.0.5"
-  checksum: dbc4c62bb98ba95626d5533c6d45d480b2536bb500d1453efdd19d0797e75ba92abf8d0432966990a1567a3b591b0fa6067f0ce93808cbf8b55beedd7bd28a78
-  languageName: node
-  linkType: hard
-
-"locate-path@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "locate-path@npm:2.0.0"
-  dependencies:
-    p-locate: ^2.0.0
-    path-exists: ^3.0.0
-  checksum: 02d581edbbbb0fa292e28d96b7de36b5b62c2fa8b5a7e82638ebb33afa74284acf022d3b1e9ae10e3ffb7658fbc49163fcd5e76e7d1baaa7801c3e05a81da755
-  languageName: node
-  linkType: hard
-
-"locate-path@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "locate-path@npm:3.0.0"
-  dependencies:
-    p-locate: ^3.0.0
-    path-exists: ^3.0.0
-  checksum: 53db3996672f21f8b0bf2a2c645ae2c13ffdae1eeecfcd399a583bce8516c0b88dcb4222ca6efbbbeb6949df7e46860895be2c02e8d3219abd373ace3bfb4e11
-  languageName: node
-  linkType: hard
-
-"locate-path@npm:^5.0.0":
-  version: 5.0.0
-  resolution: "locate-path@npm:5.0.0"
-  dependencies:
-    p-locate: ^4.1.0
-  checksum: 83e51725e67517287d73e1ded92b28602e3ae5580b301fe54bfb76c0c723e3f285b19252e375712316774cf52006cb236aed5704692c32db0d5d089b69696e30
-  languageName: node
-  linkType: hard
-
-"locate-path@npm:^6.0.0":
-  version: 6.0.0
-  resolution: "locate-path@npm:6.0.0"
-  dependencies:
-    p-locate: ^5.0.0
-  checksum: 72eb661788a0368c099a184c59d2fee760b3831c9c1c33955e8a19ae4a21b4116e53fa736dc086cdeb9fce9f7cc508f2f92d2d3aae516f133e16a2bb59a39f5a
-  languageName: node
-  linkType: hard
-
-"locate-path@npm:^7.1.0":
-  version: 7.1.0
-  resolution: "locate-path@npm:7.1.0"
-  dependencies:
-    p-locate: ^6.0.0
-  checksum: 17d5eb6c04ff31856f8a6ae4ee3e3091d41485657428d1a91bd5f66aa1fcd7a90db3de6e8ffb905c2ff1a0014b77509b98dd6410424505efc08b1726d50bcbfc
-  languageName: node
-  linkType: hard
-
-"lodash-es@npm:^4.17.11":
-  version: 4.17.21
-  resolution: "lodash-es@npm:4.17.21"
-  checksum: 05cbffad6e2adbb331a4e16fbd826e7faee403a1a04873b82b42c0f22090f280839f85b95393f487c1303c8a3d2a010048bf06151a6cbe03eee4d388fb0a12d2
-  languageName: node
-  linkType: hard
-
-"lodash._baseassign@npm:^3.0.0":
-  version: 3.2.0
-  resolution: "lodash._baseassign@npm:3.2.0"
-  dependencies:
-    lodash._basecopy: ^3.0.0
-    lodash.keys: ^3.0.0
-  checksum: 27155048736d02dc384f97af303ba66bb5f768aedd5191dddf25acbd13a0733c530d4258df2136440fce7e28c8240561ecd94e769ce4cbb0115dbfd9ab5c4203
-  languageName: node
-  linkType: hard
-
-"lodash._basecopy@npm:^3.0.0":
-  version: 3.0.1
-  resolution: "lodash._basecopy@npm:3.0.1"
-  checksum: 4ccbeef09f53cb1a0cdf1cafeaea2d445ec2184337e1389eb3b81649a3e30f33c377d79027fbce06dae199a6f8ffb4fbd32f1ce07bddbdfae14f51f8340ae68c
-  languageName: node
-  linkType: hard
-
-"lodash._baseflatten@npm:^3.0.0":
-  version: 3.1.4
-  resolution: "lodash._baseflatten@npm:3.1.4"
-  dependencies:
-    lodash.isarguments: ^3.0.0
-    lodash.isarray: ^3.0.0
-  checksum: 7637d1105ce272c5df5c552879dccdbae48da8b8e613d303c3bc1bbee9e1443fd1c934f7c8c0049b96e54df14d9cfd1bab5522412ad6952bb13cbdff1b37a20c
-  languageName: node
-  linkType: hard
-
-"lodash._bindcallback@npm:^3.0.0":
-  version: 3.0.1
-  resolution: "lodash._bindcallback@npm:3.0.1"
-  checksum: 3916fd72bc02de3643a52d46cf5aaeab4c0b21cd7cb2fb801a8bf9dacdc8532e89b30a4ebafdf65da5fe09d8b0bf898a7416402704fd7262a976703e1c59e549
-  languageName: node
-  linkType: hard
-
-"lodash._createassigner@npm:^3.0.0":
-  version: 3.1.1
-  resolution: "lodash._createassigner@npm:3.1.1"
-  dependencies:
-    lodash._bindcallback: ^3.0.0
-    lodash._isiterateecall: ^3.0.0
-    lodash.restparam: ^3.0.0
-  checksum: ca9e08350914c279560b8930a3f7aa065b061a7e2b0bf13b33af1f782be8b5356f623ce01e89248212cc6099b1bc6c39e03ed9ffc9e0c2fd7169b1b7c447c01e
-  languageName: node
-  linkType: hard
-
-"lodash._getnative@npm:^3.0.0":
-  version: 3.9.1
-  resolution: "lodash._getnative@npm:3.9.1"
-  checksum: ba2152bb10bf44beb54fcd273598197972c989c2181b54e533cec1ff1ebebdf8bb02d4ffc3d5a648480a48beb3026db191f5de99adecd7eac36bbd6025c9b048
-  languageName: node
-  linkType: hard
-
-"lodash._isiterateecall@npm:^3.0.0":
-  version: 3.0.9
-  resolution: "lodash._isiterateecall@npm:3.0.9"
-  checksum: 95ace291d07f2930d9f038ec3c662f88cef48ccebd508665ce08a3251f126b2a645234ab734a6dff0987e1ae9ef74dad706e0d9a2bf26828e50d19c7a6238cab
-  languageName: node
-  linkType: hard
-
-"lodash._reinterpolate@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "lodash._reinterpolate@npm:3.0.0"
-  checksum: 06d2d5f33169604fa5e9f27b6067ed9fb85d51a84202a656901e5ffb63b426781a601508466f039c720af111b0c685d12f1a5c14ff8df5d5f27e491e562784b2
-  languageName: node
-  linkType: hard
-
-"lodash.assign@npm:^3.2.0":
-  version: 3.2.0
-  resolution: "lodash.assign@npm:3.2.0"
-  dependencies:
-    lodash._baseassign: ^3.0.0
-    lodash._createassigner: ^3.0.0
-    lodash.keys: ^3.0.0
-  checksum: 135351c0e376e2963ec785d4ad4efce55cd7f1d5e3d34387e940c1de6c5f92d6f91d3e415218bc37657f34aae823bc9ecf2fb38bd4734dc69f7d659582cc4178
-  languageName: node
-  linkType: hard
-
-"lodash.assign@npm:^4.2.0":
-  version: 4.2.0
-  resolution: "lodash.assign@npm:4.2.0"
-  checksum: 75bbc6733c9f577c448031b4051f990f068802708891f94be9d4c2faffd6a9ec67a2c49671dafc908a068d35687765464853282842b4560b662e6c903d11cc90
-  languageName: node
-  linkType: hard
-
-"lodash.assignin@npm:^4.1.0":
-  version: 4.2.0
-  resolution: "lodash.assignin@npm:4.2.0"
-  checksum: 4b55bc1d65ccd7648fdba8a4316d10546929bf0beb5950830d86c559948cf170f0e65b77c95e66b45b511b85a31161714de8b2008d2537627ef3c7759afe36a6
-  languageName: node
-  linkType: hard
-
-"lodash.camelcase@npm:^4.1.1, lodash.camelcase@npm:^4.3.0":
-  version: 4.3.0
-  resolution: "lodash.camelcase@npm:4.3.0"
-  checksum: cb9227612f71b83e42de93eccf1232feeb25e705bdb19ba26c04f91e885bfd3dd5c517c4a97137658190581d3493ea3973072ca010aab7e301046d90740393d1
-  languageName: node
-  linkType: hard
-
-"lodash.castarray@npm:^4.4.0":
-  version: 4.4.0
-  resolution: "lodash.castarray@npm:4.4.0"
-  checksum: fca8c7047e0ae2738b0b2503fb00157ae0ff6d8a1b716f87ed715b22560e09de438c75b65e01a7e44ceb41c5b31dce2eb576e46db04beb9c699c498e03cbd00f
-  languageName: node
-  linkType: hard
-
-"lodash.clonedeep@npm:^4.4.1, lodash.clonedeep@npm:^4.5.0":
-  version: 4.5.0
-  resolution: "lodash.clonedeep@npm:4.5.0"
-  checksum: 92c46f094b064e876a23c97f57f81fbffd5d760bf2d8a1c61d85db6d1e488c66b0384c943abee4f6af7debf5ad4e4282e74ff83177c9e63d8ff081a4837c3489
-  languageName: node
-  linkType: hard
-
-"lodash.compact@npm:^3.0.1":
-  version: 3.0.1
-  resolution: "lodash.compact@npm:3.0.1"
-  checksum: 75039eddfa5ef2ea0da1fc3d36515e92227241f94258b3dcf771196e741c878698ce5b79c0cb7fe758841c9dfd0e6fa222888985aadc0384fd79bbc9680dd829
-  languageName: node
-  linkType: hard
-
-"lodash.debounce@npm:^3.1.1":
-  version: 3.1.1
-  resolution: "lodash.debounce@npm:3.1.1"
-  dependencies:
-    lodash._getnative: ^3.0.0
-  checksum: 8d9dcd6f66246c3e92a25420881714b68f6d7a794db9ffcedb4a2c0f9005f4c6fd59c80ff801eca3ef8aa7fc227d62ae301f37854a73db6d064bd8dcaa93355d
-  languageName: node
-  linkType: hard
-
-"lodash.debounce@npm:^4.0.8":
-  version: 4.0.8
-  resolution: "lodash.debounce@npm:4.0.8"
-  checksum: a3f527d22c548f43ae31c861ada88b2637eb48ac6aa3eb56e82d44917971b8aa96fbb37aa60efea674dc4ee8c42074f90f7b1f772e9db375435f6c83a19b3bc6
-  languageName: node
-  linkType: hard
-
-"lodash.defaultsdeep@npm:^4.6.1":
-  version: 4.6.1
-  resolution: "lodash.defaultsdeep@npm:4.6.1"
-  checksum: 1f346f16158b760545ca99553cb13e907a28b281425751af6bfe681387b9e5685438a7ddbfd36a8d5cc8bda066867a134aa31416f17e318db8c461c377810a76
-  languageName: node
-  linkType: hard
-
-"lodash.find@npm:^4.5.1, lodash.find@npm:^4.6.0":
-  version: 4.6.0
-  resolution: "lodash.find@npm:4.6.0"
-  checksum: b737f849a4fe36f5c3664ea636780dda2fde18335021faf80cdfdcb300ed75441da6f55cfd6de119092d8bb2ddbc4433f4a8de4b99c0b9c8640465b0901c717c
-  languageName: node
-  linkType: hard
-
-"lodash.flatten@npm:^3.0.2":
-  version: 3.0.2
-  resolution: "lodash.flatten@npm:3.0.2"
-  dependencies:
-    lodash._baseflatten: ^3.0.0
-    lodash._isiterateecall: ^3.0.0
-  checksum: 7d2dc97c02ad305cf8d4d8761fbc41f3bde6a8f7f1c4d720d5b234c4e81f6a00c1f0afd8f84d7fb7330fdd799a734f1fab4191a806f3629e28e3ba00eb4b9e26
-  languageName: node
-  linkType: hard
-
-"lodash.flatten@npm:^4.4.0":
-  version: 4.4.0
-  resolution: "lodash.flatten@npm:4.4.0"
-  checksum: 0ac34a393d4b795d4b7421153d27c13ae67e08786c9cbb60ff5b732210d46f833598eee3fb3844bb10070e8488efe390ea53bb567377e0cb47e9e630bf0811cb
-  languageName: node
-  linkType: hard
-
-"lodash.foreach@npm:^4.5.0":
-  version: 4.5.0
-  resolution: "lodash.foreach@npm:4.5.0"
-  checksum: a940386b158ca0d62994db41fc16529eb8ae67138f29ced38e91f912cb5435d1b0ed34b18e6f7b9ddfc32ab676afc6dfec60d1e22633d8e3e4b33413402ab4ad
-  languageName: node
-  linkType: hard
-
-"lodash.forin@npm:^4.4.0":
-  version: 4.4.0
-  resolution: "lodash.forin@npm:4.4.0"
-  checksum: c9c8e6c3204029fe0610efb8c74113b00a3d5a92b1d8defbf3f5cbc2d0f7663c680dff62e2950ed9406bb6d06e882fa39568c607bc44229d53fd93a9fd6c07b7
-  languageName: node
-  linkType: hard
-
-"lodash.get@npm:^4.4.2":
-  version: 4.4.2
-  resolution: "lodash.get@npm:4.4.2"
-  checksum: e403047ddb03181c9d0e92df9556570e2b67e0f0a930fcbbbd779370972368f5568e914f913e93f3b08f6d492abc71e14d4e9b7a18916c31fa04bd2306efe545
-  languageName: node
-  linkType: hard
-
-"lodash.has@npm:^4.5.2":
-  version: 4.5.2
-  resolution: "lodash.has@npm:4.5.2"
-  checksum: b3ec829a86852331d48b3730ff06088a283d128a3965aa521ffd942bcf5c82e06bed3164ff7a7751d11e768d88f0d7bab316192091489caf20f452d42f7055d5
-  languageName: node
-  linkType: hard
-
-"lodash.invokemap@npm:^4.6.0":
-  version: 4.6.0
-  resolution: "lodash.invokemap@npm:4.6.0"
-  checksum: 646ceebbefbcb6da301f8c2868254680fd0bcdc6ada470495d9ae49c9c32938829c1b38a38c95d0258409a9655f85db404b16e648381c7450b7ed3d9c52d8808
-  languageName: node
-  linkType: hard
-
-"lodash.isarguments@npm:^3.0.0":
-  version: 3.1.0
-  resolution: "lodash.isarguments@npm:3.1.0"
-  checksum: ae1526f3eb5c61c77944b101b1f655f846ecbedcb9e6b073526eba6890dc0f13f09f72e11ffbf6540b602caee319af9ac363d6cdd6be41f4ee453436f04f13b5
-  languageName: node
-  linkType: hard
-
-"lodash.isarray@npm:^3.0.0":
-  version: 3.0.4
-  resolution: "lodash.isarray@npm:3.0.4"
-  checksum: 3b298fb76ff16981353f7d0695d8680be9451b74d2e76714ddbd903a90fbaa8e1d84979d0ae99325f5a9033776771154b19e05027ab23de83202251c8abe81b5
-  languageName: node
-  linkType: hard
-
-"lodash.isempty@npm:^4.4.0":
-  version: 4.4.0
-  resolution: "lodash.isempty@npm:4.4.0"
-  checksum: a8118f23f7ed72a1dbd176bf27f297d1e71aa1926288449cb8f7cef99ba1bc7527eab52fe7899ab080fa1dc150aba6e4a6367bf49fa4e0b78da1ecc095f8d8c5
-  languageName: node
-  linkType: hard
-
-"lodash.isequal@npm:^4.5.0":
-  version: 4.5.0
-  resolution: "lodash.isequal@npm:4.5.0"
-  checksum: da27515dc5230eb1140ba65ff8de3613649620e8656b19a6270afe4866b7bd461d9ba2ac8a48dcc57f7adac4ee80e1de9f965d89d4d81a0ad52bb3eec2609644
-  languageName: node
-  linkType: hard
-
-"lodash.isfunction@npm:^3.0.9":
-  version: 3.0.9
-  resolution: "lodash.isfunction@npm:3.0.9"
-  checksum: 99e54c34b1e8a9ba75c034deb39cedbd2aca7af685815e67a2a8ec4f73ec9748cda6ebee5a07d7de4b938e90d421fd280e9c385cc190f903ac217ac8aff30314
-  languageName: node
-  linkType: hard
-
-"lodash.isinteger@npm:^4.0.4":
-  version: 4.0.4
-  resolution: "lodash.isinteger@npm:4.0.4"
-  checksum: 6034821b3fc61a2ffc34e7d5644bb50c5fd8f1c0121c554c21ac271911ee0c0502274852845005f8651d51e199ee2e0cfebfe40aaa49c7fe617f603a8a0b1691
-  languageName: node
-  linkType: hard
-
-"lodash.isplainobject@npm:^4.0.6":
-  version: 4.0.6
-  resolution: "lodash.isplainobject@npm:4.0.6"
-  checksum: 29c6351f281e0d9a1d58f1a4c8f4400924b4c79f18dfc4613624d7d54784df07efaff97c1ff2659f3e085ecf4fff493300adc4837553104cef2634110b0d5337
-  languageName: node
-  linkType: hard
-
-"lodash.kebabcase@npm:^4.1.1":
-  version: 4.1.1
-  resolution: "lodash.kebabcase@npm:4.1.1"
-  checksum: 5a6c59161914e1bae23438a298c7433e83d935e0f59853fa862e691164696bc07f6dfa4c313d499fbf41ba8d53314e9850416502376705a357d24ee6ca33af78
-  languageName: node
-  linkType: hard
-
-"lodash.keys@npm:^3.0.0":
-  version: 3.1.2
-  resolution: "lodash.keys@npm:3.1.2"
-  dependencies:
-    lodash._getnative: ^3.0.0
-    lodash.isarguments: ^3.0.0
-    lodash.isarray: ^3.0.0
-  checksum: ac7c02c793334c48161a8e8a1f12576c73ee50d1371e75680afc6c2d3740d5e9bdc899517e6c0034014eaa2512c5f433a2e6985c9e16cf28b5c9013ec81bd35e
-  languageName: node
-  linkType: hard
-
-"lodash.lowerfirst@npm:^4.3.1":
-  version: 4.3.1
-  resolution: "lodash.lowerfirst@npm:4.3.1"
-  checksum: e1688e18873777d394db4994d150dfc14cf01bf450169cf8296af4d84ecd7c3c4ae4dab3746f77f8719a093e4fff58bee3ae73ae7e23ef508b7d970b189d9952
-  languageName: node
-  linkType: hard
-
-"lodash.map@npm:^4.6.0":
-  version: 4.6.0
-  resolution: "lodash.map@npm:4.6.0"
-  checksum: 7369a41d7d24d15ce3bbd02a7faa3a90f6266c38184e64932571b9b21b758bd10c04ffd117d1859be1a44156f29b94df5045eff172bf8a97fddf68bf1002d12f
-  languageName: node
-  linkType: hard
-
-"lodash.mapvalues@npm:^4.6.0":
-  version: 4.6.0
-  resolution: "lodash.mapvalues@npm:4.6.0"
-  checksum: 0ff1b252fda318fc36e47c296984925e98fbb0fc5a2ecc4ef458f3c739a9476d47e40c95ac653e8314d132aa59c746d4276527b99d6e271940555c6e12d2babd
-  languageName: node
-  linkType: hard
-
-"lodash.memoize@npm:4.1.2, lodash.memoize@npm:^4.1.2":
-  version: 4.1.2
-  resolution: "lodash.memoize@npm:4.1.2"
-  checksum: 9ff3942feeccffa4f1fafa88d32f0d24fdc62fd15ded5a74a5f950ff5f0c6f61916157246744c620173dddf38d37095a92327d5fd3861e2063e736a5c207d089
-  languageName: node
-  linkType: hard
-
-"lodash.merge@npm:^4.6.0, lodash.merge@npm:^4.6.2":
-  version: 4.6.2
-  resolution: "lodash.merge@npm:4.6.2"
-  checksum: ad580b4bdbb7ca1f7abf7e1bce63a9a0b98e370cf40194b03380a46b4ed799c9573029599caebc1b14e3f24b111aef72b96674a56cfa105e0f5ac70546cdc005
-  languageName: node
-  linkType: hard
-
-"lodash.omit@npm:^4.1.0":
-  version: 4.5.0
-  resolution: "lodash.omit@npm:4.5.0"
-  checksum: 434645e49fe84ab315719bd5a9a3a585a0f624aa4160bc09157dd041a414bcc287c15840365c1379476a3f3eda41fbe838976c3f7bdecbbf4c5478e86c471a30
-  languageName: node
-  linkType: hard
-
-"lodash.pick@npm:^4.4.0":
-  version: 4.4.0
-  resolution: "lodash.pick@npm:4.4.0"
-  checksum: 2c36cab7da6b999a20bd3373b40e31a3ef81fa264f34a6979c852c5bc8ac039379686b27380f0cb8e3781610844fafec6949c6fbbebc059c98f8fa8570e3675f
-  languageName: node
-  linkType: hard
-
-"lodash.restparam@npm:^3.0.0":
-  version: 3.6.1
-  resolution: "lodash.restparam@npm:3.6.1"
-  checksum: 8bda0c7aaeac93da2b7e856bfeec8e6fdefb4d7eadfe6fd84775312a729fc1cb985636d922fe33b49f41aba135204962f4b853d7946105b7704102edb2bf6082
-  languageName: node
-  linkType: hard
-
-"lodash.snakecase@npm:^4.1.1":
-  version: 4.1.1
-  resolution: "lodash.snakecase@npm:4.1.1"
-  checksum: 1685ed3e83dda6eae5a4dcaee161a51cd210aabb3e1c09c57150e7dd8feda19e4ca0d27d0631eabe8d0f4eaa51e376da64e8c018ae5415417c5890d42feb72a8
-  languageName: node
-  linkType: hard
-
-"lodash.template@npm:^4.4.0, lodash.template@npm:^4.5.0":
-  version: 4.5.0
-  resolution: "lodash.template@npm:4.5.0"
-  dependencies:
-    lodash._reinterpolate: ^3.0.0
-    lodash.templatesettings: ^4.0.0
-  checksum: ca64e5f07b6646c9d3dbc0fe3aaa995cb227c4918abd1cef7a9024cd9c924f2fa389a0ec4296aa6634667e029bc81d4bbdb8efbfde11df76d66085e6c529b450
-  languageName: node
-  linkType: hard
-
-"lodash.templatesettings@npm:^4.0.0":
-  version: 4.2.0
-  resolution: "lodash.templatesettings@npm:4.2.0"
-  dependencies:
-    lodash._reinterpolate: ^3.0.0
-  checksum: 863e025478b092997e11a04e9d9e735875eeff1ffcd6c61742aa8272e3c2cddc89ce795eb9726c4e74cef5991f722897ff37df7738a125895f23fc7d12a7bb59
-  languageName: node
-  linkType: hard
-
-"lodash.truncate@npm:^4.4.2":
-  version: 4.4.2
-  resolution: "lodash.truncate@npm:4.4.2"
-  checksum: b463d8a382cfb5f0e71c504dcb6f807a7bd379ff1ea216669aa42c52fc28c54e404bfbd96791aa09e6df0de2c1d7b8f1b7f4b1a61f324d38fe98bc535aeee4f5
-  languageName: node
-  linkType: hard
-
-"lodash.uniq@npm:^4.2.0, lodash.uniq@npm:^4.5.0":
-  version: 4.5.0
-  resolution: "lodash.uniq@npm:4.5.0"
-  checksum: a4779b57a8d0f3c441af13d9afe7ecff22dd1b8ce1129849f71d9bbc8e8ee4e46dfb4b7c28f7ad3d67481edd6e51126e4e2a6ee276e25906d10f7140187c392d
-  languageName: node
-  linkType: hard
-
-"lodash.uniqby@npm:^4.7.0":
-  version: 4.7.0
-  resolution: "lodash.uniqby@npm:4.7.0"
-  checksum: 659264545a95726d1493123345aad8cbf56e17810fa9a0b029852c6d42bc80517696af09d99b23bef1845d10d95e01b8b4a1da578f22aeba7a30d3e0022a4938
-  languageName: node
-  linkType: hard
-
-"lodash.values@npm:^4.3.0":
-  version: 4.3.0
-  resolution: "lodash.values@npm:4.3.0"
-  checksum: 857e122ddf6edb50137887f0b834d471f96d66692ebb5de8b048ed277c8a3dd1bc8f85d82cf31b0f5c6dbc5b72c036a591205f76eec86bb11818a1a6f7e5a28c
-  languageName: node
-  linkType: hard
-
-"lodash@npm:^4.0.0, lodash@npm:^4.17.10, lodash@npm:^4.17.11, lodash@npm:^4.17.12, lodash@npm:^4.17.14, lodash@npm:^4.17.15, lodash@npm:^4.17.19, lodash@npm:^4.17.21, lodash@npm:^4.17.4, lodash@npm:^4.5.1, lodash@npm:^4.7.0":
-  version: 4.17.21
-  resolution: "lodash@npm:4.17.21"
-  checksum: eb835a2e51d381e561e508ce932ea50a8e5a68f4ebdd771ea240d3048244a8d13658acbd502cd4829768c56f2e16bdd4340b9ea141297d472517b83868e677f7
-  languageName: node
-  linkType: hard
-
-"log-symbols@npm:^2.2.0":
-  version: 2.2.0
-  resolution: "log-symbols@npm:2.2.0"
-  dependencies:
-    chalk: ^2.0.1
-  checksum: 4c95e3b65f0352dbe91dc4989c10baf7a44e2ef5b0db7e6721e1476268e2b6f7090c3aa880d4f833a05c5c3ff18f4ec5215a09bd0099986d64a8186cfeb48ac8
-  languageName: node
-  linkType: hard
-
-"log-symbols@npm:^4.0.0, log-symbols@npm:^4.1.0":
-  version: 4.1.0
-  resolution: "log-symbols@npm:4.1.0"
-  dependencies:
-    chalk: ^4.1.0
-    is-unicode-supported: ^0.1.0
-  checksum: fce1497b3135a0198803f9f07464165e9eb83ed02ceb2273930a6f8a508951178d8cf4f0378e9d28300a2ed2bc49050995d2bd5f53ab716bb15ac84d58c6ef74
-  languageName: node
-  linkType: hard
-
-"log-update@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "log-update@npm:4.0.0"
-  dependencies:
-    ansi-escapes: ^4.3.0
-    cli-cursor: ^3.1.0
-    slice-ansi: ^4.0.0
-    wrap-ansi: ^6.2.0
-  checksum: ae2f85bbabc1906034154fb7d4c4477c79b3e703d22d78adee8b3862fa913942772e7fa11713e3d96fb46de4e3cabefbf5d0a544344f03b58d3c4bff52aa9eb2
-  languageName: node
-  linkType: hard
-
-"loglevel-colored-level-prefix@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "loglevel-colored-level-prefix@npm:1.0.0"
-  dependencies:
-    chalk: ^1.1.3
-    loglevel: ^1.4.1
-  checksum: 146aa7d0ea900d6d8523e945b2265be240e4c7c4752dae678983764dd756c44194684af1ee8ea721feff4c4f8c5771544a02a6cd8b269a663cffe9b4fcf955f1
-  languageName: node
-  linkType: hard
-
-"loglevel@npm:^1.4.1":
-  version: 1.7.1
-  resolution: "loglevel@npm:1.7.1"
-  checksum: 715a4ae69ad75d4d3bd04e4f6e9edbc4cae4db34d1e7f54f426d8cebe2dd9fef891ca3789e839d927cdbc5fad73d789e998db0af2f11f4c40219c272bc923823
-  languageName: node
-  linkType: hard
-
-"lolex@npm:^4.2.0":
-  version: 4.2.0
-  resolution: "lolex@npm:4.2.0"
-  checksum: 0a83bfe1748fc745515dff9b3f722422918f5f6975104d7e576fc32c06b5398ee0c58525684068d4de49cdd49874e00b5e2b2d72ce8c5d829dab86c8c08ca31f
-  languageName: node
-  linkType: hard
-
-"lolex@npm:^5.0.1":
-  version: 5.1.2
-  resolution: "lolex@npm:5.1.2"
-  dependencies:
-    "@sinonjs/commons": ^1.7.0
-  checksum: 7eb468d4ef4746c024d23cb2b75f679f79449a9d5cbe11abadf2f3b147c1d7ffe28816438bedfb8a75c58357a625c2f9ba197b050c226d2b3f0c4a956cf556fb
-  languageName: node
-  linkType: hard
-
-"longest-streak@npm:^2.0.0":
-  version: 2.0.4
-  resolution: "longest-streak@npm:2.0.4"
-  checksum: 28b8234a14963002c5c71035dee13a0a11e9e9d18ffa320fdc8796ed7437399204495702ed69cd2a7087b0af041a2a8b562829b7c1e2042e73a3374d1ecf6580
-  languageName: node
-  linkType: hard
-
-"loose-envify@npm:^1.0.0, loose-envify@npm:^1.4.0":
-  version: 1.4.0
-  resolution: "loose-envify@npm:1.4.0"
-  dependencies:
-    js-tokens: ^3.0.0 || ^4.0.0
-  bin:
-    loose-envify: cli.js
-  checksum: 6517e24e0cad87ec9888f500c5b5947032cdfe6ef65e1c1936a0c48a524b81e65542c9c3edc91c97d5bddc806ee2a985dbc79be89215d613b1de5db6d1cfe6f4
-  languageName: node
-  linkType: hard
-
-"lower-case@npm:^2.0.2":
-  version: 2.0.2
-  resolution: "lower-case@npm:2.0.2"
-  dependencies:
-    tslib: ^2.0.3
-  checksum: 83a0a5f159ad7614bee8bf976b96275f3954335a84fad2696927f609ddae902802c4f3312d86668722e668bef41400254807e1d3a7f2e8c3eede79691aa1f010
-  languageName: node
-  linkType: hard
-
-"lru-cache@npm:^5.1.1":
-  version: 5.1.1
-  resolution: "lru-cache@npm:5.1.1"
-  dependencies:
-    yallist: ^3.0.2
-  checksum: c154ae1cbb0c2206d1501a0e94df349653c92c8cbb25236d7e85190bcaf4567a03ac6eb43166fabfa36fd35623694da7233e88d9601fbf411a9a481d85dbd2cb
-  languageName: node
-  linkType: hard
-
-"lru-cache@npm:^6.0.0":
-  version: 6.0.0
-  resolution: "lru-cache@npm:6.0.0"
-  dependencies:
-    yallist: ^4.0.0
-  checksum: f97f499f898f23e4585742138a22f22526254fdba6d75d41a1c2526b3b6cc5747ef59c5612ba7375f42aca4f8461950e925ba08c991ead0651b4918b7c978297
-  languageName: node
-  linkType: hard
-
-"lru-cache@npm:^7.5.1, lru-cache@npm:^7.7.1":
-  version: 7.18.3
-  resolution: "lru-cache@npm:7.18.3"
-  checksum: e550d772384709deea3f141af34b6d4fa392e2e418c1498c078de0ee63670f1f46f5eee746e8ef7e69e1c895af0d4224e62ee33e66a543a14763b0f2e74c1356
-  languageName: node
-  linkType: hard
-
-"magic-string@npm:^0.24.0":
-  version: 0.24.1
-  resolution: "magic-string@npm:0.24.1"
-  dependencies:
-    sourcemap-codec: ^1.4.1
-  checksum: 335a4992a75b5869acf054216acf430bc587986500c495cb2f0d42d47364c7677c5a2db5a8465fac380ce5e87d33225e7f2e1cd8f586e7e5ceaf34d366650606
-  languageName: node
-  linkType: hard
-
-"magic-string@npm:^0.25.2, magic-string@npm:^0.25.7":
-  version: 0.25.7
-  resolution: "magic-string@npm:0.25.7"
-  dependencies:
-    sourcemap-codec: ^1.4.4
-  checksum: 727a1fb70f9610304fe384f1df0251eb7d1d9dd779c07ef1225690361b71b216f26f5d934bfb11c919b5b0e7ba50f6240c823a6f2e44cfd33d4a07d7747ca829
-  languageName: node
-  linkType: hard
-
-"magic-string@npm:^0.30.0":
-  version: 0.30.0
-  resolution: "magic-string@npm:0.30.0"
-  dependencies:
-    "@jridgewell/sourcemap-codec": ^1.4.13
-  checksum: 7bdf22e27334d8a393858a16f5f840af63a7c05848c000fd714da5aa5eefa09a1bc01d8469362f25cc5c4a14ec01b46557b7fff8751365522acddf21e57c488d
-  languageName: node
-  linkType: hard
-
-"make-dir@npm:^2.0.0":
-  version: 2.1.0
-  resolution: "make-dir@npm:2.1.0"
-  dependencies:
-    pify: ^4.0.1
-    semver: ^5.6.0
-  checksum: 043548886bfaf1820323c6a2997e6d2fa51ccc2586ac14e6f14634f7458b4db2daf15f8c310e2a0abd3e0cddc64df1890d8fc7263033602c47bb12cbfcf86aab
-  languageName: node
-  linkType: hard
-
-"make-dir@npm:^3.0.0, make-dir@npm:^3.0.2, make-dir@npm:^3.1.0":
-  version: 3.1.0
-  resolution: "make-dir@npm:3.1.0"
-  dependencies:
-    semver: ^6.0.0
-  checksum: 484200020ab5a1fdf12f393fe5f385fc8e4378824c940fba1729dcd198ae4ff24867bc7a5646331e50cead8abff5d9270c456314386e629acec6dff4b8016b78
-  languageName: node
-  linkType: hard
-
-"make-fetch-happen@npm:^10.0.3":
-  version: 10.2.1
-  resolution: "make-fetch-happen@npm:10.2.1"
-  dependencies:
-    agentkeepalive: ^4.2.1
-    cacache: ^16.1.0
-    http-cache-semantics: ^4.1.0
-    http-proxy-agent: ^5.0.0
-    https-proxy-agent: ^5.0.0
-    is-lambda: ^1.0.1
-    lru-cache: ^7.7.1
-    minipass: ^3.1.6
-    minipass-collect: ^1.0.2
-    minipass-fetch: ^2.0.3
-    minipass-flush: ^1.0.5
-    minipass-pipeline: ^1.2.4
-    negotiator: ^0.6.3
-    promise-retry: ^2.0.1
-    socks-proxy-agent: ^7.0.0
-    ssri: ^9.0.0
-  checksum: 2332eb9a8ec96f1ffeeea56ccefabcb4193693597b132cd110734d50f2928842e22b84cfa1508e921b8385cdfd06dda9ad68645fed62b50fff629a580f5fb72c
-  languageName: node
-  linkType: hard
-
-"make-plural@npm:^7.0.0":
-  version: 7.1.0
-  resolution: "make-plural@npm:7.1.0"
-  checksum: d0ef253e508c8cdbddcc37288d25e0944eb2bf800008bf178a1c37b101c3202d89609ddb577a10515bd2499c7665159594704682cc9c159cc20491da6b7ac09e
-  languageName: node
-  linkType: hard
-
-"makeerror@npm:1.0.12":
-  version: 1.0.12
-  resolution: "makeerror@npm:1.0.12"
-  dependencies:
-    tmpl: 1.0.5
-  checksum: b38a025a12c8146d6eeea5a7f2bf27d51d8ad6064da8ca9405fcf7bf9b54acd43e3b30ddd7abb9b1bfa4ddb266019133313482570ddb207de568f71ecfcf6060
-  languageName: node
-  linkType: hard
-
-"map-age-cleaner@npm:^0.1.3":
-  version: 0.1.3
-  resolution: "map-age-cleaner@npm:0.1.3"
-  dependencies:
-    p-defer: ^1.0.0
-  checksum: cb2804a5bcb3cbdfe4b59066ea6d19f5e7c8c196cd55795ea4c28f792b192e4c442426ae52524e5e1acbccf393d3bddacefc3d41f803e66453f6c4eda3650bc1
-  languageName: node
-  linkType: hard
-
-"map-cache@npm:^0.2.2":
-  version: 0.2.2
-  resolution: "map-cache@npm:0.2.2"
-  checksum: 3067cea54285c43848bb4539f978a15dedc63c03022abeec6ef05c8cb6829f920f13b94bcaf04142fc6a088318e564c4785704072910d120d55dbc2e0c421969
-  languageName: node
-  linkType: hard
-
-"map-obj@npm:^1.0.0":
-  version: 1.0.1
-  resolution: "map-obj@npm:1.0.1"
-  checksum: 9949e7baec2a336e63b8d4dc71018c117c3ce6e39d2451ccbfd3b8350c547c4f6af331a4cbe1c83193d7c6b786082b6256bde843db90cb7da2a21e8fcc28afed
-  languageName: node
-  linkType: hard
-
-"map-obj@npm:^4.1.0":
-  version: 4.3.0
-  resolution: "map-obj@npm:4.3.0"
-  checksum: fbc554934d1a27a1910e842bc87b177b1a556609dd803747c85ece420692380827c6ae94a95cce4407c054fa0964be3bf8226f7f2cb2e9eeee432c7c1985684e
-  languageName: node
-  linkType: hard
-
-"map-visit@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "map-visit@npm:1.0.0"
-  dependencies:
-    object-visit: ^1.0.0
-  checksum: c27045a5021c344fc19b9132eb30313e441863b2951029f8f8b66f79d3d8c1e7e5091578075a996f74e417479506fe9ede28c44ca7bc351a61c9d8073daec36a
-  languageName: node
-  linkType: hard
-
-"markdown-it-terminal@npm:^0.4.0":
-  version: 0.4.0
-  resolution: "markdown-it-terminal@npm:0.4.0"
-  dependencies:
-    ansi-styles: ^3.0.0
-    cardinal: ^1.0.0
-    cli-table: ^0.3.1
-    lodash.merge: ^4.6.2
-  peerDependencies:
-    markdown-it: ">= 13.0.0"
-  checksum: 45512555a4ffbad82d84d62c39c72a49e3c8f6553f79bebdb48fb75033abee019c90f0a13bee418cd1ea8e2f4bfa02011839afdac92c17c8381715c7de7dec87
-  languageName: node
-  linkType: hard
-
-"markdown-it@npm:^13.0.1":
-  version: 13.0.1
-  resolution: "markdown-it@npm:13.0.1"
-  dependencies:
-    argparse: ^2.0.1
-    entities: ~3.0.1
-    linkify-it: ^4.0.1
-    mdurl: ^1.0.1
-    uc.micro: ^1.0.5
-  bin:
-    markdown-it: bin/markdown-it.js
-  checksum: faf5891d389dc433bcf21d3fbff2009beb044b42b117c92f4848899780ca1a2282a209e3ff4672db4afed726a7248304ec473e6e242a7d6498af7113d31974e7
-  languageName: node
-  linkType: hard
-
-"markdown-table@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "markdown-table@npm:2.0.0"
-  dependencies:
-    repeat-string: ^1.0.0
-  checksum: 9bb634a9300016cbb41216c1eab44c74b6b7083ac07872e296f900a29449cf0e260ece03fa10c3e9784ab94c61664d1d147da0315f95e1336e2bdcc025615c90
-  languageName: node
-  linkType: hard
-
-"matcher-collection@npm:^1.0.0, matcher-collection@npm:^1.0.4, matcher-collection@npm:^1.1.1":
-  version: 1.1.2
-  resolution: "matcher-collection@npm:1.1.2"
-  dependencies:
-    minimatch: ^3.0.2
-  checksum: 9aaf90944fa185187a099000b5df9542b85c4fd330c66f1747578c945b78242376066d1a1bc74fcd6d48375ab11dd2dbb5619c6f1c00e7720cf1f4f5df9d291b
-  languageName: node
-  linkType: hard
-
-"matcher-collection@npm:^2.0.0, matcher-collection@npm:^2.0.1":
-  version: 2.0.1
-  resolution: "matcher-collection@npm:2.0.1"
-  dependencies:
-    "@types/minimatch": ^3.0.3
-    minimatch: ^3.0.2
-  checksum: f6d4f94bdcf773f9cbd4b7b10199a7632c434833a4c01bfb29c373e118647bb3b748aa3f20c70d6c3a715915fcc44ad4a77a9f8d5f059f3a0d15c984c0acc83d
-  languageName: node
-  linkType: hard
-
-"mathml-tag-names@npm:^2.1.3":
-  version: 2.1.3
-  resolution: "mathml-tag-names@npm:2.1.3"
-  checksum: 1201a25a137d6b9e328facd67912058b8b45b19a6c4cc62641c9476195da28a275ca6e0eca070af5378b905c2b11abc1114676ba703411db0b9ce007de921ad0
-  languageName: node
-  linkType: hard
-
-"md5.js@npm:^1.3.4":
-  version: 1.3.5
-  resolution: "md5.js@npm:1.3.5"
-  dependencies:
-    hash-base: ^3.0.0
-    inherits: ^2.0.1
-    safe-buffer: ^5.1.2
-  checksum: 098494d885684bcc4f92294b18ba61b7bd353c23147fbc4688c75b45cb8590f5a95fd4584d742415dcc52487f7a1ef6ea611cfa1543b0dc4492fe026357f3f0c
-  languageName: node
-  linkType: hard
-
-"mdast-util-find-and-replace@npm:^1.1.0":
-  version: 1.1.1
-  resolution: "mdast-util-find-and-replace@npm:1.1.1"
-  dependencies:
-    escape-string-regexp: ^4.0.0
-    unist-util-is: ^4.0.0
-    unist-util-visit-parents: ^3.0.0
-  checksum: e4c9e50d9bce5ae4c728a925bd60080b94d16aaa312c27e2b70b16ddc29a5d0a0844d6e18efaef08aeb22c68303ec528f20183d1b0420504a0c2c1710cebd76f
-  languageName: node
-  linkType: hard
-
-"mdast-util-footnote@npm:^0.1.0":
-  version: 0.1.7
-  resolution: "mdast-util-footnote@npm:0.1.7"
-  dependencies:
-    mdast-util-to-markdown: ^0.6.0
-    micromark: ~2.11.0
-  checksum: 6d05396a9497c289fecf844d68d3210968750b215cf1df3fd1962c77d73560d8598cc4d79cef36a750d5b43f30b71fec079e0563f267b65072cfc38548d39eda
-  languageName: node
-  linkType: hard
-
-"mdast-util-from-markdown@npm:^0.8.0":
-  version: 0.8.5
-  resolution: "mdast-util-from-markdown@npm:0.8.5"
-  dependencies:
-    "@types/mdast": ^3.0.0
-    mdast-util-to-string: ^2.0.0
-    micromark: ~2.11.0
-    parse-entities: ^2.0.0
-    unist-util-stringify-position: ^2.0.0
-  checksum: 5a9d0d753a42db763761e874c22365d0c7c9934a5a18b5ff76a0643610108a208a041ffdb2f3d3dd1863d3d915225a4020a0aade282af0facfd0df110601eee6
-  languageName: node
-  linkType: hard
-
-"mdast-util-frontmatter@npm:^0.2.0":
-  version: 0.2.0
-  resolution: "mdast-util-frontmatter@npm:0.2.0"
-  dependencies:
-    micromark-extension-frontmatter: ^0.2.0
-  checksum: 6dbed31233b34b41dd09da4756bbe3bd674fa3033c58f771f419e56675b8c7a601a18838d027fdb9cbef3b958346c661f7926ca401e154e63c071ecb2a3596a2
-  languageName: node
-  linkType: hard
-
-"mdast-util-gfm-autolink-literal@npm:^0.1.0":
-  version: 0.1.3
-  resolution: "mdast-util-gfm-autolink-literal@npm:0.1.3"
-  dependencies:
-    ccount: ^1.0.0
-    mdast-util-find-and-replace: ^1.1.0
-    micromark: ^2.11.3
-  checksum: 9f7b888678631fd8c0a522b0689a750aead2b05d57361dbdf02c10381557f1ce874f746226141f3ace1e0e7952495e8d5ce8f9af423a7a66bb300d4635a918eb
-  languageName: node
-  linkType: hard
-
-"mdast-util-gfm-strikethrough@npm:^0.2.0":
-  version: 0.2.3
-  resolution: "mdast-util-gfm-strikethrough@npm:0.2.3"
-  dependencies:
-    mdast-util-to-markdown: ^0.6.0
-  checksum: 51aa11ca8f1a5745f1eb9ccddb0eca797b3ede6f0c7bf355d594ad57c02c98d95260f00b1c4b07504018e0b22708531eabb76037841f09ce8465444706a06522
-  languageName: node
-  linkType: hard
-
-"mdast-util-gfm-table@npm:^0.1.0":
-  version: 0.1.6
-  resolution: "mdast-util-gfm-table@npm:0.1.6"
-  dependencies:
-    markdown-table: ^2.0.0
-    mdast-util-to-markdown: ~0.6.0
-  checksum: eeb43faf833753315b4ccf8d7bc8a6845b31562b2d2dd12a92aa40f9cee1b1954643c7515399a98f9b2e143c95cf6b5c0aac5941a4f609d6a57335587cee99ac
-  languageName: node
-  linkType: hard
-
-"mdast-util-gfm-task-list-item@npm:^0.1.0":
-  version: 0.1.6
-  resolution: "mdast-util-gfm-task-list-item@npm:0.1.6"
-  dependencies:
-    mdast-util-to-markdown: ~0.6.0
-  checksum: c10480c0ae86547980b38b49fba2ecd36a50bf1f3478d3f12810a0d8e8f821585c2bd7d805dd735518e84493b5eef314afdb8d59807021e2d9aa22d077eb7588
-  languageName: node
-  linkType: hard
-
-"mdast-util-gfm@npm:^0.1.0":
-  version: 0.1.2
-  resolution: "mdast-util-gfm@npm:0.1.2"
-  dependencies:
-    mdast-util-gfm-autolink-literal: ^0.1.0
-    mdast-util-gfm-strikethrough: ^0.2.0
-    mdast-util-gfm-table: ^0.1.0
-    mdast-util-gfm-task-list-item: ^0.1.0
-    mdast-util-to-markdown: ^0.6.1
-  checksum: 368ed535b2c2e0f33d0225a9e9c985468bf4825a06896815369aea585f6defaccb555ac40ba911e02c8e8c47e79f7efb4348de532de50bca2638a1e568f2d3c9
-  languageName: node
-  linkType: hard
-
-"mdast-util-to-markdown@npm:^0.6.0, mdast-util-to-markdown@npm:^0.6.1, mdast-util-to-markdown@npm:~0.6.0":
-  version: 0.6.5
-  resolution: "mdast-util-to-markdown@npm:0.6.5"
-  dependencies:
-    "@types/unist": ^2.0.0
-    longest-streak: ^2.0.0
-    mdast-util-to-string: ^2.0.0
-    parse-entities: ^2.0.0
-    repeat-string: ^1.0.0
-    zwitch: ^1.0.0
-  checksum: 7ebc47533bff6e8669f85ae124dc521ea570e9df41c0d9e4f0f43c19ef4a8c9928d741f3e4afa62fcca1927479b714582ff5fd684ef240d84ee5b75ab9d863cf
-  languageName: node
-  linkType: hard
-
-"mdast-util-to-string@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "mdast-util-to-string@npm:2.0.0"
-  checksum: 0b2113ada10e002fbccb014170506dabe2f2ddacaacbe4bc1045c33f986652c5a162732a2c057c5335cdb58419e2ad23e368e5be226855d4d4e280b81c4e9ec2
-  languageName: node
-  linkType: hard
-
-"mdn-data@npm:2.0.27":
-  version: 2.0.27
-  resolution: "mdn-data@npm:2.0.27"
-  checksum: df94012b7b50d5ac7b862dd603c0cd2712c47e5a7b8a1d914054989d6d798320459319dd99d17ba6d0ff39a9fb50b117c9e8bf88a767635849719ff44912614e
-  languageName: node
-  linkType: hard
-
-"mdn-data@npm:2.0.30":
-  version: 2.0.30
-  resolution: "mdn-data@npm:2.0.30"
-  checksum: d6ac5ac7439a1607df44b22738ecf83f48e66a0874e4482d6424a61c52da5cde5750f1d1229b6f5fa1b80a492be89465390da685b11f97d62b8adcc6e88189aa
-  languageName: node
-  linkType: hard
-
-"mdn-data@npm:2.0.4":
-  version: 2.0.4
-  resolution: "mdn-data@npm:2.0.4"
-  checksum: add3c95e6d03d301b8a8bcfee3de33f4d07e4c5eee5b79f18d6d737de717e22472deadf67c1a8563983c0b603e10d7df40aa8e5fddf18884dfe118ccec7ae329
-  languageName: node
-  linkType: hard
-
-"mdn-data@npm:~1.1.0":
-  version: 1.1.4
-  resolution: "mdn-data@npm:1.1.4"
-  checksum: 146dbea4c8bd68547f6ffec22868f099f82cead2a7a55eb70f80cf1a4958e3504c2d9bf17f3f0675f76f2b5a396b4ef2a5e9998af6c070625e9650771101c139
-  languageName: node
-  linkType: hard
-
-"mdurl@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "mdurl@npm:1.0.1"
-  checksum: 71731ecba943926bfbf9f9b51e28b5945f9411c4eda80894221b47cc105afa43ba2da820732b436f0798fd3edbbffcd1fc1415843c41a87fea08a41cc1e3d02b
-  languageName: node
-  linkType: hard
-
-"media-typer@npm:0.3.0":
-  version: 0.3.0
-  resolution: "media-typer@npm:0.3.0"
-  checksum: af1b38516c28ec95d6b0826f6c8f276c58aec391f76be42aa07646b4e39d317723e869700933ca6995b056db4b09a78c92d5440dc23657e6764be5d28874bba1
-  languageName: node
-  linkType: hard
-
-"mem@npm:^5.0.0":
-  version: 5.1.1
-  resolution: "mem@npm:5.1.1"
-  dependencies:
-    map-age-cleaner: ^0.1.3
-    mimic-fn: ^2.1.0
-    p-is-promise: ^2.1.0
-  checksum: 134ec3af9a290ca0ba3fcf0c21c344bdfd097073874ffebb9345f250a028e67a7bd81df1c6b8daa73498f995d55e4d8d4cb718132b23959609f0e8865f7551de
-  languageName: node
-  linkType: hard
-
-"memory-fs@npm:^0.4.1":
-  version: 0.4.1
-  resolution: "memory-fs@npm:0.4.1"
-  dependencies:
-    errno: ^0.1.3
-    readable-stream: ^2.0.1
-  checksum: 6db6c8682eff836664ca9b5b6052ae38d21713dda9d0ef4700fa5c0599a8bc16b2093bee75ac3dedbe59fb2222d368f25bafaa62ba143c41051359cbcb005044
-  languageName: node
-  linkType: hard
-
-"memory-fs@npm:^0.5.0":
-  version: 0.5.0
-  resolution: "memory-fs@npm:0.5.0"
-  dependencies:
-    errno: ^0.1.3
-    readable-stream: ^2.0.1
-  checksum: a9f25b0a8ecfb7324277393f19ef68e6ba53b9e6e4b526bbf2ba23055c5440fbf61acc7bf66bfd980e9eb4951a4790f6f777a9a3abd36603f22c87e8a64d3d6b
-  languageName: node
-  linkType: hard
-
-"memory-streams@npm:^0.1.3":
-  version: 0.1.3
-  resolution: "memory-streams@npm:0.1.3"
-  dependencies:
-    readable-stream: ~1.0.2
-  checksum: aebb6dc54c35ff8e7fcbbffc736ae95938d9bb7ed66735b693ed18743fcc6268f64eaa80b2580a49c3c73ddc00cd880d5847f318997affe6d2a46b75365715f8
-  languageName: node
-  linkType: hard
-
-"memorystream@npm:^0.3.1":
-  version: 0.3.1
-  resolution: "memorystream@npm:0.3.1"
-  checksum: f18b42440d24d09516d01466c06adf797df7873f0d40aa7db02e5fb9ed83074e5e65412d0720901d7069363465f82dc4f8bcb44f0cde271567a61426ce6ca2e9
-  languageName: node
-  linkType: hard
-
-"meow@npm:^10.1.5":
-  version: 10.1.5
-  resolution: "meow@npm:10.1.5"
-  dependencies:
-    "@types/minimist": ^1.2.2
-    camelcase-keys: ^7.0.0
-    decamelize: ^5.0.0
-    decamelize-keys: ^1.1.0
-    hard-rejection: ^2.1.0
-    minimist-options: 4.1.0
-    normalize-package-data: ^3.0.2
-    read-pkg-up: ^8.0.0
-    redent: ^4.0.0
-    trim-newlines: ^4.0.2
-    type-fest: ^1.2.2
-    yargs-parser: ^20.2.9
-  checksum: dd5f0caa4af18517813547dc66741dcbf52c4c23def5062578d39b11189fd9457aee5c1f2263a5cd6592a465023df8357e8ac876b685b64dbcf545e3f66c23a7
-  languageName: node
-  linkType: hard
-
-"merge-descriptors@npm:1.0.1":
-  version: 1.0.1
-  resolution: "merge-descriptors@npm:1.0.1"
-  checksum: 5abc259d2ae25bb06d19ce2b94a21632583c74e2a9109ee1ba7fd147aa7362b380d971e0251069f8b3eb7d48c21ac839e21fa177b335e82c76ec172e30c31a26
-  languageName: node
-  linkType: hard
-
-"merge-stream@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "merge-stream@npm:2.0.0"
-  checksum: 6fa4dcc8d86629705cea944a4b88ef4cb0e07656ebf223fa287443256414283dd25d91c1cd84c77987f2aec5927af1a9db6085757cb43d90eb170ebf4b47f4f4
-  languageName: node
-  linkType: hard
-
-"merge-trees@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "merge-trees@npm:1.0.1"
-  dependencies:
-    can-symlink: ^1.0.0
-    fs-tree-diff: ^0.5.4
-    heimdalljs: ^0.2.1
-    heimdalljs-logger: ^0.1.7
-    rimraf: ^2.4.3
-    symlink-or-copy: ^1.0.0
-  checksum: d32b06a9b18ab6963718c99b38fbe010e91f54a16f6f5555b32d48be0938c7f33ea81b8f0411846c43e6a5cfdbbf9aa2817fccc0186c2aa071944fe76bdc0372
-  languageName: node
-  linkType: hard
-
-"merge-trees@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "merge-trees@npm:2.0.0"
-  dependencies:
-    fs-updater: ^1.0.4
-    heimdalljs: ^0.2.5
-  checksum: 8e315ac6838192a7e61fecd003cca465b135b60d9d74e37501eef01e29a6f403850359b28a7b8696f369127caf28a5ff6d22493f11dc9cf5f7bbdfa11836cd7e
-  languageName: node
-  linkType: hard
-
-"merge2@npm:^1.2.3, merge2@npm:^1.3.0, merge2@npm:^1.4.1":
-  version: 1.4.1
-  resolution: "merge2@npm:1.4.1"
-  checksum: 7268db63ed5169466540b6fb947aec313200bcf6d40c5ab722c22e242f651994619bcd85601602972d3c85bd2cc45a358a4c61937e9f11a061919a1da569b0c2
-  languageName: node
-  linkType: hard
-
-"methods@npm:~1.1.2":
-  version: 1.1.2
-  resolution: "methods@npm:1.1.2"
-  checksum: 0917ff4041fa8e2f2fda5425a955fe16ca411591fbd123c0d722fcf02b73971ed6f764d85f0a6f547ce49ee0221ce2c19a5fa692157931cecb422984f1dcd13a
-  languageName: node
-  linkType: hard
-
-"micromark-extension-footnote@npm:^0.3.0":
-  version: 0.3.2
-  resolution: "micromark-extension-footnote@npm:0.3.2"
-  dependencies:
-    micromark: ~2.11.0
-  checksum: 476c7f7ae86d7b3c33a07cbf7286d2cce06aa9b348eed79867fd6abc98c37519464c335c522e85208c99e573c1abbbcb72a0a27897f2a0b505d993c76df7bd1d
-  languageName: node
-  linkType: hard
-
-"micromark-extension-frontmatter@npm:^0.2.0":
-  version: 0.2.2
-  resolution: "micromark-extension-frontmatter@npm:0.2.2"
-  dependencies:
-    fault: ^1.0.0
-  checksum: b591494c2910162a47b4413b43d80b1e3f148c0d92955576737ff36525f34deb6cc784cdbede76c4ce6a9d06c75586c7198ffb84f97efee894cafabcc86716e4
-  languageName: node
-  linkType: hard
-
-"micromark-extension-gfm-autolink-literal@npm:~0.5.0":
-  version: 0.5.7
-  resolution: "micromark-extension-gfm-autolink-literal@npm:0.5.7"
-  dependencies:
-    micromark: ~2.11.3
-  checksum: 319ec793c2e374e4cc0cbbb07326c1affb78819e507c7c1577f9d14b972852a6bb55e664332ec51f7cca24bdddd43429c5dd55f11e9200b1a00bab1bf494fb2d
-  languageName: node
-  linkType: hard
-
-"micromark-extension-gfm-strikethrough@npm:~0.6.5":
-  version: 0.6.5
-  resolution: "micromark-extension-gfm-strikethrough@npm:0.6.5"
-  dependencies:
-    micromark: ~2.11.0
-  checksum: 67711633590d3e688759a46aaed9f9d04bcaf29b6615eec17af082eabe1059fbca4beb41ba13db418ae7be3ac90198742fbabe519a70f9b6bb615598c5d6ef1a
-  languageName: node
-  linkType: hard
-
-"micromark-extension-gfm-table@npm:~0.4.0":
-  version: 0.4.3
-  resolution: "micromark-extension-gfm-table@npm:0.4.3"
-  dependencies:
-    micromark: ~2.11.0
-  checksum: 12c78de985944dd66aae409871c45d801cc65704f55ea5cc8afac422042c6d3b5e777b154c079ae81298b30b83434b257b54981bda51c220a102042dd2524a63
-  languageName: node
-  linkType: hard
-
-"micromark-extension-gfm-tagfilter@npm:~0.3.0":
-  version: 0.3.0
-  resolution: "micromark-extension-gfm-tagfilter@npm:0.3.0"
-  checksum: 9369736a203836b2933dfdeacab863e7a4976139b9dd46fa5bd6c2feeef50c7dbbcdd641ae95f0481f577d8aa22396bfa7ed9c38515647d4cf3f2c727cc094a3
-  languageName: node
-  linkType: hard
-
-"micromark-extension-gfm-task-list-item@npm:~0.3.0":
-  version: 0.3.3
-  resolution: "micromark-extension-gfm-task-list-item@npm:0.3.3"
-  dependencies:
-    micromark: ~2.11.0
-  checksum: e4ccbe6b440234c8ee05d89315e1204c78773724241af31ac328194470a8a61bc6606eab3ce2d9a83da4401b06e07936038654493da715d40522133d1556dda4
-  languageName: node
-  linkType: hard
-
-"micromark-extension-gfm@npm:^0.3.0":
-  version: 0.3.3
-  resolution: "micromark-extension-gfm@npm:0.3.3"
-  dependencies:
-    micromark: ~2.11.0
-    micromark-extension-gfm-autolink-literal: ~0.5.0
-    micromark-extension-gfm-strikethrough: ~0.6.5
-    micromark-extension-gfm-table: ~0.4.0
-    micromark-extension-gfm-tagfilter: ~0.3.0
-    micromark-extension-gfm-task-list-item: ~0.3.0
-  checksum: 7957a1afd8c92daa0fc165342902729334b22d59feacd85b20a0d9cc453c90bbdd5b5ba85a3d177c01802060aeb3326daf05d3e6d95932fcbc8371827c98336e
-  languageName: node
-  linkType: hard
-
-"micromark@npm:^2.11.3, micromark@npm:~2.11.0, micromark@npm:~2.11.3":
-  version: 2.11.4
-  resolution: "micromark@npm:2.11.4"
-  dependencies:
-    debug: ^4.0.0
-    parse-entities: ^2.0.0
-  checksum: f8a5477d394908a5d770227aea71657a76423d420227c67ea0699e659a5f62eb39d504c1f7d69ec525a6af5aaeb6a7bffcdba95614968c03d41d3851edecb0d6
-  languageName: node
-  linkType: hard
-
-"micromatch@npm:^3.0.4, micromatch@npm:^3.1.10, micromatch@npm:^3.1.4":
-  version: 3.1.10
-  resolution: "micromatch@npm:3.1.10"
-  dependencies:
-    arr-diff: ^4.0.0
-    array-unique: ^0.3.2
-    braces: ^2.3.1
-    define-property: ^2.0.2
-    extend-shallow: ^3.0.2
-    extglob: ^2.0.4
-    fragment-cache: ^0.2.1
-    kind-of: ^6.0.2
-    nanomatch: ^1.2.9
-    object.pick: ^1.3.0
-    regex-not: ^1.0.0
-    snapdragon: ^0.8.1
-    to-regex: ^3.0.2
-  checksum: ad226cba4daa95b4eaf47b2ca331c8d2e038d7b41ae7ed0697cde27f3f1d6142881ab03d4da51b65d9d315eceb5e4cdddb3fbb55f5f72cfa19cf3ea469d054dc
-  languageName: node
-  linkType: hard
-
-"micromatch@npm:^4.0.2, micromatch@npm:^4.0.4":
-  version: 4.0.4
-  resolution: "micromatch@npm:4.0.4"
-  dependencies:
-    braces: ^3.0.1
-    picomatch: ^2.2.3
-  checksum: ef3d1c88e79e0a68b0e94a03137676f3324ac18a908c245a9e5936f838079fcc108ac7170a5fadc265a9c2596963462e402841406bda1a4bb7b68805601d631c
-  languageName: node
-  linkType: hard
-
-"micromatch@npm:^4.0.5":
-  version: 4.0.5
-  resolution: "micromatch@npm:4.0.5"
-  dependencies:
-    braces: ^3.0.2
-    picomatch: ^2.3.1
-  checksum: 02a17b671c06e8fefeeb6ef996119c1e597c942e632a21ef589154f23898c9c6a9858526246abb14f8bca6e77734aa9dcf65476fca47cedfb80d9577d52843fc
-  languageName: node
-  linkType: hard
-
-"miller-rabin@npm:^4.0.0":
-  version: 4.0.1
-  resolution: "miller-rabin@npm:4.0.1"
-  dependencies:
-    bn.js: ^4.0.0
-    brorand: ^1.0.1
-  bin:
-    miller-rabin: bin/miller-rabin
-  checksum: 00cd1ab838ac49b03f236cc32a14d29d7d28637a53096bf5c6246a032a37749c9bd9ce7360cbf55b41b89b7d649824949ff12bc8eee29ac77c6b38eada619ece
-  languageName: node
-  linkType: hard
-
-"mime-db@npm:1.47.0, mime-db@npm:>= 1.43.0 < 2":
-  version: 1.47.0
-  resolution: "mime-db@npm:1.47.0"
-  checksum: 6808235243c39b3142e677af86972cf32de8ebbec81178491475a79aa07caf67646cd9b559972d22c3c372ddca4a093e58bb0ba10376d75a1efbd0e07be82de2
-  languageName: node
-  linkType: hard
-
-"mime-db@npm:1.51.0":
-  version: 1.51.0
-  resolution: "mime-db@npm:1.51.0"
-  checksum: 613b1ac9d6e725cc24444600b124a7f1ce6c60b1baa654f39a3e260d0995a6dffc5693190217e271af7e2a5612dae19f2a73f3e316707d797a7391165f7ef423
-  languageName: node
-  linkType: hard
-
-"mime-db@npm:1.52.0":
-  version: 1.52.0
-  resolution: "mime-db@npm:1.52.0"
-  checksum: 0d99a03585f8b39d68182803b12ac601d9c01abfa28ec56204fa330bc9f3d1c5e14beb049bafadb3dbdf646dfb94b87e24d4ec7b31b7279ef906a8ea9b6a513f
-  languageName: node
-  linkType: hard
-
-"mime-types@npm:^2.1.12, mime-types@npm:^2.1.18, mime-types@npm:^2.1.26, mime-types@npm:~2.1.19, mime-types@npm:~2.1.24":
-  version: 2.1.30
-  resolution: "mime-types@npm:2.1.30"
-  dependencies:
-    mime-db: 1.47.0
-  checksum: 53c36729b1c4f6029fd5957d5859e62eff4b86311a6e1dce87937583dc8971fec9f359ffcff4be93d26bb5ddd03f1b5ffc7626912031ce0a63510d7896521b2e
-  languageName: node
-  linkType: hard
-
-"mime-types@npm:^2.1.19":
-  version: 2.1.34
-  resolution: "mime-types@npm:2.1.34"
-  dependencies:
-    mime-db: 1.51.0
-  checksum: 67013de9e9d6799bde6d669d18785b7e18bcd212e710d3e04a4727f92f67a8ad4e74aee24be28b685adb794944814bde649119b58ee3282ffdbee58f9278d9f3
-  languageName: node
-  linkType: hard
-
-"mime-types@npm:^2.1.27, mime-types@npm:~2.1.34":
-  version: 2.1.35
-  resolution: "mime-types@npm:2.1.35"
-  dependencies:
-    mime-db: 1.52.0
-  checksum: 89a5b7f1def9f3af5dad6496c5ed50191ae4331cc5389d7c521c8ad28d5fdad2d06fd81baf38fed813dc4e46bb55c8145bb0ff406330818c9cf712fb2e9b3836
-  languageName: node
-  linkType: hard
-
-"mime@npm:1.6.0":
-  version: 1.6.0
-  resolution: "mime@npm:1.6.0"
-  bin:
-    mime: cli.js
-  checksum: fef25e39263e6d207580bdc629f8872a3f9772c923c7f8c7e793175cee22777bbe8bba95e5d509a40aaa292d8974514ce634ae35769faa45f22d17edda5e8557
-  languageName: node
-  linkType: hard
-
-"mimic-fn@npm:^1.0.0":
-  version: 1.2.0
-  resolution: "mimic-fn@npm:1.2.0"
-  checksum: 69c08205156a1f4906d9c46f9b4dc08d18a50176352e77fdeb645cedfe9f20c0b19865d465bd2dec27a5c432347f24dc07fc3695e11159d193f892834233e939
-  languageName: node
-  linkType: hard
-
-"mimic-fn@npm:^2.1.0":
-  version: 2.1.0
-  resolution: "mimic-fn@npm:2.1.0"
-  checksum: d2421a3444848ce7f84bd49115ddacff29c15745db73f54041edc906c14b131a38d05298dae3081667627a59b2eb1ca4b436ff2e1b80f69679522410418b478a
-  languageName: node
-  linkType: hard
-
-"min-indent@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "min-indent@npm:1.0.1"
-  checksum: bfc6dd03c5eaf623a4963ebd94d087f6f4bbbfd8c41329a7f09706b0cb66969c4ddd336abeb587bc44bc6f08e13bf90f0b374f9d71f9f01e04adc2cd6f083ef1
-  languageName: node
-  linkType: hard
-
-"mini-css-extract-plugin@npm:^2.5.2":
-  version: 2.6.0
-  resolution: "mini-css-extract-plugin@npm:2.6.0"
-  dependencies:
-    schema-utils: ^4.0.0
-  peerDependencies:
-    webpack: ^5.0.0
-  checksum: ea73bd66558de7a37db094fe68fa130e7a725ab15f880ff8467a75d9c4c2f1576d20720088ea22af9922a94b8600bbfef0c6acaf10d12a32a9bd20a90ba3c35f
-  languageName: node
-  linkType: hard
-
-"minimalistic-assert@npm:^1.0.0, minimalistic-assert@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "minimalistic-assert@npm:1.0.1"
-  checksum: cc7974a9268fbf130fb055aff76700d7e2d8be5f761fb5c60318d0ed010d839ab3661a533ad29a5d37653133385204c503bfac995aaa4236f4e847461ea32ba7
-  languageName: node
-  linkType: hard
-
-"minimalistic-crypto-utils@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "minimalistic-crypto-utils@npm:1.0.1"
-  checksum: 6e8a0422b30039406efd4c440829ea8f988845db02a3299f372fceba56ffa94994a9c0f2fd70c17f9969eedfbd72f34b5070ead9656a34d3f71c0bd72583a0ed
-  languageName: node
-  linkType: hard
-
-"minimatch@npm:^3.0.2":
-  version: 3.0.4
-  resolution: "minimatch@npm:3.0.4"
-  dependencies:
-    brace-expansion: ^1.1.7
-  checksum: 66ac295f8a7b59788000ea3749938b0970344c841750abd96694f80269b926ebcafad3deeb3f1da2522978b119e6ae3a5869b63b13a7859a456b3408bd18a078
-  languageName: node
-  linkType: hard
-
-"minimist-options@npm:4.1.0":
-  version: 4.1.0
-  resolution: "minimist-options@npm:4.1.0"
-  dependencies:
-    arrify: ^1.0.1
-    is-plain-obj: ^1.1.0
-    kind-of: ^6.0.3
-  checksum: 8c040b3068811e79de1140ca2b708d3e203c8003eb9a414c1ab3cd467fc5f17c9ca02a5aef23bedc51a7f8bfbe77f87e9a7e31ec81fba304cda675b019496f4e
-  languageName: node
-  linkType: hard
-
-"minimist@npm:^0.2.1":
-  version: 0.2.4
-  resolution: "minimist@npm:0.2.4"
-  checksum: 52ab5922f5fd4f2d17410619c5e8c2df79327e7d94a59a9d1e7c567c5ef991c5385f7adb5c090d213fe5701e1fa1b6bb3d89a319e3b1b656b5a17308c87e2513
-  languageName: node
-  linkType: hard
-
-"minimist@npm:^1.1.1, minimist@npm:^1.2.0, minimist@npm:^1.2.5, minimist@npm:^1.2.6":
-  version: 1.2.6
-  resolution: "minimist@npm:1.2.6"
-  checksum: d15428cd1e11eb14e1233bcfb88ae07ed7a147de251441d61158619dfb32c4d7e9061d09cab4825fdee18ecd6fce323228c8c47b5ba7cd20af378ca4048fb3fb
-  languageName: node
-  linkType: hard
-
-"minipass-collect@npm:^1.0.2":
-  version: 1.0.2
-  resolution: "minipass-collect@npm:1.0.2"
-  dependencies:
-    minipass: ^3.0.0
-  checksum: 14df761028f3e47293aee72888f2657695ec66bd7d09cae7ad558da30415fdc4752bbfee66287dcc6fd5e6a2fa3466d6c484dc1cbd986525d9393b9523d97f10
-  languageName: node
-  linkType: hard
-
-"minipass-fetch@npm:^2.0.3":
-  version: 2.1.2
-  resolution: "minipass-fetch@npm:2.1.2"
-  dependencies:
-    encoding: ^0.1.13
-    minipass: ^3.1.6
-    minipass-sized: ^1.0.3
-    minizlib: ^2.1.2
-  dependenciesMeta:
-    encoding:
-      optional: true
-  checksum: 3f216be79164e915fc91210cea1850e488793c740534985da017a4cbc7a5ff50506956d0f73bb0cb60e4fe91be08b6b61ef35101706d3ef5da2c8709b5f08f91
-  languageName: node
-  linkType: hard
-
-"minipass-flush@npm:^1.0.5":
-  version: 1.0.5
-  resolution: "minipass-flush@npm:1.0.5"
-  dependencies:
-    minipass: ^3.0.0
-  checksum: 56269a0b22bad756a08a94b1ffc36b7c9c5de0735a4dd1ab2b06c066d795cfd1f0ac44a0fcae13eece5589b908ecddc867f04c745c7009be0b566421ea0944cf
-  languageName: node
-  linkType: hard
-
-"minipass-pipeline@npm:^1.2.4":
-  version: 1.2.4
-  resolution: "minipass-pipeline@npm:1.2.4"
-  dependencies:
-    minipass: ^3.0.0
-  checksum: b14240dac0d29823c3d5911c286069e36d0b81173d7bdf07a7e4a91ecdef92cdff4baaf31ea3746f1c61e0957f652e641223970870e2353593f382112257971b
-  languageName: node
-  linkType: hard
-
-"minipass-sized@npm:^1.0.3":
-  version: 1.0.3
-  resolution: "minipass-sized@npm:1.0.3"
-  dependencies:
-    minipass: ^3.0.0
-  checksum: 79076749fcacf21b5d16dd596d32c3b6bf4d6e62abb43868fac21674078505c8b15eaca4e47ed844985a4514854f917d78f588fcd029693709417d8f98b2bd60
-  languageName: node
-  linkType: hard
-
-"minipass@npm:^2.2.0":
-  version: 2.9.0
-  resolution: "minipass@npm:2.9.0"
-  dependencies:
-    safe-buffer: ^5.1.2
-    yallist: ^3.0.0
-  checksum: 077b66f31ba44fd5a0d27d12a9e6a86bff8f97a4978dedb0373167156b5599fadb6920fdde0d9f803374164d810e05e8462ce28e86abbf7f0bea293a93711fc6
-  languageName: node
-  linkType: hard
-
-"minipass@npm:^3.0.0, minipass@npm:^3.1.1, minipass@npm:^3.1.6":
-  version: 3.3.6
-  resolution: "minipass@npm:3.3.6"
-  dependencies:
-    yallist: ^4.0.0
-  checksum: a30d083c8054cee83cdcdc97f97e4641a3f58ae743970457b1489ce38ee1167b3aaf7d815cd39ec7a99b9c40397fd4f686e83750e73e652b21cb516f6d845e48
-  languageName: node
-  linkType: hard
-
-"minipass@npm:^4.0.0":
-  version: 4.2.8
-  resolution: "minipass@npm:4.2.8"
-  checksum: 7f4914d5295a9a30807cae5227a37a926e6d910c03f315930fde52332cf0575dfbc20295318f91f0baf0e6bb11a6f668e30cde8027dea7a11b9d159867a3c830
-  languageName: node
-  linkType: hard
-
-"minizlib@npm:^2.1.1, minizlib@npm:^2.1.2":
-  version: 2.1.2
-  resolution: "minizlib@npm:2.1.2"
-  dependencies:
-    minipass: ^3.0.0
-    yallist: ^4.0.0
-  checksum: f1fdeac0b07cf8f30fcf12f4b586795b97be856edea22b5e9072707be51fc95d41487faec3f265b42973a304fe3a64acd91a44a3826a963e37b37bafde0212c3
-  languageName: node
-  linkType: hard
-
-"miragejs@npm:^0.1.43":
-  version: 0.1.43
-  resolution: "miragejs@npm:0.1.43"
-  dependencies:
-    "@miragejs/pretender-node-polyfill": ^0.1.0
-    inflected: ^2.0.4
-    lodash.assign: ^4.2.0
-    lodash.camelcase: ^4.3.0
-    lodash.clonedeep: ^4.5.0
-    lodash.compact: ^3.0.1
-    lodash.find: ^4.6.0
-    lodash.flatten: ^4.4.0
-    lodash.forin: ^4.4.0
-    lodash.get: ^4.4.2
-    lodash.has: ^4.5.2
-    lodash.invokemap: ^4.6.0
-    lodash.isempty: ^4.4.0
-    lodash.isequal: ^4.5.0
-    lodash.isfunction: ^3.0.9
-    lodash.isinteger: ^4.0.4
-    lodash.isplainobject: ^4.0.6
-    lodash.lowerfirst: ^4.3.1
-    lodash.map: ^4.6.0
-    lodash.mapvalues: ^4.6.0
-    lodash.pick: ^4.4.0
-    lodash.snakecase: ^4.1.1
-    lodash.uniq: ^4.5.0
-    lodash.uniqby: ^4.7.0
-    lodash.values: ^4.3.0
-    pretender: ^3.4.7
-  checksum: 11da61a83fc816748f635b4a4792a56a82dc6a0b7f5049c5337864948697b76eec421f3ca459fbbd35d8bb8e373e59bff9a773d20ae700977088a1f29857360d
-  languageName: node
-  linkType: hard
-
-"mississippi@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "mississippi@npm:3.0.0"
-  dependencies:
-    concat-stream: ^1.5.0
-    duplexify: ^3.4.2
-    end-of-stream: ^1.1.0
-    flush-write-stream: ^1.0.0
-    from2: ^2.1.0
-    parallel-transform: ^1.1.0
-    pump: ^3.0.0
-    pumpify: ^1.3.3
-    stream-each: ^1.1.0
-    through2: ^2.0.0
-  checksum: 84b3d9889621d293f9a596bafe60df863b330c88fc19215ced8f603c605fc7e1bf06f8e036edf301bd630a03fd5d9d7d23d5d6b9a4802c30ca864d800f0bd9f8
-  languageName: node
-  linkType: hard
-
-"mixin-deep@npm:^1.2.0":
-  version: 1.3.2
-  resolution: "mixin-deep@npm:1.3.2"
-  dependencies:
-    for-in: ^1.0.2
-    is-extendable: ^1.0.1
-  checksum: 820d5a51fcb7479f2926b97f2c3bb223546bc915e6b3a3eb5d906dda871bba569863595424a76682f2b15718252954644f3891437cb7e3f220949bed54b1750d
-  languageName: node
-  linkType: hard
-
-"mkdirp@npm:^0.3.5":
-  version: 0.3.5
-  resolution: "mkdirp@npm:0.3.5"
-  checksum: 5b7db0f7db199b87f5b0e563b919ad214d1a2c55c3896db332ef1e66c2192b2077112a4733b2c6ff99c833a6f85ba5686f05a768c411fe461b667a17421d37a8
-  languageName: node
-  linkType: hard
-
-"mkdirp@npm:^0.5.0, mkdirp@npm:^0.5.1, mkdirp@npm:^0.5.3, mkdirp@npm:^0.5.5, mkdirp@npm:~0.5.1":
-  version: 0.5.5
-  resolution: "mkdirp@npm:0.5.5"
-  dependencies:
-    minimist: ^1.2.5
-  bin:
-    mkdirp: bin/cmd.js
-  checksum: 3bce20ea525f9477befe458ab85284b0b66c8dc3812f94155af07c827175948cdd8114852ac6c6d82009b13c1048c37f6d98743eb019651ee25c39acc8aabe7d
-  languageName: node
-  linkType: hard
-
-"mkdirp@npm:^0.5.6":
-  version: 0.5.6
-  resolution: "mkdirp@npm:0.5.6"
-  dependencies:
-    minimist: ^1.2.6
-  bin:
-    mkdirp: bin/cmd.js
-  checksum: 0c91b721bb12c3f9af4b77ebf73604baf350e64d80df91754dc509491ae93bf238581e59c7188360cec7cb62fc4100959245a42cfe01834efedc5e9d068376c2
-  languageName: node
-  linkType: hard
-
-"mkdirp@npm:^1.0.3, mkdirp@npm:^1.0.4":
-  version: 1.0.4
-  resolution: "mkdirp@npm:1.0.4"
-  bin:
-    mkdirp: bin/cmd.js
-  checksum: a96865108c6c3b1b8e1d5e9f11843de1e077e57737602de1b82030815f311be11f96f09cce59bd5b903d0b29834733e5313f9301e3ed6d6f6fba2eae0df4298f
-  languageName: node
-  linkType: hard
-
-"mktemp@npm:~0.4.0":
-  version: 0.4.0
-  resolution: "mktemp@npm:0.4.0"
-  checksum: f67d8b1ed599807a4ec154efc6a50d61b28f4183fa740c4fe3bd75ce8442d84a3b8fca382fb3cb4e20bb883cb14478a7fe549c4eab6135cd213163ca5083f0fe
-  languageName: node
-  linkType: hard
-
-"moo@npm:^0.5.1":
-  version: 0.5.2
-  resolution: "moo@npm:0.5.2"
-  checksum: 5a41ddf1059fd0feb674d917c4774e41c877f1ca980253be4d3aae1a37f4bc513f88815041243f36f5cf67a62fb39324f3f997cf7fb17b6cb00767c165e7c499
-  languageName: node
-  linkType: hard
-
-"morgan@npm:^1.10.0":
-  version: 1.10.0
-  resolution: "morgan@npm:1.10.0"
-  dependencies:
-    basic-auth: ~2.0.1
-    debug: 2.6.9
-    depd: ~2.0.0
-    on-finished: ~2.3.0
-    on-headers: ~1.0.2
-  checksum: fb41e226ab5a1abf7e8909e486b387076534716d60207e361acfb5df78b84d703a7b7ea58f3046a9fd0b83d3c94bfabde32323341a1f1b26ce50680abd2ea5dd
-  languageName: node
-  linkType: hard
-
-"mout@npm:^1.0.0":
-  version: 1.2.2
-  resolution: "mout@npm:1.2.2"
-  checksum: e6c4249e9a5e603af8b4ae7172572e266f7cbd2edbf27824e2e06dd288adc66e67170f4a061ecc388429046aa93a7e3946e35139fd0767f76dd10d075fbca74f
-  languageName: node
-  linkType: hard
-
-"move-concurrently@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "move-concurrently@npm:1.0.1"
-  dependencies:
-    aproba: ^1.1.1
-    copy-concurrently: ^1.0.0
-    fs-write-stream-atomic: ^1.0.8
-    mkdirp: ^0.5.1
-    rimraf: ^2.5.4
-    run-queue: ^1.0.3
-  checksum: 4ea3296c150b09e798177847f673eb5783f8ca417ba806668d2c631739f653e1a735f19fb9b6e2f5e25ee2e4c0a6224732237a8e4f84c764e99d7462d258209e
-  languageName: node
-  linkType: hard
-
-"mr-dep-walk@npm:^1.4.0":
-  version: 1.4.0
-  resolution: "mr-dep-walk@npm:1.4.0"
-  dependencies:
-    acorn: ^5.1.1
-    amd-name-resolver: ^0.0.6
-    fs-extra: ^3.0.1
-  checksum: f8146a1a7280ef1b2792efb842846e504303944a3ff82e7fecaefc04aa124834f0e4a596fbad6077de4272c1d6836a4d8d39bf3d46530ae7a7d70fa0baf50f2a
-  languageName: node
-  linkType: hard
-
-"ms@npm:2.0.0":
-  version: 2.0.0
-  resolution: "ms@npm:2.0.0"
-  checksum: 0e6a22b8b746d2e0b65a430519934fefd41b6db0682e3477c10f60c76e947c4c0ad06f63ffdf1d78d335f83edee8c0aa928aa66a36c7cd95b69b26f468d527f4
-  languageName: node
-  linkType: hard
-
-"ms@npm:2.1.1":
-  version: 2.1.1
-  resolution: "ms@npm:2.1.1"
-  checksum: 0078a23cd916a9a7435c413caa14c57d4b4f6e2470e0ab554b6964163c8a4436448ac7ae020e883685475da6b6796cc396b670f579cb275db288a21e3e57721e
-  languageName: node
-  linkType: hard
-
-"ms@npm:2.1.2":
-  version: 2.1.2
-  resolution: "ms@npm:2.1.2"
-  checksum: 673cdb2c3133eb050c745908d8ce632ed2c02d85640e2edb3ace856a2266a813b30c613569bf3354fdf4ea7d1a1494add3bfa95e2713baa27d0c2c71fc44f58f
-  languageName: node
-  linkType: hard
-
-"ms@npm:2.1.3, ms@npm:^2.0.0, ms@npm:^2.1.1":
-  version: 2.1.3
-  resolution: "ms@npm:2.1.3"
-  checksum: aa92de608021b242401676e35cfa5aa42dd70cbdc082b916da7fb925c542173e36bce97ea3e804923fe92c0ad991434e4a38327e15a1b5b5f945d66df615ae6d
-  languageName: node
-  linkType: hard
-
-"mustache@npm:^4.2.0":
-  version: 4.2.0
-  resolution: "mustache@npm:4.2.0"
-  bin:
-    mustache: bin/mustache
-  checksum: 928fcb63e3aa44a562bfe9b59ba202cccbe40a46da50be6f0dd831b495be1dd7e38ca4657f0ecab2c1a89dc7bccba0885eab7ee7c1b215830da765758c7e0506
-  languageName: node
-  linkType: hard
-
-"mute-stream@npm:0.0.7":
-  version: 0.0.7
-  resolution: "mute-stream@npm:0.0.7"
-  checksum: a9d4772c1c84206aa37c218ed4751cd060239bf1d678893124f51e037f6f22f4a159b2918c030236c93252638a74beb29c9b1fd3267c9f24d4b3253cf1eaa86f
-  languageName: node
-  linkType: hard
-
-"mute-stream@npm:0.0.8":
-  version: 0.0.8
-  resolution: "mute-stream@npm:0.0.8"
-  checksum: ff48d251fc3f827e5b1206cda0ffdaec885e56057ee86a3155e1951bc940fd5f33531774b1cc8414d7668c10a8907f863f6561875ee6e8768931a62121a531a1
-  languageName: node
-  linkType: hard
-
-"nan@npm:^2.12.1":
-  version: 2.14.2
-  resolution: "nan@npm:2.14.2"
-  dependencies:
-    node-gyp: latest
-  checksum: 7a269139b66a7d37470effb7fb36a8de8cc3b5ffba6e40bb8e0545307911fe5ebf94797ec62f655ecde79c237d169899f8bd28256c66a32cbc8284faaf94c3f4
-  languageName: node
-  linkType: hard
-
-"nanoid@npm:^3.3.4":
-  version: 3.3.4
-  resolution: "nanoid@npm:3.3.4"
-  bin:
-    nanoid: bin/nanoid.cjs
-  checksum: 2fddd6dee994b7676f008d3ffa4ab16035a754f4bb586c61df5a22cf8c8c94017aadd360368f47d653829e0569a92b129979152ff97af23a558331e47e37cd9c
-  languageName: node
-  linkType: hard
-
-"nanoid@npm:^3.3.6":
-  version: 3.3.6
-  resolution: "nanoid@npm:3.3.6"
-  bin:
-    nanoid: bin/nanoid.cjs
-  checksum: 7d0eda657002738aa5206107bd0580aead6c95c460ef1bdd0b1a87a9c7ae6277ac2e9b945306aaa5b32c6dcb7feaf462d0f552e7f8b5718abfc6ead5c94a71b3
-  languageName: node
-  linkType: hard
-
-"nanomatch@npm:^1.2.9":
-  version: 1.2.13
-  resolution: "nanomatch@npm:1.2.13"
-  dependencies:
-    arr-diff: ^4.0.0
-    array-unique: ^0.3.2
-    define-property: ^2.0.2
-    extend-shallow: ^3.0.2
-    fragment-cache: ^0.2.1
-    is-windows: ^1.0.2
-    kind-of: ^6.0.2
-    object.pick: ^1.3.0
-    regex-not: ^1.0.0
-    snapdragon: ^0.8.1
-    to-regex: ^3.0.1
-  checksum: 54d4166d6ef08db41252eb4e96d4109ebcb8029f0374f9db873bd91a1f896c32ec780d2a2ea65c0b2d7caf1f28d5e1ea33746a470f32146ac8bba821d80d38d8
-  languageName: node
-  linkType: hard
-
-"natural-compare-lite@npm:^1.4.0":
-  version: 1.4.0
-  resolution: "natural-compare-lite@npm:1.4.0"
-  checksum: 5222ac3986a2b78dd6069ac62cbb52a7bf8ffc90d972ab76dfe7b01892485d229530ed20d0c62e79a6b363a663b273db3bde195a1358ce9e5f779d4453887225
-  languageName: node
-  linkType: hard
-
-"natural-compare@npm:^1.4.0":
-  version: 1.4.0
-  resolution: "natural-compare@npm:1.4.0"
-  checksum: 23ad088b08f898fc9b53011d7bb78ec48e79de7627e01ab5518e806033861bef68d5b0cd0e2205c2f36690ac9571ff6bcb05eb777ced2eeda8d4ac5b44592c3d
-  languageName: node
-  linkType: hard
-
-"negotiator@npm:0.6.2":
-  version: 0.6.2
-  resolution: "negotiator@npm:0.6.2"
-  checksum: dfddaff6c06792f1c4c3809e29a427b8daef8cd437c83b08dd51d7ee11bbd1c29d9512d66b801144d6c98e910ffd8723f2432e0cbf8b18d41d2a09599c975ab3
-  languageName: node
-  linkType: hard
-
-"negotiator@npm:0.6.3, negotiator@npm:^0.6.3":
-  version: 0.6.3
-  resolution: "negotiator@npm:0.6.3"
-  checksum: b8ffeb1e262eff7968fc90a2b6767b04cfd9842582a9d0ece0af7049537266e7b2506dfb1d107a32f06dd849ab2aea834d5830f7f4d0e5cb7d36e1ae55d021d9
-  languageName: node
-  linkType: hard
-
-"neo-async@npm:^2.5.0, neo-async@npm:^2.6.0, neo-async@npm:^2.6.1, neo-async@npm:^2.6.2":
-  version: 2.6.2
-  resolution: "neo-async@npm:2.6.2"
-  checksum: deac9f8d00eda7b2e5cd1b2549e26e10a0faa70adaa6fdadca701cc55f49ee9018e427f424bac0c790b7c7e2d3068db97f3093f1093975f2acb8f8818b936ed9
-  languageName: node
-  linkType: hard
-
-"nice-try@npm:^1.0.4":
-  version: 1.0.5
-  resolution: "nice-try@npm:1.0.5"
-  checksum: 0b4af3b5bb5d86c289f7a026303d192a7eb4417231fe47245c460baeabae7277bcd8fd9c728fb6bd62c30b3e15cd6620373e2cf33353b095d8b403d3e8a15aff
-  languageName: node
-  linkType: hard
-
-"nise@npm:^1.5.2":
-  version: 1.5.3
-  resolution: "nise@npm:1.5.3"
-  dependencies:
-    "@sinonjs/formatio": ^3.2.1
-    "@sinonjs/text-encoding": ^0.7.1
-    just-extend: ^4.0.2
-    lolex: ^5.0.1
-    path-to-regexp: ^1.7.0
-  checksum: ec3af21345dcaf34650a6f5420a11e0fd21a836ac5960f5e8523c301ee98465abf88b958f7b3084ecc6e0a7133e5cf7963f4df176b90b423c4da4984f1ebd75e
-  languageName: node
-  linkType: hard
-
-"no-case@npm:^3.0.4":
-  version: 3.0.4
-  resolution: "no-case@npm:3.0.4"
-  dependencies:
-    lower-case: ^2.0.2
-    tslib: ^2.0.3
-  checksum: 0b2ebc113dfcf737d48dde49cfebf3ad2d82a8c3188e7100c6f375e30eafbef9e9124aadc3becef237b042fd5eb0aad2fd78669c20972d045bbe7fea8ba0be5c
-  languageName: node
-  linkType: hard
-
-"node-fetch@npm:^2.6.1":
-  version: 2.6.1
-  resolution: "node-fetch@npm:2.6.1"
-  checksum: 91075bedd57879117e310fbcc36983ad5d699e522edb1ebcdc4ee5294c982843982652925c3532729fdc86b2d64a8a827797a745f332040d91823c8752ee4d7c
-  languageName: node
-  linkType: hard
-
-"node-gyp@npm:latest":
-  version: 9.3.1
-  resolution: "node-gyp@npm:9.3.1"
-  dependencies:
-    env-paths: ^2.2.0
-    glob: ^7.1.4
-    graceful-fs: ^4.2.6
-    make-fetch-happen: ^10.0.3
-    nopt: ^6.0.0
-    npmlog: ^6.0.0
-    rimraf: ^3.0.2
-    semver: ^7.3.5
-    tar: ^6.1.2
-    which: ^2.0.2
-  bin:
-    node-gyp: bin/node-gyp.js
-  checksum: b860e9976fa645ca0789c69e25387401b4396b93c8375489b5151a6c55cf2640a3b6183c212b38625ef7c508994930b72198338e3d09b9d7ade5acc4aaf51ea7
-  languageName: node
-  linkType: hard
-
-"node-int64@npm:^0.4.0":
-  version: 0.4.0
-  resolution: "node-int64@npm:0.4.0"
-  checksum: d0b30b1ee6d961851c60d5eaa745d30b5c95d94bc0e74b81e5292f7c42a49e3af87f1eb9e89f59456f80645d679202537de751b7d72e9e40ceea40c5e449057e
-  languageName: node
-  linkType: hard
-
-"node-libs-browser@npm:^2.2.1":
-  version: 2.2.1
-  resolution: "node-libs-browser@npm:2.2.1"
-  dependencies:
-    assert: ^1.1.1
-    browserify-zlib: ^0.2.0
-    buffer: ^4.3.0
-    console-browserify: ^1.1.0
-    constants-browserify: ^1.0.0
-    crypto-browserify: ^3.11.0
-    domain-browser: ^1.1.1
-    events: ^3.0.0
-    https-browserify: ^1.0.0
-    os-browserify: ^0.3.0
-    path-browserify: 0.0.1
-    process: ^0.11.10
-    punycode: ^1.2.4
-    querystring-es3: ^0.2.0
-    readable-stream: ^2.3.3
-    stream-browserify: ^2.0.1
-    stream-http: ^2.7.2
-    string_decoder: ^1.0.0
-    timers-browserify: ^2.0.4
-    tty-browserify: 0.0.0
-    url: ^0.11.0
-    util: ^0.11.0
-    vm-browserify: ^1.0.1
-  checksum: 41fa7927378edc0cb98a8cc784d3f4a47e43378d3b42ec57a23f81125baa7287c4b54d6d26d062072226160a3ce4d8b7a62e873d2fb637aceaddf71f5a26eca0
-  languageName: node
-  linkType: hard
-
-"node-modules-path@npm:^1.0.0, node-modules-path@npm:^1.0.1":
-  version: 1.0.2
-  resolution: "node-modules-path@npm:1.0.2"
-  checksum: 1cee65591a65a71e420b72d011e313bd938ffced368c6b6ca2bfd5a741cea9af5200417afb49272bbdac1cee1350c0f56e0a80b611d6694de914959c1ddfc9f3
-  languageName: node
-  linkType: hard
-
-"node-notifier@npm:^8.0.1":
-  version: 8.0.2
-  resolution: "node-notifier@npm:8.0.2"
-  dependencies:
-    growly: ^1.3.0
-    is-wsl: ^2.2.0
-    semver: ^7.3.2
-    shellwords: ^0.1.1
-    uuid: ^8.3.0
-    which: ^2.0.2
-  checksum: 7db1683003f6aaa4324959dfa663cd56e301ccc0165977a9e7737989ffe3b4763297f9fc85f44d0662b63a4fd85516eda43411b492a4d2fae207afb23773f912
-  languageName: node
-  linkType: hard
-
-"node-releases@npm:^1.1.71, node-releases@npm:^1.1.77":
-  version: 1.1.77
-  resolution: "node-releases@npm:1.1.77"
-  checksum: eb2fcb45310e7d77f82bfdadeca546a698d258e011f15d88ad9a452a5e838a672ec532906581096ca19c66284a788330c3b09227ffc540e67228730f41b9c2e2
-  languageName: node
-  linkType: hard
-
-"node-releases@npm:^2.0.1":
-  version: 2.0.1
-  resolution: "node-releases@npm:2.0.1"
-  checksum: b20dd8d4bced11f75060f0387e05e76b9dc4a0451f7bb3516eade6f50499ea7768ba95d8a60d520c193402df1e58cb3fe301510cc1c1ad68949c3d57b5149866
-  languageName: node
-  linkType: hard
-
-"node-releases@npm:^2.0.12":
-  version: 2.0.13
-  resolution: "node-releases@npm:2.0.13"
-  checksum: 17ec8f315dba62710cae71a8dad3cd0288ba943d2ece43504b3b1aa8625bf138637798ab470b1d9035b0545996f63000a8a926e0f6d35d0996424f8b6d36dda3
-  languageName: node
-  linkType: hard
-
-"node-releases@npm:^2.0.2":
-  version: 2.0.2
-  resolution: "node-releases@npm:2.0.2"
-  checksum: da858bf86b4d512842379749f5a5e4196ddab05ba18ffcf29f05bf460beceaca927f070f4430bb5046efec18941ddbc85e4c5fdbb83afc28a38dd6069a2f255e
-  languageName: node
-  linkType: hard
-
-"node-releases@npm:^2.0.5":
-  version: 2.0.5
-  resolution: "node-releases@npm:2.0.5"
-  checksum: e85d949addd19f8827f32569d2be5751e7812ccf6cc47879d49f79b5234ff4982225e39a3929315f96370823b070640fb04d79fc0ddec8b515a969a03493a42f
-  languageName: node
-  linkType: hard
-
-"node-watch@npm:0.7.3":
-  version: 0.7.3
-  resolution: "node-watch@npm:0.7.3"
-  checksum: c745482f720613415153b9065383b77d21f2ef60ceabf64f779c1452b1dcbb8d08c71f650b93f3c1d84524371321f92a15fda468745872cacffec8289741d51a
-  languageName: node
-  linkType: hard
-
-"nomnom@npm:^1.5.x":
-  version: 1.8.1
-  resolution: "nomnom@npm:1.8.1"
-  dependencies:
-    chalk: ~0.4.0
-    underscore: ~1.6.0
-  checksum: cc6f538062741e8914b65352499c444a754d18a95f8c4b336b9183367c44335f00a9d3beb54648f6a76d5434702a3d71bf37c23ef4c960d39595ed72d376c6fd
-  languageName: node
-  linkType: hard
-
-"nopt@npm:^3.0.6":
-  version: 3.0.6
-  resolution: "nopt@npm:3.0.6"
-  dependencies:
-    abbrev: 1
-  bin:
-    nopt: ./bin/nopt.js
-  checksum: 7f8579029a0d7cb3341c6b1610b31e363f708b7aaaaf3580e3ec5ae8528d1f3a79d350d8bfa331776e6c6703a5a148b72edd9b9b4c1dd55874d8e70e963d1e20
-  languageName: node
-  linkType: hard
-
-"nopt@npm:^6.0.0":
-  version: 6.0.0
-  resolution: "nopt@npm:6.0.0"
-  dependencies:
-    abbrev: ^1.0.0
-  bin:
-    nopt: bin/nopt.js
-  checksum: 82149371f8be0c4b9ec2f863cc6509a7fd0fa729929c009f3a58e4eb0c9e4cae9920e8f1f8eb46e7d032fec8fb01bede7f0f41a67eb3553b7b8e14fa53de1dac
-  languageName: node
-  linkType: hard
-
-"normalize-package-data@npm:^2.3.2":
-  version: 2.5.0
-  resolution: "normalize-package-data@npm:2.5.0"
-  dependencies:
-    hosted-git-info: ^2.1.4
-    resolve: ^1.10.0
-    semver: 2 || 3 || 4 || 5
-    validate-npm-package-license: ^3.0.1
-  checksum: 7999112efc35a6259bc22db460540cae06564aa65d0271e3bdfa86876d08b0e578b7b5b0028ee61b23f1cae9fc0e7847e4edc0948d3068a39a2a82853efc8499
-  languageName: node
-  linkType: hard
-
-"normalize-package-data@npm:^3.0.2":
-  version: 3.0.3
-  resolution: "normalize-package-data@npm:3.0.3"
-  dependencies:
-    hosted-git-info: ^4.0.1
-    is-core-module: ^2.5.0
-    semver: ^7.3.4
-    validate-npm-package-license: ^3.0.1
-  checksum: bbcee00339e7c26fdbc760f9b66d429258e2ceca41a5df41f5df06cc7652de8d82e8679ff188ca095cad8eff2b6118d7d866af2b68400f74602fbcbce39c160a
-  languageName: node
-  linkType: hard
-
-"normalize-path@npm:^2.1.1":
-  version: 2.1.1
-  resolution: "normalize-path@npm:2.1.1"
-  dependencies:
-    remove-trailing-separator: ^1.0.1
-  checksum: 7e9cbdcf7f5b8da7aa191fbfe33daf290cdcd8c038f422faf1b8a83c972bf7a6d94c5be34c4326cb00fb63bc0fd97d9fbcfaf2e5d6142332c2cd36d2e1b86cea
-  languageName: node
-  linkType: hard
-
-"normalize-path@npm:^3.0.0, normalize-path@npm:~3.0.0":
-  version: 3.0.0
-  resolution: "normalize-path@npm:3.0.0"
-  checksum: 88eeb4da891e10b1318c4b2476b6e2ecbeb5ff97d946815ffea7794c31a89017c70d7f34b3c2ebf23ef4e9fc9fb99f7dffe36da22011b5b5c6ffa34f4873ec20
-  languageName: node
-  linkType: hard
-
-"normalize-range@npm:^0.1.2":
-  version: 0.1.2
-  resolution: "normalize-range@npm:0.1.2"
-  checksum: 9b2f14f093593f367a7a0834267c24f3cb3e887a2d9809c77d8a7e5fd08738bcd15af46f0ab01cc3a3d660386f015816b5c922cea8bf2ee79777f40874063184
-  languageName: node
-  linkType: hard
-
-"normalize.css@npm:4.1.1":
-  version: 4.1.1
-  resolution: "normalize.css@npm:4.1.1"
-  checksum: 48500b12c63141286b637a0ed771d23e95872469eb9726171aea4fa90c9e9fe97870ee52c81dc42ef391733423bf0887dc0fdadae0e5f6020b6eb04e60ffcd68
-  languageName: node
-  linkType: hard
-
-"npm-git-info@npm:^1.0.3":
-  version: 1.0.3
-  resolution: "npm-git-info@npm:1.0.3"
-  checksum: 1f2218004e109db649580f023ae2b6eb690efae0e47ec26216a01751325b45788430428b12478d91583e18bd8f4bc933d02a1f42984b8d4977f1c35ddef1bad2
-  languageName: node
-  linkType: hard
-
-"npm-package-arg@npm:^10.1.0":
-  version: 10.1.0
-  resolution: "npm-package-arg@npm:10.1.0"
-  dependencies:
-    hosted-git-info: ^6.0.0
-    proc-log: ^3.0.0
-    semver: ^7.3.5
-    validate-npm-package-name: ^5.0.0
-  checksum: 8fe4b6a742502345e4836ed42fdf26c544c9f75563c476c67044a481ada6e81f71b55462489c7e1899d516e4347150e58028036a90fa11d47e320bcc9365fd30
-  languageName: node
-  linkType: hard
-
-"npm-run-all@npm:^4.1.5":
-  version: 4.1.5
-  resolution: "npm-run-all@npm:4.1.5"
-  dependencies:
-    ansi-styles: ^3.2.1
-    chalk: ^2.4.1
-    cross-spawn: ^6.0.5
-    memorystream: ^0.3.1
-    minimatch: ^3.0.4
-    pidtree: ^0.3.0
-    read-pkg: ^3.0.0
-    shell-quote: ^1.6.1
-    string.prototype.padend: ^3.0.0
-  bin:
-    npm-run-all: bin/npm-run-all/index.js
-    run-p: bin/run-p/index.js
-    run-s: bin/run-s/index.js
-  checksum: 373b72c6a36564da13c1642c1fd9bb4dcc756bce7a3648f883772f02661095319820834ff813762d2fee403e9b40c1cd27c8685807c107440f10eb19c006d4a0
-  languageName: node
-  linkType: hard
-
-"npm-run-path@npm:^2.0.0":
-  version: 2.0.2
-  resolution: "npm-run-path@npm:2.0.2"
-  dependencies:
-    path-key: ^2.0.0
-  checksum: acd5ad81648ba4588ba5a8effb1d98d2b339d31be16826a118d50f182a134ac523172101b82eab1d01cb4c2ba358e857d54cfafd8163a1ffe7bd52100b741125
-  languageName: node
-  linkType: hard
-
-"npm-run-path@npm:^3.0.0":
-  version: 3.1.0
-  resolution: "npm-run-path@npm:3.1.0"
-  dependencies:
-    path-key: ^3.0.0
-  checksum: 141e0b8f0e3b137347a2896572c9a84701754dda0670d3ceb8c56a87702ee03c26227e4517ab93f2904acfc836547315e740b8289bb24ca0cd8ba2b198043b0f
-  languageName: node
-  linkType: hard
-
-"npm-run-path@npm:^4.0.0, npm-run-path@npm:^4.0.1":
-  version: 4.0.1
-  resolution: "npm-run-path@npm:4.0.1"
-  dependencies:
-    path-key: ^3.0.0
-  checksum: 5374c0cea4b0bbfdfae62da7bbdf1e1558d338335f4cacf2515c282ff358ff27b2ecb91ffa5330a8b14390ac66a1e146e10700440c1ab868208430f56b5f4d23
-  languageName: node
-  linkType: hard
-
-"npmlog@npm:^6.0.0":
-  version: 6.0.2
-  resolution: "npmlog@npm:6.0.2"
-  dependencies:
-    are-we-there-yet: ^3.0.0
-    console-control-strings: ^1.1.0
-    gauge: ^4.0.3
-    set-blocking: ^2.0.0
-  checksum: ae238cd264a1c3f22091cdd9e2b106f684297d3c184f1146984ecbe18aaa86343953f26b9520dedd1b1372bc0316905b736c1932d778dbeb1fcf5a1001390e2a
-  languageName: node
-  linkType: hard
-
-"nth-check@npm:^1.0.2":
-  version: 1.0.2
-  resolution: "nth-check@npm:1.0.2"
-  dependencies:
-    boolbase: ~1.0.0
-  checksum: 59e115fdd75b971d0030f42ada3aac23898d4c03aa13371fa8b3339d23461d1badf3fde5aad251fb956aaa75c0a3b9bfcd07c08a34a83b4f9dadfdce1d19337c
-  languageName: node
-  linkType: hard
-
-"nth-check@npm:^2.0.1":
-  version: 2.1.1
-  resolution: "nth-check@npm:2.1.1"
-  dependencies:
-    boolbase: ^1.0.0
-  checksum: 5afc3dafcd1573b08877ca8e6148c52abd565f1d06b1eb08caf982e3fa289a82f2cae697ffb55b5021e146d60443f1590a5d6b944844e944714a5b549675bcd3
-  languageName: node
-  linkType: hard
-
-"num2fraction@npm:^1.2.2":
-  version: 1.2.2
-  resolution: "num2fraction@npm:1.2.2"
-  checksum: 1da9c6797b505d3f5b17c7f694c4fa31565bdd5c0e5d669553253aed848a580804cd285280e8a73148bd9628839267daee4967f24b53d4e893e44b563e412635
-  languageName: node
-  linkType: hard
-
-"nwsapi@npm:^2.2.0":
-  version: 2.2.0
-  resolution: "nwsapi@npm:2.2.0"
-  checksum: 5ef4a9bc0c1a5b7f2e014aa6a4b359a257503b796618ed1ef0eb852098f77e772305bb0e92856e4bbfa3e6c75da48c0113505c76f144555ff38867229c2400a7
-  languageName: node
-  linkType: hard
-
-"oauth-sign@npm:~0.9.0":
-  version: 0.9.0
-  resolution: "oauth-sign@npm:0.9.0"
-  checksum: 8f5497a127967866a3c67094c21efd295e46013a94e6e828573c62220e9af568cc1d2d04b16865ba583e430510fa168baf821ea78f355146d8ed7e350fc44c64
-  languageName: node
-  linkType: hard
-
-"object-assign@npm:4.1.1, object-assign@npm:^4, object-assign@npm:^4.1.0, object-assign@npm:^4.1.1":
-  version: 4.1.1
-  resolution: "object-assign@npm:4.1.1"
-  checksum: fcc6e4ea8c7fe48abfbb552578b1c53e0d194086e2e6bbbf59e0a536381a292f39943c6e9628af05b5528aa5e3318bb30d6b2e53cadaf5b8fe9e12c4b69af23f
-  languageName: node
-  linkType: hard
-
-"object-assign@npm:^2.0.0":
-  version: 2.1.1
-  resolution: "object-assign@npm:2.1.1"
-  checksum: d37a7d7173408e07ee225116437592d92b584b2a5f38cafe608400b43efd9b78878dbd545b524aff5b4118d88e39466b9038b2d3de8885e212adad497d656c46
-  languageName: node
-  linkType: hard
-
-"object-copy@npm:^0.1.0":
-  version: 0.1.0
-  resolution: "object-copy@npm:0.1.0"
-  dependencies:
-    copy-descriptor: ^0.1.0
-    define-property: ^0.2.5
-    kind-of: ^3.0.3
-  checksum: a9e35f07e3a2c882a7e979090360d1a20ab51d1fa19dfdac3aa8873b328a7c4c7683946ee97c824ae40079d848d6740a3788fa14f2185155dab7ed970a72c783
-  languageName: node
-  linkType: hard
-
-"object-hash@npm:^1.3.1":
-  version: 1.3.1
-  resolution: "object-hash@npm:1.3.1"
-  checksum: fdcb957a2f15a9060e30655a9f683ba1fc25dfb8809a73d32e9634bec385a2f1d686c707ac1e5f69fb773bc12df03fb64c77ce3faeed83e35f4eb1946cb1989e
-  languageName: node
-  linkType: hard
-
-"object-inspect@npm:^1.11.0, object-inspect@npm:^1.9.0":
-  version: 1.11.0
-  resolution: "object-inspect@npm:1.11.0"
-  checksum: 8c64f89ce3a7b96b6925879ad5f6af71d498abc217e136660efecd97452991216f375a7eb47cb1cb50643df939bf0c7cc391567b7abc6a924d04679705e58e27
-  languageName: node
-  linkType: hard
-
-"object-inspect@npm:^1.12.3":
-  version: 1.12.3
-  resolution: "object-inspect@npm:1.12.3"
-  checksum: dabfd824d97a5f407e6d5d24810d888859f6be394d8b733a77442b277e0808860555176719c5905e765e3743a7cada6b8b0a3b85e5331c530fd418cc8ae991db
-  languageName: node
-  linkType: hard
-
-"object-is@npm:^1.1.5":
-  version: 1.1.5
-  resolution: "object-is@npm:1.1.5"
-  dependencies:
-    call-bind: ^1.0.2
-    define-properties: ^1.1.3
-  checksum: 989b18c4cba258a6b74dc1d74a41805c1a1425bce29f6cabb50dcb1a6a651ea9104a1b07046739a49a5bb1bc49727bcb00efd5c55f932f6ea04ec8927a7901fe
-  languageName: node
-  linkType: hard
-
-"object-keys@npm:^1.0.12, object-keys@npm:^1.1.1":
-  version: 1.1.1
-  resolution: "object-keys@npm:1.1.1"
-  checksum: b363c5e7644b1e1b04aa507e88dcb8e3a2f52b6ffd0ea801e4c7a62d5aa559affe21c55a07fd4b1fd55fc03a33c610d73426664b20032405d7b92a1414c34d6a
-  languageName: node
-  linkType: hard
-
-"object-visit@npm:^1.0.0":
-  version: 1.0.1
-  resolution: "object-visit@npm:1.0.1"
-  dependencies:
-    isobject: ^3.0.0
-  checksum: b0ee07f5bf3bb881b881ff53b467ebbde2b37ebb38649d6944a6cd7681b32eedd99da9bd1e01c55facf81f54ed06b13af61aba6ad87f0052982995e09333f790
-  languageName: node
-  linkType: hard
-
-"object.assign@npm:^4.1.0, object.assign@npm:^4.1.2":
-  version: 4.1.2
-  resolution: "object.assign@npm:4.1.2"
-  dependencies:
-    call-bind: ^1.0.0
-    define-properties: ^1.1.3
-    has-symbols: ^1.0.1
-    object-keys: ^1.1.1
-  checksum: d621d832ed7b16ac74027adb87196804a500d80d9aca536fccb7ba48d33a7e9306a75f94c1d29cbfa324bc091bfc530bc24789568efdaee6a47fcfa298993814
-  languageName: node
-  linkType: hard
-
-"object.assign@npm:^4.1.4":
-  version: 4.1.4
-  resolution: "object.assign@npm:4.1.4"
-  dependencies:
-    call-bind: ^1.0.2
-    define-properties: ^1.1.4
-    has-symbols: ^1.0.3
-    object-keys: ^1.1.1
-  checksum: 76cab513a5999acbfe0ff355f15a6a125e71805fcf53de4e9d4e082e1989bdb81d1e329291e1e4e0ae7719f0e4ef80e88fb2d367ae60500d79d25a6224ac8864
-  languageName: node
-  linkType: hard
-
-"object.getownpropertydescriptors@npm:^2.1.0":
-  version: 2.1.2
-  resolution: "object.getownpropertydescriptors@npm:2.1.2"
-  dependencies:
-    call-bind: ^1.0.2
-    define-properties: ^1.1.3
-    es-abstract: ^1.18.0-next.2
-  checksum: 6c1c0162a2bea912f092dbf48699998d6f4b788a9884ee99ba41ddf25c3f0924ec56c6a55738c4ae3bd91d1203813a9a8e18e6fff1f477e2626cdbcd1a5f3ca8
-  languageName: node
-  linkType: hard
-
-"object.pick@npm:^1.3.0":
-  version: 1.3.0
-  resolution: "object.pick@npm:1.3.0"
-  dependencies:
-    isobject: ^3.0.1
-  checksum: 77fb6eed57c67adf75e9901187e37af39f052ef601cb4480386436561357eb9e459e820762f01fd02c5c1b42ece839ad393717a6d1850d848ee11fbabb3e580a
-  languageName: node
-  linkType: hard
-
-"object.values@npm:^1.1.0":
-  version: 1.1.3
-  resolution: "object.values@npm:1.1.3"
-  dependencies:
-    call-bind: ^1.0.2
-    define-properties: ^1.1.3
-    es-abstract: ^1.18.0-next.2
-    has: ^1.0.3
-  checksum: 8b29bd0936a32c2c5dfeb39389f65c7c3f32253a2ad3e4605726cac6bda8f642b4f8ab1ef58279851b86b7ae7322b3cf9a464c346498a7deb8f0c3a0554015f0
-  languageName: node
-  linkType: hard
-
-"on-finished@npm:2.4.1":
-  version: 2.4.1
-  resolution: "on-finished@npm:2.4.1"
-  dependencies:
-    ee-first: 1.1.1
-  checksum: d20929a25e7f0bb62f937a425b5edeb4e4cde0540d77ba146ec9357f00b0d497cdb3b9b05b9c8e46222407d1548d08166bff69cc56dfa55ba0e4469228920ff0
-  languageName: node
-  linkType: hard
-
-"on-finished@npm:~2.3.0":
-  version: 2.3.0
-  resolution: "on-finished@npm:2.3.0"
-  dependencies:
-    ee-first: 1.1.1
-  checksum: 1db595bd963b0124d6fa261d18320422407b8f01dc65863840f3ddaaf7bcad5b28ff6847286703ca53f4ec19595bd67a2f1253db79fc4094911ec6aa8df1671b
-  languageName: node
-  linkType: hard
-
-"on-headers@npm:~1.0.2":
-  version: 1.0.2
-  resolution: "on-headers@npm:1.0.2"
-  checksum: 2bf13467215d1e540a62a75021e8b318a6cfc5d4fc53af8e8f84ad98dbcea02d506c6d24180cd62e1d769c44721ba542f3154effc1f7579a8288c9f7873ed8e5
-  languageName: node
-  linkType: hard
-
-"once@npm:^1.3.0, once@npm:^1.3.1, once@npm:^1.4.0":
-  version: 1.4.0
-  resolution: "once@npm:1.4.0"
-  dependencies:
-    wrappy: 1
-  checksum: cd0a88501333edd640d95f0d2700fbde6bff20b3d4d9bdc521bdd31af0656b5706570d6c6afe532045a20bb8dc0849f8332d6f2a416e0ba6d3d3b98806c7db68
-  languageName: node
-  linkType: hard
-
-"onetime@npm:^2.0.0":
-  version: 2.0.1
-  resolution: "onetime@npm:2.0.1"
-  dependencies:
-    mimic-fn: ^1.0.0
-  checksum: bb44015ac7a525d0fb43b029a583d4ad359834632b4424ca209b438aacf6d669dda81b5edfbdb42c22636e607b276ba5589f46694a729e3bc27948ce26f4cc1a
-  languageName: node
-  linkType: hard
-
-"onetime@npm:^5.1.0, onetime@npm:^5.1.2":
-  version: 5.1.2
-  resolution: "onetime@npm:5.1.2"
-  dependencies:
-    mimic-fn: ^2.1.0
-  checksum: 2478859ef817fc5d4e9c2f9e5728512ddd1dbc9fb7829ad263765bb6d3b91ce699d6e2332eef6b7dff183c2f490bd3349f1666427eaba4469fba0ac38dfd0d34
-  languageName: node
-  linkType: hard
-
-"optionator@npm:^0.8.1":
-  version: 0.8.3
-  resolution: "optionator@npm:0.8.3"
-  dependencies:
-    deep-is: ~0.1.3
-    fast-levenshtein: ~2.0.6
-    levn: ~0.3.0
-    prelude-ls: ~1.1.2
-    type-check: ~0.3.2
-    word-wrap: ~1.2.3
-  checksum: b8695ddf3d593203e25ab0900e265d860038486c943ff8b774f596a310f8ceebdb30c6832407a8198ba3ec9debe1abe1f51d4aad94843612db3b76d690c61d34
-  languageName: node
-  linkType: hard
-
-"optionator@npm:^0.9.1":
-  version: 0.9.1
-  resolution: "optionator@npm:0.9.1"
-  dependencies:
-    deep-is: ^0.1.3
-    fast-levenshtein: ^2.0.6
-    levn: ^0.4.1
-    prelude-ls: ^1.2.1
-    type-check: ^0.4.0
-    word-wrap: ^1.2.3
-  checksum: dbc6fa065604b24ea57d734261914e697bd73b69eff7f18e967e8912aa2a40a19a9f599a507fa805be6c13c24c4eae8c71306c239d517d42d4c041c942f508a0
-  languageName: node
-  linkType: hard
-
-"optionator@npm:^0.9.3":
-  version: 0.9.3
-  resolution: "optionator@npm:0.9.3"
-  dependencies:
-    "@aashutoshrathi/word-wrap": ^1.2.3
-    deep-is: ^0.1.3
-    fast-levenshtein: ^2.0.6
-    levn: ^0.4.1
-    prelude-ls: ^1.2.1
-    type-check: ^0.4.0
-  checksum: 09281999441f2fe9c33a5eeab76700795365a061563d66b098923eb719251a42bdbe432790d35064d0816ead9296dbeb1ad51a733edf4167c96bd5d0882e428a
-  languageName: node
-  linkType: hard
-
-"ora@npm:^3.4.0":
-  version: 3.4.0
-  resolution: "ora@npm:3.4.0"
-  dependencies:
-    chalk: ^2.4.2
-    cli-cursor: ^2.1.0
-    cli-spinners: ^2.0.0
-    log-symbols: ^2.2.0
-    strip-ansi: ^5.2.0
-    wcwidth: ^1.0.1
-  checksum: f1f8e7f290b766276dcd19ddf2159a1971b1ec37eec4a5556b8f5e4afbe513a965ed65c183d38956724263b6a20989b3d8fb71b95ac4a2d6a01db2f1ed8899e4
-  languageName: node
-  linkType: hard
-
-"ora@npm:^5.4.0, ora@npm:^5.4.1":
-  version: 5.4.1
-  resolution: "ora@npm:5.4.1"
-  dependencies:
-    bl: ^4.1.0
-    chalk: ^4.1.0
-    cli-cursor: ^3.1.0
-    cli-spinners: ^2.5.0
-    is-interactive: ^1.0.0
-    is-unicode-supported: ^0.1.0
-    log-symbols: ^4.1.0
-    strip-ansi: ^6.0.0
-    wcwidth: ^1.0.1
-  checksum: 28d476ee6c1049d68368c0dc922e7225e3b5600c3ede88fade8052837f9ed342625fdaa84a6209302587c8ddd9b664f71f0759833cbdb3a4cf81344057e63c63
-  languageName: node
-  linkType: hard
-
-"os-browserify@npm:^0.3.0":
-  version: 0.3.0
-  resolution: "os-browserify@npm:0.3.0"
-  checksum: 16e37ba3c0e6a4c63443c7b55799ce4066d59104143cb637ecb9fce586d5da319cdca786ba1c867abbe3890d2cbf37953f2d51eea85e20dd6c4570d6c54bfebf
-  languageName: node
-  linkType: hard
-
-"os-homedir@npm:^1.0.0":
-  version: 1.0.2
-  resolution: "os-homedir@npm:1.0.2"
-  checksum: af609f5a7ab72de2f6ca9be6d6b91a599777afc122ac5cad47e126c1f67c176fe9b52516b9eeca1ff6ca0ab8587fe66208bc85e40a3940125f03cdb91408e9d2
-  languageName: node
-  linkType: hard
-
-"os-locale@npm:^5.0.0":
-  version: 5.0.0
-  resolution: "os-locale@npm:5.0.0"
-  dependencies:
-    execa: ^4.0.0
-    lcid: ^3.0.0
-    mem: ^5.0.0
-  checksum: 294bbb412f87a93bdbf271905cb05223a0365957ebc941af6e68e1df9f380cd69fcba62c623a0f31e913e48d009863cb9b9749deae81501d5d3b2e2d0e33b712
-  languageName: node
-  linkType: hard
-
-"os-tmpdir@npm:^1.0.0, os-tmpdir@npm:^1.0.1, os-tmpdir@npm:~1.0.1, os-tmpdir@npm:~1.0.2":
-  version: 1.0.2
-  resolution: "os-tmpdir@npm:1.0.2"
-  checksum: 5666560f7b9f10182548bf7013883265be33620b1c1b4a4d405c25be2636f970c5488ff3e6c48de75b55d02bde037249fe5dbfbb4c0fb7714953d56aed062e6d
-  languageName: node
-  linkType: hard
-
-"osenv@npm:^0.1.3":
-  version: 0.1.5
-  resolution: "osenv@npm:0.1.5"
-  dependencies:
-    os-homedir: ^1.0.0
-    os-tmpdir: ^1.0.0
-  checksum: 779d261920f2a13e5e18cf02446484f12747d3f2ff82280912f52b213162d43d312647a40c332373cbccd5e3fb8126915d3bfea8dde4827f70f82da76e52d359
-  languageName: node
-  linkType: hard
-
-"p-defer@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "p-defer@npm:1.0.0"
-  checksum: 4271b935c27987e7b6f229e5de4cdd335d808465604644cb7b4c4c95bef266735859a93b16415af8a41fd663ee9e3b97a1a2023ca9def613dba1bad2a0da0c7b
-  languageName: node
-  linkType: hard
-
-"p-defer@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "p-defer@npm:3.0.0"
-  checksum: ac3b0976a1c76b67cca1a34e00f7299b0cc230891f820749686aa84f8947326bbe0f8e3b7d9ca511578ee06f0c1a6e0ff68c8e9c325eac455f09d99f91697161
-  languageName: node
-  linkType: hard
-
-"p-finally@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "p-finally@npm:1.0.0"
-  checksum: 93a654c53dc805dd5b5891bab16eb0ea46db8f66c4bfd99336ae929323b1af2b70a8b0654f8f1eae924b2b73d037031366d645f1fd18b3d30cbd15950cc4b1d4
-  languageName: node
-  linkType: hard
-
-"p-finally@npm:^2.0.0":
-  version: 2.0.1
-  resolution: "p-finally@npm:2.0.1"
-  checksum: 6306a2851c3b28f8b603624f395ae84dce76970498fed8aa6aae2d930595053746edf1e4ee0c4b78a97410d84aa4504d63179f5310d555511ecd226f53ed1e8e
-  languageName: node
-  linkType: hard
-
-"p-is-promise@npm:^2.1.0":
-  version: 2.1.0
-  resolution: "p-is-promise@npm:2.1.0"
-  checksum: c9a8248c8b5e306475a5d55ce7808dbce4d4da2e3d69526e4991a391a7809bfd6cfdadd9bf04f1c96a3db366c93d9a0f5ee81d949e7b1684c4e0f61f747199ef
-  languageName: node
-  linkType: hard
-
-"p-limit@npm:^1.1.0":
-  version: 1.3.0
-  resolution: "p-limit@npm:1.3.0"
-  dependencies:
-    p-try: ^1.0.0
-  checksum: 281c1c0b8c82e1ac9f81acd72a2e35d402bf572e09721ce5520164e9de07d8274451378a3470707179ad13240535558f4b277f02405ad752e08c7d5b0d54fbfd
-  languageName: node
-  linkType: hard
-
-"p-limit@npm:^2.0.0, p-limit@npm:^2.2.0":
-  version: 2.3.0
-  resolution: "p-limit@npm:2.3.0"
-  dependencies:
-    p-try: ^2.0.0
-  checksum: 84ff17f1a38126c3314e91ecfe56aecbf36430940e2873dadaa773ffe072dc23b7af8e46d4b6485d302a11673fe94c6b67ca2cfbb60c989848b02100d0594ac1
-  languageName: node
-  linkType: hard
-
-"p-limit@npm:^3.0.2":
-  version: 3.1.0
-  resolution: "p-limit@npm:3.1.0"
-  dependencies:
-    yocto-queue: ^0.1.0
-  checksum: 7c3690c4dbf62ef625671e20b7bdf1cbc9534e83352a2780f165b0d3ceba21907e77ad63401708145ca4e25bfc51636588d89a8c0aeb715e6c37d1c066430360
-  languageName: node
-  linkType: hard
-
-"p-limit@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "p-limit@npm:4.0.0"
-  dependencies:
-    yocto-queue: ^1.0.0
-  checksum: 01d9d70695187788f984226e16c903475ec6a947ee7b21948d6f597bed788e3112cc7ec2e171c1d37125057a5f45f3da21d8653e04a3a793589e12e9e80e756b
-  languageName: node
-  linkType: hard
-
-"p-locate@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "p-locate@npm:2.0.0"
-  dependencies:
-    p-limit: ^1.1.0
-  checksum: e2dceb9b49b96d5513d90f715780f6f4972f46987dc32a0e18bc6c3fc74a1a5d73ec5f81b1398af5e58b99ea1ad03fd41e9181c01fa81b4af2833958696e3081
-  languageName: node
-  linkType: hard
-
-"p-locate@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "p-locate@npm:3.0.0"
-  dependencies:
-    p-limit: ^2.0.0
-  checksum: 83991734a9854a05fe9dbb29f707ea8a0599391f52daac32b86f08e21415e857ffa60f0e120bfe7ce0cc4faf9274a50239c7895fc0d0579d08411e513b83a4ae
-  languageName: node
-  linkType: hard
-
-"p-locate@npm:^4.1.0":
-  version: 4.1.0
-  resolution: "p-locate@npm:4.1.0"
-  dependencies:
-    p-limit: ^2.2.0
-  checksum: 513bd14a455f5da4ebfcb819ef706c54adb09097703de6aeaa5d26fe5ea16df92b48d1ac45e01e3944ce1e6aa2a66f7f8894742b8c9d6e276e16cd2049a2b870
-  languageName: node
-  linkType: hard
-
-"p-locate@npm:^5.0.0":
-  version: 5.0.0
-  resolution: "p-locate@npm:5.0.0"
-  dependencies:
-    p-limit: ^3.0.2
-  checksum: 1623088f36cf1cbca58e9b61c4e62bf0c60a07af5ae1ca99a720837356b5b6c5ba3eb1b2127e47a06865fee59dd0453cad7cc844cda9d5a62ac1a5a51b7c86d3
-  languageName: node
-  linkType: hard
-
-"p-locate@npm:^6.0.0":
-  version: 6.0.0
-  resolution: "p-locate@npm:6.0.0"
-  dependencies:
-    p-limit: ^4.0.0
-  checksum: 2bfe5234efa5e7a4e74b30a5479a193fdd9236f8f6b4d2f3f69e3d286d9a7d7ab0c118a2a50142efcf4e41625def635bd9332d6cbf9cc65d85eb0718c579ab38
-  languageName: node
-  linkType: hard
-
-"p-map@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "p-map@npm:4.0.0"
-  dependencies:
-    aggregate-error: ^3.0.0
-  checksum: cb0ab21ec0f32ddffd31dfc250e3afa61e103ef43d957cc45497afe37513634589316de4eb88abdfd969fe6410c22c0b93ab24328833b8eb1ccc087fc0442a1c
-  languageName: node
-  linkType: hard
-
-"p-try@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "p-try@npm:1.0.0"
-  checksum: 3b5303f77eb7722144154288bfd96f799f8ff3e2b2b39330efe38db5dd359e4fb27012464cd85cb0a76e9b7edd1b443568cb3192c22e7cffc34989df0bafd605
-  languageName: node
-  linkType: hard
-
-"p-try@npm:^2.0.0":
-  version: 2.2.0
-  resolution: "p-try@npm:2.2.0"
-  checksum: f8a8e9a7693659383f06aec604ad5ead237c7a261c18048a6e1b5b85a5f8a067e469aa24f5bc009b991ea3b058a87f5065ef4176793a200d4917349881216cae
-  languageName: node
-  linkType: hard
-
-"pako@npm:~1.0.5":
-  version: 1.0.11
-  resolution: "pako@npm:1.0.11"
-  checksum: 1be2bfa1f807608c7538afa15d6f25baa523c30ec870a3228a89579e474a4d992f4293859524e46d5d87fd30fa17c5edf34dbef0671251d9749820b488660b16
-  languageName: node
-  linkType: hard
-
-"parallel-transform@npm:^1.1.0":
-  version: 1.2.0
-  resolution: "parallel-transform@npm:1.2.0"
-  dependencies:
-    cyclist: ^1.0.1
-    inherits: ^2.0.3
-    readable-stream: ^2.1.5
-  checksum: ab6ddc1a662cefcfb3d8d546a111763d3b223f484f2e9194e33aefd8f6760c319d0821fd22a00a3adfbd45929b50d2c84cc121389732f013c2ae01c226269c27
-  languageName: node
-  linkType: hard
-
-"parent-module@npm:^1.0.0":
-  version: 1.0.1
-  resolution: "parent-module@npm:1.0.1"
-  dependencies:
-    callsites: ^3.0.0
-  checksum: 6ba8b255145cae9470cf5551eb74be2d22281587af787a2626683a6c20fbb464978784661478dd2a3f1dad74d1e802d403e1b03c1a31fab310259eec8ac560ff
-  languageName: node
-  linkType: hard
-
-"parse-asn1@npm:^5.0.0, parse-asn1@npm:^5.1.5":
-  version: 5.1.6
-  resolution: "parse-asn1@npm:5.1.6"
-  dependencies:
-    asn1.js: ^5.2.0
-    browserify-aes: ^1.0.0
-    evp_bytestokey: ^1.0.0
-    pbkdf2: ^3.0.3
-    safe-buffer: ^5.1.1
-  checksum: 9243311d1f88089bc9f2158972aa38d1abd5452f7b7cabf84954ed766048fe574d434d82c6f5a39b988683e96fb84cd933071dda38927e03469dc8c8d14463c7
-  languageName: node
-  linkType: hard
-
-"parse-entities@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "parse-entities@npm:2.0.0"
-  dependencies:
-    character-entities: ^1.0.0
-    character-entities-legacy: ^1.0.0
-    character-reference-invalid: ^1.0.0
-    is-alphanumerical: ^1.0.0
-    is-decimal: ^1.0.0
-    is-hexadecimal: ^1.0.0
-  checksum: 7addfd3e7d747521afac33c8121a5f23043c6973809756920d37e806639b4898385d386fcf4b3c8e2ecf1bc28aac5ae97df0b112d5042034efbe80f44081ebce
-  languageName: node
-  linkType: hard
-
-"parse-json@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "parse-json@npm:4.0.0"
-  dependencies:
-    error-ex: ^1.3.1
-    json-parse-better-errors: ^1.0.1
-  checksum: 0fe227d410a61090c247e34fa210552b834613c006c2c64d9a05cfe9e89cf8b4246d1246b1a99524b53b313e9ac024438d0680f67e33eaed7e6f38db64cfe7b5
-  languageName: node
-  linkType: hard
-
-"parse-json@npm:^5.0.0, parse-json@npm:^5.2.0":
-  version: 5.2.0
-  resolution: "parse-json@npm:5.2.0"
-  dependencies:
-    "@babel/code-frame": ^7.0.0
-    error-ex: ^1.3.1
-    json-parse-even-better-errors: ^2.3.0
-    lines-and-columns: ^1.1.6
-  checksum: 62085b17d64da57f40f6afc2ac1f4d95def18c4323577e1eced571db75d9ab59b297d1d10582920f84b15985cbfc6b6d450ccbf317644cfa176f3ed982ad87e2
-  languageName: node
-  linkType: hard
-
-"parse-ms@npm:^1.0.0":
-  version: 1.0.1
-  resolution: "parse-ms@npm:1.0.1"
-  checksum: 93fa7921554fe16bc73272a94bf812d1db6a144964fb57692f6de4fccf14bd771a232e8dcdcd4bbaa4aa477796cd3f35374d65596cca12323f2664bc023b4b4c
-  languageName: node
-  linkType: hard
-
-"parse-passwd@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "parse-passwd@npm:1.0.0"
-  checksum: 4e55e0231d58f828a41d0f1da2bf2ff7bcef8f4cb6146e69d16ce499190de58b06199e6bd9b17fbf0d4d8aef9052099cdf8c4f13a6294b1a522e8e958073066e
-  languageName: node
-  linkType: hard
-
-"parse-static-imports@npm:^1.1.0":
-  version: 1.1.0
-  resolution: "parse-static-imports@npm:1.1.0"
-  checksum: 8af1fc58ae27837715735aa471cc0559bf4cfdab59d4c4ae5c41e218fd841aaa702d18fef62659ff03ed1b42ae936db94d8d2bc0ad07430d19ca9727f721d55c
-  languageName: node
-  linkType: hard
-
-"parse5-htmlparser2-tree-adapter@npm:^7.0.0":
-  version: 7.0.0
-  resolution: "parse5-htmlparser2-tree-adapter@npm:7.0.0"
-  dependencies:
-    domhandler: ^5.0.2
-    parse5: ^7.0.0
-  checksum: fc5d01e07733142a1baf81de5c2a9c41426c04b7ab29dd218acb80cd34a63177c90aff4a4aee66cf9f1d0aeecff1389adb7452ad6f8af0a5888e3e9ad6ef733d
-  languageName: node
-  linkType: hard
-
-"parse5@npm:6.0.1, parse5@npm:^6.0.1":
-  version: 6.0.1
-  resolution: "parse5@npm:6.0.1"
-  checksum: 7d569a176c5460897f7c8f3377eff640d54132b9be51ae8a8fa4979af940830b2b0c296ce75e5bd8f4041520aadde13170dbdec44889975f906098ea0002f4bd
-  languageName: node
-  linkType: hard
-
-"parse5@npm:^7.0.0":
-  version: 7.1.1
-  resolution: "parse5@npm:7.1.1"
-  dependencies:
-    entities: ^4.4.0
-  checksum: 8f72fbfa6df83a3f29f58e1818f7bd46b47ff3e26d79c74e10b8fc7ef7ee76163f205113f1b2f6a5b8dc4e31e726f490444f04890cead6e974dbcbe8172b1321
-  languageName: node
-  linkType: hard
-
-"parseurl@npm:~1.3.3":
-  version: 1.3.3
-  resolution: "parseurl@npm:1.3.3"
-  checksum: 407cee8e0a3a4c5cd472559bca8b6a45b82c124e9a4703302326e9ab60fc1081442ada4e02628efef1eb16197ddc7f8822f5a91fd7d7c86b51f530aedb17dfa2
-  languageName: node
-  linkType: hard
-
-"pascalcase@npm:^0.1.1":
-  version: 0.1.1
-  resolution: "pascalcase@npm:0.1.1"
-  checksum: f83681c3c8ff75fa473a2bb2b113289952f802ff895d435edd717e7cb898b0408cbdb247117a938edcbc5d141020909846cc2b92c47213d764e2a94d2ad2b925
-  languageName: node
-  linkType: hard
-
-"path-browserify@npm:0.0.1":
-  version: 0.0.1
-  resolution: "path-browserify@npm:0.0.1"
-  checksum: ae8dcd45d0d3cfbaf595af4f206bf3ed82d77f72b4877ae7e77328079e1468c84f9386754bb417d994d5a19bf47882fd253565c18441cd5c5c90ae5187599e35
-  languageName: node
-  linkType: hard
-
-"path-dirname@npm:^1.0.0":
-  version: 1.0.2
-  resolution: "path-dirname@npm:1.0.2"
-  checksum: 0d2f6604ae05a252a0025318685f290e2764ecf9c5436f203cdacfc8c0b17c24cdedaa449d766beb94ab88cc7fc70a09ec21e7933f31abc2b719180883e5e33f
-  languageName: node
-  linkType: hard
-
-"path-exists@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "path-exists@npm:3.0.0"
-  checksum: 96e92643aa34b4b28d0de1cd2eba52a1c5313a90c6542d03f62750d82480e20bfa62bc865d5cfc6165f5fcd5aeb0851043c40a39be5989646f223300021bae0a
-  languageName: node
-  linkType: hard
-
-"path-exists@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "path-exists@npm:4.0.0"
-  checksum: 505807199dfb7c50737b057dd8d351b82c033029ab94cb10a657609e00c1bc53b951cfdbccab8de04c5584d5eff31128ce6afd3db79281874a5ef2adbba55ed1
-  languageName: node
-  linkType: hard
-
-"path-exists@npm:^5.0.0":
-  version: 5.0.0
-  resolution: "path-exists@npm:5.0.0"
-  checksum: 8ca842868cab09423994596eb2c5ec2a971c17d1a3cb36dbf060592c730c725cd524b9067d7d2a1e031fef9ba7bd2ac6dc5ec9fb92aa693265f7be3987045254
-  languageName: node
-  linkType: hard
-
-"path-is-absolute@npm:1.0.1, path-is-absolute@npm:^1.0.0, path-is-absolute@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "path-is-absolute@npm:1.0.1"
-  checksum: 060840f92cf8effa293bcc1bea81281bd7d363731d214cbe5c227df207c34cd727430f70c6037b5159c8a870b9157cba65e775446b0ab06fd5ecc7e54615a3b8
-  languageName: node
-  linkType: hard
-
-"path-key@npm:^2.0.0, path-key@npm:^2.0.1":
-  version: 2.0.1
-  resolution: "path-key@npm:2.0.1"
-  checksum: f7ab0ad42fe3fb8c7f11d0c4f849871e28fbd8e1add65c370e422512fc5887097b9cf34d09c1747d45c942a8c1e26468d6356e2df3f740bf177ab8ca7301ebfd
-  languageName: node
-  linkType: hard
-
-"path-key@npm:^3.0.0, path-key@npm:^3.1.0":
-  version: 3.1.1
-  resolution: "path-key@npm:3.1.1"
-  checksum: 55cd7a9dd4b343412a8386a743f9c746ef196e57c823d90ca3ab917f90ab9f13dd0ded27252ba49dbdfcab2b091d998bc446f6220cd3cea65db407502a740020
-  languageName: node
-  linkType: hard
-
-"path-parse@npm:^1.0.6, path-parse@npm:^1.0.7":
-  version: 1.0.7
-  resolution: "path-parse@npm:1.0.7"
-  checksum: 49abf3d81115642938a8700ec580da6e830dde670be21893c62f4e10bd7dd4c3742ddc603fe24f898cba7eb0c6bc1777f8d9ac14185d34540c6d4d80cd9cae8a
-  languageName: node
-  linkType: hard
-
-"path-posix@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "path-posix@npm:1.0.0"
-  checksum: 4f64ad212de6ad8d0dbfa440cac8b924303c25c30301769ad0501e29e83a5b9d469e8133753f999ad37482c9c8d3511129e4d83db55d2e4b1555b183c9749ae8
-  languageName: node
-  linkType: hard
-
-"path-root-regex@npm:^0.1.0":
-  version: 0.1.2
-  resolution: "path-root-regex@npm:0.1.2"
-  checksum: dcd75d1f8e93faabe35a58e875b0f636839b3658ff2ad8c289463c40bc1a844debe0dab73c3398ef9dc8f6ec6c319720aff390cf4633763ddcf3cf4b1bbf7e8b
-  languageName: node
-  linkType: hard
-
-"path-root@npm:^0.1.1":
-  version: 0.1.1
-  resolution: "path-root@npm:0.1.1"
-  dependencies:
-    path-root-regex: ^0.1.0
-  checksum: ff88aebfc1c59ace510cc06703d67692a11530989920427625e52b66a303ca9b3d4059b0b7d0b2a73248d1ad29bcb342b8b786ec00592f3101d38a45fd3b2e08
-  languageName: node
-  linkType: hard
-
-"path-to-regexp@npm:0.1.7":
-  version: 0.1.7
-  resolution: "path-to-regexp@npm:0.1.7"
-  checksum: 69a14ea24db543e8b0f4353305c5eac6907917031340e5a8b37df688e52accd09e3cebfe1660b70d76b6bd89152f52183f28c74813dbf454ba1a01c82a38abce
-  languageName: node
-  linkType: hard
-
-"path-to-regexp@npm:^1.7.0":
-  version: 1.8.0
-  resolution: "path-to-regexp@npm:1.8.0"
-  dependencies:
-    isarray: 0.0.1
-  checksum: 709f6f083c0552514ef4780cb2e7e4cf49b0cc89a97439f2b7cc69a608982b7690fb5d1720a7473a59806508fc2dae0be751ba49f495ecf89fd8fbc62abccbcd
-  languageName: node
-  linkType: hard
-
-"path-type@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "path-type@npm:3.0.0"
-  dependencies:
-    pify: ^3.0.0
-  checksum: 735b35e256bad181f38fa021033b1c33cfbe62ead42bb2222b56c210e42938eecb272ae1949f3b6db4ac39597a61b44edd8384623ec4d79bfdc9a9c0f12537a6
-  languageName: node
-  linkType: hard
-
-"path-type@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "path-type@npm:4.0.0"
-  checksum: 5b1e2daa247062061325b8fdbfd1fb56dde0a448fb1455453276ea18c60685bdad23a445dc148cf87bc216be1573357509b7d4060494a6fd768c7efad833ee45
-  languageName: node
-  linkType: hard
-
-"pbkdf2@npm:^3.0.3":
-  version: 3.1.2
-  resolution: "pbkdf2@npm:3.1.2"
-  dependencies:
-    create-hash: ^1.1.2
-    create-hmac: ^1.1.4
-    ripemd160: ^2.0.1
-    safe-buffer: ^5.0.1
-    sha.js: ^2.4.8
-  checksum: 2c950a100b1da72123449208e231afc188d980177d021d7121e96a2de7f2abbc96ead2b87d03d8fe5c318face097f203270d7e27908af9f471c165a4e8e69c92
-  languageName: node
-  linkType: hard
-
-"performance-now@npm:^2.1.0":
-  version: 2.1.0
-  resolution: "performance-now@npm:2.1.0"
-  checksum: 534e641aa8f7cba160f0afec0599b6cecefbb516a2e837b512be0adbe6c1da5550e89c78059c7fabc5c9ffdf6627edabe23eb7c518c4500067a898fa65c2b550
-  languageName: node
-  linkType: hard
-
-"picocolors@npm:^0.2.1":
-  version: 0.2.1
-  resolution: "picocolors@npm:0.2.1"
-  checksum: 3b0f441f0062def0c0f39e87b898ae7461c3a16ffc9f974f320b44c799418cabff17780ee647fda42b856a1dc45897e2c62047e1b546d94d6d5c6962f45427b2
-  languageName: node
-  linkType: hard
-
-"picocolors@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "picocolors@npm:1.0.0"
-  checksum: a2e8092dd86c8396bdba9f2b5481032848525b3dc295ce9b57896f931e63fc16f79805144321f72976383fc249584672a75cc18d6777c6b757603f372f745981
-  languageName: node
-  linkType: hard
-
-"picomatch@npm:^2.0.4, picomatch@npm:^2.2.1, picomatch@npm:^2.2.3":
-  version: 2.2.3
-  resolution: "picomatch@npm:2.2.3"
-  checksum: 45e2b882b5265d3a322c6b7b854c1fdc33d5083011b9730296e9ad26332824ac356529f1ce1b0c1111f08a84c02e8525ea121d17c4bbe2970ca6665e587921fa
-  languageName: node
-  linkType: hard
-
-"picomatch@npm:^2.3.1":
-  version: 2.3.1
-  resolution: "picomatch@npm:2.3.1"
-  checksum: 050c865ce81119c4822c45d3c84f1ced46f93a0126febae20737bd05ca20589c564d6e9226977df859ed5e03dc73f02584a2b0faad36e896936238238b0446cf
-  languageName: node
-  linkType: hard
-
-"pidtree@npm:^0.3.0":
-  version: 0.3.1
-  resolution: "pidtree@npm:0.3.1"
-  bin:
-    pidtree: bin/pidtree.js
-  checksum: eb49025099f1af89a4696f7673351421f13420f3397b963c901fe23a1c9c2ff50f4750321970d4472c0ffbb065e4a6c3c27f75e226cc62284b19e21d32ce7012
-  languageName: node
-  linkType: hard
-
-"pify@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "pify@npm:3.0.0"
-  checksum: 6cdcbc3567d5c412450c53261a3f10991665d660961e06605decf4544a61a97a54fefe70a68d5c37080ff9d6f4cf51444c90198d1ba9f9309a6c0d6e9f5c4fde
-  languageName: node
-  linkType: hard
-
-"pify@npm:^4.0.1":
-  version: 4.0.1
-  resolution: "pify@npm:4.0.1"
-  checksum: 9c4e34278cb09987685fa5ef81499c82546c033713518f6441778fbec623fc708777fe8ac633097c72d88470d5963094076c7305cafc7ad340aae27cfacd856b
-  languageName: node
-  linkType: hard
-
-"pinkie-promise@npm:^2.0.0":
-  version: 2.0.1
-  resolution: "pinkie-promise@npm:2.0.1"
-  dependencies:
-    pinkie: ^2.0.0
-  checksum: b53a4a2e73bf56b6f421eef711e7bdcb693d6abb474d57c5c413b809f654ba5ee750c6a96dd7225052d4b96c4d053cdcb34b708a86fceed4663303abee52fcca
-  languageName: node
-  linkType: hard
-
-"pinkie@npm:^2.0.0":
-  version: 2.0.4
-  resolution: "pinkie@npm:2.0.4"
-  checksum: b12b10afea1177595aab036fc220785488f67b4b0fc49e7a27979472592e971614fa1c728e63ad3e7eb748b4ec3c3dbd780819331dad6f7d635c77c10537b9db
-  languageName: node
-  linkType: hard
-
-"pkg-dir@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "pkg-dir@npm:3.0.0"
-  dependencies:
-    find-up: ^3.0.0
-  checksum: 70c9476ffefc77552cc6b1880176b71ad70bfac4f367604b2b04efd19337309a4eec985e94823271c7c0e83946fa5aeb18cd360d15d10a5d7533e19344bfa808
-  languageName: node
-  linkType: hard
-
-"pkg-dir@npm:^4.1.0":
-  version: 4.2.0
-  resolution: "pkg-dir@npm:4.2.0"
-  dependencies:
-    find-up: ^4.0.0
-  checksum: 9863e3f35132bf99ae1636d31ff1e1e3501251d480336edb1c211133c8d58906bed80f154a1d723652df1fda91e01c7442c2eeaf9dc83157c7ae89087e43c8d6
-  languageName: node
-  linkType: hard
-
-"pkg-up@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "pkg-up@npm:2.0.0"
-  dependencies:
-    find-up: ^2.1.0
-  checksum: de4b418175281a082e366ce1a919f032520ee53cf421578b35173f03816f6ec4c19e1552066840bb0988c3e1215859653948efd6ca3507a23f4f44229269500d
-  languageName: node
-  linkType: hard
-
-"pkg-up@npm:^3.1.0":
-  version: 3.1.0
-  resolution: "pkg-up@npm:3.1.0"
-  dependencies:
-    find-up: ^3.0.0
-  checksum: 5bac346b7c7c903613c057ae3ab722f320716199d753f4a7d053d38f2b5955460f3e6ab73b4762c62fd3e947f58e04f1343e92089e7bb6091c90877406fcd8c8
-  languageName: node
-  linkType: hard
-
-"pkijs@npm:^2.2.2":
-  version: 2.2.2
-  resolution: "pkijs@npm:2.2.2"
-  dependencies:
-    asn1js: ^2.1.1
-    bytestreamjs: ^1.0.29
-    pvutils: ^1.0.17
-  checksum: 92664bc4b7378200f74d7faf32a80365058d79f22b27f9a83b10e1e7684892a17657ff65c106e7c48be6d79b76545149e949229ae42a6456d0e447b9872a26e5
-  languageName: node
-  linkType: hard
-
-"please-upgrade-node@npm:^3.2.0":
-  version: 3.2.0
-  resolution: "please-upgrade-node@npm:3.2.0"
-  dependencies:
-    semver-compare: ^1.0.0
-  checksum: d87c41581a2a022fbe25965a97006238cd9b8cbbf49b39f78d262548149a9d30bd2bdf35fec3d810e0001e630cd46ef13c7e19c389dea8de7e64db271a2381bb
-  languageName: node
-  linkType: hard
-
-"portfinder@npm:^1.0.32":
-  version: 1.0.32
-  resolution: "portfinder@npm:1.0.32"
-  dependencies:
-    async: ^2.6.4
-    debug: ^3.2.7
-    mkdirp: ^0.5.6
-  checksum: 116b4aed1b9e16f6d5503823d966d9ffd41b1c2339e27f54c06cd2f3015a9d8ef53e2a53b57bc0a25af0885977b692007353aa28f9a0a98a44335cb50487240d
-  languageName: node
-  linkType: hard
-
-"posix-character-classes@npm:^0.1.0":
-  version: 0.1.1
-  resolution: "posix-character-classes@npm:0.1.1"
-  checksum: dedb99913c60625a16050cfed2fb5c017648fc075be41ac18474e1c6c3549ef4ada201c8bd9bd006d36827e289c571b6092e1ef6e756cdbab2fd7046b25c6442
-  languageName: node
-  linkType: hard
-
-"postcss-modules-extract-imports@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "postcss-modules-extract-imports@npm:3.0.0"
-  peerDependencies:
-    postcss: ^8.1.0
-  checksum: 4b65f2f1382d89c4bc3c0a1bdc5942f52f3cb19c110c57bd591ffab3a5fee03fcf831604168205b0c1b631a3dce2255c70b61aaae3ef39d69cd7eb450c2552d2
-  languageName: node
-  linkType: hard
-
-"postcss-modules-local-by-default@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "postcss-modules-local-by-default@npm:4.0.0"
-  dependencies:
-    icss-utils: ^5.0.0
-    postcss-selector-parser: ^6.0.2
-    postcss-value-parser: ^4.1.0
-  peerDependencies:
-    postcss: ^8.1.0
-  checksum: 6cf570badc7bc26c265e073f3ff9596b69bb954bc6ac9c5c1b8cba2995b80834226b60e0a3cbb87d5f399dbb52e6466bba8aa1d244f6218f99d834aec431a69d
-  languageName: node
-  linkType: hard
-
-"postcss-modules-scope@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "postcss-modules-scope@npm:3.0.0"
-  dependencies:
-    postcss-selector-parser: ^6.0.4
-  peerDependencies:
-    postcss: ^8.1.0
-  checksum: 330b9398dbd44c992c92b0dc612c0626135e2cc840fee41841eb61247a6cfed95af2bd6f67ead9dd9d0bb41f5b0367129d93c6e434fa3e9c58ade391d9a5a138
-  languageName: node
-  linkType: hard
-
-"postcss-modules-values@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "postcss-modules-values@npm:4.0.0"
-  dependencies:
-    icss-utils: ^5.0.0
-  peerDependencies:
-    postcss: ^8.1.0
-  checksum: f7f2cdf14a575b60e919ad5ea52fed48da46fe80db2733318d71d523fc87db66c835814940d7d05b5746b0426e44661c707f09bdb83592c16aea06e859409db6
-  languageName: node
-  linkType: hard
-
-"postcss-resolve-nested-selector@npm:^0.1.1":
-  version: 0.1.1
-  resolution: "postcss-resolve-nested-selector@npm:0.1.1"
-  checksum: b08fb76ab092a09ee01328bad620a01dcb445ac5eb02dd0ed9ed75217c2f779ecb3bf99a361c46e695689309c08c09f1a1ad7354c8d58c2c2c40d364657fcb08
-  languageName: node
-  linkType: hard
-
-"postcss-safe-parser@npm:^6.0.0":
-  version: 6.0.0
-  resolution: "postcss-safe-parser@npm:6.0.0"
-  peerDependencies:
-    postcss: ^8.3.3
-  checksum: 06c733eaad83a3954367e7ee02ddfe3796e7a44d4299ccf9239f40964a4daac153c7d77613f32964b5a86c0c6c2f6167738f31d578b73b17cb69d0c4446f0ebe
-  languageName: node
-  linkType: hard
-
-"postcss-selector-parser@npm:^6.0.13":
-  version: 6.0.13
-  resolution: "postcss-selector-parser@npm:6.0.13"
-  dependencies:
-    cssesc: ^3.0.0
-    util-deprecate: ^1.0.2
-  checksum: f89163338a1ce3b8ece8e9055cd5a3165e79a15e1c408e18de5ad8f87796b61ec2d48a2902d179ae0c4b5de10fccd3a325a4e660596549b040bc5ad1b465f096
-  languageName: node
-  linkType: hard
-
-"postcss-selector-parser@npm:^6.0.2, postcss-selector-parser@npm:^6.0.4":
-  version: 6.0.10
-  resolution: "postcss-selector-parser@npm:6.0.10"
-  dependencies:
-    cssesc: ^3.0.0
-    util-deprecate: ^1.0.2
-  checksum: 46afaa60e3d1998bd7adf6caa374baf857cc58d3ff944e29459c9a9e4680a7fe41597bd5b755fc81d7c388357e9bf67c0251d047c640a09f148e13606b8a8608
-  languageName: node
-  linkType: hard
-
-"postcss-value-parser@npm:^3.2.3":
-  version: 3.3.1
-  resolution: "postcss-value-parser@npm:3.3.1"
-  checksum: 62cd26e1cdbcf2dcc6bcedf3d9b409c9027bc57a367ae20d31dd99da4e206f730689471fd70a2abe866332af83f54dc1fa444c589e2381bf7f8054c46209ce16
-  languageName: node
-  linkType: hard
-
-"postcss-value-parser@npm:^4.1.0, postcss-value-parser@npm:^4.2.0":
-  version: 4.2.0
-  resolution: "postcss-value-parser@npm:4.2.0"
-  checksum: 819ffab0c9d51cf0acbabf8996dffbfafbafa57afc0e4c98db88b67f2094cb44488758f06e5da95d7036f19556a4a732525e84289a425f4f6fd8e412a9d7442f
-  languageName: node
-  linkType: hard
-
-"postcss@npm:^6.0.1, postcss@npm:^6.0.17":
-  version: 6.0.23
-  resolution: "postcss@npm:6.0.23"
-  dependencies:
-    chalk: ^2.4.1
-    source-map: ^0.6.1
-    supports-color: ^5.4.0
-  checksum: cc6cb2c1dbcdefa6f57a71d67fe535c9e96543298bbe28f9a6a64c4f1e21b6127113890dd4cda8873d3f4e6613a0566b7b4bbb230204f3a9a309190bda065d81
-  languageName: node
-  linkType: hard
-
-"postcss@npm:^8.2.15":
-  version: 8.4.14
-  resolution: "postcss@npm:8.4.14"
-  dependencies:
-    nanoid: ^3.3.4
-    picocolors: ^1.0.0
-    source-map-js: ^1.0.2
-  checksum: fe58766ff32e4becf65a7d57678995cfd239df6deed2fe0557f038b47c94e4132e7e5f68b5aa820c13adfec32e523b693efaeb65798efb995ce49ccd83953816
-  languageName: node
-  linkType: hard
-
-"postcss@npm:^8.4.24":
-  version: 8.4.26
-  resolution: "postcss@npm:8.4.26"
-  dependencies:
-    nanoid: ^3.3.6
-    picocolors: ^1.0.0
-    source-map-js: ^1.0.2
-  checksum: 1cf08ee10d58cbe98f94bf12ac49a5e5ed1588507d333d2642aacc24369ca987274e1f60ff4cbf0081f70d2ab18a5cd3a4a273f188d835b8e7f3ba381b184e57
-  languageName: node
-  linkType: hard
-
-"prelude-ls@npm:^1.2.1":
-  version: 1.2.1
-  resolution: "prelude-ls@npm:1.2.1"
-  checksum: cd192ec0d0a8e4c6da3bb80e4f62afe336df3f76271ac6deb0e6a36187133b6073a19e9727a1ff108cd8b9982e4768850d413baa71214dd80c7979617dca827a
-  languageName: node
-  linkType: hard
-
-"prelude-ls@npm:~1.1.2":
-  version: 1.1.2
-  resolution: "prelude-ls@npm:1.1.2"
-  checksum: c4867c87488e4a0c233e158e4d0d5565b609b105d75e4c05dc760840475f06b731332eb93cc8c9cecb840aa8ec323ca3c9a56ad7820ad2e63f0261dadcb154e4
-  languageName: node
-  linkType: hard
-
-"pretender@npm:^3.4.3":
-  version: 3.4.3
-  resolution: "pretender@npm:3.4.3"
-  dependencies:
-    fake-xml-http-request: ^2.1.1
-    route-recognizer: ^0.3.3
-  checksum: 2ac03977f489eb79882f1fd4bcfb949f6ca6226fd95f366ec35a73590bd76b52fc283e7d8e5a8e649982619097849a4240dce138afad9089b407b1feba5df4a3
-  languageName: node
-  linkType: hard
-
-"pretender@npm:^3.4.7":
-  version: 3.4.7
-  resolution: "pretender@npm:3.4.7"
-  dependencies:
-    fake-xml-http-request: ^2.1.2
-    route-recognizer: ^0.3.3
-  checksum: ca767dfa3fdb5e49cec8f272de1c7d489f53986a9f58dd0caf379b6365b1f1241bbb03bea6fe4421ce3e2aaa894d6c7349a5ef603283710be2babca49f1ad6fb
-  languageName: node
-  linkType: hard
-
-"prettier-eslint-cli@npm:^7.1.0":
-  version: 7.1.0
-  resolution: "prettier-eslint-cli@npm:7.1.0"
-  dependencies:
-    "@messageformat/core": ^3.0.1
-    "@prettier/eslint": "npm:prettier-eslint@^15.0.1"
-    arrify: ^2.0.1
-    boolify: ^1.0.1
-    camelcase-keys: ^7.0.2
-    chalk: ^4.1.2
-    common-tags: ^1.8.2
-    core-js: ^3.24.1
-    eslint: ^8.21.0
-    find-up: ^5.0.0
-    get-stdin: ^8.0.0
-    glob: ^7.2.3
-    ignore: ^5.2.0
-    indent-string: ^4.0.0
-    lodash.memoize: ^4.1.2
-    loglevel-colored-level-prefix: ^1.0.0
-    rxjs: ^7.5.6
-    yargs: ^13.1.1
-  peerDependencies:
-    prettier-eslint: "*"
-  peerDependenciesMeta:
-    prettier-eslint:
-      optional: true
-  bin:
-    prettier-eslint: dist/index.js
-  checksum: 7c948d748ec5c34c1d1fb3d47cffe55629141a2383a099af15b2887db87908fe8edd6f1328b922521b531c9403d6a3924b4484b36622ca8889c90351e47d4ec5
-  languageName: node
-  linkType: hard
-
-"prettier-linter-helpers@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "prettier-linter-helpers@npm:1.0.0"
-  dependencies:
-    fast-diff: ^1.1.2
-  checksum: 00ce8011cf6430158d27f9c92cfea0a7699405633f7f1d4a45f07e21bf78e99895911cbcdc3853db3a824201a7c745bd49bfea8abd5fb9883e765a90f74f8392
-  languageName: node
-  linkType: hard
-
-"prettier@npm:2.8.7":
-  version: 2.8.7
-  resolution: "prettier@npm:2.8.7"
-  bin:
-    prettier: bin-prettier.js
-  checksum: fdc8f2616f099f5f0d685907f4449a70595a0fc1d081a88919604375989e0d5e9168d6121d8cc6861f21990b31665828e00472544d785d5940ea08a17660c3a6
-  languageName: node
-  linkType: hard
-
-"prettier@npm:^2.5.1":
-  version: 2.7.1
-  resolution: "prettier@npm:2.7.1"
-  bin:
-    prettier: bin-prettier.js
-  checksum: 55a4409182260866ab31284d929b3cb961e5fdb91fe0d2e099dac92eaecec890f36e524b4c19e6ceae839c99c6d7195817579cdffc8e2c80da0cb794463a748b
-  languageName: node
-  linkType: hard
-
-"pretty-format@npm:^23.0.1":
-  version: 23.6.0
-  resolution: "pretty-format@npm:23.6.0"
-  dependencies:
-    ansi-regex: ^3.0.0
-    ansi-styles: ^3.2.0
-  checksum: b668eac9fb19d12cf27098206d587b0be8da9f7fdc56998ace9bad9b6b6f5a5be5004d9fec3c2dc215d4128ef3db901e7329e0e8e081b0732a781bddfa9e2b66
-  languageName: node
-  linkType: hard
-
-"pretty-ms@npm:^3.1.0":
-  version: 3.2.0
-  resolution: "pretty-ms@npm:3.2.0"
-  dependencies:
-    parse-ms: ^1.0.0
-  checksum: 705030a262353abfeda1c765bd1f5269c06dc7777536bdd5f8cebc84f0d012aaca679ca6fc5ea4a84c915e967dce4ab4b6489693abb05dd58e7a9802747736a3
-  languageName: node
-  linkType: hard
-
-"printf@npm:^0.6.1":
-  version: 0.6.1
-  resolution: "printf@npm:0.6.1"
-  checksum: 7643279e5e4e2032b86b61babb21e60b99eac71491556a0fc3f01a443f61f90f1701f9912be41a1e44e1164a69fa349b907719716b983e3a222ad9a978ba06f9
-  languageName: node
-  linkType: hard
-
-"private@npm:^0.1.6, private@npm:^0.1.8":
-  version: 0.1.8
-  resolution: "private@npm:0.1.8"
-  checksum: a00abd713d25389f6de7294f0e7879b8a5d09a9ec5fd81cc2f21b29d4f9a80ec53bc4222927d3a281d4aadd4cd373d9a28726fca3935921950dc75fd71d1fdbb
-  languageName: node
-  linkType: hard
-
-"proc-log@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "proc-log@npm:3.0.0"
-  checksum: 02b64e1b3919e63df06f836b98d3af002b5cd92655cab18b5746e37374bfb73e03b84fe305454614b34c25b485cc687a9eebdccf0242cda8fda2475dd2c97e02
-  languageName: node
-  linkType: hard
-
-"process-nextick-args@npm:~2.0.0":
-  version: 2.0.1
-  resolution: "process-nextick-args@npm:2.0.1"
-  checksum: 1d38588e520dab7cea67cbbe2efdd86a10cc7a074c09657635e34f035277b59fbb57d09d8638346bf7090f8e8ebc070c96fa5fd183b777fff4f5edff5e9466cf
-  languageName: node
-  linkType: hard
-
-"process-relative-require@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "process-relative-require@npm:1.0.0"
-  dependencies:
-    node-modules-path: ^1.0.0
-  checksum: 659265a7dad2329edd0483d36b7e25f61f8663901b74dd672ebd0bb5248494156b2892f0860ef0574049a235423183996656bee052ce2212fef2fbc61034df7e
-  languageName: node
-  linkType: hard
-
-"process@npm:^0.11.10":
-  version: 0.11.10
-  resolution: "process@npm:0.11.10"
-  checksum: bfcce49814f7d172a6e6a14d5fa3ac92cc3d0c3b9feb1279774708a719e19acd673995226351a082a9ae99978254e320ccda4240ddc474ba31a76c79491ca7c3
-  languageName: node
-  linkType: hard
-
-"promise-inflight@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "promise-inflight@npm:1.0.1"
-  checksum: 22749483091d2c594261517f4f80e05226d4d5ecc1fc917e1886929da56e22b5718b7f2a75f3807e7a7d471bc3be2907fe92e6e8f373ddf5c64bae35b5af3981
-  languageName: node
-  linkType: hard
-
-"promise-map-series@npm:^0.2.1":
-  version: 0.2.3
-  resolution: "promise-map-series@npm:0.2.3"
-  dependencies:
-    rsvp: ^3.0.14
-  checksum: 3f63265f596580388c025742492e379b54470fb94a1b05626723092e412f722ec8fe8e2be78cbf1c788887a307bf6cd0fedd071bec1d409a2972aec5238ea35a
-  languageName: node
-  linkType: hard
-
-"promise-map-series@npm:^0.3.0":
-  version: 0.3.0
-  resolution: "promise-map-series@npm:0.3.0"
-  checksum: a1c992562e68a3e14c39d010bd6335166e4a0469763fd161a8b1e15f972033fce5207722edb9c16ecc9324b44ef45e42674f7015e6a8922972f45a85849bbeef
-  languageName: node
-  linkType: hard
-
-"promise-retry@npm:^2.0.1":
-  version: 2.0.1
-  resolution: "promise-retry@npm:2.0.1"
-  dependencies:
-    err-code: ^2.0.2
-    retry: ^0.12.0
-  checksum: f96a3f6d90b92b568a26f71e966cbbc0f63ab85ea6ff6c81284dc869b41510e6cdef99b6b65f9030f0db422bf7c96652a3fff9f2e8fb4a0f069d8f4430359429
-  languageName: node
-  linkType: hard
-
-"promise.hash.helper@npm:^1.0.8":
-  version: 1.0.8
-  resolution: "promise.hash.helper@npm:1.0.8"
-  checksum: 88844dd1dd9d95a3d3b9c27f092dee938da02f9c9f3bd62a6b7b20e16c51c64a0db33edf09d25615055a1cb7ad96b5edcc837680cde88de09a12c466adfaf435
-  languageName: node
-  linkType: hard
-
-"promise.prototype.finally@npm:^3.1.0":
-  version: 3.1.3
-  resolution: "promise.prototype.finally@npm:3.1.3"
-  dependencies:
-    call-bind: ^1.0.2
-    define-properties: ^1.1.3
-    es-abstract: ^1.19.1
-  checksum: aba8af6ae8d076e2c344d2674409b44c8f98b3aba98b78619739aeb4a74ebac80dbba5f9338da7cf0108a34384799d3996c46697d2e21c6e998c04d68041213c
-  languageName: node
-  linkType: hard
-
-"prop-types@npm:^15.8.1":
-  version: 15.8.1
-  resolution: "prop-types@npm:15.8.1"
-  dependencies:
-    loose-envify: ^1.4.0
-    object-assign: ^4.1.1
-    react-is: ^16.13.1
-  checksum: c056d3f1c057cb7ff8344c645450e14f088a915d078dcda795041765047fa080d38e5d626560ccaac94a4e16e3aa15f3557c1a9a8d1174530955e992c675e459
-  languageName: node
-  linkType: hard
-
-"proper-lockfile@npm:^4.1.2":
-  version: 4.1.2
-  resolution: "proper-lockfile@npm:4.1.2"
-  dependencies:
-    graceful-fs: ^4.2.4
-    retry: ^0.12.0
-    signal-exit: ^3.0.2
-  checksum: 00078ee6a61c216a56a6140c7d2a98c6c733b3678503002dc073ab8beca5d50ca271de4c85fca13b9b8ee2ff546c36674d1850509b84a04a5d0363bcb8638939
-  languageName: node
-  linkType: hard
-
-"proxy-addr@npm:~2.0.5":
-  version: 2.0.6
-  resolution: "proxy-addr@npm:2.0.6"
-  dependencies:
-    forwarded: ~0.1.2
-    ipaddr.js: 1.9.1
-  checksum: 2bad9b7a56b847faf606a19328aaaf5fca3e561ebb4e933969a580d94a20f77e74fb21196028a6e417851b3d9d95a0c704732a3362e3ef515d45d96859ac7eb9
-  languageName: node
-  linkType: hard
-
-"proxy-addr@npm:~2.0.7":
-  version: 2.0.7
-  resolution: "proxy-addr@npm:2.0.7"
-  dependencies:
-    forwarded: 0.2.0
-    ipaddr.js: 1.9.1
-  checksum: 29c6990ce9364648255454842f06f8c46fcd124d3e6d7c5066df44662de63cdc0bad032e9bf5a3d653ff72141cc7b6019873d685708ac8210c30458ad99f2b74
-  languageName: node
-  linkType: hard
-
-"prr@npm:~1.0.1":
-  version: 1.0.1
-  resolution: "prr@npm:1.0.1"
-  checksum: 3bca2db0479fd38f8c4c9439139b0c42dcaadcc2fbb7bb8e0e6afaa1383457f1d19aea9e5f961d5b080f1cfc05bfa1fe9e45c97a1d3fd6d421950a73d3108381
-  languageName: node
-  linkType: hard
-
-"psl@npm:^1.1.28, psl@npm:^1.1.33":
-  version: 1.8.0
-  resolution: "psl@npm:1.8.0"
-  checksum: 6150048ed2da3f919478bee8a82f3828303bc0fc730fb015a48f83c9977682c7b28c60ab01425a72d82a2891a1681627aa530a991d50c086b48a3be27744bde7
-  languageName: node
-  linkType: hard
-
-"public-encrypt@npm:^4.0.0":
-  version: 4.0.3
-  resolution: "public-encrypt@npm:4.0.3"
-  dependencies:
-    bn.js: ^4.1.0
-    browserify-rsa: ^4.0.0
-    create-hash: ^1.1.0
-    parse-asn1: ^5.0.0
-    randombytes: ^2.0.1
-    safe-buffer: ^5.1.2
-  checksum: 215d446e43cef021a20b67c1df455e5eea134af0b1f9b8a35f9e850abf32991b0c307327bc5b9bc07162c288d5cdb3d4a783ea6c6640979ed7b5017e3e0c9935
-  languageName: node
-  linkType: hard
-
-"pump@npm:^2.0.0":
-  version: 2.0.1
-  resolution: "pump@npm:2.0.1"
-  dependencies:
-    end-of-stream: ^1.1.0
-    once: ^1.3.1
-  checksum: e9f26a17be00810bff37ad0171edb35f58b242487b0444f92fb7d78bc7d61442fa9b9c5bd93a43fd8fd8ddd3cc75f1221f5e04c790f42907e5baab7cf5e2b931
-  languageName: node
-  linkType: hard
-
-"pump@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "pump@npm:3.0.0"
-  dependencies:
-    end-of-stream: ^1.1.0
-    once: ^1.3.1
-  checksum: e42e9229fba14732593a718b04cb5e1cfef8254544870997e0ecd9732b189a48e1256e4e5478148ecb47c8511dca2b09eae56b4d0aad8009e6fac8072923cfc9
-  languageName: node
-  linkType: hard
-
-"pumpify@npm:^1.3.3":
-  version: 1.5.1
-  resolution: "pumpify@npm:1.5.1"
-  dependencies:
-    duplexify: ^3.6.0
-    inherits: ^2.0.3
-    pump: ^2.0.0
-  checksum: 26ca412ec8d665bd0d5e185c1b8f627728eff603440d75d22a58e421e3c66eaf86ec6fc6a6efc54808ecef65979279fa8e99b109a23ec1fa8d79f37e6978c9bd
-  languageName: node
-  linkType: hard
-
-"punycode@npm:1.3.2":
-  version: 1.3.2
-  resolution: "punycode@npm:1.3.2"
-  checksum: b8807fd594b1db33335692d1f03e8beeddde6fda7fbb4a2e32925d88d20a3aa4cd8dcc0c109ccaccbd2ba761c208dfaaada83007087ea8bfb0129c9ef1b99ed6
-  languageName: node
-  linkType: hard
-
-"punycode@npm:^1.2.4":
-  version: 1.4.1
-  resolution: "punycode@npm:1.4.1"
-  checksum: fa6e698cb53db45e4628559e557ddaf554103d2a96a1d62892c8f4032cd3bc8871796cae9eabc1bc700e2b6677611521ce5bb1d9a27700086039965d0cf34518
-  languageName: node
-  linkType: hard
-
-"punycode@npm:^2.1.0, punycode@npm:^2.1.1":
-  version: 2.1.1
-  resolution: "punycode@npm:2.1.1"
-  checksum: 823bf443c6dd14f669984dea25757b37993f67e8d94698996064035edd43bed8a5a17a9f12e439c2b35df1078c6bec05a6c86e336209eb1061e8025c481168e8
-  languageName: node
-  linkType: hard
-
-"pvutils@latest, pvutils@npm:^1.0.17":
-  version: 1.0.17
-  resolution: "pvutils@npm:1.0.17"
-  checksum: 370cc6c7ed2cddeb97e85339f4cac06cc07e3195774b0b8707a7994db0acd73451745cc57209a2bc6d4138b9b14d5ab0335e3614743a91010a74db597428dfe8
-  languageName: node
-  linkType: hard
-
-"q@npm:^1.1.2":
-  version: 1.5.1
-  resolution: "q@npm:1.5.1"
-  checksum: 147baa93c805bc1200ed698bdf9c72e9e42c05f96d007e33a558b5fdfd63e5ea130e99313f28efc1783e90e6bdb4e48b67a36fcc026b7b09202437ae88a1fb12
-  languageName: node
-  linkType: hard
-
-"qs@npm:^6.3.0":
-  version: 6.10.1
-  resolution: "qs@npm:6.10.1"
-  dependencies:
-    side-channel: ^1.0.4
-  checksum: 00e390dbf98eff4d8ff121b61ab2fe32106852290de99ecd0e40fc76651c4101f43fc6cc8313cb69423563876fc532951b11dda55d2917def05f292258263480
-  languageName: node
-  linkType: hard
-
-"querystring-es3@npm:^0.2.0":
-  version: 0.2.1
-  resolution: "querystring-es3@npm:0.2.1"
-  checksum: 691e8d6b8b157e7cd49ae8e83fcf86de39ab3ba948c25abaa94fba84c0986c641aa2f597770848c64abce290ed17a39c9df6df737dfa7e87c3b63acc7d225d61
-  languageName: node
-  linkType: hard
-
-"querystring@npm:0.2.0":
-  version: 0.2.0
-  resolution: "querystring@npm:0.2.0"
-  checksum: 8258d6734f19be27e93f601758858c299bdebe71147909e367101ba459b95446fbe5b975bf9beb76390156a592b6f4ac3a68b6087cea165c259705b8b4e56a69
-  languageName: node
-  linkType: hard
-
-"queue-microtask@npm:^1.2.2":
-  version: 1.2.3
-  resolution: "queue-microtask@npm:1.2.3"
-  checksum: b676f8c040cdc5b12723ad2f91414d267605b26419d5c821ff03befa817ddd10e238d22b25d604920340fd73efd8ba795465a0377c4adf45a4a41e4234e42dc4
-  languageName: node
-  linkType: hard
-
-"quick-lru@npm:^5.1.1":
-  version: 5.1.1
-  resolution: "quick-lru@npm:5.1.1"
-  checksum: a516faa25574be7947969883e6068dbe4aa19e8ef8e8e0fd96cddd6d36485e9106d85c0041a27153286b0770b381328f4072aa40d3b18a19f5f7d2b78b94b5ed
-  languageName: node
-  linkType: hard
-
-"quick-temp@npm:^0.1.2, quick-temp@npm:^0.1.3, quick-temp@npm:^0.1.5, quick-temp@npm:^0.1.8":
-  version: 0.1.8
-  resolution: "quick-temp@npm:0.1.8"
-  dependencies:
-    mktemp: ~0.4.0
-    rimraf: ^2.5.4
-    underscore.string: ~3.3.4
-  checksum: b9a60934301afd5cb67a10946f8124e63ccb0cd305d35e2d8e5fe7be80df4d29b8414605ee1e55a714c3b87468856fa92526737569fc5e4a11e056ee192b72c8
-  languageName: node
-  linkType: hard
-
-"qunit-dom@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "qunit-dom@npm:2.0.0"
-  dependencies:
-    broccoli-funnel: ^3.0.3
-    broccoli-merge-trees: ^4.2.0
-    ember-cli-babel: ^7.23.0
-    ember-cli-version-checker: ^5.1.1
-  checksum: f9f06ad19adaaa4f8f107f28fd3feacd65b26d4de647d08b11a844b750ebbed2adbeabab52edc9d8cda2b0b7a0e08812425a5d4698b34f1b2a9af7b6f53b8413
-  languageName: node
-  linkType: hard
-
-"qunit@npm:^2.19.4":
-  version: 2.19.4
-  resolution: "qunit@npm:2.19.4"
-  dependencies:
-    commander: 7.2.0
-    node-watch: 0.7.3
-    tiny-glob: 0.2.9
-  bin:
-    qunit: bin/qunit.js
-  checksum: 626001f82881e91f3bff2688bc55948a570bd8bf7aea7c9e7836285f1ab0a7a3577296f3b37cce21e182dcd724d14ee439fa39961348a603fbe5a6d5ffc144ef
-  languageName: node
-  linkType: hard
-
-"randombytes@npm:^2.0.0, randombytes@npm:^2.0.1, randombytes@npm:^2.0.5, randombytes@npm:^2.1.0":
-  version: 2.1.0
-  resolution: "randombytes@npm:2.1.0"
-  dependencies:
-    safe-buffer: ^5.1.0
-  checksum: d779499376bd4cbb435ef3ab9a957006c8682f343f14089ed5f27764e4645114196e75b7f6abf1cbd84fd247c0cb0651698444df8c9bf30e62120fbbc52269d6
-  languageName: node
-  linkType: hard
-
-"randomfill@npm:^1.0.3":
-  version: 1.0.4
-  resolution: "randomfill@npm:1.0.4"
-  dependencies:
-    randombytes: ^2.0.5
-    safe-buffer: ^5.1.0
-  checksum: 33734bb578a868d29ee1b8555e21a36711db084065d94e019a6d03caa67debef8d6a1bfd06a2b597e32901ddc761ab483a85393f0d9a75838f1912461d4dbfc7
-  languageName: node
-  linkType: hard
-
-"range-parser@npm:~1.2.1":
-  version: 1.2.1
-  resolution: "range-parser@npm:1.2.1"
-  checksum: 0a268d4fea508661cf5743dfe3d5f47ce214fd6b7dec1de0da4d669dd4ef3d2144468ebe4179049eff253d9d27e719c88dae55be64f954e80135a0cada804ec9
-  languageName: node
-  linkType: hard
-
-"raw-body@npm:2.4.0":
-  version: 2.4.0
-  resolution: "raw-body@npm:2.4.0"
-  dependencies:
-    bytes: 3.1.0
-    http-errors: 1.7.2
-    iconv-lite: 0.4.24
-    unpipe: 1.0.0
-  checksum: 6343906939e018c6e633a34a938a5d6d1e93ffcfa48646e00207d53b418e941953b521473950c079347220944dc75ba10e7b3c08bf97e3ac72c7624882db09bb
-  languageName: node
-  linkType: hard
-
-"raw-body@npm:2.5.1":
-  version: 2.5.1
-  resolution: "raw-body@npm:2.5.1"
-  dependencies:
-    bytes: 3.1.2
-    http-errors: 2.0.0
-    iconv-lite: 0.4.24
-    unpipe: 1.0.0
-  checksum: 5362adff1575d691bb3f75998803a0ffed8c64eabeaa06e54b4ada25a0cd1b2ae7f4f5ec46565d1bec337e08b5ac90c76eaa0758de6f72a633f025d754dec29e
-  languageName: node
-  linkType: hard
-
-"raw-body@npm:~1.1.0":
-  version: 1.1.7
-  resolution: "raw-body@npm:1.1.7"
-  dependencies:
-    bytes: 1
-    string_decoder: 0.10
-  checksum: 75ab1815ac54992abccccdffb27bd9ad9f5b6f5fb66e740474ad0d1bd3c1425e407b2be5eb34e0bef3da2c66bfa6a2c2b77498596f5b9999ead2d449fff0226f
-  languageName: node
-  linkType: hard
-
-"react-is@npm:^16.13.1":
-  version: 16.13.1
-  resolution: "react-is@npm:16.13.1"
-  checksum: f7a19ac3496de32ca9ae12aa030f00f14a3d45374f1ceca0af707c831b2a6098ef0d6bdae51bd437b0a306d7f01d4677fcc8de7c0d331eb47ad0f46130e53c5f
-  languageName: node
-  linkType: hard
-
-"read-pkg-up@npm:^8.0.0":
-  version: 8.0.0
-  resolution: "read-pkg-up@npm:8.0.0"
-  dependencies:
-    find-up: ^5.0.0
-    read-pkg: ^6.0.0
-    type-fest: ^1.0.1
-  checksum: fe4c80401656b40b408884457fffb5a8015c03b1018cfd8e48f8d82a5e9023e24963603aeb2755608d964593e046c15b34d29b07d35af9c7aa478be81805209c
-  languageName: node
-  linkType: hard
-
-"read-pkg@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "read-pkg@npm:3.0.0"
-  dependencies:
-    load-json-file: ^4.0.0
-    normalize-package-data: ^2.3.2
-    path-type: ^3.0.0
-  checksum: 398903ebae6c7e9965419a1062924436cc0b6f516c42c4679a90290d2f87448ed8f977e7aa2dbba4aa1ac09248628c43e493ac25b2bc76640e946035200e34c6
-  languageName: node
-  linkType: hard
-
-"read-pkg@npm:^6.0.0":
-  version: 6.0.0
-  resolution: "read-pkg@npm:6.0.0"
-  dependencies:
-    "@types/normalize-package-data": ^2.4.0
-    normalize-package-data: ^3.0.2
-    parse-json: ^5.2.0
-    type-fest: ^1.0.1
-  checksum: 0cebdff381128e923815c643074a87011070e5fc352bee575d327d6485da3317fab6d802a7b03deeb0be7be8d3ad1640397b3d5d2f044452caf4e8d1736bf94f
-  languageName: node
-  linkType: hard
-
-"readable-stream@npm:1 || 2, readable-stream@npm:^2.0.0, readable-stream@npm:^2.0.1, readable-stream@npm:^2.0.2, readable-stream@npm:^2.1.5, readable-stream@npm:^2.2.2, readable-stream@npm:^2.3.3, readable-stream@npm:^2.3.6, readable-stream@npm:~2.3.6":
-  version: 2.3.7
-  resolution: "readable-stream@npm:2.3.7"
-  dependencies:
-    core-util-is: ~1.0.0
-    inherits: ~2.0.3
-    isarray: ~1.0.0
-    process-nextick-args: ~2.0.0
-    safe-buffer: ~5.1.1
-    string_decoder: ~1.1.1
-    util-deprecate: ~1.0.1
-  checksum: e4920cf7549a60f8aaf694d483a0e61b2a878b969d224f89b3bc788b8d920075132c4b55a7494ee944c7b6a9a0eada28a7f6220d80b0312ece70bbf08eeca755
-  languageName: node
-  linkType: hard
-
-"readable-stream@npm:2 || 3, readable-stream@npm:^3.4.0, readable-stream@npm:^3.6.0":
-  version: 3.6.0
-  resolution: "readable-stream@npm:3.6.0"
-  dependencies:
-    inherits: ^2.0.3
-    string_decoder: ^1.1.1
-    util-deprecate: ^1.0.1
-  checksum: d4ea81502d3799439bb955a3a5d1d808592cf3133350ed352aeaa499647858b27b1c4013984900238b0873ec8d0d8defce72469fb7a83e61d53f5ad61cb80dc8
-  languageName: node
-  linkType: hard
-
-"readable-stream@npm:~1.0.2":
-  version: 1.0.34
-  resolution: "readable-stream@npm:1.0.34"
-  dependencies:
-    core-util-is: ~1.0.0
-    inherits: ~2.0.1
-    isarray: 0.0.1
-    string_decoder: ~0.10.x
-  checksum: 85042c537e4f067daa1448a7e257a201070bfec3dd2706abdbd8ebc7f3418eb4d3ed4b8e5af63e2544d69f88ab09c28d5da3c0b77dc76185fddd189a59863b60
-  languageName: node
-  linkType: hard
-
-"readdirp@npm:^2.2.1":
-  version: 2.2.1
-  resolution: "readdirp@npm:2.2.1"
-  dependencies:
-    graceful-fs: ^4.1.11
-    micromatch: ^3.1.10
-    readable-stream: ^2.0.2
-  checksum: 3879b20f1a871e0e004a14fbf1776e65ee0b746a62f5a416010808b37c272ac49b023c47042c7b1e281cba75a449696635bc64c397ed221ea81d853a8f2ed79a
-  languageName: node
-  linkType: hard
-
-"readdirp@npm:~3.5.0":
-  version: 3.5.0
-  resolution: "readdirp@npm:3.5.0"
-  dependencies:
-    picomatch: ^2.2.1
-  checksum: 6b1a9341e295e15d4fb40c010216cbcb6266587cd0b3ce7defabd66fa1b4e35f9fba3d64c2187fd38fadd01ccbfc5f1b33fdfb1da63b3cbf66224b7c6d75ce5a
-  languageName: node
-  linkType: hard
-
-"readdirp@npm:~3.6.0":
-  version: 3.6.0
-  resolution: "readdirp@npm:3.6.0"
-  dependencies:
-    picomatch: ^2.2.1
-  checksum: 1ced032e6e45670b6d7352d71d21ce7edf7b9b928494dcaba6f11fba63180d9da6cd7061ebc34175ffda6ff529f481818c962952004d273178acd70f7059b320
-  languageName: node
-  linkType: hard
-
-"recast@npm:^0.18.1":
-  version: 0.18.10
-  resolution: "recast@npm:0.18.10"
-  dependencies:
-    ast-types: 0.13.3
-    esprima: ~4.0.0
-    private: ^0.1.8
-    source-map: ~0.6.1
-  checksum: bb6b3083153301985511ed2ae1dd244a6b8e6a1b799ce1e0db49e57162247eec98f38dc7322d13a3680e5ab85be7cdff7edc28b0be11a689f2cb5fd925d6adbb
-  languageName: node
-  linkType: hard
-
-"redent@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "redent@npm:4.0.0"
-  dependencies:
-    indent-string: ^5.0.0
-    strip-indent: ^4.0.0
-  checksum: 6944e7b1d8f3fd28c2515f5c605b9f7f0ea0f4edddf41890bbbdd4d9ee35abb7540c3b278f03ff827bd278bb6ff4a5bd8692ca406b748c5c1c3ce7355e9fbf8f
-  languageName: node
-  linkType: hard
-
-"redeyed@npm:~1.0.0":
-  version: 1.0.1
-  resolution: "redeyed@npm:1.0.1"
-  dependencies:
-    esprima: ~3.0.0
-  checksum: fb189829954ce9dfa1647b38e2fdcbe53857dd6d37d2c66feea3a3f7cf22dafa74b66cef5f3d3d3deb5fe1614aa6966d21372374af5685c0a0e437ee68370d64
-  languageName: node
-  linkType: hard
-
-"regenerate-unicode-properties@npm:^10.0.1":
-  version: 10.0.1
-  resolution: "regenerate-unicode-properties@npm:10.0.1"
-  dependencies:
-    regenerate: ^1.4.2
-  checksum: 1b638b7087d8143e5be3e20e2cda197ea0440fa0bc2cc49646b2f50c5a2b1acdc54b21e4215805a5a2dd487c686b2291accd5ad00619534098d2667e76247754
-  languageName: node
-  linkType: hard
-
-"regenerate-unicode-properties@npm:^9.0.0":
-  version: 9.0.0
-  resolution: "regenerate-unicode-properties@npm:9.0.0"
-  dependencies:
-    regenerate: ^1.4.2
-  checksum: 62df21c274259a68c6fa1373e5ddb4d6f6374ad72c08dd488b7802880bc1c3b6de716303ec56c9f793a73d01815e9d81f03a8fbe3f32bc0f7fdf8d70d4841b64
-  languageName: node
-  linkType: hard
-
-"regenerate@npm:^1.2.1, regenerate@npm:^1.4.2":
-  version: 1.4.2
-  resolution: "regenerate@npm:1.4.2"
-  checksum: 3317a09b2f802da8db09aa276e469b57a6c0dd818347e05b8862959c6193408242f150db5de83c12c3fa99091ad95fb42a6db2c3329bfaa12a0ea4cbbeb30cb0
-  languageName: node
-  linkType: hard
-
-"regenerator-runtime@npm:^0.10.5":
-  version: 0.10.5
-  resolution: "regenerator-runtime@npm:0.10.5"
-  checksum: 35b33dbe5381d268b2be98f4ee4b028702acb38b012bff90723df067f915a337e5c979cce4dab4ed23febb223bbebb8820d46902f897742c55818c22c14e2a7c
-  languageName: node
-  linkType: hard
-
-"regenerator-runtime@npm:^0.11.0":
-  version: 0.11.1
-  resolution: "regenerator-runtime@npm:0.11.1"
-  checksum: 3c97bd2c7b2b3247e6f8e2147a002eb78c995323732dad5dc70fac8d8d0b758d0295e7015b90d3d444446ae77cbd24b9f9123ec3a77018e81d8999818301b4f4
-  languageName: node
-  linkType: hard
-
-"regenerator-runtime@npm:^0.13.11":
-  version: 0.13.11
-  resolution: "regenerator-runtime@npm:0.13.11"
-  checksum: 27481628d22a1c4e3ff551096a683b424242a216fee44685467307f14d58020af1e19660bf2e26064de946bad7eff28950eae9f8209d55723e2d9351e632bbb4
-  languageName: node
-  linkType: hard
-
-"regenerator-runtime@npm:^0.13.4":
-  version: 0.13.9
-  resolution: "regenerator-runtime@npm:0.13.9"
-  checksum: 65ed455fe5afd799e2897baf691ca21c2772e1a969d19bb0c4695757c2d96249eb74ee3553ea34a91062b2a676beedf630b4c1551cc6299afb937be1426ec55e
-  languageName: node
-  linkType: hard
-
-"regenerator-runtime@npm:^0.14.0":
-  version: 0.14.0
-  resolution: "regenerator-runtime@npm:0.14.0"
-  checksum: 1c977ad82a82a4412e4f639d65d22be376d3ebdd30da2c003eeafdaaacd03fc00c2320f18120007ee700900979284fc78a9f00da7fb593f6e6eeebc673fba9a3
-  languageName: node
-  linkType: hard
-
-"regenerator-transform@npm:^0.10.0":
-  version: 0.10.1
-  resolution: "regenerator-transform@npm:0.10.1"
-  dependencies:
-    babel-runtime: ^6.18.0
-    babel-types: ^6.19.0
-    private: ^0.1.6
-  checksum: bd366a3b0fa0d0975c48fb9eff250363a9ab28c25b472ecdc397bb19a836746640a30d8f641718a895f9178564bd8a01a0179a9c8e5813f76fc29e62a115d9d7
-  languageName: node
-  linkType: hard
-
-"regenerator-transform@npm:^0.14.2":
-  version: 0.14.5
-  resolution: "regenerator-transform@npm:0.14.5"
-  dependencies:
-    "@babel/runtime": ^7.8.4
-  checksum: a467a3b652b4ec26ff964e9c5f1817523a73fc44cb928b8d21ff11aebeac5d10a84d297fe02cea9f282bcec81a0b0d562237da69ef0f40a0160b30a4fa98bc94
-  languageName: node
-  linkType: hard
-
-"regenerator-transform@npm:^0.15.0":
-  version: 0.15.0
-  resolution: "regenerator-transform@npm:0.15.0"
-  dependencies:
-    "@babel/runtime": ^7.8.4
-  checksum: 86e54849ab1167618d28bb56d214c52a983daf29b0d115c976d79840511420049b6b42c9ebdf187defa8e7129bdd74b6dd266420d0d3868c9fa7f793b5d15d49
-  languageName: node
-  linkType: hard
-
-"regex-not@npm:^1.0.0, regex-not@npm:^1.0.2":
-  version: 1.0.2
-  resolution: "regex-not@npm:1.0.2"
-  dependencies:
-    extend-shallow: ^3.0.2
-    safe-regex: ^1.1.0
-  checksum: 3081403de79559387a35ef9d033740e41818a559512668cef3d12da4e8a29ef34ee13c8ed1256b07e27ae392790172e8a15c8a06b72962fd4550476cde3d8f77
-  languageName: node
-  linkType: hard
-
-"regexp.prototype.flags@npm:^1.3.1":
-  version: 1.3.1
-  resolution: "regexp.prototype.flags@npm:1.3.1"
-  dependencies:
-    call-bind: ^1.0.2
-    define-properties: ^1.1.3
-  checksum: 343595db5a6bbbb3bfbda881f9c74832cfa9fc0039e64a43843f6bb9158b78b921055266510800ed69d4997638890b17a46d55fd9f32961f53ae56ac3ec4dd05
-  languageName: node
-  linkType: hard
-
-"regexp.prototype.flags@npm:^1.4.3, regexp.prototype.flags@npm:^1.5.0":
-  version: 1.5.0
-  resolution: "regexp.prototype.flags@npm:1.5.0"
-  dependencies:
-    call-bind: ^1.0.2
-    define-properties: ^1.2.0
-    functions-have-names: ^1.2.3
-  checksum: c541687cdbdfff1b9a07f6e44879f82c66bbf07665f9a7544c5fd16acdb3ec8d1436caab01662d2fbcad403f3499d49ab0b77fbc7ef29ef961d98cc4bc9755b4
-  languageName: node
-  linkType: hard
-
-"regexpp@npm:^3.0.0":
-  version: 3.1.0
-  resolution: "regexpp@npm:3.1.0"
-  checksum: 63bcb2c98d63274774c79bef256e03f716d25f1fa8427267d0302d1436a83fa0d905f4e8a172fdfa99fb4d84833df2fb3bf7da2a1a868f156e913174c32b1139
-  languageName: node
-  linkType: hard
-
-"regexpp@npm:^3.2.0":
-  version: 3.2.0
-  resolution: "regexpp@npm:3.2.0"
-  checksum: a78dc5c7158ad9ddcfe01aa9144f46e192ddbfa7b263895a70a5c6c73edd9ce85faf7c0430e59ac38839e1734e275b9c3de5c57ee3ab6edc0e0b1bdebefccef8
-  languageName: node
-  linkType: hard
-
-"regexpu-core@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "regexpu-core@npm:2.0.0"
-  dependencies:
-    regenerate: ^1.2.1
-    regjsgen: ^0.2.0
-    regjsparser: ^0.1.4
-  checksum: 14a78eb4608fa991ded6a1433ee6a570f95a4cfb7fe312145a44d6ecbb3dc8c707016a099494c741aa0ac75a1329b40814d30ff134c0d67679c80187029c7d2d
-  languageName: node
-  linkType: hard
-
-"regexpu-core@npm:^4.7.1":
-  version: 4.8.0
-  resolution: "regexpu-core@npm:4.8.0"
-  dependencies:
-    regenerate: ^1.4.2
-    regenerate-unicode-properties: ^9.0.0
-    regjsgen: ^0.5.2
-    regjsparser: ^0.7.0
-    unicode-match-property-ecmascript: ^2.0.0
-    unicode-match-property-value-ecmascript: ^2.0.0
-  checksum: df92e3e6482409f0a0de162ca1b4e17897e9b0b0687caead6804f04e9b89847e47abbfd0bfc62f52a0b833acf764ea5bdb7b707bb088034824a675ee95d31dec
-  languageName: node
-  linkType: hard
-
-"regexpu-core@npm:^5.0.1":
-  version: 5.0.1
-  resolution: "regexpu-core@npm:5.0.1"
-  dependencies:
-    regenerate: ^1.4.2
-    regenerate-unicode-properties: ^10.0.1
-    regjsgen: ^0.6.0
-    regjsparser: ^0.8.2
-    unicode-match-property-ecmascript: ^2.0.0
-    unicode-match-property-value-ecmascript: ^2.0.0
-  checksum: 6151a9700dad512fadb5564ad23246d54c880eb9417efa5e5c3658b910c1ff894d622dfd159af2ed527ffd44751bfe98682ae06c717155c254d8e2b4bab62785
-  languageName: node
-  linkType: hard
-
-"regjsgen@npm:^0.2.0":
-  version: 0.2.0
-  resolution: "regjsgen@npm:0.2.0"
-  checksum: 1f3ae570151e2c29193cdc5a5890c0b83cd8c5029ed69315b0ea303bc2644f9ab5d536d2288fd9b70293fd351d7dd7fc1fc99ebe24554015c894dbce883bcf2b
-  languageName: node
-  linkType: hard
-
-"regjsgen@npm:^0.5.2":
-  version: 0.5.2
-  resolution: "regjsgen@npm:0.5.2"
-  checksum: 87c83d8488affae2493a823904de1a29a1867a07433c5e1142ad749b5606c5589b305fe35bfcc0972cf5a3b0d66b1f7999009e541be39a5d42c6041c59e2fb52
-  languageName: node
-  linkType: hard
-
-"regjsgen@npm:^0.6.0":
-  version: 0.6.0
-  resolution: "regjsgen@npm:0.6.0"
-  checksum: c5158ebd735e75074e41292ade1ff05d85566d205426cc61501e360c450a63baced8512ee3ae238e5c0a0e42969563c7875b08fa69d6f0402daf36bcb3e4d348
-  languageName: node
-  linkType: hard
-
-"regjsparser@npm:^0.1.4":
-  version: 0.1.5
-  resolution: "regjsparser@npm:0.1.5"
-  dependencies:
-    jsesc: ~0.5.0
-  bin:
-    regjsparser: bin/parser
-  checksum: 1feba2f3f2d4f1ef9f5f4e0f20c827cf866d4f65c51502eb64db4d4dd9c656f8c70f6c79537c892bf0fc9592c96f732519f7d8ad4a82f3b622756118ac737970
-  languageName: node
-  linkType: hard
-
-"regjsparser@npm:^0.7.0":
-  version: 0.7.0
-  resolution: "regjsparser@npm:0.7.0"
-  dependencies:
-    jsesc: ~0.5.0
-  bin:
-    regjsparser: bin/parser
-  checksum: fefff9adcab47650817d2c492aac774f11a44b824a4a814e466ebc76313e03e79c50d2babde7e04888296f6ec0fd094e3eeeafa8122c60184de92cdb30636a57
-  languageName: node
-  linkType: hard
-
-"regjsparser@npm:^0.8.2":
-  version: 0.8.4
-  resolution: "regjsparser@npm:0.8.4"
-  dependencies:
-    jsesc: ~0.5.0
-  bin:
-    regjsparser: bin/parser
-  checksum: d069b932491761cda127ce11f6bd2729c3b1b394a35200ec33f1199e937423db28ceb86cf33f0a97c76ecd7c0f8db996476579eaf0d80a1f74c1934f4ca8b27a
-  languageName: node
-  linkType: hard
-
-"remark-footnotes@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "remark-footnotes@npm:3.0.0"
-  dependencies:
-    mdast-util-footnote: ^0.1.0
-    micromark-extension-footnote: ^0.3.0
-  checksum: 5e84afb47b57e512171f8af5146e8ba49817faff761c6cdd14abf26c9f018b497e69e79378d94b3ba529e491d3f0615c60851d3db86de785aa37641bf5bf7f8a
-  languageName: node
-  linkType: hard
-
-"remark-frontmatter@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "remark-frontmatter@npm:3.0.0"
-  dependencies:
-    mdast-util-frontmatter: ^0.2.0
-    micromark-extension-frontmatter: ^0.2.0
-  checksum: 33bbcf36a51ee4c3813106b933766e0dc4b2b50f8eb4da3a4c577ea0278335589b36b182fb2722c9857d0ea9932ac75368a5dff70c8cf2b74f4747c244068976
-  languageName: node
-  linkType: hard
-
-"remark-gfm@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "remark-gfm@npm:1.0.0"
-  dependencies:
-    mdast-util-gfm: ^0.1.0
-    micromark-extension-gfm: ^0.3.0
-  checksum: 877b0f6472a90a490b5d5a1393f46d22c4ab7451b1e83ebd7362e5be9c661b6ed03e76c28f76894f460bedf23345c589d3f412c273ce0d4d442c6a4d65b0eae4
-  languageName: node
-  linkType: hard
-
-"remark-parse@npm:^9.0.0":
-  version: 9.0.0
-  resolution: "remark-parse@npm:9.0.0"
-  dependencies:
-    mdast-util-from-markdown: ^0.8.0
-  checksum: 50104880549639b7dd7ae6f1e23c214915fe9c054f02f3328abdaee3f6de6d7282bf4357c3c5b106958fe75e644a3c248c2197755df34f9955e8e028fc74868f
-  languageName: node
-  linkType: hard
-
-"remove-trailing-separator@npm:^1.0.1":
-  version: 1.1.0
-  resolution: "remove-trailing-separator@npm:1.1.0"
-  checksum: d3c20b5a2d987db13e1cca9385d56ecfa1641bae143b620835ac02a6b70ab88f68f117a0021838db826c57b31373d609d52e4f31aca75fc490c862732d595419
-  languageName: node
-  linkType: hard
-
-"remove-types@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "remove-types@npm:1.0.0"
-  dependencies:
-    "@babel/core": ^7.16.10
-    "@babel/plugin-syntax-decorators": ^7.16.7
-    "@babel/plugin-transform-typescript": ^7.16.8
-    prettier: ^2.5.1
-  checksum: 7665e649c762b4880a4e67a982a8bab0db7d4538c18470736854baf9d8fd0fd22273dccf7263b4d6bf9c3d5145cfa085cb15f700e99c51081891c8eaeee2d137
-  languageName: node
-  linkType: hard
-
-"repeat-element@npm:^1.1.2":
-  version: 1.1.4
-  resolution: "repeat-element@npm:1.1.4"
-  checksum: 1edd0301b7edad71808baad226f0890ba709443f03a698224c9ee4f2494c317892dc5211b2ba8cbea7194a9ddbcac01e283bd66de0467ab24ee1fc1a3711d8a9
-  languageName: node
-  linkType: hard
-
-"repeat-string@npm:^1.0.0, repeat-string@npm:^1.6.1":
-  version: 1.6.1
-  resolution: "repeat-string@npm:1.6.1"
-  checksum: 1b809fc6db97decdc68f5b12c4d1a671c8e3f65ec4a40c238bc5200e44e85bcc52a54f78268ab9c29fcf5fe4f1343e805420056d1f30fa9a9ee4c2d93e3cc6c0
-  languageName: node
-  linkType: hard
-
-"repeating@npm:^2.0.0":
-  version: 2.0.1
-  resolution: "repeating@npm:2.0.1"
-  dependencies:
-    is-finite: ^1.0.0
-  checksum: d2db0b69c5cb0c14dd750036e0abcd6b3c3f7b2da3ee179786b755cf737ca15fa0fff417ca72de33d6966056f4695440e680a352401fc02c95ade59899afbdd0
-  languageName: node
-  linkType: hard
-
-"request-promise-core@npm:1.1.4":
-  version: 1.1.4
-  resolution: "request-promise-core@npm:1.1.4"
-  dependencies:
-    lodash: ^4.17.19
-  peerDependencies:
-    request: ^2.34
-  checksum: c798bafd552961e36fbf5023b1d081e81c3995ab390f1bc8ef38a711ba3fe4312eb94dbd61887073d7356c3499b9380947d7f62faa805797c0dc50f039425699
-  languageName: node
-  linkType: hard
-
-"request-promise-native@npm:^1.0.9":
-  version: 1.0.9
-  resolution: "request-promise-native@npm:1.0.9"
-  dependencies:
-    request-promise-core: 1.1.4
-    stealthy-require: ^1.1.1
-    tough-cookie: ^2.3.3
-  peerDependencies:
-    request: ^2.34
-  checksum: 3e2c694eefac88cb20beef8911ad57a275ab3ccbae0c4ca6c679fffb09d5fd502458aab08791f0814ca914b157adab2d4e472597c97a73be702918e41725ed69
-  languageName: node
-  linkType: hard
-
-"request@npm:^2.88.2":
-  version: 2.88.2
-  resolution: "request@npm:2.88.2"
-  dependencies:
-    aws-sign2: ~0.7.0
-    aws4: ^1.8.0
-    caseless: ~0.12.0
-    combined-stream: ~1.0.6
-    extend: ~3.0.2
-    forever-agent: ~0.6.1
-    form-data: ~2.3.2
-    har-validator: ~5.1.3
-    http-signature: ~1.2.0
-    is-typedarray: ~1.0.0
-    isstream: ~0.1.2
-    json-stringify-safe: ~5.0.1
-    mime-types: ~2.1.19
-    oauth-sign: ~0.9.0
-    performance-now: ^2.1.0
-    qs: ~6.5.2
-    safe-buffer: ^5.1.2
-    tough-cookie: ~2.5.0
-    tunnel-agent: ^0.6.0
-    uuid: ^3.3.2
-  checksum: 4e112c087f6eabe7327869da2417e9d28fcd0910419edd2eb17b6acfc4bfa1dad61954525949c228705805882d8a98a86a0ea12d7f739c01ee92af7062996983
-  languageName: node
-  linkType: hard
-
-"require-directory@npm:^2.1.1":
-  version: 2.1.1
-  resolution: "require-directory@npm:2.1.1"
-  checksum: fb47e70bf0001fdeabdc0429d431863e9475e7e43ea5f94ad86503d918423c1543361cc5166d713eaa7029dd7a3d34775af04764bebff99ef413111a5af18c80
-  languageName: node
-  linkType: hard
-
-"require-from-string@npm:^2.0.2":
-  version: 2.0.2
-  resolution: "require-from-string@npm:2.0.2"
-  checksum: a03ef6895445f33a4015300c426699bc66b2b044ba7b670aa238610381b56d3f07c686251740d575e22f4c87531ba662d06937508f0f3c0f1ddc04db3130560b
-  languageName: node
-  linkType: hard
-
-"require-main-filename@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "require-main-filename@npm:2.0.0"
-  checksum: e9e294695fea08b076457e9ddff854e81bffbe248ed34c1eec348b7abbd22a0d02e8d75506559e2265e96978f3c4720bd77a6dad84755de8162b357eb6c778c7
-  languageName: node
-  linkType: hard
-
-"require-relative@npm:^0.8.7":
-  version: 0.8.7
-  resolution: "require-relative@npm:0.8.7"
-  checksum: f1c3be06977823bba43600344d9ea6fbf8a55bdb81ec76533126849ab4024e6c31c6666f37fa4b5cfeda9c41dee89b8e19597cac02bdefaab42255c6708661ab
-  languageName: node
-  linkType: hard
-
-"requireindex@npm:^1.2.0":
-  version: 1.2.0
-  resolution: "requireindex@npm:1.2.0"
-  checksum: 50d8b10a1ff1fdf6aea7a1870bc7bd238b0fb1917d8d7ca17fd03afc38a65dcd7a8a4eddd031f89128b5f0065833d5c92c4fef67f2c04e8624057fe626c9cf94
-  languageName: node
-  linkType: hard
-
-"requires-port@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "requires-port@npm:1.0.0"
-  checksum: eee0e303adffb69be55d1a214e415cf42b7441ae858c76dfc5353148644f6fd6e698926fc4643f510d5c126d12a705e7c8ed7e38061113bdf37547ab356797ff
-  languageName: node
-  linkType: hard
-
-"reselect@npm:^3.0.1":
-  version: 3.0.1
-  resolution: "reselect@npm:3.0.1"
-  checksum: c7ce544bae92db2dc6e768bc2dcc1248f9a21ada22ab5906c5e3c472e1dbc5f080889e5a715b8a2535e652d74c599dd090f5a68bcbe7e6f88053b7599ef4e8d3
-  languageName: node
-  linkType: hard
-
-"reselect@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "reselect@npm:4.0.0"
-  checksum: ac7dfc9ef2cdb42b6fc87a856f3ce904c2e4363a2bc1e6fb7eea5f78902a6f506e4388e6509752984877c6dbfe501100c076671d334799eb5a1bfe9936cb2c12
-  languageName: node
-  linkType: hard
-
-"resolve-dir@npm:^1.0.0, resolve-dir@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "resolve-dir@npm:1.0.1"
-  dependencies:
-    expand-tilde: ^2.0.0
-    global-modules: ^1.0.0
-  checksum: ef736b8ed60d6645c3b573da17d329bfb50ec4e1d6c5ffd6df49e3497acef9226f9810ea6823b8ece1560e01dcb13f77a9f6180d4f242d00cc9a8f4de909c65c
-  languageName: node
-  linkType: hard
-
-"resolve-from@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "resolve-from@npm:4.0.0"
-  checksum: f4ba0b8494846a5066328ad33ef8ac173801a51739eb4d63408c847da9a2e1c1de1e6cbbf72699211f3d13f8fc1325648b169bd15eb7da35688e30a5fb0e4a7f
-  languageName: node
-  linkType: hard
-
-"resolve-from@npm:^5.0.0":
-  version: 5.0.0
-  resolution: "resolve-from@npm:5.0.0"
-  checksum: 4ceeb9113e1b1372d0cd969f3468fa042daa1dd9527b1b6bb88acb6ab55d8b9cd65dbf18819f9f9ddf0db804990901dcdaade80a215e7b2c23daae38e64f5bdf
-  languageName: node
-  linkType: hard
-
-"resolve-package-path@npm:^1.0.11, resolve-package-path@npm:^1.2.2, resolve-package-path@npm:^1.2.6":
-  version: 1.2.7
-  resolution: "resolve-package-path@npm:1.2.7"
-  dependencies:
-    path-root: ^0.1.1
-    resolve: ^1.10.0
-  checksum: 554855963c8599ef7ce4c29629356891f36652834d0ba39555459009918474fa28bd75332139223e3fb297455f103ae0c880233fa51603c1bc1ba3e2e280b7ec
-  languageName: node
-  linkType: hard
-
-"resolve-package-path@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "resolve-package-path@npm:2.0.0"
-  dependencies:
-    path-root: ^0.1.1
-    resolve: ^1.13.1
-  checksum: 606fab28e752d863bdeef9cef1e67e92830d8e7e0f038f40fbff94f9808a57cb2a810bd70c387c5b438bee626c1753cd11a0d953a7fd28e9dba190910cd6783a
-  languageName: node
-  linkType: hard
-
-"resolve-package-path@npm:^3.1.0":
-  version: 3.1.0
-  resolution: "resolve-package-path@npm:3.1.0"
-  dependencies:
-    path-root: ^0.1.1
-    resolve: ^1.17.0
-  checksum: 9d1d170db3b01e5439bc0918344e7b539c4dece53f68ff2b6c13e3c941bb10c2553b7ea837fef8aee25ce3dd5f404d83eac91a5f5b651a42578bd2df5a301a7e
-  languageName: node
-  linkType: hard
-
-"resolve-package-path@npm:^4.0.1, resolve-package-path@npm:^4.0.3":
-  version: 4.0.3
-  resolution: "resolve-package-path@npm:4.0.3"
-  dependencies:
-    path-root: ^0.1.1
-  checksum: ac68180c66036c8d8b75a747592f7aeb5fd1efbbec10256b535f53e8bbc95e242145338d7d309cd665f509435662b530ece0afbc3a10a13ed2d4ce9d24905a20
-  languageName: node
-  linkType: hard
-
-"resolve-path@npm:^1.4.0":
-  version: 1.4.0
-  resolution: "resolve-path@npm:1.4.0"
-  dependencies:
-    http-errors: ~1.6.2
-    path-is-absolute: 1.0.1
-  checksum: 1a39f569ee54dd5f8ee8576ef8671c9724bea65d9f9982fbb5352af9fb4e500e1e459c1bfb1ae3ebfd8d43a709c3a01dfa4f46cf5b831e45e2caed4f1a208300
-  languageName: node
-  linkType: hard
-
-"resolve-url@npm:^0.2.1":
-  version: 0.2.1
-  resolution: "resolve-url@npm:0.2.1"
-  checksum: 7b7035b9ed6e7bc7d289e90aef1eab5a43834539695dac6416ca6e91f1a94132ae4796bbd173cdacfdc2ade90b5f38a3fb6186bebc1b221cd157777a23b9ad14
-  languageName: node
-  linkType: hard
-
-"resolve@npm:^1.1.7, resolve@npm:^1.22.1":
-  version: 1.22.3
-  resolution: "resolve@npm:1.22.3"
-  dependencies:
-    is-core-module: ^2.12.0
-    path-parse: ^1.0.7
-    supports-preserve-symlinks-flag: ^1.0.0
-  bin:
-    resolve: bin/resolve
-  checksum: fb834b81348428cb545ff1b828a72ea28feb5a97c026a1cf40aa1008352c72811ff4d4e71f2035273dc536dcfcae20c13604ba6283c612d70fa0b6e44519c374
-  languageName: node
-  linkType: hard
-
-"resolve@npm:^1.10.0, resolve@npm:^1.11.1, resolve@npm:^1.13.1, resolve@npm:^1.14.2, resolve@npm:^1.17.0, resolve@npm:^1.20.0, resolve@npm:^1.3.3, resolve@npm:^1.4.0, resolve@npm:^1.5.0, resolve@npm:^1.8.1":
-  version: 1.20.0
-  resolution: "resolve@npm:1.20.0"
-  dependencies:
-    is-core-module: ^2.2.0
-    path-parse: ^1.0.6
-  checksum: 40cf70b2cde00ef57f99daf2dc63c6a56d6c14a1b7fc51735d06a6f0a3b97cb67b4fb7ef6c747b4e13a7baba83b0ef625d7c4ce92a483cd5af923c3b65fd16fe
-  languageName: node
-  linkType: hard
-
-"resolve@npm:^1.22.0":
-  version: 1.22.0
-  resolution: "resolve@npm:1.22.0"
-  dependencies:
-    is-core-module: ^2.8.1
-    path-parse: ^1.0.7
-    supports-preserve-symlinks-flag: ^1.0.0
-  bin:
-    resolve: bin/resolve
-  checksum: a2d14cc437b3a23996f8c7367eee5c7cf8149c586b07ca2ae00e96581ce59455555a1190be9aa92154785cf9f2042646c200d0e00e0bbd2b8a995a93a0ed3e4e
-  languageName: node
-  linkType: hard
-
-"resolve@patch:resolve@^1.1.7#~builtin<compat/resolve>, resolve@patch:resolve@^1.22.1#~builtin<compat/resolve>":
-  version: 1.22.3
-  resolution: "resolve@patch:resolve@npm%3A1.22.3#~builtin<compat/resolve>::version=1.22.3&hash=c3c19d"
-  dependencies:
-    is-core-module: ^2.12.0
-    path-parse: ^1.0.7
-    supports-preserve-symlinks-flag: ^1.0.0
-  bin:
-    resolve: bin/resolve
-  checksum: ad59734723b596d0891321c951592ed9015a77ce84907f89c9d9307dd0c06e11a67906a3e628c4cae143d3e44898603478af0ddeb2bba3f229a9373efe342665
-  languageName: node
-  linkType: hard
-
-"resolve@patch:resolve@^1.10.0#~builtin<compat/resolve>, resolve@patch:resolve@^1.11.1#~builtin<compat/resolve>, resolve@patch:resolve@^1.13.1#~builtin<compat/resolve>, resolve@patch:resolve@^1.14.2#~builtin<compat/resolve>, resolve@patch:resolve@^1.17.0#~builtin<compat/resolve>, resolve@patch:resolve@^1.20.0#~builtin<compat/resolve>, resolve@patch:resolve@^1.3.3#~builtin<compat/resolve>, resolve@patch:resolve@^1.4.0#~builtin<compat/resolve>, resolve@patch:resolve@^1.5.0#~builtin<compat/resolve>, resolve@patch:resolve@^1.8.1#~builtin<compat/resolve>":
-  version: 1.20.0
-  resolution: "resolve@patch:resolve@npm%3A1.20.0#~builtin<compat/resolve>::version=1.20.0&hash=c3c19d"
-  dependencies:
-    is-core-module: ^2.2.0
-    path-parse: ^1.0.6
-  checksum: a0dd7d16a8e47af23afa9386df2dff10e3e0debb2c7299a42e581d9d9b04d7ad5d2c53f24f1e043f7b3c250cbdc71150063e53d0b6559683d37f790b7c8c3cd5
-  languageName: node
-  linkType: hard
-
-"resolve@patch:resolve@^1.22.0#~builtin<compat/resolve>":
-  version: 1.22.0
-  resolution: "resolve@patch:resolve@npm%3A1.22.0#~builtin<compat/resolve>::version=1.22.0&hash=c3c19d"
-  dependencies:
-    is-core-module: ^2.8.1
-    path-parse: ^1.0.7
-    supports-preserve-symlinks-flag: ^1.0.0
-  bin:
-    resolve: bin/resolve
-  checksum: c79ecaea36c872ee4a79e3db0d3d4160b593f2ca16e031d8283735acd01715a203607e9ded3f91f68899c2937fa0d49390cddbe0fb2852629212f3cda283f4a7
-  languageName: node
-  linkType: hard
-
-"restore-cursor@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "restore-cursor@npm:2.0.0"
-  dependencies:
-    onetime: ^2.0.0
-    signal-exit: ^3.0.2
-  checksum: 482e13d02d834b6e5e3aa90304a8b5e840775d6f06916cc92a50038adf9f098dcc72405b567da8a37e137ae40ad3e31896fa3136ae62f7a426c2fbf53d036536
-  languageName: node
-  linkType: hard
-
-"restore-cursor@npm:^3.1.0":
-  version: 3.1.0
-  resolution: "restore-cursor@npm:3.1.0"
-  dependencies:
-    onetime: ^5.1.0
-    signal-exit: ^3.0.2
-  checksum: f877dd8741796b909f2a82454ec111afb84eb45890eb49ac947d87991379406b3b83ff9673a46012fca0d7844bb989f45cc5b788254cf1a39b6b5a9659de0630
-  languageName: node
-  linkType: hard
-
-"ret@npm:~0.1.10":
-  version: 0.1.15
-  resolution: "ret@npm:0.1.15"
-  checksum: d76a9159eb8c946586567bd934358dfc08a36367b3257f7a3d7255fdd7b56597235af23c6afa0d7f0254159e8051f93c918809962ebd6df24ca2a83dbe4d4151
-  languageName: node
-  linkType: hard
-
-"retry@npm:^0.12.0":
-  version: 0.12.0
-  resolution: "retry@npm:0.12.0"
-  checksum: 623bd7d2e5119467ba66202d733ec3c2e2e26568074923bc0585b6b99db14f357e79bdedb63cab56cec47491c4a0da7e6021a7465ca6dc4f481d3898fdd3158c
-  languageName: node
-  linkType: hard
-
-"reusify@npm:^1.0.4":
-  version: 1.0.4
-  resolution: "reusify@npm:1.0.4"
-  checksum: c3076ebcc22a6bc252cb0b9c77561795256c22b757f40c0d8110b1300723f15ec0fc8685e8d4ea6d7666f36c79ccc793b1939c748bf36f18f542744a4e379fcc
-  languageName: node
-  linkType: hard
-
-"rimraf@npm:^2.2.8, rimraf@npm:^2.3.4, rimraf@npm:^2.4.3, rimraf@npm:^2.5.3, rimraf@npm:^2.5.4, rimraf@npm:^2.6.1, rimraf@npm:^2.6.2, rimraf@npm:^2.6.3":
-  version: 2.7.1
-  resolution: "rimraf@npm:2.7.1"
-  dependencies:
-    glob: ^7.1.3
-  bin:
-    rimraf: ./bin.js
-  checksum: cdc7f6eacb17927f2a075117a823e1c5951792c6498ebcce81ca8203454a811d4cf8900314154d3259bb8f0b42ab17f67396a8694a54cae3283326e57ad250cd
-  languageName: node
-  linkType: hard
-
-"rimraf@npm:^3.0.0, rimraf@npm:^3.0.1, rimraf@npm:^3.0.2":
-  version: 3.0.2
-  resolution: "rimraf@npm:3.0.2"
-  dependencies:
-    glob: ^7.1.3
-  bin:
-    rimraf: bin.js
-  checksum: 87f4164e396f0171b0a3386cc1877a817f572148ee13a7e113b238e48e8a9f2f31d009a92ec38a591ff1567d9662c6b67fd8818a2dbbaed74bc26a87a2a4a9a0
-  languageName: node
-  linkType: hard
-
-"rimraf@npm:~2.6.2":
-  version: 2.6.3
-  resolution: "rimraf@npm:2.6.3"
-  dependencies:
-    glob: ^7.1.3
-  bin:
-    rimraf: ./bin.js
-  checksum: 3ea587b981a19016297edb96d1ffe48af7e6af69660e3b371dbfc73722a73a0b0e9be5c88089fbeeb866c389c1098e07f64929c7414290504b855f54f901ab10
-  languageName: node
-  linkType: hard
-
-"ripemd160@npm:^2.0.0, ripemd160@npm:^2.0.1":
-  version: 2.0.2
-  resolution: "ripemd160@npm:2.0.2"
-  dependencies:
-    hash-base: ^3.0.0
-    inherits: ^2.0.1
-  checksum: 006accc40578ee2beae382757c4ce2908a826b27e2b079efdcd2959ee544ddf210b7b5d7d5e80467807604244e7388427330f5c6d4cd61e6edaddc5773ccc393
-  languageName: node
-  linkType: hard
-
-"rollup-pluginutils@npm:^2.0.1, rollup-pluginutils@npm:^2.6.0, rollup-pluginutils@npm:^2.8.1":
-  version: 2.8.2
-  resolution: "rollup-pluginutils@npm:2.8.2"
-  dependencies:
-    estree-walker: ^0.6.1
-  checksum: 339fdf866d8f4ff6e408fa274c0525412f7edb01dc46b5ccda51f575b7e0d20ad72965773376fb5db95a77a7fcfcab97bf841ec08dbadf5d6b08af02b7a2cf5e
-  languageName: node
-  linkType: hard
-
-"rollup@npm:^0.57.1":
-  version: 0.57.1
-  resolution: "rollup@npm:0.57.1"
-  dependencies:
-    "@types/acorn": ^4.0.3
-    acorn: ^5.5.3
-    acorn-dynamic-import: ^3.0.0
-    date-time: ^2.1.0
-    is-reference: ^1.1.0
-    locate-character: ^2.0.5
-    pretty-ms: ^3.1.0
-    require-relative: ^0.8.7
-    rollup-pluginutils: ^2.0.1
-    signal-exit: ^3.0.2
-    sourcemap-codec: ^1.4.1
-  bin:
-    rollup: ./bin/rollup
-  checksum: 602691dfa734baec73a1988f34287e802a5498555a7fbe607135de4489cdb6ec49eea5902a850a25b96bf3a862e8cadbbffbd6ddf9986663d3f5ce4a0cb38519
-  languageName: node
-  linkType: hard
-
-"rollup@npm:^1.12.0":
-  version: 1.32.1
-  resolution: "rollup@npm:1.32.1"
-  dependencies:
-    "@types/estree": "*"
-    "@types/node": "*"
-    acorn: ^7.1.0
-  bin:
-    rollup: dist/bin/rollup
-  checksum: 3a02731c20c71321fae647c9c9cab0febee0580c6af029fdcd5dd6f424b8c85119d92c8554c6837327fd323c2458e92d955bbebc90ca6bed87cc626695e7c31f
-  languageName: node
-  linkType: hard
-
-"rollup@npm:^2.50.0":
-  version: 2.70.1
-  resolution: "rollup@npm:2.70.1"
-  dependencies:
-    fsevents: ~2.3.2
-  dependenciesMeta:
-    fsevents:
-      optional: true
-  bin:
-    rollup: dist/bin/rollup
-  checksum: 06c62933e6e81a1c8c684d7d576e507081aabdb63cc0c91bca86b7348b66df03b77827068e4990b8b6c738bd3ef66dcc8c7ed7e0ea40b736068e7618f693133e
-  languageName: node
-  linkType: hard
-
-"route-recognizer@npm:^0.3.3":
-  version: 0.3.4
-  resolution: "route-recognizer@npm:0.3.4"
-  checksum: 9586704491b26716eba1bdbb4a386893ecaab80c6dbf34e394957063b941ebf336ca09222f0892c9d118c609fa9b972d6e73e454abd4382acdc34dbb878e87f2
-  languageName: node
-  linkType: hard
-
-"rsvp@npm:^3.0.14, rsvp@npm:^3.0.17, rsvp@npm:^3.0.18, rsvp@npm:^3.0.21, rsvp@npm:^3.0.6, rsvp@npm:^3.1.0":
-  version: 3.6.2
-  resolution: "rsvp@npm:3.6.2"
-  checksum: 08504ea7ab3dba0349ff820011a460da69de08edf7149ee672f4511310ee4bd3767bfa83b6db019fa99b144125e1e93e6fba122d75a702a005360393f4352864
-  languageName: node
-  linkType: hard
-
-"rsvp@npm:^4.7.0, rsvp@npm:^4.8.1, rsvp@npm:^4.8.2, rsvp@npm:^4.8.4, rsvp@npm:^4.8.5":
-  version: 4.8.5
-  resolution: "rsvp@npm:4.8.5"
-  checksum: 2d8ef30d8febdf05bdf856ccca38001ae3647e41835ca196bc1225333f79b94ae44def733121ca549ccc36209c9b689f6586905e2a043873262609744da8efc1
-  languageName: node
-  linkType: hard
-
-"rsvp@npm:~3.2.1":
-  version: 3.2.1
-  resolution: "rsvp@npm:3.2.1"
-  checksum: e2ac49cbe35b8c2701b07698066d7cd8004115b070f3352d45759dfcd820fa57e687230331ba41f5a40e1871789cbf122de6e73559598777a0b18b66953dc09b
-  languageName: node
-  linkType: hard
-
-"run-async@npm:^2.2.0, run-async@npm:^2.4.0":
-  version: 2.4.1
-  resolution: "run-async@npm:2.4.1"
-  checksum: a2c88aa15df176f091a2878eb840e68d0bdee319d8d97bbb89112223259cebecb94bc0defd735662b83c2f7a30bed8cddb7d1674eb48ae7322dc602b22d03797
-  languageName: node
-  linkType: hard
-
-"run-parallel@npm:^1.1.9":
-  version: 1.2.0
-  resolution: "run-parallel@npm:1.2.0"
-  dependencies:
-    queue-microtask: ^1.2.2
-  checksum: cb4f97ad25a75ebc11a8ef4e33bb962f8af8516bb2001082ceabd8902e15b98f4b84b4f8a9b222e5d57fc3bd1379c483886ed4619367a7680dad65316993021d
-  languageName: node
-  linkType: hard
-
-"run-queue@npm:^1.0.0, run-queue@npm:^1.0.3":
-  version: 1.0.3
-  resolution: "run-queue@npm:1.0.3"
-  dependencies:
-    aproba: ^1.1.1
-  checksum: c4541e18b5e056af60f398f2f1b3d89aae5c093d1524bf817c5ee68bcfa4851ad9976f457a9aea135b1d0d72ee9a91c386e3d136bcd95b699c367cd09c70be53
-  languageName: node
-  linkType: hard
-
-"rw@npm:1":
-  version: 1.3.3
-  resolution: "rw@npm:1.3.3"
-  checksum: c20d82421f5a71c86a13f76121b751553a99cd4a70ea27db86f9b23f33db941f3f06019c30f60d50c356d0bd674c8e74764ac146ea55e217c091bde6fba82aa3
-  languageName: node
-  linkType: hard
-
-"rxjs@npm:^6.4.0, rxjs@npm:^6.6.0, rxjs@npm:^6.6.7":
-  version: 6.6.7
-  resolution: "rxjs@npm:6.6.7"
-  dependencies:
-    tslib: ^1.9.0
-  checksum: bc334edef1bb8bbf56590b0b25734ba0deaf8825b703256a93714308ea36dff8a11d25533671adf8e104e5e8f256aa6fdfe39b2e248cdbd7a5f90c260acbbd1b
-  languageName: node
-  linkType: hard
-
-"rxjs@npm:^7.5.5":
-  version: 7.8.1
-  resolution: "rxjs@npm:7.8.1"
-  dependencies:
-    tslib: ^2.1.0
-  checksum: de4b53db1063e618ec2eca0f7965d9137cabe98cf6be9272efe6c86b47c17b987383df8574861bcced18ebd590764125a901d5506082be84a8b8e364bf05f119
-  languageName: node
-  linkType: hard
-
-"rxjs@npm:^7.5.6":
-  version: 7.5.7
-  resolution: "rxjs@npm:7.5.7"
-  dependencies:
-    tslib: ^2.1.0
-  checksum: edabcdb73b0f7e0f5f6e05c2077aff8c52222ac939069729704357d6406438acca831c24210db320aba269e86dbe1a400f3769c89101791885121a342fb15d9c
-  languageName: node
-  linkType: hard
-
-"safe-buffer@npm:5.1.2, safe-buffer@npm:~5.1.0, safe-buffer@npm:~5.1.1":
-  version: 5.1.2
-  resolution: "safe-buffer@npm:5.1.2"
-  checksum: f2f1f7943ca44a594893a852894055cf619c1fbcb611237fc39e461ae751187e7baf4dc391a72125e0ac4fb2d8c5c0b3c71529622e6a58f46b960211e704903c
-  languageName: node
-  linkType: hard
-
-"safe-buffer@npm:5.2.1, safe-buffer@npm:>=5.1.0, safe-buffer@npm:^5.0.1, safe-buffer@npm:^5.1.0, safe-buffer@npm:^5.1.1, safe-buffer@npm:^5.1.2, safe-buffer@npm:^5.2.0, safe-buffer@npm:~5.2.0":
-  version: 5.2.1
-  resolution: "safe-buffer@npm:5.2.1"
-  checksum: b99c4b41fdd67a6aaf280fcd05e9ffb0813654894223afb78a31f14a19ad220bba8aba1cb14eddce1fcfb037155fe6de4e861784eb434f7d11ed58d1e70dd491
-  languageName: node
-  linkType: hard
-
-"safe-identifier@npm:^0.4.1":
-  version: 0.4.2
-  resolution: "safe-identifier@npm:0.4.2"
-  checksum: 67e28ed89a74cf20b827419003d3cb60a0ebaec0771c2c818f4b2239bf4f96e01ad90aa8db6dc57ee90c0c438b6f46323e4b5a3d955d18d8c4e158ea035cabdd
-  languageName: node
-  linkType: hard
-
-"safe-json-parse@npm:~1.0.1":
-  version: 1.0.1
-  resolution: "safe-json-parse@npm:1.0.1"
-  checksum: aea585d967fb373903aae99e6e31157a68ebebdc9d0011bc86732b6c700994768349e30d4fb6dfdc346106004a85104187d0b48964fe1caff90b0886df5827eb
-  languageName: node
-  linkType: hard
-
-"safe-regex-test@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "safe-regex-test@npm:1.0.0"
-  dependencies:
-    call-bind: ^1.0.2
-    get-intrinsic: ^1.1.3
-    is-regex: ^1.1.4
-  checksum: bc566d8beb8b43c01b94e67de3f070fd2781685e835959bbbaaec91cc53381145ca91f69bd837ce6ec244817afa0a5e974fc4e40a2957f0aca68ac3add1ddd34
-  languageName: node
-  linkType: hard
-
-"safe-regex@npm:^1.1.0":
-  version: 1.1.0
-  resolution: "safe-regex@npm:1.1.0"
-  dependencies:
-    ret: ~0.1.10
-  checksum: 9a8bba57c87a841f7997b3b951e8e403b1128c1a4fd1182f40cc1a20e2d490593d7c2a21030fadfea320c8e859219019e136f678c6689ed5960b391b822f01d5
-  languageName: node
-  linkType: hard
-
-"safe-stable-stringify@npm:^2.2.0":
-  version: 2.4.0
-  resolution: "safe-stable-stringify@npm:2.4.0"
-  checksum: 5c9e4b2b2423470becafe232244948e7ce9545baaa65d67965e8c36536c93d2f7b4c1ddeb4bba8a912d0325e02c7691f24dd4de6935a9c1221402c17582ae1c1
-  languageName: node
-  linkType: hard
-
-"safe-stable-stringify@npm:^2.4.2":
-  version: 2.4.3
-  resolution: "safe-stable-stringify@npm:2.4.3"
-  checksum: 3aeb64449706ee1f5ad2459fc99648b131d48e7a1fbb608d7c628020177512dc9d94108a5cb61bbc953985d313d0afea6566d243237743e02870490afef04b43
-  languageName: node
-  linkType: hard
-
-"safer-buffer@npm:>= 2.1.2 < 3, safer-buffer@npm:>= 2.1.2 < 3.0.0, safer-buffer@npm:^2.0.2, safer-buffer@npm:^2.1.0, safer-buffer@npm:~2.1.0":
-  version: 2.1.2
-  resolution: "safer-buffer@npm:2.1.2"
-  checksum: cab8f25ae6f1434abee8d80023d7e72b598cf1327164ddab31003c51215526801e40b66c5e65d658a0af1e9d6478cadcb4c745f4bd6751f97d8644786c0978b0
-  languageName: node
-  linkType: hard
-
-"sane@npm:^4.0.0":
-  version: 4.1.0
-  resolution: "sane@npm:4.1.0"
-  dependencies:
-    "@cnakazawa/watch": ^1.0.3
-    anymatch: ^2.0.0
-    capture-exit: ^2.0.0
-    exec-sh: ^0.3.2
-    execa: ^1.0.0
-    fb-watchman: ^2.0.0
-    micromatch: ^3.1.4
-    minimist: ^1.1.1
-    walker: ~1.0.5
-  bin:
-    sane: ./src/cli.js
-  checksum: 97716502d456c0d38670a902a4ea943d196dcdf998d1e40532d8f3e24e25d7eddfd4c3579025a1eee8eac09a48dfd05fba61a2156c56704e7feaa450eb249f7c
-  languageName: node
-  linkType: hard
-
-"sane@npm:^5.0.1":
-  version: 5.0.1
-  resolution: "sane@npm:5.0.1"
-  dependencies:
-    "@cnakazawa/watch": ^1.0.3
-    anymatch: ^3.1.1
-    capture-exit: ^2.0.0
-    exec-sh: ^0.3.4
-    execa: ^4.0.0
-    fb-watchman: ^2.0.1
-    micromatch: ^4.0.2
-    minimist: ^1.1.1
-    walker: ~1.0.5
-  bin:
-    sane: src/cli.js
-  checksum: 137c419e28dea9f8fc31c1817012d335d511dd8d5a1527f87742b7a4e904e009f62d52fab933d565c10c2fcf6113aa5c30a99d2eb651b63e835ea73de6267615
-  languageName: node
-  linkType: hard
-
-"sass-svg-uri@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "sass-svg-uri@npm:1.0.0"
-  checksum: 75a2af6cc4ac44c262309f51c290a1a5120ab5cd45cabafd0faabd9ad3bb6898417d3993fdfdf65efbf0ff9878d105d2bb8e1502db29f13c41974fb4adaa3f1a
-  languageName: node
-  linkType: hard
-
-"sass@npm:^1.58.3":
-  version: 1.58.3
-  resolution: "sass@npm:1.58.3"
-  dependencies:
-    chokidar: ">=3.0.0 <4.0.0"
-    immutable: ^4.0.0
-    source-map-js: ">=0.6.2 <2.0.0"
-  bin:
-    sass: sass.js
-  checksum: 35a2b98c037ef80fdc93c9b0be846e6ccc7d75596351a37ee79c397e66666d0a754c52c4696e746c0aff32327471e185343ca349e998a58340411adc9d0489a5
-  languageName: node
-  linkType: hard
-
-"sass@npm:^1.62.1":
-  version: 1.68.0
-  resolution: "sass@npm:1.68.0"
-  dependencies:
-    chokidar: ">=3.0.0 <4.0.0"
-    immutable: ^4.0.0
-    source-map-js: ">=0.6.2 <2.0.0"
-  bin:
-    sass: sass.js
-  checksum: 65ccede83c96768beeb8dcaf67957b7c76b12ff1276bfd2849d7be151d46ba1400048a67717e6e5e4969bc75e87348e5530f5f272833f2e60a891c21a33d8ab0
-  languageName: node
-  linkType: hard
-
-"sax@npm:~1.2.4":
-  version: 1.2.4
-  resolution: "sax@npm:1.2.4"
-  checksum: d3df7d32b897a2c2f28e941f732c71ba90e27c24f62ee918bd4d9a8cfb3553f2f81e5493c7f0be94a11c1911b643a9108f231dd6f60df3fa9586b5d2e3e9e1fe
-  languageName: node
-  linkType: hard
-
-"saxes@npm:^5.0.1":
-  version: 5.0.1
-  resolution: "saxes@npm:5.0.1"
-  dependencies:
-    xmlchars: ^2.2.0
-  checksum: 5636b55cf15f7cf0baa73f2797bf992bdcf75d1b39d82c0aa4608555c774368f6ac321cb641fd5f3d3ceb87805122cd47540da6a7b5960fe0dbdb8f8c263f000
-  languageName: node
-  linkType: hard
-
-"schema-utils@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "schema-utils@npm:1.0.0"
-  dependencies:
-    ajv: ^6.1.0
-    ajv-errors: ^1.0.0
-    ajv-keywords: ^3.1.0
-  checksum: e8273b4f6eff9ddf4a4f4c11daf7b96b900237bf8859c86fa1e9b4fab416b72d7ea92468f8db89c18a3499a1070206e1c8a750c83b42d5325fc659cbb55eee88
-  languageName: node
-  linkType: hard
-
-"schema-utils@npm:^2.6.5":
-  version: 2.7.1
-  resolution: "schema-utils@npm:2.7.1"
-  dependencies:
-    "@types/json-schema": ^7.0.5
-    ajv: ^6.12.4
-    ajv-keywords: ^3.5.2
-  checksum: 32c62fc9e28edd101e1bd83453a4216eb9bd875cc4d3775e4452b541908fa8f61a7bbac8ffde57484f01d7096279d3ba0337078e85a918ecbeb72872fb09fb2b
-  languageName: node
-  linkType: hard
-
-"schema-utils@npm:^3.0.0, schema-utils@npm:^3.1.0, schema-utils@npm:^3.1.1":
-  version: 3.1.1
-  resolution: "schema-utils@npm:3.1.1"
-  dependencies:
-    "@types/json-schema": ^7.0.8
-    ajv: ^6.12.5
-    ajv-keywords: ^3.5.2
-  checksum: fb73f3d759d43ba033c877628fe9751620a26879f6301d3dbeeb48cf2a65baec5cdf99da65d1bf3b4ff5444b2e59cbe4f81c2456b5e0d2ba7d7fd4aed5da29ce
-  languageName: node
-  linkType: hard
-
-"schema-utils@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "schema-utils@npm:4.0.0"
-  dependencies:
-    "@types/json-schema": ^7.0.9
-    ajv: ^8.8.0
-    ajv-formats: ^2.1.1
-    ajv-keywords: ^5.0.0
-  checksum: c843e92fdd1a5c145dbb6ffdae33e501867f9703afac67bdf35a685e49f85b1dcc10ea250033175a64bd9d31f0555bc6785b8359da0c90bcea30cf6dfbb55a8f
-  languageName: node
-  linkType: hard
-
-"select@npm:^1.1.2":
-  version: 1.1.2
-  resolution: "select@npm:1.1.2"
-  checksum: 4346151e94f226ea6131e44e68e6d837f3fdee64831b756dd657cc0b02f4cb5107f867cb34a1d1216ab7737d0bf0645d44546afb030bbd8d64e891f5e4c4814e
-  languageName: node
-  linkType: hard
-
-"semver-compare@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "semver-compare@npm:1.0.0"
-  checksum: dd1d7e2909744cf2cf71864ac718efc990297f9de2913b68e41a214319e70174b1d1793ac16e31183b128c2b9812541300cb324db8168e6cf6b570703b171c68
-  languageName: node
-  linkType: hard
-
-"semver@npm:2 || 3 || 4 || 5":
-  version: 5.7.2
-  resolution: "semver@npm:5.7.2"
-  bin:
-    semver: bin/semver
-  checksum: fb4ab5e0dd1c22ce0c937ea390b4a822147a9c53dbd2a9a0132f12fe382902beef4fbf12cf51bb955248d8d15874ce8cd89532569756384f994309825f10b686
-  languageName: node
-  linkType: hard
-
-"semver@npm:7.0.0":
-  version: 7.0.0
-  resolution: "semver@npm:7.0.0"
-  bin:
-    semver: bin/semver.js
-  checksum: 272c11bf8d083274ef79fe40a81c55c184dff84dd58e3c325299d0927ba48cece1f020793d138382b85f89bab5002a35a5ba59a3a68a7eebbb597eb733838778
-  languageName: node
-  linkType: hard
-
-"semver@npm:7.3.5, semver@npm:^7.3.2, semver@npm:^7.3.4, semver@npm:^7.3.5":
-  version: 7.3.5
-  resolution: "semver@npm:7.3.5"
-  dependencies:
-    lru-cache: ^6.0.0
-  bin:
-    semver: bin/semver.js
-  checksum: 5eafe6102bea2a7439897c1856362e31cc348ccf96efd455c8b5bc2c61e6f7e7b8250dc26b8828c1d76a56f818a7ee907a36ae9fb37a599d3d24609207001d60
-  languageName: node
-  linkType: hard
-
-"semver@npm:^5.3.0, semver@npm:^5.4.1, semver@npm:^5.5.0, semver@npm:^5.6.0":
-  version: 5.7.1
-  resolution: "semver@npm:5.7.1"
-  bin:
-    semver: ./bin/semver
-  checksum: 57fd0acfd0bac382ee87cd52cd0aaa5af086a7dc8d60379dfe65fea491fb2489b6016400813930ecd61fd0952dae75c115287a1b16c234b1550887117744dfaf
-  languageName: node
-  linkType: hard
-
-"semver@npm:^6.0.0, semver@npm:^6.1.1, semver@npm:^6.1.2, semver@npm:^6.3.0":
-  version: 6.3.0
-  resolution: "semver@npm:6.3.0"
-  bin:
-    semver: ./bin/semver.js
-  checksum: 1b26ecf6db9e8292dd90df4e781d91875c0dcc1b1909e70f5d12959a23c7eebb8f01ea581c00783bbee72ceeaad9505797c381756326073850dc36ed284b21b9
-  languageName: node
-  linkType: hard
-
-"semver@npm:^6.3.1":
-  version: 6.3.1
-  resolution: "semver@npm:6.3.1"
-  bin:
-    semver: bin/semver.js
-  checksum: ae47d06de28836adb9d3e25f22a92943477371292d9b665fb023fae278d345d508ca1958232af086d85e0155aee22e313e100971898bbb8d5d89b8b1d4054ca2
-  languageName: node
-  linkType: hard
-
-"semver@npm:^7.0.0":
-  version: 7.5.1
-  resolution: "semver@npm:7.5.1"
-  dependencies:
-    lru-cache: ^6.0.0
-  bin:
-    semver: bin/semver.js
-  checksum: d16dbedad53c65b086f79524b9ef766bf38670b2395bdad5c957f824dcc566b624988013564f4812bcace3f9d405355c3635e2007396a39d1bffc71cfec4a2fc
-  languageName: node
-  linkType: hard
-
-"semver@npm:^7.3.7":
-  version: 7.3.7
-  resolution: "semver@npm:7.3.7"
-  dependencies:
-    lru-cache: ^6.0.0
-  bin:
-    semver: bin/semver.js
-  checksum: 2fa3e877568cd6ce769c75c211beaed1f9fce80b28338cadd9d0b6c40f2e2862bafd62c19a6cff42f3d54292b7c623277bcab8816a2b5521cf15210d43e75232
-  languageName: node
-  linkType: hard
-
-"semver@npm:^7.3.8":
-  version: 7.3.8
-  resolution: "semver@npm:7.3.8"
-  dependencies:
-    lru-cache: ^6.0.0
-  bin:
-    semver: bin/semver.js
-  checksum: ba9c7cbbf2b7884696523450a61fee1a09930d888b7a8d7579025ad93d459b2d1949ee5bbfeb188b2be5f4ac163544c5e98491ad6152df34154feebc2cc337c1
-  languageName: node
-  linkType: hard
-
-"send@npm:0.17.1":
-  version: 0.17.1
-  resolution: "send@npm:0.17.1"
-  dependencies:
-    debug: 2.6.9
-    depd: ~1.1.2
-    destroy: ~1.0.4
-    encodeurl: ~1.0.2
-    escape-html: ~1.0.3
-    etag: ~1.8.1
-    fresh: 0.5.2
-    http-errors: ~1.7.2
-    mime: 1.6.0
-    ms: 2.1.1
-    on-finished: ~2.3.0
-    range-parser: ~1.2.1
-    statuses: ~1.5.0
-  checksum: d214c2fa42e7fae3f8fc1aa3931eeb3e6b78c2cf141574e09dbe159915c1e3a337269fc6b7512e7dfddcd7d6ff5974cb62f7c3637ba86a55bde20a92c18bdca0
-  languageName: node
-  linkType: hard
-
-"send@npm:0.18.0":
-  version: 0.18.0
-  resolution: "send@npm:0.18.0"
-  dependencies:
-    debug: 2.6.9
-    depd: 2.0.0
-    destroy: 1.2.0
-    encodeurl: ~1.0.2
-    escape-html: ~1.0.3
-    etag: ~1.8.1
-    fresh: 0.5.2
-    http-errors: 2.0.0
-    mime: 1.6.0
-    ms: 2.1.3
-    on-finished: 2.4.1
-    range-parser: ~1.2.1
-    statuses: 2.0.1
-  checksum: 74fc07ebb58566b87b078ec63e5a3e41ecd987e4272ba67b7467e86c6ad51bc6b0b0154133b6d8b08a2ddda360464f71382f7ef864700f34844a76c8027817a8
-  languageName: node
-  linkType: hard
-
-"serialize-javascript@npm:^3.1.0":
-  version: 3.1.0
-  resolution: "serialize-javascript@npm:3.1.0"
-  dependencies:
-    randombytes: ^2.1.0
-  checksum: 0fc0131a78168d6237cfe1b21564f20a3b9b72e8ceebb21935baacf026631ed636912c20c7e9fa721a8f27a247e6f9849e705f27032d19863333c2cfab16d1c9
-  languageName: node
-  linkType: hard
-
-"serve-static@npm:1.14.1":
-  version: 1.14.1
-  resolution: "serve-static@npm:1.14.1"
-  dependencies:
-    encodeurl: ~1.0.2
-    escape-html: ~1.0.3
-    parseurl: ~1.3.3
-    send: 0.17.1
-  checksum: c6b268e8486d39ecd54b86c7f2d0ee4a38cd7514ddd9c92c8d5793bb005afde5e908b12395898ae206782306ccc848193d93daa15b86afb3cbe5a8414806abe8
-  languageName: node
-  linkType: hard
-
-"serve-static@npm:1.15.0":
-  version: 1.15.0
-  resolution: "serve-static@npm:1.15.0"
-  dependencies:
-    encodeurl: ~1.0.2
-    escape-html: ~1.0.3
-    parseurl: ~1.3.3
-    send: 0.18.0
-  checksum: af57fc13be40d90a12562e98c0b7855cf6e8bd4c107fe9a45c212bf023058d54a1871b1c89511c3958f70626fff47faeb795f5d83f8cf88514dbaeb2b724464d
-  languageName: node
-  linkType: hard
-
-"set-blocking@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "set-blocking@npm:2.0.0"
-  checksum: 6e65a05f7cf7ebdf8b7c75b101e18c0b7e3dff4940d480efed8aad3a36a4005140b660fa1d804cb8bce911cac290441dc728084a30504d3516ac2ff7ad607b02
-  languageName: node
-  linkType: hard
-
-"set-value@npm:^2.0.0, set-value@npm:^2.0.1":
-  version: 2.0.1
-  resolution: "set-value@npm:2.0.1"
-  dependencies:
-    extend-shallow: ^2.0.1
-    is-extendable: ^0.1.1
-    is-plain-object: ^2.0.3
-    split-string: ^3.0.1
-  checksum: 09a4bc72c94641aeae950eb60dc2755943b863780fcc32e441eda964b64df5e3f50603d5ebdd33394ede722528bd55ed43aae26e9df469b4d32e2292b427b601
-  languageName: node
-  linkType: hard
-
-"setimmediate@npm:^1.0.4":
-  version: 1.0.5
-  resolution: "setimmediate@npm:1.0.5"
-  checksum: c9a6f2c5b51a2dabdc0247db9c46460152ffc62ee139f3157440bd48e7c59425093f42719ac1d7931f054f153e2d26cf37dfeb8da17a794a58198a2705e527fd
-  languageName: node
-  linkType: hard
-
-"setprototypeof@npm:1.1.0":
-  version: 1.1.0
-  resolution: "setprototypeof@npm:1.1.0"
-  checksum: 27cb44304d6c9e1a23bc6c706af4acaae1a7aa1054d4ec13c05f01a99fd4887109a83a8042b67ad90dbfcd100d43efc171ee036eb080667172079213242ca36e
-  languageName: node
-  linkType: hard
-
-"setprototypeof@npm:1.1.1":
-  version: 1.1.1
-  resolution: "setprototypeof@npm:1.1.1"
-  checksum: a8bee29c1c64c245d460ce53f7460af8cbd0aceac68d66e5215153992cc8b3a7a123416353e0c642060e85cc5fd4241c92d1190eec97eda0dcb97436e8fcca3b
-  languageName: node
-  linkType: hard
-
-"setprototypeof@npm:1.2.0":
-  version: 1.2.0
-  resolution: "setprototypeof@npm:1.2.0"
-  checksum: be18cbbf70e7d8097c97f713a2e76edf84e87299b40d085c6bf8b65314e994cc15e2e317727342fa6996e38e1f52c59720b53fe621e2eb593a6847bf0356db89
-  languageName: node
-  linkType: hard
-
-"sha.js@npm:^2.4.0, sha.js@npm:^2.4.8":
-  version: 2.4.11
-  resolution: "sha.js@npm:2.4.11"
-  dependencies:
-    inherits: ^2.0.1
-    safe-buffer: ^5.0.1
-  bin:
-    sha.js: ./bin.js
-  checksum: ebd3f59d4b799000699097dadb831c8e3da3eb579144fd7eb7a19484cbcbb7aca3c68ba2bb362242eb09e33217de3b4ea56e4678184c334323eca24a58e3ad07
-  languageName: node
-  linkType: hard
-
-"shebang-command@npm:^1.2.0":
-  version: 1.2.0
-  resolution: "shebang-command@npm:1.2.0"
-  dependencies:
-    shebang-regex: ^1.0.0
-  checksum: 9eed1750301e622961ba5d588af2212505e96770ec376a37ab678f965795e995ade7ed44910f5d3d3cb5e10165a1847f52d3348c64e146b8be922f7707958908
-  languageName: node
-  linkType: hard
-
-"shebang-command@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "shebang-command@npm:2.0.0"
-  dependencies:
-    shebang-regex: ^3.0.0
-  checksum: 6b52fe87271c12968f6a054e60f6bde5f0f3d2db483a1e5c3e12d657c488a15474121a1d55cd958f6df026a54374ec38a4a963988c213b7570e1d51575cea7fa
-  languageName: node
-  linkType: hard
-
-"shebang-regex@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "shebang-regex@npm:1.0.0"
-  checksum: 404c5a752cd40f94591dfd9346da40a735a05139dac890ffc229afba610854d8799aaa52f87f7e0c94c5007f2c6af55bdcaeb584b56691926c5eaf41dc8f1372
-  languageName: node
-  linkType: hard
-
-"shebang-regex@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "shebang-regex@npm:3.0.0"
-  checksum: 1a2bcae50de99034fcd92ad4212d8e01eedf52c7ec7830eedcf886622804fe36884278f2be8be0ea5fde3fd1c23911643a4e0f726c8685b61871c8908af01222
-  languageName: node
-  linkType: hard
-
-"shell-quote@npm:^1.6.1":
-  version: 1.7.2
-  resolution: "shell-quote@npm:1.7.2"
-  checksum: efad426fb25d8a54d06363f1f45774aa9e195f62f14fa696d542b44bfe418ab41206448b63af18d726c62e099e66d9a3f4f44858b9ea2ce4b794b41b802672d1
-  languageName: node
-  linkType: hard
-
-"shell-quote@npm:^1.8.1":
-  version: 1.8.1
-  resolution: "shell-quote@npm:1.8.1"
-  checksum: 5f01201f4ef504d4c6a9d0d283fa17075f6770bfbe4c5850b074974c68062f37929ca61700d95ad2ac8822e14e8c4b990ca0e6e9272e64befd74ce5e19f0736b
-  languageName: node
-  linkType: hard
-
-"shellwords@npm:^0.1.1":
-  version: 0.1.1
-  resolution: "shellwords@npm:0.1.1"
-  checksum: 8d73a5e9861f5e5f1068e2cfc39bc0002400fe58558ab5e5fa75630d2c3adf44ca1fac81957609c8320d5533e093802fcafc72904bf1a32b95de3c19a0b1c0d4
-  languageName: node
-  linkType: hard
-
-"side-channel@npm:^1.0.4":
-  version: 1.0.4
-  resolution: "side-channel@npm:1.0.4"
-  dependencies:
-    call-bind: ^1.0.0
-    get-intrinsic: ^1.0.2
-    object-inspect: ^1.9.0
-  checksum: 351e41b947079c10bd0858364f32bb3a7379514c399edb64ab3dce683933483fc63fb5e4efe0a15a2e8a7e3c436b6a91736ddb8d8c6591b0460a24bb4a1ee245
-  languageName: node
-  linkType: hard
-
-"signal-exit@npm:^3.0.0, signal-exit@npm:^3.0.2":
-  version: 3.0.6
-  resolution: "signal-exit@npm:3.0.6"
-  checksum: b819ac81ba757af559dad0804233ae31bf6f054591cd8a671e9cbcf09f21c72ec3076fe87d1e04861f5b33b47d63f0694b568de99c99cd733ee2060515beb6d5
-  languageName: node
-  linkType: hard
-
-"signal-exit@npm:^3.0.3, signal-exit@npm:^3.0.7":
-  version: 3.0.7
-  resolution: "signal-exit@npm:3.0.7"
-  checksum: a2f098f247adc367dffc27845853e9959b9e88b01cb301658cfe4194352d8d2bb32e18467c786a7fe15f1d44b233ea35633d076d5e737870b7139949d1ab6318
-  languageName: node
-  linkType: hard
-
-"signal-exit@npm:^4.0.1":
-  version: 4.0.2
-  resolution: "signal-exit@npm:4.0.2"
-  checksum: 41f5928431cc6e91087bf0343db786a6313dd7c6fd7e551dbc141c95bb5fb26663444fd9df8ea47c5d7fc202f60aa7468c3162a9365cbb0615fc5e1b1328fe31
-  languageName: node
-  linkType: hard
-
-"silent-error@npm:^1.0.0, silent-error@npm:^1.0.1, silent-error@npm:^1.1.0, silent-error@npm:^1.1.1":
-  version: 1.1.1
-  resolution: "silent-error@npm:1.1.1"
-  dependencies:
-    debug: ^2.2.0
-  checksum: 4b35a081351acf5610bca231f8788fde72de17e0ab35b6d54a3090dac16ecec56becdbc619da756eee84b134f2030f806a105c70f8fcc6544738654b8aceefd7
-  languageName: node
-  linkType: hard
-
-"simple-html-tokenizer@npm:^0.5.11, simple-html-tokenizer@npm:^0.5.8":
-  version: 0.5.11
-  resolution: "simple-html-tokenizer@npm:0.5.11"
-  checksum: f834a5a0b169ffe10f74bd479a071a7161e0186669e28a1cd662efacdaedd27667469e2b965d5a8538d9d8e7373cb741ea8d748259221f40fa3e4bda2efbdbfc
-  languageName: node
-  linkType: hard
-
-"sinon@npm:^7.4.2":
-  version: 7.5.0
-  resolution: "sinon@npm:7.5.0"
-  dependencies:
-    "@sinonjs/commons": ^1.4.0
-    "@sinonjs/formatio": ^3.2.1
-    "@sinonjs/samsam": ^3.3.3
-    diff: ^3.5.0
-    lolex: ^4.2.0
-    nise: ^1.5.2
-    supports-color: ^5.5.0
-  checksum: e8cf6b3dd16e9c1ed1a2b9560c396a2d6205a4f32293b1762cb6ebb8f88cfa47db6aba45b0c1709ec396efb41d171d88c9b1ab8f32f35512eb9e5d0d0d15d307
-  languageName: node
-  linkType: hard
-
-"slash@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "slash@npm:1.0.0"
-  checksum: 4b6e21b1fba6184a7e2efb1dd173f692d8a845584c1bbf9dc818ff86f5a52fc91b413008223d17cc684604ee8bb9263a420b1182027ad9762e35388434918860
-  languageName: node
-  linkType: hard
-
-"slash@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "slash@npm:3.0.0"
-  checksum: 94a93fff615f25a999ad4b83c9d5e257a7280c90a32a7cb8b4a87996e4babf322e469c42b7f649fd5796edd8687652f3fb452a86dc97a816f01113183393f11c
-  languageName: node
-  linkType: hard
-
-"slash@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "slash@npm:4.0.0"
-  checksum: da8e4af73712253acd21b7853b7e0dbba776b786e82b010a5bfc8b5051a1db38ed8aba8e1e8f400dd2c9f373be91eb1c42b66e91abb407ff42b10feece5e1d2d
-  languageName: node
-  linkType: hard
-
-"slice-ansi@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "slice-ansi@npm:3.0.0"
-  dependencies:
-    ansi-styles: ^4.0.0
-    astral-regex: ^2.0.0
-    is-fullwidth-code-point: ^3.0.0
-  checksum: 5ec6d022d12e016347e9e3e98a7eb2a592213a43a65f1b61b74d2c78288da0aded781f665807a9f3876b9daa9ad94f64f77d7633a0458876c3a4fdc4eb223f24
-  languageName: node
-  linkType: hard
-
-"slice-ansi@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "slice-ansi@npm:4.0.0"
-  dependencies:
-    ansi-styles: ^4.0.0
-    astral-regex: ^2.0.0
-    is-fullwidth-code-point: ^3.0.0
-  checksum: 4a82d7f085b0e1b070e004941ada3c40d3818563ac44766cca4ceadd2080427d337554f9f99a13aaeb3b4a94d9964d9466c807b3d7b7541d1ec37ee32d308756
-  languageName: node
-  linkType: hard
-
-"smart-buffer@npm:^4.2.0":
-  version: 4.2.0
-  resolution: "smart-buffer@npm:4.2.0"
-  checksum: b5167a7142c1da704c0e3af85c402002b597081dd9575031a90b4f229ca5678e9a36e8a374f1814c8156a725d17008ae3bde63b92f9cfd132526379e580bec8b
-  languageName: node
-  linkType: hard
-
-"snake-case@npm:^3.0.3":
-  version: 3.0.4
-  resolution: "snake-case@npm:3.0.4"
-  dependencies:
-    dot-case: ^3.0.4
-    tslib: ^2.0.3
-  checksum: 0a7a79900bbb36f8aaa922cf111702a3647ac6165736d5dc96d3ef367efc50465cac70c53cd172c382b022dac72ec91710608e5393de71f76d7142e6fd80e8a3
-  languageName: node
-  linkType: hard
-
-"snapdragon-node@npm:^2.0.1":
-  version: 2.1.1
-  resolution: "snapdragon-node@npm:2.1.1"
-  dependencies:
-    define-property: ^1.0.0
-    isobject: ^3.0.0
-    snapdragon-util: ^3.0.1
-  checksum: 9bb57d759f9e2a27935dbab0e4a790137adebace832b393e350a8bf5db461ee9206bb642d4fe47568ee0b44080479c8b4a9ad0ebe3712422d77edf9992a672fd
-  languageName: node
-  linkType: hard
-
-"snapdragon-util@npm:^3.0.1":
-  version: 3.0.1
-  resolution: "snapdragon-util@npm:3.0.1"
-  dependencies:
-    kind-of: ^3.2.0
-  checksum: 684997dbe37ec995c03fd3f412fba2b711fc34cb4010452b7eb668be72e8811a86a12938b511e8b19baf853b325178c56d8b78d655305e5cfb0bb8b21677e7b7
-  languageName: node
-  linkType: hard
-
-"snapdragon@npm:^0.8.1":
-  version: 0.8.2
-  resolution: "snapdragon@npm:0.8.2"
-  dependencies:
-    base: ^0.11.1
-    debug: ^2.2.0
-    define-property: ^0.2.5
-    extend-shallow: ^2.0.1
-    map-cache: ^0.2.2
-    source-map: ^0.5.6
-    source-map-resolve: ^0.5.0
-    use: ^3.1.0
-  checksum: a197f242a8f48b11036563065b2487e9b7068f50a20dd81d9161eca6af422174fc158b8beeadbe59ce5ef172aa5718143312b3aebaae551c124b7824387c8312
-  languageName: node
-  linkType: hard
-
-"socket.io-adapter@npm:~2.4.0":
-  version: 2.4.0
-  resolution: "socket.io-adapter@npm:2.4.0"
-  checksum: a84639946dce13547b95f6e09fe167cdcd5d80941afc2e46790cc23384e0fd3c901e690ecc9bdd600939ce6292261ee15094a0b486f797ed621cfc8783d87a0c
-  languageName: node
-  linkType: hard
-
-"socket.io-parser@npm:~4.2.0":
-  version: 4.2.1
-  resolution: "socket.io-parser@npm:4.2.1"
-  dependencies:
-    "@socket.io/component-emitter": ~3.1.0
-    debug: ~4.3.1
-  checksum: 2582202f22538d7e6b4436991378cb4cea3b2f8219cda24923ae35afd291ab5ad6120e7d093e41738256b6c6ad10c667dd25753c2d9a2340fead04e9286f152d
-  languageName: node
-  linkType: hard
-
-"socket.io@npm:^4.1.2":
-  version: 4.5.2
-  resolution: "socket.io@npm:4.5.2"
-  dependencies:
-    accepts: ~1.3.4
-    base64id: ~2.0.0
-    debug: ~4.3.2
-    engine.io: ~6.2.0
-    socket.io-adapter: ~2.4.0
-    socket.io-parser: ~4.2.0
-  checksum: 8527dd78fa3cf483a2cf0f09f64c4591186931b6765e5d8456dd3022b8786407952e3b931a83a86513c9f56852442e12f3497c761a113113e32b0c867c5ad5a7
-  languageName: node
-  linkType: hard
-
-"socks-proxy-agent@npm:^7.0.0":
-  version: 7.0.0
-  resolution: "socks-proxy-agent@npm:7.0.0"
-  dependencies:
-    agent-base: ^6.0.2
-    debug: ^4.3.3
-    socks: ^2.6.2
-  checksum: 720554370154cbc979e2e9ce6a6ec6ced205d02757d8f5d93fe95adae454fc187a5cbfc6b022afab850a5ce9b4c7d73e0f98e381879cf45f66317a4895953846
-  languageName: node
-  linkType: hard
-
-"socks@npm:^2.6.2":
-  version: 2.7.1
-  resolution: "socks@npm:2.7.1"
-  dependencies:
-    ip: ^2.0.0
-    smart-buffer: ^4.2.0
-  checksum: 259d9e3e8e1c9809a7f5c32238c3d4d2a36b39b83851d0f573bfde5f21c4b1288417ce1af06af1452569cd1eb0841169afd4998f0e04ba04656f6b7f0e46d748
-  languageName: node
-  linkType: hard
-
-"sort-object-keys@npm:^1.1.3":
-  version: 1.1.3
-  resolution: "sort-object-keys@npm:1.1.3"
-  checksum: abea944d6722a1710a1aa6e4f9509da085d93d5fc0db23947cb411eedc7731f80022ce8fa68ed83a53dd2ac7441fcf72a3f38c09b3d9bbc4ff80546aa2e151ad
-  languageName: node
-  linkType: hard
-
-"sort-package-json@npm:^1.57.0":
-  version: 1.57.0
-  resolution: "sort-package-json@npm:1.57.0"
-  dependencies:
-    detect-indent: ^6.0.0
-    detect-newline: 3.1.0
-    git-hooks-list: 1.0.3
-    globby: 10.0.0
-    is-plain-obj: 2.1.0
-    sort-object-keys: ^1.1.3
-  bin:
-    sort-package-json: cli.js
-  checksum: 15758ba6b1033ae136863eabd4b8c8a28e79dd68b71327f6803c2ea740dc149dc9ad708b006d07ee9de56b6dc7cadb7c697801ad50c01348aa91022c6ff6e21d
-  languageName: node
-  linkType: hard
-
-"source-list-map@npm:^2.0.0":
-  version: 2.0.1
-  resolution: "source-list-map@npm:2.0.1"
-  checksum: 806efc6f75e7cd31e4815e7a3aaf75a45c704871ea4075cb2eb49882c6fca28998f44fc5ac91adb6de03b2882ee6fb02f951fdc85e6a22b338c32bfe19557938
-  languageName: node
-  linkType: hard
-
-"source-map-js@npm:>=0.6.2 <2.0.0, source-map-js@npm:^1.0.1, source-map-js@npm:^1.0.2":
-  version: 1.0.2
-  resolution: "source-map-js@npm:1.0.2"
-  checksum: c049a7fc4deb9a7e9b481ae3d424cc793cb4845daa690bc5a05d428bf41bf231ced49b4cf0c9e77f9d42fdb3d20d6187619fc586605f5eabe995a316da8d377c
-  languageName: node
-  linkType: hard
-
-"source-map-resolve@npm:^0.5.0":
-  version: 0.5.3
-  resolution: "source-map-resolve@npm:0.5.3"
-  dependencies:
-    atob: ^2.1.2
-    decode-uri-component: ^0.2.0
-    resolve-url: ^0.2.1
-    source-map-url: ^0.4.0
-    urix: ^0.1.0
-  checksum: c73fa44ac00783f025f6ad9e038ab1a2e007cd6a6b86f47fe717c3d0765b4a08d264f6966f3bd7cd9dbcd69e4832783d5472e43247775b2a550d6f2155d24bae
-  languageName: node
-  linkType: hard
-
-"source-map-support@npm:^0.4.15":
-  version: 0.4.18
-  resolution: "source-map-support@npm:0.4.18"
-  dependencies:
-    source-map: ^0.5.6
-  checksum: 669aa7e992fec586fac0ba9a8dea8ce81b7328f92806335f018ffac5709afb2920e3870b4e56c68164282607229f04b8bbcf5d0e5c845eb1b5119b092e7585c0
-  languageName: node
-  linkType: hard
-
-"source-map-support@npm:~0.5.12, source-map-support@npm:~0.5.19":
-  version: 0.5.19
-  resolution: "source-map-support@npm:0.5.19"
-  dependencies:
-    buffer-from: ^1.0.0
-    source-map: ^0.6.0
-  checksum: c72802fdba9cb62b92baef18cc14cc4047608b77f0353e6c36dd993444149a466a2845332c5540d4a6630957254f0f68f4ef5a0120c33d2e83974c51a05afbac
-  languageName: node
-  linkType: hard
-
-"source-map-support@npm:~0.5.20":
-  version: 0.5.21
-  resolution: "source-map-support@npm:0.5.21"
-  dependencies:
-    buffer-from: ^1.0.0
-    source-map: ^0.6.0
-  checksum: 43e98d700d79af1d36f859bdb7318e601dfc918c7ba2e98456118ebc4c4872b327773e5a1df09b0524e9e5063bb18f0934538eace60cca2710d1fa687645d137
-  languageName: node
-  linkType: hard
-
-"source-map-url@npm:^0.3.0":
-  version: 0.3.0
-  resolution: "source-map-url@npm:0.3.0"
-  checksum: 9ed12e3fd1b09cd6506c6197129c062e02451f474dcd7ef6419f20fe86ba969c74ba10c37fb4ea5e1f2265e62fde8d31946596d7971e3251a0c75fbf411c5f1b
-  languageName: node
-  linkType: hard
-
-"source-map-url@npm:^0.4.0":
-  version: 0.4.1
-  resolution: "source-map-url@npm:0.4.1"
-  checksum: 64c5c2c77aff815a6e61a4120c309ae4cac01298d9bcbb3deb1b46a4dd4c46d4a1eaeda79ec9f684766ae80e8dc86367b89326ce9dd2b89947bd9291fc1ac08c
-  languageName: node
-  linkType: hard
-
-"source-map@npm:0.4.x, source-map@npm:^0.4.2":
-  version: 0.4.4
-  resolution: "source-map@npm:0.4.4"
-  dependencies:
-    amdefine: ">=0.0.4"
-  checksum: b31992fcb4a2a6c335617f187bd36f392896dfcc111830ebdb8b716923cf6554b665833b975fc998bdf3a63881b2c8b4c5c34fda0280357b8c18fe6aa5d148ea
-  languageName: node
-  linkType: hard
-
-"source-map@npm:^0.5.0, source-map@npm:^0.5.3, source-map@npm:^0.5.6, source-map@npm:^0.5.7":
-  version: 0.5.7
-  resolution: "source-map@npm:0.5.7"
-  checksum: 5dc2043b93d2f194142c7f38f74a24670cd7a0063acdaf4bf01d2964b402257ae843c2a8fa822ad5b71013b5fcafa55af7421383da919752f22ff488bc553f4d
-  languageName: node
-  linkType: hard
-
-"source-map@npm:^0.6.0, source-map@npm:^0.6.1, source-map@npm:~0.6.1":
-  version: 0.6.1
-  resolution: "source-map@npm:0.6.1"
-  checksum: 59ce8640cf3f3124f64ac289012c2b8bd377c238e316fb323ea22fbfe83da07d81e000071d7242cad7a23cd91c7de98e4df8830ec3f133cb6133a5f6e9f67bc2
-  languageName: node
-  linkType: hard
-
-"source-map@npm:~0.1.x":
-  version: 0.1.43
-  resolution: "source-map@npm:0.1.43"
-  dependencies:
-    amdefine: ">=0.0.4"
-  checksum: 0a230f8cae8a8ea70bd36701c33d01fb0c437b798508a561c896a99b42f5af81a206176a250fc654c7c57a736b8081c4b4a6c9887455f7d2724f847451f1d7d9
-  languageName: node
-  linkType: hard
-
-"source-map@npm:~0.7.2":
-  version: 0.7.3
-  resolution: "source-map@npm:0.7.3"
-  checksum: cd24efb3b8fa69b64bf28e3c1b1a500de77e84260c5b7f2b873f88284df17974157cc88d386ee9b6d081f08fdd8242f3fc05c953685a6ad81aad94c7393dedea
-  languageName: node
-  linkType: hard
-
-"sourcemap-codec@npm:^1.4.1, sourcemap-codec@npm:^1.4.4":
-  version: 1.4.8
-  resolution: "sourcemap-codec@npm:1.4.8"
-  checksum: b57981c05611afef31605732b598ccf65124a9fcb03b833532659ac4d29ac0f7bfacbc0d6c5a28a03e84c7510e7e556d758d0bb57786e214660016fb94279316
-  languageName: node
-  linkType: hard
-
-"sourcemap-validator@npm:^1.1.0":
-  version: 1.1.1
-  resolution: "sourcemap-validator@npm:1.1.1"
-  dependencies:
-    jsesc: ~0.3.x
-    lodash.foreach: ^4.5.0
-    lodash.template: ^4.5.0
-    source-map: ~0.1.x
-  checksum: 51b704c08d6899dcb3abbf42cdcf39ccc2199a4c1be201935dd366f15ee8c2e43f684b1eef3c84e08f209280616943fd17feef2542873ca37471205288f13467
-  languageName: node
-  linkType: hard
-
-"spawn-args@npm:^0.2.0":
-  version: 0.2.0
-  resolution: "spawn-args@npm:0.2.0"
-  checksum: bfae0a52166bf4b0b18388220532aa48c436413e970f8c404ca249e541ad63b5e5371f54f1db9b0fd57517ea333a1356d71209783a7686f08c883338e75ae0ac
-  languageName: node
-  linkType: hard
-
-"spdx-correct@npm:^3.0.0":
-  version: 3.1.1
-  resolution: "spdx-correct@npm:3.1.1"
-  dependencies:
-    spdx-expression-parse: ^3.0.0
-    spdx-license-ids: ^3.0.0
-  checksum: 77ce438344a34f9930feffa61be0eddcda5b55fc592906ef75621d4b52c07400a97084d8701557b13f7d2aae0cb64f808431f469e566ef3fe0a3a131dcb775a6
-  languageName: node
-  linkType: hard
-
-"spdx-exceptions@npm:^2.1.0":
-  version: 2.3.0
-  resolution: "spdx-exceptions@npm:2.3.0"
-  checksum: cb69a26fa3b46305637123cd37c85f75610e8c477b6476fa7354eb67c08128d159f1d36715f19be6f9daf4b680337deb8c65acdcae7f2608ba51931540687ac0
-  languageName: node
-  linkType: hard
-
-"spdx-expression-parse@npm:^3.0.0":
-  version: 3.0.1
-  resolution: "spdx-expression-parse@npm:3.0.1"
-  dependencies:
-    spdx-exceptions: ^2.1.0
-    spdx-license-ids: ^3.0.0
-  checksum: a1c6e104a2cbada7a593eaa9f430bd5e148ef5290d4c0409899855ce8b1c39652bcc88a725259491a82601159d6dc790bedefc9016c7472f7de8de7361f8ccde
-  languageName: node
-  linkType: hard
-
-"spdx-license-ids@npm:^3.0.0":
-  version: 3.0.7
-  resolution: "spdx-license-ids@npm:3.0.7"
-  checksum: b52a88aebc19b4c69049349939e1948014c4d10f52a11870431fc1cc6551de411d19e4570f5f1df2d8b7089bec921df9017a3d5199ae2468b2b432171945278e
-  languageName: node
-  linkType: hard
-
-"split-string@npm:^3.0.1, split-string@npm:^3.0.2":
-  version: 3.1.0
-  resolution: "split-string@npm:3.1.0"
-  dependencies:
-    extend-shallow: ^3.0.0
-  checksum: ae5af5c91bdc3633628821bde92fdf9492fa0e8a63cf6a0376ed6afde93c701422a1610916f59be61972717070119e848d10dfbbd5024b7729d6a71972d2a84c
-  languageName: node
-  linkType: hard
-
-"sprintf-js@npm:^1.0.3":
-  version: 1.1.2
-  resolution: "sprintf-js@npm:1.1.2"
-  checksum: d4bb46464632b335e5faed381bd331157e0af64915a98ede833452663bc672823db49d7531c32d58798e85236581fb7342fd0270531ffc8f914e186187bf1c90
-  languageName: node
-  linkType: hard
-
-"sprintf-js@npm:~1.0.2":
-  version: 1.0.3
-  resolution: "sprintf-js@npm:1.0.3"
-  checksum: 19d79aec211f09b99ec3099b5b2ae2f6e9cdefe50bc91ac4c69144b6d3928a640bb6ae5b3def70c2e85a2c3d9f5ec2719921e3a59d3ca3ef4b2fd1a4656a0df3
-  languageName: node
-  linkType: hard
-
-"sri-toolbox@npm:^0.2.0":
-  version: 0.2.0
-  resolution: "sri-toolbox@npm:0.2.0"
-  checksum: 945af49e38f8481e28d02e71e9c23ac1eea008da4328f9c98610cb44eeed83c74e4fa64de7f7264b1385dccb8acabc25ac0a9bb6dbe67ef6261cf18f9e308d01
-  languageName: node
-  linkType: hard
-
-"sshpk@npm:^1.7.0":
-  version: 1.16.1
-  resolution: "sshpk@npm:1.16.1"
-  dependencies:
-    asn1: ~0.2.3
-    assert-plus: ^1.0.0
-    bcrypt-pbkdf: ^1.0.0
-    dashdash: ^1.12.0
-    ecc-jsbn: ~0.1.1
-    getpass: ^0.1.1
-    jsbn: ~0.1.0
-    safer-buffer: ^2.0.2
-    tweetnacl: ~0.14.0
-  bin:
-    sshpk-conv: bin/sshpk-conv
-    sshpk-sign: bin/sshpk-sign
-    sshpk-verify: bin/sshpk-verify
-  checksum: 5e76afd1cedc780256f688b7c09327a8a650902d18e284dfeac97489a735299b03c3e72c6e8d22af03dbbe4d6f123fdfd5f3c4ed6bedbec72b9529a55051b857
-  languageName: node
-  linkType: hard
-
-"ssri@npm:^6.0.1":
-  version: 6.0.2
-  resolution: "ssri@npm:6.0.2"
-  dependencies:
-    figgy-pudding: ^3.5.1
-  checksum: 7c2e5d442f6252559c8987b7114bcf389fe5614bf65de09ba3e6f9a57b9b65b2967de348fcc3acccff9c069adb168140dd2c5fc2f6f4a779e604a27ef1f7d551
-  languageName: node
-  linkType: hard
-
-"ssri@npm:^9.0.0":
-  version: 9.0.1
-  resolution: "ssri@npm:9.0.1"
-  dependencies:
-    minipass: ^3.1.1
-  checksum: fb58f5e46b6923ae67b87ad5ef1c5ab6d427a17db0bead84570c2df3cd50b4ceb880ebdba2d60726588272890bae842a744e1ecce5bd2a2a582fccd5068309eb
-  languageName: node
-  linkType: hard
-
-"stable@npm:^0.1.8":
-  version: 0.1.8
-  resolution: "stable@npm:0.1.8"
-  checksum: 2ff482bb100285d16dd75cd8f7c60ab652570e8952c0bfa91828a2b5f646a0ff533f14596ea4eabd48bb7f4aeea408dce8f8515812b975d958a4cc4fa6b9dfeb
-  languageName: node
-  linkType: hard
-
-"stagehand@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "stagehand@npm:1.0.0"
-  dependencies:
-    debug: ^4.1.0
-  checksum: 262ca2bfff9e505588a7595a24792814d9df27e54f8703aa5f2aa451df7f499b23a6860d42d9cd7462e37f45421365d430680705edca1ffe04d1cce481ed782a
-  languageName: node
-  linkType: hard
-
-"static-extend@npm:^0.1.1":
-  version: 0.1.2
-  resolution: "static-extend@npm:0.1.2"
-  dependencies:
-    define-property: ^0.2.5
-    object-copy: ^0.1.0
-  checksum: 8657485b831f79e388a437260baf22784540417a9b29e11572c87735df24c22b84eda42107403a64b30861b2faf13df9f7fc5525d51f9d1d2303aba5cbf4e12c
-  languageName: node
-  linkType: hard
-
-"statuses@npm:2.0.1":
-  version: 2.0.1
-  resolution: "statuses@npm:2.0.1"
-  checksum: 18c7623fdb8f646fb213ca4051be4df7efb3484d4ab662937ca6fbef7ced9b9e12842709872eb3020cc3504b93bde88935c9f6417489627a7786f24f8031cbcb
-  languageName: node
-  linkType: hard
-
-"statuses@npm:>= 1.4.0 < 2, statuses@npm:>= 1.5.0 < 2, statuses@npm:~1.5.0":
-  version: 1.5.0
-  resolution: "statuses@npm:1.5.0"
-  checksum: c469b9519de16a4bb19600205cffb39ee471a5f17b82589757ca7bd40a8d92ebb6ed9f98b5a540c5d302ccbc78f15dc03cc0280dd6e00df1335568a5d5758a5c
-  languageName: node
-  linkType: hard
-
-"stealthy-require@npm:^1.1.1":
-  version: 1.1.1
-  resolution: "stealthy-require@npm:1.1.1"
-  checksum: 6805b857a9f3a6a1079fc6652278038b81011f2a5b22cbd559f71a6c02087e6f1df941eb10163e3fdc5391ab5807aa46758d4258547c1f5ede31e6d9bfda8dd3
-  languageName: node
-  linkType: hard
-
-"stop-iteration-iterator@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "stop-iteration-iterator@npm:1.0.0"
-  dependencies:
-    internal-slot: ^1.0.4
-  checksum: d04173690b2efa40e24ab70e5e51a3ff31d56d699550cfad084104ab3381390daccb36652b25755e420245f3b0737de66c1879eaa2a8d4fc0a78f9bf892fcb42
-  languageName: node
-  linkType: hard
-
-"stream-browserify@npm:^2.0.1":
-  version: 2.0.2
-  resolution: "stream-browserify@npm:2.0.2"
-  dependencies:
-    inherits: ~2.0.1
-    readable-stream: ^2.0.2
-  checksum: 8de7bcab5582e9a931ae1a4768be7efe8fa4b0b95fd368d16d8cf3e494b897d6b0a7238626de5d71686e53bddf417fd59d106cfa3af0ec055f61a8d1f8fc77b3
-  languageName: node
-  linkType: hard
-
-"stream-each@npm:^1.1.0":
-  version: 1.2.3
-  resolution: "stream-each@npm:1.2.3"
-  dependencies:
-    end-of-stream: ^1.1.0
-    stream-shift: ^1.0.0
-  checksum: f243de78e9fcc60757994efc4e8ecae9f01a4b2c6a505d786b11fcaa68b1a75ca54afc1669eac9e08f19ff0230792fc40d0f3e3e2935d76971b4903af18b76ab
-  languageName: node
-  linkType: hard
-
-"stream-http@npm:^2.7.2":
-  version: 2.8.3
-  resolution: "stream-http@npm:2.8.3"
-  dependencies:
-    builtin-status-codes: ^3.0.0
-    inherits: ^2.0.1
-    readable-stream: ^2.3.6
-    to-arraybuffer: ^1.0.0
-    xtend: ^4.0.0
-  checksum: f57dfaa21a015f72e6ce6b199cf1762074cfe8acf0047bba8f005593754f1743ad0a91788f95308d9f3829ad55742399ad27b4624432f2752a08e62ef4346e05
-  languageName: node
-  linkType: hard
-
-"stream-shift@npm:^1.0.0":
-  version: 1.0.1
-  resolution: "stream-shift@npm:1.0.1"
-  checksum: 59b82b44b29ec3699b5519a49b3cedcc6db58c72fb40c04e005525dfdcab1c75c4e0c180b923c380f204bed78211b9bad8faecc7b93dece4d004c3f6ec75737b
-  languageName: node
-  linkType: hard
-
-"string-argv@npm:0.3.1":
-  version: 0.3.1
-  resolution: "string-argv@npm:0.3.1"
-  checksum: efbd0289b599bee808ce80820dfe49c9635610715429c6b7cc50750f0437e3c2f697c81e5c390208c13b5d5d12d904a1546172a88579f6ee5cbaaaa4dc9ec5cf
-  languageName: node
-  linkType: hard
-
-"string-template@npm:~0.2.1":
-  version: 0.2.1
-  resolution: "string-template@npm:0.2.1"
-  checksum: 042cdcf4d4832378f12fbf45b42f479990f330cc409e6dc184838801efbc8352ccf9428fe169f8f8cfff2b864879d4ba1ef8b5f41d63d1d71844c48005a1683f
-  languageName: node
-  linkType: hard
-
-"string-width@npm:^1.0.2 || 2 || 3 || 4, string-width@npm:^4.2.3":
-  version: 4.2.3
-  resolution: "string-width@npm:4.2.3"
-  dependencies:
-    emoji-regex: ^8.0.0
-    is-fullwidth-code-point: ^3.0.0
-    strip-ansi: ^6.0.1
-  checksum: e52c10dc3fbfcd6c3a15f159f54a90024241d0f149cf8aed2982a2d801d2e64df0bf1dc351cf8e95c3319323f9f220c16e740b06faecd53e2462df1d2b5443fb
-  languageName: node
-  linkType: hard
-
-"string-width@npm:^2.1.0":
-  version: 2.1.1
-  resolution: "string-width@npm:2.1.1"
-  dependencies:
-    is-fullwidth-code-point: ^2.0.0
-    strip-ansi: ^4.0.0
-  checksum: d6173abe088c615c8dffaf3861dc5d5906ed3dc2d6fd67ff2bd2e2b5dce7fd683c5240699cf0b1b8aa679a3b3bd6b28b5053c824cb89b813d7f6541d8f89064a
-  languageName: node
-  linkType: hard
-
-"string-width@npm:^3.0.0, string-width@npm:^3.1.0":
-  version: 3.1.0
-  resolution: "string-width@npm:3.1.0"
-  dependencies:
-    emoji-regex: ^7.0.1
-    is-fullwidth-code-point: ^2.0.0
-    strip-ansi: ^5.1.0
-  checksum: 57f7ca73d201682816d573dc68bd4bb8e1dff8dc9fcf10470fdfc3474135c97175fec12ea6a159e67339b41e86963112355b64529489af6e7e70f94a7caf08b2
-  languageName: node
-  linkType: hard
-
-"string-width@npm:^4.1.0, string-width@npm:^4.2.0":
-  version: 4.2.2
-  resolution: "string-width@npm:4.2.2"
-  dependencies:
-    emoji-regex: ^8.0.0
-    is-fullwidth-code-point: ^3.0.0
-    strip-ansi: ^6.0.0
-  checksum: 343e089b0e66e0f72aab4ad1d9b6f2c9cc5255844b0c83fd9b53f2a3b3fd0421bdd6cb05be96a73117eb012db0887a6c1d64ca95aaa50c518e48980483fea0ab
-  languageName: node
-  linkType: hard
-
-"string.prototype.endswith@npm:^0.2.0":
-  version: 0.2.0
-  resolution: "string.prototype.endswith@npm:0.2.0"
-  checksum: ee0d1619878a7525a6613da16b3a1d7f6d84a8d4414f78a8a1d24aef9789d4bd774d9e93eeb922a78e7f67d804e60f4cba314beb8f55327bff6e83ba39b91f24
-  languageName: node
-  linkType: hard
-
-"string.prototype.matchall@npm:^4.0.5":
-  version: 4.0.6
-  resolution: "string.prototype.matchall@npm:4.0.6"
-  dependencies:
-    call-bind: ^1.0.2
-    define-properties: ^1.1.3
-    es-abstract: ^1.19.1
-    get-intrinsic: ^1.1.1
-    has-symbols: ^1.0.2
-    internal-slot: ^1.0.3
-    regexp.prototype.flags: ^1.3.1
-    side-channel: ^1.0.4
-  checksum: 07aca53ddd8a096a8bd0560eb8574386c6b3887a6a06b40a98abd42c94dadeed3296261fca22fec59a1ed970d199bdeb450fcb6a7390193588d9c6b5f48fe842
-  languageName: node
-  linkType: hard
-
-"string.prototype.matchall@npm:^4.0.6":
-  version: 4.0.8
-  resolution: "string.prototype.matchall@npm:4.0.8"
-  dependencies:
-    call-bind: ^1.0.2
-    define-properties: ^1.1.4
-    es-abstract: ^1.20.4
-    get-intrinsic: ^1.1.3
-    has-symbols: ^1.0.3
-    internal-slot: ^1.0.3
-    regexp.prototype.flags: ^1.4.3
-    side-channel: ^1.0.4
-  checksum: 952da3a818de42ad1c10b576140a5e05b4de7b34b8d9dbf00c3ac8c1293e9c0f533613a39c5cda53e0a8221f2e710bc2150e730b1c2278d60004a8a35726efb6
-  languageName: node
-  linkType: hard
-
-"string.prototype.padend@npm:^3.0.0":
-  version: 3.1.4
-  resolution: "string.prototype.padend@npm:3.1.4"
-  dependencies:
-    call-bind: ^1.0.2
-    define-properties: ^1.1.4
-    es-abstract: ^1.20.4
-  checksum: 76e07238fe31dc12177428f0436b7ed6985f6a7ba97470fd53e4f0a6d9860bfee127d81957f3073cc879b434233df143825d140581e1340278053ad993c92f6c
-  languageName: node
-  linkType: hard
-
-"string.prototype.startswith@npm:^0.2.0":
-  version: 0.2.0
-  resolution: "string.prototype.startswith@npm:0.2.0"
-  checksum: b4224e2454c276baf0609c76f5db0ee6355a89a649041df9a2e49b4cdf4b424dbebbe2c070a3b5f6f00594f8f8fa98415799c7211e873e13f6ee007daae73516
-  languageName: node
-  linkType: hard
-
-"string.prototype.trim@npm:^1.2.7":
-  version: 1.2.7
-  resolution: "string.prototype.trim@npm:1.2.7"
-  dependencies:
-    call-bind: ^1.0.2
-    define-properties: ^1.1.4
-    es-abstract: ^1.20.4
-  checksum: 05b7b2d6af63648e70e44c4a8d10d8cc457536df78b55b9d6230918bde75c5987f6b8604438c4c8652eb55e4fc9725d2912789eb4ec457d6995f3495af190c09
-  languageName: node
-  linkType: hard
-
-"string.prototype.trimend@npm:^1.0.4":
-  version: 1.0.4
-  resolution: "string.prototype.trimend@npm:1.0.4"
-  dependencies:
-    call-bind: ^1.0.2
-    define-properties: ^1.1.3
-  checksum: 17e5aa45c3983f582693161f972c1c1fa4bbbdf22e70e582b00c91b6575f01680dc34e83005b98e31abe4d5d29e0b21fcc24690239c106c7b2315aade6a898ac
-  languageName: node
-  linkType: hard
-
-"string.prototype.trimend@npm:^1.0.6":
-  version: 1.0.6
-  resolution: "string.prototype.trimend@npm:1.0.6"
-  dependencies:
-    call-bind: ^1.0.2
-    define-properties: ^1.1.4
-    es-abstract: ^1.20.4
-  checksum: 0fdc34645a639bd35179b5a08227a353b88dc089adf438f46be8a7c197fc3f22f8514c1c9be4629b3cd29c281582730a8cbbad6466c60f76b5f99cf2addb132e
-  languageName: node
-  linkType: hard
-
-"string.prototype.trimstart@npm:^1.0.4":
-  version: 1.0.4
-  resolution: "string.prototype.trimstart@npm:1.0.4"
-  dependencies:
-    call-bind: ^1.0.2
-    define-properties: ^1.1.3
-  checksum: 3fb06818d3cccac5fa3f5f9873d984794ca0e9f6616fae6fcc745885d9efed4e17fe15f832515d9af5e16c279857fdbffdfc489ca4ed577811b017721b30302f
-  languageName: node
-  linkType: hard
-
-"string.prototype.trimstart@npm:^1.0.6":
-  version: 1.0.6
-  resolution: "string.prototype.trimstart@npm:1.0.6"
-  dependencies:
-    call-bind: ^1.0.2
-    define-properties: ^1.1.4
-    es-abstract: ^1.20.4
-  checksum: 89080feef416621e6ef1279588994305477a7a91648d9436490d56010a1f7adc39167cddac7ce0b9884b8cdbef086987c4dcb2960209f2af8bac0d23ceff4f41
-  languageName: node
-  linkType: hard
-
-"string_decoder@npm:0.10, string_decoder@npm:~0.10.x":
-  version: 0.10.31
-  resolution: "string_decoder@npm:0.10.31"
-  checksum: fe00f8e303647e5db919948ccb5ce0da7dea209ab54702894dd0c664edd98e5d4df4b80d6fabf7b9e92b237359d21136c95bf068b2f7760b772ca974ba970202
-  languageName: node
-  linkType: hard
-
-"string_decoder@npm:^1.0.0, string_decoder@npm:^1.1.1":
-  version: 1.3.0
-  resolution: "string_decoder@npm:1.3.0"
-  dependencies:
-    safe-buffer: ~5.2.0
-  checksum: 8417646695a66e73aefc4420eb3b84cc9ffd89572861fe004e6aeb13c7bc00e2f616247505d2dbbef24247c372f70268f594af7126f43548565c68c117bdeb56
-  languageName: node
-  linkType: hard
-
-"string_decoder@npm:~1.1.1":
-  version: 1.1.1
-  resolution: "string_decoder@npm:1.1.1"
-  dependencies:
-    safe-buffer: ~5.1.0
-  checksum: 9ab7e56f9d60a28f2be697419917c50cac19f3e8e6c28ef26ed5f4852289fe0de5d6997d29becf59028556f2c62983790c1d9ba1e2a3cc401768ca12d5183a5b
-  languageName: node
-  linkType: hard
-
-"stringify-object@npm:^3.3.0":
-  version: 3.3.0
-  resolution: "stringify-object@npm:3.3.0"
-  dependencies:
-    get-own-enumerable-property-symbols: ^3.0.0
-    is-obj: ^1.0.1
-    is-regexp: ^1.0.0
-  checksum: 6827a3f35975cfa8572e8cd3ed4f7b262def260af18655c6fde549334acdac49ddba69f3c861ea5a6e9c5a4990fe4ae870b9c0e6c31019430504c94a83b7a154
-  languageName: node
-  linkType: hard
-
-"strip-ansi@npm:^3.0.0":
-  version: 3.0.1
-  resolution: "strip-ansi@npm:3.0.1"
-  dependencies:
-    ansi-regex: ^2.0.0
-  checksum: 9b974de611ce5075c70629c00fa98c46144043db92ae17748fb780f706f7a789e9989fd10597b7c2053ae8d1513fd707816a91f1879b2f71e6ac0b6a863db465
-  languageName: node
-  linkType: hard
-
-"strip-ansi@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "strip-ansi@npm:4.0.0"
-  dependencies:
-    ansi-regex: ^3.0.0
-  checksum: d9186e6c0cf78f25274f6750ee5e4a5725fb91b70fdd79aa5fe648eab092a0ec5b9621b22d69d4534a56319f75d8944efbd84e3afa8d4ad1b9a9491f12c84eca
-  languageName: node
-  linkType: hard
-
-"strip-ansi@npm:^5.0.0, strip-ansi@npm:^5.1.0, strip-ansi@npm:^5.2.0":
-  version: 5.2.0
-  resolution: "strip-ansi@npm:5.2.0"
-  dependencies:
-    ansi-regex: ^4.1.0
-  checksum: bdb5f76ade97062bd88e7723aa019adbfacdcba42223b19ccb528ffb9fb0b89a5be442c663c4a3fb25268eaa3f6ea19c7c3fbae830bd1562d55adccae1fcec46
-  languageName: node
-  linkType: hard
-
-"strip-ansi@npm:^6.0.0":
-  version: 6.0.0
-  resolution: "strip-ansi@npm:6.0.0"
-  dependencies:
-    ansi-regex: ^5.0.0
-  checksum: 04c3239ede44c4d195b0e66c0ad58b932f08bec7d05290416d361ff908ad282ecdaf5d9731e322c84f151d427436bde01f05b7422c3ec26dd927586736b0e5d0
-  languageName: node
-  linkType: hard
-
-"strip-ansi@npm:^6.0.1":
-  version: 6.0.1
-  resolution: "strip-ansi@npm:6.0.1"
-  dependencies:
-    ansi-regex: ^5.0.1
-  checksum: f3cd25890aef3ba6e1a74e20896c21a46f482e93df4a06567cebf2b57edabb15133f1f94e57434e0a958d61186087b1008e89c94875d019910a213181a14fc8c
-  languageName: node
-  linkType: hard
-
-"strip-ansi@npm:~0.1.0":
-  version: 0.1.1
-  resolution: "strip-ansi@npm:0.1.1"
-  bin:
-    strip-ansi: cli.js
-  checksum: 31f1d4d3b86e6d968aa568bf47d712626dd748aff7d576a98ba2ed378dd60dfb1475898254b62479779231e50a38f0b7ea0b66d3b22d14cde38b769c1c747d33
-  languageName: node
-  linkType: hard
-
-"strip-bom@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "strip-bom@npm:3.0.0"
-  checksum: 8d50ff27b7ebe5ecc78f1fe1e00fcdff7af014e73cf724b46fb81ef889eeb1015fc5184b64e81a2efe002180f3ba431bdd77e300da5c6685d702780fbf0c8d5b
-  languageName: node
-  linkType: hard
-
-"strip-bom@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "strip-bom@npm:4.0.0"
-  checksum: 9dbcfbaf503c57c06af15fe2c8176fb1bf3af5ff65003851a102749f875a6dbe0ab3b30115eccf6e805e9d756830d3e40ec508b62b3f1ddf3761a20ebe29d3f3
-  languageName: node
-  linkType: hard
-
-"strip-eof@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "strip-eof@npm:1.0.0"
-  checksum: 40bc8ddd7e072f8ba0c2d6d05267b4e0a4800898c3435b5fb5f5a21e6e47dfaff18467e7aa0d1844bb5d6274c3097246595841fbfeb317e541974ee992cac506
-  languageName: node
-  linkType: hard
-
-"strip-final-newline@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "strip-final-newline@npm:2.0.0"
-  checksum: 69412b5e25731e1938184b5d489c32e340605bb611d6140344abc3421b7f3c6f9984b21dff296dfcf056681b82caa3bb4cc996a965ce37bcfad663e92eae9c64
-  languageName: node
-  linkType: hard
-
-"strip-indent@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "strip-indent@npm:4.0.0"
-  dependencies:
-    min-indent: ^1.0.1
-  checksum: 06cbcd93da721c46bc13caeb1c00af93a9b18146a1c95927672d2decab6a25ad83662772417cea9317a2507fb143253ecc23c4415b64f5828cef9b638a744598
-  languageName: node
-  linkType: hard
-
-"strip-json-comments@npm:^3.1.0, strip-json-comments@npm:^3.1.1":
-  version: 3.1.1
-  resolution: "strip-json-comments@npm:3.1.1"
-  checksum: 492f73e27268f9b1c122733f28ecb0e7e8d8a531a6662efbd08e22cccb3f9475e90a1b82cab06a392f6afae6d2de636f977e231296400d0ec5304ba70f166443
-  languageName: node
-  linkType: hard
-
-"style-loader@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "style-loader@npm:2.0.0"
-  dependencies:
-    loader-utils: ^2.0.0
-    schema-utils: ^3.0.0
-  peerDependencies:
-    webpack: ^4.0.0 || ^5.0.0
-  checksum: 21425246a5a8f14d1625a657a3a56f8a323193fa341a71af818a2ed2a429efa2385a328b4381cf2f12c2d0e6380801eb9e0427ed9c3a10ff95c86e383184d632
-  languageName: node
-  linkType: hard
-
-"style-search@npm:^0.1.0":
-  version: 0.1.0
-  resolution: "style-search@npm:0.1.0"
-  checksum: 3cfefe335033aad6d47da0725cb48f5db91a73935954c77eab77d9e415e6668cdb406da4a4f7ef9f1aca77853cf5ba7952c45e869caa5bd6439691d88098d468
-  languageName: node
-  linkType: hard
-
-"styled_string@npm:0.0.1":
-  version: 0.0.1
-  resolution: "styled_string@npm:0.0.1"
-  checksum: cc01e28ec5b7559e66cfb88b2a712beb3af91dc932df2bbe09e32d9bd5ae915bfe9dc1c1d3f5f9fcfe80acbe1ec2d741fa300a1a9032859c0f20856f5ef0e32a
-  languageName: node
-  linkType: hard
-
-"stylelint-config-recommended@npm:^11.0.0":
-  version: 11.0.0
-  resolution: "stylelint-config-recommended@npm:11.0.0"
-  peerDependencies:
-    stylelint: ^15.3.0
-  checksum: f6bed5995235d61a2b4bcae086fab925df3b824c77ef585f9f0f9b891b1409c0aa8ae49e8f53d6a2f851be8f7928a7d95e2b17ee876f248ce88f718a3892bf6f
-  languageName: node
-  linkType: hard
-
-"stylelint-config-standard@npm:^32.0.0":
-  version: 32.0.0
-  resolution: "stylelint-config-standard@npm:32.0.0"
-  dependencies:
-    stylelint-config-recommended: ^11.0.0
-  peerDependencies:
-    stylelint: ^15.4.0
-  checksum: 05f7481f93e0fd3d2e69ba6ef3b3b8347c2340fcc6732e3f4289cc1067ae74e87f6474b4385b8936a0ff062cc3dd08c5cc50e27d96994c6176a69d055a75537a
-  languageName: node
-  linkType: hard
-
-"stylelint-prettier@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "stylelint-prettier@npm:3.0.0"
-  dependencies:
-    prettier-linter-helpers: ^1.0.0
-  peerDependencies:
-    prettier: ">=2.0.0"
-    stylelint: ">=14.0.0"
-  checksum: 094f53ef5dbe3806524db7f580b9312ceca444651803fc08c8baa48cd9a270985c709fa4f083681a685310dc347b8e55aa93d462554ba7d4ae6258a3bdf6a278
-  languageName: node
-  linkType: hard
-
-"stylelint@npm:^15.4.0":
-  version: 15.10.1
-  resolution: "stylelint@npm:15.10.1"
-  dependencies:
-    "@csstools/css-parser-algorithms": ^2.3.0
-    "@csstools/css-tokenizer": ^2.1.1
-    "@csstools/media-query-list-parser": ^2.1.2
-    "@csstools/selector-specificity": ^3.0.0
-    balanced-match: ^2.0.0
-    colord: ^2.9.3
-    cosmiconfig: ^8.2.0
-    css-functions-list: ^3.1.0
-    css-tree: ^2.3.1
-    debug: ^4.3.4
-    fast-glob: ^3.3.0
-    fastest-levenshtein: ^1.0.16
-    file-entry-cache: ^6.0.1
-    global-modules: ^2.0.0
-    globby: ^11.1.0
-    globjoin: ^0.1.4
-    html-tags: ^3.3.1
-    ignore: ^5.2.4
-    import-lazy: ^4.0.0
-    imurmurhash: ^0.1.4
-    is-plain-object: ^5.0.0
-    known-css-properties: ^0.27.0
-    mathml-tag-names: ^2.1.3
-    meow: ^10.1.5
-    micromatch: ^4.0.5
-    normalize-path: ^3.0.0
-    picocolors: ^1.0.0
-    postcss: ^8.4.24
-    postcss-resolve-nested-selector: ^0.1.1
-    postcss-safe-parser: ^6.0.0
-    postcss-selector-parser: ^6.0.13
-    postcss-value-parser: ^4.2.0
-    resolve-from: ^5.0.0
-    string-width: ^4.2.3
-    strip-ansi: ^6.0.1
-    style-search: ^0.1.0
-    supports-hyperlinks: ^3.0.0
-    svg-tags: ^1.0.0
-    table: ^6.8.1
-    write-file-atomic: ^5.0.1
-  bin:
-    stylelint: bin/stylelint.mjs
-  checksum: 8eeae81fe4ed2dfc580d7c401806dbb058c14631abfafd0821db32f1e649aee62e3d39dda3462c6122826df91bd9799409be926e91b55b007622f51e44eb94c1
-  languageName: node
-  linkType: hard
-
-"sum-up@npm:^1.0.1":
-  version: 1.0.3
-  resolution: "sum-up@npm:1.0.3"
-  dependencies:
-    chalk: ^1.0.0
-  checksum: bd08f404c83464f4e7a880340e84ad4aeb271a1b0a5ee8d084dd511988f96f7e321fb64442c7ca21249990c7562476f929ec8bd1cf6f4514ca25e6aae5281ee6
-  languageName: node
-  linkType: hard
-
-"supports-color@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "supports-color@npm:2.0.0"
-  checksum: 602538c5812b9006404370b5a4b885d3e2a1f6567d314f8b4a41974ffe7d08e525bf92ae0f9c7030e3b4c78e4e34ace55d6a67a74f1571bc205959f5972f88f0
-  languageName: node
-  linkType: hard
-
-"supports-color@npm:^5.3.0, supports-color@npm:^5.4.0, supports-color@npm:^5.5.0":
-  version: 5.5.0
-  resolution: "supports-color@npm:5.5.0"
-  dependencies:
-    has-flag: ^3.0.0
-  checksum: 95f6f4ba5afdf92f495b5a912d4abee8dcba766ae719b975c56c084f5004845f6f5a5f7769f52d53f40e21952a6d87411bafe34af4a01e65f9926002e38e1dac
-  languageName: node
-  linkType: hard
-
-"supports-color@npm:^7.0.0, supports-color@npm:^7.1.0":
-  version: 7.2.0
-  resolution: "supports-color@npm:7.2.0"
-  dependencies:
-    has-flag: ^4.0.0
-  checksum: 3dda818de06ebbe5b9653e07842d9479f3555ebc77e9a0280caf5a14fb877ffee9ed57007c3b78f5a6324b8dbeec648d9e97a24e2ed9fdb81ddc69ea07100f4a
-  languageName: node
-  linkType: hard
-
-"supports-color@npm:^8.0.0":
-  version: 8.1.1
-  resolution: "supports-color@npm:8.1.1"
-  dependencies:
-    has-flag: ^4.0.0
-  checksum: c052193a7e43c6cdc741eb7f378df605636e01ad434badf7324f17fb60c69a880d8d8fcdcb562cf94c2350e57b937d7425ab5b8326c67c2adc48f7c87c1db406
-  languageName: node
-  linkType: hard
-
-"supports-hyperlinks@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "supports-hyperlinks@npm:3.0.0"
-  dependencies:
-    has-flag: ^4.0.0
-    supports-color: ^7.0.0
-  checksum: 41021305de5255b10d821bf93c7a781f783e1693d0faec293d7fc7ccf17011b90bde84b0295fa92ba75c6c390351fe84fdd18848cad4bf656e464a958243c3e7
-  languageName: node
-  linkType: hard
-
-"supports-preserve-symlinks-flag@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "supports-preserve-symlinks-flag@npm:1.0.0"
-  checksum: 53b1e247e68e05db7b3808b99b892bd36fb096e6fba213a06da7fab22045e97597db425c724f2bbd6c99a3c295e1e73f3e4de78592289f38431049e1277ca0ae
-  languageName: node
-  linkType: hard
-
-"svg-tags@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "svg-tags@npm:1.0.0"
-  checksum: 407e5ef87cfa2fb81c61d738081c2decd022ce13b922d035b214b49810630bf5d1409255a4beb3a940b77b32f6957806deff16f1bf0ce1ab11c7a184115a0b7f
-  languageName: node
-  linkType: hard
-
-"svgo@npm:1.3.0":
-  version: 1.3.0
-  resolution: "svgo@npm:1.3.0"
-  dependencies:
-    chalk: ^2.4.1
-    coa: ^2.0.2
-    css-select: ^2.0.0
-    css-select-base-adapter: ^0.1.1
-    css-tree: 1.0.0-alpha.33
-    csso: ^3.5.1
-    js-yaml: ^3.13.1
-    mkdirp: ~0.5.1
-    object.values: ^1.1.0
-    sax: ~1.2.4
-    stable: ^0.1.8
-    unquote: ~1.1.1
-    util.promisify: ~1.0.0
-  bin:
-    svgo: ./bin/svgo
-  checksum: 813880c96af74a90d5f52c477c71b5dda62b2a215807eab05757d6a0e0886d4e3fda564241d985d856dba225dad0b5d7409208e681fccfaa48ac90c53441238e
-  languageName: node
-  linkType: hard
-
-"swagger-ui-dist@npm:^5.9.0":
-  version: 5.9.0
-  resolution: "swagger-ui-dist@npm:5.9.0"
-  checksum: 722f5d81adf0c0a940559952f48f7cd20a3f2a53aee8771c896eee8e3bed6f78c2f231960a7c30a4dca390d1205c0b2909d84062978013bb60febc478b9fc3d9
-  languageName: node
-  linkType: hard
-
-"symbol-tree@npm:^3.2.4":
-  version: 3.2.4
-  resolution: "symbol-tree@npm:3.2.4"
-  checksum: 6e8fc7e1486b8b54bea91199d9535bb72f10842e40c79e882fc94fb7b14b89866adf2fd79efa5ebb5b658bc07fb459ccce5ac0e99ef3d72f474e74aaf284029d
-  languageName: node
-  linkType: hard
-
-"symlink-or-copy@npm:^1.0.0, symlink-or-copy@npm:^1.0.1, symlink-or-copy@npm:^1.1.8, symlink-or-copy@npm:^1.2.0, symlink-or-copy@npm:^1.3.1":
-  version: 1.3.1
-  resolution: "symlink-or-copy@npm:1.3.1"
-  checksum: 430c32ab5606f7b7c946a5a29ea17ce6cb0b34d8cb8394234b7abe710c8c029bf41030df79406cf49c4fc1e49aa979ca950b836767e3b8702acf9efe922a2f74
-  languageName: node
-  linkType: hard
-
-"sync-disk-cache@npm:^1.3.3":
-  version: 1.3.4
-  resolution: "sync-disk-cache@npm:1.3.4"
-  dependencies:
-    debug: ^2.1.3
-    heimdalljs: ^0.2.3
-    mkdirp: ^0.5.0
-    rimraf: ^2.2.8
-    username-sync: ^1.0.2
-  checksum: b828cf52b43500d83f4d98b626463227a773743cb14a5a1b5fc4f437ef85170e2a5259c6a1686e569cc231557a9a7b4278fa0cf16cef976329b18154d88215bd
-  languageName: node
-  linkType: hard
-
-"sync-disk-cache@npm:^2.0.0":
-  version: 2.1.0
-  resolution: "sync-disk-cache@npm:2.1.0"
-  dependencies:
-    debug: ^4.1.1
-    heimdalljs: ^0.2.6
-    mkdirp: ^0.5.0
-    rimraf: ^3.0.0
-    username-sync: ^1.0.2
-  checksum: 02f02d2842c69da088c28f5c6e39df7f22b68b06fd309a91eee9266a561d1a50759a8ba058df51017b89f3e70608dc884ec086b572fc9ae51165de0585029abb
-  languageName: node
-  linkType: hard
-
-"tabbable@npm:^5.3.3":
-  version: 5.3.3
-  resolution: "tabbable@npm:5.3.3"
-  checksum: 1aa56e1bb617cc10616c407f4e756f0607f3e2d30f9803664d70b85db037ca27e75918ed1c71443f3dc902e21dc9f991ce4b52d63a538c9b69b3218d3babcd70
-  languageName: node
-  linkType: hard
-
-"table@npm:^6.8.1":
-  version: 6.8.1
-  resolution: "table@npm:6.8.1"
-  dependencies:
-    ajv: ^8.0.1
-    lodash.truncate: ^4.4.2
-    slice-ansi: ^4.0.0
-    string-width: ^4.2.3
-    strip-ansi: ^6.0.1
-  checksum: 08249c7046125d9d0a944a6e96cfe9ec66908d6b8a9db125531be6eb05fa0de047fd5542e9d43b4f987057f00a093b276b8d3e19af162a9c40db2681058fd306
-  languageName: node
-  linkType: hard
-
-"tap-parser@npm:^7.0.0":
-  version: 7.0.0
-  resolution: "tap-parser@npm:7.0.0"
-  dependencies:
-    events-to-array: ^1.0.1
-    js-yaml: ^3.2.7
-    minipass: ^2.2.0
-  bin:
-    tap-parser: bin/cmd.js
-  checksum: 9970c8e797b97bcdb91d92eb0847e8d550e64b914800c4485bea0a28756f9c4e4cbbfe429e7d05c2140b1a83ae092b5636e191360c8fc3f817e60acb96658147
-  languageName: node
-  linkType: hard
-
-"tapable@npm:^1.0.0, tapable@npm:^1.1.3":
-  version: 1.1.3
-  resolution: "tapable@npm:1.1.3"
-  checksum: 53ff4e7c3900051c38cc4faab428ebfd7e6ad0841af5a7ac6d5f3045c5b50e88497bfa8295b4b3fbcadd94993c9e358868b78b9fb249a76cb8b018ac8dccafd7
-  languageName: node
-  linkType: hard
-
-"tapable@npm:^2.1.1, tapable@npm:^2.2.0":
-  version: 2.2.1
-  resolution: "tapable@npm:2.2.1"
-  checksum: 3b7a1b4d86fa940aad46d9e73d1e8739335efd4c48322cb37d073eb6f80f5281889bf0320c6d8ffcfa1a0dd5bfdbd0f9d037e252ef972aca595330538aac4d51
-  languageName: node
-  linkType: hard
-
-"tar@npm:^6.1.11, tar@npm:^6.1.2":
-  version: 6.1.13
-  resolution: "tar@npm:6.1.13"
-  dependencies:
-    chownr: ^2.0.0
-    fs-minipass: ^2.0.0
-    minipass: ^4.0.0
-    minizlib: ^2.1.1
-    mkdirp: ^1.0.3
-    yallist: ^4.0.0
-  checksum: 8a278bed123aa9f53549b256a36b719e317c8b96fe86a63406f3c62887f78267cea9b22dc6f7007009738509800d4a4dccc444abd71d762287c90f35b002eb1c
-  languageName: node
-  linkType: hard
-
-"temp@npm:0.9.4":
-  version: 0.9.4
-  resolution: "temp@npm:0.9.4"
-  dependencies:
-    mkdirp: ^0.5.1
-    rimraf: ~2.6.2
-  checksum: 8709d4d63278bd309ca0e49e80a268308dea543a949e71acd427b3314cd9417da9a2cc73425dd9c21c6780334dbffd67e05e7be5aaa73e9affe8479afc6f20e3
-  languageName: node
-  linkType: hard
-
-"terser-webpack-plugin@npm:^1.4.3":
-  version: 1.4.5
-  resolution: "terser-webpack-plugin@npm:1.4.5"
-  dependencies:
-    cacache: ^12.0.2
-    find-cache-dir: ^2.1.0
-    is-wsl: ^1.1.0
-    schema-utils: ^1.0.0
-    serialize-javascript: ^4.0.0
-    source-map: ^0.6.1
-    terser: ^4.1.2
-    webpack-sources: ^1.4.0
-    worker-farm: ^1.7.0
-  peerDependencies:
-    webpack: ^4.0.0
-  checksum: 02aada80927d3c8105d69cb00384d307b73aed67d180db5d20023a8d649149f3803ad50f9cd2ef9eb2622005de87e677198ecc5088f51422bfac5d4d57472d0e
-  languageName: node
-  linkType: hard
-
-"terser-webpack-plugin@npm:^5.1.3":
-  version: 5.3.3
-  resolution: "terser-webpack-plugin@npm:5.3.3"
-  dependencies:
-    "@jridgewell/trace-mapping": ^0.3.7
-    jest-worker: ^27.4.5
-    schema-utils: ^3.1.1
-    serialize-javascript: ^6.0.0
-    terser: ^5.7.2
-  peerDependencies:
-    webpack: ^5.1.0
-  peerDependenciesMeta:
-    "@swc/core":
-      optional: true
-    esbuild:
-      optional: true
-    uglify-js:
-      optional: true
-  checksum: 4b8d508d8a0f6e604addb286975f1fa670f8c3964a67abc03a7cfcfd4cdeca4b07dda6655e1c4425427fb62e4d2b0ca59d84f1b2cd83262ff73616d5d3ccdeb5
-  languageName: node
-  linkType: hard
-
-"terser@npm:^4.1.2, terser@npm:^4.3.9":
-  version: 4.8.0
-  resolution: "terser@npm:4.8.0"
-  dependencies:
-    commander: ^2.20.0
-    source-map: ~0.6.1
-    source-map-support: ~0.5.12
-  bin:
-    terser: bin/terser
-  checksum: f980789097d4f856c1ef4b9a7ada37beb0bb022fb8aa3057968862b5864ad7c244253b3e269c9eb0ab7d0caf97b9521273f2d1cf1e0e942ff0016e0583859c71
-  languageName: node
-  linkType: hard
-
-"terser@npm:^5.3.0":
-  version: 5.7.0
-  resolution: "terser@npm:5.7.0"
-  dependencies:
-    commander: ^2.20.0
-    source-map: ~0.7.2
-    source-map-support: ~0.5.19
-  bin:
-    terser: bin/terser
-  checksum: 3abeb551865079b27e2890dbec866054967d1963fc80a81e5e14e414c43db88ff53a5e88844c145df11bed01b28040aa96afd82113c6d1a6ad28409b6cae4fde
-  languageName: node
-  linkType: hard
-
-"terser@npm:^5.7.2":
-  version: 5.14.0
-  resolution: "terser@npm:5.14.0"
-  dependencies:
-    "@jridgewell/source-map": ^0.3.2
-    acorn: ^8.5.0
-    commander: ^2.20.0
-    source-map-support: ~0.5.20
-  bin:
-    terser: bin/terser
-  checksum: 9bce919c17cf028b1b41a3aca9f7e05354ff46701de39e733d6d7a43ebd9c6042d33cfa3e7ef84e5f4c17f1c429c7f40381a38c6e6d6ab1cdc46a1bf8f4e8985
-  languageName: node
-  linkType: hard
-
-"testem@npm:^3.10.1":
-  version: 3.10.1
-  resolution: "testem@npm:3.10.1"
-  dependencies:
-    "@xmldom/xmldom": ^0.8.0
-    backbone: ^1.1.2
-    bluebird: ^3.4.6
-    charm: ^1.0.0
-    commander: ^2.6.0
-    compression: ^1.7.4
-    consolidate: ^0.16.0
-    execa: ^1.0.0
-    express: ^4.10.7
-    fireworm: ^0.7.0
-    glob: ^7.0.4
-    http-proxy: ^1.13.1
-    js-yaml: ^3.2.5
-    lodash.assignin: ^4.1.0
-    lodash.castarray: ^4.4.0
-    lodash.clonedeep: ^4.4.1
-    lodash.find: ^4.5.1
-    lodash.uniqby: ^4.7.0
-    mkdirp: ^1.0.4
-    mustache: ^4.2.0
-    node-notifier: ^10.0.0
-    npmlog: ^6.0.0
-    printf: ^0.6.1
-    rimraf: ^3.0.2
-    socket.io: ^4.1.2
-    spawn-args: ^0.2.0
-    styled_string: 0.0.1
-    tap-parser: ^7.0.0
-    tmp: 0.0.33
-  bin:
-    testem: testem.js
-  checksum: d6f05dc22186484efff4fe251af2c4af5b86f39e2430390ee5616b6d3bb3b0216d5ab3d5d31ac41e49545745e228af88c8131c54ea548c7d7f33e23234b9430d
-  languageName: node
-  linkType: hard
-
-"tether@npm:^1.4.0":
-  version: 1.4.7
-  resolution: "tether@npm:1.4.7"
-  checksum: 766ac802654064b05e5785584a109101fc184266a0df99581a3ac45d33706c39d9fed314bd28daddf3532bfa0c41f81ebc133ce2c51995101ac922d3fb0477b8
-  languageName: node
-  linkType: hard
-
-"text-encoder-lite@npm:2.0.0":
-  version: 2.0.0
-  resolution: "text-encoder-lite@npm:2.0.0"
-  checksum: 25c3cb8b894c84ec3c2b8c66bcf6267e207d502e16385ca2c4ddca9b59194b5c36aa536a82923d3026be96f5c31121fb8f089cdf6e83768650a74c55416295af
-  languageName: node
-  linkType: hard
-
-"text-table@npm:^0.2.0":
-  version: 0.2.0
-  resolution: "text-table@npm:0.2.0"
-  checksum: b6937a38c80c7f84d9c11dd75e49d5c44f71d95e810a3250bd1f1797fc7117c57698204adf676b71497acc205d769d65c16ae8fa10afad832ae1322630aef10a
-  languageName: node
-  linkType: hard
-
-"textextensions@npm:1 || 2, textextensions@npm:^2.5.0":
-  version: 2.6.0
-  resolution: "textextensions@npm:2.6.0"
-  checksum: e28781f092d0172b78974fd22d5c007cc43ac50be666b36bbf10125d961775faf309a70b51697a2debc074c8f23cc923f1386b1e4661e11b128cee292060034c
-  languageName: node
-  linkType: hard
-
-"through2@npm:^2.0.0":
-  version: 2.0.5
-  resolution: "through2@npm:2.0.5"
-  dependencies:
-    readable-stream: ~2.3.6
-    xtend: ~4.0.1
-  checksum: beb0f338aa2931e5660ec7bf3ad949e6d2e068c31f4737b9525e5201b824ac40cac6a337224856b56bd1ddd866334bbfb92a9f57cd6f66bc3f18d3d86fc0fe50
-  languageName: node
-  linkType: hard
-
-"through2@npm:^3.0.1":
-  version: 3.0.2
-  resolution: "through2@npm:3.0.2"
-  dependencies:
-    inherits: ^2.0.4
-    readable-stream: 2 || 3
-  checksum: 47c9586c735e7d9cbbc1029f3ff422108212f7cc42e06d5cc9fff7901e659c948143c790e0d0d41b1b5f89f1d1200bdd200c7b72ad34f42f9edbeb32ea49e8b7
-  languageName: node
-  linkType: hard
-
-"through@npm:^2.3.6, through@npm:^2.3.8":
-  version: 2.3.8
-  resolution: "through@npm:2.3.8"
-  checksum: a38c3e059853c494af95d50c072b83f8b676a9ba2818dcc5b108ef252230735c54e0185437618596c790bbba8fcdaef5b290405981ffa09dce67b1f1bf190cbd
-  languageName: node
-  linkType: hard
-
-"time-zone@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "time-zone@npm:1.0.0"
-  checksum: e46f5a69b8c236dcd8e91e29d40d4e7a3495ed4f59888c3f84ce1d9678e20461421a6ba41233509d47dd94bc18f1a4377764838b21b584663f942b3426dcbce8
-  languageName: node
-  linkType: hard
-
-"timers-browserify@npm:^2.0.4":
-  version: 2.0.12
-  resolution: "timers-browserify@npm:2.0.12"
-  dependencies:
-    setimmediate: ^1.0.4
-  checksum: ec37ae299066bef6c464dcac29c7adafba1999e7227a9bdc4e105a459bee0f0b27234a46bfd7ab4041da79619e06a58433472867a913d01c26f8a203f87cee70
-  languageName: node
-  linkType: hard
-
-"tiny-emitter@npm:^2.0.0":
-  version: 2.1.0
-  resolution: "tiny-emitter@npm:2.1.0"
-  checksum: fbcfb5145751a0e3b109507a828eb6d6d4501352ab7bb33eccef46e22e9d9ad3953158870a6966a59e57ab7c3f9cfac7cab8521db4de6a5e757012f4677df2dd
-  languageName: node
-  linkType: hard
-
-"tiny-glob@npm:0.2.9":
-  version: 0.2.9
-  resolution: "tiny-glob@npm:0.2.9"
-  dependencies:
-    globalyzer: 0.1.0
-    globrex: ^0.1.2
-  checksum: aea5801eb6663ddf77ebb74900b8f8bd9dfcfc9b6a1cc8018cb7421590c00bf446109ff45e4b64a98e6c95ddb1255a337a5d488fb6311930e2a95334151ec9c6
-  languageName: node
-  linkType: hard
-
-"tiny-lr@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "tiny-lr@npm:2.0.0"
-  dependencies:
-    body: ^5.1.0
-    debug: ^3.1.0
-    faye-websocket: ^0.11.3
-    livereload-js: ^3.3.1
-    object-assign: ^4.1.0
-    qs: ^6.4.0
-  checksum: d1804c15727e741aa6eccdee6171548fce8d2865b0f18b3e1b6ac9f80048c2e099eeec2540a49380a1fd6f3eb6cafe1cb5adc76dfec2c9dceee3e014a4f25991
-  languageName: node
-  linkType: hard
-
-"tippy.js@npm:^6.3.7":
-  version: 6.3.7
-  resolution: "tippy.js@npm:6.3.7"
-  dependencies:
-    "@popperjs/core": ^2.9.0
-  checksum: cac955318a65288e8d2dca05059878b003c6e66f92c94f7810f5bc5448eb6646abdf7dacc9bd00020e2611592598d0aae3a28ec9a45349a159603c3fdddce5fb
-  languageName: node
-  linkType: hard
-
-"tmp@npm:0.0.28":
-  version: 0.0.28
-  resolution: "tmp@npm:0.0.28"
-  dependencies:
-    os-tmpdir: ~1.0.1
-  checksum: 8167d2471b650f88fde1515bbf6c62d2adef07972d06531569f789863a2436c32027b6d5fbe3102ed2c430b86043dffd337db12494f1f982534862d9487e4eff
-  languageName: node
-  linkType: hard
-
-"tmp@npm:0.0.33, tmp@npm:^0.0.33":
-  version: 0.0.33
-  resolution: "tmp@npm:0.0.33"
-  dependencies:
-    os-tmpdir: ~1.0.2
-  checksum: 902d7aceb74453ea02abbf58c203f4a8fc1cead89b60b31e354f74ed5b3fb09ea817f94fb310f884a5d16987dd9fa5a735412a7c2dd088dd3d415aa819ae3a28
-  languageName: node
-  linkType: hard
-
-"tmp@npm:^0.1.0":
-  version: 0.1.0
-  resolution: "tmp@npm:0.1.0"
-  dependencies:
-    rimraf: ^2.6.3
-  checksum: 6bab8431de9d245d4264bd8cd6bb216f9d22f179f935dada92a11d1315572c8eb7c3334201e00594b4708608bd536fad3a63bfb037e7804d827d66aa53a1afcd
-  languageName: node
-  linkType: hard
-
-"tmp@npm:^0.2.1":
-  version: 0.2.1
-  resolution: "tmp@npm:0.2.1"
-  dependencies:
-    rimraf: ^3.0.0
-  checksum: 8b1214654182575124498c87ca986ac53dc76ff36e8f0e0b67139a8d221eaecfdec108c0e6ec54d76f49f1f72ab9325500b246f562b926f85bcdfca8bf35df9e
-  languageName: node
-  linkType: hard
-
-"tmpl@npm:1.0.5":
-  version: 1.0.5
-  resolution: "tmpl@npm:1.0.5"
-  checksum: cd922d9b853c00fe414c5a774817be65b058d54a2d01ebb415840960406c669a0fc632f66df885e24cb022ec812739199ccbdb8d1164c3e513f85bfca5ab2873
-  languageName: node
-  linkType: hard
-
-"to-arraybuffer@npm:^1.0.0":
-  version: 1.0.1
-  resolution: "to-arraybuffer@npm:1.0.1"
-  checksum: 31433c10b388722729f5da04c6b2a06f40dc84f797bb802a5a171ced1e599454099c6c5bc5118f4b9105e7d049d3ad9d0f71182b77650e4fdb04539695489941
-  languageName: node
-  linkType: hard
-
-"to-fast-properties@npm:^1.0.3":
-  version: 1.0.3
-  resolution: "to-fast-properties@npm:1.0.3"
-  checksum: bd0abb58c4722851df63419de3f6d901d5118f0440d3f71293ed776dd363f2657edaaf2dc470e3f6b7b48eb84aa411193b60db8a4a552adac30de9516c5cc580
-  languageName: node
-  linkType: hard
-
-"to-fast-properties@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "to-fast-properties@npm:2.0.0"
-  checksum: be2de62fe58ead94e3e592680052683b1ec986c72d589e7b21e5697f8744cdbf48c266fa72f6c15932894c10187b5f54573a3bcf7da0bfd964d5caf23d436168
-  languageName: node
-  linkType: hard
-
-"to-object-path@npm:^0.3.0":
-  version: 0.3.0
-  resolution: "to-object-path@npm:0.3.0"
-  dependencies:
-    kind-of: ^3.0.2
-  checksum: 9425effee5b43e61d720940fa2b889623f77473d459c2ce3d4a580a4405df4403eec7be6b857455908070566352f9e2417304641ed158dda6f6a365fe3e66d70
-  languageName: node
-  linkType: hard
-
-"to-regex-range@npm:^2.1.0":
-  version: 2.1.1
-  resolution: "to-regex-range@npm:2.1.1"
-  dependencies:
-    is-number: ^3.0.0
-    repeat-string: ^1.6.1
-  checksum: 46093cc14be2da905cc931e442d280b2e544e2bfdb9a24b3cf821be8d342f804785e5736c108d5be026021a05d7b38144980a61917eee3c88de0a5e710e10320
-  languageName: node
-  linkType: hard
-
-"to-regex-range@npm:^5.0.1":
-  version: 5.0.1
-  resolution: "to-regex-range@npm:5.0.1"
-  dependencies:
-    is-number: ^7.0.0
-  checksum: f76fa01b3d5be85db6a2a143e24df9f60dd047d151062d0ba3df62953f2f697b16fe5dad9b0ac6191c7efc7b1d9dcaa4b768174b7b29da89d4428e64bc0a20ed
-  languageName: node
-  linkType: hard
-
-"to-regex@npm:^3.0.1, to-regex@npm:^3.0.2":
-  version: 3.0.2
-  resolution: "to-regex@npm:3.0.2"
-  dependencies:
-    define-property: ^2.0.2
-    extend-shallow: ^3.0.2
-    regex-not: ^1.0.2
-    safe-regex: ^1.1.0
-  checksum: 4ed4a619059b64e204aad84e4e5f3ea82d97410988bcece7cf6cbfdbf193d11bff48cf53842d88b8bb00b1bfc0d048f61f20f0709e6f393fd8fe0122662d9db4
-  languageName: node
-  linkType: hard
-
-"toidentifier@npm:1.0.0":
-  version: 1.0.0
-  resolution: "toidentifier@npm:1.0.0"
-  checksum: 199e6bfca1531d49b3506cff02353d53ec987c9ee10ee272ca6484ed97f1fc10fb77c6c009079ca16d5c5be4a10378178c3cacdb41ce9ec954c3297c74c6053e
-  languageName: node
-  linkType: hard
-
-"toidentifier@npm:1.0.1":
-  version: 1.0.1
-  resolution: "toidentifier@npm:1.0.1"
-  checksum: 952c29e2a85d7123239b5cfdd889a0dde47ab0497f0913d70588f19c53f7e0b5327c95f4651e413c74b785147f9637b17410ac8c846d5d4a20a5a33eb6dc3a45
-  languageName: node
-  linkType: hard
-
-"tough-cookie@npm:^2.3.3, tough-cookie@npm:~2.5.0":
-  version: 2.5.0
-  resolution: "tough-cookie@npm:2.5.0"
-  dependencies:
-    psl: ^1.1.28
-    punycode: ^2.1.1
-  checksum: 16a8cd090224dd176eee23837cbe7573ca0fa297d7e468ab5e1c02d49a4e9a97bb05fef11320605eac516f91d54c57838a25864e8680e27b069a5231d8264977
-  languageName: node
-  linkType: hard
-
-"tough-cookie@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "tough-cookie@npm:4.0.0"
-  dependencies:
-    psl: ^1.1.33
-    punycode: ^2.1.1
-    universalify: ^0.1.2
-  checksum: 0891b37eb7d17faa3479d47f0dce2e3007f2583094ad272f2670d120fbcc3df3b0b0a631ba96ecad49f9e2297d93ff8995ce0d3292d08dd7eabe162f5b224d69
-  languageName: node
-  linkType: hard
-
-"tr46@npm:^2.0.2":
-  version: 2.0.2
-  resolution: "tr46@npm:2.0.2"
-  dependencies:
-    punycode: ^2.1.1
-  checksum: 2b2b3dfa6bc65d027b2fac729fba0fb5b9d98af7b69ad6876c0f088ebf127f2d53e5a4d4464e5de40380cf721f392262c9183d2a05cea4967a890e8801c842f6
-  languageName: node
-  linkType: hard
-
-"tracked-built-ins@npm:^3.1.1":
-  version: 3.2.0
-  resolution: "tracked-built-ins@npm:3.2.0"
-  dependencies:
-    "@embroider/addon-shim": ^1.8.3
-    ember-tracked-storage-polyfill: ^1.0.0
-  checksum: 262c8df5cfa2911a9b2288e1d34aa9b07b6e5673d0138531445e86426253176f51f4c96083f60e564a380df1f489cdd0bc522b75a9b04fdadfe374f543bbed85
-  languageName: node
-  linkType: hard
-
-"tracked-maps-and-sets@npm:^3.0.1":
-  version: 3.0.2
-  resolution: "tracked-maps-and-sets@npm:3.0.2"
-  dependencies:
-    "@glimmer/tracking": ^1.0.0
-    ember-cli-babel: ^7.26.6
-    ember-cli-typescript: ^4.2.1
-    ember-tracked-storage-polyfill: 1.0.0
-  checksum: 3bcd53d27c751d4d7355457d7639fb6c9cf93f8d3b9a955b04805809b628b2fdb62b1899313c2bc7a92b64817a26d2fc648452d5f662de967767351439b70f11
-  languageName: node
-  linkType: hard
-
-"traverse@npm:^0.6.6":
-  version: 0.6.6
-  resolution: "traverse@npm:0.6.6"
-  checksum: e2afa72f11efa9ba31ed763d2d9d2aa244612f22015d16c0ea3ba5f6ca8bf071de87f8108b721885cce06ea4a36ef4605d9228c67e431d9015ea4685cb364420
-  languageName: node
-  linkType: hard
-
-"tree-sync@npm:^1.2.2":
-  version: 1.4.0
-  resolution: "tree-sync@npm:1.4.0"
-  dependencies:
-    debug: ^2.2.0
-    fs-tree-diff: ^0.5.6
-    mkdirp: ^0.5.1
-    quick-temp: ^0.1.5
-    walk-sync: ^0.3.3
-  checksum: af76c496653dea16c125cf16a7313814d453ce51d7d9ac3aafc9b4d60150c25477c7228a9821b8479951ef70d7bf2f7950c206cbc2e9843e57692d69c2221503
-  languageName: node
-  linkType: hard
-
-"tree-sync@npm:^2.0.0, tree-sync@npm:^2.1.0":
-  version: 2.1.0
-  resolution: "tree-sync@npm:2.1.0"
-  dependencies:
-    debug: ^4.1.1
-    fs-tree-diff: ^2.0.1
-    mkdirp: ^0.5.5
-    quick-temp: ^0.1.5
-    walk-sync: ^0.3.3
-  checksum: 6454ca6021cf7ab9220764b7577370af4601d4172085b55f45ab6f414639281f95deb2e10cb46007b6f04dba5189cb11e48fb43be908f78369a93a6b680c9342
-  languageName: node
-  linkType: hard
-
-"trim-newlines@npm:^4.0.2":
-  version: 4.1.1
-  resolution: "trim-newlines@npm:4.1.1"
-  checksum: 5b09f8e329e8f33c1111ef26906332ba7ba7248cde3e26fc054bb3d69f2858bf5feedca9559c572ff91f33e52977c28e0d41c387df6a02a633cbb8c2d8238627
-  languageName: node
-  linkType: hard
-
-"trim-right@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "trim-right@npm:1.0.1"
-  checksum: 9120af534e006a7424a4f9358710e6e707887b6ccf7ea69e50d6ac6464db1fe22268400def01752f09769025d480395159778153fb98d4a2f6f40d4cf5d4f3b6
-  languageName: node
-  linkType: hard
-
-"trough@npm:^1.0.0":
-  version: 1.0.5
-  resolution: "trough@npm:1.0.5"
-  checksum: d6c8564903ed00e5258bab92134b020724dbbe83148dc72e4bf6306c03ed8843efa1bcc773fa62410dd89161ecb067432dd5916501793508a9506cacbc408e25
-  languageName: node
-  linkType: hard
-
-"tslib@npm:^1.8.1, tslib@npm:^1.9.0":
-  version: 1.14.1
-  resolution: "tslib@npm:1.14.1"
-  checksum: dbe628ef87f66691d5d2959b3e41b9ca0045c3ee3c7c7b906cc1e328b39f199bb1ad9e671c39025bd56122ac57dfbf7385a94843b1cc07c60a4db74795829acd
-  languageName: node
-  linkType: hard
-
-"tslib@npm:^2.0.3":
-  version: 2.2.0
-  resolution: "tslib@npm:2.2.0"
-  checksum: a48c9639f7496fa701ea8ffe0561070fcb44c104a59632f7f845c0af00825c99b6373575ec59b2b5cdbfd7505875086dbe5dc83312304d8979f22ce571218ca3
-  languageName: node
-  linkType: hard
-
-"tslib@npm:^2.1.0":
-  version: 2.4.1
-  resolution: "tslib@npm:2.4.1"
-  checksum: 19480d6e0313292bd6505d4efe096a6b31c70e21cf08b5febf4da62e95c265c8f571f7b36fcc3d1a17e068032f59c269fab3459d6cd3ed6949eafecf64315fca
-  languageName: node
-  linkType: hard
-
-"tslib@npm:^2.3.1":
-  version: 2.3.1
-  resolution: "tslib@npm:2.3.1"
-  checksum: de17a98d4614481f7fcb5cd53ffc1aaf8654313be0291e1bfaee4b4bb31a20494b7d218ff2e15017883e8ea9626599b3b0e0229c18383ba9dce89da2adf15cb9
-  languageName: node
-  linkType: hard
-
-"tsutils@npm:^3.21.0":
-  version: 3.21.0
-  resolution: "tsutils@npm:3.21.0"
-  dependencies:
-    tslib: ^1.8.1
-  peerDependencies:
-    typescript: ">=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta"
-  checksum: 1843f4c1b2e0f975e08c4c21caa4af4f7f65a12ac1b81b3b8489366826259323feb3fc7a243123453d2d1a02314205a7634e048d4a8009921da19f99755cdc48
-  languageName: node
-  linkType: hard
-
-"tty-browserify@npm:0.0.0":
-  version: 0.0.0
-  resolution: "tty-browserify@npm:0.0.0"
-  checksum: a06f746acc419cb2527ba19b6f3bd97b4a208c03823bfb37b2982629d2effe30ebd17eaed0d7e2fc741f3c4f2a0c43455bd5fb4194354b378e78cfb7ca687f59
-  languageName: node
-  linkType: hard
-
-"tunnel-agent@npm:^0.6.0":
-  version: 0.6.0
-  resolution: "tunnel-agent@npm:0.6.0"
-  dependencies:
-    safe-buffer: ^5.0.1
-  checksum: 05f6510358f8afc62a057b8b692f05d70c1782b70db86d6a1e0d5e28a32389e52fa6e7707b6c5ecccacc031462e4bc35af85ecfe4bbc341767917b7cf6965711
-  languageName: node
-  linkType: hard
-
-"tweetnacl@npm:^0.14.3, tweetnacl@npm:~0.14.0":
-  version: 0.14.5
-  resolution: "tweetnacl@npm:0.14.5"
-  checksum: 6061daba1724f59473d99a7bb82e13f211cdf6e31315510ae9656fefd4779851cb927adad90f3b488c8ed77c106adc0421ea8055f6f976ff21b27c5c4e918487
-  languageName: node
-  linkType: hard
-
-"type-check@npm:^0.4.0, type-check@npm:~0.4.0":
-  version: 0.4.0
-  resolution: "type-check@npm:0.4.0"
-  dependencies:
-    prelude-ls: ^1.2.1
-  checksum: ec688ebfc9c45d0c30412e41ca9c0cdbd704580eb3a9ccf07b9b576094d7b86a012baebc95681999dd38f4f444afd28504cb3a89f2ef16b31d4ab61a0739025a
-  languageName: node
-  linkType: hard
-
-"type-check@npm:~0.3.2":
-  version: 0.3.2
-  resolution: "type-check@npm:0.3.2"
-  dependencies:
-    prelude-ls: ~1.1.2
-  checksum: dd3b1495642731bc0e1fc40abe5e977e0263005551ac83342ecb6f4f89551d106b368ec32ad3fb2da19b3bd7b2d1f64330da2ea9176d8ddbfe389fb286eb5124
-  languageName: node
-  linkType: hard
-
-"type-detect@npm:4.0.8":
-  version: 4.0.8
-  resolution: "type-detect@npm:4.0.8"
-  checksum: 62b5628bff67c0eb0b66afa371bd73e230399a8d2ad30d852716efcc4656a7516904570cd8631a49a3ce57c10225adf5d0cbdcb47f6b0255fe6557c453925a15
-  languageName: node
-  linkType: hard
-
-"type-fest@npm:^0.11.0":
-  version: 0.11.0
-  resolution: "type-fest@npm:0.11.0"
-  checksum: 8e7589e1eb5ced6c8e1d3051553b59b9f525c41e58baa898229915781c7bf55db8cb2f74e56d8031f6af5af2eecc7cb8da9ca3af7e5b80b49d8ca5a81891f3f9
-  languageName: node
-  linkType: hard
-
-"type-fest@npm:^0.20.2":
-  version: 0.20.2
-  resolution: "type-fest@npm:0.20.2"
-  checksum: 4fb3272df21ad1c552486f8a2f8e115c09a521ad7a8db3d56d53718d0c907b62c6e9141ba5f584af3f6830d0872c521357e512381f24f7c44acae583ad517d73
-  languageName: node
-  linkType: hard
-
-"type-fest@npm:^0.21.3":
-  version: 0.21.3
-  resolution: "type-fest@npm:0.21.3"
-  checksum: e6b32a3b3877f04339bae01c193b273c62ba7bfc9e325b8703c4ee1b32dc8fe4ef5dfa54bf78265e069f7667d058e360ae0f37be5af9f153b22382cd55a9afe0
-  languageName: node
-  linkType: hard
-
-"type-fest@npm:^1.0.1, type-fest@npm:^1.2.1, type-fest@npm:^1.2.2":
-  version: 1.4.0
-  resolution: "type-fest@npm:1.4.0"
-  checksum: b011c3388665b097ae6a109a437a04d6f61d81b7357f74cbcb02246f2f5bd72b888ae33631b99871388122ba0a87f4ff1c94078e7119ff22c70e52c0ff828201
-  languageName: node
-  linkType: hard
-
-"type-is@npm:~1.6.17, type-is@npm:~1.6.18":
-  version: 1.6.18
-  resolution: "type-is@npm:1.6.18"
-  dependencies:
-    media-typer: 0.3.0
-    mime-types: ~2.1.24
-  checksum: 2c8e47675d55f8b4e404bcf529abdf5036c537a04c2b20177bcf78c9e3c1da69da3942b1346e6edb09e823228c0ee656ef0e033765ec39a70d496ef601a0c657
-  languageName: node
-  linkType: hard
-
-"typed-array-length@npm:^1.0.4":
-  version: 1.0.4
-  resolution: "typed-array-length@npm:1.0.4"
-  dependencies:
-    call-bind: ^1.0.2
-    for-each: ^0.3.3
-    is-typed-array: ^1.1.9
-  checksum: 2228febc93c7feff142b8c96a58d4a0d7623ecde6c7a24b2b98eb3170e99f7c7eff8c114f9b283085cd59dcd2bd43aadf20e25bba4b034a53c5bb292f71f8956
-  languageName: node
-  linkType: hard
-
-"typedarray-to-buffer@npm:^3.1.5":
-  version: 3.1.5
-  resolution: "typedarray-to-buffer@npm:3.1.5"
-  dependencies:
-    is-typedarray: ^1.0.0
-  checksum: 99c11aaa8f45189fcfba6b8a4825fd684a321caa9bd7a76a27cf0c7732c174d198b99f449c52c3818107430b5f41c0ccbbfb75cb2ee3ca4a9451710986d61a60
-  languageName: node
-  linkType: hard
-
-"typedarray@npm:^0.0.6":
-  version: 0.0.6
-  resolution: "typedarray@npm:0.0.6"
-  checksum: 33b39f3d0e8463985eeaeeacc3cb2e28bc3dfaf2a5ed219628c0b629d5d7b810b0eb2165f9f607c34871d5daa92ba1dc69f49051cf7d578b4cbd26c340b9d1b1
-  languageName: node
-  linkType: hard
-
-"typescript-memoize@npm:^1.0.0-alpha.3, typescript-memoize@npm:^1.0.1":
-  version: 1.1.0
-  resolution: "typescript-memoize@npm:1.1.0"
-  checksum: a7d3357adbf421972619397c5db562664f3d440629a5afbb510c09e23e3a176424f600c3c853addc2234a9b7be3e61dae984771c057a76980fab67fb30c70d64
-  languageName: node
-  linkType: hard
-
-"typescript@npm:^4.5.4, typescript@npm:^4.8.4":
-  version: 4.8.4
-  resolution: "typescript@npm:4.8.4"
-  bin:
-    tsc: bin/tsc
-    tsserver: bin/tsserver
-  checksum: 3e4f061658e0c8f36c820802fa809e0fd812b85687a9a2f5430bc3d0368e37d1c9605c3ce9b39df9a05af2ece67b1d844f9f6ea8ff42819f13bcb80f85629af0
-  languageName: node
-  linkType: hard
-
-"typescript@patch:typescript@^4.5.4#~builtin<compat/typescript>, typescript@patch:typescript@^4.8.4#~builtin<compat/typescript>":
-  version: 4.8.4
-  resolution: "typescript@patch:typescript@npm%3A4.8.4#~builtin<compat/typescript>::version=4.8.4&hash=1a91c8"
-  bin:
-    tsc: bin/tsc
-    tsserver: bin/tsserver
-  checksum: c981e82b77a5acdcc4e69af9c56cdecf5b934a87a08e7b52120596701e389a878b8e3f860e73ffb287bf649cc47a8c741262ce058148f71de4cdd88bb9c75153
-  languageName: node
-  linkType: hard
-
-"uc.micro@npm:^1.0.1, uc.micro@npm:^1.0.5":
-  version: 1.0.6
-  resolution: "uc.micro@npm:1.0.6"
-  checksum: 6898bb556319a38e9cf175e3628689347bd26fec15fc6b29fa38e0045af63075ff3fea4cf1fdba9db46c9f0cbf07f2348cd8844889dd31ebd288c29fe0d27e7a
-  languageName: node
-  linkType: hard
-
-"uglify-js@npm:^3.1.4":
-  version: 3.14.3
-  resolution: "uglify-js@npm:3.14.3"
-  bin:
-    uglifyjs: bin/uglifyjs
-  checksum: eef57b4fec031f687bef46182c33de5eff6bc40fec8d46152f3b92bb044602dd524a04e33ca5f7391f82db969b92ef6aded860f8a4ee5f4bf796d7420b030236
-  languageName: node
-  linkType: hard
-
-"unbox-primitive@npm:^1.0.0, unbox-primitive@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "unbox-primitive@npm:1.0.1"
-  dependencies:
-    function-bind: ^1.1.1
-    has-bigints: ^1.0.1
-    has-symbols: ^1.0.2
-    which-boxed-primitive: ^1.0.2
-  checksum: 89d950e18fb45672bc6b3c961f1e72c07beb9640c7ceed847b571ba6f7d2af570ae1a2584cfee268b9d9ea1e3293f7e33e0bc29eaeb9f8e8a0bab057ff9e6bba
-  languageName: node
-  linkType: hard
-
-"unbox-primitive@npm:^1.0.2":
-  version: 1.0.2
-  resolution: "unbox-primitive@npm:1.0.2"
-  dependencies:
-    call-bind: ^1.0.2
-    has-bigints: ^1.0.2
-    has-symbols: ^1.0.3
-    which-boxed-primitive: ^1.0.2
-  checksum: b7a1cf5862b5e4b5deb091672ffa579aa274f648410009c81cca63fed3b62b610c4f3b773f912ce545bb4e31edc3138975b5bc777fc6e4817dca51affb6380e9
-  languageName: node
-  linkType: hard
-
-"underscore.string@npm:^3.2.2, underscore.string@npm:~3.3.4":
-  version: 3.3.5
-  resolution: "underscore.string@npm:3.3.5"
-  dependencies:
-    sprintf-js: ^1.0.3
-    util-deprecate: ^1.0.2
-  checksum: 86c60f4e9c3176ae77a548ec2ac659cc3cf48b93c7cff7d548f7c91569fc15885c90816245bf4d6925241f64b54508fc60aac562246ea2de2e50d0411e82a702
-  languageName: node
-  linkType: hard
-
-"underscore@npm:^1.12.1":
-  version: 1.13.1
-  resolution: "underscore@npm:1.13.1"
-  checksum: 69bb4e6dd92c387ad322dd5b105f496fa64896d92ff1eea987610920d452667a12bca0938def4c4d60acd12da62410540fd268e7ca4f2480d89324498382fcac
-  languageName: node
-  linkType: hard
-
-"unicode-canonical-property-names-ecmascript@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "unicode-canonical-property-names-ecmascript@npm:2.0.0"
-  checksum: 39be078afd014c14dcd957a7a46a60061bc37c4508ba146517f85f60361acf4c7539552645ece25de840e17e293baa5556268d091ca6762747fdd0c705001a45
-  languageName: node
-  linkType: hard
-
-"unicode-match-property-ecmascript@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "unicode-match-property-ecmascript@npm:2.0.0"
-  dependencies:
-    unicode-canonical-property-names-ecmascript: ^2.0.0
-    unicode-property-aliases-ecmascript: ^2.0.0
-  checksum: 1f34a7434a23df4885b5890ac36c5b2161a809887000be560f56ad4b11126d433c0c1c39baf1016bdabed4ec54829a6190ee37aa24919aa116dc1a5a8a62965a
-  languageName: node
-  linkType: hard
-
-"unicode-match-property-value-ecmascript@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "unicode-match-property-value-ecmascript@npm:2.0.0"
-  checksum: 8fe6a09d9085a625cabcead5d95bdbc1a2d5d481712856092ce0347231e81a60b93a68f1b69e82b3076a07e415a72c708044efa2aa40ae23e2e7b5c99ed4a9ea
-  languageName: node
-  linkType: hard
-
-"unicode-property-aliases-ecmascript@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "unicode-property-aliases-ecmascript@npm:2.0.0"
-  checksum: dda4d39128cbbede2ac60fbb85493d979ec65913b8a486bf7cb7a375a2346fa48cbf9dc6f1ae23376e7e8e684c2b411434891e151e865a661b40a85407db51d0
-  languageName: node
-  linkType: hard
-
-"unified@npm:^9.2.2":
-  version: 9.2.2
-  resolution: "unified@npm:9.2.2"
-  dependencies:
-    bail: ^1.0.0
-    extend: ^3.0.0
-    is-buffer: ^2.0.0
-    is-plain-obj: ^2.0.0
-    trough: ^1.0.0
-    vfile: ^4.0.0
-  checksum: 7c24461be7de4145939739ce50d18227c5fbdf9b3bc5a29dabb1ce26dd3e8bd4a1c385865f6f825f3b49230953ee8b591f23beab3bb3643e3e9dc37aa8a089d5
-  languageName: node
-  linkType: hard
-
-"union-value@npm:^1.0.0":
-  version: 1.0.1
-  resolution: "union-value@npm:1.0.1"
-  dependencies:
-    arr-union: ^3.1.0
-    get-value: ^2.0.6
-    is-extendable: ^0.1.1
-    set-value: ^2.0.1
-  checksum: a3464097d3f27f6aa90cf103ed9387541bccfc006517559381a10e0dffa62f465a9d9a09c9b9c3d26d0f4cbe61d4d010e2fbd710fd4bf1267a768ba8a774b0ba
-  languageName: node
-  linkType: hard
-
-"unique-filename@npm:^1.1.1":
-  version: 1.1.1
-  resolution: "unique-filename@npm:1.1.1"
-  dependencies:
-    unique-slug: ^2.0.0
-  checksum: cf4998c9228cc7647ba7814e255dec51be43673903897b1786eff2ac2d670f54d4d733357eb08dea969aa5e6875d0e1bd391d668fbdb5a179744e7c7551a6f80
-  languageName: node
-  linkType: hard
-
-"unique-filename@npm:^2.0.0":
-  version: 2.0.1
-  resolution: "unique-filename@npm:2.0.1"
-  dependencies:
-    unique-slug: ^3.0.0
-  checksum: 807acf3381aff319086b64dc7125a9a37c09c44af7620bd4f7f3247fcd5565660ac12d8b80534dcbfd067e6fe88a67e621386dd796a8af828d1337a8420a255f
-  languageName: node
-  linkType: hard
-
-"unique-slug@npm:^2.0.0":
-  version: 2.0.2
-  resolution: "unique-slug@npm:2.0.2"
-  dependencies:
-    imurmurhash: ^0.1.4
-  checksum: 5b6876a645da08d505dedb970d1571f6cebdf87044cb6b740c8dbb24f0d6e1dc8bdbf46825fd09f994d7cf50760e6f6e063cfa197d51c5902c00a861702eb75a
-  languageName: node
-  linkType: hard
-
-"unique-slug@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "unique-slug@npm:3.0.0"
-  dependencies:
-    imurmurhash: ^0.1.4
-  checksum: 49f8d915ba7f0101801b922062ee46b7953256c93ceca74303bd8e6413ae10aa7e8216556b54dc5382895e8221d04f1efaf75f945c2e4a515b4139f77aa6640c
-  languageName: node
-  linkType: hard
-
-"unique-string@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "unique-string@npm:2.0.0"
-  dependencies:
-    crypto-random-string: ^2.0.0
-  checksum: ef68f639136bcfe040cf7e3cd7a8dff076a665288122855148a6f7134092e6ed33bf83a7f3a9185e46c98dddc445a0da6ac25612afa1a7c38b8b654d6c02498e
-  languageName: node
-  linkType: hard
-
-"unist-util-is@npm:^4.0.0":
-  version: 4.1.0
-  resolution: "unist-util-is@npm:4.1.0"
-  checksum: 726484cd2adc9be75a939aeedd48720f88294899c2e4a3143da413ae593f2b28037570730d5cf5fd910ff41f3bc1501e3d636b6814c478d71126581ef695f7ea
-  languageName: node
-  linkType: hard
-
-"unist-util-stringify-position@npm:^2.0.0":
-  version: 2.0.3
-  resolution: "unist-util-stringify-position@npm:2.0.3"
-  dependencies:
-    "@types/unist": ^2.0.2
-  checksum: f755cadc959f9074fe999578a1a242761296705a7fe87f333a37c00044de74ab4b184b3812989a57d4cd12211f0b14ad397b327c3a594c7af84361b1c25a7f09
-  languageName: node
-  linkType: hard
-
-"unist-util-visit-parents@npm:^3.0.0":
-  version: 3.1.1
-  resolution: "unist-util-visit-parents@npm:3.1.1"
-  dependencies:
-    "@types/unist": ^2.0.0
-    unist-util-is: ^4.0.0
-  checksum: 1170e397dff88fab01e76d5154981666eb0291019d2462cff7a2961a3e76d3533b42eaa16b5b7e2d41ad42a5ea7d112301458283d255993e660511387bf67bc3
-  languageName: node
-  linkType: hard
-
-"universalify@npm:^0.1.0, universalify@npm:^0.1.2":
-  version: 0.1.2
-  resolution: "universalify@npm:0.1.2"
-  checksum: 40cdc60f6e61070fe658ca36016a8f4ec216b29bf04a55dce14e3710cc84c7448538ef4dad3728d0bfe29975ccd7bfb5f414c45e7b78883567fb31b246f02dff
-  languageName: node
-  linkType: hard
-
-"universalify@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "universalify@npm:2.0.0"
-  checksum: 2406a4edf4a8830aa6813278bab1f953a8e40f2f63a37873ffa9a3bc8f9745d06cc8e88f3572cb899b7e509013f7f6fcc3e37e8a6d914167a5381d8440518c44
-  languageName: node
-  linkType: hard
-
-"unpipe@npm:1.0.0, unpipe@npm:~1.0.0":
-  version: 1.0.0
-  resolution: "unpipe@npm:1.0.0"
-  checksum: 4fa18d8d8d977c55cb09715385c203197105e10a6d220087ec819f50cb68870f02942244f1017565484237f1f8c5d3cd413631b1ae104d3096f24fdfde1b4aa2
-  languageName: node
-  linkType: hard
-
-"unquote@npm:~1.1.1":
-  version: 1.1.1
-  resolution: "unquote@npm:1.1.1"
-  checksum: 71745867d09cba44ba2d26cb71d6dda7045a98b14f7405df4faaf2b0c90d24703ad027a9d90ba9a6e0d096de2c8d56f864fd03f1c0498c0b7a3990f73b4c8f5f
-  languageName: node
-  linkType: hard
-
-"unset-value@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "unset-value@npm:1.0.0"
-  dependencies:
-    has-value: ^0.3.1
-    isobject: ^3.0.0
-  checksum: 5990ecf660672be2781fc9fb322543c4aa592b68ed9a3312fa4df0e9ba709d42e823af090fc8f95775b4cd2c9a5169f7388f0cec39238b6d0d55a69fc2ab6b29
-  languageName: node
-  linkType: hard
-
-"untildify@npm:^2.1.0":
-  version: 2.1.0
-  resolution: "untildify@npm:2.1.0"
-  dependencies:
-    os-homedir: ^1.0.0
-  checksum: 071b394053fc94747d9df8c7f7ca50af41355c1207c8a0bf9f35f52b0d9ad5142a1920b018bc2b6ff04340a4f9c599ad50c9b8f4ff2c689ae52b1463ebbda94e
-  languageName: node
-  linkType: hard
-
-"upath@npm:^1.1.1":
-  version: 1.2.0
-  resolution: "upath@npm:1.2.0"
-  checksum: 4c05c094797cb733193a0784774dbea5b1889d502fc9f0572164177e185e4a59ba7099bf0b0adf945b232e2ac60363f9bf18aac9b2206fb99cbef971a8455445
-  languageName: node
-  linkType: hard
-
-"upath@npm:^2.0.1":
-  version: 2.0.1
-  resolution: "upath@npm:2.0.1"
-  checksum: 2db04f24a03ef72204c7b969d6991abec9e2cb06fb4c13a1fd1c59bc33b46526b16c3325e55930a11ff86a77a8cbbcda8f6399bf914087028c5beae21ecdb33c
-  languageName: node
-  linkType: hard
-
-"update-browserslist-db@npm:^1.0.11":
-  version: 1.0.11
-  resolution: "update-browserslist-db@npm:1.0.11"
-  dependencies:
-    escalade: ^3.1.1
-    picocolors: ^1.0.0
-  peerDependencies:
-    browserslist: ">= 4.21.0"
-  bin:
-    update-browserslist-db: cli.js
-  checksum: b98327518f9a345c7cad5437afae4d2ae7d865f9779554baf2a200fdf4bac4969076b679b1115434bd6557376bdd37ca7583d0f9b8f8e302d7d4cc1e91b5f231
-  languageName: node
-  linkType: hard
-
-"update-section@npm:^0.3.3":
-  version: 0.3.3
-  resolution: "update-section@npm:0.3.3"
-  checksum: 77176459493af2565eccdff16f126a7cec1636ec16a458554bac128631129e734884a0f889d9579cd59739c04c047d46ca19dbe5550e0894736e5bc524fceb18
-  languageName: node
-  linkType: hard
-
-"uri-js@npm:^4.2.2":
-  version: 4.4.1
-  resolution: "uri-js@npm:4.4.1"
-  dependencies:
-    punycode: ^2.1.0
-  checksum: 7167432de6817fe8e9e0c9684f1d2de2bb688c94388f7569f7dbdb1587c9f4ca2a77962f134ec90be0cc4d004c939ff0d05acc9f34a0db39a3c797dada262633
-  languageName: node
-  linkType: hard
-
-"urix@npm:^0.1.0":
-  version: 0.1.0
-  resolution: "urix@npm:0.1.0"
-  checksum: 4c076ecfbf3411e888547fe844e52378ab5ada2d2f27625139011eada79925e77f7fbf0e4016d45e6a9e9adb6b7e64981bd49b22700c7c401c5fc15f423303b3
-  languageName: node
-  linkType: hard
-
-"url@npm:^0.11.0":
-  version: 0.11.0
-  resolution: "url@npm:0.11.0"
-  dependencies:
-    punycode: 1.3.2
-    querystring: 0.2.0
-  checksum: 50d100d3dd2d98b9fe3ada48cadb0b08aa6be6d3ac64112b867b56b19be4bfcba03c2a9a0d7922bfd7ac17d4834e88537749fe182430dfd9b68e520175900d90
-  languageName: node
-  linkType: hard
-
-"use@npm:^3.1.0":
-  version: 3.1.1
-  resolution: "use@npm:3.1.1"
-  checksum: 08a130289f5238fcbf8f59a18951286a6e660d17acccc9d58d9b69dfa0ee19aa038e8f95721b00b432c36d1629a9e32a464bf2e7e0ae6a244c42ddb30bdd8b33
-  languageName: node
-  linkType: hard
-
-"username-sync@npm:^1.0.2":
-  version: 1.0.3
-  resolution: "username-sync@npm:1.0.3"
-  checksum: 1a2aaa8629d018daebd8500272a3064041e18ed157eb32d098dab6ea7dc111b2904222c61bb50f25340d378f003aacbefb3fd6313dd42586137532bc38befe8e
-  languageName: node
-  linkType: hard
-
-"util-deprecate@npm:^1.0.1, util-deprecate@npm:^1.0.2, util-deprecate@npm:~1.0.1":
-  version: 1.0.2
-  resolution: "util-deprecate@npm:1.0.2"
-  checksum: 474acf1146cb2701fe3b074892217553dfcf9a031280919ba1b8d651a068c9b15d863b7303cb15bd00a862b498e6cf4ad7b4a08fb134edd5a6f7641681cb54a2
-  languageName: node
-  linkType: hard
-
-"util.promisify@npm:~1.0.0":
-  version: 1.0.1
-  resolution: "util.promisify@npm:1.0.1"
-  dependencies:
-    define-properties: ^1.1.3
-    es-abstract: ^1.17.2
-    has-symbols: ^1.0.1
-    object.getownpropertydescriptors: ^2.1.0
-  checksum: d823c75b3fc66510018596f128a6592c98991df38bc0464a633bdf9134e2de0a1a33199c5c21cc261048a3982d7a19e032ecff8835b3c587f843deba96063e37
-  languageName: node
-  linkType: hard
-
-"util@npm:0.10.3":
-  version: 0.10.3
-  resolution: "util@npm:0.10.3"
-  dependencies:
-    inherits: 2.0.1
-  checksum: bd800f5d237a82caddb61723a6cbe45297d25dd258651a31335a4d5d981fd033cb4771f82db3d5d59b582b187cb69cfe727dc6f4d8d7826f686ee6c07ce611e0
-  languageName: node
-  linkType: hard
-
-"util@npm:^0.11.0":
-  version: 0.11.1
-  resolution: "util@npm:0.11.1"
-  dependencies:
-    inherits: 2.0.3
-  checksum: 80bee6a2edf5ab08dcb97bfe55ca62289b4e66f762ada201f2c5104cb5e46474c8b334f6504d055c0e6a8fda10999add9bcbd81ba765e7f37b17dc767331aa55
-  languageName: node
-  linkType: hard
-
-"utils-merge@npm:1.0.1":
-  version: 1.0.1
-  resolution: "utils-merge@npm:1.0.1"
-  checksum: c81095493225ecfc28add49c106ca4f09cdf56bc66731aa8dabc2edbbccb1e1bfe2de6a115e5c6a380d3ea166d1636410b62ef216bb07b3feb1cfde1d95d5080
-  languageName: node
-  linkType: hard
-
-"uuid@npm:^3.3.2":
-  version: 3.4.0
-  resolution: "uuid@npm:3.4.0"
-  bin:
-    uuid: ./bin/uuid
-  checksum: 58de2feed61c59060b40f8203c0e4ed7fd6f99d42534a499f1741218a1dd0c129f4aa1de797bcf822c8ea5da7e4137aa3673431a96dae729047f7aca7b27866f
-  languageName: node
-  linkType: hard
-
-"uuid@npm:^8.3.0":
-  version: 8.3.2
-  resolution: "uuid@npm:8.3.2"
-  bin:
-    uuid: dist/bin/uuid
-  checksum: 5575a8a75c13120e2f10e6ddc801b2c7ed7d8f3c8ac22c7ed0c7b2ba6383ec0abda88c905085d630e251719e0777045ae3236f04c812184b7c765f63a70e58df
-  languageName: node
-  linkType: hard
-
-"uuid@npm:^9.0.0":
-  version: 9.0.0
-  resolution: "uuid@npm:9.0.0"
-  bin:
-    uuid: dist/bin/uuid
-  checksum: 8dd2c83c43ddc7e1c71e36b60aea40030a6505139af6bee0f382ebcd1a56f6cd3028f7f06ffb07f8cf6ced320b76aea275284b224b002b289f89fe89c389b028
-  languageName: node
-  linkType: hard
-
-"v8-compile-cache@npm:^2.3.0":
-  version: 2.3.0
-  resolution: "v8-compile-cache@npm:2.3.0"
-  checksum: adb0a271eaa2297f2f4c536acbfee872d0dd26ec2d76f66921aa7fc437319132773483344207bdbeee169225f4739016d8d2dbf0553913a52bb34da6d0334f8e
-  languageName: node
-  linkType: hard
-
-"validate-npm-package-license@npm:^3.0.1":
-  version: 3.0.4
-  resolution: "validate-npm-package-license@npm:3.0.4"
-  dependencies:
-    spdx-correct: ^3.0.0
-    spdx-expression-parse: ^3.0.0
-  checksum: 35703ac889d419cf2aceef63daeadbe4e77227c39ab6287eeb6c1b36a746b364f50ba22e88591f5d017bc54685d8137bc2d328d0a896e4d3fd22093c0f32a9ad
-  languageName: node
-  linkType: hard
-
-"validate-npm-package-name@npm:^5.0.0":
-  version: 5.0.0
-  resolution: "validate-npm-package-name@npm:5.0.0"
-  dependencies:
-    builtins: ^5.0.0
-  checksum: 5342a994986199b3c28e53a8452a14b2bb5085727691ea7aa0d284a6606b127c371e0925ae99b3f1ef7cc7d2c9de75f52eb61a3d1cc45e39bca1e3a9444cbb4e
-  languageName: node
-  linkType: hard
-
-"validate-peer-dependencies@npm:^1.1.0":
-  version: 1.2.0
-  resolution: "validate-peer-dependencies@npm:1.2.0"
-  dependencies:
-    resolve-package-path: ^3.1.0
-    semver: ^7.3.2
-  checksum: a48f4841ff87edf1c0b3dd6e49d197169d654d6206495714ba687112fc30136674c1f0d44d89b935cf15aeb7692024a268af78c6c9ca0a1dad08e72cc7118566
-  languageName: node
-  linkType: hard
-
-"validate-peer-dependencies@npm:^2.1.0":
-  version: 2.2.0
-  resolution: "validate-peer-dependencies@npm:2.2.0"
-  dependencies:
-    resolve-package-path: ^4.0.3
-    semver: ^7.3.8
-  checksum: 0f025e34d9d469c03cf221c34da7e6b53a463ba11bb69294da63a08de67776384e3ef15e3bb479318f304593ae40f502c3e17a9cb671df4d73a9d1005b8b4774
-  languageName: node
-  linkType: hard
-
-"vary@npm:^1, vary@npm:~1.1.2":
-  version: 1.1.2
-  resolution: "vary@npm:1.1.2"
-  checksum: ae0123222c6df65b437669d63dfa8c36cee20a504101b2fcd97b8bf76f91259c17f9f2b4d70a1e3c6bbcee7f51b28392833adb6b2770b23b01abec84e369660b
-  languageName: node
-  linkType: hard
-
-"vault@workspace:.":
-  version: 0.0.0-use.local
-  resolution: "vault@workspace:."
-  dependencies:
-    "@babel/eslint-parser": ^7.21.3
-    "@babel/plugin-proposal-decorators": ^7.21.0
-    "@babel/plugin-proposal-object-rest-spread": ^7.12.1
-    "@babel/plugin-transform-block-scoping": ^7.12.1
-    "@ember/legacy-built-in-components": ^0.4.1
-    "@ember/optional-features": ^2.0.0
-    "@ember/render-modifiers": ^1.0.2
-    "@ember/string": ^3.0.1
-    "@ember/test-helpers": 2.9.3
-    "@ember/test-waiters": ^3.0.0
-    "@glimmer/component": ^1.1.2
-    "@glimmer/tracking": ^1.1.2
-    "@hashicorp/design-system-components": ^2.13.0
-    "@hashicorp/ember-flight-icons": ^3.1.3
-    "@hashicorp/structure-icons": ^1.3.0
-    "@icholy/duration": ^5.1.0
-    "@tsconfig/ember": ^1.0.1
-    "@types/ember": ^4.0.2
-    "@types/ember-data": ^4.4.6
-    "@types/ember-data__adapter": ^4.0.1
-    "@types/ember-data__model": ^4.0.0
-    "@types/ember-data__serializer": ^4.0.1
-    "@types/ember-data__store": ^4.0.2
-    "@types/ember-qunit": ^5.0.2
-    "@types/ember-resolver": ^5.0.13
-    "@types/ember__application": ^4.0.4
-    "@types/ember__array": ^4.0.3
-    "@types/ember__component": ^4.0.11
-    "@types/ember__controller": ^4.0.3
-    "@types/ember__debug": ^4.0.3
-    "@types/ember__destroyable": ^4.0.1
-    "@types/ember__engine": ^4.0.4
-    "@types/ember__error": ^4.0.1
-    "@types/ember__object": ^4.0.5
-    "@types/ember__polyfills": ^4.0.1
-    "@types/ember__routing": ^4.0.12
-    "@types/ember__runloop": ^4.0.2
-    "@types/ember__service": ^4.0.1
-    "@types/ember__string": ^3.0.10
-    "@types/ember__template": ^4.0.1
-    "@types/ember__test": ^4.0.1
-    "@types/ember__test-helpers": ^2.8.2
-    "@types/ember__utils": ^4.0.2
-    "@types/qunit": ^2.19.3
-    "@types/rsvp": ^4.0.4
-    "@types/shell-quote": ^1.7.1
-    "@typescript-eslint/eslint-plugin": ^5.19.0
-    "@typescript-eslint/parser": ^5.19.0
-    asn1js: ^2.2.0
-    autosize: ^4.0.0
-    babel-plugin-inline-json-import: ^0.3.2
-    base64-js: ^1.3.1
-    broccoli-asset-rev: ^3.0.0
-    broccoli-sri-hash: "meirish/broccoli-sri-hash#rooturl"
-    codemirror: ^5.58.2
-    columnify: ^1.5.4
-    d3-axis: ^1.0.8
-    d3-ease: ^1.0.5
-    d3-scale: ^1.0.7
-    d3-selection: ^1.3.0
-    d3-time-format: ^2.1.1
-    d3-tip: ^0.9.1
-    d3-transition: ^1.2.0
-    date-fns: ^2.16.1
-    date-fns-tz: ^1.2.2
-    deepmerge: ^4.0.0
-    doctoc: ^2.2.0
-    dompurify: ^3.0.2
-    ember-auto-import: 2.6.3
-    ember-basic-dropdown: 6.0.1
-    ember-cli: ~4.12.1
-    ember-cli-autoprefixer: ^0.8.1
-    ember-cli-babel: ^7.26.11
-    ember-cli-content-security-policy: 2.0.3
-    ember-cli-dependency-checker: ^3.3.1
-    ember-cli-deprecation-workflow: ^2.1.0
-    ember-cli-flash: 4.0.0
-    ember-cli-htmlbars: ^6.2.0
-    ember-cli-inject-live-reload: ^2.1.0
-    ember-cli-mirage: 2.4.0
-    ember-cli-page-object: 1.17.10
-    ember-cli-sass: 11.0.1
-    ember-cli-sri: "meirish/ember-cli-sri#rooturl"
-    ember-cli-string-helpers: 6.1.0
-    ember-cli-terser: ^4.0.2
-    ember-cli-typescript: ^5.2.1
-    ember-composable-helpers: 5.0.0
-    ember-concurrency: 2.3.4
-    ember-copy: 2.0.1
-    ember-d3: ^0.5.1
-    ember-data: ~4.11.3
-    ember-engines: 0.8.23
-    ember-fetch: ^8.1.2
-    ember-inflector: 4.0.2
-    ember-load-initializers: ^2.1.2
-    ember-maybe-in-element: ^2.0.3
-    ember-modal-dialog: ^4.0.1
-    ember-modifier: ^4.1.0
-    ember-page-title: ^7.0.0
-    ember-power-select: 6.0.1
-    ember-qrcode-shim: ^0.4.0
-    ember-qunit: 6.0.0
-    ember-resolver: ^10.0.0
-    ember-responsive: 5.0.0
-    ember-router-helpers: ^0.4.0
-    ember-service-worker: "meirish/ember-service-worker#configurable-scope"
-    ember-sinon: ^4.0.0
-    ember-source: ~4.12.0
-    ember-svg-jar: 2.4.0
-    ember-template-lint: 5.7.2
-    ember-template-lint-plugin-prettier: 4.0.0
-    ember-test-selectors: 6.0.0
-    ember-tether: ^2.0.1
-    ember-truth-helpers: 3.0.0
-    escape-string-regexp: ^2.0.0
-    eslint: ^8.37.0
-    eslint-config-prettier: ^8.8.0
-    eslint-plugin-compat: 4.0.2
-    eslint-plugin-ember: ^11.5.0
-    eslint-plugin-n: ^15.7.0
-    eslint-plugin-prettier: ^4.2.1
-    eslint-plugin-qunit: ^7.3.4
-    filesize: ^4.2.1
-    flat: ^6.0.1
-    handlebars: 4.7.7
-    highlight.js: ^10.4.1
-    jsondiffpatch: ^0.4.1
-    jsonlint: ^1.6.3
-    lint-staged: ^10.5.1
-    loader.js: ^4.7.0
-    node-notifier: ^8.0.1
-    normalize.css: 4.1.1
-    npm-run-all: ^4.1.5
-    pkijs: ^2.2.2
-    pretender: ^3.4.3
-    prettier: 2.8.7
-    prettier-eslint-cli: ^7.1.0
-    pvutils: ^1.0.17
-    qunit: ^2.19.4
-    qunit-dom: ^2.0.0
-    sass: ^1.58.3
-    sass-svg-uri: ^1.0.0
-    shell-quote: ^1.8.1
-    string.prototype.endswith: ^0.2.0
-    string.prototype.startswith: ^0.2.0
-    stylelint: ^15.4.0
-    stylelint-config-standard: ^32.0.0
-    stylelint-prettier: ^3.0.0
-    swagger-ui-dist: ^5.9.0
-    text-encoder-lite: 2.0.0
-    tracked-built-ins: ^3.1.1
-    typescript: ^4.8.4
-    uuid: ^9.0.0
-    walk-sync: ^2.0.2
-    webpack: 5.78.0
-    xstate: ^3.3.3
-  languageName: unknown
-  linkType: soft
-
-"verror@npm:1.10.0":
-  version: 1.10.0
-  resolution: "verror@npm:1.10.0"
-  dependencies:
-    assert-plus: ^1.0.0
-    core-util-is: 1.0.2
-    extsprintf: ^1.2.0
-  checksum: c431df0bedf2088b227a4e051e0ff4ca54df2c114096b0c01e1cbaadb021c30a04d7dd5b41ab277bcd51246ca135bf931d4c4c796ecae7a4fef6d744ecef36ea
-  languageName: node
-  linkType: hard
-
-"vfile-message@npm:^2.0.0":
-  version: 2.0.4
-  resolution: "vfile-message@npm:2.0.4"
-  dependencies:
-    "@types/unist": ^2.0.0
-    unist-util-stringify-position: ^2.0.0
-  checksum: 1bade499790f46ca5aba04bdce07a1e37c2636a8872e05cf32c26becc912826710b7eb063d30c5754fdfaeedc8a7658e78df10b3bc535c844890ec8a184f5643
-  languageName: node
-  linkType: hard
-
-"vfile@npm:^4.0.0":
-  version: 4.2.1
-  resolution: "vfile@npm:4.2.1"
-  dependencies:
-    "@types/unist": ^2.0.0
-    is-buffer: ^2.0.0
-    unist-util-stringify-position: ^2.0.0
-    vfile-message: ^2.0.0
-  checksum: ee5726e10d170472cde778fc22e0f7499caa096eb85babea5d0ce0941455b721037ee1c9e6ae506ca2803250acd313d0f464328ead0b55cfe7cb6315f1b462d6
-  languageName: node
-  linkType: hard
-
-"vm-browserify@npm:^1.0.1":
-  version: 1.1.2
-  resolution: "vm-browserify@npm:1.1.2"
-  checksum: 10a1c50aab54ff8b4c9042c15fc64aefccce8d2fb90c0640403242db0ee7fb269f9b102bdb69cfb435d7ef3180d61fd4fb004a043a12709abaf9056cfd7e039d
-  languageName: node
-  linkType: hard
-
-"vue-eslint-parser@npm:^8.0.1":
-  version: 8.3.0
-  resolution: "vue-eslint-parser@npm:8.3.0"
-  dependencies:
-    debug: ^4.3.2
-    eslint-scope: ^7.0.0
-    eslint-visitor-keys: ^3.1.0
-    espree: ^9.0.0
-    esquery: ^1.4.0
-    lodash: ^4.17.21
-    semver: ^7.3.5
-  peerDependencies:
-    eslint: ">=6.0.0"
-  checksum: 8cc751e9fc2bfba93664ad8945732ab1c97791f9123e703de8669b65670d1e01906d80436bf4932d7ee6fa6174ed4545e8abb059206c88f4bd71957ca6cf7ba8
-  languageName: node
-  linkType: hard
-
-"w3c-hr-time@npm:^1.0.2":
-  version: 1.0.2
-  resolution: "w3c-hr-time@npm:1.0.2"
-  dependencies:
-    browser-process-hrtime: ^1.0.0
-  checksum: ec3c2dacbf8050d917bbf89537a101a08c2e333b4c19155f7d3bedde43529d4339db6b3d049d9610789cb915f9515f8be037e0c54c079e9d4735c50b37ed52b9
-  languageName: node
-  linkType: hard
-
-"w3c-xmlserializer@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "w3c-xmlserializer@npm:2.0.0"
-  dependencies:
-    xml-name-validator: ^3.0.0
-  checksum: ae25c51cf71f1fb2516df1ab33a481f83461a117565b95e3d0927432522323f93b1b2846cbb60196d337970c421adb604fc2d0d180c6a47a839da01db5b9973b
-  languageName: node
-  linkType: hard
-
-"walk-sync@npm:^0.2.5":
-  version: 0.2.7
-  resolution: "walk-sync@npm:0.2.7"
-  dependencies:
-    ensure-posix-path: ^1.0.0
-    matcher-collection: ^1.0.0
-  checksum: dd5ee5de5504a4e45f86ee6c3ba6af02728a788e43b929a14fc13f19d06faaddc39692a23fba61ace4ff552b5d98b6c56fe207770bb09d87caa85a7e64bf384e
-  languageName: node
-  linkType: hard
-
-"walk-sync@npm:^0.3.0, walk-sync@npm:^0.3.1, walk-sync@npm:^0.3.3":
-  version: 0.3.4
-  resolution: "walk-sync@npm:0.3.4"
-  dependencies:
-    ensure-posix-path: ^1.0.0
-    matcher-collection: ^1.0.0
-  checksum: 07e45a065421d504d305c70d385e37f192600dfd714ba35bb5c2664682e87bfb8be9640212df160b58ae78b506479aa437267f36d6c2f54f1dd800a84d229d86
-  languageName: node
-  linkType: hard
-
-"walk-sync@npm:^1.0.0, walk-sync@npm:^1.1.3":
-  version: 1.1.4
-  resolution: "walk-sync@npm:1.1.4"
-  dependencies:
-    "@types/minimatch": ^3.0.3
-    ensure-posix-path: ^1.1.0
-    matcher-collection: ^1.1.1
-  checksum: 21ce5bfdca01b8ccf3a088e22b7634f1d045f70aac7577728d9797cbdabd4a4cdb1341145a1d5a7fe07c4a15ae106ae2625a319cb6aab3e260fdbf48719e3cc5
-  languageName: node
-  linkType: hard
-
-"walk-sync@npm:^2.0.0, walk-sync@npm:^2.0.2, walk-sync@npm:^2.2.0":
-  version: 2.2.0
-  resolution: "walk-sync@npm:2.2.0"
-  dependencies:
-    "@types/minimatch": ^3.0.3
-    ensure-posix-path: ^1.1.0
-    matcher-collection: ^2.0.0
-    minimatch: ^3.0.4
-  checksum: e579b574f769977a739607d4feba40ded8931ff641f26964ea5a10a280d648d1c1aca260e9ab60288f16d69500ff33687d3ba5fa4dbd427090123189f0f0c9b6
-  languageName: node
-  linkType: hard
-
-"walk-sync@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "walk-sync@npm:3.0.0"
-  dependencies:
-    "@types/minimatch": ^3.0.4
-    ensure-posix-path: ^1.1.0
-    matcher-collection: ^2.0.1
-    minimatch: ^3.0.4
-  checksum: b8701fc893003e4dac62d4fae8e7f411081fb18a9350632e078e9b61880e9a0c7b532385162c8e0b0fb3070f022cf70ac64518bde709b0dec58c13a833182cbc
-  languageName: node
-  linkType: hard
-
-"walker@npm:~1.0.5":
-  version: 1.0.8
-  resolution: "walker@npm:1.0.8"
-  dependencies:
-    makeerror: 1.0.12
-  checksum: ad7a257ea1e662e57ef2e018f97b3c02a7240ad5093c392186ce0bcf1f1a60bbadd520d073b9beb921ed99f64f065efb63dfc8eec689a80e569f93c1c5d5e16c
-  languageName: node
-  linkType: hard
-
-"watch-detector@npm:^0.1.0":
-  version: 0.1.0
-  resolution: "watch-detector@npm:0.1.0"
-  dependencies:
-    heimdalljs-logger: ^0.1.9
-    quick-temp: ^0.1.8
-    rsvp: ^4.7.0
-    semver: ^5.4.1
-    silent-error: ^1.1.0
-  checksum: 024a8eeeeca18fcd8e907f6687508773304b47feb751ac97fa5a4068f6213e7d4cdb8207ee8b688055c20f794fa047d4adba884a3fcf32a965e0ed2cbac0fa18
-  languageName: node
-  linkType: hard
-
-"watch-detector@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "watch-detector@npm:1.0.0"
-  dependencies:
-    heimdalljs-logger: ^0.1.10
-    semver: ^6.3.0
-    silent-error: ^1.1.1
-    tmp: ^0.1.0
-  checksum: da3ab7804890663a07b36c53c27a15bad086021f195941141c0b7153f5b3e269e925a2fb3b65377bd0f5606891e67213a10d31fedd3feed21aef604a30053b26
-  languageName: node
-  linkType: hard
-
-"watch-detector@npm:^1.0.2":
-  version: 1.0.2
-  resolution: "watch-detector@npm:1.0.2"
-  dependencies:
-    heimdalljs-logger: ^0.1.10
-    silent-error: ^1.1.1
-    tmp: ^0.1.0
-  checksum: 1c3bb68ba4ad5e0cdec1daf4d9dc3ff80cacebcc598ad162e2436be06adf5ce5626d4c0bcec84bff9c9ee27add9ff98d6ed4e29cdff2c86a7c4d8120b5f50c1d
-  languageName: node
-  linkType: hard
-
-"watchpack-chokidar2@npm:^2.0.1":
-  version: 2.0.1
-  resolution: "watchpack-chokidar2@npm:2.0.1"
-  dependencies:
-    chokidar: ^2.1.8
-  checksum: acf0f9ebca0c0b2fd1fe87ba557670477a6c0410bf1a653a726e68eb0620aa94fd9a43027a160a76bc793a21ea12e215e1e87dafe762682c13ef92ad4daf7b58
-  languageName: node
-  linkType: hard
-
-"watchpack@npm:^1.7.4":
-  version: 1.7.5
-  resolution: "watchpack@npm:1.7.5"
-  dependencies:
-    chokidar: ^3.4.1
-    graceful-fs: ^4.1.2
-    neo-async: ^2.5.0
-    watchpack-chokidar2: ^2.0.1
-  dependenciesMeta:
-    chokidar:
-      optional: true
-    watchpack-chokidar2:
-      optional: true
-  checksum: 8b7cb8c8df8f4dd0e8ac47693c0141c4f020a4b031411247d600eca31522fde6f1f9a3a6f6518b46e71f7971b0ed5734c08c60d7fdd2530e7262776286f69236
-  languageName: node
-  linkType: hard
-
-"watchpack@npm:^2.4.0":
-  version: 2.4.0
-  resolution: "watchpack@npm:2.4.0"
-  dependencies:
-    glob-to-regexp: ^0.4.1
-    graceful-fs: ^4.1.2
-  checksum: 23d4bc58634dbe13b86093e01c6a68d8096028b664ab7139d58f0c37d962d549a940e98f2f201cecdabd6f9c340338dc73ef8bf094a2249ef582f35183d1a131
-  languageName: node
-  linkType: hard
-
-"wcwidth@npm:^1.0.0, wcwidth@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "wcwidth@npm:1.0.1"
-  dependencies:
-    defaults: ^1.0.3
-  checksum: 814e9d1ddcc9798f7377ffa448a5a3892232b9275ebb30a41b529607691c0491de47cba426e917a4d08ded3ee7e9ba2f3fe32e62ee3cd9c7d3bafb7754bd553c
-  languageName: node
-  linkType: hard
-
-"webidl-conversions@npm:^5.0.0":
-  version: 5.0.0
-  resolution: "webidl-conversions@npm:5.0.0"
-  checksum: ccf1ec2ca7c0b5671e5440ace4a66806ae09c49016ab821481bec0c05b1b82695082dc0a27d1fe9d804d475a408ba0c691e6803fd21be608e710955d4589cd69
-  languageName: node
-  linkType: hard
-
-"webidl-conversions@npm:^6.1.0":
-  version: 6.1.0
-  resolution: "webidl-conversions@npm:6.1.0"
-  checksum: 1f526507aa491f972a0c1409d07f8444e1d28778dfa269a9971f2e157182f3d496dc33296e4ed45b157fdb3bf535bb90c90bf10c50dcf1dd6caacb2a34cc84fb
-  languageName: node
-  linkType: hard
-
-"webpack-sources@npm:^1.4.0, webpack-sources@npm:^1.4.1":
-  version: 1.4.3
-  resolution: "webpack-sources@npm:1.4.3"
-  dependencies:
-    source-list-map: ^2.0.0
-    source-map: ~0.6.1
-  checksum: 37463dad8d08114930f4bc4882a9602941f07c9f0efa9b6bc78738cd936275b990a596d801ef450d022bb005b109b9f451dd087db2f3c9baf53e8e22cf388f79
-  languageName: node
-  linkType: hard
-
-"webpack-sources@npm:^3.2.3":
-  version: 3.2.3
-  resolution: "webpack-sources@npm:3.2.3"
-  checksum: 989e401b9fe3536529e2a99dac8c1bdc50e3a0a2c8669cbafad31271eadd994bc9405f88a3039cd2e29db5e6d9d0926ceb7a1a4e7409ece021fe79c37d9c4607
-  languageName: node
-  linkType: hard
-
-"webpack@npm:5.78.0":
-  version: 5.78.0
-  resolution: "webpack@npm:5.78.0"
-  dependencies:
-    "@types/eslint-scope": ^3.7.3
-    "@types/estree": ^0.0.51
-    "@webassemblyjs/ast": 1.11.1
-    "@webassemblyjs/wasm-edit": 1.11.1
-    "@webassemblyjs/wasm-parser": 1.11.1
-    acorn: ^8.7.1
-    acorn-import-assertions: ^1.7.6
-    browserslist: ^4.14.5
-    chrome-trace-event: ^1.0.2
-    enhanced-resolve: ^5.10.0
-    es-module-lexer: ^0.9.0
-    eslint-scope: 5.1.1
-    events: ^3.2.0
-    glob-to-regexp: ^0.4.1
-    graceful-fs: ^4.2.9
-    json-parse-even-better-errors: ^2.3.1
-    loader-runner: ^4.2.0
-    mime-types: ^2.1.27
-    neo-async: ^2.6.2
-    schema-utils: ^3.1.0
-    tapable: ^2.1.1
-    terser-webpack-plugin: ^5.1.3
-    watchpack: ^2.4.0
-    webpack-sources: ^3.2.3
-  peerDependenciesMeta:
-    webpack-cli:
-      optional: true
-  bin:
-    webpack: bin/webpack.js
-  checksum: 4213e5bcc23e54c2f2a589e8e96f1fb71a2c05d5033ffda6dd8bae32284abfa0eb6b6d0707806e8dcfa48a8fcda2448d3af6c4539061679251d94c0996bebf99
-  languageName: node
-  linkType: hard
-
-"webpack@npm:^4.43.0":
-  version: 4.46.0
-  resolution: "webpack@npm:4.46.0"
-  dependencies:
-    "@webassemblyjs/ast": 1.9.0
-    "@webassemblyjs/helper-module-context": 1.9.0
-    "@webassemblyjs/wasm-edit": 1.9.0
-    "@webassemblyjs/wasm-parser": 1.9.0
-    acorn: ^6.4.1
-    ajv: ^6.10.2
-    ajv-keywords: ^3.4.1
-    chrome-trace-event: ^1.0.2
-    enhanced-resolve: ^4.5.0
-    eslint-scope: ^4.0.3
-    json-parse-better-errors: ^1.0.2
-    loader-runner: ^2.4.0
-    loader-utils: ^1.2.3
-    memory-fs: ^0.4.1
-    micromatch: ^3.1.10
-    mkdirp: ^0.5.3
-    neo-async: ^2.6.1
-    node-libs-browser: ^2.2.1
-    schema-utils: ^1.0.0
-    tapable: ^1.1.3
-    terser-webpack-plugin: ^1.4.3
-    watchpack: ^1.7.4
-    webpack-sources: ^1.4.1
-  peerDependenciesMeta:
-    webpack-cli:
-      optional: true
-    webpack-command:
-      optional: true
-  bin:
-    webpack: bin/webpack.js
-  checksum: 013fa24c00d4261e16ebca60353fa6f848e417b5a44bdf28c16ebebd67fa61e960420bb314c8df05cfe2dad9b90efabcf38fd6875f2361922769a0384085ef1e
-  languageName: node
-  linkType: hard
-
-"websocket-driver@npm:>=0.5.1":
-  version: 0.7.4
-  resolution: "websocket-driver@npm:0.7.4"
-  dependencies:
-    http-parser-js: ">=0.5.1"
-    safe-buffer: ">=5.1.0"
-    websocket-extensions: ">=0.1.1"
-  checksum: fffe5a33fe8eceafd21d2a065661d09e38b93877eae1de6ab5d7d2734c6ed243973beae10ae48c6613cfd675f200e5a058d1e3531bc9e6c5d4f1396ff1f0bfb9
-  languageName: node
-  linkType: hard
-
-"websocket-extensions@npm:>=0.1.1":
-  version: 0.1.4
-  resolution: "websocket-extensions@npm:0.1.4"
-  checksum: 5976835e68a86afcd64c7a9762ed85f2f27d48c488c707e67ba85e717b90fa066b98ab33c744d64255c9622d349eedecf728e65a5f921da71b58d0e9591b9038
-  languageName: node
-  linkType: hard
-
-"whatwg-encoding@npm:^1.0.5":
-  version: 1.0.5
-  resolution: "whatwg-encoding@npm:1.0.5"
-  dependencies:
-    iconv-lite: 0.4.24
-  checksum: 5be4efe111dce29ddee3448d3915477fcc3b28f991d9cf1300b4e50d6d189010d47bca2f51140a844cf9b726e8f066f4aee72a04d687bfe4f2ee2767b2f5b1e6
-  languageName: node
-  linkType: hard
-
-"whatwg-fetch@npm:^3.6.2":
-  version: 3.6.2
-  resolution: "whatwg-fetch@npm:3.6.2"
-  checksum: ee976b7249e7791edb0d0a62cd806b29006ad7ec3a3d89145921ad8c00a3a67e4be8f3fb3ec6bc7b58498724fd568d11aeeeea1f7827e7e1e5eae6c8a275afed
-  languageName: node
-  linkType: hard
-
-"whatwg-mimetype@npm:^2.3.0":
-  version: 2.3.0
-  resolution: "whatwg-mimetype@npm:2.3.0"
-  checksum: 23eb885940bcbcca4ff841c40a78e9cbb893ec42743993a42bf7aed16085b048b44b06f3402018931687153550f9a32d259dfa524e4f03577ab898b6965e5383
-  languageName: node
-  linkType: hard
-
-"whatwg-url@npm:^8.0.0, whatwg-url@npm:^8.5.0":
-  version: 8.5.0
-  resolution: "whatwg-url@npm:8.5.0"
-  dependencies:
-    lodash: ^4.7.0
-    tr46: ^2.0.2
-    webidl-conversions: ^6.1.0
-  checksum: 3bda9bfd98be7a86761bc629d848526ae246b34bce6b1037254752bade6fb610fc696c1d4ba477d0fdd57c86b6fad0128f68203527d94cee13997cc91ecf2bb7
-  languageName: node
-  linkType: hard
-
-"which-boxed-primitive@npm:^1.0.2":
-  version: 1.0.2
-  resolution: "which-boxed-primitive@npm:1.0.2"
-  dependencies:
-    is-bigint: ^1.0.1
-    is-boolean-object: ^1.1.0
-    is-number-object: ^1.0.4
-    is-string: ^1.0.5
-    is-symbol: ^1.0.3
-  checksum: 53ce774c7379071729533922adcca47220228405e1895f26673bbd71bdf7fb09bee38c1d6399395927c6289476b5ae0629863427fd151491b71c4b6cb04f3a5e
-  languageName: node
-  linkType: hard
-
-"which-collection@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "which-collection@npm:1.0.1"
-  dependencies:
-    is-map: ^2.0.1
-    is-set: ^2.0.1
-    is-weakmap: ^2.0.1
-    is-weakset: ^2.0.1
-  checksum: c815bbd163107ef9cb84f135e6f34453eaf4cca994e7ba85ddb0d27cea724c623fae2a473ceccfd5549c53cc65a5d82692de418166df3f858e1e5dc60818581c
-  languageName: node
-  linkType: hard
-
-"which-module@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "which-module@npm:2.0.0"
-  checksum: 809f7fd3dfcb2cdbe0180b60d68100c88785084f8f9492b0998c051d7a8efe56784492609d3f09ac161635b78ea29219eb1418a98c15ce87d085bce905705c9c
-  languageName: node
-  linkType: hard
-
-"which-typed-array@npm:^1.1.9":
-  version: 1.1.9
-  resolution: "which-typed-array@npm:1.1.9"
-  dependencies:
-    available-typed-arrays: ^1.0.5
-    call-bind: ^1.0.2
-    for-each: ^0.3.3
-    gopd: ^1.0.1
-    has-tostringtag: ^1.0.0
-    is-typed-array: ^1.1.10
-  checksum: fe0178ca44c57699ca2c0e657b64eaa8d2db2372a4e2851184f568f98c478ae3dc3fdb5f7e46c384487046b0cf9e23241423242b277e03e8ba3dabc7c84c98ef
-  languageName: node
-  linkType: hard
-
-"which@npm:^1.2.14, which@npm:^1.2.9, which@npm:^1.3.1":
-  version: 1.3.1
-  resolution: "which@npm:1.3.1"
-  dependencies:
-    isexe: ^2.0.0
-  bin:
-    which: ./bin/which
-  checksum: f2e185c6242244b8426c9df1510e86629192d93c1a986a7d2a591f2c24869e7ffd03d6dac07ca863b2e4c06f59a4cc9916c585b72ee9fa1aa609d0124df15e04
-  languageName: node
-  linkType: hard
-
-"which@npm:^2.0.1, which@npm:^2.0.2":
-  version: 2.0.2
-  resolution: "which@npm:2.0.2"
-  dependencies:
-    isexe: ^2.0.0
-  bin:
-    node-which: ./bin/node-which
-  checksum: 1a5c563d3c1b52d5f893c8b61afe11abc3bab4afac492e8da5bde69d550de701cf9806235f20a47b5c8fa8a1d6a9135841de2596535e998027a54589000e66d1
-  languageName: node
-  linkType: hard
-
-"wide-align@npm:^1.1.5":
-  version: 1.1.5
-  resolution: "wide-align@npm:1.1.5"
-  dependencies:
-    string-width: ^1.0.2 || 2 || 3 || 4
-  checksum: d5fc37cd561f9daee3c80e03b92ed3e84d80dde3365a8767263d03dacfc8fa06b065ffe1df00d8c2a09f731482fcacae745abfbb478d4af36d0a891fad4834d3
-  languageName: node
-  linkType: hard
-
-"word-wrap@npm:^1.2.3, word-wrap@npm:~1.2.3":
-  version: 1.2.3
-  resolution: "word-wrap@npm:1.2.3"
-  checksum: 30b48f91fcf12106ed3186ae4fa86a6a1842416df425be7b60485de14bec665a54a68e4b5156647dec3a70f25e84d270ca8bc8cd23182ed095f5c7206a938c1f
-  languageName: node
-  linkType: hard
-
-"wordwrap@npm:^0.0.3":
-  version: 0.0.3
-  resolution: "wordwrap@npm:0.0.3"
-  checksum: dfc2d3512e857ae4b3bc2e8d4e5d2c285c28a4b87cd1d81c977ce9a1a99152d355807e046851a3d61148f39d877fbb889352e07b65a9cbdd2256aa928e159026
-  languageName: node
-  linkType: hard
-
-"wordwrap@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "wordwrap@npm:1.0.0"
-  checksum: 2a44b2788165d0a3de71fd517d4880a8e20ea3a82c080ce46e294f0b68b69a2e49cff5f99c600e275c698a90d12c5ea32aff06c311f0db2eb3f1201f3e7b2a04
-  languageName: node
-  linkType: hard
-
-"worker-farm@npm:^1.7.0":
-  version: 1.7.0
-  resolution: "worker-farm@npm:1.7.0"
-  dependencies:
-    errno: ~0.1.7
-  checksum: eab917530e1feddf157ec749e9c91b73a886142daa7fdf3490bccbf7b548b2576c43ab8d0a98e72ac755cbc101ca8647a7b1ff2485fddb9e8f53c40c77f5a719
-  languageName: node
-  linkType: hard
-
-"workerpool@npm:^2.3.0":
-  version: 2.3.4
-  resolution: "workerpool@npm:2.3.4"
-  dependencies:
-    object-assign: 4.1.1
-  checksum: 34793e88505ca6638372791d401a27d17674efdd34d5535b76ce6579b35a0cb1780156b113a3790405eefc447160d6e255e4887bfbf0c42edbae8fdf475ccc93
-  languageName: node
-  linkType: hard
-
-"workerpool@npm:^3.1.1":
-  version: 3.1.2
-  resolution: "workerpool@npm:3.1.2"
-  dependencies:
-    "@babel/core": ^7.3.4
-    object-assign: 4.1.1
-    rsvp: ^4.8.4
-  checksum: 7b382021ca70310926662b40c489ce78d391fb15a3aa7cf1d03eb7578e49eec777b1f332155b5f654118c03b53367ef96f66a42b128e5ca48b25164de9ef2a99
-  languageName: node
-  linkType: hard
-
-"workerpool@npm:^5.0.1":
-  version: 5.0.4
-  resolution: "workerpool@npm:5.0.4"
-  checksum: 735a9b19a3dce3c6391c88ee85ca7a952d48d1e1e4c32ec208adb9f29920eb052755737e04d1c44f32614d5a81c26387f3a2cfb7e96f15c87cfa01c7b1218958
-  languageName: node
-  linkType: hard
-
-"workerpool@npm:^6.0.0":
-  version: 6.1.4
-  resolution: "workerpool@npm:6.1.4"
-  checksum: 0927dd4302fc39be132e829f6bdca1c675a50d285858d3f0b233b75724030d7c10a618a5e8f5623c991121073306c10af73e750ec9ea366e1d2d76d8b5d3422c
-  languageName: node
-  linkType: hard
-
-"workerpool@npm:^6.4.0":
-  version: 6.4.0
-  resolution: "workerpool@npm:6.4.0"
-  checksum: 5fc010dbec44c69e1758cb2ccf924dfd286a86062a934f9e69a81cbad66f9be541441b2399debc2b024ae3dfc33a34a4c9ad61058af2ed8d53dcdeffb22b7b40
-  languageName: node
-  linkType: hard
-
-"wrap-ansi@npm:^5.1.0":
-  version: 5.1.0
-  resolution: "wrap-ansi@npm:5.1.0"
-  dependencies:
-    ansi-styles: ^3.2.0
-    string-width: ^3.0.0
-    strip-ansi: ^5.0.0
-  checksum: 9b48c862220e541eb0daa22661b38b947973fc57054e91be5b0f2dcc77741a6875ccab4ebe970a394b4682c8dfc17e888266a105fb8b0a9b23c19245e781ceae
-  languageName: node
-  linkType: hard
-
-"wrap-ansi@npm:^6.2.0":
-  version: 6.2.0
-  resolution: "wrap-ansi@npm:6.2.0"
-  dependencies:
-    ansi-styles: ^4.0.0
-    string-width: ^4.1.0
-    strip-ansi: ^6.0.0
-  checksum: 6cd96a410161ff617b63581a08376f0cb9162375adeb7956e10c8cd397821f7eb2a6de24eb22a0b28401300bf228c86e50617cd568209b5f6775b93c97d2fe3a
-  languageName: node
-  linkType: hard
-
-"wrap-ansi@npm:^7.0.0":
-  version: 7.0.0
-  resolution: "wrap-ansi@npm:7.0.0"
-  dependencies:
-    ansi-styles: ^4.0.0
-    string-width: ^4.1.0
-    strip-ansi: ^6.0.0
-  checksum: a790b846fd4505de962ba728a21aaeda189b8ee1c7568ca5e817d85930e06ef8d1689d49dbf0e881e8ef84436af3a88bc49115c2e2788d841ff1b8b5b51a608b
-  languageName: node
-  linkType: hard
-
-"wrap-legacy-hbs-plugin-if-needed@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "wrap-legacy-hbs-plugin-if-needed@npm:1.0.1"
-  dependencies:
-    "@glimmer/reference": ^0.42.1
-    "@glimmer/runtime": ^0.42.1
-    "@glimmer/syntax": ^0.42.1
-    "@simple-dom/interface": ^1.4.0
-  checksum: b273f53b92fa26041e6cf8f3b712a0267a3cc75c8def3370e556428e72ef38deea605897c8d42b2a3b90f04d810c432b1de470db983b0c131030b29dc46aa1bd
-  languageName: node
-  linkType: hard
-
-"wrappy@npm:1":
-  version: 1.0.2
-  resolution: "wrappy@npm:1.0.2"
-  checksum: 159da4805f7e84a3d003d8841557196034155008f817172d4e986bd591f74aa82aa7db55929a54222309e01079a65a92a9e6414da5a6aa4b01ee44a511ac3ee5
-  languageName: node
-  linkType: hard
-
-"write-file-atomic@npm:^3.0.0":
-  version: 3.0.3
-  resolution: "write-file-atomic@npm:3.0.3"
-  dependencies:
-    imurmurhash: ^0.1.4
-    is-typedarray: ^1.0.0
-    signal-exit: ^3.0.2
-    typedarray-to-buffer: ^3.1.5
-  checksum: c55b24617cc61c3a4379f425fc62a386cc51916a9b9d993f39734d005a09d5a4bb748bc251f1304e7abd71d0a26d339996c275955f527a131b1dcded67878280
-  languageName: node
-  linkType: hard
-
-"write-file-atomic@npm:^5.0.1":
-  version: 5.0.1
-  resolution: "write-file-atomic@npm:5.0.1"
-  dependencies:
-    imurmurhash: ^0.1.4
-    signal-exit: ^4.0.1
-  checksum: 8dbb0e2512c2f72ccc20ccedab9986c7d02d04039ed6e8780c987dc4940b793339c50172a1008eed7747001bfacc0ca47562668a069a7506c46c77d7ba3926a9
-  languageName: node
-  linkType: hard
-
-"ws@npm:^7.4.4":
-  version: 7.4.5
-  resolution: "ws@npm:7.4.5"
-  peerDependencies:
-    bufferutil: ^4.0.1
-    utf-8-validate: ^5.0.2
-  peerDependenciesMeta:
-    bufferutil:
-      optional: true
-    utf-8-validate:
-      optional: true
-  checksum: 5c7d1527f93ef27f9306aaf52db76315e8ff84174d1df717196527c50334c80bc10307dcaf6674a9aca4bb73aac3f77c23d3d9b1800e8aa810a5ee7f52d67cfb
-  languageName: node
-  linkType: hard
-
-"ws@npm:~8.2.3":
-  version: 8.2.3
-  resolution: "ws@npm:8.2.3"
-  peerDependencies:
-    bufferutil: ^4.0.1
-    utf-8-validate: ^5.0.2
-  peerDependenciesMeta:
-    bufferutil:
-      optional: true
-    utf-8-validate:
-      optional: true
-  checksum: c869296ccb45f218ac6d32f8f614cd85b50a21fd434caf11646008eef92173be53490810c5c23aea31bc527902261fbfd7b062197eea341b26128d4be56a85e4
-  languageName: node
-  linkType: hard
-
-"xdg-basedir@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "xdg-basedir@npm:4.0.0"
-  checksum: 0073d5b59a37224ed3a5ac0dd2ec1d36f09c49f0afd769008a6e9cd3cd666bd6317bd1c7ce2eab47e1de285a286bad11a9b038196413cd753b79770361855f3c
-  languageName: node
-  linkType: hard
-
-"xml-name-validator@npm:^3.0.0":
-  version: 3.0.0
-  resolution: "xml-name-validator@npm:3.0.0"
-  checksum: b3ac459afed783c285bb98e4960bd1f3ba12754fd4f2320efa0f9181ca28928c53cc75ca660d15d205e81f92304419afe94c531c7cfb3e0649aa6d140d53ecb0
-  languageName: node
-  linkType: hard
-
-"xmlchars@npm:^2.2.0":
-  version: 2.2.0
-  resolution: "xmlchars@npm:2.2.0"
-  checksum: 8c70ac94070ccca03f47a81fcce3b271bd1f37a591bf5424e787ae313fcb9c212f5f6786e1fa82076a2c632c0141552babcd85698c437506dfa6ae2d58723062
-  languageName: node
-  linkType: hard
-
-"xstate@npm:^3.3.3":
-  version: 3.3.3
-  resolution: "xstate@npm:3.3.3"
-  checksum: b659cf8c7ac5f48ef68bd55d8b5a60fb3b34686222c8d4e8966b9e8d7fd59569cf02e135fba5969d1f7b96cd3f617b1131b38970b90930371e668af7f6b4d2f6
-  languageName: node
-  linkType: hard
-
-"xtend@npm:^4.0.0, xtend@npm:~4.0.1":
-  version: 4.0.2
-  resolution: "xtend@npm:4.0.2"
-  checksum: ac5dfa738b21f6e7f0dd6e65e1b3155036d68104e67e5d5d1bde74892e327d7e5636a076f625599dc394330a731861e87343ff184b0047fef1360a7ec0a5a36a
-  languageName: node
-  linkType: hard
-
-"y18n@npm:^4.0.0":
-  version: 4.0.3
-  resolution: "y18n@npm:4.0.3"
-  checksum: 014dfcd9b5f4105c3bb397c1c8c6429a9df004aa560964fb36732bfb999bfe83d45ae40aeda5b55d21b1ee53d8291580a32a756a443e064317953f08025b1aa4
-  languageName: node
-  linkType: hard
-
-"y18n@npm:^5.0.5":
-  version: 5.0.8
-  resolution: "y18n@npm:5.0.8"
-  checksum: 54f0fb95621ee60898a38c572c515659e51cc9d9f787fb109cef6fde4befbe1c4602dc999d30110feee37456ad0f1660fa2edcfde6a9a740f86a290999550d30
-  languageName: node
-  linkType: hard
-
-"yallist@npm:^3.0.0, yallist@npm:^3.0.2":
-  version: 3.1.1
-  resolution: "yallist@npm:3.1.1"
-  checksum: 48f7bb00dc19fc635a13a39fe547f527b10c9290e7b3e836b9a8f1ca04d4d342e85714416b3c2ab74949c9c66f9cebb0473e6bc353b79035356103b47641285d
-  languageName: node
-  linkType: hard
-
-"yallist@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "yallist@npm:4.0.0"
-  checksum: 343617202af32df2a15a3be36a5a8c0c8545208f3d3dfbc6bb7c3e3b7e8c6f8e7485432e4f3b88da3031a6e20afa7c711eded32ddfb122896ac5d914e75848d5
-  languageName: node
-  linkType: hard
-
-"yam@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "yam@npm:1.0.0"
-  dependencies:
-    fs-extra: ^4.0.2
-    lodash.merge: ^4.6.0
-  checksum: b954d6fedeb19525ff559e25ce8bd38033ffe75f11a13a71fa960b3c36055c0e4a57910aac441ffd8ae9513ef3461ed1a9f91c767825546f3ea3831b39bdb5c9
-  languageName: node
-  linkType: hard
-
-"yaml@npm:^1.10.0":
-  version: 1.10.2
-  resolution: "yaml@npm:1.10.2"
-  checksum: ce4ada136e8a78a0b08dc10b4b900936912d15de59905b2bf415b4d33c63df1d555d23acb2a41b23cf9fb5da41c256441afca3d6509de7247daa062fd2c5ea5f
-  languageName: node
-  linkType: hard
-
-"yargs-parser@npm:^13.1.2":
-  version: 13.1.2
-  resolution: "yargs-parser@npm:13.1.2"
-  dependencies:
-    camelcase: ^5.0.0
-    decamelize: ^1.2.0
-  checksum: c8bb6f44d39a4acd94462e96d4e85469df865de6f4326e0ab1ac23ae4a835e5dd2ddfe588317ebf80c3a7e37e741bd5cb0dc8d92bcc5812baefb7df7c885e86b
-  languageName: node
-  linkType: hard
-
-"yargs-parser@npm:^20.2.9":
-  version: 20.2.9
-  resolution: "yargs-parser@npm:20.2.9"
-  checksum: 8bb69015f2b0ff9e17b2c8e6bfe224ab463dd00ca211eece72a4cd8a906224d2703fb8a326d36fdd0e68701e201b2a60ed7cf81ce0fd9b3799f9fe7745977ae3
-  languageName: node
-  linkType: hard
-
-"yargs-parser@npm:^21.1.1":
-  version: 21.1.1
-  resolution: "yargs-parser@npm:21.1.1"
-  checksum: ed2d96a616a9e3e1cc7d204c62ecc61f7aaab633dcbfab2c6df50f7f87b393993fe6640d017759fe112d0cb1e0119f2b4150a87305cc873fd90831c6a58ccf1c
-  languageName: node
-  linkType: hard
-
-"yargs@npm:^13.1.1":
-  version: 13.3.2
-  resolution: "yargs@npm:13.3.2"
-  dependencies:
-    cliui: ^5.0.0
-    find-up: ^3.0.0
-    get-caller-file: ^2.0.1
-    require-directory: ^2.1.1
-    require-main-filename: ^2.0.0
-    set-blocking: ^2.0.0
-    string-width: ^3.0.0
-    which-module: ^2.0.0
-    y18n: ^4.0.0
-    yargs-parser: ^13.1.2
-  checksum: 75c13e837eb2bb25717957ba58d277e864efc0cca7f945c98bdf6477e6ec2f9be6afa9ed8a876b251a21423500c148d7b91e88dee7adea6029bdec97af1ef3e8
-  languageName: node
-  linkType: hard
-
-"yargs@npm:^17.7.1":
-  version: 17.7.2
-  resolution: "yargs@npm:17.7.2"
-  dependencies:
-    cliui: ^8.0.1
-    escalade: ^3.1.1
-    get-caller-file: ^2.0.5
-    require-directory: ^2.1.1
-    string-width: ^4.2.3
-    y18n: ^5.0.5
-    yargs-parser: ^21.1.1
-  checksum: 73b572e863aa4a8cbef323dd911d79d193b772defd5a51aab0aca2d446655216f5002c42c5306033968193bdbf892a7a4c110b0d77954a7fdf563e653967b56a
-  languageName: node
-  linkType: hard
-
-"yocto-queue@npm:^0.1.0":
-  version: 0.1.0
-  resolution: "yocto-queue@npm:0.1.0"
-  checksum: f77b3d8d00310def622123df93d4ee654fc6a0096182af8bd60679ddcdfb3474c56c6c7190817c84a2785648cdee9d721c0154eb45698c62176c322fb46fc700
-  languageName: node
-  linkType: hard
-
-"yocto-queue@npm:^1.0.0":
-  version: 1.0.0
-  resolution: "yocto-queue@npm:1.0.0"
-  checksum: 2cac84540f65c64ccc1683c267edce396b26b1e931aa429660aefac8fbe0188167b7aee815a3c22fa59a28a58d898d1a2b1825048f834d8d629f4c2a5d443801
-  languageName: node
-  linkType: hard
-
-"zwitch@npm:^1.0.0":
-  version: 1.0.5
-  resolution: "zwitch@npm:1.0.5"
-  checksum: 28a1bebacab3bc60150b6b0a2ba1db2ad033f068e81f05e4892ec0ea13ae63f5d140a1d692062ac0657840c8da076f35b94433b5f1c329d7803b247de80f064a
-  languageName: node
-  linkType: hard
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+{{#if this.showLicenseError}}
+  <div class="section is-flex-v-centered-tablet is-flex-grow-1 is-fullwidth">
+    <div class="columns is-centered is-gapless is-fullwidth">
+      <EmptyState
+        class="empty-state-transparent"
+        @title="License required"
+        @subTitle="Vault license has terminated"
+        @icon="skip"
+        @bottomBorder={{true}}
+        @message="Your Vault license has terminated and Vault is sealed. To unseal, add a current license to your configuration and restart Vault."
+      >
+        <p class="align-right">
+          <DocLink @path="/vault/tutorials/enterprise/hashicorp-enterprise-license">
+            License documentation
+          </DocLink>
+        </p>
+      </EmptyState>
+    </div>
+  </div>
+{{else}}
+  <SplashPage>
+    <:header>
+      <h1 class="title is-3">
+        Unseal Vault
+      </h1>
+    </:header>
+
+    <:content>
+      <div class="box is-borderless is-shadowless is-marginless">
+        <p class="title is-5">
+          {{capitalize this.model.name}}
+          is
+          {{if this.model.unsealed "unsealed" "sealed"}}
+        </p>
+        {{#if this.model.unsealed}}
+          <p>Please wait while we redirect you.</p>
+        {{else}}
+          <p>
+            Unseal Vault by entering portions of the unseal key. This can be done via multiple mechanisms on multiple
+            computers. Once all portions are entered, the root key will be decrypted and Vault will unseal.
+          </p>
+          <Shamir::Flow
+            @action="unseal"
+            @threshold={{this.model.sealThreshold}}
+            @progress={{this.model.sealProgress}}
+            @updateProgress={{action "reloadCluster"}}
+            @inputLabel="Unseal Key Portion"
+            @buttonText="Unseal"
+            @onLicenseError={{action "handleLicenseError"}}
+            @checkComplete={{action "isUnsealed"}}
+            @onShamirSuccess={{action "transitionToCluster"}}
+            class="has-top-margin-m"
+          />
+        {{/if}}
+      </div>
+    </:content>
+
+    <:footer>
+      <div class="box is-borderless is-shadowless">
+        <p>
+          <ExternalLink @href="https://developer.hashicorp.com/vault/docs/concepts/seal">
+            Seal/unseal documentation
+          </ExternalLink>
+        </p>
+      </div>
+    </:footer>
+  </SplashPage>
+{{/if}}
\ No newline at end of file
diff --git a/vault/audit_broker.go b/vault/audit_broker.go
index 7fcce78e29f7..c01f8ce00627 100644
--- a/vault/audit_broker.go
+++ b/vault/audit_broker.go
@@ -1,318 +1,32 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package vault
-
-import (
-	"context"
-	"fmt"
-	"runtime/debug"
-	"sync"
-	"time"
-
-	"github.com/hashicorp/vault/internal/observability/event"
-
-	metrics "github.com/armon/go-metrics"
-	"github.com/hashicorp/eventlogger"
-	log "github.com/hashicorp/go-hclog"
-	multierror "github.com/hashicorp/go-multierror"
-	"github.com/hashicorp/vault/audit"
-	"github.com/hashicorp/vault/sdk/logical"
-)
-
-type backendEntry struct {
-	backend audit.Backend
-	local   bool
-}
-
-// AuditBroker is used to provide a single ingest interface to auditable
-// events given that multiple backends may be configured.
-type AuditBroker struct {
-	sync.RWMutex
-	backends map[string]backendEntry
-	logger   log.Logger
-
-	broker *eventlogger.Broker
-}
-
-// NewAuditBroker creates a new audit broker
-func NewAuditBroker(log log.Logger, useEventLogger bool) (*AuditBroker, error) {
-	var eventBroker *eventlogger.Broker
-	var err error
-
-	if useEventLogger {
-		eventBroker, err = eventlogger.NewBroker(eventlogger.WithNodeRegistrationPolicy(eventlogger.DenyOverwrite), eventlogger.WithPipelineRegistrationPolicy(eventlogger.DenyOverwrite))
-		if err != nil {
-			return nil, fmt.Errorf("error creating event broker for audit events: %w", err)
-		}
-	}
-
-	b := &AuditBroker{
-		backends: make(map[string]backendEntry),
-		logger:   log,
-		broker:   eventBroker,
-	}
-	return b, nil
-}
-
-// Register is used to add new audit backend to the broker
-func (a *AuditBroker) Register(name string, b audit.Backend, local bool) error {
-	a.Lock()
-	defer a.Unlock()
-
-	a.backends[name] = backendEntry{
-		backend: b,
-		local:   local,
-	}
-
-	if a.broker != nil {
-		err := a.broker.SetSuccessThresholdSinks(eventlogger.EventType(event.AuditType.String()), 1)
-		if err != nil {
-			return err
-		}
-
-		err = b.RegisterNodesAndPipeline(a.broker, name)
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-// Deregister is used to remove an audit backend from the broker
-func (a *AuditBroker) Deregister(ctx context.Context, name string) error {
-	a.Lock()
-	defer a.Unlock()
-
-	// Remove the Backend from the map first, so that if an error occurs while
-	// removing the pipeline and nodes, we can quickly exit this method with
-	// the error.
-	delete(a.backends, name)
-
-	if a.broker != nil {
-		if len(a.backends) == 0 {
-			err := a.broker.SetSuccessThresholdSinks(eventlogger.EventType(event.AuditType.String()), 0)
-			if err != nil {
-				return err
-			}
-		}
-
-		// The first return value, a bool, indicates whether
-		// RemovePipelineAndNodes encountered the error while evaluating
-		// pre-conditions (false) or once it started removing the pipeline and
-		// the nodes (true). This code doesn't care either way.
-		_, err := a.broker.RemovePipelineAndNodes(ctx, eventlogger.EventType(event.AuditType.String()), eventlogger.PipelineID(name))
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-// IsRegistered is used to check if a given audit backend is registered
-func (a *AuditBroker) IsRegistered(name string) bool {
-	a.RLock()
-	defer a.RUnlock()
-
-	_, ok := a.backends[name]
-	return ok
-}
-
-// IsLocal is used to check if a given audit backend is registered
-func (a *AuditBroker) IsLocal(name string) (bool, error) {
-	a.RLock()
-	defer a.RUnlock()
-	be, ok := a.backends[name]
-	if ok {
-		return be.local, nil
-	}
-	return false, fmt.Errorf("unknown audit backend %q", name)
-}
-
-// GetHash returns a hash using the salt of the given backend
-func (a *AuditBroker) GetHash(ctx context.Context, name string, input string) (string, error) {
-	a.RLock()
-	defer a.RUnlock()
-	be, ok := a.backends[name]
-	if !ok {
-		return "", fmt.Errorf("unknown audit backend %q", name)
-	}
-
-	return audit.HashString(ctx, be.backend, input)
-}
-
-// LogRequest is used to ensure all the audit backends have an opportunity to
-// log the given request and that *at least one* succeeds.
-func (a *AuditBroker) LogRequest(ctx context.Context, in *logical.LogInput, headersConfig *AuditedHeadersConfig) (ret error) {
-	defer metrics.MeasureSince([]string{"audit", "log_request"}, time.Now())
-
-	a.RLock()
-	defer a.RUnlock()
-
-	if in.Request.InboundSSCToken != "" {
-		if in.Auth != nil {
-			reqAuthToken := in.Auth.ClientToken
-			in.Auth.ClientToken = in.Request.InboundSSCToken
-			defer func() {
-				in.Auth.ClientToken = reqAuthToken
-			}()
-		}
-	}
-
-	var retErr *multierror.Error
-
-	defer func() {
-		if r := recover(); r != nil {
-			a.logger.Error("panic during logging", "request_path", in.Request.Path, "error", r, "stacktrace", string(debug.Stack()))
-			retErr = multierror.Append(retErr, fmt.Errorf("panic generating audit log"))
-		}
-
-		ret = retErr.ErrorOrNil()
-		failure := float32(0.0)
-		if ret != nil {
-			failure = 1.0
-		}
-		metrics.IncrCounter([]string{"audit", "log_request_failure"}, failure)
-	}()
-
-	headers := in.Request.Headers
-	defer func() {
-		in.Request.Headers = headers
-	}()
-
-	// Old behavior (no events)
-	if a.broker == nil {
-		// Ensure at least one backend logs
-		anyLogged := false
-		for name, be := range a.backends {
-			in.Request.Headers = nil
-			transHeaders, thErr := headersConfig.ApplyConfig(ctx, headers, be.backend)
-			if thErr != nil {
-				a.logger.Error("backend failed to include headers", "backend", name, "error", thErr)
-				continue
-			}
-			in.Request.Headers = transHeaders
-
-			start := time.Now()
-			lrErr := be.backend.LogRequest(ctx, in)
-			metrics.MeasureSince([]string{"audit", name, "log_request"}, start)
-			if lrErr != nil {
-				a.logger.Error("backend failed to log request", "backend", name, "error", lrErr)
-			} else {
-				anyLogged = true
-			}
-		}
-		if !anyLogged && len(a.backends) > 0 {
-			retErr = multierror.Append(retErr, fmt.Errorf("no audit backend succeeded in logging the request"))
-		}
-	} else {
-		if len(a.backends) > 0 {
-			e, err := audit.NewEvent(audit.RequestType)
-			if err != nil {
-				retErr = multierror.Append(retErr, err)
-			}
-
-			e.Data = in
-
-			status, err := a.broker.Send(ctx, eventlogger.EventType(event.AuditType.String()), e)
-			if err != nil {
-				retErr = multierror.Append(retErr, multierror.Append(err, status.Warnings...))
-			}
-		}
-	}
-
-	return retErr.ErrorOrNil()
-}
-
-// LogResponse is used to ensure all the audit backends have an opportunity to
-// log the given response and that *at least one* succeeds.
-func (a *AuditBroker) LogResponse(ctx context.Context, in *logical.LogInput, headersConfig *AuditedHeadersConfig) (ret error) {
-	defer metrics.MeasureSince([]string{"audit", "log_response"}, time.Now())
-	a.RLock()
-	defer a.RUnlock()
-	if in.Request.InboundSSCToken != "" {
-		if in.Auth != nil {
-			reqAuthToken := in.Auth.ClientToken
-			in.Auth.ClientToken = in.Request.InboundSSCToken
-			defer func() {
-				in.Auth.ClientToken = reqAuthToken
-			}()
-		}
-	}
-
-	var retErr *multierror.Error
-
-	defer func() {
-		if r := recover(); r != nil {
-			a.logger.Error("panic during logging", "request_path", in.Request.Path, "error", r, "stacktrace", string(debug.Stack()))
-			retErr = multierror.Append(retErr, fmt.Errorf("panic generating audit log"))
-		}
-
-		ret = retErr.ErrorOrNil()
-
-		failure := float32(0.0)
-		if ret != nil {
-			failure = 1.0
-		}
-		metrics.IncrCounter([]string{"audit", "log_response_failure"}, failure)
-	}()
-
-	headers := in.Request.Headers
-	defer func() {
-		in.Request.Headers = headers
-	}()
-
-	// Ensure at least one backend logs
-	if a.broker == nil {
-		anyLogged := false
-		for name, be := range a.backends {
-			in.Request.Headers = nil
-			transHeaders, thErr := headersConfig.ApplyConfig(ctx, headers, be.backend)
-			if thErr != nil {
-				a.logger.Error("backend failed to include headers", "backend", name, "error", thErr)
-				continue
-			}
-			in.Request.Headers = transHeaders
-
-			start := time.Now()
-			lrErr := be.backend.LogResponse(ctx, in)
-			metrics.MeasureSince([]string{"audit", name, "log_response"}, start)
-			if lrErr != nil {
-				a.logger.Error("backend failed to log response", "backend", name, "error", lrErr)
-			} else {
-				anyLogged = true
-			}
-		}
-		if !anyLogged && len(a.backends) > 0 {
-			retErr = multierror.Append(retErr, fmt.Errorf("no audit backend succeeded in logging the response"))
-		}
-	} else {
-		if len(a.backends) > 0 {
-			e, err := audit.NewEvent(audit.ResponseType)
-			if err != nil {
-				return multierror.Append(retErr, err)
-			}
-
-			e.Data = in
-
-			status, err := a.broker.Send(ctx, eventlogger.EventType(event.AuditType.String()), e)
-			if err != nil {
-				retErr = multierror.Append(retErr, multierror.Append(err, status.Warnings...))
-			}
-		}
-	}
-
-	return retErr.ErrorOrNil()
-}
-
-func (a *AuditBroker) Invalidate(ctx context.Context, key string) {
-	// For now, we ignore the key as this would only apply to salts. We just
-	// sort of brute force it on each one.
-	a.Lock()
-	defer a.Unlock()
-	for _, be := range a.backends {
-		be.backend.Invalidate(ctx)
-	}
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Controller from '@ember/controller';
+import { inject as service } from '@ember/service';
+
+export default Controller.extend({
+  router: service(),
+  showLicenseError: false,
+
+  actions: {
+    transitionToCluster() {
+      return this.model.reload().then(() => {
+        return this.router.transitionTo('vault.cluster', this.model.name);
+      });
+    },
+
+    reloadCluster() {
+      return this.model.reload();
+    },
+
+    isUnsealed(data) {
+      return data.sealed === false;
+    },
+
+    handleLicenseError() {
+      this.set('showLicenseError', true);
+    },
+  },
+});
diff --git a/vault/barrier_aes_gcm.go b/vault/barrier_aes_gcm.go
index 5145146b66b6..a671071c15a0 100644
--- a/vault/barrier_aes_gcm.go
+++ b/vault/barrier_aes_gcm.go
@@ -1,1253 +1,113 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package vault
+package command
 
 import (
-	"context"
-	"crypto/aes"
-	"crypto/cipher"
-	"crypto/rand"
-	"crypto/subtle"
-	"encoding/binary"
-	"errors"
 	"fmt"
-	"io"
-	"math"
-	"strconv"
 	"strings"
-	"sync"
-	"time"
 
-	"github.com/armon/go-metrics"
-	"github.com/hashicorp/go-secure-stdlib/strutil"
-	"github.com/hashicorp/vault/sdk/helper/jsonutil"
-	"github.com/hashicorp/vault/sdk/logical"
-	"github.com/hashicorp/vault/sdk/physical"
-	"go.uber.org/atomic"
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
 )
 
-const (
-	// initialKeyTerm is the hard coded initial key term. This is
-	// used only for values that are not encrypted with the keyring.
-	initialKeyTerm = 1
-
-	// termSize the number of bytes used for the key term.
-	termSize = 4
-
-	autoRotateCheckInterval = 5 * time.Minute
-	legacyRotateReason      = "legacy rotation"
-)
-
-// Versions of the AESGCM storage methodology
-const (
-	AESGCMVersion1 = 0x1
-	AESGCMVersion2 = 0x2
-)
-
-// barrierInit is the JSON encoded value stored
-type barrierInit struct {
-	Version int    // Version is the current format version
-	Key     []byte // Key is the primary encryption key
-}
-
-// Validate AESGCMBarrier satisfies SecurityBarrier interface
 var (
-	_                      SecurityBarrier = &AESGCMBarrier{}
-	barrierEncryptsMetric                  = []string{"barrier", "estimated_encryptions"}
-	barrierRotationsMetric                 = []string{"barrier", "auto_rotation"}
+	_ cli.Command             = (*UnwrapCommand)(nil)
+	_ cli.CommandAutocomplete = (*UnwrapCommand)(nil)
 )
 
-// AESGCMBarrier is a SecurityBarrier implementation that uses the AES
-// cipher core and the Galois Counter Mode block mode. It defaults to
-// the golang NONCE default value of 12 and a key size of 256
-// bit. AES-GCM is high performance, and provides both confidentiality
-// and integrity.
-type AESGCMBarrier struct {
-	backend physical.Backend
-
-	l      sync.RWMutex
-	sealed bool
-
-	// keyring is used to maintain all of the encryption keys, including
-	// the active key used for encryption, but also prior keys to allow
-	// decryption of keys encrypted under previous terms.
-	keyring *Keyring
-
-	// cache is used to reduce the number of AEAD constructions we do
-	cache     map[uint32]cipher.AEAD
-	cacheLock sync.RWMutex
-
-	// currentAESGCMVersionByte is prefixed to a message to allow for
-	// future versioning of barrier implementations. It's var instead
-	// of const to allow for testing
-	currentAESGCMVersionByte byte
-
-	initialized atomic.Bool
-
-	UnaccountedEncryptions *atomic.Int64
-	// Used only for testing
-	RemoteEncryptions     *atomic.Int64
-	totalLocalEncryptions *atomic.Int64
-}
-
-func (b *AESGCMBarrier) RotationConfig() (kc KeyRotationConfig, err error) {
-	if b.keyring == nil {
-		return kc, errors.New("keyring not yet present")
-	}
-	return b.keyring.rotationConfig.Clone(), nil
-}
-
-func (b *AESGCMBarrier) SetRotationConfig(ctx context.Context, rotConfig KeyRotationConfig) error {
-	b.l.Lock()
-	defer b.l.Unlock()
-	rotConfig.Sanitize()
-	if !rotConfig.Equals(b.keyring.rotationConfig) {
-		b.keyring.rotationConfig = rotConfig
-
-		return b.persistKeyring(ctx, b.keyring)
-	}
-	return nil
-}
-
-// NewAESGCMBarrier is used to construct a new barrier that uses
-// the provided physical backend for storage.
-func NewAESGCMBarrier(physical physical.Backend) (*AESGCMBarrier, error) {
-	b := &AESGCMBarrier{
-		backend:                  physical,
-		sealed:                   true,
-		cache:                    make(map[uint32]cipher.AEAD),
-		currentAESGCMVersionByte: byte(AESGCMVersion2),
-		UnaccountedEncryptions:   atomic.NewInt64(0),
-		RemoteEncryptions:        atomic.NewInt64(0),
-		totalLocalEncryptions:    atomic.NewInt64(0),
-	}
-	return b, nil
-}
-
-// Initialized checks if the barrier has been initialized
-// and has a root key set.
-func (b *AESGCMBarrier) Initialized(ctx context.Context) (bool, error) {
-	if b.initialized.Load() {
-		return true, nil
-	}
-
-	// Read the keyring file
-	keys, err := b.backend.List(ctx, keyringPrefix)
-	if err != nil {
-		return false, fmt.Errorf("failed to check for initialization: %w", err)
-	}
-	if strutil.StrListContains(keys, "keyring") {
-		b.initialized.Store(true)
-		return true, nil
-	}
-
-	// Fallback, check for the old sentinel file
-	out, err := b.backend.Get(ctx, barrierInitPath)
-	if err != nil {
-		return false, fmt.Errorf("failed to check for initialization: %w", err)
-	}
-	b.initialized.Store(out != nil)
-	return out != nil, nil
-}
-
-// Initialize works only if the barrier has not been initialized
-// and makes use of the given root key.
-func (b *AESGCMBarrier) Initialize(ctx context.Context, key []byte, sealKey []byte, reader io.Reader) error {
-	// Verify the key size
-	min, max := b.KeyLength()
-	if len(key) < min || len(key) > max {
-		return fmt.Errorf("key size must be %d or %d", min, max)
-	}
-
-	// Check if already initialized
-	if alreadyInit, err := b.Initialized(ctx); err != nil {
-		return err
-	} else if alreadyInit {
-		return ErrBarrierAlreadyInit
-	}
-
-	// Generate encryption key
-	encryptionKey, err := b.GenerateKey(reader)
-	if err != nil {
-		return fmt.Errorf("failed to generate encryption key: %w", err)
-	}
-
-	// Create a new keyring, install the keys
-	keyring := NewKeyring()
-	keyring = keyring.SetRootKey(key)
-	keyring, err = keyring.AddKey(&Key{
-		Term:    1,
-		Version: 1,
-		Value:   encryptionKey,
-	})
-	if err != nil {
-		return fmt.Errorf("failed to create keyring: %w", err)
-	}
-
-	err = b.persistKeyring(ctx, keyring)
-	if err != nil {
-		return err
-	}
-
-	if len(sealKey) > 0 {
-		primary, err := b.aeadFromKey(encryptionKey)
-		if err != nil {
-			return err
-		}
-
-		err = b.putInternal(ctx, 1, primary, &logical.StorageEntry{
-			Key:   shamirKekPath,
-			Value: sealKey,
-		})
-		if err != nil {
-			return fmt.Errorf("failed to store new seal key: %w", err)
-		}
-	}
-
-	return nil
-}
-
-// persistKeyring is used to write out the keyring using the
-// root key to encrypt it.
-func (b *AESGCMBarrier) persistKeyring(ctx context.Context, keyring *Keyring) error {
-	const (
-		// The keyring is persisted before the root key.
-		keyringTimeout = 1 * time.Second
-	)
-
-	// Create the keyring entry
-	keyringBuf, err := keyring.Serialize()
-	defer memzero(keyringBuf)
-	if err != nil {
-		return fmt.Errorf("failed to serialize keyring: %w", err)
-	}
-
-	// Create the AES-GCM
-	gcm, err := b.aeadFromKey(keyring.RootKey())
-	if err != nil {
-		return fmt.Errorf("failed to retrieve AES-GCM AEAD from root key: %w", err)
-	}
-
-	// Encrypt the barrier init value
-	value, err := b.encrypt(keyringPath, initialKeyTerm, gcm, keyringBuf)
-	if err != nil {
-		return fmt.Errorf("failed to encrypt barrier initial value: %w", err)
-	}
-
-	// Create the keyring physical entry
-	pe := &physical.Entry{
-		Key:   keyringPath,
-		Value: value,
-	}
-
-	// We reduce the timeout on the initial 'put' but if this succeeds we will
-	// allow longer later on when we try to persist the root key .
-	ctxKeyring, cancelKeyring := context.WithTimeout(ctx, keyringTimeout)
-	defer cancelKeyring()
-	if err := b.backend.Put(ctxKeyring, pe); err != nil {
-		return fmt.Errorf("failed to persist keyring: %w", err)
-	}
-
-	// Serialize the root key value
-	key := &Key{
-		Term:    1,
-		Version: 1,
-		Value:   keyring.RootKey(),
-	}
-	keyBuf, err := key.Serialize()
-	defer memzero(keyBuf)
-	if err != nil {
-		return fmt.Errorf("failed to serialize root key: %w", err)
-	}
-
-	// Encrypt the root key
-	activeKey := keyring.ActiveKey()
-	aead, err := b.aeadFromKey(activeKey.Value)
-	if err != nil {
-		return fmt.Errorf("failed to retrieve AES-GCM AEAD from active key: %w", err)
-	}
-	value, err = b.encryptTracked(rootKeyPath, activeKey.Term, aead, keyBuf)
-	if err != nil {
-		return fmt.Errorf("failed to encrypt and track active key value: %w", err)
-	}
-
-	// Update the rootKeyPath for standby instances
-	pe = &physical.Entry{
-		Key:   rootKeyPath,
-		Value: value,
-	}
-
-	// Use the longer timeout from the original context, for the follow-up write
-	// to persist the root key, as the initial storage of the keyring was successful.
-	if err := b.backend.Put(ctx, pe); err != nil {
-		return fmt.Errorf("failed to persist root key: %w", err)
-	}
-	return nil
-}
-
-// GenerateKey is used to generate a new key
-func (b *AESGCMBarrier) GenerateKey(reader io.Reader) ([]byte, error) {
-	// Generate a 256bit key
-	buf := make([]byte, 2*aes.BlockSize)
-	_, err := reader.Read(buf)
-
-	return buf, err
-}
-
-// KeyLength is used to sanity check a key
-func (b *AESGCMBarrier) KeyLength() (int, int) {
-	return aes.BlockSize, 2 * aes.BlockSize
-}
-
-// Sealed checks if the barrier has been unlocked yet. The Barrier
-// is not expected to be able to perform any CRUD until it is unsealed.
-func (b *AESGCMBarrier) Sealed() (bool, error) {
-	b.l.RLock()
-	sealed := b.sealed
-	b.l.RUnlock()
-	return sealed, nil
-}
-
-// VerifyRoot is used to check if the given key matches the root key
-func (b *AESGCMBarrier) VerifyRoot(key []byte) error {
-	b.l.RLock()
-	defer b.l.RUnlock()
-	if b.sealed {
-		return ErrBarrierSealed
-	}
-	if subtle.ConstantTimeCompare(key, b.keyring.RootKey()) != 1 {
-		return ErrBarrierInvalidKey
-	}
-	return nil
-}
-
-// ReloadKeyring is used to re-read the underlying keyring.
-// This is used for HA deployments to ensure the latest keyring
-// is present in the leader.
-func (b *AESGCMBarrier) ReloadKeyring(ctx context.Context) error {
-	b.l.Lock()
-	defer b.l.Unlock()
-
-	// Create the AES-GCM
-	gcm, err := b.aeadFromKey(b.keyring.RootKey())
-	if err != nil {
-		return err
-	}
-
-	// Read in the keyring
-	out, err := b.backend.Get(ctx, keyringPath)
-	if err != nil {
-		return fmt.Errorf("failed to check for keyring: %w", err)
-	}
-
-	// Ensure that the keyring exists. This should never happen,
-	// and indicates something really bad has happened.
-	if out == nil {
-		return errors.New("keyring unexpectedly missing")
-	}
-
-	// Verify the term is always just one
-	term := binary.BigEndian.Uint32(out.Value[:4])
-	if term != initialKeyTerm {
-		return errors.New("term mis-match")
-	}
-
-	// Decrypt the barrier init key
-	plain, err := b.decrypt(keyringPath, gcm, out.Value)
-	defer memzero(plain)
-	if err != nil {
-		if strings.Contains(err.Error(), "message authentication failed") {
-			return ErrBarrierInvalidKey
-		}
-		return err
-	}
-
-	// Reset enc. counters, this may be a leadership change
-	b.totalLocalEncryptions.Store(0)
-	b.totalLocalEncryptions.Store(0)
-	b.UnaccountedEncryptions.Store(0)
-	b.RemoteEncryptions.Store(0)
-
-	return b.recoverKeyring(plain)
-}
-
-func (b *AESGCMBarrier) recoverKeyring(plaintext []byte) error {
-	keyring, err := DeserializeKeyring(plaintext)
-	if err != nil {
-		return fmt.Errorf("keyring deserialization failed: %w", err)
-	}
-
-	// Setup the keyring and finish
-	b.cache = make(map[uint32]cipher.AEAD)
-	b.keyring = keyring
-	return nil
-}
-
-// ReloadRootKey is used to re-read the underlying root key.
-// This is used for HA deployments to ensure the latest root key
-// is available for keyring reloading.
-func (b *AESGCMBarrier) ReloadRootKey(ctx context.Context) error {
-	// Read the rootKeyPath upgrade
-	out, err := b.Get(ctx, rootKeyPath)
-	if err != nil {
-		return fmt.Errorf("failed to read root key path: %w", err)
-	}
-
-	// The rootKeyPath could be missing (backwards incompatible),
-	// we can ignore this and attempt to make progress with the current
-	// root key.
-	if out == nil {
-		return nil
-	}
-
-	// Grab write lock and refetch
-	b.l.Lock()
-	defer b.l.Unlock()
-
-	out, err = b.lockSwitchedGet(ctx, rootKeyPath, false)
-	if err != nil {
-		return fmt.Errorf("failed to read root key path: %w", err)
-	}
-
-	if out == nil {
-		return nil
-	}
-
-	// Deserialize the root key
-	key, err := DeserializeKey(out.Value)
-	memzero(out.Value)
-	if err != nil {
-		return fmt.Errorf("failed to deserialize key: %w", err)
-	}
-
-	// Check if the root key is the same
-	if subtle.ConstantTimeCompare(b.keyring.RootKey(), key.Value) == 1 {
-		return nil
-	}
-
-	// Update the root key
-	oldKeyring := b.keyring
-	b.keyring = b.keyring.SetRootKey(key.Value)
-	oldKeyring.Zeroize(false)
-	return nil
-}
-
-// Unseal is used to provide the root key which permits the barrier
-// to be unsealed. If the key is not correct, the barrier remains sealed.
-func (b *AESGCMBarrier) Unseal(ctx context.Context, key []byte) error {
-	b.l.Lock()
-	defer b.l.Unlock()
-
-	// Do nothing if already unsealed
-	if !b.sealed {
-		return nil
-	}
-
-	// Create the AES-GCM
-	gcm, err := b.aeadFromKey(key)
-	if err != nil {
-		return err
-	}
-
-	// Read in the keyring
-	out, err := b.backend.Get(ctx, keyringPath)
-	if err != nil {
-		return fmt.Errorf("failed to check for keyring: %w", err)
-	}
-	if out != nil {
-		// Verify the term is always just one
-		term := binary.BigEndian.Uint32(out.Value[:4])
-		if term != initialKeyTerm {
-			return errors.New("term mis-match")
-		}
-
-		// Decrypt the barrier init key
-		plain, err := b.decrypt(keyringPath, gcm, out.Value)
-		defer memzero(plain)
-		if err != nil {
-			if strings.Contains(err.Error(), "message authentication failed") {
-				return ErrBarrierInvalidKey
-			}
-			return err
-		}
-
-		// Recover the keyring
-		err = b.recoverKeyring(plain)
-		if err != nil {
-			return fmt.Errorf("keyring deserialization failed: %w", err)
-		}
-
-		b.sealed = false
-
-		return nil
-	}
-
-	// Read the barrier initialization key
-	out, err = b.backend.Get(ctx, barrierInitPath)
-	if err != nil {
-		return fmt.Errorf("failed to check for initialization: %w", err)
-	}
-	if out == nil {
-		return ErrBarrierNotInit
-	}
-
-	// Verify the term is always just one
-	term := binary.BigEndian.Uint32(out.Value[:4])
-	if term != initialKeyTerm {
-		return errors.New("term mis-match")
-	}
-
-	// Decrypt the barrier init key
-	plain, err := b.decrypt(barrierInitPath, gcm, out.Value)
-	if err != nil {
-		if strings.Contains(err.Error(), "message authentication failed") {
-			return ErrBarrierInvalidKey
-		}
-		return err
-	}
-	defer memzero(plain)
-
-	// Unmarshal the barrier init
-	var init barrierInit
-	if err := jsonutil.DecodeJSON(plain, &init); err != nil {
-		return fmt.Errorf("failed to unmarshal barrier init file")
-	}
-
-	// Setup a new keyring, this is for backwards compatibility
-	keyringNew := NewKeyring()
-	keyring := keyringNew.SetRootKey(key)
-
-	// AddKey reuses the root, so we are only zeroizing after this call
-	defer keyringNew.Zeroize(false)
-
-	keyring, err = keyring.AddKey(&Key{
-		Term:    1,
-		Version: 1,
-		Value:   init.Key,
-	})
-	if err != nil {
-		return fmt.Errorf("failed to create keyring: %w", err)
-	}
-	if err := b.persistKeyring(ctx, keyring); err != nil {
-		return err
-	}
-
-	// Delete the old barrier entry
-	if err := b.backend.Delete(ctx, barrierInitPath); err != nil {
-		return fmt.Errorf("failed to delete barrier init file: %w", err)
-	}
-
-	// Set the vault as unsealed
-	b.keyring = keyring
-	b.sealed = false
-
-	return nil
-}
-
-// Seal is used to re-seal the barrier. This requires the barrier to
-// be unsealed again to perform any further operations.
-func (b *AESGCMBarrier) Seal() error {
-	b.l.Lock()
-	defer b.l.Unlock()
-
-	// Remove the primary key, and seal the vault
-	b.cache = make(map[uint32]cipher.AEAD)
-	b.keyring.Zeroize(true)
-	b.keyring = nil
-	b.sealed = true
-	return nil
-}
-
-// Rotate is used to create a new encryption key. All future writes
-// should use the new key, while old values should still be decryptable.
-func (b *AESGCMBarrier) Rotate(ctx context.Context, randomSource io.Reader) (uint32, error) {
-	b.l.Lock()
-	defer b.l.Unlock()
-	if b.sealed {
-		return 0, ErrBarrierSealed
-	}
-
-	// Generate a new key
-	encrypt, err := b.GenerateKey(randomSource)
-	if err != nil {
-		return 0, fmt.Errorf("failed to generate encryption key: %w", err)
-	}
-
-	// Get the next term
-	term := b.keyring.ActiveTerm()
-	newTerm := term + 1
-
-	// Add a new encryption key
-	newKeyring, err := b.keyring.AddKey(&Key{
-		Term:    newTerm,
-		Version: 1,
-		Value:   encrypt,
-	})
-	if err != nil {
-		return 0, fmt.Errorf("failed to add new encryption key: %w", err)
-	}
-
-	// Persist the new keyring
-	if err := b.persistKeyring(ctx, newKeyring); err != nil {
-		return 0, err
-	}
-
-	// Clear encryption tracking
-	b.RemoteEncryptions.Store(0)
-	b.totalLocalEncryptions.Store(0)
-	b.UnaccountedEncryptions.Store(0)
-
-	// Swap the keyrings
-	b.keyring = newKeyring
-
-	return newTerm, nil
-}
-
-// CreateUpgrade creates an upgrade path key to the given term from the previous term
-func (b *AESGCMBarrier) CreateUpgrade(ctx context.Context, term uint32) error {
-	b.l.RLock()
-	if b.sealed {
-		b.l.RUnlock()
-		return ErrBarrierSealed
-	}
-
-	// Get the key for this term
-	termKey := b.keyring.TermKey(term)
-	buf, err := termKey.Serialize()
-	defer memzero(buf)
-	if err != nil {
-		b.l.RUnlock()
-		return err
-	}
-
-	// Get the AEAD for the previous term
-	prevTerm := term - 1
-	primary, err := b.aeadForTerm(prevTerm)
-	if err != nil {
-		b.l.RUnlock()
-		return err
-	}
-
-	key := fmt.Sprintf("%s%d", keyringUpgradePrefix, prevTerm)
-	value, err := b.encryptTracked(key, prevTerm, primary, buf)
-	b.l.RUnlock()
-	if err != nil {
-		return err
-	}
-	// Create upgrade key
-	pe := &physical.Entry{
-		Key:   key,
-		Value: value,
-	}
-	return b.backend.Put(ctx, pe)
+// UnwrapCommand is a Command that behaves like ReadCommand but specifically for
+// unwrapping cubbyhole-wrapped secrets
+type UnwrapCommand struct {
+	*BaseCommand
 }
 
-// DestroyUpgrade destroys the upgrade path key to the given term
-func (b *AESGCMBarrier) DestroyUpgrade(ctx context.Context, term uint32) error {
-	path := fmt.Sprintf("%s%d", keyringUpgradePrefix, term-1)
-	return b.Delete(ctx, path)
-}
-
-// CheckUpgrade looks for an upgrade to the current term and installs it
-func (b *AESGCMBarrier) CheckUpgrade(ctx context.Context) (bool, uint32, error) {
-	b.l.RLock()
-	if b.sealed {
-		b.l.RUnlock()
-		return false, 0, ErrBarrierSealed
-	}
-
-	// Get the current term
-	activeTerm := b.keyring.ActiveTerm()
-
-	// Check for an upgrade key
-	upgrade := fmt.Sprintf("%s%d", keyringUpgradePrefix, activeTerm)
-	entry, err := b.lockSwitchedGet(ctx, upgrade, false)
-	if err != nil {
-		b.l.RUnlock()
-		return false, 0, err
-	}
-
-	// Nothing to do if no upgrade
-	if entry == nil {
-		b.l.RUnlock()
-		return false, 0, nil
-	}
-
-	// Upgrade from read lock to write lock
-	b.l.RUnlock()
-	b.l.Lock()
-	defer b.l.Unlock()
-
-	// Validate base cases and refetch values again
-
-	if b.sealed {
-		return false, 0, ErrBarrierSealed
-	}
-
-	activeTerm = b.keyring.ActiveTerm()
-
-	upgrade = fmt.Sprintf("%s%d", keyringUpgradePrefix, activeTerm)
-	entry, err = b.lockSwitchedGet(ctx, upgrade, false)
-	if err != nil {
-		return false, 0, err
-	}
-
-	if entry == nil {
-		return false, 0, nil
-	}
-
-	// Deserialize the key
-	key, err := DeserializeKey(entry.Value)
-	memzero(entry.Value)
-	if err != nil {
-		return false, 0, err
-	}
-
-	// Update the keyring
-	newKeyring, err := b.keyring.AddKey(key)
-	if err != nil {
-		return false, 0, fmt.Errorf("failed to add new encryption key: %w", err)
-	}
-	b.keyring = newKeyring
-
-	// Done!
-	return true, key.Term, nil
-}
-
-// ActiveKeyInfo is used to inform details about the active key
-func (b *AESGCMBarrier) ActiveKeyInfo() (*KeyInfo, error) {
-	b.l.RLock()
-	defer b.l.RUnlock()
-	if b.sealed {
-		return nil, ErrBarrierSealed
-	}
-
-	// Determine the key install time
-	term := b.keyring.ActiveTerm()
-	key := b.keyring.TermKey(term)
-
-	// Return the key info
-	info := &KeyInfo{
-		Term:        int(term),
-		InstallTime: key.InstallTime,
-		Encryptions: b.encryptions(),
-	}
-	return info, nil
+func (c *UnwrapCommand) Synopsis() string {
+	return "Unwrap a wrapped secret"
 }
 
-// Rekey is used to change the root key used to protect the keyring
-func (b *AESGCMBarrier) Rekey(ctx context.Context, key []byte) error {
-	b.l.Lock()
-	defer b.l.Unlock()
-
-	newKeyring, err := b.updateRootKeyCommon(key)
-	if err != nil {
-		return err
-	}
+func (c *UnwrapCommand) Help() string {
+	helpText := `
+Usage: vault unwrap [options] [TOKEN]
 
-	// Persist the new keyring
-	if err := b.persistKeyring(ctx, newKeyring); err != nil {
-		return err
-	}
+  Unwraps a wrapped secret from Vault by the given token. The result is the
+  same as the "vault read" operation on the non-wrapped secret. If no token
+  is given, the data in the currently authenticated token is unwrapped.
 
-	// Swap the keyrings
-	oldKeyring := b.keyring
-	b.keyring = newKeyring
-	oldKeyring.Zeroize(false)
-	return nil
-}
+  Unwrap the data in the cubbyhole secrets engine for a token:
 
-// SetRootKey updates the keyring's in-memory root key but does not persist
-// anything to storage
-func (b *AESGCMBarrier) SetRootKey(key []byte) error {
-	b.l.Lock()
-	defer b.l.Unlock()
+      $ vault unwrap 3de9ece1-b347-e143-29b0-dc2dc31caafd
 
-	newKeyring, err := b.updateRootKeyCommon(key)
-	if err != nil {
-		return err
-	}
+  Unwrap the data in the active token:
 
-	// Swap the keyrings
-	oldKeyring := b.keyring
-	b.keyring = newKeyring
-	oldKeyring.Zeroize(false)
-	return nil
-}
+      $ vault login 848f9ccf-7176-098c-5e2b-75a0689d41cd
+      $ vault unwrap # unwraps 848f9ccf...
 
-// Performs common tasks related to updating the root key; note that the lock
-// must be held before calling this function
-func (b *AESGCMBarrier) updateRootKeyCommon(key []byte) (*Keyring, error) {
-	if b.sealed {
-		return nil, ErrBarrierSealed
-	}
+  For a full list of examples and paths, please see the online documentation.
 
-	// Verify the key size
-	min, max := b.KeyLength()
-	if len(key) < min || len(key) > max {
-		return nil, fmt.Errorf("key size must be %d or %d", min, max)
-	}
+` + c.Flags().Help()
 
-	return b.keyring.SetRootKey(key), nil
+	return strings.TrimSpace(helpText)
 }
 
-// Put is used to insert or update an entry
-func (b *AESGCMBarrier) Put(ctx context.Context, entry *logical.StorageEntry) error {
-	defer metrics.MeasureSince([]string{"barrier", "put"}, time.Now())
-	b.l.RLock()
-	if b.sealed {
-		b.l.RUnlock()
-		return ErrBarrierSealed
-	}
-
-	term := b.keyring.ActiveTerm()
-	primary, err := b.aeadForTerm(term)
-	b.l.RUnlock()
-	if err != nil {
-		return err
-	}
-
-	return b.putInternal(ctx, term, primary, entry)
+func (c *UnwrapCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
 }
 
-func (b *AESGCMBarrier) putInternal(ctx context.Context, term uint32, primary cipher.AEAD, entry *logical.StorageEntry) error {
-	value, err := b.encryptTracked(entry.Key, term, primary, entry.Value)
-	if err != nil {
-		return err
-	}
-	pe := &physical.Entry{
-		Key:      entry.Key,
-		Value:    value,
-		SealWrap: entry.SealWrap,
-	}
-	return b.backend.Put(ctx, pe)
+func (c *UnwrapCommand) AutocompleteArgs() complete.Predictor {
+	return c.PredictVaultFiles()
 }
 
-// Get is used to fetch an entry
-func (b *AESGCMBarrier) Get(ctx context.Context, key string) (*logical.StorageEntry, error) {
-	return b.lockSwitchedGet(ctx, key, true)
+func (c *UnwrapCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
 }
 
-func (b *AESGCMBarrier) lockSwitchedGet(ctx context.Context, key string, getLock bool) (*logical.StorageEntry, error) {
-	defer metrics.MeasureSince([]string{"barrier", "get"}, time.Now())
-	if getLock {
-		b.l.RLock()
-	}
-	if b.sealed {
-		if getLock {
-			b.l.RUnlock()
-		}
-		return nil, ErrBarrierSealed
-	}
+func (c *UnwrapCommand) Run(args []string) int {
+	f := c.Flags()
 
-	// Read the key from the backend
-	pe, err := b.backend.Get(ctx, key)
-	if err != nil {
-		if getLock {
-			b.l.RUnlock()
-		}
-		return nil, err
-	} else if pe == nil {
-		if getLock {
-			b.l.RUnlock()
-		}
-		return nil, nil
-	}
-
-	if len(pe.Value) < 4 {
-		if getLock {
-			b.l.RUnlock()
-		}
-		return nil, errors.New("invalid value")
-	}
-
-	// Verify the term
-	term := binary.BigEndian.Uint32(pe.Value[:4])
-
-	// Get the GCM by term
-	// It is expensive to do this first but it is not a
-	// normal case that this won't match
-	gcm, err := b.aeadForTerm(term)
-	if getLock {
-		b.l.RUnlock()
-	}
-	if err != nil {
-		return nil, err
-	}
-	if gcm == nil {
-		return nil, fmt.Errorf("no decryption key available for term %d", term)
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
 	}
 
-	// Decrypt the ciphertext
-	plain, err := b.decrypt(key, gcm, pe.Value)
-	if err != nil {
-		return nil, fmt.Errorf("decryption failed: %w", err)
-	}
-
-	// Wrap in a logical entry
-	entry := &logical.StorageEntry{
-		Key:      key,
-		Value:    plain,
-		SealWrap: pe.SealWrap,
-	}
-	return entry, nil
-}
-
-// Delete is used to permanently delete an entry
-func (b *AESGCMBarrier) Delete(ctx context.Context, key string) error {
-	defer metrics.MeasureSince([]string{"barrier", "delete"}, time.Now())
-	b.l.RLock()
-	sealed := b.sealed
-	b.l.RUnlock()
-	if sealed {
-		return ErrBarrierSealed
-	}
-
-	return b.backend.Delete(ctx, key)
-}
-
-// List is used ot list all the keys under a given
-// prefix, up to the next prefix.
-func (b *AESGCMBarrier) List(ctx context.Context, prefix string) ([]string, error) {
-	defer metrics.MeasureSince([]string{"barrier", "list"}, time.Now())
-	b.l.RLock()
-	sealed := b.sealed
-	b.l.RUnlock()
-	if sealed {
-		return nil, ErrBarrierSealed
-	}
-
-	return b.backend.List(ctx, prefix)
-}
-
-// aeadForTerm returns the AES-GCM AEAD for the given term
-func (b *AESGCMBarrier) aeadForTerm(term uint32) (cipher.AEAD, error) {
-	// Check for the keyring
-	keyring := b.keyring
-	if keyring == nil {
-		return nil, nil
-	}
-
-	// Check the cache for the aead
-	b.cacheLock.RLock()
-	aead, ok := b.cache[term]
-	b.cacheLock.RUnlock()
-	if ok {
-		return aead, nil
-	}
-
-	// Read the underlying key
-	key := keyring.TermKey(term)
-	if key == nil {
-		return nil, nil
-	}
-
-	// Create a new aead
-	aead, err := b.aeadFromKey(key.Value)
-	if err != nil {
-		return nil, err
-	}
-
-	// Update the cache
-	b.cacheLock.Lock()
-	b.cache[term] = aead
-	b.cacheLock.Unlock()
-	return aead, nil
-}
-
-// aeadFromKey returns an AES-GCM AEAD using the given key.
-func (b *AESGCMBarrier) aeadFromKey(key []byte) (cipher.AEAD, error) {
-	// Create the AES cipher
-	aesCipher, err := aes.NewCipher(key)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create cipher: %w", err)
-	}
-
-	// Create the GCM mode AEAD
-	gcm, err := cipher.NewGCM(aesCipher)
-	if err != nil {
-		return nil, fmt.Errorf("failed to initialize GCM mode")
-	}
-	return gcm, nil
-}
-
-// encrypt is used to encrypt a value
-func (b *AESGCMBarrier) encrypt(path string, term uint32, gcm cipher.AEAD, plain []byte) ([]byte, error) {
-	// Allocate the output buffer with room for term, version byte,
-	// nonce, GCM tag and the plaintext
-
-	extra := termSize + 1 + gcm.NonceSize() + gcm.Overhead()
-	if len(plain) > math.MaxInt-extra {
-		return nil, ErrPlaintextTooLarge
-	}
-
-	capacity := len(plain) + extra
-	size := termSize + 1 + gcm.NonceSize()
-	out := make([]byte, size, capacity)
-
-	// Set the key term
-	binary.BigEndian.PutUint32(out[:4], term)
-
-	// Set the version byte
-	out[4] = b.currentAESGCMVersionByte
-
-	// Generate a random nonce
-	nonce := out[5 : 5+gcm.NonceSize()]
-	n, err := rand.Read(nonce)
-	if err != nil {
-		return nil, err
-	}
-	if n != len(nonce) {
-		return nil, errors.New("unable to read enough random bytes to fill gcm nonce")
-	}
-
-	// Seal the output
-	switch b.currentAESGCMVersionByte {
-	case AESGCMVersion1:
-		out = gcm.Seal(out, nonce, plain, nil)
-	case AESGCMVersion2:
-		aad := []byte(nil)
-		if path != "" {
-			aad = []byte(path)
-		}
-		out = gcm.Seal(out, nonce, plain, aad)
+	args = f.Args()
+	token := ""
+	switch len(args) {
+	case 0:
+		// Leave token as "", that will use the local token
+	case 1:
+		token = strings.TrimSpace(args[0])
 	default:
-		panic("Unknown AESGCM version")
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 0-1, got %d)", len(args)))
+		return 1
 	}
 
-	return out, nil
-}
-
-func termLabel(term uint32) []metrics.Label {
-	return []metrics.Label{
-		{
-			Name:  "term",
-			Value: strconv.FormatUint(uint64(term), 10),
-		},
-	}
-}
-
-// decrypt is used to decrypt a value using the keyring
-func (b *AESGCMBarrier) decrypt(path string, gcm cipher.AEAD, cipher []byte) ([]byte, error) {
-	if len(cipher) < 5+gcm.NonceSize() {
-		return nil, fmt.Errorf("invalid cipher length")
-	}
-	// Capture the parts
-	nonce := cipher[5 : 5+gcm.NonceSize()]
-	raw := cipher[5+gcm.NonceSize():]
-	out := make([]byte, 0, len(raw)-gcm.NonceSize())
-
-	// Attempt to open
-	switch cipher[4] {
-	case AESGCMVersion1:
-		return gcm.Open(out, nonce, raw, nil)
-	case AESGCMVersion2:
-		aad := []byte(nil)
-		if path != "" {
-			aad = []byte(path)
-		}
-		return gcm.Open(out, nonce, raw, aad)
-	default:
-		return nil, fmt.Errorf("version bytes mis-match")
-	}
-}
-
-// Encrypt is used to encrypt in-memory for the BarrierEncryptor interface
-func (b *AESGCMBarrier) Encrypt(ctx context.Context, key string, plaintext []byte) ([]byte, error) {
-	b.l.RLock()
-	if b.sealed {
-		b.l.RUnlock()
-		return nil, ErrBarrierSealed
-	}
-
-	term := b.keyring.ActiveTerm()
-	primary, err := b.aeadForTerm(term)
-	b.l.RUnlock()
+	client, err := c.Client()
 	if err != nil {
-		return nil, err
+		c.UI.Error(err.Error())
+		return 2
 	}
 
-	ciphertext, err := b.encryptTracked(key, term, primary, plaintext)
+	secret, err := client.Logical().Unwrap(token)
 	if err != nil {
-		return nil, err
+		c.UI.Error(fmt.Sprintf("Error unwrapping: %s", err))
+		return 2
 	}
-
-	return ciphertext, nil
-}
-
-// Decrypt is used to decrypt in-memory for the BarrierEncryptor interface
-func (b *AESGCMBarrier) Decrypt(_ context.Context, key string, ciphertext []byte) ([]byte, error) {
-	b.l.RLock()
-	if b.sealed {
-		b.l.RUnlock()
-		return nil, ErrBarrierSealed
-	}
-
-	if len(ciphertext) == 0 {
-		b.l.RUnlock()
-		return nil, fmt.Errorf("empty ciphertext")
-	}
-
-	// Verify the term
-	if len(ciphertext) < 4 {
-		b.l.RUnlock()
-		return nil, fmt.Errorf("invalid ciphertext term")
-	}
-	term := binary.BigEndian.Uint32(ciphertext[:4])
-
-	// Get the GCM by term
-	// It is expensive to do this first but it is not a
-	// normal case that this won't match
-	gcm, err := b.aeadForTerm(term)
-	b.l.RUnlock()
-	if err != nil {
-		return nil, err
-	}
-	if gcm == nil {
-		return nil, fmt.Errorf("no decryption key available for term %d", term)
-	}
-
-	// Decrypt the ciphertext
-	plain, err := b.decrypt(key, gcm, ciphertext)
-	if err != nil {
-		return nil, fmt.Errorf("decryption failed: %w", err)
-	}
-
-	return plain, nil
-}
-
-func (b *AESGCMBarrier) Keyring() (*Keyring, error) {
-	b.l.RLock()
-	defer b.l.RUnlock()
-	if b.sealed {
-		return nil, ErrBarrierSealed
-	}
-
-	return b.keyring.Clone(), nil
-}
-
-func (b *AESGCMBarrier) ConsumeEncryptionCount(consumer func(int64) error) error {
-	if b.keyring != nil {
-		// Lock to prevent replacement of the key while we consume the encryptions
-		b.l.RLock()
-		defer b.l.RUnlock()
-
-		c := b.UnaccountedEncryptions.Load()
-		err := consumer(c)
-		if err == nil && c > 0 {
-			// Consumer succeeded, remove those from local encryptions
-			b.UnaccountedEncryptions.Sub(c)
-		}
-		return err
-	}
-	return nil
-}
-
-func (b *AESGCMBarrier) AddRemoteEncryptions(encryptions int64) {
-	// For rollup and persistence
-	b.UnaccountedEncryptions.Add(encryptions)
-	// For testing
-	b.RemoteEncryptions.Add(encryptions)
-}
-
-func (b *AESGCMBarrier) encryptTracked(path string, term uint32, gcm cipher.AEAD, buf []byte) ([]byte, error) {
-	ct, err := b.encrypt(path, term, gcm, buf)
-	if err != nil {
-		return nil, err
-	}
-	// Increment the local encryption count, and track metrics
-	b.UnaccountedEncryptions.Add(1)
-	b.totalLocalEncryptions.Add(1)
-	metrics.IncrCounterWithLabels(barrierEncryptsMetric, 1, termLabel(term))
-
-	return ct, nil
-}
-
-// UnaccountedEncryptions returns the number of encryptions made on the local instance only for the current key term
-func (b *AESGCMBarrier) TotalLocalEncryptions() int64 {
-	return b.totalLocalEncryptions.Load()
-}
-
-func (b *AESGCMBarrier) CheckBarrierAutoRotate(ctx context.Context) (string, error) {
-	const oneYear = 24 * 365 * time.Hour
-	reason, err := func() (string, error) {
-		b.l.RLock()
-		defer b.l.RUnlock()
-		if b.keyring != nil {
-			// Rotation Checks
-			var reason string
-
-			rc, err := b.RotationConfig()
-			if err != nil {
-				return "", err
-			}
-
-			if !rc.Disabled {
-				activeKey := b.keyring.ActiveKey()
-				ops := b.encryptions()
-				switch {
-				case activeKey.Encryptions == 0 && !activeKey.InstallTime.IsZero() && time.Since(activeKey.InstallTime) > oneYear:
-					reason = legacyRotateReason
-				case ops > rc.MaxOperations:
-					reason = "reached max operations"
-				case rc.Interval > 0 && time.Since(activeKey.InstallTime) > rc.Interval:
-					reason = "rotation interval reached"
-				}
-			}
-			return reason, nil
+	if secret == nil {
+		if Format(c.UI) == "table" {
+			c.UI.Info("Successfully unwrapped. There was no data in the wrapped secret.")
 		}
-		return "", nil
-	}()
-	if err != nil {
-		return "", err
-	}
-	if reason != "" {
-		return reason, nil
+		return 0
 	}
 
-	b.l.Lock()
-	defer b.l.Unlock()
-	if b.keyring != nil {
-		err := b.persistEncryptions(ctx)
-		if err != nil {
-			return "", err
-		}
+	// Handle single field output
+	if c.flagField != "" {
+		return PrintRawField(c.UI, secret, c.flagField)
 	}
-	return reason, nil
-}
 
-// Must be called with lock held
-func (b *AESGCMBarrier) persistEncryptions(ctx context.Context) error {
-	if !b.sealed {
-		// Encryption count persistence
-		upe := b.UnaccountedEncryptions.Load()
-		if upe > 0 {
-			activeKey := b.keyring.ActiveKey()
-			// Move local (unpersisted) encryptions to the key and persist.  This prevents us from needing to persist if
-			// there has been no activity. Since persistence performs an encryption, perversely we zero out after
-			// persistence and add 1 to the count to avoid this operation guaranteeing we need another
-			// autoRotateCheckInterval later.
-			newEncs := upe + 1
-			activeKey.Encryptions += uint64(newEncs)
-			newKeyring := b.keyring.Clone()
-			err := b.persistKeyring(ctx, newKeyring)
-			if err != nil {
-				return err
-			}
-			b.UnaccountedEncryptions.Sub(newEncs)
-		}
-	}
-	return nil
-}
-
-// Mostly for testing, returns the total number of encryption operations performed on the active term
-func (b *AESGCMBarrier) encryptions() int64 {
-	if b.keyring != nil {
-		activeKey := b.keyring.ActiveKey()
-		if activeKey != nil {
-			return b.UnaccountedEncryptions.Load() + int64(activeKey.Encryptions)
-		}
+	// Check if the original was a list response and format as a list
+	if _, ok := extractListData(secret); ok {
+		return OutputList(c.UI, secret)
 	}
-	return 0
+	return OutputSecret(c.UI, secret)
 }
diff --git a/vault/cluster/simulations.go b/vault/cluster/simulations.go
index 4e4896090dce..518d32fb12d6 100644
--- a/vault/cluster/simulations.go
+++ b/vault/cluster/simulations.go
@@ -1,47 +1,163 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package cluster
+package command
 
 import (
-	"io"
-	"net"
-	"time"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/api"
 )
 
-type delayedConn struct {
-	net.Conn
-	dr *delayedReader
-}
+func testUnwrapCommand(tb testing.TB) (*cli.MockUi, *UnwrapCommand) {
+	tb.Helper()
 
-func newDelayedConn(conn net.Conn, delay time.Duration) net.Conn {
-	return &delayedConn{
-		Conn: conn,
-		dr: &delayedReader{
-			r:     conn,
-			delay: delay,
+	ui := cli.NewMockUi()
+	return ui, &UnwrapCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
 		},
 	}
 }
 
-func (conn *delayedConn) Read(data []byte) (int, error) {
-	return conn.dr.Read(data)
-}
+func testUnwrapWrappedToken(tb testing.TB, client *api.Client, data map[string]interface{}) string {
+	tb.Helper()
 
-func (conn *delayedConn) SetDelay(delay time.Duration) {
-	conn.dr.delay = delay
+	wrapped, err := client.Logical().Write("sys/wrapping/wrap", data)
+	if err != nil {
+		tb.Fatal(err)
+	}
+	if wrapped == nil || wrapped.WrapInfo == nil || wrapped.WrapInfo.Token == "" {
+		tb.Fatalf("missing wrap info: %v", wrapped)
+	}
+	return wrapped.WrapInfo.Token
 }
 
-type delayedReader struct {
-	r     io.Reader
-	delay time.Duration
-}
+func TestUnwrapCommand_Run(t *testing.T) {
+	t.Parallel()
 
-func (dr *delayedReader) Read(data []byte) (int, error) {
-	// Sleep for the delay period prior to reading
-	if dr.delay > 0 {
-		time.Sleep(dr.delay)
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"too_many_args",
+			[]string{"foo", "bar"},
+			"Too many arguments",
+			1,
+		},
+		{
+			"default",
+			nil, // Token comes in the test func
+			"bar",
+			0,
+		},
+		{
+			"field",
+			[]string{"-field", "foo"},
+			"bar",
+			0,
+		},
+		{
+			"field_not_found",
+			[]string{"-field", "not-a-real-field"},
+			"not present in secret",
+			1,
+		},
 	}
 
-	return dr.r.Read(data)
+	t.Run("validations", func(t *testing.T) {
+		t.Parallel()
+
+		for _, tc := range cases {
+			tc := tc
+
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, closer := testVaultServer(t)
+				defer closer()
+
+				wrappedToken := testUnwrapWrappedToken(t, client, map[string]interface{}{
+					"foo": "bar",
+				})
+
+				ui, cmd := testUnwrapCommand(t)
+				cmd.client = client
+
+				tc.args = append(tc.args, wrappedToken)
+				code := cmd.Run(tc.args)
+				if code != tc.code {
+					t.Errorf("expected %d to be %d", code, tc.code)
+				}
+
+				combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+				if !strings.Contains(combined, tc.out) {
+					t.Errorf("expected %q to contain %q", combined, tc.out)
+				}
+			})
+		}
+	})
+
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServerBad(t)
+		defer closer()
+
+		ui, cmd := testUnwrapCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"foo",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Error unwrapping: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
+	// This test needs its own client and server because it modifies the client
+	// to the wrapping token
+	t.Run("local_token", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		wrappedToken := testUnwrapWrappedToken(t, client, map[string]interface{}{
+			"foo": "bar",
+		})
+
+		ui, cmd := testUnwrapCommand(t)
+		cmd.client = client
+		cmd.client.SetToken(wrappedToken)
+
+		// Intentionally don't pass the token here - it should use the local token
+		code := cmd.Run([]string{})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, "bar") {
+			t.Errorf("expected %q to contain %q", combined, "bar")
+		}
+	})
+
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
+
+		_, cmd := testUnwrapCommand(t)
+		assertNoTabs(t, cmd)
+	})
 }
diff --git a/vault/core.go b/vault/core.go
index 73a29f03ccfe..f43a948c26b3 100644
--- a/vault/core.go
+++ b/vault/core.go
@@ -1,4255 +1,69 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package vault
-
-import (
-	"context"
-	"crypto/ecdsa"
-	"crypto/rand"
-	"crypto/subtle"
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"net"
-	"net/http"
-	"net/url"
-	"os"
-	paths "path"
-	"path/filepath"
-	"runtime"
-	"slices"
-	"strconv"
-	"strings"
-	"sync"
-	"sync/atomic"
-	"time"
-
-	kv "github.com/hashicorp/vault-plugin-secrets-kv"
-
-	"github.com/armon/go-metrics"
-	"github.com/hashicorp/errwrap"
-	log "github.com/hashicorp/go-hclog"
-	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
-	aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
-	"github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2"
-	"github.com/hashicorp/go-multierror"
-	"github.com/hashicorp/go-secure-stdlib/mlock"
-	"github.com/hashicorp/go-secure-stdlib/parseutil"
-	"github.com/hashicorp/go-secure-stdlib/reloadutil"
-	"github.com/hashicorp/go-secure-stdlib/strutil"
-	"github.com/hashicorp/go-secure-stdlib/tlsutil"
-	"github.com/hashicorp/go-uuid"
-	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/audit"
-	"github.com/hashicorp/vault/command/server"
-	"github.com/hashicorp/vault/helper/identity/mfa"
-	"github.com/hashicorp/vault/helper/locking"
-	"github.com/hashicorp/vault/helper/metricsutil"
-	"github.com/hashicorp/vault/helper/namespace"
-	"github.com/hashicorp/vault/helper/osutil"
-	"github.com/hashicorp/vault/physical/raft"
-	"github.com/hashicorp/vault/sdk/helper/certutil"
-	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/hashicorp/vault/sdk/helper/jsonutil"
-	"github.com/hashicorp/vault/sdk/helper/logging"
-	"github.com/hashicorp/vault/sdk/helper/pathmanager"
-	"github.com/hashicorp/vault/sdk/logical"
-	"github.com/hashicorp/vault/sdk/physical"
-	sr "github.com/hashicorp/vault/serviceregistration"
-	"github.com/hashicorp/vault/shamir"
-	"github.com/hashicorp/vault/vault/cluster"
-	"github.com/hashicorp/vault/vault/eventbus"
-	"github.com/hashicorp/vault/vault/quotas"
-	vaultseal "github.com/hashicorp/vault/vault/seal"
-	"github.com/hashicorp/vault/version"
-	"github.com/patrickmn/go-cache"
-	uberAtomic "go.uber.org/atomic"
-	"google.golang.org/grpc"
-)
-
-const (
-	// CoreLockPath is the path used to acquire a coordinating lock
-	// for a highly-available deploy.
-	CoreLockPath = "core/lock"
-
-	// The poison pill is used as a check during certain scenarios to indicate
-	// to standby nodes that they should seal
-	poisonPillPath   = "core/poison-pill"
-	poisonPillDRPath = "core/poison-pill-dr"
-
-	// coreLeaderPrefix is the prefix used for the UUID that contains
-	// the currently elected leader.
-	coreLeaderPrefix = "core/leader/"
-
-	// coreKeyringCanaryPath is used as a canary to indicate to replicated
-	// clusters that they need to perform a rekey operation synchronously; this
-	// isn't keyring-canary to avoid ignoring it when ignoring core/keyring
-	coreKeyringCanaryPath = "core/canary-keyring"
-
-	// coreGroupPolicyApplicationPath is used to store the behaviour for
-	// how policies should be applied
-	coreGroupPolicyApplicationPath = "core/group-policy-application-mode"
-
-	// groupPolicyApplicationModeWithinNamespaceHierarchy is a configuration option for group
-	// policy application modes, which allows only in-namespace-hierarchy policy application
-	groupPolicyApplicationModeWithinNamespaceHierarchy = "within_namespace_hierarchy"
-
-	// groupPolicyApplicationModeAny is a configuration option for group
-	// policy application modes, which allows policy application irrespective of namespaces
-	groupPolicyApplicationModeAny = "any"
-
-	indexHeaderHMACKeyPath = "core/index-header-hmac-key"
-
-	// defaultMFAAuthResponseTTL is the default duration that Vault caches the
-	// MfaAuthResponse when the value is not specified in the server config
-	defaultMFAAuthResponseTTL = 300 * time.Second
-
-	// defaultMaxTOTPValidateAttempts is the default value for the number
-	// of failed attempts to validate a request subject to TOTP MFA. If the
-	// number of failed totp passcode validations exceeds this max value, the
-	// user needs to wait until a fresh totp passcode is generated.
-	defaultMaxTOTPValidateAttempts = 5
-
-	// ForwardSSCTokenToActive is the value that must be set in the
-	// forwardToActive to trigger forwarding if a perf standby encounters
-	// an SSC Token that it does not have the WAL state for.
-	ForwardSSCTokenToActive = "new_token"
-
-	WrapperTypeHsmAutoDeprecated = wrapping.WrapperType("hsm-auto")
-
-	// undoLogsAreSafeStoragePath is a storage path that we write once we know undo logs are
-	// safe, so we don't have to keep checking all the time.
-	undoLogsAreSafeStoragePath = "core/raft/undo_logs_are_safe"
-
-	ErrMlockFailedTemplate = "Failed to lock memory: %v\n\n" +
-		"This usually means that the mlock syscall is not available.\n" +
-		"Vault uses mlock to prevent memory from being swapped to\n" +
-		"disk. This requires root privileges as well as a machine\n" +
-		"that supports mlock. Please enable mlock on your system or\n" +
-		"disable Vault from using it. To disable Vault from using it,\n" +
-		"set the `disable_mlock` configuration option in your configuration\n" +
-		"file."
-
-	WellKnownPrefix = "/.well-known/"
-)
-
-var (
-	// ErrAlreadyInit is returned if the core is already
-	// initialized. This prevents a re-initialization.
-	ErrAlreadyInit = errors.New("Vault is already initialized")
-
-	// ErrNotInit is returned if a non-initialized barrier
-	// is attempted to be unsealed.
-	ErrNotInit = errors.New("Vault is not initialized")
-
-	// ErrInternalError is returned when we don't want to leak
-	// any information about an internal error
-	ErrInternalError = errors.New("internal error")
-
-	// ErrHANotEnabled is returned if the operation only makes sense
-	// in an HA setting
-	ErrHANotEnabled = errors.New("Vault is not configured for highly-available mode")
-
-	// ErrIntrospectionNotEnabled is returned if "introspection_endpoint" is not
-	// enabled in the configuration file
-	ErrIntrospectionNotEnabled = errors.New("The Vault configuration must set \"introspection_endpoint\" to true to enable this endpoint")
-
-	// manualStepDownSleepPeriod is how long to sleep after a user-initiated
-	// step down of the active node, to prevent instantly regrabbing the lock.
-	// It's var not const so that tests can manipulate it.
-	manualStepDownSleepPeriod = 10 * time.Second
-)
-
-// NonFatalError is an error that can be returned during NewCore that should be
-// displayed but not cause a program exit
-type NonFatalError struct {
-	Err error
-}
-
-func (e *NonFatalError) WrappedErrors() []error {
-	return []error{e.Err}
-}
-
-func (e *NonFatalError) Error() string {
-	return e.Err.Error()
-}
-
-// NewNonFatalError returns a new non-fatal error.
-func NewNonFatalError(err error) *NonFatalError {
-	return &NonFatalError{Err: err}
-}
-
-// IsFatalError returns true if the given error is a fatal error.
-func IsFatalError(err error) bool {
-	return !errwrap.ContainsType(err, new(NonFatalError))
-}
-
-// ErrInvalidKey is returned if there is a user-based error with a provided
-// unseal key. This will be shown to the user, so should not contain
-// information that is sensitive.
-type ErrInvalidKey struct {
-	Reason string
-}
-
-func (e *ErrInvalidKey) Error() string {
-	return fmt.Sprintf("invalid key: %v", e.Reason)
-}
-
-type RegisterAuthFunc func(context.Context, time.Duration, string, *logical.Auth, string) error
-
-type activeAdvertisement struct {
-	RedirectAddr     string                     `json:"redirect_addr"`
-	ClusterAddr      string                     `json:"cluster_addr,omitempty"`
-	ClusterCert      []byte                     `json:"cluster_cert,omitempty"`
-	ClusterKeyParams *certutil.ClusterKeyParams `json:"cluster_key_params,omitempty"`
-}
-
-type unlockInformation struct {
-	Parts [][]byte
-	Nonce string
-}
-
-type raftInformation struct {
-	challenge           *wrapping.BlobInfo
-	leaderClient        *api.Client
-	leaderBarrierConfig *SealConfig
-	nonVoter            bool
-	joinInProgress      bool
-}
-
-type migrationInformation struct {
-	// seal to use during a migration operation. It is the
-	// seal we're migrating *from*.
-	seal Seal
-
-	// unsealKey was the unseal key provided for the migration seal.
-	// This will be set as the recovery key when migrating from shamir to auto-seal.
-	// We don't need to do anything with it when migrating auto->shamir because
-	// we don't store the shamir combined key for shamir seals, nor when
-	// migrating auto->auto because then the recovery key doesn't change.
-	unsealKey []byte
-}
-
-// Core is used as the central manager of Vault activity. It is the primary point of
-// interface for API handlers and is responsible for managing the logical and physical
-// backends, router, security barrier, and audit trails.
-type Core struct {
-	entCore
-
-	// The registry of builtin plugins is passed in here as an interface because
-	// if it's used directly, it results in import cycles.
-	builtinRegistry BuiltinRegistry
-
-	// N.B.: This is used to populate a dev token down replication, as
-	// otherwise, after replication is started, a dev would have to go through
-	// the generate-root process simply to talk to the new follower cluster.
-	devToken string
-
-	// HABackend may be available depending on the physical backend
-	ha physical.HABackend
-
-	// storageType is the the storage type set in the storage configuration
-	storageType string
-
-	// redirectAddr is the address we advertise as leader if held
-	redirectAddr string
-
-	// clusterAddr is the address we use for clustering
-	clusterAddr *atomic.Value
-
-	// physical backend is the un-trusted backend with durable data
-	physical physical.Backend
-
-	// serviceRegistration is the ServiceRegistration network
-	serviceRegistration sr.ServiceRegistration
-
-	// hcpLinkStatus is a string describing the status of HCP link connection
-	hcpLinkStatus HCPLinkStatus
-
-	// underlyingPhysical will always point to the underlying backend
-	// implementation. This is an un-trusted backend with durable data
-	underlyingPhysical physical.Backend
-
-	// seal is our seal, for seal configuration information
-	seal Seal
-
-	// raftJoinDoneCh is used by the raft retry join routine to inform unseal process
-	// that the join is complete
-	raftJoinDoneCh chan struct{}
-
-	// postUnsealStarted informs the raft retry join routine that unseal key
-	// validation is completed and post unseal has started so that it can complete
-	// the join process when Shamir seal is in use
-	postUnsealStarted *uint32
-
-	// raftInfo will contain information required for this node to join as a
-	// peer to an existing raft cluster. This is marked atomic to prevent data
-	// races and casted to raftInformation wherever it is used.
-	raftInfo *atomic.Value
-
-	// migrationInfo is used during (and possibly after) a seal migration.
-	// This contains information about the seal we are migrating *from*.  Even
-	// post seal migration, provided the old seal is still in configuration
-	// migrationInfo will be populated, which on enterprise may be necessary for
-	// seal rewrap.
-	migrationInfo     *migrationInformation
-	sealMigrationDone *uint32
-
-	// barrier is the security barrier wrapping the physical backend
-	barrier SecurityBarrier
-
-	// router is responsible for managing the mount points for logical backends.
-	router *Router
-
-	// logicalBackends is the mapping of backends to use for this core
-	logicalBackends map[string]logical.Factory
-
-	// credentialBackends is the mapping of backends to use for this core
-	credentialBackends map[string]logical.Factory
-
-	// auditBackends is the mapping of backends to use for this core
-	auditBackends map[string]audit.Factory
-
-	// stateLock protects mutable state
-	stateLock locking.RWMutex
-	sealed    *uint32
-
-	standby              bool
-	perfStandby          bool
-	standbyDoneCh        chan struct{}
-	standbyStopCh        *atomic.Value
-	manualStepDownCh     chan struct{}
-	keepHALockOnStepDown *uint32
-	heldHALock           physical.Lock
-
-	// shutdownDoneCh is used to notify when core.Shutdown() completes.
-	// core.Shutdown() is typically issued in a goroutine to allow Vault to
-	// release the stateLock. This channel is marked atomic to prevent race
-	// conditions.
-	shutdownDoneCh *atomic.Value
-
-	// unlockInfo has the keys provided to Unseal until the threshold number of parts is available, as well as the operation nonce
-	unlockInfo *unlockInformation
-
-	// generateRootProgress holds the shares until we reach enough
-	// to verify the master key
-	generateRootConfig   *GenerateRootConfig
-	generateRootProgress [][]byte
-	generateRootLock     sync.Mutex
-
-	// These variables holds the config and shares we have until we reach
-	// enough to verify the appropriate master key. Note that the same lock is
-	// used; this isn't time-critical so this shouldn't be a problem.
-	barrierRekeyConfig  *SealConfig
-	recoveryRekeyConfig *SealConfig
-	rekeyLock           sync.RWMutex
-
-	// mounts is loaded after unseal since it is a protected
-	// configuration
-	mounts *MountTable
-
-	// mountsLock is used to ensure that the mounts table does not
-	// change underneath a calling function
-	mountsLock locking.DeadlockRWMutex
-
-	// mountMigrationTracker tracks past and ongoing remount operations
-	// against their migration ids
-	mountMigrationTracker *sync.Map
-
-	// auth is loaded after unseal since it is a protected
-	// configuration
-	auth *MountTable
-
-	// authLock is used to ensure that the auth table does not
-	// change underneath a calling function
-	authLock locking.DeadlockRWMutex
-
-	// audit is loaded after unseal since it is a protected
-	// configuration
-	audit *MountTable
-
-	// auditLock is used to ensure that the audit table does not
-	// change underneath a calling function
-	auditLock sync.RWMutex
-
-	// auditBroker is used to ingest the audit events and fan
-	// out into the configured audit backends
-	auditBroker *AuditBroker
-
-	// auditedHeaders is used to configure which http headers
-	// can be output in the audit logs
-	auditedHeaders *AuditedHeadersConfig
-
-	// systemBackend is the backend which is used to manage internal operations
-	systemBackend   *SystemBackend
-	loginMFABackend *LoginMFABackend
-
-	// cubbyholeBackend is the backend which manages the per-token storage
-	cubbyholeBackend *CubbyholeBackend
-
-	// systemBarrierView is the barrier view for the system backend
-	systemBarrierView *BarrierView
-
-	// expiration manager is used for managing LeaseIDs,
-	// renewal, expiration and revocation
-	expiration *ExpirationManager
-
-	// rollback manager is used to run rollbacks periodically
-	rollback *RollbackManager
-
-	// policy store is used to manage named ACL policies
-	policyStore *PolicyStore
-
-	// token store is used to manage authentication tokens
-	tokenStore *TokenStore
-
-	// identityStore is used to manage client entities
-	identityStore *IdentityStore
-
-	// activityLog is used to track active client count
-	activityLog *ActivityLog
-	// activityLogLock protects the activityLog and activityLogConfig
-	activityLogLock sync.RWMutex
-
-	// metricsCh is used to stop the metrics streaming
-	metricsCh chan struct{}
-
-	// metricsMutex is used to prevent a race condition between
-	// metrics emission and sealing leading to a nil pointer
-	metricsMutex sync.Mutex
-
-	// inFlightReqMap is used to store info about in-flight requests
-	inFlightReqData *InFlightRequests
-
-	// mfaResponseAuthQueue is used to cache the auth response per request ID
-	mfaResponseAuthQueue     *LoginMFAPriorityQueue
-	mfaResponseAuthQueueLock sync.Mutex
-
-	// metricSink is the destination for all metrics that have
-	// a cluster label.
-	metricSink *metricsutil.ClusterMetricSink
-
-	defaultLeaseTTL time.Duration
-	maxLeaseTTL     time.Duration
-
-	// baseLogger is used to avoid ResetNamed as it strips useful prefixes in
-	// e.g. testing
-	baseLogger log.Logger
-	logger     log.Logger
-
-	// log level provided by config, CLI flag, or env
-	logLevel string
-
-	// Disables the trace display for Sentinel checks
-	sentinelTraceDisabled bool
-
-	// cachingDisabled indicates whether caches are disabled
-	cachingDisabled bool
-	// Cache stores the actual cache; we always have this but may bypass it if
-	// disabled
-	physicalCache physical.ToggleablePurgemonster
-
-	// logRequestsLevel indicates at which level requests should be logged
-	logRequestsLevel *uberAtomic.Int32
-
-	// reloadFuncs is a map containing reload functions
-	reloadFuncs map[string][]reloadutil.ReloadFunc
-
-	// reloadFuncsLock controls access to the funcs
-	reloadFuncsLock sync.RWMutex
-
-	// wrappingJWTKey is the key used for generating JWTs containing response
-	// wrapping information
-	wrappingJWTKey *ecdsa.PrivateKey
-
-	//
-	// Cluster information
-	//
-	// Name
-	clusterName string
-	// ID
-	clusterID uberAtomic.String
-	// Specific cipher suites to use for clustering, if any
-	clusterCipherSuites []uint16
-	// Used to modify cluster parameters
-	clusterParamsLock sync.RWMutex
-	// The private key stored in the barrier used for establishing
-	// mutually-authenticated connections between Vault cluster members
-	localClusterPrivateKey *atomic.Value
-	// The local cluster cert
-	localClusterCert *atomic.Value
-	// The parsed form of the local cluster cert
-	localClusterParsedCert *atomic.Value
-	// The TCP addresses we should use for clustering
-	clusterListenerAddrs []*net.TCPAddr
-	// The handler to use for request forwarding
-	clusterHandler http.Handler
-	// Write lock used to ensure that we don't have multiple connections adjust
-	// this value at the same time
-	requestForwardingConnectionLock sync.RWMutex
-	// Lock for the leader values, ensuring we don't run the parts of Leader()
-	// that change things concurrently
-	leaderParamsLock sync.RWMutex
-	// Current cluster leader values
-	clusterLeaderParams *atomic.Value
-	// Info on cluster members
-	clusterPeerClusterAddrsCache *cache.Cache
-	// The context for the client
-	rpcClientConnContext context.Context
-	// The function for canceling the client connection
-	rpcClientConnCancelFunc context.CancelFunc
-	// The grpc ClientConn for RPC calls
-	rpcClientConn *grpc.ClientConn
-	// The grpc forwarding client
-	rpcForwardingClient *forwardingClient
-	// The UUID used to hold the leader lock. Only set on active node
-	leaderUUID string
-
-	// CORS Information
-	corsConfig *CORSConfig
-
-	// replicationState keeps the current replication state cached for quick
-	// lookup; activeNodeReplicationState stores the active value on standbys
-	replicationState           *uint32
-	activeNodeReplicationState *uint32
-
-	// uiConfig contains UI configuration
-	uiConfig *UIConfig
-
-	// rawEnabled indicates whether the Raw endpoint is enabled
-	rawEnabled bool
-
-	// inspectableEnabled indicates whether the Inspect endpoint is enabled
-	introspectionEnabled     bool
-	introspectionEnabledLock sync.Mutex
-
-	// pluginDirectory is the location vault will look for plugin binaries
-	pluginDirectory string
-
-	// pluginFileUid is the uid of the plugin files and directory
-	pluginFileUid int
-
-	// pluginFilePermissions is the permissions of the plugin files and directory
-	pluginFilePermissions int
-
-	// pluginCatalog is used to manage plugin configurations
-	pluginCatalog *PluginCatalog
-
-	// pluginRuntimeCatalog is used to manage plugin runtime configurations
-	pluginRuntimeCatalog *PluginRuntimeCatalog
-
-	// The userFailedLoginInfo map has user failed login information.
-	// It has user information (alias-name and mount accessor) as a key
-	// and login counter, last failed login time as value
-	userFailedLoginInfo map[FailedLoginUser]*FailedLoginInfo
-
-	// userFailedLoginInfoLock controls access to the userFailedLoginInfoMap
-	userFailedLoginInfoLock sync.RWMutex
-
-	enableMlock bool
-
-	// This can be used to trigger operations to stop running when Vault is
-	// going to be shut down, stepped down, or sealed
-	activeContext           context.Context
-	activeContextCancelFunc *atomic.Value
-
-	// Stores the sealunwrapper for downgrade needs
-	sealUnwrapper physical.Backend
-
-	// unsealwithStoredKeysLock is a mutex that prevents multiple processes from
-	// unsealing with stored keys are the same time.
-	unsealWithStoredKeysLock sync.Mutex
-
-	// Stores any funcs that should be run on successful postUnseal
-	postUnsealFuncs []func()
-
-	// Stores any funcs that should be run on successful barrier unseal in
-	// recovery mode
-	postRecoveryUnsealFuncs []func() error
-
-	// replicationFailure is used to mark when replication has entered an
-	// unrecoverable failure.
-	replicationFailure *uint32
-
-	// disablePerfStanby is used to tell a standby not to attempt to become a
-	// perf standby
-	disablePerfStandby bool
-
-	licensingStopCh chan struct{}
-
-	// Stores loggers so we can reset the level
-	allLoggers     []log.Logger
-	allLoggersLock sync.RWMutex
-
-	// Can be toggled atomically to cause the core to never try to become
-	// active, or give up active as soon as it gets it
-	neverBecomeActive *uint32
-
-	// clusterListener starts up and manages connections on the cluster ports
-	clusterListener *atomic.Value
-
-	// customListenerHeader holds custom response headers for a listener
-	customListenerHeader *atomic.Value
-
-	// Telemetry objects
-	metricsHelper *metricsutil.MetricsHelper
-
-	// raftFollowerStates tracks information about all the raft follower nodes.
-	raftFollowerStates *raft.FollowerStates
-	// Stop channel for raft TLS rotations
-	raftTLSRotationStopCh chan struct{}
-	// Stores the pending peers we are waiting to give answers
-	pendingRaftPeers *sync.Map
-
-	// rawConfig stores the config as-is from the provided server configuration.
-	rawConfig *atomic.Value
-
-	coreNumber int
-
-	// secureRandomReader is the reader used for CSP operations
-	secureRandomReader io.Reader
-
-	recoveryMode bool
-
-	clusterNetworkLayer cluster.NetworkLayer
-
-	// PR1103disabled is used to test upgrade workflows: when set to true,
-	// the correct behaviour for namespaced cubbyholes is disabled, so we
-	// can test an upgrade to a version that includes the fixes from
-	// https://github.com/hashicorp/vault-enterprise/pull/1103
-	PR1103disabled bool
-
-	quotaManager *quotas.Manager
-
-	clusterHeartbeatInterval time.Duration
-
-	// activityLogConfig contains override values for the activity log
-	// it is protected by activityLogLock
-	activityLogConfig ActivityLogCoreConfig
-
-	censusConfig atomic.Value
-
-	// activeTime is set on active nodes indicating the time at which this node
-	// became active.
-	activeTime time.Time
-
-	// KeyRotateGracePeriod is how long we allow an upgrade path
-	// for standby instances before we delete the upgrade keys
-	keyRotateGracePeriod *int64
-
-	autoRotateCancel context.CancelFunc
-
-	updateLockedUserEntriesCancel context.CancelFunc
-
-	// number of workers to use for lease revocation in the expiration manager
-	numExpirationWorkers int
-
-	IndexHeaderHMACKey uberAtomic.Value
-
-	// disableAutopilot is used to disable the autopilot subsystem in raft storage
-	disableAutopilot bool
-
-	// enable/disable identifying response headers
-	enableResponseHeaderHostname   bool
-	enableResponseHeaderRaftNodeID bool
-
-	// disableSSCTokens is used to disable server side consistent token creation/usage
-	disableSSCTokens bool
-
-	// versionHistory is a map of vault versions to VaultVersion. The
-	// VaultVersion.TimestampInstalled when the version will denote when the version
-	// was first run. Note that because perf standbys should be upgraded first, and
-	// only the active node will actually write the new version timestamp, a perf
-	// standby shouldn't rely on the stored version timestamps being present.
-	versionHistory map[string]VaultVersion
-
-	// effectiveSDKVersion contains the SDK version that standby nodes should use when
-	// heartbeating with the active node. Default to the current SDK version.
-	effectiveSDKVersion string
-
-	numRollbackWorkers       int
-	rollbackPeriod           time.Duration
-	rollbackMountPathMetrics bool
-
-	experiments []string
-
-	pendingRemovalMountsAllowed bool
-	expirationRevokeRetryBase   time.Duration
-
-	events *eventbus.EventBus
-
-	// writeForwardedPaths are a set of storage paths which are GRPC forwarded
-	// to the active node of the primary cluster, when present. This PathManager
-	// contains absolute paths that we intend to forward (and template) when
-	// we're on a secondary cluster.
-	writeForwardedPaths *pathmanager.PathManager
-
-	// if populated, the callback is called for every request
-	// for testing purposes
-	requestResponseCallback func(logical.Backend, *logical.Request, *logical.Response)
-
-	// If any role based quota (LCQ or RLQ) is enabled, don't track lease counts by role
-	impreciseLeaseRoleTracking bool
-
-	WellKnownRedirects *wellKnownRedirectRegistry // RFC 5785
-	// Config value for "detect_deadlocks".
-	detectDeadlocks []string
-}
-
-// c.stateLock needs to be held in read mode before calling this function.
-func (c *Core) HAState() consts.HAState {
-	switch {
-	case c.perfStandby:
-		return consts.PerfStandby
-	case c.standby:
-		return consts.Standby
-	default:
-		return consts.Active
-	}
-}
-
-func (c *Core) HAStateWithLock() consts.HAState {
-	c.stateLock.RLock()
-	defer c.stateLock.RUnlock()
-
-	return c.HAState()
-}
-
-// CoreConfig is used to parameterize a core
-type CoreConfig struct {
-	entCoreConfig
-
-	DevToken string
-
-	BuiltinRegistry BuiltinRegistry
-
-	LogicalBackends map[string]logical.Factory
-
-	CredentialBackends map[string]logical.Factory
-
-	AuditBackends map[string]audit.Factory
-
-	Physical physical.Backend
-
-	StorageType string
-
-	// May be nil, which disables HA operations
-	HAPhysical physical.HABackend
-
-	ServiceRegistration sr.ServiceRegistration
-
-	// Seal is the configured seal, or if none is configured explicitly, a
-	// shamir seal.  In migration scenarios this is the new seal.
-	Seal Seal
-
-	// Unwrap seal is the optional seal marked "disabled"; this is the old
-	// seal in migration scenarios.
-	UnwrapSeal Seal
-
-	SecureRandomReader io.Reader
-
-	LogLevel string
-
-	Logger log.Logger
-
-	// Use the deadlocks library to detect deadlocks
-	DetectDeadlocks string
-
-	// If any role based quota (LCQ or RLQ) is enabled, don't track lease counts by role
-	ImpreciseLeaseRoleTracking bool
-
-	// Disables the trace display for Sentinel checks
-	DisableSentinelTrace bool
-
-	// Disables the LRU cache on the physical backend
-	DisableCache bool
-
-	// Disables mlock syscall
-	DisableMlock bool
-
-	// Custom cache size for the LRU cache on the physical backend, or zero for default
-	CacheSize int
-
-	// Set as the leader address for HA
-	RedirectAddr string
-
-	// Set as the cluster address for HA
-	ClusterAddr string
-
-	DefaultLeaseTTL time.Duration
-
-	MaxLeaseTTL time.Duration
-
-	ClusterName string
-
-	ClusterCipherSuites string
-
-	EnableUI bool
-
-	// Enable the raw endpoint
-	EnableRaw bool
-
-	// Enable the introspection endpoint
-	EnableIntrospection bool
-
-	PluginDirectory string
-
-	PluginFileUid int
-
-	PluginFilePermissions int
-
-	DisableSealWrap bool
-
-	RawConfig *server.Config
-
-	ReloadFuncs     *map[string][]reloadutil.ReloadFunc
-	ReloadFuncsLock *sync.RWMutex
-
-	// Licensing
-	License         string
-	LicensePath     string
-	LicensingConfig *LicensingConfig
-
-	// Configured Census Agent
-	CensusAgent CensusReporter
-
-	DisablePerformanceStandby bool
-	DisableIndexing           bool
-	DisableKeyEncodingChecks  bool
-
-	AllLoggers []log.Logger
-
-	// Telemetry objects
-	MetricsHelper *metricsutil.MetricsHelper
-	MetricSink    *metricsutil.ClusterMetricSink
-
-	RecoveryMode bool
-
-	ClusterNetworkLayer cluster.NetworkLayer
-
-	ClusterHeartbeatInterval time.Duration
-
-	// Activity log controls
-	ActivityLogConfig ActivityLogCoreConfig
-
-	// number of workers to use for lease revocation in the expiration manager
-	NumExpirationWorkers int
-
-	// DisableAutopilot is used to disable autopilot subsystem in raft storage
-	DisableAutopilot bool
-
-	// Whether to send headers in the HTTP response showing hostname or raft node ID
-	EnableResponseHeaderHostname   bool
-	EnableResponseHeaderRaftNodeID bool
-
-	// DisableSSCTokens is used to disable the use of server side consistent tokens
-	DisableSSCTokens bool
-
-	EffectiveSDKVersion string
-
-	RollbackPeriod time.Duration
-
-	Experiments []string
-
-	PendingRemovalMountsAllowed bool
-
-	ExpirationRevokeRetryBase time.Duration
-
-	// AdministrativeNamespacePath is used to configure the administrative namespace, which has access to some sys endpoints that are
-	// only accessible in the root namespace, currently sys/audit-hash and sys/monitor.
-	AdministrativeNamespacePath string
-
-	NumRollbackWorkers int
-}
-
-// GetServiceRegistration returns the config's ServiceRegistration, or nil if it does
-// not exist.
-func (c *CoreConfig) GetServiceRegistration() sr.ServiceRegistration {
-	// Check whether there is a ServiceRegistration explicitly configured
-	if c.ServiceRegistration != nil {
-		return c.ServiceRegistration
-	}
-
-	// Check if HAPhysical is configured and implements ServiceRegistration
-	if c.HAPhysical != nil && c.HAPhysical.HAEnabled() {
-		if disc, ok := c.HAPhysical.(sr.ServiceRegistration); ok {
-			return disc
-		}
-	}
-
-	// No service discovery is available.
-	return nil
-}
-
-// CreateCore conducts static validations on the Core Config
-// and returns an uninitialized core.
-func CreateCore(conf *CoreConfig) (*Core, error) {
-	if conf.HAPhysical != nil && conf.HAPhysical.HAEnabled() {
-		if conf.RedirectAddr == "" {
-			return nil, fmt.Errorf("missing API address, please set in configuration or via environment")
-		}
-	}
-
-	if conf.DefaultLeaseTTL == 0 {
-		conf.DefaultLeaseTTL = defaultLeaseTTL
-	}
-	if conf.MaxLeaseTTL == 0 {
-		conf.MaxLeaseTTL = maxLeaseTTL
-	}
-	if conf.DefaultLeaseTTL > conf.MaxLeaseTTL {
-		return nil, fmt.Errorf("cannot have DefaultLeaseTTL larger than MaxLeaseTTL")
-	}
-
-	// Validate the advertise addr if its given to us
-	if conf.RedirectAddr != "" {
-		u, err := url.Parse(conf.RedirectAddr)
-		if err != nil {
-			return nil, fmt.Errorf("redirect address is not valid url: %w", err)
-		}
-
-		if u.Scheme == "" {
-			return nil, fmt.Errorf("redirect address must include scheme (ex. 'http')")
-		}
-	}
-
-	// Make a default logger if not provided
-	if conf.Logger == nil {
-		conf.Logger = logging.NewVaultLogger(log.Trace)
-	}
-
-	// Make a default metric sink if not provided
-	if conf.MetricSink == nil {
-		conf.MetricSink = metricsutil.BlackholeSink()
-	}
-
-	// Instantiate a non-nil raw config if none is provided
-	if conf.RawConfig == nil {
-		conf.RawConfig = new(server.Config)
-	}
-
-	// secureRandomReader cannot be nil
-	if conf.SecureRandomReader == nil {
-		conf.SecureRandomReader = rand.Reader
-	}
-
-	clusterHeartbeatInterval := conf.ClusterHeartbeatInterval
-	if clusterHeartbeatInterval == 0 {
-		clusterHeartbeatInterval = 5 * time.Second
-	}
-
-	if conf.NumExpirationWorkers == 0 {
-		conf.NumExpirationWorkers = numExpirationWorkersDefault
-	}
-
-	if conf.NumRollbackWorkers == 0 {
-		conf.NumRollbackWorkers = RollbackDefaultNumWorkers
-	}
-
-	effectiveSDKVersion := conf.EffectiveSDKVersion
-	if effectiveSDKVersion == "" {
-		effectiveSDKVersion = version.GetVersion().Version
-	}
-
-	var detectDeadlocks []string
-	if conf.DetectDeadlocks != "" {
-		detectDeadlocks = strings.Split(conf.DetectDeadlocks, ",")
-		for k, v := range detectDeadlocks {
-			detectDeadlocks[k] = strings.ToLower(strings.TrimSpace(v))
-		}
-	}
-
-	// Use imported logging deadlock if requested
-	var stateLock locking.RWMutex
-	stateLock = &locking.SyncRWMutex{}
-
-	if slices.Contains(detectDeadlocks, "statelock") {
-		stateLock = &locking.DeadlockRWMutex{}
-	}
-
-	// Setup the core
-	c := &Core{
-		entCore:              entCore{},
-		devToken:             conf.DevToken,
-		physical:             conf.Physical,
-		serviceRegistration:  conf.GetServiceRegistration(),
-		underlyingPhysical:   conf.Physical,
-		storageType:          conf.StorageType,
-		redirectAddr:         conf.RedirectAddr,
-		clusterAddr:          new(atomic.Value),
-		clusterListener:      new(atomic.Value),
-		customListenerHeader: new(atomic.Value),
-		seal:                 conf.Seal,
-		stateLock:            stateLock,
-		router:               NewRouter(),
-		sealed:               new(uint32),
-		sealMigrationDone:    new(uint32),
-		standby:              true,
-		standbyStopCh:        new(atomic.Value),
-		baseLogger:           conf.Logger,
-		logger:               conf.Logger.Named("core"),
-		logLevel:             conf.LogLevel,
-
-		defaultLeaseTTL:                conf.DefaultLeaseTTL,
-		maxLeaseTTL:                    conf.MaxLeaseTTL,
-		sentinelTraceDisabled:          conf.DisableSentinelTrace,
-		cachingDisabled:                conf.DisableCache,
-		clusterName:                    conf.ClusterName,
-		clusterNetworkLayer:            conf.ClusterNetworkLayer,
-		clusterPeerClusterAddrsCache:   cache.New(3*clusterHeartbeatInterval, time.Second),
-		enableMlock:                    !conf.DisableMlock,
-		rawEnabled:                     conf.EnableRaw,
-		introspectionEnabled:           conf.EnableIntrospection,
-		shutdownDoneCh:                 new(atomic.Value),
-		replicationState:               new(uint32),
-		localClusterPrivateKey:         new(atomic.Value),
-		localClusterCert:               new(atomic.Value),
-		localClusterParsedCert:         new(atomic.Value),
-		activeNodeReplicationState:     new(uint32),
-		keepHALockOnStepDown:           new(uint32),
-		replicationFailure:             new(uint32),
-		disablePerfStandby:             true,
-		activeContextCancelFunc:        new(atomic.Value),
-		allLoggers:                     conf.AllLoggers,
-		builtinRegistry:                conf.BuiltinRegistry,
-		neverBecomeActive:              new(uint32),
-		clusterLeaderParams:            new(atomic.Value),
-		metricsHelper:                  conf.MetricsHelper,
-		metricSink:                     conf.MetricSink,
-		secureRandomReader:             conf.SecureRandomReader,
-		rawConfig:                      new(atomic.Value),
-		recoveryMode:                   conf.RecoveryMode,
-		postUnsealStarted:              new(uint32),
-		raftInfo:                       new(atomic.Value),
-		raftJoinDoneCh:                 make(chan struct{}),
-		clusterHeartbeatInterval:       clusterHeartbeatInterval,
-		activityLogConfig:              conf.ActivityLogConfig,
-		keyRotateGracePeriod:           new(int64),
-		numExpirationWorkers:           conf.NumExpirationWorkers,
-		raftFollowerStates:             raft.NewFollowerStates(),
-		disableAutopilot:               conf.DisableAutopilot,
-		enableResponseHeaderHostname:   conf.EnableResponseHeaderHostname,
-		enableResponseHeaderRaftNodeID: conf.EnableResponseHeaderRaftNodeID,
-		mountMigrationTracker:          &sync.Map{},
-		disableSSCTokens:               conf.DisableSSCTokens,
-		effectiveSDKVersion:            effectiveSDKVersion,
-		userFailedLoginInfo:            make(map[FailedLoginUser]*FailedLoginInfo),
-		experiments:                    conf.Experiments,
-		pendingRemovalMountsAllowed:    conf.PendingRemovalMountsAllowed,
-		expirationRevokeRetryBase:      conf.ExpirationRevokeRetryBase,
-		rollbackMountPathMetrics:       conf.MetricSink.TelemetryConsts.RollbackMetricsIncludeMountPoint,
-		numRollbackWorkers:             conf.NumRollbackWorkers,
-		impreciseLeaseRoleTracking:     conf.ImpreciseLeaseRoleTracking,
-		WellKnownRedirects:             NewWellKnownRedirects(),
-		detectDeadlocks:                detectDeadlocks,
-	}
-
-	c.standbyStopCh.Store(make(chan struct{}))
-	atomic.StoreUint32(c.sealed, 1)
-	c.metricSink.SetGaugeWithLabels([]string{"core", "unsealed"}, 0, nil)
-
-	c.shutdownDoneCh.Store(make(chan struct{}))
-
-	c.allLoggers = append(c.allLoggers, c.logger)
-
-	c.router.logger = c.logger.Named("router")
-	c.allLoggers = append(c.allLoggers, c.router.logger)
-
-	c.router.rollbackMetricsMountName = c.rollbackMountPathMetrics
-
-	c.inFlightReqData = &InFlightRequests{
-		InFlightReqMap:   &sync.Map{},
-		InFlightReqCount: uberAtomic.NewUint64(0),
-	}
-
-	c.SetConfig(conf.RawConfig)
-
-	atomic.StoreUint32(c.replicationState, uint32(consts.ReplicationDRDisabled|consts.ReplicationPerformanceDisabled))
-	c.localClusterCert.Store(([]byte)(nil))
-	c.localClusterParsedCert.Store((*x509.Certificate)(nil))
-	c.localClusterPrivateKey.Store((*ecdsa.PrivateKey)(nil))
-
-	c.clusterLeaderParams.Store((*ClusterLeaderParams)(nil))
-	c.clusterAddr.Store(conf.ClusterAddr)
-	c.activeContextCancelFunc.Store((context.CancelFunc)(nil))
-	atomic.StoreInt64(c.keyRotateGracePeriod, int64(2*time.Minute))
-
-	c.hcpLinkStatus = HCPLinkStatus{
-		lock:             sync.RWMutex{},
-		ConnectionStatus: "disconnected",
-	}
-
-	c.raftInfo.Store((*raftInformation)(nil))
-
-	switch conf.ClusterCipherSuites {
-	case "tls13", "tls12":
-		// Do nothing, let Go use the default
-
-	case "":
-		// Add in forward compatible TLS 1.3 suites, followed by handpicked 1.2 suites
-		c.clusterCipherSuites = []uint16{
-			// 1.3
-			tls.TLS_AES_128_GCM_SHA256,
-			tls.TLS_AES_256_GCM_SHA384,
-			tls.TLS_CHACHA20_POLY1305_SHA256,
-			// 1.2
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-		}
-
-	default:
-		suites, err := tlsutil.ParseCiphers(conf.ClusterCipherSuites)
-		if err != nil {
-			return nil, fmt.Errorf("error parsing cluster cipher suites: %w", err)
-		}
-		c.clusterCipherSuites = suites
-	}
-
-	// Load CORS config and provide a value for the core field.
-	c.corsConfig = &CORSConfig{
-		core:    c,
-		Enabled: new(uint32),
-	}
-
-	// Load write-forwarded path manager.
-	c.writeForwardedPaths = pathmanager.New()
-
-	// Load seal information.
-	if c.seal == nil {
-		wrapper := aeadwrapper.NewShamirWrapper()
-		wrapper.SetConfig(context.Background(), awskms.WithLogger(c.logger.Named("shamir")))
-
-		access, err := vaultseal.NewAccessFromWrapper(c.logger, wrapper, SealConfigTypeShamir.String())
-		if err != nil {
-			return nil, err
-		}
-		c.seal = NewDefaultSeal(access)
-	}
-	c.seal.SetCore(c)
-	return c, nil
-}
-
-// NewCore creates, initializes and configures a Vault node (core).
-func NewCore(conf *CoreConfig) (*Core, error) {
-	// NOTE: The order of configuration of the core has some importance, as we can
-	// make use of an early return if we are running this new core in recovery mode.
-	c, err := CreateCore(conf)
-	if err != nil {
-		return nil, err
-	}
-
-	err = coreInit(c, conf)
-	if err != nil {
-		return nil, err
-	}
-
-	switch {
-	case conf.DisableMlock:
-		// User configured that memory lock should be disabled on unix systems.
-	default:
-		err = mlock.LockMemory()
-		if err != nil {
-			return nil, fmt.Errorf(ErrMlockFailedTemplate, err)
-		}
-	}
-
-	// Construct a new AES-GCM barrier
-	c.barrier, err = NewAESGCMBarrier(c.physical)
-	if err != nil {
-		return nil, fmt.Errorf("barrier setup failed: %w", err)
-	}
-
-	err = c.entCheckStoredLicense(conf)
-	if err != nil {
-		return nil, err
-	}
-
-	// We create the funcs here, then populate the given config with it so that
-	// the caller can share state
-	conf.ReloadFuncsLock = &c.reloadFuncsLock
-	c.reloadFuncsLock.Lock()
-	c.reloadFuncs = make(map[string][]reloadutil.ReloadFunc)
-	c.reloadFuncsLock.Unlock()
-	conf.ReloadFuncs = &c.reloadFuncs
-
-	c.rollbackPeriod = conf.RollbackPeriod
-	if c.rollbackPeriod == 0 {
-		// Default to 1 minute
-		c.rollbackPeriod = 1 * time.Minute
-	}
-
-	// For recovery mode we've now configured enough to return early.
-	if c.recoveryMode {
-		return c, nil
-	}
-
-	if conf.PluginDirectory != "" {
-		c.pluginDirectory, err = filepath.Abs(conf.PluginDirectory)
-		if err != nil {
-			return nil, fmt.Errorf("core setup failed, could not verify plugin directory: %w", err)
-		}
-	}
-
-	if conf.PluginFileUid != 0 {
-		c.pluginFileUid = conf.PluginFileUid
-	}
-	if conf.PluginFilePermissions != 0 {
-		c.pluginFilePermissions = conf.PluginFilePermissions
-	}
-
-	// Create secondaries (this will only impact Enterprise versions of Vault)
-	c.createSecondaries(conf.Logger)
-
-	if conf.HAPhysical != nil && conf.HAPhysical.HAEnabled() {
-		c.ha = conf.HAPhysical
-	}
-
-	// MFA method
-	c.loginMFABackend = NewLoginMFABackend(c, conf.Logger)
-	if c.loginMFABackend.mfaLogger != nil {
-		c.AddLogger(c.loginMFABackend.mfaLogger)
-	}
-
-	// Logical backends
-	c.configureLogicalBackends(conf.LogicalBackends, conf.Logger, conf.AdministrativeNamespacePath)
-
-	// Credentials backends
-	c.configureCredentialsBackends(conf.CredentialBackends, conf.Logger)
-
-	// Audit backends
-	c.configureAuditBackends(conf.AuditBackends)
-
-	// UI
-	uiStoragePrefix := systemBarrierPrefix + "ui"
-	c.uiConfig = NewUIConfig(conf.EnableUI, physical.NewView(c.physical, uiStoragePrefix), NewBarrierView(c.barrier, uiStoragePrefix))
-
-	// Listeners
-	err = c.configureListeners(conf)
-	if err != nil {
-		return nil, err
-	}
-
-	// Log requests level
-	c.configureLogRequestsLevel(conf.RawConfig.LogRequestsLevel)
-
-	// Quotas
-	quotasLogger := conf.Logger.Named("quotas")
-	c.allLoggers = append(c.allLoggers, quotasLogger)
-
-	detectDeadlocks := slices.Contains(c.detectDeadlocks, "quotas")
-	c.quotaManager, err = quotas.NewManager(quotasLogger, c.quotaLeaseWalker, c.metricSink, detectDeadlocks)
-	if err != nil {
-		return nil, err
-	}
-
-	err = c.adjustForSealMigration(conf.UnwrapSeal)
-	if err != nil {
-		return nil, err
-	}
-
-	// Version history
-	if c.versionHistory == nil {
-		c.logger.Info("Initializing version history cache for core")
-		c.versionHistory = make(map[string]VaultVersion)
-	}
-
-	// Events
-	eventsLogger := conf.Logger.Named("events")
-	c.allLoggers = append(c.allLoggers, eventsLogger)
-	// start the event system
-	events, err := eventbus.NewEventBus(eventsLogger)
-	if err != nil {
-		return nil, err
-	}
-	c.events = events
-	c.events.Start()
-
-	return c, nil
-}
-
-// configureListeners configures the Core with the listeners from the CoreConfig.
-func (c *Core) configureListeners(conf *CoreConfig) error {
-	c.clusterListener.Store((*cluster.Listener)(nil))
-
-	if conf.RawConfig.Listeners == nil {
-		c.customListenerHeader.Store(([]*ListenerCustomHeaders)(nil))
-		return nil
-	}
-
-	uiHeaders, err := c.UIHeaders()
-	if err != nil {
-		return err
-	}
-
-	c.customListenerHeader.Store(NewListenerCustomHeader(conf.RawConfig.Listeners, c.logger, uiHeaders))
-
-	return nil
-}
-
-// configureLogRequestsLevel configures the Core with the supplied log requests level.
-func (c *Core) configureLogRequestsLevel(level string) {
-	c.logRequestsLevel = uberAtomic.NewInt32(0)
-
-	lvl := log.LevelFromString(level)
-
-	switch {
-	case lvl > log.NoLevel && lvl < log.Off:
-		c.logRequestsLevel.Store(int32(lvl))
-	case level != "":
-		c.logger.Warn("invalid log_requests_level", "level", level)
-	}
-}
-
-// configureAuditBackends configures the Core with the ability to create audit
-// backends for various types.
-func (c *Core) configureAuditBackends(backends map[string]audit.Factory) {
-	auditBackends := make(map[string]audit.Factory, len(backends))
-
-	for k, f := range backends {
-		auditBackends[k] = f
-	}
-
-	c.auditBackends = auditBackends
-}
-
-// configureCredentialsBackends configures the Core with the ability to create
-// credential backends for various types.
-func (c *Core) configureCredentialsBackends(backends map[string]logical.Factory, logger log.Logger) {
-	credentialBackends := make(map[string]logical.Factory, len(backends))
-
-	for k, f := range backends {
-		credentialBackends[k] = f
-	}
-
-	credentialBackends[mountTypeToken] = func(ctx context.Context, config *logical.BackendConfig) (logical.Backend, error) {
-		tsLogger := logger.Named("token")
-		c.AddLogger(tsLogger)
-		return NewTokenStore(ctx, tsLogger, c, config)
-	}
-
-	c.credentialBackends = credentialBackends
-
-	c.addExtraCredentialBackends()
-}
-
-// configureLogicalBackends configures the Core with the ability to create
-// logical backends for various types.
-func (c *Core) configureLogicalBackends(backends map[string]logical.Factory, logger log.Logger, adminNamespacePath string) {
-	logicalBackends := make(map[string]logical.Factory, len(backends))
-
-	for k, f := range backends {
-		logicalBackends[k] = f
-	}
-
-	// KV
-	_, ok := logicalBackends[mountTypeKV]
-	if !ok {
-		logicalBackends[mountTypeKV] = kv.Factory
-	}
-
-	// Cubbyhole
-	logicalBackends[mountTypeCubbyhole] = CubbyholeBackendFactory
-
-	// System
-	logicalBackends[mountTypeSystem] = func(ctx context.Context, config *logical.BackendConfig) (logical.Backend, error) {
-		sysBackendLogger := logger.Named("system")
-		c.AddLogger(sysBackendLogger)
-		b := NewSystemBackend(c, sysBackendLogger, config)
-		if err := b.Setup(ctx, config); err != nil {
-			return nil, err
-		}
-		return b, nil
-	}
-
-	// Identity
-	logicalBackends[mountTypeIdentity] = func(ctx context.Context, config *logical.BackendConfig) (logical.Backend, error) {
-		identityLogger := logger.Named("identity")
-		c.AddLogger(identityLogger)
-		return NewIdentityStore(ctx, c, config, identityLogger)
-	}
-
-	c.logicalBackends = logicalBackends
-
-	c.addExtraLogicalBackends(adminNamespacePath)
-}
-
-// handleVersionTimeStamps stores the current version at the current time to
-// storage, and then loads all versions and upgrade timestamps out from storage.
-func (c *Core) handleVersionTimeStamps(ctx context.Context) error {
-	currentTime := time.Now().UTC()
-
-	vaultVersion := &VaultVersion{
-		TimestampInstalled: currentTime,
-		Version:            version.Version,
-		BuildDate:          version.BuildDate,
-	}
-
-	isUpdated, err := c.storeVersionEntry(ctx, vaultVersion, false)
-	if err != nil {
-		return fmt.Errorf("error storing vault version: %w", err)
-	}
-	if isUpdated {
-		c.logger.Info("Recorded vault version", "vault version", version.Version, "upgrade time", currentTime, "build date", version.BuildDate)
-	}
-
-	// Finally, repopulate the version history cache
-	err = c.loadVersionHistory(ctx)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// HostnameHeaderEnabled determines whether to add the X-Vault-Hostname header
-// to HTTP responses.
-func (c *Core) HostnameHeaderEnabled() bool {
-	return c.enableResponseHeaderHostname
-}
-
-// RaftNodeIDHeaderEnabled determines whether to add the X-Vault-Raft-Node-ID header
-// to HTTP responses.
-func (c *Core) RaftNodeIDHeaderEnabled() bool {
-	return c.enableResponseHeaderRaftNodeID
-}
-
-// DisableSSCTokens determines whether to use server side consistent tokens or not.
-func (c *Core) DisableSSCTokens() bool {
-	return c.disableSSCTokens
-}
-
-// ShutdownCoreError logs a shutdown error and shuts down the Vault core.
-func (c *Core) ShutdownCoreError(err error) {
-	c.Logger().Error("shutting down core", "error", err)
-	if shutdownErr := c.ShutdownWait(); shutdownErr != nil {
-		c.Logger().Error("failed to shutdown core", "error", shutdownErr)
-	}
-}
-
-// Shutdown is invoked when the Vault instance is about to be terminated. It
-// should not be accessible as part of an API call as it will cause an availability
-// problem. It is only used to gracefully quit in the case of HA so that failover
-// happens as quickly as possible.
-func (c *Core) Shutdown() error {
-	c.logger.Debug("shutdown called")
-	err := c.sealInternal()
-
-	c.stateLock.Lock()
-	defer c.stateLock.Unlock()
-
-	doneCh := c.shutdownDoneCh.Load().(chan struct{})
-	if doneCh != nil {
-		close(doneCh)
-		c.shutdownDoneCh.Store((chan struct{})(nil))
-	}
-
-	return err
-}
-
-func (c *Core) ShutdownWait() error {
-	donech := c.ShutdownDone()
-	err := c.Shutdown()
-	if donech != nil {
-		<-donech
-	}
-	return err
-}
-
-// ShutdownDone returns a channel that will be closed after Shutdown completes
-func (c *Core) ShutdownDone() <-chan struct{} {
-	return c.shutdownDoneCh.Load().(chan struct{})
-}
-
-// CORSConfig returns the current CORS configuration
-func (c *Core) CORSConfig() *CORSConfig {
-	return c.corsConfig
-}
-
-func (c *Core) GetContext() (context.Context, context.CancelFunc) {
-	c.stateLock.RLock()
-	defer c.stateLock.RUnlock()
-
-	return context.WithCancel(namespace.RootContext(c.activeContext))
-}
-
-// Sealed checks if the Vault is current sealed
-func (c *Core) Sealed() bool {
-	return atomic.LoadUint32(c.sealed) == 1
-}
-
-// SecretProgress returns the number of keys provided so far. Lock
-// should only be false if the caller is already holding the read
-// statelock (such as calls originating from switchedLockHandleRequest).
-func (c *Core) SecretProgress(lock bool) (int, string) {
-	if lock {
-		c.stateLock.RLock()
-		defer c.stateLock.RUnlock()
-	}
-	switch c.unlockInfo {
-	case nil:
-		return 0, ""
-	default:
-		return len(c.unlockInfo.Parts), c.unlockInfo.Nonce
-	}
-}
-
-// ResetUnsealProcess removes the current unlock parts from memory, to reset
-// the unsealing process
-func (c *Core) ResetUnsealProcess() {
-	c.stateLock.Lock()
-	defer c.stateLock.Unlock()
-	c.unlockInfo = nil
-}
-
-func (c *Core) UnsealMigrate(key []byte) (bool, error) {
-	err := c.unsealFragment(key, true)
-	return !c.Sealed(), err
-}
-
-// Unseal is used to provide one of the key parts to unseal the Vault.
-func (c *Core) Unseal(key []byte) (bool, error) {
-	err := c.unsealFragment(key, false)
-	return !c.Sealed(), err
-}
-
-// unseal takes a key fragment and attempts to use it to unseal Vault.
-// Vault may remain sealed afterwards even when no error is returned,
-// depending on whether enough key fragments were provided to meet the
-// target threshold.
-//
-// The provided key should be a recovery key fragment if the seal
-// is an autoseal, or a regular seal key fragment for shamir.  In
-// migration scenarios "seal" in the preceding sentence refers to
-// the migration seal in c.migrationInfo.seal.
-//
-// We use getUnsealKey to work out if we have enough fragments,
-// and if we don't have enough we return early.  Otherwise we get
-// back the combined key.
-//
-// For legacy shamir the combined key *is* the master key.  For
-// shamir the combined key is used to decrypt the master key
-// read from storage.  For autoseal the combined key isn't used
-// except to verify that the stored recovery key matches.
-//
-// In migration scenarios a side-effect of unsealing is that
-// the members of c.migrationInfo are populated (excluding
-// .seal, which must already be populated before unseal is called.)
-func (c *Core) unsealFragment(key []byte, migrate bool) error {
-	defer metrics.MeasureSince([]string{"core", "unseal"}, time.Now())
-
-	c.stateLock.Lock()
-	defer c.stateLock.Unlock()
-
-	ctx := context.Background()
-
-	if migrate && c.migrationInfo == nil {
-		return fmt.Errorf("can't perform a seal migration, no migration seal found")
-	}
-	if migrate && c.isRaftUnseal() {
-		return fmt.Errorf("can't perform a seal migration while joining a raft cluster")
-	}
-	if !migrate && c.migrationInfo != nil {
-		done, err := c.sealMigrated(ctx)
-		if err != nil {
-			return fmt.Errorf("error checking to see if seal is migrated: %w", err)
-		}
-		if !done {
-			return fmt.Errorf("migrate option not provided and seal migration is pending")
-		}
-	}
-
-	c.logger.Debug("unseal key supplied", "migrate", migrate)
-
-	// Explicitly check for init status. This also checks if the seal
-	// configuration is valid (i.e. non-nil).
-	init, err := c.Initialized(ctx)
-	if err != nil {
-		return err
-	}
-	if !init && !c.isRaftUnseal() {
-		return ErrNotInit
-	}
-
-	// Verify the key length
-	min, max := c.barrier.KeyLength()
-	max += shamir.ShareOverhead
-	if len(key) < min {
-		return &ErrInvalidKey{fmt.Sprintf("key is shorter than minimum %d bytes", min)}
-	}
-	if len(key) > max {
-		return &ErrInvalidKey{fmt.Sprintf("key is longer than maximum %d bytes", max)}
-	}
-
-	// Check if already unsealed
-	if !c.Sealed() {
-		return nil
-	}
-
-	sealToUse := c.seal
-	if migrate {
-		c.logger.Info("unsealing using migration seal")
-		sealToUse = c.migrationInfo.seal
-	}
-
-	newKey, err := c.recordUnsealPart(key)
-	if !newKey || err != nil {
-		return err
-	}
-
-	// getUnsealKey returns either a recovery key (in the case of an autoseal)
-	// or a master key (legacy shamir) or an unseal key (new-style shamir).
-	combinedKey, err := c.getUnsealKey(ctx, sealToUse)
-	if err != nil || combinedKey == nil {
-		return err
-	}
-	if migrate {
-		c.migrationInfo.unsealKey = combinedKey
-	}
-
-	if c.isRaftUnseal() {
-		return c.unsealWithRaft(combinedKey)
-	}
-	masterKey, err := c.unsealKeyToMasterKeyPreUnseal(ctx, sealToUse, combinedKey)
-	if err != nil {
-		return err
-	}
-	return c.unsealInternal(ctx, masterKey)
-}
-
-func (c *Core) unsealWithRaft(combinedKey []byte) error {
-	ctx := context.Background()
-
-	if c.seal.BarrierSealConfigType() == SealConfigTypeShamir {
-		// If this is a legacy shamir seal this serves no purpose but it
-		// doesn't hurt.
-		err := c.seal.GetAccess().SetShamirSealKey(combinedKey)
-		if err != nil {
-			return err
-		}
-	}
-
-	raftInfo := c.raftInfo.Load().(*raftInformation)
-
-	switch raftInfo.joinInProgress {
-	case true:
-		// JoinRaftCluster is already trying to perform a join based on retry_join configuration.
-		// Inform that routine that unseal key validation is complete so that it can continue to
-		// try and join possible leader nodes, and wait for it to complete.
-
-		atomic.StoreUint32(c.postUnsealStarted, 1)
-
-		c.logger.Info("waiting for raft retry join process to complete")
-		<-c.raftJoinDoneCh
-
-	default:
-		// This is the case for manual raft join. Send the answer to the leader node and
-		// wait for data to start streaming in.
-		if err := c.joinRaftSendAnswer(ctx, c.seal.GetAccess(), raftInfo); err != nil {
-			return err
-		}
-		// Reset the state
-		c.raftInfo.Store((*raftInformation)(nil))
-	}
-
-	go func() {
-		var masterKey []byte
-		keyringFound := false
-
-		// Wait until we at least have the keyring before we attempt to
-		// unseal the node.
-		for {
-			if !keyringFound {
-				keys, err := c.underlyingPhysical.List(ctx, keyringPrefix)
-				if err != nil {
-					c.logger.Error("failed to list physical keys", "error", err)
-					return
-				}
-				if strutil.StrListContains(keys, "keyring") {
-					keyringFound = true
-				}
-			}
-			if keyringFound && len(masterKey) == 0 {
-				var err error
-				masterKey, err = c.unsealKeyToMasterKeyPreUnseal(ctx, c.seal, combinedKey)
-				if err != nil {
-					c.logger.Error("failed to read master key", "error", err)
-					return
-				}
-			}
-			if keyringFound && len(masterKey) > 0 {
-				err := c.unsealInternal(ctx, masterKey)
-				if err != nil {
-					c.logger.Error("failed to unseal", "error", err)
-				}
-				return
-			}
-			time.Sleep(1 * time.Second)
-		}
-	}()
-
-	return nil
-}
-
-// recordUnsealPart takes in a key fragment, and returns true if it's a new fragment.
-func (c *Core) recordUnsealPart(key []byte) (bool, error) {
-	// Check if we already have this piece
-	if c.unlockInfo != nil {
-		for _, existing := range c.unlockInfo.Parts {
-			if subtle.ConstantTimeCompare(existing, key) == 1 {
-				return false, nil
-			}
-		}
-	} else {
-		uuid, err := uuid.GenerateUUID()
-		if err != nil {
-			return false, err
-		}
-		c.unlockInfo = &unlockInformation{
-			Nonce: uuid,
-		}
-	}
-
-	// Store this key
-	c.unlockInfo.Parts = append(c.unlockInfo.Parts, key)
-	return true, nil
-}
-
-// getUnsealKey uses key fragments recorded by recordUnsealPart and
-// returns the combined key if the key share threshold is met.
-// If the key fragments are part of a recovery key, also verify that
-// it matches the stored recovery key on disk.
-func (c *Core) getUnsealKey(ctx context.Context, seal Seal) ([]byte, error) {
-	var config *SealConfig
-	var err error
-
-	raftInfo := c.raftInfo.Load().(*raftInformation)
-
-	switch {
-	case seal.RecoveryKeySupported():
-		config, err = seal.RecoveryConfig(ctx)
-	case c.isRaftUnseal():
-		// Ignore follower's seal config and refer to leader's barrier
-		// configuration.
-		config = raftInfo.leaderBarrierConfig
-	default:
-		config, err = seal.BarrierConfig(ctx)
-	}
-	if err != nil {
-		return nil, err
-	}
-	if config == nil {
-		return nil, fmt.Errorf("failed to obtain seal/recovery configuration")
-	}
-
-	// Check if we don't have enough keys to unlock, proceed through the rest of
-	// the call only if we have met the threshold
-	if len(c.unlockInfo.Parts) < config.SecretThreshold {
-		if c.logger.IsDebug() {
-			c.logger.Debug("cannot unseal, not enough keys", "keys", len(c.unlockInfo.Parts), "threshold", config.SecretThreshold, "nonce", c.unlockInfo.Nonce)
-		}
-		return nil, nil
-	}
-
-	defer func() {
-		c.unlockInfo = nil
-	}()
-
-	// Recover the split key. recoveredKey is the shamir combined
-	// key, or the single provided key if the threshold is 1.
-	var unsealKey []byte
-	if config.SecretThreshold == 1 {
-		unsealKey = make([]byte, len(c.unlockInfo.Parts[0]))
-		copy(unsealKey, c.unlockInfo.Parts[0])
-	} else {
-		unsealKey, err = shamir.Combine(c.unlockInfo.Parts)
-		if err != nil {
-			return nil, &ErrInvalidKey{fmt.Sprintf("failed to compute combined key: %v", err)}
-		}
-	}
-
-	if seal.RecoveryKeySupported() {
-		if err := seal.VerifyRecoveryKey(ctx, unsealKey); err != nil {
-			return nil, &ErrInvalidKey{fmt.Sprintf("failed to verify recovery key: %v", err)}
-		}
-	}
-
-	return unsealKey, nil
-}
-
-// sealMigrated must be called with the stateLock held.  It returns true if
-// the seal configured in HCL and the seal configured in storage match.
-// For the auto->auto same seal migration scenario, it will return false even
-// if the preceding conditions are true but we cannot decrypt the master key
-// in storage using the configured seal.
-func (c *Core) sealMigrated(ctx context.Context) (bool, error) {
-	if atomic.LoadUint32(c.sealMigrationDone) == 1 {
-		return true, nil
-	}
-
-	existBarrierSealConfig, existRecoverySealConfig, err := c.PhysicalSealConfigs(ctx)
-	if err != nil {
-		return false, err
-	}
-
-	if !c.seal.BarrierSealConfigType().IsSameAs(existBarrierSealConfig.Type) {
-		return false, nil
-	}
-	if c.seal.RecoveryKeySupported() && !SealConfigTypeRecovery.IsSameAs(existRecoverySealConfig.Type) {
-		return false, nil
-	}
-
-	if c.seal.BarrierSealConfigType() != c.migrationInfo.seal.BarrierSealConfigType() {
-		return true, nil
-	}
-
-	// The above checks can handle the auto->shamir and shamir->auto
-	// and auto1->auto2 cases.  For auto1->auto1, we need to actually try
-	// to read and decrypt the keys.
-
-	keysMig, errMig := c.migrationInfo.seal.GetStoredKeys(ctx)
-	keys, err := c.seal.GetStoredKeys(ctx)
-
-	switch {
-	case len(keys) > 0 && err == nil:
-		return true, nil
-	case len(keysMig) > 0 && errMig == nil:
-		return false, nil
-	case errors.Is(err, &ErrDecrypt{}) && errors.Is(errMig, &ErrDecrypt{}):
-		return false, fmt.Errorf("decrypt error, neither the old nor new seal can read stored keys: old seal err=%v, new seal err=%v", errMig, err)
-	default:
-		return false, fmt.Errorf("neither the old nor new seal can read stored keys: old seal err=%v, new seal err=%v", errMig, err)
-	}
-}
-
-// migrateSeal must be called with the stateLock held.
-func (c *Core) migrateSeal(ctx context.Context) error {
-	if c.migrationInfo == nil {
-		// There is no defaultSeal <-> autoSeal migration, but we may need to
-		// migrate seal configuration from single <-> multi autoSeal
-		return c.migrateMultiSealConfig(ctx)
-	}
-
-	ok, err := c.sealMigrated(ctx)
-	if err != nil {
-		return fmt.Errorf("error checking if seal is migrated or not: %w", err)
-	}
-
-	if ok {
-		c.logger.Info("migration is already performed")
-		return nil
-	}
-
-	c.logger.Info("seal migration initiated")
-
-	switch {
-	case c.migrationInfo.seal.RecoveryKeySupported() && c.seal.RecoveryKeySupported():
-		c.logger.Info("migrating from one auto-unseal to another", "from",
-			c.migrationInfo.seal.BarrierSealConfigType(), "to", c.seal.BarrierSealConfigType())
-
-		// Set the recovery and barrier keys to be the same.
-		recoveryKey, err := c.migrationInfo.seal.RecoveryKey(ctx)
-		if err != nil {
-			return fmt.Errorf("error getting recovery key to set on new seal: %w", err)
-		}
-
-		if err := c.seal.SetRecoveryKey(ctx, recoveryKey); err != nil {
-			return fmt.Errorf("error setting new recovery key information during migrate: %w", err)
-		}
-
-		barrierKeys, err := c.migrationInfo.seal.GetStoredKeys(ctx)
-		if err != nil {
-			return fmt.Errorf("error getting stored keys to set on new seal: %w", err)
-		}
-
-		if err := c.seal.SetStoredKeys(ctx, barrierKeys); err != nil {
-			return fmt.Errorf("error setting new barrier key information during migrate: %w", err)
-		}
-
-	case c.migrationInfo.seal.RecoveryKeySupported():
-		c.logger.Info("migrating from one auto-unseal to shamir", "from", c.migrationInfo.seal.BarrierSealConfigType())
-		// Auto to Shamir, since recovery key isn't supported on new seal
-
-		recoveryKey, err := c.migrationInfo.seal.RecoveryKey(ctx)
-		if err != nil {
-			return fmt.Errorf("error getting recovery key to set on new seal: %w", err)
-		}
-
-		// We have recovery keys; we're going to use them as the new shamir KeK.
-		err = c.seal.GetAccess().SetShamirSealKey(recoveryKey)
-		if err != nil {
-			return fmt.Errorf("failed to set master key in seal: %w", err)
-		}
-
-		barrierKeys, err := c.migrationInfo.seal.GetStoredKeys(ctx)
-		if err != nil {
-			return fmt.Errorf("error getting stored keys to set on new seal: %w", err)
-		}
-
-		if err := c.seal.SetStoredKeys(ctx, barrierKeys); err != nil {
-			return fmt.Errorf("error setting new barrier key information during migrate: %w", err)
-		}
-
-	case c.seal.RecoveryKeySupported():
-		c.logger.Info("migrating from shamir to auto-unseal", "to", c.seal.BarrierSealConfigType())
-		// Migration is happening from shamir -> auto. In this case use the shamir
-		// combined key that was used to store the master key as the new recovery key.
-		if err := c.seal.SetRecoveryKey(ctx, c.migrationInfo.unsealKey); err != nil {
-			return fmt.Errorf("error setting new recovery key information: %w", err)
-		}
-
-		// Generate a new master key
-		newMasterKey, err := c.barrier.GenerateKey(c.secureRandomReader)
-		if err != nil {
-			return fmt.Errorf("error generating new master key: %w", err)
-		}
-
-		// Rekey the barrier.  This handles the case where the shamir seal we're
-		// migrating from was a legacy seal without a stored master key.
-		if err := c.barrier.Rekey(ctx, newMasterKey); err != nil {
-			return fmt.Errorf("error rekeying barrier during migration: %w", err)
-		}
-
-		// Store the new master key
-		if err := c.seal.SetStoredKeys(ctx, [][]byte{newMasterKey}); err != nil {
-			return fmt.Errorf("error storing new master key: %w", err)
-		}
-
-	default:
-		return errors.New("unhandled migration case (shamir to shamir)")
-	}
-
-	err = c.migrateSealConfig(ctx)
-	if err != nil {
-		return fmt.Errorf("error storing new seal configs: %w", err)
-	}
-
-	// Flag migration performed for seal-rewrap later
-	atomic.StoreUint32(c.sealMigrationDone, 1)
-
-	c.logger.Info("seal migration complete")
-	return nil
-}
-
-// unsealInternal takes in the master key and attempts to unseal the barrier.
-// N.B.: This must be called with the state write lock held.
-func (c *Core) unsealInternal(ctx context.Context, masterKey []byte) error {
-	// Attempt to unlock
-	if err := c.barrier.Unseal(ctx, masterKey); err != nil {
-		return err
-	}
-
-	if err := preUnsealInternal(ctx, c); err != nil {
-		return err
-	}
-
-	if err := c.startClusterListener(ctx); err != nil {
-		return err
-	}
-
-	if err := c.startRaftBackend(ctx); err != nil {
-		return err
-	}
-
-	if err := c.setupReplicationResolverHandler(); err != nil {
-		c.logger.Warn("failed to start replication resolver server", "error", err)
-	}
-
-	// Do post-unseal setup if HA is not enabled
-	if c.ha == nil {
-		// We still need to set up cluster info even if it's not part of a
-		// cluster right now. This also populates the cached cluster object.
-		if err := c.setupCluster(ctx); err != nil {
-			c.logger.Error("cluster setup failed", "error", err)
-			c.barrier.Seal()
-			c.logger.Warn("vault is sealed")
-			return err
-		}
-
-		if err := c.migrateSeal(ctx); err != nil {
-			c.logger.Error("seal migration error", "error", err)
-			c.barrier.Seal()
-			c.logger.Warn("vault is sealed")
-			return err
-		}
-
-		ctx, ctxCancel := context.WithCancel(namespace.RootContext(nil))
-		if err := c.postUnseal(ctx, ctxCancel, standardUnsealStrategy{}); err != nil {
-			c.logger.Error("post-unseal setup failed", "error", err)
-			c.barrier.Seal()
-			c.logger.Warn("vault is sealed")
-			return err
-		}
-
-		// Force a cache bust here, which will also run migration code
-		if c.seal.RecoveryKeySupported() {
-			c.seal.ClearRecoveryConfig(ctx)
-		}
-
-		c.standby = false
-	} else {
-		// Go to standby mode, wait until we are active to unseal
-		c.standbyDoneCh = make(chan struct{})
-		c.manualStepDownCh = make(chan struct{}, 1)
-		c.standbyStopCh.Store(make(chan struct{}))
-		go c.runStandby(c.standbyDoneCh, c.manualStepDownCh, c.standbyStopCh.Load().(chan struct{}))
-	}
-
-	// Success!
-	atomic.StoreUint32(c.sealed, 0)
-	c.metricSink.SetGaugeWithLabels([]string{"core", "unsealed"}, 1, nil)
-
-	if c.logger.IsInfo() {
-		c.logger.Info("vault is unsealed")
-	}
-
-	if c.serviceRegistration != nil {
-		if err := c.serviceRegistration.NotifySealedStateChange(false); err != nil {
-			if c.logger.IsWarn() {
-				c.logger.Warn("failed to notify unsealed status", "error", err)
-			}
-		}
-		if err := c.serviceRegistration.NotifyInitializedStateChange(true); err != nil {
-			if c.logger.IsWarn() {
-				c.logger.Warn("failed to notify initialized status", "error", err)
-			}
-		}
-	}
-	return nil
-}
-
-// SealWithRequest takes in a logical.Request, acquires the lock, and passes
-// through to sealInternal
-func (c *Core) SealWithRequest(httpCtx context.Context, req *logical.Request) error {
-	defer metrics.MeasureSince([]string{"core", "seal-with-request"}, time.Now())
-
-	if c.Sealed() {
-		return nil
-	}
-
-	c.stateLock.RLock()
-
-	// This will unlock the read lock
-	// We use background context since we may not be active
-	ctx, cancel := context.WithCancel(namespace.RootContext(nil))
-	defer cancel()
-
-	go func() {
-		select {
-		case <-ctx.Done():
-		case <-httpCtx.Done():
-			cancel()
-		}
-	}()
-
-	// This will unlock the read lock
-	return c.sealInitCommon(ctx, req)
-}
-
-// Seal takes in a token and creates a logical.Request, acquires the lock, and
-// passes through to sealInternal
-func (c *Core) Seal(token string) error {
-	defer metrics.MeasureSince([]string{"core", "seal"}, time.Now())
-
-	if c.Sealed() {
-		return nil
-	}
-
-	c.stateLock.RLock()
-
-	req := &logical.Request{
-		Operation:   logical.UpdateOperation,
-		Path:        "sys/seal",
-		ClientToken: token,
-	}
-
-	// This will unlock the read lock
-	// We use background context since we may not be active
-	return c.sealInitCommon(namespace.RootContext(nil), req)
-}
-
-// sealInitCommon is common logic for Seal and SealWithRequest and is used to
-// re-seal the Vault. This requires the Vault to be unsealed again to perform
-// any further operations. Note: this function will read-unlock the state lock.
-func (c *Core) sealInitCommon(ctx context.Context, req *logical.Request) (retErr error) {
-	defer metrics.MeasureSince([]string{"core", "seal-internal"}, time.Now())
-
-	var unlocked bool
-	defer func() {
-		if !unlocked {
-			c.stateLock.RUnlock()
-		}
-	}()
-
-	if req == nil {
-		return errors.New("nil request to seal")
-	}
-
-	// Since there is no token store in standby nodes, sealing cannot be done.
-	// Ideally, the request has to be forwarded to leader node for validation
-	// and the operation should be performed. But for now, just returning with
-	// an error and recommending a vault restart, which essentially does the
-	// same thing.
-	if c.standby {
-		c.logger.Error("vault cannot seal when in standby mode; please restart instead")
-		return errors.New("vault cannot seal when in standby mode; please restart instead")
-	}
-
-	err := c.PopulateTokenEntry(ctx, req)
-	if err != nil {
-		if errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
-			return logical.ErrPermissionDenied
-		}
-		return logical.ErrInvalidRequest
-	}
-	acl, te, entity, identityPolicies, err := c.fetchACLTokenEntryAndEntity(ctx, req)
-	if err != nil {
-		return err
-	}
-
-	// Audit-log the request before going any further
-	auth := &logical.Auth{
-		ClientToken: req.ClientToken,
-		Accessor:    req.ClientTokenAccessor,
-	}
-	if te != nil {
-		auth.IdentityPolicies = identityPolicies[te.NamespaceID]
-		delete(identityPolicies, te.NamespaceID)
-		auth.ExternalNamespacePolicies = identityPolicies
-		auth.TokenPolicies = te.Policies
-		auth.Policies = append(te.Policies, identityPolicies[te.NamespaceID]...)
-		auth.Metadata = te.Meta
-		auth.DisplayName = te.DisplayName
-		auth.EntityID = te.EntityID
-		auth.TokenType = te.Type
-	}
-
-	logInput := &logical.LogInput{
-		Auth:    auth,
-		Request: req,
-	}
-	if err := c.auditBroker.LogRequest(ctx, logInput, c.auditedHeaders); err != nil {
-		c.logger.Error("failed to audit request", "request_path", req.Path, "error", err)
-		return errors.New("failed to audit request, cannot continue")
-	}
-
-	if entity != nil && entity.Disabled {
-		c.logger.Warn("permission denied as the entity on the token is disabled")
-		return logical.ErrPermissionDenied
-	}
-	if te != nil && te.EntityID != "" && entity == nil {
-		c.logger.Warn("permission denied as the entity on the token is invalid")
-		return logical.ErrPermissionDenied
-	}
-
-	// Attempt to use the token (decrement num_uses)
-	// On error bail out; if the token has been revoked, bail out too
-	if te != nil {
-		te, err = c.tokenStore.UseToken(ctx, te)
-		if err != nil {
-			c.logger.Error("failed to use token", "error", err)
-			return ErrInternalError
-		}
-		if te == nil {
-			// Token is no longer valid
-			return logical.ErrPermissionDenied
-		}
-	}
-
-	// Verify that this operation is allowed
-	authResults := c.performPolicyChecks(ctx, acl, te, req, entity, &PolicyCheckOpts{
-		RootPrivsRequired: true,
-	})
-	if !authResults.Allowed {
-		retErr = multierror.Append(retErr, authResults.Error)
-		if authResults.Error.ErrorOrNil() == nil || authResults.DeniedError {
-			retErr = multierror.Append(retErr, logical.ErrPermissionDenied)
-		}
-		return retErr
-	}
-
-	if te != nil && te.NumUses == tokenRevocationPending {
-		// Token needs to be revoked. We do this immediately here because
-		// we won't have a token store after sealing.
-		leaseID, err := c.expiration.CreateOrFetchRevocationLeaseByToken(c.activeContext, te)
-		if err == nil {
-			err = c.expiration.Revoke(c.activeContext, leaseID)
-		}
-		if err != nil {
-			c.logger.Error("token needed revocation before seal but failed to revoke", "error", err)
-			retErr = multierror.Append(retErr, ErrInternalError)
-		}
-	}
-
-	// Unlock; sealing will grab the lock when needed
-	unlocked = true
-	c.stateLock.RUnlock()
-
-	sealErr := c.sealInternal()
-
-	if sealErr != nil {
-		retErr = multierror.Append(retErr, sealErr)
-	}
-
-	return
-}
-
-// UIEnabled returns if the UI is enabled
-func (c *Core) UIEnabled() bool {
-	return c.uiConfig.Enabled()
-}
-
-// UIHeaders returns configured UI headers
-func (c *Core) UIHeaders() (http.Header, error) {
-	return c.uiConfig.Headers(context.Background())
-}
-
-// sealInternal is an internal method used to seal the vault.  It does not do
-// any authorization checking.
-func (c *Core) sealInternal() error {
-	return c.sealInternalWithOptions(true, false, true)
-}
-
-func (c *Core) sealInternalWithOptions(grabStateLock, keepHALock, performCleanup bool) error {
-	// Mark sealed, and if already marked return
-	if swapped := atomic.CompareAndSwapUint32(c.sealed, 0, 1); !swapped {
-		return nil
-	}
-	c.metricSink.SetGaugeWithLabels([]string{"core", "unsealed"}, 0, nil)
-
-	c.logger.Info("marked as sealed")
-
-	// Clear forwarding clients
-	c.requestForwardingConnectionLock.Lock()
-	c.clearForwardingClients()
-	c.requestForwardingConnectionLock.Unlock()
-
-	activeCtxCancel := c.activeContextCancelFunc.Load().(context.CancelFunc)
-	cancelCtxAndLock := func() {
-		doneCh := make(chan struct{})
-		go func() {
-			select {
-			case <-doneCh:
-			// Attempt to drain any inflight requests
-			case <-time.After(DefaultMaxRequestDuration):
-				if activeCtxCancel != nil {
-					activeCtxCancel()
-				}
-			}
-		}()
-
-		c.stateLock.Lock()
-		close(doneCh)
-		// Stop requests from processing
-		if activeCtxCancel != nil {
-			activeCtxCancel()
-		}
-	}
-
-	// Do pre-seal teardown if HA is not enabled
-	if c.ha == nil {
-		if grabStateLock {
-			cancelCtxAndLock()
-			defer c.stateLock.Unlock()
-		}
-		// Even in a non-HA context we key off of this for some things
-		c.standby = true
-
-		// Stop requests from processing
-		if activeCtxCancel != nil {
-			activeCtxCancel()
-		}
-
-		if err := c.preSeal(); err != nil {
-			c.logger.Error("pre-seal teardown failed", "error", err)
-			return fmt.Errorf("internal error")
-		}
-	} else {
-		// If we are keeping the lock we already have the state write lock
-		// held. Otherwise grab it here so that when stopCh is triggered we are
-		// locked.
-		if keepHALock {
-			atomic.StoreUint32(c.keepHALockOnStepDown, 1)
-		}
-		if grabStateLock {
-			cancelCtxAndLock()
-			defer c.stateLock.Unlock()
-		}
-
-		// If we are trying to acquire the lock, force it to return with nil so
-		// runStandby will exit
-		// If we are active, signal the standby goroutine to shut down and wait
-		// for completion. We have the state lock here so nothing else should
-		// be toggling standby status.
-		close(c.standbyStopCh.Load().(chan struct{}))
-		c.logger.Debug("finished triggering standbyStopCh for runStandby")
-
-		// Wait for runStandby to stop
-		<-c.standbyDoneCh
-		atomic.StoreUint32(c.keepHALockOnStepDown, 0)
-		c.logger.Debug("runStandby done")
-	}
-
-	c.teardownReplicationResolverHandler()
-
-	// Perform additional cleanup upon sealing.
-	if performCleanup {
-		if raftBackend := c.getRaftBackend(); raftBackend != nil {
-			if err := raftBackend.TeardownCluster(c.getClusterListener()); err != nil {
-				c.logger.Error("error stopping storage cluster", "error", err)
-				return err
-			}
-		}
-
-		// Stop the cluster listener
-		c.stopClusterListener()
-	}
-
-	c.logger.Debug("sealing barrier")
-	if err := c.barrier.Seal(); err != nil {
-		c.logger.Error("error sealing barrier", "error", err)
-		return err
-	}
-
-	if c.serviceRegistration != nil {
-		if err := c.serviceRegistration.NotifySealedStateChange(true); err != nil {
-			if c.logger.IsWarn() {
-				c.logger.Warn("failed to notify sealed status", "error", err)
-			}
-		}
-	}
-
-	if c.quotaManager != nil {
-		if err := c.quotaManager.Reset(); err != nil {
-			c.logger.Error("error resetting quota manager", "error", err)
-		}
-	}
-
-	postSealInternal(c)
-
-	c.logger.Info("vault is sealed")
-
-	return nil
-}
-
-type UnsealStrategy interface {
-	unseal(context.Context, log.Logger, *Core) error
-}
-
-type standardUnsealStrategy struct{}
-
-func (s standardUnsealStrategy) unseal(ctx context.Context, logger log.Logger, c *Core) error {
-	// Clear forwarding clients; we're active
-	c.requestForwardingConnectionLock.Lock()
-	c.clearForwardingClients()
-	c.requestForwardingConnectionLock.Unlock()
-
-	// Mark the active time. We do this first so it can be correlated to the logs
-	// for the active startup.
-	c.activeTime = time.Now().UTC()
-
-	if err := postUnsealPhysical(c); err != nil {
-		return err
-	}
-
-	if err := c.entPostUnseal(false); err != nil {
-		return err
-	}
-	if !c.ReplicationState().HasState(consts.ReplicationPerformanceSecondary | consts.ReplicationDRSecondary) {
-		// Only perf primarys should write feature flags, but we do it by
-		// excluding other states so that we don't have to change it when
-		// a non-replicated cluster becomes a primary.
-		if err := c.persistFeatureFlags(ctx); err != nil {
-			return err
-		}
-	}
-
-	if c.autoRotateCancel == nil {
-		var autoRotateCtx context.Context
-		autoRotateCtx, c.autoRotateCancel = context.WithCancel(c.activeContext)
-		go c.autoRotateBarrierLoop(autoRotateCtx)
-	}
-
-	if !c.IsDRSecondary() {
-		if err := c.ensureWrappingKey(ctx); err != nil {
-			return err
-		}
-	}
-	if err := c.setupPluginRuntimeCatalog(ctx); err != nil {
-		return err
-	}
-	if err := c.setupPluginCatalog(ctx); err != nil {
-		return err
-	}
-	if err := c.loadMounts(ctx); err != nil {
-		return err
-	}
-	if err := c.entSetupFilteredPaths(); err != nil {
-		return err
-	}
-	if err := c.setupMounts(ctx); err != nil {
-		return err
-	}
-	if err := c.entSetupAPILock(ctx); err != nil {
-		return err
-	}
-	if err := c.setupPolicyStore(ctx); err != nil {
-		return err
-	}
-	if err := c.setupManagedKeyRegistry(); err != nil {
-		return err
-	}
-	if err := c.loadCORSConfig(ctx); err != nil {
-		return err
-	}
-	if err := c.loadCredentials(ctx); err != nil {
-		return err
-	}
-	if err := c.entSetupFilteredPaths(); err != nil {
-		return err
-	}
-	if err := c.setupCredentials(ctx); err != nil {
-		return err
-	}
-	if err := c.setupQuotas(ctx, false); err != nil {
-		return err
-	}
-	if err := c.setupHeaderHMACKey(ctx, false); err != nil {
-		return err
-	}
-	if !c.IsDRSecondary() {
-		c.updateLockedUserEntries()
-
-		if err := c.startRollback(); err != nil {
-			return err
-		}
-		if err := c.setupExpiration(expireLeaseStrategyFairsharing); err != nil {
-			return err
-		}
-		if err := c.loadAudits(ctx); err != nil {
-			return err
-		}
-		if err := c.setupAuditedHeadersConfig(ctx); err != nil {
-			return err
-		}
-
-		if err := c.setupAudits(ctx); err != nil {
-			return err
-		}
-		if err := c.loadIdentityStoreArtifacts(ctx); err != nil {
-			return err
-		}
-		if err := loadPolicyMFAConfigs(ctx, c); err != nil {
-			return err
-		}
-		c.setupCachedMFAResponseAuth()
-		if err := c.loadLoginMFAConfigs(ctx); err != nil {
-			return err
-		}
-
-		if err := c.setupCensusAgent(); err != nil {
-			c.logger.Error("skipping reporting for nil agent", "error", err)
-		}
-
-		// not waiting on wg to avoid changing existing behavior
-		var wg sync.WaitGroup
-		if err := c.setupActivityLog(ctx, &wg); err != nil {
-			return err
-		}
-	} else {
-		var err error
-		disableEventLogger, err := parseutil.ParseBool(os.Getenv(featureFlagDisableEventLogger))
-		if err != nil {
-			return fmt.Errorf("unable to parse feature flag: %q: %w", featureFlagDisableEventLogger, err)
-		}
-		c.auditBroker, err = NewAuditBroker(c.logger, !disableEventLogger)
-		if err != nil {
-			return err
-		}
-	}
-
-	if !c.ReplicationState().HasState(consts.ReplicationPerformanceSecondary | consts.ReplicationDRSecondary) {
-		// Cannot do this above, as we need other resources like mounts to be setup
-		if err := c.setupPluginReload(); err != nil {
-			return err
-		}
-
-		// Retrieve the seal generation information from storage
-		existingGenerationInfo, err := PhysicalSealGenInfo(ctx, c.physical)
-		if err != nil {
-			c.logger.Error("cannot read existing seal generation info from storage", "error", err)
-			return err
-		}
-
-		sealGenerationInfo := c.seal.GetAccess().GetSealGenerationInfo()
-
-		switch {
-		case existingGenerationInfo == nil:
-			// This is the first time we store seal generation information
-			fallthrough
-		case existingGenerationInfo.Generation < sealGenerationInfo.Generation:
-			// We have incremented the seal generation
-			if err := c.SetPhysicalSealGenInfo(ctx, sealGenerationInfo); err != nil {
-				c.logger.Error("failed to store seal generation info", "error", err)
-				return err
-			}
-
-		case existingGenerationInfo.Generation == sealGenerationInfo.Generation:
-			// Same generation, update the rewrapped flag in case the previous active node
-			// changed its value. In other words, a rewrap may have happened, or a rewrap may have been
-			// started but not completed.
-			c.seal.GetAccess().GetSealGenerationInfo().SetRewrapped(existingGenerationInfo.IsRewrapped())
-
-		case existingGenerationInfo.Generation > sealGenerationInfo.Generation:
-			// Our seal information is out of date. The previous active node used a newer generation.
-			c.logger.Error("A newer seal generation was found in storage. The seal configuration in this node should be updated to match that of the previous active node, and this node should be restarted.")
-			return errors.New("newer seal generation found in storage, in memory seal configuration is out of date")
-		}
-
-		if server.IsMultisealSupported() && !sealGenerationInfo.IsRewrapped() {
-			// Set the migration done flag so that a seal-rewrap gets triggered later.
-			// Note that in the case where multi seal is not supported, Core.migrateSeal() takes care of
-			// triggering the rewrap when necessary.
-			c.logger.Trace("seal generation information indicates that a seal-rewrap is needed", "generation", sealGenerationInfo.Generation)
-			atomic.StoreUint32(c.sealMigrationDone, 1)
-		}
-
-		startPartialSealRewrapping(c)
-	}
-
-	if c.getClusterListener() != nil && (c.ha != nil || shouldStartClusterListener(c)) {
-		if err := c.setupRaftActiveNode(ctx); err != nil {
-			return err
-		}
-
-		if err := c.startForwarding(ctx); err != nil {
-			return err
-		}
-
-	}
-
-	c.clusterParamsLock.Lock()
-	defer c.clusterParamsLock.Unlock()
-	if err := c.entStartReplication(); err != nil {
-		return err
-	}
-
-	c.metricsCh = make(chan struct{})
-	go c.emitMetricsActiveNode(c.metricsCh)
-
-	// Establish version timestamps at the end of unseal on active nodes only.
-	if err := c.handleVersionTimeStamps(ctx); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// postUnseal is invoked on the active node, and performance standby nodes,
-// after the barrier is unsealed, but before
-// allowing any user operations. This allows us to setup any state that
-// requires the Vault to be unsealed such as mount tables, logical backends,
-// credential stores, etc.
-func (c *Core) postUnseal(ctx context.Context, ctxCancelFunc context.CancelFunc, unsealer UnsealStrategy) (retErr error) {
-	defer metrics.MeasureSince([]string{"core", "post_unseal"}, time.Now())
-
-	// Clear any out
-	c.postUnsealFuncs = nil
-
-	// Create a new request context
-	c.activeContext = ctx
-	c.activeContextCancelFunc.Store(ctxCancelFunc)
-
-	defer func() {
-		if retErr != nil {
-			ctxCancelFunc()
-			_ = c.preSeal()
-		}
-	}()
-	c.logger.Info("post-unseal setup starting")
-
-	// Enable the cache
-	c.physicalCache.Purge(ctx)
-	if !c.cachingDisabled {
-		c.physicalCache.SetEnabled(true)
-	}
-
-	// Purge these for safety in case of a rekey
-	_ = c.seal.ClearBarrierConfig(ctx)
-	if c.seal.RecoveryKeySupported() {
-		_ = c.seal.ClearRecoveryConfig(ctx)
-	}
-
-	// Load prior un-updated store into version history cache to compare
-	// previous state.
-	if err := c.loadVersionHistory(ctx); err != nil {
-		return err
-	}
-
-	if err := unsealer.unseal(ctx, c.logger, c); err != nil {
-		return err
-	}
-
-	// Automatically re-encrypt the keys used for auto unsealing when the
-	// seal's encryption key changes. The regular rotation of cryptographic
-	// keys is a NIST recommendation. Access to prior keys for decryption
-	// is normally supported for a configurable time period. Re-encrypting
-	// the keys used for auto unsealing ensures Vault and its data will
-	// continue to be accessible even after prior seal keys are destroyed.
-	if seal, ok := c.seal.(*autoSeal); ok {
-		if err := seal.UpgradeKeys(c.activeContext); err != nil {
-			c.logger.Warn("post-unseal upgrade seal keys failed", "error", err)
-		}
-
-		// Start a periodic but infrequent heartbeat to detect auto-seal backend outages at runtime rather than being
-		// surprised by this at the next need to unseal.
-		seal.StartHealthCheck()
-	}
-
-	// This is intentionally the last block in this function. We want to allow
-	// writes just before allowing client requests, to ensure everything has
-	// been set up properly before any writes can have happened.
-	//
-	// Use a small temporary worker pool to run postUnsealFuncs in parallel
-	postUnsealFuncConcurrency := runtime.NumCPU() * 2
-	if v := os.Getenv("VAULT_POSTUNSEAL_FUNC_CONCURRENCY"); v != "" {
-		pv, err := strconv.Atoi(v)
-		if err != nil || pv < 1 {
-			c.logger.Warn("invalid value for VAULT_POSTUNSEAL_FUNC_CURRENCY, must be a positive integer", "error", err, "value", pv)
-		} else {
-			postUnsealFuncConcurrency = pv
-		}
-	}
-	if postUnsealFuncConcurrency <= 1 {
-		// Out of paranoia, keep the old logic for parallism=1
-		for _, v := range c.postUnsealFuncs {
-			v()
-		}
-	} else {
-		jobs := make(chan func())
-		var wg sync.WaitGroup
-		for i := 0; i < postUnsealFuncConcurrency; i++ {
-			go func() {
-				for v := range jobs {
-					v()
-					wg.Done()
-				}
-			}()
-		}
-		for _, v := range c.postUnsealFuncs {
-			wg.Add(1)
-			jobs <- v
-		}
-		wg.Wait()
-		close(jobs)
-	}
-
-	if atomic.LoadUint32(c.sealMigrationDone) == 1 {
-		if err := c.postSealMigration(ctx); err != nil {
-			c.logger.Warn("post-unseal post seal migration failed", "error", err)
-		}
-	}
-
-	if os.Getenv(EnvVaultDisableLocalAuthMountEntities) != "" {
-		c.logger.Warn("disabling entities for local auth mounts through env var", "env", EnvVaultDisableLocalAuthMountEntities)
-	}
-	c.loginMFABackend.usedCodes = cache.New(0, 30*time.Second)
-	if c.systemBackend != nil && c.systemBackend.mfaBackend != nil {
-		c.systemBackend.mfaBackend.usedCodes = cache.New(0, 30*time.Second)
-	}
-	c.logger.Info("post-unseal setup complete")
-	return nil
-}
-
-// preSeal is invoked before the barrier is sealed, allowing
-// for any state teardown required.
-func (c *Core) preSeal() error {
-	defer metrics.MeasureSince([]string{"core", "pre_seal"}, time.Now())
-	c.logger.Info("pre-seal teardown starting")
-
-	if seal, ok := c.seal.(*autoSeal); ok {
-		seal.StopHealthCheck()
-	}
-	// Clear any pending funcs
-	c.postUnsealFuncs = nil
-	c.activeTime = time.Time{}
-
-	// Clear any rekey progress
-	c.barrierRekeyConfig = nil
-	c.recoveryRekeyConfig = nil
-
-	if c.metricsCh != nil {
-		close(c.metricsCh)
-		c.metricsCh = nil
-	}
-	var result error
-
-	c.stopForwarding()
-
-	c.stopRaftActiveNode()
-
-	c.clusterParamsLock.Lock()
-	if err := c.entStopReplication(); err != nil {
-		result = multierror.Append(result, fmt.Errorf("error stopping replication: %w", err))
-	}
-	c.clusterParamsLock.Unlock()
-
-	if err := c.teardownAudits(); err != nil {
-		result = multierror.Append(result, fmt.Errorf("error tearing down audits: %w", err))
-	}
-	if err := c.stopExpiration(); err != nil {
-		result = multierror.Append(result, fmt.Errorf("error stopping expiration: %w", err))
-	}
-	c.stopActivityLog()
-	// Clean up the censusAgent on seal
-	if err := c.teardownCensusAgent(); err != nil {
-		result = multierror.Append(result, fmt.Errorf("error tearing down reporting agent: %w", err))
-	}
-
-	if err := c.teardownCredentials(context.Background()); err != nil {
-		result = multierror.Append(result, fmt.Errorf("error tearing down credentials: %w", err))
-	}
-	if err := c.teardownPolicyStore(); err != nil {
-		result = multierror.Append(result, fmt.Errorf("error tearing down policy store: %w", err))
-	}
-	if err := c.stopRollback(); err != nil {
-		result = multierror.Append(result, fmt.Errorf("error stopping rollback: %w", err))
-	}
-	if err := c.unloadMounts(context.Background()); err != nil {
-		result = multierror.Append(result, fmt.Errorf("error unloading mounts: %w", err))
-	}
-
-	if err := c.entPreSeal(); err != nil {
-		result = multierror.Append(result, err)
-	}
-
-	if c.autoRotateCancel != nil {
-		c.autoRotateCancel()
-		c.autoRotateCancel = nil
-	}
-
-	if c.updateLockedUserEntriesCancel != nil {
-		c.updateLockedUserEntriesCancel()
-		c.updateLockedUserEntriesCancel = nil
-	}
-
-	if seal, ok := c.seal.(*autoSeal); ok {
-		seal.StopHealthCheck()
-	}
-
-	if c.systemBackend != nil && c.systemBackend.mfaBackend != nil {
-		c.systemBackend.mfaBackend.usedCodes = nil
-	}
-	if err := c.teardownLoginMFA(); err != nil {
-		result = multierror.Append(result, fmt.Errorf("error tearing down login MFA, error: %w", err))
-	}
-
-	preSealPhysical(c)
-
-	c.logger.Info("pre-seal teardown complete")
-	return result
-}
-
-func (c *Core) ReplicationState() consts.ReplicationState {
-	return consts.ReplicationState(atomic.LoadUint32(c.replicationState))
-}
-
-func (c *Core) ActiveNodeReplicationState() consts.ReplicationState {
-	return consts.ReplicationState(atomic.LoadUint32(c.activeNodeReplicationState))
-}
-
-func (c *Core) SealAccess() *SealAccess {
-	return NewSealAccess(c.seal)
-}
-
-// StorageType returns a string equal to the storage configuration's type.
-func (c *Core) StorageType() string {
-	return c.storageType
-}
-
-func (c *Core) Logger() log.Logger {
-	return c.logger
-}
-
-func (c *Core) BarrierKeyLength() (min, max int) {
-	min, max = c.barrier.KeyLength()
-	max += shamir.ShareOverhead
-	return
-}
-
-func (c *Core) AuditedHeadersConfig() *AuditedHeadersConfig {
-	return c.auditedHeaders
-}
-
-// physicalBarrierSealConfig reads the storage entry at configPath and parses and validates it as SealConfig.
-func physicalSealConfig(ctx context.Context, c *Core, label, configPath string) (*SealConfig, error) {
-	pe, err := c.physical.Get(ctx, configPath)
-	if err != nil {
-		return nil, fmt.Errorf("failed to fetch %s seal configuration: %w", label, err)
-	}
-	if pe == nil {
-		return nil, nil
-	}
-
-	config := new(SealConfig)
-
-	if err := jsonutil.DecodeJSON(pe.Value, config); err != nil {
-		return nil, fmt.Errorf("failed to decode %s seal configuration: %w", label, err)
-	}
-	err = config.Validate()
-	if err != nil {
-		return nil, fmt.Errorf("failed to validate %s seal configuration: %w", label, err)
-	}
-	// In older versions of vault the default seal would not store a type. This
-	// is here to offer backwards compatibility for older seal configs.
-	if config.Type == "" {
-		config.Type = SealConfigTypeShamir.String()
-	}
-
-	return config, nil
-}
-
-func (c *Core) PhysicalBarrierSealConfig(ctx context.Context) (*SealConfig, error) {
-	return physicalSealConfig(ctx, c, "barrier", barrierSealConfigPath)
-}
-
-func (c *Core) PhysicalRecoverySealConfig(ctx context.Context) (*SealConfig, error) {
-	return physicalSealConfig(ctx, c, "recovery", recoverySealConfigPlaintextPath)
-}
-
-func (c *Core) PhysicalRecoverySealConfigOldPath(ctx context.Context) (*SealConfig, error) {
-	return physicalSealConfig(ctx, c, "recovery", recoverySealConfigPath)
-}
-
-func (c *Core) PhysicalSealConfigs(ctx context.Context) (*SealConfig, *SealConfig, error) {
-	barrierConf, err := c.PhysicalBarrierSealConfig(ctx)
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to get barrier seal configuration at migration check time: %w", err)
-	}
-	if barrierConf == nil {
-		return nil, nil, nil
-	}
-
-	recoveryConf, err := c.PhysicalRecoverySealConfig(ctx)
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to get recovery seal configuration at migration check time: %w", err)
-	}
-
-	return barrierConf, recoveryConf, nil
-}
-
-func (c *Core) SetPhysicalBarrierSealConfig(ctx context.Context, barrierSealConfig *SealConfig) error {
-	return setPhysicalSealConfig(ctx, c, "barrier", barrierSealConfigPath, barrierSealConfig)
-}
-
-func (c *Core) SetPhysicalRecoverySealConfig(ctx context.Context, recoverySealConfig *SealConfig) error {
-	return setPhysicalSealConfig(ctx, c, "recovery", recoverySealConfigPlaintextPath, recoverySealConfig)
-}
-
-func setPhysicalSealConfig(ctx context.Context, c *Core, label, configPath string, sealConfig *SealConfig) error {
-	// Encode the seal configuration
-	buf, err := json.Marshal(sealConfig)
-	if err != nil {
-		return fmt.Errorf("failed to encode %s seal configuration: %w", label, err)
-	}
-
-	// Store the seal configuration
-	pe := &physical.Entry{
-		Key:   configPath,
-		Value: buf,
-	}
-
-	if err := c.physical.Put(ctx, pe); err != nil {
-		c.logger.Error(fmt.Sprintf("failed to write %s seal configuration", label), "error", err)
-		return fmt.Errorf("failed to write %s seal configuration: %w", label, err)
-	}
-
-	return nil
-}
-
-// adjustForSealMigration takes the unwrapSeal, which is nil if (a) we're not
-// configured for seal migration or (b) we might be doing a seal migration away
-// from shamir.  It will only be non-nil if there is a configured seal with
-// the config key disabled=true, which implies a migration away from autoseal.
-//
-// For case (a), the common case, we expect that the stored barrier
-// config matches the seal type, in which case we simply return nil.  If they
-// don't match, and the stored seal config is of type Shamir but the configured
-// seal is not Shamir, that is case (b) and we make an unwrapSeal of type Shamir.
-// Any other unwrapSeal=nil scenario is treated as an error.
-//
-// Given a non-nil unwrapSeal or case (b), we setup c.migrationInfo to prepare
-// for a migration upon receiving a valid migration unseal request.  We cannot
-// check at this time for already performed (or incomplete) migrations because
-// we haven't yet been unsealed, so we have no way of checking whether a
-// shamir seal works to read stored seal-encrypted data.
-//
-// The assumption throughout is that the very last step of seal migration is
-// to write the new barrier/recovery stored seal config.
-func (c *Core) adjustForSealMigration(unwrapSeal Seal) error {
-	ctx := context.Background()
-	existBarrierSealConfig, existRecoverySealConfig, err := c.PhysicalSealConfigs(ctx)
-	if err != nil {
-		return fmt.Errorf("Error checking for existing seal: %s", err)
-	}
-
-	// If we don't have an existing config or if it's the deprecated auto seal
-	// which needs an upgrade, skip out
-	if existBarrierSealConfig == nil || existBarrierSealConfig.Type == WrapperTypeHsmAutoDeprecated.String() {
-		return nil
-	}
-
-	if unwrapSeal == nil {
-		// With unwrapSeal==nil, either we're not migrating, or we're migrating
-		// from shamir.
-
-		storedType := SealConfigType(existBarrierSealConfig.Type)
-		configuredType := c.seal.BarrierSealConfigType()
-
-		switch {
-		case storedType == configuredType:
-			// We have the same barrier type and the unwrap seal is nil so we're not
-			// migrating from same to same, IOW we assume it's not a migration.
-			return nil
-		case configuredType == SealConfigTypeShamir:
-			// The stored barrier config is not shamir, there is no disabled seal
-			// in config, and either no configured seal (which equates to Shamir)
-			// or an explicitly configured Shamir seal.
-			return fmt.Errorf("cannot seal migrate from %q to Shamir, no disabled seal in configuration",
-				existBarrierSealConfig.Type)
-		case storedType == SealConfigTypeShamir:
-			// The configured seal is not Shamir, the stored seal config is Shamir.
-			// This is a migration away from Shamir.
-
-			// See note about creating a SealGenerationInfo for the unwrap seal in
-			// function setSeal in server.go.
-			sealAccess, err := vaultseal.NewAccessFromWrapper(c.logger, aeadwrapper.NewShamirWrapper(), SealConfigTypeShamir.String())
-			if err != nil {
-				return err
-			}
-			unwrapSeal = NewDefaultSeal(sealAccess)
-		case configuredType == SealConfigTypeMultiseal && server.IsMultisealSupported():
-			// We are going from a single non-shamir seal to multiseal, and multi seal is supported.
-			// This scenario is not considered a migration in the sense of requiring an unwrapSeal,
-			// but we will update the stored SealConfig later (see Core.migrateMultiSealConfig).
-
-			return nil
-		case configuredType == SealConfigTypeMultiseal:
-			// The configured seal is multiseal and we know the stored type is not shamir, thus
-			// we are going from auto seal to multiseal.
-			return fmt.Errorf("cannot seal migrate from %q to %q, multiple seals are not supported",
-				existBarrierSealConfig.Type, c.seal.BarrierSealConfigType())
-		case storedType == SealConfigTypeMultiseal:
-			// The stored type is multiseal and we know the type the configured type is not shamir,
-			// thus we are going from multiseal to autoseal.
-			//
-			// This scenario is not considered a migration in the sense of requiring an unwrapSeal,
-			// but we will update the stored SealConfig later (see Core.migrateMultiSealConfig).
-
-			return nil
-		default:
-			// We know at this point that there is a configured non-Shamir seal,
-			// that it does not match the stored non-Shamir seal config, and that
-			// there is no explicitly disabled seal stanza.
-			return fmt.Errorf("cannot seal migrate from %q to %q, no disabled seal in configuration",
-				existBarrierSealConfig.Type, c.seal.BarrierSealConfigType())
-		}
-	} else {
-		// If we're not coming from Shamir we expect the previous seal to be
-		// in the config and disabled.
-
-		if unwrapSeal.BarrierSealConfigType() == SealConfigTypeShamir {
-			return errors.New("Shamir seals cannot be set disabled (they should simply not be set)")
-		}
-	}
-
-	// If we've reached this point it's a migration attempt and we should have both
-	// c.migrationInfo.seal (old seal) and c.seal (new seal) populated.
-	unwrapSeal.SetCore(c)
-
-	// No stored recovery seal config found, what about the legacy recovery config?
-	if existBarrierSealConfig.Type != SealConfigTypeShamir.String() && existRecoverySealConfig == nil {
-		entry, err := c.physical.Get(ctx, recoverySealConfigPath)
-		if err != nil {
-			return fmt.Errorf("failed to read %q recovery seal configuration: %w", existBarrierSealConfig.Type, err)
-		}
-		if entry == nil {
-			return errors.New("Recovery seal configuration not found for existing seal")
-		}
-		return errors.New("Cannot migrate seals while using a legacy recovery seal config")
-	}
-
-	c.migrationInfo = &migrationInformation{
-		seal: unwrapSeal,
-	}
-	if existBarrierSealConfig.Type != c.seal.BarrierSealConfigType().String() {
-		// It's unnecessary to call this when doing an auto->auto
-		// same-seal-type migration, since they'll have the same configs before
-		// and after migration.
-		c.adjustSealConfigDuringMigration(existBarrierSealConfig, existRecoverySealConfig)
-	}
-	c.initSealsForMigration()
-	c.logger.Warn("entering seal migration mode; Vault will not automatically unseal even if using an autoseal", "from_barrier_type", c.migrationInfo.seal.BarrierSealConfigType(), "to_barrier_type", c.seal.BarrierSealConfigType())
-
-	return nil
-}
-
-func (c *Core) migrateMultiSealConfig(ctx context.Context) error {
-	barrierSealConfig, err := c.PhysicalBarrierSealConfig(ctx)
-	if err != nil {
-		return fmt.Errorf("failed to read existing seal configuration during multi seal migration: %v", err)
-	}
-
-	switch {
-	case c.seal.BarrierSealConfigType().IsSameAs(barrierSealConfig.Type):
-		return nil
-	case c.seal.BarrierSealConfigType() == SealConfigTypeMultiseal:
-		// needs update
-	case SealConfigTypeMultiseal.IsSameAs(barrierSealConfig.Type):
-		// needs update
-	default:
-		return nil
-	}
-
-	// Note that SetBarrierConfig updates SealConfig.Type to the correct value.
-	if err := c.seal.SetBarrierConfig(ctx, barrierSealConfig); err != nil {
-		return fmt.Errorf("error storing barrier config during multi seal migration: %w", err)
-	}
-
-	// Note that we don't need to trigger a seal rewrap here, since we'll do that when
-	// we update the SealGenerationInfo. See standardUnsealStrategy.unseal().
-
-	return nil
-}
-
-func (c *Core) migrateSealConfig(ctx context.Context) error {
-	existBarrierSealConfig, existRecoverySealConfig, err := c.PhysicalSealConfigs(ctx)
-	if err != nil {
-		return fmt.Errorf("failed to read existing seal configuration during migration: %v", err)
-	}
-
-	var bc, rc *SealConfig
-
-	switch {
-	case c.migrationInfo.seal.RecoveryKeySupported() && c.seal.RecoveryKeySupported():
-		// Migrating from auto->auto, copy the configs over
-		bc, rc = existBarrierSealConfig, existRecoverySealConfig
-	case c.migrationInfo.seal.RecoveryKeySupported():
-		// Migrating from auto->shamir, clone auto's recovery config and set
-		// stored keys to 1.
-		bc = existRecoverySealConfig.Clone()
-		bc.StoredShares = 1
-	case c.seal.RecoveryKeySupported():
-		// Migrating from shamir->auto, set a new barrier config and set
-		// recovery config to a clone of shamir's barrier config with stored
-		// keys set to 0.
-		bc = &SealConfig{
-			Type:            c.seal.BarrierSealConfigType().String(),
-			SecretShares:    1,
-			SecretThreshold: 1,
-			StoredShares:    1,
-		}
-
-		rc = existBarrierSealConfig.Clone()
-		rc.StoredShares = 0
-	}
-
-	if err := c.seal.SetBarrierConfig(ctx, bc); err != nil {
-		return fmt.Errorf("error storing barrier config after migration: %w", err)
-	}
-
-	if c.seal.RecoveryKeySupported() {
-		if err := c.seal.SetRecoveryConfig(ctx, rc); err != nil {
-			return fmt.Errorf("error storing recovery config after migration: %w", err)
-		}
-	} else if err := c.physical.Delete(ctx, recoverySealConfigPlaintextPath); err != nil {
-		return fmt.Errorf("failed to delete old recovery seal configuration during migration: %w", err)
-	}
-
-	return nil
-}
-
-func (c *Core) adjustSealConfigDuringMigration(existBarrierSealConfig, existRecoverySealConfig *SealConfig) {
-	switch {
-	case c.migrationInfo.seal.RecoveryKeySupported() && existRecoverySealConfig != nil:
-		// Migrating from auto->shamir, clone auto's recovery config and set
-		// stored keys to 1.  Unless the recover config doesn't exist, in which
-		// case the migration is assumed to already have been performed.
-		newSealConfig := existRecoverySealConfig.Clone()
-		newSealConfig.StoredShares = 1
-		c.seal.SetCachedBarrierConfig(newSealConfig)
-	case !c.migrationInfo.seal.RecoveryKeySupported() && c.seal.RecoveryKeySupported():
-		// Migrating from shamir->auto, set a new barrier config and set
-		// recovery config to a clone of shamir's barrier config with stored
-		// keys set to 0.
-		newBarrierSealConfig := &SealConfig{
-			Type:            c.seal.BarrierSealConfigType().String(),
-			SecretShares:    1,
-			SecretThreshold: 1,
-			StoredShares:    1,
-		}
-		c.seal.SetCachedBarrierConfig(newBarrierSealConfig)
-
-		newRecoveryConfig := existBarrierSealConfig.Clone()
-		newRecoveryConfig.StoredShares = 0
-		c.seal.SetCachedRecoveryConfig(newRecoveryConfig)
-	}
-}
-
-func (c *Core) unsealKeyToRootKeyPostUnseal(ctx context.Context, combinedKey []byte) ([]byte, error) {
-	return c.unsealKeyToRootKey(ctx, c.seal, combinedKey, true, false)
-}
-
-func (c *Core) unsealKeyToMasterKeyPreUnseal(ctx context.Context, seal Seal, combinedKey []byte) ([]byte, error) {
-	return c.unsealKeyToRootKey(ctx, seal, combinedKey, false, true)
-}
-
-// unsealKeyToRootKey takes a key provided by the user, either a recovery key
-// if using an autoseal or an unseal key with Shamir.  It returns a nil error
-// if the key is valid and an error otherwise. It also returns the master key
-// that can be used to unseal the barrier.
-// If useTestSeal is true, seal will not be modified; this is used when not
-// invoked as part of an unseal process.  Otherwise in the non-legacy shamir
-// case the combinedKey will be set in the seal, which means subsequent attempts
-// to use the seal to read the master key will succeed, assuming combinedKey is
-// valid.
-// If allowMissing is true, a failure to find the master key in storage results
-// in a nil error and a nil master key being returned.
-func (c *Core) unsealKeyToRootKey(ctx context.Context, seal Seal, combinedKey []byte, useTestSeal bool, allowMissing bool) ([]byte, error) {
-	switch seal.StoredKeysSupported() {
-	case vaultseal.StoredKeysSupportedGeneric:
-		if err := seal.VerifyRecoveryKey(ctx, combinedKey); err != nil {
-			return nil, fmt.Errorf("recovery key verification failed: %w", err)
-		}
-
-		storedKeys, err := seal.GetStoredKeys(ctx)
-		if storedKeys == nil && err == nil && allowMissing {
-			return nil, nil
-		}
-
-		if err == nil && len(storedKeys) != 1 {
-			err = fmt.Errorf("expected exactly one stored key, got %d", len(storedKeys))
-		}
-		if err != nil {
-			return nil, fmt.Errorf("unable to retrieve stored keys: %w", err)
-		}
-		return storedKeys[0], nil
-
-	case vaultseal.StoredKeysSupportedShamirRoot:
-		if useTestSeal {
-			// Note that the seal generation should not matter, since the only thing we are doing with
-			// this seal is calling GetStoredKeys (i.e. we are not encrypting anything).
-			sealAccess, err := vaultseal.NewAccessFromWrapper(c.logger, aeadwrapper.NewShamirWrapper(), SealConfigTypeShamir.String())
-			if err != nil {
-				return nil, fmt.Errorf("failed to setup seal wrapper for test barrier config: %w", err)
-			}
-			testseal := NewDefaultSeal(sealAccess)
-			testseal.SetCore(c)
-			cfg, err := seal.BarrierConfig(ctx)
-			if err != nil {
-				return nil, fmt.Errorf("failed to setup test barrier config: %w", err)
-			}
-			testseal.SetCachedBarrierConfig(cfg)
-			seal = testseal
-		}
-
-		err := seal.GetAccess().SetShamirSealKey(combinedKey)
-		if err != nil {
-			return nil, &ErrInvalidKey{fmt.Sprintf("failed to setup unseal key: %v", err)}
-		}
-		storedKeys, err := seal.GetStoredKeys(ctx)
-		if storedKeys == nil && err == nil && allowMissing {
-			return nil, nil
-		}
-		if err == nil && len(storedKeys) != 1 {
-			err = fmt.Errorf("expected exactly one stored key, got %d", len(storedKeys))
-		}
-		if err != nil {
-			return nil, fmt.Errorf("unable to retrieve stored keys: %w", err)
-		}
-		return storedKeys[0], nil
-
-	case vaultseal.StoredKeysNotSupported:
-		return combinedKey, nil
-	}
-	return nil, fmt.Errorf("invalid seal")
-}
-
-// IsInSealMigrationMode returns true if we're configured to perform a seal migration,
-// meaning either that we have a disabled seal in HCL configuration or the seal
-// configuration in storage is Shamir but the seal in HCL is not.  In this
-// mode we should not auto-unseal (even if the migration is done) and we will
-// accept unseal requests with and without the `migrate` option, though the migrate
-// option is required if we haven't yet performed the seal migration. Lock
-// should only be false if the caller is already holding the read
-// statelock (such as calls originating from switchedLockHandleRequest).
-func (c *Core) IsInSealMigrationMode(lock bool) bool {
-	if lock {
-		c.stateLock.RLock()
-		defer c.stateLock.RUnlock()
-	}
-	return c.migrationInfo != nil
-}
-
-// IsSealMigrated returns true if we're in seal migration mode but migration
-// has already been performed (possibly by another node, or prior to this node's
-// current invocation). Lock should only be false if the caller is already
-// holding the read statelock (such as calls originating from switchedLockHandleRequest).
-func (c *Core) IsSealMigrated(lock bool) bool {
-	if !c.IsInSealMigrationMode(lock) {
-		return false
-	}
-
-	if lock {
-		c.stateLock.RLock()
-		defer c.stateLock.RUnlock()
-	}
-	done, _ := c.sealMigrated(context.Background())
-	return done
-}
-
-func (c *Core) BarrierEncryptorAccess() *BarrierEncryptorAccess {
-	return NewBarrierEncryptorAccess(c.barrier)
-}
-
-func (c *Core) PhysicalAccess() *physical.PhysicalAccess {
-	return physical.NewPhysicalAccess(c.physical)
-}
-
-func (c *Core) RouterAccess() *RouterAccess {
-	return NewRouterAccess(c)
-}
-
-// IsDRSecondary returns if the current cluster state is a DR secondary.
-func (c *Core) IsDRSecondary() bool {
-	return c.ReplicationState().HasState(consts.ReplicationDRSecondary)
-}
-
-func (c *Core) IsPerfSecondary() bool {
-	return c.ReplicationState().HasState(consts.ReplicationPerformanceSecondary)
-}
-
-func (c *Core) AddLogger(logger log.Logger) {
-	c.allLoggersLock.Lock()
-	defer c.allLoggersLock.Unlock()
-	c.allLoggers = append(c.allLoggers, logger)
-}
-
-// SetLogLevel sets logging level for all tracked loggers to the level provided
-func (c *Core) SetLogLevel(level log.Level) {
-	c.allLoggersLock.RLock()
-	defer c.allLoggersLock.RUnlock()
-	for _, logger := range c.allLoggers {
-		logger.SetLevel(level)
-	}
-}
-
-// SetLogLevelByName sets the logging level of named logger to level provided
-// if it exists. Core.allLoggers is a slice and as such it is entirely possible
-// that multiple entries exist for the same name. Each instance will be modified.
-func (c *Core) SetLogLevelByName(name string, level log.Level) bool {
-	c.allLoggersLock.RLock()
-	defer c.allLoggersLock.RUnlock()
-
-	found := false
-	for _, logger := range c.allLoggers {
-		if logger.Name() == name {
-			logger.SetLevel(level)
-			found = true
-		}
-	}
-
-	return found
-}
-
-// SetConfig sets core's config object to the newly provided config.
-func (c *Core) SetConfig(conf *server.Config) {
-	c.rawConfig.Store(conf)
-	bz, err := json.Marshal(c.SanitizedConfig())
-	if err != nil {
-		c.logger.Error("error serializing sanitized config", "error", err)
-		return
-	}
-
-	c.logger.Debug("set config", "sanitized config", string(bz))
-}
-
-func (c *Core) GetListenerCustomResponseHeaders(listenerAdd string) *ListenerCustomHeaders {
-	customHeaders := c.customListenerHeader.Load()
-	if customHeaders == nil {
-		return nil
-	}
-
-	customHeadersList, ok := customHeaders.([]*ListenerCustomHeaders)
-	if customHeadersList == nil || !ok {
-		return nil
-	}
-
-	for _, l := range customHeadersList {
-		if l.Address == listenerAdd {
-			return l
-		}
-	}
-	return nil
-}
-
-// ExistCustomResponseHeader checks if a custom header is configured in any
-// listener's stanza
-func (c *Core) ExistCustomResponseHeader(header string) bool {
-	customHeaders := c.customListenerHeader.Load()
-	if customHeaders == nil {
-		return false
-	}
-
-	customHeadersList, ok := customHeaders.([]*ListenerCustomHeaders)
-	if customHeadersList == nil || !ok {
-		return false
-	}
-
-	for _, l := range customHeadersList {
-		exist := l.ExistCustomResponseHeader(header)
-		if exist {
-			return true
-		}
-	}
-
-	return false
-}
-
-func (c *Core) ReloadCustomResponseHeaders() error {
-	conf := c.rawConfig.Load()
-	if conf == nil {
-		return fmt.Errorf("failed to load core raw config")
-	}
-	lns := conf.(*server.Config).Listeners
-	if lns == nil {
-		return fmt.Errorf("no listener configured")
-	}
-
-	uiHeaders, err := c.UIHeaders()
-	if err != nil {
-		return err
-	}
-	c.customListenerHeader.Store(NewListenerCustomHeader(lns, c.logger, uiHeaders))
-
-	return nil
-}
-
-// SanitizedConfig returns a sanitized version of the current config.
-// See server.Config.Sanitized for specific values omitted.
-func (c *Core) SanitizedConfig() map[string]interface{} {
-	conf := c.rawConfig.Load()
-	if conf == nil {
-		return nil
-	}
-	return conf.(*server.Config).Sanitized()
-}
-
-// LogFormat returns the log format current in use.
-func (c *Core) LogFormat() string {
-	conf := c.rawConfig.Load()
-	return conf.(*server.Config).LogFormat
-}
-
-// LogLevel returns the log level provided by level provided by config, CLI flag, or env
-func (c *Core) LogLevel() string {
-	return c.logLevel
-}
-
-// MetricsHelper returns the global metrics helper which allows external
-// packages to access Vault's internal metrics.
-func (c *Core) MetricsHelper() *metricsutil.MetricsHelper {
-	return c.metricsHelper
-}
-
-// MetricSink returns the metrics wrapper with which Core has been configured.
-func (c *Core) MetricSink() *metricsutil.ClusterMetricSink {
-	return c.metricSink
-}
-
-// BuiltinRegistry is an interface that allows the "vault" package to use
-// the registry of builtin plugins without getting an import cycle. It
-// also allows for mocking the registry easily.
-type BuiltinRegistry interface {
-	Contains(name string, pluginType consts.PluginType) bool
-	Get(name string, pluginType consts.PluginType) (func() (interface{}, error), bool)
-	Keys(pluginType consts.PluginType) []string
-	DeprecationStatus(name string, pluginType consts.PluginType) (consts.DeprecationStatus, bool)
-	IsBuiltinEntPlugin(name string, pluginType consts.PluginType) bool
-}
-
-func (c *Core) AuditLogger() AuditLogger {
-	return &basicAuditor{c: c}
-}
-
-type FeatureFlags struct {
-	NamespacesCubbyholesLocal bool `json:"namespace_cubbyholes_local"`
-}
-
-func (c *Core) persistFeatureFlags(ctx context.Context) error {
-	if !c.PR1103disabled {
-		c.logger.Debug("persisting feature flags")
-		json, err := jsonutil.EncodeJSON(&FeatureFlags{NamespacesCubbyholesLocal: !c.PR1103disabled})
-		if err != nil {
-			return err
-		}
-		return c.barrier.Put(ctx, &logical.StorageEntry{
-			Key:   consts.CoreFeatureFlagPath,
-			Value: json,
-		})
-	}
-	return nil
-}
-
-func (c *Core) readFeatureFlags(ctx context.Context) (*FeatureFlags, error) {
-	entry, err := c.barrier.Get(ctx, consts.CoreFeatureFlagPath)
-	if err != nil {
-		return nil, err
-	}
-	var flags FeatureFlags
-	if entry != nil {
-		err = jsonutil.DecodeJSON(entry.Value, &flags)
-		if err != nil {
-			return nil, err
-		}
-	}
-	return &flags, nil
-}
-
-// isMountable tells us whether or not we can continue mounting a plugin-based
-// mount entry after failing to instantiate a backend. We do this to preserve
-// the storage and path when a plugin is missing or has otherwise been
-// misconfigured. This allows users to recover from errors when starting Vault
-// with misconfigured plugins. It should not be possible for existing builtins
-// to be misconfigured, so that is a fatal error.
-func (c *Core) isMountable(ctx context.Context, entry *MountEntry, pluginType consts.PluginType) bool {
-	return !c.isMountEntryBuiltin(ctx, entry, pluginType)
-}
-
-// isMountEntryBuiltin determines whether a mount entry is associated with a
-// builtin of the specified plugin type.
-func (c *Core) isMountEntryBuiltin(ctx context.Context, entry *MountEntry, pluginType consts.PluginType) bool {
-	// Prevent a panic early on
-	if entry == nil || c.pluginCatalog == nil {
-		return false
-	}
-
-	// Allow type to be determined from mount entry when not otherwise specified
-	if pluginType == consts.PluginTypeUnknown {
-		pluginType = c.builtinTypeFromMountEntry(ctx, entry)
-	}
-
-	// Handle aliases
-	pluginName := entry.Type
-	if alias, ok := mountAliases[pluginName]; ok {
-		pluginName = alias
-	}
-
-	plug, err := c.pluginCatalog.Get(ctx, pluginName, pluginType, entry.Version)
-	if err != nil || plug == nil {
-		return false
-	}
-
-	return plug.Builtin
-}
-
-// MatchingMount returns the path of the mount that will be responsible for
-// handling the given request path.
-func (c *Core) MatchingMount(ctx context.Context, reqPath string) string {
-	return c.router.MatchingMount(ctx, reqPath)
-}
-
-func (c *Core) setupQuotas(ctx context.Context, isPerfStandby bool) error {
-	if c.quotaManager == nil {
-		return nil
-	}
-
-	return c.quotaManager.Setup(ctx, c.systemBarrierView, isPerfStandby, c.IsDRSecondary())
-}
-
-// ApplyRateLimitQuota checks the request against all the applicable quota rules.
-// If the given request's path is exempt, no rate limiting will be applied.
-func (c *Core) ApplyRateLimitQuota(ctx context.Context, req *quotas.Request) (quotas.Response, error) {
-	req.Type = quotas.TypeRateLimit
-
-	resp := quotas.Response{
-		Allowed: true,
-		Headers: make(map[string]string),
-	}
-
-	if c.quotaManager != nil {
-		// skip rate limit checks for paths that are exempt from rate limiting
-		if c.quotaManager.RateLimitPathExempt(req.Path, req.NamespacePath) {
-			return resp, nil
-		}
-
-		return c.quotaManager.ApplyQuota(ctx, req)
-	}
-
-	return resp, nil
-}
-
-// RateLimitAuditLoggingEnabled returns if the quota configuration allows audit
-// logging of request rejections due to rate limiting quota rule violations.
-func (c *Core) RateLimitAuditLoggingEnabled() bool {
-	if c.quotaManager != nil {
-		return c.quotaManager.RateLimitAuditLoggingEnabled()
-	}
-
-	return false
-}
-
-// RateLimitResponseHeadersEnabled returns if the quota configuration allows for
-// rate limit quota HTTP headers to be added to responses.
-func (c *Core) RateLimitResponseHeadersEnabled() bool {
-	if c.quotaManager != nil {
-		return c.quotaManager.RateLimitResponseHeadersEnabled()
-	}
-
-	return false
-}
-
-func (c *Core) KeyRotateGracePeriod() time.Duration {
-	return time.Duration(atomic.LoadInt64(c.keyRotateGracePeriod))
-}
-
-func (c *Core) SetKeyRotateGracePeriod(t time.Duration) {
-	atomic.StoreInt64(c.keyRotateGracePeriod, int64(t))
-}
-
-// Periodically test whether to automatically rotate the barrier key
-func (c *Core) autoRotateBarrierLoop(ctx context.Context) {
-	t := time.NewTicker(autoRotateCheckInterval)
-	for {
-		select {
-		case <-t.C:
-			c.checkBarrierAutoRotate(ctx)
-		case <-ctx.Done():
-			t.Stop()
-			return
-		}
-	}
-}
-
-func (c *Core) checkBarrierAutoRotate(ctx context.Context) {
-	c.stateLock.RLock()
-	defer c.stateLock.RUnlock()
-	if c.isPrimary() {
-		reason, err := c.barrier.CheckBarrierAutoRotate(ctx)
-		if err != nil {
-			lf := c.logger.Error
-			if strings.HasSuffix(err.Error(), "context canceled") {
-				lf = c.logger.Debug
-			}
-			lf("error in barrier auto rotation", "error", err)
-			return
-		}
-		if reason != "" {
-			// Time to rotate.  Invoke the rotation handler in order to both rotate and create
-			// the replication canary
-			c.logger.Info("automatic barrier key rotation triggered", "reason", reason)
-
-			_, err := c.systemBackend.handleRotate(ctx, nil, nil)
-			if err != nil {
-				c.logger.Error("error automatically rotating barrier key", "error", err)
-			} else {
-				metrics.IncrCounter(barrierRotationsMetric, 1)
-			}
-		}
-	}
-}
-
-func (c *Core) isPrimary() bool {
-	return !c.ReplicationState().HasState(consts.ReplicationPerformanceSecondary | consts.ReplicationDRSecondary)
-}
-
-type LicenseState struct {
-	State      string
-	ExpiryTime time.Time
-	Terminated bool
-}
-
-func (c *Core) loadLoginMFAConfigs(ctx context.Context) error {
-	eConfigs := make([]*mfa.MFAEnforcementConfig, 0)
-	allNamespaces := c.collectNamespaces()
-	for _, ns := range allNamespaces {
-		err := c.loginMFABackend.loadMFAMethodConfigs(ctx, ns)
-		if err != nil {
-			return fmt.Errorf("error loading MFA method Config, namespaceid %s, error: %w", ns.ID, err)
-		}
-
-		loadedConfigs, err := c.loginMFABackend.loadMFAEnforcementConfigs(ctx, ns)
-		if err != nil {
-			return fmt.Errorf("error loading MFA enforcement Config, namespaceid %s, error: %w", ns.ID, err)
-		}
-
-		eConfigs = append(eConfigs, loadedConfigs...)
-	}
-
-	for _, conf := range eConfigs {
-		if err := c.loginMFABackend.loginMFAMethodExistenceCheck(conf); err != nil {
-			c.loginMFABackend.mfaLogger.Error("failed to find all MFA methods that exist in MFA enforcement configs", "configID", conf.ID, "namespaceID", conf.NamespaceID, "error", err.Error())
-		}
-	}
-	return nil
-}
-
-type MFACachedAuthResponse struct {
-	CachedAuth            *logical.Auth
-	RequestPath           string
-	RequestNSID           string
-	RequestNSPath         string
-	RequestConnRemoteAddr string
-	TimeOfStorage         time.Time
-	RequestID             string
-}
-
-func (c *Core) setupCachedMFAResponseAuth() {
-	c.mfaResponseAuthQueueLock.Lock()
-	c.mfaResponseAuthQueue = NewLoginMFAPriorityQueue()
-	mfaQueue := c.mfaResponseAuthQueue
-	c.mfaResponseAuthQueueLock.Unlock()
-
-	ctx := c.activeContext
-
-	go func() {
-		ticker := time.Tick(5 * time.Second)
-		for {
-			select {
-			case <-ctx.Done():
-				return
-			case <-ticker:
-				err := mfaQueue.RemoveExpiredMfaAuthResponse(defaultMFAAuthResponseTTL, time.Now())
-				if err != nil {
-					c.Logger().Error("failed to remove stale MFA auth response", "error", err)
-				}
-			}
-		}
-	}()
-	return
-}
-
-// updateLockedUserEntries runs every 15 mins to remove stale user entries from storage
-// it also updates the userFailedLoginInfo map with correct information for locked users if incorrect
-func (c *Core) updateLockedUserEntries() {
-	if c.updateLockedUserEntriesCancel != nil {
-		return
-	}
-
-	var updateLockedUserEntriesCtx context.Context
-	updateLockedUserEntriesCtx, c.updateLockedUserEntriesCancel = context.WithCancel(c.activeContext)
-
-	if err := c.runLockedUserEntryUpdates(updateLockedUserEntriesCtx); err != nil {
-		c.Logger().Error("failed to run locked user entry updates", "error", err)
-	}
-
-	go func() {
-		ticker := time.NewTicker(15 * time.Minute)
-		for {
-			select {
-			case <-updateLockedUserEntriesCtx.Done():
-				ticker.Stop()
-				return
-			case <-ticker.C:
-				if err := c.runLockedUserEntryUpdates(updateLockedUserEntriesCtx); err != nil {
-					c.Logger().Error("failed to run locked user entry updates", "error", err)
-				}
-			}
-		}
-	}()
-	return
-}
-
-// runLockedUserEntryUpdates runs updates for locked user storage entries and userFailedLoginInfo map
-func (c *Core) runLockedUserEntryUpdates(ctx context.Context) error {
-	// check environment variable to see if user lockout workflow is disabled
-	var disableUserLockout bool
-	if disableUserLockoutEnv := os.Getenv(consts.VaultDisableUserLockout); disableUserLockoutEnv != "" {
-		var err error
-		disableUserLockout, err = strconv.ParseBool(disableUserLockoutEnv)
-		if err != nil {
-			c.Logger().Error("Error parsing the environment variable VAULT_DISABLE_USER_LOCKOUT", "error", err)
-		}
-	}
-	if disableUserLockout {
-		return nil
-	}
-
-	// get the list of namespaces of locked users from locked users path in storage
-	nsIDs, err := c.barrier.List(ctx, coreLockedUsersPath)
-	if err != nil {
-		return err
-	}
-
-	totalLockedUsersCount := 0
-	for _, nsID := range nsIDs {
-		// get the list of mount accessors of locked users for each namespace
-		mountAccessors, err := c.barrier.List(ctx, coreLockedUsersPath+nsID)
-		if err != nil {
-			return err
-		}
-
-		// update the entries for locked users for each mount accessor
-		// if storage entry is stale i.e; the lockout duration has passed
-		// remove this entry from storage and userFailedLoginInfo map
-		// else check if the userFailedLoginInfo map has correct failed login information
-		// if incorrect, update the entry in userFailedLoginInfo map
-		for _, mountAccessorPath := range mountAccessors {
-			mountAccessor := strings.TrimSuffix(mountAccessorPath, "/")
-			lockedAliasesCount, err := c.runLockedUserEntryUpdatesForMountAccessor(ctx, mountAccessor, coreLockedUsersPath+nsID+mountAccessorPath)
-			if err != nil {
-				return err
-			}
-			totalLockedUsersCount = totalLockedUsersCount + lockedAliasesCount
-		}
-	}
-
-	// emit locked user count metrics
-	metrics.SetGaugeWithLabels([]string{"core", "locked_users"}, float32(totalLockedUsersCount), nil)
-	return nil
-}
-
-// runLockedUserEntryUpdatesForMountAccessor updates the storage entry for each locked user (alias name)
-// if the entry is stale, it removes it from storage and userFailedLoginInfo map if present
-// if the entry is not stale, it updates the userFailedLoginInfo map with correct values for entry if incorrect
-func (c *Core) runLockedUserEntryUpdatesForMountAccessor(ctx context.Context, mountAccessor string, path string) (int, error) {
-	// get mount entry for mountAccessor
-	mountEntry := c.router.MatchingMountByAccessor(mountAccessor)
-	if mountEntry == nil {
-		mountEntry = &MountEntry{}
-	}
-	// get configuration for mount entry
-	userLockoutConfiguration := c.getUserLockoutConfiguration(mountEntry)
-
-	// get the list of aliases for mount accessor
-	aliases, err := c.barrier.List(ctx, path)
-	if err != nil {
-		return 0, err
-	}
-
-	lockedAliasesCount := len(aliases)
-
-	// check storage entry for each alias to update
-	for _, alias := range aliases {
-		loginUserInfoKey := FailedLoginUser{
-			aliasName:     alias,
-			mountAccessor: mountAccessor,
-		}
-
-		existingEntry, err := c.barrier.Get(ctx, path+alias)
-		if err != nil {
-			return 0, err
-		}
-
-		if existingEntry == nil {
-			continue
-		}
-
-		var lastLoginTime int
-		err = jsonutil.DecodeJSON(existingEntry.Value, &lastLoginTime)
-		if err != nil {
-			return 0, err
-		}
-
-		lastFailedLoginTimeFromStorageEntry := time.Unix(int64(lastLoginTime), 0)
-		lockoutDurationFromConfiguration := userLockoutConfiguration.LockoutDuration
-
-		// get the entry for the locked user from userFailedLoginInfo map
-		failedLoginInfoFromMap := c.LocalGetUserFailedLoginInfo(ctx, loginUserInfoKey)
-
-		// check if the storage entry for locked user is stale
-		if time.Now().After(lastFailedLoginTimeFromStorageEntry.Add(lockoutDurationFromConfiguration)) {
-			// stale entry, remove from storage
-			// leaving this as it is as this happens on the active node
-			// also handles case where namespace is deleted
-			if err := c.barrier.Delete(ctx, path+alias); err != nil {
-				return 0, err
-			}
-			// remove entry for this user from userFailedLoginInfo map if present as the user is not locked
-			if failedLoginInfoFromMap != nil {
-				if err = updateUserFailedLoginInfo(ctx, c, loginUserInfoKey, nil, true); err != nil {
-					return 0, err
-				}
-			}
-			lockedAliasesCount -= 1
-			continue
-		}
-
-		// this is not a stale entry
-		// update the map with actual failed login information
-		actualFailedLoginInfo := FailedLoginInfo{
-			lastFailedLoginTime: lastLoginTime,
-			count:               uint(userLockoutConfiguration.LockoutThreshold),
-		}
-
-		if failedLoginInfoFromMap != &actualFailedLoginInfo {
-			// entry is invalid, updating the entry in userFailedLoginMap with correct information
-			if err = updateUserFailedLoginInfo(ctx, c, loginUserInfoKey, &actualFailedLoginInfo, false); err != nil {
-				return 0, err
-			}
-		}
-	}
-	return lockedAliasesCount, nil
-}
-
-// PopMFAResponseAuthByID pops an item from the mfaResponseAuthQueue by ID
-// it returns the cached auth response or an error
-func (c *Core) PopMFAResponseAuthByID(reqID string) (*MFACachedAuthResponse, error) {
-	c.mfaResponseAuthQueueLock.Lock()
-	defer c.mfaResponseAuthQueueLock.Unlock()
-	return c.mfaResponseAuthQueue.PopByKey(reqID)
-}
-
-// SaveMFAResponseAuth pushes an MFACachedAuthResponse to the mfaResponseAuthQueue.
-// it returns an error in case of failure
-func (c *Core) SaveMFAResponseAuth(respAuth *MFACachedAuthResponse) error {
-	c.mfaResponseAuthQueueLock.Lock()
-	defer c.mfaResponseAuthQueueLock.Unlock()
-	return c.mfaResponseAuthQueue.Push(respAuth)
-}
-
-type InFlightRequests struct {
-	InFlightReqMap   *sync.Map
-	InFlightReqCount *uberAtomic.Uint64
-}
-
-type InFlightReqData struct {
-	StartTime        time.Time `json:"start_time"`
-	ClientRemoteAddr string    `json:"client_remote_address"`
-	ReqPath          string    `json:"request_path"`
-	Method           string    `json:"request_method"`
-	ClientID         string    `json:"client_id"`
-}
-
-func (c *Core) StoreInFlightReqData(reqID string, data InFlightReqData) {
-	c.inFlightReqData.InFlightReqMap.Store(reqID, data)
-	c.inFlightReqData.InFlightReqCount.Inc()
-}
-
-// FinalizeInFlightReqData is going log the completed request if the
-// corresponding server config option is enabled. It also removes the
-// request from the inFlightReqMap and decrement the number of in-flight
-// requests by one.
-func (c *Core) FinalizeInFlightReqData(reqID string, statusCode int) {
-	if c.logRequestsLevel != nil && c.logRequestsLevel.Load() != 0 {
-		c.LogCompletedRequests(reqID, statusCode)
-	}
-
-	c.inFlightReqData.InFlightReqMap.Delete(reqID)
-	c.inFlightReqData.InFlightReqCount.Dec()
-}
-
-// LoadInFlightReqData creates a snapshot map of the current
-// in-flight requests
-func (c *Core) LoadInFlightReqData() map[string]InFlightReqData {
-	currentInFlightReqMap := make(map[string]InFlightReqData)
-	c.inFlightReqData.InFlightReqMap.Range(func(key, value interface{}) bool {
-		// there is only one writer to this map, so skip checking for errors
-		v := value.(InFlightReqData)
-		currentInFlightReqMap[key.(string)] = v
-		return true
-	})
-
-	return currentInFlightReqMap
-}
-
-// UpdateInFlightReqData updates the data for a specific reqID with
-// the clientID
-func (c *Core) UpdateInFlightReqData(reqID, clientID string) {
-	v, ok := c.inFlightReqData.InFlightReqMap.Load(reqID)
-	if !ok {
-		c.Logger().Trace("failed to retrieve request with ID", "request_id", reqID)
-		return
-	}
-
-	// there is only one writer to this map, so skip checking for errors
-	reqData := v.(InFlightReqData)
-	reqData.ClientID = clientID
-	c.inFlightReqData.InFlightReqMap.Store(reqID, reqData)
-}
-
-// LogCompletedRequests Logs the completed request to the server logs
-func (c *Core) LogCompletedRequests(reqID string, statusCode int) {
-	logLevel := log.Level(c.logRequestsLevel.Load())
-	v, ok := c.inFlightReqData.InFlightReqMap.Load(reqID)
-	if !ok {
-		c.logger.Log(logLevel, fmt.Sprintf("failed to retrieve request with ID %v", reqID))
-		return
-	}
-
-	// there is only one writer to this map, so skip checking for errors
-	reqData := v.(InFlightReqData)
-	c.logger.Log(logLevel, "completed_request",
-		"start_time", reqData.StartTime.Format(time.RFC3339),
-		"duration", fmt.Sprintf("%dms", time.Now().Sub(reqData.StartTime).Milliseconds()),
-		"client_id", reqData.ClientID,
-		"client_address", reqData.ClientRemoteAddr, "status_code", statusCode, "request_path", reqData.ReqPath,
-		"request_method", reqData.Method)
-}
-
-func (c *Core) ReloadLogRequestsLevel() {
-	conf := c.rawConfig.Load()
-	if conf == nil {
-		return
-	}
-
-	infoLevel := conf.(*server.Config).LogRequestsLevel
-	switch {
-	case log.LevelFromString(infoLevel) > log.NoLevel && log.LevelFromString(infoLevel) < log.Off:
-		c.logRequestsLevel.Store(int32(log.LevelFromString(infoLevel)))
-	case infoLevel != "":
-		c.logger.Warn("invalid log_requests_level", "level", infoLevel)
-	}
-}
-
-func (c *Core) ReloadIntrospectionEndpointEnabled() {
-	conf := c.rawConfig.Load()
-	if conf == nil {
-		return
-	}
-	c.introspectionEnabledLock.Lock()
-	defer c.introspectionEnabledLock.Unlock()
-	c.introspectionEnabled = conf.(*server.Config).EnableIntrospectionEndpoint
-}
-
-type PeerNode struct {
-	Hostname       string    `json:"hostname"`
-	APIAddress     string    `json:"api_address"`
-	ClusterAddress string    `json:"cluster_address"`
-	Version        string    `json:"version"`
-	LastEcho       time.Time `json:"last_echo"`
-	UpgradeVersion string    `json:"upgrade_version,omitempty"`
-	RedundancyZone string    `json:"redundancy_zone,omitempty"`
-}
-
-// GetHAPeerNodesCached returns the nodes that've sent us Echo requests recently.
-func (c *Core) GetHAPeerNodesCached() []PeerNode {
-	var nodes []PeerNode
-	for itemClusterAddr, item := range c.clusterPeerClusterAddrsCache.Items() {
-		info := item.Object.(nodeHAConnectionInfo)
-		nodes = append(nodes, PeerNode{
-			Hostname:       info.nodeInfo.Hostname,
-			APIAddress:     info.nodeInfo.ApiAddr,
-			ClusterAddress: itemClusterAddr,
-			LastEcho:       info.lastHeartbeat,
-			Version:        info.version,
-			UpgradeVersion: info.upgradeVersion,
-			RedundancyZone: info.redundancyZone,
-		})
-	}
-	return nodes
-}
-
-func (c *Core) CheckPluginPerms(pluginName string) (err error) {
-	var enableFilePermissionsCheck bool
-	if enableFilePermissionsCheckEnv := os.Getenv(consts.VaultEnableFilePermissionsCheckEnv); enableFilePermissionsCheckEnv != "" {
-		var err error
-		enableFilePermissionsCheck, err = strconv.ParseBool(enableFilePermissionsCheckEnv)
-		if err != nil {
-			return errors.New("Error parsing the environment variable VAULT_ENABLE_FILE_PERMISSIONS_CHECK")
-		}
-	}
-
-	if c.pluginDirectory != "" && enableFilePermissionsCheck {
-		err = osutil.OwnerPermissionsMatch(c.pluginDirectory, c.pluginFileUid, c.pluginFilePermissions)
-		if err != nil {
-			return err
-		}
-		fullPath := filepath.Join(c.pluginDirectory, pluginName)
-		err = osutil.OwnerPermissionsMatch(fullPath, c.pluginFileUid, c.pluginFilePermissions)
-		if err != nil {
-			return err
-		}
-	}
-	return err
-}
-
-func (c *Core) LoadNodeID() (string, error) {
-	raftNodeID := c.GetRaftNodeID()
-	if raftNodeID != "" {
-		return raftNodeID, nil
-	}
-	hostname, err := os.Hostname()
-	if err != nil {
-		return "", err
-	}
-	return hostname, nil
-}
-
-// DetermineRoleFromLoginRequestFromBytes will determine the role that should be applied to a quota for a given
-// login request, accepting a byte payload
-func (c *Core) DetermineRoleFromLoginRequestFromBytes(ctx context.Context, mountPoint string, payload []byte) string {
-	data := make(map[string]interface{})
-	err := jsonutil.DecodeJSON(payload, &data)
-	if err != nil {
-		// Cannot discern a role from a request we cannot parse
-		return ""
-	}
-
-	return c.DetermineRoleFromLoginRequest(ctx, mountPoint, data)
-}
-
-// DetermineRoleFromLoginRequest will determine the role that should be applied to a quota for a given
-// login request
-func (c *Core) DetermineRoleFromLoginRequest(ctx context.Context, mountPoint string, data map[string]interface{}) string {
-	c.authLock.RLock()
-	defer c.authLock.RUnlock()
-	matchingBackend := c.router.MatchingBackend(ctx, mountPoint)
-	if matchingBackend == nil || matchingBackend.Type() != logical.TypeCredential {
-		// Role based quotas do not apply to this request
-		return ""
-	}
-
-	resp, err := matchingBackend.HandleRequest(ctx, &logical.Request{
-		MountPoint: mountPoint,
-		Path:       "login",
-		Operation:  logical.ResolveRoleOperation,
-		Data:       data,
-		Storage:    c.router.MatchingStorageByAPIPath(ctx, mountPoint+"login"),
-	})
-	if err != nil || resp.Data["role"] == nil {
-		return ""
-	}
-
-	return resp.Data["role"].(string)
-}
-
-// ResolveRoleForQuotas looks for any quotas requiring a role for early
-// computation in the RateLimitQuotaWrapping handler.
-func (c *Core) ResolveRoleForQuotas(ctx context.Context, req *quotas.Request) (bool, error) {
-	if c.quotaManager == nil {
-		return false, nil
-	}
-	return c.quotaManager.QueryResolveRoleQuotas(req)
-}
-
-// aliasNameFromLoginRequest will determine the aliasName from the login Request
-func (c *Core) aliasNameFromLoginRequest(ctx context.Context, req *logical.Request) (string, error) {
-	c.authLock.RLock()
-	defer c.authLock.RUnlock()
-	ns, err := namespace.FromContext(ctx)
-	if err != nil {
-		return "", err
-	}
-
-	// ns path is added while checking matching backend
-	mountPath := strings.TrimPrefix(req.MountPoint, ns.Path)
-
-	matchingBackend := c.router.MatchingBackend(ctx, mountPath)
-	if matchingBackend == nil || matchingBackend.Type() != logical.TypeCredential {
-		// pathLoginAliasLookAhead operation does not apply to this request
-		return "", nil
-	}
-
-	path := strings.ReplaceAll(req.Path, mountPath, "")
-
-	resp, err := matchingBackend.HandleRequest(ctx, &logical.Request{
-		MountPoint: req.MountPoint,
-		Path:       path,
-		Operation:  logical.AliasLookaheadOperation,
-		Data:       req.Data,
-		Storage:    c.router.MatchingStorageByAPIPath(ctx, req.Path),
-	})
-	if err != nil || resp.Auth.Alias == nil {
-		return "", nil
-	}
-	return resp.Auth.Alias.Name, nil
-}
-
-// ListMounts will provide a slice containing a deep copy each mount entry
-func (c *Core) ListMounts() ([]*MountEntry, error) {
-	if c.Sealed() {
-		return nil, fmt.Errorf("vault is sealed")
-	}
-
-	c.mountsLock.RLock()
-	defer c.mountsLock.RUnlock()
-
-	var entries []*MountEntry
-
-	for _, entry := range c.mounts.Entries {
-		clone, err := entry.Clone()
-		if err != nil {
-			return nil, err
-		}
-
-		entries = append(entries, clone)
-	}
-
-	return entries, nil
-}
-
-// ListAuths will provide a slice containing a deep copy each auth entry
-func (c *Core) ListAuths() ([]*MountEntry, error) {
-	if c.Sealed() {
-		return nil, fmt.Errorf("vault is sealed")
-	}
-
-	c.authLock.RLock()
-	defer c.authLock.RUnlock()
-
-	var entries []*MountEntry
-
-	for _, entry := range c.auth.Entries {
-		clone, err := entry.Clone()
-		if err != nil {
-			return nil, err
-		}
-
-		entries = append(entries, clone)
-	}
-
-	return entries, nil
-}
-
-type GroupPolicyApplicationMode struct {
-	GroupPolicyApplicationMode string `json:"group_policy_application_mode"`
-}
-
-func (c *Core) GetGroupPolicyApplicationMode(ctx context.Context) (string, error) {
-	se, err := c.barrier.Get(ctx, coreGroupPolicyApplicationPath)
-	if err != nil {
-		return "", err
-	}
-	if se == nil {
-		return groupPolicyApplicationModeWithinNamespaceHierarchy, nil
-	}
-
-	var modeStruct GroupPolicyApplicationMode
-
-	err = jsonutil.DecodeJSON(se.Value, &modeStruct)
-	if err != nil {
-		return "", err
-	}
-	mode := modeStruct.GroupPolicyApplicationMode
-	if mode == "" {
-		mode = groupPolicyApplicationModeWithinNamespaceHierarchy
-	}
-
-	return mode, nil
-}
-
-func (c *Core) SetGroupPolicyApplicationMode(ctx context.Context, mode string) error {
-	json, err := jsonutil.EncodeJSON(&GroupPolicyApplicationMode{GroupPolicyApplicationMode: mode})
-	if err != nil {
-		return err
-	}
-	return c.barrier.Put(ctx, &logical.StorageEntry{
-		Key:   coreGroupPolicyApplicationPath,
-		Value: json,
-	})
-}
-
-type HCPLinkStatus struct {
-	lock             sync.RWMutex
-	ConnectionStatus string `json:"hcp_link_status,omitempty"`
-	ResourceIDOnHCP  string `json:"resource_ID_on_hcp,omitempty"`
-}
-
-func (c *Core) SetHCPLinkStatus(status, resourceID string) {
-	c.hcpLinkStatus.lock.Lock()
-	defer c.hcpLinkStatus.lock.Unlock()
-	c.hcpLinkStatus.ConnectionStatus = status
-	c.hcpLinkStatus.ResourceIDOnHCP = resourceID
-}
-
-func (c *Core) GetHCPLinkStatus() (string, string) {
-	c.hcpLinkStatus.lock.RLock()
-	defer c.hcpLinkStatus.lock.RUnlock()
-
-	status := c.hcpLinkStatus.ConnectionStatus
-	resourceID := c.hcpLinkStatus.ResourceIDOnHCP
-
-	return status, resourceID
-}
-
-// IsExperimentEnabled is true if the experiment is enabled in the core.
-func (c *Core) IsExperimentEnabled(experiment string) bool {
-	return strutil.StrListContains(c.experiments, experiment)
-}
-
-// ListenerAddresses provides a slice of configured listener addresses
-func (c *Core) ListenerAddresses() ([]string, error) {
-	addresses := make([]string, 0)
-
-	conf := c.rawConfig.Load()
-	if conf == nil {
-		return nil, fmt.Errorf("failed to load core raw config")
-	}
-
-	listeners := conf.(*server.Config).Listeners
-	if listeners == nil {
-		return nil, fmt.Errorf("no listener configured")
-	}
-
-	for _, listener := range listeners {
-		addresses = append(addresses, listener.Address)
-	}
-
-	return addresses, nil
-}
-
-// IsRaftVoter specifies whether the node is a raft voter which is
-// always false if raft storage is not in use.
-func (c *Core) IsRaftVoter() bool {
-	raftInfo := c.raftInfo.Load().(*raftInformation)
-
-	if raftInfo == nil {
-		return false
-	}
-
-	return !raftInfo.nonVoter
-}
-
-func (c *Core) HAEnabled() bool {
-	return c.ha != nil && c.ha.HAEnabled()
-}
-
-func (c *Core) GetRaftConfiguration(ctx context.Context) (*raft.RaftConfigurationResponse, error) {
-	raftBackend := c.getRaftBackend()
-
-	if raftBackend == nil {
-		return nil, nil
-	}
-
-	return raftBackend.GetConfiguration(ctx)
-}
-
-func (c *Core) GetRaftAutopilotState(ctx context.Context) (*raft.AutopilotState, error) {
-	raftBackend := c.getRaftBackend()
-	if raftBackend == nil {
-		return nil, nil
-	}
-
-	return raftBackend.GetAutopilotServerState(ctx)
-}
-
-// Events returns a reference to the common event bus for sending and subscribint to events.
-func (c *Core) Events() *eventbus.EventBus {
-	return c.events
-}
-
-func (c *Core) GetWellKnownRedirect(ctx context.Context, path string) (string, error) {
-	if c.WellKnownRedirects == nil {
-		return "", nil
-	}
-	path = strings.TrimPrefix(path, WellKnownPrefix)
-	redir, remaining := c.WellKnownRedirects.Find(path)
-	if redir != nil {
-		dest, err := redir.Destination(remaining)
-		if err != nil {
-			return "", err
-		}
-		return paths.Join("/v1", dest), nil
-	}
-	return "", nil
-}
-
-func (c *Core) DetectStateLockDeadlocks() bool {
-	if _, ok := c.stateLock.(*locking.DeadlockRWMutex); ok {
-		return true
-	}
-	return false
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'ember-qunit';
+import { render, click } from '@ember/test-helpers';
+import hbs from 'htmlbars-inline-precompile';
+import sinon from 'sinon';
+
+module('Integration | Component | sidebar-user-menu', function (hooks) {
+  setupRenderingTest(hooks);
+
+  hooks.beforeEach(function () {
+    this.auth = this.owner.lookup('service:auth');
+  });
+
+  test('it should render trigger and open menu', async function (assert) {
+    await render(hbs`<Sidebar::UserMenu />`);
+
+    assert
+      .dom('[data-test-user-menu-trigger] [data-test-icon="user"]')
+      .exists('Correct icon renders for menu trigger');
+    await click('[data-test-user-menu-trigger]');
+    assert.dom('[data-test-user-menu-content]').exists('User menu content renders');
+  });
+
+  test('it should render default menu items', async function (assert) {
+    sinon.stub(this.auth, 'currentToken').value('root');
+    sinon.stub(this.auth, 'authData').value({ displayName: 'token' });
+
+    await render(hbs`<Sidebar::UserMenu />`);
+    await click('[data-test-user-menu-trigger]');
+
+    assert.dom('.menu-label').hasText('Token', 'Auth data display name renders');
+    assert.dom('li').exists({ count: 2 }, 'Correct number of menu items render');
+    assert.dom('[data-test-copy-button="root"]').exists('Copy token action renders');
+    assert.dom('#logout').hasText('Log out', 'Log out action renders');
+  });
+
+  test('it should render conditional menu items', async function (assert) {
+    const router = this.owner.lookup('service:router');
+    const transitionStub = sinon.stub(router, 'transitionTo');
+    const renewStub = sinon.stub(this.auth, 'renew').resolves();
+    const revokeStub = sinon.stub(this.auth, 'revokeCurrentToken').resolves();
+    const date = new Date();
+    sinon.stub(this.auth, 'tokenExpirationDate').value(date.setDate(date.getDate() + 1));
+    sinon.stub(this.auth, 'authData').value({ displayName: 'token', renewable: true, entity_id: 'foo' });
+    this.auth.set('allowExpiration', true);
+
+    await render(hbs`<Sidebar::UserMenu />`);
+    await click('[data-test-user-menu-trigger]');
+
+    assert.dom('[data-test-user-menu-item="token alert"]').exists('Token expiration alert renders');
+    assert.dom('[data-test-user-menu-item="mfa"]').hasText('Multi-factor authentication', 'MFA link renders');
+
+    await click('[data-test-user-menu-item="revoke token"]');
+    await click('[data-test-confirm-button]');
+    assert.true(revokeStub.calledOnce, 'Auth revoke token method called on revoke confirm');
+    assert.true(
+      transitionStub.calledWith('vault.cluster.logout'),
+      'Route transitions to log out on revoke success'
+    );
+
+    await click('[data-test-user-menu-item="renew token"]');
+    assert.true(renewStub.calledOnce, 'Auth renew token method called');
+  });
+});
diff --git a/vault/core_stubs_oss.go b/vault/core_stubs_oss.go
index 6ffdb4b2a581..b391b2d736e4 100644
--- a/vault/core_stubs_oss.go
+++ b/vault/core_stubs_oss.go
@@ -1,98 +1,93 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-//go:build !enterprise
-
-package vault
-
-import "context"
-
-//go:generate go run github.com/hashicorp/vault/tools/stubmaker
-
-func (c *Core) entInitWALPassThrough() func() {
-	return nil
-}
-
-func (c *Core) entCheckStoredLicense(conf *CoreConfig) error {
-	return nil
-}
-
-func (c *Core) entIsLicenseAutoloaded() bool {
-	return false
-}
-
-func (c *Core) entCheckLicenseInit() error {
-	return nil
-}
-
-func (c *Core) EntGetLicenseState() (*LicenseState, error) {
-	return nil, nil
-}
-
-func (c *Core) EntReloadLicense() error {
-	return nil
-}
-
-func (c *Core) entPostUnseal(isStandby bool) error {
-	return nil
-}
-
-func (c *Core) entPreSeal() error {
-	return nil
-}
-
-func (c *Core) entSetupFilteredPaths() error {
-	return nil
-}
-
-func (c *Core) entSetupQuotas(ctx context.Context) error {
-	return nil
-}
-
-func (c *Core) entSetupAPILock(ctx context.Context) error {
-	return nil
-}
-
-func (c *Core) entBlockRequestIfError(nsPath, requestPath string) error {
-	return nil
-}
-
-func (c *Core) entStartReplication() error {
-	return nil
-}
-
-func (c *Core) entStopReplication() error {
-	return nil
-}
-
-func (c *Core) EntLastWAL() uint64 {
-	return 0
-}
-
-func (c *Core) EntLastPerformanceWAL() uint64 {
-	return 0
-}
-
-func (c *Core) EntLastDRWAL() uint64 {
-	return 0
-}
-
-func (c *Core) EntDRMerkleRoot() string {
-	return ""
-}
-
-func (c *Core) EntPerformanceMerkleRoot() string {
-	return ""
-}
-
-func (c *Core) EntLastRemoteWAL() uint64 {
-	return 0
-}
-
-func (c *Core) entLastRemoteUpstreamWAL() uint64 {
-	return 0
-}
-
-func (c *Core) EntWaitUntilWALShipped(ctx context.Context, index uint64) bool {
-	return true
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<BasicDropdown
+  @horizontalPosition="right"
+  @verticalPosition="below"
+  @renderInPlace={{true}}
+  class="sidebar-user-menu"
+  data-test-user-menu
+  as |Dropdown|
+>
+  <Dropdown.Trigger data-test-user-menu-trigger>
+    <Hds::SideNav::Header::IconButton @icon="user" @ariaLabel="User menu" />
+  </Dropdown.Trigger>
+  <Dropdown.Content>
+    <div class="popup-menu-content" data-test-user-menu-content>
+      <div class="box">
+        <div class="menu-label">
+          {{capitalize this.auth.authData.displayName}}
+        </div>
+        <nav class="menu">
+          <ul class="menu-list">
+            {{#if this.auth.allowExpiration}}
+              <li class="token-alert is-flex" data-test-user-menu-item="token alert">
+                <span><Icon @name="alert-triangle-fill" class="has-text-highlight" /></span>
+                <span class="is-size-8 has-text-semibold">
+                  We've stopped auto-renewing your token due to inactivity. It will expire on
+                  {{date-format this.auth.tokenExpirationDate "MMMM do yyyy, h:mm:ss a"}}.
+                </span>
+              </li>
+            {{/if}}
+            {{#if this.hasEntityId}}
+              <li class="action">
+                <LinkTo @route="vault.cluster.mfa-setup" data-test-user-menu-item="mfa">
+                  Multi-factor authentication
+                </LinkTo>
+              </li>
+            {{/if}}
+            {{#if this.isUserpass}}
+              <li class="action">
+                <LinkTo @route="vault.cluster.access.reset-password" data-test-user-menu-item="reset-password">
+                  Reset password
+                </LinkTo>
+              </li>
+            {{/if}}
+            <li class="action" id="container">
+              {{! container is required in navbar collapsed state }}
+              <Hds::Copy::Button
+                @text="Copy token"
+                @textToCopy={{this.auth.currentToken}}
+                @isFullWidth={{true}}
+                @container="#container"
+                class="in-dropdown link is-flex-start"
+                {{on "click" (fn (set-flash-message "Token copied!"))}}
+                data-test-copy-button={{this.auth.currentToken}}
+              />
+            </li>
+            {{#if (is-before (now interval=1000) this.auth.tokenExpirationDate)}}
+              {{#if this.auth.authData.renewable}}
+                <li class="action">
+                  {{! TODO Hds::Button replacement skipped in favor of updating it when there is a Hds::Dropdown swapout }}
+                  <button
+                    type="button"
+                    {{on "click" this.renewToken}}
+                    class="link button {{if this.isRenewing 'is-loading'}}"
+                    data-test-user-menu-item="renew token"
+                  >
+                    Renew token
+                  </button>
+                </li>
+              {{/if}}
+              <ConfirmAction
+                @isInDropdown={{true}}
+                @confirmTitle="Revoke {{get this.auth 'authData.displayName'}}?"
+                @onConfirmAction={{action "revokeToken"}}
+                @buttonText="Revoke token"
+                @confirmMessage="You will not be able to log in again with this token."
+                data-test-user-menu-item="revoke token"
+              />
+            {{/if}}
+            <li class="action">
+              <LinkTo @route="vault.cluster.logout" @model={{this.currentCluster.cluster.name}} id="logout">
+                Log out
+              </LinkTo>
+            </li>
+          </ul>
+        </nav>
+      </div>
+    </div>
+  </Dropdown.Content>
+</BasicDropdown>
\ No newline at end of file
diff --git a/vault/core_test.go b/vault/core_test.go
index 983235a24036..b2a123556cd7 100644
--- a/vault/core_test.go
+++ b/vault/core_test.go
@@ -1,3411 +1,454 @@
 // Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
+// SPDX-License-Identifier: MPL-2.0
 
-package vault
+package testcluster
 
 import (
 	"context"
+	"encoding/base64"
+	"encoding/hex"
 	"fmt"
-	"reflect"
-	"strings"
-	"sync"
 	"sync/atomic"
-	"testing"
 	"time"
 
-	"github.com/hashicorp/vault/command/server"
-
-	logicalKv "github.com/hashicorp/vault-plugin-secrets-kv"
-	logicalDb "github.com/hashicorp/vault/builtin/logical/database"
-
-	"github.com/hashicorp/vault/builtin/plugin"
-
-	"github.com/hashicorp/vault/builtin/audit/syslog"
-
-	"github.com/hashicorp/vault/builtin/audit/file"
-	"github.com/hashicorp/vault/builtin/audit/socket"
-	"github.com/stretchr/testify/require"
-
-	"github.com/go-test/deep"
-	"github.com/hashicorp/errwrap"
-	log "github.com/hashicorp/go-hclog"
-	"github.com/hashicorp/go-secure-stdlib/strutil"
+	"github.com/hashicorp/go-multierror"
 	"github.com/hashicorp/go-uuid"
-	"github.com/hashicorp/vault/audit"
-	"github.com/hashicorp/vault/helper/namespace"
-	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
-	"github.com/hashicorp/vault/internalshared/configutil"
-	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/hashicorp/vault/sdk/helper/jsonutil"
-	"github.com/hashicorp/vault/sdk/helper/logging"
-	"github.com/hashicorp/vault/sdk/logical"
-	"github.com/hashicorp/vault/sdk/physical"
-	"github.com/hashicorp/vault/sdk/physical/inmem"
-	"github.com/hashicorp/vault/version"
-	"github.com/sasha-s/go-deadlock"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/helper/xor"
 )
 
-// invalidKey is used to test Unseal
-var invalidKey = []byte("abcdefghijklmnopqrstuvwxyz")[:17]
-
-// TestNewCore_configureAuditBackends ensures that we are able to configure the
-// supplied audit backends when getting a NewCore.
-func TestNewCore_configureAuditBackends(t *testing.T) {
-	t.Parallel()
-
-	tests := map[string]struct {
-		backends map[string]audit.Factory
-	}{
-		"none": {
-			backends: nil,
-		},
-		"file": {
-			backends: map[string]audit.Factory{
-				"file": file.Factory,
-			},
-		},
-		"socket": {
-			backends: map[string]audit.Factory{
-				"socket": socket.Factory,
-			},
-		},
-		"syslog": {
-			backends: map[string]audit.Factory{
-				"syslog": syslog.Factory,
-			},
-		},
-		"all": {
-			backends: map[string]audit.Factory{
-				"file":   file.Factory,
-				"socket": socket.Factory,
-				"syslog": syslog.Factory,
-			},
-		},
-	}
-
-	for name, tc := range tests {
-		name := name
-		tc := tc
-		t.Run(name, func(t *testing.T) {
-			t.Parallel()
-
-			core := &Core{}
-			require.Len(t, core.auditBackends, 0)
-			core.configureAuditBackends(tc.backends)
-			require.Len(t, core.auditBackends, len(tc.backends))
-			for k := range tc.backends {
-				require.Contains(t, core.auditBackends, k)
-			}
-		})
-	}
-}
-
-// TestNewCore_configureCredentialsBackends ensures that we are able to configure the
-// supplied credential backends, in addition to defaults, when getting a NewCore.
-func TestNewCore_configureCredentialsBackends(t *testing.T) {
-	t.Parallel()
-
-	tests := map[string]struct {
-		backends map[string]logical.Factory
-	}{
-		"none": {
-			backends: nil,
-		},
-		"plugin": {
-			backends: map[string]logical.Factory{
-				"plugin": plugin.Factory,
-			},
-		},
+// Note that OSS standbys will not accept seal requests.  And ent perf standbys
+// may fail it as well if they haven't yet been able to get "elected" as perf standbys.
+func SealNode(ctx context.Context, cluster VaultCluster, nodeIdx int) error {
+	if nodeIdx >= len(cluster.Nodes()) {
+		return fmt.Errorf("invalid nodeIdx %d for cluster", nodeIdx)
 	}
+	node := cluster.Nodes()[nodeIdx]
+	client := node.APIClient()
 
-	for name, tc := range tests {
-		name := name
-		tc := tc
-		t.Run(name, func(t *testing.T) {
-			t.Parallel()
-
-			core := &Core{}
-			require.Len(t, core.credentialBackends, 0)
-			core.configureCredentialsBackends(tc.backends, corehelpers.NewTestLogger(t))
-			require.GreaterOrEqual(t, len(core.credentialBackends), len(tc.backends)+1) // token + ent
-			for k := range tc.backends {
-				require.Contains(t, core.credentialBackends, k)
-			}
-		})
-	}
-}
-
-// TestNewCore_configureLogicalBackends ensures that we are able to configure the
-// supplied logical backends, in addition to defaults, when getting a NewCore.
-func TestNewCore_configureLogicalBackends(t *testing.T) {
-	t.Parallel()
-
-	// configureLogicalBackends will add some default backends for us:
-	// cubbyhole
-	// identity
-	// kv
-	// system
-	// In addition Enterprise versions of Vault may add additional engines.
-
-	tests := map[string]struct {
-		backends               map[string]logical.Factory
-		adminNamespacePath     string
-		expectedNonEntBackends int
-	}{
-		"none": {
-			backends:               nil,
-			expectedNonEntBackends: 0,
-		},
-		"database": {
-			backends: map[string]logical.Factory{
-				"database": logicalDb.Factory,
-			},
-			adminNamespacePath:     "foo",
-			expectedNonEntBackends: 5, // database + defaults
-		},
-		"kv": {
-			backends: map[string]logical.Factory{
-				"kv": logicalKv.Factory,
-			},
-			adminNamespacePath:     "foo",
-			expectedNonEntBackends: 4, // kv + defaults (kv is a default)
-		},
-		"plugin": {
-			backends: map[string]logical.Factory{
-				"plugin": plugin.Factory,
-			},
-			adminNamespacePath:     "foo",
-			expectedNonEntBackends: 5, // plugin + defaults
-		},
-		"all": {
-			backends: map[string]logical.Factory{
-				"database": logicalDb.Factory,
-				"kv":       logicalKv.Factory,
-				"plugin":   plugin.Factory,
-			},
-			adminNamespacePath:     "foo",
-			expectedNonEntBackends: 6, // database, plugin + defaults
-		},
+	err := client.Sys().SealWithContext(ctx)
+	if err != nil {
+		return err
 	}
 
-	for name, tc := range tests {
-		name := name
-		tc := tc
-		t.Run(name, func(t *testing.T) {
-			t.Parallel()
-
-			core := &Core{}
-			require.Len(t, core.logicalBackends, 0)
-			core.configureLogicalBackends(tc.backends, corehelpers.NewTestLogger(t), tc.adminNamespacePath)
-			require.GreaterOrEqual(t, len(core.logicalBackends), tc.expectedNonEntBackends)
-			require.Contains(t, core.logicalBackends, mountTypeKV)
-			require.Contains(t, core.logicalBackends, mountTypeCubbyhole)
-			require.Contains(t, core.logicalBackends, mountTypeSystem)
-			require.Contains(t, core.logicalBackends, mountTypeIdentity)
-			for k := range tc.backends {
-				require.Contains(t, core.logicalBackends, k)
-			}
-		})
-	}
+	return NodeSealed(ctx, cluster, nodeIdx)
 }
 
-// TestNewCore_configureLogRequestLevel ensures that we are able to configure the
-// supplied logging level when getting a NewCore.
-func TestNewCore_configureLogRequestLevel(t *testing.T) {
-	t.Parallel()
-
-	tests := map[string]struct {
-		level         string
-		expectedLevel log.Level
-	}{
-		"none": {
-			level:         "",
-			expectedLevel: log.NoLevel,
-		},
-		"trace": {
-			level:         "trace",
-			expectedLevel: log.Trace,
-		},
-		"debug": {
-			level:         "debug",
-			expectedLevel: log.Debug,
-		},
-		"info": {
-			level:         "info",
-			expectedLevel: log.Info,
-		},
-		"warn": {
-			level:         "warn",
-			expectedLevel: log.Warn,
-		},
-		"error": {
-			level:         "error",
-			expectedLevel: log.Error,
-		},
-		"bad": {
-			level:         "foo",
-			expectedLevel: log.NoLevel,
-		},
-	}
-
-	for name, tc := range tests {
-		name := name
-		tc := tc
-		t.Run(name, func(t *testing.T) {
-			t.Parallel()
-
-			// We need to supply a logger, as configureLogRequestsLevel emits
-			// warnings to the logs in certain circumstances.
-			core := &Core{
-				logger: corehelpers.NewTestLogger(t),
-			}
-			core.configureLogRequestsLevel(tc.level)
-			require.Equal(t, tc.expectedLevel, log.Level(core.logRequestsLevel.Load()))
-		})
+func SealAllNodes(ctx context.Context, cluster VaultCluster) error {
+	for i := range cluster.Nodes() {
+		if err := SealNode(ctx, cluster, i); err != nil {
+			return err
+		}
 	}
+	return nil
 }
 
-// TestNewCore_configureListeners tests that we are able to configure listeners
-// on a NewCore via config.
-func TestNewCore_configureListeners(t *testing.T) {
-	// We would usually expect CoreConfig to come from server.NewConfig().
-	// However, we want to fiddle to give us some granular control over the config.
-	tests := map[string]struct {
-		config            *CoreConfig
-		expectedListeners []*ListenerCustomHeaders
-	}{
-		"nil-listeners": {
-			config: &CoreConfig{
-				RawConfig: &server.Config{
-					SharedConfig: &configutil.SharedConfig{},
-				},
-			},
-			expectedListeners: nil,
-		},
-		"listeners-empty": {
-			config: &CoreConfig{
-				RawConfig: &server.Config{
-					SharedConfig: &configutil.SharedConfig{
-						Listeners: []*configutil.Listener{},
-					},
-				},
-			},
-			expectedListeners: nil,
-		},
-		"listeners-some": {
-			config: &CoreConfig{
-				RawConfig: &server.Config{
-					SharedConfig: &configutil.SharedConfig{
-						Listeners: []*configutil.Listener{
-							{Address: "foo"},
-						},
-					},
-				},
-			},
-			expectedListeners: []*ListenerCustomHeaders{
-				{Address: "foo"},
-			},
-		},
-	}
-
-	for name, tc := range tests {
-		name := name
-		tc := tc
-		t.Run(name, func(t *testing.T) {
-			t.Parallel()
-
-			// We need to init some values ourselves, usually CreateCore does this for us.
-			logger := corehelpers.NewTestLogger(t)
-			backend, err := inmem.NewInmem(nil, logger)
-			require.NoError(t, err)
-			storage := &logical.InmemStorage{}
-			core := &Core{
-				clusterListener:      new(atomic.Value),
-				customListenerHeader: new(atomic.Value),
-				uiConfig:             NewUIConfig(false, backend, storage),
-			}
-
-			err = core.configureListeners(tc.config)
-			require.NoError(t, err)
-			switch tc.expectedListeners {
-			case nil:
-				require.Nil(t, core.customListenerHeader.Load())
-			default:
-				for i, v := range core.customListenerHeader.Load().([]*ListenerCustomHeaders) {
-					require.Equal(t, v.Address, tc.config.RawConfig.Listeners[i].Address)
-				}
-			}
-		})
+func UnsealNode(ctx context.Context, cluster VaultCluster, nodeIdx int) error {
+	if nodeIdx >= len(cluster.Nodes()) {
+		return fmt.Errorf("invalid nodeIdx %d for cluster", nodeIdx)
 	}
-}
+	node := cluster.Nodes()[nodeIdx]
+	client := node.APIClient()
 
-func TestNewCore_badRedirectAddr(t *testing.T) {
-	logger = logging.NewVaultLogger(log.Trace)
-
-	inm, err := inmem.NewInmem(nil, logger)
-	if err != nil {
-		t.Fatal(err)
+	for _, key := range cluster.GetBarrierOrRecoveryKeys() {
+		_, err := client.Sys().UnsealWithContext(ctx, hex.EncodeToString(key))
+		if err != nil {
+			return err
+		}
 	}
 
-	conf := &CoreConfig{
-		RedirectAddr: "127.0.0.1:8200",
-		Physical:     inm,
-		DisableMlock: true,
-	}
-	_, err = NewCore(conf)
-	if err == nil {
-		t.Fatal("should error")
-	}
+	return NodeHealthy(ctx, cluster, nodeIdx)
 }
 
-func TestSealConfig_Invalid(t *testing.T) {
-	s := &SealConfig{
-		SecretShares:    2,
-		SecretThreshold: 1,
-	}
-	err := s.Validate()
-	if err == nil {
-		t.Fatalf("expected err")
+func UnsealAllNodes(ctx context.Context, cluster VaultCluster) error {
+	for i := range cluster.Nodes() {
+		if err := UnsealNode(ctx, cluster, i); err != nil {
+			return err
+		}
 	}
+	return nil
 }
 
-// TestCore_HasVaultVersion checks that versionHistory is correct and initialized
-// after a core has been unsealed.
-func TestCore_HasVaultVersion(t *testing.T) {
-	c, _, _ := TestCoreUnsealed(t)
-	if c.versionHistory == nil {
-		t.Fatalf("Version timestamps for core were not initialized for a new core")
-	}
-	versionEntry, ok := c.versionHistory[version.Version]
-	if !ok {
-		t.Fatalf("%s upgrade time not found", version.Version)
+func NodeSealed(ctx context.Context, cluster VaultCluster, nodeIdx int) error {
+	if nodeIdx >= len(cluster.Nodes()) {
+		return fmt.Errorf("invalid nodeIdx %d for cluster", nodeIdx)
 	}
+	node := cluster.Nodes()[nodeIdx]
+	client := node.APIClient()
 
-	upgradeTime := versionEntry.TimestampInstalled
-
-	if upgradeTime.After(time.Now()) || upgradeTime.Before(time.Now().Add(-1*time.Hour)) {
-		t.Fatalf("upgrade time isn't within reasonable bounds of new core initialization. " +
-			fmt.Sprintf("time is: %+v, upgrade time is %+v", time.Now(), upgradeTime))
+	var health *api.HealthResponse
+	var err error
+	for ctx.Err() == nil {
+		health, err = client.Sys().HealthWithContext(ctx)
+		switch {
+		case err != nil:
+		case !health.Sealed:
+			err = fmt.Errorf("unsealed: %#v", health)
+		default:
+			return nil
+		}
+		time.Sleep(500 * time.Millisecond)
 	}
+	return fmt.Errorf("node %d is not sealed: %v", nodeIdx, err)
 }
 
-func TestCore_Unseal_MultiShare(t *testing.T) {
-	c := TestCore(t)
-
-	_, err := TestCoreUnseal(c, invalidKey)
-	if err != ErrNotInit {
-		t.Fatalf("err: %v", err)
-	}
-
-	sealConf := &SealConfig{
-		SecretShares:    5,
-		SecretThreshold: 3,
-	}
-	res, err := c.Initialize(namespace.RootContext(nil), &InitParams{
-		BarrierConfig:  sealConf,
-		RecoveryConfig: nil,
-	})
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	if !c.Sealed() {
-		t.Fatalf("should be sealed")
-	}
+func WaitForNCoresSealed(ctx context.Context, cluster VaultCluster, n int) error {
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
 
-	if prog, _ := c.SecretProgress(true); prog != 0 {
-		t.Fatalf("bad progress: %d", prog)
+	errs := make(chan error)
+	for i := range cluster.Nodes() {
+		go func(i int) {
+			var err error
+			for ctx.Err() == nil {
+				err = NodeSealed(ctx, cluster, i)
+				if err == nil {
+					errs <- nil
+					return
+				}
+				time.Sleep(100 * time.Millisecond)
+			}
+			if err == nil {
+				err = ctx.Err()
+			}
+			errs <- err
+		}(i)
 	}
 
-	for i := 0; i < 5; i++ {
-		unseal, err := TestCoreUnseal(c, res.SecretShares[i])
-		if err != nil {
-			t.Fatalf("err: %v", err)
-		}
-
-		// Ignore redundant
-		_, err = TestCoreUnseal(c, res.SecretShares[i])
+	var merr *multierror.Error
+	var sealed int
+	for range cluster.Nodes() {
+		err := <-errs
 		if err != nil {
-			t.Fatalf("err: %v", err)
-		}
-		if i >= 2 {
-			if !unseal {
-				t.Fatalf("should be unsealed")
-			}
-			if prog, _ := c.SecretProgress(true); prog != 0 {
-				t.Fatalf("bad progress: %d", prog)
-			}
+			merr = multierror.Append(merr, err)
 		} else {
-			if unseal {
-				t.Fatalf("should not be unsealed")
-			}
-			if prog, _ := c.SecretProgress(true); prog != i+1 {
-				t.Fatalf("bad progress: %d", prog)
+			sealed++
+			if sealed == n {
+				return nil
 			}
 		}
 	}
 
-	if c.Sealed() {
-		t.Fatalf("should not be sealed")
-	}
-
-	err = c.Seal(res.RootToken)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Ignore redundant
-	err = c.Seal(res.RootToken)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	if !c.Sealed() {
-		t.Fatalf("should be sealed")
-	}
-}
-
-// TestCore_UseSSCTokenToggleOn will check that the root SSC
-// token can be used even when disableSSCTokens is toggled on
-func TestCore_UseSSCTokenToggleOn(t *testing.T) {
-	coreConfig := &CoreConfig{
-		LogicalBackends: map[string]logical.Factory{
-			"kv": LeasedPassthroughBackendFactory,
-		},
-	}
-	c, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
-	c.disableSSCTokens = true
-	req := &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "secret/test",
-		Data: map[string]interface{}{
-			"foo":   "bar",
-			"lease": "1h",
-		},
-		ClientToken: root,
-	}
-	ctx := namespace.RootContext(nil)
-	resp, err := c.HandleRequest(ctx, req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if resp != nil {
-		t.Fatalf("bad: %#v", resp)
-	}
-
-	// Read the key
-	req.Operation = logical.ReadOperation
-	req.Data = nil
-	err = c.PopulateTokenEntry(ctx, req)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-	resp, err = c.HandleRequest(ctx, req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if resp == nil || resp.Secret == nil || resp.Data == nil {
-		t.Fatalf("bad: %#v", resp)
-	}
-	if resp.Secret.TTL != time.Hour {
-		t.Fatalf("bad: %#v", resp.Secret)
-	}
-	if resp.Secret.LeaseID == "" {
-		t.Fatalf("bad: %#v", resp.Secret)
-	}
-	if resp.Data["foo"] != "bar" {
-		t.Fatalf("bad: %#v", resp.Data)
-	}
-}
-
-// TestCore_UseNonSSCTokenToggleOff will check that the root
-// non-SSC token can be used even when disableSSCTokens is toggled
-// off.
-func TestCore_UseNonSSCTokenToggleOff(t *testing.T) {
-	coreConfig := &CoreConfig{
-		DisableSSCTokens: true,
-		LogicalBackends: map[string]logical.Factory{
-			"kv": LeasedPassthroughBackendFactory,
-		},
-	}
-	c, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
-	if len(root) > TokenLength+OldTokenPrefixLength || !strings.HasPrefix(root, consts.LegacyServiceTokenPrefix) {
-		t.Fatalf("token is not an old token type: %s, %d", root, len(root))
-	}
-	c.disableSSCTokens = false
-	req := &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "secret/test",
-		Data: map[string]interface{}{
-			"foo":   "bar",
-			"lease": "1h",
-		},
-		ClientToken: root,
-	}
-	ctx := namespace.RootContext(nil)
-	resp, err := c.HandleRequest(ctx, req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if resp != nil {
-		t.Fatalf("bad: %#v", resp)
-	}
-
-	// Read the key
-	req.Operation = logical.ReadOperation
-	req.Data = nil
-	err = c.PopulateTokenEntry(ctx, req)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-	resp, err = c.HandleRequest(ctx, req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if resp == nil || resp.Secret == nil || resp.Data == nil {
-		t.Fatalf("bad: %#v", resp)
-	}
-	if resp.Secret.TTL != time.Hour {
-		t.Fatalf("bad: %#v", resp.Secret)
-	}
-	if resp.Secret.LeaseID == "" {
-		t.Fatalf("bad: %#v", resp.Secret)
-	}
-	if resp.Data["foo"] != "bar" {
-		t.Fatalf("bad: %#v", resp.Data)
-	}
+	return fmt.Errorf("%d cores were not sealed, errs: %v", n, merr.ErrorOrNil())
 }
 
-func TestCore_Unseal_Single(t *testing.T) {
-	c := TestCore(t)
-
-	_, err := TestCoreUnseal(c, invalidKey)
-	if err != ErrNotInit {
-		t.Fatalf("err: %v", err)
-	}
-
-	sealConf := &SealConfig{
-		SecretShares:    1,
-		SecretThreshold: 1,
-	}
-	res, err := c.Initialize(namespace.RootContext(nil), &InitParams{
-		BarrierConfig:  sealConf,
-		RecoveryConfig: nil,
-	})
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	if !c.Sealed() {
-		t.Fatalf("should be sealed")
-	}
-
-	if prog, _ := c.SecretProgress(true); prog != 0 {
-		t.Fatalf("bad progress: %d", prog)
-	}
-
-	unseal, err := TestCoreUnseal(c, res.SecretShares[0])
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	if !unseal {
-		t.Fatalf("should be unsealed")
-	}
-	if prog, _ := c.SecretProgress(true); prog != 0 {
-		t.Fatalf("bad progress: %d", prog)
+func NodeHealthy(ctx context.Context, cluster VaultCluster, nodeIdx int) error {
+	if nodeIdx >= len(cluster.Nodes()) {
+		return fmt.Errorf("invalid nodeIdx %d for cluster", nodeIdx)
 	}
+	node := cluster.Nodes()[nodeIdx]
+	client := node.APIClient()
 
-	if c.Sealed() {
-		t.Fatalf("should not be sealed")
+	var health *api.HealthResponse
+	var err error
+	for ctx.Err() == nil {
+		health, err = client.Sys().HealthWithContext(ctx)
+		switch {
+		case err != nil:
+		case health == nil:
+			err = fmt.Errorf("nil response to health check")
+		case health.Sealed:
+			err = fmt.Errorf("sealed: %#v", health)
+		default:
+			return nil
+		}
+		time.Sleep(500 * time.Millisecond)
 	}
+	return fmt.Errorf("node %d is unhealthy: %v", nodeIdx, err)
 }
 
-func TestCore_Route_Sealed(t *testing.T) {
-	c := TestCore(t)
-	sealConf := &SealConfig{
-		SecretShares:    1,
-		SecretThreshold: 1,
-	}
-
-	ctx := namespace.RootContext(nil)
-
-	// Should not route anything
-	req := &logical.Request{
-		Operation: logical.ReadOperation,
-		Path:      "sys/mounts",
-	}
-	_, err := c.HandleRequest(ctx, req)
-	if err != consts.ErrSealed {
-		t.Fatalf("err: %v", err)
-	}
-
-	res, err := c.Initialize(ctx, &InitParams{
-		BarrierConfig:  sealConf,
-		RecoveryConfig: nil,
-	})
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	unseal, err := TestCoreUnseal(c, res.SecretShares[0])
-	if err != nil {
-		t.Fatalf("err: %v", err)
+func LeaderNode(ctx context.Context, cluster VaultCluster) (int, error) {
+	// Be robust to multiple nodes thinking they are active. This is possible in
+	// certain network partition situations where the old leader has not
+	// discovered it's lost leadership yet. In tests this is only likely to come
+	// up when we are specifically provoking it, but it's possible it could happen
+	// at any point if leadership flaps of connectivity suffers transient errors
+	// etc. so be robust against it. The best solution would be to have some sort
+	// of epoch like the raft term that is guaranteed to be monotonically
+	// increasing through elections, however we don't have that abstraction for
+	// all HABackends in general. The best we have is the ActiveTime. In a
+	// distributed systems text book this would be bad to rely on due to clock
+	// sync issues etc. but for our tests it's likely fine because even if we are
+	// running separate Vault containers, they are all using the same hardware
+	// clock in the system.
+	leaderActiveTimes := make(map[int]time.Time)
+	for i, node := range cluster.Nodes() {
+		client := node.APIClient()
+		ctx, cancel := context.WithTimeout(ctx, 100*time.Millisecond)
+		resp, err := client.Sys().LeaderWithContext(ctx)
+		cancel()
+		if err != nil || resp == nil || !resp.IsSelf {
+			continue
+		}
+		leaderActiveTimes[i] = resp.ActiveTime
 	}
-	if !unseal {
-		t.Fatalf("should be unsealed")
+	if len(leaderActiveTimes) == 0 {
+		return -1, fmt.Errorf("no leader found")
 	}
-
-	// Should not error after unseal
-	req.ClientToken = res.RootToken
-	_, err = c.HandleRequest(ctx, req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
+	// At least one node thinks it is active. If multiple, pick the one with the
+	// most recent ActiveTime. Note if there is only one then this just returns
+	// it.
+	var newestLeaderIdx int
+	var newestActiveTime time.Time
+	for i, at := range leaderActiveTimes {
+		if at.After(newestActiveTime) {
+			newestActiveTime = at
+			newestLeaderIdx = i
+		}
 	}
+	return newestLeaderIdx, nil
 }
 
-// Attempt to unseal after doing a first seal
-func TestCore_SealUnseal(t *testing.T) {
-	c, keys, root := TestCoreUnsealed(t)
-	if err := c.Seal(root); err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	for i, key := range keys {
-		unseal, err := TestCoreUnseal(c, key)
-		if err != nil {
-			t.Fatalf("err: %v", err)
-		}
-		if i+1 == len(keys) && !unseal {
-			t.Fatalf("err: should be unsealed")
+func WaitForActiveNode(ctx context.Context, cluster VaultCluster) (int, error) {
+	for ctx.Err() == nil {
+		if idx, _ := LeaderNode(ctx, cluster); idx != -1 {
+			return idx, nil
 		}
+		time.Sleep(500 * time.Millisecond)
 	}
+	return -1, ctx.Err()
 }
 
-// TestCore_RunLockedUserUpdatesForStaleEntry tests that stale locked user entries
-// get deleted upon unseal
-func TestCore_RunLockedUserUpdatesForStaleEntry(t *testing.T) {
-	core, keys, root := TestCoreUnsealed(t)
-	storageUserLockoutPath := fmt.Sprintf(coreLockedUsersPath + "ns1/mountAccessor1/aliasName1")
-
-	// cleanup
-	defer core.barrier.Delete(context.Background(), storageUserLockoutPath)
-
-	// create invalid entry in storage to test stale entries get deleted on unseal
-	// last failed login time for this path is 1970-01-01 00:00:00 +0000 UTC
-	// since user lockout configurations are not configured, lockout duration will
-	// be set to default (15m) internally
-	compressedBytes, err := jsonutil.EncodeJSONAndCompress(int(time.Unix(0, 0).Unix()), nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Create an entry
-	entry := &logical.StorageEntry{
-		Key:   storageUserLockoutPath,
-		Value: compressedBytes,
+func WaitForStandbyNode(ctx context.Context, cluster VaultCluster, nodeIdx int) error {
+	if nodeIdx >= len(cluster.Nodes()) {
+		return fmt.Errorf("invalid nodeIdx %d for cluster", nodeIdx)
 	}
+	node := cluster.Nodes()[nodeIdx]
+	client := node.APIClient()
 
-	// Write to the physical backend
-	err = core.barrier.Put(context.Background(), entry)
-	if err != nil {
-		t.Fatalf("failed to write invalid locked user entry, err: %v", err)
-	}
+	var err error
+	for ctx.Err() == nil {
+		var resp *api.LeaderResponse
 
-	// seal and unseal vault
-	if err := core.Seal(root); err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	for i, key := range keys {
-		unseal, err := TestCoreUnseal(core, key)
-		if err != nil {
-			t.Fatalf("err: %v", err)
+		resp, err = client.Sys().LeaderWithContext(ctx)
+		switch {
+		case err != nil:
+		case resp.IsSelf:
+			return fmt.Errorf("waiting for standby but node is leader")
+		case resp.LeaderAddress == "":
+			err = fmt.Errorf("node doesn't know leader address")
+		default:
+			return nil
 		}
-		if i+1 == len(keys) && !unseal {
-			t.Fatalf("err: should be unsealed")
-		}
-	}
 
-	// locked user entry must be deleted upon unseal as it is stale
-	lastFailedLoginRaw, err := core.barrier.Get(context.Background(), storageUserLockoutPath)
-	if err != nil {
-		t.Fatal(err)
+		time.Sleep(100 * time.Millisecond)
 	}
-	if lastFailedLoginRaw != nil {
-		t.Fatal("err: stale locked user entry exists")
+	if err == nil {
+		err = ctx.Err()
 	}
+	return err
 }
 
-// TestCore_RunLockedUserUpdatesForValidEntry tests that valid locked user entries
-// do not get removed on unseal
-// Also tests that the userFailedLoginInfo map gets updated with correct information
-func TestCore_RunLockedUserUpdatesForValidEntry(t *testing.T) {
-	core, keys, root := TestCoreUnsealed(t)
-	storageUserLockoutPath := fmt.Sprintf(coreLockedUsersPath + "ns1/mountAccessor1/aliasName1")
-
-	// cleanup
-	defer core.barrier.Delete(context.Background(), storageUserLockoutPath)
+func WaitForActiveNodeAndStandbys(ctx context.Context, cluster VaultCluster) (int, error) {
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
 
-	// create valid storage entry for locked user
-	lastFailedLoginTime := int(time.Now().Unix())
-
-	compressedBytes, err := jsonutil.EncodeJSONAndCompress(lastFailedLoginTime, nil)
+	leaderIdx, err := WaitForActiveNode(ctx, cluster)
 	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Create an entry
-	entry := &logical.StorageEntry{
-		Key:   storageUserLockoutPath,
-		Value: compressedBytes,
+		return 0, err
 	}
 
-	// Write to the physical backend
-	err = core.barrier.Put(context.Background(), entry)
-	if err != nil {
-		t.Fatalf("failed to write invalid locked user entry, err: %v", err)
+	if len(cluster.Nodes()) == 1 {
+		return 0, nil
 	}
 
-	// seal and unseal vault
-	if err := core.Seal(root); err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	for i, key := range keys {
-		unseal, err := TestCoreUnseal(core, key)
-		if err != nil {
-			t.Fatalf("err: %v", err)
-		}
-		if i+1 == len(keys) && !unseal {
-			t.Fatalf("err: should be unsealed")
+	errs := make(chan error)
+	for i := range cluster.Nodes() {
+		if i == leaderIdx {
+			continue
 		}
+		go func(i int) {
+			errs <- WaitForStandbyNode(ctx, cluster, i)
+		}(i)
 	}
 
-	// locked user entry must exist as it is still valid
-	existingEntry, err := core.barrier.Get(context.Background(), storageUserLockoutPath)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if existingEntry == nil {
-		t.Fatalf("err: entry must exist for locked user in storage")
-	}
-
-	// userFailedLoginInfo map should have the correct information for locked user
-	loginUserInfoKey := FailedLoginUser{
-		aliasName:     "aliasName1",
-		mountAccessor: "mountAccessor1",
-	}
-
-	failedLoginInfoFromMap := core.LocalGetUserFailedLoginInfo(context.Background(), loginUserInfoKey)
-	if failedLoginInfoFromMap == nil {
-		t.Fatalf("err: entry must exist for locked user in userFailedLoginInfo map")
+	var merr *multierror.Error
+	expectedStandbys := len(cluster.Nodes()) - 1
+	for i := 0; i < expectedStandbys; i++ {
+		merr = multierror.Append(merr, <-errs)
 	}
-	if failedLoginInfoFromMap.lastFailedLoginTime != lastFailedLoginTime {
-		t.Fatalf("err: incorrect failed login time information for locked user updated in userFailedLoginInfo map")
-	}
-	if int(failedLoginInfoFromMap.count) != configutil.UserLockoutThresholdDefault {
-		t.Fatalf("err: incorrect failed login count information for locked user updated in userFailedLoginInfo map")
-	}
-}
 
-// Attempt to shutdown after unseal
-func TestCore_Shutdown(t *testing.T) {
-	c, _, _ := TestCoreUnsealed(t)
-	if err := c.Shutdown(); err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if !c.Sealed() {
-		t.Fatal("wasn't sealed")
-	}
+	return leaderIdx, merr.ErrorOrNil()
 }
 
-// verify the channel returned by ShutdownDone is closed after Finalize
-func TestCore_ShutdownDone(t *testing.T) {
-	c := TestCoreWithSealAndUINoCleanup(t, &CoreConfig{})
-	testCoreUnsealed(t, c)
-	doneCh := c.ShutdownDone()
-	go func() {
-		time.Sleep(100 * time.Millisecond)
-		err := c.Shutdown()
-		if err != nil {
-			t.Fatal(err)
-		}
-	}()
-
-	select {
-	case <-doneCh:
-		if !c.Sealed() {
-			t.Fatalf("shutdown done called prematurely!")
-		}
-	case <-time.After(5 * time.Second):
-		t.Fatalf("shutdown notification not received")
+func WaitForActiveNodeAndPerfStandbys(ctx context.Context, cluster VaultCluster) error {
+	logger := cluster.NamedLogger("WaitForActiveNodeAndPerfStandbys")
+	// This WaitForActiveNode was added because after a Raft cluster is sealed
+	// and then unsealed, when it comes up it may have a different leader than
+	// Core0, making this helper fail.
+	// A sleep before calling WaitForActiveNodeAndPerfStandbys seems to sort
+	// things out, but so apparently does this.  We should be able to eliminate
+	// this call to WaitForActiveNode by reworking the logic in this method.
+	leaderIdx, err := WaitForActiveNode(ctx, cluster)
+	if err != nil {
+		return err
 	}
-}
 
-// Attempt to seal bad token
-func TestCore_Seal_BadToken(t *testing.T) {
-	c, _, _ := TestCoreUnsealed(t)
-	if err := c.Seal("foo"); err == nil {
-		t.Fatalf("err: %v", err)
+	if len(cluster.Nodes()) == 1 {
+		return nil
 	}
-	if c.Sealed() {
-		t.Fatal("was sealed")
-	}
-}
-
-func TestCore_PreOneTen_BatchTokens(t *testing.T) {
-	c, _, _ := TestCoreUnsealed(t)
-
-	// load up some versions and ensure that 1.9 is the most recent one by timestamp (even though this isn't realistic)
-	upgradeTimePlusEpsilon := time.Now().UTC()
 
-	versionEntries := []VaultVersion{
-		{Version: "1.10.1", TimestampInstalled: upgradeTimePlusEpsilon.Add(-4 * time.Hour)},
-		{Version: "1.9.2", TimestampInstalled: upgradeTimePlusEpsilon.Add(2 * time.Hour)},
-	}
+	expectedStandbys := len(cluster.Nodes()) - 1
 
-	for _, entry := range versionEntries {
-		_, err := c.storeVersionEntry(context.Background(), &entry, false)
-		if err != nil {
-			t.Fatalf("failed to write version entry %#v, err: %s", entry, err.Error())
-		}
+	mountPoint, err := uuid.GenerateUUID()
+	if err != nil {
+		return err
 	}
+	leaderClient := cluster.Nodes()[leaderIdx].APIClient()
 
-	err := c.loadVersionHistory(c.activeContext)
-	if err != nil {
-		t.Fatalf("failed to populate version history cache, err: %s", err.Error())
+	for ctx.Err() == nil {
+		err = leaderClient.Sys().MountWithContext(ctx, mountPoint, &api.MountInput{
+			Type:  "kv",
+			Local: true,
+		})
+		if err == nil {
+			break
+		}
+		time.Sleep(1 * time.Second)
+	}
+	if err != nil {
+		return fmt.Errorf("unable to mount KV engine: %v", err)
+	}
+	path := mountPoint + "/waitforactivenodeandperfstandbys"
+	var standbys, actives int64
+	errchan := make(chan error, len(cluster.Nodes()))
+	for i := range cluster.Nodes() {
+		go func(coreNo int) {
+			node := cluster.Nodes()[coreNo]
+			client := node.APIClient()
+			val := 1
+			var err error
+			defer func() {
+				errchan <- err
+			}()
+
+			var lastWAL uint64
+			for ctx.Err() == nil {
+				_, err = leaderClient.Logical().WriteWithContext(ctx, path, map[string]interface{}{
+					"bar": val,
+				})
+				val++
+				time.Sleep(250 * time.Millisecond)
+				if err != nil {
+					continue
+				}
+				var leader *api.LeaderResponse
+				leader, err = client.Sys().LeaderWithContext(ctx)
+				if err != nil {
+					logger.Trace("waiting for core", "core", coreNo, "err", err)
+					continue
+				}
+				switch {
+				case leader.IsSelf:
+					logger.Trace("waiting for core", "core", coreNo, "isLeader", true)
+					atomic.AddInt64(&actives, 1)
+					return
+				case leader.PerfStandby && leader.PerfStandbyLastRemoteWAL > 0:
+					switch {
+					case lastWAL == 0:
+						lastWAL = leader.PerfStandbyLastRemoteWAL
+						logger.Trace("waiting for core", "core", coreNo, "lastRemoteWAL", leader.PerfStandbyLastRemoteWAL, "lastWAL", lastWAL)
+					case lastWAL < leader.PerfStandbyLastRemoteWAL:
+						logger.Trace("waiting for core", "core", coreNo, "lastRemoteWAL", leader.PerfStandbyLastRemoteWAL, "lastWAL", lastWAL)
+						atomic.AddInt64(&standbys, 1)
+						return
+					}
+				default:
+					logger.Trace("waiting for core", "core", coreNo,
+						"ha_enabled", leader.HAEnabled,
+						"is_self", leader.IsSelf,
+						"perf_standby", leader.PerfStandby,
+						"perf_standby_remote_wal", leader.PerfStandbyLastRemoteWAL)
+				}
+			}
+		}(i)
 	}
 
-	// double check that we're working with 1.9
-	v, _, err := c.FindNewestVersionTimestamp()
-	if err != nil {
-		t.Fatal(err)
+	errs := make([]error, 0, len(cluster.Nodes()))
+	for range cluster.Nodes() {
+		errs = append(errs, <-errchan)
 	}
-	if v != "1.9.2" {
-		t.Fatalf("expected 1.9.2, found: %s", v)
+	if actives != 1 || int(standbys) != expectedStandbys {
+		return fmt.Errorf("expected 1 active core and %d standbys, got %d active and %d standbys, errs: %v",
+			expectedStandbys, actives, standbys, errs)
 	}
 
-	// generate a batch token
-	te := &logical.TokenEntry{
-		NumUses:     1,
-		Policies:    []string{"root"},
-		NamespaceID: namespace.RootNamespaceID,
-		Type:        logical.TokenTypeBatch,
+	for ctx.Err() == nil {
+		err = leaderClient.Sys().UnmountWithContext(ctx, mountPoint)
+		if err == nil {
+			break
+		}
+		time.Sleep(time.Second)
 	}
-	err = c.tokenStore.create(namespace.RootContext(nil), te)
 	if err != nil {
-		t.Fatal(err)
-	}
-
-	// verify it uses the legacy prefix
-	if !strings.HasPrefix(te.ID, consts.LegacyBatchTokenPrefix) {
-		t.Fatalf("expected 1.9 batch token IDs to start with b. but it didn't: %s", te.ID)
+		return fmt.Errorf("unable to unmount KV engine on primary")
 	}
+	return nil
 }
 
-func TestCore_OneTenPlus_BatchTokens(t *testing.T) {
-	c, _, _ := TestCoreUnsealed(t)
+type GenerateRootKind int
 
-	// load up some versions and ensure that 1.10 is the most recent version
-	upgradeTimePlusEpsilon := time.Now().UTC()
+const (
+	GenerateRootRegular GenerateRootKind = iota
+	GenerateRootDR
+	GenerateRecovery
+)
 
-	versionEntries := []VaultVersion{
-		{Version: "1.9.2", TimestampInstalled: upgradeTimePlusEpsilon.Add(-4 * time.Hour)},
-		{Version: "1.10.1", TimestampInstalled: upgradeTimePlusEpsilon.Add(2 * time.Hour)},
-	}
+func GenerateRoot(cluster VaultCluster, kind GenerateRootKind) (string, error) {
+	// If recovery keys supported, use those to perform root token generation instead
+	keys := cluster.GetBarrierOrRecoveryKeys()
 
-	for _, entry := range versionEntries {
-		_, err := c.storeVersionEntry(context.Background(), &entry, false)
-		if err != nil {
-			t.Fatalf("failed to write version entry %#v, err: %s", entry, err.Error())
-		}
-	}
+	client := cluster.Nodes()[0].APIClient()
 
-	err := c.loadVersionHistory(c.activeContext)
-	if err != nil {
-		t.Fatalf("failed to populate version history cache, err: %s", err.Error())
+	var err error
+	var status *api.GenerateRootStatusResponse
+	switch kind {
+	case GenerateRootRegular:
+		status, err = client.Sys().GenerateRootInit("", "")
+	case GenerateRootDR:
+		status, err = client.Sys().GenerateDROperationTokenInit("", "")
+	case GenerateRecovery:
+		status, err = client.Sys().GenerateRecoveryOperationTokenInit("", "")
 	}
-
-	// double check that we're working with 1.10
-	v, _, err := c.FindNewestVersionTimestamp()
 	if err != nil {
-		t.Fatal(err)
-	}
-	if v != "1.10.1" {
-		t.Fatalf("expected 1.10.1, found: %s", v)
+		return "", err
 	}
 
-	// generate a batch token
-	te := &logical.TokenEntry{
-		NumUses:     1,
-		Policies:    []string{"root"},
-		NamespaceID: namespace.RootNamespaceID,
-		Type:        logical.TokenTypeBatch,
-	}
-	err = c.tokenStore.create(namespace.RootContext(nil), te)
-	if err != nil {
-		t.Fatal(err)
+	if status.Required > len(keys) {
+		return "", fmt.Errorf("need more keys than have, need %d have %d", status.Required, len(keys))
 	}
 
-	// verify it uses the legacy prefix
-	if !strings.HasPrefix(te.ID, consts.BatchTokenPrefix) {
-		t.Fatalf("expected 1.10 batch token IDs to start with hvb. but it didn't: %s", te.ID)
-	}
-}
+	otp := status.OTP
 
-// GH-3497
-func TestCore_Seal_SingleUse(t *testing.T) {
-	c, keys, _ := TestCoreUnsealed(t)
-	c.tokenStore.create(namespace.RootContext(nil), &logical.TokenEntry{
-		ID:          "foo",
-		NumUses:     1,
-		Policies:    []string{"root"},
-		NamespaceID: namespace.RootNamespaceID,
-	})
-	if err := c.Seal("foo"); err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if !c.Sealed() {
-		t.Fatal("not sealed")
-	}
 	for i, key := range keys {
-		unseal, err := TestCoreUnseal(c, key)
-		if err != nil {
-			t.Fatalf("err: %v", err)
+		if i >= status.Required {
+			break
 		}
-		if i+1 == len(keys) && !unseal {
-			t.Fatalf("err: should be unsealed")
-		}
-	}
-	if err := c.Seal("foo"); err == nil {
-		t.Fatal("expected error from revoked token")
-	}
-	te, err := c.tokenStore.Lookup(namespace.RootContext(nil), "foo")
-	if err != nil {
-		t.Fatal(err)
-	}
-	if te != nil {
-		t.Fatalf("expected nil token entry, got %#v", *te)
-	}
-}
-
-// Ensure we get a LeaseID
-func TestCore_HandleRequest_Lease(t *testing.T) {
-	coreConfig := &CoreConfig{
-		LogicalBackends: map[string]logical.Factory{
-			"kv": LeasedPassthroughBackendFactory,
-		},
-	}
-	c, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
 
-	req := &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "secret/test",
-		Data: map[string]interface{}{
-			"foo":   "bar",
-			"lease": "1h",
-		},
-		ClientToken: root,
-	}
-	ctx := namespace.RootContext(nil)
-	resp, err := c.HandleRequest(ctx, req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
+		strKey := base64.StdEncoding.EncodeToString(key)
+		switch kind {
+		case GenerateRootRegular:
+			status, err = client.Sys().GenerateRootUpdate(strKey, status.Nonce)
+		case GenerateRootDR:
+			status, err = client.Sys().GenerateDROperationTokenUpdate(strKey, status.Nonce)
+		case GenerateRecovery:
+			status, err = client.Sys().GenerateRecoveryOperationTokenUpdate(strKey, status.Nonce)
+		}
+		if err != nil {
+			return "", err
+		}
 	}
-	if resp != nil {
-		t.Fatalf("bad: %#v", resp)
+	if !status.Complete {
+		return "", fmt.Errorf("generate root operation did not end successfully")
 	}
 
-	// Read the key
-	req.Operation = logical.ReadOperation
-	req.Data = nil
-	err = c.PopulateTokenEntry(ctx, req)
+	tokenBytes, err := base64.RawStdEncoding.DecodeString(status.EncodedToken)
 	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-	resp, err = c.HandleRequest(ctx, req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if resp == nil || resp.Secret == nil || resp.Data == nil {
-		t.Fatalf("bad: %#v", resp)
-	}
-	if resp.Secret.TTL != time.Hour {
-		t.Fatalf("bad: %#v", resp.Secret)
+		return "", err
 	}
-	if resp.Secret.LeaseID == "" {
-		t.Fatalf("bad: %#v", resp.Secret)
-	}
-	if resp.Data["foo"] != "bar" {
-		t.Fatalf("bad: %#v", resp.Data)
-	}
-}
-
-func TestCore_HandleRequest_Lease_MaxLength(t *testing.T) {
-	coreConfig := &CoreConfig{
-		LogicalBackends: map[string]logical.Factory{
-			"kv": LeasedPassthroughBackendFactory,
-		},
-	}
-	c, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
-
-	req := &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "secret/test",
-		Data: map[string]interface{}{
-			"foo":   "bar",
-			"lease": "1000h",
-		},
-		ClientToken: root,
-	}
-	ctx := namespace.RootContext(nil)
-	resp, err := c.HandleRequest(ctx, req)
+	tokenBytes, err = xor.XORBytes(tokenBytes, []byte(otp))
 	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if resp != nil {
-		t.Fatalf("bad: %#v", resp)
-	}
-
-	// Read the key
-	req.Operation = logical.ReadOperation
-	req.Data = nil
-	err = c.PopulateTokenEntry(ctx, req)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-	resp, err = c.HandleRequest(ctx, req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if resp == nil || resp.Secret == nil || resp.Data == nil {
-		t.Fatalf("bad: %#v", resp)
-	}
-	if resp.Secret.TTL != c.maxLeaseTTL {
-		t.Fatalf("bad: %#v, %d", resp.Secret, c.maxLeaseTTL)
-	}
-	if resp.Secret.LeaseID == "" {
-		t.Fatalf("bad: %#v", resp.Secret)
-	}
-	if resp.Data["foo"] != "bar" {
-		t.Fatalf("bad: %#v", resp.Data)
-	}
-}
-
-func TestCore_HandleRequest_Lease_DefaultLength(t *testing.T) {
-	coreConfig := &CoreConfig{
-		LogicalBackends: map[string]logical.Factory{
-			"kv": LeasedPassthroughBackendFactory,
-		},
-	}
-	c, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
-
-	req := &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "secret/test",
-		Data: map[string]interface{}{
-			"foo":   "bar",
-			"lease": "0h",
-		},
-		ClientToken: root,
-	}
-	ctx := namespace.RootContext(nil)
-	resp, err := c.HandleRequest(ctx, req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if resp != nil {
-		t.Fatalf("bad: %#v", resp)
-	}
-
-	// Read the key
-	req.Operation = logical.ReadOperation
-	req.Data = nil
-	err = c.PopulateTokenEntry(ctx, req)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-	resp, err = c.HandleRequest(ctx, req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if resp == nil || resp.Secret == nil || resp.Data == nil {
-		t.Fatalf("bad: %#v", resp)
-	}
-	if resp.Secret.TTL != c.defaultLeaseTTL {
-		t.Fatalf("bad: %d, %d", resp.Secret.TTL/time.Second, c.defaultLeaseTTL/time.Second)
-	}
-	if resp.Secret.LeaseID == "" {
-		t.Fatalf("bad: %#v", resp.Secret)
-	}
-	if resp.Data["foo"] != "bar" {
-		t.Fatalf("bad: %#v", resp.Data)
-	}
-}
-
-func TestCore_HandleRequest_MissingToken(t *testing.T) {
-	c, _, _ := TestCoreUnsealed(t)
-
-	req := &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "secret/test",
-		Data: map[string]interface{}{
-			"foo":   "bar",
-			"lease": "1h",
-		},
-	}
-	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err == nil || !errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
-		t.Fatalf("err: %v", err)
-	}
-	if resp.Data["error"] != logical.ErrPermissionDenied.Error() {
-		t.Fatalf("bad: %#v", resp)
-	}
-}
-
-func TestCore_HandleRequest_InvalidToken(t *testing.T) {
-	c, _, _ := TestCoreUnsealed(t)
-
-	req := &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "secret/test",
-		Data: map[string]interface{}{
-			"foo":   "bar",
-			"lease": "1h",
-		},
-		ClientToken: "foobarbaz",
-	}
-	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err == nil || !errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
-		t.Fatalf("err: %v", err)
-	}
-	if resp.Data["error"] != "permission denied" {
-		t.Fatalf("bad: %#v", resp)
-	}
-}
-
-// Check that standard permissions work
-func TestCore_HandleRequest_NoSlash(t *testing.T) {
-	c, _, root := TestCoreUnsealed(t)
-
-	req := &logical.Request{
-		Operation:   logical.HelpOperation,
-		Path:        "secret",
-		ClientToken: root,
-	}
-	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v, resp: %v", err, resp)
-	}
-	if _, ok := resp.Data["help"]; !ok {
-		t.Fatalf("resp: %v", resp)
-	}
-}
-
-// Test a root path is denied if non-root
-func TestCore_HandleRequest_RootPath(t *testing.T) {
-	c, _, root := TestCoreUnsealed(t)
-	testMakeServiceTokenViaCore(t, c, root, "child", "", []string{"test"})
-
-	req := &logical.Request{
-		Operation:   logical.ReadOperation,
-		Path:        "sys/policy", // root protected!
-		ClientToken: "child",
-	}
-	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err == nil || !errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
-		t.Fatalf("err: %v, resp: %v", err, resp)
-	}
-}
-
-// Test a root path is allowed if non-root but with sudo
-func TestCore_HandleRequest_RootPath_WithSudo(t *testing.T) {
-	c, _, root := TestCoreUnsealed(t)
-
-	// Set the 'test' policy object to permit access to sys/policy
-	req := &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "sys/policy/test", // root protected!
-		Data: map[string]interface{}{
-			"rules": `path "sys/policy" { policy = "sudo" }`,
-		},
-		ClientToken: root,
-	}
-	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if resp != nil && (resp.IsError() || len(resp.Data) > 0) {
-		t.Fatalf("bad: %#v", resp)
-	}
-
-	// Child token (non-root) but with 'test' policy should have access
-	testMakeServiceTokenViaCore(t, c, root, "child", "", []string{"test"})
-	req = &logical.Request{
-		Operation:   logical.ReadOperation,
-		Path:        "sys/policy", // root protected!
-		ClientToken: "child",
-	}
-	resp, err = c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if resp == nil {
-		t.Fatalf("bad: %#v", resp)
-	}
-}
-
-// Check that standard permissions work
-func TestCore_HandleRequest_PermissionDenied(t *testing.T) {
-	c, _, root := TestCoreUnsealed(t)
-	testMakeServiceTokenViaCore(t, c, root, "child", "", []string{"test"})
-
-	req := &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "secret/test",
-		Data: map[string]interface{}{
-			"foo":   "bar",
-			"lease": "1h",
-		},
-		ClientToken: "child",
-	}
-	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err == nil || !errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
-		t.Fatalf("err: %v, resp: %v", err, resp)
-	}
-}
-
-// Check that standard permissions work
-func TestCore_HandleRequest_PermissionAllowed(t *testing.T) {
-	c, _, root := TestCoreUnsealed(t)
-	testMakeServiceTokenViaCore(t, c, root, "child", "", []string{"test"})
-
-	// Set the 'test' policy object to permit access to secret/
-	req := &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "sys/policy/test",
-		Data: map[string]interface{}{
-			"rules": `path "secret/*" { policy = "write" }`,
-		},
-		ClientToken: root,
-	}
-	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if resp != nil && (resp.IsError() || len(resp.Data) > 0) {
-		t.Fatalf("bad: %#v", resp)
-	}
-
-	// Write should work now
-	req = &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "secret/test",
-		Data: map[string]interface{}{
-			"foo":   "bar",
-			"lease": "1h",
-		},
-		ClientToken: "child",
-	}
-	resp, err = c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if resp != nil {
-		t.Fatalf("bad: %#v", resp)
-	}
-}
-
-func TestCore_HandleRequest_NoClientToken(t *testing.T) {
-	noop := &NoopBackend{
-		Response: &logical.Response{},
-	}
-	c, _, root := TestCoreUnsealed(t)
-	c.logicalBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
-		return noop, nil
-	}
-
-	// Enable the logical backend
-	req := logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo")
-	req.Data["type"] = "noop"
-	req.Data["description"] = "foo"
-	req.ClientToken = root
-	_, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Attempt to request with connection data
-	req = &logical.Request{
-		Path: "foo/login",
-	}
-	req.ClientToken = root
-	if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	ct := noop.Requests[0].ClientToken
-	if ct == "" || ct == root {
-		t.Fatalf("bad: %#v", noop.Requests)
-	}
-}
-
-func TestCore_HandleRequest_ConnOnLogin(t *testing.T) {
-	noop := &NoopBackend{
-		Login:       []string{"login"},
-		Response:    &logical.Response{},
-		BackendType: logical.TypeCredential,
-	}
-	c, _, root := TestCoreUnsealed(t)
-	c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
-		return noop, nil
-	}
-
-	// Enable the credential backend
-	req := logical.TestRequest(t, logical.UpdateOperation, "sys/auth/foo")
-	req.Data["type"] = "noop"
-	req.ClientToken = root
-	_, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Attempt to request with connection data
-	req = &logical.Request{
-		Path:       "auth/foo/login",
-		Connection: &logical.Connection{},
-	}
-	if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if noop.Requests[0].Connection == nil {
-		t.Fatalf("bad: %#v", noop.Requests)
-	}
-}
-
-// Ensure we get a client token
-func TestCore_HandleLogin_Token(t *testing.T) {
-	noop := &NoopBackend{
-		Login: []string{"login"},
-		Response: &logical.Response{
-			Auth: &logical.Auth{
-				Policies: []string{"foo", "bar"},
-				Metadata: map[string]string{
-					"user": "armon",
-				},
-				DisplayName: "armon",
-			},
-		},
-		BackendType: logical.TypeCredential,
-	}
-	c, _, root := TestCoreUnsealed(t)
-	c.credentialBackends["noop"] = func(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
-		return noop, nil
-	}
-
-	// Enable the credential backend
-	req := logical.TestRequest(t, logical.UpdateOperation, "sys/auth/foo")
-	req.Data["type"] = "noop"
-	req.ClientToken = root
-	_, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Attempt to login
-	lreq := &logical.Request{
-		Path: "auth/foo/login",
-	}
-	lresp, err := c.HandleRequest(namespace.RootContext(nil), lreq)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Ensure we got a client token back
-	clientToken := lresp.Auth.ClientToken
-	if clientToken == "" {
-		t.Fatalf("bad: %#v", lresp)
-	}
-
-	// Check the policy and metadata
-	innerToken, _ := c.DecodeSSCToken(clientToken)
-	te, err := c.tokenStore.Lookup(namespace.RootContext(nil), innerToken)
-	if err != nil || te == nil {
-		t.Fatalf("tok: %s, err: %v", clientToken, err)
-	}
-
-	expectedID, _ := c.DecodeSSCToken(clientToken)
-	expect := &logical.TokenEntry{
-		ID:       expectedID,
-		Accessor: te.Accessor,
-		Parent:   "",
-		Policies: []string{"bar", "default", "foo"},
-		Path:     "auth/foo/login",
-		Meta: map[string]string{
-			"user": "armon",
-		},
-		DisplayName:  "foo-armon",
-		TTL:          time.Hour * 24,
-		CreationTime: te.CreationTime,
-		NamespaceID:  namespace.RootNamespaceID,
-		CubbyholeID:  te.CubbyholeID,
-		Type:         logical.TokenTypeService,
-	}
-
-	if diff := deep.Equal(te, expect); diff != nil {
-		t.Fatal(diff)
-	}
-
-	// Check that we have a lease with default duration
-	if lresp.Auth.TTL != noop.System().DefaultLeaseTTL() {
-		t.Fatalf("bad: %#v, defaultLeaseTTL: %#v", lresp.Auth, c.defaultLeaseTTL)
-	}
-}
-
-func TestCore_HandleRequest_AuditTrail(t *testing.T) {
-	t.Setenv("VAULT_AUDIT_DISABLE_EVENTLOGGER", "true")
-
-	// Create a noop audit backend
-	noop := &corehelpers.NoopAudit{}
-	c, _, root := TestCoreUnsealed(t)
-	c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig, _ bool, _ audit.HeaderFormatter) (audit.Backend, error) {
-		noop = &corehelpers.NoopAudit{
-			Config: config,
-		}
-		return noop, nil
-	}
-
-	// Enable the audit backend
-	req := logical.TestRequest(t, logical.UpdateOperation, "sys/audit/noop")
-	req.Data["type"] = "noop"
-	req.ClientToken = root
-	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Make a request
-	req = &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "secret/test",
-		Data: map[string]interface{}{
-			"foo":   "bar",
-			"lease": "1h",
-		},
-		ClientToken: root,
-	}
-	req.ClientToken = root
-	if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Check the audit trail on request and response
-	if len(noop.ReqAuth) != 1 {
-		t.Fatalf("bad: %#v", noop)
-	}
-	auth := noop.ReqAuth[0]
-	if auth.ClientToken != root {
-		t.Fatalf("bad client token: %#v", auth)
-	}
-	if len(auth.Policies) != 1 || auth.Policies[0] != "root" {
-		t.Fatalf("bad: %#v", auth)
-	}
-	if len(noop.Req) != 1 || !reflect.DeepEqual(noop.Req[0], req) {
-		t.Fatalf("Bad: %#v", noop.Req[0])
-	}
-
-	if len(noop.RespAuth) != 2 {
-		t.Fatalf("bad: %#v", noop)
-	}
-	if !reflect.DeepEqual(noop.RespAuth[1], auth) {
-		t.Fatalf("bad: %#v, vs %#v", auth, noop.RespAuth)
-	}
-	if len(noop.RespReq) != 2 || !reflect.DeepEqual(noop.RespReq[1], req) {
-		t.Fatalf("Bad: %#v", noop.RespReq[1])
-	}
-	if len(noop.Resp) != 2 || !reflect.DeepEqual(noop.Resp[1], resp) {
-		t.Fatalf("Bad: %#v", noop.Resp[1])
-	}
-}
-
-func TestCore_HandleRequest_AuditTrail_noHMACKeys(t *testing.T) {
-	t.Setenv("VAULT_AUDIT_DISABLE_EVENTLOGGER", "true")
-
-	// Create a noop audit backend
-	var noop *corehelpers.NoopAudit
-	c, _, root := TestCoreUnsealed(t)
-	c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig, _ bool, _ audit.HeaderFormatter) (audit.Backend, error) {
-		noop = &corehelpers.NoopAudit{
-			Config: config,
-		}
-		return noop, nil
-	}
-
-	// Specify some keys to not HMAC
-	req := logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/secret/tune")
-	req.Data["audit_non_hmac_request_keys"] = "foo"
-	req.ClientToken = root
-	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	req = logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/secret/tune")
-	req.Data["audit_non_hmac_response_keys"] = "baz"
-	req.ClientToken = root
-	resp, err = c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Enable the audit backend
-	req = logical.TestRequest(t, logical.UpdateOperation, "sys/audit/noop")
-	req.Data["type"] = "noop"
-	req.ClientToken = root
-	resp, err = c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Make a request
-	req = &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "secret/test",
-		Data: map[string]interface{}{
-			"foo": "bar",
-		},
-		ClientToken: root,
-	}
-	req.ClientToken = root
-	if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Check the audit trail on request and response
-	if len(noop.ReqAuth) != 1 {
-		t.Fatalf("bad: %#v", noop)
-	}
-	auth := noop.ReqAuth[0]
-	if auth.ClientToken != root {
-		t.Fatalf("bad client token: %#v", auth)
-	}
-	if len(auth.Policies) != 1 || auth.Policies[0] != "root" {
-		t.Fatalf("bad: %#v", auth)
-	}
-	if len(noop.Req) != 1 || !reflect.DeepEqual(noop.Req[0], req) {
-		t.Fatalf("Bad: %#v", noop.Req[0])
-	}
-	if len(noop.ReqNonHMACKeys) != 1 || noop.ReqNonHMACKeys[0] != "foo" {
-		t.Fatalf("Bad: %#v", noop.ReqNonHMACKeys)
-	}
-	if len(noop.RespAuth) != 2 {
-		t.Fatalf("bad: %#v", noop)
-	}
-	if !reflect.DeepEqual(noop.RespAuth[1], auth) {
-		t.Fatalf("bad: %#v", auth)
-	}
-	if len(noop.RespReq) != 2 || !reflect.DeepEqual(noop.RespReq[1], req) {
-		t.Fatalf("Bad: %#v", noop.RespReq[1])
-	}
-	if len(noop.Resp) != 2 || !reflect.DeepEqual(noop.Resp[1], resp) {
-		t.Fatalf("Bad: %#v", noop.Resp[1])
-	}
-
-	// Test for response keys
-	// Make a request
-	req = &logical.Request{
-		Operation:   logical.ReadOperation,
-		Path:        "secret/test",
-		ClientToken: root,
-	}
-	req.ClientToken = root
-	err = c.PopulateTokenEntry(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-	if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if len(noop.RespNonHMACKeys) != 1 || !strutil.EquivalentSlices(noop.RespNonHMACKeys[0], []string{"baz"}) {
-		t.Fatalf("Bad: %#v", noop.RespNonHMACKeys)
-	}
-	if len(noop.RespReqNonHMACKeys) != 1 || !strutil.EquivalentSlices(noop.RespReqNonHMACKeys[0], []string{"foo"}) {
-		t.Fatalf("Bad: %#v", noop.RespReqNonHMACKeys)
-	}
-}
-
-func TestCore_HandleLogin_AuditTrail(t *testing.T) {
-	t.Setenv("VAULT_AUDIT_DISABLE_EVENTLOGGER", "true")
-
-	// Create a badass credential backend that always logs in as armon
-	noop := &corehelpers.NoopAudit{}
-	noopBack := &NoopBackend{
-		Login: []string{"login"},
-		Response: &logical.Response{
-			Auth: &logical.Auth{
-				LeaseOptions: logical.LeaseOptions{
-					TTL: time.Hour,
-				},
-				Policies: []string{"foo", "bar"},
-				Metadata: map[string]string{
-					"user": "armon",
-				},
-			},
-		},
-		BackendType: logical.TypeCredential,
-	}
-	c, _, root := TestCoreUnsealed(t)
-	c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
-		return noopBack, nil
-	}
-	c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig, _ bool, _ audit.HeaderFormatter) (audit.Backend, error) {
-		noop = &corehelpers.NoopAudit{
-			Config: config,
-		}
-		return noop, nil
-	}
-
-	// Enable the credential backend
-	req := logical.TestRequest(t, logical.UpdateOperation, "sys/auth/foo")
-	req.Data["type"] = "noop"
-	req.ClientToken = root
-	_, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Enable the audit backend
-	req = logical.TestRequest(t, logical.UpdateOperation, "sys/audit/noop")
-	req.Data["type"] = "noop"
-	req.ClientToken = root
-	_, err = c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Attempt to login
-	lreq := &logical.Request{
-		Path: "auth/foo/login",
-	}
-	lresp, err := c.HandleRequest(namespace.RootContext(nil), lreq)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Ensure we got a client token back
-	clientToken := lresp.Auth.ClientToken
-	if clientToken == "" {
-		t.Fatalf("bad: %#v", lresp)
-	}
-
-	// Check the audit trail on request and response
-	if len(noop.ReqAuth) != 1 {
-		t.Fatalf("bad: %#v", noop)
-	}
-	if len(noop.Req) != 1 || !reflect.DeepEqual(noop.Req[0], lreq) {
-		t.Fatalf("Bad: %#v %#v", noop.Req[0], lreq)
-	}
-
-	if len(noop.RespAuth) != 2 {
-		t.Fatalf("bad: %#v", noop)
-	}
-	auth := noop.RespAuth[1]
-	if auth.ClientToken != clientToken {
-		t.Fatalf("bad client token: %#v", auth)
-	}
-	if len(auth.Policies) != 3 || auth.Policies[0] != "bar" || auth.Policies[1] != "default" || auth.Policies[2] != "foo" {
-		t.Fatalf("bad: %#v", auth)
-	}
-	if len(noop.RespReq) != 2 || !reflect.DeepEqual(noop.RespReq[1], lreq) {
-		t.Fatalf("Bad: %#v", noop.RespReq[1])
-	}
-	if len(noop.Resp) != 2 || !reflect.DeepEqual(noop.Resp[1], lresp) {
-		t.Fatalf("Bad: %#v %#v", noop.Resp[1], lresp)
-	}
-}
-
-// Check that we register a lease for new tokens
-func TestCore_HandleRequest_CreateToken_Lease(t *testing.T) {
-	c, _, root := TestCoreUnsealed(t)
-
-	// Create a new credential
-	req := logical.TestRequest(t, logical.UpdateOperation, "auth/token/create")
-	req.ClientToken = root
-	req.Data["policies"] = []string{"foo"}
-	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Ensure we got a new client token back
-	if resp.IsError() {
-		t.Fatalf("err: %v %v", err, *resp)
-	}
-	clientToken := resp.Auth.ClientToken
-	if clientToken == "" {
-		t.Fatalf("bad: %#v", resp)
-	}
-
-	// Check the policy and metadata
-	te, err := c.tokenStore.Lookup(namespace.RootContext(nil), clientToken)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	expectedID, _ := c.DecodeSSCToken(clientToken)
-	expectedRootID, _ := c.DecodeSSCToken(root)
-
-	expect := &logical.TokenEntry{
-		ID:           expectedID,
-		Accessor:     te.Accessor,
-		Parent:       expectedRootID,
-		Policies:     []string{"default", "foo"},
-		Path:         "auth/token/create",
-		DisplayName:  "token",
-		CreationTime: te.CreationTime,
-		TTL:          time.Hour * 24 * 32,
-		NamespaceID:  namespace.RootNamespaceID,
-		CubbyholeID:  te.CubbyholeID,
-		Type:         logical.TokenTypeService,
-	}
-	if diff := deep.Equal(te, expect); diff != nil {
-		t.Fatal(diff)
-	}
-
-	// Check that we have a lease with default duration
-	if resp.Auth.TTL != c.defaultLeaseTTL {
-		t.Fatalf("bad: %#v", resp.Auth)
-	}
-}
-
-// Check that we handle excluding the default policy
-func TestCore_HandleRequest_CreateToken_NoDefaultPolicy(t *testing.T) {
-	c, _, root := TestCoreUnsealed(t)
-
-	// Create a new credential
-	req := logical.TestRequest(t, logical.UpdateOperation, "auth/token/create")
-	req.ClientToken = root
-	req.Data["policies"] = []string{"foo"}
-	req.Data["no_default_policy"] = true
-	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Ensure we got a new client token back
-	clientToken := resp.Auth.ClientToken
-	if clientToken == "" {
-		t.Fatalf("bad: %#v", resp)
-	}
-
-	// Check the policy and metadata
-	te, err := c.tokenStore.Lookup(namespace.RootContext(nil), clientToken)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	expectedID, _ := c.DecodeSSCToken(clientToken)
-	expectedRootID, _ := c.DecodeSSCToken(root)
-
-	expect := &logical.TokenEntry{
-		ID:           expectedID,
-		Accessor:     te.Accessor,
-		Parent:       expectedRootID,
-		Policies:     []string{"foo"},
-		Path:         "auth/token/create",
-		DisplayName:  "token",
-		CreationTime: te.CreationTime,
-		TTL:          time.Hour * 24 * 32,
-		NamespaceID:  namespace.RootNamespaceID,
-		CubbyholeID:  te.CubbyholeID,
-		Type:         logical.TokenTypeService,
-	}
-	if diff := deep.Equal(te, expect); diff != nil {
-		t.Fatal(diff)
-	}
-}
-
-func TestCore_LimitedUseToken(t *testing.T) {
-	c, _, root := TestCoreUnsealed(t)
-
-	// Create a new credential
-	req := logical.TestRequest(t, logical.UpdateOperation, "auth/token/create")
-	req.ClientToken = root
-	req.Data["num_uses"] = "1"
-	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Put a secret
-	req = &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "secret/foo",
-		Data: map[string]interface{}{
-			"foo": "bar",
-		},
-		ClientToken: resp.Auth.ClientToken,
-	}
-	_, err = c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Second operation should fail
-	_, err = c.HandleRequest(namespace.RootContext(nil), req)
-	if err == nil || !errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
-		t.Fatalf("err: %v", err)
-	}
-}
-
-func TestCore_Standby_Seal(t *testing.T) {
-	// Create the first core and initialize it
-	logger = logging.NewVaultLogger(log.Trace)
-
-	inm, err := inmem.NewInmemHA(nil, logger)
-	if err != nil {
-		t.Fatal(err)
-	}
-	inmha, err := inmem.NewInmemHA(nil, logger)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	redirectOriginal := "http://127.0.0.1:8200"
-	core, err := NewCore(&CoreConfig{
-		Physical:     inm,
-		HAPhysical:   inmha.(physical.HABackend),
-		RedirectAddr: redirectOriginal,
-		DisableMlock: true,
-	})
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	defer core.Shutdown()
-	keys, root := TestCoreInit(t, core)
-	for _, key := range keys {
-		if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil {
-			t.Fatalf("unseal err: %s", err)
-		}
-	}
-
-	// Verify unsealed
-	if core.Sealed() {
-		t.Fatal("should not be sealed")
-	}
-
-	// Wait for core to become active
-	TestWaitActive(t, core)
-
-	// Check the leader is local
-	isLeader, advertise, _, err := core.Leader()
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if !isLeader {
-		t.Fatalf("should be leader")
-	}
-	if advertise != redirectOriginal {
-		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal)
-	}
-
-	// Create the second core and initialize it
-	redirectOriginal2 := "http://127.0.0.1:8500"
-	core2, err := NewCore(&CoreConfig{
-		Physical:     inm,
-		HAPhysical:   inmha.(physical.HABackend),
-		RedirectAddr: redirectOriginal2,
-		DisableMlock: true,
-	})
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	defer core2.Shutdown()
-	for _, key := range keys {
-		if _, err := TestCoreUnseal(core2, TestKeyCopy(key)); err != nil {
-			t.Fatalf("unseal err: %s", err)
-		}
-	}
-
-	// Verify unsealed
-	if core2.Sealed() {
-		t.Fatal("should not be sealed")
-	}
-
-	// Core2 should be in standby
-	standby, err := core2.Standby()
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if !standby {
-		t.Fatalf("should be standby")
-	}
-
-	// Check the leader is not local
-	isLeader, advertise, _, err = core2.Leader()
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if isLeader {
-		t.Fatalf("should not be leader")
-	}
-	if advertise != redirectOriginal {
-		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal)
-	}
-
-	// Seal the standby core with the correct token. Shouldn't go down
-	err = core2.Seal(root)
-	if err == nil {
-		t.Fatal("should not be sealed")
-	}
-
-	keyUUID, err := uuid.GenerateUUID()
-	if err != nil {
-		t.Fatal(err)
-	}
-	// Seal the standby core with an invalid token. Shouldn't go down
-	err = core2.Seal(keyUUID)
-	if err == nil {
-		t.Fatal("should not be sealed")
-	}
-}
-
-func TestCore_StepDown(t *testing.T) {
-	// Create the first core and initialize it
-	logger = logging.NewVaultLogger(log.Trace).Named(t.Name())
-
-	inm, err := inmem.NewInmemHA(nil, logger)
-	if err != nil {
-		t.Fatal(err)
-	}
-	inmha, err := inmem.NewInmemHA(nil, logger)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	redirectOriginal := "http://127.0.0.1:8200"
-	core, err := NewCore(&CoreConfig{
-		Physical:     inm,
-		HAPhysical:   inmha.(physical.HABackend),
-		RedirectAddr: redirectOriginal,
-		DisableMlock: true,
-		Logger:       logger.Named("core1"),
-	})
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	defer core.Shutdown()
-	keys, root := TestCoreInit(t, core)
-	for _, key := range keys {
-		if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil {
-			t.Fatalf("unseal err: %s", err)
-		}
-	}
-
-	// Verify unsealed
-	if core.Sealed() {
-		t.Fatal("should not be sealed")
-	}
-
-	// Wait for core to become active
-	TestWaitActive(t, core)
-
-	// Check the leader is local
-	isLeader, advertise, _, err := core.Leader()
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if !isLeader {
-		t.Fatalf("should be leader")
-	}
-	if advertise != redirectOriginal {
-		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal)
-	}
-
-	// Create the second core and initialize it
-	redirectOriginal2 := "http://127.0.0.1:8500"
-	core2, err := NewCore(&CoreConfig{
-		Physical:     inm,
-		HAPhysical:   inmha.(physical.HABackend),
-		RedirectAddr: redirectOriginal2,
-		DisableMlock: true,
-		Logger:       logger.Named("core2"),
-	})
-	defer core2.Shutdown()
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	for _, key := range keys {
-		if _, err := TestCoreUnseal(core2, TestKeyCopy(key)); err != nil {
-			t.Fatalf("unseal err: %s", err)
-		}
-	}
-
-	// Verify unsealed
-	if core2.Sealed() {
-		t.Fatal("should not be sealed")
-	}
-
-	// Core2 should be in standby
-	standby, err := core2.Standby()
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if !standby {
-		t.Fatalf("should be standby")
-	}
-
-	// Check the leader is not local
-	isLeader, advertise, _, err = core2.Leader()
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if isLeader {
-		t.Fatalf("should not be leader")
-	}
-	if advertise != redirectOriginal {
-		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal)
-	}
-
-	req := &logical.Request{
-		ClientToken: root,
-		Path:        "sys/step-down",
-	}
-
-	// Create an identifier for the request
-	req.ID, err = uuid.GenerateUUID()
-	if err != nil {
-		t.Fatalf("failed to generate identifier for the request: path: %s err: %v", req.Path, err)
-	}
-
-	// Step down core
-	err = core.StepDown(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatal("error stepping down core 1")
-	}
-
-	// Give time to switch leaders
-	time.Sleep(5 * time.Second)
-
-	// Core1 should be in standby
-	standby, err = core.Standby()
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if !standby {
-		t.Fatalf("should be standby")
-	}
-
-	// Check the leader is core2
-	isLeader, advertise, _, err = core2.Leader()
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if !isLeader {
-		t.Fatalf("should be leader")
-	}
-	if advertise != redirectOriginal2 {
-		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal2)
-	}
-
-	// Check the leader is not local
-	isLeader, advertise, _, err = core.Leader()
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if isLeader {
-		t.Fatalf("should not be leader")
-	}
-	if advertise != redirectOriginal2 {
-		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal2)
-	}
-
-	// Step down core2
-	err = core2.StepDown(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatal("error stepping down core 1")
-	}
-
-	// Give time to switch leaders -- core 1 will still be waiting on its
-	// cooling off period so give it a full 10 seconds to recover
-	time.Sleep(10 * time.Second)
-
-	// Core2 should be in standby
-	standby, err = core2.Standby()
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if !standby {
-		t.Fatalf("should be standby")
-	}
-
-	// Check the leader is core1
-	isLeader, advertise, _, err = core.Leader()
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if !isLeader {
-		t.Fatalf("should be leader")
-	}
-	if advertise != redirectOriginal {
-		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal)
-	}
-
-	// Check the leader is not local
-	isLeader, advertise, _, err = core2.Leader()
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if isLeader {
-		t.Fatalf("should not be leader")
-	}
-	if advertise != redirectOriginal {
-		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal)
-	}
-}
-
-func TestCore_CleanLeaderPrefix(t *testing.T) {
-	// Create the first core and initialize it
-	logger = logging.NewVaultLogger(log.Trace)
-
-	inm, err := inmem.NewInmemHA(nil, logger)
-	if err != nil {
-		t.Fatal(err)
-	}
-	inmha, err := inmem.NewInmemHA(nil, logger)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	redirectOriginal := "http://127.0.0.1:8200"
-	core, err := NewCore(&CoreConfig{
-		Physical:     inm,
-		HAPhysical:   inmha.(physical.HABackend),
-		RedirectAddr: redirectOriginal,
-		DisableMlock: true,
-	})
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	defer core.Shutdown()
-	keys, root := TestCoreInit(t, core)
-	for _, key := range keys {
-		if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil {
-			t.Fatalf("unseal err: %s", err)
-		}
-	}
-
-	// Verify unsealed
-	if core.Sealed() {
-		t.Fatal("should not be sealed")
-	}
-
-	// Wait for core to become active
-	TestWaitActive(t, core)
-
-	// Ensure that the original clean function has stopped running
-	time.Sleep(2 * time.Second)
-
-	// Put several random entries
-	for i := 0; i < 5; i++ {
-		keyUUID, err := uuid.GenerateUUID()
-		if err != nil {
-			t.Fatal(err)
-		}
-		valueUUID, err := uuid.GenerateUUID()
-		if err != nil {
-			t.Fatal(err)
-		}
-		core.barrier.Put(namespace.RootContext(nil), &logical.StorageEntry{
-			Key:   coreLeaderPrefix + keyUUID,
-			Value: []byte(valueUUID),
-		})
-	}
-
-	entries, err := core.barrier.List(namespace.RootContext(nil), coreLeaderPrefix)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if len(entries) != 6 {
-		t.Fatalf("wrong number of core leader prefix entries, got %d", len(entries))
-	}
-
-	// Check the leader is local
-	isLeader, advertise, _, err := core.Leader()
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if !isLeader {
-		t.Fatalf("should be leader")
-	}
-	if advertise != redirectOriginal {
-		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal)
-	}
-
-	// Create a second core, attached to same in-memory store
-	redirectOriginal2 := "http://127.0.0.1:8500"
-	core2, err := NewCore(&CoreConfig{
-		Physical:     inm,
-		HAPhysical:   inmha.(physical.HABackend),
-		RedirectAddr: redirectOriginal2,
-		DisableMlock: true,
-	})
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	defer core2.Shutdown()
-	for _, key := range keys {
-		if _, err := TestCoreUnseal(core2, TestKeyCopy(key)); err != nil {
-			t.Fatalf("unseal err: %s", err)
-		}
-	}
-
-	// Verify unsealed
-	if core2.Sealed() {
-		t.Fatal("should not be sealed")
-	}
-
-	// Core2 should be in standby
-	standby, err := core2.Standby()
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if !standby {
-		t.Fatalf("should be standby")
-	}
-
-	// Check the leader is not local
-	isLeader, advertise, _, err = core2.Leader()
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if isLeader {
-		t.Fatalf("should not be leader")
-	}
-	if advertise != redirectOriginal {
-		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal)
-	}
-
-	// Seal the first core, should step down
-	err = core.Seal(root)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Core should be in standby
-	standby, err = core.Standby()
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if !standby {
-		t.Fatalf("should be standby")
-	}
-
-	// Wait for core2 to become active
-	TestWaitActive(t, core2)
-
-	// Check the leader is local
-	isLeader, advertise, _, err = core2.Leader()
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if !isLeader {
-		t.Fatalf("should be leader")
-	}
-	if advertise != redirectOriginal2 {
-		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal2)
-	}
-
-	// Give time for the entries to clear out; it is conservative at 1/second
-	time.Sleep(10 * leaderPrefixCleanDelay)
-
-	entries, err = core2.barrier.List(namespace.RootContext(nil), coreLeaderPrefix)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if len(entries) != 1 {
-		t.Fatalf("wrong number of core leader prefix entries, got %d", len(entries))
-	}
-}
-
-func TestCore_Standby(t *testing.T) {
-	logger = logging.NewVaultLogger(log.Trace)
-
-	inmha, err := inmem.NewInmemHA(nil, logger)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	testCore_Standby_Common(t, inmha, inmha.(physical.HABackend))
-}
-
-func TestCore_Standby_SeparateHA(t *testing.T) {
-	logger = logging.NewVaultLogger(log.Trace)
-
-	inmha, err := inmem.NewInmemHA(nil, logger)
-	if err != nil {
-		t.Fatal(err)
-	}
-	inmha2, err := inmem.NewInmemHA(nil, logger)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	testCore_Standby_Common(t, inmha, inmha2.(physical.HABackend))
-}
-
-func testCore_Standby_Common(t *testing.T, inm physical.Backend, inmha physical.HABackend) {
-	// Create the first core and initialize it
-	redirectOriginal := "http://127.0.0.1:8200"
-	core, err := NewCore(&CoreConfig{
-		Physical:        inm,
-		HAPhysical:      inmha,
-		RedirectAddr:    redirectOriginal,
-		DisableMlock:    true,
-		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
-	})
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	defer core.Shutdown()
-	keys, root := TestCoreInit(t, core)
-	for _, key := range keys {
-		if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil {
-			t.Fatalf("unseal err: %s", err)
-		}
-	}
-
-	// Verify unsealed
-	if core.Sealed() {
-		t.Fatal("should not be sealed")
-	}
-
-	// Wait for core to become active
-	TestWaitActive(t, core)
-
-	testCoreAddSecretMount(t, core, root, "1")
-
-	// Put a secret
-	req := &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "secret/foo",
-		Data: map[string]interface{}{
-			"foo": "bar",
-		},
-		ClientToken: root,
-	}
-	_, err = core.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Check the leader is local
-	isLeader, advertise, _, err := core.Leader()
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if !isLeader {
-		t.Fatalf("should be leader")
-	}
-	if advertise != redirectOriginal {
-		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal)
-	}
-
-	// Create a second core, attached to same in-memory store
-	redirectOriginal2 := "http://127.0.0.1:8500"
-	core2, err := NewCore(&CoreConfig{
-		Physical:     inm,
-		HAPhysical:   inmha,
-		RedirectAddr: redirectOriginal2,
-		DisableMlock: true,
-	})
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	defer core2.Shutdown()
-	for _, key := range keys {
-		if _, err := TestCoreUnseal(core2, TestKeyCopy(key)); err != nil {
-			t.Fatalf("unseal err: %s", err)
-		}
-	}
-
-	// Verify unsealed
-	if core2.Sealed() {
-		t.Fatal("should not be sealed")
-	}
-
-	// Core2 should be in standby
-	standby, err := core2.Standby()
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if !standby {
-		t.Fatalf("should be standby")
-	}
-
-	// Request should fail in standby mode
-	_, err = core2.HandleRequest(namespace.RootContext(nil), req)
-	if err != consts.ErrStandby {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Check the leader is not local
-	isLeader, advertise, _, err = core2.Leader()
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if isLeader {
-		t.Fatalf("should not be leader")
-	}
-	if advertise != redirectOriginal {
-		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal)
-	}
-
-	// Seal the first core, should step down
-	err = core.Seal(root)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Core should be in standby
-	standby, err = core.Standby()
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if !standby {
-		t.Fatalf("should be standby")
-	}
-
-	// Wait for core2 to become active
-	TestWaitActive(t, core2)
-
-	// Read the secret
-	req = &logical.Request{
-		Operation:   logical.ReadOperation,
-		Path:        "secret/foo",
-		ClientToken: root,
-	}
-	resp, err := core2.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Verify the response
-	if resp.Data["foo"] != "bar" {
-		t.Fatalf("bad: %#v", resp)
-	}
-
-	// Check the leader is local
-	isLeader, advertise, _, err = core2.Leader()
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if !isLeader {
-		t.Fatalf("should be leader")
-	}
-	if advertise != redirectOriginal2 {
-		t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal2)
-	}
-
-	if inm.(*inmem.InmemHABackend) == inmha.(*inmem.InmemHABackend) {
-		lockSize := inm.(*inmem.InmemHABackend).LockMapSize()
-		if lockSize == 0 {
-			t.Fatalf("locks not used with only one HA backend")
-		}
-	} else {
-		lockSize := inmha.(*inmem.InmemHABackend).LockMapSize()
-		if lockSize == 0 {
-			t.Fatalf("locks not used with expected HA backend")
-		}
-
-		lockSize = inm.(*inmem.InmemHABackend).LockMapSize()
-		if lockSize != 0 {
-			t.Fatalf("locks used with unexpected HA backend")
-		}
-	}
-}
-
-// Ensure that InternalData is never returned
-func TestCore_HandleRequest_Login_InternalData(t *testing.T) {
-	noop := &NoopBackend{
-		Login: []string{"login"},
-		Response: &logical.Response{
-			Auth: &logical.Auth{
-				Policies: []string{"foo", "bar"},
-				InternalData: map[string]interface{}{
-					"foo": "bar",
-				},
-			},
-		},
-		BackendType: logical.TypeCredential,
-	}
-
-	c, _, root := TestCoreUnsealed(t)
-	c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
-		return noop, nil
-	}
-
-	// Enable the credential backend
-	req := logical.TestRequest(t, logical.UpdateOperation, "sys/auth/foo")
-	req.Data["type"] = "noop"
-	req.ClientToken = root
-	_, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Attempt to login
-	lreq := &logical.Request{
-		Path: "auth/foo/login",
-	}
-	lresp, err := c.HandleRequest(namespace.RootContext(nil), lreq)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Ensure we do not get the internal data
-	if lresp.Auth.InternalData != nil {
-		t.Fatalf("bad: %#v", lresp)
-	}
-}
-
-// Ensure that InternalData is never returned
-func TestCore_HandleRequest_InternalData(t *testing.T) {
-	noop := &NoopBackend{
-		Response: &logical.Response{
-			Secret: &logical.Secret{
-				InternalData: map[string]interface{}{
-					"foo": "bar",
-				},
-			},
-			Data: map[string]interface{}{
-				"foo": "bar",
-			},
-		},
-	}
-
-	c, _, root := TestCoreUnsealed(t)
-	c.logicalBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
-		return noop, nil
-	}
-
-	// Enable the credential backend
-	req := logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo")
-	req.Data["type"] = "noop"
-	req.ClientToken = root
-	_, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Attempt to read
-	lreq := &logical.Request{
-		Operation:   logical.ReadOperation,
-		Path:        "foo/test",
-		ClientToken: root,
-	}
-	lreq.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
-	lresp, err := c.HandleRequest(namespace.RootContext(nil), lreq)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Ensure we do not get the internal data
-	if lresp.Secret.InternalData != nil {
-		t.Fatalf("bad: %#v", lresp)
-	}
-}
-
-// Ensure login does not return a secret
-func TestCore_HandleLogin_ReturnSecret(t *testing.T) {
-	// Create a badass credential backend that always logs in as armon
-	noopBack := &NoopBackend{
-		Login: []string{"login"},
-		Response: &logical.Response{
-			Secret: &logical.Secret{},
-			Auth: &logical.Auth{
-				Policies: []string{"foo", "bar"},
-			},
-		},
-		BackendType: logical.TypeCredential,
-	}
-	c, _, root := TestCoreUnsealed(t)
-	c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
-		return noopBack, nil
-	}
-
-	// Enable the credential backend
-	req := logical.TestRequest(t, logical.UpdateOperation, "sys/auth/foo")
-	req.Data["type"] = "noop"
-	req.ClientToken = root
-	_, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Attempt to login
-	lreq := &logical.Request{
-		Path: "auth/foo/login",
-	}
-	_, err = c.HandleRequest(namespace.RootContext(nil), lreq)
-	if err != ErrInternalError {
-		t.Fatalf("err: %v", err)
-	}
-}
-
-// Renew should return the same lease back
-func TestCore_RenewSameLease(t *testing.T) {
-	coreConfig := &CoreConfig{
-		LogicalBackends: map[string]logical.Factory{
-			"kv": LeasedPassthroughBackendFactory,
-		},
-	}
-	c, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
-
-	// Create a leasable secret
-	req := &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "secret/test",
-		Data: map[string]interface{}{
-			"foo":   "bar",
-			"lease": "1h",
-		},
-		ClientToken: root,
-	}
-	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if resp != nil {
-		t.Fatalf("bad: %#v", resp)
-	}
-
-	// Read the key
-	req.Operation = logical.ReadOperation
-	req.Data = nil
-	err = c.PopulateTokenEntry(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-	resp, err = c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
-		t.Fatalf("bad: %#v", resp.Secret)
-	}
-	original := resp.Secret.LeaseID
-
-	// Renew the lease
-	req = logical.TestRequest(t, logical.UpdateOperation, "sys/renew/"+resp.Secret.LeaseID)
-	req.ClientToken = root
-	resp, err = c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Verify the lease did not change
-	if resp.Secret.LeaseID != original {
-		t.Fatalf("lease id changed: %s %s", original, resp.Secret.LeaseID)
-	}
-
-	// Renew the lease (alternate path)
-	req = logical.TestRequest(t, logical.UpdateOperation, "sys/leases/renew/"+resp.Secret.LeaseID)
-	req.ClientToken = root
-	resp, err = c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Verify the lease did not change
-	if resp.Secret.LeaseID != original {
-		t.Fatalf("lease id changed: %s %s", original, resp.Secret.LeaseID)
-	}
-}
-
-// Renew of a token should not create a new lease
-func TestCore_RenewToken_SingleRegister(t *testing.T) {
-	c, _, root := TestCoreUnsealed(t)
-
-	// Create a new token
-	req := &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "auth/token/create",
-		Data: map[string]interface{}{
-			"lease": "1h",
-		},
-		ClientToken: root,
-	}
-	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	newClient := resp.Auth.ClientToken
-
-	// Renew the token
-	req = logical.TestRequest(t, logical.UpdateOperation, "auth/token/renew")
-	req.ClientToken = newClient
-	req.Data = map[string]interface{}{
-		"token": newClient,
-	}
-	resp, err = c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Revoke using the renew prefix
-	req = logical.TestRequest(t, logical.UpdateOperation, "sys/revoke-prefix/auth/token/renew/")
-	req.ClientToken = root
-	resp, err = c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Verify our token is still valid (e.g. we did not get invalidated by the revoke)
-	req = logical.TestRequest(t, logical.UpdateOperation, "auth/token/lookup")
-	req.Data = map[string]interface{}{
-		"token": newClient,
-	}
-	req.ClientToken = newClient
-	resp, err = c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Verify the token exists
-	if newClient != resp.Data["id"].(string) {
-		t.Fatalf("bad: return IDs: expected %v, got %v",
-			resp.Data["id"], newClient)
-	}
-}
-
-// Based on bug GH-203, attempt to disable a credential backend with leased secrets
-func TestCore_EnableDisableCred_WithLease(t *testing.T) {
-	noopBack := &NoopBackend{
-		Login: []string{"login"},
-		Response: &logical.Response{
-			Auth: &logical.Auth{
-				Policies: []string{"root"},
-			},
-		},
-		BackendType: logical.TypeCredential,
-	}
-
-	coreConfig := &CoreConfig{
-		LogicalBackends: map[string]logical.Factory{
-			"kv": LeasedPassthroughBackendFactory,
-		},
-	}
-	c, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
-	c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
-		return noopBack, nil
-	}
-
-	secretWritingPolicy := `
-name = "admins"
-path "secret/*" {
-	capabilities = ["update", "create", "read"]
-}
-`
-
-	ps := c.policyStore
-	policy, _ := ParseACLPolicy(namespace.RootNamespace, secretWritingPolicy)
-	if err := ps.SetPolicy(namespace.RootContext(nil), policy); err != nil {
-		t.Fatal(err)
-	}
-
-	// Enable the credential backend
-	req := logical.TestRequest(t, logical.UpdateOperation, "sys/auth/foo")
-	req.Data["type"] = "noop"
-	req.ClientToken = root
-	_, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Attempt to login -- should fail because we don't allow root to be returned
-	lreq := &logical.Request{
-		Path: "auth/foo/login",
-	}
-	lresp, err := c.HandleRequest(namespace.RootContext(nil), lreq)
-	if err == nil || lresp == nil || !lresp.IsError() {
-		t.Fatalf("expected error trying to auth and receive root policy")
-	}
-
-	// Fix and try again
-	noopBack.Response.Auth.Policies = []string{"admins"}
-	lreq = &logical.Request{
-		Path: "auth/foo/login",
-	}
-	lresp, err = c.HandleRequest(namespace.RootContext(nil), lreq)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Create a leasable secret
-	req = &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "secret/test",
-		Data: map[string]interface{}{
-			"foo":   "bar",
-			"lease": "1h",
-		},
-		ClientToken: lresp.Auth.ClientToken,
-	}
-	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if resp != nil {
-		t.Fatalf("bad: %#v", resp)
-	}
-
-	// Read the key
-	req.Operation = logical.ReadOperation
-	req.Data = nil
-	err = c.PopulateTokenEntry(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-	resp, err = c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
-		t.Fatalf("bad: %#v", resp.Secret)
-	}
-
-	// Renew the lease
-	req = logical.TestRequest(t, logical.UpdateOperation, "sys/leases/renew")
-	req.Data = map[string]interface{}{
-		"lease_id": resp.Secret.LeaseID,
-	}
-	req.ClientToken = lresp.Auth.ClientToken
-	_, err = c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Disable the credential backend
-	req = logical.TestRequest(t, logical.DeleteOperation, "sys/auth/foo")
-	req.ClientToken = root
-	resp, err = c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v %#v", err, resp)
-	}
-}
-
-func TestCore_HandleRequest_MountPointType(t *testing.T) {
-	noop := &NoopBackend{
-		Response: &logical.Response{},
-	}
-	c, _, root := TestCoreUnsealed(t)
-	c.logicalBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
-		return noop, nil
-	}
-
-	// Enable the logical backend
-	req := logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo")
-	req.Data["type"] = "noop"
-	req.Data["description"] = "foo"
-	req.ClientToken = root
-	_, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Attempt to request
-	req = &logical.Request{
-		Operation:  logical.ReadOperation,
-		Path:       "foo/test",
-		Connection: &logical.Connection{},
-	}
-	req.ClientToken = root
-	if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Verify Path, MountPoint, and MountType
-	if noop.Requests[0].Path != "test" {
-		t.Fatalf("bad: %#v", noop.Requests)
-	}
-	if noop.Requests[0].MountPoint != "foo/" {
-		t.Fatalf("bad: %#v", noop.Requests)
-	}
-	if noop.Requests[0].MountType != "noop" {
-		t.Fatalf("bad: %#v", noop.Requests)
-	}
-}
-
-func TestCore_Standby_Rotate(t *testing.T) {
-	// Create the first core and initialize it
-	logger = logging.NewVaultLogger(log.Trace)
-
-	inm, err := inmem.NewInmemHA(nil, logger)
-	if err != nil {
-		t.Fatal(err)
-	}
-	inmha, err := inmem.NewInmemHA(nil, logger)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	redirectOriginal := "http://127.0.0.1:8200"
-	core, err := NewCore(&CoreConfig{
-		Physical:     inm,
-		HAPhysical:   inmha.(physical.HABackend),
-		RedirectAddr: redirectOriginal,
-		DisableMlock: true,
-	})
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	defer core.Shutdown()
-	keys, root := TestCoreInit(t, core)
-	for _, key := range keys {
-		if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil {
-			t.Fatalf("unseal err: %s", err)
-		}
-	}
-
-	// Wait for core to become active
-	TestWaitActive(t, core)
-
-	// Create a second core, attached to same in-memory store
-	redirectOriginal2 := "http://127.0.0.1:8500"
-	core2, err := NewCore(&CoreConfig{
-		Physical:     inm,
-		HAPhysical:   inmha.(physical.HABackend),
-		RedirectAddr: redirectOriginal2,
-		DisableMlock: true,
-	})
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	defer core2.Shutdown()
-	for _, key := range keys {
-		if _, err := TestCoreUnseal(core2, TestKeyCopy(key)); err != nil {
-			t.Fatalf("unseal err: %s", err)
-		}
-	}
-
-	// Rotate the encryption key
-	req := &logical.Request{
-		Operation:   logical.UpdateOperation,
-		Path:        "sys/rotate",
-		ClientToken: root,
-	}
-	_, err = core.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Seal the first core, should step down
-	err = core.Seal(root)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Wait for core2 to become active
-	TestWaitActive(t, core2)
-
-	// Read the key status
-	req = &logical.Request{
-		Operation:   logical.ReadOperation,
-		Path:        "sys/key-status",
-		ClientToken: root,
-	}
-	resp, err := core2.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Verify the response
-	if resp.Data["term"] != 2 {
-		t.Fatalf("bad: %#v", resp)
-	}
-}
-
-func TestCore_HandleRequest_Headers(t *testing.T) {
-	noop := &NoopBackend{
-		Response: &logical.Response{
-			Data: map[string]interface{}{},
-		},
-	}
-
-	c, _, root := TestCoreUnsealed(t)
-	c.logicalBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
-		return noop, nil
-	}
-
-	// Enable the backend
-	req := logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo")
-	req.Data["type"] = "noop"
-	req.ClientToken = root
-	_, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Mount tune
-	req = logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo/tune")
-	req.Data["passthrough_request_headers"] = []string{"Should-Passthrough", "should-passthrough-case-insensitive"}
-	req.ClientToken = root
-	_, err = c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Attempt to read
-	lreq := &logical.Request{
-		Operation:   logical.ReadOperation,
-		Path:        "foo/test",
-		ClientToken: root,
-		Headers: map[string][]string{
-			"Should-Passthrough":                  {"foo"},
-			"Should-Passthrough-Case-Insensitive": {"baz"},
-			"Should-Not-Passthrough":              {"bar"},
-			consts.AuthHeaderName:                 {"nope"},
-		},
-	}
-	_, err = c.HandleRequest(namespace.RootContext(nil), lreq)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Check the headers
-	headers := noop.Requests[0].Headers
-
-	// Test passthrough values
-	if val, ok := headers["Should-Passthrough"]; ok {
-		expected := []string{"foo"}
-		if !reflect.DeepEqual(val, expected) {
-			t.Fatalf("expected: %v, got: %v", expected, val)
-		}
-	} else {
-		t.Fatalf("expected 'Should-Passthrough' to be present in the headers map")
-	}
-
-	if val, ok := headers["Should-Passthrough-Case-Insensitive"]; ok {
-		expected := []string{"baz"}
-		if !reflect.DeepEqual(val, expected) {
-			t.Fatalf("expected: %v, got: %v", expected, val)
-		}
-	} else {
-		t.Fatal("expected 'Should-Passthrough-Case-Insensitive' to be present in the headers map")
-	}
-
-	if _, ok := headers["Should-Not-Passthrough"]; ok {
-		t.Fatal("did not expect 'Should-Not-Passthrough' to be in the headers map")
-	}
-
-	if _, ok := headers[consts.AuthHeaderName]; ok {
-		t.Fatalf("did not expect %q to be in the headers map", consts.AuthHeaderName)
-	}
-}
-
-func TestCore_HandleRequest_Headers_denyList(t *testing.T) {
-	noop := &NoopBackend{
-		Response: &logical.Response{
-			Data: map[string]interface{}{},
-		},
-	}
-
-	c, _, root := TestCoreUnsealed(t)
-	c.logicalBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
-		return noop, nil
-	}
-
-	// Enable the backend
-	req := logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo")
-	req.Data["type"] = "noop"
-	req.ClientToken = root
-	_, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Mount tune
-	req = logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo/tune")
-	req.Data["passthrough_request_headers"] = []string{"Authorization", consts.AuthHeaderName}
-	req.ClientToken = root
-	_, err = c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Attempt to read
-	lreq := &logical.Request{
-		Operation:   logical.ReadOperation,
-		Path:        "foo/test",
-		ClientToken: root,
-		Headers: map[string][]string{
-			consts.AuthHeaderName: {"foo"},
-		},
-	}
-	_, err = c.HandleRequest(namespace.RootContext(nil), lreq)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Check the headers
-	headers := noop.Requests[0].Headers
-
-	// Test passthrough values, they should not be present in the backend
-	if _, ok := headers[consts.AuthHeaderName]; ok {
-		t.Fatalf("did not expect %q to be in the headers map", consts.AuthHeaderName)
-	}
-}
-
-func TestCore_HandleRequest_TokenCreate_RegisterAuthFailure(t *testing.T) {
-	core, _, root := TestCoreUnsealed(t)
-
-	// Create a root token and use that for subsequent requests
-	req := logical.TestRequest(t, logical.CreateOperation, "auth/token/create")
-	req.Data = map[string]interface{}{
-		"policies": []string{"root"},
-	}
-	req.ClientToken = root
-	resp, err := core.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp == nil || resp.Auth == nil || resp.Auth.ClientToken == "" {
-		t.Fatalf("expected a response from token creation, got: %#v", resp)
-	}
-	tokenWithRootPolicy := resp.Auth.ClientToken
-
-	// Use new token to create yet a new token, this should succeed
-	req = logical.TestRequest(t, logical.CreateOperation, "auth/token/create")
-	req.ClientToken = tokenWithRootPolicy
-	_, err = core.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Try again but force failure on RegisterAuth to simulate a network failure
-	// when registering the lease (e.g. a storage failure). This should trigger
-	// an expiration manager cleanup on the newly created token
-	core.expiration.testRegisterAuthFailure.Store(true)
-	req = logical.TestRequest(t, logical.CreateOperation, "auth/token/create")
-	req.ClientToken = tokenWithRootPolicy
-	resp, err = core.HandleRequest(namespace.RootContext(nil), req)
-	if err == nil {
-		t.Fatalf("expected error, got a response: %#v", resp)
-	}
-	core.expiration.testRegisterAuthFailure.Store(false)
-
-	// Do a lookup against the client token that we used for the failed request.
-	// It should still be present
-	req = logical.TestRequest(t, logical.UpdateOperation, "auth/token/lookup")
-	req.Data = map[string]interface{}{
-		"token": tokenWithRootPolicy,
-	}
-	req.ClientToken = root
-	_, err = core.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Do a token creation request with the token to ensure that it's still
-	// valid, should succeed.
-	req = logical.TestRequest(t, logical.CreateOperation, "auth/token/create")
-	req.ClientToken = tokenWithRootPolicy
-	resp, err = core.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatal(err)
-	}
-}
-
-// mockServiceRegistration helps test whether standalone ServiceRegistration works
-type mockServiceRegistration struct {
-	notifyActiveCount int
-	notifySealedCount int
-	notifyPerfCount   int
-	notifyInitCount   int
-	runDiscoveryCount int
-}
-
-func (m *mockServiceRegistration) Run(shutdownCh <-chan struct{}, wait *sync.WaitGroup, redirectAddr string) error {
-	m.runDiscoveryCount++
-	return nil
-}
-
-func (m *mockServiceRegistration) NotifyActiveStateChange(isActive bool) error {
-	m.notifyActiveCount++
-	return nil
-}
-
-func (m *mockServiceRegistration) NotifySealedStateChange(isSealed bool) error {
-	m.notifySealedCount++
-	return nil
-}
-
-func (m *mockServiceRegistration) NotifyPerformanceStandbyStateChange(isStandby bool) error {
-	m.notifyPerfCount++
-	return nil
-}
-
-func (m *mockServiceRegistration) NotifyInitializedStateChange(isInitialized bool) error {
-	m.notifyInitCount++
-	return nil
-}
-
-// TestCore_ServiceRegistration tests whether standalone ServiceRegistration works
-func TestCore_ServiceRegistration(t *testing.T) {
-	// Make a mock service discovery
-	sr := &mockServiceRegistration{}
-
-	// Create the core
-	logger = logging.NewVaultLogger(log.Trace)
-	inm, err := inmem.NewInmemHA(nil, logger)
-	if err != nil {
-		t.Fatal(err)
-	}
-	inmha, err := inmem.NewInmemHA(nil, logger)
-	if err != nil {
-		t.Fatal(err)
-	}
-	const redirectAddr = "http://127.0.0.1:8200"
-	core, err := NewCore(&CoreConfig{
-		ServiceRegistration: sr,
-		Physical:            inm,
-		HAPhysical:          inmha.(physical.HABackend),
-		RedirectAddr:        redirectAddr,
-		DisableMlock:        true,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer core.Shutdown()
-
-	// Vault should not yet be registered
-	if diff := deep.Equal(sr, &mockServiceRegistration{}); diff != nil {
-		t.Fatal(diff)
-	}
-
-	// Vault should be registered
-	if diff := deep.Equal(sr, &mockServiceRegistration{
-		runDiscoveryCount: 1,
-	}); diff != nil {
-		t.Fatal(diff)
-	}
-
-	// Initialize and unseal the core
-	keys, _ := TestCoreInit(t, core)
-	for _, key := range keys {
-		if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil {
-			t.Fatalf("unseal err: %s", err)
-		}
-	}
-	if core.Sealed() {
-		t.Fatal("should not be sealed")
-	}
-
-	// Wait for core to become active
-	TestWaitActive(t, core)
-
-	// Vault should be registered, unsealed, and active
-	if diff := deep.Equal(sr, &mockServiceRegistration{
-		runDiscoveryCount: 1,
-		notifyActiveCount: 1,
-		notifySealedCount: 1,
-		notifyInitCount:   1,
-	}); diff != nil {
-		t.Fatal(diff)
-	}
-}
-
-func TestDetectedDeadlock(t *testing.T) {
-	testCore, _, _ := TestCoreUnsealedWithConfig(t, &CoreConfig{DetectDeadlocks: "statelock"})
-	InduceDeadlock(t, testCore, 1)
-}
-
-func TestDefaultDeadlock(t *testing.T) {
-	testCore, _, _ := TestCoreUnsealed(t)
-	InduceDeadlock(t, testCore, 0)
-}
-
-func RestoreDeadlockOpts() func() {
-	opts := deadlock.Opts
-	return func() {
-		deadlock.Opts = opts
-	}
-}
-
-func InduceDeadlock(t *testing.T, vaultcore *Core, expected uint32) {
-	defer RestoreDeadlockOpts()()
-	var deadlocks uint32
-	deadlock.Opts.OnPotentialDeadlock = func() {
-		atomic.AddUint32(&deadlocks, 1)
-	}
-	var mtx deadlock.Mutex
-	var wg sync.WaitGroup
-	wg.Add(1)
-	go func() {
-		defer wg.Done()
-		vaultcore.expiration.coreStateLock.Lock()
-		mtx.Lock()
-		mtx.Unlock()
-		vaultcore.expiration.coreStateLock.Unlock()
-	}()
-	wg.Wait()
-	wg.Add(1)
-	go func() {
-		defer wg.Done()
-		mtx.Lock()
-		vaultcore.expiration.coreStateLock.RLock()
-		vaultcore.expiration.coreStateLock.RUnlock()
-		mtx.Unlock()
-	}()
-	wg.Wait()
-	if atomic.LoadUint32(&deadlocks) != expected {
-		t.Fatalf("expected 1 deadlock, detected %d", deadlocks)
-	}
-}
-
-func TestExpiration_DeadlockDetection(t *testing.T) {
-	testCore := TestCore(t)
-	testCoreUnsealed(t, testCore)
-
-	if testCore.expiration.DetectDeadlocks() {
-		t.Fatal("expiration has deadlock detection enabled, it shouldn't")
-	}
-
-	testCore = TestCoreWithDeadlockDetection(t, nil, false)
-	testCoreUnsealed(t, testCore)
-
-	if !testCore.expiration.DetectDeadlocks() {
-		t.Fatal("expiration doesn't have deadlock detection enabled, it should")
-	}
-}
-
-func TestQuotas_DeadlockDetection(t *testing.T) {
-	testCore := TestCore(t)
-	testCoreUnsealed(t, testCore)
-
-	if testCore.quotaManager.DetectDeadlocks() {
-		t.Fatal("quotas has deadlock detection enabled, it shouldn't")
-	}
-
-	testCore = TestCoreWithDeadlockDetection(t, nil, false)
-	testCoreUnsealed(t, testCore)
-
-	if !testCore.quotaManager.DetectDeadlocks() {
-		t.Fatal("quotas doesn't have deadlock detection enabled, it should")
-	}
-}
-
-func TestStatelock_DeadlockDetection(t *testing.T) {
-	testCore := TestCore(t)
-	testCoreUnsealed(t, testCore)
-
-	if testCore.DetectStateLockDeadlocks() {
-		t.Fatal("statelock has deadlock detection enabled, it shouldn't")
-	}
-
-	testCore = TestCoreWithDeadlockDetection(t, nil, false)
-	testCoreUnsealed(t, testCore)
-
-	if !testCore.DetectStateLockDeadlocks() {
-		t.Fatal("statelock doesn't have deadlock detection enabled, it should")
+		return "", err
 	}
+	return string(tokenBytes), nil
 }
diff --git a/vault/eventbus/bus.go b/vault/eventbus/bus.go
index 0185e9fbadf4..8509f23eb088 100644
--- a/vault/eventbus/bus.go
+++ b/vault/eventbus/bus.go
@@ -1,374 +1,17 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package eventbus
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net/url"
-	"path"
-	"strings"
-	"sync"
-	"sync/atomic"
-	"time"
-
-	"github.com/armon/go-metrics"
-	"github.com/hashicorp/eventlogger"
-	"github.com/hashicorp/eventlogger/formatter_filters/cloudevents"
-	"github.com/hashicorp/go-bexpr"
-	"github.com/hashicorp/go-hclog"
-	"github.com/hashicorp/go-uuid"
-	"github.com/hashicorp/vault/helper/namespace"
-	"github.com/hashicorp/vault/sdk/logical"
-	"github.com/ryanuber/go-glob"
-	"google.golang.org/protobuf/types/known/structpb"
-)
-
-const (
-	// eventTypeAll is purely internal to the event bus. We use it to send all
-	// events down one big firehose, and pipelines define their own filtering
-	// based on what each subscriber is interested in.
-	eventTypeAll   = "*"
-	defaultTimeout = 60 * time.Second
-)
-
-var (
-	ErrNotStarted              = errors.New("event broker has not been started")
-	cloudEventsFormatterFilter *cloudevents.FormatterFilter
-	subscriptions              atomic.Int64 // keeps track of event subscription count in all event buses
-
-	// these metadata fields will have the plugin mount path prepended to them
-	metadataPrependPathFields = []string{
-		"path",
-		logical.EventMetadataDataPath,
-	}
-)
-
-// EventBus contains the main logic of running an event broker for Vault.
-// Start() must be called before the EventBus will accept events for sending.
-type EventBus struct {
-	logger          hclog.Logger
-	broker          *eventlogger.Broker
-	started         atomic.Bool
-	formatterNodeID eventlogger.NodeID
-	timeout         time.Duration
-}
-
-type pluginEventBus struct {
-	bus        *EventBus
-	namespace  *namespace.Namespace
-	pluginInfo *logical.EventPluginInfo
-}
-
-type asyncChanNode struct {
-	// TODO: add bounded deque buffer of *EventReceived
-	ctx    context.Context
-	ch     chan *eventlogger.Event
-	logger hclog.Logger
-
-	// used to close the connection
-	closeOnce      sync.Once
-	cancelFunc     context.CancelFunc
-	pipelineID     eventlogger.PipelineID
-	removePipeline func(ctx context.Context, t eventlogger.EventType, id eventlogger.PipelineID) (bool, error)
-}
-
-var (
-	_ eventlogger.Node    = (*asyncChanNode)(nil)
-	_ logical.EventSender = (*pluginEventBus)(nil)
-)
-
-// Start starts the event bus, allowing events to be written.
-// It is not possible to stop or restart the event bus.
-// It is safe to call Start() multiple times.
-func (bus *EventBus) Start() {
-	wasStarted := bus.started.Swap(true)
-	if !wasStarted {
-		bus.logger.Info("Starting event system")
-	}
-}
-
-// patchMountPath patches the event data's metadata "secret_path" field, if present, to include the mount path prepended.
-func patchMountPath(data *logical.EventData, pluginInfo *logical.EventPluginInfo) *logical.EventData {
-	if pluginInfo == nil || pluginInfo.MountPath == "" || data.Metadata == nil {
-		return data
-	}
-
-	for _, field := range metadataPrependPathFields {
-		if data.Metadata.Fields[field] != nil {
-			newPath := path.Join(pluginInfo.MountPath, data.Metadata.Fields[field].GetStringValue())
-			if pluginInfo.MountClass == "auth" {
-				newPath = path.Join("auth", newPath)
-			}
-			data.Metadata.Fields[field] = structpb.NewStringValue(newPath)
-		}
-	}
-
-	return data
-}
-
-// SendEventInternal sends an event to the event bus and routes it to all relevant subscribers.
-// This function does *not* wait for all subscribers to acknowledge before returning.
-// This function is meant to be used by trusted internal code, so it can specify details like the namespace
-// and plugin info. Events from plugins should be routed through WithPlugin(), which will populate
-// the namespace and plugin info automatically.
-// The context passed in is currently ignored to ensure that the event is sent if the context is short-lived,
-// such as with an HTTP request context.
-func (bus *EventBus) SendEventInternal(_ context.Context, ns *namespace.Namespace, pluginInfo *logical.EventPluginInfo, eventType logical.EventType, data *logical.EventData) error {
-	if ns == nil {
-		return namespace.ErrNoNamespace
-	}
-	if !bus.started.Load() {
-		return ErrNotStarted
-	}
-	eventReceived := &logical.EventReceived{
-		Event:      patchMountPath(data, pluginInfo),
-		Namespace:  ns.Path,
-		EventType:  string(eventType),
-		PluginInfo: pluginInfo,
-	}
-
-	// We can't easily know when the SendEvent is complete, so we can't call the cancel function.
-	// But, it is called automatically after bus.timeout, so there won't be any leak as long as bus.timeout is not too long.
-	ctx, _ := context.WithTimeout(context.Background(), bus.timeout)
-	_, err := bus.broker.Send(ctx, eventTypeAll, eventReceived)
-	if err != nil {
-		// if no listeners for this event type are registered, that's okay, the event
-		// will just not be sent anywhere
-		if strings.Contains(strings.ToLower(err.Error()), "no graph for eventtype") {
-			return nil
-		}
-	}
-	return err
-}
-
-func (bus *EventBus) WithPlugin(ns *namespace.Namespace, eventPluginInfo *logical.EventPluginInfo) (*pluginEventBus, error) {
-	if ns == nil {
-		return nil, namespace.ErrNoNamespace
-	}
-	return &pluginEventBus{
-		bus:        bus,
-		namespace:  ns,
-		pluginInfo: eventPluginInfo,
-	}, nil
-}
-
-// SendEvent sends an event to the event bus and routes it to all relevant subscribers.
-// This function does *not* wait for all subscribers to acknowledge before returning.
-// The context passed in is currently ignored.
-func (bus *pluginEventBus) SendEvent(ctx context.Context, eventType logical.EventType, data *logical.EventData) error {
-	return bus.bus.SendEventInternal(ctx, bus.namespace, bus.pluginInfo, eventType, data)
-}
-
-func init() {
-	// TODO: maybe this should relate to the Vault core somehow?
-	sourceUrl, err := url.Parse("https://vaultproject.io/")
-	if err != nil {
-		panic(err)
-	}
-	cloudEventsFormatterFilter = &cloudevents.FormatterFilter{
-		Source: sourceUrl,
-		Predicate: func(_ context.Context, e interface{}) (bool, error) {
-			return true, nil
-		},
-	}
-}
-
-func NewEventBus(logger hclog.Logger) (*EventBus, error) {
-	broker, err := eventlogger.NewBroker()
-	if err != nil {
-		return nil, err
-	}
-
-	formatterID, err := uuid.GenerateUUID()
-	if err != nil {
-		return nil, err
-	}
-	formatterNodeID := eventlogger.NodeID(formatterID)
-
-	if logger == nil {
-		logger = hclog.Default().Named("events")
-	}
-
-	return &EventBus{
-		logger:          logger,
-		broker:          broker,
-		formatterNodeID: formatterNodeID,
-		timeout:         defaultTimeout,
-	}, nil
-}
-
-// Subscribe subscribes to events in the given namespace matching the event type pattern and after
-// applying the optional go-bexpr filter.
-func (bus *EventBus) Subscribe(ctx context.Context, ns *namespace.Namespace, pattern string, bexprFilter string) (<-chan *eventlogger.Event, context.CancelFunc, error) {
-	return bus.SubscribeMultipleNamespaces(ctx, []string{strings.Trim(ns.Path, "/")}, pattern, bexprFilter)
-}
-
-// SubscribeMultipleNamespaces subscribes to events in the given namespace matching the event type
-// pattern and after applying the optional go-bexpr filter.
-func (bus *EventBus) SubscribeMultipleNamespaces(ctx context.Context, namespacePathPatterns []string, pattern string, bexprFilter string) (<-chan *eventlogger.Event, context.CancelFunc, error) {
-	// subscriptions are still stored even if the bus has not been started
-	pipelineID, err := uuid.GenerateUUID()
-	if err != nil {
-		return nil, nil, err
-	}
-
-	err = bus.broker.RegisterNode(bus.formatterNodeID, cloudEventsFormatterFilter)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	filterNodeID, err := uuid.GenerateUUID()
-	if err != nil {
-		return nil, nil, err
-	}
-
-	filterNode, err := newFilterNode(namespacePathPatterns, pattern, bexprFilter)
-	if err != nil {
-		return nil, nil, err
-	}
-	err = bus.broker.RegisterNode(eventlogger.NodeID(filterNodeID), filterNode)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	sinkNodeID, err := uuid.GenerateUUID()
-	if err != nil {
-		return nil, nil, err
-	}
-
-	ctx, cancel := context.WithCancel(ctx)
-	asyncNode := newAsyncNode(ctx, bus.logger, bus.broker)
-	err = bus.broker.RegisterNode(eventlogger.NodeID(sinkNodeID), asyncNode)
-	if err != nil {
-		defer cancel()
-		return nil, nil, err
-	}
-
-	nodes := []eventlogger.NodeID{eventlogger.NodeID(filterNodeID), bus.formatterNodeID, eventlogger.NodeID(sinkNodeID)}
-
-	pipeline := eventlogger.Pipeline{
-		PipelineID: eventlogger.PipelineID(pipelineID),
-		EventType:  eventTypeAll,
-		NodeIDs:    nodes,
-	}
-	err = bus.broker.RegisterPipeline(pipeline)
-	if err != nil {
-		defer cancel()
-		return nil, nil, err
-	}
-
-	addSubscriptions(1)
-	// add info needed to cancel the subscription
-	asyncNode.pipelineID = eventlogger.PipelineID(pipelineID)
-	asyncNode.cancelFunc = cancel
-	// Capture context in a closure for the cancel func
-	return asyncNode.ch, func() { asyncNode.Close(ctx) }, nil
-}
-
-// SetSendTimeout sets the timeout of sending events. If the events are not accepted by the
-// underlying channel before this timeout, then the channel closed.
-func (bus *EventBus) SetSendTimeout(timeout time.Duration) {
-	bus.timeout = timeout
-}
-
-func newFilterNode(namespacePatterns []string, pattern string, bexprFilter string) (*eventlogger.Filter, error) {
-	var evaluator *bexpr.Evaluator
-	if bexprFilter != "" {
-		var err error
-		evaluator, err = bexpr.CreateEvaluator(bexprFilter)
-		if err != nil {
-			return nil, err
-		}
-	}
-	return &eventlogger.Filter{
-		Predicate: func(e *eventlogger.Event) (bool, error) {
-			eventRecv := e.Payload.(*logical.EventReceived)
-			eventNs := strings.Trim(eventRecv.Namespace, "/")
-			// Drop if event is not in namespace patterns namespace.
-			if len(namespacePatterns) > 0 {
-				allow := false
-				for _, nsPattern := range namespacePatterns {
-					if glob.Glob(nsPattern, eventNs) {
-						allow = true
-						break
-					}
-				}
-				if !allow {
-					return false, nil
-				}
-			}
-
-			// Filter for correct event type, including wildcards.
-			if !glob.Glob(pattern, eventRecv.EventType) {
-				return false, nil
-			}
-
-			// apply go-bexpr filter
-			if evaluator != nil {
-				return evaluator.Evaluate(eventRecv.BexprDatum())
-			}
-			return true, nil
-		},
-	}, nil
-}
-
-func newAsyncNode(ctx context.Context, logger hclog.Logger, broker *eventlogger.Broker) *asyncChanNode {
-	return &asyncChanNode{
-		ctx:            ctx,
-		ch:             make(chan *eventlogger.Event),
-		logger:         logger,
-		removePipeline: broker.RemovePipelineAndNodes,
-	}
-}
-
-// Close tells the bus to stop sending us events.
-func (node *asyncChanNode) Close(ctx context.Context) {
-	node.closeOnce.Do(func() {
-		defer node.cancelFunc()
-		removed, err := node.removePipeline(ctx, eventTypeAll, node.pipelineID)
-
-		switch {
-		case err != nil && removed:
-			msg := fmt.Sprintf("Error removing nodes referenced by pipeline %q", node.pipelineID)
-			node.logger.Warn(msg, err)
-		case err != nil:
-			msg := fmt.Sprintf("Error removing pipeline %q", node.pipelineID)
-			node.logger.Warn(msg, err)
-		}
-		addSubscriptions(-1)
-	})
-}
-
-func (node *asyncChanNode) Process(ctx context.Context, e *eventlogger.Event) (*eventlogger.Event, error) {
-	// sends to the channel async in another goroutine
-	go func() {
-		var timeout bool
-		select {
-		case node.ch <- e:
-		case <-ctx.Done():
-			timeout = errors.Is(ctx.Err(), context.DeadlineExceeded)
-		case <-node.ctx.Done():
-			timeout = errors.Is(node.ctx.Err(), context.DeadlineExceeded)
-		}
-		if timeout {
-			node.logger.Info("Subscriber took too long to process event, closing", "ID", e.Payload.(*logical.EventReceived).Event.Id)
-			node.Close(ctx)
-		}
-	}()
-	return e, nil
-}
-
-func (node *asyncChanNode) Reopen() error {
-	return nil
-}
-
-func (node *asyncChanNode) Type() eventlogger.NodeType {
-	return eventlogger.NodeTypeSink
-}
-
-func addSubscriptions(delta int64) {
-	metrics.SetGauge([]string{"events", "subscriptions"}, float32(subscriptions.Add(delta)))
-}
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<PageHeader as |p|>
+  <p.levelLeft>
+    <h1 class="title is-3" data-test-dashboard-card-header="Vault version">
+      Vault
+      {{@version.versionDisplay}}
+      {{#if @version.isEnterprise}}
+        <Hds::Badge @text={{this.namespace.currentNamespace}} @icon="org" data-test-badge-namespace />
+      {{/if}}
+    </h1>
+  </p.levelLeft>
+</PageHeader>
+<hr class="has-top-margin-xxs has-bottom-margin-l has-background-gray-200" />
\ No newline at end of file
diff --git a/vault/eventbus/bus_test.go b/vault/eventbus/bus_test.go
index d6e5c9c9cbaf..5c5cd075569d 100644
--- a/vault/eventbus/bus_test.go
+++ b/vault/eventbus/bus_test.go
@@ -1,696 +1,21 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package eventbus
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"sync/atomic"
-	"testing"
-	"time"
-
-	"github.com/hashicorp/eventlogger"
-	"github.com/hashicorp/go-secure-stdlib/strutil"
-	"github.com/hashicorp/go-uuid"
-	"github.com/hashicorp/vault/helper/namespace"
-	"github.com/hashicorp/vault/sdk/logical"
-	"github.com/stretchr/testify/assert"
-	"google.golang.org/protobuf/types/known/structpb"
-)
-
-// TestBusBasics tests that basic event sending and subscribing function.
-func TestBusBasics(t *testing.T) {
-	bus, err := NewEventBus(nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	ctx := context.Background()
-
-	eventType := logical.EventType("someType")
-
-	event, err := logical.NewEvent()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = bus.SendEventInternal(ctx, namespace.RootNamespace, nil, eventType, event)
-	if !errors.Is(err, ErrNotStarted) {
-		t.Errorf("Expected not started error but got: %v", err)
-	}
-
-	bus.Start()
-
-	err = bus.SendEventInternal(ctx, namespace.RootNamespace, nil, eventType, event)
-	if err != nil {
-		t.Errorf("Expected no error sending: %v", err)
-	}
-
-	ch, cancel, err := bus.Subscribe(ctx, namespace.RootNamespace, string(eventType), "")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer cancel()
-
-	event, err = logical.NewEvent()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = bus.SendEventInternal(ctx, namespace.RootNamespace, nil, eventType, event)
-	if err != nil {
-		t.Error(err)
-	}
-
-	timeout := time.After(1 * time.Second)
-	select {
-	case message := <-ch:
-		if message.Payload.(*logical.EventReceived).Event.Id != event.Id {
-			t.Errorf("Got unexpected message: %+v", message)
-		}
-	case <-timeout:
-		t.Error("Timeout waiting for message")
-	}
-}
-
-// TestBusIgnoresSendContext tests that the context is ignored when sending to an event,
-// so that we do not give up too quickly.
-func TestBusIgnoresSendContext(t *testing.T) {
-	bus, err := NewEventBus(nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	eventType := logical.EventType("someType")
-
-	event, err := logical.NewEvent()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	bus.Start()
-
-	ch, subCancel, err := bus.Subscribe(context.Background(), namespace.RootNamespace, string(eventType), "")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer subCancel()
-
-	ctx, cancel := context.WithCancel(context.Background())
-	cancel() // cancel immediately
-
-	err = bus.SendEventInternal(ctx, namespace.RootNamespace, nil, eventType, event)
-	if err != nil {
-		t.Errorf("Expected no error sending: %v", err)
-	}
-
-	timeout := time.After(1 * time.Second)
-	select {
-	case message := <-ch:
-		if message.Payload.(*logical.EventReceived).Event.Id != event.Id {
-			t.Errorf("Got unexpected message: %+v", message)
-		}
-	case <-timeout:
-		t.Error("Timeout waiting for message")
-	}
-}
-
-// TestSubscribeNonRootNamespace verifies that events for non-root namespaces
-// aren't filtered out by the bus.
-func TestSubscribeNonRootNamespace(t *testing.T) {
-	bus, err := NewEventBus(nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	bus.Start()
-	ctx := context.Background()
-
-	eventType := logical.EventType("someType")
-
-	ns := &namespace.Namespace{
-		ID:   "abc",
-		Path: "abc/",
-	}
-
-	ch, cancel, err := bus.Subscribe(ctx, ns, string(eventType), "")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer cancel()
-
-	event, err := logical.NewEvent()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = bus.SendEventInternal(ctx, ns, nil, eventType, event)
-	if err != nil {
-		t.Error(err)
-	}
-
-	timeout := time.After(1 * time.Second)
-	select {
-	case message := <-ch:
-		if message.Payload.(*logical.EventReceived).Event.Id != event.Id {
-			t.Errorf("Got unexpected message: %+v", message)
-		}
-	case <-timeout:
-		t.Error("Timeout waiting for message")
-	}
-}
-
-// TestNamespaceFiltering verifies that events for other namespaces are filtered out by the bus.
-func TestNamespaceFiltering(t *testing.T) {
-	bus, err := NewEventBus(nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	bus.Start()
-	ctx := context.Background()
-
-	eventType := logical.EventType("someType")
-
-	event, err := logical.NewEvent()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	ch, cancel, err := bus.Subscribe(ctx, namespace.RootNamespace, string(eventType), "")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer cancel()
-
-	event, err = logical.NewEvent()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = bus.SendEventInternal(ctx, &namespace.Namespace{
-		ID:   "abc",
-		Path: "/abc",
-	}, nil, eventType, event)
-	if err != nil {
-		t.Error(err)
-	}
-
-	timeout := time.After(100 * time.Millisecond)
-	select {
-	case <-ch:
-		t.Errorf("Got abc namespace message when root namespace was specified")
-	case <-timeout:
-		// okay
-	}
-
-	err = bus.SendEventInternal(ctx, namespace.RootNamespace, nil, eventType, event)
-	if err != nil {
-		t.Error(err)
-	}
-
-	timeout = time.After(1 * time.Second)
-	select {
-	case message := <-ch:
-		if message.Payload.(*logical.EventReceived).Event.Id != event.Id {
-			t.Errorf("Got unexpected message %+v but was waiting for %+v", message, event)
-		}
-
-	case <-timeout:
-		t.Error("Timed out waiting for message")
-	}
-}
-
-// TestBus2Subscriptions verifies that events of different types are successfully routed to the correct subscribers.
-func TestBus2Subscriptions(t *testing.T) {
-	bus, err := NewEventBus(nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	ctx := context.Background()
-
-	eventType1 := logical.EventType("someType1")
-	eventType2 := logical.EventType("someType2")
-	bus.Start()
-
-	ch1, cancel1, err := bus.Subscribe(ctx, namespace.RootNamespace, string(eventType1), "")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer cancel1()
-
-	ch2, cancel2, err := bus.Subscribe(ctx, namespace.RootNamespace, string(eventType2), "")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer cancel2()
-
-	event1, err := logical.NewEvent()
-	if err != nil {
-		t.Fatal(err)
-	}
-	event2, err := logical.NewEvent()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = bus.SendEventInternal(ctx, namespace.RootNamespace, nil, eventType2, event2)
-	if err != nil {
-		t.Error(err)
-	}
-	err = bus.SendEventInternal(ctx, namespace.RootNamespace, nil, eventType1, event1)
-	if err != nil {
-		t.Error(err)
-	}
-
-	timeout := time.After(1 * time.Second)
-	select {
-	case message := <-ch1:
-		if message.Payload.(*logical.EventReceived).Event.Id != event1.Id {
-			t.Errorf("Got unexpected message: %v", message)
-		}
-	case <-timeout:
-		t.Error("Timeout waiting for event1")
-	}
-	select {
-	case message := <-ch2:
-		if message.Payload.(*logical.EventReceived).Event.Id != event2.Id {
-			t.Errorf("Got unexpected message: %v", message)
-		}
-	case <-timeout:
-		t.Error("Timeout waiting for event2")
-	}
-}
-
-// TestBusSubscriptionsCancel verifies that canceled subscriptions are cleaned up.
-func TestBusSubscriptionsCancel(t *testing.T) {
-	testCases := []struct {
-		cancel bool
-	}{
-		{cancel: true},
-		{cancel: false},
-	}
-
-	for _, tc := range testCases {
-		t.Run(fmt.Sprintf("cancel=%v", tc.cancel), func(t *testing.T) {
-			subscriptions.Store(0)
-			bus, err := NewEventBus(nil)
-			if err != nil {
-				t.Fatal(err)
-			}
-			ctx := context.Background()
-			if !tc.cancel {
-				// set the timeout very short to make the test faster if we aren't canceling explicitly
-				bus.SetSendTimeout(100 * time.Millisecond)
-			}
-			bus.Start()
-
-			// create and stop a bunch of subscriptions
-			const create = 100
-			const stop = 50
-
-			eventType := logical.EventType("someType")
-
-			var channels []<-chan *eventlogger.Event
-			var cancels []context.CancelFunc
-			stopped := atomic.Int32{}
-
-			received := atomic.Int32{}
-
-			for i := 0; i < create; i++ {
-				ch, cancelFunc, err := bus.Subscribe(ctx, namespace.RootNamespace, string(eventType), "")
-				if err != nil {
-					t.Fatal(err)
-				}
-				t.Cleanup(cancelFunc)
-				channels = append(channels, ch)
-				cancels = append(cancels, cancelFunc)
-
-				go func(i int32) {
-					<-ch // always receive one message
-					received.Add(1)
-					// continue receiving messages as long as are not stopped
-					for i < int32(stop) {
-						<-ch
-						received.Add(1)
-					}
-					if tc.cancel {
-						cancelFunc() // stop explicitly to unsubscribe
-					}
-					stopped.Add(1)
-				}(int32(i))
-			}
-
-			// check that all channels receive a message
-			event, err := logical.NewEvent()
-			if err != nil {
-				t.Fatal(err)
-			}
-			err = bus.SendEventInternal(ctx, namespace.RootNamespace, nil, eventType, event)
-			if err != nil {
-				t.Error(err)
-			}
-			waitFor(t, 1*time.Second, func() bool { return received.Load() == int32(create) })
-			waitFor(t, 1*time.Second, func() bool { return stopped.Load() == int32(stop) })
-
-			// send another message, but half should stop receiving
-			event, err = logical.NewEvent()
-			if err != nil {
-				t.Fatal(err)
-			}
-			err = bus.SendEventInternal(ctx, namespace.RootNamespace, nil, eventType, event)
-			if err != nil {
-				t.Error(err)
-			}
-			waitFor(t, 1*time.Second, func() bool { return received.Load() == int32(create*2-stop) })
-			// the sends should time out and the subscriptions should drop when cancelFunc is called or the context cancels
-			waitFor(t, 1*time.Second, func() bool { return subscriptions.Load() == int64(create-stop) })
-		})
-	}
-}
-
-// waitFor waits for a condition to be true, up to the maximum timeout.
-// It waits with a capped exponential backoff starting at 1ms.
-// It is guaranteed to try f() at least once.
-func waitFor(t *testing.T, maxWait time.Duration, f func() bool) {
-	t.Helper()
-	start := time.Now()
-
-	if f() {
-		return
-	}
-	sleepAmount := 1 * time.Millisecond
-	for time.Now().Sub(start) <= maxWait {
-		left := time.Now().Sub(start)
-		sleepAmount = sleepAmount * 2
-		if sleepAmount > left {
-			sleepAmount = left
-		}
-		time.Sleep(sleepAmount)
-		if f() {
-			return
-		}
-	}
-	t.Error("Timeout waiting for condition")
-}
-
-// TestBusWildcardSubscriptions tests that a single subscription can receive
-// multiple event types using * for glob patterns.
-func TestBusWildcardSubscriptions(t *testing.T) {
-	bus, err := NewEventBus(nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	ctx := context.Background()
-
-	fooEventType := logical.EventType("kv/foo")
-	barEventType := logical.EventType("kv/bar")
-	bus.Start()
-
-	ch1, cancel1, err := bus.Subscribe(ctx, namespace.RootNamespace, "kv/*", "")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer cancel1()
-
-	ch2, cancel2, err := bus.Subscribe(ctx, namespace.RootNamespace, "*/bar", "")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer cancel2()
-
-	event1, err := logical.NewEvent()
-	if err != nil {
-		t.Fatal(err)
-	}
-	event2, err := logical.NewEvent()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = bus.SendEventInternal(ctx, namespace.RootNamespace, nil, barEventType, event2)
-	if err != nil {
-		t.Error(err)
-	}
-	err = bus.SendEventInternal(ctx, namespace.RootNamespace, nil, fooEventType, event1)
-	if err != nil {
-		t.Error(err)
-	}
-
-	timeout := time.After(1 * time.Second)
-	// Expect to receive both events on ch1, which subscribed to kv/*
-	var ch1Seen []string
-	for i := 0; i < 2; i++ {
-		select {
-		case message := <-ch1:
-			ch1Seen = append(ch1Seen, message.Payload.(*logical.EventReceived).Event.Id)
-		case <-timeout:
-			t.Error("Timeout waiting for event1")
-		}
-	}
-	if len(ch1Seen) != 2 {
-		t.Errorf("Expected 2 events but got: %v", ch1Seen)
-	} else {
-		if !strutil.StrListContains(ch1Seen, event1.Id) {
-			t.Errorf("Did not find %s event1 ID in ch1seen", event1.Id)
-		}
-		if !strutil.StrListContains(ch1Seen, event2.Id) {
-			t.Errorf("Did not find %s event2 ID in ch1seen", event2.Id)
-		}
-	}
-	// Expect to receive just kv/bar on ch2, which subscribed to */bar
-	select {
-	case message := <-ch2:
-		if message.Payload.(*logical.EventReceived).Event.Id != event2.Id {
-			t.Errorf("Got unexpected message: %v", message)
-		}
-	case <-timeout:
-		t.Error("Timeout waiting for event2")
-	}
-}
-
-// TestDataPathIsPrependedWithMount tests that "data_path", if present in the
-// metadata, is prepended with the plugin's mount.
-func TestDataPathIsPrependedWithMount(t *testing.T) {
-	bus, err := NewEventBus(nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	ctx := context.Background()
-
-	fooEventType := logical.EventType("kv/foo")
-	bus.Start()
-
-	ch, cancel, err := bus.Subscribe(ctx, namespace.RootNamespace, "kv/*", "")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer cancel()
-
-	event, err := logical.NewEvent()
-	if err != nil {
-		t.Fatal(err)
-	}
-	metadata := map[string]string{
-		logical.EventMetadataDataPath: "my/secret/path",
-		"not_touched":                 "xyz",
-	}
-	metadataBytes, err := json.Marshal(metadata)
-	if err != nil {
-		t.Fatal(err)
-	}
-	event.Metadata = &structpb.Struct{}
-	if err := event.Metadata.UnmarshalJSON(metadataBytes); err != nil {
-		t.Fatal(err)
-	}
-
-	// no plugin info means nothing should change
-	err = bus.SendEventInternal(ctx, namespace.RootNamespace, nil, fooEventType, event)
-	if err != nil {
-		t.Error(err)
-	}
-
-	timeout := time.After(1 * time.Second)
-	select {
-	case message := <-ch:
-		metadata := message.Payload.(*logical.EventReceived).Event.Metadata.AsMap()
-		assert.Contains(t, metadata, "not_touched")
-		assert.Equal(t, "xyz", metadata["not_touched"])
-		assert.Contains(t, metadata, "data_path")
-		assert.Equal(t, "my/secret/path", metadata["data_path"])
-	case <-timeout:
-		t.Error("Timeout waiting for event")
-	}
-
-	// send with a secrets plugin mounted
-	pluginInfo := logical.EventPluginInfo{
-		MountClass:    "secrets",
-		MountAccessor: "kv_abc",
-		MountPath:     "secret/",
-		Plugin:        "kv",
-		PluginVersion: "v1.13.1+builtin",
-		Version:       "2",
-	}
-	err = bus.SendEventInternal(ctx, namespace.RootNamespace, &pluginInfo, fooEventType, event)
-	if err != nil {
-		t.Error(err)
-	}
-
-	timeout = time.After(1 * time.Second)
-	select {
-	case message := <-ch:
-		metadata := message.Payload.(*logical.EventReceived).Event.Metadata.AsMap()
-		assert.Contains(t, metadata, "not_touched")
-		assert.Equal(t, "xyz", metadata["not_touched"])
-		assert.Contains(t, metadata, "data_path")
-		assert.Equal(t, "secret/my/secret/path", metadata["data_path"])
-	case <-timeout:
-		t.Error("Timeout waiting for event")
-	}
-
-	// send with an auth plugin mounted
-	pluginInfo = logical.EventPluginInfo{
-		MountClass:    "auth",
-		MountAccessor: "kubernetes_abc",
-		MountPath:     "kubernetes/",
-		Plugin:        "vault-plugin-auth-kubernetes",
-		PluginVersion: "v1.13.1+builtin",
-	}
-	event, err = logical.NewEvent()
-	if err != nil {
-		t.Fatal(err)
-	}
-	metadata = map[string]string{
-		logical.EventMetadataDataPath: "my/secret/path",
-		"not_touched":                 "xyz",
-	}
-	metadataBytes, err = json.Marshal(metadata)
-	if err != nil {
-		t.Fatal(err)
-	}
-	event.Metadata = &structpb.Struct{}
-	if err := event.Metadata.UnmarshalJSON(metadataBytes); err != nil {
-		t.Fatal(err)
-	}
-	err = bus.SendEventInternal(ctx, namespace.RootNamespace, &pluginInfo, fooEventType, event)
-	if err != nil {
-		t.Error(err)
-	}
-
-	timeout = time.After(1 * time.Second)
-	select {
-	case message := <-ch:
-		metadata := message.Payload.(*logical.EventReceived).Event.Metadata.AsMap()
-		assert.Contains(t, metadata, "not_touched")
-		assert.Equal(t, "xyz", metadata["not_touched"])
-		assert.Contains(t, metadata, "data_path")
-		assert.Equal(t, "auth/kubernetes/my/secret/path", metadata["data_path"])
-	case <-timeout:
-		t.Error("Timeout waiting for event")
-	}
-}
-
-// TestBexpr tests go-bexpr filters are evaluated on an event.
-func TestBexpr(t *testing.T) {
-	bus, err := NewEventBus(nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	ctx := context.Background()
-
-	bus.Start()
-
-	sendEvent := func(eventType string) error {
-		event, err := logical.NewEvent()
-		if err != nil {
-			return err
-		}
-		metadata := map[string]string{
-			logical.EventMetadataDataPath:  "my/secret/path",
-			logical.EventMetadataOperation: "write",
-		}
-		metadataBytes, err := json.Marshal(metadata)
-		if err != nil {
-			return err
-		}
-		event.Metadata = &structpb.Struct{}
-		if err := event.Metadata.UnmarshalJSON(metadataBytes); err != nil {
-			return err
-		}
-		// send with a secrets plugin mounted
-		pluginInfo := logical.EventPluginInfo{
-			MountClass:    "secrets",
-			MountAccessor: "kv_abc",
-			MountPath:     "secret/",
-			Plugin:        "kv",
-			PluginVersion: "v1.13.1+builtin",
-			Version:       "2",
-		}
-		return bus.SendEventInternal(ctx, namespace.RootNamespace, &pluginInfo, logical.EventType(eventType), event)
-	}
-
-	testCases := []struct {
-		name             string
-		filter           string
-		shouldPassFilter bool
-	}{
-		{"empty expression", "", true},
-		{"non-matching expression", "data_path == nothing", false},
-		{"matching expression", "data_path == secret/my/secret/path", true},
-		{"full matching expression", "data_path == secret/my/secret/path and operation != read and source_plugin_mount == secret/ and source_plugin_mount != somethingelse", true},
-	}
-
-	for _, testCase := range testCases {
-		t.Run(testCase.name, func(t *testing.T) {
-			eventType, err := uuid.GenerateUUID()
-			if err != nil {
-				t.Fatal(err)
-			}
-			ch, cancel, err := bus.Subscribe(ctx, namespace.RootNamespace, eventType, testCase.filter)
-			if err != nil {
-				t.Fatal(err)
-			}
-			defer cancel()
-			err = sendEvent(eventType)
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			timer := time.NewTimer(5 * time.Second)
-			defer timer.Stop()
-			got := false
-			select {
-			case <-ch:
-				got = true
-			case <-timer.C:
-			}
-			assert.Equal(t, testCase.shouldPassFilter, got)
-		})
-	}
-}
-
-// TestPipelineCleanedUp ensures pipelines are properly cleaned up after
-// subscriptions are closed.
-func TestPipelineCleanedUp(t *testing.T) {
-	bus, err := NewEventBus(nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	eventType := logical.EventType("someType")
-	bus.Start()
-
-	_, cancel, err := bus.Subscribe(context.Background(), namespace.RootNamespace, string(eventType), "")
-	if err != nil {
-		t.Fatal(err)
-	}
-	if !bus.broker.IsAnyPipelineRegistered(eventTypeAll) {
-		cancel()
-		t.Fatal()
-	}
-
-	cancel()
-
-	if bus.broker.IsAnyPipelineRegistered(eventTypeAll) {
-		t.Fatal()
-	}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Component from '@glimmer/component';
+import { inject as service } from '@ember/service';
+
+/**
+ * @module DashboardVaultVersionTitle
+ * DashboardVaultVersionTitle component are use to display the vault version title and the badges
+ *
+ * @example
+ * ```js
+ * <Dashboard::VaultVersionTitle @version={{this.versionSvc}} />
+ * ```
+ */
+
+export default class DashboardVaultVersionTitle extends Component {
+  @service namespace;
 }
diff --git a/vault/eventbus/filter.go b/vault/eventbus/filter.go
new file mode 100644
index 000000000000..b26997c65a5d
--- /dev/null
+++ b/vault/eventbus/filter.go
@@ -0,0 +1,8 @@
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+{{outlet}}
+
+<AppFooter />
\ No newline at end of file
diff --git a/vault/eventbus/filter_test.go b/vault/eventbus/filter_test.go
new file mode 100644
index 000000000000..f71dc7c3943b
--- /dev/null
+++ b/vault/eventbus/filter_test.go
@@ -0,0 +1,49 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { later } from '@ember/runloop';
+import { Promise } from 'rsvp';
+import { inject as service } from '@ember/service';
+import Route from '@ember/routing/route';
+import Ember from 'ember';
+
+const SPLASH_DELAY = 300;
+
+export default class VaultRoute extends Route {
+  @service router;
+  @service store;
+  @service version;
+
+  beforeModel() {
+    // So we can know what type (Enterprise/Community) we're running
+    return this.version.fetchType();
+  }
+
+  model() {
+    const delay = Ember.testing ? 0 : SPLASH_DELAY;
+    // hardcode single cluster
+    const fixture = {
+      data: {
+        id: '1',
+        type: 'cluster',
+        attributes: {
+          name: 'vault',
+        },
+      },
+    };
+    this.store.push(fixture);
+    return new Promise((resolve) => {
+      later(() => {
+        resolve(this.store.peekAll('cluster'));
+      }, delay);
+    });
+  }
+
+  redirect(model, transition) {
+    if (model.get('length') === 1 && transition.targetName === 'vault.index') {
+      return this.router.transitionTo('vault.cluster', model.get('firstObject.name'));
+    }
+  }
+}
diff --git a/vault/external_plugin_container_test.go b/vault/external_plugin_container_test.go
index 8133c13563e1..f7ebf7b2f2fd 100644
--- a/vault/external_plugin_container_test.go
+++ b/vault/external_plugin_container_test.go
@@ -1,189 +1,39 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package vault
-
-import (
-	"context"
-	"encoding/hex"
-	"fmt"
-	"os/exec"
-	"strings"
-	"testing"
-
-	"github.com/hashicorp/vault/helper/namespace"
-	"github.com/hashicorp/vault/helper/testhelpers/pluginhelpers"
-	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/hashicorp/vault/sdk/helper/pluginruntimeutil"
-	"github.com/hashicorp/vault/sdk/helper/pluginutil"
-	"github.com/hashicorp/vault/sdk/logical"
-)
-
-func testClusterWithContainerPlugin(t *testing.T, pluginType consts.PluginType, version string) (*Core, pluginhelpers.TestPlugin) {
-	coreConfig := &CoreConfig{
-		CredentialBackends: map[string]logical.Factory{},
-	}
-
-	cluster := NewTestCluster(t, coreConfig, &TestClusterOptions{
-		Plugins: &TestPluginConfig{
-			Typ:       pluginType,
-			Versions:  []string{version},
-			Container: true,
-		},
-	})
-
-	cluster.Start()
-	t.Cleanup(cluster.Cleanup)
-
-	c := cluster.Cores[0].Core
-	TestWaitActive(t, c)
-	plugins := cluster.Plugins
-
-	return c, plugins[0]
-}
-
-func TestExternalPluginInContainer_MountAndUnmount(t *testing.T) {
-	for name, tc := range map[string]struct {
-		pluginType consts.PluginType
-	}{
-		"auth": {
-			pluginType: consts.PluginTypeCredential,
-		},
-		"secrets": {
-			pluginType: consts.PluginTypeSecrets,
-		},
-	} {
-		t.Run(name, func(t *testing.T) {
-			c, plugin := testClusterWithContainerPlugin(t, tc.pluginType, "v1.0.0")
-
-			t.Run("default", func(t *testing.T) {
-				if _, err := exec.LookPath("runsc"); err != nil {
-					t.Skip("Skipping test as runsc not found on path")
-				}
-				mountAndUnmountContainerPlugin_WithRuntime(t, c, plugin, "")
-			})
-
-			t.Run("runc", func(t *testing.T) {
-				mountAndUnmountContainerPlugin_WithRuntime(t, c, plugin, "runc")
-			})
-
-			t.Run("runsc", func(t *testing.T) {
-				if _, err := exec.LookPath("runsc"); err != nil {
-					t.Skip("Skipping test as runsc not found on path")
-				}
-				mountAndUnmountContainerPlugin_WithRuntime(t, c, plugin, "runsc")
-			})
-		})
-	}
-}
-
-func mountAndUnmountContainerPlugin_WithRuntime(t *testing.T, c *Core, plugin pluginhelpers.TestPlugin, ociRuntime string) {
-	if ociRuntime != "" {
-		registerPluginRuntime(t, c.systemBackend, ociRuntime, ociRuntime)
-	}
-	registerContainerPlugin(t, c.systemBackend, plugin.Name, plugin.Typ.String(), "1.0.0", plugin.ImageSha256, plugin.Image, ociRuntime)
-
-	mountPlugin(t, c.systemBackend, plugin.Name, plugin.Typ, "v1.0.0", "")
-
-	routeRequest := func(expectMatch bool) {
-		pluginPath := "foo/bar"
-		if plugin.Typ == consts.PluginTypeCredential {
-			pluginPath = "auth/foo/bar"
-		}
-		match := c.router.MatchingMount(namespace.RootContext(nil), pluginPath)
-		if expectMatch && match != strings.TrimSuffix(pluginPath, "bar") {
-			t.Fatalf("missing mount, match: %q", match)
-		}
-		if !expectMatch && match != "" {
-			t.Fatalf("expected no match for path, but got %q", match)
-		}
-	}
-
-	routeRequest(true)
-	unmountPlugin(t, c.systemBackend, plugin.Typ, "foo")
-	routeRequest(false)
-}
-
-func TestExternalPluginInContainer_GetBackendTypeVersion(t *testing.T) {
-	for name, tc := range map[string]struct {
-		pluginType        consts.PluginType
-		setRunningVersion string
-	}{
-		"external credential plugin": {
-			pluginType:        consts.PluginTypeCredential,
-			setRunningVersion: "v1.2.3",
-		},
-		"external secrets plugin": {
-			pluginType:        consts.PluginTypeSecrets,
-			setRunningVersion: "v1.2.3",
-		},
-		"external database plugin": {
-			pluginType:        consts.PluginTypeDatabase,
-			setRunningVersion: "v1.2.3",
-		},
-	} {
-		t.Run(name, func(t *testing.T) {
-			c, plugin := testClusterWithContainerPlugin(t, tc.pluginType, tc.setRunningVersion)
-			for _, ociRuntime := range []string{"runc", "runsc"} {
-				t.Run(ociRuntime, func(t *testing.T) {
-					if _, err := exec.LookPath(ociRuntime); err != nil {
-						t.Skipf("Skipping test as %s not found on path", ociRuntime)
-					}
-					shaBytes, _ := hex.DecodeString(plugin.ImageSha256)
-					entry := &pluginutil.PluginRunner{
-						Name:     plugin.Name,
-						OCIImage: plugin.Image,
-						Args:     nil,
-						Sha256:   shaBytes,
-						Builtin:  false,
-						Runtime:  ociRuntime,
-						RuntimeConfig: &pluginruntimeutil.PluginRuntimeConfig{
-							OCIRuntime: ociRuntime,
-						},
-					}
-
-					var version logical.PluginVersion
-					var err error
-					if tc.pluginType == consts.PluginTypeDatabase {
-						version, err = c.pluginCatalog.getDatabaseRunningVersion(context.Background(), entry)
-					} else {
-						version, err = c.pluginCatalog.getBackendRunningVersion(context.Background(), entry)
-					}
-					if err != nil {
-						t.Fatal(err)
-					}
-					if version.Version != tc.setRunningVersion {
-						t.Errorf("Expected to get version %v but got %v", tc.setRunningVersion, version.Version)
-					}
-				})
-			}
-		})
-	}
-}
-
-func registerContainerPlugin(t *testing.T, sys *SystemBackend, pluginName, pluginType, version, sha, image, runtime string) {
-	t.Helper()
-	req := logical.TestRequest(t, logical.UpdateOperation, fmt.Sprintf("plugins/catalog/%s/%s", pluginType, pluginName))
-	req.Data = map[string]interface{}{
-		"oci_image": image,
-		"sha256":    sha,
-		"version":   version,
-		"runtime":   runtime,
-	}
-	resp, err := sys.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil || (resp != nil && resp.IsError()) {
-		t.Fatalf("err:%v resp:%#v", err, resp)
-	}
-}
-
-func registerPluginRuntime(t *testing.T, sys *SystemBackend, name, ociRuntime string) {
-	t.Helper()
-	req := logical.TestRequest(t, logical.UpdateOperation, fmt.Sprintf("plugins/runtimes/catalog/%s/%s", consts.PluginRuntimeTypeContainer, name))
-	req.Data = map[string]interface{}{
-		"oci_runtime": ociRuntime,
-	}
-	resp, err := sys.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil || (resp != nil && resp.IsError()) {
-		t.Fatalf("err:%v resp:%#v", err, resp)
-	}
-}
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { setupTest } from 'ember-qunit';
+
+module('Unit | Service | version', function (hooks) {
+  setupTest(hooks);
+
+  test('setting type computes isCommunity properly', function (assert) {
+    const service = this.owner.lookup('service:version');
+    service.type = 'community';
+    assert.true(service.isCommunity);
+    assert.false(service.isEnterprise);
+  });
+
+  test('setting type computes isEnterprise properly', function (assert) {
+    const service = this.owner.lookup('service:version');
+    service.type = 'enterprise';
+    assert.false(service.isCommunity);
+    assert.true(service.isEnterprise);
+  });
+
+  test('hasPerfReplication', function (assert) {
+    const service = this.owner.lookup('service:version');
+    assert.false(service.hasPerfReplication);
+    service.features = ['Performance Replication'];
+    assert.true(service.hasPerfReplication);
+  });
+
+  test('hasDRReplication', function (assert) {
+    const service = this.owner.lookup('service:version');
+    assert.false(service.hasDRReplication);
+    service.features = ['DR Replication'];
+    assert.true(service.hasDRReplication);
+  });
+});
diff --git a/vault/external_plugin_test.go b/vault/external_plugin_test.go
index 96f71b30fbc5..8b54511c099a 100644
--- a/vault/external_plugin_test.go
+++ b/vault/external_plugin_test.go
@@ -1,980 +1,66 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package vault
+package command
 
 import (
-	"context"
-	"encoding/hex"
-	"errors"
-	"fmt"
-	"os"
-	"path"
-	"path/filepath"
 	"strings"
-	"testing"
 
-	"github.com/hashicorp/vault/helper/namespace"
-	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
-	"github.com/hashicorp/vault/helper/testhelpers/pluginhelpers"
-	"github.com/hashicorp/vault/sdk/framework"
-	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/hashicorp/vault/sdk/helper/pluginutil"
-	"github.com/hashicorp/vault/sdk/logical"
-	"github.com/hashicorp/vault/sdk/plugin"
-	"github.com/hashicorp/vault/sdk/plugin/mock"
+	"github.com/hashicorp/cli"
 	"github.com/hashicorp/vault/version"
+	"github.com/posener/complete"
 )
 
-const vaultTestingMockPluginEnv = "VAULT_TESTING_MOCK_PLUGIN"
-
-// version is used to override the plugin's self-reported version
-func testCoreWithPlugins(t *testing.T, typ consts.PluginType, versions ...string) (*Core, []pluginhelpers.TestPlugin) {
-	t.Helper()
-	pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
-	t.Cleanup(func() { cleanup(t) })
-
-	var plugins []pluginhelpers.TestPlugin
-	for _, version := range versions {
-		plugins = append(plugins, pluginhelpers.CompilePlugin(t, typ, version, pluginDir))
-	}
-	conf := &CoreConfig{
-		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
-		PluginDirectory: pluginDir,
-	}
-	core := TestCoreWithSealAndUI(t, conf)
-	core, _, _ = testCoreUnsealed(t, core)
-	return core, plugins
-}
-
-func TestCore_EnableExternalPlugin(t *testing.T) {
-	for name, tc := range map[string]struct {
-		pluginType    consts.PluginType
-		routerPath    string
-		expectedMatch string
-	}{
-		"enable external credential plugin": {
-			pluginType:    consts.PluginTypeCredential,
-			routerPath:    "auth/foo/bar",
-			expectedMatch: "auth/foo/",
-		},
-		"enable external secrets plugin": {
-			pluginType:    consts.PluginTypeSecrets,
-			routerPath:    "foo/bar",
-			expectedMatch: "foo/",
-		},
-	} {
-		t.Run(name, func(t *testing.T) {
-			coreConfig := &CoreConfig{
-				CredentialBackends: map[string]logical.Factory{},
-			}
-
-			cluster := NewTestCluster(t, coreConfig, &TestClusterOptions{
-				Plugins: &TestPluginConfig{
-					Typ:      tc.pluginType,
-					Versions: []string{""},
-				},
-			})
-
-			cluster.Start()
-			defer cluster.Cleanup()
-
-			c := cluster.Cores[0].Core
-			TestWaitActive(t, c)
-
-			plugins := cluster.Plugins
-
-			registerPlugin(t, c.systemBackend, plugins[0].Name, tc.pluginType.String(), "1.0.0", plugins[0].Sha256, plugins[0].FileName)
-
-			mountPlugin(t, c.systemBackend, plugins[0].Name, tc.pluginType, "v1.0.0", "")
-
-			match := c.router.MatchingMount(namespace.RootContext(nil), tc.routerPath)
-			if match != tc.expectedMatch {
-				t.Fatalf("missing mount, match: %q", match)
-			}
-		})
-	}
-}
-
-func TestCore_EnableExternalPlugin_MultipleVersions(t *testing.T) {
-	for name, tc := range map[string]struct {
-		pluginType       consts.PluginType
-		registerVersions []string
-		mountVersion     string
-		expectedVersion  string
-		routerPath       string
-		expectedMatch    string
-	}{
-		"enable external credential plugin, multiple versions available": {
-			pluginType:       consts.PluginTypeCredential,
-			registerVersions: []string{"v1.0.0", "v1.0.1"},
-			mountVersion:     "v1.0.0",
-			expectedVersion:  "v1.0.0",
-			routerPath:       "auth/foo/bar",
-			expectedMatch:    "auth/foo/",
-		},
-		"enable external secrets plugin, multiple versions available": {
-			pluginType:       consts.PluginTypeSecrets,
-			registerVersions: []string{"v1.0.0", "v1.0.1"},
-			mountVersion:     "v1.0.0",
-			expectedVersion:  "v1.0.0",
-			routerPath:       "foo/bar",
-			expectedMatch:    "foo/",
-		},
-		"enable external credential plugin, multiple versions available, select other version": {
-			pluginType:       consts.PluginTypeCredential,
-			registerVersions: []string{"v1.0.0", "v1.0.1"},
-			mountVersion:     "v1.0.1",
-			expectedVersion:  "v1.0.1",
-			routerPath:       "auth/foo/bar",
-			expectedMatch:    "auth/foo/",
-		},
-		"enable external secrets plugin, multiple versions available, select other version": {
-			pluginType:       consts.PluginTypeSecrets,
-			registerVersions: []string{"v1.0.0", "v1.0.1"},
-			mountVersion:     "v1.0.1",
-			expectedVersion:  "v1.0.1",
-			routerPath:       "foo/bar",
-			expectedMatch:    "foo/",
-		},
-		"enable external credential plugin, selects latest when version not specified": {
-			pluginType:       consts.PluginTypeCredential,
-			registerVersions: []string{"v1.0.0", "v1.0.1"},
-			mountVersion:     "",
-			expectedVersion:  "v1.0.1",
-			routerPath:       "auth/foo/bar",
-			expectedMatch:    "auth/foo/",
-		},
-		"enable external secrets plugin, selects latest when version not specified": {
-			pluginType:       consts.PluginTypeSecrets,
-			registerVersions: []string{"v1.0.0", "v1.0.1"},
-			mountVersion:     "",
-			expectedVersion:  "v1.0.1",
-			routerPath:       "foo/bar",
-			expectedMatch:    "foo/",
-		},
-	} {
-		t.Run(name, func(t *testing.T) {
-			c, plugins := testCoreWithPlugins(t, tc.pluginType, "")
-			for _, version := range tc.registerVersions {
-				registerPlugin(t, c.systemBackend, plugins[0].Name, tc.pluginType.String(), version, plugins[0].Sha256, plugins[0].FileName)
-			}
-
-			mountPlugin(t, c.systemBackend, plugins[0].Name, tc.pluginType, tc.mountVersion, "")
-
-			match := c.router.MatchingMount(namespace.RootContext(nil), tc.routerPath)
-			if match != tc.expectedMatch {
-				t.Fatalf("missing mount, match: %q", match)
-			}
-
-			raw, _ := c.router.root.Get(match)
-			if raw.(*routeEntry).mountEntry.Version != tc.expectedVersion {
-				t.Errorf("Expected mount to be version %s but got %s", tc.expectedVersion, raw.(*routeEntry).mountEntry.Version)
-			}
-
-			if raw.(*routeEntry).mountEntry.RunningVersion != tc.expectedVersion {
-				t.Errorf("Expected mount running version to be %s but got %s", tc.expectedVersion, raw.(*routeEntry).mountEntry.RunningVersion)
-			}
-
-			if raw.(*routeEntry).mountEntry.RunningSha256 == "" {
-				t.Errorf("Expected RunningSha256 to be present: %+v", raw.(*routeEntry).mountEntry.RunningSha256)
-			}
-		})
-	}
-}
-
-func TestCore_EnableExternalPlugin_Deregister_SealUnseal(t *testing.T) {
-	pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
-	t.Cleanup(func() { cleanup(t) })
-
-	// create an external plugin to shadow the builtin "pending-removal-test-plugin"
-	pluginName := "therug"
-	plugin := pluginhelpers.CompilePlugin(t, consts.PluginTypeCredential, "", pluginDir)
-	err := os.Link(path.Join(pluginDir, plugin.FileName), path.Join(pluginDir, pluginName))
-	if err != nil {
-		t.Fatal(err)
-	}
-	conf := &CoreConfig{
-		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
-		PluginDirectory: pluginDir,
-	}
-
-	c := TestCoreWithSealAndUI(t, conf)
-	c, keys, root := testCoreUnsealed(t, c)
-
-	// Register a plugin
-	registerPlugin(t, c.systemBackend, pluginName, consts.PluginTypeCredential.String(), "", plugin.Sha256, plugin.FileName)
-	mountPlugin(t, c.systemBackend, pluginName, consts.PluginTypeCredential, "", "")
-	plugct := len(c.pluginCatalog.externalPlugins)
-	if plugct != 1 {
-		t.Fatalf("expected a single external plugin entry after registering, got: %d", plugct)
-	}
-
-	// Now pull the rug out from underneath us
-	deregisterPlugin(t, c.systemBackend, pluginName, consts.PluginTypeCredential.String(), "", "", "")
-
-	if err := c.Seal(root); err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	for i, key := range keys {
-		unseal, err := TestCoreUnseal(c, key)
-		if err != nil {
-			t.Fatalf("err: %v", err)
-		}
-		if i+1 == len(keys) && !unseal {
-			t.Fatalf("err: should be unsealed")
-		}
-	}
-
-	plugct = len(c.pluginCatalog.externalPlugins)
-	if plugct != 0 {
-		t.Fatalf("expected no plugin entries after unseal, got: %d", plugct)
-	}
-
-	found := false
-	mounts, err := c.ListAuths()
-	if err != nil {
-		t.Fatal(err)
-	}
-	for _, mount := range mounts {
-		if mount.Type == pluginName {
-			found = true
-			break
-		}
-	}
-
-	if !found {
-		t.Fatalf("expected to find %s mount, but got none", pluginName)
-	}
-}
-
-// TestCore_Unseal_isMajorVersionFirstMount_PendingRemoval_Plugin tests the
-// behavior of deprecated builtins when attempting to unseal Vault after a major
-// version upgrade. It simulates this behavior by instantiating a Vault cluster,
-// registering a shadow plugin to mount a builtin, and deregistering the shadow
-// plugin. The first unseal should work. Before sealing and unsealing again, the
-// version store is cleared.  Vault sees the next unseal as a major upgrade and
-// should immediately shut down.
-func TestCore_Unseal_isMajorVersionFirstMount_PendingRemoval_Plugin(t *testing.T) {
-	pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
-	t.Cleanup(func() { cleanup(t) })
-
-	// create an external plugin to shadow the builtin "pending-removal-test-plugin"
-	pluginName := "pending-removal-test-plugin"
-	plugin := pluginhelpers.CompilePlugin(t, consts.PluginTypeCredential, "", pluginDir)
-	err := os.Link(path.Join(pluginDir, plugin.FileName), path.Join(pluginDir, pluginName))
-	if err != nil {
-		t.Fatal(err)
-	}
-	conf := &CoreConfig{
-		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
-		PluginDirectory: pluginDir,
-	}
-	c := TestCoreWithSealAndUI(t, conf)
-	c, keys, root := testCoreUnsealed(t, c)
-
-	// Register a shadow plugin
-	registerPlugin(t, c.systemBackend, pluginName, consts.PluginTypeCredential.String(), "", plugin.Sha256, plugin.FileName)
-	mountPlugin(t, c.systemBackend, pluginName, consts.PluginTypeCredential, "", "")
-
-	// Deregister shadow plugin
-	deregisterPlugin(t, c.systemBackend, pluginName, consts.PluginTypeCredential.String(), "", plugin.Sha256, plugin.FileName)
-
-	// Make sure this isn't the first mount for the current major version.
-	if c.isMajorVersionFirstMount(context.Background()) {
-		t.Fatalf("expected major version to register as mounted")
-	}
-
-	if err := c.Seal(root); err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	for i, key := range keys {
-		unseal, err := TestCoreUnseal(c, key)
-		if err != nil {
-			t.Fatalf("err: %v", err)
-		}
-		if i+1 == len(keys) && !unseal {
-			t.Fatalf("err: should be unsealed")
-		}
-	}
-
-	// Now remove version history and try again
-	vaultVersionPath := "core/versions/"
-	key := vaultVersionPath + version.Version
-	if err := c.barrier.Delete(context.Background(), key); err != nil {
-		t.Fatal(err)
-	}
-
-	// loadVersionHistory doesn't care about invalidating old entries, since
-	// they shouldn't really be deleted from the version store. It just updates
-	// the map, so we need to manually delete the current entry.
-	delete(c.versionHistory, version.Version)
-
-	// Make sure this appears to be the first mount for the current major
-	// version.
-	if !c.isMajorVersionFirstMount(context.Background()) {
-		t.Fatalf("expected major version first mount")
-	}
-
-	// Seal again and check for unseal failure.
-	if err := c.Seal(root); err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	for i, key := range keys {
-		unseal, err := TestCoreUnseal(c, key)
-		if i+1 == len(keys) {
-			if !errors.Is(err, errLoadAuthFailed) {
-				t.Fatalf("expected error: %q, got: %q", errLoadAuthFailed, err)
-			}
-
-			if unseal {
-				t.Fatalf("err: should not be unsealed")
-			}
-		}
-	}
-}
-
-func TestCore_EnableExternalPlugin_PendingRemoval(t *testing.T) {
-	pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
-	t.Cleanup(func() { cleanup(t) })
-
-	// create an external plugin to shadow the builtin "pending-removal-test-plugin"
-	pluginName := "pending-removal-test-plugin"
-	plugin := pluginhelpers.CompilePlugin(t, consts.PluginTypeCredential, "v1.2.3", pluginDir)
-	err := os.Link(path.Join(pluginDir, plugin.FileName), path.Join(pluginDir, pluginName))
-	if err != nil {
-		t.Fatal(err)
-	}
-	conf := &CoreConfig{
-		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
-		PluginDirectory: pluginDir,
-	}
-
-	c := TestCoreWithSealAndUI(t, conf)
-	c, _, _ = testCoreUnsealed(t, c)
-
-	pendingRemovalString := "pending removal"
-
-	// Create a new auth method with builtin pending-removal-test-plugin
-	resp, err := mountPluginWithResponse(t, c.systemBackend, pluginName, consts.PluginTypeCredential, "", "")
-	if err == nil {
-		t.Fatalf("expected error when mounting deprecated backend")
-	}
-	if resp == nil || resp.Data == nil || !strings.Contains(resp.Data["error"].(string), pendingRemovalString) {
-		t.Fatalf("expected error response to contain %q but got %+v", pendingRemovalString, resp)
-	}
-
-	// Register a shadow plugin
-	registerPlugin(t, c.systemBackend, pluginName, consts.PluginTypeCredential.String(), "v1.2.3", plugin.Sha256, plugin.FileName)
-	mountPlugin(t, c.systemBackend, pluginName, consts.PluginTypeCredential, "", "")
-}
-
-func TestCore_EnableExternalPlugin_ShadowBuiltin(t *testing.T) {
-	pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
-	t.Cleanup(func() { cleanup(t) })
-
-	// create an external plugin to shadow the builtin "approle"
-	plugin := pluginhelpers.CompilePlugin(t, consts.PluginTypeCredential, "v1.2.3", pluginDir)
-	err := os.Link(path.Join(pluginDir, plugin.FileName), path.Join(pluginDir, "approle"))
-	if err != nil {
-		t.Fatal(err)
-	}
-	pluginName := "approle"
-	conf := &CoreConfig{
-		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
-		PluginDirectory: pluginDir,
-	}
-	c := TestCoreWithSealAndUI(t, conf)
-	c, _, _ = testCoreUnsealed(t, c)
-
-	verifyAuthListDeprecationStatus := func(authName string, checkExists bool) error {
-		req := logical.TestRequest(t, logical.ReadOperation, mountTable(consts.PluginTypeCredential))
-		req.Data = map[string]interface{}{
-			"type": authName,
-		}
-		resp, err := c.systemBackend.HandleRequest(namespace.RootContext(nil), req)
-		if err != nil {
-			return err
-		}
-		status := resp.Data["deprecation_status"]
-		if checkExists && status == nil {
-			return fmt.Errorf("expected deprecation status but found none")
-		} else if !checkExists && status != nil {
-			return fmt.Errorf("expected nil deprecation status but found %q", status)
-		}
-		return nil
-	}
-
-	// Create a new auth method with builtin approle
-	mountPlugin(t, c.systemBackend, pluginName, consts.PluginTypeCredential, "", "")
-
-	// Read the auth table to verify deprecation status
-	if err := verifyAuthListDeprecationStatus(pluginName, true); err != nil {
-		t.Fatal(err)
-	}
-
-	// Register a shadow plugin
-	registerPlugin(t, c.systemBackend, pluginName, consts.PluginTypeCredential.String(), "v1.2.3", plugin.Sha256, plugin.FileName)
-
-	// Verify auth table hasn't changed
-	if err := verifyAuthListDeprecationStatus(pluginName, true); err != nil {
-		t.Fatal(err)
-	}
-
-	// Remount auth method using registered shadow plugin
-	unmountPlugin(t, c.systemBackend, consts.PluginTypeCredential, "")
-	mountPlugin(t, c.systemBackend, pluginName, consts.PluginTypeCredential, "", "")
-
-	// Verify auth table has changed
-	if err := verifyAuthListDeprecationStatus(pluginName, false); err != nil {
-		t.Fatal(err)
-	}
-
-	// Deregister shadow plugin
-	deregisterPlugin(t, c.systemBackend, pluginName, consts.PluginTypeSecrets.String(), "v1.2.3", plugin.Sha256, plugin.FileName)
-
-	// Verify auth table hasn't changed
-	if err := verifyAuthListDeprecationStatus(pluginName, false); err != nil {
-		t.Fatal(err)
-	}
-
-	// Remount auth method
-	unmountPlugin(t, c.systemBackend, consts.PluginTypeCredential, "")
-	mountPlugin(t, c.systemBackend, pluginName, consts.PluginTypeCredential, "", "")
-
-	// Verify auth table has changed
-	if err := verifyAuthListDeprecationStatus(pluginName, false); err != nil {
-		t.Fatal(err)
-	}
-}
-
-func TestCore_EnableExternalKv_MultipleVersions(t *testing.T) {
-	pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
-	t.Cleanup(func() { cleanup(t) })
-
-	// new kv plugin can be registered but not mounted
-	plugin := pluginhelpers.CompilePlugin(t, consts.PluginTypeSecrets, "v1.2.3", pluginDir)
-	err := os.Link(path.Join(pluginDir, plugin.FileName), path.Join(pluginDir, "kv"))
-	if err != nil {
-		t.Fatal(err)
-	}
-	pluginName := "kv"
-	conf := &CoreConfig{
-		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
-		PluginDirectory: pluginDir,
-	}
-	c := TestCoreWithSealAndUI(t, conf)
-	c, _, _ = testCoreUnsealed(t, c)
-
-	registerPlugin(t, c.systemBackend, pluginName, consts.PluginTypeSecrets.String(), "v1.2.3", plugin.Sha256, plugin.FileName)
-	req := logical.TestRequest(t, logical.ReadOperation, "plugins/catalog")
-	resp, err := c.systemBackend.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp.Error() != nil {
-		t.Fatalf("%#v", resp)
-	}
-	found := false
-	for _, plugin := range resp.Data["detailed"].([]map[string]any) {
-		if plugin["name"] == pluginName && plugin["version"] == "v1.2.3" {
-			found = true
-			break
-		}
-	}
-	if !found {
-		t.Fatal("Expected to find v1.2.3 kv plugin but did not")
-	}
-	req = logical.TestRequest(t, logical.UpdateOperation, mountTable(consts.PluginTypeSecrets))
-	req.Data = map[string]interface{}{
-		"type": pluginName,
-	}
-	req.Data["config"] = map[string]interface{}{
-		"plugin_version": "v1.2.3",
-	}
-	resp, err = c.systemBackend.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp.Error() == nil {
-		t.Fatal("Expected resp error but got successful response")
-	}
-}
-
-func TestCore_EnableExternalNoop_MultipleVersions(t *testing.T) {
-	pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
-	t.Cleanup(func() { cleanup(t) })
-
-	// new noop plugin can be registered but not mounted
-	plugin := pluginhelpers.CompilePlugin(t, consts.PluginTypeCredential, "v1.2.3", pluginDir)
-	err := os.Link(path.Join(pluginDir, plugin.FileName), path.Join(pluginDir, "noop"))
-	if err != nil {
-		t.Fatal(err)
-	}
-	pluginName := "noop"
-	conf := &CoreConfig{
-		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
-		PluginDirectory: pluginDir,
-	}
-	c := TestCoreWithSealAndUI(t, conf)
-	c, _, _ = testCoreUnsealed(t, c)
-
-	registerPlugin(t, c.systemBackend, pluginName, consts.PluginTypeCredential.String(), "v1.2.3", plugin.Sha256, plugin.FileName)
-	req := logical.TestRequest(t, logical.ReadOperation, "plugins/catalog")
-	resp, err := c.systemBackend.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp.Error() != nil {
-		t.Fatalf("%#v", resp)
-	}
-	found := false
-	for _, plugin := range resp.Data["detailed"].([]map[string]any) {
-		if plugin["name"] == "noop" && plugin["version"] == "v1.2.3" {
-			found = true
-			break
-		}
-	}
-	if !found {
-		t.Fatal("Expected to find v1.2.3 noop plugin but did not")
-	}
-	req = logical.TestRequest(t, logical.UpdateOperation, mountTable(consts.PluginTypeCredential))
-	req.Data = map[string]interface{}{
-		"type": pluginName,
-	}
-	req.Data["config"] = map[string]interface{}{
-		"plugin_version": "v1.2.3",
-	}
-	resp, err = c.systemBackend.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp.Error() == nil {
-		t.Fatal("Expected resp error but got successful response")
-	}
-}
-
-func TestCore_EnableExternalPlugin_NoVersionsOkay(t *testing.T) {
-	for name, tc := range map[string]struct {
-		pluginType    consts.PluginType
-		routerPath    string
-		expectedMatch string
-	}{
-		"enable external credential plugin with no version": {
-			pluginType:    consts.PluginTypeCredential,
-			routerPath:    "auth/foo/bar",
-			expectedMatch: "auth/foo/",
-		},
-		"enable external secrets plugin with no version": {
-			pluginType:    consts.PluginTypeSecrets,
-			routerPath:    "foo/bar",
-			expectedMatch: "foo/",
-		},
-	} {
-		t.Run(name, func(t *testing.T) {
-			c, plugins := testCoreWithPlugins(t, tc.pluginType, "")
-			// When an unversioned plugin is registered, mounting a plugin with no
-			// version specified should mount the unversioned plugin even if there
-			// are versioned plugins available.
-			for _, version := range []string{"", "v1.0.0"} {
-				registerPlugin(t, c.systemBackend, plugins[0].Name, tc.pluginType.String(), version, plugins[0].Sha256, plugins[0].FileName)
-			}
-
-			mountPlugin(t, c.systemBackend, plugins[0].Name, tc.pluginType, "", "")
-
-			match := c.router.MatchingMount(namespace.RootContext(nil), tc.routerPath)
-			if match != tc.expectedMatch {
-				t.Fatalf("missing mount, match: %q", match)
-			}
-
-			raw, _ := c.router.root.Get(match)
-			if raw.(*routeEntry).mountEntry.Version != "" {
-				t.Errorf("Expected mount to be empty version but got %s", raw.(*routeEntry).mountEntry.Version)
-			}
-		})
-	}
-}
-
-func TestCore_EnableExternalCredentialPlugin_NoVersionOnRegister(t *testing.T) {
-	for name, tc := range map[string]struct {
-		pluginType    consts.PluginType
-		routerPath    string
-		expectedMatch string
-	}{
-		"enable external credential plugin with version, but no version was provided on registration": {
-			pluginType:    consts.PluginTypeCredential,
-			routerPath:    "auth/foo/bar",
-			expectedMatch: "auth/foo/",
-		},
-		"enable external secrets plugin with version, but no version was provided on registration": {
-			pluginType:    consts.PluginTypeSecrets,
-			routerPath:    "foo/bar",
-			expectedMatch: "foo/",
-		},
-	} {
-		t.Run(name, func(t *testing.T) {
-			c, plugins := testCoreWithPlugins(t, tc.pluginType, "")
-			registerPlugin(t, c.systemBackend, plugins[0].Name, tc.pluginType.String(), "", plugins[0].Sha256, plugins[0].FileName)
-
-			req := logical.TestRequest(t, logical.UpdateOperation, mountTable(tc.pluginType))
-			req.Data = map[string]interface{}{
-				"type": plugins[0].Name,
-				"config": map[string]interface{}{
-					"plugin_version": "v1.0.0",
-				},
-			}
-			resp, _ := c.systemBackend.HandleRequest(namespace.RootContext(nil), req)
-			if resp == nil || !resp.IsError() || !strings.Contains(resp.Error().Error(), ErrPluginNotFound.Error()) {
-				t.Fatalf("Expected to get plugin not found but got: %v", resp.Error())
-			}
-		})
-	}
-}
-
-func TestCore_EnableExternalCredentialPlugin_InvalidName(t *testing.T) {
-	for name, tc := range map[string]struct {
-		pluginType consts.PluginType
-	}{
-		"enable external credential plugin with the wrong name": {
-			pluginType: consts.PluginTypeCredential,
-		},
-		"enable external secrets plugin with the wrong name": {
-			pluginType: consts.PluginTypeSecrets,
-		},
-	} {
-		t.Run(name, func(t *testing.T) {
-			c, plugins := testCoreWithPlugins(t, tc.pluginType, "")
-			d := &framework.FieldData{
-				Raw: map[string]interface{}{
-					"name":    plugins[0].Name,
-					"sha256":  plugins[0].Sha256,
-					"version": "v1.0.0",
-					"command": plugins[0].Name + "xyz",
-				},
-				Schema: c.systemBackend.pluginsCatalogCRUDPath().Fields,
-			}
-			_, err := c.systemBackend.handlePluginCatalogUpdate(context.Background(), nil, d)
-			if err == nil || !strings.Contains(err.Error(), "no such file or directory") {
-				t.Fatalf("should have gotten a no such file or directory error inserting the plugin: %v", err)
-			}
-		})
-	}
-}
-
-func TestExternalPlugin_getBackendTypeVersion(t *testing.T) {
-	for name, tc := range map[string]struct {
-		pluginType        consts.PluginType
-		setRunningVersion string
-	}{
-		"external credential plugin": {
-			pluginType:        consts.PluginTypeCredential,
-			setRunningVersion: "v1.2.3",
-		},
-		"external secrets plugin": {
-			pluginType:        consts.PluginTypeSecrets,
-			setRunningVersion: "v1.2.3",
-		},
-		"external database plugin": {
-			pluginType:        consts.PluginTypeDatabase,
-			setRunningVersion: "v1.2.3",
-		},
-	} {
-		t.Run(name, func(t *testing.T) {
-			c, plugins := testCoreWithPlugins(t, tc.pluginType, tc.setRunningVersion)
-			registerPlugin(t, c.systemBackend, plugins[0].Name, tc.pluginType.String(), tc.setRunningVersion, plugins[0].Sha256, plugins[0].FileName)
-
-			shaBytes, _ := hex.DecodeString(plugins[0].Sha256)
-			commandFull := filepath.Join(c.pluginCatalog.directory, plugins[0].FileName)
-			entry := &pluginutil.PluginRunner{
-				Name:    plugins[0].Name,
-				Command: commandFull,
-				Args:    nil,
-				Sha256:  shaBytes,
-				Builtin: false,
-			}
-
-			var version logical.PluginVersion
-			var err error
-			if tc.pluginType == consts.PluginTypeDatabase {
-				version, err = c.pluginCatalog.getDatabaseRunningVersion(context.Background(), entry)
-			} else {
-				version, err = c.pluginCatalog.getBackendRunningVersion(context.Background(), entry)
-			}
-			if err != nil {
-				t.Fatal(err)
-			}
-			if version.Version != tc.setRunningVersion {
-				t.Errorf("Expected to get version %v but got %v", tc.setRunningVersion, version.Version)
-			}
-		})
-	}
-}
-
-func TestExternalPlugin_CheckFilePermissions(t *testing.T) {
-	// Turn on the check.
-	if err := os.Setenv(consts.VaultEnableFilePermissionsCheckEnv, "true"); err != nil {
-		t.Fatal(err)
-	}
-	defer func() {
-		if err := os.Unsetenv(consts.VaultEnableFilePermissionsCheckEnv); err != nil {
-			t.Fatal(err)
-		}
-	}()
-
-	for name, tc := range map[string]struct {
-		pluginNameFmt string
-		pluginType    consts.PluginType
-		pluginVersion string
-	}{
-		"plugin name and file name match": {
-			pluginNameFmt: "%s",
-			pluginType:    consts.PluginTypeCredential,
-		},
-		"plugin name and file name mismatch": {
-			pluginNameFmt: "%s-foo",
-			pluginType:    consts.PluginTypeSecrets,
-		},
-		"plugin name has slash": {
-			pluginNameFmt: "%s/foo",
-			pluginType:    consts.PluginTypeCredential,
-		},
-		"plugin with version": {
-			pluginNameFmt: "%s/foo",
-			pluginType:    consts.PluginTypeCredential,
-			pluginVersion: "v1.2.3",
-		},
-	} {
-		t.Run(name, func(t *testing.T) {
-			c, plugins := testCoreWithPlugins(t, tc.pluginType, tc.pluginVersion)
-			registeredPluginName := fmt.Sprintf(tc.pluginNameFmt, plugins[0].Name)
-
-			// Permissions will be checked once during registration.
-			req := logical.TestRequest(t, logical.UpdateOperation, fmt.Sprintf("plugins/catalog/%s/%s", tc.pluginType.String(), registeredPluginName))
-			req.Data = map[string]interface{}{
-				"command": plugins[0].FileName,
-				"sha256":  plugins[0].Sha256,
-				"version": tc.pluginVersion,
-			}
-			resp, err := c.systemBackend.HandleRequest(namespace.RootContext(nil), req)
-			if err != nil {
-				t.Fatal(err)
-			}
-			if resp.Error() != nil {
-				t.Fatal(resp.Error())
-			}
-
-			// Now attempt to mount the plugin, which should trigger checking the permissions again.
-			req = logical.TestRequest(t, logical.UpdateOperation, mountTable(tc.pluginType))
-			req.Data = map[string]interface{}{
-				"type": registeredPluginName,
-			}
-			if tc.pluginVersion != "" {
-				req.Data["config"] = map[string]interface{}{
-					"plugin_version": tc.pluginVersion,
-				}
-			}
-			resp, err = c.systemBackend.HandleRequest(namespace.RootContext(nil), req)
-			if err != nil {
-				t.Fatal(err)
-			}
-			if resp.Error() != nil {
-				t.Fatal(resp.Error())
-			}
-		})
-	}
-}
-
-func TestExternalPlugin_DifferentVersionsAndArgs_AreNotMultiplexed(t *testing.T) {
-	env := []string{fmt.Sprintf("%s=yes", vaultTestingMockPluginEnv)}
-	core, _, _ := TestCoreUnsealed(t)
-
-	for i, tc := range []struct {
-		version  string
-		testName string
-	}{
-		{"v1.2.3", "TestBackend_PluginMain_Multiplexed_Logical_v123"},
-		{"v1.2.4", "TestBackend_PluginMain_Multiplexed_Logical_v124"},
-	} {
-		// Register and mount plugins.
-		TestAddTestPlugin(t, core, "mux-secret", consts.PluginTypeSecrets, tc.version, tc.testName, env, "")
-		mountPlugin(t, core.systemBackend, "mux-secret", consts.PluginTypeSecrets, tc.version, fmt.Sprintf("foo%d", i))
-	}
-
-	if len(core.pluginCatalog.externalPlugins) != 2 {
-		t.Fatalf("expected 2 external plugins, but got %d", len(core.pluginCatalog.externalPlugins))
-	}
-}
-
-func TestExternalPlugin_DifferentTypes_AreNotMultiplexed(t *testing.T) {
-	const version = "v1.2.3"
-	env := []string{fmt.Sprintf("%s=yes", vaultTestingMockPluginEnv)}
-	core, _, _ := TestCoreUnsealed(t)
-
-	// Register and mount plugins.
-	TestAddTestPlugin(t, core, "mux-aws", consts.PluginTypeSecrets, version, "TestBackend_PluginMain_Multiplexed_Logical_v123", env, "")
-	TestAddTestPlugin(t, core, "mux-aws", consts.PluginTypeCredential, version, "TestBackend_PluginMain_Multiplexed_Credential_v123", env, "")
-
-	mountPlugin(t, core.systemBackend, "mux-aws", consts.PluginTypeSecrets, version, "")
-	mountPlugin(t, core.systemBackend, "mux-aws", consts.PluginTypeCredential, version, "")
-
-	if len(core.pluginCatalog.externalPlugins) != 2 {
-		t.Fatalf("expected 2 external plugins, but got %d", len(core.pluginCatalog.externalPlugins))
-	}
-}
-
-func TestExternalPlugin_DifferentEnv_AreNotMultiplexed(t *testing.T) {
-	const version = "v1.2.3"
-	baseEnv := []string{
-		fmt.Sprintf("%s=yes", vaultTestingMockPluginEnv),
-	}
-	alteredEnv := []string{
-		fmt.Sprintf("%s=yes", vaultTestingMockPluginEnv),
-		"FOO=BAR",
-	}
-
-	core, _, _ := TestCoreUnsealed(t)
-
-	// Register and mount plugins.
-	for i, env := range [][]string{baseEnv, alteredEnv} {
-		TestAddTestPlugin(t, core, "mux-secret", consts.PluginTypeSecrets, version, "TestBackend_PluginMain_Multiplexed_Logical_v123", env, "")
-		mountPlugin(t, core.systemBackend, "mux-secret", consts.PluginTypeSecrets, version, fmt.Sprintf("foo%d", i))
-	}
-
-	if len(core.pluginCatalog.externalPlugins) != 2 {
-		t.Fatalf("expected 2 external plugins, but got %d", len(core.pluginCatalog.externalPlugins))
-	}
-}
-
-// Used to run a mock multiplexed secrets plugin
-func TestBackend_PluginMain_Multiplexed_Logical_v123(t *testing.T) {
-	if os.Getenv(vaultTestingMockPluginEnv) == "" {
-		return
-	}
+var (
+	_ cli.Command             = (*VersionCommand)(nil)
+	_ cli.CommandAutocomplete = (*VersionCommand)(nil)
+)
 
-	os.Setenv(mock.MockPluginVersionEnv, "v1.2.3")
+// VersionCommand is a Command implementation prints the version.
+type VersionCommand struct {
+	*BaseCommand
 
-	err := plugin.ServeMultiplex(&plugin.ServeOpts{
-		BackendFactoryFunc: mock.FactoryType(logical.TypeLogical),
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
+	VersionInfo *version.VersionInfo
 }
 
-// Used to run a mock multiplexed secrets plugin
-func TestBackend_PluginMain_Multiplexed_Logical_v124(t *testing.T) {
-	if os.Getenv(vaultTestingMockPluginEnv) == "" {
-		return
-	}
-
-	os.Setenv(mock.MockPluginVersionEnv, "v1.2.4")
-
-	err := plugin.ServeMultiplex(&plugin.ServeOpts{
-		BackendFactoryFunc: mock.FactoryType(logical.TypeLogical),
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
+func (c *VersionCommand) Synopsis() string {
+	return "Prints the Vault CLI version"
 }
 
-// Used to run a mock multiplexed auth plugin
-func TestBackend_PluginMain_Multiplexed_Credential_v123(t *testing.T) {
-	if os.Getenv(vaultTestingMockPluginEnv) == "" {
-		return
-	}
-
-	os.Setenv(mock.MockPluginVersionEnv, "v1.2.3")
+func (c *VersionCommand) Help() string {
+	helpText := `
+Usage: vault version
 
-	err := plugin.ServeMultiplex(&plugin.ServeOpts{
-		BackendFactoryFunc: mock.FactoryType(logical.TypeCredential),
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-}
+  Prints the version of this Vault CLI. This does not print the target Vault
+  server version.
 
-func registerPlugin(t *testing.T, sys *SystemBackend, pluginName, pluginType, version, sha, command string) {
-	t.Helper()
-	req := logical.TestRequest(t, logical.UpdateOperation, fmt.Sprintf("plugins/catalog/%s/%s", pluginType, pluginName))
-	req.Data = map[string]interface{}{
-		"command": command,
-		"sha256":  sha,
-		"version": version,
-	}
-	resp, err := sys.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil || (resp != nil && resp.IsError()) {
-		t.Fatalf("err:%v resp:%#v", err, resp)
-	}
-}
+  Print the version:
 
-func mountPluginWithResponse(t *testing.T, sys *SystemBackend, pluginName string, pluginType consts.PluginType, version, path string) (*logical.Response, error) {
-	t.Helper()
-	var mountPath string
-	if path == "" {
-		mountPath = mountTable(pluginType)
-	} else {
-		mountPath = mountTableWithPath(consts.PluginTypeSecrets, path)
-	}
-	req := logical.TestRequest(t, logical.UpdateOperation, mountPath)
-	req.Data = map[string]interface{}{
-		"type": pluginName,
-	}
-	if version != "" {
-		req.Data["config"] = map[string]interface{}{
-			"plugin_version": version,
-		}
-	}
-	return sys.HandleRequest(namespace.RootContext(nil), req)
-}
+      $ vault version
 
-func mountPlugin(t *testing.T, sys *SystemBackend, pluginName string, pluginType consts.PluginType, version, path string) {
-	t.Helper()
-	resp, err := mountPluginWithResponse(t, sys, pluginName, pluginType, version, path)
-	if err != nil || (resp != nil && resp.IsError()) {
-		t.Fatalf("err:%v resp:%#v", err, resp)
-	}
+  There are no arguments or flags to this command. Any additional arguments or
+  flags are ignored.
+`
+	return strings.TrimSpace(helpText)
 }
 
-func unmountPlugin(t *testing.T, sys *SystemBackend, pluginType consts.PluginType, path string) {
-	t.Helper()
-	var mountPath string
-	if path == "" {
-		mountPath = mountTable(pluginType)
-	} else {
-		mountPath = mountTableWithPath(pluginType, path)
-	}
-	req := logical.TestRequest(t, logical.DeleteOperation, mountPath)
-	resp, err := sys.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil || (resp != nil && resp.IsError()) {
-		t.Fatalf("err:%v resp:%#v", err, resp)
-	}
+func (c *VersionCommand) Flags() *FlagSets {
+	return nil
 }
 
-func deregisterPlugin(t *testing.T, sys *SystemBackend, pluginName, pluginType, version, sha, command string) {
-	t.Helper()
-	req := logical.TestRequest(t, logical.DeleteOperation, fmt.Sprintf("plugins/catalog/%s/%s", pluginType, pluginName))
-	req.Data = map[string]interface{}{
-		"command": command,
-		"sha256":  sha,
-		"version": version,
-	}
-	resp, err := sys.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil || (resp != nil && resp.IsError()) {
-		t.Fatalf("err:%v resp:%#v", err, resp)
-	}
+func (c *VersionCommand) AutocompleteArgs() complete.Predictor {
+	return nil
 }
 
-func mountTable(pluginType consts.PluginType) string {
-	return mountTableWithPath(pluginType, "foo")
+func (c *VersionCommand) AutocompleteFlags() complete.Flags {
+	return nil
 }
 
-func mountTableWithPath(pluginType consts.PluginType, path string) string {
-	switch pluginType {
-	case consts.PluginTypeCredential:
-		return "auth/" + path
-	case consts.PluginTypeSecrets:
-		return "mounts/" + path
-	default:
-		panic("test does not support mounting plugin type yet: " + pluginType.String())
+func (c *VersionCommand) Run(_ []string) int {
+	out := c.VersionInfo.FullVersionNumber(true)
+	if version.CgoEnabled {
+		out += " (cgo)"
 	}
+	c.UI.Output(out)
+	return 0
 }
diff --git a/vault/external_tests/api/sudo_paths_test.go b/vault/external_tests/api/sudo_paths_test.go
index 5d9e7516bbbd..7e3c7a2278ce 100644
--- a/vault/external_tests/api/sudo_paths_test.go
+++ b/vault/external_tests/api/sudo_paths_test.go
@@ -1,122 +1,96 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package api
-
-import (
-	"fmt"
-	"strings"
-	"testing"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/helper/builtinplugins"
-	"github.com/hashicorp/vault/sdk/helper/jsonutil"
-	"github.com/hashicorp/vault/vault"
-)
-
-const sudoKey = "x-vault-sudo"
-
-// Tests that the static list of sudo paths in the api package matches what's in the current OpenAPI spec.
-func TestSudoPaths(t *testing.T) {
-	t.Parallel()
-
-	coreConfig := &vault.CoreConfig{
-		EnableRaw:           true,
-		EnableIntrospection: true,
-		BuiltinRegistry:     builtinplugins.Registry,
-	}
-	client, _, closer := testVaultServerCoreConfig(t, coreConfig)
-	defer closer()
-
-	// At present there are no auth methods with sudo paths, except for the automatically mounted token backend
-	for _, credBackendName := range []string{} {
-		err := client.Sys().EnableAuthWithOptions(credBackendName, &api.EnableAuthOptions{
-			Type: credBackendName,
-		})
-		if err != nil {
-			t.Fatalf("error enabling auth backend for test: %v", err)
-		}
-	}
-
-	// Each secrets engine that contains sudo paths (other than automatically mounted ones) must be mounted here
-	for _, logicalBackendName := range []string{"pki"} {
-		err := client.Sys().Mount(logicalBackendName, &api.MountInput{
-			Type: logicalBackendName,
-		})
-		if err != nil {
-			t.Fatalf("error enabling logical backend for test: %v", err)
-		}
-	}
-
-	sudoPathsFromSpec, err := getSudoPathsFromSpec(client)
-	if err != nil {
-		t.Fatalf("error getting list of paths that require sudo from OpenAPI endpoint: %v", err)
-	}
-
-	sudoPathsInCode := api.SudoPaths()
-
-	// check for missing paths
-	for path := range sudoPathsFromSpec {
-		pathTrimmed := strings.TrimRight(path, "/")
-		if _, ok := sudoPathsInCode[pathTrimmed]; !ok {
-			t.Fatalf(
-				"A path in the OpenAPI spec is missing from the static list of "+
-					"sudo paths in the api module (%s). Please reconcile the two "+
-					"accordingly.", pathTrimmed)
-		}
-	}
-
-	// check for extra paths
-	for path := range sudoPathsInCode {
-		if _, ok := sudoPathsFromSpec[path]; !ok {
-			if _, ok := sudoPathsFromSpec[path+"/"]; !ok {
-				t.Fatalf(
-					"A path in the static list of sudo paths in the api module "+
-						"is not marked as a sudo path in the OpenAPI spec (%s). Please reconcile the two "+
-						"accordingly.", path)
-			}
-		}
-	}
-}
-
-func getSudoPathsFromSpec(client *api.Client) (map[string]struct{}, error) {
-	r := client.NewRequest("GET", "/v1/sys/internal/specs/openapi")
-	resp, err := client.RawRequest(r)
-	if err != nil {
-		return nil, fmt.Errorf("unable to retrieve sudo endpoints: %v", err)
-	}
-	if resp != nil {
-		defer resp.Body.Close()
-	}
-
-	oasInfo := make(map[string]interface{})
-	if err := jsonutil.DecodeJSONFromReader(resp.Body, &oasInfo); err != nil {
-		return nil, fmt.Errorf("unable to decode JSON from OpenAPI response: %v", err)
-	}
-
-	paths, ok := oasInfo["paths"]
-	if !ok {
-		return nil, fmt.Errorf("OpenAPI response did not include paths")
-	}
-
-	pathsMap, ok := paths.(map[string]interface{})
-	if !ok {
-		return nil, fmt.Errorf("OpenAPI response did not return valid paths")
-	}
-
-	sudoPaths := make(map[string]struct{})
-	for pathName, pathInfo := range pathsMap {
-		pathInfoMap, ok := pathInfo.(map[string]interface{})
-		if !ok {
-			continue
-		}
-
-		if sudo, ok := pathInfoMap[sudoKey]; ok {
-			if sudo == true {
-				sudoPaths[pathName] = struct{}{}
-			}
-		}
-	}
-
-	return sudoPaths, nil
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Service, { inject as service } from '@ember/service';
+import { keepLatestTask, task } from 'ember-concurrency';
+import { tracked } from '@glimmer/tracking';
+
+export default class VersionService extends Service {
+  @service store;
+  @tracked features = [];
+  @tracked version = null;
+  @tracked type = null;
+
+  get isEnterprise() {
+    return this.type === 'enterprise';
+  }
+
+  get isCommunity() {
+    return !this.isEnterprise;
+  }
+
+  /* Features */
+  get hasPerfReplication() {
+    return this.features.includes('Performance Replication');
+  }
+
+  get hasDRReplication() {
+    return this.features.includes('DR Replication');
+  }
+
+  get hasSentinel() {
+    return this.features.includes('Sentinel');
+  }
+
+  get hasNamespaces() {
+    return this.features.includes('Namespaces');
+  }
+
+  get hasControlGroups() {
+    return this.features.includes('Control Groups');
+  }
+
+  get versionDisplay() {
+    if (!this.version) {
+      return '';
+    }
+    return this.isEnterprise ? `v${this.version.slice(0, this.version.indexOf('+'))}` : `v${this.version}`;
+  }
+
+  @task({ drop: true })
+  *getVersion() {
+    if (this.version) return;
+    const response = yield this.store.adapterFor('cluster').fetchVersion();
+    this.version = response.data?.version;
+  }
+
+  @task
+  *getType() {
+    if (this.type !== null) return;
+    const response = yield this.store.adapterFor('cluster').health();
+    if (response.has_chroot_namespace) {
+      // chroot_namespace feature is only available in enterprise
+      this.type = 'enterprise';
+      return;
+    }
+    this.type = response.enterprise ? 'enterprise' : 'community';
+  }
+
+  @keepLatestTask
+  *getFeatures() {
+    if (this.features?.length || this.isCommunity) {
+      return;
+    }
+    try {
+      const response = yield this.store.adapterFor('cluster').features();
+      this.features = response.features;
+      return;
+    } catch (err) {
+      // if we fail here, we're likely in DR Secondary mode and don't need to worry about it
+    }
+  }
+
+  fetchVersion() {
+    return this.getVersion.perform();
+  }
+
+  fetchType() {
+    return this.getType.perform();
+  }
+
+  fetchFeatures() {
+    return this.getFeatures.perform();
+  }
 }
diff --git a/vault/external_tests/api/sys_rekey_ext_test.go b/vault/external_tests/api/sys_rekey_ext_test.go
index f1a63ed83920..7326bffdeddf 100644
--- a/vault/external_tests/api/sys_rekey_ext_test.go
+++ b/vault/external_tests/api/sys_rekey_ext_test.go
@@ -1,300 +1,134 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package api
+package command
 
 import (
-	"encoding/base64"
 	"fmt"
-	"testing"
-
-	"github.com/hashicorp/go-hclog"
-	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/helper/testhelpers"
-	vaulthttp "github.com/hashicorp/vault/http"
-	"github.com/hashicorp/vault/sdk/helper/logging"
-	"github.com/hashicorp/vault/sdk/physical/inmem"
-	"github.com/hashicorp/vault/vault"
-	"github.com/hashicorp/vault/vault/seal"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/posener/complete"
+	"github.com/ryanuber/columnize"
 )
 
-func TestSysRekey_Verification(t *testing.T) {
-	testcases := []struct {
-		recovery     bool
-		legacyShamir bool
-	}{
-		{recovery: true, legacyShamir: false},
-		{recovery: false, legacyShamir: false},
-		{recovery: false, legacyShamir: true},
-	}
+var (
+	_ cli.Command             = (*VersionHistoryCommand)(nil)
+	_ cli.CommandAutocomplete = (*VersionHistoryCommand)(nil)
+)
 
-	for _, tc := range testcases {
-		recovery, legacy := tc.recovery, tc.legacyShamir
-		t.Run(fmt.Sprintf("recovery=%v,legacyShamir=%v", recovery, legacy), func(t *testing.T) {
-			t.Parallel()
-			testSysRekey_Verification(t, recovery, legacy)
-		})
-	}
+// VersionHistoryCommand is a Command implementation prints the version.
+type VersionHistoryCommand struct {
+	*BaseCommand
 }
 
-func testSysRekey_Verification(t *testing.T, recovery bool, legacyShamir bool) {
-	opts := &vault.TestClusterOptions{
-		HandlerFunc: vaulthttp.Handler,
-	}
-	switch {
-	case recovery:
-		if legacyShamir {
-			panic("invalid case")
-		}
-		opts.SealFunc = func() vault.Seal {
-			return vault.NewTestSeal(t, &seal.TestSealOpts{
-				StoredKeys: seal.StoredKeysSupportedGeneric,
-			})
-		}
-	case legacyShamir:
-		opts.SealFunc = func() vault.Seal {
-			return vault.NewTestSeal(t, &seal.TestSealOpts{
-				StoredKeys: seal.StoredKeysNotSupported,
-			})
-		}
-	}
-	inm, err := inmem.NewInmemHA(nil, logging.NewVaultLogger(hclog.Debug))
-	if err != nil {
-		t.Fatal(err)
-	}
-	conf := vault.CoreConfig{
-		Physical: inm,
-	}
-	cluster := vault.NewTestCluster(t, &conf, opts)
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
-	client := cluster.Cores[0].Client
-	client.SetMaxRetries(0)
-
-	initFunc := client.Sys().RekeyInit
-	updateFunc := client.Sys().RekeyUpdate
-	verificationUpdateFunc := client.Sys().RekeyVerificationUpdate
-	verificationStatusFunc := client.Sys().RekeyVerificationStatus
-	verificationCancelFunc := client.Sys().RekeyVerificationCancel
-	if recovery {
-		initFunc = client.Sys().RekeyRecoveryKeyInit
-		updateFunc = client.Sys().RekeyRecoveryKeyUpdate
-		verificationUpdateFunc = client.Sys().RekeyRecoveryKeyVerificationUpdate
-		verificationStatusFunc = client.Sys().RekeyRecoveryKeyVerificationStatus
-		verificationCancelFunc = client.Sys().RekeyRecoveryKeyVerificationCancel
-	}
+func (c *VersionHistoryCommand) Synopsis() string {
+	return "Prints the version history of the target Vault server"
+}
 
-	var verificationNonce string
-	var newKeys []string
-	doRekeyInitialSteps := func() {
-		status, err := initFunc(&api.RekeyInitRequest{
-			SecretShares:        5,
-			SecretThreshold:     3,
-			RequireVerification: true,
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-		if status == nil {
-			t.Fatal("nil status")
-		}
-		if !status.VerificationRequired {
-			t.Fatal("expected verification required")
-		}
+func (c *VersionHistoryCommand) Help() string {
+	helpText := `
+Usage: vault version-history
 
-		keys := cluster.BarrierKeys
-		if recovery {
-			keys = cluster.RecoveryKeys
-		}
-		var resp *api.RekeyUpdateResponse
-		for i := 0; i < 3; i++ {
-			resp, err = updateFunc(base64.StdEncoding.EncodeToString(keys[i]), status.Nonce)
-			if err != nil {
-				t.Fatal(err)
-			}
-		}
-		switch {
-		case !resp.Complete:
-			t.Fatal("expected completion")
-		case !resp.VerificationRequired:
-			t.Fatal("expected verification required")
-		case resp.VerificationNonce == "":
-			t.Fatal("verification nonce expected")
-		}
-		verificationNonce = resp.VerificationNonce
-		newKeys = resp.KeysB64
-		t.Logf("verification nonce: %q", verificationNonce)
-	}
+  Prints the version history of the target Vault server.
 
-	doRekeyInitialSteps()
+  Print the version history:
 
-	// We are still going, so should not be able to init again
-	_, err = initFunc(&api.RekeyInitRequest{
-		SecretShares:        5,
-		SecretThreshold:     3,
-		RequireVerification: true,
-	})
-	if err == nil {
-		t.Fatal("expected error")
-	}
+      $ vault version-history
+` + c.Flags().Help()
+	return strings.TrimSpace(helpText)
+}
 
-	// Sealing should clear state, so after this we should be able to perform
-	// the above again
-	cluster.EnsureCoresSealed(t)
-	if err := cluster.UnsealCoresWithError(recovery); err != nil {
-		t.Fatal(err)
-	}
-	doRekeyInitialSteps()
-
-	doStartVerify := func() {
-		// Start the process
-		for i := 0; i < 2; i++ {
-			status, err := verificationUpdateFunc(newKeys[i], verificationNonce)
-			if err != nil {
-				t.Fatal(err)
-			}
-			switch {
-			case status.Nonce != verificationNonce:
-				t.Fatalf("unexpected nonce, expected %q, got %q", verificationNonce, status.Nonce)
-			case status.Complete:
-				t.Fatal("unexpected completion")
-			}
-		}
+func (c *VersionHistoryCommand) Flags() *FlagSets {
+	return c.flagSet(FlagSetOutputFormat)
+}
 
-		// Check status
-		vStatus, err := verificationStatusFunc()
-		if err != nil {
-			t.Fatal(err)
-		}
-		switch {
-		case vStatus.Nonce != verificationNonce:
-			t.Fatalf("unexpected nonce, expected %q, got %q", verificationNonce, vStatus.Nonce)
-		case vStatus.T != 3:
-			t.Fatal("unexpected threshold")
-		case vStatus.N != 5:
-			t.Fatal("unexpected number of new keys")
-		case vStatus.Progress != 2:
-			t.Fatal("unexpected progress")
-		}
-	}
+func (c *VersionHistoryCommand) AutocompleteArgs() complete.Predictor {
+	return complete.PredictNothing
+}
 
-	doStartVerify()
+func (c *VersionHistoryCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
 
-	// Cancel; this should still keep the rekey process going but just cancel
-	// the verification operation
-	err = verificationCancelFunc()
-	if err != nil {
-		t.Fatal(err)
+const versionTrackingWarning = `Note:
+Use of this command requires a server running Vault 1.10.0 or greater.
+Version tracking was added in 1.9.0. Earlier versions have not been tracked.
+`
+
+func (c *VersionHistoryCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
 	}
-	// Verify cannot init again
-	_, err = initFunc(&api.RekeyInitRequest{
-		SecretShares:        5,
-		SecretThreshold:     3,
-		RequireVerification: true,
-	})
-	if err == nil {
-		t.Fatal("expected error")
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
 	}
-	vStatus, err := verificationStatusFunc()
+
+	resp, err := client.Logical().List("sys/version-history")
 	if err != nil {
-		t.Fatal(err)
+		c.UI.Error(fmt.Sprintf("Error reading version history: %s", err))
+		return 2
 	}
-	switch {
-	case vStatus.Nonce == verificationNonce:
-		t.Fatalf("unexpected nonce, expected not-%q but got it", verificationNonce)
-	case vStatus.T != 3:
-		t.Fatal("unexpected threshold")
-	case vStatus.N != 5:
-		t.Fatal("unexpected number of new keys")
-	case vStatus.Progress != 0:
-		t.Fatal("unexpected progress")
+
+	if resp == nil || resp.Data == nil {
+		c.UI.Error("Invalid response returned from Vault")
+		return 2
 	}
 
-	verificationNonce = vStatus.Nonce
-	doStartVerify()
-
-	if !recovery {
-		// Sealing should clear state, but we never actually finished, so it should
-		// still be the old keys (which are still currently set)
-		cluster.EnsureCoresSealed(t)
-		cluster.UnsealCores(t)
-		vault.TestWaitActive(t, cluster.Cores[0].Core)
-
-		// Should be able to init again and get back to where we were
-		doRekeyInitialSteps()
-		doStartVerify()
-	} else {
-		// We haven't finished, so generating a root token should still be the
-		// old keys (which are still currently set)
-		testhelpers.GenerateRoot(t, cluster, testhelpers.GenerateRootRegular)
+	if c.flagFormat == "json" {
+		c.UI.Warn("")
+		c.UI.Warn(versionTrackingWarning)
+		c.UI.Warn("")
+
+		return OutputData(c.UI, resp)
 	}
 
-	// Provide the final new key
-	vuStatus, err := verificationUpdateFunc(newKeys[2], verificationNonce)
-	if err != nil {
-		t.Fatal(err)
+	var keyInfo map[string]interface{}
+
+	keys, ok := extractListData(resp)
+	if !ok {
+		c.UI.Error("Expected keys in response to be an array")
+		return 2
 	}
-	switch {
-	case vuStatus.Nonce != verificationNonce:
-		t.Fatalf("unexpected nonce, expected %q, got %q", verificationNonce, vuStatus.Nonce)
-	case !vuStatus.Complete:
-		t.Fatal("expected completion")
+
+	keyInfo, ok = resp.Data["key_info"].(map[string]interface{})
+	if !ok {
+		c.UI.Error("Expected key_info in response to be a map")
+		return 2
 	}
 
-	if !recovery {
-		// Seal and unseal -- it should fail to unseal because the key has now been
-		// rotated
-		cluster.EnsureCoresSealed(t)
-
-		// Simulate restarting Vault rather than just a seal/unseal, because
-		// the standbys may not have had time to learn about the new key before
-		// we sealed them.  We could sleep, but that's unreliable.
-		oldKeys := cluster.BarrierKeys
-		opts.SkipInit = true
-		opts.SealFunc = nil // post rekey we should use the barrier config on disk
-		cluster = vault.NewTestCluster(t, &conf, opts)
-		cluster.BarrierKeys = oldKeys
-		cluster.Start()
-		defer cluster.Cleanup()
-
-		if err := cluster.UnsealCoresWithError(false); err == nil {
-			t.Fatal("expected error")
-		}
+	table := []string{"Version | Installation Time | Build Date"}
+	columnConfig := columnize.DefaultConfig()
 
-		// Swap out the keys with our new ones and try again
-		var newKeyBytes [][]byte
-		for _, key := range newKeys {
-			val, err := base64.StdEncoding.DecodeString(key)
-			if err != nil {
-				t.Fatal(err)
-			}
-			newKeyBytes = append(newKeyBytes, val)
-		}
-		cluster.BarrierKeys = newKeyBytes
-		if err := cluster.UnsealCoresWithError(false); err != nil {
-			t.Fatal(err)
-		}
-	} else {
-		// The old keys should no longer work
-		_, err := testhelpers.GenerateRootWithError(t, cluster, testhelpers.GenerateRootRegular)
-		if err == nil {
-			t.Fatal("expected error")
-		}
+	for _, versionRaw := range keys {
+		version, ok := versionRaw.(string)
 
-		// Put the new keys in place and run again
-		cluster.RecoveryKeys = nil
-		for _, key := range newKeys {
-			dec, err := base64.StdEncoding.DecodeString(key)
-			if err != nil {
-				t.Fatal(err)
-			}
-			cluster.RecoveryKeys = append(cluster.RecoveryKeys, dec)
+		if !ok {
+			c.UI.Error("Expected version to be string")
+			return 2
 		}
-		if err := client.Sys().GenerateRootCancel(); err != nil {
-			t.Fatal(err)
+
+		versionInfoRaw := keyInfo[version]
+
+		versionInfo, ok := versionInfoRaw.(map[string]interface{})
+		if !ok {
+			c.UI.Error(fmt.Sprintf("Expected version info for %q to be map", version))
+			return 2
 		}
-		testhelpers.GenerateRoot(t, cluster, testhelpers.GenerateRootRegular)
+
+		table = append(table, fmt.Sprintf("%s | %s | %s", version, versionInfo["timestamp_installed"], versionInfo["build_date"]))
 	}
+
+	c.UI.Warn("")
+	c.UI.Warn(versionTrackingWarning)
+	c.UI.Warn("")
+	c.UI.Output(tableOutput(table, columnConfig))
+
+	return 0
 }
diff --git a/vault/external_tests/delegated_auth/delegated_auth_test.go b/vault/external_tests/delegated_auth/delegated_auth_test.go
new file mode 100644
index 000000000000..8d2e18445107
--- /dev/null
+++ b/vault/external_tests/delegated_auth/delegated_auth_test.go
@@ -0,0 +1,114 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package command
+
+import (
+	"bytes"
+	"encoding/json"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/version"
+)
+
+func testVersionHistoryCommand(tb testing.TB) (*cli.MockUi, *VersionHistoryCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &VersionHistoryCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestVersionHistoryCommand_TableOutput(t *testing.T) {
+	client, closer := testVaultServer(t)
+	defer closer()
+
+	ui, cmd := testVersionHistoryCommand(t)
+	cmd.client = client
+
+	code := cmd.Run([]string{})
+
+	if expectedCode := 0; code != expectedCode {
+		t.Fatalf("expected %d to be %d: %s", code, expectedCode, ui.ErrorWriter.String())
+	}
+
+	if errorString := ui.ErrorWriter.String(); !strings.Contains(errorString, versionTrackingWarning) {
+		t.Errorf("expected %q to contain %q", errorString, versionTrackingWarning)
+	}
+
+	output := ui.OutputWriter.String()
+
+	if !strings.Contains(output, version.Version) {
+		t.Errorf("expected %q to contain version %q", output, version.Version)
+	}
+}
+
+func TestVersionHistoryCommand_JsonOutput(t *testing.T) {
+	client, closer := testVaultServer(t)
+	defer closer()
+
+	stdout := bytes.NewBuffer(nil)
+	stderr := bytes.NewBuffer(nil)
+	runOpts := &RunOptions{
+		Stdout: stdout,
+		Stderr: stderr,
+		Client: client,
+	}
+
+	args, format, _, _, _ := setupEnv([]string{"version-history", "-format", "json"})
+	if format != "json" {
+		t.Fatalf("expected format to be %q, actual %q", "json", format)
+	}
+
+	code := RunCustom(args, runOpts)
+
+	if expectedCode := 0; code != expectedCode {
+		t.Fatalf("expected %d to be %d: %s", code, expectedCode, stderr.String())
+	}
+
+	if stderrString := stderr.String(); !strings.Contains(stderrString, versionTrackingWarning) {
+		t.Errorf("expected %q to contain %q", stderrString, versionTrackingWarning)
+	}
+
+	stdoutBytes := stdout.Bytes()
+
+	if !json.Valid(stdoutBytes) {
+		t.Fatalf("expected output %q to be valid JSON", stdoutBytes)
+	}
+
+	var versionHistoryResp map[string]interface{}
+	err := json.Unmarshal(stdoutBytes, &versionHistoryResp)
+	if err != nil {
+		t.Fatalf("failed to unmarshal json from STDOUT, err: %s", err.Error())
+	}
+
+	var respData map[string]interface{}
+	var ok bool
+	var keys []interface{}
+	var keyInfo map[string]interface{}
+
+	if respData, ok = versionHistoryResp["data"].(map[string]interface{}); !ok {
+		t.Fatalf("expected data key to be map, actual: %#v", versionHistoryResp["data"])
+	}
+
+	if keys, ok = respData["keys"].([]interface{}); !ok {
+		t.Fatalf("expected keys to be array, actual: %#v", respData["keys"])
+	}
+
+	if keyInfo, ok = respData["key_info"].(map[string]interface{}); !ok {
+		t.Fatalf("expected key_info to be map, actual: %#v", respData["key_info"])
+	}
+
+	if len(keys) != 1 {
+		t.Fatalf("expected single version history entry for %q", version.Version)
+	}
+
+	if keyInfo[version.Version] == nil {
+		t.Fatalf("expected version %s to be present in key_info, actual: %#v", version.Version, keyInfo)
+	}
+}
diff --git a/vault/external_tests/plugin/external_plugin_test.go b/vault/external_tests/plugin/external_plugin_test.go
index d3de1afc3980..abacfd3662c0 100644
--- a/vault/external_tests/plugin/external_plugin_test.go
+++ b/vault/external_tests/plugin/external_plugin_test.go
@@ -1,1022 +1,56 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package plugin_test
+package command
 
 import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"os"
-	"path/filepath"
+	"strings"
 	"testing"
-	"time"
 
-	"github.com/hashicorp/vault/audit"
-	auditFile "github.com/hashicorp/vault/builtin/audit/file"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/api/auth/approle"
-	"github.com/hashicorp/vault/builtin/logical/database"
-	"github.com/hashicorp/vault/helper/namespace"
-	"github.com/hashicorp/vault/helper/testhelpers/consul"
-	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
-	"github.com/hashicorp/vault/helper/testhelpers/pluginhelpers"
-	postgreshelper "github.com/hashicorp/vault/helper/testhelpers/postgresql"
-	vaulthttp "github.com/hashicorp/vault/http"
-	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/hashicorp/vault/sdk/logical"
-	"github.com/hashicorp/vault/vault"
-
-	_ "github.com/jackc/pgx/v4/stdlib"
+	"github.com/hashicorp/cli"
+	"github.com/hashicorp/vault/version"
 )
 
-func getClusterWithFileAuditBackend(t *testing.T, typ consts.PluginType, numCores int) *vault.TestCluster {
-	pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
-	t.Cleanup(func() { cleanup(t) })
-	coreConfig := &vault.CoreConfig{
-		PluginDirectory: pluginDir,
-		LogicalBackends: map[string]logical.Factory{
-			"database": database.Factory,
-		},
-		AuditBackends: map[string]audit.Factory{
-			"file": auditFile.Factory,
-		},
-	}
-
-	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
-		TempDir:  pluginDir,
-		NumCores: numCores,
-		Plugins: &vault.TestPluginConfig{
-			Typ:      typ,
-			Versions: []string{""},
-		},
-		HandlerFunc: vaulthttp.Handler,
-	})
-
-	cluster.Start()
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
-
-	return cluster
-}
-
-func getCluster(t *testing.T, typ consts.PluginType, numCores int) *vault.TestCluster {
-	pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
-	t.Cleanup(func() { cleanup(t) })
-	coreConfig := &vault.CoreConfig{
-		PluginDirectory: pluginDir,
-		LogicalBackends: map[string]logical.Factory{
-			"database": database.Factory,
-		},
-	}
-
-	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
-		TempDir:  pluginDir,
-		NumCores: numCores,
-		Plugins: &vault.TestPluginConfig{
-			Typ:      typ,
-			Versions: []string{""},
-		},
-		HandlerFunc: vaulthttp.Handler,
-	})
-
-	cluster.Start()
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
-
-	return cluster
-}
-
-// TestExternalPlugin_RollbackAndReload ensures that we can successfully
-// rollback and reload a plugin without triggering race conditions by the go
-// race detector
-func TestExternalPlugin_RollbackAndReload(t *testing.T) {
-	pluginDir, cleanup := corehelpers.MakeTestPluginDir(t)
-	t.Cleanup(func() { cleanup(t) })
-	coreConfig := &vault.CoreConfig{
-		// set rollback period to a short interval to make conditions more "racy"
-		RollbackPeriod:  1 * time.Second,
-		PluginDirectory: pluginDir,
-	}
+func testVersionCommand(tb testing.TB) (*cli.MockUi, *VersionCommand) {
+	tb.Helper()
 
-	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
-		TempDir:  pluginDir,
-		NumCores: 1,
-		Plugins: &vault.TestPluginConfig{
-			Typ:      consts.PluginTypeSecrets,
-			Versions: []string{""},
+	ui := cli.NewMockUi()
+	return ui, &VersionCommand{
+		VersionInfo: &version.VersionInfo{},
+		BaseCommand: &BaseCommand{
+			UI: ui,
 		},
-		HandlerFunc: vaulthttp.Handler,
-	})
-
-	cluster.Start()
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
-
-	core := cluster.Cores[0]
-	plugin := cluster.Plugins[0]
-	client := core.Client
-	client.SetToken(cluster.RootToken)
-
-	testRegisterAndEnable(t, client, plugin)
-	if _, err := client.Sys().ReloadPlugin(&api.ReloadPluginInput{
-		Plugin: plugin.Name,
-	}); err != nil {
-		t.Fatal(err)
 	}
 }
 
-func testRegisterAndEnable(t *testing.T, client *api.Client, plugin pluginhelpers.TestPlugin) {
-	t.Helper()
-	if err := client.Sys().RegisterPlugin(&api.RegisterPluginInput{
-		Name:    plugin.Name,
-		Type:    api.PluginType(plugin.Typ),
-		Command: plugin.Name,
-		SHA256:  plugin.Sha256,
-		Version: plugin.Version,
-	}); err != nil {
-		t.Fatal(err)
-	}
+func TestVersionCommand_Run(t *testing.T) {
+	t.Parallel()
 
-	switch plugin.Typ {
-	case consts.PluginTypeSecrets:
-		if err := client.Sys().Mount(plugin.Name, &api.MountInput{
-			Type: plugin.Name,
-		}); err != nil {
-			t.Fatal(err)
-		}
-	case consts.PluginTypeCredential:
-		if err := client.Sys().EnableAuthWithOptions(plugin.Name, &api.EnableAuthOptions{
-			Type: plugin.Name,
-		}); err != nil {
-			t.Fatal(err)
-		}
-	}
-}
-
-// TestExternalPlugin_ContinueOnError tests that vault can recover from a
-// sha256 mismatch or missing plugin binary scenario
-func TestExternalPlugin_ContinueOnError(t *testing.T) {
-	t.Run("secret", func(t *testing.T) {
-		t.Parallel()
-		t.Run("sha256_mismatch", func(t *testing.T) {
-			t.Parallel()
-			testExternalPlugin_ContinueOnError(t, true, consts.PluginTypeSecrets)
-		})
-
-		t.Run("missing_plugin", func(t *testing.T) {
-			t.Parallel()
-			testExternalPlugin_ContinueOnError(t, false, consts.PluginTypeSecrets)
-		})
-	})
-
-	t.Run("auth", func(t *testing.T) {
+	t.Run("output", func(t *testing.T) {
 		t.Parallel()
-		t.Run("sha256_mismatch", func(t *testing.T) {
-			t.Parallel()
-			testExternalPlugin_ContinueOnError(t, true, consts.PluginTypeCredential)
-		})
 
-		t.Run("missing_plugin", func(t *testing.T) {
-			t.Parallel()
-			testExternalPlugin_ContinueOnError(t, false, consts.PluginTypeCredential)
-		})
-	})
-}
+		client, closer := testVaultServer(t)
+		defer closer()
 
-func testExternalPlugin_ContinueOnError(t *testing.T, mismatch bool, pluginType consts.PluginType) {
-	cluster := getCluster(t, pluginType, 1)
-	defer cluster.Cleanup()
+		ui, cmd := testVersionCommand(t)
+		cmd.client = client
 
-	core := cluster.Cores[0]
-	plugin := cluster.Plugins[0]
-	client := core.Client
-	client.SetToken(cluster.RootToken)
-
-	testRegisterAndEnable(t, client, plugin)
-	pluginPath := fmt.Sprintf("sys/plugins/catalog/%s/%s", pluginType, plugin.Name)
-	// Get the registered plugin
-	req := logical.TestRequest(t, logical.ReadOperation, pluginPath)
-	req.ClientToken = core.Client.Token()
-	resp, err := core.HandleRequest(namespace.RootContext(testCtx), req)
-	if err != nil || resp == nil || (resp != nil && resp.IsError()) {
-		t.Fatalf("err:%v resp:%#v", err, resp)
-	}
-
-	command, ok := resp.Data["command"].(string)
-	if !ok || command == "" {
-		t.Fatal("invalid command")
-	}
-
-	// Trigger a sha256 mismatch or missing plugin error
-	if mismatch {
-		req = logical.TestRequest(t, logical.UpdateOperation, pluginPath)
-		req.Data = map[string]interface{}{
-			"sha256":  "d17bd7334758e53e6fbab15745d2520765c06e296f2ce8e25b7919effa0ac216",
-			"command": filepath.Base(command),
-		}
-		req.ClientToken = core.Client.Token()
-		resp, err = core.HandleRequest(namespace.RootContext(testCtx), req)
-		if err != nil || (resp != nil && resp.IsError()) {
-			t.Fatalf("err:%v resp:%#v", err, resp)
-		}
-	} else {
-		err := os.Remove(filepath.Join(cluster.TempDir, filepath.Base(command)))
-		if err != nil {
-			t.Fatal(err)
+		code := cmd.Run(nil)
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
 		}
-	}
-
-	// Seal the cluster
-	cluster.EnsureCoresSealed(t)
-
-	// Unseal the cluster
-	barrierKeys := cluster.BarrierKeys
-	for _, core := range cluster.Cores {
-		for _, key := range barrierKeys {
-			_, err := core.Unseal(vault.TestKeyCopy(key))
-			if err != nil {
-				t.Fatal(err)
-			}
-		}
-		if core.Sealed() {
-			t.Fatal("should not be sealed")
-		}
-	}
-
-	// Wait for active so post-unseal takes place
-	// If it fails, it means unseal process failed
-	vault.TestWaitActive(t, core.Core)
 
-	// unmount
-	switch pluginType {
-	case consts.PluginTypeSecrets:
-		if err := client.Sys().Unmount(plugin.Name); err != nil {
-			t.Fatal(err)
-		}
-	case consts.PluginTypeCredential:
-		if err := client.Sys().DisableAuth(plugin.Name); err != nil {
-			t.Fatal(err)
-		}
-	}
-
-	// Re-compile plugin
-	var plugins []pluginhelpers.TestPlugin
-	plugins = append(plugins, pluginhelpers.CompilePlugin(t, pluginType, "", core.CoreConfig.PluginDirectory))
-	cluster.Plugins = plugins
-
-	// Re-add the plugin to the catalog
-	testRegisterAndEnable(t, client, plugin)
-
-	// Reload the plugin
-	req = logical.TestRequest(t, logical.UpdateOperation, "sys/plugins/reload/backend")
-	req.Data = map[string]interface{}{
-		"plugin": plugin.Name,
-	}
-	req.ClientToken = core.Client.Token()
-	resp, err = core.HandleRequest(namespace.RootContext(testCtx), req)
-	if err != nil || (resp != nil && resp.IsError()) {
-		t.Fatalf("err:%v resp:%#v", err, resp)
-	}
-
-	req = logical.TestRequest(t, logical.ReadOperation, pluginPath)
-	req.ClientToken = core.Client.Token()
-	resp, err = core.HandleRequest(namespace.RootContext(testCtx), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if resp == nil {
-		t.Fatalf("bad: response should not be nil")
-	}
-}
-
-// TestExternalPlugin_AuthMethod tests that we can build, register and use an
-// external auth method
-func TestExternalPlugin_AuthMethod(t *testing.T) {
-	cluster := getCluster(t, consts.PluginTypeCredential, 5)
-	defer cluster.Cleanup()
-
-	plugin := cluster.Plugins[0]
-	client := cluster.Cores[0].Client
-	client.SetToken(cluster.RootToken)
-
-	// Register
-	if err := client.Sys().RegisterPlugin(&api.RegisterPluginInput{
-		Name:    plugin.Name,
-		Type:    api.PluginType(plugin.Typ),
-		Command: plugin.Name,
-		SHA256:  plugin.Sha256,
-		Version: plugin.Version,
-	}); err != nil {
-		t.Fatal(err)
-	}
-
-	// define a group of parallel tests so we wait for their execution before
-	// continuing on to cleanup
-	// see: https://go.dev/blog/subtests
-	t.Run("parallel execution group", func(t *testing.T) {
-		// loop to mount 5 auth methods that will each share a single
-		// plugin process
-		for i := 0; i < 5; i++ {
-			i := i
-			pluginPath := fmt.Sprintf("%s-%d", plugin.Name, i)
-			client := cluster.Cores[i].Client
-			t.Run(pluginPath, func(t *testing.T) {
-				t.Parallel()
-				client.SetToken(cluster.RootToken)
-				// Enable
-				if err := client.Sys().EnableAuthWithOptions(pluginPath, &api.EnableAuthOptions{
-					Type: plugin.Name,
-				}); err != nil {
-					t.Fatal(err)
-				}
-
-				// Configure
-				_, err := client.Logical().Write("auth/"+pluginPath+"/role/role1", map[string]interface{}{
-					"bind_secret_id": "true",
-					"period":         "300",
-				})
-				if err != nil {
-					t.Fatal(err)
-				}
-
-				secret, err := client.Logical().Write("auth/"+pluginPath+"/role/role1/secret-id", nil)
-				if err != nil {
-					t.Fatal(err)
-				}
-				secretID := secret.Data["secret_id"].(string)
-
-				secret, err = client.Logical().Read("auth/" + pluginPath + "/role/role1/role-id")
-				if err != nil {
-					t.Fatal(err)
-				}
-				roleID := secret.Data["role_id"].(string)
-
-				// Login - expect SUCCESS
-				authMethod, err := approle.NewAppRoleAuth(
-					roleID,
-					&approle.SecretID{FromString: secretID},
-					approle.WithMountPath(pluginPath),
-				)
-				if err != nil {
-					t.Fatal(err)
-				}
-				_, err = client.Auth().Login(context.Background(), authMethod)
-				if err != nil {
-					t.Fatal(err)
-				}
-
-				// Renew
-				resp, err := client.Auth().Token().RenewSelf(30)
-				if err != nil {
-					t.Fatal(err)
-				}
-
-				// Login - expect SUCCESS
-				resp, err = client.Auth().Login(context.Background(), authMethod)
-				if err != nil {
-					t.Fatal(err)
-				}
-
-				revokeToken := resp.Auth.ClientToken
-				// Revoke
-				if err = client.Auth().Token().RevokeSelf(revokeToken); err != nil {
-					t.Fatal(err)
-				}
-
-				// Reset root token
-				client.SetToken(cluster.RootToken)
-
-				// Lookup - expect FAILURE
-				resp, err = client.Auth().Token().Lookup(revokeToken)
-				if err == nil {
-					t.Fatalf("expected error, got nil")
-				}
-
-				// Reset root token
-				client.SetToken(cluster.RootToken)
-			})
-		}
-	})
-
-	// Deregister
-	if err := client.Sys().DeregisterPlugin(&api.DeregisterPluginInput{
-		Name:    plugin.Name,
-		Type:    api.PluginType(plugin.Typ),
-		Version: plugin.Version,
-	}); err != nil {
-		t.Fatal(err)
-	}
-}
-
-// TestExternalPlugin_AuthMethodReload tests that we can use an external auth
-// method after reload
-func TestExternalPlugin_AuthMethodReload(t *testing.T) {
-	cluster := getCluster(t, consts.PluginTypeCredential, 1)
-	defer cluster.Cleanup()
-
-	plugin := cluster.Plugins[0]
-	client := cluster.Cores[0].Client
-	client.SetToken(cluster.RootToken)
-
-	testRegisterAndEnable(t, client, plugin)
-
-	// Configure
-	_, err := client.Logical().Write("auth/"+plugin.Name+"/role/role1", map[string]interface{}{
-		"bind_secret_id": "true",
-		"period":         "300",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	secret, err := client.Logical().Write("auth/"+plugin.Name+"/role/role1/secret-id", nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	secretID := secret.Data["secret_id"].(string)
-
-	secret, err = client.Logical().Read("auth/" + plugin.Name + "/role/role1/role-id")
-	if err != nil {
-		t.Fatal(err)
-	}
-	roleID := secret.Data["role_id"].(string)
-
-	// Login - expect SUCCESS
-	authMethod, err := approle.NewAppRoleAuth(
-		roleID,
-		&approle.SecretID{FromString: secretID},
-		approle.WithMountPath(plugin.Name),
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-	_, err = client.Auth().Login(context.Background(), authMethod)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Reset root token
-	client.SetToken(cluster.RootToken)
-
-	// Reload plugin
-	if _, err := client.Sys().ReloadPlugin(&api.ReloadPluginInput{
-		Plugin: plugin.Name,
-	}); err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = client.Auth().Login(context.Background(), authMethod)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Reset root token
-	client.SetToken(cluster.RootToken)
-
-	// Deregister
-	if err := client.Sys().DeregisterPlugin(&api.DeregisterPluginInput{
-		Name:    plugin.Name,
-		Type:    api.PluginType(plugin.Typ),
-		Version: plugin.Version,
-	}); err != nil {
-		t.Fatal(err)
-	}
-}
-
-// TestExternalPlugin_SecretsEngine tests that we can build, register and use an
-// external secrets engine
-func TestExternalPlugin_SecretsEngine(t *testing.T) {
-	cluster := getCluster(t, consts.PluginTypeSecrets, 1)
-	defer cluster.Cleanup()
-
-	plugin := cluster.Plugins[0]
-	client := cluster.Cores[0].Client
-	client.SetToken(cluster.RootToken)
-
-	// Register
-	if err := client.Sys().RegisterPlugin(&api.RegisterPluginInput{
-		Name:    plugin.Name,
-		Type:    api.PluginType(plugin.Typ),
-		Command: plugin.Name,
-		SHA256:  plugin.Sha256,
-		Version: plugin.Version,
-	}); err != nil {
-		t.Fatal(err)
-	}
-
-	// define a group of parallel tests so we wait for their execution before
-	// continuing on to cleanup
-	// see: https://go.dev/blog/subtests
-	t.Run("parallel execution group", func(t *testing.T) {
-		// loop to mount 5 secrets engines that will each share a single
-		// plugin process
-		for i := 0; i < 5; i++ {
-			pluginPath := fmt.Sprintf("%s-%d", plugin.Name, i)
-			t.Run(pluginPath, func(t *testing.T) {
-				t.Parallel()
-				// Enable
-				if err := client.Sys().Mount(pluginPath, &api.MountInput{
-					Type: plugin.Name,
-				}); err != nil {
-					t.Fatal(err)
-				}
-
-				// Configure
-				cleanupConsul, consulConfig := consul.PrepareTestContainer(t, "", false, true)
-				defer cleanupConsul()
-
-				_, err := client.Logical().Write(pluginPath+"/config/access", map[string]interface{}{
-					"address": consulConfig.Address(),
-					"token":   consulConfig.Token,
-				})
-				if err != nil {
-					t.Fatal(err)
-				}
-
-				_, err = client.Logical().Write(pluginPath+"/roles/test", map[string]interface{}{
-					"consul_policies": []string{"test"},
-					"ttl":             "6h",
-					"local":           false,
-				})
-				if err != nil {
-					t.Fatal(err)
-				}
-
-				resp, err := client.Logical().Read(pluginPath + "/creds/test")
-				if err != nil {
-					t.Fatal(err)
-				}
-				if resp == nil {
-					t.Fatal("read creds response is nil")
-				}
-			})
+		expected := "Vault"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to equal %q", combined, expected)
 		}
 	})
 
-	// Deregister
-	if err := client.Sys().DeregisterPlugin(&api.DeregisterPluginInput{
-		Name:    plugin.Name,
-		Type:    api.PluginType(plugin.Typ),
-		Version: plugin.Version,
-	}); err != nil {
-		t.Fatal(err)
-	}
-}
-
-// TestExternalPlugin_SecretsEngineReload tests that we can use an external
-// secrets engine after reload
-func TestExternalPlugin_SecretsEngineReload(t *testing.T) {
-	cluster := getCluster(t, consts.PluginTypeSecrets, 1)
-	defer cluster.Cleanup()
-
-	plugin := cluster.Plugins[0]
-	client := cluster.Cores[0].Client
-	client.SetToken(cluster.RootToken)
-
-	testRegisterAndEnable(t, client, plugin)
-
-	// Configure
-	cleanupConsul, consulConfig := consul.PrepareTestContainer(t, "", false, true)
-	defer cleanupConsul()
-
-	_, err := client.Logical().Write(plugin.Name+"/config/access", map[string]interface{}{
-		"address": consulConfig.Address(),
-		"token":   consulConfig.Token,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = client.Logical().Write(plugin.Name+"/roles/test", map[string]interface{}{
-		"consul_policies": []string{"test"},
-		"ttl":             "6h",
-		"local":           false,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	resp, err := client.Logical().Read(plugin.Name + "/creds/test")
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp == nil {
-		t.Fatal("read creds response is nil")
-	}
-
-	// Reload plugin
-	if _, err := client.Sys().ReloadPlugin(&api.ReloadPluginInput{
-		Plugin: plugin.Name,
-	}); err != nil {
-		t.Fatal(err)
-	}
-
-	resp, err = client.Logical().Read(plugin.Name + "/creds/test")
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp == nil {
-		t.Fatal("read creds response is nil")
-	}
-
-	// Deregister
-	if err := client.Sys().DeregisterPlugin(&api.DeregisterPluginInput{
-		Name:    plugin.Name,
-		Type:    api.PluginType(plugin.Typ),
-		Version: plugin.Version,
-	}); err != nil {
-		t.Fatal(err)
-	}
-}
-
-// TestExternalPlugin_Database tests that we can build, register and use an
-// external database secrets engine
-func TestExternalPlugin_Database(t *testing.T) {
-	cluster := getCluster(t, consts.PluginTypeDatabase, 1)
-	defer cluster.Cleanup()
-
-	plugin := cluster.Plugins[0]
-	client := cluster.Cores[0].Client
-	client.SetToken(cluster.RootToken)
-
-	// Register
-	if err := client.Sys().RegisterPlugin(&api.RegisterPluginInput{
-		Name:    plugin.Name,
-		Type:    api.PluginType(consts.PluginTypeDatabase),
-		Command: plugin.Name,
-		SHA256:  plugin.Sha256,
-		Version: plugin.Version,
-	}); err != nil {
-		t.Fatal(err)
-	}
-
-	// Enable
-	if err := client.Sys().Mount(consts.PluginTypeDatabase.String(), &api.MountInput{
-		Type: consts.PluginTypeDatabase.String(),
-	}); err != nil {
-		t.Fatal(err)
-	}
-
-	// define a group of parallel tests so we wait for their execution before
-	// continuing on to cleanup
-	// see: https://go.dev/blog/subtests
-	t.Run("parallel execution group", func(t *testing.T) {
-		// loop to mount 5 database connections that will each share a single
-		// plugin process
-		for i := 0; i < 5; i++ {
-			dbName := fmt.Sprintf("%s-%d", plugin.Name, i)
-			t.Run(dbName, func(t *testing.T) {
-				t.Parallel()
-				roleName := "test-role-" + dbName
-
-				cleanupContainer, connURL := postgreshelper.PrepareTestContainerWithVaultUser(t, context.Background(), "13.4-buster")
-				defer cleanupContainer()
-
-				_, err := client.Logical().Write("database/config/"+dbName, map[string]interface{}{
-					"connection_url": connURL,
-					"plugin_name":    plugin.Name,
-					"allowed_roles":  []string{roleName},
-					"username":       "vaultadmin",
-					"password":       "vaultpass",
-				})
-				if err != nil {
-					t.Fatal(err)
-				}
-
-				_, err = client.Logical().Write("database/rotate-root/"+dbName, map[string]interface{}{})
-				if err != nil {
-					t.Fatal(err)
-				}
-
-				_, err = client.Logical().Write("database/roles/"+roleName, map[string]interface{}{
-					"db_name":             dbName,
-					"creation_statements": testRole,
-					"max_ttl":             "10m",
-				})
-				if err != nil {
-					t.Fatal(err)
-				}
-
-				// Generate credentials
-				resp, err := client.Logical().Read("database/creds/" + roleName)
-				if err != nil {
-					t.Fatal(err)
-				}
-				if resp == nil {
-					t.Fatal("read creds response is nil")
-				}
-
-				_, err = client.Logical().Write("database/reset/"+dbName, map[string]interface{}{})
-				if err != nil {
-					t.Fatal(err)
-				}
-
-				// Generate credentials
-				resp, err = client.Logical().Read("database/creds/" + roleName)
-				if err != nil {
-					t.Fatal(err)
-				}
-				if resp == nil {
-					t.Fatal("read creds response is nil")
-				}
-
-				resp, err = client.Logical().Read("database/creds/" + roleName)
-				if err != nil {
-					t.Fatal(err)
-				}
-				if resp == nil {
-					t.Fatal("read creds response is nil")
-				}
-
-				revokeLease := resp.LeaseID
-				// Lookup - expect SUCCESS
-				resp, err = client.Sys().Lookup(revokeLease)
-				if err != nil {
-					t.Fatal(err)
-				}
-				if resp == nil {
-					t.Fatalf("lease lookup response is nil")
-				}
-
-				// Revoke
-				if err = client.Sys().Revoke(revokeLease); err != nil {
-					t.Fatal(err)
-				}
-
-				// Reset root token
-				client.SetToken(cluster.RootToken)
-
-				// Lookup - expect FAILURE
-				resp, err = client.Sys().Lookup(revokeLease)
-				if err == nil {
-					t.Fatalf("expected error, got nil")
-				}
-			})
-		}
-	})
-
-	// Deregister
-	if err := client.Sys().DeregisterPlugin(&api.DeregisterPluginInput{
-		Name:    plugin.Name,
-		Type:    api.PluginType(plugin.Typ),
-		Version: plugin.Version,
-	}); err != nil {
-		t.Fatal(err)
-	}
-}
-
-// TestExternalPlugin_DatabaseReload tests that we can use an external database
-// secrets engine after reload
-func TestExternalPlugin_DatabaseReload(t *testing.T) {
-	cluster := getCluster(t, consts.PluginTypeDatabase, 1)
-	defer cluster.Cleanup()
-
-	plugin := cluster.Plugins[0]
-	client := cluster.Cores[0].Client
-	client.SetToken(cluster.RootToken)
-
-	// Register
-	if err := client.Sys().RegisterPlugin(&api.RegisterPluginInput{
-		Name:    plugin.Name,
-		Type:    api.PluginType(consts.PluginTypeDatabase),
-		Command: plugin.Name,
-		SHA256:  plugin.Sha256,
-		Version: plugin.Version,
-	}); err != nil {
-		t.Fatal(err)
-	}
-
-	// Enable
-	if err := client.Sys().Mount(consts.PluginTypeDatabase.String(), &api.MountInput{
-		Type: consts.PluginTypeDatabase.String(),
-	}); err != nil {
-		t.Fatal(err)
-	}
-
-	dbName := fmt.Sprintf("%s-%d", plugin.Name, 0)
-	roleName := "test-role-" + dbName
-
-	cleanupContainer, connURL := postgreshelper.PrepareTestContainerWithVaultUser(t, context.Background(), "13.4-buster")
-	defer cleanupContainer()
-
-	_, err := client.Logical().Write("database/config/"+dbName, map[string]interface{}{
-		"connection_url": connURL,
-		"plugin_name":    plugin.Name,
-		"allowed_roles":  []string{roleName},
-		"username":       "vaultadmin",
-		"password":       "vaultpass",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = client.Logical().Write("database/roles/"+roleName, map[string]interface{}{
-		"db_name":             dbName,
-		"creation_statements": testRole,
-		"max_ttl":             "10m",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	resp, err := client.Logical().Read("database/creds/" + roleName)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp == nil {
-		t.Fatal("read creds response is nil")
-	}
-
-	// Reload plugin
-	if _, err := client.Sys().ReloadPlugin(&api.ReloadPluginInput{
-		Plugin: plugin.Name,
-	}); err != nil {
-		t.Fatal(err)
-	}
-
-	// Generate credentials after reload
-	resp, err = client.Logical().Read("database/creds/" + roleName)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp == nil {
-		t.Fatal("read creds response is nil")
-	}
-
-	// Deregister
-	if err := client.Sys().DeregisterPlugin(&api.DeregisterPluginInput{
-		Name:    plugin.Name,
-		Type:    api.PluginType(plugin.Typ),
-		Version: plugin.Version,
-	}); err != nil {
-		t.Fatal(err)
-	}
-}
-
-const testRole = `
-CREATE ROLE "{{name}}" WITH
-  LOGIN
-  PASSWORD '{{password}}'
-  VALID UNTIL '{{expiration}}';
-GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "{{name}}";
-`
-
-func testExternalPluginMetadataAuditLog(t *testing.T, log map[string]interface{}, expectedMountClass string) {
-	if mountClass, ok := log["mount_class"].(string); !ok {
-		t.Fatalf("mount_class should be a string, not %T", log["mount_class"])
-	} else if mountClass != expectedMountClass {
-		t.Fatalf("bad: mount_class should be %s, not %s", expectedMountClass, mountClass)
-	}
-
-	if mountIsExternalPlugin, ok := log["mount_is_external_plugin"].(bool); !ok {
-		t.Fatalf("mount_is_external_plugin should be a bool, not %T", log["mount_is_external_plugin"])
-	} else if !mountIsExternalPlugin {
-		t.Fatalf("bad: mount_is_external_plugin should be true, not %t", mountIsExternalPlugin)
-	}
-
-	if _, ok := log["mount_running_sha256"].(string); !ok {
-		t.Fatalf("mount_running_sha256 should be a string, not %T", log["mount_running_sha256"])
-	}
-}
-
-// TestExternalPlugin_AuditEnabled_ShouldLogPluginMetadata_Auth tests that we have plugin metadata of an auth plugin
-// in audit log when it is enabled
-func TestExternalPlugin_AuditEnabled_ShouldLogPluginMetadata_Auth(t *testing.T) {
-	cluster := getClusterWithFileAuditBackend(t, consts.PluginTypeCredential, 1)
-	defer cluster.Cleanup()
-
-	plugin := cluster.Plugins[0]
-	client := cluster.Cores[0].Client
-	client.SetToken(cluster.RootToken)
-
-	testRegisterAndEnable(t, client, plugin)
-
-	// Enable the audit backend
-	tempDir := t.TempDir()
-	auditLogFile, err := os.CreateTemp(tempDir, "")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = client.Sys().EnableAuditWithOptions("file", &api.EnableAuditOptions{
-		Type: "file",
-		Options: map[string]string{
-			"file_path": auditLogFile.Name(),
-		},
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = client.Logical().Write("auth/"+plugin.Name+"/role/role1", map[string]interface{}{
-		"bind_secret_id": "true",
-		"period":         "300",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Check the audit trail on request and response
-	decoder := json.NewDecoder(auditLogFile)
-	var auditRecord map[string]interface{}
-	for decoder.Decode(&auditRecord) == nil {
-		auditRequest := map[string]interface{}{}
-		if req, ok := auditRecord["request"]; ok {
-			auditRequest = req.(map[string]interface{})
-			if auditRequest["path"] != "auth/"+plugin.Name+"/role/role1" {
-				continue
-			}
-		}
-		testExternalPluginMetadataAuditLog(t, auditRequest, consts.PluginTypeCredential.String())
-
-		auditResponse := map[string]interface{}{}
-		if req, ok := auditRecord["response"]; ok {
-			auditRequest = req.(map[string]interface{})
-			if auditResponse["path"] != "auth/"+plugin.Name+"/role/role1" {
-				continue
-			}
-		}
-		testExternalPluginMetadataAuditLog(t, auditResponse, consts.PluginTypeCredential.String())
-	}
-
-	// Deregister
-	if err := client.Sys().DeregisterPlugin(&api.DeregisterPluginInput{
-		Name:    plugin.Name,
-		Type:    api.PluginType(plugin.Typ),
-		Version: plugin.Version,
-	}); err != nil {
-		t.Fatal(err)
-	}
-}
-
-// TestExternalPlugin_AuditEnabled_ShouldLogPluginMetadata_Secret tests that we have plugin metadata of a secret plugin
-// in audit log when it is enabled
-func TestExternalPlugin_AuditEnabled_ShouldLogPluginMetadata_Secret(t *testing.T) {
-	cluster := getClusterWithFileAuditBackend(t, consts.PluginTypeSecrets, 1)
-	defer cluster.Cleanup()
-
-	plugin := cluster.Plugins[0]
-	client := cluster.Cores[0].Client
-	client.SetToken(cluster.RootToken)
-
-	testRegisterAndEnable(t, client, plugin)
-
-	// Enable the audit backend
-	tempDir := t.TempDir()
-	auditLogFile, err := os.CreateTemp(tempDir, "")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = client.Sys().EnableAuditWithOptions("file", &api.EnableAuditOptions{
-		Type: "file",
-		Options: map[string]string{
-			"file_path": auditLogFile.Name(),
-		},
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
 
-	// Configure
-	cleanupConsul, consulConfig := consul.PrepareTestContainer(t, "", false, true)
-	defer cleanupConsul()
-	_, err = client.Logical().Write(plugin.Name+"/config/access", map[string]interface{}{
-		"address": consulConfig.Address(),
-		"token":   consulConfig.Token,
+		_, cmd := testVersionCommand(t)
+		assertNoTabs(t, cmd)
 	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Check the audit trail on request and response
-	decoder := json.NewDecoder(auditLogFile)
-	var auditRecord map[string]interface{}
-	for decoder.Decode(&auditRecord) == nil {
-		auditRequest := map[string]interface{}{}
-		if req, ok := auditRecord["request"]; ok {
-			auditRequest = req.(map[string]interface{})
-			if auditRequest["path"] != plugin.Name+"/config/access" {
-				continue
-			}
-		}
-		testExternalPluginMetadataAuditLog(t, auditRequest, consts.PluginTypeSecrets.String())
-
-		auditResponse := map[string]interface{}{}
-		if req, ok := auditRecord["response"]; ok {
-			auditRequest = req.(map[string]interface{})
-			if auditResponse["path"] != plugin.Name+"/config/access" {
-				continue
-			}
-		}
-		testExternalPluginMetadataAuditLog(t, auditResponse, consts.PluginTypeSecrets.String())
-	}
-
-	// Deregister
-	if err := client.Sys().DeregisterPlugin(&api.DeregisterPluginInput{
-		Name:    plugin.Name,
-		Type:    api.PluginType(plugin.Typ),
-		Version: plugin.Version,
-	}); err != nil {
-		t.Fatal(err)
-	}
 }
diff --git a/vault/external_tests/raft/raft_test.go b/vault/external_tests/raft/raft_test.go
index efe209c44e89..33ee3be0f242 100644
--- a/vault/external_tests/raft/raft_test.go
+++ b/vault/external_tests/raft/raft_test.go
@@ -1,1230 +1,186 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package rafttests
+package command
 
 import (
-	"bytes"
-	"context"
-	"crypto/md5"
-	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
-	"net/http"
+	"os"
 	"strings"
-	"sync"
-	"sync/atomic"
-	"testing"
-	"time"
 
-	"github.com/hashicorp/go-cleanhttp"
-	"github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/cli"
 	"github.com/hashicorp/vault/api"
-	credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
-	"github.com/hashicorp/vault/helper/benchhelpers"
-	"github.com/hashicorp/vault/helper/constants"
-	"github.com/hashicorp/vault/helper/namespace"
-	"github.com/hashicorp/vault/helper/testhelpers"
-	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
-	"github.com/hashicorp/vault/helper/testhelpers/teststorage"
-	vaulthttp "github.com/hashicorp/vault/http"
-	"github.com/hashicorp/vault/internalshared/configutil"
-	"github.com/hashicorp/vault/physical/raft"
-	"github.com/hashicorp/vault/sdk/logical"
-	"github.com/hashicorp/vault/vault"
-	vaultseal "github.com/hashicorp/vault/vault/seal"
-	"github.com/stretchr/testify/require"
-	"golang.org/x/net/http2"
+	"github.com/posener/complete"
 )
 
-type RaftClusterOpts struct {
-	DisableFollowerJoins           bool
-	InmemCluster                   bool
-	EnableAutopilot                bool
-	PhysicalFactoryConfig          map[string]interface{}
-	DisablePerfStandby             bool
-	EnableResponseHeaderRaftNodeID bool
-	NumCores                       int
-	Seal                           vault.Seal
-	VersionMap                     map[int]string
-	RedundancyZoneMap              map[int]string
-	EffectiveSDKVersionMap         map[int]string
-}
-
-func raftCluster(t testing.TB, ropts *RaftClusterOpts) (*vault.TestCluster, *vault.TestClusterOptions) {
-	if ropts == nil {
-		ropts = &RaftClusterOpts{}
-	}
-
-	conf := &vault.CoreConfig{
-		CredentialBackends: map[string]logical.Factory{
-			"userpass": credUserpass.Factory,
-		},
-		DisableAutopilot:               !ropts.EnableAutopilot,
-		EnableResponseHeaderRaftNodeID: ropts.EnableResponseHeaderRaftNodeID,
-		Seal:                           ropts.Seal,
-	}
-
-	opts := vault.TestClusterOptions{
-		HandlerFunc: vaulthttp.Handler,
-	}
-	opts.InmemClusterLayers = ropts.InmemCluster
-	opts.PhysicalFactoryConfig = ropts.PhysicalFactoryConfig
-	conf.DisablePerformanceStandby = ropts.DisablePerfStandby
-	opts.NumCores = ropts.NumCores
-	opts.VersionMap = ropts.VersionMap
-	opts.RedundancyZoneMap = ropts.RedundancyZoneMap
-	opts.EffectiveSDKVersionMap = ropts.EffectiveSDKVersionMap
-
-	teststorage.RaftBackendSetup(conf, &opts)
-
-	if ropts.DisableFollowerJoins {
-		opts.SetupFunc = nil
-	}
+var (
+	_ cli.Command             = (*WriteCommand)(nil)
+	_ cli.CommandAutocomplete = (*WriteCommand)(nil)
+)
 
-	cluster := vault.NewTestCluster(benchhelpers.TBtoT(t), conf, &opts)
-	cluster.Start()
-	vault.TestWaitActive(benchhelpers.TBtoT(t), cluster.Cores[0].Core)
-	return cluster, &opts
+// MFAMethodInfo contains the information about an MFA method
+type MFAMethodInfo struct {
+	methodID    string
+	methodType  string
+	usePasscode bool
 }
 
-func TestRaft_BoltDBMetrics(t *testing.T) {
-	t.Parallel()
-	conf := vault.CoreConfig{}
-	opts := vault.TestClusterOptions{
-		HandlerFunc:            vaulthttp.Handler,
-		NumCores:               1,
-		CoreMetricSinkProvider: testhelpers.TestMetricSinkProvider(time.Minute),
-		DefaultHandlerProperties: vault.HandlerProperties{
-			ListenerConfig: &configutil.Listener{
-				Telemetry: configutil.ListenerTelemetry{
-					UnauthenticatedMetricsAccess: true,
-				},
-			},
-		},
-	}
-
-	teststorage.RaftBackendSetup(&conf, &opts)
-	cluster := vault.NewTestCluster(t, &conf, &opts)
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
-	leaderClient := cluster.Cores[0].Client
-
-	// Write a few keys
-	for i := 0; i < 50; i++ {
-		_, err := leaderClient.Logical().Write(fmt.Sprintf("secret/%d", i), map[string]interface{}{
-			fmt.Sprintf("foo%d", i): fmt.Sprintf("bar%d", i),
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-	}
-
-	// Even though there is a long delay between when we start the node and when we check for these metrics,
-	// the core metrics loop isn't started until postUnseal, which happens after said delay. This means we
-	// need a small artificial delay here as well, otherwise we won't see any metrics emitted.
-	time.Sleep(5 * time.Second)
-	data, err := testhelpers.SysMetricsReq(leaderClient, cluster, true)
-	if err != nil {
-		t.Fatal(err)
-	}
+// WriteCommand is a Command that puts data into the Vault.
+type WriteCommand struct {
+	*BaseCommand
 
-	noBoltDBMetrics := true
-	for _, g := range data.Gauges {
-		if strings.HasPrefix(g.Name, "raft_storage.bolt.") {
-			noBoltDBMetrics = false
-			break
-		}
-	}
+	flagForce bool
 
-	if noBoltDBMetrics {
-		t.Fatal("expected to find boltdb metrics being emitted from the raft backend, but there were none")
-	}
+	testStdin io.Reader // for tests
 }
 
-func TestRaft_RetryAutoJoin(t *testing.T) {
-	t.Parallel()
-
-	var (
-		conf vault.CoreConfig
-
-		opts = vault.TestClusterOptions{HandlerFunc: vaulthttp.Handler}
-	)
-
-	teststorage.RaftBackendSetup(&conf, &opts)
-
-	opts.SetupFunc = nil
-	cluster := vault.NewTestCluster(t, &conf, &opts)
-
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	addressProvider := &testhelpers.TestRaftServerAddressProvider{Cluster: cluster}
-	leaderCore := cluster.Cores[0]
-	atomic.StoreUint32(&vault.TestingUpdateClusterAddr, 1)
-
-	{
-		testhelpers.EnsureCoreSealed(t, leaderCore)
-		leaderCore.UnderlyingRawStorage.(*raft.RaftBackend).SetServerAddressProvider(addressProvider)
-		cluster.UnsealCore(t, leaderCore)
-		vault.TestWaitActive(t, leaderCore.Core)
-	}
-
-	leaderInfos := []*raft.LeaderJoinInfo{
-		{
-			AutoJoin:  "provider=aws region=eu-west-1 tag_key=consul tag_value=tag access_key_id=a secret_access_key=a",
-			TLSConfig: leaderCore.TLSConfig(),
-			Retry:     true,
-		},
-	}
-
-	{
-		// expected to pass but not join as we're not actually discovering leader addresses
-		core := cluster.Cores[1]
-		core.UnderlyingRawStorage.(*raft.RaftBackend).SetServerAddressProvider(addressProvider)
-
-		_, err := core.JoinRaftCluster(namespace.RootContext(context.Background()), leaderInfos, false)
-		require.NoError(t, err)
-	}
-
-	err := testhelpers.VerifyRaftPeers(t, cluster.Cores[0].Client, map[string]bool{
-		"core-0": true,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
+func (c *WriteCommand) Synopsis() string {
+	return "Write data, configuration, and secrets"
 }
 
-func TestRaft_Retry_Join(t *testing.T) {
-	t.Parallel()
-	var conf vault.CoreConfig
-	opts := vault.TestClusterOptions{HandlerFunc: vaulthttp.Handler}
-	teststorage.RaftBackendSetup(&conf, &opts)
-	opts.SetupFunc = nil
-	cluster := vault.NewTestCluster(t, &conf, &opts)
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	addressProvider := &testhelpers.TestRaftServerAddressProvider{Cluster: cluster}
-
-	leaderCore := cluster.Cores[0]
-	leaderAPI := leaderCore.Client.Address()
-	atomic.StoreUint32(&vault.TestingUpdateClusterAddr, 1)
-
-	{
-		testhelpers.EnsureCoreSealed(t, leaderCore)
-		leaderCore.UnderlyingRawStorage.(*raft.RaftBackend).SetServerAddressProvider(addressProvider)
-	}
-
-	leaderInfos := []*raft.LeaderJoinInfo{
-		{
-			LeaderAPIAddr: leaderAPI,
-			TLSConfig:     leaderCore.TLSConfig(),
-			Retry:         true,
-		},
-	}
-
-	var wg sync.WaitGroup
-	for _, clusterCore := range cluster.Cores[1:] {
-		wg.Add(1)
-		go func(t *testing.T, core *vault.TestClusterCore) {
-			t.Helper()
-			defer wg.Done()
-			core.UnderlyingRawStorage.(*raft.RaftBackend).SetServerAddressProvider(addressProvider)
-			_, err := core.JoinRaftCluster(namespace.RootContext(context.Background()), leaderInfos, false)
-			if err != nil {
-				t.Error(err)
-			}
+func (c *WriteCommand) Help() string {
+	helpText := `
+Usage: vault write [options] PATH [DATA K=V...]
 
-			// Handle potential racy behavior with unseals. Retry the unseal until it succeeds.
-			corehelpers.RetryUntil(t, 10*time.Second, func() error {
-				return cluster.AttemptUnsealCore(core)
-			})
-		}(t, clusterCore)
-	}
+  Writes data to Vault at the given path. The data can be credentials, secrets,
+  configuration, or arbitrary data. The specific behavior of this command is
+  determined at the thing mounted at the path.
 
-	// Unseal the leader and wait for the other cores to unseal
-	cluster.UnsealCore(t, leaderCore)
-	wg.Wait()
+  Data is specified as "key=value" pairs. If the value begins with an "@", then
+  it is loaded from a file. If the value is "-", Vault will read the value from
+  stdin.
 
-	vault.TestWaitActive(t, leaderCore.Core)
+  Persist data in the generic secrets engine:
 
-	corehelpers.RetryUntil(t, 10*time.Second, func() error {
-		return testhelpers.VerifyRaftPeers(t, cluster.Cores[0].Client, map[string]bool{
-			"core-0": true,
-			"core-1": true,
-			"core-2": true,
-		})
-	})
-}
+      $ vault write secret/my-secret foo=bar
 
-func TestRaft_Join(t *testing.T) {
-	t.Parallel()
-	var conf vault.CoreConfig
-	opts := vault.TestClusterOptions{HandlerFunc: vaulthttp.Handler}
-	teststorage.RaftBackendSetup(&conf, &opts)
-	opts.SetupFunc = nil
-	cluster := vault.NewTestCluster(t, &conf, &opts)
-	cluster.Start()
-	defer cluster.Cleanup()
+  Create a new encryption key in the transit secrets engine:
 
-	addressProvider := &testhelpers.TestRaftServerAddressProvider{Cluster: cluster}
+      $ vault write -f transit/keys/my-key
 
-	leaderCore := cluster.Cores[0]
-	leaderAPI := leaderCore.Client.Address()
-	atomic.StoreUint32(&vault.TestingUpdateClusterAddr, 1)
+  Upload an AWS IAM policy from a file on disk:
 
-	// Seal the leader so we can install an address provider
-	{
-		testhelpers.EnsureCoreSealed(t, leaderCore)
-		leaderCore.UnderlyingRawStorage.(*raft.RaftBackend).SetServerAddressProvider(addressProvider)
-		cluster.UnsealCore(t, leaderCore)
-		vault.TestWaitActive(t, leaderCore.Core)
-	}
+      $ vault write aws/roles/ops policy=@policy.json
 
-	joinFunc := func(client *api.Client, addClientCerts bool) {
-		req := &api.RaftJoinRequest{
-			LeaderAPIAddr: leaderAPI,
-			LeaderCACert:  string(cluster.CACertPEM),
-		}
-		if addClientCerts {
-			req.LeaderClientCert = string(cluster.CACertPEM)
-			req.LeaderClientKey = string(cluster.CAKeyPEM)
-		}
-		resp, err := client.Sys().RaftJoin(req)
-		if err != nil {
-			t.Fatal(err)
-		}
-		if !resp.Joined {
-			t.Fatalf("failed to join raft cluster")
-		}
-	}
+  Configure access to Consul by providing an access token:
 
-	joinFunc(cluster.Cores[1].Client, false)
-	joinFunc(cluster.Cores[2].Client, false)
+      $ echo $MY_TOKEN | vault write consul/config/access token=-
 
-	_, err := cluster.Cores[0].Client.Logical().Write("sys/storage/raft/remove-peer", map[string]interface{}{
-		"server_id": "core-1",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
+  For a full list of examples and paths, please see the documentation that
+  corresponds to the secret engines in use.
 
-	_, err = cluster.Cores[0].Client.Logical().Write("sys/storage/raft/remove-peer", map[string]interface{}{
-		"server_id": "core-2",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
+` + c.Flags().Help()
 
-	joinFunc(cluster.Cores[1].Client, true)
-	joinFunc(cluster.Cores[2].Client, true)
+	return strings.TrimSpace(helpText)
 }
 
-func TestRaft_RemovePeer(t *testing.T) {
-	t.Parallel()
-	cluster, _ := raftCluster(t, nil)
-	defer cluster.Cleanup()
+func (c *WriteCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
+	f := set.NewFlagSet("Command Options")
 
-	for i, c := range cluster.Cores {
-		if c.Core.Sealed() {
-			t.Fatalf("failed to unseal core %d", i)
-		}
-	}
-
-	client := cluster.Cores[0].Client
-
-	err := testhelpers.VerifyRaftPeers(t, client, map[string]bool{
-		"core-0": true,
-		"core-1": true,
-		"core-2": true,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = client.Logical().Write("sys/storage/raft/remove-peer", map[string]interface{}{
-		"server_id": "core-2",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = testhelpers.VerifyRaftPeers(t, client, map[string]bool{
-		"core-0": true,
-		"core-1": true,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, err = client.Logical().Write("sys/storage/raft/remove-peer", map[string]interface{}{
-		"server_id": "core-1",
+	f.BoolVar(&BoolVar{
+		Name:       "force",
+		Aliases:    []string{"f"},
+		Target:     &c.flagForce,
+		Default:    false,
+		EnvVar:     "",
+		Completion: complete.PredictNothing,
+		Usage: "Allow the operation to continue with no key=value pairs. This " +
+			"allows writing to keys that do not need or expect data.",
 	})
-	if err != nil {
-		t.Fatal(err)
-	}
 
-	err = testhelpers.VerifyRaftPeers(t, client, map[string]bool{
-		"core-0": true,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
+	return set
 }
 
-func TestRaft_NodeIDHeader(t *testing.T) {
-	t.Parallel()
-	testCases := []struct {
-		description   string
-		ropts         *RaftClusterOpts
-		headerPresent bool
-	}{
-		{
-			description:   "with no header configured",
-			ropts:         nil,
-			headerPresent: false,
-		},
-		{
-			description: "with header configured",
-			ropts: &RaftClusterOpts{
-				EnableResponseHeaderRaftNodeID: true,
-			},
-			headerPresent: true,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.description, func(t *testing.T) {
-			cluster, _ := raftCluster(t, tc.ropts)
-			defer cluster.Cleanup()
-
-			for i, c := range cluster.Cores {
-				if c.Core.Sealed() {
-					t.Fatalf("failed to unseal core %d", i)
-				}
-
-				client := c.Client
-				req := client.NewRequest("GET", "/v1/sys/seal-status")
-				resp, err := client.RawRequest(req)
-				if err != nil {
-					t.Fatalf("err: %s", err)
-				}
-				if resp == nil {
-					t.Fatalf("nil response")
-				}
-
-				rniHeader := resp.Header.Get("X-Vault-Raft-Node-ID")
-				nodeID := c.Core.GetRaftNodeID()
-
-				if tc.headerPresent && rniHeader == "" {
-					t.Fatal("missing 'X-Vault-Raft-Node-ID' header entry in response")
-				}
-				if tc.headerPresent && rniHeader != nodeID {
-					t.Fatalf("got the wrong raft node id. expected %s to equal %s", rniHeader, nodeID)
-				}
-				if !tc.headerPresent && rniHeader != "" {
-					t.Fatal("didn't expect 'X-Vault-Raft-Node-ID' header but it was present anyway")
-				}
-			}
-		})
-	}
+func (c *WriteCommand) AutocompleteArgs() complete.Predictor {
+	// Return an anything predictor here. Without a way to access help
+	// information, we don't know what paths we could write to.
+	return complete.PredictAnything
 }
 
-func TestRaft_Configuration(t *testing.T) {
-	t.Parallel()
-	cluster, _ := raftCluster(t, nil)
-	defer cluster.Cleanup()
-	Raft_Configuration_Test(t, cluster)
+func (c *WriteCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
 }
 
-func TestRaft_ShamirUnseal(t *testing.T) {
-	t.Parallel()
-	cluster, _ := raftCluster(t, nil)
-	defer cluster.Cleanup()
+func (c *WriteCommand) Run(args []string) int {
+	f := c.Flags()
 
-	for i, c := range cluster.Cores {
-		if c.Core.Sealed() {
-			t.Fatalf("failed to unseal core %d", i)
-		}
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
 	}
-}
-
-func TestRaft_SnapshotAPI(t *testing.T) {
-	t.Parallel()
-	cluster, _ := raftCluster(t, nil)
-	defer cluster.Cleanup()
-
-	leaderClient := cluster.Cores[0].Client
 
-	// Write a few keys
-	for i := 0; i < 10; i++ {
-		_, err := leaderClient.Logical().Write(fmt.Sprintf("secret/%d", i), map[string]interface{}{
-			"test": "data",
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
+	args = f.Args()
+	switch {
+	case len(args) < 1:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case len(args) == 1 && !c.flagForce:
+		c.UI.Error("Must supply data or use -force")
+		return 1
 	}
 
-	// Take a snapshot
-	buf := new(bytes.Buffer)
-	err := leaderClient.Sys().RaftSnapshot(buf)
-	if err != nil {
-		t.Fatal(err)
-	}
-	snap, err := io.ReadAll(buf)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if len(snap) == 0 {
-		t.Fatal("no snapshot returned")
+	// Pull our fake stdin if needed
+	stdin := (io.Reader)(os.Stdin)
+	if c.testStdin != nil {
+		stdin = c.testStdin
 	}
 
-	// Write a few more keys
-	for i := 10; i < 20; i++ {
-		_, err := leaderClient.Logical().Write(fmt.Sprintf("secret/%d", i), map[string]interface{}{
-			"test": "data",
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-	}
-	// Restore snapshot
-	err = leaderClient.Sys().RaftSnapshotRestore(bytes.NewReader(snap), false)
-	if err != nil {
-		t.Fatal(err)
-	}
+	path := sanitizePath(args[0])
 
-	// List kv to make sure we removed the extra keys
-	secret, err := leaderClient.Logical().List("secret/")
+	data, err := parseArgsData(stdin, args[1:])
 	if err != nil {
-		t.Fatal(err)
-	}
-
-	if len(secret.Data["keys"].([]interface{})) != 10 {
-		t.Fatal("snapshot didn't apply correctly")
-	}
-}
-
-func TestRaft_SnapshotAPI_MidstreamFailure(t *testing.T) {
-	// defer goleak.VerifyNone(t)
-	t.Parallel()
-
-	seal, setErr := vaultseal.NewToggleableTestSeal(nil)
-	autoSeal := vault.NewAutoSeal(seal)
-	cluster, _ := raftCluster(t, &RaftClusterOpts{
-		NumCores: 1,
-		Seal:     autoSeal,
-	})
-	defer cluster.Cleanup()
-
-	leaderClient := cluster.Cores[0].Client
-
-	// Write a bunch of keys; if too few, the detection code in api.RaftSnapshot
-	// will never make it into the tar part, it'll fail merely when trying to
-	// decompress the stream.
-	for i := 0; i < 1000; i++ {
-		_, err := leaderClient.Logical().Write(fmt.Sprintf("secret/%d", i), map[string]interface{}{
-			"test": "data",
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-	}
-
-	r, w := io.Pipe()
-	var snap []byte
-	var wg sync.WaitGroup
-	wg.Add(1)
-
-	var readErr error
-	go func() {
-		snap, readErr = ioutil.ReadAll(r)
-		wg.Done()
-	}()
-
-	setErr[0](errors.New("seal failure"))
-	// Take a snapshot
-	err := leaderClient.Sys().RaftSnapshot(w)
-	w.Close()
-	if err == nil || err != api.ErrIncompleteSnapshot {
-		t.Fatalf("expected err=%v, got: %v", api.ErrIncompleteSnapshot, err)
-	}
-	wg.Wait()
-	if len(snap) == 0 && readErr == nil {
-		readErr = errors.New("no bytes read")
-	}
-	if readErr != nil {
-		t.Fatal(readErr)
-	}
-}
-
-func TestRaft_SnapshotAPI_RekeyRotate_Backward(t *testing.T) {
-	t.Parallel()
-	type testCase struct {
-		Name               string
-		Rekey              bool
-		Rotate             bool
-		DisablePerfStandby bool
+		c.UI.Error(fmt.Sprintf("Failed to parse K=V data: %s", err))
+		return 1
 	}
 
-	tCases := []testCase{
-		{
-			Name:               "rekey",
-			Rekey:              true,
-			Rotate:             false,
-			DisablePerfStandby: true,
-		},
-		{
-			Name:               "rotate",
-			Rekey:              false,
-			Rotate:             true,
-			DisablePerfStandby: true,
-		},
-		{
-			Name:               "both",
-			Rekey:              true,
-			Rotate:             true,
-			DisablePerfStandby: true,
-		},
-	}
-
-	if constants.IsEnterprise {
-		tCases = append(tCases, []testCase{
-			{
-				Name:               "rekey-with-perf-standby",
-				Rekey:              true,
-				Rotate:             false,
-				DisablePerfStandby: false,
-			},
-			{
-				Name:               "rotate-with-perf-standby",
-				Rekey:              false,
-				Rotate:             true,
-				DisablePerfStandby: false,
-			},
-			{
-				Name:               "both-with-perf-standby",
-				Rekey:              true,
-				Rotate:             true,
-				DisablePerfStandby: false,
-			},
-		}...)
-	}
-
-	for _, tCase := range tCases {
-		t.Run(tCase.Name, func(t *testing.T) {
-			// bind locally
-			tCaseLocal := tCase
-			t.Parallel()
-
-			cluster, _ := raftCluster(t, &RaftClusterOpts{DisablePerfStandby: tCaseLocal.DisablePerfStandby})
-			defer cluster.Cleanup()
-
-			leaderClient := cluster.Cores[0].Client
-
-			// Write a few keys
-			for i := 0; i < 10; i++ {
-				_, err := leaderClient.Logical().Write(fmt.Sprintf("secret/%d", i), map[string]interface{}{
-					"test": "data",
-				})
-				if err != nil {
-					t.Fatal(err)
-				}
-			}
-
-			transport := cleanhttp.DefaultPooledTransport()
-			transport.TLSClientConfig = cluster.Cores[0].TLSConfig()
-			if err := http2.ConfigureTransport(transport); err != nil {
-				t.Fatal(err)
-			}
-			client := &http.Client{
-				Transport: transport,
-			}
-
-			// Take a snapshot
-			req := leaderClient.NewRequest("GET", "/v1/sys/storage/raft/snapshot")
-			httpReq, err := req.ToHTTP()
-			if err != nil {
-				t.Fatal(err)
-			}
-			resp, err := client.Do(httpReq)
-			if err != nil {
-				t.Fatal(err)
-			}
-			defer resp.Body.Close()
-
-			snap, err := ioutil.ReadAll(resp.Body)
-			if err != nil {
-				t.Fatal(err)
-			}
-			if len(snap) == 0 {
-				t.Fatal("no snapshot returned")
-			}
-
-			// cache the original barrier keys
-			barrierKeys := cluster.BarrierKeys
-
-			if tCaseLocal.Rotate {
-				// Rotate
-				err = leaderClient.Sys().Rotate()
-				if err != nil {
-					t.Fatal(err)
-				}
-
-				testhelpers.EnsureStableActiveNode(t, cluster)
-				testhelpers.WaitForActiveNodeAndStandbys(t, cluster)
-			}
-
-			if tCaseLocal.Rekey {
-				// Rekey
-				cluster.BarrierKeys = testhelpers.RekeyCluster(t, cluster, false)
-
-				testhelpers.EnsureStableActiveNode(t, cluster)
-				testhelpers.WaitForActiveNodeAndStandbys(t, cluster)
-			}
-
-			if tCaseLocal.Rekey {
-				// Restore snapshot, should fail.
-				req = leaderClient.NewRequest("POST", "/v1/sys/storage/raft/snapshot")
-				req.Body = bytes.NewBuffer(snap)
-				httpReq, err = req.ToHTTP()
-				if err != nil {
-					t.Fatal(err)
-				}
-				resp, err = client.Do(httpReq)
-				if err != nil {
-					t.Fatal(err)
-				}
-				// Parse Response
-				apiResp := api.Response{Response: resp}
-				if !strings.Contains(apiResp.Error().Error(), "could not verify hash file, possibly the snapshot is using a different set of unseal keys") {
-					t.Fatal(apiResp.Error())
-				}
-			}
-
-			// Restore snapshot force
-			req = leaderClient.NewRequest("POST", "/v1/sys/storage/raft/snapshot-force")
-			req.Body = bytes.NewBuffer(snap)
-			httpReq, err = req.ToHTTP()
-			if err != nil {
-				t.Fatal(err)
-			}
-			resp, err = client.Do(httpReq)
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			testhelpers.EnsureStableActiveNode(t, cluster)
-			testhelpers.WaitForActiveNodeAndStandbys(t, cluster)
-
-			// Write some data so we can make sure we can read it later. This is testing
-			// that we correctly reload the keyring
-			_, err = leaderClient.Logical().Write("secret/foo", map[string]interface{}{
-				"test": "data",
-			})
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			testhelpers.EnsureCoresSealed(t, cluster)
-
-			cluster.BarrierKeys = barrierKeys
-			testhelpers.EnsureCoresUnsealed(t, cluster)
-			testhelpers.WaitForActiveNode(t, cluster)
-			activeCore := testhelpers.DeriveStableActiveCore(t, cluster)
-
-			// Read the value.
-			data, err := activeCore.Client.Logical().Read("secret/foo")
-			if err != nil {
-				t.Fatal(err)
-			}
-			if data.Data["test"].(string) != "data" {
-				t.Fatal(data)
-			}
-		})
-	}
-}
-
-func TestRaft_SnapshotAPI_RekeyRotate_Forward(t *testing.T) {
-	t.Parallel()
-	type testCase struct {
-		Name               string
-		Rekey              bool
-		Rotate             bool
-		ShouldSeal         bool
-		DisablePerfStandby bool
-	}
-
-	tCases := []testCase{
-		{
-			Name:               "rekey",
-			Rekey:              true,
-			Rotate:             false,
-			ShouldSeal:         false,
-			DisablePerfStandby: true,
-		},
-		{
-			Name:   "rotate",
-			Rekey:  false,
-			Rotate: true,
-			// Rotate writes a new master key upgrade using the new term, which
-			// we can no longer decrypt. We must seal here.
-			ShouldSeal:         true,
-			DisablePerfStandby: true,
-		},
-		{
-			Name:   "both",
-			Rekey:  true,
-			Rotate: true,
-			// If we are moving forward and we have rekeyed and rotated there
-			// isn't any way to restore the latest keys so expect to seal.
-			ShouldSeal:         true,
-			DisablePerfStandby: true,
-		},
-	}
-
-	if constants.IsEnterprise {
-		tCases = append(tCases, []testCase{
-			{
-				Name:               "rekey-with-perf-standby",
-				Rekey:              true,
-				Rotate:             false,
-				ShouldSeal:         false,
-				DisablePerfStandby: false,
-			},
-			{
-				Name:   "rotate-with-perf-standby",
-				Rekey:  false,
-				Rotate: true,
-				// Rotate writes a new master key upgrade using the new term, which
-				// we can no longer decrypt. We must seal here.
-				ShouldSeal:         true,
-				DisablePerfStandby: false,
-			},
-			{
-				Name:   "both-with-perf-standby",
-				Rekey:  true,
-				Rotate: true,
-				// If we are moving forward and we have rekeyed and rotated there
-				// isn't any way to restore the latest keys so expect to seal.
-				ShouldSeal:         true,
-				DisablePerfStandby: false,
-			},
-		}...)
-	}
-
-	for _, tCase := range tCases {
-		t.Run(tCase.Name, func(t *testing.T) {
-			// bind locally
-			tCaseLocal := tCase
-			t.Parallel()
-
-			cluster, _ := raftCluster(t, &RaftClusterOpts{DisablePerfStandby: tCaseLocal.DisablePerfStandby})
-			defer cluster.Cleanup()
-
-			leaderClient := cluster.Cores[0].Client
-
-			// Write a few keys
-			for i := 0; i < 10; i++ {
-				_, err := leaderClient.Logical().Write(fmt.Sprintf("secret/%d", i), map[string]interface{}{
-					"test": "data",
-				})
-				if err != nil {
-					t.Fatal(err)
-				}
-			}
-
-			transport := cleanhttp.DefaultPooledTransport()
-			transport.TLSClientConfig = cluster.Cores[0].TLSConfig()
-			if err := http2.ConfigureTransport(transport); err != nil {
-				t.Fatal(err)
-			}
-			client := &http.Client{
-				Transport: transport,
-			}
-
-			// Take a snapshot
-			req := leaderClient.NewRequest("GET", "/v1/sys/storage/raft/snapshot")
-			httpReq, err := req.ToHTTP()
-			if err != nil {
-				t.Fatal(err)
-			}
-			resp, err := client.Do(httpReq)
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			snap, err := ioutil.ReadAll(resp.Body)
-			resp.Body.Close()
-			if err != nil {
-				t.Fatal(err)
-			}
-			if len(snap) == 0 {
-				t.Fatal("no snapshot returned")
-			}
-
-			if tCaseLocal.Rekey {
-				// Rekey
-				cluster.BarrierKeys = testhelpers.RekeyCluster(t, cluster, false)
-
-				testhelpers.EnsureStableActiveNode(t, cluster)
-				testhelpers.WaitForActiveNodeAndStandbys(t, cluster)
-			}
-			if tCaseLocal.Rotate {
-				// Set the key clean up to 0 so it's cleaned immediately. This
-				// will simulate that there are no ways to upgrade to the latest
-				// term.
-				for _, c := range cluster.Cores {
-					c.Core.SetKeyRotateGracePeriod(0)
-				}
-
-				// Rotate
-				err = leaderClient.Sys().Rotate()
-				if err != nil {
-					t.Fatal(err)
-				}
-
-				if !tCaseLocal.DisablePerfStandby {
-					// Without the key upgrade the perf standby nodes will seal and
-					// raft will get into a failure state. Make sure we get the
-					// cluster back into a healthy state before moving forward.
-					testhelpers.WaitForNCoresSealed(t, cluster, 2)
-					testhelpers.EnsureCoresUnsealed(t, cluster)
-					testhelpers.WaitForActiveNodeAndStandbys(t, cluster)
-
-					active := testhelpers.DeriveActiveCore(t, cluster)
-					leaderClient = active.Client
-				}
-			}
-
-			// cache the new barrier keys
-			newBarrierKeys := cluster.BarrierKeys
-
-			// Take another snapshot for later use in "jumping" forward
-			req = leaderClient.NewRequest("GET", "/v1/sys/storage/raft/snapshot")
-			httpReq, err = req.ToHTTP()
-			if err != nil {
-				t.Fatal(err)
-			}
-			resp, err = client.Do(httpReq)
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			snap2, err := ioutil.ReadAll(resp.Body)
-			resp.Body.Close()
-			if err != nil {
-				t.Fatal(err)
-			}
-			if len(snap2) == 0 {
-				t.Fatal("no snapshot returned")
-			}
-
-			// Restore snapshot to move us back in time so we can test going
-			// forward
-			req = leaderClient.NewRequest("POST", "/v1/sys/storage/raft/snapshot-force")
-			req.Body = bytes.NewBuffer(snap)
-			httpReq, err = req.ToHTTP()
-			if err != nil {
-				t.Fatal(err)
-			}
-			resp, err = client.Do(httpReq)
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			testhelpers.EnsureStableActiveNode(t, cluster)
-			testhelpers.WaitForActiveNodeAndStandbys(t, cluster)
-			if tCaseLocal.Rekey {
-				// Restore snapshot, should fail.
-				req = leaderClient.NewRequest("POST", "/v1/sys/storage/raft/snapshot")
-				req.Body = bytes.NewBuffer(snap2)
-				httpReq, err = req.ToHTTP()
-				if err != nil {
-					t.Fatal(err)
-				}
-				resp, err = client.Do(httpReq)
-				if err != nil {
-					t.Fatal(err)
-				}
-				// Parse Response
-				apiResp := api.Response{Response: resp}
-				if apiResp.Error() == nil || !strings.Contains(apiResp.Error().Error(), "could not verify hash file, possibly the snapshot is using a different set of unseal keys") {
-					t.Fatalf("expected error verifying hash file, got %v", apiResp.Error())
-				}
-
-			}
-
-			// Restore snapshot force
-			req = leaderClient.NewRequest("POST", "/v1/sys/storage/raft/snapshot-force")
-			req.Body = bytes.NewBuffer(snap2)
-			httpReq, err = req.ToHTTP()
-			if err != nil {
-				t.Fatal(err)
-			}
-			resp, err = client.Do(httpReq)
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			switch tCaseLocal.ShouldSeal {
-			case true:
-				testhelpers.WaitForNCoresSealed(t, cluster, 3)
-
-			case false:
-				testhelpers.EnsureStableActiveNode(t, cluster)
-				testhelpers.WaitForActiveNodeAndStandbys(t, cluster)
-
-				// Write some data so we can make sure we can read it later. This is testing
-				// that we correctly reload the keyring
-				_, err = leaderClient.Logical().Write("secret/foo", map[string]interface{}{
-					"test": "data",
-				})
-				if err != nil {
-					t.Fatal(err)
-				}
-
-				testhelpers.EnsureCoresSealed(t, cluster)
-
-				cluster.BarrierKeys = newBarrierKeys
-				testhelpers.EnsureCoresUnsealed(t, cluster)
-				testhelpers.WaitForActiveNode(t, cluster)
-				activeCore := testhelpers.DeriveStableActiveCore(t, cluster)
-
-				// Read the value.
-				data, err := activeCore.Client.Logical().Read("secret/foo")
-				if err != nil {
-					t.Fatal(err)
-				}
-				if data.Data["test"].(string) != "data" {
-					t.Fatal(data)
-				}
-			}
-		})
-	}
-}
-
-func TestRaft_SnapshotAPI_DifferentCluster(t *testing.T) {
-	t.Parallel()
-	cluster, _ := raftCluster(t, nil)
-	defer cluster.Cleanup()
-
-	leaderClient := cluster.Cores[0].Client
-
-	// Write a few keys
-	for i := 0; i < 10; i++ {
-		_, err := leaderClient.Logical().Write(fmt.Sprintf("secret/%d", i), map[string]interface{}{
-			"test": "data",
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-	}
-
-	transport := cleanhttp.DefaultPooledTransport()
-	transport.TLSClientConfig = cluster.Cores[0].TLSConfig()
-	if err := http2.ConfigureTransport(transport); err != nil {
-		t.Fatal(err)
-	}
-	client := &http.Client{
-		Transport: transport,
-	}
-
-	// Take a snapshot
-	req := leaderClient.NewRequest("GET", "/v1/sys/storage/raft/snapshot")
-	httpReq, err := req.ToHTTP()
-	if err != nil {
-		t.Fatal(err)
-	}
-	resp, err := client.Do(httpReq)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	snap, err := ioutil.ReadAll(resp.Body)
-	resp.Body.Close()
+	client, err := c.Client()
 	if err != nil {
-		t.Fatal(err)
-	}
-	if len(snap) == 0 {
-		t.Fatal("no snapshot returned")
+		c.UI.Error(err.Error())
+		return 2
 	}
 
-	// Cluster 2
-	{
-		cluster2, _ := raftCluster(t, nil)
-		defer cluster2.Cleanup()
-
-		leaderClient := cluster2.Cores[0].Client
-
-		transport := cleanhttp.DefaultPooledTransport()
-		transport.TLSClientConfig = cluster2.Cores[0].TLSConfig()
-		if err := http2.ConfigureTransport(transport); err != nil {
-			t.Fatal(err)
-		}
-		client := &http.Client{
-			Transport: transport,
-		}
-		// Restore snapshot, should fail.
-		req = leaderClient.NewRequest("POST", "/v1/sys/storage/raft/snapshot")
-		req.Body = bytes.NewBuffer(snap)
-		httpReq, err = req.ToHTTP()
-		if err != nil {
-			t.Fatal(err)
-		}
-		resp, err = client.Do(httpReq)
-		if err != nil {
-			t.Fatal(err)
-		}
-		// Parse Response
-		apiResp := api.Response{Response: resp}
-		if !strings.Contains(apiResp.Error().Error(), "could not verify hash file, possibly the snapshot is using a different set of unseal keys") {
-			t.Fatal(apiResp.Error())
-		}
-
-		// Restore snapshot force
-		req = leaderClient.NewRequest("POST", "/v1/sys/storage/raft/snapshot-force")
-		req.Body = bytes.NewBuffer(snap)
-		httpReq, err = req.ToHTTP()
-		if err != nil {
-			t.Fatal(err)
-		}
-		resp, err = client.Do(httpReq)
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		testhelpers.WaitForNCoresSealed(t, cluster2, 3)
-	}
+	secret, err := client.Logical().Write(path, data)
+	return handleWriteSecretOutput(c.BaseCommand, path, secret, err)
 }
 
-func BenchmarkRaft_SingleNode(b *testing.B) {
-	cluster, _ := raftCluster(b, nil)
-	defer cluster.Cleanup()
-
-	leaderClient := cluster.Cores[0].Client
-
-	bench := func(b *testing.B, dataSize int) {
-		data, err := uuid.GenerateRandomBytes(dataSize)
-		if err != nil {
-			b.Fatal(err)
-		}
-
-		testName := b.Name()
-
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			key := fmt.Sprintf("secret/%x", md5.Sum([]byte(fmt.Sprintf("%s-%d", testName, i))))
-			_, err := leaderClient.Logical().Write(key, map[string]interface{}{
-				"test": data,
-			})
-			if err != nil {
-				b.Fatal(err)
-			}
+func handleWriteSecretOutput(c *BaseCommand, path string, secret *api.Secret, err error) int {
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Error writing data to %s: %s", path, err))
+		if secret != nil {
+			OutputSecret(c.UI, secret)
 		}
+		return 2
 	}
-
-	b.Run("256b", func(b *testing.B) { bench(b, 25) })
-}
-
-func TestRaft_Join_InitStatus(t *testing.T) {
-	t.Parallel()
-	var conf vault.CoreConfig
-	opts := vault.TestClusterOptions{HandlerFunc: vaulthttp.Handler}
-	teststorage.RaftBackendSetup(&conf, &opts)
-	opts.SetupFunc = nil
-	cluster := vault.NewTestCluster(t, &conf, &opts)
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	addressProvider := &testhelpers.TestRaftServerAddressProvider{Cluster: cluster}
-
-	leaderCore := cluster.Cores[0]
-	leaderAPI := leaderCore.Client.Address()
-	atomic.StoreUint32(&vault.TestingUpdateClusterAddr, 1)
-
-	// Seal the leader so we can install an address provider
-	{
-		testhelpers.EnsureCoreSealed(t, leaderCore)
-		leaderCore.UnderlyingRawStorage.(*raft.RaftBackend).SetServerAddressProvider(addressProvider)
-		cluster.UnsealCore(t, leaderCore)
-		vault.TestWaitActive(t, leaderCore.Core)
-	}
-
-	joinFunc := func(client *api.Client) {
-		req := &api.RaftJoinRequest{
-			LeaderAPIAddr: leaderAPI,
-			LeaderCACert:  string(cluster.CACertPEM),
-		}
-		resp, err := client.Sys().RaftJoin(req)
-		if err != nil {
-			t.Fatal(err)
-		}
-		if !resp.Joined {
-			t.Fatalf("failed to join raft cluster")
+	if secret == nil {
+		// Don't output anything unless using the "table" format
+		// and even then, don't output anything if a specific field was requested
+		if c.flagField == "" && Format(c.UI) == "table" {
+			c.UI.Info(fmt.Sprintf("Success! Data written to: %s", path))
 		}
+		return 0
 	}
 
-	verifyInitStatus := func(coreIdx int, expected bool) {
-		t.Helper()
-		client := cluster.Cores[coreIdx].Client
-
-		initialized, err := client.Sys().InitStatus()
+	// Currently, if there is only one MFA method configured, the login
+	// request is validated interactively
+	methodInfo := c.getInteractiveMFAMethodInfo(secret)
+	if methodInfo != nil {
+		secret, err = c.validateMFA(secret.Auth.MFARequirement.MFARequestID, *methodInfo)
 		if err != nil {
-			t.Fatal(err)
-		}
-
-		if initialized != expected {
-			t.Errorf("core %d: expected init=%v, sys/init returned %v", coreIdx, expected, initialized)
-		}
-
-		status, err := client.Sys().SealStatus()
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		if status.Initialized != expected {
-			t.Errorf("core %d: expected init=%v, sys/seal-status returned %v", coreIdx, expected, status.Initialized)
-		}
-
-		health, err := client.Sys().Health()
-		if err != nil {
-			t.Fatal(err)
-		}
-		if health.Initialized != expected {
-			t.Errorf("core %d: expected init=%v, sys/health returned %v", coreIdx, expected, health.Initialized)
+			c.UI.Error(err.Error())
+			return 2
 		}
+	} else if c.getMFAValidationRequired(secret) {
+		c.UI.Warn(wrapAtLength("A login request was issued that is subject to "+
+			"MFA validation. Please make sure to validate the login by sending another "+
+			"request to sys/mfa/validate endpoint.") + "\n")
 	}
 
-	for i := range cluster.Cores {
-		verifyInitStatus(i, i < 1)
+	// Handle single field output
+	if c.flagField != "" {
+		return PrintRawField(c.UI, secret, c.flagField)
 	}
 
-	joinFunc(cluster.Cores[1].Client)
-	for i, core := range cluster.Cores {
-		verifyInitStatus(i, i < 2)
-		if i == 1 {
-			cluster.UnsealCore(t, core)
-			verifyInitStatus(i, true)
-		}
-	}
-
-	joinFunc(cluster.Cores[2].Client)
-	for i, core := range cluster.Cores {
-		verifyInitStatus(i, true)
-		if i == 2 {
-			cluster.UnsealCore(t, core)
-			verifyInitStatus(i, true)
-		}
-	}
-
-	testhelpers.WaitForActiveNodeAndStandbys(t, cluster)
-	for i := range cluster.Cores {
-		verifyInitStatus(i, true)
-	}
+	return OutputSecret(c.UI, secret)
 }
diff --git a/vault/external_tests/sealmigration/testshared.go b/vault/external_tests/sealmigration/testshared.go
index a50acced19d3..2e7a32833fa1 100644
--- a/vault/external_tests/sealmigration/testshared.go
+++ b/vault/external_tests/sealmigration/testshared.go
@@ -1,887 +1,307 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package sealmigration
+package command
 
 import (
-	"context"
-	"encoding/base64"
-	"fmt"
+	"io"
+	"strings"
 	"testing"
-	"time"
 
-	"github.com/go-test/deep"
-	"github.com/hashicorp/go-hclog"
-	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
+	"github.com/hashicorp/cli"
 	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/helper/namespace"
-	"github.com/hashicorp/vault/helper/testhelpers"
-	sealhelper "github.com/hashicorp/vault/helper/testhelpers/seal"
-	"github.com/hashicorp/vault/helper/testhelpers/teststorage"
-	"github.com/hashicorp/vault/http"
-	"github.com/hashicorp/vault/physical/raft"
-	"github.com/hashicorp/vault/vault"
 )
 
-const (
-	numTestCores = 3
-	keyShares    = 3
-	keyThreshold = 3
+func testWriteCommand(tb testing.TB) (*cli.MockUi, *WriteCommand) {
+	tb.Helper()
 
-	BasePort_ShamirToTransit_Pre14  = 20000
-	BasePort_TransitToShamir_Pre14  = 21000
-	BasePort_ShamirToTransit_Post14 = 22000
-	BasePort_TransitToShamir_Post14 = 23000
-	BasePort_TransitToTransit       = 24000
-)
-
-func ParamTestSealMigrationTransitToShamir_Pre14(t *testing.T, logger hclog.Logger, storage teststorage.ReusableStorage, basePort int) {
-	// Create the transit server.
-	tss := sealhelper.NewTransitSealServer(t, 0)
-	defer func() {
-		if tss != nil {
-			tss.Cleanup()
-		}
-	}()
-	sealKeyName := "transit-seal-key"
-	tss.MakeKey(t, sealKeyName)
-
-	// Initialize the backend with transit.
-	cluster, opts := InitializeTransit(t, logger, storage, basePort, tss, sealKeyName)
-	rootToken, recoveryKeys := cluster.RootToken, cluster.RecoveryKeys
-	cluster.EnsureCoresSealed(t)
-	cluster.Cleanup()
-	storage.Cleanup(t, cluster)
-
-	// Migrate the backend from transit to shamir
-	migrateFromTransitToShamir_Pre14(t, logger, storage, basePort, tss, opts.SealFunc, rootToken, recoveryKeys)
-
-	// Now that migration is done, we can nuke the transit server, since we
-	// can unseal without it.
-	tss.Cleanup()
-	tss = nil
-
-	// Run the backend with shamir.  Note that the recovery keys are now the
-	// barrier keys.
-	runShamir(t, logger, storage, basePort, rootToken, recoveryKeys)
-}
-
-func ParamTestSealMigrationShamirToTransit_Pre14(t *testing.T, logger hclog.Logger, storage teststorage.ReusableStorage, basePort int) {
-	// Initialize the backend using shamir
-	cluster, _ := initializeShamir(t, logger, storage, basePort)
-	rootToken, barrierKeys := cluster.RootToken, cluster.BarrierKeys
-	cluster.Cleanup()
-	storage.Cleanup(t, cluster)
-
-	// Create the transit server.
-	tss := sealhelper.NewTransitSealServer(t, 0)
-	defer func() {
-		tss.EnsureCoresSealed(t)
-		tss.Cleanup()
-	}()
-	tss.MakeKey(t, "transit-seal-key-1")
-
-	// Migrate the backend from shamir to transit.  Note that the barrier keys
-	// are now the recovery keys.
-	sealFunc := migrateFromShamirToTransit_Pre14(t, logger, storage, basePort, tss, rootToken, barrierKeys)
-
-	// Run the backend with transit.
-	runAutoseal(t, logger, storage, basePort, rootToken, sealFunc)
-}
-
-func ParamTestSealMigrationTransitToShamir_Post14(t *testing.T, logger hclog.Logger, storage teststorage.ReusableStorage, basePort int) {
-	// Create the transit server.
-	tss := sealhelper.NewTransitSealServer(t, 0)
-	defer func() {
-		if tss != nil {
-			tss.Cleanup()
-		}
-	}()
-	sealKeyName := "transit-seal-key-1"
-	tss.MakeKey(t, sealKeyName)
-
-	// Initialize the backend with transit.
-	cluster, opts := InitializeTransit(t, logger, storage, basePort, tss, sealKeyName)
-	rootToken, recoveryKeys := cluster.RootToken, cluster.RecoveryKeys
-
-	// Migrate the backend from transit to shamir
-	opts.UnwrapSealFunc = opts.SealFunc
-	opts.SealFunc = func() vault.Seal { return nil }
-	leaderIdx := migratePost14(t, storage, cluster, opts, cluster.RecoveryKeys)
-	validateMigration(t, storage, cluster, leaderIdx, verifySealConfigShamir)
-
-	cluster.Cleanup()
-	storage.Cleanup(t, cluster)
-
-	// Now that migration is done, we can nuke the transit server, since we
-	// can unseal without it.
-	tss.Cleanup()
-	tss = nil
-
-	// Run the backend with shamir.  Note that the recovery keys are now the
-	// barrier keys.
-	runShamir(t, logger, storage, basePort, rootToken, recoveryKeys)
-}
-
-func ParamTestSealMigrationShamirToTransit_Post14(t *testing.T, logger hclog.Logger, storage teststorage.ReusableStorage, basePort int) {
-	// Initialize the backend using shamir
-	cluster, opts := initializeShamir(t, logger, storage, basePort)
-
-	// Create the transit server.
-	tss := sealhelper.NewTransitSealServer(t, 0)
-	defer tss.Cleanup()
-	sealKeyName := "transit-seal-key-1"
-	tss.MakeKey(t, sealKeyName)
-
-	// Migrate the backend from shamir to transit.
-	opts.SealFunc = func() vault.Seal {
-		seal, err := tss.MakeSeal(t, sealKeyName)
-		if err != nil {
-			t.Fatal(err)
-		}
-		return seal
+	ui := cli.NewMockUi()
+	return ui, &WriteCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
 	}
-
-	// Restart each follower with the new config, and migrate to Transit.
-	// Note that the barrier keys are being used as recovery keys.
-	leaderIdx := migratePost14(t, storage, cluster, opts, cluster.BarrierKeys)
-	validateMigration(t, storage, cluster, leaderIdx, verifySealConfigTransit)
-	cluster.Cleanup()
-	storage.Cleanup(t, cluster)
-
-	// Run the backend with transit.
-	runAutoseal(t, logger, storage, basePort, cluster.RootToken, opts.SealFunc)
 }
 
-func ParamTestSealMigration_TransitToTransit(t *testing.T, logger hclog.Logger,
-	storage teststorage.ReusableStorage, basePort int,
-) {
-	// Create the transit server.
-	tss1 := sealhelper.NewTransitSealServer(t, 0)
-	defer func() {
-		if tss1 != nil {
-			tss1.Cleanup()
-		}
-	}()
-	sealKeyName := "transit-seal-key-1"
-	tss1.MakeKey(t, sealKeyName)
-
-	// Initialize the backend with transit.
-	cluster, opts := InitializeTransit(t, logger, storage, basePort, tss1, sealKeyName)
-	rootToken := cluster.RootToken
-
-	// Create the transit server.
-	tss2 := sealhelper.NewTransitSealServer(t, 1)
-	defer func() {
-		tss2.Cleanup()
-	}()
-	tss2.MakeKey(t, "transit-seal-key-2")
-
-	// Migrate the backend from transit to transit.
-	opts.UnwrapSealFunc = opts.SealFunc
-	opts.SealFunc = func() vault.Seal {
-		seal, err := tss2.MakeSeal(t, "transit-seal-key-2")
-		if err != nil {
-			t.Fatal(err)
-		}
-		return seal
-	}
-	leaderIdx := migratePost14(t, storage, cluster, opts, cluster.RecoveryKeys)
-	validateMigration(t, storage, cluster, leaderIdx, verifySealConfigTransit)
-	cluster.Cleanup()
-	storage.Cleanup(t, cluster)
-
-	// Now that migration is done, we can nuke the transit server, since we
-	// can unseal without it.
-	tss1.Cleanup()
-	tss1 = nil
-
-	// Run the backend with transit.
-	runAutoseal(t, logger, storage, basePort, rootToken, opts.SealFunc)
-}
+func TestWriteCommand_Run(t *testing.T) {
+	t.Parallel()
 
-func migrateFromTransitToShamir_Pre14(t *testing.T, logger hclog.Logger, storage teststorage.ReusableStorage, basePort int,
-	tss *sealhelper.TransitSealServer, sealFunc func() vault.Seal, rootToken string, recoveryKeys [][]byte,
-) {
-	baseClusterPort := basePort + 10
-
-	var conf vault.CoreConfig
-	opts := vault.TestClusterOptions{
-		Logger:                logger.Named("migrateFromTransitToShamir"),
-		HandlerFunc:           http.Handler,
-		NumCores:              numTestCores,
-		BaseListenAddress:     fmt.Sprintf("127.0.0.1:%d", basePort),
-		BaseClusterListenPort: baseClusterPort,
-		SkipInit:              true,
-		UnwrapSealFunc:        sealFunc,
-	}
-	storage.Setup(&conf, &opts)
-	conf.DisableAutopilot = true
-	cluster := vault.NewTestCluster(t, &conf, &opts)
-	cluster.Start()
-	defer func() {
-		cluster.Cleanup()
-		storage.Cleanup(t, cluster)
-	}()
-
-	leader := cluster.Cores[0]
-	client := leader.Client
-	client.SetToken(rootToken)
-
-	// Attempt to unseal while the transit server is unreachable.  Although
-	// we're unsealing using the recovery keys, this is still an
-	// autounseal, so it should fail.
-	tss.EnsureCoresSealed(t)
-	unsealMigrate(t, client, recoveryKeys, false)
-	tss.UnsealCores(t)
-	testhelpers.WaitForActiveNode(t, tss.TestCluster)
-
-	// Unseal and migrate to Shamir. Although we're unsealing using the
-	// recovery keys, this is still an autounseal.
-	unsealMigrate(t, client, recoveryKeys, true)
-	testhelpers.WaitForActiveNode(t, cluster)
-
-	// Wait for migration to finish.  Sadly there is no callback, and the
-	// test will fail later on if we don't do this.
-	time.Sleep(10 * time.Second)
-
-	// Read the secret
-	secret, err := client.Logical().Read("kv-wrapped/foo")
-	if err != nil {
-		t.Fatal(err)
-	}
-	if diff := deep.Equal(secret.Data, map[string]interface{}{"zork": "quux"}); len(diff) > 0 {
-		t.Fatal(diff)
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"not_enough_args",
+			[]string{},
+			"Not enough arguments",
+			1,
+		},
+		{
+			"empty_kvs",
+			[]string{"secret/write/foo"},
+			"Must supply data or use -force",
+			1,
+		},
+		{
+			"force_kvs",
+			[]string{"-force", "auth/token/create"},
+			"token",
+			0,
+		},
+		{
+			"force_f_kvs",
+			[]string{"-f", "auth/token/create"},
+			"token",
+			0,
+		},
+		{
+			"kvs_no_value",
+			[]string{"secret/write/foo", "foo"},
+			"Failed to parse K=V data",
+			1,
+		},
+		{
+			"single_value",
+			[]string{"secret/write/foo", "foo=bar"},
+			"Success!",
+			0,
+		},
+		{
+			"multi_value",
+			[]string{"secret/write/foo", "foo=bar", "zip=zap"},
+			"Success!",
+			0,
+		},
+		{
+			"field",
+			[]string{
+				"-field", "token_renewable",
+				"auth/token/create", "display_name=foo",
+			},
+			"false",
+			0,
+		},
+		{
+			"field_not_found",
+			[]string{
+				"-field", "not-a-real-field",
+				"auth/token/create", "display_name=foo",
+			},
+			"not present in secret",
+			1,
+		},
 	}
 
-	// Write a new secret
-	_, err = leader.Client.Logical().Write("kv-wrapped/test", map[string]interface{}{
-		"zork": "quux",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
+	for _, tc := range cases {
+		tc := tc
 
-	// Make sure the seal configs were updated correctly.
-	b, r, err := cluster.Cores[0].Core.PhysicalSealConfigs(context.Background())
-	if err != nil {
-		t.Fatal(err)
-	}
-	verifyBarrierConfig(t, b, wrapping.WrapperTypeShamir.String(), keyShares, keyThreshold, 1)
-	if r != nil {
-		t.Fatalf("expected nil recovery config, got: %#v", r)
-	}
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
 
-	cluster.EnsureCoresSealed(t)
-}
+			client, closer := testVaultServer(t)
+			defer closer()
 
-func migrateFromShamirToTransit_Pre14(t *testing.T, logger hclog.Logger, storage teststorage.ReusableStorage, basePort int, tss *sealhelper.TransitSealServer, rootToken string, recoveryKeys [][]byte) func() vault.Seal {
-	baseClusterPort := basePort + 10
+			ui, cmd := testWriteCommand(t)
+			cmd.client = client
 
-	conf := vault.CoreConfig{
-		DisableAutopilot: true,
-	}
-	opts := vault.TestClusterOptions{
-		Logger:                logger.Named("migrateFromShamirToTransit"),
-		HandlerFunc:           http.Handler,
-		NumCores:              numTestCores,
-		BaseListenAddress:     fmt.Sprintf("127.0.0.1:%d", basePort),
-		BaseClusterListenPort: baseClusterPort,
-		SkipInit:              true,
-		// N.B. Providing a transit seal puts us in migration mode.
-		SealFunc: func() vault.Seal {
-			seal, err := tss.MakeSeal(t, "transit-seal-key")
-			if err != nil {
-				t.Fatal(err)
+			code := cmd.Run(tc.args)
+			if code != tc.code {
+				t.Errorf("expected %d to be %d", code, tc.code)
 			}
-			return seal
-		},
-	}
-	storage.Setup(&conf, &opts)
-	cluster := vault.NewTestCluster(t, &conf, &opts)
-	cluster.Start()
-	defer func() {
-		cluster.Cleanup()
-		storage.Cleanup(t, cluster)
-	}()
 
-	leader := cluster.Cores[0]
-	leader.Client.SetToken(rootToken)
+			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+			if !strings.Contains(combined, tc.out) {
+				t.Errorf("expected %q to contain %q", combined, tc.out)
+			}
+		})
+	}
 
-	// Unseal and migrate to Transit.
-	unsealMigrate(t, leader.Client, recoveryKeys, true)
+	// If we ask for a field and get an empty result, do not output "Success!" or anything else
+	t.Run("field_from_nothing", func(t *testing.T) {
+		t.Parallel()
 
-	// Wait for migration to finish.
-	awaitMigration(t, leader.Client)
+		client, closer := testVaultServer(t)
+		defer closer()
 
-	verifySealConfigTransit(t, leader)
+		ui, cmd := testWriteCommand(t)
+		cmd.client = client
 
-	// Read the secrets
-	secret, err := leader.Client.Logical().Read("kv-wrapped/foo")
-	if err != nil {
-		t.Fatal(err)
-	}
-	if diff := deep.Equal(secret.Data, map[string]interface{}{"zork": "quux"}); len(diff) > 0 {
-		t.Fatal(diff)
-	}
+		code := cmd.Run([]string{
+			"-field", "somefield",
+			"secret/write/foo", "foo=bar",
+		})
+		if exp := 0; code != exp {
+			t.Fatalf("expected %d to be %d: %q", code, exp, ui.ErrorWriter.String())
+		}
 
-	// Write a new secret
-	_, err = leader.Client.Logical().Write("kv-wrapped/test", map[string]interface{}{
-		"zork": "quux",
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if combined != "" {
+			t.Errorf("expected %q to be empty", combined)
+		}
 	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	return opts.SealFunc
-}
 
-func validateMigration(t *testing.T, storage teststorage.ReusableStorage,
-	cluster *vault.TestCluster, leaderIdx int, f func(t *testing.T, core *vault.TestClusterCore),
-) {
-	t.Helper()
+	t.Run("force", func(t *testing.T) {
+		t.Parallel()
 
-	leader := cluster.Cores[leaderIdx]
+		client, closer := testVaultServer(t)
+		defer closer()
 
-	secret, err := leader.Client.Logical().Read("kv-wrapped/foo")
-	if err != nil {
-		t.Fatal(err)
-	}
-	if diff := deep.Equal(secret.Data, map[string]interface{}{"zork": "quux"}); len(diff) > 0 {
-		t.Fatal(diff)
-	}
-
-	var appliedIndex uint64
-	if storage.IsRaft {
-		appliedIndex = testhelpers.RaftAppliedIndex(leader)
-	}
-
-	for _, core := range cluster.Cores {
-		if storage.IsRaft {
-			testhelpers.WaitForRaftApply(t, core, appliedIndex)
+		if err := client.Sys().Mount("transit/", &api.MountInput{
+			Type: "transit",
+		}); err != nil {
+			t.Fatal(err)
 		}
 
-		f(t, core)
-	}
-}
+		ui, cmd := testWriteCommand(t)
+		cmd.client = client
 
-func migratePost14(t *testing.T, storage teststorage.ReusableStorage, cluster *vault.TestCluster,
-	opts *vault.TestClusterOptions, unsealKeys [][]byte,
-) int {
-	cluster.Logger = cluster.Logger.Named("migration")
-	// Restart each follower with the new config, and migrate.
-	for i := 1; i < len(cluster.Cores); i++ {
-		cluster.StopCore(t, i)
-		if storage.IsRaft {
-			teststorage.CloseRaftStorage(t, cluster, i)
+		code := cmd.Run([]string{
+			"-force",
+			"transit/keys/my-key",
+		})
+		if exp := 0; code != exp {
+			t.Fatalf("expected %d to be %d: %q", code, exp, ui.ErrorWriter.String())
 		}
-		cluster.StartCore(t, i, opts)
-
-		unsealMigrate(t, cluster.Cores[i].Client, unsealKeys, true)
-	}
-	testhelpers.WaitForActiveNodeAndStandbys(t, cluster)
-
-	// Step down the active node which will kick off the migration on one of the
-	// other nodes.
-	err := cluster.Cores[0].Client.Sys().StepDown()
-	if err != nil {
-		t.Fatal(err)
-	}
 
-	// Wait for the followers to establish a new leader
-	var leaderIdx int
-	for i := 0; i < 30; i++ {
-		leaderIdx, err = testhelpers.AwaitLeader(t, cluster)
+		secret, err := client.Logical().Read("transit/keys/my-key")
 		if err != nil {
 			t.Fatal(err)
 		}
-		if leaderIdx != 0 {
-			break
+		if secret == nil || secret.Data == nil {
+			t.Fatal("expected secret to have data")
 		}
-		time.Sleep(1 * time.Second)
-	}
-	if leaderIdx == 0 {
-		t.Fatalf("Core 0 cannot be the leader right now")
-	}
-	leader := cluster.Cores[leaderIdx]
-
-	// Wait for migration to occur on the leader
-	awaitMigration(t, leader.Client)
-
-	var appliedIndex uint64
-	if storage.IsRaft {
-		appliedIndex = testhelpers.RaftAppliedIndex(leader)
-		testhelpers.WaitForRaftApply(t, cluster.Cores[0], appliedIndex)
-	}
-
-	// Bring down the leader
-	cluster.StopCore(t, 0)
-	if storage.IsRaft {
-		teststorage.CloseRaftStorage(t, cluster, 0)
-	}
-
-	// Bring core 0 back up; we still have the seal migration config in place,
-	// but now that migration has been performed we should be able to unseal
-	// with the new seal and without using the `migrate` unseal option.
-	cluster.StartCore(t, 0, opts)
-	unseal(t, cluster.Cores[0].Client, unsealKeys)
-
-	// Write a new secret
-	_, err = leader.Client.Logical().Write("kv-wrapped/test", map[string]interface{}{
-		"zork": "quux",
 	})
-	if err != nil {
-		t.Fatal(err)
-	}
 
-	return leaderIdx
-}
+	t.Run("stdin_full", func(t *testing.T) {
+		t.Parallel()
 
-func unsealMigrate(t *testing.T, client *api.Client, keys [][]byte, transitServerAvailable bool) {
-	t.Helper()
-	if err := attemptUnseal(client, keys); err == nil {
-		t.Fatal("expected error due to lack of migrate parameter")
-	}
-	if err := attemptUnsealMigrate(client, keys, transitServerAvailable); err != nil {
-		t.Fatal(err)
-	}
-}
+		client, closer := testVaultServer(t)
+		defer closer()
 
-func attemptUnsealMigrate(client *api.Client, keys [][]byte, transitServerAvailable bool) error {
-	for i, key := range keys {
-		resp, err := client.Sys().UnsealWithOptions(&api.UnsealOpts{
-			Key:     base64.StdEncoding.EncodeToString(key),
-			Migrate: true,
-		})
+		stdinR, stdinW := io.Pipe()
+		go func() {
+			stdinW.Write([]byte(`{"foo":"bar"}`))
+			stdinW.Close()
+		}()
 
-		if i < keyThreshold-1 {
-			// Not enough keys have been provided yet.
-			if err != nil {
-				return err
-			}
-		} else {
-			if transitServerAvailable {
-				// The transit server is running.
-				if err != nil {
-					return err
-				}
-				if resp == nil || resp.Sealed {
-					return fmt.Errorf("expected unsealed state; got %#v", resp)
-				}
-			} else {
-				// The transit server is stopped.
-				if err == nil {
-					return fmt.Errorf("expected error due to transit server being stopped.")
-				}
-			}
-			break
-		}
-	}
-	return nil
-}
+		_, cmd := testWriteCommand(t)
+		cmd.client = client
+		cmd.testStdin = stdinR
 
-// awaitMigration waits for migration to finish.
-func awaitMigration(t *testing.T, client *api.Client) {
-	timeout := time.Now().Add(60 * time.Second)
-	for {
-		if time.Now().After(timeout) {
-			break
+		code := cmd.Run([]string{
+			"secret/write/stdin_full", "-",
+		})
+		if code != 0 {
+			t.Fatalf("expected 0 to be %d", code)
 		}
 
-		resp, err := client.Sys().SealStatus()
+		secret, err := client.Logical().Read("secret/write/stdin_full")
 		if err != nil {
 			t.Fatal(err)
 		}
-		if !resp.Migration {
-			return
+		if secret == nil || secret.Data == nil {
+			t.Fatal("expected secret to have data")
 		}
+		if exp, act := "bar", secret.Data["foo"].(string); exp != act {
+			t.Errorf("expected %q to be %q", act, exp)
+		}
+	})
 
-		time.Sleep(time.Second)
-	}
+	t.Run("stdin_value", func(t *testing.T) {
+		t.Parallel()
 
-	t.Fatalf("migration did not complete.")
-}
+		client, closer := testVaultServer(t)
+		defer closer()
 
-func unseal(t *testing.T, client *api.Client, keys [][]byte) {
-	t.Helper()
-	if err := attemptUnseal(client, keys); err != nil {
-		t.Fatal(err)
-	}
-}
+		stdinR, stdinW := io.Pipe()
+		go func() {
+			stdinW.Write([]byte("bar"))
+			stdinW.Close()
+		}()
 
-func attemptUnseal(client *api.Client, keys [][]byte) error {
-	for i, key := range keys {
+		_, cmd := testWriteCommand(t)
+		cmd.client = client
+		cmd.testStdin = stdinR
 
-		resp, err := client.Sys().UnsealWithOptions(&api.UnsealOpts{
-			Key: base64.StdEncoding.EncodeToString(key),
+		code := cmd.Run([]string{
+			"secret/write/stdin_value", "foo=-",
 		})
-		if i < keyThreshold-1 {
-			// Not enough keys have been provided yet.
-			if err != nil {
-				return err
-			}
-		} else {
-			if err != nil {
-				return err
-			}
-			if resp == nil || resp.Sealed {
-				return fmt.Errorf("expected unsealed state; got %#v", resp)
-			}
-			break
+		if code != 0 {
+			t.Fatalf("expected 0 to be %d", code)
 		}
-	}
-	return nil
-}
-
-func verifySealConfigShamir(t *testing.T, core *vault.TestClusterCore) {
-	t.Helper()
-	b, r, err := core.PhysicalSealConfigs(context.Background())
-	if err != nil {
-		t.Fatal(err)
-	}
-	verifyBarrierConfig(t, b, wrapping.WrapperTypeShamir.String(), keyShares, keyThreshold, 1)
-	if r != nil {
-		t.Fatal("should not have recovery config for shamir")
-	}
-}
-
-func verifySealConfigTransit(t *testing.T, core *vault.TestClusterCore) {
-	t.Helper()
-	b, r, err := core.PhysicalSealConfigs(context.Background())
-	if err != nil {
-		t.Fatal(err)
-	}
-	verifyBarrierConfig(t, b, wrapping.WrapperTypeTransit.String(), 1, 1, 1)
-	verifyBarrierConfig(t, r, wrapping.WrapperTypeShamir.String(), keyShares, keyThreshold, 0)
-}
-
-// verifyBarrierConfig verifies that a barrier configuration is correct.
-func verifyBarrierConfig(t *testing.T, cfg *vault.SealConfig, sealType string, shares, threshold, stored int) {
-	t.Helper()
-	if cfg.Type != sealType {
-		t.Fatalf("bad seal config: %#v, expected type=%q", cfg, sealType)
-	}
-	if cfg.SecretShares != shares {
-		t.Fatalf("bad seal config: %#v, expected SecretShares=%d", cfg, shares)
-	}
-	if cfg.SecretThreshold != threshold {
-		t.Fatalf("bad seal config: %#v, expected SecretThreshold=%d", cfg, threshold)
-	}
-	if cfg.StoredShares != stored {
-		t.Fatalf("bad seal config: %#v, expected StoredShares=%d", cfg, stored)
-	}
-}
-
-// initializeShamir initializes a brand new backend storage with Shamir.
-func initializeShamir(t *testing.T, logger hclog.Logger, storage teststorage.ReusableStorage, basePort int) (*vault.TestCluster, *vault.TestClusterOptions) {
-	t.Helper()
-
-	baseClusterPort := basePort + 10
-
-	// Start the cluster
-	conf := vault.CoreConfig{
-		DisableAutopilot: true,
-	}
-	opts := vault.TestClusterOptions{
-		Logger:                logger.Named("initializeShamir"),
-		HandlerFunc:           http.Handler,
-		NumCores:              numTestCores,
-		BaseListenAddress:     fmt.Sprintf("127.0.0.1:%d", basePort),
-		BaseClusterListenPort: baseClusterPort,
-	}
-	storage.Setup(&conf, &opts)
-	cluster := vault.NewTestCluster(t, &conf, &opts)
-	cluster.Start()
-
-	leader := cluster.Cores[0]
-	client := leader.Client
 
-	// Unseal
-	if storage.IsRaft {
-		joinRaftFollowers(t, cluster, false)
-		if err := testhelpers.VerifyRaftConfiguration(leader, len(cluster.Cores)); err != nil {
+		secret, err := client.Logical().Read("secret/write/stdin_value")
+		if err != nil {
 			t.Fatal(err)
 		}
-	} else {
-		cluster.UnsealCores(t)
-	}
-	testhelpers.WaitForActiveNodeAndStandbys(t, cluster)
-
-	err := client.Sys().Mount("kv-wrapped", &api.MountInput{
-		SealWrap: true,
-		Type:     "kv",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Write a secret that we will read back out later.
-	_, err = client.Logical().Write("kv-wrapped/foo", map[string]interface{}{
-		"zork": "quux",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	return cluster, &opts
-}
-
-// runShamir uses a pre-populated backend storage with Shamir.
-func runShamir(t *testing.T, logger hclog.Logger, storage teststorage.ReusableStorage, basePort int, rootToken string, barrierKeys [][]byte) {
-	t.Helper()
-	baseClusterPort := basePort + 10
-
-	// Start the cluster
-	conf := vault.CoreConfig{
-		DisableAutopilot: true,
-	}
-	opts := vault.TestClusterOptions{
-		Logger:                logger.Named("runShamir"),
-		HandlerFunc:           http.Handler,
-		NumCores:              numTestCores,
-		BaseListenAddress:     fmt.Sprintf("127.0.0.1:%d", basePort),
-		BaseClusterListenPort: baseClusterPort,
-		SkipInit:              true,
-	}
-	storage.Setup(&conf, &opts)
-	cluster := vault.NewTestCluster(t, &conf, &opts)
-	cluster.Start()
-	defer func() {
-		cluster.Cleanup()
-		storage.Cleanup(t, cluster)
-	}()
-
-	leader := cluster.Cores[0]
-
-	// Unseal
-	cluster.BarrierKeys = barrierKeys
-	if storage.IsRaft {
-		for _, core := range cluster.Cores {
-			cluster.UnsealCore(t, core)
+		if secret == nil || secret.Data == nil {
+			t.Fatal("expected secret to have data")
 		}
-		// This is apparently necessary for the raft cluster to get itself
-		// situated.
-		time.Sleep(15 * time.Second)
-		if err := testhelpers.VerifyRaftConfiguration(leader, len(cluster.Cores)); err != nil {
-			t.Fatal(err)
+		if exp, act := "bar", secret.Data["foo"].(string); exp != act {
+			t.Errorf("expected %q to be %q", act, exp)
 		}
-	} else {
-		cluster.UnsealCores(t)
-	}
-	testhelpers.WaitForNCoresUnsealed(t, cluster, len(cluster.Cores))
-
-	// Ensure that we always use the leader's client for this read check
-	leaderIdx, err := testhelpers.AwaitLeader(t, cluster)
-	if err != nil {
-		t.Fatal(err)
-	}
-	client := cluster.Cores[leaderIdx].Client
-	client.SetToken(rootToken)
-
-	// Read the secrets
-	secret, err := client.Logical().Read("kv-wrapped/foo")
-	if err != nil {
-		t.Fatal(err)
-	}
-	if diff := deep.Equal(secret.Data, map[string]interface{}{"zork": "quux"}); len(diff) > 0 {
-		t.Fatal(diff)
-	}
-	secret, err = client.Logical().Read("kv-wrapped/test")
-	if err != nil {
-		t.Fatal(err)
-	}
-	if diff := deep.Equal(secret.Data, map[string]interface{}{"zork": "quux"}); len(diff) > 0 {
-		t.Fatal(diff)
-	}
-}
-
-// initializeTransit initializes a brand new backend storage with Transit.
-func InitializeTransit(t *testing.T, logger hclog.Logger, storage teststorage.ReusableStorage, basePort int,
-	tss *sealhelper.TransitSealServer, sealKeyName string,
-) (*vault.TestCluster, *vault.TestClusterOptions) {
-	t.Helper()
+	})
 
-	baseClusterPort := basePort + 10
+	t.Run("integration", func(t *testing.T) {
+		t.Parallel()
 
-	// Start the cluster
-	conf := vault.CoreConfig{
-		DisableAutopilot: true,
-	}
-	opts := vault.TestClusterOptions{
-		Logger:                logger.Named("initializeTransit"),
-		HandlerFunc:           http.Handler,
-		NumCores:              numTestCores,
-		BaseListenAddress:     fmt.Sprintf("127.0.0.1:%d", basePort),
-		BaseClusterListenPort: baseClusterPort,
-		SealFunc: func() vault.Seal {
-			seal, err := tss.MakeSeal(t, sealKeyName)
-			if err != nil {
-				t.Fatal(err)
-			}
-			return seal
-		},
-	}
-	storage.Setup(&conf, &opts)
-	cluster := vault.NewTestCluster(t, &conf, &opts)
-	cluster.Start()
+		client, closer := testVaultServer(t)
+		defer closer()
 
-	leader := cluster.Cores[0]
-	client := leader.Client
+		_, cmd := testWriteCommand(t)
+		cmd.client = client
 
-	// Join raft
-	if storage.IsRaft {
-		joinRaftFollowers(t, cluster, true)
+		code := cmd.Run([]string{
+			"secret/write/integration", "foo=bar", "zip=zap",
+		})
+		if code != 0 {
+			t.Fatalf("expected 0 to be %d", code)
+		}
 
-		if err := testhelpers.VerifyRaftConfiguration(leader, len(cluster.Cores)); err != nil {
+		secret, err := client.Logical().Read("secret/write/integration")
+		if err != nil {
 			t.Fatal(err)
 		}
-	}
-	testhelpers.WaitForActiveNodeAndStandbys(t, cluster)
-
-	err := client.Sys().Mount("kv-wrapped", &api.MountInput{
-		SealWrap: true,
-		Type:     "kv",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Write a secret that we will read back out later.
-	_, err = client.Logical().Write("kv-wrapped/foo", map[string]interface{}{
-		"zork": "quux",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	return cluster, &opts
-}
-
-func runAutoseal(t *testing.T, logger hclog.Logger, storage teststorage.ReusableStorage,
-	basePort int, rootToken string, sealFunc func() vault.Seal,
-) {
-	baseClusterPort := basePort + 10
-
-	// Start the cluster
-	conf := vault.CoreConfig{
-		DisableAutopilot: true,
-	}
-	opts := vault.TestClusterOptions{
-		Logger:                logger.Named("runTransit"),
-		HandlerFunc:           http.Handler,
-		NumCores:              numTestCores,
-		BaseListenAddress:     fmt.Sprintf("127.0.0.1:%d", basePort),
-		BaseClusterListenPort: baseClusterPort,
-		SkipInit:              true,
-		SealFunc:              sealFunc,
-	}
-	storage.Setup(&conf, &opts)
-	cluster := vault.NewTestCluster(t, &conf, &opts)
-	cluster.Start()
-	defer func() {
-		cluster.Cleanup()
-		storage.Cleanup(t, cluster)
-	}()
-
-	for _, c := range cluster.Cores {
-		c.Client.SetToken(rootToken)
-	}
-
-	// Unseal.  Even though we are using autounseal, we have to unseal
-	// explicitly because we are using SkipInit.
-	if storage.IsRaft {
-		for _, core := range cluster.Cores {
-			cluster.UnsealCoreWithStoredKeys(t, core)
+		if secret == nil || secret.Data == nil {
+			t.Fatal("expected secret to have data")
 		}
-		// This is apparently necessary for the raft cluster to get itself
-		// situated.
-		time.Sleep(15 * time.Second)
-		// We're taking the first core, but we're not assuming it's the leader here.
-		if err := testhelpers.VerifyRaftConfiguration(cluster.Cores[0], len(cluster.Cores)); err != nil {
-			t.Fatal(err)
+		if exp, act := "bar", secret.Data["foo"].(string); exp != act {
+			t.Errorf("expected %q to be %q", act, exp)
 		}
-	} else {
-		if err := cluster.UnsealCoresWithError(true); err != nil {
-			t.Fatal(err)
+		if exp, act := "zap", secret.Data["zip"].(string); exp != act {
+			t.Errorf("expected %q to be %q", act, exp)
 		}
-	}
-	testhelpers.WaitForNCoresUnsealed(t, cluster, len(cluster.Cores))
+	})
 
-	// Preceding code may have stepped down the leader, so we're not sure who it is
-	// at this point.
-	leaderCore := testhelpers.DeriveActiveCore(t, cluster)
-	client := leaderCore.Client
+	t.Run("communication_failure", func(t *testing.T) {
+		t.Parallel()
 
-	// Read the secrets
-	secret, err := client.Logical().Read("kv-wrapped/foo")
-	if err != nil {
-		t.Fatal(err)
-	}
-	if diff := deep.Equal(secret.Data, map[string]interface{}{"zork": "quux"}); len(diff) > 0 {
-		t.Fatal(diff)
-	}
-	secret, err = client.Logical().Read("kv-wrapped/test")
-	if err != nil {
-		t.Fatal(err)
-	}
-	if secret == nil {
-		t.Fatal("secret is nil")
-	}
-	if diff := deep.Equal(secret.Data, map[string]interface{}{"zork": "quux"}); len(diff) > 0 {
-		t.Fatal(diff)
-	}
-}
+		client, closer := testVaultServerBad(t)
+		defer closer()
 
-// joinRaftFollowers unseals the leader, and then joins-and-unseals the
-// followers one at a time.  We assume that the ServerAddressProvider has
-// already been installed on all the nodes.
-func joinRaftFollowers(t *testing.T, cluster *vault.TestCluster, useStoredKeys bool) {
-	leader := cluster.Cores[0]
+		ui, cmd := testWriteCommand(t)
+		cmd.client = client
 
-	cluster.UnsealCore(t, leader)
-	vault.TestWaitActive(t, leader.Core)
-
-	leaderInfos := []*raft.LeaderJoinInfo{
-		{
-			LeaderAPIAddr: leader.Client.Address(),
-			TLSConfig:     leader.TLSConfig(),
-		},
-	}
-
-	// Join followers
-	for i := 1; i < len(cluster.Cores); i++ {
-		core := cluster.Cores[i]
-		_, err := core.JoinRaftCluster(namespace.RootContext(context.Background()), leaderInfos, false)
-		if err != nil {
-			t.Fatal(err)
+		code := cmd.Run([]string{
+			"foo/bar", "a=b",
+		})
+		if exp := 2; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
 		}
 
-		if useStoredKeys {
-			// For autounseal, the raft backend is not initialized right away
-			// after the join.  We need to wait briefly before we can unseal.
-			awaitUnsealWithStoredKeys(t, core)
-		} else {
-			cluster.UnsealCore(t, core)
+		expected := "Error writing data to foo/bar: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
 		}
-	}
+	})
 
-	testhelpers.WaitForNCoresUnsealed(t, cluster, len(cluster.Cores))
-}
+	t.Run("no_tabs", func(t *testing.T) {
+		t.Parallel()
 
-func awaitUnsealWithStoredKeys(t *testing.T, core *vault.TestClusterCore) {
-	timeout := time.Now().Add(30 * time.Second)
-	for {
-		if time.Now().After(timeout) {
-			t.Fatal("raft join: timeout waiting for core to unseal")
-		}
-		// Its actually ok for an error to happen here the first couple of
-		// times -- it means the raft join hasn't gotten around to initializing
-		// the backend yet.
-		err := core.UnsealWithStoredKeys(context.Background())
-		if err == nil {
-			return
-		}
-		core.Logger().Warn("raft join: failed to unseal core", "error", err)
-		time.Sleep(time.Second)
-	}
+		_, cmd := testWriteCommand(t)
+		assertNoTabs(t, cmd)
+	})
 }
diff --git a/vault/external_tests/standby/standby_test.go b/vault/external_tests/standby/standby_test.go
new file mode 100644
index 000000000000..85a24bfdc034
--- /dev/null
+++ b/vault/external_tests/standby/standby_test.go
@@ -0,0 +1,28143 @@
+# This file is generated by running "yarn install" inside your project.
+# Manual changes might be lost - proceed with caution!
+
+__metadata:
+  version: 6
+  cacheKey: 8
+
+"@aashutoshrathi/word-wrap@npm:^1.2.3":
+  version: 1.2.6
+  resolution: "@aashutoshrathi/word-wrap@npm:1.2.6"
+  checksum: ada901b9e7c680d190f1d012c84217ce0063d8f5c5a7725bb91ec3c5ed99bb7572680eb2d2938a531ccbaec39a95422fcd8a6b4a13110c7d98dd75402f66a0cd
+  languageName: node
+  linkType: hard
+
+"@ampproject/remapping@npm:^2.1.0":
+  version: 2.1.2
+  resolution: "@ampproject/remapping@npm:2.1.2"
+  dependencies:
+    "@jridgewell/trace-mapping": ^0.3.0
+  checksum: e023f92cdd9723f3042cde3b4d922adfeef0e198aa73486b0b6c034ad36af5f96e5c0cc72b335b30b2eb9852d907efc92af6bfcd3f4b4d286177ee32a189cf92
+  languageName: node
+  linkType: hard
+
+"@ampproject/remapping@npm:^2.2.0":
+  version: 2.2.1
+  resolution: "@ampproject/remapping@npm:2.2.1"
+  dependencies:
+    "@jridgewell/gen-mapping": ^0.3.0
+    "@jridgewell/trace-mapping": ^0.3.9
+  checksum: 03c04fd526acc64a1f4df22651186f3e5ef0a9d6d6530ce4482ec9841269cf7a11dbb8af79237c282d721c5312024ff17529cd72cc4768c11e999b58e2302079
+  languageName: node
+  linkType: hard
+
+"@babel/code-frame@npm:^7.0.0":
+  version: 7.12.13
+  resolution: "@babel/code-frame@npm:7.12.13"
+  dependencies:
+    "@babel/highlight": ^7.12.13
+  checksum: d0491bb59fb8d7a763cb175c5504818cfd3647321d8eedb9173336d5c47dccce248628ee68b3ed3586c5efc753d8d990ceafe956f707dcf92572a1661b92b1ef
+  languageName: node
+  linkType: hard
+
+"@babel/code-frame@npm:^7.12.13, @babel/code-frame@npm:^7.16.0":
+  version: 7.16.0
+  resolution: "@babel/code-frame@npm:7.16.0"
+  dependencies:
+    "@babel/highlight": ^7.16.0
+  checksum: 8961d0302ec6b8c2e9751a11e06a17617425359fd1645e4dae56a90a03464c68a0916115100fbcd030961870313f21865d0b85858360a2c68aabdda744393607
+  languageName: node
+  linkType: hard
+
+"@babel/code-frame@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/code-frame@npm:7.16.7"
+  dependencies:
+    "@babel/highlight": ^7.16.7
+  checksum: db2f7faa31bc2c9cf63197b481b30ea57147a5fc1a6fab60e5d6c02cdfbf6de8e17b5121f99917b3dabb5eeb572da078312e70697415940383efc140d4e0808b
+  languageName: node
+  linkType: hard
+
+"@babel/code-frame@npm:^7.18.6":
+  version: 7.18.6
+  resolution: "@babel/code-frame@npm:7.18.6"
+  dependencies:
+    "@babel/highlight": ^7.18.6
+  checksum: 195e2be3172d7684bf95cff69ae3b7a15a9841ea9d27d3c843662d50cdd7d6470fd9c8e64be84d031117e4a4083486effba39f9aef6bbb2c89f7f21bcfba33ba
+  languageName: node
+  linkType: hard
+
+"@babel/code-frame@npm:^7.22.13":
+  version: 7.23.5
+  resolution: "@babel/code-frame@npm:7.23.5"
+  dependencies:
+    "@babel/highlight": ^7.23.4
+    chalk: ^2.4.2
+  checksum: d90981fdf56a2824a9b14d19a4c0e8db93633fd488c772624b4e83e0ceac6039a27cd298a247c3214faa952bf803ba23696172ae7e7235f3b97f43ba278c569a
+  languageName: node
+  linkType: hard
+
+"@babel/code-frame@npm:^7.22.5":
+  version: 7.22.5
+  resolution: "@babel/code-frame@npm:7.22.5"
+  dependencies:
+    "@babel/highlight": ^7.22.5
+  checksum: cfe804f518f53faaf9a1d3e0f9f74127ab9a004912c3a16fda07fb6a633393ecb9918a053cb71804204c1b7ec3d49e1699604715e2cfb0c9f7bc4933d324ebb6
+  languageName: node
+  linkType: hard
+
+"@babel/compat-data@npm:^7.13.11, @babel/compat-data@npm:^7.13.8, @babel/compat-data@npm:^7.14.0, @babel/compat-data@npm:^7.16.0":
+  version: 7.16.4
+  resolution: "@babel/compat-data@npm:7.16.4"
+  checksum: 4949ce54eafc4b38d5623696a872acaaced1a523605708d81c2c483253941917d90dae0de40fc01e152ae56075dadd89c23014da5a632b09c001a716fa689cae
+  languageName: node
+  linkType: hard
+
+"@babel/compat-data@npm:^7.16.8, @babel/compat-data@npm:^7.17.0, @babel/compat-data@npm:^7.17.7":
+  version: 7.17.7
+  resolution: "@babel/compat-data@npm:7.17.7"
+  checksum: bf13476676884ce9afc199747ff82f3bcd6d42a9cfb01ce91bdb762b83ea11ec619b6ec532d1a80469ab14f191f33b5d4b9f8796fa8be3bc728d42b0c5e737e3
+  languageName: node
+  linkType: hard
+
+"@babel/compat-data@npm:^7.17.10":
+  version: 7.17.10
+  resolution: "@babel/compat-data@npm:7.17.10"
+  checksum: e85051087cd4690de5061909a2dd2d7f8b6434a3c2e30be6c119758db2027ae1845bcd75a81127423dd568b706ac6994a1a3d7d701069a23bf5cfe900728290b
+  languageName: node
+  linkType: hard
+
+"@babel/compat-data@npm:^7.19.0":
+  version: 7.19.0
+  resolution: "@babel/compat-data@npm:7.19.0"
+  checksum: f90d25a3779578c230ad0632e12ffd5ee1033614dee2786f7f1567823a78923da7185638eedd7166f31e4771a3398ae6a28ab8e680b96cc25bafb38a3b66ff11
+  languageName: node
+  linkType: hard
+
+"@babel/compat-data@npm:^7.22.6, @babel/compat-data@npm:^7.23.3, @babel/compat-data@npm:^7.23.5":
+  version: 7.23.5
+  resolution: "@babel/compat-data@npm:7.23.5"
+  checksum: 06ce244cda5763295a0ea924728c09bae57d35713b675175227278896946f922a63edf803c322f855a3878323d48d0255a2a3023409d2a123483c8a69ebb4744
+  languageName: node
+  linkType: hard
+
+"@babel/compat-data@npm:^7.22.9":
+  version: 7.22.9
+  resolution: "@babel/compat-data@npm:7.22.9"
+  checksum: bed77d9044ce948b4327b30dd0de0779fa9f3a7ed1f2d31638714ed00229fa71fc4d1617ae0eb1fad419338d3658d0e9a5a083297451e09e73e078d0347ff808
+  languageName: node
+  linkType: hard
+
+"@babel/core@npm:^7.0.0, @babel/core@npm:^7.12.0, @babel/core@npm:^7.3.4":
+  version: 7.16.0
+  resolution: "@babel/core@npm:7.16.0"
+  dependencies:
+    "@babel/code-frame": ^7.16.0
+    "@babel/generator": ^7.16.0
+    "@babel/helper-compilation-targets": ^7.16.0
+    "@babel/helper-module-transforms": ^7.16.0
+    "@babel/helpers": ^7.16.0
+    "@babel/parser": ^7.16.0
+    "@babel/template": ^7.16.0
+    "@babel/traverse": ^7.16.0
+    "@babel/types": ^7.16.0
+    convert-source-map: ^1.7.0
+    debug: ^4.1.0
+    gensync: ^1.0.0-beta.2
+    json5: ^2.1.2
+    semver: ^6.3.0
+    source-map: ^0.5.0
+  checksum: a140f669daa90c774016a76b1f85641975333c1c219ae0a8e65d8b4c316836e918276e0dfd55613b14f8e578406a92393d4368a63bdd5d0708122976ee2ee8e3
+  languageName: node
+  linkType: hard
+
+"@babel/core@npm:^7.1.6, @babel/core@npm:^7.12.3":
+  version: 7.14.0
+  resolution: "@babel/core@npm:7.14.0"
+  dependencies:
+    "@babel/code-frame": ^7.12.13
+    "@babel/generator": ^7.14.0
+    "@babel/helper-compilation-targets": ^7.13.16
+    "@babel/helper-module-transforms": ^7.14.0
+    "@babel/helpers": ^7.14.0
+    "@babel/parser": ^7.14.0
+    "@babel/template": ^7.12.13
+    "@babel/traverse": ^7.14.0
+    "@babel/types": ^7.14.0
+    convert-source-map: ^1.7.0
+    debug: ^4.1.0
+    gensync: ^1.0.0-beta.2
+    json5: ^2.1.2
+    semver: ^6.3.0
+    source-map: ^0.5.0
+  checksum: de02309584587690b6f184d808027676b7d827a502c0ccbfc0939fd168230ec5084b727a7de437216f9f20273cf04860b902ecf5edcfabcf876b5ac108be26d1
+  languageName: node
+  linkType: hard
+
+"@babel/core@npm:^7.13.10":
+  version: 7.17.8
+  resolution: "@babel/core@npm:7.17.8"
+  dependencies:
+    "@ampproject/remapping": ^2.1.0
+    "@babel/code-frame": ^7.16.7
+    "@babel/generator": ^7.17.7
+    "@babel/helper-compilation-targets": ^7.17.7
+    "@babel/helper-module-transforms": ^7.17.7
+    "@babel/helpers": ^7.17.8
+    "@babel/parser": ^7.17.8
+    "@babel/template": ^7.16.7
+    "@babel/traverse": ^7.17.3
+    "@babel/types": ^7.17.0
+    convert-source-map: ^1.7.0
+    debug: ^4.1.0
+    gensync: ^1.0.0-beta.2
+    json5: ^2.1.2
+    semver: ^6.3.0
+  checksum: 0e686b1be444d25494424065238931f2b3df908bf072b72bab973acfd6d27a481fc280c9cd8a3c6fe2c46beee50e0d2307468d8b15b64dc4036f025e75f6609d
+  languageName: node
+  linkType: hard
+
+"@babel/core@npm:^7.16.10":
+  version: 7.19.0
+  resolution: "@babel/core@npm:7.19.0"
+  dependencies:
+    "@ampproject/remapping": ^2.1.0
+    "@babel/code-frame": ^7.18.6
+    "@babel/generator": ^7.19.0
+    "@babel/helper-compilation-targets": ^7.19.0
+    "@babel/helper-module-transforms": ^7.19.0
+    "@babel/helpers": ^7.19.0
+    "@babel/parser": ^7.19.0
+    "@babel/template": ^7.18.10
+    "@babel/traverse": ^7.19.0
+    "@babel/types": ^7.19.0
+    convert-source-map: ^1.7.0
+    debug: ^4.1.0
+    gensync: ^1.0.0-beta.2
+    json5: ^2.2.1
+    semver: ^6.3.0
+  checksum: 0d5b52b552e215802d2fd7b266611c390d90b28dece09db8a142666c32928c5d404eb72a95630b4cb726c4d80a53fcdc2d6464cd7ad28bb26087475f1b2205e2
+  languageName: node
+  linkType: hard
+
+"@babel/core@npm:^7.16.7":
+  version: 7.18.2
+  resolution: "@babel/core@npm:7.18.2"
+  dependencies:
+    "@ampproject/remapping": ^2.1.0
+    "@babel/code-frame": ^7.16.7
+    "@babel/generator": ^7.18.2
+    "@babel/helper-compilation-targets": ^7.18.2
+    "@babel/helper-module-transforms": ^7.18.0
+    "@babel/helpers": ^7.18.2
+    "@babel/parser": ^7.18.0
+    "@babel/template": ^7.16.7
+    "@babel/traverse": ^7.18.2
+    "@babel/types": ^7.18.2
+    convert-source-map: ^1.7.0
+    debug: ^4.1.0
+    gensync: ^1.0.0-beta.2
+    json5: ^2.2.1
+    semver: ^6.3.0
+  checksum: 14a4142c12e004cd2477b7610408d5788ee5dd821ee9e4de204cbb72d9c399d858d9deabc3d49914d5d7c2927548160c19bdc7524b1a9f6acc1ec96a8d9848dd
+  languageName: node
+  linkType: hard
+
+"@babel/core@npm:^7.20.2, @babel/core@npm:^7.21.0":
+  version: 7.22.9
+  resolution: "@babel/core@npm:7.22.9"
+  dependencies:
+    "@ampproject/remapping": ^2.2.0
+    "@babel/code-frame": ^7.22.5
+    "@babel/generator": ^7.22.9
+    "@babel/helper-compilation-targets": ^7.22.9
+    "@babel/helper-module-transforms": ^7.22.9
+    "@babel/helpers": ^7.22.6
+    "@babel/parser": ^7.22.7
+    "@babel/template": ^7.22.5
+    "@babel/traverse": ^7.22.8
+    "@babel/types": ^7.22.5
+    convert-source-map: ^1.7.0
+    debug: ^4.1.0
+    gensync: ^1.0.0-beta.2
+    json5: ^2.2.2
+    semver: ^6.3.1
+  checksum: 7bf069aeceb417902c4efdaefab1f7b94adb7dea694a9aed1bda2edf4135348a080820529b1a300c6f8605740a00ca00c19b2d5e74b5dd489d99d8c11d5e56d1
+  languageName: node
+  linkType: hard
+
+"@babel/eslint-parser@npm:^7.21.3":
+  version: 7.22.9
+  resolution: "@babel/eslint-parser@npm:7.22.9"
+  dependencies:
+    "@nicolo-ribaudo/eslint-scope-5-internals": 5.1.1-v1
+    eslint-visitor-keys: ^2.1.0
+    semver: ^6.3.1
+  peerDependencies:
+    "@babel/core": ">=7.11.0"
+    eslint: ^7.5.0 || ^8.0.0
+  checksum: 4f417796c803056aad2c8fa69b8a7a78a1fdacc307d95702f22894cab42b83554e47de7d0b3cfbee667f25014bca0179f859aa86ceb684b09803192e1200b48d
+  languageName: node
+  linkType: hard
+
+"@babel/generator@npm:^7.14.0, @babel/generator@npm:^7.16.0":
+  version: 7.16.0
+  resolution: "@babel/generator@npm:7.16.0"
+  dependencies:
+    "@babel/types": ^7.16.0
+    jsesc: ^2.5.1
+    source-map: ^0.5.0
+  checksum: 9ff53e0db72a225c8783c4a277698b4efcead750542ebb9cff31732ba62d092090715a772df10a323446924712f6928ad60c03db4e7051bed3a9701b552d51fb
+  languageName: node
+  linkType: hard
+
+"@babel/generator@npm:^7.17.3, @babel/generator@npm:^7.17.7":
+  version: 7.17.7
+  resolution: "@babel/generator@npm:7.17.7"
+  dependencies:
+    "@babel/types": ^7.17.0
+    jsesc: ^2.5.1
+    source-map: ^0.5.0
+  checksum: e7344b9b4559115f2754ecc2ae9508412ea6a8f617544cd3d3f17cabc727bd30630765f96c8a4ebc8901ded1492a3a6c23d695a4f1e8f3042f860b30c891985c
+  languageName: node
+  linkType: hard
+
+"@babel/generator@npm:^7.18.2":
+  version: 7.18.2
+  resolution: "@babel/generator@npm:7.18.2"
+  dependencies:
+    "@babel/types": ^7.18.2
+    "@jridgewell/gen-mapping": ^0.3.0
+    jsesc: ^2.5.1
+  checksum: d0661e95532ddd97566d41fec26355a7b28d1cbc4df95fe80cc084c413342935911b48db20910708db39714844ddd614f61c2ec4cca3fb10181418bdcaa2e7a3
+  languageName: node
+  linkType: hard
+
+"@babel/generator@npm:^7.19.0":
+  version: 7.19.0
+  resolution: "@babel/generator@npm:7.19.0"
+  dependencies:
+    "@babel/types": ^7.19.0
+    "@jridgewell/gen-mapping": ^0.3.2
+    jsesc: ^2.5.1
+  checksum: aa3d5785cf8f8e81672dcc61aef351188efeadb20d9f66d79113d82cbcf3bbbdeb829989fa14582108572ddbc4e4027bdceb06ccaf5ec40fa93c2dda8fbcd4aa
+  languageName: node
+  linkType: hard
+
+"@babel/generator@npm:^7.22.7, @babel/generator@npm:^7.22.9":
+  version: 7.22.9
+  resolution: "@babel/generator@npm:7.22.9"
+  dependencies:
+    "@babel/types": ^7.22.5
+    "@jridgewell/gen-mapping": ^0.3.2
+    "@jridgewell/trace-mapping": ^0.3.17
+    jsesc: ^2.5.1
+  checksum: 7c9d2c58b8d5ac5e047421a6ab03ec2ff5d9a5ff2c2212130a0055e063ac349e0b19d435537d6886c999771aef394832e4f54cd9fc810100a7f23d982f6af06b
+  languageName: node
+  linkType: hard
+
+"@babel/helper-annotate-as-pure@npm:^7.12.13, @babel/helper-annotate-as-pure@npm:^7.16.0":
+  version: 7.16.0
+  resolution: "@babel/helper-annotate-as-pure@npm:7.16.0"
+  dependencies:
+    "@babel/types": ^7.16.0
+  checksum: 0db76106983e10ffc482c5f01e89c3b4687d2474bea69c44470b2acb6bd37f362f9057d6e69c617255390b5d0063d9932a931e83c3e130445b688ca1fcdb5bcd
+  languageName: node
+  linkType: hard
+
+"@babel/helper-annotate-as-pure@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/helper-annotate-as-pure@npm:7.16.7"
+  dependencies:
+    "@babel/types": ^7.16.7
+  checksum: d235be963fed5d48a8a4cfabc41c3f03fad6a947810dbcab9cebed7f819811457e10d99b4b2e942ad71baa7ee8e3cd3f5f38a4e4685639ddfddb7528d9a07179
+  languageName: node
+  linkType: hard
+
+"@babel/helper-annotate-as-pure@npm:^7.18.6":
+  version: 7.18.6
+  resolution: "@babel/helper-annotate-as-pure@npm:7.18.6"
+  dependencies:
+    "@babel/types": ^7.18.6
+  checksum: 88ccd15ced475ef2243fdd3b2916a29ea54c5db3cd0cfabf9d1d29ff6e63b7f7cd1c27264137d7a40ac2e978b9b9a542c332e78f40eb72abe737a7400788fc1b
+  languageName: node
+  linkType: hard
+
+"@babel/helper-annotate-as-pure@npm:^7.22.5":
+  version: 7.22.5
+  resolution: "@babel/helper-annotate-as-pure@npm:7.22.5"
+  dependencies:
+    "@babel/types": ^7.22.5
+  checksum: 53da330f1835c46f26b7bf4da31f7a496dee9fd8696cca12366b94ba19d97421ce519a74a837f687749318f94d1a37f8d1abcbf35e8ed22c32d16373b2f6198d
+  languageName: node
+  linkType: hard
+
+"@babel/helper-builder-binary-assignment-operator-visitor@npm:^7.16.0":
+  version: 7.16.0
+  resolution: "@babel/helper-builder-binary-assignment-operator-visitor@npm:7.16.0"
+  dependencies:
+    "@babel/helper-explode-assignable-expression": ^7.16.0
+    "@babel/types": ^7.16.0
+  checksum: 01beb9f3f2285b7b170cc167ec79b2fd657202cb25be9cb111951f94a04c97c5b446dd1498ede32f0052d67fc9f2f2ac2b7862351b364fe94f9b4de98488d863
+  languageName: node
+  linkType: hard
+
+"@babel/helper-builder-binary-assignment-operator-visitor@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/helper-builder-binary-assignment-operator-visitor@npm:7.16.7"
+  dependencies:
+    "@babel/helper-explode-assignable-expression": ^7.16.7
+    "@babel/types": ^7.16.7
+  checksum: 1784f19a57ecfafca8e5c2e0f3eac53451cb13a857cbe0ca0cd9670922228d099ef8c3dd8cd318e2d7bce316fdb2ece3e527c30f3ecd83706e37ab6beb0c60eb
+  languageName: node
+  linkType: hard
+
+"@babel/helper-builder-binary-assignment-operator-visitor@npm:^7.22.15":
+  version: 7.22.15
+  resolution: "@babel/helper-builder-binary-assignment-operator-visitor@npm:7.22.15"
+  dependencies:
+    "@babel/types": ^7.22.15
+  checksum: 639c697a1c729f9fafa2dd4c9af2e18568190299b5907bd4c2d0bc818fcbd1e83ffeecc2af24327a7faa7ac4c34edd9d7940510a5e66296c19bad17001cf5c7a
+  languageName: node
+  linkType: hard
+
+"@babel/helper-compilation-targets@npm:^7.12.0, @babel/helper-compilation-targets@npm:^7.13.0, @babel/helper-compilation-targets@npm:^7.13.16, @babel/helper-compilation-targets@npm:^7.13.8, @babel/helper-compilation-targets@npm:^7.16.0":
+  version: 7.16.3
+  resolution: "@babel/helper-compilation-targets@npm:7.16.3"
+  dependencies:
+    "@babel/compat-data": ^7.16.0
+    "@babel/helper-validator-option": ^7.14.5
+    browserslist: ^4.17.5
+    semver: ^6.3.0
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: 038bcd43ac914371c51bf6e72b5cedcae432f0d359285d74a9133c6a839bd625a7d5412d7471d50aa78a3e1c79b0a692b50a8d6a1299ebf69733b512ff199323
+  languageName: node
+  linkType: hard
+
+"@babel/helper-compilation-targets@npm:^7.16.7, @babel/helper-compilation-targets@npm:^7.17.7":
+  version: 7.17.7
+  resolution: "@babel/helper-compilation-targets@npm:7.17.7"
+  dependencies:
+    "@babel/compat-data": ^7.17.7
+    "@babel/helper-validator-option": ^7.16.7
+    browserslist: ^4.17.5
+    semver: ^6.3.0
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: 24bf851539d5ec8e73779304b5d1ad5b0be09a74459ecc7d9baee9a0fa38ad016e9eaf4b5704504ae8da32f91ce0e31857bbbd9686854caeffd38f58226d3760
+  languageName: node
+  linkType: hard
+
+"@babel/helper-compilation-targets@npm:^7.17.10, @babel/helper-compilation-targets@npm:^7.18.2":
+  version: 7.18.2
+  resolution: "@babel/helper-compilation-targets@npm:7.18.2"
+  dependencies:
+    "@babel/compat-data": ^7.17.10
+    "@babel/helper-validator-option": ^7.16.7
+    browserslist: ^4.20.2
+    semver: ^6.3.0
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: 4f02e79f20c0b3f8db5049ba8c35027c41ccb3fc7884835d04e49886538e0f55702959db1bb75213c94a5708fec2dc81a443047559a4f184abb884c72c0059b4
+  languageName: node
+  linkType: hard
+
+"@babel/helper-compilation-targets@npm:^7.19.0":
+  version: 7.19.0
+  resolution: "@babel/helper-compilation-targets@npm:7.19.0"
+  dependencies:
+    "@babel/compat-data": ^7.19.0
+    "@babel/helper-validator-option": ^7.18.6
+    browserslist: ^4.20.2
+    semver: ^6.3.0
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: 5f1be9811d53a5e43eb4b9b402517dec79bfa3a55e9fbc131a106914a78b435bc08a4b35591e424665c36c2c1eceb864ec2ca2c2f3dcf240a1551a28530428f9
+  languageName: node
+  linkType: hard
+
+"@babel/helper-compilation-targets@npm:^7.20.7, @babel/helper-compilation-targets@npm:^7.22.15, @babel/helper-compilation-targets@npm:^7.22.6":
+  version: 7.22.15
+  resolution: "@babel/helper-compilation-targets@npm:7.22.15"
+  dependencies:
+    "@babel/compat-data": ^7.22.9
+    "@babel/helper-validator-option": ^7.22.15
+    browserslist: ^4.21.9
+    lru-cache: ^5.1.1
+    semver: ^6.3.1
+  checksum: ce85196769e091ae54dd39e4a80c2a9df1793da8588e335c383d536d54f06baf648d0a08fc873044f226398c4ded15c4ae9120ee18e7dfd7c639a68e3cdc9980
+  languageName: node
+  linkType: hard
+
+"@babel/helper-compilation-targets@npm:^7.22.9":
+  version: 7.22.9
+  resolution: "@babel/helper-compilation-targets@npm:7.22.9"
+  dependencies:
+    "@babel/compat-data": ^7.22.9
+    "@babel/helper-validator-option": ^7.22.5
+    browserslist: ^4.21.9
+    lru-cache: ^5.1.1
+    semver: ^6.3.1
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: ea0006c6a93759025f4a35a25228ae260538c9f15023e8aac2a6d45ca68aef4cf86cfc429b19af9a402cbdd54d5de74ad3fbcf6baa7e48184dc079f1a791e178
+  languageName: node
+  linkType: hard
+
+"@babel/helper-create-class-features-plugin@npm:^7.13.0, @babel/helper-create-class-features-plugin@npm:^7.16.0, @babel/helper-create-class-features-plugin@npm:^7.8.3":
+  version: 7.16.0
+  resolution: "@babel/helper-create-class-features-plugin@npm:7.16.0"
+  dependencies:
+    "@babel/helper-annotate-as-pure": ^7.16.0
+    "@babel/helper-function-name": ^7.16.0
+    "@babel/helper-member-expression-to-functions": ^7.16.0
+    "@babel/helper-optimise-call-expression": ^7.16.0
+    "@babel/helper-replace-supers": ^7.16.0
+    "@babel/helper-split-export-declaration": ^7.16.0
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: 0f7d1b8d413e5fbd719c95e22e3b59749b4c6c652f20e0fa1fa954112145a134c22709f1325574632d7262aeeeaaf4fc7c2eb8117e0d521e42b36d05c3e5a885
+  languageName: node
+  linkType: hard
+
+"@babel/helper-create-class-features-plugin@npm:^7.16.10, @babel/helper-create-class-features-plugin@npm:^7.16.7, @babel/helper-create-class-features-plugin@npm:^7.17.6":
+  version: 7.17.6
+  resolution: "@babel/helper-create-class-features-plugin@npm:7.17.6"
+  dependencies:
+    "@babel/helper-annotate-as-pure": ^7.16.7
+    "@babel/helper-environment-visitor": ^7.16.7
+    "@babel/helper-function-name": ^7.16.7
+    "@babel/helper-member-expression-to-functions": ^7.16.7
+    "@babel/helper-optimise-call-expression": ^7.16.7
+    "@babel/helper-replace-supers": ^7.16.7
+    "@babel/helper-split-export-declaration": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: d85a5b3f9a18a661372d77462e6ea2a6a03f1083f8b3055ed165284214af9ea6ad677f6bcc4b5ce215da27f95fa93064580d4b6723b578c480ecf17dd31a4307
+  languageName: node
+  linkType: hard
+
+"@babel/helper-create-class-features-plugin@npm:^7.17.12, @babel/helper-create-class-features-plugin@npm:^7.18.0":
+  version: 7.18.0
+  resolution: "@babel/helper-create-class-features-plugin@npm:7.18.0"
+  dependencies:
+    "@babel/helper-annotate-as-pure": ^7.16.7
+    "@babel/helper-environment-visitor": ^7.16.7
+    "@babel/helper-function-name": ^7.17.9
+    "@babel/helper-member-expression-to-functions": ^7.17.7
+    "@babel/helper-optimise-call-expression": ^7.16.7
+    "@babel/helper-replace-supers": ^7.16.7
+    "@babel/helper-split-export-declaration": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: 9a6ef175350f1cf87abe7a738e8c9b603da7fcdb153c74e49af509183f8705278020baddb62a12c7f9ca059487fef97d75a4adea6a1446598ad9901d010e4296
+  languageName: node
+  linkType: hard
+
+"@babel/helper-create-class-features-plugin@npm:^7.19.0":
+  version: 7.19.0
+  resolution: "@babel/helper-create-class-features-plugin@npm:7.19.0"
+  dependencies:
+    "@babel/helper-annotate-as-pure": ^7.18.6
+    "@babel/helper-environment-visitor": ^7.18.9
+    "@babel/helper-function-name": ^7.19.0
+    "@babel/helper-member-expression-to-functions": ^7.18.9
+    "@babel/helper-optimise-call-expression": ^7.18.6
+    "@babel/helper-replace-supers": ^7.18.9
+    "@babel/helper-split-export-declaration": ^7.18.6
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: f0c6fb77b6f113d70f308e7093f60dd465b697818badf5df0519d8dd12b6bfb1f4ad300b923207ce9f9c1c940ef58bff12ac4270c0863eadf9e303b7dd6d01b6
+  languageName: node
+  linkType: hard
+
+"@babel/helper-create-class-features-plugin@npm:^7.21.0, @babel/helper-create-class-features-plugin@npm:^7.22.15, @babel/helper-create-class-features-plugin@npm:^7.23.5":
+  version: 7.23.5
+  resolution: "@babel/helper-create-class-features-plugin@npm:7.23.5"
+  dependencies:
+    "@babel/helper-annotate-as-pure": ^7.22.5
+    "@babel/helper-environment-visitor": ^7.22.20
+    "@babel/helper-function-name": ^7.23.0
+    "@babel/helper-member-expression-to-functions": ^7.23.0
+    "@babel/helper-optimise-call-expression": ^7.22.5
+    "@babel/helper-replace-supers": ^7.22.20
+    "@babel/helper-skip-transparent-expression-wrappers": ^7.22.5
+    "@babel/helper-split-export-declaration": ^7.22.6
+    semver: ^6.3.1
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: fe7c6c0baca1838bba76ac1330df47b661d932354115ea9e2ea65b179f80b717987d3c3da7e1525fd648e5f2d86c620efc959cabda4d7562b125a27c3ac780d0
+  languageName: node
+  linkType: hard
+
+"@babel/helper-create-class-features-plugin@npm:^7.22.6":
+  version: 7.22.9
+  resolution: "@babel/helper-create-class-features-plugin@npm:7.22.9"
+  dependencies:
+    "@babel/helper-annotate-as-pure": ^7.22.5
+    "@babel/helper-environment-visitor": ^7.22.5
+    "@babel/helper-function-name": ^7.22.5
+    "@babel/helper-member-expression-to-functions": ^7.22.5
+    "@babel/helper-optimise-call-expression": ^7.22.5
+    "@babel/helper-replace-supers": ^7.22.9
+    "@babel/helper-skip-transparent-expression-wrappers": ^7.22.5
+    "@babel/helper-split-export-declaration": ^7.22.6
+    semver: ^6.3.1
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: 6c2436d1a5a3f1ff24628d78fa8c6d3120c40285aa3eda7815b1adbf8c5951e0dd73d368cf845825888fa3dc2f207dadce53309825598d7c67953e5ed9dd51d2
+  languageName: node
+  linkType: hard
+
+"@babel/helper-create-class-features-plugin@npm:^7.5.5":
+  version: 7.14.0
+  resolution: "@babel/helper-create-class-features-plugin@npm:7.14.0"
+  dependencies:
+    "@babel/helper-annotate-as-pure": ^7.12.13
+    "@babel/helper-function-name": ^7.12.13
+    "@babel/helper-member-expression-to-functions": ^7.13.12
+    "@babel/helper-optimise-call-expression": ^7.12.13
+    "@babel/helper-replace-supers": ^7.13.12
+    "@babel/helper-split-export-declaration": ^7.12.13
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: 8ef001212b06c4a1958249ec447f6a0993d928ace882cf509fcde8b4deb66673588a11ff53572b3ed55bf46982d012225ff8db9df65d0315af33d7ebfe21b740
+  languageName: node
+  linkType: hard
+
+"@babel/helper-create-regexp-features-plugin@npm:^7.16.0":
+  version: 7.16.0
+  resolution: "@babel/helper-create-regexp-features-plugin@npm:7.16.0"
+  dependencies:
+    "@babel/helper-annotate-as-pure": ^7.16.0
+    regexpu-core: ^4.7.1
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: d6230477e1997ed1fa0aee9ab34d3ce96400e0df25101879fdaf90ea613adec68ec06a609d8c78787c02a6275ef5a7403a38aa8fd42fef1a4d27bcfe577c81d6
+  languageName: node
+  linkType: hard
+
+"@babel/helper-create-regexp-features-plugin@npm:^7.16.7":
+  version: 7.17.0
+  resolution: "@babel/helper-create-regexp-features-plugin@npm:7.17.0"
+  dependencies:
+    "@babel/helper-annotate-as-pure": ^7.16.7
+    regexpu-core: ^5.0.1
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: eb66d9241544c705e9ce96d2d122b595ef52d926e6e031653e09af8a01050bd9d7e7fee168bf33a863342774d7d6a8cc7e8e9e5a45b955e9c01121c7a2d51708
+  languageName: node
+  linkType: hard
+
+"@babel/helper-create-regexp-features-plugin@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/helper-create-regexp-features-plugin@npm:7.17.12"
+  dependencies:
+    "@babel/helper-annotate-as-pure": ^7.16.7
+    regexpu-core: ^5.0.1
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: fe49d26b0f6c58d4c1748a4d0e98b343882b428e6db43c4ba5e0aa7ff2296b3a557f0a88de9f000599bb95640a6c47c0b0c9a952b58c11f61aabb06bcc304329
+  languageName: node
+  linkType: hard
+
+"@babel/helper-create-regexp-features-plugin@npm:^7.18.6, @babel/helper-create-regexp-features-plugin@npm:^7.22.15, @babel/helper-create-regexp-features-plugin@npm:^7.22.5":
+  version: 7.22.15
+  resolution: "@babel/helper-create-regexp-features-plugin@npm:7.22.15"
+  dependencies:
+    "@babel/helper-annotate-as-pure": ^7.22.5
+    regexpu-core: ^5.3.1
+    semver: ^6.3.1
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: 0243b8d4854f1dc8861b1029a46d3f6393ad72f366a5a08e36a4648aa682044f06da4c6e87a456260e1e1b33c999f898ba591a0760842c1387bcc93fbf2151a6
+  languageName: node
+  linkType: hard
+
+"@babel/helper-define-polyfill-provider@npm:^0.2.2":
+  version: 0.2.3
+  resolution: "@babel/helper-define-polyfill-provider@npm:0.2.3"
+  dependencies:
+    "@babel/helper-compilation-targets": ^7.13.0
+    "@babel/helper-module-imports": ^7.12.13
+    "@babel/helper-plugin-utils": ^7.13.0
+    "@babel/traverse": ^7.13.0
+    debug: ^4.1.1
+    lodash.debounce: ^4.0.8
+    resolve: ^1.14.2
+    semver: ^6.1.2
+  peerDependencies:
+    "@babel/core": ^7.4.0-0
+  checksum: 797699fe870e45bdbc7c4128963427f7d6240609b700b3f2c0a2f2f187e5f848ba704bcfe58d7d91796cabc5001fae01746b3efda113beb5b5b824927cf59fdb
+  languageName: node
+  linkType: hard
+
+"@babel/helper-define-polyfill-provider@npm:^0.2.4":
+  version: 0.2.4
+  resolution: "@babel/helper-define-polyfill-provider@npm:0.2.4"
+  dependencies:
+    "@babel/helper-compilation-targets": ^7.13.0
+    "@babel/helper-module-imports": ^7.12.13
+    "@babel/helper-plugin-utils": ^7.13.0
+    "@babel/traverse": ^7.13.0
+    debug: ^4.1.1
+    lodash.debounce: ^4.0.8
+    resolve: ^1.14.2
+    semver: ^6.1.2
+  peerDependencies:
+    "@babel/core": ^7.4.0-0
+  checksum: 0b81df2fe8d4e7af1f0ed0f9c83bdb0fc1978e2cb2d4b5421dad7ee4afda79044d61de5b06026164ef52ee1afa59a15ee99bc7e532ad2b8a4bbe4341d3fa6b05
+  languageName: node
+  linkType: hard
+
+"@babel/helper-define-polyfill-provider@npm:^0.3.0":
+  version: 0.3.0
+  resolution: "@babel/helper-define-polyfill-provider@npm:0.3.0"
+  dependencies:
+    "@babel/helper-compilation-targets": ^7.13.0
+    "@babel/helper-module-imports": ^7.12.13
+    "@babel/helper-plugin-utils": ^7.13.0
+    "@babel/traverse": ^7.13.0
+    debug: ^4.1.1
+    lodash.debounce: ^4.0.8
+    resolve: ^1.14.2
+    semver: ^6.1.2
+  peerDependencies:
+    "@babel/core": ^7.4.0-0
+  checksum: 372378ac4235c4fe135f1cd6d0f63697e7cb3ef63a884eb14f4b439984846bcaec0b7a32cf8df6756a21557ae3ebb3c2ee18d9a191260705a583333e5e60df7c
+  languageName: node
+  linkType: hard
+
+"@babel/helper-define-polyfill-provider@npm:^0.3.1":
+  version: 0.3.1
+  resolution: "@babel/helper-define-polyfill-provider@npm:0.3.1"
+  dependencies:
+    "@babel/helper-compilation-targets": ^7.13.0
+    "@babel/helper-module-imports": ^7.12.13
+    "@babel/helper-plugin-utils": ^7.13.0
+    "@babel/traverse": ^7.13.0
+    debug: ^4.1.1
+    lodash.debounce: ^4.0.8
+    resolve: ^1.14.2
+    semver: ^6.1.2
+  peerDependencies:
+    "@babel/core": ^7.4.0-0
+  checksum: e3e93cb22febfc0449a210cdafb278e5e1a038af2ca2b02f5dee71c7a49e8ba26e469d631ee11a4243885961a62bb2e5b0a4deb3ec1d7918a33c953d05c3e584
+  languageName: node
+  linkType: hard
+
+"@babel/helper-define-polyfill-provider@npm:^0.4.3":
+  version: 0.4.3
+  resolution: "@babel/helper-define-polyfill-provider@npm:0.4.3"
+  dependencies:
+    "@babel/helper-compilation-targets": ^7.22.6
+    "@babel/helper-plugin-utils": ^7.22.5
+    debug: ^4.1.1
+    lodash.debounce: ^4.0.8
+    resolve: ^1.14.2
+  peerDependencies:
+    "@babel/core": ^7.4.0 || ^8.0.0-0 <8.0.0
+  checksum: 5d21e3f47b320e4b5b644195ec405e7ebc3739e48e65899efc808c5fa9c3bf5b06ce0d8ff5246ca99d1411e368f4557bc66730196c5781a5c4e986ee703bee79
+  languageName: node
+  linkType: hard
+
+"@babel/helper-environment-visitor@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/helper-environment-visitor@npm:7.16.7"
+  dependencies:
+    "@babel/types": ^7.16.7
+  checksum: c03a10105d9ebd1fe632a77356b2e6e2f3c44edba9a93b0dc3591b6a66bd7a2e323dd9502f9ce96fc6401234abff1907aa877b6674f7826b61c953f7c8204bbe
+  languageName: node
+  linkType: hard
+
+"@babel/helper-environment-visitor@npm:^7.18.2":
+  version: 7.18.2
+  resolution: "@babel/helper-environment-visitor@npm:7.18.2"
+  checksum: 1a9c8726fad454a082d077952a90f17188e92eabb3de236cb4782c49b39e3f69c327e272b965e9a20ff8abf37d30d03ffa6fd7974625a6c23946f70f7527f5e9
+  languageName: node
+  linkType: hard
+
+"@babel/helper-environment-visitor@npm:^7.18.9":
+  version: 7.18.9
+  resolution: "@babel/helper-environment-visitor@npm:7.18.9"
+  checksum: b25101f6162ddca2d12da73942c08ad203d7668e06663df685634a8fde54a98bc015f6f62938e8554457a592a024108d45b8f3e651fd6dcdb877275b73cc4420
+  languageName: node
+  linkType: hard
+
+"@babel/helper-environment-visitor@npm:^7.22.20":
+  version: 7.22.20
+  resolution: "@babel/helper-environment-visitor@npm:7.22.20"
+  checksum: d80ee98ff66f41e233f36ca1921774c37e88a803b2f7dca3db7c057a5fea0473804db9fb6729e5dbfd07f4bed722d60f7852035c2c739382e84c335661590b69
+  languageName: node
+  linkType: hard
+
+"@babel/helper-environment-visitor@npm:^7.22.5":
+  version: 7.22.5
+  resolution: "@babel/helper-environment-visitor@npm:7.22.5"
+  checksum: 248532077d732a34cd0844eb7b078ff917c3a8ec81a7f133593f71a860a582f05b60f818dc5049c2212e5baa12289c27889a4b81d56ef409b4863db49646c4b1
+  languageName: node
+  linkType: hard
+
+"@babel/helper-explode-assignable-expression@npm:^7.16.0":
+  version: 7.16.0
+  resolution: "@babel/helper-explode-assignable-expression@npm:7.16.0"
+  dependencies:
+    "@babel/types": ^7.16.0
+  checksum: 563352b5e9b0b9584187176723ea65ea6ac9348d612c2bdc76701634eae445fd05d18f7b7555f5c6bbe4ec4d9d30172633a56bf4cfbb1333b798f58444057652
+  languageName: node
+  linkType: hard
+
+"@babel/helper-explode-assignable-expression@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/helper-explode-assignable-expression@npm:7.16.7"
+  dependencies:
+    "@babel/types": ^7.16.7
+  checksum: ea2135ba36da6a2be059ebc8f10fbbb291eb0e312da54c55c6f50f9cbd8601e2406ec497c5e985f7c07a97f31b3bef9b2be8df53f1d53b974043eaf74fe54bbc
+  languageName: node
+  linkType: hard
+
+"@babel/helper-function-name@npm:^7.12.13, @babel/helper-function-name@npm:^7.16.0":
+  version: 7.16.0
+  resolution: "@babel/helper-function-name@npm:7.16.0"
+  dependencies:
+    "@babel/helper-get-function-arity": ^7.16.0
+    "@babel/template": ^7.16.0
+    "@babel/types": ^7.16.0
+  checksum: 8c02371d28678f3bb492e69d4635b2fe6b1c5a93ce129bf883f1fafde2005f4dbc0e643f52103ca558b698c0774bfb84a93f188d71db1c077f754b6220629b92
+  languageName: node
+  linkType: hard
+
+"@babel/helper-function-name@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/helper-function-name@npm:7.16.7"
+  dependencies:
+    "@babel/helper-get-function-arity": ^7.16.7
+    "@babel/template": ^7.16.7
+    "@babel/types": ^7.16.7
+  checksum: fc77cbe7b10cfa2a262d7a37dca575c037f20419dfe0c5d9317f589599ca24beb5f5c1057748011159149eaec47fe32338c6c6412376fcded68200df470161e1
+  languageName: node
+  linkType: hard
+
+"@babel/helper-function-name@npm:^7.17.9":
+  version: 7.17.9
+  resolution: "@babel/helper-function-name@npm:7.17.9"
+  dependencies:
+    "@babel/template": ^7.16.7
+    "@babel/types": ^7.17.0
+  checksum: a59b2e5af56d8f43b9b0019939a43774754beb7cb01a211809ca8031c71890999d07739e955343135ec566c4d8ff725435f1f60fb0af3bb546837c1f9f84f496
+  languageName: node
+  linkType: hard
+
+"@babel/helper-function-name@npm:^7.19.0":
+  version: 7.19.0
+  resolution: "@babel/helper-function-name@npm:7.19.0"
+  dependencies:
+    "@babel/template": ^7.18.10
+    "@babel/types": ^7.19.0
+  checksum: eac1f5db428ba546270c2b8d750c24eb528b8fcfe50c81de2e0bdebf0e20f24bec688d4331533b782e4a907fad435244621ca2193cfcf80a86731299840e0f6e
+  languageName: node
+  linkType: hard
+
+"@babel/helper-function-name@npm:^7.22.5":
+  version: 7.22.5
+  resolution: "@babel/helper-function-name@npm:7.22.5"
+  dependencies:
+    "@babel/template": ^7.22.5
+    "@babel/types": ^7.22.5
+  checksum: 6b1f6ce1b1f4e513bf2c8385a557ea0dd7fa37971b9002ad19268ca4384bbe90c09681fe4c076013f33deabc63a53b341ed91e792de741b4b35e01c00238177a
+  languageName: node
+  linkType: hard
+
+"@babel/helper-function-name@npm:^7.23.0":
+  version: 7.23.0
+  resolution: "@babel/helper-function-name@npm:7.23.0"
+  dependencies:
+    "@babel/template": ^7.22.15
+    "@babel/types": ^7.23.0
+  checksum: e44542257b2d4634a1f979244eb2a4ad8e6d75eb6761b4cfceb56b562f7db150d134bc538c8e6adca3783e3bc31be949071527aa8e3aab7867d1ad2d84a26e10
+  languageName: node
+  linkType: hard
+
+"@babel/helper-get-function-arity@npm:^7.16.0":
+  version: 7.16.0
+  resolution: "@babel/helper-get-function-arity@npm:7.16.0"
+  dependencies:
+    "@babel/types": ^7.16.0
+  checksum: 1a68322c7b5fdffb1b51df32f7a53b1ff2268b5b99d698f0a1a426dcb355482a44ef3dae982a507907ba975314638dabb6d77ac1778098bdbe99707e6c29cae8
+  languageName: node
+  linkType: hard
+
+"@babel/helper-get-function-arity@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/helper-get-function-arity@npm:7.16.7"
+  dependencies:
+    "@babel/types": ^7.16.7
+  checksum: 25d969fb207ff2ad5f57a90d118f6c42d56a0171022e200aaa919ba7dc95ae7f92ec71cdea6c63ef3629a0dc962ab4c78e09ca2b437185ab44539193f796e0c3
+  languageName: node
+  linkType: hard
+
+"@babel/helper-hoist-variables@npm:^7.16.0":
+  version: 7.16.0
+  resolution: "@babel/helper-hoist-variables@npm:7.16.0"
+  dependencies:
+    "@babel/types": ^7.16.0
+  checksum: 2ee5b400c267c209a53c90eea406a8f09c30d4d7a2b13e304289d858a2e34a99272c062cfad6dad63705662943951c42ff20042ef539b2d3c4f8743183a28954
+  languageName: node
+  linkType: hard
+
+"@babel/helper-hoist-variables@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/helper-hoist-variables@npm:7.16.7"
+  dependencies:
+    "@babel/types": ^7.16.7
+  checksum: 6ae1641f4a751cd9045346e3f61c3d9ec1312fd779ab6d6fecfe2a96e59a481ad5d7e40d2a840894c13b3fd6114345b157f9e3062fc5f1580f284636e722de60
+  languageName: node
+  linkType: hard
+
+"@babel/helper-hoist-variables@npm:^7.18.6":
+  version: 7.18.6
+  resolution: "@babel/helper-hoist-variables@npm:7.18.6"
+  dependencies:
+    "@babel/types": ^7.18.6
+  checksum: fd9c35bb435fda802bf9ff7b6f2df06308a21277c6dec2120a35b09f9de68f68a33972e2c15505c1a1a04b36ec64c9ace97d4a9e26d6097b76b4396b7c5fa20f
+  languageName: node
+  linkType: hard
+
+"@babel/helper-hoist-variables@npm:^7.22.5":
+  version: 7.22.5
+  resolution: "@babel/helper-hoist-variables@npm:7.22.5"
+  dependencies:
+    "@babel/types": ^7.22.5
+  checksum: 394ca191b4ac908a76e7c50ab52102669efe3a1c277033e49467913c7ed6f7c64d7eacbeabf3bed39ea1f41731e22993f763b1edce0f74ff8563fd1f380d92cc
+  languageName: node
+  linkType: hard
+
+"@babel/helper-member-expression-to-functions@npm:^7.13.12, @babel/helper-member-expression-to-functions@npm:^7.16.0":
+  version: 7.16.0
+  resolution: "@babel/helper-member-expression-to-functions@npm:7.16.0"
+  dependencies:
+    "@babel/types": ^7.16.0
+  checksum: 58ef8e3a4af0c1dc43a2011f43f25502877ac1c5aa9a4a6586f0265ab857b65831f60560044bc9380df43c91ac21cad39a84095b91764b433d1acf18d27e38d6
+  languageName: node
+  linkType: hard
+
+"@babel/helper-member-expression-to-functions@npm:^7.16.7, @babel/helper-member-expression-to-functions@npm:^7.17.7":
+  version: 7.17.7
+  resolution: "@babel/helper-member-expression-to-functions@npm:7.17.7"
+  dependencies:
+    "@babel/types": ^7.17.0
+  checksum: 70f361bab627396c714c3938e94a569cb0da522179328477cdbc4318e4003c2666387ad4931d6bd5de103338c667c9e4bbe3e917fc8c527b3f3eb6175b888b7d
+  languageName: node
+  linkType: hard
+
+"@babel/helper-member-expression-to-functions@npm:^7.18.9":
+  version: 7.18.9
+  resolution: "@babel/helper-member-expression-to-functions@npm:7.18.9"
+  dependencies:
+    "@babel/types": ^7.18.9
+  checksum: fcf8184e3b55051c4286b2cbedf0eccc781d0f3c9b5cbaba582eca19bf0e8d87806cdb7efc8554fcb969ceaf2b187d5ea748d40022d06ec7739fbb18c1b19a7a
+  languageName: node
+  linkType: hard
+
+"@babel/helper-member-expression-to-functions@npm:^7.22.15, @babel/helper-member-expression-to-functions@npm:^7.23.0":
+  version: 7.23.0
+  resolution: "@babel/helper-member-expression-to-functions@npm:7.23.0"
+  dependencies:
+    "@babel/types": ^7.23.0
+  checksum: 494659361370c979ada711ca685e2efe9460683c36db1b283b446122596602c901e291e09f2f980ecedfe6e0f2bd5386cb59768285446530df10c14df1024e75
+  languageName: node
+  linkType: hard
+
+"@babel/helper-member-expression-to-functions@npm:^7.22.5":
+  version: 7.22.5
+  resolution: "@babel/helper-member-expression-to-functions@npm:7.22.5"
+  dependencies:
+    "@babel/types": ^7.22.5
+  checksum: 4bd5791529c280c00743e8bdc669ef0d4cd1620d6e3d35e0d42b862f8262bc2364973e5968007f960780344c539a4b9cf92ab41f5b4f94560a9620f536de2a39
+  languageName: node
+  linkType: hard
+
+"@babel/helper-module-imports@npm:^7.12.13, @babel/helper-module-imports@npm:^7.13.12, @babel/helper-module-imports@npm:^7.16.0":
+  version: 7.16.0
+  resolution: "@babel/helper-module-imports@npm:7.16.0"
+  dependencies:
+    "@babel/types": ^7.16.0
+  checksum: 8e1eb9ac39440e52080b87c78d8d318e7c93658bdd0f3ce0019c908de88cbddafdc241f392898c0b0ba81fc52c8c6d2f9cc1b163ac5ed2a474d49b11646b7516
+  languageName: node
+  linkType: hard
+
+"@babel/helper-module-imports@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/helper-module-imports@npm:7.16.7"
+  dependencies:
+    "@babel/types": ^7.16.7
+  checksum: ddd2c4a600a2e9a4fee192ab92bf35a627c5461dbab4af31b903d9ba4d6b6e59e0ff3499fde4e2e9a0eebe24906f00b636f8b4d9bd72ff24d50e6618215c3212
+  languageName: node
+  linkType: hard
+
+"@babel/helper-module-imports@npm:^7.18.6":
+  version: 7.18.6
+  resolution: "@babel/helper-module-imports@npm:7.18.6"
+  dependencies:
+    "@babel/types": ^7.18.6
+  checksum: f393f8a3b3304b1b7a288a38c10989de754f01d29caf62ce7c4e5835daf0a27b81f3ac687d9d2780d39685aae7b55267324b512150e7b2be967b0c493b6a1def
+  languageName: node
+  linkType: hard
+
+"@babel/helper-module-imports@npm:^7.22.15":
+  version: 7.22.15
+  resolution: "@babel/helper-module-imports@npm:7.22.15"
+  dependencies:
+    "@babel/types": ^7.22.15
+  checksum: ecd7e457df0a46f889228f943ef9b4a47d485d82e030676767e6a2fdcbdaa63594d8124d4b55fd160b41c201025aec01fc27580352b1c87a37c9c6f33d116702
+  languageName: node
+  linkType: hard
+
+"@babel/helper-module-imports@npm:^7.22.5":
+  version: 7.22.5
+  resolution: "@babel/helper-module-imports@npm:7.22.5"
+  dependencies:
+    "@babel/types": ^7.22.5
+  checksum: 9ac2b0404fa38b80bdf2653fbeaf8e8a43ccb41bd505f9741d820ed95d3c4e037c62a1bcdcb6c9527d7798d2e595924c4d025daed73283badc180ada2c9c49ad
+  languageName: node
+  linkType: hard
+
+"@babel/helper-module-transforms@npm:^7.14.0, @babel/helper-module-transforms@npm:^7.16.0":
+  version: 7.16.0
+  resolution: "@babel/helper-module-transforms@npm:7.16.0"
+  dependencies:
+    "@babel/helper-module-imports": ^7.16.0
+    "@babel/helper-replace-supers": ^7.16.0
+    "@babel/helper-simple-access": ^7.16.0
+    "@babel/helper-split-export-declaration": ^7.16.0
+    "@babel/helper-validator-identifier": ^7.15.7
+    "@babel/template": ^7.16.0
+    "@babel/traverse": ^7.16.0
+    "@babel/types": ^7.16.0
+  checksum: a3d0e5556f26ebdf2ae422af3b9a1ba1848fead891f46bcd1c6a4be88ad8e9f348140f81d1843a3481574be1643a9c79b01469231f5b5801f5d5e691efdd11f3
+  languageName: node
+  linkType: hard
+
+"@babel/helper-module-transforms@npm:^7.16.7, @babel/helper-module-transforms@npm:^7.17.7":
+  version: 7.17.7
+  resolution: "@babel/helper-module-transforms@npm:7.17.7"
+  dependencies:
+    "@babel/helper-environment-visitor": ^7.16.7
+    "@babel/helper-module-imports": ^7.16.7
+    "@babel/helper-simple-access": ^7.17.7
+    "@babel/helper-split-export-declaration": ^7.16.7
+    "@babel/helper-validator-identifier": ^7.16.7
+    "@babel/template": ^7.16.7
+    "@babel/traverse": ^7.17.3
+    "@babel/types": ^7.17.0
+  checksum: 0b8f023aa7ff82dc4864349d54c4557865ad8ba54d78f6d78a86b05ca40f65c2d60acb4a54c5c309e7a4356beb9a89b876e54af4b3c4801ad25f62ec3721f0ae
+  languageName: node
+  linkType: hard
+
+"@babel/helper-module-transforms@npm:^7.18.0":
+  version: 7.18.0
+  resolution: "@babel/helper-module-transforms@npm:7.18.0"
+  dependencies:
+    "@babel/helper-environment-visitor": ^7.16.7
+    "@babel/helper-module-imports": ^7.16.7
+    "@babel/helper-simple-access": ^7.17.7
+    "@babel/helper-split-export-declaration": ^7.16.7
+    "@babel/helper-validator-identifier": ^7.16.7
+    "@babel/template": ^7.16.7
+    "@babel/traverse": ^7.18.0
+    "@babel/types": ^7.18.0
+  checksum: 824c3967c08d75bb36adc18c31dcafebcd495b75b723e2e17c6185e88daf5c6db62a6a75d9f791b5f38618a349e7cb32503e715a1b9a4e8bad4d0f43e3e6b523
+  languageName: node
+  linkType: hard
+
+"@babel/helper-module-transforms@npm:^7.19.0":
+  version: 7.19.0
+  resolution: "@babel/helper-module-transforms@npm:7.19.0"
+  dependencies:
+    "@babel/helper-environment-visitor": ^7.18.9
+    "@babel/helper-module-imports": ^7.18.6
+    "@babel/helper-simple-access": ^7.18.6
+    "@babel/helper-split-export-declaration": ^7.18.6
+    "@babel/helper-validator-identifier": ^7.18.6
+    "@babel/template": ^7.18.10
+    "@babel/traverse": ^7.19.0
+    "@babel/types": ^7.19.0
+  checksum: 4483276c66f56cf3b5b063634092ad9438c2593725de5c143ba277dda82f1501e6d73b311c1b28036f181dbe36eaeff29f24726cde37a599d4e735af294e5359
+  languageName: node
+  linkType: hard
+
+"@babel/helper-module-transforms@npm:^7.22.5, @babel/helper-module-transforms@npm:^7.22.9":
+  version: 7.22.9
+  resolution: "@babel/helper-module-transforms@npm:7.22.9"
+  dependencies:
+    "@babel/helper-environment-visitor": ^7.22.5
+    "@babel/helper-module-imports": ^7.22.5
+    "@babel/helper-simple-access": ^7.22.5
+    "@babel/helper-split-export-declaration": ^7.22.6
+    "@babel/helper-validator-identifier": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: 2751f77660518cf4ff027514d6f4794f04598c6393be7b04b8e46c6e21606e11c19f3f57ab6129a9c21bacdf8b3ffe3af87bb401d972f34af2d0ffde02ac3001
+  languageName: node
+  linkType: hard
+
+"@babel/helper-module-transforms@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/helper-module-transforms@npm:7.23.3"
+  dependencies:
+    "@babel/helper-environment-visitor": ^7.22.20
+    "@babel/helper-module-imports": ^7.22.15
+    "@babel/helper-simple-access": ^7.22.5
+    "@babel/helper-split-export-declaration": ^7.22.6
+    "@babel/helper-validator-identifier": ^7.22.20
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: 5d0895cfba0e16ae16f3aa92fee108517023ad89a855289c4eb1d46f7aef4519adf8e6f971e1d55ac20c5461610e17213f1144097a8f932e768a9132e2278d71
+  languageName: node
+  linkType: hard
+
+"@babel/helper-optimise-call-expression@npm:^7.12.13, @babel/helper-optimise-call-expression@npm:^7.16.0":
+  version: 7.16.0
+  resolution: "@babel/helper-optimise-call-expression@npm:7.16.0"
+  dependencies:
+    "@babel/types": ^7.16.0
+  checksum: 121ae6054fcec76ed2c4dd83f0281b901c1e3cfac1bbff79adc3667983903ad1030a0ad9a8bea58e52b225e13881cf316f371c65276976e7a6762758a98be8f6
+  languageName: node
+  linkType: hard
+
+"@babel/helper-optimise-call-expression@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/helper-optimise-call-expression@npm:7.16.7"
+  dependencies:
+    "@babel/types": ^7.16.7
+  checksum: 925feb877d5a30a71db56e2be498b3abbd513831311c0188850896c4c1ada865eea795dce5251a1539b0f883ef82493f057f84286dd01abccc4736acfafe15ea
+  languageName: node
+  linkType: hard
+
+"@babel/helper-optimise-call-expression@npm:^7.18.6":
+  version: 7.18.6
+  resolution: "@babel/helper-optimise-call-expression@npm:7.18.6"
+  dependencies:
+    "@babel/types": ^7.18.6
+  checksum: e518fe8418571405e21644cfb39cf694f30b6c47b10b006609a92469ae8b8775cbff56f0b19732343e2ea910641091c5a2dc73b56ceba04e116a33b0f8bd2fbd
+  languageName: node
+  linkType: hard
+
+"@babel/helper-optimise-call-expression@npm:^7.22.5":
+  version: 7.22.5
+  resolution: "@babel/helper-optimise-call-expression@npm:7.22.5"
+  dependencies:
+    "@babel/types": ^7.22.5
+  checksum: c70ef6cc6b6ed32eeeec4482127e8be5451d0e5282d5495d5d569d39eb04d7f1d66ec99b327f45d1d5842a9ad8c22d48567e93fc502003a47de78d122e355f7c
+  languageName: node
+  linkType: hard
+
+"@babel/helper-plugin-utils@npm:^7.0.0, @babel/helper-plugin-utils@npm:^7.10.4, @babel/helper-plugin-utils@npm:^7.12.13, @babel/helper-plugin-utils@npm:^7.13.0, @babel/helper-plugin-utils@npm:^7.14.5, @babel/helper-plugin-utils@npm:^7.8.0, @babel/helper-plugin-utils@npm:^7.8.3":
+  version: 7.14.5
+  resolution: "@babel/helper-plugin-utils@npm:7.14.5"
+  checksum: fe20e90a24d02770a60ebe80ab9f0dfd7258503cea8006c71709ac9af1aa3e47b0de569499673f11ea6c99597f8c0e4880ae1d505986e61101b69716820972fe
+  languageName: node
+  linkType: hard
+
+"@babel/helper-plugin-utils@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/helper-plugin-utils@npm:7.16.7"
+  checksum: d08dd86554a186c2538547cd537552e4029f704994a9201d41d82015c10ed7f58f9036e8d1527c3760f042409163269d308b0b3706589039c5f1884619c6d4ce
+  languageName: node
+  linkType: hard
+
+"@babel/helper-plugin-utils@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/helper-plugin-utils@npm:7.17.12"
+  checksum: 4813cf0ddb0f143de032cb88d4207024a2334951db330f8216d6fa253ea320c02c9b2667429ef1a34b5e95d4cfbd085f6cb72d418999751c31d0baf2422cc61d
+  languageName: node
+  linkType: hard
+
+"@babel/helper-plugin-utils@npm:^7.18.6, @babel/helper-plugin-utils@npm:^7.19.0":
+  version: 7.19.0
+  resolution: "@babel/helper-plugin-utils@npm:7.19.0"
+  checksum: eedc996c633c8c207921c26ec2989eae0976336ecd9b9f1ac526498f52b5d136f7cd03c32b6fdf8d46a426f907c142de28592f383c42e5fba1e904cbffa05345
+  languageName: node
+  linkType: hard
+
+"@babel/helper-plugin-utils@npm:^7.20.2, @babel/helper-plugin-utils@npm:^7.22.5":
+  version: 7.22.5
+  resolution: "@babel/helper-plugin-utils@npm:7.22.5"
+  checksum: c0fc7227076b6041acd2f0e818145d2e8c41968cc52fb5ca70eed48e21b8fe6dd88a0a91cbddf4951e33647336eb5ae184747ca706817ca3bef5e9e905151ff5
+  languageName: node
+  linkType: hard
+
+"@babel/helper-remap-async-to-generator@npm:^7.16.0, @babel/helper-remap-async-to-generator@npm:^7.16.4":
+  version: 7.16.4
+  resolution: "@babel/helper-remap-async-to-generator@npm:7.16.4"
+  dependencies:
+    "@babel/helper-annotate-as-pure": ^7.16.0
+    "@babel/helper-wrap-function": ^7.16.0
+    "@babel/types": ^7.16.0
+  checksum: debe997695fe2c11813e88b2fa4afc89d4543f72457dda00c7296a728cd5eeb81d4ef8607a5fef7823da410a8579407c631a430e5bfc78290172ff6fc430355c
+  languageName: node
+  linkType: hard
+
+"@babel/helper-remap-async-to-generator@npm:^7.16.8":
+  version: 7.16.8
+  resolution: "@babel/helper-remap-async-to-generator@npm:7.16.8"
+  dependencies:
+    "@babel/helper-annotate-as-pure": ^7.16.7
+    "@babel/helper-wrap-function": ^7.16.8
+    "@babel/types": ^7.16.8
+  checksum: 29282ee36872130085ca111539725abbf20210c2a1d674bee77f338a57c093c3154108d03a275f602e471f583bd2c7ae10d05534f87cbc22b95524fe2b569488
+  languageName: node
+  linkType: hard
+
+"@babel/helper-remap-async-to-generator@npm:^7.22.20":
+  version: 7.22.20
+  resolution: "@babel/helper-remap-async-to-generator@npm:7.22.20"
+  dependencies:
+    "@babel/helper-annotate-as-pure": ^7.22.5
+    "@babel/helper-environment-visitor": ^7.22.20
+    "@babel/helper-wrap-function": ^7.22.20
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: 2fe6300a6f1b58211dffa0aed1b45d4958506d096543663dba83bd9251fe8d670fa909143a65b45e72acb49e7e20fbdb73eae315d9ddaced467948c3329986e7
+  languageName: node
+  linkType: hard
+
+"@babel/helper-replace-supers@npm:^7.13.12, @babel/helper-replace-supers@npm:^7.16.0":
+  version: 7.16.0
+  resolution: "@babel/helper-replace-supers@npm:7.16.0"
+  dependencies:
+    "@babel/helper-member-expression-to-functions": ^7.16.0
+    "@babel/helper-optimise-call-expression": ^7.16.0
+    "@babel/traverse": ^7.16.0
+    "@babel/types": ^7.16.0
+  checksum: 61f04bbe05ff0987d5a8d5253cb101d47004a27951d6c5cd95457e30fcb3adaca85f0bcaa7f31f4d934f22386b935ac7281398c68982d4a4768769d95c028460
+  languageName: node
+  linkType: hard
+
+"@babel/helper-replace-supers@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/helper-replace-supers@npm:7.16.7"
+  dependencies:
+    "@babel/helper-environment-visitor": ^7.16.7
+    "@babel/helper-member-expression-to-functions": ^7.16.7
+    "@babel/helper-optimise-call-expression": ^7.16.7
+    "@babel/traverse": ^7.16.7
+    "@babel/types": ^7.16.7
+  checksum: e5c0b6eb3dad8410a6255f93b580dde9b3c1564646c6ef751de59d5b2a65b5caa80cc9e568155f04bbae895ad0f54305c2e833dbd971a4f641f970c90b3d892b
+  languageName: node
+  linkType: hard
+
+"@babel/helper-replace-supers@npm:^7.18.2":
+  version: 7.18.2
+  resolution: "@babel/helper-replace-supers@npm:7.18.2"
+  dependencies:
+    "@babel/helper-environment-visitor": ^7.18.2
+    "@babel/helper-member-expression-to-functions": ^7.17.7
+    "@babel/helper-optimise-call-expression": ^7.16.7
+    "@babel/traverse": ^7.18.2
+    "@babel/types": ^7.18.2
+  checksum: c0083b7933672dd2aed50b79021c46401c83f41bc2132def19c5414cf8f944251f6d91dd959b2bedada9a7436a80fab629adb486e008566290c82293e89fec05
+  languageName: node
+  linkType: hard
+
+"@babel/helper-replace-supers@npm:^7.18.9":
+  version: 7.18.9
+  resolution: "@babel/helper-replace-supers@npm:7.18.9"
+  dependencies:
+    "@babel/helper-environment-visitor": ^7.18.9
+    "@babel/helper-member-expression-to-functions": ^7.18.9
+    "@babel/helper-optimise-call-expression": ^7.18.6
+    "@babel/traverse": ^7.18.9
+    "@babel/types": ^7.18.9
+  checksum: 2de8b29cc4bfa4e241da2de16abd5571709f6eb394206dc16e3a7816976d1691635dd4bc930881e9d798f44b48a5f1849dc7f51a62946f3e8270452be1ec5352
+  languageName: node
+  linkType: hard
+
+"@babel/helper-replace-supers@npm:^7.22.20":
+  version: 7.22.20
+  resolution: "@babel/helper-replace-supers@npm:7.22.20"
+  dependencies:
+    "@babel/helper-environment-visitor": ^7.22.20
+    "@babel/helper-member-expression-to-functions": ^7.22.15
+    "@babel/helper-optimise-call-expression": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: a0008332e24daedea2e9498733e3c39b389d6d4512637e000f96f62b797e702ee24a407ccbcd7a236a551590a38f31282829a8ef35c50a3c0457d88218cae639
+  languageName: node
+  linkType: hard
+
+"@babel/helper-replace-supers@npm:^7.22.5, @babel/helper-replace-supers@npm:^7.22.9":
+  version: 7.22.9
+  resolution: "@babel/helper-replace-supers@npm:7.22.9"
+  dependencies:
+    "@babel/helper-environment-visitor": ^7.22.5
+    "@babel/helper-member-expression-to-functions": ^7.22.5
+    "@babel/helper-optimise-call-expression": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: d41471f56ff2616459d35a5df1900d5f0756ae78b1027040365325ef332d66e08e3be02a9489756d870887585ff222403a228546e93dd7019e19e59c0c0fe586
+  languageName: node
+  linkType: hard
+
+"@babel/helper-simple-access@npm:^7.16.0":
+  version: 7.16.0
+  resolution: "@babel/helper-simple-access@npm:7.16.0"
+  dependencies:
+    "@babel/types": ^7.16.0
+  checksum: 2d7155f318411788b42d2f4a3d406de12952ad620d0bd411a0f3b5803389692ad61d9e7fab5f93b23ad3d8a09db4a75ca9722b9873a606470f468bc301944af6
+  languageName: node
+  linkType: hard
+
+"@babel/helper-simple-access@npm:^7.17.7":
+  version: 7.17.7
+  resolution: "@babel/helper-simple-access@npm:7.17.7"
+  dependencies:
+    "@babel/types": ^7.17.0
+  checksum: 58a9bfd054720024f6ff47fbb113c96061dc2bd31a5e5285756bd3c2e83918c6926900e00150d0fb175d899494fe7d69bf2a8b278c32ef6f6bea8d032e6a3831
+  languageName: node
+  linkType: hard
+
+"@babel/helper-simple-access@npm:^7.18.2":
+  version: 7.18.2
+  resolution: "@babel/helper-simple-access@npm:7.18.2"
+  dependencies:
+    "@babel/types": ^7.18.2
+  checksum: c0862b56db7e120754d89273a039b128c27517389f6a4425ff24e49779791e8fe10061579171fb986be81fa076778acb847c709f6f5e396278d9c5e01360c375
+  languageName: node
+  linkType: hard
+
+"@babel/helper-simple-access@npm:^7.18.6":
+  version: 7.18.6
+  resolution: "@babel/helper-simple-access@npm:7.18.6"
+  dependencies:
+    "@babel/types": ^7.18.6
+  checksum: 37cd36eef199e0517845763c1e6ff6ea5e7876d6d707a6f59c9267c547a50aa0e84260ba9285d49acfaf2cfa0a74a772d92967f32ac1024c961517d40b6c16a5
+  languageName: node
+  linkType: hard
+
+"@babel/helper-simple-access@npm:^7.22.5":
+  version: 7.22.5
+  resolution: "@babel/helper-simple-access@npm:7.22.5"
+  dependencies:
+    "@babel/types": ^7.22.5
+  checksum: fe9686714caf7d70aedb46c3cce090f8b915b206e09225f1e4dbc416786c2fdbbee40b38b23c268b7ccef749dd2db35f255338fb4f2444429874d900dede5ad2
+  languageName: node
+  linkType: hard
+
+"@babel/helper-skip-transparent-expression-wrappers@npm:^7.16.0":
+  version: 7.16.0
+  resolution: "@babel/helper-skip-transparent-expression-wrappers@npm:7.16.0"
+  dependencies:
+    "@babel/types": ^7.16.0
+  checksum: b9ed2896eb253e6a85f472b0d4098ed80403758ad1a4e34b02b11e8276e3083297526758b1a3e6886e292987266f10622d7dbced3508cc22b296a74903b41cfb
+  languageName: node
+  linkType: hard
+
+"@babel/helper-skip-transparent-expression-wrappers@npm:^7.22.5":
+  version: 7.22.5
+  resolution: "@babel/helper-skip-transparent-expression-wrappers@npm:7.22.5"
+  dependencies:
+    "@babel/types": ^7.22.5
+  checksum: 1012ef2295eb12dc073f2b9edf3425661e9b8432a3387e62a8bc27c42963f1f216ab3124228015c748770b2257b4f1fda882ca8fa34c0bf485e929ae5bc45244
+  languageName: node
+  linkType: hard
+
+"@babel/helper-split-export-declaration@npm:^7.12.13, @babel/helper-split-export-declaration@npm:^7.16.0":
+  version: 7.16.0
+  resolution: "@babel/helper-split-export-declaration@npm:7.16.0"
+  dependencies:
+    "@babel/types": ^7.16.0
+  checksum: 8bd87b5ea2046b145f0f55bc75cbdb6df69eaeb32919ee3c1c758757025aebca03e567a4d48389eb4f16a55021adb6ed8fa58aa771e164b15fa5e0a0722f771d
+  languageName: node
+  linkType: hard
+
+"@babel/helper-split-export-declaration@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/helper-split-export-declaration@npm:7.16.7"
+  dependencies:
+    "@babel/types": ^7.16.7
+  checksum: e10aaf135465c55114627951b79115f24bc7af72ecbb58d541d66daf1edaee5dde7cae3ec8c3639afaf74526c03ae3ce723444e3b5b3dc77140c456cd84bcaa1
+  languageName: node
+  linkType: hard
+
+"@babel/helper-split-export-declaration@npm:^7.18.6":
+  version: 7.18.6
+  resolution: "@babel/helper-split-export-declaration@npm:7.18.6"
+  dependencies:
+    "@babel/types": ^7.18.6
+  checksum: c6d3dede53878f6be1d869e03e9ffbbb36f4897c7cc1527dc96c56d127d834ffe4520a6f7e467f5b6f3c2843ea0e81a7819d66ae02f707f6ac057f3d57943a2b
+  languageName: node
+  linkType: hard
+
+"@babel/helper-split-export-declaration@npm:^7.22.6":
+  version: 7.22.6
+  resolution: "@babel/helper-split-export-declaration@npm:7.22.6"
+  dependencies:
+    "@babel/types": ^7.22.5
+  checksum: e141cace583b19d9195f9c2b8e17a3ae913b7ee9b8120246d0f9ca349ca6f03cb2c001fd5ec57488c544347c0bb584afec66c936511e447fd20a360e591ac921
+  languageName: node
+  linkType: hard
+
+"@babel/helper-string-parser@npm:^7.18.10":
+  version: 7.18.10
+  resolution: "@babel/helper-string-parser@npm:7.18.10"
+  checksum: d554a4393365b624916b5c00a4cc21c990c6617e7f3fe30be7d9731f107f12c33229a7a3db9d829bfa110d2eb9f04790745d421640e3bd245bb412dc0ea123c1
+  languageName: node
+  linkType: hard
+
+"@babel/helper-string-parser@npm:^7.19.4":
+  version: 7.19.4
+  resolution: "@babel/helper-string-parser@npm:7.19.4"
+  checksum: b2f8a3920b30dfac81ec282ac4ad9598ea170648f8254b10f475abe6d944808fb006aab325d3eb5a8ad3bea8dfa888cfa6ef471050dae5748497c110ec060943
+  languageName: node
+  linkType: hard
+
+"@babel/helper-string-parser@npm:^7.22.5":
+  version: 7.22.5
+  resolution: "@babel/helper-string-parser@npm:7.22.5"
+  checksum: 836851ca5ec813077bbb303acc992d75a360267aa3b5de7134d220411c852a6f17de7c0d0b8c8dcc0f567f67874c00f4528672b2a4f1bc978a3ada64c8c78467
+  languageName: node
+  linkType: hard
+
+"@babel/helper-string-parser@npm:^7.23.4":
+  version: 7.23.4
+  resolution: "@babel/helper-string-parser@npm:7.23.4"
+  checksum: c0641144cf1a7e7dc93f3d5f16d5327465b6cf5d036b48be61ecba41e1eece161b48f46b7f960951b67f8c3533ce506b16dece576baef4d8b3b49f8c65410f90
+  languageName: node
+  linkType: hard
+
+"@babel/helper-validator-identifier@npm:^7.14.0, @babel/helper-validator-identifier@npm:^7.15.7":
+  version: 7.15.7
+  resolution: "@babel/helper-validator-identifier@npm:7.15.7"
+  checksum: f041c28c531d1add5cc345b25d5df3c29c62bce3205b4d4a93dcd164ccf630350acba252d374fad8f5d8ea526995a215829f27183ba7ce7ce141843bf23068a6
+  languageName: node
+  linkType: hard
+
+"@babel/helper-validator-identifier@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/helper-validator-identifier@npm:7.16.7"
+  checksum: dbb3db9d184343152520a209b5684f5e0ed416109cde82b428ca9c759c29b10c7450657785a8b5c5256aa74acc6da491c1f0cf6b784939f7931ef82982051b69
+  languageName: node
+  linkType: hard
+
+"@babel/helper-validator-identifier@npm:^7.18.6":
+  version: 7.18.6
+  resolution: "@babel/helper-validator-identifier@npm:7.18.6"
+  checksum: e295254d616bbe26e48c196a198476ab4d42a73b90478c9842536cf910ead887f5af6b5c4df544d3052a25ccb3614866fa808dc1e3a5a4291acd444e243c0648
+  languageName: node
+  linkType: hard
+
+"@babel/helper-validator-identifier@npm:^7.19.1":
+  version: 7.19.1
+  resolution: "@babel/helper-validator-identifier@npm:7.19.1"
+  checksum: 0eca5e86a729162af569b46c6c41a63e18b43dbe09fda1d2a3c8924f7d617116af39cac5e4cd5d431bb760b4dca3c0970e0c444789b1db42bcf1fa41fbad0a3a
+  languageName: node
+  linkType: hard
+
+"@babel/helper-validator-identifier@npm:^7.22.20":
+  version: 7.22.20
+  resolution: "@babel/helper-validator-identifier@npm:7.22.20"
+  checksum: 136412784d9428266bcdd4d91c32bcf9ff0e8d25534a9d94b044f77fe76bc50f941a90319b05aafd1ec04f7d127cd57a179a3716009ff7f3412ef835ada95bdc
+  languageName: node
+  linkType: hard
+
+"@babel/helper-validator-identifier@npm:^7.22.5":
+  version: 7.22.5
+  resolution: "@babel/helper-validator-identifier@npm:7.22.5"
+  checksum: 7f0f30113474a28298c12161763b49de5018732290ca4de13cdaefd4fd0d635a6fe3f6686c37a02905fb1e64f21a5ee2b55140cf7b070e729f1bd66866506aea
+  languageName: node
+  linkType: hard
+
+"@babel/helper-validator-option@npm:^7.12.17, @babel/helper-validator-option@npm:^7.14.5":
+  version: 7.14.5
+  resolution: "@babel/helper-validator-option@npm:7.14.5"
+  checksum: 1b25c34a5cb3d8602280f33b9ab687d2a77895e3616458d0f70ddc450ada9b05e342c44f322bc741d51b252e84cff6ec44ae93d622a3354828579a643556b523
+  languageName: node
+  linkType: hard
+
+"@babel/helper-validator-option@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/helper-validator-option@npm:7.16.7"
+  checksum: c5ccc451911883cc9f12125d47be69434f28094475c1b9d2ada7c3452e6ac98a1ee8ddd364ca9e3f9855fcdee96cdeafa32543ebd9d17fee7a1062c202e80570
+  languageName: node
+  linkType: hard
+
+"@babel/helper-validator-option@npm:^7.18.6":
+  version: 7.18.6
+  resolution: "@babel/helper-validator-option@npm:7.18.6"
+  checksum: f9cc6eb7cc5d759c5abf006402180f8d5e4251e9198197428a97e05d65eb2f8ae5a0ce73b1dfd2d35af41d0eb780627a64edf98a4e71f064eeeacef8de58f2cf
+  languageName: node
+  linkType: hard
+
+"@babel/helper-validator-option@npm:^7.22.15, @babel/helper-validator-option@npm:^7.23.5":
+  version: 7.23.5
+  resolution: "@babel/helper-validator-option@npm:7.23.5"
+  checksum: 537cde2330a8aede223552510e8a13e9c1c8798afee3757995a7d4acae564124fe2bf7e7c3d90d62d3657434a74340a274b3b3b1c6f17e9a2be1f48af29cb09e
+  languageName: node
+  linkType: hard
+
+"@babel/helper-validator-option@npm:^7.22.5":
+  version: 7.22.5
+  resolution: "@babel/helper-validator-option@npm:7.22.5"
+  checksum: bbeca8a85ee86990215c0424997438b388b8d642d69b9f86c375a174d3cdeb270efafd1ff128bc7a1d370923d13b6e45829ba8581c027620e83e3a80c5c414b3
+  languageName: node
+  linkType: hard
+
+"@babel/helper-wrap-function@npm:^7.16.0":
+  version: 7.16.0
+  resolution: "@babel/helper-wrap-function@npm:7.16.0"
+  dependencies:
+    "@babel/helper-function-name": ^7.16.0
+    "@babel/template": ^7.16.0
+    "@babel/traverse": ^7.16.0
+    "@babel/types": ^7.16.0
+  checksum: 2bb4e05f49cf217cc5890581284a051245ba0ddaccbe3ddd662010d7a6969f52d2027e310d26db2e030273c5fe9341448c7845fcb4795ad8eb56bdeabec148b8
+  languageName: node
+  linkType: hard
+
+"@babel/helper-wrap-function@npm:^7.16.8":
+  version: 7.16.8
+  resolution: "@babel/helper-wrap-function@npm:7.16.8"
+  dependencies:
+    "@babel/helper-function-name": ^7.16.7
+    "@babel/template": ^7.16.7
+    "@babel/traverse": ^7.16.8
+    "@babel/types": ^7.16.8
+  checksum: d8aae4bacaf138d47dca1421ba82b41eac954cbb0ad17ab1c782825c6f2afe20076fbed926ab265967758336de5112d193a363128cd1c6967c66e0151174f797
+  languageName: node
+  linkType: hard
+
+"@babel/helper-wrap-function@npm:^7.22.20":
+  version: 7.22.20
+  resolution: "@babel/helper-wrap-function@npm:7.22.20"
+  dependencies:
+    "@babel/helper-function-name": ^7.22.5
+    "@babel/template": ^7.22.15
+    "@babel/types": ^7.22.19
+  checksum: 221ed9b5572612aeb571e4ce6a256f2dee85b3c9536f1dd5e611b0255e5f59a3d0ec392d8d46d4152149156a8109f92f20379b1d6d36abb613176e0e33f05fca
+  languageName: node
+  linkType: hard
+
+"@babel/helpers@npm:^7.14.0, @babel/helpers@npm:^7.16.0":
+  version: 7.16.3
+  resolution: "@babel/helpers@npm:7.16.3"
+  dependencies:
+    "@babel/template": ^7.16.0
+    "@babel/traverse": ^7.16.3
+    "@babel/types": ^7.16.0
+  checksum: b725b1aab734e9e1407247ee499880583855843fa2855377a2c26277bd9fbd7080219109189bc69b18d71cc30759666bfe66d534729b41452097866d1f5a66ef
+  languageName: node
+  linkType: hard
+
+"@babel/helpers@npm:^7.17.8":
+  version: 7.17.8
+  resolution: "@babel/helpers@npm:7.17.8"
+  dependencies:
+    "@babel/template": ^7.16.7
+    "@babel/traverse": ^7.17.3
+    "@babel/types": ^7.17.0
+  checksum: 463dad58119fefebf2d0201bfa53ec9607aa00356908895640fc07589747fb3c2e0dfee4019f3e8c9781e57c9aa5dff4c72ec8d1b031c4ed8349f90b6aefe99d
+  languageName: node
+  linkType: hard
+
+"@babel/helpers@npm:^7.18.2":
+  version: 7.18.2
+  resolution: "@babel/helpers@npm:7.18.2"
+  dependencies:
+    "@babel/template": ^7.16.7
+    "@babel/traverse": ^7.18.2
+    "@babel/types": ^7.18.2
+  checksum: 94620242f23f6d5f9b83a02b1aa1632ffb05b0815e1bb53d3b46d64aa8e771066bba1db8bd267d9091fb00134cfaeda6a8d69d1d4cc2c89658631adfa077ae70
+  languageName: node
+  linkType: hard
+
+"@babel/helpers@npm:^7.19.0":
+  version: 7.19.0
+  resolution: "@babel/helpers@npm:7.19.0"
+  dependencies:
+    "@babel/template": ^7.18.10
+    "@babel/traverse": ^7.19.0
+    "@babel/types": ^7.19.0
+  checksum: e50e78e0dbb0435075fa3f85021a6bcae529589800bca0292721afd7f7c874bea54508d6dc57eca16e5b8224f8142c6b0e32e3b0140029dc09865da747da4623
+  languageName: node
+  linkType: hard
+
+"@babel/helpers@npm:^7.22.6":
+  version: 7.22.6
+  resolution: "@babel/helpers@npm:7.22.6"
+  dependencies:
+    "@babel/template": ^7.22.5
+    "@babel/traverse": ^7.22.6
+    "@babel/types": ^7.22.5
+  checksum: 5c1f33241fe7bf7709868c2105134a0a86dca26a0fbd508af10a89312b1f77ca38ebae43e50be3b208613c5eacca1559618af4ca236f0abc55d294800faeff30
+  languageName: node
+  linkType: hard
+
+"@babel/highlight@npm:^7.12.13, @babel/highlight@npm:^7.16.0":
+  version: 7.16.0
+  resolution: "@babel/highlight@npm:7.16.0"
+  dependencies:
+    "@babel/helper-validator-identifier": ^7.15.7
+    chalk: ^2.0.0
+    js-tokens: ^4.0.0
+  checksum: abf244c48fcff20ec87830e8b99c776f4dcdd9138e63decc195719a94148da35339639e0d8045eb9d1f3e67a39ab90a9c3f5ce2d579fb1a0368d911ddf29b4e5
+  languageName: node
+  linkType: hard
+
+"@babel/highlight@npm:^7.16.7":
+  version: 7.16.10
+  resolution: "@babel/highlight@npm:7.16.10"
+  dependencies:
+    "@babel/helper-validator-identifier": ^7.16.7
+    chalk: ^2.0.0
+    js-tokens: ^4.0.0
+  checksum: 1f1bdd752a90844f4efc22166a46303fb651ba0fd75a06daba3ebae2575ab3edc1da9827c279872a3aaf305f50a18473c5fa1966752726a2b253065fd4c0745e
+  languageName: node
+  linkType: hard
+
+"@babel/highlight@npm:^7.18.6":
+  version: 7.18.6
+  resolution: "@babel/highlight@npm:7.18.6"
+  dependencies:
+    "@babel/helper-validator-identifier": ^7.18.6
+    chalk: ^2.0.0
+    js-tokens: ^4.0.0
+  checksum: 92d8ee61549de5ff5120e945e774728e5ccd57fd3b2ed6eace020ec744823d4a98e242be1453d21764a30a14769ecd62170fba28539b211799bbaf232bbb2789
+  languageName: node
+  linkType: hard
+
+"@babel/highlight@npm:^7.22.5":
+  version: 7.22.5
+  resolution: "@babel/highlight@npm:7.22.5"
+  dependencies:
+    "@babel/helper-validator-identifier": ^7.22.5
+    chalk: ^2.0.0
+    js-tokens: ^4.0.0
+  checksum: f61ae6de6ee0ea8d9b5bcf2a532faec5ab0a1dc0f7c640e5047fc61630a0edb88b18d8c92eb06566d30da7a27db841aca11820ecd3ebe9ce514c9350fbed39c4
+  languageName: node
+  linkType: hard
+
+"@babel/highlight@npm:^7.23.4":
+  version: 7.23.4
+  resolution: "@babel/highlight@npm:7.23.4"
+  dependencies:
+    "@babel/helper-validator-identifier": ^7.22.20
+    chalk: ^2.4.2
+    js-tokens: ^4.0.0
+  checksum: 643acecdc235f87d925979a979b539a5d7d1f31ae7db8d89047269082694122d11aa85351304c9c978ceeb6d250591ccadb06c366f358ccee08bb9c122476b89
+  languageName: node
+  linkType: hard
+
+"@babel/parser@npm:^7.12.3, @babel/parser@npm:^7.4.5":
+  version: 7.14.0
+  resolution: "@babel/parser@npm:7.14.0"
+  bin:
+    parser: ./bin/babel-parser.js
+  checksum: d1d82e6c2ecd1d66d873f3ae4f070bd687ee0d4e19ecf6b63a5daa735982ea0554a2ff7afd463d6754f8f28c9bc4b83264787d5a215b729f9552745ce76130f9
+  languageName: node
+  linkType: hard
+
+"@babel/parser@npm:^7.14.0, @babel/parser@npm:^7.16.0, @babel/parser@npm:^7.16.3":
+  version: 7.16.4
+  resolution: "@babel/parser@npm:7.16.4"
+  bin:
+    parser: ./bin/babel-parser.js
+  checksum: ce0a8f92f440f2a12bc932f070a7b60c5133bf8a63f461841f9e39af0194f573707959d606c6fad1a2fd496a45148553afd9b74d3b8dd36cdb7861598d1f3e36
+  languageName: node
+  linkType: hard
+
+"@babel/parser@npm:^7.16.7, @babel/parser@npm:^7.17.3, @babel/parser@npm:^7.17.8":
+  version: 7.17.8
+  resolution: "@babel/parser@npm:7.17.8"
+  bin:
+    parser: ./bin/babel-parser.js
+  checksum: 1771808491982cc47baa888a997aef6b58308e3844c8c00f730f8fd97defe57d32cdbf46075cd49aaee310fa31f3d2c80a0d41b41a4ee0ff336ee09e2ff6c222
+  languageName: node
+  linkType: hard
+
+"@babel/parser@npm:^7.18.0":
+  version: 7.18.4
+  resolution: "@babel/parser@npm:7.18.4"
+  bin:
+    parser: ./bin/babel-parser.js
+  checksum: e05b2dc720c4b200e088258f3c2a2de5041c140444edc38181d1217b10074e881a7133162c5b62356061f26279f08df5a06ec14c5842996ee8601ad03c57a44f
+  languageName: node
+  linkType: hard
+
+"@babel/parser@npm:^7.18.10, @babel/parser@npm:^7.19.0":
+  version: 7.19.0
+  resolution: "@babel/parser@npm:7.19.0"
+  bin:
+    parser: ./bin/babel-parser.js
+  checksum: af86d829bfeb60e0dcf54a43489c2514674b6c8d9bb24cf112706772125752fcd517877ad30501d533fa85f70a439d02eebeec3be9c2e95499853367184e0da7
+  languageName: node
+  linkType: hard
+
+"@babel/parser@npm:^7.22.15":
+  version: 7.23.5
+  resolution: "@babel/parser@npm:7.23.5"
+  bin:
+    parser: ./bin/babel-parser.js
+  checksum: ea763629310f71580c4a3ea9d3705195b7ba994ada2cc98f9a584ebfdacf54e92b2735d351672824c2c2b03c7f19206899f4d95650d85ce514a822b19a8734c7
+  languageName: node
+  linkType: hard
+
+"@babel/parser@npm:^7.22.5, @babel/parser@npm:^7.22.7":
+  version: 7.22.7
+  resolution: "@babel/parser@npm:7.22.7"
+  bin:
+    parser: ./bin/babel-parser.js
+  checksum: 02209ddbd445831ee8bf966fdf7c29d189ed4b14343a68eb2479d940e7e3846340d7cc6bd654a5f3d87d19dc84f49f50a58cf9363bee249dc5409ff3ba3dab54
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: bbb0f82a4cf297bdbb9110eea570addd4b883fd1b61535558d849822b087aa340fe4e9c31f8a39b087595c8310b58d0f5548d6be0b72c410abefb23a5734b7bc
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression@npm:7.17.12"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.17.12
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: 6ef739b3a2b0ac0b22b60ff472c118163ceb8d414dd08c8186cc563fddc2be62ad4d8681e02074a1c7f0056a72e7146493a85d12ded02e50904b0009ed85d8bf
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression@npm:7.23.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: ddbaf2c396b7780f15e80ee01d6dd790db076985f3dfeb6527d1a8d4cacf370e49250396a3aa005b2c40233cac214a106232f83703d5e8491848bde273938232
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@npm:^7.13.12":
+  version: 7.16.0
+  resolution: "@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+    "@babel/helper-skip-transparent-expression-wrappers": ^7.16.0
+    "@babel/plugin-proposal-optional-chaining": ^7.16.0
+  peerDependencies:
+    "@babel/core": ^7.13.0
+  checksum: bb115479292e2c66671a62c46a64d8dae1fc8bbf604c83f82a421216e3d40632dbe86e8ba34e66318c215eddfc4f25e6e7fe19123517f1cf5b6003b1efbd911a
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+    "@babel/helper-skip-transparent-expression-wrappers": ^7.16.0
+    "@babel/plugin-proposal-optional-chaining": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.13.0
+  checksum: 81b372651a7d886a06596b02df7fb65ea90265a8bd60c9f0d5c1777590a598e6cccbdc3239033ee0719abf904813e69577eeb0ed5960b40e07978df023b17a6a
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@npm:7.17.12"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.17.12
+    "@babel/helper-skip-transparent-expression-wrappers": ^7.16.0
+    "@babel/plugin-proposal-optional-chaining": ^7.17.12
+  peerDependencies:
+    "@babel/core": ^7.13.0
+  checksum: 68520a8f26e56bc8d90c22133537a9819e82598e3c82007f30bdaf8898b0e12a7bfa0cd3044aca35a7f362fd6bc04e4cd8052a571fc2eb40ad8f1cf24e0fc45f
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@npm:7.23.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+    "@babel/helper-skip-transparent-expression-wrappers": ^7.22.5
+    "@babel/plugin-transform-optional-chaining": ^7.23.3
+  peerDependencies:
+    "@babel/core": ^7.13.0
+  checksum: 434b9d710ae856fa1a456678cc304fbc93915af86d581ee316e077af746a709a741ea39d7e1d4f5b98861b629cc7e87f002d3138f5e836775632466d4c74aef2
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-bugfix-v8-static-class-fields-redefine-readonly@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-bugfix-v8-static-class-fields-redefine-readonly@npm:7.23.3"
+  dependencies:
+    "@babel/helper-environment-visitor": ^7.22.20
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: 4690123f0ef7c11d6bf1a9579e4f463ce363563b75ec3f6ca66cf68687e39d8d747a82c833847653962f79da367eca895d9095c60d8ebb224a1d4277003acc11
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-async-generator-functions@npm:^7.13.15":
+  version: 7.16.4
+  resolution: "@babel/plugin-proposal-async-generator-functions@npm:7.16.4"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+    "@babel/helper-remap-async-to-generator": ^7.16.4
+    "@babel/plugin-syntax-async-generators": ^7.8.4
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: dcd5a76ee12eacee93440e021a7e4a8e53b5d13d26c8fd7d412fc83341a1633a949bef1ef94301ae753164d39d303cb01b59234e6b48205377ca1d041f670ba5
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-async-generator-functions@npm:^7.16.8":
+  version: 7.16.8
+  resolution: "@babel/plugin-proposal-async-generator-functions@npm:7.16.8"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+    "@babel/helper-remap-async-to-generator": ^7.16.8
+    "@babel/plugin-syntax-async-generators": ^7.8.4
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: abd2c2c67de262720d37c5509dafe2ce64d6cee2dc9a8e863bbba1796b77387214442f37618373c6a4521ca624bfc7dcdbeb1376300d16f2a474405ee0ca2e69
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-async-generator-functions@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/plugin-proposal-async-generator-functions@npm:7.17.12"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.17.12
+    "@babel/helper-remap-async-to-generator": ^7.16.8
+    "@babel/plugin-syntax-async-generators": ^7.8.4
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 16a3c7f68a27031b4973b7c64ca009873c91b91afd7b3a4694ec7f1c6d8e91a6ee142eafd950113810fae122faa1031de71140333b2b1bd03d5367b1a05b1d91
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-class-properties@npm:^7.1.0":
+  version: 7.13.0
+  resolution: "@babel/plugin-proposal-class-properties@npm:7.13.0"
+  dependencies:
+    "@babel/helper-create-class-features-plugin": ^7.13.0
+    "@babel/helper-plugin-utils": ^7.13.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: e3cdfacb2d36c66204e3bf99b85feb521daed6e2c3d424f10eb3f722fe20ca0a2560fe9f5a01e5170a34a4f160e9ff02eb678bed81ee130f1c9d990ce8cd711c
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-class-properties@npm:^7.13.0":
+  version: 7.16.0
+  resolution: "@babel/plugin-proposal-class-properties@npm:7.16.0"
+  dependencies:
+    "@babel/helper-create-class-features-plugin": ^7.16.0
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: b1665ced553e5cdb95eec2fda321cb226c5f255edd1a94b226b9d81e97e026472184b6898af26f2bb9ee64101fad1afe215b6fc469d3103dec78c55e732e49aa
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-class-properties@npm:^7.16.5, @babel/plugin-proposal-class-properties@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-proposal-class-properties@npm:7.16.7"
+  dependencies:
+    "@babel/helper-create-class-features-plugin": ^7.16.7
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 3977e841e17b45b47be749b9a5b67b9e8b25ff0840f9fdad3f00cbcb35db4f5ff15f074939fe19b01207a29688c432cc2c682351959350834d62920b7881f803
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-class-properties@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/plugin-proposal-class-properties@npm:7.17.12"
+  dependencies:
+    "@babel/helper-create-class-features-plugin": ^7.17.12
+    "@babel/helper-plugin-utils": ^7.17.12
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 884df6a4617a18cdc2a630096b2a10954bcc94757c893bb01abd6702fdc73343ca5c611f4884c4634e0608f5e86c3093ea6b973ce00bf21b248ba54de92c837d
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-class-static-block@npm:^7.13.11":
+  version: 7.16.0
+  resolution: "@babel/plugin-proposal-class-static-block@npm:7.16.0"
+  dependencies:
+    "@babel/helper-create-class-features-plugin": ^7.16.0
+    "@babel/helper-plugin-utils": ^7.14.5
+    "@babel/plugin-syntax-class-static-block": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.12.0
+  checksum: 59c4bb3d6ad4828e7773fe1c63730c68bf646c3a8d042b9ed4062fd98a26c1656b7ee108c5f144fd8b24ff567baf3b2efa644be29c6c8bcfe60e09e485e22116
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-class-static-block@npm:^7.16.7":
+  version: 7.17.6
+  resolution: "@babel/plugin-proposal-class-static-block@npm:7.17.6"
+  dependencies:
+    "@babel/helper-create-class-features-plugin": ^7.17.6
+    "@babel/helper-plugin-utils": ^7.16.7
+    "@babel/plugin-syntax-class-static-block": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.12.0
+  checksum: 0ef00d73b4a7667059f71614669fb5ec989a0a6d5fe58118310c892507f2556a6f3ae66f0c547cd06e50bdf3ff528ef486e611079d41ef321300c967d2c26e1d
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-class-static-block@npm:^7.18.0":
+  version: 7.18.0
+  resolution: "@babel/plugin-proposal-class-static-block@npm:7.18.0"
+  dependencies:
+    "@babel/helper-create-class-features-plugin": ^7.18.0
+    "@babel/helper-plugin-utils": ^7.17.12
+    "@babel/plugin-syntax-class-static-block": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.12.0
+  checksum: 70fd622fd7c62cca2aa99c70532766340a5c30105e35cb3f1187b450580d43adc78b3fcb1142ed339bcfccf84be95ea03407adf467331b318ce6874432736c89
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-decorators@npm:^7.13.5":
+  version: 7.16.4
+  resolution: "@babel/plugin-proposal-decorators@npm:7.16.4"
+  dependencies:
+    "@babel/helper-create-class-features-plugin": ^7.16.0
+    "@babel/helper-plugin-utils": ^7.14.5
+    "@babel/plugin-syntax-decorators": ^7.16.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: de4f3187c60d14fca37f4edf9d27c61b22e62609708bbaa48bd25b705ab4d5d09457b1011bf6fb55607b11c7a227310f3db5ced4802ded96a79202af7fad7101
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-decorators@npm:^7.16.7":
+  version: 7.18.2
+  resolution: "@babel/plugin-proposal-decorators@npm:7.18.2"
+  dependencies:
+    "@babel/helper-create-class-features-plugin": ^7.18.0
+    "@babel/helper-plugin-utils": ^7.17.12
+    "@babel/helper-replace-supers": ^7.18.2
+    "@babel/helper-split-export-declaration": ^7.16.7
+    "@babel/plugin-syntax-decorators": ^7.17.12
+    charcodes: ^0.2.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: cb40e31afe5c414d748d90943910ff7e8015f89f5845046bcdc8ae9b09882b183c550a6bc32969826680d9c41866d5f39097f1cd7b0a7c2101285ec4e38dbded
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-decorators@npm:^7.20.13":
+  version: 7.23.5
+  resolution: "@babel/plugin-proposal-decorators@npm:7.23.5"
+  dependencies:
+    "@babel/helper-create-class-features-plugin": ^7.23.5
+    "@babel/helper-plugin-utils": ^7.22.5
+    "@babel/helper-replace-supers": ^7.22.20
+    "@babel/helper-split-export-declaration": ^7.22.6
+    "@babel/plugin-syntax-decorators": ^7.23.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: e925fe7a82c03aa372b92b312e69a05453d55aaaf2fd48336c88f4fe2b7e81bf9e8e52b93d4f785a02f2b8deedee6964054153566b40c92886dcf795843a243e
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-decorators@npm:^7.21.0":
+  version: 7.22.7
+  resolution: "@babel/plugin-proposal-decorators@npm:7.22.7"
+  dependencies:
+    "@babel/helper-create-class-features-plugin": ^7.22.6
+    "@babel/helper-plugin-utils": ^7.22.5
+    "@babel/helper-replace-supers": ^7.22.5
+    "@babel/helper-split-export-declaration": ^7.22.6
+    "@babel/plugin-syntax-decorators": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: d9d6f7cc8b3f1450963d3f26909af025836189b81e43c48ad455db5db2319beaf4ad2fda5aa12a1afcf856de11ecd5ee6894a9e906e8de8ee445c79102b50d26
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-dynamic-import@npm:^7.13.8":
+  version: 7.16.0
+  resolution: "@babel/plugin-proposal-dynamic-import@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+    "@babel/plugin-syntax-dynamic-import": ^7.8.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 4027da640443d8fd4a20637d1dd67cce1c13207b8c19fa77796a08b9eec9881b95322c1a5c489128adf3a12e9bbc02b31de9ddd536c909d072577a74a2a70b67
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-dynamic-import@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-proposal-dynamic-import@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+    "@babel/plugin-syntax-dynamic-import": ^7.8.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 5992012484fb8bda1451369350e475091954ed414dd9ef8654a3c4daa2db0205d4f29c94f5d3dedfbc5a434996375c8304586904337d6af938ac0f27a0033e23
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-export-namespace-from@npm:^7.12.13":
+  version: 7.16.0
+  resolution: "@babel/plugin-proposal-export-namespace-from@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+    "@babel/plugin-syntax-export-namespace-from": ^7.8.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 0bdc166ac44d9a0579e6d14d07ed1364932b4b7852626f4ba0c0011464097ed23bec43a3e93793d888c2854918ce9937ac251a945abbe0d283eaa1df206e0b05
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-export-namespace-from@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-proposal-export-namespace-from@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+    "@babel/plugin-syntax-export-namespace-from": ^7.8.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 5016079a5305c1c130fea587b42cdce501574739cfefa5b63469dbc1f32d436df0ff42fabf04089fe8b6a00f4ea7563869e944744b457e186c677995983cb166
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-export-namespace-from@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/plugin-proposal-export-namespace-from@npm:7.17.12"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.17.12
+    "@babel/plugin-syntax-export-namespace-from": ^7.8.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 41c9cd4c0a5629b65725d2554867c15b199f534cea5538bd1ae379c0d13e7206d8590e23b23cb05a8b243e33e6eb88c1de3fd03a55cdbc6d4cf8634a6bebe43d
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-json-strings@npm:^7.13.8":
+  version: 7.16.0
+  resolution: "@babel/plugin-proposal-json-strings@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+    "@babel/plugin-syntax-json-strings": ^7.8.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: fa93be8eff22ced96a68c9db8c0e930414a4ffb44cf68b473717309c06a4feee2bac6e41415a699c829f29928653d67b4b7d29a45861784d235264d829055a1e
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-json-strings@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-proposal-json-strings@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+    "@babel/plugin-syntax-json-strings": ^7.8.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: ea6487918f8d88322ac2a4e5273be6163b0d84a34330c31cee346e23525299de3b4f753bc987951300a79f55b8f4b1971b24d04c0cdfcb7ceb4d636975c215e8
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-json-strings@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/plugin-proposal-json-strings@npm:7.17.12"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.17.12
+    "@babel/plugin-syntax-json-strings": ^7.8.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 8ed4ee3fbc28e44fac17c48bd95b5b8c3ffc852053a9fffd36ab498ec0b0ba069b8b2f5658edc18332748948433b9d3e1e376f564a1d65cb54592ba9943be09b
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-logical-assignment-operators@npm:^7.13.8":
+  version: 7.16.0
+  resolution: "@babel/plugin-proposal-logical-assignment-operators@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+    "@babel/plugin-syntax-logical-assignment-operators": ^7.10.4
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 7e6cd10248803f0c5801805ef1a357314940c3204c3d2f00994711f272c21276f181d0e83ada5bce6185ae2c97c4417e778331505ffc2e71a2b9c4425a5dcc6d
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-logical-assignment-operators@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-proposal-logical-assignment-operators@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+    "@babel/plugin-syntax-logical-assignment-operators": ^7.10.4
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: c4cf18e10f900d40eaa471c4adce4805e67bd845f997a4b9d5653eced4e653187b9950843b2bf7eab6c0c3e753aba222b1d38888e3e14e013f87295c5b014f19
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-logical-assignment-operators@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/plugin-proposal-logical-assignment-operators@npm:7.17.12"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.17.12
+    "@babel/plugin-syntax-logical-assignment-operators": ^7.10.4
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 0d48451836219b7beeca4be22a8aeb4a177a4944be4727afb94a4a11f201dde8b0b186dd2ad65b537d61e9af3fa1afda734f7096bec8602debd76d07aa342e21
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-nullish-coalescing-operator@npm:^7.13.8, @babel/plugin-proposal-nullish-coalescing-operator@npm:^7.4.4":
+  version: 7.16.0
+  resolution: "@babel/plugin-proposal-nullish-coalescing-operator@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+    "@babel/plugin-syntax-nullish-coalescing-operator": ^7.8.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: e50f94929970cdc5c6ee22ec4c95c46ae25cdd8c391baf601f7f3d3a3cec417efc663a3fafa9ae5bca82a6815d49687b07cab9857f5a10e9ea862438ecb81e4a
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-nullish-coalescing-operator@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-proposal-nullish-coalescing-operator@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+    "@babel/plugin-syntax-nullish-coalescing-operator": ^7.8.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: bfafc2701697b5c763dbbb65dd97b56979bfb0922e35be27733699a837aeff22316313ddfdd0fb45129efa3f86617219b77110d05338bc4dca4385d8ce83dd19
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-nullish-coalescing-operator@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/plugin-proposal-nullish-coalescing-operator@npm:7.17.12"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.17.12
+    "@babel/plugin-syntax-nullish-coalescing-operator": ^7.8.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 7881d8005d0d4e17a94f3bfbfa4a0d8af016d2f62ed90912fabb8c5f8f0cc0a15fd412f09c230984c40b5c893086987d403c73198ef388ffcb3726ff72efc009
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-numeric-separator@npm:^7.12.13":
+  version: 7.16.0
+  resolution: "@babel/plugin-proposal-numeric-separator@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+    "@babel/plugin-syntax-numeric-separator": ^7.10.4
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: eb7895a4f38263df644a0ded7042991190f23bdec4b53f3e2c8b40b82d2dbc537a6ca9afbfd490d1aa5dd33244e7a51bf1ae0c4c6890d9978bc1adc325b7e795
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-numeric-separator@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-proposal-numeric-separator@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+    "@babel/plugin-syntax-numeric-separator": ^7.10.4
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 8e2fb0b32845908c67f80bc637a0968e28a66727d7ffb22b9c801dc355d88e865dc24aec586b00c922c23833ae5d26301b443b53609ea73d8344733cd48a1eca
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-object-rest-spread@npm:^7.12.1":
+  version: 7.13.8
+  resolution: "@babel/plugin-proposal-object-rest-spread@npm:7.13.8"
+  dependencies:
+    "@babel/compat-data": ^7.13.8
+    "@babel/helper-compilation-targets": ^7.13.8
+    "@babel/helper-plugin-utils": ^7.13.0
+    "@babel/plugin-syntax-object-rest-spread": ^7.8.3
+    "@babel/plugin-transform-parameters": ^7.13.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 7ae92617c672e1d47979c809bd90b20c4e7d269769776dd705f519634a165d113de8ef05739a557b3aad0cb6884986b82d287dcb63211c07b66dca43ac66c8bb
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-object-rest-spread@npm:^7.13.8":
+  version: 7.16.0
+  resolution: "@babel/plugin-proposal-object-rest-spread@npm:7.16.0"
+  dependencies:
+    "@babel/compat-data": ^7.16.0
+    "@babel/helper-compilation-targets": ^7.16.0
+    "@babel/helper-plugin-utils": ^7.14.5
+    "@babel/plugin-syntax-object-rest-spread": ^7.8.3
+    "@babel/plugin-transform-parameters": ^7.16.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: c7716ba50e65aae613e553dd568d3f4b4c42fa8d9f1c3aca6cc227670fc792b600cd5a5c710451490f3d7d5916e77607cba45033e199534ca71feed451f63820
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-object-rest-spread@npm:^7.16.7":
+  version: 7.17.3
+  resolution: "@babel/plugin-proposal-object-rest-spread@npm:7.17.3"
+  dependencies:
+    "@babel/compat-data": ^7.17.0
+    "@babel/helper-compilation-targets": ^7.16.7
+    "@babel/helper-plugin-utils": ^7.16.7
+    "@babel/plugin-syntax-object-rest-spread": ^7.8.3
+    "@babel/plugin-transform-parameters": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 02810f158db4aaf6883131621b5d2c7d901ea3c034df2c2b78663f8b26813795d78a346c37e56770a720c54773732fd1d7fe40947dbf11d1d8de0e9a38e856d3
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-object-rest-spread@npm:^7.18.0":
+  version: 7.18.0
+  resolution: "@babel/plugin-proposal-object-rest-spread@npm:7.18.0"
+  dependencies:
+    "@babel/compat-data": ^7.17.10
+    "@babel/helper-compilation-targets": ^7.17.10
+    "@babel/helper-plugin-utils": ^7.17.12
+    "@babel/plugin-syntax-object-rest-spread": ^7.8.3
+    "@babel/plugin-transform-parameters": ^7.17.12
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 2b49bcf9a6b11fd8b6a1d4962a64f3c846a63f8340eca9824c907f75bfcff7422ca35b135607fc3ef2d4e7e77ce6b6d955b772dc3c1c39f7ed24a0d8a560ec78
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-optional-catch-binding@npm:^7.13.8":
+  version: 7.16.0
+  resolution: "@babel/plugin-proposal-optional-catch-binding@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+    "@babel/plugin-syntax-optional-catch-binding": ^7.8.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 5003a1d48fb6bac1661b481681baf7941de518f1f773d9745e65a650e750b715cb69181a4b723e28f4e43b94143b7b0fe5d12ff1ceceda9731f073cd6bf4e195
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-optional-catch-binding@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-proposal-optional-catch-binding@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+    "@babel/plugin-syntax-optional-catch-binding": ^7.8.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 4a422bb19a23cf80a245c60bea7adbe5dac8ff3bc1a62f05d7155e1eb68d401b13339c94dfd1f3d272972feeb45746f30d52ca0f8d5c63edf6891340878403df
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-optional-chaining@npm:^7.13.12, @babel/plugin-proposal-optional-chaining@npm:^7.16.0, @babel/plugin-proposal-optional-chaining@npm:^7.6.0":
+  version: 7.16.0
+  resolution: "@babel/plugin-proposal-optional-chaining@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+    "@babel/helper-skip-transparent-expression-wrappers": ^7.16.0
+    "@babel/plugin-syntax-optional-chaining": ^7.8.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 8301e0829220327c8b969b711c5c4ee5aef88b391e5fb7838381bd18c0fd0cf360d3a307ad5c6113414470ae920504dc2c41983af0ddf3762f5c88957e0c3a94
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-optional-chaining@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-proposal-optional-chaining@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+    "@babel/helper-skip-transparent-expression-wrappers": ^7.16.0
+    "@babel/plugin-syntax-optional-chaining": ^7.8.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: e4a6c1ac7e6817b92a673ea52ab0b7dc1fb39d29fb0820cd414e10ae2cd132bd186b4238dcca881a29fc38fe9d38ed24fc111ba22ca20086481682d343f4f130
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-optional-chaining@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/plugin-proposal-optional-chaining@npm:7.17.12"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.17.12
+    "@babel/helper-skip-transparent-expression-wrappers": ^7.16.0
+    "@babel/plugin-syntax-optional-chaining": ^7.8.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: a27b220573441a0ad3eecf8ddcb249556a64de45add236791d76cfa164a8fd34181857528fa7d21d03d6b004e7c043bd929cce068e611ee1ac72aaf4d397aa12
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-private-methods@npm:^7.13.0":
+  version: 7.16.0
+  resolution: "@babel/plugin-proposal-private-methods@npm:7.16.0"
+  dependencies:
+    "@babel/helper-create-class-features-plugin": ^7.16.0
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 6f648f54ea1219262b7a05f86f94de7cb466dc81ffd86e4f37ba536037762457ef13408083eb4325d44d2a5aae27c097756efe1067f5c1fbddb8078b923580f5
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-private-methods@npm:^7.16.11, @babel/plugin-proposal-private-methods@npm:^7.16.5":
+  version: 7.16.11
+  resolution: "@babel/plugin-proposal-private-methods@npm:7.16.11"
+  dependencies:
+    "@babel/helper-create-class-features-plugin": ^7.16.10
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: b333e5aa91c265bb394a57b5f4ae1a34fc8ee73a8d75506b12df258d8b5342107cbd9261f95e606bd3264a5b023db77f1f95be30c2e526683916c57f793f7943
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-private-methods@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/plugin-proposal-private-methods@npm:7.17.12"
+  dependencies:
+    "@babel/helper-create-class-features-plugin": ^7.17.12
+    "@babel/helper-plugin-utils": ^7.17.12
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: a1e5bd6a0a541af55d133d7bcf51ff8eb4ac7417a30f518c2f38107d7d033a3d5b7128ea5b3a910b458d7ceb296179b6ff9d972be60d1c686113d25fede8bed3
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-private-property-in-object@npm:7.21.0-placeholder-for-preset-env.2":
+  version: 7.21.0-placeholder-for-preset-env.2
+  resolution: "@babel/plugin-proposal-private-property-in-object@npm:7.21.0-placeholder-for-preset-env.2"
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: d97745d098b835d55033ff3a7fb2b895b9c5295b08a5759e4f20df325aa385a3e0bc9bd5ad8f2ec554a44d4e6525acfc257b8c5848a1345cb40f26a30e277e91
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-private-property-in-object@npm:^7.14.0":
+  version: 7.16.0
+  resolution: "@babel/plugin-proposal-private-property-in-object@npm:7.16.0"
+  dependencies:
+    "@babel/helper-annotate-as-pure": ^7.16.0
+    "@babel/helper-create-class-features-plugin": ^7.16.0
+    "@babel/helper-plugin-utils": ^7.14.5
+    "@babel/plugin-syntax-private-property-in-object": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 9098fb34f4abac376ec5823bf6aaedacd46e6925a6fc62559a8086a110bf39310ee308bfbbed052f047ad803b7148b87e43b6d83a759be0aeab1149efd4b8eeb
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-private-property-in-object@npm:^7.16.5, @babel/plugin-proposal-private-property-in-object@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-proposal-private-property-in-object@npm:7.16.7"
+  dependencies:
+    "@babel/helper-annotate-as-pure": ^7.16.7
+    "@babel/helper-create-class-features-plugin": ^7.16.7
+    "@babel/helper-plugin-utils": ^7.16.7
+    "@babel/plugin-syntax-private-property-in-object": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 666d668f51d8c01aaf0dd87b27a83fc0392884d2c8e9d8e17b3b7011c0d348865dee94b44dc2d7070726e58e3b579728dc2588aaa8140d563f7390743ee90f0a
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-private-property-in-object@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/plugin-proposal-private-property-in-object@npm:7.17.12"
+  dependencies:
+    "@babel/helper-annotate-as-pure": ^7.16.7
+    "@babel/helper-create-class-features-plugin": ^7.17.12
+    "@babel/helper-plugin-utils": ^7.17.12
+    "@babel/plugin-syntax-private-property-in-object": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 056cb77994b2ee367301cdf8c5b7ed71faf26d60859bbba1368b342977481b0884712a1b97fbd9b091750162923d0265bf901119d46002775aa66e4a9f30f411
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-private-property-in-object@npm:^7.20.5":
+  version: 7.21.11
+  resolution: "@babel/plugin-proposal-private-property-in-object@npm:7.21.11"
+  dependencies:
+    "@babel/helper-annotate-as-pure": ^7.18.6
+    "@babel/helper-create-class-features-plugin": ^7.21.0
+    "@babel/helper-plugin-utils": ^7.20.2
+    "@babel/plugin-syntax-private-property-in-object": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 1b880543bc5f525b360b53d97dd30807302bb82615cd42bf931968f59003cac75629563d6b104868db50abd22235b3271fdf679fea5db59a267181a99cc0c265
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-unicode-property-regex@npm:^7.12.13, @babel/plugin-proposal-unicode-property-regex@npm:^7.4.4":
+  version: 7.16.0
+  resolution: "@babel/plugin-proposal-unicode-property-regex@npm:7.16.0"
+  dependencies:
+    "@babel/helper-create-regexp-features-plugin": ^7.16.0
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: f26b76c9aa680820fe693f768a36e3a2c4d969e72d7a362059fffad7c874eed8a89bde2be5bde650283a685bd879415f8937fb37a9a1397b287a81df0c6f7c23
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-unicode-property-regex@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-proposal-unicode-property-regex@npm:7.16.7"
+  dependencies:
+    "@babel/helper-create-regexp-features-plugin": ^7.16.7
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 2b8a33713d456183f0b7d011011e7bd932c08cc06216399a7b2015ab39284b511993dc10a89bbb15d1d728e6a2ef42ca08c3202619aa148cbd48052422ea3995
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-proposal-unicode-property-regex@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/plugin-proposal-unicode-property-regex@npm:7.17.12"
+  dependencies:
+    "@babel/helper-create-regexp-features-plugin": ^7.17.12
+    "@babel/helper-plugin-utils": ^7.17.12
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 0e4194510415ed11849f1617fcb32d996df746ba93cd05ebbabecb63cfc02c0e97b585c97da3dcf68acdd3c8b71cfae964abe5d5baba6bd3977a475d9225ad9e
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-async-generators@npm:^7.8.4":
+  version: 7.8.4
+  resolution: "@babel/plugin-syntax-async-generators@npm:7.8.4"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.8.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 7ed1c1d9b9e5b64ef028ea5e755c0be2d4e5e4e3d6cf7df757b9a8c4cfa4193d268176d0f1f7fbecdda6fe722885c7fda681f480f3741d8a2d26854736f05367
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-class-properties@npm:^7.12.13":
+  version: 7.12.13
+  resolution: "@babel/plugin-syntax-class-properties@npm:7.12.13"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.12.13
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 24f34b196d6342f28d4bad303612d7ff566ab0a013ce89e775d98d6f832969462e7235f3e7eaf17678a533d4be0ba45d3ae34ab4e5a9dcbda5d98d49e5efa2fc
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-class-static-block@npm:^7.12.13, @babel/plugin-syntax-class-static-block@npm:^7.14.5":
+  version: 7.14.5
+  resolution: "@babel/plugin-syntax-class-static-block@npm:7.14.5"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 3e80814b5b6d4fe17826093918680a351c2d34398a914ce6e55d8083d72a9bdde4fbaf6a2dcea0e23a03de26dc2917ae3efd603d27099e2b98380345703bf948
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-decorators@npm:^7.16.0":
+  version: 7.16.0
+  resolution: "@babel/plugin-syntax-decorators@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: afee8cc796f4e8e7ab407420f25d6241932a988036d9b49db289f5e71346e8e7e93157d3c0305f3d95acf4c901cfd6d2ad2d951701e208457788427dc38319c2
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-decorators@npm:^7.16.7":
+  version: 7.19.0
+  resolution: "@babel/plugin-syntax-decorators@npm:7.19.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.19.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 105a13d581a8643ba145d4d0d31f34a492b352defa5b155e785702da6ce9c3ff0c1843ba9bee176e35f6e38afa19dc7bd12c120220af0495de4b128f1dd27f6e
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-decorators@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/plugin-syntax-decorators@npm:7.17.12"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.17.12
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: cdbb7f92e43a85291845e38910aa1bed0c3e489ae2da187b2e9604d1f2769f72b712a5a8b5e45223c7f5856927557bc314e86f7f1832a47405fdf5e492baa164
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-decorators@npm:^7.22.5":
+  version: 7.22.5
+  resolution: "@babel/plugin-syntax-decorators@npm:7.22.5"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 643c75a3b603320c499a0542ca97b5cced81e99de02ae9cbfca1a1ec6d938467546a65023b13df742e1b2f94ffe352ddfe908d14b9303fae7514ed9325886a97
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-decorators@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-syntax-decorators@npm:7.23.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 07f6e488df0a061428e02629af9a1908b2e8abdcac2e5cfaa267be66dc30897be6e29df7c7f952d33f3679f9585ac9fcf6318f9c827790ab0b0928d5514305cd
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-dynamic-import@npm:^7.8.3":
+  version: 7.8.3
+  resolution: "@babel/plugin-syntax-dynamic-import@npm:7.8.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.8.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: ce307af83cf433d4ec42932329fad25fa73138ab39c7436882ea28742e1c0066626d224e0ad2988724c82644e41601cef607b36194f695cb78a1fcdc959637bd
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-export-namespace-from@npm:^7.8.3":
+  version: 7.8.3
+  resolution: "@babel/plugin-syntax-export-namespace-from@npm:7.8.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.8.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 85740478be5b0de185228e7814451d74ab8ce0a26fcca7613955262a26e99e8e15e9da58f60c754b84515d4c679b590dbd3f2148f0f58025f4ae706f1c5a5d4a
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-import-assertions@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/plugin-syntax-import-assertions@npm:7.17.12"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.17.12
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: fef25c3247d18dc7b8e432ed07f4afb92d70113fcfc3db0ca52388f8083b4bd60f88fe9ec0085e8a5a6daf18a619042376e76e2b4bd9470cddb7362cd268bea5
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-import-assertions@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-syntax-import-assertions@npm:7.23.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 883e6b35b2da205138caab832d54505271a3fee3fc1e8dc0894502434fc2b5d517cbe93bbfbfef8068a0fb6ec48ebc9eef3f605200a489065ba43d8cddc1c9a7
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-import-attributes@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-syntax-import-attributes@npm:7.23.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 9aed7661ffb920ca75df9f494757466ca92744e43072e0848d87fa4aa61a3f2ee5a22198ac1959856c036434b5614a8f46f1fb70298835dbe28220cdd1d4c11e
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-import-meta@npm:^7.10.4":
+  version: 7.10.4
+  resolution: "@babel/plugin-syntax-import-meta@npm:7.10.4"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.10.4
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 166ac1125d10b9c0c430e4156249a13858c0366d38844883d75d27389621ebe651115cb2ceb6dc011534d5055719fa1727b59f39e1ab3ca97820eef3dcab5b9b
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-json-strings@npm:^7.8.3":
+  version: 7.8.3
+  resolution: "@babel/plugin-syntax-json-strings@npm:7.8.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.8.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: bf5aea1f3188c9a507e16efe030efb996853ca3cadd6512c51db7233cc58f3ac89ff8c6bdfb01d30843b161cfe7d321e1bf28da82f7ab8d7e6bc5464666f354a
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-logical-assignment-operators@npm:^7.10.4":
+  version: 7.10.4
+  resolution: "@babel/plugin-syntax-logical-assignment-operators@npm:7.10.4"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.10.4
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: aff33577037e34e515911255cdbb1fd39efee33658aa00b8a5fd3a4b903585112d037cce1cc9e4632f0487dc554486106b79ccd5ea63a2e00df4363f6d4ff886
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-nullish-coalescing-operator@npm:^7.8.3":
+  version: 7.8.3
+  resolution: "@babel/plugin-syntax-nullish-coalescing-operator@npm:7.8.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.8.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 87aca4918916020d1fedba54c0e232de408df2644a425d153be368313fdde40d96088feed6c4e5ab72aac89be5d07fef2ddf329a15109c5eb65df006bf2580d1
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-numeric-separator@npm:^7.10.4":
+  version: 7.10.4
+  resolution: "@babel/plugin-syntax-numeric-separator@npm:7.10.4"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.10.4
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 01ec5547bd0497f76cc903ff4d6b02abc8c05f301c88d2622b6d834e33a5651aa7c7a3d80d8d57656a4588f7276eba357f6b7e006482f5b564b7a6488de493a1
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-object-rest-spread@npm:^7.8.3":
+  version: 7.8.3
+  resolution: "@babel/plugin-syntax-object-rest-spread@npm:7.8.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.8.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: fddcf581a57f77e80eb6b981b10658421bc321ba5f0a5b754118c6a92a5448f12a0c336f77b8abf734841e102e5126d69110a306eadb03ca3e1547cab31f5cbf
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-optional-catch-binding@npm:^7.8.3":
+  version: 7.8.3
+  resolution: "@babel/plugin-syntax-optional-catch-binding@npm:7.8.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.8.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 910d90e72bc90ea1ce698e89c1027fed8845212d5ab588e35ef91f13b93143845f94e2539d831dc8d8ededc14ec02f04f7bd6a8179edd43a326c784e7ed7f0b9
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-optional-chaining@npm:^7.8.3":
+  version: 7.8.3
+  resolution: "@babel/plugin-syntax-optional-chaining@npm:7.8.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.8.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: eef94d53a1453361553c1f98b68d17782861a04a392840341bc91780838dd4e695209c783631cf0de14c635758beafb6a3a65399846ffa4386bff90639347f30
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-private-property-in-object@npm:^7.14.0, @babel/plugin-syntax-private-property-in-object@npm:^7.14.5":
+  version: 7.14.5
+  resolution: "@babel/plugin-syntax-private-property-in-object@npm:7.14.5"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: b317174783e6e96029b743ccff2a67d63d38756876e7e5d0ba53a322e38d9ca452c13354a57de1ad476b4c066dbae699e0ca157441da611117a47af88985ecda
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-top-level-await@npm:^7.12.13, @babel/plugin-syntax-top-level-await@npm:^7.14.5":
+  version: 7.14.5
+  resolution: "@babel/plugin-syntax-top-level-await@npm:7.14.5"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: bbd1a56b095be7820029b209677b194db9b1d26691fe999856462e66b25b281f031f3dfd91b1619e9dcf95bebe336211833b854d0fb8780d618e35667c2d0d7e
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-typescript@npm:^7.16.0, @babel/plugin-syntax-typescript@npm:^7.8.3":
+  version: 7.16.0
+  resolution: "@babel/plugin-syntax-typescript@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 2da3bdd031230e515615fe39c50d40064d04f64f1d2b60113adff2c112a27e4f9425425e604297d5c2af2b635e7980f3677e434dfeb1d7320ad2cd1ffc8e8c2a
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-typescript@npm:^7.18.6":
+  version: 7.18.6
+  resolution: "@babel/plugin-syntax-typescript@npm:7.18.6"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.18.6
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 2cde73725ec51118ebf410bf02d78781c03fa4d3185993fcc9d253b97443381b621c44810084c5dd68b92eb8bdfae0e5b163e91b32bebbb33852383d1815c05d
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-typescript@npm:^7.2.0":
+  version: 7.12.13
+  resolution: "@babel/plugin-syntax-typescript@npm:7.12.13"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.12.13
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 3bd08315a82c6cd292e95087f4e9635a92a593112f9bd9e5581dd555d8fa102b4871ece7c54d9fa89f9b0cbd6b2829c7118eaa6fb9a09a3c8edb96868446013f
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-typescript@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-syntax-typescript@npm:7.23.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: abfad3a19290d258b028e285a1f34c9b8a0cbe46ef79eafed4ed7ffce11b5d0720b5e536c82f91cbd8442cde35a3dd8e861fa70366d87ff06fdc0d4756e30876
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-syntax-unicode-sets-regex@npm:^7.18.6":
+  version: 7.18.6
+  resolution: "@babel/plugin-syntax-unicode-sets-regex@npm:7.18.6"
+  dependencies:
+    "@babel/helper-create-regexp-features-plugin": ^7.18.6
+    "@babel/helper-plugin-utils": ^7.18.6
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: a651d700fe63ff0ddfd7186f4ebc24447ca734f114433139e3c027bc94a900d013cf1ef2e2db8430425ba542e39ae160c3b05f06b59fd4656273a3df97679e9c
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-arrow-functions@npm:^7.13.0":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-arrow-functions@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: ff647300424968d1cd6c6b015fd72d332042a94c7b08f3e785f32d22364bfad49258a41c53675de08573af98da1a623efa03da13a653f06988f79a9d571f7030
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-arrow-functions@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-arrow-functions@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 2a6aa982c6fc80f4de7ccd973507ce5464fab129987cb6661136a7b9b6a020c2b329b912cbc46a68d39b5a18451ba833dcc8d1ca8d615597fec98624ac2add54
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-arrow-functions@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/plugin-transform-arrow-functions@npm:7.17.12"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.17.12
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 48f99e74f523641696d5d9fb3f5f02497eca2e97bc0e9b8230a47f388e37dc5fd84b8b29e9f5a0c82d63403f7ba5f085a28e26939678f6e917d5c01afd884b50
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-arrow-functions@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-arrow-functions@npm:7.23.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 1e99118176e5366c2636064d09477016ab5272b2a92e78b8edb571d20bc3eaa881789a905b20042942c3c2d04efc530726cf703f937226db5ebc495f5d067e66
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-async-generator-functions@npm:^7.23.4":
+  version: 7.23.4
+  resolution: "@babel/plugin-transform-async-generator-functions@npm:7.23.4"
+  dependencies:
+    "@babel/helper-environment-visitor": ^7.22.20
+    "@babel/helper-plugin-utils": ^7.22.5
+    "@babel/helper-remap-async-to-generator": ^7.22.20
+    "@babel/plugin-syntax-async-generators": ^7.8.4
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: e2fc132c9033711d55209f4781e1fc73f0f4da5e0ca80a2da73dec805166b73c92a6e83571a8994cd2c893a28302e24107e90856202b24781bab734f800102bb
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-async-to-generator@npm:^7.13.0":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-async-to-generator@npm:7.16.0"
+  dependencies:
+    "@babel/helper-module-imports": ^7.16.0
+    "@babel/helper-plugin-utils": ^7.14.5
+    "@babel/helper-remap-async-to-generator": ^7.16.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 2ebf505f43350d246007d754577477ddb0132c4ab39c9fd420d36ebb6e489b2b3eb48f27fe58f7ad0c742946a1e81e3b150666507abab03fe6bd649ff585ed45
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-async-to-generator@npm:^7.16.8":
+  version: 7.16.8
+  resolution: "@babel/plugin-transform-async-to-generator@npm:7.16.8"
+  dependencies:
+    "@babel/helper-module-imports": ^7.16.7
+    "@babel/helper-plugin-utils": ^7.16.7
+    "@babel/helper-remap-async-to-generator": ^7.16.8
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 3a2e781800e3dea1f526324ed259d1f9064c5ea3c9909c0c22b445d4c648ad489c579f358ae20ada11f7725ba67e0ddeb1e0241efadc734771e87dabd4c6820a
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-async-to-generator@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/plugin-transform-async-to-generator@npm:7.17.12"
+  dependencies:
+    "@babel/helper-module-imports": ^7.16.7
+    "@babel/helper-plugin-utils": ^7.17.12
+    "@babel/helper-remap-async-to-generator": ^7.16.8
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 052dd56eb3b10bc31f5aaced0f75fc7307713f74049ccfb91cd087bebfc890a6d462b59445c5299faaca9030814172cac290c941c76b731a38dcb267377c9187
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-async-to-generator@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-async-to-generator@npm:7.23.3"
+  dependencies:
+    "@babel/helper-module-imports": ^7.22.15
+    "@babel/helper-plugin-utils": ^7.22.5
+    "@babel/helper-remap-async-to-generator": ^7.22.20
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 2e9d9795d4b3b3d8090332104e37061c677f29a1ce65bcbda4099a32d243e5d9520270a44bbabf0fb1fb40d463bd937685b1a1042e646979086c546d55319c3c
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-block-scoped-functions@npm:^7.12.13":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-block-scoped-functions@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: f7efc5d8ce9242e11c94c82d9c940d4c534a751ff3679839d2f7d7a300c29ac4c4a3c26c238b5f2828201cac8a848bfb6342c285460f6ce5bc267cbdc1bb070b
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-block-scoped-functions@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-block-scoped-functions@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 591e9f75437bb32ebf9506d28d5c9659c66c0e8e0c19b12924d808d898e68309050aadb783ccd70bb4956555067326ecfa17a402bc77eb3ece3c6863d40b9016
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-block-scoped-functions@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-block-scoped-functions@npm:7.23.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: e63b16d94ee5f4d917e669da3db5ea53d1e7e79141a2ec873c1e644678cdafe98daa556d0d359963c827863d6b3665d23d4938a94a4c5053a1619c4ebd01d020
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-block-scoping@npm:^7.12.1":
+  version: 7.13.16
+  resolution: "@babel/plugin-transform-block-scoping@npm:7.13.16"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.13.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: f84f08c95654ca33962405c60f8109095405c3c6a8e126d09e3543675d1363a2ad4712bea1f6f878aee6a9f966dc627a8a5acd4ddf159c69a41b532ab610b324
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-block-scoping@npm:^7.13.16":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-block-scoping@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: e5bcb9eeed7974ee6dd14c360c21ad2465f81342001e5468bbec5db483fffc78bb0e7f84155be6c32588bc0b43a6ca0050c7962400b33d134f6298c31c8073d4
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-block-scoping@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-block-scoping@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: f93b5441af573fc274655f1707aeb4f67a43e926b58f56d89cc35a27877ae0bf198648603cbc19f442579489138f93c3838905895f109aa356996dbc3ed97a68
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-block-scoping@npm:^7.17.12":
+  version: 7.18.4
+  resolution: "@babel/plugin-transform-block-scoping@npm:7.18.4"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.17.12
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 5fdc8fd2f56f43e275353123fa1cda3df475daf1e9d92c03d5aa1ae50d3a0ccabf80c6168356947d8eb8e6e29098c875bc27fda8c7d4fbca6ffc6eec5d5faa8d
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-block-scoping@npm:^7.20.2, @babel/plugin-transform-block-scoping@npm:^7.20.5":
+  version: 7.22.5
+  resolution: "@babel/plugin-transform-block-scoping@npm:7.22.5"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 26987002cfe6e24544e60fa35f07052b6557f590c1a1cc5cf35d6dc341d7fea163c1222a2d70d5d2692f0b9860d942fd3ba979848b2995d4debffa387b9b19ae
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-block-scoping@npm:^7.23.4":
+  version: 7.23.4
+  resolution: "@babel/plugin-transform-block-scoping@npm:7.23.4"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: fc4b2100dd9f2c47d694b4b35ae8153214ccb4e24ef545c259a9db17211b18b6a430f22799b56db8f6844deaeaa201af45a03331d0c80cc28b0c4e3c814570e4
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-class-properties@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-class-properties@npm:7.23.3"
+  dependencies:
+    "@babel/helper-create-class-features-plugin": ^7.22.15
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 9c6f8366f667897541d360246de176dd29efc7a13d80a5b48361882f7173d9173be4646c3b7d9b003ccc0e01e25df122330308f33db921fa553aa17ad544b3fc
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-class-static-block@npm:^7.22.11, @babel/plugin-transform-class-static-block@npm:^7.23.4":
+  version: 7.23.4
+  resolution: "@babel/plugin-transform-class-static-block@npm:7.23.4"
+  dependencies:
+    "@babel/helper-create-class-features-plugin": ^7.22.15
+    "@babel/helper-plugin-utils": ^7.22.5
+    "@babel/plugin-syntax-class-static-block": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.12.0
+  checksum: c8bfaba19a674fc2eb54edad71e958647360474e3163e8226f1acd63e4e2dbec32a171a0af596c1dc5359aee402cc120fea7abd1fb0e0354b6527f0fc9e8aa1e
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-classes@npm:^7.13.0":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-classes@npm:7.16.0"
+  dependencies:
+    "@babel/helper-annotate-as-pure": ^7.16.0
+    "@babel/helper-function-name": ^7.16.0
+    "@babel/helper-optimise-call-expression": ^7.16.0
+    "@babel/helper-plugin-utils": ^7.14.5
+    "@babel/helper-replace-supers": ^7.16.0
+    "@babel/helper-split-export-declaration": ^7.16.0
+    globals: ^11.1.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 7db47296045761b3f35a9075b4bcce99ad5aa93714cca235961fa596983ba6cfd4d84b29fa6745e4752bd2a60ac299b0dee3231ce20061b6798ae16a147e4992
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-classes@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-classes@npm:7.16.7"
+  dependencies:
+    "@babel/helper-annotate-as-pure": ^7.16.7
+    "@babel/helper-environment-visitor": ^7.16.7
+    "@babel/helper-function-name": ^7.16.7
+    "@babel/helper-optimise-call-expression": ^7.16.7
+    "@babel/helper-plugin-utils": ^7.16.7
+    "@babel/helper-replace-supers": ^7.16.7
+    "@babel/helper-split-export-declaration": ^7.16.7
+    globals: ^11.1.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 791526a1bf3c4659b94d619536e3181d3ad54887d50539066628c6e695789a3bb264dc1fbc8540169d62a222f623df54defb490c1811ae63bad1e3557d6b3bb0
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-classes@npm:^7.17.12":
+  version: 7.18.4
+  resolution: "@babel/plugin-transform-classes@npm:7.18.4"
+  dependencies:
+    "@babel/helper-annotate-as-pure": ^7.16.7
+    "@babel/helper-environment-visitor": ^7.18.2
+    "@babel/helper-function-name": ^7.17.9
+    "@babel/helper-optimise-call-expression": ^7.16.7
+    "@babel/helper-plugin-utils": ^7.17.12
+    "@babel/helper-replace-supers": ^7.18.2
+    "@babel/helper-split-export-declaration": ^7.16.7
+    globals: ^11.1.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 968711024c2ed1c08ced754243edde3a663ab40c414ca6fcad1a75f27789f3f52cc78fbafe21c6337c4c6a0dfbeddd1527caff1558ed477790b600a1e6f99cda
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-classes@npm:^7.23.5":
+  version: 7.23.5
+  resolution: "@babel/plugin-transform-classes@npm:7.23.5"
+  dependencies:
+    "@babel/helper-annotate-as-pure": ^7.22.5
+    "@babel/helper-compilation-targets": ^7.22.15
+    "@babel/helper-environment-visitor": ^7.22.20
+    "@babel/helper-function-name": ^7.23.0
+    "@babel/helper-optimise-call-expression": ^7.22.5
+    "@babel/helper-plugin-utils": ^7.22.5
+    "@babel/helper-replace-supers": ^7.22.20
+    "@babel/helper-split-export-declaration": ^7.22.6
+    globals: ^11.1.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 6d0dd3b0828e84a139a51b368f33f315edee5688ef72c68ba25e0175c68ea7357f9c8810b3f61713e368a3063cdcec94f3a2db952e453b0b14ef428a34aa8169
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-computed-properties@npm:^7.13.0":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-computed-properties@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 0f86de419cf5daf28b01c5b2feafa426e5b0ec776290e731de3d7a6ec4ec742400e13436d67292e500ecd50e21ddab9ae34da79357a85a443d30dc94f2a4f6a3
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-computed-properties@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-computed-properties@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 28b17f7cfe643f45920b76dc040cab40d4e54eccf5074fba2658c484feacda9b4885b3854ffaf26292189783fdecc97211519c61831b6708fcbf739cfbcbf31c
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-computed-properties@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/plugin-transform-computed-properties@npm:7.17.12"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.17.12
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 5d05418617e0967bec4818556b7febb6f8c40813e32035f0bd6b7dbd7b9d63e9ab7c7c8fd7bd05bab2a599dad58e7b69957d9559b41079d112c219bbc3649aa1
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-computed-properties@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-computed-properties@npm:7.23.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+    "@babel/template": ^7.22.15
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 80452661dc25a0956f89fe98cb562e8637a9556fb6c00d312c57653ce7df8798f58d138603c7e1aad96614ee9ccd10c47e50ab9ded6b6eded5adeb230d2a982e
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-destructuring@npm:^7.13.17":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-destructuring@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 0a499c9abd6b50d4da6a3c8416e3cdf305f8002fddb3bd9ddd0774ba17ab1b10134f79fe8edc495c94344e5ab387626fb0ee124d31810758968a92d573ff9034
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-destructuring@npm:^7.16.7":
+  version: 7.17.7
+  resolution: "@babel/plugin-transform-destructuring@npm:7.17.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 767ecf6640fea9a06a4859f0c34daa30ac7d146a96476caa1f77081d5b6e43699f45e14acd52682078f2b7c230ff0814312b41f61b21ca2b5f9c5a2cc93c2b58
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-destructuring@npm:^7.18.0":
+  version: 7.18.0
+  resolution: "@babel/plugin-transform-destructuring@npm:7.18.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.17.12
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: d85d60737c3b05c4db71bc94270e952122d360bd6ebf91b5f98cf16fb8564558b615d115354fe0ef41e2aae9c4540e6e16144284d881ecaef687693736cd2a79
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-destructuring@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-destructuring@npm:7.23.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 9e015099877272501162419bfe781689aec5c462cd2aec752ee22288f209eec65969ff11b8fdadca2eaddea71d705d3bba5b9c60752fcc1be67874fcec687105
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-dotall-regex@npm:^7.12.13, @babel/plugin-transform-dotall-regex@npm:^7.4.4":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-dotall-regex@npm:7.16.0"
+  dependencies:
+    "@babel/helper-create-regexp-features-plugin": ^7.16.0
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: c1f381f0d44a1b33714a68ffd60f2b9efac1be95caf3c21192cc8233afde2fae1da268e26b3cb40764736f090793b66946574c3310cfdd4906a7e72310239ff9
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-dotall-regex@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-dotall-regex@npm:7.16.7"
+  dependencies:
+    "@babel/helper-create-regexp-features-plugin": ^7.16.7
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 554570dddfd5bfd87ab307be520f69a3d4ed2d2db677c165971b400d4c96656d0c165b318e69f1735612dcd12e04c0ee257697dc26800e8a572ca73bc05fa0f4
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-dotall-regex@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-dotall-regex@npm:7.23.3"
+  dependencies:
+    "@babel/helper-create-regexp-features-plugin": ^7.22.15
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: a2dbbf7f1ea16a97948c37df925cb364337668c41a3948b8d91453f140507bd8a3429030c7ce66d09c299987b27746c19a2dd18b6f17dcb474854b14fd9159a3
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-duplicate-keys@npm:^7.12.13":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-duplicate-keys@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 66f09487fdf737aa280c780a609bafc9a771b34b5f9a8dccf69752c22110893763f6c105062776f084ed872a55d1656b3f14e2a9c2031f3dbdf31da20d9c827b
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-duplicate-keys@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-duplicate-keys@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: b96f6e9f7b33a91ad0eb6b793e4da58b7a0108b58269109f391d57078d26e043b3872c95429b491894ae6400e72e44d9b744c9b112b8433c99e6969b767e30ed
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-duplicate-keys@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/plugin-transform-duplicate-keys@npm:7.17.12"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.17.12
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: fb6ad550538830b0dc5b1b547734359f2d782209570e9d61fe9b84a6929af570fcc38ab579a67ee7cd6a832147db91a527f4cceb1248974f006fe815980816bb
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-duplicate-keys@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-duplicate-keys@npm:7.23.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: c2a21c34dc0839590cd945192cbc46fde541a27e140c48fe1808315934664cdbf18db64889e23c4eeb6bad9d3e049482efdca91d29de5734ffc887c4fbabaa16
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-dynamic-import@npm:^7.23.4":
+  version: 7.23.4
+  resolution: "@babel/plugin-transform-dynamic-import@npm:7.23.4"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+    "@babel/plugin-syntax-dynamic-import": ^7.8.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 57a722604c430d9f3dacff22001a5f31250e34785d4969527a2ae9160fa86858d0892c5b9ff7a06a04076f8c76c9e6862e0541aadca9c057849961343aab0845
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-exponentiation-operator@npm:^7.12.13":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-exponentiation-operator@npm:7.16.0"
+  dependencies:
+    "@babel/helper-builder-binary-assignment-operator-visitor": ^7.16.0
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 22e1d4804a5fc522744a1cc13e2c35c5d81c2e303a634822fee59829477b3748dcf897a020c3083084350ab1d3b76752157b216971157763394021e2f2184094
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-exponentiation-operator@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-exponentiation-operator@npm:7.16.7"
+  dependencies:
+    "@babel/helper-builder-binary-assignment-operator-visitor": ^7.16.7
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 8082c79268f5b1552292bd3abbfed838a1131747e62000146e70670707b518602e907bbe3aef0fda824a2eebe995a9d897bd2336a039c5391743df01608673b0
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-exponentiation-operator@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-exponentiation-operator@npm:7.23.3"
+  dependencies:
+    "@babel/helper-builder-binary-assignment-operator-visitor": ^7.22.15
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 00d05ab14ad0f299160fcf9d8f55a1cc1b740e012ab0b5ce30207d2365f091665115557af7d989cd6260d075a252d9e4283de5f2b247dfbbe0e42ae586e6bf66
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-export-namespace-from@npm:^7.23.4":
+  version: 7.23.4
+  resolution: "@babel/plugin-transform-export-namespace-from@npm:7.23.4"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+    "@babel/plugin-syntax-export-namespace-from": ^7.8.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 9f770a81bfd03b48d6ba155d452946fd56d6ffe5b7d871e9ec2a0b15e0f424273b632f3ed61838b90015b25bbda988896b7a46c7d964fbf8f6feb5820b309f93
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-for-of@npm:^7.13.0":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-for-of@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 504d967b30b00d3e1a2784f6a215963fc0036871f8fd6ca61e41e67cdb3319511e9148164428144469416b35b0e02c896c144402ace7cd7a6c45b0d1e8746ae6
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-for-of@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-for-of@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 35c9264ee4bef814818123d70afe8b2f0a85753a0a9dc7b73f93a71cadc5d7de852f1a3e300a7c69a491705805704611de1e2ccceb5686f7828d6bca2e5a7306
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-for-of@npm:^7.18.1":
+  version: 7.18.1
+  resolution: "@babel/plugin-transform-for-of@npm:7.18.1"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.17.12
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: cdc6e1f1170218cc6ac5b26b4b8f011ec5c36666101e00e0061aaa5772969b093bad5b2af8ce908c184126d5bb0c26b89dd4debb96b2375aba2e20e427a623a8
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-for-of@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-for-of@npm:7.23.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: a6288122a5091d96c744b9eb23dc1b2d4cce25f109ac1e26a0ea03c4ea60330e6f3cc58530b33ba7369fa07163b71001399a145238b7e92bff6270ef3b9c32a0
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-function-name@npm:^7.12.13":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-function-name@npm:7.16.0"
+  dependencies:
+    "@babel/helper-function-name": ^7.16.0
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 289f4fce26e8b3a81fcae752cecdb78b363eb29e400aa4dc8318484156d908ddc6dd5b274b8fbcdb80ea59a362834554c4a5d3454e974957dbd2b30c3d00ad3f
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-function-name@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-function-name@npm:7.16.7"
+  dependencies:
+    "@babel/helper-compilation-targets": ^7.16.7
+    "@babel/helper-function-name": ^7.16.7
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 4d97d0b84461cdd5d5aa2d010cdaf30f1f83a92a0dedd3686cbc7e90dc1249a70246f5bac0c1f3cd3f1dbfb03f7aac437776525a0c90cafd459776ea4fcc6bde
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-function-name@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-function-name@npm:7.23.3"
+  dependencies:
+    "@babel/helper-compilation-targets": ^7.22.15
+    "@babel/helper-function-name": ^7.23.0
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 355c6dbe07c919575ad42b2f7e020f320866d72f8b79181a16f8e0cd424a2c761d979f03f47d583d9471b55dcd68a8a9d829b58e1eebcd572145b934b48975a6
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-json-strings@npm:^7.23.4":
+  version: 7.23.4
+  resolution: "@babel/plugin-transform-json-strings@npm:7.23.4"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+    "@babel/plugin-syntax-json-strings": ^7.8.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: f9019820233cf8955d8ba346df709a0683c120fe86a24ed1c9f003f2db51197b979efc88f010d558a12e1491210fc195a43cd1c7fee5e23b92da38f793a875de
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-literals@npm:^7.12.13":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-literals@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 7291771c7626a27684053ceefc4e2e3e480a6ceab9f3c8abbdd9c90fcea63f035ace397e53bfc4b7311b835f7c79449be03226affa69e2e2a96c14b6da4d5db9
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-literals@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-literals@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: a9565d999fc7a72a391ef843cf66028c38ca858537c7014d9ea8ea587a59e5f952d9754bdcca6ca0446e84653e297d417d4faedccb9e4221af1aa30f25d918e0
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-literals@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/plugin-transform-literals@npm:7.17.12"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.17.12
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 09280fc1ed23b81deafd4fcd7a35d6c0944668de2317f14c1b8b78c5c201f71a063bb8d174d2fc97d86df480ff23104c8919d3aacf19f33c2b5ada584203bf1c
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-literals@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-literals@npm:7.23.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 519a544cd58586b9001c4c9b18da25a62f17d23c48600ff7a685d75ca9eb18d2c5e8f5476f067f0a8f1fea2a31107eff950b9864833061e6076dcc4bdc3e71ed
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-logical-assignment-operators@npm:^7.23.4":
+  version: 7.23.4
+  resolution: "@babel/plugin-transform-logical-assignment-operators@npm:7.23.4"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+    "@babel/plugin-syntax-logical-assignment-operators": ^7.10.4
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 2ae1dc9b4ff3bf61a990ff3accdecb2afe3a0ca649b3e74c010078d1cdf29ea490f50ac0a905306a2bcf9ac177889a39ac79bdcc3a0fdf220b3b75fac18d39b5
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-member-expression-literals@npm:^7.12.13":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-member-expression-literals@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: d5ed6cf840b9fd8b88f719dea46dc26a1778f10aeab6878b3eabf2350cfa813bfeff09d91c6afc93dd3536a48bc892a0afcf9f99f3bad6b54b41638f3ae80fa9
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-member-expression-literals@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-member-expression-literals@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: fdf5b22abab2b770e69348ce7f99796c3e0e1e7ce266afdbe995924284704930fa989323bdbda7070db8adb45a72f39eaa1dbebf18b67fc44035ec00c6ae3300
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-member-expression-literals@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-member-expression-literals@npm:7.23.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 95cec13c36d447c5aa6b8e4c778b897eeba66dcb675edef01e0d2afcec9e8cb9726baf4f81b4bbae7a782595aed72e6a0d44ffb773272c3ca180fada99bf92db
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-modules-amd@npm:^7.13.0, @babel/plugin-transform-modules-amd@npm:^7.14.0":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-modules-amd@npm:7.16.0"
+  dependencies:
+    "@babel/helper-module-transforms": ^7.16.0
+    "@babel/helper-plugin-utils": ^7.14.5
+    babel-plugin-dynamic-import-node: ^2.3.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: c37ccb8cd7a301123fb5590712d957bf9f82bb0d89a83441b570a9f9793af76b99449c93f1079ad187fb598a5eeb5571561ff4d71af9192c7d6e407a464d6aff
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-modules-amd@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-modules-amd@npm:7.16.7"
+  dependencies:
+    "@babel/helper-module-transforms": ^7.16.7
+    "@babel/helper-plugin-utils": ^7.16.7
+    babel-plugin-dynamic-import-node: ^2.3.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 9ac251ee96183b10cf9b4ec8f9e8d52e14ec186a56103f6c07d0c69e99faa60391f6bac67da733412975e487bd36adb403e2fc99bae6b785bf1413e9d928bc71
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-modules-amd@npm:^7.18.0":
+  version: 7.18.0
+  resolution: "@babel/plugin-transform-modules-amd@npm:7.18.0"
+  dependencies:
+    "@babel/helper-module-transforms": ^7.18.0
+    "@babel/helper-plugin-utils": ^7.17.12
+    babel-plugin-dynamic-import-node: ^2.3.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: bed3ff5cd81f236981360fc4a6fd2262685c1202772c657ce3ab95b7930437f8fa22361021b481c977b6f47988dfcc07c7782a1c91b90d3a5552c91401f4631a
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-modules-amd@npm:^7.20.11":
+  version: 7.22.5
+  resolution: "@babel/plugin-transform-modules-amd@npm:7.22.5"
+  dependencies:
+    "@babel/helper-module-transforms": ^7.22.5
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 7da4c4ebbbcf7d182abb59b2046b22d86eee340caf8a22a39ef6a727da2d8acfec1f714fcdcd5054110b280e4934f735e80a6848d192b6834c5d4459a014f04d
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-modules-amd@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-modules-amd@npm:7.23.3"
+  dependencies:
+    "@babel/helper-module-transforms": ^7.23.3
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: d163737b6a3d67ea579c9aa3b83d4df4b5c34d9dcdf25f415f027c0aa8cded7bac2750d2de5464081f67a042ad9e1c03930c2fab42acd79f9e57c00cf969ddff
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-modules-commonjs@npm:^7.14.0":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-modules-commonjs@npm:7.16.0"
+  dependencies:
+    "@babel/helper-module-transforms": ^7.16.0
+    "@babel/helper-plugin-utils": ^7.14.5
+    "@babel/helper-simple-access": ^7.16.0
+    babel-plugin-dynamic-import-node: ^2.3.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: a7e43670f503b31d6ad42977ddefb7bffc23f700a24252859652aa03efd666698567b0817060dd6f84a6cd23e7aac7464bc0dc7f7f929cad212263abcac9d470
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-modules-commonjs@npm:^7.16.8":
+  version: 7.17.7
+  resolution: "@babel/plugin-transform-modules-commonjs@npm:7.17.7"
+  dependencies:
+    "@babel/helper-module-transforms": ^7.17.7
+    "@babel/helper-plugin-utils": ^7.16.7
+    "@babel/helper-simple-access": ^7.17.7
+    babel-plugin-dynamic-import-node: ^2.3.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: d84385d89465f8241cbeed8069dc54fb15ee0465119a3326c65ee93ce93019b7a9953b23e22a67203aa2ebf81ac444eadf6d37912d453ec7ba2dce9872bb6490
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-modules-commonjs@npm:^7.18.2":
+  version: 7.18.2
+  resolution: "@babel/plugin-transform-modules-commonjs@npm:7.18.2"
+  dependencies:
+    "@babel/helper-module-transforms": ^7.18.0
+    "@babel/helper-plugin-utils": ^7.17.12
+    "@babel/helper-simple-access": ^7.18.2
+    babel-plugin-dynamic-import-node: ^2.3.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 99c1c5ce9c353e29eb680ebb5bdf27c076c6403e133a066999298de642423cc7f38cfbac02372d33ed73278da13be23c4be7d60169c3e27bd900a373e61a599a
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-modules-commonjs@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-modules-commonjs@npm:7.23.3"
+  dependencies:
+    "@babel/helper-module-transforms": ^7.23.3
+    "@babel/helper-plugin-utils": ^7.22.5
+    "@babel/helper-simple-access": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 720a231ceade4ae4d2632478db4e7fecf21987d444942b72d523487ac8d715ca97de6c8f415c71e939595e1a4776403e7dc24ed68fe9125ad4acf57753c9bff7
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-modules-systemjs@npm:^7.13.8":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-modules-systemjs@npm:7.16.0"
+  dependencies:
+    "@babel/helper-hoist-variables": ^7.16.0
+    "@babel/helper-module-transforms": ^7.16.0
+    "@babel/helper-plugin-utils": ^7.14.5
+    "@babel/helper-validator-identifier": ^7.15.7
+    babel-plugin-dynamic-import-node: ^2.3.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 4aa9bd45a4c1f79a4abd92482b4f9ac6492b5e727ee34316c80a30b6524281d39959a2d556b231eae4b1031f35e0133e60270f9e4bfa5f25a8cb68ef145dfcd2
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-modules-systemjs@npm:^7.16.7":
+  version: 7.17.8
+  resolution: "@babel/plugin-transform-modules-systemjs@npm:7.17.8"
+  dependencies:
+    "@babel/helper-hoist-variables": ^7.16.7
+    "@babel/helper-module-transforms": ^7.17.7
+    "@babel/helper-plugin-utils": ^7.16.7
+    "@babel/helper-validator-identifier": ^7.16.7
+    babel-plugin-dynamic-import-node: ^2.3.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 058c0e7987aab64c4019bc9eab3f80c5dd05bec737e230e5c60e9222dfb3d01b2dfa3aa1db6cbb75a4095c40af3bba2e3a60170b1570a158d3e781376569ce49
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-modules-systemjs@npm:^7.18.0":
+  version: 7.18.4
+  resolution: "@babel/plugin-transform-modules-systemjs@npm:7.18.4"
+  dependencies:
+    "@babel/helper-hoist-variables": ^7.16.7
+    "@babel/helper-module-transforms": ^7.18.0
+    "@babel/helper-plugin-utils": ^7.17.12
+    "@babel/helper-validator-identifier": ^7.16.7
+    babel-plugin-dynamic-import-node: ^2.3.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: abe6948a1548b20055bf1c56ceab5b17dc283e7cdbcc0525b297b726f0785f1169333b5e685add81337fc749588adb8d96ccba9269565031db006a710e7eaf02
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-modules-systemjs@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-modules-systemjs@npm:7.23.3"
+  dependencies:
+    "@babel/helper-hoist-variables": ^7.22.5
+    "@babel/helper-module-transforms": ^7.23.3
+    "@babel/helper-plugin-utils": ^7.22.5
+    "@babel/helper-validator-identifier": ^7.22.20
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 0d2fdd993c785aecac9e0850cd5ed7f7d448f0fbb42992a950cc0590167144df25d82af5aac9a5c99ef913d2286782afa44e577af30c10901c5ee8984910fa1f
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-modules-umd@npm:^7.14.0":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-modules-umd@npm:7.16.0"
+  dependencies:
+    "@babel/helper-module-transforms": ^7.16.0
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: b07d41eae3a1163fdb2dca4bffb0de880981e6581163948a88b7665709e860612932f5a73e54d70057e834d3968e3b5f86222f1d302c9e1d34d95a764584af54
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-modules-umd@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-modules-umd@npm:7.16.7"
+  dependencies:
+    "@babel/helper-module-transforms": ^7.16.7
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: d1433f8b0e0b3c9f892aa530f08fe3ba653a5e51fe1ed6034ac7d45d4d6f22c3ba99186b72e41ad9ce5d8dcf964104c3da2419f15fcdcf5ba05c5fda3ea2cefc
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-modules-umd@npm:^7.18.0":
+  version: 7.18.0
+  resolution: "@babel/plugin-transform-modules-umd@npm:7.18.0"
+  dependencies:
+    "@babel/helper-module-transforms": ^7.18.0
+    "@babel/helper-plugin-utils": ^7.17.12
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 4081a79cfd4c6fda785c2137f9f2721e35c06a9d2f23c304172838d12e9317a24d3cb5b652a9db61e58319b370c57b1b44991429efe709679f98e114d98597fb
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-modules-umd@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-modules-umd@npm:7.23.3"
+  dependencies:
+    "@babel/helper-module-transforms": ^7.23.3
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 586a7a2241e8b4e753a37af9466a9ffa8a67b4ba9aa756ad7500712c05d8fa9a8c1ed4f7bd25fae2a8265e6cf8fe781ec85a8ee885dd34cf50d8955ee65f12dc
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-named-capturing-groups-regex@npm:^7.12.13":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-named-capturing-groups-regex@npm:7.16.0"
+  dependencies:
+    "@babel/helper-create-regexp-features-plugin": ^7.16.0
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: 758a87aca66ea7944c5f94ed7a798220c3b2986da4c38dc3f63221065ec96534bf39b3b043dd9759dbdff4026d340bbe51082d5ad4505c19b08893663130675b
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-named-capturing-groups-regex@npm:^7.16.8":
+  version: 7.16.8
+  resolution: "@babel/plugin-transform-named-capturing-groups-regex@npm:7.16.8"
+  dependencies:
+    "@babel/helper-create-regexp-features-plugin": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: 73e149f5ff690f5b8e3764a881e8e5240f12f394256e7d5217705d0cbeae074c3faff394783190fe1a41f9fc5a53b960b6021158b7e5174391b5fc38f4ba047a
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-named-capturing-groups-regex@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/plugin-transform-named-capturing-groups-regex@npm:7.17.12"
+  dependencies:
+    "@babel/helper-create-regexp-features-plugin": ^7.17.12
+    "@babel/helper-plugin-utils": ^7.17.12
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: cff9d91d0abd87871da6574583e79093ed75d5faecea45b6a13350ba243b1a595d349a6e7d906f5dfdf6c69c643cba9df662c3d01eaa187c5b1a01cb5838e848
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-named-capturing-groups-regex@npm:^7.22.5":
+  version: 7.22.5
+  resolution: "@babel/plugin-transform-named-capturing-groups-regex@npm:7.22.5"
+  dependencies:
+    "@babel/helper-create-regexp-features-plugin": ^7.22.5
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: 3ee564ddee620c035b928fdc942c5d17e9c4b98329b76f9cefac65c111135d925eb94ed324064cd7556d4f5123beec79abea1d4b97d1c8a2a5c748887a2eb623
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-new-target@npm:^7.12.13":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-new-target@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: c741ba3e84c182f1af3174cb7f00c4e434080ff882e72c7b2743d1d636eebcf12c865772be051a323c823bd4ebdfbae19cb78e95218d6b14c338f27a64608e31
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-new-target@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-new-target@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 7410c3e68abc835f87a98d40269e65fb1a05c131decbb6721a80ed49a01bd0c53abb6b8f7f52d5055815509022790e1accca32e975c02f2231ac3cf13d8af768
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-new-target@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/plugin-transform-new-target@npm:7.17.12"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.17.12
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: bec26350fa49c9a9431d23b4ff234f8eb60554b8cdffca432a94038406aae5701014f343568c0e0cc8afae6f95d492f6bae0d0e2c101c1a484fb20eec75b2c07
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-new-target@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-new-target@npm:7.23.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: e5053389316fce73ad5201b7777437164f333e24787fbcda4ae489cd2580dbbbdfb5694a7237bad91fabb46b591d771975d69beb1c740b82cb4761625379f00b
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-nullish-coalescing-operator@npm:^7.23.4":
+  version: 7.23.4
+  resolution: "@babel/plugin-transform-nullish-coalescing-operator@npm:7.23.4"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+    "@babel/plugin-syntax-nullish-coalescing-operator": ^7.8.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: a27d73ea134d3d9560a6b2e26ab60012fba15f1db95865aa0153c18f5ec82cfef6a7b3d8df74e3c2fca81534fa5efeb6cacaf7b08bdb7d123e3dafdd079886a3
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-numeric-separator@npm:^7.23.4":
+  version: 7.23.4
+  resolution: "@babel/plugin-transform-numeric-separator@npm:7.23.4"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+    "@babel/plugin-syntax-numeric-separator": ^7.10.4
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 6ba0e5db3c620a3ec81f9e94507c821f483c15f196868df13fa454cbac719a5449baf73840f5b6eb7d77311b24a2cf8e45db53700d41727f693d46f7caf3eec3
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-object-rest-spread@npm:^7.23.4":
+  version: 7.23.4
+  resolution: "@babel/plugin-transform-object-rest-spread@npm:7.23.4"
+  dependencies:
+    "@babel/compat-data": ^7.23.3
+    "@babel/helper-compilation-targets": ^7.22.15
+    "@babel/helper-plugin-utils": ^7.22.5
+    "@babel/plugin-syntax-object-rest-spread": ^7.8.3
+    "@babel/plugin-transform-parameters": ^7.23.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 73fec495e327ca3959c1c03d07a621be09df00036c69fff0455af9a008291677ee9d368eec48adacdc6feac703269a649747568b4af4c4e9f134aa71cc5b378d
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-object-super@npm:^7.12.13":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-object-super@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+    "@babel/helper-replace-supers": ^7.16.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: b6ed0a8f5a1231b4dadb5edb2cef8fba7957cbad943c0018002719d066fda93b805da961e42b38d625e43e7c79f5c07d5719d6d63f9cf178501882a4aa5d30da
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-object-super@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-object-super@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+    "@babel/helper-replace-supers": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 46e3c879f4a93e904f2ecf83233d40c48c832bdbd82a67cab1f432db9aa51702e40d9e51e5800613e12299974f90f4ed3869e1273dbca8642984266320c5f341
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-object-super@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-object-super@npm:7.23.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+    "@babel/helper-replace-supers": ^7.22.20
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: e495497186f621fa79026e183b4f1fbb172fd9df812cbd2d7f02c05b08adbe58012b1a6eb6dd58d11a30343f6ec80d0f4074f9b501d70aa1c94df76d59164c53
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-optional-catch-binding@npm:^7.23.4":
+  version: 7.23.4
+  resolution: "@babel/plugin-transform-optional-catch-binding@npm:7.23.4"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+    "@babel/plugin-syntax-optional-catch-binding": ^7.8.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: d50b5ee142cdb088d8b5de1ccf7cea85b18b85d85b52f86618f6e45226372f01ad4cdb29abd4fd35ea99a71fefb37009e0107db7a787dcc21d4d402f97470faf
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-optional-chaining@npm:^7.23.3, @babel/plugin-transform-optional-chaining@npm:^7.23.4":
+  version: 7.23.4
+  resolution: "@babel/plugin-transform-optional-chaining@npm:7.23.4"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+    "@babel/helper-skip-transparent-expression-wrappers": ^7.22.5
+    "@babel/plugin-syntax-optional-chaining": ^7.8.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: e7a4c08038288057b7a08d68c4d55396ada9278095509ca51ed8dfb72a7f13f26bdd7c5185de21079fe0a9d60d22c227cb32e300d266c1bda40f70eee9f4bc1e
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-parameters@npm:^7.13.0, @babel/plugin-transform-parameters@npm:^7.16.0":
+  version: 7.16.3
+  resolution: "@babel/plugin-transform-parameters@npm:7.16.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 7c0154fa66f03f69f6767adc01e72ef00d50cae8eb87c65506adccccc1cf776730ecbb96a5de0127910554cc0e86e375bc437fa085f619783d368936736a4f58
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-parameters@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-parameters@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 4d6904376db82d0b35f0a6cce08f630daf8608d94e903d6c7aff5bd742b251651bd1f88cdf9f16cad98aba5fc7c61da8635199364865fad6367d5ae37cf56cc1
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-parameters@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/plugin-transform-parameters@npm:7.17.12"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.17.12
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: d9ed5ec61dc460835bade8fa710b42ec9f207bd448ead7e8abd46b87db0afedbb3f51284700fd2a6892fdf6544ec9b949c505c6542c5ba0a41ca4e8749af00f0
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-parameters@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-parameters@npm:7.23.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: a735b3e85316d17ec102e3d3d1b6993b429bdb3b494651c9d754e3b7d270462ee1f1a126ccd5e3d871af5e683727e9ef98c9d34d4a42204fffaabff91052ed16
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-private-methods@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-private-methods@npm:7.23.3"
+  dependencies:
+    "@babel/helper-create-class-features-plugin": ^7.22.15
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: cedc1285c49b5a6d9a3d0e5e413b756ac40b3ac2f8f68bdfc3ae268bc8d27b00abd8bb0861c72756ff5dd8bf1eb77211b7feb5baf4fdae2ebbaabe49b9adc1d0
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-private-property-in-object@npm:^7.23.4":
+  version: 7.23.4
+  resolution: "@babel/plugin-transform-private-property-in-object@npm:7.23.4"
+  dependencies:
+    "@babel/helper-annotate-as-pure": ^7.22.5
+    "@babel/helper-create-class-features-plugin": ^7.22.15
+    "@babel/helper-plugin-utils": ^7.22.5
+    "@babel/plugin-syntax-private-property-in-object": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: fb7adfe94ea97542f250a70de32bddbc3e0b802381c92be947fec83ebffda57e68533c4d0697152719a3496fdd3ebf3798d451c024cd4ac848fc15ac26b70aa7
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-property-literals@npm:^7.12.13":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-property-literals@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: e9eb9355db4cf18dc82879174fc2de6590521afea04f1c80c5805d3f759bfa25946bcac1095b5fe0e4ad3f5eb330cd7e308467626a0212f07b9f41b9f00affa8
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-property-literals@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-property-literals@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: b5674458991a9b0e8738989d70faa88c7f98ed3df923c119f1225069eed72fe5e0ce947b1adc91e378f5822fbdeb7a672f496fd1c75c4babcc88169e3a7c3229
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-property-literals@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-property-literals@npm:7.23.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 16b048c8e87f25095f6d53634ab7912992f78e6997a6ff549edc3cf519db4fca01c7b4e0798530d7f6a05228ceee479251245cdd850a5531c6e6f404104d6cc9
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-regenerator@npm:^7.13.15":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-regenerator@npm:7.16.0"
+  dependencies:
+    regenerator-transform: ^0.14.2
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 32b1b43f8d55d9e78e87bbc6a19b0bb0ff968220e215e9a3984c0de140048c54c62cf46889bee16f987221eab112909318de391426df33cdbe3fd710480068f7
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-regenerator@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-regenerator@npm:7.16.7"
+  dependencies:
+    regenerator-transform: ^0.14.2
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 12b1f9a4f324027af69f49522fbe7feea2ac53285ca5c7e27a70de09f56c74938bfda8b09ac06e57fa1207e441f00efb7adbc462afc9be5e8abd0c2a07715e01
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-regenerator@npm:^7.18.0":
+  version: 7.18.0
+  resolution: "@babel/plugin-transform-regenerator@npm:7.18.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.17.12
+    regenerator-transform: ^0.15.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: ebacf2bbe9e2fb6f2bd7996e19b41bfc9848628950ae06a1a832802a0b8e32a32003c6b89318da6ca521f79045c91324dcb4c97247ed56f86fa58d7401a7316f
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-regenerator@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-regenerator@npm:7.23.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+    regenerator-transform: ^0.15.2
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 7fdacc7b40008883871b519c9e5cdea493f75495118ccc56ac104b874983569a24edd024f0f5894ba1875c54ee2b442f295d6241c3280e61c725d0dd3317c8e6
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-reserved-words@npm:^7.12.13":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-reserved-words@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 7a8288cfe2375e43579d3786d5f6654b36d8344b1be3df4fbafe81ae49bf634f85f68fe5a1a280f56aa7d626deaaa6ba89e586422b3d8b13f7d4b0e0617362d6
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-reserved-words@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-reserved-words@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 00218a646e99a97c1f10b77c41c178ca1b91d0e6cf18dd4ca3c59b8a5ad721db04ef508f49be4cd0dcca7742490dbb145307b706a2dbea1917d5e5f7ba2f31b7
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-reserved-words@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/plugin-transform-reserved-words@npm:7.17.12"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.17.12
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: d8a617cb79ca5852ac2736a9f81c15a3b0760919720c3b9069a864e2288006ebcaab557dbb36a3eba936defd6699f82e3bf894915925aa9185f5d9bcbf3b29fd
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-reserved-words@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-reserved-words@npm:7.23.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 298c4440ddc136784ff920127cea137168e068404e635dc946ddb5d7b2a27b66f1dd4c4acb01f7184478ff7d5c3e7177a127279479926519042948fb7fa0fa48
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-runtime@npm:^7.12.1":
+  version: 7.13.15
+  resolution: "@babel/plugin-transform-runtime@npm:7.13.15"
+  dependencies:
+    "@babel/helper-module-imports": ^7.13.12
+    "@babel/helper-plugin-utils": ^7.13.0
+    babel-plugin-polyfill-corejs2: ^0.2.0
+    babel-plugin-polyfill-corejs3: ^0.2.0
+    babel-plugin-polyfill-regenerator: ^0.2.0
+    semver: ^6.3.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: d52bda711815a82674e390b8ef4887dbf8116eb66eca3c23b3ae4b3ed37022a09b80aed86b44d2a3399b281d8ca341329293e12d6f4aea9991459434537131ba
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-runtime@npm:^7.13.9":
+  version: 7.16.4
+  resolution: "@babel/plugin-transform-runtime@npm:7.16.4"
+  dependencies:
+    "@babel/helper-module-imports": ^7.16.0
+    "@babel/helper-plugin-utils": ^7.14.5
+    babel-plugin-polyfill-corejs2: ^0.3.0
+    babel-plugin-polyfill-corejs3: ^0.4.0
+    babel-plugin-polyfill-regenerator: ^0.3.0
+    semver: ^6.3.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 3586fb1035a8233162c0dfb28f3466c3129b430bd351d7271894dc7dc29956cc2e6e348f5e21ae91f8b59ceddce02b32140e4bb629fdbbacad2ab04f6cec2ff5
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-shorthand-properties@npm:^7.12.13":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-shorthand-properties@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 7ae0f218aaccd2f7e8b0027c558fbbc291f7df7c83749826075776de780d1ac421f9056c760c5eb2e486b7b1983a41cd8dc00589504904b833c810fdb80b3868
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-shorthand-properties@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-shorthand-properties@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: ca381ecf8f48696512172deca40af46b1f64e3497186fdc2c9009286d8f06b468c4d61cdc392dc8b0c165298117dda67be9e2ff0e99d7691b0503f1240d4c62b
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-shorthand-properties@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-shorthand-properties@npm:7.23.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 5d677a03676f9fff969b0246c423d64d77502e90a832665dc872a5a5e05e5708161ce1effd56bb3c0f2c20a1112fca874be57c8a759d8b08152755519281f326
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-spread@npm:^7.13.0":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-spread@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+    "@babel/helper-skip-transparent-expression-wrappers": ^7.16.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: c295ef5e329fc31bd78e0aac3d6d848475a26e40cffff207dfd450416a25478bedb03402a0cc569bc5b7d3e92c22bff8a7cf76f1a9d896070e3cdeae1aee0316
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-spread@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-spread@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+    "@babel/helper-skip-transparent-expression-wrappers": ^7.16.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 6e961af1a70586bb72dd85e8296cee857c5dadd73225fccd0fe261c0d98652a82d69c65f3e9dc31ce019a12e9677262678479b96bd2d9140ddf6514618362828
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-spread@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/plugin-transform-spread@npm:7.17.12"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.17.12
+    "@babel/helper-skip-transparent-expression-wrappers": ^7.16.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 3a95e4f163d598c0efc9d983e5ce3e8716998dd2af62af8102b11cb8d6383c71b74c7106adbce73cda6e48d3d3e927627847d36d76c2eb688cd0e2e07f67fb51
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-spread@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-spread@npm:7.23.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+    "@babel/helper-skip-transparent-expression-wrappers": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 8fd5cac201e77a0b4825745f4e07a25f923842f282f006b3a79223c00f61075c8868d12eafec86b2642cd0b32077cdd32314e27bcb75ee5e6a68c0144140dcf2
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-sticky-regex@npm:^7.12.13":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-sticky-regex@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 80c7ccb797e4d31f112ace4614e8259ad0707eab3ed1c5a900ac0799dc23fded8bad57142ceb29222d6f0645f7b0d6a74fa133c945b8611d5db137b13ee68882
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-sticky-regex@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-sticky-regex@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: d59e20121ff0a483e29364eff8bb42cd8a0b7a3158141eea5b6f219227e5b873ea70f317f65037c0f557887a692ac993b72f99641a37ea6ec0ae8000bfab1343
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-sticky-regex@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-sticky-regex@npm:7.23.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 53e55eb2575b7abfdb4af7e503a2bf7ef5faf8bf6b92d2cd2de0700bdd19e934e5517b23e6dfed94ba50ae516b62f3f916773ef7d9bc81f01503f585051e2949
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-template-literals@npm:^7.13.0":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-template-literals@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 230638ee56bbe8c4237d2c3366d700eca1f66f93c37935f6d775f699c5d2593e3f176e81010cfb2d46f89e340c6c042649263c3b913ce269182fadfb4db01369
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-template-literals@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-template-literals@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: b55a519dd8b957247ebad3cab21918af5adca4f6e6c87819501cfe3d4d4bccda25bc296c7dfc8a30909b4ad905902aeb9d55ad955cb9f5cbc74b42dab32baa18
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-template-literals@npm:^7.18.2":
+  version: 7.18.2
+  resolution: "@babel/plugin-transform-template-literals@npm:7.18.2"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.17.12
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: bc0102ed8c789e5bc01053088e2de85b82cebcd4d57af9fdc32ca62f559d3dd19c33e9d26caa71c5fd8e94152e5ce4fc4da19badc2d537620e6dea83bce7eb05
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-template-literals@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-template-literals@npm:7.23.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: b16c5cb0b8796be0118e9c144d15bdc0d20a7f3f59009c6303a6e9a8b74c146eceb3f05186f5b97afcba7cfa87e34c1585a22186e3d5b22f2fd3d27d959d92b2
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-typeof-symbol@npm:^7.12.13":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-typeof-symbol@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 60e91d57b3e5a5ca02cebbf9f6dacd06e8a3b7c92c54fd60616f01ac1c79b3ec5fd2e8c5fa5c86ffcd9da6fa811e6de8dc7602cf1e05da17def0ea06f1e8548e
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-typeof-symbol@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-typeof-symbol@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 739a8c439dacbd9af62cfbfa0a7cbc3f220849e5fc774e5ef708a09186689a724c41a1d11323e7d36588d24f5481c8b702c86ff7be8da2e2fed69bed0175f625
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-typeof-symbol@npm:^7.17.12":
+  version: 7.17.12
+  resolution: "@babel/plugin-transform-typeof-symbol@npm:7.17.12"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.17.12
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: e30bd03c8abc1b095f8b2a10289df6850e3bc3cd0aea1cbc29050aa3b421cbb77d0428b0cd012333632a7a930dc8301cd888e762b2dd601e7dc5dac50f4140c9
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-typeof-symbol@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-typeof-symbol@npm:7.23.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 0af7184379d43afac7614fc89b1bdecce4e174d52f4efaeee8ec1a4f2c764356c6dba3525c0685231f1cbf435b6dd4ee9e738d7417f3b10ce8bbe869c32f4384
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-typescript@npm:^7.13.0":
+  version: 7.16.1
+  resolution: "@babel/plugin-transform-typescript@npm:7.16.1"
+  dependencies:
+    "@babel/helper-create-class-features-plugin": ^7.16.0
+    "@babel/helper-plugin-utils": ^7.14.5
+    "@babel/plugin-syntax-typescript": ^7.16.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 1b1efe62e8de828d52b996429718663705cbefb9a7382d2849725b6318051fcbe9671e9e8f761a94fddf46ea159810c97d1b6282c644f69c98ebf5d4d2687ef6
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-typescript@npm:^7.16.8":
+  version: 7.19.0
+  resolution: "@babel/plugin-transform-typescript@npm:7.19.0"
+  dependencies:
+    "@babel/helper-create-class-features-plugin": ^7.19.0
+    "@babel/helper-plugin-utils": ^7.19.0
+    "@babel/plugin-syntax-typescript": ^7.18.6
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: d5ed076c1cd7a41efe0da7d9afdcb6281db574b4307243b9f0f96ae255d9efdca47b4aeed5c306d1ad296e683498965c01ecaa147217559e01eceadc350ca4c2
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-typescript@npm:^7.20.13":
+  version: 7.23.5
+  resolution: "@babel/plugin-transform-typescript@npm:7.23.5"
+  dependencies:
+    "@babel/helper-annotate-as-pure": ^7.22.5
+    "@babel/helper-create-class-features-plugin": ^7.23.5
+    "@babel/helper-plugin-utils": ^7.22.5
+    "@babel/plugin-syntax-typescript": ^7.23.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: d77b5cc22cf48fe461de07e4f058dc9c0d8c4e3ca49de0e3a336a94ab39bfa4f4732598e36c479bec0dd1bf4aff9154bc2dcbfbe3145a751e4771ccae5afaaf8
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-typescript@npm:~7.4.0":
+  version: 7.4.5
+  resolution: "@babel/plugin-transform-typescript@npm:7.4.5"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.0.0
+    "@babel/plugin-syntax-typescript": ^7.2.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 2c3aadfba8db8726a1e0c5341578e65ab8a2d46c79844509ccc74bff1c8eaa4943e94f458e4f006a7d21a2ea93025ae3629bdeb9858c7b53967b9f7aee154543
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-typescript@npm:~7.5.0":
+  version: 7.5.5
+  resolution: "@babel/plugin-transform-typescript@npm:7.5.5"
+  dependencies:
+    "@babel/helper-create-class-features-plugin": ^7.5.5
+    "@babel/helper-plugin-utils": ^7.0.0
+    "@babel/plugin-syntax-typescript": ^7.2.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: a7a60f461e41db07dd04728c18b1ee9d5ba889f3666f8e209437b4007c2c02fe556ea03c70550077206ca3ac3f70f8da76d0f6a62eed1a9466249a5a1a316a81
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-typescript@npm:~7.8.0":
+  version: 7.8.7
+  resolution: "@babel/plugin-transform-typescript@npm:7.8.7"
+  dependencies:
+    "@babel/helper-create-class-features-plugin": ^7.8.3
+    "@babel/helper-plugin-utils": ^7.8.3
+    "@babel/plugin-syntax-typescript": ^7.8.3
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: a6a0a85e79acd154573fddaa589da053109f334413c2bcc2fcac03b77385c174070b0ddcbe4d3086676b4ad7a9e4fb3ea27a499635e9472e244ccbef43d1ea08
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-unicode-escapes@npm:^7.12.13":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-unicode-escapes@npm:7.16.0"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 63ac80d6b7592a7a038cde0b7b8fd7fc8f478de107543fb20c0ee47e00c5cd4c12be936501f55e2fd9370056603d9c4e4c57cdf335674837475865f80b4ae734
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-unicode-escapes@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-unicode-escapes@npm:7.16.7"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: d10c3b5baa697ca2d9ecce2fd7705014d7e1ddd86ed684ccec378f7ad4d609ab970b5546d6cdbe242089ecfc7a79009d248cf4f8ee87d629485acfb20c0d9160
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-unicode-escapes@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-unicode-escapes@npm:7.23.3"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 561c429183a54b9e4751519a3dfba6014431e9cdc1484fad03bdaf96582dfc72c76a4f8661df2aeeae7c34efd0fa4d02d3b83a2f63763ecf71ecc925f9cc1f60
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-unicode-property-regex@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-unicode-property-regex@npm:7.23.3"
+  dependencies:
+    "@babel/helper-create-regexp-features-plugin": ^7.22.15
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 2298461a194758086d17c23c26c7de37aa533af910f9ebf31ebd0893d4aa317468043d23f73edc782ec21151d3c46cf0ff8098a83b725c49a59de28a1d4d6225
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-unicode-regex@npm:^7.12.13":
+  version: 7.16.0
+  resolution: "@babel/plugin-transform-unicode-regex@npm:7.16.0"
+  dependencies:
+    "@babel/helper-create-regexp-features-plugin": ^7.16.0
+    "@babel/helper-plugin-utils": ^7.14.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 61e498425fb44951067e1d17cd66e97777a340118c06943cee9d1032a8bfec661f262738a9b2a00a498b0ad5ba56551ea81e76f0d6afe46c0301abc3a86bee22
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-unicode-regex@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/plugin-transform-unicode-regex@npm:7.16.7"
+  dependencies:
+    "@babel/helper-create-regexp-features-plugin": ^7.16.7
+    "@babel/helper-plugin-utils": ^7.16.7
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: ef7721cfb11b269809555b1c392732566c49f6ced58e0e990c0e81e58a934bbab3072dcbe92d3a20d60e3e41036ecf987bcc63a7cde90711a350ad774667e5e6
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-unicode-regex@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-unicode-regex@npm:7.23.3"
+  dependencies:
+    "@babel/helper-create-regexp-features-plugin": ^7.22.15
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: c5f835d17483ba899787f92e313dfa5b0055e3deab332f1d254078a2bba27ede47574b6599fcf34d3763f0c048ae0779dc21d2d8db09295edb4057478dc80a9a
+  languageName: node
+  linkType: hard
+
+"@babel/plugin-transform-unicode-sets-regex@npm:^7.23.3":
+  version: 7.23.3
+  resolution: "@babel/plugin-transform-unicode-sets-regex@npm:7.23.3"
+  dependencies:
+    "@babel/helper-create-regexp-features-plugin": ^7.22.15
+    "@babel/helper-plugin-utils": ^7.22.5
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: 79d0b4c951955ca68235c87b91ab2b393c96285f8aeaa34d6db416d2ddac90000c9bd6e8c4d82b60a2b484da69930507245035f28ba63c6cae341cf3ba68fdef
+  languageName: node
+  linkType: hard
+
+"@babel/polyfill@npm:^7.11.5":
+  version: 7.12.1
+  resolution: "@babel/polyfill@npm:7.12.1"
+  dependencies:
+    core-js: ^2.6.5
+    regenerator-runtime: ^0.13.4
+  checksum: 3f59a9d85a41b390b044a1be13e11ae6d8efbfcf4e07217964585c7cef337b828eecfc5e164083227189146d2b6efc1affae8f59c831438eb40b848ab6fe5f39
+  languageName: node
+  linkType: hard
+
+"@babel/preset-env@npm:^7.10.2":
+  version: 7.14.0
+  resolution: "@babel/preset-env@npm:7.14.0"
+  dependencies:
+    "@babel/compat-data": ^7.14.0
+    "@babel/helper-compilation-targets": ^7.13.16
+    "@babel/helper-plugin-utils": ^7.13.0
+    "@babel/helper-validator-option": ^7.12.17
+    "@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining": ^7.13.12
+    "@babel/plugin-proposal-async-generator-functions": ^7.13.15
+    "@babel/plugin-proposal-class-properties": ^7.13.0
+    "@babel/plugin-proposal-class-static-block": ^7.13.11
+    "@babel/plugin-proposal-dynamic-import": ^7.13.8
+    "@babel/plugin-proposal-export-namespace-from": ^7.12.13
+    "@babel/plugin-proposal-json-strings": ^7.13.8
+    "@babel/plugin-proposal-logical-assignment-operators": ^7.13.8
+    "@babel/plugin-proposal-nullish-coalescing-operator": ^7.13.8
+    "@babel/plugin-proposal-numeric-separator": ^7.12.13
+    "@babel/plugin-proposal-object-rest-spread": ^7.13.8
+    "@babel/plugin-proposal-optional-catch-binding": ^7.13.8
+    "@babel/plugin-proposal-optional-chaining": ^7.13.12
+    "@babel/plugin-proposal-private-methods": ^7.13.0
+    "@babel/plugin-proposal-private-property-in-object": ^7.14.0
+    "@babel/plugin-proposal-unicode-property-regex": ^7.12.13
+    "@babel/plugin-syntax-async-generators": ^7.8.4
+    "@babel/plugin-syntax-class-properties": ^7.12.13
+    "@babel/plugin-syntax-class-static-block": ^7.12.13
+    "@babel/plugin-syntax-dynamic-import": ^7.8.3
+    "@babel/plugin-syntax-export-namespace-from": ^7.8.3
+    "@babel/plugin-syntax-json-strings": ^7.8.3
+    "@babel/plugin-syntax-logical-assignment-operators": ^7.10.4
+    "@babel/plugin-syntax-nullish-coalescing-operator": ^7.8.3
+    "@babel/plugin-syntax-numeric-separator": ^7.10.4
+    "@babel/plugin-syntax-object-rest-spread": ^7.8.3
+    "@babel/plugin-syntax-optional-catch-binding": ^7.8.3
+    "@babel/plugin-syntax-optional-chaining": ^7.8.3
+    "@babel/plugin-syntax-private-property-in-object": ^7.14.0
+    "@babel/plugin-syntax-top-level-await": ^7.12.13
+    "@babel/plugin-transform-arrow-functions": ^7.13.0
+    "@babel/plugin-transform-async-to-generator": ^7.13.0
+    "@babel/plugin-transform-block-scoped-functions": ^7.12.13
+    "@babel/plugin-transform-block-scoping": ^7.13.16
+    "@babel/plugin-transform-classes": ^7.13.0
+    "@babel/plugin-transform-computed-properties": ^7.13.0
+    "@babel/plugin-transform-destructuring": ^7.13.17
+    "@babel/plugin-transform-dotall-regex": ^7.12.13
+    "@babel/plugin-transform-duplicate-keys": ^7.12.13
+    "@babel/plugin-transform-exponentiation-operator": ^7.12.13
+    "@babel/plugin-transform-for-of": ^7.13.0
+    "@babel/plugin-transform-function-name": ^7.12.13
+    "@babel/plugin-transform-literals": ^7.12.13
+    "@babel/plugin-transform-member-expression-literals": ^7.12.13
+    "@babel/plugin-transform-modules-amd": ^7.14.0
+    "@babel/plugin-transform-modules-commonjs": ^7.14.0
+    "@babel/plugin-transform-modules-systemjs": ^7.13.8
+    "@babel/plugin-transform-modules-umd": ^7.14.0
+    "@babel/plugin-transform-named-capturing-groups-regex": ^7.12.13
+    "@babel/plugin-transform-new-target": ^7.12.13
+    "@babel/plugin-transform-object-super": ^7.12.13
+    "@babel/plugin-transform-parameters": ^7.13.0
+    "@babel/plugin-transform-property-literals": ^7.12.13
+    "@babel/plugin-transform-regenerator": ^7.13.15
+    "@babel/plugin-transform-reserved-words": ^7.12.13
+    "@babel/plugin-transform-shorthand-properties": ^7.12.13
+    "@babel/plugin-transform-spread": ^7.13.0
+    "@babel/plugin-transform-sticky-regex": ^7.12.13
+    "@babel/plugin-transform-template-literals": ^7.13.0
+    "@babel/plugin-transform-typeof-symbol": ^7.12.13
+    "@babel/plugin-transform-unicode-escapes": ^7.12.13
+    "@babel/plugin-transform-unicode-regex": ^7.12.13
+    "@babel/preset-modules": ^0.1.4
+    "@babel/types": ^7.14.0
+    babel-plugin-polyfill-corejs2: ^0.2.0
+    babel-plugin-polyfill-corejs3: ^0.2.0
+    babel-plugin-polyfill-regenerator: ^0.2.0
+    core-js-compat: ^3.9.0
+    semver: ^6.3.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: e62fa4196bed7f8fb2248b3a5309314c5411214c61e4e28a2dc00cd91fc2c83c8e5110e928e7ee55d4a5833476fe50ac4fc65b63d6e47e6bde3ca26b39b2ddbd
+  languageName: node
+  linkType: hard
+
+"@babel/preset-env@npm:^7.16.5":
+  version: 7.16.11
+  resolution: "@babel/preset-env@npm:7.16.11"
+  dependencies:
+    "@babel/compat-data": ^7.16.8
+    "@babel/helper-compilation-targets": ^7.16.7
+    "@babel/helper-plugin-utils": ^7.16.7
+    "@babel/helper-validator-option": ^7.16.7
+    "@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression": ^7.16.7
+    "@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining": ^7.16.7
+    "@babel/plugin-proposal-async-generator-functions": ^7.16.8
+    "@babel/plugin-proposal-class-properties": ^7.16.7
+    "@babel/plugin-proposal-class-static-block": ^7.16.7
+    "@babel/plugin-proposal-dynamic-import": ^7.16.7
+    "@babel/plugin-proposal-export-namespace-from": ^7.16.7
+    "@babel/plugin-proposal-json-strings": ^7.16.7
+    "@babel/plugin-proposal-logical-assignment-operators": ^7.16.7
+    "@babel/plugin-proposal-nullish-coalescing-operator": ^7.16.7
+    "@babel/plugin-proposal-numeric-separator": ^7.16.7
+    "@babel/plugin-proposal-object-rest-spread": ^7.16.7
+    "@babel/plugin-proposal-optional-catch-binding": ^7.16.7
+    "@babel/plugin-proposal-optional-chaining": ^7.16.7
+    "@babel/plugin-proposal-private-methods": ^7.16.11
+    "@babel/plugin-proposal-private-property-in-object": ^7.16.7
+    "@babel/plugin-proposal-unicode-property-regex": ^7.16.7
+    "@babel/plugin-syntax-async-generators": ^7.8.4
+    "@babel/plugin-syntax-class-properties": ^7.12.13
+    "@babel/plugin-syntax-class-static-block": ^7.14.5
+    "@babel/plugin-syntax-dynamic-import": ^7.8.3
+    "@babel/plugin-syntax-export-namespace-from": ^7.8.3
+    "@babel/plugin-syntax-json-strings": ^7.8.3
+    "@babel/plugin-syntax-logical-assignment-operators": ^7.10.4
+    "@babel/plugin-syntax-nullish-coalescing-operator": ^7.8.3
+    "@babel/plugin-syntax-numeric-separator": ^7.10.4
+    "@babel/plugin-syntax-object-rest-spread": ^7.8.3
+    "@babel/plugin-syntax-optional-catch-binding": ^7.8.3
+    "@babel/plugin-syntax-optional-chaining": ^7.8.3
+    "@babel/plugin-syntax-private-property-in-object": ^7.14.5
+    "@babel/plugin-syntax-top-level-await": ^7.14.5
+    "@babel/plugin-transform-arrow-functions": ^7.16.7
+    "@babel/plugin-transform-async-to-generator": ^7.16.8
+    "@babel/plugin-transform-block-scoped-functions": ^7.16.7
+    "@babel/plugin-transform-block-scoping": ^7.16.7
+    "@babel/plugin-transform-classes": ^7.16.7
+    "@babel/plugin-transform-computed-properties": ^7.16.7
+    "@babel/plugin-transform-destructuring": ^7.16.7
+    "@babel/plugin-transform-dotall-regex": ^7.16.7
+    "@babel/plugin-transform-duplicate-keys": ^7.16.7
+    "@babel/plugin-transform-exponentiation-operator": ^7.16.7
+    "@babel/plugin-transform-for-of": ^7.16.7
+    "@babel/plugin-transform-function-name": ^7.16.7
+    "@babel/plugin-transform-literals": ^7.16.7
+    "@babel/plugin-transform-member-expression-literals": ^7.16.7
+    "@babel/plugin-transform-modules-amd": ^7.16.7
+    "@babel/plugin-transform-modules-commonjs": ^7.16.8
+    "@babel/plugin-transform-modules-systemjs": ^7.16.7
+    "@babel/plugin-transform-modules-umd": ^7.16.7
+    "@babel/plugin-transform-named-capturing-groups-regex": ^7.16.8
+    "@babel/plugin-transform-new-target": ^7.16.7
+    "@babel/plugin-transform-object-super": ^7.16.7
+    "@babel/plugin-transform-parameters": ^7.16.7
+    "@babel/plugin-transform-property-literals": ^7.16.7
+    "@babel/plugin-transform-regenerator": ^7.16.7
+    "@babel/plugin-transform-reserved-words": ^7.16.7
+    "@babel/plugin-transform-shorthand-properties": ^7.16.7
+    "@babel/plugin-transform-spread": ^7.16.7
+    "@babel/plugin-transform-sticky-regex": ^7.16.7
+    "@babel/plugin-transform-template-literals": ^7.16.7
+    "@babel/plugin-transform-typeof-symbol": ^7.16.7
+    "@babel/plugin-transform-unicode-escapes": ^7.16.7
+    "@babel/plugin-transform-unicode-regex": ^7.16.7
+    "@babel/preset-modules": ^0.1.5
+    "@babel/types": ^7.16.8
+    babel-plugin-polyfill-corejs2: ^0.3.0
+    babel-plugin-polyfill-corejs3: ^0.5.0
+    babel-plugin-polyfill-regenerator: ^0.3.0
+    core-js-compat: ^3.20.2
+    semver: ^6.3.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: c8029c272073df787309d983ae458dd094b57f87152b8ccad95c7c8b1e82b042c1077e169538aae5f98b7659de0632d10708d9c85acf21a5e9406d7dd3656d8c
+  languageName: node
+  linkType: hard
+
+"@babel/preset-env@npm:^7.16.7":
+  version: 7.18.2
+  resolution: "@babel/preset-env@npm:7.18.2"
+  dependencies:
+    "@babel/compat-data": ^7.17.10
+    "@babel/helper-compilation-targets": ^7.18.2
+    "@babel/helper-plugin-utils": ^7.17.12
+    "@babel/helper-validator-option": ^7.16.7
+    "@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression": ^7.17.12
+    "@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining": ^7.17.12
+    "@babel/plugin-proposal-async-generator-functions": ^7.17.12
+    "@babel/plugin-proposal-class-properties": ^7.17.12
+    "@babel/plugin-proposal-class-static-block": ^7.18.0
+    "@babel/plugin-proposal-dynamic-import": ^7.16.7
+    "@babel/plugin-proposal-export-namespace-from": ^7.17.12
+    "@babel/plugin-proposal-json-strings": ^7.17.12
+    "@babel/plugin-proposal-logical-assignment-operators": ^7.17.12
+    "@babel/plugin-proposal-nullish-coalescing-operator": ^7.17.12
+    "@babel/plugin-proposal-numeric-separator": ^7.16.7
+    "@babel/plugin-proposal-object-rest-spread": ^7.18.0
+    "@babel/plugin-proposal-optional-catch-binding": ^7.16.7
+    "@babel/plugin-proposal-optional-chaining": ^7.17.12
+    "@babel/plugin-proposal-private-methods": ^7.17.12
+    "@babel/plugin-proposal-private-property-in-object": ^7.17.12
+    "@babel/plugin-proposal-unicode-property-regex": ^7.17.12
+    "@babel/plugin-syntax-async-generators": ^7.8.4
+    "@babel/plugin-syntax-class-properties": ^7.12.13
+    "@babel/plugin-syntax-class-static-block": ^7.14.5
+    "@babel/plugin-syntax-dynamic-import": ^7.8.3
+    "@babel/plugin-syntax-export-namespace-from": ^7.8.3
+    "@babel/plugin-syntax-import-assertions": ^7.17.12
+    "@babel/plugin-syntax-json-strings": ^7.8.3
+    "@babel/plugin-syntax-logical-assignment-operators": ^7.10.4
+    "@babel/plugin-syntax-nullish-coalescing-operator": ^7.8.3
+    "@babel/plugin-syntax-numeric-separator": ^7.10.4
+    "@babel/plugin-syntax-object-rest-spread": ^7.8.3
+    "@babel/plugin-syntax-optional-catch-binding": ^7.8.3
+    "@babel/plugin-syntax-optional-chaining": ^7.8.3
+    "@babel/plugin-syntax-private-property-in-object": ^7.14.5
+    "@babel/plugin-syntax-top-level-await": ^7.14.5
+    "@babel/plugin-transform-arrow-functions": ^7.17.12
+    "@babel/plugin-transform-async-to-generator": ^7.17.12
+    "@babel/plugin-transform-block-scoped-functions": ^7.16.7
+    "@babel/plugin-transform-block-scoping": ^7.17.12
+    "@babel/plugin-transform-classes": ^7.17.12
+    "@babel/plugin-transform-computed-properties": ^7.17.12
+    "@babel/plugin-transform-destructuring": ^7.18.0
+    "@babel/plugin-transform-dotall-regex": ^7.16.7
+    "@babel/plugin-transform-duplicate-keys": ^7.17.12
+    "@babel/plugin-transform-exponentiation-operator": ^7.16.7
+    "@babel/plugin-transform-for-of": ^7.18.1
+    "@babel/plugin-transform-function-name": ^7.16.7
+    "@babel/plugin-transform-literals": ^7.17.12
+    "@babel/plugin-transform-member-expression-literals": ^7.16.7
+    "@babel/plugin-transform-modules-amd": ^7.18.0
+    "@babel/plugin-transform-modules-commonjs": ^7.18.2
+    "@babel/plugin-transform-modules-systemjs": ^7.18.0
+    "@babel/plugin-transform-modules-umd": ^7.18.0
+    "@babel/plugin-transform-named-capturing-groups-regex": ^7.17.12
+    "@babel/plugin-transform-new-target": ^7.17.12
+    "@babel/plugin-transform-object-super": ^7.16.7
+    "@babel/plugin-transform-parameters": ^7.17.12
+    "@babel/plugin-transform-property-literals": ^7.16.7
+    "@babel/plugin-transform-regenerator": ^7.18.0
+    "@babel/plugin-transform-reserved-words": ^7.17.12
+    "@babel/plugin-transform-shorthand-properties": ^7.16.7
+    "@babel/plugin-transform-spread": ^7.17.12
+    "@babel/plugin-transform-sticky-regex": ^7.16.7
+    "@babel/plugin-transform-template-literals": ^7.18.2
+    "@babel/plugin-transform-typeof-symbol": ^7.17.12
+    "@babel/plugin-transform-unicode-escapes": ^7.16.7
+    "@babel/plugin-transform-unicode-regex": ^7.16.7
+    "@babel/preset-modules": ^0.1.5
+    "@babel/types": ^7.18.2
+    babel-plugin-polyfill-corejs2: ^0.3.0
+    babel-plugin-polyfill-corejs3: ^0.5.0
+    babel-plugin-polyfill-regenerator: ^0.3.0
+    core-js-compat: ^3.22.1
+    semver: ^6.3.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: f81892a7970cb34643b93917cbbc9b581d5066d892639867521f4a85ec258e69362a37bbb7b899b351e71d26095a97cd2d6e35e5f9ee110715146e0ccc19e700
+  languageName: node
+  linkType: hard
+
+"@babel/preset-env@npm:^7.20.2":
+  version: 7.23.5
+  resolution: "@babel/preset-env@npm:7.23.5"
+  dependencies:
+    "@babel/compat-data": ^7.23.5
+    "@babel/helper-compilation-targets": ^7.22.15
+    "@babel/helper-plugin-utils": ^7.22.5
+    "@babel/helper-validator-option": ^7.23.5
+    "@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression": ^7.23.3
+    "@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining": ^7.23.3
+    "@babel/plugin-bugfix-v8-static-class-fields-redefine-readonly": ^7.23.3
+    "@babel/plugin-proposal-private-property-in-object": 7.21.0-placeholder-for-preset-env.2
+    "@babel/plugin-syntax-async-generators": ^7.8.4
+    "@babel/plugin-syntax-class-properties": ^7.12.13
+    "@babel/plugin-syntax-class-static-block": ^7.14.5
+    "@babel/plugin-syntax-dynamic-import": ^7.8.3
+    "@babel/plugin-syntax-export-namespace-from": ^7.8.3
+    "@babel/plugin-syntax-import-assertions": ^7.23.3
+    "@babel/plugin-syntax-import-attributes": ^7.23.3
+    "@babel/plugin-syntax-import-meta": ^7.10.4
+    "@babel/plugin-syntax-json-strings": ^7.8.3
+    "@babel/plugin-syntax-logical-assignment-operators": ^7.10.4
+    "@babel/plugin-syntax-nullish-coalescing-operator": ^7.8.3
+    "@babel/plugin-syntax-numeric-separator": ^7.10.4
+    "@babel/plugin-syntax-object-rest-spread": ^7.8.3
+    "@babel/plugin-syntax-optional-catch-binding": ^7.8.3
+    "@babel/plugin-syntax-optional-chaining": ^7.8.3
+    "@babel/plugin-syntax-private-property-in-object": ^7.14.5
+    "@babel/plugin-syntax-top-level-await": ^7.14.5
+    "@babel/plugin-syntax-unicode-sets-regex": ^7.18.6
+    "@babel/plugin-transform-arrow-functions": ^7.23.3
+    "@babel/plugin-transform-async-generator-functions": ^7.23.4
+    "@babel/plugin-transform-async-to-generator": ^7.23.3
+    "@babel/plugin-transform-block-scoped-functions": ^7.23.3
+    "@babel/plugin-transform-block-scoping": ^7.23.4
+    "@babel/plugin-transform-class-properties": ^7.23.3
+    "@babel/plugin-transform-class-static-block": ^7.23.4
+    "@babel/plugin-transform-classes": ^7.23.5
+    "@babel/plugin-transform-computed-properties": ^7.23.3
+    "@babel/plugin-transform-destructuring": ^7.23.3
+    "@babel/plugin-transform-dotall-regex": ^7.23.3
+    "@babel/plugin-transform-duplicate-keys": ^7.23.3
+    "@babel/plugin-transform-dynamic-import": ^7.23.4
+    "@babel/plugin-transform-exponentiation-operator": ^7.23.3
+    "@babel/plugin-transform-export-namespace-from": ^7.23.4
+    "@babel/plugin-transform-for-of": ^7.23.3
+    "@babel/plugin-transform-function-name": ^7.23.3
+    "@babel/plugin-transform-json-strings": ^7.23.4
+    "@babel/plugin-transform-literals": ^7.23.3
+    "@babel/plugin-transform-logical-assignment-operators": ^7.23.4
+    "@babel/plugin-transform-member-expression-literals": ^7.23.3
+    "@babel/plugin-transform-modules-amd": ^7.23.3
+    "@babel/plugin-transform-modules-commonjs": ^7.23.3
+    "@babel/plugin-transform-modules-systemjs": ^7.23.3
+    "@babel/plugin-transform-modules-umd": ^7.23.3
+    "@babel/plugin-transform-named-capturing-groups-regex": ^7.22.5
+    "@babel/plugin-transform-new-target": ^7.23.3
+    "@babel/plugin-transform-nullish-coalescing-operator": ^7.23.4
+    "@babel/plugin-transform-numeric-separator": ^7.23.4
+    "@babel/plugin-transform-object-rest-spread": ^7.23.4
+    "@babel/plugin-transform-object-super": ^7.23.3
+    "@babel/plugin-transform-optional-catch-binding": ^7.23.4
+    "@babel/plugin-transform-optional-chaining": ^7.23.4
+    "@babel/plugin-transform-parameters": ^7.23.3
+    "@babel/plugin-transform-private-methods": ^7.23.3
+    "@babel/plugin-transform-private-property-in-object": ^7.23.4
+    "@babel/plugin-transform-property-literals": ^7.23.3
+    "@babel/plugin-transform-regenerator": ^7.23.3
+    "@babel/plugin-transform-reserved-words": ^7.23.3
+    "@babel/plugin-transform-shorthand-properties": ^7.23.3
+    "@babel/plugin-transform-spread": ^7.23.3
+    "@babel/plugin-transform-sticky-regex": ^7.23.3
+    "@babel/plugin-transform-template-literals": ^7.23.3
+    "@babel/plugin-transform-typeof-symbol": ^7.23.3
+    "@babel/plugin-transform-unicode-escapes": ^7.23.3
+    "@babel/plugin-transform-unicode-property-regex": ^7.23.3
+    "@babel/plugin-transform-unicode-regex": ^7.23.3
+    "@babel/plugin-transform-unicode-sets-regex": ^7.23.3
+    "@babel/preset-modules": 0.1.6-no-external-plugins
+    babel-plugin-polyfill-corejs2: ^0.4.6
+    babel-plugin-polyfill-corejs3: ^0.8.5
+    babel-plugin-polyfill-regenerator: ^0.5.3
+    core-js-compat: ^3.31.0
+    semver: ^6.3.1
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: adddd58d14fc1b2e5f8cf90995f522879362a0543e316afe9e5783f1bd715bb1e92300cd49d7ce3a95c64a96d60788d0089651e2cf4cac937f5469aac1087bb1
+  languageName: node
+  linkType: hard
+
+"@babel/preset-modules@npm:0.1.6-no-external-plugins":
+  version: 0.1.6-no-external-plugins
+  resolution: "@babel/preset-modules@npm:0.1.6-no-external-plugins"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.0.0
+    "@babel/types": ^7.4.4
+    esutils: ^2.0.2
+  peerDependencies:
+    "@babel/core": ^7.0.0-0 || ^8.0.0-0 <8.0.0
+  checksum: 4855e799bc50f2449fb5210f78ea9e8fd46cf4f242243f1e2ed838e2bd702e25e73e822e7f8447722a5f4baa5e67a8f7a0e403f3e7ce04540ff743a9c411c375
+  languageName: node
+  linkType: hard
+
+"@babel/preset-modules@npm:^0.1.4, @babel/preset-modules@npm:^0.1.5":
+  version: 0.1.5
+  resolution: "@babel/preset-modules@npm:0.1.5"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.0.0
+    "@babel/plugin-proposal-unicode-property-regex": ^7.4.4
+    "@babel/plugin-transform-dotall-regex": ^7.4.4
+    "@babel/types": ^7.4.4
+    esutils: ^2.0.2
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 8430e0e9e9d520b53e22e8c4c6a5a080a12b63af6eabe559c2310b187bd62ae113f3da82ba33e9d1d0f3230930ca702843aae9dd226dec51f7d7114dc1f51c10
+  languageName: node
+  linkType: hard
+
+"@babel/regjsgen@npm:^0.8.0":
+  version: 0.8.0
+  resolution: "@babel/regjsgen@npm:0.8.0"
+  checksum: 89c338fee774770e5a487382170711014d49a68eb281e74f2b5eac88f38300a4ad545516a7786a8dd5702e9cf009c94c2f582d200f077ac5decd74c56b973730
+  languageName: node
+  linkType: hard
+
+"@babel/runtime@npm:7.12.18":
+  version: 7.12.18
+  resolution: "@babel/runtime@npm:7.12.18"
+  dependencies:
+    regenerator-runtime: ^0.13.4
+  checksum: 0ba38dc8d478584b0b5fb15fc2b7855f9f20561917bd434a66429d55d1165199d6161bc5fb087b87254712827f63561ff5196df66701e5647d67c7d0f557569a
+  languageName: node
+  linkType: hard
+
+"@babel/runtime@npm:^7.12.5":
+  version: 7.14.0
+  resolution: "@babel/runtime@npm:7.14.0"
+  dependencies:
+    regenerator-runtime: ^0.13.4
+  checksum: 257dc2594355dd8798455f25b6f2f9a00f162b427391265752933e0e3337b3b14661d09283187d5039ae3764f723890ffe767e995c73d662f1d515bdf48e5ade
+  languageName: node
+  linkType: hard
+
+"@babel/runtime@npm:^7.14.0":
+  version: 7.19.0
+  resolution: "@babel/runtime@npm:7.19.0"
+  dependencies:
+    regenerator-runtime: ^0.13.4
+  checksum: fa69c351bb05e1db3ceb9a02fdcf620c234180af68cdda02152d3561015f6d55277265d3109815992f96d910f3db709458cae4f8df1c3def66f32e0867d82294
+  languageName: node
+  linkType: hard
+
+"@babel/runtime@npm:^7.17.8":
+  version: 7.23.1
+  resolution: "@babel/runtime@npm:7.23.1"
+  dependencies:
+    regenerator-runtime: ^0.14.0
+  checksum: 0cd0d43e6e7dc7f9152fda8c8312b08321cda2f56ef53d6c22ebdd773abdc6f5d0a69008de90aa41908d00e2c1facb24715ff121274e689305c858355ff02c70
+  languageName: node
+  linkType: hard
+
+"@babel/runtime@npm:^7.20.1":
+  version: 7.22.6
+  resolution: "@babel/runtime@npm:7.22.6"
+  dependencies:
+    regenerator-runtime: ^0.13.11
+  checksum: e585338287c4514a713babf4fdb8fc2a67adcebab3e7723a739fc62c79cfda875b314c90fd25f827afb150d781af97bc16c85bfdbfa2889f06053879a1ddb597
+  languageName: node
+  linkType: hard
+
+"@babel/runtime@npm:^7.21.0":
+  version: 7.21.5
+  resolution: "@babel/runtime@npm:7.21.5"
+  dependencies:
+    regenerator-runtime: ^0.13.11
+  checksum: 358f2779d3187f5c67ad302e8f8d435412925d0b991d133c7d4a7b1ddd5a3fda1b6f34537cb64628dfd96a27ae46df105bed3895b8d754b88cacdded8d1129dd
+  languageName: node
+  linkType: hard
+
+"@babel/runtime@npm:^7.8.4":
+  version: 7.16.3
+  resolution: "@babel/runtime@npm:7.16.3"
+  dependencies:
+    regenerator-runtime: ^0.13.4
+  checksum: ab8ac887096d76185ddbf291d28fb976cd32473696dc497ad4905b784acbd5aa462533ad83a5c5104e10ead28c2e0e119840ee28ed8eff90dcdde9d57f916eda
+  languageName: node
+  linkType: hard
+
+"@babel/template@npm:^7.12.13, @babel/template@npm:^7.16.0":
+  version: 7.16.0
+  resolution: "@babel/template@npm:7.16.0"
+  dependencies:
+    "@babel/code-frame": ^7.16.0
+    "@babel/parser": ^7.16.0
+    "@babel/types": ^7.16.0
+  checksum: 940f105cc6a6aee638cd8cfae80b8b80811e0ddd53b6a11f3a68431ebb998564815fb26511b5d9cb4cff66ea67130ba7498555ee015375d32f5f89ceaa6662ea
+  languageName: node
+  linkType: hard
+
+"@babel/template@npm:^7.16.7":
+  version: 7.16.7
+  resolution: "@babel/template@npm:7.16.7"
+  dependencies:
+    "@babel/code-frame": ^7.16.7
+    "@babel/parser": ^7.16.7
+    "@babel/types": ^7.16.7
+  checksum: 10cd112e89276e00f8b11b55a51c8b2f1262c318283a980f4d6cdb0286dc05734b9aaeeb9f3ad3311900b09bc913e02343fcaa9d4a4f413964aaab04eb84ac4a
+  languageName: node
+  linkType: hard
+
+"@babel/template@npm:^7.18.10":
+  version: 7.18.10
+  resolution: "@babel/template@npm:7.18.10"
+  dependencies:
+    "@babel/code-frame": ^7.18.6
+    "@babel/parser": ^7.18.10
+    "@babel/types": ^7.18.10
+  checksum: 93a6aa094af5f355a72bd55f67fa1828a046c70e46f01b1606e6118fa1802b6df535ca06be83cc5a5e834022be95c7b714f0a268b5f20af984465a71e28f1473
+  languageName: node
+  linkType: hard
+
+"@babel/template@npm:^7.22.15":
+  version: 7.22.15
+  resolution: "@babel/template@npm:7.22.15"
+  dependencies:
+    "@babel/code-frame": ^7.22.13
+    "@babel/parser": ^7.22.15
+    "@babel/types": ^7.22.15
+  checksum: 1f3e7dcd6c44f5904c184b3f7fe280394b191f2fed819919ffa1e529c259d5b197da8981b6ca491c235aee8dbad4a50b7e31304aa531271cb823a4a24a0dd8fd
+  languageName: node
+  linkType: hard
+
+"@babel/template@npm:^7.22.5":
+  version: 7.22.5
+  resolution: "@babel/template@npm:7.22.5"
+  dependencies:
+    "@babel/code-frame": ^7.22.5
+    "@babel/parser": ^7.22.5
+    "@babel/types": ^7.22.5
+  checksum: c5746410164039aca61829cdb42e9a55410f43cace6f51ca443313f3d0bdfa9a5a330d0b0df73dc17ef885c72104234ae05efede37c1cc8a72dc9f93425977a3
+  languageName: node
+  linkType: hard
+
+"@babel/traverse@npm:^7.1.6, @babel/traverse@npm:^7.12.1, @babel/traverse@npm:^7.4.5":
+  version: 7.14.0
+  resolution: "@babel/traverse@npm:7.14.0"
+  dependencies:
+    "@babel/code-frame": ^7.12.13
+    "@babel/generator": ^7.14.0
+    "@babel/helper-function-name": ^7.12.13
+    "@babel/helper-split-export-declaration": ^7.12.13
+    "@babel/parser": ^7.14.0
+    "@babel/types": ^7.14.0
+    debug: ^4.1.0
+    globals: ^11.1.0
+  checksum: 98cfb223facc13a67031a3619285c0d71acbc57a473b1213d2c70e53c57b390e9256a93bd05d93be4d3405ea235c4758a6cac2afcbf7e79815c6c96a913d246f
+  languageName: node
+  linkType: hard
+
+"@babel/traverse@npm:^7.13.0, @babel/traverse@npm:^7.14.0, @babel/traverse@npm:^7.16.0, @babel/traverse@npm:^7.16.3":
+  version: 7.16.3
+  resolution: "@babel/traverse@npm:7.16.3"
+  dependencies:
+    "@babel/code-frame": ^7.16.0
+    "@babel/generator": ^7.16.0
+    "@babel/helper-function-name": ^7.16.0
+    "@babel/helper-hoist-variables": ^7.16.0
+    "@babel/helper-split-export-declaration": ^7.16.0
+    "@babel/parser": ^7.16.3
+    "@babel/types": ^7.16.0
+    debug: ^4.1.0
+    globals: ^11.1.0
+  checksum: abb14857b1104c73124612954865e28f95a86eb6741f35851369b4f9eabc17e394c9aa6f21fba6ce23813592353090d409772be828717cbe5154a5e981a753c1
+  languageName: node
+  linkType: hard
+
+"@babel/traverse@npm:^7.16.7, @babel/traverse@npm:^7.16.8, @babel/traverse@npm:^7.17.3":
+  version: 7.17.3
+  resolution: "@babel/traverse@npm:7.17.3"
+  dependencies:
+    "@babel/code-frame": ^7.16.7
+    "@babel/generator": ^7.17.3
+    "@babel/helper-environment-visitor": ^7.16.7
+    "@babel/helper-function-name": ^7.16.7
+    "@babel/helper-hoist-variables": ^7.16.7
+    "@babel/helper-split-export-declaration": ^7.16.7
+    "@babel/parser": ^7.17.3
+    "@babel/types": ^7.17.0
+    debug: ^4.1.0
+    globals: ^11.1.0
+  checksum: 780d7ecf711758174989794891af08d378f81febdb8932056c0d9979524bf0298e28f8e7708a872d7781151506c28f56c85c63ea3f1f654662c2fcb8a3eb9fdc
+  languageName: node
+  linkType: hard
+
+"@babel/traverse@npm:^7.18.0, @babel/traverse@npm:^7.18.2":
+  version: 7.18.2
+  resolution: "@babel/traverse@npm:7.18.2"
+  dependencies:
+    "@babel/code-frame": ^7.16.7
+    "@babel/generator": ^7.18.2
+    "@babel/helper-environment-visitor": ^7.18.2
+    "@babel/helper-function-name": ^7.17.9
+    "@babel/helper-hoist-variables": ^7.16.7
+    "@babel/helper-split-export-declaration": ^7.16.7
+    "@babel/parser": ^7.18.0
+    "@babel/types": ^7.18.2
+    debug: ^4.1.0
+    globals: ^11.1.0
+  checksum: e21c2d550bf610406cf21ef6fbec525cb1d80b9d6d71af67552478a24ee371203cb4025b23b110ae7288a62a874ad5898daad19ad23daa95dfc8ab47a47a092f
+  languageName: node
+  linkType: hard
+
+"@babel/traverse@npm:^7.18.9, @babel/traverse@npm:^7.19.0":
+  version: 7.19.0
+  resolution: "@babel/traverse@npm:7.19.0"
+  dependencies:
+    "@babel/code-frame": ^7.18.6
+    "@babel/generator": ^7.19.0
+    "@babel/helper-environment-visitor": ^7.18.9
+    "@babel/helper-function-name": ^7.19.0
+    "@babel/helper-hoist-variables": ^7.18.6
+    "@babel/helper-split-export-declaration": ^7.18.6
+    "@babel/parser": ^7.19.0
+    "@babel/types": ^7.19.0
+    debug: ^4.1.0
+    globals: ^11.1.0
+  checksum: dcbd1316c9f4bf3cefee45b6f5194590563aa5d123500a60d3c8d714bef279205014c8e599ebafc469967199a7622e1444cd0235c16d4243da437e3f1281771e
+  languageName: node
+  linkType: hard
+
+"@babel/traverse@npm:^7.22.6, @babel/traverse@npm:^7.22.8":
+  version: 7.22.8
+  resolution: "@babel/traverse@npm:7.22.8"
+  dependencies:
+    "@babel/code-frame": ^7.22.5
+    "@babel/generator": ^7.22.7
+    "@babel/helper-environment-visitor": ^7.22.5
+    "@babel/helper-function-name": ^7.22.5
+    "@babel/helper-hoist-variables": ^7.22.5
+    "@babel/helper-split-export-declaration": ^7.22.6
+    "@babel/parser": ^7.22.7
+    "@babel/types": ^7.22.5
+    debug: ^4.1.0
+    globals: ^11.1.0
+  checksum: a381369bc3eedfd13ed5fef7b884657f1c29024ea7388198149f0edc34bd69ce3966e9f40188d15f56490a5e12ba250ccc485f2882b53d41b054fccefb233e33
+  languageName: node
+  linkType: hard
+
+"@babel/types@npm:^7.1.6, @babel/types@npm:^7.7.2":
+  version: 7.14.0
+  resolution: "@babel/types@npm:7.14.0"
+  dependencies:
+    "@babel/helper-validator-identifier": ^7.14.0
+    to-fast-properties: ^2.0.0
+  checksum: e69829ade45feb140d5e146be5203533edff1ad41a892870e1c6e323a06cafaf5b7e4d83dcae1222deff3bff73cf095b48c2cbf8864b77140196879fafaaf859
+  languageName: node
+  linkType: hard
+
+"@babel/types@npm:^7.12.1, @babel/types@npm:^7.14.0, @babel/types@npm:^7.16.0, @babel/types@npm:^7.4.4":
+  version: 7.16.0
+  resolution: "@babel/types@npm:7.16.0"
+  dependencies:
+    "@babel/helper-validator-identifier": ^7.15.7
+    to-fast-properties: ^2.0.0
+  checksum: 5b483da5c6e6f2394fba7ee1da8787a0c9cddd33491271c4da702e49e6faf95ce41d7c8bf9a4ee47f2ef06bdb35096f4d0f6ae4b5bea35ebefe16309d22344b7
+  languageName: node
+  linkType: hard
+
+"@babel/types@npm:^7.12.13":
+  version: 7.19.3
+  resolution: "@babel/types@npm:7.19.3"
+  dependencies:
+    "@babel/helper-string-parser": ^7.18.10
+    "@babel/helper-validator-identifier": ^7.19.1
+    to-fast-properties: ^2.0.0
+  checksum: 34a5b3db3b99a1a80ec2a784c2bb0e48769a38f1526dc377a5753a3ac5e5704663c405a393117ecc7a9df9da07b01625be7c4c3fee43ae46aba23b0c40928d77
+  languageName: node
+  linkType: hard
+
+"@babel/types@npm:^7.16.7, @babel/types@npm:^7.16.8, @babel/types@npm:^7.17.0":
+  version: 7.17.0
+  resolution: "@babel/types@npm:7.17.0"
+  dependencies:
+    "@babel/helper-validator-identifier": ^7.16.7
+    to-fast-properties: ^2.0.0
+  checksum: 12e5a287986fe557188e87b2c5202223f1dc83d9239a196ab936fdb9f8c1eb0be717ff19f934b5fad4e29a75586d5798f74bed209bccea1c20376b9952056f0e
+  languageName: node
+  linkType: hard
+
+"@babel/types@npm:^7.18.0, @babel/types@npm:^7.18.2":
+  version: 7.18.4
+  resolution: "@babel/types@npm:7.18.4"
+  dependencies:
+    "@babel/helper-validator-identifier": ^7.16.7
+    to-fast-properties: ^2.0.0
+  checksum: 85df59beb99c1b95e9e41590442f2ffa1e5b1b558d025489db40c9f7c906bd03a17da26c3ec486e5800e80af27c42ca7eee9506d9212ab17766d2d68d30fbf52
+  languageName: node
+  linkType: hard
+
+"@babel/types@npm:^7.18.10, @babel/types@npm:^7.18.6, @babel/types@npm:^7.18.9, @babel/types@npm:^7.19.0":
+  version: 7.19.0
+  resolution: "@babel/types@npm:7.19.0"
+  dependencies:
+    "@babel/helper-string-parser": ^7.18.10
+    "@babel/helper-validator-identifier": ^7.18.6
+    to-fast-properties: ^2.0.0
+  checksum: 9b346715a68aeede70ba9c685a144b0b26c53bcd595d448e24c8fa8df4d5956a5712e56ebadb7c85dcc32f218ee42788e37b93d50d3295c992072224cb3ef3fe
+  languageName: node
+  linkType: hard
+
+"@babel/types@npm:^7.22.15, @babel/types@npm:^7.22.19, @babel/types@npm:^7.23.0":
+  version: 7.23.5
+  resolution: "@babel/types@npm:7.23.5"
+  dependencies:
+    "@babel/helper-string-parser": ^7.23.4
+    "@babel/helper-validator-identifier": ^7.22.20
+    to-fast-properties: ^2.0.0
+  checksum: 3d21774480a459ef13b41c2e32700d927af649e04b70c5d164814d8e04ab584af66a93330602c2925e1a6925c2b829cc153418a613a4e7d79d011be1f29ad4b2
+  languageName: node
+  linkType: hard
+
+"@babel/types@npm:^7.22.5":
+  version: 7.22.5
+  resolution: "@babel/types@npm:7.22.5"
+  dependencies:
+    "@babel/helper-string-parser": ^7.22.5
+    "@babel/helper-validator-identifier": ^7.22.5
+    to-fast-properties: ^2.0.0
+  checksum: c13a9c1dc7d2d1a241a2f8363540cb9af1d66e978e8984b400a20c4f38ba38ca29f06e26a0f2d49a70bad9e57615dac09c35accfddf1bb90d23cd3e0a0bab892
+  languageName: node
+  linkType: hard
+
+"@babel/types@npm:^7.8.3":
+  version: 7.21.4
+  resolution: "@babel/types@npm:7.21.4"
+  dependencies:
+    "@babel/helper-string-parser": ^7.19.4
+    "@babel/helper-validator-identifier": ^7.19.1
+    to-fast-properties: ^2.0.0
+  checksum: 587bc55a91ce003b0f8aa10d70070f8006560d7dc0360dc0406d306a2cb2a10154e2f9080b9c37abec76907a90b330a536406cb75e6bdc905484f37b75c73219
+  languageName: node
+  linkType: hard
+
+"@cnakazawa/watch@npm:^1.0.3":
+  version: 1.0.4
+  resolution: "@cnakazawa/watch@npm:1.0.4"
+  dependencies:
+    exec-sh: ^0.3.2
+    minimist: ^1.2.0
+  bin:
+    watch: cli.js
+  checksum: 88f395ca0af2f3c0665b8ce7bb29e83647ec5d141e8735712aeeee4117081555436712966b6957aa1c461f6f826a4d23b0034e379c443a10e919f81c8748bf29
+  languageName: node
+  linkType: hard
+
+"@csstools/css-parser-algorithms@npm:^2.3.0":
+  version: 2.3.0
+  resolution: "@csstools/css-parser-algorithms@npm:2.3.0"
+  peerDependencies:
+    "@csstools/css-tokenizer": ^2.1.1
+  checksum: 3be22a0cfcfe0dc4bb140e2f266590addf21c5052d9e69334da860b3839fbd4369c3d158cbc396032d5ed96d01d2b5d8ebdb5497f75c9830ed9ce99853e3f915
+  languageName: node
+  linkType: hard
+
+"@csstools/css-tokenizer@npm:^2.1.1":
+  version: 2.1.1
+  resolution: "@csstools/css-tokenizer@npm:2.1.1"
+  checksum: d6ac4b08d7fdfc146755542f00b208af7248efd6cf2eb0f0f7d2ba3583a81f08ed9be6047d78b046925708b5bd0886f487edeeee2f90f0f34030dcbef4122d0e
+  languageName: node
+  linkType: hard
+
+"@csstools/media-query-list-parser@npm:^2.1.2":
+  version: 2.1.2
+  resolution: "@csstools/media-query-list-parser@npm:2.1.2"
+  peerDependencies:
+    "@csstools/css-parser-algorithms": ^2.3.0
+    "@csstools/css-tokenizer": ^2.1.1
+  checksum: 04936573ba837f14d7d637e172342c473665679c6497bbc0d548d93d08cb22e22151bb19e0e20422954c0b2aa50c3f38c9fc5f45c136e31bc863c656cb79df1b
+  languageName: node
+  linkType: hard
+
+"@csstools/selector-specificity@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "@csstools/selector-specificity@npm:3.0.0"
+  peerDependencies:
+    postcss-selector-parser: ^6.0.13
+  checksum: 4a2dfe69998a499155d9dab4c2a0e7ae7594d8db98bb8a487d2d5347c0c501655051eb5eacad3fe323c86b0ba8212fe092c27fc883621e6ac2a27662edfc3528
+  languageName: node
+  linkType: hard
+
+"@ember-data/adapter@npm:4.11.3":
+  version: 4.11.3
+  resolution: "@ember-data/adapter@npm:4.11.3"
+  dependencies:
+    "@ember-data/private-build-infra": 4.11.3
+    "@ember/edition-utils": ^1.2.0
+    "@embroider/macros": ^1.10.0
+    ember-auto-import: ^2.4.3
+    ember-cli-babel: ^7.26.11
+    ember-cli-test-info: ^1.0.0
+  peerDependencies:
+    "@ember-data/store": 4.11.3
+    "@ember/string": ^3.0.1
+    ember-inflector: ^4.0.2
+  checksum: 2fc2366b334eb1e0a722d97296df11dd41b31dcd3343c41a90a21d0aeecc949ccb23ee94101830b91b7c6c74127cf55e953d1d4da67c3668776c95c107cda831
+  languageName: node
+  linkType: hard
+
+"@ember-data/canary-features@npm:4.11.3":
+  version: 4.11.3
+  resolution: "@ember-data/canary-features@npm:4.11.3"
+  dependencies:
+    "@embroider/macros": ^1.10.0
+    ember-cli-babel: ^7.26.11
+  checksum: 24983d2aa36cdd2a071abc64c3bece4c031004e5160e90ea8d65486ac6430746f0669c3fc6f1315b85ed401c58b98e910d8da92bc8e84fa11e36b8c9b3fc93c8
+  languageName: node
+  linkType: hard
+
+"@ember-data/debug@npm:4.11.3":
+  version: 4.11.3
+  resolution: "@ember-data/debug@npm:4.11.3"
+  dependencies:
+    "@ember-data/private-build-infra": 4.11.3
+    "@ember/edition-utils": ^1.2.0
+    "@embroider/macros": ^1.10.0
+    ember-auto-import: ^2.4.3
+    ember-cli-babel: ^7.26.11
+  peerDependencies:
+    "@ember/string": ^3.0.1
+  checksum: 9eac1c756e54e1a397ac7bb8442b2c621c1a6f6d9c07588e9bcaac160f19449fac6cfd2ce01358d4dfa80fdc72b1868f93b56ede9993339853c88b312e70198e
+  languageName: node
+  linkType: hard
+
+"@ember-data/model@npm:4.11.3":
+  version: 4.11.3
+  resolution: "@ember-data/model@npm:4.11.3"
+  dependencies:
+    "@ember-data/canary-features": 4.11.3
+    "@ember-data/private-build-infra": 4.11.3
+    "@ember/edition-utils": ^1.2.0
+    "@embroider/macros": ^1.10.0
+    ember-auto-import: ^2.4.3
+    ember-cached-decorator-polyfill: ^1.0.1
+    ember-cli-babel: ^7.26.11
+    ember-cli-string-utils: ^1.1.0
+    ember-cli-test-info: ^1.0.0
+    ember-compatibility-helpers: ^1.2.6
+    inflection: ~2.0.0
+  peerDependencies:
+    "@ember-data/record-data": 4.11.3
+    "@ember-data/store": 4.11.3
+    "@ember-data/tracking": 4.11.3
+    "@ember/string": ^3.0.1
+    ember-inflector: ^4.0.2
+  peerDependenciesMeta:
+    "@ember-data/record-data":
+      optional: true
+  checksum: 734fd60c6a5bf84d657a86e4aa89f965c5624caf478d0b87d517bec589e3e6db2cba45e46dfcfa5a6506733a94bcf4c2f43daecaa9ad6f06b62a408da2714d13
+  languageName: node
+  linkType: hard
+
+"@ember-data/private-build-infra@npm:4.11.3":
+  version: 4.11.3
+  resolution: "@ember-data/private-build-infra@npm:4.11.3"
+  dependencies:
+    "@babel/core": ^7.20.2
+    "@babel/plugin-transform-block-scoping": ^7.20.2
+    "@babel/runtime": ^7.20.1
+    "@ember-data/canary-features": 4.11.3
+    "@ember/edition-utils": ^1.2.0
+    "@embroider/macros": ^1.10.0
+    babel-import-util: ^1.3.0
+    babel-plugin-debug-macros: ^0.3.4
+    babel-plugin-filter-imports: ^4.0.0
+    babel6-plugin-strip-class-callcheck: ^6.0.0
+    broccoli-debug: ^0.6.5
+    broccoli-file-creator: ^2.1.1
+    broccoli-funnel: ^3.0.8
+    broccoli-merge-trees: ^4.2.0
+    broccoli-rollup: ^5.0.0
+    calculate-cache-key-for-tree: ^2.0.0
+    chalk: ^4.1.2
+    ember-cli-babel: ^7.26.11
+    ember-cli-path-utils: ^1.0.0
+    ember-cli-string-utils: ^1.1.0
+    ember-cli-version-checker: ^5.1.2
+    git-repo-info: ^2.1.1
+    glob: ^8.0.3
+    npm-git-info: ^1.0.3
+    rimraf: ^3.0.2
+    rsvp: ^4.8.5
+    semver: ^7.3.8
+    silent-error: ^1.1.1
+  checksum: a9a1e865de89f7b7fbf9461c511931b03309e41fe1fd32e5b2d4d4fa43fcb62bc89bada264f924fafd86373590cc4834d5052900bddecaa37f0b7fefa36a732d
+  languageName: node
+  linkType: hard
+
+"@ember-data/record-data@npm:4.11.3":
+  version: 4.11.3
+  resolution: "@ember-data/record-data@npm:4.11.3"
+  dependencies:
+    "@ember-data/canary-features": 4.11.3
+    "@ember-data/private-build-infra": 4.11.3
+    "@ember/edition-utils": ^1.2.0
+    "@embroider/macros": ^1.10.0
+    ember-auto-import: ^2.4.3
+    ember-cli-babel: ^7.26.11
+  peerDependencies:
+    "@ember-data/store": 4.11.3
+  checksum: e49caa3e2279d119a9f3668980c8ac7ce49d7fb451d9630b395a4a5b5993ab96c5a6a8230cf08e03711b41027f174dbc0c1819f31489a738670670b2e751f25a
+  languageName: node
+  linkType: hard
+
+"@ember-data/rfc395-data@npm:^0.0.4":
+  version: 0.0.4
+  resolution: "@ember-data/rfc395-data@npm:0.0.4"
+  checksum: 59760b1f7b1cf131fe4a3b817b912e7e62e69e100acd813db37d11106a40c1b22da068cd7d4cdc1bb4c69b0dbde45c96ebff848b6b2380715eae7896bb2e109c
+  languageName: node
+  linkType: hard
+
+"@ember-data/serializer@npm:4.11.3":
+  version: 4.11.3
+  resolution: "@ember-data/serializer@npm:4.11.3"
+  dependencies:
+    "@ember-data/private-build-infra": 4.11.3
+    "@embroider/macros": ^1.10.0
+    ember-auto-import: ^2.4.3
+    ember-cli-babel: ^7.26.11
+    ember-cli-test-info: ^1.0.0
+  peerDependencies:
+    "@ember-data/store": 4.11.3
+    "@ember/string": ^3.0.1
+    ember-inflector: ^4.0.2
+  checksum: a36dea451165e8bb3aa572366bb13b8af3377ab31239396b741b6912ee155099cb36df8349e69e585a2b12a7250c457e2973d95c43bb1578228e41afd254c0f6
+  languageName: node
+  linkType: hard
+
+"@ember-data/store@npm:4.11.3":
+  version: 4.11.3
+  resolution: "@ember-data/store@npm:4.11.3"
+  dependencies:
+    "@ember-data/canary-features": 4.11.3
+    "@ember-data/private-build-infra": 4.11.3
+    "@embroider/macros": ^1.10.0
+    ember-auto-import: ^2.4.3
+    ember-cached-decorator-polyfill: ^1.0.1
+    ember-cli-babel: ^7.26.11
+  peerDependencies:
+    "@ember-data/model": 4.11.3
+    "@ember-data/record-data": 4.11.3
+    "@ember-data/tracking": 4.11.3
+    "@ember/string": ^3.0.1
+    "@glimmer/tracking": ^1.1.2
+  peerDependenciesMeta:
+    "@ember-data/model":
+      optional: true
+    "@ember-data/record-data":
+      optional: true
+  checksum: 132384d5a3c02697f1e1c1599e10d5ffed6f4d73c79ab353cb89b5b533410a906bc238005cde702f57072f2a0a48f885de72d063d593ff7f3620b3bc58763092
+  languageName: node
+  linkType: hard
+
+"@ember-data/tracking@npm:4.11.3":
+  version: 4.11.3
+  resolution: "@ember-data/tracking@npm:4.11.3"
+  dependencies:
+    ember-cli-babel: ^7.26.11
+  checksum: c93f00f647769da12206bd4166b85c6bfcf37118acbcecac37357804451b3e9a5ee8bad9aa63c3ec1900013ceadcf2480b06656f0e9caff276ba046fc6be512f
+  languageName: node
+  linkType: hard
+
+"@ember-decorators/component@npm:^6.1.1":
+  version: 6.1.1
+  resolution: "@ember-decorators/component@npm:6.1.1"
+  dependencies:
+    "@ember-decorators/utils": ^6.1.1
+    ember-cli-babel: ^7.1.3
+  checksum: 0b731884ff2d84db32eae9c006179153ad1d7f93eee040260d0622101017f363caf38db98e536ffd4008312af91cc57a8dda0d0f2c71f80d3643d5456658bee6
+  languageName: node
+  linkType: hard
+
+"@ember-decorators/object@npm:^6.1.1":
+  version: 6.1.1
+  resolution: "@ember-decorators/object@npm:6.1.1"
+  dependencies:
+    "@ember-decorators/utils": ^6.1.1
+    ember-cli-babel: ^7.1.3
+  checksum: 806f753a58ecca5924da110efa614e9a33b4ed7734aa5e67ea41a8a5f555734852e50e78dadcd269407efe1cc08756e8dbc55c077183892f9dc38a0701b8641d
+  languageName: node
+  linkType: hard
+
+"@ember-decorators/utils@npm:^6.1.0, @ember-decorators/utils@npm:^6.1.1":
+  version: 6.1.1
+  resolution: "@ember-decorators/utils@npm:6.1.1"
+  dependencies:
+    ember-cli-babel: ^7.1.3
+  checksum: 979075021ce824a263859dc236285b37afee98b1583060cfab9c3583a4888612155bb66a23a4f4d24ab0ca9f459b38a458d32f825f0df073ca38a7f6e0187dc1
+  languageName: node
+  linkType: hard
+
+"@ember/edition-utils@npm:^1.2.0":
+  version: 1.2.0
+  resolution: "@ember/edition-utils@npm:1.2.0"
+  checksum: eb1eeb08b66344054acb34a4695a80dbfaeb678d10cb11327eec4c0d03b2324ad7c05d0239a7d0298d5f8931e1698d85cba23dac37bff18ab52104f678a0e8c7
+  languageName: node
+  linkType: hard
+
+"@ember/legacy-built-in-components@npm:^0.4.1":
+  version: 0.4.1
+  resolution: "@ember/legacy-built-in-components@npm:0.4.1"
+  dependencies:
+    "@embroider/macros": ^1.0.0
+    ember-cli-babel: ^7.26.6
+    ember-cli-htmlbars: ^5.7.1
+    ember-cli-typescript: ^4.1.0
+  peerDependencies:
+    ember-source: "*"
+  checksum: e4e872eb0776f29ee066556f3ae99a65ddb75fbfe44f838c807b35d8c51927aae4a28e408529f6a4c42f1445f8addc033a010343e7884c6344aeacb9c4304614
+  languageName: node
+  linkType: hard
+
+"@ember/optional-features@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "@ember/optional-features@npm:2.0.0"
+  dependencies:
+    chalk: ^4.1.0
+    ember-cli-version-checker: ^5.1.1
+    glob: ^7.1.6
+    inquirer: ^7.3.3
+    mkdirp: ^1.0.4
+    silent-error: ^1.1.1
+  checksum: 8fce4edc03b95c364770468398b5163791f36d2c305a7ed7221506558d13d114b79a5e5a58fe98d260b38cff4eece2c2fd87ccdff1bc10a7de8270ab3b3f49d1
+  languageName: node
+  linkType: hard
+
+"@ember/render-modifiers@npm:^1.0.2":
+  version: 1.0.2
+  resolution: "@ember/render-modifiers@npm:1.0.2"
+  dependencies:
+    ember-cli-babel: ^7.10.0
+    ember-modifier-manager-polyfill: ^1.1.0
+  checksum: 74220450d3a8635f1ce6c3d9ce5d7f4d8e7336e48a20b1e28b6acf9f671f0938855dff60a06eb1ad5700fadb42e2c0ffa3adef404788966da99db8ab393e9944
+  languageName: node
+  linkType: hard
+
+"@ember/render-modifiers@npm:^2.0.0, @ember/render-modifiers@npm:^2.0.5":
+  version: 2.1.0
+  resolution: "@ember/render-modifiers@npm:2.1.0"
+  dependencies:
+    "@embroider/macros": ^1.0.0
+    ember-cli-babel: ^7.26.11
+    ember-modifier-manager-polyfill: ^1.2.0
+  peerDependencies:
+    "@glint/template": ^1.0.2
+    ember-source: ^3.8 || ^4.0.0 || ^5.0.0
+  peerDependenciesMeta:
+    "@glint/template":
+      optional: true
+  checksum: 6c4d617b67ee52e8e29e9a2b9f42a30e8ea333a7b7a4c5a61fdf5f15623da11f40d82218aeddfbe32bee1f508c569740e842a8233f4a372728d18b66bbc197d5
+  languageName: node
+  linkType: hard
+
+"@ember/render-modifiers@npm:^2.0.2, @ember/render-modifiers@npm:^2.0.4":
+  version: 2.0.4
+  resolution: "@ember/render-modifiers@npm:2.0.4"
+  dependencies:
+    "@embroider/macros": ^1.0.0
+    ember-cli-babel: ^7.26.11
+    ember-modifier-manager-polyfill: ^1.2.0
+  peerDependencies:
+    ember-source: ^3.8 || 4
+  checksum: 6186a013349273f9eb0339a5b2ab7ccc7b9e6429d83b8cabba2842dfc35bd4b77b66979c2f2c25b062a7cdd359c6a500df27154880ac5f04a3ffa52ca6e343d6
+  languageName: node
+  linkType: hard
+
+"@ember/string@npm:^3.0.1, @ember/string@npm:^3.1.1":
+  version: 3.1.1
+  resolution: "@ember/string@npm:3.1.1"
+  dependencies:
+    ember-cli-babel: ^7.26.6
+  checksum: a2496735cb8cfc2d9484f7756fbb3e528db0a9bdf3acc8e86cc56491302777d806d1039186bf6c045aa3e40e464fd8d1cdac89fe97da274f3200844a7d3162c9
+  languageName: node
+  linkType: hard
+
+"@ember/test-helpers@npm:2.9.3":
+  version: 2.9.3
+  resolution: "@ember/test-helpers@npm:2.9.3"
+  dependencies:
+    "@ember/test-waiters": ^3.0.0
+    "@embroider/macros": ^1.10.0
+    "@embroider/util": ^1.9.0
+    broccoli-debug: ^0.6.5
+    broccoli-funnel: ^3.0.8
+    ember-cli-babel: ^7.26.11
+    ember-cli-htmlbars: ^6.1.1
+    ember-destroyable-polyfill: ^2.0.3
+  peerDependencies:
+    ember-source: ">=3.8.0"
+  checksum: 4591d33275c6035d41aa95184200074a727cc660aa43e48e9ed63ba07881a12fa332360fe7e5ba3b7a466fd740d92aa9f97e5d3584e95e2337c9b57ee844da69
+  languageName: node
+  linkType: hard
+
+"@ember/test-waiters@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "@ember/test-waiters@npm:3.0.0"
+  dependencies:
+    calculate-cache-key-for-tree: ^2.0.0
+    ember-cli-babel: ^7.26.6
+    ember-cli-version-checker: ^5.1.2
+    semver: ^7.3.5
+  checksum: 4998a8213b8800633485eaca342bd6e9b388d974def70ab794612d0c691b68599b2377b9a5467bdddea699099fec2897821c9127443ddac3c69c82d73ea21fa5
+  languageName: node
+  linkType: hard
+
+"@ember/test-waiters@npm:^3.1.0":
+  version: 3.1.0
+  resolution: "@ember/test-waiters@npm:3.1.0"
+  dependencies:
+    calculate-cache-key-for-tree: ^2.0.0
+    ember-cli-babel: ^7.26.6
+    ember-cli-version-checker: ^5.1.2
+    semver: ^7.3.5
+  checksum: f5d8c75ec060f01d038c4f8f419f844e50928b9d7af518b00318844238b43a7b740fc2ec941f45c61fdf698977f2f8a47b34898faa7da2d09e3a38a8137ac8cf
+  languageName: node
+  linkType: hard
+
+"@embroider/addon-shim@npm:1.8.3":
+  version: 1.8.3
+  resolution: "@embroider/addon-shim@npm:1.8.3"
+  dependencies:
+    "@embroider/shared-internals": ^1.8.3
+    semver: ^7.3.5
+  checksum: 11dfdb956631179656727599eb6d6223369f6a04f0e28ac04b793064338c577a89a77c59254a4a665acc46e174cf87196d0f335ab8049be7fe8a2c71ef695974
+  languageName: node
+  linkType: hard
+
+"@embroider/addon-shim@npm:^1.0.0, @embroider/addon-shim@npm:^1.2.0, @embroider/addon-shim@npm:^1.8.3":
+  version: 1.8.6
+  resolution: "@embroider/addon-shim@npm:1.8.6"
+  dependencies:
+    "@embroider/shared-internals": ^2.2.3
+    broccoli-funnel: ^3.0.8
+    semver: ^7.3.8
+  checksum: 63214fbc1b3f333b052791cdfc0c278c348dd6ca4ec2b53c96183150e3d5fe9882cdd3065853e3d6a2c964c962d718b87f2fd8a17414b53fc3a3997d5eedb30e
+  languageName: node
+  linkType: hard
+
+"@embroider/addon-shim@npm:^1.8.4":
+  version: 1.8.4
+  resolution: "@embroider/addon-shim@npm:1.8.4"
+  dependencies:
+    "@embroider/shared-internals": ^2.0.0
+    broccoli-funnel: ^3.0.8
+    semver: ^7.3.8
+  checksum: 107220e97bbd46ead81dfbbfc6cf7daa61731096a6e81b989659a9a0b29b48b3c97ebdd446b6dc0636c4be369f3744e514b7f5e5c0fdc54c1c0e026f54404cc2
+  languageName: node
+  linkType: hard
+
+"@embroider/core@npm:^0.33.0":
+  version: 0.33.0
+  resolution: "@embroider/core@npm:0.33.0"
+  dependencies:
+    "@babel/core": ^7.12.3
+    "@babel/parser": ^7.12.3
+    "@babel/plugin-syntax-dynamic-import": ^7.8.3
+    "@babel/plugin-transform-runtime": ^7.12.1
+    "@babel/runtime": ^7.12.5
+    "@babel/traverse": ^7.12.1
+    "@babel/types": ^7.12.1
+    "@embroider/macros": 0.33.0
+    assert-never: ^1.1.0
+    babel-plugin-syntax-dynamic-import: ^6.18.0
+    broccoli-node-api: ^1.7.0
+    broccoli-persistent-filter: ^3.1.2
+    broccoli-plugin: ^4.0.1
+    broccoli-source: ^3.0.0
+    debug: ^3.1.0
+    escape-string-regexp: ^4.0.0
+    fast-sourcemap-concat: ^1.4.0
+    filesize: ^4.1.2
+    fs-extra: ^7.0.1
+    fs-tree-diff: ^2.0.0
+    handlebars: ^4.4.2
+    js-string-escape: ^1.0.1
+    jsdom: ^16.4.0
+    json-stable-stringify: ^1.0.1
+    lodash: ^4.17.10
+    pkg-up: ^2.0.0
+    resolve: ^1.8.1
+    resolve-package-path: ^1.2.2
+    semver: ^7.3.2
+    strip-bom: ^3.0.0
+    typescript-memoize: ^1.0.0-alpha.3
+    walk-sync: ^1.1.3
+    wrap-legacy-hbs-plugin-if-needed: ^1.0.1
+  checksum: 8abe563e909461b18f9b86a616173a436a5cdaf3c455f0a46ab51cae24129d03bd2e5a06e26a4adba7eca10a1d34388ec5a51fcf790f2ac9fabafb7950668df1
+  languageName: node
+  linkType: hard
+
+"@embroider/macros@npm:^1.0.0":
+  version: 1.5.0
+  resolution: "@embroider/macros@npm:1.5.0"
+  dependencies:
+    "@embroider/shared-internals": 1.5.0
+    assert-never: ^1.2.1
+    babel-import-util: ^1.1.0
+    ember-cli-babel: ^7.26.6
+    find-up: ^5.0.0
+    lodash: ^4.17.21
+    resolve: ^1.20.0
+    semver: ^7.3.2
+  checksum: 5e0d5f8c89b0b31199b938848bb7afc5bcd8d3501cc8bfd3ad4a531d74c4e50e8648303e8adaf690c0f0f69a61025925ce55640d93aa3d1723c820efd9cecabc
+  languageName: node
+  linkType: hard
+
+"@embroider/shared-internals@npm:1.5.0, @embroider/shared-internals@npm:^1.0.0":
+  version: 1.5.0
+  resolution: "@embroider/shared-internals@npm:1.5.0"
+  dependencies:
+    babel-import-util: ^1.1.0
+    ember-rfc176-data: ^0.3.17
+    fs-extra: ^9.1.0
+    lodash: ^4.17.21
+    resolve-package-path: ^4.0.1
+    semver: ^7.3.5
+    typescript-memoize: ^1.0.1
+  checksum: 78f92e64f03f33a0d31489fe406ff58da8d5997b78156e3b8b73f6cd5ef14d8a810a7f65e3da96206a02a3c2277316ebdd5c6dae05abfe816eb9940d76e03004
+  languageName: node
+  linkType: hard
+
+"@embroider/shared-internals@npm:^1.8.3":
+  version: 1.8.3
+  resolution: "@embroider/shared-internals@npm:1.8.3"
+  dependencies:
+    babel-import-util: ^1.1.0
+    ember-rfc176-data: ^0.3.17
+    fs-extra: ^9.1.0
+    js-string-escape: ^1.0.1
+    lodash: ^4.17.21
+    resolve-package-path: ^4.0.1
+    semver: ^7.3.5
+    typescript-memoize: ^1.0.1
+  checksum: de636225b3e85379caad5bf4cb3c4f8cc8d95d1c9fab05668faf55654ae2cfe1ca2632c5cc4b81f0b52781d4fc5b80879e6cd143801976de46c591430957040f
+  languageName: node
+  linkType: hard
+
+"@embroider/shared-internals@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "@embroider/shared-internals@npm:2.0.0"
+  dependencies:
+    babel-import-util: ^1.1.0
+    ember-rfc176-data: ^0.3.17
+    fs-extra: ^9.1.0
+    js-string-escape: ^1.0.1
+    lodash: ^4.17.21
+    resolve-package-path: ^4.0.1
+    semver: ^7.3.5
+    typescript-memoize: ^1.0.1
+  checksum: 19d2754182b9e1373177843a354852c82b35d71af66edcdf0662597442062e5f5f51adbdf7a63a263ee0052064c222ff33ddb983ec3f17b68b7275de8de3680e
+  languageName: node
+  linkType: hard
+
+"@embroider/shared-internals@npm:^2.2.3":
+  version: 2.2.3
+  resolution: "@embroider/shared-internals@npm:2.2.3"
+  dependencies:
+    babel-import-util: ^1.1.0
+    ember-rfc176-data: ^0.3.17
+    fs-extra: ^9.1.0
+    js-string-escape: ^1.0.1
+    lodash: ^4.17.21
+    resolve-package-path: ^4.0.1
+    semver: ^7.3.5
+    typescript-memoize: ^1.0.1
+  checksum: bf9f3769af5a66b6e8935257c77fe49678ef0a24ec74b397134598c16f13cd791ac2107008b0ae5dc41d94810f5e15ad318100c03bf1fcb2209a62db966cc483
+  languageName: node
+  linkType: hard
+
+"@embroider/util@npm:^0.39.1 || ^0.40.0 || ^0.41.0 || ^1.0.0, @embroider/util@npm:^1.2.0":
+  version: 1.9.0
+  resolution: "@embroider/util@npm:1.9.0"
+  dependencies:
+    "@embroider/macros": ^1.9.0
+    broccoli-funnel: ^3.0.5
+    ember-cli-babel: ^7.23.1
+  peerDependencies:
+    ember-source: "*"
+  checksum: 0b2c45d11f633b30e36dc87b199ff9e6543597cce2e1c054c0392f9a7685e6845864ad57d404b9d67fb5dfcd4e93282ab8c3bbd7a491488b3ecdaaa7a0777d49
+  languageName: node
+  linkType: hard
+
+"@embroider/util@npm:^1.0.0":
+  version: 1.5.0
+  resolution: "@embroider/util@npm:1.5.0"
+  dependencies:
+    "@embroider/macros": 1.5.0
+    broccoli-funnel: ^3.0.5
+    ember-cli-babel: ^7.23.1
+  peerDependencies:
+    ember-source: "*"
+  checksum: f3656a8ae3df0d3b35a40c867258a621ef28311c5fbd3e8718593fd436e09816cc3331694695e40dcad384bda638986184dbe13d919314189ce31c154eebdd81
+  languageName: node
+  linkType: hard
+
+"@embroider/util@npm:^1.9.0":
+  version: 1.11.2
+  resolution: "@embroider/util@npm:1.11.2"
+  dependencies:
+    "@embroider/macros": ^1.12.3
+    broccoli-funnel: ^3.0.5
+    ember-cli-babel: ^7.26.11
+  peerDependencies:
+    "@glint/environment-ember-loose": ^1.0.0
+    "@glint/template": ^1.0.0
+    ember-source: "*"
+  peerDependenciesMeta:
+    "@glint/environment-ember-loose":
+      optional: true
+    "@glint/template":
+      optional: true
+  checksum: 1d9cc4e5b4d2f8bd3803460771665e251c88b1788791c8a2bb15baab33bb5ec4afd0da1203ed7f4797abb31d9565e5abb0aef2ba6dcfa20368f48dca191a9106
+  languageName: node
+  linkType: hard
+
+"@eslint-community/eslint-utils@npm:^4.2.0":
+  version: 4.4.0
+  resolution: "@eslint-community/eslint-utils@npm:4.4.0"
+  dependencies:
+    eslint-visitor-keys: ^3.3.0
+  peerDependencies:
+    eslint: ^6.0.0 || ^7.0.0 || >=8.0.0
+  checksum: cdfe3ae42b4f572cbfb46d20edafe6f36fc5fb52bf2d90875c58aefe226892b9677fef60820e2832caf864a326fe4fc225714c46e8389ccca04d5f9288aabd22
+  languageName: node
+  linkType: hard
+
+"@eslint-community/regexpp@npm:^4.4.0":
+  version: 4.5.1
+  resolution: "@eslint-community/regexpp@npm:4.5.1"
+  checksum: 6d901166d64998d591fab4db1c2f872981ccd5f6fe066a1ad0a93d4e11855ecae6bfb76660869a469563e8882d4307228cebd41142adb409d182f2966771e57e
+  languageName: node
+  linkType: hard
+
+"@eslint/eslintrc@npm:^1.3.3":
+  version: 1.3.3
+  resolution: "@eslint/eslintrc@npm:1.3.3"
+  dependencies:
+    ajv: ^6.12.4
+    debug: ^4.3.2
+    espree: ^9.4.0
+    globals: ^13.15.0
+    ignore: ^5.2.0
+    import-fresh: ^3.2.1
+    js-yaml: ^4.1.0
+    minimatch: ^3.1.2
+    strip-json-comments: ^3.1.1
+  checksum: f03e9d6727efd3e0719da2051ea80c0c73d20e28c171121527dbb868cd34232ca9c1d0525a66e517a404afea26624b1e47895b6a92474678418c2f50c9566694
+  languageName: node
+  linkType: hard
+
+"@eslint/eslintrc@npm:^2.1.0":
+  version: 2.1.0
+  resolution: "@eslint/eslintrc@npm:2.1.0"
+  dependencies:
+    ajv: ^6.12.4
+    debug: ^4.3.2
+    espree: ^9.6.0
+    globals: ^13.19.0
+    ignore: ^5.2.0
+    import-fresh: ^3.2.1
+    js-yaml: ^4.1.0
+    minimatch: ^3.1.2
+    strip-json-comments: ^3.1.1
+  checksum: d5ed0adbe23f6571d8c9bb0ca6edf7618dc6aed4046aa56df7139f65ae7b578874e0d9c796df784c25bda648ceb754b6320277d828c8b004876d7443b8dc018c
+  languageName: node
+  linkType: hard
+
+"@eslint/js@npm:8.44.0":
+  version: 8.44.0
+  resolution: "@eslint/js@npm:8.44.0"
+  checksum: fc539583226a28f5677356e9f00d2789c34253f076643d2e32888250e509a4e13aafe0880cb2425139051de0f3a48d25bfc5afa96b7304f203b706c17340e3cf
+  languageName: node
+  linkType: hard
+
+"@gar/promisify@npm:^1.1.3":
+  version: 1.1.3
+  resolution: "@gar/promisify@npm:1.1.3"
+  checksum: 4059f790e2d07bf3c3ff3e0fec0daa8144fe35c1f6e0111c9921bd32106adaa97a4ab096ad7dab1e28ee6a9060083c4d1a4ada42a7f5f3f7a96b8812e2b757c1
+  languageName: node
+  linkType: hard
+
+"@glimmer/component@npm:^1.0.4":
+  version: 1.0.4
+  resolution: "@glimmer/component@npm:1.0.4"
+  dependencies:
+    "@glimmer/di": ^0.1.9
+    "@glimmer/env": ^0.1.7
+    "@glimmer/util": ^0.44.0
+    broccoli-file-creator: ^2.1.1
+    broccoli-merge-trees: ^3.0.2
+    ember-cli-babel: ^7.7.3
+    ember-cli-get-component-path-option: ^1.0.0
+    ember-cli-is-package-missing: ^1.0.0
+    ember-cli-normalize-entity-name: ^1.0.0
+    ember-cli-path-utils: ^1.0.0
+    ember-cli-string-utils: ^1.1.0
+    ember-cli-typescript: 3.0.0
+    ember-cli-version-checker: ^3.1.3
+    ember-compatibility-helpers: ^1.1.2
+  checksum: 122009a24f06053647779dc79d4f5cd3ef6d2deac91c92bb3d1dd01a68dd5ef5002efaa48e4abba85287fd2a1aba711dee330cee9b82d283c05763391d10671d
+  languageName: node
+  linkType: hard
+
+"@glimmer/component@npm:^1.1.0, @glimmer/component@npm:^1.1.2":
+  version: 1.1.2
+  resolution: "@glimmer/component@npm:1.1.2"
+  dependencies:
+    "@glimmer/di": ^0.1.9
+    "@glimmer/env": ^0.1.7
+    "@glimmer/util": ^0.44.0
+    broccoli-file-creator: ^2.1.1
+    broccoli-merge-trees: ^3.0.2
+    ember-cli-babel: ^7.7.3
+    ember-cli-get-component-path-option: ^1.0.0
+    ember-cli-is-package-missing: ^1.0.0
+    ember-cli-normalize-entity-name: ^1.0.0
+    ember-cli-path-utils: ^1.0.0
+    ember-cli-string-utils: ^1.1.0
+    ember-cli-typescript: 3.0.0
+    ember-cli-version-checker: ^3.1.3
+    ember-compatibility-helpers: ^1.1.2
+  checksum: 853b998105c1f77cf382b6f6459709515d39d560f2022e948e7b7f6b298b14197e45b20c1cbfca52970c0fef1a80a1bce55aea98c4da2311330d5420291254b7
+  languageName: node
+  linkType: hard
+
+"@glimmer/di@npm:^0.1.9":
+  version: 0.1.11
+  resolution: "@glimmer/di@npm:0.1.11"
+  checksum: c93f6a511cf7f72f3a6824ce075e73952b8f451e4098eda2fc1f45b4b5b1016831459d32f3f298fdc21030cc03ebcc4561ca2780c59562e356519b2a296c5b48
+  languageName: node
+  linkType: hard
+
+"@glimmer/encoder@npm:^0.42.2":
+  version: 0.42.2
+  resolution: "@glimmer/encoder@npm:0.42.2"
+  dependencies:
+    "@glimmer/interfaces": ^0.42.2
+    "@glimmer/vm": ^0.42.2
+  checksum: 1e857e09176a6673c599a7b466b8cb20fde55df3dfd7e2d923ac2e065261ddf2ef82651a64c40c0209bb9fc684abcf6f79ea52e23b9f7463c7a244f0540bce50
+  languageName: node
+  linkType: hard
+
+"@glimmer/env@npm:0.1.7, @glimmer/env@npm:^0.1.7":
+  version: 0.1.7
+  resolution: "@glimmer/env@npm:0.1.7"
+  checksum: d46686da1b21615c177792794ed11f725fbb1c32936d69ca54a3ac40e2314638a529b81afb23759d35cdf36462a7a6b2c02604a366473cd6a8abadfe56e9c335
+  languageName: node
+  linkType: hard
+
+"@glimmer/global-context@npm:0.84.3":
+  version: 0.84.3
+  resolution: "@glimmer/global-context@npm:0.84.3"
+  dependencies:
+    "@glimmer/env": ^0.1.7
+  checksum: 89e699acfa1f23fe8ce8fd48455897781dfd935b7d1ef97d8d268ee38456a69a2ce09bcb18c250f17cb019a16cf0f2e4fdd5b178f9ddc233b42f1cc7e5c85157
+  languageName: node
+  linkType: hard
+
+"@glimmer/interfaces@npm:0.84.3":
+  version: 0.84.3
+  resolution: "@glimmer/interfaces@npm:0.84.3"
+  dependencies:
+    "@simple-dom/interface": ^1.4.0
+  checksum: f6a6757a2fc6fc0a8aeb9c1ce4acaec7adf03b31130c9c3149265a401d8fc4773dfb1ff6a567fc008c669cb3c5b9a94f505c68298f72f283d03a46bc0dcb1121
+  languageName: node
+  linkType: hard
+
+"@glimmer/interfaces@npm:^0.42.2":
+  version: 0.42.2
+  resolution: "@glimmer/interfaces@npm:0.42.2"
+  checksum: c9dfcba6456955d797e5e0746ba69655c0d99a4962adb0de875e8de4e826767bce1c544966468bc9da40468286572966e59ce2c19b3f3879bfd23922b7d57cc6
+  languageName: node
+  linkType: hard
+
+"@glimmer/low-level@npm:^0.42.2":
+  version: 0.42.2
+  resolution: "@glimmer/low-level@npm:0.42.2"
+  checksum: 7d7c5af8d127e588853ad590f4bfa4d06c545b27b86dfee102e036a5cf9a59971d735b8a13f7611cf8c4006c10349e93a15a7eb55e246cb2f047bf2d524b0f6d
+  languageName: node
+  linkType: hard
+
+"@glimmer/program@npm:^0.42.2":
+  version: 0.42.2
+  resolution: "@glimmer/program@npm:0.42.2"
+  dependencies:
+    "@glimmer/encoder": ^0.42.2
+    "@glimmer/interfaces": ^0.42.2
+    "@glimmer/util": ^0.42.2
+  checksum: 570c60a96b96c37c43bfae1fe9c5b29459d0c0c4eadc2da478ccfe38f1a3e3ab5d0dffa05d09ac4828899ccf610b9ff987e5cc76b5491570c16448b82db975aa
+  languageName: node
+  linkType: hard
+
+"@glimmer/reference@npm:^0.42.1, @glimmer/reference@npm:^0.42.2":
+  version: 0.42.2
+  resolution: "@glimmer/reference@npm:0.42.2"
+  dependencies:
+    "@glimmer/util": ^0.42.2
+  checksum: b5b66e2210b429d69a3287fed79b4fb4036282da2f31ea2b8c0a200e452fd21bcb4dff39b031d2cc98646d9443b2b8fb0c910aaf30cc3b0597df0f07532b361d
+  languageName: node
+  linkType: hard
+
+"@glimmer/reference@npm:^0.84.3":
+  version: 0.84.3
+  resolution: "@glimmer/reference@npm:0.84.3"
+  dependencies:
+    "@glimmer/env": ^0.1.7
+    "@glimmer/global-context": 0.84.3
+    "@glimmer/interfaces": 0.84.3
+    "@glimmer/util": 0.84.3
+    "@glimmer/validator": 0.84.3
+  checksum: 856456c1211cb1c1ddc5c48b8aea924f1b1f19625be1984f2bc7147af49d89c70e3f356bf7d299aa519ee53a21ca4c7371277be14218c37d9206e4cac2f05b9e
+  languageName: node
+  linkType: hard
+
+"@glimmer/runtime@npm:^0.42.1":
+  version: 0.42.2
+  resolution: "@glimmer/runtime@npm:0.42.2"
+  dependencies:
+    "@glimmer/interfaces": ^0.42.2
+    "@glimmer/low-level": ^0.42.2
+    "@glimmer/program": ^0.42.2
+    "@glimmer/reference": ^0.42.2
+    "@glimmer/util": ^0.42.2
+    "@glimmer/vm": ^0.42.2
+    "@glimmer/wire-format": ^0.42.2
+  checksum: 45345713e44033fac3fc8356ce5ab1b1e90ff998ed25bdd0b615a45f05574b65b8fc87dbc22ed79a7c8d448f1c634228ab5aa546ea50a2ba878a45453bfe4fe2
+  languageName: node
+  linkType: hard
+
+"@glimmer/syntax@npm:^0.42.1":
+  version: 0.42.2
+  resolution: "@glimmer/syntax@npm:0.42.2"
+  dependencies:
+    "@glimmer/interfaces": ^0.42.2
+    "@glimmer/util": ^0.42.2
+    handlebars: ^4.0.13
+    simple-html-tokenizer: ^0.5.8
+  checksum: 7597a643b88a967fbb85c3c3e0a8f57a4e7a328f78b9605fb31a5ee678531ca0b7935971cab8755af33f2b3ea71836a38e10dffbec259c6ab1ca411c2f1ec80d
+  languageName: node
+  linkType: hard
+
+"@glimmer/syntax@npm:^0.84.2, @glimmer/syntax@npm:^0.84.3":
+  version: 0.84.3
+  resolution: "@glimmer/syntax@npm:0.84.3"
+  dependencies:
+    "@glimmer/interfaces": 0.84.3
+    "@glimmer/util": 0.84.3
+    "@handlebars/parser": ~2.0.0
+    simple-html-tokenizer: ^0.5.11
+  checksum: afadea62f1c54735df723120a94f4da3cb663d762be1c9b130f8d22584ccc93a037198b60759706d3cf0d3658268170eae687dfdc7cb21e5c0a9af7005ebc727
+  languageName: node
+  linkType: hard
+
+"@glimmer/tracking@npm:^1.0.0, @glimmer/tracking@npm:^1.1.2":
+  version: 1.1.2
+  resolution: "@glimmer/tracking@npm:1.1.2"
+  dependencies:
+    "@glimmer/env": ^0.1.7
+    "@glimmer/validator": ^0.44.0
+  checksum: a36aaf70c831fbfd9fb6f6e7b9cacb7130b0dbb87206234cd8e5fcbfa42070cab48d7d9b16eb6918f266ac3ae0414d968b1903b520a69f0eac2a8f303179f8ff
+  languageName: node
+  linkType: hard
+
+"@glimmer/tracking@npm:^1.0.4":
+  version: 1.0.4
+  resolution: "@glimmer/tracking@npm:1.0.4"
+  dependencies:
+    "@glimmer/env": ^0.1.7
+    "@glimmer/validator": ^0.44.0
+  checksum: 5e6359c92a2937f9710d21ad5e2edf2ce579c18e4fc2905940088738cda2ddf1162279bb41248047ced3c948885db346c844556e784eb70ebadb349d0ab587a3
+  languageName: node
+  linkType: hard
+
+"@glimmer/util@npm:0.84.3":
+  version: 0.84.3
+  resolution: "@glimmer/util@npm:0.84.3"
+  dependencies:
+    "@glimmer/env": 0.1.7
+    "@glimmer/interfaces": 0.84.3
+    "@simple-dom/interface": ^1.4.0
+  checksum: d0f8d461a7653a113e630ee45aa57e4efbc33f78ab7b7ce12bdaa699b3513df93a7ffba96b1863883fafe566b650dfb01c4122f79207d6267d1655255b9baa4a
+  languageName: node
+  linkType: hard
+
+"@glimmer/util@npm:^0.42.2":
+  version: 0.42.2
+  resolution: "@glimmer/util@npm:0.42.2"
+  checksum: 996a84c3db284e47202a7daeccce31870a413dd6817a88908ad18484f2cd4559d19c8bc98e921cc00db72db3a1efa52931725abe4c71d4a3bb1bb78a50fb739a
+  languageName: node
+  linkType: hard
+
+"@glimmer/util@npm:^0.44.0":
+  version: 0.44.0
+  resolution: "@glimmer/util@npm:0.44.0"
+  checksum: e1c5f74c265afb2ccdc10e183d6784dc29d2cb98f2aca10b068f3dce29e67a3967c760af750e88e0a2f1c80e2cfc0de5ee6e96bb90dcb97493a2e6f51d36b129
+  languageName: node
+  linkType: hard
+
+"@glimmer/validator@npm:0.84.3, @glimmer/validator@npm:^0.84.3":
+  version: 0.84.3
+  resolution: "@glimmer/validator@npm:0.84.3"
+  dependencies:
+    "@glimmer/env": ^0.1.7
+    "@glimmer/global-context": 0.84.3
+  checksum: 58ac3c49a1a601de8271cfcc0f27415fa2388283ae90dd2b4f785f5ab44fa12506c8b32cfc6c74d69bb60ca27745b4f6707fec07a8dff78f2d9da9f9aecc2afa
+  languageName: node
+  linkType: hard
+
+"@glimmer/validator@npm:^0.44.0":
+  version: 0.44.0
+  resolution: "@glimmer/validator@npm:0.44.0"
+  checksum: c68a169ee196a17a142b2375928d1b5b2bad2f1f7961a9a14b6a5ef0b8d5c66af7004d678502d2ae83f6b69c1745cbcecbf71607b140924dec9da96e413fd8d4
+  languageName: node
+  linkType: hard
+
+"@glimmer/vm-babel-plugins@npm:0.84.2":
+  version: 0.84.2
+  resolution: "@glimmer/vm-babel-plugins@npm:0.84.2"
+  dependencies:
+    babel-plugin-debug-macros: ^0.3.4
+  checksum: 708434ad7535c26592f51d9cbacbc101c379903638d371e1e20d3a3ba7a3932e3a80045a126927e95e553dd2fbde2b3cb4d4f23328e5ff938b39bbe1eb5bb891
+  languageName: node
+  linkType: hard
+
+"@glimmer/vm@npm:^0.42.2":
+  version: 0.42.2
+  resolution: "@glimmer/vm@npm:0.42.2"
+  dependencies:
+    "@glimmer/interfaces": ^0.42.2
+    "@glimmer/util": ^0.42.2
+  checksum: 3adb1963fb5cfe9ee795e10f144ec0ba1c5e9289525a95b3e506d05477da47247f36e01837dbfe5f728d74a6d44f4d62e1a59e7ec9ebdaabf5cbe955c643dc34
+  languageName: node
+  linkType: hard
+
+"@glimmer/wire-format@npm:^0.42.2":
+  version: 0.42.2
+  resolution: "@glimmer/wire-format@npm:0.42.2"
+  dependencies:
+    "@glimmer/interfaces": ^0.42.2
+    "@glimmer/util": ^0.42.2
+  checksum: f1778ba0ec24a41f15b55e328854d9e9dbd3371269bc6912b633b5487f52f725a8f12b0ef9ba4b9614633b89abdc2b02ee7a25a07b28ab2452ffe6b854589adb
+  languageName: node
+  linkType: hard
+
+"@handlebars/parser@npm:~2.0.0":
+  version: 2.0.0
+  resolution: "@handlebars/parser@npm:2.0.0"
+  checksum: add32d6678b18db73fb88266138bc358abf94c255f4464b936b5b66e3108205c6cc3b611a726e0a691633552b94c0f9f65aed43fd4c51ecbbfb562179c967d88
+  languageName: node
+  linkType: hard
+
+"@hashicorp/design-system-components@npm:^3.3.0":
+  version: 3.3.0
+  resolution: "@hashicorp/design-system-components@npm:3.3.0"
+  dependencies:
+    "@ember/render-modifiers": ^2.0.5
+    "@ember/string": ^3.1.1
+    "@ember/test-waiters": ^3.1.0
+    "@hashicorp/design-system-tokens": ^1.9.0
+    "@hashicorp/ember-flight-icons": ^4.0.4
+    dialog-polyfill: ^0.5.6
+    ember-a11y-refocus: ^3.0.2
+    ember-auto-import: ^2.6.3
+    ember-cached-decorator-polyfill: ^1.0.2
+    ember-cli-babel: ^8.2.0
+    ember-cli-htmlbars: ^6.3.0
+    ember-cli-sass: ^11.0.1
+    ember-composable-helpers: ^5.0.0
+    ember-element-helper: ^0.8.5
+    ember-focus-trap: ^1.1.0
+    ember-keyboard: ^8.2.1
+    ember-stargate: ^0.4.3
+    ember-style-modifier: ^3.0.1
+    ember-truth-helpers: ^3.1.1
+    prismjs: ^1.29.0
+    sass: ^1.69.5
+    tippy.js: ^6.3.7
+  checksum: 47b3262ec9a31e03110309c80833e1b504baa126851106328b0f5668b7c4f312116e35a9f876aedea80ed71de7a32ee8b530498a947adc8f1fe3db8102a6a227
+  languageName: node
+  linkType: hard
+
+"@hashicorp/design-system-tokens@npm:^1.9.0":
+  version: 1.9.0
+  resolution: "@hashicorp/design-system-tokens@npm:1.9.0"
+  checksum: 72da214205dfca9e49726745e18f8a19674d36d656bd2e4ff3fec42b2ce06fbbba0ad673e6ec2333128e1b9bf67bfac2e4dd792ea37a1534a5040e6a4481855e
+  languageName: node
+  linkType: hard
+
+"@hashicorp/ember-flight-icons@npm:^4.0.4":
+  version: 4.0.4
+  resolution: "@hashicorp/ember-flight-icons@npm:4.0.4"
+  dependencies:
+    "@hashicorp/flight-icons": ^2.23.0
+    ember-auto-import: ^2.6.3
+    ember-cli-babel: ^8.2.0
+    ember-cli-htmlbars: ^6.3.0
+    ember-get-config: ^2.1.1
+  checksum: fb0a0f26feb80d1dc663b6fd4e1b6849b8c93e4607f8d790f2fa646cee96b4f3df339951b8adddbf85c39052c72fdf54fc4b910baf2fd64c188d660635c8ba73
+  languageName: node
+  linkType: hard
+
+"@hashicorp/flight-icons@npm:^2.23.0":
+  version: 2.23.0
+  resolution: "@hashicorp/flight-icons@npm:2.23.0"
+  checksum: 0a216a868244bcb3220e13061e5353fd16a0296c1aa9f7444ba2a7148e78532698e7c36a1318573b8ec7fe0283c68c93e7bfbd79a19eb24b2f0006ab78d3b191
+  languageName: node
+  linkType: hard
+
+"@hashicorp/structure-icons@npm:^1.3.0":
+  version: 1.8.1
+  resolution: "@hashicorp/structure-icons@npm:1.8.1"
+  checksum: 578afba4c884a32c196e87cfa22f66482faf0bd9ccf78591e8d16dedec1eff60e95d90858b0607e7a0136922c551f5649bcfc4d6557b27e2688f2c78434c12cd
+  languageName: node
+  linkType: hard
+
+"@humanwhocodes/config-array@npm:^0.11.10":
+  version: 0.11.10
+  resolution: "@humanwhocodes/config-array@npm:0.11.10"
+  dependencies:
+    "@humanwhocodes/object-schema": ^1.2.1
+    debug: ^4.1.1
+    minimatch: ^3.0.5
+  checksum: 1b1302e2403d0e35bc43e66d67a2b36b0ad1119efc704b5faff68c41f791a052355b010fb2d27ef022670f550de24cd6d08d5ecf0821c16326b7dcd0ee5d5d8a
+  languageName: node
+  linkType: hard
+
+"@humanwhocodes/config-array@npm:^0.11.6":
+  version: 0.11.7
+  resolution: "@humanwhocodes/config-array@npm:0.11.7"
+  dependencies:
+    "@humanwhocodes/object-schema": ^1.2.1
+    debug: ^4.1.1
+    minimatch: ^3.0.5
+  checksum: cf506dc45d9488af7fbf108ea6ac2151ba1a25e6d2b94b9b4fc36d2c1e4099b89ff560296dbfa13947e44604d4ca4a90d97a4fb167370bf8dd01a6ca2b6d83ac
+  languageName: node
+  linkType: hard
+
+"@humanwhocodes/module-importer@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "@humanwhocodes/module-importer@npm:1.0.1"
+  checksum: 0fd22007db8034a2cdf2c764b140d37d9020bbfce8a49d3ec5c05290e77d4b0263b1b972b752df8c89e5eaa94073408f2b7d977aed131faf6cf396ebb5d7fb61
+  languageName: node
+  linkType: hard
+
+"@humanwhocodes/object-schema@npm:^1.2.1":
+  version: 1.2.1
+  resolution: "@humanwhocodes/object-schema@npm:1.2.1"
+  checksum: a824a1ec31591231e4bad5787641f59e9633827d0a2eaae131a288d33c9ef0290bd16fda8da6f7c0fcb014147865d12118df10db57f27f41e20da92369fcb3f1
+  languageName: node
+  linkType: hard
+
+"@icholy/duration@npm:^5.1.0":
+  version: 5.1.0
+  resolution: "@icholy/duration@npm:5.1.0"
+  checksum: 48c7c23697a510944bfc52cf0d354eba2b65d14633f910f2dc4c2a5e10e078d3b70bed9b310c37a574f0e6863084aa6cc65518cfc4af5cb2174605c7aad33352
+  languageName: node
+  linkType: hard
+
+"@jridgewell/gen-mapping@npm:^0.3.0":
+  version: 0.3.1
+  resolution: "@jridgewell/gen-mapping@npm:0.3.1"
+  dependencies:
+    "@jridgewell/set-array": ^1.0.0
+    "@jridgewell/sourcemap-codec": ^1.4.10
+    "@jridgewell/trace-mapping": ^0.3.9
+  checksum: e9e7bb3335dea9e60872089761d4e8e089597360cdb1af90370e9d53b7d67232c1e0a3ab65fbfef4fc785745193fbc56bff9f3a6cab6c6ce3f15e12b4191f86b
+  languageName: node
+  linkType: hard
+
+"@jridgewell/gen-mapping@npm:^0.3.2":
+  version: 0.3.2
+  resolution: "@jridgewell/gen-mapping@npm:0.3.2"
+  dependencies:
+    "@jridgewell/set-array": ^1.0.1
+    "@jridgewell/sourcemap-codec": ^1.4.10
+    "@jridgewell/trace-mapping": ^0.3.9
+  checksum: 1832707a1c476afebe4d0fbbd4b9434fdb51a4c3e009ab1e9938648e21b7a97049fa6009393bdf05cab7504108413441df26d8a3c12193996e65493a4efb6882
+  languageName: node
+  linkType: hard
+
+"@jridgewell/resolve-uri@npm:3.1.0":
+  version: 3.1.0
+  resolution: "@jridgewell/resolve-uri@npm:3.1.0"
+  checksum: b5ceaaf9a110fcb2780d1d8f8d4a0bfd216702f31c988d8042e5f8fbe353c55d9b0f55a1733afdc64806f8e79c485d2464680ac48a0d9fcadb9548ee6b81d267
+  languageName: node
+  linkType: hard
+
+"@jridgewell/resolve-uri@npm:^3.0.3":
+  version: 3.0.5
+  resolution: "@jridgewell/resolve-uri@npm:3.0.5"
+  checksum: 1ee652b693da7979ac4007926cc3f0a32b657ffeb913e111f44e5b67153d94a2f28a1d560101cc0cf8087625468293a69a00f634a2914e1a6d0817ba2039a913
+  languageName: node
+  linkType: hard
+
+"@jridgewell/set-array@npm:^1.0.0":
+  version: 1.1.1
+  resolution: "@jridgewell/set-array@npm:1.1.1"
+  checksum: cc5d91e0381c347e3edee4ca90b3c292df9e6e55f29acbe0dd97de8651b4730e9ab761406fd572effa79972a0edc55647b627f8c72315e276d959508853d9bf2
+  languageName: node
+  linkType: hard
+
+"@jridgewell/set-array@npm:^1.0.1":
+  version: 1.1.2
+  resolution: "@jridgewell/set-array@npm:1.1.2"
+  checksum: 69a84d5980385f396ff60a175f7177af0b8da4ddb81824cb7016a9ef914eee9806c72b6b65942003c63f7983d4f39a5c6c27185bbca88eb4690b62075602e28e
+  languageName: node
+  linkType: hard
+
+"@jridgewell/source-map@npm:^0.3.2":
+  version: 0.3.2
+  resolution: "@jridgewell/source-map@npm:0.3.2"
+  dependencies:
+    "@jridgewell/gen-mapping": ^0.3.0
+    "@jridgewell/trace-mapping": ^0.3.9
+  checksum: 1b83f0eb944e77b70559a394d5d3b3f98a81fcc186946aceb3ef42d036762b52ef71493c6c0a3b7c1d2f08785f53ba2df1277fe629a06e6109588ff4cdcf7482
+  languageName: node
+  linkType: hard
+
+"@jridgewell/sourcemap-codec@npm:1.4.14":
+  version: 1.4.14
+  resolution: "@jridgewell/sourcemap-codec@npm:1.4.14"
+  checksum: 61100637b6d173d3ba786a5dff019e1a74b1f394f323c1fee337ff390239f053b87266c7a948777f4b1ee68c01a8ad0ab61e5ff4abb5a012a0b091bec391ab97
+  languageName: node
+  linkType: hard
+
+"@jridgewell/sourcemap-codec@npm:^1.4.10":
+  version: 1.4.11
+  resolution: "@jridgewell/sourcemap-codec@npm:1.4.11"
+  checksum: 3b2afaf8400fb07a36db60e901fcce6a746cdec587310ee9035939d89878e57b2dec8173b0b8f63176f647efa352294049a53c49739098eb907ff81fec2547c8
+  languageName: node
+  linkType: hard
+
+"@jridgewell/sourcemap-codec@npm:^1.4.13":
+  version: 1.4.15
+  resolution: "@jridgewell/sourcemap-codec@npm:1.4.15"
+  checksum: b881c7e503db3fc7f3c1f35a1dd2655a188cc51a3612d76efc8a6eb74728bef5606e6758ee77423e564092b4a518aba569bbb21c9bac5ab7a35b0c6ae7e344c8
+  languageName: node
+  linkType: hard
+
+"@jridgewell/trace-mapping@npm:^0.3.0":
+  version: 0.3.4
+  resolution: "@jridgewell/trace-mapping@npm:0.3.4"
+  dependencies:
+    "@jridgewell/resolve-uri": ^3.0.3
+    "@jridgewell/sourcemap-codec": ^1.4.10
+  checksum: ab8bce84bbbc8c34f3ba8325ed926f8f2d3098983c10442a80c55764c4eb6e47d5b92d8ff20a0dd868c3e76a3535651fd8a0138182c290dbfc8396195685c37b
+  languageName: node
+  linkType: hard
+
+"@jridgewell/trace-mapping@npm:^0.3.17":
+  version: 0.3.18
+  resolution: "@jridgewell/trace-mapping@npm:0.3.18"
+  dependencies:
+    "@jridgewell/resolve-uri": 3.1.0
+    "@jridgewell/sourcemap-codec": 1.4.14
+  checksum: 0572669f855260808c16fe8f78f5f1b4356463b11d3f2c7c0b5580c8ba1cbf4ae53efe9f627595830856e57dbac2325ac17eb0c3dd0ec42102e6f227cc289c02
+  languageName: node
+  linkType: hard
+
+"@jridgewell/trace-mapping@npm:^0.3.7, @jridgewell/trace-mapping@npm:^0.3.9":
+  version: 0.3.13
+  resolution: "@jridgewell/trace-mapping@npm:0.3.13"
+  dependencies:
+    "@jridgewell/resolve-uri": ^3.0.3
+    "@jridgewell/sourcemap-codec": ^1.4.10
+  checksum: e38254e830472248ca10a6ed1ae75af5e8514f0680245a5e7b53bc3c030fd8691d4d3115d80595b45d3badead68269769ed47ecbbdd67db1343a11f05700e75a
+  languageName: node
+  linkType: hard
+
+"@lint-todo/utils@npm:^13.0.3":
+  version: 13.0.3
+  resolution: "@lint-todo/utils@npm:13.0.3"
+  dependencies:
+    "@types/eslint": ^7.2.13
+    find-up: ^5.0.0
+    fs-extra: ^9.1.0
+    proper-lockfile: ^4.1.2
+    slash: ^3.0.0
+    tslib: ^2.3.1
+    upath: ^2.0.1
+  checksum: be45ba795e166160a3cfb7fc5f5054cb7c9dd6fe0f5cd39cc15eff7fe70e3c78c8e12b26e97415f1f67e34c80a5d0fafec51b56e725919fabcc7abdf5dfc6244
+  languageName: node
+  linkType: hard
+
+"@mdn/browser-compat-data@npm:^3.3.14":
+  version: 3.3.14
+  resolution: "@mdn/browser-compat-data@npm:3.3.14"
+  checksum: 0363cc9cb3cef308b78b3ba82af0542ad928bacecc95ee1e849c134c3eb866f4771df9fb064fd4da42fdb28e2d6932e0abb6e47ed47fbc42a26a9b0a5aee1e9f
+  languageName: node
+  linkType: hard
+
+"@mdn/browser-compat-data@npm:^4.1.5":
+  version: 4.2.1
+  resolution: "@mdn/browser-compat-data@npm:4.2.1"
+  checksum: 76eaa7dafed154040e769ba6d23f2dcb58e805ed3ccb376a5c4b76326c92643753c20194faed363870800dc3c1af26c107b8562710c8bb37aaee8c5ffe2a89cd
+  languageName: node
+  linkType: hard
+
+"@messageformat/core@npm:^3.0.1":
+  version: 3.0.1
+  resolution: "@messageformat/core@npm:3.0.1"
+  dependencies:
+    "@messageformat/date-skeleton": ^1.0.0
+    "@messageformat/number-skeleton": ^1.0.0
+    "@messageformat/parser": ^5.0.0
+    "@messageformat/runtime": ^3.0.1
+    make-plural: ^7.0.0
+    safe-identifier: ^0.4.1
+  checksum: f08c982d54ef2ddf32de2a3425746e6efd37ce63154f97ff038edb1e02eb4e3e4c39f2aa42ef3d036e2f1b61eee0a2589e76158b0b91510355ef8348f2f8252f
+  languageName: node
+  linkType: hard
+
+"@messageformat/date-skeleton@npm:^1.0.0":
+  version: 1.0.1
+  resolution: "@messageformat/date-skeleton@npm:1.0.1"
+  checksum: 0832029a18ae54c81d4473eaa764cebbabe084d1a3253a6d4975e5802bff7416a51d43522aad9292eb9663735282a7667e2818efc92905c497ca87424d822ceb
+  languageName: node
+  linkType: hard
+
+"@messageformat/number-skeleton@npm:^1.0.0":
+  version: 1.1.0
+  resolution: "@messageformat/number-skeleton@npm:1.1.0"
+  checksum: 03cf337ef4b95782546e8e2c831f7d2f1310ee9f49635adeef1259c17256c91cb68a59fb97b76a59fddaac284ee739c0a0e0003bcec8d92f6ff156a240a6c23f
+  languageName: node
+  linkType: hard
+
+"@messageformat/parser@npm:^5.0.0":
+  version: 5.0.0
+  resolution: "@messageformat/parser@npm:5.0.0"
+  dependencies:
+    moo: ^0.5.1
+  checksum: e595910e8801e17b1e762a1824e4fc97baf6ccc21f5f896d6eae3e537ca2eaed0f699ac20b44d03c38ad20340b57ef0f7c7cf056213d31dd156e65b4d030c8c0
+  languageName: node
+  linkType: hard
+
+"@messageformat/runtime@npm:^3.0.1":
+  version: 3.0.1
+  resolution: "@messageformat/runtime@npm:3.0.1"
+  dependencies:
+    make-plural: ^7.0.0
+  checksum: e69c3b0b372e15af88c285f6884ac0e3ba5fc7227b8ddc7f4bef94cb5675057126dc0ae9001e2a623d7ec61727d9b5e69b8e61be8618afe0baf40081ad3b0568
+  languageName: node
+  linkType: hard
+
+"@miragejs/pretender-node-polyfill@npm:^0.1.0":
+  version: 0.1.2
+  resolution: "@miragejs/pretender-node-polyfill@npm:0.1.2"
+  checksum: bb55983a253dc0d4162acac090b062500595c9844bfbd21fe25bc1f926808d0070d710e622aa6285fa16c673a65cf3e05f4b32e888c469f1bde8888a7934ee44
+  languageName: node
+  linkType: hard
+
+"@nicolo-ribaudo/eslint-scope-5-internals@npm:5.1.1-v1":
+  version: 5.1.1-v1
+  resolution: "@nicolo-ribaudo/eslint-scope-5-internals@npm:5.1.1-v1"
+  dependencies:
+    eslint-scope: 5.1.1
+  checksum: f2e3b2d6a6e2d9f163ca22105910c9f850dc4897af0aea3ef0a5886b63d8e1ba6505b71c99cb78a3bba24a09557d601eb21c8dede3f3213753fcfef364eb0e57
+  languageName: node
+  linkType: hard
+
+"@nodelib/fs.scandir@npm:2.1.4":
+  version: 2.1.4
+  resolution: "@nodelib/fs.scandir@npm:2.1.4"
+  dependencies:
+    "@nodelib/fs.stat": 2.0.4
+    run-parallel: ^1.1.9
+  checksum: 18c2150ab52a042bd65babe5b70106e6586dc036644131c33d253ff99e5eeef2e65858ab40161530a6f22b512a65e7c7629f0f1e0f35c00ee4c606f960d375ba
+  languageName: node
+  linkType: hard
+
+"@nodelib/fs.scandir@npm:2.1.5":
+  version: 2.1.5
+  resolution: "@nodelib/fs.scandir@npm:2.1.5"
+  dependencies:
+    "@nodelib/fs.stat": 2.0.5
+    run-parallel: ^1.1.9
+  checksum: a970d595bd23c66c880e0ef1817791432dbb7acbb8d44b7e7d0e7a22f4521260d4a83f7f9fd61d44fda4610105577f8f58a60718105fb38352baed612fd79e59
+  languageName: node
+  linkType: hard
+
+"@nodelib/fs.stat@npm:2.0.4, @nodelib/fs.stat@npm:^2.0.2":
+  version: 2.0.4
+  resolution: "@nodelib/fs.stat@npm:2.0.4"
+  checksum: d0d9745f878816d041a8b36faf5797d88ba961274178f0ad1f7fe0efef8118ca9bd0e43e4d0d85a9af911bd35122ec1580e626a83d7595fc4d60f2c1c70e2665
+  languageName: node
+  linkType: hard
+
+"@nodelib/fs.stat@npm:2.0.5":
+  version: 2.0.5
+  resolution: "@nodelib/fs.stat@npm:2.0.5"
+  checksum: 012480b5ca9d97bff9261571dbbec7bbc6033f69cc92908bc1ecfad0792361a5a1994bc48674b9ef76419d056a03efadfce5a6cf6dbc0a36559571a7a483f6f0
+  languageName: node
+  linkType: hard
+
+"@nodelib/fs.walk@npm:^1.2.3":
+  version: 1.2.6
+  resolution: "@nodelib/fs.walk@npm:1.2.6"
+  dependencies:
+    "@nodelib/fs.scandir": 2.1.4
+    fastq: ^1.6.0
+  checksum: d156901823b3d3de368ad68047a964523e0ce5f796c0aa7712443b1f748d8e7fc24ce2c0f18d22a177e1f1c6092bca609ab5e4cb1792c41cdc8a6989bc391139
+  languageName: node
+  linkType: hard
+
+"@nodelib/fs.walk@npm:^1.2.8":
+  version: 1.2.8
+  resolution: "@nodelib/fs.walk@npm:1.2.8"
+  dependencies:
+    "@nodelib/fs.scandir": 2.1.5
+    fastq: ^1.6.0
+  checksum: 190c643f156d8f8f277bf2a6078af1ffde1fd43f498f187c2db24d35b4b4b5785c02c7dc52e356497b9a1b65b13edc996de08de0b961c32844364da02986dc53
+  languageName: node
+  linkType: hard
+
+"@npmcli/fs@npm:^2.1.0":
+  version: 2.1.2
+  resolution: "@npmcli/fs@npm:2.1.2"
+  dependencies:
+    "@gar/promisify": ^1.1.3
+    semver: ^7.3.5
+  checksum: 405074965e72d4c9d728931b64d2d38e6ea12066d4fad651ac253d175e413c06fe4350970c783db0d749181da8fe49c42d3880bd1cbc12cd68e3a7964d820225
+  languageName: node
+  linkType: hard
+
+"@npmcli/move-file@npm:^2.0.0":
+  version: 2.0.1
+  resolution: "@npmcli/move-file@npm:2.0.1"
+  dependencies:
+    mkdirp: ^1.0.4
+    rimraf: ^3.0.2
+  checksum: 52dc02259d98da517fae4cb3a0a3850227bdae4939dda1980b788a7670636ca2b4a01b58df03dd5f65c1e3cb70c50fa8ce5762b582b3f499ec30ee5ce1fd9380
+  languageName: node
+  linkType: hard
+
+"@popperjs/core@npm:^2.9.0":
+  version: 2.11.8
+  resolution: "@popperjs/core@npm:2.11.8"
+  checksum: e5c69fdebf52a4012f6a1f14817ca8e9599cb1be73dd1387e1785e2ed5e5f0862ff817f420a87c7fc532add1f88a12e25aeb010ffcbdc98eace3d55ce2139cf0
+  languageName: node
+  linkType: hard
+
+"@prettier/eslint@npm:prettier-eslint@^15.0.1":
+  version: 15.0.1
+  resolution: "prettier-eslint@npm:15.0.1"
+  dependencies:
+    "@types/eslint": ^8.4.2
+    "@types/prettier": ^2.6.0
+    "@typescript-eslint/parser": ^5.10.0
+    common-tags: ^1.4.0
+    dlv: ^1.1.0
+    eslint: ^8.7.0
+    indent-string: ^4.0.0
+    lodash.merge: ^4.6.0
+    loglevel-colored-level-prefix: ^1.0.0
+    prettier: ^2.5.1
+    pretty-format: ^23.0.1
+    require-relative: ^0.8.7
+    typescript: ^4.5.4
+    vue-eslint-parser: ^8.0.1
+  checksum: fad92d666ab92f6c773faf507ee15f2c0de8c8ac2b692a57a7c0621202f90d9e577f2664d8a701ec3b96bec3ecba586e49c3d9170de9392c0ee7c3362fdddcae
+  languageName: node
+  linkType: hard
+
+"@rollup/plugin-replace@npm:2.3.0":
+  version: 2.3.0
+  resolution: "@rollup/plugin-replace@npm:2.3.0"
+  dependencies:
+    magic-string: ^0.25.2
+    rollup-pluginutils: ^2.6.0
+  peerDependencies:
+    rollup: ^1.20.0
+  checksum: 561e483398d15f594ebc87fda2760a5528da9abfa1fe1c3865280e18201fafb4e60587dc38e8b7781b15db10acc39da5f6ec700ac129fc931d31c060b304b96b
+  languageName: node
+  linkType: hard
+
+"@simple-dom/interface@npm:^1.4.0":
+  version: 1.4.0
+  resolution: "@simple-dom/interface@npm:1.4.0"
+  checksum: e0ce8b6174208c5a369c2650094d16080230bf90cb95cc8258f9fd6b93be8afedbffb9d63da7f1d295a4e8d901f5fff907a69e1d55556db9e8544f2615b2f1d7
+  languageName: node
+  linkType: hard
+
+"@sinonjs/commons@npm:^1, @sinonjs/commons@npm:^1.3.0, @sinonjs/commons@npm:^1.4.0, @sinonjs/commons@npm:^1.7.0":
+  version: 1.8.3
+  resolution: "@sinonjs/commons@npm:1.8.3"
+  dependencies:
+    type-detect: 4.0.8
+  checksum: 6159726db5ce6bf9f2297f8427f7ca5b3dff45b31e5cee23496f1fa6ef0bb4eab878b23fb2c5e6446381f6a66aba4968ef2fc255c1180d753d4b8c271636a2e5
+  languageName: node
+  linkType: hard
+
+"@sinonjs/formatio@npm:^3.2.1":
+  version: 3.2.2
+  resolution: "@sinonjs/formatio@npm:3.2.2"
+  dependencies:
+    "@sinonjs/commons": ^1
+    "@sinonjs/samsam": ^3.1.0
+  checksum: ddc30698df9b0aa59204da93ca94fd04bc5672ac03c798c0a487c35d514d7d8e0ce0e4c72386fc80e29f59cb1cc54eeea3b7f804281b3c4e3dd2394de56c6e4a
+  languageName: node
+  linkType: hard
+
+"@sinonjs/samsam@npm:^3.1.0, @sinonjs/samsam@npm:^3.3.3":
+  version: 3.3.3
+  resolution: "@sinonjs/samsam@npm:3.3.3"
+  dependencies:
+    "@sinonjs/commons": ^1.3.0
+    array-from: ^2.1.1
+    lodash: ^4.17.15
+  checksum: 340f2f62dec3fa1e5e9300a75996bd12ab9d2da4f6b453fa5d1ee101cc5e58eb218af2e2584b496d41ba31c3c0854d47a691fd9a0d8b9092f3cb6a5c7a080856
+  languageName: node
+  linkType: hard
+
+"@sinonjs/text-encoding@npm:^0.7.1":
+  version: 0.7.1
+  resolution: "@sinonjs/text-encoding@npm:0.7.1"
+  checksum: 130de0bb568c5f8a611ec21d1a4e3f80ab0c5ec333010f49cfc1adc5cba6d8808699c8a587a46b0f0b016a1f4c1389bc96141e773e8460fcbb441875b2e91ba7
+  languageName: node
+  linkType: hard
+
+"@socket.io/component-emitter@npm:~3.1.0":
+  version: 3.1.0
+  resolution: "@socket.io/component-emitter@npm:3.1.0"
+  checksum: db069d95425b419de1514dffe945cc439795f6a8ef5b9465715acf5b8b50798e2c91b8719cbf5434b3fe7de179d6cdcd503c277b7871cb3dd03febb69bdd50fa
+  languageName: node
+  linkType: hard
+
+"@textlint/ast-node-types@npm:^12.1.1":
+  version: 12.1.1
+  resolution: "@textlint/ast-node-types@npm:12.1.1"
+  checksum: 6ccae9ac7f43cb172142098a3764c490feea311a741aa3fe981d6d3a1e06041d179e690b54b920dcaa067453f3220d46e6935728e4c9d72233f735f27410e86f
+  languageName: node
+  linkType: hard
+
+"@textlint/markdown-to-ast@npm:^12.1.1":
+  version: 12.1.1
+  resolution: "@textlint/markdown-to-ast@npm:12.1.1"
+  dependencies:
+    "@textlint/ast-node-types": ^12.1.1
+    debug: ^4.3.3
+    remark-footnotes: ^3.0.0
+    remark-frontmatter: ^3.0.0
+    remark-gfm: ^1.0.0
+    remark-parse: ^9.0.0
+    traverse: ^0.6.6
+    unified: ^9.2.2
+  checksum: c857a9e3b26fd96486cf96914c15c20d68d7d1b2f201295a75acec1ccc14725a54d76e9f9311170f56dd43a1666ac3a69b85f7e794af915bc6e23953cd5921a9
+  languageName: node
+  linkType: hard
+
+"@tootallnate/once@npm:2":
+  version: 2.0.0
+  resolution: "@tootallnate/once@npm:2.0.0"
+  checksum: ad87447820dd3f24825d2d947ebc03072b20a42bfc96cbafec16bff8bbda6c1a81fcb0be56d5b21968560c5359a0af4038a68ba150c3e1694fe4c109a063bed8
+  languageName: node
+  linkType: hard
+
+"@tsconfig/ember@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "@tsconfig/ember@npm:1.0.1"
+  checksum: e53968a3ebcb099f13da1377c3216a48af7e20d5489f7dbb2e3297def30b5cc5390db7b632fa6d0fa98e52e6e3c636c5fb2a2b6b1850c2475d5e87a26739b2e6
+  languageName: node
+  linkType: hard
+
+"@types/acorn@npm:^4.0.3":
+  version: 4.0.5
+  resolution: "@types/acorn@npm:4.0.5"
+  dependencies:
+    "@types/estree": "*"
+  checksum: 2079630adff1224120ac40c2f503fe602582d9d84f732a32550c7bbd0c87741a88bc5bc4cdba7888211d04bfa9fcb09c7c211889aa6c15ddb0150a30a36955ae
+  languageName: node
+  linkType: hard
+
+"@types/body-parser@npm:*":
+  version: 1.19.0
+  resolution: "@types/body-parser@npm:1.19.0"
+  dependencies:
+    "@types/connect": "*"
+    "@types/node": "*"
+  checksum: 15043566f1909e2a08dabb0a5d2642f8988545a1369bc5995fc40ee90c95200da2aa66f9240fcb19fc6af6ff4e27ff453f311b49363c14bb308c308c0751ca9b
+  languageName: node
+  linkType: hard
+
+"@types/broccoli-plugin@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "@types/broccoli-plugin@npm:3.0.0"
+  dependencies:
+    broccoli-plugin: "*"
+  checksum: c5daf3b3ff689a00fa18c90c08e2998c373b7ee11235fcd63ad5ad03ff5d9b844f2b84fca966682490853a443714db4d2f0b389208478a0c1d4e7666f85ca04f
+  languageName: node
+  linkType: hard
+
+"@types/chai-as-promised@npm:^7.1.2":
+  version: 7.1.3
+  resolution: "@types/chai-as-promised@npm:7.1.3"
+  dependencies:
+    "@types/chai": "*"
+  checksum: cf0232eb7bc450fc37c8f4688c91ef86528fb994f67036480cba4679299a99ad65a3a2dcaf34c748b30c0cf9f392761f11cee2a9f5c8e26d9ca07ae934aa4465
+  languageName: node
+  linkType: hard
+
+"@types/chai@npm:*, @types/chai@npm:^4.2.9":
+  version: 4.2.17
+  resolution: "@types/chai@npm:4.2.17"
+  checksum: a5657eea35d797d494cca1b479499ff129a051c7a74e4cbeb2a0660d9a263541c24f4bda9d827f806f36f90e0b46038069bad3eac7559c40f59f212ff09696f0
+  languageName: node
+  linkType: hard
+
+"@types/connect@npm:*":
+  version: 3.4.34
+  resolution: "@types/connect@npm:3.4.34"
+  dependencies:
+    "@types/node": "*"
+  checksum: c6e2aa299cf3979c00602f48ce9163700f0cbfec6ba2a8e1506d08f51da0279805a478ea094252fad7c369a563ee033b359c708ab34b1763397c58d7e2df07ad
+  languageName: node
+  linkType: hard
+
+"@types/cookie@npm:^0.4.1":
+  version: 0.4.1
+  resolution: "@types/cookie@npm:0.4.1"
+  checksum: 3275534ed69a76c68eb1a77d547d75f99fedc80befb75a3d1d03662fb08d697e6f8b1274e12af1a74c6896071b11510631ba891f64d30c78528d0ec45a9c1a18
+  languageName: node
+  linkType: hard
+
+"@types/cors@npm:^2.8.12":
+  version: 2.8.12
+  resolution: "@types/cors@npm:2.8.12"
+  checksum: 8c45f112c7d1d2d831b4b266f2e6ed33a1887a35dcbfe2a18b28370751fababb7cd045e745ef84a523c33a25932678097bf79afaa367c6cb3fa0daa7a6438257
+  languageName: node
+  linkType: hard
+
+"@types/ember-data@npm:*, @types/ember-data@npm:^4.4.6":
+  version: 4.4.6
+  resolution: "@types/ember-data@npm:4.4.6"
+  dependencies:
+    "@types/ember": "*"
+    "@types/ember__error": "*"
+    "@types/ember__object": "*"
+    "@types/rsvp": "*"
+  checksum: 641f43f5c82aab651ef00555ffe07cdf8c1e0ac581ade582479e48b3e89a258efbf083391b20b723c239eadac0418b1eb4c3ce14ec9a61477ac33f758379fae7
+  languageName: node
+  linkType: hard
+
+"@types/ember-data__adapter@npm:^4.0.1":
+  version: 4.0.1
+  resolution: "@types/ember-data__adapter@npm:4.0.1"
+  dependencies:
+    "@types/ember-data": "*"
+  checksum: 5636fc85c2b7496d608af5494d1c6b82a3bf7f0d88f9037824bf203b0e4e167805544eebef63e019991a5a388e567851b211a041f4b3d12ddb1881748e5a65a9
+  languageName: node
+  linkType: hard
+
+"@types/ember-data__model@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "@types/ember-data__model@npm:4.0.0"
+  dependencies:
+    "@types/ember-data": "*"
+  checksum: 6a46583608af66018c9ce88d2d3cbe21f5526f479f9a442d3d3a0ab69f282437b8478fbcca4bafa9236c9e5cbc4ffe7ddadd2e1a6a81d6b58ebe553011970485
+  languageName: node
+  linkType: hard
+
+"@types/ember-data__serializer@npm:^4.0.1":
+  version: 4.0.1
+  resolution: "@types/ember-data__serializer@npm:4.0.1"
+  dependencies:
+    "@types/ember-data": "*"
+  checksum: e2e14b8c99a3d33bff69aee1bdaf1b90fc5e87482fc49a22f4ff0aa9892494a0f8c72231ac600e8686d77598579c524587319f76520ce59b8a9ac3895a1de1e3
+  languageName: node
+  linkType: hard
+
+"@types/ember-data__store@npm:^4.0.2":
+  version: 4.0.2
+  resolution: "@types/ember-data__store@npm:4.0.2"
+  dependencies:
+    "@types/ember-data": "*"
+  checksum: 7b1ac271ab4fc327d495fd2abe32f780660c4daa5b2e3f720d61776dd235b7f9b8ea46d1b9b523f14975e0e2c7d3aa13990cd116a13440c8f43fa9e389393337
+  languageName: node
+  linkType: hard
+
+"@types/ember-qunit@npm:^5.0.2":
+  version: 5.0.2
+  resolution: "@types/ember-qunit@npm:5.0.2"
+  dependencies:
+    "@types/ember-resolver": "*"
+    "@types/ember__test": "*"
+    "@types/ember__test-helpers": "*"
+    "@types/qunit": "*"
+  checksum: f7c6e9e5721e0708e7290e68e2f14b55baa4dd5d27fd3bb760dc380e92aa03d3b7b93da090d40e34d47d85e6d4451a73e7a7f4398708047164bb10e46da60ad2
+  languageName: node
+  linkType: hard
+
+"@types/ember-resolver@npm:*, @types/ember-resolver@npm:^5.0.13":
+  version: 5.0.13
+  resolution: "@types/ember-resolver@npm:5.0.13"
+  dependencies:
+    "@types/ember__object": "*"
+    "@types/ember__owner": "*"
+  checksum: 3ece114d8368768d8198e3156b2df51b4be9d4f9ab8d60f2a1cb63a301b48ec485f51f5ddc8ad9b6f4d3739d252107463ff2508bec559efb7d8593e4975e3f48
+  languageName: node
+  linkType: hard
+
+"@types/ember@npm:*, @types/ember@npm:^4.0.2":
+  version: 4.0.2
+  resolution: "@types/ember@npm:4.0.2"
+  dependencies:
+    "@types/ember__application": "*"
+    "@types/ember__array": "*"
+    "@types/ember__component": "*"
+    "@types/ember__controller": "*"
+    "@types/ember__debug": "*"
+    "@types/ember__engine": "*"
+    "@types/ember__error": "*"
+    "@types/ember__object": "*"
+    "@types/ember__polyfills": "*"
+    "@types/ember__routing": "*"
+    "@types/ember__runloop": "*"
+    "@types/ember__service": "*"
+    "@types/ember__string": "*"
+    "@types/ember__template": "*"
+    "@types/ember__test": "*"
+    "@types/ember__utils": "*"
+    "@types/htmlbars-inline-precompile": "*"
+    "@types/rsvp": "*"
+  checksum: 94d3dfba4209ae66119bd1d1bd3aa00c04184d23393c1cffcaf325d984a9ddc0928956be48061d9ce4a6ab0ff371e917f0313b202aeda74c098a1528e6b8c741
+  languageName: node
+  linkType: hard
+
+"@types/ember__application@npm:*, @types/ember__application@npm:^4.0.4":
+  version: 4.0.4
+  resolution: "@types/ember__application@npm:4.0.4"
+  dependencies:
+    "@glimmer/component": ^1.1.0
+    "@types/ember": "*"
+    "@types/ember__application": "*"
+    "@types/ember__engine": "*"
+    "@types/ember__object": "*"
+    "@types/ember__owner": "*"
+    "@types/ember__routing": "*"
+  checksum: 4d5bd9793409d2814d1a068a1a9ee0db8036efb6975266703f5fcd5da21e4194602585e2343567f9f5dff47649a28e4174c7e6eb446f6285e80a2237344c391a
+  languageName: node
+  linkType: hard
+
+"@types/ember__array@npm:*, @types/ember__array@npm:^4.0.3":
+  version: 4.0.3
+  resolution: "@types/ember__array@npm:4.0.3"
+  dependencies:
+    "@types/ember": "*"
+    "@types/ember__array": "*"
+    "@types/ember__object": "*"
+  checksum: 682104300933d306be946d0d86821469800b9849a51b745b35872d3958dc9d0f6f7d1bd2e5da6d5c26bd0c3184639f94d7bde274a16bb8a6c58cef08ddb8a0a6
+  languageName: node
+  linkType: hard
+
+"@types/ember__component@npm:*, @types/ember__component@npm:^4.0.11":
+  version: 4.0.11
+  resolution: "@types/ember__component@npm:4.0.11"
+  dependencies:
+    "@types/ember": "*"
+    "@types/ember__component": "*"
+    "@types/ember__object": "*"
+  checksum: 8b3a012ab6915f43e5d756883e1a05e5a75514d03e4666702bbfeebe1dfab9d0cebbd377ff38908d097bed977ed5a4c4d0fb709d7f657d31386c1f80bbc6d51c
+  languageName: node
+  linkType: hard
+
+"@types/ember__controller@npm:*, @types/ember__controller@npm:^4.0.3":
+  version: 4.0.3
+  resolution: "@types/ember__controller@npm:4.0.3"
+  dependencies:
+    "@types/ember__object": "*"
+  checksum: 1648b656f4a0cc10a28351d893fa765234bf0d8ab123afe75ba2259b31296840ae00da0328bed19241bfa66c0a59a6d237041493440008cd0a8daf9ef8fd1fa3
+  languageName: node
+  linkType: hard
+
+"@types/ember__debug@npm:*, @types/ember__debug@npm:^4.0.3":
+  version: 4.0.3
+  resolution: "@types/ember__debug@npm:4.0.3"
+  dependencies:
+    "@types/ember__debug": "*"
+    "@types/ember__object": "*"
+    "@types/ember__owner": "*"
+  checksum: 69a31777a6ba3dba0c8733b59e06e3f5eae0350cf9665421fd7adf23b8d9e43abfdc423d615b9ac91a4208c804e59c5d5f2b3000a7ed957bb9114a381536009c
+  languageName: node
+  linkType: hard
+
+"@types/ember__destroyable@npm:^4.0.1":
+  version: 4.0.1
+  resolution: "@types/ember__destroyable@npm:4.0.1"
+  checksum: 5cd5f22cc9f76a841a11f805444af9717d964fe72ad7020cbc211a359b9e4a0447ef08aa3b9fb7b4caed593f7aebb4025bc77338afd3fe5e55a5ae20ca6be948
+  languageName: node
+  linkType: hard
+
+"@types/ember__engine@npm:*, @types/ember__engine@npm:^4.0.4":
+  version: 4.0.4
+  resolution: "@types/ember__engine@npm:4.0.4"
+  dependencies:
+    "@types/ember__engine": "*"
+    "@types/ember__object": "*"
+    "@types/ember__owner": "*"
+  checksum: 1b387a89206263ba26dfc0cc6417e8a3aecbb12af3d16522eeb09c78273da12851c5fca614099070920ec17c51ff50ba31e487d73259ab5673d143956b97d35a
+  languageName: node
+  linkType: hard
+
+"@types/ember__error@npm:*, @types/ember__error@npm:^4.0.1":
+  version: 4.0.1
+  resolution: "@types/ember__error@npm:4.0.1"
+  checksum: b4cd081d0efe57c584fb031c8d2b26b16c1e79e4bd115f289a0db438a134ae6a787d03dbc13fe0d80eec5a87942053e5f4d663a9a86006862a4b131f5a0ffd8e
+  languageName: node
+  linkType: hard
+
+"@types/ember__object@npm:*, @types/ember__object@npm:^4.0.5":
+  version: 4.0.5
+  resolution: "@types/ember__object@npm:4.0.5"
+  dependencies:
+    "@types/ember": "*"
+    "@types/ember__object": "*"
+    "@types/rsvp": "*"
+  checksum: 445b5eef70f37c9f06da284742758e4626a3421c1f2e425bdbc7c9952cff14d8ce539f93d1c83b2836f043d4f10c20524a0ca1c7d58dee5db8f68893c1fd9c1e
+  languageName: node
+  linkType: hard
+
+"@types/ember__owner@npm:*":
+  version: 4.0.2
+  resolution: "@types/ember__owner@npm:4.0.2"
+  checksum: fca38292256a423851231805b07f150a17ff7ab2cf74533507c016d85180d229fe75999bf8c138276c272a8ff74364a88bf77ae6ff322dc16c05598e7d71dcd9
+  languageName: node
+  linkType: hard
+
+"@types/ember__polyfills@npm:*, @types/ember__polyfills@npm:^4.0.1":
+  version: 4.0.1
+  resolution: "@types/ember__polyfills@npm:4.0.1"
+  checksum: a2b6ed3b0637fdeb6d4c93a3a1d5b7902e57124c860bf9bf82f1ea4148264991b8f0311ea6a8a50f5b243804f93650fc2a5f97a53192e0687213b41a5499e4be
+  languageName: node
+  linkType: hard
+
+"@types/ember__routing@npm:*, @types/ember__routing@npm:^4.0.12":
+  version: 4.0.12
+  resolution: "@types/ember__routing@npm:4.0.12"
+  dependencies:
+    "@types/ember": "*"
+    "@types/ember__controller": "*"
+    "@types/ember__object": "*"
+    "@types/ember__routing": "*"
+    "@types/ember__service": "*"
+  checksum: 8c14b6de35c9b370175dc342610729dba51b315a09f538ca5ad4e95d15ae0938efec8a6fd5675b862f2ca95da46528160896a417040654c621c8dbca34d8185b
+  languageName: node
+  linkType: hard
+
+"@types/ember__runloop@npm:*, @types/ember__runloop@npm:^4.0.2":
+  version: 4.0.2
+  resolution: "@types/ember__runloop@npm:4.0.2"
+  dependencies:
+    "@types/ember": "*"
+    "@types/ember__runloop": "*"
+  checksum: c207b35187d082be1330836dd120886ca86e14b029c7d89451fe4340ca4c500264f03a42558de62aa08e3e5743f7ac8aef84b668316d8f5db031eed109267aae
+  languageName: node
+  linkType: hard
+
+"@types/ember__service@npm:*, @types/ember__service@npm:^4.0.1":
+  version: 4.0.1
+  resolution: "@types/ember__service@npm:4.0.1"
+  dependencies:
+    "@types/ember__object": "*"
+  checksum: f4b8c161e13148d6fa3930a4fcd80e454aad1bb2688ec2c2da6cbb9b6e20a8c3b78308dfa10cb4ec5c42696ca77930d7133093d3c2cf8f41c883d456e2d444cf
+  languageName: node
+  linkType: hard
+
+"@types/ember__string@npm:*, @types/ember__string@npm:^3.0.10":
+  version: 3.0.10
+  resolution: "@types/ember__string@npm:3.0.10"
+  checksum: 1ff40f641efbd91fc65da9d1cd8206b5ff3a7627fbbe5d00e00ba4ff116eee1863cff5d556e616d4896f5dd6fd4ae3d7f7191f8c726bdac44a568bd4fec4164f
+  languageName: node
+  linkType: hard
+
+"@types/ember__template@npm:*, @types/ember__template@npm:^4.0.1":
+  version: 4.0.1
+  resolution: "@types/ember__template@npm:4.0.1"
+  checksum: 55c1bdccc1f11d428795da20832a1e52d76139af0a2378eb2ac6c18cf2406cd0b80007de4eafa5934a5b61cdf5979d9ad3e3ce27586b5908099e7535462d0b40
+  languageName: node
+  linkType: hard
+
+"@types/ember__test-helpers@npm:*, @types/ember__test-helpers@npm:^2.8.2":
+  version: 2.8.2
+  resolution: "@types/ember__test-helpers@npm:2.8.2"
+  dependencies:
+    "@types/ember-resolver": "*"
+    "@types/ember__application": "*"
+    "@types/ember__error": "*"
+    "@types/ember__owner": "*"
+    "@types/ember__test-helpers": "*"
+    "@types/htmlbars-inline-precompile": "*"
+  checksum: 8f89692d1808133b98e225b48ca5e3d94a781d539f092529f18ff525f898e914b3de6393fe7ed97567b5a04ca1fea6325325fd3e54a03b97c14c9ae4e8ee033b
+  languageName: node
+  linkType: hard
+
+"@types/ember__test@npm:*, @types/ember__test@npm:^4.0.1":
+  version: 4.0.1
+  resolution: "@types/ember__test@npm:4.0.1"
+  dependencies:
+    "@types/ember__application": "*"
+  checksum: e303ed97b0d63e9b2c91c8b7bd2445b8c013e485f458f0122c8a961593dafdc9428ffc055f51527032c970c2591094600f00233cda894e1775bc671bde67c570
+  languageName: node
+  linkType: hard
+
+"@types/ember__utils@npm:*, @types/ember__utils@npm:^4.0.2":
+  version: 4.0.2
+  resolution: "@types/ember__utils@npm:4.0.2"
+  dependencies:
+    "@types/ember": "*"
+  checksum: 8fc60ec9a902211502f33bba4c7cb774838f96fa21cfc798d42b8801f3654059eab96bae8b7fcb7ac60eb499363b263a97daf987bfd9f07feaf973046d1d39df
+  languageName: node
+  linkType: hard
+
+"@types/eslint-scope@npm:^3.7.3":
+  version: 3.7.3
+  resolution: "@types/eslint-scope@npm:3.7.3"
+  dependencies:
+    "@types/eslint": "*"
+    "@types/estree": "*"
+  checksum: 6772b05e1b92003d1f295e81bc847a61f4fbe8ddab77ffa49e84ed3f9552513bdde677eb53ef167753901282857dd1d604d9f82eddb34a233495932b2dc3dc17
+  languageName: node
+  linkType: hard
+
+"@types/eslint@npm:*":
+  version: 8.4.3
+  resolution: "@types/eslint@npm:8.4.3"
+  dependencies:
+    "@types/estree": "*"
+    "@types/json-schema": "*"
+  checksum: cc199be84e22754cc625b171c90852da2b563088d32f4161d310b70470eab47f9bc812774c61eab6530083a214fe634abc32d06ef38e0a5e29f68436331cfabb
+  languageName: node
+  linkType: hard
+
+"@types/eslint@npm:^7.2.13":
+  version: 7.29.0
+  resolution: "@types/eslint@npm:7.29.0"
+  dependencies:
+    "@types/estree": "*"
+    "@types/json-schema": "*"
+  checksum: df13991c554954353ce8f3bb03e19da6cc71916889443d68d178d4f858b561ba4cc4a4f291c6eb9eebb7f864b12b9b9313051b3a8dfea3e513dadf3188a77bdf
+  languageName: node
+  linkType: hard
+
+"@types/eslint@npm:^8.4.2":
+  version: 8.4.10
+  resolution: "@types/eslint@npm:8.4.10"
+  dependencies:
+    "@types/estree": "*"
+    "@types/json-schema": "*"
+  checksum: 21e009ed9ed9bc8920fdafc6e11ff321c4538b4cc18a56fdd59dc5184ea7bbf363c71638c9bdb59fc1254dddcdd567485136ed68b0ee4750948d4e32cb79c689
+  languageName: node
+  linkType: hard
+
+"@types/estree@npm:*":
+  version: 0.0.47
+  resolution: "@types/estree@npm:0.0.47"
+  checksum: aed5c940436250c25c5e140aa19e7199ba3452e72e1aecc515621507df9e5ed5076ddba84a1684c36d62be841ff3e2bafce8793f16fe6f69d10884449d4461e7
+  languageName: node
+  linkType: hard
+
+"@types/estree@npm:^0.0.51":
+  version: 0.0.51
+  resolution: "@types/estree@npm:0.0.51"
+  checksum: e56a3bcf759fd9185e992e7fdb3c6a5f81e8ff120e871641607581fb3728d16c811702a7d40fa5f869b7f7b4437ab6a87eb8d98ffafeee51e85bbe955932a189
+  languageName: node
+  linkType: hard
+
+"@types/express-serve-static-core@npm:*":
+  version: 4.17.30
+  resolution: "@types/express-serve-static-core@npm:4.17.30"
+  dependencies:
+    "@types/node": "*"
+    "@types/qs": "*"
+    "@types/range-parser": "*"
+  checksum: c40d9027884ab9e97fa29d9d41d1b75a5966109312e26594cf03c61b278b5bf8e095f53589e47899b34a2e224291a44043617695c3e8bd22284f988e48582ee6
+  languageName: node
+  linkType: hard
+
+"@types/express@npm:^4.17.2":
+  version: 4.17.2
+  resolution: "@types/express@npm:4.17.2"
+  dependencies:
+    "@types/body-parser": "*"
+    "@types/express-serve-static-core": "*"
+    "@types/serve-static": "*"
+  checksum: db8e85f84f040014a35b10f3f2e1d39b0f7b16c46cbe012ff2fa7eea7d49bc2a90e81ab81f052fd76f1790c02bf3f940571c406106d29f278f3259486ecc9ee9
+  languageName: node
+  linkType: hard
+
+"@types/fs-extra@npm:^5.0.5":
+  version: 5.1.0
+  resolution: "@types/fs-extra@npm:5.1.0"
+  dependencies:
+    "@types/node": "*"
+  checksum: 9b4abc891ad0dc3baa77b0ebcf91dff8e7a5936aa037de0bd6ded399ab38b5896be1ee02b5c0a18c0915cfc40ab590a915709e6f2beef8f6f7e16fd3759e469a
+  languageName: node
+  linkType: hard
+
+"@types/fs-extra@npm:^8.1.0":
+  version: 8.1.1
+  resolution: "@types/fs-extra@npm:8.1.1"
+  dependencies:
+    "@types/node": "*"
+  checksum: d7d564b84b86e51241984c9bec16f683056d45510e2c63e1bfe9282026685bd14e5ca406ee809453f1e2fd8c9aa76c5712a3019492eb946dd46de327ccb0e1b1
+  languageName: node
+  linkType: hard
+
+"@types/glob@npm:*":
+  version: 7.2.0
+  resolution: "@types/glob@npm:7.2.0"
+  dependencies:
+    "@types/minimatch": "*"
+    "@types/node": "*"
+  checksum: 6ae717fedfdfdad25f3d5a568323926c64f52ef35897bcac8aca8e19bc50c0bd84630bbd063e5d52078b2137d8e7d3c26eabebd1a2f03ff350fff8a91e79fc19
+  languageName: node
+  linkType: hard
+
+"@types/glob@npm:^7.1.1":
+  version: 7.1.3
+  resolution: "@types/glob@npm:7.1.3"
+  dependencies:
+    "@types/minimatch": "*"
+    "@types/node": "*"
+  checksum: e0eef12285f548f15d887145590594a04ccce7f7e645fb047cbac18cb093f25d507ffbcc725312294c224bb78cf980fce33e5807de8d6f8a868b4186253499d4
+  languageName: node
+  linkType: hard
+
+"@types/htmlbars-inline-precompile@npm:*":
+  version: 3.0.0
+  resolution: "@types/htmlbars-inline-precompile@npm:3.0.0"
+  checksum: dd7b1f0a0f9ec560c521673c436329e9edb0197b382520179008b11afe38c3d7a129dc91f303ca0509852f9e081a353b9f9aee9d7043529d70c439aafb7f9a2c
+  languageName: node
+  linkType: hard
+
+"@types/json-schema@npm:*, @types/json-schema@npm:^7.0.5":
+  version: 7.0.9
+  resolution: "@types/json-schema@npm:7.0.9"
+  checksum: 259d0e25f11a21ba5c708f7ea47196bd396e379fddb79c76f9f4f62c945879dc21657904914313ec2754e443c5018ea8372362f323f30e0792897fdb2098a705
+  languageName: node
+  linkType: hard
+
+"@types/json-schema@npm:^7.0.8, @types/json-schema@npm:^7.0.9":
+  version: 7.0.11
+  resolution: "@types/json-schema@npm:7.0.11"
+  checksum: 527bddfe62db9012fccd7627794bd4c71beb77601861055d87e3ee464f2217c85fca7a4b56ae677478367bbd248dbde13553312b7d4dbc702a2f2bbf60c4018d
+  languageName: node
+  linkType: hard
+
+"@types/mdast@npm:^3.0.0":
+  version: 3.0.10
+  resolution: "@types/mdast@npm:3.0.10"
+  dependencies:
+    "@types/unist": "*"
+  checksum: 3f587bfc0a9a2403ecadc220e61031b01734fedaf82e27eb4d5ba039c0eb54db8c85681ccc070ab4df3f7ec711b736a82b990e69caa14c74bf7ac0ccf2ac7313
+  languageName: node
+  linkType: hard
+
+"@types/mime@npm:^1":
+  version: 1.3.2
+  resolution: "@types/mime@npm:1.3.2"
+  checksum: 0493368244cced1a69cb791b485a260a422e6fcc857782e1178d1e6f219f1b161793e9f87f5fae1b219af0f50bee24fcbe733a18b4be8fdd07a38a8fb91146fd
+  languageName: node
+  linkType: hard
+
+"@types/minimatch@npm:*, @types/minimatch@npm:^3.0.3, @types/minimatch@npm:^3.0.4":
+  version: 3.0.5
+  resolution: "@types/minimatch@npm:3.0.5"
+  checksum: c41d136f67231c3131cf1d4ca0b06687f4a322918a3a5adddc87ce90ed9dbd175a3610adee36b106ae68c0b92c637c35e02b58c8a56c424f71d30993ea220b92
+  languageName: node
+  linkType: hard
+
+"@types/minimist@npm:^1.2.2":
+  version: 1.2.2
+  resolution: "@types/minimist@npm:1.2.2"
+  checksum: b8da83c66eb4aac0440e64674b19564d9d86c80ae273144db9681e5eeff66f238ade9515f5006ffbfa955ceff8b89ad2bd8ec577d7caee74ba101431fb07045d
+  languageName: node
+  linkType: hard
+
+"@types/node@npm:*":
+  version: 16.11.11
+  resolution: "@types/node@npm:16.11.11"
+  checksum: 1c472bd63f23ca0e4effc96e6e0c693b83b027f613a1f41b6d1bd7791f65ce171a351e0a5c92575cb59e84ad0a930875397bfbbb91a7c925ddbbb558f7461af8
+  languageName: node
+  linkType: hard
+
+"@types/node@npm:>=10.0.0":
+  version: 18.7.16
+  resolution: "@types/node@npm:18.7.16"
+  checksum: 01a3d35c764a3f0e7370b56e1ad4203731131883c65784e020009014171b3f53c4649cde6c7aa4f1026b907ee87ef6ae6ece2bc518151dc7b81100fe8b1db3ad
+  languageName: node
+  linkType: hard
+
+"@types/node@npm:^9.6.0":
+  version: 9.6.61
+  resolution: "@types/node@npm:9.6.61"
+  checksum: c8caed1010c5eb94697024606a5cbcb9905251166daed6ec1b47d3c70a57435aba72547adf347b8d17785df89dbfc0ac20e63b9f807bc44cc0e11a3705ae5a91
+  languageName: node
+  linkType: hard
+
+"@types/normalize-package-data@npm:^2.4.0":
+  version: 2.4.1
+  resolution: "@types/normalize-package-data@npm:2.4.1"
+  checksum: e87bccbf11f95035c89a132b52b79ce69a1e3652fe55962363063c9c0dae0fe2477ebc585e03a9652adc6f381d24ba5589cc5e51849df4ced3d3e004a7d40ed5
+  languageName: node
+  linkType: hard
+
+"@types/parse-json@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "@types/parse-json@npm:4.0.0"
+  checksum: fd6bce2b674b6efc3db4c7c3d336bd70c90838e8439de639b909ce22f3720d21344f52427f1d9e57b265fcb7f6c018699b99e5e0c208a1a4823014269a6bf35b
+  languageName: node
+  linkType: hard
+
+"@types/prettier@npm:^2.6.0":
+  version: 2.7.1
+  resolution: "@types/prettier@npm:2.7.1"
+  checksum: 5e3f58e229d6c73b5f5cae2e8f96c1c4a5b5805f83459e17a045ba8e96152b1d38e86b63e3172fb159dac923388699660862b75b2d37e54220805f0e691e26f1
+  languageName: node
+  linkType: hard
+
+"@types/q@npm:^1.5.1":
+  version: 1.5.4
+  resolution: "@types/q@npm:1.5.4"
+  checksum: 0842d7d71b5f102dcc2d78f893d0b42c1149f8cdc194d09e7a00be3187999ee3041e535357344818f8fee1b5e216b06bb7df7754d0fe08bd8aca38d3c45f1af6
+  languageName: node
+  linkType: hard
+
+"@types/qs@npm:*":
+  version: 6.9.6
+  resolution: "@types/qs@npm:6.9.6"
+  checksum: 01871b1cf7062717ec76fcb9b29ddae1e04fcfadc1c76d86ec2571e72f27bf09ff31b094b295be8d4ca664aeec9b8965563680b31fcab7aba1ed93afac5181cd
+  languageName: node
+  linkType: hard
+
+"@types/qunit@npm:*, @types/qunit@npm:^2.19.3":
+  version: 2.19.3
+  resolution: "@types/qunit@npm:2.19.3"
+  checksum: bbcea1082a2827f81ddb43f53abf6e6698cb690fa5a1cd59649eee5e9ecf0fe04fae7fb2aaf3015681ac8036f251f4d268819a4935ec5b38832056957ccfb265
+  languageName: node
+  linkType: hard
+
+"@types/range-parser@npm:*":
+  version: 1.2.3
+  resolution: "@types/range-parser@npm:1.2.3"
+  checksum: a0a4218214d2c599e2128a8965e9183d1f0b8fc614def43a2183cf80534d10fcf86357c823c7907e779df0ab048fd1fa3818b4c8f0f6f99ba150a3f99df7d03d
+  languageName: node
+  linkType: hard
+
+"@types/rimraf@npm:^2.0.2":
+  version: 2.0.5
+  resolution: "@types/rimraf@npm:2.0.5"
+  dependencies:
+    "@types/glob": "*"
+    "@types/node": "*"
+  checksum: e388f546840704a240fb31536498921623bca4ec1230925013d6b6d7c7d2211c8ec07fcbbd2606151d7549cbbc28a01c18fb0df502107a9293860a5ff64bc147
+  languageName: node
+  linkType: hard
+
+"@types/rimraf@npm:^2.0.3":
+  version: 2.0.4
+  resolution: "@types/rimraf@npm:2.0.4"
+  dependencies:
+    "@types/glob": "*"
+    "@types/node": "*"
+  checksum: 8304d3d98f654f6c7b6256f368832436dc1d807bb899007fa823702052642166da25f37e849f0bc4ba4ec312e5a8f81e7a4d4a81de9c68f305d28f7822464c0c
+  languageName: node
+  linkType: hard
+
+"@types/rsvp@npm:*, @types/rsvp@npm:^4.0.4":
+  version: 4.0.4
+  resolution: "@types/rsvp@npm:4.0.4"
+  checksum: ed59be8246325c3676e67237c00d84830f801710af864dbf7d22e80441892e9a7beee07afcbdcd74ee8fbe3a24f37e93826dac1208199ac5601b663b7293cbed
+  languageName: node
+  linkType: hard
+
+"@types/semver@npm:^7.3.12":
+  version: 7.3.13
+  resolution: "@types/semver@npm:7.3.13"
+  checksum: 00c0724d54757c2f4bc60b5032fe91cda6410e48689633d5f35ece8a0a66445e3e57fa1d6e07eb780f792e82ac542948ec4d0b76eb3484297b79bd18b8cf1cb0
+  languageName: node
+  linkType: hard
+
+"@types/serve-static@npm:*":
+  version: 1.13.9
+  resolution: "@types/serve-static@npm:1.13.9"
+  dependencies:
+    "@types/mime": ^1
+    "@types/node": "*"
+  checksum: 5c5f3b64e9fe7c51fb428ef70f1f2365b897fc3c8400be6d6afc8db0f152639182b360361ebd3d0cbaeb607b125dee03bf0c50bf7e08642ff150028f05bb7381
+  languageName: node
+  linkType: hard
+
+"@types/shell-quote@npm:^1.7.1":
+  version: 1.7.1
+  resolution: "@types/shell-quote@npm:1.7.1"
+  checksum: 51e58326b8c6dcb72846b94cebe3dc4c84f3514469a8e52bd29c52c601e784b427b851d7477acbeef47bfcccf25d2a5768684d27e7fc95fdd003393c1bbb7bc3
+  languageName: node
+  linkType: hard
+
+"@types/symlink-or-copy@npm:^1.2.0":
+  version: 1.2.0
+  resolution: "@types/symlink-or-copy@npm:1.2.0"
+  checksum: 18fb73094b2cf6c84544939bd6344d7a8cd1ccf8496a1cfb1320f38491c8dfbea3248bb6e91495322a51a493e04a767582a214d5261f5c5b007aa6ef65fc8b50
+  languageName: node
+  linkType: hard
+
+"@types/tmp@npm:^0.0.33":
+  version: 0.0.33
+  resolution: "@types/tmp@npm:0.0.33"
+  checksum: b6963af74092bd56a1a9a7936a1a6de45ddbd5e774f9fc904f16b7e2ada79da8a769e0c5b9df083064b8080bb260c4973ba4307640b7b7a75ed1c47bda8c4110
+  languageName: node
+  linkType: hard
+
+"@types/unist@npm:*, @types/unist@npm:^2.0.0, @types/unist@npm:^2.0.2":
+  version: 2.0.6
+  resolution: "@types/unist@npm:2.0.6"
+  checksum: 25cb860ff10dde48b54622d58b23e66214211a61c84c0f15f88d38b61aa1b53d4d46e42b557924a93178c501c166aa37e28d7f6d994aba13d24685326272d5db
+  languageName: node
+  linkType: hard
+
+"@typescript-eslint/eslint-plugin@npm:^5.19.0":
+  version: 5.44.0
+  resolution: "@typescript-eslint/eslint-plugin@npm:5.44.0"
+  dependencies:
+    "@typescript-eslint/scope-manager": 5.44.0
+    "@typescript-eslint/type-utils": 5.44.0
+    "@typescript-eslint/utils": 5.44.0
+    debug: ^4.3.4
+    ignore: ^5.2.0
+    natural-compare-lite: ^1.4.0
+    regexpp: ^3.2.0
+    semver: ^7.3.7
+    tsutils: ^3.21.0
+  peerDependencies:
+    "@typescript-eslint/parser": ^5.0.0
+    eslint: ^6.0.0 || ^7.0.0 || ^8.0.0
+  peerDependenciesMeta:
+    typescript:
+      optional: true
+  checksum: 88784e77e8e35ea50ca9c49d46df94cabc3447f4b332f3ca53974d3b5370cb5dcd85cc9ee0e317b91083812012369209574725dcfc3b2b4056b60371b68ca854
+  languageName: node
+  linkType: hard
+
+"@typescript-eslint/parser@npm:^5.10.0":
+  version: 5.42.1
+  resolution: "@typescript-eslint/parser@npm:5.42.1"
+  dependencies:
+    "@typescript-eslint/scope-manager": 5.42.1
+    "@typescript-eslint/types": 5.42.1
+    "@typescript-eslint/typescript-estree": 5.42.1
+    debug: ^4.3.4
+  peerDependencies:
+    eslint: ^6.0.0 || ^7.0.0 || ^8.0.0
+  peerDependenciesMeta:
+    typescript:
+      optional: true
+  checksum: 7208a085102be5c569ac2be5799d05e080a9c0b9157ed3efa5d7eadb675185bddfa05f2f27e20c235910193a2bd835e5375fb9fc13561a6e20d110e444f37caa
+  languageName: node
+  linkType: hard
+
+"@typescript-eslint/parser@npm:^5.19.0":
+  version: 5.44.0
+  resolution: "@typescript-eslint/parser@npm:5.44.0"
+  dependencies:
+    "@typescript-eslint/scope-manager": 5.44.0
+    "@typescript-eslint/types": 5.44.0
+    "@typescript-eslint/typescript-estree": 5.44.0
+    debug: ^4.3.4
+  peerDependencies:
+    eslint: ^6.0.0 || ^7.0.0 || ^8.0.0
+  peerDependenciesMeta:
+    typescript:
+      optional: true
+  checksum: 2d09a1a1547a7ae3f76c9a33a54e11d79a194fbb9dbae69988e7aed3370bdf12bafde669211152769d89db822e0cdee4173affc126664fa6f17abba56daa7261
+  languageName: node
+  linkType: hard
+
+"@typescript-eslint/scope-manager@npm:5.42.1":
+  version: 5.42.1
+  resolution: "@typescript-eslint/scope-manager@npm:5.42.1"
+  dependencies:
+    "@typescript-eslint/types": 5.42.1
+    "@typescript-eslint/visitor-keys": 5.42.1
+  checksum: cfad5f04328fae4bb6d965a94c980ac2f6fa0eee6183e9bed6d7ebdb067f01a0a9a3b5500fc3638d5e287f46f4412aa462e238c610c1fb96b794b83c575c7fb4
+  languageName: node
+  linkType: hard
+
+"@typescript-eslint/scope-manager@npm:5.44.0":
+  version: 5.44.0
+  resolution: "@typescript-eslint/scope-manager@npm:5.44.0"
+  dependencies:
+    "@typescript-eslint/types": 5.44.0
+    "@typescript-eslint/visitor-keys": 5.44.0
+  checksum: 4cfe4b55eb428eda740e6b967e3a87f3e1f9c4bbd8e1d6b8d64a11666abe33ffe7a21e4e614444ccde2da6930fa85f3e0ffca43d6e339943ff7a4fbccb09c8fc
+  languageName: node
+  linkType: hard
+
+"@typescript-eslint/type-utils@npm:5.44.0":
+  version: 5.44.0
+  resolution: "@typescript-eslint/type-utils@npm:5.44.0"
+  dependencies:
+    "@typescript-eslint/typescript-estree": 5.44.0
+    "@typescript-eslint/utils": 5.44.0
+    debug: ^4.3.4
+    tsutils: ^3.21.0
+  peerDependencies:
+    eslint: "*"
+  peerDependenciesMeta:
+    typescript:
+      optional: true
+  checksum: 4c7b594f8afa52d57d0512951a874fa390eb791dcefcd0e1efff8817872293b2e4e04eff3c54d1595c1720a34d5fd315729af4e459882033d13cb6069ae9d28f
+  languageName: node
+  linkType: hard
+
+"@typescript-eslint/types@npm:5.42.1":
+  version: 5.42.1
+  resolution: "@typescript-eslint/types@npm:5.42.1"
+  checksum: b0eb3df3792dd0e447abcf2b4fd79b2eaa6f944242d00afa8ef2d9f892ea63e52f200e7cb1758ddbc46154aa6764cec8bc796ed96f7554457a20db976f9f2089
+  languageName: node
+  linkType: hard
+
+"@typescript-eslint/types@npm:5.44.0":
+  version: 5.44.0
+  resolution: "@typescript-eslint/types@npm:5.44.0"
+  checksum: ced7d32abecfc62ccb67cf27e30c0785b9c153ec7b1a05153ced58fa5a2031ab3845bc2e477b83e4cebdcc5881c5845d23053c6739c62549d41ae6208e547e85
+  languageName: node
+  linkType: hard
+
+"@typescript-eslint/typescript-estree@npm:5.42.1":
+  version: 5.42.1
+  resolution: "@typescript-eslint/typescript-estree@npm:5.42.1"
+  dependencies:
+    "@typescript-eslint/types": 5.42.1
+    "@typescript-eslint/visitor-keys": 5.42.1
+    debug: ^4.3.4
+    globby: ^11.1.0
+    is-glob: ^4.0.3
+    semver: ^7.3.7
+    tsutils: ^3.21.0
+  peerDependenciesMeta:
+    typescript:
+      optional: true
+  checksum: dfd3e20d41ba4b574a52d82cc40b38708b8c2c4277d6304a8d914fe2a4a9ce8779f4d79fdac140e77a3afd3c6a2a7e3f31620dc427cabd04e4e906bb0ca3a468
+  languageName: node
+  linkType: hard
+
+"@typescript-eslint/typescript-estree@npm:5.44.0":
+  version: 5.44.0
+  resolution: "@typescript-eslint/typescript-estree@npm:5.44.0"
+  dependencies:
+    "@typescript-eslint/types": 5.44.0
+    "@typescript-eslint/visitor-keys": 5.44.0
+    debug: ^4.3.4
+    globby: ^11.1.0
+    is-glob: ^4.0.3
+    semver: ^7.3.7
+    tsutils: ^3.21.0
+  peerDependenciesMeta:
+    typescript:
+      optional: true
+  checksum: 758731108497cca7ff81cf0a78d086b5a85757a983979d6bb25ad8252b7acbc738c642ecb5f5df82f925a45926b9846e431d5cf9fee5ed2613300b4d0c5d6c3f
+  languageName: node
+  linkType: hard
+
+"@typescript-eslint/utils@npm:5.44.0":
+  version: 5.44.0
+  resolution: "@typescript-eslint/utils@npm:5.44.0"
+  dependencies:
+    "@types/json-schema": ^7.0.9
+    "@types/semver": ^7.3.12
+    "@typescript-eslint/scope-manager": 5.44.0
+    "@typescript-eslint/types": 5.44.0
+    "@typescript-eslint/typescript-estree": 5.44.0
+    eslint-scope: ^5.1.1
+    eslint-utils: ^3.0.0
+    semver: ^7.3.7
+  peerDependencies:
+    eslint: ^6.0.0 || ^7.0.0 || ^8.0.0
+  checksum: bc5bb28e41898464d35b8eb47cc452103852541e3b6be56252c15a5a81c45e10aad3db4c749eb92d752b0c358df8074e23ec6f9e65f8089baadeda7f395c7e31
+  languageName: node
+  linkType: hard
+
+"@typescript-eslint/visitor-keys@npm:5.42.1":
+  version: 5.42.1
+  resolution: "@typescript-eslint/visitor-keys@npm:5.42.1"
+  dependencies:
+    "@typescript-eslint/types": 5.42.1
+    eslint-visitor-keys: ^3.3.0
+  checksum: d36c59da7bf3b3c150c12cbe4b0331edc15253f59599ec3d8b873b2a3d9fc7a4fea11490c1b20d972afcdc9c842deb5ada527ea9c538aa7e87555699d9a59f24
+  languageName: node
+  linkType: hard
+
+"@typescript-eslint/visitor-keys@npm:5.44.0":
+  version: 5.44.0
+  resolution: "@typescript-eslint/visitor-keys@npm:5.44.0"
+  dependencies:
+    "@typescript-eslint/types": 5.44.0
+    eslint-visitor-keys: ^3.3.0
+  checksum: a012c888209e1d6ae684b2a44fd460ae5a80f5faf07bca4bda6c9c0d8c063ad3297d4c53f7151ae86cf1a43dee09625dc3ee72183323c91089c7288fd573c6f4
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/ast@npm:1.11.1":
+  version: 1.11.1
+  resolution: "@webassemblyjs/ast@npm:1.11.1"
+  dependencies:
+    "@webassemblyjs/helper-numbers": 1.11.1
+    "@webassemblyjs/helper-wasm-bytecode": 1.11.1
+  checksum: 1eee1534adebeece635362f8e834ae03e389281972611408d64be7895fc49f48f98fddbbb5339bf8a72cb101bcb066e8bca3ca1bf1ef47dadf89def0395a8d87
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/ast@npm:1.9.0":
+  version: 1.9.0
+  resolution: "@webassemblyjs/ast@npm:1.9.0"
+  dependencies:
+    "@webassemblyjs/helper-module-context": 1.9.0
+    "@webassemblyjs/helper-wasm-bytecode": 1.9.0
+    "@webassemblyjs/wast-parser": 1.9.0
+  checksum: 8a9838dc7fdac358aee8daa75eefa35934ab18dafb594092ff7be79c467ebe9dabb2543e58313c905fd802bdcc3cb8320e4e19af7444e49853a7a24e25138f75
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/floating-point-hex-parser@npm:1.11.1":
+  version: 1.11.1
+  resolution: "@webassemblyjs/floating-point-hex-parser@npm:1.11.1"
+  checksum: b8efc6fa08e4787b7f8e682182d84dfdf8da9d9c77cae5d293818bc4a55c1f419a87fa265ab85252b3e6c1fd323d799efea68d825d341a7c365c64bc14750e97
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/floating-point-hex-parser@npm:1.9.0":
+  version: 1.9.0
+  resolution: "@webassemblyjs/floating-point-hex-parser@npm:1.9.0"
+  checksum: d3aeb19bc30da26f639698daa28e44e0c18d5aa135359ef3c54148e194eec46451a912d0506099d479a71a94bc3eef6ef52d6ec234799528a25a9744789852de
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/helper-api-error@npm:1.11.1":
+  version: 1.11.1
+  resolution: "@webassemblyjs/helper-api-error@npm:1.11.1"
+  checksum: 0792813f0ed4a0e5ee0750e8b5d0c631f08e927f4bdfdd9fe9105dc410c786850b8c61bff7f9f515fdfb149903bec3c976a1310573a4c6866a94d49bc7271959
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/helper-api-error@npm:1.9.0":
+  version: 1.9.0
+  resolution: "@webassemblyjs/helper-api-error@npm:1.9.0"
+  checksum: 9179d3148639cc202e89a118145b485cf834613260679a99af6ec487bbc15f238566ca713207394b336160a41bf8c1b75cf2e853b3e96f0cc73c1e5c735b3f64
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/helper-buffer@npm:1.11.1":
+  version: 1.11.1
+  resolution: "@webassemblyjs/helper-buffer@npm:1.11.1"
+  checksum: a337ee44b45590c3a30db5a8b7b68a717526cf967ada9f10253995294dbd70a58b2da2165222e0b9830cd4fc6e4c833bf441a721128d1fe2e9a7ab26b36003ce
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/helper-buffer@npm:1.9.0":
+  version: 1.9.0
+  resolution: "@webassemblyjs/helper-buffer@npm:1.9.0"
+  checksum: dcb85f630f8a2e22b7346ad4dd58c3237a2cad1457699423e8fd19592a0bd3eacbc2639178a1b9a873c3ac217bfc7a23a134ff440a099496b590e82c7a4968d5
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/helper-code-frame@npm:1.9.0":
+  version: 1.9.0
+  resolution: "@webassemblyjs/helper-code-frame@npm:1.9.0"
+  dependencies:
+    "@webassemblyjs/wast-printer": 1.9.0
+  checksum: a28fa057f7beff0fd14bff716561520f8edb8c9c56c7a5559451e6765acfb70aaeb8af718ea2bd2262e7baeba597545af407e28eb2eff8329235afe8605f20d1
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/helper-fsm@npm:1.9.0":
+  version: 1.9.0
+  resolution: "@webassemblyjs/helper-fsm@npm:1.9.0"
+  checksum: 374cc510c8f5a7a07d4fe9eb7036cc475a96a670b5d25c31f16757ac8295be8d03a2f29657ff53eaefa9e8315670a48824d430ed910e7c1835788ac79f93124e
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/helper-module-context@npm:1.9.0":
+  version: 1.9.0
+  resolution: "@webassemblyjs/helper-module-context@npm:1.9.0"
+  dependencies:
+    "@webassemblyjs/ast": 1.9.0
+  checksum: 55e8f89c7ea1beaa78fad88403f3753b8413b0f3b6bb32d898ce95078b3e1d1b48ade0919c00b82fc2e3813c0ab6901e415f7a4d4fa9be50944e2431adde75a5
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/helper-numbers@npm:1.11.1":
+  version: 1.11.1
+  resolution: "@webassemblyjs/helper-numbers@npm:1.11.1"
+  dependencies:
+    "@webassemblyjs/floating-point-hex-parser": 1.11.1
+    "@webassemblyjs/helper-api-error": 1.11.1
+    "@xtuc/long": 4.2.2
+  checksum: 44d2905dac2f14d1e9b5765cf1063a0fa3d57295c6d8930f6c59a36462afecc6e763e8a110b97b342a0f13376166c5d41aa928e6ced92e2f06b071fd0db59d3a
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/helper-wasm-bytecode@npm:1.11.1":
+  version: 1.11.1
+  resolution: "@webassemblyjs/helper-wasm-bytecode@npm:1.11.1"
+  checksum: eac400113127832c88f5826bcc3ad1c0db9b3dbd4c51a723cfdb16af6bfcbceb608170fdaac0ab7731a7e18b291be7af68a47fcdb41cfe0260c10857e7413d97
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/helper-wasm-bytecode@npm:1.9.0":
+  version: 1.9.0
+  resolution: "@webassemblyjs/helper-wasm-bytecode@npm:1.9.0"
+  checksum: 280da4df3c556f73a1a02053277f8a4be481de32df4aa21050b015c8f4d27c46af89f0417eb88e486df117e5df4bccffae593f78cb1e79f212d3b3d4f3ed0f04
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/helper-wasm-section@npm:1.11.1":
+  version: 1.11.1
+  resolution: "@webassemblyjs/helper-wasm-section@npm:1.11.1"
+  dependencies:
+    "@webassemblyjs/ast": 1.11.1
+    "@webassemblyjs/helper-buffer": 1.11.1
+    "@webassemblyjs/helper-wasm-bytecode": 1.11.1
+    "@webassemblyjs/wasm-gen": 1.11.1
+  checksum: 617696cfe8ecaf0532763162aaf748eb69096fb27950219bb87686c6b2e66e11cd0614d95d319d0ab1904bc14ebe4e29068b12c3e7c5e020281379741fe4bedf
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/helper-wasm-section@npm:1.9.0":
+  version: 1.9.0
+  resolution: "@webassemblyjs/helper-wasm-section@npm:1.9.0"
+  dependencies:
+    "@webassemblyjs/ast": 1.9.0
+    "@webassemblyjs/helper-buffer": 1.9.0
+    "@webassemblyjs/helper-wasm-bytecode": 1.9.0
+    "@webassemblyjs/wasm-gen": 1.9.0
+  checksum: b8f7bb45d4194074c82210211a5d3e402a5b5fa63ecae26d2c356ae3978af5a530e91192fb260f32f9d561b18e2828b3da2e2f41c59efadb5f3c6d72446807f0
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/ieee754@npm:1.11.1":
+  version: 1.11.1
+  resolution: "@webassemblyjs/ieee754@npm:1.11.1"
+  dependencies:
+    "@xtuc/ieee754": ^1.2.0
+  checksum: 23a0ac02a50f244471631802798a816524df17e56b1ef929f0c73e3cde70eaf105a24130105c60aff9d64a24ce3b640dad443d6f86e5967f922943a7115022ec
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/ieee754@npm:1.9.0":
+  version: 1.9.0
+  resolution: "@webassemblyjs/ieee754@npm:1.9.0"
+  dependencies:
+    "@xtuc/ieee754": ^1.2.0
+  checksum: 7fe4a217ba0f7051e2cfef92919d4a64fac1a63c65411763779bd50907820f33f440255231a474fe3ba03bd1d9ee0328662d1eae3fce4c59b91549d6b62b839b
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/leb128@npm:1.11.1":
+  version: 1.11.1
+  resolution: "@webassemblyjs/leb128@npm:1.11.1"
+  dependencies:
+    "@xtuc/long": 4.2.2
+  checksum: 33ccc4ade2f24de07bf31690844d0b1ad224304ee2062b0e464a610b0209c79e0b3009ac190efe0e6bd568b0d1578d7c3047fc1f9d0197c92fc061f56224ff4a
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/leb128@npm:1.9.0":
+  version: 1.9.0
+  resolution: "@webassemblyjs/leb128@npm:1.9.0"
+  dependencies:
+    "@xtuc/long": 4.2.2
+  checksum: 4ca7cbb869530d78d42a414f34ae53249364cb1ecebbfb6ed5d562c2f209fce857502f088822ee82a23876f653a262ddc34ab64e45a7962510a263d39bb3f51a
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/utf8@npm:1.11.1":
+  version: 1.11.1
+  resolution: "@webassemblyjs/utf8@npm:1.11.1"
+  checksum: 972c5cfc769d7af79313a6bfb96517253a270a4bf0c33ba486aa43cac43917184fb35e51dfc9e6b5601548cd5931479a42e42c89a13bb591ffabebf30c8a6a0b
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/utf8@npm:1.9.0":
+  version: 1.9.0
+  resolution: "@webassemblyjs/utf8@npm:1.9.0"
+  checksum: e328a30ac8a503bbd015d32e75176e0dedcb45a21d4be051c25dfe89a00035ca7a6dbd8937b442dd5b4b334de3959d4f5fe0b330037bd226a28b9814cd49e84f
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/wasm-edit@npm:1.11.1":
+  version: 1.11.1
+  resolution: "@webassemblyjs/wasm-edit@npm:1.11.1"
+  dependencies:
+    "@webassemblyjs/ast": 1.11.1
+    "@webassemblyjs/helper-buffer": 1.11.1
+    "@webassemblyjs/helper-wasm-bytecode": 1.11.1
+    "@webassemblyjs/helper-wasm-section": 1.11.1
+    "@webassemblyjs/wasm-gen": 1.11.1
+    "@webassemblyjs/wasm-opt": 1.11.1
+    "@webassemblyjs/wasm-parser": 1.11.1
+    "@webassemblyjs/wast-printer": 1.11.1
+  checksum: 6d7d9efaec1227e7ef7585a5d7ff0be5f329f7c1c6b6c0e906b18ed2e9a28792a5635e450aca2d136770d0207225f204eff70a4b8fd879d3ac79e1dcc26dbeb9
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/wasm-edit@npm:1.9.0":
+  version: 1.9.0
+  resolution: "@webassemblyjs/wasm-edit@npm:1.9.0"
+  dependencies:
+    "@webassemblyjs/ast": 1.9.0
+    "@webassemblyjs/helper-buffer": 1.9.0
+    "@webassemblyjs/helper-wasm-bytecode": 1.9.0
+    "@webassemblyjs/helper-wasm-section": 1.9.0
+    "@webassemblyjs/wasm-gen": 1.9.0
+    "@webassemblyjs/wasm-opt": 1.9.0
+    "@webassemblyjs/wasm-parser": 1.9.0
+    "@webassemblyjs/wast-printer": 1.9.0
+  checksum: 1997e0c2f4051c33239587fb143242919320bc861a0af03a873c7150a27d6404bd2e063c658193288b0aa88c35aadbe0c4fde601fe642bae0743a8c8eda52717
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/wasm-gen@npm:1.11.1":
+  version: 1.11.1
+  resolution: "@webassemblyjs/wasm-gen@npm:1.11.1"
+  dependencies:
+    "@webassemblyjs/ast": 1.11.1
+    "@webassemblyjs/helper-wasm-bytecode": 1.11.1
+    "@webassemblyjs/ieee754": 1.11.1
+    "@webassemblyjs/leb128": 1.11.1
+    "@webassemblyjs/utf8": 1.11.1
+  checksum: 1f6921e640293bf99fb16b21e09acb59b340a79f986c8f979853a0ae9f0b58557534b81e02ea2b4ef11e929d946708533fd0693c7f3712924128fdafd6465f5b
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/wasm-gen@npm:1.9.0":
+  version: 1.9.0
+  resolution: "@webassemblyjs/wasm-gen@npm:1.9.0"
+  dependencies:
+    "@webassemblyjs/ast": 1.9.0
+    "@webassemblyjs/helper-wasm-bytecode": 1.9.0
+    "@webassemblyjs/ieee754": 1.9.0
+    "@webassemblyjs/leb128": 1.9.0
+    "@webassemblyjs/utf8": 1.9.0
+  checksum: 2456e84e8e6bedb7ab47f6333a0ee170f7ef62842c90862ca787c08528ca8041061f3f8bc257fc2a01bf6e8d1a76fddaddd43418c738f681066e5b50f88fe7df
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/wasm-opt@npm:1.11.1":
+  version: 1.11.1
+  resolution: "@webassemblyjs/wasm-opt@npm:1.11.1"
+  dependencies:
+    "@webassemblyjs/ast": 1.11.1
+    "@webassemblyjs/helper-buffer": 1.11.1
+    "@webassemblyjs/wasm-gen": 1.11.1
+    "@webassemblyjs/wasm-parser": 1.11.1
+  checksum: 21586883a20009e2b20feb67bdc451bbc6942252e038aae4c3a08e6f67b6bae0f5f88f20bfc7bd0452db5000bacaf5ab42b98cf9aa034a6c70e9fc616142e1db
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/wasm-opt@npm:1.9.0":
+  version: 1.9.0
+  resolution: "@webassemblyjs/wasm-opt@npm:1.9.0"
+  dependencies:
+    "@webassemblyjs/ast": 1.9.0
+    "@webassemblyjs/helper-buffer": 1.9.0
+    "@webassemblyjs/wasm-gen": 1.9.0
+    "@webassemblyjs/wasm-parser": 1.9.0
+  checksum: 91242205bdbd1aa8045364a5338bfb34880cb2c65f56db8dd19382894209673699fb31a0e5279f25c7e5bcd8f3097d6c9ca84d8969d9613ef2cf166450cc3515
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/wasm-parser@npm:1.11.1":
+  version: 1.11.1
+  resolution: "@webassemblyjs/wasm-parser@npm:1.11.1"
+  dependencies:
+    "@webassemblyjs/ast": 1.11.1
+    "@webassemblyjs/helper-api-error": 1.11.1
+    "@webassemblyjs/helper-wasm-bytecode": 1.11.1
+    "@webassemblyjs/ieee754": 1.11.1
+    "@webassemblyjs/leb128": 1.11.1
+    "@webassemblyjs/utf8": 1.11.1
+  checksum: 1521644065c360e7b27fad9f4bb2df1802d134dd62937fa1f601a1975cde56bc31a57b6e26408b9ee0228626ff3ba1131ae6f74ffb7d718415b6528c5a6dbfc2
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/wasm-parser@npm:1.9.0":
+  version: 1.9.0
+  resolution: "@webassemblyjs/wasm-parser@npm:1.9.0"
+  dependencies:
+    "@webassemblyjs/ast": 1.9.0
+    "@webassemblyjs/helper-api-error": 1.9.0
+    "@webassemblyjs/helper-wasm-bytecode": 1.9.0
+    "@webassemblyjs/ieee754": 1.9.0
+    "@webassemblyjs/leb128": 1.9.0
+    "@webassemblyjs/utf8": 1.9.0
+  checksum: 493f6cfc63a5e16073056c81ff0526a9936f461327379ef3c83cc841000e03623b6352704f6bf9f7cb5b3610f0032020a61f9cca78c91b15b8e995854b29c098
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/wast-parser@npm:1.9.0":
+  version: 1.9.0
+  resolution: "@webassemblyjs/wast-parser@npm:1.9.0"
+  dependencies:
+    "@webassemblyjs/ast": 1.9.0
+    "@webassemblyjs/floating-point-hex-parser": 1.9.0
+    "@webassemblyjs/helper-api-error": 1.9.0
+    "@webassemblyjs/helper-code-frame": 1.9.0
+    "@webassemblyjs/helper-fsm": 1.9.0
+    "@xtuc/long": 4.2.2
+  checksum: 705dd48fbbceec7f6bed299b8813631b242fd9312f9594dbb2985dda86c9688048692357d684f6080fc2c5666287cefaa26b263d01abadb6a9049d4c8978b9db
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/wast-printer@npm:1.11.1":
+  version: 1.11.1
+  resolution: "@webassemblyjs/wast-printer@npm:1.11.1"
+  dependencies:
+    "@webassemblyjs/ast": 1.11.1
+    "@xtuc/long": 4.2.2
+  checksum: f15ae4c2441b979a3b4fce78f3d83472fb22350c6dc3fd34bfe7c3da108e0b2360718734d961bba20e7716cb8578e964b870da55b035e209e50ec9db0378a3f7
+  languageName: node
+  linkType: hard
+
+"@webassemblyjs/wast-printer@npm:1.9.0":
+  version: 1.9.0
+  resolution: "@webassemblyjs/wast-printer@npm:1.9.0"
+  dependencies:
+    "@webassemblyjs/ast": 1.9.0
+    "@webassemblyjs/wast-parser": 1.9.0
+    "@xtuc/long": 4.2.2
+  checksum: 3d1e1b2e84745a963f69acd1c02425b321dd2e608e11dabc467cae0c9a808962bc769ec9afc46fbcea7188cc1e47d72370da762d258f716fb367cb1a7865c54b
+  languageName: node
+  linkType: hard
+
+"@xmldom/xmldom@npm:^0.8.0":
+  version: 0.8.2
+  resolution: "@xmldom/xmldom@npm:0.8.2"
+  checksum: aeea8f670bfa52b3a1b2d355dab3bf4d58ef4969b1fd146a1ab91bf8acbb9d02953022e66e85279015a4e4027205620dfc001ed5d169b1711a09a0a079951e08
+  languageName: node
+  linkType: hard
+
+"@xtuc/ieee754@npm:^1.2.0":
+  version: 1.2.0
+  resolution: "@xtuc/ieee754@npm:1.2.0"
+  checksum: ac56d4ca6e17790f1b1677f978c0c6808b1900a5b138885d3da21732f62e30e8f0d9120fcf8f6edfff5100ca902b46f8dd7c1e3f903728634523981e80e2885a
+  languageName: node
+  linkType: hard
+
+"@xtuc/long@npm:4.2.2":
+  version: 4.2.2
+  resolution: "@xtuc/long@npm:4.2.2"
+  checksum: 8ed0d477ce3bc9c6fe2bf6a6a2cc316bb9c4127c5a7827bae947fa8ec34c7092395c5a283cc300c05b5fa01cbbfa1f938f410a7bf75db7c7846fea41949989ec
+  languageName: node
+  linkType: hard
+
+"JSV@npm:^4.0.x":
+  version: 4.0.2
+  resolution: "JSV@npm:4.0.2"
+  checksum: 9e2e070b2149d4ffed6c135dedb5f8cebb870dc63c0ca6d3cb647067248c7ca15d1a934ee46e9d2ac0e468436d0f70bc1b63cd5f93e705ee9aa0669430e6e66f
+  languageName: node
+  linkType: hard
+
+"abab@npm:^2.0.3, abab@npm:^2.0.5":
+  version: 2.0.5
+  resolution: "abab@npm:2.0.5"
+  checksum: 0ec951b46d5418c2c2f923021ec193eaebdb4e802ffd5506286781b454be722a13a8430f98085cd3e204918401d9130ec6cc8f5ae19be315b3a0e857d83196e1
+  languageName: node
+  linkType: hard
+
+"abbrev@npm:1, abbrev@npm:^1.0.0":
+  version: 1.1.1
+  resolution: "abbrev@npm:1.1.1"
+  checksum: a4a97ec07d7ea112c517036882b2ac22f3109b7b19077dc656316d07d308438aac28e4d9746dc4d84bf6b1e75b4a7b0a5f3cb30592419f128ca9a8cee3bcfa17
+  languageName: node
+  linkType: hard
+
+"abortcontroller-polyfill@npm:^1.7.3":
+  version: 1.7.3
+  resolution: "abortcontroller-polyfill@npm:1.7.3"
+  checksum: 55739d7f0c9bd6afa2aabb3148778967c4dd4dcff91f6b9259df38da34f9882d3f7730b0954e9767a19cc16a8dd9a58915da4e8a50220300d45af3817d7557b1
+  languageName: node
+  linkType: hard
+
+"accepts@npm:~1.3.4, accepts@npm:~1.3.5, accepts@npm:~1.3.7":
+  version: 1.3.7
+  resolution: "accepts@npm:1.3.7"
+  dependencies:
+    mime-types: ~2.1.24
+    negotiator: 0.6.2
+  checksum: 27fc8060ffc69481ff6719cd3ee06387d2b88381cb0ce626f087781bbd02201a645a9febc8e7e7333558354b33b1d2f922ad13560be4ec1b7ba9e76fc1c1241d
+  languageName: node
+  linkType: hard
+
+"accepts@npm:~1.3.8":
+  version: 1.3.8
+  resolution: "accepts@npm:1.3.8"
+  dependencies:
+    mime-types: ~2.1.34
+    negotiator: 0.6.3
+  checksum: 50c43d32e7b50285ebe84b613ee4a3aa426715a7d131b65b786e2ead0fd76b6b60091b9916d3478a75f11f162628a2139991b6c03ab3f1d9ab7c86075dc8eab4
+  languageName: node
+  linkType: hard
+
+"acorn-dynamic-import@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "acorn-dynamic-import@npm:3.0.0"
+  dependencies:
+    acorn: ^5.0.0
+  checksum: 60ba19103fdaa87e048a9480238faefd451dc39e21cf079812acd5e59ca064619a8c905b274f095b7c686736605547b089c6a5b75e926202afb8a4392d012659
+  languageName: node
+  linkType: hard
+
+"acorn-globals@npm:^6.0.0":
+  version: 6.0.0
+  resolution: "acorn-globals@npm:6.0.0"
+  dependencies:
+    acorn: ^7.1.1
+    acorn-walk: ^7.1.1
+  checksum: 72d95e5b5e585f9acd019b993ab8bbba68bb3cbc9d9b5c1ebb3c2f1fe5981f11deababfb4949f48e6262f9c57878837f5958c0cca396f81023814680ca878042
+  languageName: node
+  linkType: hard
+
+"acorn-import-assertions@npm:^1.7.6":
+  version: 1.8.0
+  resolution: "acorn-import-assertions@npm:1.8.0"
+  peerDependencies:
+    acorn: ^8
+  checksum: 5c4cf7c850102ba7ae0eeae0deb40fb3158c8ca5ff15c0bca43b5c47e307a1de3d8ef761788f881343680ea374631ae9e9615ba8876fee5268dbe068c98bcba6
+  languageName: node
+  linkType: hard
+
+"acorn-jsx@npm:^5.3.2":
+  version: 5.3.2
+  resolution: "acorn-jsx@npm:5.3.2"
+  peerDependencies:
+    acorn: ^6.0.0 || ^7.0.0 || ^8.0.0
+  checksum: c3d3b2a89c9a056b205b69530a37b972b404ee46ec8e5b341666f9513d3163e2a4f214a71f4dfc7370f5a9c07472d2fd1c11c91c3f03d093e37637d95da98950
+  languageName: node
+  linkType: hard
+
+"acorn-walk@npm:^7.1.1":
+  version: 7.2.0
+  resolution: "acorn-walk@npm:7.2.0"
+  checksum: 9252158a79b9d92f1bc0dd6acc0fcfb87a67339e84bcc301bb33d6078936d27e35d606b4d35626d2962cd43c256d6f27717e70cbe15c04fff999ab0b2260b21f
+  languageName: node
+  linkType: hard
+
+"acorn@npm:^5.0.0, acorn@npm:^5.1.1, acorn@npm:^5.5.3":
+  version: 5.7.4
+  resolution: "acorn@npm:5.7.4"
+  bin:
+    acorn: bin/acorn
+  checksum: f51392a4d25c7705fadb890f784c59cde4ac1c5452ccd569fa59bd2191b7951b4a6398348ab7ea08a54f0bc0a56c13776710f4e1bae9de441e4d33e2015ad1e0
+  languageName: node
+  linkType: hard
+
+"acorn@npm:^6.4.1":
+  version: 6.4.2
+  resolution: "acorn@npm:6.4.2"
+  bin:
+    acorn: bin/acorn
+  checksum: 44b07053729db7f44d28343eed32247ed56dc4a6ec6dff2b743141ecd6b861406bbc1c20bf9d4f143ea7dd08add5dc8c290582756539bc03a8db605050ce2fb4
+  languageName: node
+  linkType: hard
+
+"acorn@npm:^7.1.0, acorn@npm:^7.1.1":
+  version: 7.4.1
+  resolution: "acorn@npm:7.4.1"
+  bin:
+    acorn: bin/acorn
+  checksum: 1860f23c2107c910c6177b7b7be71be350db9e1080d814493fae143ae37605189504152d1ba8743ba3178d0b37269ce1ffc42b101547fdc1827078f82671e407
+  languageName: node
+  linkType: hard
+
+"acorn@npm:^8.1.0":
+  version: 8.2.2
+  resolution: "acorn@npm:8.2.2"
+  bin:
+    acorn: bin/acorn
+  checksum: 46d3205ed296fa544b3d3f57880929ca7f7207e9aed7444ff1d73c21c7964e0c24a507799c334c0ab947cec3acb6dc9b831ec3ad01853e7db3da71ccdf4337f3
+  languageName: node
+  linkType: hard
+
+"acorn@npm:^8.5.0":
+  version: 8.7.1
+  resolution: "acorn@npm:8.7.1"
+  bin:
+    acorn: bin/acorn
+  checksum: aca0aabf98826717920ac2583fdcad0a6fbe4e583fdb6e843af2594e907455aeafe30b1e14f1757cd83ce1776773cf8296ffc3a4acf13f0bd3dfebcf1db6ae80
+  languageName: node
+  linkType: hard
+
+"acorn@npm:^8.7.1":
+  version: 8.8.2
+  resolution: "acorn@npm:8.8.2"
+  bin:
+    acorn: bin/acorn
+  checksum: f790b99a1bf63ef160c967e23c46feea7787e531292bb827126334612c234ed489a0dc2c7ba33156416f0ffa8d25bf2b0fdb7f35c2ba60eb3e960572bece4001
+  languageName: node
+  linkType: hard
+
+"acorn@npm:^8.8.0":
+  version: 8.8.1
+  resolution: "acorn@npm:8.8.1"
+  bin:
+    acorn: bin/acorn
+  checksum: 4079b67283b94935157698831967642f24a075c52ce3feaaaafe095776dfbe15d86a1b33b1e53860fc0d062ed6c83f4284a5c87c85b9ad51853a01173da6097f
+  languageName: node
+  linkType: hard
+
+"acorn@npm:^8.9.0":
+  version: 8.10.0
+  resolution: "acorn@npm:8.10.0"
+  bin:
+    acorn: bin/acorn
+  checksum: 538ba38af0cc9e5ef983aee196c4b8b4d87c0c94532334fa7e065b2c8a1f85863467bb774231aae91613fcda5e68740c15d97b1967ae3394d20faddddd8af61d
+  languageName: node
+  linkType: hard
+
+"agent-base@npm:6, agent-base@npm:^6.0.2":
+  version: 6.0.2
+  resolution: "agent-base@npm:6.0.2"
+  dependencies:
+    debug: 4
+  checksum: f52b6872cc96fd5f622071b71ef200e01c7c4c454ee68bc9accca90c98cfb39f2810e3e9aa330435835eedc8c23f4f8a15267f67c6e245d2b33757575bdac49d
+  languageName: node
+  linkType: hard
+
+"agent-base@npm:^4.3.0":
+  version: 4.3.0
+  resolution: "agent-base@npm:4.3.0"
+  dependencies:
+    es6-promisify: ^5.0.0
+  checksum: 0c10891060e579c67efafd6b62223666c4b4129b521eac3e9ad272a137545bcedb54ce352273b7ad21a0024060e4f1360ae9a465ac87e2af18883c937d39979f
+  languageName: node
+  linkType: hard
+
+"agentkeepalive@npm:^4.2.1":
+  version: 4.3.0
+  resolution: "agentkeepalive@npm:4.3.0"
+  dependencies:
+    debug: ^4.1.0
+    depd: ^2.0.0
+    humanize-ms: ^1.2.1
+  checksum: 982453aa44c11a06826c836025e5162c846e1200adb56f2d075400da7d32d87021b3b0a58768d949d824811f5654223d5a8a3dad120921a2439625eb847c6260
+  languageName: node
+  linkType: hard
+
+"aggregate-error@npm:^3.0.0":
+  version: 3.1.0
+  resolution: "aggregate-error@npm:3.1.0"
+  dependencies:
+    clean-stack: ^2.0.0
+    indent-string: ^4.0.0
+  checksum: 1101a33f21baa27a2fa8e04b698271e64616b886795fd43c31068c07533c7b3facfcaf4e9e0cab3624bd88f729a592f1c901a1a229c9e490eafce411a8644b79
+  languageName: node
+  linkType: hard
+
+"ajv-errors@npm:^1.0.0":
+  version: 1.0.1
+  resolution: "ajv-errors@npm:1.0.1"
+  peerDependencies:
+    ajv: ">=5.0.0"
+  checksum: 2c9fc02cf58f9aae5bace61ebd1b162e1ea372ae9db5999243ba5e32a9a78c0d635d29ae085f652c61c941a43af0b2b1acdb255e29d44dc43a6e021085716d8c
+  languageName: node
+  linkType: hard
+
+"ajv-formats@npm:^2.1.1":
+  version: 2.1.1
+  resolution: "ajv-formats@npm:2.1.1"
+  dependencies:
+    ajv: ^8.0.0
+  peerDependencies:
+    ajv: ^8.0.0
+  peerDependenciesMeta:
+    ajv:
+      optional: true
+  checksum: 4a287d937f1ebaad4683249a4c40c0fa3beed30d9ddc0adba04859026a622da0d317851316ea64b3680dc60f5c3c708105ddd5d5db8fe595d9d0207fd19f90b7
+  languageName: node
+  linkType: hard
+
+"ajv-keywords@npm:^3.1.0, ajv-keywords@npm:^3.4.1, ajv-keywords@npm:^3.5.2":
+  version: 3.5.2
+  resolution: "ajv-keywords@npm:3.5.2"
+  peerDependencies:
+    ajv: ^6.9.1
+  checksum: 7dc5e5931677a680589050f79dcbe1fefbb8fea38a955af03724229139175b433c63c68f7ae5f86cf8f65d55eb7c25f75a046723e2e58296707617ca690feae9
+  languageName: node
+  linkType: hard
+
+"ajv-keywords@npm:^5.0.0":
+  version: 5.1.0
+  resolution: "ajv-keywords@npm:5.1.0"
+  dependencies:
+    fast-deep-equal: ^3.1.3
+  peerDependencies:
+    ajv: ^8.8.2
+  checksum: c35193940b853119242c6757787f09ecf89a2c19bcd36d03ed1a615e710d19d450cb448bfda407b939aba54b002368c8bff30529cc50a0536a8e10bcce300421
+  languageName: node
+  linkType: hard
+
+"ajv@npm:^6.1.0, ajv@npm:^6.10.0, ajv@npm:^6.10.2, ajv@npm:^6.12.3, ajv@npm:^6.12.4, ajv@npm:^6.12.5":
+  version: 6.12.6
+  resolution: "ajv@npm:6.12.6"
+  dependencies:
+    fast-deep-equal: ^3.1.1
+    fast-json-stable-stringify: ^2.0.0
+    json-schema-traverse: ^0.4.1
+    uri-js: ^4.2.2
+  checksum: 874972efe5c4202ab0a68379481fbd3d1b5d0a7bd6d3cc21d40d3536ebff3352a2a1fabb632d4fd2cc7fe4cbdcd5ed6782084c9bbf7f32a1536d18f9da5007d4
+  languageName: node
+  linkType: hard
+
+"ajv@npm:^8.0.0, ajv@npm:^8.8.0":
+  version: 8.11.0
+  resolution: "ajv@npm:8.11.0"
+  dependencies:
+    fast-deep-equal: ^3.1.1
+    json-schema-traverse: ^1.0.0
+    require-from-string: ^2.0.2
+    uri-js: ^4.2.2
+  checksum: 5e0ff226806763be73e93dd7805b634f6f5921e3e90ca04acdf8db81eed9d8d3f0d4c5f1213047f45ebbf8047ffe0c840fa1ef2ec42c3a644899f69aa72b5bef
+  languageName: node
+  linkType: hard
+
+"ajv@npm:^8.0.1":
+  version: 8.2.0
+  resolution: "ajv@npm:8.2.0"
+  dependencies:
+    fast-deep-equal: ^3.1.1
+    json-schema-traverse: ^1.0.0
+    require-from-string: ^2.0.2
+    uri-js: ^4.2.2
+  checksum: 36994bc227aac4c29ff967de5d53f087449ffab62d66f782f99c6aad8ac1d58db4eb7b0f78ce7961492eae00be51c2384b38b69e099d1021d41b2353dce91417
+  languageName: node
+  linkType: hard
+
+"amd-name-resolver@npm:1.2.0":
+  version: 1.2.0
+  resolution: "amd-name-resolver@npm:1.2.0"
+  dependencies:
+    ensure-posix-path: ^1.0.1
+  checksum: f84474670f4ee5c36f78ed0fe3ff64039ff5c489e6c9a1b595fac32ede3ca33ec3c20ab58361f6ae7f191e5bff0347ac9dcff480f17824482d458bed6f7db6b9
+  languageName: node
+  linkType: hard
+
+"amd-name-resolver@npm:1.3.1, amd-name-resolver@npm:^1.2.0, amd-name-resolver@npm:^1.3.1":
+  version: 1.3.1
+  resolution: "amd-name-resolver@npm:1.3.1"
+  dependencies:
+    ensure-posix-path: ^1.0.1
+    object-hash: ^1.3.1
+  checksum: c48f68922f394078acaac97f1691a46dcb94fa3d5ee47b9a0c5b81bf66073005b75b5784f93ed6c1081b0afa92d41a5c581073960dbde9baa80b8abef4cccb2b
+  languageName: node
+  linkType: hard
+
+"amd-name-resolver@npm:^0.0.6":
+  version: 0.0.6
+  resolution: "amd-name-resolver@npm:0.0.6"
+  dependencies:
+    ensure-posix-path: ^1.0.1
+  checksum: f0e4f03654b2b523a35a3ba5ae5fc6c9f637242cea75ef6470baea5f997a9206e60e23489f7d1c5adc4c3ac88c25008ca7ec4a92cf21b23b253141e2962c990c
+  languageName: node
+  linkType: hard
+
+"amdefine@npm:>=0.0.4":
+  version: 1.0.1
+  resolution: "amdefine@npm:1.0.1"
+  checksum: 9d4e15b94641643a9385b2841b4cb2bcf4e8e2f741ea4bd475c93ad7bab261ad4ed827a32e9c549b38b98759c4526c173ae4e6dde8caeb75ee5cebedc9863762
+  languageName: node
+  linkType: hard
+
+"anchor-markdown-header@npm:^0.5.7":
+  version: 0.5.7
+  resolution: "anchor-markdown-header@npm:0.5.7"
+  dependencies:
+    emoji-regex: ~6.1.0
+  checksum: 97ed56c61ca8aacca635378de4959fd95929c4966f96e6483df06d5b22b541924e91569c819c49cbed8e8684b3b77eb5760216bc9bd11e54bb58389ce29cedaa
+  languageName: node
+  linkType: hard
+
+"ansi-colors@npm:^4.1.1":
+  version: 4.1.1
+  resolution: "ansi-colors@npm:4.1.1"
+  checksum: 138d04a51076cb085da0a7e2d000c5c0bb09f6e772ed5c65c53cb118d37f6c5f1637506d7155fb5f330f0abcf6f12fa2e489ac3f8cdab9da393bf1bb4f9a32b0
+  languageName: node
+  linkType: hard
+
+"ansi-escapes@npm:^3.2.0":
+  version: 3.2.0
+  resolution: "ansi-escapes@npm:3.2.0"
+  checksum: 0f94695b677ea742f7f1eed961f7fd8d05670f744c6ad1f8f635362f6681dcfbc1575cb05b43abc7bb6d67e25a75fb8c7ea8f2a57330eb2c76b33f18cb2cef0a
+  languageName: node
+  linkType: hard
+
+"ansi-escapes@npm:^4.2.1, ansi-escapes@npm:^4.3.0":
+  version: 4.3.2
+  resolution: "ansi-escapes@npm:4.3.2"
+  dependencies:
+    type-fest: ^0.21.3
+  checksum: 93111c42189c0a6bed9cdb4d7f2829548e943827ee8479c74d6e0b22ee127b2a21d3f8b5ca57723b8ef78ce011fbfc2784350eb2bde3ccfccf2f575fa8489815
+  languageName: node
+  linkType: hard
+
+"ansi-html@npm:^0.0.7":
+  version: 0.0.7
+  resolution: "ansi-html@npm:0.0.7"
+  bin:
+    ansi-html: ./bin/ansi-html
+  checksum: 9b839ce99650b4c2d83621d67d68622d27e7948b54f7a4386f2218a3997ee4e684e5a6e8d290880c3f3260e8d90c2613c59c7028f04992ad5c8d99d3a0fcc02c
+  languageName: node
+  linkType: hard
+
+"ansi-regex@npm:^2.0.0":
+  version: 2.1.1
+  resolution: "ansi-regex@npm:2.1.1"
+  checksum: 190abd03e4ff86794f338a31795d262c1dfe8c91f7e01d04f13f646f1dcb16c5800818f886047876f1272f065570ab86b24b99089f8b68a0e11ff19aed4ca8f1
+  languageName: node
+  linkType: hard
+
+"ansi-regex@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "ansi-regex@npm:3.0.0"
+  checksum: 2ad11c416f81c39f5c65eafc88cf1d71aa91d76a2f766e75e457c2a3c43e8a003aadbf2966b61c497aa6a6940a36412486c975b3270cdfc3f413b69826189ec3
+  languageName: node
+  linkType: hard
+
+"ansi-regex@npm:^4.1.0":
+  version: 4.1.0
+  resolution: "ansi-regex@npm:4.1.0"
+  checksum: 97aa4659538d53e5e441f5ef2949a3cffcb838e57aeaad42c4194e9d7ddb37246a6526c4ca85d3940a9d1e19b11cc2e114530b54c9d700c8baf163c31779baf8
+  languageName: node
+  linkType: hard
+
+"ansi-regex@npm:^5.0.0":
+  version: 5.0.0
+  resolution: "ansi-regex@npm:5.0.0"
+  checksum: b1bb4e992a5d96327bb4f72eaba9f8047f1d808d273ad19d399e266bfcc7fb19a4d1a127a32f7bc61fe46f1a94a4d04ec4c424e3fbe184929aa866323d8ed4ce
+  languageName: node
+  linkType: hard
+
+"ansi-regex@npm:^5.0.1":
+  version: 5.0.1
+  resolution: "ansi-regex@npm:5.0.1"
+  checksum: 2aa4bb54caf2d622f1afdad09441695af2a83aa3fe8b8afa581d205e57ed4261c183c4d3877cee25794443fde5876417d859c108078ab788d6af7e4fe52eb66b
+  languageName: node
+  linkType: hard
+
+"ansi-styles@npm:^2.2.1":
+  version: 2.2.1
+  resolution: "ansi-styles@npm:2.2.1"
+  checksum: ebc0e00381f2a29000d1dac8466a640ce11943cef3bda3cd0020dc042e31e1058ab59bf6169cd794a54c3a7338a61ebc404b7c91e004092dd20e028c432c9c2c
+  languageName: node
+  linkType: hard
+
+"ansi-styles@npm:^3.0.0, ansi-styles@npm:^3.2.0, ansi-styles@npm:^3.2.1":
+  version: 3.2.1
+  resolution: "ansi-styles@npm:3.2.1"
+  dependencies:
+    color-convert: ^1.9.0
+  checksum: d85ade01c10e5dd77b6c89f34ed7531da5830d2cb5882c645f330079975b716438cd7ebb81d0d6e6b4f9c577f19ae41ab55f07f19786b02f9dfd9e0377395665
+  languageName: node
+  linkType: hard
+
+"ansi-styles@npm:^4.0.0, ansi-styles@npm:^4.1.0":
+  version: 4.3.0
+  resolution: "ansi-styles@npm:4.3.0"
+  dependencies:
+    color-convert: ^2.0.1
+  checksum: 513b44c3b2105dd14cc42a19271e80f386466c4be574bccf60b627432f9198571ebf4ab1e4c3ba17347658f4ee1711c163d574248c0c1cdc2d5917a0ad582ec4
+  languageName: node
+  linkType: hard
+
+"ansi-styles@npm:~1.0.0":
+  version: 1.0.0
+  resolution: "ansi-styles@npm:1.0.0"
+  checksum: 6dd47dccb268b4cc1fd0dd6617067a7acd34ad2761f0438800fdd55c0d45f50a90787acd82806009c2bf467f4e2920166be03e19b23529038c1c4527d80f598b
+  languageName: node
+  linkType: hard
+
+"ansi-to-html@npm:^0.6.15, ansi-to-html@npm:^0.6.6":
+  version: 0.6.15
+  resolution: "ansi-to-html@npm:0.6.15"
+  dependencies:
+    entities: ^2.0.0
+  bin:
+    ansi-to-html: bin/ansi-to-html
+  checksum: c899362a29b92c8ae075b72168b826f7c233875b475719304942f80695e0ce4a6812845021192da5fb0ac80b10209b4fae5aede42620a1b1b3d3b30f3ef77a86
+  languageName: node
+  linkType: hard
+
+"ansicolors@npm:~0.2.1":
+  version: 0.2.1
+  resolution: "ansicolors@npm:0.2.1"
+  checksum: 7120ca45a780cf17d786070874776637adcc107cf2bb9b38934f92d88cb5c3d16e1e7092708ba0f64f2031e6c10844c26e8a13d9e27f7b058c36ad8950cbfd02
+  languageName: node
+  linkType: hard
+
+"anymatch@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "anymatch@npm:2.0.0"
+  dependencies:
+    micromatch: ^3.1.4
+    normalize-path: ^2.1.1
+  checksum: f7bb1929842b4585cdc28edbb385767d499ce7d673f96a8f11348d2b2904592ffffc594fe9229b9a1e9e4dccb9329b7692f9f45e6a11dcefbb76ecdc9ab740f6
+  languageName: node
+  linkType: hard
+
+"anymatch@npm:^3.1.1, anymatch@npm:~3.1.1":
+  version: 3.1.2
+  resolution: "anymatch@npm:3.1.2"
+  dependencies:
+    normalize-path: ^3.0.0
+    picomatch: ^2.0.4
+  checksum: 985163db2292fac9e5a1e072bf99f1b5baccf196e4de25a0b0b81865ebddeb3b3eb4480734ef0a2ac8c002845396b91aa89121f5b84f93981a4658164a9ec6e9
+  languageName: node
+  linkType: hard
+
+"anymatch@npm:~3.1.2":
+  version: 3.1.3
+  resolution: "anymatch@npm:3.1.3"
+  dependencies:
+    normalize-path: ^3.0.0
+    picomatch: ^2.0.4
+  checksum: 3e044fd6d1d26545f235a9fe4d7a534e2029d8e59fa7fd9f2a6eb21230f6b5380ea1eaf55136e60cbf8e613544b3b766e7a6fa2102e2a3a117505466e3025dc2
+  languageName: node
+  linkType: hard
+
+"aproba@npm:^1.0.3 || ^2.0.0":
+  version: 2.0.0
+  resolution: "aproba@npm:2.0.0"
+  checksum: 5615cadcfb45289eea63f8afd064ab656006361020e1735112e346593856f87435e02d8dcc7ff0d11928bc7d425f27bc7c2a84f6c0b35ab0ff659c814c138a24
+  languageName: node
+  linkType: hard
+
+"aproba@npm:^1.1.1":
+  version: 1.2.0
+  resolution: "aproba@npm:1.2.0"
+  checksum: 0fca141966559d195072ed047658b6e6c4fe92428c385dd38e288eacfc55807e7b4989322f030faff32c0f46bb0bc10f1e0ac32ec22d25315a1e5bbc0ebb76dc
+  languageName: node
+  linkType: hard
+
+"are-we-there-yet@npm:^3.0.0":
+  version: 3.0.1
+  resolution: "are-we-there-yet@npm:3.0.1"
+  dependencies:
+    delegates: ^1.0.0
+    readable-stream: ^3.6.0
+  checksum: 52590c24860fa7173bedeb69a4c05fb573473e860197f618b9a28432ee4379049336727ae3a1f9c4cb083114601c1140cee578376164d0e651217a9843f9fe83
+  languageName: node
+  linkType: hard
+
+"argparse@npm:^1.0.7":
+  version: 1.0.10
+  resolution: "argparse@npm:1.0.10"
+  dependencies:
+    sprintf-js: ~1.0.2
+  checksum: 7ca6e45583a28de7258e39e13d81e925cfa25d7d4aacbf806a382d3c02fcb13403a07fb8aeef949f10a7cfe4a62da0e2e807b348a5980554cc28ee573ef95945
+  languageName: node
+  linkType: hard
+
+"argparse@npm:^2.0.1":
+  version: 2.0.1
+  resolution: "argparse@npm:2.0.1"
+  checksum: 83644b56493e89a254bae05702abf3a1101b4fa4d0ca31df1c9985275a5a5bd47b3c27b7fa0b71098d41114d8ca000e6ed90cad764b306f8a503665e4d517ced
+  languageName: node
+  linkType: hard
+
+"aria-query@npm:^5.0.2":
+  version: 5.1.3
+  resolution: "aria-query@npm:5.1.3"
+  dependencies:
+    deep-equal: ^2.0.5
+  checksum: 929ff95f02857b650fb4cbcd2f41072eee2f46159a6605ea03bf63aa572e35ffdff43d69e815ddc462e16e07de8faba3978afc2813650b4448ee18c9895d982b
+  languageName: node
+  linkType: hard
+
+"arr-diff@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "arr-diff@npm:4.0.0"
+  checksum: ea7c8834842ad3869297f7915689bef3494fd5b102ac678c13ffccab672d3d1f35802b79e90c4cfec2f424af3392e44112d1ccf65da34562ed75e049597276a0
+  languageName: node
+  linkType: hard
+
+"arr-flatten@npm:^1.1.0":
+  version: 1.1.0
+  resolution: "arr-flatten@npm:1.1.0"
+  checksum: 963fe12564fca2f72c055f3f6c206b9e031f7c433a0c66ca9858b484821f248c5b1e5d53c8e4989d80d764cd776cf6d9b160ad05f47bdc63022bfd63b5455e22
+  languageName: node
+  linkType: hard
+
+"arr-union@npm:^3.1.0":
+  version: 3.1.0
+  resolution: "arr-union@npm:3.1.0"
+  checksum: b5b0408c6eb7591143c394f3be082fee690ddd21f0fdde0a0a01106799e847f67fcae1b7e56b0a0c173290e29c6aca9562e82b300708a268bc8f88f3d6613cb9
+  languageName: node
+  linkType: hard
+
+"array-buffer-byte-length@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "array-buffer-byte-length@npm:1.0.0"
+  dependencies:
+    call-bind: ^1.0.2
+    is-array-buffer: ^3.0.1
+  checksum: 044e101ce150f4804ad19c51d6c4d4cfa505c5b2577bd179256e4aa3f3f6a0a5e9874c78cd428ee566ac574c8a04d7ce21af9fe52e844abfdccb82b33035a7c3
+  languageName: node
+  linkType: hard
+
+"array-equal@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "array-equal@npm:1.0.0"
+  checksum: 3f68045806357db9b2fa1ad583e42a659de030633118a0cd35ee4975cb20db3b9a3d36bbec9b5afe70011cf989eefd215c12fe0ce08c498f770859ca6e70688a
+  languageName: node
+  linkType: hard
+
+"array-flatten@npm:1.1.1":
+  version: 1.1.1
+  resolution: "array-flatten@npm:1.1.1"
+  checksum: a9925bf3512d9dce202112965de90c222cd59a4fbfce68a0951d25d965cf44642931f40aac72309c41f12df19afa010ecadceb07cfff9ccc1621e99d89ab5f3b
+  languageName: node
+  linkType: hard
+
+"array-from@npm:^2.1.1":
+  version: 2.1.1
+  resolution: "array-from@npm:2.1.1"
+  checksum: 4cd5fa27aa6133b99a57c2881d2a8a66ec59b8e17a0c900f7e8ac9a0a2fae450ed682b67435467bfa71ac9328d025a760c5c46a95586a352180c5a79fc13015d
+  languageName: node
+  linkType: hard
+
+"array-to-error@npm:^1.0.0":
+  version: 1.1.1
+  resolution: "array-to-error@npm:1.1.1"
+  dependencies:
+    array-to-sentence: ^1.1.0
+  checksum: c476c79249b4852f4ae6e2cff1463c3343986d1324e273c6404ccea1748a5b1900d05e774fc84f3f29c964aa4d36702d5c0426034856197da73557797c947e0f
+  languageName: node
+  linkType: hard
+
+"array-to-sentence@npm:^1.1.0":
+  version: 1.1.0
+  resolution: "array-to-sentence@npm:1.1.0"
+  checksum: 7252ed7b93c6c5f07afcc67feef34b68f9b0b744f00fc7317e6d12f2c3320dc5417cedfc0c23497cc867ebdeca0573486ca8e6b09a515c5e6a90e860c668f2b6
+  languageName: node
+  linkType: hard
+
+"array-union@npm:^2.1.0":
+  version: 2.1.0
+  resolution: "array-union@npm:2.1.0"
+  checksum: 5bee12395cba82da674931df6d0fea23c4aa4660cb3b338ced9f828782a65caa232573e6bf3968f23e0c5eb301764a382cef2f128b170a9dc59de0e36c39f98d
+  languageName: node
+  linkType: hard
+
+"array-unique@npm:^0.3.2":
+  version: 0.3.2
+  resolution: "array-unique@npm:0.3.2"
+  checksum: da344b89cfa6b0a5c221f965c21638bfb76b57b45184a01135382186924f55973cd9b171d4dad6bf606c6d9d36b0d721d091afdc9791535ead97ccbe78f8a888
+  languageName: node
+  linkType: hard
+
+"arrify@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "arrify@npm:1.0.1"
+  checksum: 745075dd4a4624ff0225c331dacb99be501a515d39bcb7c84d24660314a6ec28e68131b137e6f7e16318170842ce97538cd298fc4cd6b2cc798e0b957f2747e7
+  languageName: node
+  linkType: hard
+
+"arrify@npm:^2.0.1":
+  version: 2.0.1
+  resolution: "arrify@npm:2.0.1"
+  checksum: 067c4c1afd182806a82e4c1cb8acee16ab8b5284fbca1ce29408e6e91281c36bb5b612f6ddfbd40a0f7a7e0c75bf2696eb94c027f6e328d6e9c52465c98e4209
+  languageName: node
+  linkType: hard
+
+"asn1.js@npm:^5.2.0":
+  version: 5.4.1
+  resolution: "asn1.js@npm:5.4.1"
+  dependencies:
+    bn.js: ^4.0.0
+    inherits: ^2.0.1
+    minimalistic-assert: ^1.0.0
+    safer-buffer: ^2.1.0
+  checksum: 3786a101ac6f304bd4e9a7df79549a7561950a13d4bcaec0c7790d44c80d147c1a94ba3d4e663673406064642a40b23fcd6c82a9952468e386c1a1376d747f9a
+  languageName: node
+  linkType: hard
+
+"asn1@npm:~0.2.3":
+  version: 0.2.4
+  resolution: "asn1@npm:0.2.4"
+  dependencies:
+    safer-buffer: ~2.1.0
+  checksum: aa5d6f77b1e0597df53824c68cfe82d1d89ce41cb3520148611f025fbb3101b2d25dd6a40ad34e4fac10f6b19ed5e8628cd4b7d212261e80e83f02b39ee5663c
+  languageName: node
+  linkType: hard
+
+"asn1js@npm:^2.1.1, asn1js@npm:^2.2.0":
+  version: 2.2.0
+  resolution: "asn1js@npm:2.2.0"
+  dependencies:
+    pvutils: latest
+  checksum: 936e233b7453d7e9805c1637f02da7145d73d5158105710f9bc79efaf51aa935a8bce87b0efed59da4c32fc304bfe28eb22fad1e1bf2f926478e110c6f3da240
+  languageName: node
+  linkType: hard
+
+"assert-never@npm:^1.1.0, assert-never@npm:^1.2.1":
+  version: 1.2.1
+  resolution: "assert-never@npm:1.2.1"
+  checksum: ea4f1756d90f55254c4dc7a20d6c5d5bc169160562aefe3d8756b598c10e695daf568f21b6d6b12245d7f3782d3ff83ef6a01ab75d487adfc6909470a813bf8c
+  languageName: node
+  linkType: hard
+
+"assert-plus@npm:1.0.0, assert-plus@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "assert-plus@npm:1.0.0"
+  checksum: 19b4340cb8f0e6a981c07225eacac0e9d52c2644c080198765d63398f0075f83bbc0c8e95474d54224e297555ad0d631c1dcd058adb1ddc2437b41a6b424ac64
+  languageName: node
+  linkType: hard
+
+"assert@npm:^1.1.1":
+  version: 1.5.0
+  resolution: "assert@npm:1.5.0"
+  dependencies:
+    object-assign: ^4.1.1
+    util: 0.10.3
+  checksum: 9be48435f726029ae7020c5888a3566bf4d617687aab280827f2e4029644b6515a9519ea10d018b342147c02faf73d9e9419e780e8937b3786ee4945a0ca71e5
+  languageName: node
+  linkType: hard
+
+"assign-symbols@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "assign-symbols@npm:1.0.0"
+  checksum: c0eb895911d05b6b2d245154f70461c5e42c107457972e5ebba38d48967870dee53bcdf6c7047990586daa80fab8dab3cc6300800fbd47b454247fdedd859a2c
+  languageName: node
+  linkType: hard
+
+"ast-metadata-inferer@npm:^0.7.0":
+  version: 0.7.0
+  resolution: "ast-metadata-inferer@npm:0.7.0"
+  dependencies:
+    "@mdn/browser-compat-data": ^3.3.14
+  checksum: 9bb633b680d537cd6d5066e48ed6ae68d7ddae663a380bdba78d4f40b53d4c03845dc3a7307d55ecf1248b447ee28d62bb20ade8b880abc2df629cda9414e32e
+  languageName: node
+  linkType: hard
+
+"ast-types@npm:0.13.3":
+  version: 0.13.3
+  resolution: "ast-types@npm:0.13.3"
+  checksum: 23d08bc589aacb787e22ac7efc086ebcc158e739c057dac74de409a97e26ec9c5bcb2d0709f5678bd5d90f67d93f62fba0e5fe98161a0a3a7534d55a155544d8
+  languageName: node
+  linkType: hard
+
+"astral-regex@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "astral-regex@npm:2.0.0"
+  checksum: 876231688c66400473ba505731df37ea436e574dd524520294cc3bbc54ea40334865e01fa0d074d74d036ee874ee7e62f486ea38bc421ee8e6a871c06f011766
+  languageName: node
+  linkType: hard
+
+"async-disk-cache@npm:^1.2.1":
+  version: 1.3.5
+  resolution: "async-disk-cache@npm:1.3.5"
+  dependencies:
+    debug: ^2.1.3
+    heimdalljs: ^0.2.3
+    istextorbinary: 2.1.0
+    mkdirp: ^0.5.0
+    rimraf: ^2.5.3
+    rsvp: ^3.0.18
+    username-sync: ^1.0.2
+  checksum: 1844554469dc4a0abc855ad3c46296ccf105923186a662c47a85e5fa6a818a2693f2f941b903f2e28ab29895bd41596a81b42f670b71772a8134374f7459f51e
+  languageName: node
+  linkType: hard
+
+"async-disk-cache@npm:^2.0.0":
+  version: 2.1.0
+  resolution: "async-disk-cache@npm:2.1.0"
+  dependencies:
+    debug: ^4.1.1
+    heimdalljs: ^0.2.3
+    istextorbinary: ^2.5.1
+    mkdirp: ^0.5.0
+    rimraf: ^3.0.0
+    rsvp: ^4.8.5
+    username-sync: ^1.0.2
+  checksum: 08dbea2062961885d646d97f46a4309d8ca5254d326a7dd119c8769d31ccab063fa24acf08bce82e38e789997933e6480bcbf97be8e015023cd6685929b93bfb
+  languageName: node
+  linkType: hard
+
+"async-each@npm:^1.0.1":
+  version: 1.0.3
+  resolution: "async-each@npm:1.0.3"
+  checksum: 868651cfeb209970b367fbb96df1e1c8dc0b22c681cda7238417005ab2a5fbd944ee524b43f2692977259a57b7cc2547e03ff68f2b5113dbdf953d48cc078dc3
+  languageName: node
+  linkType: hard
+
+"async-promise-queue@npm:^1.0.3, async-promise-queue@npm:^1.0.5":
+  version: 1.0.5
+  resolution: "async-promise-queue@npm:1.0.5"
+  dependencies:
+    async: ^2.4.1
+    debug: ^2.6.8
+  checksum: 6f18b65e4bac8c12822d66c532aba6c8a8d81ee6e7d790bc7c399e882ff55b642a86379a58df9129db8560f57f76dea0af39b065f43568fb4bec4edf40e415a9
+  languageName: node
+  linkType: hard
+
+"async@npm:^2.4.1":
+  version: 2.6.3
+  resolution: "async@npm:2.6.3"
+  dependencies:
+    lodash: ^4.17.14
+  checksum: 5e5561ff8fca807e88738533d620488ac03a5c43fce6c937451f7e35f943d33ad06c24af3f681a48cca3d2b0002b3118faff0a128dc89438a9bf0226f712c499
+  languageName: node
+  linkType: hard
+
+"async@npm:^2.6.4":
+  version: 2.6.4
+  resolution: "async@npm:2.6.4"
+  dependencies:
+    lodash: ^4.17.14
+  checksum: a52083fb32e1ebe1d63e5c5624038bb30be68ff07a6c8d7dfe35e47c93fc144bd8652cbec869e0ac07d57dde387aa5f1386be3559cdee799cb1f789678d88e19
+  languageName: node
+  linkType: hard
+
+"async@npm:~0.2.9":
+  version: 0.2.10
+  resolution: "async@npm:0.2.10"
+  checksum: 9ea83419ba67dc4ecf42d4eb0d93ce0ac80a67cabb612f160ed096aef5d001e3184ec9e9be5d4dc39b2c51a34e2ae16f9b21d737068b0f615fccb4eea16d0138
+  languageName: node
+  linkType: hard
+
+"asynckit@npm:^0.4.0":
+  version: 0.4.0
+  resolution: "asynckit@npm:0.4.0"
+  checksum: 7b78c451df768adba04e2d02e63e2d0bf3b07adcd6e42b4cf665cb7ce899bedd344c69a1dcbce355b5f972d597b25aaa1c1742b52cffd9caccb22f348114f6be
+  languageName: node
+  linkType: hard
+
+"at-least-node@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "at-least-node@npm:1.0.0"
+  checksum: 463e2f8e43384f1afb54bc68485c436d7622acec08b6fad269b421cb1d29cebb5af751426793d0961ed243146fe4dc983402f6d5a51b720b277818dbf6f2e49e
+  languageName: node
+  linkType: hard
+
+"atob@npm:^2.1.2":
+  version: 2.1.2
+  resolution: "atob@npm:2.1.2"
+  bin:
+    atob: bin/atob.js
+  checksum: dfeeeb70090c5ebea7be4b9f787f866686c645d9f39a0d184c817252d0cf08455ed25267d79c03254d3be1f03ac399992a792edcd5ffb9c91e097ab5ef42833a
+  languageName: node
+  linkType: hard
+
+"autoprefixer@npm:^7.0.0":
+  version: 7.2.6
+  resolution: "autoprefixer@npm:7.2.6"
+  dependencies:
+    browserslist: ^2.11.3
+    caniuse-lite: ^1.0.30000805
+    normalize-range: ^0.1.2
+    num2fraction: ^1.2.2
+    postcss: ^6.0.17
+    postcss-value-parser: ^3.2.3
+  bin:
+    autoprefixer-info: ./bin/autoprefixer-info
+  checksum: 7ad12a58ca128d3e6b6dc5e4b3d83f2a12151216d30bcea1f1f2f8a91d2a019c58dd62fd039a6c1cf218f2ab557b03224703a4396c1b4f01b5c0818bc6ba4dd9
+  languageName: node
+  linkType: hard
+
+"autosize@npm:^4.0.0":
+  version: 4.0.2
+  resolution: "autosize@npm:4.0.2"
+  checksum: e19f1e64742cfd17d8dcd24b878871e36f1b295e4184ad7c5e036204b54c7a6346dd460e7c0b1562244632deb651394e79e656a144aa6fbc69803892713d550d
+  languageName: node
+  linkType: hard
+
+"available-typed-arrays@npm:^1.0.5":
+  version: 1.0.5
+  resolution: "available-typed-arrays@npm:1.0.5"
+  checksum: 20eb47b3cefd7db027b9bbb993c658abd36d4edd3fe1060e83699a03ee275b0c9b216cc076ff3f2db29073225fb70e7613987af14269ac1fe2a19803ccc97f1a
+  languageName: node
+  linkType: hard
+
+"aws-sign2@npm:~0.7.0":
+  version: 0.7.0
+  resolution: "aws-sign2@npm:0.7.0"
+  checksum: b148b0bb0778098ad8cf7e5fc619768bcb51236707ca1d3e5b49e41b171166d8be9fdc2ea2ae43d7decf02989d0aaa3a9c4caa6f320af95d684de9b548a71525
+  languageName: node
+  linkType: hard
+
+"aws4@npm:^1.8.0":
+  version: 1.11.0
+  resolution: "aws4@npm:1.11.0"
+  checksum: 5a00d045fd0385926d20ebebcfba5ec79d4482fe706f63c27b324d489a04c68edb0db99ed991e19eda09cb8c97dc2452059a34d97545cebf591d7a2b5a10999f
+  languageName: node
+  linkType: hard
+
+"babel-code-frame@npm:^6.26.0":
+  version: 6.26.0
+  resolution: "babel-code-frame@npm:6.26.0"
+  dependencies:
+    chalk: ^1.1.3
+    esutils: ^2.0.2
+    js-tokens: ^3.0.2
+  checksum: 9410c3d5a921eb02fa409675d1a758e493323a49e7b9dddb7a2a24d47e61d39ab1129dd29f9175836eac9ce8b1d4c0a0718fcdc57ce0b865b529fd250dbab313
+  languageName: node
+  linkType: hard
+
+"babel-core@npm:^6.26.0, babel-core@npm:^6.26.3":
+  version: 6.26.3
+  resolution: "babel-core@npm:6.26.3"
+  dependencies:
+    babel-code-frame: ^6.26.0
+    babel-generator: ^6.26.0
+    babel-helpers: ^6.24.1
+    babel-messages: ^6.23.0
+    babel-register: ^6.26.0
+    babel-runtime: ^6.26.0
+    babel-template: ^6.26.0
+    babel-traverse: ^6.26.0
+    babel-types: ^6.26.0
+    babylon: ^6.18.0
+    convert-source-map: ^1.5.1
+    debug: ^2.6.9
+    json5: ^0.5.1
+    lodash: ^4.17.4
+    minimatch: ^3.0.4
+    path-is-absolute: ^1.0.1
+    private: ^0.1.8
+    slash: ^1.0.0
+    source-map: ^0.5.7
+  checksum: 3d6a37e5c69ea7f7d66c2a261cbd7219197f2f938700e6ebbabb6d84a03f2bf86691ffa066866dcb49ba6c4bd702d347c9e0e147660847d709705cf43c964752
+  languageName: node
+  linkType: hard
+
+"babel-generator@npm:^6.26.0":
+  version: 6.26.1
+  resolution: "babel-generator@npm:6.26.1"
+  dependencies:
+    babel-messages: ^6.23.0
+    babel-runtime: ^6.26.0
+    babel-types: ^6.26.0
+    detect-indent: ^4.0.0
+    jsesc: ^1.3.0
+    lodash: ^4.17.4
+    source-map: ^0.5.7
+    trim-right: ^1.0.1
+  checksum: 5397f4d4d1243e7157e3336be96c10fcb1f29f73bf2d9842229c71764d9a6431397d249483a38c4d8b1581459e67be4df6f32d26b1666f02d0f5bfc2c2f25193
+  languageName: node
+  linkType: hard
+
+"babel-helper-builder-binary-assignment-operator-visitor@npm:^6.24.1":
+  version: 6.24.1
+  resolution: "babel-helper-builder-binary-assignment-operator-visitor@npm:6.24.1"
+  dependencies:
+    babel-helper-explode-assignable-expression: ^6.24.1
+    babel-runtime: ^6.22.0
+    babel-types: ^6.24.1
+  checksum: 6ef49597837d042980e78284df014972daac7f1f1f2635d978bb2d13990304322f5135f27b8f2d6eb8c4c2459b496ec76e21544e26afbb5dec88f53089e17476
+  languageName: node
+  linkType: hard
+
+"babel-helper-call-delegate@npm:^6.24.1":
+  version: 6.24.1
+  resolution: "babel-helper-call-delegate@npm:6.24.1"
+  dependencies:
+    babel-helper-hoist-variables: ^6.24.1
+    babel-runtime: ^6.22.0
+    babel-traverse: ^6.24.1
+    babel-types: ^6.24.1
+  checksum: b6277d6e48c10cf416632f6dfbac77bdf6ba8ec4ac2f6359a77d6b731dae941c2a3ec7f35e1eba78aad2a7e0838197731d1ef75af529055096c4cb7d96432c88
+  languageName: node
+  linkType: hard
+
+"babel-helper-define-map@npm:^6.24.1":
+  version: 6.26.0
+  resolution: "babel-helper-define-map@npm:6.26.0"
+  dependencies:
+    babel-helper-function-name: ^6.24.1
+    babel-runtime: ^6.26.0
+    babel-types: ^6.26.0
+    lodash: ^4.17.4
+  checksum: 08e201eb009a7dbd020232fb7468ac772ebb8cfd33ec9a41113a54f4c90fd1e3474497783d635b8f87d797706323ca0c1758c516a630b0c95277112fc2fe4f13
+  languageName: node
+  linkType: hard
+
+"babel-helper-explode-assignable-expression@npm:^6.24.1":
+  version: 6.24.1
+  resolution: "babel-helper-explode-assignable-expression@npm:6.24.1"
+  dependencies:
+    babel-runtime: ^6.22.0
+    babel-traverse: ^6.24.1
+    babel-types: ^6.24.1
+  checksum: 1bafdb51ce3dd95cf25d712d24a0c3c2ae02ff58118c77462f14ede4d8161aaee42c5c759c3d3a3344a5851b8b0f8d16b395713413b8194e1c3264fc5b12b754
+  languageName: node
+  linkType: hard
+
+"babel-helper-function-name@npm:^6.24.1":
+  version: 6.24.1
+  resolution: "babel-helper-function-name@npm:6.24.1"
+  dependencies:
+    babel-helper-get-function-arity: ^6.24.1
+    babel-runtime: ^6.22.0
+    babel-template: ^6.24.1
+    babel-traverse: ^6.24.1
+    babel-types: ^6.24.1
+  checksum: d651db9e0b29e135877e90e7858405750a684220d22a6f7c78bb163305a1b322cc1c8bea1bc617625c34d92d0927fdbaa49ee46822e2f86b524eced4c88c7ff0
+  languageName: node
+  linkType: hard
+
+"babel-helper-get-function-arity@npm:^6.24.1":
+  version: 6.24.1
+  resolution: "babel-helper-get-function-arity@npm:6.24.1"
+  dependencies:
+    babel-runtime: ^6.22.0
+    babel-types: ^6.24.1
+  checksum: 37e344d6c5c00b67a3b378490a5d7ba924bab1c2ccd6ecf1b7da96ca679be12d75fbec6279366ae9772e482fb06a7b48293954dd79cbeba9b947e2db67252fbd
+  languageName: node
+  linkType: hard
+
+"babel-helper-hoist-variables@npm:^6.24.1":
+  version: 6.24.1
+  resolution: "babel-helper-hoist-variables@npm:6.24.1"
+  dependencies:
+    babel-runtime: ^6.22.0
+    babel-types: ^6.24.1
+  checksum: 6af1c165d5f0ad192df07daa194d13de77572bd914d2fc9a270d56b93b2705d98eebabf412b1211505535af131fbe95886fcfad8b3a07b4d501c24b9cb8e57fe
+  languageName: node
+  linkType: hard
+
+"babel-helper-optimise-call-expression@npm:^6.24.1":
+  version: 6.24.1
+  resolution: "babel-helper-optimise-call-expression@npm:6.24.1"
+  dependencies:
+    babel-runtime: ^6.22.0
+    babel-types: ^6.24.1
+  checksum: 16e6aba819b473dbf013391f759497df9f57bc7060bc4e5f7f6b60fb03670eb1dec65dd2227601d58f151e9d647e1f676a12466f5e6674379978820fa02c0fbb
+  languageName: node
+  linkType: hard
+
+"babel-helper-regex@npm:^6.24.1":
+  version: 6.26.0
+  resolution: "babel-helper-regex@npm:6.26.0"
+  dependencies:
+    babel-runtime: ^6.26.0
+    babel-types: ^6.26.0
+    lodash: ^4.17.4
+  checksum: ab949a4c90ab255abaafd9ec11a4a6dc77dba360875af2bb0822b699c058858773792c1e969c425c396837f61009f30c9ee5ba4b9a8ca87b0779ae1622f89fb3
+  languageName: node
+  linkType: hard
+
+"babel-helper-remap-async-to-generator@npm:^6.24.1":
+  version: 6.24.1
+  resolution: "babel-helper-remap-async-to-generator@npm:6.24.1"
+  dependencies:
+    babel-helper-function-name: ^6.24.1
+    babel-runtime: ^6.22.0
+    babel-template: ^6.24.1
+    babel-traverse: ^6.24.1
+    babel-types: ^6.24.1
+  checksum: f330943104b61e7f9248d222bd5fe5d3238904ee20643b76197571e14a724723d64a8096b292a60f64788f0efe30176882c376eeebde00657925678e304324f0
+  languageName: node
+  linkType: hard
+
+"babel-helper-replace-supers@npm:^6.24.1":
+  version: 6.24.1
+  resolution: "babel-helper-replace-supers@npm:6.24.1"
+  dependencies:
+    babel-helper-optimise-call-expression: ^6.24.1
+    babel-messages: ^6.23.0
+    babel-runtime: ^6.22.0
+    babel-template: ^6.24.1
+    babel-traverse: ^6.24.1
+    babel-types: ^6.24.1
+  checksum: ca1d216c5c6afc6af2ef55ea16777ba99e108780ea25da61d93edb09fd85f5e96c756306e2a21e737c3b0c7a16c99762b62a0e5f529d3865b14029fef7351cba
+  languageName: node
+  linkType: hard
+
+"babel-helpers@npm:^6.24.1":
+  version: 6.24.1
+  resolution: "babel-helpers@npm:6.24.1"
+  dependencies:
+    babel-runtime: ^6.22.0
+    babel-template: ^6.24.1
+  checksum: 751c6010e18648eebae422adfea5f3b5eff70d592d693bfe0f53346227d74b38e6cd2553c4c18de1e64faac585de490eccbd3ab86ba0885bdac42ed4478bc6b0
+  languageName: node
+  linkType: hard
+
+"babel-import-util@npm:^0.2.0":
+  version: 0.2.0
+  resolution: "babel-import-util@npm:0.2.0"
+  checksum: 32a71d1de47cfbf99dba552e87c11798ef6116643f24429a654b09cb7d365db0dd5bbfe318eb1b63f0c9eae3a4a0c2aefd9c1e21f2b21f1e24ad703693429f95
+  languageName: node
+  linkType: hard
+
+"babel-import-util@npm:^1.1.0":
+  version: 1.1.0
+  resolution: "babel-import-util@npm:1.1.0"
+  checksum: d4e965a18ebeee78cd69f1735ab10b64e693b5d837cd887c7ce9f03756d55a49a9f434e29077eafc5bb1f15589dad5ceb1efece78a750d4fc2f0451d5a69da9d
+  languageName: node
+  linkType: hard
+
+"babel-import-util@npm:^1.2.2":
+  version: 1.4.1
+  resolution: "babel-import-util@npm:1.4.1"
+  checksum: a7f43a10141f62f05c0b4b3c80ee31f5f362d5f7a7d614fcef836f3eca2ec3ae0a732f8550674542d1821e87c3fd3d986fea94ed12e2a283a1571b6d1249380a
+  languageName: node
+  linkType: hard
+
+"babel-import-util@npm:^1.3.0":
+  version: 1.3.0
+  resolution: "babel-import-util@npm:1.3.0"
+  checksum: 41c6b4276ceefd2263f59be97a99bf8d948899c76587b273d115e91fa9067b0d9cc80ba727a795732052e078c30a3665649c725aed966826bf7c0a258a5fcf03
+  languageName: node
+  linkType: hard
+
+"babel-import-util@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "babel-import-util@npm:2.0.0"
+  checksum: 8d9f62dcf522634ac340fb1380f45382d782f7202c98f7b0a6ad9e1aba50edef1f31f1e61e487953e35bcda98759aed7236398a9bb9798b68b6def697925293d
+  languageName: node
+  linkType: hard
+
+"babel-loader@npm:^8.0.6":
+  version: 8.2.2
+  resolution: "babel-loader@npm:8.2.2"
+  dependencies:
+    find-cache-dir: ^3.3.1
+    loader-utils: ^1.4.0
+    make-dir: ^3.1.0
+    schema-utils: ^2.6.5
+  peerDependencies:
+    "@babel/core": ^7.0.0
+    webpack: ">=2"
+  checksum: df5092ef9886bb49aacb7c58ac40ed0681ced031c8d91e49d680cedace2aa1703390a31fbe7c0e409f739836e911c5c991119133d90d9289f681c0a8ff2447a1
+  languageName: node
+  linkType: hard
+
+"babel-messages@npm:^6.23.0":
+  version: 6.23.0
+  resolution: "babel-messages@npm:6.23.0"
+  dependencies:
+    babel-runtime: ^6.22.0
+  checksum: c8075c17587a33869e1a5bd0a5b73bbe395b68188362dacd5418debbc7c8fd784bcd3295e81ee7e410dc2c2655755add6af03698c522209f6a68334c15e6d6ca
+  languageName: node
+  linkType: hard
+
+"babel-plugin-check-es2015-constants@npm:^6.22.0":
+  version: 6.22.0
+  resolution: "babel-plugin-check-es2015-constants@npm:6.22.0"
+  dependencies:
+    babel-runtime: ^6.22.0
+  checksum: 39168cb4ff078911726bfaf9d111d1e18f3e99d8b6f6101d343249b28346c3869e415c97fe7e857e7f34b913f8a052634b2b9dcfb4c0272e5f64ed22df69c735
+  languageName: node
+  linkType: hard
+
+"babel-plugin-compact-reexports@npm:^1.1.0":
+  version: 1.1.0
+  resolution: "babel-plugin-compact-reexports@npm:1.1.0"
+  checksum: b2e56896a53a010f96f90f3e13d8bb5485bbe8ebc7203d01d1360ec1a5e374f7bffe9c02a244d946ebff384611533e0b349c93f5da4c1a9c08b9e676fc76b22f
+  languageName: node
+  linkType: hard
+
+"babel-plugin-debug-macros@npm:^0.2.0, babel-plugin-debug-macros@npm:^0.2.0-beta.6":
+  version: 0.2.0
+  resolution: "babel-plugin-debug-macros@npm:0.2.0"
+  dependencies:
+    semver: ^5.3.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-beta.42
+  checksum: 6ea36c7893940df58f08f9d0c72d2e02cf77a763084572d6f6c1291c462108af318eaa737549f96ba332b624efe0cdab6fcb49afa6466388012dbecd749f713c
+  languageName: node
+  linkType: hard
+
+"babel-plugin-debug-macros@npm:^0.3.4":
+  version: 0.3.4
+  resolution: "babel-plugin-debug-macros@npm:0.3.4"
+  dependencies:
+    semver: ^5.3.0
+  peerDependencies:
+    "@babel/core": ^7.0.0
+  checksum: 77762b945a4d4a24d973b659938e4ff9fe485f08c4ad5c8459f184669d946f5883870a6f05a39f09773bcd0923162dcad5fbf8773cf38b3176d71ca415e9e869
+  languageName: node
+  linkType: hard
+
+"babel-plugin-dynamic-import-node@npm:^2.3.3":
+  version: 2.3.3
+  resolution: "babel-plugin-dynamic-import-node@npm:2.3.3"
+  dependencies:
+    object.assign: ^4.1.0
+  checksum: c9d24415bcc608d0db7d4c8540d8002ac2f94e2573d2eadced137a29d9eab7e25d2cbb4bc6b9db65cf6ee7430f7dd011d19c911a9a778f0533b4a05ce8292c9b
+  languageName: node
+  linkType: hard
+
+"babel-plugin-ember-data-packages-polyfill@npm:^0.1.2":
+  version: 0.1.2
+  resolution: "babel-plugin-ember-data-packages-polyfill@npm:0.1.2"
+  dependencies:
+    "@ember-data/rfc395-data": ^0.0.4
+  checksum: c61f9d70898db94feefea7a8cc958c52015fc23b17957eac2f360324b32b4d5b36aa7c2725102b44ee592e1e16b35fd8ee6cdfa949ffc0b11686387251226190
+  languageName: node
+  linkType: hard
+
+"babel-plugin-ember-modules-api-polyfill@npm:^2.6.0":
+  version: 2.13.4
+  resolution: "babel-plugin-ember-modules-api-polyfill@npm:2.13.4"
+  dependencies:
+    ember-rfc176-data: ^0.3.13
+  checksum: 6d647183bc4ab14a7eb80361970fc0050c320af865ca88921e8e1406b2be13ccd318805e9e59c3b3485abe89f1ce34e1ef530e5a78880747103409cc48b3abc0
+  languageName: node
+  linkType: hard
+
+"babel-plugin-ember-modules-api-polyfill@npm:^3.5.0":
+  version: 3.5.0
+  resolution: "babel-plugin-ember-modules-api-polyfill@npm:3.5.0"
+  dependencies:
+    ember-rfc176-data: ^0.3.17
+  checksum: 70a4926fe9c9a6553b877ecf09cd6a077e3c73ac13b5e269fee116c7dcaceaff28b317a7b68c16a9cb6d0470079fbbb3265c2cf755061341c9ccbde28c58d684
+  languageName: node
+  linkType: hard
+
+"babel-plugin-ember-template-compilation@npm:^1.0.0":
+  version: 1.0.1
+  resolution: "babel-plugin-ember-template-compilation@npm:1.0.1"
+  dependencies:
+    babel-import-util: ^0.2.0
+    line-column: ^1.0.2
+    magic-string: ^0.25.7
+    string.prototype.matchall: ^4.0.5
+  checksum: 4eeb31754025fb4b88413028b3d71aa1e50e10cf873c939a314b694a51f5c2771476db6270c5e4cf1863f5ae9d94b696b3c692747ff691078437170a65f2f9ea
+  languageName: node
+  linkType: hard
+
+"babel-plugin-ember-template-compilation@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "babel-plugin-ember-template-compilation@npm:2.0.0"
+  dependencies:
+    babel-import-util: ^1.3.0
+  checksum: 8abe8d6b3f20574ef824a1b6d04694892dae85055ff7aa370a183b383c9322ace64c1bbc4b9ccd54d8b8507e3bd673df10e9f1331ed2d7f23d8f719943f23660
+  languageName: node
+  linkType: hard
+
+"babel-plugin-ember-template-compilation@npm:^2.0.1":
+  version: 2.1.1
+  resolution: "babel-plugin-ember-template-compilation@npm:2.1.1"
+  dependencies:
+    "@glimmer/syntax": ^0.84.3
+    babel-import-util: ^2.0.0
+  checksum: 68ee924151b2081472690fcb6178b884af350b97584431a8648cfff69bf267a0923b3f1575ca265c822355e2aa4bb99b0c3500a98bef54f2fc0b67509215eb5b
+  languageName: node
+  linkType: hard
+
+"babel-plugin-filter-imports@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "babel-plugin-filter-imports@npm:4.0.0"
+  dependencies:
+    "@babel/types": ^7.7.2
+    lodash: ^4.17.15
+  checksum: 757522ac26c3f9f957a1c94c7eaca7abc2c493072b17f8af713589a2b56e1b8321d9c26ca5d0f1060e7be22f55c89a09bde771f8708f0f672d240eb2640fd9d1
+  languageName: node
+  linkType: hard
+
+"babel-plugin-htmlbars-inline-precompile@npm:^3.2.0":
+  version: 3.2.0
+  resolution: "babel-plugin-htmlbars-inline-precompile@npm:3.2.0"
+  checksum: 87793c975af74fd02cabc3a652a0694c15389bc24a1eecd4f2e78b6094be194a6d6e220f0a0489561ea123c052be86544ad96839bf7d78fb6867ffb16dc42ca0
+  languageName: node
+  linkType: hard
+
+"babel-plugin-htmlbars-inline-precompile@npm:^5.0.0, babel-plugin-htmlbars-inline-precompile@npm:^5.2.1, babel-plugin-htmlbars-inline-precompile@npm:^5.3.0":
+  version: 5.3.1
+  resolution: "babel-plugin-htmlbars-inline-precompile@npm:5.3.1"
+  dependencies:
+    babel-plugin-ember-modules-api-polyfill: ^3.5.0
+    line-column: ^1.0.2
+    magic-string: ^0.25.7
+    parse-static-imports: ^1.1.0
+    string.prototype.matchall: ^4.0.5
+  checksum: 8c486d44037b9d87628f15823d93fdf03bf532f9456bb7012de0d6e3791b5fdc61a339400a71acd517d30d57e9812fa6fea83a3185447aac16d05054bf669de0
+  languageName: node
+  linkType: hard
+
+"babel-plugin-inline-json-import@npm:^0.3.2":
+  version: 0.3.2
+  resolution: "babel-plugin-inline-json-import@npm:0.3.2"
+  dependencies:
+    decache: ^4.5.1
+  checksum: cf0cf9802a01e506e4aab44202ce01b8277da22503a2c0f4d60f3cf924f0900bb9e9b3782bffb90a8a25193af923484a5b115e68f6c94a5c5e4c9e058d868394
+  languageName: node
+  linkType: hard
+
+"babel-plugin-module-resolver@npm:^3.2.0":
+  version: 3.2.0
+  resolution: "babel-plugin-module-resolver@npm:3.2.0"
+  dependencies:
+    find-babel-config: ^1.1.0
+    glob: ^7.1.2
+    pkg-up: ^2.0.0
+    reselect: ^3.0.1
+    resolve: ^1.4.0
+  checksum: ef4f7fdb6db97b8c5d7f70b85f54876a1bead35ee360b85a4153d02ce32eba4571afcc71ae11d43b2b6d4c5eeae865fc2127012f9534cfab07f998e2692671e5
+  languageName: node
+  linkType: hard
+
+"babel-plugin-module-resolver@npm:^4.1.0":
+  version: 4.1.0
+  resolution: "babel-plugin-module-resolver@npm:4.1.0"
+  dependencies:
+    find-babel-config: ^1.2.0
+    glob: ^7.1.6
+    pkg-up: ^3.1.0
+    reselect: ^4.0.0
+    resolve: ^1.13.1
+  checksum: 3907fba21ca3c66a081e01fbd16bb09c84781749db16aa57805becc376bb5ee8dc373d4b209613e1453d30ea6c836d13073e9e7b6d239ff1806dd1763a9ab18f
+  languageName: node
+  linkType: hard
+
+"babel-plugin-module-resolver@npm:^5.0.0":
+  version: 5.0.0
+  resolution: "babel-plugin-module-resolver@npm:5.0.0"
+  dependencies:
+    find-babel-config: ^2.0.0
+    glob: ^8.0.3
+    pkg-up: ^3.1.0
+    reselect: ^4.1.7
+    resolve: ^1.22.1
+  checksum: d6880e49fc8e7bac509a2c183b4303ee054a47a80032a59a6f7844bb468ebe5e333b5dc5378443afdab5839e2da2b31a6c8d9a985a0047cd076b82bb9161cc78
+  languageName: node
+  linkType: hard
+
+"babel-plugin-polyfill-corejs2@npm:^0.2.0":
+  version: 0.2.3
+  resolution: "babel-plugin-polyfill-corejs2@npm:0.2.3"
+  dependencies:
+    "@babel/compat-data": ^7.13.11
+    "@babel/helper-define-polyfill-provider": ^0.2.4
+    semver: ^6.1.1
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: a379fdb5aa046fb96516796afb50888bd22de1590fbdaed15c613910f3208500e705dd2a605fb30c0bb8b3191ee9ba9c10b3f46121e0507bf396186941056090
+  languageName: node
+  linkType: hard
+
+"babel-plugin-polyfill-corejs2@npm:^0.3.0":
+  version: 0.3.0
+  resolution: "babel-plugin-polyfill-corejs2@npm:0.3.0"
+  dependencies:
+    "@babel/compat-data": ^7.13.11
+    "@babel/helper-define-polyfill-provider": ^0.3.0
+    semver: ^6.1.1
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: ffede597982066221291fe7c48ec1f1dda2b4ed3ee3e715436320697f35368223e1275bf095769d0b0c1115b90031dc525dd81b8ee9f6c8972cf1d2e10ad2b7d
+  languageName: node
+  linkType: hard
+
+"babel-plugin-polyfill-corejs2@npm:^0.4.6":
+  version: 0.4.6
+  resolution: "babel-plugin-polyfill-corejs2@npm:0.4.6"
+  dependencies:
+    "@babel/compat-data": ^7.22.6
+    "@babel/helper-define-polyfill-provider": ^0.4.3
+    semver: ^6.3.1
+  peerDependencies:
+    "@babel/core": ^7.4.0 || ^8.0.0-0 <8.0.0
+  checksum: 08896811df31530be6a9bcdd630cb9fd4b5ae5181039d18db3796efbc54e38d57a42af460845c10a04434e1bc45c0d47743c7e6c860383cc6b141083cde22030
+  languageName: node
+  linkType: hard
+
+"babel-plugin-polyfill-corejs3@npm:^0.2.0":
+  version: 0.2.5
+  resolution: "babel-plugin-polyfill-corejs3@npm:0.2.5"
+  dependencies:
+    "@babel/helper-define-polyfill-provider": ^0.2.2
+    core-js-compat: ^3.16.2
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 7d464001f6cecc6b85aef71307e3ef17980b15aae4b2ae75d38a3fc3166005f6354932f9c694566970a3fb428f8fbc44f94c46e055a5a85b7fe8820ca16f85b6
+  languageName: node
+  linkType: hard
+
+"babel-plugin-polyfill-corejs3@npm:^0.4.0":
+  version: 0.4.0
+  resolution: "babel-plugin-polyfill-corejs3@npm:0.4.0"
+  dependencies:
+    "@babel/helper-define-polyfill-provider": ^0.3.0
+    core-js-compat: ^3.18.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 18dce9a09a608b4844bce468a1d7b3abfc8a2a4c0df317ad6eb5951c0c95f3d1cc99699d8e67642cdd629f5074499d481481ae5e203ce85b8ed73e8295e25da8
+  languageName: node
+  linkType: hard
+
+"babel-plugin-polyfill-corejs3@npm:^0.5.0":
+  version: 0.5.2
+  resolution: "babel-plugin-polyfill-corejs3@npm:0.5.2"
+  dependencies:
+    "@babel/helper-define-polyfill-provider": ^0.3.1
+    core-js-compat: ^3.21.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 2f3184c73f80f00ac876a5ebcad945fd8d2ae70e5f85b7ab6cc3bc69bc74025f4f7070de7abbb2a7274c78e130bd34fc13f4c85342da28205930364a1ef0aa21
+  languageName: node
+  linkType: hard
+
+"babel-plugin-polyfill-corejs3@npm:^0.8.5":
+  version: 0.8.6
+  resolution: "babel-plugin-polyfill-corejs3@npm:0.8.6"
+  dependencies:
+    "@babel/helper-define-polyfill-provider": ^0.4.3
+    core-js-compat: ^3.33.1
+  peerDependencies:
+    "@babel/core": ^7.4.0 || ^8.0.0-0 <8.0.0
+  checksum: 36951c2edac42ac0f05b200502e90d77bf66ccee5b52e2937d23496c6ef2372cce31b8c64144da374b77bd3eb65e2721703a52eac56cad16a152326c092cbf77
+  languageName: node
+  linkType: hard
+
+"babel-plugin-polyfill-regenerator@npm:^0.2.0":
+  version: 0.2.3
+  resolution: "babel-plugin-polyfill-regenerator@npm:0.2.3"
+  dependencies:
+    "@babel/helper-define-polyfill-provider": ^0.2.4
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: 81be5914f241d785abdfa3b5fc9005792b1b675e3e0a48bbc12db25b49e965985a500fc2008c8026ec7625a757d6d43aa44a75369fece1a413bd9863369e5a9c
+  languageName: node
+  linkType: hard
+
+"babel-plugin-polyfill-regenerator@npm:^0.3.0":
+  version: 0.3.0
+  resolution: "babel-plugin-polyfill-regenerator@npm:0.3.0"
+  dependencies:
+    "@babel/helper-define-polyfill-provider": ^0.3.0
+  peerDependencies:
+    "@babel/core": ^7.0.0-0
+  checksum: ecca4389fd557554efc6de834f84f7c85e83c348d5283de2032d35429bc7121ed6f336553d3d704021f9bef22fca339fbee560d3b0fb8bb1d4eca2fecaaeebcb
+  languageName: node
+  linkType: hard
+
+"babel-plugin-polyfill-regenerator@npm:^0.5.3":
+  version: 0.5.3
+  resolution: "babel-plugin-polyfill-regenerator@npm:0.5.3"
+  dependencies:
+    "@babel/helper-define-polyfill-provider": ^0.4.3
+  peerDependencies:
+    "@babel/core": ^7.4.0 || ^8.0.0-0 <8.0.0
+  checksum: 2bb546582cda1870d19e646a7183baeb2cccd56e0ef3e4eaeabd28e120daf17cb87399194a9ccdcf32506bcaa68d23e73440fc8ab990a7a0f8c5a77c12d5d4bc
+  languageName: node
+  linkType: hard
+
+"babel-plugin-syntax-async-functions@npm:^6.8.0":
+  version: 6.13.0
+  resolution: "babel-plugin-syntax-async-functions@npm:6.13.0"
+  checksum: e982d9756869fa83eb6a4502490a90b0d31e8a41e2ee582045934f022ac8ff5fa6a3386366976fab3a391d5a7ab8ea5f9da623f35ed8ab328b8ab6d9b2feb1d3
+  languageName: node
+  linkType: hard
+
+"babel-plugin-syntax-dynamic-import@npm:^6.18.0":
+  version: 6.18.0
+  resolution: "babel-plugin-syntax-dynamic-import@npm:6.18.0"
+  checksum: 0a7a98ecb63878d65d4fd35e5435b0a7ad8e5c43b394389ce82298733c7a5d95c4373f1dd68566694214dad64abd0fec1e4eb7ee9ca7d1ee06d502e630d61600
+  languageName: node
+  linkType: hard
+
+"babel-plugin-syntax-exponentiation-operator@npm:^6.8.0":
+  version: 6.13.0
+  resolution: "babel-plugin-syntax-exponentiation-operator@npm:6.13.0"
+  checksum: cbcb3aeae7005240325f72d55c3c90575033123e8a1ddfa6bf9eac4ee7e246c2a23f5b5ab1144879590d947a3ed1d88838169d125e5d7c4f53678526482b020e
+  languageName: node
+  linkType: hard
+
+"babel-plugin-syntax-trailing-function-commas@npm:^6.22.0":
+  version: 6.22.0
+  resolution: "babel-plugin-syntax-trailing-function-commas@npm:6.22.0"
+  checksum: d8b9039ded835bb128e8e14eeeb6e0ac2a876b85250924bdc3a8dc2a6984d3bfade4de04d40fb15ea04a86d561ac280ae0d7306d7d4ef7a8c52c43b6a23909c6
+  languageName: node
+  linkType: hard
+
+"babel-plugin-transform-async-to-generator@npm:^6.22.0":
+  version: 6.24.1
+  resolution: "babel-plugin-transform-async-to-generator@npm:6.24.1"
+  dependencies:
+    babel-helper-remap-async-to-generator: ^6.24.1
+    babel-plugin-syntax-async-functions: ^6.8.0
+    babel-runtime: ^6.22.0
+  checksum: ffe8b4b2ed6db1f413ede385bd1a36f39e02a64ed79ce02779440049af75215c98f8debdc70eb01430bfd889f792682b0136576fe966f7f9e1b30e2a54695a8d
+  languageName: node
+  linkType: hard
+
+"babel-plugin-transform-es2015-arrow-functions@npm:^6.22.0":
+  version: 6.22.0
+  resolution: "babel-plugin-transform-es2015-arrow-functions@npm:6.22.0"
+  dependencies:
+    babel-runtime: ^6.22.0
+  checksum: 746e2be0fed20771c07f0984ba79ef0bab37d6e98434267ec96cef57272014fe53a180bfb9047bf69ed149d367a2c97baad54d6057531cd037684f371aab2333
+  languageName: node
+  linkType: hard
+
+"babel-plugin-transform-es2015-block-scoped-functions@npm:^6.22.0":
+  version: 6.22.0
+  resolution: "babel-plugin-transform-es2015-block-scoped-functions@npm:6.22.0"
+  dependencies:
+    babel-runtime: ^6.22.0
+  checksum: f251611f723d94b4068d2a873a2783e019bd81bd7144cfdbcfc31ef166f4d82fa2f1efba64342ba2630dab93a2b12284067725c0aa08315712419a2bc3b92a75
+  languageName: node
+  linkType: hard
+
+"babel-plugin-transform-es2015-block-scoping@npm:^6.23.0":
+  version: 6.26.0
+  resolution: "babel-plugin-transform-es2015-block-scoping@npm:6.26.0"
+  dependencies:
+    babel-runtime: ^6.26.0
+    babel-template: ^6.26.0
+    babel-traverse: ^6.26.0
+    babel-types: ^6.26.0
+    lodash: ^4.17.4
+  checksum: 5e4dee33bf4aab0ce7751a9ae845c25d3bf03944ffdfc8d784e1de2123a3eec19657dd59274c9969461757f5e2ab75c517e978bafe5309a821a41e278ad38a63
+  languageName: node
+  linkType: hard
+
+"babel-plugin-transform-es2015-classes@npm:^6.23.0":
+  version: 6.24.1
+  resolution: "babel-plugin-transform-es2015-classes@npm:6.24.1"
+  dependencies:
+    babel-helper-define-map: ^6.24.1
+    babel-helper-function-name: ^6.24.1
+    babel-helper-optimise-call-expression: ^6.24.1
+    babel-helper-replace-supers: ^6.24.1
+    babel-messages: ^6.23.0
+    babel-runtime: ^6.22.0
+    babel-template: ^6.24.1
+    babel-traverse: ^6.24.1
+    babel-types: ^6.24.1
+  checksum: 999392b47a83cf9297e49fbde00bc9b15fb6d71bc041f7b3d621ac45361486ec4b66f55c47f98dca6c398ceaa8bfc9f3c21257854822c4523e7475a92e6c000a
+  languageName: node
+  linkType: hard
+
+"babel-plugin-transform-es2015-computed-properties@npm:^6.22.0":
+  version: 6.24.1
+  resolution: "babel-plugin-transform-es2015-computed-properties@npm:6.24.1"
+  dependencies:
+    babel-runtime: ^6.22.0
+    babel-template: ^6.24.1
+  checksum: 34e466bfd4b021aa3861db66cf10a9093fa6a4fcedbc8c82a55f6ca1fcbd212a9967f2df6c5f9e9a20046fa43c8967633a476f2bbc15cb8d3769cbba948a5c16
+  languageName: node
+  linkType: hard
+
+"babel-plugin-transform-es2015-destructuring@npm:^6.23.0":
+  version: 6.23.0
+  resolution: "babel-plugin-transform-es2015-destructuring@npm:6.23.0"
+  dependencies:
+    babel-runtime: ^6.22.0
+  checksum: 1343d27f09846e6e1e48da7b83d0d4f2d5571559c468ad8ad4c3715b8ff3e21b2d553e90ad420dc6840de260b7f3b9f9c057606d527e3d838a52a3a7c5fffdbe
+  languageName: node
+  linkType: hard
+
+"babel-plugin-transform-es2015-duplicate-keys@npm:^6.22.0":
+  version: 6.24.1
+  resolution: "babel-plugin-transform-es2015-duplicate-keys@npm:6.24.1"
+  dependencies:
+    babel-runtime: ^6.22.0
+    babel-types: ^6.24.1
+  checksum: 756a7a13517c3e80c8312137b9872b9bc32fbfbb905e9f1e45bf321e2b464d0e6a6e6deca22c61b62377225bd8136b73580897cccb394995d6e00bc8ce882ba4
+  languageName: node
+  linkType: hard
+
+"babel-plugin-transform-es2015-for-of@npm:^6.23.0":
+  version: 6.23.0
+  resolution: "babel-plugin-transform-es2015-for-of@npm:6.23.0"
+  dependencies:
+    babel-runtime: ^6.22.0
+  checksum: 0124e320c32b25de84ddaba951a6f0ad031fa5019de54de32bd317d2a97b3f967026008f32e8c88728330c1cce7c4f1d0ecb15007020d50bd5ca1438a882e205
+  languageName: node
+  linkType: hard
+
+"babel-plugin-transform-es2015-function-name@npm:^6.22.0":
+  version: 6.24.1
+  resolution: "babel-plugin-transform-es2015-function-name@npm:6.24.1"
+  dependencies:
+    babel-helper-function-name: ^6.24.1
+    babel-runtime: ^6.22.0
+    babel-types: ^6.24.1
+  checksum: 629ecd824d53ec973a3ef85e74d9fd8c710203084ca2f7ac833879ddfa3b83a28f0270fe2ee5f3b8c078bb4b3e4b843173a646a7cd4abc49e8c1c563d31fb711
+  languageName: node
+  linkType: hard
+
+"babel-plugin-transform-es2015-literals@npm:^6.22.0":
+  version: 6.22.0
+  resolution: "babel-plugin-transform-es2015-literals@npm:6.22.0"
+  dependencies:
+    babel-runtime: ^6.22.0
+  checksum: 40e270580a0236990f2555f5dc7ae24b4db9f4709ca455ed1a6724b0078592482274be7448579b14122bd06481641a38e7b2e48d0b49b8c81c88e154a26865b4
+  languageName: node
+  linkType: hard
+
+"babel-plugin-transform-es2015-modules-amd@npm:^6.22.0, babel-plugin-transform-es2015-modules-amd@npm:^6.24.0, babel-plugin-transform-es2015-modules-amd@npm:^6.24.1":
+  version: 6.24.1
+  resolution: "babel-plugin-transform-es2015-modules-amd@npm:6.24.1"
+  dependencies:
+    babel-plugin-transform-es2015-modules-commonjs: ^6.24.1
+    babel-runtime: ^6.22.0
+    babel-template: ^6.24.1
+  checksum: 084c7a1ef3bd0b2b9f4851b27cfb65f8ea1408349af05b4d88f994c23844a0754abfa4799bbc5f3f0ec94232b3a54a2e46d7f1dff1bdd40fa66a46f645197dfa
+  languageName: node
+  linkType: hard
+
+"babel-plugin-transform-es2015-modules-commonjs@npm:^6.23.0, babel-plugin-transform-es2015-modules-commonjs@npm:^6.24.1":
+  version: 6.26.2
+  resolution: "babel-plugin-transform-es2015-modules-commonjs@npm:6.26.2"
+  dependencies:
+    babel-plugin-transform-strict-mode: ^6.24.1
+    babel-runtime: ^6.26.0
+    babel-template: ^6.26.0
+    babel-types: ^6.26.0
+  checksum: 9cd93a84037855c1879bcc100229bee25b44c4805a9a9f040e8927f772c4732fa17a0706c81ea0db77b357dd9baf84388eec03ceb36597932c48fe32fb3d4171
+  languageName: node
+  linkType: hard
+
+"babel-plugin-transform-es2015-modules-systemjs@npm:^6.23.0":
+  version: 6.24.1
+  resolution: "babel-plugin-transform-es2015-modules-systemjs@npm:6.24.1"
+  dependencies:
+    babel-helper-hoist-variables: ^6.24.1
+    babel-runtime: ^6.22.0
+    babel-template: ^6.24.1
+  checksum: b34877e201d7b4d293d87c04962a3575fe7727a9593e99ce3a7f8deea3da8883a08bd87a6a12927083ac26f47f6944a31cdbfe3d6eb4d18dd884cb2d304ee943
+  languageName: node
+  linkType: hard
+
+"babel-plugin-transform-es2015-modules-umd@npm:^6.23.0":
+  version: 6.24.1
+  resolution: "babel-plugin-transform-es2015-modules-umd@npm:6.24.1"
+  dependencies:
+    babel-plugin-transform-es2015-modules-amd: ^6.24.1
+    babel-runtime: ^6.22.0
+    babel-template: ^6.24.1
+  checksum: 735857b9f2ad0c41ceda31a1594fe2a063025f4428f9e243885a437b5bd415aca445a5e8495ff34b7120617735b1c3a2158033f0be23f1f5a90e655fff742a01
+  languageName: node
+  linkType: hard
+
+"babel-plugin-transform-es2015-object-super@npm:^6.22.0":
+  version: 6.24.1
+  resolution: "babel-plugin-transform-es2015-object-super@npm:6.24.1"
+  dependencies:
+    babel-helper-replace-supers: ^6.24.1
+    babel-runtime: ^6.22.0
+  checksum: 97b2968f699ac94cb55f4f1e7ea53dc9e4264ec99cab826f40f181da9f6db5980cd8b4985f05c7b6f1e19fbc31681e6e63894dfc5ecf4b3a673d736c4ef0f9db
+  languageName: node
+  linkType: hard
+
+"babel-plugin-transform-es2015-parameters@npm:^6.23.0":
+  version: 6.24.1
+  resolution: "babel-plugin-transform-es2015-parameters@npm:6.24.1"
+  dependencies:
+    babel-helper-call-delegate: ^6.24.1
+    babel-helper-get-function-arity: ^6.24.1
+    babel-runtime: ^6.22.0
+    babel-template: ^6.24.1
+    babel-traverse: ^6.24.1
+    babel-types: ^6.24.1
+  checksum: bb6c047dc10499be8ccebdffac22c77f14aee5d3106da8f2e96c801d2746403c809d8c6922e8ebd2eb31d8827b4bb2321ba43378fcdc9dca206417bb345c4f93
+  languageName: node
+  linkType: hard
+
+"babel-plugin-transform-es2015-shorthand-properties@npm:^6.22.0":
+  version: 6.24.1
+  resolution: "babel-plugin-transform-es2015-shorthand-properties@npm:6.24.1"
+  dependencies:
+    babel-runtime: ^6.22.0
+    babel-types: ^6.24.1
+  checksum: 9302c5de158a28432e932501a783560094c624c3659f4e0a472b6b2e9d6e8ab2634f82ef74d3e75363d46ccff6aad119267dbc34f67464c70625e24a651ad9e5
+  languageName: node
+  linkType: hard
+
+"babel-plugin-transform-es2015-spread@npm:^6.22.0":
+  version: 6.22.0
+  resolution: "babel-plugin-transform-es2015-spread@npm:6.22.0"
+  dependencies:
+    babel-runtime: ^6.22.0
+  checksum: 8694a8a7802d905503194ab81c155354b36d39fc819ad2148f83146518dd37d2c6926c8568712f5aa890169afc9353fd4bcc49397959c6dc9da3480b449c0ae9
+  languageName: node
+  linkType: hard
+
+"babel-plugin-transform-es2015-sticky-regex@npm:^6.22.0":
+  version: 6.24.1
+  resolution: "babel-plugin-transform-es2015-sticky-regex@npm:6.24.1"
+  dependencies:
+    babel-helper-regex: ^6.24.1
+    babel-runtime: ^6.22.0
+    babel-types: ^6.24.1
+  checksum: d9c45401caf0d74779a1170e886976d4c865b7de2e90dfffc7557481b9e73b6e37e9f1028aa07b813896c4df88f4d7e89968249a74547c7875e6c499c90c801d
+  languageName: node
+  linkType: hard
+
+"babel-plugin-transform-es2015-template-literals@npm:^6.22.0":
+  version: 6.22.0
+  resolution: "babel-plugin-transform-es2015-template-literals@npm:6.22.0"
+  dependencies:
+    babel-runtime: ^6.22.0
+  checksum: 4fad2b7b383a2e784858ee7bf837419ee8ff9602afe218e1472f8c33a0c008f01d06f23ff2f2322fb23e1ed17e37237a818575fe88ecc5417d85331973b0ea4d
+  languageName: node
+  linkType: hard
+
+"babel-plugin-transform-es2015-typeof-symbol@npm:^6.23.0":
+  version: 6.23.0
+  resolution: "babel-plugin-transform-es2015-typeof-symbol@npm:6.23.0"
+  dependencies:
+    babel-runtime: ^6.22.0
+  checksum: 68a1609c6abcddf5f138c56bafcd9fad7c6b3b404fe40910148ab70eb21d6c7807a343a64eb81ce45daf4b70c384c528c55fad45e0d581e4b09efa4d574a6a1b
+  languageName: node
+  linkType: hard
+
+"babel-plugin-transform-es2015-unicode-regex@npm:^6.22.0":
+  version: 6.24.1
+  resolution: "babel-plugin-transform-es2015-unicode-regex@npm:6.24.1"
+  dependencies:
+    babel-helper-regex: ^6.24.1
+    babel-runtime: ^6.22.0
+    regexpu-core: ^2.0.0
+  checksum: 739ddb02e5f77904f83ea45323c9a636e3aed34b2a49c7c68208b5f2834eecb6b655e772f870f16a7aaf09ac8219f754ad69d61741d088f5b681d13cda69265d
+  languageName: node
+  linkType: hard
+
+"babel-plugin-transform-exponentiation-operator@npm:^6.22.0":
+  version: 6.24.1
+  resolution: "babel-plugin-transform-exponentiation-operator@npm:6.24.1"
+  dependencies:
+    babel-helper-builder-binary-assignment-operator-visitor: ^6.24.1
+    babel-plugin-syntax-exponentiation-operator: ^6.8.0
+    babel-runtime: ^6.22.0
+  checksum: 533ad53ba2cd6ff3c0f751563e1beea429c620038dc2efeeb8348ab4752ebcc95d1521857abfd08047400f1921b2d4df5e0cd266e65ddbe4c3edc58b9ad6fd3c
+  languageName: node
+  linkType: hard
+
+"babel-plugin-transform-regenerator@npm:^6.22.0":
+  version: 6.26.0
+  resolution: "babel-plugin-transform-regenerator@npm:6.26.0"
+  dependencies:
+    regenerator-transform: ^0.10.0
+  checksum: 41a51d8f692bf4a5cbd705fa70f3cb6abebae66d9ba3dccfb5921da262f8c30f630e1fe9f7b132e29b96fe0d99385a801f6aa204278c5bd0af4284f7f93a665a
+  languageName: node
+  linkType: hard
+
+"babel-plugin-transform-strict-mode@npm:^6.24.1":
+  version: 6.24.1
+  resolution: "babel-plugin-transform-strict-mode@npm:6.24.1"
+  dependencies:
+    babel-runtime: ^6.22.0
+    babel-types: ^6.24.1
+  checksum: 32d70ce9d8c8918a6a840e46df03dfe1e265eb9b25df5a800fedb5065ef1b4b5f24d7c62d92fca0e374db8b0b9b6f84e68edd02ad21883d48f608583ec29f638
+  languageName: node
+  linkType: hard
+
+"babel-polyfill@npm:^6.26.0":
+  version: 6.26.0
+  resolution: "babel-polyfill@npm:6.26.0"
+  dependencies:
+    babel-runtime: ^6.26.0
+    core-js: ^2.5.0
+    regenerator-runtime: ^0.10.5
+  checksum: 6fb1a3c0bfe1b6fc56ce1afcf531878aa629b309277a05fbf3fe950589b24cb4052a6e487db21d318eb5336b68730a21f5ef62166b6cc8aea3406261054d1118
+  languageName: node
+  linkType: hard
+
+"babel-preset-env@npm:^1.7.0":
+  version: 1.7.0
+  resolution: "babel-preset-env@npm:1.7.0"
+  dependencies:
+    babel-plugin-check-es2015-constants: ^6.22.0
+    babel-plugin-syntax-trailing-function-commas: ^6.22.0
+    babel-plugin-transform-async-to-generator: ^6.22.0
+    babel-plugin-transform-es2015-arrow-functions: ^6.22.0
+    babel-plugin-transform-es2015-block-scoped-functions: ^6.22.0
+    babel-plugin-transform-es2015-block-scoping: ^6.23.0
+    babel-plugin-transform-es2015-classes: ^6.23.0
+    babel-plugin-transform-es2015-computed-properties: ^6.22.0
+    babel-plugin-transform-es2015-destructuring: ^6.23.0
+    babel-plugin-transform-es2015-duplicate-keys: ^6.22.0
+    babel-plugin-transform-es2015-for-of: ^6.23.0
+    babel-plugin-transform-es2015-function-name: ^6.22.0
+    babel-plugin-transform-es2015-literals: ^6.22.0
+    babel-plugin-transform-es2015-modules-amd: ^6.22.0
+    babel-plugin-transform-es2015-modules-commonjs: ^6.23.0
+    babel-plugin-transform-es2015-modules-systemjs: ^6.23.0
+    babel-plugin-transform-es2015-modules-umd: ^6.23.0
+    babel-plugin-transform-es2015-object-super: ^6.22.0
+    babel-plugin-transform-es2015-parameters: ^6.23.0
+    babel-plugin-transform-es2015-shorthand-properties: ^6.22.0
+    babel-plugin-transform-es2015-spread: ^6.22.0
+    babel-plugin-transform-es2015-sticky-regex: ^6.22.0
+    babel-plugin-transform-es2015-template-literals: ^6.22.0
+    babel-plugin-transform-es2015-typeof-symbol: ^6.23.0
+    babel-plugin-transform-es2015-unicode-regex: ^6.22.0
+    babel-plugin-transform-exponentiation-operator: ^6.22.0
+    babel-plugin-transform-regenerator: ^6.22.0
+    browserslist: ^3.2.6
+    invariant: ^2.2.2
+    semver: ^5.3.0
+  checksum: 6e459a6c76086a2a377707680148b94c3d0aba425b039b427ca01171ebada7f5db5d336b309548462f6ba015e13176a4724f912875c15084d4aa88d77020d185
+  languageName: node
+  linkType: hard
+
+"babel-register@npm:^6.26.0":
+  version: 6.26.0
+  resolution: "babel-register@npm:6.26.0"
+  dependencies:
+    babel-core: ^6.26.0
+    babel-runtime: ^6.26.0
+    core-js: ^2.5.0
+    home-or-tmp: ^2.0.0
+    lodash: ^4.17.4
+    mkdirp: ^0.5.1
+    source-map-support: ^0.4.15
+  checksum: 75d5fe060e4850dbdbd5f56db2928cd0b6b6c93a65ba5f2a991465af4dc3f4adf46d575138f228b2169b1e25e3b4a7cdd16515a355fea41b873321bf56467583
+  languageName: node
+  linkType: hard
+
+"babel-runtime@npm:^6.18.0, babel-runtime@npm:^6.22.0, babel-runtime@npm:^6.26.0":
+  version: 6.26.0
+  resolution: "babel-runtime@npm:6.26.0"
+  dependencies:
+    core-js: ^2.4.0
+    regenerator-runtime: ^0.11.0
+  checksum: 8aeade94665e67a73c1ccc10f6fd42ba0c689b980032b70929de7a6d9a12eb87ef51902733f8fefede35afea7a5c3ef7e916a64d503446c1eedc9e3284bd3d50
+  languageName: node
+  linkType: hard
+
+"babel-template@npm:^6.24.1, babel-template@npm:^6.26.0":
+  version: 6.26.0
+  resolution: "babel-template@npm:6.26.0"
+  dependencies:
+    babel-runtime: ^6.26.0
+    babel-traverse: ^6.26.0
+    babel-types: ^6.26.0
+    babylon: ^6.18.0
+    lodash: ^4.17.4
+  checksum: 028dd57380f09b5641b74874a19073c53c4fb3f1696e849575aae18f8c80eaf21db75209057db862f3b893ce2cd9b795d539efa591b58f4a0fb011df0a56fbed
+  languageName: node
+  linkType: hard
+
+"babel-traverse@npm:^6.24.1, babel-traverse@npm:^6.26.0":
+  version: 6.26.0
+  resolution: "babel-traverse@npm:6.26.0"
+  dependencies:
+    babel-code-frame: ^6.26.0
+    babel-messages: ^6.23.0
+    babel-runtime: ^6.26.0
+    babel-types: ^6.26.0
+    babylon: ^6.18.0
+    debug: ^2.6.8
+    globals: ^9.18.0
+    invariant: ^2.2.2
+    lodash: ^4.17.4
+  checksum: fca037588d2791ae0409f1b7aa56075b798699cccc53ea04d82dd1c0f97b9e7ab17065f7dd3ecd69101d7874c9c8fd5e0f88fa53abbae1fe94e37e6b81ebcb8d
+  languageName: node
+  linkType: hard
+
+"babel-types@npm:^6.19.0, babel-types@npm:^6.24.1, babel-types@npm:^6.26.0":
+  version: 6.26.0
+  resolution: "babel-types@npm:6.26.0"
+  dependencies:
+    babel-runtime: ^6.26.0
+    esutils: ^2.0.2
+    lodash: ^4.17.4
+    to-fast-properties: ^1.0.3
+  checksum: d16b0fa86e9b0e4c2623be81d0a35679faff24dd2e43cde4ca58baf49f3e39415a011a889e6c2259ff09e1228e4c3a3db6449a62de59e80152fe1ce7398fde76
+  languageName: node
+  linkType: hard
+
+"babel6-plugin-strip-class-callcheck@npm:^6.0.0":
+  version: 6.0.0
+  resolution: "babel6-plugin-strip-class-callcheck@npm:6.0.0"
+  checksum: e765ff21f9aee4e488a270cd8515a456c0de4f56739c2c285a7d8c72712fcca10cd89d24eec47dec0ce8b77a7e27257ece2674c781169a01a90bcb18c825b369
+  languageName: node
+  linkType: hard
+
+"babylon@npm:^6.18.0":
+  version: 6.18.0
+  resolution: "babylon@npm:6.18.0"
+  bin:
+    babylon: ./bin/babylon.js
+  checksum: 0777ae0c735ce1cbfc856d627589ed9aae212b84fb0c03c368b55e6c5d3507841780052808d0ad46e18a2ba516e93d55eeed8cd967f3b2938822dfeccfb2a16d
+  languageName: node
+  linkType: hard
+
+"backbone@npm:^1.1.2":
+  version: 1.4.0
+  resolution: "backbone@npm:1.4.0"
+  dependencies:
+    underscore: ">=1.8.3"
+  checksum: 09abdf184c485a4cd2c68218298cf772fbefeaa166ef8eb795cdb0159b4ad1d2f6823dde089352eaf0be929e5bbef67c57555722f4d1886f969d954f77814870
+  languageName: node
+  linkType: hard
+
+"bail@npm:^1.0.0":
+  version: 1.0.5
+  resolution: "bail@npm:1.0.5"
+  checksum: 6c334940d7eaa4e656a12fb12407b6555649b6deb6df04270fa806e0da82684ebe4a4e47815b271c794b40f8d6fa286e0c248b14ddbabb324a917fab09b7301a
+  languageName: node
+  linkType: hard
+
+"balanced-match@npm:^1.0.0":
+  version: 1.0.2
+  resolution: "balanced-match@npm:1.0.2"
+  checksum: 9706c088a283058a8a99e0bf91b0a2f75497f185980d9ffa8b304de1d9e58ebda7c72c07ebf01dadedaac5b2907b2c6f566f660d62bd336c3468e960403b9d65
+  languageName: node
+  linkType: hard
+
+"balanced-match@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "balanced-match@npm:2.0.0"
+  checksum: 9a5caad6a292c5df164cc6d0c38e0eedf9a1413f42e5fece733640949d74d0052cfa9587c1a1681f772147fb79be495121325a649526957fd75b3a216d1fbc68
+  languageName: node
+  linkType: hard
+
+"base64-js@npm:^1.0.2, base64-js@npm:^1.3.1":
+  version: 1.5.1
+  resolution: "base64-js@npm:1.5.1"
+  checksum: 669632eb3745404c2f822a18fc3a0122d2f9a7a13f7fb8b5823ee19d1d2ff9ee5b52c53367176ea4ad093c332fd5ab4bd0ebae5a8e27917a4105a4cfc86b1005
+  languageName: node
+  linkType: hard
+
+"base64id@npm:2.0.0, base64id@npm:~2.0.0":
+  version: 2.0.0
+  resolution: "base64id@npm:2.0.0"
+  checksum: 581b1d37e6cf3738b7ccdd4d14fe2bfc5c238e696e2720ee6c44c183b838655842e22034e53ffd783f872a539915c51b0d4728a49c7cc678ac5a758e00d62168
+  languageName: node
+  linkType: hard
+
+"base@npm:^0.11.1":
+  version: 0.11.2
+  resolution: "base@npm:0.11.2"
+  dependencies:
+    cache-base: ^1.0.1
+    class-utils: ^0.3.5
+    component-emitter: ^1.2.1
+    define-property: ^1.0.0
+    isobject: ^3.0.1
+    mixin-deep: ^1.2.0
+    pascalcase: ^0.1.1
+  checksum: a4a146b912e27eea8f66d09cb0c9eab666f32ce27859a7dfd50f38cd069a2557b39f16dba1bc2aecb3b44bf096738dd207b7970d99b0318423285ab1b1994edd
+  languageName: node
+  linkType: hard
+
+"basic-auth@npm:~2.0.1":
+  version: 2.0.1
+  resolution: "basic-auth@npm:2.0.1"
+  dependencies:
+    safe-buffer: 5.1.2
+  checksum: 3419b805d5dfc518f3a05dcf42aa53aa9ce820e50b6df5097f9e186322e1bc733c36722b624802cd37e791035aa73b828ed814d8362333d42d7f5cd04d7a5e48
+  languageName: node
+  linkType: hard
+
+"bcrypt-pbkdf@npm:^1.0.0":
+  version: 1.0.2
+  resolution: "bcrypt-pbkdf@npm:1.0.2"
+  dependencies:
+    tweetnacl: ^0.14.3
+  checksum: 4edfc9fe7d07019609ccf797a2af28351736e9d012c8402a07120c4453a3b789a15f2ee1530dc49eee8f7eb9379331a8dd4b3766042b9e502f74a68e7f662291
+  languageName: node
+  linkType: hard
+
+"big.js@npm:^5.2.2":
+  version: 5.2.2
+  resolution: "big.js@npm:5.2.2"
+  checksum: b89b6e8419b097a8fb4ed2399a1931a68c612bce3cfd5ca8c214b2d017531191070f990598de2fc6f3f993d91c0f08aa82697717f6b3b8732c9731866d233c9e
+  languageName: node
+  linkType: hard
+
+"binary-extensions@npm:^1.0.0":
+  version: 1.13.1
+  resolution: "binary-extensions@npm:1.13.1"
+  checksum: ad7747f33c07e94ba443055de130b50c8b8b130a358bca064c580d91769ca6a69c7ac65ca008ff044ed4541d2c6ad45496e1fadbef5218a68770996b6a2194d7
+  languageName: node
+  linkType: hard
+
+"binary-extensions@npm:^2.0.0":
+  version: 2.2.0
+  resolution: "binary-extensions@npm:2.2.0"
+  checksum: ccd267956c58d2315f5d3ea6757cf09863c5fc703e50fbeb13a7dc849b812ef76e3cf9ca8f35a0c48498776a7478d7b4a0418e1e2b8cb9cb9731f2922aaad7f8
+  languageName: node
+  linkType: hard
+
+"binaryextensions@npm:1 || 2, binaryextensions@npm:^2.1.2":
+  version: 2.3.0
+  resolution: "binaryextensions@npm:2.3.0"
+  checksum: e64e4658a611a753e0320b047a0045a063c6f2dd92d7a7fc06c25f7e72fb3700dabcf328e319c79f1038e6d0ea46edb0644686603d5f36bff3350d0e7eb198a9
+  languageName: node
+  linkType: hard
+
+"bindings@npm:^1.5.0":
+  version: 1.5.0
+  resolution: "bindings@npm:1.5.0"
+  dependencies:
+    file-uri-to-path: 1.0.0
+  checksum: 65b6b48095717c2e6105a021a7da4ea435aa8d3d3cd085cb9e85bcb6e5773cf318c4745c3f7c504412855940b585bdf9b918236612a1c7a7942491de176f1ae7
+  languageName: node
+  linkType: hard
+
+"bl@npm:^4.1.0":
+  version: 4.1.0
+  resolution: "bl@npm:4.1.0"
+  dependencies:
+    buffer: ^5.5.0
+    inherits: ^2.0.4
+    readable-stream: ^3.4.0
+  checksum: 9e8521fa7e83aa9427c6f8ccdcba6e8167ef30cc9a22df26effcc5ab682ef91d2cbc23a239f945d099289e4bbcfae7a192e9c28c84c6202e710a0dfec3722662
+  languageName: node
+  linkType: hard
+
+"blank-object@npm:^1.0.1":
+  version: 1.0.2
+  resolution: "blank-object@npm:1.0.2"
+  checksum: 0d9aff57f4438c3dce6513ac77874fb74f3419e3e8384d4a520b9a3e9cfc8bee6be0f39f77c079da4e6e3fd8e347c125fb618816e730c34804c3092e5c3c5404
+  languageName: node
+  linkType: hard
+
+"bluebird@npm:^3.4.6, bluebird@npm:^3.5.5, bluebird@npm:^3.7.2":
+  version: 3.7.2
+  resolution: "bluebird@npm:3.7.2"
+  checksum: 869417503c722e7dc54ca46715f70e15f4d9c602a423a02c825570862d12935be59ed9c7ba34a9b31f186c017c23cac6b54e35446f8353059c101da73eac22ef
+  languageName: node
+  linkType: hard
+
+"bn.js@npm:^4.0.0, bn.js@npm:^4.1.0, bn.js@npm:^4.11.9":
+  version: 4.12.0
+  resolution: "bn.js@npm:4.12.0"
+  checksum: 39afb4f15f4ea537b55eaf1446c896af28ac948fdcf47171961475724d1bb65118cca49fa6e3d67706e4790955ec0e74de584e45c8f1ef89f46c812bee5b5a12
+  languageName: node
+  linkType: hard
+
+"bn.js@npm:^5.0.0, bn.js@npm:^5.1.1":
+  version: 5.2.0
+  resolution: "bn.js@npm:5.2.0"
+  checksum: 6117170393200f68b35a061ecbf55d01dd989302e7b3c798a3012354fa638d124f0b2f79e63f77be5556be80322a09c40339eda6413ba7468524c0b6d4b4cb7a
+  languageName: node
+  linkType: hard
+
+"body-parser@npm:1.19.0, body-parser@npm:^1.17.0":
+  version: 1.19.0
+  resolution: "body-parser@npm:1.19.0"
+  dependencies:
+    bytes: 3.1.0
+    content-type: ~1.0.4
+    debug: 2.6.9
+    depd: ~1.1.2
+    http-errors: 1.7.2
+    iconv-lite: 0.4.24
+    on-finished: ~2.3.0
+    qs: 6.7.0
+    raw-body: 2.4.0
+    type-is: ~1.6.17
+  checksum: 490231b4c89bbd43112762f7ba8e5342c174a6c9f64284a3b0fcabf63277e332f8316765596f1e5b15e4f3a6cf0422e005f4bb3149ed3a224bb025b7a36b9ac1
+  languageName: node
+  linkType: hard
+
+"body-parser@npm:1.20.1":
+  version: 1.20.1
+  resolution: "body-parser@npm:1.20.1"
+  dependencies:
+    bytes: 3.1.2
+    content-type: ~1.0.4
+    debug: 2.6.9
+    depd: 2.0.0
+    destroy: 1.2.0
+    http-errors: 2.0.0
+    iconv-lite: 0.4.24
+    on-finished: 2.4.1
+    qs: 6.11.0
+    raw-body: 2.5.1
+    type-is: ~1.6.18
+    unpipe: 1.0.0
+  checksum: f1050dbac3bede6a78f0b87947a8d548ce43f91ccc718a50dd774f3c81f2d8b04693e52acf62659fad23101827dd318da1fb1363444ff9a8482b886a3e4a5266
+  languageName: node
+  linkType: hard
+
+"body@npm:^5.1.0":
+  version: 5.1.0
+  resolution: "body@npm:5.1.0"
+  dependencies:
+    continuable-cache: ^0.3.1
+    error: ^7.0.0
+    raw-body: ~1.1.0
+    safe-json-parse: ~1.0.1
+  checksum: 58a5a46b6de80c82ee2f6e00bdc0084be1697d50e47cfa0d53ff6daf70b0e5ec20359c134d41710d0fa8046ecd67e06128c134c821f090e40a31ed452a9b6b7f
+  languageName: node
+  linkType: hard
+
+"boolbase@npm:^1.0.0, boolbase@npm:~1.0.0":
+  version: 1.0.0
+  resolution: "boolbase@npm:1.0.0"
+  checksum: 3e25c80ef626c3a3487c73dbfc70ac322ec830666c9ad915d11b701142fab25ec1e63eff2c450c74347acfd2de854ccde865cd79ef4db1683f7c7b046ea43bb0
+  languageName: node
+  linkType: hard
+
+"boolify@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "boolify@npm:1.0.1"
+  checksum: 972bde1e4a35fad8fc18761a7fcef7358008e125ba9daee9bc5dc8f49cba3c635ea70b2f8c3b5bfd3167865e6c0662d6c338767de981a44f3e604df86f47fcc5
+  languageName: node
+  linkType: hard
+
+"bower-config@npm:^1.4.3":
+  version: 1.4.3
+  resolution: "bower-config@npm:1.4.3"
+  dependencies:
+    graceful-fs: ^4.1.3
+    minimist: ^0.2.1
+    mout: ^1.0.0
+    osenv: ^0.1.3
+    untildify: ^2.1.0
+    wordwrap: ^0.0.3
+  checksum: 195d829d32b99a6c88d58f0e77b3aad2d32c5ecb913e6a078be5a540f0fc3d34888c8c2e3d7cf268e389711a7b231ef4397ac3cd02053fdd115db58a5c8b19a3
+  languageName: node
+  linkType: hard
+
+"bower-endpoint-parser@npm:0.2.2":
+  version: 0.2.2
+  resolution: "bower-endpoint-parser@npm:0.2.2"
+  checksum: e5752ae90a7950da4aa32448105fd50e050cf47042f89db79bbaf64e0cf4342b39dae450353848ea8a766c969e7b760afb4de85d2e808eedd7d1340b4251cda0
+  languageName: node
+  linkType: hard
+
+"brace-expansion@npm:^1.1.7":
+  version: 1.1.11
+  resolution: "brace-expansion@npm:1.1.11"
+  dependencies:
+    balanced-match: ^1.0.0
+    concat-map: 0.0.1
+  checksum: faf34a7bb0c3fcf4b59c7808bc5d2a96a40988addf2e7e09dfbb67a2251800e0d14cd2bfc1aa79174f2f5095c54ff27f46fb1289fe2d77dac755b5eb3434cc07
+  languageName: node
+  linkType: hard
+
+"braces@npm:^2.3.1, braces@npm:^2.3.2":
+  version: 2.3.2
+  resolution: "braces@npm:2.3.2"
+  dependencies:
+    arr-flatten: ^1.1.0
+    array-unique: ^0.3.2
+    extend-shallow: ^2.0.1
+    fill-range: ^4.0.0
+    isobject: ^3.0.1
+    repeat-element: ^1.1.2
+    snapdragon: ^0.8.1
+    snapdragon-node: ^2.0.1
+    split-string: ^3.0.2
+    to-regex: ^3.0.1
+  checksum: e30dcb6aaf4a31c8df17d848aa283a65699782f75ad61ae93ec25c9729c66cf58e66f0000a9fec84e4add1135bb7da40f7cb9601b36bebcfa9ca58e8d5c07de0
+  languageName: node
+  linkType: hard
+
+"braces@npm:^3.0.1, braces@npm:^3.0.2, braces@npm:~3.0.2":
+  version: 3.0.2
+  resolution: "braces@npm:3.0.2"
+  dependencies:
+    fill-range: ^7.0.1
+  checksum: e2a8e769a863f3d4ee887b5fe21f63193a891c68b612ddb4b68d82d1b5f3ff9073af066c343e9867a393fe4c2555dcb33e89b937195feb9c1613d259edfcd459
+  languageName: node
+  linkType: hard
+
+"broccoli-amd-funnel@npm:^2.0.1":
+  version: 2.0.1
+  resolution: "broccoli-amd-funnel@npm:2.0.1"
+  dependencies:
+    broccoli-plugin: ^1.3.0
+    symlink-or-copy: ^1.2.0
+  checksum: 1f9327d1291fbdd00366da710091fc3c4d1c3f5a5c697cc2eb9e1f29d8b906ba9eb93ab612c9c1367b91d64b9a2f7a446cfa8a1e6faf4ce05315ff0f2ebdadf6
+  languageName: node
+  linkType: hard
+
+"broccoli-asset-rev@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "broccoli-asset-rev@npm:3.0.0"
+  dependencies:
+    broccoli-asset-rewrite: ^2.0.0
+    broccoli-filter: ^1.2.2
+    broccoli-persistent-filter: ^1.4.3
+    json-stable-stringify: ^1.0.0
+    minimatch: ^3.0.4
+    rsvp: ^3.0.6
+  checksum: 92822588babb5d82d3a09ce6e3646f59400566138c3a3824c93cdff568cbf74a318900a41be64bb39b322ec8442099ccc11932f335e877637823c1bf0a6de0d6
+  languageName: node
+  linkType: hard
+
+"broccoli-asset-rewrite@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "broccoli-asset-rewrite@npm:2.0.0"
+  dependencies:
+    broccoli-filter: ^1.2.3
+  checksum: 05a8d882ca6e3f2fd073650acb65e0f2c0945529c09a47b1b220455a0a67099e0d5bed7a0c52b7aaee40ad5f07f8e6db20b641aceb5330256b801fe1b8e39952
+  languageName: node
+  linkType: hard
+
+"broccoli-autoprefixer@npm:^5.0.0":
+  version: 5.0.0
+  resolution: "broccoli-autoprefixer@npm:5.0.0"
+  dependencies:
+    autoprefixer: ^7.0.0
+    broccoli-persistent-filter: ^1.1.6
+    postcss: ^6.0.1
+  checksum: 468df300b679e2afa3d14091f42313300424218d74911dba8dd61a16ce4b0888c76c517ac524f043c01304b3bb78d6e87927e931c96446f9921e4504f5361654
+  languageName: node
+  linkType: hard
+
+"broccoli-babel-transpiler@npm:^6.5.0":
+  version: 6.5.1
+  resolution: "broccoli-babel-transpiler@npm:6.5.1"
+  dependencies:
+    babel-core: ^6.26.0
+    broccoli-funnel: ^2.0.1
+    broccoli-merge-trees: ^2.0.0
+    broccoli-persistent-filter: ^1.4.3
+    clone: ^2.0.0
+    hash-for-dep: ^1.2.3
+    heimdalljs-logger: ^0.1.7
+    json-stable-stringify: ^1.0.0
+    rsvp: ^4.8.2
+    workerpool: ^2.3.0
+  checksum: 2e5273f2026dc27ca8ab984c49c00b967aa94f491b7e5059fc249e4c624a4901fd26c19c56f889b61eee1f2c1cb101944b2fd48e00156e503c7a3495cc7e270a
+  languageName: node
+  linkType: hard
+
+"broccoli-babel-transpiler@npm:^7.2.0, broccoli-babel-transpiler@npm:^7.8.0":
+  version: 7.8.0
+  resolution: "broccoli-babel-transpiler@npm:7.8.0"
+  dependencies:
+    "@babel/core": ^7.12.0
+    "@babel/polyfill": ^7.11.5
+    broccoli-funnel: ^2.0.2
+    broccoli-merge-trees: ^3.0.2
+    broccoli-persistent-filter: ^2.2.1
+    clone: ^2.1.2
+    hash-for-dep: ^1.4.7
+    heimdalljs: ^0.2.1
+    heimdalljs-logger: ^0.1.9
+    json-stable-stringify: ^1.0.1
+    rsvp: ^4.8.4
+    workerpool: ^3.1.1
+  checksum: 07fd89cc58bab2d6dd435b04b047d2bb843298761068cf7ae768819d1c8d8d4ac26746b0eb40e99ebceec6dfd1af97a25a7f1b00bd05136fa963b9c04033ca52
+  languageName: node
+  linkType: hard
+
+"broccoli-babel-transpiler@npm:^7.8.1":
+  version: 7.8.1
+  resolution: "broccoli-babel-transpiler@npm:7.8.1"
+  dependencies:
+    "@babel/core": ^7.12.0
+    "@babel/polyfill": ^7.11.5
+    broccoli-funnel: ^2.0.2
+    broccoli-merge-trees: ^3.0.2
+    broccoli-persistent-filter: ^2.2.1
+    clone: ^2.1.2
+    hash-for-dep: ^1.4.7
+    heimdalljs: ^0.2.1
+    heimdalljs-logger: ^0.1.9
+    json-stable-stringify: ^1.0.1
+    rsvp: ^4.8.4
+    workerpool: ^3.1.1
+  checksum: cd1d798e38dfc285082b1b114017639b1951f529436dd47c7b56d995ad5adb897084dadaf6da94cf2b7af6cc118099f1b5411b58b5ec72f5247bd9e820ac9ff6
+  languageName: node
+  linkType: hard
+
+"broccoli-babel-transpiler@npm:^8.0.0":
+  version: 8.0.0
+  resolution: "broccoli-babel-transpiler@npm:8.0.0"
+  dependencies:
+    broccoli-persistent-filter: ^3.0.0
+    clone: ^2.1.2
+    hash-for-dep: ^1.4.7
+    heimdalljs: ^0.2.1
+    heimdalljs-logger: ^0.1.9
+    json-stable-stringify: ^1.0.1
+    rsvp: ^4.8.4
+    workerpool: ^6.0.2
+  peerDependencies:
+    "@babel/core": ^7.17.9
+  checksum: 5ca5f6664e5ef37e0927501256312ba66d0362180edcdbd9bf23fae2cf057294cc33e5c60e314c6d705c5f2c2dca5f5319b3fc1f1089589c7b16724a6f80e190
+  languageName: node
+  linkType: hard
+
+"broccoli-builder@npm:^0.18.14":
+  version: 0.18.14
+  resolution: "broccoli-builder@npm:0.18.14"
+  dependencies:
+    broccoli-node-info: ^1.1.0
+    heimdalljs: ^0.2.0
+    promise-map-series: ^0.2.1
+    quick-temp: ^0.1.2
+    rimraf: ^2.2.8
+    rsvp: ^3.0.17
+    silent-error: ^1.0.1
+  checksum: 06721fdc65f97ec331126d3fca329ac287c879cffd748b4c536acca16376995d3200d26af22b9a4fef464476202f83bb3a9dbdcdec8939914600ee1e8760f995
+  languageName: node
+  linkType: hard
+
+"broccoli-caching-writer@npm:^2.2.0":
+  version: 2.3.1
+  resolution: "broccoli-caching-writer@npm:2.3.1"
+  dependencies:
+    broccoli-kitchen-sink-helpers: ^0.2.5
+    broccoli-plugin: 1.1.0
+    debug: ^2.1.1
+    rimraf: ^2.2.8
+    rsvp: ^3.0.17
+    walk-sync: ^0.2.5
+  checksum: 3ee20d818f1a833c41499fd2d7abc09c75951a4ea7522d6ec1cd853351a03a5cfd283e50efd068705104e3825401165dff3438fa723e5b6760072a280c42fa61
+  languageName: node
+  linkType: hard
+
+"broccoli-caching-writer@npm:^3.0.3":
+  version: 3.0.3
+  resolution: "broccoli-caching-writer@npm:3.0.3"
+  dependencies:
+    broccoli-kitchen-sink-helpers: ^0.3.1
+    broccoli-plugin: ^1.2.1
+    debug: ^2.1.1
+    rimraf: ^2.2.8
+    rsvp: ^3.0.17
+    walk-sync: ^0.3.0
+  checksum: 30b002bb2050b0f51ece58e088b26212784779205184021acf5fc807e2619820daa95b56a390da10de3b49defa76f525f095b980c009fb4c7cb30d3d18875117
+  languageName: node
+  linkType: hard
+
+"broccoli-clean-css@npm:^1.1.0":
+  version: 1.1.0
+  resolution: "broccoli-clean-css@npm:1.1.0"
+  dependencies:
+    broccoli-persistent-filter: ^1.1.6
+    clean-css-promise: ^0.1.0
+    inline-source-map-comment: ^1.0.5
+    json-stable-stringify: ^1.0.0
+  checksum: 7b1739c9e12ccbf9e86b0f98be97b2c2f0ef8ac831e87f7e478ca4dc8fce3e93db4e625ad53ddb48bab4efbe8d0d2304ee77bdd015aab84d71250d9fb8ff44c7
+  languageName: node
+  linkType: hard
+
+"broccoli-concat@npm:^4.2.5":
+  version: 4.2.5
+  resolution: "broccoli-concat@npm:4.2.5"
+  dependencies:
+    broccoli-debug: ^0.6.5
+    broccoli-kitchen-sink-helpers: ^0.3.1
+    broccoli-plugin: ^4.0.2
+    ensure-posix-path: ^1.0.2
+    fast-sourcemap-concat: ^2.1.0
+    find-index: ^1.1.0
+    fs-extra: ^8.1.0
+    fs-tree-diff: ^2.0.1
+    lodash.merge: ^4.6.2
+    lodash.omit: ^4.1.0
+    lodash.uniq: ^4.2.0
+  checksum: a8eb7394863d7ba3dd9b8011ef37ef746182bea42c50c61bc5cf25767bcd0edec1dac9c37dcf8ba34d24568fdc3e69ce88b414316eedbbecf9deae13f349cc7e
+  languageName: node
+  linkType: hard
+
+"broccoli-config-loader@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "broccoli-config-loader@npm:1.0.1"
+  dependencies:
+    broccoli-caching-writer: ^3.0.3
+  checksum: 92543dee0b8e3da15533262190a34287c53dad913190d14306d706ef8f2594106c240fe2c4eff026af0730e79dd77990271bf74cfd37051040b7dc177cea49e4
+  languageName: node
+  linkType: hard
+
+"broccoli-config-replace@npm:^1.1.2":
+  version: 1.1.2
+  resolution: "broccoli-config-replace@npm:1.1.2"
+  dependencies:
+    broccoli-kitchen-sink-helpers: ^0.3.1
+    broccoli-plugin: ^1.2.0
+    debug: ^2.2.0
+    fs-extra: ^0.24.0
+  checksum: 578471fb135e00d914334eaa8e1305ba2183f6be26833eff941c3c30bd002d157054a45ed16afb96784c25aa2a3f5bad73cd9c21a005acb61be7a960739b3725
+  languageName: node
+  linkType: hard
+
+"broccoli-debug@npm:^0.6.4, broccoli-debug@npm:^0.6.5":
+  version: 0.6.5
+  resolution: "broccoli-debug@npm:0.6.5"
+  dependencies:
+    broccoli-plugin: ^1.2.1
+    fs-tree-diff: ^0.5.2
+    heimdalljs: ^0.2.1
+    heimdalljs-logger: ^0.1.7
+    symlink-or-copy: ^1.1.8
+    tree-sync: ^1.2.2
+  checksum: 03cd34dea7cc6c1cb4d2b0aa564449e44bf4a0a874dc8ca28ffc22bc7ab062ccbe8bb08a7d4e44639f532f392d4a56913a372e75f1bde7763b20898da852aeba
+  languageName: node
+  linkType: hard
+
+"broccoli-dependency-funnel@npm:^2.1.2":
+  version: 2.1.2
+  resolution: "broccoli-dependency-funnel@npm:2.1.2"
+  dependencies:
+    broccoli-plugin: ^1.3.1
+    fs-tree-diff: ^0.5.9
+    heimdalljs: ^0.2.5
+    heimdalljs-logger: ^0.1.9
+    mkdirp: ^0.5.1
+    mr-dep-walk: ^1.4.0
+    path-posix: ^1.0.0
+    rimraf: ^2.6.2
+    symlink-or-copy: ^1.2.0
+  checksum: b62bdd3d8c422082d05408742be796b64d1dfcff8f8952d4a2289a95d03b2850f64d157bcb40150ae865a9850d457e0a7209b0875962f09410a28582fe242bda
+  languageName: node
+  linkType: hard
+
+"broccoli-file-creator@npm:^1.1.1":
+  version: 1.2.0
+  resolution: "broccoli-file-creator@npm:1.2.0"
+  dependencies:
+    broccoli-plugin: ^1.1.0
+    mkdirp: ^0.5.1
+  checksum: 591be2b9a9e2aadd0f5c07fb85a2125eebf29a50ca8dbed4c67f8b75d7e5a296f7740f41e1a441d3861bb2b298a76201995ca2df59c34e1c641521e4f3555d50
+  languageName: node
+  linkType: hard
+
+"broccoli-file-creator@npm:^2.1.1":
+  version: 2.1.1
+  resolution: "broccoli-file-creator@npm:2.1.1"
+  dependencies:
+    broccoli-plugin: ^1.1.0
+    mkdirp: ^0.5.1
+  checksum: aab1bd06e55f805e3c52235a7294a8f008255d178ef236e2966c59f943090a55bca44e9d26fcf176f4e0f94033af5c1fd038a85c6950bf36ff41a0c0787fe938
+  languageName: node
+  linkType: hard
+
+"broccoli-filter@npm:^1.2.2, broccoli-filter@npm:^1.2.3":
+  version: 1.3.0
+  resolution: "broccoli-filter@npm:1.3.0"
+  dependencies:
+    broccoli-kitchen-sink-helpers: ^0.3.1
+    broccoli-plugin: ^1.0.0
+    copy-dereference: ^1.0.0
+    debug: ^2.2.0
+    mkdirp: ^0.5.1
+    promise-map-series: ^0.2.1
+    rsvp: ^3.0.18
+    symlink-or-copy: ^1.0.1
+    walk-sync: ^0.3.1
+  checksum: 4908af4844c166adfd61def33c21a152870e7cc319fa16d50caa906ad68c46e5abbc6fb9c3373e3b7bc494473d4972461ef0a0fa0d2ae82c0f0d44ec0fe3cfc5
+  languageName: node
+  linkType: hard
+
+"broccoli-funnel-reducer@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "broccoli-funnel-reducer@npm:1.0.0"
+  checksum: 3a924dc63136168325ea202d05139ad238290eff649cb6a2570f3faeccbbf0d904792525100fc41da34a1fd0946d951bdb247ecd1e4d7d99f29f82583b94ce7b
+  languageName: node
+  linkType: hard
+
+"broccoli-funnel@npm:2.0.1":
+  version: 2.0.1
+  resolution: "broccoli-funnel@npm:2.0.1"
+  dependencies:
+    array-equal: ^1.0.0
+    blank-object: ^1.0.1
+    broccoli-plugin: ^1.3.0
+    debug: ^2.2.0
+    fast-ordered-set: ^1.0.0
+    fs-tree-diff: ^0.5.3
+    heimdalljs: ^0.2.0
+    minimatch: ^3.0.0
+    mkdirp: ^0.5.0
+    path-posix: ^1.0.0
+    rimraf: ^2.4.3
+    symlink-or-copy: ^1.0.0
+    walk-sync: ^0.3.1
+  checksum: 415257006360c6015835a513c7946f1bc356ea5ed6bd960382bad1f511d81758539690ccbd7cecdc740b7e91f1719088b5bb8f5c024ca4dda089efec229ce0b7
+  languageName: node
+  linkType: hard
+
+"broccoli-funnel@npm:^1.0.1, broccoli-funnel@npm:^1.1.0":
+  version: 1.2.0
+  resolution: "broccoli-funnel@npm:1.2.0"
+  dependencies:
+    array-equal: ^1.0.0
+    blank-object: ^1.0.1
+    broccoli-plugin: ^1.3.0
+    debug: ^2.2.0
+    exists-sync: 0.0.4
+    fast-ordered-set: ^1.0.0
+    fs-tree-diff: ^0.5.3
+    heimdalljs: ^0.2.0
+    minimatch: ^3.0.0
+    mkdirp: ^0.5.0
+    path-posix: ^1.0.0
+    rimraf: ^2.4.3
+    symlink-or-copy: ^1.0.0
+    walk-sync: ^0.3.1
+  checksum: dacd261a6ddbdd9ffa3bc6d6dd7653eace0896e1b7e281ed9cead4c5b5a4e04b0f1be5b9b09ccd576288d3a15a2dbace1920c7de17a9bba9e5564f7580f8f19a
+  languageName: node
+  linkType: hard
+
+"broccoli-funnel@npm:^2.0.0, broccoli-funnel@npm:^2.0.1, broccoli-funnel@npm:^2.0.2":
+  version: 2.0.2
+  resolution: "broccoli-funnel@npm:2.0.2"
+  dependencies:
+    array-equal: ^1.0.0
+    blank-object: ^1.0.1
+    broccoli-plugin: ^1.3.0
+    debug: ^2.2.0
+    fast-ordered-set: ^1.0.0
+    fs-tree-diff: ^0.5.3
+    heimdalljs: ^0.2.0
+    minimatch: ^3.0.0
+    mkdirp: ^0.5.0
+    path-posix: ^1.0.0
+    rimraf: ^2.4.3
+    symlink-or-copy: ^1.0.0
+    walk-sync: ^0.3.1
+  checksum: e039c07f7a69d538a2a60e66167ccff8e00e14f053e6e0e5ce6d446c5a6d351e55cc9be57aad1a9e9d684b444bea81cd2eade387c5764fa9355b9f30fcc4bd48
+  languageName: node
+  linkType: hard
+
+"broccoli-funnel@npm:^3.0.3, broccoli-funnel@npm:^3.0.5, broccoli-funnel@npm:^3.0.8":
+  version: 3.0.8
+  resolution: "broccoli-funnel@npm:3.0.8"
+  dependencies:
+    array-equal: ^1.0.0
+    broccoli-plugin: ^4.0.7
+    debug: ^4.1.1
+    fs-tree-diff: ^2.0.1
+    heimdalljs: ^0.2.0
+    minimatch: ^3.0.0
+    walk-sync: ^2.0.2
+  checksum: 125b0bda1bf63779528f97d153cab2c2d47d3783e26037d0f1acaf9f528a04397f2538d66662efaedd4627bfbae7713a2f8248017c81d518319b3c8cbe3b31d9
+  languageName: node
+  linkType: hard
+
+"broccoli-kitchen-sink-helpers@npm:^0.2.5":
+  version: 0.2.9
+  resolution: "broccoli-kitchen-sink-helpers@npm:0.2.9"
+  dependencies:
+    glob: ^5.0.10
+    mkdirp: ^0.5.1
+  checksum: cf67d77f4ee028c90c4917626eda636b736a3fdd11f84ba2c9b00708222c8878909c1b30d824b4b9d946c6c975b6e3bd08cc218ed3cfbe6f9436808e9023a941
+  languageName: node
+  linkType: hard
+
+"broccoli-kitchen-sink-helpers@npm:^0.3.1":
+  version: 0.3.1
+  resolution: "broccoli-kitchen-sink-helpers@npm:0.3.1"
+  dependencies:
+    glob: ^5.0.10
+    mkdirp: ^0.5.1
+  checksum: c3af1f4a902ab69fa6e576430c2829cceaa2c34e6f6ff68eb5f6305c10835123b4644bfcb036452c7222d6853c720bf83ec1e5e125db7915d849c7968d0e652e
+  languageName: node
+  linkType: hard
+
+"broccoli-merge-trees@npm:^1.1.1":
+  version: 1.2.4
+  resolution: "broccoli-merge-trees@npm:1.2.4"
+  dependencies:
+    broccoli-plugin: ^1.3.0
+    can-symlink: ^1.0.0
+    fast-ordered-set: ^1.0.2
+    fs-tree-diff: ^0.5.4
+    heimdalljs: ^0.2.1
+    heimdalljs-logger: ^0.1.7
+    rimraf: ^2.4.3
+    symlink-or-copy: ^1.0.0
+  checksum: 7d5ae0c12582bcca4c6a697bd768b45f38b19d3b89f580ded973bf1c4ee2d581c2a50d1914eeab96d2c3502ccb792eb806298ce99bf0bcd9bf98f87c916390a5
+  languageName: node
+  linkType: hard
+
+"broccoli-merge-trees@npm:^2.0.0":
+  version: 2.0.1
+  resolution: "broccoli-merge-trees@npm:2.0.1"
+  dependencies:
+    broccoli-plugin: ^1.3.0
+    merge-trees: ^1.0.1
+  checksum: cf58d11761a3a362d80634e0f3b1b5fdb87572c9e54740fbc24803d79b44f2246b12b76aecb2f783d92c0cef55f7a3b7eb5314bc463fd94cb6d29f1b370a4289
+  languageName: node
+  linkType: hard
+
+"broccoli-merge-trees@npm:^3.0.0, broccoli-merge-trees@npm:^3.0.1, broccoli-merge-trees@npm:^3.0.2":
+  version: 3.0.2
+  resolution: "broccoli-merge-trees@npm:3.0.2"
+  dependencies:
+    broccoli-plugin: ^1.3.0
+    merge-trees: ^2.0.0
+  checksum: 4239955a72f9e9547d3b8af27784e7b4931d88bc83c80b48eaae5819a839e3ab3973ccd459502459fcbc9b69749bbc89e9f06e0025fe5483b1704c6dbe0dd61c
+  languageName: node
+  linkType: hard
+
+"broccoli-merge-trees@npm:^4.2.0":
+  version: 4.2.0
+  resolution: "broccoli-merge-trees@npm:4.2.0"
+  dependencies:
+    broccoli-plugin: ^4.0.2
+    merge-trees: ^2.0.0
+  checksum: 8e5371bf41d8b95dd3d600a35d159e185fe0ce0a558cb7b35cdfbb0e3cf2941ee92745dafa7452be0034929459c84acdb55bf762d8c2ca5e59fd124fb219e559
+  languageName: node
+  linkType: hard
+
+"broccoli-middleware@npm:^2.1.1":
+  version: 2.1.1
+  resolution: "broccoli-middleware@npm:2.1.1"
+  dependencies:
+    ansi-html: ^0.0.7
+    handlebars: ^4.0.4
+    has-ansi: ^3.0.0
+    mime-types: ^2.1.18
+  checksum: d32e8d871869737d554bb0913491f2cf80b975eac43f7c1cde1334468d4610830b6a4f2d75a310b3d113d0e513e3b8b966b5d58789a9d396b52a40d279587a1f
+  languageName: node
+  linkType: hard
+
+"broccoli-node-api@npm:^1.6.0, broccoli-node-api@npm:^1.7.0":
+  version: 1.7.0
+  resolution: "broccoli-node-api@npm:1.7.0"
+  checksum: 37b83c81549294d0c843bb4c07ef5330a5493f5e8204e4f7eda716c4f5175f5ccf0f10f0957a18321324b5ff3d4fe2a2cd6cd8e598d6f9e7986c45b8dd200b99
+  languageName: node
+  linkType: hard
+
+"broccoli-node-info@npm:1.1.0, broccoli-node-info@npm:^1.1.0":
+  version: 1.1.0
+  resolution: "broccoli-node-info@npm:1.1.0"
+  checksum: f3e552f3e2ba05d9bb73f5d9ba0e27961851744e3a1a70de3f712598746e6214a7b8b8a7ceafc8235f81973a2e9dca58e022a9f150b4c5963aed5bf90d496b96
+  languageName: node
+  linkType: hard
+
+"broccoli-node-info@npm:^2.1.0":
+  version: 2.2.0
+  resolution: "broccoli-node-info@npm:2.2.0"
+  checksum: e5d68ebb35aa4406dc7dd9e90f15f68fb58c2026696bda2a67045f993261e856fbfec35b3d424c835af7873bd7de00f15630a5b2626c8c0929365035ade9cddd
+  languageName: node
+  linkType: hard
+
+"broccoli-output-wrapper@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "broccoli-output-wrapper@npm:2.0.0"
+  dependencies:
+    heimdalljs-logger: ^0.1.10
+  checksum: 9e2abb307e7d852827548fecfb2b5daa6efea70bcc23d39f1ad51494477a38d8049a3592f7a0e18aa20cb9bcad7b49389ec5052f3a368cbcdb94a4dbe0650381
+  languageName: node
+  linkType: hard
+
+"broccoli-output-wrapper@npm:^3.2.5":
+  version: 3.2.5
+  resolution: "broccoli-output-wrapper@npm:3.2.5"
+  dependencies:
+    fs-extra: ^8.1.0
+    heimdalljs-logger: ^0.1.10
+    symlink-or-copy: ^1.2.0
+  checksum: c23d875544bfdd4cf0767fb9080a6a16bf938497a1a6601fe9ea2e0e5cce26f1a4f4ab81f80e50376b0d86b622cef848d0ffba3f5fa4f2e3c4b531539383eddb
+  languageName: node
+  linkType: hard
+
+"broccoli-persistent-filter@npm:^1.1.5, broccoli-persistent-filter@npm:^1.1.6, broccoli-persistent-filter@npm:^1.4.3":
+  version: 1.4.6
+  resolution: "broccoli-persistent-filter@npm:1.4.6"
+  dependencies:
+    async-disk-cache: ^1.2.1
+    async-promise-queue: ^1.0.3
+    broccoli-plugin: ^1.0.0
+    fs-tree-diff: ^0.5.2
+    hash-for-dep: ^1.0.2
+    heimdalljs: ^0.2.1
+    heimdalljs-logger: ^0.1.7
+    mkdirp: ^0.5.1
+    promise-map-series: ^0.2.1
+    rimraf: ^2.6.1
+    rsvp: ^3.0.18
+    symlink-or-copy: ^1.0.1
+    walk-sync: ^0.3.1
+  checksum: 42adb04ba99ccbd943299d37d40fc87f5c9629ec98d0774c43695590ec7ad9392ba6c5bef5e089e1bc208d49de820d13aa46dc0d80d71444f00f9b0df9811df9
+  languageName: node
+  linkType: hard
+
+"broccoli-persistent-filter@npm:^2.2.1, broccoli-persistent-filter@npm:^2.3.0, broccoli-persistent-filter@npm:^2.3.1":
+  version: 2.3.1
+  resolution: "broccoli-persistent-filter@npm:2.3.1"
+  dependencies:
+    async-disk-cache: ^1.2.1
+    async-promise-queue: ^1.0.3
+    broccoli-plugin: ^1.0.0
+    fs-tree-diff: ^2.0.0
+    hash-for-dep: ^1.5.0
+    heimdalljs: ^0.2.1
+    heimdalljs-logger: ^0.1.7
+    mkdirp: ^0.5.1
+    promise-map-series: ^0.2.1
+    rimraf: ^2.6.1
+    rsvp: ^4.7.0
+    symlink-or-copy: ^1.0.1
+    sync-disk-cache: ^1.3.3
+    walk-sync: ^1.0.0
+  checksum: 35228d15267f6b08e7e572698c6ef2fc4623701f97604a6bce4826c0dbc3074e743cf583f56d014051d64d3cf72f26dd29f26f9ff8e79f907d762fad9481da36
+  languageName: node
+  linkType: hard
+
+"broccoli-persistent-filter@npm:^3.0.0":
+  version: 3.1.3
+  resolution: "broccoli-persistent-filter@npm:3.1.3"
+  dependencies:
+    async-disk-cache: ^2.0.0
+    async-promise-queue: ^1.0.3
+    broccoli-plugin: ^4.0.3
+    fs-tree-diff: ^2.0.0
+    hash-for-dep: ^1.5.0
+    heimdalljs: ^0.2.1
+    heimdalljs-logger: ^0.1.7
+    promise-map-series: ^0.2.1
+    rimraf: ^3.0.0
+    symlink-or-copy: ^1.0.1
+    sync-disk-cache: ^2.0.0
+  checksum: c3d23e641d15fbb715b730d8f1b69fe5d6c4c66afdee7a57fb77aba3406d4d9026242ffcec6520fdfc55108d72ebcec411948721d8dc8be5d8bdb9c8c10a14ad
+  languageName: node
+  linkType: hard
+
+"broccoli-persistent-filter@npm:^3.1.2":
+  version: 3.1.2
+  resolution: "broccoli-persistent-filter@npm:3.1.2"
+  dependencies:
+    async-disk-cache: ^2.0.0
+    async-promise-queue: ^1.0.3
+    broccoli-plugin: ^4.0.3
+    fs-tree-diff: ^2.0.0
+    hash-for-dep: ^1.5.0
+    heimdalljs: ^0.2.1
+    heimdalljs-logger: ^0.1.7
+    promise-map-series: ^0.2.1
+    rimraf: ^3.0.0
+    symlink-or-copy: ^1.0.1
+    sync-disk-cache: ^2.0.0
+  checksum: 15adca88e26cd8a105c786dc7d2ba57c2c98d4a43079c94753826c000c879fad627ec280e57f7d890be8583ea66967579db4c9e19ef73ccb2ef887a09e36fb85
+  languageName: node
+  linkType: hard
+
+"broccoli-plugin@npm:*, broccoli-plugin@npm:^4.0.1, broccoli-plugin@npm:^4.0.2, broccoli-plugin@npm:^4.0.3, broccoli-plugin@npm:^4.0.5, broccoli-plugin@npm:^4.0.7":
+  version: 4.0.7
+  resolution: "broccoli-plugin@npm:4.0.7"
+  dependencies:
+    broccoli-node-api: ^1.7.0
+    broccoli-output-wrapper: ^3.2.5
+    fs-merger: ^3.2.1
+    promise-map-series: ^0.3.0
+    quick-temp: ^0.1.8
+    rimraf: ^3.0.2
+    symlink-or-copy: ^1.3.1
+  checksum: 49d6a55ebfe1880e73956dc8bf23104ad81c1272d4a06755823e6e1eec5255583d2913de99427b3e0a620e3b56178fdd8ea03c832b7452f0440c166044aa555c
+  languageName: node
+  linkType: hard
+
+"broccoli-plugin@npm:1.1.0":
+  version: 1.1.0
+  resolution: "broccoli-plugin@npm:1.1.0"
+  dependencies:
+    promise-map-series: ^0.2.1
+    quick-temp: ^0.1.3
+    rimraf: ^2.3.4
+    symlink-or-copy: ^1.0.1
+  checksum: 3f660605a82e9661378d64cfaa079ef549e3c389e12ce8114329e0c5268e68e07c8e3c9fe1c7762c30cfd639aa7c5f484c8e134ddffb49f0b04113818a06a5d8
+  languageName: node
+  linkType: hard
+
+"broccoli-plugin@npm:^1.0.0, broccoli-plugin@npm:^1.1.0, broccoli-plugin@npm:^1.2.0, broccoli-plugin@npm:^1.2.1, broccoli-plugin@npm:^1.3.0, broccoli-plugin@npm:^1.3.1":
+  version: 1.3.1
+  resolution: "broccoli-plugin@npm:1.3.1"
+  dependencies:
+    promise-map-series: ^0.2.1
+    quick-temp: ^0.1.3
+    rimraf: ^2.3.4
+    symlink-or-copy: ^1.1.8
+  checksum: 53ddfa2f419feb1b30e2b16d29d7b0877ac56ec97a16b07075ce6ec065d4382e20e94ce992a836942f24aee12a1fbff4f93f711d470e5614a786b4b29d0e215d
+  languageName: node
+  linkType: hard
+
+"broccoli-plugin@npm:^2.0.0, broccoli-plugin@npm:^2.1.0":
+  version: 2.1.0
+  resolution: "broccoli-plugin@npm:2.1.0"
+  dependencies:
+    promise-map-series: ^0.2.1
+    quick-temp: ^0.1.3
+    rimraf: ^2.3.4
+    symlink-or-copy: ^1.1.8
+  checksum: c5481d7d3a0d2f481bdaa7d18cbf7f88edc40ae363eb28c97856955991f0c44671433bb925f841efcce7e32a5eebc26c48f8ca361e8ce2725aae2bc86ba5b948
+  languageName: node
+  linkType: hard
+
+"broccoli-plugin@npm:^3.1.0":
+  version: 3.1.0
+  resolution: "broccoli-plugin@npm:3.1.0"
+  dependencies:
+    broccoli-node-api: ^1.6.0
+    broccoli-output-wrapper: ^2.0.0
+    fs-merger: ^3.0.1
+    promise-map-series: ^0.2.1
+    quick-temp: ^0.1.3
+    rimraf: ^2.3.4
+    symlink-or-copy: ^1.1.8
+  checksum: 6ae0eecb8f894de66445a8d7000a5f7fc6f0c07250ee788706ef7a6f9846c10e473be120999353b0ed89a0e60f96332586da01f40325d5df7d79e02a9f01d154
+  languageName: node
+  linkType: hard
+
+"broccoli-plugin@npm:^4.0.0":
+  version: 4.0.5
+  resolution: "broccoli-plugin@npm:4.0.5"
+  dependencies:
+    broccoli-node-api: ^1.7.0
+    broccoli-output-wrapper: ^3.2.5
+    fs-merger: ^3.1.0
+    promise-map-series: ^0.3.0
+    quick-temp: ^0.1.8
+    rimraf: ^3.0.2
+    symlink-or-copy: ^1.3.1
+  checksum: 1e459b3f03929fc9515f905d2bc033ac23ab869d837fa4ca68fc47062aea61fb3c11f2e3604ad1c4bef38b22cb1e0c4d5d0d88715ae1cdc7f064f30fc11093c9
+  languageName: node
+  linkType: hard
+
+"broccoli-rollup@npm:4.0.0":
+  version: 4.0.0
+  resolution: "broccoli-rollup@npm:4.0.0"
+  dependencies:
+    "@types/node": "*"
+    broccoli-plugin: ^2.0.0
+    fs-tree-diff: ^2.0.1
+    heimdalljs: ^0.2.6
+    heimdalljs-logger: ^0.1.10
+    magic-string: ^0.25.2
+    node-modules-path: ^1.0.1
+    rollup: ^1.12.0
+    symlink-or-copy: ^1.2.0
+    walk-sync: ^1.1.3
+  checksum: 89ac42aaf952674b0b81500551b4eccd96a51a1485d9b0cb89c690cc8cfbda9b82860147e810ec3012fceaf79af12cdf35e08c57ee1bac69d805072fdd87220d
+  languageName: node
+  linkType: hard
+
+"broccoli-rollup@npm:^2.1.1":
+  version: 2.1.1
+  resolution: "broccoli-rollup@npm:2.1.1"
+  dependencies:
+    "@types/node": ^9.6.0
+    amd-name-resolver: ^1.2.0
+    broccoli-plugin: ^1.2.1
+    fs-tree-diff: ^0.5.2
+    heimdalljs: ^0.2.1
+    heimdalljs-logger: ^0.1.7
+    magic-string: ^0.24.0
+    node-modules-path: ^1.0.1
+    rollup: ^0.57.1
+    symlink-or-copy: ^1.1.8
+    walk-sync: ^0.3.1
+  checksum: 6ddce6266854494da4875f6a1bd274c690b14fd7a82b47735118daaf5081304ef79fb781270ed6c09f312896c872fdbdf5619a77d50eb769bf977745242284d2
+  languageName: node
+  linkType: hard
+
+"broccoli-rollup@npm:^5.0.0":
+  version: 5.0.0
+  resolution: "broccoli-rollup@npm:5.0.0"
+  dependencies:
+    "@types/broccoli-plugin": ^3.0.0
+    broccoli-plugin: ^4.0.7
+    fs-tree-diff: ^2.0.1
+    heimdalljs: ^0.2.6
+    node-modules-path: ^1.0.1
+    rollup: ^2.50.0
+    rollup-pluginutils: ^2.8.1
+    symlink-or-copy: ^1.2.0
+    walk-sync: ^2.2.0
+  checksum: 752725e1b78b8dc6b228b0156b44e293feb948c00bf3b505254ba1f9a706a14334727eb1505c8e01ee22500387cc3059f8cb0ecf7857935346768bdcf1939b1e
+  languageName: node
+  linkType: hard
+
+"broccoli-sass-source-maps@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "broccoli-sass-source-maps@npm:4.0.0"
+  dependencies:
+    broccoli-caching-writer: ^3.0.3
+    include-path-searcher: ^0.1.0
+    mkdirp: ^0.3.5
+    object-assign: ^2.0.0
+    rsvp: ^3.0.6
+  checksum: a90b04901782d4a903b491b0eb0660d6dde7ce6d39479675e61a7a98ec93172d3bc6960b21f3540d41209fe8eeddd25c52fc1bae5012c22bdcfaf54097131c0a
+  languageName: node
+  linkType: hard
+
+"broccoli-slow-trees@npm:^3.0.1, broccoli-slow-trees@npm:^3.1.0":
+  version: 3.1.0
+  resolution: "broccoli-slow-trees@npm:3.1.0"
+  dependencies:
+    heimdalljs: ^0.2.1
+  checksum: 13c03939279e547484ee404a01a2f026eb518ddfdf7bc5376b5b7fa1c22be6fea2a1bb5aaa4d1d7bbc4fc0d3cab1083ae419d230bde90553e424957197cf9296
+  languageName: node
+  linkType: hard
+
+"broccoli-source@npm:^1.1.0":
+  version: 1.1.0
+  resolution: "broccoli-source@npm:1.1.0"
+  checksum: 6c9421e44033df4ebd5ad7a3329599e40377f1b36629637d904ca7593ab721c99e6e4cc46b774bf4c2c6b24bcec0a0a3b327c7af42e768c1855378589ac3d796
+  languageName: node
+  linkType: hard
+
+"broccoli-source@npm:^2.1.2":
+  version: 2.1.2
+  resolution: "broccoli-source@npm:2.1.2"
+  checksum: b8dfacce8a442a7a6af6f127663830387c88e4584be02854815959422598610557d3d8fc1f01c93f3f1b0afa7ffd8f151fead4377fb3e711adecd0d0c0e39e67
+  languageName: node
+  linkType: hard
+
+"broccoli-source@npm:^3.0.0, broccoli-source@npm:^3.0.1":
+  version: 3.0.1
+  resolution: "broccoli-source@npm:3.0.1"
+  dependencies:
+    broccoli-node-api: ^1.6.0
+  checksum: e47d16d269b616f12d525629d85e71e2d91b2daaf2e59a367c81f8db8cc324d7c9259de43dfa5130358ba6333fd0b620016895947dbc969c92d2ea94c2b755ea
+  languageName: node
+  linkType: hard
+
+"broccoli-sri-hash@meirish/broccoli-sri-hash#rooturl, broccoli-sri-hash@npm:^2.1.0":
+  version: 2.1.2
+  resolution: "broccoli-sri-hash@https://github.com/meirish/broccoli-sri-hash.git#commit=5ebad6f345c38d45461676c7a298a0b61be4a39d"
+  dependencies:
+    broccoli-caching-writer: ^2.2.0
+    mkdirp: ^0.5.1
+    rsvp: ^3.1.0
+    sri-toolbox: ^0.2.0
+    symlink-or-copy: ^1.0.1
+  checksum: bcf5fc1096d4c3c862bfc2ec3248edd5ee3bb13edcdc07a5f357587a9ea4ff48d8b97b73f11da3794a122ef1a0c1e2ef1181e59c03a955f9f24dfeb9adecef7e
+  languageName: node
+  linkType: hard
+
+"broccoli-stew@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "broccoli-stew@npm:3.0.0"
+  dependencies:
+    broccoli-debug: ^0.6.5
+    broccoli-funnel: ^2.0.0
+    broccoli-merge-trees: ^3.0.1
+    broccoli-persistent-filter: ^2.3.0
+    broccoli-plugin: ^2.1.0
+    chalk: ^2.4.1
+    debug: ^4.1.1
+    ensure-posix-path: ^1.0.1
+    fs-extra: ^8.0.1
+    minimatch: ^3.0.4
+    resolve: ^1.11.1
+    rsvp: ^4.8.5
+    symlink-or-copy: ^1.2.0
+    walk-sync: ^1.1.3
+  checksum: c5fc1f024d0ccc9a31b4fd9a70e34c0320b487ec86cfeaf66b6d7a06936b352fd65be59dccc200b9ffc17e528e6f9a5b2525b59169d17cd3e36daf8ce5f1deed
+  languageName: node
+  linkType: hard
+
+"broccoli-string-replace@npm:^0.1.2":
+  version: 0.1.2
+  resolution: "broccoli-string-replace@npm:0.1.2"
+  dependencies:
+    broccoli-persistent-filter: ^1.1.5
+    minimatch: ^3.0.3
+  checksum: 853c89a2e764d4577a5f28b71a63cf47f23c226d57a7521b07617758d5d69bdf4d8667a46abeceee53b39bbcfd1f61edf365e678665577d3d0b08b25fceceaf1
+  languageName: node
+  linkType: hard
+
+"broccoli-svg-optimizer@npm:^2.1.0":
+  version: 2.1.0
+  resolution: "broccoli-svg-optimizer@npm:2.1.0"
+  dependencies:
+    broccoli-persistent-filter: ^3.1.2
+    safe-stable-stringify: ^2.2.0
+    svgo: 1.3.0
+  checksum: a39f487a5eb5b3af2bed055d0da494f1cdc5670e20892901b702e7bbe60407f76e96f2ebd3c73bf1effb4d8411097628552ce628dc5c529a9660898811cf4d74
+  languageName: node
+  linkType: hard
+
+"broccoli-templater@npm:^2.0.1":
+  version: 2.0.2
+  resolution: "broccoli-templater@npm:2.0.2"
+  dependencies:
+    broccoli-plugin: ^1.3.1
+    fs-tree-diff: ^0.5.9
+    lodash.template: ^4.4.0
+    rimraf: ^2.6.2
+    walk-sync: ^0.3.3
+  checksum: 802e1e357dc4522b5f157dff2ab3b9b132b07639fffd3249f2ad22792f1eb225e86b7624c3a45af5b1063628049d16a53d6bf37358fe4c4b54bad6a776b503c3
+  languageName: node
+  linkType: hard
+
+"broccoli-terser-sourcemap@npm:^4.1.0":
+  version: 4.1.0
+  resolution: "broccoli-terser-sourcemap@npm:4.1.0"
+  dependencies:
+    async-promise-queue: ^1.0.5
+    broccoli-plugin: ^4.0.3
+    debug: ^4.1.0
+    lodash.defaultsdeep: ^4.6.1
+    matcher-collection: ^2.0.1
+    source-map-url: ^0.4.0
+    symlink-or-copy: ^1.3.1
+    terser: ^5.3.0
+    walk-sync: ^2.2.0
+    workerpool: ^6.0.0
+  checksum: 5251dd242487d92164f0453e618d67e92700892b282c99e6b7944295edce338b005edcb46e8da4e95d8d5771637c1e289c5c22abb979c2460bc4f9a1179944fe
+  languageName: node
+  linkType: hard
+
+"broccoli-test-helper@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "broccoli-test-helper@npm:2.0.0"
+  dependencies:
+    "@types/tmp": ^0.0.33
+    broccoli: ^2.0.0
+    fixturify: ^0.3.2
+    fs-tree-diff: ^0.5.9
+    tmp: ^0.0.33
+    walk-sync: ^0.3.3
+  checksum: 1f3806c458f653b09936e901405b1393497f6112c0a1b5e8d150c810edfc75a8aa46ba463ec68a70033d225e497b1dbfe8f4b26d948276c9a1f12304fea99571
+  languageName: node
+  linkType: hard
+
+"broccoli-uglify-sourcemap@npm:^3.2.0":
+  version: 3.2.0
+  resolution: "broccoli-uglify-sourcemap@npm:3.2.0"
+  dependencies:
+    async-promise-queue: ^1.0.5
+    broccoli-plugin: ^1.2.1
+    debug: ^4.1.0
+    lodash.defaultsdeep: ^4.6.1
+    matcher-collection: ^2.0.0
+    mkdirp: ^0.5.0
+    source-map-url: ^0.4.0
+    symlink-or-copy: ^1.0.1
+    terser: ^4.3.9
+    walk-sync: ^1.1.3
+    workerpool: ^5.0.1
+  checksum: be2c06a4ee14a78c8fbb0afea00ede69c63933b34d38c855454e27b344fa02b03888cb5e2a15ddd344d3dec420145cfec94ddab3d4a3c957d6f67e5ebee8577d
+  languageName: node
+  linkType: hard
+
+"broccoli@npm:^2.0.0":
+  version: 2.3.0
+  resolution: "broccoli@npm:2.3.0"
+  dependencies:
+    broccoli-node-info: 1.1.0
+    broccoli-slow-trees: ^3.0.1
+    broccoli-source: ^1.1.0
+    commander: ^2.15.1
+    connect: ^3.6.6
+    esm: ^3.2.4
+    findup-sync: ^2.0.0
+    handlebars: ^4.0.11
+    heimdalljs: ^0.2.6
+    heimdalljs-logger: ^0.1.9
+    mime-types: ^2.1.19
+    promise.prototype.finally: ^3.1.0
+    resolve-path: ^1.4.0
+    rimraf: ^2.6.2
+    sane: ^4.0.0
+    tmp: 0.0.33
+    tree-sync: ^1.2.2
+    underscore.string: ^3.2.2
+    watch-detector: ^0.1.0
+  checksum: 34117904ae15bacd9780960b972f3549bad821aca9dc649cbc8e98bf3a89073d55c39f24d27a00303ce0be0e834315113667d7e117315a473b2fee4449b35634
+  languageName: node
+  linkType: hard
+
+"broccoli@npm:^3.5.2":
+  version: 3.5.2
+  resolution: "broccoli@npm:3.5.2"
+  dependencies:
+    "@types/chai": ^4.2.9
+    "@types/chai-as-promised": ^7.1.2
+    "@types/express": ^4.17.2
+    ansi-html: ^0.0.7
+    broccoli-node-info: ^2.1.0
+    broccoli-slow-trees: ^3.0.1
+    broccoli-source: ^3.0.0
+    commander: ^4.1.1
+    connect: ^3.6.6
+    console-ui: ^3.0.4
+    esm: ^3.2.4
+    findup-sync: ^4.0.0
+    handlebars: ^4.7.3
+    heimdalljs: ^0.2.6
+    heimdalljs-logger: ^0.1.9
+    https: ^1.0.0
+    mime-types: ^2.1.26
+    resolve-path: ^1.4.0
+    rimraf: ^3.0.2
+    sane: ^4.0.0
+    tmp: ^0.0.33
+    tree-sync: ^2.0.0
+    underscore.string: ^3.2.2
+    watch-detector: ^1.0.0
+  checksum: 765fa5c409d0d14a7429472989f311b51c46fb15b0fa0a8eb8b9be8cb3b957bf253172d61fd3c202597db573d40f8b5c7557e8416a93b6c99ce0b46962d46ccd
+  languageName: node
+  linkType: hard
+
+"brorand@npm:^1.0.1, brorand@npm:^1.1.0":
+  version: 1.1.0
+  resolution: "brorand@npm:1.1.0"
+  checksum: 8a05c9f3c4b46572dec6ef71012b1946db6cae8c7bb60ccd4b7dd5a84655db49fe043ecc6272e7ef1f69dc53d6730b9e2a3a03a8310509a3d797a618cbee52be
+  languageName: node
+  linkType: hard
+
+"browser-process-hrtime@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "browser-process-hrtime@npm:1.0.0"
+  checksum: e30f868cdb770b1201afb714ad1575dd86366b6e861900884665fb627109b3cc757c40067d3bfee1ff2a29c835257ea30725a8018a9afd02ac1c24b408b1e45f
+  languageName: node
+  linkType: hard
+
+"browserify-aes@npm:^1.0.0, browserify-aes@npm:^1.0.4":
+  version: 1.2.0
+  resolution: "browserify-aes@npm:1.2.0"
+  dependencies:
+    buffer-xor: ^1.0.3
+    cipher-base: ^1.0.0
+    create-hash: ^1.1.0
+    evp_bytestokey: ^1.0.3
+    inherits: ^2.0.1
+    safe-buffer: ^5.0.1
+  checksum: 4a17c3eb55a2aa61c934c286f34921933086bf6d67f02d4adb09fcc6f2fc93977b47d9d884c25619144fccd47b3b3a399e1ad8b3ff5a346be47270114bcf7104
+  languageName: node
+  linkType: hard
+
+"browserify-cipher@npm:^1.0.0":
+  version: 1.0.1
+  resolution: "browserify-cipher@npm:1.0.1"
+  dependencies:
+    browserify-aes: ^1.0.4
+    browserify-des: ^1.0.0
+    evp_bytestokey: ^1.0.0
+  checksum: 2d8500acf1ee535e6bebe808f7a20e4c3a9e2ed1a6885fff1facbfd201ac013ef030422bec65ca9ece8ffe82b03ca580421463f9c45af6c8415fd629f4118c13
+  languageName: node
+  linkType: hard
+
+"browserify-des@npm:^1.0.0":
+  version: 1.0.2
+  resolution: "browserify-des@npm:1.0.2"
+  dependencies:
+    cipher-base: ^1.0.1
+    des.js: ^1.0.0
+    inherits: ^2.0.1
+    safe-buffer: ^5.1.2
+  checksum: b15a3e358a1d78a3b62ddc06c845d02afde6fc826dab23f1b9c016e643e7b1fda41de628d2110b712f6a44fb10cbc1800bc6872a03ddd363fb50768e010395b7
+  languageName: node
+  linkType: hard
+
+"browserify-rsa@npm:^4.0.0, browserify-rsa@npm:^4.0.1":
+  version: 4.1.0
+  resolution: "browserify-rsa@npm:4.1.0"
+  dependencies:
+    bn.js: ^5.0.0
+    randombytes: ^2.0.1
+  checksum: 155f0c135873efc85620571a33d884aa8810e40176125ad424ec9d85016ff105a07f6231650914a760cca66f29af0494087947b7be34880dd4599a0cd3c38e54
+  languageName: node
+  linkType: hard
+
+"browserify-sign@npm:^4.0.0":
+  version: 4.2.1
+  resolution: "browserify-sign@npm:4.2.1"
+  dependencies:
+    bn.js: ^5.1.1
+    browserify-rsa: ^4.0.1
+    create-hash: ^1.2.0
+    create-hmac: ^1.1.7
+    elliptic: ^6.5.3
+    inherits: ^2.0.4
+    parse-asn1: ^5.1.5
+    readable-stream: ^3.6.0
+    safe-buffer: ^5.2.0
+  checksum: 0221f190e3f5b2d40183fa51621be7e838d9caa329fe1ba773406b7637855f37b30f5d83e52ff8f244ed12ffe6278dd9983638609ed88c841ce547e603855707
+  languageName: node
+  linkType: hard
+
+"browserify-zlib@npm:^0.2.0":
+  version: 0.2.0
+  resolution: "browserify-zlib@npm:0.2.0"
+  dependencies:
+    pako: ~1.0.5
+  checksum: 5cd9d6a665190fedb4a97dfbad8dabc8698d8a507298a03f42c734e96d58ca35d3c7d4085e283440bbca1cd1938cff85031728079bedb3345310c58ab1ec92d6
+  languageName: node
+  linkType: hard
+
+"browserslist@npm:^2.11.3":
+  version: 2.11.3
+  resolution: "browserslist@npm:2.11.3"
+  dependencies:
+    caniuse-lite: ^1.0.30000792
+    electron-to-chromium: ^1.3.30
+  bin:
+    browserslist: ./cli.js
+  checksum: 2ff908162669461e881bad516885b703fd594a0b7a139bf150c1952a74fe4ed8668ac46367a0d136d39a717de65e51c867316951e9fe0f92664c65b205eb9d93
+  languageName: node
+  linkType: hard
+
+"browserslist@npm:^3.2.6":
+  version: 3.2.8
+  resolution: "browserslist@npm:3.2.8"
+  dependencies:
+    caniuse-lite: ^1.0.30000844
+    electron-to-chromium: ^1.3.47
+  bin:
+    browserslist: ./cli.js
+  checksum: 74d9ab1089a3813f54a7c4f9f6612faa6256799c8e42c7e00e4aae626c17f199049a01707a525a05b1673cd1493936583e51aad295e25249166e7e8fbd0273ba
+  languageName: node
+  linkType: hard
+
+"browserslist@npm:^4.0.0":
+  version: 4.16.6
+  resolution: "browserslist@npm:4.16.6"
+  dependencies:
+    caniuse-lite: ^1.0.30001219
+    colorette: ^1.2.2
+    electron-to-chromium: ^1.3.723
+    escalade: ^3.1.1
+    node-releases: ^1.1.71
+  bin:
+    browserslist: cli.js
+  checksum: 3dffc86892d2dcfcfc66b52519b7e5698ae070b4fc92ab047e760efc4cae0474e9e70bbe10d769c8d3491b655ef3a2a885b88e7196c83cc5dc0a46dfdba8b70c
+  languageName: node
+  linkType: hard
+
+"browserslist@npm:^4.14.5, browserslist@npm:^4.16.8, browserslist@npm:^4.20.2, browserslist@npm:^4.20.3":
+  version: 4.20.4
+  resolution: "browserslist@npm:4.20.4"
+  dependencies:
+    caniuse-lite: ^1.0.30001349
+    electron-to-chromium: ^1.4.147
+    escalade: ^3.1.1
+    node-releases: ^2.0.5
+    picocolors: ^1.0.0
+  bin:
+    browserslist: cli.js
+  checksum: 0e56c42da765524e5c31bc9a1f08afaa8d5dba085071137cf21e56dc78d0cf0283764143df4c7d1c0cd18c3187fc9494e1d93fa0255004f0be493251a28635f9
+  languageName: node
+  linkType: hard
+
+"browserslist@npm:^4.17.3":
+  version: 4.17.3
+  resolution: "browserslist@npm:4.17.3"
+  dependencies:
+    caniuse-lite: ^1.0.30001264
+    electron-to-chromium: ^1.3.857
+    escalade: ^3.1.1
+    node-releases: ^1.1.77
+    picocolors: ^0.2.1
+  bin:
+    browserslist: cli.js
+  checksum: 9295bdff6e054fdbb131275f88d282dddda7e8d54ddc1571b24374d6ba85e6d1f7cb72280543ea44a9726bb5076ded644d943b38cdc5610249699254ca951f46
+  languageName: node
+  linkType: hard
+
+"browserslist@npm:^4.17.5, browserslist@npm:^4.17.6, browserslist@npm:^4.18.1":
+  version: 4.18.1
+  resolution: "browserslist@npm:4.18.1"
+  dependencies:
+    caniuse-lite: ^1.0.30001280
+    electron-to-chromium: ^1.3.896
+    escalade: ^3.1.1
+    node-releases: ^2.0.1
+    picocolors: ^1.0.0
+  bin:
+    browserslist: cli.js
+  checksum: ae58322deef15960fc2e601d71bc081b571cfab6705999a3d24db5325b9cfadf5f676615f4460207a93e600549c33d60d37b4502007fe9e737b3cc19e20575d5
+  languageName: node
+  linkType: hard
+
+"browserslist@npm:^4.19.1":
+  version: 4.20.2
+  resolution: "browserslist@npm:4.20.2"
+  dependencies:
+    caniuse-lite: ^1.0.30001317
+    electron-to-chromium: ^1.4.84
+    escalade: ^3.1.1
+    node-releases: ^2.0.2
+    picocolors: ^1.0.0
+  bin:
+    browserslist: cli.js
+  checksum: 18e09beeae32e69fea45fc3642240fb63027b1460d90e24da86377177dca3d82c80f8fa44469d95109e3962f08eb2a23e03037bd5e1f1ec38e4866e2a8572435
+  languageName: node
+  linkType: hard
+
+"browserslist@npm:^4.21.9":
+  version: 4.21.9
+  resolution: "browserslist@npm:4.21.9"
+  dependencies:
+    caniuse-lite: ^1.0.30001503
+    electron-to-chromium: ^1.4.431
+    node-releases: ^2.0.12
+    update-browserslist-db: ^1.0.11
+  bin:
+    browserslist: cli.js
+  checksum: 80d3820584e211484ad1b1a5cfdeca1dd00442f47be87e117e1dda34b628c87e18b81ae7986fa5977b3e6a03154f6d13cd763baa6b8bf5dd9dd19f4926603698
+  languageName: node
+  linkType: hard
+
+"browserslist@npm:^4.22.1":
+  version: 4.22.2
+  resolution: "browserslist@npm:4.22.2"
+  dependencies:
+    caniuse-lite: ^1.0.30001565
+    electron-to-chromium: ^1.4.601
+    node-releases: ^2.0.14
+    update-browserslist-db: ^1.0.13
+  bin:
+    browserslist: cli.js
+  checksum: 33ddfcd9145220099a7a1ac533cecfe5b7548ffeb29b313e1b57be6459000a1f8fa67e781cf4abee97268ac594d44134fcc4a6b2b4750ceddc9796e3a22076d9
+  languageName: node
+  linkType: hard
+
+"bser@npm:2.1.1":
+  version: 2.1.1
+  resolution: "bser@npm:2.1.1"
+  dependencies:
+    node-int64: ^0.4.0
+  checksum: 9ba4dc58ce86300c862bffc3ae91f00b2a03b01ee07f3564beeeaf82aa243b8b03ba53f123b0b842c190d4399b94697970c8e7cf7b1ea44b61aa28c3526a4449
+  languageName: node
+  linkType: hard
+
+"buffer-from@npm:^1.0.0":
+  version: 1.1.1
+  resolution: "buffer-from@npm:1.1.1"
+  checksum: ccc53b69736008bff764497367c4d24879ba7122bc619ee499ff47eef3a5b885ca496e87272e7ebffa0bec3804c83f84041c616f6e3318f40624e27c1d80f045
+  languageName: node
+  linkType: hard
+
+"buffer-xor@npm:^1.0.3":
+  version: 1.0.3
+  resolution: "buffer-xor@npm:1.0.3"
+  checksum: 10c520df29d62fa6e785e2800e586a20fc4f6dfad84bcdbd12e1e8a83856de1cb75c7ebd7abe6d036bbfab738a6cf18a3ae9c8e5a2e2eb3167ca7399ce65373a
+  languageName: node
+  linkType: hard
+
+"buffer@npm:^4.3.0":
+  version: 4.9.2
+  resolution: "buffer@npm:4.9.2"
+  dependencies:
+    base64-js: ^1.0.2
+    ieee754: ^1.1.4
+    isarray: ^1.0.0
+  checksum: 8801bc1ba08539f3be70eee307a8b9db3d40f6afbfd3cf623ab7ef41dffff1d0a31de0addbe1e66e0ca5f7193eeb667bfb1ecad3647f8f1b0750de07c13295c3
+  languageName: node
+  linkType: hard
+
+"buffer@npm:^5.5.0":
+  version: 5.7.1
+  resolution: "buffer@npm:5.7.1"
+  dependencies:
+    base64-js: ^1.3.1
+    ieee754: ^1.1.13
+  checksum: e2cf8429e1c4c7b8cbd30834ac09bd61da46ce35f5c22a78e6c2f04497d6d25541b16881e30a019c6fd3154150650ccee27a308eff3e26229d788bbdeb08ab84
+  languageName: node
+  linkType: hard
+
+"builtin-status-codes@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "builtin-status-codes@npm:3.0.0"
+  checksum: 1119429cf4b0d57bf76b248ad6f529167d343156ebbcc4d4e4ad600484f6bc63002595cbb61b67ad03ce55cd1d3c4711c03bbf198bf24653b8392420482f3773
+  languageName: node
+  linkType: hard
+
+"builtins@npm:^5.0.0, builtins@npm:^5.0.1":
+  version: 5.0.1
+  resolution: "builtins@npm:5.0.1"
+  dependencies:
+    semver: ^7.0.0
+  checksum: 66d204657fe36522822a95b288943ad11b58f5eaede235b11d8c4edaa28ce4800087d44a2681524c340494aadb120a0068011acabe99d30e8f11a7d826d83515
+  languageName: node
+  linkType: hard
+
+"bytes@npm:1":
+  version: 1.0.0
+  resolution: "bytes@npm:1.0.0"
+  checksum: 6e475440d7e32971611d2bc592695fee484ee91ca1cd49f99c855560131f71670d3d185210f6cdd1704f12281f0cfcee5cb1c1f6788cb2f676b410464b7d6885
+  languageName: node
+  linkType: hard
+
+"bytes@npm:3.0.0":
+  version: 3.0.0
+  resolution: "bytes@npm:3.0.0"
+  checksum: a2b386dd8188849a5325f58eef69c3b73c51801c08ffc6963eddc9be244089ba32d19347caf6d145c86f315ae1b1fc7061a32b0c1aa6379e6a719090287ed101
+  languageName: node
+  linkType: hard
+
+"bytes@npm:3.1.0":
+  version: 3.1.0
+  resolution: "bytes@npm:3.1.0"
+  checksum: 7c3b21c5d9d44ed455460d5d36a31abc6fa2ce3807964ba60a4b03fd44454c8cf07bb0585af83bfde1c5cc2ea4bbe5897bc3d18cd15e0acf25a3615a35aba2df
+  languageName: node
+  linkType: hard
+
+"bytes@npm:3.1.2":
+  version: 3.1.2
+  resolution: "bytes@npm:3.1.2"
+  checksum: e4bcd3948d289c5127591fbedf10c0b639ccbf00243504e4e127374a15c3bc8eed0d28d4aaab08ff6f1cf2abc0cce6ba3085ed32f4f90e82a5683ce0014e1b6e
+  languageName: node
+  linkType: hard
+
+"bytestreamjs@npm:^1.0.29":
+  version: 1.0.29
+  resolution: "bytestreamjs@npm:1.0.29"
+  checksum: 0fd5e74ad0c6694e53f5fcf303f2124c128e4f837249e4361be8c3e022208558a27c353b03b3157a9d1ff15455e09041faa1134e03bcc914bbe6816eafc0362b
+  languageName: node
+  linkType: hard
+
+"cacache@npm:^12.0.2":
+  version: 12.0.4
+  resolution: "cacache@npm:12.0.4"
+  dependencies:
+    bluebird: ^3.5.5
+    chownr: ^1.1.1
+    figgy-pudding: ^3.5.1
+    glob: ^7.1.4
+    graceful-fs: ^4.1.15
+    infer-owner: ^1.0.3
+    lru-cache: ^5.1.1
+    mississippi: ^3.0.0
+    mkdirp: ^0.5.1
+    move-concurrently: ^1.0.1
+    promise-inflight: ^1.0.1
+    rimraf: ^2.6.3
+    ssri: ^6.0.1
+    unique-filename: ^1.1.1
+    y18n: ^4.0.0
+  checksum: c88a72f36939b2523533946ffb27828443db5bf5995d761b35ae17af1eb6c8e20ac55b00b74c2ca900b2e1e917f0afba6847bf8cc16bee05ccca6aa150e0830c
+  languageName: node
+  linkType: hard
+
+"cacache@npm:^16.1.0":
+  version: 16.1.3
+  resolution: "cacache@npm:16.1.3"
+  dependencies:
+    "@npmcli/fs": ^2.1.0
+    "@npmcli/move-file": ^2.0.0
+    chownr: ^2.0.0
+    fs-minipass: ^2.1.0
+    glob: ^8.0.1
+    infer-owner: ^1.0.4
+    lru-cache: ^7.7.1
+    minipass: ^3.1.6
+    minipass-collect: ^1.0.2
+    minipass-flush: ^1.0.5
+    minipass-pipeline: ^1.2.4
+    mkdirp: ^1.0.4
+    p-map: ^4.0.0
+    promise-inflight: ^1.0.1
+    rimraf: ^3.0.2
+    ssri: ^9.0.0
+    tar: ^6.1.11
+    unique-filename: ^2.0.0
+  checksum: d91409e6e57d7d9a3a25e5dcc589c84e75b178ae8ea7de05cbf6b783f77a5fae938f6e8fda6f5257ed70000be27a681e1e44829251bfffe4c10216002f8f14e6
+  languageName: node
+  linkType: hard
+
+"cache-base@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "cache-base@npm:1.0.1"
+  dependencies:
+    collection-visit: ^1.0.0
+    component-emitter: ^1.2.1
+    get-value: ^2.0.6
+    has-value: ^1.0.0
+    isobject: ^3.0.1
+    set-value: ^2.0.0
+    to-object-path: ^0.3.0
+    union-value: ^1.0.0
+    unset-value: ^1.0.0
+  checksum: 9114b8654fe2366eedc390bad0bcf534e2f01b239a888894e2928cb58cdc1e6ea23a73c6f3450dcfd2058aa73a8a981e723cd1e7c670c047bf11afdc65880107
+  languageName: node
+  linkType: hard
+
+"calculate-cache-key-for-tree@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "calculate-cache-key-for-tree@npm:2.0.0"
+  dependencies:
+    json-stable-stringify: ^1.0.1
+  checksum: 8b7434417be8ba7efad7b783d0e31d757ff26e1edb7586ccd829347cc7860b738c1595194f7cc63b1b23975c07845d53023ded6a160d22e27898f695d2cf3c63
+  languageName: node
+  linkType: hard
+
+"call-bind@npm:^1.0.0, call-bind@npm:^1.0.2":
+  version: 1.0.2
+  resolution: "call-bind@npm:1.0.2"
+  dependencies:
+    function-bind: ^1.1.1
+    get-intrinsic: ^1.0.2
+  checksum: f8e31de9d19988a4b80f3e704788c4a2d6b6f3d17cfec4f57dc29ced450c53a49270dc66bf0fbd693329ee948dd33e6c90a329519aef17474a4d961e8d6426b0
+  languageName: node
+  linkType: hard
+
+"callsite@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "callsite@npm:1.0.0"
+  checksum: 569686d622a288a4f0a827466c2f967b6d7a98f2ee1e6ada9dcf5a6802267a5e2a995d40f07113b5f95c7b2b2d5cbff4fdde590195f2a8bed24b829d048688f8
+  languageName: node
+  linkType: hard
+
+"callsites@npm:^3.0.0, callsites@npm:^3.1.0":
+  version: 3.1.0
+  resolution: "callsites@npm:3.1.0"
+  checksum: 072d17b6abb459c2ba96598918b55868af677154bec7e73d222ef95a8fdb9bbf7dae96a8421085cdad8cd190d86653b5b6dc55a4484f2e5b2e27d5e0c3fc15b3
+  languageName: node
+  linkType: hard
+
+"camelcase-keys@npm:^7.0.0, camelcase-keys@npm:^7.0.2":
+  version: 7.0.2
+  resolution: "camelcase-keys@npm:7.0.2"
+  dependencies:
+    camelcase: ^6.3.0
+    map-obj: ^4.1.0
+    quick-lru: ^5.1.1
+    type-fest: ^1.2.1
+  checksum: b5821cc48dd00e8398a30c5d6547f06837ab44de123f1b3a603d0a03399722b2fc67a485a7e47106eb02ef543c3b50c5ebaabc1242cde4b63a267c3258d2365b
+  languageName: node
+  linkType: hard
+
+"camelcase@npm:^5.0.0":
+  version: 5.3.1
+  resolution: "camelcase@npm:5.3.1"
+  checksum: e6effce26b9404e3c0f301498184f243811c30dfe6d0b9051863bd8e4034d09c8c2923794f280d6827e5aa055f6c434115ff97864a16a963366fb35fd673024b
+  languageName: node
+  linkType: hard
+
+"camelcase@npm:^6.3.0":
+  version: 6.3.0
+  resolution: "camelcase@npm:6.3.0"
+  checksum: 8c96818a9076434998511251dcb2761a94817ea17dbdc37f47ac080bd088fc62c7369429a19e2178b993497132c8cbcf5cc1f44ba963e76782ba469c0474938d
+  languageName: node
+  linkType: hard
+
+"can-symlink@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "can-symlink@npm:1.0.0"
+  dependencies:
+    tmp: 0.0.28
+  bin:
+    can-symlink: ./can-symlink.js
+  checksum: 02bc43799685ab0fe42af8a7b697ef3918baaf77b1fff0417392b933cfb6bddb8cf93b3afd83983bea21922c9312c6047a58718f5a30d1232ce09540b52f78a4
+  languageName: node
+  linkType: hard
+
+"caniuse-api@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "caniuse-api@npm:3.0.0"
+  dependencies:
+    browserslist: ^4.0.0
+    caniuse-lite: ^1.0.0
+    lodash.memoize: ^4.1.2
+    lodash.uniq: ^4.5.0
+  checksum: db2a229383b20d0529b6b589dde99d7b6cb56ba371366f58cbbfa2929c9f42c01f873e2b6ef641d4eda9f0b4118de77dbb2805814670bdad4234bf08e720b0b4
+  languageName: node
+  linkType: hard
+
+"caniuse-lite@npm:^1.0.0, caniuse-lite@npm:^1.0.30000792, caniuse-lite@npm:^1.0.30000805, caniuse-lite@npm:^1.0.30001219, caniuse-lite@npm:^1.0.30001264, caniuse-lite@npm:^1.0.30001280, caniuse-lite@npm:^1.0.30001304, caniuse-lite@npm:^1.0.30001317, caniuse-lite@npm:^1.0.30001349":
+  version: 1.0.30001487
+  resolution: "caniuse-lite@npm:1.0.30001487"
+  checksum: b5a9e72ec165765fb3e07913cc389685ce8a30ac48967f99baec773a4353d2037fb534241e87b3c95d40a5081079be2263710b784883183bb2998b73f7202233
+  languageName: node
+  linkType: hard
+
+"caniuse-lite@npm:^1.0.30000844, caniuse-lite@npm:^1.0.30001503":
+  version: 1.0.30001516
+  resolution: "caniuse-lite@npm:1.0.30001516"
+  checksum: 044adf3493b734a356a2922445a30095a0f6de6b9194695cdf74deafe7bef658e85858a31177762c2813f6e1ed2722d832d59eee0ecb2151e93a611ee18cb21f
+  languageName: node
+  linkType: hard
+
+"caniuse-lite@npm:^1.0.30001565":
+  version: 1.0.30001566
+  resolution: "caniuse-lite@npm:1.0.30001566"
+  checksum: 0f9084bf9f7d5c0a9ddb200c2baddb25dd2ad5a2f205f01e7b971f3e98e9a7bb23c2d86bae48237e9bc9782b682cffaaf3406d936937ab9844987dbe2a6401f2
+  languageName: node
+  linkType: hard
+
+"capture-exit@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "capture-exit@npm:2.0.0"
+  dependencies:
+    rsvp: ^4.8.4
+  checksum: 0b9f10daca09e521da9599f34c8e7af14ad879c336e2bdeb19955b375398ae1c5bcc91ac9f2429944343057ee9ed028b1b2fb28816c384e0e55d70c439b226f4
+  languageName: node
+  linkType: hard
+
+"cardinal@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "cardinal@npm:1.0.0"
+  dependencies:
+    ansicolors: ~0.2.1
+    redeyed: ~1.0.0
+  bin:
+    cdl: ./bin/cdl.js
+  checksum: c77852b228c2be38cfa66b43ec3bfaee021954f621328def00e2fba364160bbbafadbad560485da29d6deb87042268d7a23f91a460058308a14c5d18a329ab57
+  languageName: node
+  linkType: hard
+
+"caseless@npm:~0.12.0":
+  version: 0.12.0
+  resolution: "caseless@npm:0.12.0"
+  checksum: b43bd4c440aa1e8ee6baefee8063b4850fd0d7b378f6aabc796c9ec8cb26d27fb30b46885350777d9bd079c5256c0e1329ad0dc7c2817e0bb466810ebb353751
+  languageName: node
+  linkType: hard
+
+"ccount@npm:^1.0.0":
+  version: 1.1.0
+  resolution: "ccount@npm:1.1.0"
+  checksum: b335a79d0aa4308919cf7507babcfa04ac63d389ebed49dbf26990d4607c8a4713cde93cc83e707d84571ddfe1e7615dad248be9bc422ae4c188210f71b08b78
+  languageName: node
+  linkType: hard
+
+"ceibo@npm:~2.0.0":
+  version: 2.0.0
+  resolution: "ceibo@npm:2.0.0"
+  checksum: 5b61580221b8b145442b5076fe2d9389104899e712dce21bfabe907276e86cfc36f8aae68a4af592300db6eeedc53e885019475f0ffb41cf9c9217f500d9c9cf
+  languageName: node
+  linkType: hard
+
+"chalk@npm:^1.0.0, chalk@npm:^1.1.3":
+  version: 1.1.3
+  resolution: "chalk@npm:1.1.3"
+  dependencies:
+    ansi-styles: ^2.2.1
+    escape-string-regexp: ^1.0.2
+    has-ansi: ^2.0.0
+    strip-ansi: ^3.0.0
+    supports-color: ^2.0.0
+  checksum: 9d2ea6b98fc2b7878829eec223abcf404622db6c48396a9b9257f6d0ead2acf18231ae368d6a664a83f272b0679158da12e97b5229f794939e555cc574478acd
+  languageName: node
+  linkType: hard
+
+"chalk@npm:^2.0.0, chalk@npm:^2.0.1, chalk@npm:^2.1.0, chalk@npm:^2.3.0, chalk@npm:^2.4.1, chalk@npm:^2.4.2":
+  version: 2.4.2
+  resolution: "chalk@npm:2.4.2"
+  dependencies:
+    ansi-styles: ^3.2.1
+    escape-string-regexp: ^1.0.5
+    supports-color: ^5.3.0
+  checksum: ec3661d38fe77f681200f878edbd9448821924e0f93a9cefc0e26a33b145f1027a2084bf19967160d11e1f03bfe4eaffcabf5493b89098b2782c3fe0b03d80c2
+  languageName: node
+  linkType: hard
+
+"chalk@npm:^4.0.0, chalk@npm:^4.1.0, chalk@npm:^4.1.1":
+  version: 4.1.1
+  resolution: "chalk@npm:4.1.1"
+  dependencies:
+    ansi-styles: ^4.1.0
+    supports-color: ^7.1.0
+  checksum: 036e973e665ba1a32c975e291d5f3d549bceeb7b1b983320d4598fb75d70fe20c5db5d62971ec0fe76cdbce83985a00ee42372416abfc3a5584465005a7855ed
+  languageName: node
+  linkType: hard
+
+"chalk@npm:^4.1.2":
+  version: 4.1.2
+  resolution: "chalk@npm:4.1.2"
+  dependencies:
+    ansi-styles: ^4.1.0
+    supports-color: ^7.1.0
+  checksum: fe75c9d5c76a7a98d45495b91b2172fa3b7a09e0cc9370e5c8feb1c567b85c4288e2b3fded7cfdd7359ac28d6b3844feb8b82b8686842e93d23c827c417e83fc
+  languageName: node
+  linkType: hard
+
+"chalk@npm:^5.2.0":
+  version: 5.3.0
+  resolution: "chalk@npm:5.3.0"
+  checksum: 623922e077b7d1e9dedaea6f8b9e9352921f8ae3afe739132e0e00c275971bdd331268183b2628cf4ab1727c45ea1f28d7e24ac23ce1db1eb653c414ca8a5a80
+  languageName: node
+  linkType: hard
+
+"chalk@npm:~0.4.0":
+  version: 0.4.0
+  resolution: "chalk@npm:0.4.0"
+  dependencies:
+    ansi-styles: ~1.0.0
+    has-color: ~0.1.0
+    strip-ansi: ~0.1.0
+  checksum: e8f04f387b9fbf746fdce4b61a633f8a0d28224d8b022603db0f2d137471a18c5bc0bc33b243df09c361688f12bd3ab8a9dd1f8b4450d5a361bfe83aadbde739
+  languageName: node
+  linkType: hard
+
+"character-entities-legacy@npm:^1.0.0":
+  version: 1.1.4
+  resolution: "character-entities-legacy@npm:1.1.4"
+  checksum: fe03a82c154414da3a0c8ab3188e4237ec68006cbcd681cf23c7cfb9502a0e76cd30ab69a2e50857ca10d984d57de3b307680fff5328ccd427f400e559c3a811
+  languageName: node
+  linkType: hard
+
+"character-entities@npm:^1.0.0":
+  version: 1.2.4
+  resolution: "character-entities@npm:1.2.4"
+  checksum: e1545716571ead57beac008433c1ff69517cd8ca5b336889321c5b8ff4a99c29b65589a701e9c086cda8a5e346a67295e2684f6c7ea96819fe85cbf49bf8686d
+  languageName: node
+  linkType: hard
+
+"character-reference-invalid@npm:^1.0.0":
+  version: 1.1.4
+  resolution: "character-reference-invalid@npm:1.1.4"
+  checksum: 20274574c70e05e2f81135f3b93285536bc8ff70f37f0809b0d17791a832838f1e49938382899ed4cb444e5bbd4314ca1415231344ba29f4222ce2ccf24fea0b
+  languageName: node
+  linkType: hard
+
+"charcodes@npm:^0.2.0":
+  version: 0.2.0
+  resolution: "charcodes@npm:0.2.0"
+  checksum: 972443ed359d54382e721b9db0a298eb95c4c454386f7e98886586f433e1e6686225416114e6f6bb2e6ef3facc9ba3b4ab9946a56a180fe64ef67816a05d4fe4
+  languageName: node
+  linkType: hard
+
+"chardet@npm:^0.7.0":
+  version: 0.7.0
+  resolution: "chardet@npm:0.7.0"
+  checksum: 6fd5da1f5d18ff5712c1e0aed41da200d7c51c28f11b36ee3c7b483f3696dabc08927fc6b227735eb8f0e1215c9a8abd8154637f3eff8cada5959df7f58b024d
+  languageName: node
+  linkType: hard
+
+"charm@npm:^1.0.0":
+  version: 1.0.2
+  resolution: "charm@npm:1.0.2"
+  dependencies:
+    inherits: ^2.0.1
+  checksum: 767e4ea65014c3a93ed6943d230150b80bea8842b3a19890a30a477f47c8dfb68687d754f5a538bd628fc3a0a6b84c4986c9c3f9c541c4956239d8d280472614
+  languageName: node
+  linkType: hard
+
+"cheerio-select@npm:^2.1.0":
+  version: 2.1.0
+  resolution: "cheerio-select@npm:2.1.0"
+  dependencies:
+    boolbase: ^1.0.0
+    css-select: ^5.1.0
+    css-what: ^6.1.0
+    domelementtype: ^2.3.0
+    domhandler: ^5.0.3
+    domutils: ^3.0.1
+  checksum: 843d6d479922f28a6c5342c935aff1347491156814de63c585a6eb73baf7bb4185c1b4383a1195dca0f12e3946d737c7763bcef0b9544c515d905c5c44c5308b
+  languageName: node
+  linkType: hard
+
+"cheerio@npm:^1.0.0-rc.12":
+  version: 1.0.0-rc.12
+  resolution: "cheerio@npm:1.0.0-rc.12"
+  dependencies:
+    cheerio-select: ^2.1.0
+    dom-serializer: ^2.0.0
+    domhandler: ^5.0.3
+    domutils: ^3.0.1
+    htmlparser2: ^8.0.1
+    parse5: ^7.0.0
+    parse5-htmlparser2-tree-adapter: ^7.0.0
+  checksum: 5d4c1b7a53cf22d3a2eddc0aff70cf23cbb30d01a4c79013e703a012475c02461aa1fcd99127e8d83a02216386ed6942b2c8103845fd0812300dd199e6e7e054
+  languageName: node
+  linkType: hard
+
+"chokidar@npm:>=3.0.0 <4.0.0":
+  version: 3.5.3
+  resolution: "chokidar@npm:3.5.3"
+  dependencies:
+    anymatch: ~3.1.2
+    braces: ~3.0.2
+    fsevents: ~2.3.2
+    glob-parent: ~5.1.2
+    is-binary-path: ~2.1.0
+    is-glob: ~4.0.1
+    normalize-path: ~3.0.0
+    readdirp: ~3.6.0
+  dependenciesMeta:
+    fsevents:
+      optional: true
+  checksum: b49fcde40176ba007ff361b198a2d35df60d9bb2a5aab228279eb810feae9294a6b4649ab15981304447afe1e6ffbf4788ad5db77235dc770ab777c6e771980c
+  languageName: node
+  linkType: hard
+
+"chokidar@npm:^2.1.8":
+  version: 2.1.8
+  resolution: "chokidar@npm:2.1.8"
+  dependencies:
+    anymatch: ^2.0.0
+    async-each: ^1.0.1
+    braces: ^2.3.2
+    fsevents: ^1.2.7
+    glob-parent: ^3.1.0
+    inherits: ^2.0.3
+    is-binary-path: ^1.0.0
+    is-glob: ^4.0.0
+    normalize-path: ^3.0.0
+    path-is-absolute: ^1.0.0
+    readdirp: ^2.2.1
+    upath: ^1.1.1
+  dependenciesMeta:
+    fsevents:
+      optional: true
+  checksum: 0c43e89cbf0268ef1e1f41ce8ec5233c7ba022c6f3282c2ef6530e351d42396d389a1148c5a040f291cf1f4083a4c6b2f51dad3f31c726442ea9a337de316bcf
+  languageName: node
+  linkType: hard
+
+"chokidar@npm:^3.4.1":
+  version: 3.5.1
+  resolution: "chokidar@npm:3.5.1"
+  dependencies:
+    anymatch: ~3.1.1
+    braces: ~3.0.2
+    fsevents: ~2.3.1
+    glob-parent: ~5.1.0
+    is-binary-path: ~2.1.0
+    is-glob: ~4.0.1
+    normalize-path: ~3.0.0
+    readdirp: ~3.5.0
+  dependenciesMeta:
+    fsevents:
+      optional: true
+  checksum: b7774e6e3aeca084d39e8542041555a11452414c744122436101243f89580fad97154ae11525e46bfa816313ae32533e2a88e8587e4d50b14ea716a9e6538978
+  languageName: node
+  linkType: hard
+
+"chownr@npm:^1.1.1":
+  version: 1.1.4
+  resolution: "chownr@npm:1.1.4"
+  checksum: 115648f8eb38bac5e41c3857f3e663f9c39ed6480d1349977c4d96c95a47266fcacc5a5aabf3cb6c481e22d72f41992827db47301851766c4fd77ac21a4f081d
+  languageName: node
+  linkType: hard
+
+"chownr@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "chownr@npm:2.0.0"
+  checksum: c57cf9dd0791e2f18a5ee9c1a299ae6e801ff58fee96dc8bfd0dcb4738a6ce58dd252a3605b1c93c6418fe4f9d5093b28ffbf4d66648cb2a9c67eaef9679be2f
+  languageName: node
+  linkType: hard
+
+"chrome-trace-event@npm:^1.0.2":
+  version: 1.0.3
+  resolution: "chrome-trace-event@npm:1.0.3"
+  checksum: cb8b1fc7e881aaef973bd0c4a43cd353c2ad8323fb471a041e64f7c2dd849cde4aad15f8b753331a32dda45c973f032c8a03b8177fc85d60eaa75e91e08bfb97
+  languageName: node
+  linkType: hard
+
+"ci-info@npm:^3.7.0, ci-info@npm:^3.8.0":
+  version: 3.8.0
+  resolution: "ci-info@npm:3.8.0"
+  checksum: d0a4d3160497cae54294974a7246202244fff031b0a6ea20dd57b10ec510aa17399c41a1b0982142c105f3255aff2173e5c0dd7302ee1b2f28ba3debda375098
+  languageName: node
+  linkType: hard
+
+"cipher-base@npm:^1.0.0, cipher-base@npm:^1.0.1, cipher-base@npm:^1.0.3":
+  version: 1.0.4
+  resolution: "cipher-base@npm:1.0.4"
+  dependencies:
+    inherits: ^2.0.1
+    safe-buffer: ^5.0.1
+  checksum: 47d3568dbc17431a339bad1fe7dff83ac0891be8206911ace3d3b818fc695f376df809bea406e759cdea07fff4b454fa25f1013e648851bec790c1d75763032e
+  languageName: node
+  linkType: hard
+
+"class-utils@npm:^0.3.5":
+  version: 0.3.6
+  resolution: "class-utils@npm:0.3.6"
+  dependencies:
+    arr-union: ^3.1.0
+    define-property: ^0.2.5
+    isobject: ^3.0.0
+    static-extend: ^0.1.1
+  checksum: be108900801e639e50f96a7e4bfa8867c753a7750a7603879f3981f8b0a89cba657497a2d5f40cd4ea557ff15d535a100818bb486baf6e26fe5d7872e75f1078
+  languageName: node
+  linkType: hard
+
+"clean-base-url@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "clean-base-url@npm:1.0.0"
+  checksum: df819e54595b0c04cadfd1a5485216591d4b68d80a3603b657e7e50ac6b34539ef8a6e2100531131d67da325603b26a96a80cfd7c2fc24702ce1db0e1e39dde0
+  languageName: node
+  linkType: hard
+
+"clean-css-promise@npm:^0.1.0":
+  version: 0.1.1
+  resolution: "clean-css-promise@npm:0.1.1"
+  dependencies:
+    array-to-error: ^1.0.0
+    clean-css: ^3.4.5
+    pinkie-promise: ^2.0.0
+  checksum: 5d2a4ad633453c4e6f3d865f7f19f1a821d20985309f914307a87c36c0ef79674ccb24f61195ff45506b50c12b49ec0448581b0f60c31472925d77fc923129ea
+  languageName: node
+  linkType: hard
+
+"clean-css@npm:^3.4.5":
+  version: 3.4.28
+  resolution: "clean-css@npm:3.4.28"
+  dependencies:
+    commander: 2.8.x
+    source-map: 0.4.x
+  bin:
+    cleancss: ./bin/cleancss
+  checksum: eacc573e5ba118aa59bb44a3d188e54d390b7482cad7941559b3865e4946c677afb2deab50bcf8e97592532935f684a53b3abff1d5c55e95e21ded1e93b69132
+  languageName: node
+  linkType: hard
+
+"clean-stack@npm:^2.0.0, clean-stack@npm:^2.2.0":
+  version: 2.2.0
+  resolution: "clean-stack@npm:2.2.0"
+  checksum: 2ac8cd2b2f5ec986a3c743935ec85b07bc174d5421a5efc8017e1f146a1cf5f781ae962618f416352103b32c9cd7e203276e8c28241bbe946160cab16149fb68
+  languageName: node
+  linkType: hard
+
+"clean-up-path@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "clean-up-path@npm:1.0.0"
+  checksum: a4182d6126d897b326b4918e9931c359ae64c7a8fcf2eab4554f9eabf7820c78e3d917b8e0ddb6589837f905ff1b4158a10504664727b0ade67f55815020b41f
+  languageName: node
+  linkType: hard
+
+"cli-cursor@npm:^2.1.0":
+  version: 2.1.0
+  resolution: "cli-cursor@npm:2.1.0"
+  dependencies:
+    restore-cursor: ^2.0.0
+  checksum: d88e97bfdac01046a3ffe7d49f06757b3126559d7e44aa2122637eb179284dc6cd49fca2fac4f67c19faaf7e6dab716b6fe1dfcd309977407d8c7578ec2d044d
+  languageName: node
+  linkType: hard
+
+"cli-cursor@npm:^3.1.0":
+  version: 3.1.0
+  resolution: "cli-cursor@npm:3.1.0"
+  dependencies:
+    restore-cursor: ^3.1.0
+  checksum: 2692784c6cd2fd85cfdbd11f53aea73a463a6d64a77c3e098b2b4697a20443f430c220629e1ca3b195ea5ac4a97a74c2ee411f3807abf6df2b66211fec0c0a29
+  languageName: node
+  linkType: hard
+
+"cli-spinners@npm:^2.0.0, cli-spinners@npm:^2.5.0":
+  version: 2.6.0
+  resolution: "cli-spinners@npm:2.6.0"
+  checksum: bc5d06af9f896e95d0c277e2a5ee0adc5876767decca6b3c22e212934b96033453268cb59be904eccb6d59119e57dbb3fc8ca9bdf5f8476506283b3dd8728748
+  languageName: node
+  linkType: hard
+
+"cli-table@npm:^0.3.1":
+  version: 0.3.6
+  resolution: "cli-table@npm:0.3.6"
+  dependencies:
+    colors: 1.0.3
+  checksum: b0cd08578c810240920438cc2b3ffb4b4f5106b29f3362707f1d8cfc0c0440ad2afb70b96e30ce37f72f0ffe1e844ae7341dde4df17d51ad345eb186a5903af2
+  languageName: node
+  linkType: hard
+
+"cli-truncate@npm:^2.1.0":
+  version: 2.1.0
+  resolution: "cli-truncate@npm:2.1.0"
+  dependencies:
+    slice-ansi: ^3.0.0
+    string-width: ^4.2.0
+  checksum: bf1e4e6195392dc718bf9cd71f317b6300dc4a9191d052f31046b8773230ece4fa09458813bf0e3455a5e68c0690d2ea2c197d14a8b85a7b5e01c97f4b5feb5d
+  languageName: node
+  linkType: hard
+
+"cli-width@npm:^2.0.0":
+  version: 2.2.1
+  resolution: "cli-width@npm:2.2.1"
+  checksum: 3c21b897a2ff551ae5b3c3ab32c866ed2965dcf7fb442f81adf0e27f4a397925c8f84619af7bcc6354821303f6ee9b2aa31d248306174f32c287986158cf4eed
+  languageName: node
+  linkType: hard
+
+"cli-width@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "cli-width@npm:3.0.0"
+  checksum: 4c94af3769367a70e11ed69aa6095f1c600c0ff510f3921ab4045af961820d57c0233acfa8b6396037391f31b4c397e1f614d234294f979ff61430a6c166c3f6
+  languageName: node
+  linkType: hard
+
+"cliui@npm:^5.0.0":
+  version: 5.0.0
+  resolution: "cliui@npm:5.0.0"
+  dependencies:
+    string-width: ^3.1.0
+    strip-ansi: ^5.2.0
+    wrap-ansi: ^5.1.0
+  checksum: 0bb8779efe299b8f3002a73619eaa8add4081eb8d1c17bc4fedc6240557fb4eacdc08fe87c39b002eacb6cfc117ce736b362dbfd8bf28d90da800e010ee97df4
+  languageName: node
+  linkType: hard
+
+"cliui@npm:^8.0.1":
+  version: 8.0.1
+  resolution: "cliui@npm:8.0.1"
+  dependencies:
+    string-width: ^4.2.0
+    strip-ansi: ^6.0.1
+    wrap-ansi: ^7.0.0
+  checksum: 79648b3b0045f2e285b76fb2e24e207c6db44323581e421c3acbd0e86454cba1b37aea976ab50195a49e7384b871e6dfb2247ad7dec53c02454ac6497394cb56
+  languageName: node
+  linkType: hard
+
+"clone@npm:^1.0.2":
+  version: 1.0.4
+  resolution: "clone@npm:1.0.4"
+  checksum: d06418b7335897209e77bdd430d04f882189582e67bd1f75a04565f3f07f5b3f119a9d670c943b6697d0afb100f03b866b3b8a1f91d4d02d72c4ecf2bb64b5dd
+  languageName: node
+  linkType: hard
+
+"clone@npm:^2.0.0, clone@npm:^2.1.2":
+  version: 2.1.2
+  resolution: "clone@npm:2.1.2"
+  checksum: aaf106e9bc025b21333e2f4c12da539b568db4925c0501a1bf4070836c9e848c892fa22c35548ce0d1132b08bbbfa17a00144fe58fccdab6fa900fec4250f67d
+  languageName: node
+  linkType: hard
+
+"coa@npm:^2.0.2":
+  version: 2.0.2
+  resolution: "coa@npm:2.0.2"
+  dependencies:
+    "@types/q": ^1.5.1
+    chalk: ^2.4.1
+    q: ^1.1.2
+  checksum: 44736914aac2160d3d840ed64432a90a3bb72285a0cd6a688eb5cabdf15d15a85eee0915b3f6f2a4659d5075817b1cb577340d3c9cbb47d636d59ab69f819552
+  languageName: node
+  linkType: hard
+
+"codemirror@npm:^5.58.2":
+  version: 5.61.0
+  resolution: "codemirror@npm:5.61.0"
+  checksum: d9081d4937fc237c972e12538721b47817a08557a30d692b32e09849977e5d91ca6c8984cdea417cf11a163fdbc3c7139fd66cefc6fcf32047c8cbecd21d2715
+  languageName: node
+  linkType: hard
+
+"collection-visit@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "collection-visit@npm:1.0.0"
+  dependencies:
+    map-visit: ^1.0.0
+    object-visit: ^1.0.0
+  checksum: 15d9658fe6eb23594728346adad5433b86bb7a04fd51bbab337755158722f9313a5376ef479de5b35fbc54140764d0d39de89c339f5d25b959ed221466981da9
+  languageName: node
+  linkType: hard
+
+"color-convert@npm:^1.9.0":
+  version: 1.9.3
+  resolution: "color-convert@npm:1.9.3"
+  dependencies:
+    color-name: 1.1.3
+  checksum: fd7a64a17cde98fb923b1dd05c5f2e6f7aefda1b60d67e8d449f9328b4e53b228a428fd38bfeaeb2db2ff6b6503a776a996150b80cdf224062af08a5c8a3a203
+  languageName: node
+  linkType: hard
+
+"color-convert@npm:^2.0.1":
+  version: 2.0.1
+  resolution: "color-convert@npm:2.0.1"
+  dependencies:
+    color-name: ~1.1.4
+  checksum: 79e6bdb9fd479a205c71d89574fccfb22bd9053bd98c6c4d870d65c132e5e904e6034978e55b43d69fcaa7433af2016ee203ce76eeba9cfa554b373e7f7db336
+  languageName: node
+  linkType: hard
+
+"color-name@npm:1.1.3":
+  version: 1.1.3
+  resolution: "color-name@npm:1.1.3"
+  checksum: 09c5d3e33d2105850153b14466501f2bfb30324a2f76568a408763a3b7433b0e50e5b4ab1947868e65cb101bb7cb75029553f2c333b6d4b8138a73fcc133d69d
+  languageName: node
+  linkType: hard
+
+"color-name@npm:~1.1.4":
+  version: 1.1.4
+  resolution: "color-name@npm:1.1.4"
+  checksum: b0445859521eb4021cd0fb0cc1a75cecf67fceecae89b63f62b201cca8d345baf8b952c966862a9d9a2632987d4f6581f0ec8d957dfacece86f0a7919316f610
+  languageName: node
+  linkType: hard
+
+"color-support@npm:^1.1.3":
+  version: 1.1.3
+  resolution: "color-support@npm:1.1.3"
+  bin:
+    color-support: bin.js
+  checksum: 9b7356817670b9a13a26ca5af1c21615463b500783b739b7634a0c2047c16cef4b2865d7576875c31c3cddf9dd621fa19285e628f20198b233a5cfdda6d0793b
+  languageName: node
+  linkType: hard
+
+"colord@npm:^2.9.3":
+  version: 2.9.3
+  resolution: "colord@npm:2.9.3"
+  checksum: 95d909bfbcfd8d5605cbb5af56f2d1ce2b323990258fd7c0d2eb0e6d3bb177254d7fb8213758db56bb4ede708964f78c6b992b326615f81a18a6aaf11d64c650
+  languageName: node
+  linkType: hard
+
+"colorette@npm:^1.2.2":
+  version: 1.4.0
+  resolution: "colorette@npm:1.4.0"
+  checksum: 01c3c16058b182a4ab4c126a65a75faa4d38a20fa7c845090b25453acec6c371bb2c5dceb0a2338511f17902b9d1a9af0cadd8509c9403894b79311032c256c3
+  languageName: node
+  linkType: hard
+
+"colors@npm:1.0.3":
+  version: 1.0.3
+  resolution: "colors@npm:1.0.3"
+  checksum: 234e8d3ab7e4003851cdd6a1f02eaa16dabc502ee5f4dc576ad7959c64b7477b15bd21177bab4055a4c0a66aa3d919753958030445f87c39a253d73b7a3637f5
+  languageName: node
+  linkType: hard
+
+"colors@npm:^1.4.0":
+  version: 1.4.0
+  resolution: "colors@npm:1.4.0"
+  checksum: 98aa2c2418ad87dedf25d781be69dc5fc5908e279d9d30c34d8b702e586a0474605b3a189511482b9d5ed0d20c867515d22749537f7bc546256c6014f3ebdcec
+  languageName: node
+  linkType: hard
+
+"columnify@npm:^1.5.4":
+  version: 1.5.4
+  resolution: "columnify@npm:1.5.4"
+  dependencies:
+    strip-ansi: ^3.0.0
+    wcwidth: ^1.0.0
+  checksum: f0693937412ec41d387f8ae89ff8cd5811a07ad636f753f0276ba8394fd76c0f610621ebeb379d6adcb30d98696919546dbbf93a28bd4e546efc7e30d905edc2
+  languageName: node
+  linkType: hard
+
+"combined-stream@npm:^1.0.6, combined-stream@npm:~1.0.6":
+  version: 1.0.8
+  resolution: "combined-stream@npm:1.0.8"
+  dependencies:
+    delayed-stream: ~1.0.0
+  checksum: 49fa4aeb4916567e33ea81d088f6584749fc90c7abec76fd516bf1c5aa5c79f3584b5ba3de6b86d26ddd64bae5329c4c7479343250cfe71c75bb366eae53bb7c
+  languageName: node
+  linkType: hard
+
+"commander@npm:2, commander@npm:^2.15.1, commander@npm:^2.20.0, commander@npm:^2.6.0":
+  version: 2.20.3
+  resolution: "commander@npm:2.20.3"
+  checksum: ab8c07884e42c3a8dbc5dd9592c606176c7eb5c1ca5ff274bcf907039b2c41de3626f684ea75ccf4d361ba004bbaff1f577d5384c155f3871e456bdf27becf9e
+  languageName: node
+  linkType: hard
+
+"commander@npm:2.8.x":
+  version: 2.8.1
+  resolution: "commander@npm:2.8.1"
+  dependencies:
+    graceful-readlink: ">= 1.0.0"
+  checksum: 9552028af84683cf2b20397c54fa4dd5b18fb69555e201a8edc3880b344f5aadd8857f777da97ce0c99e50fc133adf356f0299e9958b9b4e95b96c45f0696dfd
+  languageName: node
+  linkType: hard
+
+"commander@npm:7.2.0":
+  version: 7.2.0
+  resolution: "commander@npm:7.2.0"
+  checksum: 53501cbeee61d5157546c0bef0fedb6cdfc763a882136284bed9a07225f09a14b82d2a84e7637edfd1a679fb35ed9502fd58ef1d091e6287f60d790147f68ddc
+  languageName: node
+  linkType: hard
+
+"commander@npm:^4.1.1":
+  version: 4.1.1
+  resolution: "commander@npm:4.1.1"
+  checksum: d7b9913ff92cae20cb577a4ac6fcc121bd6223319e54a40f51a14740a681ad5c574fd29a57da478a5f234a6fa6c52cbf0b7c641353e03c648b1ae85ba670b977
+  languageName: node
+  linkType: hard
+
+"commander@npm:^6.2.0":
+  version: 6.2.1
+  resolution: "commander@npm:6.2.1"
+  checksum: d7090410c0de6bc5c67d3ca41c41760d6d268f3c799e530aafb73b7437d1826bbf0d2a3edac33f8b57cc9887b4a986dce307fa5557e109be40eadb7c43b21742
+  languageName: node
+  linkType: hard
+
+"commander@npm:^8.3.0":
+  version: 8.3.0
+  resolution: "commander@npm:8.3.0"
+  checksum: 0f82321821fc27b83bd409510bb9deeebcfa799ff0bf5d102128b500b7af22872c0c92cb6a0ebc5a4cf19c6b550fba9cedfa7329d18c6442a625f851377bacf0
+  languageName: node
+  linkType: hard
+
+"common-tags@npm:^1.4.0":
+  version: 1.8.0
+  resolution: "common-tags@npm:1.8.0"
+  checksum: fb0cc9420d149176f2bd2b1fc9e6df622cd34eccaca60b276aa3253a7c9241e8a8ed1ec0702b2679eba7e47aeef721869c686bbd7257b75b5c44993c8462cd7f
+  languageName: node
+  linkType: hard
+
+"common-tags@npm:^1.8.0, common-tags@npm:^1.8.2":
+  version: 1.8.2
+  resolution: "common-tags@npm:1.8.2"
+  checksum: 767a6255a84bbc47df49a60ab583053bb29a7d9687066a18500a516188a062c4e4cd52de341f22de0b07062e699b1b8fe3cfa1cb55b241cb9301aeb4f45b4dff
+  languageName: node
+  linkType: hard
+
+"commondir@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "commondir@npm:1.0.1"
+  checksum: 59715f2fc456a73f68826285718503340b9f0dd89bfffc42749906c5cf3d4277ef11ef1cca0350d0e79204f00f1f6d83851ececc9095dc88512a697ac0b9bdcb
+  languageName: node
+  linkType: hard
+
+"component-emitter@npm:^1.2.1":
+  version: 1.3.0
+  resolution: "component-emitter@npm:1.3.0"
+  checksum: b3c46de38ffd35c57d1c02488355be9f218e582aec72d72d1b8bbec95a3ac1b38c96cd6e03ff015577e68f550fbb361a3bfdbd9bb248be9390b7b3745691be6b
+  languageName: node
+  linkType: hard
+
+"compressible@npm:~2.0.16":
+  version: 2.0.18
+  resolution: "compressible@npm:2.0.18"
+  dependencies:
+    mime-db: ">= 1.43.0 < 2"
+  checksum: 58321a85b375d39230405654721353f709d0c1442129e9a17081771b816302a012471a9b8f4864c7dbe02eef7f2aaac3c614795197092262e94b409c9be108f0
+  languageName: node
+  linkType: hard
+
+"compression@npm:^1.7.4":
+  version: 1.7.4
+  resolution: "compression@npm:1.7.4"
+  dependencies:
+    accepts: ~1.3.5
+    bytes: 3.0.0
+    compressible: ~2.0.16
+    debug: 2.6.9
+    on-headers: ~1.0.2
+    safe-buffer: 5.1.2
+    vary: ~1.1.2
+  checksum: 35c0f2eb1f28418978615dc1bc02075b34b1568f7f56c62d60f4214d4b7cc00d0f6d282b5f8a954f59872396bd770b6b15ffd8aa94c67d4bce9b8887b906999b
+  languageName: node
+  linkType: hard
+
+"concat-map@npm:0.0.1":
+  version: 0.0.1
+  resolution: "concat-map@npm:0.0.1"
+  checksum: 902a9f5d8967a3e2faf138d5cb784b9979bad2e6db5357c5b21c568df4ebe62bcb15108af1b2253744844eb964fc023fbd9afbbbb6ddd0bcc204c6fb5b7bf3af
+  languageName: node
+  linkType: hard
+
+"concat-stream@npm:^1.5.0":
+  version: 1.6.2
+  resolution: "concat-stream@npm:1.6.2"
+  dependencies:
+    buffer-from: ^1.0.0
+    inherits: ^2.0.3
+    readable-stream: ^2.2.2
+    typedarray: ^0.0.6
+  checksum: 1ef77032cb4459dcd5187bd710d6fc962b067b64ec6a505810de3d2b8cc0605638551b42f8ec91edf6fcd26141b32ef19ad749239b58fae3aba99187adc32285
+  languageName: node
+  linkType: hard
+
+"configstore@npm:^5.0.1":
+  version: 5.0.1
+  resolution: "configstore@npm:5.0.1"
+  dependencies:
+    dot-prop: ^5.2.0
+    graceful-fs: ^4.1.2
+    make-dir: ^3.0.0
+    unique-string: ^2.0.0
+    write-file-atomic: ^3.0.0
+    xdg-basedir: ^4.0.0
+  checksum: 60ef65d493b63f96e14b11ba7ec072fdbf3d40110a94fb7199d1c287761bdea5c5244e76b2596325f30c1b652213aa75de96ea20afd4a5f82065e61ea090988e
+  languageName: node
+  linkType: hard
+
+"connect@npm:^3.6.6":
+  version: 3.7.0
+  resolution: "connect@npm:3.7.0"
+  dependencies:
+    debug: 2.6.9
+    finalhandler: 1.1.2
+    parseurl: ~1.3.3
+    utils-merge: 1.0.1
+  checksum: 96e1c4effcf219b065c7823e57351c94366d2e2a6952fa95e8212bffb35c86f1d5a3f9f6c5796d4cd3a5fdda628368b1c3cc44bf19c66cfd68fe9f9cab9177e2
+  languageName: node
+  linkType: hard
+
+"console-browserify@npm:^1.1.0":
+  version: 1.2.0
+  resolution: "console-browserify@npm:1.2.0"
+  checksum: 226591eeff8ed68e451dffb924c1fb750c654d54b9059b3b261d360f369d1f8f70650adecf2c7136656236a4bfeb55c39281b5d8a55d792ebbb99efd3d848d52
+  languageName: node
+  linkType: hard
+
+"console-control-strings@npm:^1.1.0":
+  version: 1.1.0
+  resolution: "console-control-strings@npm:1.1.0"
+  checksum: 8755d76787f94e6cf79ce4666f0c5519906d7f5b02d4b884cf41e11dcd759ed69c57da0670afd9236d229a46e0f9cf519db0cd829c6dca820bb5a5c3def584ed
+  languageName: node
+  linkType: hard
+
+"console-ui@npm:^3.0.4, console-ui@npm:^3.1.1, console-ui@npm:^3.1.2":
+  version: 3.1.2
+  resolution: "console-ui@npm:3.1.2"
+  dependencies:
+    chalk: ^2.1.0
+    inquirer: ^6
+    json-stable-stringify: ^1.0.1
+    ora: ^3.4.0
+    through2: ^3.0.1
+  checksum: f475401147c5f1205a39dcd0ca9e196e053285a357fe10d4233947e7288f8412bca1ac5666446cced5aab0bd6309ff6715efd395cd285225836c72d27c821008
+  languageName: node
+  linkType: hard
+
+"consolidate@npm:^0.16.0":
+  version: 0.16.0
+  resolution: "consolidate@npm:0.16.0"
+  dependencies:
+    bluebird: ^3.7.2
+  checksum: f17164ffb2c4f79b4cbf685f1c76a49f59d329a40954b436425498861dc137b46fe821b2aadafa2dcfeb7eebd46846f35bd2c36b4a704d38521b4210a22a7515
+  languageName: node
+  linkType: hard
+
+"constants-browserify@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "constants-browserify@npm:1.0.0"
+  checksum: f7ac8c6d0b6e4e0c77340a1d47a3574e25abd580bfd99ad707b26ff7618596cf1a5e5ce9caf44715e9e01d4a5d12cb3b4edaf1176f34c19adb2874815a56e64f
+  languageName: node
+  linkType: hard
+
+"content-disposition@npm:0.5.3":
+  version: 0.5.3
+  resolution: "content-disposition@npm:0.5.3"
+  dependencies:
+    safe-buffer: 5.1.2
+  checksum: 95bf164c0b0b8199d3f44b7631e51b37f683c6a90b9baa4315bd3d405a6d1bc81b7346f0981046aa004331fb3d7a28b629514d01fc209a5251573fc7e4d33380
+  languageName: node
+  linkType: hard
+
+"content-disposition@npm:0.5.4":
+  version: 0.5.4
+  resolution: "content-disposition@npm:0.5.4"
+  dependencies:
+    safe-buffer: 5.2.1
+  checksum: afb9d545e296a5171d7574fcad634b2fdf698875f4006a9dd04a3e1333880c5c0c98d47b560d01216fb6505a54a2ba6a843ee3a02ec86d7e911e8315255f56c3
+  languageName: node
+  linkType: hard
+
+"content-type@npm:~1.0.4":
+  version: 1.0.4
+  resolution: "content-type@npm:1.0.4"
+  checksum: 3d93585fda985d1554eca5ebd251994327608d2e200978fdbfba21c0c679914d5faf266d17027de44b34a72c7b0745b18584ecccaa7e1fdfb6a68ac7114f12e0
+  languageName: node
+  linkType: hard
+
+"continuable-cache@npm:^0.3.1":
+  version: 0.3.1
+  resolution: "continuable-cache@npm:0.3.1"
+  checksum: d88b9891cdc76533bf018613ec80c7f8f3ce7159fa8c1402dae7be546c4b0566ef0c18e488b08da66b8a8f5aab7c91ce9910e4c32d965d902ffe34e095ccc2cb
+  languageName: node
+  linkType: hard
+
+"convert-source-map@npm:^1.5.1, convert-source-map@npm:^1.7.0":
+  version: 1.8.0
+  resolution: "convert-source-map@npm:1.8.0"
+  dependencies:
+    safe-buffer: ~5.1.1
+  checksum: 985d974a2d33e1a2543ada51c93e1ba2f73eaed608dc39f229afc78f71dcc4c8b7d7c684aa647e3c6a3a204027444d69e53e169ce94e8d1fa8d7dee80c9c8fed
+  languageName: node
+  linkType: hard
+
+"cookie-signature@npm:1.0.6":
+  version: 1.0.6
+  resolution: "cookie-signature@npm:1.0.6"
+  checksum: f4e1b0a98a27a0e6e66fd7ea4e4e9d8e038f624058371bf4499cfcd8f3980be9a121486995202ba3fca74fbed93a407d6d54d43a43f96fd28d0bd7a06761591a
+  languageName: node
+  linkType: hard
+
+"cookie@npm:0.4.0":
+  version: 0.4.0
+  resolution: "cookie@npm:0.4.0"
+  checksum: 760384ba0aef329c52523747e36a452b5e51bc49b34160363a6934e7b7df3f93fcc88b35e33450361535d40a92a96412da870e1816aba9aa6cc556a9fedd8492
+  languageName: node
+  linkType: hard
+
+"cookie@npm:0.5.0":
+  version: 0.5.0
+  resolution: "cookie@npm:0.5.0"
+  checksum: 1f4bd2ca5765f8c9689a7e8954183f5332139eb72b6ff783d8947032ec1fdf43109852c178e21a953a30c0dd42257828185be01b49d1eb1a67fd054ca588a180
+  languageName: node
+  linkType: hard
+
+"cookie@npm:~0.4.1":
+  version: 0.4.1
+  resolution: "cookie@npm:0.4.1"
+  checksum: bd7c47f5d94ab70ccdfe8210cde7d725880d2fcda06d8e375afbdd82de0c8d3b73541996e9ce57d35f67f672c4ee6d60208adec06b3c5fc94cebb85196084cf8
+  languageName: node
+  linkType: hard
+
+"copy-concurrently@npm:^1.0.0":
+  version: 1.0.5
+  resolution: "copy-concurrently@npm:1.0.5"
+  dependencies:
+    aproba: ^1.1.1
+    fs-write-stream-atomic: ^1.0.8
+    iferr: ^0.1.5
+    mkdirp: ^0.5.1
+    rimraf: ^2.5.4
+    run-queue: ^1.0.0
+  checksum: 63c169f582e09445260988f697b2d07793d439dfc31e97c8999707bd188dd94d1c7f2ca3533c7786fb75f03a3f2f54ad1ee08055f95f61bb8d2e862498c1d460
+  languageName: node
+  linkType: hard
+
+"copy-dereference@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "copy-dereference@npm:1.0.0"
+  checksum: ffa946e4d3ab77e53e7543fb58b89ffffebc29cc1560adcfd09ad521e2c5b8f087a4639ac98a2d3945a173f0defad444ce1873f3d1104c1978d83c54dd888caf
+  languageName: node
+  linkType: hard
+
+"copy-descriptor@npm:^0.1.0":
+  version: 0.1.1
+  resolution: "copy-descriptor@npm:0.1.1"
+  checksum: d4b7b57b14f1d256bb9aa0b479241048afd7f5bcf22035fc7b94e8af757adeae247ea23c1a774fe44869fd5694efba4a969b88d966766c5245fdee59837fe45b
+  languageName: node
+  linkType: hard
+
+"core-js-compat@npm:^3.16.2":
+  version: 3.18.2
+  resolution: "core-js-compat@npm:3.18.2"
+  dependencies:
+    browserslist: ^4.17.3
+    semver: 7.0.0
+  checksum: 8358d4a14725b68ccb5fcdd590e603f08933c1f89b0fc5415054048771d6ae9182dca89d0280ed44535ce7a5f6f2f6280774aa0b0410842c940a9a2149ab83d2
+  languageName: node
+  linkType: hard
+
+"core-js-compat@npm:^3.18.0":
+  version: 3.19.2
+  resolution: "core-js-compat@npm:3.19.2"
+  dependencies:
+    browserslist: ^4.18.1
+    semver: 7.0.0
+  checksum: 6b9cca0dc341512c3494955ab87cf7e091dd98503af2b432979c6467385804d03cec9598691c0560c5ede992c0b8ee2ce3fc1af4062c31f5731da70211b61544
+  languageName: node
+  linkType: hard
+
+"core-js-compat@npm:^3.20.2, core-js-compat@npm:^3.21.0":
+  version: 3.21.1
+  resolution: "core-js-compat@npm:3.21.1"
+  dependencies:
+    browserslist: ^4.19.1
+    semver: 7.0.0
+  checksum: 6af1bcbc94ede50b109e54bf3f5a9ca28b8a303124e07c2bf76c2257a8a94a0b550cf4a318f6ec0594b351b6f9a5453fd4516e3681560b6d984b95d1988baf13
+  languageName: node
+  linkType: hard
+
+"core-js-compat@npm:^3.22.1":
+  version: 3.22.8
+  resolution: "core-js-compat@npm:3.22.8"
+  dependencies:
+    browserslist: ^4.20.3
+    semver: 7.0.0
+  checksum: 0c82d9110dcb267c2f5547c61b62f8043793d203523048169176b8badf0b73f3792624342b85d9c923df8eb8971b4aa468b160abb81a023d183c5951e4f05a66
+  languageName: node
+  linkType: hard
+
+"core-js-compat@npm:^3.31.0, core-js-compat@npm:^3.33.1":
+  version: 3.33.3
+  resolution: "core-js-compat@npm:3.33.3"
+  dependencies:
+    browserslist: ^4.22.1
+  checksum: cb121e83f0f5f18b2b75428cdfb19524936a18459f1e0358f9124c8ff8b75d6a5901495cb996560cfde3a416103973f78eb5947777bb8b2fd877cdf84471465d
+  languageName: node
+  linkType: hard
+
+"core-js-compat@npm:^3.9.0":
+  version: 3.19.1
+  resolution: "core-js-compat@npm:3.19.1"
+  dependencies:
+    browserslist: ^4.17.6
+    semver: 7.0.0
+  checksum: ed302c99814bd7227b549f639fe5f1a3b9d885c0f878c1203f10be0a33c7d0b199931cb904074cc988ab48411132d4f41adf1603e4eebe5c5d42bdc62a3f5c5d
+  languageName: node
+  linkType: hard
+
+"core-js@npm:^2.4.0, core-js@npm:^2.5.0, core-js@npm:^2.6.5":
+  version: 2.6.12
+  resolution: "core-js@npm:2.6.12"
+  checksum: 44fa9934a85f8c78d61e0c8b7b22436330471ffe59ec5076fe7f324d6e8cf7f824b14b1c81ca73608b13bdb0fef035bd820989bf059767ad6fa13123bb8bd016
+  languageName: node
+  linkType: hard
+
+"core-js@npm:^3.16.2":
+  version: 3.22.8
+  resolution: "core-js@npm:3.22.8"
+  checksum: c79bcfea37920a5da880ad1fc8336355e833c83998bb28cd45cc59eef4d9824dd8d59ccd24d6b18ff88f284d53d9eef021ddbd2b5ab1c6305b01e98c1402e510
+  languageName: node
+  linkType: hard
+
+"core-js@npm:^3.24.1":
+  version: 3.26.0
+  resolution: "core-js@npm:3.26.0"
+  checksum: 0149eb9d3909fde9c17626af3a6e625c326e8598d0bb5e6c5b48a18e5fcd4eaf48d4964d873667d8148542ff590fb98eb3f93618da114ca54999d6bc0349734b
+  languageName: node
+  linkType: hard
+
+"core-object@npm:^3.1.5":
+  version: 3.1.5
+  resolution: "core-object@npm:3.1.5"
+  dependencies:
+    chalk: ^2.0.0
+  checksum: d53022008fa9da9db3ac5d2636750300da114b58432a28bcde4cbb099e60208e3b0ae2b8a05cec2d2ec70bdcad72bfac18134ab60e435aec3117b3edad00235d
+  languageName: node
+  linkType: hard
+
+"core-util-is@npm:1.0.2":
+  version: 1.0.2
+  resolution: "core-util-is@npm:1.0.2"
+  checksum: 7a4c925b497a2c91421e25bf76d6d8190f0b2359a9200dbeed136e63b2931d6294d3b1893eda378883ed363cd950f44a12a401384c609839ea616befb7927dab
+  languageName: node
+  linkType: hard
+
+"core-util-is@npm:~1.0.0":
+  version: 1.0.3
+  resolution: "core-util-is@npm:1.0.3"
+  checksum: 9de8597363a8e9b9952491ebe18167e3b36e7707569eed0ebf14f8bba773611376466ae34575bca8cfe3c767890c859c74056084738f09d4e4a6f902b2ad7d99
+  languageName: node
+  linkType: hard
+
+"cors@npm:~2.8.5":
+  version: 2.8.5
+  resolution: "cors@npm:2.8.5"
+  dependencies:
+    object-assign: ^4
+    vary: ^1
+  checksum: ced838404ccd184f61ab4fdc5847035b681c90db7ac17e428f3d81d69e2989d2b680cc254da0e2554f5ed4f8a341820a1ce3d1c16b499f6e2f47a1b9b07b5006
+  languageName: node
+  linkType: hard
+
+"cosmiconfig@npm:^7.0.0":
+  version: 7.0.0
+  resolution: "cosmiconfig@npm:7.0.0"
+  dependencies:
+    "@types/parse-json": ^4.0.0
+    import-fresh: ^3.2.1
+    parse-json: ^5.0.0
+    path-type: ^4.0.0
+    yaml: ^1.10.0
+  checksum: 6801feaa0249e9b9fdde5b3d70dc33b4f9c69095bec94d67e3fe08b66eac24dc7e2099f053597cfbc94b743de269aa5d2cfa7da3fde765433423b06bd122941a
+  languageName: node
+  linkType: hard
+
+"cosmiconfig@npm:^8.2.0":
+  version: 8.2.0
+  resolution: "cosmiconfig@npm:8.2.0"
+  dependencies:
+    import-fresh: ^3.2.1
+    js-yaml: ^4.1.0
+    parse-json: ^5.0.0
+    path-type: ^4.0.0
+  checksum: 836d5d8efa750f3fb17b03d6ca74cd3154ed025dffd045304b3ef59637f662bde1e5dc88f8830080d180ec60841719cf4ea2ce73fb21ec694b16865c478ff297
+  languageName: node
+  linkType: hard
+
+"create-ecdh@npm:^4.0.0":
+  version: 4.0.4
+  resolution: "create-ecdh@npm:4.0.4"
+  dependencies:
+    bn.js: ^4.1.0
+    elliptic: ^6.5.3
+  checksum: 0dd7fca9711d09e152375b79acf1e3f306d1a25ba87b8ff14c2fd8e68b83aafe0a7dd6c4e540c9ffbdd227a5fa1ad9b81eca1f233c38bb47770597ba247e614b
+  languageName: node
+  linkType: hard
+
+"create-hash@npm:^1.1.0, create-hash@npm:^1.1.2, create-hash@npm:^1.2.0":
+  version: 1.2.0
+  resolution: "create-hash@npm:1.2.0"
+  dependencies:
+    cipher-base: ^1.0.1
+    inherits: ^2.0.1
+    md5.js: ^1.3.4
+    ripemd160: ^2.0.1
+    sha.js: ^2.4.0
+  checksum: 02a6ae3bb9cd4afee3fabd846c1d8426a0e6b495560a977ba46120c473cb283be6aa1cace76b5f927cf4e499c6146fb798253e48e83d522feba807d6b722eaa9
+  languageName: node
+  linkType: hard
+
+"create-hmac@npm:^1.1.0, create-hmac@npm:^1.1.4, create-hmac@npm:^1.1.7":
+  version: 1.1.7
+  resolution: "create-hmac@npm:1.1.7"
+  dependencies:
+    cipher-base: ^1.0.3
+    create-hash: ^1.1.0
+    inherits: ^2.0.1
+    ripemd160: ^2.0.0
+    safe-buffer: ^5.0.1
+    sha.js: ^2.4.8
+  checksum: ba12bb2257b585a0396108c72830e85f882ab659c3320c83584b1037f8ab72415095167ced80dc4ce8e446a8ecc4b2acf36d87befe0707d73b26cf9dc77440ed
+  languageName: node
+  linkType: hard
+
+"cross-spawn@npm:^6.0.0, cross-spawn@npm:^6.0.5":
+  version: 6.0.5
+  resolution: "cross-spawn@npm:6.0.5"
+  dependencies:
+    nice-try: ^1.0.4
+    path-key: ^2.0.1
+    semver: ^5.5.0
+    shebang-command: ^1.2.0
+    which: ^1.2.9
+  checksum: f893bb0d96cd3d5751d04e67145bdddf25f99449531a72e82dcbbd42796bbc8268c1076c6b3ea51d4d455839902804b94bc45dfb37ecbb32ea8e54a6741c3ab9
+  languageName: node
+  linkType: hard
+
+"cross-spawn@npm:^7.0.0, cross-spawn@npm:^7.0.2, cross-spawn@npm:^7.0.3":
+  version: 7.0.3
+  resolution: "cross-spawn@npm:7.0.3"
+  dependencies:
+    path-key: ^3.1.0
+    shebang-command: ^2.0.0
+    which: ^2.0.1
+  checksum: 671cc7c7288c3a8406f3c69a3ae2fc85555c04169e9d611def9a675635472614f1c0ed0ef80955d5b6d4e724f6ced67f0ad1bb006c2ea643488fcfef994d7f52
+  languageName: node
+  linkType: hard
+
+"crypto-browserify@npm:^3.11.0":
+  version: 3.12.0
+  resolution: "crypto-browserify@npm:3.12.0"
+  dependencies:
+    browserify-cipher: ^1.0.0
+    browserify-sign: ^4.0.0
+    create-ecdh: ^4.0.0
+    create-hash: ^1.1.0
+    create-hmac: ^1.1.0
+    diffie-hellman: ^5.0.0
+    inherits: ^2.0.1
+    pbkdf2: ^3.0.3
+    public-encrypt: ^4.0.0
+    randombytes: ^2.0.0
+    randomfill: ^1.0.3
+  checksum: c1609af82605474262f3eaa07daa0b2140026bd264ab316d4bf1170272570dbe02f0c49e29407fe0d3634f96c507c27a19a6765fb856fed854a625f9d15618e2
+  languageName: node
+  linkType: hard
+
+"crypto-random-string@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "crypto-random-string@npm:2.0.0"
+  checksum: 0283879f55e7c16fdceacc181f87a0a65c53bc16ffe1d58b9d19a6277adcd71900d02bb2c4843dd55e78c51e30e89b0fec618a7f170ebcc95b33182c28f05fd6
+  languageName: node
+  linkType: hard
+
+"css-functions-list@npm:^3.1.0":
+  version: 3.2.0
+  resolution: "css-functions-list@npm:3.2.0"
+  checksum: fe912ea852fad500aef9a4f04db9a0371c7b0eb1ac1a45fbd8df0156ae0538cee7492ebd620b9bb502fe5bf2b5ed3bf3c16b6659cf67c7144eff0b597bcc3891
+  languageName: node
+  linkType: hard
+
+"css-loader@npm:^5.2.0":
+  version: 5.2.7
+  resolution: "css-loader@npm:5.2.7"
+  dependencies:
+    icss-utils: ^5.1.0
+    loader-utils: ^2.0.0
+    postcss: ^8.2.15
+    postcss-modules-extract-imports: ^3.0.0
+    postcss-modules-local-by-default: ^4.0.0
+    postcss-modules-scope: ^3.0.0
+    postcss-modules-values: ^4.0.0
+    postcss-value-parser: ^4.1.0
+    schema-utils: ^3.0.0
+    semver: ^7.3.5
+  peerDependencies:
+    webpack: ^4.27.0 || ^5.0.0
+  checksum: fb0742b30ac0919f94b99a323bdefe6d48ae46d66c7d966aae59031350532f368f8bba5951fcd268f2e053c5e6e4655551076268e9073ccb58e453f98ae58f8e
+  languageName: node
+  linkType: hard
+
+"css-select-base-adapter@npm:^0.1.1":
+  version: 0.1.1
+  resolution: "css-select-base-adapter@npm:0.1.1"
+  checksum: c107e9cfa53a23427e4537451a67358375e656baa3322345a982d3c2751fb3904002aae7e5d72386c59f766fe6b109d1ffb43eeab1c16f069f7a3828eb17851c
+  languageName: node
+  linkType: hard
+
+"css-select@npm:^2.0.0":
+  version: 2.1.0
+  resolution: "css-select@npm:2.1.0"
+  dependencies:
+    boolbase: ^1.0.0
+    css-what: ^3.2.1
+    domutils: ^1.7.0
+    nth-check: ^1.0.2
+  checksum: 0c4099910f2411e2a9103cf92ea6a4ad738b57da75bcf73d39ef2c14a00ef36e5f16cb863211c901320618b24ace74da6333442d82995cafd5040077307de462
+  languageName: node
+  linkType: hard
+
+"css-select@npm:^5.1.0":
+  version: 5.1.0
+  resolution: "css-select@npm:5.1.0"
+  dependencies:
+    boolbase: ^1.0.0
+    css-what: ^6.1.0
+    domhandler: ^5.0.2
+    domutils: ^3.0.1
+    nth-check: ^2.0.1
+  checksum: 2772c049b188d3b8a8159907192e926e11824aea525b8282981f72ba3f349cf9ecd523fdf7734875ee2cb772246c22117fc062da105b6d59afe8dcd5c99c9bda
+  languageName: node
+  linkType: hard
+
+"css-tree@npm:1.0.0-alpha.29":
+  version: 1.0.0-alpha.29
+  resolution: "css-tree@npm:1.0.0-alpha.29"
+  dependencies:
+    mdn-data: ~1.1.0
+    source-map: ^0.5.3
+  checksum: 1693a0ddb85fe6f94c5d1b4c79a5dbc67d0c4a10e9992d9c6685bfc84b9d40380799e30b22bca42e15e60d927ac54ac500dec785e8c9245ee782c89eb4d924f4
+  languageName: node
+  linkType: hard
+
+"css-tree@npm:1.0.0-alpha.33":
+  version: 1.0.0-alpha.33
+  resolution: "css-tree@npm:1.0.0-alpha.33"
+  dependencies:
+    mdn-data: 2.0.4
+    source-map: ^0.5.3
+  checksum: b7d1584d855ac01dd2fd7898869f8de90b6cd5b284ffc3d538cbf40891f65f82011964ab360314175bcec3d08838976f4a68823df51d74a456879f62cdf63026
+  languageName: node
+  linkType: hard
+
+"css-tree@npm:^2.0.4":
+  version: 2.1.0
+  resolution: "css-tree@npm:2.1.0"
+  dependencies:
+    mdn-data: 2.0.27
+    source-map-js: ^1.0.1
+  checksum: 254c66a76f6a01d5161605162b17c1792fb3f96966d1cabec3435c551372707c02f6ca6c15f967bee7699f0b254437037c3fdb5eea0cd76ac2377cc8ac1f1d1d
+  languageName: node
+  linkType: hard
+
+"css-tree@npm:^2.3.1":
+  version: 2.3.1
+  resolution: "css-tree@npm:2.3.1"
+  dependencies:
+    mdn-data: 2.0.30
+    source-map-js: ^1.0.1
+  checksum: 493cc24b5c22b05ee5314b8a0d72d8a5869491c1458017ae5ed75aeb6c3596637dbe1b11dac2548974624adec9f7a1f3a6cf40593dc1f9185eb0e8279543fbc0
+  languageName: node
+  linkType: hard
+
+"css-what@npm:^3.2.1":
+  version: 3.4.2
+  resolution: "css-what@npm:3.4.2"
+  checksum: 26bb5ec3ae718393d418016365c849fa14bd0de408c735dea3ddf58146b6cc54f3b336fb4afd31d95c06ca79583acbcdfec7ee93d31ff5c1a697df135b38dfeb
+  languageName: node
+  linkType: hard
+
+"css-what@npm:^6.1.0":
+  version: 6.1.0
+  resolution: "css-what@npm:6.1.0"
+  checksum: b975e547e1e90b79625918f84e67db5d33d896e6de846c9b584094e529f0c63e2ab85ee33b9daffd05bff3a146a1916bec664e18bb76dd5f66cbff9fc13b2bbe
+  languageName: node
+  linkType: hard
+
+"cssesc@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "cssesc@npm:3.0.0"
+  bin:
+    cssesc: bin/cssesc
+  checksum: f8c4ababffbc5e2ddf2fa9957dda1ee4af6048e22aeda1869d0d00843223c1b13ad3f5d88b51caa46c994225eacb636b764eb807a8883e2fb6f99b4f4e8c48b2
+  languageName: node
+  linkType: hard
+
+"csso@npm:^3.5.1":
+  version: 3.5.1
+  resolution: "csso@npm:3.5.1"
+  dependencies:
+    css-tree: 1.0.0-alpha.29
+  checksum: f5cca58d7b0a50cdab52c634d967f822c18aaa5f50dd1e145bb755f7ca4b32a029b72269a8a7e253e338e59833e6a934beca187172fb00efc6d096dba0d635b1
+  languageName: node
+  linkType: hard
+
+"cssom@npm:^0.4.4":
+  version: 0.4.4
+  resolution: "cssom@npm:0.4.4"
+  checksum: e3bc1076e7ee4213d4fef05e7ae03bfa83dc05f32611d8edc341f4ecc3d9647b89c8245474c7dd2cdcdb797a27c462e99da7ad00a34399694559f763478ff53f
+  languageName: node
+  linkType: hard
+
+"cssom@npm:~0.3.6":
+  version: 0.3.8
+  resolution: "cssom@npm:0.3.8"
+  checksum: 24beb3087c76c0d52dd458be9ee1fbc80ac771478a9baef35dd258cdeb527c68eb43204dd439692bb2b1ae5272fa5f2946d10946edab0d04f1078f85e06bc7f6
+  languageName: node
+  linkType: hard
+
+"cssstyle@npm:^2.3.0":
+  version: 2.3.0
+  resolution: "cssstyle@npm:2.3.0"
+  dependencies:
+    cssom: ~0.3.6
+  checksum: 5f05e6fd2e3df0b44695c2f08b9ef38b011862b274e320665176467c0725e44a53e341bc4959a41176e83b66064ab786262e7380fd1cabeae6efee0d255bb4e3
+  languageName: node
+  linkType: hard
+
+"cyclist@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "cyclist@npm:1.0.1"
+  checksum: 3cc2fdeb358599ca0ea96f5ecf2fc530ccab7ed1f8aa1a894aebfacd2009281bd7380cb9b30db02a18cdd00b3ed1d7ce81a3b11fe56e33a6a0fe4424dc592fbe
+  languageName: node
+  linkType: hard
+
+"d3-array@npm:1, d3-array@npm:^1.1.1, d3-array@npm:^1.2.0":
+  version: 1.2.4
+  resolution: "d3-array@npm:1.2.4"
+  checksum: d0be1fa7d72dbfac8a3bcffbb669d42bcb9128d8818d84d2b1df0c60bbe4c8e54a798be0457c55a219b399e2c2fabcbd581cbb130eb638b5436b0618d7e56000
+  languageName: node
+  linkType: hard
+
+"d3-axis@npm:1, d3-axis@npm:^1.0.8":
+  version: 1.0.12
+  resolution: "d3-axis@npm:1.0.12"
+  checksum: b1cf820fb6e95cc3371b340353b05272dba16ce6ad4fe9a0992d075ab48a08810f87f5e6c7cbb6c63fca1ee1e9b7c822307a1590187daa7627f45728a747c746
+  languageName: node
+  linkType: hard
+
+"d3-brush@npm:1":
+  version: 1.1.6
+  resolution: "d3-brush@npm:1.1.6"
+  dependencies:
+    d3-dispatch: 1
+    d3-drag: 1
+    d3-interpolate: 1
+    d3-selection: 1
+    d3-transition: 1
+  checksum: ffa23a5543699cc1199f45ac87d4e1293167c4bab0833657d77172d84d910448893569393290dba3689af1e5a1fc77503d94a2dec3976de8a7bc68ed0e32413a
+  languageName: node
+  linkType: hard
+
+"d3-chord@npm:1":
+  version: 1.0.6
+  resolution: "d3-chord@npm:1.0.6"
+  dependencies:
+    d3-array: 1
+    d3-path: 1
+  checksum: e4ca95ffff089f0eccf796d16a5574121e0ecbe658dcd9d5fa760af3573c3349264ce325c0adf1f32bcad67038d3938edd109712166cfb5b3bbe068e27c012e9
+  languageName: node
+  linkType: hard
+
+"d3-collection@npm:1, d3-collection@npm:^1.0.4":
+  version: 1.0.7
+  resolution: "d3-collection@npm:1.0.7"
+  checksum: 9c6b910a9da0efb021e294509f98263ca4f62d10b997bb30ccfb6edd582b703da36e176b968b5bac815fbb0f328e49643c38cf93b5edf8572a179ba55cf4a09d
+  languageName: node
+  linkType: hard
+
+"d3-color@npm:1":
+  version: 1.4.1
+  resolution: "d3-color@npm:1.4.1"
+  checksum: a214b61458b5fcb7ad1a84faed0e02918037bab6be37f2d437bf0e2915cbd854d89fbf93754f17b0781c89e39d46704633d05a2bfae77e6209f0f4b140f9894b
+  languageName: node
+  linkType: hard
+
+"d3-contour@npm:1":
+  version: 1.3.2
+  resolution: "d3-contour@npm:1.3.2"
+  dependencies:
+    d3-array: ^1.1.1
+  checksum: c18a099a7f4af2adf788e96d07bfc7236661a6e40c017ef8e172fe0142561f3722f71263075c565a17b72e6cd6a2a05de3868fcc5420eb77b00d3a0179a69a0d
+  languageName: node
+  linkType: hard
+
+"d3-dispatch@npm:1":
+  version: 1.0.6
+  resolution: "d3-dispatch@npm:1.0.6"
+  checksum: b4ecb016b6dda8b99aa4263b2d0a0c7b12e7dea93e4b0ce3013c94dca4d360d9ba00f5bdc15dc944cc4543af8e341067bd628f061f7b8deb642257e2ac90d06c
+  languageName: node
+  linkType: hard
+
+"d3-drag@npm:1":
+  version: 1.2.5
+  resolution: "d3-drag@npm:1.2.5"
+  dependencies:
+    d3-dispatch: 1
+    d3-selection: 1
+  checksum: 6e86e89aa8d511979eea1b5326709c05c2a3c2d43a93a82ed6b6f98528b2ab03b2f58f5e4f66582f2f1c0ae44f9c19f6f4f857249eb66aabc46e4942295fa0a7
+  languageName: node
+  linkType: hard
+
+"d3-dsv@npm:1":
+  version: 1.2.0
+  resolution: "d3-dsv@npm:1.2.0"
+  dependencies:
+    commander: 2
+    iconv-lite: 0.4
+    rw: 1
+  bin:
+    csv2json: bin/dsv2json
+    csv2tsv: bin/dsv2dsv
+    dsv2dsv: bin/dsv2dsv
+    dsv2json: bin/dsv2json
+    json2csv: bin/json2dsv
+    json2dsv: bin/json2dsv
+    json2tsv: bin/json2dsv
+    tsv2csv: bin/dsv2dsv
+    tsv2json: bin/dsv2json
+  checksum: 96c6e3d5ca1566624ca613b5941bc6fa916082cbe4b2b71cb6c5978c471db58c489b17206e3e31fbe30719dbd75e9c8ed8ab12a9d353cff90a35102690de7823
+  languageName: node
+  linkType: hard
+
+"d3-ease@npm:1, d3-ease@npm:^1.0.5":
+  version: 1.0.7
+  resolution: "d3-ease@npm:1.0.7"
+  checksum: 117811d51dfc4a126e8d23d249252df792fbbe30a93615e1d67158c482eff69b900e45a4cc92746fe65b1143287455406a89aae04eb4ca1ba5b1dc2a42af5b85
+  languageName: node
+  linkType: hard
+
+"d3-fetch@npm:1":
+  version: 1.2.0
+  resolution: "d3-fetch@npm:1.2.0"
+  dependencies:
+    d3-dsv: 1
+  checksum: 00f091945bff4afbd06e6ce9ad762f0e91b7aac912c1ae7fe0efdbcce3a997d4fa2a93c254a3ba9b3f53f2134d606b20fb13791adbf5c6ed5c0be329a775945f
+  languageName: node
+  linkType: hard
+
+"d3-force@npm:1":
+  version: 1.2.1
+  resolution: "d3-force@npm:1.2.1"
+  dependencies:
+    d3-collection: 1
+    d3-dispatch: 1
+    d3-quadtree: 1
+    d3-timer: 1
+  checksum: b73fe29d6c9a9c432ae65166d71238d14578a3a9537df095bebff87b7814161cd2822aff54a38d2400edb98b7f6d9221a810dcad7a53c6e8ddff0973f44ab3fa
+  languageName: node
+  linkType: hard
+
+"d3-format@npm:1":
+  version: 1.4.5
+  resolution: "d3-format@npm:1.4.5"
+  checksum: 1b8b2c0bca182173bccd290a43e8b635a83fc8cfe52ec878c7bdabb997d47daac11f2b175cebbe73f807f782ad655f542bdfe18180ca5eb3498a3a82da1e06ab
+  languageName: node
+  linkType: hard
+
+"d3-geo@npm:1":
+  version: 1.12.1
+  resolution: "d3-geo@npm:1.12.1"
+  dependencies:
+    d3-array: 1
+  checksum: 8ede498e5fce65c127403646f5cc6181a858a1e401e23e2856ce50ad27e6fdf8b49aeb88d2fad02696879d5825a45420ca1b5db9fa9c935ee413fe15b5bc37c4
+  languageName: node
+  linkType: hard
+
+"d3-hierarchy@npm:1":
+  version: 1.1.9
+  resolution: "d3-hierarchy@npm:1.1.9"
+  checksum: 5fd8761c302252cb9abe9ce2a0934fc97104dd0df8d1b5de6472532903416f40e13b4b58d03ce215a0b816d7129c4ed4503bd4fdbc00a130fdcf46a63d734a52
+  languageName: node
+  linkType: hard
+
+"d3-interpolate@npm:1":
+  version: 1.4.0
+  resolution: "d3-interpolate@npm:1.4.0"
+  dependencies:
+    d3-color: 1
+  checksum: d98988bd1e2f59d01f100d0a19315ad8f82ef022aa09a65aff76f747a44f9b52f2d64c6578b8f47e01f2b14a8f0ef88f5460d11173c0dd2d58238c217ac0ec03
+  languageName: node
+  linkType: hard
+
+"d3-path@npm:1":
+  version: 1.0.9
+  resolution: "d3-path@npm:1.0.9"
+  checksum: d4382573baf9509a143f40944baeff9fead136926aed6872f7ead5b3555d68925f8a37935841dd51f1d70b65a294fe35c065b0906fb6e42109295f6598fc16d0
+  languageName: node
+  linkType: hard
+
+"d3-polygon@npm:1":
+  version: 1.0.6
+  resolution: "d3-polygon@npm:1.0.6"
+  checksum: 4a9764c2064d15e9f4fc9018c975f127540f6e701c18442e2a2e9339e743726f40e017d5213982d983cac3c23802321c257f2a10e686c803ec5533c6ff42bb7a
+  languageName: node
+  linkType: hard
+
+"d3-quadtree@npm:1":
+  version: 1.0.7
+  resolution: "d3-quadtree@npm:1.0.7"
+  checksum: 32181f578cbd69eed6b240073fed7f977f8039a121a3b9fc58ea1eea0c3c14d1237ef48cb4f80abb833063f8b0e7b885ef6de734e7bcc4e5b37e53ec444830f8
+  languageName: node
+  linkType: hard
+
+"d3-random@npm:1":
+  version: 1.1.2
+  resolution: "d3-random@npm:1.1.2"
+  checksum: a27326319fa61d59b6ce8d5ce7547cc823dee1bc6dda35e9c233d709f43f76488c09353862463c9c5da99081482b0f7ea4177d78721b67bb677bb12354bffe42
+  languageName: node
+  linkType: hard
+
+"d3-scale-chromatic@npm:1":
+  version: 1.5.0
+  resolution: "d3-scale-chromatic@npm:1.5.0"
+  dependencies:
+    d3-color: 1
+    d3-interpolate: 1
+  checksum: 3bff7717f6e6b309b3347d48d6532e2295037a280bc5174f908ce5fc0e17a9470f6b202e49499b01a17a1f28cb76a61aae870a6c13c57195a362847f33747501
+  languageName: node
+  linkType: hard
+
+"d3-scale@npm:2":
+  version: 2.2.2
+  resolution: "d3-scale@npm:2.2.2"
+  dependencies:
+    d3-array: ^1.2.0
+    d3-collection: 1
+    d3-format: 1
+    d3-interpolate: 1
+    d3-time: 1
+    d3-time-format: 2
+  checksum: 42086d4b9db9f8492a99dbbdacf546983faef1bb6260fe875c0c1884f1ca9cf5fd233de3702c2f9e24145b1c5383945e929c8682d80fa57ab515ef2c4f2c61f6
+  languageName: node
+  linkType: hard
+
+"d3-scale@npm:^1.0.7":
+  version: 1.0.7
+  resolution: "d3-scale@npm:1.0.7"
+  dependencies:
+    d3-array: ^1.2.0
+    d3-collection: 1
+    d3-color: 1
+    d3-format: 1
+    d3-interpolate: 1
+    d3-time: 1
+    d3-time-format: 2
+  checksum: c889c510aa0380b23e3a595be6b143b7053351ab6fe212918aa1ae80353a9ccde81064c2afa95dbdcd936fbb0c69dd560de291cbbea80d068a4390a3f67596aa
+  languageName: node
+  linkType: hard
+
+"d3-selection-multi@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "d3-selection-multi@npm:1.0.1"
+  dependencies:
+    d3-selection: 1
+    d3-transition: 1
+  checksum: 16d94d1dc5fc9a86302c613ad4f4e008beaae92bb22d6d1cee066c02efa35ba9795f9544c7465e129467e34611417fc3a082d5d7cc6ab1fd7c8404b83378555e
+  languageName: node
+  linkType: hard
+
+"d3-selection@npm:1, d3-selection@npm:^1.1.0, d3-selection@npm:^1.3.0":
+  version: 1.4.2
+  resolution: "d3-selection@npm:1.4.2"
+  checksum: 2484b392259b087a98f546f2610e6a11c90f38dae6b6b20a3fc85171038fcab4c72e702788b1960a4fece88bed2e36f268096358b5b48d3c7f0d35cfbe305da6
+  languageName: node
+  linkType: hard
+
+"d3-shape@npm:1":
+  version: 1.3.7
+  resolution: "d3-shape@npm:1.3.7"
+  dependencies:
+    d3-path: 1
+  checksum: 46566a3ab64a25023653bf59d64e81e9e6c987e95be985d81c5cedabae5838bd55f4a201a6b69069ca862eb63594cd263cac9034afc2b0e5664dfe286c866129
+  languageName: node
+  linkType: hard
+
+"d3-time-format@npm:2, d3-time-format@npm:^2.1.1":
+  version: 2.3.0
+  resolution: "d3-time-format@npm:2.3.0"
+  dependencies:
+    d3-time: 1
+  checksum: 5445eaaf2b3b2095cdc1fa75dfd2f361a61c39b677dcc1c2ba4cb6bc0442953de0fbaaa397d7d7a9325ad99c63d869f162a713e150e826ff8af482615664cb3f
+  languageName: node
+  linkType: hard
+
+"d3-time@npm:1":
+  version: 1.1.0
+  resolution: "d3-time@npm:1.1.0"
+  checksum: 33fcfff94ff093dde2048c190ecca8b39fe0ec8b3c61e9fc39c5f6072ce5b86dd2b91823f086366995422bbbac7f74fd9abdb7efe4f292a73b1c6197c699cc78
+  languageName: node
+  linkType: hard
+
+"d3-timer@npm:1":
+  version: 1.0.10
+  resolution: "d3-timer@npm:1.0.10"
+  checksum: f7040953672deb2dfa03830ace80dbbcb212f80890218eba15dcca6f33f74102d943023ccc2a563295195cd8c63639bb2410ef1691c8fecff4a114fdf5c666f4
+  languageName: node
+  linkType: hard
+
+"d3-tip@npm:^0.9.1":
+  version: 0.9.1
+  resolution: "d3-tip@npm:0.9.1"
+  dependencies:
+    d3-collection: ^1.0.4
+    d3-selection: ^1.3.0
+  checksum: 876711ec01a049c6864dcdeab095d4c6d55554a862d426446ec03bf707a0d65dcc2e8cfee87bb0f922cdea33a350fb0be471afdeef5363accf7ac6cf61f02f31
+  languageName: node
+  linkType: hard
+
+"d3-transition@npm:1, d3-transition@npm:^1.2.0":
+  version: 1.3.2
+  resolution: "d3-transition@npm:1.3.2"
+  dependencies:
+    d3-color: 1
+    d3-dispatch: 1
+    d3-ease: 1
+    d3-interpolate: 1
+    d3-selection: ^1.1.0
+    d3-timer: 1
+  checksum: 1b4a0cfa7aeb4033ab20e26a310488cfac989de44c6c2bf10e9f0808af915a33add6dca23fbafcefe8c08613fd0d6a933e48b4de24c0779163c2852a1c7c16f4
+  languageName: node
+  linkType: hard
+
+"d3-voronoi@npm:1":
+  version: 1.1.4
+  resolution: "d3-voronoi@npm:1.1.4"
+  checksum: d28a74bc62f2b936b0d3b51d5be8d2366afca4fd7026d7ee8f655600650bf0c985da38a8c3ae46bfa315b5f524f3ca1c5211437cf1c8c737cc1da681e015baee
+  languageName: node
+  linkType: hard
+
+"d3-zoom@npm:1":
+  version: 1.8.3
+  resolution: "d3-zoom@npm:1.8.3"
+  dependencies:
+    d3-dispatch: 1
+    d3-drag: 1
+    d3-interpolate: 1
+    d3-selection: 1
+    d3-transition: 1
+  checksum: de408e5dc6df1481ef6854a3d495f8e963dbf5b0de41bcbd35def0602abda55b3f2c1fa751c75c2f0a9bafd3b278f30795c27503fe609b3dbe06a0720d01d5be
+  languageName: node
+  linkType: hard
+
+"d3@npm:^5.0.0":
+  version: 5.16.0
+  resolution: "d3@npm:5.16.0"
+  dependencies:
+    d3-array: 1
+    d3-axis: 1
+    d3-brush: 1
+    d3-chord: 1
+    d3-collection: 1
+    d3-color: 1
+    d3-contour: 1
+    d3-dispatch: 1
+    d3-drag: 1
+    d3-dsv: 1
+    d3-ease: 1
+    d3-fetch: 1
+    d3-force: 1
+    d3-format: 1
+    d3-geo: 1
+    d3-hierarchy: 1
+    d3-interpolate: 1
+    d3-path: 1
+    d3-polygon: 1
+    d3-quadtree: 1
+    d3-random: 1
+    d3-scale: 2
+    d3-scale-chromatic: 1
+    d3-selection: 1
+    d3-shape: 1
+    d3-time: 1
+    d3-time-format: 2
+    d3-timer: 1
+    d3-transition: 1
+    d3-voronoi: 1
+    d3-zoom: 1
+  checksum: 1462789c421c3ea3930a18b91be6c02c7b976fa4d714200ee2a042c62cbfb349448c79f1ae3dbaf186f79edb734b7aa7b734ee6ad61d81ab4305e6663623ab8e
+  languageName: node
+  linkType: hard
+
+"dag-map@npm:^2.0.2":
+  version: 2.0.2
+  resolution: "dag-map@npm:2.0.2"
+  checksum: c15b70127c32b5f674ce43d17ee2268d757777df88883468550b946fdd29cee59c3faff1ec6d3ce05a4cb220a708426ac33b2f0a3bb6654541e7295e2d3a654a
+  languageName: node
+  linkType: hard
+
+"dashdash@npm:^1.12.0":
+  version: 1.14.1
+  resolution: "dashdash@npm:1.14.1"
+  dependencies:
+    assert-plus: ^1.0.0
+  checksum: 3634c249570f7f34e3d34f866c93f866c5b417f0dd616275decae08147dcdf8fccfaa5947380ccfb0473998ea3a8057c0b4cd90c875740ee685d0624b2983598
+  languageName: node
+  linkType: hard
+
+"data-urls@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "data-urls@npm:2.0.0"
+  dependencies:
+    abab: ^2.0.3
+    whatwg-mimetype: ^2.3.0
+    whatwg-url: ^8.0.0
+  checksum: 97caf828aac25e25e04ba6869db0f99c75e6859bb5b424ada28d3e7841941ebf08ddff3c1b1bb4585986bd507a5d54c2a716853ea6cb98af877400e637393e71
+  languageName: node
+  linkType: hard
+
+"date-fns-tz@npm:^1.2.2":
+  version: 1.2.2
+  resolution: "date-fns-tz@npm:1.2.2"
+  peerDependencies:
+    date-fns: ">=2.0.0"
+  checksum: 90c5145499570736cd004cfb13f8a9bbc9de514ceb92224ccd6fd2e0d88e0d55ab1d4e279500653d2df7cca0002c88a1ce0768c8531cbf6063cce91a1e4e78d4
+  languageName: node
+  linkType: hard
+
+"date-fns@npm:^2.16.1":
+  version: 2.21.1
+  resolution: "date-fns@npm:2.21.1"
+  checksum: 4ff90f6ab6b9e92d4605530704303aa269f40a4a2fe3624628e2a0310b06bd36d8a18867c2ddf88844afa54bc71a33b5b93c97c927da8989e9d05d32471dbd75
+  languageName: node
+  linkType: hard
+
+"date-fns@npm:^2.29.2":
+  version: 2.30.0
+  resolution: "date-fns@npm:2.30.0"
+  dependencies:
+    "@babel/runtime": ^7.21.0
+  checksum: f7be01523282e9bb06c0cd2693d34f245247a29098527d4420628966a2d9aad154bd0e90a6b1cf66d37adcb769cd108cf8a7bd49d76db0fb119af5cdd13644f4
+  languageName: node
+  linkType: hard
+
+"date-time@npm:^2.1.0":
+  version: 2.1.0
+  resolution: "date-time@npm:2.1.0"
+  dependencies:
+    time-zone: ^1.0.0
+  checksum: 3eefeb2954b8a5a8a01f7935ef4b53f948eeecd6105f652cbeafec384cf80924247797e51eb517af1e18b356d2c94561ac0a29a60d8ba56c88376bd5b5a08c3c
+  languageName: node
+  linkType: hard
+
+"debug@npm:2.6.9, debug@npm:^2.1.0, debug@npm:^2.1.1, debug@npm:^2.1.3, debug@npm:^2.2.0, debug@npm:^2.3.3, debug@npm:^2.6.8, debug@npm:^2.6.9":
+  version: 2.6.9
+  resolution: "debug@npm:2.6.9"
+  dependencies:
+    ms: 2.0.0
+  checksum: d2f51589ca66df60bf36e1fa6e4386b318c3f1e06772280eea5b1ae9fd3d05e9c2b7fd8a7d862457d00853c75b00451aa2d7459b924629ee385287a650f58fe6
+  languageName: node
+  linkType: hard
+
+"debug@npm:4, debug@npm:^4.3.2, debug@npm:^4.3.3, debug@npm:^4.3.4, debug@npm:~4.3.1, debug@npm:~4.3.2":
+  version: 4.3.4
+  resolution: "debug@npm:4.3.4"
+  dependencies:
+    ms: 2.1.2
+  peerDependenciesMeta:
+    supports-color:
+      optional: true
+  checksum: 3dbad3f94ea64f34431a9cbf0bafb61853eda57bff2880036153438f50fb5a84f27683ba0d8e5426bf41a8c6ff03879488120cf5b3a761e77953169c0600a708
+  languageName: node
+  linkType: hard
+
+"debug@npm:^3.0.1, debug@npm:^3.1.0, debug@npm:^3.2.7":
+  version: 3.2.7
+  resolution: "debug@npm:3.2.7"
+  dependencies:
+    ms: ^2.1.1
+  checksum: b3d8c5940799914d30314b7c3304a43305fd0715581a919dacb8b3176d024a782062368405b47491516d2091d6462d4d11f2f4974a405048094f8bfebfa3071c
+  languageName: node
+  linkType: hard
+
+"debug@npm:^4.0.0, debug@npm:^4.1.0, debug@npm:^4.1.1, debug@npm:^4.3.1":
+  version: 4.3.3
+  resolution: "debug@npm:4.3.3"
+  dependencies:
+    ms: 2.1.2
+  peerDependenciesMeta:
+    supports-color:
+      optional: true
+  checksum: 14472d56fe4a94dbcfaa6dbed2dd3849f1d72ba78104a1a328047bb564643ca49df0224c3a17fa63533fd11dd3d4c8636cd861191232a2c6735af00cc2d4de16
+  languageName: node
+  linkType: hard
+
+"debug@npm:^4.2.0":
+  version: 4.3.1
+  resolution: "debug@npm:4.3.1"
+  dependencies:
+    ms: 2.1.2
+  peerDependenciesMeta:
+    supports-color:
+      optional: true
+  checksum: 2c3352e37d5c46b0d203317cd45ea0e26b2c99f2d9dfec8b128e6ceba90dfb65425f5331bf3020fe9929d7da8c16758e737f4f3bfc0fce6b8b3d503bae03298b
+  languageName: node
+  linkType: hard
+
+"decache@npm:^4.5.1":
+  version: 4.6.0
+  resolution: "decache@npm:4.6.0"
+  dependencies:
+    callsite: ^1.0.0
+  checksum: 65bd86440a84aeb7cf76a8dbd22d207e561eac621bc73500347a9a0802f14e72222fd794b4b778a419e3d736a01ec263124e1ba39db6778c3b86a42f487a279c
+  languageName: node
+  linkType: hard
+
+"decamelize-keys@npm:^1.1.0":
+  version: 1.1.1
+  resolution: "decamelize-keys@npm:1.1.1"
+  dependencies:
+    decamelize: ^1.1.0
+    map-obj: ^1.0.0
+  checksum: fc645fe20b7bda2680bbf9481a3477257a7f9304b1691036092b97ab04c0ab53e3bf9fcc2d2ae382536568e402ec41fb11e1d4c3836a9abe2d813dd9ef4311e0
+  languageName: node
+  linkType: hard
+
+"decamelize@npm:^1.1.0, decamelize@npm:^1.2.0":
+  version: 1.2.0
+  resolution: "decamelize@npm:1.2.0"
+  checksum: ad8c51a7e7e0720c70ec2eeb1163b66da03e7616d7b98c9ef43cce2416395e84c1e9548dd94f5f6ffecfee9f8b94251fc57121a8b021f2ff2469b2bae247b8aa
+  languageName: node
+  linkType: hard
+
+"decamelize@npm:^5.0.0":
+  version: 5.0.1
+  resolution: "decamelize@npm:5.0.1"
+  checksum: 7c3b1ed4b3e60e7fbc00a35fb248298527c1cdfe603e41dfcf05e6c4a8cb9efbee60630deb677ed428908fb4e74e322966c687a094d1478ddc9c3a74e9dc7140
+  languageName: node
+  linkType: hard
+
+"decimal.js@npm:^10.2.1":
+  version: 10.2.1
+  resolution: "decimal.js@npm:10.2.1"
+  checksum: d2421adf209422d520c8f1a4d1fceffc2ccd0c041aa179f8d18a315ebda6a7be918f2634ac850df299dccccae6a3567c5761301a1c3693461fdef3d1de23b000
+  languageName: node
+  linkType: hard
+
+"decode-uri-component@npm:^0.2.0":
+  version: 0.2.0
+  resolution: "decode-uri-component@npm:0.2.0"
+  checksum: f3749344ab9305ffcfe4bfe300e2dbb61fc6359e2b736812100a3b1b6db0a5668cba31a05e4b45d4d63dbf1a18dfa354cd3ca5bb3ededddabb8cd293f4404f94
+  languageName: node
+  linkType: hard
+
+"dedent@npm:^0.7.0":
+  version: 0.7.0
+  resolution: "dedent@npm:0.7.0"
+  checksum: 87de191050d9a40dd70cad01159a0bcf05ecb59750951242070b6abf9569088684880d00ba92a955b4058804f16eeaf91d604f283929b4f614d181cd7ae633d2
+  languageName: node
+  linkType: hard
+
+"deep-equal@npm:^2.0.5":
+  version: 2.2.1
+  resolution: "deep-equal@npm:2.2.1"
+  dependencies:
+    array-buffer-byte-length: ^1.0.0
+    call-bind: ^1.0.2
+    es-get-iterator: ^1.1.3
+    get-intrinsic: ^1.2.0
+    is-arguments: ^1.1.1
+    is-array-buffer: ^3.0.2
+    is-date-object: ^1.0.5
+    is-regex: ^1.1.4
+    is-shared-array-buffer: ^1.0.2
+    isarray: ^2.0.5
+    object-is: ^1.1.5
+    object-keys: ^1.1.1
+    object.assign: ^4.1.4
+    regexp.prototype.flags: ^1.5.0
+    side-channel: ^1.0.4
+    which-boxed-primitive: ^1.0.2
+    which-collection: ^1.0.1
+    which-typed-array: ^1.1.9
+  checksum: 561f0e001a07b2f1b80ff914d0b3d76964bbfc102f34c2128bc8039c0050e63b1a504a8911910e011d8cd1cd4b600a9686c049e327f4ef94420008efc42d25f4
+  languageName: node
+  linkType: hard
+
+"deep-is@npm:^0.1.3, deep-is@npm:~0.1.3":
+  version: 0.1.3
+  resolution: "deep-is@npm:0.1.3"
+  checksum: c15b04c3848a89880c94e25b077c19b47d9a30dd99048e70e5f95d943e7b246bee1da0c1376b56b01bc045be2cae7d9b1c856e68e47e9805634327de7c6cb6d5
+  languageName: node
+  linkType: hard
+
+"deepmerge@npm:^4.0.0":
+  version: 4.2.2
+  resolution: "deepmerge@npm:4.2.2"
+  checksum: a8c43a1ed8d6d1ed2b5bf569fa4c8eb9f0924034baf75d5d406e47e157a451075c4db353efea7b6bcc56ec48116a8ce72fccf867b6e078e7c561904b5897530b
+  languageName: node
+  linkType: hard
+
+"defaults@npm:^1.0.3":
+  version: 1.0.3
+  resolution: "defaults@npm:1.0.3"
+  dependencies:
+    clone: ^1.0.2
+  checksum: 96e2112da6553d376afd5265ea7cbdb2a3b45535965d71ab8bb1da10c8126d168fdd5268799625324b368356d21ba2a7b3d4ec50961f11a47b7feb9de3d4413e
+  languageName: node
+  linkType: hard
+
+"define-properties@npm:^1.1.3":
+  version: 1.1.3
+  resolution: "define-properties@npm:1.1.3"
+  dependencies:
+    object-keys: ^1.0.12
+  checksum: da80dba55d0cd76a5a7ab71ef6ea0ebcb7b941f803793e4e0257b384cb772038faa0c31659d244e82c4342edef841c1a1212580006a05a5068ee48223d787317
+  languageName: node
+  linkType: hard
+
+"define-properties@npm:^1.1.4, define-properties@npm:^1.2.0":
+  version: 1.2.0
+  resolution: "define-properties@npm:1.2.0"
+  dependencies:
+    has-property-descriptors: ^1.0.0
+    object-keys: ^1.1.1
+  checksum: e60aee6a19b102df4e2b1f301816804e81ab48bb91f00d0d935f269bf4b3f79c88b39e4f89eaa132890d23267335fd1140dfcd8d5ccd61031a0a2c41a54e33a6
+  languageName: node
+  linkType: hard
+
+"define-property@npm:^0.2.5":
+  version: 0.2.5
+  resolution: "define-property@npm:0.2.5"
+  dependencies:
+    is-descriptor: ^0.1.0
+  checksum: 85af107072b04973b13f9e4128ab74ddfda48ec7ad2e54b193c0ffb57067c4ce5b7786a7b4ae1f24bd03e87c5d18766b094571810b314d7540f86d4354dbd394
+  languageName: node
+  linkType: hard
+
+"define-property@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "define-property@npm:1.0.0"
+  dependencies:
+    is-descriptor: ^1.0.0
+  checksum: 5fbed11dace44dd22914035ba9ae83ad06008532ca814d7936a53a09e897838acdad5b108dd0688cc8d2a7cf0681acbe00ee4136cf36743f680d10517379350a
+  languageName: node
+  linkType: hard
+
+"define-property@npm:^2.0.2":
+  version: 2.0.2
+  resolution: "define-property@npm:2.0.2"
+  dependencies:
+    is-descriptor: ^1.0.2
+    isobject: ^3.0.1
+  checksum: 3217ed53fc9eed06ba8da6f4d33e28c68a82e2f2a8ab4d562c4920d8169a166fe7271453675e6c69301466f36a65d7f47edf0cf7f474b9aa52a5ead9c1b13c99
+  languageName: node
+  linkType: hard
+
+"delayed-stream@npm:~1.0.0":
+  version: 1.0.0
+  resolution: "delayed-stream@npm:1.0.0"
+  checksum: 46fe6e83e2cb1d85ba50bd52803c68be9bd953282fa7096f51fc29edd5d67ff84ff753c51966061e5ba7cb5e47ef6d36a91924eddb7f3f3483b1c560f77a0020
+  languageName: node
+  linkType: hard
+
+"delegates@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "delegates@npm:1.0.0"
+  checksum: a51744d9b53c164ba9c0492471a1a2ffa0b6727451bdc89e31627fdf4adda9d51277cfcbfb20f0a6f08ccb3c436f341df3e92631a3440226d93a8971724771fd
+  languageName: node
+  linkType: hard
+
+"depd@npm:2.0.0, depd@npm:^2.0.0, depd@npm:~2.0.0":
+  version: 2.0.0
+  resolution: "depd@npm:2.0.0"
+  checksum: abbe19c768c97ee2eed6282d8ce3031126662252c58d711f646921c9623f9052e3e1906443066beec1095832f534e57c523b7333f8e7e0d93051ab6baef5ab3a
+  languageName: node
+  linkType: hard
+
+"depd@npm:~1.1.2":
+  version: 1.1.2
+  resolution: "depd@npm:1.1.2"
+  checksum: 6b406620d269619852885ce15965272b829df6f409724415e0002c8632ab6a8c0a08ec1f0bd2add05dc7bd7507606f7e2cc034fa24224ab829580040b835ecd9
+  languageName: node
+  linkType: hard
+
+"des.js@npm:^1.0.0":
+  version: 1.0.1
+  resolution: "des.js@npm:1.0.1"
+  dependencies:
+    inherits: ^2.0.1
+    minimalistic-assert: ^1.0.0
+  checksum: 1ec2eedd7ed6bd61dd5e0519fd4c96124e93bb22de8a9d211b02d63e5dd152824853d919bb2090f965cc0e3eb9c515950a9836b332020d810f9c71feb0fd7df4
+  languageName: node
+  linkType: hard
+
+"destroy@npm:1.2.0":
+  version: 1.2.0
+  resolution: "destroy@npm:1.2.0"
+  checksum: 0acb300b7478a08b92d810ab229d5afe0d2f4399272045ab22affa0d99dbaf12637659411530a6fcd597a9bdac718fc94373a61a95b4651bbc7b83684a565e38
+  languageName: node
+  linkType: hard
+
+"destroy@npm:~1.0.4":
+  version: 1.0.4
+  resolution: "destroy@npm:1.0.4"
+  checksum: da9ab4961dc61677c709da0c25ef01733042614453924d65636a7db37308fef8a24cd1e07172e61173d471ca175371295fbc984b0af5b2b4ff47cd57bd784c03
+  languageName: node
+  linkType: hard
+
+"detect-file@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "detect-file@npm:1.0.0"
+  checksum: 1861e4146128622e847abe0e1ed80fef01e78532665858a792267adf89032b7a9c698436137707fcc6f02956c2a6a0052d6a0cef5be3d4b76b1ff0da88e2158a
+  languageName: node
+  linkType: hard
+
+"detect-indent@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "detect-indent@npm:4.0.0"
+  dependencies:
+    repeating: ^2.0.0
+  checksum: 328f273915c1610899bc7d4784ce874413d0a698346364cd3ee5d79afba1c5cf4dbc97b85a801e20f4d903c0598bd5096af32b800dfb8696b81464ccb3dfda2c
+  languageName: node
+  linkType: hard
+
+"detect-indent@npm:^6.0.0":
+  version: 6.0.0
+  resolution: "detect-indent@npm:6.0.0"
+  checksum: 0c38f362016e2d07af1c65b1ecd6ad8a91f06bfdd11383887c867a495ad286d04be2ab44027ac42444704d523982013115bd748c1541df7c9396ad76b22aaf5d
+  languageName: node
+  linkType: hard
+
+"detect-newline@npm:3.1.0":
+  version: 3.1.0
+  resolution: "detect-newline@npm:3.1.0"
+  checksum: ae6cd429c41ad01b164c59ea36f264a2c479598e61cba7c99da24175a7ab80ddf066420f2bec9a1c57a6bead411b4655ff15ad7d281c000a89791f48cbe939e7
+  languageName: node
+  linkType: hard
+
+"dialog-polyfill@npm:^0.5.6":
+  version: 0.5.6
+  resolution: "dialog-polyfill@npm:0.5.6"
+  checksum: dde8d4b6a62b63b710e0d0d70b615d92ff08f3cb2b521e1f99b17e8220d9d55d0fdf9fc17fbe77b0ff1be817094e14b60c4c4bacd5456fba427ede48d2d90230
+  languageName: node
+  linkType: hard
+
+"diff-match-patch@npm:^1.0.0":
+  version: 1.0.5
+  resolution: "diff-match-patch@npm:1.0.5"
+  checksum: 841522d01b09cccbc4e4402cf61514a81b906349a7d97b67222390f2d35cf5df277cb23959eeed212d5e46afb5629cebab41b87918672c5a05c11c73688630e3
+  languageName: node
+  linkType: hard
+
+"diff@npm:^3.5.0":
+  version: 3.5.0
+  resolution: "diff@npm:3.5.0"
+  checksum: 00842950a6551e26ce495bdbce11047e31667deea546527902661f25cc2e73358967ebc78cf86b1a9736ec3e14286433225f9970678155753a6291c3bca5227b
+  languageName: node
+  linkType: hard
+
+"diff@npm:^5.1.0":
+  version: 5.1.0
+  resolution: "diff@npm:5.1.0"
+  checksum: c7bf0df7c9bfbe1cf8a678fd1b2137c4fb11be117a67bc18a0e03ae75105e8533dbfb1cda6b46beb3586ef5aed22143ef9d70713977d5fb1f9114e21455fba90
+  languageName: node
+  linkType: hard
+
+"diffie-hellman@npm:^5.0.0":
+  version: 5.0.3
+  resolution: "diffie-hellman@npm:5.0.3"
+  dependencies:
+    bn.js: ^4.1.0
+    miller-rabin: ^4.0.0
+    randombytes: ^2.0.0
+  checksum: 0e620f322170c41076e70181dd1c24e23b08b47dbb92a22a644f3b89b6d3834b0f8ee19e37916164e5eb1ee26d2aa836d6129f92723995267250a0b541811065
+  languageName: node
+  linkType: hard
+
+"dir-glob@npm:^3.0.1":
+  version: 3.0.1
+  resolution: "dir-glob@npm:3.0.1"
+  dependencies:
+    path-type: ^4.0.0
+  checksum: fa05e18324510d7283f55862f3161c6759a3f2f8dbce491a2fc14c8324c498286c54282c1f0e933cb930da8419b30679389499b919122952a4f8592362ef4615
+  languageName: node
+  linkType: hard
+
+"dlv@npm:^1.1.0":
+  version: 1.1.3
+  resolution: "dlv@npm:1.1.3"
+  checksum: d7381bca22ed11933a1ccf376db7a94bee2c57aa61e490f680124fa2d1cd27e94eba641d9f45be57caab4f9a6579de0983466f620a2cd6230d7ec93312105ae7
+  languageName: node
+  linkType: hard
+
+"doctoc@npm:^2.2.0":
+  version: 2.2.0
+  resolution: "doctoc@npm:2.2.0"
+  dependencies:
+    "@textlint/markdown-to-ast": ^12.1.1
+    anchor-markdown-header: ^0.5.7
+    htmlparser2: ^7.2.0
+    minimist: ^1.2.6
+    underscore: ^1.13.2
+    update-section: ^0.3.3
+  bin:
+    doctoc: doctoc.js
+  checksum: 78973a1275f056c044263d60546cf518beb15b79bd95a93dc5875d6dd46fa0873568661d74830b68e908c8a4465e9fd602eb49468e4d686e43ce4471d34012c3
+  languageName: node
+  linkType: hard
+
+"doctrine@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "doctrine@npm:3.0.0"
+  dependencies:
+    esutils: ^2.0.2
+  checksum: fd7673ca77fe26cd5cba38d816bc72d641f500f1f9b25b83e8ce28827fe2da7ad583a8da26ab6af85f834138cf8dae9f69b0cd6ab925f52ddab1754db44d99ce
+  languageName: node
+  linkType: hard
+
+"dom-serializer@npm:0":
+  version: 0.2.2
+  resolution: "dom-serializer@npm:0.2.2"
+  dependencies:
+    domelementtype: ^2.0.1
+    entities: ^2.0.0
+  checksum: 376344893e4feccab649a14ca1a46473e9961f40fe62479ea692d4fee4d9df1c00ca8654811a79c1ca7b020096987e1ca4fb4d7f8bae32c1db800a680a0e5d5e
+  languageName: node
+  linkType: hard
+
+"dom-serializer@npm:^1.0.1":
+  version: 1.4.1
+  resolution: "dom-serializer@npm:1.4.1"
+  dependencies:
+    domelementtype: ^2.0.1
+    domhandler: ^4.2.0
+    entities: ^2.0.0
+  checksum: fbb0b01f87a8a2d18e6e5a388ad0f7ec4a5c05c06d219377da1abc7bb0f674d804f4a8a94e3f71ff15f6cb7dcfc75704a54b261db672b9b3ab03da6b758b0b22
+  languageName: node
+  linkType: hard
+
+"dom-serializer@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "dom-serializer@npm:2.0.0"
+  dependencies:
+    domelementtype: ^2.3.0
+    domhandler: ^5.0.2
+    entities: ^4.2.0
+  checksum: cd1810544fd8cdfbd51fa2c0c1128ec3a13ba92f14e61b7650b5de421b88205fd2e3f0cc6ace82f13334114addb90ed1c2f23074a51770a8e9c1273acbc7f3e6
+  languageName: node
+  linkType: hard
+
+"domain-browser@npm:^1.1.1":
+  version: 1.2.0
+  resolution: "domain-browser@npm:1.2.0"
+  checksum: 8f1235c7f49326fb762f4675795246a6295e7dd566b4697abec24afdba2460daa7dfbd1a73d31efbf5606b3b7deadb06ce47cf06f0a476e706153d62a4ff2b90
+  languageName: node
+  linkType: hard
+
+"domelementtype@npm:1":
+  version: 1.3.1
+  resolution: "domelementtype@npm:1.3.1"
+  checksum: 7893da40218ae2106ec6ffc146b17f203487a52f5228b032ea7aa470e41dfe03e1bd762d0ee0139e792195efda765434b04b43cddcf63207b098f6ae44b36ad6
+  languageName: node
+  linkType: hard
+
+"domelementtype@npm:^2.0.1, domelementtype@npm:^2.2.0, domelementtype@npm:^2.3.0":
+  version: 2.3.0
+  resolution: "domelementtype@npm:2.3.0"
+  checksum: ee837a318ff702622f383409d1f5b25dd1024b692ef64d3096ff702e26339f8e345820f29a68bcdcea8cfee3531776b3382651232fbeae95612d6f0a75efb4f6
+  languageName: node
+  linkType: hard
+
+"domexception@npm:^2.0.1":
+  version: 2.0.1
+  resolution: "domexception@npm:2.0.1"
+  dependencies:
+    webidl-conversions: ^5.0.0
+  checksum: d638e9cb05c52999f1b2eb87c374b03311ea5b1d69c2f875bc92da73e17db60c12142b45c950228642ff7f845c536b65305483350d080df59003a653da80b691
+  languageName: node
+  linkType: hard
+
+"domhandler@npm:^4.2.0, domhandler@npm:^4.2.2":
+  version: 4.3.1
+  resolution: "domhandler@npm:4.3.1"
+  dependencies:
+    domelementtype: ^2.2.0
+  checksum: 4c665ceed016e1911bf7d1dadc09dc888090b64dee7851cccd2fcf5442747ec39c647bb1cb8c8919f8bbdd0f0c625a6bafeeed4b2d656bbecdbae893f43ffaaa
+  languageName: node
+  linkType: hard
+
+"domhandler@npm:^5.0.1, domhandler@npm:^5.0.2, domhandler@npm:^5.0.3":
+  version: 5.0.3
+  resolution: "domhandler@npm:5.0.3"
+  dependencies:
+    domelementtype: ^2.3.0
+  checksum: 0f58f4a6af63e6f3a4320aa446d28b5790a009018707bce2859dcb1d21144c7876482b5188395a188dfa974238c019e0a1e610d2fc269a12b2c192ea2b0b131c
+  languageName: node
+  linkType: hard
+
+"dompurify@npm:^3.0.2":
+  version: 3.0.2
+  resolution: "dompurify@npm:3.0.2"
+  checksum: 768c3bb2f139ce1e1a53faf81aae6abe03e24d0b043e2fda0b70e91ef15bb1df854a35e82d8c519adfe5b81c24bfdad3e0b1085534bfbf427137cb742406c47f
+  languageName: node
+  linkType: hard
+
+"domutils@npm:^1.7.0":
+  version: 1.7.0
+  resolution: "domutils@npm:1.7.0"
+  dependencies:
+    dom-serializer: 0
+    domelementtype: 1
+  checksum: f60a725b1f73c1ae82f4894b691601ecc6ecb68320d87923ac3633137627c7865725af813ae5d188ad3954283853bcf46779eb50304ec5d5354044569fcefd2b
+  languageName: node
+  linkType: hard
+
+"domutils@npm:^2.8.0":
+  version: 2.8.0
+  resolution: "domutils@npm:2.8.0"
+  dependencies:
+    dom-serializer: ^1.0.1
+    domelementtype: ^2.2.0
+    domhandler: ^4.2.0
+  checksum: abf7434315283e9aadc2a24bac0e00eab07ae4313b40cc239f89d84d7315ebdfd2fb1b5bf750a96bc1b4403d7237c7b2ebf60459be394d625ead4ca89b934391
+  languageName: node
+  linkType: hard
+
+"domutils@npm:^3.0.1":
+  version: 3.0.1
+  resolution: "domutils@npm:3.0.1"
+  dependencies:
+    dom-serializer: ^2.0.0
+    domelementtype: ^2.3.0
+    domhandler: ^5.0.1
+  checksum: 23aa7a840572d395220e173cb6263b0d028596e3950100520870a125af33ff819e6f609e1606d6f7d73bd9e7feb03bb404286e57a39063b5384c62b724d987b3
+  languageName: node
+  linkType: hard
+
+"dot-case@npm:^3.0.4":
+  version: 3.0.4
+  resolution: "dot-case@npm:3.0.4"
+  dependencies:
+    no-case: ^3.0.4
+    tslib: ^2.0.3
+  checksum: a65e3519414856df0228b9f645332f974f2bf5433370f544a681122eab59e66038fc3349b4be1cdc47152779dac71a5864f1ccda2f745e767c46e9c6543b1169
+  languageName: node
+  linkType: hard
+
+"dot-prop@npm:^5.2.0":
+  version: 5.3.0
+  resolution: "dot-prop@npm:5.3.0"
+  dependencies:
+    is-obj: ^2.0.0
+  checksum: d5775790093c234ef4bfd5fbe40884ff7e6c87573e5339432870616331189f7f5d86575c5b5af2dcf0f61172990f4f734d07844b1f23482fff09e3c4bead05ea
+  languageName: node
+  linkType: hard
+
+"duplexify@npm:^3.4.2, duplexify@npm:^3.6.0":
+  version: 3.7.1
+  resolution: "duplexify@npm:3.7.1"
+  dependencies:
+    end-of-stream: ^1.0.0
+    inherits: ^2.0.1
+    readable-stream: ^2.0.0
+    stream-shift: ^1.0.0
+  checksum: 3c2ed2223d956a5da713dae12ba8295acb61d9acd966ccbba938090d04f4574ca4dca75cca089b5077c2d7e66101f32e6ea9b36a78ca213eff574e7a8b8accf2
+  languageName: node
+  linkType: hard
+
+"ecc-jsbn@npm:~0.1.1":
+  version: 0.1.2
+  resolution: "ecc-jsbn@npm:0.1.2"
+  dependencies:
+    jsbn: ~0.1.0
+    safer-buffer: ^2.1.0
+  checksum: 22fef4b6203e5f31d425f5b711eb389e4c6c2723402e389af394f8411b76a488fa414d309d866e2b577ce3e8462d344205545c88a8143cc21752a5172818888a
+  languageName: node
+  linkType: hard
+
+"editions@npm:^1.1.1":
+  version: 1.3.4
+  resolution: "editions@npm:1.3.4"
+  checksum: 8c2041459816db2cacac53598a9bca7928a7de2c5eb0dae532c2273a60ef83acbd807ce33ff1cd5cf7aa547737c55f7f4b52436752df0f13f5936efa329c13f7
+  languageName: node
+  linkType: hard
+
+"editions@npm:^2.2.0":
+  version: 2.3.1
+  resolution: "editions@npm:2.3.1"
+  dependencies:
+    errlop: ^2.0.0
+    semver: ^6.3.0
+  checksum: 0b08a2b50c30e7b046a3096ee66ea326158a147daac5f8c134b4bdfe4d2fe02f9916c8b92d8e86887f2379c3528df2150cc9eb3d5bc25c442b4b380d6d7a754e
+  languageName: node
+  linkType: hard
+
+"ee-first@npm:1.1.1":
+  version: 1.1.1
+  resolution: "ee-first@npm:1.1.1"
+  checksum: 1b4cac778d64ce3b582a7e26b218afe07e207a0f9bfe13cc7395a6d307849cfe361e65033c3251e00c27dd060cab43014c2d6b2647676135e18b77d2d05b3f4f
+  languageName: node
+  linkType: hard
+
+"electron-to-chromium@npm:^1.3.30":
+  version: 1.3.725
+  resolution: "electron-to-chromium@npm:1.3.725"
+  checksum: 90801f5cc30f76495412ce86cef141cd22924ec75c88c276eaa42435d09370d9df5d8127060dae4fdb96a3ea0b0a726ee228788affb997e7f4172f4e54001c5d
+  languageName: node
+  linkType: hard
+
+"electron-to-chromium@npm:^1.3.47":
+  version: 1.4.462
+  resolution: "electron-to-chromium@npm:1.4.462"
+  checksum: ee6e0318ca1144077131036ad87630f8b68c9c4d2c2ce97359731dc676df3518cb88223dc8057187d97e018983e08c003b64d03fba27f98fa53698e758672771
+  languageName: node
+  linkType: hard
+
+"electron-to-chromium@npm:^1.3.723":
+  version: 1.3.906
+  resolution: "electron-to-chromium@npm:1.3.906"
+  checksum: 087330249a424066cbdb882890164b3cb944f0ea293838a1445274428549e5b6c5edd25c353fed733d20d055ba276d4e3b069554b5e06ebfe511134c4f68cf87
+  languageName: node
+  linkType: hard
+
+"electron-to-chromium@npm:^1.3.857":
+  version: 1.3.866
+  resolution: "electron-to-chromium@npm:1.3.866"
+  checksum: 03b4cf46baf631d9022d7d2f1c058899152941a7d3b3e9df02c2fc48d2eb52362637337b3e2e793a533fa30ed9ec844b4a1d56a55c421d64e39cf8080b980d52
+  languageName: node
+  linkType: hard
+
+"electron-to-chromium@npm:^1.3.896":
+  version: 1.4.10
+  resolution: "electron-to-chromium@npm:1.4.10"
+  checksum: 00b9ca97267fc3c865f9888a490e2c1bc2eef80805d8b4337661901d498bf4c771a237f5f7beec294dc847f9096b3a58910da431e4e8cc8dc08871d4630a5860
+  languageName: node
+  linkType: hard
+
+"electron-to-chromium@npm:^1.4.147":
+  version: 1.4.148
+  resolution: "electron-to-chromium@npm:1.4.148"
+  checksum: 3730c2eb46c7d0602b418a5a80e8d37e673c61d7cdc6a431a0d23bf08b6db6375c5f842d9e4285549ef2c5bad9189da34f05f28993fdb43920df5befc72db87a
+  languageName: node
+  linkType: hard
+
+"electron-to-chromium@npm:^1.4.431":
+  version: 1.4.461
+  resolution: "electron-to-chromium@npm:1.4.461"
+  checksum: 84960b8fe41a1a97f47962f7ec509d94efffc8361286d55f360f81ce0804029af886796c576eb2c0a6011347ba0903c551476808f0614dc94b4564abaf415e70
+  languageName: node
+  linkType: hard
+
+"electron-to-chromium@npm:^1.4.601":
+  version: 1.4.602
+  resolution: "electron-to-chromium@npm:1.4.602"
+  checksum: a3e30fee47f377f180a99db26f1067acb72891fab720b6800221d74de0c962ac2f595bd977d1f1fd265e0b7f7258b4524c8f9053d17620d01bb8cfa2c0ae32de
+  languageName: node
+  linkType: hard
+
+"electron-to-chromium@npm:^1.4.84":
+  version: 1.4.99
+  resolution: "electron-to-chromium@npm:1.4.99"
+  checksum: 7efb73368db78b55bc1c9563364f69f2715f085ac2a0e9b8dab0f319025fbd6464e0eaf47eb5e447f1d4e76f9de919bec5e338bf87443ad8dcb34b2829fc82b7
+  languageName: node
+  linkType: hard
+
+"elliptic@npm:^6.5.3":
+  version: 6.5.4
+  resolution: "elliptic@npm:6.5.4"
+  dependencies:
+    bn.js: ^4.11.9
+    brorand: ^1.1.0
+    hash.js: ^1.0.0
+    hmac-drbg: ^1.0.1
+    inherits: ^2.0.4
+    minimalistic-assert: ^1.0.1
+    minimalistic-crypto-utils: ^1.0.1
+  checksum: d56d21fd04e97869f7ffcc92e18903b9f67f2d4637a23c860492fbbff5a3155fd9ca0184ce0c865dd6eb2487d234ce9551335c021c376cd2d3b7cb749c7d10f4
+  languageName: node
+  linkType: hard
+
+"ember-a11y-refocus@npm:^3.0.2":
+  version: 3.0.2
+  resolution: "ember-a11y-refocus@npm:3.0.2"
+  dependencies:
+    ember-cli-babel: ^7.26.11
+    ember-cli-htmlbars: ^6.0.1
+  checksum: c192e80514adad4928207f4025975f225fde0b135a9156f257999dc49a8eb16b84d6f7a8c489b33a87a17c5b6325e48fc152055e6d4ecee45cdddfd2cd4d2c0a
+  languageName: node
+  linkType: hard
+
+"ember-asset-loader@npm:^0.6.1":
+  version: 0.6.1
+  resolution: "ember-asset-loader@npm:0.6.1"
+  dependencies:
+    broccoli-caching-writer: ^3.0.3
+    broccoli-funnel: ^2.0.2
+    broccoli-merge-trees: ^3.0.2
+    ember-cli-babel: ^7.5.0
+    fs-extra: ^7.0.1
+    object-assign: ^4.1.0
+    walk-sync: ^1.1.3
+  checksum: 1854fb6499e52f59752e8636c21c92105beb2d77b332c30ce310b5f9d51c9239e79f77959fd61aeea53d04c02334cd1d00806ee2d7c3bd27b37a8e6fcff667fc
+  languageName: node
+  linkType: hard
+
+"ember-assign-helper@npm:^0.4.0":
+  version: 0.4.0
+  resolution: "ember-assign-helper@npm:0.4.0"
+  dependencies:
+    ember-cli-babel: ^7.26.0
+    ember-cli-htmlbars: ^6.0.0
+  checksum: 32bbec384c8f78c919d7a6e24cc36c7a48bd0244d3b38c4aa8a17fc1f1b68822f4805a838fec7e1fe35dfcd2832eb9afa146606f625e737ea258127254a5b9d4
+  languageName: node
+  linkType: hard
+
+"ember-auto-import@npm:2.6.3, ember-auto-import@npm:^2.4.2, ember-auto-import@npm:^2.4.3, ember-auto-import@npm:^2.5.0, ember-auto-import@npm:^2.6.3":
+  version: 2.6.3
+  resolution: "ember-auto-import@npm:2.6.3"
+  dependencies:
+    "@babel/core": ^7.16.7
+    "@babel/plugin-proposal-class-properties": ^7.16.7
+    "@babel/plugin-proposal-decorators": ^7.16.7
+    "@babel/preset-env": ^7.16.7
+    "@embroider/macros": ^1.0.0
+    "@embroider/shared-internals": ^2.0.0
+    babel-loader: ^8.0.6
+    babel-plugin-ember-modules-api-polyfill: ^3.5.0
+    babel-plugin-ember-template-compilation: ^2.0.1
+    babel-plugin-htmlbars-inline-precompile: ^5.2.1
+    babel-plugin-syntax-dynamic-import: ^6.18.0
+    broccoli-debug: ^0.6.4
+    broccoli-funnel: ^3.0.8
+    broccoli-merge-trees: ^4.2.0
+    broccoli-plugin: ^4.0.0
+    broccoli-source: ^3.0.0
+    css-loader: ^5.2.0
+    debug: ^4.3.1
+    fs-extra: ^10.0.0
+    fs-tree-diff: ^2.0.0
+    handlebars: ^4.3.1
+    js-string-escape: ^1.0.1
+    lodash: ^4.17.19
+    mini-css-extract-plugin: ^2.5.2
+    parse5: ^6.0.1
+    resolve: ^1.20.0
+    resolve-package-path: ^4.0.3
+    semver: ^7.3.4
+    style-loader: ^2.0.0
+    typescript-memoize: ^1.0.0-alpha.3
+    walk-sync: ^3.0.0
+  checksum: e42c0f9dee74c94a16c8b4d701707f457e8955ad340e68be32375ff32fba030fcaa53aa4e4fd2d482fabe0a320ceabc034520c73601c8d69caa6268093dd0f65
+  languageName: node
+  linkType: hard
+
+"ember-auto-import@npm:^1.12.0":
+  version: 1.12.1
+  resolution: "ember-auto-import@npm:1.12.1"
+  dependencies:
+    "@babel/core": ^7.1.6
+    "@babel/preset-env": ^7.10.2
+    "@babel/traverse": ^7.1.6
+    "@babel/types": ^7.1.6
+    "@embroider/shared-internals": ^1.0.0
+    babel-core: ^6.26.3
+    babel-loader: ^8.0.6
+    babel-plugin-syntax-dynamic-import: ^6.18.0
+    babylon: ^6.18.0
+    broccoli-debug: ^0.6.4
+    broccoli-node-api: ^1.7.0
+    broccoli-plugin: ^4.0.0
+    broccoli-source: ^3.0.0
+    debug: ^3.1.0
+    ember-cli-babel: ^7.0.0
+    enhanced-resolve: ^4.0.0
+    fs-extra: ^6.0.1
+    fs-tree-diff: ^2.0.0
+    handlebars: ^4.3.1
+    js-string-escape: ^1.0.1
+    lodash: ^4.17.19
+    mkdirp: ^0.5.1
+    resolve-package-path: ^3.1.0
+    rimraf: ^2.6.2
+    semver: ^7.3.4
+    symlink-or-copy: ^1.2.0
+    typescript-memoize: ^1.0.0-alpha.3
+    walk-sync: ^0.3.3
+    webpack: ^4.43.0
+  checksum: 8230c3ff6fd222eee7179e0e5c2ea0268702b66400a4b51de4dbc608bdfa8d2236125999b7bfa25dc36acb51d9eb93bcc45aea5783bdf95ad74f7e898014013d
+  languageName: node
+  linkType: hard
+
+"ember-auto-import@npm:^1.2.19":
+  version: 1.11.3
+  resolution: "ember-auto-import@npm:1.11.3"
+  dependencies:
+    "@babel/core": ^7.1.6
+    "@babel/preset-env": ^7.10.2
+    "@babel/traverse": ^7.1.6
+    "@babel/types": ^7.1.6
+    "@embroider/core": ^0.33.0
+    babel-core: ^6.26.3
+    babel-loader: ^8.0.6
+    babel-plugin-syntax-dynamic-import: ^6.18.0
+    babylon: ^6.18.0
+    broccoli-debug: ^0.6.4
+    broccoli-node-api: ^1.7.0
+    broccoli-plugin: ^4.0.0
+    broccoli-source: ^3.0.0
+    debug: ^3.1.0
+    ember-cli-babel: ^7.0.0
+    enhanced-resolve: ^4.0.0
+    fs-extra: ^6.0.1
+    fs-tree-diff: ^2.0.0
+    handlebars: ^4.3.1
+    js-string-escape: ^1.0.1
+    lodash: ^4.17.19
+    mkdirp: ^0.5.1
+    resolve-package-path: ^3.1.0
+    rimraf: ^2.6.2
+    semver: ^7.3.4
+    symlink-or-copy: ^1.2.0
+    typescript-memoize: ^1.0.0-alpha.3
+    walk-sync: ^0.3.3
+    webpack: ^4.43.0
+  checksum: 2ac4e08696f46b4e9e1ada49c068d5ca7a338e063ea47e332f81e72613ae287479504b1246e97b31bed7ca6a84ec7928d250e0de6f5bc7c6412a7e537532684b
+  languageName: node
+  linkType: hard
+
+"ember-auto-import@npm:^2.4.1":
+  version: 2.4.2
+  resolution: "ember-auto-import@npm:2.4.2"
+  dependencies:
+    "@babel/core": ^7.16.7
+    "@babel/plugin-proposal-class-properties": ^7.16.7
+    "@babel/plugin-proposal-decorators": ^7.16.7
+    "@babel/preset-env": ^7.16.7
+    "@embroider/macros": ^1.0.0
+    "@embroider/shared-internals": ^1.0.0
+    babel-loader: ^8.0.6
+    babel-plugin-ember-modules-api-polyfill: ^3.5.0
+    babel-plugin-htmlbars-inline-precompile: ^5.2.1
+    babel-plugin-syntax-dynamic-import: ^6.18.0
+    broccoli-debug: ^0.6.4
+    broccoli-funnel: ^3.0.8
+    broccoli-merge-trees: ^4.2.0
+    broccoli-plugin: ^4.0.0
+    broccoli-source: ^3.0.0
+    css-loader: ^5.2.0
+    debug: ^4.3.1
+    fs-extra: ^10.0.0
+    fs-tree-diff: ^2.0.0
+    handlebars: ^4.3.1
+    js-string-escape: ^1.0.1
+    lodash: ^4.17.19
+    mini-css-extract-plugin: ^2.5.2
+    parse5: ^6.0.1
+    resolve: ^1.20.0
+    resolve-package-path: ^4.0.3
+    semver: ^7.3.4
+    style-loader: ^2.0.0
+    typescript-memoize: ^1.0.0-alpha.3
+    walk-sync: ^3.0.0
+  checksum: f7c4e4bab62b124c03955b8b382d6bf9c170c1ad5605bb019cbb1baf63065b482b8767a2e4922682fbc54c701f0296601e7ed50965bd4c741dab6cfff43c6de5
+  languageName: node
+  linkType: hard
+
+"ember-basic-dropdown@npm:6.0.1":
+  version: 6.0.1
+  resolution: "ember-basic-dropdown@npm:6.0.1"
+  dependencies:
+    "@ember/render-modifiers": ^2.0.4
+    "@embroider/macros": ^1.2.0
+    "@embroider/util": ^1.2.0
+    "@glimmer/component": ^1.0.4
+    "@glimmer/tracking": ^1.0.4
+    ember-cli-babel: ^7.26.11
+    ember-cli-htmlbars: ^6.0.1
+    ember-cli-typescript: ^4.2.1
+    ember-element-helper: ^0.6.0
+    ember-get-config: ^1.0.2 || ^2.0.0
+    ember-maybe-in-element: ^2.0.3
+    ember-modifier: ^3.2.7
+    ember-style-modifier: ^0.8.0
+    ember-truth-helpers: ^2.1.0 || ^3.0.0
+  checksum: d6f00f202140d09a0c3d62d9104c5f63eb6b0f7228a17a3f2f9e37da66c82d6ba01503261ed886190ebb0afc3d737f6bc6ad609115528176bd81f72e5930508f
+  languageName: node
+  linkType: hard
+
+"ember-cache-primitive-polyfill@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "ember-cache-primitive-polyfill@npm:1.0.1"
+  dependencies:
+    ember-cli-babel: ^7.22.1
+    ember-cli-version-checker: ^5.1.1
+    ember-compatibility-helpers: ^1.2.1
+    silent-error: ^1.1.1
+  checksum: d0b091e940837e276364d14758d7149fb7b9e5eb99e271f97012f9b92952cf6854132195dc9c36b9fcd40d8495608e7044f9d6179f2f9e15003d9a4cbcf73b49
+  languageName: node
+  linkType: hard
+
+"ember-cached-decorator-polyfill@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "ember-cached-decorator-polyfill@npm:1.0.1"
+  dependencies:
+    "@embroider/macros": ^1.8.3
+    "@glimmer/tracking": ^1.1.2
+    babel-import-util: ^1.2.2
+    ember-cache-primitive-polyfill: ^1.0.1
+    ember-cli-babel: ^7.26.11
+    ember-cli-babel-plugin-helpers: ^1.1.1
+  peerDependencies:
+    ember-source: ^3.13.0 || ^4.0.0
+  checksum: b2589490d897da9f560abc1858c2090fc027a54267dfaa5780ee376e00cec1183b84400df9125f6c25bd7d2b465818d63abb98bb07b3eec0a18b3206a918b804
+  languageName: node
+  linkType: hard
+
+"ember-cached-decorator-polyfill@npm:^1.0.2":
+  version: 1.0.2
+  resolution: "ember-cached-decorator-polyfill@npm:1.0.2"
+  dependencies:
+    "@embroider/macros": ^1.8.3
+    "@glimmer/tracking": ^1.1.2
+    babel-import-util: ^1.2.2
+    ember-cache-primitive-polyfill: ^1.0.1
+    ember-cli-babel: ^7.26.11
+    ember-cli-babel-plugin-helpers: ^1.1.1
+  peerDependencies:
+    ember-source: ^3.13.0 || ^4.0.0 || >= 5.0.0
+  checksum: bbfaeafdf89a7ab834d85502829d604e3eb439cb154652b21683492e3e59a918bbaf49d39703f1a896016521d7cf03dc05e89cf5cf06de88fd1489b8e00ef8bb
+  languageName: node
+  linkType: hard
+
+"ember-cli-autoprefixer@npm:^0.8.1":
+  version: 0.8.1
+  resolution: "ember-cli-autoprefixer@npm:0.8.1"
+  dependencies:
+    broccoli-autoprefixer: ^5.0.0
+    lodash: ^4.0.0
+  checksum: b756a311abe4d3e91cd170fa801d0cb5601f7e6d2b9d7406018719636479ee80e1ec3ca633ca1419971ec56bf5417bc6000fc2a128bd3e3f2ddbe4e22d8ea8da
+  languageName: node
+  linkType: hard
+
+"ember-cli-babel-plugin-helpers@npm:^1.0.0, ember-cli-babel-plugin-helpers@npm:^1.1.0, ember-cli-babel-plugin-helpers@npm:^1.1.1":
+  version: 1.1.1
+  resolution: "ember-cli-babel-plugin-helpers@npm:1.1.1"
+  checksum: 3dc684317dbc4728d41a61de13d2fb1de5227105c1ba9194005647d2724b469d43aba3b1fa73622f2b5cd04c8283a15568b3a0044ec7a5036c17f336ac098ff5
+  languageName: node
+  linkType: hard
+
+"ember-cli-babel@npm:^6.6.0":
+  version: 6.18.0
+  resolution: "ember-cli-babel@npm:6.18.0"
+  dependencies:
+    amd-name-resolver: 1.2.0
+    babel-plugin-debug-macros: ^0.2.0-beta.6
+    babel-plugin-ember-modules-api-polyfill: ^2.6.0
+    babel-plugin-transform-es2015-modules-amd: ^6.24.0
+    babel-polyfill: ^6.26.0
+    babel-preset-env: ^1.7.0
+    broccoli-babel-transpiler: ^6.5.0
+    broccoli-debug: ^0.6.4
+    broccoli-funnel: ^2.0.0
+    broccoli-source: ^1.1.0
+    clone: ^2.0.0
+    ember-cli-version-checker: ^2.1.2
+    semver: ^5.5.0
+  checksum: 01f216a964f03660ee1d95ef73a7c07b315d7407b553d01410854f9421638fee084cec50fb7464c7bace72a7cf07053f95b377fd8399f69c7e0bbcba77e9655d
+  languageName: node
+  linkType: hard
+
+"ember-cli-babel@npm:^7.0.0, ember-cli-babel@npm:^7.1.2, ember-cli-babel@npm:^7.1.3, ember-cli-babel@npm:^7.10.0, ember-cli-babel@npm:^7.13.0, ember-cli-babel@npm:^7.13.2, ember-cli-babel@npm:^7.18.0, ember-cli-babel@npm:^7.19.0, ember-cli-babel@npm:^7.20.0, ember-cli-babel@npm:^7.21.0, ember-cli-babel@npm:^7.22.1, ember-cli-babel@npm:^7.23.0, ember-cli-babel@npm:^7.23.1, ember-cli-babel@npm:^7.26.0, ember-cli-babel@npm:^7.26.1, ember-cli-babel@npm:^7.26.11, ember-cli-babel@npm:^7.26.3, ember-cli-babel@npm:^7.26.4, ember-cli-babel@npm:^7.26.5, ember-cli-babel@npm:^7.26.6, ember-cli-babel@npm:^7.26.8, ember-cli-babel@npm:^7.5.0, ember-cli-babel@npm:^7.7.3":
+  version: 7.26.11
+  resolution: "ember-cli-babel@npm:7.26.11"
+  dependencies:
+    "@babel/core": ^7.12.0
+    "@babel/helper-compilation-targets": ^7.12.0
+    "@babel/plugin-proposal-class-properties": ^7.16.5
+    "@babel/plugin-proposal-decorators": ^7.13.5
+    "@babel/plugin-proposal-private-methods": ^7.16.5
+    "@babel/plugin-proposal-private-property-in-object": ^7.16.5
+    "@babel/plugin-transform-modules-amd": ^7.13.0
+    "@babel/plugin-transform-runtime": ^7.13.9
+    "@babel/plugin-transform-typescript": ^7.13.0
+    "@babel/polyfill": ^7.11.5
+    "@babel/preset-env": ^7.16.5
+    "@babel/runtime": 7.12.18
+    amd-name-resolver: ^1.3.1
+    babel-plugin-debug-macros: ^0.3.4
+    babel-plugin-ember-data-packages-polyfill: ^0.1.2
+    babel-plugin-ember-modules-api-polyfill: ^3.5.0
+    babel-plugin-module-resolver: ^3.2.0
+    broccoli-babel-transpiler: ^7.8.0
+    broccoli-debug: ^0.6.4
+    broccoli-funnel: ^2.0.2
+    broccoli-source: ^2.1.2
+    calculate-cache-key-for-tree: ^2.0.0
+    clone: ^2.1.2
+    ember-cli-babel-plugin-helpers: ^1.1.1
+    ember-cli-version-checker: ^4.1.0
+    ensure-posix-path: ^1.0.2
+    fixturify-project: ^1.10.0
+    resolve-package-path: ^3.1.0
+    rimraf: ^3.0.1
+    semver: ^5.5.0
+  checksum: 72b2819018d4d29b5250284cab5fa992a7fd6b0cf958a1fc4abed4a4f6394c0aca4ee32d4c8981d8643fef7280763fadf70ebd807f262967899f4898679bcb90
+  languageName: node
+  linkType: hard
+
+"ember-cli-babel@npm:^8.2.0":
+  version: 8.2.0
+  resolution: "ember-cli-babel@npm:8.2.0"
+  dependencies:
+    "@babel/helper-compilation-targets": ^7.20.7
+    "@babel/plugin-proposal-class-properties": ^7.16.5
+    "@babel/plugin-proposal-decorators": ^7.20.13
+    "@babel/plugin-proposal-private-methods": ^7.16.5
+    "@babel/plugin-proposal-private-property-in-object": ^7.20.5
+    "@babel/plugin-transform-class-static-block": ^7.22.11
+    "@babel/plugin-transform-modules-amd": ^7.20.11
+    "@babel/plugin-transform-runtime": ^7.13.9
+    "@babel/plugin-transform-typescript": ^7.20.13
+    "@babel/preset-env": ^7.20.2
+    "@babel/runtime": 7.12.18
+    amd-name-resolver: ^1.3.1
+    babel-plugin-debug-macros: ^0.3.4
+    babel-plugin-ember-data-packages-polyfill: ^0.1.2
+    babel-plugin-ember-modules-api-polyfill: ^3.5.0
+    babel-plugin-module-resolver: ^5.0.0
+    broccoli-babel-transpiler: ^8.0.0
+    broccoli-debug: ^0.6.4
+    broccoli-funnel: ^3.0.8
+    broccoli-source: ^3.0.1
+    calculate-cache-key-for-tree: ^2.0.0
+    clone: ^2.1.2
+    ember-cli-babel-plugin-helpers: ^1.1.1
+    ember-cli-version-checker: ^5.1.2
+    ensure-posix-path: ^1.0.2
+    resolve-package-path: ^4.0.3
+    semver: ^7.3.8
+  peerDependencies:
+    "@babel/core": ^7.12.0
+  checksum: 26a5abd3107ddfc76221894141b68cab79fb9cdf79ea0fa9646efe47c42f18bda49b854878118f8b57b3ebf5014828cf0ad640e77ffc209e3565f7eb792d1ef5
+  languageName: node
+  linkType: hard
+
+"ember-cli-content-security-policy@npm:2.0.3":
+  version: 2.0.3
+  resolution: "ember-cli-content-security-policy@npm:2.0.3"
+  dependencies:
+    body-parser: ^1.17.0
+    chalk: ^4.1.1
+    debug: ^4.3.1
+    ember-cli-babel: ^7.26.3
+    ember-cli-version-checker: ^5.0.2
+  checksum: d628b8e4ee603471182118b5cde23928f5d13f3d93c031625f960de133391e121d1022706dbf3682ace52187f5df9c6aebdd228104a220a11669d34989ac5f63
+  languageName: node
+  linkType: hard
+
+"ember-cli-dependency-checker@npm:^3.3.1":
+  version: 3.3.1
+  resolution: "ember-cli-dependency-checker@npm:3.3.1"
+  dependencies:
+    chalk: ^2.3.0
+    find-yarn-workspace-root: ^1.1.0
+    is-git-url: ^1.0.0
+    resolve: ^1.5.0
+    semver: ^5.3.0
+  peerDependencies:
+    ember-cli: ^3.2.0 || ^4.0.0
+  checksum: 41d27cb4ccd056b9013ef00fa0f4e9133a5769b82bef8427ceaca3d9b773f901a4fbea6ad87748a6ae456d0051ed12f4e664212ca3c290d14704c3a2d710ad72
+  languageName: node
+  linkType: hard
+
+"ember-cli-deprecation-workflow@npm:^2.1.0":
+  version: 2.1.0
+  resolution: "ember-cli-deprecation-workflow@npm:2.1.0"
+  dependencies:
+    broccoli-funnel: ^3.0.3
+    broccoli-merge-trees: ^4.2.0
+    broccoli-plugin: ^4.0.5
+    ember-cli-htmlbars: ^5.3.2
+  checksum: 3382d34001db61fa04069d0f5f143b39fbeeac124d961dbef932c5a15b67669b8124c504018c7333b2716e2d7a5b299eae53591d8e55bafe447fda7aefaa2deb
+  languageName: node
+  linkType: hard
+
+"ember-cli-flash@npm:4.0.0":
+  version: 4.0.0
+  resolution: "ember-cli-flash@npm:4.0.0"
+  dependencies:
+    "@ember/render-modifiers": ^2.0.2
+    "@glimmer/component": ^1.1.2
+    "@glimmer/tracking": ^1.1.2
+    ember-auto-import: ^2.4.1
+    ember-cli-babel: ^7.26.11
+    ember-cli-htmlbars: ^6.0.1
+  checksum: 30cc3c18bae61332688eafe6af4d1ee8e6cd545b08ce276cf1ab761ed6dc1a172265ab01648bbf11d087d7896e3245a6679037a51a0c7eff4e44b942c125ecbd
+  languageName: node
+  linkType: hard
+
+"ember-cli-get-component-path-option@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "ember-cli-get-component-path-option@npm:1.0.0"
+  checksum: 4a4d9b2b0cb05c69fad962b1787b65d9bca0c64aa161c2f12d172b9af6ef951d33dd1ac38bfa7468a4a11a08a17dda2912fd47cb92cbfd8795fe2e8008e155e4
+  languageName: node
+  linkType: hard
+
+"ember-cli-htmlbars@npm:^4.3.1":
+  version: 4.5.0
+  resolution: "ember-cli-htmlbars@npm:4.5.0"
+  dependencies:
+    "@ember/edition-utils": ^1.2.0
+    babel-plugin-htmlbars-inline-precompile: ^3.2.0
+    broccoli-debug: ^0.6.5
+    broccoli-persistent-filter: ^2.3.1
+    broccoli-plugin: ^3.1.0
+    common-tags: ^1.8.0
+    ember-cli-babel-plugin-helpers: ^1.1.0
+    fs-tree-diff: ^2.0.1
+    hash-for-dep: ^1.5.1
+    heimdalljs-logger: ^0.1.10
+    json-stable-stringify: ^1.0.1
+    semver: ^6.3.0
+    strip-bom: ^4.0.0
+    walk-sync: ^2.0.2
+  checksum: 4cecd9e5df64fc9df22ea944b2ab86dd88d3bd105b22b46e810856a050d617f73610645c1e91ff018836e73f4b488a14217a3d767557c1fa663494b54de93af6
+  languageName: node
+  linkType: hard
+
+"ember-cli-htmlbars@npm:^5.2.0, ember-cli-htmlbars@npm:^5.3.2":
+  version: 5.7.2
+  resolution: "ember-cli-htmlbars@npm:5.7.2"
+  dependencies:
+    "@ember/edition-utils": ^1.2.0
+    babel-plugin-htmlbars-inline-precompile: ^5.0.0
+    broccoli-debug: ^0.6.5
+    broccoli-persistent-filter: ^3.1.2
+    broccoli-plugin: ^4.0.3
+    common-tags: ^1.8.0
+    ember-cli-babel-plugin-helpers: ^1.1.1
+    ember-cli-version-checker: ^5.1.2
+    fs-tree-diff: ^2.0.1
+    hash-for-dep: ^1.5.1
+    heimdalljs-logger: ^0.1.10
+    json-stable-stringify: ^1.0.1
+    semver: ^7.3.4
+    silent-error: ^1.1.1
+    strip-bom: ^4.0.0
+    walk-sync: ^2.2.0
+  checksum: 57cfba7311969f2f6ae463cb7be153b10d1384469e7e61fc645bf6eca5c8bb7dbdf42cab757adf05299971b426a19ad6cc3f045d2cbf72304405eb93cc1af998
+  languageName: node
+  linkType: hard
+
+"ember-cli-htmlbars@npm:^5.3.1, ember-cli-htmlbars@npm:^5.7.1":
+  version: 5.7.1
+  resolution: "ember-cli-htmlbars@npm:5.7.1"
+  dependencies:
+    "@ember/edition-utils": ^1.2.0
+    babel-plugin-htmlbars-inline-precompile: ^5.0.0
+    broccoli-debug: ^0.6.5
+    broccoli-persistent-filter: ^3.1.2
+    broccoli-plugin: ^4.0.3
+    common-tags: ^1.8.0
+    ember-cli-babel-plugin-helpers: ^1.1.1
+    ember-cli-version-checker: ^5.1.2
+    fs-tree-diff: ^2.0.1
+    hash-for-dep: ^1.5.1
+    heimdalljs-logger: ^0.1.10
+    json-stable-stringify: ^1.0.1
+    semver: ^7.3.4
+    silent-error: ^1.1.1
+    strip-bom: ^4.0.0
+    walk-sync: ^2.2.0
+  checksum: 6212c33dfc5c99fdac8bbd5381a9fd8cd855eb2f3e9c03e3cf3f9466bbc0163c7d4472593611de221e785eb19124330c01ba1f16224bd94a3804527b2a5d2efb
+  languageName: node
+  linkType: hard
+
+"ember-cli-htmlbars@npm:^6.0.0, ember-cli-htmlbars@npm:^6.0.1":
+  version: 6.0.1
+  resolution: "ember-cli-htmlbars@npm:6.0.1"
+  dependencies:
+    "@ember/edition-utils": ^1.2.0
+    babel-plugin-ember-template-compilation: ^1.0.0
+    babel-plugin-htmlbars-inline-precompile: ^5.3.0
+    broccoli-debug: ^0.6.5
+    broccoli-persistent-filter: ^3.1.2
+    broccoli-plugin: ^4.0.3
+    ember-cli-version-checker: ^5.1.2
+    fs-tree-diff: ^2.0.1
+    hash-for-dep: ^1.5.1
+    heimdalljs-logger: ^0.1.10
+    json-stable-stringify: ^1.0.1
+    semver: ^7.3.4
+    silent-error: ^1.1.1
+    strip-bom: ^4.0.0
+    walk-sync: ^2.2.0
+  checksum: ba5593c7ce2db52ac7171a6e7a9ebbcf5b9d3dc0f4e357acbb59f1eca1a6b4d16c00be7f8370c6fa95f364f4f3863b81d9477cfd461e0fd9ba56abbc527b6a14
+  languageName: node
+  linkType: hard
+
+"ember-cli-htmlbars@npm:^6.1.0":
+  version: 6.1.1
+  resolution: "ember-cli-htmlbars@npm:6.1.1"
+  dependencies:
+    "@ember/edition-utils": ^1.2.0
+    babel-plugin-ember-template-compilation: ^1.0.0
+    babel-plugin-htmlbars-inline-precompile: ^5.3.0
+    broccoli-debug: ^0.6.5
+    broccoli-persistent-filter: ^3.1.2
+    broccoli-plugin: ^4.0.3
+    ember-cli-version-checker: ^5.1.2
+    fs-tree-diff: ^2.0.1
+    hash-for-dep: ^1.5.1
+    heimdalljs-logger: ^0.1.10
+    js-string-escape: ^1.0.1
+    semver: ^7.3.4
+    silent-error: ^1.1.1
+    walk-sync: ^2.2.0
+  checksum: d75fbe973196bdc1df6a04a11310064125108eb105e903a842698f0dd6c133d2e1699860ea1c8237d0c62f92b01da4ebc7b672e862b2e572922f0f86f243a9a1
+  languageName: node
+  linkType: hard
+
+"ember-cli-htmlbars@npm:^6.1.1, ember-cli-htmlbars@npm:^6.2.0":
+  version: 6.2.0
+  resolution: "ember-cli-htmlbars@npm:6.2.0"
+  dependencies:
+    "@ember/edition-utils": ^1.2.0
+    babel-plugin-ember-template-compilation: ^2.0.0
+    babel-plugin-htmlbars-inline-precompile: ^5.3.0
+    broccoli-debug: ^0.6.5
+    broccoli-persistent-filter: ^3.1.2
+    broccoli-plugin: ^4.0.3
+    ember-cli-version-checker: ^5.1.2
+    fs-tree-diff: ^2.0.1
+    hash-for-dep: ^1.5.1
+    heimdalljs-logger: ^0.1.10
+    js-string-escape: ^1.0.1
+    semver: ^7.3.4
+    silent-error: ^1.1.1
+    walk-sync: ^2.2.0
+  checksum: 1a0f94152ae381aed4c0300f4d8e756d60bfc4dfd1357fd49a0d36d420d65d6dc3f5761e604976f63edd11bc264959dddbd1b4c8401e9922711eafc748f4df92
+  languageName: node
+  linkType: hard
+
+"ember-cli-htmlbars@npm:^6.3.0":
+  version: 6.3.0
+  resolution: "ember-cli-htmlbars@npm:6.3.0"
+  dependencies:
+    "@ember/edition-utils": ^1.2.0
+    babel-plugin-ember-template-compilation: ^2.0.0
+    babel-plugin-htmlbars-inline-precompile: ^5.3.0
+    broccoli-debug: ^0.6.5
+    broccoli-persistent-filter: ^3.1.2
+    broccoli-plugin: ^4.0.3
+    ember-cli-version-checker: ^5.1.2
+    fs-tree-diff: ^2.0.1
+    hash-for-dep: ^1.5.1
+    heimdalljs-logger: ^0.1.10
+    js-string-escape: ^1.0.1
+    semver: ^7.3.4
+    silent-error: ^1.1.1
+    walk-sync: ^2.2.0
+  checksum: 30639ab2afd4cdf4edf677d6dfdef61865ee1be46449b123917c12a3119346f769573f55897ec3bb2a2dd05bd0e3a645ecc0090453d53545902fd21fbce3d057
+  languageName: node
+  linkType: hard
+
+"ember-cli-inject-live-reload@npm:^2.1.0":
+  version: 2.1.0
+  resolution: "ember-cli-inject-live-reload@npm:2.1.0"
+  dependencies:
+    clean-base-url: ^1.0.0
+    ember-cli-version-checker: ^3.1.3
+  checksum: 423bd479d29e58c19d3d8232b1d025fdd070006b2a59b2b14fc252372aa227da7ac56fdea7fbf4c518b37705b328190c58e4ffacb8f6ce81f6cfb42c1262c591
+  languageName: node
+  linkType: hard
+
+"ember-cli-is-package-missing@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "ember-cli-is-package-missing@npm:1.0.0"
+  checksum: a2c4950a644827ae9236c39cf27d6e79d3cb06ee50154f64a1bd72f4abda8dcd542759a45ed47f77731baea9edb7d672145d1faf38b29aab287b281713e14760
+  languageName: node
+  linkType: hard
+
+"ember-cli-lodash-subset@npm:^2.0.1":
+  version: 2.0.1
+  resolution: "ember-cli-lodash-subset@npm:2.0.1"
+  checksum: 2667cd59443a67a04cf6f9cc402ffd7f6dac1c987b4908e3178481fd6ea0d492706f7999f8e6a2d4b97b136fe42e62457b569e96e91af78a1b096aa69d14984e
+  languageName: node
+  linkType: hard
+
+"ember-cli-mirage@npm:2.4.0":
+  version: 2.4.0
+  resolution: "ember-cli-mirage@npm:2.4.0"
+  dependencies:
+    "@embroider/macros": ^0.41.0
+    broccoli-file-creator: ^2.1.1
+    broccoli-funnel: ^3.0.3
+    broccoli-merge-trees: ^4.2.0
+    ember-auto-import: ^1.12.0
+    ember-cli-babel: ^7.26.6
+    ember-destroyable-polyfill: ^2.0.3
+    ember-get-config: 0.2.4 - 0.5.0
+    ember-inflector: ^2.0.0 || ^3.0.0 || ^4.0.2
+    lodash-es: ^4.17.11
+    miragejs: ^0.1.43
+  peerDependencies:
+    "@ember/test-helpers": "*"
+    ember-data: "*"
+    ember-qunit: "*"
+  peerDependenciesMeta:
+    "@ember/test-helpers":
+      optional: true
+    ember-data:
+      optional: true
+    ember-qunit:
+      optional: true
+  checksum: 459aed2d946ebb9d378e30b3b902157df4378ffc2f1686fa7179ee031240a1733d0b516c5813855ef701c2cc7359b2dccc7a60ddad87f7a5140a4057b5645b5a
+  languageName: node
+  linkType: hard
+
+"ember-cli-node-assets@npm:^0.2.2":
+  version: 0.2.2
+  resolution: "ember-cli-node-assets@npm:0.2.2"
+  dependencies:
+    broccoli-funnel: ^1.0.1
+    broccoli-merge-trees: ^1.1.1
+    broccoli-source: ^1.1.0
+    debug: ^2.2.0
+    lodash: ^4.5.1
+    resolve: ^1.1.7
+  checksum: 860abfe536ad951286b86f04d1700529b371396d4e742ba6cbdd371144ff018b91907e2997e8486423bbe1e086f2ab97169e648c5360cd0949d70050e84919be
+  languageName: node
+  linkType: hard
+
+"ember-cli-normalize-entity-name@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "ember-cli-normalize-entity-name@npm:1.0.0"
+  dependencies:
+    silent-error: ^1.0.0
+  checksum: 0f56d4714e59f7b2f40b9e070f5ad69be1171c48e614348d4e15bcb43e3495e7c5dc91b51b7a59fb88683b8a599010716fc2ca3ded3d7e201290efbae91a1bc5
+  languageName: node
+  linkType: hard
+
+"ember-cli-page-object@npm:1.17.10":
+  version: 1.17.10
+  resolution: "ember-cli-page-object@npm:1.17.10"
+  dependencies:
+    broccoli-file-creator: ^2.1.1
+    broccoli-merge-trees: ^2.0.0
+    ceibo: ~2.0.0
+    ember-cli-babel: ^7.26.1
+    ember-cli-node-assets: ^0.2.2
+    ember-native-dom-helpers: ^0.7.0
+    jquery: ^3.4.1
+    rsvp: ^4.7.0
+  checksum: 214e8358b92d04875ce6f5c90d3f4fbf9aaddabcf096f1c4380a03259c4c8c62b043cb49748b4c29acf1295731ba27a270a2e01f16993c086f0166e8dbff34cd
+  languageName: node
+  linkType: hard
+
+"ember-cli-path-utils@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "ember-cli-path-utils@npm:1.0.0"
+  checksum: 15652e41e040bb1c204705d6502f2f499686fba068ccddb7871fd4db7c0e71a93768480f1fe2cdef62470bdd1ce41c49c99699f5fff1c6b5abc3c875368cadae
+  languageName: node
+  linkType: hard
+
+"ember-cli-preprocess-registry@npm:^3.3.0":
+  version: 3.3.0
+  resolution: "ember-cli-preprocess-registry@npm:3.3.0"
+  dependencies:
+    broccoli-clean-css: ^1.1.0
+    broccoli-funnel: ^2.0.1
+    debug: ^3.0.1
+    process-relative-require: ^1.0.0
+  checksum: 7b0a19b0842b6283a3ce7b0ccb77aa08ea3134bb8ada5952b4fb43e0a46a583c178e815e6573869fcaeccb4530fb975986b80d8a9d365811c471bcbf9cd98c95
+  languageName: node
+  linkType: hard
+
+"ember-cli-sass@npm:11.0.1, ember-cli-sass@npm:^11.0.1":
+  version: 11.0.1
+  resolution: "ember-cli-sass@npm:11.0.1"
+  dependencies:
+    broccoli-funnel: ^2.0.1
+    broccoli-merge-trees: ^3.0.1
+    broccoli-sass-source-maps: ^4.0.0
+    ember-cli-version-checker: ^2.1.0
+  checksum: 5f690b60be6b0d49b542c89c4ee51d17798c2ddee1dfa0d28fd3e92bc5ebf16df522f5c799abf247f1bf6190f0c75cf6cc0560400db0f004606c2b6e5631f0de
+  languageName: node
+  linkType: hard
+
+"ember-cli-sri@meirish/ember-cli-sri#rooturl":
+  version: 2.1.0
+  resolution: "ember-cli-sri@https://github.com/meirish/ember-cli-sri.git#commit=1c0ff776a61f09121d1ea69ce16e4653da5e1efa"
+  dependencies:
+    broccoli-sri-hash: ^2.1.0
+  checksum: cc1b5544c653db43a92c0b1a2b2b0cc17fb7d67e17e90efef0f1b069b9ae39a3154d8c63bea0aacc8d02202935719dc3ecd3123bf0007c068a18ed52972badd1
+  languageName: node
+  linkType: hard
+
+"ember-cli-string-helpers@npm:6.1.0":
+  version: 6.1.0
+  resolution: "ember-cli-string-helpers@npm:6.1.0"
+  dependencies:
+    "@babel/core": ^7.13.10
+    broccoli-funnel: ^3.0.3
+    ember-cli-babel: ^7.7.3
+    resolve: ^1.20.0
+  checksum: 13ccce5297232ce801ddc88e83d7327b5e17ae6359f658b633d09d1595d9241d3e1f3fc1240f515ac2bf01e732e59d2b29ba004f218fc18227fa9f0ab3fd8964
+  languageName: node
+  linkType: hard
+
+"ember-cli-string-utils@npm:^1.0.0, ember-cli-string-utils@npm:^1.1.0":
+  version: 1.1.0
+  resolution: "ember-cli-string-utils@npm:1.1.0"
+  checksum: cb833925596b1fedc5e8ad0d05d1dcb3db7305d4a73f1a3332ba3eb2bfa7a4f0e7674afc8dd5ac474cc526ee3129158b0e26c49d6392e5ea579a927b2af7f3e9
+  languageName: node
+  linkType: hard
+
+"ember-cli-terser@npm:^4.0.2":
+  version: 4.0.2
+  resolution: "ember-cli-terser@npm:4.0.2"
+  dependencies:
+    broccoli-terser-sourcemap: ^4.1.0
+  checksum: ab2209731ae8f5d85c4c85e0496309d4f8fbb44157e6164bbc6a5edc9a5a2754441fbd383c4856e1c3df9462215fa2708cdd77b62b85b52243af4ba4882564ae
+  languageName: node
+  linkType: hard
+
+"ember-cli-test-info@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "ember-cli-test-info@npm:1.0.0"
+  dependencies:
+    ember-cli-string-utils: ^1.0.0
+  checksum: 4a1de83a847c050037b485b2a2e3d0c4b24281f4d3fd14a10f593f793f38b9ad6d8f9cf4bf15e10c6d850ae1a89e9734f7f3e91afacdb1b03dfa8b785e4b296c
+  languageName: node
+  linkType: hard
+
+"ember-cli-test-loader@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "ember-cli-test-loader@npm:3.0.0"
+  dependencies:
+    ember-cli-babel: ^7.13.2
+  checksum: 1de13e06af31b3543e779f69b7d06cda0e1683cdfce7923e313d9cffcb33f4e979af75baf12f3988f8a2186db5d063d204e294f522ef517d845b19ce25cb9cdc
+  languageName: node
+  linkType: hard
+
+"ember-cli-typescript-blueprint-polyfill@npm:^0.1.0":
+  version: 0.1.0
+  resolution: "ember-cli-typescript-blueprint-polyfill@npm:0.1.0"
+  dependencies:
+    chalk: ^4.0.0
+    remove-types: ^1.0.0
+  checksum: e631d97836512565c04ca5693656e810d3d6992914c60bc671aca0c6ad62f06b80d6a671cc337c347e968cd6b29ca38ee4dea98e79250800bbc0ed12b0911eb5
+  languageName: node
+  linkType: hard
+
+"ember-cli-typescript@npm:3.0.0":
+  version: 3.0.0
+  resolution: "ember-cli-typescript@npm:3.0.0"
+  dependencies:
+    "@babel/plugin-transform-typescript": ~7.5.0
+    ansi-to-html: ^0.6.6
+    debug: ^4.0.0
+    ember-cli-babel-plugin-helpers: ^1.0.0
+    execa: ^2.0.0
+    fs-extra: ^8.0.0
+    resolve: ^1.5.0
+    rsvp: ^4.8.1
+    semver: ^6.0.0
+    stagehand: ^1.0.0
+    walk-sync: ^2.0.0
+  checksum: 4ef2732a0743113aa0167365afb972239e51ca227ca0858b1e240f8e449a34c02462973e1669eb7cd1982b0c1db225f1537f1d41360dc3945b6c2b54e566f96a
+  languageName: node
+  linkType: hard
+
+"ember-cli-typescript@npm:^2.0.2":
+  version: 2.0.2
+  resolution: "ember-cli-typescript@npm:2.0.2"
+  dependencies:
+    "@babel/plugin-proposal-class-properties": ^7.1.0
+    "@babel/plugin-transform-typescript": ~7.4.0
+    ansi-to-html: ^0.6.6
+    debug: ^4.0.0
+    ember-cli-babel-plugin-helpers: ^1.0.0
+    execa: ^1.0.0
+    fs-extra: ^7.0.0
+    resolve: ^1.5.0
+    rsvp: ^4.8.1
+    semver: ^6.0.0
+    stagehand: ^1.0.0
+    walk-sync: ^1.0.0
+  checksum: a1eecb5733df78de96eee3d75f1d0425c8e2638fddcdfb4b2fa46b70131df78216fc341419ccdcf4c32ca480c2bc3d91c0390b81b5ad738a409335ae5ff7f993
+  languageName: node
+  linkType: hard
+
+"ember-cli-typescript@npm:^3.1.4":
+  version: 3.1.4
+  resolution: "ember-cli-typescript@npm:3.1.4"
+  dependencies:
+    "@babel/plugin-proposal-nullish-coalescing-operator": ^7.4.4
+    "@babel/plugin-proposal-optional-chaining": ^7.6.0
+    "@babel/plugin-transform-typescript": ~7.8.0
+    ansi-to-html: ^0.6.6
+    broccoli-stew: ^3.0.0
+    debug: ^4.0.0
+    ember-cli-babel-plugin-helpers: ^1.0.0
+    execa: ^3.0.0
+    fs-extra: ^8.0.0
+    resolve: ^1.5.0
+    rsvp: ^4.8.1
+    semver: ^6.3.0
+    stagehand: ^1.0.0
+    walk-sync: ^2.0.0
+  checksum: 775c20caadcca5a071728bad1a388297e3c9acfea342b654901c334a2d158fc2d78ebac7b785e718051f1ed8de584741545d2c6c35c4a72b4ddb3fbc1618666f
+  languageName: node
+  linkType: hard
+
+"ember-cli-typescript@npm:^4.1.0, ember-cli-typescript@npm:^4.2.0, ember-cli-typescript@npm:^4.2.1":
+  version: 4.2.1
+  resolution: "ember-cli-typescript@npm:4.2.1"
+  dependencies:
+    ansi-to-html: ^0.6.15
+    broccoli-stew: ^3.0.0
+    debug: ^4.0.0
+    execa: ^4.0.0
+    fs-extra: ^9.0.1
+    resolve: ^1.5.0
+    rsvp: ^4.8.1
+    semver: ^7.3.2
+    stagehand: ^1.0.0
+    walk-sync: ^2.2.0
+  checksum: bd31698536c0df7fc03b47aa1c7d3f9c6f7e34fae1500c88bdbbc4c0b98b2a7e69230dd71a01d7cd7f563484cf895333f559af68f91527d95e198924e3cb2c24
+  languageName: node
+  linkType: hard
+
+"ember-cli-typescript@npm:^5.0.0":
+  version: 5.0.0
+  resolution: "ember-cli-typescript@npm:5.0.0"
+  dependencies:
+    ansi-to-html: ^0.6.15
+    broccoli-stew: ^3.0.0
+    debug: ^4.0.0
+    execa: ^4.0.0
+    fs-extra: ^9.0.1
+    resolve: ^1.5.0
+    rsvp: ^4.8.1
+    semver: ^7.3.2
+    stagehand: ^1.0.0
+    walk-sync: ^2.2.0
+  checksum: ac0d6088cd7e5bb17792e0db44e05f198eaea1484fd45f725b8caac8322b072d9d3dcf4d0d7a88fe66699ca88fe3ab564cc6dde98b63be92129c7acdb73c3da4
+  languageName: node
+  linkType: hard
+
+"ember-cli-typescript@npm:^5.2.1":
+  version: 5.2.1
+  resolution: "ember-cli-typescript@npm:5.2.1"
+  dependencies:
+    ansi-to-html: ^0.6.15
+    broccoli-stew: ^3.0.0
+    debug: ^4.0.0
+    execa: ^4.0.0
+    fs-extra: ^9.0.1
+    resolve: ^1.5.0
+    rsvp: ^4.8.1
+    semver: ^7.3.2
+    stagehand: ^1.0.0
+    walk-sync: ^2.2.0
+  checksum: b4306b37e9a9e070cc61a67acf404b30636ad2681379589fbc349c7e83158a7b634d792ab5af4cd4dd0770eecb8a901fa84d29a15167826db9c97b664a115df0
+  languageName: node
+  linkType: hard
+
+"ember-cli-version-checker@npm:^2.1.0, ember-cli-version-checker@npm:^2.1.2":
+  version: 2.2.0
+  resolution: "ember-cli-version-checker@npm:2.2.0"
+  dependencies:
+    resolve: ^1.3.3
+    semver: ^5.3.0
+  checksum: 2e2db30c0276df207e5921ff57574299ff027a528d52932ba42d9ddc6078da62dc3f34e6dc2ac647f5e07245d64c6acf4a395d453acccd819756f137fc4ec529
+  languageName: node
+  linkType: hard
+
+"ember-cli-version-checker@npm:^3.1.3":
+  version: 3.1.3
+  resolution: "ember-cli-version-checker@npm:3.1.3"
+  dependencies:
+    resolve-package-path: ^1.2.6
+    semver: ^5.6.0
+  checksum: 07a8b579272d4bd489b658b7dce3f6eefb0c9358a06b064fd59d2faf82defe60ade662fcc22bd009e3de6ac7ff602d88cdeb3b4e29c3669a09adb9a751d987a5
+  languageName: node
+  linkType: hard
+
+"ember-cli-version-checker@npm:^4.1.0":
+  version: 4.1.1
+  resolution: "ember-cli-version-checker@npm:4.1.1"
+  dependencies:
+    resolve-package-path: ^2.0.0
+    semver: ^6.3.0
+    silent-error: ^1.1.1
+  checksum: 43beddcef0e26c159721e61cea0bc606c901a5f1b4ce21c83418d7ee30d3c7b0f073310e5db03bde3ca76c082309358766d7bacd3655bad1745fc458f5ffe4a1
+  languageName: node
+  linkType: hard
+
+"ember-cli-version-checker@npm:^5.0.2, ember-cli-version-checker@npm:^5.1.1, ember-cli-version-checker@npm:^5.1.2":
+  version: 5.1.2
+  resolution: "ember-cli-version-checker@npm:5.1.2"
+  dependencies:
+    resolve-package-path: ^3.1.0
+    semver: ^7.3.4
+    silent-error: ^1.1.1
+  checksum: 95e98e11c5fdd31659d67b67abc7c781f3463e1da7a3642d5cae4717262e6382ba0d3487fe29e1bef1d5c3d03a2687fca9cd169445845abe2e486397ff92feef
+  languageName: node
+  linkType: hard
+
+"ember-cli@npm:~4.12.1":
+  version: 4.12.1
+  resolution: "ember-cli@npm:4.12.1"
+  dependencies:
+    "@babel/core": ^7.21.0
+    "@babel/plugin-transform-modules-amd": ^7.20.11
+    amd-name-resolver: ^1.3.1
+    babel-plugin-module-resolver: ^4.1.0
+    bower-config: ^1.4.3
+    bower-endpoint-parser: 0.2.2
+    broccoli: ^3.5.2
+    broccoli-amd-funnel: ^2.0.1
+    broccoli-babel-transpiler: ^7.8.1
+    broccoli-builder: ^0.18.14
+    broccoli-concat: ^4.2.5
+    broccoli-config-loader: ^1.0.1
+    broccoli-config-replace: ^1.1.2
+    broccoli-debug: ^0.6.5
+    broccoli-funnel: ^3.0.8
+    broccoli-funnel-reducer: ^1.0.0
+    broccoli-merge-trees: ^4.2.0
+    broccoli-middleware: ^2.1.1
+    broccoli-slow-trees: ^3.1.0
+    broccoli-source: ^3.0.1
+    broccoli-stew: ^3.0.0
+    calculate-cache-key-for-tree: ^2.0.0
+    capture-exit: ^2.0.0
+    chalk: ^4.1.2
+    ci-info: ^3.7.0
+    clean-base-url: ^1.0.0
+    compression: ^1.7.4
+    configstore: ^5.0.1
+    console-ui: ^3.1.2
+    core-object: ^3.1.5
+    dag-map: ^2.0.2
+    diff: ^5.1.0
+    ember-cli-is-package-missing: ^1.0.0
+    ember-cli-lodash-subset: ^2.0.1
+    ember-cli-normalize-entity-name: ^1.0.0
+    ember-cli-preprocess-registry: ^3.3.0
+    ember-cli-string-utils: ^1.1.0
+    ensure-posix-path: ^1.1.1
+    execa: ^5.1.1
+    exit: ^0.1.2
+    express: ^4.18.1
+    filesize: ^10.0.5
+    find-up: ^5.0.0
+    find-yarn-workspace-root: ^2.0.0
+    fixturify-project: ^2.1.1
+    fs-extra: ^11.1.0
+    fs-tree-diff: ^2.0.1
+    get-caller-file: ^2.0.5
+    git-repo-info: ^2.1.1
+    glob: ^8.1.0
+    heimdalljs: ^0.2.6
+    heimdalljs-fs-monitor: ^1.1.1
+    heimdalljs-graph: ^1.0.0
+    heimdalljs-logger: ^0.1.10
+    http-proxy: ^1.18.1
+    inflection: ^2.0.1
+    inquirer: ^8.2.1
+    is-git-url: ^1.0.0
+    is-language-code: ^3.1.0
+    isbinaryfile: ^5.0.0
+    js-yaml: ^4.1.0
+    leek: 0.0.24
+    lodash.template: ^4.5.0
+    markdown-it: ^13.0.1
+    markdown-it-terminal: ^0.4.0
+    minimatch: ^7.4.1
+    morgan: ^1.10.0
+    nopt: ^3.0.6
+    npm-package-arg: ^10.1.0
+    os-locale: ^5.0.0
+    p-defer: ^3.0.0
+    portfinder: ^1.0.32
+    promise-map-series: ^0.3.0
+    promise.hash.helper: ^1.0.8
+    quick-temp: ^0.1.8
+    remove-types: ^1.0.0
+    resolve: ^1.22.1
+    resolve-package-path: ^4.0.3
+    safe-stable-stringify: ^2.4.2
+    sane: ^5.0.1
+    semver: ^7.3.5
+    silent-error: ^1.1.1
+    sort-package-json: ^1.57.0
+    symlink-or-copy: ^1.3.1
+    temp: 0.9.4
+    testem: ^3.10.1
+    tiny-lr: ^2.0.0
+    tree-sync: ^2.1.0
+    uuid: ^9.0.0
+    walk-sync: ^3.0.0
+    watch-detector: ^1.0.2
+    workerpool: ^6.4.0
+    yam: ^1.0.0
+  bin:
+    ember: bin/ember
+  checksum: 3e6066637211d98994b44b85b33070cc4614f6f1500eebfdc64886880300602a49220b788c4359548d6f305c47844b18ef5bbe0b64d4d61d6865811a15a712b0
+  languageName: node
+  linkType: hard
+
+"ember-compatibility-helpers@npm:^1.1.2":
+  version: 1.2.4
+  resolution: "ember-compatibility-helpers@npm:1.2.4"
+  dependencies:
+    babel-plugin-debug-macros: ^0.2.0
+    ember-cli-version-checker: ^5.1.1
+    fs-extra: ^9.1.0
+    semver: ^5.4.1
+  checksum: f220953b2357173486e6d76f76253bce2d8b420d64f2517be41db39612c1becd9e0d078603d5c4445b73df7ff4bf039e777f0bcac8c67e7015abd2409417c819
+  languageName: node
+  linkType: hard
+
+"ember-compatibility-helpers@npm:^1.2.0, ember-compatibility-helpers@npm:^1.2.1":
+  version: 1.2.5
+  resolution: "ember-compatibility-helpers@npm:1.2.5"
+  dependencies:
+    babel-plugin-debug-macros: ^0.2.0
+    ember-cli-version-checker: ^5.1.1
+    fs-extra: ^9.1.0
+    semver: ^5.4.1
+  checksum: ee8625d240daa2ef6c6d14048d38808cb4c7054547c73715130817e3e226300fdf3489be9112205022543fc1d713bcbdea17b03b29480481e04d964e31fb3e86
+  languageName: node
+  linkType: hard
+
+"ember-compatibility-helpers@npm:^1.2.5, ember-compatibility-helpers@npm:^1.2.6":
+  version: 1.2.6
+  resolution: "ember-compatibility-helpers@npm:1.2.6"
+  dependencies:
+    babel-plugin-debug-macros: ^0.2.0
+    ember-cli-version-checker: ^5.1.1
+    find-up: ^5.0.0
+    fs-extra: ^9.1.0
+    semver: ^5.4.1
+  checksum: 1ab8ea51c8d010e02f06668820f1a5ee572ffc0d0ca8eb8b740641e736c8ed67f294d3321876eb9d5dc994c789cd9432632dd748b040c256eabe87e3b941fafc
+  languageName: node
+  linkType: hard
+
+"ember-composable-helpers@npm:5.0.0, ember-composable-helpers@npm:^5.0.0":
+  version: 5.0.0
+  resolution: "ember-composable-helpers@npm:5.0.0"
+  dependencies:
+    "@babel/core": ^7.0.0
+    broccoli-funnel: 2.0.1
+    ember-cli-babel: ^7.26.3
+    resolve: ^1.10.0
+  checksum: 8fdceade42f025cb75cb3718de4a6f3836b1a74eca8d30ca7a8c0313fccdce6663ce6fa5e5bd14fd905ecac2a330d55c169f21f559f092a5900d08ddc290fff6
+  languageName: node
+  linkType: hard
+
+"ember-concurrency-decorators@npm:^2.0.0":
+  version: 2.0.3
+  resolution: "ember-concurrency-decorators@npm:2.0.3"
+  dependencies:
+    "@ember-decorators/utils": ^6.1.0
+    ember-cli-babel: ^7.19.0
+    ember-cli-htmlbars: ^4.3.1
+    ember-cli-typescript: ^3.1.4
+  checksum: c231097d74208759ee4e60fd10828693b41b3ab4dd77f280bd7559cd20c607fe518dcd49f347e91e9a5052126abb2414efa405dc54619a330b1b832b39871c95
+  languageName: node
+  linkType: hard
+
+"ember-concurrency@npm:2.3.4":
+  version: 2.3.4
+  resolution: "ember-concurrency@npm:2.3.4"
+  dependencies:
+    "@babel/helper-plugin-utils": ^7.12.13
+    "@babel/types": ^7.12.13
+    "@glimmer/tracking": ^1.0.4
+    ember-cli-babel: ^7.26.11
+    ember-cli-babel-plugin-helpers: ^1.1.1
+    ember-cli-htmlbars: ^5.7.1
+    ember-compatibility-helpers: ^1.2.0
+    ember-destroyable-polyfill: ^2.0.2
+  checksum: 14b68d1da5575b14dc038af8146b8de29f5b0b961ca57275d1930cf77f8b0d8ba20105d40a5755b79c3f8ad65449195beb94029a687c72a07486c5024ab98154
+  languageName: node
+  linkType: hard
+
+"ember-concurrency@npm:>=1.0.0 <3":
+  version: 2.2.0
+  resolution: "ember-concurrency@npm:2.2.0"
+  dependencies:
+    "@glimmer/tracking": ^1.0.4
+    ember-cli-babel: ^7.26.6
+    ember-cli-htmlbars: ^5.7.1
+    ember-compatibility-helpers: ^1.2.0
+    ember-destroyable-polyfill: ^2.0.2
+  checksum: 3a9bb4c098b4407125e63bd1e25b598c0fae491db240dea2332e7116e5b6538ca2fb71e124b6da31a5f953a78fe7ebe03a7881c53e950203e808456997c7d187
+  languageName: node
+  linkType: hard
+
+"ember-copy@npm:2.0.1":
+  version: 2.0.1
+  resolution: "ember-copy@npm:2.0.1"
+  dependencies:
+    ember-cli-babel: ^7.22.1
+  checksum: addeba5ce864c1dcea4ec475bab51c4996dcd575adab28fb3a5fb082fa1db1f8530236ccfbb2c66fd594d8b11410f17eece6651957bd6b0804eaa870915e84ba
+  languageName: node
+  linkType: hard
+
+"ember-d3@npm:^0.5.1":
+  version: 0.5.1
+  resolution: "ember-d3@npm:0.5.1"
+  dependencies:
+    broccoli-funnel: ^2.0.0
+    broccoli-merge-trees: ^3.0.0
+    d3: ^5.0.0
+    d3-selection-multi: ^1.0.1
+    ember-cli-babel: ^7.1.2
+  checksum: 81256d9a3f7647c5b9689a2e9973fdbcc29fe03ff795a66a3fc6202fd978c6207d1655b44f9a1379f8d4c997283813f25acaf310a1005cc90b74344bf5ef04b5
+  languageName: node
+  linkType: hard
+
+"ember-data@npm:~4.11.3":
+  version: 4.11.3
+  resolution: "ember-data@npm:4.11.3"
+  dependencies:
+    "@ember-data/adapter": 4.11.3
+    "@ember-data/debug": 4.11.3
+    "@ember-data/model": 4.11.3
+    "@ember-data/private-build-infra": 4.11.3
+    "@ember-data/record-data": 4.11.3
+    "@ember-data/serializer": 4.11.3
+    "@ember-data/store": 4.11.3
+    "@ember-data/tracking": 4.11.3
+    "@ember/edition-utils": ^1.2.0
+    "@embroider/macros": ^1.10.0
+    "@glimmer/env": ^0.1.7
+    broccoli-merge-trees: ^4.2.0
+    ember-auto-import: ^2.4.3
+    ember-cli-babel: ^7.26.11
+    ember-inflector: ^4.0.2
+  peerDependencies:
+    "@ember/string": ^3.0.1
+  checksum: b9a9450b7567ec68a64ed4bac9878a2fc603f18a3adba657e04f476f4cef38fc9cdd71838203274f677af0c403a522a70838e9580526ff198e82229da9d7c326
+  languageName: node
+  linkType: hard
+
+"ember-decorators@npm:^6.1.1":
+  version: 6.1.1
+  resolution: "ember-decorators@npm:6.1.1"
+  dependencies:
+    "@ember-decorators/component": ^6.1.1
+    "@ember-decorators/object": ^6.1.1
+    ember-cli-babel: ^7.7.3
+  checksum: ffe95d41dae393586190340c0e65d772c2132ff50269ef21a408d999e10fff79214ac9e14a49e1a94bf3fdd18c660759bc23c79de9ca41375f0e9ba8204b5168
+  languageName: node
+  linkType: hard
+
+"ember-destroyable-polyfill@npm:^2.0.2, ember-destroyable-polyfill@npm:^2.0.3":
+  version: 2.0.3
+  resolution: "ember-destroyable-polyfill@npm:2.0.3"
+  dependencies:
+    ember-cli-babel: ^7.22.1
+    ember-cli-version-checker: ^5.1.1
+    ember-compatibility-helpers: ^1.2.1
+  checksum: 1c96c453a7be71a76a117421a5571a073cd85c56525a2de146728091f2c639fff93216eedae2baf437576d62906e885adce996619104bcc28c3af66bdf720099
+  languageName: node
+  linkType: hard
+
+"ember-element-helper@npm:^0.6.0":
+  version: 0.6.1
+  resolution: "ember-element-helper@npm:0.6.1"
+  dependencies:
+    "@embroider/util": ^0.39.1 || ^0.40.0 || ^0.41.0 || ^1.0.0
+    ember-cli-babel: ^7.26.11
+    ember-cli-htmlbars: ^6.0.1
+  peerDependencies:
+    ember-source: ^3.8 || 4
+  checksum: 36110a5b5a504169abe80d004f8ad9eba56c0d8b602211606ad6ab88d541b93f7621a740c0a4a972036d5b390e42f59d638575dd4748b184e1d6f33586851e03
+  languageName: node
+  linkType: hard
+
+"ember-element-helper@npm:^0.8.5":
+  version: 0.8.5
+  resolution: "ember-element-helper@npm:0.8.5"
+  dependencies:
+    "@embroider/addon-shim": 1.8.3
+    "@embroider/util": ^1.0.0
+  peerDependencies:
+    ember-source: ^3.8 || ^4.0.0 || >= 5.0.0
+  checksum: 7be5fa71b172dc74f24bd10bdc179d9e9dcbaaeab5c78763a24dd6f6d384768d6835291771839c6b530940c3ddd259bd7fdc8242576c9cc31e74d6bb35df435b
+  languageName: node
+  linkType: hard
+
+"ember-engines@npm:0.8.23":
+  version: 0.8.23
+  resolution: "ember-engines@npm:0.8.23"
+  dependencies:
+    "@embroider/macros": ^1.3.0
+    amd-name-resolver: 1.3.1
+    babel-plugin-compact-reexports: ^1.1.0
+    broccoli-babel-transpiler: ^7.2.0
+    broccoli-concat: ^4.2.5
+    broccoli-debug: ^0.6.5
+    broccoli-dependency-funnel: ^2.1.2
+    broccoli-file-creator: ^2.1.1
+    broccoli-funnel: ^2.0.2
+    broccoli-merge-trees: ^3.0.2
+    broccoli-test-helper: ^2.0.0
+    calculate-cache-key-for-tree: ^2.0.0
+    ember-asset-loader: ^0.6.1
+    ember-cli-babel: ^7.18.0
+    ember-cli-preprocess-registry: ^3.3.0
+    ember-cli-string-utils: ^1.1.0
+    ember-cli-version-checker: ^5.1.2
+    lodash: ^4.17.11
+  peerDependencies:
+    "@ember/legacy-built-in-components": "*"
+    ember-source: ^3.12 || 4
+  checksum: 167b8101b1254c8bc5d5c88623f3d34e95284003674dccefadf006db4a3c42172a2512b198489a7b50be233b09b3617e67bfde3c6f2daf56acbd2ceda416808e
+  languageName: node
+  linkType: hard
+
+"ember-fetch@npm:^8.1.2":
+  version: 8.1.2
+  resolution: "ember-fetch@npm:8.1.2"
+  dependencies:
+    abortcontroller-polyfill: ^1.7.3
+    broccoli-concat: ^4.2.5
+    broccoli-debug: ^0.6.5
+    broccoli-merge-trees: ^4.2.0
+    broccoli-rollup: ^2.1.1
+    broccoli-stew: ^3.0.0
+    broccoli-templater: ^2.0.1
+    calculate-cache-key-for-tree: ^2.0.0
+    caniuse-api: ^3.0.0
+    ember-cli-babel: ^7.23.1
+    ember-cli-typescript: ^4.1.0
+    ember-cli-version-checker: ^5.1.2
+    node-fetch: ^2.6.1
+    whatwg-fetch: ^3.6.2
+  checksum: 00b864c04776493d7c6e06c71709edb9045d4fa6c25392988dad218487d5440a8b00e994e951c6279da2522c6bb12e0780983d0083f93524e68fcdcd77dec62b
+  languageName: node
+  linkType: hard
+
+"ember-focus-trap@npm:^1.1.0":
+  version: 1.1.0
+  resolution: "ember-focus-trap@npm:1.1.0"
+  dependencies:
+    "@embroider/addon-shim": ^1.0.0
+    focus-trap: ^6.7.1
+  peerDependencies:
+    ember-source: ^4.0.0 || ^5.0.0
+  checksum: 1f19c50b92c56f04681cd59ac3a88a520a53403278105aab2f4edc64df6ce3d0ceb53409e3309822bd4ced60063d9e8657117c708f90da9038c8140737e8d831
+  languageName: node
+  linkType: hard
+
+"ember-get-config@npm:0.2.4 - 0.5.0":
+  version: 0.5.0
+  resolution: "ember-get-config@npm:0.5.0"
+  dependencies:
+    broccoli-file-creator: ^1.1.1
+    ember-cli-babel: ^7.26.6
+    ember-cli-htmlbars: ^5.7.1
+  checksum: c9ca75a44764705ea62324dba90770ae608d8614c1222ddc9f22ede506f056e65d0e2e518fbc3aa2665ea32e2d4c2735fff9fe4e031d1827c3ebaad3b03bfea2
+  languageName: node
+  linkType: hard
+
+"ember-get-config@npm:^1.0.2 || ^2.0.0, ember-get-config@npm:^2.1.1":
+  version: 2.1.1
+  resolution: "ember-get-config@npm:2.1.1"
+  dependencies:
+    "@embroider/macros": ^0.50.0 || ^1.0.0
+    ember-cli-babel: ^7.26.6
+  checksum: 850bc718ad2df98ab08e566f14b857fcad3aa5f31aac2a114bcbde27000dfd727a7af3c428c73a383d1f7243819486c28f0a69a31b44027e50c4f51d8602ef19
+  languageName: node
+  linkType: hard
+
+"ember-in-element-polyfill@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "ember-in-element-polyfill@npm:1.0.1"
+  dependencies:
+    debug: ^4.3.1
+    ember-cli-babel: ^7.23.1
+    ember-cli-htmlbars: ^5.3.1
+    ember-cli-version-checker: ^5.1.2
+  checksum: fda95b1bd56dd2eefea014e9131eb03d5e3f34aa08c4f7b2fd4e717d001aa3a029c7a9d1725975085641924be7924c43f12ecade5642677d405f9566776c1507
+  languageName: node
+  linkType: hard
+
+"ember-inflector@npm:4.0.2, ember-inflector@npm:^2.0.0 || ^3.0.0 || ^4.0.2, ember-inflector@npm:^4.0.2":
+  version: 4.0.2
+  resolution: "ember-inflector@npm:4.0.2"
+  dependencies:
+    ember-cli-babel: ^7.26.5
+  checksum: 0433146a7a093cf0f5e1454f3820c773d5f4ee7ca069df0eddc712f39d45a52bb699f8e44cd163815fb0c5abe75480b8511a947647b0f3cb38768147f457adae
+  languageName: node
+  linkType: hard
+
+"ember-keyboard@npm:^8.2.1":
+  version: 8.2.1
+  resolution: "ember-keyboard@npm:8.2.1"
+  dependencies:
+    "@embroider/addon-shim": ^1.8.4
+    ember-destroyable-polyfill: ^2.0.3
+    ember-modifier: ^2.1.2 || ^3.1.0 || ^4.0.0
+    ember-modifier-manager-polyfill: ^1.2.0
+  peerDependencies:
+    "@ember/test-helpers": ^2.6.0 || ^3.0.0
+  peerDependenciesMeta:
+    "@ember/test-helpers":
+      optional: true
+  checksum: cfb4120aaf3b1ff3aba8ba1619b0597c6738abde31d1e0719d8bbf69512fb9967fc76bc85557351ec42856bb9b6c47354634f22f0accab0e15743d9f0e3f2be4
+  languageName: node
+  linkType: hard
+
+"ember-load-initializers@npm:^2.1.2":
+  version: 2.1.2
+  resolution: "ember-load-initializers@npm:2.1.2"
+  dependencies:
+    ember-cli-babel: ^7.13.0
+    ember-cli-typescript: ^2.0.2
+  checksum: 104b38cb4b755894b65d39ab94f316bdb1b571884b8e52118ced0bfeb06de8e3e7685dcc4579fd8dae57fc6c62e2e50df042e782e960565e05a4cf4eaf6db337
+  languageName: node
+  linkType: hard
+
+"ember-maybe-in-element@npm:^2.0.3":
+  version: 2.0.3
+  resolution: "ember-maybe-in-element@npm:2.0.3"
+  dependencies:
+    ember-cli-babel: ^7.21.0
+    ember-cli-htmlbars: ^5.2.0
+    ember-cli-version-checker: ^5.1.1
+    ember-in-element-polyfill: ^1.0.1
+  checksum: 4bd0e66f748eac053dc2fed2b19a227bd159eb84cb1084bea2941af454a1135969a6efb36c298a9c06c36a7697e34819e9ff0ef1dcb18fa64d11dce09b75b523
+  languageName: node
+  linkType: hard
+
+"ember-modal-dialog@npm:^4.0.1":
+  version: 4.0.1
+  resolution: "ember-modal-dialog@npm:4.0.1"
+  dependencies:
+    "@embroider/macros": ^1.0.0
+    "@embroider/util": ^1.0.0
+    ember-cli-babel: ^7.26.8
+    ember-cli-htmlbars: ^6.0.1
+    ember-cli-version-checker: ^2.1.0
+    ember-decorators: ^6.1.1
+    ember-wormhole: ^0.6.0
+  peerDependencies:
+    ember-tether: ^2.0.1
+  peerDependenciesMeta:
+    ember-tether:
+      optional: true
+  checksum: d8005d3f9e0aab6fc4ce3f16a8bfb5ff9308e8ab9292b7e1be84e657f179f749414c9b0c029bf5c060526de0058fcb0acb38c3d19c80ad67e9ceb034de4b4e0c
+  languageName: node
+  linkType: hard
+
+"ember-modifier-manager-polyfill@npm:^1.1.0, ember-modifier-manager-polyfill@npm:^1.2.0":
+  version: 1.2.0
+  resolution: "ember-modifier-manager-polyfill@npm:1.2.0"
+  dependencies:
+    ember-cli-babel: ^7.10.0
+    ember-cli-version-checker: ^2.1.2
+    ember-compatibility-helpers: ^1.2.0
+  checksum: 70b0d1c8601766e2d8356bd61b1ebd9ffbdec180eb42e7d0ed9dccd79513a84aedde9f9c13357ea3b063733a63d9ea1996de73b2d09d3f6a0bce3674a92fde18
+  languageName: node
+  linkType: hard
+
+"ember-modifier@npm:^2.1.2 || ^3.1.0 || ^4.0.0, ember-modifier@npm:^3.2.7 || ^4.0.0, ember-modifier@npm:^4.1.0":
+  version: 4.1.0
+  resolution: "ember-modifier@npm:4.1.0"
+  dependencies:
+    "@embroider/addon-shim": ^1.8.4
+    ember-cli-normalize-entity-name: ^1.0.0
+    ember-cli-string-utils: ^1.1.0
+  peerDependencies:
+    ember-source: "*"
+  peerDependenciesMeta:
+    ember-source:
+      optional: true
+  checksum: 5e14a864de2184c07e59fb9bc76a09ae25d1bd37722a94751a3cef6165df22027007696c4dda03e1862cb3bbeefb046772810dda3104d05c7fe8476389c34a77
+  languageName: node
+  linkType: hard
+
+"ember-modifier@npm:^3.2.7":
+  version: 3.2.7
+  resolution: "ember-modifier@npm:3.2.7"
+  dependencies:
+    ember-cli-babel: ^7.26.6
+    ember-cli-normalize-entity-name: ^1.0.0
+    ember-cli-string-utils: ^1.1.0
+    ember-cli-typescript: ^5.0.0
+    ember-compatibility-helpers: ^1.2.5
+  checksum: 2e96d9ec3939de178a9ce704d5a9360fd73f0276ffa4a9cce9f100a4087fdc8fae4a8b28bf1be22b05a4d1c61e1bb1ab93ca60576810c6556bc4d9323864c66a
+  languageName: node
+  linkType: hard
+
+"ember-native-dom-helpers@npm:^0.7.0":
+  version: 0.7.0
+  resolution: "ember-native-dom-helpers@npm:0.7.0"
+  dependencies:
+    broccoli-funnel: ^1.1.0
+    ember-cli-babel: ^6.6.0
+  checksum: 958ed8ff1b1d31c598ba73dfb53d551448fcb377a02ed224e93360d39369c0937063fce1da72f1c2329d85b77701fc84646b248fb2bee83e0b8535566a9fa436
+  languageName: node
+  linkType: hard
+
+"ember-page-title@npm:^7.0.0":
+  version: 7.0.0
+  resolution: "ember-page-title@npm:7.0.0"
+  dependencies:
+    ember-cli-babel: ^7.26.6
+  checksum: 2533d6fa3aaeb37950f44dc8e50ce2e30008106fbded78136fb4bbfc8bc3240b24ccf0cfadb71154744b0483ae06a9d9b557edfbdbe397c0e8096448c76095ed
+  languageName: node
+  linkType: hard
+
+"ember-power-select@npm:6.0.1":
+  version: 6.0.1
+  resolution: "ember-power-select@npm:6.0.1"
+  dependencies:
+    "@embroider/util": ^1.0.0
+    "@glimmer/component": ^1.1.2
+    "@glimmer/tracking": ^1.1.2
+    ember-assign-helper: ^0.4.0
+    ember-basic-dropdown: ^6.0.0
+    ember-cli-babel: ^7.26.11
+    ember-cli-htmlbars: ^6.1.0
+    ember-cli-typescript: ^4.2.0
+    ember-concurrency: ">=1.0.0 <3"
+    ember-concurrency-decorators: ^2.0.0
+    ember-text-measurer: ^0.6.0
+    ember-truth-helpers: ^3.0.0
+  checksum: 3cefce209966a3d419796275f89252216e66c265186f22572962be961d071cfa46548ba067ec9af9c0e100c1979f845d71d2d86bfde46796ce56840e0d8eeedf
+  languageName: node
+  linkType: hard
+
+"ember-qrcode-shim@npm:^0.4.0":
+  version: 0.4.0
+  resolution: "ember-qrcode-shim@npm:0.4.0"
+  dependencies:
+    ember-cli-babel: ^7.1.2
+  checksum: eb25f33c4559d3810a6473a98a4d4fa73e209d59e1d2a05837f7538aa6451f06954dcbae1a9ebedd379d837ab36a7f677909c1fe264a9361be72a89b3b7a5e23
+  languageName: node
+  linkType: hard
+
+"ember-qunit@npm:6.0.0":
+  version: 6.0.0
+  resolution: "ember-qunit@npm:6.0.0"
+  dependencies:
+    broccoli-funnel: ^3.0.8
+    broccoli-merge-trees: ^3.0.2
+    common-tags: ^1.8.0
+    ember-auto-import: ^2.4.2
+    ember-cli-babel: ^7.26.6
+    ember-cli-test-loader: ^3.0.0
+    resolve-package-path: ^4.0.3
+    silent-error: ^1.1.1
+    validate-peer-dependencies: ^2.1.0
+  peerDependencies:
+    "@ember/test-helpers": ^2.4.0
+    qunit: ^2.13.0
+  checksum: 74c4c9316ff509a195e7961bae9aa1da6e6260d1a5e0ce153dff76302d23f974fa652dfc9d484fbe78d64623ba0d837b68d437d56745531118b88b950c6a5608
+  languageName: node
+  linkType: hard
+
+"ember-resolver@npm:^10.0.0":
+  version: 10.1.1
+  resolution: "ember-resolver@npm:10.1.1"
+  dependencies:
+    ember-cli-babel: ^7.26.11
+  peerDependencies:
+    "@ember/string": ^3.0.1
+    ember-source: ^4.8.3 || >= 5.0.0
+  peerDependenciesMeta:
+    ember-source:
+      optional: true
+  checksum: 3ffbc0789f651d834455aeef4a248840dfea0ca6ab9192bbab66e4bff2f5f5e33c51c24e35d41bfeb08d980e1e7b287eecef9e73c39baee57468e5edc798fa29
+  languageName: node
+  linkType: hard
+
+"ember-resources@npm:^5.0.1":
+  version: 5.6.4
+  resolution: "ember-resources@npm:5.6.4"
+  dependencies:
+    "@babel/runtime": ^7.17.8
+    "@embroider/addon-shim": ^1.2.0
+    "@embroider/macros": ^1.2.0
+  peerDependencies:
+    "@ember/test-waiters": ^3.0.0
+    "@glimmer/component": ^1.1.2
+    "@glimmer/tracking": ^1.1.2
+    "@glint/template": ">= 0.8.3"
+    ember-concurrency: ^2.0.0
+    ember-source: ">= 3.28.0"
+  peerDependenciesMeta:
+    "@ember/test-waiters":
+      optional: true
+    "@glimmer/component":
+      optional: true
+    ember-concurrency:
+      optional: true
+  checksum: 9edb126ee307251080380d421aba42f330f76c6e295046ae59b48c3162d27e83223732e398f8373f933d120f38831e791e0fd31e63c70315982166db399d2b33
+  languageName: node
+  linkType: hard
+
+"ember-responsive@npm:5.0.0":
+  version: 5.0.0
+  resolution: "ember-responsive@npm:5.0.0"
+  dependencies:
+    ember-cli-babel: ^7.26.11
+  checksum: 6d36a773e3a682ab8252a4f6416a95eb4c7fa76b72ac0cdc8ca6cd17adb764f59f39cba98f8227f52f42044a1c1073763e2689d34948b6207a0ca17f398b0a55
+  languageName: node
+  linkType: hard
+
+"ember-rfc176-data@npm:^0.3.13":
+  version: 0.3.18
+  resolution: "ember-rfc176-data@npm:0.3.18"
+  checksum: 897ac88b54fae39b3bda1c3aefb807f5ffc394c34e33c47b20b8b983e090716492a7d61acadc06771988285fe4e2b18c22faaf0b3b340d810dbbce2fe1a2a3e5
+  languageName: node
+  linkType: hard
+
+"ember-rfc176-data@npm:^0.3.15, ember-rfc176-data@npm:^0.3.17":
+  version: 0.3.17
+  resolution: "ember-rfc176-data@npm:0.3.17"
+  checksum: bc35da90149178d4c0e67097446d46ab69910571fcd02308dead097ca21c6d86767c4031d2bba4df267213ce6c43d1fe5660ded9e061051c1d84ba171fd02366
+  languageName: node
+  linkType: hard
+
+"ember-router-generator@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "ember-router-generator@npm:2.0.0"
+  dependencies:
+    "@babel/parser": ^7.4.5
+    "@babel/traverse": ^7.4.5
+    recast: ^0.18.1
+  checksum: e163e0d68e49a942658aee7c05638dd5c2db939753b51efc9c6d9f0e582953be185daf4cdd569c1b8a35ed47f35f4cb18067a6a1db68e135d7464bbad6ef9d93
+  languageName: node
+  linkType: hard
+
+"ember-router-helpers@npm:^0.4.0":
+  version: 0.4.0
+  resolution: "ember-router-helpers@npm:0.4.0"
+  dependencies:
+    ember-cli-babel: ^7.20.0
+  checksum: e847ceb1061f87416d6bb5d72ef539fda738a24086051bc94d740117c6353b3406c65247ac8190b8572df008a70d9f801e224d38489170129c5ca6c4ec7f206e
+  languageName: node
+  linkType: hard
+
+"ember-service-worker@meirish/ember-service-worker#configurable-scope":
+  version: 9.0.1
+  resolution: "ember-service-worker@https://github.com/meirish/ember-service-worker.git#commit=dda14187aace0d73ecdb6a55beac2194a3aec01b"
+  dependencies:
+    "@rollup/plugin-replace": 2.3.0
+    broccoli-caching-writer: ^3.0.3
+    broccoli-file-creator: ^2.1.1
+    broccoli-funnel: ^2.0.2
+    broccoli-merge-trees: ^3.0.1
+    broccoli-rollup: 4.0.0
+    broccoli-uglify-sourcemap: ^3.2.0
+    clone: ^2.1.2
+    ember-cli-babel: ^7.22.1
+    glob: ^7.1.6
+    hash-for-dep: ^1.5.1
+  checksum: 17e2f2a03cdf0ae9c5f4b0bd25a1b631849392b31e7bc4d376253511d1d6bc7338253fb36a4d7323ceb6b0eb319399a7e964a50ad9df381e64c4ac0d5b07a0b6
+  languageName: node
+  linkType: hard
+
+"ember-sinon@npm:^4.0.0":
+  version: 4.1.1
+  resolution: "ember-sinon@npm:4.1.1"
+  dependencies:
+    broccoli-funnel: ^2.0.0
+    broccoli-merge-trees: ^3.0.0
+    ember-cli-babel: ^7.7.3
+    sinon: ^7.4.2
+  checksum: 8781e420e1495728264599a770d786290a46eceb841ea6a0b86cf196efd9155e78931ea3c88bfd546bd4b9c1627c0bd0edb6cdd957abbe6faa71247de8184443
+  languageName: node
+  linkType: hard
+
+"ember-source@npm:~4.12.0":
+  version: 4.12.3
+  resolution: "ember-source@npm:4.12.3"
+  dependencies:
+    "@babel/helper-module-imports": ^7.16.7
+    "@babel/plugin-transform-block-scoping": ^7.20.5
+    "@ember/edition-utils": ^1.2.0
+    "@glimmer/vm-babel-plugins": 0.84.2
+    "@simple-dom/interface": ^1.4.0
+    babel-plugin-debug-macros: ^0.3.4
+    babel-plugin-filter-imports: ^4.0.0
+    broccoli-concat: ^4.2.5
+    broccoli-debug: ^0.6.4
+    broccoli-file-creator: ^2.1.1
+    broccoli-funnel: ^3.0.8
+    broccoli-merge-trees: ^4.2.0
+    chalk: ^4.0.0
+    ember-auto-import: ^2.5.0
+    ember-cli-babel: ^7.26.11
+    ember-cli-get-component-path-option: ^1.0.0
+    ember-cli-is-package-missing: ^1.0.0
+    ember-cli-normalize-entity-name: ^1.0.0
+    ember-cli-path-utils: ^1.0.0
+    ember-cli-string-utils: ^1.1.0
+    ember-cli-typescript-blueprint-polyfill: ^0.1.0
+    ember-cli-version-checker: ^5.1.2
+    ember-router-generator: ^2.0.0
+    inflection: ^1.13.2
+    resolve: ^1.22.0
+    semver: ^7.3.8
+    silent-error: ^1.1.1
+  peerDependencies:
+    "@glimmer/component": ^1.1.2
+  checksum: bd055bc4a4e3923fdd64065076f0443ef327db14e54f8ee4e801a19a7fcd9f283be617bb27a6ff20968069d58fce01d8dd07b395999537d4a286278f1e3863e9
+  languageName: node
+  linkType: hard
+
+"ember-stargate@npm:^0.4.3":
+  version: 0.4.3
+  resolution: "ember-stargate@npm:0.4.3"
+  dependencies:
+    "@ember/render-modifiers": ^2.0.0
+    "@embroider/addon-shim": ^1.0.0
+    "@glimmer/component": ^1.1.2
+    ember-resources: ^5.0.1
+    tracked-maps-and-sets: ^3.0.1
+  checksum: b41c0dd65c59e298d0a9f9b31fd5035b7824d8ebc0a92b47d52dc559b553ade3e9126bc4f647521138f09b34f80ed297300b6d428583b9a294de5071d5890bf6
+  languageName: node
+  linkType: hard
+
+"ember-style-modifier@npm:^0.8.0":
+  version: 0.8.0
+  resolution: "ember-style-modifier@npm:0.8.0"
+  dependencies:
+    ember-cli-babel: ^7.26.6
+    ember-modifier: ^3.2.7
+  checksum: ae105c24d05be275d47eff3563f0df9d59c4047c4b6afcc2903dbbfa87d5833ccd66bf5e6bee6244505cba404289f5f302112bb4d83f4edf9400507bb4ffe877
+  languageName: node
+  linkType: hard
+
+"ember-style-modifier@npm:^3.0.1":
+  version: 3.0.1
+  resolution: "ember-style-modifier@npm:3.0.1"
+  dependencies:
+    ember-auto-import: ^2.5.0
+    ember-cli-babel: ^7.26.11
+    ember-modifier: ^3.2.7 || ^4.0.0
+  peerDependencies:
+    "@ember/string": ^3.0.1
+  checksum: 093a9affaaa7b3f1c782fa46616bd3f9a02f518c3eff22f1f4c2582f2411cc9d1eecb95d483aaeabf6ce050d95ff928201cd5287e950027b96cbe702e56ae68d
+  languageName: node
+  linkType: hard
+
+"ember-svg-jar@npm:2.4.0":
+  version: 2.4.0
+  resolution: "ember-svg-jar@npm:2.4.0"
+  dependencies:
+    broccoli-caching-writer: ^3.0.3
+    broccoli-concat: ^4.2.5
+    broccoli-funnel: ^3.0.8
+    broccoli-merge-trees: ^4.2.0
+    broccoli-persistent-filter: ^3.1.2
+    broccoli-plugin: ^4.0.7
+    broccoli-string-replace: ^0.1.2
+    broccoli-svg-optimizer: ^2.1.0
+    cheerio: ^1.0.0-rc.12
+    console-ui: ^3.1.1
+    ember-cli-babel: ^7.26.6
+    ember-cli-htmlbars: ^5.7.1
+    lodash: ^4.17.15
+    safe-stable-stringify: ^2.2.0
+  checksum: d2c7eb54c3aab45fe80775470e52d5db93e4fe60c9ecd95d614897cb2275bce92a0b5389914b40ad84509dcf400e1ec384ea192a25a325f30f6b848d8637d145
+  languageName: node
+  linkType: hard
+
+"ember-template-imports@npm:^3.4.1, ember-template-imports@npm:^3.4.2":
+  version: 3.4.2
+  resolution: "ember-template-imports@npm:3.4.2"
+  dependencies:
+    babel-import-util: ^0.2.0
+    broccoli-stew: ^3.0.0
+    ember-cli-babel-plugin-helpers: ^1.1.1
+    ember-cli-version-checker: ^5.1.2
+    line-column: ^1.0.2
+    magic-string: ^0.25.7
+    parse-static-imports: ^1.1.0
+    string.prototype.matchall: ^4.0.6
+    validate-peer-dependencies: ^1.1.0
+  checksum: de7a3d455a3174f681d99d1467c6bbb9f6a00e130932106cfd9be7e04476d2e26c5151fa0ed4ba7084ef2b82863bb5d390a0340b108935e8d5f0c5a6215a9b49
+  languageName: node
+  linkType: hard
+
+"ember-template-lint-plugin-prettier@npm:4.0.0":
+  version: 4.0.0
+  resolution: "ember-template-lint-plugin-prettier@npm:4.0.0"
+  dependencies:
+    prettier-linter-helpers: ^1.0.0
+  peerDependencies:
+    ember-template-lint: ^4.0.0
+    prettier: ">=1.18.1"
+  checksum: 1b6d94803a51991f952a7a426578a677cbd04402c8236073b6b4bc0fd27871b07088463566e77ddd2ed381b4368dd8a1258af8d17f2cf4102e429d946448e3c1
+  languageName: node
+  linkType: hard
+
+"ember-template-lint@npm:5.7.2":
+  version: 5.7.2
+  resolution: "ember-template-lint@npm:5.7.2"
+  dependencies:
+    "@lint-todo/utils": ^13.0.3
+    aria-query: ^5.0.2
+    chalk: ^5.2.0
+    ci-info: ^3.8.0
+    date-fns: ^2.29.2
+    ember-template-imports: ^3.4.1
+    ember-template-recast: ^6.1.4
+    eslint-formatter-kakoune: ^1.0.0
+    find-up: ^6.3.0
+    fuse.js: ^6.5.3
+    get-stdin: ^9.0.0
+    globby: ^13.1.3
+    is-glob: ^4.0.3
+    language-tags: ^1.0.8
+    micromatch: ^4.0.5
+    resolve: ^1.22.1
+    v8-compile-cache: ^2.3.0
+    yargs: ^17.7.1
+  bin:
+    ember-template-lint: bin/ember-template-lint.js
+  checksum: 7f3848994cb73b3004ca21e726ad460fc54a6039a12c26b3fd787729211ed3d6ad34a1c30a4c8fb40581a61c0795dfdc5fe0e014369afcdea25f81c21a4e6f98
+  languageName: node
+  linkType: hard
+
+"ember-template-recast@npm:^6.1.4":
+  version: 6.1.4
+  resolution: "ember-template-recast@npm:6.1.4"
+  dependencies:
+    "@glimmer/reference": ^0.84.3
+    "@glimmer/syntax": ^0.84.3
+    "@glimmer/validator": ^0.84.3
+    async-promise-queue: ^1.0.5
+    colors: ^1.4.0
+    commander: ^8.3.0
+    globby: ^11.0.3
+    ora: ^5.4.0
+    slash: ^3.0.0
+    tmp: ^0.2.1
+    workerpool: ^6.4.0
+  bin:
+    ember-template-recast: lib/bin.js
+  checksum: a492e19c99080e0808fb7b4e3e3e9af47906a4a0b628c1c317414725e82b0c984fe327e1b7265718dc06e3f57b759bf432ef5b7a857cd68b571a7ed1d73d0225
+  languageName: node
+  linkType: hard
+
+"ember-test-selectors@npm:6.0.0":
+  version: 6.0.0
+  resolution: "ember-test-selectors@npm:6.0.0"
+  dependencies:
+    calculate-cache-key-for-tree: ^2.0.0
+    ember-cli-babel: ^7.26.4
+    ember-cli-version-checker: ^5.1.2
+  checksum: f03bd35caca4390613f68192b257b8edb836cec847ed966e75cd19ce58e5cf62c6a6107575feea0da9b6885cbf4141842b4de05a14edbf3e4164bd93d0c05601
+  languageName: node
+  linkType: hard
+
+"ember-tether@npm:^2.0.1":
+  version: 2.0.1
+  resolution: "ember-tether@npm:2.0.1"
+  dependencies:
+    ember-auto-import: ^1.2.19
+    ember-cli-babel: ^7.1.2
+    tether: ^1.4.0
+  checksum: bfe7d52129b67a6dda79e67cf82d49e3fe5039b9bb8694c1c8f1ba48a7993b2355c4b624d0d95a2497263b8c1ab37d75a1bf650b72e1336c663c43ede9ddf7b0
+  languageName: node
+  linkType: hard
+
+"ember-text-measurer@npm:^0.6.0":
+  version: 0.6.0
+  resolution: "ember-text-measurer@npm:0.6.0"
+  dependencies:
+    ember-cli-babel: ^7.19.0
+    ember-cli-htmlbars: ^4.3.1
+  checksum: 27991766045bba77515ecf6e9609f580ee38b2e53026206d18155cbeac87e57979e613a73ca2fae51ed79e00ab6bf71aff7ce07e1e7a15851e2f013ff8c06c97
+  languageName: node
+  linkType: hard
+
+"ember-tracked-storage-polyfill@npm:1.0.0, ember-tracked-storage-polyfill@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "ember-tracked-storage-polyfill@npm:1.0.0"
+  dependencies:
+    ember-cli-babel: ^7.26.3
+    ember-cli-htmlbars: ^5.7.1
+  checksum: f0e1df126b17cd58a78e81cf73e6a3fa8b7052e3e7058537cce9f658463b0e7f5c3fa1baebff85e19617f5eab1fa762a9dd1f17738b7baca50ef5481dc20d672
+  languageName: node
+  linkType: hard
+
+"ember-truth-helpers@npm:3.0.0, ember-truth-helpers@npm:^2.1.0 || ^3.0.0":
+  version: 3.0.0
+  resolution: "ember-truth-helpers@npm:3.0.0"
+  dependencies:
+    ember-cli-babel: ^7.22.1
+  checksum: 2848f30eb35046be4d5c4ae6ab36aa374d860ba37dbd6f529467182ead80166e2fc881f615f3fa0b25fd2ecf73e237c6f61e67bd182149776240d9ee3852a343
+  languageName: node
+  linkType: hard
+
+"ember-truth-helpers@npm:^3.0.0, ember-truth-helpers@npm:^3.1.1":
+  version: 3.1.1
+  resolution: "ember-truth-helpers@npm:3.1.1"
+  dependencies:
+    ember-cli-babel: ^7.22.1
+  checksum: 6f3a779ae714cec543b39ca93caa98121e65046e48929e1890aa24b2592c4e90a703148694bae9d7ca9bfc68d9ae1f7e00392f0f288158ee962aefbae1f3c0b0
+  languageName: node
+  linkType: hard
+
+"ember-wormhole@npm:^0.6.0":
+  version: 0.6.0
+  resolution: "ember-wormhole@npm:0.6.0"
+  dependencies:
+    ember-cli-babel: ^7.22.1
+    ember-cli-htmlbars: ^5.3.1
+  checksum: e49975babc0d9b79b18bca00916fe2bbb77253948e1074c291e0a2f22b97f049c68a6d5e4ddef703a69e7a390c56fa6e52c128848c75da7507af3f022debb3db
+  languageName: node
+  linkType: hard
+
+"emoji-regex@npm:^7.0.1":
+  version: 7.0.3
+  resolution: "emoji-regex@npm:7.0.3"
+  checksum: 9159b2228b1511f2870ac5920f394c7e041715429a68459ebe531601555f11ea782a8e1718f969df2711d38c66268174407cbca57ce36485544f695c2dfdc96e
+  languageName: node
+  linkType: hard
+
+"emoji-regex@npm:^8.0.0":
+  version: 8.0.0
+  resolution: "emoji-regex@npm:8.0.0"
+  checksum: d4c5c39d5a9868b5fa152f00cada8a936868fd3367f33f71be515ecee4c803132d11b31a6222b2571b1e5f7e13890156a94880345594d0ce7e3c9895f560f192
+  languageName: node
+  linkType: hard
+
+"emoji-regex@npm:~6.1.0":
+  version: 6.1.3
+  resolution: "emoji-regex@npm:6.1.3"
+  checksum: 348c4808cdc614e5522023c1f102eb06093ca24c693c7aa074fac93d3880c51948e9468bf91554d2e77ce47f0053411767aae21dd58fed12fdc54c2352a07976
+  languageName: node
+  linkType: hard
+
+"emojis-list@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "emojis-list@npm:3.0.0"
+  checksum: ddaaa02542e1e9436c03970eeed445f4ed29a5337dfba0fe0c38dfdd2af5da2429c2a0821304e8a8d1cadf27fdd5b22ff793571fa803ae16852a6975c65e8e70
+  languageName: node
+  linkType: hard
+
+"encodeurl@npm:~1.0.2":
+  version: 1.0.2
+  resolution: "encodeurl@npm:1.0.2"
+  checksum: e50e3d508cdd9c4565ba72d2012e65038e5d71bdc9198cb125beb6237b5b1ade6c0d343998da9e170fb2eae52c1bed37d4d6d98a46ea423a0cddbed5ac3f780c
+  languageName: node
+  linkType: hard
+
+"encoding@npm:^0.1.13":
+  version: 0.1.13
+  resolution: "encoding@npm:0.1.13"
+  dependencies:
+    iconv-lite: ^0.6.2
+  checksum: bb98632f8ffa823996e508ce6a58ffcf5856330fde839ae42c9e1f436cc3b5cc651d4aeae72222916545428e54fd0f6aa8862fd8d25bdbcc4589f1e3f3715e7f
+  languageName: node
+  linkType: hard
+
+"end-of-stream@npm:^1.0.0, end-of-stream@npm:^1.1.0":
+  version: 1.4.4
+  resolution: "end-of-stream@npm:1.4.4"
+  dependencies:
+    once: ^1.4.0
+  checksum: 530a5a5a1e517e962854a31693dbb5c0b2fc40b46dad2a56a2deec656ca040631124f4795823acc68238147805f8b021abbe221f4afed5ef3c8e8efc2024908b
+  languageName: node
+  linkType: hard
+
+"engine.io-parser@npm:~5.0.3":
+  version: 5.0.4
+  resolution: "engine.io-parser@npm:5.0.4"
+  checksum: d4ad0cef6ff63c350e35696da9bb3dbd180f67b56e93e90375010cc40393e6c0639b780d5680807e1d93a7e2e3d7b4a1c3b27cf75db28eb8cbf605bc1497da03
+  languageName: node
+  linkType: hard
+
+"engine.io@npm:~6.2.0":
+  version: 6.2.0
+  resolution: "engine.io@npm:6.2.0"
+  dependencies:
+    "@types/cookie": ^0.4.1
+    "@types/cors": ^2.8.12
+    "@types/node": ">=10.0.0"
+    accepts: ~1.3.4
+    base64id: 2.0.0
+    cookie: ~0.4.1
+    cors: ~2.8.5
+    debug: ~4.3.1
+    engine.io-parser: ~5.0.3
+    ws: ~8.2.3
+  checksum: cc485c5ba2e0c4f6ca02dcafd192b22f9dad89d01dc815005298780d3fb910db4cebab4696e8615290c473c2eeb259e8bee2a1fb7ab594d9c80f9f3485771911
+  languageName: node
+  linkType: hard
+
+"enhanced-resolve@npm:^4.0.0, enhanced-resolve@npm:^4.5.0":
+  version: 4.5.0
+  resolution: "enhanced-resolve@npm:4.5.0"
+  dependencies:
+    graceful-fs: ^4.1.2
+    memory-fs: ^0.5.0
+    tapable: ^1.0.0
+  checksum: 4d87488584c4d67d356ef4ba04978af4b2d4d18190cb859efac8e8475a34d5d6c069df33faa5a0a22920b0586dbf330f6a08d52bb15a8771a9ce4d70a2da74ba
+  languageName: node
+  linkType: hard
+
+"enhanced-resolve@npm:^5.10.0":
+  version: 5.14.0
+  resolution: "enhanced-resolve@npm:5.14.0"
+  dependencies:
+    graceful-fs: ^4.2.4
+    tapable: ^2.2.0
+  checksum: fff1aaebbf376371e5df4502e111967f6247c37611ad3550e4e7fca657f6dcb29ef7ffe88bf14e5010b78997f1ddd984a8db97af87ee0a5477771398fd326f5b
+  languageName: node
+  linkType: hard
+
+"enquirer@npm:^2.3.6":
+  version: 2.3.6
+  resolution: "enquirer@npm:2.3.6"
+  dependencies:
+    ansi-colors: ^4.1.1
+  checksum: 1c0911e14a6f8d26721c91e01db06092a5f7675159f0261d69c403396a385afd13dd76825e7678f66daffa930cfaa8d45f506fb35f818a2788463d022af1b884
+  languageName: node
+  linkType: hard
+
+"ensure-posix-path@npm:^1.0.0, ensure-posix-path@npm:^1.0.1, ensure-posix-path@npm:^1.0.2, ensure-posix-path@npm:^1.1.0, ensure-posix-path@npm:^1.1.1":
+  version: 1.1.1
+  resolution: "ensure-posix-path@npm:1.1.1"
+  checksum: 90ac69f48a08003abe6f194b75bad78c3320762bd193a063eb76cd8f696be6a34e1524f16435eeee09ccbe3a719a7fb76409dead3ccedd10e32d906ff050457b
+  languageName: node
+  linkType: hard
+
+"entities@npm:^2.0.0":
+  version: 2.2.0
+  resolution: "entities@npm:2.2.0"
+  checksum: 19010dacaf0912c895ea262b4f6128574f9ccf8d4b3b65c7e8334ad0079b3706376360e28d8843ff50a78aabcb8f08f0a32dbfacdc77e47ed77ca08b713669b3
+  languageName: node
+  linkType: hard
+
+"entities@npm:^3.0.1, entities@npm:~3.0.1":
+  version: 3.0.1
+  resolution: "entities@npm:3.0.1"
+  checksum: aaf7f12033f0939be91f5161593f853f2da55866db55ccbf72f45430b8977e2b79dbd58c53d0fdd2d00bd7d313b75b0968d09f038df88e308aa97e39f9456572
+  languageName: node
+  linkType: hard
+
+"entities@npm:^4.2.0, entities@npm:^4.3.0, entities@npm:^4.4.0":
+  version: 4.4.0
+  resolution: "entities@npm:4.4.0"
+  checksum: 84d250329f4b56b40fa93ed067b194db21e8815e4eb9b59f43a086f0ecd342814f6bc483de8a77da5d64e0f626033192b1b4f1792232a7ea6b970ebe0f3187c2
+  languageName: node
+  linkType: hard
+
+"env-paths@npm:^2.2.0":
+  version: 2.2.1
+  resolution: "env-paths@npm:2.2.1"
+  checksum: 65b5df55a8bab92229ab2b40dad3b387fad24613263d103a97f91c9fe43ceb21965cd3392b1ccb5d77088021e525c4e0481adb309625d0cb94ade1d1fb8dc17e
+  languageName: node
+  linkType: hard
+
+"err-code@npm:^2.0.2":
+  version: 2.0.3
+  resolution: "err-code@npm:2.0.3"
+  checksum: 8b7b1be20d2de12d2255c0bc2ca638b7af5171142693299416e6a9339bd7d88fc8d7707d913d78e0993176005405a236b066b45666b27b797252c771156ace54
+  languageName: node
+  linkType: hard
+
+"errlop@npm:^2.0.0":
+  version: 2.2.0
+  resolution: "errlop@npm:2.2.0"
+  checksum: 9bce5eba67866b168cfbc98de46df4d7ad7a8e75fb12a40ade886d801dbe4c9d5d640a0bb6a41552a47aeda00c26db97182732213d7d523439e10dc6a853bd7d
+  languageName: node
+  linkType: hard
+
+"errno@npm:^0.1.3, errno@npm:~0.1.7":
+  version: 0.1.8
+  resolution: "errno@npm:0.1.8"
+  dependencies:
+    prr: ~1.0.1
+  bin:
+    errno: cli.js
+  checksum: 1271f7b9fbb3bcbec76ffde932485d1e3561856d21d847ec613a9722ee924cdd4e523a62dc71a44174d91e898fe21fdc8d5b50823f4b5e0ce8c35c8271e6ef4a
+  languageName: node
+  linkType: hard
+
+"error-ex@npm:^1.3.1":
+  version: 1.3.2
+  resolution: "error-ex@npm:1.3.2"
+  dependencies:
+    is-arrayish: ^0.2.1
+  checksum: c1c2b8b65f9c91b0f9d75f0debaa7ec5b35c266c2cac5de412c1a6de86d4cbae04ae44e510378cb14d032d0645a36925d0186f8bb7367bcc629db256b743a001
+  languageName: node
+  linkType: hard
+
+"error@npm:^7.0.0":
+  version: 7.2.1
+  resolution: "error@npm:7.2.1"
+  dependencies:
+    string-template: ~0.2.1
+  checksum: 9c790d20a386947acfeabb0d1c39173efe8e5a38cb732b5f06c11a25c23ce8ac4dafbb7aa240565e034580a49aba0703e743d0274c6228500ddf947a1b998568
+  languageName: node
+  linkType: hard
+
+"es-abstract@npm:^1.17.2":
+  version: 1.18.0
+  resolution: "es-abstract@npm:1.18.0"
+  dependencies:
+    call-bind: ^1.0.2
+    es-to-primitive: ^1.2.1
+    function-bind: ^1.1.1
+    get-intrinsic: ^1.1.1
+    has: ^1.0.3
+    has-symbols: ^1.0.2
+    is-callable: ^1.2.3
+    is-negative-zero: ^2.0.1
+    is-regex: ^1.1.2
+    is-string: ^1.0.5
+    object-inspect: ^1.9.0
+    object-keys: ^1.1.1
+    object.assign: ^4.1.2
+    string.prototype.trimend: ^1.0.4
+    string.prototype.trimstart: ^1.0.4
+    unbox-primitive: ^1.0.0
+  checksum: 6783bea97f372fd4f1fc77e4e294d024b9f40559a83b40c46b69565511cf13d462a6189b822228c6bb818bd09d2f23b33500206d39bbdc69f7cc7ffebf6640a1
+  languageName: node
+  linkType: hard
+
+"es-abstract@npm:^1.18.0-next.2, es-abstract@npm:^1.19.1":
+  version: 1.19.1
+  resolution: "es-abstract@npm:1.19.1"
+  dependencies:
+    call-bind: ^1.0.2
+    es-to-primitive: ^1.2.1
+    function-bind: ^1.1.1
+    get-intrinsic: ^1.1.1
+    get-symbol-description: ^1.0.0
+    has: ^1.0.3
+    has-symbols: ^1.0.2
+    internal-slot: ^1.0.3
+    is-callable: ^1.2.4
+    is-negative-zero: ^2.0.1
+    is-regex: ^1.1.4
+    is-shared-array-buffer: ^1.0.1
+    is-string: ^1.0.7
+    is-weakref: ^1.0.1
+    object-inspect: ^1.11.0
+    object-keys: ^1.1.1
+    object.assign: ^4.1.2
+    string.prototype.trimend: ^1.0.4
+    string.prototype.trimstart: ^1.0.4
+    unbox-primitive: ^1.0.1
+  checksum: b6be8410672c5364db3fb01eb786e30c7b4bb32b4af63d381c08840f4382c4a168e7855cd338bf59d4f1a1a1138f4d748d1fd40ec65aaa071876f9e9fbfed949
+  languageName: node
+  linkType: hard
+
+"es-abstract@npm:^1.19.0, es-abstract@npm:^1.20.4":
+  version: 1.21.2
+  resolution: "es-abstract@npm:1.21.2"
+  dependencies:
+    array-buffer-byte-length: ^1.0.0
+    available-typed-arrays: ^1.0.5
+    call-bind: ^1.0.2
+    es-set-tostringtag: ^2.0.1
+    es-to-primitive: ^1.2.1
+    function.prototype.name: ^1.1.5
+    get-intrinsic: ^1.2.0
+    get-symbol-description: ^1.0.0
+    globalthis: ^1.0.3
+    gopd: ^1.0.1
+    has: ^1.0.3
+    has-property-descriptors: ^1.0.0
+    has-proto: ^1.0.1
+    has-symbols: ^1.0.3
+    internal-slot: ^1.0.5
+    is-array-buffer: ^3.0.2
+    is-callable: ^1.2.7
+    is-negative-zero: ^2.0.2
+    is-regex: ^1.1.4
+    is-shared-array-buffer: ^1.0.2
+    is-string: ^1.0.7
+    is-typed-array: ^1.1.10
+    is-weakref: ^1.0.2
+    object-inspect: ^1.12.3
+    object-keys: ^1.1.1
+    object.assign: ^4.1.4
+    regexp.prototype.flags: ^1.4.3
+    safe-regex-test: ^1.0.0
+    string.prototype.trim: ^1.2.7
+    string.prototype.trimend: ^1.0.6
+    string.prototype.trimstart: ^1.0.6
+    typed-array-length: ^1.0.4
+    unbox-primitive: ^1.0.2
+    which-typed-array: ^1.1.9
+  checksum: 037f55ee5e1cdf2e5edbab5524095a4f97144d95b94ea29e3611b77d852fd8c8a40e7ae7101fa6a759a9b9b1405f188c3c70928f2d3cd88d543a07fc0d5ad41a
+  languageName: node
+  linkType: hard
+
+"es-get-iterator@npm:^1.1.3":
+  version: 1.1.3
+  resolution: "es-get-iterator@npm:1.1.3"
+  dependencies:
+    call-bind: ^1.0.2
+    get-intrinsic: ^1.1.3
+    has-symbols: ^1.0.3
+    is-arguments: ^1.1.1
+    is-map: ^2.0.2
+    is-set: ^2.0.2
+    is-string: ^1.0.7
+    isarray: ^2.0.5
+    stop-iteration-iterator: ^1.0.0
+  checksum: 8fa118da42667a01a7c7529f8a8cca514feeff243feec1ce0bb73baaa3514560bd09d2b3438873cf8a5aaec5d52da248131de153b28e2638a061b6e4df13267d
+  languageName: node
+  linkType: hard
+
+"es-module-lexer@npm:^0.9.0":
+  version: 0.9.3
+  resolution: "es-module-lexer@npm:0.9.3"
+  checksum: 84bbab23c396281db2c906c766af58b1ae2a1a2599844a504df10b9e8dc77ec800b3211fdaa133ff700f5703d791198807bba25d9667392d27a5e9feda344da8
+  languageName: node
+  linkType: hard
+
+"es-set-tostringtag@npm:^2.0.1":
+  version: 2.0.1
+  resolution: "es-set-tostringtag@npm:2.0.1"
+  dependencies:
+    get-intrinsic: ^1.1.3
+    has: ^1.0.3
+    has-tostringtag: ^1.0.0
+  checksum: ec416a12948cefb4b2a5932e62093a7cf36ddc3efd58d6c58ca7ae7064475ace556434b869b0bbeb0c365f1032a8ccd577211101234b69837ad83ad204fff884
+  languageName: node
+  linkType: hard
+
+"es-to-primitive@npm:^1.2.1":
+  version: 1.2.1
+  resolution: "es-to-primitive@npm:1.2.1"
+  dependencies:
+    is-callable: ^1.1.4
+    is-date-object: ^1.0.1
+    is-symbol: ^1.0.2
+  checksum: 4ead6671a2c1402619bdd77f3503991232ca15e17e46222b0a41a5d81aebc8740a77822f5b3c965008e631153e9ef0580540007744521e72de8e33599fca2eed
+  languageName: node
+  linkType: hard
+
+"es6-promise@npm:^4.0.3":
+  version: 4.2.8
+  resolution: "es6-promise@npm:4.2.8"
+  checksum: 95614a88873611cb9165a85d36afa7268af5c03a378b35ca7bda9508e1d4f1f6f19a788d4bc755b3fd37c8ebba40782018e02034564ff24c9d6fa37e959ad57d
+  languageName: node
+  linkType: hard
+
+"es6-promisify@npm:^5.0.0":
+  version: 5.0.0
+  resolution: "es6-promisify@npm:5.0.0"
+  dependencies:
+    es6-promise: ^4.0.3
+  checksum: fbed9d791598831413be84a5374eca8c24800ec71a16c1c528c43a98e2dadfb99331483d83ae6094ddb9b87e6f799a15d1553cebf756047e0865c753bc346b92
+  languageName: node
+  linkType: hard
+
+"escalade@npm:^3.1.1":
+  version: 3.1.1
+  resolution: "escalade@npm:3.1.1"
+  checksum: a3e2a99f07acb74b3ad4989c48ca0c3140f69f923e56d0cba0526240ee470b91010f9d39001f2a4a313841d237ede70a729e92125191ba5d21e74b106800b133
+  languageName: node
+  linkType: hard
+
+"escape-html@npm:~1.0.3":
+  version: 1.0.3
+  resolution: "escape-html@npm:1.0.3"
+  checksum: 6213ca9ae00d0ab8bccb6d8d4e0a98e76237b2410302cf7df70aaa6591d509a2a37ce8998008cbecae8fc8ffaadf3fb0229535e6a145f3ce0b211d060decbb24
+  languageName: node
+  linkType: hard
+
+"escape-string-regexp@npm:^1.0.2, escape-string-regexp@npm:^1.0.5":
+  version: 1.0.5
+  resolution: "escape-string-regexp@npm:1.0.5"
+  checksum: 6092fda75c63b110c706b6a9bfde8a612ad595b628f0bd2147eea1d3406723020810e591effc7db1da91d80a71a737a313567c5abb3813e8d9c71f4aa595b410
+  languageName: node
+  linkType: hard
+
+"escape-string-regexp@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "escape-string-regexp@npm:2.0.0"
+  checksum: 9f8a2d5743677c16e85c810e3024d54f0c8dea6424fad3c79ef6666e81dd0846f7437f5e729dfcdac8981bc9e5294c39b4580814d114076b8d36318f46ae4395
+  languageName: node
+  linkType: hard
+
+"escape-string-regexp@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "escape-string-regexp@npm:4.0.0"
+  checksum: 98b48897d93060f2322108bf29db0feba7dd774be96cd069458d1453347b25ce8682ecc39859d4bca2203cc0ab19c237bcc71755eff49a0f8d90beadeeba5cc5
+  languageName: node
+  linkType: hard
+
+"escodegen@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "escodegen@npm:2.0.0"
+  dependencies:
+    esprima: ^4.0.1
+    estraverse: ^5.2.0
+    esutils: ^2.0.2
+    optionator: ^0.8.1
+    source-map: ~0.6.1
+  dependenciesMeta:
+    source-map:
+      optional: true
+  bin:
+    escodegen: bin/escodegen.js
+    esgenerate: bin/esgenerate.js
+  checksum: 5aa6b2966fafe0545e4e77936300cc94ad57cfe4dc4ebff9950492eaba83eef634503f12d7e3cbd644ecc1bab388ad0e92b06fd32222c9281a75d1cf02ec6cef
+  languageName: node
+  linkType: hard
+
+"eslint-config-prettier@npm:^8.8.0":
+  version: 8.8.0
+  resolution: "eslint-config-prettier@npm:8.8.0"
+  peerDependencies:
+    eslint: ">=7.0.0"
+  bin:
+    eslint-config-prettier: bin/cli.js
+  checksum: 1e94c3882c4d5e41e1dcfa2c368dbccbfe3134f6ac7d40101644d3bfbe3eb2f2ffac757f3145910b5eacf20c0e85e02b91293d3126d770cbf3dc390b3564681c
+  languageName: node
+  linkType: hard
+
+"eslint-formatter-kakoune@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "eslint-formatter-kakoune@npm:1.0.0"
+  checksum: 6e83dbd4774f7b7f5d6c6f304d705f9e5d7082b5151d2bb2fb92a8cd3bc1ead0d64f8d05190d08a7442d86e1fe5eca15515f324857f612e4b34994fa5cae0512
+  languageName: node
+  linkType: hard
+
+"eslint-plugin-compat@npm:4.0.2":
+  version: 4.0.2
+  resolution: "eslint-plugin-compat@npm:4.0.2"
+  dependencies:
+    "@mdn/browser-compat-data": ^4.1.5
+    ast-metadata-inferer: ^0.7.0
+    browserslist: ^4.16.8
+    caniuse-lite: ^1.0.30001304
+    core-js: ^3.16.2
+    find-up: ^5.0.0
+    lodash.memoize: 4.1.2
+    semver: 7.3.5
+  peerDependencies:
+    eslint: ^4.0.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0
+  checksum: 2a1c1ebfd2d9a0e94064417f0f582b183d95bad08014e1f39dd1b4b599c1e909872ea344e016ec8fb297fcf8ab5d0c0b10032f1c2d6d4f9fb57a8a9fad67130e
+  languageName: node
+  linkType: hard
+
+"eslint-plugin-ember@npm:^11.5.0":
+  version: 11.10.0
+  resolution: "eslint-plugin-ember@npm:11.10.0"
+  dependencies:
+    "@ember-data/rfc395-data": ^0.0.4
+    "@glimmer/syntax": ^0.84.2
+    css-tree: ^2.0.4
+    ember-rfc176-data: ^0.3.15
+    ember-template-imports: ^3.4.2
+    ember-template-recast: ^6.1.4
+    eslint-utils: ^3.0.0
+    estraverse: ^5.2.0
+    lodash.camelcase: ^4.1.1
+    lodash.kebabcase: ^4.1.1
+    magic-string: ^0.30.0
+    requireindex: ^1.2.0
+    snake-case: ^3.0.3
+  peerDependencies:
+    eslint: ">= 7"
+  checksum: d547ae89d05376d0a852861668fb9c2e119ea892c6b7631a833045146a4ee9f7beb3fe0da03e0edfee4061f90ea7479e7de85a1b29c6e27e958c965280f52807
+  languageName: node
+  linkType: hard
+
+"eslint-plugin-es@npm:^4.1.0":
+  version: 4.1.0
+  resolution: "eslint-plugin-es@npm:4.1.0"
+  dependencies:
+    eslint-utils: ^2.0.0
+    regexpp: ^3.0.0
+  peerDependencies:
+    eslint: ">=4.19.1"
+  checksum: 26b87a216d3625612b1d3ca8653ac8a1d261046d2a973bb0eb2759070267d2bfb0509051facdeb5ae03dc8dfb51a434be23aff7309a752ca901d637da535677f
+  languageName: node
+  linkType: hard
+
+"eslint-plugin-n@npm:^15.7.0":
+  version: 15.7.0
+  resolution: "eslint-plugin-n@npm:15.7.0"
+  dependencies:
+    builtins: ^5.0.1
+    eslint-plugin-es: ^4.1.0
+    eslint-utils: ^3.0.0
+    ignore: ^5.1.1
+    is-core-module: ^2.11.0
+    minimatch: ^3.1.2
+    resolve: ^1.22.1
+    semver: ^7.3.8
+  peerDependencies:
+    eslint: ">=7.0.0"
+  checksum: cfbcc67e62adf27712afdeadf13223cb9717f95d4af8442056d9d4c97a8b88af76b7969f75deaac26fa98481023d6b7c9e43a28909e7f0468f40b3024b7bcfae
+  languageName: node
+  linkType: hard
+
+"eslint-plugin-prettier@npm:^4.2.1":
+  version: 4.2.1
+  resolution: "eslint-plugin-prettier@npm:4.2.1"
+  dependencies:
+    prettier-linter-helpers: ^1.0.0
+  peerDependencies:
+    eslint: ">=7.28.0"
+    prettier: ">=2.0.0"
+  peerDependenciesMeta:
+    eslint-config-prettier:
+      optional: true
+  checksum: b9e839d2334ad8ec7a5589c5cb0f219bded260839a857d7a486997f9870e95106aa59b8756ff3f37202085ebab658de382b0267cae44c3a7f0eb0bcc03a4f6d6
+  languageName: node
+  linkType: hard
+
+"eslint-plugin-qunit@npm:^7.3.4":
+  version: 7.3.4
+  resolution: "eslint-plugin-qunit@npm:7.3.4"
+  dependencies:
+    eslint-utils: ^3.0.0
+    requireindex: ^1.2.0
+  checksum: 078dae3d93b7e395c3409cf5855281cca994cbeaacd3e956697cf0ca14c4b45275e20d846173fe76d77655e5e7382b2287a5a324c190a425e4631b745312d5b7
+  languageName: node
+  linkType: hard
+
+"eslint-scope@npm:5.1.1, eslint-scope@npm:^5.1.1":
+  version: 5.1.1
+  resolution: "eslint-scope@npm:5.1.1"
+  dependencies:
+    esrecurse: ^4.3.0
+    estraverse: ^4.1.1
+  checksum: 47e4b6a3f0cc29c7feedee6c67b225a2da7e155802c6ea13bbef4ac6b9e10c66cd2dcb987867ef176292bf4e64eccc680a49e35e9e9c669f4a02bac17e86abdb
+  languageName: node
+  linkType: hard
+
+"eslint-scope@npm:^4.0.3":
+  version: 4.0.3
+  resolution: "eslint-scope@npm:4.0.3"
+  dependencies:
+    esrecurse: ^4.1.0
+    estraverse: ^4.1.1
+  checksum: c5f835f681884469991fe58d76a554688d9c9e50811299ccd4a8f79993a039f5bcb0ee6e8de2b0017d97c794b5832ef3b21c9aac66228e3aa0f7a0485bcfb65b
+  languageName: node
+  linkType: hard
+
+"eslint-scope@npm:^7.0.0, eslint-scope@npm:^7.1.1":
+  version: 7.1.1
+  resolution: "eslint-scope@npm:7.1.1"
+  dependencies:
+    esrecurse: ^4.3.0
+    estraverse: ^5.2.0
+  checksum: 9f6e974ab2db641ca8ab13508c405b7b859e72afe9f254e8131ff154d2f40c99ad4545ce326fd9fde3212ff29707102562a4834f1c48617b35d98c71a97fbf3e
+  languageName: node
+  linkType: hard
+
+"eslint-scope@npm:^7.2.0":
+  version: 7.2.1
+  resolution: "eslint-scope@npm:7.2.1"
+  dependencies:
+    esrecurse: ^4.3.0
+    estraverse: ^5.2.0
+  checksum: dccda5c8909216f6261969b72c77b95e385f9086bed4bc09d8a6276df8439d8f986810fd9ac3bd02c94c0572cefc7fdbeae392c69df2e60712ab8263986522c5
+  languageName: node
+  linkType: hard
+
+"eslint-utils@npm:^1.4.1":
+  version: 1.4.3
+  resolution: "eslint-utils@npm:1.4.3"
+  dependencies:
+    eslint-visitor-keys: ^1.1.0
+  checksum: a20630e686034107138272f245c460f6d77705d1f4bb0628c1a1faf59fc800f441188916b3ec3b957394dc405aa200a3017dfa2b0fff0976e307a4e645a18d1e
+  languageName: node
+  linkType: hard
+
+"eslint-visitor-keys@npm:^1.1.0":
+  version: 1.3.0
+  resolution: "eslint-visitor-keys@npm:1.3.0"
+  checksum: 37a19b712f42f4c9027e8ba98c2b06031c17e0c0a4c696cd429bd9ee04eb43889c446f2cd545e1ff51bef9593fcec94ecd2c2ef89129fcbbf3adadbef520376a
+  languageName: node
+  linkType: hard
+
+"eslint-visitor-keys@npm:^2.1.0":
+  version: 2.1.0
+  resolution: "eslint-visitor-keys@npm:2.1.0"
+  checksum: e3081d7dd2611a35f0388bbdc2f5da60b3a3c5b8b6e928daffff7391146b434d691577aa95064c8b7faad0b8a680266bcda0a42439c18c717b80e6718d7e267d
+  languageName: node
+  linkType: hard
+
+"eslint-visitor-keys@npm:^3.1.0, eslint-visitor-keys@npm:^3.3.0":
+  version: 3.3.0
+  resolution: "eslint-visitor-keys@npm:3.3.0"
+  checksum: d59e68a7c5a6d0146526b0eec16ce87fbf97fe46b8281e0d41384224375c4e52f5ffb9e16d48f4ea50785cde93f766b0c898e31ab89978d88b0e1720fbfb7808
+  languageName: node
+  linkType: hard
+
+"eslint-visitor-keys@npm:^3.4.1":
+  version: 3.4.1
+  resolution: "eslint-visitor-keys@npm:3.4.1"
+  checksum: f05121d868202736b97de7d750847a328fcfa8593b031c95ea89425333db59676ac087fa905eba438d0a3c5769632f828187e0c1a0d271832a2153c1d3661c2c
+  languageName: node
+  linkType: hard
+
+"eslint@npm:^8.21.0, eslint@npm:^8.7.0":
+  version: 8.27.0
+  resolution: "eslint@npm:8.27.0"
+  dependencies:
+    "@eslint/eslintrc": ^1.3.3
+    "@humanwhocodes/config-array": ^0.11.6
+    "@humanwhocodes/module-importer": ^1.0.1
+    "@nodelib/fs.walk": ^1.2.8
+    ajv: ^6.10.0
+    chalk: ^4.0.0
+    cross-spawn: ^7.0.2
+    debug: ^4.3.2
+    doctrine: ^3.0.0
+    escape-string-regexp: ^4.0.0
+    eslint-scope: ^7.1.1
+    eslint-utils: ^3.0.0
+    eslint-visitor-keys: ^3.3.0
+    espree: ^9.4.0
+    esquery: ^1.4.0
+    esutils: ^2.0.2
+    fast-deep-equal: ^3.1.3
+    file-entry-cache: ^6.0.1
+    find-up: ^5.0.0
+    glob-parent: ^6.0.2
+    globals: ^13.15.0
+    grapheme-splitter: ^1.0.4
+    ignore: ^5.2.0
+    import-fresh: ^3.0.0
+    imurmurhash: ^0.1.4
+    is-glob: ^4.0.0
+    is-path-inside: ^3.0.3
+    js-sdsl: ^4.1.4
+    js-yaml: ^4.1.0
+    json-stable-stringify-without-jsonify: ^1.0.1
+    levn: ^0.4.1
+    lodash.merge: ^4.6.2
+    minimatch: ^3.1.2
+    natural-compare: ^1.4.0
+    optionator: ^0.9.1
+    regexpp: ^3.2.0
+    strip-ansi: ^6.0.1
+    strip-json-comments: ^3.1.0
+    text-table: ^0.2.0
+  bin:
+    eslint: bin/eslint.js
+  checksum: 153b022d309e1b647a73b1bb0fa98912add699b06e279084155f23c6f2b5fc5abd05411fc1ba81608a24bbfaf044ca079544c16fffa6fc987b8f676c9960a2c4
+  languageName: node
+  linkType: hard
+
+"eslint@npm:^8.37.0":
+  version: 8.45.0
+  resolution: "eslint@npm:8.45.0"
+  dependencies:
+    "@eslint-community/eslint-utils": ^4.2.0
+    "@eslint-community/regexpp": ^4.4.0
+    "@eslint/eslintrc": ^2.1.0
+    "@eslint/js": 8.44.0
+    "@humanwhocodes/config-array": ^0.11.10
+    "@humanwhocodes/module-importer": ^1.0.1
+    "@nodelib/fs.walk": ^1.2.8
+    ajv: ^6.10.0
+    chalk: ^4.0.0
+    cross-spawn: ^7.0.2
+    debug: ^4.3.2
+    doctrine: ^3.0.0
+    escape-string-regexp: ^4.0.0
+    eslint-scope: ^7.2.0
+    eslint-visitor-keys: ^3.4.1
+    espree: ^9.6.0
+    esquery: ^1.4.2
+    esutils: ^2.0.2
+    fast-deep-equal: ^3.1.3
+    file-entry-cache: ^6.0.1
+    find-up: ^5.0.0
+    glob-parent: ^6.0.2
+    globals: ^13.19.0
+    graphemer: ^1.4.0
+    ignore: ^5.2.0
+    imurmurhash: ^0.1.4
+    is-glob: ^4.0.0
+    is-path-inside: ^3.0.3
+    js-yaml: ^4.1.0
+    json-stable-stringify-without-jsonify: ^1.0.1
+    levn: ^0.4.1
+    lodash.merge: ^4.6.2
+    minimatch: ^3.1.2
+    natural-compare: ^1.4.0
+    optionator: ^0.9.3
+    strip-ansi: ^6.0.1
+    text-table: ^0.2.0
+  bin:
+    eslint: bin/eslint.js
+  checksum: 3e6dcce5cc43c5e301662db88ee26d1d188b22c177b9f104d7eefd1191236980bd953b3670fe2fac287114b26d7c5420ab48407d7ea1c3a446d6313c000009da
+  languageName: node
+  linkType: hard
+
+"esm@npm:^3.2.4":
+  version: 3.2.25
+  resolution: "esm@npm:3.2.25"
+  checksum: 978aabe2de83541c105605a6d60a26ed8e627ef6bb0a7605fe15a95bbdea6b8348bd045255cb22219c054dd09a81a94823df00843d9e97f42419c92015ce3a64
+  languageName: node
+  linkType: hard
+
+"espree@npm:^9.0.0, espree@npm:^9.4.0":
+  version: 9.4.1
+  resolution: "espree@npm:9.4.1"
+  dependencies:
+    acorn: ^8.8.0
+    acorn-jsx: ^5.3.2
+    eslint-visitor-keys: ^3.3.0
+  checksum: 4d266b0cf81c7dfe69e542c7df0f246e78d29f5b04dda36e514eb4c7af117ee6cfbd3280e560571ed82ff6c9c3f0003c05b82583fc7a94006db7497c4fe4270e
+  languageName: node
+  linkType: hard
+
+"espree@npm:^9.6.0":
+  version: 9.6.1
+  resolution: "espree@npm:9.6.1"
+  dependencies:
+    acorn: ^8.9.0
+    acorn-jsx: ^5.3.2
+    eslint-visitor-keys: ^3.4.1
+  checksum: eb8c149c7a2a77b3f33a5af80c10875c3abd65450f60b8af6db1bfcfa8f101e21c1e56a561c6dc13b848e18148d43469e7cd208506238554fb5395a9ea5a1ab9
+  languageName: node
+  linkType: hard
+
+"esprima@npm:^4.0.0, esprima@npm:^4.0.1, esprima@npm:~4.0.0":
+  version: 4.0.1
+  resolution: "esprima@npm:4.0.1"
+  bin:
+    esparse: ./bin/esparse.js
+    esvalidate: ./bin/esvalidate.js
+  checksum: b45bc805a613dbea2835278c306b91aff6173c8d034223fa81498c77dcbce3b2931bf6006db816f62eacd9fd4ea975dfd85a5b7f3c6402cfd050d4ca3c13a628
+  languageName: node
+  linkType: hard
+
+"esprima@npm:~3.0.0":
+  version: 3.0.0
+  resolution: "esprima@npm:3.0.0"
+  bin:
+    esparse: ./bin/esparse.js
+    esvalidate: ./bin/esvalidate.js
+  checksum: d6d65bc4ec29f1278357013117f944742e06905989d4fd023c4378d11e631c1a990ecea9c3dc394091ab183d8f23b5e9b3ab7f7816643d8dffb35b1bcef9d334
+  languageName: node
+  linkType: hard
+
+"esquery@npm:^1.4.0":
+  version: 1.4.0
+  resolution: "esquery@npm:1.4.0"
+  dependencies:
+    estraverse: ^5.1.0
+  checksum: a0807e17abd7fbe5fbd4fab673038d6d8a50675cdae6b04fbaa520c34581be0c5fa24582990e8acd8854f671dd291c78bb2efb9e0ed5b62f33bac4f9cf820210
+  languageName: node
+  linkType: hard
+
+"esquery@npm:^1.4.2":
+  version: 1.5.0
+  resolution: "esquery@npm:1.5.0"
+  dependencies:
+    estraverse: ^5.1.0
+  checksum: aefb0d2596c230118656cd4ec7532d447333a410a48834d80ea648b1e7b5c9bc9ed8b5e33a89cb04e487b60d622f44cf5713bf4abed7c97343edefdc84a35900
+  languageName: node
+  linkType: hard
+
+"esrecurse@npm:^4.1.0, esrecurse@npm:^4.3.0":
+  version: 4.3.0
+  resolution: "esrecurse@npm:4.3.0"
+  dependencies:
+    estraverse: ^5.2.0
+  checksum: ebc17b1a33c51cef46fdc28b958994b1dc43cd2e86237515cbc3b4e5d2be6a811b2315d0a1a4d9d340b6d2308b15322f5c8291059521cc5f4802f65e7ec32837
+  languageName: node
+  linkType: hard
+
+"estraverse@npm:^4.1.1":
+  version: 4.3.0
+  resolution: "estraverse@npm:4.3.0"
+  checksum: a6299491f9940bb246124a8d44b7b7a413a8336f5436f9837aaa9330209bd9ee8af7e91a654a3545aee9c54b3308e78ee360cef1d777d37cfef77d2fa33b5827
+  languageName: node
+  linkType: hard
+
+"estraverse@npm:^5.1.0, estraverse@npm:^5.2.0":
+  version: 5.2.0
+  resolution: "estraverse@npm:5.2.0"
+  checksum: ec11b70d946bf5d7f76f91db38ef6f08109ac1b36cda293a26e678e58df4719f57f67b9ec87042afdd1f0267cee91865be3aa48d2161765a93defab5431be7b8
+  languageName: node
+  linkType: hard
+
+"estree-walker@npm:^0.6.1":
+  version: 0.6.1
+  resolution: "estree-walker@npm:0.6.1"
+  checksum: 9d6f82a4921f11eec18f8089fb3cce6e53bcf45a8e545c42a2674d02d055fb30f25f90495f8be60803df6c39680c80dcee7f944526867eb7aa1fc9254883b23d
+  languageName: node
+  linkType: hard
+
+"esutils@npm:^2.0.2":
+  version: 2.0.3
+  resolution: "esutils@npm:2.0.3"
+  checksum: 22b5b08f74737379a840b8ed2036a5fb35826c709ab000683b092d9054e5c2a82c27818f12604bfc2a9a76b90b6834ef081edbc1c7ae30d1627012e067c6ec87
+  languageName: node
+  linkType: hard
+
+"etag@npm:~1.8.1":
+  version: 1.8.1
+  resolution: "etag@npm:1.8.1"
+  checksum: 571aeb3dbe0f2bbd4e4fadbdb44f325fc75335cd5f6f6b6a091e6a06a9f25ed5392f0863c5442acb0646787446e816f13cbfc6edce5b07658541dff573cab1ff
+  languageName: node
+  linkType: hard
+
+"eventemitter3@npm:^4.0.0":
+  version: 4.0.7
+  resolution: "eventemitter3@npm:4.0.7"
+  checksum: 1875311c42fcfe9c707b2712c32664a245629b42bb0a5a84439762dd0fd637fc54d078155ea83c2af9e0323c9ac13687e03cfba79b03af9f40c89b4960099374
+  languageName: node
+  linkType: hard
+
+"events-to-array@npm:^1.0.1":
+  version: 1.1.2
+  resolution: "events-to-array@npm:1.1.2"
+  checksum: c4f5f0f6d0c8658b96f940f703ac9c8c99effca1dd7b1f8eb030be7a940725b42a72fa5eb405961c171c2e9e1d5b7efa9a75be5cdaba88f3fc0fcce59d0e6a0f
+  languageName: node
+  linkType: hard
+
+"events@npm:^3.0.0, events@npm:^3.2.0":
+  version: 3.3.0
+  resolution: "events@npm:3.3.0"
+  checksum: f6f487ad2198aa41d878fa31452f1a3c00958f46e9019286ff4787c84aac329332ab45c9cdc8c445928fc6d7ded294b9e005a7fce9426488518017831b272780
+  languageName: node
+  linkType: hard
+
+"evp_bytestokey@npm:^1.0.0, evp_bytestokey@npm:^1.0.3":
+  version: 1.0.3
+  resolution: "evp_bytestokey@npm:1.0.3"
+  dependencies:
+    md5.js: ^1.3.4
+    node-gyp: latest
+    safe-buffer: ^5.1.1
+  checksum: ad4e1577f1a6b721c7800dcc7c733fe01f6c310732bb5bf2240245c2a5b45a38518b91d8be2c610611623160b9d1c0e91f1ce96d639f8b53e8894625cf20fa45
+  languageName: node
+  linkType: hard
+
+"exec-sh@npm:^0.3.2, exec-sh@npm:^0.3.4":
+  version: 0.3.6
+  resolution: "exec-sh@npm:0.3.6"
+  checksum: 0be4f06929c8e4834ea4812f29fe59e2dfcc1bc3fc4b4bb71acb38a500c3b394628a05ef7ba432520bc6c5ec4fadab00cc9c513c4ff6a32104965af302e998e0
+  languageName: node
+  linkType: hard
+
+"execa@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "execa@npm:1.0.0"
+  dependencies:
+    cross-spawn: ^6.0.0
+    get-stream: ^4.0.0
+    is-stream: ^1.1.0
+    npm-run-path: ^2.0.0
+    p-finally: ^1.0.0
+    signal-exit: ^3.0.0
+    strip-eof: ^1.0.0
+  checksum: ddf1342c1c7d02dd93b41364cd847640f6163350d9439071abf70bf4ceb1b9b2b2e37f54babb1d8dc1df8e0d8def32d0e81e74a2e62c3e1d70c303eb4c306bc4
+  languageName: node
+  linkType: hard
+
+"execa@npm:^2.0.0":
+  version: 2.1.0
+  resolution: "execa@npm:2.1.0"
+  dependencies:
+    cross-spawn: ^7.0.0
+    get-stream: ^5.0.0
+    is-stream: ^2.0.0
+    merge-stream: ^2.0.0
+    npm-run-path: ^3.0.0
+    onetime: ^5.1.0
+    p-finally: ^2.0.0
+    signal-exit: ^3.0.2
+    strip-final-newline: ^2.0.0
+  checksum: 93af9b816a555d0944e0876f4ccd97e0f4593d2049e713518fd5458a7699836449c516c6bb7e6357e11431ec40cce3150625b86d1b1254180faaa0d744265eca
+  languageName: node
+  linkType: hard
+
+"execa@npm:^3.0.0":
+  version: 3.4.0
+  resolution: "execa@npm:3.4.0"
+  dependencies:
+    cross-spawn: ^7.0.0
+    get-stream: ^5.0.0
+    human-signals: ^1.1.1
+    is-stream: ^2.0.0
+    merge-stream: ^2.0.0
+    npm-run-path: ^4.0.0
+    onetime: ^5.1.0
+    p-finally: ^2.0.0
+    signal-exit: ^3.0.2
+    strip-final-newline: ^2.0.0
+  checksum: 72832ff72f79f9082dc3567775cbb52f4682452f7d8015714d924e476a37c36a98183fd669317327ed2e7800ffe7ec2a7be4bfe704a2173ef22ae00109fe9123
+  languageName: node
+  linkType: hard
+
+"execa@npm:^4.0.0, execa@npm:^4.1.0":
+  version: 4.1.0
+  resolution: "execa@npm:4.1.0"
+  dependencies:
+    cross-spawn: ^7.0.0
+    get-stream: ^5.0.0
+    human-signals: ^1.1.1
+    is-stream: ^2.0.0
+    merge-stream: ^2.0.0
+    npm-run-path: ^4.0.0
+    onetime: ^5.1.0
+    signal-exit: ^3.0.2
+    strip-final-newline: ^2.0.0
+  checksum: e30d298934d9c52f90f3847704fd8224e849a081ab2b517bbc02f5f7732c24e56a21f14cb96a08256deffeb2d12b2b7cb7e2b014a12fb36f8d3357e06417ed55
+  languageName: node
+  linkType: hard
+
+"execa@npm:^5.1.1":
+  version: 5.1.1
+  resolution: "execa@npm:5.1.1"
+  dependencies:
+    cross-spawn: ^7.0.3
+    get-stream: ^6.0.0
+    human-signals: ^2.1.0
+    is-stream: ^2.0.0
+    merge-stream: ^2.0.0
+    npm-run-path: ^4.0.1
+    onetime: ^5.1.2
+    signal-exit: ^3.0.3
+    strip-final-newline: ^2.0.0
+  checksum: fba9022c8c8c15ed862847e94c252b3d946036d7547af310e344a527e59021fd8b6bb0723883ea87044dc4f0201f949046993124a42ccb0855cae5bf8c786343
+  languageName: node
+  linkType: hard
+
+"exists-sync@npm:0.0.4":
+  version: 0.0.4
+  resolution: "exists-sync@npm:0.0.4"
+  checksum: bb80d4570253bd1f932f3d62adada3acd7df9dddeba1c19181ed2f77111cad48e02913c341cac5079ad97e03b718f92a69b8e427946d7939c9487299a62035b4
+  languageName: node
+  linkType: hard
+
+"exit@npm:^0.1.2":
+  version: 0.1.2
+  resolution: "exit@npm:0.1.2"
+  checksum: abc407f07a875c3961e4781dfcb743b58d6c93de9ab263f4f8c9d23bb6da5f9b7764fc773f86b43dd88030444d5ab8abcb611cb680fba8ca075362b77114bba3
+  languageName: node
+  linkType: hard
+
+"expand-brackets@npm:^2.1.4":
+  version: 2.1.4
+  resolution: "expand-brackets@npm:2.1.4"
+  dependencies:
+    debug: ^2.3.3
+    define-property: ^0.2.5
+    extend-shallow: ^2.0.1
+    posix-character-classes: ^0.1.0
+    regex-not: ^1.0.0
+    snapdragon: ^0.8.1
+    to-regex: ^3.0.1
+  checksum: 1781d422e7edfa20009e2abda673cadb040a6037f0bd30fcd7357304f4f0c284afd420d7622722ca4a016f39b6d091841ab57b401c1f7e2e5131ac65b9f14fa1
+  languageName: node
+  linkType: hard
+
+"expand-tilde@npm:^2.0.0, expand-tilde@npm:^2.0.2":
+  version: 2.0.2
+  resolution: "expand-tilde@npm:2.0.2"
+  dependencies:
+    homedir-polyfill: ^1.0.1
+  checksum: 2efe6ed407d229981b1b6ceb552438fbc9e5c7d6a6751ad6ced3e0aa5cf12f0b299da695e90d6c2ac79191b5c53c613e508f7149e4573abfbb540698ddb7301a
+  languageName: node
+  linkType: hard
+
+"express@npm:^4.10.7":
+  version: 4.17.1
+  resolution: "express@npm:4.17.1"
+  dependencies:
+    accepts: ~1.3.7
+    array-flatten: 1.1.1
+    body-parser: 1.19.0
+    content-disposition: 0.5.3
+    content-type: ~1.0.4
+    cookie: 0.4.0
+    cookie-signature: 1.0.6
+    debug: 2.6.9
+    depd: ~1.1.2
+    encodeurl: ~1.0.2
+    escape-html: ~1.0.3
+    etag: ~1.8.1
+    finalhandler: ~1.1.2
+    fresh: 0.5.2
+    merge-descriptors: 1.0.1
+    methods: ~1.1.2
+    on-finished: ~2.3.0
+    parseurl: ~1.3.3
+    path-to-regexp: 0.1.7
+    proxy-addr: ~2.0.5
+    qs: 6.7.0
+    range-parser: ~1.2.1
+    safe-buffer: 5.1.2
+    send: 0.17.1
+    serve-static: 1.14.1
+    setprototypeof: 1.1.1
+    statuses: ~1.5.0
+    type-is: ~1.6.18
+    utils-merge: 1.0.1
+    vary: ~1.1.2
+  checksum: d964e9e17af331ea6fa2f84999b063bc47189dd71b4a735df83f9126d3bb2b92e830f1cb1d7c2742530eb625e2689d7a9a9c71f0c3cc4dd6015c3cd32a01abd5
+  languageName: node
+  linkType: hard
+
+"express@npm:^4.18.1":
+  version: 4.18.2
+  resolution: "express@npm:4.18.2"
+  dependencies:
+    accepts: ~1.3.8
+    array-flatten: 1.1.1
+    body-parser: 1.20.1
+    content-disposition: 0.5.4
+    content-type: ~1.0.4
+    cookie: 0.5.0
+    cookie-signature: 1.0.6
+    debug: 2.6.9
+    depd: 2.0.0
+    encodeurl: ~1.0.2
+    escape-html: ~1.0.3
+    etag: ~1.8.1
+    finalhandler: 1.2.0
+    fresh: 0.5.2
+    http-errors: 2.0.0
+    merge-descriptors: 1.0.1
+    methods: ~1.1.2
+    on-finished: 2.4.1
+    parseurl: ~1.3.3
+    path-to-regexp: 0.1.7
+    proxy-addr: ~2.0.7
+    qs: 6.11.0
+    range-parser: ~1.2.1
+    safe-buffer: 5.2.1
+    send: 0.18.0
+    serve-static: 1.15.0
+    setprototypeof: 1.2.0
+    statuses: 2.0.1
+    type-is: ~1.6.18
+    utils-merge: 1.0.1
+    vary: ~1.1.2
+  checksum: 3c4b9b076879442f6b968fe53d85d9f1eeacbb4f4c41e5f16cc36d77ce39a2b0d81b3f250514982110d815b2f7173f5561367f9110fcc541f9371948e8c8b037
+  languageName: node
+  linkType: hard
+
+"extend-shallow@npm:^2.0.1":
+  version: 2.0.1
+  resolution: "extend-shallow@npm:2.0.1"
+  dependencies:
+    is-extendable: ^0.1.0
+  checksum: 8fb58d9d7a511f4baf78d383e637bd7d2e80843bd9cd0853649108ea835208fb614da502a553acc30208e1325240bb7cc4a68473021612496bb89725483656d8
+  languageName: node
+  linkType: hard
+
+"extend-shallow@npm:^3.0.0, extend-shallow@npm:^3.0.2":
+  version: 3.0.2
+  resolution: "extend-shallow@npm:3.0.2"
+  dependencies:
+    assign-symbols: ^1.0.0
+    is-extendable: ^1.0.1
+  checksum: a920b0cd5838a9995ace31dfd11ab5e79bf6e295aa566910ce53dff19f4b1c0fda2ef21f26b28586c7a2450ca2b42d97bd8c0f5cec9351a819222bf861e02461
+  languageName: node
+  linkType: hard
+
+"extend@npm:^3.0.0, extend@npm:~3.0.2":
+  version: 3.0.2
+  resolution: "extend@npm:3.0.2"
+  checksum: a50a8309ca65ea5d426382ff09f33586527882cf532931cb08ca786ea3146c0553310bda688710ff61d7668eba9f96b923fe1420cdf56a2c3eaf30fcab87b515
+  languageName: node
+  linkType: hard
+
+"external-editor@npm:^3.0.3":
+  version: 3.1.0
+  resolution: "external-editor@npm:3.1.0"
+  dependencies:
+    chardet: ^0.7.0
+    iconv-lite: ^0.4.24
+    tmp: ^0.0.33
+  checksum: 1c2a616a73f1b3435ce04030261bed0e22d4737e14b090bb48e58865da92529c9f2b05b893de650738d55e692d071819b45e1669259b2b354bc3154d27a698c7
+  languageName: node
+  linkType: hard
+
+"extglob@npm:^2.0.4":
+  version: 2.0.4
+  resolution: "extglob@npm:2.0.4"
+  dependencies:
+    array-unique: ^0.3.2
+    define-property: ^1.0.0
+    expand-brackets: ^2.1.4
+    extend-shallow: ^2.0.1
+    fragment-cache: ^0.2.1
+    regex-not: ^1.0.0
+    snapdragon: ^0.8.1
+    to-regex: ^3.0.1
+  checksum: a41531b8934735b684cef5e8c5a01d0f298d7d384500ceca38793a9ce098125aab04ee73e2d75d5b2901bc5dddd2b64e1b5e3bf19139ea48bac52af4a92f1d00
+  languageName: node
+  linkType: hard
+
+"extract-stack@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "extract-stack@npm:2.0.0"
+  checksum: 16a45ae6cfe7fe105061f192124cb7d98653728d81827426c4f900763f9fda56c13dd9048de6838107898536b969d1c6f98028fcf4092e542fa2616d4dacb34d
+  languageName: node
+  linkType: hard
+
+"extsprintf@npm:1.3.0":
+  version: 1.3.0
+  resolution: "extsprintf@npm:1.3.0"
+  checksum: cee7a4a1e34cffeeec18559109de92c27517e5641991ec6bab849aa64e3081022903dd53084f2080d0d2530803aa5ee84f1e9de642c365452f9e67be8f958ce2
+  languageName: node
+  linkType: hard
+
+"extsprintf@npm:^1.2.0":
+  version: 1.4.0
+  resolution: "extsprintf@npm:1.4.0"
+  checksum: 184dc8a413eb4b1ff16bdce797340e7ded4d28511d56a1c9afa5a95bcff6ace154063823eaf0206dbbb0d14059d74f382a15c34b7c0636fa74a7e681295eb67e
+  languageName: node
+  linkType: hard
+
+"fake-xml-http-request@npm:^2.1.1, fake-xml-http-request@npm:^2.1.2":
+  version: 2.1.2
+  resolution: "fake-xml-http-request@npm:2.1.2"
+  checksum: 7b1ebea1955c46cbda0e0c3308716cc82beca7bb6c549f1d1c2a8134203c9d6c5a21194e2c1e17650ff073ecbcd3e56cf1e21f248a86cbcb3567fd7a9ca4850e
+  languageName: node
+  linkType: hard
+
+"fast-deep-equal@npm:^3.1.1, fast-deep-equal@npm:^3.1.3":
+  version: 3.1.3
+  resolution: "fast-deep-equal@npm:3.1.3"
+  checksum: e21a9d8d84f53493b6aa15efc9cfd53dd5b714a1f23f67fb5dc8f574af80df889b3bce25dc081887c6d25457cce704e636395333abad896ccdec03abaf1f3f9d
+  languageName: node
+  linkType: hard
+
+"fast-diff@npm:^1.1.2":
+  version: 1.2.0
+  resolution: "fast-diff@npm:1.2.0"
+  checksum: 1b5306eaa9e826564d9e5ffcd6ebd881eb5f770b3f977fcbf38f05c824e42172b53c79920e8429c54eb742ce15a0caf268b0fdd5b38f6de52234c4a8368131ae
+  languageName: node
+  linkType: hard
+
+"fast-glob@npm:^3.0.3, fast-glob@npm:^3.1.1":
+  version: 3.2.5
+  resolution: "fast-glob@npm:3.2.5"
+  dependencies:
+    "@nodelib/fs.stat": ^2.0.2
+    "@nodelib/fs.walk": ^1.2.3
+    glob-parent: ^5.1.0
+    merge2: ^1.3.0
+    micromatch: ^4.0.2
+    picomatch: ^2.2.1
+  checksum: 5d6772c9b63dbb739d60b5630851e1f2cbf9744119e0968eac44c9f8cbc2d3d5cb4f2f0c74715ccb23daa336c87bea42186ed367e6c991afee61cd3d967320eb
+  languageName: node
+  linkType: hard
+
+"fast-glob@npm:^3.2.9":
+  version: 3.2.12
+  resolution: "fast-glob@npm:3.2.12"
+  dependencies:
+    "@nodelib/fs.stat": ^2.0.2
+    "@nodelib/fs.walk": ^1.2.3
+    glob-parent: ^5.1.2
+    merge2: ^1.3.0
+    micromatch: ^4.0.4
+  checksum: 0b1990f6ce831c7e28c4d505edcdaad8e27e88ab9fa65eedadb730438cfc7cde4910d6c975d6b7b8dc8a73da4773702ebcfcd6e3518e73938bb1383badfe01c2
+  languageName: node
+  linkType: hard
+
+"fast-glob@npm:^3.3.0":
+  version: 3.3.0
+  resolution: "fast-glob@npm:3.3.0"
+  dependencies:
+    "@nodelib/fs.stat": ^2.0.2
+    "@nodelib/fs.walk": ^1.2.3
+    glob-parent: ^5.1.2
+    merge2: ^1.3.0
+    micromatch: ^4.0.4
+  checksum: 20df62be28eb5426fe8e40e0d05601a63b1daceb7c3d87534afcad91bdcf1e4b1743cf2d5247d6e225b120b46df0b9053a032b2691ba34ee121e033acd81f547
+  languageName: node
+  linkType: hard
+
+"fast-json-stable-stringify@npm:^2.0.0":
+  version: 2.1.0
+  resolution: "fast-json-stable-stringify@npm:2.1.0"
+  checksum: b191531e36c607977e5b1c47811158733c34ccb3bfde92c44798929e9b4154884378536d26ad90dfecd32e1ffc09c545d23535ad91b3161a27ddbb8ebe0cbecb
+  languageName: node
+  linkType: hard
+
+"fast-levenshtein@npm:^2.0.6, fast-levenshtein@npm:~2.0.6":
+  version: 2.0.6
+  resolution: "fast-levenshtein@npm:2.0.6"
+  checksum: 92cfec0a8dfafd9c7a15fba8f2cc29cd0b62b85f056d99ce448bbcd9f708e18ab2764bda4dd5158364f4145a7c72788538994f0d1787b956ef0d1062b0f7c24c
+  languageName: node
+  linkType: hard
+
+"fast-ordered-set@npm:^1.0.0, fast-ordered-set@npm:^1.0.2":
+  version: 1.0.3
+  resolution: "fast-ordered-set@npm:1.0.3"
+  dependencies:
+    blank-object: ^1.0.1
+  checksum: c94a229e1c005746cd5cc920ff48003afade14210c0b7453d1d35542b46ed6e4111b94ae3673a664ff2a46835f75d73fa577a98a44e6a4624387735990454f6e
+  languageName: node
+  linkType: hard
+
+"fast-sourcemap-concat@npm:^1.4.0":
+  version: 1.4.0
+  resolution: "fast-sourcemap-concat@npm:1.4.0"
+  dependencies:
+    chalk: ^2.0.0
+    fs-extra: ^5.0.0
+    heimdalljs-logger: ^0.1.9
+    memory-streams: ^0.1.3
+    mkdirp: ^0.5.0
+    source-map: ^0.4.2
+    source-map-url: ^0.3.0
+    sourcemap-validator: ^1.1.0
+  checksum: d657d8cf5bf23a41a77014e795babfbca77a025ec3840437c42efa882f23f6fad023fdf6108672adc0f7e183c1b619b8dc28de7e297beebebb28aee3bb43be75
+  languageName: node
+  linkType: hard
+
+"fast-sourcemap-concat@npm:^2.1.0":
+  version: 2.1.0
+  resolution: "fast-sourcemap-concat@npm:2.1.0"
+  dependencies:
+    chalk: ^2.0.0
+    fs-extra: ^5.0.0
+    heimdalljs-logger: ^0.1.9
+    memory-streams: ^0.1.3
+    mkdirp: ^0.5.0
+    source-map: ^0.4.2
+    source-map-url: ^0.3.0
+    sourcemap-validator: ^1.1.0
+  checksum: d8ee2f37ec483f4ff30988186497652e065df81f2286c3f11e2934209736d3662d9f8140d8d1d41cfb9529aff9f1a9a7960d08ac2d92f6fb2ffba3358f32f4d4
+  languageName: node
+  linkType: hard
+
+"fastest-levenshtein@npm:^1.0.16":
+  version: 1.0.16
+  resolution: "fastest-levenshtein@npm:1.0.16"
+  checksum: a78d44285c9e2ae2c25f3ef0f8a73f332c1247b7ea7fb4a191e6bb51aa6ee1ef0dfb3ed113616dcdc7023e18e35a8db41f61c8d88988e877cf510df8edafbc71
+  languageName: node
+  linkType: hard
+
+"fastq@npm:^1.6.0":
+  version: 1.11.0
+  resolution: "fastq@npm:1.11.0"
+  dependencies:
+    reusify: ^1.0.4
+  checksum: 9db0ceea9280c5f207da40c562a4e574913c18933cd74b880b01bf8e81a9a6e368ec71e89c9c1b9f4066d0275cc22600efd6dde87f713217acbf67076481734b
+  languageName: node
+  linkType: hard
+
+"fault@npm:^1.0.0":
+  version: 1.0.4
+  resolution: "fault@npm:1.0.4"
+  dependencies:
+    format: ^0.2.0
+  checksum: 5ac610d8b09424e0f2fa8cf913064372f2ee7140a203a79957f73ed557c0e79b1a3d096064d7f40bde8132a69204c1fe25ec23634c05c6da2da2039cff26c4e7
+  languageName: node
+  linkType: hard
+
+"faye-websocket@npm:^0.11.3":
+  version: 0.11.3
+  resolution: "faye-websocket@npm:0.11.3"
+  dependencies:
+    websocket-driver: ">=0.5.1"
+  checksum: d7b2d68546812ea24e3079bd1e08bf1d79cd6d6137bfcea565d1cb1f6a5fc8fc29b689df2c1aff8b8b291d60fc808e1b27aa2896b86ba77ded10f1d9734c8e9f
+  languageName: node
+  linkType: hard
+
+"fb-watchman@npm:^2.0.0, fb-watchman@npm:^2.0.1":
+  version: 2.0.1
+  resolution: "fb-watchman@npm:2.0.1"
+  dependencies:
+    bser: 2.1.1
+  checksum: 8510230778ab3a51c27dffb1b76ef2c24fab672a42742d3c0a45c2e9d1e5f20210b1fbca33486088da4a9a3958bde96b5aec0a63aac9894b4e9df65c88b2cbd6
+  languageName: node
+  linkType: hard
+
+"figgy-pudding@npm:^3.5.1":
+  version: 3.5.2
+  resolution: "figgy-pudding@npm:3.5.2"
+  checksum: 4090bd66193693dcda605e44d6b8715d8fb5c92a67acd57826e55cf816a342f550d57e5638f822b39366e1b2fdb244e99b3068a37213aa1d6c1bf602b8fde5ae
+  languageName: node
+  linkType: hard
+
+"figures@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "figures@npm:2.0.0"
+  dependencies:
+    escape-string-regexp: ^1.0.5
+  checksum: 081beb16ea57d1716f8447c694f637668322398b57017b20929376aaf5def9823b35245b734cdd87e4832dc96e9c6f46274833cada77bfe15e5f980fea1fd21f
+  languageName: node
+  linkType: hard
+
+"figures@npm:^3.0.0, figures@npm:^3.2.0":
+  version: 3.2.0
+  resolution: "figures@npm:3.2.0"
+  dependencies:
+    escape-string-regexp: ^1.0.5
+  checksum: 85a6ad29e9aca80b49b817e7c89ecc4716ff14e3779d9835af554db91bac41c0f289c418923519392a1e582b4d10482ad282021330cd045bb7b80c84152f2a2b
+  languageName: node
+  linkType: hard
+
+"file-entry-cache@npm:^6.0.1":
+  version: 6.0.1
+  resolution: "file-entry-cache@npm:6.0.1"
+  dependencies:
+    flat-cache: ^3.0.4
+  checksum: f49701feaa6314c8127c3c2f6173cfefff17612f5ed2daaafc6da13b5c91fd43e3b2a58fd0d63f9f94478a501b167615931e7200e31485e320f74a33885a9c74
+  languageName: node
+  linkType: hard
+
+"file-uri-to-path@npm:1.0.0":
+  version: 1.0.0
+  resolution: "file-uri-to-path@npm:1.0.0"
+  checksum: b648580bdd893a008c92c7ecc96c3ee57a5e7b6c4c18a9a09b44fb5d36d79146f8e442578bc0e173dc027adf3987e254ba1dfd6e3ec998b7c282873010502144
+  languageName: node
+  linkType: hard
+
+"filesize@npm:^10.0.5":
+  version: 10.0.7
+  resolution: "filesize@npm:10.0.7"
+  checksum: acabe6ddcf0c06eb86a9b2ac0a93db48d2438037dce4f7ec5cf6ee32284a8d961b1efc251af1c05e7316ccf1e78c68cdc32655511745cc2580f9b8c309b523ce
+  languageName: node
+  linkType: hard
+
+"filesize@npm:^4.1.2, filesize@npm:^4.2.1":
+  version: 4.2.1
+  resolution: "filesize@npm:4.2.1"
+  checksum: 3179f5852519cfe140bdd1e35852d552654e1e232f45b76d5a0df7cefa810b66b4808650cd1705ab00821c5709520bf01fbf7bf74872bd2652a420bfdcbb1a82
+  languageName: node
+  linkType: hard
+
+"fill-range@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "fill-range@npm:4.0.0"
+  dependencies:
+    extend-shallow: ^2.0.1
+    is-number: ^3.0.0
+    repeat-string: ^1.6.1
+    to-regex-range: ^2.1.0
+  checksum: dbb5102467786ab42bc7a3ec7380ae5d6bfd1b5177b2216de89e4a541193f8ba599a6db84651bd2c58c8921db41b8cc3d699ea83b477342d3ce404020f73c298
+  languageName: node
+  linkType: hard
+
+"fill-range@npm:^7.0.1":
+  version: 7.0.1
+  resolution: "fill-range@npm:7.0.1"
+  dependencies:
+    to-regex-range: ^5.0.1
+  checksum: cc283f4e65b504259e64fd969bcf4def4eb08d85565e906b7d36516e87819db52029a76b6363d0f02d0d532f0033c9603b9e2d943d56ee3b0d4f7ad3328ff917
+  languageName: node
+  linkType: hard
+
+"finalhandler@npm:1.1.2, finalhandler@npm:~1.1.2":
+  version: 1.1.2
+  resolution: "finalhandler@npm:1.1.2"
+  dependencies:
+    debug: 2.6.9
+    encodeurl: ~1.0.2
+    escape-html: ~1.0.3
+    on-finished: ~2.3.0
+    parseurl: ~1.3.3
+    statuses: ~1.5.0
+    unpipe: ~1.0.0
+  checksum: 617880460c5138dd7ccfd555cb5dde4d8f170f4b31b8bd51e4b646bb2946c30f7db716428a1f2882d730d2b72afb47d1f67cc487b874cb15426f95753a88965e
+  languageName: node
+  linkType: hard
+
+"finalhandler@npm:1.2.0":
+  version: 1.2.0
+  resolution: "finalhandler@npm:1.2.0"
+  dependencies:
+    debug: 2.6.9
+    encodeurl: ~1.0.2
+    escape-html: ~1.0.3
+    on-finished: 2.4.1
+    parseurl: ~1.3.3
+    statuses: 2.0.1
+    unpipe: ~1.0.0
+  checksum: 92effbfd32e22a7dff2994acedbd9bcc3aa646a3e919ea6a53238090e87097f8ef07cced90aa2cc421abdf993aefbdd5b00104d55c7c5479a8d00ed105b45716
+  languageName: node
+  linkType: hard
+
+"find-babel-config@npm:^1.1.0, find-babel-config@npm:^1.2.0":
+  version: 1.2.0
+  resolution: "find-babel-config@npm:1.2.0"
+  dependencies:
+    json5: ^0.5.1
+    path-exists: ^3.0.0
+  checksum: 0a1785d3da9f38637885d9d65f183aaa072f51a834f733035e9694e4d0f6983ae8c8e75cd4e08b92af6f595b3b490ee813a1c5a9b14740685aa836fa1e878583
+  languageName: node
+  linkType: hard
+
+"find-babel-config@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "find-babel-config@npm:2.0.0"
+  dependencies:
+    json5: ^2.1.1
+    path-exists: ^4.0.0
+  checksum: d110308b02fe6a6411a0cfb7fd50af6740fbf5093eada3d6ddacf99b07fc8eea4aa3475356484710a0032433029a21ce733bb3ef88fda1d6e35c29a3e4983014
+  languageName: node
+  linkType: hard
+
+"find-cache-dir@npm:^2.1.0":
+  version: 2.1.0
+  resolution: "find-cache-dir@npm:2.1.0"
+  dependencies:
+    commondir: ^1.0.1
+    make-dir: ^2.0.0
+    pkg-dir: ^3.0.0
+  checksum: 60ad475a6da9f257df4e81900f78986ab367d4f65d33cf802c5b91e969c28a8762f098693d7a571b6e4dd4c15166c2da32ae2d18b6766a18e2071079448fdce4
+  languageName: node
+  linkType: hard
+
+"find-cache-dir@npm:^3.3.1":
+  version: 3.3.2
+  resolution: "find-cache-dir@npm:3.3.2"
+  dependencies:
+    commondir: ^1.0.1
+    make-dir: ^3.0.2
+    pkg-dir: ^4.1.0
+  checksum: 1e61c2e64f5c0b1c535bd85939ae73b0e5773142713273818cc0b393ee3555fb0fd44e1a5b161b8b6c3e03e98c2fcc9c227d784850a13a90a8ab576869576817
+  languageName: node
+  linkType: hard
+
+"find-index@npm:^1.1.0":
+  version: 1.1.1
+  resolution: "find-index@npm:1.1.1"
+  checksum: 02bb296389021b6126198f87bf5306450359cac8a1332140091ae6968a9b0859d6da7257d2b06012780ea269a0673f2c2945b57fdf0342da339fb48cebea7fd1
+  languageName: node
+  linkType: hard
+
+"find-up@npm:^2.1.0":
+  version: 2.1.0
+  resolution: "find-up@npm:2.1.0"
+  dependencies:
+    locate-path: ^2.0.0
+  checksum: 43284fe4da09f89011f08e3c32cd38401e786b19226ea440b75386c1b12a4cb738c94969808d53a84f564ede22f732c8409e3cfc3f7fb5b5c32378ad0bbf28bd
+  languageName: node
+  linkType: hard
+
+"find-up@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "find-up@npm:3.0.0"
+  dependencies:
+    locate-path: ^3.0.0
+  checksum: 38eba3fe7a66e4bc7f0f5a1366dc25508b7cfc349f852640e3678d26ad9a6d7e2c43eff0a472287de4a9753ef58f066a0ea892a256fa3636ad51b3fe1e17fae9
+  languageName: node
+  linkType: hard
+
+"find-up@npm:^4.0.0":
+  version: 4.1.0
+  resolution: "find-up@npm:4.1.0"
+  dependencies:
+    locate-path: ^5.0.0
+    path-exists: ^4.0.0
+  checksum: 4c172680e8f8c1f78839486e14a43ef82e9decd0e74145f40707cc42e7420506d5ec92d9a11c22bd2c48fb0c384ea05dd30e10dd152fefeec6f2f75282a8b844
+  languageName: node
+  linkType: hard
+
+"find-up@npm:^5.0.0":
+  version: 5.0.0
+  resolution: "find-up@npm:5.0.0"
+  dependencies:
+    locate-path: ^6.0.0
+    path-exists: ^4.0.0
+  checksum: 07955e357348f34660bde7920783204ff5a26ac2cafcaa28bace494027158a97b9f56faaf2d89a6106211a8174db650dd9f503f9c0d526b1202d5554a00b9095
+  languageName: node
+  linkType: hard
+
+"find-up@npm:^6.3.0":
+  version: 6.3.0
+  resolution: "find-up@npm:6.3.0"
+  dependencies:
+    locate-path: ^7.1.0
+    path-exists: ^5.0.0
+  checksum: 9a21b7f9244a420e54c6df95b4f6fc3941efd3c3e5476f8274eb452f6a85706e7a6a90de71353ee4f091fcb4593271a6f92810a324ec542650398f928783c280
+  languageName: node
+  linkType: hard
+
+"find-yarn-workspace-root@npm:^1.1.0":
+  version: 1.2.1
+  resolution: "find-yarn-workspace-root@npm:1.2.1"
+  dependencies:
+    fs-extra: ^4.0.3
+    micromatch: ^3.1.4
+  checksum: a8f4565fb1ead6122acc0d324fa3257c20f7b0c91b7b266dab9eee7251fb5558fcff5b35dbfd301bfd1cbb91c1cdd1799b28ffa5b9a92efd8c7ded3663652bbe
+  languageName: node
+  linkType: hard
+
+"find-yarn-workspace-root@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "find-yarn-workspace-root@npm:2.0.0"
+  dependencies:
+    micromatch: ^4.0.2
+  checksum: fa5ca8f9d08fe7a54ce7c0a5931ff9b7e36f9ee7b9475fb13752bcea80ec6b5f180fa5102d60b376d5526ce924ea3fc6b19301262efa0a5d248dd710f3644242
+  languageName: node
+  linkType: hard
+
+"findup-sync@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "findup-sync@npm:2.0.0"
+  dependencies:
+    detect-file: ^1.0.0
+    is-glob: ^3.1.0
+    micromatch: ^3.0.4
+    resolve-dir: ^1.0.1
+  checksum: af2849f4006208c7c0940ab87a5f816187becf30c430a735377f6163cff8e95f405db504f5435728663099878f2e8002da1bf1976132458c23f5d73f540b1fcc
+  languageName: node
+  linkType: hard
+
+"findup-sync@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "findup-sync@npm:4.0.0"
+  dependencies:
+    detect-file: ^1.0.0
+    is-glob: ^4.0.0
+    micromatch: ^4.0.2
+    resolve-dir: ^1.0.1
+  checksum: 94131e1107ad63790ed00c4c39ca131a93ea602607bd97afeffd92b69a9a63cf2c6f57d6db88cb753fe748ac7fde79e1e76768ff784247026b7c5ebf23ede3a0
+  languageName: node
+  linkType: hard
+
+"fireworm@npm:^0.7.0":
+  version: 0.7.1
+  resolution: "fireworm@npm:0.7.1"
+  dependencies:
+    async: ~0.2.9
+    is-type: 0.0.1
+    lodash.debounce: ^3.1.1
+    lodash.flatten: ^3.0.2
+    minimatch: ^3.0.2
+  checksum: 118ac822c5594f832db082475ac40e3d5532a84ed1aa74c04aee6827e3940b62cde5551308643afdead594f07aa5fb24a140eec51d4fa63945729d4c0fa6c401
+  languageName: node
+  linkType: hard
+
+"fixturify-project@npm:^1.10.0":
+  version: 1.10.0
+  resolution: "fixturify-project@npm:1.10.0"
+  dependencies:
+    fixturify: ^1.2.0
+    tmp: ^0.0.33
+  checksum: e92bd6c565005dbdd91ddda2f27f5278587e85601603697960066e8e436828535638f522691db3d640e7bf38e2ae9eb382df243f3eb9a3bc552926da6c8ef5fb
+  languageName: node
+  linkType: hard
+
+"fixturify-project@npm:^2.1.1":
+  version: 2.1.1
+  resolution: "fixturify-project@npm:2.1.1"
+  dependencies:
+    fixturify: ^2.1.0
+    tmp: ^0.0.33
+    type-fest: ^0.11.0
+  checksum: 60a435eeba234fa1332f8eb9d6384229a37883b6a175153b8ee0c723a17fad3577cd72777aac21085dd94b6d264ff3e2a77c33675dc75b3dd65c5ea7ec31867f
+  languageName: node
+  linkType: hard
+
+"fixturify@npm:^0.3.2":
+  version: 0.3.4
+  resolution: "fixturify@npm:0.3.4"
+  dependencies:
+    fs-extra: ^0.30.0
+    matcher-collection: ^1.0.4
+  checksum: ba73d10c82fc7686904ccab45a0d1fd4b0f184a9f877c8789f3dc7cdc176ee58283cc89b43f398f21bff8b449fb4b9ac6c6b1e4b05fab2603db6430c9ac8de64
+  languageName: node
+  linkType: hard
+
+"fixturify@npm:^1.2.0":
+  version: 1.3.0
+  resolution: "fixturify@npm:1.3.0"
+  dependencies:
+    "@types/fs-extra": ^5.0.5
+    "@types/minimatch": ^3.0.3
+    "@types/rimraf": ^2.0.2
+    fs-extra: ^7.0.1
+    matcher-collection: ^2.0.0
+  checksum: e0fd2bcd3c27c40ba080243847f8941b27c377bee9ac24275784ac5612c87dfa0bcb897d661cef3c401c965c7e8d754b63f3c46d10320eaa0a61d539ef450fd6
+  languageName: node
+  linkType: hard
+
+"fixturify@npm:^2.1.0":
+  version: 2.1.1
+  resolution: "fixturify@npm:2.1.1"
+  dependencies:
+    "@types/fs-extra": ^8.1.0
+    "@types/minimatch": ^3.0.3
+    "@types/rimraf": ^2.0.3
+    fs-extra: ^8.1.0
+    matcher-collection: ^2.0.1
+    walk-sync: ^2.0.2
+  checksum: ac66ae40302bc6beed1dfb81eab009ba6aee23ddddc0c043a1b01b65c07a7eada8b6edc3e76beb6ea01e6083c8b6e5686459286137e9c9bca7a7dfcd650eb125
+  languageName: node
+  linkType: hard
+
+"flat-cache@npm:^3.0.4":
+  version: 3.0.4
+  resolution: "flat-cache@npm:3.0.4"
+  dependencies:
+    flatted: ^3.1.0
+    rimraf: ^3.0.2
+  checksum: 4fdd10ecbcbf7d520f9040dd1340eb5dfe951e6f0ecf2252edeec03ee68d989ec8b9a20f4434270e71bcfd57800dc09b3344fca3966b2eb8f613072c7d9a2365
+  languageName: node
+  linkType: hard
+
+"flat@npm:^6.0.1":
+  version: 6.0.1
+  resolution: "flat@npm:6.0.1"
+  bin:
+    flat: cli.js
+  checksum: c7a5f2e7e3ba0bec28b9c3aca27e68ff74df446df15cdb77ddef9e3d4fd0e9321ca52e49ca8b861c46157215006666b0dad25457f231083fc7bd2f7fcb67d7eb
+  languageName: node
+  linkType: hard
+
+"flatted@npm:^3.1.0":
+  version: 3.1.1
+  resolution: "flatted@npm:3.1.1"
+  checksum: 508935e3366d95444131f0aaa801a4301f24ea5bcb900d12764e7335b46b910730cc1b5bcfcfb8eccb7c8db261ba0671c6a7ca30d10870ff7a7756dc7e731a7a
+  languageName: node
+  linkType: hard
+
+"flush-write-stream@npm:^1.0.0":
+  version: 1.1.1
+  resolution: "flush-write-stream@npm:1.1.1"
+  dependencies:
+    inherits: ^2.0.3
+    readable-stream: ^2.3.6
+  checksum: 42e07747f83bcd4e799da802e621d6039787749ffd41f5517f8c4f786ee967e31ba32b09f8b28a9c6f67bd4f5346772e604202df350e8d99f4141771bae31279
+  languageName: node
+  linkType: hard
+
+"focus-trap@npm:^6.7.1":
+  version: 6.9.4
+  resolution: "focus-trap@npm:6.9.4"
+  dependencies:
+    tabbable: ^5.3.3
+  checksum: 0b4cebcc11010bd9397731092bd59a981e838c710c6497374ba70571875a14ab27c0db7d60f36005ec01bdabc3b9cfeda11d30ddf5b8874596dcc95e18913b3b
+  languageName: node
+  linkType: hard
+
+"follow-redirects@npm:^1.0.0":
+  version: 1.14.0
+  resolution: "follow-redirects@npm:1.14.0"
+  peerDependenciesMeta:
+    debug:
+      optional: true
+  checksum: a6568930fb97f6f4c12eac52acc109e8677d4b26fcae463bab7de50c43e44886b94784be6608dd8f2ab4b015328377fb4be2e83abd2c8d6bc39ffe1cf11f7b5a
+  languageName: node
+  linkType: hard
+
+"for-each@npm:^0.3.3":
+  version: 0.3.3
+  resolution: "for-each@npm:0.3.3"
+  dependencies:
+    is-callable: ^1.1.3
+  checksum: 6c48ff2bc63362319c65e2edca4a8e1e3483a2fabc72fbe7feaf8c73db94fc7861bd53bc02c8a66a0c1dd709da6b04eec42e0abdd6b40ce47305ae92a25e5d28
+  languageName: node
+  linkType: hard
+
+"for-in@npm:^1.0.2":
+  version: 1.0.2
+  resolution: "for-in@npm:1.0.2"
+  checksum: 09f4ae93ce785d253ac963d94c7f3432d89398bf25ac7a24ed034ca393bf74380bdeccc40e0f2d721a895e54211b07c8fad7132e8157827f6f7f059b70b4043d
+  languageName: node
+  linkType: hard
+
+"forever-agent@npm:~0.6.1":
+  version: 0.6.1
+  resolution: "forever-agent@npm:0.6.1"
+  checksum: 766ae6e220f5fe23676bb4c6a99387cec5b7b62ceb99e10923376e27bfea72f3c3aeec2ba5f45f3f7ba65d6616965aa7c20b15002b6860833bb6e394dea546a8
+  languageName: node
+  linkType: hard
+
+"form-data@npm:~2.3.2":
+  version: 2.3.3
+  resolution: "form-data@npm:2.3.3"
+  dependencies:
+    asynckit: ^0.4.0
+    combined-stream: ^1.0.6
+    mime-types: ^2.1.12
+  checksum: 10c1780fa13dbe1ff3100114c2ce1f9307f8be10b14bf16e103815356ff567b6be39d70fc4a40f8990b9660012dc24b0f5e1dde1b6426166eb23a445ba068ca3
+  languageName: node
+  linkType: hard
+
+"format@npm:^0.2.0":
+  version: 0.2.2
+  resolution: "format@npm:0.2.2"
+  checksum: 646a60e1336250d802509cf24fb801e43bd4a70a07510c816fa133aa42cdbc9c21e66e9cc0801bb183c5b031c9d68be62e7fbb6877756e52357850f92aa28799
+  languageName: node
+  linkType: hard
+
+"forwarded@npm:0.2.0":
+  version: 0.2.0
+  resolution: "forwarded@npm:0.2.0"
+  checksum: fd27e2394d8887ebd16a66ffc889dc983fbbd797d5d3f01087c020283c0f019a7d05ee85669383d8e0d216b116d720fc0cef2f6e9b7eb9f4c90c6e0bc7fd28e6
+  languageName: node
+  linkType: hard
+
+"forwarded@npm:~0.1.2":
+  version: 0.1.2
+  resolution: "forwarded@npm:0.1.2"
+  checksum: 54695c574292f9bc6bfa52111844337bc2e61cfcc5ec82f16b816d721a67a0c76b4849a34b57e38e51d64ddbb81aef974f393579f610ed1b990470e75abad2e0
+  languageName: node
+  linkType: hard
+
+"fragment-cache@npm:^0.2.1":
+  version: 0.2.1
+  resolution: "fragment-cache@npm:0.2.1"
+  dependencies:
+    map-cache: ^0.2.2
+  checksum: 1cbbd0b0116b67d5790175de0038a11df23c1cd2e8dcdbade58ebba5594c2d641dade6b4f126d82a7b4a6ffc2ea12e3d387dbb64ea2ae97cf02847d436f60fdc
+  languageName: node
+  linkType: hard
+
+"fresh@npm:0.5.2":
+  version: 0.5.2
+  resolution: "fresh@npm:0.5.2"
+  checksum: 13ea8b08f91e669a64e3ba3a20eb79d7ca5379a81f1ff7f4310d54e2320645503cc0c78daedc93dfb6191287295f6479544a649c64d8e41a1c0fb0c221552346
+  languageName: node
+  linkType: hard
+
+"from2@npm:^2.1.0":
+  version: 2.3.0
+  resolution: "from2@npm:2.3.0"
+  dependencies:
+    inherits: ^2.0.1
+    readable-stream: ^2.0.0
+  checksum: 6080eba0793dce32f475141fb3d54cc15f84ee52e420ee22ac3ab0ad639dc95a1875bc6eb9c0e1140e94972a36a89dc5542491b85f1ab8df0c126241e0f1a61b
+  languageName: node
+  linkType: hard
+
+"fs-extra@npm:^0.24.0":
+  version: 0.24.0
+  resolution: "fs-extra@npm:0.24.0"
+  dependencies:
+    graceful-fs: ^4.1.2
+    jsonfile: ^2.1.0
+    path-is-absolute: ^1.0.0
+    rimraf: ^2.2.8
+  checksum: 7addd3f7f1df95f0c7d61d87c16531db96e683a8f3ef693a21ba45af4d0fdaf7a6c9799248a4f63ae47f31d631672a05c3178aad2247139a6d2b9363de09c63d
+  languageName: node
+  linkType: hard
+
+"fs-extra@npm:^0.30.0":
+  version: 0.30.0
+  resolution: "fs-extra@npm:0.30.0"
+  dependencies:
+    graceful-fs: ^4.1.2
+    jsonfile: ^2.1.0
+    klaw: ^1.0.0
+    path-is-absolute: ^1.0.0
+    rimraf: ^2.2.8
+  checksum: 6edfd65fc813baa27f1603778c0f5ec11f8c5006a20b920437813ee2023eba18aeec8bef1c89b2e6c84f9fc90fdc7c916f4a700466c8c69d22a35d018f2570f0
+  languageName: node
+  linkType: hard
+
+"fs-extra@npm:^10.0.0":
+  version: 10.1.0
+  resolution: "fs-extra@npm:10.1.0"
+  dependencies:
+    graceful-fs: ^4.2.0
+    jsonfile: ^6.0.1
+    universalify: ^2.0.0
+  checksum: dc94ab37096f813cc3ca12f0f1b5ad6744dfed9ed21e953d72530d103cea193c2f81584a39e9dee1bea36de5ee66805678c0dddc048e8af1427ac19c00fffc50
+  languageName: node
+  linkType: hard
+
+"fs-extra@npm:^11.1.0":
+  version: 11.1.1
+  resolution: "fs-extra@npm:11.1.1"
+  dependencies:
+    graceful-fs: ^4.2.0
+    jsonfile: ^6.0.1
+    universalify: ^2.0.0
+  checksum: fb883c68245b2d777fbc1f2082c9efb084eaa2bbf9fddaa366130d196c03608eebef7fb490541276429ee1ca99f317e2d73e96f5ca0999eefedf5a624ae1edfd
+  languageName: node
+  linkType: hard
+
+"fs-extra@npm:^3.0.1":
+  version: 3.0.1
+  resolution: "fs-extra@npm:3.0.1"
+  dependencies:
+    graceful-fs: ^4.1.2
+    jsonfile: ^3.0.0
+    universalify: ^0.1.0
+  checksum: 8957f9ee33a032b12f786158077dbd2a6b3b843449b36ce37bb3922200bbf12f0412aaebe10e3ce3e46e1f0dd37904e4053b4cfa2a717c80eca3af6dc840ba8b
+  languageName: node
+  linkType: hard
+
+"fs-extra@npm:^4.0.2, fs-extra@npm:^4.0.3":
+  version: 4.0.3
+  resolution: "fs-extra@npm:4.0.3"
+  dependencies:
+    graceful-fs: ^4.1.2
+    jsonfile: ^4.0.0
+    universalify: ^0.1.0
+  checksum: c5ae3c7043ad7187128e619c0371da01b58694c1ffa02c36fb3f5b459925d9c27c3cb1e095d9df0a34a85ca993d8b8ff6f6ecef868fd5ebb243548afa7fc0936
+  languageName: node
+  linkType: hard
+
+"fs-extra@npm:^5.0.0":
+  version: 5.0.0
+  resolution: "fs-extra@npm:5.0.0"
+  dependencies:
+    graceful-fs: ^4.1.2
+    jsonfile: ^4.0.0
+    universalify: ^0.1.0
+  checksum: b3dcaf1d545097013c4fa649951c85cad1b845316ab473cc3440254a45e9b0b17d8ca9355af477e982c7d126f1a30417bcf78b1f744593ce77a0f43165f2d5e5
+  languageName: node
+  linkType: hard
+
+"fs-extra@npm:^6.0.1":
+  version: 6.0.1
+  resolution: "fs-extra@npm:6.0.1"
+  dependencies:
+    graceful-fs: ^4.1.2
+    jsonfile: ^4.0.0
+    universalify: ^0.1.0
+  checksum: 133dbd765e05c1cdaaf723308e00ffbe746da5ad516ad890ae2da2a538982c1175371055c778fbe68d1fca1da9ed4003ba55c4a14e070372eabf6a7c48062759
+  languageName: node
+  linkType: hard
+
+"fs-extra@npm:^7.0.0, fs-extra@npm:^7.0.1":
+  version: 7.0.1
+  resolution: "fs-extra@npm:7.0.1"
+  dependencies:
+    graceful-fs: ^4.1.2
+    jsonfile: ^4.0.0
+    universalify: ^0.1.0
+  checksum: 141b9dccb23b66a66cefdd81f4cda959ff89282b1d721b98cea19ba08db3dcbe6f862f28841f3cf24bb299e0b7e6c42303908f65093cb7e201708e86ea5a8dcf
+  languageName: node
+  linkType: hard
+
+"fs-extra@npm:^8.0.0, fs-extra@npm:^8.0.1, fs-extra@npm:^8.1.0":
+  version: 8.1.0
+  resolution: "fs-extra@npm:8.1.0"
+  dependencies:
+    graceful-fs: ^4.2.0
+    jsonfile: ^4.0.0
+    universalify: ^0.1.0
+  checksum: bf44f0e6cea59d5ce071bba4c43ca76d216f89e402dc6285c128abc0902e9b8525135aa808adad72c9d5d218e9f4bcc63962815529ff2f684ad532172a284880
+  languageName: node
+  linkType: hard
+
+"fs-extra@npm:^9.0.1, fs-extra@npm:^9.1.0":
+  version: 9.1.0
+  resolution: "fs-extra@npm:9.1.0"
+  dependencies:
+    at-least-node: ^1.0.0
+    graceful-fs: ^4.2.0
+    jsonfile: ^6.0.1
+    universalify: ^2.0.0
+  checksum: ba71ba32e0faa74ab931b7a0031d1523c66a73e225de7426e275e238e312d07313d2da2d33e34a52aa406c8763ade5712eb3ec9ba4d9edce652bcacdc29e6b20
+  languageName: node
+  linkType: hard
+
+"fs-merger@npm:^3.0.1, fs-merger@npm:^3.1.0, fs-merger@npm:^3.2.1":
+  version: 3.2.1
+  resolution: "fs-merger@npm:3.2.1"
+  dependencies:
+    broccoli-node-api: ^1.7.0
+    broccoli-node-info: ^2.1.0
+    fs-extra: ^8.0.1
+    fs-tree-diff: ^2.0.1
+    walk-sync: ^2.2.0
+  checksum: bfb93b537919407d947ab89c44f6d85f7cb58d1337aaa9115de0bd38178165b158809ad83c4f5d610d42ce0ee2f81ac7ad0ae5b573a69784b676a8a6ce506500
+  languageName: node
+  linkType: hard
+
+"fs-minipass@npm:^2.0.0, fs-minipass@npm:^2.1.0":
+  version: 2.1.0
+  resolution: "fs-minipass@npm:2.1.0"
+  dependencies:
+    minipass: ^3.0.0
+  checksum: 1b8d128dae2ac6cc94230cc5ead341ba3e0efaef82dab46a33d171c044caaa6ca001364178d42069b2809c35a1c3c35079a32107c770e9ffab3901b59af8c8b1
+  languageName: node
+  linkType: hard
+
+"fs-tree-diff@npm:^0.5.2, fs-tree-diff@npm:^0.5.3, fs-tree-diff@npm:^0.5.4, fs-tree-diff@npm:^0.5.6, fs-tree-diff@npm:^0.5.9":
+  version: 0.5.9
+  resolution: "fs-tree-diff@npm:0.5.9"
+  dependencies:
+    heimdalljs-logger: ^0.1.7
+    object-assign: ^4.1.0
+    path-posix: ^1.0.0
+    symlink-or-copy: ^1.1.8
+  checksum: 5221dee3baa76d597c471aa8786d552452ee2a58de63f0fcc38dd618cafd5d776760f8afcd19ab796c2a8cc584191c46431464096ea347b4158e1a14cb690ed1
+  languageName: node
+  linkType: hard
+
+"fs-tree-diff@npm:^2.0.0, fs-tree-diff@npm:^2.0.1":
+  version: 2.0.1
+  resolution: "fs-tree-diff@npm:2.0.1"
+  dependencies:
+    "@types/symlink-or-copy": ^1.2.0
+    heimdalljs-logger: ^0.1.7
+    object-assign: ^4.1.0
+    path-posix: ^1.0.0
+    symlink-or-copy: ^1.1.8
+  checksum: ea7927af283b1db3994b98e4c636ed7f8ecfcfb39dc205b57841b22f8ebf39e97649dca07b16ae2e421b000d81b6d96449f32d4dc78742ccb22dfd19db160a45
+  languageName: node
+  linkType: hard
+
+"fs-updater@npm:^1.0.4":
+  version: 1.0.4
+  resolution: "fs-updater@npm:1.0.4"
+  dependencies:
+    can-symlink: ^1.0.0
+    clean-up-path: ^1.0.0
+    heimdalljs: ^0.2.5
+    heimdalljs-logger: ^0.1.9
+    rimraf: ^2.6.2
+  checksum: 8c46798de408fbb1c7da339de2a82334261c120aef235bc30ef66e617fd1a735d0279654fc27373597d4826c325fb08a299e3b05252e0289d8d9e749c67dd96d
+  languageName: node
+  linkType: hard
+
+"fs-write-stream-atomic@npm:^1.0.8":
+  version: 1.0.10
+  resolution: "fs-write-stream-atomic@npm:1.0.10"
+  dependencies:
+    graceful-fs: ^4.1.2
+    iferr: ^0.1.5
+    imurmurhash: ^0.1.4
+    readable-stream: 1 || 2
+  checksum: 43c2d6817b72127793abc811ebf87a135b03ac7cbe41cdea9eeacf59b23e6e29b595739b083e9461303d525687499a1aaefcec3e5ff9bc82b170edd3dc467ccc
+  languageName: node
+  linkType: hard
+
+"fs.realpath@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "fs.realpath@npm:1.0.0"
+  checksum: 99ddea01a7e75aa276c250a04eedeffe5662bce66c65c07164ad6264f9de18fb21be9433ead460e54cff20e31721c811f4fb5d70591799df5f85dce6d6746fd0
+  languageName: node
+  linkType: hard
+
+"fsevents@npm:^1.2.7":
+  version: 1.2.13
+  resolution: "fsevents@npm:1.2.13"
+  dependencies:
+    bindings: ^1.5.0
+    nan: ^2.12.1
+  checksum: ae855aa737aaa2f9167e9f70417cf6e45a5cd11918e1fee9923709a0149be52416d765433b4aeff56c789b1152e718cd1b13ddec6043b78cdda68260d86383c1
+  conditions: os=darwin
+  languageName: node
+  linkType: hard
+
+"fsevents@npm:~2.3.1, fsevents@npm:~2.3.2":
+  version: 2.3.2
+  resolution: "fsevents@npm:2.3.2"
+  dependencies:
+    node-gyp: latest
+  checksum: 97ade64e75091afee5265e6956cb72ba34db7819b4c3e94c431d4be2b19b8bb7a2d4116da417950c3425f17c8fe693d25e20212cac583ac1521ad066b77ae31f
+  conditions: os=darwin
+  languageName: node
+  linkType: hard
+
+"fsevents@patch:fsevents@^1.2.7#~builtin<compat/fsevents>":
+  version: 1.2.13
+  resolution: "fsevents@patch:fsevents@npm%3A1.2.13#~builtin<compat/fsevents>::version=1.2.13&hash=d11327"
+  dependencies:
+    bindings: ^1.5.0
+    nan: ^2.12.1
+  conditions: os=darwin
+  languageName: node
+  linkType: hard
+
+"fsevents@patch:fsevents@~2.3.1#~builtin<compat/fsevents>, fsevents@patch:fsevents@~2.3.2#~builtin<compat/fsevents>":
+  version: 2.3.2
+  resolution: "fsevents@patch:fsevents@npm%3A2.3.2#~builtin<compat/fsevents>::version=2.3.2&hash=df0bf1"
+  dependencies:
+    node-gyp: latest
+  conditions: os=darwin
+  languageName: node
+  linkType: hard
+
+"function-bind@npm:^1.1.1":
+  version: 1.1.1
+  resolution: "function-bind@npm:1.1.1"
+  checksum: b32fbaebb3f8ec4969f033073b43f5c8befbb58f1a79e12f1d7490358150359ebd92f49e72ff0144f65f2c48ea2a605bff2d07965f548f6474fd8efd95bf361a
+  languageName: node
+  linkType: hard
+
+"function.prototype.name@npm:^1.1.5":
+  version: 1.1.5
+  resolution: "function.prototype.name@npm:1.1.5"
+  dependencies:
+    call-bind: ^1.0.2
+    define-properties: ^1.1.3
+    es-abstract: ^1.19.0
+    functions-have-names: ^1.2.2
+  checksum: acd21d733a9b649c2c442f067567743214af5fa248dbeee69d8278ce7df3329ea5abac572be9f7470b4ec1cd4d8f1040e3c5caccf98ebf2bf861a0deab735c27
+  languageName: node
+  linkType: hard
+
+"functions-have-names@npm:^1.2.2, functions-have-names@npm:^1.2.3":
+  version: 1.2.3
+  resolution: "functions-have-names@npm:1.2.3"
+  checksum: c3f1f5ba20f4e962efb71344ce0a40722163e85bee2101ce25f88214e78182d2d2476aa85ef37950c579eb6cf6ee811c17b3101bb84004bb75655f3e33f3fdb5
+  languageName: node
+  linkType: hard
+
+"fuse.js@npm:^6.5.3":
+  version: 6.5.3
+  resolution: "fuse.js@npm:6.5.3"
+  checksum: f7c14f4422000e7f7e3515c66f7cefdfc38adec4cf380097f4146a201ea438af60b67dc5849b3c0de0115ce3f9bc5afad6fc6570c08dcfcef5bf6e95eb8e6d6f
+  languageName: node
+  linkType: hard
+
+"gauge@npm:^4.0.3":
+  version: 4.0.4
+  resolution: "gauge@npm:4.0.4"
+  dependencies:
+    aproba: ^1.0.3 || ^2.0.0
+    color-support: ^1.1.3
+    console-control-strings: ^1.1.0
+    has-unicode: ^2.0.1
+    signal-exit: ^3.0.7
+    string-width: ^4.2.3
+    strip-ansi: ^6.0.1
+    wide-align: ^1.1.5
+  checksum: 788b6bfe52f1dd8e263cda800c26ac0ca2ff6de0b6eee2fe0d9e3abf15e149b651bd27bf5226be10e6e3edb5c4e5d5985a5a1a98137e7a892f75eff76467ad2d
+  languageName: node
+  linkType: hard
+
+"gensync@npm:^1.0.0-beta.2":
+  version: 1.0.0-beta.2
+  resolution: "gensync@npm:1.0.0-beta.2"
+  checksum: a7437e58c6be12aa6c90f7730eac7fa9833dc78872b4ad2963d2031b00a3367a93f98aec75f9aaac7220848e4026d67a8655e870b24f20a543d103c0d65952ec
+  languageName: node
+  linkType: hard
+
+"get-caller-file@npm:^2.0.1, get-caller-file@npm:^2.0.5":
+  version: 2.0.5
+  resolution: "get-caller-file@npm:2.0.5"
+  checksum: b9769a836d2a98c3ee734a88ba712e62703f1df31b94b784762c433c27a386dd6029ff55c2a920c392e33657d80191edbf18c61487e198844844516f843496b9
+  languageName: node
+  linkType: hard
+
+"get-intrinsic@npm:^1.0.2, get-intrinsic@npm:^1.1.0, get-intrinsic@npm:^1.1.1":
+  version: 1.1.1
+  resolution: "get-intrinsic@npm:1.1.1"
+  dependencies:
+    function-bind: ^1.1.1
+    has: ^1.0.3
+    has-symbols: ^1.0.1
+  checksum: a9fe2ca8fa3f07f9b0d30fb202bcd01f3d9b9b6b732452e79c48e79f7d6d8d003af3f9e38514250e3553fdc83c61650851cb6870832ac89deaaceb08e3721a17
+  languageName: node
+  linkType: hard
+
+"get-intrinsic@npm:^1.1.3, get-intrinsic@npm:^1.2.0":
+  version: 1.2.1
+  resolution: "get-intrinsic@npm:1.2.1"
+  dependencies:
+    function-bind: ^1.1.1
+    has: ^1.0.3
+    has-proto: ^1.0.1
+    has-symbols: ^1.0.3
+  checksum: 5b61d88552c24b0cf6fa2d1b3bc5459d7306f699de060d76442cce49a4721f52b8c560a33ab392cf5575b7810277d54ded9d4d39a1ea61855619ebc005aa7e5f
+  languageName: node
+  linkType: hard
+
+"get-own-enumerable-property-symbols@npm:^3.0.0":
+  version: 3.0.2
+  resolution: "get-own-enumerable-property-symbols@npm:3.0.2"
+  checksum: 8f0331f14159f939830884799f937343c8c0a2c330506094bc12cbee3665d88337fe97a4ea35c002cc2bdba0f5d9975ad7ec3abb925015cdf2a93e76d4759ede
+  languageName: node
+  linkType: hard
+
+"get-stdin@npm:^4.0.1":
+  version: 4.0.1
+  resolution: "get-stdin@npm:4.0.1"
+  checksum: 4f73d3fe0516bc1f3dc7764466a68ad7c2ba809397a02f56c2a598120e028430fcff137a648a01876b2adfb486b4bc164119f98f1f7d7c0abd63385bdaa0113f
+  languageName: node
+  linkType: hard
+
+"get-stdin@npm:^8.0.0":
+  version: 8.0.0
+  resolution: "get-stdin@npm:8.0.0"
+  checksum: 40128b6cd25781ddbd233344f1a1e4006d4284906191ed0a7d55ec2c1a3e44d650f280b2c9eeab79c03ac3037da80257476c0e4e5af38ddfb902d6ff06282d77
+  languageName: node
+  linkType: hard
+
+"get-stdin@npm:^9.0.0":
+  version: 9.0.0
+  resolution: "get-stdin@npm:9.0.0"
+  checksum: 5972bc34d05932b45512c8e2d67b040f1c1ca8afb95c56cbc480985f2d761b7e37fe90dc8abd22527f062cc5639a6930ff346e9952ae4c11a2d4275869459594
+  languageName: node
+  linkType: hard
+
+"get-stream@npm:^4.0.0":
+  version: 4.1.0
+  resolution: "get-stream@npm:4.1.0"
+  dependencies:
+    pump: ^3.0.0
+  checksum: 443e1914170c15bd52ff8ea6eff6dfc6d712b031303e36302d2778e3de2506af9ee964d6124010f7818736dcfde05c04ba7ca6cc26883106e084357a17ae7d73
+  languageName: node
+  linkType: hard
+
+"get-stream@npm:^5.0.0":
+  version: 5.2.0
+  resolution: "get-stream@npm:5.2.0"
+  dependencies:
+    pump: ^3.0.0
+  checksum: 8bc1a23174a06b2b4ce600df38d6c98d2ef6d84e020c1ddad632ad75bac4e092eeb40e4c09e0761c35fc2dbc5e7fff5dab5e763a383582c4a167dd69a905bd12
+  languageName: node
+  linkType: hard
+
+"get-stream@npm:^6.0.0":
+  version: 6.0.1
+  resolution: "get-stream@npm:6.0.1"
+  checksum: e04ecece32c92eebf5b8c940f51468cd53554dcbb0ea725b2748be583c9523d00128137966afce410b9b051eb2ef16d657cd2b120ca8edafcf5a65e81af63cad
+  languageName: node
+  linkType: hard
+
+"get-symbol-description@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "get-symbol-description@npm:1.0.0"
+  dependencies:
+    call-bind: ^1.0.2
+    get-intrinsic: ^1.1.1
+  checksum: 9ceff8fe968f9270a37a1f73bf3f1f7bda69ca80f4f80850670e0e7b9444ff99323f7ac52f96567f8b5f5fbe7ac717a0d81d3407c7313e82810c6199446a5247
+  languageName: node
+  linkType: hard
+
+"get-value@npm:^2.0.3, get-value@npm:^2.0.6":
+  version: 2.0.6
+  resolution: "get-value@npm:2.0.6"
+  checksum: 5c3b99cb5398ea8016bf46ff17afc5d1d286874d2ad38ca5edb6e87d75c0965b0094cb9a9dddef2c59c23d250702323539a7fbdd870620db38c7e7d7ec87c1eb
+  languageName: node
+  linkType: hard
+
+"getpass@npm:^0.1.1":
+  version: 0.1.7
+  resolution: "getpass@npm:0.1.7"
+  dependencies:
+    assert-plus: ^1.0.0
+  checksum: ab18d55661db264e3eac6012c2d3daeafaab7a501c035ae0ccb193c3c23e9849c6e29b6ac762b9c2adae460266f925d55a3a2a3a3c8b94be2f222df94d70c046
+  languageName: node
+  linkType: hard
+
+"git-hooks-list@npm:1.0.3":
+  version: 1.0.3
+  resolution: "git-hooks-list@npm:1.0.3"
+  checksum: a1dd03d39c1d727ba08a35dbdbdcc6e96de8c4170c942dc95bf787ca6e34998d39fb5295a00242b58a3d265de0b69a0686d0cf583baa6b7830f268542c4576b9
+  languageName: node
+  linkType: hard
+
+"git-repo-info@npm:^2.1.1":
+  version: 2.1.1
+  resolution: "git-repo-info@npm:2.1.1"
+  checksum: 58cedacae81bbe8fedc81d226346c472d11357d1758140ab0ee5d0c3360ad5b7a9d8613ca6e8b50d089d073e5b3f2e2893536d0cb57bced5f558dc913d5e21c6
+  languageName: node
+  linkType: hard
+
+"glob-parent@npm:^3.1.0":
+  version: 3.1.0
+  resolution: "glob-parent@npm:3.1.0"
+  dependencies:
+    is-glob: ^3.1.0
+    path-dirname: ^1.0.0
+  checksum: 653d559237e89a11b9934bef3f392ec42335602034c928590544d383ff5ef449f7b12f3cfa539708e74bc0a6c28ab1fe51d663cc07463cdf899ba92afd85a855
+  languageName: node
+  linkType: hard
+
+"glob-parent@npm:^5.1.0, glob-parent@npm:^5.1.2, glob-parent@npm:~5.1.0, glob-parent@npm:~5.1.2":
+  version: 5.1.2
+  resolution: "glob-parent@npm:5.1.2"
+  dependencies:
+    is-glob: ^4.0.1
+  checksum: f4f2bfe2425296e8a47e36864e4f42be38a996db40420fe434565e4480e3322f18eb37589617a98640c5dc8fdec1a387007ee18dbb1f3f5553409c34d17f425e
+  languageName: node
+  linkType: hard
+
+"glob-parent@npm:^6.0.2":
+  version: 6.0.2
+  resolution: "glob-parent@npm:6.0.2"
+  dependencies:
+    is-glob: ^4.0.3
+  checksum: c13ee97978bef4f55106b71e66428eb1512e71a7466ba49025fc2aec59a5bfb0954d5abd58fc5ee6c9b076eef4e1f6d3375c2e964b88466ca390da4419a786a8
+  languageName: node
+  linkType: hard
+
+"glob-to-regexp@npm:^0.4.1":
+  version: 0.4.1
+  resolution: "glob-to-regexp@npm:0.4.1"
+  checksum: e795f4e8f06d2a15e86f76e4d92751cf8bbfcf0157cea5c2f0f35678a8195a750b34096b1256e436f0cebc1883b5ff0888c47348443e69546a5a87f9e1eb1167
+  languageName: node
+  linkType: hard
+
+"glob@npm:^5.0.10":
+  version: 5.0.15
+  resolution: "glob@npm:5.0.15"
+  dependencies:
+    inflight: ^1.0.4
+    inherits: 2
+    minimatch: 2 || 3
+    once: ^1.3.0
+    path-is-absolute: ^1.0.0
+  checksum: f9742448303460672607e569457f1b57e486a79a985e269b69465834d2075b243378225f65dc54c09fcd4b75e4fb34442aec88f33f8c65fa4abccc8ee2dc2f5d
+  languageName: node
+  linkType: hard
+
+"glob@npm:^7.0.4, glob@npm:^7.1.4, glob@npm:^7.1.6":
+  version: 7.1.6
+  resolution: "glob@npm:7.1.6"
+  dependencies:
+    fs.realpath: ^1.0.0
+    inflight: ^1.0.4
+    inherits: 2
+    minimatch: ^3.0.4
+    once: ^1.3.0
+    path-is-absolute: ^1.0.0
+  checksum: 351d549dd90553b87c2d3f90ce11aed9e1093c74130440e7ae0592e11bbcd2ce7f0ebb8ba6bfe63aaf9b62166a7f4c80cb84490ae5d78408bb2572bf7d4ee0a6
+  languageName: node
+  linkType: hard
+
+"glob@npm:^7.1.2, glob@npm:^7.1.3":
+  version: 7.2.0
+  resolution: "glob@npm:7.2.0"
+  dependencies:
+    fs.realpath: ^1.0.0
+    inflight: ^1.0.4
+    inherits: 2
+    minimatch: ^3.0.4
+    once: ^1.3.0
+    path-is-absolute: ^1.0.0
+  checksum: 78a8ea942331f08ed2e055cb5b9e40fe6f46f579d7fd3d694f3412fe5db23223d29b7fee1575440202e9a7ff9a72ab106a39fee39934c7bedafe5e5f8ae20134
+  languageName: node
+  linkType: hard
+
+"glob@npm:^7.2.3":
+  version: 7.2.3
+  resolution: "glob@npm:7.2.3"
+  dependencies:
+    fs.realpath: ^1.0.0
+    inflight: ^1.0.4
+    inherits: 2
+    minimatch: ^3.1.1
+    once: ^1.3.0
+    path-is-absolute: ^1.0.0
+  checksum: 29452e97b38fa704dabb1d1045350fb2467cf0277e155aa9ff7077e90ad81d1ea9d53d3ee63bd37c05b09a065e90f16aec4a65f5b8de401d1dac40bc5605d133
+  languageName: node
+  linkType: hard
+
+"glob@npm:^8.0.1, glob@npm:^8.0.3, glob@npm:^8.1.0":
+  version: 8.1.0
+  resolution: "glob@npm:8.1.0"
+  dependencies:
+    fs.realpath: ^1.0.0
+    inflight: ^1.0.4
+    inherits: 2
+    minimatch: ^5.0.1
+    once: ^1.3.0
+  checksum: 92fbea3221a7d12075f26f0227abac435de868dd0736a17170663783296d0dd8d3d532a5672b4488a439bf5d7fb85cdd07c11185d6cd39184f0385cbdfb86a47
+  languageName: node
+  linkType: hard
+
+"global-modules@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "global-modules@npm:1.0.0"
+  dependencies:
+    global-prefix: ^1.0.1
+    is-windows: ^1.0.1
+    resolve-dir: ^1.0.0
+  checksum: 10be68796c1e1abc1e2ba87ec4ea507f5629873b119ab0cd29c07284ef2b930f1402d10df01beccb7391dedd9cd479611dd6a24311c71be58937beaf18edf85e
+  languageName: node
+  linkType: hard
+
+"global-modules@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "global-modules@npm:2.0.0"
+  dependencies:
+    global-prefix: ^3.0.0
+  checksum: d6197f25856c878c2fb5f038899f2dca7cbb2f7b7cf8999660c0104972d5cfa5c68b5a0a77fa8206bb536c3903a4615665acb9709b4d80846e1bb47eaef65430
+  languageName: node
+  linkType: hard
+
+"global-prefix@npm:^1.0.1":
+  version: 1.0.2
+  resolution: "global-prefix@npm:1.0.2"
+  dependencies:
+    expand-tilde: ^2.0.2
+    homedir-polyfill: ^1.0.1
+    ini: ^1.3.4
+    is-windows: ^1.0.1
+    which: ^1.2.14
+  checksum: 061b43470fe498271bcd514e7746e8a8535032b17ab9570517014ae27d700ff0dca749f76bbde13ba384d185be4310d8ba5712cb0e74f7d54d59390db63dd9a0
+  languageName: node
+  linkType: hard
+
+"global-prefix@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "global-prefix@npm:3.0.0"
+  dependencies:
+    ini: ^1.3.5
+    kind-of: ^6.0.2
+    which: ^1.3.1
+  checksum: 8a82fc1d6f22c45484a4e34656cc91bf021a03e03213b0035098d605bfc612d7141f1e14a21097e8a0413b4884afd5b260df0b6a25605ce9d722e11f1df2881d
+  languageName: node
+  linkType: hard
+
+"globals@npm:^11.1.0":
+  version: 11.12.0
+  resolution: "globals@npm:11.12.0"
+  checksum: 67051a45eca3db904aee189dfc7cd53c20c7d881679c93f6146ddd4c9f4ab2268e68a919df740d39c71f4445d2b38ee360fc234428baea1dbdfe68bbcb46979e
+  languageName: node
+  linkType: hard
+
+"globals@npm:^13.15.0":
+  version: 13.17.0
+  resolution: "globals@npm:13.17.0"
+  dependencies:
+    type-fest: ^0.20.2
+  checksum: fbaf4112e59b92c9f5575e85ce65e9e17c0b82711196ec5f58beb08599bbd92fd72703d6dfc9b080381fd35b644e1b11dcf25b38cc2341ec21df942594cbc8ce
+  languageName: node
+  linkType: hard
+
+"globals@npm:^13.19.0":
+  version: 13.20.0
+  resolution: "globals@npm:13.20.0"
+  dependencies:
+    type-fest: ^0.20.2
+  checksum: ad1ecf914bd051325faad281d02ea2c0b1df5d01bd94d368dcc5513340eac41d14b3c61af325768e3c7f8d44576e72780ec0b6f2d366121f8eec6e03c3a3b97a
+  languageName: node
+  linkType: hard
+
+"globals@npm:^9.18.0":
+  version: 9.18.0
+  resolution: "globals@npm:9.18.0"
+  checksum: e9c066aecfdc5ea6f727344a4246ecc243aaf66ede3bffee10ddc0c73351794c25e727dd046090dcecd821199a63b9de6af299a6e3ba292c8b22f0a80ea32073
+  languageName: node
+  linkType: hard
+
+"globalthis@npm:^1.0.3":
+  version: 1.0.3
+  resolution: "globalthis@npm:1.0.3"
+  dependencies:
+    define-properties: ^1.1.3
+  checksum: fbd7d760dc464c886d0196166d92e5ffb4c84d0730846d6621a39fbbc068aeeb9c8d1421ad330e94b7bca4bb4ea092f5f21f3d36077812af5d098b4dc006c998
+  languageName: node
+  linkType: hard
+
+"globalyzer@npm:0.1.0":
+  version: 0.1.0
+  resolution: "globalyzer@npm:0.1.0"
+  checksum: 419a0f95ba542534fac0842964d31b3dc2936a479b2b1a8a62bad7e8b61054faa9b0a06ad9f2e12593396b9b2621cac93358d9b3071d33723fb1778608d358a1
+  languageName: node
+  linkType: hard
+
+"globby@npm:10.0.0":
+  version: 10.0.0
+  resolution: "globby@npm:10.0.0"
+  dependencies:
+    "@types/glob": ^7.1.1
+    array-union: ^2.1.0
+    dir-glob: ^3.0.1
+    fast-glob: ^3.0.3
+    glob: ^7.1.3
+    ignore: ^5.1.1
+    merge2: ^1.2.3
+    slash: ^3.0.0
+  checksum: fbff58d2fcaedd9207901f6e3b5341ff885b6d499c3a095f7befde0fd03ec1ea634452a82f81e894e46f6a5d704da44b842ba93066f90dced52adf84d4b8d1cc
+  languageName: node
+  linkType: hard
+
+"globby@npm:^11.0.3":
+  version: 11.0.4
+  resolution: "globby@npm:11.0.4"
+  dependencies:
+    array-union: ^2.1.0
+    dir-glob: ^3.0.1
+    fast-glob: ^3.1.1
+    ignore: ^5.1.4
+    merge2: ^1.3.0
+    slash: ^3.0.0
+  checksum: d3e02d5e459e02ffa578b45f040381c33e3c0538ed99b958f0809230c423337999867d7b0dbf752ce93c46157d3bbf154d3fff988a93ccaeb627df8e1841775b
+  languageName: node
+  linkType: hard
+
+"globby@npm:^11.1.0":
+  version: 11.1.0
+  resolution: "globby@npm:11.1.0"
+  dependencies:
+    array-union: ^2.1.0
+    dir-glob: ^3.0.1
+    fast-glob: ^3.2.9
+    ignore: ^5.2.0
+    merge2: ^1.4.1
+    slash: ^3.0.0
+  checksum: b4be8885e0cfa018fc783792942d53926c35c50b3aefd3fdcfb9d22c627639dc26bd2327a40a0b74b074100ce95bb7187bfeae2f236856aa3de183af7a02aea6
+  languageName: node
+  linkType: hard
+
+"globby@npm:^13.1.3":
+  version: 13.2.2
+  resolution: "globby@npm:13.2.2"
+  dependencies:
+    dir-glob: ^3.0.1
+    fast-glob: ^3.3.0
+    ignore: ^5.2.4
+    merge2: ^1.4.1
+    slash: ^4.0.0
+  checksum: f3d84ced58a901b4fcc29c846983108c426631fe47e94872868b65565495f7bee7b3defd68923bd480582771fd4bbe819217803a164a618ad76f1d22f666f41e
+  languageName: node
+  linkType: hard
+
+"globjoin@npm:^0.1.4":
+  version: 0.1.4
+  resolution: "globjoin@npm:0.1.4"
+  checksum: 0a47d88d566122d9e42da946453ee38b398e0021515ac6a95d13f980ba8c1e42954e05ee26cfcbffce1ac1ee094d0524b16ce1dd874ca52408d6db5c6d39985b
+  languageName: node
+  linkType: hard
+
+"globrex@npm:^0.1.2":
+  version: 0.1.2
+  resolution: "globrex@npm:0.1.2"
+  checksum: adca162494a176ce9ecf4dd232f7b802956bb1966b37f60c15e49d2e7d961b66c60826366dc2649093cad5a0d69970cfa8875bd1695b5a1a2f33dcd2aa88da3c
+  languageName: node
+  linkType: hard
+
+"gopd@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "gopd@npm:1.0.1"
+  dependencies:
+    get-intrinsic: ^1.1.3
+  checksum: a5ccfb8806e0917a94e0b3de2af2ea4979c1da920bc381667c260e00e7cafdbe844e2cb9c5bcfef4e5412e8bf73bab837285bc35c7ba73aaaf0134d4583393a6
+  languageName: node
+  linkType: hard
+
+"graceful-fs@npm:^4.1.11, graceful-fs@npm:^4.1.15, graceful-fs@npm:^4.1.3":
+  version: 4.2.6
+  resolution: "graceful-fs@npm:4.2.6"
+  checksum: 792e64aafda05a151289f83eaa16aff34ef259658cefd65393883d959409f5a2389b0ec9ebf28f3d21f1b0ddc8f594a1162ae9b18e2b507a6799a70706ec573d
+  languageName: node
+  linkType: hard
+
+"graceful-fs@npm:^4.1.2, graceful-fs@npm:^4.1.6, graceful-fs@npm:^4.1.9, graceful-fs@npm:^4.2.0, graceful-fs@npm:^4.2.4":
+  version: 4.2.8
+  resolution: "graceful-fs@npm:4.2.8"
+  checksum: 5d224c8969ad0581d551dfabdb06882706b31af2561bd5e2034b4097e67cc27d05232849b8643866585fd0a41c7af152950f8776f4dd5579e9853733f31461c6
+  languageName: node
+  linkType: hard
+
+"graceful-fs@npm:^4.2.6":
+  version: 4.2.11
+  resolution: "graceful-fs@npm:4.2.11"
+  checksum: ac85f94da92d8eb6b7f5a8b20ce65e43d66761c55ce85ac96df6865308390da45a8d3f0296dd3a663de65d30ba497bd46c696cc1e248c72b13d6d567138a4fc7
+  languageName: node
+  linkType: hard
+
+"graceful-fs@npm:^4.2.9":
+  version: 4.2.10
+  resolution: "graceful-fs@npm:4.2.10"
+  checksum: 3f109d70ae123951905d85032ebeae3c2a5a7a997430df00ea30df0e3a6c60cf6689b109654d6fdacd28810a053348c4d14642da1d075049e6be1ba5216218da
+  languageName: node
+  linkType: hard
+
+"graceful-readlink@npm:>= 1.0.0":
+  version: 1.0.1
+  resolution: "graceful-readlink@npm:1.0.1"
+  checksum: 4c1889ca0a6fc0bb9585b55c26a99719be132cbc4b7d84036193b70608059b9783e52e2a866d5a8e39821b16a69e899644ca75c6206563f1319b6720836b9ab2
+  languageName: node
+  linkType: hard
+
+"grapheme-splitter@npm:^1.0.4":
+  version: 1.0.4
+  resolution: "grapheme-splitter@npm:1.0.4"
+  checksum: 0c22ec54dee1b05cd480f78cf14f732cb5b108edc073572c4ec205df4cd63f30f8db8025afc5debc8835a8ddeacf648a1c7992fe3dcd6ad38f9a476d84906620
+  languageName: node
+  linkType: hard
+
+"graphemer@npm:^1.4.0":
+  version: 1.4.0
+  resolution: "graphemer@npm:1.4.0"
+  checksum: bab8f0be9b568857c7bec9fda95a89f87b783546d02951c40c33f84d05bb7da3fd10f863a9beb901463669b6583173a8c8cc6d6b306ea2b9b9d5d3d943c3a673
+  languageName: node
+  linkType: hard
+
+"growly@npm:^1.3.0":
+  version: 1.3.0
+  resolution: "growly@npm:1.3.0"
+  checksum: 53cdecd4c16d7d9154a9061a9ccb87d602e957502ca69b529d7d1b2436c2c0b700ec544fc6b3e4cd115d59b81e62e44ce86bd0521403b579d3a2a97d7ce72a44
+  languageName: node
+  linkType: hard
+
+"handlebars@npm:4.7.7, handlebars@npm:^4.0.11, handlebars@npm:^4.0.13, handlebars@npm:^4.0.4, handlebars@npm:^4.3.1, handlebars@npm:^4.4.2, handlebars@npm:^4.7.3":
+  version: 4.7.7
+  resolution: "handlebars@npm:4.7.7"
+  dependencies:
+    minimist: ^1.2.5
+    neo-async: ^2.6.0
+    source-map: ^0.6.1
+    uglify-js: ^3.1.4
+    wordwrap: ^1.0.0
+  dependenciesMeta:
+    uglify-js:
+      optional: true
+  bin:
+    handlebars: bin/handlebars
+  checksum: 1e79a43f5e18d15742977cb987923eab3e2a8f44f2d9d340982bcb69e1735ed049226e534d7c1074eaddaf37e4fb4f471a8adb71cddd5bc8cf3f894241df5cee
+  languageName: node
+  linkType: hard
+
+"har-schema@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "har-schema@npm:2.0.0"
+  checksum: d8946348f333fb09e2bf24cc4c67eabb47c8e1d1aa1c14184c7ffec1140a49ec8aa78aa93677ae452d71d5fc0fdeec20f0c8c1237291fc2bcb3f502a5d204f9b
+  languageName: node
+  linkType: hard
+
+"har-validator@npm:~5.1.3":
+  version: 5.1.5
+  resolution: "har-validator@npm:5.1.5"
+  dependencies:
+    ajv: ^6.12.3
+    har-schema: ^2.0.0
+  checksum: b998a7269ca560d7f219eedc53e2c664cd87d487e428ae854a6af4573fc94f182fe9d2e3b92ab968249baec7ebaf9ead69cf975c931dc2ab282ec182ee988280
+  languageName: node
+  linkType: hard
+
+"hard-rejection@npm:^2.1.0":
+  version: 2.1.0
+  resolution: "hard-rejection@npm:2.1.0"
+  checksum: 7baaf80a0c7fff4ca79687b4060113f1529589852152fa935e6787a2bc96211e784ad4588fb3048136ff8ffc9dfcf3ae385314a5b24db32de20bea0d1597f9dc
+  languageName: node
+  linkType: hard
+
+"has-ansi@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "has-ansi@npm:2.0.0"
+  dependencies:
+    ansi-regex: ^2.0.0
+  checksum: 1b51daa0214440db171ff359d0a2d17bc20061164c57e76234f614c91dbd2a79ddd68dfc8ee73629366f7be45a6df5f2ea9de83f52e1ca24433f2cc78c35d8ec
+  languageName: node
+  linkType: hard
+
+"has-ansi@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "has-ansi@npm:3.0.0"
+  dependencies:
+    ansi-regex: ^3.0.0
+  checksum: d52ff546c982fb8646e6aa6a4e3741c123a29dcd0342db0e98cd17561356fc47fb03cc0cab9ad2000887facc39b8e7ce385089bdce548e6ff5463858ed5c12c1
+  languageName: node
+  linkType: hard
+
+"has-bigints@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "has-bigints@npm:1.0.1"
+  checksum: 44ab55868174470065d2e0f8f6def1c990d12b82162a8803c679699fa8a39f966e336f2a33c185092fe8aea7e8bf2e85f1c26add5f29d98f2318bd270096b183
+  languageName: node
+  linkType: hard
+
+"has-bigints@npm:^1.0.2":
+  version: 1.0.2
+  resolution: "has-bigints@npm:1.0.2"
+  checksum: 390e31e7be7e5c6fe68b81babb73dfc35d413604d7ee5f56da101417027a4b4ce6a27e46eff97ad040c835b5d228676eae99a9b5c3bc0e23c8e81a49241ff45b
+  languageName: node
+  linkType: hard
+
+"has-color@npm:~0.1.0":
+  version: 0.1.7
+  resolution: "has-color@npm:0.1.7"
+  checksum: 5753d76b1330bc1f5a07171f222ed0718f5ec2d64d5677800e434f183a99f7042f5cda43c9625a2d0f0204063aa03499a66f1c15283d789773b3544f18f93f58
+  languageName: node
+  linkType: hard
+
+"has-flag@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "has-flag@npm:3.0.0"
+  checksum: 4a15638b454bf086c8148979aae044dd6e39d63904cd452d970374fa6a87623423da485dfb814e7be882e05c096a7ccf1ebd48e7e7501d0208d8384ff4dea73b
+  languageName: node
+  linkType: hard
+
+"has-flag@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "has-flag@npm:4.0.0"
+  checksum: 261a1357037ead75e338156b1f9452c016a37dcd3283a972a30d9e4a87441ba372c8b81f818cd0fbcd9c0354b4ae7e18b9e1afa1971164aef6d18c2b6095a8ad
+  languageName: node
+  linkType: hard
+
+"has-property-descriptors@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "has-property-descriptors@npm:1.0.0"
+  dependencies:
+    get-intrinsic: ^1.1.1
+  checksum: a6d3f0a266d0294d972e354782e872e2fe1b6495b321e6ef678c9b7a06a40408a6891817350c62e752adced73a94ac903c54734fee05bf65b1905ee1368194bb
+  languageName: node
+  linkType: hard
+
+"has-proto@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "has-proto@npm:1.0.1"
+  checksum: febc5b5b531de8022806ad7407935e2135f1cc9e64636c3916c6842bd7995994ca3b29871ecd7954bd35f9e2986c17b3b227880484d22259e2f8e6ce63fd383e
+  languageName: node
+  linkType: hard
+
+"has-symbols@npm:^1.0.1, has-symbols@npm:^1.0.2":
+  version: 1.0.2
+  resolution: "has-symbols@npm:1.0.2"
+  checksum: 2309c426071731be792b5be43b3da6fb4ed7cbe8a9a6bcfca1862587709f01b33d575ce8f5c264c1eaad09fca2f9a8208c0a2be156232629daa2dd0c0740976b
+  languageName: node
+  linkType: hard
+
+"has-symbols@npm:^1.0.3":
+  version: 1.0.3
+  resolution: "has-symbols@npm:1.0.3"
+  checksum: a054c40c631c0d5741a8285010a0777ea0c068f99ed43e5d6eb12972da223f8af553a455132fdb0801bdcfa0e0f443c0c03a68d8555aa529b3144b446c3f2410
+  languageName: node
+  linkType: hard
+
+"has-tostringtag@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "has-tostringtag@npm:1.0.0"
+  dependencies:
+    has-symbols: ^1.0.2
+  checksum: cc12eb28cb6ae22369ebaad3a8ab0799ed61270991be88f208d508076a1e99abe4198c965935ce85ea90b60c94ddda73693b0920b58e7ead048b4a391b502c1c
+  languageName: node
+  linkType: hard
+
+"has-unicode@npm:^2.0.1":
+  version: 2.0.1
+  resolution: "has-unicode@npm:2.0.1"
+  checksum: 1eab07a7436512db0be40a710b29b5dc21fa04880b7f63c9980b706683127e3c1b57cb80ea96d47991bdae2dfe479604f6a1ba410106ee1046a41d1bd0814400
+  languageName: node
+  linkType: hard
+
+"has-value@npm:^0.3.1":
+  version: 0.3.1
+  resolution: "has-value@npm:0.3.1"
+  dependencies:
+    get-value: ^2.0.3
+    has-values: ^0.1.4
+    isobject: ^2.0.0
+  checksum: 29e2a1e6571dad83451b769c7ce032fce6009f65bccace07c2962d3ad4d5530b6743d8f3229e4ecf3ea8e905d23a752c5f7089100c1f3162039fa6dc3976558f
+  languageName: node
+  linkType: hard
+
+"has-value@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "has-value@npm:1.0.0"
+  dependencies:
+    get-value: ^2.0.6
+    has-values: ^1.0.0
+    isobject: ^3.0.0
+  checksum: b9421d354e44f03d3272ac39fd49f804f19bc1e4fa3ceef7745df43d6b402053f828445c03226b21d7d934a21ac9cf4bc569396dc312f496ddff873197bbd847
+  languageName: node
+  linkType: hard
+
+"has-values@npm:^0.1.4":
+  version: 0.1.4
+  resolution: "has-values@npm:0.1.4"
+  checksum: ab1c4bcaf811ccd1856c11cfe90e62fca9e2b026ebe474233a3d282d8d67e3b59ed85b622c7673bac3db198cb98bd1da2b39300a2f98e453729b115350af49bc
+  languageName: node
+  linkType: hard
+
+"has-values@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "has-values@npm:1.0.0"
+  dependencies:
+    is-number: ^3.0.0
+    kind-of: ^4.0.0
+  checksum: 77e6693f732b5e4cf6c38dfe85fdcefad0fab011af74995c3e83863fabf5e3a836f406d83565816baa0bc0a523c9410db8b990fe977074d61aeb6d8f4fcffa11
+  languageName: node
+  linkType: hard
+
+"has@npm:^1.0.3":
+  version: 1.0.3
+  resolution: "has@npm:1.0.3"
+  dependencies:
+    function-bind: ^1.1.1
+  checksum: b9ad53d53be4af90ce5d1c38331e712522417d017d5ef1ebd0507e07c2fbad8686fffb8e12ddecd4c39ca9b9b47431afbb975b8abf7f3c3b82c98e9aad052792
+  languageName: node
+  linkType: hard
+
+"hash-base@npm:^3.0.0":
+  version: 3.1.0
+  resolution: "hash-base@npm:3.1.0"
+  dependencies:
+    inherits: ^2.0.4
+    readable-stream: ^3.6.0
+    safe-buffer: ^5.2.0
+  checksum: 26b7e97ac3de13cb23fc3145e7e3450b0530274a9562144fc2bf5c1e2983afd0e09ed7cc3b20974ba66039fad316db463da80eb452e7373e780cbee9a0d2f2dc
+  languageName: node
+  linkType: hard
+
+"hash-for-dep@npm:^1.0.2, hash-for-dep@npm:^1.2.3, hash-for-dep@npm:^1.4.7, hash-for-dep@npm:^1.5.0, hash-for-dep@npm:^1.5.1":
+  version: 1.5.1
+  resolution: "hash-for-dep@npm:1.5.1"
+  dependencies:
+    broccoli-kitchen-sink-helpers: ^0.3.1
+    heimdalljs: ^0.2.3
+    heimdalljs-logger: ^0.1.7
+    path-root: ^0.1.1
+    resolve: ^1.10.0
+    resolve-package-path: ^1.0.11
+  checksum: ea9854cfeaedc5e3b7ba38f902a9173919f3f1abef13ee27ddc15b5ec8768be340762ed502e9d16b3ffbeb8e8af0f099cb0348215f9de39c31bb722af52895d9
+  languageName: node
+  linkType: hard
+
+"hash.js@npm:^1.0.0, hash.js@npm:^1.0.3":
+  version: 1.1.7
+  resolution: "hash.js@npm:1.1.7"
+  dependencies:
+    inherits: ^2.0.3
+    minimalistic-assert: ^1.0.1
+  checksum: e350096e659c62422b85fa508e4b3669017311aa4c49b74f19f8e1bc7f3a54a584fdfd45326d4964d6011f2b2d882e38bea775a96046f2a61b7779a979629d8f
+  languageName: node
+  linkType: hard
+
+"heimdalljs-fs-monitor@npm:^1.1.1":
+  version: 1.1.1
+  resolution: "heimdalljs-fs-monitor@npm:1.1.1"
+  dependencies:
+    callsites: ^3.1.0
+    clean-stack: ^2.2.0
+    extract-stack: ^2.0.0
+    heimdalljs: ^0.2.3
+    heimdalljs-logger: ^0.1.7
+  checksum: 0932adf032888bcc22c9ff8b5d832c708f1303b04e5a8c34b88dac09948bf6a45e4ea7d34bfdf30a3aaa41eabb0311d0e00e0fad1da862e16cc0950db50101cd
+  languageName: node
+  linkType: hard
+
+"heimdalljs-graph@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "heimdalljs-graph@npm:1.0.0"
+  checksum: eef4a3de227fa4b3e6b20f634b7c1bbb3c7ae9a83639444ce7f5f8ffbc979e205021538452ecd92804d49013245ed9a989075c8c9147cca8666f4d7a1983da93
+  languageName: node
+  linkType: hard
+
+"heimdalljs-logger@npm:^0.1.10, heimdalljs-logger@npm:^0.1.7, heimdalljs-logger@npm:^0.1.9":
+  version: 0.1.10
+  resolution: "heimdalljs-logger@npm:0.1.10"
+  dependencies:
+    debug: ^2.2.0
+    heimdalljs: ^0.2.6
+  checksum: 40a698843aa4773e3376f4e000c87599460971f4411b402985526a8f82563f5486fc85bfde90ce3e63d25381cf417289e870242321ce92ade32ea3b91585cfad
+  languageName: node
+  linkType: hard
+
+"heimdalljs@npm:^0.2.0, heimdalljs@npm:^0.2.1, heimdalljs@npm:^0.2.3, heimdalljs@npm:^0.2.5, heimdalljs@npm:^0.2.6":
+  version: 0.2.6
+  resolution: "heimdalljs@npm:0.2.6"
+  dependencies:
+    rsvp: ~3.2.1
+  checksum: 5b28d3df4e77ea94293b43c29f0a358381aa811079817f780a1dafc9d244c891a0a713691a3c53d0d2dc31a76484fb36d998e7ae5040ef4b52e8c4a00d2173ae
+  languageName: node
+  linkType: hard
+
+"highlight.js@npm:^10.4.1":
+  version: 10.7.2
+  resolution: "highlight.js@npm:10.7.2"
+  checksum: af09b434070c81ed154b4c990bee61a8c1295887554abc7884eb2544c48bff208e237e7ce1b324ebe94abe0f942e15e2c11dff1b1ed22a79a3c4a0d8a900a921
+  languageName: node
+  linkType: hard
+
+"hmac-drbg@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "hmac-drbg@npm:1.0.1"
+  dependencies:
+    hash.js: ^1.0.3
+    minimalistic-assert: ^1.0.0
+    minimalistic-crypto-utils: ^1.0.1
+  checksum: bd30b6a68d7f22d63f10e1888aee497d7c2c5c0bb469e66bbdac99f143904d1dfe95f8131f95b3e86c86dd239963c9d972fcbe147e7cffa00e55d18585c43fe0
+  languageName: node
+  linkType: hard
+
+"home-or-tmp@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "home-or-tmp@npm:2.0.0"
+  dependencies:
+    os-homedir: ^1.0.0
+    os-tmpdir: ^1.0.1
+  checksum: b783c6ffd22f716d82f53e8c781cbe49bc9f4109a89ea86a27951e54c0bd335caf06bd828be2958cd9f4681986df1739558ae786abda6298cdd6d3edc2c362f1
+  languageName: node
+  linkType: hard
+
+"homedir-polyfill@npm:^1.0.1":
+  version: 1.0.3
+  resolution: "homedir-polyfill@npm:1.0.3"
+  dependencies:
+    parse-passwd: ^1.0.0
+  checksum: 18dd4db87052c6a2179d1813adea0c4bfcfa4f9996f0e226fefb29eb3d548e564350fa28ec46b0bf1fbc0a1d2d6922ceceb80093115ea45ff8842a4990139250
+  languageName: node
+  linkType: hard
+
+"hosted-git-info@npm:^2.1.4":
+  version: 2.8.9
+  resolution: "hosted-git-info@npm:2.8.9"
+  checksum: c955394bdab888a1e9bb10eb33029e0f7ce5a2ac7b3f158099dc8c486c99e73809dca609f5694b223920ca2174db33d32b12f9a2a47141dc59607c29da5a62dd
+  languageName: node
+  linkType: hard
+
+"hosted-git-info@npm:^4.0.1":
+  version: 4.1.0
+  resolution: "hosted-git-info@npm:4.1.0"
+  dependencies:
+    lru-cache: ^6.0.0
+  checksum: c3f87b3c2f7eb8c2748c8f49c0c2517c9a95f35d26f4bf54b2a8cba05d2e668f3753548b6ea366b18ec8dadb4e12066e19fa382a01496b0ffa0497eb23cbe461
+  languageName: node
+  linkType: hard
+
+"hosted-git-info@npm:^6.0.0":
+  version: 6.1.1
+  resolution: "hosted-git-info@npm:6.1.1"
+  dependencies:
+    lru-cache: ^7.5.1
+  checksum: fcd3ca2eaa05f3201425ccbb8aa47f88cdda4a3a6d79453f8e269f7171356278bd1db08f059d8439eb5eaa91c6a8a20800fc49cca6e9e4e899b202a332d5ba6b
+  languageName: node
+  linkType: hard
+
+"html-encoding-sniffer@npm:^2.0.1":
+  version: 2.0.1
+  resolution: "html-encoding-sniffer@npm:2.0.1"
+  dependencies:
+    whatwg-encoding: ^1.0.5
+  checksum: bf30cce461015ed7e365736fcd6a3063c7bc016a91f74398ef6158886970a96333938f7c02417ab3c12aa82e3e53b40822145facccb9ddfbcdc15a879ae4d7ba
+  languageName: node
+  linkType: hard
+
+"html-tags@npm:^3.3.1":
+  version: 3.3.1
+  resolution: "html-tags@npm:3.3.1"
+  checksum: b4ef1d5a76b678e43cce46e3783d563607b1d550cab30b4f511211564574770aa8c658a400b100e588bc60b8234e59b35ff72c7851cc28f3b5403b13a2c6cbce
+  languageName: node
+  linkType: hard
+
+"htmlparser2@npm:^7.2.0":
+  version: 7.2.0
+  resolution: "htmlparser2@npm:7.2.0"
+  dependencies:
+    domelementtype: ^2.0.1
+    domhandler: ^4.2.2
+    domutils: ^2.8.0
+    entities: ^3.0.1
+  checksum: 96563d9965729cfcb3f5f19c26d013c6831b4cb38d79d8c185e9cd669ea6a9ffe8fb9ccc74d29a068c9078aa0e2767053ed6b19aa32723c41550340d0094bea0
+  languageName: node
+  linkType: hard
+
+"htmlparser2@npm:^8.0.1":
+  version: 8.0.1
+  resolution: "htmlparser2@npm:8.0.1"
+  dependencies:
+    domelementtype: ^2.3.0
+    domhandler: ^5.0.2
+    domutils: ^3.0.1
+    entities: ^4.3.0
+  checksum: 06d5c71e8313597722bc429ae2a7a8333d77bd3ab07ccb916628384b37332027b047f8619448d8f4a3312b6609c6ea3302a4e77435d859e9e686999e6699ca39
+  languageName: node
+  linkType: hard
+
+"http-cache-semantics@npm:^4.1.0":
+  version: 4.1.1
+  resolution: "http-cache-semantics@npm:4.1.1"
+  checksum: 83ac0bc60b17a3a36f9953e7be55e5c8f41acc61b22583060e8dedc9dd5e3607c823a88d0926f9150e571f90946835c7fe150732801010845c72cd8bbff1a236
+  languageName: node
+  linkType: hard
+
+"http-errors@npm:1.7.2":
+  version: 1.7.2
+  resolution: "http-errors@npm:1.7.2"
+  dependencies:
+    depd: ~1.1.2
+    inherits: 2.0.3
+    setprototypeof: 1.1.1
+    statuses: ">= 1.5.0 < 2"
+    toidentifier: 1.0.0
+  checksum: 5534b0ae08e77f5a45a2380f500e781f6580c4ff75b816cb1f09f99a290b57e78a518be6d866db1b48cca6b052c09da2c75fc91fb16a2fe3da3c44d9acbb9972
+  languageName: node
+  linkType: hard
+
+"http-errors@npm:2.0.0":
+  version: 2.0.0
+  resolution: "http-errors@npm:2.0.0"
+  dependencies:
+    depd: 2.0.0
+    inherits: 2.0.4
+    setprototypeof: 1.2.0
+    statuses: 2.0.1
+    toidentifier: 1.0.1
+  checksum: 9b0a3782665c52ce9dc658a0d1560bcb0214ba5699e4ea15aefb2a496e2ca83db03ebc42e1cce4ac1f413e4e0d2d736a3fd755772c556a9a06853ba2a0b7d920
+  languageName: node
+  linkType: hard
+
+"http-errors@npm:~1.6.2":
+  version: 1.6.3
+  resolution: "http-errors@npm:1.6.3"
+  dependencies:
+    depd: ~1.1.2
+    inherits: 2.0.3
+    setprototypeof: 1.1.0
+    statuses: ">= 1.4.0 < 2"
+  checksum: a9654ee027e3d5de305a56db1d1461f25709ac23267c6dc28cdab8323e3f96caa58a9a6a5e93ac15d7285cee0c2f019378c3ada9026e7fe19c872d695f27de7c
+  languageName: node
+  linkType: hard
+
+"http-errors@npm:~1.7.2":
+  version: 1.7.3
+  resolution: "http-errors@npm:1.7.3"
+  dependencies:
+    depd: ~1.1.2
+    inherits: 2.0.4
+    setprototypeof: 1.1.1
+    statuses: ">= 1.5.0 < 2"
+    toidentifier: 1.0.0
+  checksum: a59f359473f4b3ea78305beee90d186268d6075432622a46fb7483059068a2dd4c854a20ac8cd438883127e06afb78c1309168bde6cdfeed1e3700eb42487d99
+  languageName: node
+  linkType: hard
+
+"http-parser-js@npm:>=0.5.1":
+  version: 0.5.3
+  resolution: "http-parser-js@npm:0.5.3"
+  checksum: 6f3142c5f60ad995a6895a1dc4f70f8cef0910745366e97cbcb99caa604590dbcc11006b00989ad306837d6b820e9bfc6e801c4060ed19a0e4df83caa8577cb5
+  languageName: node
+  linkType: hard
+
+"http-proxy-agent@npm:^5.0.0":
+  version: 5.0.0
+  resolution: "http-proxy-agent@npm:5.0.0"
+  dependencies:
+    "@tootallnate/once": 2
+    agent-base: 6
+    debug: 4
+  checksum: e2ee1ff1656a131953839b2a19cd1f3a52d97c25ba87bd2559af6ae87114abf60971e498021f9b73f9fd78aea8876d1fb0d4656aac8a03c6caa9fc175f22b786
+  languageName: node
+  linkType: hard
+
+"http-proxy@npm:^1.13.1, http-proxy@npm:^1.18.1":
+  version: 1.18.1
+  resolution: "http-proxy@npm:1.18.1"
+  dependencies:
+    eventemitter3: ^4.0.0
+    follow-redirects: ^1.0.0
+    requires-port: ^1.0.0
+  checksum: f5bd96bf83e0b1e4226633dbb51f8b056c3e6321917df402deacec31dd7fe433914fc7a2c1831cf7ae21e69c90b3a669b8f434723e9e8b71fd68afe30737b6a5
+  languageName: node
+  linkType: hard
+
+"http-signature@npm:~1.2.0":
+  version: 1.2.0
+  resolution: "http-signature@npm:1.2.0"
+  dependencies:
+    assert-plus: ^1.0.0
+    jsprim: ^1.2.2
+    sshpk: ^1.7.0
+  checksum: 3324598712266a9683585bb84a75dec4fd550567d5e0dd4a0fff6ff3f74348793404d3eeac4918fa0902c810eeee1a86419e4a2e92a164132dfe6b26743fb47c
+  languageName: node
+  linkType: hard
+
+"https-browserify@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "https-browserify@npm:1.0.0"
+  checksum: 09b35353e42069fde2435760d13f8a3fb7dd9105e358270e2e225b8a94f811b461edd17cb57594e5f36ec1218f121c160ddceeec6e8be2d55e01dcbbbed8cbae
+  languageName: node
+  linkType: hard
+
+"https-proxy-agent@npm:^2.2.3":
+  version: 2.2.4
+  resolution: "https-proxy-agent@npm:2.2.4"
+  dependencies:
+    agent-base: ^4.3.0
+    debug: ^3.1.0
+  checksum: 5fa8eab256b117a8badb5747bedf8b3a9de1fbabdccb26ff3132385426fdc3ad3c8b092ce52a1b74c70229b971df623f4f5a0c17f78e6a8fe5d10fc65d6ed8b8
+  languageName: node
+  linkType: hard
+
+"https@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "https@npm:1.0.0"
+  checksum: ccea8a8363a018d4b241db7748cff3a85c9f5b71bf80639e9c37dc6823f590f35dda098b80b726930e9f945387c8bfd6b1461df25cab5bf65a31903d81875b5d
+  languageName: node
+  linkType: hard
+
+"human-signals@npm:^1.1.1":
+  version: 1.1.1
+  resolution: "human-signals@npm:1.1.1"
+  checksum: d587647c9e8ec24e02821b6be7de5a0fc37f591f6c4e319b3054b43fd4c35a70a94c46fc74d8c1a43c47fde157d23acd7421f375e1c1365b09a16835b8300205
+  languageName: node
+  linkType: hard
+
+"human-signals@npm:^2.1.0":
+  version: 2.1.0
+  resolution: "human-signals@npm:2.1.0"
+  checksum: b87fd89fce72391625271454e70f67fe405277415b48bcc0117ca73d31fa23a4241787afdc8d67f5a116cf37258c052f59ea82daffa72364d61351423848e3b8
+  languageName: node
+  linkType: hard
+
+"humanize-ms@npm:^1.2.1":
+  version: 1.2.1
+  resolution: "humanize-ms@npm:1.2.1"
+  dependencies:
+    ms: ^2.0.0
+  checksum: 9c7a74a2827f9294c009266c82031030eae811ca87b0da3dceb8d6071b9bde22c9f3daef0469c3c533cc67a97d8a167cd9fc0389350e5f415f61a79b171ded16
+  languageName: node
+  linkType: hard
+
+"iconv-lite@npm:0.4, iconv-lite@npm:0.4.24, iconv-lite@npm:^0.4.24":
+  version: 0.4.24
+  resolution: "iconv-lite@npm:0.4.24"
+  dependencies:
+    safer-buffer: ">= 2.1.2 < 3"
+  checksum: bd9f120f5a5b306f0bc0b9ae1edeb1577161503f5f8252a20f1a9e56ef8775c9959fd01c55f2d3a39d9a8abaf3e30c1abeb1895f367dcbbe0a8fd1c9ca01c4f6
+  languageName: node
+  linkType: hard
+
+"iconv-lite@npm:^0.6.2":
+  version: 0.6.3
+  resolution: "iconv-lite@npm:0.6.3"
+  dependencies:
+    safer-buffer: ">= 2.1.2 < 3.0.0"
+  checksum: 3f60d47a5c8fc3313317edfd29a00a692cc87a19cac0159e2ce711d0ebc9019064108323b5e493625e25594f11c6236647d8e256fbe7a58f4a3b33b89e6d30bf
+  languageName: node
+  linkType: hard
+
+"icss-utils@npm:^5.0.0, icss-utils@npm:^5.1.0":
+  version: 5.1.0
+  resolution: "icss-utils@npm:5.1.0"
+  peerDependencies:
+    postcss: ^8.1.0
+  checksum: 5c324d283552b1269cfc13a503aaaa172a280f914e5b81544f3803bc6f06a3b585fb79f66f7c771a2c052db7982c18bf92d001e3b47282e3abbbb4c4cc488d68
+  languageName: node
+  linkType: hard
+
+"ieee754@npm:^1.1.13, ieee754@npm:^1.1.4":
+  version: 1.2.1
+  resolution: "ieee754@npm:1.2.1"
+  checksum: 5144c0c9815e54ada181d80a0b810221a253562422e7c6c3a60b1901154184f49326ec239d618c416c1c5945a2e197107aee8d986a3dd836b53dffefd99b5e7e
+  languageName: node
+  linkType: hard
+
+"iferr@npm:^0.1.5":
+  version: 0.1.5
+  resolution: "iferr@npm:0.1.5"
+  checksum: a18d19b6ad06a2d5412c0d37f6364869393ef6d1688d59d00082c1f35c92399094c031798340612458cd832f4f2e8b13bc9615934a7d8b0c53061307a3816aa1
+  languageName: node
+  linkType: hard
+
+"ignore@npm:^5.1.1, ignore@npm:^5.1.4":
+  version: 5.1.8
+  resolution: "ignore@npm:5.1.8"
+  checksum: 967abadb61e2cb0e5c5e8c4e1686ab926f91bc1a4680d994b91947d3c65d04c3ae126dcdf67f08e0feeb8ff8407d453e641aeeddcc47a3a3cca359f283cf6121
+  languageName: node
+  linkType: hard
+
+"ignore@npm:^5.2.0":
+  version: 5.2.0
+  resolution: "ignore@npm:5.2.0"
+  checksum: 6b1f926792d614f64c6c83da3a1f9c83f6196c2839aa41e1e32dd7b8d174cef2e329d75caabb62cb61ce9dc432f75e67d07d122a037312db7caa73166a1bdb77
+  languageName: node
+  linkType: hard
+
+"ignore@npm:^5.2.4":
+  version: 5.2.4
+  resolution: "ignore@npm:5.2.4"
+  checksum: 3d4c309c6006e2621659311783eaea7ebcd41fe4ca1d78c91c473157ad6666a57a2df790fe0d07a12300d9aac2888204d7be8d59f9aaf665b1c7fcdb432517ef
+  languageName: node
+  linkType: hard
+
+"immutable@npm:^4.0.0":
+  version: 4.2.4
+  resolution: "immutable@npm:4.2.4"
+  checksum: 3be84eded37b05e65cad57bfba630bc1bf170c498b7472144bc02d2650cc9baef79daf03574a9c2e41d195ebb55a1c12c9b312f41ee324b653927b24ad8bcaa7
+  languageName: node
+  linkType: hard
+
+"import-fresh@npm:^3.0.0, import-fresh@npm:^3.2.1":
+  version: 3.3.0
+  resolution: "import-fresh@npm:3.3.0"
+  dependencies:
+    parent-module: ^1.0.0
+    resolve-from: ^4.0.0
+  checksum: 2cacfad06e652b1edc50be650f7ec3be08c5e5a6f6d12d035c440a42a8cc028e60a5b99ca08a77ab4d6b1346da7d971915828f33cdab730d3d42f08242d09baa
+  languageName: node
+  linkType: hard
+
+"import-lazy@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "import-lazy@npm:4.0.0"
+  checksum: 22f5e51702134aef78890156738454f620e5fe7044b204ebc057c614888a1dd6fdf2ede0fdcca44d5c173fd64f65c985f19a51775b06967ef58cc3d26898df07
+  languageName: node
+  linkType: hard
+
+"imurmurhash@npm:^0.1.4":
+  version: 0.1.4
+  resolution: "imurmurhash@npm:0.1.4"
+  checksum: 7cae75c8cd9a50f57dadd77482359f659eaebac0319dd9368bcd1714f55e65badd6929ca58569da2b6494ef13fdd5598cd700b1eba23f8b79c5f19d195a3ecf7
+  languageName: node
+  linkType: hard
+
+"include-path-searcher@npm:^0.1.0":
+  version: 0.1.0
+  resolution: "include-path-searcher@npm:0.1.0"
+  checksum: c391eea6047851c926bfc4231b104d33a3b6b465c2c55fff2e8af964a1a1c1aa1d20e77fdb2f288df6ffa3b9bbbda2cfb5cbf01cda2394c856a4988ce05b7bb7
+  languageName: node
+  linkType: hard
+
+"indent-string@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "indent-string@npm:4.0.0"
+  checksum: 824cfb9929d031dabf059bebfe08cf3137365e112019086ed3dcff6a0a7b698cb80cf67ccccde0e25b9e2d7527aa6cc1fed1ac490c752162496caba3e6699612
+  languageName: node
+  linkType: hard
+
+"indent-string@npm:^5.0.0":
+  version: 5.0.0
+  resolution: "indent-string@npm:5.0.0"
+  checksum: e466c27b6373440e6d84fbc19e750219ce25865cb82d578e41a6053d727e5520dc5725217d6eb1cc76005a1bb1696a0f106d84ce7ebda3033b963a38583fb3b3
+  languageName: node
+  linkType: hard
+
+"infer-owner@npm:^1.0.3, infer-owner@npm:^1.0.4":
+  version: 1.0.4
+  resolution: "infer-owner@npm:1.0.4"
+  checksum: 181e732764e4a0611576466b4b87dac338972b839920b2a8cde43642e4ed6bd54dc1fb0b40874728f2a2df9a1b097b8ff83b56d5f8f8e3927f837fdcb47d8a89
+  languageName: node
+  linkType: hard
+
+"inflected@npm:^2.0.4":
+  version: 2.1.0
+  resolution: "inflected@npm:2.1.0"
+  checksum: 1e3fb2d24ec6c774977dd5ed884c6097b6525f66edecfdca0845ab4023d35f02af1057de50cd69cdc5829d0bd5ba69fd7fb41d4d8abdf85ee243bf2bbf65995d
+  languageName: node
+  linkType: hard
+
+"inflection@npm:^1.13.2":
+  version: 1.13.2
+  resolution: "inflection@npm:1.13.2"
+  checksum: e7ad0559384ed7c526813404bde843f8f17941d47625ad60fc3b09e46efde873dd9840818007c6bd4dbe388e6248fa033d5a8c405c5fc62738c51b118a0e940f
+  languageName: node
+  linkType: hard
+
+"inflection@npm:^2.0.1, inflection@npm:~2.0.0":
+  version: 2.0.1
+  resolution: "inflection@npm:2.0.1"
+  checksum: bb095b495e10a77afc043cc349ae0f7c8c53e4d1fbcd7781111c18d17bde87ce31ea08bd883774bcbb2ff50c301dd4835b5448c80eb50b5e4e080165b6030f3b
+  languageName: node
+  linkType: hard
+
+"inflight@npm:^1.0.4":
+  version: 1.0.6
+  resolution: "inflight@npm:1.0.6"
+  dependencies:
+    once: ^1.3.0
+    wrappy: 1
+  checksum: f4f76aa072ce19fae87ce1ef7d221e709afb59d445e05d47fba710e85470923a75de35bfae47da6de1b18afc3ce83d70facf44cfb0aff89f0a3f45c0a0244dfd
+  languageName: node
+  linkType: hard
+
+"inherits@npm:2, inherits@npm:2.0.4, inherits@npm:^2.0.1, inherits@npm:^2.0.3, inherits@npm:^2.0.4, inherits@npm:~2.0.1, inherits@npm:~2.0.3":
+  version: 2.0.4
+  resolution: "inherits@npm:2.0.4"
+  checksum: 4a48a733847879d6cf6691860a6b1e3f0f4754176e4d71494c41f3475553768b10f84b5ce1d40fbd0e34e6bfbb864ee35858ad4dd2cf31e02fc4a154b724d7f1
+  languageName: node
+  linkType: hard
+
+"inherits@npm:2.0.1":
+  version: 2.0.1
+  resolution: "inherits@npm:2.0.1"
+  checksum: 6536b9377296d4ce8ee89c5c543cb75030934e61af42dba98a428e7d026938c5985ea4d1e3b87743a5b834f40ed1187f89c2d7479e9d59e41d2d1051aefba07b
+  languageName: node
+  linkType: hard
+
+"inherits@npm:2.0.3":
+  version: 2.0.3
+  resolution: "inherits@npm:2.0.3"
+  checksum: 78cb8d7d850d20a5e9a7f3620db31483aa00ad5f722ce03a55b110e5a723539b3716a3b463e2b96ce3fe286f33afc7c131fa2f91407528ba80cea98a7545d4c0
+  languageName: node
+  linkType: hard
+
+"ini@npm:^1.3.6":
+  version: 1.3.8
+  resolution: "ini@npm:1.3.8"
+  checksum: dfd98b0ca3a4fc1e323e38a6c8eb8936e31a97a918d3b377649ea15bdb15d481207a0dda1021efbd86b464cae29a0d33c1d7dcaf6c5672bee17fa849bc50a1b3
+  languageName: node
+  linkType: hard
+
+"inline-source-map-comment@npm:^1.0.5":
+  version: 1.0.5
+  resolution: "inline-source-map-comment@npm:1.0.5"
+  dependencies:
+    chalk: ^1.0.0
+    get-stdin: ^4.0.1
+    minimist: ^1.1.1
+    sum-up: ^1.0.1
+    xtend: ^4.0.0
+  bin:
+    inline-source-map-comment: cli.js
+  checksum: 0eedf1c77d35cddc89e17d5b738c273471a50521c2103dde056e36460a1bcb747bc2eb5a7de052ded5e26f23154064232d1a29f5116dd273610ed6ab03179ede
+  languageName: node
+  linkType: hard
+
+"inquirer@npm:^6":
+  version: 6.5.2
+  resolution: "inquirer@npm:6.5.2"
+  dependencies:
+    ansi-escapes: ^3.2.0
+    chalk: ^2.4.2
+    cli-cursor: ^2.1.0
+    cli-width: ^2.0.0
+    external-editor: ^3.0.3
+    figures: ^2.0.0
+    lodash: ^4.17.12
+    mute-stream: 0.0.7
+    run-async: ^2.2.0
+    rxjs: ^6.4.0
+    string-width: ^2.1.0
+    strip-ansi: ^5.1.0
+    through: ^2.3.6
+  checksum: 175ad4cd1ebed493b231b240185f1da5afeace5f4e8811dfa83cf55dcae59c3255eaed990aa71871b0fd31aa9dc212f43c44c50ed04fb529364405e72f484d28
+  languageName: node
+  linkType: hard
+
+"inquirer@npm:^7.3.3":
+  version: 7.3.3
+  resolution: "inquirer@npm:7.3.3"
+  dependencies:
+    ansi-escapes: ^4.2.1
+    chalk: ^4.1.0
+    cli-cursor: ^3.1.0
+    cli-width: ^3.0.0
+    external-editor: ^3.0.3
+    figures: ^3.0.0
+    lodash: ^4.17.19
+    mute-stream: 0.0.8
+    run-async: ^2.4.0
+    rxjs: ^6.6.0
+    string-width: ^4.1.0
+    strip-ansi: ^6.0.0
+    through: ^2.3.6
+  checksum: 4d387fc1eb6126acbd58cbdb9ad99d2887d181df86ab0c2b9abdf734e751093e2d5882c2b6dc7144d9ab16b7ab30a78a1d7f01fb6a2850a44aeb175d1e3f8778
+  languageName: node
+  linkType: hard
+
+"inquirer@npm:^8.2.1":
+  version: 8.2.5
+  resolution: "inquirer@npm:8.2.5"
+  dependencies:
+    ansi-escapes: ^4.2.1
+    chalk: ^4.1.1
+    cli-cursor: ^3.1.0
+    cli-width: ^3.0.0
+    external-editor: ^3.0.3
+    figures: ^3.0.0
+    lodash: ^4.17.21
+    mute-stream: 0.0.8
+    ora: ^5.4.1
+    run-async: ^2.4.0
+    rxjs: ^7.5.5
+    string-width: ^4.1.0
+    strip-ansi: ^6.0.0
+    through: ^2.3.6
+    wrap-ansi: ^7.0.0
+  checksum: f13ee4c444187786fb393609dedf6b30870115a57b603f2e6424f29a99abc13446fd45ee22461c33c9c40a92a60a8df62d0d6b25d74fc6676fa4cb211de55b55
+  languageName: node
+  linkType: hard
+
+"internal-slot@npm:^1.0.3":
+  version: 1.0.3
+  resolution: "internal-slot@npm:1.0.3"
+  dependencies:
+    get-intrinsic: ^1.1.0
+    has: ^1.0.3
+    side-channel: ^1.0.4
+  checksum: 1944f92e981e47aebc98a88ff0db579fd90543d937806104d0b96557b10c1f170c51fb777b97740a8b6ddeec585fca8c39ae99fd08a8e058dfc8ab70937238bf
+  languageName: node
+  linkType: hard
+
+"internal-slot@npm:^1.0.4, internal-slot@npm:^1.0.5":
+  version: 1.0.5
+  resolution: "internal-slot@npm:1.0.5"
+  dependencies:
+    get-intrinsic: ^1.2.0
+    has: ^1.0.3
+    side-channel: ^1.0.4
+  checksum: 97e84046bf9e7574d0956bd98d7162313ce7057883b6db6c5c7b5e5f05688864b0978ba07610c726d15d66544ffe4b1050107d93f8a39ebc59b15d8b429b497a
+  languageName: node
+  linkType: hard
+
+"invariant@npm:^2.2.2":
+  version: 2.2.4
+  resolution: "invariant@npm:2.2.4"
+  dependencies:
+    loose-envify: ^1.0.0
+  checksum: cc3182d793aad82a8d1f0af697b462939cb46066ec48bbf1707c150ad5fad6406137e91a262022c269702e01621f35ef60269f6c0d7fd178487959809acdfb14
+  languageName: node
+  linkType: hard
+
+"invert-kv@npm:^3.0.0":
+  version: 3.0.1
+  resolution: "invert-kv@npm:3.0.1"
+  checksum: 782c44c97f8b693006f5ba0995301754bf68d2160ec98fc34d96b266e2c28cc0c91d86c341ca058fe993bc3dd91f104f776a40f04b6c75254a9a1a0d716ac814
+  languageName: node
+  linkType: hard
+
+"ip@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "ip@npm:2.0.0"
+  checksum: cfcfac6b873b701996d71ec82a7dd27ba92450afdb421e356f44044ed688df04567344c36cbacea7d01b1c39a4c732dc012570ebe9bebfb06f27314bca625349
+  languageName: node
+  linkType: hard
+
+"ipaddr.js@npm:1.9.1":
+  version: 1.9.1
+  resolution: "ipaddr.js@npm:1.9.1"
+  checksum: f88d3825981486f5a1942414c8d77dd6674dd71c065adcfa46f578d677edcb99fda25af42675cb59db492fdf427b34a5abfcde3982da11a8fd83a500b41cfe77
+  languageName: node
+  linkType: hard
+
+"is-accessor-descriptor@npm:^0.1.6":
+  version: 0.1.6
+  resolution: "is-accessor-descriptor@npm:0.1.6"
+  dependencies:
+    kind-of: ^3.0.2
+  checksum: 3d629a086a9585bc16a83a8e8a3416f400023301855cafb7ccc9a1d63145b7480f0ad28877dcc2cce09492c4ec1c39ef4c071996f24ee6ac626be4217b8ffc8a
+  languageName: node
+  linkType: hard
+
+"is-accessor-descriptor@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "is-accessor-descriptor@npm:1.0.0"
+  dependencies:
+    kind-of: ^6.0.0
+  checksum: 8e475968e9b22f9849343c25854fa24492dbe8ba0dea1a818978f9f1b887339190b022c9300d08c47fe36f1b913d70ce8cbaca00369c55a56705fdb7caed37fe
+  languageName: node
+  linkType: hard
+
+"is-alphabetical@npm:^1.0.0":
+  version: 1.0.4
+  resolution: "is-alphabetical@npm:1.0.4"
+  checksum: 6508cce44fd348f06705d377b260974f4ce68c74000e7da4045f0d919e568226dc3ce9685c5a2af272195384df6930f748ce9213fc9f399b5d31b362c66312cb
+  languageName: node
+  linkType: hard
+
+"is-alphanumerical@npm:^1.0.0":
+  version: 1.0.4
+  resolution: "is-alphanumerical@npm:1.0.4"
+  dependencies:
+    is-alphabetical: ^1.0.0
+    is-decimal: ^1.0.0
+  checksum: e2e491acc16fcf5b363f7c726f666a9538dba0a043665740feb45bba1652457a73441e7c5179c6768a638ed396db3437e9905f403644ec7c468fb41f4813d03f
+  languageName: node
+  linkType: hard
+
+"is-arguments@npm:^1.1.1":
+  version: 1.1.1
+  resolution: "is-arguments@npm:1.1.1"
+  dependencies:
+    call-bind: ^1.0.2
+    has-tostringtag: ^1.0.0
+  checksum: 7f02700ec2171b691ef3e4d0e3e6c0ba408e8434368504bb593d0d7c891c0dbfda6d19d30808b904a6cb1929bca648c061ba438c39f296c2a8ca083229c49f27
+  languageName: node
+  linkType: hard
+
+"is-array-buffer@npm:^3.0.1, is-array-buffer@npm:^3.0.2":
+  version: 3.0.2
+  resolution: "is-array-buffer@npm:3.0.2"
+  dependencies:
+    call-bind: ^1.0.2
+    get-intrinsic: ^1.2.0
+    is-typed-array: ^1.1.10
+  checksum: dcac9dda66ff17df9cabdc58214172bf41082f956eab30bb0d86bc0fab1e44b690fc8e1f855cf2481245caf4e8a5a006a982a71ddccec84032ed41f9d8da8c14
+  languageName: node
+  linkType: hard
+
+"is-arrayish@npm:^0.2.1":
+  version: 0.2.1
+  resolution: "is-arrayish@npm:0.2.1"
+  checksum: eef4417e3c10e60e2c810b6084942b3ead455af16c4509959a27e490e7aee87cfb3f38e01bbde92220b528a0ee1a18d52b787e1458ee86174d8c7f0e58cd488f
+  languageName: node
+  linkType: hard
+
+"is-bigint@npm:^1.0.1":
+  version: 1.0.4
+  resolution: "is-bigint@npm:1.0.4"
+  dependencies:
+    has-bigints: ^1.0.1
+  checksum: c56edfe09b1154f8668e53ebe8252b6f185ee852a50f9b41e8d921cb2bed425652049fbe438723f6cb48a63ca1aa051e948e7e401e093477c99c84eba244f666
+  languageName: node
+  linkType: hard
+
+"is-binary-path@npm:^1.0.0":
+  version: 1.0.1
+  resolution: "is-binary-path@npm:1.0.1"
+  dependencies:
+    binary-extensions: ^1.0.0
+  checksum: a803c99e9d898170c3b44a86fbdc0736d3d7fcbe737345433fb78e810b9fe30c982657782ad0e676644ba4693ddf05601a7423b5611423218663d6b533341ac9
+  languageName: node
+  linkType: hard
+
+"is-binary-path@npm:~2.1.0":
+  version: 2.1.0
+  resolution: "is-binary-path@npm:2.1.0"
+  dependencies:
+    binary-extensions: ^2.0.0
+  checksum: 84192eb88cff70d320426f35ecd63c3d6d495da9d805b19bc65b518984b7c0760280e57dbf119b7e9be6b161784a5a673ab2c6abe83abb5198a432232ad5b35c
+  languageName: node
+  linkType: hard
+
+"is-boolean-object@npm:^1.1.0":
+  version: 1.1.2
+  resolution: "is-boolean-object@npm:1.1.2"
+  dependencies:
+    call-bind: ^1.0.2
+    has-tostringtag: ^1.0.0
+  checksum: c03b23dbaacadc18940defb12c1c0e3aaece7553ef58b162a0f6bba0c2a7e1551b59f365b91e00d2dbac0522392d576ef322628cb1d036a0fe51eb466db67222
+  languageName: node
+  linkType: hard
+
+"is-buffer@npm:^2.0.0":
+  version: 2.0.5
+  resolution: "is-buffer@npm:2.0.5"
+  checksum: 764c9ad8b523a9f5a32af29bdf772b08eb48c04d2ad0a7240916ac2688c983bf5f8504bf25b35e66240edeb9d9085461f9b5dae1f3d2861c6b06a65fe983de42
+  languageName: node
+  linkType: hard
+
+"is-callable@npm:^1.1.3, is-callable@npm:^1.2.7":
+  version: 1.2.7
+  resolution: "is-callable@npm:1.2.7"
+  checksum: 61fd57d03b0d984e2ed3720fb1c7a897827ea174bd44402878e059542ea8c4aeedee0ea0985998aa5cc2736b2fa6e271c08587addb5b3959ac52cf665173d1ac
+  languageName: node
+  linkType: hard
+
+"is-callable@npm:^1.1.4, is-callable@npm:^1.2.3, is-callable@npm:^1.2.4":
+  version: 1.2.4
+  resolution: "is-callable@npm:1.2.4"
+  checksum: 1a28d57dc435797dae04b173b65d6d1e77d4f16276e9eff973f994eadcfdc30a017e6a597f092752a083c1103cceb56c91e3dadc6692fedb9898dfaba701575f
+  languageName: node
+  linkType: hard
+
+"is-core-module@npm:^2.11.0, is-core-module@npm:^2.12.0, is-core-module@npm:^2.5.0":
+  version: 2.12.1
+  resolution: "is-core-module@npm:2.12.1"
+  dependencies:
+    has: ^1.0.3
+  checksum: f04ea30533b5e62764e7b2e049d3157dc0abd95ef44275b32489ea2081176ac9746ffb1cdb107445cf1ff0e0dfcad522726ca27c27ece64dadf3795428b8e468
+  languageName: node
+  linkType: hard
+
+"is-core-module@npm:^2.2.0":
+  version: 2.8.0
+  resolution: "is-core-module@npm:2.8.0"
+  dependencies:
+    has: ^1.0.3
+  checksum: f8b52714891e1a6c6577fcb8d5e057bab064a7a30954aab6beb5092e311473eb8da57afd334de4981dc32409ffca998412efc3a2edceb9e397cef6098d21dd91
+  languageName: node
+  linkType: hard
+
+"is-core-module@npm:^2.8.1":
+  version: 2.8.1
+  resolution: "is-core-module@npm:2.8.1"
+  dependencies:
+    has: ^1.0.3
+  checksum: 418b7bc10768a73c41c7ef497e293719604007f88934a6ffc5f7c78702791b8528102fb4c9e56d006d69361549b3d9519440214a74aefc7e0b79e5e4411d377f
+  languageName: node
+  linkType: hard
+
+"is-data-descriptor@npm:^0.1.4":
+  version: 0.1.4
+  resolution: "is-data-descriptor@npm:0.1.4"
+  dependencies:
+    kind-of: ^3.0.2
+  checksum: 5c622e078ba933a78338ae398a3d1fc5c23332b395312daf4f74bab4afb10d061cea74821add726cb4db8b946ba36217ee71a24fe71dd5bca4632edb7f6aad87
+  languageName: node
+  linkType: hard
+
+"is-data-descriptor@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "is-data-descriptor@npm:1.0.0"
+  dependencies:
+    kind-of: ^6.0.0
+  checksum: e705e6816241c013b05a65dc452244ee378d1c3e3842bd140beabe6e12c0d700ef23c91803f971aa7b091fb0573c5da8963af34a2b573337d87bc3e1f53a4e6d
+  languageName: node
+  linkType: hard
+
+"is-date-object@npm:^1.0.1, is-date-object@npm:^1.0.5":
+  version: 1.0.5
+  resolution: "is-date-object@npm:1.0.5"
+  dependencies:
+    has-tostringtag: ^1.0.0
+  checksum: baa9077cdf15eb7b58c79398604ca57379b2fc4cf9aa7a9b9e295278648f628c9b201400c01c5e0f7afae56507d741185730307cbe7cad3b9f90a77e5ee342fc
+  languageName: node
+  linkType: hard
+
+"is-decimal@npm:^1.0.0":
+  version: 1.0.4
+  resolution: "is-decimal@npm:1.0.4"
+  checksum: ed483a387517856dc395c68403a10201fddcc1b63dc56513fbe2fe86ab38766120090ecdbfed89223d84ca8b1cd28b0641b93cb6597b6e8f4c097a7c24e3fb96
+  languageName: node
+  linkType: hard
+
+"is-descriptor@npm:^0.1.0":
+  version: 0.1.6
+  resolution: "is-descriptor@npm:0.1.6"
+  dependencies:
+    is-accessor-descriptor: ^0.1.6
+    is-data-descriptor: ^0.1.4
+    kind-of: ^5.0.0
+  checksum: 0f780c1b46b465f71d970fd7754096ffdb7b69fd8797ca1f5069c163eaedcd6a20ec4a50af669075c9ebcfb5266d2e53c8b227e485eefdb0d1fee09aa1dd8ab6
+  languageName: node
+  linkType: hard
+
+"is-descriptor@npm:^1.0.0, is-descriptor@npm:^1.0.2":
+  version: 1.0.2
+  resolution: "is-descriptor@npm:1.0.2"
+  dependencies:
+    is-accessor-descriptor: ^1.0.0
+    is-data-descriptor: ^1.0.0
+    kind-of: ^6.0.2
+  checksum: 2ed623560bee035fb67b23e32ce885700bef8abe3fbf8c909907d86507b91a2c89a9d3a4d835a4d7334dd5db0237a0aeae9ca109c1e4ef1c0e7b577c0846ab5a
+  languageName: node
+  linkType: hard
+
+"is-docker@npm:^2.0.0":
+  version: 2.2.1
+  resolution: "is-docker@npm:2.2.1"
+  bin:
+    is-docker: cli.js
+  checksum: 3fef7ddbf0be25958e8991ad941901bf5922ab2753c46980b60b05c1bf9c9c2402d35e6dc32e4380b980ef5e1970a5d9d5e5aa2e02d77727c3b6b5e918474c56
+  languageName: node
+  linkType: hard
+
+"is-extendable@npm:^0.1.0, is-extendable@npm:^0.1.1":
+  version: 0.1.1
+  resolution: "is-extendable@npm:0.1.1"
+  checksum: 3875571d20a7563772ecc7a5f36cb03167e9be31ad259041b4a8f73f33f885441f778cee1f1fe0085eb4bc71679b9d8c923690003a36a6a5fdf8023e6e3f0672
+  languageName: node
+  linkType: hard
+
+"is-extendable@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "is-extendable@npm:1.0.1"
+  dependencies:
+    is-plain-object: ^2.0.4
+  checksum: db07bc1e9de6170de70eff7001943691f05b9d1547730b11be01c0ebfe67362912ba743cf4be6fd20a5e03b4180c685dad80b7c509fe717037e3eee30ad8e84f
+  languageName: node
+  linkType: hard
+
+"is-extglob@npm:^2.1.0, is-extglob@npm:^2.1.1":
+  version: 2.1.1
+  resolution: "is-extglob@npm:2.1.1"
+  checksum: df033653d06d0eb567461e58a7a8c9f940bd8c22274b94bf7671ab36df5719791aae15eef6d83bbb5e23283967f2f984b8914559d4449efda578c775c4be6f85
+  languageName: node
+  linkType: hard
+
+"is-finite@npm:^1.0.0":
+  version: 1.1.0
+  resolution: "is-finite@npm:1.1.0"
+  checksum: 532b97ed3d03e04c6bd203984d9e4ba3c0c390efee492bad5d1d1cd1802a68ab27adbd3ef6382f6312bed6c8bb1bd3e325ea79a8dc8fe080ed7a06f5f97b93e7
+  languageName: node
+  linkType: hard
+
+"is-fullwidth-code-point@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "is-fullwidth-code-point@npm:2.0.0"
+  checksum: eef9c6e15f68085fec19ff6a978a6f1b8f48018fd1265035552078ee945573594933b09bbd6f562553e2a241561439f1ef5339276eba68d272001343084cfab8
+  languageName: node
+  linkType: hard
+
+"is-fullwidth-code-point@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "is-fullwidth-code-point@npm:3.0.0"
+  checksum: 44a30c29457c7fb8f00297bce733f0a64cd22eca270f83e58c105e0d015e45c019491a4ab2faef91ab51d4738c670daff901c799f6a700e27f7314029e99e348
+  languageName: node
+  linkType: hard
+
+"is-git-url@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "is-git-url@npm:1.0.0"
+  checksum: 77d8a147ca57cca1544e3a363400bece8e1d765d3da245e38262654281aeb4c97a3c798868cf8931a2ed51bb413611f98c113d3ce5d4f8eb9e98139e2fb435c1
+  languageName: node
+  linkType: hard
+
+"is-glob@npm:^3.1.0":
+  version: 3.1.0
+  resolution: "is-glob@npm:3.1.0"
+  dependencies:
+    is-extglob: ^2.1.0
+  checksum: 9d483bca84f16f01230f7c7c8c63735248fe1064346f292e0f6f8c76475fd20c6f50fc19941af5bec35f85d6bf26f4b7768f39a48a5f5fdc72b408dc74e07afc
+  languageName: node
+  linkType: hard
+
+"is-glob@npm:^4.0.0, is-glob@npm:^4.0.1, is-glob@npm:~4.0.1":
+  version: 4.0.1
+  resolution: "is-glob@npm:4.0.1"
+  dependencies:
+    is-extglob: ^2.1.1
+  checksum: 84627cad11b4e745f5db5a163f32c47b711585a5ff6e14f8f8d026db87f4cdd3e2c95f6fa1f94ad22e469f36d819ae2814f03f9c668b164422ac3354a94672d3
+  languageName: node
+  linkType: hard
+
+"is-glob@npm:^4.0.3":
+  version: 4.0.3
+  resolution: "is-glob@npm:4.0.3"
+  dependencies:
+    is-extglob: ^2.1.1
+  checksum: d381c1319fcb69d341cc6e6c7cd588e17cd94722d9a32dbd60660b993c4fb7d0f19438674e68dfec686d09b7c73139c9166b47597f846af387450224a8101ab4
+  languageName: node
+  linkType: hard
+
+"is-hexadecimal@npm:^1.0.0":
+  version: 1.0.4
+  resolution: "is-hexadecimal@npm:1.0.4"
+  checksum: a452e047587b6069332d83130f54d30da4faf2f2ebaa2ce6d073c27b5703d030d58ed9e0b729c8e4e5b52c6f1dab26781bb77b7bc6c7805f14f320e328ff8cd5
+  languageName: node
+  linkType: hard
+
+"is-interactive@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "is-interactive@npm:1.0.0"
+  checksum: 824808776e2d468b2916cdd6c16acacebce060d844c35ca6d82267da692e92c3a16fdba624c50b54a63f38bdc4016055b6f443ce57d7147240de4f8cdabaf6f9
+  languageName: node
+  linkType: hard
+
+"is-lambda@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "is-lambda@npm:1.0.1"
+  checksum: 93a32f01940220532e5948538699ad610d5924ac86093fcee83022252b363eb0cc99ba53ab084a04e4fb62bf7b5731f55496257a4c38adf87af9c4d352c71c35
+  languageName: node
+  linkType: hard
+
+"is-language-code@npm:^3.1.0":
+  version: 3.1.0
+  resolution: "is-language-code@npm:3.1.0"
+  dependencies:
+    "@babel/runtime": ^7.14.0
+  checksum: 97d2cd7ce00c32721bd1c6b4dccbe775c145612f70f57f384400ee18c49697ab810893a64daf73a9baf07f5f373f241c90fad0e7c8e99c104add114ae5604ee5
+  languageName: node
+  linkType: hard
+
+"is-map@npm:^2.0.1, is-map@npm:^2.0.2":
+  version: 2.0.2
+  resolution: "is-map@npm:2.0.2"
+  checksum: ace3d0ecd667bbdefdb1852de601268f67f2db725624b1958f279316e13fecb8fa7df91fd60f690d7417b4ec180712f5a7ee967008e27c65cfd475cc84337728
+  languageName: node
+  linkType: hard
+
+"is-negative-zero@npm:^2.0.1":
+  version: 2.0.1
+  resolution: "is-negative-zero@npm:2.0.1"
+  checksum: a46f2e0cb5e16fdb8f2011ed488979386d7e68d381966682e3f4c98fc126efe47f26827912baca2d06a02a644aee458b9cba307fb389f6b161e759125db7a3b8
+  languageName: node
+  linkType: hard
+
+"is-negative-zero@npm:^2.0.2":
+  version: 2.0.2
+  resolution: "is-negative-zero@npm:2.0.2"
+  checksum: f3232194c47a549da60c3d509c9a09be442507616b69454716692e37ae9f37c4dea264fb208ad0c9f3efd15a796a46b79df07c7e53c6227c32170608b809149a
+  languageName: node
+  linkType: hard
+
+"is-number-object@npm:^1.0.4":
+  version: 1.0.6
+  resolution: "is-number-object@npm:1.0.6"
+  dependencies:
+    has-tostringtag: ^1.0.0
+  checksum: c697704e8fc2027fc41cb81d29805de4e8b6dc9c3efee93741dbf126a8ecc8443fef85adbc581415ae7e55d325e51d0a942324ae35c829131748cce39cba55f3
+  languageName: node
+  linkType: hard
+
+"is-number@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "is-number@npm:3.0.0"
+  dependencies:
+    kind-of: ^3.0.2
+  checksum: 0c62bf8e9d72c4dd203a74d8cfc751c746e75513380fef420cda8237e619a988ee43e678ddb23c87ac24d91ac0fe9f22e4ffb1301a50310c697e9d73ca3994e9
+  languageName: node
+  linkType: hard
+
+"is-number@npm:^7.0.0":
+  version: 7.0.0
+  resolution: "is-number@npm:7.0.0"
+  checksum: 456ac6f8e0f3111ed34668a624e45315201dff921e5ac181f8ec24923b99e9f32ca1a194912dc79d539c97d33dba17dc635202ff0b2cf98326f608323276d27a
+  languageName: node
+  linkType: hard
+
+"is-obj@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "is-obj@npm:1.0.1"
+  checksum: 3ccf0efdea12951e0b9c784e2b00e77e87b2f8bd30b42a498548a8afcc11b3287342a2030c308e473e93a7a19c9ea7854c99a8832a476591c727df2a9c79796c
+  languageName: node
+  linkType: hard
+
+"is-obj@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "is-obj@npm:2.0.0"
+  checksum: c9916ac8f4621962a42f5e80e7ffdb1d79a3fab7456ceaeea394cd9e0858d04f985a9ace45be44433bf605673c8be8810540fe4cc7f4266fc7526ced95af5a08
+  languageName: node
+  linkType: hard
+
+"is-path-inside@npm:^3.0.3":
+  version: 3.0.3
+  resolution: "is-path-inside@npm:3.0.3"
+  checksum: abd50f06186a052b349c15e55b182326f1936c89a78bf6c8f2b707412517c097ce04bc49a0ca221787bc44e1049f51f09a2ffb63d22899051988d3a618ba13e9
+  languageName: node
+  linkType: hard
+
+"is-plain-obj@npm:2.1.0, is-plain-obj@npm:^2.0.0":
+  version: 2.1.0
+  resolution: "is-plain-obj@npm:2.1.0"
+  checksum: cec9100678b0a9fe0248a81743041ed990c2d4c99f893d935545cfbc42876cbe86d207f3b895700c690ad2fa520e568c44afc1605044b535a7820c1d40e38daa
+  languageName: node
+  linkType: hard
+
+"is-plain-obj@npm:^1.1.0":
+  version: 1.1.0
+  resolution: "is-plain-obj@npm:1.1.0"
+  checksum: 0ee04807797aad50859652a7467481816cbb57e5cc97d813a7dcd8915da8195dc68c436010bf39d195226cde6a2d352f4b815f16f26b7bf486a5754290629931
+  languageName: node
+  linkType: hard
+
+"is-plain-object@npm:^2.0.3, is-plain-object@npm:^2.0.4":
+  version: 2.0.4
+  resolution: "is-plain-object@npm:2.0.4"
+  dependencies:
+    isobject: ^3.0.1
+  checksum: 2a401140cfd86cabe25214956ae2cfee6fbd8186809555cd0e84574f88de7b17abacb2e477a6a658fa54c6083ecbda1e6ae404c7720244cd198903848fca70ca
+  languageName: node
+  linkType: hard
+
+"is-plain-object@npm:^5.0.0":
+  version: 5.0.0
+  resolution: "is-plain-object@npm:5.0.0"
+  checksum: e32d27061eef62c0847d303125440a38660517e586f2f3db7c9d179ae5b6674ab0f469d519b2e25c147a1a3bc87156d0d5f4d8821e0ce4a9ee7fe1fcf11ce45c
+  languageName: node
+  linkType: hard
+
+"is-potential-custom-element-name@npm:^1.0.0":
+  version: 1.0.1
+  resolution: "is-potential-custom-element-name@npm:1.0.1"
+  checksum: ced7bbbb6433a5b684af581872afe0e1767e2d1146b2207ca0068a648fb5cab9d898495d1ac0583524faaf24ca98176a7d9876363097c2d14fee6dd324f3a1ab
+  languageName: node
+  linkType: hard
+
+"is-reference@npm:^1.1.0":
+  version: 1.2.1
+  resolution: "is-reference@npm:1.2.1"
+  dependencies:
+    "@types/estree": "*"
+  checksum: e7b48149f8abda2c10849ea51965904d6a714193d68942ad74e30522231045acf06cbfae5a4be2702fede5d232e61bf50b3183acdc056e6e3afe07fcf4f4b2bc
+  languageName: node
+  linkType: hard
+
+"is-regex@npm:^1.1.2, is-regex@npm:^1.1.4":
+  version: 1.1.4
+  resolution: "is-regex@npm:1.1.4"
+  dependencies:
+    call-bind: ^1.0.2
+    has-tostringtag: ^1.0.0
+  checksum: 362399b33535bc8f386d96c45c9feb04cf7f8b41c182f54174c1a45c9abbbe5e31290bbad09a458583ff6bf3b2048672cdb1881b13289569a7c548370856a652
+  languageName: node
+  linkType: hard
+
+"is-regexp@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "is-regexp@npm:1.0.0"
+  checksum: be692828e24cba479ec33644326fa98959ec68ba77965e0291088c1a741feaea4919d79f8031708f85fd25e39de002b4520622b55460660b9c369e6f7187faef
+  languageName: node
+  linkType: hard
+
+"is-set@npm:^2.0.1, is-set@npm:^2.0.2":
+  version: 2.0.2
+  resolution: "is-set@npm:2.0.2"
+  checksum: b64343faf45e9387b97a6fd32be632ee7b269bd8183701f3b3f5b71a7cf00d04450ed8669d0bd08753e08b968beda96fca73a10fd0ff56a32603f64deba55a57
+  languageName: node
+  linkType: hard
+
+"is-shared-array-buffer@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "is-shared-array-buffer@npm:1.0.1"
+  checksum: 2ffb92533e64e2876e6cfe6906871d28400b6f1a53130fe652ec8007bc0e5044d05e7af8e31bdc992fbba520bd92938cfbeedd0f286be92f250c7c76191c4d90
+  languageName: node
+  linkType: hard
+
+"is-shared-array-buffer@npm:^1.0.2":
+  version: 1.0.2
+  resolution: "is-shared-array-buffer@npm:1.0.2"
+  dependencies:
+    call-bind: ^1.0.2
+  checksum: 9508929cf14fdc1afc9d61d723c6e8d34f5e117f0bffda4d97e7a5d88c3a8681f633a74f8e3ad1fe92d5113f9b921dc5ca44356492079612f9a247efbce7032a
+  languageName: node
+  linkType: hard
+
+"is-stream@npm:^1.1.0":
+  version: 1.1.0
+  resolution: "is-stream@npm:1.1.0"
+  checksum: 063c6bec9d5647aa6d42108d4c59723d2bd4ae42135a2d4db6eadbd49b7ea05b750fd69d279e5c7c45cf9da753ad2c00d8978be354d65aa9f6bb434969c6a2ae
+  languageName: node
+  linkType: hard
+
+"is-stream@npm:^2.0.0":
+  version: 2.0.1
+  resolution: "is-stream@npm:2.0.1"
+  checksum: b8e05ccdf96ac330ea83c12450304d4a591f9958c11fd17bed240af8d5ffe08aedafa4c0f4cfccd4d28dc9d4d129daca1023633d5c11601a6cbc77521f6fae66
+  languageName: node
+  linkType: hard
+
+"is-string@npm:^1.0.5, is-string@npm:^1.0.7":
+  version: 1.0.7
+  resolution: "is-string@npm:1.0.7"
+  dependencies:
+    has-tostringtag: ^1.0.0
+  checksum: 323b3d04622f78d45077cf89aab783b2f49d24dc641aa89b5ad1a72114cfeff2585efc8c12ef42466dff32bde93d839ad321b26884cf75e5a7892a938b089989
+  languageName: node
+  linkType: hard
+
+"is-symbol@npm:^1.0.2, is-symbol@npm:^1.0.3":
+  version: 1.0.4
+  resolution: "is-symbol@npm:1.0.4"
+  dependencies:
+    has-symbols: ^1.0.2
+  checksum: 92805812ef590738d9de49d677cd17dfd486794773fb6fa0032d16452af46e9b91bb43ffe82c983570f015b37136f4b53b28b8523bfb10b0ece7a66c31a54510
+  languageName: node
+  linkType: hard
+
+"is-type@npm:0.0.1":
+  version: 0.0.1
+  resolution: "is-type@npm:0.0.1"
+  dependencies:
+    core-util-is: ~1.0.0
+  checksum: c0ea697d42775270b0eefbe31f01f40e4ab1c86c31580d846b7f3b5a46f744b89248c7bcbb9e2e51325592bdf5d24e0dd265e1cdabd052241a5f3f0c72fd58e1
+  languageName: node
+  linkType: hard
+
+"is-typed-array@npm:^1.1.10, is-typed-array@npm:^1.1.9":
+  version: 1.1.10
+  resolution: "is-typed-array@npm:1.1.10"
+  dependencies:
+    available-typed-arrays: ^1.0.5
+    call-bind: ^1.0.2
+    for-each: ^0.3.3
+    gopd: ^1.0.1
+    has-tostringtag: ^1.0.0
+  checksum: aac6ecb59d4c56a1cdeb69b1f129154ef462bbffe434cb8a8235ca89b42f258b7ae94073c41b3cb7bce37f6a1733ad4499f07882d5d5093a7ba84dfc4ebb8017
+  languageName: node
+  linkType: hard
+
+"is-typedarray@npm:^1.0.0, is-typedarray@npm:~1.0.0":
+  version: 1.0.0
+  resolution: "is-typedarray@npm:1.0.0"
+  checksum: 3508c6cd0a9ee2e0df2fa2e9baabcdc89e911c7bd5cf64604586697212feec525aa21050e48affb5ffc3df20f0f5d2e2cf79b08caa64e1ccc9578e251763aef7
+  languageName: node
+  linkType: hard
+
+"is-unicode-supported@npm:^0.1.0":
+  version: 0.1.0
+  resolution: "is-unicode-supported@npm:0.1.0"
+  checksum: a2aab86ee7712f5c2f999180daaba5f361bdad1efadc9610ff5b8ab5495b86e4f627839d085c6530363c6d6d4ecbde340fb8e54bdb83da4ba8e0865ed5513c52
+  languageName: node
+  linkType: hard
+
+"is-weakmap@npm:^2.0.1":
+  version: 2.0.1
+  resolution: "is-weakmap@npm:2.0.1"
+  checksum: 1222bb7e90c32bdb949226e66d26cb7bce12e1e28e3e1b40bfa6b390ba3e08192a8664a703dff2a00a84825f4e022f9cd58c4599ff9981ab72b1d69479f4f7f6
+  languageName: node
+  linkType: hard
+
+"is-weakref@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "is-weakref@npm:1.0.1"
+  dependencies:
+    call-bind: ^1.0.0
+  checksum: fdafb7b955671dd2f9658ff47c86e4025c0650fc68a3542a40e5a75898a763b1abd6b1e1f9f13207eed49541cdd76af67d73c44989ea358b201b70274cf8f6c1
+  languageName: node
+  linkType: hard
+
+"is-weakref@npm:^1.0.2":
+  version: 1.0.2
+  resolution: "is-weakref@npm:1.0.2"
+  dependencies:
+    call-bind: ^1.0.2
+  checksum: 95bd9a57cdcb58c63b1c401c60a474b0f45b94719c30f548c891860f051bc2231575c290a6b420c6bc6e7ed99459d424c652bd5bf9a1d5259505dc35b4bf83de
+  languageName: node
+  linkType: hard
+
+"is-weakset@npm:^2.0.1":
+  version: 2.0.2
+  resolution: "is-weakset@npm:2.0.2"
+  dependencies:
+    call-bind: ^1.0.2
+    get-intrinsic: ^1.1.1
+  checksum: 5d8698d1fa599a0635d7ca85be9c26d547b317ed8fd83fc75f03efbe75d50001b5eececb1e9971de85fcde84f69ae6f8346bc92d20d55d46201d328e4c74a367
+  languageName: node
+  linkType: hard
+
+"is-windows@npm:^1.0.1, is-windows@npm:^1.0.2":
+  version: 1.0.2
+  resolution: "is-windows@npm:1.0.2"
+  checksum: 438b7e52656fe3b9b293b180defb4e448088e7023a523ec21a91a80b9ff8cdb3377ddb5b6e60f7c7de4fa8b63ab56e121b6705fe081b3cf1b828b0a380009ad7
+  languageName: node
+  linkType: hard
+
+"is-wsl@npm:^1.1.0":
+  version: 1.1.0
+  resolution: "is-wsl@npm:1.1.0"
+  checksum: ea157d232351e68c92bd62fc541771096942fe72f69dff452dd26dcc31466258c570a3b04b8cda2e01cd2968255b02951b8670d08ea4ed76d6b1a646061ac4fe
+  languageName: node
+  linkType: hard
+
+"is-wsl@npm:^2.2.0":
+  version: 2.2.0
+  resolution: "is-wsl@npm:2.2.0"
+  dependencies:
+    is-docker: ^2.0.0
+  checksum: 20849846ae414997d290b75e16868e5261e86ff5047f104027026fd61d8b5a9b0b3ade16239f35e1a067b3c7cc02f70183cb661010ed16f4b6c7c93dad1b19d8
+  languageName: node
+  linkType: hard
+
+"isarray@npm:0.0.1":
+  version: 0.0.1
+  resolution: "isarray@npm:0.0.1"
+  checksum: 49191f1425681df4a18c2f0f93db3adb85573bcdd6a4482539d98eac9e705d8961317b01175627e860516a2fc45f8f9302db26e5a380a97a520e272e2a40a8d4
+  languageName: node
+  linkType: hard
+
+"isarray@npm:1.0.0, isarray@npm:^1.0.0, isarray@npm:~1.0.0":
+  version: 1.0.0
+  resolution: "isarray@npm:1.0.0"
+  checksum: f032df8e02dce8ec565cf2eb605ea939bdccea528dbcf565cdf92bfa2da9110461159d86a537388ef1acef8815a330642d7885b29010e8f7eac967c9993b65ab
+  languageName: node
+  linkType: hard
+
+"isarray@npm:^2.0.5":
+  version: 2.0.5
+  resolution: "isarray@npm:2.0.5"
+  checksum: bd5bbe4104438c4196ba58a54650116007fa0262eccef13a4c55b2e09a5b36b59f1e75b9fcc49883dd9d4953892e6fc007eef9e9155648ceea036e184b0f930a
+  languageName: node
+  linkType: hard
+
+"isbinaryfile@npm:^5.0.0":
+  version: 5.0.0
+  resolution: "isbinaryfile@npm:5.0.0"
+  checksum: 25cc27388d51b8322c103f5894f9e72ec04e017734e57c4b70be2666501ec7e7f6cbb4a5fcfd15260a7cac979bd1ddb7f5231f5a3098c0695c4e7c049513dfaf
+  languageName: node
+  linkType: hard
+
+"isexe@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "isexe@npm:2.0.0"
+  checksum: 26bf6c5480dda5161c820c5b5c751ae1e766c587b1f951ea3fcfc973bafb7831ae5b54a31a69bd670220e42e99ec154475025a468eae58ea262f813fdc8d1c62
+  languageName: node
+  linkType: hard
+
+"isobject@npm:^2.0.0":
+  version: 2.1.0
+  resolution: "isobject@npm:2.1.0"
+  dependencies:
+    isarray: 1.0.0
+  checksum: 811c6f5a866877d31f0606a88af4a45f282544de886bf29f6a34c46616a1ae2ed17076cc6bf34c0128f33eecf7e1fcaa2c82cf3770560d3e26810894e96ae79f
+  languageName: node
+  linkType: hard
+
+"isobject@npm:^3.0.0, isobject@npm:^3.0.1":
+  version: 3.0.1
+  resolution: "isobject@npm:3.0.1"
+  checksum: db85c4c970ce30693676487cca0e61da2ca34e8d4967c2e1309143ff910c207133a969f9e4ddb2dc6aba670aabce4e0e307146c310350b298e74a31f7d464703
+  languageName: node
+  linkType: hard
+
+"isstream@npm:~0.1.2":
+  version: 0.1.2
+  resolution: "isstream@npm:0.1.2"
+  checksum: 1eb2fe63a729f7bdd8a559ab552c69055f4f48eb5c2f03724430587c6f450783c8f1cd936c1c952d0a927925180fcc892ebd5b174236cf1065d4bd5bdb37e963
+  languageName: node
+  linkType: hard
+
+"istextorbinary@npm:2.1.0":
+  version: 2.1.0
+  resolution: "istextorbinary@npm:2.1.0"
+  dependencies:
+    binaryextensions: 1 || 2
+    editions: ^1.1.1
+    textextensions: 1 || 2
+  checksum: f07e2c8648663ffa609ee89fa6a50157bcd4d99b8fee3c99c5d5114c068d733e3b5ba16f0c9b704cbf7fd8a1cab0836b1451b40de56c790a283fbabf34d52167
+  languageName: node
+  linkType: hard
+
+"istextorbinary@npm:^2.5.1":
+  version: 2.6.0
+  resolution: "istextorbinary@npm:2.6.0"
+  dependencies:
+    binaryextensions: ^2.1.2
+    editions: ^2.2.0
+    textextensions: ^2.5.0
+  checksum: 964915aa9533df46a7142d36263e9e1a0940d63b58e2ee1ca1ecc9088239a2499b8153d9746225cfe71b9a7a0ab40565bf23c0a8cfed3a4bce7465303b9fb237
+  languageName: node
+  linkType: hard
+
+"jest-worker@npm:^27.4.5":
+  version: 27.5.1
+  resolution: "jest-worker@npm:27.5.1"
+  dependencies:
+    "@types/node": "*"
+    merge-stream: ^2.0.0
+    supports-color: ^8.0.0
+  checksum: 98cd68b696781caed61c983a3ee30bf880b5bd021c01d98f47b143d4362b85d0737f8523761e2713d45e18b4f9a2b98af1eaee77afade4111bb65c77d6f7c980
+  languageName: node
+  linkType: hard
+
+"jquery@npm:^3.4.1":
+  version: 3.7.0
+  resolution: "jquery@npm:3.7.0"
+  checksum: 907785e133afc427650a131af5fccef66a404885037513b3d4d7d63aee6409bcc32a39836868c60e59b05aa0fb8ace8961c18b2ee3ffdf6ffdb571d6d7cd88ff
+  languageName: node
+  linkType: hard
+
+"js-sdsl@npm:^4.1.4":
+  version: 4.1.5
+  resolution: "js-sdsl@npm:4.1.5"
+  checksum: 695f657ddc5be462b97cac4e8e60f37de28d628ee0e23016baecff0bb584a18dddb5caeac537a775030f180b5afd62133ac4481e7024c8d03a62d73e4da0713e
+  languageName: node
+  linkType: hard
+
+"js-string-escape@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "js-string-escape@npm:1.0.1"
+  checksum: f11e0991bf57e0c183b55c547acec85bd2445f043efc9ea5aa68b41bd2a3e7d3ce94636cb233ae0d84064ba4c1a505d32e969813c5b13f81e7d4be12c59256fe
+  languageName: node
+  linkType: hard
+
+"js-tokens@npm:^3.0.0 || ^4.0.0, js-tokens@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "js-tokens@npm:4.0.0"
+  checksum: 8a95213a5a77deb6cbe94d86340e8d9ace2b93bc367790b260101d2f36a2eaf4e4e22d9fa9cf459b38af3a32fb4190e638024cf82ec95ef708680e405ea7cc78
+  languageName: node
+  linkType: hard
+
+"js-tokens@npm:^3.0.2":
+  version: 3.0.2
+  resolution: "js-tokens@npm:3.0.2"
+  checksum: ff24cf90e6e4ac446eba56e604781c1aaf3bdaf9b13a00596a0ebd972fa3b25dc83c0f0f67289c33252abb4111e0d14e952a5d9ffb61f5c22532d555ebd8d8a9
+  languageName: node
+  linkType: hard
+
+"js-yaml@npm:^3.13.1, js-yaml@npm:^3.2.5, js-yaml@npm:^3.2.7":
+  version: 3.14.1
+  resolution: "js-yaml@npm:3.14.1"
+  dependencies:
+    argparse: ^1.0.7
+    esprima: ^4.0.0
+  bin:
+    js-yaml: bin/js-yaml.js
+  checksum: bef146085f472d44dee30ec34e5cf36bf89164f5d585435a3d3da89e52622dff0b188a580e4ad091c3341889e14cb88cac6e4deb16dc5b1e9623bb0601fc255c
+  languageName: node
+  linkType: hard
+
+"js-yaml@npm:^4.1.0":
+  version: 4.1.0
+  resolution: "js-yaml@npm:4.1.0"
+  dependencies:
+    argparse: ^2.0.1
+  bin:
+    js-yaml: bin/js-yaml.js
+  checksum: c7830dfd456c3ef2c6e355cc5a92e6700ceafa1d14bba54497b34a99f0376cecbb3e9ac14d3e5849b426d5a5140709a66237a8c991c675431271c4ce5504151a
+  languageName: node
+  linkType: hard
+
+"jsbn@npm:~0.1.0":
+  version: 0.1.1
+  resolution: "jsbn@npm:0.1.1"
+  checksum: e5ff29c1b8d965017ef3f9c219dacd6e40ad355c664e277d31246c90545a02e6047018c16c60a00f36d561b3647215c41894f5d869ada6908a2e0ce4200c88f2
+  languageName: node
+  linkType: hard
+
+"jsdom@npm:^16.4.0":
+  version: 16.5.3
+  resolution: "jsdom@npm:16.5.3"
+  dependencies:
+    abab: ^2.0.5
+    acorn: ^8.1.0
+    acorn-globals: ^6.0.0
+    cssom: ^0.4.4
+    cssstyle: ^2.3.0
+    data-urls: ^2.0.0
+    decimal.js: ^10.2.1
+    domexception: ^2.0.1
+    escodegen: ^2.0.0
+    html-encoding-sniffer: ^2.0.1
+    is-potential-custom-element-name: ^1.0.0
+    nwsapi: ^2.2.0
+    parse5: 6.0.1
+    request: ^2.88.2
+    request-promise-native: ^1.0.9
+    saxes: ^5.0.1
+    symbol-tree: ^3.2.4
+    tough-cookie: ^4.0.0
+    w3c-hr-time: ^1.0.2
+    w3c-xmlserializer: ^2.0.0
+    webidl-conversions: ^6.1.0
+    whatwg-encoding: ^1.0.5
+    whatwg-mimetype: ^2.3.0
+    whatwg-url: ^8.5.0
+    ws: ^7.4.4
+    xml-name-validator: ^3.0.0
+  peerDependencies:
+    canvas: ^2.5.0
+  peerDependenciesMeta:
+    canvas:
+      optional: true
+  checksum: 19d107eeaa2b67cb9288b313d12af9df4c633526bbbaf222b0d97c1cfd4b9f23294f168dd80c39ee6bd344dde336b9a57ed24136639fea7dc5e24e88f4d5f79f
+  languageName: node
+  linkType: hard
+
+"jsesc@npm:^1.3.0":
+  version: 1.3.0
+  resolution: "jsesc@npm:1.3.0"
+  bin:
+    jsesc: bin/jsesc
+  checksum: 9384cc72bf8ef7f2eb75fea64176b8b0c1c5e77604854c72cb4670b7072e112e3baaa69ef134be98cb078834a7812b0bfe676ad441ccd749a59427f5ed2127f1
+  languageName: node
+  linkType: hard
+
+"jsesc@npm:^2.5.1":
+  version: 2.5.2
+  resolution: "jsesc@npm:2.5.2"
+  bin:
+    jsesc: bin/jsesc
+  checksum: 4dc190771129e12023f729ce20e1e0bfceac84d73a85bc3119f7f938843fe25a4aeccb54b6494dce26fcf263d815f5f31acdefac7cc9329efb8422a4f4d9fa9d
+  languageName: node
+  linkType: hard
+
+"jsesc@npm:~0.3.x":
+  version: 0.3.0
+  resolution: "jsesc@npm:0.3.0"
+  bin:
+    jsesc: bin/jsesc
+  checksum: a5222fb2a599e874461ca384b59ecdc6449d52b6dd9d6ce0e878917e49ac6eb304e549cd69cb80bcf710d65aba130b31c795d1f1cd59f490d78e93d743bb6a4b
+  languageName: node
+  linkType: hard
+
+"jsesc@npm:~0.5.0":
+  version: 0.5.0
+  resolution: "jsesc@npm:0.5.0"
+  bin:
+    jsesc: bin/jsesc
+  checksum: b8b44cbfc92f198ad972fba706ee6a1dfa7485321ee8c0b25f5cedd538dcb20cde3197de16a7265430fce8277a12db066219369e3d51055038946039f6e20e17
+  languageName: node
+  linkType: hard
+
+"json-parse-better-errors@npm:^1.0.1, json-parse-better-errors@npm:^1.0.2":
+  version: 1.0.2
+  resolution: "json-parse-better-errors@npm:1.0.2"
+  checksum: ff2b5ba2a70e88fd97a3cb28c1840144c5ce8fae9cbeeddba15afa333a5c407cf0e42300cd0a2885dbb055227fe68d405070faad941beeffbfde9cf3b2c78c5d
+  languageName: node
+  linkType: hard
+
+"json-parse-even-better-errors@npm:^2.3.0, json-parse-even-better-errors@npm:^2.3.1":
+  version: 2.3.1
+  resolution: "json-parse-even-better-errors@npm:2.3.1"
+  checksum: 798ed4cf3354a2d9ccd78e86d2169515a0097a5c133337807cdf7f1fc32e1391d207ccfc276518cc1d7d8d4db93288b8a50ba4293d212ad1336e52a8ec0a941f
+  languageName: node
+  linkType: hard
+
+"json-schema-traverse@npm:^0.4.1":
+  version: 0.4.1
+  resolution: "json-schema-traverse@npm:0.4.1"
+  checksum: 7486074d3ba247769fda17d5181b345c9fb7d12e0da98b22d1d71a5db9698d8b4bd900a3ec1a4ffdd60846fc2556274a5c894d0c48795f14cb03aeae7b55260b
+  languageName: node
+  linkType: hard
+
+"json-schema-traverse@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "json-schema-traverse@npm:1.0.0"
+  checksum: 02f2f466cdb0362558b2f1fd5e15cce82ef55d60cd7f8fa828cf35ba74330f8d767fcae5c5c2adb7851fa811766c694b9405810879bc4e1ddd78a7c0e03658ad
+  languageName: node
+  linkType: hard
+
+"json-schema@npm:0.2.3":
+  version: 0.2.3
+  resolution: "json-schema@npm:0.2.3"
+  checksum: bbc2070988fb5f2a2266a31b956f1b5660e03ea7eaa95b33402901274f625feb586ae0c485e1df854fde40a7f0dc679f3b3ca8e5b8d31f8ea07a0d834de785c7
+  languageName: node
+  linkType: hard
+
+"json-stable-stringify-without-jsonify@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "json-stable-stringify-without-jsonify@npm:1.0.1"
+  checksum: cff44156ddce9c67c44386ad5cddf91925fe06b1d217f2da9c4910d01f358c6e3989c4d5a02683c7a5667f9727ff05831f7aa8ae66c8ff691c556f0884d49215
+  languageName: node
+  linkType: hard
+
+"json-stable-stringify@npm:^1.0.0, json-stable-stringify@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "json-stable-stringify@npm:1.0.1"
+  dependencies:
+    jsonify: ~0.0.0
+  checksum: 65d6cbf0fca72a4136999f65f4401cf39a129f7aeff0fdd987ac3d3423a2113659294045fb8377e6e20d865cac32b1b8d70f3d87346c9786adcee60661d96ca5
+  languageName: node
+  linkType: hard
+
+"json-stringify-safe@npm:~5.0.1":
+  version: 5.0.1
+  resolution: "json-stringify-safe@npm:5.0.1"
+  checksum: 48ec0adad5280b8a96bb93f4563aa1667fd7a36334f79149abd42446d0989f2ddc58274b479f4819f1f00617957e6344c886c55d05a4e15ebb4ab931e4a6a8ee
+  languageName: node
+  linkType: hard
+
+"json5@npm:^0.5.1":
+  version: 0.5.1
+  resolution: "json5@npm:0.5.1"
+  bin:
+    json5: lib/cli.js
+  checksum: 9b85bf06955b23eaa4b7328aa8892e3887e81ca731dd27af04a5f5f1458fbc5e1de57a24442e3272f8a888dd1abe1cb68eb693324035f6b3aeba4fcab7667d62
+  languageName: node
+  linkType: hard
+
+"json5@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "json5@npm:1.0.1"
+  dependencies:
+    minimist: ^1.2.0
+  bin:
+    json5: lib/cli.js
+  checksum: e76ea23dbb8fc1348c143da628134a98adf4c5a4e8ea2adaa74a80c455fc2cdf0e2e13e6398ef819bfe92306b610ebb2002668ed9fc1af386d593691ef346fc3
+  languageName: node
+  linkType: hard
+
+"json5@npm:^2.1.1, json5@npm:^2.2.2":
+  version: 2.2.3
+  resolution: "json5@npm:2.2.3"
+  bin:
+    json5: lib/cli.js
+  checksum: 2a7436a93393830bce797d4626275152e37e877b265e94ca69c99e3d20c2b9dab021279146a39cdb700e71b2dd32a4cebd1514cd57cee102b1af906ce5040349
+  languageName: node
+  linkType: hard
+
+"json5@npm:^2.1.2":
+  version: 2.2.0
+  resolution: "json5@npm:2.2.0"
+  dependencies:
+    minimist: ^1.2.5
+  bin:
+    json5: lib/cli.js
+  checksum: e88fc5274bb58fc99547baa777886b069d2dd96d9cfc4490b305fd16d711dabd5979e35a4f90873cefbeb552e216b041a304fe56702bedba76e19bc7845f208d
+  languageName: node
+  linkType: hard
+
+"json5@npm:^2.2.1":
+  version: 2.2.1
+  resolution: "json5@npm:2.2.1"
+  bin:
+    json5: lib/cli.js
+  checksum: 74b8a23b102a6f2bf2d224797ae553a75488b5adbaee9c9b6e5ab8b510a2fc6e38f876d4c77dea672d4014a44b2399e15f2051ac2b37b87f74c0c7602003543b
+  languageName: node
+  linkType: hard
+
+"jsondiffpatch@npm:^0.4.1":
+  version: 0.4.1
+  resolution: "jsondiffpatch@npm:0.4.1"
+  dependencies:
+    chalk: ^2.3.0
+    diff-match-patch: ^1.0.0
+  bin:
+    jsondiffpatch: ./bin/jsondiffpatch
+  checksum: 2062d188cc7f60f9d84e7bf497a7d89233d2f8ec21d085c26cdb24c2b7c5f4f7231ad9b978355e319c00820de0863499ba881c6c6b1bd92313db1a7d16d6ab1d
+  languageName: node
+  linkType: hard
+
+"jsonfile@npm:^2.1.0":
+  version: 2.4.0
+  resolution: "jsonfile@npm:2.4.0"
+  dependencies:
+    graceful-fs: ^4.1.6
+  dependenciesMeta:
+    graceful-fs:
+      optional: true
+  checksum: f5064aabbc9e35530dc471d8b203ae1f40dbe949ddde4391c6f6a6d310619a15f0efdae5587df594d1d70c555193aaeee9d2ed4aec9ffd5767bd5e4e62d49c3d
+  languageName: node
+  linkType: hard
+
+"jsonfile@npm:^3.0.0":
+  version: 3.0.1
+  resolution: "jsonfile@npm:3.0.1"
+  dependencies:
+    graceful-fs: ^4.1.6
+  dependenciesMeta:
+    graceful-fs:
+      optional: true
+  checksum: f2935da339462fe6489c3b8961b637e4eeebd42bcbbe1c8d88f4e937fe19d2d9bc222167281ada2e2f6ddc0324edb43b18107a9b12c743b350326d83ba4db5ef
+  languageName: node
+  linkType: hard
+
+"jsonfile@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "jsonfile@npm:4.0.0"
+  dependencies:
+    graceful-fs: ^4.1.6
+  dependenciesMeta:
+    graceful-fs:
+      optional: true
+  checksum: 6447d6224f0d31623eef9b51185af03ac328a7553efcee30fa423d98a9e276ca08db87d71e17f2310b0263fd3ffa6c2a90a6308367f661dc21580f9469897c9e
+  languageName: node
+  linkType: hard
+
+"jsonfile@npm:^6.0.1":
+  version: 6.1.0
+  resolution: "jsonfile@npm:6.1.0"
+  dependencies:
+    graceful-fs: ^4.1.6
+    universalify: ^2.0.0
+  dependenciesMeta:
+    graceful-fs:
+      optional: true
+  checksum: 7af3b8e1ac8fe7f1eccc6263c6ca14e1966fcbc74b618d3c78a0a2075579487547b94f72b7a1114e844a1e15bb00d440e5d1720bfc4612d790a6f285d5ea8354
+  languageName: node
+  linkType: hard
+
+"jsonify@npm:~0.0.0":
+  version: 0.0.0
+  resolution: "jsonify@npm:0.0.0"
+  checksum: d8d4ed476c116e6987a460dcb82f22284686caae9f498ac87b0502c1765ac1522f4f450a4cad4cc368d202fd3b27a3860735140a82867fc6d558f5f199c38bce
+  languageName: node
+  linkType: hard
+
+"jsonlint@npm:^1.6.3":
+  version: 1.6.3
+  resolution: "jsonlint@npm:1.6.3"
+  dependencies:
+    JSV: ^4.0.x
+    nomnom: ^1.5.x
+  bin:
+    jsonlint: lib/cli.js
+  checksum: be0972cf552ff1ec589db5d7b20ff31064561fbe4605708f5a260e2dcc18e26acd5bf842ba10dd157706232aca6d6c9116d21005cb3e8fb5ec9d9b01c8869677
+  languageName: node
+  linkType: hard
+
+"jsprim@npm:^1.2.2":
+  version: 1.4.1
+  resolution: "jsprim@npm:1.4.1"
+  dependencies:
+    assert-plus: 1.0.0
+    extsprintf: 1.3.0
+    json-schema: 0.2.3
+    verror: 1.10.0
+  checksum: 6bcb20ec265ae18bb48e540a6da2c65f9c844f7522712d6dfcb01039527a49414816f4869000493363f1e1ea96cbad00e46188d5ecc78257a19f152467587373
+  languageName: node
+  linkType: hard
+
+"just-extend@npm:^4.0.2":
+  version: 4.2.1
+  resolution: "just-extend@npm:4.2.1"
+  checksum: ff9fdede240fad313efeeeb68a660b942e5586d99c0058064c78884894a2690dc09bba44c994ad4e077e45d913fef01a9240c14a72c657b53687ac58de53b39c
+  languageName: node
+  linkType: hard
+
+"kind-of@npm:^6.0.3":
+  version: 6.0.3
+  resolution: "kind-of@npm:6.0.3"
+  checksum: 3ab01e7b1d440b22fe4c31f23d8d38b4d9b91d9f291df683476576493d5dfd2e03848a8b05813dd0c3f0e835bc63f433007ddeceb71f05cb25c45ae1b19c6d3b
+  languageName: node
+  linkType: hard
+
+"klaw@npm:^1.0.0":
+  version: 1.3.1
+  resolution: "klaw@npm:1.3.1"
+  dependencies:
+    graceful-fs: ^4.1.9
+  dependenciesMeta:
+    graceful-fs:
+      optional: true
+  checksum: 8f69e4797c26e7c3f2426bfa85f38a3da3c2cb1b4c6bd850d2377aed440d41ce9d806f2885c2e2e224372c56af4b1d43b8a499adecf9a05e7373dc6b8b7c52e4
+  languageName: node
+  linkType: hard
+
+"known-css-properties@npm:^0.27.0":
+  version: 0.27.0
+  resolution: "known-css-properties@npm:0.27.0"
+  checksum: 8584fcf0526f984fe5a358af20200dec3b944373dd005dc23a3ce988895e1acd03e7d69c49533dda07d6d9b6d53990ed1119bd9d3e927f17545f8764c434a5cd
+  languageName: node
+  linkType: hard
+
+"language-subtag-registry@npm:^0.3.20":
+  version: 0.3.22
+  resolution: "language-subtag-registry@npm:0.3.22"
+  checksum: 8ab70a7e0e055fe977ac16ea4c261faec7205ac43db5e806f72e5b59606939a3b972c4bd1e10e323b35d6ffa97c3e1c4c99f6553069dad2dfdd22020fa3eb56a
+  languageName: node
+  linkType: hard
+
+"language-tags@npm:^1.0.8":
+  version: 1.0.8
+  resolution: "language-tags@npm:1.0.8"
+  dependencies:
+    language-subtag-registry: ^0.3.20
+  checksum: 95d200a4c23ae58ec1c2224e264162ca95e71b3a1104a9cf9d2fd39ab807fa766b37827905a44c84763accc8223aedccebd4cd7807c16876cbe2af769e7a487b
+  languageName: node
+  linkType: hard
+
+"lcid@npm:^3.0.0":
+  version: 3.1.1
+  resolution: "lcid@npm:3.1.1"
+  dependencies:
+    invert-kv: ^3.0.0
+  checksum: 7ebab7a2696a3cc6c6c9f25d957ef81dd2a8a2f48b7e2a9185e4bbcfc36d70cb633acf5fa5c9508f3d30badf23a303b1b6afe0bba8f0bb7d353d0f5d59c9ec1b
+  languageName: node
+  linkType: hard
+
+"leek@npm:0.0.24":
+  version: 0.0.24
+  resolution: "leek@npm:0.0.24"
+  dependencies:
+    debug: ^2.1.0
+    lodash.assign: ^3.2.0
+    rsvp: ^3.0.21
+  checksum: da2c554c7ea37c6e5ef680ce1940f7be2c2eef5661dc7f74e1bc86ac65136525fdb11e1d1f8f5c582ea8b9e4c8a31ba61d82e1192495a8f91bf1ca702b8d19f2
+  languageName: node
+  linkType: hard
+
+"levn@npm:^0.4.1":
+  version: 0.4.1
+  resolution: "levn@npm:0.4.1"
+  dependencies:
+    prelude-ls: ^1.2.1
+    type-check: ~0.4.0
+  checksum: 12c5021c859bd0f5248561bf139121f0358285ec545ebf48bb3d346820d5c61a4309535c7f387ed7d84361cf821e124ce346c6b7cef8ee09a67c1473b46d0fc4
+  languageName: node
+  linkType: hard
+
+"levn@npm:~0.3.0":
+  version: 0.3.0
+  resolution: "levn@npm:0.3.0"
+  dependencies:
+    prelude-ls: ~1.1.2
+    type-check: ~0.3.2
+  checksum: 0d084a524231a8246bb10fec48cdbb35282099f6954838604f3c7fc66f2e16fa66fd9cc2f3f20a541a113c4dafdf181e822c887c8a319c9195444e6c64ac395e
+  languageName: node
+  linkType: hard
+
+"line-column@npm:^1.0.2":
+  version: 1.0.2
+  resolution: "line-column@npm:1.0.2"
+  dependencies:
+    isarray: ^1.0.0
+    isobject: ^2.0.0
+  checksum: 7b71b3aaebf629cf79bea9b8356d5c3d3cc36129619f8248a95409206f26cd1cad9d758ea873cbf262fce780e31c1aa50ec85ee48dbd539bd3356523d535c8f5
+  languageName: node
+  linkType: hard
+
+"lines-and-columns@npm:^1.1.6":
+  version: 1.1.6
+  resolution: "lines-and-columns@npm:1.1.6"
+  checksum: 198a5436b1fa5cf703bae719c01c686b076f0ad7e1aafd95a58d626cabff302dc0414822126f2f80b58a8c3d66cda8a7b6da064f27130f87e1d3506d6dfd0d68
+  languageName: node
+  linkType: hard
+
+"linkify-it@npm:^4.0.1":
+  version: 4.0.1
+  resolution: "linkify-it@npm:4.0.1"
+  dependencies:
+    uc.micro: ^1.0.1
+  checksum: 3e0a29921269c14eb7ac6f5db2da68d4854ea9acca6e9014a323f75f2dd39b197ffab57c1fbd6a906ceb021aad3ee6d7ba7d0181236dd9630ffc452b392f7f71
+  languageName: node
+  linkType: hard
+
+"lint-staged@npm:^10.5.1":
+  version: 10.5.4
+  resolution: "lint-staged@npm:10.5.4"
+  dependencies:
+    chalk: ^4.1.0
+    cli-truncate: ^2.1.0
+    commander: ^6.2.0
+    cosmiconfig: ^7.0.0
+    debug: ^4.2.0
+    dedent: ^0.7.0
+    enquirer: ^2.3.6
+    execa: ^4.1.0
+    listr2: ^3.2.2
+    log-symbols: ^4.0.0
+    micromatch: ^4.0.2
+    normalize-path: ^3.0.0
+    please-upgrade-node: ^3.2.0
+    string-argv: 0.3.1
+    stringify-object: ^3.3.0
+  bin:
+    lint-staged: bin/lint-staged.js
+  checksum: 4cc65f6c0a22dc091d0bbdfa6c15cd6e9b7d0d1e7603f5441bf9ac62f3a760fa36b0bda2db4c31b4084f28ba47cd4d0a176c3c3b314a97de8326e050d20b1635
+  languageName: node
+  linkType: hard
+
+"listr2@npm:^3.2.2":
+  version: 3.8.2
+  resolution: "listr2@npm:3.8.2"
+  dependencies:
+    chalk: ^4.1.1
+    cli-truncate: ^2.1.0
+    figures: ^3.2.0
+    indent-string: ^4.0.0
+    log-update: ^4.0.0
+    p-map: ^4.0.0
+    rxjs: ^6.6.7
+    through: ^2.3.8
+    wrap-ansi: ^7.0.0
+  peerDependencies:
+    enquirer: ">= 2.3.0 < 3"
+  checksum: f0930780daf525015fb6e0568c69b36e23a1b5c74c00b802ed911e2d9b2eacc6fb9f498e90669b1a0f51c987fab5dfe7d95f5bbddddf5f3d9d42d99d373ea700
+  languageName: node
+  linkType: hard
+
+"livereload-js@npm:^3.3.1":
+  version: 3.3.2
+  resolution: "livereload-js@npm:3.3.2"
+  checksum: 72121395b54f338f0aaf33542a062b7ecfd886f472cb8acb174635011bf29ccc689e5861427431c115d445239498dbbcd070a37c0c8b9561606ebc90c579afbd
+  languageName: node
+  linkType: hard
+
+"load-json-file@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "load-json-file@npm:4.0.0"
+  dependencies:
+    graceful-fs: ^4.1.2
+    parse-json: ^4.0.0
+    pify: ^3.0.0
+    strip-bom: ^3.0.0
+  checksum: 8f5d6d93ba64a9620445ee9bde4d98b1eac32cf6c8c2d20d44abfa41a6945e7969456ab5f1ca2fb06ee32e206c9769a20eec7002fe290de462e8c884b6b8b356
+  languageName: node
+  linkType: hard
+
+"loader-runner@npm:^2.4.0":
+  version: 2.4.0
+  resolution: "loader-runner@npm:2.4.0"
+  checksum: e27eebbca5347a03f6b1d1bce5b2736a4984fb742f872c0a4d68e62de10f7637613e79a464d3bcd77c246d9c70fcac112bb4a3123010eb527e8b203a614647db
+  languageName: node
+  linkType: hard
+
+"loader-runner@npm:^4.2.0":
+  version: 4.3.0
+  resolution: "loader-runner@npm:4.3.0"
+  checksum: a90e00dee9a16be118ea43fec3192d0b491fe03a32ed48a4132eb61d498f5536a03a1315531c19d284392a8726a4ecad71d82044c28d7f22ef62e029bf761569
+  languageName: node
+  linkType: hard
+
+"loader-utils@npm:^1.2.3, loader-utils@npm:^1.4.0":
+  version: 1.4.0
+  resolution: "loader-utils@npm:1.4.0"
+  dependencies:
+    big.js: ^5.2.2
+    emojis-list: ^3.0.0
+    json5: ^1.0.1
+  checksum: d150b15e7a42ac47d935c8b484b79e44ff6ab4c75df7cc4cb9093350cf014ec0b17bdb60c5d6f91a37b8b218bd63b973e263c65944f58ca2573e402b9a27e717
+  languageName: node
+  linkType: hard
+
+"loader-utils@npm:^2.0.0":
+  version: 2.0.2
+  resolution: "loader-utils@npm:2.0.2"
+  dependencies:
+    big.js: ^5.2.2
+    emojis-list: ^3.0.0
+    json5: ^2.1.2
+  checksum: 9078d1ed47cadc57f4c6ddbdb2add324ee7da544cea41de3b7f1128e8108fcd41cd3443a85b7ee8d7d8ac439148aa221922774efe4cf87506d4fb054d5889303
+  languageName: node
+  linkType: hard
+
+"loader.js@npm:^4.7.0":
+  version: 4.7.0
+  resolution: "loader.js@npm:4.7.0"
+  checksum: 947412e7665e47ed1fefcd5c07b8fbcfd9991ccc4f39aa3ad631fc0be301c4410f57a2ed762e710450643210072fbbb54ea00128f9c449d76ee79fe5b8481ec6
+  languageName: node
+  linkType: hard
+
+"locate-character@npm:^2.0.5":
+  version: 2.0.5
+  resolution: "locate-character@npm:2.0.5"
+  checksum: dbc4c62bb98ba95626d5533c6d45d480b2536bb500d1453efdd19d0797e75ba92abf8d0432966990a1567a3b591b0fa6067f0ce93808cbf8b55beedd7bd28a78
+  languageName: node
+  linkType: hard
+
+"locate-path@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "locate-path@npm:2.0.0"
+  dependencies:
+    p-locate: ^2.0.0
+    path-exists: ^3.0.0
+  checksum: 02d581edbbbb0fa292e28d96b7de36b5b62c2fa8b5a7e82638ebb33afa74284acf022d3b1e9ae10e3ffb7658fbc49163fcd5e76e7d1baaa7801c3e05a81da755
+  languageName: node
+  linkType: hard
+
+"locate-path@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "locate-path@npm:3.0.0"
+  dependencies:
+    p-locate: ^3.0.0
+    path-exists: ^3.0.0
+  checksum: 53db3996672f21f8b0bf2a2c645ae2c13ffdae1eeecfcd399a583bce8516c0b88dcb4222ca6efbbbeb6949df7e46860895be2c02e8d3219abd373ace3bfb4e11
+  languageName: node
+  linkType: hard
+
+"locate-path@npm:^5.0.0":
+  version: 5.0.0
+  resolution: "locate-path@npm:5.0.0"
+  dependencies:
+    p-locate: ^4.1.0
+  checksum: 83e51725e67517287d73e1ded92b28602e3ae5580b301fe54bfb76c0c723e3f285b19252e375712316774cf52006cb236aed5704692c32db0d5d089b69696e30
+  languageName: node
+  linkType: hard
+
+"locate-path@npm:^6.0.0":
+  version: 6.0.0
+  resolution: "locate-path@npm:6.0.0"
+  dependencies:
+    p-locate: ^5.0.0
+  checksum: 72eb661788a0368c099a184c59d2fee760b3831c9c1c33955e8a19ae4a21b4116e53fa736dc086cdeb9fce9f7cc508f2f92d2d3aae516f133e16a2bb59a39f5a
+  languageName: node
+  linkType: hard
+
+"locate-path@npm:^7.1.0":
+  version: 7.1.0
+  resolution: "locate-path@npm:7.1.0"
+  dependencies:
+    p-locate: ^6.0.0
+  checksum: 17d5eb6c04ff31856f8a6ae4ee3e3091d41485657428d1a91bd5f66aa1fcd7a90db3de6e8ffb905c2ff1a0014b77509b98dd6410424505efc08b1726d50bcbfc
+  languageName: node
+  linkType: hard
+
+"lodash-es@npm:^4.17.11":
+  version: 4.17.21
+  resolution: "lodash-es@npm:4.17.21"
+  checksum: 05cbffad6e2adbb331a4e16fbd826e7faee403a1a04873b82b42c0f22090f280839f85b95393f487c1303c8a3d2a010048bf06151a6cbe03eee4d388fb0a12d2
+  languageName: node
+  linkType: hard
+
+"lodash._baseassign@npm:^3.0.0":
+  version: 3.2.0
+  resolution: "lodash._baseassign@npm:3.2.0"
+  dependencies:
+    lodash._basecopy: ^3.0.0
+    lodash.keys: ^3.0.0
+  checksum: 27155048736d02dc384f97af303ba66bb5f768aedd5191dddf25acbd13a0733c530d4258df2136440fce7e28c8240561ecd94e769ce4cbb0115dbfd9ab5c4203
+  languageName: node
+  linkType: hard
+
+"lodash._basecopy@npm:^3.0.0":
+  version: 3.0.1
+  resolution: "lodash._basecopy@npm:3.0.1"
+  checksum: 4ccbeef09f53cb1a0cdf1cafeaea2d445ec2184337e1389eb3b81649a3e30f33c377d79027fbce06dae199a6f8ffb4fbd32f1ce07bddbdfae14f51f8340ae68c
+  languageName: node
+  linkType: hard
+
+"lodash._baseflatten@npm:^3.0.0":
+  version: 3.1.4
+  resolution: "lodash._baseflatten@npm:3.1.4"
+  dependencies:
+    lodash.isarguments: ^3.0.0
+    lodash.isarray: ^3.0.0
+  checksum: 7637d1105ce272c5df5c552879dccdbae48da8b8e613d303c3bc1bbee9e1443fd1c934f7c8c0049b96e54df14d9cfd1bab5522412ad6952bb13cbdff1b37a20c
+  languageName: node
+  linkType: hard
+
+"lodash._bindcallback@npm:^3.0.0":
+  version: 3.0.1
+  resolution: "lodash._bindcallback@npm:3.0.1"
+  checksum: 3916fd72bc02de3643a52d46cf5aaeab4c0b21cd7cb2fb801a8bf9dacdc8532e89b30a4ebafdf65da5fe09d8b0bf898a7416402704fd7262a976703e1c59e549
+  languageName: node
+  linkType: hard
+
+"lodash._createassigner@npm:^3.0.0":
+  version: 3.1.1
+  resolution: "lodash._createassigner@npm:3.1.1"
+  dependencies:
+    lodash._bindcallback: ^3.0.0
+    lodash._isiterateecall: ^3.0.0
+    lodash.restparam: ^3.0.0
+  checksum: ca9e08350914c279560b8930a3f7aa065b061a7e2b0bf13b33af1f782be8b5356f623ce01e89248212cc6099b1bc6c39e03ed9ffc9e0c2fd7169b1b7c447c01e
+  languageName: node
+  linkType: hard
+
+"lodash._getnative@npm:^3.0.0":
+  version: 3.9.1
+  resolution: "lodash._getnative@npm:3.9.1"
+  checksum: ba2152bb10bf44beb54fcd273598197972c989c2181b54e533cec1ff1ebebdf8bb02d4ffc3d5a648480a48beb3026db191f5de99adecd7eac36bbd6025c9b048
+  languageName: node
+  linkType: hard
+
+"lodash._isiterateecall@npm:^3.0.0":
+  version: 3.0.9
+  resolution: "lodash._isiterateecall@npm:3.0.9"
+  checksum: 95ace291d07f2930d9f038ec3c662f88cef48ccebd508665ce08a3251f126b2a645234ab734a6dff0987e1ae9ef74dad706e0d9a2bf26828e50d19c7a6238cab
+  languageName: node
+  linkType: hard
+
+"lodash._reinterpolate@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "lodash._reinterpolate@npm:3.0.0"
+  checksum: 06d2d5f33169604fa5e9f27b6067ed9fb85d51a84202a656901e5ffb63b426781a601508466f039c720af111b0c685d12f1a5c14ff8df5d5f27e491e562784b2
+  languageName: node
+  linkType: hard
+
+"lodash.assign@npm:^3.2.0":
+  version: 3.2.0
+  resolution: "lodash.assign@npm:3.2.0"
+  dependencies:
+    lodash._baseassign: ^3.0.0
+    lodash._createassigner: ^3.0.0
+    lodash.keys: ^3.0.0
+  checksum: 135351c0e376e2963ec785d4ad4efce55cd7f1d5e3d34387e940c1de6c5f92d6f91d3e415218bc37657f34aae823bc9ecf2fb38bd4734dc69f7d659582cc4178
+  languageName: node
+  linkType: hard
+
+"lodash.assign@npm:^4.2.0":
+  version: 4.2.0
+  resolution: "lodash.assign@npm:4.2.0"
+  checksum: 75bbc6733c9f577c448031b4051f990f068802708891f94be9d4c2faffd6a9ec67a2c49671dafc908a068d35687765464853282842b4560b662e6c903d11cc90
+  languageName: node
+  linkType: hard
+
+"lodash.assignin@npm:^4.1.0":
+  version: 4.2.0
+  resolution: "lodash.assignin@npm:4.2.0"
+  checksum: 4b55bc1d65ccd7648fdba8a4316d10546929bf0beb5950830d86c559948cf170f0e65b77c95e66b45b511b85a31161714de8b2008d2537627ef3c7759afe36a6
+  languageName: node
+  linkType: hard
+
+"lodash.camelcase@npm:^4.1.1, lodash.camelcase@npm:^4.3.0":
+  version: 4.3.0
+  resolution: "lodash.camelcase@npm:4.3.0"
+  checksum: cb9227612f71b83e42de93eccf1232feeb25e705bdb19ba26c04f91e885bfd3dd5c517c4a97137658190581d3493ea3973072ca010aab7e301046d90740393d1
+  languageName: node
+  linkType: hard
+
+"lodash.castarray@npm:^4.4.0":
+  version: 4.4.0
+  resolution: "lodash.castarray@npm:4.4.0"
+  checksum: fca8c7047e0ae2738b0b2503fb00157ae0ff6d8a1b716f87ed715b22560e09de438c75b65e01a7e44ceb41c5b31dce2eb576e46db04beb9c699c498e03cbd00f
+  languageName: node
+  linkType: hard
+
+"lodash.clonedeep@npm:^4.4.1, lodash.clonedeep@npm:^4.5.0":
+  version: 4.5.0
+  resolution: "lodash.clonedeep@npm:4.5.0"
+  checksum: 92c46f094b064e876a23c97f57f81fbffd5d760bf2d8a1c61d85db6d1e488c66b0384c943abee4f6af7debf5ad4e4282e74ff83177c9e63d8ff081a4837c3489
+  languageName: node
+  linkType: hard
+
+"lodash.compact@npm:^3.0.1":
+  version: 3.0.1
+  resolution: "lodash.compact@npm:3.0.1"
+  checksum: 75039eddfa5ef2ea0da1fc3d36515e92227241f94258b3dcf771196e741c878698ce5b79c0cb7fe758841c9dfd0e6fa222888985aadc0384fd79bbc9680dd829
+  languageName: node
+  linkType: hard
+
+"lodash.debounce@npm:^3.1.1":
+  version: 3.1.1
+  resolution: "lodash.debounce@npm:3.1.1"
+  dependencies:
+    lodash._getnative: ^3.0.0
+  checksum: 8d9dcd6f66246c3e92a25420881714b68f6d7a794db9ffcedb4a2c0f9005f4c6fd59c80ff801eca3ef8aa7fc227d62ae301f37854a73db6d064bd8dcaa93355d
+  languageName: node
+  linkType: hard
+
+"lodash.debounce@npm:^4.0.8":
+  version: 4.0.8
+  resolution: "lodash.debounce@npm:4.0.8"
+  checksum: a3f527d22c548f43ae31c861ada88b2637eb48ac6aa3eb56e82d44917971b8aa96fbb37aa60efea674dc4ee8c42074f90f7b1f772e9db375435f6c83a19b3bc6
+  languageName: node
+  linkType: hard
+
+"lodash.defaultsdeep@npm:^4.6.1":
+  version: 4.6.1
+  resolution: "lodash.defaultsdeep@npm:4.6.1"
+  checksum: 1f346f16158b760545ca99553cb13e907a28b281425751af6bfe681387b9e5685438a7ddbfd36a8d5cc8bda066867a134aa31416f17e318db8c461c377810a76
+  languageName: node
+  linkType: hard
+
+"lodash.find@npm:^4.5.1, lodash.find@npm:^4.6.0":
+  version: 4.6.0
+  resolution: "lodash.find@npm:4.6.0"
+  checksum: b737f849a4fe36f5c3664ea636780dda2fde18335021faf80cdfdcb300ed75441da6f55cfd6de119092d8bb2ddbc4433f4a8de4b99c0b9c8640465b0901c717c
+  languageName: node
+  linkType: hard
+
+"lodash.flatten@npm:^3.0.2":
+  version: 3.0.2
+  resolution: "lodash.flatten@npm:3.0.2"
+  dependencies:
+    lodash._baseflatten: ^3.0.0
+    lodash._isiterateecall: ^3.0.0
+  checksum: 7d2dc97c02ad305cf8d4d8761fbc41f3bde6a8f7f1c4d720d5b234c4e81f6a00c1f0afd8f84d7fb7330fdd799a734f1fab4191a806f3629e28e3ba00eb4b9e26
+  languageName: node
+  linkType: hard
+
+"lodash.flatten@npm:^4.4.0":
+  version: 4.4.0
+  resolution: "lodash.flatten@npm:4.4.0"
+  checksum: 0ac34a393d4b795d4b7421153d27c13ae67e08786c9cbb60ff5b732210d46f833598eee3fb3844bb10070e8488efe390ea53bb567377e0cb47e9e630bf0811cb
+  languageName: node
+  linkType: hard
+
+"lodash.foreach@npm:^4.5.0":
+  version: 4.5.0
+  resolution: "lodash.foreach@npm:4.5.0"
+  checksum: a940386b158ca0d62994db41fc16529eb8ae67138f29ced38e91f912cb5435d1b0ed34b18e6f7b9ddfc32ab676afc6dfec60d1e22633d8e3e4b33413402ab4ad
+  languageName: node
+  linkType: hard
+
+"lodash.forin@npm:^4.4.0":
+  version: 4.4.0
+  resolution: "lodash.forin@npm:4.4.0"
+  checksum: c9c8e6c3204029fe0610efb8c74113b00a3d5a92b1d8defbf3f5cbc2d0f7663c680dff62e2950ed9406bb6d06e882fa39568c607bc44229d53fd93a9fd6c07b7
+  languageName: node
+  linkType: hard
+
+"lodash.get@npm:^4.4.2":
+  version: 4.4.2
+  resolution: "lodash.get@npm:4.4.2"
+  checksum: e403047ddb03181c9d0e92df9556570e2b67e0f0a930fcbbbd779370972368f5568e914f913e93f3b08f6d492abc71e14d4e9b7a18916c31fa04bd2306efe545
+  languageName: node
+  linkType: hard
+
+"lodash.has@npm:^4.5.2":
+  version: 4.5.2
+  resolution: "lodash.has@npm:4.5.2"
+  checksum: b3ec829a86852331d48b3730ff06088a283d128a3965aa521ffd942bcf5c82e06bed3164ff7a7751d11e768d88f0d7bab316192091489caf20f452d42f7055d5
+  languageName: node
+  linkType: hard
+
+"lodash.invokemap@npm:^4.6.0":
+  version: 4.6.0
+  resolution: "lodash.invokemap@npm:4.6.0"
+  checksum: 646ceebbefbcb6da301f8c2868254680fd0bcdc6ada470495d9ae49c9c32938829c1b38a38c95d0258409a9655f85db404b16e648381c7450b7ed3d9c52d8808
+  languageName: node
+  linkType: hard
+
+"lodash.isarguments@npm:^3.0.0":
+  version: 3.1.0
+  resolution: "lodash.isarguments@npm:3.1.0"
+  checksum: ae1526f3eb5c61c77944b101b1f655f846ecbedcb9e6b073526eba6890dc0f13f09f72e11ffbf6540b602caee319af9ac363d6cdd6be41f4ee453436f04f13b5
+  languageName: node
+  linkType: hard
+
+"lodash.isarray@npm:^3.0.0":
+  version: 3.0.4
+  resolution: "lodash.isarray@npm:3.0.4"
+  checksum: 3b298fb76ff16981353f7d0695d8680be9451b74d2e76714ddbd903a90fbaa8e1d84979d0ae99325f5a9033776771154b19e05027ab23de83202251c8abe81b5
+  languageName: node
+  linkType: hard
+
+"lodash.isempty@npm:^4.4.0":
+  version: 4.4.0
+  resolution: "lodash.isempty@npm:4.4.0"
+  checksum: a8118f23f7ed72a1dbd176bf27f297d1e71aa1926288449cb8f7cef99ba1bc7527eab52fe7899ab080fa1dc150aba6e4a6367bf49fa4e0b78da1ecc095f8d8c5
+  languageName: node
+  linkType: hard
+
+"lodash.isequal@npm:^4.5.0":
+  version: 4.5.0
+  resolution: "lodash.isequal@npm:4.5.0"
+  checksum: da27515dc5230eb1140ba65ff8de3613649620e8656b19a6270afe4866b7bd461d9ba2ac8a48dcc57f7adac4ee80e1de9f965d89d4d81a0ad52bb3eec2609644
+  languageName: node
+  linkType: hard
+
+"lodash.isfunction@npm:^3.0.9":
+  version: 3.0.9
+  resolution: "lodash.isfunction@npm:3.0.9"
+  checksum: 99e54c34b1e8a9ba75c034deb39cedbd2aca7af685815e67a2a8ec4f73ec9748cda6ebee5a07d7de4b938e90d421fd280e9c385cc190f903ac217ac8aff30314
+  languageName: node
+  linkType: hard
+
+"lodash.isinteger@npm:^4.0.4":
+  version: 4.0.4
+  resolution: "lodash.isinteger@npm:4.0.4"
+  checksum: 6034821b3fc61a2ffc34e7d5644bb50c5fd8f1c0121c554c21ac271911ee0c0502274852845005f8651d51e199ee2e0cfebfe40aaa49c7fe617f603a8a0b1691
+  languageName: node
+  linkType: hard
+
+"lodash.isplainobject@npm:^4.0.6":
+  version: 4.0.6
+  resolution: "lodash.isplainobject@npm:4.0.6"
+  checksum: 29c6351f281e0d9a1d58f1a4c8f4400924b4c79f18dfc4613624d7d54784df07efaff97c1ff2659f3e085ecf4fff493300adc4837553104cef2634110b0d5337
+  languageName: node
+  linkType: hard
+
+"lodash.kebabcase@npm:^4.1.1":
+  version: 4.1.1
+  resolution: "lodash.kebabcase@npm:4.1.1"
+  checksum: 5a6c59161914e1bae23438a298c7433e83d935e0f59853fa862e691164696bc07f6dfa4c313d499fbf41ba8d53314e9850416502376705a357d24ee6ca33af78
+  languageName: node
+  linkType: hard
+
+"lodash.keys@npm:^3.0.0":
+  version: 3.1.2
+  resolution: "lodash.keys@npm:3.1.2"
+  dependencies:
+    lodash._getnative: ^3.0.0
+    lodash.isarguments: ^3.0.0
+    lodash.isarray: ^3.0.0
+  checksum: ac7c02c793334c48161a8e8a1f12576c73ee50d1371e75680afc6c2d3740d5e9bdc899517e6c0034014eaa2512c5f433a2e6985c9e16cf28b5c9013ec81bd35e
+  languageName: node
+  linkType: hard
+
+"lodash.lowerfirst@npm:^4.3.1":
+  version: 4.3.1
+  resolution: "lodash.lowerfirst@npm:4.3.1"
+  checksum: e1688e18873777d394db4994d150dfc14cf01bf450169cf8296af4d84ecd7c3c4ae4dab3746f77f8719a093e4fff58bee3ae73ae7e23ef508b7d970b189d9952
+  languageName: node
+  linkType: hard
+
+"lodash.map@npm:^4.6.0":
+  version: 4.6.0
+  resolution: "lodash.map@npm:4.6.0"
+  checksum: 7369a41d7d24d15ce3bbd02a7faa3a90f6266c38184e64932571b9b21b758bd10c04ffd117d1859be1a44156f29b94df5045eff172bf8a97fddf68bf1002d12f
+  languageName: node
+  linkType: hard
+
+"lodash.mapvalues@npm:^4.6.0":
+  version: 4.6.0
+  resolution: "lodash.mapvalues@npm:4.6.0"
+  checksum: 0ff1b252fda318fc36e47c296984925e98fbb0fc5a2ecc4ef458f3c739a9476d47e40c95ac653e8314d132aa59c746d4276527b99d6e271940555c6e12d2babd
+  languageName: node
+  linkType: hard
+
+"lodash.memoize@npm:4.1.2, lodash.memoize@npm:^4.1.2":
+  version: 4.1.2
+  resolution: "lodash.memoize@npm:4.1.2"
+  checksum: 9ff3942feeccffa4f1fafa88d32f0d24fdc62fd15ded5a74a5f950ff5f0c6f61916157246744c620173dddf38d37095a92327d5fd3861e2063e736a5c207d089
+  languageName: node
+  linkType: hard
+
+"lodash.merge@npm:^4.6.0, lodash.merge@npm:^4.6.2":
+  version: 4.6.2
+  resolution: "lodash.merge@npm:4.6.2"
+  checksum: ad580b4bdbb7ca1f7abf7e1bce63a9a0b98e370cf40194b03380a46b4ed799c9573029599caebc1b14e3f24b111aef72b96674a56cfa105e0f5ac70546cdc005
+  languageName: node
+  linkType: hard
+
+"lodash.omit@npm:^4.1.0":
+  version: 4.5.0
+  resolution: "lodash.omit@npm:4.5.0"
+  checksum: 434645e49fe84ab315719bd5a9a3a585a0f624aa4160bc09157dd041a414bcc287c15840365c1379476a3f3eda41fbe838976c3f7bdecbbf4c5478e86c471a30
+  languageName: node
+  linkType: hard
+
+"lodash.pick@npm:^4.4.0":
+  version: 4.4.0
+  resolution: "lodash.pick@npm:4.4.0"
+  checksum: 2c36cab7da6b999a20bd3373b40e31a3ef81fa264f34a6979c852c5bc8ac039379686b27380f0cb8e3781610844fafec6949c6fbbebc059c98f8fa8570e3675f
+  languageName: node
+  linkType: hard
+
+"lodash.restparam@npm:^3.0.0":
+  version: 3.6.1
+  resolution: "lodash.restparam@npm:3.6.1"
+  checksum: 8bda0c7aaeac93da2b7e856bfeec8e6fdefb4d7eadfe6fd84775312a729fc1cb985636d922fe33b49f41aba135204962f4b853d7946105b7704102edb2bf6082
+  languageName: node
+  linkType: hard
+
+"lodash.snakecase@npm:^4.1.1":
+  version: 4.1.1
+  resolution: "lodash.snakecase@npm:4.1.1"
+  checksum: 1685ed3e83dda6eae5a4dcaee161a51cd210aabb3e1c09c57150e7dd8feda19e4ca0d27d0631eabe8d0f4eaa51e376da64e8c018ae5415417c5890d42feb72a8
+  languageName: node
+  linkType: hard
+
+"lodash.template@npm:^4.4.0, lodash.template@npm:^4.5.0":
+  version: 4.5.0
+  resolution: "lodash.template@npm:4.5.0"
+  dependencies:
+    lodash._reinterpolate: ^3.0.0
+    lodash.templatesettings: ^4.0.0
+  checksum: ca64e5f07b6646c9d3dbc0fe3aaa995cb227c4918abd1cef7a9024cd9c924f2fa389a0ec4296aa6634667e029bc81d4bbdb8efbfde11df76d66085e6c529b450
+  languageName: node
+  linkType: hard
+
+"lodash.templatesettings@npm:^4.0.0":
+  version: 4.2.0
+  resolution: "lodash.templatesettings@npm:4.2.0"
+  dependencies:
+    lodash._reinterpolate: ^3.0.0
+  checksum: 863e025478b092997e11a04e9d9e735875eeff1ffcd6c61742aa8272e3c2cddc89ce795eb9726c4e74cef5991f722897ff37df7738a125895f23fc7d12a7bb59
+  languageName: node
+  linkType: hard
+
+"lodash.truncate@npm:^4.4.2":
+  version: 4.4.2
+  resolution: "lodash.truncate@npm:4.4.2"
+  checksum: b463d8a382cfb5f0e71c504dcb6f807a7bd379ff1ea216669aa42c52fc28c54e404bfbd96791aa09e6df0de2c1d7b8f1b7f4b1a61f324d38fe98bc535aeee4f5
+  languageName: node
+  linkType: hard
+
+"lodash.uniq@npm:^4.2.0, lodash.uniq@npm:^4.5.0":
+  version: 4.5.0
+  resolution: "lodash.uniq@npm:4.5.0"
+  checksum: a4779b57a8d0f3c441af13d9afe7ecff22dd1b8ce1129849f71d9bbc8e8ee4e46dfb4b7c28f7ad3d67481edd6e51126e4e2a6ee276e25906d10f7140187c392d
+  languageName: node
+  linkType: hard
+
+"lodash.uniqby@npm:^4.7.0":
+  version: 4.7.0
+  resolution: "lodash.uniqby@npm:4.7.0"
+  checksum: 659264545a95726d1493123345aad8cbf56e17810fa9a0b029852c6d42bc80517696af09d99b23bef1845d10d95e01b8b4a1da578f22aeba7a30d3e0022a4938
+  languageName: node
+  linkType: hard
+
+"lodash.values@npm:^4.3.0":
+  version: 4.3.0
+  resolution: "lodash.values@npm:4.3.0"
+  checksum: 857e122ddf6edb50137887f0b834d471f96d66692ebb5de8b048ed277c8a3dd1bc8f85d82cf31b0f5c6dbc5b72c036a591205f76eec86bb11818a1a6f7e5a28c
+  languageName: node
+  linkType: hard
+
+"lodash@npm:^4.0.0, lodash@npm:^4.17.10, lodash@npm:^4.17.11, lodash@npm:^4.17.12, lodash@npm:^4.17.14, lodash@npm:^4.17.15, lodash@npm:^4.17.19, lodash@npm:^4.17.21, lodash@npm:^4.17.4, lodash@npm:^4.5.1, lodash@npm:^4.7.0":
+  version: 4.17.21
+  resolution: "lodash@npm:4.17.21"
+  checksum: eb835a2e51d381e561e508ce932ea50a8e5a68f4ebdd771ea240d3048244a8d13658acbd502cd4829768c56f2e16bdd4340b9ea141297d472517b83868e677f7
+  languageName: node
+  linkType: hard
+
+"log-symbols@npm:^2.2.0":
+  version: 2.2.0
+  resolution: "log-symbols@npm:2.2.0"
+  dependencies:
+    chalk: ^2.0.1
+  checksum: 4c95e3b65f0352dbe91dc4989c10baf7a44e2ef5b0db7e6721e1476268e2b6f7090c3aa880d4f833a05c5c3ff18f4ec5215a09bd0099986d64a8186cfeb48ac8
+  languageName: node
+  linkType: hard
+
+"log-symbols@npm:^4.0.0, log-symbols@npm:^4.1.0":
+  version: 4.1.0
+  resolution: "log-symbols@npm:4.1.0"
+  dependencies:
+    chalk: ^4.1.0
+    is-unicode-supported: ^0.1.0
+  checksum: fce1497b3135a0198803f9f07464165e9eb83ed02ceb2273930a6f8a508951178d8cf4f0378e9d28300a2ed2bc49050995d2bd5f53ab716bb15ac84d58c6ef74
+  languageName: node
+  linkType: hard
+
+"log-update@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "log-update@npm:4.0.0"
+  dependencies:
+    ansi-escapes: ^4.3.0
+    cli-cursor: ^3.1.0
+    slice-ansi: ^4.0.0
+    wrap-ansi: ^6.2.0
+  checksum: ae2f85bbabc1906034154fb7d4c4477c79b3e703d22d78adee8b3862fa913942772e7fa11713e3d96fb46de4e3cabefbf5d0a544344f03b58d3c4bff52aa9eb2
+  languageName: node
+  linkType: hard
+
+"loglevel-colored-level-prefix@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "loglevel-colored-level-prefix@npm:1.0.0"
+  dependencies:
+    chalk: ^1.1.3
+    loglevel: ^1.4.1
+  checksum: 146aa7d0ea900d6d8523e945b2265be240e4c7c4752dae678983764dd756c44194684af1ee8ea721feff4c4f8c5771544a02a6cd8b269a663cffe9b4fcf955f1
+  languageName: node
+  linkType: hard
+
+"loglevel@npm:^1.4.1":
+  version: 1.7.1
+  resolution: "loglevel@npm:1.7.1"
+  checksum: 715a4ae69ad75d4d3bd04e4f6e9edbc4cae4db34d1e7f54f426d8cebe2dd9fef891ca3789e839d927cdbc5fad73d789e998db0af2f11f4c40219c272bc923823
+  languageName: node
+  linkType: hard
+
+"lolex@npm:^4.2.0":
+  version: 4.2.0
+  resolution: "lolex@npm:4.2.0"
+  checksum: 0a83bfe1748fc745515dff9b3f722422918f5f6975104d7e576fc32c06b5398ee0c58525684068d4de49cdd49874e00b5e2b2d72ce8c5d829dab86c8c08ca31f
+  languageName: node
+  linkType: hard
+
+"lolex@npm:^5.0.1":
+  version: 5.1.2
+  resolution: "lolex@npm:5.1.2"
+  dependencies:
+    "@sinonjs/commons": ^1.7.0
+  checksum: 7eb468d4ef4746c024d23cb2b75f679f79449a9d5cbe11abadf2f3b147c1d7ffe28816438bedfb8a75c58357a625c2f9ba197b050c226d2b3f0c4a956cf556fb
+  languageName: node
+  linkType: hard
+
+"longest-streak@npm:^2.0.0":
+  version: 2.0.4
+  resolution: "longest-streak@npm:2.0.4"
+  checksum: 28b8234a14963002c5c71035dee13a0a11e9e9d18ffa320fdc8796ed7437399204495702ed69cd2a7087b0af041a2a8b562829b7c1e2042e73a3374d1ecf6580
+  languageName: node
+  linkType: hard
+
+"loose-envify@npm:^1.0.0":
+  version: 1.4.0
+  resolution: "loose-envify@npm:1.4.0"
+  dependencies:
+    js-tokens: ^3.0.0 || ^4.0.0
+  bin:
+    loose-envify: cli.js
+  checksum: 6517e24e0cad87ec9888f500c5b5947032cdfe6ef65e1c1936a0c48a524b81e65542c9c3edc91c97d5bddc806ee2a985dbc79be89215d613b1de5db6d1cfe6f4
+  languageName: node
+  linkType: hard
+
+"lower-case@npm:^2.0.2":
+  version: 2.0.2
+  resolution: "lower-case@npm:2.0.2"
+  dependencies:
+    tslib: ^2.0.3
+  checksum: 83a0a5f159ad7614bee8bf976b96275f3954335a84fad2696927f609ddae902802c4f3312d86668722e668bef41400254807e1d3a7f2e8c3eede79691aa1f010
+  languageName: node
+  linkType: hard
+
+"lru-cache@npm:^5.1.1":
+  version: 5.1.1
+  resolution: "lru-cache@npm:5.1.1"
+  dependencies:
+    yallist: ^3.0.2
+  checksum: c154ae1cbb0c2206d1501a0e94df349653c92c8cbb25236d7e85190bcaf4567a03ac6eb43166fabfa36fd35623694da7233e88d9601fbf411a9a481d85dbd2cb
+  languageName: node
+  linkType: hard
+
+"lru-cache@npm:^6.0.0":
+  version: 6.0.0
+  resolution: "lru-cache@npm:6.0.0"
+  dependencies:
+    yallist: ^4.0.0
+  checksum: f97f499f898f23e4585742138a22f22526254fdba6d75d41a1c2526b3b6cc5747ef59c5612ba7375f42aca4f8461950e925ba08c991ead0651b4918b7c978297
+  languageName: node
+  linkType: hard
+
+"lru-cache@npm:^7.5.1, lru-cache@npm:^7.7.1":
+  version: 7.18.3
+  resolution: "lru-cache@npm:7.18.3"
+  checksum: e550d772384709deea3f141af34b6d4fa392e2e418c1498c078de0ee63670f1f46f5eee746e8ef7e69e1c895af0d4224e62ee33e66a543a14763b0f2e74c1356
+  languageName: node
+  linkType: hard
+
+"magic-string@npm:^0.24.0":
+  version: 0.24.1
+  resolution: "magic-string@npm:0.24.1"
+  dependencies:
+    sourcemap-codec: ^1.4.1
+  checksum: 335a4992a75b5869acf054216acf430bc587986500c495cb2f0d42d47364c7677c5a2db5a8465fac380ce5e87d33225e7f2e1cd8f586e7e5ceaf34d366650606
+  languageName: node
+  linkType: hard
+
+"magic-string@npm:^0.25.2, magic-string@npm:^0.25.7":
+  version: 0.25.7
+  resolution: "magic-string@npm:0.25.7"
+  dependencies:
+    sourcemap-codec: ^1.4.4
+  checksum: 727a1fb70f9610304fe384f1df0251eb7d1d9dd779c07ef1225690361b71b216f26f5d934bfb11c919b5b0e7ba50f6240c823a6f2e44cfd33d4a07d7747ca829
+  languageName: node
+  linkType: hard
+
+"magic-string@npm:^0.30.0":
+  version: 0.30.0
+  resolution: "magic-string@npm:0.30.0"
+  dependencies:
+    "@jridgewell/sourcemap-codec": ^1.4.13
+  checksum: 7bdf22e27334d8a393858a16f5f840af63a7c05848c000fd714da5aa5eefa09a1bc01d8469362f25cc5c4a14ec01b46557b7fff8751365522acddf21e57c488d
+  languageName: node
+  linkType: hard
+
+"make-dir@npm:^2.0.0":
+  version: 2.1.0
+  resolution: "make-dir@npm:2.1.0"
+  dependencies:
+    pify: ^4.0.1
+    semver: ^5.6.0
+  checksum: 043548886bfaf1820323c6a2997e6d2fa51ccc2586ac14e6f14634f7458b4db2daf15f8c310e2a0abd3e0cddc64df1890d8fc7263033602c47bb12cbfcf86aab
+  languageName: node
+  linkType: hard
+
+"make-dir@npm:^3.0.0, make-dir@npm:^3.0.2, make-dir@npm:^3.1.0":
+  version: 3.1.0
+  resolution: "make-dir@npm:3.1.0"
+  dependencies:
+    semver: ^6.0.0
+  checksum: 484200020ab5a1fdf12f393fe5f385fc8e4378824c940fba1729dcd198ae4ff24867bc7a5646331e50cead8abff5d9270c456314386e629acec6dff4b8016b78
+  languageName: node
+  linkType: hard
+
+"make-fetch-happen@npm:^10.0.3":
+  version: 10.2.1
+  resolution: "make-fetch-happen@npm:10.2.1"
+  dependencies:
+    agentkeepalive: ^4.2.1
+    cacache: ^16.1.0
+    http-cache-semantics: ^4.1.0
+    http-proxy-agent: ^5.0.0
+    https-proxy-agent: ^5.0.0
+    is-lambda: ^1.0.1
+    lru-cache: ^7.7.1
+    minipass: ^3.1.6
+    minipass-collect: ^1.0.2
+    minipass-fetch: ^2.0.3
+    minipass-flush: ^1.0.5
+    minipass-pipeline: ^1.2.4
+    negotiator: ^0.6.3
+    promise-retry: ^2.0.1
+    socks-proxy-agent: ^7.0.0
+    ssri: ^9.0.0
+  checksum: 2332eb9a8ec96f1ffeeea56ccefabcb4193693597b132cd110734d50f2928842e22b84cfa1508e921b8385cdfd06dda9ad68645fed62b50fff629a580f5fb72c
+  languageName: node
+  linkType: hard
+
+"make-plural@npm:^7.0.0":
+  version: 7.1.0
+  resolution: "make-plural@npm:7.1.0"
+  checksum: d0ef253e508c8cdbddcc37288d25e0944eb2bf800008bf178a1c37b101c3202d89609ddb577a10515bd2499c7665159594704682cc9c159cc20491da6b7ac09e
+  languageName: node
+  linkType: hard
+
+"makeerror@npm:1.0.12":
+  version: 1.0.12
+  resolution: "makeerror@npm:1.0.12"
+  dependencies:
+    tmpl: 1.0.5
+  checksum: b38a025a12c8146d6eeea5a7f2bf27d51d8ad6064da8ca9405fcf7bf9b54acd43e3b30ddd7abb9b1bfa4ddb266019133313482570ddb207de568f71ecfcf6060
+  languageName: node
+  linkType: hard
+
+"map-age-cleaner@npm:^0.1.3":
+  version: 0.1.3
+  resolution: "map-age-cleaner@npm:0.1.3"
+  dependencies:
+    p-defer: ^1.0.0
+  checksum: cb2804a5bcb3cbdfe4b59066ea6d19f5e7c8c196cd55795ea4c28f792b192e4c442426ae52524e5e1acbccf393d3bddacefc3d41f803e66453f6c4eda3650bc1
+  languageName: node
+  linkType: hard
+
+"map-cache@npm:^0.2.2":
+  version: 0.2.2
+  resolution: "map-cache@npm:0.2.2"
+  checksum: 3067cea54285c43848bb4539f978a15dedc63c03022abeec6ef05c8cb6829f920f13b94bcaf04142fc6a088318e564c4785704072910d120d55dbc2e0c421969
+  languageName: node
+  linkType: hard
+
+"map-obj@npm:^1.0.0":
+  version: 1.0.1
+  resolution: "map-obj@npm:1.0.1"
+  checksum: 9949e7baec2a336e63b8d4dc71018c117c3ce6e39d2451ccbfd3b8350c547c4f6af331a4cbe1c83193d7c6b786082b6256bde843db90cb7da2a21e8fcc28afed
+  languageName: node
+  linkType: hard
+
+"map-obj@npm:^4.1.0":
+  version: 4.3.0
+  resolution: "map-obj@npm:4.3.0"
+  checksum: fbc554934d1a27a1910e842bc87b177b1a556609dd803747c85ece420692380827c6ae94a95cce4407c054fa0964be3bf8226f7f2cb2e9eeee432c7c1985684e
+  languageName: node
+  linkType: hard
+
+"map-visit@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "map-visit@npm:1.0.0"
+  dependencies:
+    object-visit: ^1.0.0
+  checksum: c27045a5021c344fc19b9132eb30313e441863b2951029f8f8b66f79d3d8c1e7e5091578075a996f74e417479506fe9ede28c44ca7bc351a61c9d8073daec36a
+  languageName: node
+  linkType: hard
+
+"markdown-it-terminal@npm:^0.4.0":
+  version: 0.4.0
+  resolution: "markdown-it-terminal@npm:0.4.0"
+  dependencies:
+    ansi-styles: ^3.0.0
+    cardinal: ^1.0.0
+    cli-table: ^0.3.1
+    lodash.merge: ^4.6.2
+  peerDependencies:
+    markdown-it: ">= 13.0.0"
+  checksum: 45512555a4ffbad82d84d62c39c72a49e3c8f6553f79bebdb48fb75033abee019c90f0a13bee418cd1ea8e2f4bfa02011839afdac92c17c8381715c7de7dec87
+  languageName: node
+  linkType: hard
+
+"markdown-it@npm:^13.0.1":
+  version: 13.0.1
+  resolution: "markdown-it@npm:13.0.1"
+  dependencies:
+    argparse: ^2.0.1
+    entities: ~3.0.1
+    linkify-it: ^4.0.1
+    mdurl: ^1.0.1
+    uc.micro: ^1.0.5
+  bin:
+    markdown-it: bin/markdown-it.js
+  checksum: faf5891d389dc433bcf21d3fbff2009beb044b42b117c92f4848899780ca1a2282a209e3ff4672db4afed726a7248304ec473e6e242a7d6498af7113d31974e7
+  languageName: node
+  linkType: hard
+
+"markdown-table@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "markdown-table@npm:2.0.0"
+  dependencies:
+    repeat-string: ^1.0.0
+  checksum: 9bb634a9300016cbb41216c1eab44c74b6b7083ac07872e296f900a29449cf0e260ece03fa10c3e9784ab94c61664d1d147da0315f95e1336e2bdcc025615c90
+  languageName: node
+  linkType: hard
+
+"matcher-collection@npm:^1.0.0, matcher-collection@npm:^1.0.4, matcher-collection@npm:^1.1.1":
+  version: 1.1.2
+  resolution: "matcher-collection@npm:1.1.2"
+  dependencies:
+    minimatch: ^3.0.2
+  checksum: 9aaf90944fa185187a099000b5df9542b85c4fd330c66f1747578c945b78242376066d1a1bc74fcd6d48375ab11dd2dbb5619c6f1c00e7720cf1f4f5df9d291b
+  languageName: node
+  linkType: hard
+
+"matcher-collection@npm:^2.0.0, matcher-collection@npm:^2.0.1":
+  version: 2.0.1
+  resolution: "matcher-collection@npm:2.0.1"
+  dependencies:
+    "@types/minimatch": ^3.0.3
+    minimatch: ^3.0.2
+  checksum: f6d4f94bdcf773f9cbd4b7b10199a7632c434833a4c01bfb29c373e118647bb3b748aa3f20c70d6c3a715915fcc44ad4a77a9f8d5f059f3a0d15c984c0acc83d
+  languageName: node
+  linkType: hard
+
+"mathml-tag-names@npm:^2.1.3":
+  version: 2.1.3
+  resolution: "mathml-tag-names@npm:2.1.3"
+  checksum: 1201a25a137d6b9e328facd67912058b8b45b19a6c4cc62641c9476195da28a275ca6e0eca070af5378b905c2b11abc1114676ba703411db0b9ce007de921ad0
+  languageName: node
+  linkType: hard
+
+"md5.js@npm:^1.3.4":
+  version: 1.3.5
+  resolution: "md5.js@npm:1.3.5"
+  dependencies:
+    hash-base: ^3.0.0
+    inherits: ^2.0.1
+    safe-buffer: ^5.1.2
+  checksum: 098494d885684bcc4f92294b18ba61b7bd353c23147fbc4688c75b45cb8590f5a95fd4584d742415dcc52487f7a1ef6ea611cfa1543b0dc4492fe026357f3f0c
+  languageName: node
+  linkType: hard
+
+"mdast-util-find-and-replace@npm:^1.1.0":
+  version: 1.1.1
+  resolution: "mdast-util-find-and-replace@npm:1.1.1"
+  dependencies:
+    escape-string-regexp: ^4.0.0
+    unist-util-is: ^4.0.0
+    unist-util-visit-parents: ^3.0.0
+  checksum: e4c9e50d9bce5ae4c728a925bd60080b94d16aaa312c27e2b70b16ddc29a5d0a0844d6e18efaef08aeb22c68303ec528f20183d1b0420504a0c2c1710cebd76f
+  languageName: node
+  linkType: hard
+
+"mdast-util-footnote@npm:^0.1.0":
+  version: 0.1.7
+  resolution: "mdast-util-footnote@npm:0.1.7"
+  dependencies:
+    mdast-util-to-markdown: ^0.6.0
+    micromark: ~2.11.0
+  checksum: 6d05396a9497c289fecf844d68d3210968750b215cf1df3fd1962c77d73560d8598cc4d79cef36a750d5b43f30b71fec079e0563f267b65072cfc38548d39eda
+  languageName: node
+  linkType: hard
+
+"mdast-util-from-markdown@npm:^0.8.0":
+  version: 0.8.5
+  resolution: "mdast-util-from-markdown@npm:0.8.5"
+  dependencies:
+    "@types/mdast": ^3.0.0
+    mdast-util-to-string: ^2.0.0
+    micromark: ~2.11.0
+    parse-entities: ^2.0.0
+    unist-util-stringify-position: ^2.0.0
+  checksum: 5a9d0d753a42db763761e874c22365d0c7c9934a5a18b5ff76a0643610108a208a041ffdb2f3d3dd1863d3d915225a4020a0aade282af0facfd0df110601eee6
+  languageName: node
+  linkType: hard
+
+"mdast-util-frontmatter@npm:^0.2.0":
+  version: 0.2.0
+  resolution: "mdast-util-frontmatter@npm:0.2.0"
+  dependencies:
+    micromark-extension-frontmatter: ^0.2.0
+  checksum: 6dbed31233b34b41dd09da4756bbe3bd674fa3033c58f771f419e56675b8c7a601a18838d027fdb9cbef3b958346c661f7926ca401e154e63c071ecb2a3596a2
+  languageName: node
+  linkType: hard
+
+"mdast-util-gfm-autolink-literal@npm:^0.1.0":
+  version: 0.1.3
+  resolution: "mdast-util-gfm-autolink-literal@npm:0.1.3"
+  dependencies:
+    ccount: ^1.0.0
+    mdast-util-find-and-replace: ^1.1.0
+    micromark: ^2.11.3
+  checksum: 9f7b888678631fd8c0a522b0689a750aead2b05d57361dbdf02c10381557f1ce874f746226141f3ace1e0e7952495e8d5ce8f9af423a7a66bb300d4635a918eb
+  languageName: node
+  linkType: hard
+
+"mdast-util-gfm-strikethrough@npm:^0.2.0":
+  version: 0.2.3
+  resolution: "mdast-util-gfm-strikethrough@npm:0.2.3"
+  dependencies:
+    mdast-util-to-markdown: ^0.6.0
+  checksum: 51aa11ca8f1a5745f1eb9ccddb0eca797b3ede6f0c7bf355d594ad57c02c98d95260f00b1c4b07504018e0b22708531eabb76037841f09ce8465444706a06522
+  languageName: node
+  linkType: hard
+
+"mdast-util-gfm-table@npm:^0.1.0":
+  version: 0.1.6
+  resolution: "mdast-util-gfm-table@npm:0.1.6"
+  dependencies:
+    markdown-table: ^2.0.0
+    mdast-util-to-markdown: ~0.6.0
+  checksum: eeb43faf833753315b4ccf8d7bc8a6845b31562b2d2dd12a92aa40f9cee1b1954643c7515399a98f9b2e143c95cf6b5c0aac5941a4f609d6a57335587cee99ac
+  languageName: node
+  linkType: hard
+
+"mdast-util-gfm-task-list-item@npm:^0.1.0":
+  version: 0.1.6
+  resolution: "mdast-util-gfm-task-list-item@npm:0.1.6"
+  dependencies:
+    mdast-util-to-markdown: ~0.6.0
+  checksum: c10480c0ae86547980b38b49fba2ecd36a50bf1f3478d3f12810a0d8e8f821585c2bd7d805dd735518e84493b5eef314afdb8d59807021e2d9aa22d077eb7588
+  languageName: node
+  linkType: hard
+
+"mdast-util-gfm@npm:^0.1.0":
+  version: 0.1.2
+  resolution: "mdast-util-gfm@npm:0.1.2"
+  dependencies:
+    mdast-util-gfm-autolink-literal: ^0.1.0
+    mdast-util-gfm-strikethrough: ^0.2.0
+    mdast-util-gfm-table: ^0.1.0
+    mdast-util-gfm-task-list-item: ^0.1.0
+    mdast-util-to-markdown: ^0.6.1
+  checksum: 368ed535b2c2e0f33d0225a9e9c985468bf4825a06896815369aea585f6defaccb555ac40ba911e02c8e8c47e79f7efb4348de532de50bca2638a1e568f2d3c9
+  languageName: node
+  linkType: hard
+
+"mdast-util-to-markdown@npm:^0.6.0, mdast-util-to-markdown@npm:^0.6.1, mdast-util-to-markdown@npm:~0.6.0":
+  version: 0.6.5
+  resolution: "mdast-util-to-markdown@npm:0.6.5"
+  dependencies:
+    "@types/unist": ^2.0.0
+    longest-streak: ^2.0.0
+    mdast-util-to-string: ^2.0.0
+    parse-entities: ^2.0.0
+    repeat-string: ^1.0.0
+    zwitch: ^1.0.0
+  checksum: 7ebc47533bff6e8669f85ae124dc521ea570e9df41c0d9e4f0f43c19ef4a8c9928d741f3e4afa62fcca1927479b714582ff5fd684ef240d84ee5b75ab9d863cf
+  languageName: node
+  linkType: hard
+
+"mdast-util-to-string@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "mdast-util-to-string@npm:2.0.0"
+  checksum: 0b2113ada10e002fbccb014170506dabe2f2ddacaacbe4bc1045c33f986652c5a162732a2c057c5335cdb58419e2ad23e368e5be226855d4d4e280b81c4e9ec2
+  languageName: node
+  linkType: hard
+
+"mdn-data@npm:2.0.27":
+  version: 2.0.27
+  resolution: "mdn-data@npm:2.0.27"
+  checksum: df94012b7b50d5ac7b862dd603c0cd2712c47e5a7b8a1d914054989d6d798320459319dd99d17ba6d0ff39a9fb50b117c9e8bf88a767635849719ff44912614e
+  languageName: node
+  linkType: hard
+
+"mdn-data@npm:2.0.30":
+  version: 2.0.30
+  resolution: "mdn-data@npm:2.0.30"
+  checksum: d6ac5ac7439a1607df44b22738ecf83f48e66a0874e4482d6424a61c52da5cde5750f1d1229b6f5fa1b80a492be89465390da685b11f97d62b8adcc6e88189aa
+  languageName: node
+  linkType: hard
+
+"mdn-data@npm:2.0.4":
+  version: 2.0.4
+  resolution: "mdn-data@npm:2.0.4"
+  checksum: add3c95e6d03d301b8a8bcfee3de33f4d07e4c5eee5b79f18d6d737de717e22472deadf67c1a8563983c0b603e10d7df40aa8e5fddf18884dfe118ccec7ae329
+  languageName: node
+  linkType: hard
+
+"mdn-data@npm:~1.1.0":
+  version: 1.1.4
+  resolution: "mdn-data@npm:1.1.4"
+  checksum: 146dbea4c8bd68547f6ffec22868f099f82cead2a7a55eb70f80cf1a4958e3504c2d9bf17f3f0675f76f2b5a396b4ef2a5e9998af6c070625e9650771101c139
+  languageName: node
+  linkType: hard
+
+"mdurl@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "mdurl@npm:1.0.1"
+  checksum: 71731ecba943926bfbf9f9b51e28b5945f9411c4eda80894221b47cc105afa43ba2da820732b436f0798fd3edbbffcd1fc1415843c41a87fea08a41cc1e3d02b
+  languageName: node
+  linkType: hard
+
+"media-typer@npm:0.3.0":
+  version: 0.3.0
+  resolution: "media-typer@npm:0.3.0"
+  checksum: af1b38516c28ec95d6b0826f6c8f276c58aec391f76be42aa07646b4e39d317723e869700933ca6995b056db4b09a78c92d5440dc23657e6764be5d28874bba1
+  languageName: node
+  linkType: hard
+
+"mem@npm:^5.0.0":
+  version: 5.1.1
+  resolution: "mem@npm:5.1.1"
+  dependencies:
+    map-age-cleaner: ^0.1.3
+    mimic-fn: ^2.1.0
+    p-is-promise: ^2.1.0
+  checksum: 134ec3af9a290ca0ba3fcf0c21c344bdfd097073874ffebb9345f250a028e67a7bd81df1c6b8daa73498f995d55e4d8d4cb718132b23959609f0e8865f7551de
+  languageName: node
+  linkType: hard
+
+"memory-fs@npm:^0.4.1":
+  version: 0.4.1
+  resolution: "memory-fs@npm:0.4.1"
+  dependencies:
+    errno: ^0.1.3
+    readable-stream: ^2.0.1
+  checksum: 6db6c8682eff836664ca9b5b6052ae38d21713dda9d0ef4700fa5c0599a8bc16b2093bee75ac3dedbe59fb2222d368f25bafaa62ba143c41051359cbcb005044
+  languageName: node
+  linkType: hard
+
+"memory-fs@npm:^0.5.0":
+  version: 0.5.0
+  resolution: "memory-fs@npm:0.5.0"
+  dependencies:
+    errno: ^0.1.3
+    readable-stream: ^2.0.1
+  checksum: a9f25b0a8ecfb7324277393f19ef68e6ba53b9e6e4b526bbf2ba23055c5440fbf61acc7bf66bfd980e9eb4951a4790f6f777a9a3abd36603f22c87e8a64d3d6b
+  languageName: node
+  linkType: hard
+
+"memory-streams@npm:^0.1.3":
+  version: 0.1.3
+  resolution: "memory-streams@npm:0.1.3"
+  dependencies:
+    readable-stream: ~1.0.2
+  checksum: aebb6dc54c35ff8e7fcbbffc736ae95938d9bb7ed66735b693ed18743fcc6268f64eaa80b2580a49c3c73ddc00cd880d5847f318997affe6d2a46b75365715f8
+  languageName: node
+  linkType: hard
+
+"memorystream@npm:^0.3.1":
+  version: 0.3.1
+  resolution: "memorystream@npm:0.3.1"
+  checksum: f18b42440d24d09516d01466c06adf797df7873f0d40aa7db02e5fb9ed83074e5e65412d0720901d7069363465f82dc4f8bcb44f0cde271567a61426ce6ca2e9
+  languageName: node
+  linkType: hard
+
+"meow@npm:^10.1.5":
+  version: 10.1.5
+  resolution: "meow@npm:10.1.5"
+  dependencies:
+    "@types/minimist": ^1.2.2
+    camelcase-keys: ^7.0.0
+    decamelize: ^5.0.0
+    decamelize-keys: ^1.1.0
+    hard-rejection: ^2.1.0
+    minimist-options: 4.1.0
+    normalize-package-data: ^3.0.2
+    read-pkg-up: ^8.0.0
+    redent: ^4.0.0
+    trim-newlines: ^4.0.2
+    type-fest: ^1.2.2
+    yargs-parser: ^20.2.9
+  checksum: dd5f0caa4af18517813547dc66741dcbf52c4c23def5062578d39b11189fd9457aee5c1f2263a5cd6592a465023df8357e8ac876b685b64dbcf545e3f66c23a7
+  languageName: node
+  linkType: hard
+
+"merge-descriptors@npm:1.0.1":
+  version: 1.0.1
+  resolution: "merge-descriptors@npm:1.0.1"
+  checksum: 5abc259d2ae25bb06d19ce2b94a21632583c74e2a9109ee1ba7fd147aa7362b380d971e0251069f8b3eb7d48c21ac839e21fa177b335e82c76ec172e30c31a26
+  languageName: node
+  linkType: hard
+
+"merge-stream@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "merge-stream@npm:2.0.0"
+  checksum: 6fa4dcc8d86629705cea944a4b88ef4cb0e07656ebf223fa287443256414283dd25d91c1cd84c77987f2aec5927af1a9db6085757cb43d90eb170ebf4b47f4f4
+  languageName: node
+  linkType: hard
+
+"merge-trees@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "merge-trees@npm:1.0.1"
+  dependencies:
+    can-symlink: ^1.0.0
+    fs-tree-diff: ^0.5.4
+    heimdalljs: ^0.2.1
+    heimdalljs-logger: ^0.1.7
+    rimraf: ^2.4.3
+    symlink-or-copy: ^1.0.0
+  checksum: d32b06a9b18ab6963718c99b38fbe010e91f54a16f6f5555b32d48be0938c7f33ea81b8f0411846c43e6a5cfdbbf9aa2817fccc0186c2aa071944fe76bdc0372
+  languageName: node
+  linkType: hard
+
+"merge-trees@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "merge-trees@npm:2.0.0"
+  dependencies:
+    fs-updater: ^1.0.4
+    heimdalljs: ^0.2.5
+  checksum: 8e315ac6838192a7e61fecd003cca465b135b60d9d74e37501eef01e29a6f403850359b28a7b8696f369127caf28a5ff6d22493f11dc9cf5f7bbdfa11836cd7e
+  languageName: node
+  linkType: hard
+
+"merge2@npm:^1.2.3, merge2@npm:^1.3.0, merge2@npm:^1.4.1":
+  version: 1.4.1
+  resolution: "merge2@npm:1.4.1"
+  checksum: 7268db63ed5169466540b6fb947aec313200bcf6d40c5ab722c22e242f651994619bcd85601602972d3c85bd2cc45a358a4c61937e9f11a061919a1da569b0c2
+  languageName: node
+  linkType: hard
+
+"methods@npm:~1.1.2":
+  version: 1.1.2
+  resolution: "methods@npm:1.1.2"
+  checksum: 0917ff4041fa8e2f2fda5425a955fe16ca411591fbd123c0d722fcf02b73971ed6f764d85f0a6f547ce49ee0221ce2c19a5fa692157931cecb422984f1dcd13a
+  languageName: node
+  linkType: hard
+
+"micromark-extension-footnote@npm:^0.3.0":
+  version: 0.3.2
+  resolution: "micromark-extension-footnote@npm:0.3.2"
+  dependencies:
+    micromark: ~2.11.0
+  checksum: 476c7f7ae86d7b3c33a07cbf7286d2cce06aa9b348eed79867fd6abc98c37519464c335c522e85208c99e573c1abbbcb72a0a27897f2a0b505d993c76df7bd1d
+  languageName: node
+  linkType: hard
+
+"micromark-extension-frontmatter@npm:^0.2.0":
+  version: 0.2.2
+  resolution: "micromark-extension-frontmatter@npm:0.2.2"
+  dependencies:
+    fault: ^1.0.0
+  checksum: b591494c2910162a47b4413b43d80b1e3f148c0d92955576737ff36525f34deb6cc784cdbede76c4ce6a9d06c75586c7198ffb84f97efee894cafabcc86716e4
+  languageName: node
+  linkType: hard
+
+"micromark-extension-gfm-autolink-literal@npm:~0.5.0":
+  version: 0.5.7
+  resolution: "micromark-extension-gfm-autolink-literal@npm:0.5.7"
+  dependencies:
+    micromark: ~2.11.3
+  checksum: 319ec793c2e374e4cc0cbbb07326c1affb78819e507c7c1577f9d14b972852a6bb55e664332ec51f7cca24bdddd43429c5dd55f11e9200b1a00bab1bf494fb2d
+  languageName: node
+  linkType: hard
+
+"micromark-extension-gfm-strikethrough@npm:~0.6.5":
+  version: 0.6.5
+  resolution: "micromark-extension-gfm-strikethrough@npm:0.6.5"
+  dependencies:
+    micromark: ~2.11.0
+  checksum: 67711633590d3e688759a46aaed9f9d04bcaf29b6615eec17af082eabe1059fbca4beb41ba13db418ae7be3ac90198742fbabe519a70f9b6bb615598c5d6ef1a
+  languageName: node
+  linkType: hard
+
+"micromark-extension-gfm-table@npm:~0.4.0":
+  version: 0.4.3
+  resolution: "micromark-extension-gfm-table@npm:0.4.3"
+  dependencies:
+    micromark: ~2.11.0
+  checksum: 12c78de985944dd66aae409871c45d801cc65704f55ea5cc8afac422042c6d3b5e777b154c079ae81298b30b83434b257b54981bda51c220a102042dd2524a63
+  languageName: node
+  linkType: hard
+
+"micromark-extension-gfm-tagfilter@npm:~0.3.0":
+  version: 0.3.0
+  resolution: "micromark-extension-gfm-tagfilter@npm:0.3.0"
+  checksum: 9369736a203836b2933dfdeacab863e7a4976139b9dd46fa5bd6c2feeef50c7dbbcdd641ae95f0481f577d8aa22396bfa7ed9c38515647d4cf3f2c727cc094a3
+  languageName: node
+  linkType: hard
+
+"micromark-extension-gfm-task-list-item@npm:~0.3.0":
+  version: 0.3.3
+  resolution: "micromark-extension-gfm-task-list-item@npm:0.3.3"
+  dependencies:
+    micromark: ~2.11.0
+  checksum: e4ccbe6b440234c8ee05d89315e1204c78773724241af31ac328194470a8a61bc6606eab3ce2d9a83da4401b06e07936038654493da715d40522133d1556dda4
+  languageName: node
+  linkType: hard
+
+"micromark-extension-gfm@npm:^0.3.0":
+  version: 0.3.3
+  resolution: "micromark-extension-gfm@npm:0.3.3"
+  dependencies:
+    micromark: ~2.11.0
+    micromark-extension-gfm-autolink-literal: ~0.5.0
+    micromark-extension-gfm-strikethrough: ~0.6.5
+    micromark-extension-gfm-table: ~0.4.0
+    micromark-extension-gfm-tagfilter: ~0.3.0
+    micromark-extension-gfm-task-list-item: ~0.3.0
+  checksum: 7957a1afd8c92daa0fc165342902729334b22d59feacd85b20a0d9cc453c90bbdd5b5ba85a3d177c01802060aeb3326daf05d3e6d95932fcbc8371827c98336e
+  languageName: node
+  linkType: hard
+
+"micromark@npm:^2.11.3, micromark@npm:~2.11.0, micromark@npm:~2.11.3":
+  version: 2.11.4
+  resolution: "micromark@npm:2.11.4"
+  dependencies:
+    debug: ^4.0.0
+    parse-entities: ^2.0.0
+  checksum: f8a5477d394908a5d770227aea71657a76423d420227c67ea0699e659a5f62eb39d504c1f7d69ec525a6af5aaeb6a7bffcdba95614968c03d41d3851edecb0d6
+  languageName: node
+  linkType: hard
+
+"micromatch@npm:^3.0.4, micromatch@npm:^3.1.10, micromatch@npm:^3.1.4":
+  version: 3.1.10
+  resolution: "micromatch@npm:3.1.10"
+  dependencies:
+    arr-diff: ^4.0.0
+    array-unique: ^0.3.2
+    braces: ^2.3.1
+    define-property: ^2.0.2
+    extend-shallow: ^3.0.2
+    extglob: ^2.0.4
+    fragment-cache: ^0.2.1
+    kind-of: ^6.0.2
+    nanomatch: ^1.2.9
+    object.pick: ^1.3.0
+    regex-not: ^1.0.0
+    snapdragon: ^0.8.1
+    to-regex: ^3.0.2
+  checksum: ad226cba4daa95b4eaf47b2ca331c8d2e038d7b41ae7ed0697cde27f3f1d6142881ab03d4da51b65d9d315eceb5e4cdddb3fbb55f5f72cfa19cf3ea469d054dc
+  languageName: node
+  linkType: hard
+
+"micromatch@npm:^4.0.2, micromatch@npm:^4.0.4":
+  version: 4.0.4
+  resolution: "micromatch@npm:4.0.4"
+  dependencies:
+    braces: ^3.0.1
+    picomatch: ^2.2.3
+  checksum: ef3d1c88e79e0a68b0e94a03137676f3324ac18a908c245a9e5936f838079fcc108ac7170a5fadc265a9c2596963462e402841406bda1a4bb7b68805601d631c
+  languageName: node
+  linkType: hard
+
+"micromatch@npm:^4.0.5":
+  version: 4.0.5
+  resolution: "micromatch@npm:4.0.5"
+  dependencies:
+    braces: ^3.0.2
+    picomatch: ^2.3.1
+  checksum: 02a17b671c06e8fefeeb6ef996119c1e597c942e632a21ef589154f23898c9c6a9858526246abb14f8bca6e77734aa9dcf65476fca47cedfb80d9577d52843fc
+  languageName: node
+  linkType: hard
+
+"miller-rabin@npm:^4.0.0":
+  version: 4.0.1
+  resolution: "miller-rabin@npm:4.0.1"
+  dependencies:
+    bn.js: ^4.0.0
+    brorand: ^1.0.1
+  bin:
+    miller-rabin: bin/miller-rabin
+  checksum: 00cd1ab838ac49b03f236cc32a14d29d7d28637a53096bf5c6246a032a37749c9bd9ce7360cbf55b41b89b7d649824949ff12bc8eee29ac77c6b38eada619ece
+  languageName: node
+  linkType: hard
+
+"mime-db@npm:1.47.0, mime-db@npm:>= 1.43.0 < 2":
+  version: 1.47.0
+  resolution: "mime-db@npm:1.47.0"
+  checksum: 6808235243c39b3142e677af86972cf32de8ebbec81178491475a79aa07caf67646cd9b559972d22c3c372ddca4a093e58bb0ba10376d75a1efbd0e07be82de2
+  languageName: node
+  linkType: hard
+
+"mime-db@npm:1.51.0":
+  version: 1.51.0
+  resolution: "mime-db@npm:1.51.0"
+  checksum: 613b1ac9d6e725cc24444600b124a7f1ce6c60b1baa654f39a3e260d0995a6dffc5693190217e271af7e2a5612dae19f2a73f3e316707d797a7391165f7ef423
+  languageName: node
+  linkType: hard
+
+"mime-db@npm:1.52.0":
+  version: 1.52.0
+  resolution: "mime-db@npm:1.52.0"
+  checksum: 0d99a03585f8b39d68182803b12ac601d9c01abfa28ec56204fa330bc9f3d1c5e14beb049bafadb3dbdf646dfb94b87e24d4ec7b31b7279ef906a8ea9b6a513f
+  languageName: node
+  linkType: hard
+
+"mime-types@npm:^2.1.12, mime-types@npm:^2.1.18, mime-types@npm:^2.1.26, mime-types@npm:~2.1.19, mime-types@npm:~2.1.24":
+  version: 2.1.30
+  resolution: "mime-types@npm:2.1.30"
+  dependencies:
+    mime-db: 1.47.0
+  checksum: 53c36729b1c4f6029fd5957d5859e62eff4b86311a6e1dce87937583dc8971fec9f359ffcff4be93d26bb5ddd03f1b5ffc7626912031ce0a63510d7896521b2e
+  languageName: node
+  linkType: hard
+
+"mime-types@npm:^2.1.19":
+  version: 2.1.34
+  resolution: "mime-types@npm:2.1.34"
+  dependencies:
+    mime-db: 1.51.0
+  checksum: 67013de9e9d6799bde6d669d18785b7e18bcd212e710d3e04a4727f92f67a8ad4e74aee24be28b685adb794944814bde649119b58ee3282ffdbee58f9278d9f3
+  languageName: node
+  linkType: hard
+
+"mime-types@npm:^2.1.27, mime-types@npm:~2.1.34":
+  version: 2.1.35
+  resolution: "mime-types@npm:2.1.35"
+  dependencies:
+    mime-db: 1.52.0
+  checksum: 89a5b7f1def9f3af5dad6496c5ed50191ae4331cc5389d7c521c8ad28d5fdad2d06fd81baf38fed813dc4e46bb55c8145bb0ff406330818c9cf712fb2e9b3836
+  languageName: node
+  linkType: hard
+
+"mime@npm:1.6.0":
+  version: 1.6.0
+  resolution: "mime@npm:1.6.0"
+  bin:
+    mime: cli.js
+  checksum: fef25e39263e6d207580bdc629f8872a3f9772c923c7f8c7e793175cee22777bbe8bba95e5d509a40aaa292d8974514ce634ae35769faa45f22d17edda5e8557
+  languageName: node
+  linkType: hard
+
+"mimic-fn@npm:^1.0.0":
+  version: 1.2.0
+  resolution: "mimic-fn@npm:1.2.0"
+  checksum: 69c08205156a1f4906d9c46f9b4dc08d18a50176352e77fdeb645cedfe9f20c0b19865d465bd2dec27a5c432347f24dc07fc3695e11159d193f892834233e939
+  languageName: node
+  linkType: hard
+
+"mimic-fn@npm:^2.1.0":
+  version: 2.1.0
+  resolution: "mimic-fn@npm:2.1.0"
+  checksum: d2421a3444848ce7f84bd49115ddacff29c15745db73f54041edc906c14b131a38d05298dae3081667627a59b2eb1ca4b436ff2e1b80f69679522410418b478a
+  languageName: node
+  linkType: hard
+
+"min-indent@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "min-indent@npm:1.0.1"
+  checksum: bfc6dd03c5eaf623a4963ebd94d087f6f4bbbfd8c41329a7f09706b0cb66969c4ddd336abeb587bc44bc6f08e13bf90f0b374f9d71f9f01e04adc2cd6f083ef1
+  languageName: node
+  linkType: hard
+
+"mini-css-extract-plugin@npm:^2.5.2":
+  version: 2.6.0
+  resolution: "mini-css-extract-plugin@npm:2.6.0"
+  dependencies:
+    schema-utils: ^4.0.0
+  peerDependencies:
+    webpack: ^5.0.0
+  checksum: ea73bd66558de7a37db094fe68fa130e7a725ab15f880ff8467a75d9c4c2f1576d20720088ea22af9922a94b8600bbfef0c6acaf10d12a32a9bd20a90ba3c35f
+  languageName: node
+  linkType: hard
+
+"minimalistic-assert@npm:^1.0.0, minimalistic-assert@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "minimalistic-assert@npm:1.0.1"
+  checksum: cc7974a9268fbf130fb055aff76700d7e2d8be5f761fb5c60318d0ed010d839ab3661a533ad29a5d37653133385204c503bfac995aaa4236f4e847461ea32ba7
+  languageName: node
+  linkType: hard
+
+"minimalistic-crypto-utils@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "minimalistic-crypto-utils@npm:1.0.1"
+  checksum: 6e8a0422b30039406efd4c440829ea8f988845db02a3299f372fceba56ffa94994a9c0f2fd70c17f9969eedfbd72f34b5070ead9656a34d3f71c0bd72583a0ed
+  languageName: node
+  linkType: hard
+
+"minimatch@npm:^3.0.2":
+  version: 3.0.4
+  resolution: "minimatch@npm:3.0.4"
+  dependencies:
+    brace-expansion: ^1.1.7
+  checksum: 66ac295f8a7b59788000ea3749938b0970344c841750abd96694f80269b926ebcafad3deeb3f1da2522978b119e6ae3a5869b63b13a7859a456b3408bd18a078
+  languageName: node
+  linkType: hard
+
+"minimist-options@npm:4.1.0":
+  version: 4.1.0
+  resolution: "minimist-options@npm:4.1.0"
+  dependencies:
+    arrify: ^1.0.1
+    is-plain-obj: ^1.1.0
+    kind-of: ^6.0.3
+  checksum: 8c040b3068811e79de1140ca2b708d3e203c8003eb9a414c1ab3cd467fc5f17c9ca02a5aef23bedc51a7f8bfbe77f87e9a7e31ec81fba304cda675b019496f4e
+  languageName: node
+  linkType: hard
+
+"minimist@npm:^0.2.1":
+  version: 0.2.4
+  resolution: "minimist@npm:0.2.4"
+  checksum: 52ab5922f5fd4f2d17410619c5e8c2df79327e7d94a59a9d1e7c567c5ef991c5385f7adb5c090d213fe5701e1fa1b6bb3d89a319e3b1b656b5a17308c87e2513
+  languageName: node
+  linkType: hard
+
+"minimist@npm:^1.1.1, minimist@npm:^1.2.0, minimist@npm:^1.2.5, minimist@npm:^1.2.6":
+  version: 1.2.6
+  resolution: "minimist@npm:1.2.6"
+  checksum: d15428cd1e11eb14e1233bcfb88ae07ed7a147de251441d61158619dfb32c4d7e9061d09cab4825fdee18ecd6fce323228c8c47b5ba7cd20af378ca4048fb3fb
+  languageName: node
+  linkType: hard
+
+"minipass-collect@npm:^1.0.2":
+  version: 1.0.2
+  resolution: "minipass-collect@npm:1.0.2"
+  dependencies:
+    minipass: ^3.0.0
+  checksum: 14df761028f3e47293aee72888f2657695ec66bd7d09cae7ad558da30415fdc4752bbfee66287dcc6fd5e6a2fa3466d6c484dc1cbd986525d9393b9523d97f10
+  languageName: node
+  linkType: hard
+
+"minipass-fetch@npm:^2.0.3":
+  version: 2.1.2
+  resolution: "minipass-fetch@npm:2.1.2"
+  dependencies:
+    encoding: ^0.1.13
+    minipass: ^3.1.6
+    minipass-sized: ^1.0.3
+    minizlib: ^2.1.2
+  dependenciesMeta:
+    encoding:
+      optional: true
+  checksum: 3f216be79164e915fc91210cea1850e488793c740534985da017a4cbc7a5ff50506956d0f73bb0cb60e4fe91be08b6b61ef35101706d3ef5da2c8709b5f08f91
+  languageName: node
+  linkType: hard
+
+"minipass-flush@npm:^1.0.5":
+  version: 1.0.5
+  resolution: "minipass-flush@npm:1.0.5"
+  dependencies:
+    minipass: ^3.0.0
+  checksum: 56269a0b22bad756a08a94b1ffc36b7c9c5de0735a4dd1ab2b06c066d795cfd1f0ac44a0fcae13eece5589b908ecddc867f04c745c7009be0b566421ea0944cf
+  languageName: node
+  linkType: hard
+
+"minipass-pipeline@npm:^1.2.4":
+  version: 1.2.4
+  resolution: "minipass-pipeline@npm:1.2.4"
+  dependencies:
+    minipass: ^3.0.0
+  checksum: b14240dac0d29823c3d5911c286069e36d0b81173d7bdf07a7e4a91ecdef92cdff4baaf31ea3746f1c61e0957f652e641223970870e2353593f382112257971b
+  languageName: node
+  linkType: hard
+
+"minipass-sized@npm:^1.0.3":
+  version: 1.0.3
+  resolution: "minipass-sized@npm:1.0.3"
+  dependencies:
+    minipass: ^3.0.0
+  checksum: 79076749fcacf21b5d16dd596d32c3b6bf4d6e62abb43868fac21674078505c8b15eaca4e47ed844985a4514854f917d78f588fcd029693709417d8f98b2bd60
+  languageName: node
+  linkType: hard
+
+"minipass@npm:^2.2.0":
+  version: 2.9.0
+  resolution: "minipass@npm:2.9.0"
+  dependencies:
+    safe-buffer: ^5.1.2
+    yallist: ^3.0.0
+  checksum: 077b66f31ba44fd5a0d27d12a9e6a86bff8f97a4978dedb0373167156b5599fadb6920fdde0d9f803374164d810e05e8462ce28e86abbf7f0bea293a93711fc6
+  languageName: node
+  linkType: hard
+
+"minipass@npm:^3.0.0, minipass@npm:^3.1.1, minipass@npm:^3.1.6":
+  version: 3.3.6
+  resolution: "minipass@npm:3.3.6"
+  dependencies:
+    yallist: ^4.0.0
+  checksum: a30d083c8054cee83cdcdc97f97e4641a3f58ae743970457b1489ce38ee1167b3aaf7d815cd39ec7a99b9c40397fd4f686e83750e73e652b21cb516f6d845e48
+  languageName: node
+  linkType: hard
+
+"minipass@npm:^4.0.0":
+  version: 4.2.8
+  resolution: "minipass@npm:4.2.8"
+  checksum: 7f4914d5295a9a30807cae5227a37a926e6d910c03f315930fde52332cf0575dfbc20295318f91f0baf0e6bb11a6f668e30cde8027dea7a11b9d159867a3c830
+  languageName: node
+  linkType: hard
+
+"minizlib@npm:^2.1.1, minizlib@npm:^2.1.2":
+  version: 2.1.2
+  resolution: "minizlib@npm:2.1.2"
+  dependencies:
+    minipass: ^3.0.0
+    yallist: ^4.0.0
+  checksum: f1fdeac0b07cf8f30fcf12f4b586795b97be856edea22b5e9072707be51fc95d41487faec3f265b42973a304fe3a64acd91a44a3826a963e37b37bafde0212c3
+  languageName: node
+  linkType: hard
+
+"miragejs@npm:^0.1.43":
+  version: 0.1.43
+  resolution: "miragejs@npm:0.1.43"
+  dependencies:
+    "@miragejs/pretender-node-polyfill": ^0.1.0
+    inflected: ^2.0.4
+    lodash.assign: ^4.2.0
+    lodash.camelcase: ^4.3.0
+    lodash.clonedeep: ^4.5.0
+    lodash.compact: ^3.0.1
+    lodash.find: ^4.6.0
+    lodash.flatten: ^4.4.0
+    lodash.forin: ^4.4.0
+    lodash.get: ^4.4.2
+    lodash.has: ^4.5.2
+    lodash.invokemap: ^4.6.0
+    lodash.isempty: ^4.4.0
+    lodash.isequal: ^4.5.0
+    lodash.isfunction: ^3.0.9
+    lodash.isinteger: ^4.0.4
+    lodash.isplainobject: ^4.0.6
+    lodash.lowerfirst: ^4.3.1
+    lodash.map: ^4.6.0
+    lodash.mapvalues: ^4.6.0
+    lodash.pick: ^4.4.0
+    lodash.snakecase: ^4.1.1
+    lodash.uniq: ^4.5.0
+    lodash.uniqby: ^4.7.0
+    lodash.values: ^4.3.0
+    pretender: ^3.4.7
+  checksum: 11da61a83fc816748f635b4a4792a56a82dc6a0b7f5049c5337864948697b76eec421f3ca459fbbd35d8bb8e373e59bff9a773d20ae700977088a1f29857360d
+  languageName: node
+  linkType: hard
+
+"mississippi@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "mississippi@npm:3.0.0"
+  dependencies:
+    concat-stream: ^1.5.0
+    duplexify: ^3.4.2
+    end-of-stream: ^1.1.0
+    flush-write-stream: ^1.0.0
+    from2: ^2.1.0
+    parallel-transform: ^1.1.0
+    pump: ^3.0.0
+    pumpify: ^1.3.3
+    stream-each: ^1.1.0
+    through2: ^2.0.0
+  checksum: 84b3d9889621d293f9a596bafe60df863b330c88fc19215ced8f603c605fc7e1bf06f8e036edf301bd630a03fd5d9d7d23d5d6b9a4802c30ca864d800f0bd9f8
+  languageName: node
+  linkType: hard
+
+"mixin-deep@npm:^1.2.0":
+  version: 1.3.2
+  resolution: "mixin-deep@npm:1.3.2"
+  dependencies:
+    for-in: ^1.0.2
+    is-extendable: ^1.0.1
+  checksum: 820d5a51fcb7479f2926b97f2c3bb223546bc915e6b3a3eb5d906dda871bba569863595424a76682f2b15718252954644f3891437cb7e3f220949bed54b1750d
+  languageName: node
+  linkType: hard
+
+"mkdirp@npm:^0.3.5":
+  version: 0.3.5
+  resolution: "mkdirp@npm:0.3.5"
+  checksum: 5b7db0f7db199b87f5b0e563b919ad214d1a2c55c3896db332ef1e66c2192b2077112a4733b2c6ff99c833a6f85ba5686f05a768c411fe461b667a17421d37a8
+  languageName: node
+  linkType: hard
+
+"mkdirp@npm:^0.5.0, mkdirp@npm:^0.5.1, mkdirp@npm:^0.5.3, mkdirp@npm:^0.5.5, mkdirp@npm:~0.5.1":
+  version: 0.5.5
+  resolution: "mkdirp@npm:0.5.5"
+  dependencies:
+    minimist: ^1.2.5
+  bin:
+    mkdirp: bin/cmd.js
+  checksum: 3bce20ea525f9477befe458ab85284b0b66c8dc3812f94155af07c827175948cdd8114852ac6c6d82009b13c1048c37f6d98743eb019651ee25c39acc8aabe7d
+  languageName: node
+  linkType: hard
+
+"mkdirp@npm:^0.5.6":
+  version: 0.5.6
+  resolution: "mkdirp@npm:0.5.6"
+  dependencies:
+    minimist: ^1.2.6
+  bin:
+    mkdirp: bin/cmd.js
+  checksum: 0c91b721bb12c3f9af4b77ebf73604baf350e64d80df91754dc509491ae93bf238581e59c7188360cec7cb62fc4100959245a42cfe01834efedc5e9d068376c2
+  languageName: node
+  linkType: hard
+
+"mkdirp@npm:^1.0.3, mkdirp@npm:^1.0.4":
+  version: 1.0.4
+  resolution: "mkdirp@npm:1.0.4"
+  bin:
+    mkdirp: bin/cmd.js
+  checksum: a96865108c6c3b1b8e1d5e9f11843de1e077e57737602de1b82030815f311be11f96f09cce59bd5b903d0b29834733e5313f9301e3ed6d6f6fba2eae0df4298f
+  languageName: node
+  linkType: hard
+
+"mktemp@npm:~0.4.0":
+  version: 0.4.0
+  resolution: "mktemp@npm:0.4.0"
+  checksum: f67d8b1ed599807a4ec154efc6a50d61b28f4183fa740c4fe3bd75ce8442d84a3b8fca382fb3cb4e20bb883cb14478a7fe549c4eab6135cd213163ca5083f0fe
+  languageName: node
+  linkType: hard
+
+"moo@npm:^0.5.1":
+  version: 0.5.2
+  resolution: "moo@npm:0.5.2"
+  checksum: 5a41ddf1059fd0feb674d917c4774e41c877f1ca980253be4d3aae1a37f4bc513f88815041243f36f5cf67a62fb39324f3f997cf7fb17b6cb00767c165e7c499
+  languageName: node
+  linkType: hard
+
+"morgan@npm:^1.10.0":
+  version: 1.10.0
+  resolution: "morgan@npm:1.10.0"
+  dependencies:
+    basic-auth: ~2.0.1
+    debug: 2.6.9
+    depd: ~2.0.0
+    on-finished: ~2.3.0
+    on-headers: ~1.0.2
+  checksum: fb41e226ab5a1abf7e8909e486b387076534716d60207e361acfb5df78b84d703a7b7ea58f3046a9fd0b83d3c94bfabde32323341a1f1b26ce50680abd2ea5dd
+  languageName: node
+  linkType: hard
+
+"mout@npm:^1.0.0":
+  version: 1.2.2
+  resolution: "mout@npm:1.2.2"
+  checksum: e6c4249e9a5e603af8b4ae7172572e266f7cbd2edbf27824e2e06dd288adc66e67170f4a061ecc388429046aa93a7e3946e35139fd0767f76dd10d075fbca74f
+  languageName: node
+  linkType: hard
+
+"move-concurrently@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "move-concurrently@npm:1.0.1"
+  dependencies:
+    aproba: ^1.1.1
+    copy-concurrently: ^1.0.0
+    fs-write-stream-atomic: ^1.0.8
+    mkdirp: ^0.5.1
+    rimraf: ^2.5.4
+    run-queue: ^1.0.3
+  checksum: 4ea3296c150b09e798177847f673eb5783f8ca417ba806668d2c631739f653e1a735f19fb9b6e2f5e25ee2e4c0a6224732237a8e4f84c764e99d7462d258209e
+  languageName: node
+  linkType: hard
+
+"mr-dep-walk@npm:^1.4.0":
+  version: 1.4.0
+  resolution: "mr-dep-walk@npm:1.4.0"
+  dependencies:
+    acorn: ^5.1.1
+    amd-name-resolver: ^0.0.6
+    fs-extra: ^3.0.1
+  checksum: f8146a1a7280ef1b2792efb842846e504303944a3ff82e7fecaefc04aa124834f0e4a596fbad6077de4272c1d6836a4d8d39bf3d46530ae7a7d70fa0baf50f2a
+  languageName: node
+  linkType: hard
+
+"ms@npm:2.0.0":
+  version: 2.0.0
+  resolution: "ms@npm:2.0.0"
+  checksum: 0e6a22b8b746d2e0b65a430519934fefd41b6db0682e3477c10f60c76e947c4c0ad06f63ffdf1d78d335f83edee8c0aa928aa66a36c7cd95b69b26f468d527f4
+  languageName: node
+  linkType: hard
+
+"ms@npm:2.1.1":
+  version: 2.1.1
+  resolution: "ms@npm:2.1.1"
+  checksum: 0078a23cd916a9a7435c413caa14c57d4b4f6e2470e0ab554b6964163c8a4436448ac7ae020e883685475da6b6796cc396b670f579cb275db288a21e3e57721e
+  languageName: node
+  linkType: hard
+
+"ms@npm:2.1.2":
+  version: 2.1.2
+  resolution: "ms@npm:2.1.2"
+  checksum: 673cdb2c3133eb050c745908d8ce632ed2c02d85640e2edb3ace856a2266a813b30c613569bf3354fdf4ea7d1a1494add3bfa95e2713baa27d0c2c71fc44f58f
+  languageName: node
+  linkType: hard
+
+"ms@npm:2.1.3, ms@npm:^2.0.0, ms@npm:^2.1.1":
+  version: 2.1.3
+  resolution: "ms@npm:2.1.3"
+  checksum: aa92de608021b242401676e35cfa5aa42dd70cbdc082b916da7fb925c542173e36bce97ea3e804923fe92c0ad991434e4a38327e15a1b5b5f945d66df615ae6d
+  languageName: node
+  linkType: hard
+
+"mustache@npm:^4.2.0":
+  version: 4.2.0
+  resolution: "mustache@npm:4.2.0"
+  bin:
+    mustache: bin/mustache
+  checksum: 928fcb63e3aa44a562bfe9b59ba202cccbe40a46da50be6f0dd831b495be1dd7e38ca4657f0ecab2c1a89dc7bccba0885eab7ee7c1b215830da765758c7e0506
+  languageName: node
+  linkType: hard
+
+"mute-stream@npm:0.0.7":
+  version: 0.0.7
+  resolution: "mute-stream@npm:0.0.7"
+  checksum: a9d4772c1c84206aa37c218ed4751cd060239bf1d678893124f51e037f6f22f4a159b2918c030236c93252638a74beb29c9b1fd3267c9f24d4b3253cf1eaa86f
+  languageName: node
+  linkType: hard
+
+"mute-stream@npm:0.0.8":
+  version: 0.0.8
+  resolution: "mute-stream@npm:0.0.8"
+  checksum: ff48d251fc3f827e5b1206cda0ffdaec885e56057ee86a3155e1951bc940fd5f33531774b1cc8414d7668c10a8907f863f6561875ee6e8768931a62121a531a1
+  languageName: node
+  linkType: hard
+
+"nan@npm:^2.12.1":
+  version: 2.14.2
+  resolution: "nan@npm:2.14.2"
+  dependencies:
+    node-gyp: latest
+  checksum: 7a269139b66a7d37470effb7fb36a8de8cc3b5ffba6e40bb8e0545307911fe5ebf94797ec62f655ecde79c237d169899f8bd28256c66a32cbc8284faaf94c3f4
+  languageName: node
+  linkType: hard
+
+"nanoid@npm:^3.3.4":
+  version: 3.3.4
+  resolution: "nanoid@npm:3.3.4"
+  bin:
+    nanoid: bin/nanoid.cjs
+  checksum: 2fddd6dee994b7676f008d3ffa4ab16035a754f4bb586c61df5a22cf8c8c94017aadd360368f47d653829e0569a92b129979152ff97af23a558331e47e37cd9c
+  languageName: node
+  linkType: hard
+
+"nanoid@npm:^3.3.6":
+  version: 3.3.6
+  resolution: "nanoid@npm:3.3.6"
+  bin:
+    nanoid: bin/nanoid.cjs
+  checksum: 7d0eda657002738aa5206107bd0580aead6c95c460ef1bdd0b1a87a9c7ae6277ac2e9b945306aaa5b32c6dcb7feaf462d0f552e7f8b5718abfc6ead5c94a71b3
+  languageName: node
+  linkType: hard
+
+"nanomatch@npm:^1.2.9":
+  version: 1.2.13
+  resolution: "nanomatch@npm:1.2.13"
+  dependencies:
+    arr-diff: ^4.0.0
+    array-unique: ^0.3.2
+    define-property: ^2.0.2
+    extend-shallow: ^3.0.2
+    fragment-cache: ^0.2.1
+    is-windows: ^1.0.2
+    kind-of: ^6.0.2
+    object.pick: ^1.3.0
+    regex-not: ^1.0.0
+    snapdragon: ^0.8.1
+    to-regex: ^3.0.1
+  checksum: 54d4166d6ef08db41252eb4e96d4109ebcb8029f0374f9db873bd91a1f896c32ec780d2a2ea65c0b2d7caf1f28d5e1ea33746a470f32146ac8bba821d80d38d8
+  languageName: node
+  linkType: hard
+
+"natural-compare-lite@npm:^1.4.0":
+  version: 1.4.0
+  resolution: "natural-compare-lite@npm:1.4.0"
+  checksum: 5222ac3986a2b78dd6069ac62cbb52a7bf8ffc90d972ab76dfe7b01892485d229530ed20d0c62e79a6b363a663b273db3bde195a1358ce9e5f779d4453887225
+  languageName: node
+  linkType: hard
+
+"natural-compare@npm:^1.4.0":
+  version: 1.4.0
+  resolution: "natural-compare@npm:1.4.0"
+  checksum: 23ad088b08f898fc9b53011d7bb78ec48e79de7627e01ab5518e806033861bef68d5b0cd0e2205c2f36690ac9571ff6bcb05eb777ced2eeda8d4ac5b44592c3d
+  languageName: node
+  linkType: hard
+
+"negotiator@npm:0.6.2":
+  version: 0.6.2
+  resolution: "negotiator@npm:0.6.2"
+  checksum: dfddaff6c06792f1c4c3809e29a427b8daef8cd437c83b08dd51d7ee11bbd1c29d9512d66b801144d6c98e910ffd8723f2432e0cbf8b18d41d2a09599c975ab3
+  languageName: node
+  linkType: hard
+
+"negotiator@npm:0.6.3, negotiator@npm:^0.6.3":
+  version: 0.6.3
+  resolution: "negotiator@npm:0.6.3"
+  checksum: b8ffeb1e262eff7968fc90a2b6767b04cfd9842582a9d0ece0af7049537266e7b2506dfb1d107a32f06dd849ab2aea834d5830f7f4d0e5cb7d36e1ae55d021d9
+  languageName: node
+  linkType: hard
+
+"neo-async@npm:^2.5.0, neo-async@npm:^2.6.0, neo-async@npm:^2.6.1, neo-async@npm:^2.6.2":
+  version: 2.6.2
+  resolution: "neo-async@npm:2.6.2"
+  checksum: deac9f8d00eda7b2e5cd1b2549e26e10a0faa70adaa6fdadca701cc55f49ee9018e427f424bac0c790b7c7e2d3068db97f3093f1093975f2acb8f8818b936ed9
+  languageName: node
+  linkType: hard
+
+"nice-try@npm:^1.0.4":
+  version: 1.0.5
+  resolution: "nice-try@npm:1.0.5"
+  checksum: 0b4af3b5bb5d86c289f7a026303d192a7eb4417231fe47245c460baeabae7277bcd8fd9c728fb6bd62c30b3e15cd6620373e2cf33353b095d8b403d3e8a15aff
+  languageName: node
+  linkType: hard
+
+"nise@npm:^1.5.2":
+  version: 1.5.3
+  resolution: "nise@npm:1.5.3"
+  dependencies:
+    "@sinonjs/formatio": ^3.2.1
+    "@sinonjs/text-encoding": ^0.7.1
+    just-extend: ^4.0.2
+    lolex: ^5.0.1
+    path-to-regexp: ^1.7.0
+  checksum: ec3af21345dcaf34650a6f5420a11e0fd21a836ac5960f5e8523c301ee98465abf88b958f7b3084ecc6e0a7133e5cf7963f4df176b90b423c4da4984f1ebd75e
+  languageName: node
+  linkType: hard
+
+"no-case@npm:^3.0.4":
+  version: 3.0.4
+  resolution: "no-case@npm:3.0.4"
+  dependencies:
+    lower-case: ^2.0.2
+    tslib: ^2.0.3
+  checksum: 0b2ebc113dfcf737d48dde49cfebf3ad2d82a8c3188e7100c6f375e30eafbef9e9124aadc3becef237b042fd5eb0aad2fd78669c20972d045bbe7fea8ba0be5c
+  languageName: node
+  linkType: hard
+
+"node-fetch@npm:^2.6.1":
+  version: 2.6.1
+  resolution: "node-fetch@npm:2.6.1"
+  checksum: 91075bedd57879117e310fbcc36983ad5d699e522edb1ebcdc4ee5294c982843982652925c3532729fdc86b2d64a8a827797a745f332040d91823c8752ee4d7c
+  languageName: node
+  linkType: hard
+
+"node-gyp@npm:latest":
+  version: 9.3.1
+  resolution: "node-gyp@npm:9.3.1"
+  dependencies:
+    env-paths: ^2.2.0
+    glob: ^7.1.4
+    graceful-fs: ^4.2.6
+    make-fetch-happen: ^10.0.3
+    nopt: ^6.0.0
+    npmlog: ^6.0.0
+    rimraf: ^3.0.2
+    semver: ^7.3.5
+    tar: ^6.1.2
+    which: ^2.0.2
+  bin:
+    node-gyp: bin/node-gyp.js
+  checksum: b860e9976fa645ca0789c69e25387401b4396b93c8375489b5151a6c55cf2640a3b6183c212b38625ef7c508994930b72198338e3d09b9d7ade5acc4aaf51ea7
+  languageName: node
+  linkType: hard
+
+"node-int64@npm:^0.4.0":
+  version: 0.4.0
+  resolution: "node-int64@npm:0.4.0"
+  checksum: d0b30b1ee6d961851c60d5eaa745d30b5c95d94bc0e74b81e5292f7c42a49e3af87f1eb9e89f59456f80645d679202537de751b7d72e9e40ceea40c5e449057e
+  languageName: node
+  linkType: hard
+
+"node-libs-browser@npm:^2.2.1":
+  version: 2.2.1
+  resolution: "node-libs-browser@npm:2.2.1"
+  dependencies:
+    assert: ^1.1.1
+    browserify-zlib: ^0.2.0
+    buffer: ^4.3.0
+    console-browserify: ^1.1.0
+    constants-browserify: ^1.0.0
+    crypto-browserify: ^3.11.0
+    domain-browser: ^1.1.1
+    events: ^3.0.0
+    https-browserify: ^1.0.0
+    os-browserify: ^0.3.0
+    path-browserify: 0.0.1
+    process: ^0.11.10
+    punycode: ^1.2.4
+    querystring-es3: ^0.2.0
+    readable-stream: ^2.3.3
+    stream-browserify: ^2.0.1
+    stream-http: ^2.7.2
+    string_decoder: ^1.0.0
+    timers-browserify: ^2.0.4
+    tty-browserify: 0.0.0
+    url: ^0.11.0
+    util: ^0.11.0
+    vm-browserify: ^1.0.1
+  checksum: 41fa7927378edc0cb98a8cc784d3f4a47e43378d3b42ec57a23f81125baa7287c4b54d6d26d062072226160a3ce4d8b7a62e873d2fb637aceaddf71f5a26eca0
+  languageName: node
+  linkType: hard
+
+"node-modules-path@npm:^1.0.0, node-modules-path@npm:^1.0.1":
+  version: 1.0.2
+  resolution: "node-modules-path@npm:1.0.2"
+  checksum: 1cee65591a65a71e420b72d011e313bd938ffced368c6b6ca2bfd5a741cea9af5200417afb49272bbdac1cee1350c0f56e0a80b611d6694de914959c1ddfc9f3
+  languageName: node
+  linkType: hard
+
+"node-notifier@npm:^8.0.1":
+  version: 8.0.2
+  resolution: "node-notifier@npm:8.0.2"
+  dependencies:
+    growly: ^1.3.0
+    is-wsl: ^2.2.0
+    semver: ^7.3.2
+    shellwords: ^0.1.1
+    uuid: ^8.3.0
+    which: ^2.0.2
+  checksum: 7db1683003f6aaa4324959dfa663cd56e301ccc0165977a9e7737989ffe3b4763297f9fc85f44d0662b63a4fd85516eda43411b492a4d2fae207afb23773f912
+  languageName: node
+  linkType: hard
+
+"node-releases@npm:^1.1.71, node-releases@npm:^1.1.77":
+  version: 1.1.77
+  resolution: "node-releases@npm:1.1.77"
+  checksum: eb2fcb45310e7d77f82bfdadeca546a698d258e011f15d88ad9a452a5e838a672ec532906581096ca19c66284a788330c3b09227ffc540e67228730f41b9c2e2
+  languageName: node
+  linkType: hard
+
+"node-releases@npm:^2.0.1":
+  version: 2.0.1
+  resolution: "node-releases@npm:2.0.1"
+  checksum: b20dd8d4bced11f75060f0387e05e76b9dc4a0451f7bb3516eade6f50499ea7768ba95d8a60d520c193402df1e58cb3fe301510cc1c1ad68949c3d57b5149866
+  languageName: node
+  linkType: hard
+
+"node-releases@npm:^2.0.12":
+  version: 2.0.13
+  resolution: "node-releases@npm:2.0.13"
+  checksum: 17ec8f315dba62710cae71a8dad3cd0288ba943d2ece43504b3b1aa8625bf138637798ab470b1d9035b0545996f63000a8a926e0f6d35d0996424f8b6d36dda3
+  languageName: node
+  linkType: hard
+
+"node-releases@npm:^2.0.14":
+  version: 2.0.14
+  resolution: "node-releases@npm:2.0.14"
+  checksum: 59443a2f77acac854c42d321bf1b43dea0aef55cd544c6a686e9816a697300458d4e82239e2d794ea05f7bbbc8a94500332e2d3ac3f11f52e4b16cbe638b3c41
+  languageName: node
+  linkType: hard
+
+"node-releases@npm:^2.0.2":
+  version: 2.0.2
+  resolution: "node-releases@npm:2.0.2"
+  checksum: da858bf86b4d512842379749f5a5e4196ddab05ba18ffcf29f05bf460beceaca927f070f4430bb5046efec18941ddbc85e4c5fdbb83afc28a38dd6069a2f255e
+  languageName: node
+  linkType: hard
+
+"node-releases@npm:^2.0.5":
+  version: 2.0.5
+  resolution: "node-releases@npm:2.0.5"
+  checksum: e85d949addd19f8827f32569d2be5751e7812ccf6cc47879d49f79b5234ff4982225e39a3929315f96370823b070640fb04d79fc0ddec8b515a969a03493a42f
+  languageName: node
+  linkType: hard
+
+"node-watch@npm:0.7.3":
+  version: 0.7.3
+  resolution: "node-watch@npm:0.7.3"
+  checksum: c745482f720613415153b9065383b77d21f2ef60ceabf64f779c1452b1dcbb8d08c71f650b93f3c1d84524371321f92a15fda468745872cacffec8289741d51a
+  languageName: node
+  linkType: hard
+
+"nomnom@npm:^1.5.x":
+  version: 1.8.1
+  resolution: "nomnom@npm:1.8.1"
+  dependencies:
+    chalk: ~0.4.0
+    underscore: ~1.6.0
+  checksum: cc6f538062741e8914b65352499c444a754d18a95f8c4b336b9183367c44335f00a9d3beb54648f6a76d5434702a3d71bf37c23ef4c960d39595ed72d376c6fd
+  languageName: node
+  linkType: hard
+
+"nopt@npm:^3.0.6":
+  version: 3.0.6
+  resolution: "nopt@npm:3.0.6"
+  dependencies:
+    abbrev: 1
+  bin:
+    nopt: ./bin/nopt.js
+  checksum: 7f8579029a0d7cb3341c6b1610b31e363f708b7aaaaf3580e3ec5ae8528d1f3a79d350d8bfa331776e6c6703a5a148b72edd9b9b4c1dd55874d8e70e963d1e20
+  languageName: node
+  linkType: hard
+
+"nopt@npm:^6.0.0":
+  version: 6.0.0
+  resolution: "nopt@npm:6.0.0"
+  dependencies:
+    abbrev: ^1.0.0
+  bin:
+    nopt: bin/nopt.js
+  checksum: 82149371f8be0c4b9ec2f863cc6509a7fd0fa729929c009f3a58e4eb0c9e4cae9920e8f1f8eb46e7d032fec8fb01bede7f0f41a67eb3553b7b8e14fa53de1dac
+  languageName: node
+  linkType: hard
+
+"normalize-package-data@npm:^2.3.2":
+  version: 2.5.0
+  resolution: "normalize-package-data@npm:2.5.0"
+  dependencies:
+    hosted-git-info: ^2.1.4
+    resolve: ^1.10.0
+    semver: 2 || 3 || 4 || 5
+    validate-npm-package-license: ^3.0.1
+  checksum: 7999112efc35a6259bc22db460540cae06564aa65d0271e3bdfa86876d08b0e578b7b5b0028ee61b23f1cae9fc0e7847e4edc0948d3068a39a2a82853efc8499
+  languageName: node
+  linkType: hard
+
+"normalize-package-data@npm:^3.0.2":
+  version: 3.0.3
+  resolution: "normalize-package-data@npm:3.0.3"
+  dependencies:
+    hosted-git-info: ^4.0.1
+    is-core-module: ^2.5.0
+    semver: ^7.3.4
+    validate-npm-package-license: ^3.0.1
+  checksum: bbcee00339e7c26fdbc760f9b66d429258e2ceca41a5df41f5df06cc7652de8d82e8679ff188ca095cad8eff2b6118d7d866af2b68400f74602fbcbce39c160a
+  languageName: node
+  linkType: hard
+
+"normalize-path@npm:^2.1.1":
+  version: 2.1.1
+  resolution: "normalize-path@npm:2.1.1"
+  dependencies:
+    remove-trailing-separator: ^1.0.1
+  checksum: 7e9cbdcf7f5b8da7aa191fbfe33daf290cdcd8c038f422faf1b8a83c972bf7a6d94c5be34c4326cb00fb63bc0fd97d9fbcfaf2e5d6142332c2cd36d2e1b86cea
+  languageName: node
+  linkType: hard
+
+"normalize-path@npm:^3.0.0, normalize-path@npm:~3.0.0":
+  version: 3.0.0
+  resolution: "normalize-path@npm:3.0.0"
+  checksum: 88eeb4da891e10b1318c4b2476b6e2ecbeb5ff97d946815ffea7794c31a89017c70d7f34b3c2ebf23ef4e9fc9fb99f7dffe36da22011b5b5c6ffa34f4873ec20
+  languageName: node
+  linkType: hard
+
+"normalize-range@npm:^0.1.2":
+  version: 0.1.2
+  resolution: "normalize-range@npm:0.1.2"
+  checksum: 9b2f14f093593f367a7a0834267c24f3cb3e887a2d9809c77d8a7e5fd08738bcd15af46f0ab01cc3a3d660386f015816b5c922cea8bf2ee79777f40874063184
+  languageName: node
+  linkType: hard
+
+"normalize.css@npm:4.1.1":
+  version: 4.1.1
+  resolution: "normalize.css@npm:4.1.1"
+  checksum: 48500b12c63141286b637a0ed771d23e95872469eb9726171aea4fa90c9e9fe97870ee52c81dc42ef391733423bf0887dc0fdadae0e5f6020b6eb04e60ffcd68
+  languageName: node
+  linkType: hard
+
+"npm-git-info@npm:^1.0.3":
+  version: 1.0.3
+  resolution: "npm-git-info@npm:1.0.3"
+  checksum: 1f2218004e109db649580f023ae2b6eb690efae0e47ec26216a01751325b45788430428b12478d91583e18bd8f4bc933d02a1f42984b8d4977f1c35ddef1bad2
+  languageName: node
+  linkType: hard
+
+"npm-package-arg@npm:^10.1.0":
+  version: 10.1.0
+  resolution: "npm-package-arg@npm:10.1.0"
+  dependencies:
+    hosted-git-info: ^6.0.0
+    proc-log: ^3.0.0
+    semver: ^7.3.5
+    validate-npm-package-name: ^5.0.0
+  checksum: 8fe4b6a742502345e4836ed42fdf26c544c9f75563c476c67044a481ada6e81f71b55462489c7e1899d516e4347150e58028036a90fa11d47e320bcc9365fd30
+  languageName: node
+  linkType: hard
+
+"npm-run-all@npm:^4.1.5":
+  version: 4.1.5
+  resolution: "npm-run-all@npm:4.1.5"
+  dependencies:
+    ansi-styles: ^3.2.1
+    chalk: ^2.4.1
+    cross-spawn: ^6.0.5
+    memorystream: ^0.3.1
+    minimatch: ^3.0.4
+    pidtree: ^0.3.0
+    read-pkg: ^3.0.0
+    shell-quote: ^1.6.1
+    string.prototype.padend: ^3.0.0
+  bin:
+    npm-run-all: bin/npm-run-all/index.js
+    run-p: bin/run-p/index.js
+    run-s: bin/run-s/index.js
+  checksum: 373b72c6a36564da13c1642c1fd9bb4dcc756bce7a3648f883772f02661095319820834ff813762d2fee403e9b40c1cd27c8685807c107440f10eb19c006d4a0
+  languageName: node
+  linkType: hard
+
+"npm-run-path@npm:^2.0.0":
+  version: 2.0.2
+  resolution: "npm-run-path@npm:2.0.2"
+  dependencies:
+    path-key: ^2.0.0
+  checksum: acd5ad81648ba4588ba5a8effb1d98d2b339d31be16826a118d50f182a134ac523172101b82eab1d01cb4c2ba358e857d54cfafd8163a1ffe7bd52100b741125
+  languageName: node
+  linkType: hard
+
+"npm-run-path@npm:^3.0.0":
+  version: 3.1.0
+  resolution: "npm-run-path@npm:3.1.0"
+  dependencies:
+    path-key: ^3.0.0
+  checksum: 141e0b8f0e3b137347a2896572c9a84701754dda0670d3ceb8c56a87702ee03c26227e4517ab93f2904acfc836547315e740b8289bb24ca0cd8ba2b198043b0f
+  languageName: node
+  linkType: hard
+
+"npm-run-path@npm:^4.0.0, npm-run-path@npm:^4.0.1":
+  version: 4.0.1
+  resolution: "npm-run-path@npm:4.0.1"
+  dependencies:
+    path-key: ^3.0.0
+  checksum: 5374c0cea4b0bbfdfae62da7bbdf1e1558d338335f4cacf2515c282ff358ff27b2ecb91ffa5330a8b14390ac66a1e146e10700440c1ab868208430f56b5f4d23
+  languageName: node
+  linkType: hard
+
+"npmlog@npm:^6.0.0":
+  version: 6.0.2
+  resolution: "npmlog@npm:6.0.2"
+  dependencies:
+    are-we-there-yet: ^3.0.0
+    console-control-strings: ^1.1.0
+    gauge: ^4.0.3
+    set-blocking: ^2.0.0
+  checksum: ae238cd264a1c3f22091cdd9e2b106f684297d3c184f1146984ecbe18aaa86343953f26b9520dedd1b1372bc0316905b736c1932d778dbeb1fcf5a1001390e2a
+  languageName: node
+  linkType: hard
+
+"nth-check@npm:^1.0.2":
+  version: 1.0.2
+  resolution: "nth-check@npm:1.0.2"
+  dependencies:
+    boolbase: ~1.0.0
+  checksum: 59e115fdd75b971d0030f42ada3aac23898d4c03aa13371fa8b3339d23461d1badf3fde5aad251fb956aaa75c0a3b9bfcd07c08a34a83b4f9dadfdce1d19337c
+  languageName: node
+  linkType: hard
+
+"nth-check@npm:^2.0.1":
+  version: 2.1.1
+  resolution: "nth-check@npm:2.1.1"
+  dependencies:
+    boolbase: ^1.0.0
+  checksum: 5afc3dafcd1573b08877ca8e6148c52abd565f1d06b1eb08caf982e3fa289a82f2cae697ffb55b5021e146d60443f1590a5d6b944844e944714a5b549675bcd3
+  languageName: node
+  linkType: hard
+
+"num2fraction@npm:^1.2.2":
+  version: 1.2.2
+  resolution: "num2fraction@npm:1.2.2"
+  checksum: 1da9c6797b505d3f5b17c7f694c4fa31565bdd5c0e5d669553253aed848a580804cd285280e8a73148bd9628839267daee4967f24b53d4e893e44b563e412635
+  languageName: node
+  linkType: hard
+
+"nwsapi@npm:^2.2.0":
+  version: 2.2.0
+  resolution: "nwsapi@npm:2.2.0"
+  checksum: 5ef4a9bc0c1a5b7f2e014aa6a4b359a257503b796618ed1ef0eb852098f77e772305bb0e92856e4bbfa3e6c75da48c0113505c76f144555ff38867229c2400a7
+  languageName: node
+  linkType: hard
+
+"oauth-sign@npm:~0.9.0":
+  version: 0.9.0
+  resolution: "oauth-sign@npm:0.9.0"
+  checksum: 8f5497a127967866a3c67094c21efd295e46013a94e6e828573c62220e9af568cc1d2d04b16865ba583e430510fa168baf821ea78f355146d8ed7e350fc44c64
+  languageName: node
+  linkType: hard
+
+"object-assign@npm:4.1.1, object-assign@npm:^4, object-assign@npm:^4.1.0, object-assign@npm:^4.1.1":
+  version: 4.1.1
+  resolution: "object-assign@npm:4.1.1"
+  checksum: fcc6e4ea8c7fe48abfbb552578b1c53e0d194086e2e6bbbf59e0a536381a292f39943c6e9628af05b5528aa5e3318bb30d6b2e53cadaf5b8fe9e12c4b69af23f
+  languageName: node
+  linkType: hard
+
+"object-assign@npm:^2.0.0":
+  version: 2.1.1
+  resolution: "object-assign@npm:2.1.1"
+  checksum: d37a7d7173408e07ee225116437592d92b584b2a5f38cafe608400b43efd9b78878dbd545b524aff5b4118d88e39466b9038b2d3de8885e212adad497d656c46
+  languageName: node
+  linkType: hard
+
+"object-copy@npm:^0.1.0":
+  version: 0.1.0
+  resolution: "object-copy@npm:0.1.0"
+  dependencies:
+    copy-descriptor: ^0.1.0
+    define-property: ^0.2.5
+    kind-of: ^3.0.3
+  checksum: a9e35f07e3a2c882a7e979090360d1a20ab51d1fa19dfdac3aa8873b328a7c4c7683946ee97c824ae40079d848d6740a3788fa14f2185155dab7ed970a72c783
+  languageName: node
+  linkType: hard
+
+"object-hash@npm:^1.3.1":
+  version: 1.3.1
+  resolution: "object-hash@npm:1.3.1"
+  checksum: fdcb957a2f15a9060e30655a9f683ba1fc25dfb8809a73d32e9634bec385a2f1d686c707ac1e5f69fb773bc12df03fb64c77ce3faeed83e35f4eb1946cb1989e
+  languageName: node
+  linkType: hard
+
+"object-inspect@npm:^1.11.0, object-inspect@npm:^1.9.0":
+  version: 1.11.0
+  resolution: "object-inspect@npm:1.11.0"
+  checksum: 8c64f89ce3a7b96b6925879ad5f6af71d498abc217e136660efecd97452991216f375a7eb47cb1cb50643df939bf0c7cc391567b7abc6a924d04679705e58e27
+  languageName: node
+  linkType: hard
+
+"object-inspect@npm:^1.12.3":
+  version: 1.12.3
+  resolution: "object-inspect@npm:1.12.3"
+  checksum: dabfd824d97a5f407e6d5d24810d888859f6be394d8b733a77442b277e0808860555176719c5905e765e3743a7cada6b8b0a3b85e5331c530fd418cc8ae991db
+  languageName: node
+  linkType: hard
+
+"object-is@npm:^1.1.5":
+  version: 1.1.5
+  resolution: "object-is@npm:1.1.5"
+  dependencies:
+    call-bind: ^1.0.2
+    define-properties: ^1.1.3
+  checksum: 989b18c4cba258a6b74dc1d74a41805c1a1425bce29f6cabb50dcb1a6a651ea9104a1b07046739a49a5bb1bc49727bcb00efd5c55f932f6ea04ec8927a7901fe
+  languageName: node
+  linkType: hard
+
+"object-keys@npm:^1.0.12, object-keys@npm:^1.1.1":
+  version: 1.1.1
+  resolution: "object-keys@npm:1.1.1"
+  checksum: b363c5e7644b1e1b04aa507e88dcb8e3a2f52b6ffd0ea801e4c7a62d5aa559affe21c55a07fd4b1fd55fc03a33c610d73426664b20032405d7b92a1414c34d6a
+  languageName: node
+  linkType: hard
+
+"object-visit@npm:^1.0.0":
+  version: 1.0.1
+  resolution: "object-visit@npm:1.0.1"
+  dependencies:
+    isobject: ^3.0.0
+  checksum: b0ee07f5bf3bb881b881ff53b467ebbde2b37ebb38649d6944a6cd7681b32eedd99da9bd1e01c55facf81f54ed06b13af61aba6ad87f0052982995e09333f790
+  languageName: node
+  linkType: hard
+
+"object.assign@npm:^4.1.0, object.assign@npm:^4.1.2":
+  version: 4.1.2
+  resolution: "object.assign@npm:4.1.2"
+  dependencies:
+    call-bind: ^1.0.0
+    define-properties: ^1.1.3
+    has-symbols: ^1.0.1
+    object-keys: ^1.1.1
+  checksum: d621d832ed7b16ac74027adb87196804a500d80d9aca536fccb7ba48d33a7e9306a75f94c1d29cbfa324bc091bfc530bc24789568efdaee6a47fcfa298993814
+  languageName: node
+  linkType: hard
+
+"object.assign@npm:^4.1.4":
+  version: 4.1.4
+  resolution: "object.assign@npm:4.1.4"
+  dependencies:
+    call-bind: ^1.0.2
+    define-properties: ^1.1.4
+    has-symbols: ^1.0.3
+    object-keys: ^1.1.1
+  checksum: 76cab513a5999acbfe0ff355f15a6a125e71805fcf53de4e9d4e082e1989bdb81d1e329291e1e4e0ae7719f0e4ef80e88fb2d367ae60500d79d25a6224ac8864
+  languageName: node
+  linkType: hard
+
+"object.getownpropertydescriptors@npm:^2.1.0":
+  version: 2.1.2
+  resolution: "object.getownpropertydescriptors@npm:2.1.2"
+  dependencies:
+    call-bind: ^1.0.2
+    define-properties: ^1.1.3
+    es-abstract: ^1.18.0-next.2
+  checksum: 6c1c0162a2bea912f092dbf48699998d6f4b788a9884ee99ba41ddf25c3f0924ec56c6a55738c4ae3bd91d1203813a9a8e18e6fff1f477e2626cdbcd1a5f3ca8
+  languageName: node
+  linkType: hard
+
+"object.pick@npm:^1.3.0":
+  version: 1.3.0
+  resolution: "object.pick@npm:1.3.0"
+  dependencies:
+    isobject: ^3.0.1
+  checksum: 77fb6eed57c67adf75e9901187e37af39f052ef601cb4480386436561357eb9e459e820762f01fd02c5c1b42ece839ad393717a6d1850d848ee11fbabb3e580a
+  languageName: node
+  linkType: hard
+
+"object.values@npm:^1.1.0":
+  version: 1.1.3
+  resolution: "object.values@npm:1.1.3"
+  dependencies:
+    call-bind: ^1.0.2
+    define-properties: ^1.1.3
+    es-abstract: ^1.18.0-next.2
+    has: ^1.0.3
+  checksum: 8b29bd0936a32c2c5dfeb39389f65c7c3f32253a2ad3e4605726cac6bda8f642b4f8ab1ef58279851b86b7ae7322b3cf9a464c346498a7deb8f0c3a0554015f0
+  languageName: node
+  linkType: hard
+
+"on-finished@npm:2.4.1":
+  version: 2.4.1
+  resolution: "on-finished@npm:2.4.1"
+  dependencies:
+    ee-first: 1.1.1
+  checksum: d20929a25e7f0bb62f937a425b5edeb4e4cde0540d77ba146ec9357f00b0d497cdb3b9b05b9c8e46222407d1548d08166bff69cc56dfa55ba0e4469228920ff0
+  languageName: node
+  linkType: hard
+
+"on-finished@npm:~2.3.0":
+  version: 2.3.0
+  resolution: "on-finished@npm:2.3.0"
+  dependencies:
+    ee-first: 1.1.1
+  checksum: 1db595bd963b0124d6fa261d18320422407b8f01dc65863840f3ddaaf7bcad5b28ff6847286703ca53f4ec19595bd67a2f1253db79fc4094911ec6aa8df1671b
+  languageName: node
+  linkType: hard
+
+"on-headers@npm:~1.0.2":
+  version: 1.0.2
+  resolution: "on-headers@npm:1.0.2"
+  checksum: 2bf13467215d1e540a62a75021e8b318a6cfc5d4fc53af8e8f84ad98dbcea02d506c6d24180cd62e1d769c44721ba542f3154effc1f7579a8288c9f7873ed8e5
+  languageName: node
+  linkType: hard
+
+"once@npm:^1.3.0, once@npm:^1.3.1, once@npm:^1.4.0":
+  version: 1.4.0
+  resolution: "once@npm:1.4.0"
+  dependencies:
+    wrappy: 1
+  checksum: cd0a88501333edd640d95f0d2700fbde6bff20b3d4d9bdc521bdd31af0656b5706570d6c6afe532045a20bb8dc0849f8332d6f2a416e0ba6d3d3b98806c7db68
+  languageName: node
+  linkType: hard
+
+"onetime@npm:^2.0.0":
+  version: 2.0.1
+  resolution: "onetime@npm:2.0.1"
+  dependencies:
+    mimic-fn: ^1.0.0
+  checksum: bb44015ac7a525d0fb43b029a583d4ad359834632b4424ca209b438aacf6d669dda81b5edfbdb42c22636e607b276ba5589f46694a729e3bc27948ce26f4cc1a
+  languageName: node
+  linkType: hard
+
+"onetime@npm:^5.1.0, onetime@npm:^5.1.2":
+  version: 5.1.2
+  resolution: "onetime@npm:5.1.2"
+  dependencies:
+    mimic-fn: ^2.1.0
+  checksum: 2478859ef817fc5d4e9c2f9e5728512ddd1dbc9fb7829ad263765bb6d3b91ce699d6e2332eef6b7dff183c2f490bd3349f1666427eaba4469fba0ac38dfd0d34
+  languageName: node
+  linkType: hard
+
+"optionator@npm:^0.8.1":
+  version: 0.8.3
+  resolution: "optionator@npm:0.8.3"
+  dependencies:
+    deep-is: ~0.1.3
+    fast-levenshtein: ~2.0.6
+    levn: ~0.3.0
+    prelude-ls: ~1.1.2
+    type-check: ~0.3.2
+    word-wrap: ~1.2.3
+  checksum: b8695ddf3d593203e25ab0900e265d860038486c943ff8b774f596a310f8ceebdb30c6832407a8198ba3ec9debe1abe1f51d4aad94843612db3b76d690c61d34
+  languageName: node
+  linkType: hard
+
+"optionator@npm:^0.9.1":
+  version: 0.9.1
+  resolution: "optionator@npm:0.9.1"
+  dependencies:
+    deep-is: ^0.1.3
+    fast-levenshtein: ^2.0.6
+    levn: ^0.4.1
+    prelude-ls: ^1.2.1
+    type-check: ^0.4.0
+    word-wrap: ^1.2.3
+  checksum: dbc6fa065604b24ea57d734261914e697bd73b69eff7f18e967e8912aa2a40a19a9f599a507fa805be6c13c24c4eae8c71306c239d517d42d4c041c942f508a0
+  languageName: node
+  linkType: hard
+
+"optionator@npm:^0.9.3":
+  version: 0.9.3
+  resolution: "optionator@npm:0.9.3"
+  dependencies:
+    "@aashutoshrathi/word-wrap": ^1.2.3
+    deep-is: ^0.1.3
+    fast-levenshtein: ^2.0.6
+    levn: ^0.4.1
+    prelude-ls: ^1.2.1
+    type-check: ^0.4.0
+  checksum: 09281999441f2fe9c33a5eeab76700795365a061563d66b098923eb719251a42bdbe432790d35064d0816ead9296dbeb1ad51a733edf4167c96bd5d0882e428a
+  languageName: node
+  linkType: hard
+
+"ora@npm:^3.4.0":
+  version: 3.4.0
+  resolution: "ora@npm:3.4.0"
+  dependencies:
+    chalk: ^2.4.2
+    cli-cursor: ^2.1.0
+    cli-spinners: ^2.0.0
+    log-symbols: ^2.2.0
+    strip-ansi: ^5.2.0
+    wcwidth: ^1.0.1
+  checksum: f1f8e7f290b766276dcd19ddf2159a1971b1ec37eec4a5556b8f5e4afbe513a965ed65c183d38956724263b6a20989b3d8fb71b95ac4a2d6a01db2f1ed8899e4
+  languageName: node
+  linkType: hard
+
+"ora@npm:^5.4.0, ora@npm:^5.4.1":
+  version: 5.4.1
+  resolution: "ora@npm:5.4.1"
+  dependencies:
+    bl: ^4.1.0
+    chalk: ^4.1.0
+    cli-cursor: ^3.1.0
+    cli-spinners: ^2.5.0
+    is-interactive: ^1.0.0
+    is-unicode-supported: ^0.1.0
+    log-symbols: ^4.1.0
+    strip-ansi: ^6.0.0
+    wcwidth: ^1.0.1
+  checksum: 28d476ee6c1049d68368c0dc922e7225e3b5600c3ede88fade8052837f9ed342625fdaa84a6209302587c8ddd9b664f71f0759833cbdb3a4cf81344057e63c63
+  languageName: node
+  linkType: hard
+
+"os-browserify@npm:^0.3.0":
+  version: 0.3.0
+  resolution: "os-browserify@npm:0.3.0"
+  checksum: 16e37ba3c0e6a4c63443c7b55799ce4066d59104143cb637ecb9fce586d5da319cdca786ba1c867abbe3890d2cbf37953f2d51eea85e20dd6c4570d6c54bfebf
+  languageName: node
+  linkType: hard
+
+"os-homedir@npm:^1.0.0":
+  version: 1.0.2
+  resolution: "os-homedir@npm:1.0.2"
+  checksum: af609f5a7ab72de2f6ca9be6d6b91a599777afc122ac5cad47e126c1f67c176fe9b52516b9eeca1ff6ca0ab8587fe66208bc85e40a3940125f03cdb91408e9d2
+  languageName: node
+  linkType: hard
+
+"os-locale@npm:^5.0.0":
+  version: 5.0.0
+  resolution: "os-locale@npm:5.0.0"
+  dependencies:
+    execa: ^4.0.0
+    lcid: ^3.0.0
+    mem: ^5.0.0
+  checksum: 294bbb412f87a93bdbf271905cb05223a0365957ebc941af6e68e1df9f380cd69fcba62c623a0f31e913e48d009863cb9b9749deae81501d5d3b2e2d0e33b712
+  languageName: node
+  linkType: hard
+
+"os-tmpdir@npm:^1.0.0, os-tmpdir@npm:^1.0.1, os-tmpdir@npm:~1.0.1, os-tmpdir@npm:~1.0.2":
+  version: 1.0.2
+  resolution: "os-tmpdir@npm:1.0.2"
+  checksum: 5666560f7b9f10182548bf7013883265be33620b1c1b4a4d405c25be2636f970c5488ff3e6c48de75b55d02bde037249fe5dbfbb4c0fb7714953d56aed062e6d
+  languageName: node
+  linkType: hard
+
+"osenv@npm:^0.1.3":
+  version: 0.1.5
+  resolution: "osenv@npm:0.1.5"
+  dependencies:
+    os-homedir: ^1.0.0
+    os-tmpdir: ^1.0.0
+  checksum: 779d261920f2a13e5e18cf02446484f12747d3f2ff82280912f52b213162d43d312647a40c332373cbccd5e3fb8126915d3bfea8dde4827f70f82da76e52d359
+  languageName: node
+  linkType: hard
+
+"p-defer@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "p-defer@npm:1.0.0"
+  checksum: 4271b935c27987e7b6f229e5de4cdd335d808465604644cb7b4c4c95bef266735859a93b16415af8a41fd663ee9e3b97a1a2023ca9def613dba1bad2a0da0c7b
+  languageName: node
+  linkType: hard
+
+"p-defer@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "p-defer@npm:3.0.0"
+  checksum: ac3b0976a1c76b67cca1a34e00f7299b0cc230891f820749686aa84f8947326bbe0f8e3b7d9ca511578ee06f0c1a6e0ff68c8e9c325eac455f09d99f91697161
+  languageName: node
+  linkType: hard
+
+"p-finally@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "p-finally@npm:1.0.0"
+  checksum: 93a654c53dc805dd5b5891bab16eb0ea46db8f66c4bfd99336ae929323b1af2b70a8b0654f8f1eae924b2b73d037031366d645f1fd18b3d30cbd15950cc4b1d4
+  languageName: node
+  linkType: hard
+
+"p-finally@npm:^2.0.0":
+  version: 2.0.1
+  resolution: "p-finally@npm:2.0.1"
+  checksum: 6306a2851c3b28f8b603624f395ae84dce76970498fed8aa6aae2d930595053746edf1e4ee0c4b78a97410d84aa4504d63179f5310d555511ecd226f53ed1e8e
+  languageName: node
+  linkType: hard
+
+"p-is-promise@npm:^2.1.0":
+  version: 2.1.0
+  resolution: "p-is-promise@npm:2.1.0"
+  checksum: c9a8248c8b5e306475a5d55ce7808dbce4d4da2e3d69526e4991a391a7809bfd6cfdadd9bf04f1c96a3db366c93d9a0f5ee81d949e7b1684c4e0f61f747199ef
+  languageName: node
+  linkType: hard
+
+"p-limit@npm:^1.1.0":
+  version: 1.3.0
+  resolution: "p-limit@npm:1.3.0"
+  dependencies:
+    p-try: ^1.0.0
+  checksum: 281c1c0b8c82e1ac9f81acd72a2e35d402bf572e09721ce5520164e9de07d8274451378a3470707179ad13240535558f4b277f02405ad752e08c7d5b0d54fbfd
+  languageName: node
+  linkType: hard
+
+"p-limit@npm:^2.0.0, p-limit@npm:^2.2.0":
+  version: 2.3.0
+  resolution: "p-limit@npm:2.3.0"
+  dependencies:
+    p-try: ^2.0.0
+  checksum: 84ff17f1a38126c3314e91ecfe56aecbf36430940e2873dadaa773ffe072dc23b7af8e46d4b6485d302a11673fe94c6b67ca2cfbb60c989848b02100d0594ac1
+  languageName: node
+  linkType: hard
+
+"p-limit@npm:^3.0.2":
+  version: 3.1.0
+  resolution: "p-limit@npm:3.1.0"
+  dependencies:
+    yocto-queue: ^0.1.0
+  checksum: 7c3690c4dbf62ef625671e20b7bdf1cbc9534e83352a2780f165b0d3ceba21907e77ad63401708145ca4e25bfc51636588d89a8c0aeb715e6c37d1c066430360
+  languageName: node
+  linkType: hard
+
+"p-limit@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "p-limit@npm:4.0.0"
+  dependencies:
+    yocto-queue: ^1.0.0
+  checksum: 01d9d70695187788f984226e16c903475ec6a947ee7b21948d6f597bed788e3112cc7ec2e171c1d37125057a5f45f3da21d8653e04a3a793589e12e9e80e756b
+  languageName: node
+  linkType: hard
+
+"p-locate@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "p-locate@npm:2.0.0"
+  dependencies:
+    p-limit: ^1.1.0
+  checksum: e2dceb9b49b96d5513d90f715780f6f4972f46987dc32a0e18bc6c3fc74a1a5d73ec5f81b1398af5e58b99ea1ad03fd41e9181c01fa81b4af2833958696e3081
+  languageName: node
+  linkType: hard
+
+"p-locate@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "p-locate@npm:3.0.0"
+  dependencies:
+    p-limit: ^2.0.0
+  checksum: 83991734a9854a05fe9dbb29f707ea8a0599391f52daac32b86f08e21415e857ffa60f0e120bfe7ce0cc4faf9274a50239c7895fc0d0579d08411e513b83a4ae
+  languageName: node
+  linkType: hard
+
+"p-locate@npm:^4.1.0":
+  version: 4.1.0
+  resolution: "p-locate@npm:4.1.0"
+  dependencies:
+    p-limit: ^2.2.0
+  checksum: 513bd14a455f5da4ebfcb819ef706c54adb09097703de6aeaa5d26fe5ea16df92b48d1ac45e01e3944ce1e6aa2a66f7f8894742b8c9d6e276e16cd2049a2b870
+  languageName: node
+  linkType: hard
+
+"p-locate@npm:^5.0.0":
+  version: 5.0.0
+  resolution: "p-locate@npm:5.0.0"
+  dependencies:
+    p-limit: ^3.0.2
+  checksum: 1623088f36cf1cbca58e9b61c4e62bf0c60a07af5ae1ca99a720837356b5b6c5ba3eb1b2127e47a06865fee59dd0453cad7cc844cda9d5a62ac1a5a51b7c86d3
+  languageName: node
+  linkType: hard
+
+"p-locate@npm:^6.0.0":
+  version: 6.0.0
+  resolution: "p-locate@npm:6.0.0"
+  dependencies:
+    p-limit: ^4.0.0
+  checksum: 2bfe5234efa5e7a4e74b30a5479a193fdd9236f8f6b4d2f3f69e3d286d9a7d7ab0c118a2a50142efcf4e41625def635bd9332d6cbf9cc65d85eb0718c579ab38
+  languageName: node
+  linkType: hard
+
+"p-map@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "p-map@npm:4.0.0"
+  dependencies:
+    aggregate-error: ^3.0.0
+  checksum: cb0ab21ec0f32ddffd31dfc250e3afa61e103ef43d957cc45497afe37513634589316de4eb88abdfd969fe6410c22c0b93ab24328833b8eb1ccc087fc0442a1c
+  languageName: node
+  linkType: hard
+
+"p-try@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "p-try@npm:1.0.0"
+  checksum: 3b5303f77eb7722144154288bfd96f799f8ff3e2b2b39330efe38db5dd359e4fb27012464cd85cb0a76e9b7edd1b443568cb3192c22e7cffc34989df0bafd605
+  languageName: node
+  linkType: hard
+
+"p-try@npm:^2.0.0":
+  version: 2.2.0
+  resolution: "p-try@npm:2.2.0"
+  checksum: f8a8e9a7693659383f06aec604ad5ead237c7a261c18048a6e1b5b85a5f8a067e469aa24f5bc009b991ea3b058a87f5065ef4176793a200d4917349881216cae
+  languageName: node
+  linkType: hard
+
+"pako@npm:~1.0.5":
+  version: 1.0.11
+  resolution: "pako@npm:1.0.11"
+  checksum: 1be2bfa1f807608c7538afa15d6f25baa523c30ec870a3228a89579e474a4d992f4293859524e46d5d87fd30fa17c5edf34dbef0671251d9749820b488660b16
+  languageName: node
+  linkType: hard
+
+"parallel-transform@npm:^1.1.0":
+  version: 1.2.0
+  resolution: "parallel-transform@npm:1.2.0"
+  dependencies:
+    cyclist: ^1.0.1
+    inherits: ^2.0.3
+    readable-stream: ^2.1.5
+  checksum: ab6ddc1a662cefcfb3d8d546a111763d3b223f484f2e9194e33aefd8f6760c319d0821fd22a00a3adfbd45929b50d2c84cc121389732f013c2ae01c226269c27
+  languageName: node
+  linkType: hard
+
+"parent-module@npm:^1.0.0":
+  version: 1.0.1
+  resolution: "parent-module@npm:1.0.1"
+  dependencies:
+    callsites: ^3.0.0
+  checksum: 6ba8b255145cae9470cf5551eb74be2d22281587af787a2626683a6c20fbb464978784661478dd2a3f1dad74d1e802d403e1b03c1a31fab310259eec8ac560ff
+  languageName: node
+  linkType: hard
+
+"parse-asn1@npm:^5.0.0, parse-asn1@npm:^5.1.5":
+  version: 5.1.6
+  resolution: "parse-asn1@npm:5.1.6"
+  dependencies:
+    asn1.js: ^5.2.0
+    browserify-aes: ^1.0.0
+    evp_bytestokey: ^1.0.0
+    pbkdf2: ^3.0.3
+    safe-buffer: ^5.1.1
+  checksum: 9243311d1f88089bc9f2158972aa38d1abd5452f7b7cabf84954ed766048fe574d434d82c6f5a39b988683e96fb84cd933071dda38927e03469dc8c8d14463c7
+  languageName: node
+  linkType: hard
+
+"parse-entities@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "parse-entities@npm:2.0.0"
+  dependencies:
+    character-entities: ^1.0.0
+    character-entities-legacy: ^1.0.0
+    character-reference-invalid: ^1.0.0
+    is-alphanumerical: ^1.0.0
+    is-decimal: ^1.0.0
+    is-hexadecimal: ^1.0.0
+  checksum: 7addfd3e7d747521afac33c8121a5f23043c6973809756920d37e806639b4898385d386fcf4b3c8e2ecf1bc28aac5ae97df0b112d5042034efbe80f44081ebce
+  languageName: node
+  linkType: hard
+
+"parse-json@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "parse-json@npm:4.0.0"
+  dependencies:
+    error-ex: ^1.3.1
+    json-parse-better-errors: ^1.0.1
+  checksum: 0fe227d410a61090c247e34fa210552b834613c006c2c64d9a05cfe9e89cf8b4246d1246b1a99524b53b313e9ac024438d0680f67e33eaed7e6f38db64cfe7b5
+  languageName: node
+  linkType: hard
+
+"parse-json@npm:^5.0.0, parse-json@npm:^5.2.0":
+  version: 5.2.0
+  resolution: "parse-json@npm:5.2.0"
+  dependencies:
+    "@babel/code-frame": ^7.0.0
+    error-ex: ^1.3.1
+    json-parse-even-better-errors: ^2.3.0
+    lines-and-columns: ^1.1.6
+  checksum: 62085b17d64da57f40f6afc2ac1f4d95def18c4323577e1eced571db75d9ab59b297d1d10582920f84b15985cbfc6b6d450ccbf317644cfa176f3ed982ad87e2
+  languageName: node
+  linkType: hard
+
+"parse-ms@npm:^1.0.0":
+  version: 1.0.1
+  resolution: "parse-ms@npm:1.0.1"
+  checksum: 93fa7921554fe16bc73272a94bf812d1db6a144964fb57692f6de4fccf14bd771a232e8dcdcd4bbaa4aa477796cd3f35374d65596cca12323f2664bc023b4b4c
+  languageName: node
+  linkType: hard
+
+"parse-passwd@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "parse-passwd@npm:1.0.0"
+  checksum: 4e55e0231d58f828a41d0f1da2bf2ff7bcef8f4cb6146e69d16ce499190de58b06199e6bd9b17fbf0d4d8aef9052099cdf8c4f13a6294b1a522e8e958073066e
+  languageName: node
+  linkType: hard
+
+"parse-static-imports@npm:^1.1.0":
+  version: 1.1.0
+  resolution: "parse-static-imports@npm:1.1.0"
+  checksum: 8af1fc58ae27837715735aa471cc0559bf4cfdab59d4c4ae5c41e218fd841aaa702d18fef62659ff03ed1b42ae936db94d8d2bc0ad07430d19ca9727f721d55c
+  languageName: node
+  linkType: hard
+
+"parse5-htmlparser2-tree-adapter@npm:^7.0.0":
+  version: 7.0.0
+  resolution: "parse5-htmlparser2-tree-adapter@npm:7.0.0"
+  dependencies:
+    domhandler: ^5.0.2
+    parse5: ^7.0.0
+  checksum: fc5d01e07733142a1baf81de5c2a9c41426c04b7ab29dd218acb80cd34a63177c90aff4a4aee66cf9f1d0aeecff1389adb7452ad6f8af0a5888e3e9ad6ef733d
+  languageName: node
+  linkType: hard
+
+"parse5@npm:6.0.1, parse5@npm:^6.0.1":
+  version: 6.0.1
+  resolution: "parse5@npm:6.0.1"
+  checksum: 7d569a176c5460897f7c8f3377eff640d54132b9be51ae8a8fa4979af940830b2b0c296ce75e5bd8f4041520aadde13170dbdec44889975f906098ea0002f4bd
+  languageName: node
+  linkType: hard
+
+"parse5@npm:^7.0.0":
+  version: 7.1.1
+  resolution: "parse5@npm:7.1.1"
+  dependencies:
+    entities: ^4.4.0
+  checksum: 8f72fbfa6df83a3f29f58e1818f7bd46b47ff3e26d79c74e10b8fc7ef7ee76163f205113f1b2f6a5b8dc4e31e726f490444f04890cead6e974dbcbe8172b1321
+  languageName: node
+  linkType: hard
+
+"parseurl@npm:~1.3.3":
+  version: 1.3.3
+  resolution: "parseurl@npm:1.3.3"
+  checksum: 407cee8e0a3a4c5cd472559bca8b6a45b82c124e9a4703302326e9ab60fc1081442ada4e02628efef1eb16197ddc7f8822f5a91fd7d7c86b51f530aedb17dfa2
+  languageName: node
+  linkType: hard
+
+"pascalcase@npm:^0.1.1":
+  version: 0.1.1
+  resolution: "pascalcase@npm:0.1.1"
+  checksum: f83681c3c8ff75fa473a2bb2b113289952f802ff895d435edd717e7cb898b0408cbdb247117a938edcbc5d141020909846cc2b92c47213d764e2a94d2ad2b925
+  languageName: node
+  linkType: hard
+
+"path-browserify@npm:0.0.1":
+  version: 0.0.1
+  resolution: "path-browserify@npm:0.0.1"
+  checksum: ae8dcd45d0d3cfbaf595af4f206bf3ed82d77f72b4877ae7e77328079e1468c84f9386754bb417d994d5a19bf47882fd253565c18441cd5c5c90ae5187599e35
+  languageName: node
+  linkType: hard
+
+"path-dirname@npm:^1.0.0":
+  version: 1.0.2
+  resolution: "path-dirname@npm:1.0.2"
+  checksum: 0d2f6604ae05a252a0025318685f290e2764ecf9c5436f203cdacfc8c0b17c24cdedaa449d766beb94ab88cc7fc70a09ec21e7933f31abc2b719180883e5e33f
+  languageName: node
+  linkType: hard
+
+"path-exists@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "path-exists@npm:3.0.0"
+  checksum: 96e92643aa34b4b28d0de1cd2eba52a1c5313a90c6542d03f62750d82480e20bfa62bc865d5cfc6165f5fcd5aeb0851043c40a39be5989646f223300021bae0a
+  languageName: node
+  linkType: hard
+
+"path-exists@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "path-exists@npm:4.0.0"
+  checksum: 505807199dfb7c50737b057dd8d351b82c033029ab94cb10a657609e00c1bc53b951cfdbccab8de04c5584d5eff31128ce6afd3db79281874a5ef2adbba55ed1
+  languageName: node
+  linkType: hard
+
+"path-exists@npm:^5.0.0":
+  version: 5.0.0
+  resolution: "path-exists@npm:5.0.0"
+  checksum: 8ca842868cab09423994596eb2c5ec2a971c17d1a3cb36dbf060592c730c725cd524b9067d7d2a1e031fef9ba7bd2ac6dc5ec9fb92aa693265f7be3987045254
+  languageName: node
+  linkType: hard
+
+"path-is-absolute@npm:1.0.1, path-is-absolute@npm:^1.0.0, path-is-absolute@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "path-is-absolute@npm:1.0.1"
+  checksum: 060840f92cf8effa293bcc1bea81281bd7d363731d214cbe5c227df207c34cd727430f70c6037b5159c8a870b9157cba65e775446b0ab06fd5ecc7e54615a3b8
+  languageName: node
+  linkType: hard
+
+"path-key@npm:^2.0.0, path-key@npm:^2.0.1":
+  version: 2.0.1
+  resolution: "path-key@npm:2.0.1"
+  checksum: f7ab0ad42fe3fb8c7f11d0c4f849871e28fbd8e1add65c370e422512fc5887097b9cf34d09c1747d45c942a8c1e26468d6356e2df3f740bf177ab8ca7301ebfd
+  languageName: node
+  linkType: hard
+
+"path-key@npm:^3.0.0, path-key@npm:^3.1.0":
+  version: 3.1.1
+  resolution: "path-key@npm:3.1.1"
+  checksum: 55cd7a9dd4b343412a8386a743f9c746ef196e57c823d90ca3ab917f90ab9f13dd0ded27252ba49dbdfcab2b091d998bc446f6220cd3cea65db407502a740020
+  languageName: node
+  linkType: hard
+
+"path-parse@npm:^1.0.6, path-parse@npm:^1.0.7":
+  version: 1.0.7
+  resolution: "path-parse@npm:1.0.7"
+  checksum: 49abf3d81115642938a8700ec580da6e830dde670be21893c62f4e10bd7dd4c3742ddc603fe24f898cba7eb0c6bc1777f8d9ac14185d34540c6d4d80cd9cae8a
+  languageName: node
+  linkType: hard
+
+"path-posix@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "path-posix@npm:1.0.0"
+  checksum: 4f64ad212de6ad8d0dbfa440cac8b924303c25c30301769ad0501e29e83a5b9d469e8133753f999ad37482c9c8d3511129e4d83db55d2e4b1555b183c9749ae8
+  languageName: node
+  linkType: hard
+
+"path-root-regex@npm:^0.1.0":
+  version: 0.1.2
+  resolution: "path-root-regex@npm:0.1.2"
+  checksum: dcd75d1f8e93faabe35a58e875b0f636839b3658ff2ad8c289463c40bc1a844debe0dab73c3398ef9dc8f6ec6c319720aff390cf4633763ddcf3cf4b1bbf7e8b
+  languageName: node
+  linkType: hard
+
+"path-root@npm:^0.1.1":
+  version: 0.1.1
+  resolution: "path-root@npm:0.1.1"
+  dependencies:
+    path-root-regex: ^0.1.0
+  checksum: ff88aebfc1c59ace510cc06703d67692a11530989920427625e52b66a303ca9b3d4059b0b7d0b2a73248d1ad29bcb342b8b786ec00592f3101d38a45fd3b2e08
+  languageName: node
+  linkType: hard
+
+"path-to-regexp@npm:0.1.7":
+  version: 0.1.7
+  resolution: "path-to-regexp@npm:0.1.7"
+  checksum: 69a14ea24db543e8b0f4353305c5eac6907917031340e5a8b37df688e52accd09e3cebfe1660b70d76b6bd89152f52183f28c74813dbf454ba1a01c82a38abce
+  languageName: node
+  linkType: hard
+
+"path-to-regexp@npm:^1.7.0":
+  version: 1.8.0
+  resolution: "path-to-regexp@npm:1.8.0"
+  dependencies:
+    isarray: 0.0.1
+  checksum: 709f6f083c0552514ef4780cb2e7e4cf49b0cc89a97439f2b7cc69a608982b7690fb5d1720a7473a59806508fc2dae0be751ba49f495ecf89fd8fbc62abccbcd
+  languageName: node
+  linkType: hard
+
+"path-type@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "path-type@npm:3.0.0"
+  dependencies:
+    pify: ^3.0.0
+  checksum: 735b35e256bad181f38fa021033b1c33cfbe62ead42bb2222b56c210e42938eecb272ae1949f3b6db4ac39597a61b44edd8384623ec4d79bfdc9a9c0f12537a6
+  languageName: node
+  linkType: hard
+
+"path-type@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "path-type@npm:4.0.0"
+  checksum: 5b1e2daa247062061325b8fdbfd1fb56dde0a448fb1455453276ea18c60685bdad23a445dc148cf87bc216be1573357509b7d4060494a6fd768c7efad833ee45
+  languageName: node
+  linkType: hard
+
+"pbkdf2@npm:^3.0.3":
+  version: 3.1.2
+  resolution: "pbkdf2@npm:3.1.2"
+  dependencies:
+    create-hash: ^1.1.2
+    create-hmac: ^1.1.4
+    ripemd160: ^2.0.1
+    safe-buffer: ^5.0.1
+    sha.js: ^2.4.8
+  checksum: 2c950a100b1da72123449208e231afc188d980177d021d7121e96a2de7f2abbc96ead2b87d03d8fe5c318face097f203270d7e27908af9f471c165a4e8e69c92
+  languageName: node
+  linkType: hard
+
+"performance-now@npm:^2.1.0":
+  version: 2.1.0
+  resolution: "performance-now@npm:2.1.0"
+  checksum: 534e641aa8f7cba160f0afec0599b6cecefbb516a2e837b512be0adbe6c1da5550e89c78059c7fabc5c9ffdf6627edabe23eb7c518c4500067a898fa65c2b550
+  languageName: node
+  linkType: hard
+
+"picocolors@npm:^0.2.1":
+  version: 0.2.1
+  resolution: "picocolors@npm:0.2.1"
+  checksum: 3b0f441f0062def0c0f39e87b898ae7461c3a16ffc9f974f320b44c799418cabff17780ee647fda42b856a1dc45897e2c62047e1b546d94d6d5c6962f45427b2
+  languageName: node
+  linkType: hard
+
+"picocolors@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "picocolors@npm:1.0.0"
+  checksum: a2e8092dd86c8396bdba9f2b5481032848525b3dc295ce9b57896f931e63fc16f79805144321f72976383fc249584672a75cc18d6777c6b757603f372f745981
+  languageName: node
+  linkType: hard
+
+"picomatch@npm:^2.0.4, picomatch@npm:^2.2.1, picomatch@npm:^2.2.3":
+  version: 2.2.3
+  resolution: "picomatch@npm:2.2.3"
+  checksum: 45e2b882b5265d3a322c6b7b854c1fdc33d5083011b9730296e9ad26332824ac356529f1ce1b0c1111f08a84c02e8525ea121d17c4bbe2970ca6665e587921fa
+  languageName: node
+  linkType: hard
+
+"picomatch@npm:^2.3.1":
+  version: 2.3.1
+  resolution: "picomatch@npm:2.3.1"
+  checksum: 050c865ce81119c4822c45d3c84f1ced46f93a0126febae20737bd05ca20589c564d6e9226977df859ed5e03dc73f02584a2b0faad36e896936238238b0446cf
+  languageName: node
+  linkType: hard
+
+"pidtree@npm:^0.3.0":
+  version: 0.3.1
+  resolution: "pidtree@npm:0.3.1"
+  bin:
+    pidtree: bin/pidtree.js
+  checksum: eb49025099f1af89a4696f7673351421f13420f3397b963c901fe23a1c9c2ff50f4750321970d4472c0ffbb065e4a6c3c27f75e226cc62284b19e21d32ce7012
+  languageName: node
+  linkType: hard
+
+"pify@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "pify@npm:3.0.0"
+  checksum: 6cdcbc3567d5c412450c53261a3f10991665d660961e06605decf4544a61a97a54fefe70a68d5c37080ff9d6f4cf51444c90198d1ba9f9309a6c0d6e9f5c4fde
+  languageName: node
+  linkType: hard
+
+"pify@npm:^4.0.1":
+  version: 4.0.1
+  resolution: "pify@npm:4.0.1"
+  checksum: 9c4e34278cb09987685fa5ef81499c82546c033713518f6441778fbec623fc708777fe8ac633097c72d88470d5963094076c7305cafc7ad340aae27cfacd856b
+  languageName: node
+  linkType: hard
+
+"pinkie-promise@npm:^2.0.0":
+  version: 2.0.1
+  resolution: "pinkie-promise@npm:2.0.1"
+  dependencies:
+    pinkie: ^2.0.0
+  checksum: b53a4a2e73bf56b6f421eef711e7bdcb693d6abb474d57c5c413b809f654ba5ee750c6a96dd7225052d4b96c4d053cdcb34b708a86fceed4663303abee52fcca
+  languageName: node
+  linkType: hard
+
+"pinkie@npm:^2.0.0":
+  version: 2.0.4
+  resolution: "pinkie@npm:2.0.4"
+  checksum: b12b10afea1177595aab036fc220785488f67b4b0fc49e7a27979472592e971614fa1c728e63ad3e7eb748b4ec3c3dbd780819331dad6f7d635c77c10537b9db
+  languageName: node
+  linkType: hard
+
+"pkg-dir@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "pkg-dir@npm:3.0.0"
+  dependencies:
+    find-up: ^3.0.0
+  checksum: 70c9476ffefc77552cc6b1880176b71ad70bfac4f367604b2b04efd19337309a4eec985e94823271c7c0e83946fa5aeb18cd360d15d10a5d7533e19344bfa808
+  languageName: node
+  linkType: hard
+
+"pkg-dir@npm:^4.1.0":
+  version: 4.2.0
+  resolution: "pkg-dir@npm:4.2.0"
+  dependencies:
+    find-up: ^4.0.0
+  checksum: 9863e3f35132bf99ae1636d31ff1e1e3501251d480336edb1c211133c8d58906bed80f154a1d723652df1fda91e01c7442c2eeaf9dc83157c7ae89087e43c8d6
+  languageName: node
+  linkType: hard
+
+"pkg-up@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "pkg-up@npm:2.0.0"
+  dependencies:
+    find-up: ^2.1.0
+  checksum: de4b418175281a082e366ce1a919f032520ee53cf421578b35173f03816f6ec4c19e1552066840bb0988c3e1215859653948efd6ca3507a23f4f44229269500d
+  languageName: node
+  linkType: hard
+
+"pkg-up@npm:^3.1.0":
+  version: 3.1.0
+  resolution: "pkg-up@npm:3.1.0"
+  dependencies:
+    find-up: ^3.0.0
+  checksum: 5bac346b7c7c903613c057ae3ab722f320716199d753f4a7d053d38f2b5955460f3e6ab73b4762c62fd3e947f58e04f1343e92089e7bb6091c90877406fcd8c8
+  languageName: node
+  linkType: hard
+
+"pkijs@npm:^2.2.2":
+  version: 2.2.2
+  resolution: "pkijs@npm:2.2.2"
+  dependencies:
+    asn1js: ^2.1.1
+    bytestreamjs: ^1.0.29
+    pvutils: ^1.0.17
+  checksum: 92664bc4b7378200f74d7faf32a80365058d79f22b27f9a83b10e1e7684892a17657ff65c106e7c48be6d79b76545149e949229ae42a6456d0e447b9872a26e5
+  languageName: node
+  linkType: hard
+
+"please-upgrade-node@npm:^3.2.0":
+  version: 3.2.0
+  resolution: "please-upgrade-node@npm:3.2.0"
+  dependencies:
+    semver-compare: ^1.0.0
+  checksum: d87c41581a2a022fbe25965a97006238cd9b8cbbf49b39f78d262548149a9d30bd2bdf35fec3d810e0001e630cd46ef13c7e19c389dea8de7e64db271a2381bb
+  languageName: node
+  linkType: hard
+
+"portfinder@npm:^1.0.32":
+  version: 1.0.32
+  resolution: "portfinder@npm:1.0.32"
+  dependencies:
+    async: ^2.6.4
+    debug: ^3.2.7
+    mkdirp: ^0.5.6
+  checksum: 116b4aed1b9e16f6d5503823d966d9ffd41b1c2339e27f54c06cd2f3015a9d8ef53e2a53b57bc0a25af0885977b692007353aa28f9a0a98a44335cb50487240d
+  languageName: node
+  linkType: hard
+
+"posix-character-classes@npm:^0.1.0":
+  version: 0.1.1
+  resolution: "posix-character-classes@npm:0.1.1"
+  checksum: dedb99913c60625a16050cfed2fb5c017648fc075be41ac18474e1c6c3549ef4ada201c8bd9bd006d36827e289c571b6092e1ef6e756cdbab2fd7046b25c6442
+  languageName: node
+  linkType: hard
+
+"postcss-modules-extract-imports@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "postcss-modules-extract-imports@npm:3.0.0"
+  peerDependencies:
+    postcss: ^8.1.0
+  checksum: 4b65f2f1382d89c4bc3c0a1bdc5942f52f3cb19c110c57bd591ffab3a5fee03fcf831604168205b0c1b631a3dce2255c70b61aaae3ef39d69cd7eb450c2552d2
+  languageName: node
+  linkType: hard
+
+"postcss-modules-local-by-default@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "postcss-modules-local-by-default@npm:4.0.0"
+  dependencies:
+    icss-utils: ^5.0.0
+    postcss-selector-parser: ^6.0.2
+    postcss-value-parser: ^4.1.0
+  peerDependencies:
+    postcss: ^8.1.0
+  checksum: 6cf570badc7bc26c265e073f3ff9596b69bb954bc6ac9c5c1b8cba2995b80834226b60e0a3cbb87d5f399dbb52e6466bba8aa1d244f6218f99d834aec431a69d
+  languageName: node
+  linkType: hard
+
+"postcss-modules-scope@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "postcss-modules-scope@npm:3.0.0"
+  dependencies:
+    postcss-selector-parser: ^6.0.4
+  peerDependencies:
+    postcss: ^8.1.0
+  checksum: 330b9398dbd44c992c92b0dc612c0626135e2cc840fee41841eb61247a6cfed95af2bd6f67ead9dd9d0bb41f5b0367129d93c6e434fa3e9c58ade391d9a5a138
+  languageName: node
+  linkType: hard
+
+"postcss-modules-values@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "postcss-modules-values@npm:4.0.0"
+  dependencies:
+    icss-utils: ^5.0.0
+  peerDependencies:
+    postcss: ^8.1.0
+  checksum: f7f2cdf14a575b60e919ad5ea52fed48da46fe80db2733318d71d523fc87db66c835814940d7d05b5746b0426e44661c707f09bdb83592c16aea06e859409db6
+  languageName: node
+  linkType: hard
+
+"postcss-resolve-nested-selector@npm:^0.1.1":
+  version: 0.1.1
+  resolution: "postcss-resolve-nested-selector@npm:0.1.1"
+  checksum: b08fb76ab092a09ee01328bad620a01dcb445ac5eb02dd0ed9ed75217c2f779ecb3bf99a361c46e695689309c08c09f1a1ad7354c8d58c2c2c40d364657fcb08
+  languageName: node
+  linkType: hard
+
+"postcss-safe-parser@npm:^6.0.0":
+  version: 6.0.0
+  resolution: "postcss-safe-parser@npm:6.0.0"
+  peerDependencies:
+    postcss: ^8.3.3
+  checksum: 06c733eaad83a3954367e7ee02ddfe3796e7a44d4299ccf9239f40964a4daac153c7d77613f32964b5a86c0c6c2f6167738f31d578b73b17cb69d0c4446f0ebe
+  languageName: node
+  linkType: hard
+
+"postcss-selector-parser@npm:^6.0.13":
+  version: 6.0.13
+  resolution: "postcss-selector-parser@npm:6.0.13"
+  dependencies:
+    cssesc: ^3.0.0
+    util-deprecate: ^1.0.2
+  checksum: f89163338a1ce3b8ece8e9055cd5a3165e79a15e1c408e18de5ad8f87796b61ec2d48a2902d179ae0c4b5de10fccd3a325a4e660596549b040bc5ad1b465f096
+  languageName: node
+  linkType: hard
+
+"postcss-selector-parser@npm:^6.0.2, postcss-selector-parser@npm:^6.0.4":
+  version: 6.0.10
+  resolution: "postcss-selector-parser@npm:6.0.10"
+  dependencies:
+    cssesc: ^3.0.0
+    util-deprecate: ^1.0.2
+  checksum: 46afaa60e3d1998bd7adf6caa374baf857cc58d3ff944e29459c9a9e4680a7fe41597bd5b755fc81d7c388357e9bf67c0251d047c640a09f148e13606b8a8608
+  languageName: node
+  linkType: hard
+
+"postcss-value-parser@npm:^3.2.3":
+  version: 3.3.1
+  resolution: "postcss-value-parser@npm:3.3.1"
+  checksum: 62cd26e1cdbcf2dcc6bcedf3d9b409c9027bc57a367ae20d31dd99da4e206f730689471fd70a2abe866332af83f54dc1fa444c589e2381bf7f8054c46209ce16
+  languageName: node
+  linkType: hard
+
+"postcss-value-parser@npm:^4.1.0, postcss-value-parser@npm:^4.2.0":
+  version: 4.2.0
+  resolution: "postcss-value-parser@npm:4.2.0"
+  checksum: 819ffab0c9d51cf0acbabf8996dffbfafbafa57afc0e4c98db88b67f2094cb44488758f06e5da95d7036f19556a4a732525e84289a425f4f6fd8e412a9d7442f
+  languageName: node
+  linkType: hard
+
+"postcss@npm:^6.0.1, postcss@npm:^6.0.17":
+  version: 6.0.23
+  resolution: "postcss@npm:6.0.23"
+  dependencies:
+    chalk: ^2.4.1
+    source-map: ^0.6.1
+    supports-color: ^5.4.0
+  checksum: cc6cb2c1dbcdefa6f57a71d67fe535c9e96543298bbe28f9a6a64c4f1e21b6127113890dd4cda8873d3f4e6613a0566b7b4bbb230204f3a9a309190bda065d81
+  languageName: node
+  linkType: hard
+
+"postcss@npm:^8.2.15":
+  version: 8.4.14
+  resolution: "postcss@npm:8.4.14"
+  dependencies:
+    nanoid: ^3.3.4
+    picocolors: ^1.0.0
+    source-map-js: ^1.0.2
+  checksum: fe58766ff32e4becf65a7d57678995cfd239df6deed2fe0557f038b47c94e4132e7e5f68b5aa820c13adfec32e523b693efaeb65798efb995ce49ccd83953816
+  languageName: node
+  linkType: hard
+
+"postcss@npm:^8.4.24":
+  version: 8.4.26
+  resolution: "postcss@npm:8.4.26"
+  dependencies:
+    nanoid: ^3.3.6
+    picocolors: ^1.0.0
+    source-map-js: ^1.0.2
+  checksum: 1cf08ee10d58cbe98f94bf12ac49a5e5ed1588507d333d2642aacc24369ca987274e1f60ff4cbf0081f70d2ab18a5cd3a4a273f188d835b8e7f3ba381b184e57
+  languageName: node
+  linkType: hard
+
+"prelude-ls@npm:^1.2.1":
+  version: 1.2.1
+  resolution: "prelude-ls@npm:1.2.1"
+  checksum: cd192ec0d0a8e4c6da3bb80e4f62afe336df3f76271ac6deb0e6a36187133b6073a19e9727a1ff108cd8b9982e4768850d413baa71214dd80c7979617dca827a
+  languageName: node
+  linkType: hard
+
+"prelude-ls@npm:~1.1.2":
+  version: 1.1.2
+  resolution: "prelude-ls@npm:1.1.2"
+  checksum: c4867c87488e4a0c233e158e4d0d5565b609b105d75e4c05dc760840475f06b731332eb93cc8c9cecb840aa8ec323ca3c9a56ad7820ad2e63f0261dadcb154e4
+  languageName: node
+  linkType: hard
+
+"pretender@npm:^3.4.3":
+  version: 3.4.3
+  resolution: "pretender@npm:3.4.3"
+  dependencies:
+    fake-xml-http-request: ^2.1.1
+    route-recognizer: ^0.3.3
+  checksum: 2ac03977f489eb79882f1fd4bcfb949f6ca6226fd95f366ec35a73590bd76b52fc283e7d8e5a8e649982619097849a4240dce138afad9089b407b1feba5df4a3
+  languageName: node
+  linkType: hard
+
+"pretender@npm:^3.4.7":
+  version: 3.4.7
+  resolution: "pretender@npm:3.4.7"
+  dependencies:
+    fake-xml-http-request: ^2.1.2
+    route-recognizer: ^0.3.3
+  checksum: ca767dfa3fdb5e49cec8f272de1c7d489f53986a9f58dd0caf379b6365b1f1241bbb03bea6fe4421ce3e2aaa894d6c7349a5ef603283710be2babca49f1ad6fb
+  languageName: node
+  linkType: hard
+
+"prettier-eslint-cli@npm:^7.1.0":
+  version: 7.1.0
+  resolution: "prettier-eslint-cli@npm:7.1.0"
+  dependencies:
+    "@messageformat/core": ^3.0.1
+    "@prettier/eslint": "npm:prettier-eslint@^15.0.1"
+    arrify: ^2.0.1
+    boolify: ^1.0.1
+    camelcase-keys: ^7.0.2
+    chalk: ^4.1.2
+    common-tags: ^1.8.2
+    core-js: ^3.24.1
+    eslint: ^8.21.0
+    find-up: ^5.0.0
+    get-stdin: ^8.0.0
+    glob: ^7.2.3
+    ignore: ^5.2.0
+    indent-string: ^4.0.0
+    lodash.memoize: ^4.1.2
+    loglevel-colored-level-prefix: ^1.0.0
+    rxjs: ^7.5.6
+    yargs: ^13.1.1
+  peerDependencies:
+    prettier-eslint: "*"
+  peerDependenciesMeta:
+    prettier-eslint:
+      optional: true
+  bin:
+    prettier-eslint: dist/index.js
+  checksum: 7c948d748ec5c34c1d1fb3d47cffe55629141a2383a099af15b2887db87908fe8edd6f1328b922521b531c9403d6a3924b4484b36622ca8889c90351e47d4ec5
+  languageName: node
+  linkType: hard
+
+"prettier-linter-helpers@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "prettier-linter-helpers@npm:1.0.0"
+  dependencies:
+    fast-diff: ^1.1.2
+  checksum: 00ce8011cf6430158d27f9c92cfea0a7699405633f7f1d4a45f07e21bf78e99895911cbcdc3853db3a824201a7c745bd49bfea8abd5fb9883e765a90f74f8392
+  languageName: node
+  linkType: hard
+
+"prettier@npm:2.8.7":
+  version: 2.8.7
+  resolution: "prettier@npm:2.8.7"
+  bin:
+    prettier: bin-prettier.js
+  checksum: fdc8f2616f099f5f0d685907f4449a70595a0fc1d081a88919604375989e0d5e9168d6121d8cc6861f21990b31665828e00472544d785d5940ea08a17660c3a6
+  languageName: node
+  linkType: hard
+
+"prettier@npm:^2.5.1":
+  version: 2.7.1
+  resolution: "prettier@npm:2.7.1"
+  bin:
+    prettier: bin-prettier.js
+  checksum: 55a4409182260866ab31284d929b3cb961e5fdb91fe0d2e099dac92eaecec890f36e524b4c19e6ceae839c99c6d7195817579cdffc8e2c80da0cb794463a748b
+  languageName: node
+  linkType: hard
+
+"pretty-format@npm:^23.0.1":
+  version: 23.6.0
+  resolution: "pretty-format@npm:23.6.0"
+  dependencies:
+    ansi-regex: ^3.0.0
+    ansi-styles: ^3.2.0
+  checksum: b668eac9fb19d12cf27098206d587b0be8da9f7fdc56998ace9bad9b6b6f5a5be5004d9fec3c2dc215d4128ef3db901e7329e0e8e081b0732a781bddfa9e2b66
+  languageName: node
+  linkType: hard
+
+"pretty-ms@npm:^3.1.0":
+  version: 3.2.0
+  resolution: "pretty-ms@npm:3.2.0"
+  dependencies:
+    parse-ms: ^1.0.0
+  checksum: 705030a262353abfeda1c765bd1f5269c06dc7777536bdd5f8cebc84f0d012aaca679ca6fc5ea4a84c915e967dce4ab4b6489693abb05dd58e7a9802747736a3
+  languageName: node
+  linkType: hard
+
+"printf@npm:^0.6.1":
+  version: 0.6.1
+  resolution: "printf@npm:0.6.1"
+  checksum: 7643279e5e4e2032b86b61babb21e60b99eac71491556a0fc3f01a443f61f90f1701f9912be41a1e44e1164a69fa349b907719716b983e3a222ad9a978ba06f9
+  languageName: node
+  linkType: hard
+
+"prismjs@npm:^1.21.0":
+  version: 1.29.0
+  resolution: "prismjs@npm:1.29.0"
+  checksum: 007a8869d4456ff8049dc59404e32d5666a07d99c3b0e30a18bd3b7676dfa07d1daae9d0f407f20983865fd8da56de91d09cb08e6aa61f5bc420a27c0beeaf93
+  languageName: node
+  linkType: hard
+
+"private@npm:^0.1.6, private@npm:^0.1.8":
+  version: 0.1.8
+  resolution: "private@npm:0.1.8"
+  checksum: a00abd713d25389f6de7294f0e7879b8a5d09a9ec5fd81cc2f21b29d4f9a80ec53bc4222927d3a281d4aadd4cd373d9a28726fca3935921950dc75fd71d1fdbb
+  languageName: node
+  linkType: hard
+
+"proc-log@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "proc-log@npm:3.0.0"
+  checksum: 02b64e1b3919e63df06f836b98d3af002b5cd92655cab18b5746e37374bfb73e03b84fe305454614b34c25b485cc687a9eebdccf0242cda8fda2475dd2c97e02
+  languageName: node
+  linkType: hard
+
+"process-nextick-args@npm:~2.0.0":
+  version: 2.0.1
+  resolution: "process-nextick-args@npm:2.0.1"
+  checksum: 1d38588e520dab7cea67cbbe2efdd86a10cc7a074c09657635e34f035277b59fbb57d09d8638346bf7090f8e8ebc070c96fa5fd183b777fff4f5edff5e9466cf
+  languageName: node
+  linkType: hard
+
+"process-relative-require@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "process-relative-require@npm:1.0.0"
+  dependencies:
+    node-modules-path: ^1.0.0
+  checksum: 659265a7dad2329edd0483d36b7e25f61f8663901b74dd672ebd0bb5248494156b2892f0860ef0574049a235423183996656bee052ce2212fef2fbc61034df7e
+  languageName: node
+  linkType: hard
+
+"process@npm:^0.11.10":
+  version: 0.11.10
+  resolution: "process@npm:0.11.10"
+  checksum: bfcce49814f7d172a6e6a14d5fa3ac92cc3d0c3b9feb1279774708a719e19acd673995226351a082a9ae99978254e320ccda4240ddc474ba31a76c79491ca7c3
+  languageName: node
+  linkType: hard
+
+"promise-inflight@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "promise-inflight@npm:1.0.1"
+  checksum: 22749483091d2c594261517f4f80e05226d4d5ecc1fc917e1886929da56e22b5718b7f2a75f3807e7a7d471bc3be2907fe92e6e8f373ddf5c64bae35b5af3981
+  languageName: node
+  linkType: hard
+
+"promise-map-series@npm:^0.2.1":
+  version: 0.2.3
+  resolution: "promise-map-series@npm:0.2.3"
+  dependencies:
+    rsvp: ^3.0.14
+  checksum: 3f63265f596580388c025742492e379b54470fb94a1b05626723092e412f722ec8fe8e2be78cbf1c788887a307bf6cd0fedd071bec1d409a2972aec5238ea35a
+  languageName: node
+  linkType: hard
+
+"promise-map-series@npm:^0.3.0":
+  version: 0.3.0
+  resolution: "promise-map-series@npm:0.3.0"
+  checksum: a1c992562e68a3e14c39d010bd6335166e4a0469763fd161a8b1e15f972033fce5207722edb9c16ecc9324b44ef45e42674f7015e6a8922972f45a85849bbeef
+  languageName: node
+  linkType: hard
+
+"promise-retry@npm:^2.0.1":
+  version: 2.0.1
+  resolution: "promise-retry@npm:2.0.1"
+  dependencies:
+    err-code: ^2.0.2
+    retry: ^0.12.0
+  checksum: f96a3f6d90b92b568a26f71e966cbbc0f63ab85ea6ff6c81284dc869b41510e6cdef99b6b65f9030f0db422bf7c96652a3fff9f2e8fb4a0f069d8f4430359429
+  languageName: node
+  linkType: hard
+
+"promise.hash.helper@npm:^1.0.8":
+  version: 1.0.8
+  resolution: "promise.hash.helper@npm:1.0.8"
+  checksum: 88844dd1dd9d95a3d3b9c27f092dee938da02f9c9f3bd62a6b7b20e16c51c64a0db33edf09d25615055a1cb7ad96b5edcc837680cde88de09a12c466adfaf435
+  languageName: node
+  linkType: hard
+
+"promise.prototype.finally@npm:^3.1.0":
+  version: 3.1.3
+  resolution: "promise.prototype.finally@npm:3.1.3"
+  dependencies:
+    call-bind: ^1.0.2
+    define-properties: ^1.1.3
+    es-abstract: ^1.19.1
+  checksum: aba8af6ae8d076e2c344d2674409b44c8f98b3aba98b78619739aeb4a74ebac80dbba5f9338da7cf0108a34384799d3996c46697d2e21c6e998c04d68041213c
+  languageName: node
+  linkType: hard
+
+"proper-lockfile@npm:^4.1.2":
+  version: 4.1.2
+  resolution: "proper-lockfile@npm:4.1.2"
+  dependencies:
+    graceful-fs: ^4.2.4
+    retry: ^0.12.0
+    signal-exit: ^3.0.2
+  checksum: 00078ee6a61c216a56a6140c7d2a98c6c733b3678503002dc073ab8beca5d50ca271de4c85fca13b9b8ee2ff546c36674d1850509b84a04a5d0363bcb8638939
+  languageName: node
+  linkType: hard
+
+"proxy-addr@npm:~2.0.5":
+  version: 2.0.6
+  resolution: "proxy-addr@npm:2.0.6"
+  dependencies:
+    forwarded: ~0.1.2
+    ipaddr.js: 1.9.1
+  checksum: 2bad9b7a56b847faf606a19328aaaf5fca3e561ebb4e933969a580d94a20f77e74fb21196028a6e417851b3d9d95a0c704732a3362e3ef515d45d96859ac7eb9
+  languageName: node
+  linkType: hard
+
+"proxy-addr@npm:~2.0.7":
+  version: 2.0.7
+  resolution: "proxy-addr@npm:2.0.7"
+  dependencies:
+    forwarded: 0.2.0
+    ipaddr.js: 1.9.1
+  checksum: 29c6990ce9364648255454842f06f8c46fcd124d3e6d7c5066df44662de63cdc0bad032e9bf5a3d653ff72141cc7b6019873d685708ac8210c30458ad99f2b74
+  languageName: node
+  linkType: hard
+
+"prr@npm:~1.0.1":
+  version: 1.0.1
+  resolution: "prr@npm:1.0.1"
+  checksum: 3bca2db0479fd38f8c4c9439139b0c42dcaadcc2fbb7bb8e0e6afaa1383457f1d19aea9e5f961d5b080f1cfc05bfa1fe9e45c97a1d3fd6d421950a73d3108381
+  languageName: node
+  linkType: hard
+
+"psl@npm:^1.1.28, psl@npm:^1.1.33":
+  version: 1.8.0
+  resolution: "psl@npm:1.8.0"
+  checksum: 6150048ed2da3f919478bee8a82f3828303bc0fc730fb015a48f83c9977682c7b28c60ab01425a72d82a2891a1681627aa530a991d50c086b48a3be27744bde7
+  languageName: node
+  linkType: hard
+
+"public-encrypt@npm:^4.0.0":
+  version: 4.0.3
+  resolution: "public-encrypt@npm:4.0.3"
+  dependencies:
+    bn.js: ^4.1.0
+    browserify-rsa: ^4.0.0
+    create-hash: ^1.1.0
+    parse-asn1: ^5.0.0
+    randombytes: ^2.0.1
+    safe-buffer: ^5.1.2
+  checksum: 215d446e43cef021a20b67c1df455e5eea134af0b1f9b8a35f9e850abf32991b0c307327bc5b9bc07162c288d5cdb3d4a783ea6c6640979ed7b5017e3e0c9935
+  languageName: node
+  linkType: hard
+
+"pump@npm:^2.0.0":
+  version: 2.0.1
+  resolution: "pump@npm:2.0.1"
+  dependencies:
+    end-of-stream: ^1.1.0
+    once: ^1.3.1
+  checksum: e9f26a17be00810bff37ad0171edb35f58b242487b0444f92fb7d78bc7d61442fa9b9c5bd93a43fd8fd8ddd3cc75f1221f5e04c790f42907e5baab7cf5e2b931
+  languageName: node
+  linkType: hard
+
+"pump@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "pump@npm:3.0.0"
+  dependencies:
+    end-of-stream: ^1.1.0
+    once: ^1.3.1
+  checksum: e42e9229fba14732593a718b04cb5e1cfef8254544870997e0ecd9732b189a48e1256e4e5478148ecb47c8511dca2b09eae56b4d0aad8009e6fac8072923cfc9
+  languageName: node
+  linkType: hard
+
+"pumpify@npm:^1.3.3":
+  version: 1.5.1
+  resolution: "pumpify@npm:1.5.1"
+  dependencies:
+    duplexify: ^3.6.0
+    inherits: ^2.0.3
+    pump: ^2.0.0
+  checksum: 26ca412ec8d665bd0d5e185c1b8f627728eff603440d75d22a58e421e3c66eaf86ec6fc6a6efc54808ecef65979279fa8e99b109a23ec1fa8d79f37e6978c9bd
+  languageName: node
+  linkType: hard
+
+"punycode@npm:1.3.2":
+  version: 1.3.2
+  resolution: "punycode@npm:1.3.2"
+  checksum: b8807fd594b1db33335692d1f03e8beeddde6fda7fbb4a2e32925d88d20a3aa4cd8dcc0c109ccaccbd2ba761c208dfaaada83007087ea8bfb0129c9ef1b99ed6
+  languageName: node
+  linkType: hard
+
+"punycode@npm:^1.2.4":
+  version: 1.4.1
+  resolution: "punycode@npm:1.4.1"
+  checksum: fa6e698cb53db45e4628559e557ddaf554103d2a96a1d62892c8f4032cd3bc8871796cae9eabc1bc700e2b6677611521ce5bb1d9a27700086039965d0cf34518
+  languageName: node
+  linkType: hard
+
+"punycode@npm:^2.1.0, punycode@npm:^2.1.1":
+  version: 2.1.1
+  resolution: "punycode@npm:2.1.1"
+  checksum: 823bf443c6dd14f669984dea25757b37993f67e8d94698996064035edd43bed8a5a17a9f12e439c2b35df1078c6bec05a6c86e336209eb1061e8025c481168e8
+  languageName: node
+  linkType: hard
+
+"pvutils@latest, pvutils@npm:^1.0.17":
+  version: 1.0.17
+  resolution: "pvutils@npm:1.0.17"
+  checksum: 370cc6c7ed2cddeb97e85339f4cac06cc07e3195774b0b8707a7994db0acd73451745cc57209a2bc6d4138b9b14d5ab0335e3614743a91010a74db597428dfe8
+  languageName: node
+  linkType: hard
+
+"q@npm:^1.1.2":
+  version: 1.5.1
+  resolution: "q@npm:1.5.1"
+  checksum: 147baa93c805bc1200ed698bdf9c72e9e42c05f96d007e33a558b5fdfd63e5ea130e99313f28efc1783e90e6bdb4e48b67a36fcc026b7b09202437ae88a1fb12
+  languageName: node
+  linkType: hard
+
+"qs@npm:^6.3.0":
+  version: 6.10.1
+  resolution: "qs@npm:6.10.1"
+  dependencies:
+    side-channel: ^1.0.4
+  checksum: 00e390dbf98eff4d8ff121b61ab2fe32106852290de99ecd0e40fc76651c4101f43fc6cc8313cb69423563876fc532951b11dda55d2917def05f292258263480
+  languageName: node
+  linkType: hard
+
+"querystring-es3@npm:^0.2.0":
+  version: 0.2.1
+  resolution: "querystring-es3@npm:0.2.1"
+  checksum: 691e8d6b8b157e7cd49ae8e83fcf86de39ab3ba948c25abaa94fba84c0986c641aa2f597770848c64abce290ed17a39c9df6df737dfa7e87c3b63acc7d225d61
+  languageName: node
+  linkType: hard
+
+"querystring@npm:0.2.0":
+  version: 0.2.0
+  resolution: "querystring@npm:0.2.0"
+  checksum: 8258d6734f19be27e93f601758858c299bdebe71147909e367101ba459b95446fbe5b975bf9beb76390156a592b6f4ac3a68b6087cea165c259705b8b4e56a69
+  languageName: node
+  linkType: hard
+
+"queue-microtask@npm:^1.2.2":
+  version: 1.2.3
+  resolution: "queue-microtask@npm:1.2.3"
+  checksum: b676f8c040cdc5b12723ad2f91414d267605b26419d5c821ff03befa817ddd10e238d22b25d604920340fd73efd8ba795465a0377c4adf45a4a41e4234e42dc4
+  languageName: node
+  linkType: hard
+
+"quick-lru@npm:^5.1.1":
+  version: 5.1.1
+  resolution: "quick-lru@npm:5.1.1"
+  checksum: a516faa25574be7947969883e6068dbe4aa19e8ef8e8e0fd96cddd6d36485e9106d85c0041a27153286b0770b381328f4072aa40d3b18a19f5f7d2b78b94b5ed
+  languageName: node
+  linkType: hard
+
+"quick-temp@npm:^0.1.2, quick-temp@npm:^0.1.3, quick-temp@npm:^0.1.5, quick-temp@npm:^0.1.8":
+  version: 0.1.8
+  resolution: "quick-temp@npm:0.1.8"
+  dependencies:
+    mktemp: ~0.4.0
+    rimraf: ^2.5.4
+    underscore.string: ~3.3.4
+  checksum: b9a60934301afd5cb67a10946f8124e63ccb0cd305d35e2d8e5fe7be80df4d29b8414605ee1e55a714c3b87468856fa92526737569fc5e4a11e056ee192b72c8
+  languageName: node
+  linkType: hard
+
+"qunit-dom@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "qunit-dom@npm:2.0.0"
+  dependencies:
+    broccoli-funnel: ^3.0.3
+    broccoli-merge-trees: ^4.2.0
+    ember-cli-babel: ^7.23.0
+    ember-cli-version-checker: ^5.1.1
+  checksum: f9f06ad19adaaa4f8f107f28fd3feacd65b26d4de647d08b11a844b750ebbed2adbeabab52edc9d8cda2b0b7a0e08812425a5d4698b34f1b2a9af7b6f53b8413
+  languageName: node
+  linkType: hard
+
+"qunit@npm:^2.19.4":
+  version: 2.19.4
+  resolution: "qunit@npm:2.19.4"
+  dependencies:
+    commander: 7.2.0
+    node-watch: 0.7.3
+    tiny-glob: 0.2.9
+  bin:
+    qunit: bin/qunit.js
+  checksum: 626001f82881e91f3bff2688bc55948a570bd8bf7aea7c9e7836285f1ab0a7a3577296f3b37cce21e182dcd724d14ee439fa39961348a603fbe5a6d5ffc144ef
+  languageName: node
+  linkType: hard
+
+"randombytes@npm:^2.0.0, randombytes@npm:^2.0.1, randombytes@npm:^2.0.5, randombytes@npm:^2.1.0":
+  version: 2.1.0
+  resolution: "randombytes@npm:2.1.0"
+  dependencies:
+    safe-buffer: ^5.1.0
+  checksum: d779499376bd4cbb435ef3ab9a957006c8682f343f14089ed5f27764e4645114196e75b7f6abf1cbd84fd247c0cb0651698444df8c9bf30e62120fbbc52269d6
+  languageName: node
+  linkType: hard
+
+"randomfill@npm:^1.0.3":
+  version: 1.0.4
+  resolution: "randomfill@npm:1.0.4"
+  dependencies:
+    randombytes: ^2.0.5
+    safe-buffer: ^5.1.0
+  checksum: 33734bb578a868d29ee1b8555e21a36711db084065d94e019a6d03caa67debef8d6a1bfd06a2b597e32901ddc761ab483a85393f0d9a75838f1912461d4dbfc7
+  languageName: node
+  linkType: hard
+
+"range-parser@npm:~1.2.1":
+  version: 1.2.1
+  resolution: "range-parser@npm:1.2.1"
+  checksum: 0a268d4fea508661cf5743dfe3d5f47ce214fd6b7dec1de0da4d669dd4ef3d2144468ebe4179049eff253d9d27e719c88dae55be64f954e80135a0cada804ec9
+  languageName: node
+  linkType: hard
+
+"raw-body@npm:2.4.0":
+  version: 2.4.0
+  resolution: "raw-body@npm:2.4.0"
+  dependencies:
+    bytes: 3.1.0
+    http-errors: 1.7.2
+    iconv-lite: 0.4.24
+    unpipe: 1.0.0
+  checksum: 6343906939e018c6e633a34a938a5d6d1e93ffcfa48646e00207d53b418e941953b521473950c079347220944dc75ba10e7b3c08bf97e3ac72c7624882db09bb
+  languageName: node
+  linkType: hard
+
+"raw-body@npm:2.5.1":
+  version: 2.5.1
+  resolution: "raw-body@npm:2.5.1"
+  dependencies:
+    bytes: 3.1.2
+    http-errors: 2.0.0
+    iconv-lite: 0.4.24
+    unpipe: 1.0.0
+  checksum: 5362adff1575d691bb3f75998803a0ffed8c64eabeaa06e54b4ada25a0cd1b2ae7f4f5ec46565d1bec337e08b5ac90c76eaa0758de6f72a633f025d754dec29e
+  languageName: node
+  linkType: hard
+
+"raw-body@npm:~1.1.0":
+  version: 1.1.7
+  resolution: "raw-body@npm:1.1.7"
+  dependencies:
+    bytes: 1
+    string_decoder: 0.10
+  checksum: 75ab1815ac54992abccccdffb27bd9ad9f5b6f5fb66e740474ad0d1bd3c1425e407b2be5eb34e0bef3da2c66bfa6a2c2b77498596f5b9999ead2d449fff0226f
+  languageName: node
+  linkType: hard
+
+"read-pkg-up@npm:^8.0.0":
+  version: 8.0.0
+  resolution: "read-pkg-up@npm:8.0.0"
+  dependencies:
+    find-up: ^5.0.0
+    read-pkg: ^6.0.0
+    type-fest: ^1.0.1
+  checksum: fe4c80401656b40b408884457fffb5a8015c03b1018cfd8e48f8d82a5e9023e24963603aeb2755608d964593e046c15b34d29b07d35af9c7aa478be81805209c
+  languageName: node
+  linkType: hard
+
+"read-pkg@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "read-pkg@npm:3.0.0"
+  dependencies:
+    load-json-file: ^4.0.0
+    normalize-package-data: ^2.3.2
+    path-type: ^3.0.0
+  checksum: 398903ebae6c7e9965419a1062924436cc0b6f516c42c4679a90290d2f87448ed8f977e7aa2dbba4aa1ac09248628c43e493ac25b2bc76640e946035200e34c6
+  languageName: node
+  linkType: hard
+
+"read-pkg@npm:^6.0.0":
+  version: 6.0.0
+  resolution: "read-pkg@npm:6.0.0"
+  dependencies:
+    "@types/normalize-package-data": ^2.4.0
+    normalize-package-data: ^3.0.2
+    parse-json: ^5.2.0
+    type-fest: ^1.0.1
+  checksum: 0cebdff381128e923815c643074a87011070e5fc352bee575d327d6485da3317fab6d802a7b03deeb0be7be8d3ad1640397b3d5d2f044452caf4e8d1736bf94f
+  languageName: node
+  linkType: hard
+
+"readable-stream@npm:1 || 2, readable-stream@npm:^2.0.0, readable-stream@npm:^2.0.1, readable-stream@npm:^2.0.2, readable-stream@npm:^2.1.5, readable-stream@npm:^2.2.2, readable-stream@npm:^2.3.3, readable-stream@npm:^2.3.6, readable-stream@npm:~2.3.6":
+  version: 2.3.7
+  resolution: "readable-stream@npm:2.3.7"
+  dependencies:
+    core-util-is: ~1.0.0
+    inherits: ~2.0.3
+    isarray: ~1.0.0
+    process-nextick-args: ~2.0.0
+    safe-buffer: ~5.1.1
+    string_decoder: ~1.1.1
+    util-deprecate: ~1.0.1
+  checksum: e4920cf7549a60f8aaf694d483a0e61b2a878b969d224f89b3bc788b8d920075132c4b55a7494ee944c7b6a9a0eada28a7f6220d80b0312ece70bbf08eeca755
+  languageName: node
+  linkType: hard
+
+"readable-stream@npm:2 || 3, readable-stream@npm:^3.4.0, readable-stream@npm:^3.6.0":
+  version: 3.6.0
+  resolution: "readable-stream@npm:3.6.0"
+  dependencies:
+    inherits: ^2.0.3
+    string_decoder: ^1.1.1
+    util-deprecate: ^1.0.1
+  checksum: d4ea81502d3799439bb955a3a5d1d808592cf3133350ed352aeaa499647858b27b1c4013984900238b0873ec8d0d8defce72469fb7a83e61d53f5ad61cb80dc8
+  languageName: node
+  linkType: hard
+
+"readable-stream@npm:~1.0.2":
+  version: 1.0.34
+  resolution: "readable-stream@npm:1.0.34"
+  dependencies:
+    core-util-is: ~1.0.0
+    inherits: ~2.0.1
+    isarray: 0.0.1
+    string_decoder: ~0.10.x
+  checksum: 85042c537e4f067daa1448a7e257a201070bfec3dd2706abdbd8ebc7f3418eb4d3ed4b8e5af63e2544d69f88ab09c28d5da3c0b77dc76185fddd189a59863b60
+  languageName: node
+  linkType: hard
+
+"readdirp@npm:^2.2.1":
+  version: 2.2.1
+  resolution: "readdirp@npm:2.2.1"
+  dependencies:
+    graceful-fs: ^4.1.11
+    micromatch: ^3.1.10
+    readable-stream: ^2.0.2
+  checksum: 3879b20f1a871e0e004a14fbf1776e65ee0b746a62f5a416010808b37c272ac49b023c47042c7b1e281cba75a449696635bc64c397ed221ea81d853a8f2ed79a
+  languageName: node
+  linkType: hard
+
+"readdirp@npm:~3.5.0":
+  version: 3.5.0
+  resolution: "readdirp@npm:3.5.0"
+  dependencies:
+    picomatch: ^2.2.1
+  checksum: 6b1a9341e295e15d4fb40c010216cbcb6266587cd0b3ce7defabd66fa1b4e35f9fba3d64c2187fd38fadd01ccbfc5f1b33fdfb1da63b3cbf66224b7c6d75ce5a
+  languageName: node
+  linkType: hard
+
+"readdirp@npm:~3.6.0":
+  version: 3.6.0
+  resolution: "readdirp@npm:3.6.0"
+  dependencies:
+    picomatch: ^2.2.1
+  checksum: 1ced032e6e45670b6d7352d71d21ce7edf7b9b928494dcaba6f11fba63180d9da6cd7061ebc34175ffda6ff529f481818c962952004d273178acd70f7059b320
+  languageName: node
+  linkType: hard
+
+"recast@npm:^0.18.1":
+  version: 0.18.10
+  resolution: "recast@npm:0.18.10"
+  dependencies:
+    ast-types: 0.13.3
+    esprima: ~4.0.0
+    private: ^0.1.8
+    source-map: ~0.6.1
+  checksum: bb6b3083153301985511ed2ae1dd244a6b8e6a1b799ce1e0db49e57162247eec98f38dc7322d13a3680e5ab85be7cdff7edc28b0be11a689f2cb5fd925d6adbb
+  languageName: node
+  linkType: hard
+
+"redent@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "redent@npm:4.0.0"
+  dependencies:
+    indent-string: ^5.0.0
+    strip-indent: ^4.0.0
+  checksum: 6944e7b1d8f3fd28c2515f5c605b9f7f0ea0f4edddf41890bbbdd4d9ee35abb7540c3b278f03ff827bd278bb6ff4a5bd8692ca406b748c5c1c3ce7355e9fbf8f
+  languageName: node
+  linkType: hard
+
+"redeyed@npm:~1.0.0":
+  version: 1.0.1
+  resolution: "redeyed@npm:1.0.1"
+  dependencies:
+    esprima: ~3.0.0
+  checksum: fb189829954ce9dfa1647b38e2fdcbe53857dd6d37d2c66feea3a3f7cf22dafa74b66cef5f3d3d3deb5fe1614aa6966d21372374af5685c0a0e437ee68370d64
+  languageName: node
+  linkType: hard
+
+"regenerate-unicode-properties@npm:^10.0.1":
+  version: 10.0.1
+  resolution: "regenerate-unicode-properties@npm:10.0.1"
+  dependencies:
+    regenerate: ^1.4.2
+  checksum: 1b638b7087d8143e5be3e20e2cda197ea0440fa0bc2cc49646b2f50c5a2b1acdc54b21e4215805a5a2dd487c686b2291accd5ad00619534098d2667e76247754
+  languageName: node
+  linkType: hard
+
+"regenerate-unicode-properties@npm:^10.1.0":
+  version: 10.1.1
+  resolution: "regenerate-unicode-properties@npm:10.1.1"
+  dependencies:
+    regenerate: ^1.4.2
+  checksum: b80958ef40f125275824c2c47d5081dfaefebd80bff26c76761e9236767c748a4a95a69c053fe29d2df881177f2ca85df4a71fe70a82360388b31159ef19adcf
+  languageName: node
+  linkType: hard
+
+"regenerate-unicode-properties@npm:^9.0.0":
+  version: 9.0.0
+  resolution: "regenerate-unicode-properties@npm:9.0.0"
+  dependencies:
+    regenerate: ^1.4.2
+  checksum: 62df21c274259a68c6fa1373e5ddb4d6f6374ad72c08dd488b7802880bc1c3b6de716303ec56c9f793a73d01815e9d81f03a8fbe3f32bc0f7fdf8d70d4841b64
+  languageName: node
+  linkType: hard
+
+"regenerate@npm:^1.2.1, regenerate@npm:^1.4.2":
+  version: 1.4.2
+  resolution: "regenerate@npm:1.4.2"
+  checksum: 3317a09b2f802da8db09aa276e469b57a6c0dd818347e05b8862959c6193408242f150db5de83c12c3fa99091ad95fb42a6db2c3329bfaa12a0ea4cbbeb30cb0
+  languageName: node
+  linkType: hard
+
+"regenerator-runtime@npm:^0.10.5":
+  version: 0.10.5
+  resolution: "regenerator-runtime@npm:0.10.5"
+  checksum: 35b33dbe5381d268b2be98f4ee4b028702acb38b012bff90723df067f915a337e5c979cce4dab4ed23febb223bbebb8820d46902f897742c55818c22c14e2a7c
+  languageName: node
+  linkType: hard
+
+"regenerator-runtime@npm:^0.11.0":
+  version: 0.11.1
+  resolution: "regenerator-runtime@npm:0.11.1"
+  checksum: 3c97bd2c7b2b3247e6f8e2147a002eb78c995323732dad5dc70fac8d8d0b758d0295e7015b90d3d444446ae77cbd24b9f9123ec3a77018e81d8999818301b4f4
+  languageName: node
+  linkType: hard
+
+"regenerator-runtime@npm:^0.13.11":
+  version: 0.13.11
+  resolution: "regenerator-runtime@npm:0.13.11"
+  checksum: 27481628d22a1c4e3ff551096a683b424242a216fee44685467307f14d58020af1e19660bf2e26064de946bad7eff28950eae9f8209d55723e2d9351e632bbb4
+  languageName: node
+  linkType: hard
+
+"regenerator-runtime@npm:^0.13.4":
+  version: 0.13.9
+  resolution: "regenerator-runtime@npm:0.13.9"
+  checksum: 65ed455fe5afd799e2897baf691ca21c2772e1a969d19bb0c4695757c2d96249eb74ee3553ea34a91062b2a676beedf630b4c1551cc6299afb937be1426ec55e
+  languageName: node
+  linkType: hard
+
+"regenerator-runtime@npm:^0.14.0":
+  version: 0.14.0
+  resolution: "regenerator-runtime@npm:0.14.0"
+  checksum: 1c977ad82a82a4412e4f639d65d22be376d3ebdd30da2c003eeafdaaacd03fc00c2320f18120007ee700900979284fc78a9f00da7fb593f6e6eeebc673fba9a3
+  languageName: node
+  linkType: hard
+
+"regenerator-transform@npm:^0.10.0":
+  version: 0.10.1
+  resolution: "regenerator-transform@npm:0.10.1"
+  dependencies:
+    babel-runtime: ^6.18.0
+    babel-types: ^6.19.0
+    private: ^0.1.6
+  checksum: bd366a3b0fa0d0975c48fb9eff250363a9ab28c25b472ecdc397bb19a836746640a30d8f641718a895f9178564bd8a01a0179a9c8e5813f76fc29e62a115d9d7
+  languageName: node
+  linkType: hard
+
+"regenerator-transform@npm:^0.14.2":
+  version: 0.14.5
+  resolution: "regenerator-transform@npm:0.14.5"
+  dependencies:
+    "@babel/runtime": ^7.8.4
+  checksum: a467a3b652b4ec26ff964e9c5f1817523a73fc44cb928b8d21ff11aebeac5d10a84d297fe02cea9f282bcec81a0b0d562237da69ef0f40a0160b30a4fa98bc94
+  languageName: node
+  linkType: hard
+
+"regenerator-transform@npm:^0.15.0":
+  version: 0.15.0
+  resolution: "regenerator-transform@npm:0.15.0"
+  dependencies:
+    "@babel/runtime": ^7.8.4
+  checksum: 86e54849ab1167618d28bb56d214c52a983daf29b0d115c976d79840511420049b6b42c9ebdf187defa8e7129bdd74b6dd266420d0d3868c9fa7f793b5d15d49
+  languageName: node
+  linkType: hard
+
+"regenerator-transform@npm:^0.15.2":
+  version: 0.15.2
+  resolution: "regenerator-transform@npm:0.15.2"
+  dependencies:
+    "@babel/runtime": ^7.8.4
+  checksum: 20b6f9377d65954980fe044cfdd160de98df415b4bff38fbade67b3337efaf078308c4fed943067cd759827cc8cfeca9cb28ccda1f08333b85d6a2acbd022c27
+  languageName: node
+  linkType: hard
+
+"regex-not@npm:^1.0.0, regex-not@npm:^1.0.2":
+  version: 1.0.2
+  resolution: "regex-not@npm:1.0.2"
+  dependencies:
+    extend-shallow: ^3.0.2
+    safe-regex: ^1.1.0
+  checksum: 3081403de79559387a35ef9d033740e41818a559512668cef3d12da4e8a29ef34ee13c8ed1256b07e27ae392790172e8a15c8a06b72962fd4550476cde3d8f77
+  languageName: node
+  linkType: hard
+
+"regexp.prototype.flags@npm:^1.3.1":
+  version: 1.3.1
+  resolution: "regexp.prototype.flags@npm:1.3.1"
+  dependencies:
+    call-bind: ^1.0.2
+    define-properties: ^1.1.3
+  checksum: 343595db5a6bbbb3bfbda881f9c74832cfa9fc0039e64a43843f6bb9158b78b921055266510800ed69d4997638890b17a46d55fd9f32961f53ae56ac3ec4dd05
+  languageName: node
+  linkType: hard
+
+"regexp.prototype.flags@npm:^1.4.3, regexp.prototype.flags@npm:^1.5.0":
+  version: 1.5.0
+  resolution: "regexp.prototype.flags@npm:1.5.0"
+  dependencies:
+    call-bind: ^1.0.2
+    define-properties: ^1.2.0
+    functions-have-names: ^1.2.3
+  checksum: c541687cdbdfff1b9a07f6e44879f82c66bbf07665f9a7544c5fd16acdb3ec8d1436caab01662d2fbcad403f3499d49ab0b77fbc7ef29ef961d98cc4bc9755b4
+  languageName: node
+  linkType: hard
+
+"regexpp@npm:^3.0.0":
+  version: 3.1.0
+  resolution: "regexpp@npm:3.1.0"
+  checksum: 63bcb2c98d63274774c79bef256e03f716d25f1fa8427267d0302d1436a83fa0d905f4e8a172fdfa99fb4d84833df2fb3bf7da2a1a868f156e913174c32b1139
+  languageName: node
+  linkType: hard
+
+"regexpp@npm:^3.2.0":
+  version: 3.2.0
+  resolution: "regexpp@npm:3.2.0"
+  checksum: a78dc5c7158ad9ddcfe01aa9144f46e192ddbfa7b263895a70a5c6c73edd9ce85faf7c0430e59ac38839e1734e275b9c3de5c57ee3ab6edc0e0b1bdebefccef8
+  languageName: node
+  linkType: hard
+
+"regexpu-core@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "regexpu-core@npm:2.0.0"
+  dependencies:
+    regenerate: ^1.2.1
+    regjsgen: ^0.2.0
+    regjsparser: ^0.1.4
+  checksum: 14a78eb4608fa991ded6a1433ee6a570f95a4cfb7fe312145a44d6ecbb3dc8c707016a099494c741aa0ac75a1329b40814d30ff134c0d67679c80187029c7d2d
+  languageName: node
+  linkType: hard
+
+"regexpu-core@npm:^4.7.1":
+  version: 4.8.0
+  resolution: "regexpu-core@npm:4.8.0"
+  dependencies:
+    regenerate: ^1.4.2
+    regenerate-unicode-properties: ^9.0.0
+    regjsgen: ^0.5.2
+    regjsparser: ^0.7.0
+    unicode-match-property-ecmascript: ^2.0.0
+    unicode-match-property-value-ecmascript: ^2.0.0
+  checksum: df92e3e6482409f0a0de162ca1b4e17897e9b0b0687caead6804f04e9b89847e47abbfd0bfc62f52a0b833acf764ea5bdb7b707bb088034824a675ee95d31dec
+  languageName: node
+  linkType: hard
+
+"regexpu-core@npm:^5.0.1":
+  version: 5.0.1
+  resolution: "regexpu-core@npm:5.0.1"
+  dependencies:
+    regenerate: ^1.4.2
+    regenerate-unicode-properties: ^10.0.1
+    regjsgen: ^0.6.0
+    regjsparser: ^0.8.2
+    unicode-match-property-ecmascript: ^2.0.0
+    unicode-match-property-value-ecmascript: ^2.0.0
+  checksum: 6151a9700dad512fadb5564ad23246d54c880eb9417efa5e5c3658b910c1ff894d622dfd159af2ed527ffd44751bfe98682ae06c717155c254d8e2b4bab62785
+  languageName: node
+  linkType: hard
+
+"regexpu-core@npm:^5.3.1":
+  version: 5.3.2
+  resolution: "regexpu-core@npm:5.3.2"
+  dependencies:
+    "@babel/regjsgen": ^0.8.0
+    regenerate: ^1.4.2
+    regenerate-unicode-properties: ^10.1.0
+    regjsparser: ^0.9.1
+    unicode-match-property-ecmascript: ^2.0.0
+    unicode-match-property-value-ecmascript: ^2.1.0
+  checksum: 95bb97088419f5396e07769b7de96f995f58137ad75fac5811fb5fe53737766dfff35d66a0ee66babb1eb55386ef981feaef392f9df6d671f3c124812ba24da2
+  languageName: node
+  linkType: hard
+
+"regjsgen@npm:^0.2.0":
+  version: 0.2.0
+  resolution: "regjsgen@npm:0.2.0"
+  checksum: 1f3ae570151e2c29193cdc5a5890c0b83cd8c5029ed69315b0ea303bc2644f9ab5d536d2288fd9b70293fd351d7dd7fc1fc99ebe24554015c894dbce883bcf2b
+  languageName: node
+  linkType: hard
+
+"regjsgen@npm:^0.5.2":
+  version: 0.5.2
+  resolution: "regjsgen@npm:0.5.2"
+  checksum: 87c83d8488affae2493a823904de1a29a1867a07433c5e1142ad749b5606c5589b305fe35bfcc0972cf5a3b0d66b1f7999009e541be39a5d42c6041c59e2fb52
+  languageName: node
+  linkType: hard
+
+"regjsgen@npm:^0.6.0":
+  version: 0.6.0
+  resolution: "regjsgen@npm:0.6.0"
+  checksum: c5158ebd735e75074e41292ade1ff05d85566d205426cc61501e360c450a63baced8512ee3ae238e5c0a0e42969563c7875b08fa69d6f0402daf36bcb3e4d348
+  languageName: node
+  linkType: hard
+
+"regjsparser@npm:^0.1.4":
+  version: 0.1.5
+  resolution: "regjsparser@npm:0.1.5"
+  dependencies:
+    jsesc: ~0.5.0
+  bin:
+    regjsparser: bin/parser
+  checksum: 1feba2f3f2d4f1ef9f5f4e0f20c827cf866d4f65c51502eb64db4d4dd9c656f8c70f6c79537c892bf0fc9592c96f732519f7d8ad4a82f3b622756118ac737970
+  languageName: node
+  linkType: hard
+
+"regjsparser@npm:^0.7.0":
+  version: 0.7.0
+  resolution: "regjsparser@npm:0.7.0"
+  dependencies:
+    jsesc: ~0.5.0
+  bin:
+    regjsparser: bin/parser
+  checksum: fefff9adcab47650817d2c492aac774f11a44b824a4a814e466ebc76313e03e79c50d2babde7e04888296f6ec0fd094e3eeeafa8122c60184de92cdb30636a57
+  languageName: node
+  linkType: hard
+
+"regjsparser@npm:^0.8.2":
+  version: 0.8.4
+  resolution: "regjsparser@npm:0.8.4"
+  dependencies:
+    jsesc: ~0.5.0
+  bin:
+    regjsparser: bin/parser
+  checksum: d069b932491761cda127ce11f6bd2729c3b1b394a35200ec33f1199e937423db28ceb86cf33f0a97c76ecd7c0f8db996476579eaf0d80a1f74c1934f4ca8b27a
+  languageName: node
+  linkType: hard
+
+"regjsparser@npm:^0.9.1":
+  version: 0.9.1
+  resolution: "regjsparser@npm:0.9.1"
+  dependencies:
+    jsesc: ~0.5.0
+  bin:
+    regjsparser: bin/parser
+  checksum: 5e1b76afe8f1d03c3beaf9e0d935dd467589c3625f6d65fb8ffa14f224d783a0fed4bf49c2c1b8211043ef92b6117313419edf055a098ed8342e340586741afc
+  languageName: node
+  linkType: hard
+
+"remark-footnotes@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "remark-footnotes@npm:3.0.0"
+  dependencies:
+    mdast-util-footnote: ^0.1.0
+    micromark-extension-footnote: ^0.3.0
+  checksum: 5e84afb47b57e512171f8af5146e8ba49817faff761c6cdd14abf26c9f018b497e69e79378d94b3ba529e491d3f0615c60851d3db86de785aa37641bf5bf7f8a
+  languageName: node
+  linkType: hard
+
+"remark-frontmatter@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "remark-frontmatter@npm:3.0.0"
+  dependencies:
+    mdast-util-frontmatter: ^0.2.0
+    micromark-extension-frontmatter: ^0.2.0
+  checksum: 33bbcf36a51ee4c3813106b933766e0dc4b2b50f8eb4da3a4c577ea0278335589b36b182fb2722c9857d0ea9932ac75368a5dff70c8cf2b74f4747c244068976
+  languageName: node
+  linkType: hard
+
+"remark-gfm@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "remark-gfm@npm:1.0.0"
+  dependencies:
+    mdast-util-gfm: ^0.1.0
+    micromark-extension-gfm: ^0.3.0
+  checksum: 877b0f6472a90a490b5d5a1393f46d22c4ab7451b1e83ebd7362e5be9c661b6ed03e76c28f76894f460bedf23345c589d3f412c273ce0d4d442c6a4d65b0eae4
+  languageName: node
+  linkType: hard
+
+"remark-parse@npm:^9.0.0":
+  version: 9.0.0
+  resolution: "remark-parse@npm:9.0.0"
+  dependencies:
+    mdast-util-from-markdown: ^0.8.0
+  checksum: 50104880549639b7dd7ae6f1e23c214915fe9c054f02f3328abdaee3f6de6d7282bf4357c3c5b106958fe75e644a3c248c2197755df34f9955e8e028fc74868f
+  languageName: node
+  linkType: hard
+
+"remove-trailing-separator@npm:^1.0.1":
+  version: 1.1.0
+  resolution: "remove-trailing-separator@npm:1.1.0"
+  checksum: d3c20b5a2d987db13e1cca9385d56ecfa1641bae143b620835ac02a6b70ab88f68f117a0021838db826c57b31373d609d52e4f31aca75fc490c862732d595419
+  languageName: node
+  linkType: hard
+
+"remove-types@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "remove-types@npm:1.0.0"
+  dependencies:
+    "@babel/core": ^7.16.10
+    "@babel/plugin-syntax-decorators": ^7.16.7
+    "@babel/plugin-transform-typescript": ^7.16.8
+    prettier: ^2.5.1
+  checksum: 7665e649c762b4880a4e67a982a8bab0db7d4538c18470736854baf9d8fd0fd22273dccf7263b4d6bf9c3d5145cfa085cb15f700e99c51081891c8eaeee2d137
+  languageName: node
+  linkType: hard
+
+"repeat-element@npm:^1.1.2":
+  version: 1.1.4
+  resolution: "repeat-element@npm:1.1.4"
+  checksum: 1edd0301b7edad71808baad226f0890ba709443f03a698224c9ee4f2494c317892dc5211b2ba8cbea7194a9ddbcac01e283bd66de0467ab24ee1fc1a3711d8a9
+  languageName: node
+  linkType: hard
+
+"repeat-string@npm:^1.0.0, repeat-string@npm:^1.6.1":
+  version: 1.6.1
+  resolution: "repeat-string@npm:1.6.1"
+  checksum: 1b809fc6db97decdc68f5b12c4d1a671c8e3f65ec4a40c238bc5200e44e85bcc52a54f78268ab9c29fcf5fe4f1343e805420056d1f30fa9a9ee4c2d93e3cc6c0
+  languageName: node
+  linkType: hard
+
+"repeating@npm:^2.0.0":
+  version: 2.0.1
+  resolution: "repeating@npm:2.0.1"
+  dependencies:
+    is-finite: ^1.0.0
+  checksum: d2db0b69c5cb0c14dd750036e0abcd6b3c3f7b2da3ee179786b755cf737ca15fa0fff417ca72de33d6966056f4695440e680a352401fc02c95ade59899afbdd0
+  languageName: node
+  linkType: hard
+
+"request-promise-core@npm:1.1.4":
+  version: 1.1.4
+  resolution: "request-promise-core@npm:1.1.4"
+  dependencies:
+    lodash: ^4.17.19
+  peerDependencies:
+    request: ^2.34
+  checksum: c798bafd552961e36fbf5023b1d081e81c3995ab390f1bc8ef38a711ba3fe4312eb94dbd61887073d7356c3499b9380947d7f62faa805797c0dc50f039425699
+  languageName: node
+  linkType: hard
+
+"request-promise-native@npm:^1.0.9":
+  version: 1.0.9
+  resolution: "request-promise-native@npm:1.0.9"
+  dependencies:
+    request-promise-core: 1.1.4
+    stealthy-require: ^1.1.1
+    tough-cookie: ^2.3.3
+  peerDependencies:
+    request: ^2.34
+  checksum: 3e2c694eefac88cb20beef8911ad57a275ab3ccbae0c4ca6c679fffb09d5fd502458aab08791f0814ca914b157adab2d4e472597c97a73be702918e41725ed69
+  languageName: node
+  linkType: hard
+
+"request@npm:^2.88.2":
+  version: 2.88.2
+  resolution: "request@npm:2.88.2"
+  dependencies:
+    aws-sign2: ~0.7.0
+    aws4: ^1.8.0
+    caseless: ~0.12.0
+    combined-stream: ~1.0.6
+    extend: ~3.0.2
+    forever-agent: ~0.6.1
+    form-data: ~2.3.2
+    har-validator: ~5.1.3
+    http-signature: ~1.2.0
+    is-typedarray: ~1.0.0
+    isstream: ~0.1.2
+    json-stringify-safe: ~5.0.1
+    mime-types: ~2.1.19
+    oauth-sign: ~0.9.0
+    performance-now: ^2.1.0
+    qs: ~6.5.2
+    safe-buffer: ^5.1.2
+    tough-cookie: ~2.5.0
+    tunnel-agent: ^0.6.0
+    uuid: ^3.3.2
+  checksum: 4e112c087f6eabe7327869da2417e9d28fcd0910419edd2eb17b6acfc4bfa1dad61954525949c228705805882d8a98a86a0ea12d7f739c01ee92af7062996983
+  languageName: node
+  linkType: hard
+
+"require-directory@npm:^2.1.1":
+  version: 2.1.1
+  resolution: "require-directory@npm:2.1.1"
+  checksum: fb47e70bf0001fdeabdc0429d431863e9475e7e43ea5f94ad86503d918423c1543361cc5166d713eaa7029dd7a3d34775af04764bebff99ef413111a5af18c80
+  languageName: node
+  linkType: hard
+
+"require-from-string@npm:^2.0.2":
+  version: 2.0.2
+  resolution: "require-from-string@npm:2.0.2"
+  checksum: a03ef6895445f33a4015300c426699bc66b2b044ba7b670aa238610381b56d3f07c686251740d575e22f4c87531ba662d06937508f0f3c0f1ddc04db3130560b
+  languageName: node
+  linkType: hard
+
+"require-main-filename@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "require-main-filename@npm:2.0.0"
+  checksum: e9e294695fea08b076457e9ddff854e81bffbe248ed34c1eec348b7abbd22a0d02e8d75506559e2265e96978f3c4720bd77a6dad84755de8162b357eb6c778c7
+  languageName: node
+  linkType: hard
+
+"require-relative@npm:^0.8.7":
+  version: 0.8.7
+  resolution: "require-relative@npm:0.8.7"
+  checksum: f1c3be06977823bba43600344d9ea6fbf8a55bdb81ec76533126849ab4024e6c31c6666f37fa4b5cfeda9c41dee89b8e19597cac02bdefaab42255c6708661ab
+  languageName: node
+  linkType: hard
+
+"requireindex@npm:^1.2.0":
+  version: 1.2.0
+  resolution: "requireindex@npm:1.2.0"
+  checksum: 50d8b10a1ff1fdf6aea7a1870bc7bd238b0fb1917d8d7ca17fd03afc38a65dcd7a8a4eddd031f89128b5f0065833d5c92c4fef67f2c04e8624057fe626c9cf94
+  languageName: node
+  linkType: hard
+
+"requires-port@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "requires-port@npm:1.0.0"
+  checksum: eee0e303adffb69be55d1a214e415cf42b7441ae858c76dfc5353148644f6fd6e698926fc4643f510d5c126d12a705e7c8ed7e38061113bdf37547ab356797ff
+  languageName: node
+  linkType: hard
+
+"reselect@npm:^3.0.1":
+  version: 3.0.1
+  resolution: "reselect@npm:3.0.1"
+  checksum: c7ce544bae92db2dc6e768bc2dcc1248f9a21ada22ab5906c5e3c472e1dbc5f080889e5a715b8a2535e652d74c599dd090f5a68bcbe7e6f88053b7599ef4e8d3
+  languageName: node
+  linkType: hard
+
+"reselect@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "reselect@npm:4.0.0"
+  checksum: ac7dfc9ef2cdb42b6fc87a856f3ce904c2e4363a2bc1e6fb7eea5f78902a6f506e4388e6509752984877c6dbfe501100c076671d334799eb5a1bfe9936cb2c12
+  languageName: node
+  linkType: hard
+
+"reselect@npm:^4.1.7":
+  version: 4.1.8
+  resolution: "reselect@npm:4.1.8"
+  checksum: a4ac87cedab198769a29be92bc221c32da76cfdad6911eda67b4d3e7136dca86208c3b210e31632eae31ebd2cded18596f0dd230d3ccc9e978df22f233b5583e
+  languageName: node
+  linkType: hard
+
+"resolve-dir@npm:^1.0.0, resolve-dir@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "resolve-dir@npm:1.0.1"
+  dependencies:
+    expand-tilde: ^2.0.0
+    global-modules: ^1.0.0
+  checksum: ef736b8ed60d6645c3b573da17d329bfb50ec4e1d6c5ffd6df49e3497acef9226f9810ea6823b8ece1560e01dcb13f77a9f6180d4f242d00cc9a8f4de909c65c
+  languageName: node
+  linkType: hard
+
+"resolve-from@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "resolve-from@npm:4.0.0"
+  checksum: f4ba0b8494846a5066328ad33ef8ac173801a51739eb4d63408c847da9a2e1c1de1e6cbbf72699211f3d13f8fc1325648b169bd15eb7da35688e30a5fb0e4a7f
+  languageName: node
+  linkType: hard
+
+"resolve-from@npm:^5.0.0":
+  version: 5.0.0
+  resolution: "resolve-from@npm:5.0.0"
+  checksum: 4ceeb9113e1b1372d0cd969f3468fa042daa1dd9527b1b6bb88acb6ab55d8b9cd65dbf18819f9f9ddf0db804990901dcdaade80a215e7b2c23daae38e64f5bdf
+  languageName: node
+  linkType: hard
+
+"resolve-package-path@npm:^1.0.11, resolve-package-path@npm:^1.2.2, resolve-package-path@npm:^1.2.6":
+  version: 1.2.7
+  resolution: "resolve-package-path@npm:1.2.7"
+  dependencies:
+    path-root: ^0.1.1
+    resolve: ^1.10.0
+  checksum: 554855963c8599ef7ce4c29629356891f36652834d0ba39555459009918474fa28bd75332139223e3fb297455f103ae0c880233fa51603c1bc1ba3e2e280b7ec
+  languageName: node
+  linkType: hard
+
+"resolve-package-path@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "resolve-package-path@npm:2.0.0"
+  dependencies:
+    path-root: ^0.1.1
+    resolve: ^1.13.1
+  checksum: 606fab28e752d863bdeef9cef1e67e92830d8e7e0f038f40fbff94f9808a57cb2a810bd70c387c5b438bee626c1753cd11a0d953a7fd28e9dba190910cd6783a
+  languageName: node
+  linkType: hard
+
+"resolve-package-path@npm:^3.1.0":
+  version: 3.1.0
+  resolution: "resolve-package-path@npm:3.1.0"
+  dependencies:
+    path-root: ^0.1.1
+    resolve: ^1.17.0
+  checksum: 9d1d170db3b01e5439bc0918344e7b539c4dece53f68ff2b6c13e3c941bb10c2553b7ea837fef8aee25ce3dd5f404d83eac91a5f5b651a42578bd2df5a301a7e
+  languageName: node
+  linkType: hard
+
+"resolve-package-path@npm:^4.0.1, resolve-package-path@npm:^4.0.3":
+  version: 4.0.3
+  resolution: "resolve-package-path@npm:4.0.3"
+  dependencies:
+    path-root: ^0.1.1
+  checksum: ac68180c66036c8d8b75a747592f7aeb5fd1efbbec10256b535f53e8bbc95e242145338d7d309cd665f509435662b530ece0afbc3a10a13ed2d4ce9d24905a20
+  languageName: node
+  linkType: hard
+
+"resolve-path@npm:^1.4.0":
+  version: 1.4.0
+  resolution: "resolve-path@npm:1.4.0"
+  dependencies:
+    http-errors: ~1.6.2
+    path-is-absolute: 1.0.1
+  checksum: 1a39f569ee54dd5f8ee8576ef8671c9724bea65d9f9982fbb5352af9fb4e500e1e459c1bfb1ae3ebfd8d43a709c3a01dfa4f46cf5b831e45e2caed4f1a208300
+  languageName: node
+  linkType: hard
+
+"resolve-url@npm:^0.2.1":
+  version: 0.2.1
+  resolution: "resolve-url@npm:0.2.1"
+  checksum: 7b7035b9ed6e7bc7d289e90aef1eab5a43834539695dac6416ca6e91f1a94132ae4796bbd173cdacfdc2ade90b5f38a3fb6186bebc1b221cd157777a23b9ad14
+  languageName: node
+  linkType: hard
+
+"resolve@npm:^1.1.7, resolve@npm:^1.22.1":
+  version: 1.22.3
+  resolution: "resolve@npm:1.22.3"
+  dependencies:
+    is-core-module: ^2.12.0
+    path-parse: ^1.0.7
+    supports-preserve-symlinks-flag: ^1.0.0
+  bin:
+    resolve: bin/resolve
+  checksum: fb834b81348428cb545ff1b828a72ea28feb5a97c026a1cf40aa1008352c72811ff4d4e71f2035273dc536dcfcae20c13604ba6283c612d70fa0b6e44519c374
+  languageName: node
+  linkType: hard
+
+"resolve@npm:^1.10.0, resolve@npm:^1.11.1, resolve@npm:^1.13.1, resolve@npm:^1.14.2, resolve@npm:^1.17.0, resolve@npm:^1.20.0, resolve@npm:^1.3.3, resolve@npm:^1.4.0, resolve@npm:^1.5.0, resolve@npm:^1.8.1":
+  version: 1.20.0
+  resolution: "resolve@npm:1.20.0"
+  dependencies:
+    is-core-module: ^2.2.0
+    path-parse: ^1.0.6
+  checksum: 40cf70b2cde00ef57f99daf2dc63c6a56d6c14a1b7fc51735d06a6f0a3b97cb67b4fb7ef6c747b4e13a7baba83b0ef625d7c4ce92a483cd5af923c3b65fd16fe
+  languageName: node
+  linkType: hard
+
+"resolve@npm:^1.22.0":
+  version: 1.22.0
+  resolution: "resolve@npm:1.22.0"
+  dependencies:
+    is-core-module: ^2.8.1
+    path-parse: ^1.0.7
+    supports-preserve-symlinks-flag: ^1.0.0
+  bin:
+    resolve: bin/resolve
+  checksum: a2d14cc437b3a23996f8c7367eee5c7cf8149c586b07ca2ae00e96581ce59455555a1190be9aa92154785cf9f2042646c200d0e00e0bbd2b8a995a93a0ed3e4e
+  languageName: node
+  linkType: hard
+
+"resolve@patch:resolve@^1.1.7#~builtin<compat/resolve>, resolve@patch:resolve@^1.22.1#~builtin<compat/resolve>":
+  version: 1.22.3
+  resolution: "resolve@patch:resolve@npm%3A1.22.3#~builtin<compat/resolve>::version=1.22.3&hash=c3c19d"
+  dependencies:
+    is-core-module: ^2.12.0
+    path-parse: ^1.0.7
+    supports-preserve-symlinks-flag: ^1.0.0
+  bin:
+    resolve: bin/resolve
+  checksum: ad59734723b596d0891321c951592ed9015a77ce84907f89c9d9307dd0c06e11a67906a3e628c4cae143d3e44898603478af0ddeb2bba3f229a9373efe342665
+  languageName: node
+  linkType: hard
+
+"resolve@patch:resolve@^1.10.0#~builtin<compat/resolve>, resolve@patch:resolve@^1.11.1#~builtin<compat/resolve>, resolve@patch:resolve@^1.13.1#~builtin<compat/resolve>, resolve@patch:resolve@^1.14.2#~builtin<compat/resolve>, resolve@patch:resolve@^1.17.0#~builtin<compat/resolve>, resolve@patch:resolve@^1.20.0#~builtin<compat/resolve>, resolve@patch:resolve@^1.3.3#~builtin<compat/resolve>, resolve@patch:resolve@^1.4.0#~builtin<compat/resolve>, resolve@patch:resolve@^1.5.0#~builtin<compat/resolve>, resolve@patch:resolve@^1.8.1#~builtin<compat/resolve>":
+  version: 1.20.0
+  resolution: "resolve@patch:resolve@npm%3A1.20.0#~builtin<compat/resolve>::version=1.20.0&hash=c3c19d"
+  dependencies:
+    is-core-module: ^2.2.0
+    path-parse: ^1.0.6
+  checksum: a0dd7d16a8e47af23afa9386df2dff10e3e0debb2c7299a42e581d9d9b04d7ad5d2c53f24f1e043f7b3c250cbdc71150063e53d0b6559683d37f790b7c8c3cd5
+  languageName: node
+  linkType: hard
+
+"resolve@patch:resolve@^1.22.0#~builtin<compat/resolve>":
+  version: 1.22.0
+  resolution: "resolve@patch:resolve@npm%3A1.22.0#~builtin<compat/resolve>::version=1.22.0&hash=c3c19d"
+  dependencies:
+    is-core-module: ^2.8.1
+    path-parse: ^1.0.7
+    supports-preserve-symlinks-flag: ^1.0.0
+  bin:
+    resolve: bin/resolve
+  checksum: c79ecaea36c872ee4a79e3db0d3d4160b593f2ca16e031d8283735acd01715a203607e9ded3f91f68899c2937fa0d49390cddbe0fb2852629212f3cda283f4a7
+  languageName: node
+  linkType: hard
+
+"restore-cursor@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "restore-cursor@npm:2.0.0"
+  dependencies:
+    onetime: ^2.0.0
+    signal-exit: ^3.0.2
+  checksum: 482e13d02d834b6e5e3aa90304a8b5e840775d6f06916cc92a50038adf9f098dcc72405b567da8a37e137ae40ad3e31896fa3136ae62f7a426c2fbf53d036536
+  languageName: node
+  linkType: hard
+
+"restore-cursor@npm:^3.1.0":
+  version: 3.1.0
+  resolution: "restore-cursor@npm:3.1.0"
+  dependencies:
+    onetime: ^5.1.0
+    signal-exit: ^3.0.2
+  checksum: f877dd8741796b909f2a82454ec111afb84eb45890eb49ac947d87991379406b3b83ff9673a46012fca0d7844bb989f45cc5b788254cf1a39b6b5a9659de0630
+  languageName: node
+  linkType: hard
+
+"ret@npm:~0.1.10":
+  version: 0.1.15
+  resolution: "ret@npm:0.1.15"
+  checksum: d76a9159eb8c946586567bd934358dfc08a36367b3257f7a3d7255fdd7b56597235af23c6afa0d7f0254159e8051f93c918809962ebd6df24ca2a83dbe4d4151
+  languageName: node
+  linkType: hard
+
+"retry@npm:^0.12.0":
+  version: 0.12.0
+  resolution: "retry@npm:0.12.0"
+  checksum: 623bd7d2e5119467ba66202d733ec3c2e2e26568074923bc0585b6b99db14f357e79bdedb63cab56cec47491c4a0da7e6021a7465ca6dc4f481d3898fdd3158c
+  languageName: node
+  linkType: hard
+
+"reusify@npm:^1.0.4":
+  version: 1.0.4
+  resolution: "reusify@npm:1.0.4"
+  checksum: c3076ebcc22a6bc252cb0b9c77561795256c22b757f40c0d8110b1300723f15ec0fc8685e8d4ea6d7666f36c79ccc793b1939c748bf36f18f542744a4e379fcc
+  languageName: node
+  linkType: hard
+
+"rimraf@npm:^2.2.8, rimraf@npm:^2.3.4, rimraf@npm:^2.4.3, rimraf@npm:^2.5.3, rimraf@npm:^2.5.4, rimraf@npm:^2.6.1, rimraf@npm:^2.6.2, rimraf@npm:^2.6.3":
+  version: 2.7.1
+  resolution: "rimraf@npm:2.7.1"
+  dependencies:
+    glob: ^7.1.3
+  bin:
+    rimraf: ./bin.js
+  checksum: cdc7f6eacb17927f2a075117a823e1c5951792c6498ebcce81ca8203454a811d4cf8900314154d3259bb8f0b42ab17f67396a8694a54cae3283326e57ad250cd
+  languageName: node
+  linkType: hard
+
+"rimraf@npm:^3.0.0, rimraf@npm:^3.0.1, rimraf@npm:^3.0.2":
+  version: 3.0.2
+  resolution: "rimraf@npm:3.0.2"
+  dependencies:
+    glob: ^7.1.3
+  bin:
+    rimraf: bin.js
+  checksum: 87f4164e396f0171b0a3386cc1877a817f572148ee13a7e113b238e48e8a9f2f31d009a92ec38a591ff1567d9662c6b67fd8818a2dbbaed74bc26a87a2a4a9a0
+  languageName: node
+  linkType: hard
+
+"rimraf@npm:~2.6.2":
+  version: 2.6.3
+  resolution: "rimraf@npm:2.6.3"
+  dependencies:
+    glob: ^7.1.3
+  bin:
+    rimraf: ./bin.js
+  checksum: 3ea587b981a19016297edb96d1ffe48af7e6af69660e3b371dbfc73722a73a0b0e9be5c88089fbeeb866c389c1098e07f64929c7414290504b855f54f901ab10
+  languageName: node
+  linkType: hard
+
+"ripemd160@npm:^2.0.0, ripemd160@npm:^2.0.1":
+  version: 2.0.2
+  resolution: "ripemd160@npm:2.0.2"
+  dependencies:
+    hash-base: ^3.0.0
+    inherits: ^2.0.1
+  checksum: 006accc40578ee2beae382757c4ce2908a826b27e2b079efdcd2959ee544ddf210b7b5d7d5e80467807604244e7388427330f5c6d4cd61e6edaddc5773ccc393
+  languageName: node
+  linkType: hard
+
+"rollup-pluginutils@npm:^2.0.1, rollup-pluginutils@npm:^2.6.0, rollup-pluginutils@npm:^2.8.1":
+  version: 2.8.2
+  resolution: "rollup-pluginutils@npm:2.8.2"
+  dependencies:
+    estree-walker: ^0.6.1
+  checksum: 339fdf866d8f4ff6e408fa274c0525412f7edb01dc46b5ccda51f575b7e0d20ad72965773376fb5db95a77a7fcfcab97bf841ec08dbadf5d6b08af02b7a2cf5e
+  languageName: node
+  linkType: hard
+
+"rollup@npm:^0.57.1":
+  version: 0.57.1
+  resolution: "rollup@npm:0.57.1"
+  dependencies:
+    "@types/acorn": ^4.0.3
+    acorn: ^5.5.3
+    acorn-dynamic-import: ^3.0.0
+    date-time: ^2.1.0
+    is-reference: ^1.1.0
+    locate-character: ^2.0.5
+    pretty-ms: ^3.1.0
+    require-relative: ^0.8.7
+    rollup-pluginutils: ^2.0.1
+    signal-exit: ^3.0.2
+    sourcemap-codec: ^1.4.1
+  bin:
+    rollup: ./bin/rollup
+  checksum: 602691dfa734baec73a1988f34287e802a5498555a7fbe607135de4489cdb6ec49eea5902a850a25b96bf3a862e8cadbbffbd6ddf9986663d3f5ce4a0cb38519
+  languageName: node
+  linkType: hard
+
+"rollup@npm:^1.12.0":
+  version: 1.32.1
+  resolution: "rollup@npm:1.32.1"
+  dependencies:
+    "@types/estree": "*"
+    "@types/node": "*"
+    acorn: ^7.1.0
+  bin:
+    rollup: dist/bin/rollup
+  checksum: 3a02731c20c71321fae647c9c9cab0febee0580c6af029fdcd5dd6f424b8c85119d92c8554c6837327fd323c2458e92d955bbebc90ca6bed87cc626695e7c31f
+  languageName: node
+  linkType: hard
+
+"rollup@npm:^2.50.0":
+  version: 2.70.1
+  resolution: "rollup@npm:2.70.1"
+  dependencies:
+    fsevents: ~2.3.2
+  dependenciesMeta:
+    fsevents:
+      optional: true
+  bin:
+    rollup: dist/bin/rollup
+  checksum: 06c62933e6e81a1c8c684d7d576e507081aabdb63cc0c91bca86b7348b66df03b77827068e4990b8b6c738bd3ef66dcc8c7ed7e0ea40b736068e7618f693133e
+  languageName: node
+  linkType: hard
+
+"route-recognizer@npm:^0.3.3":
+  version: 0.3.4
+  resolution: "route-recognizer@npm:0.3.4"
+  checksum: 9586704491b26716eba1bdbb4a386893ecaab80c6dbf34e394957063b941ebf336ca09222f0892c9d118c609fa9b972d6e73e454abd4382acdc34dbb878e87f2
+  languageName: node
+  linkType: hard
+
+"rsvp@npm:^3.0.14, rsvp@npm:^3.0.17, rsvp@npm:^3.0.18, rsvp@npm:^3.0.21, rsvp@npm:^3.0.6, rsvp@npm:^3.1.0":
+  version: 3.6.2
+  resolution: "rsvp@npm:3.6.2"
+  checksum: 08504ea7ab3dba0349ff820011a460da69de08edf7149ee672f4511310ee4bd3767bfa83b6db019fa99b144125e1e93e6fba122d75a702a005360393f4352864
+  languageName: node
+  linkType: hard
+
+"rsvp@npm:^4.7.0, rsvp@npm:^4.8.1, rsvp@npm:^4.8.2, rsvp@npm:^4.8.4, rsvp@npm:^4.8.5":
+  version: 4.8.5
+  resolution: "rsvp@npm:4.8.5"
+  checksum: 2d8ef30d8febdf05bdf856ccca38001ae3647e41835ca196bc1225333f79b94ae44def733121ca549ccc36209c9b689f6586905e2a043873262609744da8efc1
+  languageName: node
+  linkType: hard
+
+"rsvp@npm:~3.2.1":
+  version: 3.2.1
+  resolution: "rsvp@npm:3.2.1"
+  checksum: e2ac49cbe35b8c2701b07698066d7cd8004115b070f3352d45759dfcd820fa57e687230331ba41f5a40e1871789cbf122de6e73559598777a0b18b66953dc09b
+  languageName: node
+  linkType: hard
+
+"run-async@npm:^2.2.0, run-async@npm:^2.4.0":
+  version: 2.4.1
+  resolution: "run-async@npm:2.4.1"
+  checksum: a2c88aa15df176f091a2878eb840e68d0bdee319d8d97bbb89112223259cebecb94bc0defd735662b83c2f7a30bed8cddb7d1674eb48ae7322dc602b22d03797
+  languageName: node
+  linkType: hard
+
+"run-parallel@npm:^1.1.9":
+  version: 1.2.0
+  resolution: "run-parallel@npm:1.2.0"
+  dependencies:
+    queue-microtask: ^1.2.2
+  checksum: cb4f97ad25a75ebc11a8ef4e33bb962f8af8516bb2001082ceabd8902e15b98f4b84b4f8a9b222e5d57fc3bd1379c483886ed4619367a7680dad65316993021d
+  languageName: node
+  linkType: hard
+
+"run-queue@npm:^1.0.0, run-queue@npm:^1.0.3":
+  version: 1.0.3
+  resolution: "run-queue@npm:1.0.3"
+  dependencies:
+    aproba: ^1.1.1
+  checksum: c4541e18b5e056af60f398f2f1b3d89aae5c093d1524bf817c5ee68bcfa4851ad9976f457a9aea135b1d0d72ee9a91c386e3d136bcd95b699c367cd09c70be53
+  languageName: node
+  linkType: hard
+
+"rw@npm:1":
+  version: 1.3.3
+  resolution: "rw@npm:1.3.3"
+  checksum: c20d82421f5a71c86a13f76121b751553a99cd4a70ea27db86f9b23f33db941f3f06019c30f60d50c356d0bd674c8e74764ac146ea55e217c091bde6fba82aa3
+  languageName: node
+  linkType: hard
+
+"rxjs@npm:^6.4.0, rxjs@npm:^6.6.0, rxjs@npm:^6.6.7":
+  version: 6.6.7
+  resolution: "rxjs@npm:6.6.7"
+  dependencies:
+    tslib: ^1.9.0
+  checksum: bc334edef1bb8bbf56590b0b25734ba0deaf8825b703256a93714308ea36dff8a11d25533671adf8e104e5e8f256aa6fdfe39b2e248cdbd7a5f90c260acbbd1b
+  languageName: node
+  linkType: hard
+
+"rxjs@npm:^7.5.5":
+  version: 7.8.1
+  resolution: "rxjs@npm:7.8.1"
+  dependencies:
+    tslib: ^2.1.0
+  checksum: de4b53db1063e618ec2eca0f7965d9137cabe98cf6be9272efe6c86b47c17b987383df8574861bcced18ebd590764125a901d5506082be84a8b8e364bf05f119
+  languageName: node
+  linkType: hard
+
+"rxjs@npm:^7.5.6":
+  version: 7.5.7
+  resolution: "rxjs@npm:7.5.7"
+  dependencies:
+    tslib: ^2.1.0
+  checksum: edabcdb73b0f7e0f5f6e05c2077aff8c52222ac939069729704357d6406438acca831c24210db320aba269e86dbe1a400f3769c89101791885121a342fb15d9c
+  languageName: node
+  linkType: hard
+
+"safe-buffer@npm:5.1.2, safe-buffer@npm:~5.1.0, safe-buffer@npm:~5.1.1":
+  version: 5.1.2
+  resolution: "safe-buffer@npm:5.1.2"
+  checksum: f2f1f7943ca44a594893a852894055cf619c1fbcb611237fc39e461ae751187e7baf4dc391a72125e0ac4fb2d8c5c0b3c71529622e6a58f46b960211e704903c
+  languageName: node
+  linkType: hard
+
+"safe-buffer@npm:5.2.1, safe-buffer@npm:>=5.1.0, safe-buffer@npm:^5.0.1, safe-buffer@npm:^5.1.0, safe-buffer@npm:^5.1.1, safe-buffer@npm:^5.1.2, safe-buffer@npm:^5.2.0, safe-buffer@npm:~5.2.0":
+  version: 5.2.1
+  resolution: "safe-buffer@npm:5.2.1"
+  checksum: b99c4b41fdd67a6aaf280fcd05e9ffb0813654894223afb78a31f14a19ad220bba8aba1cb14eddce1fcfb037155fe6de4e861784eb434f7d11ed58d1e70dd491
+  languageName: node
+  linkType: hard
+
+"safe-identifier@npm:^0.4.1":
+  version: 0.4.2
+  resolution: "safe-identifier@npm:0.4.2"
+  checksum: 67e28ed89a74cf20b827419003d3cb60a0ebaec0771c2c818f4b2239bf4f96e01ad90aa8db6dc57ee90c0c438b6f46323e4b5a3d955d18d8c4e158ea035cabdd
+  languageName: node
+  linkType: hard
+
+"safe-json-parse@npm:~1.0.1":
+  version: 1.0.1
+  resolution: "safe-json-parse@npm:1.0.1"
+  checksum: aea585d967fb373903aae99e6e31157a68ebebdc9d0011bc86732b6c700994768349e30d4fb6dfdc346106004a85104187d0b48964fe1caff90b0886df5827eb
+  languageName: node
+  linkType: hard
+
+"safe-regex-test@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "safe-regex-test@npm:1.0.0"
+  dependencies:
+    call-bind: ^1.0.2
+    get-intrinsic: ^1.1.3
+    is-regex: ^1.1.4
+  checksum: bc566d8beb8b43c01b94e67de3f070fd2781685e835959bbbaaec91cc53381145ca91f69bd837ce6ec244817afa0a5e974fc4e40a2957f0aca68ac3add1ddd34
+  languageName: node
+  linkType: hard
+
+"safe-regex@npm:^1.1.0":
+  version: 1.1.0
+  resolution: "safe-regex@npm:1.1.0"
+  dependencies:
+    ret: ~0.1.10
+  checksum: 9a8bba57c87a841f7997b3b951e8e403b1128c1a4fd1182f40cc1a20e2d490593d7c2a21030fadfea320c8e859219019e136f678c6689ed5960b391b822f01d5
+  languageName: node
+  linkType: hard
+
+"safe-stable-stringify@npm:^2.2.0":
+  version: 2.4.0
+  resolution: "safe-stable-stringify@npm:2.4.0"
+  checksum: 5c9e4b2b2423470becafe232244948e7ce9545baaa65d67965e8c36536c93d2f7b4c1ddeb4bba8a912d0325e02c7691f24dd4de6935a9c1221402c17582ae1c1
+  languageName: node
+  linkType: hard
+
+"safe-stable-stringify@npm:^2.4.2":
+  version: 2.4.3
+  resolution: "safe-stable-stringify@npm:2.4.3"
+  checksum: 3aeb64449706ee1f5ad2459fc99648b131d48e7a1fbb608d7c628020177512dc9d94108a5cb61bbc953985d313d0afea6566d243237743e02870490afef04b43
+  languageName: node
+  linkType: hard
+
+"safer-buffer@npm:>= 2.1.2 < 3, safer-buffer@npm:>= 2.1.2 < 3.0.0, safer-buffer@npm:^2.0.2, safer-buffer@npm:^2.1.0, safer-buffer@npm:~2.1.0":
+  version: 2.1.2
+  resolution: "safer-buffer@npm:2.1.2"
+  checksum: cab8f25ae6f1434abee8d80023d7e72b598cf1327164ddab31003c51215526801e40b66c5e65d658a0af1e9d6478cadcb4c745f4bd6751f97d8644786c0978b0
+  languageName: node
+  linkType: hard
+
+"sane@npm:^4.0.0":
+  version: 4.1.0
+  resolution: "sane@npm:4.1.0"
+  dependencies:
+    "@cnakazawa/watch": ^1.0.3
+    anymatch: ^2.0.0
+    capture-exit: ^2.0.0
+    exec-sh: ^0.3.2
+    execa: ^1.0.0
+    fb-watchman: ^2.0.0
+    micromatch: ^3.1.4
+    minimist: ^1.1.1
+    walker: ~1.0.5
+  bin:
+    sane: ./src/cli.js
+  checksum: 97716502d456c0d38670a902a4ea943d196dcdf998d1e40532d8f3e24e25d7eddfd4c3579025a1eee8eac09a48dfd05fba61a2156c56704e7feaa450eb249f7c
+  languageName: node
+  linkType: hard
+
+"sane@npm:^5.0.1":
+  version: 5.0.1
+  resolution: "sane@npm:5.0.1"
+  dependencies:
+    "@cnakazawa/watch": ^1.0.3
+    anymatch: ^3.1.1
+    capture-exit: ^2.0.0
+    exec-sh: ^0.3.4
+    execa: ^4.0.0
+    fb-watchman: ^2.0.1
+    micromatch: ^4.0.2
+    minimist: ^1.1.1
+    walker: ~1.0.5
+  bin:
+    sane: src/cli.js
+  checksum: 137c419e28dea9f8fc31c1817012d335d511dd8d5a1527f87742b7a4e904e009f62d52fab933d565c10c2fcf6113aa5c30a99d2eb651b63e835ea73de6267615
+  languageName: node
+  linkType: hard
+
+"sass-svg-uri@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "sass-svg-uri@npm:1.0.0"
+  checksum: 75a2af6cc4ac44c262309f51c290a1a5120ab5cd45cabafd0faabd9ad3bb6898417d3993fdfdf65efbf0ff9878d105d2bb8e1502db29f13c41974fb4adaa3f1a
+  languageName: node
+  linkType: hard
+
+"sass@npm:^1.58.3":
+  version: 1.58.3
+  resolution: "sass@npm:1.58.3"
+  dependencies:
+    chokidar: ">=3.0.0 <4.0.0"
+    immutable: ^4.0.0
+    source-map-js: ">=0.6.2 <2.0.0"
+  bin:
+    sass: sass.js
+  checksum: 35a2b98c037ef80fdc93c9b0be846e6ccc7d75596351a37ee79c397e66666d0a754c52c4696e746c0aff32327471e185343ca349e998a58340411adc9d0489a5
+  languageName: node
+  linkType: hard
+
+"sass@npm:^1.69.5":
+  version: 1.69.5
+  resolution: "sass@npm:1.69.5"
+  dependencies:
+    chokidar: ">=3.0.0 <4.0.0"
+    immutable: ^4.0.0
+    source-map-js: ">=0.6.2 <2.0.0"
+  bin:
+    sass: sass.js
+  checksum: c66f4f02882e7aa7aa49703824dadbb5a174dcd05e3cd96f17f73687889aab6027d078b518e2c04b594dfd89b2f574824bf935c7aee46c770aa6be9aafcc49f2
+  languageName: node
+  linkType: hard
+
+"sax@npm:~1.2.4":
+  version: 1.2.4
+  resolution: "sax@npm:1.2.4"
+  checksum: d3df7d32b897a2c2f28e941f732c71ba90e27c24f62ee918bd4d9a8cfb3553f2f81e5493c7f0be94a11c1911b643a9108f231dd6f60df3fa9586b5d2e3e9e1fe
+  languageName: node
+  linkType: hard
+
+"saxes@npm:^5.0.1":
+  version: 5.0.1
+  resolution: "saxes@npm:5.0.1"
+  dependencies:
+    xmlchars: ^2.2.0
+  checksum: 5636b55cf15f7cf0baa73f2797bf992bdcf75d1b39d82c0aa4608555c774368f6ac321cb641fd5f3d3ceb87805122cd47540da6a7b5960fe0dbdb8f8c263f000
+  languageName: node
+  linkType: hard
+
+"schema-utils@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "schema-utils@npm:1.0.0"
+  dependencies:
+    ajv: ^6.1.0
+    ajv-errors: ^1.0.0
+    ajv-keywords: ^3.1.0
+  checksum: e8273b4f6eff9ddf4a4f4c11daf7b96b900237bf8859c86fa1e9b4fab416b72d7ea92468f8db89c18a3499a1070206e1c8a750c83b42d5325fc659cbb55eee88
+  languageName: node
+  linkType: hard
+
+"schema-utils@npm:^2.6.5":
+  version: 2.7.1
+  resolution: "schema-utils@npm:2.7.1"
+  dependencies:
+    "@types/json-schema": ^7.0.5
+    ajv: ^6.12.4
+    ajv-keywords: ^3.5.2
+  checksum: 32c62fc9e28edd101e1bd83453a4216eb9bd875cc4d3775e4452b541908fa8f61a7bbac8ffde57484f01d7096279d3ba0337078e85a918ecbeb72872fb09fb2b
+  languageName: node
+  linkType: hard
+
+"schema-utils@npm:^3.0.0, schema-utils@npm:^3.1.0, schema-utils@npm:^3.1.1":
+  version: 3.1.1
+  resolution: "schema-utils@npm:3.1.1"
+  dependencies:
+    "@types/json-schema": ^7.0.8
+    ajv: ^6.12.5
+    ajv-keywords: ^3.5.2
+  checksum: fb73f3d759d43ba033c877628fe9751620a26879f6301d3dbeeb48cf2a65baec5cdf99da65d1bf3b4ff5444b2e59cbe4f81c2456b5e0d2ba7d7fd4aed5da29ce
+  languageName: node
+  linkType: hard
+
+"schema-utils@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "schema-utils@npm:4.0.0"
+  dependencies:
+    "@types/json-schema": ^7.0.9
+    ajv: ^8.8.0
+    ajv-formats: ^2.1.1
+    ajv-keywords: ^5.0.0
+  checksum: c843e92fdd1a5c145dbb6ffdae33e501867f9703afac67bdf35a685e49f85b1dcc10ea250033175a64bd9d31f0555bc6785b8359da0c90bcea30cf6dfbb55a8f
+  languageName: node
+  linkType: hard
+
+"semver-compare@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "semver-compare@npm:1.0.0"
+  checksum: dd1d7e2909744cf2cf71864ac718efc990297f9de2913b68e41a214319e70174b1d1793ac16e31183b128c2b9812541300cb324db8168e6cf6b570703b171c68
+  languageName: node
+  linkType: hard
+
+"semver@npm:2 || 3 || 4 || 5":
+  version: 5.7.2
+  resolution: "semver@npm:5.7.2"
+  bin:
+    semver: bin/semver
+  checksum: fb4ab5e0dd1c22ce0c937ea390b4a822147a9c53dbd2a9a0132f12fe382902beef4fbf12cf51bb955248d8d15874ce8cd89532569756384f994309825f10b686
+  languageName: node
+  linkType: hard
+
+"semver@npm:7.0.0":
+  version: 7.0.0
+  resolution: "semver@npm:7.0.0"
+  bin:
+    semver: bin/semver.js
+  checksum: 272c11bf8d083274ef79fe40a81c55c184dff84dd58e3c325299d0927ba48cece1f020793d138382b85f89bab5002a35a5ba59a3a68a7eebbb597eb733838778
+  languageName: node
+  linkType: hard
+
+"semver@npm:7.3.5, semver@npm:^7.3.2, semver@npm:^7.3.4, semver@npm:^7.3.5":
+  version: 7.3.5
+  resolution: "semver@npm:7.3.5"
+  dependencies:
+    lru-cache: ^6.0.0
+  bin:
+    semver: bin/semver.js
+  checksum: 5eafe6102bea2a7439897c1856362e31cc348ccf96efd455c8b5bc2c61e6f7e7b8250dc26b8828c1d76a56f818a7ee907a36ae9fb37a599d3d24609207001d60
+  languageName: node
+  linkType: hard
+
+"semver@npm:^5.3.0, semver@npm:^5.4.1, semver@npm:^5.5.0, semver@npm:^5.6.0":
+  version: 5.7.1
+  resolution: "semver@npm:5.7.1"
+  bin:
+    semver: ./bin/semver
+  checksum: 57fd0acfd0bac382ee87cd52cd0aaa5af086a7dc8d60379dfe65fea491fb2489b6016400813930ecd61fd0952dae75c115287a1b16c234b1550887117744dfaf
+  languageName: node
+  linkType: hard
+
+"semver@npm:^6.0.0, semver@npm:^6.1.1, semver@npm:^6.1.2, semver@npm:^6.3.0":
+  version: 6.3.0
+  resolution: "semver@npm:6.3.0"
+  bin:
+    semver: ./bin/semver.js
+  checksum: 1b26ecf6db9e8292dd90df4e781d91875c0dcc1b1909e70f5d12959a23c7eebb8f01ea581c00783bbee72ceeaad9505797c381756326073850dc36ed284b21b9
+  languageName: node
+  linkType: hard
+
+"semver@npm:^6.3.1":
+  version: 6.3.1
+  resolution: "semver@npm:6.3.1"
+  bin:
+    semver: bin/semver.js
+  checksum: ae47d06de28836adb9d3e25f22a92943477371292d9b665fb023fae278d345d508ca1958232af086d85e0155aee22e313e100971898bbb8d5d89b8b1d4054ca2
+  languageName: node
+  linkType: hard
+
+"semver@npm:^7.0.0":
+  version: 7.5.1
+  resolution: "semver@npm:7.5.1"
+  dependencies:
+    lru-cache: ^6.0.0
+  bin:
+    semver: bin/semver.js
+  checksum: d16dbedad53c65b086f79524b9ef766bf38670b2395bdad5c957f824dcc566b624988013564f4812bcace3f9d405355c3635e2007396a39d1bffc71cfec4a2fc
+  languageName: node
+  linkType: hard
+
+"semver@npm:^7.3.7":
+  version: 7.3.7
+  resolution: "semver@npm:7.3.7"
+  dependencies:
+    lru-cache: ^6.0.0
+  bin:
+    semver: bin/semver.js
+  checksum: 2fa3e877568cd6ce769c75c211beaed1f9fce80b28338cadd9d0b6c40f2e2862bafd62c19a6cff42f3d54292b7c623277bcab8816a2b5521cf15210d43e75232
+  languageName: node
+  linkType: hard
+
+"semver@npm:^7.3.8":
+  version: 7.3.8
+  resolution: "semver@npm:7.3.8"
+  dependencies:
+    lru-cache: ^6.0.0
+  bin:
+    semver: bin/semver.js
+  checksum: ba9c7cbbf2b7884696523450a61fee1a09930d888b7a8d7579025ad93d459b2d1949ee5bbfeb188b2be5f4ac163544c5e98491ad6152df34154feebc2cc337c1
+  languageName: node
+  linkType: hard
+
+"send@npm:0.17.1":
+  version: 0.17.1
+  resolution: "send@npm:0.17.1"
+  dependencies:
+    debug: 2.6.9
+    depd: ~1.1.2
+    destroy: ~1.0.4
+    encodeurl: ~1.0.2
+    escape-html: ~1.0.3
+    etag: ~1.8.1
+    fresh: 0.5.2
+    http-errors: ~1.7.2
+    mime: 1.6.0
+    ms: 2.1.1
+    on-finished: ~2.3.0
+    range-parser: ~1.2.1
+    statuses: ~1.5.0
+  checksum: d214c2fa42e7fae3f8fc1aa3931eeb3e6b78c2cf141574e09dbe159915c1e3a337269fc6b7512e7dfddcd7d6ff5974cb62f7c3637ba86a55bde20a92c18bdca0
+  languageName: node
+  linkType: hard
+
+"send@npm:0.18.0":
+  version: 0.18.0
+  resolution: "send@npm:0.18.0"
+  dependencies:
+    debug: 2.6.9
+    depd: 2.0.0
+    destroy: 1.2.0
+    encodeurl: ~1.0.2
+    escape-html: ~1.0.3
+    etag: ~1.8.1
+    fresh: 0.5.2
+    http-errors: 2.0.0
+    mime: 1.6.0
+    ms: 2.1.3
+    on-finished: 2.4.1
+    range-parser: ~1.2.1
+    statuses: 2.0.1
+  checksum: 74fc07ebb58566b87b078ec63e5a3e41ecd987e4272ba67b7467e86c6ad51bc6b0b0154133b6d8b08a2ddda360464f71382f7ef864700f34844a76c8027817a8
+  languageName: node
+  linkType: hard
+
+"serialize-javascript@npm:^3.1.0":
+  version: 3.1.0
+  resolution: "serialize-javascript@npm:3.1.0"
+  dependencies:
+    randombytes: ^2.1.0
+  checksum: 0fc0131a78168d6237cfe1b21564f20a3b9b72e8ceebb21935baacf026631ed636912c20c7e9fa721a8f27a247e6f9849e705f27032d19863333c2cfab16d1c9
+  languageName: node
+  linkType: hard
+
+"serve-static@npm:1.14.1":
+  version: 1.14.1
+  resolution: "serve-static@npm:1.14.1"
+  dependencies:
+    encodeurl: ~1.0.2
+    escape-html: ~1.0.3
+    parseurl: ~1.3.3
+    send: 0.17.1
+  checksum: c6b268e8486d39ecd54b86c7f2d0ee4a38cd7514ddd9c92c8d5793bb005afde5e908b12395898ae206782306ccc848193d93daa15b86afb3cbe5a8414806abe8
+  languageName: node
+  linkType: hard
+
+"serve-static@npm:1.15.0":
+  version: 1.15.0
+  resolution: "serve-static@npm:1.15.0"
+  dependencies:
+    encodeurl: ~1.0.2
+    escape-html: ~1.0.3
+    parseurl: ~1.3.3
+    send: 0.18.0
+  checksum: af57fc13be40d90a12562e98c0b7855cf6e8bd4c107fe9a45c212bf023058d54a1871b1c89511c3958f70626fff47faeb795f5d83f8cf88514dbaeb2b724464d
+  languageName: node
+  linkType: hard
+
+"set-blocking@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "set-blocking@npm:2.0.0"
+  checksum: 6e65a05f7cf7ebdf8b7c75b101e18c0b7e3dff4940d480efed8aad3a36a4005140b660fa1d804cb8bce911cac290441dc728084a30504d3516ac2ff7ad607b02
+  languageName: node
+  linkType: hard
+
+"set-value@npm:^2.0.0, set-value@npm:^2.0.1":
+  version: 2.0.1
+  resolution: "set-value@npm:2.0.1"
+  dependencies:
+    extend-shallow: ^2.0.1
+    is-extendable: ^0.1.1
+    is-plain-object: ^2.0.3
+    split-string: ^3.0.1
+  checksum: 09a4bc72c94641aeae950eb60dc2755943b863780fcc32e441eda964b64df5e3f50603d5ebdd33394ede722528bd55ed43aae26e9df469b4d32e2292b427b601
+  languageName: node
+  linkType: hard
+
+"setimmediate@npm:^1.0.4":
+  version: 1.0.5
+  resolution: "setimmediate@npm:1.0.5"
+  checksum: c9a6f2c5b51a2dabdc0247db9c46460152ffc62ee139f3157440bd48e7c59425093f42719ac1d7931f054f153e2d26cf37dfeb8da17a794a58198a2705e527fd
+  languageName: node
+  linkType: hard
+
+"setprototypeof@npm:1.1.0":
+  version: 1.1.0
+  resolution: "setprototypeof@npm:1.1.0"
+  checksum: 27cb44304d6c9e1a23bc6c706af4acaae1a7aa1054d4ec13c05f01a99fd4887109a83a8042b67ad90dbfcd100d43efc171ee036eb080667172079213242ca36e
+  languageName: node
+  linkType: hard
+
+"setprototypeof@npm:1.1.1":
+  version: 1.1.1
+  resolution: "setprototypeof@npm:1.1.1"
+  checksum: a8bee29c1c64c245d460ce53f7460af8cbd0aceac68d66e5215153992cc8b3a7a123416353e0c642060e85cc5fd4241c92d1190eec97eda0dcb97436e8fcca3b
+  languageName: node
+  linkType: hard
+
+"setprototypeof@npm:1.2.0":
+  version: 1.2.0
+  resolution: "setprototypeof@npm:1.2.0"
+  checksum: be18cbbf70e7d8097c97f713a2e76edf84e87299b40d085c6bf8b65314e994cc15e2e317727342fa6996e38e1f52c59720b53fe621e2eb593a6847bf0356db89
+  languageName: node
+  linkType: hard
+
+"sha.js@npm:^2.4.0, sha.js@npm:^2.4.8":
+  version: 2.4.11
+  resolution: "sha.js@npm:2.4.11"
+  dependencies:
+    inherits: ^2.0.1
+    safe-buffer: ^5.0.1
+  bin:
+    sha.js: ./bin.js
+  checksum: ebd3f59d4b799000699097dadb831c8e3da3eb579144fd7eb7a19484cbcbb7aca3c68ba2bb362242eb09e33217de3b4ea56e4678184c334323eca24a58e3ad07
+  languageName: node
+  linkType: hard
+
+"shebang-command@npm:^1.2.0":
+  version: 1.2.0
+  resolution: "shebang-command@npm:1.2.0"
+  dependencies:
+    shebang-regex: ^1.0.0
+  checksum: 9eed1750301e622961ba5d588af2212505e96770ec376a37ab678f965795e995ade7ed44910f5d3d3cb5e10165a1847f52d3348c64e146b8be922f7707958908
+  languageName: node
+  linkType: hard
+
+"shebang-command@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "shebang-command@npm:2.0.0"
+  dependencies:
+    shebang-regex: ^3.0.0
+  checksum: 6b52fe87271c12968f6a054e60f6bde5f0f3d2db483a1e5c3e12d657c488a15474121a1d55cd958f6df026a54374ec38a4a963988c213b7570e1d51575cea7fa
+  languageName: node
+  linkType: hard
+
+"shebang-regex@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "shebang-regex@npm:1.0.0"
+  checksum: 404c5a752cd40f94591dfd9346da40a735a05139dac890ffc229afba610854d8799aaa52f87f7e0c94c5007f2c6af55bdcaeb584b56691926c5eaf41dc8f1372
+  languageName: node
+  linkType: hard
+
+"shebang-regex@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "shebang-regex@npm:3.0.0"
+  checksum: 1a2bcae50de99034fcd92ad4212d8e01eedf52c7ec7830eedcf886622804fe36884278f2be8be0ea5fde3fd1c23911643a4e0f726c8685b61871c8908af01222
+  languageName: node
+  linkType: hard
+
+"shell-quote@npm:^1.6.1":
+  version: 1.7.2
+  resolution: "shell-quote@npm:1.7.2"
+  checksum: efad426fb25d8a54d06363f1f45774aa9e195f62f14fa696d542b44bfe418ab41206448b63af18d726c62e099e66d9a3f4f44858b9ea2ce4b794b41b802672d1
+  languageName: node
+  linkType: hard
+
+"shell-quote@npm:^1.8.1":
+  version: 1.8.1
+  resolution: "shell-quote@npm:1.8.1"
+  checksum: 5f01201f4ef504d4c6a9d0d283fa17075f6770bfbe4c5850b074974c68062f37929ca61700d95ad2ac8822e14e8c4b990ca0e6e9272e64befd74ce5e19f0736b
+  languageName: node
+  linkType: hard
+
+"shellwords@npm:^0.1.1":
+  version: 0.1.1
+  resolution: "shellwords@npm:0.1.1"
+  checksum: 8d73a5e9861f5e5f1068e2cfc39bc0002400fe58558ab5e5fa75630d2c3adf44ca1fac81957609c8320d5533e093802fcafc72904bf1a32b95de3c19a0b1c0d4
+  languageName: node
+  linkType: hard
+
+"side-channel@npm:^1.0.4":
+  version: 1.0.4
+  resolution: "side-channel@npm:1.0.4"
+  dependencies:
+    call-bind: ^1.0.0
+    get-intrinsic: ^1.0.2
+    object-inspect: ^1.9.0
+  checksum: 351e41b947079c10bd0858364f32bb3a7379514c399edb64ab3dce683933483fc63fb5e4efe0a15a2e8a7e3c436b6a91736ddb8d8c6591b0460a24bb4a1ee245
+  languageName: node
+  linkType: hard
+
+"signal-exit@npm:^3.0.0, signal-exit@npm:^3.0.2":
+  version: 3.0.6
+  resolution: "signal-exit@npm:3.0.6"
+  checksum: b819ac81ba757af559dad0804233ae31bf6f054591cd8a671e9cbcf09f21c72ec3076fe87d1e04861f5b33b47d63f0694b568de99c99cd733ee2060515beb6d5
+  languageName: node
+  linkType: hard
+
+"signal-exit@npm:^3.0.3, signal-exit@npm:^3.0.7":
+  version: 3.0.7
+  resolution: "signal-exit@npm:3.0.7"
+  checksum: a2f098f247adc367dffc27845853e9959b9e88b01cb301658cfe4194352d8d2bb32e18467c786a7fe15f1d44b233ea35633d076d5e737870b7139949d1ab6318
+  languageName: node
+  linkType: hard
+
+"signal-exit@npm:^4.0.1":
+  version: 4.0.2
+  resolution: "signal-exit@npm:4.0.2"
+  checksum: 41f5928431cc6e91087bf0343db786a6313dd7c6fd7e551dbc141c95bb5fb26663444fd9df8ea47c5d7fc202f60aa7468c3162a9365cbb0615fc5e1b1328fe31
+  languageName: node
+  linkType: hard
+
+"silent-error@npm:^1.0.0, silent-error@npm:^1.0.1, silent-error@npm:^1.1.0, silent-error@npm:^1.1.1":
+  version: 1.1.1
+  resolution: "silent-error@npm:1.1.1"
+  dependencies:
+    debug: ^2.2.0
+  checksum: 4b35a081351acf5610bca231f8788fde72de17e0ab35b6d54a3090dac16ecec56becdbc619da756eee84b134f2030f806a105c70f8fcc6544738654b8aceefd7
+  languageName: node
+  linkType: hard
+
+"simple-html-tokenizer@npm:^0.5.11, simple-html-tokenizer@npm:^0.5.8":
+  version: 0.5.11
+  resolution: "simple-html-tokenizer@npm:0.5.11"
+  checksum: f834a5a0b169ffe10f74bd479a071a7161e0186669e28a1cd662efacdaedd27667469e2b965d5a8538d9d8e7373cb741ea8d748259221f40fa3e4bda2efbdbfc
+  languageName: node
+  linkType: hard
+
+"sinon@npm:^7.4.2":
+  version: 7.5.0
+  resolution: "sinon@npm:7.5.0"
+  dependencies:
+    "@sinonjs/commons": ^1.4.0
+    "@sinonjs/formatio": ^3.2.1
+    "@sinonjs/samsam": ^3.3.3
+    diff: ^3.5.0
+    lolex: ^4.2.0
+    nise: ^1.5.2
+    supports-color: ^5.5.0
+  checksum: e8cf6b3dd16e9c1ed1a2b9560c396a2d6205a4f32293b1762cb6ebb8f88cfa47db6aba45b0c1709ec396efb41d171d88c9b1ab8f32f35512eb9e5d0d0d15d307
+  languageName: node
+  linkType: hard
+
+"slash@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "slash@npm:1.0.0"
+  checksum: 4b6e21b1fba6184a7e2efb1dd173f692d8a845584c1bbf9dc818ff86f5a52fc91b413008223d17cc684604ee8bb9263a420b1182027ad9762e35388434918860
+  languageName: node
+  linkType: hard
+
+"slash@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "slash@npm:3.0.0"
+  checksum: 94a93fff615f25a999ad4b83c9d5e257a7280c90a32a7cb8b4a87996e4babf322e469c42b7f649fd5796edd8687652f3fb452a86dc97a816f01113183393f11c
+  languageName: node
+  linkType: hard
+
+"slash@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "slash@npm:4.0.0"
+  checksum: da8e4af73712253acd21b7853b7e0dbba776b786e82b010a5bfc8b5051a1db38ed8aba8e1e8f400dd2c9f373be91eb1c42b66e91abb407ff42b10feece5e1d2d
+  languageName: node
+  linkType: hard
+
+"slice-ansi@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "slice-ansi@npm:3.0.0"
+  dependencies:
+    ansi-styles: ^4.0.0
+    astral-regex: ^2.0.0
+    is-fullwidth-code-point: ^3.0.0
+  checksum: 5ec6d022d12e016347e9e3e98a7eb2a592213a43a65f1b61b74d2c78288da0aded781f665807a9f3876b9daa9ad94f64f77d7633a0458876c3a4fdc4eb223f24
+  languageName: node
+  linkType: hard
+
+"slice-ansi@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "slice-ansi@npm:4.0.0"
+  dependencies:
+    ansi-styles: ^4.0.0
+    astral-regex: ^2.0.0
+    is-fullwidth-code-point: ^3.0.0
+  checksum: 4a82d7f085b0e1b070e004941ada3c40d3818563ac44766cca4ceadd2080427d337554f9f99a13aaeb3b4a94d9964d9466c807b3d7b7541d1ec37ee32d308756
+  languageName: node
+  linkType: hard
+
+"smart-buffer@npm:^4.2.0":
+  version: 4.2.0
+  resolution: "smart-buffer@npm:4.2.0"
+  checksum: b5167a7142c1da704c0e3af85c402002b597081dd9575031a90b4f229ca5678e9a36e8a374f1814c8156a725d17008ae3bde63b92f9cfd132526379e580bec8b
+  languageName: node
+  linkType: hard
+
+"snake-case@npm:^3.0.3":
+  version: 3.0.4
+  resolution: "snake-case@npm:3.0.4"
+  dependencies:
+    dot-case: ^3.0.4
+    tslib: ^2.0.3
+  checksum: 0a7a79900bbb36f8aaa922cf111702a3647ac6165736d5dc96d3ef367efc50465cac70c53cd172c382b022dac72ec91710608e5393de71f76d7142e6fd80e8a3
+  languageName: node
+  linkType: hard
+
+"snapdragon-node@npm:^2.0.1":
+  version: 2.1.1
+  resolution: "snapdragon-node@npm:2.1.1"
+  dependencies:
+    define-property: ^1.0.0
+    isobject: ^3.0.0
+    snapdragon-util: ^3.0.1
+  checksum: 9bb57d759f9e2a27935dbab0e4a790137adebace832b393e350a8bf5db461ee9206bb642d4fe47568ee0b44080479c8b4a9ad0ebe3712422d77edf9992a672fd
+  languageName: node
+  linkType: hard
+
+"snapdragon-util@npm:^3.0.1":
+  version: 3.0.1
+  resolution: "snapdragon-util@npm:3.0.1"
+  dependencies:
+    kind-of: ^3.2.0
+  checksum: 684997dbe37ec995c03fd3f412fba2b711fc34cb4010452b7eb668be72e8811a86a12938b511e8b19baf853b325178c56d8b78d655305e5cfb0bb8b21677e7b7
+  languageName: node
+  linkType: hard
+
+"snapdragon@npm:^0.8.1":
+  version: 0.8.2
+  resolution: "snapdragon@npm:0.8.2"
+  dependencies:
+    base: ^0.11.1
+    debug: ^2.2.0
+    define-property: ^0.2.5
+    extend-shallow: ^2.0.1
+    map-cache: ^0.2.2
+    source-map: ^0.5.6
+    source-map-resolve: ^0.5.0
+    use: ^3.1.0
+  checksum: a197f242a8f48b11036563065b2487e9b7068f50a20dd81d9161eca6af422174fc158b8beeadbe59ce5ef172aa5718143312b3aebaae551c124b7824387c8312
+  languageName: node
+  linkType: hard
+
+"socket.io-adapter@npm:~2.4.0":
+  version: 2.4.0
+  resolution: "socket.io-adapter@npm:2.4.0"
+  checksum: a84639946dce13547b95f6e09fe167cdcd5d80941afc2e46790cc23384e0fd3c901e690ecc9bdd600939ce6292261ee15094a0b486f797ed621cfc8783d87a0c
+  languageName: node
+  linkType: hard
+
+"socket.io-parser@npm:~4.2.0":
+  version: 4.2.1
+  resolution: "socket.io-parser@npm:4.2.1"
+  dependencies:
+    "@socket.io/component-emitter": ~3.1.0
+    debug: ~4.3.1
+  checksum: 2582202f22538d7e6b4436991378cb4cea3b2f8219cda24923ae35afd291ab5ad6120e7d093e41738256b6c6ad10c667dd25753c2d9a2340fead04e9286f152d
+  languageName: node
+  linkType: hard
+
+"socket.io@npm:^4.1.2":
+  version: 4.5.2
+  resolution: "socket.io@npm:4.5.2"
+  dependencies:
+    accepts: ~1.3.4
+    base64id: ~2.0.0
+    debug: ~4.3.2
+    engine.io: ~6.2.0
+    socket.io-adapter: ~2.4.0
+    socket.io-parser: ~4.2.0
+  checksum: 8527dd78fa3cf483a2cf0f09f64c4591186931b6765e5d8456dd3022b8786407952e3b931a83a86513c9f56852442e12f3497c761a113113e32b0c867c5ad5a7
+  languageName: node
+  linkType: hard
+
+"socks-proxy-agent@npm:^7.0.0":
+  version: 7.0.0
+  resolution: "socks-proxy-agent@npm:7.0.0"
+  dependencies:
+    agent-base: ^6.0.2
+    debug: ^4.3.3
+    socks: ^2.6.2
+  checksum: 720554370154cbc979e2e9ce6a6ec6ced205d02757d8f5d93fe95adae454fc187a5cbfc6b022afab850a5ce9b4c7d73e0f98e381879cf45f66317a4895953846
+  languageName: node
+  linkType: hard
+
+"socks@npm:^2.6.2":
+  version: 2.7.1
+  resolution: "socks@npm:2.7.1"
+  dependencies:
+    ip: ^2.0.0
+    smart-buffer: ^4.2.0
+  checksum: 259d9e3e8e1c9809a7f5c32238c3d4d2a36b39b83851d0f573bfde5f21c4b1288417ce1af06af1452569cd1eb0841169afd4998f0e04ba04656f6b7f0e46d748
+  languageName: node
+  linkType: hard
+
+"sort-object-keys@npm:^1.1.3":
+  version: 1.1.3
+  resolution: "sort-object-keys@npm:1.1.3"
+  checksum: abea944d6722a1710a1aa6e4f9509da085d93d5fc0db23947cb411eedc7731f80022ce8fa68ed83a53dd2ac7441fcf72a3f38c09b3d9bbc4ff80546aa2e151ad
+  languageName: node
+  linkType: hard
+
+"sort-package-json@npm:^1.57.0":
+  version: 1.57.0
+  resolution: "sort-package-json@npm:1.57.0"
+  dependencies:
+    detect-indent: ^6.0.0
+    detect-newline: 3.1.0
+    git-hooks-list: 1.0.3
+    globby: 10.0.0
+    is-plain-obj: 2.1.0
+    sort-object-keys: ^1.1.3
+  bin:
+    sort-package-json: cli.js
+  checksum: 15758ba6b1033ae136863eabd4b8c8a28e79dd68b71327f6803c2ea740dc149dc9ad708b006d07ee9de56b6dc7cadb7c697801ad50c01348aa91022c6ff6e21d
+  languageName: node
+  linkType: hard
+
+"source-list-map@npm:^2.0.0":
+  version: 2.0.1
+  resolution: "source-list-map@npm:2.0.1"
+  checksum: 806efc6f75e7cd31e4815e7a3aaf75a45c704871ea4075cb2eb49882c6fca28998f44fc5ac91adb6de03b2882ee6fb02f951fdc85e6a22b338c32bfe19557938
+  languageName: node
+  linkType: hard
+
+"source-map-js@npm:>=0.6.2 <2.0.0, source-map-js@npm:^1.0.1, source-map-js@npm:^1.0.2":
+  version: 1.0.2
+  resolution: "source-map-js@npm:1.0.2"
+  checksum: c049a7fc4deb9a7e9b481ae3d424cc793cb4845daa690bc5a05d428bf41bf231ced49b4cf0c9e77f9d42fdb3d20d6187619fc586605f5eabe995a316da8d377c
+  languageName: node
+  linkType: hard
+
+"source-map-resolve@npm:^0.5.0":
+  version: 0.5.3
+  resolution: "source-map-resolve@npm:0.5.3"
+  dependencies:
+    atob: ^2.1.2
+    decode-uri-component: ^0.2.0
+    resolve-url: ^0.2.1
+    source-map-url: ^0.4.0
+    urix: ^0.1.0
+  checksum: c73fa44ac00783f025f6ad9e038ab1a2e007cd6a6b86f47fe717c3d0765b4a08d264f6966f3bd7cd9dbcd69e4832783d5472e43247775b2a550d6f2155d24bae
+  languageName: node
+  linkType: hard
+
+"source-map-support@npm:^0.4.15":
+  version: 0.4.18
+  resolution: "source-map-support@npm:0.4.18"
+  dependencies:
+    source-map: ^0.5.6
+  checksum: 669aa7e992fec586fac0ba9a8dea8ce81b7328f92806335f018ffac5709afb2920e3870b4e56c68164282607229f04b8bbcf5d0e5c845eb1b5119b092e7585c0
+  languageName: node
+  linkType: hard
+
+"source-map-support@npm:~0.5.12, source-map-support@npm:~0.5.19":
+  version: 0.5.19
+  resolution: "source-map-support@npm:0.5.19"
+  dependencies:
+    buffer-from: ^1.0.0
+    source-map: ^0.6.0
+  checksum: c72802fdba9cb62b92baef18cc14cc4047608b77f0353e6c36dd993444149a466a2845332c5540d4a6630957254f0f68f4ef5a0120c33d2e83974c51a05afbac
+  languageName: node
+  linkType: hard
+
+"source-map-support@npm:~0.5.20":
+  version: 0.5.21
+  resolution: "source-map-support@npm:0.5.21"
+  dependencies:
+    buffer-from: ^1.0.0
+    source-map: ^0.6.0
+  checksum: 43e98d700d79af1d36f859bdb7318e601dfc918c7ba2e98456118ebc4c4872b327773e5a1df09b0524e9e5063bb18f0934538eace60cca2710d1fa687645d137
+  languageName: node
+  linkType: hard
+
+"source-map-url@npm:^0.3.0":
+  version: 0.3.0
+  resolution: "source-map-url@npm:0.3.0"
+  checksum: 9ed12e3fd1b09cd6506c6197129c062e02451f474dcd7ef6419f20fe86ba969c74ba10c37fb4ea5e1f2265e62fde8d31946596d7971e3251a0c75fbf411c5f1b
+  languageName: node
+  linkType: hard
+
+"source-map-url@npm:^0.4.0":
+  version: 0.4.1
+  resolution: "source-map-url@npm:0.4.1"
+  checksum: 64c5c2c77aff815a6e61a4120c309ae4cac01298d9bcbb3deb1b46a4dd4c46d4a1eaeda79ec9f684766ae80e8dc86367b89326ce9dd2b89947bd9291fc1ac08c
+  languageName: node
+  linkType: hard
+
+"source-map@npm:0.4.x, source-map@npm:^0.4.2":
+  version: 0.4.4
+  resolution: "source-map@npm:0.4.4"
+  dependencies:
+    amdefine: ">=0.0.4"
+  checksum: b31992fcb4a2a6c335617f187bd36f392896dfcc111830ebdb8b716923cf6554b665833b975fc998bdf3a63881b2c8b4c5c34fda0280357b8c18fe6aa5d148ea
+  languageName: node
+  linkType: hard
+
+"source-map@npm:^0.5.0, source-map@npm:^0.5.3, source-map@npm:^0.5.6, source-map@npm:^0.5.7":
+  version: 0.5.7
+  resolution: "source-map@npm:0.5.7"
+  checksum: 5dc2043b93d2f194142c7f38f74a24670cd7a0063acdaf4bf01d2964b402257ae843c2a8fa822ad5b71013b5fcafa55af7421383da919752f22ff488bc553f4d
+  languageName: node
+  linkType: hard
+
+"source-map@npm:^0.6.0, source-map@npm:^0.6.1, source-map@npm:~0.6.1":
+  version: 0.6.1
+  resolution: "source-map@npm:0.6.1"
+  checksum: 59ce8640cf3f3124f64ac289012c2b8bd377c238e316fb323ea22fbfe83da07d81e000071d7242cad7a23cd91c7de98e4df8830ec3f133cb6133a5f6e9f67bc2
+  languageName: node
+  linkType: hard
+
+"source-map@npm:~0.1.x":
+  version: 0.1.43
+  resolution: "source-map@npm:0.1.43"
+  dependencies:
+    amdefine: ">=0.0.4"
+  checksum: 0a230f8cae8a8ea70bd36701c33d01fb0c437b798508a561c896a99b42f5af81a206176a250fc654c7c57a736b8081c4b4a6c9887455f7d2724f847451f1d7d9
+  languageName: node
+  linkType: hard
+
+"source-map@npm:~0.7.2":
+  version: 0.7.3
+  resolution: "source-map@npm:0.7.3"
+  checksum: cd24efb3b8fa69b64bf28e3c1b1a500de77e84260c5b7f2b873f88284df17974157cc88d386ee9b6d081f08fdd8242f3fc05c953685a6ad81aad94c7393dedea
+  languageName: node
+  linkType: hard
+
+"sourcemap-codec@npm:^1.4.1, sourcemap-codec@npm:^1.4.4":
+  version: 1.4.8
+  resolution: "sourcemap-codec@npm:1.4.8"
+  checksum: b57981c05611afef31605732b598ccf65124a9fcb03b833532659ac4d29ac0f7bfacbc0d6c5a28a03e84c7510e7e556d758d0bb57786e214660016fb94279316
+  languageName: node
+  linkType: hard
+
+"sourcemap-validator@npm:^1.1.0":
+  version: 1.1.1
+  resolution: "sourcemap-validator@npm:1.1.1"
+  dependencies:
+    jsesc: ~0.3.x
+    lodash.foreach: ^4.5.0
+    lodash.template: ^4.5.0
+    source-map: ~0.1.x
+  checksum: 51b704c08d6899dcb3abbf42cdcf39ccc2199a4c1be201935dd366f15ee8c2e43f684b1eef3c84e08f209280616943fd17feef2542873ca37471205288f13467
+  languageName: node
+  linkType: hard
+
+"spawn-args@npm:^0.2.0":
+  version: 0.2.0
+  resolution: "spawn-args@npm:0.2.0"
+  checksum: bfae0a52166bf4b0b18388220532aa48c436413e970f8c404ca249e541ad63b5e5371f54f1db9b0fd57517ea333a1356d71209783a7686f08c883338e75ae0ac
+  languageName: node
+  linkType: hard
+
+"spdx-correct@npm:^3.0.0":
+  version: 3.1.1
+  resolution: "spdx-correct@npm:3.1.1"
+  dependencies:
+    spdx-expression-parse: ^3.0.0
+    spdx-license-ids: ^3.0.0
+  checksum: 77ce438344a34f9930feffa61be0eddcda5b55fc592906ef75621d4b52c07400a97084d8701557b13f7d2aae0cb64f808431f469e566ef3fe0a3a131dcb775a6
+  languageName: node
+  linkType: hard
+
+"spdx-exceptions@npm:^2.1.0":
+  version: 2.3.0
+  resolution: "spdx-exceptions@npm:2.3.0"
+  checksum: cb69a26fa3b46305637123cd37c85f75610e8c477b6476fa7354eb67c08128d159f1d36715f19be6f9daf4b680337deb8c65acdcae7f2608ba51931540687ac0
+  languageName: node
+  linkType: hard
+
+"spdx-expression-parse@npm:^3.0.0":
+  version: 3.0.1
+  resolution: "spdx-expression-parse@npm:3.0.1"
+  dependencies:
+    spdx-exceptions: ^2.1.0
+    spdx-license-ids: ^3.0.0
+  checksum: a1c6e104a2cbada7a593eaa9f430bd5e148ef5290d4c0409899855ce8b1c39652bcc88a725259491a82601159d6dc790bedefc9016c7472f7de8de7361f8ccde
+  languageName: node
+  linkType: hard
+
+"spdx-license-ids@npm:^3.0.0":
+  version: 3.0.7
+  resolution: "spdx-license-ids@npm:3.0.7"
+  checksum: b52a88aebc19b4c69049349939e1948014c4d10f52a11870431fc1cc6551de411d19e4570f5f1df2d8b7089bec921df9017a3d5199ae2468b2b432171945278e
+  languageName: node
+  linkType: hard
+
+"split-string@npm:^3.0.1, split-string@npm:^3.0.2":
+  version: 3.1.0
+  resolution: "split-string@npm:3.1.0"
+  dependencies:
+    extend-shallow: ^3.0.0
+  checksum: ae5af5c91bdc3633628821bde92fdf9492fa0e8a63cf6a0376ed6afde93c701422a1610916f59be61972717070119e848d10dfbbd5024b7729d6a71972d2a84c
+  languageName: node
+  linkType: hard
+
+"sprintf-js@npm:^1.0.3":
+  version: 1.1.2
+  resolution: "sprintf-js@npm:1.1.2"
+  checksum: d4bb46464632b335e5faed381bd331157e0af64915a98ede833452663bc672823db49d7531c32d58798e85236581fb7342fd0270531ffc8f914e186187bf1c90
+  languageName: node
+  linkType: hard
+
+"sprintf-js@npm:~1.0.2":
+  version: 1.0.3
+  resolution: "sprintf-js@npm:1.0.3"
+  checksum: 19d79aec211f09b99ec3099b5b2ae2f6e9cdefe50bc91ac4c69144b6d3928a640bb6ae5b3def70c2e85a2c3d9f5ec2719921e3a59d3ca3ef4b2fd1a4656a0df3
+  languageName: node
+  linkType: hard
+
+"sri-toolbox@npm:^0.2.0":
+  version: 0.2.0
+  resolution: "sri-toolbox@npm:0.2.0"
+  checksum: 945af49e38f8481e28d02e71e9c23ac1eea008da4328f9c98610cb44eeed83c74e4fa64de7f7264b1385dccb8acabc25ac0a9bb6dbe67ef6261cf18f9e308d01
+  languageName: node
+  linkType: hard
+
+"sshpk@npm:^1.7.0":
+  version: 1.16.1
+  resolution: "sshpk@npm:1.16.1"
+  dependencies:
+    asn1: ~0.2.3
+    assert-plus: ^1.0.0
+    bcrypt-pbkdf: ^1.0.0
+    dashdash: ^1.12.0
+    ecc-jsbn: ~0.1.1
+    getpass: ^0.1.1
+    jsbn: ~0.1.0
+    safer-buffer: ^2.0.2
+    tweetnacl: ~0.14.0
+  bin:
+    sshpk-conv: bin/sshpk-conv
+    sshpk-sign: bin/sshpk-sign
+    sshpk-verify: bin/sshpk-verify
+  checksum: 5e76afd1cedc780256f688b7c09327a8a650902d18e284dfeac97489a735299b03c3e72c6e8d22af03dbbe4d6f123fdfd5f3c4ed6bedbec72b9529a55051b857
+  languageName: node
+  linkType: hard
+
+"ssri@npm:^6.0.1":
+  version: 6.0.2
+  resolution: "ssri@npm:6.0.2"
+  dependencies:
+    figgy-pudding: ^3.5.1
+  checksum: 7c2e5d442f6252559c8987b7114bcf389fe5614bf65de09ba3e6f9a57b9b65b2967de348fcc3acccff9c069adb168140dd2c5fc2f6f4a779e604a27ef1f7d551
+  languageName: node
+  linkType: hard
+
+"ssri@npm:^9.0.0":
+  version: 9.0.1
+  resolution: "ssri@npm:9.0.1"
+  dependencies:
+    minipass: ^3.1.1
+  checksum: fb58f5e46b6923ae67b87ad5ef1c5ab6d427a17db0bead84570c2df3cd50b4ceb880ebdba2d60726588272890bae842a744e1ecce5bd2a2a582fccd5068309eb
+  languageName: node
+  linkType: hard
+
+"stable@npm:^0.1.8":
+  version: 0.1.8
+  resolution: "stable@npm:0.1.8"
+  checksum: 2ff482bb100285d16dd75cd8f7c60ab652570e8952c0bfa91828a2b5f646a0ff533f14596ea4eabd48bb7f4aeea408dce8f8515812b975d958a4cc4fa6b9dfeb
+  languageName: node
+  linkType: hard
+
+"stagehand@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "stagehand@npm:1.0.0"
+  dependencies:
+    debug: ^4.1.0
+  checksum: 262ca2bfff9e505588a7595a24792814d9df27e54f8703aa5f2aa451df7f499b23a6860d42d9cd7462e37f45421365d430680705edca1ffe04d1cce481ed782a
+  languageName: node
+  linkType: hard
+
+"static-extend@npm:^0.1.1":
+  version: 0.1.2
+  resolution: "static-extend@npm:0.1.2"
+  dependencies:
+    define-property: ^0.2.5
+    object-copy: ^0.1.0
+  checksum: 8657485b831f79e388a437260baf22784540417a9b29e11572c87735df24c22b84eda42107403a64b30861b2faf13df9f7fc5525d51f9d1d2303aba5cbf4e12c
+  languageName: node
+  linkType: hard
+
+"statuses@npm:2.0.1":
+  version: 2.0.1
+  resolution: "statuses@npm:2.0.1"
+  checksum: 18c7623fdb8f646fb213ca4051be4df7efb3484d4ab662937ca6fbef7ced9b9e12842709872eb3020cc3504b93bde88935c9f6417489627a7786f24f8031cbcb
+  languageName: node
+  linkType: hard
+
+"statuses@npm:>= 1.4.0 < 2, statuses@npm:>= 1.5.0 < 2, statuses@npm:~1.5.0":
+  version: 1.5.0
+  resolution: "statuses@npm:1.5.0"
+  checksum: c469b9519de16a4bb19600205cffb39ee471a5f17b82589757ca7bd40a8d92ebb6ed9f98b5a540c5d302ccbc78f15dc03cc0280dd6e00df1335568a5d5758a5c
+  languageName: node
+  linkType: hard
+
+"stealthy-require@npm:^1.1.1":
+  version: 1.1.1
+  resolution: "stealthy-require@npm:1.1.1"
+  checksum: 6805b857a9f3a6a1079fc6652278038b81011f2a5b22cbd559f71a6c02087e6f1df941eb10163e3fdc5391ab5807aa46758d4258547c1f5ede31e6d9bfda8dd3
+  languageName: node
+  linkType: hard
+
+"stop-iteration-iterator@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "stop-iteration-iterator@npm:1.0.0"
+  dependencies:
+    internal-slot: ^1.0.4
+  checksum: d04173690b2efa40e24ab70e5e51a3ff31d56d699550cfad084104ab3381390daccb36652b25755e420245f3b0737de66c1879eaa2a8d4fc0a78f9bf892fcb42
+  languageName: node
+  linkType: hard
+
+"stream-browserify@npm:^2.0.1":
+  version: 2.0.2
+  resolution: "stream-browserify@npm:2.0.2"
+  dependencies:
+    inherits: ~2.0.1
+    readable-stream: ^2.0.2
+  checksum: 8de7bcab5582e9a931ae1a4768be7efe8fa4b0b95fd368d16d8cf3e494b897d6b0a7238626de5d71686e53bddf417fd59d106cfa3af0ec055f61a8d1f8fc77b3
+  languageName: node
+  linkType: hard
+
+"stream-each@npm:^1.1.0":
+  version: 1.2.3
+  resolution: "stream-each@npm:1.2.3"
+  dependencies:
+    end-of-stream: ^1.1.0
+    stream-shift: ^1.0.0
+  checksum: f243de78e9fcc60757994efc4e8ecae9f01a4b2c6a505d786b11fcaa68b1a75ca54afc1669eac9e08f19ff0230792fc40d0f3e3e2935d76971b4903af18b76ab
+  languageName: node
+  linkType: hard
+
+"stream-http@npm:^2.7.2":
+  version: 2.8.3
+  resolution: "stream-http@npm:2.8.3"
+  dependencies:
+    builtin-status-codes: ^3.0.0
+    inherits: ^2.0.1
+    readable-stream: ^2.3.6
+    to-arraybuffer: ^1.0.0
+    xtend: ^4.0.0
+  checksum: f57dfaa21a015f72e6ce6b199cf1762074cfe8acf0047bba8f005593754f1743ad0a91788f95308d9f3829ad55742399ad27b4624432f2752a08e62ef4346e05
+  languageName: node
+  linkType: hard
+
+"stream-shift@npm:^1.0.0":
+  version: 1.0.1
+  resolution: "stream-shift@npm:1.0.1"
+  checksum: 59b82b44b29ec3699b5519a49b3cedcc6db58c72fb40c04e005525dfdcab1c75c4e0c180b923c380f204bed78211b9bad8faecc7b93dece4d004c3f6ec75737b
+  languageName: node
+  linkType: hard
+
+"string-argv@npm:0.3.1":
+  version: 0.3.1
+  resolution: "string-argv@npm:0.3.1"
+  checksum: efbd0289b599bee808ce80820dfe49c9635610715429c6b7cc50750f0437e3c2f697c81e5c390208c13b5d5d12d904a1546172a88579f6ee5cbaaaa4dc9ec5cf
+  languageName: node
+  linkType: hard
+
+"string-template@npm:~0.2.1":
+  version: 0.2.1
+  resolution: "string-template@npm:0.2.1"
+  checksum: 042cdcf4d4832378f12fbf45b42f479990f330cc409e6dc184838801efbc8352ccf9428fe169f8f8cfff2b864879d4ba1ef8b5f41d63d1d71844c48005a1683f
+  languageName: node
+  linkType: hard
+
+"string-width@npm:^1.0.2 || 2 || 3 || 4, string-width@npm:^4.2.3":
+  version: 4.2.3
+  resolution: "string-width@npm:4.2.3"
+  dependencies:
+    emoji-regex: ^8.0.0
+    is-fullwidth-code-point: ^3.0.0
+    strip-ansi: ^6.0.1
+  checksum: e52c10dc3fbfcd6c3a15f159f54a90024241d0f149cf8aed2982a2d801d2e64df0bf1dc351cf8e95c3319323f9f220c16e740b06faecd53e2462df1d2b5443fb
+  languageName: node
+  linkType: hard
+
+"string-width@npm:^2.1.0":
+  version: 2.1.1
+  resolution: "string-width@npm:2.1.1"
+  dependencies:
+    is-fullwidth-code-point: ^2.0.0
+    strip-ansi: ^4.0.0
+  checksum: d6173abe088c615c8dffaf3861dc5d5906ed3dc2d6fd67ff2bd2e2b5dce7fd683c5240699cf0b1b8aa679a3b3bd6b28b5053c824cb89b813d7f6541d8f89064a
+  languageName: node
+  linkType: hard
+
+"string-width@npm:^3.0.0, string-width@npm:^3.1.0":
+  version: 3.1.0
+  resolution: "string-width@npm:3.1.0"
+  dependencies:
+    emoji-regex: ^7.0.1
+    is-fullwidth-code-point: ^2.0.0
+    strip-ansi: ^5.1.0
+  checksum: 57f7ca73d201682816d573dc68bd4bb8e1dff8dc9fcf10470fdfc3474135c97175fec12ea6a159e67339b41e86963112355b64529489af6e7e70f94a7caf08b2
+  languageName: node
+  linkType: hard
+
+"string-width@npm:^4.1.0, string-width@npm:^4.2.0":
+  version: 4.2.2
+  resolution: "string-width@npm:4.2.2"
+  dependencies:
+    emoji-regex: ^8.0.0
+    is-fullwidth-code-point: ^3.0.0
+    strip-ansi: ^6.0.0
+  checksum: 343e089b0e66e0f72aab4ad1d9b6f2c9cc5255844b0c83fd9b53f2a3b3fd0421bdd6cb05be96a73117eb012db0887a6c1d64ca95aaa50c518e48980483fea0ab
+  languageName: node
+  linkType: hard
+
+"string.prototype.endswith@npm:^0.2.0":
+  version: 0.2.0
+  resolution: "string.prototype.endswith@npm:0.2.0"
+  checksum: ee0d1619878a7525a6613da16b3a1d7f6d84a8d4414f78a8a1d24aef9789d4bd774d9e93eeb922a78e7f67d804e60f4cba314beb8f55327bff6e83ba39b91f24
+  languageName: node
+  linkType: hard
+
+"string.prototype.matchall@npm:^4.0.5":
+  version: 4.0.6
+  resolution: "string.prototype.matchall@npm:4.0.6"
+  dependencies:
+    call-bind: ^1.0.2
+    define-properties: ^1.1.3
+    es-abstract: ^1.19.1
+    get-intrinsic: ^1.1.1
+    has-symbols: ^1.0.2
+    internal-slot: ^1.0.3
+    regexp.prototype.flags: ^1.3.1
+    side-channel: ^1.0.4
+  checksum: 07aca53ddd8a096a8bd0560eb8574386c6b3887a6a06b40a98abd42c94dadeed3296261fca22fec59a1ed970d199bdeb450fcb6a7390193588d9c6b5f48fe842
+  languageName: node
+  linkType: hard
+
+"string.prototype.matchall@npm:^4.0.6":
+  version: 4.0.8
+  resolution: "string.prototype.matchall@npm:4.0.8"
+  dependencies:
+    call-bind: ^1.0.2
+    define-properties: ^1.1.4
+    es-abstract: ^1.20.4
+    get-intrinsic: ^1.1.3
+    has-symbols: ^1.0.3
+    internal-slot: ^1.0.3
+    regexp.prototype.flags: ^1.4.3
+    side-channel: ^1.0.4
+  checksum: 952da3a818de42ad1c10b576140a5e05b4de7b34b8d9dbf00c3ac8c1293e9c0f533613a39c5cda53e0a8221f2e710bc2150e730b1c2278d60004a8a35726efb6
+  languageName: node
+  linkType: hard
+
+"string.prototype.padend@npm:^3.0.0":
+  version: 3.1.4
+  resolution: "string.prototype.padend@npm:3.1.4"
+  dependencies:
+    call-bind: ^1.0.2
+    define-properties: ^1.1.4
+    es-abstract: ^1.20.4
+  checksum: 76e07238fe31dc12177428f0436b7ed6985f6a7ba97470fd53e4f0a6d9860bfee127d81957f3073cc879b434233df143825d140581e1340278053ad993c92f6c
+  languageName: node
+  linkType: hard
+
+"string.prototype.startswith@npm:^0.2.0":
+  version: 0.2.0
+  resolution: "string.prototype.startswith@npm:0.2.0"
+  checksum: b4224e2454c276baf0609c76f5db0ee6355a89a649041df9a2e49b4cdf4b424dbebbe2c070a3b5f6f00594f8f8fa98415799c7211e873e13f6ee007daae73516
+  languageName: node
+  linkType: hard
+
+"string.prototype.trim@npm:^1.2.7":
+  version: 1.2.7
+  resolution: "string.prototype.trim@npm:1.2.7"
+  dependencies:
+    call-bind: ^1.0.2
+    define-properties: ^1.1.4
+    es-abstract: ^1.20.4
+  checksum: 05b7b2d6af63648e70e44c4a8d10d8cc457536df78b55b9d6230918bde75c5987f6b8604438c4c8652eb55e4fc9725d2912789eb4ec457d6995f3495af190c09
+  languageName: node
+  linkType: hard
+
+"string.prototype.trimend@npm:^1.0.4":
+  version: 1.0.4
+  resolution: "string.prototype.trimend@npm:1.0.4"
+  dependencies:
+    call-bind: ^1.0.2
+    define-properties: ^1.1.3
+  checksum: 17e5aa45c3983f582693161f972c1c1fa4bbbdf22e70e582b00c91b6575f01680dc34e83005b98e31abe4d5d29e0b21fcc24690239c106c7b2315aade6a898ac
+  languageName: node
+  linkType: hard
+
+"string.prototype.trimend@npm:^1.0.6":
+  version: 1.0.6
+  resolution: "string.prototype.trimend@npm:1.0.6"
+  dependencies:
+    call-bind: ^1.0.2
+    define-properties: ^1.1.4
+    es-abstract: ^1.20.4
+  checksum: 0fdc34645a639bd35179b5a08227a353b88dc089adf438f46be8a7c197fc3f22f8514c1c9be4629b3cd29c281582730a8cbbad6466c60f76b5f99cf2addb132e
+  languageName: node
+  linkType: hard
+
+"string.prototype.trimstart@npm:^1.0.4":
+  version: 1.0.4
+  resolution: "string.prototype.trimstart@npm:1.0.4"
+  dependencies:
+    call-bind: ^1.0.2
+    define-properties: ^1.1.3
+  checksum: 3fb06818d3cccac5fa3f5f9873d984794ca0e9f6616fae6fcc745885d9efed4e17fe15f832515d9af5e16c279857fdbffdfc489ca4ed577811b017721b30302f
+  languageName: node
+  linkType: hard
+
+"string.prototype.trimstart@npm:^1.0.6":
+  version: 1.0.6
+  resolution: "string.prototype.trimstart@npm:1.0.6"
+  dependencies:
+    call-bind: ^1.0.2
+    define-properties: ^1.1.4
+    es-abstract: ^1.20.4
+  checksum: 89080feef416621e6ef1279588994305477a7a91648d9436490d56010a1f7adc39167cddac7ce0b9884b8cdbef086987c4dcb2960209f2af8bac0d23ceff4f41
+  languageName: node
+  linkType: hard
+
+"string_decoder@npm:0.10, string_decoder@npm:~0.10.x":
+  version: 0.10.31
+  resolution: "string_decoder@npm:0.10.31"
+  checksum: fe00f8e303647e5db919948ccb5ce0da7dea209ab54702894dd0c664edd98e5d4df4b80d6fabf7b9e92b237359d21136c95bf068b2f7760b772ca974ba970202
+  languageName: node
+  linkType: hard
+
+"string_decoder@npm:^1.0.0, string_decoder@npm:^1.1.1":
+  version: 1.3.0
+  resolution: "string_decoder@npm:1.3.0"
+  dependencies:
+    safe-buffer: ~5.2.0
+  checksum: 8417646695a66e73aefc4420eb3b84cc9ffd89572861fe004e6aeb13c7bc00e2f616247505d2dbbef24247c372f70268f594af7126f43548565c68c117bdeb56
+  languageName: node
+  linkType: hard
+
+"string_decoder@npm:~1.1.1":
+  version: 1.1.1
+  resolution: "string_decoder@npm:1.1.1"
+  dependencies:
+    safe-buffer: ~5.1.0
+  checksum: 9ab7e56f9d60a28f2be697419917c50cac19f3e8e6c28ef26ed5f4852289fe0de5d6997d29becf59028556f2c62983790c1d9ba1e2a3cc401768ca12d5183a5b
+  languageName: node
+  linkType: hard
+
+"stringify-object@npm:^3.3.0":
+  version: 3.3.0
+  resolution: "stringify-object@npm:3.3.0"
+  dependencies:
+    get-own-enumerable-property-symbols: ^3.0.0
+    is-obj: ^1.0.1
+    is-regexp: ^1.0.0
+  checksum: 6827a3f35975cfa8572e8cd3ed4f7b262def260af18655c6fde549334acdac49ddba69f3c861ea5a6e9c5a4990fe4ae870b9c0e6c31019430504c94a83b7a154
+  languageName: node
+  linkType: hard
+
+"strip-ansi@npm:^3.0.0":
+  version: 3.0.1
+  resolution: "strip-ansi@npm:3.0.1"
+  dependencies:
+    ansi-regex: ^2.0.0
+  checksum: 9b974de611ce5075c70629c00fa98c46144043db92ae17748fb780f706f7a789e9989fd10597b7c2053ae8d1513fd707816a91f1879b2f71e6ac0b6a863db465
+  languageName: node
+  linkType: hard
+
+"strip-ansi@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "strip-ansi@npm:4.0.0"
+  dependencies:
+    ansi-regex: ^3.0.0
+  checksum: d9186e6c0cf78f25274f6750ee5e4a5725fb91b70fdd79aa5fe648eab092a0ec5b9621b22d69d4534a56319f75d8944efbd84e3afa8d4ad1b9a9491f12c84eca
+  languageName: node
+  linkType: hard
+
+"strip-ansi@npm:^5.0.0, strip-ansi@npm:^5.1.0, strip-ansi@npm:^5.2.0":
+  version: 5.2.0
+  resolution: "strip-ansi@npm:5.2.0"
+  dependencies:
+    ansi-regex: ^4.1.0
+  checksum: bdb5f76ade97062bd88e7723aa019adbfacdcba42223b19ccb528ffb9fb0b89a5be442c663c4a3fb25268eaa3f6ea19c7c3fbae830bd1562d55adccae1fcec46
+  languageName: node
+  linkType: hard
+
+"strip-ansi@npm:^6.0.0":
+  version: 6.0.0
+  resolution: "strip-ansi@npm:6.0.0"
+  dependencies:
+    ansi-regex: ^5.0.0
+  checksum: 04c3239ede44c4d195b0e66c0ad58b932f08bec7d05290416d361ff908ad282ecdaf5d9731e322c84f151d427436bde01f05b7422c3ec26dd927586736b0e5d0
+  languageName: node
+  linkType: hard
+
+"strip-ansi@npm:^6.0.1":
+  version: 6.0.1
+  resolution: "strip-ansi@npm:6.0.1"
+  dependencies:
+    ansi-regex: ^5.0.1
+  checksum: f3cd25890aef3ba6e1a74e20896c21a46f482e93df4a06567cebf2b57edabb15133f1f94e57434e0a958d61186087b1008e89c94875d019910a213181a14fc8c
+  languageName: node
+  linkType: hard
+
+"strip-ansi@npm:~0.1.0":
+  version: 0.1.1
+  resolution: "strip-ansi@npm:0.1.1"
+  bin:
+    strip-ansi: cli.js
+  checksum: 31f1d4d3b86e6d968aa568bf47d712626dd748aff7d576a98ba2ed378dd60dfb1475898254b62479779231e50a38f0b7ea0b66d3b22d14cde38b769c1c747d33
+  languageName: node
+  linkType: hard
+
+"strip-bom@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "strip-bom@npm:3.0.0"
+  checksum: 8d50ff27b7ebe5ecc78f1fe1e00fcdff7af014e73cf724b46fb81ef889eeb1015fc5184b64e81a2efe002180f3ba431bdd77e300da5c6685d702780fbf0c8d5b
+  languageName: node
+  linkType: hard
+
+"strip-bom@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "strip-bom@npm:4.0.0"
+  checksum: 9dbcfbaf503c57c06af15fe2c8176fb1bf3af5ff65003851a102749f875a6dbe0ab3b30115eccf6e805e9d756830d3e40ec508b62b3f1ddf3761a20ebe29d3f3
+  languageName: node
+  linkType: hard
+
+"strip-eof@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "strip-eof@npm:1.0.0"
+  checksum: 40bc8ddd7e072f8ba0c2d6d05267b4e0a4800898c3435b5fb5f5a21e6e47dfaff18467e7aa0d1844bb5d6274c3097246595841fbfeb317e541974ee992cac506
+  languageName: node
+  linkType: hard
+
+"strip-final-newline@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "strip-final-newline@npm:2.0.0"
+  checksum: 69412b5e25731e1938184b5d489c32e340605bb611d6140344abc3421b7f3c6f9984b21dff296dfcf056681b82caa3bb4cc996a965ce37bcfad663e92eae9c64
+  languageName: node
+  linkType: hard
+
+"strip-indent@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "strip-indent@npm:4.0.0"
+  dependencies:
+    min-indent: ^1.0.1
+  checksum: 06cbcd93da721c46bc13caeb1c00af93a9b18146a1c95927672d2decab6a25ad83662772417cea9317a2507fb143253ecc23c4415b64f5828cef9b638a744598
+  languageName: node
+  linkType: hard
+
+"strip-json-comments@npm:^3.1.0, strip-json-comments@npm:^3.1.1":
+  version: 3.1.1
+  resolution: "strip-json-comments@npm:3.1.1"
+  checksum: 492f73e27268f9b1c122733f28ecb0e7e8d8a531a6662efbd08e22cccb3f9475e90a1b82cab06a392f6afae6d2de636f977e231296400d0ec5304ba70f166443
+  languageName: node
+  linkType: hard
+
+"style-loader@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "style-loader@npm:2.0.0"
+  dependencies:
+    loader-utils: ^2.0.0
+    schema-utils: ^3.0.0
+  peerDependencies:
+    webpack: ^4.0.0 || ^5.0.0
+  checksum: 21425246a5a8f14d1625a657a3a56f8a323193fa341a71af818a2ed2a429efa2385a328b4381cf2f12c2d0e6380801eb9e0427ed9c3a10ff95c86e383184d632
+  languageName: node
+  linkType: hard
+
+"style-search@npm:^0.1.0":
+  version: 0.1.0
+  resolution: "style-search@npm:0.1.0"
+  checksum: 3cfefe335033aad6d47da0725cb48f5db91a73935954c77eab77d9e415e6668cdb406da4a4f7ef9f1aca77853cf5ba7952c45e869caa5bd6439691d88098d468
+  languageName: node
+  linkType: hard
+
+"styled_string@npm:0.0.1":
+  version: 0.0.1
+  resolution: "styled_string@npm:0.0.1"
+  checksum: cc01e28ec5b7559e66cfb88b2a712beb3af91dc932df2bbe09e32d9bd5ae915bfe9dc1c1d3f5f9fcfe80acbe1ec2d741fa300a1a9032859c0f20856f5ef0e32a
+  languageName: node
+  linkType: hard
+
+"stylelint-config-recommended@npm:^11.0.0":
+  version: 11.0.0
+  resolution: "stylelint-config-recommended@npm:11.0.0"
+  peerDependencies:
+    stylelint: ^15.3.0
+  checksum: f6bed5995235d61a2b4bcae086fab925df3b824c77ef585f9f0f9b891b1409c0aa8ae49e8f53d6a2f851be8f7928a7d95e2b17ee876f248ce88f718a3892bf6f
+  languageName: node
+  linkType: hard
+
+"stylelint-config-standard@npm:^32.0.0":
+  version: 32.0.0
+  resolution: "stylelint-config-standard@npm:32.0.0"
+  dependencies:
+    stylelint-config-recommended: ^11.0.0
+  peerDependencies:
+    stylelint: ^15.4.0
+  checksum: 05f7481f93e0fd3d2e69ba6ef3b3b8347c2340fcc6732e3f4289cc1067ae74e87f6474b4385b8936a0ff062cc3dd08c5cc50e27d96994c6176a69d055a75537a
+  languageName: node
+  linkType: hard
+
+"stylelint-prettier@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "stylelint-prettier@npm:3.0.0"
+  dependencies:
+    prettier-linter-helpers: ^1.0.0
+  peerDependencies:
+    prettier: ">=2.0.0"
+    stylelint: ">=14.0.0"
+  checksum: 094f53ef5dbe3806524db7f580b9312ceca444651803fc08c8baa48cd9a270985c709fa4f083681a685310dc347b8e55aa93d462554ba7d4ae6258a3bdf6a278
+  languageName: node
+  linkType: hard
+
+"stylelint@npm:^15.4.0":
+  version: 15.10.1
+  resolution: "stylelint@npm:15.10.1"
+  dependencies:
+    "@csstools/css-parser-algorithms": ^2.3.0
+    "@csstools/css-tokenizer": ^2.1.1
+    "@csstools/media-query-list-parser": ^2.1.2
+    "@csstools/selector-specificity": ^3.0.0
+    balanced-match: ^2.0.0
+    colord: ^2.9.3
+    cosmiconfig: ^8.2.0
+    css-functions-list: ^3.1.0
+    css-tree: ^2.3.1
+    debug: ^4.3.4
+    fast-glob: ^3.3.0
+    fastest-levenshtein: ^1.0.16
+    file-entry-cache: ^6.0.1
+    global-modules: ^2.0.0
+    globby: ^11.1.0
+    globjoin: ^0.1.4
+    html-tags: ^3.3.1
+    ignore: ^5.2.4
+    import-lazy: ^4.0.0
+    imurmurhash: ^0.1.4
+    is-plain-object: ^5.0.0
+    known-css-properties: ^0.27.0
+    mathml-tag-names: ^2.1.3
+    meow: ^10.1.5
+    micromatch: ^4.0.5
+    normalize-path: ^3.0.0
+    picocolors: ^1.0.0
+    postcss: ^8.4.24
+    postcss-resolve-nested-selector: ^0.1.1
+    postcss-safe-parser: ^6.0.0
+    postcss-selector-parser: ^6.0.13
+    postcss-value-parser: ^4.2.0
+    resolve-from: ^5.0.0
+    string-width: ^4.2.3
+    strip-ansi: ^6.0.1
+    style-search: ^0.1.0
+    supports-hyperlinks: ^3.0.0
+    svg-tags: ^1.0.0
+    table: ^6.8.1
+    write-file-atomic: ^5.0.1
+  bin:
+    stylelint: bin/stylelint.mjs
+  checksum: 8eeae81fe4ed2dfc580d7c401806dbb058c14631abfafd0821db32f1e649aee62e3d39dda3462c6122826df91bd9799409be926e91b55b007622f51e44eb94c1
+  languageName: node
+  linkType: hard
+
+"sum-up@npm:^1.0.1":
+  version: 1.0.3
+  resolution: "sum-up@npm:1.0.3"
+  dependencies:
+    chalk: ^1.0.0
+  checksum: bd08f404c83464f4e7a880340e84ad4aeb271a1b0a5ee8d084dd511988f96f7e321fb64442c7ca21249990c7562476f929ec8bd1cf6f4514ca25e6aae5281ee6
+  languageName: node
+  linkType: hard
+
+"supports-color@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "supports-color@npm:2.0.0"
+  checksum: 602538c5812b9006404370b5a4b885d3e2a1f6567d314f8b4a41974ffe7d08e525bf92ae0f9c7030e3b4c78e4e34ace55d6a67a74f1571bc205959f5972f88f0
+  languageName: node
+  linkType: hard
+
+"supports-color@npm:^5.3.0, supports-color@npm:^5.4.0, supports-color@npm:^5.5.0":
+  version: 5.5.0
+  resolution: "supports-color@npm:5.5.0"
+  dependencies:
+    has-flag: ^3.0.0
+  checksum: 95f6f4ba5afdf92f495b5a912d4abee8dcba766ae719b975c56c084f5004845f6f5a5f7769f52d53f40e21952a6d87411bafe34af4a01e65f9926002e38e1dac
+  languageName: node
+  linkType: hard
+
+"supports-color@npm:^7.0.0, supports-color@npm:^7.1.0":
+  version: 7.2.0
+  resolution: "supports-color@npm:7.2.0"
+  dependencies:
+    has-flag: ^4.0.0
+  checksum: 3dda818de06ebbe5b9653e07842d9479f3555ebc77e9a0280caf5a14fb877ffee9ed57007c3b78f5a6324b8dbeec648d9e97a24e2ed9fdb81ddc69ea07100f4a
+  languageName: node
+  linkType: hard
+
+"supports-color@npm:^8.0.0":
+  version: 8.1.1
+  resolution: "supports-color@npm:8.1.1"
+  dependencies:
+    has-flag: ^4.0.0
+  checksum: c052193a7e43c6cdc741eb7f378df605636e01ad434badf7324f17fb60c69a880d8d8fcdcb562cf94c2350e57b937d7425ab5b8326c67c2adc48f7c87c1db406
+  languageName: node
+  linkType: hard
+
+"supports-hyperlinks@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "supports-hyperlinks@npm:3.0.0"
+  dependencies:
+    has-flag: ^4.0.0
+    supports-color: ^7.0.0
+  checksum: 41021305de5255b10d821bf93c7a781f783e1693d0faec293d7fc7ccf17011b90bde84b0295fa92ba75c6c390351fe84fdd18848cad4bf656e464a958243c3e7
+  languageName: node
+  linkType: hard
+
+"supports-preserve-symlinks-flag@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "supports-preserve-symlinks-flag@npm:1.0.0"
+  checksum: 53b1e247e68e05db7b3808b99b892bd36fb096e6fba213a06da7fab22045e97597db425c724f2bbd6c99a3c295e1e73f3e4de78592289f38431049e1277ca0ae
+  languageName: node
+  linkType: hard
+
+"svg-tags@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "svg-tags@npm:1.0.0"
+  checksum: 407e5ef87cfa2fb81c61d738081c2decd022ce13b922d035b214b49810630bf5d1409255a4beb3a940b77b32f6957806deff16f1bf0ce1ab11c7a184115a0b7f
+  languageName: node
+  linkType: hard
+
+"svgo@npm:1.3.0":
+  version: 1.3.0
+  resolution: "svgo@npm:1.3.0"
+  dependencies:
+    chalk: ^2.4.1
+    coa: ^2.0.2
+    css-select: ^2.0.0
+    css-select-base-adapter: ^0.1.1
+    css-tree: 1.0.0-alpha.33
+    csso: ^3.5.1
+    js-yaml: ^3.13.1
+    mkdirp: ~0.5.1
+    object.values: ^1.1.0
+    sax: ~1.2.4
+    stable: ^0.1.8
+    unquote: ~1.1.1
+    util.promisify: ~1.0.0
+  bin:
+    svgo: ./bin/svgo
+  checksum: 813880c96af74a90d5f52c477c71b5dda62b2a215807eab05757d6a0e0886d4e3fda564241d985d856dba225dad0b5d7409208e681fccfaa48ac90c53441238e
+  languageName: node
+  linkType: hard
+
+"swagger-ui-dist@npm:^5.9.0":
+  version: 5.9.0
+  resolution: "swagger-ui-dist@npm:5.9.0"
+  checksum: 722f5d81adf0c0a940559952f48f7cd20a3f2a53aee8771c896eee8e3bed6f78c2f231960a7c30a4dca390d1205c0b2909d84062978013bb60febc478b9fc3d9
+  languageName: node
+  linkType: hard
+
+"symbol-tree@npm:^3.2.4":
+  version: 3.2.4
+  resolution: "symbol-tree@npm:3.2.4"
+  checksum: 6e8fc7e1486b8b54bea91199d9535bb72f10842e40c79e882fc94fb7b14b89866adf2fd79efa5ebb5b658bc07fb459ccce5ac0e99ef3d72f474e74aaf284029d
+  languageName: node
+  linkType: hard
+
+"symlink-or-copy@npm:^1.0.0, symlink-or-copy@npm:^1.0.1, symlink-or-copy@npm:^1.1.8, symlink-or-copy@npm:^1.2.0, symlink-or-copy@npm:^1.3.1":
+  version: 1.3.1
+  resolution: "symlink-or-copy@npm:1.3.1"
+  checksum: 430c32ab5606f7b7c946a5a29ea17ce6cb0b34d8cb8394234b7abe710c8c029bf41030df79406cf49c4fc1e49aa979ca950b836767e3b8702acf9efe922a2f74
+  languageName: node
+  linkType: hard
+
+"sync-disk-cache@npm:^1.3.3":
+  version: 1.3.4
+  resolution: "sync-disk-cache@npm:1.3.4"
+  dependencies:
+    debug: ^2.1.3
+    heimdalljs: ^0.2.3
+    mkdirp: ^0.5.0
+    rimraf: ^2.2.8
+    username-sync: ^1.0.2
+  checksum: b828cf52b43500d83f4d98b626463227a773743cb14a5a1b5fc4f437ef85170e2a5259c6a1686e569cc231557a9a7b4278fa0cf16cef976329b18154d88215bd
+  languageName: node
+  linkType: hard
+
+"sync-disk-cache@npm:^2.0.0":
+  version: 2.1.0
+  resolution: "sync-disk-cache@npm:2.1.0"
+  dependencies:
+    debug: ^4.1.1
+    heimdalljs: ^0.2.6
+    mkdirp: ^0.5.0
+    rimraf: ^3.0.0
+    username-sync: ^1.0.2
+  checksum: 02f02d2842c69da088c28f5c6e39df7f22b68b06fd309a91eee9266a561d1a50759a8ba058df51017b89f3e70608dc884ec086b572fc9ae51165de0585029abb
+  languageName: node
+  linkType: hard
+
+"tabbable@npm:^5.3.3":
+  version: 5.3.3
+  resolution: "tabbable@npm:5.3.3"
+  checksum: 1aa56e1bb617cc10616c407f4e756f0607f3e2d30f9803664d70b85db037ca27e75918ed1c71443f3dc902e21dc9f991ce4b52d63a538c9b69b3218d3babcd70
+  languageName: node
+  linkType: hard
+
+"table@npm:^6.8.1":
+  version: 6.8.1
+  resolution: "table@npm:6.8.1"
+  dependencies:
+    ajv: ^8.0.1
+    lodash.truncate: ^4.4.2
+    slice-ansi: ^4.0.0
+    string-width: ^4.2.3
+    strip-ansi: ^6.0.1
+  checksum: 08249c7046125d9d0a944a6e96cfe9ec66908d6b8a9db125531be6eb05fa0de047fd5542e9d43b4f987057f00a093b276b8d3e19af162a9c40db2681058fd306
+  languageName: node
+  linkType: hard
+
+"tap-parser@npm:^7.0.0":
+  version: 7.0.0
+  resolution: "tap-parser@npm:7.0.0"
+  dependencies:
+    events-to-array: ^1.0.1
+    js-yaml: ^3.2.7
+    minipass: ^2.2.0
+  bin:
+    tap-parser: bin/cmd.js
+  checksum: 9970c8e797b97bcdb91d92eb0847e8d550e64b914800c4485bea0a28756f9c4e4cbbfe429e7d05c2140b1a83ae092b5636e191360c8fc3f817e60acb96658147
+  languageName: node
+  linkType: hard
+
+"tapable@npm:^1.0.0, tapable@npm:^1.1.3":
+  version: 1.1.3
+  resolution: "tapable@npm:1.1.3"
+  checksum: 53ff4e7c3900051c38cc4faab428ebfd7e6ad0841af5a7ac6d5f3045c5b50e88497bfa8295b4b3fbcadd94993c9e358868b78b9fb249a76cb8b018ac8dccafd7
+  languageName: node
+  linkType: hard
+
+"tapable@npm:^2.1.1, tapable@npm:^2.2.0":
+  version: 2.2.1
+  resolution: "tapable@npm:2.2.1"
+  checksum: 3b7a1b4d86fa940aad46d9e73d1e8739335efd4c48322cb37d073eb6f80f5281889bf0320c6d8ffcfa1a0dd5bfdbd0f9d037e252ef972aca595330538aac4d51
+  languageName: node
+  linkType: hard
+
+"tar@npm:^6.1.11, tar@npm:^6.1.2":
+  version: 6.1.13
+  resolution: "tar@npm:6.1.13"
+  dependencies:
+    chownr: ^2.0.0
+    fs-minipass: ^2.0.0
+    minipass: ^4.0.0
+    minizlib: ^2.1.1
+    mkdirp: ^1.0.3
+    yallist: ^4.0.0
+  checksum: 8a278bed123aa9f53549b256a36b719e317c8b96fe86a63406f3c62887f78267cea9b22dc6f7007009738509800d4a4dccc444abd71d762287c90f35b002eb1c
+  languageName: node
+  linkType: hard
+
+"temp@npm:0.9.4":
+  version: 0.9.4
+  resolution: "temp@npm:0.9.4"
+  dependencies:
+    mkdirp: ^0.5.1
+    rimraf: ~2.6.2
+  checksum: 8709d4d63278bd309ca0e49e80a268308dea543a949e71acd427b3314cd9417da9a2cc73425dd9c21c6780334dbffd67e05e7be5aaa73e9affe8479afc6f20e3
+  languageName: node
+  linkType: hard
+
+"terser-webpack-plugin@npm:^1.4.3":
+  version: 1.4.5
+  resolution: "terser-webpack-plugin@npm:1.4.5"
+  dependencies:
+    cacache: ^12.0.2
+    find-cache-dir: ^2.1.0
+    is-wsl: ^1.1.0
+    schema-utils: ^1.0.0
+    serialize-javascript: ^4.0.0
+    source-map: ^0.6.1
+    terser: ^4.1.2
+    webpack-sources: ^1.4.0
+    worker-farm: ^1.7.0
+  peerDependencies:
+    webpack: ^4.0.0
+  checksum: 02aada80927d3c8105d69cb00384d307b73aed67d180db5d20023a8d649149f3803ad50f9cd2ef9eb2622005de87e677198ecc5088f51422bfac5d4d57472d0e
+  languageName: node
+  linkType: hard
+
+"terser-webpack-plugin@npm:^5.1.3":
+  version: 5.3.3
+  resolution: "terser-webpack-plugin@npm:5.3.3"
+  dependencies:
+    "@jridgewell/trace-mapping": ^0.3.7
+    jest-worker: ^27.4.5
+    schema-utils: ^3.1.1
+    serialize-javascript: ^6.0.0
+    terser: ^5.7.2
+  peerDependencies:
+    webpack: ^5.1.0
+  peerDependenciesMeta:
+    "@swc/core":
+      optional: true
+    esbuild:
+      optional: true
+    uglify-js:
+      optional: true
+  checksum: 4b8d508d8a0f6e604addb286975f1fa670f8c3964a67abc03a7cfcfd4cdeca4b07dda6655e1c4425427fb62e4d2b0ca59d84f1b2cd83262ff73616d5d3ccdeb5
+  languageName: node
+  linkType: hard
+
+"terser@npm:^4.1.2, terser@npm:^4.3.9":
+  version: 4.8.0
+  resolution: "terser@npm:4.8.0"
+  dependencies:
+    commander: ^2.20.0
+    source-map: ~0.6.1
+    source-map-support: ~0.5.12
+  bin:
+    terser: bin/terser
+  checksum: f980789097d4f856c1ef4b9a7ada37beb0bb022fb8aa3057968862b5864ad7c244253b3e269c9eb0ab7d0caf97b9521273f2d1cf1e0e942ff0016e0583859c71
+  languageName: node
+  linkType: hard
+
+"terser@npm:^5.3.0":
+  version: 5.7.0
+  resolution: "terser@npm:5.7.0"
+  dependencies:
+    commander: ^2.20.0
+    source-map: ~0.7.2
+    source-map-support: ~0.5.19
+  bin:
+    terser: bin/terser
+  checksum: 3abeb551865079b27e2890dbec866054967d1963fc80a81e5e14e414c43db88ff53a5e88844c145df11bed01b28040aa96afd82113c6d1a6ad28409b6cae4fde
+  languageName: node
+  linkType: hard
+
+"terser@npm:^5.7.2":
+  version: 5.14.0
+  resolution: "terser@npm:5.14.0"
+  dependencies:
+    "@jridgewell/source-map": ^0.3.2
+    acorn: ^8.5.0
+    commander: ^2.20.0
+    source-map-support: ~0.5.20
+  bin:
+    terser: bin/terser
+  checksum: 9bce919c17cf028b1b41a3aca9f7e05354ff46701de39e733d6d7a43ebd9c6042d33cfa3e7ef84e5f4c17f1c429c7f40381a38c6e6d6ab1cdc46a1bf8f4e8985
+  languageName: node
+  linkType: hard
+
+"testem@npm:^3.10.1":
+  version: 3.10.1
+  resolution: "testem@npm:3.10.1"
+  dependencies:
+    "@xmldom/xmldom": ^0.8.0
+    backbone: ^1.1.2
+    bluebird: ^3.4.6
+    charm: ^1.0.0
+    commander: ^2.6.0
+    compression: ^1.7.4
+    consolidate: ^0.16.0
+    execa: ^1.0.0
+    express: ^4.10.7
+    fireworm: ^0.7.0
+    glob: ^7.0.4
+    http-proxy: ^1.13.1
+    js-yaml: ^3.2.5
+    lodash.assignin: ^4.1.0
+    lodash.castarray: ^4.4.0
+    lodash.clonedeep: ^4.4.1
+    lodash.find: ^4.5.1
+    lodash.uniqby: ^4.7.0
+    mkdirp: ^1.0.4
+    mustache: ^4.2.0
+    node-notifier: ^10.0.0
+    npmlog: ^6.0.0
+    printf: ^0.6.1
+    rimraf: ^3.0.2
+    socket.io: ^4.1.2
+    spawn-args: ^0.2.0
+    styled_string: 0.0.1
+    tap-parser: ^7.0.0
+    tmp: 0.0.33
+  bin:
+    testem: testem.js
+  checksum: d6f05dc22186484efff4fe251af2c4af5b86f39e2430390ee5616b6d3bb3b0216d5ab3d5d31ac41e49545745e228af88c8131c54ea548c7d7f33e23234b9430d
+  languageName: node
+  linkType: hard
+
+"tether@npm:^1.4.0":
+  version: 1.4.7
+  resolution: "tether@npm:1.4.7"
+  checksum: 766ac802654064b05e5785584a109101fc184266a0df99581a3ac45d33706c39d9fed314bd28daddf3532bfa0c41f81ebc133ce2c51995101ac922d3fb0477b8
+  languageName: node
+  linkType: hard
+
+"text-encoder-lite@npm:2.0.0":
+  version: 2.0.0
+  resolution: "text-encoder-lite@npm:2.0.0"
+  checksum: 25c3cb8b894c84ec3c2b8c66bcf6267e207d502e16385ca2c4ddca9b59194b5c36aa536a82923d3026be96f5c31121fb8f089cdf6e83768650a74c55416295af
+  languageName: node
+  linkType: hard
+
+"text-table@npm:^0.2.0":
+  version: 0.2.0
+  resolution: "text-table@npm:0.2.0"
+  checksum: b6937a38c80c7f84d9c11dd75e49d5c44f71d95e810a3250bd1f1797fc7117c57698204adf676b71497acc205d769d65c16ae8fa10afad832ae1322630aef10a
+  languageName: node
+  linkType: hard
+
+"textextensions@npm:1 || 2, textextensions@npm:^2.5.0":
+  version: 2.6.0
+  resolution: "textextensions@npm:2.6.0"
+  checksum: e28781f092d0172b78974fd22d5c007cc43ac50be666b36bbf10125d961775faf309a70b51697a2debc074c8f23cc923f1386b1e4661e11b128cee292060034c
+  languageName: node
+  linkType: hard
+
+"through2@npm:^2.0.0":
+  version: 2.0.5
+  resolution: "through2@npm:2.0.5"
+  dependencies:
+    readable-stream: ~2.3.6
+    xtend: ~4.0.1
+  checksum: beb0f338aa2931e5660ec7bf3ad949e6d2e068c31f4737b9525e5201b824ac40cac6a337224856b56bd1ddd866334bbfb92a9f57cd6f66bc3f18d3d86fc0fe50
+  languageName: node
+  linkType: hard
+
+"through2@npm:^3.0.1":
+  version: 3.0.2
+  resolution: "through2@npm:3.0.2"
+  dependencies:
+    inherits: ^2.0.4
+    readable-stream: 2 || 3
+  checksum: 47c9586c735e7d9cbbc1029f3ff422108212f7cc42e06d5cc9fff7901e659c948143c790e0d0d41b1b5f89f1d1200bdd200c7b72ad34f42f9edbeb32ea49e8b7
+  languageName: node
+  linkType: hard
+
+"through@npm:^2.3.6, through@npm:^2.3.8":
+  version: 2.3.8
+  resolution: "through@npm:2.3.8"
+  checksum: a38c3e059853c494af95d50c072b83f8b676a9ba2818dcc5b108ef252230735c54e0185437618596c790bbba8fcdaef5b290405981ffa09dce67b1f1bf190cbd
+  languageName: node
+  linkType: hard
+
+"time-zone@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "time-zone@npm:1.0.0"
+  checksum: e46f5a69b8c236dcd8e91e29d40d4e7a3495ed4f59888c3f84ce1d9678e20461421a6ba41233509d47dd94bc18f1a4377764838b21b584663f942b3426dcbce8
+  languageName: node
+  linkType: hard
+
+"timers-browserify@npm:^2.0.4":
+  version: 2.0.12
+  resolution: "timers-browserify@npm:2.0.12"
+  dependencies:
+    setimmediate: ^1.0.4
+  checksum: ec37ae299066bef6c464dcac29c7adafba1999e7227a9bdc4e105a459bee0f0b27234a46bfd7ab4041da79619e06a58433472867a913d01c26f8a203f87cee70
+  languageName: node
+  linkType: hard
+
+"tiny-glob@npm:0.2.9":
+  version: 0.2.9
+  resolution: "tiny-glob@npm:0.2.9"
+  dependencies:
+    globalyzer: 0.1.0
+    globrex: ^0.1.2
+  checksum: aea5801eb6663ddf77ebb74900b8f8bd9dfcfc9b6a1cc8018cb7421590c00bf446109ff45e4b64a98e6c95ddb1255a337a5d488fb6311930e2a95334151ec9c6
+  languageName: node
+  linkType: hard
+
+"tiny-lr@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "tiny-lr@npm:2.0.0"
+  dependencies:
+    body: ^5.1.0
+    debug: ^3.1.0
+    faye-websocket: ^0.11.3
+    livereload-js: ^3.3.1
+    object-assign: ^4.1.0
+    qs: ^6.4.0
+  checksum: d1804c15727e741aa6eccdee6171548fce8d2865b0f18b3e1b6ac9f80048c2e099eeec2540a49380a1fd6f3eb6cafe1cb5adc76dfec2c9dceee3e014a4f25991
+  languageName: node
+  linkType: hard
+
+"tippy.js@npm:^6.3.7":
+  version: 6.3.7
+  resolution: "tippy.js@npm:6.3.7"
+  dependencies:
+    "@popperjs/core": ^2.9.0
+  checksum: cac955318a65288e8d2dca05059878b003c6e66f92c94f7810f5bc5448eb6646abdf7dacc9bd00020e2611592598d0aae3a28ec9a45349a159603c3fdddce5fb
+  languageName: node
+  linkType: hard
+
+"tmp@npm:0.0.28":
+  version: 0.0.28
+  resolution: "tmp@npm:0.0.28"
+  dependencies:
+    os-tmpdir: ~1.0.1
+  checksum: 8167d2471b650f88fde1515bbf6c62d2adef07972d06531569f789863a2436c32027b6d5fbe3102ed2c430b86043dffd337db12494f1f982534862d9487e4eff
+  languageName: node
+  linkType: hard
+
+"tmp@npm:0.0.33, tmp@npm:^0.0.33":
+  version: 0.0.33
+  resolution: "tmp@npm:0.0.33"
+  dependencies:
+    os-tmpdir: ~1.0.2
+  checksum: 902d7aceb74453ea02abbf58c203f4a8fc1cead89b60b31e354f74ed5b3fb09ea817f94fb310f884a5d16987dd9fa5a735412a7c2dd088dd3d415aa819ae3a28
+  languageName: node
+  linkType: hard
+
+"tmp@npm:^0.1.0":
+  version: 0.1.0
+  resolution: "tmp@npm:0.1.0"
+  dependencies:
+    rimraf: ^2.6.3
+  checksum: 6bab8431de9d245d4264bd8cd6bb216f9d22f179f935dada92a11d1315572c8eb7c3334201e00594b4708608bd536fad3a63bfb037e7804d827d66aa53a1afcd
+  languageName: node
+  linkType: hard
+
+"tmp@npm:^0.2.1":
+  version: 0.2.1
+  resolution: "tmp@npm:0.2.1"
+  dependencies:
+    rimraf: ^3.0.0
+  checksum: 8b1214654182575124498c87ca986ac53dc76ff36e8f0e0b67139a8d221eaecfdec108c0e6ec54d76f49f1f72ab9325500b246f562b926f85bcdfca8bf35df9e
+  languageName: node
+  linkType: hard
+
+"tmpl@npm:1.0.5":
+  version: 1.0.5
+  resolution: "tmpl@npm:1.0.5"
+  checksum: cd922d9b853c00fe414c5a774817be65b058d54a2d01ebb415840960406c669a0fc632f66df885e24cb022ec812739199ccbdb8d1164c3e513f85bfca5ab2873
+  languageName: node
+  linkType: hard
+
+"to-arraybuffer@npm:^1.0.0":
+  version: 1.0.1
+  resolution: "to-arraybuffer@npm:1.0.1"
+  checksum: 31433c10b388722729f5da04c6b2a06f40dc84f797bb802a5a171ced1e599454099c6c5bc5118f4b9105e7d049d3ad9d0f71182b77650e4fdb04539695489941
+  languageName: node
+  linkType: hard
+
+"to-fast-properties@npm:^1.0.3":
+  version: 1.0.3
+  resolution: "to-fast-properties@npm:1.0.3"
+  checksum: bd0abb58c4722851df63419de3f6d901d5118f0440d3f71293ed776dd363f2657edaaf2dc470e3f6b7b48eb84aa411193b60db8a4a552adac30de9516c5cc580
+  languageName: node
+  linkType: hard
+
+"to-fast-properties@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "to-fast-properties@npm:2.0.0"
+  checksum: be2de62fe58ead94e3e592680052683b1ec986c72d589e7b21e5697f8744cdbf48c266fa72f6c15932894c10187b5f54573a3bcf7da0bfd964d5caf23d436168
+  languageName: node
+  linkType: hard
+
+"to-object-path@npm:^0.3.0":
+  version: 0.3.0
+  resolution: "to-object-path@npm:0.3.0"
+  dependencies:
+    kind-of: ^3.0.2
+  checksum: 9425effee5b43e61d720940fa2b889623f77473d459c2ce3d4a580a4405df4403eec7be6b857455908070566352f9e2417304641ed158dda6f6a365fe3e66d70
+  languageName: node
+  linkType: hard
+
+"to-regex-range@npm:^2.1.0":
+  version: 2.1.1
+  resolution: "to-regex-range@npm:2.1.1"
+  dependencies:
+    is-number: ^3.0.0
+    repeat-string: ^1.6.1
+  checksum: 46093cc14be2da905cc931e442d280b2e544e2bfdb9a24b3cf821be8d342f804785e5736c108d5be026021a05d7b38144980a61917eee3c88de0a5e710e10320
+  languageName: node
+  linkType: hard
+
+"to-regex-range@npm:^5.0.1":
+  version: 5.0.1
+  resolution: "to-regex-range@npm:5.0.1"
+  dependencies:
+    is-number: ^7.0.0
+  checksum: f76fa01b3d5be85db6a2a143e24df9f60dd047d151062d0ba3df62953f2f697b16fe5dad9b0ac6191c7efc7b1d9dcaa4b768174b7b29da89d4428e64bc0a20ed
+  languageName: node
+  linkType: hard
+
+"to-regex@npm:^3.0.1, to-regex@npm:^3.0.2":
+  version: 3.0.2
+  resolution: "to-regex@npm:3.0.2"
+  dependencies:
+    define-property: ^2.0.2
+    extend-shallow: ^3.0.2
+    regex-not: ^1.0.2
+    safe-regex: ^1.1.0
+  checksum: 4ed4a619059b64e204aad84e4e5f3ea82d97410988bcece7cf6cbfdbf193d11bff48cf53842d88b8bb00b1bfc0d048f61f20f0709e6f393fd8fe0122662d9db4
+  languageName: node
+  linkType: hard
+
+"toidentifier@npm:1.0.0":
+  version: 1.0.0
+  resolution: "toidentifier@npm:1.0.0"
+  checksum: 199e6bfca1531d49b3506cff02353d53ec987c9ee10ee272ca6484ed97f1fc10fb77c6c009079ca16d5c5be4a10378178c3cacdb41ce9ec954c3297c74c6053e
+  languageName: node
+  linkType: hard
+
+"toidentifier@npm:1.0.1":
+  version: 1.0.1
+  resolution: "toidentifier@npm:1.0.1"
+  checksum: 952c29e2a85d7123239b5cfdd889a0dde47ab0497f0913d70588f19c53f7e0b5327c95f4651e413c74b785147f9637b17410ac8c846d5d4a20a5a33eb6dc3a45
+  languageName: node
+  linkType: hard
+
+"tough-cookie@npm:^2.3.3, tough-cookie@npm:~2.5.0":
+  version: 2.5.0
+  resolution: "tough-cookie@npm:2.5.0"
+  dependencies:
+    psl: ^1.1.28
+    punycode: ^2.1.1
+  checksum: 16a8cd090224dd176eee23837cbe7573ca0fa297d7e468ab5e1c02d49a4e9a97bb05fef11320605eac516f91d54c57838a25864e8680e27b069a5231d8264977
+  languageName: node
+  linkType: hard
+
+"tough-cookie@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "tough-cookie@npm:4.0.0"
+  dependencies:
+    psl: ^1.1.33
+    punycode: ^2.1.1
+    universalify: ^0.1.2
+  checksum: 0891b37eb7d17faa3479d47f0dce2e3007f2583094ad272f2670d120fbcc3df3b0b0a631ba96ecad49f9e2297d93ff8995ce0d3292d08dd7eabe162f5b224d69
+  languageName: node
+  linkType: hard
+
+"tr46@npm:^2.0.2":
+  version: 2.0.2
+  resolution: "tr46@npm:2.0.2"
+  dependencies:
+    punycode: ^2.1.1
+  checksum: 2b2b3dfa6bc65d027b2fac729fba0fb5b9d98af7b69ad6876c0f088ebf127f2d53e5a4d4464e5de40380cf721f392262c9183d2a05cea4967a890e8801c842f6
+  languageName: node
+  linkType: hard
+
+"tracked-built-ins@npm:^3.1.1":
+  version: 3.2.0
+  resolution: "tracked-built-ins@npm:3.2.0"
+  dependencies:
+    "@embroider/addon-shim": ^1.8.3
+    ember-tracked-storage-polyfill: ^1.0.0
+  checksum: 262c8df5cfa2911a9b2288e1d34aa9b07b6e5673d0138531445e86426253176f51f4c96083f60e564a380df1f489cdd0bc522b75a9b04fdadfe374f543bbed85
+  languageName: node
+  linkType: hard
+
+"tracked-maps-and-sets@npm:^3.0.1":
+  version: 3.0.2
+  resolution: "tracked-maps-and-sets@npm:3.0.2"
+  dependencies:
+    "@glimmer/tracking": ^1.0.0
+    ember-cli-babel: ^7.26.6
+    ember-cli-typescript: ^4.2.1
+    ember-tracked-storage-polyfill: 1.0.0
+  checksum: 3bcd53d27c751d4d7355457d7639fb6c9cf93f8d3b9a955b04805809b628b2fdb62b1899313c2bc7a92b64817a26d2fc648452d5f662de967767351439b70f11
+  languageName: node
+  linkType: hard
+
+"traverse@npm:^0.6.6":
+  version: 0.6.6
+  resolution: "traverse@npm:0.6.6"
+  checksum: e2afa72f11efa9ba31ed763d2d9d2aa244612f22015d16c0ea3ba5f6ca8bf071de87f8108b721885cce06ea4a36ef4605d9228c67e431d9015ea4685cb364420
+  languageName: node
+  linkType: hard
+
+"tree-sync@npm:^1.2.2":
+  version: 1.4.0
+  resolution: "tree-sync@npm:1.4.0"
+  dependencies:
+    debug: ^2.2.0
+    fs-tree-diff: ^0.5.6
+    mkdirp: ^0.5.1
+    quick-temp: ^0.1.5
+    walk-sync: ^0.3.3
+  checksum: af76c496653dea16c125cf16a7313814d453ce51d7d9ac3aafc9b4d60150c25477c7228a9821b8479951ef70d7bf2f7950c206cbc2e9843e57692d69c2221503
+  languageName: node
+  linkType: hard
+
+"tree-sync@npm:^2.0.0, tree-sync@npm:^2.1.0":
+  version: 2.1.0
+  resolution: "tree-sync@npm:2.1.0"
+  dependencies:
+    debug: ^4.1.1
+    fs-tree-diff: ^2.0.1
+    mkdirp: ^0.5.5
+    quick-temp: ^0.1.5
+    walk-sync: ^0.3.3
+  checksum: 6454ca6021cf7ab9220764b7577370af4601d4172085b55f45ab6f414639281f95deb2e10cb46007b6f04dba5189cb11e48fb43be908f78369a93a6b680c9342
+  languageName: node
+  linkType: hard
+
+"trim-newlines@npm:^4.0.2":
+  version: 4.1.1
+  resolution: "trim-newlines@npm:4.1.1"
+  checksum: 5b09f8e329e8f33c1111ef26906332ba7ba7248cde3e26fc054bb3d69f2858bf5feedca9559c572ff91f33e52977c28e0d41c387df6a02a633cbb8c2d8238627
+  languageName: node
+  linkType: hard
+
+"trim-right@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "trim-right@npm:1.0.1"
+  checksum: 9120af534e006a7424a4f9358710e6e707887b6ccf7ea69e50d6ac6464db1fe22268400def01752f09769025d480395159778153fb98d4a2f6f40d4cf5d4f3b6
+  languageName: node
+  linkType: hard
+
+"trough@npm:^1.0.0":
+  version: 1.0.5
+  resolution: "trough@npm:1.0.5"
+  checksum: d6c8564903ed00e5258bab92134b020724dbbe83148dc72e4bf6306c03ed8843efa1bcc773fa62410dd89161ecb067432dd5916501793508a9506cacbc408e25
+  languageName: node
+  linkType: hard
+
+"tslib@npm:^1.8.1, tslib@npm:^1.9.0":
+  version: 1.14.1
+  resolution: "tslib@npm:1.14.1"
+  checksum: dbe628ef87f66691d5d2959b3e41b9ca0045c3ee3c7c7b906cc1e328b39f199bb1ad9e671c39025bd56122ac57dfbf7385a94843b1cc07c60a4db74795829acd
+  languageName: node
+  linkType: hard
+
+"tslib@npm:^2.0.3":
+  version: 2.2.0
+  resolution: "tslib@npm:2.2.0"
+  checksum: a48c9639f7496fa701ea8ffe0561070fcb44c104a59632f7f845c0af00825c99b6373575ec59b2b5cdbfd7505875086dbe5dc83312304d8979f22ce571218ca3
+  languageName: node
+  linkType: hard
+
+"tslib@npm:^2.1.0":
+  version: 2.4.1
+  resolution: "tslib@npm:2.4.1"
+  checksum: 19480d6e0313292bd6505d4efe096a6b31c70e21cf08b5febf4da62e95c265c8f571f7b36fcc3d1a17e068032f59c269fab3459d6cd3ed6949eafecf64315fca
+  languageName: node
+  linkType: hard
+
+"tslib@npm:^2.3.1":
+  version: 2.3.1
+  resolution: "tslib@npm:2.3.1"
+  checksum: de17a98d4614481f7fcb5cd53ffc1aaf8654313be0291e1bfaee4b4bb31a20494b7d218ff2e15017883e8ea9626599b3b0e0229c18383ba9dce89da2adf15cb9
+  languageName: node
+  linkType: hard
+
+"tsutils@npm:^3.21.0":
+  version: 3.21.0
+  resolution: "tsutils@npm:3.21.0"
+  dependencies:
+    tslib: ^1.8.1
+  peerDependencies:
+    typescript: ">=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta"
+  checksum: 1843f4c1b2e0f975e08c4c21caa4af4f7f65a12ac1b81b3b8489366826259323feb3fc7a243123453d2d1a02314205a7634e048d4a8009921da19f99755cdc48
+  languageName: node
+  linkType: hard
+
+"tty-browserify@npm:0.0.0":
+  version: 0.0.0
+  resolution: "tty-browserify@npm:0.0.0"
+  checksum: a06f746acc419cb2527ba19b6f3bd97b4a208c03823bfb37b2982629d2effe30ebd17eaed0d7e2fc741f3c4f2a0c43455bd5fb4194354b378e78cfb7ca687f59
+  languageName: node
+  linkType: hard
+
+"tunnel-agent@npm:^0.6.0":
+  version: 0.6.0
+  resolution: "tunnel-agent@npm:0.6.0"
+  dependencies:
+    safe-buffer: ^5.0.1
+  checksum: 05f6510358f8afc62a057b8b692f05d70c1782b70db86d6a1e0d5e28a32389e52fa6e7707b6c5ecccacc031462e4bc35af85ecfe4bbc341767917b7cf6965711
+  languageName: node
+  linkType: hard
+
+"tweetnacl@npm:^0.14.3, tweetnacl@npm:~0.14.0":
+  version: 0.14.5
+  resolution: "tweetnacl@npm:0.14.5"
+  checksum: 6061daba1724f59473d99a7bb82e13f211cdf6e31315510ae9656fefd4779851cb927adad90f3b488c8ed77c106adc0421ea8055f6f976ff21b27c5c4e918487
+  languageName: node
+  linkType: hard
+
+"type-check@npm:^0.4.0, type-check@npm:~0.4.0":
+  version: 0.4.0
+  resolution: "type-check@npm:0.4.0"
+  dependencies:
+    prelude-ls: ^1.2.1
+  checksum: ec688ebfc9c45d0c30412e41ca9c0cdbd704580eb3a9ccf07b9b576094d7b86a012baebc95681999dd38f4f444afd28504cb3a89f2ef16b31d4ab61a0739025a
+  languageName: node
+  linkType: hard
+
+"type-check@npm:~0.3.2":
+  version: 0.3.2
+  resolution: "type-check@npm:0.3.2"
+  dependencies:
+    prelude-ls: ~1.1.2
+  checksum: dd3b1495642731bc0e1fc40abe5e977e0263005551ac83342ecb6f4f89551d106b368ec32ad3fb2da19b3bd7b2d1f64330da2ea9176d8ddbfe389fb286eb5124
+  languageName: node
+  linkType: hard
+
+"type-detect@npm:4.0.8":
+  version: 4.0.8
+  resolution: "type-detect@npm:4.0.8"
+  checksum: 62b5628bff67c0eb0b66afa371bd73e230399a8d2ad30d852716efcc4656a7516904570cd8631a49a3ce57c10225adf5d0cbdcb47f6b0255fe6557c453925a15
+  languageName: node
+  linkType: hard
+
+"type-fest@npm:^0.11.0":
+  version: 0.11.0
+  resolution: "type-fest@npm:0.11.0"
+  checksum: 8e7589e1eb5ced6c8e1d3051553b59b9f525c41e58baa898229915781c7bf55db8cb2f74e56d8031f6af5af2eecc7cb8da9ca3af7e5b80b49d8ca5a81891f3f9
+  languageName: node
+  linkType: hard
+
+"type-fest@npm:^0.20.2":
+  version: 0.20.2
+  resolution: "type-fest@npm:0.20.2"
+  checksum: 4fb3272df21ad1c552486f8a2f8e115c09a521ad7a8db3d56d53718d0c907b62c6e9141ba5f584af3f6830d0872c521357e512381f24f7c44acae583ad517d73
+  languageName: node
+  linkType: hard
+
+"type-fest@npm:^0.21.3":
+  version: 0.21.3
+  resolution: "type-fest@npm:0.21.3"
+  checksum: e6b32a3b3877f04339bae01c193b273c62ba7bfc9e325b8703c4ee1b32dc8fe4ef5dfa54bf78265e069f7667d058e360ae0f37be5af9f153b22382cd55a9afe0
+  languageName: node
+  linkType: hard
+
+"type-fest@npm:^1.0.1, type-fest@npm:^1.2.1, type-fest@npm:^1.2.2":
+  version: 1.4.0
+  resolution: "type-fest@npm:1.4.0"
+  checksum: b011c3388665b097ae6a109a437a04d6f61d81b7357f74cbcb02246f2f5bd72b888ae33631b99871388122ba0a87f4ff1c94078e7119ff22c70e52c0ff828201
+  languageName: node
+  linkType: hard
+
+"type-is@npm:~1.6.17, type-is@npm:~1.6.18":
+  version: 1.6.18
+  resolution: "type-is@npm:1.6.18"
+  dependencies:
+    media-typer: 0.3.0
+    mime-types: ~2.1.24
+  checksum: 2c8e47675d55f8b4e404bcf529abdf5036c537a04c2b20177bcf78c9e3c1da69da3942b1346e6edb09e823228c0ee656ef0e033765ec39a70d496ef601a0c657
+  languageName: node
+  linkType: hard
+
+"typed-array-length@npm:^1.0.4":
+  version: 1.0.4
+  resolution: "typed-array-length@npm:1.0.4"
+  dependencies:
+    call-bind: ^1.0.2
+    for-each: ^0.3.3
+    is-typed-array: ^1.1.9
+  checksum: 2228febc93c7feff142b8c96a58d4a0d7623ecde6c7a24b2b98eb3170e99f7c7eff8c114f9b283085cd59dcd2bd43aadf20e25bba4b034a53c5bb292f71f8956
+  languageName: node
+  linkType: hard
+
+"typedarray-to-buffer@npm:^3.1.5":
+  version: 3.1.5
+  resolution: "typedarray-to-buffer@npm:3.1.5"
+  dependencies:
+    is-typedarray: ^1.0.0
+  checksum: 99c11aaa8f45189fcfba6b8a4825fd684a321caa9bd7a76a27cf0c7732c174d198b99f449c52c3818107430b5f41c0ccbbfb75cb2ee3ca4a9451710986d61a60
+  languageName: node
+  linkType: hard
+
+"typedarray@npm:^0.0.6":
+  version: 0.0.6
+  resolution: "typedarray@npm:0.0.6"
+  checksum: 33b39f3d0e8463985eeaeeacc3cb2e28bc3dfaf2a5ed219628c0b629d5d7b810b0eb2165f9f607c34871d5daa92ba1dc69f49051cf7d578b4cbd26c340b9d1b1
+  languageName: node
+  linkType: hard
+
+"typescript-memoize@npm:^1.0.0-alpha.3, typescript-memoize@npm:^1.0.1":
+  version: 1.1.0
+  resolution: "typescript-memoize@npm:1.1.0"
+  checksum: a7d3357adbf421972619397c5db562664f3d440629a5afbb510c09e23e3a176424f600c3c853addc2234a9b7be3e61dae984771c057a76980fab67fb30c70d64
+  languageName: node
+  linkType: hard
+
+"typescript@npm:^4.5.4, typescript@npm:^4.8.4":
+  version: 4.8.4
+  resolution: "typescript@npm:4.8.4"
+  bin:
+    tsc: bin/tsc
+    tsserver: bin/tsserver
+  checksum: 3e4f061658e0c8f36c820802fa809e0fd812b85687a9a2f5430bc3d0368e37d1c9605c3ce9b39df9a05af2ece67b1d844f9f6ea8ff42819f13bcb80f85629af0
+  languageName: node
+  linkType: hard
+
+"typescript@patch:typescript@^4.5.4#~builtin<compat/typescript>, typescript@patch:typescript@^4.8.4#~builtin<compat/typescript>":
+  version: 4.8.4
+  resolution: "typescript@patch:typescript@npm%3A4.8.4#~builtin<compat/typescript>::version=4.8.4&hash=1a91c8"
+  bin:
+    tsc: bin/tsc
+    tsserver: bin/tsserver
+  checksum: c981e82b77a5acdcc4e69af9c56cdecf5b934a87a08e7b52120596701e389a878b8e3f860e73ffb287bf649cc47a8c741262ce058148f71de4cdd88bb9c75153
+  languageName: node
+  linkType: hard
+
+"uc.micro@npm:^1.0.1, uc.micro@npm:^1.0.5":
+  version: 1.0.6
+  resolution: "uc.micro@npm:1.0.6"
+  checksum: 6898bb556319a38e9cf175e3628689347bd26fec15fc6b29fa38e0045af63075ff3fea4cf1fdba9db46c9f0cbf07f2348cd8844889dd31ebd288c29fe0d27e7a
+  languageName: node
+  linkType: hard
+
+"uglify-js@npm:^3.1.4":
+  version: 3.14.3
+  resolution: "uglify-js@npm:3.14.3"
+  bin:
+    uglifyjs: bin/uglifyjs
+  checksum: eef57b4fec031f687bef46182c33de5eff6bc40fec8d46152f3b92bb044602dd524a04e33ca5f7391f82db969b92ef6aded860f8a4ee5f4bf796d7420b030236
+  languageName: node
+  linkType: hard
+
+"unbox-primitive@npm:^1.0.0, unbox-primitive@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "unbox-primitive@npm:1.0.1"
+  dependencies:
+    function-bind: ^1.1.1
+    has-bigints: ^1.0.1
+    has-symbols: ^1.0.2
+    which-boxed-primitive: ^1.0.2
+  checksum: 89d950e18fb45672bc6b3c961f1e72c07beb9640c7ceed847b571ba6f7d2af570ae1a2584cfee268b9d9ea1e3293f7e33e0bc29eaeb9f8e8a0bab057ff9e6bba
+  languageName: node
+  linkType: hard
+
+"unbox-primitive@npm:^1.0.2":
+  version: 1.0.2
+  resolution: "unbox-primitive@npm:1.0.2"
+  dependencies:
+    call-bind: ^1.0.2
+    has-bigints: ^1.0.2
+    has-symbols: ^1.0.3
+    which-boxed-primitive: ^1.0.2
+  checksum: b7a1cf5862b5e4b5deb091672ffa579aa274f648410009c81cca63fed3b62b610c4f3b773f912ce545bb4e31edc3138975b5bc777fc6e4817dca51affb6380e9
+  languageName: node
+  linkType: hard
+
+"underscore.string@npm:^3.2.2, underscore.string@npm:~3.3.4":
+  version: 3.3.5
+  resolution: "underscore.string@npm:3.3.5"
+  dependencies:
+    sprintf-js: ^1.0.3
+    util-deprecate: ^1.0.2
+  checksum: 86c60f4e9c3176ae77a548ec2ac659cc3cf48b93c7cff7d548f7c91569fc15885c90816245bf4d6925241f64b54508fc60aac562246ea2de2e50d0411e82a702
+  languageName: node
+  linkType: hard
+
+"underscore@npm:^1.12.1":
+  version: 1.13.1
+  resolution: "underscore@npm:1.13.1"
+  checksum: 69bb4e6dd92c387ad322dd5b105f496fa64896d92ff1eea987610920d452667a12bca0938def4c4d60acd12da62410540fd268e7ca4f2480d89324498382fcac
+  languageName: node
+  linkType: hard
+
+"unicode-canonical-property-names-ecmascript@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "unicode-canonical-property-names-ecmascript@npm:2.0.0"
+  checksum: 39be078afd014c14dcd957a7a46a60061bc37c4508ba146517f85f60361acf4c7539552645ece25de840e17e293baa5556268d091ca6762747fdd0c705001a45
+  languageName: node
+  linkType: hard
+
+"unicode-match-property-ecmascript@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "unicode-match-property-ecmascript@npm:2.0.0"
+  dependencies:
+    unicode-canonical-property-names-ecmascript: ^2.0.0
+    unicode-property-aliases-ecmascript: ^2.0.0
+  checksum: 1f34a7434a23df4885b5890ac36c5b2161a809887000be560f56ad4b11126d433c0c1c39baf1016bdabed4ec54829a6190ee37aa24919aa116dc1a5a8a62965a
+  languageName: node
+  linkType: hard
+
+"unicode-match-property-value-ecmascript@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "unicode-match-property-value-ecmascript@npm:2.0.0"
+  checksum: 8fe6a09d9085a625cabcead5d95bdbc1a2d5d481712856092ce0347231e81a60b93a68f1b69e82b3076a07e415a72c708044efa2aa40ae23e2e7b5c99ed4a9ea
+  languageName: node
+  linkType: hard
+
+"unicode-match-property-value-ecmascript@npm:^2.1.0":
+  version: 2.1.0
+  resolution: "unicode-match-property-value-ecmascript@npm:2.1.0"
+  checksum: 8d6f5f586b9ce1ed0e84a37df6b42fdba1317a05b5df0c249962bd5da89528771e2d149837cad11aa26bcb84c35355cb9f58a10c3d41fa3b899181ece6c85220
+  languageName: node
+  linkType: hard
+
+"unicode-property-aliases-ecmascript@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "unicode-property-aliases-ecmascript@npm:2.0.0"
+  checksum: dda4d39128cbbede2ac60fbb85493d979ec65913b8a486bf7cb7a375a2346fa48cbf9dc6f1ae23376e7e8e684c2b411434891e151e865a661b40a85407db51d0
+  languageName: node
+  linkType: hard
+
+"unified@npm:^9.2.2":
+  version: 9.2.2
+  resolution: "unified@npm:9.2.2"
+  dependencies:
+    bail: ^1.0.0
+    extend: ^3.0.0
+    is-buffer: ^2.0.0
+    is-plain-obj: ^2.0.0
+    trough: ^1.0.0
+    vfile: ^4.0.0
+  checksum: 7c24461be7de4145939739ce50d18227c5fbdf9b3bc5a29dabb1ce26dd3e8bd4a1c385865f6f825f3b49230953ee8b591f23beab3bb3643e3e9dc37aa8a089d5
+  languageName: node
+  linkType: hard
+
+"union-value@npm:^1.0.0":
+  version: 1.0.1
+  resolution: "union-value@npm:1.0.1"
+  dependencies:
+    arr-union: ^3.1.0
+    get-value: ^2.0.6
+    is-extendable: ^0.1.1
+    set-value: ^2.0.1
+  checksum: a3464097d3f27f6aa90cf103ed9387541bccfc006517559381a10e0dffa62f465a9d9a09c9b9c3d26d0f4cbe61d4d010e2fbd710fd4bf1267a768ba8a774b0ba
+  languageName: node
+  linkType: hard
+
+"unique-filename@npm:^1.1.1":
+  version: 1.1.1
+  resolution: "unique-filename@npm:1.1.1"
+  dependencies:
+    unique-slug: ^2.0.0
+  checksum: cf4998c9228cc7647ba7814e255dec51be43673903897b1786eff2ac2d670f54d4d733357eb08dea969aa5e6875d0e1bd391d668fbdb5a179744e7c7551a6f80
+  languageName: node
+  linkType: hard
+
+"unique-filename@npm:^2.0.0":
+  version: 2.0.1
+  resolution: "unique-filename@npm:2.0.1"
+  dependencies:
+    unique-slug: ^3.0.0
+  checksum: 807acf3381aff319086b64dc7125a9a37c09c44af7620bd4f7f3247fcd5565660ac12d8b80534dcbfd067e6fe88a67e621386dd796a8af828d1337a8420a255f
+  languageName: node
+  linkType: hard
+
+"unique-slug@npm:^2.0.0":
+  version: 2.0.2
+  resolution: "unique-slug@npm:2.0.2"
+  dependencies:
+    imurmurhash: ^0.1.4
+  checksum: 5b6876a645da08d505dedb970d1571f6cebdf87044cb6b740c8dbb24f0d6e1dc8bdbf46825fd09f994d7cf50760e6f6e063cfa197d51c5902c00a861702eb75a
+  languageName: node
+  linkType: hard
+
+"unique-slug@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "unique-slug@npm:3.0.0"
+  dependencies:
+    imurmurhash: ^0.1.4
+  checksum: 49f8d915ba7f0101801b922062ee46b7953256c93ceca74303bd8e6413ae10aa7e8216556b54dc5382895e8221d04f1efaf75f945c2e4a515b4139f77aa6640c
+  languageName: node
+  linkType: hard
+
+"unique-string@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "unique-string@npm:2.0.0"
+  dependencies:
+    crypto-random-string: ^2.0.0
+  checksum: ef68f639136bcfe040cf7e3cd7a8dff076a665288122855148a6f7134092e6ed33bf83a7f3a9185e46c98dddc445a0da6ac25612afa1a7c38b8b654d6c02498e
+  languageName: node
+  linkType: hard
+
+"unist-util-is@npm:^4.0.0":
+  version: 4.1.0
+  resolution: "unist-util-is@npm:4.1.0"
+  checksum: 726484cd2adc9be75a939aeedd48720f88294899c2e4a3143da413ae593f2b28037570730d5cf5fd910ff41f3bc1501e3d636b6814c478d71126581ef695f7ea
+  languageName: node
+  linkType: hard
+
+"unist-util-stringify-position@npm:^2.0.0":
+  version: 2.0.3
+  resolution: "unist-util-stringify-position@npm:2.0.3"
+  dependencies:
+    "@types/unist": ^2.0.2
+  checksum: f755cadc959f9074fe999578a1a242761296705a7fe87f333a37c00044de74ab4b184b3812989a57d4cd12211f0b14ad397b327c3a594c7af84361b1c25a7f09
+  languageName: node
+  linkType: hard
+
+"unist-util-visit-parents@npm:^3.0.0":
+  version: 3.1.1
+  resolution: "unist-util-visit-parents@npm:3.1.1"
+  dependencies:
+    "@types/unist": ^2.0.0
+    unist-util-is: ^4.0.0
+  checksum: 1170e397dff88fab01e76d5154981666eb0291019d2462cff7a2961a3e76d3533b42eaa16b5b7e2d41ad42a5ea7d112301458283d255993e660511387bf67bc3
+  languageName: node
+  linkType: hard
+
+"universalify@npm:^0.1.0, universalify@npm:^0.1.2":
+  version: 0.1.2
+  resolution: "universalify@npm:0.1.2"
+  checksum: 40cdc60f6e61070fe658ca36016a8f4ec216b29bf04a55dce14e3710cc84c7448538ef4dad3728d0bfe29975ccd7bfb5f414c45e7b78883567fb31b246f02dff
+  languageName: node
+  linkType: hard
+
+"universalify@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "universalify@npm:2.0.0"
+  checksum: 2406a4edf4a8830aa6813278bab1f953a8e40f2f63a37873ffa9a3bc8f9745d06cc8e88f3572cb899b7e509013f7f6fcc3e37e8a6d914167a5381d8440518c44
+  languageName: node
+  linkType: hard
+
+"unpipe@npm:1.0.0, unpipe@npm:~1.0.0":
+  version: 1.0.0
+  resolution: "unpipe@npm:1.0.0"
+  checksum: 4fa18d8d8d977c55cb09715385c203197105e10a6d220087ec819f50cb68870f02942244f1017565484237f1f8c5d3cd413631b1ae104d3096f24fdfde1b4aa2
+  languageName: node
+  linkType: hard
+
+"unquote@npm:~1.1.1":
+  version: 1.1.1
+  resolution: "unquote@npm:1.1.1"
+  checksum: 71745867d09cba44ba2d26cb71d6dda7045a98b14f7405df4faaf2b0c90d24703ad027a9d90ba9a6e0d096de2c8d56f864fd03f1c0498c0b7a3990f73b4c8f5f
+  languageName: node
+  linkType: hard
+
+"unset-value@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "unset-value@npm:1.0.0"
+  dependencies:
+    has-value: ^0.3.1
+    isobject: ^3.0.0
+  checksum: 5990ecf660672be2781fc9fb322543c4aa592b68ed9a3312fa4df0e9ba709d42e823af090fc8f95775b4cd2c9a5169f7388f0cec39238b6d0d55a69fc2ab6b29
+  languageName: node
+  linkType: hard
+
+"untildify@npm:^2.1.0":
+  version: 2.1.0
+  resolution: "untildify@npm:2.1.0"
+  dependencies:
+    os-homedir: ^1.0.0
+  checksum: 071b394053fc94747d9df8c7f7ca50af41355c1207c8a0bf9f35f52b0d9ad5142a1920b018bc2b6ff04340a4f9c599ad50c9b8f4ff2c689ae52b1463ebbda94e
+  languageName: node
+  linkType: hard
+
+"upath@npm:^1.1.1":
+  version: 1.2.0
+  resolution: "upath@npm:1.2.0"
+  checksum: 4c05c094797cb733193a0784774dbea5b1889d502fc9f0572164177e185e4a59ba7099bf0b0adf945b232e2ac60363f9bf18aac9b2206fb99cbef971a8455445
+  languageName: node
+  linkType: hard
+
+"upath@npm:^2.0.1":
+  version: 2.0.1
+  resolution: "upath@npm:2.0.1"
+  checksum: 2db04f24a03ef72204c7b969d6991abec9e2cb06fb4c13a1fd1c59bc33b46526b16c3325e55930a11ff86a77a8cbbcda8f6399bf914087028c5beae21ecdb33c
+  languageName: node
+  linkType: hard
+
+"update-browserslist-db@npm:^1.0.11":
+  version: 1.0.11
+  resolution: "update-browserslist-db@npm:1.0.11"
+  dependencies:
+    escalade: ^3.1.1
+    picocolors: ^1.0.0
+  peerDependencies:
+    browserslist: ">= 4.21.0"
+  bin:
+    update-browserslist-db: cli.js
+  checksum: b98327518f9a345c7cad5437afae4d2ae7d865f9779554baf2a200fdf4bac4969076b679b1115434bd6557376bdd37ca7583d0f9b8f8e302d7d4cc1e91b5f231
+  languageName: node
+  linkType: hard
+
+"update-browserslist-db@npm:^1.0.13":
+  version: 1.0.13
+  resolution: "update-browserslist-db@npm:1.0.13"
+  dependencies:
+    escalade: ^3.1.1
+    picocolors: ^1.0.0
+  peerDependencies:
+    browserslist: ">= 4.21.0"
+  bin:
+    update-browserslist-db: cli.js
+  checksum: 1e47d80182ab6e4ad35396ad8b61008ae2a1330221175d0abd37689658bdb61af9b705bfc41057fd16682474d79944fb2d86767c5ed5ae34b6276b9bed353322
+  languageName: node
+  linkType: hard
+
+"update-section@npm:^0.3.3":
+  version: 0.3.3
+  resolution: "update-section@npm:0.3.3"
+  checksum: 77176459493af2565eccdff16f126a7cec1636ec16a458554bac128631129e734884a0f889d9579cd59739c04c047d46ca19dbe5550e0894736e5bc524fceb18
+  languageName: node
+  linkType: hard
+
+"uri-js@npm:^4.2.2":
+  version: 4.4.1
+  resolution: "uri-js@npm:4.4.1"
+  dependencies:
+    punycode: ^2.1.0
+  checksum: 7167432de6817fe8e9e0c9684f1d2de2bb688c94388f7569f7dbdb1587c9f4ca2a77962f134ec90be0cc4d004c939ff0d05acc9f34a0db39a3c797dada262633
+  languageName: node
+  linkType: hard
+
+"urix@npm:^0.1.0":
+  version: 0.1.0
+  resolution: "urix@npm:0.1.0"
+  checksum: 4c076ecfbf3411e888547fe844e52378ab5ada2d2f27625139011eada79925e77f7fbf0e4016d45e6a9e9adb6b7e64981bd49b22700c7c401c5fc15f423303b3
+  languageName: node
+  linkType: hard
+
+"url@npm:^0.11.0":
+  version: 0.11.0
+  resolution: "url@npm:0.11.0"
+  dependencies:
+    punycode: 1.3.2
+    querystring: 0.2.0
+  checksum: 50d100d3dd2d98b9fe3ada48cadb0b08aa6be6d3ac64112b867b56b19be4bfcba03c2a9a0d7922bfd7ac17d4834e88537749fe182430dfd9b68e520175900d90
+  languageName: node
+  linkType: hard
+
+"use@npm:^3.1.0":
+  version: 3.1.1
+  resolution: "use@npm:3.1.1"
+  checksum: 08a130289f5238fcbf8f59a18951286a6e660d17acccc9d58d9b69dfa0ee19aa038e8f95721b00b432c36d1629a9e32a464bf2e7e0ae6a244c42ddb30bdd8b33
+  languageName: node
+  linkType: hard
+
+"username-sync@npm:^1.0.2":
+  version: 1.0.3
+  resolution: "username-sync@npm:1.0.3"
+  checksum: 1a2aaa8629d018daebd8500272a3064041e18ed157eb32d098dab6ea7dc111b2904222c61bb50f25340d378f003aacbefb3fd6313dd42586137532bc38befe8e
+  languageName: node
+  linkType: hard
+
+"util-deprecate@npm:^1.0.1, util-deprecate@npm:^1.0.2, util-deprecate@npm:~1.0.1":
+  version: 1.0.2
+  resolution: "util-deprecate@npm:1.0.2"
+  checksum: 474acf1146cb2701fe3b074892217553dfcf9a031280919ba1b8d651a068c9b15d863b7303cb15bd00a862b498e6cf4ad7b4a08fb134edd5a6f7641681cb54a2
+  languageName: node
+  linkType: hard
+
+"util.promisify@npm:~1.0.0":
+  version: 1.0.1
+  resolution: "util.promisify@npm:1.0.1"
+  dependencies:
+    define-properties: ^1.1.3
+    es-abstract: ^1.17.2
+    has-symbols: ^1.0.1
+    object.getownpropertydescriptors: ^2.1.0
+  checksum: d823c75b3fc66510018596f128a6592c98991df38bc0464a633bdf9134e2de0a1a33199c5c21cc261048a3982d7a19e032ecff8835b3c587f843deba96063e37
+  languageName: node
+  linkType: hard
+
+"util@npm:0.10.3":
+  version: 0.10.3
+  resolution: "util@npm:0.10.3"
+  dependencies:
+    inherits: 2.0.1
+  checksum: bd800f5d237a82caddb61723a6cbe45297d25dd258651a31335a4d5d981fd033cb4771f82db3d5d59b582b187cb69cfe727dc6f4d8d7826f686ee6c07ce611e0
+  languageName: node
+  linkType: hard
+
+"util@npm:^0.11.0":
+  version: 0.11.1
+  resolution: "util@npm:0.11.1"
+  dependencies:
+    inherits: 2.0.3
+  checksum: 80bee6a2edf5ab08dcb97bfe55ca62289b4e66f762ada201f2c5104cb5e46474c8b334f6504d055c0e6a8fda10999add9bcbd81ba765e7f37b17dc767331aa55
+  languageName: node
+  linkType: hard
+
+"utils-merge@npm:1.0.1":
+  version: 1.0.1
+  resolution: "utils-merge@npm:1.0.1"
+  checksum: c81095493225ecfc28add49c106ca4f09cdf56bc66731aa8dabc2edbbccb1e1bfe2de6a115e5c6a380d3ea166d1636410b62ef216bb07b3feb1cfde1d95d5080
+  languageName: node
+  linkType: hard
+
+"uuid@npm:^3.3.2":
+  version: 3.4.0
+  resolution: "uuid@npm:3.4.0"
+  bin:
+    uuid: ./bin/uuid
+  checksum: 58de2feed61c59060b40f8203c0e4ed7fd6f99d42534a499f1741218a1dd0c129f4aa1de797bcf822c8ea5da7e4137aa3673431a96dae729047f7aca7b27866f
+  languageName: node
+  linkType: hard
+
+"uuid@npm:^8.3.0":
+  version: 8.3.2
+  resolution: "uuid@npm:8.3.2"
+  bin:
+    uuid: dist/bin/uuid
+  checksum: 5575a8a75c13120e2f10e6ddc801b2c7ed7d8f3c8ac22c7ed0c7b2ba6383ec0abda88c905085d630e251719e0777045ae3236f04c812184b7c765f63a70e58df
+  languageName: node
+  linkType: hard
+
+"uuid@npm:^9.0.0":
+  version: 9.0.0
+  resolution: "uuid@npm:9.0.0"
+  bin:
+    uuid: dist/bin/uuid
+  checksum: 8dd2c83c43ddc7e1c71e36b60aea40030a6505139af6bee0f382ebcd1a56f6cd3028f7f06ffb07f8cf6ced320b76aea275284b224b002b289f89fe89c389b028
+  languageName: node
+  linkType: hard
+
+"v8-compile-cache@npm:^2.3.0":
+  version: 2.3.0
+  resolution: "v8-compile-cache@npm:2.3.0"
+  checksum: adb0a271eaa2297f2f4c536acbfee872d0dd26ec2d76f66921aa7fc437319132773483344207bdbeee169225f4739016d8d2dbf0553913a52bb34da6d0334f8e
+  languageName: node
+  linkType: hard
+
+"validate-npm-package-license@npm:^3.0.1":
+  version: 3.0.4
+  resolution: "validate-npm-package-license@npm:3.0.4"
+  dependencies:
+    spdx-correct: ^3.0.0
+    spdx-expression-parse: ^3.0.0
+  checksum: 35703ac889d419cf2aceef63daeadbe4e77227c39ab6287eeb6c1b36a746b364f50ba22e88591f5d017bc54685d8137bc2d328d0a896e4d3fd22093c0f32a9ad
+  languageName: node
+  linkType: hard
+
+"validate-npm-package-name@npm:^5.0.0":
+  version: 5.0.0
+  resolution: "validate-npm-package-name@npm:5.0.0"
+  dependencies:
+    builtins: ^5.0.0
+  checksum: 5342a994986199b3c28e53a8452a14b2bb5085727691ea7aa0d284a6606b127c371e0925ae99b3f1ef7cc7d2c9de75f52eb61a3d1cc45e39bca1e3a9444cbb4e
+  languageName: node
+  linkType: hard
+
+"validate-peer-dependencies@npm:^1.1.0":
+  version: 1.2.0
+  resolution: "validate-peer-dependencies@npm:1.2.0"
+  dependencies:
+    resolve-package-path: ^3.1.0
+    semver: ^7.3.2
+  checksum: a48f4841ff87edf1c0b3dd6e49d197169d654d6206495714ba687112fc30136674c1f0d44d89b935cf15aeb7692024a268af78c6c9ca0a1dad08e72cc7118566
+  languageName: node
+  linkType: hard
+
+"validate-peer-dependencies@npm:^2.1.0":
+  version: 2.2.0
+  resolution: "validate-peer-dependencies@npm:2.2.0"
+  dependencies:
+    resolve-package-path: ^4.0.3
+    semver: ^7.3.8
+  checksum: 0f025e34d9d469c03cf221c34da7e6b53a463ba11bb69294da63a08de67776384e3ef15e3bb479318f304593ae40f502c3e17a9cb671df4d73a9d1005b8b4774
+  languageName: node
+  linkType: hard
+
+"vary@npm:^1, vary@npm:~1.1.2":
+  version: 1.1.2
+  resolution: "vary@npm:1.1.2"
+  checksum: ae0123222c6df65b437669d63dfa8c36cee20a504101b2fcd97b8bf76f91259c17f9f2b4d70a1e3c6bbcee7f51b28392833adb6b2770b23b01abec84e369660b
+  languageName: node
+  linkType: hard
+
+"vault@workspace:.":
+  version: 0.0.0-use.local
+  resolution: "vault@workspace:."
+  dependencies:
+    "@babel/eslint-parser": ^7.21.3
+    "@babel/plugin-proposal-decorators": ^7.21.0
+    "@babel/plugin-proposal-object-rest-spread": ^7.12.1
+    "@babel/plugin-transform-block-scoping": ^7.12.1
+    "@ember/legacy-built-in-components": ^0.4.1
+    "@ember/optional-features": ^2.0.0
+    "@ember/render-modifiers": ^1.0.2
+    "@ember/string": ^3.0.1
+    "@ember/test-helpers": 2.9.3
+    "@ember/test-waiters": ^3.0.0
+    "@glimmer/component": ^1.1.2
+    "@glimmer/tracking": ^1.1.2
+    "@hashicorp/design-system-components": ^3.3.0
+    "@hashicorp/ember-flight-icons": ^4.0.4
+    "@hashicorp/structure-icons": ^1.3.0
+    "@icholy/duration": ^5.1.0
+    "@tsconfig/ember": ^1.0.1
+    "@types/ember": ^4.0.2
+    "@types/ember-data": ^4.4.6
+    "@types/ember-data__adapter": ^4.0.1
+    "@types/ember-data__model": ^4.0.0
+    "@types/ember-data__serializer": ^4.0.1
+    "@types/ember-data__store": ^4.0.2
+    "@types/ember-qunit": ^5.0.2
+    "@types/ember-resolver": ^5.0.13
+    "@types/ember__application": ^4.0.4
+    "@types/ember__array": ^4.0.3
+    "@types/ember__component": ^4.0.11
+    "@types/ember__controller": ^4.0.3
+    "@types/ember__debug": ^4.0.3
+    "@types/ember__destroyable": ^4.0.1
+    "@types/ember__engine": ^4.0.4
+    "@types/ember__error": ^4.0.1
+    "@types/ember__object": ^4.0.5
+    "@types/ember__polyfills": ^4.0.1
+    "@types/ember__routing": ^4.0.12
+    "@types/ember__runloop": ^4.0.2
+    "@types/ember__service": ^4.0.1
+    "@types/ember__string": ^3.0.10
+    "@types/ember__template": ^4.0.1
+    "@types/ember__test": ^4.0.1
+    "@types/ember__test-helpers": ^2.8.2
+    "@types/ember__utils": ^4.0.2
+    "@types/qunit": ^2.19.3
+    "@types/rsvp": ^4.0.4
+    "@types/shell-quote": ^1.7.1
+    "@typescript-eslint/eslint-plugin": ^5.19.0
+    "@typescript-eslint/parser": ^5.19.0
+    asn1js: ^2.2.0
+    autosize: ^4.0.0
+    babel-plugin-inline-json-import: ^0.3.2
+    base64-js: ^1.3.1
+    broccoli-asset-rev: ^3.0.0
+    broccoli-sri-hash: "meirish/broccoli-sri-hash#rooturl"
+    codemirror: ^5.58.2
+    columnify: ^1.5.4
+    d3-axis: ^1.0.8
+    d3-ease: ^1.0.5
+    d3-scale: ^1.0.7
+    d3-selection: ^1.3.0
+    d3-time-format: ^2.1.1
+    d3-tip: ^0.9.1
+    d3-transition: ^1.2.0
+    date-fns: ^2.16.1
+    date-fns-tz: ^1.2.2
+    deepmerge: ^4.0.0
+    doctoc: ^2.2.0
+    dompurify: ^3.0.2
+    ember-auto-import: 2.6.3
+    ember-basic-dropdown: 6.0.1
+    ember-cli: ~4.12.1
+    ember-cli-autoprefixer: ^0.8.1
+    ember-cli-babel: ^7.26.11
+    ember-cli-content-security-policy: 2.0.3
+    ember-cli-dependency-checker: ^3.3.1
+    ember-cli-deprecation-workflow: ^2.1.0
+    ember-cli-flash: 4.0.0
+    ember-cli-htmlbars: ^6.2.0
+    ember-cli-inject-live-reload: ^2.1.0
+    ember-cli-mirage: 2.4.0
+    ember-cli-page-object: 1.17.10
+    ember-cli-sass: 11.0.1
+    ember-cli-sri: "meirish/ember-cli-sri#rooturl"
+    ember-cli-string-helpers: 6.1.0
+    ember-cli-terser: ^4.0.2
+    ember-cli-typescript: ^5.2.1
+    ember-composable-helpers: 5.0.0
+    ember-concurrency: 2.3.4
+    ember-copy: 2.0.1
+    ember-d3: ^0.5.1
+    ember-data: ~4.11.3
+    ember-engines: 0.8.23
+    ember-fetch: ^8.1.2
+    ember-inflector: 4.0.2
+    ember-load-initializers: ^2.1.2
+    ember-maybe-in-element: ^2.0.3
+    ember-modal-dialog: ^4.0.1
+    ember-modifier: ^4.1.0
+    ember-page-title: ^7.0.0
+    ember-power-select: 6.0.1
+    ember-qrcode-shim: ^0.4.0
+    ember-qunit: 6.0.0
+    ember-resolver: ^10.0.0
+    ember-responsive: 5.0.0
+    ember-router-helpers: ^0.4.0
+    ember-service-worker: "meirish/ember-service-worker#configurable-scope"
+    ember-sinon: ^4.0.0
+    ember-source: ~4.12.0
+    ember-svg-jar: 2.4.0
+    ember-template-lint: 5.7.2
+    ember-template-lint-plugin-prettier: 4.0.0
+    ember-test-selectors: 6.0.0
+    ember-tether: ^2.0.1
+    ember-truth-helpers: 3.0.0
+    escape-string-regexp: ^2.0.0
+    eslint: ^8.37.0
+    eslint-config-prettier: ^8.8.0
+    eslint-plugin-compat: 4.0.2
+    eslint-plugin-ember: ^11.5.0
+    eslint-plugin-n: ^15.7.0
+    eslint-plugin-prettier: ^4.2.1
+    eslint-plugin-qunit: ^7.3.4
+    filesize: ^4.2.1
+    flat: ^6.0.1
+    handlebars: 4.7.7
+    highlight.js: ^10.4.1
+    jsondiffpatch: ^0.4.1
+    jsonlint: ^1.6.3
+    lint-staged: ^10.5.1
+    loader.js: ^4.7.0
+    node-notifier: ^8.0.1
+    normalize.css: 4.1.1
+    npm-run-all: ^4.1.5
+    pkijs: ^2.2.2
+    pretender: ^3.4.3
+    prettier: 2.8.7
+    prettier-eslint-cli: ^7.1.0
+    pvutils: ^1.0.17
+    qunit: ^2.19.4
+    qunit-dom: ^2.0.0
+    sass: ^1.58.3
+    sass-svg-uri: ^1.0.0
+    shell-quote: ^1.8.1
+    string.prototype.endswith: ^0.2.0
+    string.prototype.startswith: ^0.2.0
+    stylelint: ^15.4.0
+    stylelint-config-standard: ^32.0.0
+    stylelint-prettier: ^3.0.0
+    swagger-ui-dist: ^5.9.0
+    text-encoder-lite: 2.0.0
+    tracked-built-ins: ^3.1.1
+    typescript: ^4.8.4
+    uuid: ^9.0.0
+    walk-sync: ^2.0.2
+    webpack: 5.78.0
+    xstate: ^3.3.3
+  languageName: unknown
+  linkType: soft
+
+"verror@npm:1.10.0":
+  version: 1.10.0
+  resolution: "verror@npm:1.10.0"
+  dependencies:
+    assert-plus: ^1.0.0
+    core-util-is: 1.0.2
+    extsprintf: ^1.2.0
+  checksum: c431df0bedf2088b227a4e051e0ff4ca54df2c114096b0c01e1cbaadb021c30a04d7dd5b41ab277bcd51246ca135bf931d4c4c796ecae7a4fef6d744ecef36ea
+  languageName: node
+  linkType: hard
+
+"vfile-message@npm:^2.0.0":
+  version: 2.0.4
+  resolution: "vfile-message@npm:2.0.4"
+  dependencies:
+    "@types/unist": ^2.0.0
+    unist-util-stringify-position: ^2.0.0
+  checksum: 1bade499790f46ca5aba04bdce07a1e37c2636a8872e05cf32c26becc912826710b7eb063d30c5754fdfaeedc8a7658e78df10b3bc535c844890ec8a184f5643
+  languageName: node
+  linkType: hard
+
+"vfile@npm:^4.0.0":
+  version: 4.2.1
+  resolution: "vfile@npm:4.2.1"
+  dependencies:
+    "@types/unist": ^2.0.0
+    is-buffer: ^2.0.0
+    unist-util-stringify-position: ^2.0.0
+    vfile-message: ^2.0.0
+  checksum: ee5726e10d170472cde778fc22e0f7499caa096eb85babea5d0ce0941455b721037ee1c9e6ae506ca2803250acd313d0f464328ead0b55cfe7cb6315f1b462d6
+  languageName: node
+  linkType: hard
+
+"vm-browserify@npm:^1.0.1":
+  version: 1.1.2
+  resolution: "vm-browserify@npm:1.1.2"
+  checksum: 10a1c50aab54ff8b4c9042c15fc64aefccce8d2fb90c0640403242db0ee7fb269f9b102bdb69cfb435d7ef3180d61fd4fb004a043a12709abaf9056cfd7e039d
+  languageName: node
+  linkType: hard
+
+"vue-eslint-parser@npm:^8.0.1":
+  version: 8.3.0
+  resolution: "vue-eslint-parser@npm:8.3.0"
+  dependencies:
+    debug: ^4.3.2
+    eslint-scope: ^7.0.0
+    eslint-visitor-keys: ^3.1.0
+    espree: ^9.0.0
+    esquery: ^1.4.0
+    lodash: ^4.17.21
+    semver: ^7.3.5
+  peerDependencies:
+    eslint: ">=6.0.0"
+  checksum: 8cc751e9fc2bfba93664ad8945732ab1c97791f9123e703de8669b65670d1e01906d80436bf4932d7ee6fa6174ed4545e8abb059206c88f4bd71957ca6cf7ba8
+  languageName: node
+  linkType: hard
+
+"w3c-hr-time@npm:^1.0.2":
+  version: 1.0.2
+  resolution: "w3c-hr-time@npm:1.0.2"
+  dependencies:
+    browser-process-hrtime: ^1.0.0
+  checksum: ec3c2dacbf8050d917bbf89537a101a08c2e333b4c19155f7d3bedde43529d4339db6b3d049d9610789cb915f9515f8be037e0c54c079e9d4735c50b37ed52b9
+  languageName: node
+  linkType: hard
+
+"w3c-xmlserializer@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "w3c-xmlserializer@npm:2.0.0"
+  dependencies:
+    xml-name-validator: ^3.0.0
+  checksum: ae25c51cf71f1fb2516df1ab33a481f83461a117565b95e3d0927432522323f93b1b2846cbb60196d337970c421adb604fc2d0d180c6a47a839da01db5b9973b
+  languageName: node
+  linkType: hard
+
+"walk-sync@npm:^0.2.5":
+  version: 0.2.7
+  resolution: "walk-sync@npm:0.2.7"
+  dependencies:
+    ensure-posix-path: ^1.0.0
+    matcher-collection: ^1.0.0
+  checksum: dd5ee5de5504a4e45f86ee6c3ba6af02728a788e43b929a14fc13f19d06faaddc39692a23fba61ace4ff552b5d98b6c56fe207770bb09d87caa85a7e64bf384e
+  languageName: node
+  linkType: hard
+
+"walk-sync@npm:^0.3.0, walk-sync@npm:^0.3.1, walk-sync@npm:^0.3.3":
+  version: 0.3.4
+  resolution: "walk-sync@npm:0.3.4"
+  dependencies:
+    ensure-posix-path: ^1.0.0
+    matcher-collection: ^1.0.0
+  checksum: 07e45a065421d504d305c70d385e37f192600dfd714ba35bb5c2664682e87bfb8be9640212df160b58ae78b506479aa437267f36d6c2f54f1dd800a84d229d86
+  languageName: node
+  linkType: hard
+
+"walk-sync@npm:^1.0.0, walk-sync@npm:^1.1.3":
+  version: 1.1.4
+  resolution: "walk-sync@npm:1.1.4"
+  dependencies:
+    "@types/minimatch": ^3.0.3
+    ensure-posix-path: ^1.1.0
+    matcher-collection: ^1.1.1
+  checksum: 21ce5bfdca01b8ccf3a088e22b7634f1d045f70aac7577728d9797cbdabd4a4cdb1341145a1d5a7fe07c4a15ae106ae2625a319cb6aab3e260fdbf48719e3cc5
+  languageName: node
+  linkType: hard
+
+"walk-sync@npm:^2.0.0, walk-sync@npm:^2.0.2, walk-sync@npm:^2.2.0":
+  version: 2.2.0
+  resolution: "walk-sync@npm:2.2.0"
+  dependencies:
+    "@types/minimatch": ^3.0.3
+    ensure-posix-path: ^1.1.0
+    matcher-collection: ^2.0.0
+    minimatch: ^3.0.4
+  checksum: e579b574f769977a739607d4feba40ded8931ff641f26964ea5a10a280d648d1c1aca260e9ab60288f16d69500ff33687d3ba5fa4dbd427090123189f0f0c9b6
+  languageName: node
+  linkType: hard
+
+"walk-sync@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "walk-sync@npm:3.0.0"
+  dependencies:
+    "@types/minimatch": ^3.0.4
+    ensure-posix-path: ^1.1.0
+    matcher-collection: ^2.0.1
+    minimatch: ^3.0.4
+  checksum: b8701fc893003e4dac62d4fae8e7f411081fb18a9350632e078e9b61880e9a0c7b532385162c8e0b0fb3070f022cf70ac64518bde709b0dec58c13a833182cbc
+  languageName: node
+  linkType: hard
+
+"walker@npm:~1.0.5":
+  version: 1.0.8
+  resolution: "walker@npm:1.0.8"
+  dependencies:
+    makeerror: 1.0.12
+  checksum: ad7a257ea1e662e57ef2e018f97b3c02a7240ad5093c392186ce0bcf1f1a60bbadd520d073b9beb921ed99f64f065efb63dfc8eec689a80e569f93c1c5d5e16c
+  languageName: node
+  linkType: hard
+
+"watch-detector@npm:^0.1.0":
+  version: 0.1.0
+  resolution: "watch-detector@npm:0.1.0"
+  dependencies:
+    heimdalljs-logger: ^0.1.9
+    quick-temp: ^0.1.8
+    rsvp: ^4.7.0
+    semver: ^5.4.1
+    silent-error: ^1.1.0
+  checksum: 024a8eeeeca18fcd8e907f6687508773304b47feb751ac97fa5a4068f6213e7d4cdb8207ee8b688055c20f794fa047d4adba884a3fcf32a965e0ed2cbac0fa18
+  languageName: node
+  linkType: hard
+
+"watch-detector@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "watch-detector@npm:1.0.0"
+  dependencies:
+    heimdalljs-logger: ^0.1.10
+    semver: ^6.3.0
+    silent-error: ^1.1.1
+    tmp: ^0.1.0
+  checksum: da3ab7804890663a07b36c53c27a15bad086021f195941141c0b7153f5b3e269e925a2fb3b65377bd0f5606891e67213a10d31fedd3feed21aef604a30053b26
+  languageName: node
+  linkType: hard
+
+"watch-detector@npm:^1.0.2":
+  version: 1.0.2
+  resolution: "watch-detector@npm:1.0.2"
+  dependencies:
+    heimdalljs-logger: ^0.1.10
+    silent-error: ^1.1.1
+    tmp: ^0.1.0
+  checksum: 1c3bb68ba4ad5e0cdec1daf4d9dc3ff80cacebcc598ad162e2436be06adf5ce5626d4c0bcec84bff9c9ee27add9ff98d6ed4e29cdff2c86a7c4d8120b5f50c1d
+  languageName: node
+  linkType: hard
+
+"watchpack-chokidar2@npm:^2.0.1":
+  version: 2.0.1
+  resolution: "watchpack-chokidar2@npm:2.0.1"
+  dependencies:
+    chokidar: ^2.1.8
+  checksum: acf0f9ebca0c0b2fd1fe87ba557670477a6c0410bf1a653a726e68eb0620aa94fd9a43027a160a76bc793a21ea12e215e1e87dafe762682c13ef92ad4daf7b58
+  languageName: node
+  linkType: hard
+
+"watchpack@npm:^1.7.4":
+  version: 1.7.5
+  resolution: "watchpack@npm:1.7.5"
+  dependencies:
+    chokidar: ^3.4.1
+    graceful-fs: ^4.1.2
+    neo-async: ^2.5.0
+    watchpack-chokidar2: ^2.0.1
+  dependenciesMeta:
+    chokidar:
+      optional: true
+    watchpack-chokidar2:
+      optional: true
+  checksum: 8b7cb8c8df8f4dd0e8ac47693c0141c4f020a4b031411247d600eca31522fde6f1f9a3a6f6518b46e71f7971b0ed5734c08c60d7fdd2530e7262776286f69236
+  languageName: node
+  linkType: hard
+
+"watchpack@npm:^2.4.0":
+  version: 2.4.0
+  resolution: "watchpack@npm:2.4.0"
+  dependencies:
+    glob-to-regexp: ^0.4.1
+    graceful-fs: ^4.1.2
+  checksum: 23d4bc58634dbe13b86093e01c6a68d8096028b664ab7139d58f0c37d962d549a940e98f2f201cecdabd6f9c340338dc73ef8bf094a2249ef582f35183d1a131
+  languageName: node
+  linkType: hard
+
+"wcwidth@npm:^1.0.0, wcwidth@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "wcwidth@npm:1.0.1"
+  dependencies:
+    defaults: ^1.0.3
+  checksum: 814e9d1ddcc9798f7377ffa448a5a3892232b9275ebb30a41b529607691c0491de47cba426e917a4d08ded3ee7e9ba2f3fe32e62ee3cd9c7d3bafb7754bd553c
+  languageName: node
+  linkType: hard
+
+"webidl-conversions@npm:^5.0.0":
+  version: 5.0.0
+  resolution: "webidl-conversions@npm:5.0.0"
+  checksum: ccf1ec2ca7c0b5671e5440ace4a66806ae09c49016ab821481bec0c05b1b82695082dc0a27d1fe9d804d475a408ba0c691e6803fd21be608e710955d4589cd69
+  languageName: node
+  linkType: hard
+
+"webidl-conversions@npm:^6.1.0":
+  version: 6.1.0
+  resolution: "webidl-conversions@npm:6.1.0"
+  checksum: 1f526507aa491f972a0c1409d07f8444e1d28778dfa269a9971f2e157182f3d496dc33296e4ed45b157fdb3bf535bb90c90bf10c50dcf1dd6caacb2a34cc84fb
+  languageName: node
+  linkType: hard
+
+"webpack-sources@npm:^1.4.0, webpack-sources@npm:^1.4.1":
+  version: 1.4.3
+  resolution: "webpack-sources@npm:1.4.3"
+  dependencies:
+    source-list-map: ^2.0.0
+    source-map: ~0.6.1
+  checksum: 37463dad8d08114930f4bc4882a9602941f07c9f0efa9b6bc78738cd936275b990a596d801ef450d022bb005b109b9f451dd087db2f3c9baf53e8e22cf388f79
+  languageName: node
+  linkType: hard
+
+"webpack-sources@npm:^3.2.3":
+  version: 3.2.3
+  resolution: "webpack-sources@npm:3.2.3"
+  checksum: 989e401b9fe3536529e2a99dac8c1bdc50e3a0a2c8669cbafad31271eadd994bc9405f88a3039cd2e29db5e6d9d0926ceb7a1a4e7409ece021fe79c37d9c4607
+  languageName: node
+  linkType: hard
+
+"webpack@npm:5.78.0":
+  version: 5.78.0
+  resolution: "webpack@npm:5.78.0"
+  dependencies:
+    "@types/eslint-scope": ^3.7.3
+    "@types/estree": ^0.0.51
+    "@webassemblyjs/ast": 1.11.1
+    "@webassemblyjs/wasm-edit": 1.11.1
+    "@webassemblyjs/wasm-parser": 1.11.1
+    acorn: ^8.7.1
+    acorn-import-assertions: ^1.7.6
+    browserslist: ^4.14.5
+    chrome-trace-event: ^1.0.2
+    enhanced-resolve: ^5.10.0
+    es-module-lexer: ^0.9.0
+    eslint-scope: 5.1.1
+    events: ^3.2.0
+    glob-to-regexp: ^0.4.1
+    graceful-fs: ^4.2.9
+    json-parse-even-better-errors: ^2.3.1
+    loader-runner: ^4.2.0
+    mime-types: ^2.1.27
+    neo-async: ^2.6.2
+    schema-utils: ^3.1.0
+    tapable: ^2.1.1
+    terser-webpack-plugin: ^5.1.3
+    watchpack: ^2.4.0
+    webpack-sources: ^3.2.3
+  peerDependenciesMeta:
+    webpack-cli:
+      optional: true
+  bin:
+    webpack: bin/webpack.js
+  checksum: 4213e5bcc23e54c2f2a589e8e96f1fb71a2c05d5033ffda6dd8bae32284abfa0eb6b6d0707806e8dcfa48a8fcda2448d3af6c4539061679251d94c0996bebf99
+  languageName: node
+  linkType: hard
+
+"webpack@npm:^4.43.0":
+  version: 4.46.0
+  resolution: "webpack@npm:4.46.0"
+  dependencies:
+    "@webassemblyjs/ast": 1.9.0
+    "@webassemblyjs/helper-module-context": 1.9.0
+    "@webassemblyjs/wasm-edit": 1.9.0
+    "@webassemblyjs/wasm-parser": 1.9.0
+    acorn: ^6.4.1
+    ajv: ^6.10.2
+    ajv-keywords: ^3.4.1
+    chrome-trace-event: ^1.0.2
+    enhanced-resolve: ^4.5.0
+    eslint-scope: ^4.0.3
+    json-parse-better-errors: ^1.0.2
+    loader-runner: ^2.4.0
+    loader-utils: ^1.2.3
+    memory-fs: ^0.4.1
+    micromatch: ^3.1.10
+    mkdirp: ^0.5.3
+    neo-async: ^2.6.1
+    node-libs-browser: ^2.2.1
+    schema-utils: ^1.0.0
+    tapable: ^1.1.3
+    terser-webpack-plugin: ^1.4.3
+    watchpack: ^1.7.4
+    webpack-sources: ^1.4.1
+  peerDependenciesMeta:
+    webpack-cli:
+      optional: true
+    webpack-command:
+      optional: true
+  bin:
+    webpack: bin/webpack.js
+  checksum: 013fa24c00d4261e16ebca60353fa6f848e417b5a44bdf28c16ebebd67fa61e960420bb314c8df05cfe2dad9b90efabcf38fd6875f2361922769a0384085ef1e
+  languageName: node
+  linkType: hard
+
+"websocket-driver@npm:>=0.5.1":
+  version: 0.7.4
+  resolution: "websocket-driver@npm:0.7.4"
+  dependencies:
+    http-parser-js: ">=0.5.1"
+    safe-buffer: ">=5.1.0"
+    websocket-extensions: ">=0.1.1"
+  checksum: fffe5a33fe8eceafd21d2a065661d09e38b93877eae1de6ab5d7d2734c6ed243973beae10ae48c6613cfd675f200e5a058d1e3531bc9e6c5d4f1396ff1f0bfb9
+  languageName: node
+  linkType: hard
+
+"websocket-extensions@npm:>=0.1.1":
+  version: 0.1.4
+  resolution: "websocket-extensions@npm:0.1.4"
+  checksum: 5976835e68a86afcd64c7a9762ed85f2f27d48c488c707e67ba85e717b90fa066b98ab33c744d64255c9622d349eedecf728e65a5f921da71b58d0e9591b9038
+  languageName: node
+  linkType: hard
+
+"whatwg-encoding@npm:^1.0.5":
+  version: 1.0.5
+  resolution: "whatwg-encoding@npm:1.0.5"
+  dependencies:
+    iconv-lite: 0.4.24
+  checksum: 5be4efe111dce29ddee3448d3915477fcc3b28f991d9cf1300b4e50d6d189010d47bca2f51140a844cf9b726e8f066f4aee72a04d687bfe4f2ee2767b2f5b1e6
+  languageName: node
+  linkType: hard
+
+"whatwg-fetch@npm:^3.6.2":
+  version: 3.6.2
+  resolution: "whatwg-fetch@npm:3.6.2"
+  checksum: ee976b7249e7791edb0d0a62cd806b29006ad7ec3a3d89145921ad8c00a3a67e4be8f3fb3ec6bc7b58498724fd568d11aeeeea1f7827e7e1e5eae6c8a275afed
+  languageName: node
+  linkType: hard
+
+"whatwg-mimetype@npm:^2.3.0":
+  version: 2.3.0
+  resolution: "whatwg-mimetype@npm:2.3.0"
+  checksum: 23eb885940bcbcca4ff841c40a78e9cbb893ec42743993a42bf7aed16085b048b44b06f3402018931687153550f9a32d259dfa524e4f03577ab898b6965e5383
+  languageName: node
+  linkType: hard
+
+"whatwg-url@npm:^8.0.0, whatwg-url@npm:^8.5.0":
+  version: 8.5.0
+  resolution: "whatwg-url@npm:8.5.0"
+  dependencies:
+    lodash: ^4.7.0
+    tr46: ^2.0.2
+    webidl-conversions: ^6.1.0
+  checksum: 3bda9bfd98be7a86761bc629d848526ae246b34bce6b1037254752bade6fb610fc696c1d4ba477d0fdd57c86b6fad0128f68203527d94cee13997cc91ecf2bb7
+  languageName: node
+  linkType: hard
+
+"which-boxed-primitive@npm:^1.0.2":
+  version: 1.0.2
+  resolution: "which-boxed-primitive@npm:1.0.2"
+  dependencies:
+    is-bigint: ^1.0.1
+    is-boolean-object: ^1.1.0
+    is-number-object: ^1.0.4
+    is-string: ^1.0.5
+    is-symbol: ^1.0.3
+  checksum: 53ce774c7379071729533922adcca47220228405e1895f26673bbd71bdf7fb09bee38c1d6399395927c6289476b5ae0629863427fd151491b71c4b6cb04f3a5e
+  languageName: node
+  linkType: hard
+
+"which-collection@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "which-collection@npm:1.0.1"
+  dependencies:
+    is-map: ^2.0.1
+    is-set: ^2.0.1
+    is-weakmap: ^2.0.1
+    is-weakset: ^2.0.1
+  checksum: c815bbd163107ef9cb84f135e6f34453eaf4cca994e7ba85ddb0d27cea724c623fae2a473ceccfd5549c53cc65a5d82692de418166df3f858e1e5dc60818581c
+  languageName: node
+  linkType: hard
+
+"which-module@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "which-module@npm:2.0.0"
+  checksum: 809f7fd3dfcb2cdbe0180b60d68100c88785084f8f9492b0998c051d7a8efe56784492609d3f09ac161635b78ea29219eb1418a98c15ce87d085bce905705c9c
+  languageName: node
+  linkType: hard
+
+"which-typed-array@npm:^1.1.9":
+  version: 1.1.9
+  resolution: "which-typed-array@npm:1.1.9"
+  dependencies:
+    available-typed-arrays: ^1.0.5
+    call-bind: ^1.0.2
+    for-each: ^0.3.3
+    gopd: ^1.0.1
+    has-tostringtag: ^1.0.0
+    is-typed-array: ^1.1.10
+  checksum: fe0178ca44c57699ca2c0e657b64eaa8d2db2372a4e2851184f568f98c478ae3dc3fdb5f7e46c384487046b0cf9e23241423242b277e03e8ba3dabc7c84c98ef
+  languageName: node
+  linkType: hard
+
+"which@npm:^1.2.14, which@npm:^1.2.9, which@npm:^1.3.1":
+  version: 1.3.1
+  resolution: "which@npm:1.3.1"
+  dependencies:
+    isexe: ^2.0.0
+  bin:
+    which: ./bin/which
+  checksum: f2e185c6242244b8426c9df1510e86629192d93c1a986a7d2a591f2c24869e7ffd03d6dac07ca863b2e4c06f59a4cc9916c585b72ee9fa1aa609d0124df15e04
+  languageName: node
+  linkType: hard
+
+"which@npm:^2.0.1, which@npm:^2.0.2":
+  version: 2.0.2
+  resolution: "which@npm:2.0.2"
+  dependencies:
+    isexe: ^2.0.0
+  bin:
+    node-which: ./bin/node-which
+  checksum: 1a5c563d3c1b52d5f893c8b61afe11abc3bab4afac492e8da5bde69d550de701cf9806235f20a47b5c8fa8a1d6a9135841de2596535e998027a54589000e66d1
+  languageName: node
+  linkType: hard
+
+"wide-align@npm:^1.1.5":
+  version: 1.1.5
+  resolution: "wide-align@npm:1.1.5"
+  dependencies:
+    string-width: ^1.0.2 || 2 || 3 || 4
+  checksum: d5fc37cd561f9daee3c80e03b92ed3e84d80dde3365a8767263d03dacfc8fa06b065ffe1df00d8c2a09f731482fcacae745abfbb478d4af36d0a891fad4834d3
+  languageName: node
+  linkType: hard
+
+"word-wrap@npm:^1.2.3, word-wrap@npm:~1.2.3":
+  version: 1.2.3
+  resolution: "word-wrap@npm:1.2.3"
+  checksum: 30b48f91fcf12106ed3186ae4fa86a6a1842416df425be7b60485de14bec665a54a68e4b5156647dec3a70f25e84d270ca8bc8cd23182ed095f5c7206a938c1f
+  languageName: node
+  linkType: hard
+
+"wordwrap@npm:^0.0.3":
+  version: 0.0.3
+  resolution: "wordwrap@npm:0.0.3"
+  checksum: dfc2d3512e857ae4b3bc2e8d4e5d2c285c28a4b87cd1d81c977ce9a1a99152d355807e046851a3d61148f39d877fbb889352e07b65a9cbdd2256aa928e159026
+  languageName: node
+  linkType: hard
+
+"wordwrap@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "wordwrap@npm:1.0.0"
+  checksum: 2a44b2788165d0a3de71fd517d4880a8e20ea3a82c080ce46e294f0b68b69a2e49cff5f99c600e275c698a90d12c5ea32aff06c311f0db2eb3f1201f3e7b2a04
+  languageName: node
+  linkType: hard
+
+"worker-farm@npm:^1.7.0":
+  version: 1.7.0
+  resolution: "worker-farm@npm:1.7.0"
+  dependencies:
+    errno: ~0.1.7
+  checksum: eab917530e1feddf157ec749e9c91b73a886142daa7fdf3490bccbf7b548b2576c43ab8d0a98e72ac755cbc101ca8647a7b1ff2485fddb9e8f53c40c77f5a719
+  languageName: node
+  linkType: hard
+
+"workerpool@npm:^2.3.0":
+  version: 2.3.4
+  resolution: "workerpool@npm:2.3.4"
+  dependencies:
+    object-assign: 4.1.1
+  checksum: 34793e88505ca6638372791d401a27d17674efdd34d5535b76ce6579b35a0cb1780156b113a3790405eefc447160d6e255e4887bfbf0c42edbae8fdf475ccc93
+  languageName: node
+  linkType: hard
+
+"workerpool@npm:^3.1.1":
+  version: 3.1.2
+  resolution: "workerpool@npm:3.1.2"
+  dependencies:
+    "@babel/core": ^7.3.4
+    object-assign: 4.1.1
+    rsvp: ^4.8.4
+  checksum: 7b382021ca70310926662b40c489ce78d391fb15a3aa7cf1d03eb7578e49eec777b1f332155b5f654118c03b53367ef96f66a42b128e5ca48b25164de9ef2a99
+  languageName: node
+  linkType: hard
+
+"workerpool@npm:^5.0.1":
+  version: 5.0.4
+  resolution: "workerpool@npm:5.0.4"
+  checksum: 735a9b19a3dce3c6391c88ee85ca7a952d48d1e1e4c32ec208adb9f29920eb052755737e04d1c44f32614d5a81c26387f3a2cfb7e96f15c87cfa01c7b1218958
+  languageName: node
+  linkType: hard
+
+"workerpool@npm:^6.0.0":
+  version: 6.1.4
+  resolution: "workerpool@npm:6.1.4"
+  checksum: 0927dd4302fc39be132e829f6bdca1c675a50d285858d3f0b233b75724030d7c10a618a5e8f5623c991121073306c10af73e750ec9ea366e1d2d76d8b5d3422c
+  languageName: node
+  linkType: hard
+
+"workerpool@npm:^6.0.2":
+  version: 6.5.1
+  resolution: "workerpool@npm:6.5.1"
+  checksum: f86d13f9139c3a57c5a5867e81905cd84134b499849405dec2ffe5b1acd30dabaa1809f6f6ee603a7c65e1e4325f21509db6b8398eaf202c8b8f5809e26a2e16
+  languageName: node
+  linkType: hard
+
+"workerpool@npm:^6.4.0":
+  version: 6.4.0
+  resolution: "workerpool@npm:6.4.0"
+  checksum: 5fc010dbec44c69e1758cb2ccf924dfd286a86062a934f9e69a81cbad66f9be541441b2399debc2b024ae3dfc33a34a4c9ad61058af2ed8d53dcdeffb22b7b40
+  languageName: node
+  linkType: hard
+
+"wrap-ansi@npm:^5.1.0":
+  version: 5.1.0
+  resolution: "wrap-ansi@npm:5.1.0"
+  dependencies:
+    ansi-styles: ^3.2.0
+    string-width: ^3.0.0
+    strip-ansi: ^5.0.0
+  checksum: 9b48c862220e541eb0daa22661b38b947973fc57054e91be5b0f2dcc77741a6875ccab4ebe970a394b4682c8dfc17e888266a105fb8b0a9b23c19245e781ceae
+  languageName: node
+  linkType: hard
+
+"wrap-ansi@npm:^6.2.0":
+  version: 6.2.0
+  resolution: "wrap-ansi@npm:6.2.0"
+  dependencies:
+    ansi-styles: ^4.0.0
+    string-width: ^4.1.0
+    strip-ansi: ^6.0.0
+  checksum: 6cd96a410161ff617b63581a08376f0cb9162375adeb7956e10c8cd397821f7eb2a6de24eb22a0b28401300bf228c86e50617cd568209b5f6775b93c97d2fe3a
+  languageName: node
+  linkType: hard
+
+"wrap-ansi@npm:^7.0.0":
+  version: 7.0.0
+  resolution: "wrap-ansi@npm:7.0.0"
+  dependencies:
+    ansi-styles: ^4.0.0
+    string-width: ^4.1.0
+    strip-ansi: ^6.0.0
+  checksum: a790b846fd4505de962ba728a21aaeda189b8ee1c7568ca5e817d85930e06ef8d1689d49dbf0e881e8ef84436af3a88bc49115c2e2788d841ff1b8b5b51a608b
+  languageName: node
+  linkType: hard
+
+"wrap-legacy-hbs-plugin-if-needed@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "wrap-legacy-hbs-plugin-if-needed@npm:1.0.1"
+  dependencies:
+    "@glimmer/reference": ^0.42.1
+    "@glimmer/runtime": ^0.42.1
+    "@glimmer/syntax": ^0.42.1
+    "@simple-dom/interface": ^1.4.0
+  checksum: b273f53b92fa26041e6cf8f3b712a0267a3cc75c8def3370e556428e72ef38deea605897c8d42b2a3b90f04d810c432b1de470db983b0c131030b29dc46aa1bd
+  languageName: node
+  linkType: hard
+
+"wrappy@npm:1":
+  version: 1.0.2
+  resolution: "wrappy@npm:1.0.2"
+  checksum: 159da4805f7e84a3d003d8841557196034155008f817172d4e986bd591f74aa82aa7db55929a54222309e01079a65a92a9e6414da5a6aa4b01ee44a511ac3ee5
+  languageName: node
+  linkType: hard
+
+"write-file-atomic@npm:^3.0.0":
+  version: 3.0.3
+  resolution: "write-file-atomic@npm:3.0.3"
+  dependencies:
+    imurmurhash: ^0.1.4
+    is-typedarray: ^1.0.0
+    signal-exit: ^3.0.2
+    typedarray-to-buffer: ^3.1.5
+  checksum: c55b24617cc61c3a4379f425fc62a386cc51916a9b9d993f39734d005a09d5a4bb748bc251f1304e7abd71d0a26d339996c275955f527a131b1dcded67878280
+  languageName: node
+  linkType: hard
+
+"write-file-atomic@npm:^5.0.1":
+  version: 5.0.1
+  resolution: "write-file-atomic@npm:5.0.1"
+  dependencies:
+    imurmurhash: ^0.1.4
+    signal-exit: ^4.0.1
+  checksum: 8dbb0e2512c2f72ccc20ccedab9986c7d02d04039ed6e8780c987dc4940b793339c50172a1008eed7747001bfacc0ca47562668a069a7506c46c77d7ba3926a9
+  languageName: node
+  linkType: hard
+
+"ws@npm:^7.4.4":
+  version: 7.4.5
+  resolution: "ws@npm:7.4.5"
+  peerDependencies:
+    bufferutil: ^4.0.1
+    utf-8-validate: ^5.0.2
+  peerDependenciesMeta:
+    bufferutil:
+      optional: true
+    utf-8-validate:
+      optional: true
+  checksum: 5c7d1527f93ef27f9306aaf52db76315e8ff84174d1df717196527c50334c80bc10307dcaf6674a9aca4bb73aac3f77c23d3d9b1800e8aa810a5ee7f52d67cfb
+  languageName: node
+  linkType: hard
+
+"ws@npm:~8.2.3":
+  version: 8.2.3
+  resolution: "ws@npm:8.2.3"
+  peerDependencies:
+    bufferutil: ^4.0.1
+    utf-8-validate: ^5.0.2
+  peerDependenciesMeta:
+    bufferutil:
+      optional: true
+    utf-8-validate:
+      optional: true
+  checksum: c869296ccb45f218ac6d32f8f614cd85b50a21fd434caf11646008eef92173be53490810c5c23aea31bc527902261fbfd7b062197eea341b26128d4be56a85e4
+  languageName: node
+  linkType: hard
+
+"xdg-basedir@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "xdg-basedir@npm:4.0.0"
+  checksum: 0073d5b59a37224ed3a5ac0dd2ec1d36f09c49f0afd769008a6e9cd3cd666bd6317bd1c7ce2eab47e1de285a286bad11a9b038196413cd753b79770361855f3c
+  languageName: node
+  linkType: hard
+
+"xml-name-validator@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "xml-name-validator@npm:3.0.0"
+  checksum: b3ac459afed783c285bb98e4960bd1f3ba12754fd4f2320efa0f9181ca28928c53cc75ca660d15d205e81f92304419afe94c531c7cfb3e0649aa6d140d53ecb0
+  languageName: node
+  linkType: hard
+
+"xmlchars@npm:^2.2.0":
+  version: 2.2.0
+  resolution: "xmlchars@npm:2.2.0"
+  checksum: 8c70ac94070ccca03f47a81fcce3b271bd1f37a591bf5424e787ae313fcb9c212f5f6786e1fa82076a2c632c0141552babcd85698c437506dfa6ae2d58723062
+  languageName: node
+  linkType: hard
+
+"xstate@npm:^3.3.3":
+  version: 3.3.3
+  resolution: "xstate@npm:3.3.3"
+  checksum: b659cf8c7ac5f48ef68bd55d8b5a60fb3b34686222c8d4e8966b9e8d7fd59569cf02e135fba5969d1f7b96cd3f617b1131b38970b90930371e668af7f6b4d2f6
+  languageName: node
+  linkType: hard
+
+"xtend@npm:^4.0.0, xtend@npm:~4.0.1":
+  version: 4.0.2
+  resolution: "xtend@npm:4.0.2"
+  checksum: ac5dfa738b21f6e7f0dd6e65e1b3155036d68104e67e5d5d1bde74892e327d7e5636a076f625599dc394330a731861e87343ff184b0047fef1360a7ec0a5a36a
+  languageName: node
+  linkType: hard
+
+"y18n@npm:^4.0.0":
+  version: 4.0.3
+  resolution: "y18n@npm:4.0.3"
+  checksum: 014dfcd9b5f4105c3bb397c1c8c6429a9df004aa560964fb36732bfb999bfe83d45ae40aeda5b55d21b1ee53d8291580a32a756a443e064317953f08025b1aa4
+  languageName: node
+  linkType: hard
+
+"y18n@npm:^5.0.5":
+  version: 5.0.8
+  resolution: "y18n@npm:5.0.8"
+  checksum: 54f0fb95621ee60898a38c572c515659e51cc9d9f787fb109cef6fde4befbe1c4602dc999d30110feee37456ad0f1660fa2edcfde6a9a740f86a290999550d30
+  languageName: node
+  linkType: hard
+
+"yallist@npm:^3.0.0, yallist@npm:^3.0.2":
+  version: 3.1.1
+  resolution: "yallist@npm:3.1.1"
+  checksum: 48f7bb00dc19fc635a13a39fe547f527b10c9290e7b3e836b9a8f1ca04d4d342e85714416b3c2ab74949c9c66f9cebb0473e6bc353b79035356103b47641285d
+  languageName: node
+  linkType: hard
+
+"yallist@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "yallist@npm:4.0.0"
+  checksum: 343617202af32df2a15a3be36a5a8c0c8545208f3d3dfbc6bb7c3e3b7e8c6f8e7485432e4f3b88da3031a6e20afa7c711eded32ddfb122896ac5d914e75848d5
+  languageName: node
+  linkType: hard
+
+"yam@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "yam@npm:1.0.0"
+  dependencies:
+    fs-extra: ^4.0.2
+    lodash.merge: ^4.6.0
+  checksum: b954d6fedeb19525ff559e25ce8bd38033ffe75f11a13a71fa960b3c36055c0e4a57910aac441ffd8ae9513ef3461ed1a9f91c767825546f3ea3831b39bdb5c9
+  languageName: node
+  linkType: hard
+
+"yaml@npm:^1.10.0":
+  version: 1.10.2
+  resolution: "yaml@npm:1.10.2"
+  checksum: ce4ada136e8a78a0b08dc10b4b900936912d15de59905b2bf415b4d33c63df1d555d23acb2a41b23cf9fb5da41c256441afca3d6509de7247daa062fd2c5ea5f
+  languageName: node
+  linkType: hard
+
+"yargs-parser@npm:^13.1.2":
+  version: 13.1.2
+  resolution: "yargs-parser@npm:13.1.2"
+  dependencies:
+    camelcase: ^5.0.0
+    decamelize: ^1.2.0
+  checksum: c8bb6f44d39a4acd94462e96d4e85469df865de6f4326e0ab1ac23ae4a835e5dd2ddfe588317ebf80c3a7e37e741bd5cb0dc8d92bcc5812baefb7df7c885e86b
+  languageName: node
+  linkType: hard
+
+"yargs-parser@npm:^20.2.9":
+  version: 20.2.9
+  resolution: "yargs-parser@npm:20.2.9"
+  checksum: 8bb69015f2b0ff9e17b2c8e6bfe224ab463dd00ca211eece72a4cd8a906224d2703fb8a326d36fdd0e68701e201b2a60ed7cf81ce0fd9b3799f9fe7745977ae3
+  languageName: node
+  linkType: hard
+
+"yargs-parser@npm:^21.1.1":
+  version: 21.1.1
+  resolution: "yargs-parser@npm:21.1.1"
+  checksum: ed2d96a616a9e3e1cc7d204c62ecc61f7aaab633dcbfab2c6df50f7f87b393993fe6640d017759fe112d0cb1e0119f2b4150a87305cc873fd90831c6a58ccf1c
+  languageName: node
+  linkType: hard
+
+"yargs@npm:^13.1.1":
+  version: 13.3.2
+  resolution: "yargs@npm:13.3.2"
+  dependencies:
+    cliui: ^5.0.0
+    find-up: ^3.0.0
+    get-caller-file: ^2.0.1
+    require-directory: ^2.1.1
+    require-main-filename: ^2.0.0
+    set-blocking: ^2.0.0
+    string-width: ^3.0.0
+    which-module: ^2.0.0
+    y18n: ^4.0.0
+    yargs-parser: ^13.1.2
+  checksum: 75c13e837eb2bb25717957ba58d277e864efc0cca7f945c98bdf6477e6ec2f9be6afa9ed8a876b251a21423500c148d7b91e88dee7adea6029bdec97af1ef3e8
+  languageName: node
+  linkType: hard
+
+"yargs@npm:^17.7.1":
+  version: 17.7.2
+  resolution: "yargs@npm:17.7.2"
+  dependencies:
+    cliui: ^8.0.1
+    escalade: ^3.1.1
+    get-caller-file: ^2.0.5
+    require-directory: ^2.1.1
+    string-width: ^4.2.3
+    y18n: ^5.0.5
+    yargs-parser: ^21.1.1
+  checksum: 73b572e863aa4a8cbef323dd911d79d193b772defd5a51aab0aca2d446655216f5002c42c5306033968193bdbf892a7a4c110b0d77954a7fdf563e653967b56a
+  languageName: node
+  linkType: hard
+
+"yocto-queue@npm:^0.1.0":
+  version: 0.1.0
+  resolution: "yocto-queue@npm:0.1.0"
+  checksum: f77b3d8d00310def622123df93d4ee654fc6a0096182af8bd60679ddcdfb3474c56c6c7190817c84a2785648cdee9d721c0154eb45698c62176c322fb46fc700
+  languageName: node
+  linkType: hard
+
+"yocto-queue@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "yocto-queue@npm:1.0.0"
+  checksum: 2cac84540f65c64ccc1683c267edce396b26b1e931aa429660aefac8fbe0188167b7aee815a3c22fa59a28a58d898d1a2b1825048f834d8d629f4c2a5d443801
+  languageName: node
+  linkType: hard
+
+"zwitch@npm:^1.0.0":
+  version: 1.0.5
+  resolution: "zwitch@npm:1.0.5"
+  checksum: 28a1bebacab3bc60150b6b0a2ba1db2ad033f068e81f05e4892ec0ea13ae63f5d140a1d692062ac0657840c8da076f35b94433b5f1c329d7803b247de80f064a
+  languageName: node
+  linkType: hard
diff --git a/vault/ha.go b/vault/ha.go
index 8ef86b0fefcb..9468538a6609 100644
--- a/vault/ha.go
+++ b/vault/ha.go
@@ -118,13 +118,15 @@ func (c *Core) getHAMembers() ([]HAStatusNode, error) {
 	for _, peerNode := range c.GetHAPeerNodesCached() {
 		lastEcho := peerNode.LastEcho
 		nodes = append(nodes, HAStatusNode{
-			Hostname:       peerNode.Hostname,
-			APIAddress:     peerNode.APIAddress,
-			ClusterAddress: peerNode.ClusterAddress,
-			LastEcho:       &lastEcho,
-			Version:        peerNode.Version,
-			UpgradeVersion: peerNode.UpgradeVersion,
-			RedundancyZone: peerNode.RedundancyZone,
+			Hostname:           peerNode.Hostname,
+			APIAddress:         peerNode.APIAddress,
+			ClusterAddress:     peerNode.ClusterAddress,
+			LastEcho:           &lastEcho,
+			Version:            peerNode.Version,
+			UpgradeVersion:     peerNode.UpgradeVersion,
+			RedundancyZone:     peerNode.RedundancyZone,
+			EchoDurationMillis: peerNode.EchoDuration.Milliseconds(),
+			ClockSkewMillis:    peerNode.ClockSkewMillis,
 		})
 	}
 
@@ -150,30 +152,41 @@ func (c *Core) Leader() (isLeader bool, leaderAddr, clusterAddr string, err erro
 	if c.Sealed() {
 		return false, "", "", consts.ErrSealed
 	}
-
 	c.stateLock.RLock()
+	defer c.stateLock.RUnlock()
+
+	return c.LeaderLocked()
+}
+
+func (c *Core) LeaderLocked() (isLeader bool, leaderAddr, clusterAddr string, err error) {
+	// Check if HA enabled. We don't need the lock for this check as it's set
+	// on startup and never modified
+	if c.ha == nil {
+		return false, "", "", ErrHANotEnabled
+	}
+
+	// Check if sealed
+	if c.Sealed() {
+		return false, "", "", consts.ErrSealed
+	}
 
 	// Check if we are the leader
 	if !c.standby {
-		c.stateLock.RUnlock()
 		return true, c.redirectAddr, c.ClusterAddr(), nil
 	}
 
 	// Initialize a lock
 	lock, err := c.ha.LockWith(CoreLockPath, "read")
 	if err != nil {
-		c.stateLock.RUnlock()
 		return false, "", "", err
 	}
 
 	// Read the value
 	held, leaderUUID, err := lock.Value()
 	if err != nil {
-		c.stateLock.RUnlock()
 		return false, "", "", err
 	}
 	if !held {
-		c.stateLock.RUnlock()
 		return false, "", "", nil
 	}
 
@@ -188,13 +201,11 @@ func (c *Core) Leader() (isLeader bool, leaderAddr, clusterAddr string, err erro
 	// If the leader hasn't changed, return the cached value; nothing changes
 	// mid-leadership, and the barrier caches anyways
 	if leaderUUID == localLeaderUUID && localRedirectAddr != "" {
-		c.stateLock.RUnlock()
 		return false, localRedirectAddr, localClusterAddr, nil
 	}
 
 	c.logger.Trace("found new active node information, refreshing")
 
-	defer c.stateLock.RUnlock()
 	c.leaderParamsLock.Lock()
 	defer c.leaderParamsLock.Unlock()
 
diff --git a/vault/identity_store_entities.go b/vault/identity_store_entities.go
index bf890c57f2b0..6094339c4e84 100644
--- a/vault/identity_store_entities.go
+++ b/vault/identity_store_entities.go
@@ -68,8 +68,10 @@ func entityPaths(i *IdentityStore) []*framework.Path {
 			},
 
 			Fields: entityPathFields(),
-			Callbacks: map[logical.Operation]framework.OperationFunc{
-				logical.UpdateOperation: i.handleEntityUpdateCommon(),
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: i.handleEntityUpdateCommon(),
+				},
 			},
 
 			HelpSynopsis:    strings.TrimSpace(entityHelp["entity"][0]),
@@ -158,8 +160,10 @@ func entityPaths(i *IdentityStore) []*framework.Path {
 				},
 			},
 
-			Callbacks: map[logical.Operation]framework.OperationFunc{
-				logical.UpdateOperation: i.handleEntityBatchDelete(),
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: i.handleEntityBatchDelete(),
+				},
 			},
 
 			HelpSynopsis:    strings.TrimSpace(entityHelp["batch-delete"][0]),
@@ -173,8 +177,10 @@ func entityPaths(i *IdentityStore) []*framework.Path {
 				OperationSuffix: "by-name",
 			},
 
-			Callbacks: map[logical.Operation]framework.OperationFunc{
-				logical.ListOperation: i.pathEntityNameList(),
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ListOperation: &framework.PathOperation{
+					Callback: i.pathEntityNameList(),
+				},
 			},
 
 			HelpSynopsis:    strings.TrimSpace(entityHelp["entity-name-list"][0]),
@@ -188,8 +194,10 @@ func entityPaths(i *IdentityStore) []*framework.Path {
 				OperationSuffix: "by-id",
 			},
 
-			Callbacks: map[logical.Operation]framework.OperationFunc{
-				logical.ListOperation: i.pathEntityIDList(),
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ListOperation: &framework.PathOperation{
+					Callback: i.pathEntityIDList(),
+				},
 			},
 
 			HelpSynopsis:    strings.TrimSpace(entityHelp["entity-id-list"][0]),
@@ -221,8 +229,11 @@ func entityPaths(i *IdentityStore) []*framework.Path {
 					Description: "Setting this will follow the 'mine' strategy for merging MFA secrets. If there are secrets of the same type both in entities that are merged from and in entity into which all others are getting merged, secrets in the destination will be unaltered. If not set, this API will throw an error containing all the conflicts.",
 				},
 			},
-			Callbacks: map[logical.Operation]framework.OperationFunc{
-				logical.UpdateOperation: i.pathEntityMergeID(),
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback:                  i.pathEntityMergeID(),
+					ForwardPerformanceStandby: true,
+				},
 			},
 
 			HelpSynopsis:    strings.TrimSpace(entityHelp["entity-merge-id"][0]),
@@ -883,6 +894,15 @@ func (i *IdentityStore) mergeEntity(ctx context.Context, txn *memdb.Txn, toEntit
 		}
 
 		if fromEntity == nil {
+			// If forceMergeAliases is true, and we didn't find a fromEntity, then something
+			// is wrong with storage. This function was called as part of an automated
+			// merge from CreateOrFetchEntity or Invalidate to repatriate an alias with its 'true'
+			// entity. As a result, the entity _should_ exist, but we can't find it.
+			// MemDb may be in a bad state, because fromEntity should be non-nil in the
+			// automated merge case.
+			if forceMergeAliases {
+				return fmt.Errorf("fromEntity %s was not found in memdb as part of an automated entity merge into %s; storage/memdb may be in a bad state", fromEntityID, toEntity.ID), nil, nil
+			}
 			return errors.New("entity id to merge from is invalid"), nil, nil
 		}
 
@@ -995,6 +1015,15 @@ func (i *IdentityStore) mergeEntity(ctx context.Context, txn *memdb.Txn, toEntit
 		}
 
 		if fromEntity == nil {
+			// If forceMergeAliases is true, and we didn't find a fromEntity, then something
+			// is wrong with storage. This function was called as part of an automated
+			// merge from CreateOrFetchEntity or Invalidate to repatriate an alias with its 'true'
+			// entity. As a result, the entity _should_ exist, but we can't find it.
+			// MemDb may be in a bad state, because fromEntity should be non-nil in the
+			// automated merge case.
+			if forceMergeAliases {
+				return fmt.Errorf("fromEntity %s was not found in memdb as part of an automated entity merge into %s; storage/memdb may be in a bad state", fromEntityID, toEntity.ID), nil, nil
+			}
 			return errors.New("entity id to merge from is invalid"), nil, nil
 		}
 
diff --git a/vault/logical_system.go b/vault/logical_system.go
index e978095a1908..bd5c93e22742 100644
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -809,6 +809,7 @@ func (b *SystemBackend) handlePluginRuntimeCatalogUpdate(ctx context.Context, _
 		if memory < 0 {
 			return logical.ErrorResponse("runtime memory in bytes cannot be negative"), nil
 		}
+		rootless := d.Get("rootless").(bool)
 		if err = b.Core.pluginRuntimeCatalog.Set(ctx,
 			&pluginruntimeutil.PluginRuntimeConfig{
 				Name:         runtimeName,
@@ -817,6 +818,7 @@ func (b *SystemBackend) handlePluginRuntimeCatalogUpdate(ctx context.Context, _
 				CgroupParent: cgroupParent,
 				CPU:          cpu,
 				Memory:       memory,
+				Rootless:     rootless,
 			}); err != nil {
 			return logical.ErrorResponse(err.Error()), nil
 		}
@@ -889,6 +891,7 @@ func (b *SystemBackend) handlePluginRuntimeCatalogRead(ctx context.Context, _ *l
 		"cgroup_parent": conf.CgroupParent,
 		"cpu_nanos":     conf.CPU,
 		"memory_bytes":  conf.Memory,
+		"rootless":      conf.Rootless,
 	}}, nil
 }
 
@@ -928,6 +931,7 @@ func (b *SystemBackend) handlePluginRuntimeCatalogList(ctx context.Context, _ *l
 					"cgroup_parent": conf.CgroupParent,
 					"cpu_nanos":     conf.CPU,
 					"memory_bytes":  conf.Memory,
+					"rootless":      conf.Rootless,
 				})
 			}
 		}
@@ -1426,6 +1430,9 @@ func (b *SystemBackend) handleMount(ctx context.Context, req *logical.Request, d
 	if len(apiConfig.AllowedManagedKeys) > 0 {
 		config.AllowedManagedKeys = apiConfig.AllowedManagedKeys
 	}
+	if len(apiConfig.DelegatedAuthAccessors) > 0 {
+		config.DelegatedAuthAccessors = apiConfig.DelegatedAuthAccessors
+	}
 
 	// Create the mount entry
 	me := &MountEntry{
@@ -2370,6 +2377,32 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string,
 		}
 	}
 
+	if rawVal, ok := data.GetOk("delegated_auth_accessors"); ok {
+		delegatedAuthAccessors := rawVal.([]string)
+
+		oldVal := mountEntry.Config.DelegatedAuthAccessors
+		mountEntry.Config.DelegatedAuthAccessors = delegatedAuthAccessors
+
+		// Update the mount table
+		var err error
+		switch {
+		case strings.HasPrefix(path, "auth/"):
+			err = b.Core.persistAuth(ctx, b.Core.auth, &mountEntry.Local)
+		default:
+			err = b.Core.persistMounts(ctx, b.Core.mounts, &mountEntry.Local)
+		}
+		if err != nil {
+			mountEntry.Config.DelegatedAuthAccessors = oldVal
+			return handleError(err)
+		}
+
+		mountEntry.SyncCache()
+
+		if b.Core.logger.IsInfo() {
+			b.Core.logger.Info("mount tuning of delegated_auth_accessors successful", "path", path)
+		}
+	}
+
 	var err error
 	var resp *logical.Response
 	var options map[string]string
@@ -4675,6 +4708,8 @@ func (b *SystemBackend) pathInternalUIResultantACL(ctx context.Context, req *log
 		},
 	}
 
+	resp.Data["chroot_namespace"] = req.ChrootNamespace
+
 	if acl.root {
 		resp.Data["root"] = true
 		return resp, nil
@@ -5121,8 +5156,15 @@ type LeaderResponse struct {
 }
 
 func (core *Core) GetLeaderStatus() (*LeaderResponse, error) {
+	core.stateLock.RLock()
+	defer core.stateLock.RUnlock()
+
+	return core.GetLeaderStatusLocked()
+}
+
+func (core *Core) GetLeaderStatusLocked() (*LeaderResponse, error) {
 	haEnabled := true
-	isLeader, address, clusterAddr, err := core.Leader()
+	isLeader, address, clusterAddr, err := core.LeaderLocked()
 	if errwrap.Contains(err, ErrHANotEnabled.Error()) {
 		haEnabled = false
 		err = nil
@@ -5136,10 +5178,10 @@ func (core *Core) GetLeaderStatus() (*LeaderResponse, error) {
 		IsSelf:               isLeader,
 		LeaderAddress:        address,
 		LeaderClusterAddress: clusterAddr,
-		PerfStandby:          core.PerfStandby(),
+		PerfStandby:          core.perfStandby,
 	}
 	if isLeader {
-		resp.ActiveTime = core.ActiveTime()
+		resp.ActiveTime = core.activeTime
 	}
 	if resp.PerfStandby {
 		resp.PerfStandbyLastRemoteWAL = core.EntLastRemoteWAL()
@@ -5147,7 +5189,7 @@ func (core *Core) GetLeaderStatus() (*LeaderResponse, error) {
 		resp.LastWAL = core.EntLastWAL()
 	}
 
-	resp.RaftCommittedIndex, resp.RaftAppliedIndex = core.GetRaftIndexes()
+	resp.RaftCommittedIndex, resp.RaftAppliedIndex = core.GetRaftIndexesLocked()
 	return resp, nil
 }
 
@@ -5171,7 +5213,7 @@ func (b *SystemBackend) handleSealStatus(ctx context.Context, req *logical.Reque
 }
 
 func (b *SystemBackend) handleLeaderStatus(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
-	status, err := b.Core.GetLeaderStatus()
+	status, err := b.Core.GetLeaderStatusLocked()
 	if err != nil {
 		return nil, err
 	}
@@ -5248,14 +5290,16 @@ func (b *SystemBackend) handleHAStatus(ctx context.Context, req *logical.Request
 }
 
 type HAStatusNode struct {
-	Hostname       string     `json:"hostname"`
-	APIAddress     string     `json:"api_address"`
-	ClusterAddress string     `json:"cluster_address"`
-	ActiveNode     bool       `json:"active_node"`
-	LastEcho       *time.Time `json:"last_echo"`
-	Version        string     `json:"version"`
-	UpgradeVersion string     `json:"upgrade_version,omitempty"`
-	RedundancyZone string     `json:"redundancy_zone,omitempty"`
+	Hostname           string     `json:"hostname"`
+	APIAddress         string     `json:"api_address"`
+	ClusterAddress     string     `json:"cluster_address"`
+	ActiveNode         bool       `json:"active_node"`
+	LastEcho           *time.Time `json:"last_echo"`
+	Version            string     `json:"version"`
+	UpgradeVersion     string     `json:"upgrade_version,omitempty"`
+	RedundancyZone     string     `json:"redundancy_zone,omitempty"`
+	EchoDurationMillis int64      `json:"echo_duration_ms"`
+	ClockSkewMillis    int64      `json:"clock_skew_ms"`
 }
 
 func (b *SystemBackend) handleVersionHistoryList(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
@@ -6252,6 +6296,10 @@ This path responds to the following HTTP methods.
 		"Memory limit to set per container in bytes. Defaults to no limit.",
 		"",
 	},
+	"plugin-runtime-catalog_rootless": {
+		"Whether the container runtime is run as a non-privileged (non-root) user.",
+		"",
+	},
 	"leases": {
 		`View or list lease metadata.`,
 		`
@@ -6409,4 +6457,8 @@ This path responds to the following HTTP methods.
 			Returns the available and enabled experiments.
 		`,
 	},
+	"delegated_auth_accessors": {
+		"A list of auth accessors that the mount is allowed to delegate authentication too",
+		"",
+	},
 }
diff --git a/vault/logical_system_integ_test.go b/vault/logical_system_integ_test.go
index d1ff71d10251..644aaec0a688 100644
--- a/vault/logical_system_integ_test.go
+++ b/vault/logical_system_integ_test.go
@@ -144,7 +144,8 @@ func TestSystemBackend_InternalUIResultantACL(t *testing.T) {
 				},
 			},
 		},
-		"root": false,
+		"root":             false,
+		"chroot_namespace": "",
 	}
 
 	if diff := deep.Equal(resp.Data, exp); diff != nil {
diff --git a/vault/logical_system_paths.go b/vault/logical_system_paths.go
index 5f4df09ecb31..60e56d31824c 100644
--- a/vault/logical_system_paths.go
+++ b/vault/logical_system_paths.go
@@ -2143,6 +2143,10 @@ func (b *SystemBackend) pluginsRuntimesCatalogCRUDPath() *framework.Path {
 				Type:        framework.TypeInt64,
 				Description: strings.TrimSpace(sysHelp["plugin-runtime-catalog_memory-bytes"][0]),
 			},
+			"rootless": {
+				Type:        framework.TypeBool,
+				Description: strings.TrimSpace(sysHelp["plugin-runtime-catalog_rootless"][0]),
+			},
 		},
 
 		Operations: map[logical.Operation]framework.OperationHandler{
@@ -2212,6 +2216,11 @@ func (b *SystemBackend) pluginsRuntimesCatalogCRUDPath() *framework.Path {
 								Description: strings.TrimSpace(sysHelp["plugin-runtime-catalog_memory-bytes"][0]),
 								Required:    true,
 							},
+							"rootless": {
+								Type:        framework.TypeBool,
+								Description: strings.TrimSpace(sysHelp["plugin-runtime-catalog_rootless"][0]),
+								Required:    true,
+							},
 						},
 					}},
 				},
@@ -2633,6 +2642,10 @@ func (b *SystemBackend) internalPaths() []*framework.Path {
 									Type:     framework.TypeMap,
 									Required: false,
 								},
+								"chroot_namespace": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
 							},
 						}},
 					},
@@ -4427,6 +4440,10 @@ func (b *SystemBackend) mountPaths() []*framework.Path {
 					Type:        framework.TypeCommaStringSlice,
 					Description: strings.TrimSpace(sysHelp["tune_allowed_managed_keys"][0]),
 				},
+				"delegated_auth_accessors": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: strings.TrimSpace(sysHelp["allowed_delegated_auth_accessors"][0]),
+				},
 				"plugin_version": {
 					Type:        framework.TypeString,
 					Description: strings.TrimSpace(sysHelp["plugin-catalog_version"][0]),
@@ -4477,6 +4494,11 @@ func (b *SystemBackend) mountPaths() []*framework.Path {
 									Description: strings.TrimSpace(sysHelp["tune_allowed_managed_keys"][0]),
 									Required:    false,
 								},
+								"delegated_auth_accessors": {
+									Type:        framework.TypeCommaStringSlice,
+									Description: strings.TrimSpace(sysHelp["delegated_auth_accessors"][0]),
+									Required:    false,
+								},
 								"allowed_response_headers": {
 									Type:        framework.TypeCommaStringSlice,
 									Description: strings.TrimSpace(sysHelp["allowed_response_headers"][0]),
diff --git a/vault/logical_system_raft.go b/vault/logical_system_raft.go
index d270d1d39bfd..7b254076051a 100644
--- a/vault/logical_system_raft.go
+++ b/vault/logical_system_raft.go
@@ -570,7 +570,8 @@ func (b *SystemBackend) handleStorageRaftSnapshotWrite(force bool, makeSealer fu
 		if !ok {
 			return logical.ErrorResponse("raft storage is not in use"), logical.ErrInvalidRequest
 		}
-		if req.HTTPRequest == nil || req.HTTPRequest.Body == nil {
+		body, ok := logical.ContextOriginalBodyValue(ctx)
+		if !ok {
 			return nil, errors.New("no reader for request")
 		}
 
@@ -583,7 +584,7 @@ func (b *SystemBackend) handleStorageRaftSnapshotWrite(force bool, makeSealer fu
 		// don't have to hold the full snapshot in memory. We also want to do
 		// the restore in two parts so we can restore the snapshot while the
 		// stateLock is write locked.
-		snapFile, cleanup, metadata, err := raftStorage.WriteSnapshotToTemp(req.HTTPRequest.Body, sealer)
+		snapFile, cleanup, metadata, err := raftStorage.WriteSnapshotToTemp(body, sealer)
 		switch {
 		case err == nil:
 		case strings.Contains(err.Error(), "failed to open the sealed hashes"):
diff --git a/vault/logical_system_test.go b/vault/logical_system_test.go
index 2b60a822e08b..baa77c74f0f4 100644
--- a/vault/logical_system_test.go
+++ b/vault/logical_system_test.go
@@ -6104,6 +6104,7 @@ func TestSystemBackend_pluginRuntimeCRUD(t *testing.T) {
 		CgroupParent: "/cpulimit/",
 		CPU:          1,
 		Memory:       10000,
+		Rootless:     true,
 	}
 
 	// Register the plugin runtime
@@ -6113,6 +6114,7 @@ func TestSystemBackend_pluginRuntimeCRUD(t *testing.T) {
 		"cgroup_parent": conf.CgroupParent,
 		"cpu_nanos":     conf.CPU,
 		"memory_bytes":  conf.Memory,
+		"rootless":      conf.Rootless,
 	}
 
 	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
@@ -6153,6 +6155,7 @@ func TestSystemBackend_pluginRuntimeCRUD(t *testing.T) {
 		"cgroup_parent": conf.CgroupParent,
 		"cpu_nanos":     conf.CPU,
 		"memory_bytes":  conf.Memory,
+		"rootless":      conf.Rootless,
 	}
 	if !reflect.DeepEqual(resp.Data, readExp) {
 		t.Fatalf("got: %#v expect: %#v", resp.Data, readExp)
diff --git a/vault/mount.go b/vault/mount.go
index b72e22a054b1..d06c331ea12a 100644
--- a/vault/mount.go
+++ b/vault/mount.go
@@ -364,6 +364,7 @@ type MountConfig struct {
 	TokenType                 logical.TokenType     `json:"token_type,omitempty" structs:"token_type" mapstructure:"token_type"`
 	AllowedManagedKeys        []string              `json:"allowed_managed_keys,omitempty" mapstructure:"allowed_managed_keys"`
 	UserLockoutConfig         *UserLockoutConfig    `json:"user_lockout_config,omitempty" mapstructure:"user_lockout_config"`
+	DelegatedAuthAccessors    []string              `json:"delegated_auth_accessors,omitempty" mapstructure:"delegated_auth_accessors"`
 
 	// PluginName is the name of the plugin registered in the catalog.
 	//
@@ -399,6 +400,7 @@ type APIMountConfig struct {
 	AllowedManagedKeys        []string              `json:"allowed_managed_keys,omitempty" mapstructure:"allowed_managed_keys"`
 	UserLockoutConfig         *UserLockoutConfig    `json:"user_lockout_config,omitempty" mapstructure:"user_lockout_config"`
 	PluginVersion             string                `json:"plugin_version,omitempty" mapstructure:"plugin_version"`
+	DelegatedAuthAccessors    []string              `json:"delegated_auth_accessors,omitempty" mapstructure:"delegated_auth_accessors"`
 
 	// PluginName is the name of the plugin registered in the catalog.
 	//
@@ -500,6 +502,12 @@ func (e *MountEntry) SyncCache() {
 	} else {
 		e.synthesizedConfigCache.Store("allowed_managed_keys", e.Config.AllowedManagedKeys)
 	}
+
+	if len(e.Config.DelegatedAuthAccessors) == 0 {
+		e.synthesizedConfigCache.Delete("delegated_auth_accessors")
+	} else {
+		e.synthesizedConfigCache.Store("delegated_auth_accessors", e.Config.DelegatedAuthAccessors)
+	}
 }
 
 func (entry *MountEntry) Deserialize() map[string]interface{} {
diff --git a/vault/raft.go b/vault/raft.go
index 9e4df481d9ce..76dcf4fa0de0 100644
--- a/vault/raft.go
+++ b/vault/raft.go
@@ -70,7 +70,10 @@ func (c *Core) GetRaftNodeID() string {
 func (c *Core) GetRaftIndexes() (committed uint64, applied uint64) {
 	c.stateLock.RLock()
 	defer c.stateLock.RUnlock()
+	return c.GetRaftIndexesLocked()
+}
 
+func (c *Core) GetRaftIndexesLocked() (committed uint64, applied uint64) {
 	raftStorage, ok := c.underlyingPhysical.(*raft.RaftBackend)
 	if !ok {
 		return 0, 0
@@ -311,14 +314,6 @@ func (c *Core) setupRaftActiveNode(ctx context.Context) error {
 	c.logger.Info("starting raft active node")
 	raftBackend.SetEffectiveSDKVersion(c.effectiveSDKVersion)
 
-	autopilotConfig, err := c.loadAutopilotConfiguration(ctx)
-	if err != nil {
-		c.logger.Error("failed to load autopilot config from storage when setting up cluster; continuing since autopilot falls back to default config", "error", err)
-	}
-	disableAutopilot := c.disableAutopilot
-
-	raftBackend.SetupAutopilot(c.activeContext, autopilotConfig, c.raftFollowerStates, disableAutopilot)
-
 	c.pendingRaftPeers = &sync.Map{}
 
 	// Reload the raft TLS keys to ensure we are using the latest version.
@@ -331,7 +326,18 @@ func (c *Core) setupRaftActiveNode(ctx context.Context) error {
 	if err := c.monitorUndoLogs(); err != nil {
 		return err
 	}
-	return c.startPeriodicRaftTLSRotate(ctx)
+
+	if err := c.startPeriodicRaftTLSRotate(ctx); err != nil {
+		return err
+	}
+
+	autopilotConfig, err := c.loadAutopilotConfiguration(ctx)
+	if err != nil {
+		c.logger.Error("failed to load autopilot config from storage when setting up cluster; continuing since autopilot falls back to default config", "error", err)
+	}
+	disableAutopilot := c.disableAutopilot
+	raftBackend.SetupAutopilot(c.activeContext, autopilotConfig, c.raftFollowerStates, disableAutopilot)
+	return nil
 }
 
 func (c *Core) stopRaftActiveNode() {
diff --git a/vault/rekey_test.go b/vault/rekey_test.go
index c0857a6f94b6..a7278b037f26 100644
--- a/vault/rekey_test.go
+++ b/vault/rekey_test.go
@@ -151,6 +151,10 @@ func TestCore_Rekey_Update(t *testing.T) {
 }
 
 func testCore_Rekey_Update_Common(t *testing.T, c *Core, keys [][]byte, root string, recovery bool) {
+	testCore_Rekey_Update_Common_Error(t, c, keys, root, recovery, false)
+}
+
+func testCore_Rekey_Update_Common_Error(t *testing.T, c *Core, keys [][]byte, root string, recovery bool, wantRekeyUpdateError bool) {
 	var err error
 	// Start a rekey
 	var expType string
@@ -184,12 +188,19 @@ func testCore_Rekey_Update_Common(t *testing.T, c *Core, keys [][]byte, root str
 	for _, key := range keys {
 		result, err = c.RekeyUpdate(context.Background(), key, rkconf.Nonce, recovery)
 		if err != nil {
-			t.Fatalf("err: %v", err)
+			if !wantRekeyUpdateError {
+				t.Fatalf("err: %v", err)
+			} else {
+				return
+			}
 		}
 		if result != nil {
 			break
 		}
 	}
+	if wantRekeyUpdateError {
+		t.Fatal("expected and error during RekeyUpdate")
+	}
 	if result == nil {
 		t.Fatal("nil result after update")
 	}
diff --git a/vault/reload_seal_stubs_oss.go b/vault/reload_seal_stubs_oss.go
new file mode 100644
index 000000000000..3528840aa6ac
--- /dev/null
+++ b/vault/reload_seal_stubs_oss.go
@@ -0,0 +1,18 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !enterprise
+
+package vault
+
+import (
+	"io"
+
+	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/vault/vault/seal"
+)
+
+//go:generate go run github.com/hashicorp/vault/tools/stubmaker
+
+func (c *Core) reloadSealsEnt(secureRandomReader io.Reader, sealAccess seal.Access, logger hclog.Logger) {
+}
diff --git a/vault/request_forwarding_rpc.go b/vault/request_forwarding_rpc.go
index 92dad79aefe9..8b82b767d02d 100644
--- a/vault/request_forwarding_rpc.go
+++ b/vault/request_forwarding_rpc.go
@@ -16,6 +16,8 @@ import (
 	"github.com/hashicorp/vault/physical/raft"
 	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/vault/replication"
+	"google.golang.org/protobuf/types/known/durationpb"
+	"google.golang.org/protobuf/types/known/timestamppb"
 )
 
 type forwardedRequestRPCServer struct {
@@ -72,20 +74,26 @@ func (s *forwardedRequestRPCServer) ForwardRequest(ctx context.Context, freq *fo
 }
 
 type nodeHAConnectionInfo struct {
-	nodeInfo       *NodeInformation
-	lastHeartbeat  time.Time
-	version        string
-	upgradeVersion string
-	redundancyZone string
+	nodeInfo        *NodeInformation
+	lastHeartbeat   time.Time
+	version         string
+	upgradeVersion  string
+	redundancyZone  string
+	localTime       time.Time
+	echoDuration    time.Duration
+	clockSkewMillis int64
 }
 
 func (s *forwardedRequestRPCServer) Echo(ctx context.Context, in *EchoRequest) (*EchoReply, error) {
 	incomingNodeConnectionInfo := nodeHAConnectionInfo{
-		nodeInfo:       in.NodeInfo,
-		lastHeartbeat:  time.Now(),
-		version:        in.SdkVersion,
-		upgradeVersion: in.RaftUpgradeVersion,
-		redundancyZone: in.RaftRedundancyZone,
+		nodeInfo:        in.NodeInfo,
+		lastHeartbeat:   time.Now(),
+		version:         in.SdkVersion,
+		upgradeVersion:  in.RaftUpgradeVersion,
+		redundancyZone:  in.RaftRedundancyZone,
+		localTime:       in.Now.AsTime(),
+		echoDuration:    in.LastRoundtripTime.AsDuration(),
+		clockSkewMillis: in.ClockSkewMillis,
 	}
 	if in.ClusterAddr != "" {
 		s.core.clusterPeerClusterAddrsCache.Set(in.ClusterAddr, incomingNodeConnectionInfo, 0)
@@ -106,6 +114,7 @@ func (s *forwardedRequestRPCServer) Echo(ctx context.Context, in *EchoRequest) (
 	reply := &EchoReply{
 		Message:          "pong",
 		ReplicationState: uint32(s.core.ReplicationState()),
+		Now:              timestamppb.Now(),
 	}
 
 	if raftBackend := s.core.getRaftBackend(); raftBackend != nil {
@@ -134,15 +143,19 @@ func (c *forwardingClient) startHeartbeat() {
 			Hostname: hostname,
 			Mode:     "standby",
 		}
+		var echoDuration time.Duration
+		var serverTimeDelta int64
 		tick := func() {
 			labels := make([]metrics.Label, 0, 1)
 			defer metrics.MeasureSinceWithLabels([]string{"ha", "rpc", "client", "echo"}, time.Now(), labels)
 
 			req := &EchoRequest{
-				Message:     "ping",
-				ClusterAddr: clusterAddr,
-				NodeInfo:    &ni,
-				SdkVersion:  c.core.effectiveSDKVersion,
+				Message:           "ping",
+				ClusterAddr:       clusterAddr,
+				NodeInfo:          &ni,
+				SdkVersion:        c.core.effectiveSDKVersion,
+				LastRoundtripTime: durationpb.New(echoDuration),
+				ClockSkewMillis:   serverTimeDelta,
 			}
 
 			if raftBackend := c.core.getRaftBackend(); raftBackend != nil {
@@ -155,9 +168,22 @@ func (c *forwardingClient) startHeartbeat() {
 				labels = append(labels, metrics.Label{Name: "peer_id", Value: raftBackend.NodeID()})
 			}
 
+			start := time.Now()
+			req.Now = timestamppb.New(start)
 			ctx, cancel := context.WithTimeout(c.echoContext, 2*time.Second)
 			resp, err := c.RequestForwardingClient.Echo(ctx, req)
 			cancel()
+
+			now := time.Now()
+			if err == nil {
+				serverTimeDelta = resp.Now.AsTime().UnixMilli() - now.UnixMilli()
+			} else {
+				serverTimeDelta = 0
+			}
+			echoDuration = now.Sub(start)
+			c.core.echoDuration.Store(echoDuration)
+			c.core.activeNodeClockSkewMillis.Store(serverTimeDelta)
+
 			if err != nil {
 				metrics.IncrCounter([]string{"ha", "rpc", "client", "echo", "errors"}, 1)
 				c.core.logger.Debug("forwarding: error sending echo request to active node", "error", err)
diff --git a/vault/request_forwarding_service.pb.go b/vault/request_forwarding_service.pb.go
index 4b5cb8b28a35..2f0d206bf786 100644
--- a/vault/request_forwarding_service.pb.go
+++ b/vault/request_forwarding_service.pb.go
@@ -13,6 +13,8 @@ import (
 	forwarding "github.com/hashicorp/vault/helper/forwarding"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	durationpb "google.golang.org/protobuf/types/known/durationpb"
+	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
 )
@@ -35,15 +37,20 @@ type EchoRequest struct {
 	ClusterAddr string `protobuf:"bytes,2,opt,name=cluster_addr,json=clusterAddr,proto3" json:"cluster_addr,omitempty"`
 	// ClusterAddrs is used to send up a list of cluster addresses to a dr
 	// primary from a dr secondary
-	ClusterAddrs        []string         `protobuf:"bytes,3,rep,name=cluster_addrs,json=clusterAddrs,proto3" json:"cluster_addrs,omitempty"`
-	RaftAppliedIndex    uint64           `protobuf:"varint,4,opt,name=raft_applied_index,json=raftAppliedIndex,proto3" json:"raft_applied_index,omitempty"`
-	RaftNodeID          string           `protobuf:"bytes,5,opt,name=raft_node_id,json=raftNodeId,proto3" json:"raft_node_id,omitempty"`
-	NodeInfo            *NodeInformation `protobuf:"bytes,6,opt,name=node_info,json=nodeInfo,proto3" json:"node_info,omitempty"`
-	RaftTerm            uint64           `protobuf:"varint,7,opt,name=raft_term,json=raftTerm,proto3" json:"raft_term,omitempty"`
-	RaftDesiredSuffrage string           `protobuf:"bytes,8,opt,name=raft_desired_suffrage,json=raftDesiredSuffrage,proto3" json:"raft_desired_suffrage,omitempty"`
-	RaftUpgradeVersion  string           `protobuf:"bytes,9,opt,name=raft_upgrade_version,json=raftUpgradeVersion,proto3" json:"raft_upgrade_version,omitempty"`
-	RaftRedundancyZone  string           `protobuf:"bytes,10,opt,name=raft_redundancy_zone,json=raftRedundancyZone,proto3" json:"raft_redundancy_zone,omitempty"`
-	SdkVersion          string           `protobuf:"bytes,11,opt,name=sdk_version,json=sdkVersion,proto3" json:"sdk_version,omitempty"`
+	ClusterAddrs        []string               `protobuf:"bytes,3,rep,name=cluster_addrs,json=clusterAddrs,proto3" json:"cluster_addrs,omitempty"`
+	RaftAppliedIndex    uint64                 `protobuf:"varint,4,opt,name=raft_applied_index,json=raftAppliedIndex,proto3" json:"raft_applied_index,omitempty"`
+	RaftNodeID          string                 `protobuf:"bytes,5,opt,name=raft_node_id,json=raftNodeId,proto3" json:"raft_node_id,omitempty"`
+	NodeInfo            *NodeInformation       `protobuf:"bytes,6,opt,name=node_info,json=nodeInfo,proto3" json:"node_info,omitempty"`
+	RaftTerm            uint64                 `protobuf:"varint,7,opt,name=raft_term,json=raftTerm,proto3" json:"raft_term,omitempty"`
+	RaftDesiredSuffrage string                 `protobuf:"bytes,8,opt,name=raft_desired_suffrage,json=raftDesiredSuffrage,proto3" json:"raft_desired_suffrage,omitempty"`
+	RaftUpgradeVersion  string                 `protobuf:"bytes,9,opt,name=raft_upgrade_version,json=raftUpgradeVersion,proto3" json:"raft_upgrade_version,omitempty"`
+	RaftRedundancyZone  string                 `protobuf:"bytes,10,opt,name=raft_redundancy_zone,json=raftRedundancyZone,proto3" json:"raft_redundancy_zone,omitempty"`
+	SdkVersion          string                 `protobuf:"bytes,11,opt,name=sdk_version,json=sdkVersion,proto3" json:"sdk_version,omitempty"`
+	Now                 *timestamppb.Timestamp `protobuf:"bytes,12,opt,name=now,proto3" json:"now,omitempty"`
+	// last_roundtrip_time is the time taken for the last echo request
+	LastRoundtripTime *durationpb.Duration `protobuf:"bytes,13,opt,name=last_roundtrip_time,json=lastRoundtripTime,proto3" json:"last_roundtrip_time,omitempty"`
+	// clock_skew_millis is the server time minus the local time
+	ClockSkewMillis int64 `protobuf:"varint,14,opt,name=clock_skew_millis,json=clockSkewMillis,proto3" json:"clock_skew_millis,omitempty"`
 }
 
 func (x *EchoRequest) Reset() {
@@ -155,6 +162,27 @@ func (x *EchoRequest) GetSdkVersion() string {
 	return ""
 }
 
+func (x *EchoRequest) GetNow() *timestamppb.Timestamp {
+	if x != nil {
+		return x.Now
+	}
+	return nil
+}
+
+func (x *EchoRequest) GetLastRoundtripTime() *durationpb.Duration {
+	if x != nil {
+		return x.LastRoundtripTime
+	}
+	return nil
+}
+
+func (x *EchoRequest) GetClockSkewMillis() int64 {
+	if x != nil {
+		return x.ClockSkewMillis
+	}
+	return 0
+}
+
 type EchoReply struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -166,6 +194,8 @@ type EchoReply struct {
 	RaftAppliedIndex uint64           `protobuf:"varint,4,opt,name=raft_applied_index,json=raftAppliedIndex,proto3" json:"raft_applied_index,omitempty"`
 	RaftNodeID       string           `protobuf:"bytes,5,opt,name=raft_node_id,json=raftNodeId,proto3" json:"raft_node_id,omitempty"`
 	NodeInfo         *NodeInformation `protobuf:"bytes,6,opt,name=node_info,json=nodeInfo,proto3" json:"node_info,omitempty"`
+	// now is the time on the server
+	Now *timestamppb.Timestamp `protobuf:"bytes,7,opt,name=now,proto3" json:"now,omitempty"`
 }
 
 func (x *EchoReply) Reset() {
@@ -242,6 +272,13 @@ func (x *EchoReply) GetNodeInfo() *NodeInformation {
 	return nil
 }
 
+func (x *EchoReply) GetNow() *timestamppb.Timestamp {
+	if x != nil {
+		return x.Now
+	}
+	return nil
+}
+
 type NodeInformation struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -531,105 +568,122 @@ var file_vault_request_forwarding_service_proto_rawDesc = []byte{
 	0x0a, 0x26, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f,
 	0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69,
 	0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x05, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x1a,
-	0x1d, 0x68, 0x65, 0x6c, 0x70, 0x65, 0x72, 0x2f, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69,
-	0x6e, 0x67, 0x2f, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xca,
-	0x03, 0x0a, 0x0b, 0x45, 0x63, 0x68, 0x6f, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18,
-	0x0a, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x6c, 0x75, 0x73,
-	0x74, 0x65, 0x72, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b,
-	0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x41, 0x64, 0x64, 0x72, 0x12, 0x23, 0x0a, 0x0d, 0x63,
-	0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x73, 0x18, 0x03, 0x20, 0x03,
-	0x28, 0x09, 0x52, 0x0c, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x41, 0x64, 0x64, 0x72, 0x73,
-	0x12, 0x2c, 0x0a, 0x12, 0x72, 0x61, 0x66, 0x74, 0x5f, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x65, 0x64,
-	0x5f, 0x69, 0x6e, 0x64, 0x65, 0x78, 0x18, 0x04, 0x20, 0x01, 0x28, 0x04, 0x52, 0x10, 0x72, 0x61,
-	0x66, 0x74, 0x41, 0x70, 0x70, 0x6c, 0x69, 0x65, 0x64, 0x49, 0x6e, 0x64, 0x65, 0x78, 0x12, 0x20,
-	0x0a, 0x0c, 0x72, 0x61, 0x66, 0x74, 0x5f, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x05,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x72, 0x61, 0x66, 0x74, 0x4e, 0x6f, 0x64, 0x65, 0x49, 0x64,
-	0x12, 0x33, 0x0a, 0x09, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x18, 0x06, 0x20,
-	0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2e, 0x4e, 0x6f, 0x64, 0x65,
-	0x49, 0x6e, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x08, 0x6e, 0x6f, 0x64,
-	0x65, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x1b, 0x0a, 0x09, 0x72, 0x61, 0x66, 0x74, 0x5f, 0x74, 0x65,
-	0x72, 0x6d, 0x18, 0x07, 0x20, 0x01, 0x28, 0x04, 0x52, 0x08, 0x72, 0x61, 0x66, 0x74, 0x54, 0x65,
-	0x72, 0x6d, 0x12, 0x32, 0x0a, 0x15, 0x72, 0x61, 0x66, 0x74, 0x5f, 0x64, 0x65, 0x73, 0x69, 0x72,
-	0x65, 0x64, 0x5f, 0x73, 0x75, 0x66, 0x66, 0x72, 0x61, 0x67, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x13, 0x72, 0x61, 0x66, 0x74, 0x44, 0x65, 0x73, 0x69, 0x72, 0x65, 0x64, 0x53, 0x75,
-	0x66, 0x66, 0x72, 0x61, 0x67, 0x65, 0x12, 0x30, 0x0a, 0x14, 0x72, 0x61, 0x66, 0x74, 0x5f, 0x75,
-	0x70, 0x67, 0x72, 0x61, 0x64, 0x65, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x09,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x72, 0x61, 0x66, 0x74, 0x55, 0x70, 0x67, 0x72, 0x61, 0x64,
-	0x65, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x30, 0x0a, 0x14, 0x72, 0x61, 0x66, 0x74,
-	0x5f, 0x72, 0x65, 0x64, 0x75, 0x6e, 0x64, 0x61, 0x6e, 0x63, 0x79, 0x5f, 0x7a, 0x6f, 0x6e, 0x65,
-	0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x72, 0x61, 0x66, 0x74, 0x52, 0x65, 0x64, 0x75,
-	0x6e, 0x64, 0x61, 0x6e, 0x63, 0x79, 0x5a, 0x6f, 0x6e, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x64,
-	0x6b, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x0a, 0x73, 0x64, 0x6b, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0xfc, 0x01, 0x0a, 0x09,
-	0x45, 0x63, 0x68, 0x6f, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x18, 0x0a, 0x07, 0x6d, 0x65, 0x73,
-	0x73, 0x61, 0x67, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6d, 0x65, 0x73, 0x73,
-	0x61, 0x67, 0x65, 0x12, 0x23, 0x0a, 0x0d, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x61,
-	0x64, 0x64, 0x72, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x63, 0x6c, 0x75, 0x73,
-	0x74, 0x65, 0x72, 0x41, 0x64, 0x64, 0x72, 0x73, 0x12, 0x2b, 0x0a, 0x11, 0x72, 0x65, 0x70, 0x6c,
-	0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x65, 0x18, 0x03, 0x20,
-	0x01, 0x28, 0x0d, 0x52, 0x10, 0x72, 0x65, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e,
-	0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x2c, 0x0a, 0x12, 0x72, 0x61, 0x66, 0x74, 0x5f, 0x61, 0x70,
-	0x70, 0x6c, 0x69, 0x65, 0x64, 0x5f, 0x69, 0x6e, 0x64, 0x65, 0x78, 0x18, 0x04, 0x20, 0x01, 0x28,
-	0x04, 0x52, 0x10, 0x72, 0x61, 0x66, 0x74, 0x41, 0x70, 0x70, 0x6c, 0x69, 0x65, 0x64, 0x49, 0x6e,
-	0x64, 0x65, 0x78, 0x12, 0x20, 0x0a, 0x0c, 0x72, 0x61, 0x66, 0x74, 0x5f, 0x6e, 0x6f, 0x64, 0x65,
-	0x5f, 0x69, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x72, 0x61, 0x66, 0x74, 0x4e,
-	0x6f, 0x64, 0x65, 0x49, 0x64, 0x12, 0x33, 0x0a, 0x09, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x69, 0x6e,
-	0x66, 0x6f, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74,
-	0x2e, 0x4e, 0x6f, 0x64, 0x65, 0x49, 0x6e, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x69, 0x6f, 0x6e,
-	0x52, 0x08, 0x6e, 0x6f, 0x64, 0x65, 0x49, 0x6e, 0x66, 0x6f, 0x22, 0xc5, 0x01, 0x0a, 0x0f, 0x4e,
-	0x6f, 0x64, 0x65, 0x49, 0x6e, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x21,
-	0x0a, 0x0c, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x41, 0x64, 0x64,
-	0x72, 0x12, 0x19, 0x0a, 0x08, 0x61, 0x70, 0x69, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x07, 0x61, 0x70, 0x69, 0x41, 0x64, 0x64, 0x72, 0x12, 0x12, 0x0a, 0x04,
-	0x6d, 0x6f, 0x64, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6d, 0x6f, 0x64, 0x65,
-	0x12, 0x17, 0x0a, 0x07, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x06, 0x6e, 0x6f, 0x64, 0x65, 0x49, 0x64, 0x12, 0x2b, 0x0a, 0x11, 0x72, 0x65, 0x70,
-	0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x65, 0x18, 0x05,
-	0x20, 0x01, 0x28, 0x0d, 0x52, 0x10, 0x72, 0x65, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f,
-	0x6e, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61,
-	0x6d, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61,
-	0x6d, 0x65, 0x22, 0x49, 0x0a, 0x09, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x4b, 0x65, 0x79, 0x12,
-	0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74,
-	0x79, 0x70, 0x65, 0x12, 0x0c, 0x0a, 0x01, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x01,
-	0x78, 0x12, 0x0c, 0x0a, 0x01, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x01, 0x79, 0x12,
-	0x0c, 0x0a, 0x01, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x01, 0x64, 0x22, 0x1a, 0x0a,
-	0x18, 0x50, 0x65, 0x72, 0x66, 0x53, 0x74, 0x61, 0x6e, 0x64, 0x62, 0x79, 0x45, 0x6c, 0x65, 0x63,
-	0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x70, 0x75, 0x74, 0x22, 0xe9, 0x01, 0x0a, 0x1b, 0x50, 0x65,
-	0x72, 0x66, 0x53, 0x74, 0x61, 0x6e, 0x64, 0x62, 0x79, 0x45, 0x6c, 0x65, 0x63, 0x74, 0x69, 0x6f,
-	0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x63, 0x6c, 0x75,
-	0x73, 0x74, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x63,
-	0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x49, 0x64, 0x12, 0x30, 0x0a, 0x14, 0x70, 0x72, 0x69, 0x6d,
-	0x61, 0x72, 0x79, 0x5f, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x61, 0x64, 0x64, 0x72,
-	0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x70, 0x72, 0x69, 0x6d, 0x61, 0x72, 0x79, 0x43,
-	0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x41, 0x64, 0x64, 0x72, 0x12, 0x17, 0x0a, 0x07, 0x63, 0x61,
-	0x5f, 0x63, 0x65, 0x72, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x63, 0x61, 0x43,
-	0x65, 0x72, 0x74, 0x12, 0x1f, 0x0a, 0x0b, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x63, 0x65,
-	0x72, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74,
-	0x43, 0x65, 0x72, 0x74, 0x12, 0x2f, 0x0a, 0x0a, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x6b,
-	0x65, 0x79, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74,
-	0x2e, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x4b, 0x65, 0x79, 0x52, 0x09, 0x63, 0x6c, 0x69, 0x65,
-	0x6e, 0x74, 0x4b, 0x65, 0x79, 0x32, 0xf0, 0x01, 0x0a, 0x11, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
-	0x74, 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x12, 0x3d, 0x0a, 0x0e, 0x46,
-	0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x13, 0x2e,
-	0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x2e, 0x52, 0x65, 0x71, 0x75, 0x65,
-	0x73, 0x74, 0x1a, 0x14, 0x2e, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x2e,
-	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x2e, 0x0a, 0x04, 0x45, 0x63,
-	0x68, 0x6f, 0x12, 0x12, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2e, 0x45, 0x63, 0x68, 0x6f, 0x52,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x10, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2e, 0x45,
-	0x63, 0x68, 0x6f, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x22, 0x00, 0x12, 0x6c, 0x0a, 0x21, 0x50, 0x65,
-	0x72, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x6e, 0x63, 0x65, 0x53, 0x74, 0x61, 0x6e, 0x64, 0x62, 0x79,
-	0x45, 0x6c, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12,
-	0x1f, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2e, 0x50, 0x65, 0x72, 0x66, 0x53, 0x74, 0x61, 0x6e,
-	0x64, 0x62, 0x79, 0x45, 0x6c, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x70, 0x75, 0x74,
-	0x1a, 0x22, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2e, 0x50, 0x65, 0x72, 0x66, 0x53, 0x74, 0x61,
-	0x6e, 0x64, 0x62, 0x79, 0x45, 0x6c, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70,
-	0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x30, 0x01, 0x42, 0x22, 0x5a, 0x20, 0x67, 0x69, 0x74, 0x68,
-	0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70,
-	0x2f, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2f, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x62, 0x06, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x33,
+	0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
+	0x2f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a,
+	0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
+	0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x1a, 0x1d, 0x68, 0x65, 0x6c, 0x70, 0x65, 0x72, 0x2f, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64,
+	0x69, 0x6e, 0x67, 0x2f, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22,
+	0xef, 0x04, 0x0a, 0x0b, 0x45, 0x63, 0x68, 0x6f, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12,
+	0x18, 0x0a, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x6c, 0x75,
+	0x73, 0x74, 0x65, 0x72, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x0b, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x41, 0x64, 0x64, 0x72, 0x12, 0x23, 0x0a, 0x0d,
+	0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x73, 0x18, 0x03, 0x20,
+	0x03, 0x28, 0x09, 0x52, 0x0c, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x41, 0x64, 0x64, 0x72,
+	0x73, 0x12, 0x2c, 0x0a, 0x12, 0x72, 0x61, 0x66, 0x74, 0x5f, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x65,
+	0x64, 0x5f, 0x69, 0x6e, 0x64, 0x65, 0x78, 0x18, 0x04, 0x20, 0x01, 0x28, 0x04, 0x52, 0x10, 0x72,
+	0x61, 0x66, 0x74, 0x41, 0x70, 0x70, 0x6c, 0x69, 0x65, 0x64, 0x49, 0x6e, 0x64, 0x65, 0x78, 0x12,
+	0x20, 0x0a, 0x0c, 0x72, 0x61, 0x66, 0x74, 0x5f, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x69, 0x64, 0x18,
+	0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x72, 0x61, 0x66, 0x74, 0x4e, 0x6f, 0x64, 0x65, 0x49,
+	0x64, 0x12, 0x33, 0x0a, 0x09, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x18, 0x06,
+	0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2e, 0x4e, 0x6f, 0x64,
+	0x65, 0x49, 0x6e, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x08, 0x6e, 0x6f,
+	0x64, 0x65, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x1b, 0x0a, 0x09, 0x72, 0x61, 0x66, 0x74, 0x5f, 0x74,
+	0x65, 0x72, 0x6d, 0x18, 0x07, 0x20, 0x01, 0x28, 0x04, 0x52, 0x08, 0x72, 0x61, 0x66, 0x74, 0x54,
+	0x65, 0x72, 0x6d, 0x12, 0x32, 0x0a, 0x15, 0x72, 0x61, 0x66, 0x74, 0x5f, 0x64, 0x65, 0x73, 0x69,
+	0x72, 0x65, 0x64, 0x5f, 0x73, 0x75, 0x66, 0x66, 0x72, 0x61, 0x67, 0x65, 0x18, 0x08, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x13, 0x72, 0x61, 0x66, 0x74, 0x44, 0x65, 0x73, 0x69, 0x72, 0x65, 0x64, 0x53,
+	0x75, 0x66, 0x66, 0x72, 0x61, 0x67, 0x65, 0x12, 0x30, 0x0a, 0x14, 0x72, 0x61, 0x66, 0x74, 0x5f,
+	0x75, 0x70, 0x67, 0x72, 0x61, 0x64, 0x65, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18,
+	0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x72, 0x61, 0x66, 0x74, 0x55, 0x70, 0x67, 0x72, 0x61,
+	0x64, 0x65, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x30, 0x0a, 0x14, 0x72, 0x61, 0x66,
+	0x74, 0x5f, 0x72, 0x65, 0x64, 0x75, 0x6e, 0x64, 0x61, 0x6e, 0x63, 0x79, 0x5f, 0x7a, 0x6f, 0x6e,
+	0x65, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x72, 0x61, 0x66, 0x74, 0x52, 0x65, 0x64,
+	0x75, 0x6e, 0x64, 0x61, 0x6e, 0x63, 0x79, 0x5a, 0x6f, 0x6e, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x73,
+	0x64, 0x6b, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x0a, 0x73, 0x64, 0x6b, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x2c, 0x0a, 0x03,
+	0x6e, 0x6f, 0x77, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67,
+	0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65,
+	0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x03, 0x6e, 0x6f, 0x77, 0x12, 0x49, 0x0a, 0x13, 0x6c, 0x61,
+	0x73, 0x74, 0x5f, 0x72, 0x6f, 0x75, 0x6e, 0x64, 0x74, 0x72, 0x69, 0x70, 0x5f, 0x74, 0x69, 0x6d,
+	0x65, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
+	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69,
+	0x6f, 0x6e, 0x52, 0x11, 0x6c, 0x61, 0x73, 0x74, 0x52, 0x6f, 0x75, 0x6e, 0x64, 0x74, 0x72, 0x69,
+	0x70, 0x54, 0x69, 0x6d, 0x65, 0x12, 0x2a, 0x0a, 0x11, 0x63, 0x6c, 0x6f, 0x63, 0x6b, 0x5f, 0x73,
+	0x6b, 0x65, 0x77, 0x5f, 0x6d, 0x69, 0x6c, 0x6c, 0x69, 0x73, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x03,
+	0x52, 0x0f, 0x63, 0x6c, 0x6f, 0x63, 0x6b, 0x53, 0x6b, 0x65, 0x77, 0x4d, 0x69, 0x6c, 0x6c, 0x69,
+	0x73, 0x22, 0xaa, 0x02, 0x0a, 0x09, 0x45, 0x63, 0x68, 0x6f, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12,
+	0x18, 0x0a, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x23, 0x0a, 0x0d, 0x63, 0x6c, 0x75,
+	0x73, 0x74, 0x65, 0x72, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09,
+	0x52, 0x0c, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x41, 0x64, 0x64, 0x72, 0x73, 0x12, 0x2b,
+	0x0a, 0x11, 0x72, 0x65, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x74,
+	0x61, 0x74, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x10, 0x72, 0x65, 0x70, 0x6c, 0x69,
+	0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x2c, 0x0a, 0x12, 0x72,
+	0x61, 0x66, 0x74, 0x5f, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x65, 0x64, 0x5f, 0x69, 0x6e, 0x64, 0x65,
+	0x78, 0x18, 0x04, 0x20, 0x01, 0x28, 0x04, 0x52, 0x10, 0x72, 0x61, 0x66, 0x74, 0x41, 0x70, 0x70,
+	0x6c, 0x69, 0x65, 0x64, 0x49, 0x6e, 0x64, 0x65, 0x78, 0x12, 0x20, 0x0a, 0x0c, 0x72, 0x61, 0x66,
+	0x74, 0x5f, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x0a, 0x72, 0x61, 0x66, 0x74, 0x4e, 0x6f, 0x64, 0x65, 0x49, 0x64, 0x12, 0x33, 0x0a, 0x09, 0x6e,
+	0x6f, 0x64, 0x65, 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16,
+	0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2e, 0x4e, 0x6f, 0x64, 0x65, 0x49, 0x6e, 0x66, 0x6f, 0x72,
+	0x6d, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x08, 0x6e, 0x6f, 0x64, 0x65, 0x49, 0x6e, 0x66, 0x6f,
+	0x12, 0x2c, 0x0a, 0x03, 0x6e, 0x6f, 0x77, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e,
+	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
+	0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x03, 0x6e, 0x6f, 0x77, 0x22, 0xc5,
+	0x01, 0x0a, 0x0f, 0x4e, 0x6f, 0x64, 0x65, 0x49, 0x6e, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x69,
+	0x6f, 0x6e, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x61, 0x64,
+	0x64, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65,
+	0x72, 0x41, 0x64, 0x64, 0x72, 0x12, 0x19, 0x0a, 0x08, 0x61, 0x70, 0x69, 0x5f, 0x61, 0x64, 0x64,
+	0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x61, 0x70, 0x69, 0x41, 0x64, 0x64, 0x72,
+	0x12, 0x12, 0x0a, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
+	0x6d, 0x6f, 0x64, 0x65, 0x12, 0x17, 0x0a, 0x07, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x69, 0x64, 0x18,
+	0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6e, 0x6f, 0x64, 0x65, 0x49, 0x64, 0x12, 0x2b, 0x0a,
+	0x11, 0x72, 0x65, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x74, 0x61,
+	0x74, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x10, 0x72, 0x65, 0x70, 0x6c, 0x69, 0x63,
+	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x68, 0x6f,
+	0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x68, 0x6f,
+	0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x22, 0x49, 0x0a, 0x09, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74,
+	0x4b, 0x65, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x0c, 0x0a, 0x01, 0x78, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x0c, 0x52, 0x01, 0x78, 0x12, 0x0c, 0x0a, 0x01, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c,
+	0x52, 0x01, 0x79, 0x12, 0x0c, 0x0a, 0x01, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x01,
+	0x64, 0x22, 0x1a, 0x0a, 0x18, 0x50, 0x65, 0x72, 0x66, 0x53, 0x74, 0x61, 0x6e, 0x64, 0x62, 0x79,
+	0x45, 0x6c, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x70, 0x75, 0x74, 0x22, 0xe9, 0x01,
+	0x0a, 0x1b, 0x50, 0x65, 0x72, 0x66, 0x53, 0x74, 0x61, 0x6e, 0x64, 0x62, 0x79, 0x45, 0x6c, 0x65,
+	0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x0e, 0x0a,
+	0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x1d, 0x0a,
+	0x0a, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x09, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x49, 0x64, 0x12, 0x30, 0x0a, 0x14,
+	0x70, 0x72, 0x69, 0x6d, 0x61, 0x72, 0x79, 0x5f, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f,
+	0x61, 0x64, 0x64, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x70, 0x72, 0x69, 0x6d,
+	0x61, 0x72, 0x79, 0x43, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x41, 0x64, 0x64, 0x72, 0x12, 0x17,
+	0x0a, 0x07, 0x63, 0x61, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x52,
+	0x06, 0x63, 0x61, 0x43, 0x65, 0x72, 0x74, 0x12, 0x1f, 0x0a, 0x0b, 0x63, 0x6c, 0x69, 0x65, 0x6e,
+	0x74, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x63, 0x6c,
+	0x69, 0x65, 0x6e, 0x74, 0x43, 0x65, 0x72, 0x74, 0x12, 0x2f, 0x0a, 0x0a, 0x63, 0x6c, 0x69, 0x65,
+	0x6e, 0x74, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x76,
+	0x61, 0x75, 0x6c, 0x74, 0x2e, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x4b, 0x65, 0x79, 0x52, 0x09,
+	0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x4b, 0x65, 0x79, 0x32, 0xf0, 0x01, 0x0a, 0x11, 0x52, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x12,
+	0x3d, 0x0a, 0x0e, 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x12, 0x13, 0x2e, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x2e, 0x52,
+	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x14, 0x2e, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64,
+	0x69, 0x6e, 0x67, 0x2e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x2e,
+	0x0a, 0x04, 0x45, 0x63, 0x68, 0x6f, 0x12, 0x12, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2e, 0x45,
+	0x63, 0x68, 0x6f, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x10, 0x2e, 0x76, 0x61, 0x75,
+	0x6c, 0x74, 0x2e, 0x45, 0x63, 0x68, 0x6f, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x22, 0x00, 0x12, 0x6c,
+	0x0a, 0x21, 0x50, 0x65, 0x72, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x6e, 0x63, 0x65, 0x53, 0x74, 0x61,
+	0x6e, 0x64, 0x62, 0x79, 0x45, 0x6c, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75,
+	0x65, 0x73, 0x74, 0x12, 0x1f, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2e, 0x50, 0x65, 0x72, 0x66,
+	0x53, 0x74, 0x61, 0x6e, 0x64, 0x62, 0x79, 0x45, 0x6c, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x49,
+	0x6e, 0x70, 0x75, 0x74, 0x1a, 0x22, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2e, 0x50, 0x65, 0x72,
+	0x66, 0x53, 0x74, 0x61, 0x6e, 0x64, 0x62, 0x79, 0x45, 0x6c, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e,
+	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x30, 0x01, 0x42, 0x22, 0x5a, 0x20,
+	0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69,
+	0x63, 0x6f, 0x72, 0x70, 0x2f, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2f, 0x76, 0x61, 0x75, 0x6c, 0x74,
+	0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
@@ -652,24 +706,29 @@ var file_vault_request_forwarding_service_proto_goTypes = []interface{}{
 	(*ClientKey)(nil),                   // 3: vault.ClientKey
 	(*PerfStandbyElectionInput)(nil),    // 4: vault.PerfStandbyElectionInput
 	(*PerfStandbyElectionResponse)(nil), // 5: vault.PerfStandbyElectionResponse
-	(*forwarding.Request)(nil),          // 6: forwarding.Request
-	(*forwarding.Response)(nil),         // 7: forwarding.Response
+	(*timestamppb.Timestamp)(nil),       // 6: google.protobuf.Timestamp
+	(*durationpb.Duration)(nil),         // 7: google.protobuf.Duration
+	(*forwarding.Request)(nil),          // 8: forwarding.Request
+	(*forwarding.Response)(nil),         // 9: forwarding.Response
 }
 var file_vault_request_forwarding_service_proto_depIDxs = []int32{
 	2, // 0: vault.EchoRequest.node_info:type_name -> vault.NodeInformation
-	2, // 1: vault.EchoReply.node_info:type_name -> vault.NodeInformation
-	3, // 2: vault.PerfStandbyElectionResponse.client_key:type_name -> vault.ClientKey
-	6, // 3: vault.RequestForwarding.ForwardRequest:input_type -> forwarding.Request
-	0, // 4: vault.RequestForwarding.Echo:input_type -> vault.EchoRequest
-	4, // 5: vault.RequestForwarding.PerformanceStandbyElectionRequest:input_type -> vault.PerfStandbyElectionInput
-	7, // 6: vault.RequestForwarding.ForwardRequest:output_type -> forwarding.Response
-	1, // 7: vault.RequestForwarding.Echo:output_type -> vault.EchoReply
-	5, // 8: vault.RequestForwarding.PerformanceStandbyElectionRequest:output_type -> vault.PerfStandbyElectionResponse
-	6, // [6:9] is the sub-list for method output_type
-	3, // [3:6] is the sub-list for method input_type
-	3, // [3:3] is the sub-list for extension type_name
-	3, // [3:3] is the sub-list for extension extendee
-	0, // [0:3] is the sub-list for field type_name
+	6, // 1: vault.EchoRequest.now:type_name -> google.protobuf.Timestamp
+	7, // 2: vault.EchoRequest.last_roundtrip_time:type_name -> google.protobuf.Duration
+	2, // 3: vault.EchoReply.node_info:type_name -> vault.NodeInformation
+	6, // 4: vault.EchoReply.now:type_name -> google.protobuf.Timestamp
+	3, // 5: vault.PerfStandbyElectionResponse.client_key:type_name -> vault.ClientKey
+	8, // 6: vault.RequestForwarding.ForwardRequest:input_type -> forwarding.Request
+	0, // 7: vault.RequestForwarding.Echo:input_type -> vault.EchoRequest
+	4, // 8: vault.RequestForwarding.PerformanceStandbyElectionRequest:input_type -> vault.PerfStandbyElectionInput
+	9, // 9: vault.RequestForwarding.ForwardRequest:output_type -> forwarding.Response
+	1, // 10: vault.RequestForwarding.Echo:output_type -> vault.EchoReply
+	5, // 11: vault.RequestForwarding.PerformanceStandbyElectionRequest:output_type -> vault.PerfStandbyElectionResponse
+	9, // [9:12] is the sub-list for method output_type
+	6, // [6:9] is the sub-list for method input_type
+	6, // [6:6] is the sub-list for extension type_name
+	6, // [6:6] is the sub-list for extension extendee
+	0, // [0:6] is the sub-list for field type_name
 }
 
 func init() { file_vault_request_forwarding_service_proto_init() }
diff --git a/vault/request_forwarding_service.proto b/vault/request_forwarding_service.proto
index bb54b7189bf6..f564e807dcde 100644
--- a/vault/request_forwarding_service.proto
+++ b/vault/request_forwarding_service.proto
@@ -5,6 +5,8 @@ syntax = "proto3";
 
 package vault;
 
+import "google/protobuf/duration.proto";
+import "google/protobuf/timestamp.proto";
 import "helper/forwarding/types.proto";
 
 option go_package = "github.com/hashicorp/vault/vault";
@@ -26,6 +28,11 @@ message EchoRequest {
   string raft_upgrade_version = 9;
   string raft_redundancy_zone = 10;
   string sdk_version = 11;
+  google.protobuf.Timestamp now = 12;
+  // last_roundtrip_time is the time taken for the last echo request
+  google.protobuf.Duration last_roundtrip_time = 13;
+  // clock_skew_millis is the server time minus the local time
+  int64 clock_skew_millis = 14;
 }
 
 message EchoReply {
@@ -35,6 +42,8 @@ message EchoReply {
   uint64 raft_applied_index = 4;
   string raft_node_id = 5;
   NodeInformation node_info = 6;
+  // now is the time on the server
+  google.protobuf.Timestamp now = 7;
 }
 
 message NodeInformation {
diff --git a/vault/request_handling.go b/vault/request_handling.go
index 1330b94688f5..034146b5c002 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@@ -9,7 +9,11 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
+	"maps"
+	"net/textproto"
 	"os"
+	paths "path"
+	"slices"
 	"strconv"
 	"strings"
 	"time"
@@ -577,6 +581,10 @@ func (c *Core) switchedLockHandleRequest(httpCtx context.Context, req *logical.R
 	if disable_repl_status, ok := logical.ContextDisableReplicationStatusEndpointsValue(httpCtx); ok {
 		ctx = logical.CreateContextDisableReplicationStatusEndpoints(ctx, disable_repl_status)
 	}
+	body, ok := logical.ContextOriginalBodyValue(httpCtx)
+	if ok {
+		ctx = logical.CreateContextOriginalBody(ctx, body)
+	}
 	resp, err = c.handleCancelableRequest(ctx, req)
 	req.SetTokenEntry(nil)
 	cancel()
@@ -767,7 +775,7 @@ func (c *Core) handleCancelableRequest(ctx context.Context, req *logical.Request
 	walState := &logical.WALState{}
 	ctx = logical.IndexStateContext(ctx, walState)
 	var auth *logical.Auth
-	if c.isLoginRequest(ctx, req) {
+	if c.isLoginRequest(ctx, req) && req.ClientTokenSource != logical.ClientTokenFromInternalAuth {
 		resp, auth, err = c.handleLoginRequest(ctx, req)
 	} else {
 		resp, auth, err = c.handleRequest(ctx, req)
@@ -1379,6 +1387,10 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
 
 	// Return the response and error
 	if routeErr != nil {
+		if _, ok := routeErr.(*logical.RequestDelegatedAuthError); ok {
+			routeErr = fmt.Errorf("delegated authentication requested but authentication token present")
+		}
+
 		retErr = multierror.Append(retErr, routeErr)
 	}
 
@@ -1496,15 +1508,23 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 	// Route the request
 	resp, routeErr := c.doRouting(ctx, req)
 
-	// if routeErr has invalid credentials error, update the userFailedLoginMap
-	if routeErr != nil && routeErr == logical.ErrInvalidCredentials {
+	handleInvalidCreds := func(err error) (*logical.Response, *logical.Auth, error) {
 		if !isUserLockoutDisabled {
 			err := c.failedUserLoginProcess(ctx, entry, req)
 			if err != nil {
 				return nil, nil, err
 			}
 		}
-		return resp, nil, routeErr
+		return resp, nil, err
+	}
+
+	if routeErr != nil {
+		// if routeErr has invalid credentials error, update the userFailedLoginMap
+		if routeErr == logical.ErrInvalidCredentials {
+			return handleInvalidCreds(routeErr)
+		} else if da, ok := routeErr.(*logical.RequestDelegatedAuthError); ok {
+			return c.handleDelegatedAuth(ctx, req, da, entry, handleInvalidCreds)
+		}
 	}
 
 	if resp != nil {
@@ -1837,6 +1857,117 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 	return resp, auth, routeErr
 }
 
+type invalidCredentialHandler func(err error) (*logical.Response, *logical.Auth, error)
+
+// handleDelegatedAuth when a backend request returns logical.RequestDelegatedAuthError, it is requesting that
+// an authentication workflow of its choosing be implemented prior to it being able to accept it. Normally
+// this is used for standard protocols that communicate the credential information in a non-standard Vault way
+func (c *Core) handleDelegatedAuth(ctx context.Context, origReq *logical.Request, da *logical.RequestDelegatedAuthError, entry *MountEntry, invalidCredHandler invalidCredentialHandler) (*logical.Response, *logical.Auth, error) {
+	// Make sure we didn't get into a routing loop.
+	if origReq.ClientTokenSource == logical.ClientTokenFromInternalAuth {
+		return nil, nil, fmt.Errorf("%w: original request had delegated auth token, "+
+			"forbidding another delegated request from path '%s'", ErrInternalError, origReq.Path)
+	}
+
+	// Backend has requested internally delegated authentication
+	requestedAccessor := da.MountAccessor()
+	if strings.TrimSpace(requestedAccessor) == "" {
+		return nil, nil, fmt.Errorf("%w: backend returned an invalid mount accessor '%s'", ErrInternalError, requestedAccessor)
+	}
+	// First, is this allowed by the mount tunable?
+	if !slices.Contains(entry.Config.DelegatedAuthAccessors, requestedAccessor) {
+		return nil, nil, fmt.Errorf("delegated auth to accessor %s not permitted", requestedAccessor)
+	}
+
+	reqNamespace, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed looking up namespace from context: %w", err)
+	}
+
+	mount := c.router.MatchingMountByAccessor(requestedAccessor)
+	if mount == nil {
+		return nil, nil, fmt.Errorf("%w: requested delegate authentication accessor '%s' was not found", logical.ErrPermissionDenied, requestedAccessor)
+	}
+	if mount.Table != credentialTableType {
+		return nil, nil, fmt.Errorf("%w: requested delegate authentication mount '%s' was not an auth mount", logical.ErrPermissionDenied, requestedAccessor)
+	}
+	if mount.NamespaceID != reqNamespace.ID {
+		return nil, nil, fmt.Errorf("%w: requested delegate authentication mount was in a different namespace than request", logical.ErrPermissionDenied)
+	}
+
+	// Found it, now form the login path and issue the request
+	path := paths.Join("auth", mount.Path, da.Path())
+	authReq, err := origReq.Clone()
+	if err != nil {
+		return nil, nil, err
+	}
+	authReq.MountAccessor = requestedAccessor
+	authReq.Path = path
+	authReq.Operation = logical.UpdateOperation
+
+	// filter out any response wrapping headers, for our embedded login request
+	delete(authReq.Headers, textproto.CanonicalMIMEHeaderKey(consts.WrapTTLHeaderName))
+	authReq.WrapInfo = nil
+
+	// Insert the data fields from the delegated auth error in our auth request
+	authReq.Data = maps.Clone(da.Data())
+
+	// Make sure we are going to perform a login request and not expose other backend types to this request
+	if !c.isLoginRequest(ctx, authReq) {
+		return nil, nil, fmt.Errorf("delegated path '%s' was not considered a login request", authReq.Path)
+	}
+
+	authResp, err := c.handleCancelableRequest(ctx, authReq)
+	if err != nil || authResp.IsError() {
+		// see if the backend wishes to handle the failed auth
+		if da.AuthErrorHandler() != nil {
+			resp, err := da.AuthErrorHandler()(ctx, origReq, authReq, authResp, err)
+			return resp, nil, err
+		}
+		switch err {
+		case nil:
+			return authResp, nil, nil
+		case logical.ErrInvalidCredentials:
+			return invalidCredHandler(err)
+		default:
+			return authResp, nil, err
+		}
+	}
+	if authResp == nil {
+		return nil, nil, fmt.Errorf("%w: delegated auth request returned empty response for request_path: %s", ErrInternalError, authReq.Path)
+	}
+	// A login request should never return a secret!
+	if authResp.Secret != nil {
+		return nil, nil, fmt.Errorf("%w: unexpected Secret response for login path for request_path: %s", ErrInternalError, authReq.Path)
+	}
+	if authResp.Auth == nil {
+		return nil, nil, fmt.Errorf("%w: Auth response was nil for request_path: %s", ErrInternalError, authReq.Path)
+	}
+	if authResp.Auth.ClientToken == "" {
+		if authResp.Auth.MFARequirement != nil {
+			return nil, nil, fmt.Errorf("%w: delegated auth request requiring MFA is not supported: %s", logical.ErrPermissionDenied, authReq.Path)
+		}
+		return nil, nil, fmt.Errorf("%w: delegated auth request did not return a client token for login path: %s", ErrInternalError, authReq.Path)
+	}
+
+	// Delegated auth tokens should only be batch tokens, as we don't want to incur
+	// the cost of storage/tidying for protocols that will be generating a token per
+	// request.
+	if !IsBatchToken(authResp.Auth.ClientToken) {
+		return nil, nil, fmt.Errorf("%w: delegated auth requests must be configured to issue batch tokens", logical.ErrPermissionDenied)
+	}
+
+	// Authentication successful, use the resulting ClientToken to reissue the original request
+	secondReq, err := origReq.Clone()
+	if err != nil {
+		return nil, nil, err
+	}
+	secondReq.ClientToken = authResp.Auth.ClientToken
+	secondReq.ClientTokenSource = logical.ClientTokenFromInternalAuth
+	resp, err := c.handleCancelableRequest(ctx, secondReq)
+	return resp, nil, err
+}
+
 // LoginCreateToken creates a token as a result of a login request.
 // If MFA is enforced, mfa/validate endpoint calls this functions
 // after successful MFA validation to generate the token.
diff --git a/vault/seal/seal.go b/vault/seal/seal.go
index 3786f37c866f..5d3c41c3dd73 100644
--- a/vault/seal/seal.go
+++ b/vault/seal/seal.go
@@ -8,21 +8,19 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"os"
 	"reflect"
 	"sort"
 	"strings"
 	"sync/atomic"
 	"time"
 
+	metrics "github.com/armon/go-metrics"
 	"github.com/google/go-cmp/cmp"
-
 	"github.com/hashicorp/go-hclog"
-
-	"github.com/hashicorp/vault/internalshared/configutil"
-
-	metrics "github.com/armon/go-metrics"
 	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 	"github.com/hashicorp/go-kms-wrapping/v2/aead"
+	"github.com/hashicorp/vault/internalshared/configutil"
 )
 
 type StoredKeysSupport int
@@ -102,7 +100,7 @@ func (sgi *SealGenerationInfo) Validate(existingSgi *SealGenerationInfo, hasPart
 		}
 	}
 
-	if !previousShamirConfigured && (!existingSgi.IsRewrapped() || hasPartiallyWrappedPaths) {
+	if !previousShamirConfigured && (!existingSgi.IsRewrapped() || hasPartiallyWrappedPaths) && os.Getenv("VAULT_SEAL_REWRAP_SAFETY") != "disable" {
 		return errors.New("cannot make seal config changes while seal re-wrap is in progress, please revert any seal configuration changes")
 	}
 
@@ -203,13 +201,13 @@ func haveCommonSeal(existingSealKmsConfigs, newSealKmsConfigs []*configutil.KMS)
 }
 
 func findRenamedDisabledSeals(configs []*configutil.KMS) []*configutil.KMS {
-	diabledSeals := []*configutil.KMS{}
+	disabledSeals := []*configutil.KMS{}
 	for _, seal := range configs {
 		if seal.Disabled && strings.HasSuffix(seal.Name, configutil.KmsRenameDisabledSuffix) {
-			diabledSeals = append(diabledSeals, seal)
+			disabledSeals = append(disabledSeals, seal)
 		}
 	}
-	return diabledSeals
+	return disabledSeals
 }
 
 func compareKMSConfigByNameAndType() cmp.Option {
@@ -468,7 +466,10 @@ func (a *access) Init(ctx context.Context, options ...wrapping.Option) error {
 				a.logger.Warn("cannot determine key ID for seal", "seal", sealWrapper.Name, "err", err)
 				return fmt.Errorf("cannod determine key ID for seal %s: %w", sealWrapper.Name, err)
 			}
-			keyIds = append(keyIds, keyId)
+			if keyId != "" {
+				// Some wrappers may not yet know their key id. For emample, see gcpkms.Wrapper.
+				keyIds = append(keyIds, keyId)
+			}
 		}
 	}
 	a.keyIdSet.setIds(keyIds)
@@ -477,7 +478,7 @@ func (a *access) Init(ctx context.Context, options ...wrapping.Option) error {
 
 func (a *access) IsUpToDate(ctx context.Context, value *MultiWrapValue, forceKeyIdRefresh bool) (bool, error) {
 	// Note that we don't compare generations when the value is transitory, since all single-blobInfo
-	// values are unmarshalled as transitory values.
+	// values (i.e. not yet upgraded to MultiWrapValues) are unmarshalled as transitory values.
 	if value.Generation != 0 && value.Generation != a.Generation() {
 		return false, nil
 	}
@@ -558,6 +559,34 @@ GATHER_RESULTS:
 		}
 	}
 
+	{
+		// Check for duplicate Key IDs.
+		// If any wrappers produce duplicated IDs, their BlobInfo will be replaced by an error.
+
+		keyIdToSealWrapperNameMap := make(map[string]string)
+		for _, sealWrapper := range enabledWrappersByPriority {
+			wrapperName := sealWrapper.Name
+			if result, ok := results[wrapperName]; ok {
+				if result.err != nil {
+					continue
+				}
+				if result.ciphertext.KeyInfo == nil {
+					// Can this really happen? Probably not?
+					continue
+				}
+				keyId := result.ciphertext.KeyInfo.KeyId
+				duplicateWrapperName, isDuplicate := keyIdToSealWrapperNameMap[keyId]
+				if isDuplicate {
+					for _, name := range []string{wrapperName, duplicateWrapperName} {
+						results[name].err = fmt.Errorf("seal %s has returned duplicate key ID %s, key IDs must be unique", name, keyId)
+						results[name].ciphertext = nil
+					}
+				}
+				keyIdToSealWrapperNameMap[keyId] = wrapperName
+			}
+		}
+	}
+
 	// Sort out the successful results from the errors
 	var slots []*wrapping.BlobInfo
 	errs := make(map[string]error)
@@ -587,6 +616,7 @@ GATHER_RESULTS:
 
 	a.logger.Trace("successfully encrypted value", "encryption seal wrappers", len(slots), "total enabled seal wrappers",
 		len(a.GetEnabledSealWrappersByPriority()))
+
 	ret := &MultiWrapValue{
 		Generation: a.Generation(),
 		Slots:      slots,
@@ -748,7 +778,7 @@ GATHER_RESULTS:
 	return nil, false, errors.New("context timeout exceeded")
 }
 
-// tryDecrypt returns the plaintext and a flad indicating whether the decryption was done by the "unwrapSeal" (see
+// tryDecrypt returns the plaintext and a flag indicating whether the decryption was done by the "unwrapSeal" (see
 // sealWrapMigration.Decrypt).
 func (a *access) tryDecrypt(ctx context.Context, sealWrapper *SealWrapper, ciphertextByKeyId map[string]*wrapping.BlobInfo, options []wrapping.Option) ([]byte, bool, error) {
 	now := time.Now()
diff --git a/vault/seal/seal_test.go b/vault/seal/seal_test.go
index 07abe465dba1..75562431823a 100644
--- a/vault/seal/seal_test.go
+++ b/vault/seal/seal_test.go
@@ -4,8 +4,12 @@
 package seal
 
 import (
+	"context"
+	"fmt"
 	"testing"
 
+	"github.com/stretchr/testify/require"
+
 	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 )
 
@@ -95,3 +99,47 @@ func Test_keyIdSet(t *testing.T) {
 		runTest(tt.name+".setIDs", useSetIds)
 	}
 }
+
+// Test_Encrypt_duplicate_keyIds verifies that if two seal wrappers produce the same Key ID, an error
+// will be returned for both.
+func Test_Encrypt_duplicate_keyIds(t *testing.T) {
+	ctx := context.Background()
+
+	setId := func(w *SealWrapper, keyId string) {
+		testWrapper := w.Wrapper.(*ToggleableWrapper).Wrapper.(*wrapping.TestWrapper)
+		testWrapper.SetKeyId(keyId)
+	}
+
+	getId := func(w *SealWrapper) string {
+		id, err := w.Wrapper.KeyId(ctx)
+		if err != nil {
+			t.Fatal(err)
+		}
+		return id
+	}
+
+	access, _ := NewTestSeal(&TestSealOpts{WrapperCount: 3})
+
+	// Set up - make the key IDs the same for the last two wrappers
+	wrappers := access.GetAllSealWrappersByPriority()
+	setId(wrappers[1], "this-key-is-duplicated")
+	setId(wrappers[2], "this-key-is-duplicated")
+
+	// Some sanity checks
+	require.NotEqual(t, wrappers[0].Name, wrappers[1].Name)
+	require.NotEqual(t, wrappers[1].Name, wrappers[2].Name)
+	require.NotEqual(t, getId(wrappers[0]), getId(wrappers[1]))
+	require.Equal(t, getId(wrappers[1]), getId(wrappers[2]))
+
+	// Encrypt a value
+	mwv, errorMap := access.Encrypt(ctx, []byte("Rinconete y Cortadillo"))
+
+	// Assertions
+	require.NotNilf(t, mwv, "seal 0 should have succeeded")
+
+	requireDuplicateErr := func(w *SealWrapper) {
+		require.ErrorContains(t, errorMap[w.Name], fmt.Sprintf("seal %v has returned duplicate key ID", w.Name))
+	}
+	requireDuplicateErr(wrappers[1])
+	requireDuplicateErr(wrappers[2])
+}
diff --git a/vault/seal/seal_testing.go b/vault/seal/seal_testing.go
index 56a7bcb46cfb..db3a77ee79bb 100644
--- a/vault/seal/seal_testing.go
+++ b/vault/seal/seal_testing.go
@@ -8,6 +8,8 @@ import (
 	"fmt"
 	"sync"
 
+	UUID "github.com/hashicorp/go-uuid"
+
 	"github.com/hashicorp/vault/sdk/helper/logging"
 
 	"github.com/hashicorp/go-hclog"
@@ -17,7 +19,7 @@ import (
 type TestSealOpts struct {
 	Logger       hclog.Logger
 	StoredKeys   StoredKeysSupport
-	Secret       []byte
+	Secrets      [][]byte
 	Name         wrapping.WrapperType
 	WrapperCount int
 	Generation   uint64
@@ -37,6 +39,29 @@ func NewTestSealOpts(opts *TestSealOpts) *TestSealOpts {
 		// we might at some point need to allow Generation == 0
 		opts.Generation = 1
 	}
+	switch len(opts.Secrets) {
+	case opts.WrapperCount:
+		// all good, each wrapper has its own secret
+
+	case 0:
+		if opts.WrapperCount == 1 {
+			// If there is only one wrapper, the default TestWrapper behaviour of reversing
+			// the bytes slice is fine.
+			opts.Secrets = [][]byte{nil}
+		} else {
+			// If there is more than one wrapper, each one needs a different secret
+			for i := 0; i < opts.WrapperCount; i++ {
+				uuid, err := UUID.GenerateUUID()
+				if err != nil {
+					panic(fmt.Sprintf("error generating secret: %v", err))
+				}
+				opts.Secrets = append(opts.Secrets, []byte(uuid))
+			}
+		}
+
+	default:
+		panic(fmt.Sprintf("wrong number of secrets %d vs %d wrappers", len(opts.Secrets), opts.WrapperCount))
+	}
 	return opts
 }
 
@@ -46,7 +71,12 @@ func NewTestSeal(opts *TestSealOpts) (Access, []*ToggleableWrapper) {
 	sealWrappers := make([]*SealWrapper, opts.WrapperCount)
 	ctx := context.Background()
 	for i := 0; i < opts.WrapperCount; i++ {
-		wrappers[i] = &ToggleableWrapper{Wrapper: wrapping.NewTestWrapper(opts.Secret)}
+		wrapperName := fmt.Sprintf("%s-%d", opts.Name, i+1)
+		wrappers[i] = &ToggleableWrapper{Wrapper: wrapping.NewTestWrapper(opts.Secrets[i])}
+		_, err := wrappers[i].Wrapper.SetConfig(context.Background(), wrapping.WithKeyId(wrapperName))
+		if err != nil {
+			panic(err)
+		}
 		wrapperType, err := wrappers[i].Type(ctx)
 		if err != nil {
 			panic(err)
@@ -54,7 +84,7 @@ func NewTestSeal(opts *TestSealOpts) (Access, []*ToggleableWrapper) {
 		sealWrappers[i] = NewSealWrapper(
 			wrappers[i],
 			i+1,
-			fmt.Sprintf("%s-%d", opts.Name, i+1),
+			wrapperName,
 			wrapperType.String(),
 			false,
 			true,
@@ -75,77 +105,6 @@ type TestSealWrapperOpts struct {
 	WrapperCount int
 }
 
-func CreateTestSealWrapperOpts(opts *TestSealWrapperOpts) *TestSealWrapperOpts {
-	if opts == nil {
-		opts = new(TestSealWrapperOpts)
-	}
-	if opts.WrapperCount == 0 {
-		opts.WrapperCount = 1
-	}
-	if opts.Logger == nil {
-		opts.Logger = logging.NewVaultLogger(hclog.Debug)
-	}
-	return opts
-}
-
-func CreateTestSealWrappers(opts *TestSealWrapperOpts) []*SealWrapper {
-	opts = CreateTestSealWrapperOpts(opts)
-	wrappers := make([]*ToggleableWrapper, opts.WrapperCount)
-	sealWrappers := make([]*SealWrapper, opts.WrapperCount)
-	ctx := context.Background()
-	for i := 0; i < opts.WrapperCount; i++ {
-		wrappers[i] = &ToggleableWrapper{Wrapper: wrapping.NewTestWrapper(opts.Secret)}
-		wrapperType, err := wrappers[i].Type(ctx)
-		if err != nil {
-			panic(err)
-		}
-		sealWrappers[i] = NewSealWrapper(
-			wrappers[i],
-			i+1,
-			fmt.Sprintf("%s-%d", opts.Name, i+1),
-			wrapperType.String(),
-			false,
-			true,
-		)
-	}
-
-	return sealWrappers
-}
-
-func NewToggleableTestSeal(opts *TestSealOpts) (Access, []func(error)) {
-	opts = NewTestSealOpts(opts)
-
-	wrappers := make([]*ToggleableWrapper, opts.WrapperCount)
-	sealWrappers := make([]*SealWrapper, opts.WrapperCount)
-	funcs := make([]func(error), opts.WrapperCount)
-	ctx := context.Background()
-	for i := 0; i < opts.WrapperCount; i++ {
-		w := &ToggleableWrapper{Wrapper: wrapping.NewTestWrapper(opts.Secret)}
-		wrapperType, err := w.Type(ctx)
-		if err != nil {
-			panic(err)
-		}
-
-		wrappers[i] = w
-		sealWrappers[i] = NewSealWrapper(
-			wrappers[i],
-			i+1,
-			fmt.Sprintf("%s-%d", opts.Name, i+1),
-			wrapperType.String(),
-			false,
-			true,
-		)
-		funcs[i] = w.SetError
-	}
-
-	sealAccess, err := NewAccessFromSealWrappers(nil, opts.Generation, true, sealWrappers)
-	if err != nil {
-		panic(err)
-	}
-
-	return sealAccess, funcs
-}
-
 type ToggleableWrapper struct {
 	wrapping.Wrapper
 	wrapperType  *wrapping.WrapperType
diff --git a/vault/seal/seal_wrapper.go b/vault/seal/seal_wrapper.go
index 067a557f8058..421024c7e8a1 100644
--- a/vault/seal/seal_wrapper.go
+++ b/vault/seal/seal_wrapper.go
@@ -15,6 +15,14 @@ import (
 	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 )
 
+type PartialSealWrapError struct {
+	Err error
+}
+
+func (p *PartialSealWrapError) Error() string {
+	return p.Err.Error()
+}
+
 // SealWrapper contains a Wrapper and related information needed by the seal that uses it.
 // Use NewSealWrapper to construct new instances, do not do it directly.
 type SealWrapper struct {
diff --git a/vault/seal_autoseal_test.go b/vault/seal_autoseal_test.go
index d4f52ecc182e..e070471a35e3 100644
--- a/vault/seal_autoseal_test.go
+++ b/vault/seal_autoseal_test.go
@@ -183,7 +183,7 @@ func TestAutoSeal_HealthCheck(t *testing.T) {
 	metrics.NewGlobal(metricsConf, inmemSink)
 
 	pBackend := newTestBackend(t)
-	testSealAccess, setErrs := seal.NewToggleableTestSeal(&seal.TestSealOpts{Name: "health-test"})
+	testSealAccess, wrappers := seal.NewTestSeal(&seal.TestSealOpts{Name: "health-test"})
 	core, _, _ := TestCoreUnsealedWithConfig(t, &CoreConfig{
 		MetricSink: metricsutil.NewClusterMetricSink("", inmemSink),
 		Physical:   pBackend,
@@ -195,7 +195,7 @@ func TestAutoSeal_HealthCheck(t *testing.T) {
 	core.seal = autoSeal
 	autoSeal.StartHealthCheck()
 	defer autoSeal.StopHealthCheck()
-	setErrs[0](errors.New("disconnected"))
+	wrappers[0].SetError(errors.New("disconnected"))
 
 	tries := 10
 	for tries = 10; tries > 0; tries-- {
@@ -208,7 +208,7 @@ func TestAutoSeal_HealthCheck(t *testing.T) {
 		t.Fatalf("Expected to detect unhealthy seals")
 	}
 
-	setErrs[0](nil)
+	wrappers[0].SetError(nil)
 	time.Sleep(50 * time.Millisecond)
 	if !autoSeal.Healthy() {
 		t.Fatal("Expected seals to be healthy")
@@ -216,8 +216,8 @@ func TestAutoSeal_HealthCheck(t *testing.T) {
 }
 
 func TestAutoSeal_BarrierSealConfigType(t *testing.T) {
-	singleWrapperAccess, _ := seal.NewToggleableTestSeal(&seal.TestSealOpts{WrapperCount: 1})
-	multipleWrapperAccess, _ := seal.NewToggleableTestSeal(&seal.TestSealOpts{WrapperCount: 2})
+	singleWrapperAccess, _ := seal.NewTestSeal(&seal.TestSealOpts{WrapperCount: 1})
+	multipleWrapperAccess, _ := seal.NewTestSeal(&seal.TestSealOpts{WrapperCount: 2})
 
 	require.Equalf(t, singleWrapperAccess.GetAllSealWrappersByPriority()[0].SealConfigType, NewAutoSeal(singleWrapperAccess).BarrierSealConfigType().String(),
 		"autoseals that have a single seal wrapper report that wrapper's as the barrier seal type")
diff --git a/vault/seal_testing_util.go b/vault/seal_testing_util.go
index 6139ed25ebee..ea735b087505 100644
--- a/vault/seal_testing_util.go
+++ b/vault/seal_testing_util.go
@@ -10,6 +10,8 @@ import (
 	testing "github.com/mitchellh/go-testing-interface"
 )
 
+// NewTestSeal creates a new seal for testing. If you want to use the same seal multiple times, such as for
+// a cluster, use NewTestSealFunc instead.
 func NewTestSeal(t testing.T, opts *seal.TestSealOpts) Seal {
 	t.Helper()
 	opts = seal.NewTestSealOpts(opts)
@@ -50,3 +52,27 @@ func NewTestSeal(t testing.T, opts *seal.TestSealOpts) Seal {
 		return NewAutoSeal(access)
 	}
 }
+
+// NewTestSealFunc returns a function that creates seals. All such seals will have TestWrappers that
+// share the same secret, thus making them equivalent.
+func NewTestSealFunc(t testing.T, opts *seal.TestSealOpts) func() Seal {
+	testSeal := NewTestSeal(t, opts)
+
+	return func() Seal {
+		return cloneTestSeal(t, testSeal)
+	}
+}
+
+// CloneTestSeal creates a new test seal that shares the same seal wrappers as `testSeal`.
+func cloneTestSeal(t testing.T, testSeal Seal) Seal {
+	logger := corehelpers.NewTestLogger(t).Named("sealAccess")
+
+	access, err := seal.NewAccessFromSealWrappers(logger, testSeal.GetAccess().Generation(), testSeal.GetAccess().GetSealGenerationInfo().IsRewrapped(), testSeal.GetAccess().GetAllSealWrappersByPriority())
+	if err != nil {
+		t.Fatal("error cloning seal %v", err)
+	}
+	if testSeal.StoredKeysSupported() == seal.StoredKeysNotSupported {
+		return NewDefaultSeal(access)
+	}
+	return NewAutoSeal(access)
+}
diff --git a/vault/seal_util.go b/vault/seal_util.go
index 3435ba9c51b9..4ba94f6a98c6 100644
--- a/vault/seal_util.go
+++ b/vault/seal_util.go
@@ -23,7 +23,7 @@ type PartialWrapFailCallback func(context.Context, map[string]error) error
 // Helper function to use for partial wrap fail callbacks where we don't want to allow a partial failure.  See
 // for example barrier or recovery key wrapping.  Just don't allow for those risky scenarios
 var DisallowPartialSealWrap = func(ctx context.Context, errs map[string]error) error {
-	return seal.JoinSealWrapErrors("not allowing operation to proceed without full wrapping involving all configured seals", errs)
+	return &seal.PartialSealWrapError{seal.JoinSealWrapErrors("not allowing operation to proceed without full wrapping involving all configured seals", errs)}
 }
 
 // SealWrapValue creates a SealWrappedValue wrapper with the entryValue being optionally encrypted with the give seal Access.
diff --git a/vault/testdata/Dockerfile b/vault/testdata/Dockerfile
index e9385bf2e06b..2fd0aa80e20d 100644
--- a/vault/testdata/Dockerfile
+++ b/vault/testdata/Dockerfile
@@ -5,6 +5,10 @@ FROM docker.mirror.hashicorp.services/ubuntu:22.04
 
 ARG plugin
 
+RUN groupadd nonroot && useradd -g nonroot nonroot
+
+USER nonroot
+
 COPY ${plugin} /bin/plugin
 
 ENTRYPOINT [ "/bin/plugin" ]
\ No newline at end of file
diff --git a/vault/testing.go b/vault/testing.go
index ba3ff2456572..ec3088e5b994 100644
--- a/vault/testing.go
+++ b/vault/testing.go
@@ -37,6 +37,11 @@ import (
 	"github.com/hashicorp/go-secure-stdlib/reloadutil"
 	raftlib "github.com/hashicorp/raft"
 	kv "github.com/hashicorp/vault-plugin-secrets-kv"
+	"github.com/mitchellh/copystructure"
+	"github.com/mitchellh/go-testing-interface"
+	"golang.org/x/crypto/ed25519"
+	"golang.org/x/net/http2"
+
 	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/audit"
 	auditFile "github.com/hashicorp/vault/builtin/audit/file"
@@ -59,10 +64,6 @@ import (
 	backendplugin "github.com/hashicorp/vault/sdk/plugin"
 	"github.com/hashicorp/vault/vault/cluster"
 	"github.com/hashicorp/vault/vault/seal"
-	"github.com/mitchellh/copystructure"
-	"github.com/mitchellh/go-testing-interface"
-	"golang.org/x/crypto/ed25519"
-	"golang.org/x/net/http2"
 )
 
 // This file contains a number of methods that are useful for unit
@@ -873,7 +874,7 @@ func (c *TestCluster) start(t testing.T) {
 
 	activeCore := -1
 WAITACTIVE:
-	for i := 0; i < 60; i++ {
+	for i := 0; i < 600; i++ {
 		for i, core := range c.Cores {
 			if standby, _ := core.Core.Standby(); !standby {
 				activeCore = i
@@ -881,7 +882,7 @@ WAITACTIVE:
 			}
 		}
 
-		time.Sleep(time.Second)
+		time.Sleep(100 * time.Millisecond)
 	}
 	if activeCore == -1 {
 		t.Fatalf("no core became active")
@@ -917,12 +918,12 @@ WAITACTIVE:
 // UnsealCores uses the cluster barrier keys to unseal the test cluster cores
 func (c *TestCluster) UnsealCores(t testing.T) {
 	t.Helper()
-	if err := c.UnsealCoresWithError(false); err != nil {
+	if err := c.UnsealCoresWithError(t, false); err != nil {
 		t.Fatal(err)
 	}
 }
 
-func (c *TestCluster) UnsealCoresWithError(useStoredKeys bool) error {
+func (c *TestCluster) UnsealCoresWithError(t testing.T, useStoredKeys bool) error {
 	unseal := func(core *Core) error {
 		for _, key := range c.BarrierKeys {
 			if _, err := core.Unseal(TestKeyCopy(key)); err != nil {
@@ -959,19 +960,21 @@ func (c *TestCluster) UnsealCoresWithError(useStoredKeys bool) error {
 	}
 
 	// Let them come fully up to standby
-	time.Sleep(2 * time.Second)
-
-	// Ensure cluster connection info is populated.
-	// Other cores should not come up as leaders.
-	for i := 1; i < len(c.Cores); i++ {
-		isLeader, _, _, err := c.Cores[i].Leader()
-		if err != nil {
-			return err
-		}
-		if isLeader {
-			return fmt.Errorf("core[%d] should not be leader", i)
+	corehelpers.RetryUntil(t, 2*time.Second, func() error {
+		// Ensure cluster connection info is populated.
+		// Other cores should not come up as leaders.
+		for i := 1; i < len(c.Cores); i++ {
+			isLeader, _, _, err := c.Cores[i].Leader()
+			if err != nil {
+				return err
+			}
+			if isLeader {
+				return fmt.Errorf("core[%d] should not be leader", i)
+			}
 		}
-	}
+
+		return nil
+	})
 
 	return nil
 }
@@ -1109,8 +1112,6 @@ func (c *TestCluster) Cleanup() {
 		os.RemoveAll(c.TempDir)
 	}
 
-	// Give time to actually shut down/clean up before the next test
-	time.Sleep(time.Second)
 	if c.CleanupFunc != nil {
 		c.CleanupFunc()
 	}
@@ -1256,7 +1257,7 @@ type TestClusterOptions struct {
 
 	NoDefaultQuotas bool
 
-	Plugins *TestPluginConfig
+	Plugins []*TestPluginConfig
 
 	// if populated, the callback is called for every request
 	RequestResponseCallback func(logical.Backend, *logical.Request, *logical.Response)
@@ -1699,27 +1700,29 @@ func NewTestCluster(t testing.T, base *CoreConfig, opts *TestClusterOptions) *Te
 		opts.ClusterLayers = inmemCluster
 	}
 
-	if opts != nil && opts.Plugins != nil {
-		if opts.Plugins.Container && runtime.GOOS != "linux" {
-			t.Skip("Running plugins in containers is only supported on linux")
-		}
+	if opts != nil && len(opts.Plugins) != 0 {
+		var plugins []pluginhelpers.TestPlugin
+		for _, pluginType := range opts.Plugins {
+			if pluginType.Container && runtime.GOOS != "linux" {
+				t.Skip("Running plugins in containers is only supported on linux")
+			}
 
-		var pluginDir string
-		var cleanup func(t testing.T)
+			var pluginDir string
+			var cleanup func(t testing.T)
 
-		if coreConfig.PluginDirectory == "" {
-			pluginDir, cleanup = corehelpers.MakeTestPluginDir(t)
-			coreConfig.PluginDirectory = pluginDir
-			t.Cleanup(func() { cleanup(t) })
-		}
+			if coreConfig.PluginDirectory == "" {
+				pluginDir, cleanup = corehelpers.MakeTestPluginDir(t)
+				coreConfig.PluginDirectory = pluginDir
+				t.Cleanup(func() { cleanup(t) })
+			}
 
-		var plugins []pluginhelpers.TestPlugin
-		for _, version := range opts.Plugins.Versions {
-			plugin := pluginhelpers.CompilePlugin(t, opts.Plugins.Typ, version, coreConfig.PluginDirectory)
-			if opts.Plugins.Container {
-				plugin.Image, plugin.ImageSha256 = pluginhelpers.BuildPluginContainerImage(t, plugin, coreConfig.PluginDirectory)
+			for _, version := range pluginType.Versions {
+				plugin := pluginhelpers.CompilePlugin(t, pluginType.Typ, version, coreConfig.PluginDirectory)
+				if pluginType.Container {
+					plugin.Image, plugin.ImageSha256 = pluginhelpers.BuildPluginContainerImage(t, plugin, coreConfig.PluginDirectory)
+				}
+				plugins = append(plugins, plugin)
 			}
-			plugins = append(plugins, plugin)
 		}
 		testCluster.Plugins = plugins
 	}
@@ -2175,19 +2178,21 @@ func (tc *TestCluster) initCores(t testing.T, opts *TestClusterOptions, addAudit
 		}
 
 		// Let them come fully up to standby
-		time.Sleep(2 * time.Second)
-
-		// Ensure cluster connection info is populated.
-		// Other cores should not come up as leaders.
-		for i := 1; i < numCores; i++ {
-			isLeader, _, _, err := tc.Cores[i].Core.Leader()
-			if err != nil {
-				t.Fatal(err)
-			}
-			if isLeader {
-				t.Fatalf("core[%d] should not be leader", i)
+		corehelpers.RetryUntil(t, 2*time.Second, func() error {
+			// Ensure cluster connection info is populated.
+			// Other cores should not come up as leaders.
+			for i := 1; i < numCores; i++ {
+				isLeader, _, _, err := tc.Cores[i].Core.Leader()
+				if err != nil {
+					return err
+				}
+				if isLeader {
+					return fmt.Errorf("core[%d] should not be leader", i)
+				}
 			}
-		}
+
+			return nil
+		})
 	}
 
 	//
diff --git a/website/.nvmrc b/website/.nvmrc
index 958b5a36e1fa..3f430af82b3d 100644
--- a/website/.nvmrc
+++ b/website/.nvmrc
@@ -1 +1 @@
-v14
+v18
diff --git a/website/content/api-docs/secret/azure.mdx b/website/content/api-docs/secret/azure.mdx
index f0ced9b035ca..2124e64b4958 100644
--- a/website/content/api-docs/secret/azure.mdx
+++ b/website/content/api-docs/secret/azure.mdx
@@ -212,6 +212,9 @@ information about roles.
   suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
 - `permanently_delete` (`bool: false`) - Specifies whether to permanently delete Applications and Service Principals that are dynamically
   created by Vault. If `application_object_id` is present, `permanently_delete` must be `false`.
+- `sign_in_audience` (`string: ""`) - Specifies the security principal types that are allowed to sign in to the application.
+  Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount.
+- `tags` (`string: ""`) - A comma-separated string of Azure tags to attach to an application.
 
 ### Sample payload
 
@@ -229,6 +232,8 @@ information about roles.
   ]",
   "ttl": 3600,
   "max_ttl": "24h"
+  "sign_in_audience": "AzureADMyOrg"
+  "tags": "team:engineering","environment:development"
 }
 ```
 
diff --git a/website/content/api-docs/secret/pki.mdx b/website/content/api-docs/secret/pki.mdx
index 28f7fba484e5..44a3b072a566 100644
--- a/website/content/api-docs/secret/pki.mdx
+++ b/website/content/api-docs/secret/pki.mdx
@@ -751,8 +751,8 @@ engine override the issuer as necessary.
 
 - `key_bits` `(int: 0)` - Specifies the number of bits to use for the
   generated keys. Allowed values are 0 (universal default); with
-  `key_type=rsa`, allowed values are: 2048 (default), 3072, or
-  4096; with `key_type=ec`, allowed values are: 224, 256 (default),
+  `key_type=rsa`, allowed values are: 2048 (default), 3072, 4096 or 8192;
+  with `key_type=ec`, allowed values are: 224, 256 (default),
   384, or 521; ignored with `key_type=ed25519`.
 
 - `private_key_format` `(string: "der")` - Specifies the format for marshaling
@@ -2194,8 +2194,8 @@ used.
 
 - `key_bits` `(int: 0)` - Specifies the number of bits to use for the
   generated keys. Allowed values are 0 (universal default); with
-  `key_type=rsa`, allowed values are: 2048 (default), 3072, or
-  4096; with `key_type=ec`, allowed values are: 224, 256 (default),
+  `key_type=rsa`, allowed values are: 2048 (default), 3072, 4096 or 8192;
+  with `key_type=ec`, allowed values are: 224, 256 (default),
   384, or 521; ignored with `key_type=ed25519`.
 
 #### Managed keys parameters
@@ -2341,8 +2341,8 @@ use the values set via `config/urls`.
 
 - `key_bits` `(int: 0)` - Specifies the number of bits to use for the
   generated keys. Allowed values are 0 (universal default); with
-  `key_type=rsa`, allowed values are: 2048 (default), 3072, or
-  4096; with `key_type=ec`, allowed values are: 224, 256 (default),
+  `key_type=rsa`, allowed values are: 2048 (default), 3072, 4096 or 8192;
+  with `key_type=ec`, allowed values are: 224, 256 (default),
   384, or 521; ignored with `key_type=ed25519`.
 
 - `max_path_length` `(int: -1)` - Specifies the maximum path length to encode in
@@ -2541,8 +2541,8 @@ generated depending on the `type` request parameter.
 
 - `key_bits` `(int: 0)` - Specifies the number of bits to use for the
   generated keys. Allowed values are 0 (universal default); with
-  `key_type=rsa`, allowed values are: 2048 (default), 3072, or
-  4096; with `key_type=ec`, allowed values are: 224, 256 (default),
+  `key_type=rsa`, allowed values are: 2048 (default), 3072, 4096, or 8192;
+  with `key_type=ec`, allowed values are: 224, 256 (default),
   384, or 521; ignored with `key_type=ed25519`. Not suitable for
   `type=existing` requests.
 
@@ -3449,8 +3449,8 @@ request is denied.
 
 - `key_bits` `(int: 0)` - Specifies the number of bits to use for the
   generated keys. Allowed values are 0 (universal default); with
-  `key_type=rsa`, allowed values are: 2048 (default), 3072, or
-  4096; with `key_type=ec`, allowed values are: 224, 256 (default),
+  `key_type=rsa`, allowed values are: 2048 (default), 3072, 4096 or 8192;
+  with `key_type=ec`, allowed values are: 224, 256 (default),
   384, or 521; ignored with `key_type=ed25519` or in signing operations
   when `key_type=any`.
 
@@ -4199,8 +4199,9 @@ the CRL.
 - `ocsp_disable` `(bool: false)` - Disables or enables the OCSP responder in Vault.
 
 - `ocsp_expiry` `(string: "12h")` - The amount of time an OCSP response can be cached for,
-  (controls the NextUpdate field), useful for OCSP stapling refresh durations. Setting to 0
-  should effectively disable caching in third party systems.
+  (controls the NextUpdate field), useful for OCSP stapling refresh durations. If set to 0
+  the NextUpdate field is not set, indicating newer revocation information is available
+  all the time.
 
 - `auto_rebuild` `(bool: false)` - Enables or disables periodic rebuilding of
   the CRL upon expiry.
diff --git a/website/content/api-docs/system/mounts.mdx b/website/content/api-docs/system/mounts.mdx
index 3bee236c5ce4..5486e9f70251 100644
--- a/website/content/api-docs/system/mounts.mdx
+++ b/website/content/api-docs/system/mounts.mdx
@@ -174,6 +174,9 @@ This endpoint enables a new secrets engine at the given path.
   - `allowed_managed_keys` `(array: [])` - List of managed key registry entry names
     that the mount in question is allowed to access.
 
+  - `delegated_auth_accessors` `(array: [])` - List of allowed authentication mount
+    accessors the backend can request delegated authentication for.
+
 - `options` `(map<string|string>: nil)` - Specifies mount type specific options
   that are passed to the backend.
 
@@ -382,6 +385,9 @@ This endpoint tunes configuration parameters for a given mount point.
 - `plugin_version` `(string: "")` – Specifies the semantic version of the plugin
   to use, e.g. "v1.0.0". Changes will not take effect until the mount is reloaded.
 
+- `delegated_auth_accessors` `(array: [])` - List of allowed authentication mount
+  accessors the backend can request delegated authentication for.
+
 ### Sample payload
 
 ```json
diff --git a/website/content/api-docs/system/plugins-runtimes-catalog.mdx b/website/content/api-docs/system/plugins-runtimes-catalog.mdx
index a056942abc33..ae5a5688fb93 100644
--- a/website/content/api-docs/system/plugins-runtimes-catalog.mdx
+++ b/website/content/api-docs/system/plugins-runtimes-catalog.mdx
@@ -78,6 +78,10 @@ supplied type and name.
 - `name` `(string: <required>)` – Part of the request URL. Specifies the plugin runtime name.
    Use the runtime name to look up plugin runtimes in the catalog.
 
+- `rootless` `(bool: false)` - Whether the container runtime is running as a
+  non-privileged user. Must be set if plugin container images are also configured
+  to run as a non-root user.
+
 - `oci_runtime` `(string: <optional>)` – Specifies OCI-compliant container runtime to use.
   Default is "runsc", gVisor's OCI runtime.
 
diff --git a/website/content/api-docs/system/secrets-sync.mdx b/website/content/api-docs/system/secrets-sync.mdx
index b258a8082ceb..beb52f137fa2 100644
--- a/website/content/api-docs/system/secrets-sync.mdx
+++ b/website/content/api-docs/system/secrets-sync.mdx
@@ -11,6 +11,56 @@ The `/sys/sync` endpoints are used to configure destinations and associate secre
 Each destination type has its own endpoint for creation & update operations, but share the same endpoints for read &
 delete operations.
 
+## Configuration
+
+The `sys/sync/config` endpoint is used to set configuration parameters for the sync system as a whole.
+
+@include 'alerts/restricted-root.mdx'
+
+| Method  | Path              |
+|:--------|:------------------|
+| `PATCH` | `sys/sync/config` |
+
+### Parameters
+
+- `disabled` `(bool: false)` - Disables sync operations from sending secrets in Vault to external destinations when
+set to true. While disabled, actions performed in Vault which trigger a sync operation will instead get queued to be
+processed once syncing is reactivated. Queued operations will have a status of `PENDING` until they are completed.
+This is provided as a safety mechanism for emergencies.
+
+### Sample payload
+```json
+{
+    "disabled": "true"
+}
+```
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request PATCH \
+    --data @payload.json
+    http://127.0.0.1:8200/v1/sys/sync/config
+```
+
+### Sample response
+
+```json
+{
+    "request_id": "uuid",
+    "lease_id": "",
+    "lease_duration": 0,
+    "renewable": false,
+    "data": {
+        "disabled": true
+    },
+    "warnings": null,
+    "mount_type": "system"
+}
+```
+
 ## List destinations
 
 This endpoint lists all configured sync destination names regrouped by destination type.
diff --git a/website/content/docs/agent-and-proxy/agent/index.mdx b/website/content/docs/agent-and-proxy/agent/index.mdx
index 5fae0df52500..7ce716eb6384 100644
--- a/website/content/docs/agent-and-proxy/agent/index.mdx
+++ b/website/content/docs/agent-and-proxy/agent/index.mdx
@@ -83,14 +83,17 @@ See the [caching](/vault/docs/agent-and-proxy/agent/caching#api) page for detail
   are `standard` and `json`. This can also be specified via the
   `VAULT_LOG_FORMAT` environment variable.
 
-- `-log-file` ((#\_log_file)) - writes all the Vault agent log messages
-  to a file. This value is used as a prefix for the log file name. The current timestamp
-  is appended to the file name. If the value ends in a path separator, `vault-agent`
-  will be appended to the value. If the file name is missing an extension, `.log`
-  is appended. For example, setting `log-file` to `/var/log/` would result in a log
-  file path of `/var/log/vault-agent-{timestamp}.log`. `log-file` can be combined with
-  [`-log-rotate-bytes`](#_log_rotate_bytes) and [`-log-rotate-duration`](#_log_rotate_duration)
-  for a fine-grained log rotation experience.
+- `-log-file` ((#\_log_file)) - the absolute path where Vault Agent should save
+  log messages. Paths that end with a path separator use the default file name,
+  `agent.log`. Paths that do not end with a file extension use the default
+  `.log` extension. If the log file rotates, Vault Agent appends the current
+  timestamp to the file name at the time of rotation. For example:
+
+  `log-file` | Full log file | Rotated log file
+  ---------- | ------------- | ----------------
+  `/var/log` | `/var/log/agent.log` | `/var/log/agent-{timestamp}.log`
+  `/var/log/my-diary` | `/var/log/my-diary.log` | `/var/log/my-diary-{timestamp}.log`
+  `/var/log/my-diary.txt` | `/var/log/my-diary.txt` | `/var/log/my-diary-{timestamp}.txt`
 
 - `-log-rotate-bytes` ((#\_log_rotate_bytes)) - to specify the number of
   bytes that should be written to a log before it needs to be rotated. Unless specified,
diff --git a/website/content/docs/agent-and-proxy/proxy/caching/static-secret-caching.mdx b/website/content/docs/agent-and-proxy/proxy/caching/static-secret-caching.mdx
index 08636d477697..3a16a1a9b919 100644
--- a/website/content/docs/agent-and-proxy/proxy/caching/static-secret-caching.mdx
+++ b/website/content/docs/agent-and-proxy/proxy/caching/static-secret-caching.mdx
@@ -18,11 +18,19 @@ appropriate cache updates.
 1. Enable [auto-auth](/vault/docs/agent-and-proxy/autoauth).
 1. Create an auto-auth token with permission to subscribe to KV event updates
 with the [Vault event system](/vault/docs/concepts/events). For example, to
-create a policy that grants access to static secret (KVv1 and KVv2) events:
+create a policy that grants access to static secret (KVv1 and KVv2) events,
+we need permission to subscribe to the `events` endpoint, as well as the
+`list` and `subscribe` permissions on KV secrets we want to get secrets
+from:
  ```hcl
- path "sys/events/subscribe/kv*" {
-   capabilities = ["read"]
- }
+  path "sys/events/subscribe/kv*" {
+    capabilities = ["read"]
+  }
+
+  path "*" {
+    capabilities = ["list", "subscribe"]
+    subscribe_event_types = ["kv*"]
+  }
    ```
 
 Subscribing to KV events means that Proxy receives updates as soon as a secret
@@ -30,7 +38,6 @@ changes, which reduces staleness in the cache. Vault Proxy only checks for a
 secret update if an event notification indicates that the related secret was
 updated.
 
-
 ## Step 2: Ensure tokens have `capabilities-self` access
 
 Tokens require `update` access to the
@@ -76,7 +83,7 @@ same token can then access this secret from the cache instead of Vault.
 Vault Proxy uses the [event system](/vault/docs/concepts/events) to keep the
 cache up to date. It monitors the KV event feed for events related to any secret
 currently stored in the cache, including modification events like updates and
-deletes. When Proxy detects a change in a cached secrete, it will update or
+deletes. When Proxy detects a change in a cached secret, it will update or
 evict the cache entry as appropriate.
 
 Vault Proxy also checks and refreshes the access permissions of known tokens
diff --git a/website/content/docs/agent-and-proxy/proxy/index.mdx b/website/content/docs/agent-and-proxy/proxy/index.mdx
index fdaae8ab8178..086ff87eddde 100644
--- a/website/content/docs/agent-and-proxy/proxy/index.mdx
+++ b/website/content/docs/agent-and-proxy/proxy/index.mdx
@@ -75,14 +75,17 @@ also be specified via the `VAULT_LOG_LEVEL` environment variable.
 are `standard` and `json`. This can also be specified via the
 `VAULT_LOG_FORMAT` environment variable.
 
-- `-log-file` ((#\_log_file)) - writes all the Vault proxy log messages
-to a file. This value is used as a prefix for the log file name. The current timestamp
-is appended to the file name. If the value ends in a path separator, `vault-proxy`
-will be appended to the value. If the file name is missing an extension, `.log`
-is appended. For example, setting `log-file` to `/var/log/` would result in a log
-file path of `/var/log/vault-proxy-{timestamp}.log`. `log-file` can be combined with
-[`-log-rotate-bytes`](#_log_rotate_bytes) and [`-log-rotate-duration`](#_log_rotate_duration)
-for a fine-grained log rotation experience.
+- `-log-file` ((#\_log_file)) - the absolute path where Vault Proxy should save
+  log messages. Paths that end with a path separator use the default file name,
+  `proxy.log`. Paths that do not end with a file extension use the default
+  `.log` extension. If the log file rotates, Vault Proxy appends the current
+  timestamp to the file name at the time of rotation. For example:
+
+  `log-file` | Full log file | Rotated log file
+  ---------- | ------------- | ----------------
+  `/var/log` | `/var/log/proxy.log` | `/var/log/proxy-{timestamp}.log`
+  `/var/log/my-diary` | `/var/log/my-diary.log` | `/var/log/my-diary-{timestamp}.log`
+  `/var/log/my-diary.txt` | `/var/log/my-diary.txt` | `/var/log/my-diary-{timestamp}.txt`
 
 - `-log-rotate-bytes` ((#\_log_rotate_bytes)) - to specify the number of
 bytes that should be written to a log before it needs to be rotated. Unless specified,
diff --git a/website/content/docs/commands/plugin/runtime/register.mdx b/website/content/docs/commands/plugin/runtime/register.mdx
index 698ee318db6f..75119d4e7268 100644
--- a/website/content/docs/commands/plugin/runtime/register.mdx
+++ b/website/content/docs/commands/plugin/runtime/register.mdx
@@ -45,6 +45,10 @@ flags](/vault/docs/commands) included on all commands.
 - `-type` `(string: <required>)` - Plugin runtime type. Vault currently only
   supports `container` as a runtime type.
 
+- `-rootless` `(bool: false)` - Whether the container runtime is running as a
+  non-privileged user. Must be set if plugin container images are also configured
+  to run as a non-root user.
+
 - `-cgroup_parent` `(string: "")` - Parent cgroup to set for each container.
   Use `cgroup_parent` to control the total resource usage for a group of plugins.
 
diff --git a/website/content/docs/commands/server.mdx b/website/content/docs/commands/server.mdx
index 8c9f08f05d0d..8a12a738aa23 100644
--- a/website/content/docs/commands/server.mdx
+++ b/website/content/docs/commands/server.mdx
@@ -60,15 +60,18 @@ flags](/vault/docs/commands) included on all commands.
   are `standard` and `json`. This can also be specified via the
   `VAULT_LOG_FORMAT` environment variable.
 
-- `-log-file` ((#\_log_file)) - writes all the Vault log messages
-  to a file. This value is used as a prefix for the log file name. The current timestamp
-  is appended to the file name. If the value ends in a path separator, `vault`
-  will be appended to the value. If the file name is missing an extension, `.log`
-  is appended. For example, setting `log-file` to `/var/log/` would result in a log
-  file path of `/var/log/vault-{timestamp}.log`. `log-file` can be combined with
-  [`-log-rotate-bytes`](#_log_rotate_bytes) and [`-log-rotate-duration`](#_log_rotate_duration)
-  for a fine-grained log rotation experience. This output operates in addition to existing 
-  outputs, meaning logs will continue to be written to journald / stdout (where appropriate).
+- `-log-file` ((#\_log_file)) - the absolute path where Vault should save log
+  messages in addition to other, existing outputs like journald / stdout. Paths
+  that end with a path separator use the default file name, `vault.log`. Paths
+  that do not end with a file extension use the default `.log` extension. If the
+  log file rotates, Vault appends the current timestamp to the file name
+  at the time of rotation. For example:
+
+  `log-file` | Full log file | Rotated log file
+  ---------- | ------------- | ----------------
+  `/var/log` | `/var/log/vault.log` | `/var/log/vault-{timestamp}.log`
+  `/var/log/my-diary` | `/var/log/my-diary.log` | `/var/log/my-diary-{timestamp}.log`
+  `/var/log/my-diary.txt` | `/var/log/my-diary.txt` | `/var/log/my-diary-{timestamp}.txt`
 
 - `-log-rotate-bytes` ((#\_log_rotate_bytes)) - to specify the number of
   bytes that should be written to a log before it needs to be rotated. Unless specified,
diff --git a/website/content/docs/enterprise/fips/fips1402.mdx b/website/content/docs/enterprise/fips/fips1402.mdx
index ce9fa97904e2..4d46dfa46daa 100644
--- a/website/content/docs/enterprise/fips/fips1402.mdx
+++ b/website/content/docs/enterprise/fips/fips1402.mdx
@@ -88,8 +88,12 @@ reasons:
    of say, a Root CA involves a concerted, non-Vault effort to accomplish
    and must be done thoughtfully.
 
-Combined, we suggest leaving the existing cluster in place, and carefully
-consider migration of specific workloads to the FIPS-backed cluster.
+As such Hashicorp cannot provide support for workloads that are affected
+either technically or via non-compliance that results from converting
+existing cluster workloads to the FIPS 140-2 Inside binary.
+
+Instead, we suggest leaving the existing cluster in place, and carefully
+consider migration of specific workloads to the FIPS-backed cluster.  
 
 #### Entropy augmentation restrictions
 
diff --git a/website/content/docs/platform/k8s/vso/helm.mdx b/website/content/docs/platform/k8s/vso/helm.mdx
index 864c6b4c6943..957db87aa30a 100644
--- a/website/content/docs/platform/k8s/vso/helm.mdx
+++ b/website/content/docs/platform/k8s/vso/helm.mdx
@@ -119,7 +119,7 @@ Use these links to navigate to a particular top-level stanza.
 
       - `repository` ((#v-controller-manager-image-repository)) (`string: hashicorp/vault-secrets-operator`)
 
-      - `tag` ((#v-controller-manager-image-tag)) (`string: 0.4.0`)
+      - `tag` ((#v-controller-manager-image-tag)) (`string: 0.4.1`)
 
     - `clientCache` ((#v-controller-manager-clientcache)) - Configures the client cache which is used by the controller to cache (and potentially persist) vault tokens that
       are the result of using the VaultAuthMethod. This enables re-use of Vault Tokens
@@ -262,8 +262,7 @@ Use these links to navigate to a particular top-level stanza.
           headers:
             X-vault-something1: "foo"
 
-    - `maxConcurrentReconciles` ((#v-controller-manager-maxconcurrentreconciles)) (`integer: ""`) - Defines the maximum number of concurrent reconciles by the controller.
-      NOTE: Currently this is only used by the reconciliation logic of dynamic secrets.
+    - `maxConcurrentReconciles` ((#v-controller-manager-maxconcurrentreconciles)) (`integer: ""`) - Defines the maximum number of concurrent reconciles for each controller.
 
       default: 100
 
diff --git a/website/content/docs/platform/k8s/vso/installation.mdx b/website/content/docs/platform/k8s/vso/installation.mdx
index b99861c7b979..34b6ad402c7f 100644
--- a/website/content/docs/platform/k8s/vso/installation.mdx
+++ b/website/content/docs/platform/k8s/vso/installation.mdx
@@ -30,13 +30,13 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com
 ```shell-session
 $ helm search repo hashicorp/vault-secrets-operator
 NAME           	CHART VERSION	APP VERSION	DESCRIPTION
-hashicorp/vault-secrets-operator	0.4.0       	0.4.0     	Official HashiCorp Vault Secrets Operator Chart
+hashicorp/vault-secrets-operator	0.4.1       	0.4.1     	Official HashiCorp Vault Secrets Operator Chart
 ```
 
 Then install the Operator:
 
 ```shell-session
-$ helm install --version 0.4.0 --create-namespace --namespace vault-secrets-operator vault-secrets-operator hashicorp/vault-secrets-operator
+$ helm install --version 0.4.1 --create-namespace --namespace vault-secrets-operator vault-secrets-operator hashicorp/vault-secrets-operator
 ```
 
 
@@ -65,10 +65,10 @@ $ helm show crds --version <TARGET_VSO_VERSION> hashicorp/vault-secrets-operator
 $ helm upgrade --version <TARGET_VSO_VERSION> --namespace vault-secrets-operator vault-secrets-operator hashicorp/vault-secrets-operator
 ```
 
-For example, if you are upgrading to VSO 0.4.0:
+For example, if you are upgrading to VSO 0.4.1:
 ```shell-session
-$ helm show crds --version 0.4.0 hashicorp/vault-secrets-operator | kubectl apply -f -
-$ helm upgrade --version 0.4.0 --namespace vault-secrets-operator vault-secrets-operator hashicorp/vault-secrets-operator
+$ helm show crds --version 0.4.1 hashicorp/vault-secrets-operator | kubectl apply -f -
+$ helm upgrade --version 0.4.1 --namespace vault-secrets-operator vault-secrets-operator hashicorp/vault-secrets-operator
 ```
 
 ## Updating CRDs
@@ -83,9 +83,9 @@ To update the VSO CRDs, replace `<TARGET_VSO_VERSION>` with the VSO version you
 $ helm show crds --version <TARGET_VSO_VERSION> hashicorp/vault-secrets-operator | kubectl apply -f -
 ```
 
-For example, if you are upgrading to VSO 0.4.0:
+For example, if you are upgrading to VSO 0.4.1:
 ```shell-session
-$ helm show crds --version 0.4.0 hashicorp/vault-secrets-operator | kubectl apply -f -
+$ helm show crds --version 0.4.1 hashicorp/vault-secrets-operator | kubectl apply -f -
 
 customresourcedefinition.apiextensions.k8s.io/hcpauths.secrets.hashicorp.com created
 customresourcedefinition.apiextensions.k8s.io/hcpvaultsecretsapps.secrets.hashicorp.com created
diff --git a/website/content/docs/platform/k8s/vso/openshift.mdx b/website/content/docs/platform/k8s/vso/openshift.mdx
index a05f68ff982b..465c5f1bc7bd 100644
--- a/website/content/docs/platform/k8s/vso/openshift.mdx
+++ b/website/content/docs/platform/k8s/vso/openshift.mdx
@@ -23,7 +23,7 @@ The Vault Secrets Operator may also be installed in OpenShift using the Helm cha
 $ helm install vault-secrets-operator hashicorp/vault-secrets-operator \
   --create-namespace \
   --namespace vault-secrets-operator \
-  --version 0.4.0 \
+  --version 0.4.1 \
   --values values.yaml
 ```
 
@@ -56,7 +56,7 @@ controller:
   manager:
     image:
       repository: registry.connect.redhat.com/hashicorp/vault-secrets-operator
-      tag: 0.4.0-ubi
+      tag: 0.4.1-ubi
     resources:
       limits:
         memory: 256Mi
diff --git a/website/content/docs/plugins/containerized-plugins.mdx b/website/content/docs/plugins/containerized-plugins.mdx
index 1bd4cb2de797..748d6d680923 100644
--- a/website/content/docs/plugins/containerized-plugins.mdx
+++ b/website/content/docs/plugins/containerized-plugins.mdx
@@ -39,7 +39,7 @@ increases the isolation between plugins, and between plugins and Vault.
 
 All plugins have the following basic requirements to be containerized:
 
-- **Your plugin must be built with at least v1.5.0 of the HashiCorp
+- **Your plugin must be built with at least v1.6.0 of the HashiCorp
   [`go-plugin`](https://github.com/hashicorp/go-plugin) library**.
 
 - **The image entrypoint should run the plugin binary**.
@@ -52,39 +52,39 @@ in [supported configurations](#supported-configurations).
 Vault's containerized plugins are compatible with a variety of configurations.
 In particular, it has been tested with the following:
 
-- Docker and Podman.
-- Default and rootless container engine.
-- OCI runtimes runsc and runc.
-- Plugin container images with root and non-root users.
+- Default and [rootless](https://docs.docker.com/engine/security/rootless/) Docker.
+- OCI-compatible runtimes `runsc` and `runc`.
+- Plugin container images running as root and non-root users.
 - [Mlock](/vault/docs/configuration#disable_mlock) disabled or enabled.
 
 Not all combinations work and some have additional requirements, listed below.
 If you use a configuration that matches multiple headings, you should combine
 the requirements from each matching heading.
 
-### Rootless installation with non-root container user
+### `runsc` runtime
 
-Not currently supported. We are hoping to provide support in future.
+- You must pass an additional `--host-uds=create` flag to the `runsc` runtime.
 
-### runsc runtime
+### Rootless Docker with `runsc` runtime
 
-- You must pass an additional `--host-uds=all` flag to the `runsc` runtime.
+- You must pass an additional `--ignore-cgroups` flag to the `runsc` runtime.
+  - Cgroup limits are not currently supported for this configuration.
 
-### Rootless installation with `runsc`
+### Rootless Docker with non-root container user
 
-- Does not currently support cgroup limits.
-- You must pass an additional `--ignore-cgroups` flag to the `runsc` runtime.
+- You must use a container plugin runtime with
+  [`rootless`](/vault/docs/commands/plugin/runtime/register#rootless) enabled.
+- Your filesystem must have Posix 1e ACL support, available by default in most
+  modern Linux file systems.
+- Only supported for gVisor's `runsc` runtime.
 
-### Non-root container user with mlock enabled
+### Rootless Docker with mlock enabled
 
-- You must set the IPC_LOCK capability on the plugin binary.
+- Only supported for gVisor's `runsc` runtime.
 
-### Rootless container engine with mlock enabled
+### Non-root container user with mlock enabled
 
-- You must set the IPC_LOCK capability on the container engine's binary.
-- You do not need to set the IPC_LOCK capability if running with Docker and runsc.
-  The `runsc` runtime supports mlock syscalls in rootless Docker without needing
-  IPC_LOCK itself.
+- You must set the `IPC_LOCK` capability on the plugin binary.
 
 ## Container lifecycle and metadata
 
diff --git a/website/content/docs/sync/azurekv.mdx b/website/content/docs/sync/azurekv.mdx
index 8266420d0143..d86ec901388c 100644
--- a/website/content/docs/sync/azurekv.mdx
+++ b/website/content/docs/sync/azurekv.mdx
@@ -27,8 +27,9 @@ Prerequisites:
 
 1. Once the service principal is created, the next step is to
   [grant the service principal](https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli)
-  access to Azure Key Vault. We recommend using the "Key Vault Secrets Officer" built-in role,
-  which gives sufficient access to manage secrets.
+  access to Azure Key Vault. To quickly get started, we recommend using the "Key Vault Secrets Officer" built-in role,
+  which gives sufficient access to manage secrets. For more information, see the [Permissions](#permissions) section.
+
 
 1. Configure a sync destination with the service principal credentials and Key Vault URI created in the previous steps.
 
@@ -127,6 +128,45 @@ Moving forward, any modification on the Vault secret will be propagated in near
 counterpart. Creating a new secret version in Vault will create a new version in Azure Key Vault. Deleting the secret
 or the association in Vault will delete the secret in your Azure Key Vault as well.
 
+
+## Permissions
+
+For a more minimal set of permissions, you can create a
+[custom role](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles#steps-to-create-a-custom-role)
+using the following JSON role definition. Be sure to replace the subscription id placeholder.
+
+```json
+{
+  "properties": {
+    "roleName": "Key Vault Secrets Reader Writer",
+    "description": "Custom role for reading and updating Azure Key Vault secrets.",
+    "permissions": [
+      {
+        "actions": [
+          "Microsoft.KeyVault/vaults/secrets/read",
+          "Microsoft.KeyVault/vaults/secrets/write"
+        ],
+        "notActions": [],
+        "dataActions": [
+          "Microsoft.KeyVault/vaults/secrets/delete",
+          "Microsoft.KeyVault/vaults/secrets/backup/action",
+          "Microsoft.KeyVault/vaults/secrets/purge/action",
+          "Microsoft.KeyVault/vaults/secrets/recover/action",
+          "Microsoft.KeyVault/vaults/secrets/restore/action",
+          "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
+          "Microsoft.KeyVault/vaults/secrets/getSecret/action",
+          "Microsoft.KeyVault/vaults/secrets/setSecret/action"
+        ],
+        "notDataActions": []
+      }
+    ],
+    "assignableScopes": [
+      "/subscriptions/{subscriptionId}/"
+    ]
+  }
+}
+```
+
 ## API
 
 Please see the [secrets sync API](/vault/api-docs/system/secrets-sync) for more details.
diff --git a/website/package-lock.json b/website/package-lock.json
index 79339e660dbc..ccdff66fdbaa 100644
--- a/website/package-lock.json
+++ b/website/package-lock.json
@@ -17,7 +17,7 @@
         "simple-git-hooks": "^2.6.1"
       },
       "engines": {
-        "node": ">=12.0.0 <= 16.x",
+        "node": ">=12.0.0 <= 18.x",
         "npm": ">=7.0.0"
       }
     },
diff --git a/website/package.json b/website/package.json
index 3e8666fe3e40..5e85e591969a 100644
--- a/website/package.json
+++ b/website/package.json
@@ -13,7 +13,7 @@
   },
   "engines": {
     "npm": ">=7.0.0",
-    "node": ">=12.0.0 <= 16.x"
+    "node": ">=12.0.0 <= 18.x"
   },
   "repository": {
     "type": "git",